Browse by Tags

Tagged Content List
  • Blog Post: Easy Checking for MaxConcurrentApi Problems

    Hi folks! I’m due for my (now) semi annual blog post, and I have a pretty good one. Short and sweet. Remember my blog posts about MaxConcurrentApi problems? Well, of course not but they are here and here so you can read them now. I’m certain you read these fine blog posts about the...
  • Blog Post: The Domain Logon Dialogue

    Happy New Years everyone! Let’s start the year off with a less strenuous article regarding how the domain logon list gets populated. I’m talking about the user logon dialogue which you see following pressing control, alt and delete at the same time. There is a little bit of confusion around what you...
  • Blog Post: ADMT and Server 2008

    Whenever we release a new product or suite of products we at Microsoft want to ease the adoption of it. For that reason we’ve released tools and scripts over the years to help our customers out. We’ve typically given these as free downloads from the internet, and (I know my opinion is skewed here) frankly...
  • Blog Post: T2A4D (Coincidentally What I Would Name A Droid, If I Had One)

    Not another post about Kerberos! Sorry folks, my Momma said ‘stick with what you’re good with’. And since playing Halo 3 is not a paying job I’m doing another blog post on Kerberos. I thought this would be a good one to post since how this works can save people a lot of time, even though this is...
  • Blog Post: What's in a name?

    Have you ever heard the Shakespeare paraphrased saying “a rose by any other name is still a rose?”. Well, the same holds true for objects in AD. Not that we have “rose” class objects, but the point being that simply renaming an object doesn’t really fundamentally alter that object. Here’s how this...
  • Blog Post: I’ll Say It Again- User Account Control

    You may heard of a little thing we like to call Windows Vista. In fact, you may be slightly deafened by our marketing making sure you do know about it. Vista contains various security enhancements all designed to work toward the goal of keeping folks from unintentionally getting compromised by...
  • Blog Post: What Would Microsoft Support Do?

    To start the new year off right I have an article that is a must read if you IT administrator and using Microsoft products.  It’s in the January edition of Windows IT Pro magazine, in their “What Would Microsoft Support Do?” column.  You can read it from this link . Happy New Year folks!
  • Blog Post: Testing a Credential Provider

    Weeks ago I blogged about how single sign on and credential providers work and a scenario you can run into with them. One reader faced a slightly different scenario but was able to apply that topic toward getting his issue resolved. He had installed a credential provider for testing purposes. Unfortunately...
  • Blog Post: Question about AD authentication, Put In Context

    Occasionally I am contacted with specific questions or topics people would like to hear more about. This post is a reply to one of those. Here’s the question: My question is what are the impact when I change the logon workstation property of a user account in AD. Obviously, that user account cannot...
  • Blog Post: Vista Issue: Vista to Vista Terminal Service Logon Failing

    Some of my colleagues recently had a real puzzler of an issue. When they are that good I want to share it out with everyone so that they don’t have to take the time themselves. The symptoms were when attempting to connect via terminal services from one Vista computer to another Vista computer the...
  • Blog Post: Scary Sounding Errors

    We have a temporary role in CSS where support folks will help out in supporting prerelease (also known as beta) software.   I’ve worked a couple of Windows betas, and it’s a great experience.   I mention this since I remember a few years ago during the beta of a prior Windows release...
  • Blog Post: Enough With The Delays Already!

    A while back I got involved in an issue where a company had written an application for their own internal use. This application was intended to connect to a web page served out by IIS and then proceed with some other action. They wisely chose to make sure that the initial connections it used were secure...
  • Blog Post: Dude, where's my PAC?

    Something that is becoming more prevalent over the past few years has been great investments into our security technologies for application oriented reasons. Impersonation, people, that’s what I’m talking about. If anyone ever asks you what the big deal with Kerberos authentication is you can some it...
  • Blog Post: Downgrade "Attack"? A little more info

    I decided that we needed some more detail and to give a walk through scenario on this downgrade attack deal I mentioned a while back in a blog post . As a recap, a customer called in after noticing the events below appearing intermittently but repeatedly-and always in the sequence of one after the other...
  • Blog Post: Locked, Unlocked...Whatever, I Just Want Access

    A while back we had a customer contact us that was seeing something with authentication that they were struggling with understanding. They had a lot of small, remote sites where it was impractical to have a local domain controller. So each site relied on WAN network connectivity to receive domain...
  • Blog Post: Unusual Kerberos Failure...User to User to What?

    We get some really unique issues at times that strain patience and understanding. With Kerberos this is doubly true since it is already as complex and extensible as any person could ever ask for. This one may be particularly interesting to those who are creating new solutions using our Kerberos implantation...
  • Blog Post: Thoughts on Single Sign On and Credential Providers

    We use the term single sign on (SSO) to describe a variety of behaviors in Windows and other applications where the result is simply to prevent the user from being prompted to provide their credentials again and again; to ideally enter their credentials only once at initial logon. Active Directory and...
  • Blog Post: The FEK, AES and FIPs: Acronym Heaven!

    I’ve had several blog posts about the improved security in Windows Vista and Server 2008, particularly around cryptography. Here’s one more, albeit a short one. This post is about how, generally, Encrypted File System (EFS) works using Advanced Encryption Standards (AES) encryption algorithms to...
  • Blog Post: CeeKwuhl and Kurbyeros

    It's been a while! Sorry for the delay since the last post. It has been a hectic few weeks. I've been temporarily assigned as a beta support person, which means that I have been working on Windows Vista and Longhorn Server, assisting with filed (and filing) bugs for seen behavior and design change requests...
  • Blog Post: A Vista UAC story: Can’t change the time Zone?

    We have internal discussion lists in Microsoft that act as clearinghouses for technical issues or hot topics. One of the first thing a fledgling or newly assimilated Microsoftie must do is decide what discussion lists to join for their role. I am internal “owner” of the support alias for Vista...
  • Blog Post: Kerberos Constrained Delegation, FE and BE Servers Must Be In Same Domain

    This has come up several times, and I suspect will continue to do so occasionally. So I thought I’d post about this real quick in order to get the word out and also make sure that I don’t give the wrong answer on this to someone again (I forgot, gave the wrong answer to someone and feel a little guilty...
  • Blog Post: Important Security Bulletin

    I wanted to do a quick post on an important security bulletin. It’s Microsoft Security Bulletin MS09-018 – Critical . This security update is to address a vulnerability in Active Directory. I’m pasting the Executive Summary below, but I highly recommend that you read the entire bulletin and apply the...
  • Blog Post: Vista Issue: Time Skew Error When Logging on Across a Trust

    One of the cool things about this job is the way we get to trail blaze new issues as they happen and before any solution or workaround is in sight. We’re the pioneers in a way. This is one example. We’ve had a few customer’s recently mention that they had seen an odd behavior from their Vista clients...
  • Blog Post: Why! Won't! PAC! Validation! Turn! Off!

    A while back I wrote a blog post regarding PAC (Privilege Attribute Certificate) validation in Microsoft Kerberos. We’ve had enough interest in this lately, particularly around the idea of disabling it, that it seemed like a good idea to post about this again and add some more detail. The reason for...
  • Blog Post: So Good We Should Charge For it (But We Don’t)

    If you are like every other IT person I know you are doing a lot of technical support for family and friends over the holiday season. I thought of that last week and decided to write a short blog post detailing one of the least hyped and most useful items in all of the current Microsoft product offerings...