Tagged Content List
  • Blog Post: Migrating your Certification Authority Hashing Algorithm from SHA1 to SHA2

    Hey all, Rob Greene here again. Well it’s been a very long while since I have written anything for the AskDS blog. I’ve been heads down supporting all the new cool technology from Microsoft. I wanted to see if I could head off some cases coming our way with regard to the whole SHA1 deprecation...
  • Blog Post: iPad / iPhone Certificate Issuance

    Hey all, Rob here again. It’s been a while since I have written a blog post, and this one was too interesting to pass up. I recently worked a case around deploying certificates to Apple iPhones and iPads to secure their network communications. The investigation uncovered that Apple devices can...
  • Blog Post: Troubleshooting Kerberos Authentication problems – Name resolution issues

    Hi Rob here. I thought I would show you how we in Microsoft Commercial Technical Support typically troubleshoot Kerberos authentication issues. This discussion should do much to get you more comfortable viewing network traces for Kerberos authentication problems. There are other ways to troubleshoot...
  • Blog Post: Windows PowerShell remoting and delegating user credentials

    Hey all Rob Greene here again. Yeah, I know, it’s been a while since I’ve written anything for you good people of the Internet. I recently had an interesting issue with the Active Directory Web Services and the Active Directory Windows PowerShell 2.0 modules in Windows 7 and Windows Server...
  • Blog Post: How to setup a federation with Automatic Data Processing, Inc (ADP) using ADFS 2.0

    Hey all, Rob Greene here again. We have been getting calls recently on how to use ADFS 2.0 to federate with ADP, so today I explain how. Disclaimer: If you have problems with connecting to ADP, your first call should be to them. If after talking with ADP you need further assistance you then open...
  • Blog Post: Kerberos for the Busy Admin

    Hi Rob here, I am a Support Escalation Engineer in Directory Services out of Charlotte, NC, USA. We work a lot of Kerberos authentication failure issues. Since Kerberos is typically the first authentication method attempted, it ends up having authentication failures more often. One of the great things...
  • Blog Post: Internet Explorer behaviors with Kerberos Authentication

    Hey Rob here again, I thought that I would share with you some of the things that we see where Internet Explorer Kerberos authentication fails. It is important to understand the default behavior of Internet Explorer and its support for Kerberos authentication so that you don’t start ripping...
  • Blog Post: PolicyMaker stops working after installing Windows XP SP3

    Hi this is Rob again. We had a couple cases recently where PolicyMaker settings were not applying to computer and users after installing Windows XP Service Pack 3. We found that PolicyMaker client-side extensions (CSE) are not registered after installing Service Pack 3. Examine the following location...
  • Blog Post: Enabling CEP and CES for enrolling non-domain joined computers for certificates

    Hey all, Rob here again. I thought I would expand upon my last blog describing Certificate Enrollment Web Services by covering some of the different configurations that are possible. As a refresher, Certificate Enrollment Policy and Certificate Enrollment Services abstracts certificate Policy and...
  • Blog Post: How to configure the Windows Server 2008 CA Web Enrollment Proxy

    Hi all, Rob here again. I had a case recently where the customer wanted to have the Windows Server 2008 Certificate Authority website loaded on another machine. For those of you that do not know, you can install the Windows Server 2008 CA web site pages on an alternate server from the CA. One reason...
  • Blog Post: Friday Mail Sack: Guest Reply Edition

    Hi folks, Ned here again. This week we talk: CA migration from 1 to 2 tier ADAM/ADLDS P2V ABC 123 Managing AGPM security filters Multiple IIS App pools and Kerberos AGPM multi-domain comparison ADUC domain password weirdness DFSR deletion conflict handling Stale account deletion...
  • Blog Post: Extended Validation support for websites using internal certificates

    Hey all Rob here again. One feature that is new with Windows Server 2008R2 / Windows 7 is the ability to configure your internal certification authority hierarchy in order to issue certificates that can show as Extended Validation certificates. So for those of you who do not know, this means...
  • Blog Post: Kerberos Authentication problems – Service Principal Name (SPN) issues - Part 1

    Hi Rob here again. I hope that you found the first blog on troubleshooting Kerberos Authentication problems caused by name resolution informative and learned something about how to review network captures as well as how the SMB protocol works at a high level when reviewing a network trace. This time...
  • Blog Post: Potential for Kerberos Issues When Using a Cisco VPN/ASA with Win2003 or later DC’s

    Hey everyone, Rob Greene here back after a long hiatus from blogging. I had an interesting case come through that I thought many of you IT pros would be interested in. Background: The customer had an issue with using Cisco VPN and Cisco ASA concentrators and authenticating the user with Kerberos...
  • Blog Post: Addendum: Making the DelegConfig website work on IIS 7

    Hi All Rob here again. I thought I would take the time today and expand upon the Kerberos Delegation website blog to show how you can use the web site on IIS 7. Actually, Ned beat me up pretty badly for not showing how to set the site up on IIS 7 [ I sure did. Rob’s revenge was to make a blog post...
  • Blog Post: Certificate Enrollment Web Services

    Hey everyone, Rob here again. With the release of Windows Server 2008 R2 and Windows 7 we have added new methods of enrolling for certificates: Certificate Enrollment Policy (CEP) and Certificate Enrollment Service (CES). CEP is a web service that enables users and computers to obtain certificate enrollment...
  • Blog Post: RSA Key Blocking is Coming

    Hey all, Ned here again with one of my rare public service announcement posts: In August 2012, Microsoft will issue a software update for Windows XP, Windows Server 2003, Windows Server 2003 R2, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. The update will block the use...
  • Blog Post: USMT and Converting Registry Data Types

    Heya folks, Ned here again. Microsoft is legendary for its backwards compatibility. No other operating system family can claim to support as much older software and settings as Windows - heck, companies like Apple seem to proudly cut "legacy" support after a few years and spin it like it's a positive...
  • Blog Post: Domain Locator Across a Forest Trust

    Rob and Mike here. We're asked, many times, why a user does not authenticate against a local domain controller in the same site when logging on across a forest. We've setup the most common scenario to help explain how domain locator works for user logons across a forest. Scenario: Let's explain...
  • Blog Post: AskDS is 0.03 Centuries Old Today

    Three years ago today the AskDS site published its first post and had its first commenter. In the meantime we’ve created 455 articles and we’re now ranked 6th in all of TechNet’s blogs, behind AskPerf, Office2010, MarkRussinovich, SBS, and HeyScriptingGuy. That’s a pretty amazing group to be lumped...
  • Blog Post: Kerberos Authentication problems – Service Principal Name (SPN) issues - Part 2

    Rob here. So, we saw in Part 1 what kind of error you could expect when there is no Service Principal Name defined for the Kerberos ticket the application is requesting. The next part I would like to show you is what might be the error message you would get if there were multiple accounts with the same...
  • Blog Post: Fun with the Kerberos Delegation Web Site

    Hi, Rob here. First I want to thank you guys for reading and participating in our blogging efforts. I had one of you e-mail us and ask about the web site I used in the Kerberos Authentication Troubleshooting blogs and if they could get a copy of it. The web site was created by our IIS support counterparts...
  • Blog Post: Vista’s MoveUser.exe replacement

    Hi Rob here again. I recently had a customer that needed the functionality of MoveUser.exe from the Windows 2000 Resource Kit available in Windows Vista. The customer had quite a few Windows Vista machines that were not joined to the domain but were now migrating to Active Directory. For their own business...
  • Blog Post: Automatic creation of user folders for home, roaming profile and redirected folders.

    Hi Rob here again. Periodically we’re asked "what is the best way to auto-create home, roaming profile, and folder redirection folders instead of Administrators creating and configuring the NTFS permissions manually?" The techniques in this post require you to use the environment variable %USERNAME...
  • Blog Post: Friday Mail Sack: Drop the dope, hippy! edition

    Hi all, Ned here again with an actual back to back mail sack. This week we discuss: Running out of USNs and Versions DFSR RDC LAN WAN FWIW AOK NPS and dotted NetBIOS domain names USMT and the case of the failing sourcepriority Revisiting NIC teaming Weird DFSR files MaxConcurrentAPI...