Tagged Content List
  • Blog Post: Enabling CEP and CES for enrolling non-domain joined computers for certificates

    Hey all, Rob here again. I thought I would expand upon my last blog describing Certificate Enrollment Web Services by covering some of the different configurations that are possible. As a refresher, Certificate Enrollment Policy and Certificate Enrollment Services abstracts certificate Policy and...
  • Blog Post: How to configure the Windows Server 2008 CA Web Enrollment Proxy

    Hi all, Rob here again. I had a case recently where the customer wanted to have the Windows Server 2008 Certificate Authority website loaded on another machine. For those of you that do not know, you can install the Windows Server 2008 CA web site pages on an alternate server from the CA. One reason...
  • Blog Post: Friday Mail Sack: Guest Reply Edition

    Hi folks, Ned here again. This week we talk: CA migration from 1 to 2 tier ADAM/ADLDS P2V ABC 123 Managing AGPM security filters Multiple IIS App pools and Kerberos AGPM multi-domain comparison ADUC domain password weirdness DFSR deletion conflict handling Stale account deletion...
  • Blog Post: Extended Validation support for websites using internal certificates

    Hey all, Rob here again. One feature that is new with Windows Server 2008 R2 / Windows 7 is the ability to configure your internal certification authority hierarchy in order to issue certificates that can show as Extended Validation certificates. So for those of you who do not know, this means...
  • Blog Post: Kerberos Authentication problems – Service Principal Name (SPN) issues - Part 1

    Hi, Rob here again. I hope that you found the first blog on troubleshooting Kerberos Authentication problems caused by name resolution informative and learned something about how to review network captures as well as how the SMB protocol works at a high level when reviewing a network trace. This time...
  • Blog Post: Potential for Kerberos Issues When Using a Cisco VPN/ASA with Win2003 or later DC’s

    Hey everyone, Rob Greene here back after a long hiatus from blogging. I had an interesting case come through that I thought many of you IT pros would be interested in. Background: The customer had an issue with using Cisco VPN and Cisco ASA concentrators and authenticating the user with Kerberos...
  • Blog Post: Addendum: Making the DelegConfig website work on IIS 7

    Hi all, Rob here again. I thought I would take the time today and expand upon the Kerberos Delegation website blog to show how you can use the web site on IIS 7. Actually, Ned beat me up pretty badly for not showing how to set the site up on IIS 7 [ I sure did. Rob’s revenge was to make a blog post...
  • Blog Post: Certificate Enrollment Web Services

    Hey everyone, Rob here again. With the release of Windows Server 2008 R2 and Windows 7 we have added new methods of enrolling for certificates: Certificate Enrollment Policy (CEP) and Certificate Enrollment Service (CES). CEP is a web service that enables users and computers to obtain certificate enrollment...
  • Blog Post: RSA Key Blocking is Coming

    Hey all, Ned here again with one of my rare public service announcement posts: In August 2012, Microsoft will issue a software update for Windows XP, Windows Server 2003, Windows Server 2003 R2, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. The update will block the use...
  • Blog Post: USMT and Converting Registry Data Types

    Heya folks, Ned here again. Microsoft is legendary for its backwards compatibility. No other operating system family can claim to support as much older software and settings as Windows - heck, companies like Apple seem to proudly cut "legacy" support after a few years and spin it like it's a positive...
  • Blog Post: Domain Locator Across a Forest Trust

    Rob and Mike here. We're asked, many times, why a user does not authenticate against a local domain controller in the same site when logging on across a forest. We've set up the most common scenario to help explain how domain locator works for user logons across a forest. Scenario: Let's explain...
  • Blog Post: AskDS is 0.03 Centuries Old Today

    Three years ago today the AskDS site published its first post and had its first commenter. In the meantime we’ve created 455 articles and we’re now ranked 6th in all of TechNet’s blogs, behind AskPerf, Office2010, MarkRussinovich, SBS, and HeyScriptingGuy. That’s a pretty amazing group to be lumped...
  • Blog Post: Kerberos Authentication problems – Service Principal Name (SPN) issues - Part 2

    Rob here. So, we saw in Part 1 what kind of error you could expect when there is no Service Principal Name defined for the Kerberos ticket the application is requesting. The next part I would like to show you is what might be the error message you would get if there were multiple accounts with the same...
  • Blog Post: Fun with the Kerberos Delegation Web Site

    Hi, Rob here. First I want to thank you guys for reading and participating in our blogging efforts. I had one of you e-mail us and ask about the web site I used in the Kerberos Authentication Troubleshooting blogs and if they could get a copy of it. The web site was created by our IIS support counterparts...
  • Blog Post: Vista’s MoveUser.exe replacement

    Hi, Rob here again. I recently had a customer that needed the functionality of MoveUser.exe from the Windows 2000 Resource Kit available in Windows Vista. The customer had quite a few Windows Vista machines that were not joined to the domain but were now migrating to Active Directory. For their own business...
  • Blog Post: Automatic creation of user folders for home, roaming profile and redirected folders.

    Hi, Rob here again. Periodically we’re asked "what is the best way to auto-create home, roaming profile, and folder redirection folders instead of Administrators creating and configuring the NTFS permissions manually?" The techniques in this post require you to use the environment variable %USERNAME...
  • Blog Post: Friday Mail Sack: Drop the dope, hippy! edition

    Hi all, Ned here again with an actual back to back mail sack. This week we discuss: Running out of USNs and Versions DFSR RDC LAN WAN FWIW AOK NPS and dotted NetBIOS domain names USMT and the case of the failing sourcepriority Revisiting NIC teaming Weird DFSR files MaxConcurrentAPI...
  • Blog Post: Clustered Certification Authority maintenance tasks

    Hi all, Rob Greene here again. I thought I would share with you how to do some common tasks with a Windows Server 2008 clustered Certification Authority (CA). When the CA is clustered there are definitely different steps that need to be taken when you: Make a change to the behavior of the CA by...
  • Blog Post: AskDS is 12,614,400,000,000,000 shakes old

    It’s been four years and 591 posts since AskDS reached critical mass. You’d hope our party would look like this: But it’s more likely to be: Without you, we’d be another of those sites that glow red hot, go supernova, then collapse into a white dwarf. We really appreciate your comments, questions...
  • Blog Post: Friday Mail Sack: Best Post This Year Edition

    Hi folks, Ned here and welcoming you to 2012 with a new Friday Mail Sack. Catching up from our holiday hiatus, today we talk about: Disabling Administrative Shares Making Get-ADDomainController useful’er Kerberos group bloat USMT moving profiles back from other disks The DFSR...
  • Blog Post: Kerberos Authentication problems – Service Principal Name (SPN) issues - Part 3

    Rob here. Now we have seen what it looks like when there is no Service Principal Name defined, and when the Service Principal Name is not unique in the forest. We will now cover what things look like when the Service Principal Name is NOT added to the correct account. We are still using the same...
  • Blog Post: iPad / iPhone Certificate Issuance

    Hey all, Rob here again. It’s been a while since I have written a blog post, and this one was too interesting to pass up. I recently worked a case around deploying certificates to Apple iPhones and iPads to secure their network communications. The investigation uncovered that Apple devices can...
  • Blog Post: Troubleshooting Kerberos Authentication problems – Name resolution issues

    Hi, Rob here. I thought I would show you how we in Microsoft Commercial Technical Support typically troubleshoot Kerberos authentication issues. This discussion should do much to get you more comfortable viewing network traces for Kerberos authentication problems. There are other ways to troubleshoot...
  • Blog Post: Windows PowerShell remoting and delegating user credentials

    Hey all, Rob Greene here again. Yeah, I know, it’s been a while since I’ve written anything for you good people of the Internet. I recently had an interesting issue with the Active Directory Web Services and the Active Directory Windows PowerShell 2.0 modules in Windows 7 and Windows Server...
  • Blog Post: How to setup a federation with Automatic Data Processing, Inc (ADP) using ADFS 2.0

    Hey all, Rob Greene here again. We have been getting calls recently on how to use ADFS 2.0 to federate with ADP, so today I explain how. Disclaimer: If you have problems with connecting to ADP, your first call should be to them. If after talking with ADP you need further assistance you then open...