The Active Directory 2016 PAM Trust: how it works, and why it should come with a safety advisory

We have long been working on increasing security in the design and operations of Active Directory. In each release from Windows Server 2003, 2008 and up to 2012 R2 you can see steps taken: better encryption, additional Kerberos features, deprecation of old protocols, etc. With Windows Server 2016 we have taken a next step, and…

PKI: which templates are built-in and which are from my company?

A colleague asked me a question on behalf of his customer. They were doing a discovery in a rather messy PKI environment and the question arose: which templates are standard (default), and which ones were created manually? Hopefully they have a good naming convention to make this immediately obvious, but otherwise a deeper look is needed. After…

PKI: which templates are published where?

Windows Server has two kinds of Certificate Authorities: Standalone and Enterprise. This strangely named difference really only means one thing: an Enterprise CA can (must) use templates for certificates it issues. Using templates you enforce standards for your private certificates, and enable desirable features like autoenrollment. A template exists as an object in the Configuration…

The well-known SID -1000

It is not every day that you discover a new well-known SID, but today I got mine. I know… if I just discovered a well-known SID it can hardly be well-known, can it? Let me explain. If you have been around the (Windows) block a few times, you will know what a SID is: a security…

Get rid of accounts that use Kerberos Unconstrained Delegation

Suppose you are managing an enterprise Active Directory. You will have people at your desk that need you to configure something in AD to support their applications: GPOs, service accounts, OUs and permissions, etc. Sometimes they will ask for Kerberos Delegation, a nebulous technology that is generally not well understood by admins or developers. There are…

Find missing SPN registrations

Active Directory admins are probably well aware of how Kerberos works. If you need a little refresher, check out the article over at askds: Kerberos for the busy admin. Kerberos requires a service principal name (SPN) for each Kerberos-enabled network service offered in the forest: a file service, KDC, web farm, whatever. Typical examples…

Azure Template to deploy a forest with two domains, Part 3 — visualizing the template

This is part 3 in a series about writing a complex Azure ARM template. This is the full list: Part 1: using the template; Part 2: understanding the template structure; Part 3: visualizing the template. In the final part of this series I want to have a brief look at the template design, and in…

Azure template to deploy a forest with two domains, part 1 — using the template

This is Part 1 in a series. This is the whole series: Part 1: using the template; Part 2: understanding the template structure; Part 3: visualizing the template. This blog has been a while in the making. For various reasons I needed a simple way to quickly create a test forest in Azure with two domains, and…

Why you can still have duplicate SPNs in AD 2012 R2 and AD 2016

As an AD admin you are probably familiar with the problem of duplicate Service Principal Name (SPN) attributes. Need a refresher on Kerberos and SPN? Read the famous blog post over at askds: Kerberos for the busy admin. If you have these duplicates, Kerberos fails for the affected accounts. It always fails so there is no…
