Quickly find potential Kerberoast victims

Read up on the Kerberoast approach to brute-force the passwords of service accounts, and find out which of your service accounts would be an interesting target.


Logging on to Azure for your everyday job

Use a PowerShell profile function to load Azure RM account context automatically. If the context file does not exist, create one. Also, check the token for validity because it may have expired.


Azure Batch for the IT Pro – Part 1

I spent some time working with Azure Batch for a customer, and what struck me was that it was not so easy for an IT Pro to create a meaningful testing setup. The stumbling point is that you need to have an application doing meaningful work. So what is Azure Batch? It is the PaaS…


Azure Batch for the IT Pro – Part 2

This is the second and final part of a blog series with a walkthrough for Azure Batch. The first part is here: Azure Batch for the IT Pro – Part 1. In the first part I showed you how to create an Azure Batch Account, the corresponding Storage Account, a test application based on PowerShell,…


Get-UniqueString: generate unique ID for Azure Deployments

When deploying resources to Azure, you sometimes need to generate a world-wide unique name. Examples of these are DNS names, storage account names, Azure Batch account names, etc. Some of these names have additional requirements. For instance, storage account names must be all lowercase with a length of 3 to 24 letters. How do you…


PKI: which templates are built-in and which are from my company?

A colleague asked me a question on behalf of his customer. They were doing a discovery in a rather messy PKI environment and the question arose: which templates are standard (default), and which ones were created manually? Hopefully they have a good naming convention to make this immediately obvious, but otherwise a deeper look is needed. After…


PKI: which templates are published where?

Windows Server has two kinds of Certificate Authorities: Standalone and Enterprise. This strangely named difference really only means one thing: an Enterprise CA can (must) use templates for certificates it issues. Using templates you enforce standards for your private certificates, and enable desirable features like autoenrollment. A template exists as an object in the Configuration…


Get rid of accounts that use Kerberos Unconstrained Delegation

Suppose you are managing an enterprise Active Directory. You will have people at your desk that need you to configure something in AD to support their applications: GPOs, service accounts, OUs and permissions, etc. Sometimes they will ask for Kerberos Delegation, a nebulous technology that is generally not well understood by admins or developers. There are…


Find missing SPN registrations

Active Directory admins are probably well aware of how Kerberos works. If you need a little refresher, check out the article over at askds: Kerberos for the busy admin. Kerberos requires a service principal name (SPN) for each Kerberos-enabled network service offered in the forest: a file service, KDC, web farm, whatever. Typical examples…


Azure Template to deploy a forest with two domains, Part 3 — visualizing the template

This is part 3 in a series about writing a complex Azure ARM template. This is the full list: Part 1: using the template; Part 2: understanding the template structure; Part 3: visualizing the template. In the final part of this series I want to have a brief look at the template design, and in…