Using Debugging Tools to Find Token and Session Leaks

Hello AskDS readers and Identity aficionados. Long time no blog. Ryan Ries here, and today I have a relatively “hardcore” blog post that will not be for the faint of heart. However, it’s about an important topic. The behavior surrounding security tokens and logon sessions has recently changed on all supported versions of Windows. IT… Read more

Speaking in Ciphers and other Enigmatic tongues…update!

Hi! Jim Tierney here again to talk to you about Cryptographic Algorithms, SCHANNEL and other bits of wonderment. My original post on the topic has gone through a rewrite to bring you up to date on recent changes in this space. So, your company purchases this new super awesome vulnerability and compliance management software suite,… Read more

MD5 Signature Hash Deprecation and Your Infrastructure

Hi everyone, David here with a quick announcement. Yesterday, MSRC announced a timeframe for deprecation of built-in support for certificates that use the MD5 signature hash. You can find more information here: http://blogs.technet.com/b/srd/archive/2013/08/13/cryptographic-improvements-in-microsoft-windows.aspx Along with this announcement, we’ve released a framework which allows enterprises to test their environment for certificates that might be blocked as part of the upcoming… Read more

Monthly Mail Sack: Yes, I Finally Admit It Edition

Heya folks, Ned here again. Rather than continue the lie that this series comes out every Friday like it once did, I am taking the corporate approach and rebranding the mail sack. Maybe we’ll have the occasional Collector’s Edition versions. This week month, I answer your questions on: The semi-myth of Kerberos time skew Finding… Read more

Managing RID Issuance in Windows Server 2012

Hi all, Ned here again to talk further about managing your RID pool. By default, a domain has capacity for roughly one billion security principals, such as users, security groups, managed service accounts, and computers. If you run out, you can’t create any more. There aren’t any domains with that many active objects, of course,… Read more

Windows PowerShell remoting and delegating user credentials

Hey all Rob Greene here again. Yeah, I know, it’s been a while since I’ve written anything for you good people of the Internet. I recently had an interesting issue with the Active Directory Web Services and the Active Directory Windows PowerShell 2.0 modules in Windows 7 and Windows Server 2008 R2. Let me explain… Read more

Kerberos errors in network captures

Hi guys, Joji Oshima here again. When troubleshooting Kerberos authentication issues, a network capture is one of the best pieces of data to collect. When you review the capture, you may see various Kerberos errors but you may not know what they mean or if they are real problems. In this post, I’m going to… Read more

Dynamic Access Control and ISV Goodness

Hey all, Ned here with a quickie: Robert Paige just published an interesting read on Windows Server 2012 Dynamic Access Control over at the Windows Server blog: http://blogs.technet.com/b/wincat/archive/2012/07/20/diving-deeper-into-windows-server-2012-dynamic-access-control.aspx It highlights the work done with Independent Software Vendor partners and the products they are creating to integrate with the DAC suite. Definitely worth a read. As… Read more

Standardizing Dynamic Access Control Configuration – Exporting and Importing Dynamic Access Control objects between Active Directory Forests

[This is a guest post from Joe Isenhour, a Senior Program Manager in Windows Server. You may remember him from his previous ADFS claims rule post. If you are not yet up to speed on the DAC security suite in Windows Server 2012, I recommend our own Mike Stephens’ treatise Understand and Troubleshoot Dynamic Access… Read more

RSA Key Blocking is Coming

Hey all, Ned here again with one of my rare public service announcement posts: In August 2012, Microsoft will issue a software update for Windows XP, Windows Server 2003, Windows Server 2003 R2, Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2. The update will block the use of RSA cryptographic keys… Read more