Fiddling with ADFS – end the infinite authentication loop

While working at a customer site the other day I was reminded of an article by Eric Lawrence on why you sometimes start seeing endless pop-up windows asking for credentials when using Fiddler to decrypt HTTPS traffic during troubleshooting. In short: if the web server has Extended Protection for Authentication enabled, it detects that…
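The loop is Extended Protection doing its job: the channel binding token the client computes is bound to the TLS session it sees (the one terminated by Fiddler), which does not match the session the ADFS server terminated, so every Windows authentication attempt is rejected and the browser re-prompts. The check below is an added example, not code from the original post: it reads the ADFS extended-protection setting, relaxes it only for the duration of a Fiddler capture, and puts it back. It assumes the ADFS cmdlets are available (on ADFS 2.0 via the Microsoft.Adfs.PowerShell snap-in) and that the service name is adfssrv; run it on the federation server itself.

```powershell
# Added example: temporarily relax ADFS extended protection for a Fiddler session.
# Assumes the ADFS cmdlets are loaded; on ADFS 2.0 this snap-in provides them.
if (-not (Get-Command Get-ADFSProperties -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.Adfs.PowerShell
}

# Possible values are Require, Allow and None. Require is the secure default and
# is what makes the proxied logon fail while Fiddler is decrypting the traffic.
$before = (Get-ADFSProperties).ExtendedProtectionTokenCheck
Write-Host "ExtendedProtectionTokenCheck before: $before"

if ($before -ne 'None') {
    # Only do this on a lab or troubleshooting box: None removes the MITM protection
    # that channel binding provides for Windows Integrated authentication.
    Set-ADFSProperties -ExtendedProtectionTokenCheck None
    Restart-Service adfssrv   # service name assumed; restart picks up the new setting
}

Read-Host 'Run the Fiddler capture now, then press Enter to restore the original setting'

# Restore the previous value so EPA is enforced again once troubleshooting is done.
Set-ADFSProperties -ExtendedProtectionTokenCheck $before
Restart-Service adfssrv
Write-Host "ExtendedProtectionTokenCheck restored to: $((Get-ADFSProperties).ExtendedProtectionTokenCheck)"
```

The alternative that keeps EPA enforced is to not decrypt the ADFS leg in Fiddler at all (exclude the federation service host from HTTPS decryption) and capture only the application traffic.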

TPM-CSP Autoenrollment failing with 0x8010002e SCARD_E_NO_READERS_AVAILABLE

We’re attempting to enroll for certificates using a TPM chip on a laptop. It fails when autoenrollment is involved but works when done manually via the MMC. According to http://msdn.microsoft.com/en-us/library/bb905527.aspx on the Smart Card Resource Manager service: “By default, the service is configured for manual mode. Smart card reader driver authors must configure the…
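SCARD_E_NO_READERS_AVAILABLE is the error the smart card subsystem returns when the Smart Card Resource Manager (service name SCardSvr) is not running or has no reader enumerated; a manual-start service that nobody has started yet produces exactly that during unattended autoenrollment, while the MMC path works because the interactive session starts it on demand. The following is an added example, not the original post's code: it records the service state, makes the service start automatically, and retriggers autoenrollment so the result can be compared. The assumption that the service start type is the cause is labelled as such.

```powershell
# Added example: check the Smart Card Resource Manager and retry autoenrollment.
# Assumption: autoenrollment fails because SCardSvr (manual start) is not running.
$svc = Get-Service -Name SCardSvr
$wmi = Get-WmiObject Win32_Service -Filter "Name='SCardSvr'"
Write-Host ("SCardSvr status: {0}, start mode: {1}" -f $svc.Status, $wmi.StartMode)

if ($wmi.StartMode -ne 'Auto') {
    # Make the resource manager available before autoenrollment runs at logon/boot.
    Set-Service -Name SCardSvr -StartupType Automatic
}
if ($svc.Status -ne 'Running') {
    Start-Service -Name SCardSvr
}

# Pulse the autoenrollment task for the user and the machine and then look for
# the most recent CertificateServicesClient events to see whether the error recurs.
certutil -pulse | Out-Null
certutil -user -pulse | Out-Null
Start-Sleep -Seconds 10
Get-WinEvent -LogName Application -MaxEvents 20 |
    Where-Object { $_.ProviderName -like 'Microsoft-Windows-CertificateServicesClient*' } |
    Select-Object TimeCreated, Id, Message |
    Format-Table -AutoSize -Wrap
```

If the events still report 0x8010002e after the service is running, the problem is in the TPM CSP's reader registration rather than the service start mode, which is where the quoted MSDN guidance about driver authors configuring the service comes in.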

Certificate Enrollment Web Services primers

From http://social.technet.microsoft.com/wiki/contents/articles/7734.certificate-enrollment-policy-web-services-in-active-directory-certificate-services-ad-cs.aspx: Starting in Windows Server 2008 R2, there is an enrollment protocol that is based on WS-Trust and contains two new role services. These services use HTTP-based messaging over a TLS-encrypted transport and they do not depend solely on the Kerberos protocol for authentication. [Note: Using this for enrollment requires Windows 7 or Windows 2008 R2…

Cheat sheet for Smartcard Redirection on W2k8 R2 RDP servers

Available Updates for Remote Desktop Services (Terminal Services) in Windows Server 2008 R2: http://support.microsoft.com/kb/2601888

Latest BaseCSP.DLL (as of April 2012): You may wait for up to 30 seconds when you use a smart card to unlock a computer that is running Windows 7 or Windows Server 2008 R2: http://support.microsoft.com/kb/2577550

Latest Winscard.dll (as of April 2012): A…

PreferLogonDC issues on W2k8 R2 DCs

A hotfix has recently been issued that resolves an issue where the Windows 7/Windows 2008 R2 client “forgets” its dynamic site name during the startup sequence. The net effect is that the client always makes additional generic DNS queries, which return non-site-specific DC names back to the client. The DC returned from the DNS…

New hotfix for intermittent OCSP revocation failure issues on domain controllers available

A new hotfix for Cryptnet.dll on Windows Server 2008 R2 has been released which covers a scenario that could cause a Domain Controller (or any service doing frequent revocation checking of certificates, such as NPS or ISA Server) to get into a state where revocation checks started failing. The revocation check failures on the DC would then…

Alternative methods to getting a standalone CA to issue smartcard certificates

We want to implement a smartcard solution but we’re not ready for an implementation internally. We considered implementing a standalone CA to avoid making changes to the Configuration partition, but as it isn’t able to issue smartcard certificates we’re now considering a 3rd-party solution instead. A standalone CA can actually issue smartcard logon certificates…

Deconstructing the KDC certificate processing functionality

For a DC to be able to service smartcard logons the DC must have a valid and suitable certificate present in the personal store of the computer account. This is typically autoenrolled whenever a Windows enterprise CA has been installed into the AD environment. The KDC service on W2k8 R2 monitors the personal certificate store…
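“Valid and suitable” has a concrete meaning for the KDC: a certificate in the machine's personal store with a usable private key, within its validity period, chaining to a trusted root, and carrying the KDC Authentication EKU (OID 1.3.6.1.5.2.3.5, which the Kerberos Authentication template adds alongside the older Domain Controller and Domain Controller Authentication templates). The script below is an added example, not code from the original post; it enumerates the DC's computer store and reports, per certificate, each of those properties so that a smartcard logon failure can be traced to a missing or unusable KDC certificate. The OIDs are the standard ones; nothing else is assumed.

```powershell
# Added example: report which certificates in the DC's computer personal store
# the KDC could use for smartcard logon, and why the others are unsuitable.
$kdcAuthEku      = '1.3.6.1.5.2.3.5'        # KDC Authentication
$serverAuthEku   = '1.3.6.1.5.5.7.3.1'      # Server Authentication (used by older DC templates)
$smartCardLogon  = '1.3.6.1.4.1.311.20.2.2' # Smart Card Logon
$now = Get-Date

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_
    # EnhancedKeyUsageList is added by the PowerShell certificate provider.
    $ekus = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })

    # X509Certificate2.Verify() builds the chain and performs revocation checking,
    # the same kind of check that the OCSP/CRL hotfix articles above are about.
    $chainOk = $false
    try { $chainOk = $cert.Verify() } catch { $chainOk = $false }

    New-Object PSObject -Property @{
        Subject        = $cert.Subject
        Thumbprint     = $cert.Thumbprint
        NotAfter       = $cert.NotAfter
        HasPrivateKey  = $cert.HasPrivateKey
        TimeValid      = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)
        ChainOk        = $chainOk
        KdcAuthEku     = ($ekus -contains $kdcAuthEku)
        ServerAuthEku  = ($ekus -contains $serverAuthEku)
        SmartCardEku   = ($ekus -contains $smartCardLogon)
        # A certificate the KDC can actually use for PKINIT on W2k8 R2.
        KdcUsable      = $cert.HasPrivateKey -and $chainOk -and
                         ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now) -and
                         ($ekus -contains $kdcAuthEku)
    }
} | Sort-Object NotAfter -Descending |
    Format-Table Subject, Thumbprint, NotAfter, HasPrivateKey, TimeValid, ChainOk, KdcAuthEku, KdcUsable -AutoSize
```

If no row shows KdcUsable as True, `certutil -dcinfo verify` will usually name the specific chain or template problem, and `certutil -pulse` after fixing it retriggers the autoenrollment that normally supplies the certificate.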

Changing the Primary Domain DNS name of this computer to "" failed.

This is a bogus error message that can be safely ignored. It’s caused by the domain join code ending up in a function which it doesn’t need to run anyway during a domain join operation using the GUI. What’s failing is the attempt to change the Primary DNS suffix of the machine after the domain…

The Legacy of the Past Tense

When working with Microsoft technologies you’ll inevitably come across references to legacy APIs, legacy OSes, etc. Have you ever wondered what that means in technical terms? Well, in technical terms it simply indicates that a newer version of whatever API, component or OS we’re discussing is available. This introduces the scenario where one day…