God mode on Windows 8

It’s summer, you’re bored enough to start reading random newsletters and then you pick up something useful. Create a folder on your Surface desktop with the name GodMode.{ED7BA470-8E54-465E-825C-99712043E01C} and open the folder for a surprise… …this incidentally also works on Windows 7.


ADCS and dedicated CRL-signing certificates

We’re seeing what appear to be random revocation checking failures on clients for certificates issued by our CA. The infrastructure is a 2-tier PKI with an OCSP responder defined on the issuing CA certificate and the CRL from the Root CA signed by a dedicated CRL-signing certificate (i.e. not the issuing cert). We’ve observed that in cases…


Installing ADFS 2.1 on Windows Server 2012 with Windows Internal Database fails if local GPO granting User Rights is overwritten at the Domain or OU-level

During the installation of ADFS 2.1 on Windows Server 2012, the Add-Role wizard grants the local virtual account NT SERVICE\MSSQL$MICROSOFT##WID, which runs the WID service, the ‘Log on as a service’ user right via the Local Group Policy. If the Local Group Policy that grants the user right is overwritten by a GPO with a higher priority that also defines User Rights, the…


Upgrading from ADFS 2.0 to ADFS 2.1

[Note: this is a shortcut variation on the steps in the TechNet article at http://technet.microsoft.com/en-us/library/jj134039.aspx and should for now only be used in lab scenarios, as it hasn’t been officially tested by the PGs] The short version: add the AD FS role on Windows Server 2012 and choose to add it to an existing farm. Make the new…


Fiddling with ADFS – end the infinite authentication loop

While working at a customer site the other day I was reminded of an article by Eric Lawrence on why you sometimes start seeing endless pop-up windows asking for credentials when using Fiddler to decrypt HTTPS traffic during troubleshooting. In short: if the web server has Extended Protection for Authentication enabled, then it detects that…


Setting up your first ADFS POC

Here are the steps for setting up a POC for ADFS. First of all, you need to decide what your federation server farm will be called on the Internet. In the drawing below I’ve chosen the name fs.contoso.com; this will be registered in DNS as follows: in external DNS to point to the…


TPM-CSP Autoenrollment failing with 0x8010002e SCARD_E_NO_READERS_AVAILABLE

We’re attempting to enroll for certificates using a TPM chip on a laptop; it fails when autoenrollment is involved but works when done manually via the MMC. According to http://msdn.microsoft.com/en-us/library/bb905527.aspx on the Smart Card Resource Manager service: “By default, the service is configured for manual mode. Smart card reader driver authors must configure the…


ADCS has become site-aware in Windows Server 2012

One of the largely unheralded big new features of Active Directory Certificate Services is that it can now be configured to be site-aware. This is accomplished by following the detailed steps described on the ADCS Wiki link below. The short version is as follows: set the CA to detect which AD site it is in by running the following…