AD Fun Services – Track down the source of ADFS lockouts

Tracking down the devices locking out accounts on an ADFS deployment is quite challenging. From an ADDS perspective, lockouts coming from a WAP server look like they come from an ADFS server. Lockouts coming from internal clients using forms-based authentication also look like they are coming from the ADFS server itself and not…
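The DC only records the ADFS server as the caller, so the real client has to be recovered from the ADFS side. The script below is an added example, not code from the original post: it reads the 4740 lockout events on the PDC emulator, keeps those whose caller is the ADFS server, and correlates them with the ADFS audit events written on that server in the seconds before the lockout. It assumes the server name given, that ADFS auditing is enabled (the "Application Generated" audit subcategory plus the service account's audit right), and that the ADFS 2012 R2 audit events 411 and 516 carry a "Client IP:" line for requests relayed by a WAP or sent by a forms-based client; those IDs and that field are assumptions to check against your own logs.

```powershell
# Added example (not from the original post). Assumptions: the ADFS server name
# below, ADFS auditing enabled on the farm, and audit events 411/516 on 2012 R2
# carrying a "Client IP:" line. 4740 field names are the standard Windows ones.
param(
    [string]$AdfsServer    = 'adfs01.corp.example.com',   # assumption
    [int]   $WindowSeconds = 120
)
Import-Module ActiveDirectory

function Get-DcLockouts([string]$Pdc, [int]$Max = 200) {
    # 4740 is written on the PDC emulator. In its EventData, TargetUserName is the
    # locked account and TargetDomainName holds the "Caller Computer Name".
    Get-WinEvent -ComputerName $Pdc -FilterHashtable @{ LogName = 'Security'; Id = 4740 } `
                 -MaxEvents $Max -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($f in $x.Event.EventData.Data) { $d[$f.Name] = $f.'#text' }
            [pscustomobject]@{ Time = $_.TimeCreated; User = $d['TargetUserName']; Caller = $d['TargetDomainName'] }
        }
}

function Get-AdfsAuthFailures([string]$Server, [datetime]$Start, [datetime]$End) {
    # ADFS audit events land in the Security log under the "AD FS Auditing" source.
    # 411 = token validation failed, 516 = extranet lockout (2012 R2 IDs, assumption).
    Get-WinEvent -ComputerName $Server -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; ProviderName = 'AD FS Auditing'; Id = 411, 516; StartTime = $Start; EndTime = $End
    } | ForEach-Object {
        # The message is free text; collect every "Key: value" line into a hashtable
        # so small wording differences between builds do not break the lookup.
        $fields = @{}
        foreach ($m in [regex]::Matches($_.Message, '(?m)^\s*([A-Za-z ]+?):\s*(.+?)\s*$')) {
            $fields[$m.Groups[1].Value.Trim()] = $m.Groups[2].Value
        }
        [pscustomobject]@{ Time = $_.TimeCreated; Id = $_.Id; ClientIP = $fields['Client IP']; Detail = $fields['Error message'] }
    }
}

$pdc      = (Get-ADDomain).PDCEmulator
$adfsHost = $AdfsServer.Split('.')[0]      # 4740 reports the NetBIOS name
foreach ($lock in Get-DcLockouts -Pdc $pdc) {
    if ($lock.Caller -notlike "$adfsHost*") { continue }   # lockout did not come through ADFS
    $hits = Get-AdfsAuthFailures -Server $AdfsServer -Start $lock.Time.AddSeconds(-$WindowSeconds) -End $lock.Time.AddSeconds(5)
    [pscustomobject]@{
        LockedUser = $lock.User
        LockedAt   = $lock.Time
        ClientIPs  = ($hits | Where-Object ClientIP | Select-Object -ExpandProperty ClientIP -Unique) -join ', '
        Failures   = @($hits).Count
    }
}
```

The time-window join is deliberately loose: a 4740 only tells you which account and when, so every ADFS failure in the preceding two minutes is a candidate. If the ADFS events show no client IP at all, the WAP is not forwarding it or auditing is not enabled, and the correlation can only narrow the search to "somewhere behind the proxy".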


Do I really need ADFS?

Update 2018-01-06: Lots of new things came up, so I updated this article. Update 2018-04-10: A few updates again, thanks to your contributions! I often hear and read misconceptions on whether or not you should or must deploy an ADFS farm when Office 365 is in the picture. So I will try to give you my…


All you need to know about Keytab files

Whether you are currently using them or planning to issue one, here is (I hope) all you need to know about those little binary files. It's a Kerberos thing. If you use or plan to use keytabs, it means that you are planning to add Kerberos support to a system which can't do it otherwise…
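To make "what is in a keytab" concrete, here is an added example that is not part of the original post: it builds a constructed version 2 MIT keytab in memory (fake realm, principal and key bytes) and parses it back. The layout followed is the MIT keytab file format, which ktpass on Windows also writes: magic bytes 0x05 0x02, then one record per key made of an int32 record size, a uint16 component count, the realm and each principal component as uint16-length counted strings, a uint32 name type, a uint32 timestamp, a uint8 kvno, the key block (uint16 enctype, uint16 length, key bytes) and an optional trailing uint32 kvno. All integers are big-endian. The names and values in the sample are made up.

```powershell
# Added example, not from the original post. Sample realm, principal and key are
# constructed; the key is 0x00..0x1f, not a real Kerberos key.

function ConvertTo-BigEndianBytes([uint32]$Value, [int]$Width) {
    $b = [BitConverter]::GetBytes($Value)                         # 4 bytes, host order
    if ([BitConverter]::IsLittleEndian) { [Array]::Reverse($b) }
    return [byte[]]$b[($b.Length - $Width)..($b.Length - 1)]      # low-order $Width bytes
}

function Add-CountedString([System.Collections.Generic.List[byte]]$Buf, [string]$Text) {
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($Text)
    $Buf.AddRange([byte[]](ConvertTo-BigEndianBytes $bytes.Length 2))
    $Buf.AddRange($bytes)
}

function New-KeytabBytes([string]$Principal, [string]$Realm, [uint16]$EncType, [byte[]]$Key, [int]$Kvno, [uint32]$Timestamp) {
    $body  = New-Object System.Collections.Generic.List[byte]
    $comps = $Principal.Split('/')
    $body.AddRange([byte[]](ConvertTo-BigEndianBytes $comps.Count 2))      # v2: realm is not counted
    Add-CountedString $body $Realm
    foreach ($c in $comps) { Add-CountedString $body $c }
    $body.AddRange([byte[]](ConvertTo-BigEndianBytes 1 4))                 # name type 1 = KRB5_NT_PRINCIPAL
    $body.AddRange([byte[]](ConvertTo-BigEndianBytes $Timestamp 4))
    $body.AddRange([byte[]](ConvertTo-BigEndianBytes ($Kvno -band 0xff) 1)) # 8-bit kvno
    $body.AddRange([byte[]](ConvertTo-BigEndianBytes $EncType 2))
    $body.AddRange([byte[]](ConvertTo-BigEndianBytes $Key.Length 2))
    $body.AddRange($Key)
    $body.AddRange([byte[]](ConvertTo-BigEndianBytes $Kvno 4))             # 32-bit kvno
    $out = New-Object System.Collections.Generic.List[byte]
    $out.AddRange([byte[]](0x05, 0x02))
    $out.AddRange([byte[]](ConvertTo-BigEndianBytes $body.Count 4))
    $out.AddRange($body)
    return ,$out.ToArray()
}

function Read-BigEndian([System.IO.BinaryReader]$Reader, [int]$Width) {
    $b = $Reader.ReadBytes($Width)
    if ($b.Length -ne $Width) { throw "Truncated keytab entry" }
    [uint64]$v = 0
    foreach ($x in $b) { $v = ($v * 256) + $x }
    return $v
}

function Read-CountedString([System.IO.BinaryReader]$Reader) {
    $len = Read-BigEndian $Reader 2
    return [System.Text.Encoding]::UTF8.GetString($Reader.ReadBytes([int]$len))
}

function Read-Keytab([byte[]]$Bytes) {
    $ms = New-Object System.IO.MemoryStream -ArgumentList (,$Bytes)
    $r  = New-Object System.IO.BinaryReader -ArgumentList $ms
    $magic = $r.ReadBytes(2)
    if ($magic[0] -ne 5 -or $magic[1] -ne 2) { throw "Not a version 2 keytab (magic $($magic -join ','))" }
    while ($ms.Position -lt $ms.Length) {
        $sizeBytes = $r.ReadBytes(4); [Array]::Reverse($sizeBytes)
        $size = [BitConverter]::ToInt32($sizeBytes, 0)
        if ($size -lt 0) { $ms.Position += -$size; continue }            # negative size = deleted slot
        if ($size -eq 0) { throw "Zero-length keytab entry" }
        $end      = $ms.Position + $size
        $nComp    = Read-BigEndian $r 2
        $realm    = Read-CountedString $r
        $comps    = @(for ($i = 0; $i -lt $nComp; $i++) { Read-CountedString $r })
        $nameType = Read-BigEndian $r 4
        $stamp    = Read-BigEndian $r 4
        $kvno     = Read-BigEndian $r 1
        $encType  = Read-BigEndian $r 2
        $keyLen   = Read-BigEndian $r 2
        $key      = $r.ReadBytes([int]$keyLen)
        if ($ms.Position + 4 -le $end) { $kvno = Read-BigEndian $r 4 }  # 32-bit kvno present
        $ms.Position = $end
        [pscustomobject]@{
            Principal = ($comps -join '/') + '@' + $realm
            NameType  = $nameType
            Timestamp = [DateTimeOffset]::FromUnixTimeSeconds([int64]$stamp).UtcDateTime
            Kvno      = $kvno
            EncType   = $encType     # 18 = aes256-cts-hmac-sha1-96, 17 = aes128, 23 = rc4-hmac
            KeyHex    = ($key | ForEach-Object { $_.ToString('x2') }) -join ''
        }
    }
}

# Constructed sample (fake key) round-tripped through the writer and the reader.
$sampleKey = [byte[]](0..31)
$keytab = New-KeytabBytes -Principal 'HTTP/web.example.com' -Realm 'EXAMPLE.COM' -EncType 18 -Key $sampleKey -Kvno 3 -Timestamp 1514764800
Read-Keytab $keytab | Format-List
# A real file produced by ktpass: Read-Keytab ([IO.File]::ReadAllBytes('C:\temp\web.keytab'))
```

The KeyHex column is the point of the exercise: the long-term key is stored in clear in the file, so a keytab is equivalent to the account password. Whoever can read it can request tickets as that service, so it deserves a tight file ACL, a dedicated account, and a plan to rotate it (each rotation bumps the kvno, and a keytab with a stale kvno simply stops working).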


How to detect applications using "hardcoded" DC name or IP?

You look at Windows Server 2012 R2 and you tell yourself: "it would be nice if I could leverage all those new features". Then you remember… Adding new domain controllers is usually not a problem. Besides, if you want to add your new DCs in a smooth way, without impacting the existing environment, you can…


Raising the functional level – Are you getting cold feet because of KB2260240?

Raising the functional level of your domain is a pretty straightforward operation. It is a mandatory step if you want to start using the Recycle Bin with Windows Server 2008 R2, or other great new security features with the newest versions of Windows. It is super well documented, and among the great resources we…


Customizing the AD FS sign-in pages per relying party trust

UPDATE: Windows Server 2016 allows this out of the box. See here: Customizing user signin for AD FS relying parties. The way the Windows Server 2012 R2 ADFS customization currently works does not enable you to modify the graphical end user experience based on the relying party trust (RP) the user is trying to access…
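For the Windows Server 2016 case mentioned in the update, here is an added example (not from the original post) of binding a dedicated web theme to one relying party trust with the ADFS PowerShell module. The relying party name, theme name and branding file paths are assumptions; the cmdlets are the ones shipped with AD FS 2016.

```powershell
# Added example, not from the original post. Requires AD FS on Windows Server 2016.
# Assumed names: relying party 'Contoso App', theme 'contoso-app', files under C:\branding.
Import-Module ADFS
$rpName    = 'Contoso App'
$themeName = 'contoso-app'

if (-not (Get-AdfsRelyingPartyTrust -Name $rpName)) { throw "Relying party trust '$rpName' not found" }

# Clone the default theme so the farm-wide sign-in page stays as it is.
if (-not (Get-AdfsWebTheme -Name $themeName -ErrorAction SilentlyContinue)) {
    New-AdfsWebTheme -Name $themeName -SourceName 'default'
}
Set-AdfsWebTheme -TargetName $themeName `
    -Logo         @{ Path = 'C:\branding\contoso-app\logo.png' } `
    -Illustration @{ Path = 'C:\branding\contoso-app\illustration.png' }

# The binding 2012 R2 lacks: the theme is selected by relying party, not farm-wide.
Set-AdfsRelyingPartyWebTheme -TargetRelyingPartyName $rpName -SourceWebThemeName $themeName

# Per-relying-party text works the same way.
Set-AdfsRelyingPartyWebContent -TargetRelyingPartyName $rpName `
    -SignInPageDescriptionText 'Sign in with your Contoso account to reach Contoso App.'

# Confirm which theme the relying party now resolves to.
Get-AdfsRelyingPartyWebTheme -RelyingPartyName $rpName
```

Keeping the per-RP theme as a clone of `default` rather than editing `default` itself means a branding mistake only affects that one application, and `Remove-AdfsRelyingPartyWebTheme` puts the application back on the farm-wide pages without touching anything else.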


ADFS refuses to start, error 1297

Here is the scenario: your ADFS farm is happy, up and running. Because of update management, sometimes your server has to restart, and when the server restarts all hosted services restart with it. Then you may run into this error message when you start your ADFS Server service: It is weird, especially since you…


🐶🐶🐶 Credential theft made easy with Kerberos delegation

Yes, it takes just 2 lines of PowerShell to impersonate whoever you want… A small preamble: things discussed here are not hacking techniques, nor innovative ways to impersonate a user. These are intended behaviors, and they have all been around for a very long time. Why talk about it now? Because as a part of my job, I…
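Since the post's point is that delegation is an intended feature rather than a bug, the first thing a defender wants is to know where it is enabled. The script below is an added example, not code from the original post: it inventories every account configured for unconstrained or constrained delegation through an LDAP bitwise filter, and then lists privileged accounts that are neither marked "sensitive and cannot be delegated" nor members of Protected Users, which is what makes them impersonable by those services. It assumes the ActiveDirectory module and a 2012 R2 or later domain (for the Protected Users group); it only reads the directory.

```powershell
# Added example, not from the original post: read-only inventory of Kerberos
# delegation in the domain. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-DelegationInventory {
    # userAccountControl bits: 0x80000 TRUSTED_FOR_DELEGATION (unconstrained),
    # 0x1000000 TRUSTED_TO_AUTH_FOR_DELEGATION (constrained with protocol transition).
    # 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule.
    $filter = '(|(userAccountControl:1.2.840.113556.1.4.803:=524288)' +
              '(userAccountControl:1.2.840.113556.1.4.803:=16777216)' +
              '(msDS-AllowedToDelegateTo=*))'
    Get-ADObject -LDAPFilter $filter -Properties userAccountControl, 'msDS-AllowedToDelegateTo', primaryGroupID, servicePrincipalName |
        ForEach-Object {
            $uac     = [int]$_.userAccountControl
            $targets = @($_.'msDS-AllowedToDelegateTo')
            $kind = if ($targets.Count -gt 0) {
                        if ($uac -band 0x1000000) { 'Constrained + protocol transition (any auth method)' }
                        else                      { 'Constrained (Kerberos only)' }
                    } elseif ($uac -band 0x80000) {
                        # Domain controllers (primary group 516) are unconstrained by design.
                        if ($_.primaryGroupID -eq 516) { 'Unconstrained (domain controller, expected)' }
                        else                           { 'Unconstrained (review)' }
                    } else { 'Unknown' }
            [pscustomobject]@{
                Name       = $_.Name
                Class      = $_.ObjectClass
                Delegation = $kind
                Targets    = ($targets -join '; ')
            }
        }
}

function Get-UnprotectedPrivilegedAccounts {
    # Tier-0 group members that lack UF_NOT_DELEGATED (0x100000, "Account is
    # sensitive and cannot be delegated") and are not in Protected Users can be
    # impersonated by any of the services listed above.
    $protected = @(Get-ADGroupMember 'Protected Users' -Recursive -ErrorAction SilentlyContinue |
                   Select-Object -ExpandProperty distinguishedName)
    foreach ($g in 'Domain Admins', 'Enterprise Admins', 'Administrators') {
        Get-ADGroupMember $g -Recursive | Where-Object objectClass -eq 'user' |
            Get-ADUser -Properties userAccountControl |
            Where-Object { -not ([int]$_.userAccountControl -band 0x100000) -and $protected -notcontains $_.DistinguishedName } |
            Select-Object @{ n = 'Group'; e = { $g } }, SamAccountName, DistinguishedName
    }
}

Get-DelegationInventory        | Sort-Object Delegation, Name | Format-Table -AutoSize
Get-UnprotectedPrivilegedAccounts | Format-Table -AutoSize
```

Two results deserve a ticket: any non-DC object in the "Unconstrained (review)" row, because a TGT of every user who ever authenticated to it sits in its memory, and any account in the second list, because it is the user half of the impersonation the post describes. Marking those accounts as sensitive, or putting them in Protected Users, removes them from what delegation can reach without changing a single service.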