A new post about Kerberos.. indeed some techno stuff nobody seems to understand but which is very important for security. A new feature in Windows 2008 IIS7 is the kernel mode support. What does it do, and more importantly, how can it help you?
Once in a while, antivirus companies create a new signature file that kinda stops the entire system instead of just the virus..
It’s like the doctor amputates the heart of the patient, just to cure a bruise.
Congratulations McAfee this time:
When creating a forest trust, each domain within the trusted forest becomes trusted. While this is sometimes not desired, it is possible to limit the scope by implementing selective authentication. You can then allow authentication only between the domains you want by granting the "Allowed to authenticate" right to only those domains' objects.
In a previous entry I’ve explained how you can run services under the new Managed Service Account. Say now that we want to use this service account in combination with Kerberos and the account needs to be trusted for delegation. We set an SPN on it, but in Active Directory Users and Computers we seem to be unable to find the trusted for delegation option.. Let’s take a closer look at these accounts once they have been created; to do this we’ll be using ldp.exe.
So we’ve seen how a trust is set up, and how we can manipulate the domain controllers involved. Can we do the same for authentication traffic? The answer would be yes, but why it is a yes, and how, is the main question.
While many believe WINS or LMHOSTS can help us on external (non-forest) trusts, we dive into a packet capture that has captured the opening of a fileshare on a remote forest.
For this demo, I have installed a resource server in the forestroot domain, and a RIVER client on the OCEANFLOOR domain.
So I was wondering the following: how do all the domain controllers know that the trust is established, since (see previous post) we cannot accurately say which domain controller is being used..
We have the same problem with user passwords, where the PDC casts the deciding vote on whether the (just changed) password for the user is valid. The same seems to apply for trusts. By running a trace while creating the trust on a “regular” domain controller and not the PDC, we can find out how that is accomplished. For this, I have installed a domain controller called MICHDC01 which is on the (newly created) LAKES site.
In the first part of the forest authentication blog post, we’ve seen that a particular path is used depending on Kerberos or NTLM authentication. We’ve also seen that domain controllers rely on other domain controllers of the forest to find the right domain (and thus the object in the AD). The question now is: which domain controller of the other forest is used to authenticate the user? What happens during a trust creation, do we really need the PDC emulator? Will LMHOSTS still help us, like it did in the old days?
Those questions we will answer in this series of authentication across trusts part 2, 3 etc..
When you want to control the bindings on a network card in Server Core (2008R2), you're stuck with the registry editor. So how do you A: know what binding you want to remove, B: locate it, C: disable it.. A is easy.. you want to remove File and Printer Sharing, Client for […]
So I tried to install the FIM RC (u3) in a demo environment, and what a hassle that was.. My setup was fairly easy, all (except SQL) on a single box.. of course reading is not my best skill, but the install went fine.. and the portal was ready for the administrator account (the one I installed it with). It opened on the FIM server without a problem, but getting it to work remotely, that was another problem..
The guide tells you to register SPNs for Kerberos to work if the FIM Portal and FIM Service are on separate servers, but ALSO if you want to use the FIM password reset extension.. however, registering the http/servername SPN to a service account renders the remote login useless.. you will receive an HTTP Error 401: The requested resource requires user authentication.
If you were to google (or bing) that error code, the links tell you to disable Kernel Mode Kerberos in IIS.. well, that kinda did NOT do the trick either, and although the SharePoint site comes up then, the FIM portal dies..
When installing MOSS in a 2008R2 environment, you will notice that the Best Practices Analyser for SharePoint will not run.. now this is not only due to the fact that the BPA is running on the 2008R2 environment, it’s when the entire SharePoint farm is running on 2008R2. One option is to have a single 2008/2003 server in the same farm and point to that, or wait for the next release of the BPA for SharePoint.
The error received would be: Failed to retrieve the configuration database connection string from machine ‘<insert machinename>’ due to the following error: Failed to retrieve the configuration database connection string from machine ‘<insert machinename>’