Tag: ACTIVEDIRECTORY
-
LDAP Proxy for old stuff
Doing Active Directory Migrations is always tricky, certainly on applications. I’ve recently came across an application that performs an (uche 200x) based simple-LDAP bind to validate credentials. Now, we could rewrite the entire application to use SAML, OpenIDConect, Kerberos, Headers or whatever. But that’s not always possible. But how do we manage applications that do…
-
Look up… DNS Anycast on ADDS
When deploying Active Directory, it has been a tradition to set the DNS IP addresses on clients to match the nearest Domain Controller to the clients. This means that every DHCP scope in the organization has to have different IP addresses for the name servers and administrators have to manually ensure everything is configured correctly.…
-
Offline AD Domain Join for Azure Files
The URL: Windows Virtual Desktop for the enterprise – Azure Example Scenarios | Microsoft Docs explains a bit on how the integration with Azure Files and Active Directory can be accomplished. However, it does not highlight the creation of the AD object to represent the storage in your Active Directory. So a short post on…
-
F5 – LDAP – Active Directory Lightweight Services
Some people have had some trouble with the F5 demo I posted about where we can inject additional HEADERS based on an external LDAP store. While this post specifically goes into setting up the LDAP store for that, it can also be used for any Active Directory LDAP deployment. First let’s start with a standard…
-
Azure AD – Domain services preview features
There are 3 (relatively) new functions in Azure AD Domain Services. Both in preview at the time of writing but combining all can unlock new functionality. This post will go over the following items with regards to Azure AD – Domain Services What’s new in Azure AD – Domain Services Force trust creation with AAD-DS/ADDS…
-
F5 – Allowing AAD Guests Kerberos Access
F5 – KCD – AAD – B2B In my last post I gave you a script that allows the automatic creation of B2B users in your local AD to enable you to publish (on-premises) Kerberos applications using Constraint Delegation. In this post, we will enable an F5 to use this setup to actually publish the…
-
F5 BIG-IP & AAD & KCD Simplified
With the release of an Application in Azure AD, the configuration of F5 publishing Kerberos backend applications have just been made a whole lot easier. This we cover in this post, but as an added bonus, the previous post adds the possibility of authenticating (Forest) trusted users on the same backend server using KCD (although…
-
F5 Big-IP & AAD & BASIC / NTLM
In our previous post we looked at using Azure AD to perform the authentication for our F5 published web apps that used Kerberos. Now the strength of the F5 APM module is the SSO capabilities that allow it to authenticate users once and then they could reach any web app published by it, regardless of…
-
F5 Big-IP & AAD & KCD
The title being full of acronyms, this topic is about publishing Kerberos based websites behind an F5 load balancer, while using Azure AD as the authenticating service. Or in more technical terms, F5 will rely on an external SAML based token to perform Kerberos Constraint Delegation towards a backend server. Get settled in, this is…
-
ImmutableID – mS-DS-ConsistencyGuid – AADConnect – ADMT – part 3b
In part 3a, we explained how ADFS can be used in cross-forest migrations to ensure all users (migrated or not) can still authenticate. In part 3B we will be looking at Pass-Through authentication and how it affects migrated/non-migrated users. First of all, we need to make sure we have pass-through authentication agents deployed. In my…
-
ImmutableID – mS-DS-ConsistencyGuid – AADConnect – ADMT – part 3a
To continue our coverage of ADMT and AAD, part three of the series. I know I promised 3 articles, but given the amount of data, I’ll split part 3 (authentication) in a few more posts.. We have 1 AAD and 2 AD’s; FORESTOOT.local as the source and TARGET.local is still the target AD forest. There…