Tag: ACTIVEDIRECTORY

  • ImmutableID – mS-DS-ConsistencyGuid – AADConnect – ADMT – new series

    My posts on the ImmutableID seem to keep attracting readers from all over the world, so let’s continue the fun. In a new series of posts we will be looking at the influence of the ImmutableID and Cross-Forest Anchor (name given by me, not sure if it is the actual name for it) in an…

  • Azure Stack Development Kit – Custom AD

    (Not supported by Microsoft alert!) Azure Stack uses Active Directory technologies for identity management and authentication. By default, Azure Stack has two modes it can operate in. It can be used in AAD mode, utilizing Azure Active Directory for identity and permission assignment as well as federated authentication, or it can be set up in the…

  • AAD Pass-Through Authentication – SSO without ADFS

    There are multiple options for authenticating users against Azure AD. But until now, full support for SSO-based logins was only possible using two options: Azure AD joined devices, or a local ADFS service in front of your on-premises Active Directory. The latter is the most used option, but it also has its problems; first of all you…

  • Selective password synchronization with AAD-Connect

    In my previous post, I talked about the possibility of using Kerberos Constrained Delegation to avoid having passwords in AAD. However, sometimes you want to have a few passwords in AAD Domain Services to ensure that administrators can still log in to the VMs interactively (RDP) or users are able to use certain services that are not…

  • ImmutableID – mS-DS-ConsistencyGuid – ADConnect

    The good thing about new software is that bugs and ‘features’ are removed; the bad thing is that sometimes whatever you have blogged about either makes no sense any more, or even worse, only half of it still applies from that point on. So as AADSync was replaced by AD Connect, I got emails about the configuration…

  • ADFS on Azure

    Azure Active Directory, and thus any relying party on that service (such as Office 365), has two different modes for (your) custom domains that are added to it: Managed and Federated. Managed means that the authentication happens against Azure Active Directory. The password hashes of the user accounts are in Azure AD and no…

  • Pass the Hash

    When you create a new forest or a new domain, you use the Domain Admin credentials. Through the use of the “Administrator” account you can control each and every workstation and server. You can install Exchange, System Center products and much, much more. But Microsoft is probably thinking twice now about the framework they have chosen…

  • Mitigating attacks on your Active Directory network

    Microsoft released a new whitepaper this week that gives insight into why you should protect your privileged accounts. One of the techniques described is the Pass-the-Hash attack, which is sophisticated in principle but fairly easy to execute. These attacks have been seen in the “field” and are being used today. If you work with…

  • Import/Export Active Directory data…

    I was trying to get a test environment up and running that should reflect the production environment of my customer (of course at the customer’s site, secured and all). One task was to duplicate the OU structure, group structure and user information (without passwords). Browsing through the web I found a VBS script that can…

  • Selective authentication

    When creating a forest trust, every domain within the trusted forest becomes trusted. Where this is not desired, the scope can be limited by implementing selective authentication. Users from the trusted forest are then only able to log on to those resource (computer) objects in the trusting domain on which the Allowed to Authenticate right has explicitly been granted to them, so you can restrict access to exactly the domains, servers and groups you want.
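    The procedure above as a worked PowerShell example. This is an added example, not code from the original post: it assumes hypothetical forest names corp.example (trusting, resource forest) and partner.example (trusted, account forest), a resource server FS01 and a group FileShareUsers in the trusted forest. The Allowed-To-Authenticate extended right is identified by its well-known rights GUID 68b1d179-0d15-4d4f-ab71-46152e79a7bc.

```powershell
# Added example (not from the original post). Assumed names: corp.example (trusting
# forest), partner.example (trusted forest), resource server FS01, group FileShareUsers.
# Run on a domain controller of corp.example, or from RSAT, as a Domain Admin.
Import-Module ActiveDirectory

$TrustingDomain = 'corp.example'
$TrustedDomain  = 'partner.example'

# 1. Switch the existing forest trust from forest-wide to selective authentication.
#    netdom is the supported tool for this; the ActiveDirectory module has no cmdlet for it.
netdom trust $TrustingDomain /domain:$TrustedDomain /SelectiveAuth:Yes

# 2. Verify: SelectiveAuthentication must now read True for the trust object.
Get-ADTrust -Identity $TrustedDomain |
    Select-Object Name, Direction, ForestTransitive, SelectiveAuthentication

# 3. Grant Allowed-To-Authenticate on the resource computer object to a group
#    from the trusted forest. The group is resolved by SID, so the ACE stays valid
#    even if the group is renamed in partner.example.
$AllowedToAuthenticate = [Guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'
$ComputerDn = (Get-ADComputer -Identity 'FS01').DistinguishedName
$GroupSid   = (Get-ADGroup -Identity 'FileShareUsers' -Server $TrustedDomain).SID

$acl = Get-Acl -Path "AD:\$ComputerDn"
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $GroupSid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $AllowedToAuthenticate)
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$ComputerDn" -AclObject $acl

# 4. Audit: list every principal that holds Allowed-To-Authenticate on this server.
#    Anything not in this list from the trusted forest will get a logon failure on FS01.
(Get-Acl -Path "AD:\$ComputerDn").Access |
    Where-Object {
        $_.ObjectType -eq $AllowedToAuthenticate -and
        ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)
    } |
    Select-Object IdentityReference, AccessControlType, IsInherited
```

    The right can equally be granted on an OU (with inheritance to computer objects) when a whole set of servers should be reachable; step 4 is worth running periodically, because a single ACE on a domain controller or an OU at the root of the domain silently turns selective authentication back into a forest-wide trust for whoever holds it.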

  • Cross Forest Authentication NTLM

    So we’ve seen how a trust is set up, and how we can manipulate which domain controllers are involved. Can we do the same for authentication traffic? The answer is yes, but why it is a yes, and how, is the main question. While many believe WINS or LMHOSTS can help us on external (non-forest) trusts,…

  • Creating trusts (as follow up to…)

    So I was wondering the following: how do all the domain controllers know that the trust is established, since (see previous post) we cannot accurately say which domain controller is being used? With the analogous problem for user passwords, the PDC emulator has the final say on whether a just-changed password for the user is valid. The…