Joining a domain via Smartcards

http://technet.microsoft.com/en-us/library/cc721959.aspx A snip from the article: Smart card root certificate requirements for use when joining a domain. When using a smart card to join a domain, the smart card certificate must comply with one of the following conditions: The smart card certificate must contain a Subject field that contains the DNS domain name within the…


More fun with Kerberos and Web Sites

SPNs. Service Principal Names. I am not going to go into the details of how SPNs are used right now; see my other posts on Kerberos or go use your favorite search engine to determine how they are used. Most of this post will relate to web sites and access to sites via Kerberos. Scenario:…


James saved me many hours of pain..

Gotta love the internet. The Tubes. I was trying to install/reinstall IIS in Windows Server 2008 and it would not install. Web Server (IIS) Error: Attempt to install IIS Management Console failed with error code 0x80070643. Fatal error during installation Error: Attempt to install Static Content Compression failed with error code 0x80070643. Fatal…


Honey, I lost the (private) keys — EFS keys missing?

Interesting EFS issue the other day.. Customer was rolling out EFS, so they set up DRAs and this worked great. When they encrypted files, the DRAs showed up just fine in the file information. However, when they went to decrypt a file via the assigned DRA account, it failed to recover the…


Kerberos domain routing

So the scenario is pretty simple. Forest trust like so: Basic problem. User tried to access SharePoint and fails to use Kerberos. So we can review the end to end process (still at a high level): 1. User logs on 2. User gets TGT for kz.com domain 3. …


SQL pains..

So I was working on some code to read and write data to SQL (not using LINQ or any fancy stuff.. heck, I just started doing managed code). I was specifically interested in the count of times; it should look something like this (from SQL): select COUNT(DateandTime),DateandTime from MyData group…


LDAP client tracing…

ADInsight from the Sysinternals toolset is a great tool, but I seem to have problems with it at times, specifically on Server 2008 & Vista (maybe due to the way it hooks wldap32.dll). On Vista and beyond, there is built-in client LDAP tracing which can give you similar results (with a…


Get Serial number, expiry date, subject name and subject alternative names in script

The question was something like this: …”What I need to be able to do is iterate through each certificate in the Local Machine’s Personal store and spit out at least the serial number, expiry date, subject name and subject alternative names.” Here is the output: Serial: 619487CD000000E4DCFF SubjectName: CN=SPATDSG, OU=Workstations, OU=Machines, DC=crisco,…


Windows 2008 CA fails install ( ADCS ) : Object already exists. 0x8009000f

During the installation of Windows Server 2008 (2k8) certificate services (ADCS) the installation fails with the following error: The installation debug logs under \windows\certocm.log will show something similar to the following: 202.5443.271: Generate Keys: TestHSMSPat: nCipher Enhanced Cryptographic Provider: 0x800(2048): Object already exists. 0x8009000f (-2146893809) 0.299.965: Message Box: Microsoft Active…


Create a Dump file with pagefile on non boot partition..

The general advice in Windows is to place the paging file on the boot partition in order to get a crash dump file. Here is a snip from an older KB: “… However, if you remove the paging file from the boot partition, Windows cannot create a dump file (Memory.dmp) in which to write debugging information…
