Add claims with claim name..

Just a reminder to self. Wanted to add multiple claims and needed to also have the name specified – not sure where this was documented but here it is anyway – maybe I overlooked it somewhere.

$claim_PrimarySID = New-AdfsClaimRuleSet -ClaimRule '@RuleName = "Pass through GroupSID" c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid"] => issue(claim = c);'
$claim_GroupSid = …
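An added example, not from the original post, of the same technique carried through: several named rules built into one rule set and applied to a relying party trust. The trust name "ClaimsApp" is hypothetical; the claim type URIs and the rule-language syntax are the standard ADFS ones.

```powershell
# Added example (not the post's code): build a rule set of several named
# issuance transform rules and apply it to a relying party trust.
# Assumptions: run on the federation server with the ADFS module available, and
# a relying party trust named "ClaimsApp" (hypothetical) already exists.
Import-Module ADFS

$rules = @(
    # Rule 1: pass through the primary SID
    '@RuleName = "Pass through PrimarySID"
     c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid"]
      => issue(claim = c);',

    # Rule 2: pass through group SIDs, but only those from this domain's SID prefix
    # (S-1-5-21-...) so well-known and foreign SIDs are not leaked to the application
    '@RuleName = "Pass through domain GroupSIDs"
     c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "^S-1-5-21-"]
      => issue(claim = c);',

    # Rule 3: look up the UPN from AD; the Issuer constraint means only a
    # Windows-authenticated account name can drive the query
    '@RuleTemplate = "LdapClaims"
     @RuleName = "UPN from AD"
     c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
      => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";userPrincipalName;{0}", param = c.Value);'
)

# One rule set holding all three rules; each carries its own @RuleName so the
# management console shows a readable name rather than a blank one.
$ruleSet = New-AdfsClaimRuleSet -ClaimRule $rules

# Review the serialized rules before applying them
$ruleSet.ClaimRulesString

# This REPLACES the trust's issuance transform rules; append to the array above
# if the existing rules must be kept.
Set-AdfsRelyingPartyTrust -TargetName "ClaimsApp" -IssuanceTransformRules $ruleSet.ClaimRulesString

# Confirm what the trust now issues
(Get-AdfsRelyingPartyTrust -Name "ClaimsApp").IssuanceTransformRules
```

Passing every group SID straight through, as in the one-liner above, hands the relying party the user's full group membership; the `Value =~` filter in rule 2 is the usual way to scope what leaves the federation server.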

Timeouts or delays connecting to WinRM

Ran into an interesting issue the other day where WinRM connections were taking 15-20s per connection to the domain controllers and, due to many connections from an automation system, connections would back up and then fail. The only real hint we had was from the WinRM logs:

logman.exe start winrm -p Microsoft-Windows-Winrm -o winrm.etl -ets …
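An added example, not part of the original post, that measures what the post describes before reaching for an ETW trace: time a WinRM session setup against every domain controller and flag the slow ones. It assumes the ActiveDirectory module, Kerberos-authenticated WinRM to the DCs, and an arbitrary 5-second threshold.

```powershell
# Added example (not the post's code): per-DC WinRM session setup latency.
# Assumptions: ActiveDirectory module present, WinRM reachable on each DC,
# 5 s chosen as the "slow" threshold for illustration.
Import-Module ActiveDirectory

$threshold = [TimeSpan]::FromSeconds(5)
$dcs = (Get-ADDomainController -Filter *).HostName

$results = foreach ($dc in $dcs) {
    $ok = $false; $err = $null
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        # Force Kerberos so a silent fallback to NTLM/Negotiate cannot hide
        # (or cause) the delay being measured
        $s = New-PSSession -ComputerName $dc -Authentication Kerberos -ErrorAction Stop
        $ok = $true
        Remove-PSSession $s
    } catch {
        $err = $_.Exception.Message
    }
    $sw.Stop()
    [pscustomobject]@{
        DC        = $dc
        Connected = $ok
        Seconds   = [math]::Round($sw.Elapsed.TotalSeconds, 2)
        Slow      = ($sw.Elapsed -gt $threshold)
        Error     = $err
    }
}

$results | Sort-Object Seconds -Descending | Format-Table -AutoSize

# For a DC that shows up as slow, capture the WinRM provider trace on that DC
# while reproducing one connection, then stop it. The .etl opens in Event
# Viewer or converts with tracerpt.
# Invoke-Command -ComputerName $dc { logman.exe start winrm -p Microsoft-Windows-WinRM -o C:\winrm.etl -ets }
# Invoke-Command -ComputerName $dc { logman.exe stop winrm -ets }
```

Run it from the host that does the automation, not from a DC, so name resolution, SPN lookup and the network path are the same ones the automation uses.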

Automate Forest trust creation

Just a quick note: In case you were not aware – netdom.exe cannot create a Forest trust (inbound or outbound). But you can leverage the S.DS namespace to automate this with a little PowerShell:

$targetForestName = "targetForest.local"
$trustPassword = "PassWord123!23"
$TrustDirection = "Outbound"   # see http://msdn.microsoft.com/en-us/library/system.directoryservices.activedirectory.trustdirection.aspx
$Forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$Forest.CreateLocalSideOfTrustRelationship($targetForestName,$TrustDirection,$trustPassword)

or both sides:…
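An added example, not the post's code, that goes a step beyond the one-sided snippet: it creates both sides of the trust through the same System.DirectoryServices.ActiveDirectory classes, then sets the two controls a reviewer will ask about (SID filtering and selective authentication) and verifies the result. The forest name is hypothetical, and it assumes Enterprise Admin rights locally plus a credential with the same rights in the target forest.

```powershell
# Added example (not the post's code): both sides of a forest trust plus hardening.
# Assumptions: running as Enterprise Admin in the local forest; $cred is an
# Enterprise Admin in the (hypothetical) target forest "targetForest.local".
Add-Type -AssemblyName System.DirectoryServices

$targetForestName = "targetForest.local"
# Prompt rather than embedding a password literal in the script
$cred = Get-Credential -Message "Enterprise Admin in $targetForestName"

$local = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()

# Bind to the remote forest with the supplied credential
$ctx = New-Object -TypeName System.DirectoryServices.ActiveDirectory.DirectoryContext -ArgumentList @(
    [System.DirectoryServices.ActiveDirectory.DirectoryContextType]::Forest,
    $targetForestName,
    $cred.UserName,
    $cred.GetNetworkCredential().Password
)
$remote = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($ctx)

# Outbound: the local forest trusts the target forest, so the target's users can
# reach local resources. Create only the direction actually required.
$direction = [System.DirectoryServices.ActiveDirectory.TrustDirection]::Outbound

# Creates the local and the remote side in one call; no shared trust password
$local.CreateTrustRelationship($remote, $direction)

# SID filtering (quarantine) rejects SIDs in the inbound PAC that the trusted
# forest is not authoritative for, e.g. a planted SIDHistory pointing at a
# privileged group over here.
$local.SetSidFilteringStatus($targetForestName, $true)

# Selective authentication: trusted users can only authenticate to computers
# where they have been granted "Allowed to Authenticate", instead of to all.
$local.SetSelectiveAuthenticationStatus($targetForestName, $true)

# Verify: VerifyTrustRelationship throws if the trust is not functional
$local.VerifyTrustRelationship($remote, $direction)
$t = $local.GetTrustRelationship($targetForestName)
[pscustomobject]@{
    Source        = $t.SourceName
    Target        = $t.TargetName
    Direction     = $t.TrustDirection
    SidFiltering  = $local.GetSidFilteringStatus($targetForestName)
    SelectiveAuth = $local.GetSelectiveAuthenticationStatus($targetForestName)
}
```

CreateTrustRelationship needs credentials valid in both forests at once; when the two sides are administered by different teams, the post's CreateLocalSideOfTrustRelationship with a shared trust password is the way to create each half independently, and the SID filtering and selective authentication calls apply the same way afterwards.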

DC fails logons or experiences LDAP timeouts

This was an interesting one which rolled by recently, and it's a looong post so I apologize ahead of time. Let's start with the end user experience and move on from there: User(s) cannot send mail or retrieve mail from Exchange 2010 server. Well that's pretty simple…

Audit policy not registering audits

So there was an interesting case which floated my way the other day. The Audit policies in the domain controllers policy were set to the following, and there were no other policies blocking or changing these. After a policy update the following events were logged:

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          5/23/2011 7:58:56…

HowTo: Disable UPN mapping for SmartCard logon

<rant> good lord this is an ugly blog… I need to find the time to customize this hideous new theme </rant> It's been a while since I've blogged about something around smartcards (ha!), so here goes. Here is the basic setup. The smartcard certificate has the following key information:

Serial:…

Just a quick post on IIS7 cert mapping setup

1. Install the role service under IIS.
2. At the Server level, enable DS mapping under authentication.
3. Create the web site.
4. Enable it for HTTPS (bindings).
5. Set the site to require certs.
6. Enable it for the site:

C:\Windows\SysWOW64\inetsrv>appcmd unlock config /section:clientCertificateMappingAuthentication
Unlocked section "system.webServer/security/authentication/clientCertificateMappingAuthentication" at configuration path "MACHINE/WEBROOT/APPHOST".

C:\Windows\SysWOW64\inetsrv>appcmd set config "CertAuthWebSite" -section:clientCertificateMappingAuthentication /enabled:true…
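An added check, not part of the original post, that verifies the outcome of the steps above: HTTPS binding present, client certificates required rather than merely negotiated, DS (Active Directory) certificate mapping enabled, and anonymous authentication off (the last is an extra check a practitioner would want, not a step the post lists). It uses the WebAdministration module and the site name "CertAuthWebSite" from the post.

```powershell
# Added example (not the post's code): verify the IIS client-certificate mapping
# setup. Assumptions: WebAdministration module (IIS 7.x with the PowerShell snap-in
# or later), site name "CertAuthWebSite" as in the walkthrough.
Import-Module WebAdministration

$site = "CertAuthWebSite"
$path = "IIS:\Sites\$site"

# sslFlags is a flags value rendered as e.g. "Ssl, SslNegotiateCert, SslRequireCert"
$ssl   = "$((Get-WebConfigurationProperty -PSPath $path -Filter 'system.webServer/security/access' -Name sslFlags).Value)"
$dsMap = (Get-WebConfigurationProperty -PSPath $path -Filter 'system.webServer/security/authentication/clientCertificateMappingAuthentication' -Name enabled).Value
$anon  = (Get-WebConfigurationProperty -PSPath $path -Filter 'system.webServer/security/authentication/anonymousAuthentication' -Name enabled).Value
$https = Get-WebBinding -Name $site -Protocol https

$checks = [ordered]@{
    "HTTPS binding exists"    = [bool]$https
    "SSL required"            = ($ssl -match "\bSsl\b")
    # SslNegotiateCert alone only ACCEPTS a certificate; without SslRequireCert a
    # client that presents none still gets in (and DS mapping never happens)
    "Client cert required"    = ($ssl -match "SslRequireCert")
    "DS cert mapping enabled" = [bool]$dsMap
    "Anonymous auth disabled" = (-not [bool]$anon)
}

$failed = 0
foreach ($c in $checks.GetEnumerator()) {
    $state = if ($c.Value) { "OK" } else { $failed++; "FAIL" }
    "{0,-26} {1}" -f $c.Key, $state
}
if ($failed) { Write-Warning "$failed check(s) failed for $site" }
```

The "require certs" step corresponds to the `SslRequireCert` flag; in appcmd terms that is `appcmd set config "CertAuthWebSite" -section:system.webServer/security/access -sslFlags:"Ssl,SslNegotiateCert,SslRequireCert"`, which is what the check above looks for.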

More Kerberos fun with PACs: decrypt the PAC

I had been meaning to blog about this for a while, and recently was teaching a class when a friend of mine looked into the exact steps and issues – thanks Woody. It may be interesting to peek into the PAC every once in a while and make sure everything is OK. Yaknow – like…

There and back again.. the journey of a bug in ADFS

Let's look at a bug fix, end to end. So back in November, my friend Jim Simonet had posted a question about a problem with ADFS using ADAM as the auth store and specifying that it connect via LDAP over SSL. He could connect to ADAM via LDP on 636, so we knew ADAM and…

More fun with Kerberos and Web Sites

SPNs. Service Principal Names. I am not going to go into the details of how SPNs are used right now; see my other posts on Kerberos or go use your favorite search engine to determine how they are used. Most of this post will relate to web sites and access to sites via Kerberos. Scenario:…
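An added example, not part of the original post, for the web-site case: find which account holds the HTTP SPNs for a site's host name and flag duplicates across the forest, since a duplicate or missing HTTP SPN is the usual reason a site silently falls back to NTLM. It binds to the global catalog with DirectorySearcher, so it needs no extra modules; the host name "www.contoso.com" is hypothetical.

```powershell
# Added example (not the post's code): locate and sanity-check HTTP SPNs for a host.
# Assumptions: run from a domain-joined machine; "www.contoso.com" is a placeholder.
param([string]$HostName = "www.contoso.com")

function Find-SpnHolders {
    param([string]$Spn)
    # Search the global catalog so accounts in every domain of the forest are covered
    $rootDn = ([ADSI]'LDAP://RootDSE').rootDomainNamingContext
    $gc = [ADSI]"GC://$rootDn"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($gc)
    $searcher.Filter = "(servicePrincipalName=$Spn)"
    $searcher.PageSize = 1000
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@("sAMAccountName","objectClass","distinguishedName"))
    foreach ($r in $searcher.FindAll()) {
        [pscustomobject]@{
            SPN     = $Spn
            Account = [string]$r.Properties["samaccountname"][0]
            Class   = [string](@($r.Properties["objectclass"])[-1])   # most specific class: user or computer
            DN      = [string]$r.Properties["distinguishedname"][0]
        }
    }
}

# Clients request HTTP/<name as typed>, so check the FQDN and the short name.
$short = $HostName.Split(".")[0]
$all = foreach ($spn in "HTTP/$HostName", "HTTP/$short") { Find-SpnHolders -Spn $spn }

$all | Format-Table -AutoSize

# Two accounts with the same SPN: the KDC issues a ticket for whichever it finds
# first, the other side cannot decrypt it, and the client falls back to NTLM.
$all | Group-Object SPN | Where-Object Count -gt 1 | ForEach-Object {
    Write-Warning ("Duplicate SPN {0} held by: {1}" -f $_.Name, ($_.Group.Account -join ", "))
}
if (-not $all) {
    Write-Warning "No account holds HTTP/$HostName; Kerberos cannot be used for this site."
}
```

The SPN must sit on the account the application pool runs as (a service account for a custom pool identity, the computer account for Network Service or ApplicationPoolIdentity); `setspn -X` does the forest-wide duplicate check for every SPN, while this script narrows it to one host and shows which principal currently owns it.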
