Spat's WebLog (Steve Patrick)

When things go wrong...

Tagged Content List
  • Blog Post: Add claims with claim name..

    Just a reminder to self.. Wanted to add multiple claims and needed to also have the name specified - not sure where this was documented but here it is anyway - maybe I overlooked it somewhere. $claim_PrimarySID = New-AdfsClaimRuleSet -ClaimRule '@RuleName = "Pass through GroupSID" c:[Type =...
  • Blog Post: Automate Forest trust creation

    Just a quick note: In case you were not aware - netdom.exe cannot create a Forest trust (inbound or outbound). But you can leverage the S.DS namespace to automate this with a little powershell: $targetForestName = "targetForest.local" $trustPassword = "PassWord123!23" $TrustDirection ...
  • Blog Post: DC fails logons or experiences LDAP timeouts

    DC fails logons or experiences LDAP timeouts This was an interesting one which rolled by recently, and it’s a looong post so I apologize ahead of time. Let’s start with the end user experience and move on from there: User(s) cannot send mail or retrieve mail from Exchange 2010 server...
  • Blog Post: Audit policy not registering audits

    So there was an interesting case which floated my way the other day. The Audit policies in the domain controllers policy was set to the following, and there were no other policies blocking or changing these. After a policy update the following events were logged: Log Name: Security...
  • Blog Post: HowTo: Disable UPN mapping for SmartCard logon

    <rant> good lord this is an ugly blog... I need to find the time to customize this hideous new theme </rant> It’s been a while since I’ve blogged about something around smartcards ( ha! ) , so here goes. Here is the basic setup. The smartcard certificate has the following...
  • Blog Post: Just a quick post on IIS7 cert mapping setup

    Install the role service under IIS At the Server level - enable DS mapping under authentication: Create the web site. Enable it for HTTPS ( bindings ) Set the site to require certs under: Enable the site : C:\Windows\SysWOW64\inetsrv> appcmd unlock config /section:clientCertificateMappingAuthentication...
  • Blog Post: More Kerberos fun with PAC’s- decrypt the PAC

    I had been meaning to blog about this for a while, and recently was teaching a class when a friend of mine looked into the exact steps and issues – thanks Woody. It may be interesting to peek into the PAC every once in a while and make sure everything is OK. Yaknow – like a long lost cousin. See http...
  • Blog Post: There and back again.. the journey of a bug in ADFS

    Let's look at a bug fix.. end to end. So back in November, my friend Jim Simonet had posted a question about a problem with ADFS using ADAM as the auth store and specifying that it connect via LDAP over SSL. He could connect to ADAM via LDP on 636, so we knew ADAM and the certificate validation...
  • Blog Post: More fun with Kerberos and Web Sites

    SPN’s. Service Principal Names. I am not going to go into the details of how SPN’s are used right now, see my other posts on Kerberos or go use your favorite search engine to determine how they are used. Most of this post will relate to web sites and access to sites via Kerberos. Scenario...
  • Blog Post: Kerberos domain routing

    So the scenario is pretty simple. Forest trust like so: Basic problem. User tried to access SharePoint and fails to use Kerberos. So we can review the end to end process ( still at a high level ) 1. User logs on 2. User gets TGT for kz.com domain 3. User requests...
  • Blog Post: LDAP client tracing...

    ADInsight from the Sysinternals toolset is a great tool, but I seem to have problems with it at times. Specifically on Server 2008 & Vista (maybe due to the way it hooks wldap32.dll). On Vista OS and beyond, there is built-in client LDAP tracing which can give you similar results ( with a wee...
  • Blog Post: How to populate the “Street” field with more than 1 line of text...or, how to use top down tshooting.

    The goal was to get the street attribute to be a multi-lined value.. not streetAddress which is easy enough to do from the GUI. So part of this is to help folks understand that if you take the basics of a system, and expand on those, then you can resolve a lot of your issues on your own. I guess...
  • Blog Post: Remote Server Administration Toolset (RSAT) for Windows Vista SP1 -- now available!

    Long awaited remote admin tools you can toss on Vista.. located here: http://www.microsoft.com/downloads/details.aspx?FamilyID=9ff6e897-23ce-4a36-b7fc-d52065de9960&DisplayLang=en and x64 here: http://www.microsoft.com/downloads/details.aspx?FamilyID=d647a60b-63fd-4ac5-9243-bd3c497d2bc5&DisplayLang...
  • Blog Post: Group Policy Preferences CSE for download -

    Group Policy Preference Client Side Extensions for Windows XP (KB943729) Multiple Group Policy Preferences have been added to the Windows Server 2008 Group Policy Management Console (which are also available through the Remote Server Administration Toolset (RSAT) for Windows Vista SP1). ...
  • Blog Post: "Kerberos delegation .. end to end" Part III

    When we last left off, we had just installed SQL. Also my standard disclaimer for this series: First off let me say that I am not a “SQL guy” nor am I an “IIS guy” .. I am primarily a platforms OS kinda guy. However, I can wing my way thru some of those two technologies. This series...
  • Blog Post: Set WMI namespace security via GPO (script)

    This was an example of setting WMI security via a script - the specific question was: “Is there a way I can change the permissions on WMI (need to grant remote enable access) so I can grant a service account read access to certain machines via Group Policy?” This came up on the activedir mailing...
  • Blog Post: "Kerberos delegation .. end to end" Part II

    When we left off - I was about to install SQL. Also my standard disclaimer for this series: First off let me say that I am not a “SQL guy” nor am I an “IIS guy” .. I am primarily a platforms OS kinda guy. However, I can wing my way thru some of those two technologies. This series of...
  • Blog Post: "Kerberos delegation .. end to end" Part I

    First off let me say that I am not a “SQL guy” nor am I an “IIS guy” .. I am primarily a platforms OS kinda guy. However, I can wing my way thru some of those two technologies. This series of posts may not exactly follow best practices when it comes to SQL or IIS but it will definitely get you...
  • Blog Post: A few handy queries to ask Active Directory

    I just wanted to do a random DS-related post. These are a few useful constructed attributes. A constructed attribute is one which is not directly stored in the AD, but is constructed specifically when requested. More info on MSDN I'm sure.. Some useful ones are … AllowedAttributesEffective...
  • Blog Post: AD insight released as free download

    Some folks may recall this from using the Winternals product.. ADInsight is an LDAP (Lightweight Directory Access Protocol) real-time monitoring tool aimed at troubleshooting Active Directory client applications. Use its detailed tracing of Active Directory client-server communications to solve...
  • Blog Post: The Conch Shell...and how DFS uses it.

    Ahh yes.. the conch shell. I run into weird problems all the time.. this was one of those weird problems. The high level statement was this: "Clients in remote sites are accessing mapped drives via explorer and the UI hangs for 10-15 minutes, they lose access to the mapped drive and on occasion...
  • Blog Post: Back up your event logs when full

    So many reg keys, so little time AutoBackupLogFiles - backs up the event logs "Using this entry causes the Event Log service to automatically clear a full event log and to back up the log file. " http://support.microsoft.com/kb/312571
  • Blog Post: Authentication weirdness

    Odd things … Well - it's been very busy around here and I haven't had a lot of time for posts.. but here was an interesting one… at least I thought so. It began with the following events being posted – it appeared that there was something wrong with the authentication of the server...
  • Blog Post: Why not to use DFSR one way replication....

    I won’t go into any support statements or nonsense in this post ( not foolish enough to step into that pie ). What I will do is go into some technical reasons of why this doesn’t work so well. Here is a sample setup: Here is how it is setup in the connection properties...
  • Blog Post: MaxConcurrentAPI update - monitor the netlogon secure channel ... finally!

    Edit 11/21/2011 NOTE: Please see http://support.microsoft.com/kb/975363 for updated information. Here is something which will be very very useful for a lot of larger IT shops. It is a DCR which implements perfmon counters to monitor netlogon performance, specifically the scenario I discussed...
Page 1 of 3 (58 items)