Active Directory Read Only Domain Controller (RODC) – “there are currently no logon servers available to service the logon request”

We had an issue where our RODCs suddenly stopped authenticating users and would not allow administrators to log on via RDP or locally at the console, giving this message: “there are currently no logon servers available to service the logon request”. Any downstream services that were trying to authenticate via LDAP or LDAPS also failed […]

Continuing Analysis and Resolution of NetApp and RC4 Issues Caused by (KB5019964) For CVE-2022-37967 and KB5021131 CVE-2022-37966

A long-running issue, which I covered in my previous posts (https://geekmungus.co.uk/?p=3532 and https://geekmungus.co.uk/?p=3593); this post should be taken as the current status of the problem and its resolution.

Issue

Following the patch KB5021131 (CVE-2022-37966), which was released November 8th 2022, we’ve continued to have some issues with Kerberos authentication to servers (devices) that use (and […]

Further Exploration of KB5019964 Kerberos Changes

NOTE: See https://geekmungus.co.uk/?p=3619 for the most up-to-date article! The following is my analysis, going deeper into my recent article https://geekmungus.co.uk/?p=3532; hopefully this will give you a bit more context and information, and working through the documentation also let me work through the issue in my head.

Synopsis

The patch KB5019964 changes what the […]

NetApp Running SMB version 1 Impacted by Microsoft Windows (KB5019964) for CVE-2022-37967

NOTE: See https://geekmungus.co.uk/?p=3619 for the most up-to-date article! We’ve had an issue with the recent “Security Update for Microsoft Windows (KB5019964)”, as, by the looks of it, have a load of other people. In our case we are running Microsoft Windows Server 2016 domain controllers; the NetApp filers are pretty old and we’re readying to […]
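
The checks behind these three KB5019964 / CVE-2022-37966 posts, as an added example that is not code from the original articles: it decodes msDS-SupportedEncryptionTypes on every computer account (which is where a NetApp CIFS server's object lives), reports the two KDC registry values the November 2022 updates introduced, and shows the Microsoft-documented workaround of declaring RC4 explicitly on a device that genuinely cannot do AES. It assumes the ActiveDirectory PowerShell module (RSAT) and that it runs on a domain controller for the registry part; the computer name NETAPP-CIFS$ is a placeholder.

```powershell
# Added example (not from the original posts): audit Kerberos encryption-type
# settings affected by KB5019964 / KB5021131. Assumes the ActiveDirectory module
# and, for the registry section, that this runs on a domain controller.
Import-Module ActiveDirectory

# Bit values of msDS-SupportedEncryptionTypes (MS-KILE 2.2.7)
$EncTypeBits = [ordered]@{
    0x01 = 'DES-CBC-CRC'
    0x02 = 'DES-CBC-MD5'
    0x04 = 'RC4-HMAC'
    0x08 = 'AES128-CTS-HMAC-SHA1-96'
    0x10 = 'AES256-CTS-HMAC-SHA1-96'
    0x20 = 'AES256-SK (session keys only)'
}

function ConvertTo-EncTypeNames {
    param([AllowNull()][int]$Value)
    if ($Value -eq 0) { return '(not set: KDC applies DefaultDomainSupportedEncTypes)' }
    ($EncTypeBits.GetEnumerator() |
        Where-Object { ($Value -band $_.Key) -ne 0 } |
        ForEach-Object { $_.Value }) -join ', '
}

# 1. KDC-side values on this DC.
#    DefaultDomainSupportedEncTypes: what the KDC assumes for accounts whose
#      msDS-SupportedEncryptionTypes is unset. The update introduced it with a
#      default of 0x27 (AES256 session keys + RC4 + DES), which is why RC4-only
#      devices with an unset attribute started receiving AES session keys.
#    KrbtgtFullPacSignature: PAC signature enforcement mode for CVE-2022-37967.
$kdcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc'
$kdc = Get-ItemProperty -Path $kdcKey -ErrorAction SilentlyContinue
[pscustomobject]@{
    DefaultDomainSupportedEncTypes = ConvertTo-EncTypeNames $kdc.DefaultDomainSupportedEncTypes
    KrbtgtFullPacSignature         = $kdc.KrbtgtFullPacSignature
}

# 2. Computer accounts that either have no explicit encryption types (UNSET) or
#    advertise no AES type at all (NO-AES). These are the objects to review
#    against the device's real capabilities.
Get-ADComputer -Filter * -Properties 'msDS-SupportedEncryptionTypes', OperatingSystem |
    ForEach-Object {
        $v = $_.'msDS-SupportedEncryptionTypes'
        $flag = ''
        if (-not $v) { $flag = 'UNSET' }
        elseif (($v -band 0x38) -eq 0) { $flag = 'NO-AES' }   # 0x38 = any AES bit
        [pscustomobject]@{
            Name            = $_.Name
            OperatingSystem = $_.OperatingSystem
            RawValue        = $v
            EncTypes        = ConvertTo-EncTypeNames $v
            Flag            = $flag
        }
    } | Where-Object Flag | Sort-Object Flag, Name | Format-Table -AutoSize

# 3. Workaround from KB5021131 for a device that only speaks RC4: state that
#    explicitly on its account rather than leaving the attribute unset, so the
#    KDC stops assuming AES session keys. 'NETAPP-CIFS$' is a placeholder.
# Set-ADComputer -Identity 'NETAPP-CIFS$' -Replace @{'msDS-SupportedEncryptionTypes' = 4}
```

Setting the attribute to 4 keeps the device working but leaves it on RC4, so treat it as a bridge until the filer is upgraded or replaced, and re-run the audit afterwards to confirm no other UNSET objects remain.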

Finding gMSA Accounts with Custom Search in ADUC

To find gMSA (Group Managed Service) accounts when your ADUC doesn’t offer them as a search option, use a “Custom Search”, click “Advanced”, then use the following string in the “Enter LDAP query:” box. Reference: https://www.mssqltips.com/sqlservertip/5340/using-group-managed-service-accounts-with-sql-server/
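
The same search done from PowerShell, as an added example that is not the post's own query: it filters on the gMSA schema class (the standard class name, not a quotation of the post's string, which is not reproduced here) and then lists, for each account, the principals allowed to retrieve its managed password, which is the setting that actually decides who can obtain the credential. It assumes the ActiveDirectory module (RSAT).

```powershell
# Added example (not from the original post): enumerate gMSAs and who may read
# their passwords. Assumes the ActiveDirectory module (RSAT) is installed.
Import-Module ActiveDirectory

# gMSAs are a distinct schema class, so an objectClass match is all the LDAP
# filter needs. This is the standard class name, not the post's own string.
$ldapFilter = '(objectClass=msDS-GroupManagedServiceAccount)'

Get-ADObject -LDAPFilter $ldapFilter |
    ForEach-Object {
        # Re-read each hit through Get-ADServiceAccount to get the gMSA-specific
        # attributes in a readable form.
        Get-ADServiceAccount -Identity $_.DistinguishedName `
            -Properties PrincipalsAllowedToRetrieveManagedPassword, 'msDS-ManagedPasswordInterval', ServicePrincipalNames
    } |
    ForEach-Object {
        [pscustomobject]@{
            Name                 = $_.Name
            Enabled              = $_.Enabled
            PasswordIntervalDays = $_.'msDS-ManagedPasswordInterval'
            SPNs                 = ($_.ServicePrincipalNames -join '; ')
            # Every principal listed here (and anyone who is an administrator on a
            # host listed here) can ask the KDS for the account's current password,
            # so this list is the real access-control decision for a gMSA.
            CanRetrievePassword  = ($_.PrincipalsAllowedToRetrieveManagedPassword -join '; ')
        }
    } | Sort-Object Name | Format-Table -AutoSize
```

A gMSA whose CanRetrievePassword column names a broad group (or is empty, meaning it is not usable anywhere yet) is worth a second look; the intended state is one tightly scoped group of the hosts that run the service.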

Microsoft Active Directory Trusts Explained

Microsoft Active Directory uses the concept of “domains”: a domain is an administrative and replication boundary within which user accounts, computer accounts and resources are authenticated against a common authentication source (the forest, not the domain, is the security boundary). There is also the concept of a “forest”: a forest is a collection of domains, in the most basic configuration […]
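
An inventory of the trusts that join those domains and forests, as an added example that is not code from the original post: it decodes the trustAttributes bits (MS-ADTS 6.1.6.7.9) of every trust the current domain holds and flags the settings that widen what a trusted domain can do here, such as SID filtering being off or unconstrained (TGT) delegation being allowed across the trust. It assumes the ActiveDirectory module (RSAT) and a domain-joined session.

```powershell
# Added example (not from the original post): list the current domain's trusts
# and flag boundary-widening settings. Assumes the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# trustAttributes bit values (MS-ADTS 6.1.6.7.9)
$TA_NON_TRANSITIVE             = 0x001
$TA_QUARANTINED_DOMAIN         = 0x004   # SID filtering on an external trust
$TA_FOREST_TRANSITIVE          = 0x008   # forest trust
$TA_CROSS_ORGANIZATION         = 0x010   # selective authentication
$TA_WITHIN_FOREST              = 0x020   # trust between domains of the same forest
$TA_TREAT_AS_EXTERNAL          = 0x040   # relaxes SID filtering on a forest trust
$TA_USES_RC4_ENCRYPTION        = 0x080
$TA_CROSS_ORG_ENABLE_TGT_DELEG = 0x800   # unconstrained delegation allowed across the trust

function Get-TrustFindings {
    param([int]$Attributes)
    $findings = @()
    $isForest = ($Attributes -band $TA_FOREST_TRANSITIVE) -ne 0
    $isIntra  = ($Attributes -band $TA_WITHIN_FOREST) -ne 0

    # Without SID filtering, whoever controls the trusted domain can put foreign
    # SIDs (e.g. this forest's Enterprise Admins) into SID history and have them
    # honoured here.
    if (-not $isForest -and -not $isIntra -and (($Attributes -band $TA_QUARANTINED_DOMAIN) -eq 0)) {
        $findings += 'external trust without SID filtering (quarantine off)'
    }
    if ($isForest -and (($Attributes -band $TA_TREAT_AS_EXTERNAL) -ne 0)) {
        $findings += 'forest trust treated as external (SID filtering relaxed)'
    }
    # Without selective authentication, every user of the trusted domain is
    # "Authenticated Users" on every resource in this domain.
    if (-not $isIntra -and (($Attributes -band $TA_CROSS_ORGANIZATION) -eq 0)) {
        $findings += 'selective authentication off'
    }
    if (($Attributes -band $TA_USES_RC4_ENCRYPTION) -ne 0) {
        $findings += 'RC4 trust keys'
    }
    if (($Attributes -band $TA_CROSS_ORG_ENABLE_TGT_DELEG) -ne 0) {
        $findings += 'TGT delegation enabled across the trust'
    }
    return $findings
}

Get-ADTrust -Filter * -Properties TrustAttributes |
    ForEach-Object {
        [pscustomobject]@{
            Target           = $_.Target
            Direction        = $_.Direction          # Inbound, Outbound or BiDirectional
            IntraForest      = $_.IntraForest
            ForestTransitive = $_.ForestTransitive
            SelectiveAuth    = $_.SelectiveAuthentication
            TrustAttributes  = ('0x{0:X}' -f [int]$_.TrustAttributes)
            Findings         = ((Get-TrustFindings -Attributes $_.TrustAttributes) -join '; ')
        }
    } | Sort-Object Target | Format-Table -AutoSize
```

Direction is read from the perspective of the domain you run this in: an Inbound trust means accounts from Target can be granted access here, which is the direction the findings above matter for.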

Kemp Load Master – SAML via OKTA with KCD to Microsoft Exchange OWA (Outlook Web Access)

The Kemp Load Master allows authentication to be offloaded from the Microsoft Exchange server (which supports Kerberos) to itself, so that the Kemp Load Master acts as an SP (Service Provider) against an IdP (Identity Provider), for example OKTA. The use of SAML via OKTA allows any SAML (and Kerberos KCD […]

Leaky Print Spooler Vulnerability (CVE-2021-1675)

So it appears that there is a vulnerability in the Windows Print Spooler service, which matters most on the machines running Active Directory; this is covered on the Register: https://www.theregister.com/2021/06/30/windows_print_spool_vuln_rce/ Until you patch this you can simply disable the “Print Spooler” service on your Domain Controllers, and to be honest you don’t need it running on a Domain Controller anyway. Edit: […]
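
Doing that across every Domain Controller rather than one at a time, as an added example that is not code from the original post: it finds all DCs from AD, reports the Print Spooler state on each, and with -Disable stops the service and sets it to Disabled so it does not return after a reboot. It assumes the ActiveDirectory module (RSAT), PowerShell 5.1 or later on the DCs, and WinRM access to them for Invoke-Command.

```powershell
# Added example (not from the original post): report and optionally disable the
# Print Spooler on every DC. Assumes the ActiveDirectory module, PowerShell 5.1+
# on the DCs (for Get-Service's StartType) and WinRM access to them.
param([switch]$Disable)
Import-Module ActiveDirectory

$dcs = (Get-ADDomainController -Filter *).HostName

$results = Invoke-Command -ComputerName $dcs -ArgumentList $Disable.IsPresent -ScriptBlock {
    param([bool]$disable)
    # The service name is "Spooler"; "Print Spooler" is only its display name.
    $svc    = Get-Service -Name Spooler
    $before = "$($svc.Status)/$($svc.StartType)"
    if ($disable -and ($svc.Status -ne 'Stopped' -or $svc.StartType -ne 'Disabled')) {
        Stop-Service -Name Spooler -Force
        Set-Service  -Name Spooler -StartupType Disabled   # survives reboots, unlike Stop-Service alone
        $svc = Get-Service -Name Spooler
    }
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Before   = $before
        After    = "$($svc.Status)/$($svc.StartType)"
    }
}

$results | Select-Object Computer, Before, After | Sort-Object Computer | Format-Table -AutoSize
```

Run it once without -Disable to see which DCs still show Running/Automatic, then again with -Disable; any DC that is unreachable over WinRM will surface as an Invoke-Command error rather than silently staying enabled.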
