Entra ID (AD)

Technical articles about authentication and authorization of directory services for Azure cloud. Articles include topics such as domain controllers, DNS, Group Policy Management, certificates, and single sign-on. Learn about using Active Directory Management Tools and PowerShell.

First Issuance manual, with automated renewals

Hey all Rob Greene again. Seems like I have been on this PKI kick lately, and today is not going to be any different. Occasionally, I will get a customer who must get certificates issued for things like Web sites, and they must have custom Subject Alternative Name (SAN) DNS values on the issued certificate.  […]


NTLM vs Kerberos

Reposting – This article was originally written and posted by Nuno Tavares in 2018. In this post, we will go through the basics of NTLM and Kerberos. We will explain using the three Ws, covering what the main differences between them are, how to identify when a protocol is being used over the other, and why


Speaking in Ciphers and other Enigmatic tongues fresh content update!

First published on TechNet on Dec 08, 2015 Hi! Jim Tierney here again to talk to you about Cryptographic Algorithms, SCHANNEL and other bits of wonderment. My original post on the topic has gone through yet another rewrite to bring you up to date on recent changes in this crypto space. So, your company purchases


THIS JUST IN!!!!  High LSASS Usage After Windows Update 3B March 2024

Jim and the Directory Services Team here again to alert you to an emerging issue which is an unintended consequence of a recent update released in March 2024.   What is LSASS and why is it important?  The Local Security Authority Subsystem Service (LSASS) is a process that handles user authentication, security policies, and auditing on


We need to discuss the Microsoft Certification Authority Web Enrollment (CAWE) Role

Hello everyone, this is Rob Greene. I recently had a case where a customer was having trouble with the CAWE pages. I realized that we do not have much useful information on how outdated these web pages are. Customers have been using different default browsers, and while security has been evolving in the Windows environment,


Stop Worrying and Love the Outage, Vol II: DCs, custom ports, and Firewalls/ACLs

This is the first article in a series: Stop Worrying and Love the Outage, Vol I: Group Policy and Sharing Violations; Stop Worrying and Love the Outage, Vol II: DCs, custom ports, and Firewalls/ACLs. Hello, it’s Chris Cartwright from the Directory Services support team again. This is the second entry in a series where I


More Speaking in Ciphers and other Enigmatic Tongues with a focus on SCHANNEL hardening.

Hi! Jim Tierney here again to talk to you about Cryptographic Algorithms, SCHANNEL and other bits of crypto excitement. I have elucidated at length on this topic in this post which had been updated a few years back to the aptly titled, Speaking in Ciphers and other Enigmatic tongues…update! I am creating this brand-new piece


Stop Worrying and Love the Outage, Vol I: Group Policy and Sharing Violations

Hello! Chris Cartwright here from the Directory Services support team.  Recently, we have seen an uptick in cases related to sharing violations when processing or editing group policies.  Most of these issues are caused by locks on policy-related files within the SysVol share, from either security products or environmental conditions.  Security product mitigations are already


KRB_AP_ERR_BAD_INTEGRITY

First cousin once removed to KRB_AP_ERR_MODIFIED. Most anyone who would be interested in reading an article like this has very likely encountered the error, KRB_AP_ERR_MODIFIED. This error tells us one thing: The account secret (aka password hash) that is being used to decipher the ticket cannot decipher the ticket. The most common reasons are: The


Renew Certificate Authority Certificates on Windows Server Core. No Problem!

Hi there!  Rob and Jim are here from the Directory Services team.  Today’s blog strives to clearly elucidate an administrative procedure that comes along more frequently with PKI Hierarchies being deployed to Windows Server Core operating systems. Installing the Certificate Services Role on Windows Server Core will not be covered in this blog, but this
