HOWTO: Hunt for abuse of Azure AD Connect’s AD Connector account

Azure AD Connect Sync’s uses three separate accounts. Its AD Connector account is an account that has several permissions that warrant a closer look at how the account can be abused. Of course, we’ll need command lines to hunt for any misuse. About the AD Connector account Since Azure AD Connect version 1.4.18.0, the use … Continue reading "HOWTO: Hunt for abuse of Azure AD Connect’s AD Connector account"

HOWTO: Find out the capabilities Domain Controllers may offer your device

One of the hard nuts to crack in Active Directory is meeting the requirements for the infrastructure features your organization’s business needs to operate reliably, securely and smooth. About Active Directory requirements Throughout Microsoft’s recent history, features have been introduced in all sorts of products that have certain Active Directory requirements. The perfect example is … Continue reading "HOWTO: Find out the capabilities Domain Controllers may offer your device"

KnowledgeBase: You experience EventID 1699 on Domain Controllers targeted by Azure AD Connect

One of the issues you might encounter, when you misconfigure the delegated permissions for Azure AD Connect’s Active Directory connector account is events in your Domain Controllers’ event viewers every hour with event ID 1699. The situation You are using Azure AD Connect with Password Hash Synchronization as either the sign-in method to Azure AD … Continue reading "KnowledgeBase: You experience EventID 1699 on Domain Controllers targeted by Azure AD Connect"

Windows PKU2U Elevation of Privilege Vulnerability (CVE-2021-25195, Critical)

Yesterday, for its February 2021 Patch Tuesday, Microsoft released a critical security update for PKU2U. This vulnerability is known as CVE-2021-25195 and rated with CVSSv3.0 scores of 7.8/6.8.   About PKU2U Authentication PKU2U is a peer-to-peer authentication protocol. This setting prevents online identities from authenticating to domain-joined systems. Authentication will be centrally managed with Windows … Continue reading "Windows PKU2U Elevation of Privilege Vulnerability (CVE-2021-25195, Critical)"

Windows DNS Server Remote Code Execution Vulnerability (CVE-2021-24078, Critical CVSSv3 9.8/8.5)

Today, for its February 2021 Patch Tuesday, Microsoft released a critical security update for DNS Servers running Windows Server. This vulnerability is known as CVE-2021-24078 and rated with CVSSv3.0 scores of 9.8/8.5. A remote code execution vulnerability exists in Windows Domain Name System (DNS) servers. An attacker who successfully exploited the vulnerability could run arbitrary … Continue reading "Windows DNS Server Remote Code Execution Vulnerability (CVE-2021-24078, Critical CVSSv3 9.8/8.5)"

On-premises Identity-related updates and fixes for January 2021

Even though Microsoft’s Identity focus moves towards the cloud, they are not forgetting their on-premises roots. Windows Server 2016 and Windows Server 2019 still receive updates. These are the Identity-related updates and fixes we saw for January 2021:   Windows Server 2016 We observed the following update for Windows Server 2016: KB4598243 January 12, 2021 … Continue reading "On-premises Identity-related updates and fixes for January 2021"

Active Directory’s ESE database code now available on GitHub

Active Directory Domain Services (AD DS) and Active Directory Certificate Services (AD CS) use the Extensible Storage Engine (ESE) as its database. Now Microsoft has open sourced the code for its database engine available to all on GitHub.   About the Extensible Storage Engine The Extensible Storage Engine (ESE) is an embedded / Indexed Sequential … Continue reading "Active Directory’s ESE database code now available on GitHub"

HOWTO: Configure Accurate Time in Active Directory

Windows Server 2016 introduced the Accurate Time feature. Microsoft introduced increased polling and clock update frequency in Windows Server 2016 Active Directory, when compared to Windows Server 2008/2012. While this introduces a small additional CPU load on Domain Controllers, it does provide for more Accurate Time for Windows Server 2016 because of more frequent polling, … Continue reading "HOWTO: Configure Accurate Time in Active Directory"

HOWTO: Install Azure AD Connect behind an Internet Proxy

Most Microsoft-based Hybrid Identity implementations use Active Directory Federation Services (AD FS) Servers, Web Application Proxies and Azure AD Connect installations. In this series, labeled Hardening Hybrid Identity, we’re looking at hardening these implementations, using recommended practices. In many environments, tier 0 systems like Azure AD Connect installations are only allowed Internet access through one … Continue reading "HOWTO: Install Azure AD Connect behind an Internet Proxy"

KnowledgeBase: You receive error ‘The directory service was unable to allocate a relative identifier’ when installing Azure AD Connect

Sometimes, the installation of Azure AD Connect can mess up your project deadlines in mere seconds. In this blogpost, I want to share an error that kept the admins of an organization occupied for several days, while it was relatively (har har) easy to fix. The situation An organization wants to configure Azure AD Connect. … Continue reading "KnowledgeBase: You receive error ‘The directory service was unable to allocate a relative identifier’ when installing Azure AD Connect"