AD FS Certificates Best Practices, Part 2: Key size

Because Active Directory Federation Services (AD FS) relies heavily on certificates, you'll want the most straightforward SSL/TLS certificate as the Service Communications Certificate throughout your Active Directory Federation Services (AD FS) implementation. Notice, however, that I'm not recommending the strongest certificates for your Active Directory Federation Services (AD FS) implementation? You won't hear …

AD FS Certificates Best Practices, Part 1: Hashing Algorithms

Because Active Directory Federation Services (AD FS) relies heavily on certificates, you'll want the most straightforward SSL/TLS certificate as the Service Communications Certificate throughout your Active Directory Federation Services (AD FS) implementation. Notice, however, that I'm not recommending the strongest certificates for your Active Directory Federation Services (AD FS) implementation? You won't hear …

Vulnerability in Active Directory Federation Services could allow elevation of privilege (Important, CVE-2015-1757, MS15-062)

Today, Microsoft released update 3062577 as part of its June 2015 Patch Tuesday to address a cross-site scripting vulnerability that affects Active Directory Federation Services (AD FS) 2.0 and Active Directory Federation Services (AD FS) 2.1 installations. Note: This means Windows Server 2008, Windows Server 2008 R2 and Windows Server 2012 are affected, but Windows …

Video: Join the Virtualized!

Windows 10 brings a huge change when it comes to joining the trusted environment. How does the virtualization of the join change the security paradigm that we got so used to over the past decade? What happens to single sign-on and management of the workplace? Where are the new boundaries of the virtualized territory? How …

WorkPlace Join vs. DirectAccess

Previously, I discussed the differences and commonalities between WorkPlace Join and Domain Join. Today, I would like to discuss the differences and commonalities between two very similar and yet widely different remote access technologies: WorkPlace Join and DirectAccess. Let's start with the characteristics these two technologies have in common: WorkPlace Join and DirectAccess are …

Update your Federation Servers with MS14-077 to patch CVE-2014-6331 (Important)

During the November 2014 Patch Tuesday, Microsoft released Security Bulletin MS14-077, which describes how a vulnerability in Active Directory Federation Services (AD FS) could allow unintentional information disclosure and how you can fix this by installing the security update that is part of KB3003381 on your Active Directory Federation Servers, including proxies. About MS14-077 …

Configuring the maximum amount of devices colleagues can Workplace Join

We've discussed the WorkPlace Join functionality in Active Directory Federation Services in Windows Server 2012 R2 (and up) and the accompanying Registered Device objects in Active Directory Domain Services, and we've looked into granularly granting and revoking access to WorkPlace Join by specifying Issuance Authorization Rules for the Device Registration Services (DRS) and configuring the …

Configuring the inactivity time-out for WorkPlace-joined Devices

When we discussed the WorkPlace Join functionality in Active Directory Federation Services in Windows Server 2012 R2 (and up) and the accompanying Registered Device objects in Active Directory Domain Services, you might have gotten the feeling that the directory might get cluttered with Registered Devices. Microsoft has built in a feature in the Device Registration …

Granularly permitting or denying the right to WorkPlace Join devices based on group membership

Previously, we've looked at the WorkPlace Join functionality in Active Directory Federation Services (AD FS) in Windows Server 2012 R2 (and up) and the accompanying Registered Device objects in Active Directory Domain Services (AD DS). When WorkPlace Join is enabled for a networking environment, by default anyone has the right to WorkPlace Join devices, by …

WorkPlace Join vs. Domain Join

Yesterday, we discussed WorkPlace Join and the msDS-Device object. Over the past months, these technologies sparked conversations with several people, some of which have very strong opinions on the exclusivity of domain join and a passion for loosely-coupling devices to Active Directory. This conversation could best be titled WorkPlace Join versus Domain Join. I'll use …