From the field: Colleagues in specific group encounter error “AADSTS50107 Requested federation realm object does not exist.”

Sometimes, you hit error messages that are just too vague to troubleshoot. I like these kinds of situations. This particular one is especially fun, because it requires some intermediate knowledge of Active Directory Federation Services in Hybrid Identity environments. My favorite subject. The situation: Single Sign-On (SSO) for organizations comes in many shapes and …

Azure AD Cloud App Discovery as a Service, not as a Project

Azure Active Directory is quickly becoming the Identity Management-as-a-Service solution of choice for many organizations. One of the nicest, but unfortunately less commonly used, features of Azure AD is its Cloud App Discovery tool and the way it integrates with Azure AD Identity Protection. About Azure AD Cloud App Discovery: Azure AD Cloud App …

I will be delivering 9 Identity webinars for Microsoft's Partner University this May

A while ago, I was contacted to present online webinars to explain the Enterprise Mobility Suite (EMS) for Microsoft's Partner University. For this series of fifteen webinars, I was selected as the speaker for the first three sessions in three different timeslots, accommodating the Asia Pacific, Europe and Americas regions using the EventBuilder platform: …

Installing Azure AD Connect on Windows Server 2008, 2008 R2 and 2012

In most projects, we set up a brand new Windows Server 2012 R2 installation, purely for Azure AD Connect and its underlying Azure AD Connect. For some reason, however, you might install Azure AD Connect on Windows Server 2008, Windows Server 2008 R2 or Windows Server 2012. Note: Installing Azure AD Connect is not supported on …

Knowledgebase: You receive Event-ID 1539 and ‘This device does not allow its write-caching setting to be changed’ warnings on virtualized Generation 2 Domain Controllers

When I was in training as an Active Directory admin, I was taught that the disk(s) where the Active Directory database and Active Directory transaction logs reside are automatically configured with write-back caching disabled. Today, roughly 15 years later, I found out that although my teacher was right, things have changed and might be counter-intuitive …

Video: Running highly-sensitive Domain Controllers on Hyper-V and Azure

Active Directory Domain Controllers hold the keys to your kingdom. So how do you virtualize these castles of identity, without compromising on the requirements of your organization? In this session, Raymond Comvalius (Windows Expert – IT Pro MVP) and Sander Berkouwer (Directory Services MVP) give best practices for hardening, backing up, restoring and managing virtualized …

Security Thoughts: Include command line in process creation events

Windows 8.1 and Windows Server 2012 R2 introduced an awesome new feature, called Include command line in process creation events, a Group Policy setting that expands the Audit Process Creation policy so events in Event Viewer (eventvwr.msc) include the actual commands issued. Last week, Microsoft introduced an update to Windows 7, Windows 8, Windows Server …

Security Thoughts: LSASS Protection in Windows 8.1 and Windows Server 2012 R2

I’ve written about Pass-the-Hash (PtH) attacks before. Today, I’m writing on the cleanup mechanisms that Microsoft has introduced with Windows 8.1 and Windows Server 2012 R2 to remove lingering passwords and password hashes from Windows. These mechanisms help protect against PtH attacks.

Security Thoughts: Passwords in Group Policy Preferences (CVE-2014-1812)

Last week, Microsoft released Security Bulletin MS04-025, including guidance and an update that resolves a publicly disclosed vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if Active Directory Group Policy preferences are used to distribute passwords across the domain – a practice that could allow an attacker to retrieve and decrypt the …

Security Thoughts: The Inconvenient Truth about CVE-2014-1776 (aka “The Windows XP Mega Vulnerability”)

Looking at the news these last couple of days, you’d think the XPocalypse has begun. A vulnerability has been discovered in Internet Explorer 6 through 11 and code has been made publicly available to attack it. Since, according to several websites, this is a critical vulnerability that was discovered after Microsoft officially ended support for …