We’ve migrated many AD FS implementations from Windows Server 2012 R2 to Windows Server 2016 and beyond. This blog post intends to share our experiences during these migrations, so you can take advantage of them during your migrations. How we migrate: In general, we migrate Web Application Proxy servers by adding additional Web Application Proxies … Continue reading "A Real-world tested Approach for Transitioning Web Application Proxy Servers"
We’ve migrated many Active Directory Federation Services (AD FS) implementations from Windows Server 2012 R2 to Windows Server 2016 and beyond. This blog post intends to share our experiences during these migrations, so you can take advantage of them during your migrations. How we migrate: In general, we migrate AD FS servers by adding additional … Continue reading "A Real-world tested Approach for Transitioning AD FS Servers"
In many Active Directory Domain Services environments, LDAP is a common protocol to provide access to objects and their attributes in the directory. The Lightweight Directory Access Protocol (LDAP) is an open protocol for use with various directory services, including Active Directory. Over the years, Microsoft has been made aware of vulnerabilities in the way … Continue reading "TODO: Test your exposure to Microsoft’s 2020 LDAP Channel Binding and Signing changes"
Sometimes, Microsoft products have a way of their own. The Domain Naming System (DNS) service since Windows Server 2003, too, has a nice little quirk that I ran into the other day, that I’d like to share with you. About DNS debug logging: When you suspect problems with the Domain Naming System (DNS) Service, … Continue reading "Knowledgebase: When you enable DNS debug logging to removable media, the DNS Service no longer starts"
Most Microsoft-based Hybrid Identity implementations use Active Directory Federation Services (AD FS) Servers, Web Application Proxies and Azure AD Connect installations. These components have requirements of Active Directory Domain Services (AD DS) in terms of the schema, the Windows Server versions on the Domain Controllers an organization runs, the Domain Functional Level (DFL) and the … Continue reading "Hybrid Identity features per Active Directory Domain Services Domain Controller Operating System, Domain Functional Level, Forest Functional Level and Schema version"
With the release of version 13.1 of its BIG-IP software, F5 Networks enables you to make your F5 BIG-IP series appliances and F5 Virtual Edition (VE) appliances act as full-fledged Web Application Proxies in combination with Windows Server 2012 R2 and/or Windows Server 2016-based Active Directory Federation Services (AD FS) Servers using MS-ADFSPIP. About … Continue reading "Use your F5 BIG-IP Appliance as Full-Fledged AD FS Web Application Proxy"
Today, for its March 2017 Patch Tuesday, Microsoft released an important security update for Active Directory Federation Services (AD FS). The security update addresses a vulnerability that could allow information disclosure if an attacker sends a specially crafted request to an AD FS server, allowing the attacker to read sensitive information about the target system. … Continue reading "Important Update for Active Directory Federation Services (MS17-019, KB4010320, CVE-2017-0043)"
Today, for its March 2017 Patch Tuesday, Microsoft released a security update for supported versions of Windows Server offering File Sharing services using the Server Message Block (SMB) version 1.0 protocol. The security update addresses the vulnerabilities by correcting how SMBv1 handles specially crafted requests. About the vulnerabilities: The vulnerabilities that are fixed with … Continue reading "Critical Flaw in SMB1 could allow remote code execution on Active Directory Domain Controllers (MS17-010, KB4013389)"
Sometimes, you hit error messages that are just too vague to troubleshoot. I like these kinds of situations. This particular one is especially fun, because it requires some intermediate knowledge of Active Directory Federation Services in Hybrid Identity environments. My favorite subject. The situation: Single Sign-On (SSO) for organizations comes in many shapes and … Continue reading "From the field: Colleagues in specific group encounter error “AADSTS50107 Requested federation realm object does not exist.”"
When organizations embrace new versions of software in a structured way, they end up with checklists, much like the ones I wrote for Windows 7 and Windows 8. Migrating end-user device Operating Systems (OSs), however, is different from embracing a new version of the Windows Server Operating System (OS). From an information security point of … Continue reading "An entirely new Management Pack for Active Directory on Windows Server 2016 is now available"