Making the Case for 30-day Token-signing and Token-decrypting Certificates in AD FS

I feel we are at a crossroads. Five years ago, I made the case for token-signing and token-decrypting certificates in Active Directory Federation Services (AD FS) with a 5-year validity. Today, I’m making the case for 30-day token-signing and token-decrypting certificates, based on my understanding of the UNC2452 attack campaign (also known as ‘Solorigate’). …

HOWTO: Configure Accurate Time in Active Directory

Windows Server 2016 introduced the Accurate Time feature. Microsoft introduced increased polling and clock update frequency in Windows Server 2016 Active Directory, when compared to Windows Server 2008/2012. While this introduces a small additional CPU load on Domain Controllers, it does provide for more Accurate Time for Windows Server 2016 because of more frequent polling, …

What’s New in Identity in Microsoft Edge v88

Today, Microsoft made Edge version 88.0.705.50 generally available to the Edge stable channel. Consequently, Edge 88 will be rolling out to devices in the next few days. What’s New in Identity: Edge version 88 provides these new features in terms of identity: Single Sign-on on Windows 7 and Windows 8.1. When using Microsoft …

From the field: The Case of the Unstable AD FS Farm

Troubleshooting stories from the field are the best. That’s why I like writing them down. Although sometimes they might appear as straight cases of schadenfreude, I feel there are lessons to be learned for anyone, if you’re willing to look closely and listen carefully. Last month, I experienced an issue with an AD FS farm, …

HOWTO: Install Azure AD Connect behind an Internet Proxy

Most Microsoft-based Hybrid Identity implementations use Active Directory Federation Services (AD FS) Servers, Web Application Proxies and Azure AD Connect installations. In this series, labeled Hardening Hybrid Identity, we’re looking at hardening these implementations, using recommended practices. In many environments, tier 0 systems like Azure AD Connect installations are only allowed Internet access through one …

Azure AD Connect’s v2 endpoint is now Generally Available (GA)

Azure AD Connect is Microsoft’s free tool to synchronize objects and their attributes from Active Directory Domain Services (AD DS) implementations to Azure Active Directory tenants. Many millions of organizations depend on Azure Active Directory and the APIs that the tool connects to. Azure AD Connect’s v2 Endpoint: Microsoft has deployed a new endpoint (API) …

Configuration Items that are part of Azure AD Connect’s Export and Import functionality

Azure AD Connect is a crucial component in today’s Hybrid Identity strategies. This tool takes care of the synchronization of objects and their attributes from an on-premises Active Directory environment to Azure AD. In some scenarios, it also takes care of authentication when accessing Azure AD-integrated applications. In version 1.5.42.0, Microsoft introduced Import and Export …

Azure Active Directory Pod Identity Spoofing Vulnerability (CVE-2021-1677)

Today, for its January 2021 Patch Tuesday, Microsoft released an important security update for Azure Active Directory Pod Identities. This vulnerability is known as CVE-2021-1677 and rated with CVSSv3.0 scores of 5.5/4.8. About the vulnerability: The Azure AD pod identity feature enables users to assign identities to pods in Kubernetes clusters and fetch them from …

KnowledgeBase: You receive error ‘The directory service was unable to allocate a relative identifier’ when installing Azure AD Connect

Sometimes, the installation of Azure AD Connect can mess up your project deadlines in mere seconds. In this blogpost, I want to share an error that kept the admins of an organization occupied for several days, while it was relatively (har har) easy to fix. The situation: An organization wants to configure Azure AD Connect. …

The video of my presentation at IT Pro|Dev Connections is now available

IT Pro|Dev Connections is a conference organized by the largest Greek communities for everyone in the Computer and Information Technology industry. The content focuses on products, technologies and services that are "hot" or up and coming and provide valuable knowledge to the participants. On December 13th, 2020, I presented the following 50-minute session at the …