Kerberos Issues November 2022

The November 8, 2022 and later Windows updates address a security bypass and elevation of privilege vulnerability in Authentication Negotiation that relies on weak RC4-HMAC negotiation.

This update will set AES as the default encryption type for session keys on accounts that are not marked with a default encryption type already.

To help secure your environment, install the Windows update that is dated …

Check If AD FS WSTrust Endpoint Enabled

Check WSTrust Endpoint Configuration

Active Directory Federation Services (AD FS) uses endpoints to provide access to features. There are a series of different endpoints, each serving a different purpose, from password reset to publishing federation metadata or multiple web services protocols. It is important to ensure that only the required features are actually enabled, and also if those features are to be made available internal…

Sign-In Error 5000811 — Unable to verify token signature. The signing key Identifier Does Not Match Any Valid Registered Keys

The error message "Sorry, that didn't work. Please go back to office.com and try again" is probably one of the most vague that I've seen. It's up there with "please contact your administrator", which is fine unless you are the administrator...

The below is a repro of a case where all users were unable to sign into Office 365. They would receive the aforementioned "Sorry, that didn't work" message…

AD FS Web Application Proxy Re-Establish Proxy Trust

WAP Re-Establish Trust

In the Tailspintoys environment the AD FS Proxy was offline for a month. It was unable to contact the AD FS server on the internal network, and this allowed the short-lived authentication certificate to expire. At this point the AD FS Proxy was "dead to me" as far as the AD FS server was concerned. The internal AD FS server was OK; the issue was just with the proxy.

Bummer....

How do we fix this? …

Defender For Identity Sensor Service Fails To Start on AD FS – Sequence Contains No Elements

After installing the Defender for Identity sensor onto AD FS, you may experience an issue where the service does not enter the running state.

In the Microsoft Defender for Identity portal the sensor is reported as "Not Configured".

Lab Starting Reference Point

Since the AD FS sensor is new (January 2021), you initially installed sensors onto all of your AD Domain Controllers.

The below indicates that all o…

AD FS Extranet Smart Account Lockout Protection

Windows Server 2012 R2 AD FS added the Extranet Account Lockout protection feature. The intent of Extranet Account Lockout protection is to add an additional layer to password authentication which traverses Web Application Proxy (WAP). Note that the feature is not available for authentication directly targeting AD FS. The reason for this is that the Extranet Account Lockout protection was des…

Unable to Edit WAP Published Application in Mixed Mode Farm

During the upgrade process it is expected that there will be multiple versions of AD FS and WAP servers operating in a farm at a given time. This is actually a good option, as it allows us to easily upgrade from AD FS 2012 R2 to a newer version such as 2016 or 2019. We can do this without having to build a brand new farm from scratch and then cut over applications to the new farm wi…

Unable To Access WAP AD FS Proxy Instance Externally

When deploying AD FS and Web Application Proxy it is common to run into some networking issues. Normally this is due to firewall rules not being set correctly.

However we need to be aware of the default behaviour of WAP and factor that into our deployment.

When WAP is installed, it writes additional firewall rules into the Windows firewall. However, the default rules do not cover all monitorin…

Get-AdfsProperties Error ADMIN0120

The below is an issue which caused this week's customer a little stress. They wanted to review the current AD FS configuration, but were not able to successfully run the Get-AdfsProperties cmdlet.

The Get-AdfsProperties cmdlet would generate the error below.

ADMIN0120: The client is not authorized to access the endpoint net.tcp://localhost:1500/policy

For make most glorious benefit of search engines:
Get-AdfsProperties : ADMIN0120: The client is not authorized to access the endpoint net.tcp://
Connect to AD FS 2016 WID Using SQL Server Management Studio

As part of troubleshooting a recent Windows Server 2016 AD FS issue, I wanted to take a look at the database using SQL Server Management Studio (SSMS). In order to successfully connect there are a couple of gotchas to note, as the database used was the Windows Internal Database (WID). This is the default for AD FS 2012 R2 and 2016 deployments. There is no SQL management interface and the correct con…