Channel: Directory Services forum

ADFS claims to restrict external access to Office 365


Hi

We have our ADFS environment deployed on-prem, with one ADFS server and one ADFS Proxy.

We want to restrict external access to Office 365 for a group of users, I've followed the instructions provided at the following article for scenario 4: https://technet.microsoft.com/en-us/library/dn592182.aspx?tduid=(f8012d9bc9aa6e1d76f7fdeb30305871)(256380)(2459594)(TnL5HPStwNw-CaLU1ayHnT2YtXzM3PfudA)()#scenario4

In the example, the rules work to restrict external access except for a group of users; as I want to restrict external access only for a group of users, I modified the rules, but it doesn't seem to be working.

I've tried to analyze the event logs but didn't find anything descriptive.

Has anyone had the same problem, or what else do you suggest I try?


Thanks in advance

Cristian 



Does the Claims Aware App need to Trust the Claims Provider's Token Signing Certificate


Hello

I see when setting up AD FS Server/Farm you can use a self-signed certificate for the Token Signing and Token Encryption Certificates.

I see the certificate is also included as part of the Metadata which is exchanged between the Claims Provider and the Relying Party. However, does the certificate also need to be imported into their X509 certificate trust store (e.g. in Windows the 'Trusted Root Certification Authorities' store)?

I assume yes, or does the claims aware app trust by virtue of WIF (Windows Identity Foundation, under Windows at least), which I believe performs the validation of the Claims token before passing the result up to the App? In other words, if the Certificate in the metadata can be used to check the signature of the token, then WIF does not bother to check if the certificate is actually trusted.

Or, is this done on a case by case basis (e.g. whether or not you need to add the certificate to the trust store at the relying party end)?

Any help most welcome
Thanks


After DC demotion, the server comes back up to a black screen with a mouse and that is all.


Hi all,

I ran DCPromo to remove this server. This is Server 2008 on a VM. The server went through the process and threw an error at the end before rebooting. It said something about an RPC error trying to remove ... or something like that. I accidentally clicked OK and did not get a screenshot of the message. I thought nothing of it, as I figured that I would be able to get into the server and make sure it was working correctly afterwards.

Well, it is now sitting at a black screen with a mouse cursor, and it seems to be going nowhere fast. I have tried rebooting it into ADS Recovery mode and it does nothing. It never seems to come completely up.

It looks like it cleaned up after itself but I cannot tell completely. It doesn't come up enough for me to log in to it from remote desktop or from the keyboard interface.

What should I do next?

Thank you

Charles

Gain access to user files after domain user deleted from server?


Long story short, I was cleaning up and deleted some old ex-employee accounts from AD Users and Computers screen on Server 2012 R2.

Catch was, it turns out that one of the replacement employees was using an ex-employee's computer, complete with credentials. He had access to everything he needed to do his job, but under someone else's name. When I deleted that user from the Domain Controller, the next time he had to restart his workstation (Windows 7 Pro 64 bit) he was unable to log in using the ex-employee's now deleted credentials.

Recycle bin on the server was not enabled. Neither ADRestore nor LDP could find any trace of tombstones.

So, is there an easy way for me to recover the desktop, programs and files of the ex-employee, for the current employee, or am I going to have to try to rebuild from scratch?

Thanks!

Brett

ADFS showing up a pop up for login credentials only with GET


Hi!

We are using ADFS mostly for SaaS applications (including O365).

It is working perfectly but we have now integrated a new application and it is showing a popup window asking for credentials.

Let me explain the scenario. 

I know that ADFS tries using WIA (SSO) if the browser is running in the intranet and if it is Internet Explorer.

So our services are working ok:

- External users are shown the login form

- Internal users with corporate laptops use integrated windows auth

- Internal users with other devices or browsers are shown the login form

But with this new app, internal users with Firefox are seeing a popup window (basic authentication).

We have had a look at the difference between this application and other applications and have seen that the only difference is that this app is calling ADFS with a GET method (SAML) while the rest use a POST method.

AFAIK our ADFS is not customized.

Are any of you aware of this difference? Why do GET and POST work differently? Can we fix this in ADFS, or should we ask for a change in the application?

Thank you!!


Adding multiple users to groups in Active Directory


Is it possible to select multiple users and add them to a group within Active Directory all at the same time? When adding users to a group, I've always had to do it one at a time.

Thanks for reading!

Replication Issue - With a new domain controller


Hi All, 

I am facing a replication issue with a new domain controller.

In repadmin /replsummary, I am getting an error message like: AD Replication error 1818: The remote procedure call was cancelled.

nslookup succeeds.

I have followed the link https://support.microsoft.com/en-in/kb/2694215, but it doesn't help to fix the issue.

Please advise.



SK

Active Directory and OCS 2007


Good day, staff.

I had a server with OCS 2007; this server is just making trouble and I have no more spare parts.

The Active Directory schema contains OCS fields. My doubt is whether I should do some kind of cleaning in order to remove the OCS 2007 courses within AD, since I no longer have an OCS server, but the fields are still contained in AD.

Thank you

KDC reports incorrect etypes after level change from 2003 to 2008 R2


A couple of years ago we added Windows 2008 R2 Domain Controllers to our Windows 2003 domain, completed the process of moving off of the old 2003 DCs to the new ones, and finally changed the functional level to 2008 R2. As far as everything we were using, things were functioning as expected. However, recently we've been working on enhancing our GPO configuration for our desktops to increase security.

One of the changes we made was based off of DoD STIG settings and according to MS documentation was supported by our W7 & W10 machines connecting to our Windows 2008 R2 domain.

Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> Network security: Configure encryption types allowed for Kerberos -> checking only AES128, AES256, & Future

After that change was made, though, the test machines (W7 & W10) all started getting popups telling them they needed to lock their machine and log back in because the password was out of sync. Doing so did not resolve the issue, and then if you tried to change the account password from the computer you got an error about the KDC not supporting the encryption requested. The following error was logged on the Domain Controller too.

While processing an AS request for target service krbtgt, the account USER_ACCOUNT did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 1). The requested etypes : 18  17  3. The accounts available etypes : 23  -133  -128. Changing or resetting the password of USER_ACCOUNT will generate a proper key.

Researching, etypes 18 & 17 are AES128 & AES256, which is what I expected, but then on the domain side it's telling me it only supports RC4, and I couldn't figure out what -133 & -128 were. So I did more research and was assuming the domain, when upgraded, just never added the AES options, so I started delving into klist & ksetup. However, I started running into errors.

ksetup /getenctypeattr MY.DOMAIN
Query of attributes on MY.DOMAIN failed with 0xc0000034
Failed /GetEncTypeAttr : 0xc0000034

ksetup /AddEncTypeAttr MY.DOMAIN AES128-CTS-HMAC-SHA1-96
Query of attributes on MY.DOMAIN failed with 0xc0000034
Failed /AddEncTypeAttr : 0xc0000034

So I was messing around with klist on the machines that couldn't log in and were throwing the error on the Domain Controller.

klist
Current LogonId is 0:0x123456789
Cached Tickets: (0)

Then I ran it on any of our other machines that did not have the new GPO changes and was a bit surprised to see everything in my domain is already using AES256...

Current LogonId is 0:0x123456789
Cached Tickets: (1)
#0>     Client: USER_ACCOUNT @ MY.DOMAIN
        Server: krbtgt/MY.DOMAIN @ MY.DOMAIN
        KerbTicket Encryption Type: AES-256-CTS-HMAC-SHA1-96
        Ticket Flags 0x40e00000 -> forwardable renewable initial pre_authent
        Start Time: 6/15/2016 9:47:25 (local)
        End Time:   6/15/2016 19:47:25 (local)
        Renew Time: 6/22/2016 9:47:25 (local)
        Session Key Type: AES-256-CTS-HMAC-SHA1-96

So while my KDC is not advertising that it does AES, once a machine talks to it, it starts actually using AES. I went back to that GPO value I set and added RC4 so it could request it, and as soon as I did that those test machines all started talking to the KDC, got new tickets, the popup stopped showing, and all of the tickets were AES.

So, yippee, I'm actually running at the level I was trying to enforce, but in order to do it I have to allow the ability to down-level to RC4...

I've done a bunch of research online and I can't seem to figure out how to get the KDC to correctly report what it supports so that I can remove the usage of RC4.


Systems Administrator Senior - University of Central Florida
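
As an added example (not from the post or from Microsoft), a small Python helper that decodes the etype numbers in that KDC event text and the SupportedEncryptionTypes bitmask written by the "Configure encryption types allowed for Kerberos" setting. Etype names follow the IANA Kerberos registry; the two negative values are labelled per Heimdal's etype enum, and the 0x7FFFFFE0 value for "Future encryption types" is Microsoft's documented bit range. It shows the mismatch the event describes: the client requests only AES (plus DES-CBC-MD5) while the account still has only RC4-era keys.

```python
import re

# Kerberos etype numbers as printed in the KDC event. 1/3/17/18/23 are the
# IANA-registered values; -128 and -133 are private-range legacy RC4 variants
# (Heimdal names them ETYPE_ARCFOUR_MD4 and ETYPE_ARCFOUR_HMAC_OLD).
ETYPE_NAMES = {1: "DES-CBC-CRC", 3: "DES-CBC-MD5",
               17: "AES128-CTS-HMAC-SHA1-96", 18: "AES256-CTS-HMAC-SHA1-96",
               23: "RC4-HMAC", -128: "RC4-MD4 (legacy)",
               -133: "RC4-HMAC-OLD (legacy)"}

# Bits of the SupportedEncryptionTypes value written by the "Configure
# encryption types allowed for Kerberos" policy (same layout as the
# msDS-SupportedEncryptionTypes attribute on accounts).
SUPPORTED_BITS = [(0x01, "DES-CBC-CRC"), (0x02, "DES-CBC-MD5"),
                  (0x04, "RC4-HMAC"), (0x08, "AES128-CTS-HMAC-SHA1-96"),
                  (0x10, "AES256-CTS-HMAC-SHA1-96"),
                  (0x7FFFFFE0, "Future")]  # "Future encryption types" box

EVENT_RE = re.compile(r"requested etypes\s*:\s*([-\d\s]+?)\.\s*"
                      r"The accounts available etypes\s*:\s*([-\d\s]+?)\.")

# Event text copied from the post (USER_ACCOUNT is the post's own placeholder).
SAMPLE_EVENT = (
    "While processing an AS request for target service krbtgt, the account "
    "USER_ACCOUNT did not have a suitable key for generating a Kerberos ticket "
    "(the missing key has an ID of 1). The requested etypes : 18  17  3. "
    "The accounts available etypes : 23  -133  -128. Changing or resetting "
    "the password of USER_ACCOUNT will generate a proper key.")


def parse_event(text):
    """Return (requested, available) etype number lists from the event text."""
    m = EVENT_RE.search(text)
    if m is None:
        raise ValueError("event text does not contain the two etype lists")
    return ([int(x) for x in m.group(1).split()],
            [int(x) for x in m.group(2).split()])


def etype_name(number):
    return ETYPE_NAMES.get(number, "unknown(%d)" % number)


def decode_supported(value):
    """Checkbox names enabled in a SupportedEncryptionTypes bitmask."""
    return [name for bit, name in SUPPORTED_BITS if value & bit]


def encode_supported(names):
    """Bitmask for a set of checkbox names (the post ticks AES128, AES256, Future)."""
    return sum(bit for bit, name in SUPPORTED_BITS if name in names)


def diagnose(text):
    """Why the AS request failed: nothing is both requested and available.

    account_has_aes_keys is False when the account still has only RC4-era
    keys, which is the case the event text says a password change fixes."""
    requested, available = parse_event(text)
    return {"requested": [etype_name(e) for e in requested],
            "available": [etype_name(e) for e in available],
            "common": [etype_name(e) for e in requested if e in available],
            "account_has_aes_keys": any(e in (17, 18) for e in available)}
```

Running diagnose(SAMPLE_EVENT) gives an empty "common" list, and encode_supported of the three boxes the post ticks is 0x7FFFFFF8, i.e. RC4 (0x04) cleared.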

AD site issue : klist command returns KDC Name: (null) and Flags: 0x41000 -> WRITABLE_REQUIRED NEXTCLOSEST_SITE


Hello everybody,

I created a new topic after my first one here: https://social.technet.microsoft.com/Forums/windowsserver/en-US/1b551474-8d04-470f-94a7-08fb2bbd45ff/client-not-authenticating-to-the-right-domain-controller-but-the-site-is-correctly-identified?forum=winserverDS#b23a803c-2640-4cab-bcee-3fcd259b6431

I have an issue with a DC (Win 2003 SP2) that doesn't authenticate the users associated with its site (no subnet overlap, clients retrieve the right AD site, etc.); the authentication is done by another DC, in another AD site.

I run this command on a client that has an IP address on the subnet attached to the AD site:

klist query_bind

I have this information regarding my DC attached to this AD site:

#3>     RealmName: MyDomain.local
        KDC Address: MYDC.MyDomain.local
        KDC Name: (null)
        Flags: 0x41000 -> WRITABLE_REQUIRED NEXTCLOSEST_SITE
        DC Flags: 0xe00001fc -> GC LDAP DS KDC TIMESERV CLOSEST_SITE WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST
        Cache Flags: 0


On other DCs, I have something more like this:

RealmName: ABC
KDC Address: 1.2.3.4
KDC Name: DC_ABC
Flags: 0
DC Flags: 0x8000017c -> GC LDAP DS KDC TIMESERV WRITABLE DNS_FOREST
Cache Flags: 0

I think that's the point, but I am not able to decipher this output for now.

Thank you everybody :)

DFS Namespace and Replication with Windows 8.1


Hi,

I have a 2012 R2 Domain and I have started to use DFS and Replication a lot now. But I've just found out over the past couple of days that my Windows 8.1 clients will not see the DFS shares I have set in my GPO. They either don't appear or just have a red X on them. Windows 7 clients work fine. So does Windows 8.1, as long as I share them directly to the server in question. Can anyone shed any light on it please, as I'm going to be using Windows 8.1 a lot. Thanks

Move computers around AD OUs based on IP address


Dears,

I have a customer who has about 34000 computer objects in AD and asks for a script \ tool that will move computers around AD OUs based on computer IP address. The customer has about 29 subnets in AD Sites and Services linked to 8 AD sites. How can we achieve this with minimum effort?

Need to Install a Backup domain Controller


I am trying to install a new secondary domain controller. When I removed the old secondary domain controller I had to use the /forceremoval option because I had errors trying to demote it.

I also had to force removal in active directory of the old domain controller because it was still in the domain controller group.

Now when I run dcpromo I can only install an RODC, which I do NOT want to do.

I did install DNS on the new controller and it is working properly as my secondary DNS server.

How can I get my server to accept the dcpromo so I can install it as my secondary domain controller?

Mike Bartfield


Password Expired, But still able to login


Hello All,

We are facing an issue particularly with Remote Users, who are always in the field and travelling outside the Office for months.

As per our password policy every user's password expires after 90 days, but for these users, even though their passwords are expired, their LastLogon and LastLogonTimestamp keep on updating to recent dates.

These remote users use Cisco AnyConnect for VPN connections. We are investigating how these users' accounts are still active while not having successfully reset their password for so long. Below are some examples of users whose last login is recent:

Last Logon          Last Logon Timestamp    Last Password Change
6/6/2016 5:37       6/6/2016 5:36           3/2/2016 0:03
6/7/2016 4:38       6/7/2016 4:32           2/29/2016 22:43
5/9/2016 2:09       4/27/2016 2:43          1/18/2016 2:23
6/16/2016 23:42     6/16/2016 23:41         12/23/2015 22:57


Thanks HA

To find all the OUs named General


Hello 

I need to find all the OUs named General.

I opened the AD console (Find Users and Computers), selected Organizational Unit and searched for General.

It gave me 240 OUs named General.

I want to know the complete path of each of these General OUs. How?

Aamir 


NA


DirectorySearcher sorting behavior


I want to use DirectorySearcher to find the first 1000 AD objects that have a usnChanged value greater than 123456 (sorted by usnChanged in ascending order).

I intend to do the following:

// The properties below belong to the DirectorySearcher instance, not the class;
// the SearchRoot is assumed to have been set when the searcher was created.
DirectorySearcher searcher = new DirectorySearcher();
searcher.Filter = "(usnChanged>=123456)";
searcher.Sort = new SortOption("usnChanged", SortDirection.Ascending);
searcher.SizeLimit = 1000;   // only the first 1000 matches are wanted
using (SearchResultCollection searchResults = searcher.FindAll())
{
   // enumerate through searchResults assuming they MUST be in order.
}

Is this the right way of doing it?

Is "DirectorySearcher.Sort" passed to the domain controller to perform a server-side sort (which guarantees that it will return the first 1000 objects with the lowest usnChanged values among all AD objects, which number way more than 1000)?

Thanks.

Authenticate to Internal Trusted Domain From DMZ App Server


I just finished setting up a new AD Forest in our DMZ, bi-directional IPsec communication between the DMZ DC and the Internal Domain's DC, and a one-way external non-transitive trust between them so that accounts in the Internal domain can access resources in the DMZ domain.

Now I need to use one of the accounts on the Internal domain as a service account on one of the DMZ application servers. However, whenever I try to find the account, the management console (mmc) locks up, I think because it is unable to communicate with the Internal domain in order to perform the user lookup.

Do I have to open firewall ports for ANY server on which I need to authenticate Internal domain users? I was hoping that I could just channel all of the communication to the Internal domain AD services through the DMZ DC. Is that not the case? It kind of defeats the purpose of setting up a separate AD Forest for the DMZ if I still have to open up these ports for my servers that need to authenticate Internal domain users. There's got to be another way to do this. Does anyone know?

FYI, when I browse for a user account from the DMZ DC it prompts me for credentials for the Internal domain, and my understanding is that it SHOULD. However, when I do the same thing from the DMZ App Server it just sits there and never even prompts me for credentials.

Hopefully there is another way to get this working other than opening up LDAP between all of the servers I need to authenticate against the Internal domain. However, if I do end up having to do that, should I set up IPsec for that communication as well, or just open up TCP 389?

Sysvol Mismatch


There are a number of topics on this behavior, but I'm looking for some current advice. Any feedback is much appreciated!

Domain Functional Level: 2003

Domain Controllers: 2x 2003 R2, 2x 2008 R2

I have a handful of policies that are reporting sysvol mismatch in this domain. The first report showed 3 DCs in sync, and 1 with a "changed" timestamp that differed from the rest. I opened the GPO, made a change, and closed it. My next scan reported all 4 DCs with a sysvol mismatch. All 4 show a "changed" timestamp within seconds of each other. The date and time on all 4 DCs is correct (no delays).

The articles I have found related to this issue suggest editing the GPT.ini for the affected GPOs. Is this still the correct course of action? What other actions would you recommend for remediating these policies?

============================================================
Policy {0851DC2C-3F69-4166-91CC-AFC553076611}
Friendly name: TestGPO
Error: DC1.contoso.com - DC4.contoso.com sysvol mismatch
Details:
------------------------------------------------------------
DC: DC1.contoso.com
Friendly name: TestGPO
Created: 5/26/2016 8:06:40 AM
Changed: 6/16/2016 2:15:11 PM
DS version:     2(user) 0(machine)
Sysvol version: 2(user) 0(machine)
Flags: 0 (user side enabled; machine side enabled)
User extensions: [{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-11D1-A7CC-0000F87571E3}]
Machine extensions: not found
Functionality version: 2
------------------------------------------------------------
------------------------------------------------------------
DC: DC2.contoso.com
Friendly name: TestGPO
Created: 5/26/2016 8:06:40 AM
Changed: 6/16/2016 2:15:23 PM
DS version:     2(user) 0(machine)
Sysvol version: 2(user) 0(machine)
Flags: 0 (user side enabled; machine side enabled)
User extensions: [{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-11D1-A7CC-0000F87571E3}]
Machine extensions: not found
Functionality version: 2
------------------------------------------------------------
------------------------------------------------------------
DC: DC3.contoso.com
Friendly name: TestGPO
Created: 5/26/2016 8:06:40 AM
Changed: 6/16/2016 2:15:26 PM
DS version:     2(user) 0(machine)
Sysvol version: 2(user) 0(machine)
Flags: 0 (user side enabled; machine side enabled)
User extensions: [{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-11D1-A7CC-0000F87571E3}]
Machine extensions: not found
Functionality version: 2
------------------------------------------------------------
------------------------------------------------------------
DC: DC4.contoso.com
Friendly name: TestGPO
Created: 5/26/2016 8:06:40 AM
Changed: 6/16/2016 2:15:32 PM
DS version:     2(user) 0(machine)
Sysvol version: 2(user) 0(machine)
Flags: 0 (user side enabled; machine side enabled)
User extensions: [{35378EAC-683F-11D2-A89A-00C04FBBCFA2}{0F6B957E-509E-11D1-A7CC-0000F87571E3}]
Machine extensions: not found
Functionality version: 2
------------------------------------------------------------
============================================================

Inactive Computer Accounts


Hi

I don't have the Quest Active Directory plugins installed on Windows 2008 and haven't really had a chance to look at PowerShell. Right, I have run dsquery computer -inactive -limit 0 > c:\inactive.txt

I have also run dsquery computer -limit 0 > c:\active.txt. Well, when I search through active.txt I find old machines that have not been active for a while. Hmmm, what attributes is this command targeting?

Yes, I know it's most probably been asked and people will post scripts, but I am trying to understand why this command is not working as it should.

Cheers in advance for the help

Delete multiple AD users through command line

Hi team,

Could anyone help me? I have a task: I have to delete 2000 AD users, and these users belong to different OUs. I don't want to delete these users manually.

Could anyone provide me with a script or batch file for deleting these users from AD?

Regards, Triyambak
