We have covered a lot of ground so far, and we have touched on the Kerberos conversations that go on, but let’s take a deeper look at exactly how these messages are made up and how they are protected. Elements to protect the transmission Secret Keys Secret keys are stored inside the Security Account Manager […]
Inside Kerberos – 5: Tokens
Alright then, we’ve covered SIDs, SIDHistory, and Tickets. Let’s move onto Access Tokens. Privilege Access Certificate The Privilege Access Certificate or PAC is a Microsoft extension to Kerberos utilizing the Authorization Data field in the tickets. This is sometimes referred to as the Access Token, however strictly speaking the Access Token is the structure generated […]
Inside Kerberos – 4: Tickets
Ok I think we have talked enough about SIDs in the previous two parts on SIDs and SIDHistory. Let’s move on to Kerberos tickets… Luckily in Kerberos there are really only two tickets (which confusingly are sometimes also referred to as Tokens) Ticket Granting Ticket (TGT) Service Ticket (ST) Both of these tickets are issued […]
Inside Kerberos – 3: SIDHistory
In this blog we will be exploring SID History, and it follows on from Part 1 which gave an overview of Kerberos, and Part 2 which was all about SIDs. The attribute sid-history has been there right since Windows 2000 and is used to store all of the SIDs that an object has had. […]
Inside Kerberos – 2: SIDs
In Part 1 we set the scene in regards to how Kerberos works at a high level, so let’s now get down and dirty with Security Identifiers (SIDs) What is a Security Identifier (SID)? From MSDN: “A security identifier (SID) is a unique value of variable length used to identify a trustee. Each account has […]
Inside Kerberos – 1: Overview
I recently did some work at a client to help migrate them to a new Active Directory. While setting up the migration including password and SidHistory syncs I told them to be careful of Domain Local Groups which can cause issues if users are nested directly in them. Now I knew this was true, but […]
Add open with Notepad as Administrator
So often do I work on my laptop or on servers and I have to open a file in Notepad to edit it, however the file is protected so you have to not only be an administrator but you need to use ‘Run as Administrator’ Now that’s all well and good if the menu item […]
The Groups Dilemma – post migration
Today a client that we had previously migrated off Lotus Notes asked us about applying Groups to their Shared Mailboxes in Office 365 but ensuring that the Shared Mailbox Owners had the ability modify those Groups to provide access. This blog very much goes hand in hand with this blog I wrote on Shared Mailboxes, […]
Uploading Microsoft Office Templates to SharePoint
Introduction We have a current client that deal directly with blind and partially sighted people. They have a customised Word Template where the default normal font must be Arial size 14 with Headings etc additionally edited for their needs as well. (We also know many other client that use lovely nice corporate (paid-for) branding and […]
NeroBlanco Lotus Notes to O365 MaaS
We’re often asked why our Migration as a service offering is more advantageous than any on-premises solution an organisation could wish to deploy. Typically if a company has decided to host their email in the Microsoft cloud they have already familiarised & accepted all the certifications which Microsoft abides by in their services, like […]
DirectAccess warm standby without IPv6
DirectAccess has come a long way and with Windows Server 2016 it is pretty easy to install as a single site, single server deployment. What if you need additional resilience though, what if you want a fail over server? You can of course go down the multi-site route but that needs IPv6 to be deployed […]
Securing the Azure AD Connect account
Azure AD Connect (AADC) integrates your Active Directory with Azure Active Directory (and from there with the various Active Directories for your workloads) AADC has an account on-premises that has rights within Active Directory and depending on what you are syncing back from Azure AD to on-premises those rights can be extensive. Microsoft has issued […]
6