Restore-GPO : Value does not fall within the expected range
Once in a while you Google on some error and come across an old blog post of yours … and you smile. :) That’s what happened today. I was trying to Backup-GPO and Restore-GPO between two (trusted)...
ADFS and CNAME records – HTTP/400 error with WIA
I had heard that it is better to create an A record for ADFS (i.e. you get an IP address as the reply when querying the record) rather than a CNAME record (i.e. you get a name and the IP address of...
ADFS WIA Support UserAgent strings for Chrome etc.
This is more as a note to myself. Out of the box ADFS does not have WIA enabled for most browsers. You need to add the UserAgent strings of browsers you wish to enable WIA for. Here is the cmdlet with...
ServerManager crashes on add/remove roles
Learnt from various forum posts when I experienced it today: If ServerManager crashes on add/remove roles, or Get-WindowsFeature and related cmdlets throw a “The given key was not present in the...
Setting up SimpleSAMLphp on Windows Server with ADFS
Going to be brief here as it’s late at night. SimpleSAMLphp is a PHP application you can set up as a Relying Party in ADFS if you want a test application to play around with it. (It can do more things...
Firefox and ADFS WIA
Hat tip to this blog post. You have to add the URL of your ADFS server to the network.automatic-ntlm-auth.trusted-uris setting in about:config. Official documentation from Mozilla is here. Firefox, by...
Random ADFS notes
(Nothing new here. I was taking notes when reading up while troubleshooting an issue). All incoming rules can be thought of as being stored in an input rules set. All the claim rules are in a claim...
ADFS with Exchange OWA & ECP (contd.)
This is a continuation to my post from yesterday. While OWA works fine following my post yesterday, I learnt today that ECP does not work for users in the second domain. (To use correct terminology,...
ADFS across trusted forests
I don’t know why there aren’t any blog posts on ADFS across trusted forests on the Interwebs. I know people are aware of it (we use it at our firm for instance) but whenever it comes to cross forest...
[Aside] Enable ADFS Logging
See https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/troubleshooting/ad-fs-tshoot-logging. Enable the ADFS Tracing Logs. Enable auditing via Set-AdfsProperties -AuditLevel Verbose....
[Aside] Registry keys for Enabling TLS 1.2 etc.
Came across via this Exchange blog post. Registry keys for enabling TLS 1.2 as default as well as making it available if applications ask for it. Also contains keys to enable this for .NET 3.5 and 4.0....
[Aside] Clearing Credential Manager
Very useful blog post. Clearing all entries in credential manager.
TIL: Teams User-Agent String
Today I learnt that Teams too has a User-Agent String, and it defaults to that of the default browser of the OS. In my case, macOS with Firefox as the default, it was using the User-Agent String of...
Certificates in the time of Let’s Encrypt
Here’s me generating two certs – one for “edge.raxnet.global” (with a SAN of “mx.raxnet.global”), another for “adfs.raxnet.global”. Both are “public” certificates, using Let’s Encrypt. PS...
Demoting a 2012R2 Domain Controller using PowerShell
Such a simple command. But a bit nerve-racking coz it doesn’t have many options and you wonder if it will somehow remove your entire domain and not just the DC you are targeting. :)...
Unable to install a Windows Update – CBS error 0x800f0831
Note to self for next. Was trying to install a Windows Update on a Server 2012 R2 machine and it kept failing. Checked C:\Windows\WindowsUpdate.log and found the following entry:...
Deploying Office 2016 language packs (using PowerShell Admin Toolkit)
I need to deploy a language pack for one of our offices via ConfigMgr. I have no idea how to do this! What they want is for the language to appear in this section of Office: I don’t know much of...
Useful NPS & certificate stuff (for myself)
Came across an odd problem at work the other day involving NPS and Wireless APs. We have an internal wireless network that is set to authenticate against Microsoft NPS using certificates. The setup is...
[Aside] Demystifying the Windows Firewall
Quick shoutout to this old (but not too old) video by Jessica Payne on the Windows Firewall. The stuff on IPSec was new to me. It’s amazing how you can skip targeting source IPs and simply use IPSec to...
[TIL] WMI filtering has separate precedence with GPOs
I knew that when it comes to a bunch of GPOs linked to an OU the one with the lowest number (highest in the list) has the highest priority. What I learnt today is that if in this list you have a GPO...
Some Windows firewall troubleshooting …
Obvious in retrospect, but today I picked up something new with Windows firewall. I have a work laptop and I had been trying to RDP into it from one of my home machines. Easier, you know, when I am not...
Get-ADDomainController : Directory object not found
No, I don’t have a solution to the above. But I do have a workaround in case it affects anyone else. :) ldifde -d "OU=Domain Controllers,DC=contoso,DC=com" -f c:\output.txt -l "sAMAccountName,...
How to check LDAPS certificate and TLS version
Get OpenSSL (a list of 3rd party sites here; I went with this one). Then connect to your DC thus: openssl s_client -connect <Domain_Controller>:636 To test a specific version add a switch like...
Notes on PSADT
Been a while since I worked with PSADT so here’s a quick reminder to myself. PSADT is a god-send for anyone deploying applications via SCCM. To install just run the script: Deploy-Application.ps1 # if...
More Notes on Teams
Quick shoutout to this excellent blog post by James Rankin on installing Teams (aptly titled installing the damned thing). A few weeks ago I had blogged about Teams and I thought I had it under...
New-ADUser – A referral was returned from the server
This stupid error message stumped me for a bit yesterday. Microsoft.ActiveDirectory.Management.ADReferralException: A referral was returned from the server at...
Azure AD connect sync via Remote PowerShell
I wanted to initiate a remote sync of Azure AD connect via Remote PowerShell. The cmdlet is simple – Start-ADSyncSyncCycle -PolicyType Delta – but by default you can’t remove PowerShell unless you are...
Universal Groups are limited to other domains of the same forest
Lookie, an AD related post. Been ages since I did any AD work. I always thought Universal groups could contain members from any domains in any forests. Coz back when I was learning about this stuff I...
Maximized Citrix windows with FancyZones
Here’s a “first world” problem and my fancy solution for it. Don’t judge. We use Citrix at work. Not a big deal. But I like to hop between machines – like when I am on the couch I prefer using the...
Playing with pass on macOS and Windows
A long time ago I had stumbled upon pass (website), thought it looked interesting, made a note to take a look at it later, and then forgot about it. This week I was thinking I need some sort of a...