a blog about nothing

For proper Kerberos authentication to take place, the Service Principal Names (SPNs) have to be registered correctly on the correct account.

SPNs are AD attributes that uniquely identifies an instance of a service for a given target host.

If you have a SQL server where the SQL service run under the Network Service or Local System account, the SPN for SQL should be registered on the machine account. If you have set the service to run under a service account (a domain user account), the SPN should be registered on the domain user.

SPNs registered on a machine account will be registered automatically, but if you use a user account you’ll have to register the SPN manually. You can use the setspn.exe tool, or use adsiedit.msc.

You can only register the unique SPN on one account. If you have duplicate SPNs in the forest, Kerberos authentication will fail.

If you have an IIS server (version 6 or prior) the Service class (http) should be registered on the application pool Identity the site is using. This is not the case if you have IIS 7/7.5. By default IIS 7 has enabled “Kernel-Mode authentication”.  The Kerberos Service ticket is then encrypted with the Machine account password no matter what account is set to run the application pool.

This weekend I attended at the NIC2012 conference in Oslo.

Many interesting sessions were on the schedule like DS MVP Brian Desmond’s “What’s new in Windows Server 8 Active Directory” and “Kerberos uncovered”.

Key notes from WinServer 8 AD:

• USN Rollback preventions when restoring a snapshot (PDCe needs to be on a Win Server 8 DC)
• Support for cloning DCs (handy when you have to deploy dozens of them)
• GUI for the AD Recycle Bin and Fine Grained Password Policy
• Dcpromo.exe is gone (you promote a DC from the server manager)
• AD delivers the mechanism for file server access with Claims Based Authentication
• A huge amount of new Powershell cmdlets

Unfortunately it looks like the video for this session is missing, though I’d recommend you to have a look at some other sessions like:

“Kerberos uncovered” by Brian Desmond:
http://vimeo.com/nicconf/review/35059113/4695c41e86

”How to Not Screw Up Your PKI Environment“ by Brian Komar:
http://vimeo.com/nicconf/review/35053082/aaff51b192

“What’s new in Windows 8 Hyper-V” by Ronald Beeklaar:
http://vimeo.com/nicconf/review/35059126/939388d621

All sessions: http://www.nic2012.com/nic2012_agenda

When a computer joins a domain, a computer account is created in AD. The computer account gets its own password that will expire after 30 days (default). When the password expire, the computer itself will initiate a password change with a DC in its domain.

When the computer starts up, it uses this password to create a secure channel (SC) with a DC. The computer will request to sign all traffic that passes the SC. If a DC says “go ahead”, all traffic that is signed passes through this channel.

Traffic like NTLM pass through authentication is typically signed traffic.

So what will happen if there is a mismatch between the computer account password? The computer tries to authenticate, but the DC says this is not the correct password.

The SC is down.

Tools like “netdom” could be used to reset the password, but this only worked to reset the SC between two DCs. It was not possible to reset the SC on a domain member. The computer had to rejoin the domain.

Syntax:

netdom resetpwd /server:<Name of a DC> /userd:domain\administrator /passwordd:admin_password

Netdom was written back in the NT4 days, and a new tool has taken over. Not just taken over for Netdom, but also for tools like Nltest. Windows PowerShell.

To reset the SC between a computer and a DC:

Open PowerShell on the computer and run the *cmdlet:

Test-ComputerSecureChannel -repair

*The cmdlet requires PowerShell 2.0, which is pre-installed on Win7/2008R2.

In Win8 there are thousands of new cmdlets, so if you have not began to look at PS. Now is a good time.

References:

PowerShell 2.0 for XP, 2003, Vista, 2008: http://support.microsoft.com/kb/968929

Symptoms of a broken SC: http://blogs.technet.com/b/asiasupp/archive/2007/01/18/typical-symptoms-when-secure-channel-is-broken.aspx

Test-ComputerSecureChannel cmdlet: http://technet.microsoft.com/en-us/library/dd367893.aspx

To access Dynamics CRM 4 (on premise) from the Internet, you’d to configure IFD and you could use i.e. ISA in a DMZ if you didn’t want the CRM server to be facing the Internet.

If you decided to use ISA you couldn’t use the built-in security provided by ISA/UAG, but you had to just tunnel all traffic through and let the CRM server authenticate the user. This was not so cool, but it was fairly easy to set up and configure.

With the release of Dynamics CRM 2011 things started to get a little more complicated. If you wanted to access CRM from the Internet you’d to configure claims-based authentication, ADFS 2.0 and IFD. UAG was not supported.

I was taken by surprise when I read about this, since Microsoft uses UAG to make i.e. Exchange and SharePoint more secure. Did they forget about CRM?

Products like Citrix Access Gateway began to take a sole lead.

Things changed with the release of UAG Service Pack 1. CRM is now supported to be published via UAG. You don’t need to set up ADFS and claims. Let the UAG do the job to secure and authenticate the users. With or without two-factor authentication like RSA.

Easy to configure, easy to understand 🙂

Reference:

Publishing: http://technet.microsoft.com/en-us/library/hh490315.aspx
UAG: http://www.microsoft.com/en-us/server-cloud/forefront/unified-access-gateway.aspx

We recently had a two day visit by some folks from Microsoft Norway. Good food and drinking, driving ATVs, and talking. We talked much about how MS saw the future and things like Lync, Intune, Hyper-V, Windows mobile, Win 8 and Win Server 8.

We are in the middle of a Oracle consolidation, so what is better than giving us some really cool t-shirts and say good luck?

If you only have 2008 DCs, and you are replicating SYSVOL with FRS. You could/would/should migrate to DFS replication.

Like with any major changes you do to your domain, you should run a dcdiag before you do anything.

I just saw a case where an old Reference was still alive and stalled the migration. The DC (SYSVOL member) was cleaned out long ago, but it looked like it failed removing all traces. The solution was to delete the reference manually with adsiedit.

dcdiag:

Starting test: VerifyEnterpriseReferences

The following problems were found while verifying various important DN
references.  Note, that  these problems can be reported because of
latency in replication.  So follow up to resolve the following
problems, only if the same problem is reported on all DCs for a given
domain or if  the problem persists after replication has had
reasonable time to replicate changes.

[1] Problem: Missing Expected Value

Base Object: CN=Win2008-DC01,OU=Domain Controllers,DC=spurs,DC=local
Base Object Description: "DC Account Object"
Value Object Attribute Name: msDFSR-ComputerReferenceBL
Value Object Description: "SYSVOL FRS Member Object"
Recommended Action: See Knowledge Base Article: Q312862

[2] Problem: Missing Expected Value

Base Object: CN=Win2000-DC1, OU=Domain Controllers,DC=spurs,DC=local
Base Object Description: "DC Account Object"
Value Object Attribute Name: serverReferenceBL
Value Object Description: "Server Object"
Recommended Action: Check if this server is deleted, and if so
clean up this DCs Account Object.

Beware that the “VerifyEnterpriseReferences” tested from a Win2008 DC will report back a “Missing Expected Value” for msDFSR-ComputerReferenceBL. This is expected since the 2008 version of dcdiag don’t know that SYSVOL is still replicated with FRS.

So, don’t touch DFSR references.

Migrating step-by-step:

http://blogs.technet.com/b/filecab/archive/2008/02/08/sysvol-migration-series-part-1-introduction-to-the-sysvol-migration-process.aspx

Consider the following environment:

3 x Win2008R2 SP1 RDS (terminal servers with load balancing)
1 x Win2008R2 SP1 Microsoft Dynamics CRM 2011 (Rollup pack 2 at the moment)
CRM for Outlook installed on the RDS servers.

Since you don’t want users to save documents, pictures, etc. on the RDS servers, and you want the users environment to be the same no matter what RDS server they happen to be routed to, you configure Folder Redirection and Roaming Profiles.

Doing this will leave your MS CRM installation in an unsupported state as MS CRM 4 and CRM 2011 don’t support Folder Redirection.

Problems I experienced:

If you open up a window from CRM and then you close it, you’ll get: “An error occurred. Send Report to Microsoft?”

If you open CRM for Outlook as a normal user, and you try to track an email, you’ll get and error stating that it didn’t work. If you look in the Event log on the RDS server you’ll see:

EventID 5972 Source MSCRMAddin

I opened a support case with Microsoft, and got in contact with the MS CRM team. They told me that Folder Redirection (FR) is unsupported in MS CRM, so I had to remove FR if they should be able to investigate any further.

That would be a huge drawback, since we uses load balancing between the RDS’s, and the users would be saving documents directly on the RDS servers. Ouch!

Solution: Remove Folder Redirection completly

Solution (unsupported):

There are two files (caches) that have to be local on the RDS for CRM to work. “EmailCache.sdf” and “OutlookSyncCache.sdf”.

They are located in the “%userprofile%\AppData\Roaming\Microsoft\MSCRM” folder. If you redirect “Appdata(Roaming)” those two files will be on a file share. That will cause problems for the CRM client and present you some weird errors.

So if you have to use FR, you can’t redirect “AppData”. That folder has to be local. The rest of the folders didn’t seem to cause any problems redirecting.

There are no official KB’s stating that Folder Redirection is unsupported in CRM 4 and CRM 2011, but it is. The CRM support team told me the product team was working on it, and there might come a resolution in the upcoming versions / rollups.

COYS!

An updated version of ADTD was just realased. Go get it if you like to have a graphical documentation of your domain. It requires MS Visio. The older version worked with the Visio trial version. I’ve not tested if this version do.

http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=13380

Without Folder Redirection, users might/will save data on their local profile on their computer. If they accidentally delete such a file, you don’t have a backup of it (unless you take backups of workstations which I doubt…).

Configuring Folder Redirection is fairly easy, but you should get it configured correctly.

In this step-by-step I will just use a domain controller (DC) to store the user folders. I always strive to keep DCs dedicated and don’t mix other roles to them. If you don’t have the HW or budget I guess you don’t have a choice.

Open up the “Share and Storage Manager” (that came along with Win2008, which in fact is a great tool).

In the Action frame, choose “Provision Share”:

Click “Browse” and “Make new folder”. Give it a meaningful name like “FolderRedir” or similar:

  Edit the NTFS permissions:

Remove the inheritance so it don’t get permissions from its parent folder:

Permissions:

Administrators: Full Control, “This folder, subfolders and files”
System: Full Control, “This folder, subfolders and files”
Users (or a group containing the domain users): READ & Execute + “Create folders / Append data”, “This folder only”
Creator Owner: Full Control, “Subfolders and files only“

Give it a share name and make it administrative (add a $ at the end of the share name):

Enable “Access-based enumeration” (optional). This feature will only list folders the user has access to when browsing:

Set the share permissions:

Domain admins: Full Control
Users (or a group containing the domain users): Full Control

If you use DFS, you should consider placing the folder redirection on the DFS for redundancy. If you don’t have it, just click Next:

Hit Next and Create the good stuff.

With the share and NTFS permissions in place, you have to create a Group Policy Object (GPO):

Open the Group Policy Management Consol:

Create a new GPO, and give it an informative name. I.e. “GPO_FolderRedir”.

Navigate to “User Configuration – Windows Settings – Folder Redirection”. You now have to decide what you want to redirect. You can redirect all, or just a few. “Documents”, “Desktop”  and “Favorites” are handsome to pick if you don’t pick all.

If all your users should be on the same share, you should use the “Basic” setting. If you have different shares for different domain groups you can use the “Advanced” setting.

Set “Root Path” = the share path you created earlier.

On the Settings tab, untick the “Grant the users exclusive rights to Documents” if you want domain admins to have access to the redirected folders. If you don’t untick it now and the folders are created, unticking it at a later time will not give domain admins access to the already created folders. You have to take ownership on the folder to gain access. If a user logs on the redirection will not work as the user has to be the owner.

Now you can link the GPO to an OU (not a Container like “Users”) where the users resides.
When the users logs on, the folders are created automatically and the permissions are set correctly. If the user saves i.e. a Word document to My Documents, it’s saved on the file server.

If you have terminal server users, folder redirection in conjunction with Roaming Profiles is a m.u.s.t!

COYS! 
(even though Manchester City bought a Champions League place)

In Star Wars, “R2-D2” was Luke Skywalker’s good friend. If you’re running a domain with FRS, D2 is your good friend. Even thought (2008) R2 (and DFSR) should be your buddy.

So when should you call your D2 buddy and give him a run?

You experience:

• One of your DCs are in Journal Wrap
• The local FRS jet database has become corrupt
• Assertions in the FRS service
• Missing FRS junction points
• Missing FRS attributes/objects
• Missing SYSVOL/NETLOGON share
• Corrupt/missing NTFS journal
• You are bored… (meaning the list is long)

Setting the backup/restore flag , a.k.a. “Burflags”, to D2, and you restart the NTFRS service things start moving.

HKLM\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup

The bad DC will move all its SYSVOL data, if it holds any, into the “NtFrs_PreExisting_See_EventLog” folder. The bad DC will compare all these files with the ones of an upstream partner. It will compare the file IDs and the MD5 checksum from the upstream partner with the local ones. If a match is found, it will copy this file from the Pre-Existing folder into the original location. If it don’t match, it will copy the file from its partner.

When the replication has finished (Event ID 13516 is logged), you can delete the content in the Pre-Existing folder to free up space.