
This website is originally written in the Czech language. Only part of the content is machine (AI) translated into English. The translation may not be exact and may contain errors.

Active Directory and the LDAP protocol

Managing a corporate computer network using Microsoft OS usually means managing Active Directory Domain Services (AD DS). It is a very extensive group of technologies, protocols and services. The basis is directory services, authentication and the LDAP communication protocol.

Directory Services and LDAP

This article only briefly describes directory services, focusing mainly on Active Directory, and the protocol for communicating with LDAP directory services. In practice, the terms directory, directory service, and LDAP are often used interchangeably, and this article explains the interrelationships between them. This is a theoretical introduction to the practical use of LDAP in PHP.

LDAP Authentication (AD)

This article is a follow-up to the previous article, which focused on Directory Services and LDAP. It briefly discusses the LDAP security model and authentication capabilities of Directory Services and focuses on Active Directory specialties. In other words, the ways in which a user is authenticated against a domain are described.

How to use LDAP and LDAPS in PHP under Windows

This article serves as a reminder of the possibilities that PHP gives us. In PHP we can access directory services such as Active Directory, which is useful for many applications (such as intranets). It also shows how to get started using LDAPS under Windows.
02.11.2007 | Samuraj - Petr Bouška | webdesign | 33 071x | Comments [5]

User authentication against AD in PHP

This article builds on previous examples of using LDAP in PHP. One useful feature provided by LDAP access to directory services is the ability to perform user authentication. In practice, for example on an intranet, we can authenticate a user with their domain account against Active Directory. The article shows a simple example of how to do this. Of course, a better way would be to use Single Sign On, but that is no longer so simple.
06.11.2007 | Samuraj - Petr Bouška | webdesign | 23 148x | Comments [8]

Active Directory Users And Computers extension to edit employeeID

This article discusses a relatively simple procedure for extending the Active Directory Users And Computers administrative tool to edit an additional attribute. This is an attribute that is part of the AD schema but is not supported in ADUC. The example shows the employeeID attribute, but it can be similarly applied to any other attribute. In the first step, a VB script is created that accesses the value. In the second step, the ADUC context menu is expanded.
03.12.2007 | 03.12.2007 | Samuraj - Petr Bouška | Microsoft admin | 24 735x | Comments [0]

Active Directory components - domain, tree, forest, site

My original plan was to write an article that would be intended for beginners in the field of Microsoft corporate environment management and describe in a simple form the basic Active Directory structures (forest, tree, domain and site), their interrelations and use. But as I wrote the article, I added more and more information, so while I think it is still suitable for beginners, a more experienced admin may find the information useful. However, there is still a large amount of detail that I don't cover in the article, such as replication or trust relationships. But I have added a description of the global catalog, operations masters roles and something about deployment.

Kerberos protocol and Single sign-on

Let's look at the standard Kerberos protocol, which has long been used in Windows and is the primary authentication protocol in recent versions. This protocol is very secure and by design supports single sign-on. And SSO is what we're interested in. Kerberos is widely used (not only on Windows), but we will base the description on the MS implementation in a domain environment.
06.03.2014 | 15.09.2010 | Samuraj - Petr Bouška | Microsoft admin | 31 949x | Comments [7]

Kerberos SSO - Internet Explorer and Firefox settings

The article deals with setting up the client to be able to use Single sign-on against the application on the server. We take Microsoft Windows as clients that are joined to a domain, all SSO authentication is against Active Directory and we consider only Kerberos protocol. Of course our server application must support SSO. Mainly we will be looking at web applications and therefore web browser configuration and bulk configuration using Group Policy.

Kerberos SSO in a PHP application with Apache on Linux

In previous articles, we have described the Kerberos protocol and its use in Single sign-on, and also the use of SSO from the Windows client's perspective, primarily when authenticating to a web application. Today we'll look at the other side: the web server and the use of SSO in our web application. The basic description is general, but in the details we have to work from specific conditions. Again, we will take advantage of the fact that we have user management in an Active Directory domain, and thus authentication to AD using Kerberos. The clients will be on Windows, as we described in the last article. On the server we will be using the Apache application server, and the brief mention of code will relate to the PHP language.
08.04.2013 | 22.09.2010 | Samuraj - Petr Bouška | webdesign | 37 349x | Comments [12]

Active Directory - user photos not only for Outlook 2010

Since Windows Server 2000, MS Active Directory (AD) has included attributes for saving an image (photo) to a user account. This information can be used in some applications (such as Instant Messaging) that retrieve user information from AD. And it's useful if we use the directory for personal data. AD photos are newly supported in MS Outlook 2010. Inserting images into AD is not complicated, but there are various options, which we will describe here.

PowerShell - Active Directory and personal user data

We probably all use Active Directory (if we are on the MS platform) for central identity management (simplified user management and authentication). But the question is how many companies use the multitude of attributes we can set on a user. At the same time, we usually record various personnel or organizational data in HR systems. Although this is unavoidable, we can enter (or export or synchronize) this data into AD. And what is this good for? For example, the Outlook mail client can display this data and simplify our communication.

PowerShell - Active Directory

So PowerShell has gotten to me, not that I would resist it, but I prefer to do a lot of things in the GUI. For various bulk editing or listing certain values, it is a very useful helper. However, I think that PowerShell is not exactly User Friendly, so unless you use something regularly, it's impossible to remember it (it doesn't contain such simple and clever help as Cisco IOS). That's why I started creating this list of useful commands (and their variations), so that I have somewhere to refer to when needed.

Auditing AD DS Objects in Windows Server 2008

If you want to log operations (record events in a log) over Active Directory Domain Services (AD DS) - basically, creating, changing, or deleting user and computer accounts and groups - you use the AD DS auditing feature. This auditing was already possible before in a similar way, but Windows Server 2008 brings extensions and refinements. We can now audit only a specific subcategory (an improved setting offered by Windows Server 2008 R2), the original and new values are logged for changes (not just who changed what attribute), and the event IDs have changed.

Active Directory Recycle Bin

New to the domain (forest) in the Windows Server 2008 R2 functional level is the Recycle Bin. I think it's a useful feature, although I've only used it once in the year it's been enabled. It certainly doesn't hurt anything. It does what everyone would expect: a deleted object in Active Directory Domain Services (AD DS) is moved to the Recycle Bin and can be restored to its original state.

Exchange Server, Outlook and certificates in GAL

This article focuses on storing encryption certificates in Active Directory: how they are then accessed by clients such as Outlook or OWA, what problems can occur when we switch to a new CA and clients are still being offered old certificates from AD, and also the various PowerShell cmdlets that we can use to work with certificates in AD.

Migration of SYSVOL replications from FRS to DFSR

SYSVOL is an important shared directory that is found on all domain controllers (DCs). Replication is used to keep it identical on all DCs. Since Windows 2000 Server, replication has been handled by the File Replication Service (FRS). When moving to a Windows Server 2008 domain, FRS is still used by default, but it is quite easy to switch to the newer and better Distributed File System Replication (DFSR). We will briefly describe how to do this here.

Windows Server 2012 Active Directory

The new Windows Server 2012 also brings a new version of Active Directory Domain Services. One of the new features is the installation method, which no longer uses dcpromo, but PowerShell or Server Manager.

Microsoft Certification Authority Auditing

When we run a certification authority from MS, which is suitable for almost every company, it is good to set up some logging of operations. Otherwise, we can only track information such as certificate issuance failures in the CA console. This article is an overview only; the same information can be found directly from MS.

Kerberos authentication and group membership

The article describes a problem I recently encountered. It is a situation where we have a user who is a member of a large number of groups. I first ran into a problem with a web application that uses SSO and it stopped working. The solution is to modify the Apache or Tomcat configuration. Then I ran into a problem in Windows 7 where the user stopped authenticating correctly (while some features still worked).

Kerberos part 6 - Kerberos SSO between Domains

So far, we've covered the Kerberos authentication (SSO) process within a single domain (Realm). The advantage of Kerberos is that it can establish relationships between Realms and perform Cross-Realm authentication. In the case of Microsoft domains, this means that when we have established a trust relationship between some domains, authentication automatically works. The user account may be in one domain and the server (service) in another, the user still logs in using SSO.
27.06.2014 | 23.04.2014 | Samuraj - Petr Bouška | Microsoft admin | 12 252x | Comments [1]

Kerberos part 7 - Troubleshooting Kerberos SSO

In this article, we'll look at some troubleshooting options when we set up Single Sign-On (SSO) authentication using Kerberos and automatic login still doesn't work. We are considering an AD domain controller as the authentication server. Most of the options are generic, but in the practical examples we will consider a situation where authentication to a web application from a browser is involved.
29.06.2014 | 03.05.2014 | Samuraj - Petr Bouška | Microsoft admin | 16 337x | Comments [1]

Kerberos part 1 - Active Directory Components

Welcome to the first part of a series that focuses on Kerberos, with a focus on Single Sign-On (SSO) in Microsoft Active Directory. Today's episode doesn't focus on Kerberos directly, but we'll cover the basic Active Directory terms that we need to know and what Kerberos authentication is related to (when using it in a domain environment). We'll briefly mention the AD components because the structure is related to Kerberos Realm. Next, we'll describe how the client finds the domain controller (which is also the Kerberos authentication server).

Kerberos part 2 - AD User Accounts and Service Principal Name

The second part of the series on the Kerberos protocol, focusing on Single Sign-On (SSO) in the Microsoft Active Directory environment, will follow on from the first part and will not focus on Kerberos, but on things related to Active Directory Domain Services. We will look in quite some detail at user account login names, i.e. User Principal Name (UPN) and sAMAccountName. Finally, we will describe the names of service instances (Service Principal Name).

Migrating a domain from Windows Server 2008 R2 to Windows Server 2012 R2

An older article describing the transition from 2003 to 2008 R2 is quite popular. So now I'm going to describe the migration of Active Directory Domain Services (AD DS) to the current version of Windows Server 2012 R2. This involves adding new Windows Server 2012 R2 Domain Controllers, moving roles and features, removing the original servers and finally upgrading the domain functional level. It should be a fairly straightforward process, but of course in practice there will be a number of issues.

Microsoft Certification Authority conversion from SHA1 to SHA2

It's been a year since (let's say) the official end of support for the SHA-1 hashing algorithm in certificates. The recommendation is to switch to SHA-2 as soon as possible. If we use Microsoft Certification Authority internally, it is also a good idea to make this change. Fortunately, it's (in most cases) nothing complicated and it's just a few changes to the existing certification infrastructure. There is a lot written about this area on the Internet, but I did not find any summary article, so I bring it here.

Auditing Windows security events in a domain

There are a number of security events that can occur on computers, servers, and especially domain controllers that we should monitor and control. In Windows, we use event logs (Event Log) where many situations are recorded. For various events, we can set whether and when we want to save them in the log. We solve this by setting up auditing (Security Auditing). But that alone is not enough. Furthermore, it is necessary to somehow automatically process the audit log of events and select information that is important to us, and display or send it somewhere.

Changing the domain account password or name

This article provides more general information on how to change the password of a domain user (who is active with a valid password) in a corporate environment with a Microsoft domain. The detailed options depend on the environment, and the services used, of the company in question. We do not deal here with password expiration situations, where a change dialog may pop up. Instead, we will look at situations where the user is working remotely. When we change the password of a domain account, we often have to take a few extra steps because the old password is used differently. The situation is somewhat similar when the username is changed (for example, when changing the last name).

Microsoft NPS as RADIUS for WiFi

We will briefly look at the options for configuring the Microsoft Network Policy Server (NPS), which we will use as a RADIUS server for wireless networks (WLAN). We will describe the possibility of creating multiple profiles for different WLANs (SSIDs). We will mention common authentication methods that we will use to verify Active Directory users or computers when logging into WiFi, including the authentication situation in Windows 11 from version 22H2 (Credential Guard).

Kerberos deactivation RC4 part 1 - protocol principle and encryption types

Let's take a look at the Kerberos authentication protocol. The main focus is the blocking of the weak and dangerous RC4 cipher and the complete transition to AES encryption. We will cover this in the second part. In this article, we will go through the workings of the Kerberos protocol, which is quite important to know in order to make changes. We will focus on encryption algorithms and keys, more generally encryption types. The main thing is how the type of encryption used is chosen, i.e. whether RC4 or AES is used. Apart from theoretical information, we will show some commands for finding data and setting parameters for encryption. At the end, we will discuss a bit the Microsoft update 11/2022, which partly changes the behavior and brings new possibilities. It probably contained an error when it was published, which we hope not to encounter again.

Kerberos disabling RC4 part 2 - moving from RC4 to AES

In the first part, we focused on the theory of how the Kerberos protocol works and the choice of encryption type. Today we will follow up with practical examples: how to detect tickets with RC4, how to find accounts that don't have AES enabled or AES keys exposed, what information and errors we can find among the events in the log on the domain controller, and where problems can arise if we use keytab files. We will be using PowerShell for most things. Finally, we will show you how to force the use of AES and block RC4.

How to Group Managed Service Accounts (gMSA)

How to handle service accounts for running services or scheduled tasks in a Microsoft Active Directory domain environment better and more securely. Managed Service Accounts have been available for a long time; they were added with Windows Server 2008 R2. They help address service identities with greater security and reduce management overhead. The administrator doesn't have to worry about passwords, because secure password management for the accounts is provided by the Windows operating system. They are used to non-interactively run applications, services, processes, or tasks that need a secure identity (credential).