RDS with network segmentation
Hi, we have an environment that is not connected to the internet. This environment contains Windows Server 2022 and Windows 10/11 clients. To be able to access this environment remotely, we have to use Cisco VPN, and when the VPN is connected we do an RDP…
Fix Root AD CA certificate on Win Server 2022 for Apache Tomcat 9 website not loading?
We setup a Windows Active Directory Certificate Authority on our Windows Server 2022 and issued a certificate for an Apache Tomcat 9 server website. When a user accesses the website, logging in with a valid AD logon, the website will show the website…
CA Web Enrollment (certsrv) behind VIP, load balancer
Hello Team, is it a good recommendation to move the CA Web Enrollment role behind a VIP, load balancer? I am getting an error while using the CA Web Enrollment behind a VIP; I am unable to request a certificate using…
Remote Credential Guard double-hop issue after server 2022 upgrade
We upgraded two of our jump/admin servers from Server 2019 to Server 2022. One was installed fresh, the other one was upgraded via in-place upgrade. Now mstsc /remoteguard no longer works correctly; we seem to run into a Kerberos double-hop issue. …
Block NTLM and NTLMv2 totally, only enable Kerberos
Dear PPL, I would like to totally shut down NTLMv2 in our domain. I would like only Kerberos for our account authentication. Should I just change the GPO of the Default Domain Policy on AD: Network security: Restrict NTLM: Incoming NTLM traffic: to Deny All…
April Security update breaks MSMQ on Windows Server
This patch will break MSMQ in any current Windows Server version. Example: KB5036896 installed on Windows Server 2019. Get "not implemented" error after patching. ErrorNumber: '-2147467263' Source: 'MSMQTransaction' Raised 'Unhandled…
How to change days before password expires notice
I'm looking for a way to change the number of days before notifying users of password expiration from the default of 5 to some other number. I've found a web posting that references: Default Domain Policy (or Default Domain Controllers Policy?) >…
LDAP over SSL on a RODC only (how to)
Hi, I have a "basic" question. The customer has 2x RODC in a separated environment, which is directly connected to the on-prem domain controllers (all 2016). Firewall ports are configured and open. The RODC setup was done without any issues. …
What are Microsoft security recommendations for Microsoft Entra?
Hello, we are setting up a Microsoft Enterprise tenant; what basic recommendations can we make to make it more secure? As we know, we would like to implement MFA, CA, PIM, audit log; anything apart from this, especially from the IAM side of security. Thanks, Richa
Need some help to target the Group Policy to enable the NTLM audit?
I must audit any computers still using NTLM v1 in my AD Domain. Do I need to enable these group policies for all Windows servers and workstations in my AD Domain or just the Domain Controllers? Computer Configuration\Windows Settings\Security…
Procedure for enabling and configuring the LDAPS feature for the existing Domain Controllers globally
I need to globally configure the LDAPS feature in over 20 on-premises Domain Controllers/Global Catalogs to support new security software integration. My existing AD Domain controllers are Windows Server 2016 with Windows Server 2016 FFL/DFL. What steps…
Effective Mail Security applications for Exchange 2019 on-prem
I currently use Symantec Mail Security for Microsoft Exchange on our on-prem Exchange 2019 environment but am looking for a new product. The environment is not connected to the Internet, but on a large stand alone network and I initially wondered if…
Credential Validation Audit Failure - Event ID 4776 - MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 - Error Code: 0xc000006a/0xC0000234
Hello all, thanks for reading and attempting to help. I have been having an ongoing issue for the past month or so with my account getting locked multiple times throughout the day due to the error listed in the title. Every time it happens I go check…
Delegate Control Wizard reports
Does the Delegate Control Wizard in AD allow an auditor to view which permissions have already been 'delegated' within AD/a domain? Or is it purely for delegating new permissions? If it does not, how exactly could you determine where such permissions…
Certificate is not valid - Issuer: MS-Organization-Access
Hi, on several servers I have certificates that are listed as: Issued to: 0882ac7e-3ff6-4231-a45b-5a654aa4303f, Issued by: MS-Organization-Access. SCOM reports these as "Certificate is invalid". Chain Details: ---…
How to implement tiering model in Microsoft Entra
Hello, Microsoft recommends the tiering model for AD, which we implemented. Is there any tiering model concept that Microsoft recommends for designing Microsoft Entra so we can implement it in a new tenant? In case no tiering model is recommended, the…
SSO to get into Outlook account
I cannot seem to figure out how to do this, or if it's even possible. I am the admin of our Azure. I am trying to set up an SSO into our Outlook accounts. As in, when someone signs into Outlook, they are taken to another screen to authenticate them. I'm…
How to disable MFA for a single user
How can I disable MFA for a single user in Azure?
How to handle a SEC_I_RENEGOTIATE received in TLS 1.3 Negotiation
I have a client application that uses SCHANNEL to negotiate TLS 1.1 and TLS 1.2 which has worked for years. I recently changed to use SCH_CREDENTIALS and it still works for TLS 1.2 (and I presume TLS 1.1) on Windows 10. When run on Windows 11, it…