Finding Accounts Trusted for Delegation

As part of a security audit, I was asked to help in finding all accounts marked with "Trusted for Delegation".

What is "Trust for Delegation"?

You can try reading the TechNet Article, but in short - delegation (also known as Kerberos double-hop) is allowing a service to impersonate clients in order ...


setspn Duplicates and Case Sensitivity

Today I found out that the command I use to find duplicate SPNs, setspn -x, is case sensitive, meaning that the following SPNs don't count as duplicates:

HOST/bla
HOST/BLA

This makes sense when using UNIX systems for TGS creation.
However, Active Directory Domain Controllers, being Windows systems ...


Remotely changing DNS server list through registry

Recently I was called to help some friends who had an unusual problem:
They demoted an old DC because they needed to raise the domain functional level, and after doing so many of their servers stopped working - they wouldn't allow remote logins, the Exchange services wouldn't start ...


Investigating Repeatedly Locked Out Users

I often get asked by some other IT guy "why does user XXXXX keep on getting locked out?"

Let me clue you in on something - users (almost) always get locked out for the same reason: They try the wrong password too many times. The reasons for THAT, however, are quite ...


Windows Event Collection

I've recently implemented an enterprise-wide solution of event collection in our organization, using Windows' built-in mechanism called the Windows Event Collector.
This mechanism allows you to collect events from computers running Windows NT5+ (XP/Server 2003 and greater) into Windows NT6+ (Vista/Server 2008 and greater) machines. The only ...


Internet Explorer and SPNs

After learning how SPNs work (read my "Who? Why? Where" to learn what's an SPN), I was frustrated to find out that I can't implement my experience in the real world.
I've created a SharePoint Central Admin site on port 1234, and wanted to enable Kerberos authentication ...


SPNs - Who? Why? Where?

I was making an introduction to a new teammate about SharePoint infrastructure, and one of the things I had to teach her about was SPNs. I was surprised to know almost no one at our place knew what SPNs are actually for. Until my PowerPoint presentation is ready, here is ...
