ADFS Cert Best Practices – unspoken

  • Hashing algorithms: SHA-256
  • Key size: 2048 bit
  • Private Key generation process: Make sure you select the Legacy key template on domain-joined devices; it is not the default option.
  • AD FS token-signing and token-decrypting certificates: give them a longer lifetime, 3 or 5 years.
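As an added example (not code from the original post), the script below audits the AD FS token-signing and token-decrypting certificates against the four points above. It assumes it runs on an AD FS server where the ADFS PowerShell module (Get-AdfsCertificate) is available; the thresholds and the list of weak signature algorithm names are my own choices.

```powershell
# Added example, not code from the original post: audit the AD FS token-signing and
# token-decrypting certificates against the practices listed above (SHA-256, 2048-bit
# key, 3-5 year lifetime, legacy/CSP private key). Run on an AD FS server.
Import-Module ADFS

$minKeyBits     = 2048
$minLifetimeYrs = 3
$weakSigAlgs    = @('sha1RSA', 'md5RSA')   # FriendlyName values .NET reports for weak signature algorithms

function Test-AdfsTokenCertificate {
    Get-AdfsCertificate -CertificateType 'Token-Signing', 'Token-Decrypting' | ForEach-Object {
        $cert = $_.Certificate   # X509Certificate2
        $rsa  = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
        $keyBits     = if ($null -ne $rsa) { $rsa.KeySize } else { 0 }   # 0 = not an RSA key
        $lifetimeYrs = ($cert.NotAfter - $cert.NotBefore).TotalDays / 365.25
        $sigAlg      = $cert.SignatureAlgorithm.FriendlyName            # e.g. sha256RSA

        # Legacy (CSP) vs CNG (KSP) private key: on Windows PowerShell the .PrivateKey
        # property only works for CSP keys and throws for CNG keys. Needs read access to
        # the private key, so this column is only meaningful when run with that access.
        $legacyCsp = $false
        try { if ($cert.HasPrivateKey -and $null -ne $cert.PrivateKey) { $legacyCsp = $true } } catch { }

        [pscustomobject]@{
            Type         = $_.CertificateType
            IsPrimary    = $_.IsPrimary
            Thumbprint   = $cert.Thumbprint
            SigAlg       = $sigAlg
            KeyBits      = $keyBits
            LifetimeYrs  = [math]::Round($lifetimeYrs, 1)
            NotAfter     = $cert.NotAfter
            LegacyCspKey = $legacyCsp
            SigAlgOk     = ($weakSigAlgs -notcontains $sigAlg)
            KeyOk        = ($keyBits -ge $minKeyBits)
            LifetimeOk   = ($lifetimeYrs -ge $minLifetimeYrs)
        }
    }
}

Test-AdfsTokenCertificate | Format-Table -AutoSize

# For the self-signed, auto-rollover certificates AD FS generates itself, the lifetime
# is a farm property in days (default is one year):
# Set-AdfsProperties -CertificateDuration 1825   # 5 years
```

A row with LifetimeOk false on a certificate you issued from your own CA means the template, not AD FS, set the short validity; the CertificateDuration property only affects the certificates AD FS generates itself.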


Posted in AD

AD – NTLM Blocking and Pass-through Auth

NTLM Blocking

Windows Server 2008 R2 and Windows 7 can restrict NTLM authentication usage out of the box. This feature is known as NTLM blocking. NTLM blocking prevents NTLM from being used for authentication.

Pass-through Authentication

The NetLogon service is responsible for implementing pass-through authentication. To perform pass-through authentication, the service:

  • Selects the domain to pass the authentication request to.
  • Selects the server within the domain.
  • Passes the authentication request through to the selected server.

Selecting the domain is straightforward. The domain name is passed to LsaLogonUser. LsaLogonUser supports interactive logons, service logons, and network logons. Since the domain name specified is not trusted by the domain, the authentication request is processed on the computer being connected to as if the domain name specified were that domain name. NetLogon does not differentiate between a nonexistent domain, an untrusted domain, and an incorrectly typed domain name.


NTLM and Pass-through Authentication (119536)

Configuring server exceptions to allow NTLM
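As an added example (not code from the original post), the script below shows the NTLM restriction, audit and server-exception settings in effect on a host, and summarises what the NTLM operational log has recorded. The registry value names are the ones behind the "Network security: Restrict NTLM" group policies; the event IDs 8001-8004 are the audit events that log writes once auditing or blocking is on. The meaning I attach to the values is my reading of the policy descriptions.

```powershell
# Added example, not code from the original post: show the effective NTLM restriction,
# audit and server-exception settings, then summarise recent NTLM audit events.
$msv = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

# value name -> the "Network security: Restrict NTLM" policy it backs
# (the DC-only values matter only on domain controllers)
$policyMap = [ordered]@{
    RestrictSendingNTLMTraffic   = 'Outgoing NTLM traffic to remote servers (0 allow all, 1 audit all, 2 deny all)'
    RestrictReceivingNTLMTraffic = 'Incoming NTLM traffic'
    AuditReceivingNTLMTraffic    = 'Audit incoming NTLM traffic'
    RestrictNTLMInDomain         = 'NTLM authentication in this domain (DC)'
    AuditNTLMInDomain            = 'Audit NTLM authentication in this domain (DC)'
    ClientAllowedNTLMServers     = 'Add remote server exceptions for NTLM authentication'
    DCAllowedNTLMServers         = 'Add server exceptions in this domain (DC)'
}

function Get-NtlmRestrictionSettings {
    $props = Get-ItemProperty -Path $msv -ErrorAction SilentlyContinue
    foreach ($name in $policyMap.Keys) {
        $value = if ($null -ne $props) { $props.$name } else { $null }
        [pscustomobject]@{
            Setting = $name
            Policy  = $policyMap[$name]
            Value   = if ($null -eq $value) { '(not configured)' }
                      elseif ($value -is [array]) { $value -join ', ' }   # exception lists are multi-string
                      else { $value }
        }
    }
}

function Get-NtlmAuditSummary {
    param([int]$MaxEvents = 500)
    # The operational log only fills up once auditing or blocking is enabled,
    # so an empty result is expected on a host that has never audited NTLM.
    $events = Get-WinEvent -LogName 'Microsoft-Windows-NTLM/Operational' -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
    $events | Group-Object Id | ForEach-Object {
        $latest = $_.Group | Sort-Object TimeCreated -Descending | Select-Object -First 1
        [pscustomobject]@{
            EventId = $_.Name       # 8001 outgoing, 8002 incoming, 8003/8004 in-domain (DC)
            Count   = $_.Count
            Latest  = $latest.TimeCreated
            Summary = ($latest.Message -split "`r?`n")[0]   # first line names the audited direction
        }
    }
}

Get-NtlmRestrictionSettings | Format-Table -AutoSize -Wrap
Get-NtlmAuditSummary | Format-Table -AutoSize -Wrap
```

The practical order is: enable the audit policies first, let the summary run for a few weeks, add the servers that legitimately still need NTLM to the exception lists, and only then move the Restrict values to deny.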

Posted in AD

AD – Cross domain vs Kerberos

Conditions for Kerberos to be used over an External Trust

Interactive logon across external trusts will attempt Kerberos. On Windows XP and Windows Server 2003, NTLM will be tried if Kerberos fails. Windows Vista and newer operating systems will not allow fallback to NTLM for interactive logon over external trusts.

This only applies to Windows workstations. For individual applications, it depends on the application.

Kerberos Authentication Over An External Trust – Is It Possible?

Posted in AD

AD – Cross Domain Authentication – samAccountName vs userPrincipalName

Encountered 2 issues with no answer yet, related to SAM but not UPN:

a. A user from Domain SG is able to log in to the PCs in Domain HK using the SAM account, but can't change the password.

b. A user from Domain HK is able to log in to the PCs in Domain SG using the SAM account and is also able to change the password, but the user can't log in to the IIS web site on the same PC with Windows Integrated Auth.

Q: How does a SAM-account logon resolve the domain name in the trusted domain without WINS replication enabled between the domains?

Points to be noted:

1. Domain DNS name & domain NetBIOS name: but xxx_Domain.

2. Understanding the NetBIOS Node Types: Enhanced h-node

Clients that use the Enhanced h-node type use the p-node type, the b-node type, and DNS to resolve NetBIOS names to IP addresses. Enhanced h-node is the default node type used by Windows 2000, Windows XP, and Windows Server 2003 NetBIOS clients that have a WINS server configured for name resolution. The order in which Enhanced h-node clients resolve NetBIOS names is:

  • NetBIOS name cache.
  • NetBIOS name server – WINS
  • Broadcasting name resolution method.
  • LMHOSTS file
  • DNS name cache
  • HOSTS file
  • DNS server

3. How to disable NetBIOS name resolution: Disable NetBIOS over TCP/IP

4. How to make sure NetBIOS name resolution works ?

  • NetBIOS over TCP/IP is enabled
  • TCP/IP NetBIOS Helper Service is running
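As an added example (not code from the original post), the script below checks the two conditions in point 4 on every IP-enabled adapter and also reports the node type and WINS servers that decide the resolution order in point 2. The registry location, WMI property values and the lmhosts service name are standard Windows; the defaults I apply when no node type is configured (b-node without WINS, h-node with WINS) are my understanding of Windows behaviour.

```powershell
# Added example, not code from the original post: check NetBIOS over TCP/IP, the
# TCP/IP NetBIOS Helper service, the node type and the WINS servers per adapter.
$netbt         = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'
$nodeTypeName  = @{ 1 = 'B-node'; 2 = 'P-node'; 4 = 'M-node'; 8 = 'H-node' }
$netbiosOption = @{ 0 = 'Default (from DHCP)'; 1 = 'Enabled'; 2 = 'Disabled' }   # Win32_NetworkAdapterConfiguration.TcpipNetbiosOptions

function Get-NetbiosResolutionStatus {
    $params = Get-ItemProperty -Path $netbt -ErrorAction SilentlyContinue
    # A static NodeType overrides the DHCP-supplied DhcpNodeType; with neither set the
    # assumed default is b-node without WINS and h-node once a WINS server is configured.
    $nodeValue = if ($null -ne $params.NodeType) { $params.NodeType }
                 elseif ($null -ne $params.DhcpNodeType) { $params.DhcpNodeType }
                 else { $null }

    $adapters = Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE'
    $helper   = Get-Service -Name lmhosts -ErrorAction SilentlyContinue   # display name: TCP/IP NetBIOS Helper

    foreach ($a in $adapters) {
        $wins = @($a.WINSPrimaryServer, $a.WINSSecondaryServer) | Where-Object { $_ }
        $effectiveNode = if ($null -ne $nodeValue) { $nodeTypeName[[int]$nodeValue] }
                         elseif ($wins.Count -gt 0) { 'H-node (default with WINS)' }
                         else { 'B-node (default without WINS)' }
        [pscustomobject]@{
            Adapter        = $a.Description
            NetbiosOverTcp = $netbiosOption[[int]$a.TcpipNetbiosOptions]
            WinsServers    = ($wins -join ', ')
            NodeType       = $effectiveNode
            LmhostsLookup  = [bool]$params.EnableLMHOSTS
            HelperService  = if ($helper) { $helper.Status } else { 'not found' }
            NetbiosReady   = ($a.TcpipNetbiosOptions -ne 2) -and ($helper -and $helper.Status -eq 'Running')
        }
    }
}

Get-NetbiosResolutionStatus | Format-Table -AutoSize
```

A row showing NetbiosReady false with NetbiosOverTcp 'Disabled' is the state point 3 describes (NetBIOS over TCP/IP turned off on the adapter); a 'Default (from DHCP)' value means the DHCP server, not the local setting, decides.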


samAccountName vs userPrincipalName

Crossing Domain Boundaries: Name Resolution

Understanding NetBIOS Name Resolution

Using GlobalNames Zone in Windows Server 2008

Posted in AD

AD Upgrade – Configuring DFSR to a Static Port ?

Working on the FW ports for the project, and noted that Microsoft confuses IT guys again: the DFSR port.

In reference 1, Microsoft mentions that TCP 5722 is for "RPC, DFSR (SYSVOL)", and this article applies up to W2K12 R2 (dated Mar 28 2014).


But the fact is: TCP 5722 is fixed for DFSR in W2K8 only. In Windows 2012, DFSR is back to a dynamic port, the same as W2K3.

If you want to fix the port in W2K12, it is possible, but you have to install the File Services Tools feature with the Distributed File System Tools option and use the dfsrdiag command.
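As an added example (not code from the original post), the commands below pin DFSR to a static RPC port on a Windows Server 2012 R2 DC with the dfsrdiag tool the post points to, open the port in Windows Firewall, restart the service and verify the result. The member name is a placeholder, the port is the one discussed above, and the verification step relies on the DFSR PowerShell module's Get-DfsrServiceConfiguration, which on 2012 R2 I understand reports the configured port as RPCPort.

```powershell
# Added example, not code from the original post: configure a static DFSR RPC port
# on a 2012 R2 DC and verify it. Member name is a placeholder.
$member = 'DC01.corp.example'   # placeholder, replace with the DC's FQDN
$port   = 5722                  # the port discussed above; any free port can be used

# DFS Management Tools: provides dfsrdiag.exe and the DFSR module (2012 R2 feature name)
Install-WindowsFeature -Name RSAT-DFS-Mgmt-Con

# Record the static port in the member's DFSR configuration
dfsrdiag.exe StaticRPC /Port:$port /Member:$member

# The new port is used only after the DFS Replication service restarts
Invoke-Command -ComputerName $member -ScriptBlock { Restart-Service -Name DFSR }

# Allow the port inbound on the member; TCP 135 (endpoint mapper) is still required
# because clients learn the DFSR endpoint from it
Invoke-Command -ComputerName $member -ScriptBlock {
    param($p)
    New-NetFirewallRule -DisplayName "DFSR static RPC $p" -Direction Inbound -Protocol TCP -LocalPort $p -Action Allow
} -ArgumentList $port

# Verify: the RPCPort field should now show $port instead of 0 (dynamic).
# Assumed property name, from the 2012 R2 DFSR module's Get-DfsrServiceConfiguration.
Get-DfsrServiceConfiguration -ComputerName $member | Format-List
```

Do this on every DC that replicates SYSVOL with DFSR, otherwise the firewall rule set built around one fixed port will still see dynamic-port traffic from the others.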


1. Active Directory and Active Directory Domain Services Port Requirements

2. 2012R2 DC – Configure Static DFSR Replication Port

Posted in AD

ESX 5.5 – OVA Error “The operation is not supported on the object”

Exported VMs as OVA from v5.5.0 (3248547), and deploying the OVA into v5.5.0 (3000241) fails with "Failed to Deploy OVF/OVA package: The operation is not supported on the object"; the root cause is the video card settings, funny!


Posted in VMWare

AD Upgrade – Domain Controller Stickiness Prevention

This will help with the site migration.

Domain Controller Stickiness Prevention

Posted in Uncategorized