Archive

Archive for August, 2011

How do I enable Single Sign-on for RD Gateway Server?

August 24th, 2011 Comments off
  1. Create, edit or change a group policy object for your clients
  2. Navigate to “User Configuration”, “Administrative Templates”, “Windows Components”, “Remote Desktop Services”, “RD Gateway” and select the “Set RD Gateway server authentication method” setting:
  3. Select the “Enabled” radio button.
  4. Under “Set RD Gateway server authentication method”, click on the combo-box and select “Use locally logged-on credentials”.
  5. If you want the users to be able to override this authentication method then select “Allow users to change this setting” checkbox.
  6. Confirm the changes by clicking on the “OK” button until you return back to the main Group Policy Object Editor dialog.
  7. Apply the policy and make sure it has been enforced on the client by running “gpupdate” to force the policy to be refreshed immediately on the local machine.
  8. Start up the RD client and navigate to “Options”, “Advanced”, click on “Settings” under “connect from anywhere”. You should see the status text indicate the following: “Your Windows logon credentials will be used to connect to this RD Gateway server”.
  9. The client will now be able to connect to the gateway server using locally logged on credentials

Speaking IPv6 @ Best of MMS Sweden 2011

August 23rd, 2011 Comments off

Yes, you can get by without it, but probably not for long. Adopting the new IPv6 protocols will be a challenge, and there are ways to work around the shortages of IPv4. So why bother to make the move? Because any workarounds eventually will get in the way of new services and devices, and the rest of the world will pass by those who do not adapt. What are the requirement, what management options are available and how should we implement the new protocol and the required management.

Welcome to my session “IPv6::Why:Should:I:Care?” at Best of MMS Sweden 2011 http://www.microsoft.com/sverige/bestofmms2011/default.html

Categories: IPv6, Speaking Tags: ,

Single-Label-Domains (SLD) in Active Directory Domain Services (AD DS)

August 19th, 2011 Comments off

An Active Directory domain name that contains one or more labels separated by a dot is referred to as a fully qualified domain name with two or more names, in contrast there is the concept of single-label domain (SLD), which refers to Active Directory domain names with only one label.Given that SLD is not a commonly deployed configuration today.

Not that many Microsoft and third-party applications have not been tested under an SLD configuration as Microsoft recommends FQDN Active Directory deployments and companies who have deployed SLD should transition to an FQDN Active Directory deployment. This will ensure that they get the most value out of their deployed applications.

For companies that will be evaluating transition to FQDN from SLD configurations Microsoft has finally released a whitepaper describing the options and considerations that they will need to take into account. In particular it describes Domain Migration and Domain Rename operations and explains the different considerations of these two options, so that companies can build a transition plan that makes sense to them.

The complete whitepaper “Single-Label-Domains in Active Directory Domain Services (AD DS) – Considerations, Migration, and Co-existence” can be downloaded from http://www.microsoft.com/download/en/details.aspx?id=27143

 

 

Problem in certreq.exe sign operation

August 13th, 2011 2 comments

CMC certificate requests are normally used in combination with EOBO enrollment (Enroll On Behalf Of) scenarios where additional enrollment agent signatures are required by the certification authority to accept and process the certificate request.

Generating and signing the CMC certificate request can either be done using the certmgr.msc MMC snap-in or scripted using the certreq.exe tool provided in the Windows platform. The procedure using certreq to generate and sign the CMC certificate request is defined by the following steps

1. Create a certificate request inf file describing the request, below you find a sample inf file for EOBO request

[Version]
Signature= “$Windows NT$”

[NewRequest]
RequesterName = Crisco0\Administrator
RequestType = CMC

[RequestAttributes]
CertificateTemplate = EOBO_Template

 

2. Generate the initial self signed CMC certficate request using the command:

certreq.exe -new certificate_request.inf certificate_request.req

3. Sign the initial self signed CMC certficate request with the enrollment agent certificate using the command:

certreq.exe -sign certificate_request.req signed_certificate.req

4. Submit the agent signed CMC request to the enterprise CA and receive the certificate using the command:

certreq.exe -submit signed_certificate.req new_certificate.cer

The procedure described above works as expected until you try it in Windows 2008 R2 SP1 (I have not had the chans to test other versions yet) and you will get an error message at step 3 failing the agent signing.

What happens in step 3 is that the certreq tools will try to read the referenced certificate template from Active Directory and to figure out the signing requirements and it simply fails with the error message:

Certificate Request Processor: An attempt was made to perform an initialization operation when initialization has already been completed. 0x800704df (WIN32: 1247)

After struggling with my request inf file and certificate template with the same error I decided to perform the agent signing using other tools, after some research I found this very interesting MSDN article http://msdn.microsoft.com/en-us/library/ms867026.aspx  about Creating Certificate Requests Using the Certificate Enrollment Control and CryptoAPI. The article looked nice with provided samples but I wanted something more simple so I ended up in this article http://technet.microsoft.com/en-us/library/ff182315(WS.10).aspx about “Create Enroll on Behalf of Another User Request”. Usingthe code from the “Create Enroll on Behalf of Another User Request” article I created the cmcSigner tool and the CMC request could be signed and the certificate issued without errors.

What if this version certreq.exe has some issue? To figure out that I decided to test the certreq -sign operation with an older version of certreq.exe so I grabbed the Windows 2003 Admin Tool Pack and extracted the certreq.exe and tested the signing step with no errors!

Conclusion: certreq.exe in some later versions has a problem performing a certificate signing operation.

Solution: use another version of certreq.exe or another tool like the cmcSigner tool

  cmcSigner Tool download:(258.8 KiB, 1,932)

IT Pro at Home Demonstration: Wireless Networking

August 6th, 2011 Comments off

Learn how, in Windows 7, you can connect to a wireless access point in just three clicks. With this screencast from the Springboard Series IT Pro at Home: Tips and Tricks series, you’ll see how, whether you’re sitting in a coffee shop or at the airport, connecting to a wireless network is simple and easy when you’re using Windows 7. This demonstration will also go over moving between wireless networks and provide tips to help you go from home to the office using each network seamlessly.

Download the Wireless Networking screencast here or from Microsoft at http://www.microsoft.com/download/en/details.aspx?id=1271

 

 

Maintain SDL requirement in code

August 5th, 2011 Comments off

Microsoft has released an updated version of the banned.h header file to help developers sanitizing resource which supports the SDL requirement and to remove banned functions from code. The header file simply lists all banned APIs and allows any developer to locate them in code and remove or adjust the code to be aligned with the SDL requirements.

The updated banned.h can be downloaded from Microsoft Download Center http://www.microsoft.com/download/en/details.aspx?id=24817