Djimi
Jan 23, 2004

I like digital data

mllaneza posted:

And the idiot is in charge of developing licensing schemes for Microsoft.
Looking through this thread trying to find information about my first foray into KMS Host service, for activations of Datacenter 2022 (or whatever eventually)— and I thought our "key" (license?) should work. But I keep getting this:
code:
The following error has occurred. Please resolve the error and
Description: The Software Licensing Service reported that the product key cannot be used for this type of activation
I was hoping that the issue was that my firewall was blocking something going out and/or back from Redmond.

If it's just what we paid for, our VAR seems to have never dealt with anything like this, and we did buy it originally from a different VAR company (but the same team (we stayed with them)), and maybe that's the issue....

And even though I've been working on Windows since the last century, I've never worked with this feature/role ... so I'm a stupid newbie on this.
I actually don't think I have ever called M$ support for anything to do with a Server feature issue. So it's a first for me.
Pity me or chortle if you like... thanks if you can throw me a bone. :tipshat:


Boogalo
Jul 8, 2012

Meep Meep




Where do you get the key and where are you applying it?

We have a volume license agreement negotiated with MS and processed through a 3rd party vendor so our keys and downloads are in the m365 admin portal. In there are lots of different keys for different purposes. We used to use KMS but now use AD-based activation where the key is stored in AD and anything that is domain joined is automatically licensed appropriately.

If you're trying to activate individual systems in the OS by hand, IIRC you need to use the "MAK" key. That key is good for multiple, but limited activations and that count would show in the admin portal. Also, keep it safe and don't let it leak, that is very bad.

I agree it is a fairly cursed system even compared to other deep level cursed MS features. The activation hotline tends to be very helpful though; they can probably tell you what's wrong but couldn't help you with procuring the correct thing.

buffbus
Nov 19, 2012
Just taking stabs because I've stood up a few KMS hosts before. I have never used the GUI for it because it makes me uneasy, mostly because it gives vibes of starting over from scratch each time. I usually just use the various slmgr commands from an elevated command prompt. If the key types are messing you up, make sure you attempt to register the CSVLK on the host and the GVLK on the clients. Also keep in mind you need a fairly new OS version on the host if you are activating server 2022 keys. For the MS Office products which still use keys, those usually need a small support pack installed.
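
An added example, not part of the post above or of anyone's reply in this thread: a PowerShell check that reports which key channel (CSVLK, GVLK or MAK) is actually installed on a machine, which is the first thing to confirm when the service says a key "cannot be used for this type of activation". The channel substrings matched in the `Description` field are an assumption based on what `slmgr /dlv` normally prints, and the key and host name in the commented steps are placeholders.

```powershell
# Added example: identify the installed volume-activation key channel.
# Run from an elevated PowerShell session on the KMS host or on a client.

# Application ID that Windows itself uses in SoftwareLicensingProduct.
$windowsAppId = '55c92734-d682-4d71-983e-d6ec3f16059f'

$statusNames = @{
    0 = 'Unlicensed';      1 = 'Licensed';     2 = 'OOBGrace'
    3 = 'OOTGrace';        4 = 'NonGenuineGrace'
    5 = 'Notification';    6 = 'ExtendedGrace'
}

function Get-KeyChannel {
    param([string]$Description)
    # Order matters: VOLUME_KMSCLIENT also contains VOLUME_KMS.
    switch -Regex ($Description) {
        'VOLUME_KMSCLIENT' { 'GVLK (KMS client key)'; break }
        'VOLUME_KMS'       { 'CSVLK (KMS host key)';  break }
        'VOLUME_MAK'       { 'MAK';                   break }
        default            { 'Other (retail, OEM or unknown)' }
    }
}

# Only products that actually have a key installed.
$filter = "ApplicationID='$windowsAppId' AND PartialProductKey IS NOT NULL"

Get-CimInstance -ClassName SoftwareLicensingProduct -Filter $filter |
    ForEach-Object {
        [pscustomobject]@{
            Name        = $_.Name
            Channel     = Get-KeyChannel $_.Description
            Status      = $statusNames[[int]$_.LicenseStatus]
            KeyEndsWith = $_.PartialProductKey   # last 5 characters only
        }
    } | Format-Table -AutoSize

# The slmgr steps the post refers to, with placeholder values:
#   KMS host:  cscript //nologo $env:windir\System32\slmgr.vbs /ipk <CSVLK-PLACEHOLDER>
#              cscript //nologo $env:windir\System32\slmgr.vbs /ato
#              cscript //nologo $env:windir\System32\slmgr.vbs /dlv
#   Client:    cscript //nologo $env:windir\System32\slmgr.vbs /ipk <GVLK-PLACEHOLDER>
#              cscript //nologo $env:windir\System32\slmgr.vbs /skms <kms-host-placeholder>:1688
#              cscript //nologo $env:windir\System32\slmgr.vbs /ato
```

The output shows only the last five characters of each key, so it can be pasted into a ticket or forum post without exposing the key itself.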

kiwid
Sep 30, 2013

What do you all do about employees who refuse to use their personal phones (understandable) for Azure MFA? Do you use some type of hardware fob?

GreenNight
Feb 19, 2006
Turning the light on the darkest places, you and I know we got to face this now. We got to face this now.

At my job management decided it's like wearing shoes to the office. If you want to work remote, using your personal phone for MFA is required. Or you're required to be on site 5 days a week.

Sir Bobert Fishbone
Jan 16, 2006

Beebort

kiwid posted:

What do you all do about employees who refuse to use their personal phones (understandable) for Azure MFA? Do you use some type of hardware fob?

We have one user who does not own a smartphone, and she was given a Yubikey.

kiwid
Sep 30, 2013

GreenNight posted:

At my job management decided it's like wearing shoes to the office. If you want to work remote, using your personal phone for MFA is required. Or you're required to be on site 5 days a week.

We're such a relaxed environment, HR would never go for it but I like this idea.

Sir Bobert Fishbone posted:

We have one user who does not own a smartphone, and she was given a Yubikey.

Are Yubikeys reusable, as in if the employee leaves I can somehow reassign it to another user?

Internet Explorer
Jun 1, 2005





Yup yup. Also I do vaguely remember there is an upper limit of hardware MFA tokens EntraID will allow for your tenant. Maybe that's out of date knowledge, but I think it was talked about here or maybe the InfoSec thread fairly recently. Doesn't sound like it will be a problem for you, but something to be aware of.

kiwid
Sep 30, 2013

Another question I suppose. We have two locations that are in the middle of nowhere and the only ISP available other than Starlink is a PTP wireless provider that does double-NAT and doesn't provide static IPs. It's been a nightmare for site-to-site VPN but FortiGate's dial-up VPN has gotten us by. However, this means I can't set up these locations as trusted locations for MFA. What are my options here? Now that you mentioned Yubikey, I'm considering just using these for the general use PCs and leave the Yubikey plugged in 24/7. Is there an alternative?

kiwid
Sep 30, 2013

Internet Explorer posted:

Yup yup. Also I do vaguely remember there is an upper limit of hardware MFA tokens EntraID will allow for your tenant. Maybe that's out of date knowledge, but I think it was talked about here or maybe the InfoSec thread fairly recently. Doesn't sound like it will be a problem for you, but something to be aware of.

Thanks for that tip. We have about ~100 PCs across the company but only like 50 are user PCs while the rest are for plant controls. It kinda sucks to be honest but it is what it is. I'm not worried about MFA for users but rather we can't have MFA prompting for the general use accounts.

MF_James
May 8, 2008
I CANNOT HANDLE BEING CALLED OUT ON MY DUMBASS OPINIONS ABOUT ANTI-VIRUS AND SECURITY. I REALLY LIKE TO THINK THAT I KNOW THINGS HERE

INSTEAD I AM GOING TO WHINE ABOUT IT IN OTHER THREADS SO MY OPINION CAN FEEL VALIDATED IN AN ECHO CHAMBER I LIKE

kiwid posted:

Another question I suppose. We have two locations that are in the middle of nowhere and the only ISP available other than Starlink is a PTP wireless provider that does double-NAT and doesn't provide static IPs. It's been a nightmare for site-to-site VPN but FortiGate's dial-up VPN has gotten us by. However, this means I can't set up these locations as trusted locations for MFA. What are my options here? Now that you mentioned Yubikey, I'm considering just using these for the general use PCs and leave the Yubikey plugged in 24/7. Is there an alternative?

You could route traffic over the tunnel so they present the static IP from whatever office the tunnel terminates at, obviously puts more strain on that connection and adds some latency.

That's just the first thing that popped into my head, wouldn't be the best solution but could be a temporary measure.

Number19
May 14, 2003

HOCKEY OWNS
FUCK YEAH


kiwid posted:

Are Yubikeys reusable, as in if the employee leaves I can somehow reassign it to another user?

They are, yes. But they are also not all that expensive and we treat them as a consumable. If someone gets a Yubikey from us, it's theirs forever. You can't stop them from using it for non-work accounts once they have it so it just becomes a personal item for them and we don't want it back.

They are also great and I wish I could get more people to take them. I use them for all my daily and admin accounts and it's so much easier to use.

Thanks Ants
May 21, 2004

#essereFerrari


The limit was to do with tokens on a Yubikey IIRC and not how many hardware tokens an Entra tenant can support. And yes, they are £30 or something along those lines, you might have a handful of employees who request a token, just treat it as disposable.

For your double-NAT site you probably want to tunnel them out to somewhere with real internet service, either as part of a wider SD-WAN project or just these sites on an ad-hoc basis, because otherwise you will struggle with stuff like VoIP in future. There's a provider here that you can buy "ISP" service from without the actual connection part, you build an L2TP tunnel and get to use their static IP ranges, people use it with things like 5G modems.

https://www.aa.net.uk/broadband/l2tp-service/

Thanks Ants fucked around with this message at 22:34 on Mar 27, 2024

buffbus
Nov 19, 2012

Number19 posted:

They are also great and I wish I could get more people to take them. I use them for all my daily and admin accounts and it's so much easier to use.

I still prefer to use my fingerprint with hello for business to sign into my devices but the Yubikey is amazing for privileged accounts, especially when sessions constantly glitch out and need a new sign-in the last couple weeks.


Internet Explorer
Jun 1, 2005





Thanks Ants posted:

The limit was to do with tokens on a Yubikey IIRC and not how many hardware tokens an Entra tenant can support. And yes, they are £30 or something along those lines, you might have a handful of employees who request a token, just treat it as disposable.

Huh. Maybe I misunderstood on more than one occasion because after briefly looking now I don't see any mention of it online.
