Docjowles
Apr 9, 2009

incoherent posted:

How do you even scale an app that is looking at HOSTNAME+IP as its security mechanism?

BangersInMyKnickers posted:

You could probably get clever with a load balancer in front of it. FT on a VM if you don't need to scale beyond single VM/FT limits any time soon.

The real answer is that you put every host in the "cluster" on the same hostname and IP and then wonder why everyone complains about availability all the time.


BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

You should clone the mac addresses while you're at it.

Potato Salad
Oct 23, 2014

nobody cares


I'm slowly nursing a problematic (misconfigured) S2D cluster to health right now; I am basically massively triggered by these suggestions.

Potato Salad fucked around with this message at 00:48 on Aug 15, 2018

Potato Salad
Oct 23, 2014

nobody cares


When you're finding the max distance of stretched clustering, do you count 1x of fully-extended arm length of both clusters (each cluster is gripping the other's shirt) or 2x of that arm length (the clusters are locking hands)?

Help me my business is dying

FISHMANPET
Mar 3, 2007

Sweet 'N Sour
Can't
Melt
Steel Beams

orange sky posted:

Now, a question. Do you guys know if there's any registry in devices with an SCCM agent that tells us the last successful connection to the SCCM server and the last successful hardware inventory cycle?

I doubt it. The client doesn't even know if it's successfully uploaded inventory. It passes it onto the management point but that doesn't mean the management point successfully sends it to the site server.

Potato Salad
Oct 23, 2014

nobody cares


Who is ready to support Windows 10 Build 180911?

anthonypants
May 6, 2007

by Nyc_Tattoo
Dinosaur Gum

Potato Salad posted:

Who is ready to support Windows 10 Build 180911?

Everyone is going to be confused as gently caress when they encounter Sets for the very first time

Thanks Ants
May 21, 2004

#essereFerrari


Is that the build that supports FIDO2 login

Tapedump
Aug 31, 2007
College Slice
I’m just happy Sets fully supports Chrome! Right? Right?!

Matt Zerella
Oct 7, 2002

Norris'es are back baby. It's good again. Awoouu (fox Howl)
Has anyone dealt with this poo poo on an iPhone before?

https://s4erka.wordpress.com/tag/mobile-app-web-service/

It's neither a TLS nor a cert chain issue. I have random users where the goddamn phone app will not work for them, but they can use another phone or an iPad and it works. We tested it here in the office and it works perfectly.

Thanks Ants
May 21, 2004

#essereFerrari


Do those random users have custom root certs on their devices, maybe ones that have been added by a hotspot profile?

lol internet.
Sep 4, 2007
the internet makes you stupid
Remote Desktop Session/Remote App question for internal network only.

I'm in a company.local domain. I want to set up RDWeb/RemoteApp.

I've read that the best way to go about things for the pure SSO experience is using a wildcard on the RD Web Access/Connection Brokers (internal cert).

The thing is though, when we connect to RDWEB through https://rdwebserver/Rdweb we get a certificate error (obviously because there's no .company.local appended to it.)

Is there any way for users who access https://rdwebserver/rdweb to be redirected to https://rdwebserver.company.local/rdweb ?

I always felt that in the past it appended company.local when you entered https://serverhostname. Any input or suggestions?

Also, is it possible to split up the connection broker and RDWeb certs if we don't use a wildcard? (i.e. connectionbroker.company.local and rdweb.company.local)

lol internet. fucked around with this message at 08:29 on Sep 2, 2018

Docjowles
Apr 9, 2009

When you generate the cert, you should be able to put both the base hostname and the fqdn on it as valid names. Then it will work for either. A redirect won’t work because when you initially connect to the “wrong” name you will get a mismatched cert and the process will fail right away.

lol internet.
Sep 4, 2007
the internet makes you stupid

Docjowles posted:

When you generate the cert, you should be able to put both the base hostname and the fqdn on it as valid names. Then it will work for either. A redirect won’t work because when you initially connect to the “wrong” name you will get a mismatched cert and the process will fail right away.

Blah

I guess I'll mess around some more then. Doing this through the internal Microsoft CA. Also, annoyingly, if I set the certificate template to 5 year validity it only gives 2 years.

Number19
May 14, 2003

HOCKEY OWNS
FUCK YEAH


A CA will use either the expiry in the template or its own expiry date when issuing a cert, whichever is sooner. This prevents a cert from expiring after the CA cert and causing a cert chain validity issue.

snackcakes
May 7, 2005

A joint venture of Matsumura Fishworks and Tamaribuchi Heavy Manufacturing Concern

lol internet. posted:

Blah

I guess I'll mess around some more then. Doing this through the internal Microsoft CA. Also, annoyingly, if I set the certificate template to 5 year validity it only gives 2 years.

There's a hard coded cert validity period. 2 years by default. Run command prompt as admin and run "certutil -setreg CA\ValidityPeriodUnits 5" if you want to change it to 5 years. You'll need to restart the CA service and then re-do the cert.
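
The two replies above describe two separate caps on issued-certificate lifetime: the CA never issues past its own certificate's expiry, and the CA-wide ValidityPeriod/ValidityPeriodUnits registry setting (2 years by default) caps everything regardless of the template. The PowerShell below is an added example, not code from the thread or from Microsoft: it reads the live CA setting from the same registry location the certutil -setreg CA\... command writes to, and computes which of the three limits wins for a given template. The years and dates in the sample calls are constructed.

```powershell
# Added example: what validity an AD CS CA will actually grant, and how to
# inspect the CA-side cap that "certutil -setreg CA\ValidityPeriodUnits 5" raises.

function Get-CaValidityPeriod {
    # Reads the active CA's ValidityPeriod ("Years") and ValidityPeriodUnits
    # (2 by default) from the CertSvc configuration key. Run on the CA itself.
    $base   = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $active = (Get-ItemProperty -Path $base -Name Active).Active
    $cfg    = Get-ItemProperty -Path (Join-Path $base $active)
    [pscustomobject]@{
        CaName              = $active
        ValidityPeriod      = $cfg.ValidityPeriod
        ValidityPeriodUnits = $cfg.ValidityPeriodUnits
    }
}

function Get-EffectiveCertValidity {
    param(
        [Parameter(Mandatory)][int]      $TemplateYears,    # validity configured on the template
        [Parameter(Mandatory)][int]      $CaValidityUnits,  # ValidityPeriodUnits on the CA (ValidityPeriod = "Years")
        [Parameter(Mandatory)][datetime] $CaCertNotAfter,   # expiry of the CA's own certificate
        [datetime] $IssueDate = (Get-Date)
    )
    $byTemplate  = $IssueDate.AddYears($TemplateYears)
    $byCaSetting = $IssueDate.AddYears($CaValidityUnits)

    # Start from the template and let each stricter cap override it.
    $notAfter = $byTemplate;  $limit = 'template validity period'
    if ($byCaSetting -lt $notAfter)    { $notAfter = $byCaSetting;    $limit = 'CA ValidityPeriod/ValidityPeriodUnits registry setting' }
    if ($CaCertNotAfter -lt $notAfter) { $notAfter = $CaCertNotAfter; $limit = "CA certificate's own expiry" }

    [pscustomobject]@{ NotAfter = $notAfter; LimitedBy = $limit }
}

# Constructed samples (not real CA data):
# 5-year template, default 2-year CA cap, CA cert good for another 8 years -> the registry cap wins.
Get-EffectiveCertValidity -TemplateYears 5 -CaValidityUnits 2 -CaCertNotAfter (Get-Date).AddYears(8)
# Same template after raising the cap to 5, but the CA cert itself expires in 18 months -> CA expiry wins.
Get-EffectiveCertValidity -TemplateYears 5 -CaValidityUnits 5 -CaCertNotAfter (Get-Date).AddMonths(18)

# To raise the cap to match a 5-year template (elevated, on the CA), then re-submit the request:
#   certutil -setreg CA\ValidityPeriod "Years"
#   certutil -setreg CA\ValidityPeriodUnits 5
#   Restart-Service CertSvc
```

Raising the registry cap does nothing about the third limit: if the CA certificate itself has less than 5 years left, the issued cert is still cut off at the CA's NotAfter, so check Get-CaValidityPeriod together with the CA cert's expiry before blaming the template.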

GnarlyCharlie4u
Sep 23, 2007

I have an unhealthy obsession with motorcycles.

Proof
This has been bugging me for a while but I've never had the time to get around to addressing it. Users cannot change their own passwords on Windows 10 LTSB 1607.

Here's the problem: for remote users we use an appliance that runs Apache Guacamole to open a terminal session into a virtual desktop.
Under the User's 'Sign-in options' Password Change button is disabled and requires the user to hit Ctrl+Alt+Del to get to the password change screen.
Guacamole doesn't pass Ctrl+Alt+Del and there's no way to emulate it afaik.



I can't seem to find what GPO would allow the use of the Change button within the user's Account screen. I'm hoping it's not the "Interactive Logon: Do not require " option. Am I barking up the wrong tree here?

What I don't understand is, how the gently caress Guacamole passes the credentials in the first place if Interactive logon: Do not require CTRL+ALT+DEL is set to Disabled. But I think that's a whole 'nother rabbit hole.

Maneki Neko
Oct 27, 2000

GnarlyCharlie4u posted:

This has been bugging me for a while but I've never had the time to get around to addressing it. Users cannot change their own passwords on Windows 10 LTSB 1607

Here's the problem: for remote users we use an appliance that runs Apache Guacamole to open a terminal session into a virtual desktop.
Under the User's 'Sign-in options' Password Change button is disabled and requires the user to hit Ctrl+Alt+Del to get to the password change screen.
Guacamole doesn't pass Ctrl+Alt+Del and there's no way to emulate it afaik.



I can't seem to find what GPO would allow the use of the Change button within the user's Account screen. I'm hoping it's not the "Interactive Logon: Do not require " option. Am I barking up the wrong tree here?

What I don't understand is, how the gently caress Guacamole passes the credentials in the first place if Interactive logon: Do not require CTRL+ALT+DEL is set to Disabled. But I think that's a whole 'nother rabbit hole.

I don't have a Guacamole setup to test with, but control-alt-end doesn't work?

EoRaptor
Sep 13, 2003

by Fluffdaddy

Maneki Neko posted:

I don't have a Guacamole setup to test with, but control-alt-end doesn't work?


ctrl-alt-insert may also work. Windows is pretty flexible about the special escape code keys, because the original purpose is long obsolete.

GnarlyCharlie4u
Sep 23, 2007

I have an unhealthy obsession with motorcycles.

Proof

Maneki Neko posted:

I don't have a Guacamole setup to test with, but control-alt-end doesn't work?

EoRaptor posted:

ctrl-alt-insert may also work. Windows is pretty flexible about the special escape code keys, because the original purpose is long obsolete.

nope and nope. or home or pgup pgdn

HOLY gently caress!
CTRL+ALT+SHIFT brings up a secret options menu that allows me to use Guacamole's OSK and Ctrl+Alt+delete works with that...
I'd still prefer a more elegant option that doesn't involve that though.

anthonypants
May 6, 2007

by Nyc_Tattoo
Dinosaur Gum
Google suggests that Ctrl+Alt+Del can be sent via Guacamole's on-screen keyboard

GnarlyCharlie4u posted:

I'd still prefer a more elegant option that doesn't involve that though.

Then I think your options are to use something else or to send them a pull request.

anthonypants fucked around with this message at 20:30 on Sep 5, 2018

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

GnarlyCharlie4u posted:

nope and nope. or home or pgup pgdn

HOLY gently caress!
CTRL+ALT+SHIFT brings up a secret options menu that allows me to use Guacamole's OSK and Ctrl+Alt+delete works with that...
I'd still prefer a more elegant option that doesn't involve that though.

If you're doing password expirations you're likely going to run into a situation where people let their password expire and then they can't even auth into the system in the first place to change their password. We ended up working around that with this:

https://thycotic.com/products/password-reset-server/

It's cheap enough, but I wouldn't trust Thycotic to code their way out of a wet paper bag, so only give it permission to modify user accounts in specific OUs and definitely not ones with DA permissions.

GnarlyCharlie4u
Sep 23, 2007

I have an unhealthy obsession with motorcycles.

Proof

BangersInMyKnickers posted:

If you're doing password expirations you're likely going to run into a situation where people let their password expire and then they can't even auth into the system in the first place to change their password. We ended up working around that with this:

https://thycotic.com/products/password-reset-server/

It's cheap enough, but I wouldn't trust Thycotic to code their way out of a wet paper bag, so only give it permission to modify user accounts in specific OUs and definitely not ones with DA permissions.

Funny you should mention that. We built a website for accounts that need to reset their passwords but don't have access to any machines on the domain (they just use AD accounts for LDAP for whatever software). Problem is, policy states we only make that available to specific network segments and absolutely not public facing in any way.

anthonypants
May 6, 2007

by Nyc_Tattoo
Dinosaur Gum
Last time I checked you can do password writeback to your on-prem AD with an Azure AD Premium subscription

GnarlyCharlie4u
Sep 23, 2007

I have an unhealthy obsession with motorcycles.

Proof

anthonypants posted:

Last time I checked you can do password writeback to your on-prem AD with an Azure AD Premium subscription

We're not properly licensed. Also we don't have pw writeback enabled.
oh and we don't allow OWA so...

But a coworker did have another solution.
Shortcut to an Explorer shell command:
code:
C:\Windows\explorer.exe shell:::{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}

GnarlyCharlie4u fucked around with this message at 21:13 on Sep 5, 2018

Spyderizer
Feb 18, 2004
Has anyone got a solution for issuing machine certificates for Azure AD joined devices?

You can do user certificates with Intune, there's a uservoice where Microsoft say they're investigating, last updated November 2017.

Maneki Neko
Oct 27, 2000

Spyderizer posted:

Has anyone got a solution for issuing machine certificates for Azure AD joined devices?

You can do user certificates with Intune, there's a uservoice where Microsoft say they're investigating, last updated November 2017.

Are you going to Ignite? This seems like a great “go bug the product manager” thing if so.

Potato Salad
Oct 23, 2014

nobody cares


I have an elevator pitch "Hey, know how you're trying to sell more azure ad p1 licenses?" on exactly the same feature

Internet Explorer
Jun 1, 2005





I'm working on setting up a proper PKI for the first time, using AD CS and... why is this poo poo so complicated? It's ridiculous. Does anyone have a decent guide to use?

I have the root CA deployed. It's off the domain and will be shut down when I am done.
I have the enterprise CA deployed. It's on the domain and will remain online.
I have an IIS server deployed (because ???). It's on the domain and will remain online.

I was using this guide, because it looked quite good, but there is some poo poo that I just do not understand. It seems like this web server is only for internal sources and if we wanted to publish certs for external sources we should have another web server (off the domain) for that?

We have a .local domain for internal use and also your standard .com domain for external use. I know that .local is no longer a best practice, but we use split brain DNS. I would like to be able to issue certs for both .local and .com... do I need to do anything special here?

What a pain.

Methanar
Sep 26, 2013

by the sex ghost

Internet Explorer posted:

I'm working on setting up a proper PKI for the first time, using AD CS and... why is this poo poo so complicated? It's ridiculous. Does anyone have a decent guide to use?

I have the root CA deployed. It's off the domain and will be shut down when I am done.
I have the enterprise CA deployed. It's on the domain and will remain online.
I have an IIS server deployed (because ???). It's on the domain and will remain online.

I was using this guide, because it looked quite good, but there is some poo poo that I just do not understand. It seems like this web server is only for internal sources and if we wanted to publish certs for external sources we should have another web server (off the domain) for that?

We have a .local domain for internal use and also your standard .com domain for external use. I know that .local is no longer a best practice, but we use split brain DNS. I would like to be able to issue certs for both .local and .com... do I need to do anything special here?

What a pain.

Talking out of my rear end here because lol AD CS

But IIS is probably for CRL checking. Making sure that a certificate has not been revoked.

You can specify additional domains that a certificate applies to. These are called SAN, subject alternative names.


https://youtube.com

Check the certificate here. *.google.com is the subject with a poo poo ton of other alternative domains that are also valid under the certificate

Methanar fucked around with this message at 02:46 on Sep 15, 2018
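
Both the SAN explanation above and the earlier RDWeb answer (put the short hostname and the FQDN on the same cert) come down to one question: does the name the client typed appear in the certificate's name list, with wildcards matching exactly one label? The PowerShell below is an added example, not code from the thread: it pulls the DNS names out of a certificate's SAN extension (OID 2.5.29.17) and applies that matching rule. The rdwebserver and google.com name lists are constructed samples, not the actual contents of any real certificate.

```powershell
# Added example: which hostnames a certificate's Subject/SAN names cover.

function Get-CertificateDnsNames {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate)
    $names = @()
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Format($false) renders e.g. "DNS Name=rdwebserver, DNS Name=rdwebserver.company.local"
        foreach ($m in [regex]::Matches($san.Format($false), 'DNS Name=([^\s,]+)')) {
            $names += $m.Groups[1].Value
        }
    }
    # Older clients still fall back to the subject CN; include it for completeness.
    $cn = $Certificate.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if ($cn) { $names += $cn }
    $names | Select-Object -Unique
}

function Test-NameCoveredByCertificate {
    param(
        [Parameter(Mandatory)][string]   $HostName,
        [Parameter(Mandatory)][string[]] $CertificateNames
    )
    $h = $HostName.ToLowerInvariant().TrimEnd('.')
    foreach ($n in $CertificateNames) {
        $n = $n.ToLowerInvariant().TrimEnd('.')
        if ($n -eq $h) { return $true }
        if ($n.StartsWith('*.')) {
            # "*.google.com" covers "www.google.com" but not "google.com" or "a.b.google.com":
            # the wildcard stands in for exactly one non-empty leftmost label.
            $suffix = $n.Substring(1)                       # ".google.com"
            if ($h.EndsWith($suffix)) {
                $leftLabel = $h.Substring(0, $h.Length - $suffix.Length)
                if ($leftLabel.Length -gt 0 -and -not $leftLabel.Contains('.')) { return $true }
            }
        }
    }
    return $false
}

# Constructed sample: the RDWeb cert with both names on it, as suggested earlier in the thread.
$rdwebNames = @('rdwebserver', 'rdwebserver.company.local')
Test-NameCoveredByCertificate -HostName 'rdwebserver'               -CertificateNames $rdwebNames
Test-NameCoveredByCertificate -HostName 'rdwebserver.company.local' -CertificateNames $rdwebNames
Test-NameCoveredByCertificate -HostName 'rdwebserver.company.com'   -CertificateNames $rdwebNames   # not on the cert

# Constructed sample of a wildcard plus alternative names (not the real youtube.com cert contents).
$googleNames = @('*.google.com', 'youtube.com', '*.youtube.com')
Test-NameCoveredByCertificate -HostName 'www.google.com' -CertificateNames $googleNames
Test-NameCoveredByCertificate -HostName 'google.com'     -CertificateNames $googleNames   # wildcard needs one label
Test-NameCoveredByCertificate -HostName 'a.b.google.com' -CertificateNames $googleNames   # wildcard spans one label only

# Against a cert already in the machine store, e.g. the one bound to RDWeb:
# $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Subject -like '*rdweb*' | Select-Object -First 1
# Test-NameCoveredByCertificate -HostName 'rdwebserver' -CertificateNames (Get-CertificateDnsNames $cert)
```

The third rdwebserver call is the "wrong name" case from the RDWeb question: no redirect can fix it, because the TLS handshake fails on the name mismatch before any HTTP redirect is served. The fix is to get the missing name onto the certificate, which is exactly what the check above lets you confirm before deploying it.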

Methanar
Sep 26, 2013

by the sex ghost
IIS is also probably used for doing certificate signing. You submit CSRs to whatever is running on IIS and then that returns to you a signed certificate

anthonypants
May 6, 2007

by Nyc_Tattoo
Dinosaur Gum

Methanar posted:

IIS is also probably used for doing certificate signing. You submit CSRs to whatever is running on IIS and then that returns to you a signed certificate

Yeah, IIS is for making CSRs stupid easy and it rules. AD CS is cool and good.

AD CS is for internal certificates. If you've got internal websites on https://tools.internal.workplace.com that need certificates, that's fine. If you want to use AD CS to issue certificates for your public website at https://www.workplace.com then every single person outside of your organization is going to get errors about how they shouldn't trust your website.

anthonypants fucked around with this message at 04:01 on Sep 15, 2018

Internet Explorer
Jun 1, 2005





anthonypants posted:

Yeah, IIS is for making CSRs stupid easy and it rules. AD CS is cool and good.

AD CS is for internal certificates. If you've got internal websites on https://tools.internal.workplace.com that need certificates, that's fine. If you want to use AD CS to issue certificates for your public website at https://www.workplace.com then every single person outside of your organization is going to get errors about how they shouldn't trust your website.

That's what my assumption was, but I think the external is more for hybrid cloud setups. Also, I'm familiar with SAN certs, but I know that third party CAs have stopped issuing certs with internal DNS domains like .local.

Internet Explorer fucked around with this message at 07:17 on Sep 15, 2018

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

If you have a linkedin training account, they have a pretty good course on standing up ADCS and getting all the CRL/OCSP stuff stood up and published correctly.

You won't necessarily need another webserver for external stuff; a second IP/interface on the box will do it along with another cert from a globally trusted CA. If it's only a handful of external infrastructure connecting to it that you control, then you have the option of importing the root and intermediate certs from your internal PKI into the trust store on those systems to make it work.

Potato Salad
Oct 23, 2014

nobody cares


you can have ad cs use a publicly trusted signing cert, but unless you're dealing with some dipshit at GoDaddy that involves a hideous amount of work and expense

anthonypants
May 6, 2007

by Nyc_Tattoo
Dinosaur Gum

Internet Explorer posted:

That's what my assumption was, but I think the external is more for hybrid cloud setups. Also, I'm familiar with SAN certs, but I know that third party CAs have stopped issuing certs with internal DNS domains like .local.

If I were you, I'd use an external trust for my external websites, and AD CS for my internal websites. It could also be considered a security risk to have internal server names exposed via the records in the SAN. If cost is an issue, Let's Encrypt is an option.

Mr. Clark2
Sep 17, 2003

Rocco sez: Oh man, what a bummer. Woof.

Office 365 email migration question:

I'm in the testing phase of migrating users/computers/groups from an AD domain that we're retiring due to a merger. Both olddomain.com and newdomain.com are using ADsync to sync to the same O365 tenant; absolutely no on-premise Exchange servers are involved.
I've got the users/computers/groups portion down, I've successfully migrated my test objects over without incident. However, migrating email is proving to be a bit trickier.
I know that I can migrate the user over to the new domain, export their email from user@olddomain.com, and then bulk import it into O365. The export step looks like it has to be done manually using the E-discovery tool, and I've got almost 100 mailboxes, mostly from users that never delete anything so the exported data dump is going to be rather large.
So, all that being said, there must be an easier way to do this in TYOOL2018. Any ideas?

Thanks Ants
May 21, 2004

#essereFerrari


Just use Skykick or similar

Mr. Clark2
Sep 17, 2003

Rocco sez: Oh man, what a bummer. Woof.

Thanks Ants posted:

Just use Skykick or similar

Sounds nice, but have I mentioned the budget for this project? It's $0.


anthonypants
May 6, 2007

by Nyc_Tattoo
Dinosaur Gum
Sounds like Office 365 is a little out of your price range, then.
