Mr. Clark2
Sep 17, 2003

Rocco sez: Oh man, what a bummer. Woof.

We're using RADIUS (NPS running on Windows server) to authenticate clients on one of our wifi networks. Is there any way to limit the number of devices that one person can authenticate? I'm trying to prevent Joe Blow from joining his personally-owned laptop to this network, we already have a guest network set up for that purpose.

Thanks Ants
May 21, 2004

#essereFerrari


Really the answer is to move to using client certs to authenticate to the Wi-Fi, and only distribute them to compliant clients through GPO/MDM/whatever.

If you want to limit the amount of concurrent devices connected per RADIUS username then I would look to your wireless controller to handle that.

Modulo16
Feb 12, 2014

"Authorities say the phony Pope can be recognized by his high-top sneakers and incredibly foul mouth."

I've issued a certificate from a template that authenticates the machine the certificate is imported to against a small subset of sites in our infrastructure. I'm trying to make that certificate available to be downloaded through certsrv, however I'm having a hard time tracking down documentation on how to add this issued certificate. Has anyone ever encountered this before that can point me in the right direction as far as documentation?

snackcakes
May 7, 2005

A joint venture of Matsumura Fishworks and Tamaribuchi Heavy Manufacturing Concern

Found this cool thing

It is a PowerShell function that lets you connect to multiple Office 365 services. Exchange, Azure AD, Sharepoint, Teams, Security and Compliance center, etc. Even has an argument for if you have MFA enabled.

Not sure if it'll be useful for anyone else here, but I am thrilled.

Wicaeed
Feb 8, 2005
Anyone know any tricks to actually getting an Engineer from Microsoft on the phone to address an issue affecting our Production environment?

Opened a Sev A tkt with them at 4:30 PM PST yesterday, called three times that night to try and get our ticket escalated to an Engineer, even went as far as trying to speak to a Manager to ensure it got escalated, but I got nowhere.

Escalated to our MSFT rep today at 8:00 AM, STILL waiting for a call from Microsoft.

Where can I start looking into SLA Agreements regarding our Support Contract so I have some shade to throw these fuckers' way?

A Sev A (PRODUCTION DOWN) issue that MSFT support hasn't even attempted to work on for 18 goddamn hours...

Dirt Road Junglist
Oct 8, 2010

We will be cruel
And through our cruelty
They will know who we are

Wicaeed posted:

Anyone know any tricks to actually getting an Engineer from Microsoft on the phone to address an issue affecting our Production environment?

Opened a Sev A tkt with them at 4:30 PM PST yesterday, called three times that night to try and get our ticket escalated to an Engineer, even went as far as trying to speak to a Manager to ensure it got escalated, but I got nowhere.

Escalated to our MSFT rep today at 8:00 AM, STILL waiting for a call from Microsoft.

Where can I start looking into SLA Agreements regarding our Support Contract so I have some shade to throw these fuckers' way?

A Sev A (PRODUCTION DOWN) issue that MSFT support hasn't even attempted to work on for 18 goddamn hours...

I thought Sev A was 24/7 coverage with a Critical Situation (CritSit) manager making hourly touches. Who's your TAM and why are they sucking so hard at their job?

Sev B is daily touches and no CritSit manager, assuming you're closing the loop on your end every day. I recently had to convince my management not to escalate to Sev A because no one involved wanted to be making hourly touches 24/7, but it also wasn't a life-ruining issue, either.

Zaepho
Oct 31, 2013

Wicaeed posted:

Anyone know any tricks to actually getting an Engineer from Microsoft on the phone to address an issue affecting our Production environment?

Opened a Sev A tkt with them at 4:30 PM PST yesterday, called three times that night to try and get our ticket escalated to an Engineer, even went as far as trying to speak to a Manager to ensure it got escalated, but I got nowhere.

Escalated to our MSFT rep today at 8:00 AM, STILL waiting for a call from Microsoft.

Where can I start looking into SLA Agreements regarding our Support Contract so I have some shade to throw these fuckers' way?

A Sev A (PRODUCTION DOWN) issue that MSFT support hasn't even attempted to work on for 18 goddamn hours...

Seconding the suggestion to start riding your TAM and your Account Manager on this. 18 hours is way beyond reasonable for a CritSit. Are you sure they have it as a Sev A on their side?

skipdogg
Nov 29, 2004
Resident SRT-4 Expert

Did you make yourself available 24/7? I've never waited more than a couple hours on a Sev A, and my TAM touches base constantly when she's cc'd on the ticket.

snackcakes
May 7, 2005

A joint venture of Matsumura Fishworks and Tamaribuchi Heavy Manufacturing Concern

Anyone well versed in Azure able to see a way out of the hole I dug for myself?

Seems that when I set up an Azure network I picked the VpnGw1 SKU instead of Basic SKU. This costs ~$100 more per month. I'm not even sure if Basic was an option when I tried creating it, but whateverrrr.

Anyhow, there's no way to change the Virtual Network Gateway from VpnGw1 to Basic, so I need to make a new one. The problem is, from what I am seeing, I am going to have to destroy the entire virtual network and start from scratch. Is that true, or is there a way to shift everything over to a new Gateway that I'm not seeing?

The Fool
Oct 16, 2003


snackcakes posted:

Anyone well versed in Azure able to see a way out of the hole I dug for myself?

Seems that when I set up an Azure network I picked the VpnGw1 SKU instead of Basic SKU. This costs ~$100 more per month. I'm not even sure if Basic was an option when I tried creating it, but whateverrrr.

Anyhow, there's no way to change the Virtual Network Gateway from VpnGw1 to Basic, so I need to make a new one. The problem is, from what I am seeing, I am going to have to destroy the entire virtual network and start from scratch. Is that true, or is there a way to shift everything over to a new Gateway that I'm not seeing?

I don't think you need to delete your whole network definition. I believe you can delete the subnet, then create a new gateway subnet and assign your new gateway to that.

Thanks Ants
May 21, 2004

#essereFerrari


You can just delete the gateway and create the SKU you want. You may have to disconnect the remote gateways (e.g. your site) first.

GreatGreen
Jul 3, 2007
That's not what gaslighting means you hyperbolic dipshit.
Does anybody know anything about Certificates?

I'm being tasked with migrating our Certificate Authority to a brand new server, and I'm thinking it might be best to just redo the entire certificate chain... but I don't know how to do that. A lot of the guides I've found are kind of terrible. Does anybody know where I can find a top-to-bottom guide on how to do everything from setting up a new root Certificate Authority server, to creating a brand new certificate from scratch, to sending that brand new cert down to certificate distribution servers (like mail and web servers) and to domain client PCs via GPO?

Wizard of the Deep
Sep 25, 2005

Another productive workday
Without a better idea of the scope of your environment or your underlying CA choice, I'd start with these two links:

Everything you should know about certificates and PKI but are too afraid to ask

Microsoft's guidance for 2012r2 CAs

If you're doing a master/subordinate/consumer cert chain, and you've still got access to the master CA, maybe just make a new sub CA?

Due to divestiture, I had the opportunity to create new PKI infrastructure for a large enterprise (before the reduction in force sneaked up on us), and it wasn't technically challenging. There were just a LOT of details to work through. Getting it right the first time will take a lot of up-front investment in terms of understanding your product, your goals, and what realistic options you have to achieve them.

Also, make sure you have solid time infrastructure, and if you're doing an off-line root, triple-check your timezone settings before you start signing master and sub certs. It's not like Microsoft's default choice of setting 2012r2 to PST by default will bite you in the rear end or anything.

Wizard of the Deep fucked around with this message at 04:53 on Jun 7, 2019

Weatherman
Jul 30, 2003

WARBLEKLONK
I am sure I read something about this a few years ago but can't remember nor google it for the life of me.

In a windows failover cluster, can you configure a VM role so that it monitors an external IP address (e.g. some remote storage device that the VM talks to) and have the VM fail over to another node if the host can no longer ping or otherwise reach that IP address?

FunOne
Aug 20, 2000
I am a slimey vat of concentrated stupidity

Fun Shoe
Slightly off topic, but I have an Outlook install that is driving me crazy. I've deleted all the plugins, reset the recipient cache, repaired the PST, etc. but it still hangs for a good 5-10 minutes when I create messages with CERTAIN recipients inside the company.

It's like it's trying to do a directory lookup and failing BAD, but of course, I have no error messages or diagnostics (or I don't know where to look). Google is no help.

Anyone able to tell me what is going on or what to disable? This is my desktop so I do not have Teams/SkypeFB installed either, so I don't think it is those components.

Same O365 account, same Outlook install works fine on my laptop. With Teams integration and whatnot enabled.

incoherent
Apr 24, 2004

01010100011010000111001
00110100101101100011011
000110010101110010
what's that crazy file that autocompletes an email address? an .m2? see if that's sticking around in your APPDATA folder after an uninstall..

skipdogg
Nov 29, 2004
Resident SRT-4 Expert

incoherent posted:

what's that crazy file that autocompletes an email address? an .m2? see if that's sticking around in your APPDATA folder after an uninstall..

Been a long time but maybe .nk2?

Potato Salad
Oct 23, 2014

nobody cares


ding ding

Look up nk2 editors

The Fool
Oct 16, 2003


Nk2 isn't a thing anymore; autocompletes are stored in the PST now.

E: Nirsoft has a tool that will edit them, along with the nk2 files if you are dealing with an older version.

Potato Salad
Oct 23, 2014

nobody cares


The Fool posted:

dealing with an older version

don't doxx me like this

Mr. Clark2
Sep 17, 2003

Rocco sez: Oh man, what a bummer. Woof.

Thanks Ants posted:

Really the answer is to move to using client certs to authenticate to the Wi-Fi, and only distribute them to compliant clients through GPO/MDM/whatever.


I'm still a newbie when it comes to certs but I've done some research based on what you posted and understand the process at a high level to be pretty much:

- Set up an internal server to be a CA and issue certificates
- Use our internal infrastructure (GPO etc.) to issue these certs to our domain joined machines
- Set up NPS so that it uses the issued cert to authenticate

That sound about right?

The Fool
Oct 16, 2003


you forgot the heavy drinking when nothing works right because you forgot one stupid little thing 5 steps ago and now you have to start over

Wizard of the Deep
Sep 25, 2005

Another productive workday

Mr. Clark2 posted:

I'm still a newbie when it comes to certs but I've done some research based on what you posted and understand the process at a high level to be pretty much:

- Set up an internal server to be a CA and issue certificates
- Use our internal infrastructure (GPO etc.) to issue these certs to our domain joined machines
- Set up NPS so that it uses the issued cert to authenticate

That sound about right?

In addition to the heavy drinking, I want to clarify the second step. You'll have a GPO that tells your clients (either devices or users) to request certs from your PKI infrastructure, based on established and published templates. Then, the NPS can verify that the cert is valid (i.e., signed by a valid sub-CA) and not revoked. Once that's done, it can run whatever policies are appropriate for the client.

H2SO4
Sep 11, 2001

put your money in a log cabin


Buglord

The Fool posted:

you forgot the heavy drinking when nothing works right because you forgot one stupid little thing 5 steps ago and now you have to start over

oh i see you've also attempted to deploy a multi tier PKI infrastructure

nexxai
Jul 17, 2002

quack quack bjork
Fun Shoe

H2SO4 posted:

oh i see you've also attempted to deploy a multi tier PKI infrastructure
This is like a rite of passage for "true" Windows sysadmins

AlternateAccount
Apr 25, 2005
FYGM

The Fool posted:

Nk2 isn't a thing anymore; autocompletes are stored in the PST now.

E: Nirsoft has a tool that will edit them, along with the nk2 files if you are dealing with an older version.

OST, rather?

The Fool
Oct 16, 2003



Both.

AlternateAccount
Apr 25, 2005
FYGM

So if you add a PST from another machine.... would you also get their autocompletes? Or is this just for when you're running without Exchange?

The Fool
Oct 16, 2003


AlternateAccount posted:

So if you add a PST from another machine.... would you also get their autocompletes? Or is this just for when you're running without Exchange?

I don't think so.

I've never tried it, but the autocomplete data is stored in the "Associated Content Table" and I don't believe it is imported when you import a PST, and I don't believe it is read if the PST is attached as a secondary data store.

You can use this tool to browse a PST or OST and see what other information is stored there too.

Thanks Ants
May 21, 2004

#essereFerrari


This looks like a good idea

https://azure.microsoft.com/en-gb/blog/announcing-the-preview-of-microsoft-azure-bastion/

Dirt Road Junglist
Oct 8, 2010

We will be cruel
And through our cruelty
They will know who we are

Oh drat do want :stare:

Weaponized Autism
Mar 26, 2006

All aboard the Gravy train!
Hair Elf

Looks promising, definitely bringing this up with my boss.

Moey
Oct 22, 2010

I LIKE TO MOVE IT
So what are people doing for automated activation of Windows Client/Server now?

Starting to move forward with our Win 7 -> Win 10 VDI project, as well as just snagged some Server 2019 DC licensing.

I am seeing 3 different options, AD Based Activation, KMS activation or MAK activation. Just about all of the machines will be domain joined, minus a few servers sitting in our DMZs.

Is AD Based Activation the route I want to go? Seems nice that I won't need an additional VM for a KMS server.

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

Go the KMS route. Just pick one of your DCs to run the service and get the KMS server key from MS. The install will publish service records in DNS and then all you need to do is load your clients with their KMS client key and it goes automagically.

KMS key activations are valid for 90 days, so you have plenty of "oh poo poo" time buffer in case something goes wonky on it. Just get a monitoring script on it so you don't have it down for weeks without knowing.

Moey
Oct 22, 2010

I LIKE TO MOVE IT
KMS just because it has been around forever?

AD Based "seems" to be the "replacement"?

I only plan on activating Win 10/Office 16 and Server 16/19.

Wicaeed
Feb 8, 2005
Are there online ARM template editors that can show me what an expression might do, provided I give it an input?

For example if I have an ARM variable like this:
"[resourceID('Microsoft.Network/virtualNetworks', concat('AZ',toupper(parameters('ClientCode'))))]",

I want to know what this might evaluate to.

Any ideas?

BangersInMyKnickers
Nov 3, 2004

I have a thing for courageous dongles

Moey posted:

KMS just because it has been around forever?

AD Based "seems" to be the "replacement"?

I only plan on activating Win 10/Office 16 and Server 16/19.

Gotcha, I was assuming some older infrastructure was going to be in the mix. AD is probably good for you then, anything but MAK.

Moey
Oct 22, 2010

I LIKE TO MOVE IT

BangersInMyKnickers posted:

Gotcha, I was assuming some older infrastructure was going to be in the mix. AD is probably good for you then, anything but MAK.

Yeah, all legacy stuff was done with MAK, and will all die with MAK.

Wicaeed
Feb 8, 2005

Wicaeed posted:

Are there online ARM template editors that can show me what an expression might do, provided I give it an input?

For example if I have an ARM variable like this:
"[resourceID('Microsoft.Network/virtualNetworks', concat('AZ',toupper(parameters('ClientCode'))))]",

I want to know what this might evaluate to.

Any ideas?

nm, guess once you install the VS Code ARM Template extension you can do this...
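Added example (not from the post and not Microsoft's tooling): a small offline evaluator for the subset of ARM template functions used in the quoted expression (string literals, nested calls, concat, toupper/tolower, parameters, resourceId), so you can see what the expression resolves to for a given ClientCode without a VS Code extension. The subscription ID and resource group in SAMPLE_CONTEXT are constructed placeholders.

```python
"""Offline evaluator for a subset of ARM template expression functions."""
import re

# Constructed sample deployment context (placeholder values, not a real subscription).
SAMPLE_CONTEXT = {
    "subscriptionId": "00000000-0000-0000-0000-000000000000",
    "resourceGroup": "rg-example",
}

# One token per match: a single-quoted string ('' escapes a quote), an identifier, or ( ) ,
_TOKEN = re.compile(r"\s*(?:('(?:[^']|'')*')|([A-Za-z_][A-Za-z0-9_]*)|([(),]))")


def tokenize(expr):
    """Split the expression body into ('str' | 'id' | 'punct', value) tokens."""
    tokens, pos, expr = [], 0, expr.strip()
    while pos < len(expr):
        m = _TOKEN.match(expr, pos)
        if not m:
            raise ValueError(f"unexpected input at {pos}: {expr[pos:]!r}")
        literal, ident, punct = m.groups()
        if literal is not None:
            tokens.append(("str", literal[1:-1].replace("''", "'")))
        elif ident is not None:
            tokens.append(("id", ident.lower()))   # ARM function names are case-insensitive
        else:
            tokens.append(("punct", punct))
        pos = m.end()
    return tokens


def _call(name, args, params, ctx):
    """Apply one supported ARM function to already-evaluated string arguments."""
    if name == "concat":
        return "".join(args)
    if name == "toupper":
        return args[0].upper()
    if name == "tolower":
        return args[0].lower()
    if name == "parameters":
        return params[args[0]]
    if name == "resourceid":
        # resourceId(type, name1[, name2 ...]) -> full ID scoped to the current resource group
        provider, *types = args[0].split("/")
        path = "/".join(f"{t}/{n}" for t, n in zip(types, args[1:]))
        return (f"/subscriptions/{ctx['subscriptionId']}/resourceGroups/"
                f"{ctx['resourceGroup']}/providers/{provider}/{path}")
    raise ValueError(f"unsupported function: {name}")


def _parse(tokens, pos, params, ctx):
    """Recursive descent: a literal or a function call with comma-separated arguments."""
    kind, value = tokens[pos]
    if kind == "str":
        return value, pos + 1
    if kind != "id" or pos + 1 >= len(tokens) or tokens[pos + 1] != ("punct", "("):
        raise ValueError(f"expected literal or function call at token {pos}")
    args, pos = [], pos + 2
    while tokens[pos] != ("punct", ")"):
        arg, pos = _parse(tokens, pos, params, ctx)
        args.append(arg)
        if tokens[pos] == ("punct", ","):
            pos += 1
    return _call(value, args, params, ctx), pos + 1


def evaluate(expression, params, ctx=SAMPLE_CONTEXT):
    """Evaluate a bracketed ARM expression (JSON quotes and trailing comma tolerated)."""
    body = expression.strip().rstrip(",").strip().strip('"')
    if not (body.startswith("[") and body.endswith("]")):
        raise ValueError("ARM expressions must be wrapped in [ ]")
    tokens = tokenize(body[1:-1])
    value, end = _parse(tokens, 0, params, ctx)
    if end != len(tokens):
        raise ValueError("trailing tokens after expression")
    return value


if __name__ == "__main__":
    expr = ("\"[resourceID('Microsoft.Network/virtualNetworks', "
            "concat('AZ',toupper(parameters('ClientCode'))))]\",")
    print(evaluate(expr, {"ClientCode": "acme"}))
```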

Dans Macabre
Apr 24, 2004


I'm running into an issue... And while troubleshooting, I ran into another issue. Here are both issues:

THE REAL ISSUE:
I have a RODC on my domain and a third party Windows server is supposed to perform LDAPS queries against it. This broke somehow a few days ago after the RODC froze and got a hard reboot. The issue is the other server is not trusting the cert presented by my RODC. The cert presented is signed by my internal CA. The third party says they shouldn't have to trust my internal CA. I have a wildcard cert from GoDaddy on this RODC, but LDAPS is not presenting it. I understand that LDAPS just takes the first cert it sees and it sees the internal-CA one and uses that. The workaround in place is to use LDAP without the S, which is working.

THE SECOND ISSUE:
Anyway.... To troubleshoot this, I restored a copy of the RODC from before this happened... Of course I put it off network and then turned it on. I can't sign in to it - no logon servers available.


Windows server 2012 bla bla bla. I'm really sad about having to post in this thread again, I was doing so well avoiding all work. And for the record I inherited this.
