2025-04-27

huge netbios traffic - after print server removal, next part

After the print server removal (done by the team responsible for print servers), every workstation is trying to find a print server which is no longer available. We still have WINS servers, but the addresses were removed from the WINS and DNS servers. So every 30 seconds each of the 20k workstations tries to resolve the names, first by querying WINS, then by broadcast. The resulting network traffic is huge. I must try to remove the registry entries for the missing print servers.
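One way to find (and, with `-Remove`, delete) the per-user printer connections that keep pointing at a removed server, as an added example that is not the author's script: the server names are placeholders, it uses the PrintManagement cmdlets, and it has to run in the affected user's context because the connections live under HKCU.

```powershell
# Added example: list, and optionally remove, per-user printer connections
# that still reference print servers which no longer exist.
param(
    [string[]]$RemovedServers = @('OLDPRINT01', 'OLDPRINT02'),  # placeholder names
    [switch]$Remove
)

# Printer connections of the current user (Type 'Connection' = shared printer on a server).
$stale = Get-Printer | Where-Object {
    $_.Type -eq 'Connection' -and
    ($RemovedServers -contains ($_.ComputerName -replace '^\\\\', ''))
}

foreach ($p in $stale) {
    Write-Output ("Stale connection: {0} on {1}" -f $p.Name, $p.ComputerName)
    if ($Remove) { Remove-Printer -Name $p.Name }
}

# Per-user registry keys that recreate the connection at logon.
# Subkeys under HKCU:\Printers\Connections are named ',,SERVER,PRINTER'.
$connKey = 'HKCU:\Printers\Connections'
if (Test-Path $connKey) {
    Get-ChildItem $connKey | ForEach-Object {
        $parts = $_.PSChildName -split ','
        if ($parts.Length -ge 3 -and ($RemovedServers -contains $parts[2])) {
            Write-Output ("Stale registry key: {0}" -f $_.PSChildName)
            if ($Remove) { Remove-Item -Path $_.PSPath -Recurse }
        }
    }
}
```

Without `-Remove` the script only reports, so it can be pushed as a logon script first to measure how many workstations still carry the stale entries before anything is deleted.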

2025-04-25

IBM MQ amq4036 access not permitted

A fresh, new installation, MQ 9.x (I'm not an MQ guy), Windows Active Directory but MQ not integrated with Active Directory - only local accounts. Windows 2019 as the operating system. All users in the following statements are local admins - all of them. Some of them get the amq4036 access error, but the rest of them can open MQ Explorer and view the status of the Queue Manager. User-A has access, had access before on the old version of the server and still has access on the new (current) server. User-B0 (me) didn't have access to the old server and has access to the new server (queue manager); User-B1 (also me) the same - access to the new queue manager (I can see the status); User-B2 (also me, again) - still has access.

User-E0 - admin of the old queue manager - hasn't got access, with error amq4036; User-E1 (the same guy, but a different account, also a local administrator of the Windows machine) hasn't got access to the new queue manager either.

I've compared attributes on the accounts, groups, number of groups, parameters, and I've got no clue what the source of this problem is.

2025-04-22

ADFS loop detection

Loop detection cookie on Technet

monitor ADFS logons

From Technet:
- events on ADFS: 1200,1201,1203,1206,1210
- events on WAP: 224, 245, 396, 12025, 13015, 13046, 14027, 14032

- events on ADFS (Security log): 299, 401, 403, 404, 410, 412, 431, 500, 501, 502, 503, 510, 1200

event Security:299, AD FS Auditing, Classic - Audit Success, Information - token is issued; correlate with other events via Instance ID; relying party identifier

event Security:401, AD FS Auditing, Classic - Audit Success, Information - request context headers, Activity ID

event Security:403, AD FS Auditing, Classic - Audit Success, Information - HTTP request was received, Instance ID, Activity ID, client IP, caller identity, details; request headers in ID 510

event Security:404, AD FS Auditing, Classic - Audit Success, Information - HTTP response was dispatched, Instance ID, Activity ID; headers in ID 510

event Security:410, AD FS Auditing, Classic - Audit Success, Information - request context headers, Activity ID

event Security:412, AD FS Auditing, Classic - Audit Success, Information - token for relying party was successfully authenticated; Instance ID in event 501 - caller identity, Activity ID, Instance ID

event Security:431, AD FS Auditing, Classic - Audit Success, Information - active request was received, key type, request type, Activity ID

event Security:500, AD FS Auditing, Classic - Audit Success, Information - issued claims; correlate with other events via Instance ID

event Security:501, AD FS Auditing, Classic - Audit Success, Information - issued claims; groups (if issued as a claim); correlate with other events via Instance ID; caller identity

event Security:502, AD FS Auditing, Classic - Audit Success, Information - issued claims; groups (if issued as a claim); correlate with other events via Instance ID; OnBehalfOf identity

event Security:503, AD FS Auditing, Classic - Audit Success, Information - issued claims; groups (if issued as a claim); correlate with other events via Instance ID; ActAs identity

event Security:510, AD FS Auditing, Classic - Audit Success, Information - headers for the request from event ID 403, Instance ID

event Security:1200, AD FS Auditing, Classic - Audit Success, Information - valid token issued; correlate with other events via Instance ID

event Security:1206, AD FS Auditing, Classic - Audit Success, Information - sign-out request, Activity ID
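To follow a single sign-in (or a loop of repeated ones) across the Security events listed above, this added example, which is not from the original notes, reads them from an AD FS server and groups them by the GUIDs (Instance ID / Activity ID) embedded in their messages; it assumes AD FS auditing is enabled so the events actually reach the Security log.

```powershell
# Added example: correlate AD FS Security-log audit events by the Instance/Activity
# GUIDs in their message text and print the chain for each complete sign-in.
$ids   = 299, 401, 403, 404, 410, 412, 431, 500, 501, 502, 503, 510, 1200, 1206
$since = (Get-Date).AddHours(-1)     # look-back window, adjust as needed

$events = Get-WinEvent -FilterHashtable @{
    LogName      = 'Security'
    ProviderName = 'AD FS Auditing'
    Id           = $ids
    StartTime    = $since
} -ErrorAction SilentlyContinue      # null when no events match

# Every audit message carries one or more GUIDs; index each event under all of them.
$guidPattern = '[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}'
$byId = @{}
foreach ($e in $events) {
    $guids = [regex]::Matches($e.Message, $guidPattern) |
        ForEach-Object { $_.Value.ToLower() } | Sort-Object -Unique
    foreach ($g in $guids) {
        if (-not $byId.ContainsKey($g)) {
            $byId[$g] = New-Object System.Collections.Generic.List[object]
        }
        $byId[$g].Add($e)
    }
}

# A chain that has the HTTP request (403) and a token issued (299 or 1200) is a full sign-in;
# many chains for the same client IP in a short window point at a loop.
foreach ($g in $byId.Keys) {
    $chain = $byId[$g] | Sort-Object TimeCreated
    $seen  = $chain.Id | Sort-Object -Unique
    if (($seen -contains 403) -and (($seen -contains 299) -or ($seen -contains 1200))) {
        Write-Output ("--- {0}: {1} events, ids {2}" -f $g, @($chain).Count, ($seen -join ','))
        foreach ($e in $chain) {
            Write-Output ("{0:HH:mm:ss.fff} {1,5} {2}" -f $e.TimeCreated, $e.Id, ($e.Message -split "`n")[0])
        }
    }
}
```

These events are written only when auditing is switched on (the "Application Generated" audit subcategory plus `Set-AdfsProperties -AuditLevel`), so an empty result usually means auditing, not the query, is the problem.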

ADFS how to remove claim from output?

Should I focus on the question "how to remove a claim"? But this is a false question - I'm the administrator, so it strictly depends on me what will be issued... So why do I want to remove a claim if I can just not issue it? Sorry, stupid question... But why am I looking for this statement/command in ADFS at all? I'm trying to log ADFS activity and I have an idea to store some activity data in an SQL database - querying for some claim, but this claim can be just included in the input stream without issuing it.

Can it be a bottleneck? Yes, of course, but I'm looking for a way to better monitor activity on many apps - we have above 200 (two hundred) apps - some of them are dev or test flavours so they are not heavily used; for production apps the workload is huge. So this is only thinking.

2025-04-11

upn change for M365 migration concerns

In an infrastructure with Palo Alto, Active Directory and VPN on Cisco AnyConnect, after the UPN change we have a problem with access to the infrastructure. As far as I can remember - in our environment - Palo Alto and AnyConnect have problems with recognizing the proper source domain (we have a few domains), so after changing the UPN to the new value (equal to the email address) the workstation moves to a different access policy for unknown users - it has access to selected infrastructure servers, but at the user level there is no access to any components (for example RDP connections).

2025-04-05

change upn for M365 migration

A company with nearly 25k identities (above 30k accounts - many persons or identities have several accounts). Now in the process of the big jump to the cloud - Exchange Online and SharePoint Online.
And Houston, we have a problem.
On premise, users use sAMAccountNames (in 3 domains); as you may remember, users can have more than one account, so only one account should be synchronized to Azure. So we had to use emails as UPN (in ADFS) and during synchronization (the email is synced as UPN to Azure - by AADC/Entra Connect). To complicate the whole picture, users can be switched between their accounts and between domains and... last but not least, account names (sAMAccountNames) could be changed (some old app requirement). So, if emails are unique, we could plan to use emails as UPN (one of the possible scenarios described on Technet/Microsoft). Only one account per user is synchronised (filtering) and it almost worked with Teams, but now we are making the big leap to the cloud.
What's wrong? After the first steps toward hybrid we have a problem with employees who have access to more than one mailbox. Even without migrated mailboxes, they start receiving logon requests (form-based login in Outlook) expecting a valid email address. But, as you may remember - we have a separate UPN on premise (one of three possible, because we have three domains), and it's different from the email address and from the UPN in Azure, because the UPN in Azure is our email, but the user is receiving a proposal with the on-premise UPN, which is different from the email.
To complete the whole picture you should know that we had blocked some traffic to the outlook.com or outlook.net domains, but we should enable it for SharePoint Online to work properly. We also had to set - enforce - a registry setting to avoid using M365 autodiscover... I think this is the whole picture...
So we can synchronize the UPN with emails, but:
  • at first look we can recognize a few apps with invalid access due to the UPN change
  • if a user provides a valid email, Outlook will work properly
  • we don't know what will be affected by this change - we have 300-400 apps so the impact is unknown
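A pre-flight check for the mail-as-UPN plan, added here as an example that is not the author's script: across the three domains it lists which accounts would actually get a new UPN, which mail values are not unique (a duplicate mail cannot become a UPN), and which mail suffixes are not registered as UPN suffixes in the forest. It assumes the RSAT ActiveDirectory module and uses placeholder domain names.

```powershell
# Added example: check readiness for setting userPrincipalName = mail across several domains.
$domains = 'corp.example.com', 'dev.example.com', 'ops.example.com'   # placeholder domain names

$users = foreach ($d in $domains) {
    Get-ADUser -Server $d -Filter 'mail -like "*"' -Properties mail, userPrincipalName |
        Select-Object @{n='Domain'; e={$d}}, SamAccountName, UserPrincipalName, mail
}
$users = @($users)

# 1. Accounts whose UPN does not already equal their mail - these are the ones that change.
$toChange = @($users | Where-Object { $_.UserPrincipalName -ne $_.mail })
Write-Output ("{0} of {1} mail-enabled accounts would get a new UPN" -f $toChange.Count, $users.Count)

# 2. Mail values shared by more than one account - hard blockers for mail-as-UPN.
$duplicates = $users | Group-Object { $_.mail.ToLower() } | Where-Object Count -gt 1
foreach ($grp in $duplicates) {
    Write-Output ("DUPLICATE mail {0}:" -f $grp.Name)
    foreach ($u in $grp.Group) {
        Write-Output ("    {0}\{1} (current UPN {2})" -f $u.Domain, $u.SamAccountName, $u.UserPrincipalName)
    }
}

# 3. Mail suffixes that are not valid UPN suffixes in the forest (AD rejects such a UPN).
$suffixes  = @((Get-ADForest).UPNSuffixes) + $domains     # each domain's DNS name is an implicit suffix
$badSuffix = @($users | Where-Object { ($_.mail -split '@')[1] -notin $suffixes })
Write-Output ("{0} accounts have a mail suffix that is not a UPN suffix" -f $badSuffix.Count)
$badSuffix | Select-Object Domain, SamAccountName, mail | Format-Table -AutoSize
```

Only the accounts in `$toChange` need to be cross-checked against the 300-400 applications, and anything listed under duplicates or bad suffixes has to be fixed before the UPN change rather than after.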