Starting with Windows 10 version 1507 and Windows Server 2016, you can configure Kerberos clients to support IPv4 and IPv6 host names in SPNs. Yes, it is possible again; as far as I can remember, it was disabled in Windows 2008 R2 or maybe Windows 2008, and up to those versions it was possible.
Entry in registry:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters
DWORD:TryIPSPN, value = 1
The SPN value must be registered in Active Directory, of course.
e-micra
2025-08-09
2025-08-06
Windows 11 - customize taskbar
It's impossible to have the taskbar on the top, on the right or on the left; the only position, and the best position according to Microsoft, is the bottom. Another stupid choice, like the "only one button" on iOS devices. Users don't know what is best for them, but of course one guy, Satya, Bill or Steve, knows. What an idiotic choice.
Is there a solution? Of course, please praise the lords and ask them for one stupid option.
Registry customization is not working. What audacity to think that the change could be so simple, using only the registry. It must be hardened in the binaries to prevent such brave steps.
2025-07-21
DNS CAA proper internal configuration
What is a valid configuration of internal CAA records (internal, i.e. not visible from the Internet) on Windows DNS servers:
- You should point to a valid source of certificates using the "issue" tag of the DNS record; for example, if your internal PKI is pki.internal.contoso.com, you should place the record issueinternal.contoso.com or issuecontoso.com; this also covers wildcard certificates;
- If you don't want to allow wildcards, you should place another DNS record with an empty issuer, like "issuewild;" (the list of allowed issuers is empty);
- the binary representation of the DNS record starts with a first byte equal to zero (the highest bit means "critical", the rest is not used now), then a byte with value 5, and the rest of the record is string data, e.g. "<00><05>issuewild;";
- the binary representation must be placed in a DNS record of type 257 (Type257).
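As an added example (not from the post), the following Python builds and parses CAA RDATA in the RFC 8659 wire form described above, renders it in the post's <hh> notation, and applies the issue/issuewild rules to the two records the post recommends. Note that the second octet is the tag length, so it is 5 for "issue" but 9 for "issuewild"; the domain names and the record set are constructed for illustration.

```python
from dataclasses import dataclass

CAA_RRTYPE = 257       # the "Type257" record the post refers to
FLAG_CRITICAL = 0x80   # highest bit of the flags octet ("critical", RFC 8659)
KNOWN_TAGS = {"issue", "issuewild", "iodef"}


@dataclass(frozen=True)
class CAA:
    flags: int
    tag: str
    value: str

    def to_rdata(self) -> bytes:
        """Wire form: flags (1 octet), tag length (1 octet), tag, then value."""
        tag = self.tag.encode("ascii")
        if not 0 < len(tag) < 256:
            raise ValueError("tag length must fit in one octet")
        return bytes([self.flags & 0xFF, len(tag)]) + tag + self.value.encode("ascii")

    @classmethod
    def from_rdata(cls, rdata: bytes) -> "CAA":
        """Parse wire form; the tag-length octet decides where the value starts."""
        if len(rdata) < 2 or len(rdata) < 2 + rdata[1]:
            raise ValueError("truncated CAA RDATA")
        tag_len = rdata[1]
        return cls(rdata[0], rdata[2:2 + tag_len].decode("ascii"),
                   rdata[2 + tag_len:].decode("ascii"))


def to_display(rdata: bytes) -> str:
    """Render like the post does: printable ASCII as-is, other octets as <hh>."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else f"<{b:02x}>" for b in rdata)


def issuer_allowed(records: list, ca_domain: str, wildcard: bool) -> bool:
    """RFC 8659 check: issuewild governs wildcard names only when present, otherwise
    issue covers both; a bare ';' value forbids issuance, as does an unknown critical
    property; if no matching property exists, issuance is not restricted."""
    if any(r.flags & FLAG_CRITICAL and r.tag not in KNOWN_TAGS for r in records):
        return False
    tag = "issuewild" if wildcard and any(r.tag == "issuewild" for r in records) else "issue"
    relevant = [r for r in records if r.tag == tag]
    if not relevant:
        return True
    issuers = {r.value.split(";", 1)[0].strip().lower() for r in relevant} - {""}
    return ca_domain.lower() in issuers


# Constructed sample matching the post: internal PKI may issue, wildcards are forbidden.
INTERNAL_POLICY = [CAA(0, "issue", "internal.contoso.com"), CAA(0, "issuewild", ";")]
```

Running `to_display(rec.to_rdata())` over INTERNAL_POLICY yields the two strings you would store as Type257 data; `issuer_allowed` shows that dropping the issuewild record makes the issue record cover wildcards too.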
2025-06-17
ADFS certificate renew with Azure, Entra ID and M365
We have an ADFS 4.0 farm without WAP (for security reasons), so we don't have direct accessibility from the Internet, only communication between on-premises and Azure from selected networks and addresses. Why is it important? Probably this is why we've had some issues with the renewal process.
According to "Renew federation certificates for Microsoft 365 and Microsoft Entra ID", we should enable rollover on the certificates, and after a controlled switch between the primary and secondary certificates our federation between Azure and ADFS should be updated, but:
- the next signing certificate in Azure was from two periods ago (one period is 2 years, so it was 4 years old; now we have certs from 2025 to 2027, the previous period was 2023 to 2025, and two periods ago it was 2021 to 2023)
- so the next signing certificate hadn't been updated for 4 years
- on a daily basis we have AutoCertificateRollover disabled
- when should it be enabled? Just before the forced generation of the new certificates? It wasn't
- so we changed it manually: after the replacement of the certificates (flip between secondary and primary) they were exported to base64 and imported in PowerShell (copy-paste from the .cer file into a variable)
- connection to Entra: Connect-Entra -Scopes 'Domain.ReadWrite.All' (other possible values, like User.ReadWrite.All, Directory.ReadWrite.All or Group.ReadWrite.All, are not suitable in our case)
- and update using Update-MgDomainFederationConfiguration -DomainId 'our.federated.domain.com' (like contoso.com) -InternalDomainFederationId 'our-federation-id' -SigningCertificate $variableWithCert
- at first we tested with -NextSigningCertificate, later with -SigningCertificate
- confirmation with Get-MgDomainFederationConfiguration -DomainId 'our.federated.domain.com' -InternalDomainFederationId 'our-federation-id' | Format-List; there we could confirm that the certificates were replaced
- additional confirmation was in Teams on mobile devices: after logout and logon it was obvious that it was working
Pay attention!!! You must have a BGA account without MFA (if you have MFA enabled); otherwise you will probably have issues connecting to Azure after the certificate replacement. Maybe you should open the connection (PowerShell session) before any steps, just in case.
2025-04-27
Huge NetBIOS traffic - after print server removal, next part
After the print server removal (by the guys responsible for print servers), every workstation is trying to find the print server, which is unavailable. We still have WINS servers, but the addresses have been removed from the WINS and DNS servers. So every 30 seconds each of the 20k workstations tries to find the names, first by querying WINS, later by broadcasts. As a result, network traffic from this source is huge. I must try to remove the registry entries for the missing print servers.
2025-04-25
IBM MQ AMQ4036 access not permitted
A fresh, new installation, MQ 9.x (I'm not an MQ guy), Windows Active Directory but MQ not integrated with Active Directory, only local accounts. Windows 2019 as the operating system. All users in the following statements are local admins, all of them. Some of them get the AMQ4036 access error, but the rest can open MQ Explorer and view the status of the Queue Manager. User-A has access, had access before on the old version of the server, and still has access on the new (current) server. User-B0 (me) didn't have access to the old server and has access to the new server (queue manager); User-B1 (also me) the same, access to the new queue manager (I can see the status); User-B2 (also me, again) still has access.
User-E0, admin of the old queue manager, doesn't have access, with error AMQ4036; User-E1 (the same guy, but a different account, also a local administrator of the Windows machine) doesn't have access to the new queue manager.
I've compared attributes on the accounts, groups, number of groups, parameters, and I have no clue what the source of this problem is.