TechShizz | Tech Guides

Group Managed Service Accounts

#Create the KDS root key. Even with -EffectiveImmediately the key only becomes usable about 10 hours after creation, so that it can replicate to every domain controller; wait that long before creating a gMSA. (In an isolated lab only, Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10)) skips the wait.)

Add-KdsRootKey -EffectiveImmediately

#Create a Group Managed Service Account for the "Web Servers" group. The DNS host name is a CNAME that resolves to all of the cluster members. Only the principals named in -PrincipalsAllowedToRetrieveManagedPassword can fetch the password, so keep that group to the servers that actually run the service. Computers added to the group need a reboot (or a purge of the machine's Kerberos ticket) before the new membership takes effect.

New-ADServiceAccount -Name GroupMSAAccount -DNSHostName WebClusterA.mydomain.local -PrincipalsAllowedToRetrieveManagedPassword "Web Servers"

#Target machines need the RSAT-AD-PowerShell feature installed (it provides Install-ADServiceAccount and Test-ADServiceAccount)

Invoke-Command -ComputerName Web01,Web02,Web03 -ScriptBlock { Install-WindowsFeature RSAT-AD-PowerShell }

#On each target server (once it is a member of "Web Servers" and has been rebooted), install the gMSA and test it. Test-ADServiceAccount returns True once this host can retrieve the password.

Install-ADServiceAccount GroupMSAAccount

Test-ADServiceAccount -Identity GroupMSAAccount

In services.msc open the service you want to run under the gMSA, go to the Log On tab and select "This account". Use Browse to find the gMSA (change the location from the local machine to the domain, and make sure "Service Accounts" is ticked under Object Types); it is entered as DOMAIN\GroupMSAAccount$. Clear the pre-populated password fields, since Windows retrieves the password from AD itself, and save.

Managed Service Accounts (For Single Machine)

PowerShell is required to create a service account. Once created it can be assigned to a service in the GUI.

 

#Create the MSA

New-ADServiceAccount -Name MyAppSrv -RestrictToSingleComputer

#Add the Machine to be used with the account

Add-ADComputerServiceAccount -Identity SRV-01 -ServiceAccount MyAppSrv

#You can test to see if it is working. It returns False until the account has been installed on this computer.

Test-ADServiceAccount -Identity MyAppSrv

#Finally, install the account and test again

Install-ADServiceAccount MyAppSrv

Test-ADServiceAccount -Identity MyAppSrv

#Next, Configure the service to use the account.

In services.msc open the service you want to run under the MSA, go to the Log On tab and select "This account". Use Browse to find the MSA (change the location to the domain and make sure "Service Accounts" is ticked under Object Types); it is entered as DOMAIN\MyAppSrv$. Clear the pre-populated password fields and save; the password is managed by AD and is never typed in.
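Once the accounts exist, the check a practitioner wants is who can retrieve each password and whether the install actually succeeded on the intended hosts. The PowerShell below is an added example covering both the gMSA and the single-machine MSA procedures above; it is not from the original page. It assumes the ActiveDirectory RSAT module, rights to read the service-account objects, and WinRM access to the hosts. The $BroadPrincipals list and the $TargetHosts map (which reuse the account and host names from this guide) are assumptions for illustration.

```powershell
# Added example: audit every MSA/gMSA in the domain, report who can retrieve
# its password, and confirm it is installed on the hosts that should use it.
Import-Module ActiveDirectory

# Groups that should never be able to retrieve a gMSA password: every member
# could request it and run code as the service (assumption for this example).
$BroadPrincipals = @('Domain Computers', 'Domain Users')

# Hypothetical mapping of account name -> hosts expected to use it.
$TargetHosts = @{
    'GroupMSAAccount' = @('Web01', 'Web02', 'Web03')
    'MyAppSrv'        = @('SRV-01')
}

function Get-ServiceAccountAudit {
    [CmdletBinding()]
    param([string]$Filter = '*')

    $props = 'PrincipalsAllowedToRetrieveManagedPassword', 'HostComputers',
             'ManagedPasswordIntervalInDays', 'DNSHostName', 'ObjectClass', 'Enabled'

    foreach ($acct in Get-ADServiceAccount -Filter $Filter -Properties $props) {
        $isGroup = $acct.ObjectClass -eq 'msDS-GroupManagedServiceAccount'
        # gMSA: retrieval is governed by PrincipalsAllowedToRetrieveManagedPassword.
        # Standalone MSA: the single linked computer is recorded in HostComputers.
        $principalDns = if ($isGroup) { $acct.PrincipalsAllowedToRetrieveManagedPassword } else { $acct.HostComputers }
        $principalNames = foreach ($dn in $principalDns) { (Get-ADObject -Identity $dn).Name }
        $broad = $principalNames | Where-Object { $BroadPrincipals -contains $_ }

        [pscustomobject]@{
            Name                 = $acct.Name
            Type                 = if ($isGroup) { 'gMSA' } else { 'MSA' }
            Enabled              = $acct.Enabled
            DNSHostName          = $acct.DNSHostName
            PasswordIntervalDays = $acct.ManagedPasswordIntervalInDays
            AllowedPrincipals    = ($principalNames -join ', ')
            OverlyBroad          = [bool]$broad
        }
    }
}

function Test-ServiceAccountInstall {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string[]]$ComputerName
    )
    # Test-ADServiceAccount checks the local host's ability to use the account,
    # so it must run on each target; Invoke-Command fans it out over WinRM.
    Invoke-Command -ComputerName $ComputerName -ArgumentList $Name -ScriptBlock {
        param($n)
        try { $ok = [bool](Test-ADServiceAccount -Identity $n -ErrorAction Stop) }
        catch { $ok = $false }
        [pscustomobject]@{ Host = $env:COMPUTERNAME; Installed = $ok }
    } | Select-Object Host, Installed
}

$audit = Get-ServiceAccountAudit
$audit | Format-Table -AutoSize

foreach ($a in $audit | Where-Object { $_.OverlyBroad }) {
    Write-Warning "$($a.Name): password retrievable by broad group(s) [$($a.AllowedPrincipals)]; scope it to the server group only."
}

foreach ($entry in $TargetHosts.GetEnumerator()) {
    Test-ServiceAccountInstall -Name $entry.Key -ComputerName $entry.Value |
        Where-Object { -not $_.Installed } |
        ForEach-Object { Write-Warning "$($entry.Key) is not installed on $($_.Host); run Install-ADServiceAccount there." }
}
```

Run it from a management host with the RSAT tools after the steps above. A gMSA flagged OverlyBroad should have its -PrincipalsAllowedToRetrieveManagedPassword reset (Set-ADServiceAccount) to the dedicated server group, and any host reported as not installed usually needs the group membership refreshed by a reboot before Install-ADServiceAccount will succeed.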


Unable to activate Office 365 - Activation window blank when trying to activate

Problem

Various authentication issues including:

  • Outlook won't authenticate on Office 365
  • Activation window blank when trying to activate Office 365
  • Outlook won't authenticate on Office 365 with SSO

Cause

ADAL (the Azure Active Directory Authentication Library) provides Modern Authentication for Office 2013 and later clients against Office 365: an OAuth 2.0 sign-in shown in a web view instead of the legacy basic-authentication prompt (on-premises Kerberos and NTLM are not involved). On some machines, usually Windows 10, that sign-in window appears to render blank, so the client never completes sign-in.

Solution

ADAL can be disabled with a registry value, which drops Office back to legacy authentication:

Run > Regedit >

Registry key: HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Identity\EnableADAL
Type: REG_DWORD
Value: 0

Create the Identity key and the EnableADAL value if they do not exist (16.0 is Office 2016 and later; 15.0 is Office 2013), then restart Outlook.

Disabling ADAL turns off Modern Authentication for that user, so MFA and Conditional Access no longer apply to the client, and Exchange Online has since retired basic authentication. Treat this as a troubleshooting step: set EnableADAL back to 1 (or delete the value) once the blank-window problem is resolved.


References, Links and Images

https://answers.microsoft.com/en-us/msoffice/forum/msoffice_outlook/modern-authentication-on-outlook-2016-keeps-on/98a263f4-ab9c-4d6f-b5eb-2728a8e77412 

RDP Error "CredSSP Encryption Oracle Remediation"

Problem

Unable to RDP to machine: "CredSSP Encryption Oracle Remediation"

Cause

Windows Update: the CredSSP patch for CVE-2018-0886 (https://support.microsoft.com/en-gb/help/4093492/credssp-updates-for-cve-2018-0886-march-13-2018). Since the May 2018 update the default "Encryption Oracle Remediation" setting is Mitigated, so a patched client refuses CredSSP (RDP) connections to a remote host that has not yet received the update.

Solution

The secure fix is to install the CredSSP update on the remote host, after which no client-side change is needed. If you have to connect before that can happen, lower the client's policy temporarily in the local group policy editor:

Computer Configuration -> Administrative Templates -> System -> Credentials Delegation -> Encryption Oracle Remediation

Enable it and set the protection level to 'Vulnerable'. This re-enables the pre-patch behaviour that CVE-2018-0886 exploits, so set it back to 'Mitigated' (or disable the policy) once the remote host is patched.

On Windows Home editions, which have no Group Policy editor, set the registry value instead (2 = Vulnerable, 1 = Mitigated, 0 = Force Updated Clients):

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters]
"AllowEncryptionOracle"=dword:00000002

I had to create the CredSSP key, then the Parameters key, then the dword value as none of them existed.
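Because the 'Vulnerable' setting is a deliberate downgrade, it helps to script both the change and the rollback so the override does not get forgotten. The PowerShell below is an added example and is not from the original page; it creates the CredSSP\Parameters path when missing (as described above), reads or sets AllowEncryptionOracle, and removes the override. The function names are assumptions for this example; the value meanings are the documented ones for CVE-2018-0886. Run it from an elevated prompt.

```powershell
# Added example: manage the CredSSP "Encryption Oracle Remediation" override.
# 0 = Force Updated Clients, 1 = Mitigated, 2 = Vulnerable (per the CVE-2018-0886 guidance)
$CredSspPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
$ModeValues  = @{ ForceUpdatedClients = 0; Mitigated = 1; Vulnerable = 2 }

function Get-CredSspOracleRemediation {
    # Returns the configured mode name, or 'NotConfigured' when the key or value
    # is absent (on a patched OS the effective default is then Mitigated).
    $item = Get-ItemProperty -Path $CredSspPath -Name AllowEncryptionOracle -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'NotConfigured' }
    $name = $ModeValues.GetEnumerator() |
            Where-Object { $_.Value -eq $item.AllowEncryptionOracle } |
            Select-Object -ExpandProperty Key
    if ($name) { $name } else { "Unknown($($item.AllowEncryptionOracle))" }
}

function Set-CredSspOracleRemediation {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('ForceUpdatedClients', 'Mitigated', 'Vulnerable')]
        [string]$Mode
    )
    if ($Mode -eq 'Vulnerable') {
        Write-Warning 'Vulnerable re-enables connections to unpatched CredSSP hosts (CVE-2018-0886). Patch the remote host and revert to Mitigated afterwards.'
    }
    # The CredSSP\Parameters path does not exist on a default install; create it.
    if (-not (Test-Path $CredSspPath)) { New-Item -Path $CredSspPath -Force | Out-Null }
    if ($PSCmdlet.ShouldProcess($CredSspPath, "Set AllowEncryptionOracle=$($ModeValues[$Mode]) ($Mode)")) {
        New-ItemProperty -Path $CredSspPath -Name AllowEncryptionOracle -PropertyType DWord -Value $ModeValues[$Mode] -Force | Out-Null
    }
    Get-CredSspOracleRemediation
}

function Remove-CredSspOracleRemediation {
    # Deletes the override so the OS default (Mitigated on a patched system) applies again.
    if (Test-Path $CredSspPath) {
        Remove-ItemProperty -Path $CredSspPath -Name AllowEncryptionOracle -ErrorAction SilentlyContinue
    }
    Get-CredSspOracleRemediation
}

# Usage: temporary workaround while the remote host is being patched.
"Before: $(Get-CredSspOracleRemediation)"
Set-CredSspOracleRemediation -Mode Vulnerable
# ... connect, patch the remote host, then put the client back:
Set-CredSspOracleRemediation -Mode Mitigated
```

Set-CredSspOracleRemediation supports -WhatIf, so you can see the exact registry change before applying it; the same functions work on Home editions, where the registry is the only option.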

References, Links and Images

https://blogs.technet.microsoft.com/mckittrick/unable-to-rdp-to-virtual-machine-credssp-encryption-oracle-remediation/

https://support.microsoft.com/en-gb/help/4093492/credssp-updates-for-cve-2018-0886-march-13-2018

Microsoft Outlook can’t start Microsoft InfoPath

Problem

When launching outlook you receive a popup saying "Microsoft Outlook can’t start Microsoft InfoPath"

Cause

Unknown

Solution

Run Regedit and go to HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\Options\Mail (14.0 is the Office 2010 hive).

If the "Mail" key doesn't exist, create it.

Create a new DWORD called "DisableInfopathForms" and set the value to 1, then restart Outlook.

References, Links and Images

 http://www.cottenhamcomputers.co.uk/microsoft-outlook-cant-start-microsoft-infopath/