IE8 Security Warning HTTPS content

Since I upgraded to IE8, I’ve been a bit annoyed with this security warning:

image

It states: “Do you want to view only the webpage content that was delivered securely”. The first time, I just pressed Yes by hitting [Enter] on my keyboard (without reading the warning correctly), which obviously gave me an incomplete page.

Note to Steve Ballmer:
Why change this button press behavior Microsoft, just to let us read dialogs? It will cost time every time we have to read such a dialog, and as you know.. time is money :-)

Since then the warning has come up a few times. So if you want to disable this warning, change this:
in IE8, go to [Tools], [Internet Options], [Security], [Custom level]
and change [Display mixed content] to “Enable”

image

Settings will take effect after a restart of IE.

*edit after comment
I’m not saying that you should disable the warning. If you find it annoying, you can disable it.
The “old” dialog was different:
image
As you can see, this is the other way around. They changed it.
What you do with it is your choice.

DelegConfig v2

A new version of the Kerberos tool DelegConfig is ready. Download it here.

Notable Features:

  • Supports IIS 7.0 (useKernelMode / useAppPoolCredentials)

  • Allows adding backend servers of type UNC, HTTP, LDAP, OLAP, SQL, SSAS, and RDP

  • Allows chaining of multiple hops (versus only a single backend)

  • Performs duplicate SPN check against all trusted domains.

  • /Set/SPNs.aspx – Allows adding and removing of ServicePrincipalNames

  • /Set/Delegation.aspx – Allows changing Trust for Delegation settings.

  • /Set/Providers.aspx – Allows correcting of inadequate NTAuthenticationProviders settings.

  • /Report.aspx – Gives a picture of what is right and what is wrong.

  • /Wizard.aspx – A set of wizard steps that supports adding more tiers to /Report.aspx.

  • /Test.aspx – Allows double-hop tests for webServer-to-Sql or webServer-to-fileServer or webServer-to-webServer

Document explaining Kerberos & Double Hop

A nice document explaining Kerberos, the double hop issue and what to do about it. It also uses an example with Reporting Server, Analysis Server and SharePoint.

Check it out @ http://www.ssas-info.com/analysis-services-articles/51-security/1492-enhanced-security-and-integration-of-microsoft-bi-solutions-with-kerberos

written by Mark Dasco and Boyan Penev

SQL Query to identify Kerberos or NTLM connection

SELECT
    s.session_id,
    c.connect_time,
    s.login_time,
    s.login_name,
    c.protocol_type,
    c.auth_scheme,
    s.HOST_NAME,
    s.program_name
FROM sys.dm_exec_sessions s
JOIN sys.dm_exec_connections c
ON s.session_id = c.session_id

 

A query to see whether a connection was made with Kerberos or NTLM.
login_name, together with host_name and program_name, identifies the login.
auth_scheme reflects which security protocol was used.

See Service Principal Names in your domain

To see all the service principal names registered in your domain, execute the following command:

ldifde -f <FileName> -s <DomainController> -t 3268 -d dc=forest,dc=root -r "(objectclass=computer)" -l servicePrincipalname

This returns all computer objects with an SPN and places them in the file <FileName>. For all users, execute the following:

ldifde -f <FileName> -s <DomainController> -t 3268 -d dc=forest,dc=root -r "(objectclass=user)" -l servicePrincipalname

In this command, replace forest with your NetBIOS domain name (e.g. marcvalk) and root with your top level domain (e.g. net).
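
Once both exports exist, the same file can be checked for SPNs registered on more than one object, the kind of duplicate SPN check the DelegConfig feature list mentions. The script below is an added example, not part of the original post or of DelegConfig; the sample LDIF, the object names in it and the function names are constructed for illustration, and it assumes SPNs are compared case-insensitively.

```python
import base64
from collections import defaultdict

# Constructed sample in the shape of an ldifde export (not real directory data).
SAMPLE_LDIF = """\
dn: CN=WEB01,OU=Servers,DC=forest,DC=root
changetype: add
servicePrincipalName: HTTP/intranet.forest.root

dn: CN=svc-web,OU=Service Accounts,DC=forest,DC=root
changetype: add
servicePrincipalName: http/INTRANET.forest.root

dn: CN=SQL01,OU=Servers,DC=forest,DC=root
changetype: add
servicePrincipalName: MSSQLSvc/sql01.forest.root:
 1433
servicePrincipalName:: SE9TVC9TUUwwMQ==
"""

def unfold(text):
    # LDIF folds long lines; a continuation line starts with one space.
    return text.replace("\r\n", "\n").replace("\n ", "").split("\n")

def spns_by_object(text):
    """Map each dn to the servicePrincipalName values listed under it."""
    result, dn = defaultdict(list), None
    for line in unfold(text):
        attr, _, value = line.partition(":")
        if value.startswith(":"):  # "attr:: ..." marks a base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        value = value.strip()
        if attr.lower() == "dn":
            dn = value
        elif attr.lower() == "serviceprincipalname" and dn:
            result[dn].append(value)
    return dict(result)

def duplicate_spns(text):
    """Return {lowercased SPN: [dn, ...]} for SPNs held by more than one object."""
    owners = defaultdict(set)
    for dn, spns in spns_by_object(text).items():
        for spn in spns:
            # Assumption: SPN matching is case-insensitive, so compare lowercased.
            owners[spn.lower()].add(dn)
    return {spn: sorted(dns) for spn, dns in owners.items() if len(dns) > 1}

if __name__ == "__main__":
    for spn, dns in duplicate_spns(SAMPLE_LDIF).items():
        print(spn, "is registered on:", *dns, sep="\n  ")
```

To check a real export, concatenate the computer and user files, read them into a string and pass it to duplicate_spns.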