Category Archives: Homelab

ADDS Group Managed Service Accounts

Posted on by

This guide covers the creation and management of Active Directory Domain Services (ADDS) Group Managed Service Accounts (gMSA). Group Managed Service Accounts are system managed service accounts that behave much like computer accounts in that the system automatically manages and rotates the account password. A gMSA solves many of the security implications arising from using service accounts where passwords may be infrequently (or never) rotated and where multiple users may have access to the account’s credential.

Steps in this guide can be performed on any computer joined to the domain. Access to a domain controller is not necessary.

Requirements

  • Domain Administrator, or delegated privileges to create Group Managed Service Accounts and Security Enabled Groups.

Summary Steps

  • Create a Security Enabled Group
  • Create a Group Managed Service Account

Continue reading

ADCS Enrollment Web Service with Managed Service Accounts

Posted on by

This guide covers the deployment of the Active Directory Certificate Services (AD CS) Enrollment Web Service (CES) role using group Managed Service Accounts (gMSA) on Server Core. The Enrollment Web Service allows for automated certificate issuance to computers that are unable to directly reach the Certificate Authorities over the standard DCOM ports, such as external or DMZ housed computers. Users and computers can enroll for certificates from a CES server over HTTPS/443.

The Enrollment Web Service binds to an individual issuing Certificate Authority. To issue certificates from multiple CAs, multiple CES servers will need to be provisioned. The CES server requires that at least one Certificate Enrollment Policy Web Service (CEP) server be configured. The CES and CEP roles can both exist on the same system or can be deployed separately.

Requirements

  • Enterprise Administrator
  • Administrator permissions on the target Enterprise Certificate Authority.
  • A deployed and functional Enterprise PKI.
  • A deployed and enabled Certificate Enrollment Policy Web Service server.

Summary Steps

  • Enroll a Computer Certificate for the CES server IIS binding.
  • Install the Certificate Authority feature with the Enrollment Web Service role.
  • Create a group Managed Service Account (gMSA) for the IIS App Pool.
  • Assign the gMSA to the local IIS_IUSRS group on the CES server.
  • Assign a service principal name (SPN) to the gMSA.
  • Configure the gMSA for constrained delegation to the Certificate Authorities.
  • Assign the gMSA to the CES server IIS App Pool.

Continue reading

Pages: 1 2

Ubiquiti UniFi Security Gateway Disable NAT

Posted on by

This is a guide for disabling the Network Address Translation (NAT) function on the Ubiquiti Networks UniFi Security Gateway (USG). The NAT functionality can be disabled by a custom config.gateway.json file on the UniFi Controller. There is no User Interface option currently to disable NAT.

Note: These instructions apply to the Unifi Security Gateway (USG) line of products, which are end of life. The config.gateway.json method does not exist on the UDM and UXG line of products.

If you’re here looking to disable NAT on a UDM or UXG product line, know that there is now an option in the web interface. Ubiquiti added controls directly in the web interface starting with UniFi Network 8.3.32 to control or disable NAT. See the UniFi Help Article.

Requirements

  • Unifi Security Gateway (USG)
  • SSH access to the UniFi Controller

Summary Steps

  • Create or update a custom config.gateway.json configuration file
  • Perform a manual device provision of the USG

Continue reading

IIS WMSvc Automated Certificate Management

Posted on by

I’ve added a new script to my GitHub PowerShell repository for managing the IIS WMSvc Certificate. The script WMSvc_InstallCertificate.ps1 is intended to be ran either by scheduled task or by command line and will attempt to detect when the Web Management Service (WMSvc) certificate needs to be replaced. Replacement certificates are sourced from an Enterprise Certificate Authority automatically. The IIS machine account must have privileges to enroll.

In my lab, this script is tied to a scheduled task that is automatically created by group policy on servers attached to the IIS role security group. This same security group is also granted enroll privileges on the certificate template. In effect, new servers created will automatically receive a trusted certificate for their management port and that certificate is rotated automatically before expiration.

Since my lab IIS installations run on Server Core, it is quite convenient to have the remote management service configured automatically.

Local and Domain NTP Overridden by Secure Time Service

Posted on by

Starting with Windows 10 1511, Microsoft introduced a new feature called Secure Time Seeding, part of the Secure Time Service (STS), as an upgrade to the W32TIME service. The STS uses information from SSL connections to validate NTP data. Information from this feature supersedes all other time sources, including locally configured NTP, domain controllers, and Hyper-V time synchronization.

I first noticed the feature when several of my Hyper-V virtual machines began shifting their system clocks backwards and forwards several times a minute. At first the time changes spanned a few hours, but as the machine uptime climbed, so did the time jumps. Eventually, the time was bouncing backwards and forwards by weeks, several times a minute. The Hyper-V time synchronization service was fighting with the new Secure Time Service and this wrecked havoc on authentication and any other services running on the systems.

Continue reading