Attempting to log onto a domain controller via RDP fails with the message: "An authentication error has occurred. The specified network password is not correct."

Problem

You attempt to use Remote Desktop to log into a domain controller but the attempt fails with the following message:

An authentication error has occurred.
The specified network password is not correct.

Attempting to log in via the console is not an option.

Solution

The workaround to successfully RDP to this domain controller is to disable the Allow connections only form computers running Remote Desktop with Network Level Authentication (recommended) in the RDP settings:

If console access is available, try to log in via direct console access and disable the configuration. For situations where the domain controller is hosted in cloud providers such as Azure, console access will not an option. In scenarios where console access is not available, one of the potential workarounds is to use the Registry Editor to remotely connect to the domain controller and disable this setting via the registry.

Launch the Registry Editor, select the File tab and choose Connect Network Registry:

Enter the remote domain controller’s name:

The connection should succeed:

Navigate to the following registry path:

dc2\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp

Locate the REG_DWORD named UserAuthentication and change the value from 1 (enabled) to 0 (disabled):

Changing this registry key should now have the NLA configuration disabled as such:

You should now be able to log into the domain controller:

Proceed to review the event logs of the domain controller and correct any health issues.

Configuring Security Headers to secure Microsoft Active Directory Federation Services / AD FS for scoring an A on SecurityHeaders.com

I’ve recently been asked by a colleague who wanted to know how they can score an A+ on www.securityheaders.com with a Windows Server 2019 AD FS WAP server that is exposed to the internet. It has been a while since I’ve configured one so I had to dig up my old notes and thought it would be great to write this quick post with the headers that achieves an A score. The reason why an A+ is not possible because it would require the Content-Security-Policy header to exclude the values:

1. 'unsafe-inline'
2. 'unsafe-eval'

… and excluding these would throw the following error:

JavaScript required

JavaScript is required. This web browser does not support JavaScript or JavaScript in this web browser is not enabled.

To find out if your web browser supports JavaScript or to enable JavaScript, see web browser help.

The following are the configuration for headers that I’ve used in the past to score an A (these are executed on the internal AD FS server and not on the WAP):

Set-AdfsResponseHeaders -SetHeaderName "Content-Security-Policy" -SetHeaderValue "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self' "

Set-AdfsResponseHeaders -SetHeaderName "Strict-Transport-Security" -SetHeaderValue " max-age=157680000; includeSubDomains"

Set-AdfsResponseHeaders -SetHeaderName "X-XSS-Protection" -SetHeaderValue "1;mode=block"

Set-AdfsResponseHeaders -SetHeaderName "X-Content-Type-Options" -SetHeaderValue "nosniff"

Set-AdfsResponseHeaders -SetHeaderName "Referrer-Policy" -SetHeaderValue "no-referrer"

Set-AdfsResponseHeaders -SetHeaderName "Permissions-Policy" -SetHeaderValue "geolocation=(),microphone=(),fullscreen=(self), vibrate=(self)"

Note that X-Frame-Options is already set to DENY by the AD FS server so there is no need to configure it. Use the following cmdlet to review the settings:

Get-AdfsResponseHeaders | Select-Object -ExpandProperty ResponseHeaders

Hope this helps anyone who may be looking for these headers.

Attempting to Activate Windows Server 2019 fails with: "Windows can't activate right now. Try activating again later. If that doesn't work, contact your system administrator. Error code: 0x800705B4"

Problem

You attempt to activate a Windows Server 2019 Standard server with a MAK key but notice that it fails with:

Windows can't activate right now. Try activating again later. If that doesn't work, contact your system administrator. Error code: 0x800705B4

If you’re having problems with activation, select Troubleshoot to try and fix the problem.

You’ve activated other servers with this same MAK key without any issues.

The product key you entered didn’t work. Check the product key and try again, or enter a different one. (0x80070490)

Solution

One of the ways this issue can be fixed is to execute the slmgr.vbs script with the upk switch to uninstall the current key on the Windows Server 2019 server. More information about this script and switch can be found here: https://docs.microsoft.com/en-us/windows-server/get-started/activation-slmgr-vbs-options#advanced-options

One of the ways this issue can be fixed is to execute the slmgr.vbs script with the upk switch to uninstall the current key on the Windows Server 2019 server. More information about this script and switch can be found here: https://docs.microsoft.com/en-us/windows-server/get-started/activation-slmgr-vbs-options#advanced-options

/upk [<Application ID>]

This option uninstalls the product key of the current Windows edition. After a restart, the system will be in an Unlicensed state unless a new product key is installed. Optionally, you can use the <Activation ID> parameter to specify a different installed product. This operation must be run from an elevated Command Prompt window.

Executing this:com

slmgr.vbs -upk

… command will display the following prompt:

Uninstalled product key successfully.

Once the existing product key is removed, we can use the same slmgr.vbs script with the ipk switch to install the new key as such:

slmgr.vbs -ipk KBP8M-XXXXX-K47P8-XXXXX-XXXXX

Review the Activation settings of the server should display the server as being activated:

Configuring Zoom with ADFS as an iDP

I was recently asked to configure Zoom with ADFS and found certain parts of the following documentation provided by Zoom:

Configuring Zoom With ADFS
https://support.zoom.us/hc/en-us/articles/202374287-Configuring-Zoom-With-ADFS

… a bit confusing so I would like to write this post to provide a clear example of the settings required in the portal.

To configure Zoom to use ADFS as an iDP, you’ll need to log into the administration console, navigate to Admin > Advanced > Single Sign-On and click on Enable Single Sign-On:

Once in the portal, edit the SAML settings as shown in the screenshot below:

The two configuration settings I felt wasn’t clear in the instructions were:

• Identity provider certificate
• Issuer (IDP Entity ID)

What confused me with the Identity provider certificate was whether we should copy and paste the tags in or not and the answer is no:

As for the Issuer (IDP Entity ID), ensure that you use the ADFS URL:

The instructions for configuring the ADFS servers were fairly straight forward so I won’t include them in this post. If you experience any issues with logging via the ADFS portal, you can turn on logging in the Zoom administrative portal by enabling the Save SAML response logs on user sign-in:

With the above enabled, a new tab will be available to review sign-in attempts:

Configuring Zoom with ADFS throws the error: "An error occurred during an attempt to read the federation metadata. Verify that the specified URL or host name is a valid federation metadata endpoint."

Problem

I was recently asked to configure Zoom with ADFS as per the following documentation:

Configuring Zoom With ADFS
https://support.zoom.us/hc/en-us/articles/202374287-Configuring-Zoom-With-ADFS

… and was not able to complete the process because the following error was displayed when importing the federation metadata:

An error occurred during an attempt to read the federation metadata. Verify that the specified URL or host name is a valid federation metadata endpoint.

Searching on the internet earlier this year did not return any posts that helped resolve this issue and opening up a ticket with Zoom had us wait months before we received a reply (escalated by the client’s account manager). To give Zoom some credit, the support engineer who reached out to us was extremely quick with response and very helpful. I am unsure if searching for this error will yield the KB he forwarded to us so this post serves to help anyone who may run into the same problem.

Solution

One of the possible reasons why the import of the federation metadata would fail on the ADFS server is if when TLS 1.2 is not enabled on ADFS. The server in this example was a fresh install of Windows Server 2019 and navigating to the following registry showed that TLS 1.2 was not explicitly enabled:

Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

To correct this issue, simply following the steps provided in this Zoom article:

How to enable TLS 1.2 on an ADFS Server (Windows Server 2012 R2)
https://support.zoom.us/hc/en-us/articles/360033739531-How-to-enable-TLS-1-2-on-an-ADFS-Server-Windows-Server-2012-R2-

The following PowerShell cmdlets create the keys required to enable TLS 1.2:

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -name 'Enabled' -value '1' -PropertyType 'DWord' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -name 'DisabledByDefault' -value 0 -PropertyType 'DWord' -Force | Out-Null

The following PowerShell cmdlet enable’s Strong Authentication for .Net Framework:

The following PowerShell cmdlets disables SSL 3.0:

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-Null

Here is the list of cmdlets demonstrated above:

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -name 'Enabled' -value '1' -PropertyType 'DWord' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -name 'DisabledByDefault' -value 0 -PropertyType 'DWord' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SOFTWARE\Microsoft\.NetFramework\v4.0.30319' -name 'SchUseStrongCrypto' -value '1' -PropertyType 'DWord' -Force | Out-Null

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-Null

With TLS 1.2 enabled, strong encryption enabled, and SSL 3.0 enabled, the import of the federation metadata should now succeed.

Deploying a redundant Active Directory Federation Services (ADFS) Web Application Proxy servers on Windows Server 2019

As a follow up to my previous post demonstrating the deployment of a redundant Active Directory Federation Services (ADFS) Farm on Windows Server 2019:

Deploying a redundant Active Directory Federation Services (ADFS) farm on Windows Server 2019
http://terenceluk.blogspot.com/2020/04/deploying-redundant-active-directory.html

This post serves to demonstrate the deployment of the internet facing ADFS Web Application Proxy servers.

Prerequisites

Servers:

Prepare 2 x Windows Server 2019 servers that will serve as the ADFS Web Application Proxy servers located in a DMZ network (these servers does not have to be joined to the domain and I typically suggest they reside in a workgroup unless there is a compelling reason to join them to the domain)

Certificate:

You can use the same certificate that you used for your internal ADFS servers that contain the FQDN for your ADFS deployment (e.g. fs.contoso.com)

DNS:

During the deployment:

I’ve had inconsistent results during the deployment if the WAP server connects to a internal ADFS server in the farm that hosts a secondary read only copy of the WID so begin by configuring the WAP server to connect directly to the internal ADFS server that host the primary writable WID database.

After the deployment:

Determine how you will be configuring the ADFS Web Application Proxy servers’ DNS settings.

Scenario #1 – Using your internal Active Directory DNS servers

If you are using your internal Active Directory DNS servers, which will serve the IP address of either your load balancer that load balances the internal ADFS server farm, then no action is required as the Web Application Proxy servers will properly resolve the IP required to get to the internal farm.

Scenario #2 – Using your external DNS servers

If these DMZ servers are not going to use your internal Active Directory DNS servers to perform lookups and/or using a DNS service that is unaware of the internal IP address for the fs.contoso.com address then you would either create a record on these DNS servers (if you manage them) or use host records on the Web Application Proxy servers to force traffic to fs.contoso.com to the load balancer so communication can be established between them and the internal ADFS server farm.

In addition to the above scenarios, you will need to create an external DNS entry for the FQDN of your ADFS Web Application Proxy (e.g. fs.contoso.com) that points to your internet facing firewall, which will then NAT the IP into a load balancer to load balance the ADFS Web Application Proxy servers.

Deploying the first ADFS Web Application Proxy server

Begin by launching server manager and clicking on Add roles and features:

Click Next:

Select Role-based or feature-based installation and click Next:

Leave the Select a server from the pool radio button selected and click Next:

Select Remote Access and click Next:

Leave the Features as default and click Next:

The Remote Access window will be displayed providing a description of the service. Proceed and click Next:

The following Add Roles and Features Wizard window will be displayed to display the tools that will be installed onto the server:

Select the Web Application Proxy role and click Next:

A restart isn’t usually necessary so you can leave the radio button for that option unchecked and then click on Install:

The Web Application Proxy and dependent components will proceed to install:

You will be presented with a Welcome wizard once the installation completes. Proceed by clicking on the link to launch the configuration:

Fill out the following fields:

Federation service name - Enter the fully qualified domain name (FQDN) of the AD FS server (e.g. fs.contoso.com)

User name and Password - An account with location administrator permissions on the internal ADFS server

Select the SSL certificate that has been installed onto the Local Computer certificate store:

Proceed with the configuration by clicking on the Configure button:

The configuration will begin:

Once the configuration completes, click on the Close button:

The Remote Access Management Console should automatically launch listing the server name on the left window:

Click on the Publish button on the right window:

Click Next to proceed:

I feel that most material available on the internet demonstrating the deployment of a WAP server are never very clear on this step so I’d like to try providing a bit more information for the differences between the following preauthentication methods.

Active Directory Federation Services (AD FS)

This preauthentication method will always direct the traffic for the published application to the AD FS server so the user requesting the traffic will be authenticated by your internal ADFS server farm. There are also 3 different types of preauthentication when you select this option and they are:

• Web and MSOFBA
• HTTP Basic
• OAuth2

Which option you should select depends on the requirements of the application you’re publishing so review the following article and determine the correct method:

Publishing Applications using AD FS Preauthentication

https://docs.microsoft.com/en-us/windows-server/remote/remote-access/web-application-proxy/publishing-applications-using-ad-fs-preauthentication

In the document from the link above, scroll down to the following headings:

• Publish an Application that uses MS-OFBA
• Publish an Application that uses HTTP Basic
• Publish an Application that uses OAuth2 such as a Microsoft Store App

An example of when you would need to select this option is if you are configuring AD FS claims-based authentication with Outlook on the web. If you select Pass-through preauthentication then you would have effectively bypassed ADFS sending the authentication back to the Exchange server.

Pass-through

This preauthentication method will directly send the traffic for the published application to the backend server and bypasses the internal AD FS server farm. What this means is that if you are publishing a web application that leverages AD FS for authentication then you have effectively bypassed it and sent the user or application to authenticate to the application server.

One of the common questions I’ve been asked in the past is which of the above should you be selecting if you are publishing ADFS so you can have users accessing Office 365 to authenticate against it and the short answer is both would work because the target server for the traffic redirected from Office 365 to your WAP server is destined for the ADFS server. Selecting Active Directory Federation Services (AD FS) or Pass-through would send the traffic essentially to the same place.

Please refer to the following documentation for more information on the differences as this setting cannot be changed afterwards but you can always remove and recreate the published application:

Publish Applications using AD FS Preauthentication

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn383640(v=ws.11)

Publish Applications using Pass-through Preauthentication

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/dn383639(v=ws.11)

I’ll include the screenshots for using both options to demonstrate what the configuration looks like.

Option #1: Active Directory Federation Services (AD FS)

Note that the Microsoft Office 365 Identity Platform Worldwide option would only be displayed if you have already confirmed this in the ADFS farm. If you are publishing other applications then you will need to make sure configure them in the ADFS farm before you attempt to publish them.

Enter a logical name for the web application, the FQDN for the external URL, select the SSL certificate that has been imported into the Local Computer certificate store, determine whether you want to enable HTTP to HTTPS redirection, and finally enter the backend internal ADFS farm’s URL (this will be same as the external URL for this design):

Option #2: Pass-through

Enter a logical name for the web application, the FQDN for the external URL, select the SSL certificate that has been imported into the Local Computer certificate store, determine whether you want to enable HTTP to HTTPS redirection, and finally enter the backend internal ADFS farm’s URL (this will be same as the external URL for this design):

Proceed with publishing the application by clicking on the Publish button:

Close the wizard when completed:

You should now see the newly published ADFS web application in the Published Web Applications window:

Repeat the previous steps for the second ADFS Web Application Proxy server and you should see the additional server listed in the Remote Access Management Console:

There is no need to publish the application twice if you have multiple Web Application Proxies as the publication of the application will automatically be configured on the other servers.

Event Logs

The following are event log entries that will be logged on the internal ADFS server when the Web Application Proxy Server successfully connects to the internal ADFS farm:

Log Name: AD/FS Admin

Source: AD FS

Event ID: 395

Level: Information

The trust between the federation server proxy and the Federation Service was established successfully using the account 'contoso\tluk'.

Proxy trust certificate subject: CN=ADFS ProxyTrust - ADFSWAP1.

Proxy trust certificate thumbprint: 1A2A8768073DB880E2ED086E8226848F129E4DB

Log Name: AD/FS Admin

Source: AD FS

Event ID: 396

Level: Information

The trust between the federation server proxy and the Federation Service was renewed successfully.

Proxy trust certificate subject: CN=ADFS ProxyTrust - ADFSWAP1.

Proxy trust certificate old thumbprint: 1A2A8768073DB880E2ED086E8226848F129E4DBE.

Proxy trust certificate new thumbprint: 18F8E09B827F49D23073BE398E8D9BF643D8AF75.