How to Enable/Search Users in Lync 2013 Control Panel ?

Posted by Ahmed Nabil In | 0 comments»
Lately I received several inquiries about enabling Lync 2013 features as Enterprise Voice for new domain users in the Lync Control Panel and the difference between enabling a user and searching for a user. Power Shell is my default location for any action as adding new user however i started checking this issue and discussing it with several admins as well as Microsoft Support team.

The User Search Option as shown in the below image with its two option (Search or LDAP) is limited to searching for users that are already enabled for Lync not new users who are not enabled yet for Lync

To Search for Existing enabled users, you can use the Search button and enter the user name for the user you are looking for. If you would like to use the LDAP search then you need to search using LDAP Expression. If you tried to enter normal username in the LDAP search you will get an error "Active Directory Operation Failed. The Search filer is invalid"

So to use the LDAP search for existing users you need to enter LDAP expression. To get the LDAP expression for the user you can get it from AD ADSIEDIT by navigating to the user location or by running the below PowerShell command in Lync Server

"Get-Aduser -identity -username"

The Value of the distinguished name is the one that you need to enter in LDAP Search

So back to the first question, How to enable new users that joined the domain and are not yet enabled for Lync. To add/Enable new user you need to click on Enable Users in the User Search Menu (Lync Control Panel) then Click Add

Now you will get a new Search Window where you can search here for New users either using normal username (Search Check box) or using LDAP expression as explained earlier.

Now you can enable this new user and assign him to the correct pool

Hopefully this can clarify the difference between Searching for Existing users and adding new users using the Lync Control Panel.

Windows 10 Security Part 2 : Enable Credentials Guard / Pass the Hash Mitigation

Posted by Ahmed Nabil In | 2 comments»
For checking Part 1 of Windows 10 Security, please check the below link

Pass the Hash was really one of the hottest attacks in 2015, No major attack happened last year without having a flavor of PTH either on local accounts or domain accounts by stealing the Hash and passing it to other services.........etc

Windows 10 introduced a new feature which is Credential Guard or Virtual Secure Mode (VSM). The main idea is utilizing Microsoft hyper-V by enabling Hyper-V on the Windows 10 machine and having a special secure kernel mode based on the virtualization technology to store critical process as the Local Security Authority (Your passwords). This new feature provides a promise to finally get rid of Pass the Hash attack and stealing passwords/Hashes. This secure Kernel mode has no GUI or network access and it communicates with the OS in a new format that cannot be replayed or passed (at least for the time being)

How to Enable Credential Guard

  1. First of all we need to add the Hyper-V from Control Panel - Programs and Features - Turn windows Features on or off.                                                                                                                             
  2. Secure Boot need to be enabled.                                                                                                                           
  3. This feature will work only on Windows 10 Enterprise.                                                                                    
  4. Machine should be domain joined as this will protect domain accounts, its not for local accounts. For local accounts you should have other protection mechanisms as Microsoft LAPS                                                                                                                                                  
  5. VSM or Credential Guard can be enabled using Group Policy (Updated group policy for Windows 10 copied to the Domain Controller Central store), In my case i am enabling it manually on my Laptop using Local Group Policy Editor as shown below (Computer configuration - Administrative Templates - System - Device Guard - Turn on Virtualization based Security)                                                                                                                                                         
  6. Enable the setting, I picked Enabled without Lock so it can be controlled/Disabled later using Group policy. Detailed description is shown in Help section.                                                                                               
  7. Start the special VSM process by editing the boot Configuration data as shown below from an elevated command prompt                                                                                                                              
To verify its running and working normally as designed, you will need first to reboot the computer and after booting go to the computer system information (From Cortana Search for System Information or msinfo) and check the system summary as shown below.

Also in the Task Manager you will find Credential Guard Process as well as in the details Tab.

This is a very new nice feature to secure your credentials and i would advice Windows 10 users to go ahead and try it.

How to Upgrade/Move your Enterprise Certification Authority (CA) from 2008 R2 to 2012 R2 - Part 1

Posted by Ahmed Nabil In | 9 comments»
In this series we will be going through the main steps to migrate and move our Enterprise Subordinate Certification Authority from Windows 2008 R2 server to Windows 2012 R2 Server (Side by Side move). In Part 1 of this series I will be discussing the main requirements and preparation done on the Source Server (CA on 2008 R2)

Key things to note:

  1. If you would like to have the new CA server computer name same as the old one then you will need to decommission and remove the old server from the domain prior to building the new server. In our case i will keep the old server (Just disable the Certificate Windows services) and have the new server with new name (Just in case you need to revert back at any time)                                                                    
  2. During the Migration and setup of CA on the new server no certificates or CRLs will be issued. Its preferred to run this after hours. Plan to publish a CRL that will cover the downtime period.                                                                                 
  3. User running the migration should be member of Enterprise Admins or Domain Admins group.

Source Server (2008 R2) Preparation

  1. Publish a new CRL to ensure that your migration period is covered. Open Certification Authority - Right Click Revoked Certificates - All Tasks - Publish                                                                                  
  2. Take a backup from the Current Source CA (2008R2 server) - Right Click Certification Authority - All Tasks - Back Up CA                                                                                                        
                                                  Make sure to pick both check boxes as shown above   (Private Key, CA Cert and DB). Store them in a dedicated empty folder (will be copied later to the destination server).                              
  3. After picking a password and finishing the Wizard check the Backup folder (In our case C:\CA_Backup). We should have a CAname.P12 file and a Database folder.                                                        
  4. Next step will be taking a backup from the CA configuration in the registry as another check point/line of defense (hopefully won't be needed). Navigate to HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration and right click configuration and take an Export and save the output REG file in the same Backup location.                                                                                                      
  5. If a Custom CApolicy is used then we need to copy the CApolicy.inf file from the C:\Windows (Default location) to the backup folder created earlier.                                                                                 
  6. Final step to be done on the Source CA server is to stop the certification Authority service and change its start up to be disabled in case anyone by mistake tried to start it (Remember we will be keeping the source server for some time till everything is up on the new server)                                                             

This should conclude Part 1 of this series, In Part 2 we will install the CA on the new 2012 R2 and restore the backup taken on the old  2008 R2.  Hopefully this has been beneficial and see you on the next Part.

PKIView OCSP Location#1 Error

Posted by Ahmed Nabil In | 2 comments»
After configuring and installing OCSP on an Enterprise Certification Authority I noticed that the OCSP location in the PKIView is displaying an error as per below screen shot.

The OCSP was working fine with current certificate and I verified and validated it using the

Certutil -url (Check below article for more details)

It turned to be that the original AIA path that was used has been changed on my CA extensions with another path which led to this error. So in order to fix this issue, the following was done:

  1. Revoked the Latest CA Exchange certificate, this can be done by checking your Certification Authority - Issued Certificate - Arrange them by Certificate template and check the latest CA Exchange Certificate                                                                                                                                                                                                                                                                                                                                       
  2. From an Admin Command prompt run "certutil -cainfo xchg"                                                                                                                                                                                                                                   
This did the trick and it was fixed back in the PKIView.