Відео

Thanks for watching! The certificate I select I have had to choose by its expiration date. I use the RADIUS Server certificate template for that. In this video I made a cert that could be used by both the server and client. In this case I would have selected that one. It is okay to do. For least priv purposes it’s best to have a separate template for server and client

@@OsbornePro Appreciate the feedback. I was not 100 percent sure. I thought it might be best to just setup a cert template for just the radius server that way its not using same cert the clients are using as I currently have the validity period set to 3 months and the renewal period set to 2 months. It may cause issues once I deploy to production if my radius server cert is using the same as the clients.

@@TheMeMo1999 thansk for watching glad it was helpful!

@@ryanmcguire2578 thanks for watching! Yes they will automatically connect to wifi once setup

@OsbornePro ok I had set the up previously on a different dc, and my first test user I had to hit connect for them to connect, in the cert authority should each computer have 2 certs listed?

@@ryanmcguire2578 if you have two certificates on a device capable of being used for radius auth from the same certificate authority. In your client wireless profile you define the CA that assigned the certificate to auto select from. If you have two they may prompt you to

​@@OsbornePro I have my original cert authority setup on server 2016(going to decommission) which is still active and it has both certificate templates for radius server client and computer(machine) on it but my server 2022, the new CA only has the radius server client cert template listed for this user

@@OsbornePro sent you an email if you have a chance to take a look...thank you

Thanks for watching! I do not have a video like that. You want your CA to not have any other services on it. It should just do CA stuff. The best practice that is rarely followed is to have an offline root CA server non-domain joined. Then have an Intermediate CA attached to that which is domain joined. Require NTLMv2 authentication to it. Use SMBv2 and v3 with required signing. Biggest threat to your domain with a certificate authority are Certificate Templates. The guys who wrote an exploit tool called Certify have a white paper that is well worth the read to see the do not so certificate template making. You can run the tool to discover vulnerable certificates on your CA if you are ever unsure

@@faizankhanseo4639 thanks for watching! No it is not. Lazesoft has a free one I believe still

@@OsbornePro yes lazesoft is free you are right thanks 👍🏼🙏🏼

@@shinshen9020 thanks for watching! Yes a Mac can bind to a Windows domain. There is more info on how that is done and requirements in this article. onmac.net/how-to-join-mac-to-windows-domain/

Thanks for watching! I would be curious what you do for this. If you are using PEAP I would think trusting the Root CA and a domain trust would be required between the two domains so the user accounts can be found. For EAP-TLS you probably need a non-domain joined CA to issue certs to both domains in order to accomplish that

@@pstz_800 thanks for watching glad it was helpful!

@@BGPNetworks thanks for watching! It is not recommended to user your DC as a CA however, that should not affect the setup. The CA cert still needs to be trusted by the server and clients. It is still able to do what you need it too

@@filipfabicevic3077 thanks for watching! The DHCP server is registering the domain and IP resolution on behalf of the client so as long as the client can get a DHCP address it should work. It sounds like you need to set an ip helper-address on the switch for that VLAN. Make sure the forward look up zone exists on the DHCP server also. In the DNS server check your security settings to see if there are restrictions and what subnets allow updates

@@rakesh4a1 thanks for watching! FTP over SSL is not capable of key authentication, only FTP over SSH can use certificates for authentication. FTP over SSL to FTP is the equivalent of what HTTPS is to HTTP. The user tobor does not have a certificate assigned. You will need to create the ftpsecure user. It is used for limiting permissions and employing least privileges.

I put this script together to auto-install using a secure method. If the vsftpd service fails to start it is because UTF8 is no longer an option to set on certain Linux distro github.com/OsbornePro/ConfigTemplates/blob/main/vsftpd-installer.sh

@@vladimirarias-antonov9584 thanks for watching! I would suggest taking a look at this article for the NPS side of things documentation.meraki.com/MS/Access_Control/Configuring_Microsoft_NPS_for_MAC-Based_RADIUS_-_MS_Switches

Thank you this is great

@@user-zg3pw5qb2j thanks for watching, sounds like the same thing I have seen with Macs. If you check the NPS event logs it probably says it can’t find the account. If that is the case you won’t be able to use EAP-TLS to authenticate Linux devices unless they are domain joined

@@hichamlyaacoubi1196 thanks for watching! There is a registry value you can at on the NPS server to define what version you want to use if you want to make sure a modern one is used support.microsoft.com/en-us/topic/microsoft-security-advisory-update-for-microsoft-eap-implementation-that-enables-the-use-of-tls-october-14-2014-d9ba4b83-b4e9-2c01-83a7-e42706e671af

@@marcusjackman1487 thanks for watching glad it was helpful! Haha I do not unfortunately. The Apache documentation is very extensive. The things I have learned came from doing hackthebox labs and configuring apache for different web services. I don’t know a good source out there for it so I put this together to share things I have run into

Thanks for watching! Glad it was helpful

Thanks for watching! No the students will not be able to download and install the certs on their phone; the important part for you to achieve that is when creating the device certificate template on your CA, the private key can not be marked as exportable. Once the certificate is assigned it will only be able to be used on the device it is assigned too. Also, the device hostname will have to match the subject name of the certificate. You can use PEAP certificates for deployment on a per user basis. However, making the key non-exportable in that situation means only one certificate goes to a user. That one certificate can only be used on the device that received it for that particular user. For example the students will not be able to use a second device like a laptop and desktop. EAP-TLS/Device Certificates allow you to authenticate devices. Users can access a device and that device can access the network. For your situation if possible I would use Aruba as a certificate authority with EAP-TLS for device authentication. The reason being is you may run into issues with devices that are not domain joined using certificates from a domain joined CA to authenticate. The account/user will not be found in AD and dummy accounts will not resolve the issue.

Thanks for watching! Yes you can. Just have to assign each DC its own LDAPS certificate where the FQDN of each individual DC is in the Subject of the certificate.

Thanks for watching! Glad it was helpful

Lol of course don't want anyone researching to get sick! Thanks for watching!

Thanks for watching. If you are running the nltest command on a device that is NOT a Windows Domain Controller there may be an issue with the trust or there is something up with the certificate trust on the client. Either of the below commands can be used to repair the trust. nltest /sc_reset:YourDomain.com Test-ComputerSecureChannel -Repair -Verbose # Run on the client device in admin powershell window Otherwise look at the System logs in Event Viewer after you do the above. Look for any events related to secure channel issues, likely with a the source Netlogon. This may help identify what exactly the trouble is.

@@OsbornePro ok thank you very much for your response. I will try to execute the commands. I just forgot to mention that i tried executing the command on a windows 11 in the same network and domain, on a windows 11 in another network (through internet) and on the DC itself. I got the same error in every case. Oh and the DC is also the DNS server

@@OsbornePro but my main issue is how to make LDAP work with iOS because iOS devices somehow dont send bind requests, only search requests from what i see through Wireshark. So i was trying to connect with SSL but apparently the iphone doesn't recognize the certificate. In Wireshark, we can see a "Unknown certificate" error.

@@aliounethiaw1443 if you are not seeing bind requests from the iOS devices they are not trying to perform authenticated searches. They may need an LDAP profile of some sort with credentials specified typically using the distinguished name as the username. An MDM solution will need to be used to push out the Root CA certificate to the devices trusted machine certificate store.

@@OsbornePro so i need to manually register the phone in the LDAP server using the phone's name and a password as credentials, then install the certificate on the phone via an MDM. And then i try to connect using the phone's credentials instead of the user's credentials. Is that what you mean?

Thanks for watching! I would still assign the server to the DnsUpdateProxy group. If there ever comes a time when the role is moved off the server, it can be seen the current server is a member of that group and it will make whoever looks at it take notice possibly preventing or shortening a resolution. Twenty years from now some IT guy will say thank you Wyatt. This is not needed however when you issue that command. The link below references if that helps you decide whatever is best for you. Your summary of actions looks complete to me and yes use "dnscmd /config /OpenAclOnProxyUpdates 0" since your DC is also a DHCP server. Here is a link to Microsoft's mention of this learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ff631099(v=ws.10)#summary

@OsbornePro awesome! Thank you! This was the first video of yours that I have seen and it was perfect. Explain everything so well. Will definitely recommend to others and watch more of your tutorials!

Thanks for watching! A valid certificate is typically selected automatically however, its not perfect. Yes you should select the certificate to use on the RADIUS server in the network policy. I forgot to cover this in the video. I updated the description of the video to make mention of this in case someone reaches out to me having that issue. I can also get a quick copy paste responding to emails.

I finally figured it out. My CA root certificate was expired. Once it is renew, I see the LDAP certificate is now available.

Thanks for watching! Right on appreciate you sharing that. My approach would have been checking RPC and Windows Firewall. That did not even cross my mind.

Thanks for watching! Glad it was helpful

Thanks for watching! What I have found with non-domain joined Apple devices is they require a non-domain joined Root CA with a domain joined Intermediate CA. The non-domain joined Root CA is for issuing certs to Apple devices not on the domain. The domain joined intermediate is for auto-management of the Windows RADIUS client certificates. Of if you have something like Cisco ISE to act as a CA that issues certs to those devices that can work. If you just have a domain joined Root CA that assigns a device certificate to a non-domain joined Apple device, the authentication fails saying no matching account could be found. I have tried creating dummy accounts etc but nothing worked for me.

Thanks for watching! Very happy it was helpful

Thanks for watching! That I am not sure. By default you should have default certificate authorities that exist in both the Trusted Root Certificate Authorities and Intermediate Certificate Authorities stores. If there is nothing there maybe the Windows store is not used for trust and some other technology is handling that? If you want to get your domains Root CA, remote into the Root CA server and open Command Prompt or PowerShell. Then execute the below command mkdir C:\Temp # Creates a directory if it does not exist certutil -ca.cert C:\Temp\RootCA.cer # Exports your domains Root CA certificate to a file that you can import into the trusted stores Once you have the RootCA.cert file you can open certlm.msc and import it into the Trusted Root Certificate Authorities store

Thanks for watching! Glad it helped to get your VM started like you want!

Thanks for watching! You actually are do not need to install the Active Directory Lightweight services role and it will not harm anything to remove it. That was bad information circulating at the time I released the video. You do not need to install that Feature and it can be safely uninstalled. As long as the NTDS service is running LDAP and LDAPS are available. The certificate attached to the NTDS service is required and the clients need to trust the Root CA that issued it. If you are moving to a new DC you will need to request an LDAPS certificate for it and attach it to the NTDS service. Once that is done simply point whatever third party apps you need to towards the new DC.

Thanks for watching! Always happy to hear this helped someone implement it!

Thanks for watching! Glad it was helpful. I love hearing when things like this get implemented you are killing it

Thanks for watching! The length of the video may be deceptive in how much needs to be done. Prerequisites: 1. Certificate Authority a. Contains an LDAPS Certificate Template to issue to DCs 2. Domain Controller a. Assigned the LDAPS certificate from the CA b. LDAPS Certificate template attached to the NTDS service You do not necessarily need an Enterprise CA however it does make the implementation simpler. The LDAPS certificate template can likely be obtained from whatever you are using as your Certificate Authority. The tricky part is the LDAPS certificate can not use a typical SSL certificate such as one you would attach to HTTPS. This is why the service is unable to be a wildcard certificate and it cannot have a Subject Alternative Name.

Thanks for watching! Event ID 8018 when I looked it up is a Zone Transfer failure. It sounds to me like the DNS records are not able to be updated in DNS because of Zone Transfer restrictions. Open the DNS configuration area. Right click and select Properties (on the DNS server if I remember correctly) and go to the Forwarders tab. Then you want to allow forwarding to your specific DNS servers. This prevents an attacker from having the ability to dump your DNS records. You should not configure the DHCP Dynamic DNS credentials if you are allowing the clients to secure update themselves. This can create overlaps and permission issues and mismatched records. If you have the dynamic DNS account update a DNS entry, the device referenced by that DNS entry will not be able to update that record.

Thanks for watching! Glad you it was helpful for ya!

Usually its going to be the Calling-Sation-Id, in this situation he's using EAP-TLS so the certificate the device was issued will have it's name in the certificate metadata.

^ What he said :) Thanks for watching! Thanks for the help @Patmorgan235Us

Have a Snickers and calm down.

@@user-sh5kx8cx5c I was actually calm but it bothers me when "YT experts" are making misleading videos.

Thanks for watching! Yes you are right you do not need to install that role I get asked that a lot. I initially documented my setup process during the time Microsoft was planning to force everyone to move to LDAPS and that role was mentioned in all the blog articles and clearly misunderstood. Installing that service creates a port for LDAPS and the role is easily removed. I do not see any harm. I will add a note in the description and chapter mentioning the role does not need to be installed.

That is how I felt. I did this to help teach myself and reinforce information. I would suggest try doing your own and how you think it could be better and improve the info available in the IT community. If nothing else it helps someone see what they are buying when they hire you.

Thanks for watching and thanks for pointing that out much appreciated!

Thanks for watching! Glad it helped!

Thanks for watching! I can make the excuse that the Deny is more of a "Keep Denying" since we are being prompted on what we want to do with the log message entry. I think you are right it is not necessary to have that manual entry created since it was already being denied. The wildcard explanation makes sense to me also.

Thanks for watching! If you are trying to connect with a Python script you do not need to enforce anything with group policy. You will need to just attach the certificate to the NTDS service on your domain controller. Your Python script may need help trusting the certificate if you are on a host that doesn’t trust the root ca that issued the LDAPS certificate

@@OsbornePro okay, thank you for the quick response. I will try this when I'm back at the lab tomorrow. Much appreciated!

@@invenorofstaw7570 no problem happy to help

Thanks for watching! Appreciate the compliment very glad it was helpful

Thanks for watching! I believe that Yealink phones are not capable of trusting third party certificates. In order to get them internet you would need to configure a multi-host policy on a Cisco switch. This allows the phones to piggy back on the computers authentication and not have to use RADIUS to authenticate to pass traffic. www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3560/software/release/12-2_37_se/configuration/guide/3560scg/sw8021x.html#wp1271507

Thanks I will check that out!

Thanks for watching! No unfortunately LAPS can only manage the local admin account of systems and not domain accounts

@@OsbornePro if you disabled user local user/ admins after setting up Laps whats the point setting up esp if device is not authenticated back to domain for period of time?

@@Akira29H you may need to enable the local admin account at some point to rejoin to a domain for example and the account may not vSomeone setting up a device for the first time may set a weak password to get through the setup and log in easily. It’s just defense in depth to keep track of the password in case you need it. If setting longer expirations works better for you because of offline machines there is no harm in doing that

@@OsbornePro thanks for all learning advice. I have question. I have different domain admin accounts but i dont have any controls to them like user account pw reset or join pc to domain i want these users to have min access to AD. A video would be appreciated. Tq very much.

@@Akira29H no problem thanks for the idea. I will do a next video on delegate permissions for some scenarios I have had requested before and include yours

Thanks for watching! Yes this process is still the same today. You don’t need to install that Rile and Feature in the beginning. Just need to assign the certificate to the port and trust it on your client. Good luck on your project

Thanks for watching! The RADIUS Client authentication certificate can be assigned to any security group you want. It is best to create a RADIUS Devices security group in AD. It does not necessarily have to go out to everything. The RADIUS Server one will only be distributed to servers with the NPS ability. The root ca certificate needs to be distributed to everything for trust purposes. If a certificate isn’t trusted the connection won’t connect without extra steps that are bad for security. I think I answered the question. Let me know if I can provide any more info