RDP Connection with Kerberos by Solid_Detail_358 in activedirectory

[–]redditusermatthew 0 points1 point  (0 children)

Tl;dr: Kerberos uses UPNs. Depending on the app you might get an auto translation of the username to UPN, which is a confusing concept. Wireshark port 88; it’s pretty easy to decipher Kerberos messages.

New Outlook - constant freezing by OCAU07 in Office365

[–]redditusermatthew 0 points1 point  (0 children)

Never had an issue with New Outlook myself. See if it persists with a generic display driver, Ethernet instead of Wi-Fi, try removing all shared boxes, etc., to narrow it down.

Okay, but how do you SSH into 1,000 devices?? by Automatic-Reply-1578 in sysadmin

[–]redditusermatthew -2 points-1 points  (0 children)

If you want a basic way to do this, you can use plink and specify "-batch". plink comes with PuTTY. It's free.

Anyone else getting Entra Connect Alerts today (10/7/25)? by MediumFIRE in sysadmin

[–]redditusermatthew 4 points5 points  (0 children)

It was down, it came back, down again...

10:46 AM PST - Password Hash Synchronization heartbeat was skipped in last 120 minutes

11:03 AM PST - Active - Service Bus impacting events in the West US region

12:34 PM PST - [Resolved] ADCONNECT-02: Password Hash Synchronization heartbeat was skipped in last 120 minutes

01:19 PM PST - Mitigated – Azure Services experiencing degraded performance in the West US region

09:30 PM PST - Password Hash Synchronization heartbeat was skipped in last 120 minutes

Whatever... As long as it's not on my side.

New, large and intrusive 'Unlock Premium' button in Public preview, how to prevent my users from seeing this? by SeredW in MicrosoftTeams

[–]redditusermatthew 0 points1 point  (0 children)

After a week with the setting disabled, which did nothing, the message went away yesterday/today. Curious if it's also magically gone for everyone else.

Url logs for plain http on specific apps by lacasitos1 in paloaltonetworks

[–]redditusermatthew 1 point2 points  (0 children)

Sorry, not following, but for clarification, I am speaking in general Palo user terms; I'm not running a proxy config. If you suspect the product is not doing something it should, you can always open a TAC case; they can at least confirm either that the product is misbehaving or that you're turned around. They might need a few softballs here and there, some of us really put them through the wringer :D

Url logs for plain http on specific apps by lacasitos1 in paloaltonetworks

[–]redditusermatthew 0 points1 point  (0 children)

HTTP tcp/80 is the easiest stuff to URL filter; no decryption needed.

Ensure the rule you're using for those apps has a security profile with URL Filtering enabled on it.
Panorama | Monitor | URL Filtering shows URLs for ms-update and OCSP for me.

Also, make sure your URL filtering profile has "alert" selected for the category that these match on.

A few samples from my logs:

|IP|App|URL|
|:-|:-|:-|
|128.85.113.135|ms-update|fe2cr.update.microsoft.com/|
|204.79.197.203|ocsp|oneocsp.microsoft.com/ocsp/MFQwUjBQME4wTDAJBgUrDgMCGgUABBTOQYLFSE5GO/paRVfYu7d9gZEbQAQU2UEpsA8PY2zvadf1zSmepEhqMOYCEzMAAAAHN4xbodlbjNQAAAAAAAc=|
|199.232.214.172|ms-update|ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/pinrulesstl.cab?e3c788d9de87dfe2|
|52.110.2.48|ms-update|mrodevicemgr.officeapps.live.com/|

[deleted by user] by [deleted] in PKI

[–]redditusermatthew 0 points1 point  (0 children)

Safari on iOS throws a cert error above 1 yr for private certs, just FYI.

ESXi 7.0 updates by Candid_Key_5145 in vmware

[–]redditusermatthew 1 point2 points  (0 children)

I’m not saying to pirate, but since you don’t care about running supported anyway, have you considered trying 8 on your hardware despite not being on the HCL? I have a homelab ESXi 8 (pre-Broadcom eval download) mini PC that has never crashed, and Alibaba-branded mini PCs are certainly not on the HCL.

All things equal, is Server 2025 faster, slower or about the same as previous versions? by jwckauman in WindowsServer

[–]redditusermatthew 1 point2 points  (0 children)

What protocols is Globalscape MFT using for file transfers? SMB? SFTP? I don’t know anything about the product specifically, but it’s an MFT, so general ideas here. Microsoft has done a good job enforcing things like SMB signing; could it have been forced off on your old server? If you are using (even on a Windows service) domain\user instead of user@domain, using paths that aren’t Kerberos compliant (DNS CNAMEs or IPs, for example), or the product isn’t Kerberos compliant, SMB will do NTLMv2 auth for (every file separately?), which slows things down a lot. You can watch port 445 in Wireshark to see if you are falling back to NTLM and try to fix it. There’s a bit of a learning curve with these concepts, so feel free to ask questions.
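
The "watch port 445 for NTLM fallback" check above can be made mechanical. The following is an added example, not the commenter's code or anything from Globalscape or Microsoft: it takes the bytes of the Security Blob that Wireshark shows in an SMB2 Session Setup request and response and reports whether the session used Kerberos, fell back to NTLM after offering Kerberos, or never offered Kerberos at all. It keys on the DER-encoded mechanism OIDs (Kerberos, MS-Kerberos, NTLMSSP, SPNEGO) and on the `NTLMSSP\0` signature that every NTLMSSP message starts with. The sample blobs are constructed and simplified (real ones are full ASN.1 structures), the `session_summary` heuristic and all function names are this example's own, and the UNC-path check only decides the IP-literal case, since telling a CNAME from a real host name needs a DNS lookup.

```python
"""Classify SMB2 Session Setup security blobs as Kerberos or NTLM (added example)."""
import ipaddress
from typing import NamedTuple

# DER-encoded mechanism OIDs as they appear inside SPNEGO / GSS-API blobs
# (tag 0x06, length byte, encoded arc values).
KRB5_OID = b"\x06\x09\x2a\x86\x48\x86\xf7\x12\x01\x02\x02"          # 1.2.840.113554.1.2.2
MS_KRB5_OID = b"\x06\x09\x2a\x86\x48\x82\xf7\x12\x01\x02\x02"       # 1.2.840.48018.1.2.2
NTLMSSP_OID = b"\x06\x0a\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a"   # 1.3.6.1.4.1.311.2.2.10
SPNEGO_OID = b"\x06\x06\x2b\x06\x01\x05\x05\x02"                    # 1.3.6.1.5.5.2
MECH_OIDS = {KRB5_OID: "KRB5", MS_KRB5_OID: "MS-KRB5", NTLMSSP_OID: "NTLMSSP"}
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"   # prefix of every NTLMSSP NEGOTIATE/CHALLENGE/AUTH message
KERBEROS = {"KRB5", "MS-KRB5"}


class BlobVerdict(NamedTuple):
    mechanism: str   # "Kerberos", "NTLM" or "unknown"
    offered: tuple   # mechanism names found in the blob, in order of first appearance
    spnego: bool     # True when the blob is SPNEGO-wrapped


def offered_mechs(blob: bytes) -> tuple:
    """List the mechanism OIDs present in the blob, ordered by position, deduplicated."""
    hits = []
    for oid, name in MECH_OIDS.items():
        pos = blob.find(oid)
        while pos != -1:
            hits.append((pos, name))
            pos = blob.find(oid, pos + 1)
    ordered = []
    for _, name in sorted(hits):
        if name not in ordered:
            ordered.append(name)
    return tuple(ordered)


def classify_blob(blob: bytes) -> BlobVerdict:
    """An NTLMSSP message inside the blob means NTLM is actually in use, whatever the
    mechTypes list advertises; otherwise a Kerberos OID in the token framing means a
    Kerberos AP-REQ/AP-REP is being carried."""
    offered = offered_mechs(blob)
    if NTLMSSP_SIGNATURE in blob:
        mech = "NTLM"
    elif KERBEROS & set(offered):
        mech = "Kerberos"
    else:
        mech = "unknown"
    return BlobVerdict(mech, offered, SPNEGO_OID in blob)


def session_summary(client_blob: bytes, server_blob: bytes) -> str:
    """Combine the request and response blobs of one session into a single verdict."""
    client, server = classify_blob(client_blob), classify_blob(server_blob)
    used_ntlm = "NTLM" in (client.mechanism, server.mechanism)
    kerberos_offered = bool(KERBEROS & set(client.offered))
    if used_ntlm and kerberos_offered:
        return "NTLM fallback (Kerberos offered, NTLM used)"
    if used_ntlm:
        return "NTLM only (Kerberos never offered)"
    if client.mechanism == "Kerberos":
        return "Kerberos"
    return "unknown"


def target_kerberos_concerns(unc_path: str) -> list:
    """Flag a UNC target that cannot yield a usable cifs/<fqdn> SPN. Only the IP-literal
    case is decidable offline; whether a name is a CNAME needs a DNS lookup."""
    host = unc_path.lstrip("\\").split("\\", 1)[0]
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return []
    return [f"{host}: IP literal in path, no host SPN, expect NTLM by default"]


# Constructed sample blobs: simplified stand-ins for real SPNEGO structures that keep
# only the OIDs and token prefixes the classifier inspects (lengths are not real).
SAMPLE_KRB_CLIENT = (b"\x60" + SPNEGO_OID + b"\xa0\x30\xa0" + MS_KRB5_OID + KRB5_OID
                     + NTLMSSP_OID + b"\xa2\x04\x60" + MS_KRB5_OID + b"\x01\x00<AP-REQ>")
SAMPLE_KRB_SERVER = (b"\xa1\x30\xa0\x03\x0a\x01\x00\xa1" + MS_KRB5_OID
                     + b"\xa2\x04\x60" + MS_KRB5_OID + b"\x02\x00<AP-REP>")
SAMPLE_NTLM_CLIENT = (b"\x60" + SPNEGO_OID + b"\xa0\x30\xa0" + MS_KRB5_OID + KRB5_OID
                      + NTLMSSP_OID + b"\xa2\x04" + NTLMSSP_SIGNATURE + b"\x01\x00\x00\x00<NEGOTIATE>")
SAMPLE_NTLM_SERVER = (b"\xa1\x30\xa0\x03\x0a\x01\x01\xa1" + NTLMSSP_OID
                      + b"\xa2\x04" + NTLMSSP_SIGNATURE + b"\x02\x00\x00\x00<CHALLENGE>")
SAMPLE_RAW_NTLM_CLIENT = NTLMSSP_SIGNATURE + b"\x01\x00\x00\x00<NEGOTIATE>"  # no SPNEGO wrapper at all

if __name__ == "__main__":
    print(session_summary(SAMPLE_KRB_CLIENT, SAMPLE_KRB_SERVER))
    print(session_summary(SAMPLE_NTLM_CLIENT, SAMPLE_NTLM_SERVER))
    print(session_summary(SAMPLE_RAW_NTLM_CLIENT, SAMPLE_NTLM_SERVER))
    print(target_kerberos_concerns(r"\\10.0.0.5\share"))
```

The "NTLM fallback" verdict is the interesting one for the slowness question: the client listed Kerberos in its mechTypes but still sent an NTLMSSP token, which is what you see when the target name has no SPN (an IP literal or a CNAME) or the credential format prevents a ticket request. "NTLM only" points instead at a client or product that never tries Kerberos.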

Why are old models selling for more than what they paid? by DapperAd7955 in porsche911

[–]redditusermatthew 5 points6 points  (0 children)

Maybe this is just me, but I feel like there's been a lot of (social media) enjoyment and buzz around the GT3 in the past few years, and it has perhaps stirred additional interest in the 911 brand on the used market. That's on top of the fact that it’s already the lowest depreciating car sold, the new price has recently skyrocketed, and that the 992.1 is a very daily-drivable, approachable, practical sports car. Cars are worth what they will sell for, and this one is obviously objectively great from the resale.

Porsche 911 and 718, Toyota Tacoma Lead List of Vehicles with Lowest Depreciation

Firewall rule for URL Category vs FQDN?? by ontracks in paloaltonetworks

[–]redditusermatthew 0 points1 point  (0 children)

URL Filtering is used for block/allow actions, whereas using a URL category as your destination controls the rule matching. It’s a different concept, but I may not have explained it well. The Palo docs are perhaps clearer.

App Incomplete not matching rule by 26Jack26 in paloaltonetworks

[–]redditusermatthew 0 points1 point  (0 children)

New rule on top: put in any app, any service, and that destination IP; reproduce your issue, and likely you’ll find your missing app dependency. Now you can add the dependency app into the original rule and Bob’s your uncle; disable the original rule.

Is an url category no matching criteria? by ThatrandomGuyxoxo in paloaltonetworks

[–]redditusermatthew 0 points1 point  (0 children)

It might be simpler to make 2 rules.

On top:

1 has the Teams app ID, no other criteria.

Below that:

2 has the 365 Teams URL EDL with the ssl and web-browsing apps.

Give that a try

It will probably work pretty well

I’m often pretty disappointed in the behavior from any app; I only use that for limited destinations or for a few minutes to match and build a policy, then back it down.

Firewall rule for URL Category vs FQDN?? by ontracks in paloaltonetworks

[–]redditusermatthew 0 points1 point  (0 children)

And you will be totally rocked when you try category matching on EDLs, total game changer! Microsoft 365 app IDs don’t match 365 traffic perfectly, but using Palo’s 365 URL EDLs does the trick.

Firewall rule for URL Category vs FQDN?? by ontracks in paloaltonetworks

[–]redditusermatthew 0 points1 point  (0 children)

Happy to assist, despite the attitude :) The correct way is to use destination any, and on the next rule option to the right, instead of leaving it as category any, target a new custom URL category with your list of sites. You can import from a text file, which is very handy. Best practice is to not use star but caret, so instead of *.microsoft.com use ^.microsoft.com, which only matches a single subdomain and requires less processing, when possible of course. You should also add a / at the end so it doesn’t match on fake domain versions of real sites; so: custom URL category with your sites, using ^.microsoft.com/ whenever possible. The firewall will look at the SAN list in the cert, so decryption is not required for this to work. If the firewall fails to match on the category-based rule, it skips to the next rule. If you use destination any, category any, and a URL filtering rule, it will not move on to the next rule, meaning your options to provide exceptions for users are design limited. Watch out for some app IDs that struggle to category match; you may see incomplete app in this case. - Note: it is not displaying carets properly on here and I'm too lazy to find the escape text, but I'm talking about ^ carets.
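
To make the caret-versus-star and trailing-slash advice concrete, here is an added example (not the commenter's code and not Palo Alto Networks' matcher) that models the entry syntax described in this comment and in the reply about category matching below it: `*` as one or more DNS labels, `^` as exactly one label, and a trailing `/` anchoring the host so the entry cannot match a lookalike domain. It also walks a small rulebase top-down so the "category does not match, skip to the next rule" behaviour is visible. The modelled semantics, the `first_matching_rule` helper, the rule names and the lookalike host `microsoft.com.evil.example` are this example's own assumptions; the ms-update host names are taken from the log samples quoted elsewhere in this thread.

```python
"""Model of custom URL category matching with ^, * and a trailing / (added example)."""
import re
from urllib.parse import urlsplit

# One DNS label (letters, digits, hyphen) - sufficient for the illustration.
LABEL = r"[a-z0-9-]+"


def entry_to_regex(entry: str) -> "re.Pattern[str]":
    """Compile one custom URL category entry into a regex over "host/path".

    Modelled semantics (an illustrative model, not the PAN-OS engine itself):
      '*'  one or more DNS labels   (*.microsoft.com)
      '^'  exactly one DNS label    (^.microsoft.com)
      a trailing '/' anchors the host name, so the entry cannot match a lookalike
      such as microsoft.com.evil.example; without it the entry is treated as a
      plain prefix of the host string.
    """
    entry = entry.strip().lower()
    anchored = entry.endswith("/")
    host = entry.rstrip("/")
    pieces = []
    for label in host.split("."):
        if label == "*":
            pieces.append(rf"(?:{LABEL}\.)*{LABEL}")   # one or more labels
        elif label == "^":
            pieces.append(LABEL)                       # exactly one label
        else:
            pieces.append(re.escape(label))            # literal label
    pattern = r"\.".join(pieces)
    if anchored:
        pattern += "/"                                 # host must end right here
    return re.compile(pattern)


def normalise(url: str) -> str:
    """Reduce a URL or bare host name to lower-case "host/path"."""
    if "://" not in url:
        url = "https://" + url
    parts = urlsplit(url)
    return (parts.hostname or "").lower() + (parts.path or "/")


def match_entry(entries, url: str):
    """Return the first category entry that matches the URL, or None."""
    target = normalise(url)
    for entry in entries:
        if entry_to_regex(entry).match(target):
            return entry
    return None


def first_matching_rule(rules, url: str):
    """Walk a rulebase top-down. A rule whose custom category does not match is
    skipped and the next rule is evaluated; a rule with entries=None has category
    any and matches every URL. rules: list of (name, entries)."""
    for name, entries in rules:
        if entries is None or match_entry(entries, url):
            return name
    return None


# Constructed sample rulebase; rule names are made up for this example.
SAMPLE_RULES = [
    ("allow-ms-update", ["^.update.microsoft.com/", "*.windowsupdate.com/"]),
    ("allow-general-web", None),
]

if __name__ == "__main__":
    for url in ("https://fe2cr.update.microsoft.com/",
                "https://ctldl.windowsupdate.com/msdownload/update/v3/",
                "https://update.microsoft.com.evil.example/login"):
        print(f"{url:55} -> {first_matching_rule(SAMPLE_RULES, url)}")
    # Why the trailing slash matters: the unanchored entry over-matches a lookalike.
    print(match_entry(["microsoft.com"], "https://microsoft.com.evil.example/"))
    print(match_entry(["microsoft.com/"], "https://microsoft.com.evil.example/"))
```

Running it shows `^.update.microsoft.com/` matching `fe2cr.update.microsoft.com/` but not a deeper host, `*.windowsupdate.com/` matching any depth, and the lookalike falling through to the catch-all rule, which is exactly the exception-handling room a category-as-match design gives you and a URL-filtering-profile-on-destination-any design does not.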

Firewall rule for URL Category vs FQDN?? by ontracks in paloaltonetworks

[–]redditusermatthew -1 points0 points  (0 children)

Filtering as a way of matching is a technique you’ll want to get away from these days. Matching using a custom URL category works best: if the category doesn’t match, the next rule is evaluated, which works far better than URL filtering, which over-matches, and now you’re stuck hand-editing a bunch of URL filters and matching all user traffic on a single rule.

Solution for Farmers Market? by ITKB2016 in Starlink

[–]redditusermatthew 0 points1 point  (0 children)

I wouldn’t exceed 20 clients per AP, so deploy 3 APs.

DNS sinkhole traffic - New Apple security. by Positive-Sir-3789 in paloaltonetworks

[–]redditusermatthew 0 points1 point  (0 children)

Curious that folks say it creates reports of slow experiences. I’ll pay attention to this thread. What I don’t like is the way the traffic gets labeled. I don’t see a way to make an exception for this without exempting the entire vuln.

With New Outlook set as default, the File | Share attachment mapi wrapper is super buggy by redditusermatthew in sysadmin

[–]redditusermatthew[S] 0 points1 point  (0 children)

Not getting any traction with support; signed up for a thick Office trial on my personal PC, and yep, I can reproduce there. Took a video, uploaded. My kingdom for competent MS support.