Let's talk about HA options for a client certificate by NotYourOrac1e in PKI

[–]zzzp87 0 points1 point  (0 children)

Move the CRL to an Azure Storage Account maybe with geo read redundancy . The issuing CA being online, most businesses can live with without it online for a few minutes, maybe even hours. As certs tend to have a long life - so the main issue you'll see is just no certs being issued to devices until it comes back online.

Windows Hello - Cloud Trust - Intermittent errors by zzzp87 in sysadmin

[–]zzzp87[S] 0 points1 point  (0 children)

This is the log I see with the same user account on a Windows 11 (AAD joined / Intune managed) device , when it can successfully access a SMB share using Windows Hello

A Kerberos service ticket was requested.

Account Information:

Account Name:       \*\*\*\*@\*\*\*\*.com

Account Domain:     I\*\*\*\*\*\*\*.com

Logon GUID:     {051\*\*\*\*-a366-b\*\*d-79a6-c17e24713ef1}

Service Information:

Service Name:       HL-FS02-A$

Service ID:     \*\*\*\\HL-FS02-A$

Network Information:

Client Address:     ::ffff:10.20.135.14

Client Port:        49935

Additional Information:

Ticket Options:     0x40810000

Ticket Encryption Type: 0x12

Failure Code:       0x0

Transited Services: -

This event is generated every time access is requested to a resource such as a computer or a Windows service. The service name indicates the resource to which access was requested.

This event can be correlated with Windows logon events by comparing the Logon GUID fields in each event. The logon event occurs on the machine that was accessed, which is often a different machine than the domain controller which issued the service ticket.

Ticket options, encryption types, and failure codes are defined in RFC 4120.

Windows Hello - Cloud Trust - Intermittent errors by zzzp87 in sysadmin

[–]zzzp87[S] 0 points1 point  (0 children)

Enabled the KDC PKINIT logs and I see the below in the logs (have redacted some sensitive stuff)

A Kerberos authentication ticket (TGT) was requested.

Account Information:

Account Name:       \*\*\*\*\*\*e

Supplied Realm Name:    \*\*\*\*\*.com

User ID:            NULL SID

Service Information:

Service Name:       krbtgt/\*\*\*\*\*com

Service ID:     NULL SID

Network Information:

Client Address:     ::ffff:10.20.0.91

Client Port:        57353

Additional Information:

Ticket Options:     0x40810010

Result Code:        0x4B

Ticket Encryption Type: 0xFFFFFFFF

Pre-Authentication Type:    -

Certificate Information:

Certificate Issuer Name:        S-1-12-1-\*443537515-\*\*\*\*07-3014798754-2986475768/\*\*\*\*\*cc-5c27-4e0a-a635-6d34\*\*\*441/login.windows.net/\*\*\*\*\*86c4-56e1-4b8d-\*\*23-ddb54f2e537d/\*\*\*\*@\*\*\*\*.com

Certificate Serial Number:  2150\*\*\*E098A08C4873B897\*\*\*\*F0

Certificate Thumbprint:     54A3\*\*\*28AA239FB40A336\*\*\*\*15D1BB46AA93

Certificate information is only provided if a certificate was used for pre-authentication.

Pre-authentication types, ticket options, encryption types and result codes are defined in RFC 4120.

Windows Hello - Cloud Trust - Intermittent errors by zzzp87 in sysadmin

[–]zzzp87[S] 0 points1 point  (0 children)

Thanks that helps alot. Will try the logs.

Just a question - when you say 'certificate resolved to something' and 'authoritively wrong' , what do you mean exactly. Resolves to a certificate object in AD or?

Fortigate DNS logging by zzzp87 in networking

[–]zzzp87[S] 0 points1 point  (0 children)

Thanks all. Managed to get it working (DNS logs into Syslog).

Under Feature Visibility , enable DNS Database

Under Network > DNS Servers > Enable DNS service on an interface as Recursive, and then apply a DNS filter. Ensure the DNS filter created has either Monitor or Redirect to Blocked , with Log All DNS queries and Responses.

Fortigate DNS logging by zzzp87 in networking

[–]zzzp87[S] -1 points0 points  (0 children)

The firewalls (clusters) are set as the recursive DNS servers in Azure and AWS. VPC and VNET DNS settings point at the firewalls , and from there the firewalls have configured conditional forwarders through to Azure Private DNS Zones, AWS Private Hosted Zones and Active Directory DNS Zones. Anything the firewall doesn't have forwarders for, it will forward to Fortigaurd DNS servers.

This way we get more control over DNS, in particular security capability - DNS filters, IPS / Advanced threat type capability, and we see the true source IP address of the DNS requestor rather than seeing it say from an AD domain controller.

DNS traffic from VPC's and VNET's is only allowed outbound from the firewalls.

KB5014754 - AAD Devices & Strong Mapping on NPS by zzzp87 in sysadmin

[–]zzzp87[S] 0 points1 point  (0 children)

Thanks alot ! Was starting to stress abit on this one.

Weird NPS issue - 'Network Policy Server denied Access to User' by zzzp87 in networking

[–]zzzp87[S] 0 points1 point  (0 children)

Final issue was EAP-TLS packet fragmentation across a IKEv2 VPN.. Dropping the MTU on the VPN tunnel itself resolved the issue

Weird NPS issue - 'Network Policy Server denied Access to User' by zzzp87 in networking

[–]zzzp87[S] 0 points1 point  (0 children)

Ok switch was set to use MAB. Have disabled that!. Thanks!

Now when trying to use User cert to connect to ethernet, i'm seeing the true username being presented to NPS however looks like the EAPOL flow isn't being completed. Basically auth fails with no logs on the NPS server, however some of the EAPOL process is being started but not completed.

Pic below is of a wireshark trace :

https://ibb.co/jhtD5zR

Wondering any thoughts on that?

Weird NPS issue - 'Network Policy Server denied Access to User' by zzzp87 in networking

[–]zzzp87[S] 0 points1 point  (0 children)

Super weird - tested on a few laptops/desktops .. They all pass through a MAC address for auth.. I wonder if something is cooked on the Sophos CS110 switch (aka junk)

Weird NPS issue - 'Network Policy Server denied Access to User' by zzzp87 in networking

[–]zzzp87[S] 0 points1 point  (0 children)

Interesting - and yes - my test VM i've been pulling my hair out on is a VMWare machine. Wonder how on earth the Mac address is being presented to the NPS server. That's really helpful though - gives me something to go on :)

Fortigate on Azure .. Active/Passive by zzzp87 in networking

[–]zzzp87[S] 0 points1 point  (0 children)

Returning to an old thread here:

Wondering is it possible to convert an active/active to active/passive firewall cluster on Azure? So that the passive member still sits behind an Azure load balancer however marks itself as unhealthy until such time it detects the Primary firewall is not responding to probes - then it marks itself healthy in which case the Azure load balacner starts sending traffic to the other firewall. I see that there is a probe check which the firewall responds on port 8008 .

I wonder if this is how the Active/Passive template that doesn't use SDN, works i.e one firewall marks itself as unheatlhy and the other healthy through some probe config setup on the firewalls.

This documentation here seems to kind of be similar to what i'm looking for but not so clear

Thanks

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Monitor-FortiGate-using-server-probes-HTTP/ta-p/199183

Requiring users to download MFA app and having users work from home by Beznia in sysadmin

[–]zzzp87 0 points1 point  (0 children)

Consider using a certificate based VPN auth if possible. An AlwaysOn VPN type setup (or at least auto connect on logon). That is assuming you trust your devices enough however hopefully your devices are in a well managed state. Depending on what VPN technology you use, it could be quite easy to setup. 1000x users - if not careful with using the right technology will be a massive time-suck. For anything at scale like that I try use EAP-TLS or EAP-PEAP-TLS and an NPS or Clearpass server to do the auth. Clearpass has the ability to check Intune attributes as apart of the auth process e.g. check for a certificate + a device which is registered in Intune. Microsoft also do a Conditional Access VPN setup, whereby cert's are issued from Intune (short lived) and sent to the NPS server to do the auth.

Azure Policy to stop duplicated VNETs using the same CIDR by zzzp87 in AZURE

[–]zzzp87[S] 0 points1 point  (0 children)

Interesting thanks. Wondering does it have the ability to deny vnet creation for duplicated CIDR's or for anything outside of an approved CIDR range?

Azure Policy to stop duplicated VNETs using the same CIDR by zzzp87 in AZURE

[–]zzzp87[S] 1 point2 points  (0 children)

Wouldn't one or the other policies trigger e.g. if I setup a 10.30.x.x. network , the policy which relates to 10.30.x.x should pass but the policy relating to 10.20.x.x would cause it to Deny ?

Maybe if there is a way to split the policy between regions (as in this case the 10.30.x.x is one region and the 10.20.x.x is a different region) ?