Adding permissions for ADFS 3.0 and DRS service to read private keys

Daniel Loughlin's Blog

We had to replace our ADFS Service Communications SSL certificate this week and I ran into a problem assigning read permissions on the new certificate’s primary key.

Both the ADFS and Domain Registration Service (DRS) services need read access to the SSL certificate’s private key; however, the Certificates snap-in would not let me add the accounts drs or adfssrv.

You can use the following PowerShell to add permissions to private keys:

# Locate the certificate by thumbprint and resolve the file name of its (CSP) key container
$PrivateKey = (((Get-ChildItem Cert:\LocalMachine\My | Where-Object {$_.Thumbprint -like "thumbprint"}).PrivateKey).CspKeyContainerInfo).UniqueKeyContainerName
# Machine keys created by the legacy RSA CSP live here
$KeyPath = "C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\"
$FullPath = $KeyPath + $PrivateKey
$acl = Get-Acl -Path $FullPath
# Read is all the service needs to load the key
$Permission = "NT SERVICE\adfssrv","Read","Allow"
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule $Permission
$acl.AddAccessRule($AccessRule)
Set-Acl -Path $FullPath -AclObject $acl

You can also, as I then remembered, just type NT SERVICE\drs or NT SERVICE\adfssrv into the Certificates snap-in! It’s been a long week.

View original post
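The snippet above only works for certificates whose key was created by the legacy RSA CSP (CspKeyContainerInfo is empty for CNG keys, which are stored under a different directory), it never checks whether the ACE actually landed, and it covers one service at a time. The following is an added example written for this page, not code from the original post: it resolves the key file for both CSP and CNG keys, grants Read (and nothing more) to each service identity, and reads the ACL back to confirm. It assumes an elevated PowerShell session on a Windows Server with .NET Framework 4.6 or later (for RSACertificateExtensions), and the thumbprint in the usage line is a placeholder to replace.

```powershell
# Added example (not from the original post): grant service accounts Read on a
# machine certificate's private key file and verify the resulting ACL.
# Assumptions: elevated session, .NET 4.6+ available to PowerShell, placeholder
# thumbprint replaced by the real one.

function Get-PrivateKeyFilePath {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)

    if (-not $Certificate.HasPrivateKey) {
        throw "Certificate $($Certificate.Thumbprint) has no private key in this store."
    }

    # Legacy CSP keys (RSACryptoServiceProvider) live under RSA\MachineKeys and
    # expose their container file name via CspKeyContainerInfo.
    $csp = $Certificate.PrivateKey
    if ($csp -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        $name = $csp.CspKeyContainerInfo.UniqueKeyContainerName
        return Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $name
    }

    # CNG keys (anything enrolled through a KSP) live under Crypto\Keys; the
    # file name is the CngKey UniqueName. $Certificate.PrivateKey is $null here.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Certificate)
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        return Join-Path "$env:ProgramData\Microsoft\Crypto\Keys" $rsa.Key.UniqueName
    }

    throw "Unsupported private key provider for $($Certificate.Thumbprint)."
}

function Grant-PrivateKeyRead {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [Parameter(Mandatory)][string[]]$Identity   # e.g. 'NT SERVICE\adfssrv','NT SERVICE\drs'
    )

    # Exact match on the thumbprint; -eq avoids wildcard surprises with -like.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $Thumbprint.ToUpper() }
    if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My." }

    $keyFile = Get-PrivateKeyFilePath -Certificate $cert
    $acl = Get-Acl -Path $keyFile

    foreach ($id in $Identity) {
        # Read only: the service must load the key, never modify or delete it.
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'Read', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $keyFile -AclObject $acl

    # Verify by reading the ACL back instead of trusting Set-Acl silently.
    $read = [System.Security.AccessControl.FileSystemRights]::Read
    $applied = Get-Acl -Path $keyFile
    foreach ($id in $Identity) {
        $entry = $applied.Access | Where-Object {
            $_.IdentityReference.Value -eq $id -and
            $_.AccessControlType -eq 'Allow' -and
            (($_.FileSystemRights -band $read) -eq $read)
        }
        if (-not $entry) { throw "Read ACE for $id was not applied to $keyFile." }
    }
    return $keyFile
}

# Usage (replace the placeholder with the new Service Communications thumbprint):
# Grant-PrivateKeyRead -Thumbprint 'THUMBPRINT' -Identity 'NT SERVICE\adfssrv','NT SERVICE\drs'
```

Two points worth keeping in mind when adapting this: the Service Communications certificate is used by both adfssrv and drs, so pass both identities in one call rather than editing the ACL twice, and resist the temptation to grant FullControl to make the error go away; a service that can read the key can do its job, and a compromised service that can also delete or replace it can do considerably more.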


SAN v7000: How to fix broken HTTP web-GUI

I see the Dude.


I thought I would never write about storage on this blog, but it turns out strange things happen to SANs as well. I do not normally work with SANs that much; the ones I’m familiar with are the IBM DS3400 and Storwize v7000. Today the v7000 stopped answering HTTPS, so we could not manage it with the web GUI.

Luckily one of the nodes still had the HTTP service up. So here is what I did:

  1. Connect to the node.
  2. Choose the node you would like to restart Tomcat (the web server) on.
  3. Go to “Restart Service”.
  4. Choose to restart the web server (Tomcat).

If you don’t have the same amount of luck as I had, you will have to restart the web server using the CLI. You can only run satask commands if you connected to the CLI using the SSH private key which is associated with the user called superuser. No other SSH key will allow you to run satask commands:

View original post 180 more words

Error when adding second 2012R2 AD FS server when using gMSA

Source: Error when adding second 2012R2 AD FS server when using gMSA

WSUS on Windows Server 2012 Core from scratch

Core is always the way to do it.


I don’t know anything about WSUS as I’m more of a ConfigMgr guy, but I wanted to evaluate a few things about WSUS, a.k.a. Update Services, on Windows Server 2012:

  • Can it run on a Core version?
  • Can it be managed on Core version?

The short answer is YES, it can run on a Core version as it’s a built-in role. YES, it can be managed on a Core version, but you should rather stick to Microsoft’s piece of advice: “install it on Core, manage it from a Windows 8 box with RSAT” (Remote Server Administration Tools). If you don’t have a Windows 8 box, you can also switch the server to the Minimal Server Interface configuration, which will allow you to launch MMC-based snap-ins.

So here’s my scenario. I want to build a VM running a Core version of Windows Server 2012, install Update Services, configure it and push updates…

View original post 2,794 more words
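The excerpt above says the role is built in and can be installed on Core, but the install is not the whole story: WSUS is unusable until its post-install step binds it to a content directory. The following is an added example written for this page, not code from the original post, showing the Core-side steps as one script: install the role with the Windows Internal Database, run the post-install, confirm from PowerShell that the server answers, and (optionally) enable the Minimal Server Interface so MMC snap-ins run locally. It assumes an elevated PowerShell session on Server 2012 or 2012 R2 Core, and `D:\WSUS` is a placeholder content path.

```powershell
# Added example (not from the original post): WSUS role on Server 2012 Core.
# Assumptions: elevated session on Server 2012/2012 R2 Core; D:\WSUS is a
# placeholder content directory on a volume with enough free space.

$ContentDir = 'D:\WSUS'   # placeholder: use a data volume, not the system drive

# 1. The role is built in, so it installs on Core like any other feature.
#    -IncludeManagementTools adds the UpdateServices PowerShell module; the MMC
#    console still needs RSAT on a workstation or the Minimal Server Interface.
Install-WindowsFeature -Name UpdateServices -IncludeManagementTools

# 2. The role does nothing until postinstall binds it to a content directory
#    (and, with no SQL options given, to the Windows Internal Database).
New-Item -ItemType Directory -Path $ContentDir -Force | Out-Null
& "$env:ProgramFiles\Update Services\Tools\wsusutil.exe" postinstall CONTENT_DIR=$ContentDir
if ($LASTEXITCODE -ne 0) { throw "wsusutil postinstall failed with exit code $LASTEXITCODE" }

# 3. Sanity check from the Core box itself: the module loads and the server
#    reports where it will synchronise from (Microsoft Update by default).
Import-Module UpdateServices
$wsus = Get-WsusServer
$wsus.GetConfiguration() | Select-Object SyncFromMicrosoftUpdate, UpstreamWsusServerName

# 4. Optional: with no Windows 8 / RSAT workstation at hand, switch to the
#    Minimal Server Interface (MMC works, the Explorer shell does not).
#    This needs a reboot and widens the local attack surface slightly, so
#    prefer remote management with RSAT when you can.
# Install-WindowsFeature -Name Server-Gui-Mgmt-Infra -Restart
```

Synchronisation, product and classification selection, and approvals are not covered here; they are the same whether the console runs on the Core box or on a remote RSAT workstation.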

Formation PowerShell (TP)


While looking for a concrete case to use as a hands-on exercise during a PowerShell training I gave to a few colleagues, I came across a gem.

The idea was so nice and stimulating that it seemed impossible not to share it with the French-speaking community.

I turned this exercise on managing power plans into a small illustrated cookbook of about thirty pages, available here .

Here is the code that accompanies this little cookbook. It is available at this link

That’s not all! A unique opportunity is open to you 😀
You can learn PowerShell DSC (Desired State Configuration) on 25 and 26 February, live on the Microsoft Virtual Academy.
Jeffrey Snover and Jason Helmick are teaching these 2 courses.

To do so, you need:

  • a Microsoft account, which you can create at (at the bottom, ‘create an account now’) if you don’t have one
  • to register for the 2 courses…

View original post 42 more words