Blog Feed

Fixing Kerberos SSO Failures After Recent Windows Updates

We have observed that Single Sign-On (SSO) may fail for some applications after installing recent Windows Server updates on domain controllers (KB5082123 and KB5087538).

This is a side effect of Microsoft’s continued hardening of Kerberos. The updates tighten the encryption types a domain controller will issue tickets with and reduce support for older, weaker types (in practice RC4-HMAC) in favour of AES.

If your application decrypts Kerberos service tickets with a keytab file, and that keytab was generated some time ago without an explicit encryption type, it may hold a key only for an encryption type the domain controllers no longer use for that account. The service then cannot decrypt the tickets it receives, and SSO starts failing once the updates are applied.

Resolution

1. Enable Stronger Encryption on the Service Account

Update the service account used by the application so that it supports modern Kerberos encryption types (AES256, and usually AES128 as well). In Active Directory this is the msDS-SupportedEncryptionTypes attribute: tick “This account supports Kerberos AES 256 bit encryption” on the Account tab in Active Directory Users and Computers, or set it with Set-ADUser -KerberosEncryptionType.

2. Reset the Service Account Password

After enabling stronger encryption, the service account password must be reset for the change to take effect: the AES keys are derived from the password at the moment it is set, so an account whose password predates the change has no AES keys.

To avoid application disruption, reset the password to the same value currently in use. This still counts as a password change on the KDC side, so the key version number (kvno) increments; the new keytab generated in step 3 carries the new kvno.

3. Generate a New Keytab File

Generate a new keytab file using the updated encryption settings. Run the following command on a domain controller from a Command Prompt opened with Administrator privileges. Two things to know about ktpass: with -pass * it prompts for the password and sets that value on the account (enter the same password as in step 2, or the application’s current credentials break), and the output file contains the service’s long-term key, so write it to a path only administrators can read, copy it to the application over an encrypted channel, and delete the copy on the domain controller afterwards.

ktpass -out c:\temp\gateway.keytab ^
-princ HTTP/gateway.example.com@EXAMPLE.COM ^
-mapuser gateway-service-account ^
-crypto AES256-SHA1 ^
-ptype KRB5_NT_PRINCIPAL ^
-pass *

4. Update the Application

Upload the newly generated keytab file to the affected application and follow the vendor’s documentation for updating Kerberos credentials.
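The four steps above as one PowerShell session on a domain controller, added here as an example and not part of the original post. The account name, SPN, realm and keytab path are the placeholders from the post’s ktpass command; enabling AES128 alongside AES256 is an assumption (RC4 is deliberately not set), and the script needs the ActiveDirectory module and the AD DS tools that ship ktpass.

```powershell
# Added example: Kerberos keytab refresh after enabling AES on a service account.
# Placeholders follow the post's ktpass command; adjust for your environment.
param(
    [string]$Account = 'gateway-service-account',
    [string]$Spn     = 'HTTP/gateway.example.com',
    [string]$Realm   = 'EXAMPLE.COM',
    [string]$Keytab  = 'C:\temp\gateway.keytab'
)
Import-Module ActiveDirectory -ErrorAction Stop

# Bit flags of msDS-SupportedEncryptionTypes, so the attribute can be read back without guessing.
$etypeBits = [ordered]@{ 'DES-CBC-CRC' = 1; 'DES-CBC-MD5' = 2; 'RC4-HMAC' = 4; 'AES128' = 8; 'AES256' = 16 }

function Get-AccountState([string]$Identity) {
    $u = Get-ADUser -Identity $Identity -Properties 'msDS-SupportedEncryptionTypes', 'msDS-KeyVersionNumber', ServicePrincipalNames
    $raw = $u.'msDS-SupportedEncryptionTypes'
    $etypes = if ($null -eq $raw) { '(not set: treated as RC4 unless the DC default was changed)' }
              else { ($etypeBits.GetEnumerator() | Where-Object { $raw -band $_.Value } | ForEach-Object Key) -join ',' }
    [pscustomobject]@{
        Etypes = $etypes
        Kvno   = $u.'msDS-KeyVersionNumber'
        HasSpn = ($u.ServicePrincipalNames -contains $Spn)
    }
}

'Before:'; Get-AccountState $Account | Format-List

# Step 1: allow AES on the account (msDS-SupportedEncryptionTypes becomes 24 = AES128 + AES256).
Set-ADUser -Identity $Account -KerberosEncryptionType AES128, AES256

# Step 2: reset the password so AES keys are derived from it. Entering the current password keeps
# the application's credentials valid; the key version number still increments.
$password = Read-Host -AsSecureString "Password for $Account (enter the current value to keep it unchanged)"
Set-ADAccountPassword -Identity $Account -Reset -NewPassword $password

# Step 3: write the keytab. ktpass prompts for the password again (-pass *) and sets it on the account,
# so type the same value as above. The file holds the service's long-term key: restrict it immediately.
New-Item -ItemType Directory -Path (Split-Path $Keytab) -Force | Out-Null
ktpass -out $Keytab -princ "$Spn@$Realm" -mapuser "$Account@$Realm" -crypto AES256-SHA1 -ptype KRB5_NT_PRINCIPAL -pass *
if ($LASTEXITCODE -ne 0) { throw "ktpass failed with exit code $LASTEXITCODE" }
icacls $Keytab /inheritance:r /grant:r 'BUILTIN\Administrators:(F)' | Out-Null

'After:'; Get-AccountState $Account | Format-List
Write-Host "Step 4: copy $Keytab to the application host over an encrypted channel, then delete this copy."
```

The After output should show AES128,AES256 in Etypes and a kvno two higher than Before (one password set by the script, one by ktpass). To confirm the domain controllers now issue AES tickets for the service, run klist purge and then klist get HTTP/gateway.example.com on a domain-joined client: the KerbTicket Encryption Type line should read AES-256-CTS-HMAC-SHA1-96.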

Conclusion

After replacing the old keytab file with one generated using AES256 encryption, Kerberos authentication should function normally again. Applications relying on older encryption types may require similar updates as Microsoft continues to strengthen Kerberos security requirements in future releases.

Outlook LTSC cannot connect to office 365

When trying to connect to Office 365 using Outlook LTSC, you get the error “Something went wrong and Outlook couldn’t set up your account.”

This is caused by the Modern Authentication registry values being missing; the fix is to add the registry values below. DisableAADWAM=1 moves Office off the Web Account Manager (WAM) broker and EnableADAL=1 makes it use the older ADAL sign-in path, while AlwaysUseMSOAuthForAutoDiscover makes Autodiscover use OAuth. Treat this as a workaround, and make sure you have done all other troubleshooting before jumping to this 🙂

I have tested this with LTSC 2021 on Server 2019

reg add "HKCU\Software\Microsoft\Office\16.0\Common\Identity" /v DisableAADWAM /t REG_DWORD /d 1 /f
reg add "HKCU\Software\Microsoft\Office\16.0\Common\Identity" /v EnableADAL /t REG_DWORD /d 1 /f
reg add "HKCU\Software\Microsoft\Exchange" /v AlwaysUseMSOAuthForAutoDiscover /t REG_DWORD /d 1 /f

AWS Migrating your virtual machines (AWS MGN Service)

🔧 Additional Clarifications for Step 3 (Based on Real‑World Experience Using Oracle Linux)
While following the migration steps, I found a few practical details that can help ensure a smooth setup—especially when installing and configuring the AWS MGN vCenter Client on an Oracle Linux VM.

Here is the article with the step-by-step guide:

https://sudoconsultants.com/migrate-your-vms-to-aws-a-step-by-step-guide/

✅ Ensure Network Connectivity to vCenter

The VM running the AWS MGN vCenter Client must have uninterrupted network access to the vCenter Server.
If the MGN client cannot reach vCenter (firewall, routing, DNS, or port issues), the installation will fail or the service will not start properly.
Make sure the following are open and reachable:

  • vCenter IP or hostname
  • Port 443 (HTTPS)
  • DNS resolution (if using hostname)
  • No outbound restrictions blocking AWS endpoints

This is a critical requirement that is easy to overlook.
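A pre-flight check for the VM that will run the AWS MGN vCenter Client, added here as an example (not from the original post or from AWS). For each name it resolves DNS, opens TCP 443, completes a TLS handshake and reports whether the certificate chains to a trusted root. The vCenter hostname is a placeholder; the regional endpoint format mgn.<region>.amazonaws.com is an assumption. It runs on PowerShell 7 on Linux (Oracle Linux included) as well as on Windows, because it uses only .NET classes and not the Windows-only Test-NetConnection.

```powershell
# Added example: connectivity check from the MGN vCenter Client VM. Names are placeholders.
param(
    [string]$VCenter = 'vcenter.example.com',
    [string]$Region  = 'us-east-1'
)

function Test-HttpsEndpoint {
    param([string]$HostName, [int]$Port = 443, [int]$TimeoutMs = 5000)
    $r = [ordered]@{ Host = $HostName; Port = $Port; Dns = $null; Tcp = $false; Tls = $null; Trusted = $null; Error = $null }

    # DNS first: a hostname that does not resolve fails long before any firewall rule matters.
    try {
        $r.Dns = ([System.Net.Dns]::GetHostAddresses($HostName) | ForEach-Object { $_.IPAddressToString }) -join ','
    } catch { $r.Error = "DNS: $($_.Exception.Message)"; return [pscustomobject]$r }

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        # TCP connect with a timeout, so a silently dropped packet does not hang the check.
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { throw "connect timed out after $TimeoutMs ms" }
        $client.EndConnect($async)
        $r.Tcp = $true

        # Accept any certificate during the handshake so it completes, then judge the chain separately:
        # a self-signed vCenter (VMCA) certificate shows up as Trusted = False, and a TLS-intercepting
        # proxy shows up as an unexpected certificate subject.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback] { param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $r.Trusted = $chain.Build($cert)
        $r.Tls = "$($ssl.SslProtocol) $($cert.Subject) (expires $($cert.NotAfter.ToString('yyyy-MM-dd')))"
        $ssl.Dispose()
    } catch { $r.Error = $_.Exception.Message }
    finally { $client.Dispose() }
    [pscustomobject]$r
}

$results = @(
    Test-HttpsEndpoint -HostName $VCenter
    Test-HttpsEndpoint -HostName "mgn.$Region.amazonaws.com"
)
$results | Format-Table -AutoSize
if ($results | Where-Object { -not $_.Tcp }) {
    Write-Warning 'Fix connectivity before installing the MGN vCenter Client.'
    exit 1
}
```

Run it as pwsh ./Test-MgnConnectivity.ps1 -VCenter vcenter.example.com -Region eu-west-1 (file name assumed). A row with Tcp = True and Trusted = False for vCenter is normal when vCenter still uses its VMCA-issued certificate; a Tcp = False row for the AWS endpoint is the outbound restriction mentioned in the checklist.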

📝 Useful Input Details During the Installer Prompts

When running the installer script on Oracle Linux, you will be asked for several parameters. Below is a reference for each field.

These details help avoid confusion during installation, especially when using Oracle Linux instead of Ubuntu.

Add a Refresh option to the right‑click context menu in Windows

The script below brings back the classic (Windows 10-style) context menu in Windows 11, where Refresh is a top-level item, by registering an empty InprocServer32 value under the CLSID Windows 11 uses for its new menu; the key lives under HKCU, so it affects only the current user. Open PowerShell as Administrator and run the command below, or copy it into Notepad, save the file as a .ps1, and run it as Administrator.

# Restore classic context menu in Windows 11
# Creates HKCU:\Software\Classes\CLSID\{86ca1aa0-34aa-4e8b-a509-50c905bae2a2}\InprocServer32 with an empty default value

# Stop on the first error instead of continuing with a half-created key
$ErrorActionPreference = 'Stop'

# Registry path and GUID
$basePath = 'HKCU:\Software\Classes\CLSID'
$guid     = '{86ca1aa0-34aa-4e8b-a509-50c905bae2a2}'
$clsid    = Join-Path $basePath $guid
$inproc   = Join-Path -Path $clsid -ChildPath 'InprocServer32'

# Create the keys if they don't exist
if (-not (Test-Path $clsid)) {
    New-Item -Path $basePath -Name $guid | Out-Null
}
if (-not (Test-Path $inproc)) {
    New-Item -Path $clsid -Name 'InprocServer32' | Out-Null
}

# Set the (Default) value to an empty string. The registry provider addresses
# the unnamed default value by the name '(default)'.
Set-ItemProperty -Path $inproc -Name '(default)' -Value ''

# Restart Explorer to apply changes
Write-Host 'Restarting Windows Explorer...'
Get-Process explorer -ErrorAction SilentlyContinue | Stop-Process -Force -ErrorAction SilentlyContinue
Start-Process explorer.exe

Write-Host 'Done. The classic context menu should now appear.'

If you want the PS script:
https://github.com/ayeshsherman/right-click-context-menu-in-Windows.git

To undo the change, delete the {86ca1aa0-34aa-4e8b-a509-50c905bae2a2} key under HKCU:\Software\Classes\CLSID and restart Explorer.

Windows update database error detected

Save this script as a batch file and run it as an administrator. It stops the Windows Update, Cryptographic, BITS and Installer services, renames the SoftwareDistribution and catroot2 folders so Windows rebuilds them, and starts the services again. After that, reboot the system and run Windows Update again.

@echo off
:: Reset Windows Update components. Must run from an elevated Command Prompt.
net session >nul 2>&1 || (echo This script must be run as Administrator. & pause & exit /b 1)

echo ============================================
echo Resetting Windows Update Components...
echo ============================================

:: Stop the services that keep SoftwareDistribution and catroot2 open.
:: catroot2 cannot be renamed while Cryptographic Services (cryptSvc) is running.
net stop wuauserv
net stop cryptSvc
net stop bits
net stop msiserver

:: Remove leftovers from a previous run so the rename below does not fail.
if exist "%SystemRoot%\SoftwareDistribution.old" rd /s /q "%SystemRoot%\SoftwareDistribution.old"
if exist "%SystemRoot%\System32\catroot2.old" rd /s /q "%SystemRoot%\System32\catroot2.old"

:: Rename folders; Windows Update recreates them when the services start.
ren "%SystemRoot%\SoftwareDistribution" SoftwareDistribution.old
if errorlevel 1 echo WARNING: could not rename SoftwareDistribution. Is wuauserv or bits still running?
ren "%SystemRoot%\System32\catroot2" catroot2.old
if errorlevel 1 echo WARNING: could not rename catroot2. Is cryptSvc still running?

:: Restart services
net start wuauserv
net start cryptSvc
net start bits
net start msiserver

echo ============================================
echo Process Completed. Reboot, then run Windows Update.
echo ============================================
pause

Credit: https://www.kapilarya.com/potential-windows-update-database-error-in-windows-10

Decommissioning Exchange Server

I had recently been tasked with removing one exchange server from an on-prem three-node cluster. These are the steps that I had to take to remove the server. As with any decommissioning process, make sure to take a full backup and arrange for downtime 🙂

Before running the commands, load the Exchange snap-in into PowerShell (the Exchange Management Shell does this for you) by running the line for your version:

Exchange 2007:

Add-PSSnapin Microsoft.Exchange.Management.PowerShell.Admin;

Exchange 2010:

Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010;

Exchange 2013:

Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn;

Before the server is decommissioned, every mailbox on it must be moved to a database on another server.

Before you move the mailboxes, run the Set-ADServerSettings cmdlet, including the -ViewEntireForest parameter. This will let you view the objects in the entire forest.

Set-ADServerSettings -ViewEntireForest $true

  • Run the Get-MailboxDatabase cmdlet, including the -Status parameter, to check which mailbox databases are present and whether they are mounted.

Get-MailboxDatabase -Status | Sort Name | Format-Table Name, Server, Mounted

  • Run Get-Mailbox to find all mailboxes in the database that you are going to delete.

Get-Mailbox -Database "DB01" -ResultSize Unlimited

Move all mailboxes from one database to another with the New-MoveRequest cmdlet.

Get-Mailbox -Database "DB01" -ResultSize Unlimited | New-MoveRequest -TargetDatabase "DB02"

Move Archive mailbox

Find archive mailboxes in the database (archives are located by the ArchiveDatabase property, not by -Database).

Get-Mailbox -ResultSize Unlimited | Where {$_.ArchiveDatabase -like "DB01"}

Move archive mailboxes to another database.

Get-Mailbox -ResultSize Unlimited | Where {$_.ArchiveDatabase -like "DB01"} | New-MoveRequest -ArchiveTargetDatabase "DB02"

Move Public folder mailbox

Find public folder mailboxes in the database.

Get-Mailbox -Database "DB01" -PublicFolder

Move public folder mailboxes to another database.

Get-Mailbox -Database "DB01" -PublicFolder | New-MoveRequest -TargetDatabase "DB02"

Move Arbitration mailbox

Find arbitration mailboxes in the database.

Get-Mailbox -Database "DB01" -Arbitration

Move arbitration mailboxes to another database.

Get-Mailbox -Database "DB01" -Arbitration | New-MoveRequest -TargetDatabase "DB02"

Move Audit Log mailbox

Find audit log mailboxes in the database (the -AuditLog switch exists from Exchange 2016 on).

Get-Mailbox -Database "DB01" -AuditLog

Move audit log mailboxes to another database.

Get-Mailbox -Database "DB01" -AuditLog | New-MoveRequest -TargetDatabase "DB02"

Disable Monitoring mailbox

Find monitoring mailboxes associated with the mailbox database. These are not moved; disabling them is enough, as Exchange recreates them where it needs them.

Get-Mailbox -Database "DB01" -Monitoring | Format-Table Name, DisplayName, Database, Servername

Disable monitoring mailboxes.

Get-Mailbox -Database "DB01" -Monitoring | Disable-Mailbox -Confirm:$false

Note that the steps above must be repeated for each database on the server being removed, so that every mailbox database can be removed from the server.

Verify mailboxes move

Verify that all the mailboxes have been moved. After that, remove the completed move requests; if you do not, deleting the database fails with the error “this mailbox database is associated with one or more move requests”. The move requests were created with DB01 as the source database, so that is the database to filter on.

Get-MoveRequestStatistics -MoveRequestQueue "DB02"

To remove only the completed moves out of the database being deleted,

Get-MoveRequest -SourceDatabase "DB01" -MoveStatus Completed -ResultSize Unlimited | Remove-MoveRequest -Confirm:$false

To remove all completed move requests in the organisation,

Get-MoveRequest -MoveStatus Completed -ResultSize Unlimited | Remove-MoveRequest -Confirm:$false

To remove every move request regardless of status (this cancels moves that are still in progress, so check Get-MoveRequest first),

Get-MoveRequest -ResultSize Unlimited | Remove-MoveRequest -Confirm:$false
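A pre-removal check that covers all of the per-database steps above in one pass, added here as an example (not from the original post). For every database on the server being decommissioned it counts the mailbox types the steps move or disable, the archives homed there, and the move requests that still reference the database, then reports which databases are ready to delete. The server name EX03 is a hypothetical placeholder; run it in the Exchange Management Shell (PowerShell 3 or later, so Exchange 2013 and up).

```powershell
# Added example: what is still left on each database of the server being removed.
# 'EX03' is a hypothetical server name.
param([string]$Server = 'EX03')

Set-ADServerSettings -ViewEntireForest $true

# Mailbox kinds and the Get-Mailbox switch that returns each one. -AuditLog only exists on
# Exchange 2016 and later; the try/catch reports 'n/a' where a switch is not available.
$kinds = [ordered]@{ Regular = $null; PublicFolder = 'PublicFolder'; Arbitration = 'Arbitration'
                     AuditLog = 'AuditLog'; Monitoring = 'Monitoring' }

function Get-MailboxCount([string]$Database, [string]$Switch) {
    $splat = @{}
    if ($Switch) { $splat[$Switch] = $true }
    try { @(Get-Mailbox -Database $Database -ResultSize Unlimited @splat -ErrorAction Stop).Count }
    catch { 'n/a' }
}

$report = foreach ($db in Get-MailboxDatabase -Server $Server -Status) {
    $row = [ordered]@{ Database = $db.Name; Mounted = $db.Mounted; Copies = @($db.DatabaseCopies).Count }
    foreach ($kind in $kinds.Keys) { $row[$kind] = Get-MailboxCount $db.Name $kinds[$kind] }
    # Archives are located by the ArchiveDatabase property, not by -Database.
    $row['Archives'] = @(Get-Mailbox -ResultSize Unlimited |
                         Where-Object { "$($_.ArchiveDatabase)" -eq $db.Name }).Count
    # Any move request still referencing the database blocks its removal.
    $row['MoveRequests'] = @(Get-MoveRequest -SourceDatabase $db.Name -ResultSize Unlimited).Count +
                           @(Get-MoveRequest -TargetDatabase $db.Name -ResultSize Unlimited).Count
    [pscustomobject]$row
}

$report | Format-Table -AutoSize

# A database is ready for removal when every count is zero. Copies > 1 means the database
# is replicated in a DAG and the other copies must be removed first.
foreach ($r in $report) {
    $left = $r.PSObject.Properties |
            Where-Object { @('Database', 'Mounted', 'Copies') -notcontains $_.Name -and
                           "$($_.Value)" -ne '0' -and "$($_.Value)" -ne 'n/a' } |
            ForEach-Object { "$($_.Name)=$($_.Value)" }
    if ($left)                { Write-Warning "$($r.Database): still holds $($left -join ', ')" }
    elseif ($r.Copies -gt 1)  { Write-Warning "$($r.Database): remove the other DAG copies before deleting" }
    else                      { Write-Host "$($r.Database): ready to remove" }
}
```

Run it once before starting the moves to see the full picture, and again after the move requests have been cleaned up; a database that still prints a warning will fail to delete in the ECP with one of the errors linked under Some Useful Documents below.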

Reboot the server

Before removing the server completely, check send connectors, receive connectors, DNS records and firewall rules for anything that still points at it; SMTP relay from applications and devices is the usual surprise.

Set the Exchange to maintenance mode

Set-ServerComponentState <ServerName> -Component ServerWideOffline -State Inactive -Requester Maintenance

Validate

Get-ServerComponentState <ServerName> | Format-Table Component,State -Autosize

After that, delete the databases in the ECP (or with Remove-MailboxDatabase). Then, on the Exchange server itself, uninstall Exchange from Programs and Features in Control Panel. If the server is a member of a database availability group, remove its database copies and remove it from the DAG first; setup will not uninstall a server that is still a DAG member.

Some Useful Documents:

https://practical365.com/decommissioning-exchange-on-premises-servers-and-consolidating-email-smtp-relays/
https://www.alitajran.com/list-mailboxes-in-database/
https://www.alitajran.com/get-exchange-mailbox-database-mount-status-with-powershell/
https://www.alitajran.com/cannot-delete-mailbox-database-exchange/

Search and Delete an Email from office365.

Here is the steps to find and delete a specific mail from mailbox(s) from the office365 exchange.

1. Install PowerShell 7 using the following command: winget install --id Microsoft.Powershell --source winget . The compliance cmdlets work best on a current PowerShell.

2. PowerShell 7 will install side-by-side with your current version of PowerShell. You will be able to find it using Search or in Start -> All Programs. Start it.

3. Install the Exchange Online Management module with the command: Install-Module ExchangeOnlineManagement

4. Connect to Exchange Online with the command: Connect-ExchangeOnline. You will be asked to authenticate with your credentials (make sure the account you use holds the Search And Purge role in the compliance portal; eDiscovery Manager alone can search but not purge).

5. Connect to Security and Compliance PowerShell with the command: Connect-IPPSSession. You will be asked to authenticate with your credentials.

6. Create a new compliance search: New-ComplianceSearch -Name "Give it a title" -ExchangeLocation All -ContentMatchQuery '(Received>=10/22/2020 AND Received<=10/25/2020) AND (Subject:"provide words/phrase to look for in the subject") AND (From:sender email address)'

7. Start the search with the command: Start-ComplianceSearch "use the title you gave it above"

8. Check the status of the search with the command: Get-ComplianceSearch "use the title you gave it". You can also use the command Get-ComplianceSearch "use the title you gave it" | fl for more details, including whether any emails were found. You will not see a list of the messages in the results, just a count.

9. If there were emails and you want to delete them, use the command: New-ComplianceSearchAction -SearchName "provide the title from above" -Purge -PurgeType SoftDelete. SoftDelete moves the messages to the mailbox’s Recoverable Items folder, from where the user can still restore them; HardDelete marks them for permanent removal. A purge action removes at most 10 items per mailbox, so run it again if a mailbox holds more hits.

10. Check the status: Get-ComplianceSearchAction "the title from above with _Purge appended"
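Steps 6 to 10 as one script, added here as an example (not from the original post or Microsoft’s documentation), with a preview of the matching messages before anything is purged, which is the check the count from step 8 cannot give you. The search name, sender, subject and dates are constructed placeholders; it needs the ExchangeOnlineManagement module and an account holding the Search And Purge role.

```powershell
# Added example: search, preview, then purge a specific message from Exchange Online mailboxes.
# Search name, sender, subject and dates are placeholders.
param(
    [string]$SearchName = 'Purge-Invoice-Phish-2020-10',
    [string]$Sender     = 'billing@example.net',
    [string]$Subject    = 'Invoice overdue',
    [datetime]$From     = '2020-10-22',
    [datetime]$To       = '2020-10-25',
    [ValidateSet('SoftDelete', 'HardDelete')][string]$PurgeType = 'SoftDelete'
)
# Both sessions are needed: Exchange Online for mailbox cmdlets, Security & Compliance for the search cmdlets.
Connect-ExchangeOnline -ShowBanner:$false
Connect-IPPSSession

# KQL content query in the form the post uses; the subject is quoted so it matches as a phrase.
$query = '(Received>={0:MM/dd/yyyy} AND Received<={1:MM/dd/yyyy}) AND (Subject:"{2}") AND (From:{3})' -f $From, $To, $Subject, $Sender

# The search and action cmdlets return immediately; poll until the object reports Completed.
function Wait-Completed([scriptblock]$Get, [int]$TimeoutSec = 1800) {
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    do {
        Start-Sleep -Seconds 10
        $obj = & $Get
        Write-Host ("  {0} {1}" -f (Get-Date -Format 'HH:mm:ss'), $obj.Status)
    } until ($obj.Status -eq 'Completed' -or (Get-Date) -gt $deadline)
    if ($obj.Status -ne 'Completed') { throw "Timed out; last status $($obj.Status)" }
    $obj
}

New-ComplianceSearch -Name $SearchName -ExchangeLocation All -ContentMatchQuery $query | Out-Null
Start-ComplianceSearch -Identity $SearchName
$search = Wait-Completed { Get-ComplianceSearch -Identity $SearchName }
Write-Host "Items matched: $($search.Items)"
if ($search.Items -eq 0) { Disconnect-ExchangeOnline -Confirm:$false; return }

# Preview lists each hit (mailbox, sender, subject, received time) so the query can be checked
# for false positives before anything is removed.
New-ComplianceSearchAction -SearchName $SearchName -Preview | Out-Null
$preview = Wait-Completed { Get-ComplianceSearchAction -Identity "${SearchName}_Preview" }
$preview.Results

if ((Read-Host "Type PURGE to $PurgeType $($search.Items) item(s)") -ne 'PURGE') {
    Disconnect-ExchangeOnline -Confirm:$false; return
}
New-ComplianceSearchAction -SearchName $SearchName -Purge -PurgeType $PurgeType -Confirm:$false | Out-Null
$purge = Wait-Completed { Get-ComplianceSearchAction -Identity "${SearchName}_Purge" }
$purge | Format-List Name, Status, Results
Disconnect-ExchangeOnline -Confirm:$false
```

The Results of the purge action state how many items were removed per mailbox; because a single purge action removes at most 10 items per mailbox, compare that figure with the preview and re-run the purge part for mailboxes that still hold hits.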

References: 

1. https://learn.microsoft.com/en-us/powershell/exchange/connect-to-scc-powershell?view=exchange-ps 

2. https://learn.microsoft.com/en-us/purview/ediscovery-search-for-and-delete-email-messages

3. https://adamtheautomator.com/office-365-delete-email/

Install Patch on ESXI Server

I’m not going to detail every step of updating an ESXi host here. These are quick steps to get your ESXi host updated with a VMware patch bundle. In this installation, I patched an ESXi 7.0U3 host to the 7.0U3o patch level.

Download the patch bundle VMware-ESXi-7.0U3o-22348816-depot.zip from VMware, check that its SHA-256 matches the checksum published on the download page, and upload it to a datastore on the ESXi host.

Then note down the datastore path, safely shut down or migrate the VMs off the host, and put the host in maintenance mode.

SSH into the host and run the following (edit the path to match your file location):

esxcli software sources profile list -d /vmfs/volumes/Store1/ISO/VMware-ESXi-7.0U3o-22348816-depot.zip

This lists the image profiles contained in the bundle.

Then run the update (in this instance I selected the standard profile; adding --dry-run first reports what would change without installing anything):

esxcli software profile update -d /vmfs/volumes/Store1/ISO/VMware-ESXi-7.0U3o-22348816-depot.zip -p ESXi-7.0U3o-22348816-standard

After a while you will see a message that the update has completed and the host needs a reboot.

Go ahead and reboot, and you are done.

Here are some links with a more detailed version of the above:

https://www.youtube.com/watch?v=UOFf56VuodU

https://www.vinchin.com/en/blog/esxi-update-upgrade.html

https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.esxi.upgrade.doc/GUID-FE668788-1F32-4CB2-845C-5547DD59EB48.html

https://www.experts-exchange.com/articles/34250/HOW-TO-Update-VMware-ESXi-7-0-GA-to-ESXi-7-0b-in-5-easy-steps.html

How to import IP address in bulk to Palo Alto Firewall

***Prepare a text file with all the addresses needed, one set command per line:

set address test ip-netmask 10.0.0.1
set address test2 ip-netmask 10.0.0.2
set address test33 ip-netmask 10.0.0.3

***SSH into the PAN-OS CLI and enter configure. Now paste what you copied from the text file. You can enter “show address” to see the added address objects.

***If you want to add these to an address group, prepare a text file in the same way and enter those lines in the CLI. The address objects must exist before a group references them, so paste them first.

set address-group MyCustomAddressGroup static test
set address-group MyCustomAddressGroup static test2

***Enter “commit” to commit the changes.

***See the address group with “show address-group”
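A generator for the two kinds of set commands above, added here as an example (not from the original post or from Palo Alto Networks). It reads a CSV and validates every row before emitting anything, so a bad line is caught at your desk rather than half way through a paste into configure mode; objects are emitted before groups so that group members always exist. The CSV columns (name, cidr, group) and the file paths are assumptions.

```powershell
# Added example: CSV -> PAN-OS 'set address' / 'set address-group' lines, validated.
# Assumed CSV header: name,cidr,group   (group may be empty)
param(
    [string]$CsvPath = '.\addresses.csv',
    [string]$OutPath = '.\pan-address-commands.txt'
)

# PAN-OS object names: up to 63 characters of letters, digits, space, hyphen, underscore and period.
$namePattern = '^[A-Za-z0-9][A-Za-z0-9 ._-]{0,62}$'

function Test-Cidr([string]$Cidr) {
    $ip, $prefix = $Cidr -split '/', 2
    $addr = $null
    if (-not [System.Net.IPAddress]::TryParse($ip, [ref]$addr)) { return $false }
    if ($null -eq $prefix) { return $true }                      # a bare host address is valid
    $max = if ($addr.AddressFamily -eq 'InterNetworkV6') { 128 } else { 32 }
    return ($prefix -match '^\d{1,3}$') -and ([int]$prefix -le $max)
}

# Quote names containing spaces so the CLI reads them as one token.
function Format-Name([string]$Name) { if ($Name -match ' ') { "`"$Name`"" } else { $Name } }

function ConvertTo-PanCommands([object[]]$Rows) {
    $seen    = @{}
    $objects = New-Object System.Collections.Generic.List[string]
    $groups  = New-Object System.Collections.Generic.List[string]
    foreach ($row in $Rows) {
        $name = "$($row.name)".Trim(); $cidr = "$($row.cidr)".Trim(); $group = "$($row.group)".Trim()
        if ($name -notmatch $namePattern) { throw "Invalid object name '$name'" }
        if (-not (Test-Cidr $cidr))       { throw "Invalid address '$cidr' for '$name'" }
        if ($seen.ContainsKey($name))     { throw "Duplicate object name '$name'" }
        $seen[$name] = $true
        $objects.Add("set address $(Format-Name $name) ip-netmask $cidr")
        if ($group) {
            if ($group -notmatch $namePattern) { throw "Invalid group name '$group'" }
            $groups.Add("set address-group $(Format-Name $group) static $(Format-Name $name)")
        }
    }
    # Objects first: a group member must exist before it is referenced.
    @($objects) + @($groups)
}

$commands = ConvertTo-PanCommands (Import-Csv -Path $CsvPath)
$commands | Set-Content -Path $OutPath -Encoding ASCII
$commands
```

Paste the contents of the output file into configure mode, run commit, and verify with show address and show address-group as above. The script writes ASCII on purpose: a UTF-8 byte-order mark at the start of the first pasted line makes the CLI reject it.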

More info https://live.paloaltonetworks.com/t5/general-topics/how-to-import-address-objects-in-csv-to-pa-firewall/td-p/453559

In Place Upgrade ADFS Server 2012 to 2019

Recently, I had the opportunity to upgrade an ADFS server running on Windows Server 2012. I was able to upgrade the 2012 server to 2019 via a Windows in-place upgrade without reconfiguring or rebuilding the entire server. This is a very brief write-up on how to do this.

**It is best to back up or take a proper snapshot of the server before any changes. In my case a VMware snapshot was the option.

**First, insert the 2019 ISO into the 2012 server, bring up a PowerShell prompt as an administrator and browse to the ISO folder (in my case it was d:\support\adfs). You will see two PowerShell scripts, one for export and one for import. We are going to use the export script. Create the folder to export into first, then run:

export-federationconfiguration.ps1 -path c:\adfs_backup

Once the export is done, make sure to take a screenshot of, or note down, the ADFS service name and the other details shown at the end of the script. This is important, since you will need them to install ADFS again with the same settings after the upgrade.

**Then I copied the contents of the adfs_backup folder to my desktop, just in case things go south 🙂

***Then export the certificates with their private keys to a safe location. The in-place upgrade would not usually purge any certificates, but it is better to be safe.

***Then go ahead and do the upgrade from 2012 to 2019. Once done, re-install the ADFS role on the server using the same name and properties shown at the end of the script run in the first step, and do the basic configuration.

***Once ADFS is installed, browse to the ISO’s d:\support\adfs folder and import the federation data that was exported from the old ADFS, again from a PowerShell prompt:

import-federationconfiguration.ps1 -path c:\adfs_backup

***Make sure all the certificates are properly in place using the Certificates snap-in in MMC.

***Bring PS Shell and run,

$FormatEnumerationLimit=-1
Get-ADFSProperties

Set-ADFSProperties –ExtendedProtectionTokenCheck None

Set-AdfsProperties -WIASupportedUserAgents ((Get-ADFSProperties | Select -ExpandProperty WIASupportedUserAgents) + "Chrome" + "Mozilla/5.0")

Two caveats on those last two settings. ExtendedProtectionTokenCheck None switches off Extended Protection for Authentication (channel binding) for Windows Integrated Authentication; it is what makes WIA work from browsers that do not send channel binding tokens, but it also removes the protection against an attacker relaying the authentication through a man-in-the-middle. Adding "Mozilla/5.0" to WIASupportedUserAgents makes ADFS attempt Windows authentication for practically every browser on the intranet, so non-domain devices inside the network get an NTLM credential prompt instead of the forms sign-in page. Apply both only if that trade-off is intended.

***Then finally test out the ADFS!
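A script that captures what the post says to screenshot or note down before the upgrade, exports the federation configuration and the certificates that can be exported from the machine store, and afterwards compares the reinstalled, re-imported farm against that record. It is added here as an example and is not from the original post or from Microsoft. Paths follow the post (D:\support\adfs, C:\adfs_backup); the PFX password prompt and the state file name are assumptions. Run it with -Mode Backup before step one and with -Mode Verify after the import.

```powershell
# Added example: record the ADFS farm before the in-place upgrade and verify it afterwards.
# Paths follow the post; the state file name and PFX password prompt are assumptions.
param(
    [ValidateSet('Backup', 'Verify')][string]$Mode = 'Backup',
    [string]$BackupRoot  = 'C:\adfs_backup',
    [string]$SupportPath = 'D:\support\adfs'
)
$stateFile = Join-Path $BackupRoot 'adfs-state.xml'

# The details an ADFS reinstall must reproduce, plus the properties the post changes afterwards.
function Get-AdfsSnapshot {
    $p = Get-AdfsProperties
    [pscustomobject]@{
        HostName        = $p.HostName
        Identifier      = "$($p.Identifier)"
        DisplayName     = $p.DisplayName
        ServiceAccount  = (Get-CimInstance Win32_Service -Filter "Name='adfssrv'").StartName
        TokenSigning    = @(Get-AdfsCertificate -CertificateType Token-Signing | ForEach-Object Thumbprint)
        TokenDecrypting = @(Get-AdfsCertificate -CertificateType Token-Decrypting | ForEach-Object Thumbprint)
        ServiceComms    = @(Get-AdfsCertificate -CertificateType Service-Communications | ForEach-Object Thumbprint)
        RelyingParties  = @(Get-AdfsRelyingPartyTrust | ForEach-Object Name | Sort-Object)
        ClaimsProviders = @(Get-AdfsClaimsProviderTrust | ForEach-Object Name | Sort-Object)
        WIAUserAgents   = @($p.WIASupportedUserAgents)
        EPATokenCheck   = "$($p.ExtendedProtectionTokenCheck)"
    }
}

# Order-insensitive comparison of two scalar-or-list values; empty and $null count as equal.
function Test-Same($a, $b) {
    $a = @($a | Where-Object { $null -ne $_ }); $b = @($b | Where-Object { $null -ne $_ })
    if ($a.Count -ne $b.Count) { return $false }
    if ($a.Count -eq 0) { return $true }
    -not (Compare-Object -ReferenceObject $a -DifferenceObject $b)
}

if ($Mode -eq 'Backup') {
    New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null
    $snap = Get-AdfsSnapshot
    $snap | Export-Clixml -Path $stateFile
    $snap | Format-List

    # The export script ships in the support folder of the newer Windows media (the post's first step).
    & (Join-Path $SupportPath 'Export-FederationConfiguration.ps1') -Path $BackupRoot

    # Export certificates whose private key sits in the machine store and is marked exportable.
    # ADFS-generated token certificates live in the service account's store and are skipped with a warning.
    $pfxPassword = Read-Host -AsSecureString 'Password to protect the exported PFX files'
    foreach ($c in Get-AdfsCertificate) {
        $label = "$($c.CertificateType) $($c.Thumbprint)"
        if ("$($c.StoreLocation)" -ne 'LocalMachine') { Write-Warning "${label}: in the $($c.StoreLocation) store, export it from there"; continue }
        try {
            $cert = Get-Item "Cert:\LocalMachine\$($c.StoreName)\$($c.Thumbprint)"
            Export-PfxCertificate -Cert $cert -FilePath (Join-Path $BackupRoot "$($c.CertificateType)-$($c.Thumbprint).pfx") -Password $pfxPassword | Out-Null
        } catch { Write-Warning "${label}: $($_.Exception.Message)" }
    }
}
else {
    $before = Import-Clixml -Path $stateFile
    $after  = Get-AdfsSnapshot
    foreach ($name in $before.PSObject.Properties.Name) {
        if (Test-Same $before.$name $after.$name) { Write-Host "$name OK" }
        else { Write-Warning ("{0} differs`n  before: {1}`n  after:  {2}" -f $name, ($before.$name -join ', '), ($after.$name -join ', ')) }
    }
}
```

In Verify mode, a warning on WIAUserAgents or EPATokenCheck is expected only if the Set-AdfsProperties commands above have already been run; a warning on TokenSigning or TokenDecrypting means relying parties will reject tokens until the old certificates are restored or the new thumbprints are published to them.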

Please find great write-ups here:

https://ezcloudinfo.com/2017/02/20/easy-migration-steps-from-adfs-2-0-to-4-0/

https://www.ibm.com/docs/en/security-verify?topic=directory-configuring-adfs-windows-integrated-authentication

https://help.hcltechsw.com/domino/10.0.1/admin/secu_enabling_iwa_adfs30.html