Here's random stuff related to what I am working on or interested in during my work day or in my personal life. I'm a nerd. The content will be nerdy.
Friday, March 24, 2017
I Just Saved $121!!
I have NO IDEA how GoodRX works, but I do know it saved me $121.11 on a single prescription. Usually, when you install an app that gets you something for free, you are the commodity. Most apps want all sorts of crazy access to your phone. GoodRX wanted pretty basic access and gave me a super coupon.
Drug cost was $221. My insurance only covered $48. I was going to pay $173. Enter the GoodRX coupon and I saved $121. I only paid $52!!!!
Thursday, March 16, 2017
The Tyranny of Network Level Authentication and CredSSP
“My password is expired so I can’t login, but I need to RDP in to change my password!”, is the cry we constantly hear.
This happens when your users log in to their local machine using one account, but need to RDP into a machine using another account in a different domain. This is often because the systems they need to work on are in a different domain in order to segment access. Think Corp creds for email and HR vs prod creds for the company’s web sites.
NLA is not really a security control, it simply changes when you authenticate. With NLA on, you authenticate (using CredSSP) before getting the remote session and GUI. This is designed to reduce the load on the server. It does, however, remove a user’s access to the login GUI, where they could change their password at login.
Everything you are likely to find on this issue will tell you that the problem is Network Level Authentication (NLA) being required for RDP. NLA is not supposed to be required by default, but I have seen and heard that it often gets turned on at domain join. I have seen this even though there was no GPO setting it. (We are both wrong, but I’ll get back to that later.) This could be related to all sorts of build and domain-join automation. If you have the issue, the why is not particularly important. You will just need to go and set the GPO, or change the setting on the machine directly, via the registry or the GUI.
“Mark, I made the change, but I still can’t get in!!” That’s right, you can’t. NLA probably wasn’t even turned on. As I mentioned above, we were wrong. So why can’t we log in and change our passwords‽ We can’t change our passwords because most RDP clients, such as mstsc.exe or rdcman.exe, just assume NLA is on and try to authenticate you first anyway. That fails and you are kept out.
You need to tell your client not to use CredSSP for the connection. If you are implementing your own RDP client via the ActiveX library MsTscAx.dll, set EnableCredSspSupport to false.
One caveat is that there is no longer any way to send the password automatically, say from your local credential manager or a password management tool. You will have to type the old password once and the new password twice, so it’s a bit of a pain.
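As an added example (not code from the original post), here is a PowerShell snippet that writes an .rdp connection file carrying the file-based equivalent of EnableCredSspSupport = false, so mstsc.exe shows the remote login screen instead of authenticating first, plus a check for whether an existing .rdp file would still try CredSSP. The host name, account name and output path are placeholders.

```powershell
# Added example, not from the original post. Host, user and path are placeholders.
function New-NoCredSspRdpFile {
    param(
        [Parameter(Mandatory)] [string]$ComputerName,   # placeholder, e.g. 'prodweb01.prod.example'
        [Parameter(Mandatory)] [string]$UserName,       # the account whose password has expired
        [string]$Path = (Join-Path $env:TEMP "$ComputerName-nocredssp.rdp")
    )
    # Only the settings that matter here; mstsc supplies defaults for everything else.
    $lines = @(
        "full address:s:$ComputerName"
        "username:s:$UserName"
        # 0 = do not authenticate with CredSSP before the session is set up. The server's
        # Winlogon GUI is shown instead, and that GUI is where "change password" lives.
        "enablecredsspsupport:i:0"
        # Stored passwords cannot be sent without CredSSP, so always prompt (you will type
        # the old password once and the new one twice, as described above).
        "prompt for credentials:i:1"
    )
    Set-Content -Path $Path -Value $lines -Encoding Unicode   # mstsc reads UTF-16 .rdp files
    return $Path
}

# Check an existing .rdp file: will mstsc try CredSSP first? A missing setting means
# mstsc's default, which is CredSSP enabled.
function Test-RdpFileUsesCredSsp {
    param([Parameter(Mandatory)] [string]$Path)
    $line = Get-Content -Path $Path |
            Where-Object { $_ -like 'enablecredsspsupport:i:*' } |
            Select-Object -First 1
    if (-not $line) { return $true }
    return ([int](($line -split ':')[-1])) -eq 1
}

# Usage with placeholder names:
$rdp = New-NoCredSspRdpFile -ComputerName 'prodweb01.prod.example' -UserName 'PROD\jdoe'
Test-RdpFileUsesCredSsp -Path $rdp
Start-Process -FilePath mstsc.exe -ArgumentList "`"$rdp`""
```

If the target really does require NLA, this connection is refused by the server with an NLA error rather than reaching the login screen, which is a quick way to tell the two situations apart.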
Don’t let your password expire…