All posts by Don Matteo

Lives in Switzerland, is a System Engineer MCP at A-Enterprise GmbH. Member of the UNBLOG Knowledge Network. Author and blogger on Linux and open source topics and tutorials.

Name Resolution via VPN with Split Horizon DNS

When clients connect over a VPN, name resolution often fails: the clients cannot resolve the resources of the network they are connected to through the VPN.

This is especially problematic with Active Directory, because the clients cannot reach a domain controller to log on. The logon then succeeds only with the locally cached credentials, so group policies and login scripts do not run.

Customize Interface Metric

To favor the DNS server reached through the VPN once the connection is established, the Windows interface metric is adjusted: a lower metric means a higher priority. The VPN interface is given a lower metric in the TCP/IP settings of its network adapter, opened with the Windows+R keys and ncpa.cpl.

Open the properties of the corresponding network adapter, double-click Internet Protocol Version 4 (TCP/IPv4), then click the Advanced button; the field for the interface metric value is found there.

Split Horizon DNS Interface metric

Here “Automatic metric” must be unchecked for the VPN interface and a low value entered. From the next connection onward, name resolution should take place over the VPN.

Disable multicast name resolution

Since Windows 8, and still in Windows 10 and 11, Windows uses Smart Multi-Homed Name Resolution (SMHNR), which sends DNS queries to the DNS servers of all network interfaces in parallel and takes the first response in order to speed up name resolution.

The undesirable side effect is that queries for internal names are also sent to external DNS servers (“DNS leakage”). Their operators thus obtain a detailed overview of the organization's internal hostnames, and a faster NXDOMAIN from a public resolver can win over the answer from the VPN DNS server.

Name resolution via VPN

The setting is Turn off smart multi-homed name resolution under Computer Configuration > Administrative Templates > Network > DNS Client; set it to Enabled. Without Group Policy, the same policy is the registry value DisableSmartNameResolution (DWORD, 1) under HKLM\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient.

Customize interface metrics in PowerShell

The interface metrics of the different network connections can be listed, sorted by metric, in PowerShell with the following command.

PS C:\> Get-NetIPInterface | Sort-Object Interfacemetric

PowerShell now shows all interfaces with their metrics.

Alternatively, the metrics can be output with the netsh.exe utility, though not in as much detail as in PowerShell.

C:\> netsh int ip show interfaces

Idx     Met         MTU          State                Name
---  ----------  ----------  ------------  ---------------------------
  1          75  4294967295  connected     Loopback Pseudo-Interface 1
 10           5       65535  disconnected  OpenVPN Wintun
 12          40        1500  connected     WLAN
 15           5        1500  disconnected  Ethernet
  8          25        1500  disconnected  OpenVPN TAP-Windows6
 11          65        1500  disconnected  Bluetooth-Netzwerkverbindung
 17          25        1500  disconnected  OpenVPN Data Channel Offload
 16          25        1500  disconnected  LAN-Verbindung* 3
 22          25        1500  disconnected  LAN-Verbindung* 12
  4          35        1500  connected     VMware Network Adapter VMnet1
  6          35        1500  connected     VMware Network Adapter VMnet8

The interface metric is changed in PowerShell as follows.

PS C:\> Set-NetIPInterface -InterfaceIndex <ifIndex value> -InterfaceMetric <metric>

The network adapter is identified by the -InterfaceIndex parameter, whose value is the ifIndex column of the Get-NetIPInterface output. The cmdlet must be run in an elevated PowerShell. Since Get-NetIPInterface lists an IPv4 and an IPv6 entry per adapter, add -AddressFamily IPv4 to change only the IPv4 metric.
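The steps above (set the VPN interface metric, disable SMHNR, verify that the internal name now resolves through the VPN DNS server) as one script. This is an added example, not code from the original post; the adapter name "OpenVPN Wintun", the test name dc01.corp.example and the metric value 5 are assumptions to replace with your own. Run it in an elevated PowerShell.

```powershell
# Added example (not from the original post): run in an elevated PowerShell.
# Assumptions: the VPN adapter is called "OpenVPN Wintun" and the internal
# test name is dc01.corp.example; adjust both for your environment.
$VpnAlias = 'OpenVPN Wintun'
$TestName = 'dc01.corp.example'

# 1. Show the IPv4 interfaces sorted by metric (lower = preferred).
Get-NetIPInterface -AddressFamily IPv4 |
    Sort-Object InterfaceMetric |
    Format-Table ifIndex, InterfaceAlias, InterfaceMetric, ConnectionState -AutoSize

# 2. Give the VPN interface a fixed low metric. Setting an explicit value
#    also turns off "Automatic metric" for that interface.
Set-NetIPInterface -InterfaceAlias $VpnAlias -AddressFamily IPv4 -InterfaceMetric 5

# 3. Disable Smart Multi-Homed Name Resolution through the policy registry
#    value, the equivalent of the "Turn off smart multi-homed name resolution"
#    GPO. The DNS client picks it up after gpupdate /force or a reboot.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
New-Item -Path $PolicyKey -Force | Out-Null
Set-ItemProperty -Path $PolicyKey -Name DisableSmartNameResolution -Value 1 -Type DWord

# 4. Verify: which DNS servers does the VPN interface use, and does the
#    internal name resolve when asked through exactly that server?
$VpnDns = (Get-DnsClientServerAddress -InterfaceAlias $VpnAlias -AddressFamily IPv4).ServerAddresses
if (-not $VpnDns) { throw "No IPv4 DNS server configured on interface '$VpnAlias'" }
Write-Host "VPN DNS server(s): $($VpnDns -join ', ')"

Clear-DnsClientCache
Resolve-DnsName -Name $TestName -Type A -Server $VpnDns[0] -DnsOnly |
    Select-Object Name, IPAddress

# 5. Default path: after the metric change the same name should resolve
#    without naming a server, i.e. via the preferred (VPN) interface's DNS.
Resolve-DnsName -Name $TestName -Type A -DnsOnly | Select-Object Name, IPAddress
```

If step 4 succeeds but step 5 still fails, the metric is not the problem; check whether SMHNR is still active (the policy value is only read when the DNS client restarts) or whether a DNS server on another interface answers faster with NXDOMAIN.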

Conclusion

In this tutorial we showed how name resolution for VPN clients is enabled over the tunneled VPN connection.

Network resources are resolved and the domain controllers can be reached for authentication. The logon is then processed by the Local Security Authority Subsystem Service (LSASS) against the domain controller, and Group Policy and login scripts run.

What is Split-Horizon DNS

When a network deploys split-horizon DNS, certain domains are only resolvable by querying the network-designated DNS server rather than a public DNS server.

DNS clients that use DNS servers not provided by the network need to route queries for those DNS domains to the network-designated DNS server.

The aim is to inform DNS clients of the split-horizon DNS and the DNS domains it covers, in a way that is compatible with encrypted DNS.
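On Windows, routing the queries for such a domain to the network-designated DNS server is done with a Name Resolution Policy Table (NRPT) rule, which applies regardless of which interface's DNS server would otherwise be used. The following is an added example, not part of the original post; the zone corp.example, the server address 10.10.0.53 and the host dc01 are placeholders. Run it in an elevated PowerShell.

```powershell
# Added example (not from the original post): run in an elevated PowerShell.
# Assumptions: the internal zone is corp.example and the VPN-side DNS server
# is 10.10.0.53; both are placeholders.
$Namespace   = '.corp.example'
$InternalDns = '10.10.0.53'

# Direct every query below corp.example to the internal server. The leading
# dot matches all names in the zone; -Comment documents the rule.
Add-DnsClientNrptRule -Namespace $Namespace -NameServers $InternalDns `
    -Comment 'Split-horizon: internal zone via VPN DNS server'

# Show the configured rules and the policy the DNS client actually applies.
Get-DnsClientNrptRule | Select-Object Namespace, NameServers, Comment
Get-DnsClientNrptPolicy -Effective | Select-Object Namespace, NameServers

# A name in the zone is now answered by the internal server only; a name
# outside the zone still follows the normal interface DNS settings.
Clear-DnsClientCache
Resolve-DnsName -Name 'dc01.corp.example' -Type A -DnsOnly | Select-Object Name, IPAddress

# Remove the rule again when the split-horizon setup is no longer needed:
# Get-DnsClientNrptRule | Where-Object Namespace -eq $Namespace | Remove-DnsClientNrptRule -Force
```

The NRPT rule complements the interface metric: the metric decides which DNS server is preferred for everything, the NRPT rule pins one namespace to the internal server so that names in it never reach a public resolver.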

Office Something went wrong, error code 80090016

Microsoft 365 users may see the error message “Something went wrong” with error code 80090016 when signing in to the Microsoft 365 account from Word or Excel:

Office something went wrong, error code 80090016

Cause

It is no longer possible to sign in to the Microsoft 365 account from an Office or Microsoft 365 application (“Office something went wrong”). The password prompt no longer appears, or nothing happens after the entry. The credentials protected by the Trusted Platform Module (TPM) are no longer valid; 0x80090016 is the Windows error NTE_BAD_KEYSET (“Keyset does not exist”).

Solution

The Office error code 80090016 results from a failed operation on the TPM-protected key material. The Trusted Platform credentials must be reset. They are stored under the user profile path %localappdata%\Packages in the folder Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy.

Close all Office applications first. Then type %localappdata%\Packages into the Explorer address bar and rename the folder Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy to Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy_old.

C:\Users\<username>\appdata\local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy_old

At the next sign-in to the Microsoft 365 account, the folder Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy is recreated. The newly generated credentials can be processed correctly by the TPM, and the message no longer appears.
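The same reset as a script, with the two checks that usually make the manual rename fail (an Office application still running, the broker process holding the folder) and a timestamped backup instead of a fixed "_old" name. This is an added example, not code from the original post; the process name Microsoft.AAD.BrokerPlugin for the account broker is an assumption. Run it as the affected user, not elevated.

```powershell
# Added example (not from the original post). Run as the affected user.
# Assumption: the account broker process is named Microsoft.AAD.BrokerPlugin.
$Broker = Join-Path $env:LOCALAPPDATA 'Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy'
if (-not (Test-Path $Broker)) { throw "Broker folder not found: $Broker" }

# Office must be closed, otherwise the rename fails because the folder is in use.
$Running = Get-Process -Name WINWORD, EXCEL, OUTLOOK, POWERPNT, ONENOTE -ErrorAction SilentlyContinue
if ($Running) { throw "Close these applications first: $(($Running.Name | Sort-Object -Unique) -join ', ')" }

# The broker itself may still hold handles on the folder; stop it (it restarts on demand).
Get-Process -Name 'Microsoft.AAD.BrokerPlugin' -ErrorAction SilentlyContinue | Stop-Process -Force

# Keep the old state with a timestamp rather than deleting it, so it can be restored.
$NewName = "Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy_old_$(Get-Date -Format yyyyMMdd_HHmmss)"
Rename-Item -Path $Broker -NewName $NewName
Write-Host "Renamed to $NewName. Start Word or Excel and sign in again; the folder is recreated."
```

If the rename still reports the folder as in use, sign out and back in to Windows before running the script; the broker is loaded per user session.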

What is the Trusted Platform Module (TPM)

The Trusted Platform Module (TPM) technology is designed to provide hardware-based, security-related functions. A TPM chip is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper-resistant, and malicious software is unable to tamper with the security functions of the TPM.

The most common TPM functions are used for system integrity measurements and for key creation and use. During the boot process of a system, the boot code that is loaded (including firmware and the operating system components) can be measured and recorded in the TPM. The integrity measurements can be used as evidence for how a system started and to make sure that a TPM-based key was used only when the correct software was used to boot the system.

TPM-based keys can be configured in a variety of ways. One option is to make a TPM-based key unavailable outside the TPM. This is good to mitigate phishing attacks because it prevents the key from being copied and used without the TPM. TPM-based keys can also be configured to require an authorization value to use them. If too many incorrect authorization guesses occur, the TPM will activate its dictionary attack logic and prevent further authorization value guesses.
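The two properties described above, a key that cannot leave the TPM and the dictionary-attack lockout, can be observed on a Windows machine with its built-in tools. The following is an added example, not code from the original post: it generates a throw-away certificate whose private key is created in the TPM through the Microsoft Platform Crypto Provider, shows that an export of the key is refused, and reads the lockout counters. Get-Tpm requires an elevated PowerShell; the subject name and file path are arbitrary.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell.
# The subject CN=tpm-bound-demo, the PFX path and the password are demo values.

# 1. Is a ready TPM present at all?
$tpm = Get-Tpm
if (-not $tpm.TpmPresent -or -not $tpm.TpmReady) { throw 'No ready TPM on this machine' }

# 2. Generate the key inside the TPM (Platform Crypto Provider), non-exportable.
$cert = New-SelfSignedCertificate -Subject 'CN=tpm-bound-demo' `
    -Provider 'Microsoft Platform Crypto Provider' `
    -KeyExportPolicy NonExportable -KeyAlgorithm RSA -KeyLength 2048 `
    -CertStoreLocation 'Cert:\CurrentUser\My' -NotAfter (Get-Date).AddDays(1)
Write-Host "Key usable by Windows: HasPrivateKey = $($cert.HasPrivateKey)"

# 3. The key is usable for signing but cannot be copied out: the PFX export fails.
$pfx = Join-Path $env:TEMP 'tpm-demo.pfx'
$pw  = ConvertTo-SecureString -String 'demo-only' -AsPlainText -Force
try {
    Export-PfxCertificate -Cert $cert -FilePath $pfx -Password $pw -ErrorAction Stop | Out-Null
    Write-Host 'Unexpected: private key was exported'
} catch {
    Write-Host "Export refused, as intended: $($_.Exception.Message)"
}

# 4. Dictionary-attack protection: lockout state and counters reported by the TPM.
$tpm | Select-Object LockedOut, LockoutCount, LockoutMax, LockoutHealTime

# 5. Remove the demo certificate together with its TPM-resident key.
Remove-Item -Path "Cert:\CurrentUser\My\$($cert.Thumbprint)" -DeleteKey
```

The same provider is what Windows uses for the device keys behind the Microsoft 365 sign-in described in the post above: the key material stays in the TPM, which is why a corrupted key reference produces a "keyset does not exist" error rather than a silently copied credential.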