Sometimes the issue is the dumbest thing

Rich
6 min readNov 26, 2022

TL;DR I recently ran into an issue in the hybrid AD lab that was difficult to diagnose but easy to fix. It is RE logging into AAD as the Global Admin from ‘on prem’, TLS 1.2 & error code AADSTS1002016. Posting it here in case it helps anyone else.

Welcome to Part VI of our Back to the Basics Series!

Part I: NTDS.dit vs SAM

Part II: Ownership Matters

Part III: Recovering from a Crash

Part IV: Setting up a Simple Honeypot Account

Part V: Automating DC Deployment

Part VI: Sometimes it’s the dumbest thing

Part VII: Merry Christmas, macros, & Base64

Part VIII: Why old 0 Days make great teaching tools

Part IX: PowerShell & PS1s without PowerShell.exe

Part X: Ownership & so called “effective permissions”

Part XI: Windows Event Forwarding & SACLs

Part XII: Poorly planned honeypots & other Bad Ideas

Part XIII: Setting up a simple honey token

Part XIV: Smartcards and Pass-the-Hash

Part XV: Forwarding logs to Sentinel & basic alerts

Background

I have run into a couple gremlins in the homelab since moving it from just AD to Hybrid AD. To Microsoft’s and AAD’s credit, all these issues so far have been caused by misconfigurations in my ‘on prem’ environment specific to AD.

This howto is about diagnosing and solving one of those, namely error code AADSTS1002016. It turned out to be a simple fix, but I did not see if all over Google so I figured I’d post my notes in case it helps anyone else.

The issue

Microsoft AAD recently began mandating TLS 1.2 or 1.3 in order to login to AAD as a Global Admin. I had been using my laptop to access AAD via PowerShell and screw around, so I did not initially notice anything amiss. My laptop is not on test.local.

However I eventually went to tweak a configuration in Azure AD Connect and saw the below:

I attempted to access AAD via PowerShell from a VM in test.local and got the same error.

My standalone laptop is still accessing AAD just fine though. What gives?

Barking up the wrong tree

I initially assumed the issue was the version of TLS that .NET was using. Googling the error code “AADSTS1002016” did not disabuse me of this notion. You can see what TLS version PowerShell is using via

[Net.ServicePointManager]::SecurityProtocol

The odd thing is that PowerShell on my desktop and laptop are showing the same TLS versions as the VMs in the lab domain. The desktop and laptop could login fine.

Regardless, just to make sure I pushed registry keys to the lab VMs. If at nothing else it was good training. I Googled up the relevant keys and pushed the below via a startup *.ps1 in Group Policy:

Set-GPPrefRegistryValue -Name "Mishky's TLS 1.2" -Context Computer -Key "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" -ValueName "Enabled" -Value "1" -Type REG_DWORD -Action Update

#Create these
Set-GPPrefRegistryValue -Name "Mishky's TLS 1.2" -Context Computer -Key "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client" -ValueName "DisableByDefault" -Value "0" -Type REG_DWORD -Action Create

Set-GPPrefRegistryValue -Name "Mishky's TLS 1.2" -Context Computer -Key "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" -ValueName "Enabled" -Value "1" -Type REG_DWORD -Action Create

Set-GPPrefRegistryValue -Name "Mishky's TLS 1.2" -Context Computer -Key "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server" -ValueName "DisableByDefault" -Value "0" -Type REG_DWORD -Action Create

Set-GPPrefRegistryValue -Name "Mishky's TLS 1.2" -Context Computer -Key "HKLM\SYSTEM\CurrentControlSet\services\HTTP\Parameters" -ValueName "EnableHttp3" -Value "1" -Type REG_DWORD -Action Create

If you are only setting a registry key on one system you can also simply copy/paste and save to a *.reg file. To set the last key listed above for example use:

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\HTTP\Parameters]"EnableHttp3"=dword:00000001

However none of this helped.

The root cause

After awhile it dawned on me that the issue was actually an old suspect.

That’s right; Internet Exploder. For reasons unknown it had taken it upon itself to default to SSL 3.0 only. The login box that pops up when you execute ‘Connect-AzureAD’ is from IE, causing the issue. Ironic that a trainwreck of a browser from the days when Microsoft had a well deserved reputation [and not a good one] was the root cause of an issue regarding AAD.

Nonetheless once I realized what the root cause was it was easy to fix. I felt pretty dumb for not grasping it sooner, but it was easy to fix. I swear sometimes it’s the dumbest thing.

The fix

Simply push a GPO under

Computer Configuration\Administrative Templates\Windows Components\Internet Explorer\Internet Explorer Control Panel\Advanced Page\

Enable ‘Turn Off Encryption Support’, as counterintuitive as that sounds, and set the options accordingly in the drop down box. I hit the easy button and just picked ‘Only use TLS 1.2’.

Once the lab’s VMs updated Group Policy all was well.

Installing Azure AD Cloud Sync

Once that was resolved I finally got around to enabling Azure AD Cloud Sync. AAD supports running it alongside Azure AD Connect, so I figured why not. Simply install the agent on an ‘on prem’ system and then configure the sync options from AAD.

Just like Azure AD Connect, Cloud Sync has an option to only sync selected OUs.

I will have to poke around later and see if an attacker can dump creds from the system running the Cloud Sync agent, and if so what privilege is required. We covered setting up a hybrid AD lab here and dumping creds from the Azure AD Connect server here.

Summary

IMHO stuff like this is the reason to have a home lab in the first place. Make your mistakes, dive headfirst down the wrong rabbit hole, and learn your lessons in an environment without any users impatiently asking when it’ll work again. Obviously it is also great for learning common attacks and mitigations, all while winging it. Change requests, meetings, etc are not required.

The eventual goal is to move away from needing ‘on prem’ in the lab at all. Eventually we will spring for a license or two for M365 and Intune so we can screw around with syncing Exchange, SSO to everything, managing client workstation VMs without Group Policy, etc.

Ironically the issues we have encountered so far, like this one, have been caused by the ‘on prem’ side of the house, not by AAD.

References

Set TLS manually in PowerShell: https://stackoverflow.com/questions/73132536/tls-version-issue-is-being-raised-while-connecting-to-azuread-using-the-azure-fu

Force IE to use TLS 1.2 via GPO: https://www.bauer-power.net/2014/06/how-to-enabled-tls-11-and-tls-12-in.html

Check/set TLS version in use: https://stackoverflow.com/questions/73132536/tls-version-issue-is-being-raised-while-connecting-to-azuread-using-the-azure-fu

Add DNS forwarder: https://www.server-world.info/en/note?os=Windows_Server_2019&p=dns&f=10

Azure AD Cloud Sync setup: https://learn.microsoft.com/en-us/azure/active-directory/cloud-sync/tutorial-pilot-aadc-aadccp

Set keys using reg files: https://www.lifewire.com/how-to-create-edit-and-use-reg-files-2622817

--

--

Rich

I work various IT jobs & like Windows domain security as a hobby. Most of what’s here is my notes from auditing or the lab.