Jorge's Quest For Knowledge!

About Windows Server, ADDS, ADFS, Azure AD, FIM/MIM & AADSync (Just Like An Addiction, The More You Have, The More You Want To Have!)

(2014-12-19) Finding Attributes Marked As Confidential

Posted by Jorge on 2014-12-19


ADFIND

ADFIND -h RFSRWDC1.ADCORP.LAB -schema -f "(&(objectClass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=128))" -dn

OR

ADFIND -h RFSRWDC1.ADCORP.LAB -bit -schema -f "(&(objectClass=attributeSchema)(searchFlags:AND:=128))" -dn

-

Figure 1: Example Output

-

AD PoSH Module

Get-ADObject -Server RFSRWDC1.ADCORP.LAB -SearchBase $((Get-ADRootDSE).schemaNamingContext) -LDAPFilter "(&(objectClass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=128))" | %{$_.DistinguishedName}

-

ADSI Through PoSH

# DC to query; RootDSE exposes the schema naming context
$targetDC = "RFSRWDC1.ADCORP.LAB"
$rootDSE = [ADSI]"LDAP://$targetDC/RootDSE"
$schemaNamingContext = $rootDSE.schemaNamingContext
# Search the schema partition for attributeSchema objects whose searchFlags has bit 128 (confidential) set
$search = New-Object DirectoryServices.DirectorySearcher([ADSI]"")
$search.SearchRoot = "LDAP://$targetDC/$schemaNamingContext"
$search.Filter = "(&(objectClass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=128))"
$search.FindAll() | %{$_.Properties.distinguishedname}

-

PS: replace the FQDN of the DC with your info

-

PS: the opposite of this query (attributes NOT marked as confidential) can be obtained by replacing (searchFlags:1.2.840.113556.1.4.803:=128) with (!(searchFlags:1.2.840.113556.1.4.803:=128)).
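An added example (not code from the original post) that names the searchFlags bits, builds the bitwise-AND filter used above from flag names (including the negated form of the previous note), and decodes the raw searchFlags value of each attribute. The attribute names and values in the sample are constructed, and the live Get-ADObject call is shown only in a comment.

```powershell
# Added example, not from the original post: name the searchFlags bits of
# attributeSchema objects, build the bitwise-AND LDAP filter from flag names,
# and decode the raw searchFlags value of each attribute.
# Bit values and names follow MS-ADTS section 2.2.9 (Search Flags).
$SearchFlagBits = [ordered]@{
    fATTINDEX              = 0x0001   # indexed
    fPDNTATTINDEX          = 0x0002   # containerized (per-container) index
    fANR                   = 0x0004   # part of ambiguous name resolution
    fPRESERVEONDELETE      = 0x0008   # preserved on the tombstone
    fCOPY                  = 0x0010   # copied when a user object is duplicated
    fTUPLEINDEX            = 0x0020   # tuple (medial substring) index
    fSUBTREEATTINDEX       = 0x0040   # subtree index for VLV searches
    fCONFIDENTIAL          = 0x0080   # read needs CONTROL_ACCESS as well as READ_PROPERTY
    fNEVERVALUEAUDIT       = 0x0100   # value changes are not audited
    fRODCFilteredAttribute = 0x0200   # in the RODC filtered attribute set (not replicated to RODCs)
    fEXTENDEDLINKTRACKING  = 0x0400   # extended link tracking
    fBASEONLY              = 0x0800   # only searchable with base scope
    fPARTITIONSECRET       = 0x1000   # partition secret; also needs CONTROL_ACCESS
}
$LDAP_MATCHING_RULE_BIT_AND = '1.2.840.113556.1.4.803'

# Build e.g. (&(objectClass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=128))
# from flag names; -NoneOf adds the negated (!(...)) form for flags that must be clear.
function New-SearchFlagsFilter {
    param([string[]]$AllOf = @(), [string[]]$NoneOf = @())
    foreach ($name in $AllOf + $NoneOf) {
        if (-not $SearchFlagBits.Contains($name)) { throw "Unknown searchFlags bit name: $name" }
    }
    $clauses = foreach ($name in $AllOf) {
        "(searchFlags:${LDAP_MATCHING_RULE_BIT_AND}:=$($SearchFlagBits[$name]))"
    }
    $clauses += foreach ($name in $NoneOf) {
        "(!(searchFlags:${LDAP_MATCHING_RULE_BIT_AND}:=$($SearchFlagBits[$name])))"
    }
    "(&(objectClass=attributeSchema)$(-join $clauses))"
}

# Turn a raw searchFlags integer into the list of bit names that are set.
function ConvertFrom-SearchFlags {
    param([Parameter(Mandatory)][int]$SearchFlags)
    [string[]]@(foreach ($e in $SearchFlagBits.GetEnumerator()) {
        if (($SearchFlags -band $e.Value) -ne 0) { $e.Key }
    })
}

# $Attributes: objects with lDAPDisplayName and searchFlags. For a live run obtain them with
#   Get-ADObject -Server $dc -SearchBase (Get-ADRootDSE -Server $dc).schemaNamingContext `
#       -LDAPFilter (New-SearchFlagsFilter -AllOf fCONFIDENTIAL) -Properties lDAPDisplayName,searchFlags
function Get-SearchFlagsReport {
    param([Parameter(Mandatory)][object[]]$Attributes)
    foreach ($a in $Attributes) {
        $flags = ConvertFrom-SearchFlags -SearchFlags ([int]$a.searchFlags)
        [pscustomobject]@{
            Attribute    = $a.lDAPDisplayName
            searchFlags  = ('0x{0:X4}' -f [int]$a.searchFlags)
            Confidential = [bool]($flags -contains 'fCONFIDENTIAL')
            RODCFiltered = [bool]($flags -contains 'fRODCFilteredAttribute')
            Flags        = ($flags -join ', ')
        }
    }
}

# Constructed sample input (hypothetical attribute names and values, not a real schema)
$sample = @(
    [pscustomobject]@{ lDAPDisplayName = 'sampleSecret';  searchFlags = 0x0288 }  # confidential + RODC filtered + preserved
    [pscustomobject]@{ lDAPDisplayName = 'sampleIndexed'; searchFlags = 0x0005 }  # indexed + ANR
    [pscustomobject]@{ lDAPDisplayName = 'samplePlain';   searchFlags = 0 }
)
New-SearchFlagsFilter -AllOf fCONFIDENTIAL
New-SearchFlagsFilter -AllOf fCONFIDENTIAL -NoneOf fRODCFilteredAttribute
Get-SearchFlagsReport -Attributes $sample | Format-Table -AutoSize
```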

-

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
http://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Active Directory Domain Services (ADDS), AD Queries, Tooling/Scripting

(2014-12-15) Finding All Groups With A Specific Direct And Indirect Member (User)

Posted by Jorge on 2014-12-15


LDAP Control 1.2.840.113556.1.4.1941 | LDAP_MATCHING_RULE_IN_CHAIN

This rule is limited to filters that apply to the DN. It is a special "extended" match operator that walks the chain of ancestry in objects all the way to the root until it finds a match. LDAP_MATCHING_RULE_IN_CHAIN is a matching rule OID designed to provide a method to look up the ancestry of an object. Many applications using AD and AD LDS work with hierarchical data, which is ordered by parent-child relationships. Previously, applications performed transitive group expansion to figure out group membership, which used too much network bandwidth: applications needed multiple round trips to figure out whether an object fell "in the chain" when a link is traversed through to the end. Note that when using LDAP_MATCHING_RULE_IN_CHAIN, the scope is not limited: it can be base, one-level, or subtree. Some such queries on subtrees may be more processor intensive, such as chasing links with a high fan-out, that is, listing all the groups that a user is a member of. Inefficient searches will log the appropriate event log messages, as with any other type of query.

-

ADFIND

ADFIND -h RFSRWDC1.ADCORP.LAB -default -f "(&(objectCategory=group)(member:1.2.840.113556.1.4.1941:=CN=user1,OU=TEST,OU=Org-Users,DC=ADCORP,DC=LAB))" -dn

-

Figure 1: Example Output

-

AD PoSH Module

Get-ADGroup -Server RFSRWDC1.ADCORP.LAB -SearchBase $((Get-ADRootDSE).defaultNamingContext) -LDAPFilter "(member:1.2.840.113556.1.4.1941:=CN=user1,OU=TEST,OU=Org-Users,DC=ADCORP,DC=LAB)" | %{$_.DistinguishedName}

-

ADSI Through PoSH

# DC to query; RootDSE exposes the default (domain) naming context
$targetDC = "RFSRWDC1.ADCORP.LAB"
$rootDSE = [ADSI]"LDAP://$targetDC/RootDSE"
$defaultNamingContext = $rootDSE.defaultNamingContext
# Groups whose member chain (direct or nested) contains the user, resolved by the DC via LDAP_MATCHING_RULE_IN_CHAIN
$search = New-Object DirectoryServices.DirectorySearcher([ADSI]"")
$search.SearchRoot = "LDAP://$targetDC/$defaultNamingContext"
$search.Filter = "(&(objectCategory=group)(member:1.2.840.113556.1.4.1941:=CN=user1,OU=TEST,OU=Org-Users,DC=ADCORP,DC=LAB))"
$search.FindAll() | %{$_.Properties.distinguishedname}

-

PS: replace the FQDN of the DC and the distinguishedName of the user with your own values.

-

Cheers,
Jorge

Posted in Active Directory Domain Services (ADDS), AD Queries, Tooling/Scripting

(2014-12-11) Finding All Direct And Indirect Members (Users) Of A Specific Group

Posted by Jorge on 2014-12-11


LDAP Control 1.2.840.113556.1.4.1941 | LDAP_MATCHING_RULE_IN_CHAIN

This rule is limited to filters that apply to the DN. It is a special "extended" match operator that walks the chain of ancestry in objects all the way to the root until it finds a match. LDAP_MATCHING_RULE_IN_CHAIN is a matching rule OID designed to provide a method to look up the ancestry of an object. Many applications using AD and AD LDS work with hierarchical data, which is ordered by parent-child relationships. Previously, applications performed transitive group expansion to figure out group membership, which used too much network bandwidth: applications needed multiple round trips to figure out whether an object fell "in the chain" when a link is traversed through to the end. Note that when using LDAP_MATCHING_RULE_IN_CHAIN, the scope is not limited: it can be base, one-level, or subtree. Some such queries on subtrees may be more processor intensive, such as chasing links with a high fan-out, that is, listing all the groups that a user is a member of. Inefficient searches will log the appropriate event log messages, as with any other type of query.

-

ADFIND

ADFIND -h RFSRWDC1.ADCORP.LAB -default -f "(&(objectCategory=person)(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=CN=group9.ls,OU=TEST,OU=Org-Users,DC=ADCORP,DC=LAB))" -dn

-

Figure 1: Example Output

-

AD PoSH Module

Get-ADUser -Server RFSRWDC1.ADCORP.LAB -SearchBase $((Get-ADRootDSE).defaultNamingContext) -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=CN=group9.ls,OU=TEST,OU=Org-Users,DC=ADCORP,DC=LAB)" | %{$_.DistinguishedName}

-

ADSI Through PoSH

# DC to query; RootDSE exposes the default (domain) naming context
$targetDC = "RFSRWDC1.ADCORP.LAB"
$rootDSE = [ADSI]"LDAP://$targetDC/RootDSE"
$defaultNamingContext = $rootDSE.defaultNamingContext
# Users whose memberOf chain (direct or nested) leads to the group, resolved by the DC via LDAP_MATCHING_RULE_IN_CHAIN
$search = New-Object DirectoryServices.DirectorySearcher([ADSI]"")
$search.SearchRoot = "LDAP://$targetDC/$defaultNamingContext"
$search.Filter = "(&(objectCategory=person)(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=CN=group9.ls,OU=TEST,OU=Org-Users,DC=ADCORP,DC=LAB))"
$search.FindAll() | %{$_.Properties.distinguishedname}

-

PS: replace the FQDN of the DC and the distinguishedName of the group with your own values.
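An added example (not code from this post or the previous one) that performs, client-side on a constructed group graph, the chain walk that LDAP_MATCHING_RULE_IN_CHAIN does on the DC for both queries: groups of a user (member:1.2.840.113556.1.4.1941:=) and users of a group (memberOf:1.2.840.113556.1.4.1941:=). The group and user DNs are hypothetical, and a deliberate nesting cycle shows why the walk needs a visited set.

```powershell
# Added example, not from the original posts: the transitive walk that
# LDAP_MATCHING_RULE_IN_CHAIN performs server-side, done client-side on a
# constructed group graph so the behaviour (including a membership cycle)
# can be seen without a DC. All DNs below are hypothetical.
# Graph: group DN -> direct member DNs (what the 'member' attribute holds)
$Members = @{
    'CN=group9.ls,OU=TEST,OU=Org-Users,DC=ADCORP,DC=LAB' = @(
        'CN=group8,OU=TEST,OU=Org-Users,DC=ADCORP,DC=LAB',
        'CN=user2,OU=TEST,OU=Org-Users,DC=ADCORP,DC=LAB')
    'CN=group8,OU=TEST,OU=Org-Users,DC=ADCORP,DC=LAB' = @(
        'CN=group7,OU=TEST,OU=Org-Users,DC=ADCORP,DC=LAB',
        'CN=user1,OU=TEST,OU=Org-Users,DC=ADCORP,DC=LAB')
    'CN=group7,OU=TEST,OU=Org-Users,DC=ADCORP,DC=LAB' = @(
        'CN=group9.ls,OU=TEST,OU=Org-Users,DC=ADCORP,DC=LAB',   # nesting cycle back to group9.ls
        'CN=user3,OU=TEST,OU=Org-Users,DC=ADCORP,DC=LAB')
    'CN=groupX,OU=TEST,OU=Org-Users,DC=ADCORP,DC=LAB' = @(
        'CN=user1,OU=TEST,OU=Org-Users,DC=ADCORP,DC=LAB')
}

# Inverse edges: object DN -> groups it is a direct member of (the 'memberOf' back-link).
function Get-MemberOfIndex {
    param([hashtable]$Graph)
    $idx = @{}
    foreach ($g in $Graph.Keys) {
        foreach ($m in $Graph[$g]) {
            if (-not $idx.ContainsKey($m)) { $idx[$m] = @() }
            $idx[$m] += $g
        }
    }
    $idx
}

# Breadth-first chain walk with a visited set, so the nested-group cycle
# (group7 -> group9.ls -> group8 -> group7) terminates instead of looping.
function Get-ChainClosure {
    param([string]$Start, [hashtable]$Edges)
    $seen  = [System.Collections.Generic.HashSet[string]]::new([StringComparer]::OrdinalIgnoreCase)
    $queue = [System.Collections.Generic.Queue[string]]::new()
    $queue.Enqueue($Start)
    while ($queue.Count -gt 0) {
        $dn = $queue.Dequeue()
        foreach ($next in @($Edges[$dn])) {
            if ($next -and $seen.Add($next)) { $queue.Enqueue($next) }
        }
    }
    [string[]]$seen
}

# Equivalent of (&(objectCategory=group)(member:1.2.840.113556.1.4.1941:=<userDN>))
function Get-GroupsOfMemberTransitive {
    param([string]$UserDN, [hashtable]$Graph)
    Get-ChainClosure -Start $UserDN -Edges (Get-MemberOfIndex $Graph) | Sort-Object
}

# Equivalent of (&(objectCategory=person)(objectClass=user)(memberOf:1.2.840.113556.1.4.1941:=<groupDN>))
function Get-MembersOfGroupTransitive {
    param([string]$GroupDN, [hashtable]$Graph)
    Get-ChainClosure -Start $GroupDN -Edges $Graph |
        Where-Object { -not $Graph.ContainsKey($_) } |   # keep leaf objects (users) only
        Sort-Object
}

$user1  = 'CN=user1,OU=TEST,OU=Org-Users,DC=ADCORP,DC=LAB'
$group9 = 'CN=group9.ls,OU=TEST,OU=Org-Users,DC=ADCORP,DC=LAB'
"Groups of user1 (direct + indirect):"
Get-GroupsOfMemberTransitive -UserDN $user1 -Graph $Members
"Users in group9.ls (direct + indirect):"
Get-MembersOfGroupTransitive -GroupDN $group9 -Graph $Members
```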

-

Cheers,
Jorge

Posted in Active Directory Domain Services (ADDS), AD Queries, Tooling/Scripting

(2014-12-07) Web Application Proxy With Kerberos Constrained Delegation (KCD)

Posted by Jorge on 2014-12-07


I was setting up the Web Application Proxy (WAP) to publish three apps to the outside: 2 Claims Based Apps and 1 Windows Token Based App. All three apps were using ADFS pre-authentication. Because of that, in ADFS I had 2 Claims Aware Relying Party Trusts and 1 non-Claims Aware Relying Party Trust.

Figure 1: Published Apps Through The Web Application Proxy (WAP)

-

After setting up all three apps in the WAP, I wanted to test whether all apps were working through WAP. Before doing that I tried accessing all apps from the inside, and from the inside all apps worked. From the outside, through WAP, the Claims Based apps worked, but the Windows Token Based app did not work, or better said, it was not accessible.

Figure 2: IE Error When Trying To Access The Windows Token Based App Through WAP And ADFS

-

Figure 3: Error 1 Information In the Web Application Proxy Event Log

-

Web Application Proxy received an HTTP request with a valid edge token.

Audience: urn:AppProxy:com
Issuer: urn:federation:fs4.adcorp.lab
Valid From: 2014-10-26T21:38:41.000000000Z
Expires: 2014-10-26T22:38:41.000000000Z
Relying Party Trust Id: c064e4b5-345d-e411-8166-000c2929d8bc
UPN: jalmeidapinto@partner.lan
Device Registration Certificate Thumbprint: <Not Applicable>

Details:
Transaction ID: {b1f99230-f13d-0000-0da6-f9b13df1cf01}
Session ID: {b1f99230-f13d-0000-03a6-f9b13df1cf01}
Published Application Name: Kerberos WAP Based Sharepoint App (RFSRWDC1)
Published Application ID: 3d096d98-4c52-d89d-b6c4-14321593fb1c
Published Application External URL:
https://app-kerb-wap2.adcorp.lab/
Published Backend URL: https://app-kerb-wap.adcorp.lab:453/
User: jalmeidapinto@partner.lan
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Device ID: <Not Applicable>
Token State: OK
Cookie State: NotFound
Backend Request URL: <Not Applicable>
Preauthentication Flow: PreAuthBrowser
Backend Server Authentication Mode:
State Machine State: Idle
Response Code to Client: <Not Applicable>
Response Message to Client: <Not Applicable>
Client Certificate Issuer: <Not Found>
Response Code from Backend: <Not Applicable>
Frontend Response Location Header: <Not Applicable>
Backend Response Location Header: <Not Applicable>
Backend Request Http Verb: <Not Applicable>
Client Request Http Verb: GET

-

Figure 4: Error 2 Information In the Web Application Proxy Event Log

-

Web Application Proxy cannot retrieve a Kerberos ticket on behalf of the user because of the following general API error: No credentials are available in the security package (0x8009030e).

Details:
Transaction ID: {b1f99230-f13d-0000-0da6-f9b13df1cf01}
Session ID: {b1f99230-f13d-0000-03a6-f9b13df1cf01}
Published Application Name: Kerberos WAP Based Sharepoint App (RFSRWDC1)
Published Application ID: 3d096d98-4c52-d89d-b6c4-14321593fb1c
Published Application External URL:
https://app-kerb-wap2.adcorp.lab/
Published Backend URL: https://app-kerb-wap.adcorp.lab:453/
User: jalmeidapinto@partner.lan
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Device ID: <Not Applicable>
Token State: OK
Cookie State: NotFound
Backend Request URL: <Not Applicable>
Preauthentication Flow: PreAuthBrowser
Backend Server Authentication Mode: WIA
State Machine State: BackendRequestProcessing_Pending
Response Code to Client: <Not Applicable>
Response Message to Client: <Not Applicable>
Client Certificate Issuer: <Not Found>
Response Code from Backend: <Not Applicable>
Frontend Response Location Header: <Not Applicable>
Backend Response Location Header: <Not Applicable>
Backend Request Http Verb: <Not Applicable>
Client Request Http Verb: GET

-

Figure 5: Error 3 Information In the Web Application Proxy Event Log

-

Web Application Proxy encountered an unexpected error while processing the request.
Error: No credentials are available in the security package (0x8009030e)

Details:
Transaction ID: {b1f99230-f13d-0000-0da6-f9b13df1cf01}
Session ID: {b1f99230-f13d-0000-03a6-f9b13df1cf01}
Published Application Name: Kerberos WAP Based Sharepoint App (RFSRWDC1)
Published Application ID: 3d096d98-4c52-d89d-b6c4-14321593fb1c
Published Application External URL:
https://app-kerb-wap2.adcorp.lab/
Published Backend URL: https://app-kerb-wap.adcorp.lab:453/
User: jalmeidapinto@partner.lan
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Device ID: <Not Applicable>
Token State: OK
Cookie State: NotFound
Backend Request URL: <Not Applicable>
Preauthentication Flow: PreAuthBrowser
Backend Server Authentication Mode: WIA
State Machine State: OuOfOrderFEHeadersWriting
Response Code to Client: 500
Response Message to Client: <Not Applicable>
Client Certificate Issuer: <Not Found>
Response Code from Backend: <Not Applicable>
Frontend Response Location Header: <Not Applicable>
Backend Response Location Header: <Not Applicable>
Backend Request Http Verb: <Not Applicable>
Client Request Http Verb: GET

-

Now, let's think out loud to see why this is wrong, or not working. The following occurs in the order listed:

  • The user on the external network uses the external URL in IE to target the application.
  • The external URL resolves to the IP of the WAP, and the WAP is targeted.
  • WAP knows about the app being targeted and sees that pre-authentication through ADFS is enabled for it.
  • WAP sends the request to ADFS and, because the user is coming from the extranet, the forms based logon page is presented to the user. If ADFS has more than one claims provider trust, the home realm discovery page is shown first, where the user must choose which identity provider will authenticate the user.
  • After the user has been authenticated, WAP goes to the next step. It sees that the app being accessed is a Windows Token app.
  • Because it is a Windows Token app, WAP expects to receive the UPN claim type "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" with a value. Currently it is not possible to change that to expect another claim type, as was possible in Unified Access Gateway (UAG).
  • Using the value from the UPN claim, it queries AD to determine whether the AD user account exists and, assuming it does, requests Kerberos tickets on behalf of the user for the service through Kerberos constrained delegation (KCD). The service is identified through the SPN configured in the published app in WAP. (WAP can only do this when the Windows Server running WAP is joined to an AD domain! It cannot perform KCD when not joined to an AD domain! Also see: What's New in Kerberos Authentication.)

Figure 6: Backend Server SPN Identifying The Service Being Requested By The User

-

With just the errors above, I did not get it the first time. However, after thinking out loud, I realized I had forgotten to configure the SPNs and delegation for the computer account of the WAP.

-

So, let’s configure what needs to be configured.

-

WAP itself runs as Network Service. It does not use a shared service account; it uses its own computer account for KCD. Therefore the computer account of each individual WAP server needs to be configured, even when the servers are load balanced.

For every WAP server in the farm, perform the following actions, as also shown in the picture:

  • Add 2 SPNs to the WAP computer account:
    • HTTP/<FQDN> (e.g. HTTP/R1FSMBSVynext.ADCORP.LAB)
    • HTTP/<NetBIOS> (e.g. HTTP/R1FSMBSVynext)

Figure 7: Configuring 2 SPNs On The Computer Account Of The WAP Server

-

Now we need to configure delegation for the WAP computer account so that it is allowed to request kerberos service tickets for configured services. Also see: (2014-03-25) An Account With "Trusted For Delegation" – What Are The Risks?

In this case configure:

  • Trust this computer for delegation to specified services only
  • Use any authentication protocol

Then click the [Add] button to add the service to the list of allowed services.

Figure 8: Configuring 2 SPNs On The Computer Account Of The WAP Server

-

However, which account do you add? There are a few ways to find out. Either query AD for the SPN specified in figure 6, using any of the three methods in figure 9…

Figure 9: Querying AD In Three Ways For The Account Configured With A Specific SPN

-

…Or just go to the server and check which credentials the corresponding service is using. In this case it was a SharePoint site, and the IIS site was configured to use an application pool that runs under a specific account.

Figure 10: Checking First If It Was Forced To Use An Application Pool

-

Figure 11: Checking The Advanced Settings Of The Service To Determine The Application Pool Name

-

Figure 12: Checking The Advanced Settings Of The Service To Determine The Application Pool Name

-

Figure 13: Specifying The sAMAccountName In The Object Dialog Window

-

Figure 14: Selecting The Service For Which The SPN Matches The SPN As Specified In Figure 6

-

Figure 15: After All, Committing The Config To The Directory
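An added example (not the post's own code) that performs the SPN and constrained delegation steps above with the AD PowerShell module and then audits the result, so an unconstrained delegation setting or an overly wide delegation list on the WAP computer account is caught. It assumes the RSAT ActiveDirectory module and uses the lab names from the post (R1FSMBSVynext, RFSRWDC1.ADCORP.LAB, HTTP/app-kerb-wap.adcorp.lab); the final call runs the pure audit function on constructed values without a DC.

```powershell
# Added example, not from the original post: configure and audit the WAP
# computer account for Kerberos constrained delegation with protocol transition.
# Requires the RSAT ActiveDirectory module for the Get-/Set- calls.
Import-Module ActiveDirectory

$dc         = 'RFSRWDC1.ADCORP.LAB'
$wapHost    = 'R1FSMBSVynext'                 # WAP computer account (NetBIOS name)
$wapFqdn    = 'R1FSMBSVynext.ADCORP.LAB'
$backendSpn = 'HTTP/app-kerb-wap.adcorp.lab'   # SPN of the backend service, as in figure 6

# userAccountControl bits: unconstrained delegation vs. protocol transition (MS-ADTS 2.2.16)
$ADS_UF_TRUSTED_FOR_DELEGATION         = 0x00080000
$ADS_UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x01000000

# Step 1 (figure 7): the two HTTP SPNs on the WAP computer account.
function Set-WapSpns {
    Set-ADComputer -Server $dc -Identity $wapHost -ServicePrincipalNames @{
        Add = "HTTP/$wapFqdn", "HTTP/$wapHost"
    }
}

# Step 2 (figure 9): which account holds the backend SPN. An SPN must be
# registered on exactly one account, otherwise Kerberos fails on the duplicate.
function Find-SpnOwner {
    param([string]$Spn)
    $owners = @(Get-ADObject -Server $dc -LDAPFilter "(servicePrincipalName=$Spn)" `
                 -Properties sAMAccountName, servicePrincipalName)
    if ($owners.Count -ne 1) { throw "SPN $Spn is registered on $($owners.Count) accounts" }
    $owners[0]
}

# Step 3 (figure 8): delegate to that SPN only, with protocol transition
# ("Use any authentication protocol"), because WAP only has the ADFS-issued
# UPN for the user and no Kerberos ticket from the user to forward.
function Set-WapConstrainedDelegation {
    $wap = Get-ADComputer -Server $dc -Identity $wapHost
    Set-ADComputer -Server $dc -Identity $wap -Add @{ 'msDS-AllowedToDelegateTo' = $backendSpn }
    Set-ADAccountControl -Server $dc -Identity $wap -TrustedToAuthForDelegation $true
}

# Audit as a pure function over the attributes, so it can be run on any account's values.
function Test-ConstrainedDelegationConfig {
    param([int]$UserAccountControl, [string[]]$AllowedToDelegateTo, [string]$ExpectedSpn)
    [pscustomobject]@{
        Unconstrained      = ($UserAccountControl -band $ADS_UF_TRUSTED_FOR_DELEGATION) -ne 0
        ProtocolTransition = ($UserAccountControl -band $ADS_UF_TRUSTED_TO_AUTH_FOR_DELEGATION) -ne 0
        ScopedToBackend    = [bool]($AllowedToDelegateTo -contains $ExpectedSpn)
        ExtraTargets       = @($AllowedToDelegateTo | Where-Object { $_ -ne $ExpectedSpn })
    }
}

function Get-WapDelegationAudit {
    $c = Get-ADComputer -Server $dc -Identity $wapHost -Properties userAccountControl, 'msDS-AllowedToDelegateTo'
    $r = Test-ConstrainedDelegationConfig -UserAccountControl $c.userAccountControl `
            -AllowedToDelegateTo @($c.'msDS-AllowedToDelegateTo') -ExpectedSpn $backendSpn
    if ($r.Unconstrained) { Write-Warning "$wapHost is trusted for UNCONSTRAINED delegation; it only needs constrained delegation to $backendSpn" }
    if (-not $r.ProtocolTransition) { Write-Warning "$wapHost lacks protocol transition; KCD after ADFS pre-authentication needs it" }
    if (-not $r.ScopedToBackend) { Write-Warning "$wapHost is not allowed to delegate to $backendSpn" }
    if ($r.ExtraTargets.Count -gt 0) { Write-Warning "$wapHost may also delegate to: $($r.ExtraTargets -join ', ')" }
    $r
}

# Constructed check that runs without a DC: a workstation trust account (0x1000)
# with protocol transition set and delegation scoped to the backend SPN only.
Test-ConstrainedDelegationConfig -UserAccountControl (0x1000 -bor $ADS_UF_TRUSTED_TO_AUTH_FOR_DELEGATION) `
    -AllowedToDelegateTo @($backendSpn) -ExpectedSpn $backendSpn
```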

-

Now let’s try accessing the App again through WAP and ADFS….

Figure 16: Successful Access To The Windows Token App

-

Reviewing Web Application Proxy Event Log again…

Figure 17: Event ID Information In the Web Application Proxy Event Log

-

Web Application Proxy received an HTTP request with a valid edge token.

Audience: urn:AppProxy:com
Issuer: urn:federation:fs4.adcorp.lab
Valid From: 2014-10-26T22:02:06.000000000Z
Expires: 2014-10-26T23:02:06.000000000Z
Relying Party Trust Id: c064e4b5-345d-e411-8166-000c2929d8bc
UPN: jalmeidapinto@partner.lan
Device Registration Certificate Thumbprint: <Not Applicable>

Details:
Transaction ID: {b1f99230-f13d-0000-40a6-f9b13df1cf01}
Session ID: {b1f99230-f13d-0000-30a6-f9b13df1cf01}
Published Application Name: Kerberos WAP Based Sharepoint App (RFSRWDC1)
Published Application ID: 3d096d98-4c52-d89d-b6c4-14321593fb1c
Published Application External URL:
https://app-kerb-wap2.adcorp.lab/
Published Backend URL: https://app-kerb-wap.adcorp.lab:453/
User: jalmeidapinto@partner.lan
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Device ID: <Not Applicable>
Token State: OK
Cookie State: NotFound
Backend Request URL: <Not Applicable>
Preauthentication Flow: PreAuthBrowser
Backend Server Authentication Mode:
State Machine State: Idle
Response Code to Client: <Not Applicable>
Response Message to Client: <Not Applicable>
Client Certificate Issuer: <Not Found>
Response Code from Backend: <Not Applicable>
Frontend Response Location Header: <Not Applicable>
Backend Response Location Header: <Not Applicable>
Backend Request Http Verb: <Not Applicable>
Client Request Http Verb: GET

-

Figure 18: Event ID Information In the Web Application Proxy Event Log

-

Web Application Proxy successfully retrieved a Kerberos ticket on behalf of the user.

Details:
Transaction ID: {b1f99230-f13d-0000-40a6-f9b13df1cf01}
Session ID: {b1f99230-f13d-0000-30a6-f9b13df1cf01}
Published Application Name: Kerberos WAP Based Sharepoint App (RFSRWDC1)
Published Application ID: 3d096d98-4c52-d89d-b6c4-14321593fb1c
Published Application External URL:
https://app-kerb-wap2.adcorp.lab/
Published Backend URL: https://app-kerb-wap.adcorp.lab:453/
User: jalmeidapinto@partner.lan
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko
Device ID: <Not Applicable>
Token State: OK
Cookie State: NotFound
Backend Request URL: <Not Applicable>
Preauthentication Flow: PreAuthBrowser
Backend Server Authentication Mode: WIA
State Machine State: BackendRequestProcessing_Pending
Response Code to Client: <Not Applicable>
Response Message to Client: <Not Applicable>
Client Certificate Issuer: <Not Found>
Response Code from Backend: <Not Applicable>
Frontend Response Location Header: <Not Applicable>
Backend Response Location Header: <Not Applicable>
Backend Request Http Verb: <Not Applicable>
Client Request Http Verb: GET

-

That’s all folks!

-

Cheers,
Jorge

Posted in Active Directory Federation Services (ADFS), Kerberos Constrained Delegation, Web Application Proxy

(2014-12-03) Incorrect Statement When Demoting An RODC While Retaining Metadata

Posted by Jorge on 2014-12-03


When demoting an RODC, you have two options for the end result:

  1. The RODC is demoted and becomes a domain-joined member server
  2. The RODC is demoted and becomes a stand-alone server (non-domain joined), and its metadata is kept in AD

Let’s go through the process and demote an RODC.

Figure 1: The Active Directory Domain Services Configuration Wizard – Credentials For Demotion

-

Figure 2: The Active Directory Domain Services Configuration Wizard – Explicitly Confirming The Demotion

-

Figure 3: The Active Directory Domain Services Configuration Wizard – Choosing Whether Or Not To Retain The Metadata Of The RODC

-

Figure 4: The Active Directory Domain Services Configuration Wizard – Password For The Local Administrator

-

Figure 5: The Active Directory Domain Services Configuration Wizard – Summary Of The End Result

-

The PowerShell script:

#
# Windows PowerShell script for AD DS Deployment (as generated by the wizard)
#

Import-Module ADDSDeployment
# Demote this RODC. -RetainDCMetadata keeps its account and metadata in AD
# (the "Retain Metadata" choice of figure 3); -Force suppresses the confirmation prompt.
Uninstall-ADDSDomainController `
-DemoteOperationMasterRole:$true `
-RetainDCMetadata:$true `
-Force:$true

-

The statement in figure 5 is incorrect. Because I selected "Retain Metadata" (see figure 3), the statement should be: "When the process is complete, this server will be a stand-alone server (non-domain joined)". When you retain the metadata of an RODC, its account becomes "unoccupied", which allows a new RODC with the same name to attach to it when it is promoted.

If you did not select "Retain Metadata", the statement in figure 5 is correct.

-

Cheers,
Jorge

Posted in Active Directory Domain Services (ADDS), Promotion/Demotion, Read-Only Domain Controller

(2014-11-29) A Hotfix Rollup Package (Build 4.1.3613.0) Is Available for Forefront Identity Manager 2010 R2

Posted by Jorge on 2014-11-29


Microsoft released a new hotfix for FIM 2010 R2 with build 4.1.3613.0. What it fixes is listed in this blog post. For additional or detailed info see MS-KBQ3011057.

Download link

-

Issues that are fixed or features that are added in this update

This update fixes the following issues or adds the following features that were not previously documented in the Microsoft Knowledge Base.

BHOLD Attestation

Issue 1

Symptoms: When a steward is added to an in-progress campaign, the steward receives the "New entries for Steward" email.

Changes after the fix: When a steward is added to an in-progress campaign, the steward receives the "Instance Start" email.

-

BHOLD Core

Issue 1

Symptoms: When a user has conflicting ABA roles, and the user’s "EndDate" field is changed through the BHOLD Core UI, the user may be assigned an incorrect role.

Changes after the fix: Changing the user’s "EndDate" field does not affect any other ABA role attributes.

-

BHOLD Core and FIM provisioning

Issue 1

When you use the Access Management Connector, and an import is performed immediately following an export that caused ABA role membership changes, the import may indicate that users have fewer permissions than are assigned by either their previous or new role memberships.

After you install this fix: If an import is performed immediately following an export that caused ABA role membership changes, the import indicates that users have the permissions assigned by either their previous or new role memberships. After queue processing is completed, the import indicates that users have the permissions that are assigned by their new role memberships.

-

Issue 2

In some deployments, deletion of multiple groups through the Access Management Connector is not successful if there are two or more pending exports.

After you install the fix, the deletion of multiple groups through the Access Management Connector is successful.

-

Issue 3

In some deployments, the export of changes through the Access Management Connector to OU objects that specify a new parent OU does not take effect.

After you install the fix: A Parent OU can be changed from root to any other OU through the Access Management Connector.

-

FIM Service and Identity Management Portal

Issue 1

Some text that is displayed in the FIM Portal and added to email templates always uses the English language. For example, this issue occurs in the Display Name of Approval objects.
After you install the fix: The string translation for objects that are created by the FIM Service in the FIM Service database is performed according to the FIM Service account locale that was in effect when the object was created. Note that this functionality is not affected by the client browser locale. To change the language that is used for string translation to a setting other than English, log on to each computer where the FIM Service is installed as the FIM Service account, and then set the locale for this account through Control Panel.

-

Issue 2

Creating synchronization rules in the FIM Identity Management Portal fails to load connected system object types in the External System Resource Type drop-down list. This behavior may occur if the size of the connector instance definition (ma-data) is larger than the 14 MB default WCF message size limit in the ResourceManagementClient configuration. This size is configured by using the maxReceivedMessageSizeInBytes property of the ResourceManagementClient.

Before you apply this fix, maxReceivedMessageSizeInBytes values that are configured in the web.config for the Identity Management Portal are ignored in favor of the default setting. After you apply this fix, the maxReceivedMessageSizeInBytes setting is applied.

Note that this setting is case-sensitive. For more information about this setting, go to the following Microsoft website: Registry keys and configuration file settings in FIM 2010

-

FIM Certificate Management

Issue 1

Online certificate updates are failing because of a constraint violation.

-

Issue 2

The FIM Certificate Management (CM) exit module does not honor the CT_FLAG_DONOTPERSISTINDB flag on a certificate. This may cause many certificates to be written to the FIM CM database. This, in turn, causes performance issues.

After you install this fix, the FIM CM exit module honors the CT_FLAG_DONOTPERSISTINDB flag on certificates, and those certificates are not written to the FIM CM database.

-

FIM Clients (Portal, Outlook, Windows logon)

Issue 1

After you install the FIM Windows logon extension, and then you (or a user) try to log on to the computer through a remote desktop, you must enter your credentials two times.

After you apply the fix, remote desktop logons work as expected. 

-

Synchronization Service

Issue 1

The Synchronization Service crashes during an Export run profile run on a SQL Server management agent.

-

Issue 2

When you run a Delta Import on the FIM Service management agent, the MIIServer.exe process terminates with a CLR_EXCEPTION_SYSTEM.APPDOMAINUNLOADEDEXCEPTION exception.

After you install this fix, the race condition that triggers this exception no longer occurs.

-

Issue 3

If a synchronization rule uses the NULL() function in an incoming attribute flow rule, returning NULL() is seen as a value instead of being blank, and attribute precedence does not continue to the next precedent incoming attribute flow.

After you apply this fix, attribute flow precedence on incoming attribute flow rules that use the NULL() function works as expected.

-

Password Change Notification Service (PCNS)

Issue 1

The following error message is logged:

6914 The connection from a password notification source failed because it is not a Domain Controller service account.

After you install this fix, adding a backslash character to a domain name causes the function to return the domain controller Security Identifier (SID) instead of an empty user SID.

-

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Forefront Identity Manager (FIM) bHold, Forefront Identity Manager (FIM) Certificate Management, Forefront Identity Manager (FIM) Portal, Forefront Identity Manager (FIM) Sync, Updates

(2014-11-25) Troubleshooting Issues With Lingering Objects And Solving It

Posted by Jorge on 2014-11-25


The following resources can help you troubleshoot issues with lingering objects:

-

Tools:

-


Posted in Active Directory Domain Services (ADDS), Backup And Restore, Lingering Objects, Replication

(2014-11-21) Troubleshooting SSO Issues In Azure AD, Office 365 Or Windows Intune

Posted by Jorge on 2014-11-21


The following resources can help you troubleshoot SSO issues:

-


Posted in Office 365, SSO, Troubleshoot, Windows Azure Active Directory

(2014-11-18) Vulnerability in ADFS Could Allow Information Disclosure (Important)

Posted by Jorge on 2014-11-18


This affects ALL ADFS versions! Make sure to patch all your ADFS servers.

More info: https://technet.microsoft.com/library/security/ms14-077

-


Posted in Active Directory Federation Services (ADFS), Updates

(2014-11-18) Vulnerability in Kerberos Could Allow Elevation of Privilege (Critical)

Posted by Jorge on 2014-11-18


This affects ALL Windows versions! Make sure to patch all your Windows servers and DCs.

More info:

-


Posted in Active Directory Domain Services (ADDS), Updates
