Jorge's Quest For Knowledge!

About Windows Server, ADDS, ADFS, Azure AD, FIM/MIM & AADSync (Just Like An Addiction, The More You Have, The More You Want To Have!)

(2014-11-21) Troubleshooting SSO Issues In Azure AD, Office 365 Or Windows Intune

Posted by Jorge on 2014-11-21


The following resources can help you troubleshoot SSO issues:

-

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Office 365, SSO, Troubleshoot, Windows Azure Active Directory

(2014-11-18) Vulnerability in ADFS Could Allow Information Disclosure (Important)

Posted by Jorge on 2014-11-18


This affects all supported ADFS versions: ADFS 2.0 (Windows Server 2008/2008 R2), ADFS 2.1 (Windows Server 2012) and ADFS 3.0 (Windows Server 2012 R2). The flaw is in sign-out handling: when a user logs off from an application, the ADFS session is not properly ended, so whoever next uses that browser can reopen the application as that user. Make sure to patch all your ADFS servers (every node in a farm runs the affected code) and verify sign-out behaviour afterwards.

More info: https://technet.microsoft.com/library/security/ms14-077

-

Cheers,
Jorge

Posted in Active Directory Federation Services (ADFS), Updates

(2014-11-18) Vulnerability in Kerberos Could Allow Elevation of Privilege (Critical)

Posted by Jorge on 2014-11-18


This is MS14-068 (CVE-2014-6324), released out-of-band: the KDC does not properly validate the signature on the PAC in a ticket request, so any authenticated domain user can forge a PAC that claims Domain Admins membership and obtain a valid ticket with it. It is rated Critical for all supported Windows Server versions; the update for client versions is provided as defense in depth. Patch every domain controller first (the bug is in the KDC, and an attacker can pick which DC to talk to, so one unpatched DC is enough), then the rest of your Windows servers and clients.

More info:

-
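Added example, not from the original posts: a PowerShell check that covers this bulletin and the ADFS one above (MS14-077). It walks every domain controller in the forest and a list of ADFS servers and reports whether the relevant update package is present. The ADFS host names are assumptions; the KB numbers (KB3011780 for MS14-068, KB3003381 for MS14-077) are the package numbers from the bulletins and should be confirmed against the bulletin for your OS version, because a superseding rollup can replace them.

```powershell
# Added example, not part of the original post. Reports whether the MS14-068 (Kerberos) and
# MS14-077 (ADFS) update packages are present on every DC in the forest and on the ADFS servers.
# Requires the ActiveDirectory RSAT module and WMI (DCOM) access to the targets.
# KB numbers: confirm against the bulletins for your OS versions. ADFS host names are assumptions.
param(
    [string[]]$AdfsServers = @('adfs01.corp.example.com', 'adfs02.corp.example.com'),
    [string[]]$KerberosKBs = @('KB3011780'),   # MS14-068
    [string[]]$AdfsKBs     = @('KB3003381')    # MS14-077
)

Import-Module ActiveDirectory

function Test-HotfixInstalled {
    param([string]$ComputerName, [string[]]$KB)
    # Get-HotFix queries Win32_QuickFixEngineering; a package that was never installed is simply absent.
    $present = Get-HotFix -ComputerName $ComputerName -ErrorAction Stop |
               Select-Object -ExpandProperty HotFixID
    foreach ($id in $KB) {
        [pscustomobject]@{ Computer = $ComputerName; KB = $id; Installed = ($present -contains $id) }
    }
}

# Every DC in every domain of the forest: the Kerberos flaw is exploited against the KDC, so the
# DCs are the machines that matter most.
$targets = @(foreach ($domain in (Get-ADForest).Domains) {
    foreach ($dc in Get-ADDomainController -Filter * -Server $domain) {
        [pscustomobject]@{ Name = $dc.HostName; KB = $KerberosKBs }
    }
})
$targets += @(foreach ($srv in $AdfsServers) { [pscustomobject]@{ Name = $srv; KB = $AdfsKBs } })

$results = @(foreach ($t in $targets) {
    try   { Test-HotfixInstalled -ComputerName $t.Name -KB $t.KB }
    catch { [pscustomobject]@{ Computer = $t.Name; KB = ($t.KB -join ','); Installed = "ERROR: $($_.Exception.Message)" } }
})

$results | Sort-Object Computer, KB | Format-Table -AutoSize
# Anything that is not True needs attention before you call the forest patched.
$missing = @($results | Where-Object { $_.Installed -ne $true })
if ($missing.Count -gt 0) { Write-Warning "$($missing.Count) server/KB pairs are missing or could not be checked." }
```

Run it from a management host with RSAT; an ERROR row means the server could not be queried (firewall, DCOM, or permissions) and must be checked by hand rather than assumed patched.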

Cheers,
Jorge

Posted in Active Directory Domain Services (ADDS), Updates

(2014-11-17) FIM 2010 R2: Hotfix Rollup Build 1.0.419.911 For The PowerShell Connector

Posted by Jorge on 2014-11-17


Microsoft released a new hotfix for the PowerShell Connector with build 1.0.419.911. What it fixes can be found in this blog post. For additional or detailed info see MS-KBQ3008179

Download link

-

PowerShell Connector for FIM 2010 R2 Technical Reference

-

Issues that are fixed

This hotfix rollup fixes the following issues that were not previously documented in the Microsoft Knowledge Base.

Issue 1

Creating a PowerShell connector without using an LDAP DN style fails because of an issue in the default template.

-

Features that are added

Feature 1

This update adds support for Windows PowerShell 4.0.

-

Cheers,
Jorge

Posted in Connector/MA, Forefront Identity Manager (FIM) Sync, Updates

(2014-11-13) FIM 2010 R2: Hotfix Rollup Build 1.0.419.911 For The Web Services Connector

Posted by Jorge on 2014-11-13


Microsoft released a new hotfix for the Web Services Connector with build 1.0.419.911. What it fixes can be found in this blog post. For additional or detailed info see MS-KBQ3008178

Download link

-

Issues that are fixed

This hotfix rollup fixes the following issues that were not previously documented in the Microsoft Knowledge Base.

Issue 1

The WebServices connector uses 100 percent CPU during password synchronization if many of the password operations fail with a password violation error.

-

Features that are added

Feature 1

This update adds support for REST-based web services. This includes support for XML and JSON data formats and for parsing these formats.

-

Feature 2

This update adds support for additional bindings for Transport and Message Level security. The new options are as follows:

  • BasicHTTPBinding
  • WSHttpBinding
  • NetTCPBinding

-

These bindings also support the following authentication methods:

  • Basic
  • Certificate
  • Digest
  • Windows

-

Feature 3

In new WebServices connectors, the capabilities page is visible. This makes it possible to configure the connectors’ behavior.

-

Feature 4

This update adds event tracing for Windows (ETW) logging to the WebServices connector and the configuration tool.

-

Feature 5

This update adds new templates for SAP to support the following object types:

  • User
  • Role
  • Group

-

Cheers,
Jorge

Posted in Connector/MA, Forefront Identity Manager (FIM) Sync, Updates

(2014-11-09) FIM 2010 R2: Hotfix Rollup Build 1.0.419.911 For The Generic LDAP Connector

Posted by Jorge on 2014-11-09


Microsoft released a new hotfix for the Generic LDAP Connector with build 1.0.419.911. What it fixes can be found in this blog post. For additional or detailed info see MS-KBQ3008177

Download link

-

Generic LDAP Connector for FIM 2010 R2 Technical Reference

-

Issues that are fixed

This hotfix rollup fixes the following issues that were not previously documented in the Microsoft Knowledge Base.

Issue 1

An attribute in the Lightweight Directory Access Protocol (LDAP) schema that is defined as ‘NumericString’ – 1.3.6.1.4.1.1466.115.121.1.36 is defined incorrectly as an integer in the connector. These attributes are now defined as strings instead.

-

Issue 2

Delta import on OpenLDAP does not process object moves between organizational units (OUs) and containers correctly.

-

Features that are added

Feature 1

You can now authenticate on an LDAP server by using only a certificate. A username and password are not required.

-

Feature 2

If the Generic LDAP connector cannot automatically detect the correct way to do a delta import, a drop-down menu is now available that includes the supported options, and the administrator can select the correct option.

-

Feature 3

This hotfix adds support for the RadiantOne Virtual Directory Server (VDS) version 7.1.1. This version or a later version must be used for the connector to function correctly.

-

Cheers,
Jorge

Posted in Connector/MA, Forefront Identity Manager (FIM) Sync, Updates

(2014-11-05) Upgrading Azure AD Sync Services From GA (v1.0.419.911) To v1.0.470.1023

Posted by Jorge on 2014-11-05


As mentioned in this blog post, Microsoft released a new version of the Azure AD Sync Services. According to the release notes the upgrade is straightforward; there is one extra step, and only if you modified one or more of the out-of-box sync rules.

If you already have Azure AD Sync installed, there is one additional step you have to take in case you have changed any of the out-of-box Synchronization Rules. After you have upgraded to the 1.0.470.1023 release, the synchronization rules you have modified are duplicated. For each modified Sync Rule do the following:

  • Locate the Sync Rule you have modified and take a note of the changes
  • Delete the Sync Rule
  • Locate the new Sync Rule created by Azure AD Sync and re-apply the changes.
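Added example, not from the original post: a PowerShell snapshot-and-diff around the upgrade that records every sync rule beforehand and, afterwards, lists the rules that now exist twice, i.e. the out-of-box rules you had modified and must delete and re-apply per the release notes. It assumes the ADSync module installed with AADSync exposes Get-ADSyncRule and Remove-ADSyncRule and that each rule has a Name and an Identifier property (as they do in later Azure AD Connect builds); the module path and the export folder are assumptions as well.

```powershell
# Added example, not part of the original post. Snapshot all sync rules before the AADSync upgrade,
# then report the rules that exist twice after it (modified out-of-box rules get duplicated).
# Assumptions: Get-ADSyncRule/Remove-ADSyncRule exist in the ADSync module, rules expose Name and
# Identifier, and the module/export paths below.
Import-Module 'C:\Program Files\Microsoft Azure AD Sync\Bin\ADSync\ADSync.psd1'
$snapshotDir = 'C:\AADSyncUpgrade'   # assumed location for the before/after exports
New-Item -ItemType Directory -Path $snapshotDir -Force | Out-Null

function Save-SyncRuleSnapshot {
    param([string]$Label)
    # Export-Clixml keeps every property of the rule objects, so the pre-upgrade file is a complete
    # record of your customizations (attribute flows, scoping filters, precedence) to re-apply later.
    $file = Join-Path $snapshotDir "rules-$Label.xml"
    Get-ADSyncRule | Export-Clixml -Path $file
    $file
}

function Get-DuplicatedSyncRule {
    # After the upgrade a modified out-of-box rule is present twice: your edited copy and the new
    # default created by the installer. Group by name and return the names that occur more than once.
    Get-ADSyncRule | Group-Object Name | Where-Object { $_.Count -gt 1 } | ForEach-Object {
        [pscustomobject]@{
            Name        = $_.Name
            Count       = $_.Count
            Identifiers = (($_.Group | ForEach-Object { $_.Identifier }) -join ', ')
        }
    }
}

# Step 1, before clicking [Upgrade]:
#   Save-SyncRuleSnapshot -Label 'before'
# Step 2, after the wizard finishes:
#   Save-SyncRuleSnapshot -Label 'after'
#   Get-DuplicatedSyncRule | Format-Table -AutoSize
# For each name listed: compare your copy in rules-before.xml with the new default, remove your old
# copy (Remove-ADSyncRule -Identifier <guid of your copy>) and re-apply the changes to the new rule
# in the Synchronization Rules Editor.
```

Keep the before-snapshot with the change record for the upgrade; it is the only place your original attribute flows survive once the old rule copy has been deleted.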

-

So let’s try this and see what happens.

My starting point is the GA version


Figure 1: GA Version Of Azure AD Sync Services (AADSync)

-

Double-click on MicrosoftAzureADConnectionTool.exe and the following screen appears. Check the checkbox "I agree to the license terms" if you indeed do agree with the license terms. Click the [Upgrade] button to continue.


Figure 2: Initial Screen Of The Azure AD Sync Upgrade

-

The first thing the upgrade wizard tries to do is upgrade the Azure Active Directory Sign-in Assistance/Client; after that it upgrades all other components. However, you might receive the following "error". If you do not see it, you are fine; skip ahead to figure 12.


Figure 3: Error About Upgrading The Azure Active Directory Sign-in Assistance/Client

-

As the message says, go and look in the Application event log. Event ID 906 tells you to check a log file, so do that.


Figure 4: Error In The Application Event Log

-

You see another Event ID 906, and that one is not really helpful.


Figure 5: Error In The Application Event Log

-

And then yet another Event ID 906, again not helpful: it only says that the upgrade of the Azure Active Directory Sign-in Assistance/Client failed.


Figure 6: Error In The Application Event Log

-

System.Exception: Unable to upgrade the Azure Active Directory Sign-in Client.  Please see the event log for additional details. —> Microsoft.Azure.ActiveDirectory.Synchronization.Framework.ProcessExecutionFailedException: Exception: Execution failed with errorCode: 1603.

Details:
   at Microsoft.Azure.ActiveDirectory.Synchronization.Framework.ProcessAdapter.StartProcessCore(String fileName, String arguments, String workingDirectory, NetworkCredential credential, Boolean loadUserProfile, Boolean hideWindow, Boolean waitForExit)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Framework.ProcessAdapter.StartBackgroundProcessAndWaitForExit(String fileName, String arguments, String workingDirectory, NetworkCredential credential, Boolean loadUserProfile)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Framework.MsiExecAdapter.InstallMsiPackage(String msiPackageDirectory, String msiPackageFileName, String parametersString, String installationPath, NetworkCredential credential, String installLogFileName, Boolean quiet, Boolean suppressReboot)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Framework.MsiExecAdapter.InstallMsiPackageQuietSuppressReboot(String msiPackageDirectory, String msiPackageFileName, String parametersString, String installationPath, NetworkCredential credential, String installLogFileName)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Setup.MsiSetupTaskBase.UpgradeCore()
   at Microsoft.Azure.ActiveDirectory.Synchronization.Framework.ActionExecutor.Execute(Action action, String description)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Setup.SetupBase.Upgrade()
   — End of inner exception stack trace —
   at Microsoft.Azure.ActiveDirectory.Synchronization.Setup.SetupBase.ThrowSetupTaskFailureException(String exceptionFormatString, String taskName, Exception innerException)
   at Microsoft.Azure.ActiveDirectory.Synchronization.Setup.SetupBase.Upgrade()
   at Microsoft.Azure.ActiveDirectory.Synchronization.UserInterface.SetupAdapter.TypeDependencies.GenericDirectorySyncSetupUpgrade(String pathToSetupFiles, String installationPath, ProgressChangedEventHandler progressChangedEventHandler)
   at Microsoft.Azure.ActiveDirectory.Synchronization.UserInterface.UI.WizardPages.InstallOrUpgradePageViewModel.SetupTask(Object sender, DoWorkEventArgs args)
   at Microsoft.Azure.ActiveDirectory.Synchronization.UserInterface.UI.Controls.Wizards.ProgressReportingTaskViewModel.ExecuteAction(Action action, Boolean isProgressIndeterminate)

-

Finally, looking in ‘C:\Windows\temp\AADSync\MsoIdCli_64_Install.log’, almost at the end, you will see the errors highlighted in yellow below. Basically it says the repair failed. Why is it repairing instead of upgrading?


Figure 7: Error In The Log File About Repairing The Installation

-

The version of the Azure Active Directory Sign-in Assistance/Client in this AADSync package is v7.250.4556.0, and the version I already had installed was also v7.250.4556.0. Because the versions are the same, Windows Installer does not perform an upgrade but a repair of the existing installation, and that repair fails (error code 1603 is the generic MSI "fatal error during installation"). On my test server I have ADFS v3.0 and AADSync on the same machine, and a few days earlier I had updated the Azure AD PowerShell cmdlets, including the Azure Active Directory Sign-in Assistance/Client. That is how I ended up with that version already installed.

The solution here is to go to the "Control Panel – Programs and Features" and uninstall the Azure Active Directory Sign-in Assistance/Client.
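Added example, not from the original post: a PowerShell pre-flight check that reads the installed Sign-In Assistant version from the same uninstall registry data "Programs and Features" shows and compares it with the version shipped in the AADSync package (7.250.4556.0, the value from this post), so you can spot the repair-instead-of-upgrade situation before running the wizard. The packaged version is a parameter because later AADSync builds may ship a different one.

```powershell
# Added example, not part of the original post. Compare the installed Microsoft Online Services
# Sign-In Assistant with the version bundled in the AADSync package. Equal versions make MSI run a
# repair instead of an upgrade, which is what produced the 1603 error and the event ID 906 entries.
param(
    # Version bundled with the AADSync package being installed (value taken from the post).
    [version]$PackagedVersion = '7.250.4556.0'
)

function Get-SignInAssistant {
    # Same data "Programs and Features" displays: 64-bit and 32-bit (Wow6432Node) uninstall keys.
    $hives = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    )
    foreach ($hive in $hives) {
        Get-ChildItem -Path $hive -ErrorAction SilentlyContinue |
            ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
            Where-Object { $_.DisplayName -like 'Microsoft Online Services Sign-in Assistant*' } |
            Select-Object DisplayName, DisplayVersion, UninstallString
    }
}

$installed = @(Get-SignInAssistant)
if ($installed.Count -eq 0) {
    Write-Host 'Sign-In Assistant is not installed; the AADSync wizard will perform a fresh install.'
    return
}

foreach ($app in $installed) {
    $current = [version]$app.DisplayVersion
    if ($current -eq $PackagedVersion) {
        Write-Warning "$($app.DisplayName) $current is already installed; MSI will run a repair, not an upgrade."
        Write-Warning 'Uninstall it first (a reboot is not needed), then click [Upgrade] again in the wizard.'
        Write-Host "Uninstall command recorded in the registry: $($app.UninstallString)"
    }
    elseif ($current -gt $PackagedVersion) {
        Write-Warning "Installed version $current is newer than the packaged $PackagedVersion; MSI will not downgrade it. Check C:\Windows\temp\AADSync\MsoIdCli_64_Install.log if the wizard fails."
    }
    else {
        Write-Host "$($app.DisplayName) $current is older than $PackagedVersion; the upgrade should proceed."
    }
}
```

The uninstall string it prints is the msiexec command the Control Panel runs; adding /qn to it gives an unattended uninstall if you need to repeat this on several sync servers.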


Figure 8: Uninstalling The Microsoft Online Services Sign-In Assistant (= Azure Active Directory Sign-in Assistance/Client)

-

Confirm the uninstall


Figure 9: Confirming Uninstalling The Microsoft Online Services Sign-In Assistant

-

When the uninstall is done, do not reboot the server even though it asks you to.


Figure 10: Request To Reboot The Server

-

Now go back to the upgrade wizard and click the [Upgrade] button again.


Figure 11: Retrying The Upgrade

-

The upgrade will now continue. It will present the current credentials you are using to connect to Azure AD.


Figure 12: Credentials To Connect To Azure AD Tenant

-

Next it presents the AD forest(s) already connected. If you want to, you can connect additional AD forests here; otherwise click the [Next] button.


Figure 13: AD Forests Already Connected To AADSync

-

Now, it presents you with the user matching configuration. You cannot change this right now, therefore click the [Next] button.


Figure 14: Previously Configured User Matching Options

-

Now it presents the optional features. You can keep them as they are or enable what you need; to enable or disable an optional feature later, just rerun the wizard.

[Exchange Hybrid Deployment] –> If you have an Exchange hybrid deployment, then select this checkbox. This will write-back some attributes from Exchange online to the on-premises Active Directory.

[Password Synchronization] –> With password synchronization you enable your users to log on to Azure Active Directory with the same password they use to log on to your on-premises Active Directory. For more information on how to configure this, please see http://msdn.microsoft.com/en-us/library/azure/dn835016.aspx.

[Password Write-Back] –> Password write-back is an Azure Active Directory Premium feature. For more information on how to configure this, please see http://blogs.technet.com/b/ad/archive/2014/04/29/deep-dive-password-reset-with-on-premise-sync-in-azure-ad-premium.aspx.

[Azure AD App And Attribute Filtering] –> If you want to review or limit the attributes which are synchronized with Azure AD, then select Azure AD app and attribute filtering. You will then get two additional pages in the wizard. For more information on how to configure this, please see http://msdn.microsoft.com/en-us/library/azure/dn764938.aspx

Click the [Next] button.


Figure 15: Optional Features To Enable

-

Now it will present you with a summary screen. Click the [Next] button to really start the upgrade of the software.


Figure 16: Ready To Configure And Upgrade

-

After the upgrade you can choose to synchronize now or do it later as scheduled. Click the [Finish] button.


Figure 17: Finished

-


Figure 18: Upgraded Version Of Azure AD Sync Services (AADSync)

-

That’s all folks!

-

Cheers,
Jorge

Posted in Azure AD Sync, Windows Azure Active Directory

(2014-11-01) A New Version Of Azure Active Directory Sync Services Has Been Released (v1.0.470.1023)

Posted by Jorge on 2014-11-01


A few days ago Microsoft released a new version of the Azure Active Directory Sync Services (AADSync).

-

This version adds the following features:

  • Password synchronization from multiple on-premises AD forests to Azure AD
  • Localized installation UI to all Windows Server languages

-

Upgrading from AADSync 1.0 GA

If you already have Azure AD Sync installed, there is one additional step you have to take in case you have changed any of the out-of-box Synchronization Rules. After you have upgraded to the 1.0.470.1023 release, the synchronization rules you have modified are duplicated. For each modified Sync Rule do the following:

  • Locate the Sync Rule you have modified and take a note of the changes.
  • Delete the Sync Rule.
  • Locate the new Sync Rule created by Azure AD Sync and re-apply the changes.

-

Permissions for the AD account

The AD account must be granted additional permissions to be able to read the password hashes from AD. The permissions to grant are named "Replicating Directory Changes" and "Replicating Directory Changes All"; both are required to read the password hashes. Note that these are the same two rights that allow a caller to replicate every secret in the domain (what DCSync-style tooling relies on), so from an attacker's point of view the AD connector account is Domain Admin-equivalent: give it a long random password that is not reused anywhere, restrict where it can log on, and alert on any other principal acquiring these rights.
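Added example, not from the original post: a PowerShell script that grants the AD connector account the two rights on the domain naming context and then lists every principal that can exercise them, including principals that get them implicitly through GenericAll or an unrestricted ExtendedRight ACE. The account name is an assumption; the two rights GUIDs are the fixed values from the schema's Extended-Rights container.

```powershell
# Added example, not part of the original post. Grants the AADSync AD connector account the two
# replication rights password sync needs, then lists every principal holding them on the domain
# object. Account name is an assumption; requires the ActiveDirectory module and the right to
# modify the domain object's ACL (only when -Grant is given).
param(
    [string]$SyncAccount = 'CORP\svc-aadsync',   # assumed AD connector account
    [switch]$Grant                               # change the ACL only when explicitly asked
)

Import-Module ActiveDirectory
$domainDn = (Get-ADDomain).DistinguishedName
$aclPath  = "AD:\$domainDn"

# Control-access right GUIDs as defined in the schema's Extended-Rights container.
$rightGuids = @{
    'Replicating Directory Changes'     = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'
    'Replicating Directory Changes All' = [guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'
}
$GenericAll    = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$ExtendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

function Grant-ReplicationRights {
    param([string]$Account)
    $acl = Get-Acl -Path $aclPath
    $sid = ([System.Security.Principal.NTAccount]$Account).Translate([System.Security.Principal.SecurityIdentifier])
    foreach ($guid in $rightGuids.Values) {
        # One object-specific Allow ACE per right, on the domain object itself (no inheritance needed).
        $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
            $sid, $ExtendedRight, [System.Security.AccessControl.AccessControlType]::Allow, $guid)
        $acl.AddAccessRule($ace)
    }
    Set-Acl -Path $aclPath -AclObject $acl
}

function Get-ReplicationRightHolders {
    # Explicit ACEs for the two rights, plus ACEs that imply them: GenericAll, or ExtendedRight with
    # an empty ObjectType (which means "all extended rights").
    foreach ($ace in (Get-Acl -Path $aclPath).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights = $ace.ActiveDirectoryRights
        $impliesAll = (($rights -band $GenericAll) -eq $GenericAll) -or
                      ((($rights -band $ExtendedRight) -eq $ExtendedRight) -and ($ace.ObjectType -eq [guid]::Empty))
        $via = 'explicit'
        if ($impliesAll) { $via = 'GenericAll / all extended rights' }
        foreach ($name in $rightGuids.Keys) {
            if ($impliesAll -or ($ace.ObjectType -eq $rightGuids[$name])) {
                [pscustomobject]@{
                    Identity  = $ace.IdentityReference.Value
                    Right     = $name
                    Via       = $via
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

if ($Grant) { Grant-ReplicationRights -Account $SyncAccount }
Get-ReplicationRightHolders | Sort-Object Identity, Right | Format-Table -AutoSize
# Expected holders: Administrators, Domain Controllers, Enterprise Domain Controllers (Enterprise
# Read-only Domain Controllers get only the first right) and your sync account(s). Anything else
# is a finding worth a ticket.
```

Run it without -Grant first to get a baseline, and schedule the same listing after the change; an unexpected entry in that output is one of the highest-value signals you can get out of AD.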

-

Release Note: Changing the AD password

After password sync has been enabled, if the password of the account used by the AD Connector is changed through the UI, then password synchronization must be disabled and re-enabled.

-

More information:

-

Cheers,
Jorge

Posted in Azure AD Sync, Windows Azure Active Directory

(2014-10-24) Enabling IdP Initiated Sign-On In ADFS

Posted by Jorge on 2014-10-24


In ADFS v2.0, ADFS v2.1 and ADFS v3.0 the IdP-initiated sign-on page is enabled by default and you do not need to do anything for it. It just works! However, if you also need to use RelayState, then also have a look at (2014-10-16) Enabling RelayState In ADFS Versions. In ADFS v4.0 (the ADFS in the Windows Server Technical Preview that became Windows Server 2016) this changed, as shown below.

The URL of the IdP Initiated Sign On Page is: "https://<FQDN Of The Federation Service>/adfs/ls/IdPInitiatedSignOn.aspx"

-


Figure 1: The IdP Initiated Sign On Page In ADFS v2.0

-


Figure 2: The IdP Initiated Sign On Page In ADFS v3.0

-


Figure 3: The IdP Initiated Sign On Page In ADFS v4.0 (BEFORE Enabling It In The ADFS Properties)

-

In the Event Viewer (ADFS Admin Event Log) you will see:


Figure 4: Error In The ADFS Admin Event Log About The IdP Initiated Sign On Page

-

Encountered error during federation passive request.

Additional Data

Protocol Name:
 

Relying Party:
 

Exception details:
Microsoft.IdentityServer.Web.IdPInitiatedSignonPageDisabledException: MSIS7012: An error occurred while processing the request. Contact your administrator for details.
   at Microsoft.IdentityServer.Web.Protocols.Saml.IdpInitiatedSignOnRequestSerializer.ReadMessage(WrappedHttpListenerRequest httpRequest)
   at Microsoft.IdentityServer.Web.Protocols.Saml.HttpSamlMessageFactory.CreateMessage(WrappedHttpListenerRequest httpRequest)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlContextFactory.CreateProtocolContextFromRequest(WrappedHttpListenerRequest request, ProtocolContext& protocolContext)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.CreateProtocolContext(WrappedHttpListenerRequest request)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetProtocolHandler(WrappedHttpListenerRequest request, ProtocolContext& protocolContext, PassiveProtocolHandler& protocolHandler)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

-

So in ADFS v4.0 the page appears to be disabled by default. Checking the ADFS properties confirms it: the page is disabled by default in ADFS v4.0. That is a sensible default. The page is reachable anonymously, it shows visitors the list of relying parties configured for SAML sign-on, and it issues unsolicited (IdP-initiated) SAML responses; so enable it only when an application actually needs IdP-initiated sign-on and SP-initiated sign-on is not an option.


Figure 5: IdP Initiated Sign On Page Configured To Be Disabled In The ADFS Properties (=Default)

-


Figure 6: Enabling The IdP Initiated Sign On Page In The ADFS Properties Of ADFS v4.0

-


Figure 7: The IdP Initiated Sign On Page In ADFS v4.0 (AFTER Enabling It In The ADFS Properties)
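Added example, not from the original post: the same check and change done from PowerShell on the federation server instead of the GUI, using the ADFS module's Get-AdfsProperties / Set-AdfsProperties and the EnableIdPInitiatedSignonPage property. On ADFS 2.x/3.0 that property does not exist (the page is always on), which the script reports rather than failing. Run it as a member of the ADFS administrators group on an ADFS server.

```powershell
# Added example, not part of the original post. Report whether the IdP-initiated sign-on page is
# enabled on this federation service and, only when explicitly asked, enable it.
Import-Module ADFS

function Get-IdpInitiatedSignonState {
    $props = Get-AdfsProperties
    if ($null -eq $props.PSObject.Properties['EnableIdPInitiatedSignonPage']) {
        # ADFS 2.x / 3.0: the page is always on and cannot be switched off in the properties.
        return [pscustomobject]@{ Version = 'ADFS 2.x/3.0'; Enabled = $true; Configurable = $false }
    }
    [pscustomobject]@{
        Version      = 'ADFS 2016 or later'
        Enabled      = [bool]$props.EnableIdPInitiatedSignonPage
        Configurable = $true
    }
}

function Set-IdpInitiatedSignon {
    param([bool]$Enabled)
    $state = Get-IdpInitiatedSignonState
    if (-not $state.Configurable) {
        Write-Warning 'The IdP-initiated sign-on page is not configurable on this ADFS version.'
        return $state
    }
    Set-AdfsProperties -EnableIdPInitiatedSignonPage $Enabled
    Get-IdpInitiatedSignonState
}

$state = Get-IdpInitiatedSignonState
$state | Format-List

# Turn it on only when a relying party depends on IdP-initiated (unsolicited) SAML responses:
#   Set-IdpInitiatedSignon -Enabled $true
# and back off again once that dependency is gone:
#   Set-IdpInitiatedSignon -Enabled $false

# Verify from a client; the generic error page plus the MSIS7012 event shown above means it is still off:
#   Invoke-WebRequest -Uri "https://$((Get-AdfsProperties).HostName)/adfs/ls/IdpInitiatedSignOn.aspx" -UseBasicParsing
```

Because the property lives in the ADFS configuration database, one change applies to every node in the farm; you do not have to repeat it per server.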

-

Cheers,
Jorge

Posted in Active Directory Federation Services (ADFS), IdP-Initiated

 