Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2017-05-27) Real Required Permissions For Password Change, Password Reset And Account Unlock Through Azure AD

Posted by Jorge on 2017-05-27


When deploying Azure AD Self-Service Password/Account Management you need to configure stuff in both Azure AD and the on-premises AD. The “what” and the “how” can be found through Azure AD self-service password reset for the IT professional.

In the on-premises AD you need to assign a number of permissions to the account for the connector/MA that services that specific AD. You will need to do this for every AD forest being serviced by AAD Connect. For every AD forest you need to determine the scope of management, being either at domain level or OU level. Nevertheless, the following actions are supported by Azure AD Self-Service Password/Account Management and according to Microsoft the corresponding permissions need to be assigned to the connector/MA account (as listed here):

  • Account Unlock
    • Requires at least the Allow:Write permission for the lockoutTime attribute on the user account
  • Password Reset
    • Requires at least the Allow:Write permission for the pwdLastSet attribute on the targeted user account
    • Requires at least the Allow:Reset Password Control Access Right (CAR) on the targeted user account
  • Password Change
    • Requires at least the Allow:Change Password Control Access Right (CAR) on the targeted user account

The permissions can be configured through the GUI in ADUC/ADAC or through DSACLS. For regular accounts the permissions need to be assigned at container level (domain or specific OUs) and must be inherited by user objects.

The “Allow:Write permission for the lockoutTime attribute on the user account” for regular accounts can be configured through:

DSACLS "<DN of OU>" /G "<AD Group For Account Unlock>:WP;lockoutTime;user" /I:S

The “Allow:Write permission for the pwdLastSet attribute on the targeted user account” for regular accounts can be configured through:

DSACLS "<DN of OU>" /G "<AD Group For Password Reset>:WP;pwdLastSet;user" /I:S

The “Allow:Reset Password Control Access Right (CAR) on the targeted user account” for regular accounts can be configured through:

DSACLS "<DN of OU>" /G "<AD Group For Password Reset>:CA;Reset Password;user" /I:S

The “Allow:Change Password Control Access Right (CAR) on the targeted user account” for regular accounts can be configured through:

…does NOT need to be configured at all, as the password change action always occurs under the context of the account for which the password is being changed. AD already has the needed permissions in place for that by default, as shown below!

Figure 1: The “Allow:Change Password” Permission Already Assigned By Default To The EVERYONE And SELF Security Principals

Therefore: There is NO NEED to specifically assign “Allow:Change Password Control Access Right (CAR) on the targeted user account” for the connector/MA account. It will work perfectly without it!

The exact same permissions are required on “protected” accounts. However, the permissions for those accounts need to be assigned through the adminSDHolder object. The permissions can be configured through the GUI in ADUC/ADAC or through DSACLS.

The “Allow:Write permission for the lockoutTime attribute on the user account” for protected accounts can be configured through:

DSACLS "CN=AdminSDHolder,CN=System,<DN Of Domain>" /G "<AD Group For Account Unlock>:WP;lockoutTime;user"

The “Allow:Write permission for the pwdLastSet attribute on the targeted user account” for protected accounts can be configured through:

DSACLS "CN=AdminSDHolder,CN=System,<DN Of Domain>" /G "<AD Group For Password Reset>:WP;pwdLastSet;user"

The “Allow:Reset Password Control Access Right (CAR) on the targeted user account” for protected accounts can be configured through:

DSACLS "CN=AdminSDHolder,CN=System,<DN Of Domain>" /G "<AD Group For Password Reset>:CA;Reset Password;user"
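
To verify afterwards that the delegation is really in place, the following PowerShell reads the ACL of an OU (or of the AdminSDHolder object) and reports whether the three ACEs granted by the DSACLS commands above exist for a given trustee. This is an added example, not code from the original post; the function name Test-SsprDelegation and the trustee and DN values in the usage comments are hypothetical, and it assumes the RSAT ActiveDirectory module is available.

```powershell
# Added example (not from the original post): audit the ACEs that the DSACLS
# commands above are expected to create. Requires the ActiveDirectory module,
# which also provides the AD: drive used by Get-Acl.
Import-Module ActiveDirectory

function Test-SsprDelegation {
    param(
        [Parameter(Mandatory)] [string] $TargetDN,  # OU/domain DN, or the AdminSDHolder DN
        [Parameter(Mandatory)] [string] $Trustee    # NTAccount form: 'DOMAIN\GroupName'
    )

    $rootDse = Get-ADRootDSE

    # Resolve the GUIDs from the directory itself instead of hard-coding them.
    function Get-SchemaGuid([string] $LdapName) {
        $o = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
                -LDAPFilter "(lDAPDisplayName=$LdapName)" -Properties schemaIDGUID
        [guid] $o.schemaIDGUID
    }
    function Get-RightGuid([string] $DisplayName) {
        $base = "CN=Extended-Rights,$($rootDse.configurationNamingContext)"
        $o = Get-ADObject -SearchBase $base `
                -LDAPFilter "(&(objectClass=controlAccessRight)(displayName=$DisplayName))" `
                -Properties rightsGuid
        [guid] $o.rightsGuid
    }

    $adRights  = [System.DirectoryServices.ActiveDirectoryRights]
    $userClass = Get-SchemaGuid 'user'

    # One entry per permission the post assigns (WP = WriteProperty, CA = ExtendedRight).
    $expected = @(
        [pscustomobject]@{ Name = 'WP;lockoutTime';    Rights = $adRights::WriteProperty
                           ObjectType = (Get-SchemaGuid 'lockoutTime') }
        [pscustomobject]@{ Name = 'WP;pwdLastSet';     Rights = $adRights::WriteProperty
                           ObjectType = (Get-SchemaGuid 'pwdLastSet') }
        [pscustomobject]@{ Name = 'CA;Reset Password'; Rights = $adRights::ExtendedRight
                           ObjectType = (Get-RightGuid 'Reset Password') }
    )

    # Only explicit or inherited Allow ACEs for the trustee are of interest.
    $aces = (Get-Acl -Path "AD:\$TargetDN").Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -eq $Trustee
    }

    foreach ($e in $expected) {
        $match = @($aces | Where-Object {
            (($_.ActiveDirectoryRights -band $e.Rights) -eq $e.Rights) -and
            ($_.ObjectType -eq $e.ObjectType)
        })
        [pscustomobject]@{
            Target        = $TargetDN
            Trustee       = $Trustee
            Permission    = $e.Name
            Present       = ($match.Count -gt 0)
            # True when the ACE is scoped to user objects (the ';user' part of the DSACLS grant).
            ScopedToUsers = ($match.InheritedObjectType -contains $userClass)
            IsInherited   = ($match.IsInherited -contains $true)
        }
    }
}

# Usage (hypothetical names, adjust to your environment):
# Test-SsprDelegation -TargetDN 'OU=Users,DC=example,DC=com' -Trustee 'EXAMPLE\GRP-SSPR-Reset'
# Test-SsprDelegation -TargetDN 'CN=AdminSDHolder,CN=System,DC=example,DC=com' -Trustee 'EXAMPLE\GRP-SSPR-Reset'
```

Any row with Present = False points at a DSACLS command that was not applied on that container; changes made on AdminSDHolder only show up on the protected accounts themselves after the next SDProp run.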

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Self-Service Password Reset, Windows Azure Active Directory

(2017-05-23) Bug In GPP Registry Wizard Prevents Registry Settings From Applying

Posted by Jorge on 2017-05-23


In the blog post (2017-03-01) Hardening – Disabling Weak Ciphers, Hashes And Protocols On ADFS, WAP, AAD Connect, Azure AD MFA Server And Azure AD Application Proxy I explain how to harden several hybrid identity related servers. I provide the individual settings and I also provide at the end of the blog post how you can use a GPO to configure all the settings from AD. For the registry settings I configured one server using the REG ADD commands and then I used the Registry Wizard in the GPP to consume all the settings I configured. The GPO I used also contained other regular policy settings.

After having all the settings in the GPO as described above, I found out the registry settings specifically never were applied to the servers, although the GPO was being processed. I confirmed processing of the GPO by using GPRESULT remotely and locally. I also looked at the registry settings multiple times to see if I could find any anomalies, but unfortunately I did not see anything strange. Well it took me some time, but if you look very carefully there is something strange to it.

Figure 1: Setting Registry Values Through A GPO

I’m going to spare you the time that it took me to find what was wrong and guide you through the steps so that you understand where it goes wrong and how you can fix it.

If you look at figure 2 below, what do you notice? Hint: Look at the values in every column!

Correct! The “Hive” column does not have any value specified. THAT is the reason the registry setting is not applied at all to targeted servers.

Figure 2: A Sample Registry Setting That Was Read Through The Registry Wizard – Empty Hive Value

However, if you open a registry setting for which the “Hive” value is not listed as shown in figure 2, you can see in figure 3, the “Hive” value IS listed. Confusing right?!

Figure 3: A Sample Registry Setting That Was Read Through The Registry Wizard – Populated Hive Value

The solution here is to reconfigure the “Hive” value and commit the change into the GPO. But if you look at the [Apply] button in figure 3 you see it is grayed out.

As shown in figure 4 just reselect the already listed “Hive” value.

Figure 4: A Sample Registry Setting That Was Read Through The Registry Wizard – Reselecting The Hive Value

After doing that the [Apply] button becomes available to be clicked/pressed.

Figure 5: A Sample Registry Setting That Was Read Through The Registry Wizard – Recommitting The Hive Value

After you have clicked/pressed the [Apply] button, you can see the “Hive” value is indeed populated as shown in figure 6.

Figure 6: Sample Registry Setting That Was Read Through The Registry Wizard – Populated Hive Value For One Setting

Now do this for every registry setting read by the wizard.

Figure 7: Sample Registry Setting That Was Read Through The Registry Wizard – Populated Hive Value For Another Setting

Because the “Hive” value was not specified for the registry settings in the GPO, those same registry settings were not applied, although the GPO that contained them was processed! Respecifying the “Hive” value solved the problem. And yes you will have to do this for every registry setting.

This issue only occurs when you use the Registry Wizard within the GPP and specify a remote server as the target server. If you specify the local server as the target then the “Hive” value is populated correctly.

This occurred on both W2K12R2 and W2K16 servers.
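
Because every affected setting has to be corrected one by one, it helps to list them up front. The following PowerShell scans a GPP Registry.xml file and returns the settings that carry no hive. This is an added example, not code from the original post: the function name Find-GppRegistryMissingHive is hypothetical, the sample XML is constructed and trimmed, and it assumes that an empty “Hive” column corresponds to a missing or empty hive attribute on the setting's Properties element in Registry.xml, which the post itself does not show.

```powershell
# Added example (not from the original post). Assumption: a setting that shows
# an empty "Hive" column has a missing or empty 'hive' attribute on its
# <Properties> element in the GPO's Registry.xml.
function Find-GppRegistryMissingHive {
    param([Parameter(Mandatory)] [string] $Path)   # path to one Registry.xml file

    [xml] $doc = Get-Content -LiteralPath $Path -Raw

    # The Registry Wizard nests <Registry> items inside <Collection> elements,
    # so search at any depth instead of only below the root.
    foreach ($item in $doc.SelectNodes('//Registry')) {
        $props = $item.SelectSingleNode('Properties')
        if ($null -eq $props) { continue }

        $hive = $props.GetAttribute('hive')        # '' when the attribute is absent
        if ([string]::IsNullOrWhiteSpace($hive)) {
            [pscustomobject]@{
                File  = $Path
                Key   = $props.GetAttribute('key')
                Value = $props.GetAttribute('name')
                Type  = $props.GetAttribute('type')
            }
        }
    }
}

# Constructed sample (trimmed, not taken from a real GPO): the first setting has
# a hive, the second has an empty one, the third has no hive attribute at all.
$sample = @'
<RegistrySettings>
  <Collection name="SCHANNEL">
    <Collection name="Protocols">
      <Registry name="Enabled">
        <Properties action="U" hive="HKEY_LOCAL_MACHINE" key="SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server" name="Enabled" type="REG_DWORD" value="00000000"/>
      </Registry>
      <Registry name="Enabled">
        <Properties action="U" hive="" key="SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server" name="Enabled" type="REG_DWORD" value="00000000"/>
      </Registry>
      <Registry name="DisabledByDefault">
        <Properties action="U" key="SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server" name="DisabledByDefault" type="REG_DWORD" value="00000001"/>
      </Registry>
    </Collection>
  </Collection>
</RegistrySettings>
'@

$tmp = Join-Path ([System.IO.Path]::GetTempPath()) 'Registry-sample.xml'
Set-Content -LiteralPath $tmp -Value $sample -Encoding UTF8
Find-GppRegistryMissingHive -Path $tmp | Format-Table Key, Value, Type -AutoSize
Remove-Item -LiteralPath $tmp

# Against a real domain, run it over every computer-side Registry.xml in SYSVOL:
# Get-ChildItem "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies" -Recurse -Filter Registry.xml |
#     ForEach-Object { Find-GppRegistryMissingHive -Path $_.FullName }
```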

Cheers,
Jorge

Posted in Active Directory Domain Services (ADDS), Group Policy Objects, Group Policy Preferences

(2017-05-17) Azure AD MFA Server v7.3.0.3 Has Been Released

Posted by Jorge on 2017-05-17


Microsoft has released a newer version of the Azure AD MFA server. If you start the MFA Server Console you should see a notification about a newer version being available.

Release notes: https://pfweb.phonefactor.net/install/7.3.0.3/release_notes.txt

Version 7.3.0.3 of the Azure Multi-Factor Authentication Server adds the following additional functionality:

  • AD FS adapter performance improvements
  • Tags performance improvements
  • Log request IDs to allow correlation with backend logs
  • Modified AD sync service to clear phone numbers that are cleared in the directory
  • Fix for RADIUS one-way text message fallback to OATH token
  • Fix for passwords that contain leading or trailing spaces
  • Fix AD FS adapter to handle cultures that aren’t associated with a locale ID
  • Change mobile app references from Azure Authenticator to Microsoft Authenticator

Known Issues:

  • Windows Authentication for Terminal Services is not supported for Windows Server 2012 R2

Upgrade Considerations:

  • Must upgrade MFA Server and Web Service SDK before upgrading AD FS adapter
  • All other features and components are backwards-compatible with all previous versions

More information about Azure AD MFA Server can be found here.

Upgrade steps can be found here, but also take the following info into account.

For this version of the MFA server:

  • you need to have MS-KB2919355 installed on the MFA server before starting the installation (check with Get-HotFix KB2919355)
  • you need to have the Visual C++ 2015 Update 3 Redistributable packages (x86, x64) installed on any server with any MFA server component

Before upgrading/installing the new ADFS adapter, you need to unselect and unregister the previous ADFS adapter:

  • Using WID?: Execute the commands below on primary ADFS server and wait at least 5 minutes to allow WID replication to take place and finish
  • Using SQL?: Execute the commands below on any ADFS server

# Unselecting The Use Of Azure AD MFA Adapter To Be Listed
$listOfCurrentMFAProviders = (Get-AdfsGlobalAuthenticationPolicy).AdditionalAuthenticationProvider
$listOfNewMFAProviders = $listOfCurrentMFAProviders
$listOfNewMFAProviders.Remove("WindowsAzureMultiFactorAuthentication")  # Use THIS line if the old version is v6.3.0 or lower
$listOfNewMFAProviders.Remove("AzureMfaServerAuthentication")  # Use THIS line if the old version is v7.0.0.9 or higher
Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider $listOfNewMFAProviders

# Unregistering The Azure AD MFA Adapter Within ADFS
Unregister-AdfsAuthenticationProvider -Name WindowsAzureMultiFactorAuthentication  # Use THIS line if the old version is v6.3.0 or lower
Unregister-AdfsAuthenticationProvider -Name AzureMfaServerAuthentication  # Use THIS line if the old version is v7.0.0.9 or higher

After installing the new ADFS adapter, you need to configure it, register it and configure it within ADFS:

  • Using WID?: EDIT the file “MultiFactorAuthenticationAdfsAdapter.config” on the primary ADFS server as explained below (use your previous settings where applicable), and SAVE it afterwards
  • Using SQL?: EDIT the file “MultiFactorAuthenticationAdfsAdapter.config” on any ADFS server as explained below (use your previous settings where applicable), and SAVE it afterwards

FILE: MultiFactorAuthenticationAdfsAdapter.config

<ConfigurationData xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">

    <UseWebServiceSdk><true OR false></UseWebServiceSdk>

    <WebServiceSdkUrl><URL to the MFA Web Service SDK></WebServiceSdkUrl>

    <WebServiceSdkUsername><the account (DOMAIN\SAMACCOUNTNAME) the user portal is also using in its web.config></WebServiceSdkUsername>

    <WebServiceSdkPassword><the password of the account above the user portal is also using in its web.config></WebServiceSdkPassword>

    <WebServiceSdkCertificateThumbprint><thumbprint of certificate of web service sdk></WebServiceSdkCertificateThumbprint>

    <AutomaticallyTriggerUserDefaultMethod><true OR false></AutomaticallyTriggerUserDefaultMethod>

    <TestMode><true OR false></TestMode>

</ConfigurationData>

Now we need to register and configure the new ADFS adapter within ADFS

# Registering The Azure AD MFA Adapter Within ADFS

$typeName = "pfadfs.AuthenticationAdapter, MultiFactorAuthAdfsAdapter, Version=7.3.0.3, Culture=neutral, PublicKeyToken=f300afd708cefcd3"
Register-AdfsAuthenticationProvider -TypeName $typeName -Name AzureMfaServerAuthentication -ConfigurationFilePath "<Provide Path To MultiFactorAuthenticationAdfsAdapter.config>"

# Selecting The Use Of Azure AD MFA Adapter To Be Listed
$listOfCurrentMFAProviders = (Get-AdfsGlobalAuthenticationPolicy).AdditionalAuthenticationProvider
$listOfNewMFAProviders = $listOfCurrentMFAProviders + "AzureMfaServerAuthentication"
Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider $listOfNewMFAProviders

# Configuring Custom Display Name And Custom Description
Set-AdfsAuthenticationProviderWebContent -Name "AzureMfaServerAuthentication" -DisplayName "<Provide Custom DisplayName>" -Description "<Provide Custom Description>"

Cheers,
Jorge

Posted in Active Directory Federation Services (ADFS), Azure AD MFA Adapter, Multi-Factor AuthN, Windows Azure Active Directory

(2017-05-16) Azure AD Connect v1.1.524.0 Has Been Released

Posted by Jorge on 2017-05-16


Integrating your on-premises directories with Azure AD makes your users more productive by providing a common identity for accessing both cloud and on-premises resources. With this integration users and organizations can take advantage of the following:

  • Organizations can provide users with a common hybrid identity across on-premises or cloud-based services leveraging Windows Server Active Directory and then connecting to Azure Active Directory.
  • Administrators can provide conditional access based on application resource, device and user identity, network location and multifactor authentication.
  • Users can leverage their common identity through accounts in Azure AD to Office 365, Intune, SaaS apps and third-party applications.
  • Developers can build applications that leverage the common identity model, integrating applications into Active Directory on-premises or Azure for cloud-based applications

Azure AD Connect makes this integration easy and simplifies the management of your on-premises and cloud identity infrastructure.

Download "Microsoft Azure Active Directory Connect"

Azure AD Connect: Version Release History

1.1.524.0

Released: 2017 May

Prerequisites for Azure AD Connect

More information about Azure AD Connect

Fixed issues:

Azure AD Connect sync

  • Fixed an issue that causes Automatic Upgrade to occur on the Azure AD Connect server even if customer has disabled the feature using the Set-ADSyncAutoUpgrade cmdlet. With this fix, the Automatic Upgrade process on the server still checks for upgrade periodically, but the downloaded installer honors the Automatic Upgrade configuration.
  • During DirSync in-place upgrade, Azure AD Connect creates an Azure AD service account to be used by the Azure AD connector for synchronizing with Azure AD. After the account is created, Azure AD Connect authenticates with Azure AD using the account. Sometimes, authentication fails because of transient issues, which in turn causes DirSync in-place upgrade to fail with error “An error has occurred executing Configure AAD Sync task: AADSTS50034: To sign into this application, the account must be added to the xxx.onmicrosoft.com directory.” To improve the resiliency of DirSync upgrade, Azure AD Connect now retries the authentication step.
  • There was an issue with build 443 that causes DirSync in-place upgrade to succeed but run profiles required for directory synchronization are not created. Healing logic is included in this build of Azure AD Connect. When customer upgrades to this build, Azure AD Connect detects missing run profiles and creates them.
  • Fixed an issue that causes Password Synchronization process to fail to start with Event ID 6900 and error “An item with the same key has already been added”. This issue occurs if you update OU filtering configuration to include AD configuration partition. To fix this issue, Password Synchronization process now synchronizes password changes from AD domain partitions only. Non-domain partitions such as configuration partition are skipped.
  • During Express installation, Azure AD Connect creates an on-premises AD DS account to be used by the AD connector to communicate with on-premises AD. Previously, the account is created with the PASSWD_NOTREQD flag set on the user-Account-Control attribute and a random password is set on the account. Now, Azure AD Connect explicitly removes the PASSWD_NOTREQD flag after the password is set on the account.
  • Fixed an issue that causes DirSync upgrade to fail with error “a deadlock occurred in sql server which trying to acquire an application lock” when the mailNickname attribute is found in the on-premises AD schema, but is not bounded to the AD User object class.
  • Fixed an issue that causes Device writeback feature to automatically be disabled when an administrator is updating Azure AD Connect sync configuration using Azure AD Connect wizard. This is caused by the wizard performing pre-requisite check for the existing Device writeback configuration in on-premises AD and the check fails. The fix is to skip the check if Device writeback is already enabled previously.
  • To configure OU filtering, you can either use the Azure AD Connect wizard or the Synchronization Service Manager. Previously, if you use the Azure AD Connect wizard to configure OU filtering, new OUs created afterwards are included for directory synchronization. If you do not want new OUs to be included, you must configure OU filtering using the Synchronization Service Manager. Now, you can achieve the same behavior using Azure AD Connect wizard.
  • Fixed an issue that causes stored procedures required by Azure AD Connect to be created under the schema of the installing admin, instead of under the dbo schema.
  • Fixed an issue that causes the TrackingId attribute returned by Azure AD to be omitted in the AAD Connect Server Event Logs. The issue occurs if Azure AD Connect receives a redirection message from Azure AD and Azure AD Connect is unable to connect to the endpoint provided. The TrackingId is used by Support Engineers to correlate with service side logs during troubleshooting.
  • When Azure AD Connect receives LargeObject error from Azure AD, Azure AD Connect generates an event with EventID 6941 and message “The provisioned object is too large. Trim the number of attribute values on this object.” At the same time, Azure AD Connect also generates a misleading event with EventID 6900 and message “Microsoft.Online.Coexistence.ProvisionRetryException: Unable to communicate with the Windows Azure Active Directory service.” To minimize confusion, Azure AD Connect no longer generates the latter event when LargeObject error is received.
  • Fixed an issue that causes the Synchronization Service Manager to become unresponsive when trying to update the configuration for Generic LDAP connector.

Known issues:

  • N.A. 

New features/Improvements:

Azure AD Connect sync

  • Sync Rule Changes – The following sync rule changes have been implemented:

    • Updated default sync rule set to not export attributes userCertificate and userSMIMECertificate if the attributes have more than 15 values.
    • AD attributes employeeID and msExchBypassModerationLink are now included in the default sync rule set.
    • AD attribute photo has been removed from default sync rule set.
    • Added preferredDataLocation to the Metaverse schema and AAD Connector schema. Customers who want to update either attributes in Azure AD can implement custom sync rules to do so. To find out more about the attribute, refer to article section Azure AD Connect sync: How to make a change to the default configuration – Enable synchronization of PreferredDataLocation.
    • Added userType to the Metaverse schema and AAD Connector schema. Customers who want to update either attributes in Azure AD can implement custom sync rules to do so.
  • Azure AD Connect now automatically enables the use of ConsistencyGuid attribute as the Source Anchor attribute for on-premises AD objects. Further, Azure AD Connect populates the ConsistencyGuid attribute with the objectGuid attribute value if it is empty. This feature is applicable to new deployment only. To find out more about this feature, refer to article section Azure AD Connect: Design concepts – Using msDS-ConsistencyGuid as sourceAnchor.

  • New troubleshooting cmdlet Invoke-ADSyncDiagnostics has been added to help diagnose Password Hash Synchronization related issues.
  • Azure AD Connect now supports synchronizing Mail-Enabled Public Folder objects from on-premises AD to Azure AD. You can enable the feature using Azure AD Connect wizard under Optional Features.
  • Azure AD Connect requires AD DS accounts to synchronize from on-premises AD. Previously, if you install Azure AD Connect using Express mode, you can provide the credential of an Enterprise Admin account and leave it to Azure AD Connect to create the AD DS account required. However, for custom installation and adding forests to existing deployment, you must provide the AD DS account instead. Now, you also have the option to provide the credentials of an Enterprise Admin account during custom installation and let Azure AD Connect create the AD DS account required.
  • Azure AD Connect now supports SQL AOA. You must enable SQL before installing Azure AD Connect. During installation, Azure AD Connect detects whether the SQL instance provided is enabled for SQL AOA or not. If SQL AOA is enabled, Azure AD Connect further figures out if SQL AOA is configured to use synchronous replication or asynchronous replication. When setting up the Availability Group Listener, it is recommended that you set the RegisterAllProvidersIP property to 0. This is because Azure AD Connect currently uses SQL Native Client to connect to SQL and SQL Native Client does not support the use of MultiSubNetFailover property.
  • If you are using LocalDB as the database for your Azure AD Connect server and it has reached its 10-GB size limit, the Synchronization Service no longer starts. Previously, you need to perform ShrinkDatabase operation on the LocalDB to reclaim enough DB space for the Synchronization Service to start. After which, you can use the Synchronization Service Manager to delete run history to reclaim more DB space. Now, you can use Start-ADSyncPurgeRunHistory cmdlet to purge run history data from LocalDB to reclaim DB space. Further, this cmdlet supports an offline mode (by specifying the -offline parameter) which can be used when the Synchronization Service is not running. Note: The offline mode can only be used if the Synchronization Service is not running and the database used is LocalDB.
  • To reduce the amount of storage space required, Azure AD Connect now compresses sync error details before storing them in LocalDB/SQL databases. When upgrading from an older version of Azure AD Connect to this version, Azure AD Connect performs a one-time compression on existing sync error details.
  • Previously, after updating OU filtering configuration, you must manually run Full import to ensure existing objects are properly included/excluded from directory synchronization. Now, Azure AD Connect automatically triggers Full import during the next sync cycle. Further, Full import is only applied to the AD connectors affected by the update. Note: this improvement is applicable to OU filtering updates made using the Azure AD Connect wizard only. It is not applicable to OU filtering update made using the Synchronization Service Manager.
  • Previously, Group-based filtering supports Users, Groups, and Contact objects only. Now, Group-based filtering also supports Computer objects.
  • Previously, you can delete Connector Space data without disabling Azure AD Connect sync scheduler. Now, the Synchronization Service Manager blocks the deletion of Connector Space data if it detects that the scheduler is enabled. Further, a warning is returned to inform customers about potential data loss if the Connector space data is deleted.
  • Previously, you must disable PowerShell transcription for Azure AD Connect wizard to run correctly. This issue is partially resolved. You can enable PowerShell transcription if you are using Azure AD Connect wizard to manage sync configuration. You must disable PowerShell transcription if you are using Azure AD Connect wizard to manage ADFS configuration.

I ran the MSI and upgraded from the previous version without any issues!

Cheers,
Jorge

Posted in Azure AD Connect, Windows Azure Active Directory

(2017-05-16) Azure AD Connect v1.1.486.0 Has Been Released

Posted by Jorge on 2017-05-16


Download "Microsoft Azure Active Directory Connect"

Azure AD Connect: Version Release History

1.1.486.0

Released: 2017 April

Prerequisites for Azure AD Connect

More information about Azure AD Connect

New features:

  • N.A.

Fixed issues:

  • Fixed the issue where Azure AD Connect will not install successfully on localized version of Windows Server.

Known issues:

  • N.A. 

Improvements:

  • N.A.

I ran the MSI and upgraded from the previous version without any issues!

Cheers,
Jorge

Posted in Azure AD Connect, Windows Azure Active Directory

(2017-05-16) Azure AD Connect v1.1.484.0 Has Been Released

Posted by Jorge on 2017-05-16


Download "Microsoft Azure Active Directory Connect"

Azure AD Connect: Version Release History

1.1.484.0

Released: 2017 April

Prerequisites for Azure AD Connect

More information about Azure AD Connect

Fixed issues:

Azure AD Connect sync

  • Fixed an issue where the sync scheduler skips the entire sync step if one or more connectors are missing run profile for that sync step. For example, you manually added a connector using the Synchronization Service Manager without creating a Delta Import run profile for it. This fix ensures that the sync scheduler continues to run Delta Import for other connectors.
  • Fixed an issue where the Synchronization Service immediately stops processing a run profile when it encounters an issue with one of the run steps. This fix ensures that the Synchronization Service skips that run step and continues to process the rest. For example, you have a Delta Import run profile for your AD connector with multiple run steps (one for each on-premises AD domain). The Synchronization Service will run Delta Import with the other AD domains even if one of them has network connectivity issues.
  • Fixed an issue that causes the Azure AD Connector update to be skipped during Automatic Upgrade.
  • Fixed an issue that causes Azure AD Connect to incorrectly determine whether the server is a domain controller during setup, which in turn causes DirSync upgrade to fail.
  • Fixed an issue that causes DirSync in-place upgrade to not create any run profile for the Azure AD Connector.
  • Fixed an issue where the Synchronization Service Manager user interface becomes unresponsive when trying to configure Generic LDAP Connector.

AD FS management

  • Fixed an issue where the Azure AD Connect wizard fails if the AD FS primary node has been moved to another server.

Desktop SSO

  • Fixed an issue in the Azure AD Connect wizard where the Sign-In screen does not let you enable Desktop SSO feature if you chose Password Synchronization as your Sign-In option during new installation.

Known issues:

This version of Azure AD Connect will not install successfully if the following conditions are all true:

  1. You are performing either DirSync in-place upgrade or fresh installation of Azure AD Connect.
  2. You are using a localized version of Windows Server where the name of built-in Administrator group on the server isn’t "Administrators".
  3. You are using the default SQL Server 2012 Express LocalDB installed with Azure AD Connect instead of providing your own full SQL.

New features/Improvements:

Azure AD Connect sync

  • Azure AD Connect Sync now supports the use of Virtual Service Account, Managed Service Account and Group Managed Service Account as its service account. This applies to new installation of Azure AD Connect only. When installing Azure AD Connect:
    • By default, Azure AD Connect wizard will create a Virtual Service Account and uses it as its service account.
    • If you are installing on a domain controller, Azure AD Connect falls back to previous behavior where it will create a domain user account and uses it as its service account instead.
    • You can override the default behavior by providing one of the following:
      • A Group Managed Service Account
      • A Managed Service Account
      • A domain user account
      • A local user account
  • Previously, if you upgrade to a new build of Azure AD Connect containing connectors update or sync rule changes, Azure AD Connect will trigger a full sync cycle. Now, Azure AD Connect selectively triggers Full Import step only for connectors with update, and Full Synchronization step only for connectors with sync rule changes.
  • Previously, the Export Deletion Threshold only applies to exports which are triggered through the sync scheduler. Now, the feature is extended to include exports manually triggered by the customer using the Synchronization Service Manager.
  • On your Azure AD tenant, there is a service configuration which indicates whether Password Synchronization feature is enabled for your tenant or not. Previously, it is easy for the service configuration to be incorrectly configured by Azure AD Connect when you have an active and a staging server. Now, Azure AD Connect will attempt to keep the service configuration consistent with your active Azure AD Connect server only.
  • Azure AD Connect wizard now detects and returns a warning if on-premises AD does not have AD Recycle Bin enabled.
  • Previously, Export to Azure AD times out and fails if the combined size of the objects in the batch exceeds certain threshold. Now, the Synchronization Service will reattempt to resend the objects in separate, smaller batches if the issue is encountered.
  • The Synchronization Service Key Management application has been removed from Windows Start Menu. Management of encryption key will continue to be supported through command-line interface using miiskmu.exe. For information about managing encryption key, refer to article Abandoning the Azure AD Connect Sync encryption key.
  • Previously, if you change the Azure AD Connect sync service account password, the Synchronization Service will not be able to start correctly until you have abandoned the encryption key and reinitialized the Azure AD Connect sync service account password. Now, this is no longer required.

Desktop SSO

  • Azure AD Connect wizard no longer requires port 9090 to be opened on the network when configuring Pass-through Authentication and Desktop SSO. Only port 443 is required.

I ran the MSI and upgraded from the previous version without any issues!

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
######### http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Azure AD Connect, Windows Azure Active Directory

(2017-05-11) Updating MIM 2016 With Patches After Fresh MIM 2016 (SP1) Install

Posted by Jorge on 2017-05-11


Somewhere in September 2016 Microsoft released MIM 2016 SP1 (see this blog post). That was MIM 2016 with SP1 included (build 4.4.1237.0) and which could be installed freshly. However, if you were running MIM 2016 RTM (4.3.1935.0) (with or without patches 4.3.2064.0, or 4.3.2195.0, or 4.3.2266.0) you could not apply this MIM 2016 SP1 (build 4.4.1237.0) as it was not an update package for RTM, but rather a new installation package. To still install MIM 2016 SP1 (build 4.4.1237.0) you had to first uninstall MIM 2016 RTM and then install MIM 2016 SP1 (build 4.4.1237.0) and reuse existing DBs. That procedure is explained here. In November 2016 I blogged about 2 different SP1 packages here. The build 4.4.1302.0 is explained here. Since then Microsoft released a newer build 4.4.1459.0 to replace the build 4.4.1302.0. The build 4.4.1459.0 is explained here.

If you are running MIM 2016, you will be able to install either build 4.4.1302.0 or build 4.4.1459.0.

However, if you are running MIM 2016 SP1, because you performed a fresh install you will NOT be able to install either build 4.4.1302.0 or build 4.4.1459.0.

If you want to install build 4.4.1302.0 and/or build 4.4.1459.0 you will have to perform the following actions:

  • Do NOT make any changes
  • Backup ALL FIM related databases in SQL Server
  • Create a backup copy of the contents of the folder “C:\Program Files\Microsoft Forefront Identity Manager\2010”
  • Uninstall the MIM 2016 SP1 server components
  • Install the MIM 2016 RTM (4.3.1935.0) and reuse the databases
  • DO NOT try to apply the patches 4.3.2064.0, or 4.3.2195.0, or 4.3.2266.0 as that will break your database. In that latter case you will need to restore the DB from backup
  • Apply the patch with build 4.4.1302.0 (this may be skipped if you want to install the newest patch mentioned next)
  • Apply the patch with build 4.4.1459.0
  • Check the different settings in the WEB.CONFIGs by comparing them with the backup copy. Apply any configuration differences you find
  • If applicable also check the mfasettings.xml
  • Done!

I do not know when, but I think/hope Microsoft will create patches that can be applied to both SP1 packages.

Cheers,
Jorge

Posted in Microsoft Identity Manager (MIM), Updates

(2017-05-11) A Hotfix Rollup Package (Build 4.4.1459.0) Is Available for Microsoft Identity Manager 2016 SP1

Posted by Jorge on 2017-05-11


Microsoft released a new hotfix for MIM 2016 SP1 with build 4.4.1459.0. What it fixes can be found in this blog post. For additional or detailed info see MS-KBQ4012498. If you have installed build 4.4.1237.0 you cannot install this package. Build 4.4.1237.0 was a fresh MIM 2016 SP1 install and this hotfix enables the upgrade to SP1 without the need to uninstall first and reinstall.

Download link

Issues that are fixed or improvements that are added in this update

MIM Service

Issue 1

Authentication workflow fails with "The semaphore time out period has expired" after custom client requests AuthN token.

After you install the update, the request will complete as expected, and a clear message about a communications error is thrown into the event log.

Issue 2

Under a heavy load, there may be race condition situation when two MIM Service instances try to process the same workflow at the same time. This may cause workflow processing to fail.

After you install this update, this problem no longer occurs.

Issue 3

Set partitioning may not work if a set criteria contains a sub-condition. After you install this update, set partitioning works correctly.

Issue 4

Over time, some processing data accumulates in the MIM Service database, which may cause performance issues. This causes a problem when many Object IDs are retained in the FIM.Objects table. The SQL Server Agent job runs stored procedure FIM_DeleteExpiredSystemObjectsJob and removes expired system objects by collecting all the requests and any object references, and puts their object IDs into the ExpiredObjectKeys table.

Next, all values in the ObjectValue* tables are removed for each ID number in the ExpiredObjectKeys table. Finally, if the values in the ObjectValue* tables have indeed all been deleted, the matching row in the ExpiredObjectKeys table is also deleted. However, the object ID itself is never deleted from the fim.Objects table.

After you install the update, a new stored procedure in the debug namespace is added to clean up the database of these objects.

Stored Procedure Name: debug.DeleteObjectRemainders
Syntax: exec debug.DeleteObjectRemainders

Issue 5

After MIM SP1 clean installation, MIM Reporting or MIM Service Partitioning may not work correctly. After you install this update, both MIM Service reporting and partitioning are installed and function correctly.

Issue 6

If the FIMService database compatibility level is set to 120, SQL deadlocks may occur. After you install this update, these deadlocks no longer occur.

Improvement 1

Verbose trace logging in the MIM Service can now be enabled without forcing a restart of the service.

One new section is added to the Microsoft.ResourceManagement.Service.exe.config file to support this functionality. After you install this update, this new section is now present.

<dynamicLogging mode="true" loggingLevel="Critical" />

Logging can be set to any level between Critical and Verbose.

Two output files will be written to the installation folder for the MIM Service. It is important for the MIM Service account to have write permissions to this folder.

Folder location:

%programfiles%\Microsoft Forefront Identity Manager\2010\Service

Files written:

Microsoft.ResourceManagement.Service_tracelog.svclog

Microsoft.ResourceManagement.Service_tracelog.txt

Improvement 2

Support for System Center 2016 Service Manager and Data Warehouse is added for MIM Service Reporting.

Before this update, MIM Reporting could not install and perform with System Center 2016 Service Manager Console.

After you install this update, MIM Reporting can be installed and perform without a need to pre-install SCSM console, for any supported version of SCSM.

Synchronization Service

Issue 1

If the FIM Service management agent exports an object deletion but does not receive a confirmation of the deletion, that same object may be partly recreated in the FIMService.

After you install this update, an error will be displayed in the error list of the export run, and the recreation does not occur.

Issue 2

When the DN of an object is also the anchor, it cannot be renamed. Instead, you receive the following exception:

Unexpected-error

“The dimage has a different anchor or primary object class from what is on the hologram.”

After you install this update, the rename is processed as expected.

Issue 3

The Encryption Key Management Key (miiskmu.exe) tool may not abandon keys because of a time-out caused by a database lock.

After you install this update, the keys are processed without encountering the time-out.

Issue 4

When you run a synchronization profile step, periodic performance issues are encountered.

A fix was made to the mms_getprojected_csrefguids_noorder stored procedure to help improve performance.

Issue 5

Under certain circumstances, filter-based sync rules are applied even when they should not be.

After you install this update, the sync rule is applied only if it should be.

Issue 6

On Export for the Generic LDAP Connector, if the creation of an Audit Log file has been configured, the export run profile stops without posting a BAIL error.

After you install this update, an Export run profile step will run properly on the Generic LDAP Connector when the Audit Log File creation option is enabled.

MIM Password Reset Portal

Issue 1

When you reset a password by using the SMS authentication gate, an incorrect message is displayed to the user:

"You need to click Next once you completed this call" and in next line "Call Verified:"

After you install this update, the incorrect string, “Call Verified:” is removed from that dialog box.

MIM Identity Management Portal

Issue 1

Drag-and-drop users into the Remove box to delete or remove a member for group membership does not work in all circumstances.

After you install this fix, users can drag-and-drop users into the Remove box when you manage manual group memberships.

Issue 2

Local Date/Time settings being ignored for English (Australia).

After you install this update, the local date/time format settings are applied.

Issue 3

Custom controls are not initialized if we have custom event parameters in the Resource Control Display Configuration (RCDC).

After you install this fix, the custom controls are initialized as expected.

Issue 4

Error handling in the Resource Control Display Configuration is sometimes unclear.

In this update, error notifications are customized to describe the error more clearly.

Issue 5

When you use a copied link to a custom object in the Identity Management Portal, the object does not display as expected.

After you install this update, the custom object displays as expected from the copied link.

Issue 6

When you try to install the Identity Management Portal on SharePoint 2016 after you uninstall or during an update, the Portal is not installed. Additionally, you receive the following exception:

Timeout expired and error in Sharepoint log: Package name does not exist in the solution store.

After you install this update, setup restarts the SharePoint timer service to retry the failed SharePoint jobs, so setup can now complete.

Issue 7

The Approval View RCDC has incorrect symbols and displays an error.

After you install this fix, the approval view RCDC is displayed as expected, and does not throw an exception.

Issue 8

The membership buttons of custom group objects do not work correctly.

After you install this fix, the group membership buttons work as expected.

Issue 9

When you view the MIM Identity Management Portal by using the Firefox browser, object list-views, such as Users and Distribution Groups, do not display properly.

After you install this update, object list-views display as expected when you use the Firefox browser.

Issue 10

When you view the MIM Identity Management Portal by using the Internet Explorer browser, object list-views headings may not be left-aligned in the column.

After you install this update, object list-view headings display left aligned as expected.

Issue 11

When you run the MIM Portal in SharePoint 2016, the Join, Leave, Add Member, and Remove Member buttons do not work as expected on custom group object types.

After you install this update, these buttons work as expected against custom group object types.

Improvement 1

To address the fact that the default value of a Group Scope cannot be set, two optional properties were added to the UocDropDownList and the UocRadioButtonList.

  • DefaultValue
    • This is an optional property. Use this property to define a default value for the control if the control is used to create new data

For example:

<my:Control my:Name="My UocDropDownList" my:TypeName="UocDropDownList" … >
  <my:Properties>
    ...
    <my:Property my:Name="DefaultValue" my:Value="MyDefault" />
  </my:Properties>
</my:Control>

  • Condition
    • Condition is an optional attribute of a property, used to specify the condition under which the property is applied. The control can have several properties that use the same name but disjoint conditions
    • The syntax for condition is as follows:
      • my:Condition="[left part] [condition] [right part]"
    • Notes
      • [left part] has the following options:
        • Binding Source and path
        • Simple value
      • [condition] has the following options:
        • ==
        • !=
      • [right part] has the following options:
        • Binding Source and path
        • Simple value

Example of creating different defaults for different types of groups:

<my:Control my:Name="My UocDropDownList" my:TypeName="UocDropDownList" … >
  <my:Properties>
    ...
    <my:Property my:Name="DefaultValue" my:Value="MyDefaultForDistributionGroups" my:Condition="{Binding Source=object, Path=Type} == Distribution" />
    <my:Property my:Name="DefaultValue" my:Value="MyDefaultForSecurityGroups" my:Condition="{Binding Source=object, Path=Type} == Security" />
  </my:Properties>
</my:Control>

Improvement 2

The name for all activity types that you created through Portal is authenticationGateActivity. After you install this update, all new ActivityType objects that are created will have the following activity name values, according to type:

  • Authentication: authenticationActivity1… authenticationActivityN
  • Authorization: authorizationActivity1… authorizationActivityN
  • Action: actionActivity1… actionActivityN

Improvement 3

Requestor or Approver has no means to provide Justification upon creating the request or Approving/Rejecting pending request.

With this update, a justification field is added to the Create Request view, and new justification request/workflow data can be used. The [//Request/Justification] and [//WorkflowData/Reason] parameters are added.

Certificate Management

Issue 1

When enrolling for a virtual smart card, entering a pin with fewer than 8 characters returns a misleading error.

After you install this update, a relevant error is returned to the user.

Issue 2

When renewing a smartcard, a user can be caught in an infinite renew loop.

The following steps will cause this issue:

  1. The current smartcard profiles enter the renew window:
    • User receives an email from FIM CM Service asking him to complete a renew request
  2. User successfully executes the renew request and retrieves all certs renewed.
  3. Several hours later, user receives a second email from FIM CM Service.
    • This is not expected as the profile has already been renewed.
  4. The user will end in an infinite renew loop if he executes all the requests FIM CM Service creates.

After you install this update, only the correct requests are created, and there is no infinite loop.

Issue 3

If the Delta CRLs are disabled on a Certification Authority used by MIM Certificate Management, the exception ERROR_FILE_NOT_FOUND will be thrown by MIM CM.

After you install this update, no exception is thrown.

Issue 4

MIM CM does not support NonAdmin mode when you work with virtual cards. A virtual smart card can only be created by the MIM CM Client during enrollment, and creating one requires local admin rights. So, only local admins can enroll for a new virtual smart card through MIM CM Portal.

After you install this hotfix, a new registry key will configure the MIM CM client to run in non-admin mode. Notice that the virtual smart card must be pre-created before the user can enroll their virtual smart card under the non-Admin mode settings.

To enable NonAdmin mode, change or create DWORD value NonAdmin=1 under the following registry key on a client computer:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\CLM\v1.0\SmartCardClient

Issue 5

When you use the MIM CM REST API to change the smart card status to “Disabled”, an Error 501 (NotImplemented) is returned.

After you install this update, this same code will successfully disable the smart card.

PUT …/api/v1.0/requests/{reqID}/smartcards/{smartcardID}
{
   "status" : "Disabled"
}

For more information, see the Update Smartcard Status topic on the Microsoft website.

Issue 6

MIM CM Server version 4.3.1999.0 or a later version (until current hotfix) cannot work with older version of CM Clients (FIM 2010R2 and MIM).

After you install this update, MIM CM Server will work with older MIM and FIM 2010R2 CM Clients (FIM 2010R2 Clients version 4.1.3508.0 and later versions were tested).

Issue 7

"OfflineUnblock" request could not be created by using the following call from the MIM CM REST API:

https://docs.microsoft.com/en-us/microsoft-identity-manager/reference/create-request

After you install this update, this same code will successfully submit the OfflineUnblock request.

Issue 8

There is no possibility to use smart card id as a parameter when you create a "Disable"(or any other type) request by using the following call from MIM CM REST API:

https://docs.microsoft.com/en-us/microsoft-identity-manager/reference/create-request

Only the "profile" parameter is available.

For example:

POST api/v1.0/requests
    {
        "target":"e5008CDD9E614F9BBEDC45EEEE6776F0",
        "comment":"any comment",
        "type":"Disable",
        "profiletemplateuuid":"7860DEBB-771D-464E-AAC5-2F093282CE66",
        "datacollection":[],
        "priority":"1",
        "smartcard":"49BFE09C-5590-4CC4-8A21-FB4289F4F6C8"  
     }

After you install this update, you can use the smart card id as a parameter.

Notice that the smart card id is not the same as that of the smart card serial number. Smart card id is created by the MIM CM for each active smart card.

Issue 9

MIM CM Client tracing does not log datetime. After you install this update, the date time data will be included in the client trace log.

Issue 10

Cancelling a user in the existing virtual smart cards modal dialog box can lead to an unusual and confusing error message instead of simply cancelling the operation.

After you install this update, the operation cancels the user.

Issue 11

Retire flow stops responding for TPM virtual smart cards when the NonAdmin option is set in the registry.

Issue 12

Duplicate Revocation Settings under Replace policy does not apply to a duplicated profile. After you install this update, the flow works as expected. The revocation delay is successfully copied to the duplicated profile.

Issue 13

MIM Certificate Management does not log web service exception data. After you install this update, CM now logs all web service exception data.

Improvement 1

Before this update, the only option for PIN rules in the MIM CM Modern App is MinimumPinLength.

After you install this update, the following validation settings are now available:

  • Digits
  • LowercaseLetters
  • MaxLength
  • MinLength
  • SpecialCharacters
  • UppercaseCharacters

MIM Add-in for Outlook

Issue 1

The 32-bit MIM Add-in dlls (for example, OfficeintegrationShim2010.dll) are unsigned after you apply the MIM SP1 MSP update (4.4.1302.0 build).

In this update, all files are signed as expected.

Cheers,

Jorge


Posted in Forefront Identity Manager (FIM) bHold, Forefront Identity Manager (FIM) Certificate Management, Forefront Identity Manager (FIM) PCNS, Forefront Identity Manager (FIM) Portal, Forefront Identity Manager (FIM) Sync, Microsoft Identity Manager (MIM), Updates

(2017-05-11) A Hotfix Rollup Package (Build 4.4.1302.0) Is Available for Microsoft Identity Manager 2016

Posted by Jorge on 2017-05-11


Microsoft released a new hotfix for MIM 2016 with build 4.4.1302.0. What it fixes can be found in this blog post. For additional or detailed info see MS-KBQ3201389. If you have installed build 4.4.1237.0 you cannot install this package. Build 4.4.1237.0 was a fresh MIM 2016 SP1 install and this hotfix enables the upgrade to SP1 without the need to uninstall first and reinstall.

Issues that are fixed in this update

Microsoft Identity Manager 2016

Issue 1

When you try to upgrade to Microsoft Identity Manager SP1, you may have to uninstall and reinstall previous versions of Microsoft Identity Manager.

Cheers,
Jorge

Posted in Forefront Identity Manager (FIM) bHold, Forefront Identity Manager (FIM) Certificate Management, Forefront Identity Manager (FIM) PCNS, Forefront Identity Manager (FIM) Portal, Forefront Identity Manager (FIM) Sync, Updates

(2017-03-28) Why You Should Turn On Forms Based Authentication (FBA) For The Intranet In ADFS!

Posted by Jorge on 2017-03-29


Right after the install, every ADFS farm by default has Windows Integrated Authentication explicitly enabled and Forms Based Authentication disabled on the intranet. Below you see a screenshot from ADFS v4.0, and the settings for ADFS v2.x and ADFS v3.0 are similar.


Figure 1: Authentication Methods For The Intranet In ADFS (WIA Enabled And FBA Disabled)

Previously you only had to enable Forms Based Authentication (FBA) for the Intranet in ADFS when you for example used Microsoft CRM Dynamics.

Now with Azure AD playing a very important role in almost every infrastructure, I’m suggesting/recommending to enable FBA by default for the Intranet in ADFS.

Of course you ask: “WHY?”

With Azure AD on the playground you also need FBA for the Intranet in ADFS for the following scenarios:

  1. Azure AD/MSOnline PowerShell Module
  2. Azure AD Self-Service Password Reset

[AD.1]

Every time you connect to Azure AD using a federated account where a browser based window is opened, FBA will be used. If FBA is not enabled, you will get an error.

This problem does not occur if you use a native Azure AD Account, or you use a federated account that is specified in the credentials parameter of the PowerShell CMDlet and is also not enforced for MFA!


Figure 2: Authentication Screen When Using The Azure AD/MSOnline PowerShell Module


Figure 3: Error After Entering Your Federated Account Credentials

[AD.2]

Sometimes with Self-Service Password Reset, Azure AD will ask you to reconfirm your password. You may experience this when:

  • Navigating to https://myapps.microsoft.com/ with a browser, for which WIA is enabled in ADFS. Logon as you normally do with your corporate desktop/laptop
  • Next to your picture, click on “Profile”
  • Then click on “Set up self service password reset”
  • The next screen may say “Confirm you current password”
  • Click on “Re-enter my password” and you will be redirected to ADFS, and that’s where it will go wrong if FBA is not enabled

In both scenarios you will see the following error in the ADFS Event Log


Figure 4: Error In The ADFS Admin Event Log When FBA (In This Case) Is Not Enabled For The Intranet

Encountered error during federation passive request.

Additional Data

Protocol Name:
wsfed

Relying Party:
urn:federation:MicrosoftOnline

Exception details:
Microsoft.IdentityServer.Service.Policy.PolicyServer.Engine.InvalidAuthenticationTypePolicyException: MSIS7102: Requested Authentication Method is not supported on the STS.
   at Microsoft.IdentityServer.Web.Authentication.GlobalAuthenticationPolicyEvaluator.ProcessRequestedAuthMethodsV2(IEnumerable`1 requestedAuthMethods, HashSet`1 globalPolicyAuthProviders, String[] authProvidersInToken, Boolean& validAuthProvidersInToken)
   at Microsoft.IdentityServer.Web.Authentication.GlobalAuthenticationPolicyEvaluator.EvaluatePolicyV2(IList`1 mappedRequestedAuthMethods, IList`1 mappedRequestedACRAuthProviders, AccessLocation location, ProtocolContext context, HashSet`1 authProvidersInToken, Boolean isOnWiaEndpoint, Boolean& validAuthProvidersInToken)
   at Microsoft.IdentityServer.Web.Authentication.AuthenticationPolicyEvaluator.RetrieveFirstStageAuthenticationDomainV2(Boolean& validAuthProvidersInToken)
   at Microsoft.IdentityServer.Web.Authentication.AuthenticationPolicyEvaluator.EvaluatePolicy(Boolean& isLastStage, AuthenticationStage& currentStage, Boolean& strongAuthRequried)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetAuthMethodsFromAuthPolicyRules(PassiveProtocolHandler protocolHandler, ProtocolContext protocolContext)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetAuthenticationMethods(PassiveProtocolHandler protocolHandler, ProtocolContext protocolContext)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

Therefore: enable FBA for the Intranet in ADFS as soon as you install ADFS. If you want to enable it later on, first make sure no application is impacted when the “Active Directory” IdP is used.


Figure 5: Authentication Methods For The Intranet In ADFS (WIA Enabled And FBA Enabled)
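
The same check and change can be scripted. The following is an added example, not part of the original post: it searches the AD FS Admin event log for the MSIS7102 error shown above, lists which relying parties triggered it, and adds Forms Authentication to the intranet primary methods while keeping the methods that are already enabled. The `-LookBackDays` and `-Apply` parameters are assumptions of this example, and the AD FS cmdlets used are available in AD FS on Windows Server 2012 R2 (v3.0) and later, not in ADFS v2.x.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# session on the primary AD FS server (Windows Server 2012 R2 / AD FS v3.0 or later).
param(
    [int]$LookBackDays = 7,   # assumption: how far back to search the event log
    [switch]$Apply            # without -Apply the change is only simulated (-WhatIf)
)

Import-Module ADFS

# --- 1. Find the MSIS7102 error described above in the AD FS Admin log -------
$filter = @{
    LogName   = 'AD FS/Admin'
    Level     = 2                                   # 2 = Error
    StartTime = (Get-Date).AddDays(-$LookBackDays)
}
# Get-WinEvent raises a non-terminating error when nothing matches, hence SilentlyContinue.
$hits = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'MSIS7102' })

if ($hits.Count -gt 0) {
    # Summarise per relying party to see which applications requested an
    # authentication method that the STS does not currently offer.
    $hits | ForEach-Object {
        $rp = if ($_.Message -match 'Relying Party:\s*(\S+)') { $Matches[1] } else { '(unknown)' }
        [pscustomobject]@{ TimeCreated = $_.TimeCreated; RelyingParty = $rp }
    } | Group-Object RelyingParty |
        Select-Object Count, Name,
            @{ n = 'LastSeen'; e = { ($_.Group.TimeCreated | Measure-Object -Maximum).Maximum } } |
        Format-Table -AutoSize
} else {
    "No MSIS7102 errors found in the last $LookBackDays day(s)."
}

# --- 2. Inspect the intranet primary authentication methods ------------------
$policy   = Get-AdfsGlobalAuthenticationPolicy
$intranet = @($policy.PrimaryIntranetAuthenticationProvider)
"Intranet primary authentication methods: $($intranet -join ', ')"

# --- 3. Add FBA while keeping what is already enabled (WIA stays on) ---------
if ($intranet -contains 'FormsAuthentication') {
    'FBA is already enabled for the intranet; nothing to change.'
} else {
    $new = $intranet + 'FormsAuthentication'
    # Simulated unless the script is started with -Apply.
    Set-AdfsGlobalAuthenticationPolicy -PrimaryIntranetAuthenticationProvider $new -WhatIf:(-not $Apply)
}
```

Run it once without `-Apply` to review the relying-party summary and the simulated change, then rerun with `-Apply` once you have confirmed no application is affected.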

Cheers,
Jorge

Posted in Active Directory Federation Services (ADFS), Forms Based AuthN, Windows Integrated AuthN

 