Jorge's Quest For Knowledge!

About Windows Server, ADDS, ADFS, Azure AD, FIM/MIM & AADSync (Just Like An Addiction, The More You Have, The More You Want To Have!)

(2016-08-08) Configuring Custom Logos For Your Identity Providers/Claim Providers Trusts

Posted by Jorge on 2016-08-08


As the page “Customizing the AD FS Sign-in Pages” already explains, use configure custom logos for your HRD page, being

  • The Illustration (in figure 1 – on the left)
  • The Logo (in figure 1 – upper right)
  • The Local STS Icon (in figure 1 – IdP called “IAM Technologies”)
  • The Remote IdP Icon for which no suffixes have been configured (in figure 1 – last 3 IdPs)

That then looks like it is displayed in figure 1

image

Figure 1: HRD Page With A Custom Illustration, A Custom Logo, A Custom Icon For the Local STS And a Custom Icon For Other Remote IdPs

However, have you ever wanted to see it like it is displayed in figure 2?

image

Figure 1: HRD Page With A Custom Illustration, A Custom Logo, A Custom Icon For the Local STS And a Custom Icon For Every Individual Remote IdP

Yes, that is possible!

To configure the logo execute the following command:

Set-AdfsWebTheme –TargetName <Web Theme> -Logo @{path="<Path To Logo JPG/PNG>"}

To configure the illustration execute the following command:

Set-AdfsWebTheme -TargetName <Web Theme> -Illustration @{path="<Path To Illustration JPG/PNG>"}

To configure the logo for the local STS execute the following command:

Set-AdfsWebTheme -TargetName <Web Theme> -AdditionalFileResource @{Uri=’/adfs/portal/images/idp/localsts.png’;path="<Path To Local STS Logo JPG/PNG>"}

To configure the logo for the Remote IdP/STS, for which no suffix is configured, execute the following command:

Set-AdfsWebTheme -TargetName <Web Theme> -AdditionalFileResource @{Uri=’/adfs/portal/images/idp/idp.png’;path="<Path To General IdP Logo JPG/PNG>"}

To configure the logo for the Remote IdP/STS, for which at least one suffix is configured, execute the following command:

Set-AdfsWebTheme -TargetName <Web Theme> -AdditionalFileResource @{Uri=’/adfs/portal/images/idp/otherorganizations.png’;path="<Path To Other Organizations Logo JPG/PNG>"}

To configure the logo for the Remote IdP/STS with a custom (company) logo, execute the following command

Set-AdfsWebTheme -TargetName <Web Theme> -AdditionalFileResource @{uri="/adfs/portal/images/idp/<CP Trust Name>.png";path="<Path To Custom IdP Logo JPG/PNG>"}

REMARK: If you rename a CP trust, you also need to rename the web file in the URL! If you do not, the general IdP logo is displayed

REMARK: Instead of using PNG files, you can also use JPG files! Whatever extension you use, the extension of the file being imported must match the extension of the web file in the URL!

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Active Directory Federation Services (ADFS), Home Realm Discovery (HRD), Web Themes | Leave a Comment »

(2016-08-04) Forcing Sync On A Non-Primary ADFS Server When Using WID

Posted by Jorge on 2016-08-04


By default, when using WID, any secondary ADFS server pulls data from the primary ADFS server every 5 minutes (default value). To change the pull interval, it must be changed on all secondary ADFS servers, using the following command:

Set-AdfsSyncProperties -PollDuration <Number In Seconds>

However, if you want to force pull synchronization on any secondary ADFS to source it from the primary ADFS server, there is no default PowerShell cmdlet to do this. You must simply restart the ADFS server on the secondary ADFS server, like for example:

Restart-Service ADFSSRV

Remember that when you restart the ADFS service, you ADFS server temporarily becomes unavailable!

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Active Directory Federation Services (ADFS), DB On WID | Leave a Comment »

(2016-07-31) Configuring ADFS To Use A Custom SQL Port

Posted by Jorge on 2016-07-31


If for whatever reason you need to change the default SQL port and you need to tell ADFS to use it, or if you need to move the DBs to another SQL server, you can use the following procedure:

Retrieving the current connection string for the configuration DB:

Execute the following commands on any ADFS Server:

$fedSvcSTS = Get-WmiObject -namespace root/ADFS -class SecurityTokenService

$fedSvcSTSConfigDBConnectionString = $fedSvcSTS.ConfigurationdatabaseConnectionstring

$fedSvcSTSConfigDBConnectionString

Setting a new connection string for the configuration DB:

Execute the following commands ON EVERY ADFS SERVER!:

$fedSvcSTSConfigDBNewConnectionString = "Data Source=SQL1.DOMAIN.COM\SQLINSTANCE,10001;Failover Partner=SQL2.DOMAIN.COM\SQLINSTANCE,10001;Initial Catalog=ADFSConfiguration;Integrated Security=True" <—example values!!!

$fedSvcSTS = Get-WmiObject -namespace root/ADFS -class SecurityTokenService

$fedSvcSTS.ConfigurationdatabaseConnectionstring = $fedSvcSTSConfigDBNewConnectionString

$fedSvcSTS.put()

Restart-Service ADFSSRV

Retrieving the current connection string for the artifact DB:

Execute the following commands on any SQL Based ADFS Server, or the primary WID based ADFS Server:

$fedSvcSTSArtifactDBConnectionString = (Get-ADFSProperties).ArtifactDbConnection

Setting a new connection string for the artifact DB:

Execute the following commands on any SQL Based ADFS Server, or the primary WID based ADFS Server:

$fedSvcSTSArtifactDBNewConnectionString = "Data Source=SQL1.DOMAIN.COM\SQLINSTANCE,10001;Failover Partner=SQL2.DOMAIN.COM\SQLINSTANCE,10001;Initial Catalog=ADFSArtifactStore;Integrated Security=True" <—example values!!!

Set-ADFSProperties -ArtifactDbConnection $fedSvcSTSArtifactDBNewConnectionString

Restart-Service ADFSSRV

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Active Directory Federation Services (ADFS), DB On SQL, Ports | Leave a Comment »

(2016-07-27) How To Disable Local Authentication In ADFS v2.x, ADFS v3.0 And ADFS v4.0

Posted by Jorge on 2016-07-27


If you do not want to have the local STS (and therefore the local AD and any trusted AD) to be listed on the HRD page, while only allowing remote IdPs (CPs), you need to disable local authentication in ADFS

To disable local authentication in ADFS v2.0, perform the following steps:

  • Navigate to the folder “C:\inetpub\adfs\ls”
  • Edit the file "web.config"
  • Edit the following section as follows, and save afterwards:

<localAuthenticationTypes>
        <!– <add name="Integrated" page="auth/integrated/" /> –>
        <!– <add name="Forms" page="FormsSignIn.aspx" /> –>
        <!– <add name="TlsClient" page="auth/sslclient/" /> –>
        <!– <add name="Basic" page="auth/basic/" /> –>
</localAuthenticationTypes>

To disable local authentication in ADFS v2.1 and ADFS v3.0, perform the following steps:

  • Navigate to “C:\Windows\Adfs”
  • Edit the file "microsoft.IdentityServer.Servicehost.exe.config"
  • Edit the following section as follows, and save afterwards:

<microsoft.identityServer.web> 
       <acceptedFederationProtocols wsFederation="true" saml="true" /> 
       <localAuthenticationTypes enabled="false"> 
</localAuthenticationTypes>

To disable local authentication in ADFS v4.0, perform the following steps:

  • Open a PowerShell command prompt window
  • Execute the following command:

Set-AdfsProperties -EnableLocalAuthenticationTypes $false

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Active Directory Federation Services (ADFS), Home Realm Discovery (HRD) | Leave a Comment »

(2016-07-24) Fixing Web Content Data In ADFS 2012 R2 (v3.0) When Leveraging WID As A Database Store

Posted by Jorge on 2016-07-24


This blog post only applies if you are using ADFS v3.0 (ADFS 2012 R2) AND you are using WID as the database store! It does not apply when using SQL, and it does not apply when using ADFS v4.0 (ADFS 2016) with WID!

In ADFS v3.0 (and higher) it is possible to configure custom web content for:

  1. Relying Party Trust Web Content (*)
  2. Global Web Content
  3. Authentication Provider Web Content (*)
  4. Web Config
  5. Web Theme

When using WID, you must execute the configuration on the primary ADFS server. After 5 minutes (default) at a maximum, the secondary ADFS servers, get the changes from the primary ADFS server. Well, with regards to web content, almost right

For the web content stuff marked with a (*), there is bug where the content defined at the primary ADFS server DOES NOT replicate to the secondary ADFS servers. Because of that users may experience inconsistent results

Example configurations for [1]:

Set-AdfsRelyingPartyWebContent -Name ‘SALESFORCE dot COM’ -ErrorPageAuthorizationErrorMessage "<B><Font size=’4′ color=’red’>Authorization Has Been Denied For ‘SALESFORCE.COM’.</Font></B><BR><BR>You Either Do Not Have The Correct Authorization Or You Have Been Assigned More Than One Profile ID.<BR><BR>Please Contact <A HREF=’mailto:ADM.ROOT@IAMTEC.NL?subject=Access Request For Application 'SALESFORCE.COM'’>ADM.ROOT</A> To Resolve This If You Require Access."

Example configurations for [3]:

Set-AdfsAuthenticationProviderWebContent -Name AzureMfaServerAuthentication -DisplayName ‘Azure AD MFA AuthN’ -Description ‘Azure AD MFA Based Upon SMS, Phone Call Or Authenticator App’

The user experience is as follows….

When a user hits the primary ADFS server, the following is displayed, which is the custom web content for a relying party trust:

image

Figure 1: Custom Web Content For A Relying Party Trust On The Primary ADFS Server

When a user hits any of the secondary ADFS servers, the following is displayed, which is the default web content for a relying party trust:

image

Figure 2: Default Web Content For A Relying Party Trust On The Primary ADFS Server

When a user hits the primary ADFS server, the following is displayed, which is the custom web content for a authentication provider:

image

Figure 3: Custom Web Content For An Authentication Provider Relying Party Trust On The Primary ADFS Server

When a user hits any of the secondary ADFS servers, the following is displayed, which is the default web content for an authentication provider:

image

Figure 4: Default Web Content For An Authentication Provider Relying Party Trust On The Primary ADFS Server

So, as you can see the user experience is quite different when hitting either the primary ADFS server or any secondary ADFS server

You might think to also execute the PowerShell commands on any secondary ADFS server. However, that’s not possible because secondary ADFS servers are not writable and therefore the PowerShell commands do not work. It will work however, if you temporarily configure a secondary to be a primary, execute the commands, then reconfigure it back to a secondary. If you have multiple WID based ADFS servers, that can be some extensive work, which is also subject to mistakes ending up in inconsistencies.

So, how to solve this?

I wrote a script, which is available here that helps in configuring the web content on secondary ADFS servers.

WARNING: I do not know if this is supported or not by Microsoft. However, it does solve the problem as currently unfortunately there is no hotfix that fixes this issue in ADFS v3.0. Make sure to test this FIRST in a test lab before using it in production!

Please provide feedback through the comments section OR you the contact page

DISCLAIMER (READ THIS!):

  • I wrote this script, therefore I own it. Anyone asking money for it, should NOT be doing that and is basically ripping you off!
  • The script is freeware, you are free to use it and distribute it, but always refer to this website (https://jorgequestforknowledge.wordpress.com/) as the location where you got it.
  • This script is furnished "AS IS". No warranty is expressed or implied!
  • I have NOT tested it in every scenario nor have I tested it against every Windows and/or AD version
  • Always test first in lab environment to see if it meets your needs!
  • Use this script at your own risk!
  • I do not warrant this script to be fit for any purpose, use or environment!
  • I have tried to check everything that needed to be checked, but I do not guarantee the script does not have bugs!
  • I do not guarantee the script will not damage or destroy your system(s), environment or whatever!
  • I do not accept liability in any way if you screw up, use the script wrong or in any other way where damage is caused to your environment/systems!
  • If you do not accept these terms do not use the script in any way and delete it immediately!

SYNTAX:

  • <PoSH Script File> [-adfsServers <FQDN ADFS server 1>,<FQDN ADFS server 2>,etc ] [-scriptBlock <PowerShell Command>] [-scriptFile <Path To Text File Containing PowerShell Commands>] [-showScriptOutput]

This script is well documented (look inside the script) or execute:

Get-help .\Process-Web-Content-On-WID-Based-ADFS-Servers.ps1 -full

….but I’ll explain the parameters that can be used

Parameter “adfsServers”

When this parameter is specified, the XML config file is NOT read and a separated list of FQDNs must be specified through this parameter listing the ADFS servers that must be targeted. This may for example be used when you have just one or more new secondary ADFS server to update after those have been installed in addition to the existing ones

However, if you have a new configuration that must be applied to all ADFS servers, you may still use this parameter, but you can also create an XML file that contains all ADFS servers. This can be handy when you must apply changes to all existing ADFS servers. When you want to use the XML config file, do not use this parameter and the script will look for the XML config file which must be in the same folder as the script itself. By default the script will look for the XML file! It will abort if it does not find the XML config file!

EXAMPLE Contents of “ADFS-STS-SCRIPT-CONFIG.XML”

<?xml version="1.0" encoding="utf-8"?>
<adfsScriptConfig xmlns:xsi="
http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
    <adfsServers>
        <adfsServer serverName="R1FSRWDC1.IAMTEC.NET" />
        <adfsServer serverName="R1FSRWDC2.IAMTEC.NET" />
        <adfsServer serverName="R1FSRWDC3.IAMTEC.NET" />
        <adfsServer serverName="R1FSRWDC4.IAMTEC.NET" />
    </adfsServers>
</adfsScriptConfig>

Parameter “scriptBlock”

With this parameter one PowerShell command can be specified as a value for this parameter. Pay very special attention to the quotes used!

Example value: "Set-AdfsRelyingPartyWebContent -Name ‘SALESFORCE dot COM’ -ErrorPageAuthorizationErrorMessage `"<B><Font size=’4′ color=’red’>Authorization Has Been Denied For ‘SALESFORCE.COM’.</Font></B><BR><BR>You Either Do Not Have The Correct Authorization Or You Have Been Assigned More Than One Profile ID.<BR><BR>Please Contact <A HREF=’mailto:ADM.ROOT@IAMTEC.NL?subject=Access Request For Application 'SALESFORCE.COM'’>ADM.ROOT</A> To Resolve This If You Require Access.`""

Parameter “scriptFile”

With this parameter one or more PowerShell commands can be specified in a text file. The complete path of the text is then used as a value for this parameter.

Example value: "C:\TEMP\ScriptBlock.txt"

Parameter “showScriptOutput”

This parameter tells the script to display the output of the commands on screen, if there is anything to display at all.

Another thing to be aware of is that the script logs everything into an event log called “Custom – Support”. If the event log does not exist it will create it and also register the source. If you do not want this, scan through the script and remove or out comment those parts!

image

Figure 5: Example XML Config File

image

Figure 6: Example Script Block File Containing Multiple PowerShell Commands To Execute

image

Figure 7: Example Output – General Info

image

Figure 8: Example Output – Performing Checks

image

Figure 9: Example Output – Processing Commands Against An ADFS Server (R1FSRWDC1.IAMTEC.NET)

image

Figure 10: Example Output – Processing Commands Against An ADFS Server (R1FSRWDC2.IAMTEC.NET)

image

Figure 11: Example Output – Processing Commands Against An ADFS Server (R1FSRWDC3.IAMTEC.NET)

image

Figure 12: Example Output – Processing Commands Against An ADFS Server (R1FSRWDC4.IAMTEC.NET)

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Active Directory Federation Services (ADFS), DB On WID, PowerShell, Tooling/Scripting | Leave a Comment »

(2016-07-21) A Hotfix Rollup Package (Build 4.3.2266.0) Is Available for Microsoft Identity Manager 2016

Posted by Jorge on 2016-07-21


Microsoft released a new hotfix for MIM 2016 with build 4.3.2266.0. What it fixes can be found in this blog post. For additional or detailed info see MS-KBQ3171342

Download link

Issues that are fixed and features that are added in this update

Privileged Access Management (PAM)

Issue 1

When you create a PRIV ONLY PAM user, the PAM monitor service throws the following warning message when it tries to update the PAM users email in active directory and the value already exists:

System.Exception: Set PAM object dictionary already contain attribute ‘Email’.

FIM add-ins and extensions

Issue 1

SSPR windows clients on systems that use a high DPI setting have an incorrect scaling of the final page (the Password Reset Flow page) in which the radio buttons are overlapped.

Issue 2

SSPR windows clients have text messages that overlap after a password reset if the resulting message (success or error) contains more than three lines.

FIM Certificate Management

Issue 1

The ExecuteOperations.Disable operation from the Microsoft.Clm.BusinessLayer.Shared.dll public library does not work correctly and returns an error because of incorrect object initialization.

Issue 2

A smart card search takes 3.5 minutes on an idle server. Additionally, the search never ends if the server is stressed.

Issue 3

There is a redundant space in the "Profile Summary" string on the Request Complete page for some languages.

Issue 4

The Duplicate Revocation Settings policy is replaced because some users could not set it.

Issue 5

A certificate in the Certificate Management portal may use the LDAP CN name instead of DisplayName when it calls REST.

Issue 6

For ZH-Hans and some other languages, link underlining in the Certificate Management portal is misplaced (stroke instead of an underline) because of a font issue.

FIM Synchronization Service

Issue 1

Under certain conditions, the file selection dialog box does not appear on the MA configuration wizard pages.

Issue 2

Error messages are logged in the event log (such as Event ID 6313). Additionally, performance counters don’t work.

Issue 3

The Sync Service crashes when you run a Full Synchronization process that has Equal Precedence set for attributes that exist in IAF or EAF.

Issue 4

When an incorrect page size (either less than the minimum or more than the maximum) is used for the run profile of the ECMA2 management agent, the page size value quietly changes to the minimum or the maximum after you click Finish.

Issue 5

An error message from the Management Agent cannot be parsed if it contains some special symbols. Therefore, the error message doesn’t appear in the error list as expected, and a non-informative error window appears.

Issue 6

You receive a "Reference to undeclared entity ‘qt’" error message when you run the history process and the history text contains the "greater than" (>) symbol.

Issue 7

New Functionality: The ability to skip the Management Agent during the import of a server configuration is added. A new -Skip parameter is added to the Import-MIISServerConfig cmdlet.
The names of MAs to skip should be delimited by a semicolon (;), as in the following example:

Import-MIISServerConfig -Path "C:\exported" -Skip "FIMMA;ADMA"

Note If you do not use the -Skip parameter, the default behavior occurs.

Issue 8

A "MEMORY_ALLOCATION_FAILURE" error occurs in the Performance Monitoring tool when the performance data .dll file cannot open the process.

FIM Portal

Issue 1

Multivalued labels are displayed incorrectly in a single line in the UI.

Issue 2

When you upload Resource Control Display Configurations (RCDC), the xml-format is not verified.

Issue 3

You cannot drag-and-drop a user to the Remove box to delete the user or to remove the user from a group membership.

Issue 4

Local date and time settings are ignored for the Australian English (en-AU) locale.

Issue 5

This update enables customizations that have controls that are shown or hidden based on the state of the email-enabling check box.

An additional attribute to RCDCs configuration data is included in this update. The Now Event element may have a Parameters attribute. For Group RCDC for the OnChangeEmailEnabling event, the element should contain a comma-separated, case-sensitive list of controls to show or hide.

Example

<my:Control my:Name="EmailEnabling" my:TypeName="UocCheckBox"
 my:Caption="%SYMBOL_EmailEnablingCaption_END%"
 my:Description="%SYMBOL_EmailEnablingDescription_END%"
 my:AutoPostback="true" my:RightsLevel="{Binding Source=rights,
 Path=Email}">
        <my:Properties>
         <my:Property my:Name="Text" my:Value="%SYMBOL_EmailEnablingValue_END%"/>
        </my:Properties>
        <my:Events>

Note If the Parameters attribute is not included, the default behavior occurs.

FIM Service

Issue 1

In SharePoint Server 2013 and later versions, if you edit a workflow or update an email template by using the FIM Portal, the version is automatically updated to 4.0.0.0. This causes a system error message during processing.

BHOLD

Issue 1

When you add a user to an organizational unit (OU) that has some incompatible permissions in the OUs role, all the incompatible permissions are assigned.

Issue 2

Some issues are fixed for attribute-based authorization (ABA) roles that are assigned to a user when the roles have incompatible permissions.

Issue 3

When you use Access Management Connector to provision new OUs with a parent OU, all the parent OU roles are inherited but are also disabled.

Issue 4

An error occurs in BHOLD during installation in Internet Information Services (IIS) 10.

Issue 5

If two or more roles that are assigned to a user who has the same permissions as the roles, and the roles use the endDate attribute, you cannot extract a user permission that has the latest date.

Issue 6

An email alias is truncated if it is longer than 30 characters.

Cheers,

Jorge

———————————————————————————————

* This posting is provided "AS IS" with no warranties and confers no rights!

* Always evaluate/test yourself before using/implementing this!

* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/

———————————————————————————————

############### Jorge’s Quest For Knowledge #############

######### http://JorgeQuestForKnowledge.wordpress.com/ ########

———————————————————————————————

Posted in Forefront Identity Manager (FIM) bHold, Forefront Identity Manager (FIM) Certificate Management, Forefront Identity Manager (FIM) PCNS, Forefront Identity Manager (FIM) Portal, Forefront Identity Manager (FIM) Sync, Updates, Updates, Updates, Updates, Updates | Leave a Comment »

(2016-07-21) A Hotfix Rollup Package (Build 4.1.3765.0) Is Available for Forefront Identity Manager 2010 R2

Posted by Jorge on 2016-07-21


Microsoft released a new hotfix for FIM 2010 R2 with build 4.1.3765.0. What it fixes can be found in this blog post. For additional or detailed info see MS-KBQ3171318

Download link

Issues that are fixed and features that are added in this update

FIM Certificate Management

Issue 1

A smart card search takes 3.5 minutes on an idle server. Additionally, the search never ends if the server is stressed.

Issue 2

The Duplicate Revocation Settings policy is replaced because some users could not set it.

Issue 3

There is a redundant space in the "Profile Summary" string on the Request Complete page for some languages.

FIM Synchronization Service

Issue 1

In a metaverse search and when you view the object, there is a Last Modified field. But when you sort that field, it sorts as a generic text field instead of as a date field.

Issue 2

Error messages (such as Event ID 6313) are logged in the event log. Additionally, performance counters don’t work.

Issue 3

The Sync Service crashes when you run a Full Synchronization process that has Equal Precedence set for attributes that exist in IAF or EAF.

Issue 4

When an incorrect page size (either less than the minimum or more than the maximum) is used for the run profile of the ECMA2 management agent, the size value quietly changes to the minimum or the maximum after you click Finish.

Issue 5

An error message from the Management Agent cannot be parsed if it contains some special symbols. Therefore, the error message doesn’t appear in the error list as expected, and a non-informative error window appears.

Issue 6

You receive a "Reference to undeclared entity ‘qt’" error message when you run the history process and the history text contains the "greater than" symbol (>).

Issue 7

Under certain conditions, the file selection dialog box does not appear on the MA configuration wizard pages.

Issue 8

A "MEMORY_ALLOCATION_FAILURE" error occurs in the Performance Monitoring tool when the performance data .dll file cannot open the process.

FIM Portal

Issue 1

Multivalued labels are displayed incorrectly in a single line in the UI.

FIM Service

Issue 1

During an Export process between the Synchronization and FIM Service, the msidmCompositeType request may fail if some multivalued string attribute value is changed in the scope of the Export session. This behavior affects performance.

Issue 2

In SharePoint Server 2013 and later versions, if you change a workflow or update an email template by using the FIM Portal, the version is automatically updated to 4.0.0.0. This causes a system error message during processing.

BHOLD

Issue 1

When you add a user to an organizational unit (OU) that has some incompatible permissions in the OUs role, all the incompatible permissions are assigned.

Issue 2

Some issues are fixed for attribute-based authorization (ABA) roles that are assigned to a user when the roles have incompatible permissions.

Issue 3

When you use the Access Management Connector to provision new OUs with a parent OU, all the parent OU roles are inherited but are also disabled.

Issue 4

An error occurs in BHOLD during installation in Internet Information Services (IIS) 10.

Issue 5

If two or more roles assigned to a user who has the same permissions as the roles, and the roles use the endDate attribute, you cannot extract a user permission that has the latest date.

Issue 6

An email alias is truncated if it is longer than 30 characters.

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Forefront Identity Manager (FIM) bHold, Forefront Identity Manager (FIM) Certificate Management, Forefront Identity Manager (FIM) PCNS, Forefront Identity Manager (FIM) Portal, Forefront Identity Manager (FIM) Sync, Updates, Updates, Updates, Updates, Updates | 2 Comments »

(2016-07-20) Installing And Configuring Azure AD Connect Health For Active Directory Domain Services

Posted by Jorge on 2016-07-20


This blog post show you how to configure Azure AD Connect Health for AD/ADDS

First download the Azure AD Connect Health Agent for AD/ADDS from here

After the download move/copy the executable to every DC you want to install the Azure AD Connect Health for AD/ADDS on

Double-click on the executable

Click [Install]

image

Figure 1: Azure AD Connect Health – Install Screen

After the installation ends, you need to determine how your DCs have access to the internet.

If the DC has a direct connection, you need to only open up firewall ports first before continuing.

If the DC must have access through a proxy, you must configure the proxy settings first before continuing

There are several options to source the proxy settings from

[1] If you want to source the settings from Internet Explorer use: Set-AzureAdConnectHealthProxySettings -ImportFromInternetSettings

[2] If you want to source the settings from WinHTTP use: Set-AzureAdConnectHealthProxySettings -ImportFromWinHttp

[3] If you want to source the settings manually use: Set-AzureAdConnectHealthProxySettings -HttpsProxyAddress <PROXYSERVER>:<PORT>

Afterwards you can view the proxy settings in use by Azure AD Connect Health through: Get-AzureAdConnectHealthProxySettings

Additional info regarding the URLs accessed by Azure AD Connect Health see: https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect-health-agent-install/

If your DC supports cookies and JavaScript or IE Enhanced Security Configuration has been disabled:

Click [Configure Now]

If your DC does not support cookies and JavaScript or IE Enhanced Security Configuration has been or is enabled:

Click [Close] and continue with figure 9

image

Figure 2: Azure AD Connect Health – Configure Screen

Specify either native Azure AD credentials or federated credentials. In either case, the credentials must have the Global Administrator role in Azure AD!

image

Figure 3: Azure AD Connect Health – Initial Credentials Screen

…because I used federated credentials, I’m redirected to ADFS

image

Figure 4: Azure AD Connect Health – Redirection To ADFS

…specify the password belonging to the specified user name

image

Figure 5: Azure AD Connect Health – Credentials Screen

…registration continues

image

Figure 6: Azure AD Connect Health – Registration Of The Agent

If you clicked [Configure Now] in figure 2 and your DC did not support cookies and JavaScript or IE Enhanced Security Configuration has been or is enabled, you will see the following message

Close the screen by clicking the red cross in the upper right corner

image

Figure 7: Azure AD Connect Health – Message About Cookies And/Or Javascript Not Being Supported

Closing the screen above throws the following errors

image

Figure 8: Azure AD Connect Health – Additional Errors

Open a new PowerShell command prompt window and type:

Import-Module AdHealthAdds

$azureADCreds = Get-Credential

Specify either native Azure AD credentials or federated credentials. In either case, the credentials must have the Global Administrator role in Azure AD!

image

Figure 9: Azure AD Connect Health – Starting Registration And Entering Native Azure Credentials

In the existing PowerShell command prompt window type:

Register-AzureADConnectHealthADDSAgent -Credential $azureADCreds

image

Figure 10: Azure AD Connect Health – Registration Of The Agent

Done! After doing on all the DCs, you can go to https://portal.azure.com/ and check the health of your AD/ADDS

PS: The installation of the Azure AD Connect Health Agent for ADFS is very similar!

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Active Directory Domain Services (ADDS), Azure AD Connect Health, Azure AD Connect Health, Windows Azure Active Directory | Leave a Comment »

(2016-07-19) Azure AD Connect Health For Active Directory Domain Services Has Been Released

Posted by Jorge on 2016-07-19


Microsoft has released Azure AD Connect Health for AD/ADDS! COOL!

More information:

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

 

Posted in Active Directory Domain Services (ADDS), Azure AD Connect Health, Azure AD Connect Health, Windows Azure Active Directory | Leave a Comment »

 
%d bloggers like this: