Jorge's Quest For Knowledge!

All You Need To Know About Identity And Security On-Premises And In The Cloud. It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2017-01-15) Azure AD Connect Health Telling The ADFS Farm Just Dropped Dead!

Posted by Jorge on 2017-01-15


When you get any or all of the following mails from Azure AD Connect Health, your ADFS farm is hosed and you are in big trouble. Make sure this does NOT happen to you!

(Don’t worry, this is just my test/demo environment that was turned off for the holidays)

Figure 1: E-mail From Azure AD Connect Health Mentioning The Token Signing Certificate Has Expired

Figure 2: E-mail From Azure AD Connect Health Mentioning The Token Encryption/Decryption Certificate Has Expired

Figure 3: E-mail From Azure AD Connect Health Mentioning The SSL Certificate Has Expired

In addition, your ADFS Admin Event Log only displays one color, RED, lots of it!
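An added example, not part of the original post: a check that lists every ADFS certificate with its remaining lifetime, so an expiry is caught before Connect Health has to mail you. It assumes an elevated session on an ADFS v3.0 or later server where the ADFS module, Get-AdfsCertificate and Get-AdfsSslCertificate are available.

```powershell
# Report the token-signing, token-decrypting, service-communications and SSL
# certificates of this ADFS server and warn about anything near expiry.
Import-Module ADFS
$warnDays = 30
$now = Get-Date

# Token-Signing, Token-Decrypting and Service-Communications certificates,
# including secondary ones staged by automatic certificate rollover.
$report = @(foreach ($c in Get-AdfsCertificate) {
    [pscustomobject]@{
        Type       = $c.CertificateType
        IsPrimary  = $c.IsPrimary
        Subject    = $c.Certificate.Subject
        Thumbprint = $c.Thumbprint
        NotAfter   = $c.Certificate.NotAfter
        DaysLeft   = [int]($c.Certificate.NotAfter - $now).TotalDays
    }
})

# The SSL certificate bound to the federation service endpoints.
# Get-AdfsSslCertificate only returns the hash, so resolve it in the machine store.
$sslHashes = Get-AdfsSslCertificate | ForEach-Object { $_.CertificateHash } | Sort-Object -Unique
foreach ($hash in $sslHashes) {
    $cert = Get-Item "Cert:\LocalMachine\My\$hash" -ErrorAction SilentlyContinue
    if (-not $cert) { Write-Warning "SSL certificate $hash not found in LocalMachine\My"; continue }
    $report += [pscustomobject]@{
        Type       = 'SSL'
        IsPrimary  = $true
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        DaysLeft   = [int]($cert.NotAfter - $now).TotalDays
    }
}

$report | Sort-Object DaysLeft | Format-Table Type, IsPrimary, Subject, NotAfter, DaysLeft -AutoSize

$atRisk = @($report | Where-Object { $_.DaysLeft -le $warnDays })
if ($atRisk.Count -gt 0) {
    Write-Warning "$($atRisk.Count) ADFS certificate(s) expired or expiring within $warnDays days"
}

# Token certificates only renew themselves when rollover is on; the SSL
# certificate never does, so it always needs a manual renewal plan.
if (-not (Get-AdfsProperties).AutoCertificateRollover) {
    Write-Warning 'AutoCertificateRollover is disabled: token certificates will not renew automatically'
}
```

Schedule it on every farm node (the SSL certificate is per server, the token certificates are farm-wide) and alert on the warnings.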

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
######### http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Active Directory Federation Services (ADFS), Azure AD Connect Health, Certificates, Windows Azure Active Directory

(2017-01-11) Azure AD Connect v1.1.380.0 Has Been Released

Posted by Jorge on 2017-01-11


Integrating your on-premises directories with Azure AD makes your users more productive by providing a common identity for accessing both cloud and on-premises resources. With this integration users and organizations can take advantage of the following:

  • Organizations can provide users with a common hybrid identity across on-premises or cloud-based services leveraging Windows Server Active Directory and then connecting to Azure Active Directory.
  • Administrators can provide conditional access based on application resource, device and user identity, network location and multifactor authentication.
  • Users can leverage their common identity through accounts in Azure AD to Office 365, Intune, SaaS apps and third-party applications.
  • Developers can build applications that leverage the common identity model, integrating applications into Active Directory on-premises or Azure for cloud-based applications.

Azure AD Connect makes this integration easy and simplifies the management of your on-premises and cloud identity infrastructure.

Download "Microsoft Azure Active Directory Connect"

Azure AD Connect: Version Release History

1.1.380.0

Released: 2016 December

Prerequisites for Azure AD Connect

More information about Azure AD Connect

New features:

  • N.A. 

Fixed issues:

  • Fixed the issue where the issuerid claim rule for ADFS is missing in this build

Known issues:

  • N.A. 

Improvements:

  • N.A.

I ran the MSI and upgraded from the previous version without any issues!

Cheers,
Jorge

Posted in Azure AD Connect, Windows Azure Active Directory

(2017-01-01) Re-Awarded for the 12th Time – MVP Enterprise Mobility (Identity And Access)

Posted by Jorge on 2017-01-01


Oops, I did it again!

Today, January 1st, I received an e-mail from Microsoft saying I was re-awarded the MVP Award for Enterprise Mobility in the Identity And Access area. This year is the twelfth time I have received this award!

Let’s go for yet another year! Whooohoooo!

!!! THANKS !!!

Cheers,
Jorge

Posted in MVP

(2016-12-31) Happy New Year!

Posted by Jorge on 2016-12-31


I would like to wish everyone a happy New Year. Be careful with the fireworks!


Figure 1: Happy New Year 2017 (Source: http://www.happy-newyearimages.com/wp-content/uploads/2016/09/Happy-New-Year-2017-Wallpapers-1.jpg)

Cheers,
Jorge

Posted in Day-To-Day Stuff

(2016-12-28) Joining Devices To Azure AD – The Options And The Differences

Posted by Jorge on 2016-12-28


This blog post is about joining/registering devices to Azure AD and the differences between the available options.

The following types of relations exist between a device and Azure AD:

[A] “AD Domain Join” + “Auto Registration for AAD” (a.k.a. just AAD Domain Join):

This is the traditional way of joining a computer to an AD domain. If auto registration for AAD has been configured in the AD domain for Windows computers, then Win7/8.1/10 devices will also register in AAD automatically. How this is done differs between Windows versions. The device is managed through GPOs and/or SCCM on-premises.

In AAD the status of the device is:

  • “DeviceTrustType = Domain Joined”
  • “DeviceTrustLevel = Managed”

Due to the trust type “Domain Joined”, the device would be able to access resources configured with conditional access. If your computers are joined to your AD domain, then you should use this option. You can read more about it in the following blog post: (2016-12-16) Automatic Azure AD Join With ADFS v3.0 And Higher And Conditional Access – What You Really Need In Detail.

[B] “Azure AD Join”:

This option is the online version of joining a device to an AD domain. Instead of joining the device to the AD domain, the device is joined directly to the AAD tenant. It is the new way of setting up work-owned devices (e.g. a Windows 10 laptop) and using Azure AD as your directory directly. When configured accordingly, it is possible to disallow Azure AD join for all users, allow it for specific people/groups, or allow it for every user (self-service). When configured accordingly, the device can also enrol into either Intune or the MDM solution that has been configured in Azure AD. The device is managed through the applicable MDM solution.

In AAD the status of the device is:

  • “DeviceTrustType = Azure AD Joined”
  • “DeviceTrustLevel = Compliant” (only when fulfilling the compliance requirements, otherwise it is “Managed”)

Due to the trust level “Compliant”, the device would be able to access resources configured with conditional access. You should only use this if you are migrating from your on-premises AD to Azure AD, or if you do not have (or do not want to have) an on-premises AD.

Figure 1: The Link To The Azure AD Join Option

Figure 2: Azure AD Join For Work Related Devices

[C] “Workplace Join” (Windows 7/8.1) or “Add Work or School Account” (Windows 10) or a.k.a. just “Device Registration”

This is the way to register personal devices with Azure AD to be able to access work-related resources. The user will then be able to leverage SSO for work resources through apps and the browser (Edge and IE). When configured accordingly, it is possible to either disallow device registration or allow device registration for every user (self-service). When configured accordingly, the device can also enrol into either Intune or the MDM solution that has been configured in Azure AD. The device is managed through the applicable MDM solution.

In AAD the status of the device is:

  • “DeviceTrustType = Workplace Joined”
  • “DeviceTrustLevel = Compliant” (only when fulfilling the compliance requirements, otherwise it is “Managed”)

Due to the trust level “Compliant”, the device would be able to access resources configured with conditional access. When enabling this, it applies to every user with an AAD account. It is however possible to limit the number of registered devices per user. If MDM is used, it is also possible to configure for which users MDM is mandatory: “None”, “Specific Groups” or “All”. You should use this if you allow people to register their personal devices.

Figure 3: “Add Work Or School Account” (Windows 10) Or A.K.A. Just “Device Registration” For Personal Devices

In addition:

  • Registered = the device is known to Azure AD (a registered device can be managed or non-managed)
  • Managed = Registered + managed by an MDM solution (a managed device can be compliant or non-compliant)
  • Compliant = Managed + fulfils all compliance rules
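An added example, not part of the original post: an inventory of the tenant’s devices by the DeviceTrustType/DeviceTrustLevel combinations described above, flagging the devices that, by the rules in this post, would not pass a device-based conditional access policy. It assumes the MSOnline module (Get-MsolDevice) and an existing Connect-MsolService session; the property names are those Get-MsolDevice returns.

```powershell
# Inventory all devices and show how they are split across trust type and trust level.
$devices = @(Get-MsolDevice -All)

$devices |
    Group-Object DeviceTrustType, DeviceTrustLevel |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize

function Test-DeviceConditionalAccess {
    # Encodes the rules from the post: "Domain Joined" passes on trust type alone,
    # "Azure AD Joined" and "Workplace Joined" only pass when the trust level is "Compliant".
    param([Parameter(Mandatory)]$Device)
    switch ($Device.DeviceTrustType) {
        'Domain Joined'    { return $true }
        'Azure AD Joined'  { return ($Device.DeviceTrustLevel -eq 'Compliant') }
        'Workplace Joined' { return ($Device.DeviceTrustLevel -eq 'Compliant') }
        default            { return $false }
    }
}

# Devices that are registered (known to Azure AD) but would be blocked by a
# device-based conditional access policy: typically personal or Azure AD joined
# devices that are not enrolled in MDM, or enrolled but not compliant.
$notEligible = @($devices | Where-Object { -not (Test-DeviceConditionalAccess -Device $_) })

"{0} of {1} devices would not pass device-based conditional access" -f $notEligible.Count, $devices.Count
$notEligible |
    Select-Object DisplayName, DeviceOsType, DeviceTrustType, DeviceTrustLevel, ApproximateLastLogonTimestamp |
    Sort-Object DeviceTrustType, DisplayName |
    Format-Table -AutoSize
```

Stale entries (old ApproximateLastLogonTimestamp) in the non-eligible list are candidates for clean-up rather than for MDM enrolment.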

With regards to auto Azure AD joining computers to Azure you can read the following documentation:

…and if you also want to go all crazy about all kinds of details, you must definitely read Jairo’s blog posts about Azure AD join and related matters. These are:

Cheers,
Jorge

Posted in Azure AD Join, Windows Azure Active Directory

(2016-12-24) Merry Christmas Everyone!

Posted by Jorge on 2016-12-24


I would like to wish everyone a merry Christmas! Enjoy the holidays!


Figure 1: Merry Christmas By Patrice (Source: http://www.imagesbuddy.com/merry-christmas-wallpaper-by-patrice/)

Cheers,
Jorge

Posted in Day-To-Day Stuff

(2016-12-24) Can You Use ADFS v2.x To Federate With Azure AD?

Posted by Jorge on 2016-12-24


You might still be running ADFS v2.0 and want to know if you can federate with Azure AD and what the possible limitations are.

Below you can find my experiences:

  1. Federated user authentication against Azure AD will work.
  2. Federated computer authentication against Azure AD will NOT work. In other words, Auto Azure AD Join will not work.
  3. Redirecting MFA from Azure AD to on-premises ADFS will NOT work, unless you have a custom developed MFA solution for ADFS v2.x.

[AD.1]

To read about the configurations required, see (2016-12-16) Automatic Azure AD Join With ADFS v3.0 And Higher And Conditional Access – What You Really Need In Detail. Look at the claims rules for user authentication on the RP trust for Azure AD and the CP trust for AD.

[AD.2]

All the required configurations as mentioned in (2016-12-16) Automatic Azure AD Join With ADFS v3.0 And Higher And Conditional Access – What You Really Need In Detail can be achieved in ADFS v2.0, except one! You must configure the "AllowedAuthenticationClassReferences" on the RP trust for Azure AD, which is not possible in ADFS v2.0.

[AD.3]

To use MFA with ADFS v2.0, like it is possible in ADFS v3.0 and higher, you must have bought or developed a custom MFA solution. Any investment in that is pointless, as you cannot reuse it in any way in ADFS v3.0 or higher due to the different architecture. Therefore, without an MFA solution in ADFS v2.0 you will not be able to redirect any required MFA to the on-premises ADFS. It must be processed by Azure AD itself.

Cheers,
Jorge

Posted in Active Directory Federation Services (ADFS), Azure AD / Office 365, Workplace Join

(2016-12-23) New Password Change Notification Service (PCNS) Package Has Been Released

Posted by Jorge on 2016-12-23


If you have installed the MIM 2016 version with SP1 integrated, you will have PCNS version 4.4.1237.0 on your writable DCs, if you are using PCNS at all.

Figure 1: PCNS Version/Build 4.4.1237.0 Installed On A Writable DC

However, as soon as you try to start the “Password Change Notification Service” service, it stops immediately. When you look in the Application event log, you will see:

Figure 2: PCNS Error About An Untrusted Root Certificate That Is Part Of The Certificate Chain Used To Sign The Binaries

The Password Change Notification service executable "C:\Program Files\Microsoft Password Change Notification\pcnssvc.exe" failed while verifying the file signature. The service will not be started and password notifications will not be sent.
pcnsfltapi.cpp (525): A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider.

To solve this issue, Microsoft has released a new version of the PCNS package, which can be downloaded from here.

Funnily enough, the new PCNS package carries the same version/build as MIM 2016 after applying the SP1 update package, but it does not mention MIM 2016 (with SP1) in the release notes. It also does not state that it can run on Windows Server 2016 writable DCs.

Well, I did install it on a Windows Server 2016 writable DC, and it actually works, and it also works with MIM 2016 SP1!
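An added example, not part of the original post: the same check PCNS performs at start-up, done by hand so you can see where the chain breaks before (or after) installing the new package. It verifies the Authenticode signature of pcnssvc.exe and builds the signer’s certificate chain, reporting each element’s status; the executable path is the default one from the event log above.

```powershell
# Verify the Authenticode signature of the PCNS service binary and walk its
# certificate chain the way the service's signature check does.
$exe = 'C:\Program Files\Microsoft Password Change Notification\pcnssvc.exe'

$sig = Get-AuthenticodeSignature -FilePath $exe
"Signature status : {0} ({1})" -f $sig.Status, $sig.StatusMessage
if (-not $sig.SignerCertificate) { throw "$exe carries no Authenticode signature" }
"Signer           : {0}" -f $sig.SignerCertificate.Subject

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
# Same strictness a service-side check applies: full chain, online revocation.
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$built = $chain.Build($sig.SignerCertificate)
"Chain builds     : {0}" -f $built

# Print every element; the error in the post ("terminated in a root certificate
# which is not trusted") shows up here as UntrustedRoot on the last element.
foreach ($element in $chain.ChainElements) {
    "  {0} (expires {1:yyyy-MM-dd})" -f $element.Certificate.Subject, $element.Certificate.NotAfter
    foreach ($status in $element.ChainElementStatus) {
        "      {0}: {1}" -f $status.Status, $status.StatusInformation.Trim()
    }
}

# Confirm whether the root the chain ends in is actually in the machine's root store.
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if (-not (Test-Path "Cert:\LocalMachine\Root\$($root.Thumbprint)")) {
    Write-Warning ("Root '{0}' (thumbprint {1}) is not in LocalMachine\Root; the service will refuse to start" -f $root.Subject, $root.Thumbprint)
}
```

Run it on the DC itself: the root store that matters is the one of the machine account the service runs under, not your workstation’s.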

Cheers,
Jorge

Posted in Microsoft Identity Manager (MIM), PCNS

(2016-12-20) The LDAP Filter Prettyfier

Posted by Jorge on 2016-12-20


Have you ever received an LDAP filter that was so hideous or so complex you had to reformat it to understand it? Well, you no longer need to reformat it yourself!

Willem Kasdorp, a Microsoft PFE, has written a very effective PowerShell script that reformats any LDAP filter into a more understandable form. You can read more about this, and also get the PowerShell code, from here.

I once received an LDAP filter similar to what you see below:

"(|(&(|(mail=*@company.nl)(mail=*@company.com))(!mail=*testuser*)(!mail=*internal*)(!mail=*1111*)(!mail=*zz-pa1111*)(!mail=*2222*)(!mail=*somestring1*)(!mail=*somestring2*)(!mail=vendor*)(!mail=*somestring3*)(!mail=*somestring4*)(!displayName=aaa*)(!name=bbb*)(!name=ccc*)(!name=ddd*)(!sAMAccountName=eee*)(!sAMAccountName=admin*)(!sAMAccountName=fff*)(!title=functional*)(!displayName=ggg*)(!displayName=hhh*)(!displayName=iii*)(!msExchHideFromAddressLists=TRUE))(&(|(mail=*@company.nl)(mail=*@company.com))(!mail=*somestring5*)(!mail=*somestring6*)(!mail=*3333*)(!mail=*zz-pa2222*)(!mail=*4444*)(!mail=*somestring7*)(!mail=*somestring1*)(!mail=vendor*)(!mail=*somestring8*)(!mail=*somestring9*)(!name=jjj)(!name=kkk*)(!name=lll*)(!sAMAccountName=mmm*)(!sAMAccountName=admin*)(!sAMAccountName=nnn*)(!title=functional*)(!displayName=ooo*)(!displayName=ppp*)(!displayName=qqq*)(msExchHideFromAddressLists=TRUE)(userAccountControl:1.2.840.113556.1.4.803:=2)))"

There is NO WAY you will understand this LDAP filter without reformatting it first to some more understandable form!

So, let’s use the PowerShell script and see what the LDAP filter is actually doing.


Figure 1: Prettyfying The LDAP Filter To An Understandable Format

(|
  (&
    (|
      (mail=*@company.nl)
      (mail=*@company.com)
    )
    (!mail=*testuser*)
    (!mail=*internal*)
    (!mail=*1111*)
    (!mail=*zz-pa1111*)
    (!mail=*2222*)
    (!mail=*somestring1*)
    (!mail=*somestring2*)
    (!mail=vendor*)
    (!mail=*somestring3*)
    (!mail=*somestring4*)
    (!displayName=aaa*)
    (!name=bbb*)
    (!name=ccc*)
    (!name=ddd*)
    (!sAMAccountName=eee*)
    (!sAMAccountName=admin*)
    (!sAMAccountName=fff*)
    (!title=functional*)
    (!displayName=ggg*)
    (!displayName=hhh*)
    (!displayName=iii*)
    (!msExchHideFromAddressLists=TRUE)
  )
  (&
    (|
      (mail=*@company.nl)
      (mail=*@company.com)
    )
    (!mail=*somestring5*)
    (!mail=*somestring6*)
    (!mail=*3333*)
    (!mail=*zz-pa2222*)
    (!mail=*4444*)
    (!mail=*somestring7*)
    (!mail=*somestring1*)
    (!mail=vendor*)
    (!mail=*somestring8*)
    (!mail=*somestring9*)
    (!name=jjj)
    (!name=kkk*)
    (!name=lll*)
    (!sAMAccountName=mmm*)
    (!sAMAccountName=admin*)
    (!sAMAccountName=nnn*)
    (!title=functional*)
    (!displayName=ooo*)
    (!displayName=ppp*)
    (!displayName=qqq*)
    (msExchHideFromAddressLists=TRUE)
    (userAccountControl:1.2.840.113556.1.4.803:=2)
  )
)
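An added example, not Willem’s script and not part of the original post: a minimal PowerShell function that indents an LDAP filter by nesting depth, producing the same layout as the output above. It treats (& and (| as groups, (!( as an RFC 4515 NOT group, and AD’s shorthand (!attr=value) as a leaf, and throws on unbalanced parentheses; the sample filter at the bottom is a constructed, shortened version of the one in this post.

```powershell
function Format-LdapFilter {
    param(
        [Parameter(Mandatory)][string]$Filter,
        [int]$IndentSize = 2
    )
    $f = $Filter.Trim().Trim('"')
    $lines = New-Object System.Collections.Generic.List[string]
    $depth = 0
    $i = 0
    while ($i -lt $f.Length) {
        $ch = [string]$f[$i]
        if ($ch -eq '(') {
            $next      = if ($i + 1 -lt $f.Length) { [string]$f[$i + 1] } else { '' }
            $afterNext = if ($i + 2 -lt $f.Length) { [string]$f[$i + 2] } else { '' }
            # (& and (| open a group; (!( is a NOT group. AD's shorthand (!attr=value)
            # has no inner parenthesis and falls through to the leaf handling below.
            if (($next -in '&', '|') -or ($next -eq '!' -and $afterNext -eq '(')) {
                $lines.Add((' ' * ($depth * $IndentSize)) + '(' + $next)
                $depth++
                $i += 2
                continue
            }
            # Leaf (attr=value): RFC 4515 escapes parentheses inside values as \28 and \29,
            # so the first ')' really does close the leaf.
            $close = $f.IndexOf(')', $i)
            if ($close -lt 0) { throw "Unbalanced filter: '(' at offset $i is never closed" }
            $lines.Add((' ' * ($depth * $IndentSize)) + $f.Substring($i, $close - $i + 1))
            $i = $close + 1
            continue
        }
        if ($ch -eq ')') {
            $depth--
            if ($depth -lt 0) { throw "Unbalanced filter: unexpected ')' at offset $i" }
            $lines.Add((' ' * ($depth * $IndentSize)) + ')')
            $i++
            continue
        }
        if ([string]::IsNullOrWhiteSpace($ch)) { $i++; continue }
        throw "Unexpected character '$ch' at offset $i"
    }
    if ($depth -ne 0) { throw "Unbalanced filter: $depth group(s) never closed" }
    return ($lines -join [Environment]::NewLine)
}

# Constructed sample: a shortened version of the filter above, plus one RFC-style (!( ... )) group.
$ugly = '(|(&(|(mail=*@company.nl)(mail=*@company.com))(!mail=*testuser*))(&(mail=*@company.com)(!(sAMAccountName=admin*))(userAccountControl:1.2.840.113556.1.4.803:=2)))'
Format-LdapFilter -Filter $ugly
```

Laid out this way, the second branch of the filter in this post reads as "hidden from address lists AND disabled (userAccountControl bit 2)", which is the kind of thing that is invisible in the one-line form.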

Cheers,
Jorge

Posted in Active Directory Domain Services (ADDS), AD Queries

(2016-12-19) Azure AD Connect Delta Import Run Profile Throws “Stopped-Server-Down”

Posted by Jorge on 2016-12-19


You may notice that the “Delta Import” run profile for the AAD connector in Azure AD Connect throws a “Stopped-Server-Down” after running for about 20 or so minutes. Other connectors and other run profiles execute without any problem!

In the application event log, you may see the following information and error events.

Figure 1: Informational Event In The Application Event Log

The underlying connection was closed: The connection was closed unexpectedly.

Figure 2: Informational Event In The Application Event Log

ProvisioningServiceAdapter::ExecuteWithRetry: Action: Import, Attempt: 0.

Live token has expired and it will be renewed automatically.

Figure 3: Error Event In The Application Event Log

Failure while prefetching import data.

Figure 4: Error Event In The Application Event Log

Failure while importing entries from Windows Azure Active Directory. Exception: Microsoft.MetadirectoryServices.ServerDownException: Failed even after 5 retries. Action: Import, Network error occurrences = 5. Exception: Unable to communicate with the Windows Azure Active Directory service. Tracking ID: b1796718-1719-4014-aa4a-80e73c5f8087 See the event log for more details.. —> Microsoft.Online.Coexistence.ProvisionRetryException: Unable to communicate with the Windows Azure Active Directory service. Tracking ID: b1796718-1719-4014-aa4a-80e73c5f8087 See the event log for more details. —> System.ServiceModel.CommunicationException: The underlying connection was closed: The connection was closed unexpectedly. —> System.Net.WebException: The underlying connection was closed: The connection was closed unexpectedly.
   at System.Net.HttpWebRequest.GetResponse()
   at System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
   — End of inner exception stack trace —
Server stack trace:
   at System.ServiceModel.Channels.HttpChannelUtilities.ProcessGetResponseWebException(WebException webException, HttpWebRequest request, HttpAbortReason abortReason)
   at System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
   at System.ServiceModel.Channels.RequestChannel.Request(Message message, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)
Exception rethrown at [0]:
   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
   at Microsoft.Online.Coexistence.Schema.IProvisioningWebService.ReadBackAzureADSyncObjects(Byte[] inputCookie, Boolean isFullSync)
   at Microsoft.Online.Coexistence.ProvisionHelper.InvokeAwsAPI[T](Func`1 awsOperation, String opsLabel)
   — End of inner exception stack trace —
   at Microsoft.Online.Coexistence.ProvisionHelper.CommunicationExceptionHandler(CommunicationException ex)
   at Microsoft.Online.Coexistence.ProvisionHelper.InvokeAwsAPI[T](Func`1 awsOperation, String opsLabel)
   at Microsoft.Azure.ActiveDirectory.Connector.ProvisioningServiceAdapter.<>c__DisplayClass7.<Import>b__6()
   at Microsoft.Azure.ActiveDirectory.Connector.ProvisioningServiceAdapter.ExecuteWithRetry(String actionName, Action action)
   — End of inner exception stack trace —
   at Microsoft.Azure.ActiveDirectory.Connector.GetImportEntriesTask.GetNextBatch()
   at Microsoft.Azure.ActiveDirectory.Connector.AADConnector.GetImportEntriesCore()
   at Microsoft.Azure.ActiveDirectory.Connector.AADConnector.GetImportEntries(GetImportEntriesRunStep getImportEntriesRunStep).

Figure 5: Error Event In The Application Event Log

The management agent "XXXXXXXXXXXXXXXX.onmicrosoft.com – AAD" failed on run profile "Delta Import" because the server encountered errors.

The solution? Believe it or not, but it worked for me!

Set-ADSyncScheduler -SyncCycleEnabled $FALSE   # stop the scheduler from starting new sync cycles
Start-ADSyncSyncCycle -PolicyType Initial      # run a full (initial) cycle: full import/sync/export on all connectors
Start-ADSyncSyncCycle -PolicyType Delta        # then a normal delta cycle
Set-ADSyncScheduler -SyncCycleEnabled $TRUE    # re-enable the scheduler
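An added example, not part of the original post: the same four steps, wrapped so that each cycle is only started once the previous one has finished (Start-ADSyncSyncCycle fails while a cycle is still running) and so that the scheduler is put back in its original state even when a cycle errors out. It assumes it runs on the Azure AD Connect server with the ADSync module available.

```powershell
# Run an initial and then a delta sync cycle with the scheduler paused,
# waiting for the engine to go idle between steps.
Import-Module ADSync

function Wait-ADSyncIdle {
    param([int]$TimeoutMinutes = 120, [int]$PollSeconds = 30)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    while ((Get-ADSyncScheduler).SyncCycleInProgress) {
        if ((Get-Date) -gt $deadline) {
            throw "A sync cycle was still in progress after $TimeoutMinutes minutes"
        }
        Start-Sleep -Seconds $PollSeconds
    }
}

function Invoke-ADSyncCycleAndWait {
    param([Parameter(Mandatory)][ValidateSet('Initial', 'Delta')][string]$PolicyType)
    Start-ADSyncSyncCycle -PolicyType $PolicyType | Out-Null
    # The cycle is kicked off asynchronously; give the scheduler a moment to
    # flag it as in progress before polling, otherwise we return too early.
    Start-Sleep -Seconds 15
    Wait-ADSyncIdle
}

$before = Get-ADSyncScheduler
try {
    Set-ADSyncScheduler -SyncCycleEnabled $false
    Wait-ADSyncIdle                      # a scheduled cycle may still be running right now

    Invoke-ADSyncCycleAndWait -PolicyType Initial
    Invoke-ADSyncCycleAndWait -PolicyType Delta
}
finally {
    # Restore the scheduler to whatever it was before, even if a cycle threw.
    Set-ADSyncScheduler -SyncCycleEnabled $before.SyncCycleEnabled
}
```

Check the run history in the Synchronization Service Manager afterwards: the “Delta Import” step of the AAD connector should now show “success” instead of “stopped-server-down”.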

Cheers,
Jorge

Posted in Azure AD Connect, Troubleshoot, Windows Azure Active Directory