Jorge's Quest For Knowledge!

About Windows Server, ADDS, ADFS, Azure AD, FIM/MIM & AADSync (Just Like An Addiction, The More You Have, The More You Want To Have!)

(2016-01-24) Azure AD Connect – Identifying Users In AD And In Azure AD (Part 2)

Posted by Jorge on 2016-01-24


In the previous blog post, I described the unique identification of users in AD and AAD. In this post I will describe the unique identification of the other object types in AD and AAD, and how Azure AD Connect handles that.

For the other object types (e.g. Group, Contact, ForeignSecurityPrincipal) it is not possible to make selections similar to the ones available for users; Azure AD Connect always uses the default configuration.

For the object types Group and Contact, the attribute used as the sourceAnchor attribute in Azure AD will always be the objectGUID. Objects of the object type ForeignSecurityPrincipal will only ever join to existing objects.

In the default sync rules “In from AD – Group Common” and “In from AD – Contact Common” the following attribute flow exists:

Expression(ConvertToBase64([objectGUID])) ===> attribute(sourceAnchor)

For the object type Group, the default sync rules “In from AD – Group Join” and “In from AD – Group Filtering” list the following to join/match/link objects.


Figure 1: Default Join Rules For Group Objects

For the object type Contact, the default sync rules “In from AD – Contact Join” and “In from AD – Contact Filtering” list the following to join/match/link objects.


Figure 2: Default Join Rules For Contact Objects

For the object type ForeignSecurityPrincipal, the default sync rules “In from AD – ForeignSecurityPrincipal Join User” lists the following to join/match/link objects.


Figure 3: Default Join Rules For ForeignSecurityPrincipal Objects

In the next blog post I will share my views on what you should do with regards to using an Immutable ID, and also show you how to configure it.

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Azure AD Connect, Windows Azure Active Directory

(2016-01-19) Free AD Tool For The IT Pro (4)

Posted by Jorge on 2016-01-19


While browsing the internet I found the following AD related tools that might be worth checking out. Have fun!

REMARK: I do not own and do not support these tools. These tools are also not specifically recommended by me, this post is just a "FYI only!" It is your responsibility to test and check out these tools to see if these meet your requirements.

Z-Hire/Z-Term Active Directory, Exchange, Lync, Office 365 User Creation Tool

Z-Hire automates the IT account creation process for Exchange mailbox, Active Directory, Lync accounts, Office 365 cloud and SalesForce cloud deployments. With just a click of the button, your Exchange mailbox, Active Directory user and Lync accounts will be created simultaneously. This tool can also create and set custom settings for Office 365 accounts using templates. Z-Hire serves as the platform for new hire accounts by allowing auto-creation of major IT user accounts with the option for custom scripts. Z-Hire will decrease your new hire user account deployment time by 600%, without the need for complicated and expensive identity management solutions. This Active Directory User Creation Tool makes creating Active Directory users a breeze. Some of the features include:

  • Environment Auto detection/discovery (AD/Exchange/Lync/Office 365/SalesForce)
  • Copy existing Active Directory User to Z-Hire Template
  • Support for Active Directory user, Exchange Mailbox, Lync 2010, Lync 2013, Office 365 user and SalesForce user account
  • Template based deployment (allows consistency for all user accounts)
  • Office 365 account creation with major attributes
  • Office 365 license only mode (assign license only, when using DirSync)
  • Office 365 Hybrid mode ( for organizations running Office 365 in Hybrid mode)
  • Active Directory user account creation with major attributes
  • Active Directory group selection
  • Active Directory user duplicate SamAccountName verification
  • Lync 2010 account creation supporting all policies
  • SalesForce user creation support all major attributes
  • Faster performance (compared to previous version)
  • Bulk import from CSV / Text to provision Active Directory, Exchange, Lync and Office 365 users (version 5.3)
  • HRIS / WorkDay driven user provisioning (Automatically provision users from WorkDay and other HRIS Systems)
  • HRIS / WorkDay driven data sync (Automatically sync user data such as Title, Department from WorkDay and other HRIS systems)

Click HERE for more information

Cheers,
Jorge

Posted in Active Directory Domain Services (ADDS), Exchange Server, IT Pro Tools, OCS/Lync Server, Office 365, Windows Azure Active Directory

(2016-01-17) Azure AD Connect – Identifying Users In AD And In Azure AD (Part 1)

Posted by Jorge on 2016-01-17


Like in AD, users in Azure AD (AAD) must be uniquely identified. When synchronizing users from AD to AAD, AD is the authoritative source and must therefore provide all the data needed to uniquely identify the user in AAD. Within Azure AD every user must be uniquely identified by two attributes: an Immutable ID (sourceAnchor) and a User Principal Name.

Source Anchor: This attribute is immutable during the lifetime of a user object. It is the primary key linking the on-premises AD account with the Azure AD account.

User Principal Name: This attribute is used by users, for both regular accounts and admin accounts, when logging on to Azure AD and Office 365.

The preferred synchronization tool is the sync engine available in Azure AD Connect. During the installation of Azure AD Connect, in the section “(Uniquely) Identifying (Your) Users”, one must specify:

  • “Select how users should be identified in your on-premises directory” (a.k.a. “Join Criteria”) –> which attribute or attributes should be used in the sync rule “In from AD – User Join” (for user objects) and sync rule “In from AD – InetOrgPerson Join” (for InetOrgPerson objects)
  • “Select how users should be identified with Azure” –> which attributes should be used as the identifiers (for source anchor and user principal name) in AAD for the user account

Multiple choices exist, and in this blog post I will explain all the options and show the corresponding configurations, so that you can see what you get with a specific choice before installing Azure AD Connect.


Figure 1: (Uniquely) Identifying (Your) Users – Option 1 – “Users Are Represented Only Once Across All Directories”

With the selected options under “Select how users should be identified with Azure”, the attribute listed as the source anchor will be used as the source for the sourceAnchor attribute in Azure AD. By default this is the objectGUID; in this case it lists iamTECImmutableID, which is a custom attribute that I added to the schema of my AD. More about this in a later blog post.

In the default sync rules “In from AD – User AccountEnabled”, “In from AD – User Common”, “In from AD – InetOrgPerson AccountEnabled” and “In from AD – InetOrgPerson Common” the following attribute flow exists:

Expression(IIF(IsPresent([msExchRecipientTypeDetails]),IIF([msExchRecipientTypeDetails]=2,NULL,IIF(IsString([iamTECImmutableID]),CStr([iamTECImmutableID]),ConvertToBase64([iamTECImmutableID]))),IIF(IsString([iamTECImmutableID]),CStr([iamTECImmutableID]),ConvertToBase64([iamTECImmutableID])))) ===> attribute(sourceAnchor)

The expression can be better seen as:

IIF(
     IsPresent([msExchRecipientTypeDetails]),
     IIF(
          [msExchRecipientTypeDetails]=2,
          NULL,
          IIF(
               IsString([<attribute listed as source anchor>]),
               CStr([<attribute listed as source anchor>]),
               ConvertToBase64([<attribute listed as source anchor>])
          )
     ),
     IIF(
          IsString([<attribute listed as source anchor>]),
          CStr([<attribute listed as source anchor>]),
          ConvertToBase64([<attribute listed as source anchor>])
     )
)

In the same 4 default sync rules the following attribute flow exists:

Expression(IIF(IsPresent([userPrincipalName]),[userPrincipalName], IIF(IsPresent([sAMAccountName]),([sAMAccountName]&"@"&%Domain.FQDN%),Error("AccountName is not present")))) ===> attribute(userPrincipalName)

The expression can be better seen as:

IIF(
     IsPresent([<attribute listed as user principal name>]),
     [<attribute listed as user principal name>],
     IIF(
          IsPresent([sAMAccountName]),
          ([sAMAccountName]&"@"&%Domain.FQDN%),
          Error("AccountName is not present")
     )
)
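As an added example (not code from the original post, nor from Azure AD Connect itself), the Python below reproduces the two default attribute flows shown above, plus the Group/Contact flow ConvertToBase64([objectGUID]) from Part 2 of this series, on a constructed sample object. It assumes objectGUID arrives as the raw 16 bytes AD stores (the .NET Guid byte order), which is what the sync engine base64-encodes; the sample GUID, names and the iamTECImmutableID value are made up.

```python
import base64
import uuid

# Constructed sample: the connector-space attributes Azure AD Connect would
# read for one AD user (values are made up, not from a real forest).
SAMPLE_USER = {
    "objectGUID": uuid.UUID("12345678-1234-1234-1234-123456789abc").bytes_le,
    "sAMAccountName": "jdoe",
    "userPrincipalName": "jdoe@iamtec.net",
    "iamTECImmutableID": "EMP-000123",   # string-valued custom anchor attribute
}


def convert_to_base64(value: bytes) -> str:
    """ConvertToBase64(): base64 of a binary attribute value."""
    return base64.b64encode(value).decode("ascii")


def object_guid_bytes(guid_text: str) -> bytes:
    """objectGUID as AD stores it: the GUID's 16 bytes in .NET Guid order
    (first three fields little-endian). This, not the textual form and not
    the big-endian RFC 4122 layout, is what gets base64-encoded, so the
    anchor for a given GUID differs from base64 of its RFC 4122 bytes."""
    return uuid.UUID(guid_text).bytes_le


def source_anchor(obj: dict, anchor_attr: str):
    """Default 'In from AD - User Common' sourceAnchor flow:
    IIF(IsPresent([msExchRecipientTypeDetails]),
        IIF([msExchRecipientTypeDetails]=2, NULL, <encode anchor>),
        <encode anchor>)
    where <encode anchor> is CStr() for a string attribute and
    ConvertToBase64() for a binary one. An absent msExchRecipientTypeDetails
    and a present one that is not 2 both end up in <encode anchor>."""
    if obj.get("msExchRecipientTypeDetails") == 2:
        # Value 2 is an Exchange linked mailbox; the rule flows NULL for it.
        return None
    value = obj[anchor_attr]          # assumption: the anchor attribute is populated
    if isinstance(value, str):
        return value                  # CStr([attr])
    return convert_to_base64(value)   # ConvertToBase64([attr])


def group_or_contact_source_anchor(obj: dict) -> str:
    """Default 'In from AD - Group/Contact Common' flow: always objectGUID."""
    return convert_to_base64(obj["objectGUID"])


def user_principal_name(obj: dict, upn_attr: str, domain_fqdn: str) -> str:
    """Default userPrincipalName flow: the chosen UPN attribute if present,
    else sAMAccountName@<domain FQDN>, else Error()."""
    if obj.get(upn_attr):
        return obj[upn_attr]
    if obj.get("sAMAccountName"):
        return f"{obj['sAMAccountName']}@{domain_fqdn}"
    raise ValueError("AccountName is not present")


if __name__ == "__main__":
    print("anchor (objectGUID):", source_anchor(SAMPLE_USER, "objectGUID"))
    print("anchor (custom):    ", source_anchor(SAMPLE_USER, "iamTECImmutableID"))
    print("upn (fallback):     ",
          user_principal_name({"sAMAccountName": "svc1"}, "userPrincipalName", "iamtec.net"))
```

Feed the same textual GUID through `object_guid_bytes` and through base64 of its RFC 4122 bytes and you get two different anchors; only the first matches what Azure AD Connect writes, which matters when you compute an ImmutableID outside the sync engine.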

With the selected options under “Select how users should be identified in your on-premises directory”, the join rules in the default sync rules “In from AD – User Join” and “In from AD – InetOrgPerson Join” list the following when the option “Users are represented only once across all directories” is selected. In this case the objectGUID is used to join/match/link objects.


Figure 2: Default Join Rules For User And InetOrgPerson Objects When “Users are represented only once across all directories” Is Selected

With the option “Users identities exist across multiple directories. Match using:” you can choose yourself which attribute is used to join/match/link objects.

When you choose the mail attribute…


Figure 3: (Uniquely) Identifying (Your) Users – Option 2 – “Users identities exist across multiple directories. Match using: ‘mail’”

…the join rules in the default sync rules “In from AD – User Join” and “In from AD – InetOrgPerson Join” list the following when the mail attribute is used to join/match/link objects.


Figure 4: Default Join Rules For User And InetOrgPerson Objects When “Users identities exist across multiple directories. Match using: ‘mail’” Is Selected

When you choose the ObjectSID/msExchangeMasterAccountSID/msRTCSIP-OriginatorSID attributes…


Figure 5: (Uniquely) Identifying (Your) Users – Option 3 – “Users identities exist across multiple directories. Match using: ‘ObjectSID/msExchangeMasterAccountSID/msRTCSIP-OriginatorSID’”

…the join rules in the default sync rules “In from AD – User Join” and “In from AD – InetOrgPerson Join” list the following when the ObjectSID/msExchangeMasterAccountSID/msRTCSIP-OriginatorSID attributes are used to join/match/link objects.


Figure 6: Default Join Rules For User And InetOrgPerson Objects When “Users identities exist across multiple directories. Match using: ‘ObjectSID/msExchangeMasterAccountSID/msRTCSIP-OriginatorSID’” Is Selected

When you choose the SAMAccountName/MailNickName attributes…


Figure 7: (Uniquely) Identifying (Your) Users – Option 4 – “Users identities exist across multiple directories. Match using: ‘SAMAccountName/MailNickName’”

…the join rules in the default sync rules “In from AD – User Join” and “In from AD – InetOrgPerson Join” list the following when the SAMAccountName/MailNickName attributes are used to join/match/link objects.


Figure 8: Default Join Rules For User And InetOrgPerson Objects When “Users identities exist across multiple directories. Match using: ‘SAMAccountName/MailNickName’” Is Selected

And last but not least, you have the option to specify another attribute. You can use any attribute that is available in the AD schema, but when you choose another attribute, make sure that it really is able to contribute to joining/matching/linking objects. In addition, if you choose an attribute that is not already known in the metaverse (MV), you will end up with errors during the installation, as described in the blog post (2016-01-10) Joining Criteria In Azure AD Connect Throws An Error When Leveraging A Custom Attribute. In this case I chose an attribute that I added to the AD schema myself, and in that case…


Figure 9: (Uniquely) Identifying (Your) Users – Option 5 – “Users identities exist across multiple directories. Match using: ‘<Custom Attribute>’”


Figure 10: Default Join Rules For User And InetOrgPerson Objects When “Users identities exist across multiple directories. Match using: ‘<Custom Attribute>’” Is Selected

You have now seen how this is configured for users. How about all the other objects? Well, that’s for the next part in this series!

Cheers,
Jorge

Posted in Azure AD Connect, Windows Azure Active Directory

(2016-01-14) Public Availability Of The MIM WAL Project

Posted by Jorge on 2016-01-14


Announcing the public availability of the MIMWAL project, now available as an Open Source Project on GitHub.

The MIMWAL is a Workflow Activity Library (WAL) for building complex workflows in the Microsoft Identity Manager (MIM) 2016 and Forefront Identity Manager (FIM) 2010 R2 solution. The WAL is a powerful solution accelerator for MIM / FIM that provides foundational activities which can be combined to create complex workflows to implement business processes within a MIM / FIM solution simply by configuration instead of coding for days and months.


Figure 1: Available Activities Within FIM/MIM WAL

MIMWAL Features

  • Building-block Workflow Activities
  • Conditional Execution Capability for Building-block Activities
  • Support for Iteration Over a Collection of Values in Building-block Activities
  • Deep Resolution Capability for FIM Lookup Grammar
  • Rich Library of Workflow Functions
  • UI Framework for Building Additional Custom Workflow Activities
  • Support for ETW Event Tracing
  • Optimization of Update Requests
    • Combining multiple updates into a single request per resource per activity
    • Issuing update request only when resource is actually modified.

Supported Product Versions

  • Forefront Identity Manager (FIM) 2010 R2 – 4.1.3496 and above
  • Microsoft Identity Manager (MIM) 2016 – 4.3.1935 and above.

More information

Please visit the MIMWAL site at http://aka.ms/MIMWAL for information on project source code, releases and documentation, and discussion forums.

Cheers,
Jorge

Posted in Forefront Identity Manager (FIM) Portal, Workflow

(2016-01-10) Joining Criteria In Azure AD Connect Throws An Error When Leveraging A Custom Attribute

Posted by Jorge on 2016-01-10


At some point during the Azure AD Connect Installation Wizard, you need to select how objects will be matched within Azure AD Sync/Connect and how users will be identified within Azure AD. The attribute “iamTECImmutableID” is an attribute in my TEST/DEMO AD forest. You should NOT use it in your AD forest. You should use your own custom AD attribute!


Figure 1: Specifying Object Matching Within Azure AD Sync And Object Identification Within Azure AD

As you can see there are 5 options to choose from with regards to object matching within Azure AD Sync/Connect. The first 4 options use “default” attributes that are known to AD and to the MV in Azure AD Sync/Connect. The last option allows you to specify any attribute that is known to the AD schema. When choosing the 5th option (“A Specific Attribute”), you must be aware that the name of the attribute chosen must also exist in the MV of Azure AD Sync/Connect. The matching will be similar to cs:<attribute> – mv:<attribute>. If you choose an attribute that is already known within the MV of Azure AD Sync/Connect, then you are good to go. If you choose an attribute that is NOT yet known within the MV of Azure AD Sync/Connect, then you will experience issues later on. You will see an error similar to what is displayed below.


Figure 1: Error “JoinCondition’s specified target attribute ‘iamTECImmutableID’ is not a defined attribute type”

The clue is in the sentence “JoinCondition’s specified target attribute ‘iamTECImmutableID’ is not a defined attribute type”. Basically it is saying “The attribute ‘iamTECImmutableID’ does not exist in the Metaverse (MV)”. Because it does not exist, the join criteria cannot be created. Clicking [Retry] won’t help until you add the attribute to the MV. After adding the attribute to the MV and clicking [Retry], you may see an error message similar to the one shown below.


Figure 2: Error “Failed To Set Connector <Error>E_MMS_SCHEMA_CLASS_NOT_FOUND</Error>”

Clicking [Retry] won’t help either; at least, that’s what I experienced. The only solution I could use was aborting the wizard by clicking the cross in the upper right corner. After that, uninstall Azure AD Connect by running the MSI and choosing Remove. There is no need to uninstall the supporting components. Last but not least, make sure to delete everything in “C:\Program Files\Microsoft Azure AD Sync\Data”, otherwise you will get an error during installation saying the folder is not empty.

Now you can re-execute the MSI and install Azure AD Connect again. As soon as you have configured the screen as shown in figure 1, DO NOT click [Next]. Instead, start the Azure AD Connect Synchronization Service client. Then:

  • Click on Metaverse Designer
  • Click person object
  • Click Add Attribute
  • Click New Attribute

Specify the name of the attribute. It should be the same name as the name used in AD.

Specify the type of the attribute. It should match the type of the attribute in AD and make sure it is indexable.

Check “Indexed”. This is needed as the attribute is used in join criteria.

Click [OK] twice.


Figure 3: Defining A New Attribute In The Metaverse

Close the Azure AD Connect Synchronization Service client.

Now click on [Next] as shown in figure 1. Everything should be OK now and you are good to go!

Cheers,
Jorge

Posted in Azure AD Connect, Windows Azure Active Directory | 1 Comment »

(2016-01-01) Re-Awarded for the 11th Time – MVP Enterprise Mobility (Identity And Access)

Posted by Jorge on 2016-01-01


Oops, I did it again!

Today, on January 1st, I received an e-mail from Microsoft saying I was re-awarded the MVP Award for Enterprise Mobility in the Identity And Access area. This year is the eleventh time I have received this award!

Let’s go for yet another year! Whooohooo!



!!! THANKS !!!

Cheers,
Jorge

Posted in MVP

(2015-12-17) The “Get-ADPermission” CMDlet Reports A Corrupted ACE

Posted by Jorge on 2015-12-17


You are managing Exchange through PowerShell and this time you are checking the AD permissions on a user account with a mailbox. For that you use the following PowerShell command line:

Get-Mailbox -identity "<identity value>" | Get-ADPermission | Sort user | FT -AutoSize

The “<identity value>” specifies the mailbox that you want to view. You can use any value that uniquely identifies the mailbox. Example values are:

  • Name
  • Display name
  • Alias
  • Distinguished name (DN)
  • Canonical DN
  • <domain name>\<account name>
  • Email address
  • GUID
  • LegacyExchangeDN
  • SamAccountName
  • User ID or user principal name (UPN)

The command executes and you are confronted with the following, or similar, error:

WARNING: The object IAMTEC.NET/Org-Users/EMPLOYEES/Users/ICT/Jorge.deAlmeidaPint has been corrupted, and it’s in an inconsistent state. The following validation errors happened:

WARNING: The access control entry defines the ObjectType ’18d30bdd-e673-6047-b13c-cffee0abb929′ that can’t be resolved..


Figure 1: The PowerShell CMDlet “Get-ADPermission” Throws Error About Corrupted ACE

After seeing this error you may think about incorrect ordering of ACEs, as explained in the blog post (2014-08-04) Incorrectly Ordered Permissions After Removing ACE With LDP, or might even think your AD schema is in a bad shape.

This time, that is not the case.

Let’s investigate this step by step and see where the so called corruption came from!

When an ACE is defined, the specified security principal (user, group or computer) is assigned the specified permissions for an objectClass, or for an attributeClass within an objectClass. In either case the specified objectClass or attributeClass is always translated under the hood to its corresponding schemaIDGUID. Every objectClass and attributeClass in the AD schema must have, and has, a unique schemaIDGUID value. When extending the AD schema it is not mandatory to specify a schemaIDGUID value in base64 format. If you do not specify a schemaIDGUID value, AD will generate a unique value for you. However, that is NOT a best practice. When extending the AD schema you should always specify a unique schemaIDGUID value. If you intend to deploy your schema extension to multiple AD forests, then the schemaIDGUID for the extended objectClass or attributeClass should preferably be the same value across all AD forests.

The error mentions “ObjectType ’18d30bdd-e673-6047-b13c-cffee0abb929’”. The specified GUID value is NOT the objectGUID, it is the schemaIDGUID value of the objectClass or attributeClass that is causing the error. So, let’s search using the specified schemaIDGUID value.

For this I’m going to use PowerShell with the following commands to find the objectClass or attributeClass:

$rawGuid = ([guid]'18d30bdd-e673-6047-b13c-cffee0abb929').ToByteArray()

Get-ADObject -Filter {schemaIDGUID -eq $rawGuid} -SearchBase (Get-ADRootDSE).schemaNamingContext -Properties * | FL

The query result is:


Figure 2: Result Of The PowerShell Query In Searching For An objectClass Or attributeClass Through The schemaIDGUID

The name of the attributeClass already tells you how special it is, but that’s because I named it like that. In reality you will not see that. The real answer is hidden in the searchFlags property. If you look above you will see 904, which does not tell you much unless you decode it yourself, or use ADFIND from joeware.net. (@joe: stop laughing!)

Now let’s use ADFIND through the following command to find the objectClass or attributeClass:

adfind -schema -f "schemaIDGUID={{GUID:18d30bdd-e673-6047-b13c-cffee0abb929}}" -binenc -flagdc

The query result is:


Figure 3: Result Of The ADFIND Query In Searching For An objectClass Or attributeClass Through The schemaIDGUID

Of course ADFIND returns the same attributeClass, but at the same time it decodes searchFlags and systemFlags. When looking at the searchFlags property you will see the attribute has been configured with the confidentiality bit. Now, what’s special about that? You may or may not remember it, but to be able to read the data in a confidential attribute, you must be a member of “Domain Admins”, a member of “Account Operators”, a member of any other group that has Full Control on the corresponding object, or you must have at least the “Control Access” extended right.
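As an added example (not from the original post, nor from ADFIND or the ActiveDirectory PowerShell module), the Python below does the two things the PowerShell and ADFIND queries above rely on: it builds the raw-byte LDAP filter for a schemaIDGUID, which is the equivalent of handing Get-ADObject the GUID's ToByteArray() result, and it decodes a searchFlags value such as 904 into its individual bits, showing that the confidential bit (0x80) is among them. The schemaIDGUID is the one quoted in the warning above; the bit names follow MS-ADTS section 2.2.9.

```python
import uuid

# searchFlags bits as defined in MS-ADTS section 2.2.9 (Search Flags).
SEARCH_FLAGS = {
    0x0001: "fATTINDEX (indexed)",
    0x0002: "fPDNTATTINDEX (containerized index)",
    0x0004: "fANR (ambiguous name resolution)",
    0x0008: "fPRESERVEONDELETE (preserved on tombstone)",
    0x0010: "fCOPY (copied when copying a user)",
    0x0020: "fTUPLEINDEX (tuple index)",
    0x0040: "fSUBTREEATTINDEX (subtree index)",
    0x0080: "fCONFIDENTIAL (confidential attribute)",
    0x0100: "fNEVERVALUEAUDIT (no value auditing)",
    0x0200: "fRODCFilteredAttribute (not replicated to RODCs)",
    0x0400: "fEXTENDEDLINKTRACKING",
    0x0800: "fBASEONLY (base-scope searches only)",
    0x1000: "fPARTITIONSECRET",
}
CONFIDENTIAL = 0x0080

# The schemaIDGUID quoted in the Get-ADPermission warning in this post.
SCHEMA_ID_GUID = "18d30bdd-e673-6047-b13c-cffee0abb929"


def schema_id_guid_filter(guid_text: str) -> str:
    """LDAP filter matching a schema object by its binary schemaIDGUID.
    AD stores the GUID in .NET Guid byte order (first three fields
    little-endian), and an octet-string value is written into a filter as
    \\xx escapes (RFC 4515). Searching for the textual GUID would match
    nothing, which is why the PowerShell query converts it to a byte array."""
    raw = uuid.UUID(guid_text).bytes_le
    return "(schemaIDGUID=" + "".join(f"\\{b:02x}" for b in raw) + ")"


def decode_search_flags(value: int) -> list:
    """Names of every searchFlags bit set in value, lowest bit first;
    unknown bits are reported by value rather than silently dropped."""
    names = []
    for bit in range(value.bit_length()):
        mask = 1 << bit
        if value & mask:
            names.append(SEARCH_FLAGS.get(mask, f"unknown bit 0x{mask:04x}"))
    return names


def is_confidential(search_flags: int) -> bool:
    """True when the attribute is marked confidential, i.e. reading it needs
    the Control Access extended right (or Full Control) instead of plain Read."""
    return bool(search_flags & CONFIDENTIAL)


if __name__ == "__main__":
    print(schema_id_guid_filter(SCHEMA_ID_GUID))
    for name in decode_search_flags(904):   # the value shown in figure 2
        print(" ", name)
    print("confidential:", is_confidential(904))
```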

Now the ONLY tools I know of that can both read (interpret) and set the “Control Access” extended right are DSACLS, LDP and ADFIND/ADMOD. Other tools may not process/interpret it correctly; they then either do not display the “Control Access” extended right or throw some weird error, like the PowerShell CMDlet “Get-ADPermission”.

Now you might think “Yeah right. Your attribute is a custom AD schema extension and it has been implemented/designed in a bad way!”. Again, that’s not the case. This AD schema extension, like any other AD schema extension I have ever designed, follows best practices! By default, the AD schema also contains attributeClasses that have been configured with the confidentiality bit. To find those attributeClasses, read the blog post (2014-12-19) Finding Attributes Marked As Confidential. Now choose an attribute you like and configure it with the “Control Access” extended right (do this in a TEST environment).

To configure the “Control Access” extended right for the confidential attribute on an OU that targets user objects, execute the following command:

DSACLS "<DN of OU>" /G "<Security Principal>:CA;<Confidential Attribute>;user" /I:S

Now, execute the Get-ADPermission CMDlet as specified at the beginning of this blog post. You should see a similar error about a corrupted ACE.

Therefore the conclusion is that this is caused by the Get-ADPermission CMDlet (bug!) misinterpreting the “Control Access” extended right. I know this occurs in Exchange Server 2010 and Exchange Server 2013, and most likely also in Exchange Server 2016. The Exchange Product Team most likely will never fix this, as it is very low priority and there is no real issue here. If you really want to change the behavior of the Get-ADPermission CMDlet, then you need to submit a Design Change Request (DCR) with an impact analysis, including any monetary harm or loss you have due to this behavior. Good luck in trying to do that! You are better off ignoring this and paying real attention to some other stuff that’s more important!

Cheers,
Jorge

Posted in Active Directory Domain Services (ADDS), Confidential, Exchange Server, PowerShell | 5 Comments »

(2015-12-14) LithNet Utilities And Tools For Your FIM/MIM Solution

Posted by Jorge on 2015-12-14


There is a guy called Ryan Newington (Twitter and Blog), and he wrote and created some impressive utilities and tools that you can use in your challenge to design and configure an Identity Management system based upon either FIM 2010 R2 or MIM 2016.

Lithnet Metadirectory Services Utilities

  • Description: The Lithnet Metadirectory Services Utilities package is a .NET library containing extensions and utilities for writing code for the FIM sync engine. The library contains various helper classes and extensions for objects in the Microsoft.MetadirectoryServices namespace, such as the CSEntryChange. It allows you to reduce code and introduces new functions, such as XML serialization of native metadirectory services objects. It can be used in any rules extension or ECMA2.2 project, alongside the Microsoft.MetadirectoryServices component.
  • Documentation: https://lithnetmsu.codeplex.com/documentation
  • Download: https://www.nuget.org/packages/Lithnet.MetadirectoryServices/

Lithnet FIM Service REST API

Lithnet FIM PowerShell Module

Lithnet FIM Service Client

Lithnet FIM Unix/Linux SSH MA

  • Description: The Lithnet SSH MA is a Forefront Identity Manager (FIM) ECMA2.2 management agent used to provision and synchronize objects to Unix and Linux systems using SSH. The management agent supports: full and (optionally) delta imports; exports (supporting either object replace, attribute replace, attribute update, or multivalued reference attribute update modes); password set and change; username and RSA key-based logins, as well as username/password logins; and dynamic DN construction.
  • Documentation: https://lithnetsshma.codeplex.com/documentation
  • Download: https://lithnetsshma.codeplex.com/releases/view/113093

Lithnet ACMA

  • Description: Lithnet ACMA is a codeless rules engine for Microsoft Forefront Identity Manager 2010 R2. ACMA provides a means for performing powerful rules-based construction of objects and attributes without the need to write custom code.
    ACMA is implemented as an extensible management agent (ECMA2.2), built upon an SQL Server 2012 database, and comes with a powerful UI-based rules editor and PowerShell extensions.
  • Documentation: https://acma.codeplex.com/documentation
  • Download: https://acma.codeplex.com/releases/view/617213

Cheers,
Jorge

Posted in Forefront Identity Manager (FIM) Portal, Forefront Identity Manager (FIM) Sync, Tools

(2015-12-13) Your Claims Based Sharepoint Site Throws “SecurityTokenHandler Is Not Registered To Read Security Token”

Posted by Jorge on 2015-12-13


You have a claims-based SharePoint site that is connected to your federation system (ADFS v3.0 or higher). When you navigate to the SharePoint site, you get the following error. This assumes you have configured the WEB.CONFIG of the SharePoint site with CustomErrors=Off.


Figure 1: Error “A SecurityTokenHandler Is Not Registered To Read Security Token” In The Browser When CustomErrors Is Set To Off

If you do not get the error message above because the WEB.CONFIG of the SharePoint site is configured with CustomErrors=On, look in the Application Event Log; there you will see the following event:


Figure 2: Error “A SecurityTokenHandler Is Not Registered To Read Security Token” In The Application Event Log

Event code: 3005
Event message: An unhandled exception has occurred.
Event time: 11-Dec-2015 20:10:20
Event time (UTC): 11-Dec-2015 19:10:20
Event ID: 64406daa97dd490587551a7e16ad4a9b
Event sequence: 274
Event occurrence: 2
Event detail code: 0
 
Application information:
    Application domain: /LM/W3SVC/1518143395/ROOT-2-130943174825892689
    Trust level: Full
    Application Virtual Path: /
    Application Path: C:\inetpub\wwwroot\wss\VirtualDirectories\448\
    Machine name: R1FSMBSV2
 
Process information:
    Process ID: 3640
    Process name: w3wp.exe
    Account name: IAMTEC\SVC_R1_WebAppClaims
 
Exception information:
    Exception type: SecurityTokenException
    Exception message: ID4014: A SecurityTokenHandler is not registered to read security token (‘BinarySecurityToken’, ‘
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd’).
   at Microsoft.IdentityModel.Web.TokenReceiver.ReadToken(String tokenXml, XmlDictionaryReaderQuotas readerQuotas)
   at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequest request)
   at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)
   at Microsoft.SharePoint.IdentityModel.SPFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs eventArgs)
   at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

 
 
Request information:
    Request URL:
https://claims.iamtec.net:448/_trust/
    Request path: /_trust/
    User host address: 10.1.1.1
    User: 
    Is authenticated: False
    Authentication Type: 
    Thread account name: IAMTEC\SVC_R1_WebAppClaims
 
Thread information:
    Thread ID: 10
    Thread account name: IAMTEC\SVC_R1_WebAppClaims
    Is impersonating: False
    Stack trace:    at Microsoft.IdentityModel.Web.TokenReceiver.ReadToken(String tokenXml, XmlDictionaryReaderQuotas readerQuotas)
   at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequest request)
   at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)
   at Microsoft.SharePoint.IdentityModel.SPFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs eventArgs)
   at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
 
 
Custom event details:

Within ADFS execute:

Get-AdfsRelyingPartyTrust "<The Name Of The RP Trust Representing Your Sharepoint Application>"

Check the value of the EnableJWT property. If it is set to True, then that could be the issue.

image

Figure 3: The Properties Of The ADFS Relying Party Trust Representing The Sharepoint Application

Within ADFS execute:

Set-AdfsRelyingPartyTrust -TargetName "<The Name Of The RP Trust Representing Your Sharepoint Application>" -EnableJWT $false

Now try to access your SharePoint application. If the use of JWT tokens was the issue, the error should no longer appear and you should be able to access your SharePoint site.
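The two commands above check and fix one relying party trust by hand. The following PowerShell script is an added example, not code from the original post: it lists every ADFS relying party trust that has EnableJWT set to True (so you can see at a glance which WS-Federation relying parties, such as a claims-based SharePoint web application, are being issued JWT tokens wrapped in a BinarySecurityToken that the SharePoint-side token handlers cannot read, which is the ID4014 error in the trace above), and only changes the trust named in -TargetName when -Fix is also given. It assumes an elevated PowerShell session on an ADFS server with the ADFS module available; the trust name is supplied by the caller.

```powershell
# Added example (not from the original post): inventory ADFS relying party trusts that
# issue JWT tokens and, on request, disable JWT for the SharePoint trust named in -TargetName.
# Assumes: elevated session on an ADFS (v3.0 or higher) server; ADFS PowerShell module present.
param(
    [string]$TargetName,   # name of the RP trust for the SharePoint web application (caller-supplied)
    [switch]$Fix           # nothing is changed unless this switch is present
)

Import-Module ADFS -ErrorAction Stop

# 1. Inventory: which relying party trusts currently have EnableJWT = True?
#    For a WS-Federation relying party such as claims-based SharePoint this is the
#    condition that produces the ID4014 "SecurityTokenHandler is not registered" error.
$jwtTrusts = @(Get-AdfsRelyingPartyTrust | Where-Object { $_.EnableJWT -eq $true })

if ($jwtTrusts.Count -eq 0) {
    Write-Host "No relying party trusts have EnableJWT = True."
} else {
    Write-Host "Relying party trusts with EnableJWT = True:"
    $jwtTrusts | Select-Object Name, Identifier, WSFedEndpoint, EnableJWT | Format-Table -AutoSize
}

# 2. Remediation for the named trust: the same change the post makes with Set-AdfsRelyingPartyTrust.
if ($TargetName) {
    $rp = Get-AdfsRelyingPartyTrust -Name $TargetName
    if (-not $rp) { throw "No relying party trust named '$TargetName' was found." }

    if ($rp.EnableJWT -and $Fix) {
        Set-AdfsRelyingPartyTrust -TargetName $TargetName -EnableJWT $false
        Write-Host "EnableJWT set to False on '$TargetName'. Sign in to the SharePoint site again to confirm the error is gone."
    } elseif ($rp.EnableJWT) {
        Write-Host "'$TargetName' has EnableJWT = True. Re-run with -Fix to set it to False."
    } else {
        Write-Host "'$TargetName' already has EnableJWT = False, so JWT is not the cause of the ID4014 error here."
    }
}
```

Run it once without -Fix to get the inventory and the state of the SharePoint trust, then with -Fix to apply the same -EnableJWT $false change shown above. Keeping the change behind a switch means the script can be run on a production farm as a read-only check first.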

Cheers,
Jorge

Posted in Active Directory Federation Services (ADFS), JWT Tokens

(2015-12-12) A Hotfix Rollup Package (Build 4.3.2064.0) Is Available for Microsoft Identity Manager 2016

Posted by Jorge on 2015-12-12


Microsoft released a new hotfix for MIM 2016 with build 4.3.2064.0. What it fixes can be found in this blog post. For additional or detailed info see MS-KBQ3092179.

Download link

Issues that are fixed or features that are added in this update

This update also fixes the following issues or adds the following features that were not previously documented in the Microsoft Knowledge Base.

MIM add-ins and extensions

Issue 1

This hotfix addresses an issue that affects the password reset window and that occurs on monitors that have high DPI settings when the Windows display sizing of items is set to a custom size, such as 200 percent or more.

Certificate Management

Issue 1

You try to enroll a smart card by having the correct profile selected (with correct adminKey). However, the user PIN doesn’t correspond to the smart card PIN policy. In this situation, you receive the following error message:

The card cannot be accessed because the wrong PIN was presented.

Issue 2

MIM Configuration Manager Reporting doesn’t show smart card settings correctly. Settings are shown only for the Pkcs11 smartcard provider and not for baseCSP.

Issue 3

All policies in the MIM Configuration Manager allow changes to "Revocation Settings" only for all certificates together. This fix adds a new page (CertificateTemplateRevocationSettings) that shows the "revocation settings" for the selected certificate. ProfilePolicyrevocationSettingsPage is also changed to show all certificates of the profile.

MIM Synchronization Service

Issue 1

When you configure an ECMA2 run profile, you receive a “Value of ‘10’ is not a valid value” error message.

Issue 2

The Sync Engine reports a staging error during delta import when the Generic LDAP connector detects the renaming of an object distinguished name.

Issue 3

When a rename, or a distinguishedName change, of a user is exported to Oracle Directory Enterprise Edition (ODSEE), that user is removed from group memberships. You expect that the membership reference to the renamed object will be updated, instead.

Issue 4

When unsupported characters are entered in the SMTP address, MIM Sync cannot correctly provision the object into the GALSync MA. In this situation, the object fails and throws an error. This problem also causes the object to be duplicated.

Issue 5

An ECMA2 export-only MA displays the error message "The image or delta doesn’t have an anchor" when you perform an Export, CS Search, or CS Deletion.

Issue 6

The Sync Service stops responding when you stop a run profile for the ECMA connector.

Issue 7

The Active Directory MA interprets objects that are restored in the directory as deleted.

Issue 8

If you call Set-MIISECMA2Configuration to set the configuration for the SharePoint connector (Microsoft.IdentityManagement.Connector.Sharepoint.dll, version 4.3.836.0), the call fails silently but the verbose output says that the operation was successful.

Issue 9

The Set-MIISADMAConfiguration cmdlet supports only a single partition and a single container. In this update, the following changes are made to the parameters of this cmdlet.

-Partitions

The -Partitions parameter allows one or more partitions to be specified in the Active Directory MA.

  • The -Partitions parameter can apply single or multiple containers by using the ";" delimiter.
  • If the -Partitions parameter is absent, the Set-MIISADMAConfiguration cmdlet behaves in the same manner as it did prior to this update.

Example command that uses the -Partitions parameter:

Set-MIISADMAConfiguration -MAName 'AD_MA' -Forest Contoso.COM -Credentials (Get-Credential Contoso\ma_ADMA) -Partitions 'DC=Contoso,DC=COM;DC=ForestDnsZones,DC=Contoso,DC=COM'

-Container

This parameter is updated to allow one or more containers to be specified together with the -Partitions parameter. It uses the following rules:

  • If the -Partitions parameter is present, the -Container parameter can now apply to single or multiple containers by using the ";" delimiter.
  • If -Container is absent or no containers are given for a partition, all the containers of that partition are selected.
  • If -Partitions is absent, the Set-MIISADMAConfiguration cmdlet behaves in the same manner as it did prior to this update, and -Container can accept only a single container.

Example command that uses the -Partitions and -Container parameters:

Set-MIISADMAConfiguration -MAName 'AD_MA' -Forest Contoso.COM -Credentials (Get-Credential Contoso\ma_ADMA) -Partitions 'DC=Contoso,DC=COM;DC=ForestDnsZones,DC=Contoso,DC=COM' -Container 'OU=1,DC=Contoso,DC=COM;CN=Users,DC=Contoso,DC=COM;CN=Infrastructure,DC=ForestDnsZones,DC=Contoso,DC=COM'
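The rule that a partition with no listed container gets all of its containers selected is easy to trip over when the ";"-delimited strings are long. The following PowerShell function is an added example, not part of the KB article or the original post: it builds the -Partitions and -Container values from arrays, warns about any listed partition that would end up fully selected, and refuses containers whose DN does not fall under any listed partition. It assumes the same MIM Synchronization Service PowerShell environment as the commands above; New-AdmaScopeArguments is a hypothetical helper name, and the partition and container DNs, MA name and credential are constructed sample values for a Contoso.COM forest.

```powershell
# Added example (not from the KB article or the original post): assemble the ";"-delimited
# -Partitions / -Container arguments for Set-MIISADMAConfiguration and report the scope
# the cmdlet will end up with. DNs below are constructed sample values.
function New-AdmaScopeArguments {
    param(
        [Parameter(Mandatory)][string[]]$Partitions,   # naming context DNs to include in the AD MA
        [string[]]$Containers = @()                    # container DNs; may be empty
    )

    # A container belongs to a partition when its DN ends with that partition's DN.
    $belongsTo = { param($container, $partition) $container.ToLower().EndsWith("," + $partition.ToLower()) }

    foreach ($p in $Partitions) {
        $inScope = @($Containers | Where-Object { & $belongsTo $_ $p })
        if ($inScope.Count -eq 0) {
            # Second rule above: no container listed for this partition means ALL of its containers are selected.
            Write-Warning "No container listed for partition '$p': every container of this partition will be selected."
        } else {
            Write-Host "Partition '$p' limited to $($inScope.Count) container(s)."
        }
    }

    # Containers outside every listed partition cannot be placed anywhere; stop before calling the cmdlet.
    $orphans = @($Containers | Where-Object {
        $c = $_
        -not ($Partitions | Where-Object { & $belongsTo $c $_ })
    })
    if ($orphans.Count -gt 0) {
        throw "Containers that belong to none of the listed partitions: $($orphans -join ', ')"
    }

    return @{
        Partitions = ($Partitions -join ';')
        Container  = ($Containers -join ';')
    }
}

# Constructed sample scope: two partitions, containers listed only for the domain partition,
# so the function warns that DC=ForestDnsZones,DC=Contoso,DC=COM will be selected in full.
$scope = New-AdmaScopeArguments `
    -Partitions 'DC=Contoso,DC=COM', 'DC=ForestDnsZones,DC=Contoso,DC=COM' `
    -Containers 'OU=1,DC=Contoso,DC=COM', 'CN=Users,DC=Contoso,DC=COM'

# Same cmdlet call as the KB example, fed from the generated strings (MA name and credential are placeholders).
Set-MIISADMAConfiguration -MAName 'AD_MA' -Forest Contoso.COM `
    -Credentials (Get-Credential Contoso\ma_ADMA) `
    -Partitions $scope.Partitions -Container $scope.Container
```

Review the warnings before the Set-MIISADMAConfiguration line runs; a partition that is selected in full brings every container, including ones you may have excluded by hand in the Synchronization Service Manager, into the MA's scope.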

MIM Portal

Issue 1

This hotfix addresses an issue in the MIM Portal that affects the sorting of a customized list view based on the columns that are specified in the ColumnsToDisplay property.

Issue 2

This hotfix updates HTML elements and attributes in the password registration portal and MIM Portal.

Issue 3

The object picker does not search objects that have special characters in their name.

Issue 4

This hotfix updates the translation of the user interface strings that relate to the “Password Reset AuthN Workflow” activity into Russian.

Issue 5

This hotfix addresses an issue that affects the Leave Member and Remove Member buttons when the group resource type is customized.

Issue 6

This hotfix adds a new search scope that is named "All Groups" to enable searching for and joining groups if the user does not know whether the group is a security group or a distribution list.

Issue 7

Specific culture localization settings for Spanish and French revert to English.

Issue 8

When you update an integer attribute value on the Extended Attributes tab of an object in the MIM Portal, the value is limited to a 32-bit integer. This issue occurs even though the same attribute allows 64-bit integer values if it is updated outside the Portal.

Issue 9

Resource Control Display Configuration (RCDC) does not allow a default tab to be configured.

In this hotfix, the UOCInitialTabName parameter is added to the URL so that an object loads together with its associated RCDC.

Examples

The current RCDC users page has four tabs: General, Work Info, Contact Info, Summary.

If you open the corresponding XML, you find XML code that resembles the following:

<my:Grouping my:Name="WorkInfo" my:Caption="%SYMBOL_WorkInfoTabCaption_END%" my:Enabled="true" my:Visible="true">

If you open an RCDC users page with the following URL, the Work Info tab automatically opens:

http://mimPortal/IdentityManagement/aspx/users/EditPerson.aspx?UOCInitialTabName=WorkInfo

Or, if you open the default administrators page with the following URL, the Work Info tab automatically opens:

http://mimPortal/IdentityManagement/aspx/users/EditPerson.aspx?id=7fb2b853-24f0-4498-9534-4e10589723c4&_p=1&UOCInitialTabName=WorkInfo

MIM Password Registration Portal

Issue 1

On the Question and Answer page, the initial scroll position is incorrect and prevents users from seeing the initial question.

MIM Service

Issue 1

Broker service conversations are closed after a sync export to the MIM Service database.

Issue 2

A custom expression that includes Concatenate() is replaced by a plus sign (+) and generates an error when it is saved.

Issue 3

This hotfix addresses an issue that affects the MIM Service database stored procedures in which deadlocks might occur in approval workflows. In particular, deadlocks might occur in deployments that have complex or general Set definitions (for example, sets that match "/*" instead of specific resource types).

BHOLD

Issue 1

An inconsistency can occur between the Permission name and attribute changes that occur during an export, import, and subsequent export process in MIM Sync. In this case, BHOLD receives duplicates of a renamed group and maintains the original group in the database.

Issue 2

The Attestation Campaign Portal has an incorrectly worded title that displays campaign progress.

Cheers,
Jorge

Posted in Forefront Identity Manager (FIM) bHold, Forefront Identity Manager (FIM) Certificate Management, Forefront Identity Manager (FIM) PCNS, Forefront Identity Manager (FIM) Portal, Forefront Identity Manager (FIM) Sync, Updates
