Jorge's Quest For Knowledge!

About Windows Server, ADDS, ADFS, Azure AD, FIM/MIM & AADSync (Just Like An Addiction, The More You Have, The More You Want To Have!)

(2016-07-27) How To Disable Local Authentication In ADFS v2.x, ADFS v3.0 And ADFS v4.0

Posted by Jorge on 2016-07-27


If you do not want to have the local STS (and therefore the local AD and any trusted AD) to be listed on the HRD page, while only allowing remote IdPs (CPs), you need to disable local authentication in ADFS

To disable local authentication in ADFS v2.0, perform the following steps:

  • Navigate to the folder “C:\inetpub\adfs\ls”
  • Edit the file "web.config"
  • Edit the following section as follows, and save afterwards:

<localAuthenticationTypes>
        <!– <add name="Integrated" page="auth/integrated/" /> –>
        <!– <add name="Forms" page="FormsSignIn.aspx" /> –>
        <!– <add name="TlsClient" page="auth/sslclient/" /> –>
        <!– <add name="Basic" page="auth/basic/" /> –>
</localAuthenticationTypes>

To disable local authentication in ADFS v2.1 and ADFS v3.0, perform the following steps:

  • Navigate to “C:\Windows\Adfs”
  • Edit the file "microsoft.IdentityServer.Servicehost.exe.config"
  • Edit the following section as follows, and save afterwards:

<microsoft.identityServer.web> 
       <acceptedFederationProtocols wsFederation="true" saml="true" /> 
       <localAuthenticationTypes enabled="false"> 
</localAuthenticationTypes>

To disable local authentication in ADFS v4.0, perform the following steps:

  • Open a PowerShell command prompt window
  • Execute the following command:

Set-AdfsProperties -EnableLocalAuthenticationTypes $false

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Active Directory Federation Services (ADFS), Home Realm Discovery (HRD) | Leave a Comment »

(2016-07-24) Fixing Web Content Data In ADFS 2012 R2 (v3.0) When Leveraging WID As A Database Store

Posted by Jorge on 2016-07-24


This blog post only applies if you are using ADFS v3.0 (ADFS 2012 R2) AND you are using WID as the database store! It does not apply when using SQL, and it does not apply when using ADFS v4.0 (ADFS 2016) with WID!

In ADFS v3.0 (and higher) it is possible to configure custom web content for:

  1. Relying Party Trust Web Content (*)
  2. Global Web Content
  3. Authentication Provider Web Content (*)
  4. Web Config
  5. Web Theme

When using WID, you must execute the configuration on the primary ADFS server. After 5 minutes (default) at a maximum, the secondary ADFS servers, get the changes from the primary ADFS server. Well, with regards to web content, almost right

For the web content stuff marked with a (*), there is bug where the content defined at the primary ADFS server DOES NOT replicate to the secondary ADFS servers. Because of that users may experience inconsistent results

Example configurations for [1]:

Set-AdfsRelyingPartyWebContent -Name ‘SALESFORCE dot COM’ -ErrorPageAuthorizationErrorMessage "<B><Font size=’4′ color=’red’>Authorization Has Been Denied For ‘SALESFORCE.COM’.</Font></B><BR><BR>You Either Do Not Have The Correct Authorization Or You Have Been Assigned More Than One Profile ID.<BR><BR>Please Contact <A HREF=’mailto:ADM.ROOT@IAMTEC.NL?subject=Access Request For Application 'SALESFORCE.COM'’>ADM.ROOT</A> To Resolve This If You Require Access."

Example configurations for [3]:

Set-AdfsAuthenticationProviderWebContent -Name AzureMfaServerAuthentication -DisplayName ‘Azure AD MFA AuthN’ -Description ‘Azure AD MFA Based Upon SMS, Phone Call Or Authenticator App’

The user experience is as follows….

When a user hits the primary ADFS server, the following is displayed, which is the custom web content for a relying party trust:

image

Figure 1: Custom Web Content For A Relying Party Trust On The Primary ADFS Server

When a user hits any of the secondary ADFS servers, the following is displayed, which is the default web content for a relying party trust:

image

Figure 2: Default Web Content For A Relying Party Trust On The Primary ADFS Server

When a user hits the primary ADFS server, the following is displayed, which is the custom web content for a authentication provider:

image

Figure 3: Custom Web Content For An Authentication Provider Relying Party Trust On The Primary ADFS Server

When a user hits any of the secondary ADFS servers, the following is displayed, which is the default web content for an authentication provider:

image

Figure 4: Default Web Content For An Authentication Provider Relying Party Trust On The Primary ADFS Server

So, as you can see the user experience is quite different when hitting either the primary ADFS server or any secondary ADFS server

You might think to also execute the PowerShell commands on any secondary ADFS server. However, that’s not possible because secondary ADFS servers are not writable and therefore the PowerShell commands do not work. It will work however, if you temporarily configure a secondary to be a primary, execute the commands, then reconfigure it back to a secondary. If you have multiple WID based ADFS servers, that can be some extensive work, which is also subject to mistakes ending up in inconsistencies.

So, how to solve this?

I wrote a script, which is available here that helps in configuring the web content on secondary ADFS servers.

WARNING: I do not know if this is supported or not by Microsoft. However, it does solve the problem as currently unfortunately there is no hotfix that fixes this issue in ADFS v3.0. Make sure to test this FIRST in a test lab before using it in production!

Please provide feedback through the comments section OR you the contact page

DISCLAIMER (READ THIS!):

  • I wrote this script, therefore I own it. Anyone asking money for it, should NOT be doing that and is basically ripping you off!
  • The script is freeware, you are free to use it and distribute it, but always refer to this website (https://jorgequestforknowledge.wordpress.com/) as the location where you got it.
  • This script is furnished "AS IS". No warranty is expressed or implied!
  • I have NOT tested it in every scenario nor have I tested it against every Windows and/or AD version
  • Always test first in lab environment to see if it meets your needs!
  • Use this script at your own risk!
  • I do not warrant this script to be fit for any purpose, use or environment!
  • I have tried to check everything that needed to be checked, but I do not guarantee the script does not have bugs!
  • I do not guarantee the script will not damage or destroy your system(s), environment or whatever!
  • I do not accept liability in any way if you screw up, use the script wrong or in any other way where damage is caused to your environment/systems!
  • If you do not accept these terms do not use the script in any way and delete it immediately!

SYNTAX:

  • <PoSH Script File> [-adfsServers <FQDN ADFS server 1>,<FQDN ADFS server 2>,etc ] [-scriptBlock <PowerShell Command>] [-scriptFile <Path To Text File Containing PowerShell Commands>] [-showScriptOutput]

This script is well documented (look inside the script) or execute:

Get-help .\Process-Web-Content-On-WID-Based-ADFS-Servers.ps1 -full

….but I’ll explain the parameters that can be used

Parameter “adfsServers”

When this parameter is specified, the XML config file is NOT read and a separated list of FQDNs must be specified through this parameter listing the ADFS servers that must be targeted. This may for example be used when you have just one or more new secondary ADFS server to update after those have been installed in addition to the existing ones

However, if you have a new configuration that must be applied to all ADFS servers, you may still use this parameter, but you can also create an XML file that contains all ADFS servers. This can be handy when you must apply changes to all existing ADFS servers. When you want to use the XML config file, do not use this parameter and the script will look for the XML config file which must be in the same folder as the script itself. By default the script will look for the XML file! It will abort if it does not find the XML config file!

EXAMPLE Contents of “ADFS-STS-SCRIPT-CONFIG.XML”

<?xml version="1.0" encoding="utf-8"?>
<adfsScriptConfig xmlns:xsi="
http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
    <adfsServers>
        <adfsServer serverName="R1FSRWDC1.IAMTEC.NET" />
        <adfsServer serverName="R1FSRWDC2.IAMTEC.NET" />
        <adfsServer serverName="R1FSRWDC3.IAMTEC.NET" />
        <adfsServer serverName="R1FSRWDC4.IAMTEC.NET" />
    </adfsServers>
</adfsScriptConfig>

Parameter “scriptBlock”

With this parameter one PowerShell command can be specified as a value for this parameter. Pay very special attention to the quotes used!

Example value: "Set-AdfsRelyingPartyWebContent -Name ‘SALESFORCE dot COM’ -ErrorPageAuthorizationErrorMessage `"<B><Font size=’4′ color=’red’>Authorization Has Been Denied For ‘SALESFORCE.COM’.</Font></B><BR><BR>You Either Do Not Have The Correct Authorization Or You Have Been Assigned More Than One Profile ID.<BR><BR>Please Contact <A HREF=’mailto:ADM.ROOT@IAMTEC.NL?subject=Access Request For Application 'SALESFORCE.COM'’>ADM.ROOT</A> To Resolve This If You Require Access.`""

Parameter “scriptFile”

With this parameter one or more PowerShell commands can be specified in a text file. The complete path of the text is then used as a value for this parameter.

Example value: "C:\TEMP\ScriptBlock.txt"

Parameter “showScriptOutput”

This parameter tells the script to display the output of the commands on screen, if there is anything to display at all.

Another thing to be aware of is that the script logs everything into an event log called “Custom – Support”. If the event log does not exist it will create it and also register the source. If you do not want this, scan through the script and remove or out comment those parts!

image

Figure 5: Example XML Config File

image

Figure 6: Example Script Block File Containing Multiple PowerShell Commands To Execute

image

Figure 7: Example Output – General Info

image

Figure 8: Example Output – Performing Checks

image

Figure 9: Example Output – Processing Commands Against An ADFS Server (R1FSRWDC1.IAMTEC.NET)

image

Figure 10: Example Output – Processing Commands Against An ADFS Server (R1FSRWDC2.IAMTEC.NET)

image

Figure 11: Example Output – Processing Commands Against An ADFS Server (R1FSRWDC3.IAMTEC.NET)

image

Figure 12: Example Output – Processing Commands Against An ADFS Server (R1FSRWDC4.IAMTEC.NET)

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Active Directory Federation Services (ADFS), DB On WID, PowerShell, Tooling/Scripting | Leave a Comment »

(2016-07-21) A Hotfix Rollup Package (Build 4.3.2266.0) Is Available for Microsoft Identity Manager 2016

Posted by Jorge on 2016-07-21


Microsoft released a new hotfix for MIM 2016 with build 4.3.2266.0. What it fixes can be found in this blog post. For additional or detailed info see MS-KBQ3171342

Download link

Issues that are fixed and features that are added in this update

Privileged Access Management (PAM)

Issue 1

When you create a PRIV ONLY PAM user, the PAM monitor service throws the following warning message when it tries to update the PAM users email in active directory and the value already exists:

System.Exception: Set PAM object dictionary already contain attribute ‘Email’.

FIM add-ins and extensions

Issue 1

SSPR windows clients on systems that use a high DPI setting have an incorrect scaling of the final page (the Password Reset Flow page) in which the radio buttons are overlapped.

Issue 2

SSPR windows clients have text messages that overlap after a password reset if the resulting message (success or error) contains more than three lines.

FIM Certificate Management

Issue 1

The ExecuteOperations.Disable operation from the Microsoft.Clm.BusinessLayer.Shared.dll public library does not work correctly and returns an error because of incorrect object initialization.

Issue 2

A smart card search takes 3.5 minutes on an idle server. Additionally, the search never ends if the server is stressed.

Issue 3

There is a redundant space in the "Profile Summary" string on the Request Complete page for some languages.

Issue 4

The Duplicate Revocation Settings policy is replaced because some users could not set it.

Issue 5

A certificate in the Certificate Management portal may use the LDAP CN name instead of DisplayName when it calls REST.

Issue 6

For ZH-Hans and some other languages, link underlining in the Certificate Management portal is misplaced (stroke instead of an underline) because of a font issue.

FIM Synchronization Service

Issue 1

Under certain conditions, the file selection dialog box does not appear on the MA configuration wizard pages.

Issue 2

Error messages are logged in the event log (such as Event ID 6313). Additionally, performance counters don’t work.

Issue 3

The Sync Service crashes when you run a Full Synchronization process that has Equal Precedence set for attributes that exist in IAF or EAF.

Issue 4

When an incorrect page size (either less than the minimum or more than the maximum) is used for the run profile of the ECMA2 management agent, the page size value quietly changes to the minimum or the maximum after you click Finish.

Issue 5

An error message from the Management Agent cannot be parsed if it contains some special symbols. Therefore, the error message doesn’t appear in the error list as expected, and a non-informative error window appears.

Issue 6

You receive a "Reference to undeclared entity ‘qt’" error message when you run the history process and the history text contains the "greater than" (>) symbol.

Issue 7

New Functionality: The ability to skip the Management Agent during the import of a server configuration is added. A new -Skip parameter is added to the Import-MIISServerConfig cmdlet.
The names of MAs to skip should be delimited by a semicolon (;), as in the following example:

Import-MIISServerConfig -Path "C:\exported" -Skip "FIMMA;ADMA"

Note If you do not use the -Skip parameter, the default behavior occurs.

Issue 8

A "MEMORY_ALLOCATION_FAILURE" error occurs in the Performance Monitoring tool when the performance data .dll file cannot open the process.

FIM Portal

Issue 1

Multivalued labels are displayed incorrectly in a single line in the UI.

Issue 2

When you upload Resource Control Display Configurations (RCDC), the xml-format is not verified.

Issue 3

You cannot drag-and-drop a user to the Remove box to delete the user or to remove the user from a group membership.

Issue 4

Local date and time settings are ignored for the Australian English (en-AU) locale.

Issue 5

This update enables customizations that have controls that are shown or hidden based on the state of the email-enabling check box.

An additional attribute to RCDCs configuration data is included in this update. The Now Event element may have a Parameters attribute. For Group RCDC for the OnChangeEmailEnabling event, the element should contain a comma-separated, case-sensitive list of controls to show or hide.

Example

<my:Control my:Name="EmailEnabling" my:TypeName="UocCheckBox"
 my:Caption="%SYMBOL_EmailEnablingCaption_END%"
 my:Description="%SYMBOL_EmailEnablingDescription_END%"
 my:AutoPostback="true" my:RightsLevel="{Binding Source=rights,
 Path=Email}">
        <my:Properties>
         <my:Property my:Name="Text" my:Value="%SYMBOL_EmailEnablingValue_END%"/>
        </my:Properties>
        <my:Events>

Note If the Parameters attribute is not included, the default behavior occurs.

FIM Service

Issue 1

In SharePoint Server 2013 and later versions, if you edit a workflow or update an email template by using the FIM Portal, the version is automatically updated to 4.0.0.0. This causes a system error message during processing.

BHOLD

Issue 1

When you add a user to an organizational unit (OU) that has some incompatible permissions in the OUs role, all the incompatible permissions are assigned.

Issue 2

Some issues are fixed for attribute-based authorization (ABA) roles that are assigned to a user when the roles have incompatible permissions.

Issue 3

When you use Access Management Connector to provision new OUs with a parent OU, all the parent OU roles are inherited but are also disabled.

Issue 4

An error occurs in BHOLD during installation in Internet Information Services (IIS) 10.

Issue 5

If two or more roles that are assigned to a user who has the same permissions as the roles, and the roles use the endDate attribute, you cannot extract a user permission that has the latest date.

Issue 6

An email alias is truncated if it is longer than 30 characters.

Cheers,

Jorge

———————————————————————————————

* This posting is provided "AS IS" with no warranties and confers no rights!

* Always evaluate/test yourself before using/implementing this!

* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/

———————————————————————————————

############### Jorge’s Quest For Knowledge #############

######### http://JorgeQuestForKnowledge.wordpress.com/ ########

———————————————————————————————

Posted in Forefront Identity Manager (FIM) bHold, Forefront Identity Manager (FIM) Certificate Management, Forefront Identity Manager (FIM) PCNS, Forefront Identity Manager (FIM) Portal, Forefront Identity Manager (FIM) Sync, Updates, Updates, Updates, Updates, Updates | Leave a Comment »

(2016-07-21) A Hotfix Rollup Package (Build 4.1.3765.0) Is Available for Forefront Identity Manager 2010 R2

Posted by Jorge on 2016-07-21


Microsoft released a new hotfix for FIM 2010 R2 with build 4.1.3765.0. What it fixes can be found in this blog post. For additional or detailed info see MS-KBQ3171318

Download link

Issues that are fixed and features that are added in this update

FIM Certificate Management

Issue 1

A smart card search takes 3.5 minutes on an idle server. Additionally, the search never ends if the server is stressed.

Issue 2

The Duplicate Revocation Settings policy is replaced because some users could not set it.

Issue 3

There is a redundant space in the "Profile Summary" string on the Request Complete page for some languages.

FIM Synchronization Service

Issue 1

In a metaverse search and when you view the object, there is a Last Modified field. But when you sort that field, it sorts as a generic text field instead of as a date field.

Issue 2

Error messages (such as Event ID 6313) are logged in the event log. Additionally, performance counters don’t work.

Issue 3

The Sync Service crashes when you run a Full Synchronization process that has Equal Precedence set for attributes that exist in IAF or EAF.

Issue 4

When an incorrect page size (either less than the minimum or more than the maximum) is used for the run profile of the ECMA2 management agent, the size value quietly changes to the minimum or the maximum after you click Finish.

Issue 5

An error message from the Management Agent cannot be parsed if it contains some special symbols. Therefore, the error message doesn’t appear in the error list as expected, and a non-informative error window appears.

Issue 6

You receive a "Reference to undeclared entity ‘qt’" error message when you run the history process and the history text contains the "greater than" symbol (>).

Issue 7

Under certain conditions, the file selection dialog box does not appear on the MA configuration wizard pages.

Issue 8

A "MEMORY_ALLOCATION_FAILURE" error occurs in the Performance Monitoring tool when the performance data .dll file cannot open the process.

FIM Portal

Issue 1

Multivalued labels are displayed incorrectly in a single line in the UI.

FIM Service

Issue 1

During an Export process between the Synchronization and FIM Service, the msidmCompositeType request may fail if some multivalued string attribute value is changed in the scope of the Export session. This behavior affects performance.

Issue 2

In SharePoint Server 2013 and later versions, if you change a workflow or update an email template by using the FIM Portal, the version is automatically updated to 4.0.0.0. This causes a system error message during processing.

BHOLD

Issue 1

When you add a user to an organizational unit (OU) that has some incompatible permissions in the OUs role, all the incompatible permissions are assigned.

Issue 2

Some issues are fixed for attribute-based authorization (ABA) roles that are assigned to a user when the roles have incompatible permissions.

Issue 3

When you use the Access Management Connector to provision new OUs with a parent OU, all the parent OU roles are inherited but are also disabled.

Issue 4

An error occurs in BHOLD during installation in Internet Information Services (IIS) 10.

Issue 5

If two or more roles assigned to a user who has the same permissions as the roles, and the roles use the endDate attribute, you cannot extract a user permission that has the latest date.

Issue 6

An email alias is truncated if it is longer than 30 characters.

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Forefront Identity Manager (FIM) bHold, Forefront Identity Manager (FIM) Certificate Management, Forefront Identity Manager (FIM) PCNS, Forefront Identity Manager (FIM) Portal, Forefront Identity Manager (FIM) Sync, Updates, Updates, Updates, Updates, Updates | 2 Comments »

(2016-07-20) Installing And Configuring Azure AD Connect Health For Active Directory Domain Services

Posted by Jorge on 2016-07-20


This blog post show you how to configure Azure AD Connect Health for AD/ADDS

First download the Azure AD Connect Health Agent for AD/ADDS from here

After the download move/copy the executable to every DC you want to install the Azure AD Connect Health for AD/ADDS on

Double-click on the executable

Click [Install]

image

Figure 1: Azure AD Connect Health – Install Screen

After the installation ends, you need to determine how your DCs have access to the internet.

If the DC has a direct connection, you need to only open up firewall ports first before continuing.

If the DC must have access through a proxy, you must configure the proxy settings first before continuing

There are several options to source the proxy settings from

[1] If you want to source the settings from Internet Explorer use: Set-AzureAdConnectHealthProxySettings -ImportFromInternetSettings

[2] If you want to source the settings from WinHTTP use: Set-AzureAdConnectHealthProxySettings -ImportFromWinHttp

[3] If you want to source the settings manually use: Set-AzureAdConnectHealthProxySettings -HttpsProxyAddress <PROXYSERVER>:<PORT>

Afterwards you can view the proxy settings in use by Azure AD Connect Health through: Get-AzureAdConnectHealthProxySettings

Additional info regarding the URLs accessed by Azure AD Connect Health see: https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect-health-agent-install/

If your DC supports cookies and JavaScript or IE Enhanced Security Configuration has been disabled:

Click [Configure Now]

If your DC does not support cookies and JavaScript or IE Enhanced Security Configuration has been or is enabled:

Click [Close] and continue with figure 9

image

Figure 2: Azure AD Connect Health – Configure Screen

Specify either native Azure AD credentials or federated credentials. In either case, the credentials must have the Global Administrator role in Azure AD!

image

Figure 3: Azure AD Connect Health – Initial Credentials Screen

…because I used federated credentials, I’m redirected to ADFS

image

Figure 4: Azure AD Connect Health – Redirection To ADFS

…specify the password belonging to the specified user name

image

Figure 5: Azure AD Connect Health – Credentials Screen

…registration continues

image

Figure 6: Azure AD Connect Health – Registration Of The Agent

If you clicked [Configure Now] in figure 2 and your DC did not support cookies and JavaScript or IE Enhanced Security Configuration has been or is enabled, you will see the following message

Close the screen by clicking the red cross in the upper right corner

image

Figure 7: Azure AD Connect Health – Message About Cookies And/Or Javascript Not Being Supported

Closing the screen above throws the following errors

image

Figure 8: Azure AD Connect Health – Additional Errors

Open a new PowerShell command prompt window and type:

Import-Module AdHealthAdds

$azureADCreds = Get-Credential

Specify either native Azure AD credentials or federated credentials. In either case, the credentials must have the Global Administrator role in Azure AD!

image

Figure 9: Azure AD Connect Health – Starting Registration And Entering Native Azure Credentials

In the existing PowerShell command prompt window type:

Register-AzureADConnectHealthADDSAgent -Credential $azureADCreds

image

Figure 10: Azure AD Connect Health – Registration Of The Agent

Done! After doing on all the DCs, you can go to https://portal.azure.com/ and check the health of your AD/ADDS

PS: The installation of the Azure AD Connect Health Agent for ADFS is very similar!

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Active Directory Domain Services (ADDS), Azure AD Connect Health, Azure AD Connect Health, Windows Azure Active Directory | Leave a Comment »

(2016-07-19) Azure AD Connect Health For Active Directory Domain Services Has Been Released

Posted by Jorge on 2016-07-19


Microsoft has released Azure AD Connect Health for AD/ADDS! COOL!

More information:

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

 

Posted in Active Directory Domain Services (ADDS), Azure AD Connect Health, Azure AD Connect Health, Windows Azure Active Directory | Leave a Comment »

(2016-07-02) The Export Script “Export-FederationConfiguration.ps1” Throws An Error in ADFS v3

Posted by Jorge on 2016-07-02


With ADFS v3.0 (ADFS in Windows Server 2012 R2), Microsoft has provided an export script (“Export-FederationConfiguration.ps1”) and an import script (“Import-FederationConfiguration.ps1”). Both scripts can be found in the folder “C:\Windows\ADFS”. The scripts are to be used to support the migration from ADFS v2.x to ADFS v3.0. The export script should be used on ADFS v2.x and the import script should be used on ADFS 3.0

As you may have read in this blog post you need to export and import the configuration when moving from SQL-based ADFS to WID-based ADFS.

However, when running the export script on ADFS v3.0, you will see the following error

image

Figure 1: Error When Running The Export Script “Export-FederationConfiguration.ps1” On ADFS v3.0

Unable to find type [Microsoft.IdentityServer.PowerShell.Resources.RelyingPartyTrust]. Make sure that the assembly that contains this type
is loaded.
At C:\Windows\ADFS\Export-FederationConfiguration.ps1:1220 char:9
+         $rpTrusts = [Microsoft.IdentityServer.PowerShell.Resources.RelyingPartyT …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (Microsoft.Ident…lyingPartyTrust:TypeName) [], RuntimeException
    + FullyQualifiedErrorId : TypeNotFound

Unable to find type [Microsoft.IdentityServer.PowerShell.Resources.RelyingPartyTrust]. Make sure that the assembly that contains this type
is loaded.
At C:\Windows\ADFS\Export-FederationConfiguration.ps1:1220 char:9
+         $rpTrusts = [Microsoft.IdentityServer.PowerShell.Resources.RelyingPartyT …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (Microsoft.Ident…lyingPartyTrust:TypeName) [], ParentContainsErrorRecordException
    + FullyQualifiedErrorId : TypeNotFound

The reason for not working?

The reason the export script does not work in ADFS v3 has to do with a reference to an assembly that does not exist in ADFS 3.0, but only ADFS v2.x

The solution?

A guy named Jeff Patton, already published a fixed version of the script. You can find it on Github: https://gist.github.com/jeffpatton1971/12f9e00dbca27abf8b59

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Active Directory Federation Services (ADFS), Configuration, PowerShell, Tooling/Scripting | Leave a Comment »

(2016-06-28) Quick Learning Guide For PowerShell

Posted by Jorge on 2016-06-28


Have you ever wanted to have a quick learning guide about PowerShell, then have a look at the following:

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in PowerShell | Leave a Comment »

(2016-06-24) Quick Learning Guide For A Public Key Infrastructure (PKI)

Posted by Jorge on 2016-06-24


Have you ever wanted to have a quick learning guide about a Public Key Infrastructure (PKI), then have a look at the following:

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Active Directory Certificate Services (ADCS), Learning Guide | 1 Comment »

(2016-06-16) A Change In Group Policy Processing After The Security Update MS16-072

Posted by Jorge on 2016-06-16


The Security Update MS16-072 changes the way how user GPOs are being processed. If you do not meet pre-requisites, make sure you do before applying the security update!

This applies to every Windows version starting from Windows Server 2008 and Windows Vista and higher!

More about this:

Symptoms

All user Group Policy, including those that have been security filtered on user accounts or security groups, or both, may fail to apply on domain joined computers.

Cause

This issue may occur if the Group Policy Object is missing the Read permissions for the Authenticated Users group or if you are using security filtering and are missing Read permissions for the domain computers group.

Resolution

To resolve this issue, use the Group Policy Management Console (GPMC.MSC) and follow one of the following steps:

Add the Authenticated Users group with Read Permissions on the Group Policy Object (GPO).
If you are using security filtering, add the Domain Computers group with read permission.

Script

If you want to script this have a look at:

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Active Directory Domain Services (ADDS), Group Policy Objects | Leave a Comment »

 
%d bloggers like this: