Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!

Archive for the ‘Active Directory Lightweight Directory Services (ADLDS)’ Category

(2018-10-11) Configuring A New Identity Store As A Local Claims Provider In ADFS

Posted by Jorge on 2018-10-11


In ADFS v1.0 and ADFS v1.1 it was possible to use both AD and ADLDS/ADAM as an identity store. One of the very common scenarios is to use the AD identity store for internal users and use the ADLDS/ADAM identity store for external users (e.g. partners, customers, vendors, etc.). After ADFS v1.x Microsoft released ADFS v2.0 (separate download for W2K8 and W2K8R2), ADFS v2.1 in W2K12 and ADFS v3.0 in W2K12R2. All the ADFS versions starting with ADFS v2.0 and higher only supported AD as the identity store and nothing else. That could be one of the reasons why some companies remained using ADFS v1.1 and did not move one.

If you would like to support a similar scenario, where you would like to have a separate identity store for externals, you would need to:

  1. Configure a separate AD with its own ADFS infrastructure and configure federation between (also see: (2013-09-24) AD User Accounts For Which The ADFS STS Can Generate Security Tokens)
    OR
  2. Use Azure AD to store those identities and configure federation

The biggest advantage of using [2] instead of [1] is that you do not need a complete new infrastructure just to support externals. The basic Azure AD features are free, but as soon as you need something special from the Azure AD Premium list, you need to pay licensing.

With the release of the Windows Server 2016, a third option has become available as already mentioned in the blog post (2014-10-03) ADFS In vNext To Support Other Identity Stores Than AD Only. YES! YES! YES! Finally!

For the passive federation protocols (e.g. SAML, WS-Federation and Oauth) and the active federation protocols (e.g. WS-Trust), ADFS v4.0 (ADFS in Windows Server 2016) and higher will support the following identity stores:

  • Identity Stores As Claim Providers:◦Active Directory (Trusted AD forests)
  • Identity Stores As Local Claim Providers:◦Active Directory (NON-Trusted AD forests)
    • ADLDS/ADAM
    • Apache DS
    • IBM Tivoli DS
    • Novell DS
    • Open LDAP
    • Open DJ
    • Open DS
    • Radiant Logic Virtual DS
    • Sun ONE v6, v7, v11

The local claims providers can only be configured through PowerShell and authentication through ADFS against those local claims providers can only be done by using forms-based authentication. One last thing to note is that you can only configure local claims providers when the Farm Behavior/Level is higher than Win2012R2. Also see: (2014-10-12) Migrating Or Upgrading To A New ADFS Version.

For more information also see:

I have the following Identity (ID) Store:

  • Type: ADLDS (LDAP)
  • Node Server (1): R1FSRWDC1.IAMTEC.NET
    • LDAP Port: 5389
    • LDAPS Port: 5636
  • Node Server (2): R1FSRWDC2.IAMTEC.NET
    • LDAP Port: 5389
    • LDAPS Port: 5636
  • Account UserName For ADFS To Access data In The IDStore: SVC_R1_LDAPQuery@CORP

# Define The Credentials For ADFS To Use When Connecting To The ID Store

$idStoreAccountUserName = ‘SVC_R1_LDAPQuery@CORP’

$idStoreAccountPassword = ‘pwd’ | ConvertTo-SecureString -asPlainText -Force

$idStoreAccountCreds = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $idStoreAccountUserName,$idStoreAccountPassword

# Define All The Server Instances Hosting The Identity Store

$idStoreInstance1 = New-AdfsLdapServerConnection -HostName R1FSRWDC1.IAMTEC.NET -Port 5389 -SslMode None -Credential $idStoreAccountCreds -AuthenticationMethod Basic

$idStoreInstance2 = New-AdfsLdapServerConnection -HostName R1FSRWDC2.IAMTEC.NET -Port 5389 -SslMode None -Credential $idStoreAccountCreds -AuthenticationMethod Basic

PS: If you have a load balanced ADLDS farm than you would only need to define one connection instance as the load balancer would figure out which node to use. For more information about load balancing ADLDS please see: https://www.itprotoday.com/management-mobility/load-balance-ad-lds-microsoft-nlb-6-steps. If you do not have a load balanced ADLDS farm you need to define all connection instances so that ADFS can figure out which one to use. In the connection above I’m using the custom LDAP port (5389) configured by me. I did this as I was too lazy for this post to get an SSL certificate for LDAPS. For production systems I do suggest you use LDAPS!. For more information please see: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc725767(v=ws.10)

# Define All The Attribute-To-ClaimType Mappings For Which You Want ADFS To Automatically Retrieve From The ID Store

# (These are the attributes and their values, if any, automatically retrieved from the ID store and stored in claims, whether or not these are issued later on in a security token)

$mappingGivenName = New-AdfsLdapAttributeToClaimMapping -LdapAttribute givenName -ClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"

$mappingSurname = New-AdfsLdapAttributeToClaimMapping -LdapAttribute sn -ClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname"

$mappingDisplayName = New-AdfsLdapAttributeToClaimMapping -LdapAttribute displayName -ClaimType "http://temp.org/identity/claims/displayName"

$mappingEmployeeID = New-AdfsLdapAttributeToClaimMapping -LdapAttribute employeeID -ClaimType "http://temp.org/identity/claims/employeeID"

$mappingDescription = New-AdfsLdapAttributeToClaimMapping -LdapAttribute description -ClaimType "http://temp.org/identity/claims/description"

# Create The Local Claims Provider Trust To Appear In The HRD Screen Through A List Of Claims Providers

Add-AdfsLocalClaimsProviderTrust -Name "External ID Store" -Identifier "urn:adlds:external:idstore" -Type Ldap -LdapServerConnection @($idStoreInstance1,$idStoreInstance2) -UserObjectClass user -UserContainer "OU=People,O=CORP" -LdapAuthenticationMethod Basic -AnchorClaimLdapAttribute userPrincipalName -AnchorClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" -LdapAttributeToClaimMapping @($mappingGivenName, $mappingSurname, $mappingDisplayName, $mappingEmployeeID, $mappingDescription) -Enabled $true -AcceptanceTransformRules "@RuleName = `"Issue All Mapped Claims`"`nc:[] => issue(claim = c);"

OR

# Create The Local Claims Provider Trust To Appear In The HRD Screen Through UPN Suffix

Add-AdfsLocalClaimsProviderTrust -Name "External ID Store" -Identifier "urn:adlds:external:idstore" -Type Ldap -LdapServerConnection @($idStoreInstance1,$idStoreInstance2) -UserObjectClass user -UserContainer "OU=People,O=CORP" -LdapAuthenticationMethod Basic -AnchorClaimLdapAttribute userPrincipalName -AnchorClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" -LdapAttributeToClaimMapping @($mappingGivenName, $mappingSurname, $mappingDisplayName, $mappingEmployeeID, $mappingDescription) -Enabled $true -AcceptanceTransformRules "@RuleName = `"Issue All Mapped Claims`"`nc:[] => issue(claim = c);"

Now when running either of the “Add-AdfsLocalClaimsProviderTrust” CMDlets you may see the following error at the end. It is really vague and does not tell you anything about what is really wrong. At first I thought something was wrong with the database.

image

Figure 1: Creating The Local Claims Provider Trust Fails With An Error

When things go wrong, the first thing I look at is the event log of the specific application/system. In this case it was the ADFS Admin Event Log. It did not say anything about this error. Knowing that I thought it would took me hours to figure this out. Au contraire!. Looking at the ADFS Debug Event Log, I saw the following message. It was referencing the Certificate Sharing Container.

image

Figure 2: Error Message In The ADFS Debug Event Log

An error occurred while trying to add an object:
Message: MSIS0013: Encrypted property ‘AccountStoreData’ cannot be set when a certificate sharing container is not configured in AD FS properties.

It was a weird error, because my ADFS farm is NOT using automatic certificate rollover and therefore it does not need the Certificate Sharing Container. You can see in the figure below that is the case. My farm is using CA issued certificates for the Token Signing Certificate and the Token Encryption Certificate.

image

Figure 3: Certificate Rollover NOT Being Enabled And The Certificate Sharing Container Not Being Configured

The Certificate Sharing Container is related to ADFS using ADFS Managed Self-Signed Certificates for the Token Signing Certificate and the Token Encryption Certificate. When the “AutoCertificateRollover” is set to TRUE, the “CertificateSharingContainer” property MUST specify the DN of the Certificate Sharing Container in AD. The ADFS servers and the Certificate Sharing Container must be in the same AD domain. When the “AutoCertificateRollover” is set to FALSE, the “CertificateSharingContainer” property CAN have a DN specified but in that case it is not being and can be removed if needed (but only when you are not going to use it in the future!).

Well, because the error was mentioning the Certificate Sharing Container and I did not have a Certificate Sharing Container, I decided to create one. When doing so you need to specify the service account in use by ADFS. I did that by reading the account from the ADFS service. Please be aware that by configuring the Certificate Sharing Container in ADFS, it will also be created in AD. Because of that you need to have Domain Admin equivalent permissions to be able to successfully do this!

$adfsService = Get-WmiObject win32_service -filter "name=’ADFSSRV’"
$adfsServiceAccount = $adfsService.StartName
Set-AdfsCertSharingContainer -ServiceAccount $adfsServiceAccount

image

Figure 4: Configuring The Certificate Sharing Container For ADFS

Now looking at the ADFS properties you can see the Certificate Sharing Container is configured in ADFS.

image

Figure 5: The Certificate Sharing Container Being Configured For ADFS

Before the configuration in ADFS you can see AD did not have a Certificate Sharing Container.

image

Figure 6: The AD Domain The ADFS Servers Are In With NO Certificate Sharing Container

After the configuration in ADFS you can see AD now does have a Certificate Sharing Container.

image

Figure 7: The AD Domain The ADFS Servers Are In With Certificate Sharing Container

Now when running either of the “Add-AdfsLocalClaimsProviderTrust” CMDlets above succeeds!

image

Figure 8: Creating The Local Claims Provider Trust Now Succeeds

Below you can see the properties of the Local Claims Provider trust that was created.

image

Figure 9: The Configuration Of The Local Claims Provider Trust That Was Just Created

And now you also see the local Claims Provider Trust is displayed and therefore available in the HRD page in ADFS.

image

Figure 10: The HRD Page In ADFS Showing The Newly Created Local Claims Provider Trust

Choosing the IdP “External ID Store” and logging on with an account from the ADLDS based ID Store through Forms Based Authentication, show amongst others the claims as displayed in the figure below.

image

Figure 11: My Show My Claims Application Displaying The Claims That Were Retrieved From The ID Store Based Upon ADLDS

You can see the values for the following claims that were configured above:

Cheers,
Jorge

————————————————————————————————————————————————————-
This posting is provided "AS IS" with no warranties and confers no rights!
Always evaluate/test everything yourself first before using/implementing this in production!
This is today’s opinion/technology, it might be different tomorrow and will definitely be different in 10 years!
DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
————————————————————————————————————————————————————-
########################### Jorge’s Quest For Knowledge ##########################
####################
http://JorgeQuestForKnowledge.wordpress.com/ ###################
————————————————————————————————————————————————————-

Advertisements

Posted in Active Directory Federation Services (ADFS), Active Directory Lightweight Directory Services (ADLDS), Identity Stores | 2 Comments »

(2016-11-16) New Replica Of ADLDS Fails When Functional Level Is Too High (Error 0x80072177)

Posted by Jorge on 2016-11-16


On one of my DCs I also have one instance of ADLDS running. As I have a second DC running, I wanted to also install an ADLDS replica instance of the configuration set running on the first DC. The servers are running W2K12R2 and the FFL of the configuration set is W2K12R2 (level 6).

I used a scripted installation of the replica instance and it ended up with the following error

image

Figure 1: Error Message About The Level Of The Operating System Not Matching The Level Of The Configuration Set

To see if there would be any different or additional information I tried the manual setup, but it ended with the following error

image

Figure 2: Error Message About The Level Of The Operating System Not Matching The Level Of The Configuration Set

Looking at the error it might even look like a permission error as it mentions not being able to create the NTDS Settings object. However, when you look at the ADLDS Instance Event Log of the existing ADLDS instance that is being used as the replication source, you will see that apparently the new ADLDS replica instance running W2K12R2 presents itself as a W2K8R2 server (level 4).

image

Figure 3: Error About OS Level Not Matching The Required Level Of The Configuration Set

This looks like a bug!

The solution (make sure to provide the ADLDS host and Ldap port!):

  • View the current level of the Configuration Set

Get-ADObject -Server <ADLDS Host>:<ADLDS LDAP Port> -SearchBase $("CN=Partitions," + (Get-ADRootDse -Server <ADLDS Host>:<ADLDS LDAP Port>).ConfigurationNamingContext) -SearchScope Base -Filter * -Properties "msDS-Behavior-Version" | FL

  • Lower the Configuration Set Level to level 4

Set-ADObject -Server <ADLDS Host>:<ADLDS LDAP Port> -Identity $("CN=Partitions," + (Get-ADRootDse -Server <ADLDS Host>:<ADLDS LDAP Port>).ConfigurationNamingContext) -Replace @{"msDS-Behavior-Version"=4}

  • Add the new replica instance

image

Figure 4: Installing The New ADLDS Replica Instance While The Level Is Set To 4

  • If you try to increase the Configuration Set Level to level 6 again, you will see….

Set-ADObject -Server <ADLDS Host>:<ADLDS LDAP Port> -Identity $("CN=Partitions," + (Get-ADRootDse -Server <ADLDS Host>:<ADLDS LDAP Port>).ConfigurationNamingContext) -Replace @{"msDS-Behavior-Version"=6}

image

Figure 5: Error When Trying To Increase The Level Again After Installing The New ADLDS Replica Instance

UPDATE 2016-12-03: This issue does not exist in Windows Server 2016 where you will be able to increase the configuration set level to level 7

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Active Directory Lightweight Directory Services (ADLDS), Functional Level | Leave a Comment »

(2015-10-07) Realistic Random Data Set To Import Into Some Identity Store

Posted by Jorge on 2015-10-07


Have you ever required to have a large and realistic random data set to test your application or system in some way? Well, look no further!

With testing, “performance/volume testing” and/or “logic testing” (either declarative or coded, against small and large data sets) is meant. Testing with correctly defined (custom) data is required to make sure the application/system behaves as you require it to behave. By using fake data you are sure you do not get into trouble due to privacy or security related issues. You also do not have to beg for and jump through all kinds of hoops to get the data. Depending, on your organization, you may also need to have a data set that includes special characters (e.g. apostrophes) and/or very special characters (e.g. unicode characters from other languages)

Most likely, there are more websites out there, but the following 2 websites can help you out in different scenarios:

  1. https://www.mockaroo.com/
  2. http://www.fakenamegenerator.com/order.php

[1] Mockaroo – Realistics Data Generator

This website allows you to use your own defined schema. You can do that by selecting/defining the field names and field types or by importing the field headers of some CSV file you have. After importing the CSV headers, you still need to define the field types. When done, you can preview the data or download it right away. The data can be downloaded in different formats, such as, but not limited to, CSV format. The only downsides are the limited number of objects (max. 1000) and that it only supports western characters for names. If you need more data, you need to pay a fee per year.

image

Figure 1: The Interface Of The Mockaroo Website To Define The Required Schema

[2] Fake Name Generator

However, if you do not have a strict schema, you want up to 50.000 objects and you also require non-western characters for names (e.g. japanese, chinese, arabic, etc.), then you might be interesting in using this website. You can generate data for a single object, or you can bulk generate (order for free!) a very large amount of data up to 50.000 objects. If you need more objects, you just request it multiple times.

First you need to select the format and compression type. Secondly you need to select the name set(s), countries, gender and age of that objects.

image

Figure 2a: The Interface Of The Fake Name Generator Website To Define The Configuration For The Data Set

And last but not least, you need to select the required fields you want to include in the data set, define the required number of objects and the e-mail address where the bulk order is e-mailed to.

image

Figure 2b: The Interface Of The Fake Name Generator Website To Define The Configuration For The Data Set

Every request file is made available after a few minutes and when done you will receive an e-mail with a time-limited link.

After receiving the data set you can import it, by first writing your own PowerShell script, into ADDS, ADLDS, Azure AD, FIM Portal/Sync, SQL database or anything similar

Have fun!

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Active Directory Domain Services (ADDS), Active Directory Lightweight Directory Services (ADLDS), Data Set, Data Set, Data Set, Data Set, Forefront Identity Manager (FIM) Portal, Windows Azure Active Directory | Leave a Comment »

(2012-03-27) Active Directory Lightweight Directory Services (ADLDS) On Windows “8”

Posted by Jorge on 2012-03-27


Active Directory Lightweight Directory Services (ADLDS), or a.k.a. Active Directory Application Mode (ADAM), (you can find its logo here clip_image001) by default is available on the server OS as a Server Role.

clip_image002

Figure 1: The “Active Directory Lightweight Directory Services” On Windows Server “8” Beta As A Server Role

However, on the client OS, for Windows XP you needed to download it separately, for Windows Vista there was no ADLDS available and for Windows 7 you also had to download it separately. For Windows Client “8” Consumer Preview, there is not need to download anything separately as it is by default available as a Windows Feature. YES!!!!

clip_image003

Figure 2: The “Active Directory Lightweight Directory Services” On Windows Client “8” Consumer Preview As A Windows Feature

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Active Directory Lightweight Directory Services (ADLDS), Windows Client, Windows Server | Leave a Comment »

(2010-01-11) ADLDS (ADAM) For Windows 7

Posted by Jorge on 2010-01-11


In previous client versions of Windows, ADLDS (a.k.a. ADAM) was available for WXP. IN addition to that it was available in every server version of Windows (W2K3, W2K3R2, W2K8 and W2K8R2). There was no official version for Vista, but if I remember correctly (not sure though) it was possible to get the separate download working with some hacks.

However, since yesterday, Microsoft has provided a version of ADLDS for Windows 7. Now everybody with interest to have a lean and mean directory service on his desktop to test or develop software can do it on his desktop without the need to have a server OS.

Get it here!

….and for its logo, see here. J

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Active Directory Lightweight Directory Services (ADLDS), Windows Client | Leave a Comment »

(2009-04-16) ADLDS (ADAM) On Windows Client

Posted by Jorge on 2009-04-16


At the moment you have ADLDS, a.k.a. ADAM, only on the server platform starting from Windows Server 2003 R2 and up. For both Windows Server 2003 RTM and Windows XP Professional you can download an out-of-band version of ADAM. Unfortunately there is no ADAM for Windows Vista or Windows 7. Developers, and others, using the last two are out of luck. But wait! That’s gonna change. Microsoft will release an out-of-band version of ADLDS for BOTH Windows Vista and Windows 7. Yes people, it’s going to happen, you just need to be a little more patient!

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

Posted in Active Directory Lightweight Directory Services (ADLDS), Windows Client | Leave a Comment »

 
%d bloggers like this: