(2019-12-12) Delivered Session About “Moving Towards Passwordless Concept”

Delivered session @DetronICT, invited by @ThierryVos about "Moving Towards Passwordless Concept" (preso and demos). About 30 tech enthusiasts listened until bitter end. Thanks for the invitation, and until a next time! Reward afterwards? Enjoying some beers together!

Figure 1: Initial Slide – Title/SubTitle

–

Figure 2: Introducing Me

–

Figure 3: The Agenda

–

Figure 4: The Agenda With Demos

– Cheers,

Jorge

————————————————————————————————————————————————————-
This posting is provided "AS IS" with no warranties and confers no rights!
Always evaluate/test everything yourself first before using/implementing this in production!
This is today’s opinion/technology, it might be different tomorrow and will definitely be different in 10 years!
DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
————————————————————————————————————————————————————-
########################### Jorge’s Quest For Knowledge ##########################
#################### http://JorgeQuestForKnowledge.wordpress.com/ ###################
————————————————————————————————————————————————————-

(2019-08-01) Moving Towards The Password-Less Concept – One Heck Of Journey And Badly Needed

Current passwords are potentially weak and any use of those in general further weakens an infrastructure. Preferably any org needs to move away from using passwords as much as possible. This means for example preventing the usage of passwords, and instead use SSO and/or other more secure authentication mechanisms. In other words, the adoption of the "Password-Less" concept. However, for those scenarios that cannot adopt “Password-Less" (yet), passwords must be strengthened or better secured at rest and in transport. In today’s world “identity” is the key control plane. Therefore protecting the “identity” and everything related is of utmost importance. Usage of weak passwords presents unacceptable security risks to any org. We all know that, don’t we?! Now you need to act to secure yourself as best as possible.

–

Going password-less is a journey on its own and implementing that concept could mean for example (NOT an exhaustive list and also in random order!):

• Ban “weak/common” words from being used in weak passwords using Azure AD Password Protection and/or LithNet Password Protection For Active Directory (LPP) (last one is free and the feature set is huge!)
• Check AD for weak passwords and weak accounts configurations and follow up with risk mitigating actions. Can be done through LPP and DS Internals and generic LDAP queries
• Help and educate users in terms of using, storing, generating, uniqueness, sharing/distributing, etc. for less frequent (complex and long) and regular used (pass phrases) passwords. Preferably use machine generated passwords as those have no human logic in them, or use (long) passphrases or bang your head against the keyboard multiple times while on and off holding the SHIFT key (last one, kidding!) (people tend to implement logic or sequences somehow in passwords to not forget those long passwords and to make them unique)
• To generate password you can use for example: https://passwordsgenerator.net/ which supports pre-configured URLs such as
• Generate Pwd (010 – No Symbols)
• Generate Pwd (015 – No Symbols)
• Generate Pwd (016 – No Symbols)
• Generate Pwd (016 – With Symbols)
• Generate Pwd (020 – No Symbols)
• Generate Pwd (020 – With Symbols)
• Generate Pwd (030 – No Symbols)
• Generate Pwd (030 – With Symbols)
• Generate Pwd (064 – No Symbols)
• Generate Pwd (064 – With Symbols)
• Generate Pwd (128 – No Symbols)
• Generate Pwd (128 – With Symbols)
• Generate Pwd (256 – No Symbols)
• Generate Pwd (256 – With Symbols)
• Move service accounts in AD from regular service accounts to:
• Group Managed Service Accounts if possible
• …and if that’s not possible have a password vault store, manage and change passwords on a regular basis
• …and if that’s not possible keep using regular service accounts with long and unique passwords
• If possible, increase the password length to a minimum of 15 characters for users
• Move away from periodic password changes to risk based password changes (e.g. through Azure AD Identity Protection)
• Using strong and unique passwords for every individual system/site not supporting SSO (the strength of a password is mostly determined by its length, the longer the better!);
• Securely store passwords in an MFA enabled password manager/vault that is available on both your desktop and mobile device(s)
• Make Self-Service Password Reset available to users for those occasions where the password is needed but the user has forgotten the password or has locked itself out
• When using ADFS, implement extranet lockout policy
• Only use HTTPS connections (at least TLS1.2) in your environment and do not use HTTP
• Update systems, tools, scripts to NOT set weak/generic/well-known password or account configurations (e.g. LM Hashes, Password Not Required, Password Never Expires, etc)
• Decrease the use of passwords as much as possible by:

• Implementing SSO
• Implement password-less authN for Windows computers (e.g. Windows Hello for Business) and remove password based authN if possible
• Implement password-less authN for mobile devices (e.g. Azure AD MFA + AuthNtor App Notifications And OTPs) as primary authN, preferably with at least 2 factors during that primary authN, or implement password authN as secondary authN (when using ADFS)

–

Additional Resources:

• What is password-less?
• Password-less Strategy
• Password-less Protection (White Paper)
• A world without passwords with Azure Active Directory
• Enable password-less security key sign in for Azure AD
• Enable password-less sign-in with the Microsoft Authenticator app
• Windows Hello for Business

–

Hope this helps you!

–

Cheers,

Jorge

————————————————————————————————————————————————————-
This posting is provided "AS IS" with no warranties and confers no rights!
Always evaluate/test everything yourself first before using/implementing this in production!
This is today’s opinion/technology, it might be different tomorrow and will definitely be different in 10 years!
DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
————————————————————————————————————————————————————-
########################### Jorge’s Quest For Knowledge ##########################
#################### http://JorgeQuestForKnowledge.wordpress.com/ ###################
————————————————————————————————————————————————————-

(2017-06-23) Adding A Link To The SSPR Page In The ADFS FBA Page

When users use Windows Integrated Authentication against ADFS through their Windows desktop/laptop the users are authenticated based upon the credentials they used to logon with onto that Windows desktop.laptop. If those users needed to reset their password or unlock their account, a link would need to be provided within the logon screen to point to the SSPR page or users would need to use some kind of kiosk PC.

However, when hitting the Forms Based Authentication page within ADFS, it would be nice if you could display a link on that same page if users needed to reset their password or unlock their account when for example on a mobile device. Something similar to the following:

 

Figure 1: A Link To The SSPR Page On The FBA Page

–

If you want to do this, you can use the following steps

[Step 1]

Clone the current active ADFS web theme to a new ADFS web theme

First determine the current web theme

Get-ADFSWebConfig

Clone the current active web theme to a new web theme

New-AdfsWebTheme -Name <New Web Theme Name> -SourceName <Active Web Theme Name>

–

[Step 2]

Export the cloned web theme to a folder on the file system

Export-AdfsWebTheme -Name <New Web Theme Name> -DirectoryPath <Some Folder On The File System>

–

[Step 3]

Edit the file “onload.js” in the folder “<Some Folder On The File System>\Script” and add the following piece of code to the end of the file to show the link to the SSPR page in AAD on the FBA page (NOTE: you can use any other SSPR page if you want, such as the FIM/MIM SSPR page)

// Add link for password reset, if we find the forms authentication element in the page
var formsAuthArea = document.getElementById("formsAuthenticationArea");
if (formsAuthArea) {
    //Create the hyperlink
    var pwdResetLink = document.createElement(‘a’);
    var linkText = document.createTextNode("Click Here For Password Reset Or Account Unlock");
    pwdResetLink.appendChild(linkText);
    pwdResetLink.title = "Click Here For Password Reset Or Account Unlock";
    pwdResetLink.href = "";’>";’>https://passwordreset.microsoftonline.com/?whr=<Your Domain In AAD>";
    pwdResetLink.target = "_blank";
    document.body.appendChild(pwdResetLink);

    //append to the authArea
    var authNArea = document.getElementById("authArea");
    authNArea.appendChild(pwdResetLink);
}

–

[Step 4]

Import the new edited “onload.js” file

Set-AdfsWebTheme -TargetName <New Web Theme Name> -AdditionalFileResource @{Uri=’/adfs/portal/script/onload.js’;path="<Some Folder On The File System>\script\onload.js"}

–

[Step 5]

Activate the new web theme

Set-AdfsWebConfig -ActiveThemeName <New Web Theme Name>

–

Now access an application and make sure to use the FBA page. The FBA page is used when coming from a mobile device on an external network or when not using WIA

–

–

Cheers,
Jorge

 

————————————————————————————————————————————————————-
This posting is provided "AS IS" with no warranties and confers no rights!
Always evaluate/test everything yourself first before using/implementing this in production!
This is today’s opinion/technology, it might be different tomorrow and will definitely be different in 10 years!
DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
————————————————————————————————————————————————————-
########################### Jorge’s Quest For Knowledge ##########################
#################### http://JorgeQuestForKnowledge.wordpress.com/ ###################
————————————————————————————————————————————————————-

(2017-05-27) Real Required Permissions For Password Change, Password Reset And Account Unlock Through Azure AD

When deploying Azure AD Self-Service Password/Account Management you need to configure stuff in both Azure AD and the on-premises AD. The “what” and the “how” can be found through Azure AD self-service password reset for the IT professional.

–

In the on-premises AD you need to assign a number of permissions to the account for the connector/MA that services that specific AD. You will need to do this for every AD forest being serviced by AAD Connect. For every AD forest you need to determine the scope of management being either at domain level of OU level. Nevertheless, the following actions are supported by Azure AD Self-Service Password/Account Management and according to Microsoft the corresponding permissions need to be assigned to the connector/MA account (as listed here):

• Account Unlock
• Requires at least the Allow:Write permission for the lockoutTime  attribute on the user account
• Password Reset
• Requires at least the Allow:Write permission for the pwdLastSet attribute on the targeted user account
• Requires at least the Allow:Reset Password Control Access Right (CAR) on the targeted user account
• Password Change
• Requires at least the Allow:Change Password Control Access Right (CAR) on the targeted user account

–

The permissions can be configured through the GUI in ADUC/ADAC or through DSACLS. For regular accounts the permissions need to be assigned at container level (domain or specific OUs) and must be inherited by user objects.

The “Allow:Write permission for the lockoutTime  attribute on the user account” for regular accounts can be configured through:

DSACLS "<DN of OU>" /G "<AD Group For Account Unlock>:WP;lockoutTime;user" /I:S

–

The “Allow:Write permission for the pwdLastSet attribute on the targeted user account” for regular accounts can be configured through:

DSACLS "<DN of OU>" /G "<AD Group For Password Reset>:WP;pwdLastSet;user" /I:S

–

The “Allow:Reset Password Control Access Right (CAR) on the targeted user account” for regular accounts can be configured through:

DSACLS "<DN of OU>" /G "<AD Group For Password Reset>:CA;Reset Password;user" /I:S

–

The “Allow:Change Password Control Access Right (CAR) on the targeted user account” for regular accounts can be configured through:

….does NOT need to be configured at all as the password change action always occurs under the context of the account for which the password is being changed. For that to be possible, AD already has the needed permissions in place for this to be possible as shown below!

Figure 1: The “Allow:Change Password” Permission Already Assigned By Default To The EVERYONE And SELF Security Principals

–

Therefore: There is NO NEED to specifically assign “Allow:Change Password Control Access Right (CAR) on the targeted user account” for the connector/MA account. It will work perfectly without it!

–

The exact same permissions are required on “protected” accounts. However, the permissions for those accounts need to be assigned through the adminSDHolder object. The permissions can be configured through the GUI in ADUC/ADAC or through DSACLS.

The “Allow:Write permission for the lockoutTime  attribute on the user account” for protected accounts can be configured through:

DSACLS "CN=AdminSDHolder,CN=System,<DN Of Domain>" /G "<AD Group For Account Unlock>:WP;lockoutTime;user"

–

The “Allow:Write permission for the pwdLastSet attribute on the targeted user account” for protected accounts can be configured through:

DSACLS "CN=AdminSDHolder,CN=System,<DN Of Domain>" /G "<AD Group For Password Reset>:WP;pwdLastSet;user"

–

The “Allow:Reset Password Control Access Right (CAR) on the targeted user account” for protected accounts can be configured through:

DSACLS "CN=AdminSDHolder,CN=System,<DN Of Domain>" /G "<AD Group For Password Reset>:CA;Reset Password;user"

–

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
######### http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

(2017-03-21) “Unrecoverable Issue” Error Or “Temporary Connectivity Issue” Error During Azure AD Password Change Or Password Reset

A few days ago I was testing with Azure AD Password Change and Azure AD Self-Service Password Reset. I experienced the following errors, which at that time were weird and that I was not able to understand, as a few days before everything was working.

The errors below are related to password change. However, you will see similar errors when using password reset.

Figure 1: Error When Using Azure AD Self-Service Password Change/Reset

–

we could not change your password

We’re sorry, but we cannot change your password at this time. This is due to a temporary

connectivity issue, so if you try again later, changing your password may succeed.

If the issue persists, please contact your admin to change your password for you

–

Figure 2: Error When Using Azure AD Self-Service Password Change/Reset

–

we could not change your password

 

We’re sorry, but we cannot change your password at this time. Unfortunately, this is due to

an unrecoverable issue with your account configuration, so trying again won’t work.

Please contact your admin to change your password for you

–

When you look in the Application Event Log on the active Azure AD Connect server you will see an event similar to the following one.

Figure 3: Error In The Application Event Log Of The AAD Connect Server When Using Azure AD Self-Service Password Change/Reset

–

An unexpected error has occurred during a password set operation.
"ERR_: MMS(2332): ..\ObjectSearcher.cpp(461): AD Object is not present.
BAIL: MMS(2332): ..\ObjectSearcher.cpp(491): 0x80230405 (The operation failed because the object cannot be found): No password writeback targets found. Make sure that the source object exists and is connected to the target objects via MV and the target object is in scope of password sync rule. AAD anchor = User_ad4555c8-5a6c-4769-b3f7-27f58383f23dAzure AD Sync 1.1.443.0"

–

I also saw the following error

Figure 4: Error In The Application Event Log Of The AAD Connect Server When Using Azure AD Self-Service Password Change/Reset

–

TrackingId: 0f14f5a9-b62c-448f-a0bf-9783f73660ea, Reason: Synchronization Engine returned an error hr=80230405, message=The operation failed because the object cannot be found, Context: cloudAnchor: User_cb4555c8-5a6c-4769-b3f7-27f58383f23d, SourceAnchorValue: xxxxxxxxxxxxx UserPrincipalName: jorge@xxxxxx.nl, Details: Microsoft.CredentialManagement.OnPremisesPasswordReset.Shared.PasswordResetException: Synchronization Engine returned an error hr=80230405, message=The operation failed because the object cannot be found
   at AADPasswordReset.SynchronizationEngineManagedHandle.ThrowSyncEngineError(Int32 hr)
   at AADPasswordReset.SynchronizationEngineManagedHandle.ChangePassword(String cloudAnchor, String sourceAnchor, String oldPassword, String newPassword)
   at Microsoft.CredentialManagement.OnPremisesPasswordReset.PasswordResetCredentialManager.ChangePassword(String changePasswordXMLRequestString)

–

The errors mention 2 key hints:

1. The operation failed because the object cannot be found
1. Make sure that the source object exists and is connected to the target objects via MV ….
2. …..and the target object is in scope of password sync rule

–

[AD.1]

This basically says the following:

• The AD user object has a representative connector space object in the AD connector space, which is connected to a metaverse object, which is connected to connector space object in the AAD connector space, which is a representation of the AAD user object

In other words, the AD object and the AAD object must be related to each other through the CS objects and the MV object in Azure AD Connect. All CS objects must be a “connector”. If that is not the case you will need to fix this.

–

[AD.2]

This basically says the following:

• Are there at least 1 inbound sync rule from AD and at least 1 outbound sync rule to AAD that both have the setting “Enable Password Sync” enabled and that both target the related objects end-to-end in Azure AD Connect

In other words, if at least one inbound sync rule and at least one outbound sync rule do not have the setting “Enable Password Sync” enabled it will produce this error. In addition, if the inbound and outbound sync rules with that setting do not scope the same related objects, it will also produce this error

–

So what was it in my case? Let’s first go back to the theory.

–

By default, 2 sync rules in Azure AD Connect (“In from AD – User AccountEnabled” and “Out to AAD – User Join”) have the settings “Enable Password Sync” enabled. If you want to use Password Change and Password Reset in Azure AD, you will have to enable Password Writeback in Azure AD Connect. That’s it! You do not have to do anything else!

–

Let’s assume you need to change any of the default rules. In that scenario you will try to edit the default sync rule and then choose the option to clone and disable the original sync rule. The cloned sync rule is then edited as you see fit or need. When you clone a sync rule that has the setting “Enable Password Sync”, that setting will also be transferred from the original sync rule to the cloned sync rule.

–

A week or so ago, I had to reinstall Azure AD Connect. So I used my script to export sync rules to PowerShell files, uninstalled Azure AD Connect, reinstalled Azure AD Connect and imported my custom sync rules. And here is where it went wrong! The script that I had written had a bug where it DID NOT export the setting “Enable Password Sync” on any sync rule. Therefore, during import the setting “Enable Password Sync” was also not put back on my custom inbound sync rule (and the original sync rule was disabled, as expected!). A simple fix to the script solved the export issue.

–

For Azure AD Connect, on my custom inbound sync rule I enabled the setting “Enable Password Sync” and ran an initial (full) sync with the command: Start-ADSyncSyncCycle -PolicyType Initial

Problem solved!

–

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
######### http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

(2014-04-05) Azure Active Directory Services – It’s Getting Cooler By The Day!

Azure Active Directory has reached general availability. It is packed with very cool features for all the stuff you want, or need, to do in the cloud.

Azure Active Directory Premium is a service targeted at large enterprises and is available through volume licensing and/or an enterprise agreement. So if you are interested in a demo, a trial or purchasing, contact your Microsoft account rep (OR ME!). It is also available as part of our new Enterprise Mobility Suite (EMS) which includes Intune and Azure RMS as well. We are offering some incredible deals on EMS for the next 90 days so if you are considering purchasing subscriptions any of these services, now is a great time to act!

As always, we’d love to hear any feedback or suggestions you have. And for those of you with enterprise class identity needs, I hope you’ll find Azure AD Premium useful!

–

It is a combined offering for:

• Directory Services
• Federation Services
• Rights Management Services
• Multi-Factor AuthN
• Identity Management
• Monitoring and Reporting
• and much more!

….in the cloud.

–

WOW!

–

Read more about it through the following links:

• Cloud based Identity and Access Management for every user on every device
• Azure Active Directory Premium has reached GA!
• Azure RMS now in Azure management portal !

–

Have fun!

–

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER: https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
######### http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————