Jorge's Quest For Knowledge!

All About Identity And Security On-Premises And In The Cloud – It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2019-02-07) People Picker Error In Sharepoint 2013

Posted by Jorge on 2019-02-07


From time to time I fully update my test/demo environment to make sure all the installed stuff uses the latest available features for those versions. And yes, I’m still running some old versions because I need the basic functionality for some things to work and do not need the latest and greatest. Because I’m still running everything on a server on-premises (yes, those people still exist), I need to be careful with the latest and greatest apps behaving as resource hogs. And that’s why I’m still running SharePoint Foundation 2013. While updating I sometimes also try out stuff just to see if things are still working. This blog post is basically about archiving this piece of information from my brain for the next time it happens, so I do not forget it.

This time, even as a Site Collection administrator, I was not able to navigate to the site or to assign permissions to an AD group or user.

In the first case, I saw the error “Sorry, You Don’t Have Access To This Page”. For me that was quite surprising, as by default Site Collection administrators have Full Control.

Figure 1: Error “Sorry, You Don’t Have Access To This Page”

As navigation was not possible, I browsed to the settings page to assign permissions using a direct URL (“https://<FQDN>:<PORT>/_layouts/15/settings.aspx”). While trying to assign permissions to a group, the group could not be resolved and it showed the error “Sorry, We’re Having Trouble Reaching The Server”.

Figure 2: Error “Sorry, We’re Having Trouble Reaching The Server” While Resolving A Security Principal

I googled around and noticed I was not the only one having this issue. After trying a number of solutions, the only one that really worked for me was extending the web application and, when done, unextending it again.

To extend a web application:

  • On the Sharepoint Server start a browser and navigate to the Central Administration site
  • On the Central Administration site, in the Application Management section, click “Manage Web Applications”
  • Select the web application that is not working due to the errors above and in the ribbon click “Extend”
  • Make sure the option “Create A New IIS Web Site” is selected
  • Check that none of the other settings (for example the port or the host header) conflict with any other IIS web site on the same box, and when OK click “OK” at the bottom
  • After letting the system finish the extension of the web application, try to assign permissions again

…and if all went well you should now be able to resolve security principals from AD.

Figure 3: Resolving A Security Principal From AD Now Does Work

After confirming it is working again, you can unextend the web application.

To unextend a web application:

  • On the Sharepoint Server start a browser and navigate to the Central Administration site
  • On the Central Administration site, in the Application Management section, click “Manage Web Applications”
  • Select the web application that was previously extended for which you want to delete the extension
  • On the ribbon, just below the “Extend” button, click the tiny arrow and select “Remove SharePoint from IIS Web Site”
  • Select the correct extension to delete
  • Make sure to delete the IIS Web Site too
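The same extend, verify, unextend round trip done from the SharePoint 2013 Management Shell instead of Central Administration, as an added example that is not part of the original post. The web application URL, the port of the extension, the IIS site name and the zone are assumptions; pick values that do not clash with an existing IIS web site on the box.

```powershell
# Added example, not from the original post: the Central Administration steps above
# done with the SharePoint Management Shell. URL, port, zone and site name are assumptions.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$webAppUrl = "https://sharepoint.example.local"      # assumed: the web application showing the errors
$extUrl    = "https://sharepoint.example.local:8443" # assumed: a port no other IIS site listens on
$zone      = "Intranet"                              # assumed: any zone the web app does not use yet
$extName   = "SharePoint - Temporary Extension"      # assumed: name of the new IIS web site

$webApp = Get-SPWebApplication -Identity $webAppUrl

# 1. Extend: this is "Create A New IIS Web Site" from the ribbon. The extension is
#    claims based (Windows/NTLM), matching a default SharePoint 2013 web application.
New-SPWebApplicationExtension -Identity $webApp -Name $extName -Zone $zone `
    -URL $extUrl -Port 8443 -SecureSocketsLayer `
    -AuthenticationProvider (New-SPAuthenticationProvider)

# 2. Verify the zone now exists, then test people picker resolution in the browser
#    (settings.aspx of the affected site, as in the post).
(Get-SPWebApplication -Identity $webAppUrl).IisSettings.Keys

# Worth a look while you are at it: the people picker settings of the web application
# control how SharePoint queries AD when resolving a principal.
$webApp.PeoplePickerSettings | Format-List *

# 3. Once principals resolve again, remove ONLY the extension and its IIS web site.
#    Without -Zone, Remove-SPWebApplication deletes the whole web application.
Remove-SPWebApplication -Identity $webApp -Zone $zone -DeleteIISSite -Confirm:$false
```

Keep the -Zone parameter on the last command; omitting it removes the entire web application rather than the extension. The PeoplePickerSettings line is only a place to look: the post does not say which setting, if any, was wrong, it only records that extending and unextending cleared the error.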

You should be good now. At least I was!

Cheers,
Jorge

————————————————————————————————————————————————————-
This posting is provided "AS IS" with no warranties and confers no rights!
Always evaluate/test everything yourself first before using/implementing this in production!
This is today’s opinion/technology, it might be different tomorrow and will definitely be different in 10 years!
DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
————————————————————————————————————————————————————-
########################### Jorge’s Quest For Knowledge ##########################
#################### http://JorgeQuestForKnowledge.wordpress.com/ ###################
————————————————————————————————————————————————————-


Posted in Sharepoint Server | Leave a Comment »

(2019-01-03) Some Phones Are Not That Good With Face Recognition

Posted by Jorge on 2019-01-03


Are you using face recognition to unlock your mobile phone?

And is that mobile phone on the following list?

It appears that many of the mobile phones on the list can be unlocked by using a picture instead of your face.

To be sure nobody accesses your personal data that easily, preferably and if possible use a fingerprint or a code to unlock the mobile phone.

All the phones on the list titled “Toestellen ontgrendeld met een foto” (devices unlocked with a photo) can be easily unlocked with a photo of your face.

All the phones on the list titled “Toestellen ontgrendeld met een foto, maar met betere beveiliging” (devices unlocked with a photo, but with better security) can also be easily unlocked with a photo of your face, but they do provide more secure settings for face recognition.

All the phones on the list titled “Toestellen die niet met een foto zijn te ontgrendelen” (devices that cannot be unlocked with a photo) appear to be secure; their face recognition is not fooled by a photo of your face.

From the Dutch consumer organisation Consumentenbond:

https://www.consumentenbond.nl/veilig-internetten/gezichtsherkenning-te-hacken

Cheers,
Jorge


Posted in Day-To-Day Stuff, Mobile Devices, Security | Leave a Comment »

(2019-01-01) Happy New Year 2019!

Posted by Jorge on 2019-01-01


A happy new year 2019 to everyone!. Enjoy, have fun and make the best of it!


Cheers,
Jorge


Posted in Day-To-Day Stuff | Leave a Comment »

(2018-12-30) Azure AD Connect v1.2.70.0 Has Been Released

Posted by Jorge on 2018-12-30


Integrating your on-premises directories with Azure AD makes your users more productive by providing a common identity for accessing both cloud and on-premises resources. With this integration users and organizations can take advantage of the following:

  • Organizations can provide users with a common hybrid identity across on-premises or cloud-based services leveraging Windows Server Active Directory and then connecting to Azure Active Directory.
  • Administrators can provide conditional access based on application resource, device and user identity, network location and multifactor authentication.
  • Users can leverage their common identity through accounts in Azure AD to Office 365, Intune, SaaS apps and third-party applications.
  • Developers can build applications that leverage the common identity model, integrating applications into Active Directory on-premises or Azure for cloud-based applications

Azure AD Connect makes this integration easy and simplifies the management of your on-premises and cloud identity infrastructure.

Download "Microsoft Azure Active Directory Connect"

Azure AD Connect: Version Release History

1.2.70.0

Released: 12/18/2018

Released for download

Prerequisites for Azure AD Connect

More information about Azure AD Connect

Fixed issues

  • This build updates the non-standard connectors (for example, Generic LDAP Connector and Generic SQL Connector) shipped with Azure AD Connect. For more information on applicable connectors, see version 1.1.911.0 in Connector Version Release History.

I (finally) ran the MSI and upgraded from the previous version without any issues and ran at least one scheduled sync cycle!

Cheers,
Jorge


Posted in Azure AD Connect, Windows Azure Active Directory | Leave a Comment »

(2018-12-30) Azure AD Connect v1.2.69.0 Has Been Released

Posted by Jorge on 2018-12-30


Integrating your on-premises directories with Azure AD makes your users more productive by providing a common identity for accessing both cloud and on-premises resources. With this integration users and organizations can take advantage of the following:

  • Organizations can provide users with a common hybrid identity across on-premises or cloud-based services leveraging Windows Server Active Directory and then connecting to Azure Active Directory.
  • Administrators can provide conditional access based on application resource, device and user identity, network location and multifactor authentication.
  • Users can leverage their common identity through accounts in Azure AD to Office 365, Intune, SaaS apps and third-party applications.
  • Developers can build applications that leverage the common identity model, integrating applications into Active Directory on-premises or Azure for cloud-based applications

Azure AD Connect makes this integration easy and simplifies the management of your on-premises and cloud identity infrastructure.

Download "Microsoft Azure Active Directory Connect"

IMPORTANT: I upgraded from Azure AD Connect v1.2.68.0, and the next time it synched after performing the steps below it triggered a full import and full sync for both the AD connector and the AAD connector. Since this may take some time, depending on the size of your AD/AAD environment in terms of number objects being synched, make sure that you have taken the necessary steps to support this or hold off on upgrading until you have found a convenient moment to do so.

Azure AD Connect: Version Release History

1.2.69.0

Released: 12/11/2018

Released for download

Prerequisites for Azure AD Connect

More information about Azure AD Connect

Fixed issues

  • This hotfix build allows the user to select a target domain, within the specified forest, for the RegisteredDevices container when enabling device writeback. In the previous versions that contain the new Device Options functionality (1.1.819.0 – 1.2.68.0), the RegisteredDevices container location was limited to the forest root and did not allow child domains. This limitation only manifested itself on new deployments – in-place upgrades were unaffected.
  • If any build containing the updated Device Options functionality was deployed to a new server and device writeback was enabled, you will need to manually specify the location of the container if you do not want it in the forest root. To do this, you need to disable device writeback and re-enable it which will allow you to specify the container location on the “Writeback forest” page.

I (finally) ran the MSI and upgraded from the previous version without any issues (except for what I mentioned below!) and ran at least one scheduled sync cycle!

After the upgrade I noticed the following, which was weird! Device writeback was enabled and configured correctly. I have one single AD domain. No idea why this happened. This was not a new server, as the second bullet in the “fixed issues” section above mentions.

After the next sync I started seeing the errors below. The upper two are devices synched from AAD to AD, the lower two are Windows 10 devices being synched from AD to AAD.

Figure 1: “Container-Not-In-Scope” Errors

After checking the device writeback config, it was empty!

Get-ADSyncGlobalSettingsParameter | ?{$_.name -like "Microsoft.DeviceWriteBack*"}

Figure 2: Device Writeback NOT Being Enabled And Configured After The Upgrade

Checking the Azure AD Connect Wizard it said it was enabled. Again, weird!

My solution for this was the following steps

  • Disable the sync scheduler

Set-ADSyncScheduler -SyncCycleEnabled $false # <— By The Way, Should ALWAYS Be Executed Before An Upgrade Of AAD Connect To Make Sure The Sync DOES NOT Start

  • Using The Azure AD Connect Wizard: Disable Device Writeback
    • Start AAD Connect Wizard –> Click [Configure] –> Select [Configure Device Options] –> Click [Next] (2x) –> Enter AAD Global Credentials –> Select “Disable Device Writeback” –> Click [Next] –> Click [Configure] –> Click [Exit])

  • Using The Azure AD Connect Wizard: Reenable Device Writeback
    • Start AAD Connect Wizard –> Click [Configure] –> Select [Configure Device Options] –> Click [Next] (2x) –> Enter AAD Global Credentials –> Select “Configure Device Writeback” –> Click [Next] –> Select the AD Forest And AD Domain To Host The Synched Devices From AAD –> Enter AD Enterprise Admin Credentials Or Select The Option To Download The PowerShell Script –> Click [Next] –> Click [Configure] –> Click [Exit])

  • Check The Device Writeback Configuration
    • Get-ADSyncGlobalSettingsParameter | ?{$_.name -like "Microsoft.DeviceWriteBack*"}

Figure 3: Device Writeback Being Enabled And Configured

  • Reenable the sync scheduler

Set-ADSyncScheduler -SyncCycleEnabled $true # <—Should ALWAYS Be Executed AFTER A Successful And Verified Upgrade Of AAD Connect To Make Sure The Sync DOES Start The Next Schedule
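The steps above (stop the scheduler before touching AAD Connect, verify the device writeback configuration, only then re-enable the scheduler) as one script, as an added example that is not part of the original post. It uses the same Get-ADSyncGlobalSettingsParameter filter as the post; the wait loops, the msDS-DeviceContainer lookup (the object class the 1.2.65.0 schema check looks for) and the assumption of a single AD domain are additions, and the post does not claim a missing container was its root cause.

```powershell
# Added example, not from the original post: upgrade-safe wrapper around the
# scheduler and device writeback checks described above. The single-domain
# assumption and everything beyond the "Microsoft.DeviceWriteBack*" filter are mine.
Import-Module ADSync
Import-Module ActiveDirectory

function Stop-SyncSchedulerAndWait {
    # Disable the scheduler BEFORE an upgrade or wizard run so no cycle starts
    # half way, then wait for any cycle that is already in progress to finish.
    Set-ADSyncScheduler -SyncCycleEnabled $false
    while ((Get-ADSyncScheduler).SyncCycleInProgress) {
        Write-Host "Sync cycle still running, waiting..."
        Start-Sleep -Seconds 30
    }
    # Get-ADSyncConnectorRunStatus returns nothing when every connector is idle.
    while (Get-ADSyncConnectorRunStatus) {
        Write-Host "A connector run is still busy, waiting..."
        Start-Sleep -Seconds 30
    }
}

function Test-DeviceWritebackConfig {
    # The check from the post: after the 1.2.69.0 upgrade this came back empty
    # even though the wizard claimed device writeback was enabled.
    $params = Get-ADSyncGlobalSettingsParameter |
        Where-Object { $_.Name -like "Microsoft.DeviceWriteBack*" }
    if (-not $params) {
        Write-Warning "Device writeback parameters are missing; disable and re-enable device writeback in the wizard."
        return $false
    }
    $params | Format-Table Name, Value -AutoSize
    return $true
}

function Test-RegisteredDevicesContainer {
    param([string]$DomainDN = (Get-ADDomain).DistinguishedName)   # assumed: one AD domain
    # Device writeback targets an msDS-DeviceContainer object in AD; if none exists
    # under the domain, writeback to AD cannot succeed regardless of the sync config.
    $container = Get-ADObject -LDAPFilter "(objectClass=msDS-DeviceContainer)" -SearchBase $DomainDN
    if (-not $container) {
        Write-Warning "No msDS-DeviceContainer found under $DomainDN"
        return $null
    }
    return $container.DistinguishedName
}

Stop-SyncSchedulerAndWait
# ... run the AAD Connect upgrade and/or the Configure Device Options wizard steps here ...
if ((Test-DeviceWritebackConfig) -and (Test-RegisteredDevicesContainer)) {
    # Only re-enable the scheduler once the configuration has been verified.
    Set-ADSyncScheduler -SyncCycleEnabled $true
    # Optionally start a cycle now instead of waiting for the next schedule; after
    # an upgrade this may turn into the full import/full sync the IMPORTANT note warns about.
    Start-ADSyncSyncCycle -PolicyType Delta
} else {
    Write-Warning "Scheduler left disabled; fix the configuration first."
}
```

Leaving the scheduler disabled until both checks pass is the point: a cycle that runs against an empty device writeback configuration produces exactly the “Container-Not-In-Scope” errors shown in Figure 1.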

Cheers,
Jorge


Posted in Azure AD Connect, Windows Azure Active Directory | Leave a Comment »

(2018-12-30) Azure AD Connect v1.2.68.0 Has Been Released

Posted by Jorge on 2018-12-30


Integrating your on-premises directories with Azure AD makes your users more productive by providing a common identity for accessing both cloud and on-premises resources. With this integration users and organizations can take advantage of the following:

  • Organizations can provide users with a common hybrid identity across on-premises or cloud-based services leveraging Windows Server Active Directory and then connecting to Azure Active Directory.
  • Administrators can provide conditional access based on application resource, device and user identity, network location and multifactor authentication.
  • Users can leverage their common identity through accounts in Azure AD to Office 365, Intune, SaaS apps and third-party applications.
  • Developers can build applications that leverage the common identity model, integrating applications into Active Directory on-premises or Azure for cloud-based applications

Azure AD Connect makes this integration easy and simplifies the management of your on-premises and cloud identity infrastructure.

Download "Microsoft Azure Active Directory Connect"

Azure AD Connect: Version Release History

1.2.68.0

Released: 11/30/2018

Released for download

Prerequisites for Azure AD Connect

More information about Azure AD Connect

Fixed issues

  • This hotfix build fixes a conflict where an authentication error might occur due to the independent presence of the MSOnline PowerShell Gallery module on the synchronization server

I (finally) ran the MSI and upgraded from the previous version without any issues and ran at least one scheduled sync cycle!

Cheers,
Jorge


Posted in Azure AD Connect, Windows Azure Active Directory | Leave a Comment »

(2018-12-30) Azure AD Connect v1.2.67.0 Has Been Released

Posted by Jorge on 2018-12-30


Integrating your on-premises directories with Azure AD makes your users more productive by providing a common identity for accessing both cloud and on-premises resources. With this integration users and organizations can take advantage of the following:

  • Organizations can provide users with a common hybrid identity across on-premises or cloud-based services leveraging Windows Server Active Directory and then connecting to Azure Active Directory.
  • Administrators can provide conditional access based on application resource, device and user identity, network location and multifactor authentication.
  • Users can leverage their common identity through accounts in Azure AD to Office 365, Intune, SaaS apps and third-party applications.
  • Developers can build applications that leverage the common identity model, integrating applications into Active Directory on-premises or Azure for cloud-based applications

Azure AD Connect makes this integration easy and simplifies the management of your on-premises and cloud identity infrastructure.

Download "Microsoft Azure Active Directory Connect"

Azure AD Connect: Version Release History

1.2.67.0

Released: 11/19/2018

Released for download

Prerequisites for Azure AD Connect

More information about Azure AD Connect

IMPORTANT: I upgraded from Azure AD Connect v1.2.65.0, and the next time it synched it triggered a full sync for the AD connector. Since this may take some time, depending on the size of your AD environment in terms of number objects being synched, make sure that you have taken the necessary steps to support this or hold off on upgrading until you have found a convenient moment to do so.

Fixed issues
  • This hotfix build fixes a regression in the previous build where Password Writeback fails when using an ADDS Domain Controller on Windows Server 2008/R2

I (finally) ran the MSI and upgraded from the previous version without any issues and ran at least one scheduled sync cycle!

Cheers,
Jorge


Posted in Azure AD Connect, Windows Azure Active Directory | Leave a Comment »

(2018-11-06) Meet Poshkatz – Mimikatz On PowerShell Steroids

Posted by Jorge on 2018-11-06


We all know Mimikatz, right? If you do not: Mimikatz is a tool that really can do some geeky, funky stuff with regards to Windows/AD security. It can extract plaintext passwords, hashes, PIN codes and Kerberos tickets from memory. Mimikatz can also perform pass-the-hash and pass-the-ticket, or build Golden Tickets.

Now meet Poshkatz! Poshkatz is a PowerShell module/wrapper around Mimikatz with tab completion. The module was created by Adam Driscoll and Lee Berg.

Enjoy!

Cheers,
Jorge


Posted in PowerShell | Leave a Comment »

(2018-11-05) Azure AD Connect v1.2.65.0 Has Been Released

Posted by Jorge on 2018-11-05


Integrating your on-premises directories with Azure AD makes your users more productive by providing a common identity for accessing both cloud and on-premises resources. With this integration users and organizations can take advantage of the following:

  • Organizations can provide users with a common hybrid identity across on-premises or cloud-based services leveraging Windows Server Active Directory and then connecting to Azure Active Directory.
  • Administrators can provide conditional access based on application resource, device and user identity, network location and multifactor authentication.
  • Users can leverage their common identity through accounts in Azure AD to Office 365, Intune, SaaS apps and third-party applications.
  • Developers can build applications that leverage the common identity model, integrating applications into Active Directory on-premises or Azure for cloud-based applications

Azure AD Connect makes this integration easy and simplifies the management of your on-premises and cloud identity infrastructure.

Download "Microsoft Azure Active Directory Connect"

Azure AD Connect: Version Release History

1.2.65.0

Released: 10/25/2018

Released for download

Prerequisites for Azure AD Connect

More information about Azure AD Connect

IMPORTANT: I upgraded from Azure AD Connect v1.1.882, and the next time it synched it triggered a full import and full sync for both the AD connector and the AAD connector. Since this may take some time, depending on the size of your AD/AAD environment in terms of number of objects being synched, make sure that you have taken the necessary steps to support this or hold off on upgrading until you have found a convenient moment to do so.

New features and improvements
  • Changed the functionality of attribute write-back to ensure hosted voice-mail is working as expected. Under certain scenarios, Azure AD was overwriting the msExchUcVoicemailSettings attribute during write-back with a null value. Azure AD will now no longer clear the on-premises value of this attribute if the cloud value is not set.
  • Added diagnostics in the Azure AD Connect wizard to investigate and identify connectivity issues to Azure AD. These same diagnostics can also be run directly through PowerShell using the Test-AdSyncAzureServiceConnectivity cmdlet.
  • Added diagnostics in the Azure AD Connect wizard to investigate and identify connectivity issues to AD. These same diagnostics can also be run directly through PowerShell using the Start-ConnectivityValidation function in the ADConnectivityTools PowerShell module. For more information see What is the ADConnectivityTool PowerShell Module?
  • Added an AD schema version pre-check for Hybrid Azure Active Directory Join and device write-back
  • Changed the Directory Extension page attribute search to be case-insensitive.
  • Added full support for TLS 1.2. This release supports all other protocols being disabled and only TLS 1.2 being enabled on the machine where Azure AD Connect is installed. For more information see TLS 1.2 enforcement for Azure AD Connect
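The two connectivity diagnostics and the TLS 1.2 situation from the list above, run from PowerShell on the sync server, as an added example that is not part of the original post or of Microsoft’s documentation. The forest name and the connector account are assumptions, the ADConnectivityTool module path is the default install location, and the Start-ConnectivityValidation parameters used here are the ones I know of; check Get-Help if your build differs. The registry locations are the SChannel protocol keys and the .NET strong-crypto values that the TLS 1.2 enforcement guidance is about.

```powershell
# Added example, not from the original post: runs the AAD Connect connectivity
# diagnostics and reports the TLS 1.2 related registry state. Forest name, account
# and the exact Start-ConnectivityValidation parameters are assumptions.
Import-Module ADSync

# 1. Connectivity from this server to Azure AD (the same checks the wizard runs).
Test-AdSyncAzureServiceConnectivity

# 2. Connectivity to AD, via the ADConnectivityTool module that ships with AAD Connect.
Import-Module "C:\Program Files\Microsoft Azure Active Directory Connect\Tools\ADConnectivityTool.psm1"
Start-ConnectivityValidation -Forest "corp.example.local" `   # assumed forest
    -AutoCreateConnectorAccount $false -UserName "CORP\svc_aadconnect"   # assumed account

# 3. TLS 1.2 state. When only TLS 1.2 is enabled on the box, the SChannel keys and the
#    .NET settings must agree, otherwise the sync service cannot reach Azure AD at all.
function Get-Tls12State {
    $result = [ordered]@{}
    foreach ($role in "Client", "Server") {
        $key   = "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\$role"
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        # An absent key means OS defaults apply; an explicit Enabled=0 or
        # DisabledByDefault=1 is what actually turns the protocol off.
        $result["TLS 1.2 $role Enabled"]           = if ($props) { $props.Enabled }           else { "(key absent, OS default)" }
        $result["TLS 1.2 $role DisabledByDefault"] = if ($props) { $props.DisabledByDefault } else { "(key absent, OS default)" }
    }
    foreach ($net in "HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319",
                     "HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319") {
        $props = Get-ItemProperty -Path $net -ErrorAction SilentlyContinue
        # Both values set to 1 make .NET (and therefore the sync engine) pick TLS 1.2.
        $result["$net SchUseStrongCrypto"]       = if ($props) { $props.SchUseStrongCrypto }       else { "(missing)" }
        $result["$net SystemDefaultTlsVersions"] = if ($props) { $props.SystemDefaultTlsVersions } else { "(missing)" }
    }
    return $result
}

Get-Tls12State | Format-Table -AutoSize
```

Run the TLS check before and after hardening the box: the usual failure is that TLS 1.0/1.1 get disabled in SChannel while the .NET values stay missing, so the sync engine has no protocol left it is willing to use.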

Fixed issues
  • Fixed a bug where Azure AD Connect Upgrade would fail if SQL Always On was being used.
  • Fixed a bug to correctly parse OU names that contain a forward slash.
  • Fixed an issue where Pass-Through Authentication would be disabled for a clean install in staging mode.
  • Fixed a bug that prevented the PowerShell module to be loaded when running the Troubleshooting tools
  • Fixed a bug that would block customers from using numeric values in the first character of a host name.
  • Fixed a bug where Azure AD Connect would allow invalid partitions and container selection
  • Fixed the “Invalid Password” error message when Desktop SSO is enabled.
  • Various Bug fixes for AD FS Trust Management
  • When configuring Device Writeback – fixed the schema check to look for the msDs-DeviceContainer object class (introduced on WS2012 R2)

I (finally) ran the MSI and upgraded from the previous version without any issues!

Cheers,
Jorge


Posted in Azure AD Connect, Windows Azure Active Directory | Leave a Comment »
