Saturday, November 19, 2011

Office 365 DirSync 64bit based on FIM 2010

The 64-bit Office 365 DirSync tool for Windows Server 2008 and 2008 R2 is here.

http://community.office365.com/en-us/w/sso/555.aspx


Best practice is still to have at least one of each of these servers for a setup with federated identities and Exchange rich coexistence:
- ADFS server (plus an ADFS proxy, TMG or similar)
- DirSync server
- Exchange 2010 Hybrid server

By the way: if you try to install the 64-bit DirSync on a Windows Server 2008 R2 domain controller, you will see a message refusing the installation (DirSync cannot be installed on a domain controller).


And it still throws the same "scary" error about the MSOLCoExistence registry key. Run the configuration wizard with elevated rights.


Error: Access to the registry key 'HKEY_LOCAL_MACHINE\Software\Microsoft\MSOLCoExistence' is denied.
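A quick check for that error, as an added example that is not part of the original post: it tells you whether the current PowerShell session is elevated and whether that token can open the key named in the error for writing. The key path is taken from the error message above; nothing else is assumed.

```powershell
# Added example (not from the original post). The key path is the one from the
# "Access to the registry key ... is denied" error above.
$KeyPath = 'SOFTWARE\Microsoft\MSOLCoExistence'

function Test-IsElevated {
    # Under UAC an administrator's non-elevated token is filtered, so this returns
    # $false until the shell (or the wizard) is started with "Run as administrator".
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Test-RegistryWriteAccess {
    param([string]$SubKey)
    try {
        # The second argument requests write access. The call throws when the token
        # lacks that right and returns $null if the key does not exist at all.
        $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($SubKey, $true)
        if ($null -eq $key) { return 'missing' }
        $key.Close()
        return 'writable'
    } catch [System.Security.SecurityException], [System.UnauthorizedAccessException] {
        return 'access denied'
    }
}

if (-not (Test-IsElevated)) {
    Write-Warning 'This session is not elevated; start the DirSync configuration wizard with "Run as administrator".'
}
"HKLM\$KeyPath : $(Test-RegistryWriteAccess $KeyPath)"
```

If the output says "access denied" while the session is elevated, the problem is the key's ACL rather than UAC, and elevation alone will not fix it.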

Monday, November 14, 2011

Do I need an OCSP responder?

OCSP - Online Certificate Status Protocol

I was thinking about the question of why and when I should add OCSP to a PKI. And I see a lot of reasons why smaller organizations might not need OCSP, and large companies not necessarily either.

- With Windows Server 2008 R2 the Online Responder uses the CA's CRL as its data source, so an OCSP answer is only as fresh as that CRL; you must issue fresh CRLs more often.
- If you do not revoke certificates, or you have an alternative way to block access to your service (e.g. disabling the user account in AD), then OCSP is pure overhead. Review your revocation policy; if you don't have one, create one!
- Not all of your clients might "speak" OCSP (e.g. Windows 2000 and Windows XP).
- Check network connectivity from all your potential clients to the OCSP server: clients contact the responder on every certificate check that is not served from their response cache, which can cause latency for your applications.
- For Cisco VPN concentrators, for example, you do not need to publish the OCSP URL in every certificate; you can configure the OCSP path on the concentrator itself.
- Most clients cache the CRL locally, so if the CRL distribution point is unavailable for a short time, say 4 hours when your CRL is valid for 2 weeks, most of your systems keep working without any issue. If you rely only on OCSP, make it highly available.
- Think also about additional licence cost, operational cost and support.

OCSP is a great improvement in environments with a high number of revocations, which means large CRLs (in size). Unfortunately it is not easy to say when OCSP makes sense and when not; it depends heavily on how your applications check revocation status.

And OCSP is not a simple replacement for CRLs; it gives you more capabilities to manage certificate revocation. So it is more a logical extension of a PKI.
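To see how the points above play out for a given client and certificate, here is an added example in PowerShell (not code from the original post). It lists the CRL distribution points and OCSP responders the certificate advertises, then builds the chain once with an online revocation check and once in cached-only (offline) mode, reporting the elapsed time and any revocation-related status flags. The certificate file path is an assumption, and the Windows chain engine decides on its own whether it uses OCSP or the CRL.

```powershell
# Added example (not from the original post). Run it on the client whose behaviour
# you want to see; the certificate path below is an assumption.
$CertPath = 'C:\temp\server.cer'

function Get-RevocationUrls {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $urls = @{ Crl = @(); Ocsp = @() }
    foreach ($ext in $Certificate.Extensions) {
        $text = $ext.Format($true)
        switch ($ext.Oid.Value) {
            '2.5.29.31' {
                # CRL Distribution Points: every URL= entry is a CDP
                foreach ($m in [regex]::Matches($text, 'URL=(\S+)')) { $urls.Crl += $m.Groups[1].Value }
            }
            '1.3.6.1.5.5.7.1.1' {
                # Authority Information Access: keep only the OCSP access method
                # (1.3.6.1.5.5.7.48.1); the 48.2 entries point at the issuer certificate.
                foreach ($entry in ($text -split '\[\d+\]Authority Info Access')) {
                    if ($entry -match '1\.3\.6\.1\.5\.5\.7\.48\.1' -and $entry -match 'URL=(\S+)') {
                        $urls.Ocsp += $Matches[1]
                    }
                }
            }
        }
    }
    return $urls
}

function Test-RevocationCheck {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]$Mode
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = $Mode
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    # Bound the wait for an unreachable CDP or responder instead of hanging the check
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)

    $watch = [System.Diagnostics.Stopwatch]::StartNew()
    $valid = $chain.Build($Certificate)
    $watch.Stop()

    # Revoked, RevocationStatusUnknown and OfflineRevocation are the flags that matter here
    $flags = @($chain.ChainStatus | Where-Object { $_.Status -match 'Revo' } | ForEach-Object { $_.Status.ToString() })
    New-Object PSObject -Property @{
        Mode             = $Mode.ToString()
        ChainValid       = $valid
        Milliseconds     = $watch.ElapsedMilliseconds
        RevocationStatus = $(if ($flags.Count -gt 0) { $flags -join ', ' } else { 'determined' })
    }
}

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
Get-RevocationUrls $cert

# Online first (fetches and caches CRL/OCSP data), then Offline, which only uses what is cached.
# If Offline still reports "determined", a short CDP/responder outage would not break this client.
foreach ($mode in 'Online', 'Offline') {
    Test-RevocationCheck $cert $mode | Format-Table Mode, ChainValid, Milliseconds, RevocationStatus -AutoSize
}
```

The Milliseconds column for the Online run is the latency cost the fourth point warns about; RevocationStatusUnknown or OfflineRevocation in the Offline run means this client has nothing cached and would fail the moment the CDP or responder is unreachable.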

[Update] Google disables online CRL and OCSP checks in the next Chrome version, in favour of its own CRLSets: http://www.imperialviolet.org/2012/02/05/crlsets.html

---------------------------
Note 1: You can use 3rd-party OCSP responders or clients as well to overcome the Windows OCSP limitations.
Note 2: On Windows Server 2008 R2, Enterprise Edition is needed for each OCSP server (Online Responder) installation.

Friday, November 11, 2011

Office 365 password change for webmail-only remote users

Recently a question came to my mind about password changes for remote users who only use OWA.
They might work from home on their personal computer. A password change is then not enforced, and a password change via CTRL-ALT-DEL would not change the AD password.

In a setup with federated identities those users will still see a URL for password change in OWA, but they cannot access it. And of course they do not have a password in O365 at all (maybe a very long random password, as we know it from smart-card-only users). So my idea was to search for an option to define an alternative URL, but no luck. MS Online confirmed that there is no option today to define such a URL.



Okay, so what. Let's go and grab IISADMPWD from Windows 2003 IIS and tell the users the new URL to change their password. I would like to have them change their password every 43 days (or whatever). IISADMPWD works with IIS 7 as well, even though it is no longer supported. But I found one catch: if you are using an ADFS proxy server, which is usually not a domain member and sits well protected in a DMZ, then IISADMPWD cannot be used there to change AD passwords.
So maybe I can extend IISADMPWD with a web service running on the ADFS server. Let's see if I get this done before the end of this year.
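Whatever the front end ends up being, the domain-side operation is the same: a domain member changes the user's AD password on the user's behalf, with the old password as proof. The following is an added example of that operation in PowerShell, using System.DirectoryServices.AccountManagement; it is not the author's implementation, and the domain and account values are assumptions.

```powershell
# Added example (not from the original post). Runs on a domain member such as the
# ADFS server, never on the non-domain DMZ proxy. Domain and user values are assumptions.
Add-Type -AssemblyName System.DirectoryServices.AccountManagement

function Set-DomainPasswordAsUser {
    param(
        [Parameter(Mandatory = $true)][string]$Domain,
        [Parameter(Mandatory = $true)][string]$UserName,
        [Parameter(Mandatory = $true)][string]$OldPassword,
        [Parameter(Mandatory = $true)][string]$NewPassword
    )
    $contextType = [System.DirectoryServices.AccountManagement.ContextType]::Domain
    $ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext($contextType, $Domain)
    try {
        $user = [System.DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity($ctx, $UserName)
        if ($null -eq $user) { return 'not-found' }
        # ChangePassword requires the user's current password and enforces the domain
        # password policy. SetPassword would be an administrative reset that needs no
        # proof from the user; it must never sit behind a self-service page.
        $user.ChangePassword($OldPassword, $NewPassword)
        return 'changed'
    } catch [System.DirectoryServices.AccountManagement.PasswordException] {
        # Wrong old password, or the new one violates history/complexity/minimum age
        return "rejected: $($_.Exception.Message)"
    } catch {
        return "error: $($_.Exception.Message)"
    } finally {
        $ctx.Dispose()
    }
}

Set-DomainPasswordAsUser -Domain 'corp.example.com' -UserName 'jdoe' -OldPassword 'OldP@ss1' -NewPassword 'N3w-P@ssw0rd!'
```

Two points a service wrapping this should keep: let ChangePassword do the proof of the old password itself (a separate LDAP bind as a pre-check would reject users whose password has already expired, which is exactly the case this page is about), and put the endpoint behind HTTPS with rate limiting, since it is a credential-guessing surface for any user name.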