Sunday, February 12, 2023

Azure AD Connect - DataValidationFailed

Working with the new Azure AD Lifecycle Workflows I ran into a problem syncing the employee's start date (employeeHireDate) and leave date (employeeLeaveDateTime) from on-premises AD to Azure AD. First of all, you must have Azure AD Connect version 2.1.20 or later to sync both attributes.

Here is the problem: after I added the attribute flows via a custom sync rule (out to AAD), picking the timestamps up from extensionAttribute1 and extensionAttribute2, I got DataValidationFailed errors (0x8023134a).

Here is the detail info:

"
Unable to update this object in Azure Active Directory, because the attribute [employeeHireDate], is not valid. Update the value in your local directory services.

Tracking Id: 673b26d2-b793-4b26-91f5-2bb753c97059

ExtraErrorDetails:
[{"Key":"ObjectId","Value":["b1d0b05b-d012-4be5-8259-b1ad1fa88211"]},{"Key":"InvalidAttributeName","Value":["employeeHireDate"]}]
"

The correct date and time format in on-premises AD is 20230212100000.0Z. If the value is not in that format, or is not a date-time value at all, you will see "InvalidAttributeName" in the error. The ExtraErrorDetails are confusing, because it is the data that is not valid; the attribute name is correct.
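As an added example (not part of the original post), here is a small pre-flight check in Python that tests candidate extensionAttribute values against the 20230212100000.0Z form before the sync rule flows them to Azure AD; the sample values are constructed, and the format name "generalizedTime" is the LDAP syntax this form corresponds to.

```python
import re
from datetime import datetime, timezone

# Constructed sample values as they might sit in extensionAttribute1/2 on-premises.
# Only the first is in the 20230212100000.0Z form described in the post.
SAMPLE_VALUES = {
    "ok-generalized": "20230212100000.0Z",
    "missing-time": "20230212",
    "iso-8601": "2023-02-12T10:00:00Z",
    "not-a-date": "12.02.2023",
    "bad-day": "20230231100000.0Z",
}

# AD generalizedTime as Azure AD Connect expects it: 14 digits, then ".0Z"
GENTIME_RE = re.compile(r"^(\d{14})\.0Z$")


def parse_ad_generalized_time(value):
    """Return a UTC datetime if `value` is YYYYMMDDhhmmss.0Z, otherwise None."""
    m = GENTIME_RE.match(value or "")
    if not m:
        return None
    try:
        return datetime.strptime(m.group(1), "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    except ValueError:  # right shape, impossible date (e.g. 31 February)
        return None


def check_values(values):
    """Map each sample name to ('ok', ISO 8601 string) or ('invalid', raw value)."""
    result = {}
    for name, raw in values.items():
        dt = parse_ad_generalized_time(raw)
        if dt is None:
            result[name] = ("invalid", raw)
        else:
            result[name] = ("ok", dt.isoformat().replace("+00:00", "Z"))
    return result


if __name__ == "__main__":
    for name, (status, detail) in check_values(SAMPLE_VALUES).items():
        print(f"{name:16} {status:8} {detail}")
```

Values reported as "invalid" here are exactly the ones that would surface as the misleading InvalidAttributeName error after the export.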

See also: How to synchronize attributes for Lifecycle workflows - Microsoft Entra | Microsoft Learn


Just to add one more thought: only Microsoft knows why the attributes are named differently (one ends in ...Date, the other in ...DateTime); both attributes must contain a timestamp in the same format, including the time part.


Monday, May 23, 2022

Default Certificate Mapping in Windows has been changed with Windows Updates May 10th, 2022


Microsoft made a significant change with the May 10th, 2022 updates that impacts typical Wi-Fi authentication configurations with NPS or other RADIUS servers. By default, only stronger methods for mapping a certificate to an AD user or machine are now allowed. See the article below, section "Certificate mappings".


https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16


Saturday, November 16, 2019

SQL Server Linked Server error - OLE DB provider "ADSDSOObject" for linked server "ADSI" reported an error.

I ran into this problem while trying to set up a linked server from SQL Server (SQL 2016 Developer Edition) to Active Directory. More information on how to do that can be found here: https://www.mssqltips.com/sqlservertip/2580/querying-active-directory-data-from-sql-server/

"The OLE DB provider "ADSDSOObject" for linked server "ADSI" reported an error. The provider indicates that the user did not have the permission to perform the operation."

After googling and binging and scratching my head, it turned out that I had misspelled the domain name in the user name for the LDAP connection. As I found many other solutions for this problem, but none of them mentioned a typo, I wanted to share this. The OLE DB provider gives back very little information about the real problem.

Friday, November 16, 2018

Fun with bitmask math

I had fun today working on queries against the Active Directory userAccountControl attribute. In cases like mine, where you have values like 514 and 546 for disabled accounts, I wanted to check which bits are set.
The bit with value 2 is set if the account is disabled.


See here for more values to play with: https://jackstromberg.com/2013/01/useraccountcontrol-attributeflag-values/

The bitmask.ps1 script gives me all the bits that are set:

param([int]$value = 2147483647)   # value to decode, defaults to all 31 positive int32 bits set

Clear-Host
[int]$i = 0
$hexvalue = '{0:X}' -f $value                 # hex representation
$bitmask  = [convert]::ToString($value, 2)    # binary representation
Write-Host "hex original value is 0x$($hexvalue)"
Write-Host "dec original value is $value"
Write-Host "bin original value is $bitmask"

# test every bit position 0..30; bit 31 is the sign bit of an int32
do {
    [int]$valcheck = [math]::Pow(2, $i)
    if ($value -band $valcheck) { Write-Host "hit: 2 to the power of $i = $valcheck" }
    $i++
} until ($i -eq 31)
Write-Host "info: max tested is 2 to the power of 30, the highest bit of a positive int32 value"




In my case, I have userAccountControl as an integer value in a SQL database, and I can run the following query to find all objects which are disabled, regardless of whether the value is 514 or 546:

select cn, useraccountcontrol
from [dbo].[domain.com_users]
where useraccountcontrol & 2 = 2
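As an added example (not from the original post), the same bit test in Python, extended to name the flags behind each set bit so that 514 and 546 become readable; the flag names and values are the documented userAccountControl flags, and the sample rows are constructed.

```python
# Well-known userAccountControl flag bits, named as in the Microsoft documentation.
UAC_FLAGS = {
    0x0001: "SCRIPT", 0x0002: "ACCOUNTDISABLE", 0x0008: "HOMEDIR_REQUIRED",
    0x0010: "LOCKOUT", 0x0020: "PASSWD_NOTREQD", 0x0040: "PASSWD_CANT_CHANGE",
    0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED", 0x0100: "TEMP_DUPLICATE_ACCOUNT",
    0x0200: "NORMAL_ACCOUNT", 0x0800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT", 0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD", 0x20000: "MNS_LOGON_ACCOUNT",
    0x40000: "SMARTCARD_REQUIRED", 0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED", 0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH", 0x800000: "PASSWORD_EXPIRED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION", 0x4000000: "PARTIAL_SECRETS_ACCOUNT",
}


def set_bits(value):
    """Bit positions that are set, what the bitmask.ps1 loop prints as 'hit: 2 to the power of i'."""
    return [i for i in range(value.bit_length()) if value & (1 << i)]


def decode_uac(value):
    """Flag names for a userAccountControl value; bits without a known name are reported as UNKNOWN_0x..."""
    return [UAC_FLAGS.get(1 << i, f"UNKNOWN_0x{1 << i:X}") for i in set_bits(value)]


def is_disabled(value):
    """Same test as the SQL in the post: userAccountControl & 2 = 2."""
    return value & 0x0002 == 0x0002


# Constructed sample rows (cn, userAccountControl), mirroring the 514 / 546 case.
SAMPLE_ROWS = [("alice", 512), ("bob", 514), ("carol", 546), ("svc-backup", 66048)]


def disabled_accounts(rows):
    """cn of every row the SQL query 'where useraccountcontrol & 2 = 2' would return."""
    return [cn for cn, uac in rows if is_disabled(uac)]


if __name__ == "__main__":
    for cn, uac in SAMPLE_ROWS:
        print(f"{cn:12} {uac:>6} 0x{uac:08X} bits={set_bits(uac)} {' | '.join(decode_uac(uac))}")
    print("disabled:", disabled_accounts(SAMPLE_ROWS))
```

Decoding 546 shows why it differs from 514: besides ACCOUNTDISABLE it also carries PASSWD_NOTREQD, a flag worth reviewing on its own.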


Saturday, January 21, 2017

What groups are used in my Microsoft Identity Manager installation

I came across a question today about which group names are actually used in a MIM installation. For a production system that should never be a question, but in test labs with one AD and multiple "flying" setups it is understandable that this sometimes leads to confusion. So I thought it could be helpful to others to show how to find that out.

At first I was looking into the registry under the FIMsync service, but there was nothing to find there.
So I checked the sync database and voila, I found the SIDs in the FIMSynchronization database in the table [mms_server_configuration]. I copied the value from administrators_sid and pasted it into ldp.exe to translate it into a human-readable group name. But bummer: the SID format already looked a little bit strange, and ldp.exe could not use it either.

0x010500000000000515000000D1D64379336F47EB77D1D6B32D760C00

I know ldp.exe can use a SID in the format S-1-5-..., so I googled it and found on http://poshcode.org/3181 a script to convert the hex SID into the format ldp.exe (and I) like.

S-1-5-21-2034489041-3947327283-3017199991-816685

So now I know the group name is TESTLAB\LAB4711-MIMSyncAdmins ;-)
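As an added example (not the poshcode script the post refers to), the same conversion written in Python from the binary SID layout: revision byte, sub-authority count, 6-byte big-endian identifier authority, then 4-byte little-endian sub-authorities. The hex value is the one quoted in the post; the well-known SID used as a second check is constructed.

```python
import struct

# The administrators_sid value from mms_server_configuration as quoted in the post.
HEX_SID = "0x010500000000000515000000D1D64379336F47EB77D1D6B32D760C00"

# Constructed second input: binary form of S-1-5-18 (Local System), for comparison.
HEX_SID_LOCAL_SYSTEM = "010100000000000512000000"


def hex_sid_to_string(hex_sid):
    """Convert a binary SID given as hex (optionally 0x-prefixed) into S-1-... form."""
    raw = bytes.fromhex(hex_sid[2:] if hex_sid.lower().startswith("0x") else hex_sid)
    if len(raw) < 8:
        raise ValueError("SID too short: need at least revision, count and authority")
    revision, count = raw[0], raw[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if len(raw) != 8 + 4 * count:
        raise ValueError(f"expected {8 + 4 * count} bytes for {count} sub-authorities, got {len(raw)}")
    authority = int.from_bytes(raw[2:8], "big")             # 6 bytes, big-endian
    subs = struct.unpack_from(f"<{count}I", raw, 8)          # 4 bytes each, little-endian
    return "S-{}-{}-{}".format(revision, authority, "-".join(str(s) for s in subs))


def sid_domain_and_rid(sid):
    """Split an S-1-5-21-... account SID into its domain SID and the RID of the object."""
    parts = sid.split("-")
    return "-".join(parts[:-1]), int(parts[-1])


if __name__ == "__main__":
    sid = hex_sid_to_string(HEX_SID)
    print(sid)                                   # the value ldp.exe accepts
    print(sid_domain_and_rid(sid))               # (domain SID, RID)
    print(hex_sid_to_string(HEX_SID_LOCAL_SYSTEM))
```

The domain part of the result is what you would compare against the domain SIDs of your labs when several "flying" setups share one AD.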




Tuesday, May 31, 2016

Help on "The federation server proxy could not renew its trust with the Federation Service." (ADFS 3.0)


If you run a Windows Server 2012 R2 ADFS with Web Application Proxy (WAP), you may run into a situation where the web browser page just says

"
The page cannot be displayed because an internal server error has occurred.
"

and in the event log of the server running WAP you see this error (and many more afterwards):

Eventlog (Apps and Services/AD FS/Admin)
The federation server proxy could not renew its trust with the Federation Service.



So that means the trust relationship between WAP and ADFS is broken. You can uninstall WAP from that machine and reinstall it; the install wizard will guide you to reconnect to the ADFS server. Or you run the following commands to re-establish the trust.



dir Cert:\LocalMachine\My

The dir Cert: .... command lists all certificates available to connect to the ADFS server. Select the one with the name of the ADFS in it if you see multiple certs. You will need the thumbprint of that certificate later in this process.


$ADFScredentials = Get-Credential

Enter your admin user for the ADFS server here.


Then enter the Install-WebApplicationProxy command to re-establish the trust relationship to the ADFS server. Note that there is no Reconnect or Renew cmdlet.

Install-WebApplicationProxy -CertificateThumbprint CC35E9EE9EBA26697ABDC9C74CC4218818B1D1B8 -FederationServiceName "sso.domain.org" -FederationServiceTrustCredential $ADFScredentials


I blog this here for my own notes but I hope it will help others as well.

Monday, April 4, 2016

How to protect credentials with certificates

I am at the PowerShell and DevOps Global Summit 2016 in Bellevue, WA this week, and yesterday I attended a session ("A DevOps DSC Crash Course") with Jason Helmick, where he pointed out that with PowerShell 5 Microsoft is changing the approach in PowerShell (and DSC is PowerShell, as you know) to protect usernames and passwords in a better way, by asking us to use certificates to encrypt that information. I hope the information in this post helps you obtain such a certificate and demystifies a few things.

For DSC this certificate has to be installed in the machine certificate store, and the certificate including the private key has to be copied to all machines where you want to decrypt that information.

First of all, what are the certificate requirements?
- It is mandatory that the certificate contains the OID 1.3.6.1.4.1.311.80.1, the extended key usage OID for "Document Encryption".
- Like any other certificate, this certificate is verified, so it must be trusted. A good way to achieve that is to get the certificate from an internal PKI.
- For DSC the certificate must be installed in the local machine certificate store, not in the user store. That does not mean the certificate is machine specific, so it should not include the OIDs for client authentication and server authentication.
- The name on the certificate should be something that lets you distinguish later between a real machine cert and this certificate. You can also have multiple certificates for different machines in your DSC environment, so think about a good naming convention.
- As you protect data with this certificate, you should enable key recovery on your internal PKI so that you always have a copy of the private key, or keep a copy of the private key or of the passwords (perhaps you have them in a password vault anyway) in a safe place somewhere else. As a PKI guy I recommend turning on key archival regardless of what other measures you implement.
- You want a SHA-2 certificate, as SHA-1 is on the deprecation list.
- Handling and managing such a certificate is very similar to SSL/TLS certificates. We cannot use auto-enrollment, as it has to be the same key on all machines, and we do not want auto-renewal either. The common name in the certificate is an alias, a friendly name like webfarm0815, and the cert is installed on multiple machines, like you would do in a web farm environment where the load balancer is not the SSL/TLS endpoint.


Let's switch to the PKI side of the house:
- The Windows CA (Active Directory Certificate Services, ADCS) does not have a default template for our purpose, but it already includes the OID for Document Encryption, so it is only a click away to add it to a certificate template.

- Go to the Certificate Templates MMC (certtmpl.msc)
- Make a copy of the Web Server template
- Name it e.g. Cred_encryption
- Check the validity; maybe 3 years is a good value
- Set "Allow private key to be exported"
- Make sure that the minimum key size is at least 2048 bit; don't go higher than 4096 for performance and compatibility reasons
- The common name needs to be provided when submitting the certificate request; that is the default on the Web Server template
- Now comes the important part: remove Server Authentication from the extended key usage attribute and add Document Encryption




- Set the permissions so that users can request such certificates, and publish the certificate template on the CA.

Now we can request a certificate using certreq.exe


- Create an inf file, e.g. Cred_encryption.inf


[NewRequest]
Subject="CN=DSC_cred_encryption_webfarm0815"
Exportable=TRUE
KeyLength=2048
KeySpec=1
KeyUsage=0xf0
MachineKeySet=TRUE
SMIME = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = CMC


[EnhancedKeyUsageExtension]
OID=1.3.6.1.4.1.311.80.1


[RequestAttributes]
CertificateTemplate = Cred_encryption



And here is the batch file, to complete this post.


certreq -f -NEW Cred_encryption.inf Cred_encryption.csr
CertReq -f -Submit Cred_encryption.csr Cred_encryption.cer
CertReq -accept Cred_encryption.cer

Now you can export the certificate including the private key from the local machine certificate store.


Here is an idea of how to do that with PowerShell:

PS C:> $outpath = Get-Location;
PS C:> $pass = read-host "pass" -assecurestring;

PS C:> dir cert:\LocalMachine\my |
Where-Object { $_.HasPrivateKey -and $_.PrivateKey.CspKeyContainerInfo.Exportable } |
Foreach-Object { [system.IO.file]::WriteAllBytes( "$outpath\$($_.thumbprint).pfx" , ($_.Export('PFX', $pass)) ) }




More questions/topics (I will try to answer these in future posts):
- What happens if that certificate expires or is revoked? As in any other case of using certificates to encrypt data, you should be able to decrypt the data even if the certificate has expired or is revoked. I can't answer yet whether DSC would perform a certificate check before using it; hopefully not. Only the PowerShell command to encrypt the data should at least give you a warning.
(Remote Desktop Connection Manager 2.7 can use such a certificate as well if it is installed in the user store; it can still be used to decrypt data, but you cannot select an expired certificate for encryption.)
- How to roll over encrypted credentials from certificate A to a new certificate? In theory the same data can be encrypted with multiple certificates. If that is supported and works with DSC, it would ease the process of moving to a newer certificate, and only in case the certificate was revoked would you want to remove access. Other than that, we can write a PowerShell script to decrypt the data and re-encrypt it with the new certificate. This is also known as re-keying data. Or you just create a new list of credentials from your password vault.
- Even though the "do not export" setting on a certificate is not 100 percent secure, we should still set it on all machines. That means we need to get the certificate from the CA with the private key set to exportable, but on import to all remote machines it is imported with the flag "not exportable". We want DSC to be able to use the certificate on those machines, but we do not want anyone else to be able to copy it and take it home, including the encrypted file holding the credentials.

Until next time,
Lutz