Tuesday, September 29, 2015

execute command prompt under Local System or Network Service account

Running tasks under a different user context than the one you are logged in with is a quite common task for a Windows server administrator. I especially like the Local System account for syncing files to other servers: I just assign permissions on the destination server to the source server's computer account. That eliminates the need for a service account with a password, or for managed service accounts.
To run a script under the Local System account I used to create a scheduled task that executes the script. It works, but troubleshooting is a little tough because you do not see the console output.

Recently I came across this article http://blogs.msdn.com/b/beanexpert/archive/2015/06/11/azure-ad-application-proxy-connector-connectivity-issues-with-a-proxy.aspx

Using PsExec from Sysinternals

PsExec.exe -i -u "NT Authority\System" cmd.exe

opens a command prompt under the Local System account, and you can run your scripts there and see their output. I had tried that before with the runas command, but it always asked for a password, which I do not have and no longer need to have. Fewer passwords = easier life.
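As an added example (my own code, not from the post or from Sysinternals), here is the same idea for a whole script rather than an interactive prompt: a PowerShell function that runs the script as Local System through PsExec, captures the console output to a log file, and first refuses any script file that non-administrators could modify, because whatever you start this way runs with full control of the server. The PsExec and log paths are assumed.

```powershell
# Added example: run a script as Local System via PsExec and keep its output.
# Assumptions: PsExec.exe from Sysinternals is in C:\Tools; adjust $PsExecPath.

function Test-AdminOnlyWritable {
    # Returns $true when only SYSTEM, Administrators and TrustedInstaller hold rights
    # that allow changing the file (write, delete, change permissions, take ownership).
    param([Parameter(Mandatory=$true)][string]$Path)
    $trusted = 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'NT SERVICE\TrustedInstaller'
    $r = [System.Security.AccessControl.FileSystemRights]
    $changeMask = $r::Write -bor $r::Delete -bor $r::ChangePermissions -bor $r::TakeOwnership
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($trusted -contains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $changeMask) -ne 0) { return $false }
    }
    return $true
}

function Invoke-AsLocalSystem {
    param(
        [Parameter(Mandatory=$true)][string]$ScriptPath,
        [string]$PsExecPath = 'C:\Tools\PsExec.exe',             # assumed location
        [string]$LogPath    = "$env:ProgramData\run-as-system.log" # assumed location
    )
    if (-not (Test-AdminOnlyWritable -Path $ScriptPath)) {
        throw "Refusing to run $ScriptPath as Local System: non-administrators can modify it."
    }
    # -s starts the child as Local System; without -i no interactive desktop is needed.
    # PsExec relays the child's console output, so it can be captured and logged here.
    & $PsExecPath -accepteula -s powershell.exe -NoProfile -File $ScriptPath 2>&1 |
        Tee-Object -FilePath $LogPath -Append
    return $LASTEXITCODE   # PsExec returns the exit code of the process it ran
}

# Usage: $rc = Invoke-AsLocalSystem -ScriptPath 'C:\Scripts\sync-files.ps1'
```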

Friday, May 29, 2015

Microsoft Azure MFA authentication options

Microsoft Azure MFA, and its on-premises equivalent, comes with 3 options for user verification:

- MFA service calls the user's phone
- MFA service sends a text message (aka SMS)
- Use of an MFA app on your mobile phone

So which option should we allow users to use and why?

Thought #1: The most generic and reliable option, and the one that can even be used with a landline phone, is to give the user a call.

Thought #2: Sending a text is more discreet than option 1, and typically all cellphones can receive text messages while landline phones can't. If you are a global organisation with users in different countries and different wireless providers, you may find that text messages sometimes take a long time to arrive and sometimes just silently disappear. So that needs to be considered.

Thought #3: The only option that does not require a wireless signal to receive a call or text is the MFA app, but it requires a smartphone. I am very often in data centers, and the cell phone reception there is usually bad, not just because of the noise. So I prefer using the app.

In general, users should not be trained like Pavlov's dogs to just accept phone calls without listening anymore because they get 500 calls per day. So use MFA wisely.

In conclusion, all methods have pros and cons, but while for end users the phone call verification might be the best, for admins it can be the smartphone app.

Fiddler and TLS 1.2 support

After all the issues we have seen in the last year with SSL/TLS, a lot of web applications have already disabled SSL entirely and started using TLS 1.2.
Therefore I want to give an update on my Fiddler post:
Fiddler2 cannot handle TLS 1.2 traffic, so you should upgrade to Fiddler4.
In short, Fiddler4 uses the .NET Framework 4, which can handle TLS 1.2 traffic, while Framework 2.0 cannot.

See also: just select the different framework versions and see for yourself.
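As an added example (not part of the post), the same check for your own PowerShell tooling: PowerShell 2.0 runs on CLR 2.0 and PowerShell 3.0 and later on CLR 4, so the names in the SecurityProtocolType enum show what the loaded framework can negotiate, and a handshake restricted to TLS 1.2 confirms it against a real server. The host name is a placeholder.

```powershell
# Added example: report which TLS versions the loaded .NET Framework knows about
# and prove a TLS 1.2 handshake against a server. Written to run on PowerShell 2.0 as well.

function Get-DotNetTlsSupport {
    # On CLR 2.0 the enum only has Ssl3 and Tls; Tls11 and Tls12 appear with .NET 4.5.
    $names = [Enum]::GetNames([Net.SecurityProtocolType])
    New-Object PSObject -Property @{
        ClrVersion = $PSVersionTable.CLRVersion
        Protocols  = ($names -join ', ')
        Tls12      = ($names -contains 'Tls12')
    }
}

function Test-Tls12Handshake {
    param([Parameter(Mandatory=$true)][string]$HostName, [int]$Port = 443)
    $client = New-Object Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object Net.Security.SslStream($client.GetStream(), $false)
        # Offer TLS 1.2 only; on a framework without it this throws before the handshake starts.
        $ssl.AuthenticateAsClient($HostName, $null,
            [Security.Authentication.SslProtocols]::Tls12, $false)
        New-Object PSObject -Property @{
            HostName = $HostName
            Protocol = $ssl.SslProtocol
            Cipher   = "$($ssl.CipherAlgorithm) $($ssl.CipherStrength)"
            Subject  = $ssl.RemoteCertificate.Subject
        }
    } finally { $client.Close() }
}

# Usage: Get-DotNetTlsSupport; Test-Tls12Handshake -HostName 'tls12-only.example.com'
```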

Friday, May 8, 2015

Microsoft Ignite - Identity Manager

Reviewing this week at the Ignite conference, I can say I was there because of the presentations Mark Wahl (http://goo.gl/yY0unq) gave about Identity Management. Here are the highlights:

- Microsoft Identity Manager 2016 is still coming mid-year 2015 (actually the technical preview from April says 2015, but all new server apps are 2016 versions)
- Privileged Access Management (PAM, not to be confused with the Unix PAM - Pluggable Authentication Modules) is integrated
- MS will not provide management agents for MIM for all SaaS applications, as they provide that functionality in Azure AD
- Cloud password reset will be supported only through the new Azure AD Connect tool (think of it as DirSync with more features), not through the FIM or MIM Azure AD management agent
- MIM certificate management works completely without ActiveX controls. The new Edge web browser in Windows 10 - aka Spartan - will drop support for ActiveX controls anyway
- time-limited groups managed by MIM
- in-place upgrade from FIM 2010 to MIM 2016 is supported (no major changes, e.g. no API changes)

You are welcome to see the presentations on Channel9:



Wednesday, May 6, 2015

Microsoft Ignite - Federation Services and Publish Applications

I am at Ignite again. Tuesday was the day of application publishing and AD Federation Services for me.

I just want to focus on the main points:

- AD FS 3.0 is using OAuth2 as the strategic protocol (reasons: much broader platform support, no API prerequisites, always a web logon experience (consent to use the app, MFA integration))
- AD FS 3.0 will allow other LDAP servers as authentication systems

Web Application Proxy Service:
- strategically seen by Microsoft as the successor of UAG and TMG
- Features will be introduced first in Azure AD and later also be available with the new Windows Server 2016
- The WAP service in Azure requires installing a small agent on one of your on-premises servers. Interestingly, this connector needs only outgoing traffic and no incoming ports. Is that a relief for you, or does it scare you? What will your Information Security team think about that? Possibly they think of it like a Trojan horse. So get prepared for their questions.
- The WAP connector can be installed on multiple machines to provide fault tolerance and load sharing. Microsoft plans to allow connectors in multiple locations and to bind URLs to a specific connector, e.g. you run one app in a co-location and all others in your main datacenter.
- Microsoft will also add better monitoring and logging to the WAP service. Right now troubleshooting is very limited.

So if you ask me, the Web Application Proxy service in Azure is the way to go. And once you see how easy it is to configure, you probably do not want to go back to the old days with UAG and TMG.

By the way: Microsoft uses WAP as the acronym for both Windows Azure Pack and Web Application Proxy, so don't get confused. Here it is all about the Web Application Proxy.

If you want to watch the sessions online, go here




Monday, May 4, 2015

Microsoft Ignite - Identity and Access Management Everywhere

On my first day the most important session was BRK3863 - Identity and Access Management Everywhere.
The video on Channel9 is not yet available, but it might be by the time you read this. So check out http://channel9.msdn.com/Events/Ignite/2015/BRK3863

Here, in short, the highlights:
- Dynamic groups for app access - yippee, finally. E.g. groups for managers get automatically updated when someone starts or stops working for that manager; or anyone in sales, based on the user description field
- A group of people can have access to an application with a single user, e.g. an enterprise Twitter account, and with password rollover only Azure AD internally knows the password, not an admin
- Azure AD detects and tracks inconsistent access patterns, e.g. logons from the US and China at the same time. (Note: they will catch me a lot because I access the system for several reasons from different places on the planet through proxies or VPN connections all the time)
- End user and social identities can be added to Azure AD soon
- Workday is the first HR cloud app allowing users to be added to Azure AD
- Approval for app access requests
- Adding B2B capabilities soon
- Windows 10 Workspace AD Join will work directly with Azure AD, which gives you new options for enrolling machines for your workforce

You might know that you can access thousands of SaaS applications through Azure AD, and all of it is configured in Azure AD and not on an on-premises federation server. Azure AD can also provision user accounts in SaaS applications, which minimizes the lead time for connecting a SaaS application to your Azure or on-premises Active Directory.

Microsoft Ignite - MIM vNext April 2015 release, Windows Server 10 technical preview 2


I am at the Microsoft Ignite Conference this week in Chicago, IL, and I will blog about news I get from the conference sessions and related information.

So starting with that:

- There is a new version of Microsoft Identity Manager (successor of FIM 2010 R2) available as a technical preview on Microsoft Connect.
Go to https://connect.microsoft.com and log on. Then go to the Identity and Access Management page and on to the Download section.

- We also got a new technical preview for Windows Server 10: http://www.microsoft.com/en-us/evalcenter/evaluate-windows-server-technical-preview
Hyper-V Server 10 can be found there as a technical preview as well.

More to come...

Thursday, April 30, 2015

AD finduser project

Hi there.
I was just working on a project where we had to find user information by searching for an SMTP address, a username, or a GUID.
So instead of adding a parameter for everything, I thought the script could find out by itself whether I have provided an SMTP address or a GUID. And if you work with Office 365/Azure AD you might have already received notifications from MS about certain user accounts, and they provide the GUID, there called ImmutableID, in a different format.

So the outcome of my thinking, and of my laziness about providing parameters all the time, can now be found on CodePlex (https://adfinduser.codeplex.com/).

finduser.ps1 userA
finduser.ps1 user.A@domain.com
finduser.ps1 5Gz/Z7McHEWGzHdUTs5Kuw==
finduser.ps1 67ff6ce4-1cb3-451c-86cc-77544ece4abb
finduser.ps1 "{67ff6ce4-1cb3-451c-86cc-77544ece4abb}"

The script works with remote Active Directories as well as with AD LDS servers; just see the 2 lines you have to activate or deactivate.

Feel free to use it and to adapt. You can also add some more error handling if you like.
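As an added example (my own code, not the CodePlex script), here is how that auto-detection can be done: a GUID with or without braces, the base64 ImmutableID that Azure AD reports (the same 16 GUID bytes in a different encoding, so the third and fourth calls above in fact name the same object), an SMTP address, or otherwise a username, each turned into an LDAP filter with the search value escaped. The search root is a placeholder; point it at a domain controller or an AD LDS instance.

```powershell
# Added example: detect which kind of identifier was given and build an LDAP filter for it.
function ConvertTo-LdapFilterValue {
    # Escape characters that would change the filter's structure (LDAP injection).
    param([string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function Resolve-UserQuery {
    param([Parameter(Mandatory=$true)][string]$Query)
    $guid = [Guid]::Empty
    if ([Guid]::TryParse($Query, [ref]$guid)) {
        $kind = 'objectGUID'                     # with or without braces
    } elseif ($Query -match '^[A-Za-z0-9+/]{22}==$') {
        # Azure AD ImmutableID: the 16 bytes of objectGUID, base64 encoded.
        $guid = New-Object Guid -ArgumentList (,[Convert]::FromBase64String($Query))
        $kind = 'immutableId'
    } elseif ($Query -match '^[^@\s]+@[^@\s]+\.[^@\s]+$') {
        $kind = 'mail'
    } else {
        $kind = 'sAMAccountName'
    }
    if ($kind -eq 'objectGUID' -or $kind -eq 'immutableId') {
        # objectGUID is binary in LDAP: every byte goes into the filter as \xx.
        $hex = ($guid.ToByteArray() | ForEach-Object { '\{0:x2}' -f $_ }) -join ''
        $filter = "(objectGUID=$hex)"
    } elseif ($kind -eq 'mail') {
        $v = ConvertTo-LdapFilterValue $Query
        $filter = "(|(mail=$v)(proxyAddresses=smtp:$v))"
    } else {
        $filter = "(sAMAccountName=$(ConvertTo-LdapFilterValue $Query))"
    }
    New-Object PSObject -Property @{ Kind = $kind; Guid = $guid; Filter = $filter }
}

function Find-DirectoryUser {
    # $SearchRoot is an assumed placeholder: a domain controller here; for AD LDS use
    # something like 'LDAP://ldshost:50000/CN=Users,O=App' instead.
    param([Parameter(Mandatory=$true)][string]$Query,
          [string]$SearchRoot = 'LDAP://dc01.example.com/DC=example,DC=com')
    $q = Resolve-UserQuery -Query $Query
    $root = New-Object DirectoryServices.DirectoryEntry($SearchRoot)
    $props = [string[]]('distinguishedName', 'sAMAccountName', 'mail', 'objectGUID')
    $searcher = New-Object DirectoryServices.DirectorySearcher($root, $q.Filter, $props)
    $searcher.FindOne()
}

# Usage: Resolve-UserQuery '5Gz/Z7McHEWGzHdUTs5Kuw==' ; Find-DirectoryUser 'user.A@domain.com'
```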

Wednesday, March 11, 2015

MIM with new feature: SSAU

Microsoft Identity Manager is not released yet, but in CTP2 a new feature is added to mitigate this problem: after a user changes his/her password there are these days plenty of devices and RDP sessions still using the old password, so the user account is locked within a few minutes.
Until now the user had to call the helpdesk for an account unlock or wait for the grace period for the automated unlock.
With MIM a self-service account unlock feature is added to the password reset page. So a user can unlock his/her account and keep the existing password; e.g. then he/she can log in to the RDP session and close it, or update the password on the smartphone.
SSAU can be integrated with Azure Multi-Factor Authentication (MFA, previously PhoneFactor).

See also: http://blogs.technet.com/b/ad/archive/2015/03/03/microsoft-identity-manager-public-preview-2-is-available.aspx

Tuesday, February 24, 2015

What does the insidecorporatenetwork claim mean in ADFS 3.0?

I was searching around to find an answer to how the new claim type insidecorporatenetwork in ADFS 3.0 (Windows Server 2012 R2) works, and I was looking for a configuration page somewhere to add all the internal networks so that ADFS knows them. Wrong all the way, as I found out: ADFS just checks whether the authentication request came in through a WAP server or directly.
Through WAP it is considered external and insidecorporatenetwork is set to false; if it came in directly, it is considered a request from internal and insidecorporatenetwork is set to true.

Because I did not get that many hits on Bing, I thought it would be good to have this in my blog as well. See also
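Added example (not from the post) of putting the claim to use with the AD FS PowerShell module on Windows Server 2012 R2: require MFA for every request that arrives through WAP, and keep one relying party reachable from inside only. The relying party name is a placeholder. Because the claim only records whether the request came via WAP, it is only trustworthy when the AD FS servers themselves are not reachable from the Internet.

```powershell
# Added example: use insidecorporatenetwork in AD FS 3.0 claim rules.
$inside = 'http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork'

# 1. Global additional-authentication rule: any request with insidecorporatenetwork == false
#    (it came in through a Web Application Proxy) must complete MFA.
$mfaRule = @"
c:[Type == "$inside", Value == "false"] => issue(Type = "http://schemas.microsoft.com/claims/authnmethodsreferences", Value = "http://schemas.microsoft.com/claims/multipleauthn");
"@
Set-AdfsAdditionalAuthenticationRule -AdditionalAuthenticationRules $mfaRule

# 2. Issuance authorization for one relying party: deny external requests outright,
#    permit everything else. A deny claim wins over a permit claim.
$intranetOnlyRule = @"
c:[Type == "$inside", Value == "false"] => issue(Type = "http://schemas.microsoft.com/authorization/claims/deny", Value = "true");
=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
"@
# 'Intranet Only App' is a placeholder for the relying party trust's display name.
Set-AdfsRelyingPartyTrust -TargetName 'Intranet Only App' -IssuanceAuthorizationRules $intranetOnlyRule

# Read back what is now in effect.
Get-AdfsAdditionalAuthenticationRule
(Get-AdfsRelyingPartyTrust -Name 'Intranet Only App').IssuanceAuthorizationRules
```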



Friday, February 6, 2015

Microsoft Azure AD Sync - Push sync and change execution schedule

Microsoft Azure Active Directory Sync Services

If you have worked with DirSync for Office 365 before and you are now switching to Azure AD Sync, you might have noticed that the Start-OnlineCoexistenceSync command is gone.

Instead you can execute this command

C:\Program Files\Microsoft Azure AD Sync\Bin\DirectorySyncClientCmd.exe

or you go into the Task Scheduler and run the task from there.

The Microsoft Azure Active Directory Sync Services tool can be downloaded from

Happy Syncing!

Thursday, February 5, 2015

Change Certificate on Windows Server 2012 R2 Web Application Proxy

With ADFS 3.0 and Web Application Proxy the installation of IIS is no longer required. The binding of certificates for the ADFS and WAP services can be done with PowerShell. In this example the same certificate will be used for ADFS and all WAP applications.
The desired certificate must have been installed into the local machine's certificate store; the hash value (thumbprint) of the certificate is used to reference it. To list all available certificates run:

dir Cert:\LocalMachine\My


Thumbprint                                Subject
----------                                -------
9450B39AAAE6F203DD68AC1EA1D8D46A8C581E41  CN=certold.mydomain.com
921461C2FF106D4A50A6F3574D1CC25A7D4451B9  CN=certnew.mydomain.com

Now run the PowerShell commands to bind the new certificate:

get-WebApplicationProxyApplication DRS | set-WebApplicationProxyApplication -ExternalCertificateThumbprint 921461C2FF106D4A50A6F3574D1CC25A7D4451B9
get-WebApplicationProxyApplication Workfolders | set-WebApplicationProxyApplication -ExternalCertificateThumbprint 921461C2FF106D4A50A6F3574D1CC25A7D4451B9
Set-WebApplicationProxySslCertificate -Thumbprint 921461C2FF106D4A50A6F3574D1CC25A7D4451B9

Now restart the ADFS service:

stop-service "Active Directory Federation Services"
start-service "Active Directory Federation Services"

For verification you can run these commands and check that the new hash is active:

get-WebApplicationProxyApplication DRS
get-WebApplicationProxyApplication Workfolders


netsh http show sslcert
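The same change as a reusable script, added here as an example (not from the post): it checks the new certificate before touching anything, rebinds every published application rather than only DRS and Workfolders, and then verifies that nothing is left on the old thumbprint. The thumbprint is the one from the listing above; run it on the WAP server.

```powershell
# Added example: roll the WAP external certificate with checks before and after.
function Update-WapCertificate {
    param([Parameter(Mandatory=$true)][string]$Thumbprint)

    # Fail early if the certificate is missing, has no private key, or is about to expire.
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint"
    if (-not $cert.HasPrivateKey) { throw "$Thumbprint has no private key in LocalMachine\My." }
    if ($cert.NotAfter -lt (Get-Date).AddDays(30)) { throw "$Thumbprint expires on $($cert.NotAfter)." }
    $before = Get-WebApplicationProxyApplication | Select-Object Name, ExternalCertificateThumbprint

    # Rebind every published application, then the proxy's own listener for the federation endpoints.
    Get-WebApplicationProxyApplication |
        Set-WebApplicationProxyApplication -ExternalCertificateThumbprint $Thumbprint
    Set-WebApplicationProxySslCertificate -Thumbprint $Thumbprint
    Restart-Service -DisplayName 'Active Directory Federation Services'

    # Verify: no application may still reference another thumbprint, and HTTP.SYS must show the new one.
    $stale = Get-WebApplicationProxyApplication |
        Where-Object { $_.ExternalCertificateThumbprint -ne $Thumbprint }
    if ($stale) {
        throw "Still bound to another certificate: $(($stale | Select-Object -ExpandProperty Name) -join ', ')"
    }
    $bound = netsh http show sslcert | Select-String -Pattern $Thumbprint
    if (-not $bound) { throw "netsh shows no HTTP.SYS binding for $Thumbprint." }
    $before | Format-Table -AutoSize   # what was bound before, for the change record
}

Update-WapCertificate -Thumbprint '921461C2FF106D4A50A6F3574D1CC25A7D4451B9'
```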