Tuesday, February 24, 2015

What does the insidecorporatenetwork claim mean in ADFS 3.0?

I was searching around to find an answer to how the new claim type insidecorporatenetwork in ADFS 3.0 (Windows Server 2012 R2) works, and I was looking for a configuration page where all the internal networks could be added so that ADFS knows them. Wrong all the way, as I found out: ADFS is just checking whether the authentication request came in through a WAP server or directly.
Through WAP it is considered external and insidecorporatenetwork is set to false; if it came in directly it is considered an internal request and insidecorporatenetwork is set to true.

Because I did not get that many hits on Bing I thought it would be good to have this in my blog as well. See also

http://blogs.msdn.com/b/ramical/archive/2014/01/30/under-the-hood-tour-on-multi-factor-authentication-in-ad-fs-part-1-policy.aspx

https://technet.microsoft.com/en-us/library/dn592182.aspx#build
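The practical use of the claim is in policy: because ADFS itself sets insidecorporatenetwork from the request path (direct = true, via WAP = false), you can key an additional authentication rule on it so that anything arriving through the proxy must do MFA, and pass the claim through to an application that wants to know. The following is an added example, not code from the original post; it assumes an elevated PowerShell session on an ADFS 2012 R2 server, that an additional authentication provider is already enabled in the global authentication policy, and the relying party name "Claims Demo App" is a placeholder.

```powershell
# Added example: drive policy from the insidecorporatenetwork claim that AD FS 3.0 sets
# by itself (true = request hit the farm directly, false = request came through WAP).
# Assumptions: elevated session on an AD FS 2012 R2 server; "Claims Demo App" is a placeholder.

$InsideCorpNet = "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork"
$AuthMethod    = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod"
$MfaValue      = "http://schemas.microsoft.com/claims/multipleauthn"

# 1. Global additional authentication rule: require MFA whenever the request did NOT
#    come from inside, i.e. it arrived via the Web Application Proxy.
$mfaRule = @"
c:[Type == "$InsideCorpNet", Value == "false"]
 => issue(Type = "$AuthMethod", Value = "$MfaValue");
"@
Set-AdfsAdditionalAuthenticationRule -AdditionalAuthenticationRules $mfaRule

# 2. Pass the claim through to a relying party so the application can see it,
#    for example to record whether a session was established internally or via WAP.
#    Note: -IssuanceTransformRules replaces the trust's existing issuance rules, so
#    append this rule to the current rule set in a real deployment.
$passThrough = @"
c:[Type == "$InsideCorpNet"]
 => issue(claim = c);
"@
Set-AdfsRelyingPartyTrust -TargetName "Claims Demo App" -IssuanceTransformRules $passThrough

# 3. Read back what is now configured
Get-AdfsAdditionalAuthenticationRule
(Get-AdfsRelyingPartyTrust -Name "Claims Demo App").IssuanceTransformRules
```

One caveat follows directly from how the claim is derived: it only reflects whether the request passed through WAP. If the federation service is reachable from outside by any path other than the proxy, those requests are treated as internal, get insidecorporatenetwork = true and skip the MFA rule above. Publish the farm externally only through WAP so the claim keeps its meaning.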




Friday, February 6, 2015

Microsoft Azure AD Sync - Push sync and change execution schedule

Microsoft Azure Active Directory Sync Services

If you have worked before with DirSync for Office 365 and you are now switching to Azure AD Sync you might have noticed that the Start-OnlineCoexistenceSync command is gone.

Instead, you can execute this command:

C:\Program Files\Microsoft Azure AD Sync\Bin\DirectorySyncClientCmd.exe


or you go into the Task Scheduler and run the task from there.
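The following wraps the two options above (running DirectorySyncClientCmd.exe directly, or driving the scheduled task) into small functions and adds the schedule change the post's title mentions. It is an added example, not code from the original post or from Microsoft. It assumes that DirectorySyncClientCmd.exe takes a run profile argument of delta or initial, and that the scheduled task is named "Azure AD Sync Scheduler"; check both against your installation.

```powershell
# Added example: push an Azure AD Sync run on demand and inspect or change the
# scheduled task that normally triggers it.
# Assumptions: DirectorySyncClientCmd.exe accepts "delta" / "initial" as run profile,
# and the task created by the installer is named "Azure AD Sync Scheduler".

$SyncCmd  = "C:\Program Files\Microsoft Azure AD Sync\Bin\DirectorySyncClientCmd.exe"
$TaskName = "Azure AD Sync Scheduler"

function Invoke-AadSync {
    # -Initial forces a full import/sync cycle instead of a delta run
    param([switch]$Initial)
    $runProfile = if ($Initial) { "initial" } else { "delta" }
    Write-Host "Starting $runProfile sync..."
    & $SyncCmd $runProfile
    if ($LASTEXITCODE -ne 0) {
        throw "DirectorySyncClientCmd.exe exited with code $LASTEXITCODE"
    }
}

function Show-AadSyncSchedule {
    # Last result, last run and next run of the scheduler task
    Get-ScheduledTask -TaskName $TaskName | Get-ScheduledTaskInfo |
        Select-Object TaskName, LastRunTime, LastTaskResult, NextRunTime
}

function Set-AadSyncInterval {
    # Replace the task's trigger with one that repeats every N hours.
    # Set-ScheduledTask -Trigger replaces ALL existing triggers on the task.
    # Server 2012 R2 needs an explicit RepetitionDuration for a repeating trigger.
    param([int]$Hours = 1)
    $trigger = New-ScheduledTaskTrigger -Once -At (Get-Date).Date `
        -RepetitionInterval (New-TimeSpan -Hours $Hours) `
        -RepetitionDuration (New-TimeSpan -Days 3650)
    Set-ScheduledTask -TaskName $TaskName -Trigger $trigger
}

# Usage: pick ONE way to start a run; the two would step on each other if started together.
Invoke-AadSync                                 # direct, what Start-OnlineCoexistenceSync used to do
# Start-ScheduledTask -TaskName $TaskName      # same thing through the Task Scheduler
Show-AadSyncSchedule
# Set-AadSyncInterval -Hours 1                 # change the execution schedule
```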


The Microsoft Azure Active Directory Sync Services tool can be downloaded from
http://www.microsoft.com/en-us/download/details.aspx?id=44225

Happy Syncing!

Thursday, February 5, 2015

Change Certificate on Windows Server 2012 R2 Web Application Proxy

With ADFS 3.0 and Web Application Proxy the installation of IIS is not required. The binding of certificates for the ADFS and WAP service is done with PowerShell. In this example the same certificate will be used for ADFS and all WAP applications.
The desired certificate must have been installed into the local machine's certificate store, and the certificate's hash value (thumbprint) will be used to reference it. To list all available certificates run:

dir Cert:\LocalMachine\My

example:

Thumbprint                                Subject
----------                                -------
9450B39AAAE6F203DD68AC1EA1D8D46A8C581E41  CN=certold.mydomain.com
921461C2FF106D4A50A6F3574D1CC25A7D4451B9  CN=certnew.mydomain.com

Now run the PowerShell commands to bind the new certificate:

get-WebApplicationProxyApplication DRS | set-WebApplicationProxyApplication -ExternalCertificateThumbprint 921461C2FF106D4A50A6F3574D1CC25A7D4451B9
get-WebApplicationProxyApplication Workfolders | set-WebApplicationProxyApplication -ExternalCertificateThumbprint 921461C2FF106D4A50A6F3574D1CC25A7D4451B9
Set-WebApplicationProxySslCertificate -Thumbprint 921461C2FF106D4A50A6F3574D1CC25A7D4451B9

Now restart the ADFS service

stop-service "Active Directory Federation Services"
start-service "Active Directory Federation Services"


For verification you can run these commands and verify that the new hash is active:

get-WebApplicationProxyApplication DRS
get-WebApplicationProxyApplication Workfolders
get-WebApplicationProxySslCertificate


or 

netsh http show ssl
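The steps above can be folded into one script that picks the certificate by subject instead of a pasted thumbprint, checks that it is usable before binding, rebinds every published application rather than only DRS and Workfolders, and then verifies the result. This is an added example, not code from the original post; it assumes an elevated session on the WAP server and uses the placeholder subject certnew.mydomain.com from the listing above.

```powershell
# Added example: select, check, bind and verify the replacement WAP certificate.
# Assumptions: elevated PowerShell on the WAP server; "CN=certnew.mydomain.com" is the
# placeholder subject from the post's certificate listing.

$Subject = "CN=certnew.mydomain.com"

# Pick the newest certificate with that subject that is not expired and has a private key;
# a cert without its private key binds fine but the listener cannot complete a TLS handshake.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $Subject -and $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No usable certificate with subject $Subject in LocalMachine\My" }
Write-Host "Using $($cert.Thumbprint), valid until $($cert.NotAfter)"

# Bind the new certificate to every published application ...
Get-WebApplicationProxyApplication |
    Set-WebApplicationProxyApplication -ExternalCertificateThumbprint $cert.Thumbprint

# ... and to the proxy's own SSL listener
Set-WebApplicationProxySslCertificate -Thumbprint $cert.Thumbprint

# Restart the service (service name adfssrv, display name "Active Directory Federation Services")
Restart-Service adfssrv

# Verify: every application must report the new thumbprint
$stale = Get-WebApplicationProxyApplication |
    Where-Object { $_.ExternalCertificateThumbprint -ne $cert.Thumbprint }
if ($stale) {
    Write-Warning "Still on another certificate: $($stale.Name -join ', ')"
} else {
    Write-Host "All published applications use $($cert.Thumbprint)"
}
Get-WebApplicationProxySslCertificate
```

After the service restart, netsh http show ssl should list the same hash as the script prints; if it still shows the old thumbprint, the SSL binding step did not take and the applications are being served with the previous certificate.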