I was searching around to find an answer how the the new claim type insidecorporatenetwork in ADFS 3.0 (Windows Server 2012 R2) would work and I was looking to find somewhere a configuration page to add all the internal networks so that ADFS knows them. Wrong all way as I found out ADFS is just checking if the authentication request coming in through a WAP server or directly.
Through WAP it is considered as external and insidecorporatenetwork is set to false and if it came directly it is considered as request from internal and insidecorporatenetwork is set to true.
Because I did not got that many hits on Bing I thought it would be good having this in my blog as well. See also
http://blogs.msdn.com/b/ramical/archive/2014/01/30/under-the-hood-tour-on-multi-factor-authentication-in-ad-fs-part-1-policy.aspx
https://technet.microsoft.com/en-us/library/dn592182.aspx#build
Tuesday, February 24, 2015
Friday, February 6, 2015
Microsoft Azure AD Sync - Push sync and change execution schedule
Microsoft Azure Active Directory Sync Services
If you have worked before with DirSync for Office 365 and your are now switching to Azure AD Sync you might have noticed that the Start-OnlineCoexistenceSync command is gone.
Instead of you can executed this command
C:\Program Files\Microsoft Azure AD Sync\Bin\DirectorySyncClientCmd.exe
or you into the Task Scheduler and run the task from there.
The Microsoft Azure Active Directory Sync Services tool can be downloaded from
http://www.microsoft.com/en-us/download/details.aspx?id=44225
Happy Syncing!
If you have worked before with DirSync for Office 365 and your are now switching to Azure AD Sync you might have noticed that the Start-OnlineCoexistenceSync command is gone.
Instead of you can executed this command
C:\Program Files\Microsoft Azure AD Sync\Bin\DirectorySyncClientCmd.exe
or you into the Task Scheduler and run the task from there.
The Microsoft Azure Active Directory Sync Services tool can be downloaded from
http://www.microsoft.com/en-us/download/details.aspx?id=44225
Happy Syncing!
Thursday, February 5, 2015
Change Certificate on Windows Server 2012 R2 Web Application Proxy
With ADFS 3.0 and Web Application Proxy the installation of
IIS is not required and necessary. The binding for certificates on the ADFS and
WAP service can be done with PowerShell. In this example the
same certificate will be used for ADFS and all WAP applications.
The desired
certificate must have been installed into the local machines certificate store and
the hash value of the certificate will be used to reference the certificate. To
list all available certificates run:
dir
Cert:\LocalMachine\My
example:
Thumbprint Subject
---------- -------
---------- -------
9450B39AAAE6F203DD68AC1EA1D8D46A8C581E41 CN=certold.mydomain.com
921461C2FF106D4A50A6F3574D1CC25A7D4451B9 CN=certnew.mydomain.com
921461C2FF106D4A50A6F3574D1CC25A7D4451B9 CN=certnew.mydomain.com
Now run the PowerShell commands to bind the new certificate:
get-WebApplicationProxyApplication
DRS | set-WebApplicationProxyApplication -ExternalCertificateThumbprint
get-WebApplicationProxyApplication
Workfolders | set-WebApplicationProxyApplication -ExternalCertificateThumbprint
Set-WebApplicationProxySslCertificate
-Thumbprint
Now restart the ADFS service
stop-service "Active
Directory Federation Services"
start-service "Active
Directory Federation Services"
For verification you
can run these commands and verify that the new hash is active:
get-WebApplicationProxyApplication
DRS
get-WebApplicationProxyApplication
Workfolders
get-WebApplicationProxySslCertificate
Subscribe to:
Posts (Atom)