Hi,
I am at the Microsoft Ignite conference this week in Chicago, IL, and I will blog about news from the conference sessions and related information.
So, starting with that:
- There is a new version of Microsoft Identity Manager (the successor to FIM 2010 R2) available as a technical preview on Microsoft Connect.
Go to https://connect.microsoft.com and log on. Then go to the Identity and Access Management page and open the Download section.
- There is also a new technical preview of Windows Server 10: http://www.microsoft.com/en-us/evalcenter/evaluate-windows-server-technical-preview
Hyper-V Server 10 is available as a technical preview there as well.
More to come...
Monday, May 4, 2015
Thursday, April 30, 2015
AD finduser project
Hi there.
I was just working on a project where we had to find user information by searching for an SMTP address, a user name, or a GUID.
So instead of adding a parameter for each of them, I thought the script could find out by itself whether I had provided an SMTP address or a GUID. And if you work with Office 365/Azure AD you might already have received notifications from Microsoft about certain user accounts that give the GUID, there called the ImmutableID, in a different format.
The outcome of my thinking, and of my laziness about providing parameters all the time, can now be found on CodePlex (https://adfinduser.codeplex.com/).
Examples:
finduser.ps1 userA
finduser.ps1 user.A@domain.com
finduser.ps1 5Gz/Z7McHEWGzHdUTs5Kuw==
finduser.ps1 67ff6ce4-1cb3-451c-86cc-77544ece4abb
finduser.ps1 "{67ff6ce4-1cb3-451c-86cc-77544ece4abb}"
The script works with remote Active Directory domains as well as with AD LDS servers; just see the two lines you have to enable or disable.
Feel free to use it and adapt it. You can also add more error handling if you like.
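Below is an added example, not the CodePlex finduser.ps1 script itself, that shows how the single-argument detection described above can be done. It classifies the argument as a GUID (with or without braces), an ImmutableID (the Base64 encoding of the 16 objectGUID bytes, so the post's two sample values 5Gz/Z7McHEWGzHdUTs5Kuw== and 67ff6ce4-1cb3-451c-86cc-77544ece4abb are the same object), an SMTP address, or otherwise a sAMAccountName, and then searches the directory with an LDAP filter whose literal values are escaped per RFC 4515, so that whatever is typed on the command line stays a literal and cannot widen the query. The -SearchRoot parameter is an assumption standing in for the two lines the post says you enable or disable for remote AD or AD LDS.

```powershell
# Added example (not the CodePlex finduser.ps1): classify one argument the way
# the post describes, convert between ImmutableID and objectGUID, and search AD
# with an LDAP filter whose literal values are escaped per RFC 4515.
Add-Type -AssemblyName System.DirectoryServices

function Get-IdentifierKind {
    param([Parameter(Mandatory)][string]$Value)
    $v = $Value.Trim().Trim('{', '}')
    $parsed = [guid]::Empty
    if ([guid]::TryParse($v, [ref]$parsed)) { return 'ObjectGuid' }
    # ImmutableID = Base64 of the 16 objectGUID bytes: 24 characters ending in "=="
    if ($v -match '^[A-Za-z0-9+/]{22}==$') { return 'ImmutableId' }
    if ($v -match '^[^@\s]+@[^@\s]+\.[^@\s]+$') { return 'Smtp' }
    return 'SamAccountName'
}

function ConvertFrom-ImmutableId {
    param([Parameter(Mandatory)][string]$ImmutableId)
    New-Object System.Guid -ArgumentList (,[Convert]::FromBase64String($ImmutableId))
}

function ConvertTo-ImmutableId {
    param([Parameter(Mandatory)][guid]$Guid)
    [Convert]::ToBase64String($Guid.ToByteArray())
}

function ConvertTo-LdapLiteral {
    # RFC 4515 escaping: the caller's text can never add or close filter terms
    param([Parameter(Mandatory)][string]$Value)
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace("`0", '\00')
}

function ConvertTo-LdapGuid {
    # objectGUID is binary; each byte is written as \xx in the filter
    param([Parameter(Mandatory)][guid]$Guid)
    ($Guid.ToByteArray() | ForEach-Object { '\{0:x2}' -f $_ }) -join ''
}

function New-UserLdapFilter {
    param([Parameter(Mandatory)][string]$Value)
    $v = $Value.Trim().Trim('{', '}')
    switch (Get-IdentifierKind $v) {
        'ObjectGuid'  { $term = '(objectGUID={0})' -f (ConvertTo-LdapGuid ([guid]$v)) }
        'ImmutableId' { $term = '(objectGUID={0})' -f (ConvertTo-LdapGuid (ConvertFrom-ImmutableId $v)) }
        'Smtp'        { $term = '(|(mail={0})(proxyAddresses=smtp:{0}))' -f (ConvertTo-LdapLiteral $v) }
        default       { $term = '(sAMAccountName={0})' -f (ConvertTo-LdapLiteral $v) }
    }
    '(&(objectCategory=person)(objectClass=user){0})' -f $term
}

function Find-AdUser {
    param(
        [Parameter(Mandatory)][string]$Value,
        # Assumed parameter, replacing the post's two comment-toggled lines:
        # e.g. 'LDAP://dc01.domain.com/DC=domain,DC=com' or, for AD LDS,
        # 'LDAP://lds01.domain.com:50000/O=Contoso'. Default: the current domain.
        [string]$SearchRoot
    )
    $root = if ($SearchRoot) { New-Object System.DirectoryServices.DirectoryEntry $SearchRoot }
            else             { New-Object System.DirectoryServices.DirectoryEntry }
    $searcher = New-Object System.DirectoryServices.DirectorySearcher $root
    $searcher.Filter = New-UserLdapFilter $Value
    foreach ($p in 'sAMAccountName', 'userPrincipalName', 'mail', 'objectGUID', 'distinguishedName') {
        [void]$searcher.PropertiesToLoad.Add($p)
    }
    # Returns the first value of a result property, or $null if it is not set
    $first = { param($props, $name) if ($props[$name].Count -gt 0) { $props[$name][0] } }
    foreach ($r in $searcher.FindAll()) {
        $guid = New-Object System.Guid -ArgumentList (,[byte[]](& $first $r.Properties 'objectGUID'))
        [pscustomobject]@{
            SamAccountName    = & $first $r.Properties 'sAMAccountName'
            UserPrincipalName = & $first $r.Properties 'userPrincipalName'
            Mail              = & $first $r.Properties 'mail'
            ObjectGuid        = $guid
            ImmutableId       = ConvertTo-ImmutableId $guid
            DistinguishedName = & $first $r.Properties 'distinguishedName'
        }
    }
}

# Usage with the post's own sample arguments:
Find-AdUser 'userA'
Find-AdUser 'user.A@domain.com'
Find-AdUser '5Gz/Z7McHEWGzHdUTs5Kuw=='
Find-AdUser '{67ff6ce4-1cb3-451c-86cc-77544ece4abb}'
```

The order of the checks matters: a GUID is tested before the Base64 pattern because both are fixed-length strings, and the SMTP pattern is tested before falling back to a user name because a user name has no `@`. Returning both the GUID and the ImmutableID for every hit lets you match the notification from Microsoft against the on-premises object directly.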
Wednesday, March 11, 2015
MIM with new feature: SSAU
Microsoft Identity Manager is not released yet, but CTP2 adds a new feature to mitigate a common problem: after a user changes his/her password, there are these days plenty of devices and RDP sessions still using the old password, and the user account is locked within a few minutes.
Until now the user had to call the helpdesk for an account unlock or wait out the grace period for the automatic unlock.
With MIM a self-service account unlock feature is added to the password reset page. A user can unlock his/her account and keep the existing password, e.g. to log in to the RDP session and close it, or to update the password on the smartphone.
SSAU can be integrated with Azure Multi-Factor Authentication (MFA, previously PhoneFactor).
See also: http://blogs.technet.com/b/ad/archive/2015/03/03/microsoft-identity-manager-public-preview-2-is-available.aspx
Tuesday, February 24, 2015
What does the insidecorporatenetwork claim mean in ADFS 3.0?
I was searching for an answer to how the new claim type insidecorporatenetwork in ADFS 3.0 (Windows Server 2012 R2) works, and I expected to find a configuration page somewhere to add all the internal networks so that ADFS knows them. Wrong all the way: as I found out, ADFS just checks whether the authentication request came in through a WAP server or directly.
Through WAP it is considered external and insidecorporatenetwork is set to false; if it came in directly it is considered a request from the internal network and insidecorporatenetwork is set to true.
Because I did not get that many hits on Bing, I thought it would be good to have this in my blog as well. See also:
http://blogs.msdn.com/b/ramical/archive/2014/01/30/under-the-hood-tour-on-multi-factor-authentication-in-ad-fs-part-1-policy.aspx
https://technet.microsoft.com/en-us/library/dn592182.aspx#build
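As an added example (not from the post), here is how the claim is typically consumed: an ADFS 3.0 additional authentication rule that requires a second factor whenever insidecorporatenetwork is false, i.e. whenever the request came in through the Web Application Proxy, plus a pass-through rule so a relying party can see which path a token took. The relying party name "Contoso App" is an assumption; the claim type URI and the multipleauthn authentication method URI are the standard ADFS values.

```powershell
# Added example, not from the post. An ADFS 3.0 additional authentication rule
# keyed on the insidecorporatenetwork claim: requests that arrived through the
# Web Application Proxy carry "false" and must present a second factor;
# requests that reached the farm directly carry "true" and are not asked.
# Run on an ADFS server; "Contoso App" is an assumed relying party name.
$claimType = 'http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork'

$mfaRule = @"
c:[Type == "$claimType", Value == "false"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",
          Value = "http://schemas.microsoft.com/claims/multipleauthn");
"@

# Set-AdfsAdditionalAuthenticationRule replaces the global rule set, so look at
# what is there before overwriting it.
Get-AdfsAdditionalAuthenticationRule
Set-AdfsAdditionalAuthenticationRule -AdditionalAuthenticationRules $mfaRule

# Pass the claim through to one relying party so the application can log which
# path (WAP or direct) each token came in on. -IssuanceTransformRules also
# replaces the whole rule set, so append to the existing rules.
$rp       = Get-AdfsRelyingPartyTrust -Name 'Contoso App'
$passRule = @"
@RuleName = "Pass through insidecorporatenetwork"
c:[Type == "$claimType"] => issue(claim = c);
"@
Set-AdfsRelyingPartyTrust -TargetName 'Contoso App' `
    -IssuanceTransformRules ($rp.IssuanceTransformRules + "`n" + $passRule)
```

Because the claim only reflects whether the request arrived via WAP, it is exactly as trustworthy as the network controls that force all external traffic through the proxy: if the ADFS farm itself is reachable from outside, every such request is tagged as internal and the MFA rule above is never triggered. Checking that the farm's HTTPS port is reachable only from the internal network and from the WAP servers is therefore part of deploying this rule.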
Friday, February 6, 2015
Microsoft Azure AD Sync - Push sync and change execution schedule
Microsoft Azure Active Directory Sync Services
If you have worked with DirSync for Office 365 before and you are now switching to Azure AD Sync, you might have noticed that the Start-OnlineCoexistenceSync command is gone.
Instead you can execute this command:
C:\Program Files\Microsoft Azure AD Sync\Bin\DirectorySyncClientCmd.exe
or you go into the Task Scheduler and run the task from there.
The Microsoft Azure Active Directory Sync Services tool can be downloaded from
http://www.microsoft.com/en-us/download/details.aspx?id=44225
Happy Syncing!
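The following is an added example, not part of the original post, that wraps both options described above: running the sync client on demand with an exit-code check, and reading or changing the repetition interval of the scheduled task that normally starts it. The task-name filter and the "delta"/"initial" argument to the exe are assumptions about the AAD Sync build in use; confirm them with Get-ScheduledTask and the exe's own usage output before relying on them.

```powershell
# Added example, not from the post. Runs a sync on demand the way the post
# describes and shows how to read and change the interval of the scheduled
# task that normally kicks it off. The task-name filter and the "delta"/
# "initial" argument are assumptions about the AAD Sync build in use.
$syncExe = 'C:\Program Files\Microsoft Azure AD Sync\Bin\DirectorySyncClientCmd.exe'

function Start-AadSyncPush {
    param([ValidateSet('delta', 'initial')][string]$Type = 'delta')
    if (-not (Test-Path $syncExe)) { throw "Sync client not found at $syncExe" }
    & $syncExe $Type
    if ($LASTEXITCODE -ne 0) { throw "DirectorySyncClientCmd.exe exited with code $LASTEXITCODE" }
}

function Get-AadSyncTask {
    # Assumption: the installer registered one task whose name contains "Azure AD Sync"
    $task = @(Get-ScheduledTask | Where-Object { $_.TaskName -like '*Azure AD Sync*' })
    if ($task.Count -ne 1) { throw "Expected one Azure AD Sync task, found $($task.Count)" }
    $task[0]
}

function Get-AadSyncInterval {
    # Trigger repetition intervals are stored as ISO 8601 durations, e.g. PT3H
    [System.Xml.XmlConvert]::ToTimeSpan((Get-AadSyncTask).Triggers[0].Repetition.Interval)
}

function Set-AadSyncInterval {
    param([Parameter(Mandatory)][timespan]$Interval)
    $task = Get-AadSyncTask
    $task.Triggers[0].Repetition.Interval = [System.Xml.XmlConvert]::ToString($Interval)
    Set-ScheduledTask -InputObject $task | Out-Null
    Get-AadSyncInterval
}

Start-AadSyncPush -Type delta                        # same as running the exe by hand
Get-AadSyncInterval                                  # current interval as a TimeSpan
Set-AadSyncInterval (New-TimeSpan -Hours 1)          # e.g. shorten to hourly
Start-ScheduledTask -InputObject (Get-AadSyncTask)   # same as "Run" in Task Scheduler
```

Editing the trigger object returned by Get-ScheduledTask and writing it back with Set-ScheduledTask keeps the task's account, triggers and settings intact, which is safer than recreating the task; the exe path is the one given in the post.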
Thursday, February 5, 2015
Change Certificate on Windows Server 2012 R2 Web Application Proxy
With ADFS 3.0 and Web Application Proxy the installation of IIS is no longer required. The binding of certificates on the ADFS and WAP services is done with PowerShell. In this example the same certificate will be used for ADFS and all WAP applications.
The desired certificate must have been installed into the local machine's certificate store, and the hash value (thumbprint) of the certificate is used to reference it. To list all available certificates run:
dir Cert:\LocalMachine\My
Example:
Thumbprint                                Subject
----------                                -------
9450B39AAAE6F203DD68AC1EA1D8D46A8C581E41  CN=certold.mydomain.com
921461C2FF106D4A50A6F3574D1CC25A7D4451B9  CN=certnew.mydomain.com
Now run the PowerShell commands to bind the new certificate:
get-WebApplicationProxyApplication DRS | set-WebApplicationProxyApplication -ExternalCertificateThumbprint 921461C2FF106D4A50A6F3574D1CC25A7D4451B9
get-WebApplicationProxyApplication Workfolders | set-WebApplicationProxyApplication -ExternalCertificateThumbprint 921461C2FF106D4A50A6F3574D1CC25A7D4451B9
Set-WebApplicationProxySslCertificate -Thumbprint 921461C2FF106D4A50A6F3574D1CC25A7D4451B9
Now restart the ADFS service:
stop-service "Active Directory Federation Services"
start-service "Active Directory Federation Services"
For verification you can run these commands and verify that the new hash is active:
get-WebApplicationProxyApplication DRS
get-WebApplicationProxyApplication Workfolders
get-WebApplicationProxySslCertificate
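As an added example (not from the post), the same procedure generalised into a script: it first checks that the new thumbprint resolves to a certificate in LocalMachine\My that has its private key and has not expired, then rebinds every published application still using another thumbprint (not only DRS and Workfolders), binds the proxy's own SSL certificate, restarts the service and verifies the result. The thumbprint is the post's sample value.

```powershell
# Added example, not from the post: rotates the external certificate on every
# published WAP application still bound to another thumbprint, binds the same
# certificate for the proxy itself, restarts the service and verifies the result.
# The thumbprint is the post's sample value; run elevated on the WAP server.
$newThumb = '921461C2FF106D4A50A6F3574D1CC25A7D4451B9'

function Test-ServerCertificate {
    # The thumbprint must point at a certificate in LocalMachine\My that has its
    # private key and is still valid; otherwise the binding silently breaks TLS.
    param([Parameter(Mandatory)][string]$Thumbprint)
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $cert)                    { throw "No certificate $Thumbprint in LocalMachine\My" }
    if (-not $cert.HasPrivateKey)      { throw "Certificate $Thumbprint has no private key" }
    if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $Thumbprint expired on $($cert.NotAfter)" }
    $cert
}

function Set-WapCertificate {
    param([Parameter(Mandatory)][string]$Thumbprint)
    Test-ServerCertificate $Thumbprint | Out-Null
    # Every published application, not only DRS and Workfolders
    Get-WebApplicationProxyApplication |
        Where-Object { $_.ExternalCertificateThumbprint -ne $Thumbprint } |
        ForEach-Object {
            Write-Verbose "Rebinding $($_.Name) from $($_.ExternalCertificateThumbprint)" -Verbose
            $_ | Set-WebApplicationProxyApplication -ExternalCertificateThumbprint $Thumbprint
        }
    Set-WebApplicationProxySslCertificate -Thumbprint $Thumbprint
    Restart-Service adfssrv   # service name of "Active Directory Federation Services"
}

function Test-WapCertificate {
    # Returns $true only if all applications and the proxy itself use the thumbprint
    param([Parameter(Mandatory)][string]$Thumbprint)
    $stale = Get-WebApplicationProxyApplication |
             Where-Object { $_.ExternalCertificateThumbprint -ne $Thumbprint }
    $sslOk = (Get-WebApplicationProxySslCertificate | Out-String) -match $Thumbprint
    foreach ($app in $stale) { Write-Warning "$($app.Name) still uses $($app.ExternalCertificateThumbprint)" }
    if (-not $sslOk) { Write-Warning 'Proxy SSL binding does not show the new thumbprint' }
    (-not $stale) -and $sslOk
}

Set-WapCertificate -Thumbprint $newThumb
Test-WapCertificate -Thumbprint $newThumb
```

The pre-flight check matters because Set-WebApplicationProxySslCertificate happily accepts a thumbprint of a certificate without a private key; the failure only shows up as a TLS error for external users after the service restart. The ADFS server side of the same rotation is done with Set-AdfsSslCertificate on the federation server, which the post does not cover.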
Monday, November 17, 2014
How to archive and un-archive certificates
You might be aware that certificates can be flagged as archived on a Windows machine. That has nothing (as in nada) to do with key archival, which is performed, if configured, on the Certification Authority.
The archive flag is used to make certificates invisible to applications without deleting them from a user or machine store. E.g. auto-enrollment sets this flag on the old certificate when a new certificate has been enrolled.
In this post I want to show you how to set and unset this flag.
First of all we want to see whether we have a certificate in the certificate store with the archive flag set. I work on my machine as local administrator, and so should you.
1. Open an MMC and add the Certificates snap-in for either your user or the local machine, or both if you like.
Then enable the "show archived certificates" view option. That is like the advanced view setting you might know from Active Directory Users and Computers.
Note: You have to enable the archived certificate view for each snap-in separately. I did that for both Certificates - Current User and Certificates (Local Computer).
Now you see archived certificates in the MMC.
Note the letter A at the end. That is the sign that this certificate is flagged archived.
2. You can do the same by running a certutil command. The MMC does not give you an option to set the flag, so you have to use certutil for that; see below.
Use certutil to see all certificates:
certutil.exe -store my
will show you all certificates in the local machine store
...
================ Certificate 4 ================
Archived!
Serial Number: 3dc344f3e2cf6dab48d7085ecd1bb849
Issuer: CN=localhost
NotBefore: 6/13/2012 2:17 PM
NotAfter: 6/12/2022 5:00 PM
Subject: CN=localhost
Signature matches Public Key
Root Certificate: Subject matches Issuer
Template:
Cert Hash(sha1): 80 3e 7f 62 5a be 5b 14 52 e3 65 dd 72 4d 59 98 cb 8a 30 d3
Key Container = IIS Express Development Certificate Container
Unique container name: fad662b360941f26a1193357aab3c12d_42f2ea6e-c662-4d0b-8b56-2f094a3a3dc9
Provider = Microsoft RSA SChannel Cryptographic Provider
Encryption test passed
....
So that certificate is number 4 in the certificate store. Let's write this down for later.
3. We will use certutil for un-archiving the certificate (and we can use it for archiving as well).
Here is the file to set the archive flag:
- Create a new file with Notepad and call it archive_set.inf
- paste these two lines into the archive_set.inf file
[Properties]
19 = Empty ;
- save the file
Here is the file to remove the archive flag:
- Create a new file with Notepad and call it archive_remove.inf
- paste these two lines into the archive_remove.inf file
[Properties]
19 = ;
- save the file
4. Now you can toggle the archive flag as you desire.
You need the number you took down in step 2, or use the certificate serial number instead.
flag on:
certutil.exe -repairstore my 4 archive_set.inf
flag off:
certutil.exe -repairstore my 4 archive_remove.inf
See also http://blogs.technet.com/b/pki/archive/2007/02/22/how-to-manually-set-the-archive-flag-for-certifictes.aspx
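As an added example, not from the post, the same thing done from PowerShell through .NET instead of certutil and inf files. The property number 19 in the inf files is CERT_ARCHIVED_PROP_ID, and that is exactly what the X509Certificate2.Archived setter writes; opening the store with the IncludeArchived flag corresponds to the "show archived certificates" option in the MMC, and without it an archived certificate is not even enumerated, which is why un-archiving has to open the store that way. The thumbprint used is the SHA-1 hash of the post's certificate 4 written as one string.

```powershell
# Added example, not from the post. Does the same as the certutil/inf procedure
# through .NET: the Archived property maps to certificate property 19
# (CERT_ARCHIVED_PROP_ID), the number used in the inf files above.
# Run elevated when working on the machine store.
function Get-ArchivedCertificate {
    param([System.Security.Cryptography.X509Certificates.StoreLocation]$Location = 'LocalMachine')
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'My', $Location
    # IncludeArchived is what the MMC "show archived certificates" option turns on
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]'ReadOnly, IncludeArchived')
    try {
        $store.Certificates | Where-Object { $_.Archived } |
            Select-Object Subject, Thumbprint, NotAfter, SerialNumber
    } finally { $store.Close() }
}

function Set-CertificateArchiveFlag {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [Parameter(Mandatory)][bool]$Archived,
        [System.Security.Cryptography.X509Certificates.StoreLocation]$Location = 'LocalMachine'
    )
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store 'My', $Location
    # ReadWrite so the property change is persisted; IncludeArchived so that an
    # already archived certificate can be found at all
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]'ReadWrite, IncludeArchived')
    try {
        $wanted = $Thumbprint.Replace(' ', '').ToUpper()
        $cert = $store.Certificates | Where-Object { $_.Thumbprint -eq $wanted }
        if (-not $cert) { throw "No certificate with thumbprint $wanted in $Location\My" }
        # Setting Archived writes property 19 on the store's certificate context
        $cert.Archived = $Archived
        [pscustomobject]@{ Subject = $cert.Subject; Thumbprint = $cert.Thumbprint; Archived = $cert.Archived }
    } finally { $store.Close() }
}

# The post's certificate 4, Cert Hash(sha1) 80 3e 7f 62 ... d3, as one thumbprint string
$thumb = '803E7F625ABE5B1452E365DD724D5998CB8A30D3'
Get-ArchivedCertificate                                           # lists it while flagged
Set-CertificateArchiveFlag -Thumbprint $thumb -Archived $false    # same as archive_remove.inf
Set-CertificateArchiveFlag -Thumbprint $thumb -Archived $true     # same as archive_set.inf
```

Keep in mind what the flag does and does not do: an archived certificate and its private key are still present in the store and still usable by anything that opens the store with IncludeArchived, so archiving is a tidiness measure, not a revocation or a key-destruction step.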