Securing the RDP connection Using Azure MFA for windows 2012/ 2012R2/2016 with RD Gateway and NPS server.

Hello All,

Ahmad Yasin

In my previous articles, we explained a step by step how to secure the remote access (RDP connection) using Azure Multi-factor Authentication (MFA), at that time we mentioned that the same procedure can only applied to windows 2012 and earlier and it’s not supported to be applied to windows 2012 R2 and above.

You can review the previous articles using below links:

Part 1: http://azuredummies.com/2016/02/05/secure-terminal-services-rdp-using-azure-multifactor-authentication-mfa-part-1/

Part 2: http://azuredummies.com/2016/02/06/secure-terminal-services-rdp-using-azure-multi-factor-authentication-mfa-part-2/

Part 3: http://azuredummies.com/2016/02/13/azure-active-directory-part-3-azure-ad-connect-installation-and-configuration/

Today in this article we will walk through the steps in how to secure the RDP connection to windows 2012 R2 and above, I found many articles on the internet that describe the procedure, i followed a lot of them with no luck,

We found multiple public articles which described this deployment.Unfortunately, we followed these articles but it never works, i collaborated with my colleague “Lucian Busoi” in order to find what are the missing steps in these articles, Finally we found it and i will summarize all required steps in this article, Thanks Lucian for this help.

“Other Public Articles may Assumed that the missing steps something that the reader should know by default”

To simplify the scenario, let’s summarize what are the components required for this deployment:

1- Windows 2012 R2/2016 machine which will be used to setup the MFA stand alone server which will be used for MFA authentication with MS back-end service.

2- Windows 2012 R2/2016 machine which will be used to install and deploy the Gateway and NPS roles, to simplify the concept of this server let’s imagine that this server will be used as an intermediate between the target server and MFA server, when the user try to connect to the target server using RDP, the traffic actually will reach the gateway server first, after gateway server verify the domain credentials it will forward the traffic to the MFA server to do the second factor Authentication, if MFA challenge Passed then the user will be allowed to access the target server.

3- The target Server(s) which you require to access it thorough RDP, for example windows 2012 R2 or 2016 machines.

before start the Implementation, let’s first explain the concept, for the MFA server as we already know we need this machine n order to deploy the MFA server, deploying the MFA server is easy process, in order to be able to download the MFA setup package from Azure portal, you need to have a license that allow you to deploy the MFA stand alone server, you need to have one of the following licenses:

  • Azure Multi-Factor Authentication
  • Azure Active Directory Premium
  • Enterprise Mobility + Security

one important thing i noticed that many customers tried to follow MS article to deploy the MFA stand alone server as described in below article:

https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-get-started-auth-provider

Some customers stuck in above article in the “Create a Multi-Factor Auth Provider” step as they don’t have this option in their Azure Tenant even they have a valid license for MFA, at this point they stop deploying the MFA and start complaining about this, HEADACHE !!

If you don’t see the option to create the MFA provider, Then a default MFA provider is already setup for Your tenant assuming that you have a valid license.

To access the MFA provider, you need to follow below steps:

login to https://portal.azure.com with global administrator user, then from the left pane select “Azure Active Directory” as below:

Then Click on ” Users and Groups” option as below:

Now, Make sure to select “All Users” option, then click in “Multi-Factor Authentication” option as below:

The MFA page will appear as below, make sure to click on the “Service Settings” option, then in the bottom of the page click on “Go to Portal” option as below:

 

Note: if “Go to the portal” option doesn’t appear, then this means usually that you don’t have a valid license for MFA stand alone deployment or you didn’t assign any user for an MFA license.

Finally, you will find the option to download the MFA stand alone server as below:

In this article we will assume that the MFA server already deployed as we discussed this in details in my previous article as below:

http://azuredummies.com/2016/02/06/secure-terminal-services-rdp-using-azure-multi-factor-authentication-mfa-part-2/

For now, we have an MFA stand alone server already deployed but not configured yet.

Let’s move to the second component which is the Gateway/NPS server, let’s go a little deep from technical perspectives, the most important question why this component is required in this deployment, to answer this question let’s try to understand the flow in GW/NPS with MFA:

i draw above diagram (Not professional in drawing 🙂 ) to demonstrate the concept and the functionality of GW/NPS server, let’s summarize the flow as below using the numbers in the diagram:

1- User will trying to access on-premises resource using gateway, in this stage the user credential will be sent to the gateway server.

2- Gateway will forward the request to the MFA server, till this stage the provided credentials by the user not validated yet.

3- since the credentials still not validated, then the MFA server will forward the request to the NPS server asking it to verify the credentials before moving forward and start the MFA process.

Note: in our demo, Gateway and NPS is the same server.

4- Now, NPS will verify the user credential using the local Active directory, depends on the response from local AD the NPS will respond to the MFA server, if the user credentials are correct then the NPS will receive and accept response from local AD, otherwise NPS will receive rject request from local AD which will deny the user to access the resource, noting that if the NPS got a reject message from local AD then the MFA will not be processed and this make sense as no need to apply second factor Auth if the credentials (first Factor Auth) are wrong.

Note: when we are saying “Accept” or ” Reject” message this is not actually mean that AD send Accept or Reject message literally, we are trying to simplify the process only.

5- in case of Accept response from AD, NPS will send the request back to the MFA with Accept Message.

6- MFA will perform the second factor authentication, it will challenge the use by MFA challenge, for example it may call user phone or send notification in Microsoft Auth App.

7- MFA will send the result of MFA challenge to the RD Gateway again.

8- In case the MFA challenge passed, then RD Gateway will evaluate the request against Resource Authorization Policies (RAP) and check if the user is allowed to access the resource or not.

9- if the user is allowed to access the target resource, then RD Gateway will allow the user, otherwise the user will be rejected.

 

To summarize above, in order to the user to successfully access the resource, three major conditions should be met:

1- The Users credentials should be correct and accepted by local active directory.

2- User should pass the MFA Challenge.

3- User should be allowed to access the resource based on the RAP policies.

As we now understand the purposes of each components, let’s start the implementation, to do that i have below servers:

1- Windows 2016 machine for MFA deployment, IP: 192.168.0.15

2- Windows 2016 for gateway and NPS deployment, IP: 192.168.0.14

3- Target resource, it may be windows 2016, 2012 R2, 2012.

Theoretically, earlier versions of target resource such as windows 2008 R2 should work using the procedure in this article, but i didn’t test this, no guarantee.

As mentioned before, the installation of MFA server is an easy process, and i already discussed it in my previous posts, if you are not familiar in how to install the MFA server please follow my previous article:

http://azuredummies.com/2016/02/06/secure-terminal-services-rdp-using-azure-multi-factor-authentication-mfa-part-2/

Now, let’s go to the implementation of gateway/NPS server, first of all, the RD gateway is a windows Role whick means you can deploy it without the need of any external package, You can deploy it using server manager, to do deploy these services, open the “Add Roles and features Wizard” from server manager then click Next in the first page as below:

Now, Choose “Role-based or feature-based installation” option and click Next:

Choose the right server and click Next:

Choose “Remote Desktop Services” option only and click next, Don’t choose the NPS from here as it will be added automatically by the wizard later on:

Now, once you reach the Role Services tab, choose “Remote Desktop Gateway” option, new dialog box will appear asking you to install other related roles/features including the NPS as below:

Click Add features to add all required features including the NPS:

Now, keep clicking Next till you reach the Role Services tab again, make sure that the “Network Policy Server” option selected then click Next:

Finish the wizard by click Install and wait till the installation finish:

The Installation of Gateway and NPS services finished as below:

Till this step, we have two server, the first one is the MFA server and the Second one is the Gateway/NPS server, now let’s go through the Configurations Part.

First of all, let’s configure the GW/NPS server, to do that, from server manager, launch the remote desktop gateway manager as below:

From RD Gateway console, right click on the Server name and choose Properties as below:

Now, click on the “RD CAP Store” tab, then select “Central Server running NPS” option, enter the IP (or the name) of MFA server then click Add button as below:

a new windows will appear asking you to enter a shared secret key, enter any key you want and click OK:

Note: this shared secret key will be used later on on the MFA configuration, let’s call this in our minds GATEWAY SECRET KEY.

after adding the MFA server successfully, click OK:

Now, Open the NPS console from server manager as below:

Choose the “Remote Radius Server Groups”, then right click on the “TS GATEWAY SERVER GROUP” and choose properties, or double click as below:

Make Sure that the IP of MFA server appears under the General Tab, select it and click on the Edit button as below:

Click on load balancing tab, increase the highlighted values to avoid any time out issues, i prefer to set these values to 60 seconds or more:

Now, let’s create a Radius client, to do that from the NPS console, right click on the RADIUS Clients option and choose New as below:

Make Sure to check the “Enable this RADIUS client”, enter any friendly name you want, keep in mind that this name should be used exactly in another next step, choose any name and write it down for later on usage, Also you need to fill the IP (or name) of the MFA server and finally choose a a new shared secret, Remember that this secret key will be used also in MFA configuration later on, for that let’s call this in our minds NPS SECRET KEY, once finish click OK button as below:

Now let’s create two policies which will be user to forward and receive the requests from the MFA server, the easiest way to do that is to duplicate the Default policy “TS GATEWAY AUTHORIZATION POLICY” as below:

Now, Rename Both Policies exactly as appear below, make sure that both policies are enabled, the “Processing order” is very important here:

Righ click on the first Policy which is called “From MFA”, go to condition tab and click Add button as below:

Choose Client Friendly name option, then click Add button as below:

This is will ask you about the name of the Radius client, you SHOULD use the same name you used when you create the radius client in one of the previous steps, if you remember we used MFA as the name of the radius client, so we should use the same name here as this will specify from which radius client the NPS will receive the requests: 

Now in the same policy, go to the settings Tab, under Authentication request make sure to select the “Authenticate Requests on this server” option as below:

Under Accounting tab, make sure to remove the check from “Forward accounting requests ….” option as below:

Now, in the other policy which is called ” To MFA”, under the setting tab , verify the the Authentication have the option to forward the request to the TS GATEWAY SERVER GROUP as below:

Under Accounting, make sure that the ” Forward accounting requests …. ” is selected as below:

Under Conditions tab, you should have only “NAS Port Type” as a condition as below:

Just to verify above settings, both policies SHOULD have below configurations, click in the first one and see below configurations:

Now click on the second Policy and check the configurations:

Now, we still have three steps to do before finalize the configurations of GATEWAY/NPS, these two steps as per my search i didn’t find it in any public article which are related to this topic, so we need to make sure to do below steps.

The first one, as we mentioned in the flow diagram of GW,NPS,AD and the MFA server in Step No. 8, we mentioned that if the user respond to the  MFA challenge successfully, then MFA server will send the request back to the Gateway, Now Gateway will validate if the user is allowed to access the Target resource based on RAP policies, DO YOU REMEMBER THAT 🙂

if we open the RD Gateway console, under Resource Authorization Policies (RAP) tab we will not see any policy, this is by default, as the installation of gateway role only will not create any default RAP, so if you missed this step no user will be allowed to access any internal resource even if the user respond to MFA challenge successfully:

So we need to create a new policy, the policy will define who is allowed to access and what to access, to do that right click and choose “create New Policy using the wizard for simplicity as below:

Choose “Create only a RD RAP” then click Next as below:

Give the policy and friendly name and click Next:

Here, you need to decide which group will have an access, i created a group in my AD called it “Home Users”, add the groups you need to grant it an access then click Next:

Here, you have an option to decide which Resource(s) can be accessed by the groups you selected in previous step, for simplicityi will allow the group to acc

Also you can decide to allow the connection in specific ports, in this demo i will allow any port for simplicity as below:

Note: In production environments, you need to select the options based on your company requirements, choose above options as i did may be a security concerns for others, BE CAREFUL !

Finally, click Finish as below:

The Policy should be completed successfully as below:

The new Policy will appear in the Gateway Console:

The second important thing, by default the NPS will have a network policy to deny all requests as below, this policy is enabled by default:

Double click on the policy, you can see that the policy deny all connections and ignore user account dial in properties:

Each user in AD have a user account dial in property, this option by default will keep the NPS to take the decision to allow user to access or not as below snapshot from my AD:

Even if you try to change the option from AD to Allow Access, this is will not effect as the default NPS policy is to ignore this value from AD.

Now we need to change the option to be Grant Access as below, again if you missed this option no users will be able to access any resource through the gateway:

Now, you should see that the policy have a Grant Access as an access type as below:

The third important step, that we need to configure the RD Gateway certificate, I am using public certificate and i think you can use a private certificate from your internal CA but you need to make sure that the client machine trust the CA certificate, based on my testing if you don’t configure the gateway certificate the connection to gateway externally will not work, also if you decide to use the IP of GW instead of the name it will not work also as we will see this in the teasing part.

to configure the certificate, open the gateway console, choose the properties of the server name as below:

Under the certificate Tab, select the option to import the certificate and continue the process, from below snapshot you can notice that i am using a Public certificate issued by DigiCert, also you can see that my certificate is a wild card so i can access the Gateway using any name end with my domain name in the format of: xxxxxx.JoTechLab.com, if you don’t use a wild card certificate, then make sure that the name which will be used to publish the Gateway externally is included in the certificate SAN:

Now, the last thing we need to do is to configure the MFA server, to do that launch the MFA console and Go to “Radius Authentication” tab as below, make sure that “Enable RADIUS Authentication” is checked, then click in Add button:

As you can see from below snapshot, the Auth and Accounting have specific ports, if there is any network device that prevent these ports you need to allow them.

Add the IP of the Gateway Server, give any friendly name beside the Application Name field, then enter the shared secret key, the key that SHOULD be used here should match the one we configured in the gateway console (We called GATEWAY SECRET KEY if you Remember), finally click OK:

Now, from the target TAB, choose RADIUS Server(s) option and click Add as below:

You can see that there is a Server timeout option, i recommend to increase it to 45 seconds to avoid any time out in the MFA process, i forgot to do this in my lab.

Again, Add the IP of the NPS server (in our case the same IP of GW), enter the sahred Secret Key, again this should match the secret key we used in the NPS configurations, if you remember we called it NPS SECRET KEY:

Now to test this, we need to configure a test user, to do that we need to add the user to the MFA console, there are multiple ways to do that, i prefer the easiest one, Just go to the users Tab, then click Import from Active Directory:

Find the user and add it as below, in my example i will add a user called “Mohamad” then click Import as below:

Now, choose the user from the MFA console and Click Edit, make sure that the user have a valid phone number, if the value is incorrect or empty you can fill it from MFA directly as usually it’s supposed to import these info from local AD, fill the country code, Phone number and the MFA Method and finally make sure to enable the user, Click Apply as below:

From MFA console and under Users tab, verify that the user exist and configured as below:

Now the final part is the testing one, to test this i will access a target server using RDP connection, the Private IP of target server is 192.168.0.10, from my machine which is located externally from servers network, i will launch MSTSC /Admin, in the computer field i will enter the Private IP of the detestation server as below:

Now, from Advance Tab, click on the Settings button as below:

Choose “Use These RD Gateway Server Settings” option, enter the Name of the of the RD Gateway server that is accessible externally as below then click OK:

Here there is a very important note, based on my testing you cannot enter the public IP of the gateway because the connection will failed with certificate error as we discussed earlier in this article and as appears below, maybe there is another way to configure it, but at least this is what i find in my lab:

You can see that in my connection i used RG.JoTechLab.com which is point to the public IP of my Gateway server, as we mentioned before since i have a wild card certificate then this name is covered by my certificate.

Now enter the Credentials then click OK as below:

Based on the Policy that we created in previous steps, only the users who are member of HOME Users group will be allowed to access the gateway, the User Mohamad already member of this group as below:

Now the connection started:

Finally, i got the MFA challenge in my mobile as below snapshot, it ask me to press the # key to continue:

once i responded to the MFA challenge successfully the connection was allowed as below:

For example if i didn’t respond to the MFA challenge then the connection will be denied as below:

As a conclusion, in this article we covered the implementation of securing the RDP connection with Azure MFA using gateway/NPS server, in Next article we will discuss a very common issues, Also we will discuss how to troubleshoot the issues related to this deployment starting by reading the gateway and NPS logs ends with understanding the MFA logs.

Stay Tuned 🙂

Ahmad Yasin

Ahmad Yasin (MCSA office 365, MCSE, Messaging, Azure certified)

Ahmad Yasin is a Microsoft Cloud Engineer and the Owner & publisher of AzureDummies blog. He also holds many certificates in office 365 and windows azure including Developing Microsoft Azure Solutions, Implementing Microsoft Azure Infrastructure Solutions and MCSA office 365.

Find Ahmad at Facebook and LinkedIn.

 

Configure AD FS to use Email Address as Alternate Login ID – Case Study

Hello Experts,

Ahmad Yasin

Recently, i saw some requests asking how to Allow AD FS to authenticate against Email address instead of username, to understand the concept more, let’s imaging below scenario:

Customer have an AD Connect to sync objects from local Active Directory to Azure AD, usually when you deploy AD Connect using Express setting or if you use customize setting as below, AD Connect will choose the Azure AD User name to be the local userPrincipleName:

 

So let’s imagine that we have an internal user with a userPricncipleName called “Ahmad@AzureDummies.com”, and let’s see that the email address for the same user is “Ahmad.Yasin@AzureDummies.com”.

in Above scenario and with AD Connect default configuration, when the Ahmad trying to access the portal he need to enter Ahmad@AzureDummies.com instead of his email address to login, usually this may make a trouble for some users as they used to enter the email address anywhere they asked for authenticate.

To solve above issue, some IT Admins deploy AD Connect and choose the mail attribute to be Azure username instead of the userPrincipleName and that’s fine as long as no AD FS in the environment.

The problem Now, if the environment have AD FS to redirect users to authenticate against local AD instead of Azure (Office 365), assuming that AD Connect syncing the mail as the Azure username, when the user enter the mail and the redirection happens to AD FS, then AD FS will receive the mail and try to authenticate against AD,unfortunately this is will fail as it will not be able to authenticate against AD using the mail.

AD FS by default will authenticate the users based on their AD usernames, to allow AD FS to authenticate the user using his email address it require to be configured to use alternate login ID (This is based on my knowledge and not sure if there is another method to achieve it), to achieve that you need to run below command in the AD FS server:

Set-AdfsClaimsProviderTrust -TargetIdentifier “AD AUTHORITY” -AlternateLoginID mail -LookupForests dummieslab.local

After that the user will be able to Authenticate against local AD using Ahmad.Yasin@AzureDummies.com instead of  Ahmad@AzureDummies.com.

Important Notes:

  1. For more information in how to change ADFS to use Mail instead of UPN, please read this carefully as there is some side effects and limitations: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configuring-alternate-login-id ; in same article you will find the command to roll back from mail to UPN. https://blogs.office.com/2015/03/23/office-2013-modern-authentication-public-preview-announced/
  2. Changing AD connect to use mail instead of UPN have some limitations as mention here: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configuring-alternate-login-id
  3. Using Set-AdfsClaimsProviderTrust -TargetIdentifier “AD AUTHORITY” -AlternateLoginID mail -LookupForests dummieslab.local will effect all federated domains in ADFS.
  4. Changing AD connect to use mail instead of UPN will effect all synced users.
Ahmad Yasin

Ahmad Yasin (MCSA office 365, MCSE, Messaging, Azure certified)

Ahmad Yasin is a Microsoft Cloud Engineer and the Owner & publisher of AzureDummies blog. He also holds many certificates in office 365 and windows azure including Developing Microsoft Azure Solutions, Implementing Microsoft Azure Infrastructure Solutions and MCSA office 365.

Find Ahmad at Facebook and LinkedIn.

Enable Persistent Single Sign on (PSSO) for SharePoint online

Hello All,

Ahmad Yasin

In this short article, we will discuss the steps in order to enable Persistent Single Sign on (PSSO) for SharePoint Online with ADFS integration.

Simply, PSSO means that within a period of time, the users can access SharePoint online without the need to authenticate every time with ADFS (within specific period), usually the normal process that happens when the user trying to Access SharePoint online (Assuming that SharePoint online already integrated with ADFS to Authenticate Against local AD), when the user close the browser and try to access the SharePoint again, he will be redirected to ADFS to get the Authentication token which sometimes make a little delay.

to solve this issue, we can use PSSO claim which will allow the user to access SharePoint without the need to go each time to the ADFS within the life time of the cookies that will be issued.

To do that, open ADFS management console, right click on the O365 relying party and choose Edit claim Rule as below:

 

From Claim Rule Template, choose “Send Claim Using a Custom Rule as below:

Finally Add below:

c:[Type == “http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork“] => issue(Type = “http://schemas.microsoft.com/2014/03/psso“, Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);

 

Now, from the PowerShell, if you write below command:

Get-AdfsProperties | fl *persistent*

You can see from the result the PSSO lifetime in minutes:

Make sure that PSSO is enabled, Also you can play with the lifetime using the Set-AdfsProperties command.

 

Ahmad Yasin (MCSA office 365, MCSE : Messaging, Azure Certified)

Ahmad Yasin is a Microsoft Cloud Engineer and the Owner & publisher of AzureDummies blog. He also holds many certificates in office 365 and windows azure including Developing Microsoft Azure Solutions, Implementing Microsoft Azure Infrastructure Solutions and MCSA office 365.

Find Ahmad at Facebook and LinkedIn.

How to deal with Stopped deletion threshold exceeded error in AD Connect

Hello All,

Ahmad Yasin

Today we will discuss very simple topic but sometimes it may confuse the IT Admins, this scenario happens when the Admin made a changes in the synchronization filtering by mistake, for example unselect one OU from OU filtering.

AD Connect have a built in feature to prevent accidental deletion for the objects, when AD Connect sync cycle occurs, if the number of objects to be excluded (deleted) from sync exceed more than 500 objects, AD Connect will prevent this process by default and the export in the Azure AD Connecter will failed with error: Stopped-deletion-threshold-exceeded.

Previously, we discussed this feature , if you are not familiar with this feature read my previous article: http://azuredummies.com/2016/07/15/ad-connect-object-deletion-threshold-office-365/

In this article, we will discuss how to deal with this error if you edited the Sync filtering by mistake, for example remove some OU’s from OU Filtering option.

To make it easier to understand, imagine that you need to exclude some OU’s from syncing, usually you will edit the properties of local AD Connecter in AD Connect console, then uncheck the unwanted OU as below snapshots:

 

Then Uncheck the unwanted OU’s, for example i need to uncheck Users OU, but by mistake let say i unchecked Employees OU as well as below:

Then I tried to run Initial sync using PowerShell As below:

When i went to AD Connect Management Console, i got below result:

from above snapshot, i ended up with 895 objects to be deleted! This is what i did by mistake since Employees OU contains this number of objects, fortunately in this case am very luck and thanks for AD Connect since it will prevent this process to be exported based on the deletion threshold feature, as the number of objects to be deleted exceed 500 objects then the process will be terminated as below snapshot:

Again, Thanks for AD Connect to prevent this accidental deletion for my objects, but what Next and how to deal with this?

Be careful, in this demo i already know that i unchecked Employees OU only, if i go and check the Employees OU again it will solve the issue, but assume that you don’t know which OU’s that was unchecked or another admin who did this!

in this situation, first, let’s go to Azure AD Connecter and click on search connector Space option as appears below:

Then from Scope choose Pending Export Option, check the delete checkbox and finally click search, as appears below all object that will be deleted will appears in the result, in our case it’s under pending Export since AD Connect prevent the completion of this process as below:

so, till now, we know that i have more than 500 objects to be deleted by Mistake, also i know that AD Connect terminate this process.

Note: if the number of objects to be deleted less than 500 objects then the process will complete successfully and the objects will be deleted from Azure AD which may interrupt cloud services such as exchange online. In this case, you need to revert the changes back and sync the objects again, don’t worry because AD Connect will match the objects again.

in this stage, be very careful, if you are trying to guess which OU’s should be selected and in any level, you reach below than 500 objects to be deleted then the process will be completed and you will lose some objects in Azure AD which will interrupt the cloud services until you sync the objects again.

the best approach in this case is to enable the staging Mode for AD Connect server, i will not discuss the staging Mode deeply here (maybe in Next Articles), but simply this action makes the server active for import and synchronization, but it does not run any exports which means that nothing will be commit in Azure AD or local AD and this is what we need till we correct the AD Connect OU filtering operation.

To enable the staging Mode, Run AD Connect Wizard Again, click Configure as below:

Choose “Configure Staging Mode” and click Next:

Enter the GA credential and Click Next:

Check the “Enable Staging Mode” option and click Next:

Finally, click Configure:

Once the configuration completed, click Exit:

if you go to the AD Connect management console, we can see that no export operation was executed as below:

Also, to double confirm, i ran initial sync again as below:

Again, no export operations was executed as below:

For Now this is Great as i can modify and try to correct the configuration without be worried, if we go now to the Azure Connector and search for connector space, we still see the pending deleted objects, Now even while i am correct the configuration ends with less than 500 objects, it will not be deleted since the export operation will not be executed as we are currently in staging mode:

In you case, you need to correct the configuration, and you can go every time to the connector space and see if there is still pending deletion objects or not, in my case i know that the Employees OU should be included again in the sync to prevent this deletion, in your case if you are not sure you can click in any pending export deletion object and see in which OU for example it’s located to check it as below:

Note: From My point of view, if you still not sure which OU’s should be selected, i prefer to select the whole directory then you can exclude one by one based on your requirements.

I went back and check the Employees OU as below:

Once i ran the initial sync again, i can see again that the export not executed as we are still in the staging mode as below:

I went again and search in the Azure AD Connector, i found nothing will be deleted and this make sense since now AD Connect doesn’t see anything to be deleted as Employees OU included in the Sync again as below:

Once i verified nothing will be deleted, i will disable the staging Mode, the same procedure as enabling it but now Just uncheck the option:

Once, the configurations finish, i can see that the export executed without any deletion as below snapshot: ( I Have some errors in export for other objects so don’t worry about that 🙂 )

 

Ahmad Yasin (MCSA office 365, MCSE : Messaging, Azure Certified)

Ahmad Yasin is a Microsoft Cloud Engineer and the Owner & publisher of AzureDummies blog. He also holds many certificates in office 365 and windows azure including Developing Microsoft Azure Solutions, Implementing Microsoft Azure Infrastructure Solutions and MCSA office 365.

Find Ahmad at Facebook and LinkedIn.

Getting Started with Azure Active Directory Graph API

Hello Everybody,

In this article we will discuss the concept of Azure Active Directory Graph API and how to start using Graph API.

In local active directory, when any application integrated with local AD want to look up for objects in the directory it used Lightweight Directory Access Protocol (LDAP) in order to perform the queries, LDAP is the protocol used to perform queries against local AD, modifying objects in AD, Adding and removing …etc. For example, if local exchange server wants to search for an object in active directory it will use LDAP protocol to achieve this. Also any other application which integrated with local AD will use LDAP to communicate with Active Directory.

So in general, LDAP is a query language with its special syntax that used to search and perform some operations in the directory such ass Add objects, Update Objects …etc.

To demonstrate the concept of LDAP, lets login to local active directory server and try to search for an object in our directory using LDAP queries, the simplest way to do that is to open Active Directory users and computers console, Right Click in the directory name and choose Find as appear below:

Now, change the find option to be “Custom Search” and click on Advance tab as appear below:

In “Enter LDAP query” field, we can enter our queries and click on Find Now button to get the result, for example if we write below LDAP Query and click on “Find Now” button:

LDAP Query to retrieve all groups in the directory:

(objectCategory=group)

We can see Cleary from above snapshot that the LDAP query get all groups in our directory.

Also, let’s try to get all objects with User type which their names begin with “MO”, to do that let’s execute below LDAP query:

(&(objectCategory=person)(objectClass=user) (cn=Mo*))

The result of the query will retrieve all users which their names starting with “Mo” as appear below:

So imagine that you have an attendance system in your environment, usually such these systems require user’s information, these systems usually configured to be integrated with local active directory to retrieve all employees’ information, in this case the attendance system most probably will apply the queries against local active directory using LDAP queries.

In azure Active Directory the story is different, LDAP was replaced with Graph API which can be used in order to execute queries against Azure Active Directory, Graph API provides programmatic access to azure AD through, Applications can use Graph API to perform Create, read, update and delete operations (CRUD) against Azure AD and get the result of queries in JSON format, so the applications should communicate with Azure AD using Graph API instead of LDAP protocol.

The general syntax of Graph API queries looks like below formula:

https://graph.windows.net/{tenant-identifier}/{resource-path}?[query-parameters]

Example on that Syntax:

https://Graph.Microsoft.net/AzureDummies.com/user?$filter=DisplayName eq “Ali Saleh”

Service Root: In Azure AD Graph API, the service root is always https://graph.windows.net.

Tenant identifier: This can be a verified (registered) domain name, in above example it’s our verified domain AzureDummies.com, we can also use .onmicrosoft domain if needed, It can also be a tenant object ID or the “myorganiztion” or “me” alias

Resource path: This section of a URL identifies the resource to be interacted with (users, groups, a particular user, or a particular group, etc.) In the example above, it is the top-level “users” to address that resource set. You can also address a specific entity, for example “users/{objectId}” or “users/userPrincipalName”.

Query parameters: ? separates the resource path section from the query parameters section. The Graph API also supports the following OData query options: $filter, $orderby, $expand, $top, and $format. The following query options are not currently supported: $count, $inlinecount, and$skip.

Note: at the end of the query you should specify the API version to be used, for example you should write above syntax in this way https://graph.windows.net/AzureDummies.com/users?api-version=1.6, but in our below examples we will not specify it since the web interface will use its API version implicitly.

To demonstrate the concept more, let’s navigate to https://graphexplorer2.cloudapp.net which is a web interface which will help us to execute Graph API queries against Azure AD, after open the web page just click on sign in label as appear below:

Enter a credential for a user with appropriate permission in the directory and click sign in button as appear below:

It will ask you to confirm the requested permission, click Accept button as appear below:

Just verify that the login successes as appear below:

Note: Graph Explorer site only support read (GET) queries, it’s not supported to execute other operations such as deleting objects, we can use https://graph.microsoft.io/en-us/graph-explorer in order to execute other operation which will be discusses in next lines.

Now, for example to get all details about all users in Azure AD we can run below query and click on the GET Button as appear below:

If we zoom out the result, we can see for example a user called “Ahmad Yasin” with his information as appear below:

Assume now we need to get all information about “Ali Saleh user, we can execute the GET query and specify the User Principle name in the query as appear below:

Also if we need to get the Job Title for “Ali Saleh” we can execute the GET query and specify the attribute we need to find it in the query as appear below:

Let’s assume we need to know the status of the password policy for the same user, we can execute below query:

Also we can execute other commands like Create, delete and update operations against azure AD, to demonstrate more, let’s navigate to other website https://graph.microsoft.io/en-us/graph-explorer which will give us the ability to execute more operations, let’s sign in in the page with our tenant privileged account as appear below:

Let’s try to get the information about “Mohammad Saleh” user by executing GET query as appear below:

Let’s double confirm that the user exists in our Azure AD by looking for it in office 365 users as appear below:

Now, let’s try to remove the user by executing below DELETE command:

To verify that the user was removed, let’s try to execute GET query as appear below:

We can be noticed from above snapshot that the user no longer exists, to double confirm that the user was removed, let’s go back to office 365 users, we will see now that the user appears in the deleted user’s container as appear below:

Note: This Article will not discuss the development side using Graph API, It’s Just to demonstrate the general concept of accessing Azure AD using Graph API, for full information about Graph API concepts and references, follow Microsoft Article: https://msdn.microsoft.com/en-us/library/azure/hh974476.aspx

As a conclusion, Application can be integrated with Azure Active Directory using Graph API in the same manner of integrating Applications with local active directory using LDAP.

Ahmad Yasin (MCSA office 365, MCSE : Messaging, Azure Certified)

Ahmad Yasin is a Microsoft Cloud Engineer and the Owner & publisher of AzureDummies blog. He also holds many certificates in office 365 and windows azure including Developing Microsoft Azure Solutions, Implementing Microsoft Azure Infrastructure Solutions and MCSA office 365.

Find Ahmad at Facebook and LinkedIn.

 

Azure AD Pass-Through Authentication – Concept Overview

Hello Azure Lovers,

In this Paper,we will discuss the concept of Azure AD pass-through authentication which will enable the organization to keep the users’ password in on-premises and redirect all cloud authentications to be against local active directory.

To download the full document, visit Microsoft Technet: https://gallery.technet.microsoft.com/Azure-AD-pass-through-d0c97543 

Ahmad Yasin

Ahmad Yasin (MCSA office 365, MCSE, Messaging, Azure certified)

Ahmad Yasin is a Microsoft Cloud Engineer and the Owner & publisher of AzureDummies blog. He also holds many certificates in office 365 and windows azure including Developing Microsoft Azure Solutions, Implementing Microsoft Azure Infrastructure Solutions and MCSA office 365.

Find Ahmad at Facebook and LinkedIn.

 

 

Understanding AZURE AD Connect Sync Scheduler

Hi All,

we prepared a document to discuss the concept of Azure AD Connect Sync Scheduler, we tried to demonstrate the concept and let you have a good knowledge on it in addition to how modify the schedule using windows Azure PowerShell based on your requirements, we assumed you have a basic knowledge of Azure AD Connect in this document, to download the document visit TechNet gallery from below:

https://gallery.technet.microsoft.com/Understanding-AZURE-AD-0a837ca7

 

Ahmad Yasin (MCSA office 365, MCSE : Messaging, Azure Certified)

Ahmad Yasin (MCSA office 365, MCSE : Messaging, Azure Certified)

Ahmad Yasin in a Microsoft Cloud Engineer and the Owner & publisher of AzureDummies blog. He also holds many certificates in office 365 and windows azure including Developing Microsoft Azure Solutions, Implementing Microsoft Azure Infrastructure Solutions and MCSA office 365.

Find Ahmad at Facebook and LinkedIn.

Office 365 [Solved] – Migration Permanent Exception: You can’t use the domain because it’s not an accepted domain for your organization

Hello folks,

Ahmad Yasin (MCSA office 365, MCSE : Messaging, Azure Certified)

In one of our Migration projects from on-premises exchange to Exchange online (Office 365), we enabled Directory Synchronization using AD Connect tool, All on-premises users was synchronized to Azure AD successfully.

After enabling Hybrid Configuration wizard, we migrated a lot of mailboxes without any issues, few number of mailboxes failed to be migrated and showed below error (From office 365 portal, Migration Batch Details):

aa2

 

The error says:

“Migration Permanent Exception: You can’t use the domain because it’s not an accepted domain for your organization –> You can’t use the domain because it’s not an accepted domain for your organization”

Now. let’s understand why this error appear:

Assume you are the owner of AzureDummies.com domain, all email in the format of emailaddress@AzureDummies.com, in order to migrate these mailboxes to office 365 (Exchange online) you should prove for office 365 tenant that you are the real owner of the domain AzureDummies.com and this make sense, Imagine that there is no need to prove the ownership then anyone can create emails in office 365 using any public domain name which is impossible to be allowed.

In our case, our domain already verified in office but still we faced the same error for some mailboxes, when we checked the failed on-premises mailboxe (Email Address Attribute) we something similar to below:

aa1

from above snapshot, the blue arrow is the primary email address for this mailbox and use the same domain which was verified in office 365, but we can notice that the same mailbox have another alias end with different domain (Red Arrow) which is not verified in office 365 which is the main cause of this issue.

To solve the issue we have two options, the first one is to remove the alias and resync the object using AD Connect to update the attribute in Azure AD, in that case the user will not be able to receive emails using the alias.

the second option is to verified the alias domain in office 365 and re-migrate the mailbox again, and this is what we did 🙂

 

About Blogger …

 

Ahmad Yasin

Ahmad Yasin (MCSA office 365, MCSE, Messaging, Azure certified)

Ahmad Yasin in a Microsoft Cloud Engineer and the Owner & publisher of AzureDummies blog. He also holds many certificates in office 365 and windows azure including Developing Microsoft Azure Solutions, Implementing Microsoft Azure Infrastructure Solutions and MCSA office 365.
Ahmad is currently working in Specialized Technical Services Company (STS).
Find Ahmad at Facebook and LinkedIn

 

 

Secure terminal Services (RDP) using Azure Multi-factor Authentication (MFA) – Part 2

Ahmad Yasin (MCSA office 365, MCSE : Messaging, Azure Certified)

Ahmad Yasin

Hello Everyone,

In First article of this series we discussed the general concept of Azure Multi-Factor Authentication and how it’s work

In second part of this series we went more deeper in the technical aspects of the implementation of Azure MFA by taking an example of how to secure your remote desktop connection through Azure Multi-Factor authentication and we prepared the azure tenant and the Azure MFA provider.

In this part, we will continue our demo of integrating remote desktop connection (RDP) with Azure MFA by installing the Azure MFA server in the same server we need to secure it.

in this demo we have a server called Secure-Server with windows server 2008 r2 joined to the domain, we need to secure the remote desktop connection to it by installing the MFA server in it.

In this demo, I assumed that the MFA provider is already prepared, for more information read our previous article.

so let’s start the installation of the MFA:

Just to remind you, the below three snapshots show you how to download the MFA setup and generate the credentials which we explained in the previous article :

9

10

11

12

Now after the download of MFA completed, double click in the setup file, choose the installation path and click Next:

13

wait a seconds for the installation to complete:

14

once the installation finish click Finish:

15

A new Wizard will appear as below, Click Next:

16

Now enter the Email and Password credentials which we obtained before from the MFA provider, if you forget how to obtain it please read our previous post, if the credentials expired you can re-generate it again, once you fill the required information click Next:

21

Now, MFA server will try to communicate with Azure MFA Provider as below:

22

Ops, we received an error message as shown below ” Unable to communicate with the Multi-factor Authentication POP, The Multi-factor Authentication server could not be activated … etc“, this error is normal if you use an proxy to access internet, in this case you must verify three things if you use a proxy server:

1- Your proxy is set correctly in the server (in IE browser).
2- Run CMD as administrator, write the following command:
netsh winhttp import proxy source=ie
3-  MFA server must be able to communicate on port 443 outbound to the following:

  • https://pfd.phonefactor.net
  • https://pfd2.phonefactor.net
  • https://css.phonefactor.net

If outbound firewalls are restricted on port 443, the following IP address ranges will need to be opened:

IP Subnet Netmask IP Range
134.170.116.0/25 255.255.255.128 134.170.116.1 – 134.170.116.126
134.170.165.0/25 255.255.255.128 134.170.165.1 – 134.170.165.126
70.37.154.128/25 255.255.255.128 70.37.154.129 – 70.37.154.254

If you are not using Azure Multi-Factor Authentication Event Confirmation features and if users are not authenticating with the Multi-Factor Auth mobile apps from devices on the corporate network the IP ranges can be reduced to the following:

IP Subnet Netmask IP Range
134.170.116.72/29 255.255.255.248 134.170.116.72 – 134.170.116.79
134.170.165.72/29 255.255.255.248 134.170.165.72 – 134.170.165.79
70.37.154.200/29 255.255.255.248 70.37.154.201 – 70.37.154.206

23

After we set a proxy rules, I tried another time to activate the MFA as below:

24

finally, its verified successfully, Now the wizard will ask you to create new MFA group or choose existing one, since it’s first MFA server to be deployed, give any meaningful name for the new group as below, also note that the group used to manage more than MFA servers and enable replication between the servers if there is a need, Click Next:

25

Uncheck enable replication between servers option and click Next:

26

Now, you can select what application need to integrate it with Azure MFA, the last option is remote desktop, you can select it and click Next, but in our demo we will click cancel to configure the remote desktop from the MFA console, click Cancel.

27

Now, go to star menu and click on Multi-Factor Authentication Server icon:

28

Azure MFA server is loading as below:

29

After a while the console appear, this is the MFA server console that you can manage the MFA setup, in the status option it display that the server Secure-Server.demo.lab is online which is the same server we need to secure the RDP connection on it and the MFA server at the same time:

30

Also if you go to the Azure MFA provider manage page, click on Server Status option you will see the server is online as below:
31

Now back to the MFA server console, go to windows authentication, check “Enable Windows Authentication” option as below, then click Add button:
32

Choose the server name and terminal services as an application option, check the “Enable” option, now if you will apply all users in AD to use MFA check the “Require Multi-Factor Authentication user match” option, if not leave it uncheck as below, click OK:

33

The MFA is configured to secure the RDP in that server, it mentioned that the server need to be restarted to take the effect, click OK and wait before restart to continue the configuration:

34

As shown below, the server appear in the console:
35

Now go to Users icon to add the users you need to apply MFA authentication on them, click in Import from Active Directory button as below:

36

choose the users you need and click Import as below:

37

The users successfully imported as below, click OK:

38

the new users appear in the console, there is a warning icon beside each user, this warning because the user must enabled for MFA manual, by default when you import the user it will be not enabled for MFA automatically, double click in any user:

39

fill the required information as below:
-Country Code.
-Phone.
– choose MFA to be phone call, Text Message or mobile app … etc. we will choose for this demo a phone call option.
-check the enabled option.
Finally, Click Apply:

40

note after we check the enable option the warning icon disappear, do the same for all users you need:

41

after I prepared all users, the users appear in the console without the warning icon, to test the configuration choose any user and click the test button:

42

provide the password and click test:

43

wait a while:

44

Now, the user should receive a call, if he end the call the authentication will be refused because it will considered that another person try to use his/her credentials, if the user click (#) he/she confirm that he is the one trying to access the server:

45

After I clicked (#), the test completed as belwo:

46

Now, after I restarted the machine to take effect, I try to access the server remotely as below:

47

I tried to login with the administrator user:

48

Now the welcome page start:

49

during the login and within the welcome page  I received a call from Microsoft MFA, I answered the call and end it direct:

50 - Copy

Because I end the call and didn’t press the (#) key, the login process failed as below:
52

I tried to login again with the same user: 53

I received another call from Microsoft MFA, but this time I press (#) key:

54

Because I press the (#) key I confirmed for Microsoft that I am the same person who try to login now, so I successfully login to the server as below:

55 56

So in this article we tried to demonstrate how to install the MFA server and integrate it with the remote desktop connection (RPD).

In next part we will show you how to customize the MFA setup by using Fraud alert, changing the received call voice, generate a reports … etc.

Stay tuned 🙂

Ahmad Yasin (MCSA office 365, MCSE : Messaging, Azure Certified)

Ahmad Yasin (MCSA office 365, MCSE : Messaging, Azure Certified)

Ahmad Yasin in a Microsoft Cloud Engineer and the Owner & publisher of AzureDummies blog. He also hold many certificates in office 365 and windows azure including Developing Microsoft Azure Solutions, Implementing Microsoft Azure Infrastructure Solutions and MCSA office 365.
Ahmad is currently working in Specialized Technical Services Company (STS).
Find Ahmad at Facebook and LinkedIn

 

 

 

 

Secure terminal Services (RDP) using Azure Multi-factor Authentication (MFA) – Part 1

Hello Everyone,

In First article of this series, we discussed the general concept of Azure Multifactor Authentication, and how MFA participate in securing your on premise environment and Hybrid one if exist.

In this article we will go in more technical details about how to use Azure Multifactor Authentication using a real example.

One of my customers have a server which contains a highly secure data and only around 6 users have a remote desktop access to that server, the customer need to add more security layer for accessing this server.

I suggest the customer to use Azure MFA, since it will add a highly secure layer to the remote desktop access to the server in addition to the low cost of this service.

so let’s start the technical steps to do that, remember that we need to integrate remote desktop protocol access (RDP) with Azure MFA.

in this part we will prepare the Azure MFA provider and download the MFA server setup files, In next part we will deploy and configure the MFA server to secure the RDP.

First of all let’s summarize the requirements to implement this scenario:

1- we need an azure account (Azure Tenant) to configure and install the Azure setup, if you don’t have account you can sign up for one month as trial, for more info follow this link : https://azure.microsoft.com/en-us/pricing/free-trial/

2- integrate RPD protocol with Azure MFA is not supported in windows 2012 R2 (until the date of this article), which means if you need to integrate RPD with Azure MFA you need to install windows 2012 and earlier such as windows 2008 R2.

3- To secure the remote desktop protocol (RDP) with Azure Multifactor, you must install the Azure MFA server in the same RDP server, in other word assume you have a server called “SRV1”, then you should install the MFA setup in the “SRV1” server, if you look back to point #2 you can conclude that you cannot secure the RDP for windows 2012 R2 (until the date of this article).

This deployment called MFA stand alone server since all deployment will be on premise and no integration will be done between local AD and Azure AD.

Now, log in to your azure tenant using https://manage.windowsazure.com, go to active directory tab from left pane:

1

Now choose MULTI-FACTOR AUTH PROVIDERS option from the top options,

2

Click New:

3

MULTI-FACTOR AUTH PROVIDERS used to install the MFA server setup files, also the provider will be responsible for the usage calculations and you can customize your setup from the provide such as fraud alerts.

Now choose App Services -> Active Directory -> MULTI-FACTOR AUTH PROVIDERS – Quick Create.

5

Name: choose any meaning full name for your provider.
Usage Model: you have two options here, per user enabled and per authentication, this option cannot be changed later, if you need to change it later you must create new provider, the difference between the two model is how Microsoft will charge you, if you choose per enabled user then you will be charged for how many users using MFA regardless of how many actual authentication occurs, if you choose per authentication you will be charged every time the users try to authenticate using Azure MFA.
Directory: choose Don’t link a directory since we will install the stand alone MFA server without integration with Azure AD.

After you fill the required information, click create:

6

after less than minute a new provider will be available in your tenant as shown below:

7

Click in the provider just created, then click in the MANAGE button in the bottom of the portal page:

8

The MFA Management page will appear, click in Downloads button as below:

9
in the download server page, it’s list the supported OS versions for MFA server including windows 2012 R2 and this is not what I said before, be smart I mentioned that the RPD feature is not supported in windows 2012 R2 but there is a lot of features that work in windows 2012 R2, Now click in Generate Activation Credentials button to generate the credential which will be used to register your server in MFA provider during the setup.

10

Email and password credential will  be generated, these credential valid to be used within 10 minutes, if you take more than 10 min to start the setup you can re generate a new credentials.

11

Now click the download text to start the downloading of the MFA setup:

12

After the download complete, copy the setup file to the server you need to secure the RDP on it and double click on the setup to start the installation.

In Next Part we will continue our demo by installing the multifactor server and configuring it to secure remote desktop access.

So keep tuned 🙂

About Blogger …

Ahmad Yasin (MCSA office 365, MCSE : Messaging, Azure Certified)

Ahmad Yasin (MCSA office 365, MCSE : Messaging, Azure Certified)

Ahmad Yasin in a Microsoft Cloud Engineer and the Owner & publisher of AzureDummies blog. He also hold many certificates in office 365 and windows azure including Developing Microsoft Azure Solutions, Implementing Microsoft Azure Infrastructure Solutions and MCSA office 365.
Ahmad is currently working in Specialized Technical Services Company (STS).
Find Ahmad at Facebook and LinkedIn

 

 

 

Deep Dive in Azure Active Directory Synchronization – Ahmad Yasin – Beta Edition

Hello All,

Today, we published our First E-Book which discuss some topics in Azure AD Synchronization process and federation services.

This is the first edition of this book, it’s a beta edition, Me and the other contributors in this book wrote it without any external support, we did our best to make it useful to the reader. You may find some mistakes from language side or technical side, it will be our pleasure to hear from you. To contact us please send us an email to Author@AzureDummies.com ; we will try to improve it in next version.

This book took around seven months to be completed, some commands or procedures may be changed as cloud technology grow rapidly and changed every day, the most important thing that we focused in the concept more than “HOW TO”, even if you find anything got changes most likely the concept is the same and this is what we tried to achieve in this book to demonstrate the concept.

We got assistance from Microsoft article in some parts, we admit that the content of this book is no 100% from our minds, sometimes we found that Microsoft or other sites explain the idea better than us so we take some texts from these articles.

Again, in this book we didn’t assume that you will master the implementation of Azure identities after reading this book, we only focusing in the concept so we expect that the reader will be able to understand the concept behind Azure AD, for that we assumed that the reader should have a little background in below topics:

Basic experience in Active Directory.

Basic experience in cloud solutions.

Basic experience in federation services such as AD FS.

To Download It: https://gallery.technet.microsoft.com/Deep-Dive-in-Azure-Active-77d39370 

SalesForce with ADFS Integration for SSO – IOS devices cannot access the SalesForce page

Hello All,

Ahmad Yasin

In this article, we will discuss a small topic but it’s very important for most of the companies that Integrate Salesforce with Active directory Federation Service (ADFS) to achieve single Sign on (SSO).

For some reason, I tried to deployed ADFS with SalesForce to achieve SSO following below article from SalesForce site:

https://developer.salesforce.com/page/Single_Sign-On_with_Force.com_and_Microsoft_Active_Directory_Federation_Services

Note: we will not discuss how to integrate SalesForce with ADFS in this article, for the deployment guide see: https://developer.salesforce.com/page/Single_Sign-On_with_Force.com_and_Microsoft_Active_Directory_Federation_Services

After complete the integration between SalesForce and ADFS everything works as expected except the IOS devices. when the user try to access the SalesForce pagethey login to the SalesFroce page, then click on STS to reach the ADFS Page:

My ADFS URL is sts.mydummieslab.com as appears below, it will ask for on-premises credential as below:


After entered the credential, Damn, i got below error:

 

Dummies STS

An error occurred

An error occurred. Contact your administrator for more information.

Error details

  • Activity ID: 00000000-0000-0000-7100-00800000009a
  • Error time: Fri, 28 Apr 2017 16:59:06 GMT
  • Cookie: enabled

User agent string: Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_1 like Mac OS X) AppleWebKit/603.1.30 (KHTML, like Gecko) Version/10.0 Mobile/14E304 Safari/602.1

As usual, i went to Google and bing my best friends and start searching, unfortunately, i didn’t find something that can help directly, but while am reading i find one important article which is: http://kb.tableau.com/articles/issue/error-saml-protocol-parameter-relaystate-was-not-found-or-not-valid-using-adfs-saml-with-ios ; this article mentioned the same error with different application but with IOS also, what i noticed in the article that the reason of the issue as per the Article is: iOS and OS X browsers, such as mobile and desktop Safari, truncate cookies larger than 4KB, which are required by Microsoft ADFS.

Above reason make me think in different way, for that I started to collect Fiddler traces to see whats happening in the Network level, configuring Fiddler to collect traces from IOS devices explained very well in Fiddler Article: http://docs.telerik.com/fiddler/Configure-Fiddler/Tasks/ConfigureForiOS

Note: I am not a fiddler specialist but i am doing my best to analysis the traces, if you find that i mentioned something wrong in the analysis don’t blame me 🙂

After collected the logs i found that the size of the packets (Cookies) exceed 4KB which maybe the cause in our case as below snapshots:

for now, i knew that there is some limitation in the cookies size and it seems (as per my understanding for Fiddler) that the size is more than 4KB, Then i start thinking what to do now ! Again went to my best friends Google and Bing but nothing found, suddenly i say ok let me try to change the HTTP Method used in the SalesForce, i am very lucky that i thought in this way because changes the SalesForce HTTP method from HTTP Post to HTTP redirect solve the issue totally, let me explain what i did exactly:

From the ADFS side, i made sure that the default configurations is the same and not changed as below:

Go to the SalesForce relying part that you already configured in the ADFS per SalesForce Article and make sure that the HTTP method binding is Set to POST as below:

From SalesForce admin page, open the single sign on configuration page, click on Edit to modify the SAML Single Sign on Setting as below:

You will find that the Service Provider Initiated Request Binding is set to HTTP Post as below (This configuration mentioned in the SalesFroce Article):

Now, this is the modification that you need to do, Just change Service Provider Initiated Request Binding to HTTP Redirect and save the configuration as below:

After that, Try the IOS it will work like a charm and of course in addition to other OS’s like windows and Android.

I don’t have enough info why this change solve the issue but at least it’s solve it 🙂 🙂

Ahmad Yasin

Ahmad Yasin (MCSA office 365, MCSE, Messaging, Azure certified)

Ahmad Yasin is a Microsoft Cloud Engineer and the Owner & publisher of AzureDummies blog. He also holds many certificates in office 365 and windows azure including Developing Microsoft Azure Solutions, Implementing Microsoft Azure Infrastructure Solutions and MCSA office 365.

Find Ahmad at Facebook and LinkedIn.

 

 

Azure ADConnect Export Failed with Permission-issue error (Insufficient access rights to perform this operation)

Hello Guys,

while i am working in one of the ADConnect deployment, we faced an issue in the export operation with error “Permission-Issue” for some users as appears in below snapshot:

from above console, when we clicked on the one of the effected users to expand the error, we got below snapshot with an error “Insufficient access rights to perform this operation” as appears below:

when we went to the AD users and computers, we noticed that all effected users have disabled inheritance permission as appear below (since the button enable inheritance appears this mean the inheritance is disabled):

Simply, enabling the inheritance solve the issue and the ADConnect was able to export these identities.

Now, the important question is why to enable the inheritance !

the answer is very simple, Disable Inheritance means that the account no longer inherits permissions from a parent object (I.E. an OU), in most cases this happens when the object were added to privileged group such as domain admins group.

Ahmad Yasin (MCSA office 365, MCSE : Messaging, Azure Certified)

Ahmad Yasin is a Microsoft Cloud Engineer and the Owner & publisher of AzureDummies blog. He also holds many certificates in office 365 and windows azure including Developing Microsoft Azure Solutions, Implementing Microsoft Azure Infrastructure Solutions and MCSA office 365.

Find Ahmad at Facebook and LinkedIn.