
HOWTO: Handle Windows Update on non-domain-joined Web Application Proxies


Hybrid Identity

Most Microsoft-based Hybrid Identity implementations use Active Directory Federation Services (AD FS) Servers, Web Application Proxies and Azure AD Connect installations. In this series, labeled Hardening Hybrid Identity, we’re looking at hardening these implementations, using recommended practices.

In this part of the series, we’ll look at best practices to handle Windows Update on non-domain-joined Web Application Proxy servers.

Note:
This blogpost assumes you’re running Web Application Proxies as non-domain-joined Server Core Windows Server 2016 installations.

If your Web Application Proxy servers are domain-joined, you can use Group Policy and Windows Server Update Services (WSUS) to take care of Windows Update. However, this option can’t be used for Web Application Proxy servers that are non-domain-joined and/or placed on a perimeter network (also commonly referred to as a DMZ network).

 

Why look at Windows Update for Web Application Proxies

Every software has bugs. It’s still a human job to produce code. Developers, testers and even quality assurance people also work on Monday mornings. We all make mistakes. It’s how we deal with failure, that defines us.

Microsoft software has bugs. Bugs may be innocent, or they may lead to serious problems like remote code execution, elevation of privilege, information disclosure, security feature bypasses, denial of service, spoofing and/or tampering. However, the way Microsoft handles fixing these bugs stands out. In 2003, Microsoft started with a repetitive, predictable and well-publicized way of announcing and releasing updates to its software, including Windows, Windows Server, Office, Visual Studio, SQL Server, Exchange Server and many others: Patch Tuesday.

Below is a graphical representation of the problems solved in the September 10, 2019 update:

September 2019 Patch Tuesday Analysis

In recent years, Microsoft has split up the security updates from the quality improvement updates. Now, the second Tuesday of each month brings security updates. Quality updates are also released on Tuesday, but usually a week or two weeks after the security updates.

Web Application Proxies need the free updates Microsoft distributes.

Possible negative impact (What could go wrong?)

When Web Application Proxies do not install Windows Updates, they may remain vulnerable to common problems. While many admins think that a proper firewall rule prevents these attacks, some attacks operate at a higher layer than most firewalls operate at: when the firewall allows TCP 443, it doesn’t merely allow the proper traffic for the Web Application Proxy. Similarly, next-generation firewalls and web application firewalls may inspect the flow of HTTPS traffic between the Internet and Web Application Proxies, but may not detect the newest threats.

When Windows Servers do not install Windows Updates, their functionality may break, as fixes to the role are not added to the Operating System. This holds strongly for Windows Server 2012 R2-based Web Application Proxies, as the role was first introduced in this version and many updates were made to the role in the first year.

When Windows Servers do not install Windows Updates, they may lack new security features and settings. Updates to Root Certification Authorities (CAs), time zone updates and cipher suite updates are common updates that add to the information security baseline. The Extranet Smart Account Lockout feature in AD FS was distributed with a Windows Update to Windows Server 2016.

 

Four solutions for Windows Updates

There are four solutions to apply Windows Updates to non-domain-joined Web Application Proxies:

  1. Configure to use Windows Update on the web
  2. Configure to use your organization’s WSUS implementation
  3. Manually install Windows updates
  4. Use an update solution

 

How to do it

To apply Windows Updates to non-domain-joined Web Application Proxies, perform these actions, per scenario:

 

Configure to use Windows Update on the web

Microsoft offers a standardized method for downloading Windows updates from its webservers. This method is built-in, even in Server Core.

For this scenario, the following requirements need to be met:

Configuring automatic updates

Perform the following steps to configure a Server Core installation to use Windows Update on the web:

  1. Sign in with an account with local administrator privileges.
  2. Run sconfig.cmd.
    The Server Configuration utility starts.
  3. Enter the number 5, followed by pressing the Enter key on the keyboard to enter the Windows Update Settings sub menu.
  4. Press A for Automatic updates, followed by pressing Enter on the keyboard.
  5. In the Update Settings dialog screen, click OK.

The Web Application Proxy will check for and install updates every day at 3:00 AM. The settings take effect immediately. No reboot is required. Repeat the above steps on each Web Application Proxy.

 

Configure to use your organization’s WSUS implementation

Windows Server Update Services (WSUS) enables admins to deploy the latest Microsoft product updates with full manageability of the distribution of updates in their networks.

Note:
WSUS can be deployed in a disconnected scenario, where updates and metadata are exported on one WSUS server and imported on another disconnected WSUS server. This scenario makes WSUS useable in highly-restricted perimeter networks, too.

For this scenario, the following requirements need to be met:

  • A fully functional WSUS server needs to be implemented and synchronized with Microsoft Update.
  • DNS-based name resolution to the Internet for each Web Application Proxy.
  • An account with local administrator privileges on each Web Application Proxy.

While the WSUS server addresses are commonly deployed using Group Policy, Web Application Proxies are typically not domain-joined. The following lines of Windows PowerShell add the registry settings to point a Web Application Proxy to a WSUS server:

Stop-Service -Name wuauserv

# Policy keys for the Windows Update client. Neither key exists on a clean
# non-domain-joined installation, so create them first.
$Path = "HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate"
New-Item -Path $Path -Force | Out-Null
New-Item -Path "$Path\AU" -Force | Out-Null

# WUServer expects a URL including scheme and port (WSUS defaults: 8530 for
# http, 8531 for https). Replace the placeholder with your WSUS server address.
$WSUSAddress = "https://WSUSSERVER:8531"

New-ItemProperty -Path $Path -Name DisableWindowsUpdateAccess `
    -Value 1 -PropertyType DWORD -Force

New-ItemProperty -Path $Path -Name WUServer `
    -Value $WSUSAddress -PropertyType String -Force

New-ItemProperty -Path $Path -Name WUStatusServer `
    -Value $WSUSAddress -PropertyType String -Force

New-ItemProperty -Path "$Path\AU" -Name AUOptions `
    -Value 5 -PropertyType DWORD -Force

New-ItemProperty -Path "$Path\AU" -Name NoAutoUpdate `
    -Value 0 -PropertyType DWORD -Force

New-ItemProperty -Path "$Path\AU" -Name UseWUServer `
    -Value 1 -PropertyType DWORD -Force

Start-Service -Name wuauserv

The Windows Update client is now configured with Automatic Updates and polls the WSUS server for approved updates every 22 hours minus a random offset.

Repeat the above steps on the other Web Application Proxies.

 

Manually install Windows updates

In either of the previous scenarios, admins can also manually check for and install updates.

For this scenario, the requirements of either previous scenario need to be met, but most importantly an account with local administrator privileges on each Web Application Proxy is needed.

Perform these steps:

  1. Sign in with an account with local administrator privileges.
  2. Run sconfig.cmd.
    The Server Configuration utility starts.
  3. Enter the number 6, followed by pressing the Enter key on the keyboard.
  4. Choose between Search for (A)ll Updates or (R)ecommended Updates only by pressing either A or R on the keyboard, followed by pressing Enter on the keyboard.
  5. Then, select between (A)ll updates, (N)o updates or (S)elect a single update, by pressing A, N or S on the keyboard, followed by pressing Enter on the keyboard.
  6. Press Yes in the Restart Required dialog screen to restart the Web Application Proxy.

Repeat the above steps on the other Web Application Proxies.

 

Use an Update solution

Third-party patching solutions might offer functionality to update Web Application Proxies. However, I would like to share a really simple solution: WSUSOffline.net.

Using “WSUS Offline Update”, you can update any computer running Microsoft Windows and Office safely, quickly and without an Internet connection, for free.

Especially its option to create an ISO file, that you can easily mount on virtual machines makes it a fast solution to update hosts in the perimeter network.

 

Checking which updates are installed

Throughout the lifetime of a Web Application Proxy, you might need to troubleshoot Windows Updates. It helps to be able to figure out whether an update is installed and the server needs rebooting, or whether an update is not installed (in which case you probably won’t need to reboot). The command to use is:

wmic.exe qfe list
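As an added example (not from the original post), the function below combines the WSUS configuration from the previous scenario with this update check: it reads the policy keys the script above writes, flags a WSUS address that is not https, detects a pending reboot and reports the most recently installed hotfix via Get-HotFix, the PowerShell counterpart of wmic.exe qfe list. The 45-day staleness threshold and the function name are my own choices; run it in an elevated PowerShell session on the Web Application Proxy.

```powershell
# Added example: audit the Windows Update client configuration of a
# non-domain-joined Web Application Proxy. Not part of the original post.
function Test-WapUpdateConfiguration {
    $policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $au     = "$policy\AU"

    $result = [ordered]@{
        WUServer      = $null
        UsesWsus      = $false
        WsusOverTls   = $false
        AUOptions     = $null
        RebootPending = $false
        LastHotFix    = $null
        Findings      = @()
    }

    # Values written by the configuration script in the WSUS scenario.
    if (Test-Path $policy) {
        $p = Get-ItemProperty -Path $policy
        $result.WUServer = $p.WUServer
    }
    if (Test-Path $au) {
        $a = Get-ItemProperty -Path $au
        $result.UsesWsus  = ($a.UseWUServer -eq 1)
        $result.AUOptions = $a.AUOptions
        if ($a.NoAutoUpdate -eq 1) {
            $result.Findings += 'Automatic Updates are disabled (NoAutoUpdate=1).'
        }
    }

    if ($result.UsesWsus) {
        if (-not $result.WUServer) {
            $result.Findings += 'UseWUServer=1 but WUServer is empty; the client has no update source.'
        } elseif ($result.WUServer -like 'https://*') {
            $result.WsusOverTls = $true
        } else {
            $result.Findings += "WSUS address '$($result.WUServer)' is not https; update traffic crosses the perimeter network unprotected."
        }
    }

    # Well-known reboot-pending markers written by the Windows Update client
    # and by Component Based Servicing after an update is staged.
    $rebootKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    )
    $result.RebootPending = [bool]($rebootKeys | Where-Object { Test-Path $_ })
    if ($result.RebootPending) {
        $result.Findings += 'A reboot is pending; staged updates are not effective yet.'
    }

    # Most recent hotfix with a known install date (same data as "wmic.exe qfe list").
    $latest = Get-HotFix |
        Where-Object InstalledOn |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1
    if ($latest) {
        $result.LastHotFix = "$($latest.HotFixID) ($($latest.InstalledOn.ToShortDateString()))"
        # 45 days is an assumed threshold: one missed Patch Tuesday plus slack.
        if ($latest.InstalledOn -lt (Get-Date).AddDays(-45)) {
            $result.Findings += 'No update installed in the last 45 days; verify the server can reach its update source.'
        }
    } else {
        $result.Findings += 'No installed hotfix found.'
    }

    [pscustomobject]$result
}

Test-WapUpdateConfiguration | Format-List
```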

     

Concluding

It’s your choice to create media to manually update your Web Application Proxies, or let them download updates from the Internet or WSUS Servers automatically. However, please remember to implement something to keep the systems in your Hybrid Identity implementation up to date.

Further reading

Windows Update troubleshooting
Fix Windows Update errors
Registry keys for configuring Automatic Updates & WSUS
WSUS Offline Update
How To: Remove WSUS Settings and Restore Windows Update Defaults
Configure a Server Core installation of Windows Server 2016, with Sconfig.cmd
How to Patch Windows Server Core 2016

The post HOWTO: Handle Windows Update on non-domain-joined Web Application Proxies appeared first on The things that are better left unspoken.


I’m co-organizing the KNVI IT Infra Day of the Year


Raymond, Erwin, Martijn, Tom and I have dedicated time to organize a yearly Dutch event. We want to share the latest in our industry, without the marketing talk and without the corporate bullshit other events bring. In my utterly biased opinion (1), there’s only one organization in the Netherlands, that can pull that off.

Last year we organized the ‘Roast the Cloud’ event for KNVI members. The year before, we organized the ‘Windows as a Service’ event. It was a lot of fun! This year, we have further improved upon the formula, added some more fun elements and are back for another year.

                 

About KNVI

The Dutch Professional Association of Information and IT Professionals (KNVI) is an independent platform for sharing professional knowledge and expanding the personal networks of ICT Pros, information professionals, students and employers who want to keep their employees up to date.

KNVI organizes multiple meetings per month, publishes AG Connect both online and in print, and offers discounts to its members, like the discount to my Active Directory Administration Cookbook.

KNVI is a merged organization of several professional associations, including the Dutch Networking User Group (Ngi-NGN) and the Dutch Association for Documentary Information and Organization Administration (SOD).

              

About the KNVI IT Infra Event of the Year

On Thursday October 10, 2019, we’ll transform the Carlton President Hotel in Maarssen into a Walhalla for IT Professionals (sessions are in Dutch). We have speakers delivering nine 30-minute sessions in three blocks:

  1. Managing IT, the new reality
    We’ll talk about DevOps as a way to manage teamwork and to manage servers. We’ll also talk about Mobile Device Management to manage devices beyond Windows-based devices.
  2. Do away with legacy
    Many admins still manage their environments like it’s 2005. Typically, this means still imaging devices (with Altiris or Ghost, probably) without benefiting from cloud services and Windows AutoPilot, and experiencing increasing numbers of incidents with passwords. That’s why we’ll talk about Windows AutoPilot, Azure AD DS and Password-less.
  3. The future of IT
    In our third block of sessions, we’ll look ahead to what’s happening in IT from an infrastructure point of view. Software-defined, privacy and quantum are the three keywords for this block of sessions.

After these sessions, we’ll ask the speakers back to the stage to discuss what regrettable moves to avoid and what recommended practices to embrace in the near future.

For immediate answers and discussions, we’ll have speakers in the ‘red room’ available, instead of hiding in a speaker room…

                        

About my session

I’m not just involved in the planning and preparations for the event, I’m also actively presenting a session, together with Raymond Comvalius:

Password-less, or how to get rid of passwords for day-to-day IT Use

2:20PM – 3:05PM (session in Dutch)

81% of all hacks last year can be attributed to weak, leaked and standard passwords. Multi-factor authentication reduces these situations by 99,9%, but people don’t seem to like the hassle of it. If only we could live without passwords…

You can! In this session, Raymond and I look at Windows Hello for Business, Active Directory Federation Services (AD FS) and FIDO2 as the solution for end-users to no longer work with passwords and, in the process, work more securely than they do now.

        

Join us!

Register here (registration page in Dutch).

One of the things we’ve learned last year is that many people wanted to join the event, but either didn’t have the money to join or didn’t want a KNVI membership.

As an IT Pro, you can join the event for € 99.
No strings attached. No nagging marketing afterwards. No privacy issues.
No membership.

Of course, as a member of KNVI, you can join the event for free, anyway.
There’s room for 150 people for this event. We haven’t filled all our seats, yet.

(1) I was a member of the board of the KNVI Special Interest Group (SIG) IT Infra.


Azure Multi-Factor Authentication Server 8.0.2.2 was released


Roughly a year ago, we saw the release of Microsoft’s Azure Multi-Factor Authentication (MFA) Server, version 8.0.1.1. Last week, Microsoft released another minor version, dubbed version 8.0.2.2 that addresses a couple of issues you might experience with version 8.0.1.1.

 

What’s New

Fixed issue with AD Sync send email when user enabled state changes

In the Add Synchronization Item window, the option to send email for Only New Users is enabled by default:


However, an issue prevented sending the e-mail message when the Enabled state changed. This issue has been fixed.

Fixed upgrade issue with User Tags

In some scenarios, user tags did not survive Azure MFA Server upgrades.
This issue is now fixed in Azure MFA Server version 8.0.2.2.

Added Kosovo (+383) country code

Former Yugoslavia obtained its +38 code in the 1964 CCITT/ITU Blue Book. However, on October 1, 1993, this country code was divided into +381 (Serbia), +382 (Montenegro), +385 (Croatia), +386 (Slovenia), +387 (Bosnia and Herzegovina) and +389 (Macedonia) when Yugoslavia broke up. At that time, +380, +383 and +388 were not assigned.

+383 was assigned to Kosovo*, after Republic of Serbia and Kosovo reached an agreement in August 2015. Now, the +383 country code can also be used with Azure Multi-Factor Authentication Server.

Note:
Ukraine received the +380 country code in 1995, as it left the Russian Federation in 1991. This effectuated its split from the +7 country code. +388 is assigned to groups of countries. The European Telephony Numbering Space (ETNS) embraced +388 3 for Europe-wide services.

Added One-Time Bypass audit logging

In previous versions of Azure Multi-Factor Authentication Server, the MultiFactorAuth service did not log one-time bypasses. Starting with version 8.0.2.2, one-time bypasses are logged to MultiFactorAuthSvc.log.

Web Service SDK performance improvements

Azure MFA Server’s Web Service SDK offers access to the database and MFA functionality to the AD FS MFA Adapter (when installed), User Portal (when installed) and with third-party applications (when used). Performance improvements on this central communications hub to the back-end means these front-end services work faster, too.

Other minor bug fixes

While the above fixes could be classified as minor fixes, the team reports that they’ve fixed other minor issues in Azure Multi-Factor Authentication (MFA) Server as well.

 

Upgrade considerations

You must upgrade MFA Server and Web Service SDK before upgrading the User Portal or AD FS adapter. Read the guidance in the How to Upgrade section in this blogpost for more information.

 

Download

You can download Azure Multi-Factor Authentication Server 8.0.2.2 here.
The download weighs 128.4 MB.

 

Version information

This is version 8.0.2.2 of Azure Multi-Factor Authentication (MFA) Server.
It was signed off on September 9, 2019.


I’m speaking at Office 365 and SharePoint Connect 2019 – Community Edition


Office 365 is the cloud service most organizations use. Some of them are not aware that Azure Active Directory lives underneath their cloud service, or behind the ‘Microsoft Office 365 Identity Platform’ Relying Party Trust (RPT) in Active Directory Federation Services (AD FS). That’s why I’ll present at NCComms’ Office 365 and SharePoint Connect 2019 – Community Edition in Haarlem on October 11, 2019.

                  

About Office 365 and SharePoint Connect

The Office 365 and SharePoint Connect conference presents news and announcements from Microsoft Ignite as well as deeper dives into the key topics across Office 365, SharePoint, Azure, OneDrive and Teams. Speakers also include material on wider industry trends such as AI.

Learn how you can move yourself and your company forward with the expert speakers who share their experience, knowledge, and best practices, plus real-world project insights. PLUS – You also have the chance to find out more from the experts who bring you the very latest “What’s new” straight after Microsoft Ignite.

This year, the Office 365 and SharePoint Connect 2018 conference returns to the Netherlands for the ninth time. Speakers for this year’s Office 365 and SharePoint Connect include Adis Jugo, Donald Hessing, Jussi Roine, Luise Freese, Sjoukje Zaal and many others.

      

About my session

I’ll present one 45-minute session on:

A Life without passwords; dream or reality?

Room D, Friday October 11, 2019 3PM – 3:45PM

The early days of multi-user IT brought us passwords. However, we can safely conclude password-based authentication doesn’t cut it anymore. Recent research showed 81% of hacking-related breaches leveraged either stolen or weak passwords and 20% of support costs for enterprise IT departments are about forgotten passwords… Nobody loves multi-factor authentication either, because it’s complicated to implement and difficult to use.

“Users should never have to deal with passwords in their day-to-day lives.”
Sander Berkouwer 

Join Sander Berkouwer, tenfold Microsoft MVP, in this engaging session on going password-less in your infrastructure. Learn the end-to-end solution, based on open standards, Microsoft technologies and the Microsoft Cloud that allows your organization(s) to minimize password usage and simplify credential management, so user credentials cannot be cracked, breached, or phished anymore.

Warning:
Be ready to start feeling the love from end-users again, for they no longer have to use technology that sucks…

               

Join us!

Join some of the very best independent experts from around the world, and Microsoft, as they come together at Office 365 & SharePoint Connect this October in the beautiful city of Haarlem, Netherlands.

Register here.


KnowledgeBase: Azure AD Connect v1.4 deletes incorrectly synchronized objects for non-Windows 10 devices


On September 10, 2019, Microsoft signed off on the first build of Azure AD Connect in the 1.4 version branch. Currently, this version is only available for organizations that have the Automatic Upgrade feature enabled. In the What’s Fixed section of the release notes for this version, Microsoft stated that:

Fixed a bug where non-Windows 10 computers were syncing unexpectedly.

         

The situation

Previously, Windows down-level computers joined to on-premises Active Directory Domain Services environments were incorrectly synchronized to Azure AD under some circumstances.

As an example of these circumstances, the userCertificate attribute value for Windows down-level devices in Active Directory is populated. But such devices in Azure AD always remained in the pending state because these Windows versions were not designed to be registered with Azure AD via Azure AD Connect.

                    

The issue

Starting with version 1.4.x.0 of Azure AD Connect:

  • Azure AD Connect stops synchronizing Windows down-level computers to Azure AD
  • Azure AD Connect removes the previously incorrectly synchronized Windows down-level devices from Azure AD.
  • Azure AD Connect might run into the Export Deletion Threshold.

Note:
If admins see the deletes of down-level Computer/Device objects in Azure AD exceeding the Export Deletion Threshold, it is advised that the customer allow these deletes to go through.

Some Azure AD admins may see some or all of their Windows down-level devices disappear from Azure AD.

However, Azure AD Connect will not delete any Windows down-level devices that were correctly registered with Azure AD by using the Workplace Join for non-Windows 10 computers package. Those devices will continue to work as expected for the purposes of device-based Conditional Access.

                     

The cause

Microsoft is cleaning up device objects in Azure AD tenants, that add no value.

This is not a cause for concern, as these device identities were never actually used by Azure AD during Conditional Access authorization.

            

The solution

To get their Windows down-level devices registered correctly and ensure that such devices can fully participate in device-based Conditional Access, the devices need to be Hybrid Azure AD joined correctly.

            

Concluding

Changes in Azure AD Connect functionality to allow for increased security levels (in this case by removing stale and non-functional objects) may have an impact on the way Azure AD Connect behaves in your organization.

Further reading

KnowledgeBase: Azure AD Connect 1.3.20.0 enables Auto Upgrades in AD FS Scenarios 
KnowledgeBase: Azure AD Connect upgrade is not reflected in the Office 365 Portal  
Azure AD Connect 1.4 introduces refined AD FS Management Capabilities 
Azure AD Connect 1.3.21.0 fixes an elevation of privilege vulnerability (CVE-2019-1000)
HOWTO: Enforce Azure AD Connect to use TLS 1.2 only


I’m speaking at SharePoint Saturday Brussels 2019


I’m presenting at SharePoint Saturday Belgium.

                   

About SharePoint Saturday Events

SPS Events is an all-volunteer organization that provides the tools and knowledge needed for groups and event leaders to organize and host SharePoint Saturday Events. SharePoint Saturday Events (SPS Events) are free one-day events held in different cities around the world, featuring sessions from influential and respected SharePoint professionals.

The SharePoint Saturday concept took shape in 2008, with the first SharePoint Saturday event held in early 2009. It grew from speakers who were speaking at Code Camps and SQL Saturdays on SharePoint topics who felt there was enough need in the SharePoint community to warrant their own dedicated events.

          

About SharePoint Saturday Belgium

On Saturday October 19, 2019, SPS Events hosts its second SharePoint Saturday Belgium event, filled with lots of great sessions, interesting sponsors and, of course, a famous SharePint at the end of the day.

What’s new with Microsoft SharePoint, Office 365, and Azure? Interested visitors will learn all about this on Saturday, October 19, at BluePoint Brussels.

SharePoint Saturday Belgium is organized by BIWUG.

        

About my session

I’ll present a 50-minute session:

Seven ways Identity enriches your Office 365 and Azure experience

Saturday October 19, 2019, 11:40AM – 12:30PM, Room 4

Azure and Office 365 rely on Azure Active Directory as their identity store.

As a tenfold MVP, I know a lot about identity. My experience with numerous organizations, ranging from enterprises to small businesses, has taught me that good identity is important to embracing cloud services.

I’ll show you seven ways identity enriches the experience you, your colleagues and your customers have when using Azure and Office 365, in my typical humorous but straight to the point style.

   

Join us!

Join some of the very best independent experts from around the world, and Microsoft, as they come together at SharePoint Saturday Belgium this October.

Register here.


The videos of my Netwrix webinars are now available


Last week, on September 24, 25 and 26, I hosted three 60-minute webinars with Netwrix on my three favorite chapters in my Active Directory Administration Cookbook.

Over 1800 people have registered for these webinars. Now, a mere two working days after the last webinars, the Netwrix team has done everyone a huge favor by already placing the three video recordings online for everyone to watch:

https://www.netwrix.com/ad_admin_cookbook_nemea

 

Enjoy!

Simply press the red Watch now buttons and enjoy!
The slides are also available for you to download, although these webinars were mostly demos-only.

Note:
These webinars and their videos are offered free of charge, thanks to the sponsoring by Netwrix. By accessing the webinars, full-length videos and slides you agree to their privacy policy.

 

About Netwrix

Netwrix is a private IT security software company. They offer IT auditing solutions for systems and applications across your IT infrastructure. Netwrix specializes in change, configuration and access auditing software with its Netwrix Auditor solution. Netwrix is a partner of Microsoft, VMware, EMC, NetApp and HP ArcSight.

If you’ve worked in highly-secure highly-regulated IT environments, you’re probably familiar with the Netwrix brand, because their Active Directory auditing solution is one of the best out there.

 


Learn the intricacies of managing Azure AD, Azure AD Connect as well as Active Directory for Identity and Access Management (IAM) in the cloud and on Windows Server 2019.

Get up to date! Get your 620-page, 147-recipe copy of the Active Directory Administration Cookbook, today. Buy it from Packt directly, or through your favorite local reseller.


I’m speaking at AppManagEvent 2019


After meeting the people behind Professional Development Systems at several events in my region, we started talking about presenting a session at their flagship event: AppManagEvent. This year, it’s time to get going with it!

                

About AppManagEvent

AppManagEvent is the annual industry event around application management. The event provides its visitors a status update and a future update on the leading technology, tools, strategies, insights and trends around Application Management.


The 14th edition takes place on Friday October 11, 2019, with themes like Deployment, Security, Application Virtualization, MSIX, Win10 migration, Identity Management, IT Infra and much more. It’s one day with great speakers, tech content and solution vendors in a professional atmosphere, at the Media Plaza at Jaarbeurs Utrecht in the “Supernova” area.

              

About my session

I will present a 45-minute session:

Identity, the solid base for your organization’s future

10:15 – 11AM

Recent IT disasters have proven that there’s no such thing as a safe network. Firewalls continue to lose their value. Munchhausen by proxy has got a whole new meaning. However, a new perimeter has arisen, focusing on the individuals in your organization and their behavior, but with extensive auditing and near-real time mitigating measures: Identity.

Frowned upon as mere ‘accounts’ in the old days, identity, and most importantly hybrid identity with both Active Directory and Azure AD, offers all the richness needed to meet today’s needs head-on. One solution for cloud and on-premises? Of course. Multi-factor authentication? Built-in. Access based on device health and location? No problem. Attribute-based access control? Solved. Automated and delegated access reviews? Done. Self-service problem solving? Yes, shift left with confidence.

               

Join us!

There is still time to register for AppManagEvent 2019. Ticket sales stop on October 10 at noon CEST. Tickets are available for € 125 per ticket.

Register here.



What’s New in Azure Active Directory for September 2019


Azure Active Directory is Microsoft’s Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Azure Active Directory, Microsoft communicated the following planned, new and changed functionality for Azure Active Directory for September 2019:

                          

What’s Planned

My Profile is being renamed and integrated with the Microsoft Office account page

Service category: My Profile/Account
Product capability: Collaboration

Starting in October, the My Profile experience will become My Account. As part of that change, everywhere that currently reads My Profile changes to My Account.

On top of the naming change and some design improvements, the updated experience will offer additional integration with the Microsoft Office account page. Specifically, you’ll be able to access Office installations and subscriptions from the Overview Account page, along with Office-related contact preferences from the Privacy page.

                                   

What’s New

Bulk manage groups and members using CSV files in the Azure AD portal Public Preview

Service category: Group Management
Product capability: Collaboration

Microsoft is pleased to announce public preview availability of the bulk group management experiences in the Azure AD portal. Admins can now use a CSV file and the Azure AD portal to manage groups and member lists, including:

  • Adding or removing members from a group.
  • Downloading the list of groups from the directory.
  • Downloading the list of group members for a specific group.

                 

Dynamic consent is now supported through a new admin consent endpoint

Service category: Authentications (Logins)
Product capability: User Authentication

Microsoft has created a new admin consent endpoint to support dynamic consent, which is helpful for apps that want to use the dynamic consent model on the Microsoft Identity platform.

                 

New Azure AD Global Reader role

Service category: RBAC
Product capability: Access Control

The Global Reader role is the read-only counterpart to Global Administrator. Users in this role can read settings and administrative information across Microsoft 365 services, but can’t take management actions.

Microsoft has created the Global Reader role to help reduce the number of Global Administrators in organizations. Because Global Administrator accounts are powerful and vulnerable to attack, Microsoft recommends:

  • that organizations have fewer than five Global Administrators.
  • using the Global Reader role for planning, audits, or investigations.
  • using the Global Reader role in combination with other limited administrator roles, like Exchange Administrator, to help get work done without requiring the Global Administrator role.

The Global Reader role works with the new Microsoft 365 Admin Center, Exchange Admin Center, Teams Admin Center, Security Center, Compliance Center, Azure AD Admin Center, and the Device Management Admin Center.

           

Access an on-premises Report Server from your Power BI Mobile app using Azure Active Directory Application Proxy

Service category: App Proxy
Product capability: Access Control

New integration between the Power BI mobile app and Azure AD Application Proxy allows you to securely sign in to the Power BI mobile app and view any of your organization’s reports hosted on the on-premises Power BI Report Server.

For information about the Power BI Mobile app, including where to download the app, see the Power BI site.

              

What’s Changed

New version of the AzureADPreview PowerShell module is available

Service category: Other
Product capability: Directory

New cmdlets were added to the AzureADPreview module, to help define and assign custom roles in Azure AD, including:

  • Add-AzureADMSFeatureRolloutPolicyDirectoryObject
  • Get-AzureADMSFeatureRolloutPolicy
  • New-AzureADMSFeatureRolloutPolicy
  • Remove-AzureADMSFeatureRolloutPolicy
  • Remove-AzureADMSFeatureRolloutPolicyDirectoryObject
  • Set-AzureADMSFeatureRolloutPolicy


Pictures of WAZUG.nl 60


Ordina Headquarters in Nieuwegein

Last Thursday, Raymond and I presented on password-less authentication for the Dutch Microsoft Azure User Group (WAZUG.nl) at Ordina’s Headquarters in Nieuwegein, the Netherlands.

After the splendid dinner, when the entire group gathered for the elevators to get to the 11th floor, we were already there, enjoying the views over Utrecht, set up and even recording a short interview with Iwan Bel from the WAZUG.nl user group.

Badges | Interview with Iwan Bel (Picture by WAZUG.nl organization)

After the meal and a short introduction by Ordina, it was our task to share our knowledge and experiences with passwords, multi-factor authentication and password-less authentication using Azure Active Directory and FIDO 2.0-based security keys.

Introduction (Picture by WAZUG.nl organization) | Raymond

After our presentation and a short break, Xander Gijtenbeek and John Bruin from Ordina’s new Mtech division shared their experiences with Application Insights, coupled with a Google AIY Projects Vision kit.

After that, we enjoyed drinks at the bar.

   

Thank you!

I had a lot of fun. Thumbs up


HOWTO: Change the AD FS token-signing hash algorithm for AD FS relying party trusts to SHA256


Hybrid Identity

Most Microsoft-based Hybrid Identity implementations use Active Directory Federation Services (AD FS) Servers, Web Application Proxies and Azure AD Connect installations. In this series, labeled Hardening Hybrid Identity, we’re looking at hardening these implementations, using recommended practices.

In this part of the series, we’ll look at properly securing relying party trusts on AD FS servers in terms of the signature hash algorithm.

Note:
This blogpost assumes you’re running AD FS Servers as domain-joined Server Core Windows Server 2016 installations.

 

Why look at the signature hash algorithm for AD FS Relying Party Trusts

Active Directory Federation Services (AD FS) signs the tokens it issues to relying party trusts, like Azure Active Directory, to ensure that they cannot be tampered with.

This signature can be based on SHA1 or SHA256. Azure Active Directory has supported tokens signed with the SHA256 algorithm since October 2016, and recommends setting the token-signing algorithm to SHA256 for the highest level of security.

Reasons why

Federation servers require token-signing certificates to prevent attackers from altering or counterfeiting security tokens in an attempt to gain unauthorized access to federated resources.

The private/public key pairing that is used with token-signing certificates is the most important validation mechanism of any federated partnership because these keys verify that a security token was issued by a valid partner federation server and that the token was not modified during transit.

It would be a shame if an attacker could craft a second document that produces the same hash, and therefore carries the same valid signature, through a collision attack. But that is exactly what Google announced in February 2017 for SHA1, after two years of research in collaboration with the CWI Institute in Amsterdam.

This collision attack is a strong reason to move from SHA1 to safer alternatives, such as SHA256.

Possible negative impact (What could go wrong?)

If changing the AD FS token-signing hash algorithm for AD FS relying party trusts to SHA256 goes wrong, the functionality of the relying party trust becomes unavailable. In other words, access to the application, or to all applications connected to the platform on the other side of the relying party trust, is lost.

If the change of the AD FS token-signing hash algorithm to SHA256 goes wrong for the ‘Microsoft Office 365 Identity Platform’ relying party trust, then access to popular functionality like Exchange Online, SharePoint Online, Teams, PowerBI and Dynamics 365 is lost and the trust needs to be rebuilt.

 

Getting Ready

To change the AD FS token-signing hash algorithm for AD FS relying party trusts to SHA256, make sure to meet the following requirements:

System requirements

Make sure the AD FS servers are installed with the latest cumulative Windows Updates.

Privilege requirements

Make sure to sign in with an account that has privileges to create and/or change and link Group Policy objects to the Organizational Unit (OU) in which the AD FS servers reside.

Who to communicate to

As the AD FS servers operate as part of a chain, notify all stakeholders in the chain. This means sending a heads-up to the rest of the Active Directory team and the teams that are responsible for Azure AD, Office 365 and cloud applications. It’s also a good idea to talk to the people responsible for backups, restores and disaster recovery.

Important:
It is especially important to communicate to the teams that are responsible for the functionality connected through AD FS, as you must use the same algorithm for the AD FS RPT as the service provider on the other side of the RPT is expecting, SHA-1 or SHA-256, to generate the hash.

One of the challenges you can easily avoid through communications is that multiple persons and/or teams make changes to the configuration at the same time. When it breaks, you don’t want to roll back a bunch of changes, just the one that broke it. Make sure you have the proper freeze/unfreeze moments to achieve that.

 

How to do it

To get an overview of the AD FS RPTs that do not use SHA256 as the AD FS token-signing hash algorithm, run the following line of Windows PowerShell when logged on with an account that has local administrative privileges on the Primary AD FS server:

Get-AdfsRelyingPartyTrust | select Name,SignatureAlgorithm

 

This will provide the names of the RPTs and their SignatureAlgorithm properties.

You can change the AD FS token-signing hash algorithm for an AD FS relying party using the following lines of Windows PowerShell when logged on with an account that has local administrative privileges on the Primary AD FS server:

$RPT = 'Microsoft Office 365 Identity Platform'

Set-AdfsRelyingPartyTrust -TargetName $RPT -SignatureAlgorithm `
'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'

 

Roll-back

To roll back the change, run the following lines of PowerShell when logged on with an account that has local administrative privileges on the Primary AD FS server:

$RPT = 'Microsoft Office 365 Identity Platform'

Set-AdfsRelyingPartyTrust -TargetName $RPT -SignatureAlgorithm `
'http://www.w3.org/2000/09/xmldsig#rsa-sha1'
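
The audit, change and roll-back above can be combined into one script. The following is an added example and not code from the original post: it lists every relying party trust that still signs with SHA1, saves the current SignatureAlgorithm of all trusts to a file (the path in $BackupPath is an assumption, change it to suit) so each trust can be rolled back individually, and only changes trusts when you pass -Apply. Run it on the Primary AD FS server with an account that has local administrative privileges.

```powershell
# Added example (not from the original post): audit AD FS relying party trusts for
# the SHA1 signature algorithm, record the current state for roll-back, and switch
# them to SHA256 only when -Apply is given.
param(
    [switch]$Apply,
    # Assumed backup location; adjust to a path your change procedure prescribes.
    [string]$BackupPath = "$env:TEMP\adfs-rpt-signaturealgorithm.xml"
)

$sha1   = 'http://www.w3.org/2000/09/xmldsig#rsa-sha1'
$sha256 = 'http://www.w3.org/2001/04/xmldsig-more#rsa-sha256'

Import-Module ADFS

# Inventory of all trusts and the algorithm they currently sign with.
$trusts = Get-AdfsRelyingPartyTrust | Select-Object Name, SignatureAlgorithm
$legacy = $trusts | Where-Object { $_.SignatureAlgorithm -eq $sha1 }

# Keep the pre-change values so a single trust can be rolled back without
# touching the others (see the roll-back one-liner below the block).
$trusts | Export-Clixml -Path $BackupPath
Write-Host "Saved current signature algorithms to $BackupPath"

if (-not $legacy) {
    Write-Host 'All relying party trusts already use SHA256.'
    return
}

Write-Host 'Relying party trusts still using SHA1:'
$legacy | Format-Table -AutoSize

if ($Apply) {
    foreach ($rpt in $legacy) {
        # Only do this after the service provider on the other side of the trust
        # has confirmed it expects SHA256-signed tokens.
        Set-AdfsRelyingPartyTrust -TargetName $rpt.Name -SignatureAlgorithm $sha256
        Write-Host "Changed '$($rpt.Name)' to SHA256"
    }
} else {
    Write-Host 'Dry run. Re-run with -Apply to change the trusts listed above to SHA256.'
}
```

To roll back from the saved file, re-apply the recorded algorithm per trust: `Import-Clixml $BackupPath | ForEach-Object { Set-AdfsRelyingPartyTrust -TargetName $_.Name -SignatureAlgorithm $_.SignatureAlgorithm }`. Because the script only changes anything with -Apply, the first run doubles as the overview of trusts that still need coordination with their service providers.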

 

Concluding

Changing the AD FS token-signing hash algorithm for AD FS relying party trusts to SHA256 from SHA1 provides a much smaller risk of collisions and therefore increases information security.

Make sure the service providers offering functionality through AD FS relying party trusts support SHA256 as the token-signing hash algorithm before changing it to avoid (temporary) loss of functionality.

Further reading

Change signature hash algorithm for Office 365 relying party trust
Token-Signing Certificates
Configuring the AD FS Token Signing and -Decrypting Certs for a longer lifetime


I’m speaking at VMware VMworld Europe 2019


VMworld Europe 2019 - Make your mark

I’m pleased to announce that I will be delivering a 4-hour workshop with Deji Akomolafe, Staff Solutions Architect at VMware, at VMware VMworld Europe 2019 in Barcelona on October 7th, 2019.

About VMware VMworld

VMworld is a global conference for virtualization and cloud computing, hosted by VMware. It is the largest virtualization-specific event. Each year, there is a VMworld US and a VMworld Europe event, addressing VMware’s two main target geographies.

VMworld Europe 2019 is hosted at the Fira Gran Via Convention Center in Barcelona, Spain from Monday November 4, 2019 to Thursday November 7, 2019.

About our session

I’ll make one main appearance during VMware VMworld Europe 2019, besides the obvious parties and gatherings. Winking smile

Architecting and Implementing Microsoft Active Directory on VMware

BCA2161TE, level 300, October 7 10:30AM – 2:30PM

Active Directory Domain Services (AD DS) allows organizations to deploy a scalable and secure directory service for managing users, resources, and applications. Although virtualizing domain controllers has been a simple and supported operation for many years, many organizations have been reluctant to do so.

Organizations struggle to understand how to properly navigate and avoid the pitfalls (such as synchronization, convergence, security, time management, availability, and data integrity) inherent in virtualizing a production, enterprise-level AD DS infrastructure. Even when they have virtualized their domain controllers, admins still worry about the security, safety, and integrity of their AD DS infrastructure.

This session will discuss and demonstrate considerations and practices for optimally and securely virtualizing AD infrastructure.

Join us!

Join me while I take the stage with Deji.
Make your mark and register for VMware VMworld Europe 2019.


Pictures of the 2019 KNVI IT Infra Day of the Year


The Conference Room at the Carlton President Hotel in Maarssen

After many months of preparations, we ran the KNVI IT Infra Day of the Year last Thursday. Raymond, Erwin, Tom and I organized a day filled with a total of eleven sessions with topics for today’s IT Pros that want more out of life and their careers.

Welcome to the KNVI IT-Infra Special Interest Group Meetup (click for original photo by organization) | Variety of Tea at the Carlton President Hotel (click for original photo by Barbara Forbes)

Tom kicked off the day with a warm welcome to the attendees. It marked the start of the ‘What’s New’ block of sessions. Peter Daalmans presented a 30-minute session on Mobile Device Management. My colleague Barbara Forbes presented a 30-minute session on Azure DevOps and Jeff Wouters presented on treating servers like cattle, not cats.

Barbara introducing herself (click for original photo) | Barbara talking about Azure DevOps (click for original photo)

After a short break, Tom introduced the ‘Get rid of legacy’ block of sessions. Raymond Comvalius presented a 30-minute session on AutoPilot to get rid of imaging. Erwin Derksen presented a 30-minute session on Azure AD DS to get rid of legacy LDAP stores and Active Directory on-premises.

Erwin talking about Azure Active Directory Domain Services (click for larger photo by organization) | Tom introducing Raymond for his AutoPilot talk (click for original photo by organization)

Then, Raymond and I presented a 30-minute session on password-less, as a way to get rid of passwords and to transition into a brave new world with stronger authentication, based on a 4-layer security model. As part of the session, we demoed Azure AD Join using the Authenticator App and the OneDrive Personal Vault.

Introducing Raymond and myself (click for original photo by Barbara Forbes) | Explaining how MFA is just a patch, not a solution (click for larger photo by Barbara Forbes)

After lunch, Tom kicked off the block of sessions where we make sure we don’t miss today’s big issues. Ronald Potharst presented on Software-defined Networking (SDN). Harold van de Kamp presented on privacy in Microsoft 365. Guido Steusel presented on what to expect in IT in the near future.

After another short break, Twan Paes presented the TeamPerformance loop. As organizers we took the stage again and rounded up our experiences with the event and we asked the attendees what they picked up during the day.

Wrapping up the KNVI IT Infra Day of the Year (click for original photo by organization) | Drinks (photos start to get blurry after this point ;-) )

After that, of course, we had drinks at the restaurant of the Carlton President Hotel.

    

Thank you! Thumbs up

Thank you to all the attendees. Your feedback is invaluable. Thank you to the Carlton President Hotel and MOS Events for helping us organize this meetup. Until next year!


HOWTO: Add the required Hybrid Identity URLs to the Local Intranet list of Internet Explorer and Edge


Hybrid Identity

Most Microsoft-based Hybrid Identity implementations use Active Directory Federation Services (AD FS) Servers, Web Application Proxies and Azure AD Connect installations. In this series, labeled Hardening Hybrid Identity, we’re looking at hardening these implementations, using recommended practices.

In this part of the series, we’ll look at the required Hybrid Identity URLs that you want to add to the Intranet Sites list in Internet Explorer.

Note:
This is the first part on adding Microsoft Cloud URLs to Internet Explorer’s zones. In this part we look at the Local Intranet zone. In the next part we look at the Trusted Sites zone.

Note:
Adding URLs to the Local Intranet zone for Internet Explorer also applies to Microsoft Edge.

 

Why look at the Intranet Sites?

Active Directory Federation Services (AD FS) and certain functionality in Azure Active Directory leverage Windows Integrated Authentication to allow for Single Sign-on (SSO).

Single Sign-on reduces prompt fatigue in people and thus makes them more aware of the moments when password prompts happen and (and this is the theory…) paying more attention to what they are doing with their passwords.

I’m not a psychologist, but I do know how to make Windows Integrated Authentication work with Internet Explorer.

Intranet Sites vs. Trusted Sites (with Default settings)

Internet Explorer offers built-in zones:

  • Local intranet
  • Trusted sites
  • Internet
  • Restricted sites

Per zone, Internet Explorer is allowed specific functionality. Restricted sites is the most restrictive zone: Internet Explorer applies its maximum safeguards there, and the fewest features that relax security (like Windows Integrated Authentication) are enabled.

The Local intranet zone, by default, offers a medium-low level of security, whereas Trusted sites offers medium-level security. By default, the Local intranet zone allows for the following functionality beyond the Trusted sites zone:

  • Local intranet does not allow ActiveX Filtering
  • Local intranet allows Scriptlets
  • Local intranet allows accessing data sources across domains (Trusted sites prompt)
  • Local intranet allows scripting of Microsoft web browser control
  • Sites in the Local intranet zone don’t prompt for client certificate selection when only one certificate exists
  • Sites in the Local intranet zone may launch applications and unsafe files
  • Sites in the Local intranet zone may navigate windows and frames across different domains
  • Local intranet sites do not use the Pop-up Blocker feature
  • Local intranet sites do not use the Defender SmartScreen feature
  • Local intranet sites allow programmatic clipboard access
  • Local intranet sites do not use the XSS Filter feature
  • Local intranet sites allow user authentication

Possible negative impact (What could go wrong?)

Internet Explorer’s zones are defined with specific default settings to lower the security features for websites added to these zones.

When you use a Group Policy object to add websites that don’t need the functionality of the Local intranet zone to that zone, the systems in scope for the Group Policy object are opened up to these websites. This may result in unwanted behavior of the browser such as browser hijacks, identity theft and remote code execution.

While this does not represent a clear and immediate danger, it is a situation to avoid.

 

Getting ready

The best way to manage Internet Explorer zones is to use Group Policy.

To create a Group Policy object, manage settings for the Group Policy object and link it to an Organizational Unit, Active Directory site and/or Active Directory domain, log into a system with the Group Policy Management Console (GPMC) installed with an account that is either:

  • A member of the Domain Admins group, or;
  • The current owner of the Group Policy Object, and have the Link GPOs permission on the Organizational Unit(s), Site(s) and/or Domain(s) where the Group Policy Object is to be linked, or;
  • Delegated the Edit Settings or Edit settings, delete and modify security permission on the GPO, and have the Link GPOs permission on the Organizational Unit(s), Site(s) and/or Domain(s) where the Group Policy Object is to be linked.

 

The URLs to add

You’ll want to add the following URLs to the Local intranet zone, depending on the way you’ve setup your Hybrid Identity implementation:

 

https://<YourADFSFarmName>

When you use federation with Active Directory Federation Services (AD FS), the URL for the AD FS farm needs to be added to the Local intranet zone. As AD FS is authenticated against, it needs to be in the Local intranet zone because, by default, this is the only zone in which websites are allowed to perform user authentication.

 

https://login.microsoftonline.com

https://secure.aadcdn.microsoftonline-p.com

The https://login.microsoftonline.com and https://secure.aadcdn.microsoftonline-p.com URLs are the main URLs for authenticating to Microsoft cloud services. As these URLs are used to authenticate against, they need to be added to the Local intranet zone as, by default, this is the only zone for websites to allow for user authentication.

 

https://aadg.windows.net.nsatc.net

https://autologon.microsoftazuread-sso.com

If you use the Seamless Single Sign-On (3SO) feature in Azure AD Connect, then you’ll want to add the following URLs to the Local intranet zone:

  1. https://aadg.windows.net.nsatc.net and
  2. https://autologon.microsoftazuread-sso.com

These URLs need to be added to the Local intranet zone on all devices where people in the organization use the 3SO feature, as these are the URLs where they will authenticate against. Trusted sites, by default, do not allow this functionality.

If you don’t use the 3SO functionality, don’t add the above URLs.

 

https://account.activedirectory.windowsazure.com

It is still one of Microsoft’s recommendations to add the https://account.activedirectory.windowsazure.com URL to the Local intranet zone. However, an enhanced experience is available that no longer points employees to this URL, but instead to the https://myprofile.microsoft.com URL, which uses the normal authentication URLs.

The new enhanced experience is available in the Azure portal, under User settings, Manage user feature preview settings (in the User feature previews area) named Users can use preview features for registering and managing security info – enhanced.

If you’ve enabled the enhanced preview, don’t add the above URL.

How to add the URLs to the Local Intranet zone

To add the URLs to the Local Intranet zone, perform these steps:

  • Log into a system with the Group Policy Management Console (GPMC) installed.
  • Open the Group Policy Management Console (gpmc.msc)
  • In the left pane, navigate to the Group Policy objects node.
  • Locate the Group Policy Object that you want to use and select it, or right-click the Group Policy Objects node and select New from the menu.
  • Right-click the Group Policy object and select Edit… from the menu.
    The Group Policy Management Editor window appears.
  • In the main pane of the Group Policy Management Editor window, expand the Computer Configuration node, then Policies, Administrative Templates, Windows Components, Internet Explorer, Internet Control Panel and then the Security Page node.

The Site To Zone Assignment List Setting for a Group Policy object in the Group Policy Management Console (click for original screenshot)

  • In the main pane, double-click the Sites to Zone Assignment List setting.
  • Enable the Group Policy setting by selecting the Enabled option in the top pane.
  • Click the Show… button in the left pane.
    The Show Contents window appears.

Adding Hybrid Identity Sites to the Local Intranet Zone (click for original screenshot)

  • Add the above URLs to the Local Intranet zone by entering the URL in the Value name column and the number 1 in the Value column for each of the URLs.
  • Click OK when done.
  • Close the Group Policy Editor window.
  • In the left navigation pane of the Group Policy Management Console, navigate to the Organizational Unit (OU) where you want to link the Group Policy object.
  • Right-click the OU and select Link an existing GPO… from the menu.
  • In the Select GPO window, select the GPO.
  • Click OK to link the GPO.

Repeat the last three steps to link the GPO to all OUs that require it. Take Block Inheritance into account for OUs by linking the GPO specifically to include all people in scope.
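
Once the GPO has applied, you can verify on a client that the URLs actually landed in the Local intranet zone. The Site to Zone Assignment List setting writes one registry value per URL, with the zone number as its data, under the ZoneMapKey policy key. The script below is an added example, not part of the original post: it reads that key and reports, for each URL from this post, whether it is assigned to zone 1. The AD FS farm name is a placeholder you must replace, and the $useSeamlessSso switch is an assumption that lets you include the 3SO URLs only when that feature is in use.

```powershell
# Added example (not from the original post): verify the 'Site to Zone Assignment
# List' policy on this machine maps the Hybrid Identity URLs to the Local intranet
# zone (zone number 1). Run with an account that can read HKLM policy keys.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'

# URLs from the post. The first entry is a placeholder for https://<YourADFSFarmName>.
$required = @(
    'https://adfs.example.com',
    'https://login.microsoftonline.com',
    'https://secure.aadcdn.microsoftonline-p.com'
)
# Only required when Seamless Single Sign-On (3SO) is enabled in Azure AD Connect.
$seamlessSso = @(
    'https://aadg.windows.net.nsatc.net',
    'https://autologon.microsoftazuread-sso.com'
)

function Get-ZoneMapAssignments {
    # Returns a hashtable of URL -> zone number as written by the policy.
    param([string]$Path = $policyKey)
    $result = @{}
    if (Test-Path -Path $Path) {
        $item = Get-ItemProperty -Path $Path
        foreach ($p in $item.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSParentPath, ...
            $result[$p.Name] = [int]$p.Value
        }
    }
    return $result
}

function Test-LocalIntranetAssignment {
    # Reports, per URL, whether it is in zone 1, missing, or in another zone.
    param([string[]]$Urls, [hashtable]$Assignments)
    foreach ($url in $Urls) {
        $zone = $Assignments[$url]
        [pscustomobject]@{
            Url    = $url
            Zone   = if ($null -eq $zone) { 'not assigned' } else { $zone }
            Status = if ($zone -eq 1)        { 'OK (Local intranet)' }
                     elseif ($null -eq $zone) { 'MISSING' }
                     else                     { "WRONG ZONE ($zone)" }
        }
    }
}

$assignments    = Get-ZoneMapAssignments
$useSeamlessSso = $false   # assumption: set to $true when 3SO is in use
$toCheck        = if ($useSeamlessSso) { $required + $seamlessSso } else { $required }

Test-LocalIntranetAssignment -Urls $toCheck -Assignments $assignments | Format-Table -AutoSize

# The post advises against adding the 3SO URLs when the feature is not used, so
# flag them if they are present anyway.
if (-not $useSeamlessSso) {
    $seamlessSso | Where-Object { $assignments.ContainsKey($_) } |
        ForEach-Object { Write-Warning "3SO URL $_ is assigned to zone $($assignments[$_]) but 3SO is not in use" }
}
```

If the key does not exist at all, every URL reports MISSING, which usually means the GPO has not applied yet (run gpupdate and check gpresult) or the machine is outside the OUs the GPO is linked to.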

 

Concluding

To enable functionality in a Hybrid Identity implementation, we need to open up the web browser to allow functionality for specific web addresses. By enabling the right URLs we minimize our efforts in enabling the functionality and also minimize the negative effect on browser security.

There is no need to add all the URLs to specific Internet Explorer zones when you don’t need the functionality. However, do not forget to add the specific URLs when you enable specific functionality like Seamless Single Sign-on, and remove them again when you move away from that functionality.

Further reading

Office 365 URLs and IP address ranges
Group Policy – Internet Explorer Security Zones
Add Site to Local Intranet Zone Group Policy


On-premises Identity updates & fixes for September 2019


Windows Server

Even though Microsoft’s Identity focus moves towards the cloud, they are not forgetting their on-premises roots. Windows Server 2016 and Windows Server 2019 still receive updates. These are the updates and fixes we saw for September 2019:

 

Windows Server 2016

We observed the following updates for Windows Server 2016:

KB4516044 September 10, 2019

The September 10, 2019 update for Windows Server 2016 (KB4516044), updating the OS Build number to 14393.3204, is a security update that includes many security fixes.

This update addresses CVE-2019-1273. This is an Important Active Directory Federation Services XSS Vulnerability.

A cross-site-scripting (XSS) vulnerability exists when Active Directory Federation Services (AD FS) does not properly sanitize certain error messages. An authenticated attacker could exploit the vulnerability by sending a specially crafted request to an affected AD FS server. An attacker who successfully exploited the vulnerability could then perform cross-site scripting attacks on affected systems and run scripts in the security context of the current user. The attacks could allow the attacker to read content that the attacker is not authorized to read, use the victim’s identity to take actions on the AD FS farm on behalf of the user, such as change permissions and delete content, and inject malicious content in the browser of the user.

The security update addresses the vulnerability by helping to ensure that AD FS error handling properly sanitizes error messages.

KB4522010 September 23, 2019

The September 23, 2019 update for Windows Server 2016 (KB4522010) updating the OS Build number to 14393.3206 does not include Identity-related updates. It includes security updates to Internet Explorer, released out-of-band.

KB4516061 September 24, 2019

The September 24, 2019 update for Windows Server 2016 (KB4516061) updating the OS Build number to 14393.3242 includes the following Identity-related updates:

  • It addresses an issue that may cause authentication to fail for certificate-based authentication when the certificate authentication includes a cname as part of the pre-authentication request.
  • It addresses an issue that may cause the Local Security Authority Subsystem Service (LSASS) to stop working with an “0xc0000005” error.
  • It addresses an issue that causes the Local Security Authority Subsystem Service (LSASS) to stop working, which causes the system to shut down. This occurs when migrating Data Protection API (DPAPI) credentials using dpapimig.exe with the domain option.
  • It addresses an issue with LdapPermissiveModify requests, which fail to make Active Directory (AD) group membership changes if the Lightweight Directory Access Protocol (LDAP) client uses the Security Identifier (SID) syntax. In this scenario, Active Directory returns a “SUCCESS” status even though the change did not occur.

 

Windows Server 2019

We observed the following updates for Windows Server 2019:

KB4512578 September 10, 2019

The September 10, 2019 update for Windows Server 2019 (KB4512578), updating the OS Build number to 17763.737, is a security update that includes many security fixes.

This update addresses CVE-2019-1273. This is an Important Active Directory Federation Services XSS Vulnerability.

A cross-site-scripting (XSS) vulnerability exists when Active Directory Federation Services (AD FS) does not properly sanitize certain error messages. An authenticated attacker could exploit the vulnerability by sending a specially crafted request to an affected AD FS server. An attacker who successfully exploited the vulnerability could then perform cross-site scripting attacks on affected systems and run scripts in the security context of the current user. The attacks could allow the attacker to read content that the attacker is not authorized to read, use the victim’s identity to take actions on the AD FS farm on behalf of the user, such as change permissions and delete content, and inject malicious content in the browser of the user.

The security update addresses the vulnerability by helping to ensure that AD FS error handling properly sanitizes error messages.

KB4522015 September 23, 2019

The September 23, 2019 update for Windows Server 2019 (KB4522015) updating the OS Build number to 17763.740 does not include Identity-related updates. It includes security updates to Internet Explorer, released out-of-band.

KB4516077 September 24, 2019

The September 24, 2019 update for Windows Server 2019 (KB4516077) updating the OS Build number to 17763.774 includes the following Identity-related updates:

  • It addresses an issue that may cause the Local Security Authority Subsystem Service (LSASS) to stop working with an “0xc0000005” error.
  • It addresses an issue that causes the lsass.exe service to stop working, which causes the system to shut down. This occurs when migrating Data Protection API (DPAPI) credentials using dpapimig.exe with the -domain option.
  • It addresses an issue that prevents you from running the Active Directory Diagnostics Data Collector Set from the Performance Monitor for Domain Controllers. This causes the Data Collector Set name to appear empty. Running the Active Directory Diagnostics Data Collector Set returns the error, “The system cannot find the file specified.” Event ID 1023 is logged with the source as Perflib and the following messages:
    • Windows cannot load the extensible counter DLL “C:\Windows\system32\ntdsperf.dll”.
    • The specified module could not be found.
  • It addresses an issue that may cause authentication to fail for certificate-based authentication when the certificate authentication includes a cname as part of the pre-authentication request.
  • It addresses a Lightweight Directory Access Protocol (LDAP) runtime issue for Domain Controller Locator-style LDAP requests. The error is, “Error retrieving RootDSE attributes, data 8, v4563.”
  • It addresses an issue that causes LDAP queries that contain LDAP_MATCHING_RULE_IN_CHAIN (memberof:1.2.840.113556.1.4.1941) to intermittently fail on Windows Server 2019 domain controllers. However, these queries do not fail on domain controllers running previous versions of Windows Server.
  • It addresses an issue that causes group membership changes in Active Directory groups to fail. This occurs if the Lightweight Directory Access Protocol (LDAP) client uses the Security Identifier (sID) Distinguished Name (DN) syntax after installing previous versions of NTDSAI.DLL. In this scenario, an issue with the LdapPermissiveModify (LDAP_SERVER_PERMISSIVE_MODIFY_OID) control causes Active Directory to incorrectly return a SUCCESS status even though the group membership change did not occur.
  • It addresses an issue in which the Set-AdfsSslCertificate script is successful. However, it throws an exception during resource cleanup because the target server-side endpoint is no longer there.

This update includes so many improvements, that Joseph Ryan Ries, Escalation Engineer at Microsoft Corp., claims that Windows Server 2019 Domain Controllers are now ready for production…
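
Since the AD FS XSS fix (CVE-2019-1273) shipped in the September 10 updates and the identity fixes above in the September 24 updates, the practical question on each server is whether its build has reached those levels. The script below is an added example and not from the original post: it reads the build and update build revision (UBR) from the registry and compares them with the OS build numbers quoted above (14393.3204 and 14393.3242 for Windows Server 2016, 17763.737 and 17763.774 for Windows Server 2019). Builds other than those two are reported as unknown rather than guessed at.

```powershell
# Added example (not from the original post): check whether this Windows Server
# 2016 or 2019 host is at or beyond the September 2019 builds named in the post.
$cv    = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$build = [int]$cv.CurrentBuildNumber   # e.g. 14393 or 17763
$ubr   = [int]$cv.UBR                  # the part after the dot in the OS Build number

# Minimum UBR per OS build, taken from the post.
$thresholds = @{
    14393 = @{ Name = 'Windows Server 2016'; Cve20191273 = 3204; Sept24 = 3242 }
    17763 = @{ Name = 'Windows Server 2019'; Cve20191273 = 737;  Sept24 = 774  }
}

function Test-SeptemberPatchLevel {
    # Returns one object describing the patch state relative to the two September updates.
    param([int]$Build, [int]$Ubr, [hashtable]$Table)
    if (-not $Table.ContainsKey($Build)) {
        return [pscustomobject]@{
            Os                = "unknown build $Build (not covered by this check)"
            Build             = "$Build.$Ubr"
            HasCve20191273Fix = $null
            HasSept24Update   = $null
        }
    }
    $t = $Table[$Build]
    [pscustomobject]@{
        Os                = $t.Name
        Build             = "$Build.$Ubr"
        HasCve20191273Fix = ($Ubr -ge $t.Cve20191273)   # September 10 security update or later
        HasSept24Update   = ($Ubr -ge $t.Sept24)        # September 24 cumulative update or later
    }
}

Test-SeptemberPatchLevel -Build $build -Ubr $ubr -Table $thresholds
```

On an AD FS server, HasCve20191273Fix is the value to look at; on a domain controller, HasSept24Update tells you whether the LSASS and LDAP fixes listed above are in place. Because cumulative updates only raise the UBR, a later build implies the earlier fixes.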



HOWTO: Add the required Hybrid Identity URLs to the Trusted Sites list of Internet Explorer and Edge


Hybrid Identity

Most Microsoft-based Hybrid Identity implementations use Active Directory Federation Services (AD FS) Servers, Web Application Proxies and Azure AD Connect installations. In this series, labeled Hardening Hybrid Identity, we’re looking at hardening these implementations, using recommended practices.

In this part of the series, we’ll look at the required Hybrid Identity URLs that you want to add to the Trusted Sites list in Internet Explorer.

Note:
This is the second part on adding Microsoft Cloud URLs to Internet Explorer’s zones. In this part we look at the Trusted Sites zone. In the previous part we looked at the Local Intranet zone.

Note:
Adding URLs to the Trusted Sites zone for Internet Explorer also applies to Microsoft Edge.

 

Why look at the Trusted Sites?

Hybrid Identity enables functionality for people using on-premises user accounts, leveraging Azure Active Directory as an additional identity platform. By default, Azure AD is the identity platform for Microsoft Cloud services, like Exchange Online, SharePoint Online and Azure.

By adding the URLs for these services to the Trusted Sites list, we enable a seamless user experience for these services, without browser prompts or hiccups.

Internet Explorer offers built-in zones. Per zone, Internet Explorer is allowed specific functionality. Restricted Sites is the most restricted zone: Internet Explorer applies the maximum safeguards there, and fewer of the features that lower security (like Windows Integrated Authentication) are enabled.

The Trusted Sites zone, by default, offers a medium level of security.

Possible negative impact (What could go wrong?)

Internet Explorer’s zones are defined with specific default settings to lower the security features for websites added to these zones.

When you use a Group Policy object to add websites that don’t need the functionality of the Trusted Sites zone to that zone, the systems in scope for the Group Policy object are opened up to these websites. This may result in unwanted browser behavior such as browser hijacks, identity theft and remote code execution, for example when you mistype the URLs or when DNS is compromised.

While this does not represent a clear and immediate danger, it is a situation to avoid.

 

Getting ready

The best way to manage Internet Explorer zones is to use Group Policy.

To create a Group Policy object, manage settings for the Group Policy object and link it to an Organizational Unit, Active Directory site and/or Active Directory domain, log into a system with the Group Policy Management Console (GPMC) installed with an account that is either:

  • A member of the Domain Admins group, or;
  • The current owner of the Group Policy Object, and have the Link GPOs permission on the Organizational Unit(s), Site(s) and/or Domain(s) where the Group Policy Object is to be linked, or;
  • Delegated the Edit Settings or Edit settings, delete and modify security permission on the GPO, and have the Link GPOs permission on the Organizational Unit(s), Site(s) and/or Domain(s) where the Group Policy Object is to be linked.

 

The URLs to add

You’ll want to add the following URLs to the Trusted Sites zone, depending on the way you’ve set up your Hybrid Identity implementation:

 

  • *.live.com
  • *.microsoft.com
  • *.microsoftonline.com
  • *.windows.net
  • ajax.aspnetcdn.com
  • microsoft.com
  • microsoftline.com
  • microsoftonline-p.net
  • onmicrosoft.com

The above URLs are used in Hybrid Identity environments. While they overlap with some of the URLs for the Local Intranet Zone, these URLs allow side services to work properly, too.

 

*.msappproxy.net

Web applications that you integrate with Azure Active Directory through the Azure AD Application Proxy are published using https://*.msappproxy.net URLs. Add the above wildcard URL to the Trusted Sites list, when you’ve deployed or are planning to deploy Azure AD App Proxy. If you use vanity names for Azure AD App Proxied applications, add these to the Trusted Sites list, as well.

 

Other Office 365 services

Most Hybrid Identity implementations are used to allow access to Office 365 only. Last year, 65% of Hybrid Identity implementations were used to unlock access to one or more Office 365 services only, like Exchange Online, SharePoint Online, OneDrive for Business and Teams. This blogpost focuses on the Hybrid Identity URLs, but you might want to add more Office 365 URLs and IP address ranges to the Trusted Sites list as you deploy, roll out and use Office 365 services. You can use this (mostly outdated) Windows PowerShell script to perform that action, if you need to.

 

How to add the URLs to the Trusted Sites zone

To add the URLs to the Trusted Sites zone, perform these steps:

  • Log into a system with the Group Policy Management Console (GPMC) installed.
  • Open the Group Policy Management Console (gpmc.msc).
  • In the left pane, navigate to the Group Policy objects node.
  • Locate the Group Policy Object that you want to use and select it, or right-click the Group Policy Objects node and select New from the menu.
  • Right-click the Group Policy object and select Edit… from the menu.
    The Group Policy Management Editor window appears.
  • In the main pane of the Group Policy Management Editor window, expand the Computer Configuration node, then Policies, Administrative Templates, Windows Components, Internet Explorer, Internet Control Panel and then the Security Page node.


  • In the main pane, double-click the Sites to Zone Assignment List setting.
  • Enable the Group Policy setting by selecting the Enabled option in the top pane.
  • Click the Show… button in the left pane.
    The Show Contents window appears.
  • Add the above URLs to the Trusted Sites zone by entering the URL in the Value name column and the number 2 in the Value column for each of the URLs.
  • Click OK when done.
  • Close the Group Policy Editor window.
  • In the left navigation pane of the Group Policy Management Console, navigate to the Organizational Unit (OU) where you want to link the Group Policy object.
  • Right-click the OU and select Link an existing GPO… from the menu.
  • In the Select GPO window, select the GPO.
  • Click OK to link the GPO.

Repeat the last three steps to link the GPO to all OUs that require it. Take Block Inheritance into account for OUs by linking the GPO specifically to include all people in scope.
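As an added example (not code from the original post), the following Windows PowerShell audits what the Sites to Zone Assignment List policy actually put on a machine, so that Trusted Sites entries nobody intended (the risk described under "What could go wrong?") stand out. It assumes the policy stores its entries under the ZoneMapKey policy key named in the script, with the URL as value name and the zone number as data, and it uses the URL list from this post (including *.msappproxy.net) as the approved set.

```powershell
# Added example, not part of the original post: audit the Site to Zone Assignment List
# that the GPO above writes and report Trusted Sites (zone 2) entries that are not on
# the approved Hybrid Identity list, approved entries that are missing, and approved
# entries that landed in the wrong zone (for example a mistyped zone number).
# Assumption: the policy stores its entries under this key, URL as value name,
# zone number as (string) data.
$ZoneMapKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'

# Approved list, taken from the post above (assumes Azure AD App Proxy is in use).
$ApprovedTrustedSites = @(
    '*.live.com', '*.microsoft.com', '*.microsoftonline.com', '*.windows.net',
    'ajax.aspnetcdn.com', 'microsoft.com', 'microsoftline.com',
    'microsoftonline-p.net', 'onmicrosoft.com', '*.msappproxy.net'
)

function Get-PolicyZoneAssignments {
    param([string]$Path = $ZoneMapKey)
    # No policy key means no policy-managed assignments at all
    if (-not (Test-Path $Path)) { return @() }
    $key = Get-Item -Path $Path
    foreach ($name in $key.GetValueNames()) {
        [pscustomobject]@{
            Site = $name
            Zone = [int]$key.GetValue($name)   # 1 = Local Intranet, 2 = Trusted Sites, ...
        }
    }
}

function Test-TrustedSitesAssignment {
    param(
        [AllowEmptyCollection()] [object[]]$Assignments = @(),
        [string[]]$Approved = $ApprovedTrustedSites
    )
    $trusted = @($Assignments | Where-Object { $_.Zone -eq 2 } | ForEach-Object { $_.Site })
    [pscustomobject]@{
        # In Trusted Sites but not called for by the post: each one widens the exposure
        Unexpected = @($trusted | Where-Object { $Approved -notcontains $_ })
        # Approved by the post but not (yet) assigned to zone 2
        Missing    = @($Approved | Where-Object { $trusted -notcontains $_ })
        # Approved entries that ended up in another zone
        WrongZone  = @($Assignments | Where-Object { $Approved -contains $_.Site -and $_.Zone -ne 2 })
    }
}

# Live run against the local machine's policy key
$result = Test-TrustedSitesAssignment -Assignments @(Get-PolicyZoneAssignments)
$result | Format-List
```

Run it on a machine in scope of the GPO after a gpupdate; an empty Unexpected list and an empty Missing list mean the policy matches the post exactly.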

 

Concluding

To enable functionality in a Hybrid Identity implementation, we need to open up the web browser to allow functionality for specific web addresses. By enabling the right URLs we minimize our efforts in enabling the functionality and also minimize the negative effect on browser security.

There is no need to add all the URLs to specific Internet Explorer zones when you don’t need the functionality. However, do not forget to add the specific URLs when you enable specific functionality like the Azure AD Application Proxy, and remove specific URLs when you move away from specific functionality.

Further reading

Office 365 URLs and IP address ranges
Group Policy – Internet Explorer Security Zones
Add Site to Local Intranet Zone Group Policy


From the Field: The case of the unreachable forest on a domain-joined Azure AD Connect installation


From The Field

Troubleshooting stories from the field are the best. That’s why I like writing them down. Although sometimes they might appear as straight cases of schadenfreude, I feel there are lessons to be learned for anyone, if you’re willing to look closely and listen carefully.

Last week I experienced an issue with Azure AD Connect at a customer, that made absolutely no sense at all.

 

The situation

The customer has an Active Directory Domain Services environment, consisting of one Active Directory domain. The Active Directory domain is synchronized to Azure Active Directory using Azure AD Connect. Users authenticate to Azure AD using Active Directory Federation Services (AD FS).

To facilitate release management, we advised implementing a Staging Mode Azure AD Connect server and the accompanying processes. We asked an admin at the customer to get us an additional domain-joined virtual machine running Windows Server 2019.

We downloaded Azure AD Connect using the same account and ran the installer. We made the following choices:

  • On the Welcome to Azure AD Connect screen, we checked the I agree to the license terms and privacy notice. option and clicked the Continue button.
  • On the Express Settings screen, we clicked the Customize button.
  • On the Install required components screen, we clicked the Install button.
  • On the User sign-in screen, we selected Federation with AD FS as the sign on method and clicked the Next button to continue.

Microsoft Azure Active Directory Connect Wizard - User Sign-in screen (click for original screenshot)

  • On the Connect to Azure AD screen, we signed in with an account with the Global administrator role in Azure AD and clicked Next. After inserting the credentials, we performed multi-factor authentication.
  • On the Connect your directories screen, we clicked the Add Directory button.
  • In the AD forest account dialog screen, we kept the default option to Create new AD account and entered the credentials for the customer’s admin account:

Microsoft Azure Active Directory Connect Wizard - AD forest account dialog (click for original screenshot)

 

The issue

Azure AD Connect validated the credentials, and threw an error:

Microsoft Azure Active Directory Connect Wizard - Connect your directories screen (click for original screenshot)

Cannot establish a connection to the Domain Controller(s) associated to a forest named: ‘domain.tld’. Please validate the following:

  • The Credentials (Username and Password) you have provided are correct
  • UDP and TCP port 389 are open in these DCs (you have to perform this manual check on the “Windows Firewall with Advanced Security” window on every Domain Controller) Learn more

This error is unexpected.

 

My troubleshooting

I started troubleshooting the issue.

I didn’t have to question whether the server was domain-joined; if it’s not domain-joined you can’t select Active Directory Federation Services (AD FS) as the authentication method to Azure Active Directory…

Am I logged in with a domain account or a local account?

The first question I wanted to answer was whether we were logged onto the Azure AD Connect installation using a domain account or a local account.

I started up a Command Prompt (cmd.exe) and used whoami.exe to view information for the signed-in account. We were signed in using an account that is a member of the Domain Admins group.

Can I resolve the domain in DNS?

I started up a Command Prompt (cmd.exe) and used nslookup.exe appended with the domain name. This returned the Domain Controllers without issues.

Can I communicate to the Domain Controllers?

As Azure AD Connect mentioned network connectivity was probably to blame for the error, I started up a PowerShell window and used Test-NetConnection to probe several of Active Directory’s common ports. This returned success values for all ports I tried on all Domain Controllers I tried. I guess this is not a Firewall issue, either…

What does Azure AD Connect think it actually is?

I decided to take a look at the Azure AD Connect diagnostics data. Azure AD Connect provides detailed output of all its actions in the C:\ProgramData\AADConnect folder.

I opened up the trace file and scrolled down to the bottom:

Notepad with the latest trace-* file in the C:\ProgramData\AADConnect folder (click for original screenshot)

That’s where I read what was going on. It wasn’t a connectivity problem at all. The admin account simply lacked the Enterprise Admins group membership.

Actually, Azure AD Connect’s AD Forest account dialog screen, clearly states you need to specify an ENTERPRISE ADMIN USERNAME.

However, in an Active Directory environment with a single domain, the privileges for Domain Admins and Enterprise Admins are equal, as the Microsoft Docs on Default groups points out…

 

The solution

We asked the admin to add his account to the Enterprise Admins group. As this is a single domain, this change is performed without issues.

We signed off and on again after this change. We ran the Azure AD Connect wizard again and decided to remove the membership to the Enterprise Admins group after installing and configuring Azure AD Connect.

 

Concluding

Enterprise Admins privileges may be needed for Azure AD Connect configuration of the service account to communicate to Active Directory. Whether it makes sense or not…

Further reading

Leveraging Azure AD Connect Staging Mode for Release Management
From the Field: the Case of the Active Directory trust without DNS Suffixes
From the Field: The Case of the Unreanimatable Tombstone Objects
From the field: The Case of the Domain Controller that would not function after an Azure Site Recovery test failover


Pictures of Office 365 and SharePoint Connect 2019 – Community Edition


Office 365 and SharePoint Connect

After presenting at AppManagEvent 2019, I drove to Haarlem for the next event on my list: NC Communications’ Office 365 and SharePoint Connect.

This was a bittersweet event, as Nigel and Irene announced this 10th edition of Office 365 and SharePoint Connect, would be the last time they organize it. I’ll miss hanging out with my fellow community members, presenting on the topics I love and meeting new people at events like this.

Philharmonie Haarlem (click for larger photo)

I arrived in time for lunch, so I enjoyed some sandwiches. After that, I found a quiet place to do the final touches on my presentation, including the focus by the Dutch NCSC on FIDO 2.0, and to prepare the demos.

I presented a 45-minute session in the last session time slot. The room was half-filled, but everyone stayed for the session. Afterward, two guys from one of the Netherlands’ well-known service providers came up to me to thank me for the session. I might end up presenting at one of their internal days to their colleagues…

Room D at Office 365 and SharePoint Connect 2019 (click for larger photo)
Blauwe Zaal, aka Room D (click for larger photo)
Photo of the Title Slide by Arend van Dijk (click for larger photo)

 

Thank you

Thank you to Nigel and Irene for organizing Office 365 and SharePoint Connect 2019 and inviting me as a speaker for another year. Thank you to all the attendees, especially the people in my session.


HOW TO: Properly set and manage Azure AD Connect’s Export Deletion Threshold


Hybrid Identity

Most Microsoft-based Hybrid Identity implementations use Active Directory Federation Services (AD FS) Servers, Web Application Proxies and Azure AD Connect installations. In this series, labeled Hardening Hybrid Identity, we’re looking at hardening these implementations, using recommended practices.

In this part of the series, we start looking at Azure AD Connect in-depth.

 

Why look at the Export Deletion Threshold

Azure AD Connect is responsible for synchronizing objects and their attributes. It uses rules to act in a certain way, based on certain input to guarantee certain output. In some cases, the straightforwardness of the rules may result in unwanted scenarios, such as deletion of all objects from Azure AD.

To prevent this last situation, Microsoft has built a deletion threshold into Azure AD Connect. When the threshold is reached while running an Export operation (writing to a connected directory), Azure AD Connect stops synchronizing to prevent further harm.

Now, there is a sweet spot to Azure AD Connect’s export deletion threshold:

  • You don’t want to set the deletion threshold too low. Organizations rely on Azure AD Connect for their Identity and Access Management (IAM) processes. When synchronization stops, the process stops. Onboarding, offboarding, group membership changes; they all stop. You might hit the threshold often, when it is set too low.
  • You don’t want to set the deletion threshold too high, either. If something does go wrong, you don’t want to lose most of the objects before finding out.

By default, Azure AD Connect’s object deletion threshold is set at 500 objects.

 

Getting ready

To change the Export Deletion Threshold, you’ll need to have local privileges on each Windows Server running Azure AD Connect. You’ll need to be member of the local ADSyncAdmins group, or a member of the custom local group you may have selected as the Azure AD Connect Administrators group, during the installation of Azure AD Connect:

Azure Active Directory Connect Wizard - Specify custom sync groups during installation (click for original screenshot)

On the Azure AD side of things, you’ll need an account that has the Global administrator role assigned.

Additionally, make sure the Windows PowerShell Module for Active Directory is installed on each of the Azure AD Connect installations, to be able to run the below scripts.

 

Properly managing the Export Deletion Threshold

I feel there are three aspects to properly managing Azure AD Connect’s Export Deletion Threshold:

Set the threshold at 10% of your objects

A 500 object threshold does not make much sense in an organization with 50 people. The same threshold also doesn’t make sense in an organization with 900,000 people.

As a rule of thumb, I configure Azure AD Connect’s Export Deletion Threshold at 10% of the median number of objects in Active Directory.

With default rules, Azure AD Connect synchronizes user objects, inetOrgPerson objects, contacts, groups and devices. User objects are the main concern for most organizations, but losing groups and devices might also hurt processes. Taking the number of objects of each of these object types into consideration, we commonly observe that organizations have more groups than users (although a lot of groups will be empty) and more users than devices. This means 10% of your person objects in the metaverse (user objects and/or inetOrgPerson objects) is a safe value, but your needs may vary.

The below script provides information on the number of users, groups and devices within scope of your Azure AD Connect installation:

# Read the Active Directory connector and the OUs it is scoped to.
# (The ADSync module cmdlet is Get-ADSyncConnector; pass the connector name.)
$c = Get-ADSyncConnector -Name 'domain.tld'
$ous = $c.Partitions.ConnectorPartitionScope.ContainerInclusionList

$ADUsers = @()
$ADGroups = @()
$ADComputers = @()

# Count every user, group and computer object below each in-scope OU
ForEach ($ou in $ous) {
    $ADUsers += Get-ADUser -SearchBase $ou -Filter *
    $ADGroups += Get-ADGroup -SearchBase $ou -Filter *
    $ADComputers += Get-ADComputer -SearchBase $ou -Filter *
}

Write-Host "Total number of users is" $ADUsers.Count
Write-Host "Total number of groups is" $ADGroups.Count
Write-Host "Total number of devices is" $ADComputers.Count

 

Set it once for all your Azure AD Connect installations

When you have Staging Mode Azure AD Connect installations, you only need to configure the Export Deletion Threshold on one of your Azure AD Connect installations.

The Export Deletion Threshold is a per-Azure AD tenant setting. This is good news, as a Staging Mode Azure AD Connect installation gains the information automatically. It doesn’t perform exports today, but it could, one day, when it’s no longer in Staging Mode, but actively synchronizing.

 

Monitor threshold-related incidents

While it would seem advantageous to disable the Export Deletion Threshold in the actively synchronizing Azure AD Connect when making big changes, this defeats the purpose of the feature.

Include a step in your Azure AD Connect upgrade and management procedures to perform a synchronization cycle. The documentation on Azure AD Connect conveys when a Full Synchronization cycle needs to happen and when the normal delta synchronization cycles suffice.

Monitor for threshold-related incidents, in any of the below four ways:

1. Event log

Azure AD Connect writes to the event log on Windows Servers on which it is installed. You will see, in chronological order:

  • A warning event with Event-ID 116 and source Directory Synchronization in the Application event log, showing you the current Export Deletion Threshold in relation to the amount of object deletions it is trying to export:

EventID 116 with source Directory Synchronization (click for original screenshot)

  • An error event with Event-ID 906 and source Directory Synchronization in the Application event log with specific error code 95:

EventID 906 with source Directory Synchronization (click for original screenshot)

  • An error event with Event-ID 6950 and source ADSync in the Application event log, reiterating that the number of deletes exceeds the deletion threshold count, with error code 0x80231366, in several code blocks and files within Azure AD Connect:

EventID 6950 with source ADSync (click for original screenshot)
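As an added example (not code from the original post), the Windows PowerShell below turns the three events listed above into a small detection: it queries the Application log for them, labels the stage of the failure each one documents, and only reports a confirmed incident when the export actually stopped (906 or 6950) rather than on the 116 warning alone. The event texts in the sample objects are constructed; the IDs and sources are the ones from this post.

```powershell
# Added example, not part of the original post: detect a tripped Export Deletion
# Threshold from the Application log events Azure AD Connect writes.

function Get-DeletionThresholdEvents {
    param([datetime]$Since = (Get-Date).AddDays(-1))
    # Live query: Directory Synchronization 116/906 and ADSync 6950 (IDs from the post)
    $filters = @(
        @{ LogName = 'Application'; ProviderName = 'Directory Synchronization'; Id = 116, 906; StartTime = $Since },
        @{ LogName = 'Application'; ProviderName = 'ADSync'; Id = 6950; StartTime = $Since }
    )
    foreach ($f in $filters) {
        Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue
    }
}

function ConvertTo-ThresholdIncident {
    param([Parameter(ValueFromPipeline)] $Event)
    process {
        # Map each event to the stage of the failure it documents
        $stage = switch ("$($Event.ProviderName):$($Event.Id)") {
            'Directory Synchronization:116' { 'Warning: pending deletes vs. threshold' }
            'Directory Synchronization:906' { 'Export stopped (error code 95)' }
            'ADSync:6950'                   { 'Deletes exceed threshold (0x80231366)' }
            default                         { $null }
        }
        if ($stage) {
            [pscustomobject]@{
                Time     = $Event.TimeCreated
                Provider = $Event.ProviderName
                Id       = $Event.Id
                Stage    = $stage
                Message  = ($Event.Message -split "`r?`n")[0]   # first line only
            }
        }
    }
}

function Test-ThresholdIncident {
    # Confirmed only when the export was actually stopped, not merely warned about
    param([AllowEmptyCollection()] [object[]]$Incidents = @())
    [bool]($Incidents | Where-Object { $_.Id -in 906, 6950 })
}

# Constructed sample events (shape mimics Get-WinEvent output) for an offline dry run
$sample = @(
    [pscustomobject]@{ TimeCreated = Get-Date; ProviderName = 'Directory Synchronization'; Id = 116
                       Message = "Constructed: 612 deletes pending, threshold is 500.`r`nDetails omitted." },
    [pscustomobject]@{ TimeCreated = Get-Date; ProviderName = 'Directory Synchronization'; Id = 906
                       Message = 'Constructed: export failed with error code 95.' },
    [pscustomobject]@{ TimeCreated = Get-Date; ProviderName = 'ADSync'; Id = 6950
                       Message = 'Constructed: 0x80231366, deletes exceed the deletion threshold.' }
)
$incidents = @($sample | ConvertTo-ThresholdIncident)
$incidents | Format-Table -AutoSize
"Incident confirmed: $(Test-ThresholdIncident $incidents)"

# On a live Azure AD Connect server, replace $sample with Get-DeletionThresholdEvents
```

Wire Test-ThresholdIncident into whatever scheduled check or monitoring agent you already run on the Azure AD Connect servers; it complements, rather than replaces, the Azure AD Connect Health alert and the e-mail described below.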

2. Error in Azure AD Connect Synchronization Service

An export profile would show the stopped-deletion-threshold-exceeded status in Azure AD Connect’s Synchronization Service Manager interface.

3. Azure AD Connect Health

For organizations with Azure AD Premium licenses, Azure AD Connect Health shows a warning on the Alerts blade for Azure Active Directory Connect Servers in the Azure Portal:

Export to Azure Active Directory failed.

  

Issue
The export operation to Azure Active Directory Connector has failed. As a result, some objects may not be exported successfully to Azure Active Directory.
Fix
Please investigate the event log errors of export operation for further details.

4. Email

Eventually, an alert e-mail is sent to the technical contact for the Azure AD tenant, titled Servername: Export to Azure Active Directory failed – You have an important alert from Azure Active Directory, sent from azure-noreply@microsoft.com:

Example alert mail message when you exceed Azure AD Connect's Export Deletion Threshold

How to view the Threshold Configuration

To view the Export Deletion Threshold configuration on an Azure AD Connect installation, run the following line of Windows PowerShell on an elevated prompt:

Get-ADSyncExportDeletionThreshold

 

How to disable the Export Deletion Threshold

To disable the Export Deletion Threshold on an Azure AD Connect installation, run the following line of Windows PowerShell on an elevated prompt:

Disable-ADSyncExportDeletionThreshold

Provide the credentials of an Azure AD account with the Global Administrator role assigned to complete the command.

 

How to enable and set the Deletion Threshold

To enable the Export Deletion Threshold and set its number of objects on an Azure AD Connect installation, run the following line of Windows PowerShell on an elevated prompt:

Enable-ADSyncExportDeletionThreshold -DeletionThreshold 500

Provide the credentials of an Azure AD account with the Global Administrator role assigned to complete the command.

 

How to overcome hitting the Deletion Threshold

Your changes are desired

When you’re notified of, or experience, hitting the Export Deletion Threshold, and the deletes are desired, you can perform the above three actions as parts of the steps below:

  • Sign in to the actively synchronizing Azure AD Connect installation.
  • Open an elevated Windows PowerShell window.
  • View the Export Deletion Threshold value.
  • Disable the Export Deletion Threshold, or configure the Export Deletion Threshold to a value that is higher than the number of deletions to be exported.
  • Perform a synchronization cycle using the following line of Windows PowerShell:

Start-ADSyncSyncCycle

  • Enable and set the Export Deletion Threshold when you’ve disabled the Export Deletion Threshold previously, or set it back to the number it was configured to, when you’ve reconfigured it to a higher number in the previous steps.
  • Close the Windows PowerShell window.
  • Sign out.
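The procedure above as one added example script (not from the original post), so the threshold is raised just enough for the pending deletes and restored in a finally block instead of being left disabled. It assumes the ADSync cmdlets Get-ADSyncConnectorStatistics (for the pending ExportDeletes count) and Get-ADSyncConnectorRunStatus, and the -AADCredential parameter of Enable-ADSyncExportDeletionThreshold, are available on your build; the Azure AD connector name is a placeholder.

```powershell
# Added example, not part of the original post: raise, sync, restore.
# Run on the actively synchronizing Azure AD Connect server in an elevated prompt.
param(
    [int]$Margin = 50,   # headroom above the pending delete count for this one run
    [string]$AadConnectorName = 'contoso.onmicrosoft.com - AAD'   # placeholder name
)

Import-Module ADSync
$cred = Get-Credential -Message 'Azure AD account with the Global Administrator role'

# 1. Record the current configuration so it can be restored afterwards
$before = Get-ADSyncExportDeletionThreshold
Write-Host ("Current threshold: enabled={0} value={1}" -f $before.DeletionThresholdEnabled, $before.DeletionThreshold)

# 2. Count the deletions waiting to be exported to Azure AD
#    (assumes Get-ADSyncConnectorStatistics exposes ExportDeletes for the connector)
$pending = (Get-ADSyncConnectorStatistics -ConnectorName $AadConnectorName).ExportDeletes
Write-Host "Pending export deletes: $pending"

if ($before.DeletionThresholdEnabled -and $pending -le $before.DeletionThreshold) {
    Write-Host 'Pending deletes are within the current threshold; nothing to raise.'
    return
}

# 3. Raise the threshold just enough; never disable it, so an unrelated surge still trips it
$temporary = $pending + $Margin
Enable-ADSyncExportDeletionThreshold -DeletionThreshold $temporary -AADCredential $cred
Write-Host "Threshold temporarily raised to $temporary"

try {
    # 4. Run a delta cycle and wait until no connector is running anymore
    Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
    do {
        Start-Sleep -Seconds 10
    } while (Get-ADSyncConnectorRunStatus)
}
finally {
    # 5. Restore the previous value even if the cycle failed. If the threshold was
    #    disabled before, fall back to the product default of 500 from the post.
    $restore = if ($before.DeletionThresholdEnabled) { $before.DeletionThreshold } else { 500 }
    Enable-ADSyncExportDeletionThreshold -DeletionThreshold $restore -AADCredential $cred
    Write-Host "Threshold restored to $restore"
}
```

If the lesson learned from the incident is that the threshold itself was wrong, change $restore deliberately afterwards rather than leaving the temporary value in place.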

Set the Export Deletion Threshold to the same value as set previously, or use the information on the situation as a lesson-learned and increase or decrease the threshold value accordingly.

When the deletions are a result of a configuration change, perform the same configuration change on the Staging Mode Azure AD Connect installation(s), unless the configuration change is one that is stored in Azure AD.

Your changes are undesired

When you’re notified of, or experience, hitting the Export Deletion Threshold, and the deletes are undesired, roll back the configuration changes, or switch the actively synchronizing Azure AD Connect installation with a Staging Mode installation that still has the previous configuration.

 

Concluding

Azure AD Connect’s Export Deletion Threshold is a truly cool feature that might save your behind some day.

Don’t disable it. Tweak it. For many of the blogposts to come in this series, you’ll be glad you did.

Further reading

Azure AD Connect sync: Prevent accidental deletes


I’m presenting at the Dutch Windows Management User Group 2019-5 Meetup


OGD Delft

The Dutch Windows Management User Group (WMUG) is one of the more active IT Pro user groups in the Netherlands.

I was honored when they invited me to speak at their next meetup on Wednesday November 13, 2019. Of course, I’d present at this meetup; their fifth meetup this year!

     

WMUG NL Logo

About the Dutch Windows Management User Group (WMUG)

Windows Management User Group Netherlands (WMUG) is a Dutch user group offering a stage to share knowledge between fellow IT Pros through regular and 100% community-driven user group meetups.

I know many of the persons running WMUG. I meet Kenneth van Surksum, Arie de Haan, Erik Loef and Bob Cornelissen regularly at events and worked together with Peter Daalmans.

   

About the WMUG  2019-5 Meetup

Windows Management User Group Netherlands (WMUG) organizes a free community event on Wednesday night November 13, 2019 at OGD ict-diensten in Delft, the Netherlands.

The event starts at 4:30 PM with presentations and people are welcomed at the venue from 4 PM onwards. After the first one-hour presentation by Patrick van den Born titled ‘Identity and Access Management with Ivanti’, I have the stage for a maximum of 45 minutes, because, right after my presentation, we’ll eat. After the 60-minute dinner break, Erwin Derksen discusses Azure AD Domain Services, before we get some drinks.

To me personally, presenting at a former employer feels extra special.

  

About my presentation

I’ll present a 45-minute session, titled

Azure AD Connect; How did you think it went?

5:30 PM – 6:15 PM

20 million organizations worldwide use Azure AD. The majority of them use Azure AD Connect to synchronize their on-premises Active Directory environment(s) with Azure AD. An organization can realize this in four clicks, but what exactly do you get? And is that sufficient?

In this session, I’ll show the ultimate possibilities of Azure AD Connect. Opportunities that you thought were not possible, but are certainly worthwhile for many organizations. In addition, I’ll share the experiences of my team, so that you can take the tips, tricks, do’s and especially the don’ts with you to your own (or future) implementations of Azure AD Connect.

  

Join us!

This promises to be an excellent event for those craving some in-depth identity and access management!
Register for this event for free.

