SS Technology Forum

Tuesday, May 3, 2016

Azure MFA–Directory Integration Filter

Here are a few options you can use to filter objects from Active Directory when using Directory Integration with Azure MFA. The Azure on-premises MFA server supports standard LDAP filters. You can set the filter under Directory Integration –> Synchronization –> User Filter:


For example, if you want to filter or include users based on group membership, you can use the memberOf attribute with the distinguishedName of the security group, as shown below:

(memberof=CN=MFASync,OU=Groups,DC=labanddemo,DC=com)


If you want to filter or include users based on an attribute value, you can use the (attributename=value) format, as shown below:

(department=IT)


You can also use the standard logical operators to combine filter statements:

(|(memberof=CN=MFASync,OU=Groups,DC=labanddemo,DC=com)(department=IT))

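To check which accounts a User Filter would select before applying it, here is an added Python example (not from the original post, and not the MFA server's own code) that evaluates the three filter forms shown above, plus & and !, against a few constructed sample entries. The group DN is the one from the post; the user entries are made up.

```python
# Added example (not from the original post): a small evaluator for the LDAP
# filter syntax the MFA server's User Filter accepts, run against constructed
# sample AD entries, so a filter can be checked before it is applied.
MFA_GROUP = "CN=MFASync,OU=Groups,DC=labanddemo,DC=com"   # group DN from the post
USERS = {                                                  # constructed sample entries
    "alice": {"department": "IT", "memberOf": [MFA_GROUP]},
    "bob": {"department": "HR", "memberOf": [MFA_GROUP]},
    "carol": {"department": "IT", "memberOf": []},
    "dave": {"department": "Sales", "memberOf": ["CN=Other,OU=Groups,DC=labanddemo,DC=com"]},
}
def parse(s, i=0):
    """Parse one parenthesised filter at s[i]; return (node, index after it)."""
    if s[i:i + 1] != "(":
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    c = s[i:i + 1]
    if c in ("&", "|"):                   # (&(...)(...)) or (|(...)(...))
        kids = []
        i += 1
        while s[i:i + 1] == "(":
            kid, i = parse(s, i)
            kids.append(kid)
        node = (c, kids)
    elif c == "!":                        # (!(...))
        kid, i = parse(s, i + 1)
        node = ("!", [kid])
    else:                                 # (attribute=value)
        end = s.index(")", i)             # raises ValueError if ')' is missing
        attr, _, value = s[i:end].partition("=")
        node = ("=", attr.strip(), value.strip())
        i = end
    if s[i:i + 1] != ")":
        raise ValueError("expected ')' at offset %d" % i)
    return node, i + 1
def matches(node, entry):
    """Evaluate a parsed filter against one entry (names and values case-insensitive)."""
    kind = node[0]
    if kind == "&":
        return all(matches(k, entry) for k in node[1])
    if kind == "|":
        return any(matches(k, entry) for k in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    _, attr, value = node
    vals = {k.lower(): v for k, v in entry.items()}.get(attr.lower(), [])
    vals = vals if isinstance(vals, list) else [vals]
    # memberOf equality is direct membership only; nested groups are not expanded.
    return any(v.lower() == value.lower() for v in vals)
def select_users(ldap_filter, users=USERS):
    """Return the sorted names of the users the filter would include."""
    node, end = parse(ldap_filter)
    if end != len(ldap_filter):
        raise ValueError("unexpected text after the closing ')'")
    return sorted(n for n, e in users.items() if matches(node, e))
```

For a live check against the directory, the same filter string can be passed to Get-ADUser -LDAPFilter before it is entered in the MFA server.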

Thursday, April 28, 2016

Azure MFA - ADFS Adaptor and pfsvcclientclr.dll Error

Problem Statement:

When using version 7.0 of the Azure on-premises MFA server, you may receive event ID 364 with the error message “Could not load file or assembly 'pfsvcclientclr.dll' or one of its dependencies. The specified module could not be found”.

Complete Error Message:

System.IO.FileNotFoundException: Could not load file or assembly 'pfsvcclientclr.dll' or one of its dependencies. The specified module could not be found.
File name: 'pfsvcclientclr.dll'
   at pfadfs.AuthenticationAdapter.IsAvailableForUser(Claim identityClaim, IAuthenticationContext context)
   at Microsoft.IdentityServer.Web.Authentication.External.ExternalAuthenticationHandler.IsAvailableForUser(Claim identityClaim, IAuthenticationContext authContext)
   at Microsoft.IdentityServer.Web.Authentication.External.ExternalAuthenticationHandler.ProcessContext(ProtocolContext context, IAuthenticationContext authContext, IAccountStoreUserData userData)
   at Microsoft.IdentityServer.Web.Authentication.External.ExternalAuthenticationHandler.Process(ProtocolContext context)
   at Microsoft.IdentityServer.Web.Authentication.AuthenticationOptionsHandler.Process(ProtocolContext context)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

Resolution:

Install the following:

  1. Visual C++ Redistributable x64 and x86 (https://www.microsoft.com/en-us/download/details.aspx?id=49984)
  2. KB2919355, if you are using Windows Server 2012 R2 (https://support.microsoft.com/en-us/kb/2919355)

Thursday, January 7, 2016

Azure MFA–Publishing MFA Portals using Web Application Proxy

 

The goal is to publish the on-premises Microsoft Multi-Factor Authentication (MFA) server portals using the Web Application Proxy service (not Azure Application Proxy!). The Microsoft MFA server has the following three portals:

1. User Portal - The User Portal section allows the administrator to install and configure the Multi-Factor Authentication User Portal.

2. Web Service SDK - The Web Service SDK section allows the administrator to install the Multi-Factor Authentication Web Service SDK.

3. Mobile App - The Mobile App section allows the administrator to configure settings for the Mobile App. There is also a Mobile App Web Service which needs to be installed to support mobile app activations.

At the end of the configuration, my goal is to provide a single published URL for the User Portal, the Web Service SDK and the Mobile App.

 


Tuesday, January 5, 2016

Azure–Add an Application from the Gallery

 

You have the following three options when integrating an application in Azure (depending, of course, on your application type).


When adding a Custom application from the Gallery, you should see the configuration screen for the application integration.


Custom application is part of the Azure AD Premium offering. If you don’t have a Premium license, instead of that screen you will see a link, Add an unlisted application your organization is using, which points to the https://azure.microsoft.com/en-us/documentation/articles/active-directory-saas-custom-apps/ URL.


This issue can be resolved by assigning a Premium license to the respective Azure directory. If you don’t have a Premium license, you can obtain a trial license from here.

Friday, January 1, 2016

Microsoft Most Valuable Professional (MVP) Award

 

Microsoft Most Valuable Professional (MVP) Award – Enterprise Mobility

Perfect start to my 2016.  Received the Microsoft Most Valuable Professional (MVP) award for the 6th time.  https://mvp.microsoft.com/en-us/PublicProfile/4030770?fullName=Santhosh%20%20Sivarajan

Received the following good news this morning.


Dear Santhosh Sivarajan,
Congratulations! We are pleased to present you with the 2016 Microsoft® MVP Award! This award is given to exceptional technical community leaders who actively share their high quality, real world expertise with others. We appreciate your outstanding contributions in Enterprise Mobility technical communities during the past year.
Also in this email:

  • About your MVP Award Gift
  • How to claim your award benefits
  • Your MVP Identification Number
  • MVP Award Program Code of Conduct

The Microsoft MVP Award provides us the unique opportunity to celebrate and honor your significant contributions and say "Thank you for your technical leadership."

Patrick Malone
Director
Community & Advocacy Programs
Microsoft

Tuesday, November 17, 2015

AADSync to AADConnect Upgrade and Enterprise Admins group Error

The AADSync to AADConnect upgrade process is well documented in the https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect-dirsync-upgrade-get-started/ article.

However, you may receive the error message “user is not part of the Enterprise Admins group” during the upgrade if you select the Express install option. There seems to be an issue with the Express option during the upgrade process. The workaround is to use the Customize option and complete the upgrade/installation process.

Monday, November 9, 2015

AADConnect – An error occurred executing Create AD Trust task

Azure custom domain name verification is a little different if you are enabling SSO using ADFS (a federated domain). If you select the “I plan to configure the domain for single sign-on with my local Active Directory” option, you will not get a TXT or MX record from this window for domain verification.


The TXT and MX records are instead provided during the AADConnect configuration.

However, sometimes you will get the AzureDomainNotVerifiedException error during the AADConnect domain verification. The error message and details are given below:

Create AAD Trust
An error occurred executing Create AAD Trust task: Exception of type ‘Microsoft.Online.Deployment.Types.AzureDomainNotVerifiedException’ was thrown.


Resolution / Workaround
1. Delete the custom domain from Azure.
2. Add a new custom domain and DO NOT select the “I plan to configure the domain for single sign-on with my local Active Directory” option.
3. Get the TXT record and verify the domain.
4. Perform the AADConnect configuration. During this configuration, the domain will be converted from Managed to Federated.

Tuesday, October 6, 2015

AADConnect – Password Writeback - Unable to Configure Password Writeback

This error message is a little misleading: “Ensure you have a required license”. The issue is that AADConnect cannot verify the licensing, or any other information, from Azure at this point. It could be a license issue or something else entirely. You can get additional information by checking the Application event log on the AADConnect server.

Unable to configure password writeback.  Ensure you have a required license and consult the event log for additional information.


Event Log message:
Log Name:      Application
Source:        PasswordResetService
Date:          11/11/2015 11:01:20 AM
Event ID:      32011
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      AADConnect Server
Description:
TrackingId: f771fb12-ccca-49bc-80aa-7235c97369be, Error connecting to OnPremisesPasswordResetOnboarding Service, Details: System.TimeoutException: The request channel timed out while waiting for a reply after 00:00:59.9589823. Increase the timeout value passed to the call to Request or increase the SendTimeout value on the Binding. The time allotted to this operation may have been a portion of a longer timeout. ---> System.TimeoutException: The HTTP request to 'https://passwordreset.microsoftonline.com/OnboardingService/OnPremisesPasswordResetOnboardingService.svc/OnboardTenantForOnPremisesPasswordResetWithSymmetricKey' has exceeded the allotted timeout of 00:01:00. The time allotted to this operation may have been a portion of a longer timeout. ---> System.Net.WebException: The operation has timed out
   at System.Net.HttpWebRequest.GetResponse()
   at System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
   --- End of inner exception stack trace ---
   at System.ServiceModel.Channels.HttpChannelUtilities.ProcessGetResponseWebException(WebException webException, HttpWebRequest request, HttpAbortReason abortReason)
   at System.ServiceModel.Channels.HttpChannelFactory`1.HttpRequestChannel.HttpChannelRequest.WaitForReply(TimeSpan timeout)
   at System.ServiceModel.Channels.RequestChannel.Request(Message message, TimeSpan timeout)
   --- End of inner exception stack trace ---
Server stack trace:
   at System.ServiceModel.Channels.RequestChannel.Request(Message message, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannel.Call(String action, Boolean oneway, ProxyOperationRuntime operation, Object[] ins, Object[] outs, TimeSpan timeout)
   at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
   at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)
Exception rethrown at [0]:
   at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
   at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
   at IOnPremisesPasswordResetOnboarding.OnboardTenantForOnPremisesPasswordResetWithSymmetricKey(OnPremisesPasswordResetOnboardingRequest request)
   at Microsoft.CredentialManagement.OnPremisesPasswordReset.Library.OnboardingServiceConnector.Invoke[TResult](Func`2 operation)
   at Microsoft.CredentialManagement.OnPremisesPasswordReset.Library.OnboardingServiceConnector.InvokeWithRetry[TResult](Func`2 operation, String onboardingServiceUrl, String authenticationToken)

Resolution
According to the event log message, we had some type of connection timeout. These errors are mainly due to firewall or proxy issues. The required firewall and port details are documented in the https://azure.microsoft.com/en-us/documentation/articles/active-directory-passwords-getting-started/#step-3-configure-your-firewall article. Make sure these ports are open before configuring password writeback.

Step 3: Configure your firewall
After you have enabled Password Writeback in the Azure AD Connect tool, you will need to make sure the service can connect to the cloud.
1. Once installation is complete, if you are blocking unknown outbound connections in your environment, you will also need to add the following rules to your firewall. Make sure you reboot your AAD Connect machine after making these changes:
· Allow outbound connections over port 443 TCP
· Allow outbound connections to https://ssprsbprodncu-sb.accesscontrol.windows.net/
· When using a proxy or having general connectivity issues, allow outbound connections over ports 9350-9354 TCP

Tuesday, September 22, 2015

Azure – Your account is temporarily locked to prevent unauthorized use

Here is another common error message when dealing with directory and password synchronization.

Error Message:

Your account is temporarily locked to prevent unauthorized use. Try again later. Contact Customer Support if the problem persists

Resolution:

Make sure the directory synchronization service account has the proper permissions in AD. The permission details are documented in this article - https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect-account-summary/

The above error message is related to the Replicating Directory Changes and Replicating Directory Changes All permissions in AD.

From https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect-account-summary/: “If you intend to configure password sync to Azure AD, ensure this account has the following permissions assigned: - Replicating Directory Changes - Replicating Directory Changes All”

Tuesday, September 8, 2015

Azure Password Reset – The Password you’ve selected does not meet your Active Directory password policy

This is a common error message when you try to reset a password from the Azure management portal or the self-service portal. The error message is very clear here: “The Password you’ve selected does not meet your local Active Directory password policy”. So you have to start with your Active Directory password policy.

 


You will also see detailed information in the event log of your directory synchronization server.


I have seen many issues related to the Minimum Password Age value. By default it is 1 day, so if you are trying to change the password again on the same day you may need to change the value to 0. Keep in mind that a minimum age of 0 also lets a user cycle through passwords immediately, which undermines the password history setting, so restore the original value once the reset is done. In any case, the error message from Azure is directly related to the configuration in your AD password policy.

