SS Technology Forum

Thursday, February 16, 2017

Azure MFA Server – Authentication Types (Part II)

Original posts:

Part I - http://portal.sivarajan.com/2016/05/azure-mfa-serverauthentication-type.html

Part II - http://portal.sivarajan.com/2016/06/azure-mfa-server-authentication-type.html

Microsoft Azure Multi-Factor Authentication (MFA) offers several authentication types when an on-premises MFA Server is used. The Company Settings section of the MFA Server console lets the MFA administrator define company-wide defaults for all users.

The administrator can also set (or override) the configuration of an individual user from the Users section.

End users can make their own selections from the User Portal.

In general, the following authentication modes are available with an on-premises MFA server. The purpose of this blog is to explain each of these authentication types and the expected result; the screenshots referred to below are in the original post.

  1. Phone call (Standard)
  2. Phone call (PIN)
  3. Text message (One-way OTP)
  4. Text message (Two-way OTP)
  5. Text message (One-way OTP + PIN)
  6. Text message (Two-way OTP + PIN)
  7. Azure Authenticator application (Standard)
  8. Azure Authenticator application (PIN)
  9. Azure Authenticator application (OATH token)
  10. Third Party OATH token

In this blog, I will be covering the following authentication types. 

  1. Azure Authenticator application (Standard)
  2. Azure Authenticator application (PIN)
  3. Azure Authenticator application (OATH token)
  4. Third Party OATH token

Review Part I of this blog for other authentication type details. 

The Mobile App type results in a push notification being sent to the user's Azure Authenticator mobile app. There are two notification modes for the mobile app: Standard and PIN.

Azure Authenticator application - Standard

In this mode, the user completes the primary authentication with a user name and password; the second factor is a notification delivered to the Azure Authenticator mobile app.

Expected Result

In Standard mode, the notification lets the user Authenticate, Deny, or Deny and report fraud. Because a single tap approves the sign-in, a user who receives a prompt without having started a sign-in should choose Deny and report fraud rather than approve it.

Azure Authenticator application - PIN

PIN mode strengthens the Multi-Factor Authentication by requiring the user to enter a PIN in the Azure Authenticator mobile app before the request is approved.

Expected Result

In this mode, the user completes the primary authentication with a user name and password; the second factor is a notification in the Azure Authenticator mobile app that prompts the user for their PIN.

Azure Authenticator application - OATH token

In OATH token mode the user is prompted for an OATH code to complete Multi-Factor Authentication. Time-based OATH codes (TOTP) can be generated by the Azure Authenticator mobile app or by a third-party token. We will start with the Azure Authenticator mobile app. As the MFA Server console screenshot in the original post shows, OATH tokens must be enabled (Enable OATH Tokens) in the MFA Server console before the Azure Authenticator mobile app will display a time-based OATH code. Keep in mind that the OATH token method is only supported by RADIUS authentication and IIS Form-Based Authentication.

After the mobile app has been activated, the user can select OATH token mode from the User Portal, or an administrator can configure it from the MFA Server console.

Expected Result

A time-based OATH code is generated by the Azure Authenticator mobile app. This code must be entered in the respective application to complete the second-factor authentication.

Third Party OATH token

Azure MFA Server supports time-based OATH (OATH-TOTP) third-party tokens. This is an alternative to using the Azure Authenticator mobile app as an OATH token (see the previous scenario, Azure Authenticator application - OATH token). OATH tokens can be added or imported before they are associated with a user. Administrators can associate users and tokens in the Multi-Factor Authentication Server console or in the User Portal. Users can associate themselves with an OATH token during User Portal enrollment, or with the OATH Token menu option when the User Portal is configured to provide this functionality. MFA Server also supports bulk token import and configuration: an administrator can import OATH token records from an input file. The secret keys must be in Base32 format.

For this scenario, I am using a YubiKey 4 (Yubico) as the third-party OATH token. You need the Yubico Authenticator application to read the OATH code from the YubiKey. Review my Azure MFA and Yubico OATH configuration blog for the configuration details.

The OATH token option is configured the same way as the Azure Authenticator mobile app OATH token.

Expected Result

In this scenario, you will be using the time-based OATH code generated by the Yubico Authenticator application. This OATH code must be entered in the respective application to complete the second-factor authentication.

If a user has both the Azure mobile app OATH token and a third-party OATH token active, a code from either token is accepted. Keep that in mind when a user reports a lost token: both tokens need to be reviewed, not only the one the user is currently using.
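The following PowerShell is an added example, not code from the original post or from Microsoft. It shows what every OATH-TOTP token on this page computes from its shared secret, whether the token is the Azure Authenticator app in OATH mode, a YubiKey read through Yubico Authenticator, or a token record bulk-imported into MFA Server: the Base32 secret is decoded to raw bytes, an HMAC-SHA1 is taken over the 30-second time counter, and the result is dynamically truncated to six digits (RFC 4226 and RFC 6238). The secret used below is the RFC 6238 reference secret, not a real token, and the plus-or-minus one step acceptance window in Test-TotpCode is an assumption for illustration; the page does not state what window MFA Server itself allows.

```powershell
# Added example (not from the original post): OATH-TOTP as computed by the
# Azure Authenticator app, a YubiKey via Yubico Authenticator, or any token
# whose Base32 secret was imported into MFA Server. RFC 4226 / RFC 6238 with
# HMAC-SHA1, a 30-second step and 6 digits (the usual defaults, assumed here).
# Requires Windows PowerShell 5.1 or later for the ::new() syntax.

function ConvertFrom-Base32 {
    # Decode the RFC 4648 Base32 alphabet that MFA Server expects for imported secrets.
    param([Parameter(Mandatory)][string]$Base32)
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567'
    $clean = ($Base32 -replace '[\s=-]', '').ToUpperInvariant()
    $bits = [System.Text.StringBuilder]::new()
    foreach ($c in $clean.ToCharArray()) {
        $idx = $alphabet.IndexOf($c)
        if ($idx -lt 0) { throw "Invalid Base32 character '$c'" }
        [void]$bits.Append([Convert]::ToString($idx, 2).PadLeft(5, '0'))
    }
    $bitString = $bits.ToString()
    $bytes = [System.Collections.Generic.List[byte]]::new()
    for ($i = 0; $i + 8 -le $bitString.Length; $i += 8) {
        $bytes.Add([Convert]::ToByte($bitString.Substring($i, 8), 2))
    }
    return ,$bytes.ToArray()
}

function Get-TotpCode {
    # TOTP = HOTP(K, floor(UnixTime / StepSeconds)) truncated to $Digits digits.
    param(
        [Parameter(Mandatory)][string]$Base32Secret,
        [long]$UnixTime = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds(),
        [int]$StepSeconds = 30,
        [int]$Digits = 6
    )
    $key = ConvertFrom-Base32 $Base32Secret
    [long]$counter = [math]::Floor($UnixTime / $StepSeconds)
    # RFC 4226: the counter is an 8-byte big-endian value
    $msg = [BitConverter]::GetBytes($counter)
    if ([BitConverter]::IsLittleEndian) { [Array]::Reverse($msg) }
    $hmac = [System.Security.Cryptography.HMACSHA1]::new($key)
    $hash = $hmac.ComputeHash($msg)
    # Dynamic truncation: the low nibble of the last byte selects a 4-byte window
    $offset = $hash[$hash.Length - 1] -band 0x0F
    $binary = (
        (($hash[$offset]     -band 0x7F) -shl 24) -bor
        (($hash[$offset + 1] -band 0xFF) -shl 16) -bor
        (($hash[$offset + 2] -band 0xFF) -shl 8)  -bor
         ($hash[$offset + 3] -band 0xFF)
    )
    $code = $binary % [int][math]::Pow(10, $Digits)
    return ([string]$code).PadLeft($Digits, '0')
}

function Test-TotpCode {
    # Accept the current step plus the adjacent ones to tolerate clock drift between
    # the token and the server. The +/-1 window is an assumption for illustration,
    # not MFA Server's configured tolerance.
    param(
        [Parameter(Mandatory)][string]$Base32Secret,
        [Parameter(Mandatory)][string]$Code,
        [long]$UnixTime = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds(),
        [int]$StepSeconds = 30,
        [int]$Window = 1
    )
    foreach ($delta in (-$Window)..$Window) {
        $candidate = Get-TotpCode -Base32Secret $Base32Secret `
            -UnixTime ($UnixTime + $delta * $StepSeconds) -StepSeconds $StepSeconds
        if ($candidate -eq $Code) { return $true }
    }
    return $false
}

# RFC 6238 Appendix B reference secret (ASCII "12345678901234567890" in Base32);
# a constructed test value, not a real token secret.
$secret = 'GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ'
Get-TotpCode  -Base32Secret $secret -UnixTime 59
Test-TotpCode -Base32Secret $secret -Code (Get-TotpCode -Base32Secret $secret -UnixTime 59) -UnixTime 89
Test-TotpCode -Base32Secret $secret -Code (Get-TotpCode -Base32Secret $secret -UnixTime 59) -UnixTime 150
```

RFC 6238 Appendix B lists 94287082 as the SHA-1 TOTP for this secret at T=59, so a correct six-digit implementation prints 287082 for the first call. The second call lands one step later (counter 2 against counter 1) and is accepted by the drift window; the third is three steps later and is rejected. The same functions can be used to sanity-check a token record before bulk import into MFA Server: if ConvertFrom-Base32 throws on the secret, the import file is not in the Base32 format the server requires.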


      Azure MFA Server–Authentication Types (Part I)



      In general, the following authentication modes are available when using an on-premises MFA server. The purpose of this blog is to explain each of these authentication types and expected result with screenshots.  

      1. Phone call (Standard)
      2. Phone call (PIN)
      3. Text message (One-way OTP)
      4. Text message (Two-way OTP)
      5. Text message (One-way OTP + PIN)
      6. Text message (Two-way OTP + PIN)
      7. Azure Authenticator application (Standard)
      8. Azure Authenticator application (PIN)
      9. Azure Authenticator application (OATH token)
      10. Third Party OATH token

We will start with the Phone call option. The Phone call authentication type has two sub-options:

1. Phone call (Standard)
2. Phone call (PIN)

Authentication Type : Phone Call – Standard

Expected Result

In this mode, the user completes the first authentication with a user name and password; the second authentication is a phone call that the user answers and approves.

The first authentication depends on how the target is configured in MFA Server. For example, for RADIUS, you select the primary authentication target from the Target tab (shown in the original post's screenshot).

The "from" telephone number (Caller ID) can be customized from the Azure classic portal (https://manage.windowsazure.com/ –> Active Directory –> Configure –> Multi-factor Authentication –> Manage Service Settings –> Go to the Portal –> Configure –> Settings –> General Settings –> Caller ID Phone Number).

The voice messages can also be customized to your requirements. This option is under https://manage.windowsazure.com/ –> Active Directory –> Configure –> Multi-factor Authentication –> Manage Service Settings –> Go to the Portal –> Configure –> Voice Messages. (The classic portal at manage.windowsazure.com has since been retired; the same settings are available from the current Azure portal.)

Authentication Type : Phone Call – PIN

In this scenario, we will use the Phone call with PIN option.

Expected Result

In this mode, the user completes the first authentication with a user name and password; the second authentication is a phone call during which MFA asks the user to enter their personal PIN. Someone who answers the phone but does not know the PIN cannot approve the request.

The PIN creation and enforcement rules are set in the user's configuration.

You also have the option in Company Settings to enforce default PIN rules.

The next authentication type is Text message. The Text message type has four sub-options:

      1. Text message (One-way OTP)
      2. Text message (Two-way OTP)
      3. Text message (One-way OTP + PIN)
      4. Text message (Two-way OTP + PIN)

Authentication Type : Text message - One-way OTP

Expected Result

In this mode, the user completes the first authentication with a user name and password; the second authentication is a text message containing a One-Time Passcode (OTP) sent to the user.

The user must enter this One-Time Passcode (OTP) in the respective application to complete the authentication request. Your application must support challenge-response (authentication chaining), because the OTP is collected in a second prompt after the password.

Authentication Type : Text message – Two-way OTP

Expected Result

In this mode, the user completes the first authentication with a user name and password; the second authentication is a text message containing a One-Time Passcode (OTP). The user must reply to that text message with the provided OTP to complete the authentication request; the reply goes back over SMS rather than through a prompt in the application.

Authentication Type : Text message - One-way OTP + PIN

Expected Result

In this mode, the user completes the first authentication with a user name and password; the second authentication is a text message containing a One-Time Passcode (OTP) sent to the user.

The One-Time Passcode (OTP) together with the user's PIN (OTP + PIN) must be entered in the application to complete the authentication request.

The PIN value is based on the configuration in the user or Company Settings:

User settings: PIN creation and enforcement for the individual user.

Company Settings: default PIN rules applied to all users.

Authentication Type : Text message – Two-way OTP + PIN

Expected Result

In this mode, the user completes the first authentication with a user name and password; the second authentication is a text message containing a One-Time Passcode (OTP). The user must reply to that text message with the provided OTP plus their personal PIN (OTP + PIN) to complete the authentication request.

I believe we have enough information and screenshots for this blog. I will cover the following authentication types in Part II of this blog:

       


      Sunday, January 1, 2017

      Happy New Year – Microsoft Most Valuable Professional (MVP) Award 2017


      Received the Microsoft Most Valuable Professional (MVP) award this year also. Great start to 2017!


      Thursday, December 8, 2016

      PowerShell - Send Test Email (Office 365) Using PowerShell

       

Here is a sample PowerShell script that can be used to test email communication through an SMTP server. In this script, I am using the Office 365 SMTP server, smtp.office365.com, with authenticated submission over TLS on port 587. The mailbox used in $EmailFrom must have SMTP AUTH (authenticated client submission) enabled, and the credential you enter is that mailbox's credential.

Script:

#
# SMTP test - Office 365 (smtp.office365.com, STARTTLS on port 587)
# Send-MailMessage Reference - https://msdn.microsoft.com/en-us/powershell/reference/5.1/microsoft.powershell.utility/send-mailmessage
# Note: Send-MailMessage is marked obsolete in PowerShell 7 because it cannot guarantee a
# secure connection to the SMTP server; it still ships and works in Windows PowerShell 5.1,
# which this script targets.
#
$SMTPServer = "smtp.office365.com"
$EmailFrom  = "Santhosh@virtualsecuritysolutions.com"
$EmailTo    = "santhosh@ss-ts.com"
#
Write-Host "`t`tSelect 1 - SMTP Test Message with No Attachment" -ForegroundColor Red
Write-Host "`t`tSelect 2 - SMTP Test Message with Attachment" -ForegroundColor Red
$Option = Read-Host -Prompt "Option"
#
Function EmailTest_No_Attachment
{
    # Test 1: plain message, no attachment
    $Cred = Get-Credential -Message "Credentials for $EmailFrom (SMTP AUTH)"
    $Sub = "SMTP Test Message - 1 - No Attachment"
    $Bmessage = "SMTP Test Message - 1 with No Attachment"
    Send-MailMessage -From $EmailFrom -To $EmailTo -Subject $Sub -Body $Bmessage -SmtpServer $SMTPServer -Credential $Cred -UseSsl -Port 587
}

Function EmailTest_With_Attachment
{
    # Test 2: message with a file attachment (adjust the path to an existing file)
    $MyAttachment = "C:\temp\1.docx"
    if (-not (Test-Path $MyAttachment)) { throw "Attachment not found: $MyAttachment" }
    $Cred = Get-Credential -Message "Credentials for $EmailFrom (SMTP AUTH)"
    $Sub = "SMTP Test Message - 2 with Attachment"
    $Bmessage = "Test email body message - With Attachment"
    Send-MailMessage -From $EmailFrom -To $EmailTo -Subject $Sub -Body $Bmessage -Attachments $MyAttachment -SmtpServer $SMTPServer -Credential $Cred -UseSsl -Port 587
}
#
Switch ($Option)
{
    1 {EmailTest_No_Attachment}
    2 {EmailTest_With_Attachment}
    default {"Invalid Selection"}
}

Script download options:

1. OneDrive - https://1drv.ms/t/s!AuVEEHIwTxv9h4ZXLslcu1MzA8ZSqw

2. TechNet Gallery - https://1drv.ms/t/s!AuVEEHIwTxv9h4ZXLslcu1MzA8ZSqw

      Thursday, October 20, 2016

      Windows Server 2016–Active Directory–Part1

      1. Part1 - Windows Server 2016 – Active Directory
      2. Part 2 - Windows Server 2016 – Active Directory – Temporary Group Memberships
As you know, the latest version of Windows Server, Windows Server 2016, is now available. It is also available in Azure, as I mentioned here. You can read "what is new in Windows Server 2016" in this Microsoft article here. In general, Windows Server 2016 provides:
• Added layers of security - Enhance security and reduce risk with multiple layers of built-in protection.
• New deployment options - Increase availability and reduce resource usage with the lightweight Nano Server.
• Built-in containers - Develop and manage with agility thanks to Windows Server and Hyper-V containers.
• Cost-efficient storage - Build highly available, scalable software-defined storage and reduce costs.
• Innovative networking - Software-defined networking to automate with cloud-like efficiency.
I am not going into the details of Windows Server 2016 or its capabilities here; you can read all of that at the URL above. My plan is to start a new blog series on Windows Server 2016 and Active Directory functionality. To begin, I will add a new Windows Server 2016 server to my existing Active Directory 2012 domain and promote it as an additional domain controller. The domain controller promotion process is very similar to previous versions of Windows.
There is an upgrade to the Active Directory schema. The schema can be upgraded during the domain controller promotion process: the wizard runs the forest and domain preparation for you when the account used has the required rights. The new schema objectVersion is 87. Some additional information is in my TechNet wiki article here. You can verify the current schema version with ADSI Edit, DSQuery or PowerShell:
Get-ADObject (Get-ADRootDSE).schemaNamingContext -Properties objectVersion
dsquery * CN=Schema,CN=Configuration,DC=labanddemo,DC=com -scope base -attr objectVersion
For reference, the following table lists each Active Directory version and the corresponding schema objectVersion:
Active Directory version - objectVersion
Windows 2000 - 13
Windows 2003 - 30
Windows 2003 R2 - 31
Windows 2008 - 44
Windows 2008 R2 - 47
Windows 8 Beta - 52
Windows 2012 - 56
Windows 2012 R2 - 69
Windows Server 2016 - 87

*** objectVersion 39 - Please refer to http://blogs.technet.com/b/askds/archive/2011/07/15/friday-mail-sack-peevish-nediquette-edition.aspx
Anyway, we can start this journey with the DC promotion process. The following section provides step-by-step instructions.
1. Join the computer to your existing Active Directory domain.
2. Click OK on the Welcome window and restart the server. After the reboot, this server will be a member server in your existing Active Directory domain. By default, the computer object will be in the Computers container.
3. Log on to the server with domain credentials (domain\username). You need the permissions required to upgrade the schema and add an additional domain controller: for the first Windows Server 2016 domain controller in the forest, that means membership in Schema Admins and Enterprise Admins as well as Domain Admins, because the forest and domain preparation run at this point.
4. Next, add the AD DS server role to your new Windows Server 2016 server. Open Server Manager and select Add Roles and Features.
5. Click Next on the Before you begin window.
6. Select Role-based or feature-based installation. Click Next.
7. On the Select destination server window, select your local Windows Server 2016 server. Click Next.
8. From Server Roles, select Active Directory Domain Services. Accept the additional feature requirements by clicking Add Features.
9. Click Next on the Select features window.
10. Click Next on the Active Directory Domain Services window.
11. Select Install to begin the AD DS role installation.
12. The AD DS role is now installed on your new Windows Server 2016 server. The next step is to add an additional domain controller to your existing domain. As the screenshot in the original post shows, some configuration and post-deployment steps are still required to complete this task. Click Close.
13. From Server Manager, select Promote this server to a domain controller. This starts the DCPROMO (yes, I still like this word!) process.
14. You have three options:
   a. Add a domain controller to an existing domain
   b. Add a new domain to an existing forest
   c. Add a new forest
   For this exercise, select the first option, Add a domain controller to an existing domain. If you have only one domain and this new server is a member of it, the domain name is listed in the Domain field by default. Provide domain credentials with the required permissions; if the currently logged-on user does not have sufficient permission, select Change to enter a different credential.
15. On the Domain Controller Options window, select the options appropriate for your environment. In my scenario, I am selecting Domain Name System (DNS) server and Global Catalog (GC). Provide a password for Directory Services Restore Mode (DSRM) and click Next. Store the DSRM password securely: it is the local administrator credential for this domain controller when it is booted into DSRM, and it is needed for an authoritative restore.
16. Click Next on the DNS Options window.
17. On the Additional Options window, select the AD replication source. I am selecting Any domain controller for this exercise. Click Next.
18. On the Paths window, select the paths for the AD database, log files and SYSVOL. Click Next.
19. The Preparation Options window shows that the wizard will perform the forest and schema preparation and the domain preparation for Windows Server 2016. Click Next to continue.
20. Click Next to continue and begin the Prerequisites Check.
21. Verify the Prerequisites Check result. Click Install to start the domain controller promotion process.
22. I have included the common prerequisite warnings here for your reference:
Windows Server 2016 domain controllers have a default for the security setting named "Allow cryptography algorithms compatible with Windows NT 4.0" that prevents weaker cryptography algorithms when establishing security channel sessions.
For more information about this setting, see Knowledge Base article 942564 (http://go.microsoft.com/fwlink/?LinkId=104751).
This computer has at least one physical network adapter that does not have static IP address(es) assigned to its IP Properties. If both IPv4 and IPv6 are enabled for a network adapter, both IPv4 and IPv6 static IP addresses should be assigned to both IPv4 and IPv6 Properties of the physical network adapter. Such static IP address(es) assignment should be done to all the physical network adapters for reliable Domain Name System (DNS) operation.
A delegation for this DNS server cannot be created because the authoritative parent zone cannot be found or it does not run Windows DNS server. If you are integrating with an existing DNS infrastructure, you should manually create a delegation to this DNS server in the parent zone to ensure reliable name resolution from outside the domain "labanddemo.com". Otherwise, no action is required.
The first warning is informational: the NT 4.0-compatible cryptography setting is the secure default and should be left in place unless you still have clients that depend on the weaker secure channel algorithms. The second should be fixed before promotion by assigning static addresses. The third only matters if DNS for this domain is delegated from a parent zone.
23. Reboot the server after completing the DCPROMO process. After the restart, the new Windows Server 2016 server is an additional domain controller in your existing domain, and the schema has been upgraded to the Windows Server 2016 level (objectVersion 87).
I believe this is good for Part 1 of this blog series. In Part 2, my plan is to focus more on Active Directory functionality. Please post a comment here if you would like to see a particular topic in this series.
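The same promotion as an added PowerShell example, not from the original post (which uses the Server Manager wizard), so that steps 4 to 23 above can be scripted and the prerequisite warnings checked before anything is changed. Assumptions not in the original: the domain name labanddemo.com from the screenshots, the default database, log and SYSVOL paths, replication from any available domain controller, and Windows PowerShell 5.1 on the new server. The cmdlets are the standard ServerManager, ActiveDirectory, NetTCPIP and ADDSDeployment modules.

```powershell
# Added example, not from the original post: scripted equivalent of steps 4-23 above.
# Assumed values are marked. Run from an elevated PowerShell session on the new
# Windows Server 2016 member server.

$DomainName = 'labanddemo.com'   # assumed: the lab domain shown in the screenshots

# Steps 4-11: install the AD DS role plus the RSAT tools (ActiveDirectory module, dsquery, ADSI Edit)
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

# Schema check before promotion; 87 means the forest is already at the Windows Server 2016 level
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$before = (Get-ADObject $schemaNC -Properties objectVersion).objectVersion
Write-Host "Schema objectVersion before promotion: $before"

# Prerequisite warning 2 from step 22: every adapter should have static addresses.
# PrefixOrigin records how each address was obtained (Manual = static).
$dynamic = Get-NetIPAddress | Where-Object { $_.PrefixOrigin -in 'Dhcp', 'RouterAdvertisement' }
foreach ($ip in $dynamic) {
    Write-Warning "$($ip.InterfaceAlias): $($ip.IPAddress) is $($ip.PrefixOrigin)-assigned; set a static address before promoting."
}

# Step 14: an account that can extend the schema (Schema Admins + Enterprise Admins for the first 2016 DC)
$Cred = Get-Credential -Message 'Domain account with rights to add a domain controller'

# Step 15: DSRM password, read as a SecureString so it never sits in the script or the history
$Dsrm = Read-Host -Prompt 'Directory Services Restore Mode password' -AsSecureString

# Steps 19-21: the same prerequisite check the wizard runs, without changing anything yet
$check = Test-ADDSDomainControllerInstallation -DomainName $DomainName -Credential $Cred `
    -InstallDns -SafeModeAdministratorPassword $Dsrm
$check.Message
if ($check.Status -ne 'Success') { throw 'Prerequisite check failed; fix the reported issues and re-run.' }

# Steps 14-18 and 23: promote as an additional DC with DNS and Global Catalog (GC is on by default;
# -NoGlobalCatalog would turn it off), replicate from any DC, default paths. The cmdlet runs the
# forest/schema and domain preparation itself, then reboots the server when it finishes.
Install-ADDSDomainController -DomainName $DomainName -Credential $Cred `
    -InstallDns -SafeModeAdministratorPassword $Dsrm `
    -DatabasePath 'C:\Windows\NTDS' -LogPath 'C:\Windows\NTDS' -SysvolPath 'C:\Windows\SYSVOL' `
    -Force

# After the reboot, confirm the result from any domain-joined machine with RSAT. The schema
# query should now report 87, matching the table above, and the new server should be listed
# as a global catalog:
#   (Get-ADObject (Get-ADRootDSE).schemaNamingContext -Properties objectVersion).objectVersion
#   Get-ADDomainController -Filter * | Select-Object Name, IsGlobalCatalog, OperatingSystem
```

Test-ADDSDomainControllerInstallation reports the same three warnings the wizard shows in step 22 but returns Status Success for them, so the script only stops on hard errors; read the Message text for the warnings, particularly the static IP one, before letting the promotion proceed.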
