
Windows Phone 8 not enrolling with the “Support Tool for Windows Intune Trial Management of Window Phone 8”

8:47 am in ADFS, Cloud, CM12, ConfigMgr 2012 SP1, intune, SCCM 2012 SP1, Windows Intune by Kenny Buntinx [MVP]


At a customer, integrating and managing Windows Phone 8 with Windows Intune and System Center Configuration Manager 2012 SP1? Using the Support Tool for Windows Intune Trial Management of Window Phone 8 (which can be downloaded at http://www.microsoft.com/en-sg/download/details.aspx?id=39079)?

The Support Tool for Windows Intune Trial Management of Window Phone 8 lets Microsoft System Center 2012 Configuration Manager admins try out Windows Phone 8 software distribution scenarios during the trial period.

However, we couldn’t get our Windows Phone 8 enrolled. It always came back with the following error on the phone: “We weren’t able to set up this company account on your phone”.

Verify the following before going forward:

  • If you are using ADFS, check my previous blog post “Troubleshooting ADFS 2.1 Services for Windows Intune (WaveD)”.
  • Have you synced your AD accounts to Azure AD? Is DirSync working correctly? Check in Azure AD that you see your local AD users there.
  • Make sure the UPN is set correctly to your domain (SCUG.be instead of scug.onmicrosoft.com).
  • Set the CNAME record to manage.microsoft.com.


  • Reset the user’s password. Because the user must reset the password after the first logon, log on to e.g. portal.manage.microsoft.com with the user account before enrolling the device.
  • It is important that you first synchronize your AD users to Azure and only after that add the user account to the user collection that is allowed to enroll devices. If you first add the user to the collection while the new user is not yet in Azure AD, you need to wait up to 24 h. (Thanks to my fellow MVP Panu Sauko!)
  • If you get the latter error message, change the language and regional settings of your mobile phone to en-US and try to enroll again. (Thanks to my fellow MVP Panu Sauko!)

Going down into the logs, which by the way is very difficult on the Windows Phone 8 or Windows Intune side, the only option was to look into the System Center Configuration Manager log files.

Looking in dmpdownloader.log, I found the following line appearing every time I tried to enroll the WP8 device. Strange.

ERROR: Service health log: WP appStoreURI is missing for account 73dab792-979c-40be-947b-b7c8040e725b and userId ******************************33d16d
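Rather than reading dmpdownloader.log by hand each time an enrollment fails, the following added example (not part of the original post) scans the log for that exact error and pulls out the account it refers to. The three log lines it writes are constructed to mimic the ConfigMgr (CMTrace) log format; point $logPath at the real dmpdownloader.log instead.

```powershell
# Added example (not from the original post): find the "WP appStoreURI is missing"
# error in dmpdownloader.log, which indicates a broken Company Portal / signing
# certificate registration. The sample entries below are constructed; the account
# GUID is an all-zero placeholder.
$logPath = Join-Path $env:TEMP 'dmpdownloader.sample.log'   # constructed sample file
@'
<![LOG[Starting service health log processing]LOG]!><time="08:40:01.123+000" date="07-15-2013" component="SMS_DMP_DOWNLOADER" context="" type="1" thread="1234" file="dmpdownloader.cpp:100">
<![LOG[ERROR: Service health log: WP appStoreURI is missing for account 00000000-0000-0000-0000-000000000000 and userId ******************************abcdef]LOG]!><time="08:40:02.456+000" date="07-15-2013" component="SMS_DMP_DOWNLOADER" context="" type="3" thread="1234" file="dmpdownloader.cpp:200">
<![LOG[Finished service health log processing]LOG]!><time="08:40:03.789+000" date="07-15-2013" component="SMS_DMP_DOWNLOADER" context="" type="1" thread="1234" file="dmpdownloader.cpp:300">
'@ | Set-Content -Path $logPath -Encoding UTF8

# One CMTrace entry per line: the message, then time/date/type attributes (type 3 = error)
$entryRx = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)" date="(?<date>[^"]+)".*?type="(?<type>\d)"'

$hits = Get-Content $logPath | ForEach-Object {
    if ($_ -match $entryRx -and $Matches.msg -like '*WP appStoreURI is missing*') {
        [pscustomobject]@{
            Date    = $Matches.date
            Time    = $Matches.time
            Account = [regex]::Match($Matches.msg, 'account (?<id>[0-9a-f-]{36})').Groups['id'].Value
            Message = $Matches.msg
        }
    }
}

if ($hits) {
    $hits | Format-Table Date, Time, Account -AutoSize
    Write-Warning 'Company Portal / certificate registration is broken for the account(s) above: re-run ConfigureWP8Settings.vbs (QuerySSPModelName, then SaveSettings).'
} else {
    'No appStoreURI errors found in {0}' -f $logPath
}
```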


Solution:

Judging by that message, it seems we had certificate issues on the Company Portal. After re-registering with the steps below, it works. It had executed successfully before too, and I thought everything was OK, but I was wrong. So if you get the error message “Service health log: WP appStoreURI is missing for account”, it means there is something wrong with your Company Portal and signed certificates.

  • Step 1: Disable Windows Phone 8 support on the Intune connector:


1. Create your application “Company portal” that is included in the toolkit.

2. The first step to enable the management of Windows Phone 8 devices is to run the script that is included: cscript ConfigureWP8Settings.vbs <server> QuerySSPModelName. It is important to note down the Scope_ID<GUID> information, as it will be used in the next step.

3. Next we need to run the script again, but this time in Save mode with the SSP name, to populate the necessary certificate information that enables Windows Phone 8 management. The command we will use this time is: cscript ConfigureWP8Settings.vbs <server> SaveSettings <Company Portal name>, where <Company Portal name> is the Model Name output from the earlier step.

4. After completion of the steps above, you can now verify that Windows Phone 8 device management is enabled.

Now you can enroll your Windows Phone 8 devices in your Windows Intune Unified Trial Account. It works like a charm now.

Hope it Helps ,

Kenny Buntinx

MVP enterprise Client Management

Windows Intune & Dirsync : Error message “stopped-server-down” (FIM Synchronization Service Manager)

11:24 am in ADFS, dirsync, FIM, intune by Kenny Buntinx [MVP]


In Windows Intune, you need DirSync to synchronize your users between on-premises AD and Azure AD. For a few days already we had been receiving a mail stating: “There was no AD synchronization with Azure AD” … Weird.

DirSync for Windows Intune (the same as for Office 365) is actually a special version of FIM 2010 (Forefront Identity Manager). When installing DirSync, by default it is set to synchronize your on-premises Active Directory with Azure Active Directory every 3 hours.

At first sight, DirSync looks like a big black box. The event viewer is there, but doesn’t tell you much:

You won’t find any shortcut to the Synchronization Service Manager, but you will find it here: "C:\Program Files\Microsoft Online Directory Sync\SYNCBUS\Synchronization Service\UIShell\miisclient.exe".

If you launch the Synchronization Service Manager, you will find the same information:

This error message doesn’t really tell you much, but if you look closely, “TargetWebService” is the connection to Azure AD and, as you can see, its status is “stopped-server-down”.

Digging deeper into the event viewer, we found: “An unknown error occurred with the Microsoft Online Services Sign-in Assistant. Contact Technical Support. GetAuthState() failed with -2147186688 state. HResult: (0x80048831)”. Looking this up on the internet, this error message actually means that the service account you use to connect to Windows Intune has an expired password.

To fix this, open the “Windows Azure Active Directory Module for Windows PowerShell” and set a new password for the service account; to avoid this in the future, add the parameter “-PasswordNeverExpires”. (Note the single quotes around the password: in double quotes PowerShell would expand the “$$” in it.)

Set-MsolUserPassword -UserPrincipalName dummy@intune.com -NewPassword 'pa$$word'

Set-MsolUser -UserPrincipalName dummy@intune.com -PasswordNeverExpires $true

Now go to the Management Agents tab in Synchronization Service Manager, right-click TargetWebService and click Properties. Enter your new password here.
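A slightly more careful version of the same fix, as an added example that is not part of the original post: it first confirms that password age is really the cause, then rotates to a randomly generated password instead of one typed on the command line. The UPN is a placeholder and the module is assumed to be installed already.

```powershell
# Added example (not from the original post): inspect the DirSync service account
# before resetting it, then rotate the password and stop it from expiring again.
# Assumes the Windows Azure Active Directory Module for Windows PowerShell is installed.
$svcUpn = 'dummy@intune.com'   # placeholder: UPN of the DirSync service account

Connect-MsolService            # prompts for a tenant administrator credential

# Is an expired password the likely cause of "stopped-server-down"?
$u   = Get-MsolUser -UserPrincipalName $svcUpn
$age = (Get-Date) - $u.LastPasswordChangeTimestamp
'{0}: password last changed {1:N0} days ago, PasswordNeverExpires={2}' -f `
    $u.UserPrincipalName, $age.TotalDays, $u.PasswordNeverExpires

# Generate a 16-character random password (the cloud password length limit at the time)
# from a fixed alphabet, so it is never typed into a shell history.
$alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&*-_=+'
$rng      = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
$bytes    = New-Object byte[] 16
$rng.GetBytes($bytes)
$newPwd   = -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })

# Reset it; explicitly do not force a change at next sign-in, since a sync service cannot do that
Set-MsolUserPassword -UserPrincipalName $svcUpn -NewPassword $newPwd -ForceChangePassword $false

# Stop the password from expiring again, then confirm the flag stuck
Set-MsolUser -UserPrincipalName $svcUpn -PasswordNeverExpires $true
Get-MsolUser -UserPrincipalName $svcUpn | Select-Object UserPrincipalName, PasswordNeverExpires

# Hand $newPwd to the TargetWebService management agent properties, then clear it
$newPwd
```

Because the password will no longer rotate on its own, store it in your password vault together with a reminder to rotate it manually, and enter it in the TargetWebService management agent as described above.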


Hope it Helps ,

Kenny Buntinx

MVP Enterprise Client Management

Troubleshooting ADFS 2.1 Services for Windows Intune (WaveD)

8:33 am in ADFS, troubleshooting by Kenny Buntinx [MVP]

In my previous blog posts “Prepare to Install ADFS 2.1 Services to have SingleSignOn (SSO) in Windows Intune (WaveD) – Part 1” and “Prepare to Install ADFS 2.1 Services to have SingleSignOn (SSO) in Windows Intune (WaveD) – Part 2” I explained the general design and installation steps for setting up SSO with ADFS.

I’ve been trying to find a good way to determine whether ADFS 2.0 is functioning correctly, but it looks like a closed box. However, after crawling Google for good and valuable information about how to verify that ADFS is functioning fine, I found it here:

http://www.dagint.com/2011/10/how-to-test-if-adfs-is-functioning/
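As an added example (not from the original post or the linked article), here is a quick external health check you can run against the farm from any machine that can reach it: it fetches the federation metadata, checks the published token-signing certificate’s expiry, and confirms the sign-on page answers. It assumes the federation service name from the design posts, federation.scug.be; replace it with your own.

```powershell
# Added example (not from the original post): basic AD FS 2.x health check.
$fsName      = 'federation.scug.be'   # assumption: the farm name from the design posts
$metadataUrl = "https://$fsName/FederationMetadata/2007-06/FederationMetadata.xml"

# 1. Is the metadata endpoint reachable over HTTPS? (This also exercises the SSL certificate.)
try {
    $resp = Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing -ErrorAction Stop
} catch {
    Write-Warning "Metadata endpoint unreachable: $($_.Exception.Message)"
    return
}
[xml]$md = $resp.Content
'Entity ID: {0}' -f $md.EntityDescriptor.entityID

# 2. Does the published token-signing certificate look sane (not expired or about to be)?
$nsm = New-Object System.Xml.XmlNamespaceManager -ArgumentList $md.NameTable
$nsm.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
$nsm.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')
$xpath = '//md:KeyDescriptor[@use="signing"]/ds:KeyInfo/ds:X509Data/ds:X509Certificate'
foreach ($node in $md.SelectNodes($xpath, $nsm)) {
    $bytes    = [Convert]::FromBase64String($node.InnerText.Trim())
    $cert     = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    'Token-signing cert {0} expires {1:d} ({2} days left)' -f $cert.Thumbprint, $cert.NotAfter, $daysLeft
    if ($daysLeft -lt 30) { Write-Warning "Token-signing certificate $($cert.Thumbprint) expires in $daysLeft days" }
}

# 3. Does the sign-on page answer? (Users and Windows Intune are redirected here.)
$signOn = "https://$fsName/adfs/ls/IdpInitiatedSignon.aspx"
try   { $status = (Invoke-WebRequest -Uri $signOn -UseBasicParsing).StatusCode }
catch { $status = $_.Exception.Message }
'IdP-initiated sign-on page: {0}' -f $status
```

Run it once from the corporate network and once from the Internet: the first exercises the internal farm, the second the proxies.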

Hope it Helps ,

Kenny Buntinx

Enterprise Client Management MVP

Prepare to Install ADFS 2.1 Services to have SingleSignOn (SSO) in Windows Intune (WaveD) – Part 2

12:09 pm in ADFS, Cloud, CM12, ConfigMgr 2012 SP1, intune, SCCM 2012 SP1, Server 2012, WaveD, windows inune by Kenny Buntinx [MVP]

In my previous blog post “Prepare to Install ADFS 2.1 Services to have SingleSignOn (SSO) in Windows Intune (WaveD) – Part 1” I explained the general design and concept for setting up SSO with ADFS, at http://scug.be/sccm/2013/07/04/prepare-to-install-adfs-2-1-services-to-have-singlesignon-sso-in-windows-intune-waved/

This article takes you step by step through initializing a new domain in Windows Intune WaveD, its verification, and configuration for single sign-on. This guide shows how to perform these steps on Windows Server 2012 with AD FS 2.1.

Again, the design we are going to follow:


Determine the ADFS Farm Name

We really need to get this information sorted first, because our certificate requests will be based on the FQDN of the farm name, and it isn’t possible to install ADFS services without a certificate.

We’ll use “Federation.scug.be”; this name will be used by Windows Intune federation services. This certificate absolutely must be issued by a public CA.

Request a Certificate

Really quick overview of ADFS certificates: there are three certificates used by ADFS; one is used for server authentication and the remaining two certificates are used for ADFS token signing and verification.

For best practice and supportability this certificate should NOT be a wildcard certificate. My wildcard certificates were working flawlessly, but if you go that way and something does not work later down the road, your support options may be limited.

Service Account for ADFS Federation Service

Next, we will create a service account for the purpose of installing and running ADFS Federation Service. This service account will be used to perform initial installation of the service as well as the WID SQL databases. During this initial installation, the service creates certificate containers in Active Directory, as well as SPN records for the shared IIS pool identity. To perform these tasks, the service account must be at least a Domain Admin.

Install ADFS Service on the First Windows Server 2012 Server (FED1PRD.SCUG.BE)

Prerequisites :

  • Make sure that you installed the ADFS Services through “Add Roles and Features”.
  • Make sure you have copied your *.SCUG.be certificate to your ADFS servers.
  • Make sure they are joined to the domain.
  • Your Active Directory domain must be in Windows 2003 mixed or native mode.

1. Open the wizard and select “Create a new Federation Wizard” …


2. Provide your SSL certificate and Federation Service Name …


3. Provide your Service Account and password …


4. Click Next to continue after reviewing…

5. When everything is OK, click Close to close the wizard.

Install ADFS Service on the Second Windows Server 2012 Server (FED2PRD.SCUG.BE)

1. Open the wizard and select “Add a federation server to an existing Federation Service” …


2. Specify your primary federation server name and your ADFS service account.

3. Click Next to install and finish.

Important :

Create a hosts file entry on FED1PRD.SCUG.BE and FED2PRD.SCUG.BE with the following line:

(screenshot of the hosts file entry not reproduced here)

Now your ADFS farm is installed and configured correctly. Next, let’s show you how to introduce an AD FS proxy server.

In addition to adding two federation server proxies, you must make sure that your perimeter network can also provide access to a Domain Name System (DNS) server and to a second hardware Network Load Balancing host. The second NLB host must be configured with an NLB cluster that uses an Internet-accessible cluster IP address, and it must use the same cluster DNS name (federation.SCUG.be) as the previous NLB cluster that you configured on the corporate network (Federation.scug.be). The federation server proxies should also be configured with Internet-accessible IP addresses.

Note: all server/client communication is established over port 443; make sure that port 443 is allowed between the internal AD FS host servers and the AD FS proxy servers, as well as from the Internet to the AD FS proxy servers.


Importing the Certificate on FED1PRD.SCUG.BE and FED2PRD.SCUG.BE

After that, import your *.SCUG.BE certificate on FED1PRD.SCUG.BE and FED2PRD.SCUG.BE into your website as described below:

After the certificate has been imported, you’ll want to verify it by going back to Server Certificates in IIS.

Next, you’ll need to add the certificate to the Default Web Site. With the Default Web Site selected, click Bindings.

Click Add.

Choose Type https, IP address All Unassigned, and Port 443. Then select the newly imported certificate and click OK.

The site bindings should now list the https binding on port 443 with the imported certificate.


Install ADFS Proxy Servers on Windows Server 2012 Server (ADFSPROXY01 – ADFSPROXY02)

1. Select “ADFS Federation Services Proxy” through “Add Roles and Features”.

2. Leave the defaults selected and select “Next”.

3. Hit the “Install” button.

Important :

Create a hosts file entry on ADFSPROXY01 and ADFSPROXY02 with the following line:

(screenshot of the hosts file entry not reproduced here)

Note: all server/client communication is established over port 443; make sure that port 443 is allowed between the internal AD FS host servers and the AD FS proxy servers, as well as from the Internet to the AD FS proxy servers.


Importing the Certificate on ADFSPROXY01 and ADFSPROXY02

After that, import your *.SCUG.BE certificate on ADFSPROXY01 and ADFSPROXY02 into your website as described below:

After the certificate has been imported, you’ll want to verify it by going back to Server Certificates in IIS.

Next, you’ll need to add the certificate to the Default Web Site. With the Default Web Site selected, click Bindings.

Click Add.

Choose Type https, IP address All Unassigned, and Port 443. Then select the newly imported certificate and click OK.

The site bindings should now list the https binding on port 443 with the imported certificate.


DNS Configuration

  • Configure internal DNS to point the federation service name to the federation hosts’ cluster (NLB) IP.
  • Set up a host (A) record for the federation service name (federation.scug.be) on a public-facing DNS server, for external name resolution, pointing to the proxy servers’ cluster (NLB) IP.

Optional: in case the proxy servers don’t have DNS connectivity to the internal DNS server, you can configure the hosts file (see above) on each server to resolve the AD FS host server name.
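Because the same name must resolve to the internal farm VIP inside and to the proxy VIP outside, a split-brain DNS mistake is the usual reason enrollment or sign-on fails only from one side. The following added example (not part of the original post) checks both answers and the port 443 requirement from Part 1; the VIPs and the public resolver are placeholders for your own values.

```powershell
# Added example (not from the original post): verify split-brain DNS and port 443
# for the federation service before (or after) running the wizards.
$fsName      = 'federation.scug.be'
$internalVip = '10.0.0.20'     # placeholder: internal AD FS farm NLB address
$proxyVip    = '192.168.0.20'  # placeholder: DMZ AD FS proxy NLB address
$publicDns   = '8.8.8.8'       # placeholder: any resolver outside your network

function Test-Tcp443([string]$HostName) {
    # Plain TCP connect to 443 with a 3-second timeout (no TLS handshake)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ok = $client.BeginConnect($HostName, 443, $null, $null).AsyncWaitHandle.WaitOne(3000)
        return ($ok -and $client.Connected)
    } catch { return $false } finally { $client.Close() }
}

# Internal clients (and the proxies via their hosts file) must land on the farm VIP
$internal = (Resolve-DnsName -Name $fsName -Type A -ErrorAction SilentlyContinue).IPAddress
# Internet clients must land on the proxy VIP
$external = (Resolve-DnsName -Name $fsName -Type A -Server $publicDns -ErrorAction SilentlyContinue).IPAddress

[pscustomobject]@{
    Name           = $fsName
    InternalAnswer = ($internal -join ',')
    InternalOk     = ($internal -contains $internalVip)
    ExternalAnswer = ($external -join ',')
    ExternalOk     = ($external -contains $proxyVip)
    Port443Open    = (Test-Tcp443 $fsName)
} | Format-List
```

Run it once on an internal server and once on a proxy: on the proxy, InternalAnswer should still be the farm VIP (coming from the hosts file), while Port443Open proves the firewall rule from the proxy to the farm.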


The end

Now your ADFS Farm is completely installed and configured correctly.

This brings us to the end of this post. In the next few posts, we’ll cover additional configuration and troubleshooting steps and bring this Windows Intune SSO / ADFS 2.1 infrastructure on Windows Server 2012 to a usable state.

Stay Tuned !


Hope it Helps ,

Kenny Buntinx

Enterprise Client MVP

Prepare to Install ADFS 2.1 Services to have SingleSignOn (SSO) in Windows Intune (WaveD) – Part 1

1:42 pm in ADFS, best practices, con, ConfigMgr 2012 SP1, intune, scc, SCCM 2012 SP1, Windows Intune by Kenny Buntinx [MVP]


With the SP1 release of System Center 2012 Configuration Manager, we now have the ability to connect to Windows Intune to manage mobile devices via the Internet. This allows you to use the Configuration Manager console to provision mobile devices, apply policy, and target apps to mobile devices even when those devices are not connected to the corporate network.

To provide users with an integrated sign-on experience (and reduce the need for administrators to manage two passwords for users) it is highly recommended that you deploy ADFS. ADFS provides the capability for a cloud server to leverage on-premise Active Directory credentials.

To deploy and configure ADFS 2.1 (Server 2012), follow the steps outlined below. This blog will cover the configuration and deployment work needed for users to successfully connect their device with corporate credentials. Before you install ADFS 2.1 on Windows Server 2012, you have to think through some of the requirements.

The benefits of implementing ADFS:

  • Improves user productivity by enabling true single sign-on to domain joined computers
  • Reduces usability issues by allowing users to use AD credentials to access all “Windows Intune” or “Office 365” services and not have to remember two identities and two passwords
  • Allows administrators the ability to enforce the organization’s password policies and account restrictions in both the on-premises and cloud-based organizations
  • Increases security of AD credentials since passwords are never synced to the cloud, all authentication happens on-premises
  • Reduces overall administration time and costs associated due to the above points

Based on a lot of TechNet articles , this was my design :


  • Will feature two ADFS farm servers (For redundancy reasons)
  • Will have two ADFS proxy servers (For redundancy reasons)
  • Will have one DirSync server (separate VM for performance)
  • Will use a HW load balancer (Cisco , F5 , Citrix Netscaler) instead of Microsoft multicast NLB ( It doesn’t really work that well – or call it bad experiences) on both ADFS farm and ADFS proxy servers
  • Due to the size of the environment (Less than 50,000), WID (Windows Internal Database) server will have to be used
  • This WID SQL server will be running SQL Express edition.

In addition, we need to determine a few things upfront, as it will speed up the installation work. My personal experience is that you really need one of the customer’s internal network guys to make this happen. (We as “ConfigMgr” guys are not familiar with how a customer’s network is organized and who is responsible for what part of the network.)

  • External IP address of the federation service (In my example 212.x.x.x)
  • DMZ IP address of the federation service (which will be assigned to NLB as a shared virtual IP address , in my example 192.168.x.20)
  • DMZ server dedicated IP addresses (In my example 192.168.x.1 and 192.168.x.2) , they also reside in workgroup (not domain joined)
  • Internal ADFS farm shared virtual IP address assigned to the ADFS farm NLB (in my example 10.x.x.20)
  • Internal ADFS server dedicated IP addresses (in my example 10.x.x.1 and 10.x.x.2)
  • Fully qualified DNS name of the federation service, or ADFS FQDN (in my example Federation.SCUG.be)
  • Service accounts used for various purposes in the setup
  • Public SSL certificate to secure traffic associated with ADFS. Certificates are used for server authentication and token signing. Try to order a *.<yourdomainname> certificate; this will make your life much easier. (in my example *.SCUG.be)
  • Necessary firewall ports are open from the Internet to the ADFS Proxy servers (port 443)
  • Necessary firewall ports are open from the ADFS Proxy servers to the internal ADFS servers (port 443)
  • Necessary firewall ports are open from the Internet to the DirSync server and vice versa (port 443)

This brings us to the end of this post. In the next few posts, we’ll cover additional configuration and installation steps and bring this Windows Intune SSO / ADFS 2.1 infrastructure on Windows Server 2012 to a usable state.

Stay Tuned !


Hope it Helps ,

Kenny Buntinx

Enterprise Client MVP

MVP Award Renewal for 2013: Enterprise Client Management

5:24 pm in MVP by Kenny Buntinx [MVP]


I’m very proud to inform you that my MVP award got renewed for the year 2013 – 2014 on Enterprise Client Management. This is certainly a great honor for me.

Thank you Microsoft, blog readers and all the community members that helped me out!

Thanks for the recognition. I am delighted.

Kenny Buntinx

Enterprise Client Management MVP