
ITDevconnections session wrap-up : System Center 2012 R2 Configuration Manager and Intune: Setup and Deployment Notes from the Field, with a Focus on Single Sign-On

1:24 pm in ADFS, ADFS 2.1, ADFS 3.0, CM12, CM12 R2, CM12 SP1, Devconnections, ECM, intune, ITDevconnections, sccm, SCCM 2012, sccm 2012 R2, SCCM 2012 R2, SCCM 2012 SP1, UDM by Kenny Buntinx [MVP]


A big thanks to all who attended the sessions that Tim De Keukelaere and I presented. Below are the links to the blog posts we made earlier and referenced during the session! Hope to see you all again next year!


All blog posts were written when we encountered challenges or when we wanted to spread information. Some can be outdated, like the ADFS 2.1 blogs, but not much has changed. I'll start updating them as soon as I find time for it :-)

Find them here:

Conquering BYOD with Implementing ConfigMgr 2012 R2 and Windows Intune, “ADFS”, “WAP”, “Workplace Join” and “Work Folders”. Part I at http://scug.be/sccm/2014/01/09/conquering-byod-with-implementing-configmgr-2012-r2-and-windows-intuneadfs-wap-workplace-join-and-work-folders-part-i/

Prepare to Install ADFS 2.1 Services to have SingleSignOn (SSO) in Windows Intune (WaveD) – Part 1 at http://scug.be/sccm/2013/07/04/prepare-to-install-adfs-2-1-services-to-have-singlesignon-sso-in-windows-intune-waved/

Prepare to Install ADFS 2.1 Services to have SingleSignOn (SSO) in Windows Intune (WaveD) – Part 2 at http://scug.be/sccm/2013/07/08/prepare-to-install-adfs-2-1-services-to-have-singlesignon-sso-in-windows-intune-waved-part-2/

ADFS & Workplace Join & Intune : "Profile Installation Failed" error when iOS device is Workplace Joined by using DRS on a Windows Server 2012 R2-based server at http://scug.be/sccm/2014/08/21/adfs-workplace-join-intune-profile-installation-failed-error-when-ios-device-is-workplace-joined-by-using-drs-on-a-windows-server-2012-r2-based-server/

ADFS 2.1 in combo with windows Intune stops working with ‘Error: 15404, State: 19. Could not obtain information about Windows NT group/user ‘Domain\ADFS_srvc’, error code 0x5 at http://scug.be/sccm/2014/01/22/adfs-2-1-in-combo-with-windows-intune-stops-working-with-error-15404-state-19-could-not-obtain-information-about-windows-nt-groupuser-domainadfs_srvc-error-code-0x5/

ADFS 3.0 on Windows 2012 R2: adfssrv hangs in starting mode and makes your domain controller unusable after reboot at http://scug.be/sccm/2014/01/15/adfs-3-0-on-windows-2012-r2-adfssrv-hangs-in-starting-mode-and-makes-youre-domain-controller-unusable-after-reboot/

Windows Intune & ConfigMgr 2012 : Notes from the field around Compliance Settings and enrollment at http://scug.be/sccm/2014/06/08/windows-intune-configmgr-2012-notes-from-the-field-around-compliance-settings-and-enrollment/

“Workplace Join” with ADFS 3.0 Device Registration Services and our ‘Workplace Join Hitman’ PowerShell App to the rescue ! at http://scug.be/sccm/2014/05/20/workplace-join-with-adfs-3-0-device-registration-services-and-our-workplace-join-hitman-powershell-app-to-the-rescue/

Configmgr 2012 & Windows Intune SSO : Self-signed certificate for token signing is about to expire. Now What? at http://scug.be/sccm/2014/04/23/configmgr-2012-windows-intune-sso-self-signed-certificate-for-token-signing-is-about-to-expire-now-what/

Windows Phone 8 not enrolling with the “Support Tool for Windows Intune Trial Management of Window Phone 8” at http://scug.be/sccm/2013/07/19/windows-phone-8-not-enrolling-with-the-support-tool-for-windows-intune-trial-management-of-window-phone-8/

Windows Intune & Dirsync : Error message “stopped-server-down” (FIM Synchronization Service Manager) at http://scug.be/sccm/2013/07/18/windows-intune-dirsync-error-message-stopped-server-down-fim-synchronization-service-manager/

Hope it Helps ,

Kenny Buntinx

Enterprise Client Management MVP

Configmgr 2012 & Windows Intune SSO : Self- signed certificate for token signing is about to expire. Now What?

12:15 pm in ADFS, ADFS 2.1, ADFS 3.0, ConfigMgr 2012, configmgr 2012 R2, ConfigMgr 2012 SP1, intune, SCCM 2012, SCCM 2012 R2, SCCM 2012 SP1, sso, Windows Intune, Windows Intune Extensions, windows inune by Kenny Buntinx [MVP]


This morning at a customer, I received a mail in my mailbox saying that my ADFS token-signing certificate was about to expire.

AD FS 2.0, 2.1 and probably 3.0 generate a new self-signed token-signing certificate each year by default, 20 days before the existing certificate expires. This rollover (generating a new certificate when the existing one is about to expire and making it the primary certificate) applies only to the self-signed certificates generated by AD FS 2.x. The token-signing certificate is essential for the stability of the Federation Service. If it changes, the change must be propagated to Windows Azure AD; otherwise applications for cloud services, such as my Windows Intune service, fail.


When the token-signing certificate of your on-premises AD FS organization expires, the federation metadata between AD FS and Office 365 falls out of sync. Equally, when changes are made on the Office 365 or Windows Intune side that require updating the metadata, a similar issue arises. The “Microsoft Office 365 Federation Metadata Update Automation Installation Tool” script provided by the AD FS team ensures that the federation metadata is validated regularly and that any changes are replicated between the two federating parties.

You must download the Microsoft Federation Metadata Update Automation Installation Tool and configure it on your primary federation server or another writable federation server. It then checks and updates the Windows Azure AD federation metadata regularly and automatically, so that changes to the token-signing certificate in the AD FS 2.1 Federation Service are copied automatically to Windows Azure AD.
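The drift the script guards against can also be checked by hand. The following added example (not from the original post or the AD FS team's tool) compares the primary token-signing certificate AD FS holds with the one Windows Azure AD has recorded for a federated domain, and warns when the 20-day rollover window is near. It assumes the MSOnline module (Connect-MsolService already run), the AD FS cmdlets (snap-in on 2.x, module on 3.0), and that Get-MsolFederationProperty labels the cloud-side record with Source 'Microsoft Office 365'.

```powershell
# Added example (not from the original post): compare the primary token-signing certificate
# in AD FS with the one Azure AD holds for a federated domain, and warn when the
# 20-day auto-rollover window is near. Assumes the MSOnline module with Connect-MsolService
# already done, the AD FS cmdlets (snap-in on 2.x, module on 3.0), and that
# Get-MsolFederationProperty labels the cloud-side record with Source 'Microsoft Office 365'.
param(
    [Parameter(Mandatory = $true)][string]$DomainName,   # federated domain, e.g. contoso.com
    [int]$WarnDays = 20                                  # AD FS starts rollover 20 days before expiry
)

Import-Module MSOnline -ErrorAction Stop
if (-not (Get-Command Get-AdfsCertificate -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction Stop      # AD FS 2.0 / 2.1
}

# What AD FS currently signs tokens with
$local       = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }
$localThumb  = $local.Certificate.Thumbprint
$daysLeft    = [int]($local.Certificate.NotAfter - (Get-Date)).TotalDays

# What Azure AD has recorded for this domain (the copy that goes stale after a rollover)
$remote      = Get-MsolFederationProperty -DomainName $DomainName |
               Where-Object { $_.Source -like 'Microsoft Office 365*' }
$remoteThumb = $remote.TokenSigningCertificate.Thumbprint

"AD FS primary token-signing cert : $localThumb (expires in $daysLeft days)"
"Azure AD token-signing cert      : $remoteThumb"

if ($localThumb -ne $remoteThumb) {
    Write-Warning "Federation metadata is out of sync. On the primary AD FS server run: Update-MsolFederatedDomain -DomainName $DomainName"
} else {
    "Federation metadata in sync."
}
if ($daysLeft -le $WarnDays) {
    Write-Warning "Primary certificate expires in $daysLeft days; AD FS will roll over to a new certificate that Azure AD must learn about."
}
```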

You can download the script here: http://gallery.technet.microsoft.com/scriptcenter/Office-365-Federation-27410bdc

The script is called: O365-Fed-MetaData-Update-Task-Installation.ps1

To execute this tool successfully:

  • You must make sure that you have installed the latest version of the Microsoft Online Services Module for Windows PowerShell
  • You need to have a functioning AD FS 2.0 Federation Service (execute this on your primary ADFS server)
  • You need to have access to Global Administrator credentials for your Office 365 tenant
  • At least one verified domain in the Office 365 tenant must be of type ‘Federated’
  • This tool must be executed on a writable Federation Server
  • The currently logged on user must be a member of the local Administrators group
  • The Microsoft Online Services Module for Windows PowerShell must be installed. You can download the module from http://onlinehelp.microsoft.com/en-us/office365-enterprises/ff652560.aspx0

When you run the tool with the above prerequisites in place, it produces output like the screenshot below:

[screenshot: tool output]

It’s worth bearing in mind that the password policy will render the script unusable after a password change on either side: the MSOL account you specify on the Windows Intune side, or the domain user account used to run the scheduled task. It is possible to create service accounts with non-expiring passwords on both sides; however, I’d consider the security consequences of such a change before doing so automatically. On the O365 side this can be done for a standard Office 365 account via the Set-MsolUser cmdlet.

For example: Set-MsolUser -UserPrincipalName user@MyPreciousChosenDomain.onmicrosoft.com -PasswordNeverExpires $true -StrongPasswordRequired $true

The account could technically also be a federated account, but I don’t believe that’s a good idea. If the trust is broken, a federated account won’t be able to connect to MSOL to update the federated domain information, and you would be in big trouble!

To verify that the scheduled task was created correctly, open Task Scheduler and check that the task is there:

[screenshot: Task Scheduler]

That’s again an automated task, so you don’t have to worry that your infrastructure is in danger :-)

Hope it Helps ,

Kenny Buntinx

Enterprise Client Management MVP

ADFS 2.1 in combo with windows Intune stops working with ‘Error: 15404, State: 19. Could not obtain information about Windows NT group/user ‘Domain\ADFS_srvc’, error code 0x5

12:17 pm in ADFS, ADFS 2.1, CM12, CM12 R2, CM12 SP1, intune, sso by Kenny Buntinx [MVP]


One day my ADFS authentication for Configmgr 2012 R2 and Windows Intune suddenly stopped working. I came across the following event on the Active Directory Federation Services farm, which uses WID (Windows Internal Database) to store its configuration.

The event reads: An exception occurred while enqueueing a message in the target queue. Error: 15404, State: 19. Could not obtain information about Windows NT group/user ‘<Domain>\ADFS_srvc’, error code 0x5.

The solution is to give “Authenticated Users” the “Read Permissions” on the ADFS service account object in Active Directory (error code 0x5 is ERROR_ACCESS_DENIED: the database engine cannot look up the service account).
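To check for the condition before it takes the farm down, here is an added example (not from the original post) that verifies whether Authenticated Users can read the service account object and, with -Fix, adds the missing Allow-Read ACE. It assumes the ActiveDirectory module and a service account named ADFS_srvc, the name from the event above.

```powershell
# Added example (not from the original post): check whether Authenticated Users can read the
# AD FS service account object (the lookup that fails with 0x5 in the event) and optionally
# add the missing ACE. Assumes the ActiveDirectory module and an account named ADFS_srvc.
param(
    [string]$ServiceAccount = 'ADFS_srvc',   # sAMAccountName from the event text
    [switch]$Fix                             # add the ACE instead of only reporting
)
Import-Module ActiveDirectory -ErrorAction Stop

$account   = Get-ADUser -Identity $ServiceAccount
$path      = "AD:\" + $account.DistinguishedName
$acl       = Get-Acl -Path $path
$authUsers = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-11')   # Authenticated Users
$readBit   = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty

# Look for an Allow ACE (explicit or inherited) that grants read on the whole object
$readAce = $acl.Access | Where-Object {
    ($_.AccessControlType -eq 'Allow') -and
    ($_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $authUsers) -and
    (($_.ActiveDirectoryRights -band $readBit) -ne 0) -and
    ($_.ObjectType -eq [guid]::Empty)    # not limited to a single property
}

if ($readAce) {
    "OK: Authenticated Users can read $($account.DistinguishedName)"
} elseif ($Fix) {
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $authUsers,
        [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $path -AclObject $acl
    "Added Allow GenericRead for Authenticated Users on $($account.DistinguishedName)"
} else {
    Write-Warning "Authenticated Users have no read access on $($account.DistinguishedName); rerun with -Fix to add it."
}
```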

Hope it Helps ,

Kenny Buntinx

Enterprise Client Management MVP

Conquering BYOD with Implementing ConfigMgr 2012 R2 and Windows Intune,“ADFS”, “WAP”, “Workplace Join” and “Work Folders”. Part I

3:55 pm in ADFS, ADFS 2.1, ADFS 3.0, BYOD, WAP, Work Folders, Workplace Join by Kenny Buntinx [MVP]


In the next few posts, I want to take a look at the changes in Windows Server 2012 R2 with respect to Active Directory Federation Services (AD FS), which is used mainly for products and features such as “Windows Intune”, “Workplace Join” and “Work Folders”, the latter two introduced with Windows 8.1.

Through the new Workplace Join feature in R2, AD FS becomes a focal point for mobile access in the enterprise and an integral component of the Microsoft Bring Your Own Device (BYOD) vision. Workplace Join allows unmanaged/untrusted operating systems such as Windows RT/Windows 8.1 and iOS to be moved into a more controlled access context by registering them and affiliating them with Active Directory.

Workplace Join is made possible by the Device Registration Service (DRS) that is included with the Active Directory Federation Services role in Windows Server 2012 R2. When a device is Workplace Joined, the DRS provisions a device object in Active Directory and installs a certificate on the consumer device that represents the device identity. The DRS is meant to be both internal and external facing: companies that deploy both DRS and the Web Application Proxy will be able to Workplace Join devices from any internet-connected location. To further secure this process, additional factors can also be used with Windows Azure Active Authentication (PhoneFactor).

Work Folders is a brand new direction for enabling access to data in offline scenarios, along the lines of Dropbox and SkyDrive Pro, but without the web and sharing features. Like most Microsoft OS features, Work Folders is tied to a specific release of Windows; however, according to this Channel 9 video, Microsoft will release Work Folders for Windows 7, iOS and “other devices” soon.

For all of that technology to work, you will need to implement ADFS 3.0, which is only available in Windows Server 2012 R2. The current levels of ADFS are difficult to find, so I will list them once more:

  • ADFS 2.0 – Windows 2003/2008/2008R2 (supported only for SSO in Windows Intune)
  • ADFS 2.1 – Windows 2012 (supported only for SSO in Windows Intune)
  • ADFS 3.0 – Windows 2012 R2 (supports SSO in Windows Intune , Workplace Join and Work Folders)

To support ADFS 3.0, the following prerequisites must be in place:

  • Forest functional level: Windows Server 2003 or higher

To check the forest level: Get-ADObject -Identity "cn=Schema,cn=Configuration,dc=vnextdemo,dc=be" -Properties * | Select objectVersion

  • Domain controller OS: Windows Server 2012 or higher

    • If there is no 2012 R2 DC, extend the schema with Adprep. The new Device class requires a schema change in Active Directory. For those upgrading an existing Windows setup, the appropriate files can be found on the R2 installation media under D:\Support\ADPrep.

    • If upgrading a DC to 2012 R2:

            • Execute the following command: PS C:\> netdom query FSMO
            • Then use the Move-ADDirectoryServerOperationMasterRole cmdlet to move the roles. You can do this with a simple one-liner: Move-ADDirectoryServerOperationMasterRole -Identity "DC01" -OperationMasterRole 0,1,2,3,4

  • ADFS 3.0 and the Web Application Proxy must be installed on Windows Server 2012 R2
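The checks above can be run in one go from any domain-joined machine with RSAT. This added example (not from the original post) generalizes the hard-coded schema query to the forest's own schema naming context, confirms the Device class is present, lists DC operating systems and prints the FSMO holders as netdom query FSMO would. It assumes the ActiveDirectory module and read access to the schema; the objectVersion-to-release mapping is Microsoft's published table and is stated here as an assumption.

```powershell
# Added example (not from the original post): check the ADFS 3.0 / DRS prerequisites
# listed above. Assumes the ActiveDirectory module (RSAT) and read access to the schema.
Import-Module ActiveDirectory -ErrorAction Stop

# Schema objectVersion per Windows Server release (Microsoft's published values; assumption here)
$schemaVersions = @{ 30 = '2003'; 31 = '2003 R2'; 44 = '2008'; 47 = '2008 R2';
                     56 = '2012'; 69 = '2012 R2'; 87 = '2016'; 88 = '2019' }

$rootDse = Get-ADRootDSE
$schema  = Get-ADObject -Identity $rootDse.schemaNamingContext -Properties objectVersion
$version = [int]$schema.objectVersion
$label   = if ($schemaVersions.ContainsKey($version)) { 'Windows Server ' + $schemaVersions[$version] } else { 'unknown' }
"Schema objectVersion : $version ($label)"
"Forest mode          : $((Get-ADForest).ForestMode)"

# DRS stores registered devices as msDS-Device objects; the class arrives with the 2012 R2 schema
$deviceClass = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(&(objectClass=classSchema)(lDAPDisplayName=msDS-Device))'
if ($deviceClass) {
    "msDS-Device class    : present"
} else {
    Write-Warning "msDS-Device class missing: run adprep /forestprep from the 2012 R2 media before Workplace Join."
}

# Domain controller OS levels (the post requires 2012 or higher)
Get-ADDomainController -Filter * |
    Select-Object Name, OperatingSystem, IsGlobalCatalog |
    Format-Table -AutoSize

# Same information as 'netdom query FSMO', useful before moving roles to the upgraded DC
$forest = Get-ADForest
$domain = Get-ADDomain
"Schema master        : $($forest.SchemaMaster)"
"Domain naming master : $($forest.DomainNamingMaster)"
"PDC emulator         : $($domain.PDCEmulator)"
"RID master           : $($domain.RIDMaster)"
"Infrastructure master: $($domain.InfrastructureMaster)"
```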

In the next blog post, I will continue with how to set up ADFS 3.0 to support “Windows Intune”, “Workplace Join” and “Work Folders”. So stay tuned for Part II.

Hope it Helps ,

Kenny Buntinx

Enterprise Client Management MVP