You are browsing the archive for ADFS.

How to replace expired certificates on ADFS 3.0 the right way

1:44 pm in 2012R2, ADFS, ADFS 3.0, BYOD, certificates, Cloud, Enterprise Mobility Suite, Global Managed Service Account, IIS, Known Issue, Lab, Power Management, WAP, Web Application Proxy by Kenny Buntinx [MVP]

 

As with all IT equipment that is using certificates for enhanced security, there will be a time when the certificates expire and it will need to be replaced. Below you will find the procedure for ADFS 3.0 and the Web Application Proxy:

First step is to create a new CSR on one of you’re servers and request a renewal of the existing certificate ( in our case a *.demolabs.be) . After the request has been processed , download your certificate and import the certificate on the server where you created the CRS earlier. For ADFS / WAP it is very important you will have the private key exported with the certificate. You can only export the certificate with a private key on the sever where you previously created the CSR .Export with private keys to *.pfx and import on WAP + ADFS

If you do not do it as described above with and export of the private keys , you will face issues even if you did it exactly as described below as shown in the screenshot below :

image

 

Follow the procedure below , starting with the ADFS server:

  1. Log onto the ADFS server.
  2. Import the new (exported with private key) certificate to the server. Make sure this is added to the personal certificate store for the computer account.
  3. Find your thumbprint for the new certificate. Either use the GUI thru the MMC to see the details of the certificate or us powershell with Run Get-AdfsSslCertificate.. Take a copy of the thumbprint and ensure that the spaces are removed.
  4. Make sure that the service account that is running the ‘Active Directory Federation Services’ service is granted read access to the private key.
  5. Launch AD FS Management, expand ‘Service’ within the left pane and click ‘Certificates’ , then click ‘Set Service Communications Certificate

image

 

  1. Restart the ADFS services. However this is not enough. Changes made in  the GUI does not change the configuration based on the HTTP.sys. To complete the configuration change, run the following PowerShell command : Set-AdfsSslCertificate –Thumbprint <Thumbprintofyourcertificate>.
  2. Make sure to restart the server

Now you need to log onto the WAP server.

  1. Import the new (exported with private key) certificate to the server as in step 1. 
  2. Run the PowerShell commando for changing the certificate: Set-WebApplicationProxySslCedrtificate –Thumbprint <Thumbprintofyourcertificate>
  3. All of your publishing rules defined in the WAP need to be updated with the thumbprint of the new certificate. Use Powershell for  updating them with the new thumbprint. Run: Get-WebApplicationProxyApplication –Name “WebAppPublishingRuleName” | Set-WebApplicationProxyApplication –ExternalCertificateThumbprint “<Thumbprintofyourcertificate>”
  4. Restart the Web Application Proxy services to complete the configuration

Now you are done and you are a happy admin once more . Took me some time to figure it out .

Hope it Helps ,

Kenny Buntinx

MVP Enterprise Client Management

Hybrid scenarios with System Center Configuration Manager 2012 R2 – Windows Intune – ADFS – WAP – NDES – Workplace Join: Hotfixes you really need in your environment.

8:26 pm in ADFS, ADFS 3.0, CM12, CM12 R2, CM12 SP1, ConfigMgr, ConfigMgr 2012, configmgr 2012 R2, ConfigMgr 2012 SP1, EMS, hybrid, intune, Intune Standalone, sccm, SCCM 2012, sccm 2012 R2, SCCM 2012 R2, SCCM 2012 SP1, WAP by Kenny Buntinx [MVP]

 

To make the most out of you’re lab or production environment when going to implement several features that are combined when using System Center Configuration Manager 2012 R2 and Intune for mobile workforce deployment, I will advise you to install the following hotfixes :

For your System Center Configuration manager 2012 R2 environment and Windows Intune connector:

 

1. Install Cu3 KB2994331 . A lot of things are fixed in each Cu , but not every fix is noted down in the release notes. It is therefore very important that you install the latest cumulative updates in general !

Why CU’s Matter (again ! ) –> Pre CU3 NDES templates need to be recreated > Re-targeting from device to user is not sufficient as there no good migration happening when upgrading from Cu1 or Cu2 !

2. Install KB article 2990658 . This hotfix greatly reduces the time that’s required to execute a successful retire or wipe of an MDM device by using a notification to "push" these tasks. Without this hotfix, retire and wipe operations could require 24 hours to run successfully, because they relied on a "pull" mechanism of this frequency . This hotfix will probably included when the next Cumulative Update will be released.

3. Install KB article 3002291 . This hotfix will fix when a user becomes a cloud-managed user In Microsoft SystemCenter 2012 R2 Configuration Manager, a settings policy may not target the assignment for the user.

For your ADFS and WAP (Web Application Proxy) with Server 2012 R2 environment:

 

1. To fix the "Profile Installation Failed" error when iOS device is workplace-joined by using DRS on a Windows Server 2012 R2-based server , look at Knowledgebase article 2970746 and make sure you deploy KB2967917 on your WAP Server , which is the July 2014 update rollup for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2 .

2.  To fix the “Large URI request in Web Application Proxy fails in Windows Server 2012 R2” when deploying and NDES server thru the Web Application Proxy (WAP) , look at Knowledgebase article 3011135 (Issue found and resolved by Pieter Wigleven) and make sure you deploy KB3013769 on your WAP Server , which is the December 2014 update rollup for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2

For your CA (certificate Authority) infrastructure when you want to use NDES:

 

1. The issuing CA needs to be Windows Server 2008R2 (with KB2483564) or preferable with a Windows Server 2012 R2 OS.

 

Hope it Helps ,

Kenny Buntinx

Enterprise Client Management MVP

ITDevconnections session wrap-up : System Center 2012 R2 Configuration Manager and Intune: Setup and Deployment Notes from the Field, with a Focus on Single Sign-On

1:24 pm in ADFS, ADFS 2.1, ADFS 3.0, CM12, CM12 R2, CM12 SP1, Devconnections, ECM, intune, ITDevconnections, sccm, SCCM 2012, sccm 2012 R2, SCCM 2012 R2, SCCM 2012 SP1, UDM by Kenny Buntinx [MVP]

 

A big thanks to all who attended at our sessions that Tim De Keukelaere and myself presented. Below are the links to the blog posts we have made earlier and we referenced during the session! Hope to see you all again next year!

clip_image002

 

All blog posts where written when we encountered challenges or when we wanted to spread information. Some can be outdated, like the ADFS 2.1 blogs , but there isn’t much changed. I’ll start updating them as soon as I find time for it :-)

Find them here :

Conquering BYOD with Implementing ConfigMgr 2012 R2 and Windows Intune,“ADFS”, “WAP”, “Workplace Join” and “Work Folders”. Part I at http://scug.be/sccm/2014/01/09/conquering-byod-with-implementing-configmgr-2012-r2-and-windows-intuneadfs-wap-workplace-join-and-work-folders-part-i/

Prepare to Install ADFS 2.1 Services to have SingleSignOn (SSO) in Windows Intune (WaveD) – Part 1 at http://scug.be/sccm/2013/07/04/prepare-to-install-adfs-2-1-services-to-have-singlesignon-sso-in-windows-intune-waved/

Prepare to Install ADFS 2.1 Services to have SingleSignOn (SSO) in Windows Intune (WaveD) – Part 2 at http://scug.be/sccm/2013/07/08/prepare-to-install-adfs-2-1-services-to-have-singlesignon-sso-in-windows-intune-waved-part-2/

ADFS & Workplace Join & Intune : "Profile Installation Failed" error when iOS device is Workplace Joined by using DRS on a Windows Server 2012 R2-based server at http://scug.be/sccm/2014/08/21/adfs-workplace-join-intune-profile-installation-failed-error-when-ios-device-is-workplace-joined-by-using-drs-on-a-windows-server-2012-r2-based-server/

ADFS 2.1 in combo with windows Intune stops working with ‘Error: 15404, State: 19. Could not obtain information about Windows NT group/user ‘Domain\ADFS_srvc’, error code 0×5 at http://scug.be/sccm/2014/01/22/adfs-2-1-in-combo-with-windows-intune-stops-working-with-error-15404-state-19-could-not-obtain-information-about-windows-nt-groupuser-domainadfs_srvc-error-code-0x5/

ADFS 3.0 on Windows 2012 R2: adfssrv hangs in starting mode and makes you’re domain controller unusable after reboot at http://scug.be/sccm/2014/01/15/adfs-3-0-on-windows-2012-r2-adfssrv-hangs-in-starting-mode-and-makes-youre-domain-controller-unusable-after-reboot/

Windows Intune & ConfigMgr 2012 : Notes from the field around Compliance Settings and enrollment at http://scug.be/sccm/2014/06/08/windows-intune-configmgr-2012-notes-from-the-field-around-compliance-settings-and-enrollment/

“Workplace Join” with ADFS 3.0 Device Registration Services and our ‘Workplace Join Hitman’ PowerShell App to the rescue ! at http://scug.be/sccm/2014/05/20/workplace-join-with-adfs-3-0-device-registration-services-and-our-workplace-join-hitman-powershell-app-to-the-rescue/

Configmgr 2012 & Windows Intune SSO : Self- signed certificate for token signing is about to expire. Now What? At http://scug.be/sccm/2014/04/23/configmgr-2012-windows-intune-sso-self-signed-certificate-for-token-signing-is-about-to-expire-now-what/

Windows Phone 8 not enrolling with the “Support Tool for Windows Intune Trial Management of Window Phone 8” at http://scug.be/sccm/2013/07/19/windows-phone-8-not-enrolling-with-the-support-tool-for-windows-intune-trial-management-of-window-phone-8/

Windows Intune & Dirsync : Error message “stopped-server-down” (FIM Synchronization Service Manager) at http://scug.be/sccm/2013/07/18/windows-intune-dirsync-error-message-stopped-server-down-fim-synchronization-service-manager/

Hope it Helps ,

Kenny Buntinx

Enterprise Client Management MVP

ADFS & Workplace Join & Intune : "Profile Installation Failed" error when iOS device is Workplace Joined by using DRS on a Windows Server 2012 R2-based server

4:59 am in ADFS, ADFS 3.0, CM12, CM12 R2, CM12 SP1, intune, MDM, SCCM 2012, SCCM 2012 R2, SCCM 2012 SP1, UDM, Workplace Join by Kenny Buntinx [MVP]

Hi,

We’ve got in our lab environment our 2012 R2 Workplace Join environment up & running with one Windows 8.1 client successfully browsing the claims app. When we tried to workplace join an IPAD device, it could go as far as the Workplace Join screen.

If you want to know what ‘Workplace join’ is and how to manage it, please visit my earlier blog post at  http://scug.be/sccm/2014/05/20/workplace-join-with-adfs-3-0-device-registration-services-and-our-workplace-join-hitman-powershell-app-to-the-rescue/

Attempt to install the profile resulted in two different errors:

– On the Ipad you should see the profile install fail on the iPad. Assuming that the Apple iOS device is configured by using the over-the-air enrollment. An Apple certificate for the IOS device is expired. In this situation, you receive an error message that resembles the following: ‘Profile Installation Failed the server certificate for federation server name/otaprofile/profile?operation=enroll is invalid.’

– If I look on the ADFS WAP server , I see the following issue in the eventvwr

clip_image001

There are two main places you can start when troubleshooting an iOS-specific issue. 

1) The DRS event logs on the AD FS server.  May shed some light as to what is wrong.
2) The iOS device logs.  You’ll need to download the iPhone Configuration Utility (works with iPads as well).  http://support.apple.com/kb/DL1466

Microsoft has released a Hotfix for this http://support.microsoft.com/kb/2970746. Make sure to download and install it !

Hope it Helps ,

Kenny Buntinx

Enterprise Client Management MVP

Configmgr 2012 & Windows Intune SSO : Self- signed certificate for token signing is about to expire. Now What?

12:15 pm in ADFS, ADFS 2.1, ADFS 3.0, ConfigMgr 2012, configmgr 2012 R2, ConfigMgr 2012 SP1, intune, SCCM 2012, SCCM 2012 R2, SCCM 2012 SP1, sso, Windows Intune, Windows Intune Extensions, windows inune by Kenny Buntinx [MVP]

 

This morning at a customer , I received the following mail in my mailbox , saying that my ADFS token would expire.

AD FS 2.0 or 2.1 and probably 3.0 generates each year by default a new self- signed certificate for token signing 20 days before the certificate expires . Rollover of the certificate , or generate a new certificate when the existing certificate is about to expire , and make them the primary certificate , applies only to self-signed certificates that are generated by AD FS 2.x . The token signing certificate is essential for the stability of the Federation Service . If this is changed, the change must be reported to Windows Azure AD . Otherwise fail applications for cloud services such as my Windows Intune Service.

image

When the token signing certificate of your home AD FS organization expires, then federation metadata between AD FS and Office 365 falls out of synch. Equally, when changes are made on the Office 365 or Windows Intune that require updating the metadata, a similar issue arises. The “Microsoft Office 365 Federation Metadata Update Automation Installation Tool” script provide by the AD FS team checks the that federation metadata is validated regularly and any changes replicated between the two federating parties.

You must have the Microsoft Federation Metadata Update Automation Installation Tool download and configure your primary federation server or another recordable federation server, the Windows Azure AD Federation Metadata regularly automatically checks and updates so that changes in the certificate token-signing in the AD FS 2.1 Federation service will be copied automatically onto Windows Azure AD.

You can download the script here : http://gallery.technet.microsoft.com/scriptcenter/Office-365-Federation-27410bdc

The script is called : O365-Fed-MetaData-Update-Task-Installation.ps1

To execute this tool successfully:

  • You must make sure that you have installed the latest version of the Microsoft Online Services Module for Windows PowerShell 
  • You need to have a functioning AD FS 2.0 Federation Service (execute this on your primary ADFS server)
  • You need to have access to Global Administrator credentials for your Office 365 tenant
  • You need to have at least one verified domain in the Office 365 tenant must be of type ‘Federated’
  • This tool must be executed on a writable Federation Server
  • The currently logged on user must be a member of the local Administrators group
  • The Microsoft Online Services Module for Windows PowerShell must be installed. You can download the module from http://onlinehelp.microsoft.com/en-us/office365-enterprises/ff652560.aspx0

When running the tool and you comply with the above prerequisites , the following screenshot appears as shown below :

image

It’s worth bearing in mind that the password policy will render the script unusable in the event of a password change on either the Windows Intune side with the MSOL account you specify and the Domain side with the user account used to initiate the scheduled task. It is possible to create service accounts to do this on both sides. However, I’d consider the security consequences of such a change before automatically doing so. This can be done on the O365 side with an Office 365 standard account via the Set-MSOLUser cmdlet.

For example:  Set-MSOLUser –identity user@MyPreciousChosenDomain.onmicrosoft.com –PasswordNeverExpires $true –StrongPasswordRequired $true

The account could also technically be a federated account, but I don’t believe that’s a good idea. In the event that the trust is broken, then a federated account won’t be able to connect to MSOL to update the federated domain information and you would be in trouble big time!

To verify the scheduled task is executed correctly , open task scheduler and verify that the task is there :

image;-

That’s again an automated task , without worrying that your infrastructure is in danger :-)

Hope it Helps ,

Kenny Buntinx

Enterprise Client Management MVP

ADFS 2.1 in combo with windows Intune stops working with ‘Error: 15404, State: 19. Could not obtain information about Windows NT group/user ‘Domain\ADFS_srvc’, error code 0x5

12:17 pm in ADFS, ADFS 2.1, CM12, CM12 R2, CM12 SP1, intune, sso by Kenny Buntinx [MVP]

 

One day my ADFS authentication for Configmgr 2012 R2 and Windows Intune suddenly stopped. I  came across the following on the Active Directory Federation Services farm which uses WID (Windows internal Database) to store its configuration.

image

In words: An exception occurred while enqueueing a message in the target queue. Error: 15404, State: 19. Could not obtain information about Windows NT group/user ‘<Domain>\ADFS_srvc’, error code 0x5.

The solution: is to give the “Authenticated Users”  “Read Permissions” on the ADFS service account.

Hope it Helps ,

Kenny Buntinx

Enterprise Client Management MVP

ADFS 3.0 on Windows 2012 R2: adfssrv hangs in starting mode and makes you’re domain controller unusable after reboot

8:48 pm in ADFS, ADFS 3.0, Global Managed Service Account, gmsa, intune, MDM, UDM, Windows Server 2012 R2, Windws Intune by Kenny Buntinx [MVP]

 

Background :

With the arrival of ADFS 3.0 in Windows Server 2012 R2 the use of IIS with AD FS in Windows Server 2012 R2 has been eschewed in favour of a move to kernel-mode (HTTP.SYS). The motive is to improve performance, provide greater sign-in customization options and to be able for co-locating ADFS and AD Domain Services on the same server (IIS on domain controllers is from a security perspective a big no-no).

As the use of federation services goes more mainstream in everyday use with Windows 8.1, office 365 , intune , azure and whatever cloud service they come up with , this shift is understandable and an important design consideration.  With the new kernel-mode approach, support for running under server core also appears as an option in the new release.

Problem :

In my lab , I Installed and configured ADFS 3.0 om my domain controller with a global managed service account (gmsa). This is a new feature since ADDS 2012 was introduced. After a server reboot , the ADFS services cannot start anymore and it always stay in "starting" state , making your DC unusable.

This issue appears to be gMSA related, when you install ADFS 3.0 on a 2012R2 running AD DS, than after the reboot (not always) gMSA fails to authenticate on behalf of the ADFS Service under which the service is configured to run.

Solution:

After investigation, I found an unacceptable workaround, which is to :

1. Reboot the ADDS/ADFS3.0 server, logon and immediately set the ADFS Service from Automatic (Delayed) to Manual.

2. Change the Microsoft Key Distribution Service (kdssvc) service to auto (instead of manual trigger) and restart the DC.

3. Logon and start the ADFS service (starts successfully)

4. Set the ADFS Service from Manual to Automatic (Delayed) .

5. Done.

Keep it coming. We’re all learning ADFS 3.0 for Windows Intune  :-)

 

Hope it Helps ,

Kenny Buntinx

MVP Enterprise Client Management

Conquering BYOD with Implementing ConfigMgr 2012 R2 and Windows Intune,“ADFS”, “WAP”, “Workplace Join” and “Work Folders”. Part I

3:55 pm in ADFS, ADFS 2.1, ADFS 3.0, BYOD, WAP, Work Folders, Workplace Join by Kenny Buntinx [MVP]

 

In the next few posts, I wanted to take a look at the changes to be found in Windows Server 2012 R2 with respect to Active Directory Federation Services (AD FS) that is used for mainly Product and features such as “Windows Intune” , “Workplace Join” and “Work Folders” Introduced in windows 8.1 .

Through the new Workplace Join feature within R2, AD FS becomes a focal point for mobile access in the enterprise and an integral component in the Microsoft Bring Your Own Device (BYOD) vision. Workplace Join allows unmanaged/untrusted operating systems such as Windows RT/Windows 8.1 and IOS to be moved into a more controlled access context, by allowing their registration and affiliation with Active Directory.

Workplace Join is made possible by the Device Registration Service (DRS) that is included with the Active Directory Federation Role in Windows Server 2012 R2. When a device is Workplace Joined, the DRS provisions a device object in Active Directory and sets a certificate on the consumer device that is used to represent the device identity. The DRS is meant to be both internal and external facing. Companies that deploy both DRS and the Web Application Proxy will be able to Workplace Join devices from any internet connected location. To further secure this process, additional factors can be also used with Windows Azure Active Authentication (Phone Factor).

Work Folders is a brand new direction for enabling access to data in offline scenarios, along the lines of Dropbox and Skydrive Pro, but without the web and sharing features. Like most Microsoft OS features, Work Folders is tied to a specific release of Windows; however according to this Channel 9 video, Microsoft will release Work Folders for Windows 7, iOS and “other devices“ soon.

For all that technology to make it work, you will need to implement ADFS 3.0 which is only available in Windows Server 2012 R2 . The current levels of AFDS are difficult to find, so I will list them once more :

  • ADFS 2.0 – Windows 2003/2008/2008R2 (supported only for SSO in Windows Intune)
  • ADFS 2.1 – Windows 2012 (supported only for SSO in Windows Intune)
  • ADFS 3.0 – Windows 2012 R2 (supports SSO in Windows Intune , Workplace Join and Work Folders)

To be able to support ADFS 3.0, we will need some prerequisites that I will list below:

  • Forest Functional Level = min 2003 or higher

To check the ForestLevel –> Get-ADObject -Identity "cn=Schema,cn=Configuration,dc=vnextdemo,dc=be" -Properties * | Select objectVersion

  • Domain Controller OS = Min 2012 or higher

· If no DC 2012R2 then upgrade schema with Adprep. New Device class requires a schema change to Active Directory. For those upgrading an existing Windows setup, the appropriate files can be found on the R2 installation CD under D:\Support\ADPrep.

· If upgrading to 2012R2 for DC :

            • Execute following command PS C:\> netdom query FSMO
            • Then use the Move-ADDirectoryServerOperationMasterRole cmdlets to move them.  You can do this with a simple one liner! Move-ADDirectoryServerOperationMasterRole -identity "DC01" -OperationMasterRole 0,1,2,3,4

 

  • ADFS 3.0 and Web Application Proxy requires to be installed on Windows server 2012 R2 

 

In the next blog post , I will continue on how to setup the ADFS 3.0 to support “Windows Intune” , “Workplace Join” and “Work Folders”. So stay tuned for Part II

 

Hope it Helps ,

Kenny Buntinx

Enterprise Client Management MVP

Windows Phone 8 not enrolling with the “Support Tool for Windows Intune Trial Management of Window Phone 8”

8:47 am in ADFS, Cloud, CM12, ConfigMgr 2012 SP1, intune, SCCM 2012 SP1, Windows Intune by Kenny Buntinx [MVP]

 

At a customer and integrating/managing Windows Phone 8 with Windows Intune and System Center Configuration Manager 2012 SP1 ? Using the Support Tool for Windows Intune Trial Management of Window Phone 8 (can be downloaded at http://www.microsoft.com/en-sg/download/details.aspx?id=39079) ?

The Support Tool for Windows Intune Trial Management of Window Phone 8 facilitates Microsoft System Center 2012 Configuration Manager admins to try out Windows Phone 8 software distribution scenarios during the Trial period.

However we couldn’t get our Windows phone 8 enrolled. It always came back with the following error on the phone : “We weren’t able to set up this company account on your phone”.

Verify the following before going forward :

  • If Are you using ADFS , check my previous blog post “Troubleshooting ADFS 2.1 Services for Windows Intune (WaveD)”.
  • Have you synced your AD accounts to Azure AD? Is dirsync working correctly ? Check from Azure AD that you see your local AD users there.
  • Make sure the UPN is set correctly to your Domain ( SCUG.be instead of scug.onmicrosoft.com)
  • Set CNAME to manage.microsoft.com

SNAGHTMLfb3cfe6

  • Reset your Users password. Because the user must reset the password after the first logon, logon to e.g. portal.manage.microsoft.com with the user account, before enrolling the device.
  • It is important that you first synchronize your AD users to Azure and after that add the user account to user collection that is allowed to enroll the devices. If you first add the user to the collection and the new user is not in Azure AD, you need to wait up to 24 h. (Tnx to my fellow MVP Panu Sauko!)
  • If you get the latter error message, change the language & regional settings of your mobile phone to en-US and try to enroll again. (Tnx to my fellow MVP Panu Sauko!)

Going down in the logs , by the way very difficult on a Windows phone 8 or Windows Intune side , the only option was to look into the System Center Configuration Manager Log files .

Looking in the dmpdownloader.log and found the following line appearing every time I tried to enroll the WP8 device . Strange .

ERROR: Service health log: WP appStoreURI is missing for account 73dab792-979c-40be-947b-b7c8040e725b and userId ******************************33d16d

image

Solution :

Apparently to that message , it seems that we have Certificate issues on the Company portal . After re-registering the steps below , it works . Before it executed also successfully ,and I thought everything was OK , but I was wrong. So if you have the above error message “ Service health log: WP appStoreURI is missing for account “ , it means there is something wrong with your company portal and signed certificates.

  • Step 1 : Disable the Windows Phone 8 support on the intune connector :

image

1.  Create your application “Company portal” that is included in the toolkit.

2. The first step to enable the management of Windows Phone 8 devices is to run the script that is included  cscript ConfigureWP8Settings.vbs <server> QuerySSPModelName . It is important to notate the Scope_ID<GUID> information as it will be used in the next step.

3.  Next we need to run the script again but this time in Save mode with the SSP name to populate the necessary certificate information that enables Windows Phone 8 Management.  The command will will use this time is: cscript ConfigureWP8Settings.vbs <server> SaveSettings <Company Portal name> where <Company Portal name> is the output for Model Name from the earlier step.

4.  After completion of the steps above, you can now verify that Windows Phone 8 device management is enabled.  

image

Now you can enroll your Windows Phone 8 devices in your Windows Intune Unified Trial Account. It works like a charm now .

image

Hope it Helps ,

Kenny Buntinx

MVP enterprise Client Management

Windows Intune & Dirsync : Error message “stopped-server-down” (FIM Synchronization Service Manager)

11:24 am in ADFS, dirsync, FIM, intune by Kenny Buntinx [MVP]

 

In Windows Intune , you need dirsync to synchronize your users between on-premise AD and Azure AD. Already a few days we received a mail that states ": There was no AD synchronization with Azure AD” … Weird .

Running Dirsync for Windows Intune (same as Office 365) , which is actually a special version of FIM 2010 (Forefront Identity Manager).When installing Dirsync , by default it is set to synchronize your on premise Active Directory with Azure Active Directory for every 3 hours.

At first sight , Dirsync looks like a big black box .Event viewer is around , but doesn’t tell you much :

image

You won’t find any shortcut to the Synchronization Service Manager but you will find it here  "C:Program FilesMicrosoft Online Directory SyncSYNCBUSSynchronization ServiceUIShellmiisclient.exe".

If you launch the Synchronization Service Manager , you will find the same information :

image

This error message doesn’t really tell you much, but if you look closely , “TargetWebService” is the connection to Azure AD and as you can see the status of “stopped-server-down”.

Digging deeper in to the event viewer , we found : “An unknown error occurred with the Microsoft Online Services Sign-in Assistant. Contact Technical Support. GetAuthState() failed with -2147186688 state. HResult: (0×80048831)”.Looking this up on the internet , this error message actually means is that the service account that you use to connect to Windows Intune has an expired password.

To fix this, open the “Windows Azure Active Directory Module for Windows PowerShell” and set a new password for the service account and to avoid it in the future add the parameter “–passwordneverexpires”

Set-MsolUserPassword –userPrincipalName dummy@intune.com -NewPassword "pa$$word"

Set-MsolUser –UserPricipalName dummy@intune.com –passwordneverexpires $true

Now go in to the Management Agents tab in Synchronization Service Manager, right-click on TargetWebService and click on Properties.Change your new password here

image

 

Hope it Helps ,

Kenny Buntinx

MVP Enterprise Client Management