You are browsing the archive for Cloud.

How to replace expired certificates on ADFS 3.0 the right way

1:44 pm in 2012R2, ADFS, ADFS 3.0, BYOD, certificates, Cloud, Enterprise Mobility Suite, Global Managed Service Account, IIS, Known Issue, Lab, Power Management, WAP, Web Application Proxy by Kenny Buntinx [MVP]

 

As with all IT equipment that is using certificates for enhanced security, there will be a time when the certificates expire and it will need to be replaced. Below you will find the procedure for ADFS 3.0 and the Web Application Proxy:

First step is to create a new CSR on one of you’re servers and request a renewal of the existing certificate ( in our case a *.demolabs.be) . After the request has been processed , download your certificate and import the certificate on the server where you created the CRS earlier. For ADFS / WAP it is very important you will have the private key exported with the certificate. You can only export the certificate with a private key on the sever where you previously created the CSR .Export with private keys to *.pfx and import on WAP + ADFS

If you do not do it as described above with and export of the private keys , you will face issues even if you did it exactly as described below as shown in the screenshot below :

image

 

Follow the procedure below , starting with the ADFS server:

  1. Log onto the ADFS server.
  2. Import the new (exported with private key) certificate to the server. Make sure this is added to the personal certificate store for the computer account.
  3. Find your thumbprint for the new certificate. Either use the GUI thru the MMC to see the details of the certificate or us powershell with Run Get-AdfsSslCertificate.. Take a copy of the thumbprint and ensure that the spaces are removed.
  4. Make sure that the service account that is running the ‘Active Directory Federation Services’ service is granted read access to the private key.
  5. Launch AD FS Management, expand ‘Service’ within the left pane and click ‘Certificates’ , then click ‘Set Service Communications Certificate

image

 

  1. Restart the ADFS services. However this is not enough. Changes made in  the GUI does not change the configuration based on the HTTP.sys. To complete the configuration change, run the following PowerShell command : Set-AdfsSslCertificate –Thumbprint <Thumbprintofyourcertificate>.
  2. Make sure to restart the server

Now you need to log onto the WAP server.

  1. Import the new (exported with private key) certificate to the server as in step 1. 
  2. Run the PowerShell commando for changing the certificate: Set-WebApplicationProxySslCedrtificate –Thumbprint <Thumbprintofyourcertificate>
  3. All of your publishing rules defined in the WAP need to be updated with the thumbprint of the new certificate. Use Powershell for  updating them with the new thumbprint. Run: Get-WebApplicationProxyApplication –Name “WebAppPublishingRuleName” | Set-WebApplicationProxyApplication –ExternalCertificateThumbprint “<Thumbprintofyourcertificate>”
  4. Restart the Web Application Proxy services to complete the configuration

Now you are done and you are a happy admin once more . Took me some time to figure it out .

Hope it Helps ,

Kenny Buntinx

MVP Enterprise Client Management

Windows Intune & ConfigMgr 2012 : Notes from the field around Compliance Settings and enrollment

4:00 pm in BYOD, Cloud, CM12, CM12 R2, configmgr 2012 R2, ConfigMgr 2012 SP1, ECM, email Profile, email Profiles, intune, iOS, ipa, Ipad, ITPROceed, MDM, OMA-DM, OMA-URI, personal, plist, policy, SCCM 2012, sccm 2012 R2, SCCM 2012 R2, SCCM 2012 SP1, UDM, windows 8.1, Windows Intune, Windows Intune Extensions, Windows Phone 8.1, Windws Intune, Work Folders, WP 8.1 by Kenny Buntinx [MVP]

 

Today there isn’t much hands on information about managing mobile devices such as Windows Phone , iPhone or Android using the MDM solution with Windows Intune and System Center Configuration Manager 2012 R2. This blog post is intended to give you better knowledge and to consolidate the earlier blogs I have been writing. Troubleshoot MDM in Intune / ConfigMgr

The big challenge is troubleshooting mobile device management in general, but particularly using ConfigMgr and Intune because a current Configmgr is a product that is known for its extensive logging.

With Windows Intune connected to System Center Configuration Manager 2012 R2, you have 6 log files on premise where you can look into:

  • ConnectorSetup.log (Records details of connector role installation)
  • FeatureExtensionInstaller.log (Records information about the installation and removal of individual extensions when they are enabled or disabled in the Configuration Manager console)
  • CertMgr.log (Records certificate and proxy account information)
  • Cloudusersync.log (Records license enablement for users)
  • DMPuploader.log (Records details for uploading database changes to Windows Intune)
  • DMPdownloader.log (Records details on downloads from Windows Intune)

1. Enrolling the mobile devices

  • OMA-DM and OMA-URI:

First of all, you will need to know what OMA-DM is. OMA-DM is an open standard that Apple – Android and Microsoft are using. All MDM solutions use the OMA-DM API to manage those devices. More information on OMA-DM can be found here.

Microsoft has released together with WP 8.1, a comprehensive guide called; ‘Windows Phone 8.1 MDM protocol documentation’. You will need this guide as a reference to find all custom not-so-out-of-the-box OMA-URI’s. An OMA-URI can be seen as a registry setting or hive. You can download it here.

If enrollment does not work, please verify that the right platform is selected in your “windows Intune Subscription”, otherwise you will get these kind of errors:

ERROR: Service health log: User ‘******************************32ad82′ is not eligible to enroll a device of type ‘WindowsPhone’. Reason ‘DeviceTypeNotSupported’.

clip_image002[4]

  • Enrollment for Windows Phone 8 or 8.1:

Enrollment for Windows Phone happens does not have the same experience like IOS or Android. With Windows Phone 8 or 8.1 you will need to go to the settings page and search for either ‘company portal’ or ‘workplace join’. Don’t you love Microsoft’s consistency here?

  • Trouble enrolling your Windows Phone?

SSP portal software Certificate Signing :

Make sure that your SSP portal software is signed with either your personal ‘Symantec Certificate’ you need to buy or you use the “support tool for Windows Intune”. Download the company portal at Windows Intune Company Portal for Windows Phone.

If the SSP Portal is not signed correctly or the certificate expired, your phones will stop enrolling and you’ll never get any error message. It just shows you on the phone it can’t find the server…

Read the release notes for sure :

Read here: http://technet.microsoft.com/en-us/library/jj662694.aspx

Windows Phone 8.1 devices fail to enroll with Windows Intune when device authentication is enabled in AD FS 2012 R2 (aka 3.0) called ‘Workplace Join’.

Issue: When you enroll a Windows Phone 8.1 device, enrollment fails if the optional setting for device authentication is enabled as part of global authentication policy in Active Directory Federated Services (AD FS).

Workaround: Disable device authentication on the AD FS server by unchecking Enable device authentication in Edit Global Authentication Policy.

  • Your phone is enrolled and you want to protect it from enrollment?

You have corporate owned Windows Phones and you want the option when a ‘device owner’ in CM12 R2 is set to “corporate” , a user can’t un-enroll a “corporate” device and to prevent them from doing so , unless you are the ConfigMgr 2012 MDM admin.

As this seemed a logic to me, we couldn’t do it out of the box with windows phone 8 or 8.1 and Windows Intune. Missed opportunity, I would say. However with the launch of Windows Phone 8.1 at Build conference , there was a new set of OMA-DM management capabilities being added.

Read the complete blog post on how to do it here:

ConfigMgr 2012 R2 & Windows Intune UDM : How to prevent an “End-User” can un-enroll his “Corporate” Windows Phone 8.1 at http://scug.be/sccm/2014/04/24/configmgr-2012-r2-windows-intune-udm-how-to-prevent-an-end-user-can-un-enroll-his-corporate-windows-phone-8-1/

  • Enrollment for IOS or Android :

On an iOS device open the Apple App Store., search for Company Portal, select the Windows Intune Company Portal from the list of available apps. Once installed, open the application and ‘Click’ on Add Device, You will be presented with information about the portal, click on Add in the top right corner.

There are no specific requirements for enrolling Android devices except enrolling thru the Self Service Portal.

2. Debugging on the mobile devices

There really are not that much you can see in terms of what is going on between the Intune tenants in the cloud and the mobile device itself. There is no real interface to push or pull stuff so you are pretty much left in the dark many times.

However most of the changes made in ConfigMgr are replicated up to the Intune Cloud service every 5 minutes. Apart from that you just will have to wait for things to happen.

  • WP 8 / 8.1: Really nothing you can see on the device. No log file that you can find, retrieve or view. Microsoft should really do something about this.

 

  • IOS: Shake it, shake it hard! There is however one log file and that can be accessed from an iOS device by logging into the Company Portal app. After login, shake the iPhone or iPad. Shake the phone and you will see options to send the log file via email for further analysis.

Funny Note: The shake action is disable-able from iOS / Settings area.  For a fun practical joke on a colleague you can disable the shake action and see how long they shake the device before giving up!

  • Android: No specific experiences , but honestly , I don’t think there is something that Microsoft provides out of the box

If you get the UserLicenseTypeInvalid error message when trying to enroll an iOS/Andriod device , most likely this is due to users not being synced or having an issue with the Configmgr AD user discovery or if the ConfigMgr connector to the Intune service didn’t sync properly as than they are missing from the “Intune users” collection.

3. Targeting the mobile devices

Divide Mobile devices into different collections for Windows Phones, Windows RT, Android, iPads and iPhones if you for instance want to target different compliance settings to different sets of devices.

Create your collections based on the class “Mobile Device Computer System” where the “Device Model” is your key identifier.

  • The query to list all Windows Phone 8 in a collection:

select SMS_R_System.ResourceId, SMS_R_System.ResourceType, SMS_R_System.Name, SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORWorkgroup, SMS_R_System.Client from SMS_R_System inner join SMS_G_System_DEVICE_OSINFORMATION on SMS_G_System_DEVICE_OSINFORMATION.ResourceID = SMS_R_System.ResourceId where SMS_G_System_DEVICE_OSINFORMATION.Platform like "Windows Phone" and SMS_G_System_DEVICE_OSINFORMATION.Version like "8.0%"

  • The query to list all Windows Phone 8.1 in a collection:

select SMS_R_System.ResourceId, SMS_R_System.ResourceType, SMS_R_System.Name, SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORWorkgroup, SMS_R_System.Client from SMS_R_System inner join SMS_G_System_DEVICE_OSINFORMATION on SMS_G_System_DEVICE_OSINFORMATION.ResourceID = SMS_R_System.ResourceId where SMS_G_System_DEVICE_OSINFORMATION.Platform like "Windows Phone" and SMS_G_System_DEVICE_OSINFORMATION.Version like "8.1%"

  • The query to list all Windows Phone RT in a collection:

select SMS_R_System.ResourceId, SMS_R_System.ResourceType, SMS_R_System.Name, SMS_R_System.SMSUniqueIdentifier, SMS_R_System.ResourceDomainORWorkgroup, SMS_R_System.Client from SMS_R_System inner join SMS_G_System_COMPUTER_SYSTEM on SMS_G_System_COMPUTER_SYSTEM.ResourceId = SMS_R_System.ResourceId where SMS_G_System_COMPUTER_SYSTEM.Model like "Surface%"

  • The query to list all iPhones in a collection:

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,
SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,
SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_DEVICE_COMPUTERSYSTEM on SMS_G_System_DEVICE_COMPUTERSYSTEM.ResourceId = SMS_R_System.ResourceId where SMS_G_System_DEVICE_COMPUTERSYSTEM.DeviceModel like "%iphone%"

  • The query to list all iPads in a collection:

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,
SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,
SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_DEVICE_COMPUTERSYSTEM on SMS_G_System_DEVICE_COMPUTERSYSTEM.ResourceId = SMS_R_System.ResourceId where SMS_G_System_DEVICE_COMPUTERSYSTEM.DeviceModel like "%ipad%"

  • The query to list all Android in a collection:

select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,
SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,
SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_DEVICE_COMPUTERSYSTEM on SMS_G_System_DEVICE_COMPUTERSYSTEM.ResourceId = SMS_R_System.ResourceId where SMS_G_System_DEVICE_COMPUTERSYSTEM.DeviceModel like "Android%"

4. Targeting Applications on the mobile devices

WP 8 / 8.1:

You first need to join the Windows Phone Dev Center before you can request a code-signing certificate from Symantec. Your Windows Phone Dev Center account is required to obtain a code signing certificate from Symantec. If you are not in a hurry and want to do a POC or for a trial certificate, see Support tool for Windows Phone trial management .

This Symantec certificate is needed to deploy the company portal app. Download the company portal at Windows Intune Company Portal for Windows Phone.

Windows Phone 8.1 can handle *.xap, *.appx, *.appxbundle while windows phone 8.0 can only handle *.xap

  • Deploy it as ‘Available’ to Users:

This will make the application published and available for install, but only in the SSP Portal.

  • Deploy it as ‘Required’ to Users:

This will install the app automatically for targeted users. It will silently install the application.

  • Deploy it as ‘Required’ to Devices:

This will install the app automatically for targeted devices. It will silently install the application.

  • Remote Uninstall for apps deployed to users and devices:

This will silently uninstall the app automatically for targeted devices.

Windows RT devices :

This post contains the steps which you, as an IT administrator, can perform to troubleshoot and investigate software distribution (download and install) issues on the Windows RT client

http://blogs.technet.com/b/configmgrteam/archive/2013/03/13/troubleshooting-windows-rt-client-software-distribution-issues.aspx

IOS:

To sideload an application *.ipa you need either to have developed it in-house or bought it from a developer who allows you to side load it and have a correct Apple developer account as well. https://developer.apple.com/programs/ios/

You cannot side load an app that you have downloaded and paid for in ITunes, which would be wrong in terms of license agreements. For those applications, you can create a link to the application in Appstore and distribute that link.

So if you want to side load an application that you bought from Appstore, I would suggest that you Contact that Company/developer and see if they are interested in selling the application to you that way instead of through the Appstore.

There are a number of ways of deploying apps to iOS devices throughout your enterprise. You can purchase and assign apps with MDM through the Volume Purchase Program (VPP), or create and deploy your own in-house apps by joining the iOS Developer Enterprise Program. Additionally, if you are in a shared-device deployment scenario you can install apps and content locally with Apple Configurator or your MDM solutions such as Windows Intune.

When deploying an IPA you have three options:

  • Deploy it as ‘Available’ to Users:

This will make the application published and available for install, but only in the SSP Portal.

  • Deploy it as ‘Required’ to Users:

This will install the app automatically for targeted users. A note will pop up on the screen of the iOS device asking if “Microsoft” is allowed to install the application. After clicking OK the app gets installed.

  • Deploy it as ‘Required’ to Devices:

This will install the app automatically for targeted devices. A note will pop up on the screen of the iOS device asking if “Microsoft” is allowed to install the application. After clicking OK the app gets installed.

I have written a blog post to clarify the support around CM12 and intune : Deploying Windows *.ipa IOS Applications requires a *.plist file at http://scug.be/sccm/2014/03/18/cm12-and-intune-deploying-windows-ipa-ios-applications-requires-a-plist-file/

  • Remote Uninstall for apps deployed to users and devices:

This will silently uninstall the app automatically for targeted devices.

Android:

As I have not deployed any software to android devices so far, I am going to exclude this section from any comment.

5. Providing Company Resource Access the mobile devices

When a user enrolls their device into Windows Intune, an organization’s certificates, Wi-Fi, VPN, and email profiles can automatically be configured on the device.   This will enable users to quickly access internal corporate resources with the appropriate security configurations set, without having to call the help desk.  Access to email and corporate data stored in OneDrive for Business can be automatically restricted if a user tries to access those resources on a device which is not enrolled for management.  Access can automatically be restricted if the device is de-enrolled from Windows Intune or falls out of the compliance policy set by the administrator.  For example, if someone jailbreaks their previously-enrolled iPad, access to Exchange and OneDrive for Business can be revoked until the problem is corrected.

As a cloud service, The ‘Extensions for Windows Intune’ feature provides frequent, dynamic feature updates to System Center 2012 R2 Configuration Manager without any on-premises infrastructure update roughly every quarter. The product team is currently rolling out those updates to ConfigMgr thru the so called “Windows Intune extensions or ‘W.E.A.V.E’ feature which provides additional support for additional released Windows Intune features for Unified Device Management.

I have written a blog post that explains it into detail about those so called CM12 Intune extensions:

CM12 Extensions for Windows Intune: Resources and gotcha’s at http://scug.be/sccm/2014/02/11/cm12-extensions-for-windows-intune-resources-and-gotchas/

On the other hand we have:

Email Profiles:

Extensions like email profile provisioning make it very easy for end users to connect to corporate email from their mobile devices while at the same time, it ensures that administrators can protect corporate data by having the ability to selectively wipe email from lost or stolen mobile devices

The ConfigMgr administrator can now configure email profiles that supply both email server information and related policies.However sometimes the profile doesn’t come down and therefore I have written the following blob that explains into detail:

Configmgr 2012 and Intune: Provisioning Email Profiles and the why the profile may not turn up on devices such as an Ipad at http://scug.be/sccm/2014/03/21/sysctr-configmgr-2012-and-intune-provisioning-email-profiles-and-the-why-the-profile-may-not-turn-up-on-devices-such-as-an-ipad/

TIP: Be aware that this profile can only be deployed to a ‘User based Collections’

Certificate Profiles:

Certificate profiles in System Center 2012 Configuration Manager works with Active Directory Certificate Services and the Network Device Enrollment Service (NDES) role to provision authentication certificates for managed devices so that users can seamlessly access company resources.

For example, you can create and deploy certificate profiles to provide the necessary certificates for users to initiate VPN and wireless connections.

Certificate profiles in Configuration Manager provide the following management capabilities:

  • Certificate enrollment and renewal from an enterprise certification authority (CA) for devices that run iOS, Windows 8.1, Windows RT 8.1, and Android, These certificates can then be used for Wi-Fi and VPN connections.
  • Deployment of trusted root CA certificates and intermediate CA certificates to configure a chain of trust on devices for VPN and Wi-Fi connections when server authentication is required.
  • Monitor and report about the installed certificates.

TIP: Be aware that this profile can be deployed to ‘User based Collections’ or ‘Device based Collections’

VPN Profiles:

VPN profiles in System Center 2012 Configuration Manager provide a set of tools and resources to help you create, deploy, and monitor VPN profiles. By deploying these settings, you reduce the end-user effort that is required to connect to resources on the company network.

When a VPN profile deployment is removed, the VPN profile is not removed from client devices. If you want to remove the profile from devices, you must manually remove it.

TIP: Be aware that this profile can only be deployed to a ‘User based Collections’

Wi-Fi Profiles:

Wi-Fi profiles in System Center 2012 Configuration Manager provide a set of tools and resources to help you create, deploy, and monitor wireless network settings to devices in your organization. By deploying these settings, you minimize the effort that end users require to connect to corporate wireless networks.

When a Wi-Fi profile deployment is removed, the Wi-Fi profile is not removed from client devices. If you want to remove the profile from devices, you must manually remove it.

TIP: Be aware that this profile can only be deployed to a ‘User based Collections’

6. Calling Microsoft (Intune) Support

Do not hesitate to contact the Intune technical support whenever you encounter a problem. As you have no insight into Intune contacting support is many times the only way to figure it what is or what is not going on with your mobile device management.  Support phone numbers for Intune specifically are listed at the Microsoft Support web site.

They will need the following information to help you solving the case swiftly, please collect that information before calling Microsoft PSS/CSS

Search criteria

  • LSU, MSU, account id, user id(last 6 digits)
  • email domain or other feature specific keyword
  • Time of incident (time zone)
  • Logs (DMPUploader.log, DMPDownloader.log, CloudUserSync.log)

Example

  • AccountId : 21c26ac1……29b40f
  • LsuId           : LSUA01
  • MsuId         : MSUA01
  • UserID : ……d7facc
  • Domain : contoso.onmicrosoft.com

Hope it Helps ,

Kenny Buntinx

MVP enterprise Client Management

Windows Phone 8 not enrolling with the “Support Tool for Windows Intune Trial Management of Window Phone 8”

8:47 am in ADFS, Cloud, CM12, ConfigMgr 2012 SP1, intune, SCCM 2012 SP1, Windows Intune by Kenny Buntinx [MVP]

 

At a customer and integrating/managing Windows Phone 8 with Windows Intune and System Center Configuration Manager 2012 SP1 ? Using the Support Tool for Windows Intune Trial Management of Window Phone 8 (can be downloaded at http://www.microsoft.com/en-sg/download/details.aspx?id=39079) ?

The Support Tool for Windows Intune Trial Management of Window Phone 8 facilitates Microsoft System Center 2012 Configuration Manager admins to try out Windows Phone 8 software distribution scenarios during the Trial period.

However we couldn’t get our Windows phone 8 enrolled. It always came back with the following error on the phone : “We weren’t able to set up this company account on your phone”.

Verify the following before going forward :

  • If Are you using ADFS , check my previous blog post “Troubleshooting ADFS 2.1 Services for Windows Intune (WaveD)”.
  • Have you synced your AD accounts to Azure AD? Is dirsync working correctly ? Check from Azure AD that you see your local AD users there.
  • Make sure the UPN is set correctly to your Domain ( SCUG.be instead of scug.onmicrosoft.com)
  • Set CNAME to manage.microsoft.com

SNAGHTMLfb3cfe6

  • Reset your Users password. Because the user must reset the password after the first logon, logon to e.g. portal.manage.microsoft.com with the user account, before enrolling the device.
  • It is important that you first synchronize your AD users to Azure and after that add the user account to user collection that is allowed to enroll the devices. If you first add the user to the collection and the new user is not in Azure AD, you need to wait up to 24 h. (Tnx to my fellow MVP Panu Sauko!)
  • If you get the latter error message, change the language & regional settings of your mobile phone to en-US and try to enroll again. (Tnx to my fellow MVP Panu Sauko!)

Going down in the logs , by the way very difficult on a Windows phone 8 or Windows Intune side , the only option was to look into the System Center Configuration Manager Log files .

Looking in the dmpdownloader.log and found the following line appearing every time I tried to enroll the WP8 device . Strange .

ERROR: Service health log: WP appStoreURI is missing for account 73dab792-979c-40be-947b-b7c8040e725b and userId ******************************33d16d

image

Solution :

Apparently to that message , it seems that we have Certificate issues on the Company portal . After re-registering the steps below , it works . Before it executed also successfully ,and I thought everything was OK , but I was wrong. So if you have the above error message “ Service health log: WP appStoreURI is missing for account “ , it means there is something wrong with your company portal and signed certificates.

  • Step 1 : Disable the Windows Phone 8 support on the intune connector :

image

1.  Create your application “Company portal” that is included in the toolkit.

2. The first step to enable the management of Windows Phone 8 devices is to run the script that is included  cscript ConfigureWP8Settings.vbs <server> QuerySSPModelName . It is important to notate the Scope_ID<GUID> information as it will be used in the next step.

3.  Next we need to run the script again but this time in Save mode with the SSP name to populate the necessary certificate information that enables Windows Phone 8 Management.  The command will will use this time is: cscript ConfigureWP8Settings.vbs <server> SaveSettings <Company Portal name> where <Company Portal name> is the output for Model Name from the earlier step.

4.  After completion of the steps above, you can now verify that Windows Phone 8 device management is enabled.  

image

Now you can enroll your Windows Phone 8 devices in your Windows Intune Unified Trial Account. It works like a charm now .

image

Hope it Helps ,

Kenny Buntinx

MVP enterprise Client Management

Prepare to Install ADFS 2.1 Services to have SingleSignOn (SSO) in Windows Intune (WaveD) – Part 2

12:09 pm in ADFS, Cloud, CM12, ConfigMgr 2012 SP1, intune, SCCM 2012 SP1, Server 2012, WaveD, windows inune by Kenny Buntinx [MVP]

 

In my previous blog posts “Prepare to Install ADFS 2.1 Services to have SingleSignOn (SSO) in Windows Intune (WaveD) – Part 1” I explained the genaeral design and concept for setting up SSO with ADFS  at “http://scug.be/sccm/2013/07/04/prepare-to-install-adfs-2-1-services-to-have-singlesignon-sso-in-windows-intune-waved/

This article takes it step-by-step through initializing a new domain in Windows Intune WaveD , its verification, and configuration for single sign-on. This guide will show how to perform these steps on Windows Server 2012 with AD FS 2.1.

Again our design we are going to follow :

SNAG-0333

Determine the ADFS Farm Name

We really need to get this information sorted first, because our certificate requests will be based on the FQDN of the farm name, and it isn’t possible to install ADFS services without a certificate.

We’ll use “Federation.scug.be” – this name will be used by by Windows Intune federation services. This certificate absolutely must be issued by a public CA.

Request a Certificate

Really quick overview of ADFS certificates: there are three certificates used by ADFS; one is used for server authentication and the remaining two certificates are used for ADFS token signing and verification

For best practice and supportability this certificate should NOT a wildcard certificate. However my wildcard certificates were working flawless, but if you go that way and something does not work later down the road, your support options may be limited at this time.

Service Account for ADFS Federation Service

Next, we will create a service account for the purpose of installing and running ADFS Federation Service. This service account will be used to perform initial installation of the service as well as the WID SQL databases. During this initial installation, the service creates certificate containers in Active Directory, as well as SPN records for the shared IIS pool identity. To perform these tasks, the service account must be at least a Domain Admin.

Install ADFS Service on the First Windows Server 2012 Server (FED1PRD.SCUG.BE)

Prerequisites :

  • Make sure that you installed the ADFS Services thru “Add Roles and Features”.
  • Make sure you have copied your *.SCUG.be certificate on your ADFS Servers
  • Make sure they are added to the domain
  • Your Active Directory Domain must be in Windows 2003 mixed or native mode.

1. Open the wizard and select “Create a new Federation Wizard” …

image

2. Provide your SSL certificate and Federation Service Name …

image

3. Provide your Service Account and password …

ADFS_3

4. Click Next tot continue after reviewing…

image

5. When everything is ok , click close to close the wizard.

clip_image002

Install ADFS Service on the Second Windows Server 2012 Server (FED2PRD.SCUG.BE)

1. Open the wizard and select “Add a federation server to an existing Federation Service” …

clip_image002[5]

2. Specify your primary federation Server name and your ADFS service account .

image

3. Click next to install and finish

clip_image002[7]

Important :

Create a host file on the FED1PRD.SCUG.BE and FED2PRD.SCUG.BE with the following line:

image

Now your ADFS Farm is installed and configured correctly.Now let’s show you how to introduce an AD FS Proxy Server.

In addition to adding two federation server proxies, you must make sure that your perimeter network can also provide access to a Domain Name System (DNS) server and to a second hardware Network Load Balancing host. The second NLB host must be configured with an NLB cluster that uses an Internet-accessible cluster IP address, and it must use the same cluster DNS name (federation.SCUG.be) setting as the previous NLB cluster that you configured on the corporate network (Federation.scug.be). The federation server proxies should also be configured with Internet-accessible IP addresses.

Note: All the servers / clients communication is established over port 443, make sure that port 443 is allowed from and to the internal AD FS host server to the AD FS proxy servers, as well from the Internet to the AD FS proxy servers

 

Importing the Certificate on FED1PRD.SCUG.BE and FED2PRD.SCUG.BE

After that , Import your *.SCUG.BE certificate on FED1PRD.SCUG.BE and FED2PRD.SCUG.BE in your website as described below :

After the certificate has been imported, you’ll want to verify it by going back to Server Certificates in IIS.

image

Next, you’ll need to add the Certificate to the Default Web Site.  With the Default Web Site Selected click Bindings.

image

Click Add

image

Choose Type https, IP addresss All Unassigned, and Port 443.  Then select the newly imported certificate and click Ok.

image

The site bindings should now look like:

image

 

Install ADFS Proxy Servers on Windows Server 2012 Server (ADFSPROXY01 – ADFSPROXY02)

1. Select “ADFS Federation Services Proxy” thru “Add Roles and Features”.

clip_image002[9]

2. Leave the defaults selected and select “Next”

clip_image002[11]

3.Hit “install” button.

clip_image002[13]

Important :

Create a host file on the ADFSPROXY01 and ADFSPROXY with the following line:

 image

Note: All the servers / clients communication is established over port 443, make sure that port 443 is allowed from and to the internal AD FS host server to the AD FS proxy servers, as well from the Internet to the AD FS proxy servers

 

Importing the Certificate on ADFSPROXY01 and ADFSPROXY02

After that , Import your *.SCUG.BE certificate on ADFSPROXY01 and ADFSPROXY02 in your website as described below :

After the certificate has been imported, you’ll want to verify it by going back to Server Certificates in IIS.

image

Next, you’ll need to add the Certificate to the Default Web Site.  With the Default Web Site Selected click Bindings.

image

Click Add

image

Choose Type https, IP addresss All Unassigned, and Port 443.  Then select the newly imported certificate and click Ok.

image

The site bindings should now look like:

image

 

DNS Configuration

  • Configure internal DNS to point to the federation hosts cluster (NLB) IP
  • Set up a host (A) record for the domain (federation.scug.be) on a public-facing DNS server for external name resolution to point to the proxy servers cluster (NLB)

Optional – in case the proxy servers doesn’t have DNS connectivity to the internal DNS server, you can configure the host file (see above topic) on each server to resolve the AD FS host servers name

 

The end

Now your ADFS Farm is completely installed and configured correctly.

This brings us to the end of this post. In the next few posts, we’ll cover additional configuration and troubleshooting steps and bring this Windows Intune SSO / ADFS 2.1 infrastructure on Windows Server 2012 to a usable state.

Stay Tuned !

 

Hope it Helps ,

Kenny Buntinx

Enterprise Client MVP

Download the Latest Evaluation software to build your Private Cloud with System Center

7:10 pm in Cloud, Private Cloud, System Center by Kenny Buntinx [MVP]

Did you ever wanted to build and test out a  “Private Cloud” ? The core is the System Center suite.

In order to build and test out a “Private Cloud” with  the System Center and Hyper-V stack , you can find the following evaluation versions of the software below :

 

Datacenter or Enterprise editions to look at Hyper-V

Free Server just Hyper-V No Windows Server (Free)

VMware , Hyper-V or Xen can both be managed by this current product

The 2012 version of SCVMM . A better way to manage any virtualization and can work with different fabric.

Known as SCOM helps you monitor what’s going on real time with your operations

Known as SCCM, The product that helps you roll out clients or servers and properly configure them and baseline them.

The next version of SCCM which is really a brand new product.

 

Hope it Helps ,

 

Kenny Buntinx

·