Prepare to Install ADFS 2.1 Services to have SingleSignOn (SSO) in Windows Intune (WaveD) – Part 2

12:09 pm in ADFS, Cloud, CM12, ConfigMgr 2012 SP1, intune, SCCM 2012 SP1, Server 2012, WaveD, windows intune by Kenny Buntinx [MVP]

In my previous blog post “Prepare to Install ADFS 2.1 Services to have SingleSignOn (SSO) in Windows Intune (WaveD) – Part 1” I explained the general design and concept for setting up SSO with AD FS: http://scug.be/sccm/2013/07/04/prepare-to-install-adfs-2-1-services-to-have-singlesignon-sso-in-windows-intune-waved/

This article takes you step by step through initializing a new domain in Windows Intune WaveD, verifying it, and configuring it for single sign-on. It shows how to perform these steps on Windows Server 2012 with AD FS 2.1.

Again, this is the design we are going to follow:

Determine the ADFS Farm Name

We really need to get this sorted first, because the certificate request is based on the FQDN of the farm name, and it isn’t possible to install the AD FS service without a certificate.

We’ll use “federation.scug.be”; this is the name Windows Intune federation will use. The certificate for this name absolutely must be issued by a public CA.

Request a Certificate

Really quick overview of AD FS certificates: there are three certificates used by AD FS. One is the service communications certificate, used for SSL/server authentication; the remaining two are the token-signing and token-decrypting certificates.

For best practice and supportability this certificate should NOT be a wildcard certificate. My wildcard certificate worked flawlessly, but if you go that way and something does not work later down the road, your support options may be limited at this time.
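A check you can run on the federation server once the certificate is in the machine store, added here as an example that is not part of the original post: it lists every certificate in LocalMachine\My that covers the farm name and reports the properties the AD FS wizard and the SSL binding depend on. The farm name federation.scug.be is the one used in this post; the SAN parsing assumes an English-language server.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell on the
# federation server after the certificate has been imported into LocalMachine\My.
# Assumption: English locale, so the SAN extension formats as "DNS Name=...".
function Test-AdfsServiceCertificate {
    param([Parameter(Mandatory=$true)][string]$FarmName)

    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth, needed for the SSL binding
    $results = @()

    foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
        # Names the cert is valid for: the subject CN plus every SAN DNS entry
        $names = @()
        if ($cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1] }
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        if ($san) {
            foreach ($entry in ($san.Format($false) -split ',\s*')) {
                if ($entry -match '^DNS Name=(.+)$') { $names += $Matches[1].Trim() }
            }
        }

        $exact    = $names -contains $FarmName
        $wildcard = @($names | Where-Object { $_.StartsWith('*.') -and ($FarmName -like $_) })
        if (-not $exact -and $wildcard.Count -eq 0) { continue }   # not issued for this farm

        # An EKU extension, if present, must include Server Authentication
        $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        $serverAuth = $true
        if ($eku) {
            $serverAuth = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })
        }

        # Build the chain against the machine trust store; the last element is the
        # root, which is how you confirm the issuer is a public CA and not an internal one
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chainOk = $chain.Build($cert)
        $rootIssuer = ''
        if ($chain.ChainElements.Count -gt 0) {
            $rootIssuer = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Issuer
        }

        $results += [pscustomobject]@{
            Thumbprint    = $cert.Thumbprint
            Subject       = $cert.Subject
            ExactMatch    = $exact
            Wildcard      = ($wildcard.Count -gt 0)   # works, but see the supportability caveat above
            HasPrivateKey = $cert.HasPrivateKey       # without it the wizard cannot use the cert
            ServerAuthEku = $serverAuth
            ChainBuilds   = $chainOk
            ChainStatus   = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
            Root          = $rootIssuer
            NotAfter      = $cert.NotAfter
        }
    }
    return $results
}

Test-AdfsServiceCertificate -FarmName 'federation.scug.be' | Format-List
```

A certificate that shows HasPrivateKey = False was imported without its key (a .cer instead of the .pfx); one whose Root is your own enterprise CA will not be trusted by Windows Intune, whatever the chain status says locally.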

Service Account for ADFS Federation Service

Next, we will create a service account for the AD FS Federation Service. Two accounts are involved here and they need different rights. The account you log on with to run the AD FS configuration wizard must be a Domain Admin: during the first-server installation the wizard creates the certificate sharing container in Active Directory, creates the configuration database in the Windows Internal Database (WID), and registers the HOST/federation.scug.be SPN on the service account, which is also the identity of the shared IIS application pool. The service account itself needs none of those rights: make it a standard domain user with a non-expiring password and do not add it to Domain Admins.
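Creating that account and checking the SPN beforehand, as an added example that is not part of the original post. It creates the service account as a plain domain user and verifies that the HOST/<farm name> SPN the wizard is going to register is not already held by another principal (a duplicate SPN breaks Kerberos for the federation service name). The account name svc_adfs is an assumption; scug.be and federation.scug.be are the names from this post. Run it as a Domain Admin.

```powershell
# Added example, not from the original post. Assumed names: svc_adfs, domain
# scug.be, farm federation.scug.be. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function New-AdfsServiceAccount {
    param([string]$SamAccountName, [string]$DnsDomain)
    $password = Read-Host -AsSecureString "Password for $SamAccountName"
    # Standard user: no group membership beyond Domain Users. The configuration
    # wizard grants the account what it needs on the AD FS objects itself.
    New-ADUser -Name $SamAccountName -SamAccountName $SamAccountName `
        -UserPrincipalName "$SamAccountName@$DnsDomain" `
        -AccountPassword $password -Enabled $true `
        -PasswordNeverExpires $true -CannotChangePassword $true `
        -Description 'AD FS 2.1 federation service account' -PassThru
}

function Test-SpnAvailable {
    param([string]$Spn, [string]$IntendedOwner)
    # setspn -Q searches the whole forest for an existing registration
    $out = setspn -Q $Spn
    if ($out -match 'Existing SPN found') {
        $holders = @($out | Where-Object { $_ -match '^CN=' })
        if ($holders -match "^CN=$IntendedOwner,") { return $true }   # already on our account
        Write-Warning "$Spn is registered elsewhere: $($holders -join '; ')"
        return $false
    }
    return $true   # setspn reported "No such SPN found."
}

$farm    = 'federation.scug.be'
$account = 'svc_adfs'
$user = New-AdfsServiceAccount -SamAccountName $account -DnsDomain 'scug.be'
if (Test-SpnAvailable -Spn "HOST/$farm" -IntendedOwner $account) {
    Write-Host "HOST/$farm is free; the wizard will register it on $($user.DistinguishedName)"
}
# After the wizard has run on the first server, confirm with:  setspn -L svc_adfs
```

If the SPN is found on another account (typically a server that once hosted a web site with the same name), remove it there first; the wizard will otherwise fail at the SPN step or leave you with an intermittent Kerberos failure that is painful to diagnose later.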

Install ADFS Service on the First Windows Server 2012 Server (FED1PRD.SCUG.BE)

Prerequisites:

  • Make sure that you installed the Active Directory Federation Services role through “Add Roles and Features”.
  • Make sure you have copied your *.SCUG.be certificate to both AD FS servers.
  • Make sure both servers are joined to the domain.
  • Your Active Directory domain must be at the Windows Server 2003 functional level (mixed or native) or higher.

1. Open the AD FS Federation Server Configuration Wizard and select “Create a new Federation Service” …

2. Provide your SSL certificate and the Federation Service name …

3. Provide your service account and its password …

4. Review the summary and click Next to continue …

5. When everything is OK, click Close to close the wizard.

Install ADFS Service on the Second Windows Server 2012 Server (FED2PRD.SCUG.BE)

1. Open the wizard and select “Add a federation server to an existing Federation Service” …

2. Specify your primary federation server name and your AD FS service account.

3. Click Next to install and finish.

Important:

Add the following line to the hosts file (%SystemRoot%\System32\drivers\etc\hosts) on FED1PRD.SCUG.BE and FED2PRD.SCUG.BE:

[screenshot of the hosts file entry]

Now your AD FS farm is installed and configured correctly. Next, let’s look at how to introduce the AD FS proxy servers.

In addition to adding the two federation server proxies, you must make sure that your perimeter network can also provide access to a DNS server and to a second Network Load Balancing cluster. The second NLB cluster must use an Internet-accessible cluster IP address, and it must use the same cluster DNS name (federation.scug.be) as the NLB cluster you configured on the corporate network. The federation server proxies themselves must also have Internet-accessible IP addresses.

Note: all server and client communication is established over TCP port 443. Make sure that port 443 is allowed between the AD FS proxy servers and the internal AD FS servers, and from the Internet to the AD FS proxy servers; nothing else needs to be opened from the perimeter network to the internal farm.


Importing the Certificate on FED1PRD.SCUG.BE and FED2PRD.SCUG.BE

After that, import your *.SCUG.BE certificate into IIS on FED1PRD.SCUG.BE and FED2PRD.SCUG.BE as described below:

After the certificate has been imported, you’ll want to verify it by going back to Server Certificates in IIS.

Next, you’ll need to add the certificate to the Default Web Site. With the Default Web Site selected, click Bindings.

Click Add

Choose Type https, IP address All Unassigned, and Port 443. Then select the newly imported certificate and click OK.

The site bindings should now show an https binding on port 443 next to the default http binding.


Install the AD FS Federation Service Proxy on Windows Server 2012 (ADFSPROXY01 and ADFSPROXY02)

1. Select the “Federation Service Proxy” role service of Active Directory Federation Services in “Add Roles and Features”.

2. Leave the defaults selected and click Next.

3. Click Install.

Important:

Add the following line to the hosts file on ADFSPROXY01 and ADFSPROXY02:

[screenshot of the hosts file entry]


Importing the Certificate on ADFSPROXY01 and ADFSPROXY02

After that, import your *.SCUG.BE certificate into IIS on ADFSPROXY01 and ADFSPROXY02 as described below:

After the certificate has been imported, you’ll want to verify it by going back to Server Certificates in IIS.

Next, you’ll need to add the certificate to the Default Web Site. With the Default Web Site selected, click Bindings.

Click Add

Choose Type https, IP address All Unassigned, and Port 443. Then select the newly imported certificate and click OK.

The site bindings should now show an https binding on port 443 next to the default http binding.

DNS Configuration

  • Configure internal DNS so that federation.scug.be points to the cluster (NLB) IP of the federation servers.
  • Create a host (A) record for federation.scug.be on a public-facing DNS server, pointing to the cluster (NLB) IP of the proxy servers, for external name resolution.

Optional: if the proxy servers have no DNS connectivity to the internal DNS server, use the hosts file (see the Important notes above) on each proxy to resolve the federation service name to the internal AD FS servers.
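A resolution and endpoint check to run from each vantage point, added as an example that is not part of the original post: on an internal server, on a proxy, and (with the public VIP) on an Internet-connected client, it reports what federation.scug.be resolves to with and without the hosts file, whether that is the address this host is supposed to use, and which certificate TCP 443 on it actually presents. The address 10.0.0.50 is a placeholder for the internal NLB cluster IP; use the proxy cluster VIP you published in public DNS when testing from outside.

```powershell
# Added example, not from the original post. Resolve-DnsName is in the DnsClient
# module that ships with Server 2012. 10.0.0.50 is a placeholder VIP.
function Test-FederationEndpoint {
    param([string]$FarmName, [string]$ExpectedIp)

    # DNS answer with the hosts file skipped, versus what applications actually get
    $dnsOnly  = @(Resolve-DnsName -Name $FarmName -Type A -NoHostsFile -ErrorAction SilentlyContinue |
                  Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
    $resolver = @([System.Net.Dns]::GetHostAddresses($FarmName) | ForEach-Object { $_.IPAddressToString })
    $hostsLine = Get-Content "$env:SystemRoot\System32\drivers\etc\hosts" |
                 Where-Object { $_ -notmatch '^\s*#' -and $_ -match "\s$([regex]::Escape($FarmName))(\s|$)" }

    $result = [ordered]@{
        Name        = $FarmName
        DnsAnswer   = ($dnsOnly -join ',')
        ResolvesTo  = ($resolver -join ',')
        HostsEntry  = ($hostsLine -join ';')
        AsExpected  = ($resolver -contains $ExpectedIp)
        Port443Open = $false
        CertSubject = ''
        NameMatches = $false
        TlsErrors   = ''
    }

    $tcp = New-Object System.Net.Sockets.TcpClient
    try { $tcp.Connect($FarmName, 443) } catch { return [pscustomobject]$result }
    $result.Port443Open = $true

    # Accept whatever certificate is presented, but record it and the policy errors
    $script:seenCert = $null; $script:seenErrors = $null
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $script:seenCert = $certificate; $script:seenErrors = $sslPolicyErrors; $true
    }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    try {
        $ssl.AuthenticateAsClient($FarmName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($script:seenCert)
        $cn = if ($cert.Subject -match 'CN=([^,]+)') { $Matches[1] } else { '' }
        $result.CertSubject = $cert.Subject
        $result.NameMatches = ($cn -eq $FarmName) -or ($cn.StartsWith('*.') -and ($FarmName -like $cn))
        $result.TlsErrors   = $script:seenErrors.ToString()   # "None" is what you want
    } finally {
        $ssl.Dispose(); $tcp.Close()
    }
    return [pscustomobject]$result
}

Test-FederationEndpoint -FarmName 'federation.scug.be' -ExpectedIp '10.0.0.50' | Format-List
```

On a proxy, DnsAnswer showing the public VIP while ResolvesTo shows the internal one is exactly the split-brain setup this section describes (the hosts file is doing its job); a proxy that resolves the name to its own public VIP will loop back to itself and never reach the farm.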

The end

Now your AD FS farm, including the proxies, is completely installed and configured.

This brings us to the end of this post. In the next few posts, we’ll cover the additional configuration and troubleshooting steps needed to bring this Windows Intune SSO / AD FS 2.1 infrastructure on Windows Server 2012 to a usable state.

Stay tuned!

Hope it helps,

Kenny Buntinx

Enterprise Client MVP

CM12 SP1 Management Point will not install on Server 2012

9:19 am in ConfigMgr 2012, ConfigMgr 2012 SP1, MP, SCCM 2012, SCCM 2012 SP1, Server 2012 by Kenny Buntinx [MVP]

Hi,

I am using Windows Server 2012, SQL Server 2012 SP1 and SCCM 2012 SP1, and I have one primary site with a remote site server that will host the DP and MP roles.

I am trying to install the Management Point (using HTTP for client connections) but it fails. I did have the SCCM 2007 client installed on this server because of an automatic build process with CM07, and that was in the end the issue: the CM07 client left traces.

Looking through the MSI setup log, which said a previous version was detected, I used ccmsetup /uninstall to remove the client (which gets rid of it from Control Panel), then removed the MP, rebooted and tried to install the MP again. However, the MP still wouldn’t install.

mpMSI.log excerpt:

[9:53:33] Failed to compile ‘D:\SMS_CCM\CcmExec_Global.mof’ (Phase: 3, Object: 5, Lines: 76 – 83, Error: 80041002)
[9:53:33] Compiled ‘D:\SMS_CCM\CCMVDI.mof’
[9:53:33] Compiled ‘D:\SMS_CCM\ccmauthmessagehook.mof’
[9:53:33] Compiled ‘D:\SMS_CCM\LocationServices.mof’
[9:53:33] Compiled ‘D:\SMS_CCM\NetworkConfig.mof’
[9:53:33] Failed to compile ‘D:\SMS_CCM\PolicyDefaults.mof’ (Phase: 3, Object: 4, Lines: 49 – 57, Error: 80041002)
[9:53:33] Compiled ‘D:\SMS_CCM\PolicyAgentEvents.mof’
[9:53:33] Failed to compile ‘D:\SMS_CCM\StateMsgSchema.mof’ (Phase: 3, Object: 6, Lines: 89 – 94, Error: 80041002)
[9:53:33] Failed to compile ‘D:\SMS_CCM\DataTransferService.mof’ (Phase: 3, Object: 5, Lines: 318 – 323, Error: 80041002)
[9:53:33] Compiled ‘D:\SMS_CCM\CcmExec_MPFramework.mof’
[9:53:33] Compiled ‘D:\SMS_CCM\SmsCommon.mof’
[9:53:33] Compiled ‘D:\SMS_CCM\XmlStore.mof’
[9:53:33] Compiled ‘D:\SMS_CCM\InventoryAgentEvents.mof’
[9:53:33] Compiled ‘D:\SMS_CCM\SWMtrEvents.mof’
[9:53:34] Compiled ‘D:\SMS_CCM\SWDistEvents.mof’
[9:53:34] Compiled ‘D:\SMS_CCM\SrcUpdateEvents.mof’
[9:53:34] Compiled ‘D:\SMS_CCM\PatchMgmtEvents.mof’
[9:53:34] Compiled ‘D:\SMS_CCM\SMSNapEvents.mof’
[9:53:34] Compiled ‘D:\SMS_CCM\MpStatusForwarderDefaults.mof’
[9:53:34] Failed to compile ‘D:\SMS_CCM\CcmExec_MP.mof’ (Phase: 3, Object: 1, Lines: 31 – 36, Error: 80041002)
[9:53:34] Compiled ‘D:\SMS_CCM\mp_pss.mof’
[9:53:34] Compiled ‘D:\SMS_CCM\mp_ccmConfig.mof’
[9:53:34] Compiled ‘D:\SMS_CCM\mp_ccmConfig_Defaults.mof’
[9:53:34] Compiled ‘D:\SMS_CCM\MpEvents.mof’
[9:53:34] Compiled ‘D:\SMS_CCM\OSDEventClasses.mof’
[9:53:34] Compiled ‘D:\SMS_CCM\DPStatus.mof’
[9:53:34] Compiled ‘D:\SMS_CCM\ImgDeployEvents.mof’
[9:53:34] Compiled ‘D:\SMS_CCM\DCMClientEvents.mof’
[9:53:35] Compiled ‘D:\SMS_CCM\SUMEvents.mof’
[9:53:35] Compiled ‘D:\SMS_CCM\OOBMgmtEvents.mof’
[9:53:35] Compiled ‘D:\SMS_CCM\PwrEvents.mof’
[9:53:35] @@ERR:25140
MSI (s) (8C!1C) [09:53:35:212]: Product: ConfigMgr Management Point — Error 25140. Setup was unable to compile the file CcmExec_Global.mof
The error code is 80041002
Error 25140. Setup was unable to compile the file CcmExec_Global.mof
The error code is 80041002
CustomAction CcmRegisterWmiMofFile returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
MSI (s) (8C:70) [09:53:35:241]: Note: 1: 2265 2:  3: -2147287035
MSI (s) (8C:70) [09:53:35:248]: User policy value ‘DisableRollback’ is 0
MSI (s) (8C:70) [09:53:35:248]: Machine policy value ‘DisableRollback’ is 0
Action ended 09:53:35: InstallFinalize. Return value 3.

MPsetup.log is below:

<01/17/13 09:52:54> SMSMP Setup Started….
<01/17/13 09:52:54> Parameters: D:\SCCM\bin\x64\rolesetup.exe /install /siteserver:SCCM01 SMSMP 0
<01/17/13 09:52:54> Installing Pre Reqs for SMSMP
<01/17/13 09:52:54>         ======== Installing Pre Reqs for Role SMSMP ========
<01/17/13 09:52:54> Found 2 Pre Reqs for Role SMSMP
<01/17/13 09:52:54> Pre Req MSXML60 found.
<01/17/13 09:52:54> No versions of MSXML60 are installed.  Would install new MSXML60.
<01/17/13 09:52:54> Enabling MSI logging.  msxml6_x64.msi will log to D:\SCCM\logs\msxml6_x64MSI.log
<01/17/13 09:52:54> Installing D:\SCCM\bin\x64\00000409\msxml6_x64.msi
<01/17/13 09:52:54> msxml6_x64.msi exited with return code: 0
<01/17/13 09:52:54> msxml6_x64.msi Installation was successful.
<01/17/13 09:52:54> Pre Req SqlNativeClient found.
<01/17/13 09:52:54> SqlNativeClient already installed (Product Code: {D9DDE0F8-0CFD-4C0F-8A07-C815DE47FF4D}). Would not install again.
<01/17/13 09:52:55> Pre Req SqlNativeClient is already installed. Skipping it.
<01/17/13 09:52:55>         ======== Completed Installation of Pre Reqs for Role SMSMP ========
<01/17/13 09:52:55> Installing the SMSMP
<01/17/13 09:52:55> Passed OS version check.
<01/17/13 09:52:55> IIS Service is installed.
<01/17/13 09:52:55> No versions of SMSMP are installed.  Installing new SMSMP.
<01/17/13 09:52:55> Enabling MSI logging.  mp.msi will log to D:\SCCM\logs\mpMSI.log
<01/17/13 09:52:55> Installing D:\SCCM\bin\x64\mp.msi CCMINSTALLDIR="D:\SMS_CCM" CCMSERVERDATAROOT="D:\SCCM" USESMSPORTS=TRUE SMSPORTS=80 USESMSSSLPORTS=TRUE SMSSSLPORTS=443 USESMSSSL=TRUE SMSSSLSTATE=63 CCMENABLELOGGING=TRUE CCMLOGLEVEL=1 CCMLOGMAXSIZE=1000000 CCMLOGMAXHISTORY=1
<01/17/13 09:55:52> mp.msi exited with return code: 1603
<01/17/13 09:55:52> Backing up D:\SCCM\logs\mpMSI.log to D:\SCCM\logs\mpMSI.log.LastError
<01/17/13 09:55:52> Fatal MSI Error – mp.msi could not be installed.
<01/17/13 09:55:52> ~RoleSetup().
<01/17/13 09:59:03> ====================================================================

Solution:

I ran ccmclean, which didn’t work for me initially. But this did the trick …

In an elevated PowerShell window, run this:

Get-WmiObject -Namespace "root" -Query "SELECT * FROM __Namespace WHERE Name = 'ccm'" | Remove-WmiObject

It removes any last trace of ‘CCM’ from WMI. In my case I had already uninstalled the old client and scoured the machine for any file or registry traces of CCM, but finally this worked.
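An audit-then-remove version of that one-liner, added here as an example that is not part of the original post. It lists the usual leftovers of an old ConfigMgr client on a server that is about to get the MP role (the root\ccm namespace that made mp.msi fail, plus the service, registry keys and folders a client leaves behind), removes the namespace the way the command above does, and confirms it is gone. Run it elevated and only after the MP role has been removed: the MP itself lives in root\ccm (see CcmExec_MP.mof in the log above), so on a working MP this would be destructive.

```powershell
# Added example, not from the original post. Run elevated on a server where the
# MP role is NOT currently installed.
function Get-CcmLeftovers {
    $found = @()
    # The namespace that made mp.msi fail with 80041002 (WBEM_E_NOT_FOUND) while
    # compiling CcmExec_Global.mof: stale classes left by the old client
    if (Get-WmiObject -Namespace root -Class __Namespace -Filter "Name='ccm'") {
        $found += [pscustomobject]@{ Kind = 'WMI namespace'; Item = 'root\ccm' }
    }
    $svc = Get-Service -Name CcmExec -ErrorAction SilentlyContinue
    if ($svc) { $found += [pscustomobject]@{ Kind = 'Service'; Item = "CcmExec ($($svc.Status))" } }
    foreach ($key in 'HKLM:\SOFTWARE\Microsoft\CCM', 'HKLM:\SOFTWARE\Microsoft\CCMSetup') {
        if (Test-Path $key) { $found += [pscustomobject]@{ Kind = 'Registry'; Item = $key } }
    }
    foreach ($dir in "$env:SystemRoot\CCM", "$env:SystemRoot\ccmsetup") {
        if (Test-Path $dir) { $found += [pscustomobject]@{ Kind = 'Folder'; Item = $dir } }
    }
    return $found
}

function Remove-CcmWmiNamespace {
    param([switch]$WhatIf)
    $ns = Get-WmiObject -Namespace root -Class __Namespace -Filter "Name='ccm'"
    if (-not $ns) { Write-Host 'root\ccm is not present'; return $true }
    if ($WhatIf) { Write-Host 'Would remove root\ccm and everything below it'; return $false }
    $ns | Remove-WmiObject          # deletes the namespace with its child namespaces and classes
    # Confirm: a second query must come back empty
    return -not (Get-WmiObject -Namespace root -Class __Namespace -Filter "Name='ccm'")
}

Get-CcmLeftovers | Format-Table -AutoSize
if (Remove-CcmWmiNamespace) { 'root\ccm is gone; retry the MP installation' }
```

Run Get-CcmLeftovers once more after the retry: if the MP installed, the namespace, the CcmExec service and HKLM\SOFTWARE\Microsoft\CCM are expected to be back, because this time they belong to the management point.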

Hope it helps,

Kenny Buntinx