Channel: The things that are better left unspoken

I’m speaking at Experts Live Netherlands 2019


Advertised as the biggest Microsoft IT Pro event in the Netherlands, Experts Live Netherlands will take place Tuesday June 6th, 2018 at Conference Center 1931 in Den Bosch. It’s a privilege to share the stage again with my buddy Raymond.

   

About Experts Live

Experts Live

Experts Live is an independent platform for IT Professionals on Microsoft solutions. A platform for and by the community. Almost every year, Experts Live organizes its knowledge event in the Netherlands. Started as an idea from a small group of Dutch Microsoft MVPs, Experts Live has become the largest Microsoft community event in the Netherlands, with over a thousand visitors.

Both national and international speakers update the visitors in one day on the latest Microsoft technologies. Subsequently, through the years, many famous and notorious speakers delivered sessions on the Experts Live events.

This year, for the first time Experts Live is hosted at Conference Center 1931 in Den Bosch, and scheduled for Thursday June 6th, 2019. The event offers over 40 break-out sessions, an opening panel discussion and drinks afterward.

   

About my session

I’ll deliver a 60-minute session in the Microsoft 365 track, together with Raymond Comvalius:

Going password-less on-premises, how hard can it be?

11:30AM – 12:30PM, Room Limousin 2, level 400

Password-less… Microsoft’s marketing machine makes a bold case for it. When you’re with your head in the clouds. What’s the real story for hybrid scenarios? What’s the deal for pure on-premises environments?

Find out in this session how far you can take your password-less journey!
Microsoft has spun up its latest Identity-related marketing vehicle: password-less. With Azure AD, we’re seeing high adoption of features like Windows Hello for Business, Single Sign-On and even some FIDO2 adoption.

However, when Hybrid Azure AD Join rears its ugly head, things get a bit more complicated… and don’t even get us started on going password-less on-premises!
Let’s take a closer look at Windows Hello for Business, authentication assurance, trust types and all the on-premises requirements to fulfil to get to this promise of a world with fewer passwords.

Join us!

Experts Live Netherlands hasn’t sold out yet, but there are only a handful of tickets left. Snag yours before it’s too late and join us!

The post I’m speaking at Experts Live Netherlands 2019 appeared first on The things that are better left unspoken.


Pictures of NT Konferenca 2019


NT Konference 2019

Two weeks ago, I travelled to Portorož in Slovenia to deliver two 60-minute sessions at NT Konferenca.

I started early at one of my regular customers at 06:45 on Monday morning. After eight hours of work, I decided to drive to Schiphol airport. As I already saw notices of delays, I decided to take it easy and check in to KLM’s Crown Lounge for dinner.

With 90 minutes delay, we arrived at Paris Charles de Gaulle airport, where I promptly missed my connecting flight to Ljubljana. No worries, because Air France had no trouble booking me into a flight to Venice instead. After arriving there and a 2-hour cab ride, I arrived at the Grand Hotel in Portorož at 01:30. With nothing to see, I decided to go to bed.

The next morning I decided to go for a walk around the premises. Although the sun wasn’t out, Portorož showed its beautiful potential and history.

A lonely olive tree at Hotel Vile Park in Portorož
An overview of the St Bernardin Resort with Croatia on the horizon
The 15th-century St. Bernardin Church
Portorož (photo by the NTK organization)

After my walk, I checked out the entrance and decided to register.

GrandHotel St Bernardin Entrance (photo by the NTK organization)
NTK 19 Speaker Badge

At 11:30, it was time for me to deliver my first presentation. In room Adria 2, we discussed the way organizations may transition from on-premises identity to cloud-only identity and how some choices are not the brightest choices to make. That was fun.

Introduction Slide for 'Your Identity Roadmap to 2022'

After the presentation, I met up with the other speakers for lunch and for some coffee on the patio of the Grand Hotel.

Coffee Moment with the Community

At 16:30, I presented my second session on the eight common mistakes organizations make with Hybrid Identity, Active Directory Federation Services (AD FS) and Azure AD Connect. Good fun!

After the session, everyone gathered in front of the Grand Hotel to enjoy beer and network with other attendees, for NTK’s Beer 2 Beer event.

Taking it easy at the NTK Party with water. Vladimir approves.

In the evening, we went for the ‘Hot and Heavy by St. Louis Band’ down the road in Portorož. We enjoyed food and drinks. I decided to take it easy, drink water and go to bed early.

At 03:00 my alarm went off to alert me of the cab ride that was scheduled for me at 03:30 to Ljubljana airport and back to the Netherlands…


Thank you!

Thank you to the NT Konferenca organization for organizing yet another successful event and inviting me as a speaker, to all my Balkan community friends and, of course, to all the people attending, sitting in on my sessions and, of course, the people with whom I had interesting discussions.

The post Pictures of NT Konferenca 2019 appeared first on The things that are better left unspoken.

Creating the ‘Microsoft Office 365 Identity Platform’ Relying Party Trust manually


Cloud

There are several methods to create the Relying Party Trust (RPT) between Active Directory Federation Services (AD FS) and Azure Active Directory automatically:

  • Using Azure AD Connect with the Use an existing AD FS farm option or the Configure a new AD FS farm option, when configuring Federation with AD FS as the authentication method.
  • Using the Convert-MsolDomainToFederated Windows PowerShell cmdlet from the MSOnline PowerShell Module.

However, sometimes you can’t use the above methods. In this case, the only logical conclusion is to create the Relying Party Trust manually. But how do you create the exact same functionality as when you use the above methods… or, in the case of the Convert-MsolDomainToFederated cmdlet method, the full functionality?

I wrote this blogpost after I had successfully switched the custom DNS domain name in Azure Active Directory to AD FS from a remote workstation, but wasn’t privileged to install the MSOnline PowerShell Module on an AD FS server, connect remotely to it, or create Relying Party Trusts. I had to hand the changes I needed to a more privileged person. I have full confidence you can come up with your own reasons…

This blogpost details the steps, relying solely on cmdlets from the ADFS PowerShell module. It’s a four-step procedure:

  1. Creating the Relying Party Trust
  2. Configuring the Relying Party Trust beyond defaults
  3. Setting the claims issuance authorization rule
  4. Setting the claims issuance transformation rules

                 

Important!
The settings for the Relying Party Trust that is created with the below steps are an identical copy of the Relying Party Trust created with Azure AD Connect version 1.3.21.0. These settings may change over time. While all effort was aimed at providing the best information, it may no longer be accurate.

                      

Creating the Relying Party Trust

Perform these steps to create the Relying Party Trust (RPT):

  1. Sign in to an AD FS Server with local administrator privileges. When the AD FS farm leverages the Windows Internal Database (WID) replication method, sign in to the primary AD FS server, as it is the only AD FS server that has read/write access to the ADFSConfiguration database.
  2. Open an elevated Windows PowerShell screen.
  3. Enter the following lines of PowerShell:

Import-Module ADFS

Add-AdfsRelyingPartyTrust -Name "Microsoft Office 365 Identity Platform" -MetadataUrl "https://nexus.microsoftonline-p.com/federationmetadata/2007-06/federationmetadata.xml"

            

Configuring the Relying Party Trust beyond defaults

With the above steps, many of the settings of the Relying Party Trust are already configured correctly. However, we need to set three more settings to match the trust Azure AD Connect creates.

The first setting defines the additional WS-Fed endpoints for the RPT. The other two settings enable monitoring of the RPT and automatic updating from its federation metadata.

Enter the following lines of PowerShell, below the earlier ones, to configure the settings:

$AdditionalWSFedEndpoint = @(
  "https://ccs.login.microsoftonline.com/ccs/login.srf",
  "https://ccs-sdf.login.microsoftonline.com/ccs/login.srf",
  "https://stamp2.login.microsoftonline.com/login.srf"
)

Set-AdfsRelyingPartyTrust -TargetName "Microsoft Office 365 Identity Platform" -AdditionalWSFedEndpoint $AdditionalWSFedEndpoint -AutoUpdateEnabled $true -MonitoringEnabled $true

                 

Setting the claims issuance authorization rule

One of the other features of the Microsoft Office 365 Identity Platform RPT is the default claims issuance authorization rule. This rule permits every user who authenticates; restricting who may sign in to Office 365 is therefore done in Azure AD (or with additional authorization rules here), not by this default.

Let’s add it to the RPT by entering the following line of PowerShell, below the earlier ones:

Set-AdfsRelyingPartyTrust -TargetName "Microsoft Office 365 Identity Platform" -IssuanceAuthorizationRules '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'

                    

Setting the claims issuance transformation rules

Now, all that’s left is to configure the claims issuance transformation rules. As these rules are the core of the magic of the Relying Party Trust, change most often of all the RPT characteristics, and require custom rules in multi-domain scenarios, I opt to create them using the Claims Generator on adfshelp.microsoft.com.

Perform these steps on any Internet-connected system:

  1. Open a browser.
  2. Navigate to adfshelp.microsoft.com.
  3. On the main page, click Online Tools.
  4. On the Online Tools Overview page, click the Azure AD RPT Claim Rules tile.
  5. Follow the steps to generate the claims issuance transformation rules applicable to your organization.
  6. After you’ve completed all the steps, the claims issuance transformation rules are presented as a PowerShell script, and as raw text.
  7. Copy the contents of the PowerShell script into a file.
  8. Transfer the file to the AD FS server.

Next, run the PowerShell script on the AD FS server.
When it’s done, it will have created a backup of the previously configured claims issuance transformation rules. This file will be empty, as no claims issuance transformation rules were configured before. Close Windows PowerShell and log off when done.
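After the four steps, a practitioner will want to confirm that the trust on the AD FS server actually matches what Azure AD Connect would have produced, and to catch drift later. The following script is an added example, not code from the post or from Azure AD Connect; it reads the Relying Party Trust back with the ADFS module and compares it with the values used in the steps above (the RPT name, metadata URL, endpoints and authorization rule are those from this post).

```powershell
# Added example (not from the original post): read back the 'Microsoft Office 365
# Identity Platform' Relying Party Trust and compare it with the settings the four
# steps above are meant to produce. Run in an elevated PowerShell window on the
# primary AD FS server; exits non-zero when any setting deviates.
Import-Module ADFS

$RptName = 'Microsoft Office 365 Identity Platform'

# Expected values, taken from the steps above
$Expected = @{
    MetadataUrl                = 'https://nexus.microsoftonline-p.com/federationmetadata/2007-06/federationmetadata.xml'
    AutoUpdateEnabled          = $true
    MonitoringEnabled          = $true
    IssuanceAuthorizationRules = '=> issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");'
}
$ExpectedEndpoints = @(
    'https://ccs.login.microsoftonline.com/ccs/login.srf',
    'https://ccs-sdf.login.microsoftonline.com/ccs/login.srf',
    'https://stamp2.login.microsoftonline.com/login.srf'
)

$Rpt = Get-AdfsRelyingPartyTrust -Name $RptName
if (-not $Rpt) {
    Write-Error "Relying Party Trust '$RptName' was not found on this AD FS server."
    exit 1
}

$Findings = @()

# MetadataUrl is a System.Uri, so compare its string form
if ([string]$Rpt.MetadataUrl -ne $Expected.MetadataUrl) {
    $Findings += "MetadataUrl is '$($Rpt.MetadataUrl)'"
}
if ($Rpt.AutoUpdateEnabled -ne $Expected.AutoUpdateEnabled) {
    $Findings += "AutoUpdateEnabled is $($Rpt.AutoUpdateEnabled)"
}
if ($Rpt.MonitoringEnabled -ne $Expected.MonitoringEnabled) {
    $Findings += "MonitoringEnabled is $($Rpt.MonitoringEnabled)"
}

# Normalise whitespace before comparing the claim rule text
$ActualAuth = ($Rpt.IssuanceAuthorizationRules -replace '\s+', ' ').Trim()
$WantedAuth = ($Expected.IssuanceAuthorizationRules -replace '\s+', ' ').Trim()
if ($ActualAuth -ne $WantedAuth) {
    $Findings += "IssuanceAuthorizationRules differ: '$ActualAuth'"
}

# AdditionalWSFedEndpoint is a collection of Uri objects; compare as strings
$ActualEndpoints = @($Rpt.AdditionalWSFedEndpoint | ForEach-Object { [string]$_ })
$Missing = @($ExpectedEndpoints | Where-Object { $_ -notin $ActualEndpoints })
$Extra   = @($ActualEndpoints   | Where-Object { $_ -notin $ExpectedEndpoints })
if ($Missing.Count -gt 0) { $Findings += "Missing WS-Fed endpoints: $($Missing -join ', ')" }
if ($Extra.Count   -gt 0) { $Findings += "Unexpected WS-Fed endpoints: $($Extra -join ', ')" }

# The transform rules come from the adfshelp generator and differ per tenant,
# so only their absence is flagged here
if ([string]::IsNullOrWhiteSpace($Rpt.IssuanceTransformRules)) {
    $Findings += 'No claims issuance transformation rules are configured'
}

if ($Findings.Count -eq 0) {
    Write-Output "'$RptName' matches the expected configuration."
    exit 0
}
Write-Warning "'$RptName' deviates from the expected configuration:"
$Findings | ForEach-Object { Write-Warning "  - $_" }
exit 1
```

Scheduling this check on the primary AD FS server gives an early warning when someone edits the trust by hand or when an automatic metadata update changes more than expected.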

                     

Concluding

It’s surprising how default the Microsoft Office 365 Identity Platform Relying Party Trust is, when you think about it…

Also, the documentation on the Add-AdfsRelyingPartyTrust PowerShell cmdlet is wrong in stating that the -Identifier parameter is required; when using either the -MetadataFile or the -MetadataUrl parameter, it certainly isn’t.

          

Hat Tip

My colleague Barbara Forbes helped me with the Windows PowerShell antics for this blog post. I asked for her help, because she uttered the immortal words ‘Surely someone has figured this out already…’

The post Creating the ‘Microsoft Office 365 Identity Platform’ Relying Party Trust manually appeared first on The things that are better left unspoken.

Join the Active Directory Administration Cookbook Launch Party at SCCT


Active Directory Administration Cookbook Launch Party at SCCT

Last month, my Active Directory Administration Cookbook was released by Packt. To celebrate, my employer is hosting a Launch Party at our office in Leidschendam, near The Hague in the Netherlands.

The Launch Party offers the opportunity to Dutch people to get their copy of the Active Directory Administration Cookbook and have it signed.

        

About SCCT

SCCT is a cloud-first Microsoft-oriented systems integrator from the Netherlands. Our aim is to help organizations embrace Microsoft cloud solutions. SCCT was founded in 2014 by Harro Borghardt and Carlo Schaeffer. In 2017, Sander Berkouwer was named CTO at SCCT, completing the management team.

         

Join us!

We have created a Microsoft Excel Online Form, where you can provide information. Its purpose is to collect the information SCCT needs to successfully organize the Launch Party: it tells us how many people will attend the event and how many books we’ll need.

Please fill out the form (in Dutch) if you would like to attend the Active Directory Administration Cookbook Launch Party.

The post Join the Active Directory Administration Cookbook Launch Party at SCCT appeared first on The things that are better left unspoken.

Two keynotes and Top 7 sessions of VeeamON are now available online


Veeam

I missed out on VeeamON this year in Miami, FL…

I had other engagements with customers, with NT Konferenca in Slovenia and, as a repeat speaker, Techorama in Belgium in the week of May 20th. I had lots of fun, but I would have really liked to have visited the event and would have loved to have seen Rick Vanover dump the laptop in water, in real life.

The next best thing is now available though: two keynotes and the Top 7 sessions of VeeamON are now available online, for free!

                   

Available videos

The following sessions are now available to view online, for free:

  • The Vision keynote with Ratmir Timashev, Veeam Co-Founder and Executive Vice President Sales and Marketing
  • The Technology keynote with Danny Allan, Veeam Vice President Product Strategy
  • Top 7 Worst Practices when using Veeam Backup & Replication with Edwin Weijdema, Veeam Solution Architect North East EMEA
  • Veeam Agents: Tips, Tricks and What Not To Do with Tom Sightler, Veeam Vice President Product Management
  • Ransomware Resiliency Tips for Veeam and the Veeam Vanguards with Rick Vanover, Veeam Senior Director Product Strategy
  • Architecture, Installation and Design for Veeam Backup for Microsoft Office 365 with Niels Engelen, Veeam Global Technologist and Timothy Dewin, Veeam Enterprise Systems Engineer
  • From the Architect’s Desk: Sizing with Tim Smith, Veeam Solutions Architect
  • Cumulonimbus Cloud Tier Deep Dive and Best Practices with Dustin Albertson, Veeam Senior Cloud Architect Global Cloud Group and Anthony Spiteri, Veeam Senior Global Technologist Product Strategy
  • Let’s Manage Agents with Dmitry Popov, Veeam Product Management

                        

About VeeamON

VeeamON is the premier conference for Cloud Data Management. It allows attendees to gain valuable insights, training and connections with industry experts, learn how to capitalize on their existing virtualization, networking, storage and Veeam investments and discover the latest cloud technologies and how you can leverage your existing assets as part of a comprehensive availability strategy.

                            

VeeamON 2019

VeeamON 2019 took place at the Fontainebleau Miami Beach Conference Center. Veeam announced Veeam Availability Orchestrator (VAO) version 2, its new With Veeam partner program and its achievement of $1 billion in annual bookings.

        

Hungry for more?

Save the date for VeeamON 2020. Mark your calendar for VeeamON 2020 in Las Vegas, Aria Hotel, May 4-6, 2020.

The post Two keynotes and Top 7 sessions of VeeamON are now available online appeared first on The things that are better left unspoken.

HOWTO: Disable account enumeration in Azure Active Directory


PowerShell

To celebrate the availability of the Active Directory Administration Cookbook, I decided to write a blogpost in the typical structure of a recipe in this book:

   

Disabling account enumeration

Use this recipe to disable account enumeration for an Azure Active Directory tenant. After completing this recipe, people with user accounts in the tenant will no longer be able to list the other accounts.

  

Getting ready

To complete this recipe, you’ll need to sign into the Azure AD tenant with an account that has the Global administrator role assigned to it.

Note: This recipe does not require any additional licenses. The functionality described in this recipe is included in all Azure AD tenants, including those configured as Azure AD Free.

This recipe requires the MSOnline Windows PowerShell Module. Run the following line of Windows PowerShell in an elevated Windows PowerShell window, on a Windows or Windows Server system that runs Windows PowerShell 5.0 or higher and has Internet connectivity:

Install-Module MSOnline

Press Yes twice.

When the MSOnline Windows PowerShell Module is already installed, run the above line of Windows PowerShell to update it before continuing with the recipe.

       

How to do it

Perform these steps:

  1. Open a Windows PowerShell window on the device or server where you have installed the MSOnline PowerShell module.
  2. Execute the following line of PowerShell to import the MSOnline Windows PowerShell Module:

     Import-Module MSOnline

  3. Execute the following line of PowerShell to sign into the Azure AD tenant:

     Connect-MsolService

  4. The Sign in to Azure AD Connect Health Agent window appears:

     (Screenshot: Sign in to your account)

  5. Sign in with an account in Azure Active Directory that has the Global administrator role assigned.
  6. Perform multi-factor authentication, when prompted.
  7. Execute the following line of PowerShell to configure the Azure AD tenant:

     Set-MsolCompanySettings -UsersPermissionToReadOtherUsersEnabled $false

  8. Close Windows PowerShell.

How it works

This recipe uses the MSOnline Windows PowerShell module.

Note: Microsoft recommends using the newer AzureAD Windows PowerShell Module. However, as of the version of that module available at the time of writing, the functionality to perform the steps in this recipe is not (yet) available.

By importing the Windows PowerShell module before issuing cmdlets from the module, tab completion is available under all circumstances.

The Connect-MsolService cmdlet instructs PowerShell to connect to the Azure AD tenant. As no credentials are supplied in the above example, a prompt appears to ask for credentials. When multi-factor authentication, Azure AD Privileged Identity Management (PIM) or other information security measures are enabled, perform the required steps to successfully authenticate.

When successfully authenticated, the Set-MsolCompanySettings cmdlet configures the Azure AD tenant with the required settings.
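The recipe applies the setting blindly; an administrator usually wants to see the current state first and confirm the change took effect. The following script is an added example, not part of the original recipe. It uses the MSOnline cmdlets from the recipe plus Get-MsolCompanyInformation, whose UsersPermissionToReadOtherUsersEnabled property reflects the same setting, to make the change idempotent and verified.

```powershell
# Added example (not from the original post): idempotent, verified version of the
# recipe. Requires the MSOnline module and a Global administrator sign-in, as above.
Import-Module MSOnline

# Prompts for Global administrator credentials (and MFA), just like the recipe
Connect-MsolService

function Get-UserEnumerationState {
    # Returns $true when ordinary users may read the other user objects in the tenant
    return [bool](Get-MsolCompanyInformation).UsersPermissionToReadOtherUsersEnabled
}

$Before = Get-UserEnumerationState
if (-not $Before) {
    Write-Output 'Account enumeration is already disabled for this tenant. No change made.'
    return
}

Write-Output 'Account enumeration is enabled. Disabling it now...'
Set-MsolCompanySettings -UsersPermissionToReadOtherUsersEnabled $false

# Read the setting back instead of assuming the cmdlet succeeded
$After = Get-UserEnumerationState
if ($After) {
    Write-Error 'The tenant still reports UsersPermissionToReadOtherUsersEnabled = True.'
    exit 1
}
Write-Output 'Account enumeration is now disabled for this tenant.'
```

Running the script a second time reports that no change was needed, which makes it safe to include in a periodic tenant baseline check.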

    

There’s more!

To find the differences between the MSOnline and AzureAD Windows PowerShell modules and their history, look at the state of Azure AD PowerShell today.

   

There’s even more!

Account enumeration is labeled Account Discovery in the MITRE ATT&CK knowledge base and tagged with ID T1087. Find out more about this adversary technique and its impact by visiting the MITRE ATT&CK knowledge base.

The post HOWTO: Disable account enumeration in Azure Active Directory appeared first on The things that are better left unspoken.

Experiences with Being Published, Part 3: Deadlines


Deadlines

As a published technical writer, I’ve had my share of experiences working with a publisher and its editors for a period of seven months. For my own sanity, I’ll post some of my experiences in this series of blogposts on Experiences with Being Published. I feel these stories can be quite entertaining, and I might even get a smile on my face when I look back at these stories in a couple of years’ time…

            

On deadlines and the typical process

When a publisher targets you as a new writer, you are typically asked to create an outline for the book they want you to write. A publishing board then decides if the right topics are present in the book, before providing a ‘Go!’ for the book.

When you write a book, a schedule is determined based on the outline, so all people know what is expected of them. Typically for every writer, their schedule features deadlines; points in time when content (usually defined per chapter for a technical book) is due.

There’s a perfectly valid reason for these deadlines: After first delivery, the content is then reviewed by an independent technical reviewer, then edited for readability, spelling and grammar by a team of content editors from your publisher and then reviewed by a technical person at the publisher to make sure everything checks out. Throughout the process, time is allocated for the writer to address the comments and changes made by everyone.

        

Stakes and tools

Just like every other situation in life, in the process, people have different stakes. The publishing board has a clear vision of the book in terms of the maximum total amount of pages, the topics and the search engine research that governs their choices.

The content editing team has clear expectations as well. For cookbooks at Packt, the chapters must not exceed 50 pages and should have twelve recipes per chapter. These are not ‘pages’ like you write them in Microsoft Word. No, Packt has its own portal in which they require you to meet your deadlines. This platform features a button labeled ‘View in PDF’, which will tell you how many pages a chapter would have (including its ToC, but you can deduct these)…

       

Changes to the schedule

I was happily writing a chapter every two weeks. Imagine my surprise when after having met ten of my deadlines, I got a call from my publisher, asking me to speed up content delivery…

Uhm, no. We have an agreement on a schedule.

Their proposal was to deliver a chapter every four days for the last couple of chapters, resulting in a deadline of April 12th instead of May 18th, without additional compensation or a clear reason why. Also, the five days per chapter for reviews were condensed into a mere five days in total, adding to the amount of work that needed to be delivered.

I proposed an April 22nd deadline, allowing for one weekend per chapter. Given the Easter weekend with a couple of additional days off from work, April 29th would be my deadline for everything.

     

That was quick…

This proposal was quickly accepted. Too quickly, perhaps…

After this decision, the entire process started to come tumbling down. Instead of working on a chapter each weekend, I was now also pushed into resolving comments from the reviewers, the editors and everyone involved with the book during weekdays. Now, I was dealing with four persons at a time, with different roles and different stakes.

I learned a great deal about my creative process when creating the Active Directory Administration Cookbook. Looking back, I realize that the schedule change robbed me of the one luxury I had to improve the quality of the book: the ability to write something and then take another look at it afresh a week later.

Even when self-publishing, the above pitfall exists. The Project management triangle applies to books, too.

Picture by Georgie Pauwels, used under CC BY 2.0 license. Adjusted in size.

    


Learn the intricacies of managing Azure AD, Azure AD Connect as well as Active Directory for Identity and Access Management (IAM) in the cloud and on Windows Server 2019.

Get up to date! Get your 620-page, 147-recipe copy of the Active Directory Administration Cookbook, today. Buy it from Packt directly, or through your favorite local reseller.

The post Experiences with Being Published, Part 3: Deadlines appeared first on The things that are better left unspoken.

What’s New in Azure Active Directory for May 2019

Azure Active Directory

Azure Active Directory is Microsoft’s Identity Management-as-a-Service solution, offering seamless access, easy collaboration, efficiency in IT processes and improved security and compliance. In its Release Notes for Azure Active Directory, Microsoft communicated the following planned, new and changed functionality for Azure Active Directory for May 2019:

                   

What’s Planned

Future support for only TLS 1.2 protocols on the Azure AD Application Proxy service

Service category: App Proxy
Product capability: Access Control

To help provide best-in-class encryption for our customers, Microsoft is limiting access to only TLS 1.2 protocols on the Azure AD Application Proxy service. This change is gradually being rolled out, first to customers who are already only using TLS 1.2 protocols.

Deprecation of TLS 1.0 and TLS 1.1 happens on August 31, 2019. Microsoft will provide additional advanced notice, so you’ll have time to prepare for this change. To prepare for this change make sure your client-server and browser-server combinations, including any clients your users use to access apps published through Application Proxy, are updated to use the TLS 1.2 protocol to maintain the connection to the Application Proxy service.

                     

What’s New

Identity secure score is now available in Azure AD
General availability

Product capability: Identity Security & Protection

You can now monitor and improve your identity security posture by using the identity secure score feature in Azure AD. The identity secure score feature uses a single dashboard to help you:

  • Objectively measure your identity security posture
  • Plan for your identity security improvements
  • Review the success of your security improvements

                 

New App registrations experience is now available
General availability

Service category: Authentications (Logins)
Product capability: Developer Experience

The new App registrations experience is now in general availability. This new experience includes all the key features admins are familiar with from the Azure portal and the Application Registration portal and improves upon them through:

  • Better app management. Instead of seeing their apps across different portals, admins can now see all their apps in one location.
  • Simplified app registration. From the improved navigation experience to the revamped permission selection experience, it’s now easier for admins to register and manage apps.
  • More detailed information. Admins can find more details about their app, including quickstart guides and more.

                                  

Conditional access for the combined registration process
Public preview

Service category: Conditional Access
Product capability: Identity Security & Protection

Admins can now create Conditional Access policies for use by the combined SSPR/MFA registration page. This includes applying policies to allow registration if:

  • Users are on a trusted network.
  • Users are a low sign-in risk.
  • Users are on a managed device.
  • Users agree to the organization’s terms of use (TOU).

                           

Use the usage and insights report to view your app-related sign-in data

Service category: Enterprise Apps
Product capability: Monitoring and Reporting

Admins can now use the usage and insights report, located in the Enterprise applications area of the Azure portal, to get an application-centric view of the sign-in data, including info about:

  • Top used apps for your organization
  • Apps with the most failed sign-ins
  • Top sign-in errors for each app

                         

Automate your user provisioning to cloud apps using Azure AD

Service category: Enterprise Apps
Product capability: Monitoring and Reporting

Follow these new tutorials to use the Azure AD Provisioning Service to automate the creation, deletion, and updating of user accounts for the following cloud-based apps:

You can also follow this new Dropbox tutorial, which provides info about how to provision group objects.

                     

New capabilities available in the Risky Users API for Identity Protection

Service category: Identity Protection
Product capability: Identity Security & Protection

Microsoft is pleased to announce that admins can now use the Risky Users API to retrieve users’ risk history, dismiss risky users, and to confirm users as compromised. This change helps admins to more efficiently update the risk status of their users and understand their risk history.

                    

New Federated Apps available in Azure AD app gallery – May 2019

Service category: Enterprise Apps
Product capability: 3rd Party Integration

In May 2019, Microsoft has added these 21 new apps with Federation support to the app gallery:

  1. Freedcamp
  2. Real Links
  3. Kianda
  4. Simple Sign
  5. Braze
  6. Displayr
  7. Templafy
  8. Marketo Sales Engage
  9. ACLP
  10. OutSystems
  11. Meta4 Global HR
  12. Quantum Workplace
  13. Cobalt
  14. webMethods API Cloud
  15. RedFlag
  16. Whatfix
  17. Control
  18. JOBHUB
  19. NEOGOV
  20. Foodee
  21. MyVR

                                

Improved groups creation and management experiences in the Azure AD portal

Service category: Group Management
Product capability: Collaboration

Microsoft has made improvements to the groups-related experiences in the Azure AD portal. These improvements allow admins to better manage groups lists, members lists, and to provide additional creation options. Improvements include:

  • Basic filtering by membership type and group type.
  • Addition of new columns, such as Source and Email address.
  • Ability to multi-select groups, members, and owner lists for easy deletion.
  • Ability to choose an email address and add owners during group creation.

                

What’s Changed

Configure a naming policy for Office 365 groups in Azure AD portal
General availability

Service category: Group Management
Product capability: Collaboration

Admins can now configure a naming policy for Office 365 groups, using the Azure AD portal. This change helps to enforce consistent naming conventions for Office 365 groups created or edited by users in your organization.

                                  

Microsoft Graph API endpoints are now available for Azure AD activity logs
General availability

Service category: Reporting
Product capability: Monitoring & Reporting

Microsoft is happy to announce general availability of Microsoft Graph API endpoints support for Azure AD activity logs. With this release, admins can now use Version 1.0 of both the Azure AD audit logs, as well as the sign-in logs APIs.

The post What’s New in Azure Active Directory for May 2019 appeared first on The things that are better left unspoken.


Pictures of Experts Live Netherlands 2019


Last week, I delivered a 60-minute session, together with Raymond Comvalius at Experts Live Netherlands at Congress Center 1931 in Den Bosch, the Netherlands.

I left home early to arrive at 7:15 at the venue. This left me with ample time to find a (charging) parking spot, get to the speaker room and change to the Experts Live Polo shirt, and still catch the 7:45 pre-keynote session; I attended Orin Thomas’s session on Securing Azure Networks. Then, onward to the keynote.

ExpertsLive Panel Keynote (photo by the ExpertsLive organization)
Keynote Panel

After the keynote, it was time for Raymond and me to start working on the slides. I sat down in the speaker area, where my book drew quite some attention.

The Active Directory Administration Cookbook at ExpertsLive
CookBook Chapter 14 (photo by Michael van Hybrid)
Erwin Derksen going through the Active Directory Administration CookBook

At 11:30AM, it was showtime for Raymond and me: we talked for 60 minutes to a room full of attendees about Active Directory, AD FS, Certification Authorities and Windows, to show how Windows Hello for Business can be used on-premises to start the password-less journey.

Photos: With Ray on stage (by Didier van Hoye); On stage before the session (by Barbara Forbes); A picture with our audience (by Barbara Forbes); Presenting as a duo with Raymond (by the ExpertsLive organization); On stage at Experts Live NL (by the ExpertsLive organization).

After the session we spoke with a couple of attendees and then headed off to lunch.

Photos: A nice chat with Jeff and Marc (by the ExpertsLive organization); The ExpertsLive NL Expo.

I attended some more sessions that caught my interest and stood in the crowd during the epic raffle with my colleagues Barbara Forbes and Michiel Dekker. Toni Petrina took a picture of us, before we headed off for a nice dinner just outside of Den Bosch.

Photo: The community meets here (taken by Toni on Barbara's phone).

Thank you!

Thank you to the ExpertsLive organization for organizing yet another successful event and inviting me as a speaker once again, and to all the people attending, sitting in on our session and, of course, the people with whom I had interesting discussions.


HOWTO: Uninstall and Remove Azure MFA Server versions 7.x and 8.x Implementations


Last week, Microsoft announced that Azure MFA Server will no longer be available for new deployments per July 1, 2019.

Information: New customers who would like to require multi-factor authentication from their users should use cloud-based Azure Multi-Factor Authentication. Existing customers who have activated Azure MFA Server prior to July 1 will be able to download the latest version, future updates and generate activation credentials as usual.

I’m expecting organizations to make the move from Azure MFA Server to the Azure MFA service, leveraging one or more of the following options:

  1. Integrating applications, systems and services with Azure AD and leveraging Conditional Access to trigger Azure MFA
  2. Using the built-in AD FS Adapter in Hybrid Identity implementations, which has been available in Active Directory Federation Services since the Windows Server 2016 Farm Behavioral Level (FBL)
  3. The Azure MFA NPS Extension to secure RADIUS-based access solutions, and/or switching Citrix NetScaler-based configuration over to the claims-based access model.

After organizations have successfully migrated over from Azure MFA Server to the Azure MFA service, their next task is to decommission the Azure MFA Server infrastructure.

Information: In this blogpost, I’ll cover how to remove an Azure MFA Server Complete Deployment, as mentioned in the supported Azure MFA Server Deployment Scenarios and their pros and cons. Some steps may not be applicable to every Azure MFA Server deployment scenario.

Uninstalling and removing Azure MFA Server consists of these high-level steps:

  • Disable and remove Azure MFA Server as MFA provider in AD FS
  • Uninstall the Azure MFA Server Mobile Web Service
  • Uninstall the Azure MFA Server User Portal
  • Uninstall the Azure MFA Server Web Service SDK
  • Remove Server reference from Azure AD
  • Uninstall the central Azure MFA Server component
  • Remove IIS
  • Remove TLS Certificate
  • Remove service accounts and groups from Active Directory
  • Remove DNS records from DNS
  • Remove the server from the domain
  • Remove the server from the network

Let’s walk through these steps:


Disable and remove Azure MFA Server as MFA provider in AD FS

The Azure MFA Server adapter in AD FS might be configured to allow multi-factor authentication in relying party trusts (RPTs). The first thing we need to do is remove Azure MFA Server’s MFA Adapter as an MFA method.

Execute the following three lines of Windows PowerShell in an elevated Windows PowerShell window on the primary AD FS Server to unselect Azure MFA Server’s AD FS Adapter in AD FS’ global multi-factor authentication policy:

Information: AD FS farms leveraging the Windows Internal Database (WID) feature one AD FS server that operates as the primary AD FS server. It is the only server with read/write access to the AD FS configuration database. In an AD FS farm where SQL Server is used, all AD FS servers have read/write access to the database, and the lines of Windows PowerShell below can be executed on any of the AD FS servers in the farm.

# Read the providers currently selected in the global MFA policy
$C = (Get-AdfsGlobalAuthenticationPolicy).AdditionalAuthenticationProvider
# Drop the Azure MFA Server adapter from that list (the provider name is a string and must be quoted)
$C.Remove("AzureMfaServerAuthentication")
# Write the reduced list back to the AD FS configuration database
Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider $C

Next, run the following lines of Windows PowerShell on all AD FS Servers in an elevated Windows PowerShell window, to remove Azure MFA Server’s AD FS adapter from these systems, followed by a restart of the AD FS service:

# Unregister the Azure MFA Server adapter on this AD FS server
Unregister-AdfsAuthenticationProvider -Name "AzureMfaServerAuthentication"
# Restart the AD FS service so the change takes effect
Restart-Service -Name adfssrv
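The two steps above as one checked, re-runnable script, added here as an example and not taken from the original post. It assumes the ADFS module that ships with the AD FS role and the provider name AzureMfaServerAuthentication used above; run it on the primary AD FS server first and then on every other server in the farm, where the first function becomes a no-op.

```powershell
# Added example: remove the Azure MFA Server adapter from AD FS with checks.
# Assumes the ADFS module (installed with the AD FS role) and the provider
# name "AzureMfaServerAuthentication" from the steps above.
#Requires -RunAsAdministrator
Import-Module ADFS -ErrorAction Stop

$ProviderName = 'AzureMfaServerAuthentication'

function Remove-MfaServerFromGlobalPolicy {
    # Step 1 (primary AD FS server when the farm uses WID): unselect the
    # adapter in the global multi-factor authentication policy.
    param([string]$Name = $ProviderName)

    $policy   = Get-AdfsGlobalAuthenticationPolicy
    $selected = @($policy.AdditionalAuthenticationProvider)

    if ($selected -notcontains $Name) {
        Write-Host "'$Name' is not selected in the global MFA policy; nothing to do."
        return
    }

    # Build the new provider list without the adapter. Filtering into a fresh
    # array works whether the property is a List[string] or a string[].
    $remaining = @($selected | Where-Object { $_ -ne $Name })
    Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider $remaining

    # Verify the change was persisted to the configuration database.
    $after = @((Get-AdfsGlobalAuthenticationPolicy).AdditionalAuthenticationProvider)
    if ($after -contains $Name) {
        throw "'$Name' is still selected in the global MFA policy."
    }
    Write-Host "Removed '$Name' from the global MFA policy. Remaining: $($after -join ', ')"
}

function Remove-MfaServerAdapterRegistration {
    # Step 2 (every AD FS server in the farm): unregister the adapter and
    # restart the AD FS service so the in-memory provider list is refreshed.
    param([string]$Name = $ProviderName)

    # Refuse to unregister while the policy still selects the adapter; that
    # would leave the policy referencing a provider that no longer exists.
    $selected = @((Get-AdfsGlobalAuthenticationPolicy).AdditionalAuthenticationProvider)
    if ($selected -contains $Name) {
        throw "'$Name' is still selected in the global MFA policy; run Remove-MfaServerFromGlobalPolicy on the primary server first."
    }

    $registered = Get-AdfsAuthenticationProvider | Where-Object { $_.Name -eq $Name }
    if (-not $registered) {
        Write-Host "'$Name' is not registered on $env:COMPUTERNAME; nothing to do."
        return
    }

    Unregister-AdfsAuthenticationProvider -Name $Name -Confirm:$false
    Restart-Service -Name adfssrv

    # Verify: the provider must be gone and the service must be back up.
    if (Get-AdfsAuthenticationProvider | Where-Object { $_.Name -eq $Name }) {
        throw "'$Name' is still registered on $env:COMPUTERNAME."
    }
    $svc = Get-Service -Name adfssrv
    Write-Host "Unregistered '$Name' on $env:COMPUTERNAME; adfssrv is $($svc.Status)."
}

Remove-MfaServerFromGlobalPolicy
Remove-MfaServerAdapterRegistration
```

On a secondary WID server the policy is read-only, so give the change made on the primary time to replicate before running the script there.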


AD FS no longer knows about the Azure MFA Server Adapter and the Azure MFA Server. Now we can uninstall the components from the environment.

Use the following sequence (outside in):

  • Uninstall the Mobile Web Service
  • Uninstall the User Portal
  • Uninstall the Web Service SDK
  • Uninstall Azure MFA Server

Uninstall Azure MFA Server’s Mobile Web Service

Azure MFA Server 7.x’s Mobile Web Service lets people in the organization register the Microsoft Authenticator app with the Azure MFA Server implementation.

Information: Typically, you won’t find Azure MFA Server’s Mobile Web Service in Azure MFA Server 8.x deployments, as the Mobile Web Service reference in Azure MFA Server’s User Portal was replaced with an iFrame that redirects to an Azure-based page. In this latter case, skip this paragraph.

To uninstall Azure MFA Server’s Mobile Web Service, perform these steps:

  1. Sign in to the web server that hosts the Mobile Web Service.
  2. Open the Internet Information Services (IIS) Manager (InetMgr.exe).
  3. In the left navigation pane, navigate to Sites. Expand it.
  4. Select the website or subfolder that corresponds to Azure MFA Server’s Mobile Web Service.
  5. When Azure MFA Server’s Mobile Web Service is installed as a separate site, right-click the site, click on Manage Website and then select Stop.
  6. In the action pane, click Basic Settings….
  7. Note the information in the Physical Path: field.
  8. Click OK to close the Edit Site pop-up.
  9. When Azure MFA Server’s Mobile Web Service is installed as a separate site, in the main window of Internet Information Services (IIS) Manager, double-click Logging. Note the information in the Directory: field.
  10. When Azure MFA Server’s Mobile Web Service is installed as a separate site, in the left navigation menu, right-click the site again and select Remove from the context-menu. Else, right-click the folder, and select Remove. Click Yes to confirm.
  11. In the Confirm Remove pop-up window, click Yes.
  12. In the left navigation menu, navigate to Application Pools. Expand it.
  13. Right-click the application pool corresponding to Azure MFA Server’s Mobile Web Service and select Stop from the menu.
  14. Right-click it again, and select Remove from the menu.
  15. Click Yes to confirm.
  16. Close Internet Information Services (IIS) Manager.
  17. Open File Explorer (explorer.exe).
  18. Navigate to the folder noted from the Physical Path: field of Azure MFA Server’s Mobile Web Service.
  19. Remove the folder.
  20. When Azure MFA Server’s Mobile Web Service ran as a separate website, navigate to the folder noted from the Directory: field of Azure MFA Server’s Mobile Web Service’s logging properties and remove this folder, too.
  21. Close File Explorer.

Uninstall Azure MFA Server’s Mobile Web Service from any Windows Server that offers it.


Uninstall Azure MFA Server’s User Portal

Use the following steps to uninstall Azure MFA Server’s User Portal in the same way as you have uninstalled Azure MFA Server’s Mobile Web Service from any Windows Server that offers it:

  1. Sign in to the web server that hosts the User Portal.
  2. Open the Internet Information Services (IIS) Manager (InetMgr.exe).
  3. In the left navigation pane, navigate to Sites. Expand it.
  4. Select the website or subfolder that corresponds to Azure MFA Server’s User Portal.
  5. When Azure MFA Server’s User Portal is installed as a separate site, right-click the site, click on Manage Website and then select Stop.
  6. In the action pane, click Basic Settings….
  7. Note the information in the Physical Path: field.
  8. Click OK to close the Edit Site pop-up.
  9. When Azure MFA Server’s User Portal is installed as a separate site, in the main window of Internet Information Services (IIS) Manager, double-click Logging. Note the information in the Directory: field.
  10. When Azure MFA Server’s User Portal is installed as a separate site, in the left navigation menu, right-click the site again and select Remove from the context-menu.
  11. Else, right-click the folder, and select Remove. Click Yes to confirm.
  12. In the Confirm Remove pop-up window, click Yes.
  13. In the left navigation menu, navigate to Application Pools. Expand it.
  14. Right-click the application pool corresponding to Azure MFA Server’s User Portal and select Stop from the menu.
  15. Right-click it again, and select Remove from the menu.
  16. Click Yes to confirm.
  17. Close Internet Information Services (IIS) Manager.
  18. Open File Explorer (explorer.exe).
  19. Navigate to the folder noted from the Physical Path: field of Azure MFA Server’s User Portal.
  20. Remove the folder.
  21. When Azure MFA Server’s User Portal ran as a separate website, navigate to the folder noted from the Directory: field of Azure MFA Server’s User Portal’s logging properties and remove this folder, too.
  22. Close File Explorer.


Uninstall Azure MFA Server’s Web Service SDK

Azure MFA Server’s Mobile Web Service and Azure MFA Server’s User Portal communicate to the central Azure MFA Server component using its Web Service SDK.

Information: Azure MFA Server deployment scenarios where the Mobile Web Service and User Portal are not used, or are deployed on the same server that runs Azure MFA Server’s central component, do not use the Web Service SDK. In these scenarios, this paragraph can be skipped.

To uninstall the Web Service SDK, perform these steps:

  1. Press Win and X simultaneously, right-click the Start button and select Programs and Features from the top of the menu, or search for Programs and Features.
  2. Select Multi-Factor Authentication Web Service SDK from the list of installed programs.
  3. In the action bar on top of the list of installed programs, click Uninstall.
  4. Click Yes to answer the pop-up question Are you sure you want to uninstall Multi-Factor Authentication Web Service SDK?
  5. After several short progress bars have filled, Azure MFA Server’s Web Service SDK is removed.
  6. Close Programs and Features.
  7. Open the Internet Information Services (IIS) Manager (InetMgr.exe).
  8. In the left navigation pane, navigate to Sites. Expand it.
  9. Select the website or subfolder that corresponds to Azure MFA Server’s Web Service SDK.
  10. When Azure MFA Server’s Web Service SDK is installed as a separate site, right-click the site, click on Manage Website and then select Stop.
  11. In the action pane, click Basic Settings….
  12. Note the information in the Physical Path: field.
  13. Click OK to close the Edit Site pop-up.
  14. When Azure MFA Server’s Web Service SDK is installed as a separate site, in the main window of Internet Information Services (IIS) Manager, double-click Logging. Note the information in the Directory: field.
  15. When Azure MFA Server’s Web Service SDK is installed as a separate site, in the left navigation menu, right-click the site again and select Remove from the context-menu. Else, right-click the folder, and select Remove. Click Yes to confirm.
  16. In the Confirm Remove pop-up window, click Yes.
  17. In the left navigation menu, navigate to Application Pools. Expand it.
  18. Right-click the application pool corresponding to Azure MFA Server’s Web Service SDK and select Stop from the menu.
  19. Right-click it again, and select Remove from the menu.
  20. Click Yes to confirm.
  21. Close Internet Information Services (IIS) Manager.
  22. Open File Explorer (explorer.exe).
  23. Navigate to the folder noted from the Physical Path: field of Azure MFA Server’s Web Service SDK.
  24. Remove the folder.
  25. When Azure MFA Server’s Web Service SDK ran as a separate website, navigate to the folder noted from the Directory: field of Azure MFA Server’s Web Service SDK’s logging properties and remove this folder, too.
  26. Close File Explorer.
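The IIS part of the three procedures above (Mobile Web Service, User Portal and Web Service SDK) as one re-usable function, added here as an example and not taken from the original post. It assumes the WebAdministration module that ships with the IIS management tools; the site and application names at the bottom are placeholders for those of your own deployment, and for a separate site it removes only that site's own W3SVC<id> log subfolder rather than the shared log root that other sites may still write to.

```powershell
# Added example: remove an Azure MFA Server web component (Mobile Web Service,
# User Portal or Web Service SDK) from IIS, mirroring the manual steps above.
# Assumes the WebAdministration module (IIS management tools).
#Requires -RunAsAdministrator
Import-Module WebAdministration -ErrorAction Stop

function Remove-MfaServerWebComponent {
    param(
        # Name of the IIS site hosting the component (or its parent site).
        [Parameter(Mandatory)] [string]$SiteName,
        # Virtual path when the component is an application under $SiteName
        # (for instance '/MultiFactorAuth'); omit when it is a separate site.
        [string]$ApplicationPath,
        # Without -Force only the plan is shown; nothing is removed.
        [switch]$Force
    )

    $site = Get-Website -Name $SiteName
    if (-not $site) { throw "IIS site '$SiteName' does not exist." }

    if ($ApplicationPath) {
        # Component deployed as an application (subfolder) of an existing site.
        $app = Get-WebApplication -Site $SiteName | Where-Object { $_.path -eq $ApplicationPath }
        if (-not $app) { throw "Application '$ApplicationPath' not found under '$SiteName'." }
        $physicalPath = $app.PhysicalPath
        $appPool      = $app.applicationPool
        $logDir       = $null   # the parent site keeps its own logs
    } else {
        # Component deployed as its own site: note the Physical Path and the
        # site's log folder before the site definition disappears.
        $physicalPath = $site.physicalPath
        $appPool      = $site.applicationPool
        $logRoot      = [Environment]::ExpandEnvironmentVariables($site.logFile.directory)
        $logDir       = Join-Path $logRoot ("W3SVC{0}" -f $site.id)
    }
    $physicalPath = [Environment]::ExpandEnvironmentVariables($physicalPath)

    Write-Host "Site:          $SiteName"
    Write-Host "Application:   $(if ($ApplicationPath) { $ApplicationPath } else { '(separate site)' })"
    Write-Host "Physical path: $physicalPath"
    Write-Host "App pool:      $appPool"
    Write-Host "Log folder:    $(if ($logDir) { $logDir } else { '(kept, shared with parent site)' })"
    if (-not $Force) { Write-Host "Dry run; re-run with -Force to remove."; return }

    # Stop before removing so no request is served from a half-deleted tree.
    if ($ApplicationPath) {
        Remove-WebApplication -Site $SiteName -Name $ApplicationPath.TrimStart('/')
    } else {
        if ($site.state -eq 'Started') { Stop-Website -Name $SiteName }
        Remove-Website -Name $SiteName
    }

    # Remove the application pool only if nothing else still runs in it.
    $stillUsed = @(Get-Website | Where-Object { $_.applicationPool -eq $appPool }) +
                 @(Get-WebApplication | Where-Object { $_.applicationPool -eq $appPool })
    if ($stillUsed.Count -eq 0) {
        if ((Get-WebAppPoolState -Name $appPool).Value -eq 'Started') { Stop-WebAppPool -Name $appPool }
        Remove-WebAppPool -Name $appPool
    } else {
        Write-Warning "Application pool '$appPool' is still used by another site or application; left in place."
    }

    # Finally delete the content folder and, for a separate site, its log folder.
    foreach ($folder in @($physicalPath, $logDir) | Where-Object { $_ -and (Test-Path $_) }) {
        Remove-Item -Path $folder -Recurse -Force
        Write-Host "Removed $folder"
    }
}

# Placeholder names; replace with the site/application names of your deployment.
# Both calls are dry runs until -Force is added.
Remove-MfaServerWebComponent -SiteName 'MFA User Portal'
Remove-MfaServerWebComponent -SiteName 'Default Web Site' -ApplicationPath '/MultiFactorAuthWebServiceSdk'
```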


Remove Server references from Azure AD

To clean up the Azure AD tenant, delete the MFA Provider from Azure AD, since it’s no longer needed, even when you use Azure MFA with the NPS Extension for Azure MFA or Azure MFA with AD FS in Windows Server 2016 or Windows Server 2019. The steps in this paragraph also let you determine which server is the Master (primary) server when there are multiple MFA Servers in the MFA Server group.

The steps in this paragraph depend on the way the Azure MFA Server implementation is licensed.

Perform these steps:

  1. Open a web browser and navigate to the Azure Portal.
  2. Sign in with an account that has the Global administrator role assigned.
    Perform Azure-based multi-factor authentication, when prompted.
  3. In the left navigation menu, click Azure Active Directory.
  4. In the Azure AD navigation menu, scroll down to the Security section.
  5. Click MFA.


MFA Provider scenario

When the implementation uses an MFA Provider, perform these steps:

  1. In the Multi-Factor Authentication navigation menu, click Providers.
  2. Select a provider in the list of MFA providers to open its settings.
  3. In the navigation menu for the MFA Provider, click Server Status.
  4. In the list of Azure MFA Servers, take note of the Azure MFA Server installation that has the value Yes in the Master column.
  5. Click the ellipsis (…) to the left of each of the Azure MFA Servers, and select Delete from the menu.
  6. In the Delete Entry pop-up, click OK to acknowledge that the selected entry will be removed from the report.
    Repeat steps 5 and 6 for each Azure MFA Server in the list.
  7. Delete the MFA Provider.


Hybrid Identity Scenario

When the implementation is licensed through an Azure AD Premium license, or another license that includes Azure AD Premium, perform these steps:

  1. In the Multi-Factor Authentication navigation menu, click Server Status.
  2. In the list of Azure MFA Servers, take note of the MFA Server installation that has the value Yes in the Master column.
  3. Click the ellipsis (…) to the left of each of the Azure MFA Servers, and select Delete from the menu.
  4. In the Delete Entry pop-up, click OK to acknowledge that the selected entry will be removed from the report.

Repeat steps 3 and 4 for each Azure MFA Server in the list.


Uninstall the central Azure MFA Server component

The central Azure MFA Server component offers the Management User Interface, Directory Synchronization and other Azure MFA Server services that may be in use.

Information: When multiple Azure MFA Servers are part of the implementation, uninstall the central Azure MFA Server component on the Master server last. This is the only Azure MFA Server that has read/write access to the phonefactor.pfdata file.

To uninstall the central MFA Server component, perform these steps:

  1. Press Win and X simultaneously, right-click the Start button and select Programs and Features from the top of the menu, or search for Programs and Features.
  2. Select Multi-Factor Authentication Server from the list of installed programs.
  3. In the action bar on top of the list of installed programs, click Uninstall.
  4. Click Yes to answer the pop-up question Are you sure you want to uninstall Multi-Factor Authentication Server?
  5. After several short progress bars filling, Azure MFA Server will be removed.
  6. Close Programs and Features.
  7. Open File Explorer (explorer.exe).
  8. Navigate to the C:\Program Files\Multi-Factor Authentication Server folder (or the installation location for Azure MFA Server, if you changed it from the default during installation).
  9. Delete the folder, including the Data and Logs subfolders and the files therein.
  10. Close File Explorer.
  11. Restart the server.


Remove IIS

Warning: Skip this paragraph on Windows Servers that remain functioning as webservers, as the steps in this paragraph remove the Internet Information Services (IIS) role that hosts other IIS-based applications.

With all Azure MFA Server components removed, the servers in scope of the Azure MFA Server deployment no longer require Internet Information Services (IIS). Remove IIS from the server using the Remove Roles and Features wizard in Server Manager, or use the following line of Windows PowerShell in an elevated PowerShell window:

# Remove the IIS role and the role services the Azure MFA Server components relied on
Uninstall-WindowsFeature -Name Web-Server,Web-Common-Http,Web-Default-Doc,Web-Dir-Browsing,Web-Http-Errors,Web-Static-Content,Web-Health,Web-Http-Logging,Web-Performance,Web-Stat-Compression,Web-Security,Web-Filtering,Web-App-Dev,Web-Net-Ext45,Web-Asp-Net45,Web-ISAPI-Ext,Web-ISAPI-Filter,Web-Mgmt-Tools,Web-Mgmt-Console,Web-Mgmt-Compat,Web-Metabase

Afterward, restart the server. For instance, using the following line of Windows PowerShell:

# Restart the local server (Restart-Computer is the cmdlet for this)
Restart-Computer

If there are any load-balancer rules directing traffic to Azure MFA Server’s former Mobile Web Service, User Portal or Web Service SDK, remove these, too.
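The warning at the top of this paragraph as a check that runs before the IIS role is removed, added here as an example and not taken from the original post. It assumes the WebAdministration module and treats an empty Default Web Site as the only thing that may remain; the feature list is the one from the Uninstall-WindowsFeature line above.

```powershell
# Added example: only remove the IIS role once nothing else is hosted on it.
# Assumes the WebAdministration module (IIS management tools).
#Requires -RunAsAdministrator
Import-Module WebAdministration -ErrorAction Stop

function Get-RemainingIisWorkload {
    # Everything that would be lost with IIS: every site other than the
    # Default Web Site and every non-root application under any site.
    $sites = @(Get-Website | Where-Object { $_.name -ne 'Default Web Site' } | ForEach-Object {
        [pscustomobject]@{ Kind = 'Site'; Name = $_.name; PhysicalPath = $_.physicalPath }
    })
    $apps = @(Get-WebApplication | Where-Object { $_.path -ne '/' } | ForEach-Object {
        [pscustomobject]@{ Kind = 'Application'; Name = $_.path; PhysicalPath = $_.PhysicalPath }
    })
    return $sites + $apps
}

# Role and role services listed in the post.
$IisFeatures = @(
    'Web-Server','Web-Common-Http','Web-Default-Doc','Web-Dir-Browsing','Web-Http-Errors',
    'Web-Static-Content','Web-Health','Web-Http-Logging','Web-Performance','Web-Stat-Compression',
    'Web-Security','Web-Filtering','Web-App-Dev','Web-Net-Ext45','Web-Asp-Net45','Web-ISAPI-Ext',
    'Web-ISAPI-Filter','Web-Mgmt-Tools','Web-Mgmt-Console','Web-Mgmt-Compat','Web-Metabase'
)

$remaining = Get-RemainingIisWorkload
if ($remaining.Count -gt 0) {
    # Something else still depends on IIS: report it and leave the role alone.
    Write-Warning "IIS on $env:COMPUTERNAME still hosts the following; skip the IIS removal here:"
    $remaining | Format-Table -AutoSize | Out-Host
} else {
    Uninstall-WindowsFeature -Name $IisFeatures
    Restart-Computer
}
```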


Remove TLS Certificates

The local computer still has a TLS certificate stored in its certificate store. Remove the certificate for the Windows Servers in scope for the Azure MFA Server implementation from their local computer certificate stores.

Warning: Skip this paragraph if any of the Windows Servers in scope of the Azure MFA Server implementation remains a webserver, hosting websites over HTTPS using the same TLS certificate. However, when the time comes to renew the certificate, remove any Azure MFA Server-specific DNS names from the certificate request.

Perform these steps:

  1. Open the Certificates MMC Snap-in for the local computer (certlm.msc)
  2. In the left navigation pane, expand Personal, then Certificates.
  3. In the main pane, select the TLS certificate that was used for Azure MFA Server’s Mobile Web Service, Azure MFA Server’s User Portal and/or Azure MFA Server’s Web Service SDK.
  4. Right-click the certificate and select Delete from the menu.
  5. Click Yes.
  6. Close the Certificates MMC Snap-in.

If you have connected Azure MFA Server’s Mobile Web Service and User Portal to Azure MFA Server’s Web Service SDK using certificate authentication, remove these certificates, too.


Remove service accounts and groups from Active Directory

For typical Azure MFA Server deployments, there are two service accounts and one group in Active Directory Domain Services:

  • The PhoneFactor Admins group in the Users container
  • The service account for the Azure MFA Server itself
  • The service account for the portals to connect to the Web Service SDK

Remove them all.


Remove the servers from the domain

Warning: Skip this paragraph for any Windows Server in scope of the Azure MFA Server implementation that remains on the network to service end-users.

Configure each Azure MFA Server as a member of the WORKGROUP workgroup, instead of the domain it’s a member of.

Restart the server, afterwards.

After a successful restart, remove the computer object from Active Directory Domain Services.


Remove DNS records from DNS

Warning: Skip this paragraph for any Windows Server in scope of the Azure MFA Server implementation that remains on the network to service end-users.

Many Azure MFA Servers are known on the internal network and on the Internet by names other than their hostnames.

Remove the A, AAAA and CNAME records, pointing to the host in the DNS zone for the internal network. Remove the A, AAAA and CNAME records, pointing to the host in the public DNS zone for the Internet.


Remove the servers from the network

Warning: Skip this paragraph for any Windows Server in scope of the Azure MFA Server implementation that remains on the network to service end-users.

Shut down the server. Remove the server from the virtualization platform, or disconnect the physical server and remove it from the server room.

This is also the perfect moment to remove any custom firewall rules you might have had in place to allow communications between the Mobile Web Service and/or User Portal and the Web Service SDK, and replication between MFA Servers.

Make sure the hosts from the Azure MFA Server implementation are correctly removed from monitoring, backup and other information security services, as well as the service catalog.


Concluding

The above paragraphs provide steps to clean Azure MFA Server implementations off a network. Following these steps, no remnants remain of this legacy product.

Related blogposts

Supported Azure MFA Server Deployment Scenarios and their pros and cons 
HOWTO: Install Azure Multi-Factor Authentication (MFA) Server 8.0.1.1 
Things to know about Billing for Azure MFA and Azure MFA Server 
Ten Things you need to know about Azure Multi-Factor Authentication Server 

Further reading

Configure Azure MFA as authentication provider with AD FS   
Integrate your existing NPS infrastructure with Azure Multi-Factor Authentication  
Azure: How to unregister and register MFA Server 6.x ADFS Authentication Provider 


Experiences with Being Published, Part 4: Rules of Engagement


As a published technical writer, I’ve had my share of experiences working with a publisher and its editors for a period of seven months. For my own sanity, I’ll post some of my experiences in this series of blogposts on Experiences with Being Published. I feel these stories can be quite entertaining, and I might even get a smile on my face when I look back at these stories in a couple of years’ time…

I thought writing a book would be a lot of fun because I am quite creative. That turned out to be quite an assumption…


About Cookbooks

A Technology cookbook, as it turns out, is a very specific book. Just like any ‘normal’ cookbook, it contains recipes. The term cookbook is used metaphorically to refer to any book containing a straightforward set of already tried and tested recipes or instructions for a specific field or activity, presented in detail so that the reader, who is not necessarily an expert in the field, can produce workable results.

As it turns out, my publisher is very specific about what a cookbook should look like on the inside.


The rules

Before starting writing my first chapter, I received a sample chapter with some comments on how to do things. After receiving my first feedback, though, I realized the list of rules for chapters and recipes is quite long. I particularly struggled with the following rules:

  1. Every chapter starts with a short introduction followed by a list of all the recipes in the chapter.
  2. Every recipe has the same headings in the same order: Getting Ready, How it’s done, and How it works. None of these headings may be omitted. Their order must not be changed. Additional headings may be added after these headings: There’s more and See also. In that order.
    For recipes that aren’t that technical, this is a burden. Three recipes in particular (Chapter 1’s “Creating the right trust”, Chapter 11’s “Choosing the right AD FS Farm deployment method” and Chapter 12’s “Choosing the right Hybrid Identity authentication method”) proved opportunities for debate with the content team.
    Eventually, the headings grew on me, when I realized I could interpret them the way I wanted to. I mean, getting a coffee is a good way to get ready, too…
  3. Between every heading and a subheading, there needs to be text. This is when you add standard non-creative sentences to a book, like “Use this recipe to <title heading here>” or “This is how to <title heading here>”.
  4. You can’t have multiple Warning, Information or Tip blocks without paragraphs between them. Guess how many of these blocks I removed, just to comply with the rules that were put in place to uphold the quality of the book…
  5. When using steps in a graphical user interface in a recipe, at least one screenshot needs to be added between the steps in the recipe.
  6. Screenshots require a lead-in.
  7. Screenshots are always centered and the publisher adds a border.
    For three flowcharts in the book, I debated for weeks to have this rule waived. Eventually they agreed, but only after I sent the PowerPoint version of the flowcharts by mail, so that they could create sufficiently high-resolution images for the book to avoid jagged edges.
  8. You can’t quote the Microsoft KnowledgeBase or link to it, because there is no permission to do so, apparently.
  9. The See also section of a recipe is to be used to point to other recipes in the book. However, the links in the PDF of the book, as a rule, only point to the start of the chapter. This makes for a lot of unnecessary scrolling for people wanting to use this functionality. I guess it’s why one of the other rules is “Chapters may not exceed 50 pages”.
  10. You can add links in the See also sections of a recipe, but the links will not be shortened. Apparently, if a reader wants to use the link, it will have to be typed manually into the browser…


The sample chapter

In the end, the sample chapter proved a disaster. The introduction for the chapter came after the list of recipes. Its comments around screenshots didn’t mention any lead-ins, but instead suggested captions below the screenshot. The editing team ‘created’ lead-ins, which I subsequently had to change, because they consistently referred to the wrong action.

To add insult to injury, the sample chapter was shared in Microsoft Word format.


Concluding

Interestingly, when I show people the cookbook, their reaction is that its style is really ‘Microsofty’, meaning that people experience the style of the book as the style of Microsoft Official Curricula.

I feel it’s positive feedback. I guess I’m ready to contribute to these now, too. I’ve been a Microsoft Certified Trainer (MCT) for the last five years, so why not.

Picture by Sandwich, used under CC BY-NC-ND 2.0 license. Adjusted in size.


Learn the intricacies of managing Azure AD, Azure AD Connect as well as Active Directory for Identity and Access Management (IAM) in the cloud and on Windows Server 2019.

Get up to date! Get your 620-page, 147-recipe copy of the Active Directory Administration Cookbook, today. Buy it from Packt directly, or through your favorite local reseller.


13 Years Better Left Unspoken


This weekend marks 13 years of me sharing my thoughts, knowledge and experiences on this blog, titled The Things That Are Better Left Unspoken. Thirteen years ago, in June, 2006, I posted the first blog post here.

That’s as many years as there are stripes in the US flag.

Today, almost 1000 posts, several whitepapers and the Active Directory Administration Cookbook later, I’m still enjoying blogging, sharing and informing you on Microsoft products, technologies, features and news.

To me, it’s not something that is tied to an employer, residence, a specific time of day, recognitions from Microsoft, Veeam or VMware… That’s why I’m sure I can share that I’ll continue blogging, sharing and informing you.

Enjoy!

Related blogposts

Ten Years of Blogging 
Nine Years of blogging, sharing and informing 
Eight years of blogging


Pictures of the Dutch Active Directory Administration Cookbook Launch


On Thursday June 20, 2019, the Active Directory Administration Cookbook was officially launched in the Netherlands at the SCCT office in Leidschendam.

I had invited my family, my closest friends, the people with whom I have worked together in recent years at several Identity-related projects and everyone else who would be interested in attending.

At 5:30 PM, Harro Borghardt kicked off the launch with a short introduction. Then, I gave a short talk about my experiences creating the book and thanked the people present.

Photo: Signing an Active Directory Administration Cookbook for my parents (by Barbara Forbes).

Then, I signed the first book for my parents. Their support, patience and listening, combined with the support from my wife and daughter helped me through the inevitable rough patches in such a journey.

Photos: Raymond Comvalius and his Active Directory Administration Cookbook; Samad Assou and his Active Directory Administration Cookbook.

By popular demand, I signed books for everyone present.

Then, we all called it a night and went home.


Photo: Pascal Aarts and his Active Directory Administration Cookbook.

Do you want your copy of the Active Directory Administration Cookbook signed, like this guy? Leave a comment below.


Knowledgebase: Azure AD Connect’s Seamless SSO breaks when you disable RC4_HMAC_MD5


It’s a recommended practice to disable weak ciphers and encryption algorithms. Some standards require this. As technology evolves, the list of available ciphers and their priority in encryption negotiations changes. This limits the risk of losing confidentiality on communications between systems, applications and (cloud) services.

While you’ve probably heard of disabling 3DES and all versions of SSL, one other recommendation rears its ugly head: disable RC4_HMAC_MD5.


About RC4_HMAC_MD5

RC4_HMAC_MD5 is the Kerberos encryption type that combines Ron Rivest’s stream cipher RC4 with a Hashed Message Authentication Code (HMAC) based on the Message-Digest algorithm 5 (MD5) checksum function.

When Microsoft released Windows 2000 Server and Active Directory, it maintained backward compatibility with Windows NT and Windows 95. This meant supporting these older clients and enabling them to communicate using Kerberos. The easy way to do this was to use the NTLM password hash as the Kerberos RC4 encryption key used to encrypt and sign Kerberos tickets. Because of this, RC4_HMAC_MD5 takes center stage in several Kerberos attacks, including Kerberoasting.

 

How to disable RC4_HMAC_MD5 in Active Directory

Follow these steps to disable RC4_HMAC_MD5 in Active Directory:

  1. Sign in with an account that is a member of the Domain Admins group of the Active Directory domain for which you want to disable RC4_HMAC_MD5.
  2. Open the Group Policy Management Console (gpmc.msc).
  3. In the left navigation pane, browse to the Default Domain Controllers Group Policy object.
  4. Right-click the object and select Edit… from the context menu.
  5. Navigate to Computer Configuration, Policies, Windows Settings, Security Settings, Local Policies and then Security Options.
  6. Select the Network Security: Configure encryption types allowed for Kerberos group policy setting.
  7. Double-click the setting to edit it.
  8. Select the Define these policy settings option.
  9. In the list of available encryption types, deselect RC4_HMAC_MD5.
  10. Close the Group Policy setting.
  11. Close the Group Policy Management Console.

 

Impact

There is a situation where the above security measure impacts functionality: When you disable RC4_HMAC_MD5, Azure AD Connect will no longer be able to offer Seamless Single Sign-On (S3O).

This is made clear in the Troubleshoot Azure Active Directory Seamless Single Sign-on page. If you want Azure AD Connect’s Seamless Single Sign-on functionality to work, RC4_HMAC_MD5 will need to be available.
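As an added check that is not part of the original post, the following PowerShell decodes the bitmask that the Group Policy setting above writes and reports whether RC4_HMAC_MD5 is still allowed on the domain controller it runs on. The registry value and bit values are the ones Windows uses for this setting; the function names are mine, and the optional AZUREADSSOACC lookup assumes the ActiveDirectory module is installed.

```powershell
# Added example, not from the original post: decode the Kerberos encryption-type
# bitmask that the Group Policy setting above writes, and report whether
# RC4_HMAC_MD5 is still allowed on this machine (which Seamless SSO requires).
# Assumes it runs on a domain controller after the GPO has been applied.

# Bit values used by the "Network security: Configure encryption types allowed
# for Kerberos" setting; msDS-SupportedEncryptionTypes uses the same bits.
$KerberosEncTypes = [ordered]@{
    DES_CBC_CRC      = 0x01
    DES_CBC_MD5      = 0x02
    RC4_HMAC_MD5     = 0x04
    AES128_HMAC_SHA1 = 0x08
    AES256_HMAC_SHA1 = 0x10
}

function ConvertFrom-KerberosEncTypeMask {
    # Return the names of every encryption type whose bit is set in the mask.
    param([Parameter(Mandatory)][int]$Mask)
    foreach ($Entry in $KerberosEncTypes.GetEnumerator()) {
        if (($Mask -band $Entry.Value) -ne 0) { $Entry.Key }
    }
}

function Get-KerberosPolicyEncTypeMask {
    # The GPO setting is stored in this registry value. When the value is absent
    # the setting is "Not Defined" and the operating system defaults apply.
    $Key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters'
    $Item = Get-ItemProperty -Path $Key -Name SupportedEncryptionTypes -ErrorAction SilentlyContinue
    if ($null -eq $Item) { return $null }
    return [int]$Item.SupportedEncryptionTypes
}

function Test-Rc4AllowedForSeamlessSso {
    $Mask = Get-KerberosPolicyEncTypeMask
    if ($null -eq $Mask) {
        # Windows Server 2016 default when not defined: RC4 and both AES types.
        $Allowed = @('RC4_HMAC_MD5', 'AES128_HMAC_SHA1', 'AES256_HMAC_SHA1')
    } else {
        $Allowed = @(ConvertFrom-KerberosEncTypeMask -Mask $Mask)
    }
    $Rc4 = $Allowed -contains 'RC4_HMAC_MD5'
    [pscustomobject]@{
        PolicyDefined = ($null -ne $Mask)
        PolicyMask    = $(if ($null -ne $Mask) { '0x{0:X}' -f $Mask } else { 'n/a' })
        Allowed       = ($Allowed -join ', ')
        Rc4Allowed    = $Rc4
        SeamlessSso   = $(if ($Rc4) { 'can work' } else { 'BROKEN: RC4_HMAC_MD5 disabled' })
    }
}

# Optional: inspect the AZUREADSSOACC computer account that Seamless SSO uses.
# Assumes the ActiveDirectory PowerShell module is available on this machine.
function Get-SeamlessSsoAccountEncTypes {
    Import-Module ActiveDirectory -ErrorAction Stop
    $Acc  = Get-ADComputer -Identity 'AZUREADSSOACC' -Properties 'msDS-SupportedEncryptionTypes'
    $Mask = [int]$Acc.'msDS-SupportedEncryptionTypes'
    if ($Mask -eq 0) { return 'not set on the account; policy or OS default applies' }
    return (@(ConvertFrom-KerberosEncTypeMask -Mask $Mask) -join ', ')
}

Test-Rc4AllowedForSeamlessSso
```

Run it on each domain controller after a Group Policy refresh; a result with Rc4Allowed set to False is the state in which Seamless SSO stops working.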

 

Further actions

If you would like Microsoft to address this issue in Azure AD Connect, please vote for this change on the Azure Feedback website.

 

Further reading

SSL and TLS Deployment Best Practices
RC4 in TLS is Broken: Now What?
Prioritizing Schannel Cipher Suites
Cipher Suites in TLS/SSL (Schannel SSP)
245030 How to restrict the use of certain cryptographic algorithms and protocols
How Do I Remove Legacy Ciphers (SSL2, SSL3, DES, 3DES, MD5 and RC4) on NetScaler?
A Cipher Best Practice: Configure IIS for SSL/TLS Protocol
How to disable RC4 and 3DES on Windows Server?

The post Knowledgebase: Azure AD Connect’s Seamless SSO breaks when you disable RC4_HMAC_MD5 appeared first on The things that are better left unspoken.

Experiences with Being Published, Part 5: Quality Assurance


Quality

As a published technical writer, I’ve had my share of experiences working with a publisher and its editors for a period of seven months. For my own sanity, I’ll post some of my experiences in this series of blogposts on Experiences with Being Published. I feel these stories can be quite entertaining, and I might even get a smile on my face when I look back at these stories in a couple of years’ time…

As I mentioned previously, the process allows for checks and balances. There are stakeholders; people with roles.

 

My process

I must admit, I had a rough start writing my book. I decided to write a book about Windows Server 2019 and deliver my first chapter on October 15th. I expected Microsoft to release Windows Server 2019 at its Ignite 2018 event, and I figured I could start running Windows Server 2019-based virtual machines in Microsoft Azure Infrastructure as a Service (IaaS) on October 1st, 2018.

I was wrong… Microsoft released Windows Server 2019, but due to quality issues, didn’t release Windows Server 2019 until a whole month later. There was no way to test my command lines and PowerShell scripts. I was basically writing in the dark.

Luckily I didn’t write about Hyper-V Server 2019, as this product was only released last week, after being delayed for over six months.

 

About the technical reviews

Luckily, I knew I could rely on the process.

My technical reviewer (TR) would trace all my steps and note any inconsistencies in the texts, steps and commands. Then, a technical person from my publisher would do the same thing and come up with any items the two of us might have missed.

 

Official confirmations

Two days before the last deadline, I received a message from my publisher:

I need to discuss about codes in the chapters.

 

Can you please give a confirmation that they are working fine… We know that the TR has made suggestions for the codes and you have implemented it, but we need some sort of official confirmation… Unfortunately, the TR did not seem to add this in the questionnaire.

 

We did not find anything erroneous as such at our end… Also, the TR also did not flag anything. It’s just that as a protocol, we have to check it with you as well. Do not worry… the quality of the book is not hampered.

 

I was wrong…

I decided to check the scripts. I had performed most actions in the Active Directory Administrative Center, and copied the PowerShell commands from there, most of the time.

This is when I found out, no-one checked the command lines and PowerShell scripts in the book.

My technical reviewer even suggested some edits for readability that actually broke the lines of PowerShell involved. My publisher couldn’t perform technical reviews, because of some missing technology capabilities on their end.

I went through all the commands and scripts and edited them at break-neck speed. There were 17 commands that needed corrections. Corrections a technical reviewer could have easily picked up on, but apparently didn’t.

 

But … the quality of the book is not hampered. No.

 

Picture by Louise McLaren, under CC BY 2.0 license. Adjusted in size.

 


 

Learn the intricacies of managing Azure AD, Azure AD Connect as well as Active Directory for Identity and Access Management (IAM) in the cloud and on Windows Server 2019.

Get up to date! Get your 620-page, 147-recipe copy of the Active Directory Administration Cookbook, today. Buy it from Packt directly, or through your favorite local reseller.

The post Experiences with Being Published, Part 5: Quality Assurance appeared first on The things that are better left unspoken.


Join us for the KNVI "Active Directory, What’s Cooking?" Event


Hitland

On June 20, 2019, we officially launched the Packt Active Directory Administration Cookbook in the Netherlands. I signed a ton of books.

After that fun event I was approached by the Royal Dutch Association of Information and IT Professionals (KNVI). They were interested in the book as well. As the book applies to a fairly large number of their members, we agreed upon a second event: “Active Directory, What’s Cooking?”.

        

About KNVI

The Dutch Professional Association of Information and IT Professionals (KNVI) is an independent platform for sharing professional knowledge and expanding the personal networks of ICT Pros, information professionals, students and employers who want to keep their employees up to date.

KNVI organizes multiple meetings per month, publishes AG Connect both online and in print, and offers discounts to its members.

KNVI is a merged organization of several professional associations, including the Dutch Networking User Group (Ngi-NGN) and the Dutch Association for Documentary Information and Organization Administration (SOD).

     

About KNVI “Active Directory, What’s Cooking?”

On July 9, 2019, KNVI organizes the “Active Directory, What’s Cooking?” event for its members at the Hitland Golf Club in Nieuwerkerk aan den IJssel.

Having fun with Erwin, back in 2018 (click for larger photo)

Starting at 6PM, we are going to enjoy a BBQ. Then, at 8 PM, Erwin Derksen and I will share our experiences with Active Directory and Azure AD.

Part of my experiences is in the Active Directory Administration Cookbook. I will tell a bit about how the book fits in my ambition and strategy for “Better Active Directory admins and environments without breaking the bank”.

Members of KNVI will be able to purchase the Packt Active Directory Administration Cookbook with 40% discount, spending only € 32 instead of the normal Dutch price of € 52 for the book.

      

Join KNVI and the event!

It’s not too late to join KNVI Dutch.
This is a prerequisite to being able to attend the KNVI “Active Directory, What’s Cooking?” event.

Subscriptions to KNVI for students are a mere EUR 30 per year. Subscriptions for individuals start at EUR 99,00 per year for members aged 27 and below, for retirees and for unemployed people. Other individual subscriptions set you back EUR 165 per year. Organizational subscriptions are available upon request.

I’m sure you can do the math how many books you need to buy to break even.

The post Join us for the KNVI "Active Directory, What’s Cooking?" Event appeared first on The things that are better left unspoken.

I’m a 2019-2020 Microsoft MVP


Today, I received a localized e-mail from the Microsoft Most Valuable Professional (MVP) Award team.

Translated from Dutch, it reads:

Dear Sander Berkouwer,

Once again, we are pleased to present you with the 2019-2020 Microsoft Most Valuable Professional (MVP) Award in recognition of your exceptional leadership in technical communities. We appreciate your outstanding contributions in the following technical communities over the past year:

  • Enterprise Mobility

Your MVP Award gift package is on its way. You will receive a shipping notification within five business days. To gain access to all Award benefits, complete the MVP activation steps below.

This roughly translates to the messages I have been receiving from 2009 till 2016 on January 1st of these years and from July 1st, 2017 onward; I’m still worthy of the MVP badge.

It’s an honor to be part of this wonderful group of people helping others and closing the feedback circle with Microsoft, especially for the situations in which people use Microsoft products in ways Microsoft has never imagined.

Thank you!

The post I’m a 2019-2020 Microsoft MVP appeared first on The things that are better left unspoken.

HOWTO: Disable Unnecessary Services on Web Application Proxies


Hybrid Identity

Most Microsoft-based Hybrid Identity implementations use Active Directory Federation Services (AD FS) Servers, Web Application Proxies and Azure AD Connect installations. In this series, labeled Hardening Hybrid Identity, we’re looking at hardening these implementations, using recommended practices.

Let’s harden the Web Application Proxy installations, by disabling unnecessary services running on it. This way, we lower their attack surfaces even further.

Note:
This blogpost assumes you’re running Web Application Proxies as non-domain-joined Server Core Windows Server 2016 installations. If your Web Application Proxies are domain-joined, use Group Policy to disable unnecessary services instead of PowerShell.

 

Unnecessary services

Services that are of no use to Web Application Proxies can be disabled.

By default

The following Windows services are disabled, by default, on Server Core installations of Windows Server 2016:

  • Computer Browser (browser)
  • Net.Tcp Port Sharing Service (NetTcpPortSharing)
  • Routing and Remote Access (RemoteAccess)
  • Smart Card (SCardSvr)

These services do not require any further attention.

Additional services

The following Windows services are enabled and have Manual or Automatic startup types on Server Core installations of Windows Server 2016. These can be disabled:

  • Internet Connection Sharing (ICS) (SharedAccess)
  • Link-Layer Topology Discovery Mapper (lltdsvc)
  • Print Spooler (Spooler)
  • Printer Extensions and Notifications (PrintNotify)
  • Smart Card Device Enumeration Service (ScDeviceEnum)
  • Windows Insider Service (wisvc)

 

Harden services

Disable unnecessary services

To disable these services, run the following Windows PowerShell script, when logged on with an account that has local administrative privileges on the Web Application Proxy:

# Set each unnecessary service to Disabled, then stop it if it is running
Set-Service SharedAccess -StartupType Disabled
Stop-Service SharedAccess
Set-Service lltdsvc -StartupType Disabled
Stop-Service lltdsvc
Set-Service Spooler -StartupType Disabled
Stop-Service Spooler
Set-Service PrintNotify -StartupType Disabled
Stop-Service PrintNotify
Set-Service ScDeviceEnum -StartupType Disabled
Stop-Service ScDeviceEnum
Set-Service wisvc -StartupType Disabled
Stop-Service wisvc

 

Re-enable services

To re-enable the above services to their previous state, run the following Windows PowerShell script, when logged on with an account that has local administrative privileges on the Web Application Proxy:

# Restore the default startup types; only the Print Spooler is started by default
Set-Service SharedAccess -StartupType Manual
Set-Service lltdsvc -StartupType Manual
Set-Service Spooler -StartupType Automatic
Start-Service Spooler
Set-Service PrintNotify -StartupType Manual
Set-Service ScDeviceEnum -StartupType Manual
Set-Service wisvc -StartupType Manual

 

Concluding

Disable unnecessary services on all Web Application Proxies throughout the Hybrid Identity implementation using the Windows PowerShell script above.

The post HOWTO: Disable Unnecessary Services on Web Application Proxies appeared first on The things that are better left unspoken.

Experiences with Being Published, Part 6: A Matter of Style


EditingPie

As a published technical writer, I’ve had my share of experiences working with a publisher and its editors for a period of seven months. For my own sanity, I’ll post some of my experiences in this series of blogposts on Experiences with Being Published. I feel these stories can be quite entertaining, and I might even get a smile on my face when I look back at these stories in a couple of years’ time…

Today, let’s talk about how a diverse team, consisting of people from multiple cultures added value f*cked sh*t up.

 

The last mile is the longest one

Once I was done writing the chapters, all I learned I needed to do was to copy all the command lines and PowerShell scripts from the book into separate files on GitHub, write the hardware and software list (listing all the hardware and software used for all the recipes) and write the Preface.

This last item proved to be the hardest, even though I only needed to describe the purpose and scope of the book…

 

A matter of style…

One of the content editors has been bugging me throughout the process with her unneeded and frustrating edits. It started with ‘correcting’ the ActiveDirectory PowerShell module name in the Import-Module command by adding a space, and continued throughout the book with other corrections, where she would edit “The … screen appears.” into “The … screen will appear.” like we were working with some really slow domain controllers, and ‘Click Next >’ into ‘Click on Next >’.

With the help of the technical editor, all these corrections were corrected back, except one.

 

The one that got away

As I was writing the Preface to the book, it was my job to describe the contents for each chapter. For chapter 3, I wrote:

Chapter 3, Managing Active Directory Roles and Features, covers FSMO roles and global catalog servers for addressing all your organization’s multi-forest and multi-domain needs.

Deliberately, I chose not to explain the FSMO acronym. I felt that when people wanted to know what it meant, they would look it up in the chapter anyway.

In the version of the book a week before publishing, the Preface was edited. The above piece of text now read:

Chapter 3, Managing Active Directory Roles and Features, covers Flexible Single Operations Master (FSMO) roles and global catalog servers for addressing all your organization’s multi-forest and multi-domain needs.

That’s right. The editor thought it was wise to introduce the acronym in the Preface. As a matter of style, all introductions for acronyms are noted as bold text.

In the final book, however, this particular sentence reads:

Chapter 3, Managing Active Directory Roles and Features, covers Flexible Single Operations Master (FSOM) roles and global catalog servers for addressing all your organization’s multi-forest and multi-domain needs.

That’s right. A completely new acronym is introduced for Active Directory, because someone didn’t pay attention to write it down perfectly, and then edited it some more to make it look really ridiculous. As it is the only acronym introduced on the page, and therefore the only bold text, it stands out like a sore thumb.

 

Just don’t

When you know nothing about Active Directory and its acronyms, please keep as far away as possible from editing a book on it. Just don’t.

 

Picture by Fellowship of the Rich, under CC BY-NC-ND 2.0 license. Edited in size

 


Learn the intricacies of managing Azure AD, Azure AD Connect as well as Active Directory for Identity and Access Management (IAM) in the cloud and on Windows Server 2019.

Get up to date! Get your 620-page, 147-recipe copy of the Active Directory Administration Cookbook, today. Buy it from Packt directly, or through your favorite local reseller.

The post Experiences with Being Published, Part 6: A Matter of Style appeared first on The things that are better left unspoken.

HOWTO: Disable Unnecessary Services and Scheduled Tasks on AD FS Servers


Hybrid Identity

Most Microsoft-based Hybrid Identity implementations use Active Directory Federation Services (AD FS) Servers, Web Application Proxies and Azure AD Connect installations. In this series, labeled Hardening Hybrid Identity, we’re looking at hardening these implementations, using recommended practices.

In this part of the series, we’ll harden the AD FS Server installations, by disabling unnecessary services running on it. This way, we lower their attack surfaces.

Note:
This blogpost assumes you’re running AD FS Servers as domain-joined Windows Server 2016 Server Core installations. However, as management of AD FS on Server Core installations is PowerShell-only, we also include information for AD FS Servers running Windows Server 2016 with Desktop Experience (Full).

 

Unnecessary services

By default

The following Windows services are disabled, by default, on Server Core installations of Windows Server 2016:

  • Computer Browser (browser)
  • Net.Tcp Port Sharing Service (NetTcpPortSharing)
  • Routing and Remote Access (RemoteAccess)
  • Smart Card (SCardSvr)
  • Auto Time Zone Update (tzautoupdate)
  • Microsoft App-V Client (AppVClient)
  • Offline files (cscService)
  • User Experience Virtualization Service (UevAgentService)
  • Windows Search (WSearch)

These services do not require any further attention.

Additional services

The following Windows services are enabled and have Manual or Automatic startup types on installations of Windows Server 2016 with the Desktop Experience (Full Installations). These can be disabled:

  • ActiveX Installer (AxInstSV) (AxInstSV)
  • Bluetooth Support Service (bthserv)
  • CDPUserSvc (CDPUserSvc)
  • Contact Data (PimIndexMaintenancesvc)
  • dmwappushsvc (dmwappushsvc)
  • Downloaded Maps Manager (MapsBroker)
  • Geolocation Service (lfsvc)
  • Internet Connection Sharing (ICS) (SharedAccess)
  • Link-Layer Topology Discovery Mapper (lltdsvc)
  • Microsoft Account Sign-in Assistant (wlidsvc)
  • Microsoft Passport (NgcSvc)
  • Microsoft Passport Container (NgcCtnrSvc)
  • Network Connection Broker (NcbService)
  • Phone Service (PhoneSvc)
  • Print Spooler (Spooler)
  • Printer Extensions and Notifications (PrintNotify)
  • Program Compatibility Assistant Service (PcaSvc)
  • Quality Windows Audio Video Experience (QWAVE)
  • Radio Management Service (RmSvc)
  • Sensor Data Service (SensorDataService)
  • Sensor Monitoring Service (SensrSvc)
  • Sensor Service (SensorService)
  • Shell Hardware Detection (ShellHWDetection)
  • Smart Card Device Enumeration Service (ScDeviceEnum)
  • SSDP Discovery (SSDPSRV)
  • Still Image Acquisition Events (WiaRpc)
  • Sync Host (OneSyncSvc)
  • Touch Keyboard and Handwriting Panel (TabletInputService)
  • UPnP Device Host (upnphost)
  • User Data Access (UserDataSvc)
  • User Data Storage (UnistoreSvc)
  • WalletService (WalletService)
  • Windows Audio (Audiosrv)
  • Windows Audio Endpoint Builder (AudioEndpointBuilder)
  • Windows Camera Frame Server (FrameServer)
  • Windows Image Acquisition (WIA) (stisvc)
  • Windows Insider Service (wisvc)
  • Windows Mobile Hotspot Service (icssvc)
  • Windows Push Notifications System Service (WpnService)
  • Windows Push Notifications User Service (WpnUserService)
  • Xbox Live Auth Manager (XblAuthManager)
  • Xbox Live Game Save (XblGameSave)

 

Unnecessary tasks

On Windows Server installations with Desktop Experience, two scheduled tasks exist that can be removed without consequences on AD FS Servers:

  1. \Microsoft\XblGameSave\XblGameSaveTask
  2. \Microsoft\XblGameSave\XblGameSaveTaskLogon

 

Harden Services

As the AD FS Servers are part of Active Directory Domain Services, the best way to disable the unnecessary Windows Services is through Group Policy.

Follow these steps:

  1. Sign in with an account that is a member of the Domain Admins group, or with an account that is delegated to create and link Group Policy objects (GPOs) to Organizational Units (OUs).
  2. Open the Group Policy Management console (gpmc.msc).
  3. In the left navigation pane, navigate to the Organizational Unit (OU) where the AD FS Servers reside.
  4. Right-click the OU and select Create a GPO in this domain, and Link it here….
  5. In the New GPO pop-up, provide a name for the Group Policy Object, corresponding to the naming convention for Group Policy objects in the environment.
  6. Click OK
  7. Back in navigation pane of the Group Policy Management console, expand the OU and click on the Group Policy object link.
  8. Click OK in the Group Policy Management Console pop-up, explaining You have selected a link to a Group Policy Object (GPO). Except for changes to link properties, changes you make here are global to the GPO, and will impact all other locations where this GPO is linked.
  9. Right-click the Group Policy object and select Edit… from the context menu.
    The Group Policy Management Editor window appears.
  10. In the left navigation pane, under Computer Configuration, expand the Policies node.
  11. Expand the Windows Settings node.
  12. Expand the Security Settings node.
  13. Select System Services.

    Disable a service through Group Policy (click for original screenshot)

  14. In the main pane, for each service in the above list, double-click the service, and then select the Define this policy setting option and select the Disabled service startup mode.
  15. When done, close the Group Policy Management Editor window.
  16. Close the Group Policy Management Console window.
  17. Sign out.

 

Remove Scheduled Tasks

As the AD FS Servers are part of Active Directory Domain Services, the best way to remove the unnecessary scheduled tasks is through Group Policy Preferences.

Note:
Do not place Group Policy settings and Group Policy preferences in the same Group Policy object, as this will result in synchronous processing behavior and slowness during startups of the AD FS Servers.

Follow these steps:

  1. Sign in with an account that is a member of the Domain Admins group, or with an account that is delegated to create and link Group Policy objects (GPOs) to Organizational Units (OUs).
  2. Open the Group Policy Management console (gpmc.msc).
  3. In the left navigation pane, navigate to the Organizational Unit (OU) where the AD FS Servers reside.
  4. Right-click the OU and select Create a GPO in this domain, and Link it here….
  5. In the New GPO pop-up, provide a name for the Group Policy Object, corresponding to the naming convention for Group Policy objects in the environment.
  6. Click OK.
  7. Back in the navigation pane of the Group Policy Management console, expand the OU and click on the Group Policy object link.
  8. Click OK in the Group Policy Management Console pop-up, explaining You have selected a link to a Group Policy Object (GPO). Except for changes to link properties, changes you make here are global to the GPO, and will impact all other locations where this GPO is linked.
  9. Right-click the Group Policy object and select Edit… from the context menu.
    The Group Policy Management Editor window appears.
  10. In the left navigation pane, under Computer Configuration, expand the Preferences node.
  11. Expand the Control Panel Settings node.
  12. Expand the Scheduled Tasks node.
  13. In the main pane, right-click on Scheduled Tasks and select New and then Scheduled Task from the context menu.

    Delete a scheduled task through Group Policy Preferences (click for original screenshot)

  14. In the New Task Properties window, select Delete as the action and provide the name of the scheduled task, exactly as provided above.
  15. Click OK.
  16. Repeat steps 13-15 for the second task.
  17. When done, close the Group Policy Management Editor window.
  18. Close the Group Policy Management Console window.
  19. Sign out.
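To verify that the hardening from this post and from the earlier Web Application Proxy post actually took effect on a given server, here is an added PowerShell check that is not part of the original posts: it reports every listed service that is still enabled or running and every listed scheduled task that still exists. The service and task names are the ones listed above; the function name and the wildcard handling of per-user services are my own assumptions.

```powershell
# Added example, not from the original posts: report hardening drift on an
# AD FS Server or Web Application Proxy. Run locally with administrative rights.

# Short names from the Web Application Proxy post (Server Core 2016).
$WapServices = @('SharedAccess', 'lltdsvc', 'Spooler', 'PrintNotify', 'ScDeviceEnum', 'wisvc')

# Short names from the AD FS post (Windows Server 2016 with Desktop Experience).
$AdfsServices = @(
    'AxInstSV', 'bthserv', 'CDPUserSvc', 'PimIndexMaintenancesvc', 'dmwappushsvc',
    'MapsBroker', 'lfsvc', 'SharedAccess', 'lltdsvc', 'wlidsvc', 'NgcSvc', 'NgcCtnrSvc',
    'NcbService', 'PhoneSvc', 'Spooler', 'PrintNotify', 'PcaSvc', 'QWAVE', 'RmSvc',
    'SensorDataService', 'SensrSvc', 'SensorService', 'ShellHWDetection', 'ScDeviceEnum',
    'SSDPSRV', 'WiaRpc', 'OneSyncSvc', 'TabletInputService', 'upnphost', 'UserDataSvc',
    'UnistoreSvc', 'WalletService', 'Audiosrv', 'AudioEndpointBuilder', 'FrameServer',
    'stisvc', 'wisvc', 'icssvc', 'WpnService', 'WpnUserService', 'XblAuthManager',
    'XblGameSave'
)

# Scheduled tasks from the AD FS post.
$AdfsTasks = @(
    '\Microsoft\XblGameSave\XblGameSaveTask',
    '\Microsoft\XblGameSave\XblGameSaveTaskLogon'
)

function Get-HardeningDrift {
    # Return one object per service that is not Disabled (or still running) and
    # per scheduled task that still exists. Services that are not installed at
    # all (common on Server Core) are skipped: there is nothing to disable.
    param(
        [Parameter(Mandatory)][string[]]$ServiceName,
        [string[]]$TaskPath = @()
    )
    $Drift = @()
    foreach ($Name in $ServiceName) {
        # The trailing wildcard also catches per-user service instances such as
        # CDPUserSvc_<id>, which carry a random suffix per logged-on user.
        $Found = @(Get-Service -Name "$Name*" -ErrorAction SilentlyContinue)
        foreach ($Svc in $Found) {
            if ($Svc.StartType -ne 'Disabled' -or $Svc.Status -eq 'Running') {
                $Drift += [pscustomobject]@{
                    Kind    = 'Service'
                    Name    = $Svc.Name
                    State   = '{0}/{1}' -f $Svc.StartType, $Svc.Status
                    Finding = 'not disabled or still running'
                }
            }
        }
    }
    foreach ($Task in $TaskPath) {
        # Get-ScheduledTask wants the folder with a trailing backslash.
        $Folder = (Split-Path -Path $Task -Parent) + '\'
        $Leaf   = Split-Path -Path $Task -Leaf
        $Found  = Get-ScheduledTask -TaskPath $Folder -TaskName $Leaf -ErrorAction SilentlyContinue
        if ($null -ne $Found) {
            $Drift += [pscustomobject]@{
                Kind    = 'Task'
                Name    = $Task
                State   = [string]$Found.State
                Finding = 'still present'
            }
        }
    }
    return $Drift
}

# Pick the list that matches the role of the machine this runs on.
$Drift = Get-HardeningDrift -ServiceName $AdfsServices -TaskPath $AdfsTasks
# For a Web Application Proxy: Get-HardeningDrift -ServiceName $WapServices
if ($Drift.Count -eq 0) { 'No drift: all listed services are disabled and tasks removed.' }
else { $Drift | Format-Table -AutoSize }
```

An empty result after a Group Policy refresh confirms the GPO (or the PowerShell script on the Web Application Proxies) is in effect; anything listed is a service or task that was re-enabled, never covered, or recreated by a later update.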

Concluding

Disable unnecessary services on all AD FS Servers throughout the Hybrid Identity implementation using Group Policy.

The post HOWTO: Disable Unnecessary Services and Scheduled Tasks on AD FS Servers appeared first on The things that are better left unspoken.
