probe

Posted on January 20, 2017January 20, 2017 By Luben Kirov

Microsoft has a very nice post on how to setup Traffic manager in front of an ADFS farm for high availability, where both sites are in Azure but in different GEO locations or one in Azure and one on premises. The Article is located here: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-adfs-in-azure-with-azure-traffic-manager. What the article lacks is how to setup proper ADFS monitoring, which monitors both tte WAP and the ADFS service, at the moment the article only goes into details which monitor the WAP service.

So this post will go over how to configure your environment so the health point will report the status of both WAP and ADFS.

Some info before we begin:

The solutions is achieved by monitoring the /adfs/probe/ on the ADFS server via the WAP proxy
The solution will report failure if the WAP proxy is not forwarding or the ADFS service is down. So we are monitoring the whole solution.
It will work if you have an external load balancer in front of the WAP servers and an internal one in front of the ADFS servers, for simplicity I will outline how it’s done on the non-load-balanced solution but it’s the same procedure for both.
You can’t monitor /adfs/probe on the WAP server as that will only give you the status of the WAP server
You can create a rule on the WAP server to redirect /adfs/probe to the ADFS server, but it will get ignored and show you the status of the WAP server.
I tested this on Server 2016 but it will work for 2012 R2 as well
If you are using 2012 R2 make sure you update your WAP to the latest version so you can forward HTTP traffic
We use HTTP as this prevents certificate problems and because Traffic manager does not support SNI.
You can’t monitor the “/federationmetadata/2007-06/federationmetadata.xml” because the way you set this up for Traffic manager means you are monitoring the ADFS on a different DNS so the request will not be forwarded.

Essentially this is what we are doing

Once you setup the environment as per Microsofts Article above we need to do the following:

The variables for my test environment:

ADFS URL and Federation Service Name – test123.blah.local
Traffic Manager DNS – adfstest.trafficmanager.net
WAP server public IP dns (this can be replaced by a load balancer) – http://mytestadfsa.westeurope.cloudapp.azure.com
Custom monitor path (you can choose anything but the default which is /adfs/) – /adfsprobe/

The Steps:

Change the Traffic Manager Configuration to point to our custom monitor path for the endpoint monitoring

Create an HTTP rule on the WAP server in the Remote Access Management Console to forward (via Pass- through) the WAP DNS + our custom monitor path to the ADFS server. I assume that your WAP server host file has been modified to point the ADFS URL to the ADFS internal IP or load balancer IP

Install IIS (it’s usually installed by default with ADFS) + URL Rewrite (https://www.iis.net/downloads/microsoft/url-rewrite) + Application Request Routing (https://www.iis.net/downloads/microsoft/application-request-routing) on the ADFS server.
Create a new application under the Default Web Site call it the same name you used for your custom monitor path nd then create a new URL Rewrite Rule

The rule to be created is Reverse Proxy with the following settings:

And finally change your Public DNS record and create a CName for your ADFS URL (test123.blah.local) to point to the traffic manager DNS name (adfstest.trafficmanager.net)

And you are done.

Powershell Add-Computer error when executed remotely.

Posted on January 9, 2017January 9, 2017 By Luben Kirov

Windows

When you execute the PowerShell command: “Add-Computer -DomainName “contoso.com” -Credential $domainjoinuser -Restart” remotely or in a non-interactive environment you may get the following error:

1	Computer 'XXXXX' failed to join domain 'contoso.com' from its current workgroup 'TEST' with following error message: Unable to update the password. The value provided as the current password is incorrect.

The root of the problem is (given that your password is correct) when running things interactively the domain is pre-appended and as such you only need to provide the user. But in a non-interactive environment, the domain is not known as such it’s a very simple fix, make sure you either include the short domain names like “contoso\DMAdmin” or the full FQDN “[email protected]. The error occurred for me by running an Azure custom script which called a PowerShell script non-interactively.

The ACL RemoveAccessRule Not Working

Posted on January 8, 2017January 8, 2017 By Luben Kirov

Windows

If you try and modify the ACL via PowerShell but the command RemoveAccessRule is not working, by that I mean you run it no errors come up but the rules and not being removed. The problem is that inheritance is turned on and you are trying to remove a rule that is obtained from inheritance. To fix this problem you first need to disable inheritance, save the rule and then get the acls again. After that remove will work. Code can be found below:

$datadiskpath = "D:\MyData"

mkdir $datadiskpath

$acl = Get-ACL -Path $datadiskpath

$acl.SetAccessRuleProtection($True, $True)

Set-Acl -Path $datadiskpath -AclObject $acl

$acl = Get-ACL -Path $datadiskpath

$acl.Access | Where-Object {$_.IdentityReference -eq "BUILTIN\Users"} | Foreach-Object {$acl.RemoveAccessRule($_) | Out-Null}

Set-Acl -Path $datadiskpath -AclObject $acl

New Virtual Disk Error “UseMaximumSize” (Storage Pool)

Posted on January 8, 2017 By Luben Kirov

Windows

This is a heads up post for anyone who is creating a new virtual disk from a storage pool in Storage Spaces. If you are creating a disk and want to use the “Maximum size” parameter then you have to make sure that the Provisioning type is set to Fixed and not Thin. This is a normal expected behaviour as the Thin disk expands automatically and take space as it needs so you can’t pre-located 100% of the size, you will need to specify an initial disk size. For fixed size “-ProvisioningType Fixed” you can use the “-UseMaximumSize” parameter.

The unfriendly Powershell Error:

New-VirtualDisk : Invalid Parameter

Activity ID: {93f131a2-3dcd-4878-ac95-8c7b127609d5}

At line:1 char:2

+ New-VirtualDisk -FriendlyName "Data Disk" -ProvisioningType "Thin" - ...

+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ CategoryInfo : InvalidArgument: (StorageWMI:ROOT/Microsoft/...SFT_StoragePool) [New-VirtualDisk], CimEx

ception

+ FullyQualifiedErrorId : StorageWMI 5,New-VirtualDisk

The GUI Error:

Web Application Proxy Event ID 12019 – (0x8007007b)

Posted on December 21, 2016December 31, 2016 By Luben Kirov

Windows

For anyone that has received the below WAP error, especially in Server 2016, please make sure that the published application name does not have any forward slashes “/”.

It seems to like other characters like: “wqe.()-_\sdfds123″££$%%” but not forward slashes.

Log Name: Microsoft-Windows-WebApplicationProxy/Admin

Source: Microsoft-Windows-WebApplicationProxy

Date: 12/21/2016 12:16:05 PM

Event ID: 12019

Task Category: None

Level: Error

Keywords:

User: NETWORK SERVICE

Computer: Testprooo

Description:

Web Application Proxy could not create a listener for the following URL: http://xxxxxx.com/.

Cause: The filename, directory name, or volume label syntax is incorrect.

(0x8007007b).

Event Xml:

<Channel>Microsoft-Windows-WebApplicationProxy/Admin</Channel>

<Computer>Testprooo</Computer>

</System>

<Data Name="Url">http://google.com/</Data>

<Data Name="Cause">The filename, directory name, or volume label syntax is incorrect.

(0x8007007b)</Data>

</EventData>

</Event>

Microsoft Dynamics NAV 2015 Wildcard Certificate Problem

Posted on November 15, 2016November 17, 2016 By Luben Kirov

Windows

I had a problem the other day trying to get Dynamics NAV 2015 to work with a wildcard certificate.While the server started ok, clients couldn’t connect and the error message at the end of this post appeared. The problem seem that you need to define the DnsIdentity on all clients, seems like the client application can’t recognize wildcard dns names automatically and you need to define it yourself. The down side of this is that all clients need to make this modification, while using normal certificates connect clients automatically. So if you do decide to go down this route be aware of this. The fixes are defined below.

To fix it on the client side:

modify the “C:\Users\username\AppData\Roaming\Microsoft\Microsoft Dynamics NAV\80\ClientUserSettings.config” to include the proper certificate name for DnsIdentity :

1	<add key="DnsIdentity" value="example.com"/>

To fix it on the Nav Server Web Instance:

you can modify the web.config of your Nav web instance for example “C:\inetpub\wwwroot\Mynav” to include the proper certificate name for DnsIdentity :

1	<add key="DnsIdentity" value="example.com"/>

You can also run the powershell command from Navs powershell:

1	New-NAVWebServerInstance -WebServerInstance Mynav -Server "test.example.com" -ServerInstance DynamicsNAV80_Instance

The error on the Nav Web Instance or Client:

"Error accessing Website Microsoft Dynamics NAV 2015 Web Client

Message: The client could not establish a connection to the Microsoft Dynamics NAV Server.

Reason = "Configuration setting 'DnsIdentity' has an invalid value"

Description = "Identity check failed for outgoing message. The expected DNS identity of the remote endpoint was 'test.example.com' but the remote endpoint

provided DNS claim 'example.com'. If this is a legitimate remote endpoint, you can fix the problem by explicitly specifying DNS identity 'example.com'

as the Identity property of EndpointAddress when creating channel proxy. ""

How To Install Oracle Instant Client v12 For Xampp v7, v5.5 & v5.6 (Windows)

Posted on November 12, 2016November 15, 2016 By Luben Kirov

Windows

Below you will find the instructions on how to configure/install and enable the Oracle Instant Client for XAMPP v7, v5.5 and v5.6.

Download and install XAMPP from https://www.apachefriends.org/download.html
Modify the php.ini in “C:\xampp\php”
- Uncomment the following line “;extension=php_oci8_12c.dll ; Use with Oracle Database 12c Instant Client”
- Restart Apache
Download the 32 bit (PHP is 32 bit so no need to 64) Oracle Instant Client from http://www.oracle.com/technetwork/topics/winsoft-085727.html
- You need both Instant Client Package – Basic and Instant Client Package – SDK
- Unzip both in “C:\php-sdk\oracle\x86\instantclient_12_1″ and “c:\php-sdk\oracle\x86\instantclient_12_1\sdk” respectivly
Add the directory “C:\php-sdk\oracle\x86\instantclient_12_1″ to the windows path veritable
- Under system Properties click Environment Variables
- Edit the Path variable
- You need to reboot windows
(Optional)If you want to specify the oracle connections in the tnsnames.ora file:
- Create a file called “tnsnames.ora” in “C:\php-sdk\oracle\x86\instantclient_12_1″
- Add your oracle connections to the file as described here: https://docs.oracle.com/cd/B28359_01/network.111/b28317/tnsnames.htm#NETRF007
- Create a new environmental variable called “TNS_ADMIN” with the value of “C:\php-sdk\oracle\x86\instantclient_12_1″
- Reboot Windows

Thats it 🙂

ADFS 3.0 Cancel Button Redirection and Password Change Link

Posted on October 19, 2016 By Luben Kirov

Windows

ADFS 3.0 Cancel Button Redirection

I got asked the other day if i can get the ADFS cancel button on the Update Password page (Expired Password) to redirect back to the original page. After some searching i found a lot of people asking for this feature but no solutions. So below is my own coded solution to solve this problem all you need to do is add it to the end of onload.js, instruction are below the code.

The code will work with:

All java enabled browsers
Will work with any domain
Will work with expired password redirection
Will work with all endpoints
- /adfs/ls/idpinitiatedsignon.aspx
- /adfs/oauth2/authorize
- /adfs/ls/

var RedirectToPage = function () {

var CurrentUrl = window.location.href;

var UrlParts = CurrentUrl.split("origin=");

var PathParts = UrlParts[1].split("&username=");

var RedirectUrl = UrlParts[0].replace("/adfs/portal/updatepassword", decodeURIComponent(PathParts[0]));

RedirectUrl = RedirectUrl.replace(/&$/, '');

location.href = RedirectUrl;

return false;

}

document.getElementById("cancelButton").onclick = RedirectToPage;

Use the following steps when customizing the onload.js for the AD FS service (Note these steps are taken from: https://technet.microsoft.com/en-us/library/dn636121.aspx).

Customizing onload.js for the AD FS Service

To add your custom logic to onload.js, you need to first create a custom web theme. The theme that is shipped out-of-the-box is called Default. You can export the default theme and use it so that you can start quickly. The following cmdlet creates a custom web theme, which duplicates the default web theme:

                                      
                                                1
                                              
                                                New-AdfsWebTheme –Name custom –SourceName default

You can then export the custom or default web theme to get onload.js file. To export a web theme, use the following cmdlet:

                                      
                                                1
                                              
                                                Export-AdfsWebTheme –Name default –DirectoryPath c:\theme

You will find onload.js under the script folder in the directory that you specify in the export cmdlet above and add your custom logic to the script (see use cases in the Example section below).

Make the necessary modification to customize onload.js based on your need.

Update the theme with the modified onload.js. Use the following cmdlet to apply the update onload.js to custom web theme:

                                      
                                                1
                                              
                                                Set-AdfsWebTheme -TargetName custom -AdditionalFileResource @{Uri=’/adfs/portal/script/onload.js’;path="c:\theme\script\onload.js"}

To apply the custom web theme to AD FS, use the following cmdlet:

                                      
                                                1
                                              
                                                Set-AdfsWebConfig -ActiveThemeName custom

Password Change Link

So with the above implementation (which works great for expired passwords) we also needed to modify our password change link for any users wanting to change there password via ADFS before it has expired as show in the below screen shot:

The below code will give you exactly that ability, implementation instruction are located below. You only need to modify the text in the <p> </p> tags to whatever suits your needs. Please leave the link section “<a onclick=”RedirecToPSChange()” href=”#”>” as is or the script will not work.

<p>To change your password please click <a onclick="RedirecToPSChange()" href="#">here</A></p><p>For a

forgotten password or other problems please contact the service

desk: t: +XXXXXXXXXX e: service.desk@gi-architects.com </p>

var RedirecToPSChange = function () {

var TheCurrentUrl = window.location.href;

var TheUrlParts = TheCurrentUrl.split("/adfs/");

if (/[?]/.test(TheUrlParts[1])){

var TheExtraUrlParts = TheUrlParts[1].split("?");

var TheOrigin =encodeURIComponent("/adfs/" + TheExtraUrlParts[0]);

var TheUsername =encodeURIComponent(document.getElementById("userNameInput").value);

var TheLink = TheUrlParts[0] + "/adfs/portal/updatepassword?"+TheExtraUrlParts[1]+"&origin=" + TheOrigin + "&username=" + TheUsername;

window.location.assign(TheLink);

} else {

var TheOrigin =encodeURIComponent("/adfs/" + TheUrlParts[1]);

var TheUsername =encodeURIComponent(document.getElementById("userNameInput").value);

var TheLink = TheUrlParts[0] + "/adfs/portal/updatepassword?origin=" + TheOrigin + "&username=" + TheUsername;

window.location.assign(TheLink);

}

</script>

The above code can be loaded easily by running the Set-ADFSGlobalWebContent and passing the whole code. Tip you single quotes as shown below:

ADFS 3.0 default login domain

Posted on October 18, 2016 By Luben Kirov

Windows

The below script is a modification of the Microsoft script found here: https://technet.microsoft.com/en-us/library/dn636121(v=ws.11).aspx. I have added some extra feature missing from the original as well as the ability for default login domain to work in the change password dialog as well. The script below will give you the following benefits:

The ability to set a default domain for ADFS both on the login page and in the change password page.
Other users can still specify a domain or a UPN in which case the script will not append the domain to the front
Works on any Java enabled browser

You only need to change the “MYDOMAIN” in the two places below and that’s it the script is ready. Then just add it to the end of onload.js, you can use the instructional on https://technet.microsoft.com/en-us/library/dn636121(v=ws.11).aspx for instructions on how to load it.

if (typeof Login != 'undefined'){

var u = new InputUtil();

var e = new LoginErrors();

var userName = document.getElementById(Login.userNameInput);

var password = document.getElementById(Login.passwordInput);

if (userName.value && !userName.value.match('[@\\\\]'))

{

var userNameValue = 'MYDOMAIN\\' + userName.value;

document.forms['loginForm'].UserName.value = userNameValue;

}

if (!userName.value) {

u.setError(userName, e.userNameFormatError);

return false;

}

if (!password.value)

{

u.setError(password, e.passwordEmpty);

return false;

}

if (password.value.length > maxPasswordLength) {

u.setError(password, e.passwordTooLong);

return false;

}

document.forms['loginForm'].submit();

return false;

};

}

if (typeof UpdatePassword != 'undefined'){

UpdatePassword.submitPasswordChange = function () {

var u = new InputUtil();

var e = new UpdErrors();

var userName = document.getElementById(UpdatePassword.userNameInput);

var oldPassword = document.getElementById(UpdatePassword.oldPasswordInput);

var newPassword = document.getElementById(UpdatePassword.newPasswordInput);

var confirmNewPassword = document.getElementById(UpdatePassword.confirmNewPasswordInput);

if (!userName.value || !userName.value.match('[@\\\\]')) {

var userNameValue = 'MYDOMAIN\\' + userName.value;

document.forms['updatePasswordForm'].UserName.value = userNameValue;

}

if (!oldPassword.value) {

u.setError(oldPassword, e.oldPasswordEmpty);

return false;

}

if (oldPassword.value.length > maxPasswordLength) {

u.setError(oldPassword, e.oldPasswordTooLong);

return false;

}

if (!newPassword.value) {

u.setError(newPassword, e.newPasswordEmpty);

return false;

}

if (newPassword.value.length > maxPasswordLength) {

u.setError(newPassword, e.newPasswordTooLong);

return false;

}

if (!confirmNewPassword.value) {

u.setError(confirmNewPassword, e.confirmNewPasswordEmpty);

return false;

}

if (newPassword.value !== confirmNewPassword.value) {

u.setError(confirmNewPassword, e.mismatchError);

return false;

}

var error = document.getElementById('error');

error.innerHTML = '';

return true;

};

}

Programmatically authenticate against Apache CXF Fediz with ADFS Token

Posted on October 16, 2016October 16, 2016 By Luben Kirov

Powershell, Windows

A couple of weeks ago we had to interface with an application running on Tomcat using Apache CXF Fediz as it’s authentication mechanism. We had successfully tied the application to work with our ADFS 3.0 server using SAML 1 tokens. While this worked wonderfully for users using web browsers we had problems getting it to work programmatically with Powershell. This was needed for some API calls and we had to authenticate with ADFS first.

So below you will find the script we used along with it’s description, I have actually posted two scripts one where you obtain an initial cookie from the application as this was a requirements and a second one where an initial coockie is not neeed. If you get the message “HTTP Status 408 – The time allowed for the login process has been exceeded. If you wish to continue you must either click back twice and re-click the link you requested or close and re-open your browser” then you need to use the cookie method.

So how does the script work:

First it obtains the needed cookie from the Apache application and stores it in a web session
Then it creates the envelope for the soap call to the ADFS server, we are requesting an “urn:oasis:names:tc:SAML:1.0:assertion” but you can request an “urn:oasis:names:tc:SAML:2.0:assertion” if need be.
It then makes a post request to the ADFS server with the envelope in the body

Once it receive the reply we need to clean it as we only require the body section example of the result:

1	<t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust”>..............<t:RequestSecurityTokenResponse>

The script then loads the result into a hashtable
It then makes a post request with the hashtable in the body to the Apache application using the Websession we initially established
Once that is complete we can use the web session to make any api calls we like eg(getting a status)

For application requiring an initial cookie:

$GetAvar = Invoke-WebRequest -Uri "https://apache.application.com" -Method GET -SessionVariable myWebSession

$federationServer = "adfs.gi-architects.co.uk"

$appliesTo = "https://apache.application.com"

$endpoint = "https://" + $federationServer + "/adfs/services/trust/2005/usernamemixed"

$username = "useraccount"

$password = "userpassword"

$rst= [String]::Format(

'<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><s:Header><a:Action s:mustUnderstand="1">http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue</a:Action><a:ReplyTo><a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address></a:ReplyTo><a:To s:mustUnderstand="1">{0}</a:To><o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><o:UsernameToken><o:Username>{1}</o:Username><o:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">{2}</o:Password></o:UsernameToken></o:Security></s:Header><s:Body><t:RequestSecurityToken xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust"><wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"><a:EndpointReference><a:Address>{3}</a:Address></a:EndpointReference></wsp:AppliesTo><t:KeySize>0</t:KeySize><t:KeyType>http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey</t:KeyType><t:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</t:RequestType><t:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</t:TokenType></t:RequestSecurityToken></s:Body></s:Envelope>', `

$endpoint,

$username,

$password,

$appliesTo)

$webresp = Invoke-WebRequest $endpoint -Method Post -Body $rst -ContentType "application/soap+xml"

$tokenXml = [xml]$webresp.Content

$wresult = $tokenXml.Envelope.Body.InnerXml

$wa = "wsignin1.0"

$postParams = @{wa=$wa;wresult=$wresult}

$temp = Invoke-WebRequest -Uri "https://apache.application.com" -Method POST -ContentType "application/x-www-form-urlencoded" -Body $postParams -WebSession $myWebSession

Invoke-WebRequest -Uri "https://apache.application.com/web/session.xql?action=status" -Method Get -WebSession $myWebSession

For application not requiring to obtain an initial cookie:

$federationServer = "adfs.gi-architects.co.uk"

$appliesTo = "https://apache.application.com"

$endpoint = "https://" + $federationServer + "/adfs/services/trust/2005/usernamemixed"

$username = "useraccount"

$password = "userpassword"

$rst= [String]::Format(

$endpoint,

$username,

$password,

$appliesTo)

$webresp = Invoke-WebRequest $endpoint -Method Post -Body $rst -ContentType "application/soap+xml"

$tokenXml = [xml]$webresp.Content

$wresult = $tokenXml.Envelope.Body.InnerXml

$wa = "wsignin1.0"

$postParams = @{wa=$wa;wresult=$wresult}

$temp = Invoke-WebRequest -Uri "https://apache.application.com" -Method POST -ContentType "application/x-www-form-urlencoded" -Body $postParams -SessionVariable myWebSession

Invoke-WebRequest -Uri "https://apache.application.com/web/session.xql?action=status" -Method Get -WebSession $myWebSession