Channel: Azure Active Directory forum

Azure Ad Connect - protection against Brute Force Attack?


We have an Azure AD Connect server set up just as a test scenario currently. It's occurred to us that, as the relationship is one way and our passwords are being passed up to the web, what protection do we have against brute force attacks? Does the logon page itself have a logout? What if the user installed Lync 2013 and then used brute force to log in that way?

I'm guessing we probably need ADFS


Azure AD Connect & ADFS Farm


Hi,

What is the advantage of specifying a farm in the AD Connect wizard?

We're using a federated SSO with authentication happening at our on premise servers - this works fine. I'd like to implement password write-back later on.

I've done a DirSync upgrade to AD Connect; there was never any option of specifying ADFS settings. I'm now looking at setting up a staging mode AD Connect server. As there's no way to export settings from my active AD Connect server, I'm looking at a manual install for the staging server. On the install page I'm being asked for ADFS farm settings; should I add these?

Thanks


can I use AD on Azure to hold SQL Server logins (and more)


I am new to Azure and have been tasked with finding a way to do this: we have several applications which run on local computers unattended. They use a scheduler to start up. We would like them to retrieve SQL Server login credentials from AD on Azure. These credentials should also limit them to db-reader and db-writer. No updates or deletes.

I was specifically asked to create clusters on Azure/AD (but I'm not sure what that means and I could not ask at the time); assign the machine IDs to the clusters, then provision them with the rights from AD to SQL Server.

This was a design approach to keep the SQL Server connection strings off the local computers to preserve security. The local machines are not under our control.

Is this possible? Easy? Obvious? Any help is GREATLY appreciated.

RON

experiencing issues trying to install active directory domain controller forest


From Raj @RajSenap via Twitter

Hello, I am trying to install an Active Directory Domain Controller Forest using an Azure VM extension. Is there a way I can specify the local path for ModulesUrl? The examples I am seeing all seem to assume that the module is in GitHub or some source repository. If I need to specify the local path, should I specify it like "ModulesUrl": "\\TemplateModules\http://MyModule.ps1.zip ",

Thanks for the info, we're looking into it and we'll keep you updated. ^AL

Customer experiencing issues trying to install active directory domain controller forest.

VIA DM

Thanks,

@AzureSupport

 

I have a little problem with my access to the virtual server, which is installed on the cloud service Microsoft Azure.


Hey. I have a little problem with my access to the virtual server, which is installed on the cloud service Microsoft Azure.

With all the service providers and from all the different places we have access to our server (the path \\garant.cloudapp.net, IP 52.169.157.65). BUT there is one service provider (Rostelecom), a provider in Russia, and through that service provider there is no access to our server.

And it does not matter from which city or from which machine I try to get there via the provider Rostelecom: no access. I talked with the programmers of the provider and they checked all the possible options and confirmed that indeed there is no access.

The reason for such behaviour of the system is not clear, because there are no restrictions on their side. The IP of the Internet channel, the place from which we cannot get through, is static (78.37.63.248). Name of the hosting provider: ppp78-37-63-248.pppoe.komi.dslavangard.ru

Please, if there is such an opportunity, deal with this problem. Could you check whether this address is present in your black list?

If you have questions, ask; I will answer any. At the moment, due to lack of access to the workplace at the point served by the provider Rostelecom, a person cannot work normally. We need access to our virtual server.

Please write your answer to the address sysadmin@garantkomi.ru

Project Server 2013 Active Directory Resource Pool Synchronization doesn't work with Azure Active Directory


Hi,

today I wanted to set up Active Directory Resource Pool Synchronization in my cloud-only Project Server environment. But that fails.

Short explanation: one of the Project Server libraries (DLLs) builds a DirectorySearcher object that uses "CN=Partitions, ..." as search root. As I am using Azure Active Directory (Domain Services) I do not have access to that AD path.

Here are the detailed results of my investigation:

1. Adding a group for Active Directory Resource Pool Synchronization using PWA Settings is not possible. When trying to save the settings this error occurs: "The People Picker field contains unresolved or local entities, please correct this."

2. Adding a group using PowerShell works: Enable-SPProjectActiveDirectoryEnterpriseResourcePoolSync -Url "..." -GroupUids ([Guid[]]"...")

3. Invoking a sync job using Invoke-SPProjectActiveDirectoryEnterpriseResourcePoolSync -Url "..." generates the following errors in the SharePoint ULS log (shortened):

Failed to determine fqdn/netbios mapping of server *****.onmicrosoft.com.  exception: System.Runtime.InteropServices.COMException (0x8007200A):
The specified directory service attribute or value does not exist.
     at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
     at System.DirectoryServices.DirectoryEntry.Bind()
     at System.DirectoryServices.DirectoryEntry.get_AdsObject()
     at System.DirectoryServices.DirectorySearcher.FindAll(Boolean findMoreThanOne)
     at Microsoft.Office.Project.Server.BusinessLayer.ActiveDirectoryUtility.DomainResolver.ResolveServer(String server)

4. Then I disassembled the Microsoft.Office.Project.Server.dll to see what happens inside ResolveServer. Here is the PowerShell equivalent of the code:

$server = "*****.onmicrosoft.com"

# Read the configuration naming context from RootDSE (this bind succeeds)
$entry1 = New-Object System.DirectoryServices.DirectoryEntry -ArgumentList "LDAP://$server/RootDSE"
$singleValue = $entry1.configurationNamingContext

# Bind to the Partitions container under the configuration NC (the path the post says is not accessible)
$path = "LDAP://$server/CN=Partitions,$singleValue"
$entry2 = New-Object System.DirectoryServices.DirectoryEntry -ArgumentList $path

# Look up the crossRef object that maps the domain NC to its NetBIOS name
$directorySearcher = New-Object System.DirectoryServices.DirectorySearcher -ArgumentList $entry2
$directorySearcher.Filter = "(&(objectCategory=crossref)(netBiosName=*)(ncName=DC=*******,DC=onmicrosoft,DC=com))"
$directorySearcher.PropertiesToLoad.Add("ncName")
$directorySearcher.PropertiesToLoad.Add("netBiosName")

# This is the call that throws the COMException seen in the ULS log
$directorySearcher.FindAll()


5. Executing that script generates the same error I see in the ULS log. If I remove the part "CN=Partitions," from $path, the script works.

Is there some way to make the Active Directory Resource Pool Synchronization work with Azure Active Directory? Thanks

Philip


Azure AD Connect Auto Upgrade question.


Hello,

I have installed the newest version of Azure AD Connect that supports auto upgrade. I have also made sure auto upgrade is enabled. My question is: are there any logs showing whether it can successfully check for upgrades? I have asked the firewall people to allow the IPs and URLs it needs access to, but I want to validate that it is working.

Thanks!

Shawn

Can I add VM's from resource deployment to domain [Azure AD]?


Hi there

I'm trying to do a POC with Azure AD

We have opted to use the Azure resource deployment

I'm wondering if I'll be able to add the VMs created in ARD to the domain?

Or, like most features, is it just supported in classic deployment?

Thanks

Sathish


AD premium reporting - automation and SCOM integration


Hello,

Is it possible to link AD premium reports to SCOM 2012 so that we can schedule automated reports that are emailed out? I'm looking for reports on things like anomalous logins and leaked credentials being sent out.

Thanks

Azure SSO still asks user to give consent


From @NiFangNYC via twitter:

The customer has a Web App and has been trying to configure authentication and is using the Azure Active Directory.
"I integrated SSO to a WPF app registered in Azure AD as a native client app, but user is asked to give consent every time."

Thanks,

@AzureSupport

Authentication of console apps


We have a suite of console applications which are in different locations around the country. So each location, LOC1, LOC2, LOC3, has App1, App2, App3. The apps run as console apps and start up automatically when the machine is turned on. They are controlled by the task manager.

As these are C# apps, they make their DB connection with data from appSettings, so it is in plain text. It seems it might be safer if the apps acquired their connection string from AD.

We would like to limit the data connection to db reader and db writer; no updates or deletes. No structure modification. This is so that if the computers (which are not in our physical control) were compromised, the damage would be limited. And if the machine was removed from the environment it would be unable to log into AD (right?)

So we would be maintaining a service account in AD. Each set of machines would constitute a rack so the machines would get their account settings on a per rack basis.

Does this make any sense? 

Windows Store / Windows 10 password expiration notification for Office 365 / Azure AD local active directory synced?


One (possibly more) of my users is getting a prompt to reset / create a new password when using an Office 365 / Azure AD account to associate it with their domain account in Windows 10 or to access Windows Store for Business. The strange thing is that when using Outlook and authenticating to enable licensing or access email, the password works. Also, when logging into the domain there is no password expiration prompt. It appears that somehow, depending on the program / app, Azure AD is giving a password expiration notice, but not all the time, and the synchronized on-prem AD account isn't expired? This is the first time I have seen this and I'm not sure how to troubleshoot. Thanks.

Brian Hoyt

Azure Graph API C# Client - Unable to delete user's Manager object


Now I am able to set a user's manager value using user1.Manager = user2 as DirectoryObject; the user's manager can be updated but can't be cleared. I use user1.Manager = null, but the manager value does not change. When I change the user2 value, user1's manager updates. A new user2 still doesn't work. Another issue: even though I can see the user's manager has a value in the Azure classic portal, I still can't get the value when I reload it in C# backstage: IUser user = activeDirectoryClient.Users.GetByObjectId("*******").ExecuteAsync().Result; the user's manager is null.

User manager here:

Thanks for your any suggestions.

AAD Authentication Infinite Loop


I've created a Web App project in VS 2015 using the default template and hosted it in Azure. When I run that project it prompts me for authentication and, after hitting the sign in button, it goes into an infinite loop.

I've found this working a couple of times, but most of the time it doesn't work. I put tracing in: it keeps executing "OpenIDConnectAuthentication" again and again and also keeps adding new entries in the TokenCache database. Here is my code for ConfigureAuth.

        public void ConfigureAuth(IAppBuilder app)
        {
            app.SetDefaultSignInAsAuthenticationType(CookieAuthenticationDefaults.AuthenticationType);

            app.UseCookieAuthentication(new CookieAuthenticationOptions());

            app.UseOpenIdConnectAuthentication(
                new OpenIdConnectAuthenticationOptions
                {
                    ClientId = clientId,
                    Authority = authority,
                    PostLogoutRedirectUri = postLogoutRedirectUri,
                    Notifications = new OpenIdConnectAuthenticationNotifications()
                    {
                        //
                        // If there is a code in the OpenID Connect response, redeem it for an access token and refresh token, and store those away.
                        //
                        AuthorizationCodeReceived = (context) =>
                        {
                            Trace.TraceWarning("Authorization Code Received!");
                            var code = context.Code;
                            ClientCredential credential = new ClientCredential(clientId, appKey);
                            string signedInUserID = context.AuthenticationTicket.Identity.FindFirst(ClaimTypes.NameIdentifier).Value;
                            AuthenticationContext authContext = new AuthenticationContext(authority, new ADALTokenCache(signedInUserID));
                            AuthenticationResult result = authContext.AcquireTokenByAuthorizationCode(
                            code, new Uri(HttpContext.Current.Request.Url.GetLeftPart(UriPartial.Path)), credential, graphResourceId);

                            return Task.FromResult(0);
                        }
                    }
                }
                );

            // This makes any middleware defined above this line run before the Authorization rule is applied in web.config
            app.UseStageMarker(PipelineStage.Authenticate);
        }

and here is my AdalTokenCache Class:

    public class ADALTokenCache : TokenCache
    {
        private ApplicationDbContext db = new ApplicationDbContext();
        private string userId;
        private UserTokenCache Cache;

        public ADALTokenCache(string signedInUserId)
        {
            // associate the cache to the current user of the web app
            userId = signedInUserId;
            Trace.TraceWarning("Logged in User ID: " + userId);
            this.AfterAccess = AfterAccessNotification;
            this.BeforeAccess = BeforeAccessNotification;
            this.BeforeWrite = BeforeWriteNotification;
            // look up the entry in the database
            Trace.TraceWarning("Total Cached Records " + db.UserTokenCacheList.Count().ToString());
            Cache = db.UserTokenCacheList.FirstOrDefault(c => c.webUserUniqueId == userId);
            // place the entry in memory
            this.Deserialize((Cache == null) ? null : MachineKey.Unprotect(Cache.cacheBits,"ADALCache"));
        }

        // clean up the database
        public override void Clear()
        {
            base.Clear();
            var cacheEntry = db.UserTokenCacheList.FirstOrDefault(c => c.webUserUniqueId == userId);
            db.UserTokenCacheList.Remove(cacheEntry);
            db.SaveChanges();
        }

        // Notification raised before ADAL accesses the cache.
        // This is your chance to update the in-memory copy from the DB, if the in-memory version is stale
        void BeforeAccessNotification(TokenCacheNotificationArgs args)
        {
            if (Cache == null)
            {
                // first time access
                Cache = db.UserTokenCacheList.FirstOrDefault(c => c.webUserUniqueId == userId);
            }
            else
            {
                // retrieve last write from the DB
                var status = from e in db.UserTokenCacheList
                             where (e.webUserUniqueId == userId)
                select new
                {
                    LastWrite = e.LastWrite
                };

                // if the in-memory copy is older than the persistent copy
                if (status.First().LastWrite > Cache.LastWrite)
                {
                    // read from from storage, update in-memory copy
                    Cache = db.UserTokenCacheList.FirstOrDefault(c => c.webUserUniqueId == userId);
                }
            }
            if (Cache == null)
                Trace.TraceWarning("Cache is null");
            else
                Trace.TraceWarning("Cache is not null");


            this.Deserialize((Cache == null) ? null : MachineKey.Unprotect(Cache.cacheBits, "ADALCache"));
        }

        // Notification raised after ADAL accessed the cache.
        // If the HasStateChanged flag is set, ADAL changed the content of the cache
        void AfterAccessNotification(TokenCacheNotificationArgs args)
        {
            Trace.TraceWarning("After Access Notification!");
            try
            {
                // if state changed
                if (this.HasStateChanged)
                {
                    Trace.TraceWarning("1");
                    Cache = new UserTokenCache
                    {
                        webUserUniqueId = userId,
                        cacheBits = MachineKey.Protect(this.Serialize(), "ADALCache"),
                        LastWrite = DateTime.Now
                    };
                    Trace.TraceWarning("2");
                    // update the DB and the lastwrite
                    db.Entry(Cache).State = Cache.UserTokenCacheId == 0 ? EntityState.Added : EntityState.Modified;
                    Trace.TraceWarning("3");
                    Trace.TraceWarning("User Token Cache ID:" + Cache.UserTokenCacheId.ToString());
                    db.SaveChanges();
                    Trace.TraceWarning("4");
                    this.HasStateChanged = false;
                }
                else
                    Trace.TraceWarning("Cache State not changed");
            }
            catch (Exception ex)
            {
                Trace.TraceWarning("Error in After Access Notification:  " + ex.Message + "\n" + ex.StackTrace);

            }
        }

        void BeforeWriteNotification(TokenCacheNotificationArgs args)
        {
            // if you want to ensure that no concurrent write take place, use this notification to place a lock on the entry
        }

        public override void DeleteItem(TokenCacheItem item)
        {
            base.DeleteItem(item);
        }
    }

How can I troubleshoot to find out what is making authentication go into an infinite loop?

Thanks,

Himal


Himal Patel

Odd AD Connect behaviour - SyncCycle failed to start


Hi,

I upgraded DirSync to AD Connect recently and ran a sync job; everything was working fine. I used Set-ADSyncScheduler to set the sync schedule to every 2 hours. This was working fine until around 14 hours later, when the sync cycle hadn't executed.

Oddly enough, when I ran Get-ADSyncScheduler, the NextCycleStartTimeinUTC showed around 4 hours in the past. Using "Start-ADSyncSyncCycle -PolicyType Delta" replied with an error about "A sync cycle has already been requested". Looking at the event logs showed this message repeatedly:

Scheduler::SchedulerThreadMain : Maintenance or Sync cycle not being run because mutex acquisition failed. Will retry in 10 seconds.

On a separate server, I've installed AD Connect in staging mode, which shouldn't have any impact on the active AD Connect server.

Restarting the synchronisation service worked and the servers ran OK, but I'm concerned this might crop up again. Has anyone seen this before?
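An added health check for the symptoms described in this post (a NextSyncCycleStartTimeInUTC already in the past while no cycle is running, plus the "mutex acquisition failed" scheduler entries); this is example code, not from the post or from Microsoft. It assumes it runs on the AD Connect server with the ADSync module available, and that the sync service writes to the Application log under the 'Directory Synchronization' provider (an assumed source name); the mutex message text is taken from the post.

```powershell
# Added example (not from the post): report whether the AD Connect scheduler is
# stale and how often the mutex failure from the post has been logged recently.
function Test-ADSyncSchedulerHealth {
    param(
        [int]$LookbackMinutes = 120,   # how far back to scan the event log
        [int]$StaleMinutes    = 30     # grace period after the scheduled start time
    )
    $sched  = Get-ADSyncScheduler
    $nowUtc = [DateTime]::UtcNow
    $lagMin = ($nowUtc - $sched.NextSyncCycleStartTimeInUTC).TotalMinutes

    # A next-start time well in the past while no cycle is in progress means the
    # scheduler thread is not firing (the post saw roughly 4 hours of lag).
    $stale = $sched.SyncCycleEnabled -and -not $sched.SyncCycleInProgress -and ($lagMin -gt $StaleMinutes)

    # Assumption: provider name 'Directory Synchronization' in the Application log.
    $events = @(Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'Directory Synchronization'
        StartTime    = (Get-Date).AddMinutes(-$LookbackMinutes)
    } -ErrorAction SilentlyContinue)
    $mutex = @($events | Where-Object { $_.Message -like '*mutex acquisition failed*' })
    # Get-WinEvent returns newest first, so element 0 is the most recent failure.
    $lastMutex = if ($mutex.Count -gt 0) { $mutex[0].TimeCreated } else { $null }

    [pscustomobject]@{
        SyncCycleEnabled    = $sched.SyncCycleEnabled
        StagingMode         = $sched.StagingModeEnabled
        SyncCycleInProgress = $sched.SyncCycleInProgress
        NextStartUtc        = $sched.NextSyncCycleStartTimeInUTC
        LagMinutes          = [math]::Round($lagMin, 1)
        SchedulerStale      = $stale
        MutexFailures       = $mutex.Count
        LastMutexFailure    = $lastMutex
        Healthy             = (-not $stale) -and ($mutex.Count -eq 0)
    }
}

# Usage: run on the AD Connect server, e.g. from a scheduled task that alerts on Healthy = $false.
Test-ADSyncSchedulerHealth | Format-List
```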


AADConnect Synchronization Service


hi

My AADConnect installation worked for some days after the first installation.

After that, for an unknown reason, the Synchronization Service did not start.

I tried all the fix guides without success, so in the end we uninstalled AADConnect.

But when I try to install it again I get an error on Synchronization Service installation.

"Unable to install the Synchronization Service"

AzureActiveDirectorySyncEngine Error: 906 : Error uninstalling msi package 'Synchronization Service.msi'. Please look at log 'C:\Users\Administrator\AppData\Local\AADConnect\Synchronization Service_Uninstall-20160323-231829.log' for more details
AzureActiveDirectorySyncEngine Information: 904 : Starting: Removing the Sync Service account from the local Administrators group...
AzureActiveDirectorySyncEngine Verbose: 903 : The 'WinNT://xxxxxxxx-DC/AAD_e34e789769f7' has been removed from the 'WinNT://xxxxxxxx-DC/Administrators,group' successfully.
AzureActiveDirectorySyncEngine Information: 904 : Finished: Removing the Sync Service account from the local Administrators group. Duration: 0.015 sec.
AzureActiveDirectorySyncEngine Information: 904 : Starting: Removing the SeInteractiveLogonRight from the AAD_e34e789769f7...
AzureActiveDirectorySyncEngine Information: 904 : Finished: Removing the SeInteractiveLogonRight from the AAD_e34e789769f7. Duration: 0.011 sec.
AzureActiveDirectorySyncEngine Information: 904 : Starting: Removing the SeImpersonatePrivilege from the AAD_e34e789769f7...
AzureActiveDirectorySyncEngine Information: 904 : Finished: Removing the SeImpersonatePrivilege from the AAD_e34e789769f7. Duration: 0 sec.
AzureActiveDirectorySyncEngine Error: 906 : Exception: Execution failed with errorCode: 1605.

I didn't find any solutions; could you help me?

thanks

Matteo

The given key was not present in the dictionary. Please check the service.


I am trying to provision our custom app with Azure AD. The URL gets hit but we get the error "The given key was not present in the dictionary. Please check the service."

The below is what I am able to see. After we return the response we get the "The given key...." error; should I be sending something else in the response?

Also I noticed the number after /Users/ keeps changing on every request. Is this how it should be?

Request

GET /pmlapi/scim/Users/442a0182-4684-42de-a95c-cf77d3b7fa9e

Headers
Adscimversion    e2874dc6-7be8-4310-851b-4901ab3147a0
Authorization    Bearer R294W35GCXKU

Response
{
    "totalResults": 0,
    "itemsPerPage": 10,
    "startIndex": 1,
    "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:User"
    ],
    "resources": []
}
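As an added example (not from the post or the app it describes), the two body shapes a SCIM 2.0 service has to keep apart, which is what a provisioning client checks when it parses the reply: per RFC 7644 section 3.4.1, GET /Users/{id} returns that one User resource (or a 404 with a SCIM Error body), while the ListResponse envelope with totalResults and Resources is only for queries on the collection (GET /Users?filter=...). The user store, the user IDs other than the one in the post, and the email addresses are constructed; the /pmlapi/scim/Users prefix is taken from the post's request.

```powershell
# Added example, not code from the post. $script:Users is a constructed in-memory
# store standing in for the app's user table; the first key is the id from the post.
$script:Users = @{
    '442a0182-4684-42de-a95c-cf77d3b7fa9e' = @{ userName = 'alice@example.com'; active = $true }
    '7c1d0f3e-0000-4000-8000-000000000002' = @{ userName = 'bob@example.com';   active = $false }
}
$script:BasePath = '/pmlapi/scim/Users'

function ConvertTo-ScimUser {
    param([string]$Id, [hashtable]$Record)
    [ordered]@{
        schemas  = @('urn:ietf:params:scim:schemas:core:2.0:User')
        id       = $Id
        userName = $Record.userName
        active   = $Record.active
        meta     = [ordered]@{ resourceType = 'User'; location = "$script:BasePath/$Id" }
    }
}

# GET /Users/{id}: exactly one resource, never a list envelope; 404 + SCIM Error if absent.
function Get-ScimUser {
    param([Parameter(Mandatory)][string]$Id)
    $rec = $script:Users[$Id]
    if ($null -eq $rec) {
        return @{ Status = 404; Body = [ordered]@{
            schemas = @('urn:ietf:params:scim:api:messages:2.0:Error')
            status  = '404'
            detail  = "Resource $Id not found" } }
    }
    @{ Status = 200; Body = (ConvertTo-ScimUser -Id $Id -Record $rec) }
}

# GET /Users?filter=userName eq "x": ListResponse envelope. The key is "Resources"
# (capital R) and the schema is the ListResponse message schema, not the User schema.
# Only the 'userName eq "value"' filter form is handled in this example.
function Get-ScimUserList {
    param([string]$Filter)
    $wanted = $null
    if ($Filter) {
        if ($Filter -notmatch '^userName eq "([^"]+)"$') {
            return @{ Status = 400; Body = [ordered]@{
                schemas  = @('urn:ietf:params:scim:api:messages:2.0:Error')
                status   = '400'
                scimType = 'invalidFilter'
                detail   = "Unsupported filter: $Filter" } }
        }
        $wanted = $Matches[1]
    }
    $hits = @($script:Users.GetEnumerator() |
        Where-Object { ($null -eq $wanted) -or ($_.Value.userName -eq $wanted) } |
        ForEach-Object { ConvertTo-ScimUser -Id $_.Key -Record $_.Value })
    @{ Status = 200; Body = [ordered]@{
        schemas      = @('urn:ietf:params:scim:api:messages:2.0:ListResponse')
        totalResults = $hits.Count
        startIndex   = 1
        itemsPerPage = $hits.Count
        Resources    = $hits } }
}

# Usage: the single-resource request from the post, then a filter query on the collection.
(Get-ScimUser -Id '442a0182-4684-42de-a95c-cf77d3b7fa9e').Body | ConvertTo-Json -Depth 5
(Get-ScimUserList -Filter 'userName eq "bob@example.com"').Body | ConvertTo-Json -Depth 5
```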

Custom domain is “not planned” for Single Sign-On in Azure Active Directory


Hi everyone, hope you all are doing well. Thanks in advance.
We have single sign-on working for a Google application in Azure, using Azure Active Directory and the on-premise server running DirSync to synchronise the user details. I forgot the option that said "I plan to configure this domain for single sign-on with my local Active Directory". Now I want to enable this domain to be used with single sign-on.
So, my question is: is there a way to re-tick this box and change the status of this field away from 'Not Planned', and (hopefully) allow my users to sign on to my on-premises computers/laptops using their username@domain.com?

Sso for azure active directory with on premises and google apps sso


Hi, we are using Google email. We recently added Microsoft SSO on Azure to authenticate Google emails; we added the Google Apps application from the Microsoft library, so now we have an Azure Active Directory that basically came from the Google users. Now we also want to enable SSO with my on-premises domain: we want users to be able to log in with SSO and also use email and many other Microsoft services without signing in again and again on each application, like email in the browser and the email application. So kindly suggest: is this possible? If yes, kindly route me in the correct direction. Will ADFS work for it, or something else? Thanks in advance.

Limitation for device join AAD


Hello,

Is there a limitation on how many devices one user can register in AAD?

For example: I am an IT admin managing all corporate laptops. I use a generic IT_Admin account to join all devices to Azure AD. All devices will show under the IT_Admin user account in the AAD portal. Is there a limit on how many devices this account can have? Can I use one generic IT_Admin account to join 1000 / 5000 corporate laptops to AAD?

Thanks
