ADMX Backed – The Office Case

This case comes from one of my customers: they followed the Chrome example available at code.vmware.com, but it didn’t seem to work correctly for the Office ADMX available from Microsoft, as the profile said “Install Failed”.

Step 1 – Reproduce

Created a custom XML in the console in this format:

<Add>
 <CmdID>2</CmdID>
 <Item>
  <Target>
   <LocURI>./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/OfficeADMX/Policy/Office16</LocURI>
  </Target>
  <Data>{ADMX DATA HERE converted from <value> to &lt;value&gt; }</Data>
 </Item>
</Add>
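The escaping step is the part that is easy to get wrong by hand, so here is an added example (not code from the original post) that XML-escapes an ADMX file and wraps it in the SyncML shown above. The ADMX file path, output path and LocURI are placeholders that you would adapt to your environment.

```powershell
# Added example, not part of the original post: build the <Data> payload for an
# ADMX-backed policy install by XML-escaping an ADMX file so its markup can sit
# inside the SyncML <Data> element without breaking the outer document.
# Assumptions: $admxPath and the output path are placeholders; the LocURI is the
# one used in the post above.
$admxPath = 'C:\Temp\office16.admx'   # placeholder path, adjust to your file
$admx = Get-Content -Path $admxPath -Raw

# Escape <, >, &, " and ' (this turns <value> into &lt;value&gt;, & into &amp;, etc.).
$escaped = [System.Security.SecurityElement]::Escape($admx)

# Sanity check before pasting anything into the console: no raw angle brackets may remain.
if ($escaped -match '[<>]') { throw 'ADMX content was not fully escaped' }

$syncml = @"
<Add>
 <CmdID>2</CmdID>
 <Item>
  <Target>
   <LocURI>./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/OfficeADMX/Policy/Office16</LocURI>
  </Target>
  <Data>$escaped</Data>
 </Item>
</Add>
"@

# Write the result so it can be pasted into the console's custom settings profile.
Set-Content -Path 'C:\Temp\office16-admx-install.xml' -Value $syncml -Encoding UTF8
```

Reading the ADMX with -Raw keeps it as one string, so line breaks inside the policy definitions survive the escaping; if the resulting profile still reports "Install Failed", the escaped payload itself is the first thing to compare against what the console actually sent.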


How to check the Immutable ID/Source Anchor

This article explains how to check which attribute is used as the source anchor for the synchronization between Active Directory and Azure Active Directory.

PowerShell

0 – Install necessary PowerShell Modules, if needed.

Install-Module MSOnline
Import-Module MSOnline

1 – Get User Immutable ID from Azure.

Connect-MSOLService
Get-MsolUser -UserPrincipalName user@domain.tld | select ImmutableID
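To actually tell which attribute is the source anchor, the ImmutableID from Azure has to be compared with the Base64 form of the on-premises candidates. The following is an added example (not code from the original post) that does that comparison for one user; the UPN is a placeholder, and it assumes the ActiveDirectory and MSOnline modules are installed and you are connected to the tenant.

```powershell
# Added example, not part of the original post: compare the ImmutableID reported by
# Azure AD with the Base64-encoded objectGUID and mS-DS-ConsistencyGuid of the
# on-premises user, to see which attribute is acting as the source anchor.
# Assumptions: $upn is a placeholder; ActiveDirectory and MSOnline modules are installed.
Import-Module ActiveDirectory
Import-Module MSOnline

$upn = 'user@domain.tld'   # placeholder UPN

# On-premises: fetch both candidate anchor attributes.
$adUser = Get-ADUser -Filter "UserPrincipalName -eq '$upn'" -Properties objectGUID, 'mS-DS-ConsistencyGuid'
$guidB64 = [Convert]::ToBase64String($adUser.objectGUID.ToByteArray())
$consistencyB64 = $null
if ($adUser.'mS-DS-ConsistencyGuid') {
    $consistencyB64 = [Convert]::ToBase64String([byte[]]$adUser.'mS-DS-ConsistencyGuid')
}

# Cloud: the ImmutableID stored on the Azure AD object.
Connect-MsolService
$immutableId = (Get-MsolUser -UserPrincipalName $upn).ImmutableID

# Decide which attribute matches. mS-DS-ConsistencyGuid is checked first because,
# when it is in use, it is normally seeded from objectGUID and both values coincide.
$anchor = if ($consistencyB64 -and $immutableId -eq $consistencyB64) {
    'mS-DS-ConsistencyGuid'
} elseif ($immutableId -eq $guidB64) {
    'objectGUID'
} else {
    'Unknown: no candidate matches, check for a hard-match problem'
}

[pscustomobject]@{
    UPN                     = $upn
    ImmutableID             = $immutableId
    ObjectGUID_Base64       = $guidB64
    ConsistencyGuid_Base64  = $consistencyB64
    SourceAnchor            = $anchor
}
```

A populated mS-DS-ConsistencyGuid that equals the ImmutableID is the strong signal; an empty mS-DS-ConsistencyGuid with a matching objectGUID means the older anchor is still in use, and no match at all is the case where a user will stop syncing correctly until the anchor is corrected.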


Active Directory – Password Reset on a PDC

I had an issue in my lab where the PDC emulator changed its password while IPv6 communication was not properly up and running, and so 2 different passwords were registered on my 2 DCs; this reminds us that IPv6 is the preferred network in Windows and has been since Vista.

Nothing new in this article, just some precision, as the documentation can be confusing sometimes and we tend to forget things.

The architecture is the following:

DC1 : Server 2012R2

DC2 : Server 2016 (All FSMO roles hosted) – The culprit

The first thing to check is DNS: point the network card of DC2 to the working DC, as the DC2 DNS server might not be working properly. In my case DC2 didn’t have IPv6 records while DC1 had them, and since the DNS zone is replicated via AD, we clearly see an issue here.


Encrypting File System

A lot of folks have the perception that EFS is complicated, as it may use PKI management (not mandatory) and messing around with the key can result in data loss, but in fact it’s rather simple; you just need to know a few concepts specific to EFS. Let’s dive into it.

While EFS has been used in enterprises for quite some time, it came back into the spotlight with Windows Information Protection (WIP) (more on WIP later).


ADFS Authentication with Office 365

  1. User goes to an Office 365 URL
  2. User is redirected to the Microsoft Federation Gateway (login.microsoftonline.com)
  3. User enters his UPN
  4. UPN is recognized by the MFG as a federated domain
  5. User is redirected to the ADFS server
  6. User uses his Kerberos TGT (Ticket Granting Ticket) to authenticate
  7. ADFS sends the TGT to the domain controller
  8. ADFS receives a Service Ticket telling who the user is
  9. ADFS uses the Service Ticket to query Active Directory for user attributes (UPN, First Name, Last Name, etc.)
  10. ADFS builds a SAML token with the user attributes
  11. ADFS server posts this SAML token via the user's browser to the MFG
  12. MFG verifies the SAML token signature to validate that it is the right ADFS server
  13. MFG creates its own SAML token (UPN is inside)
  14. The MFG SAML token is posted back to the Office 365 platform using the user's browser
  15. Office 365 looks for an account with the user's UPN