Pictures of NT Konferenca 2019


Two weeks ago, I travelled to Portorož in Slovenia to deliver two 60-minute sessions at NT Konferenca.

I started early at one of my regular customers at 06:45 on Monday morning. After eight hours of work, I decided to drive to Schiphol airport. As I already saw notices of delays, I decided to take it easy and check in to KLM’s Crown Lounge for dinner.

With 90 minutes delay, we arrived at Paris Charles de Gaulle airport, where I promptly missed my connecting flight to Ljubljana. No worries, because Air France had no trouble booking me into a flight to Venice instead. After arriving there and a 2-hour cab ride, I arrived at the Grand Hotel in Portorož at 01:30. With nothing to see, I decided to go to bed.

The next morning I decided to go for a walk around the premises. Although the sun wasn’t out, Portorož showed its beautiful potential and history.

A lonely olive tree at Hotel Vile Park in Portorož
An overview of the St Bernardin Resort with Croatia on the horizon
The 15th-century St. Bernardin Church
Portorož (photo by the NTK organization)

After my walk, I checked out the entrance and decided to register.

Grand Hotel St Bernardin entrance (photo by the NTK organization)
NTK 19 speaker badge

At 11:30, it was time for me to present my first presentation. In room Adria 2, we discussed the way organizations may transition from on-premises identity to cloud-only identity and how some choices are not the brightest choices to make. That was fun.

Introduction Slide for 'Your Identity Roadmap to 2022'

After the presentation, I met up with the other speakers for lunch and for some coffee on the patio of the Grand Hotel.

Coffee Moment with the Community (click for larger photo)

At 16:30, I presented my second session on the eight common mistakes organizations make with Hybrid Identity, Active Directory Federation Services (AD FS) and Azure AD Connect. Good fun!

After the session, everyone gathered in front of the Grand Hotel to enjoy beer and network with other attendees, for NTK’s Beer 2 Beer event.

Taking it easy at the NTK Party with water. Vladimir approves. (Click for larger photo)

In the evening, we went for the ‘Hot and Heavy by St. Louis Band’ down the road in Portorož. We enjoyed food and drinks. I decided to take it easy, drink water and go to bed early.

At 03:00 my alarm went off to alert me of the cab ride that was scheduled for me at 03:30 to Ljubljana airport and back to the Netherlands…

Thank you!

Thank you to the NT Konferenca organization for organizing yet another successful event and inviting me as a speaker, to all my Balkan community friends and, of course, to all the people attending, sitting in on my sessions and, of course, the people with whom I had interesting discussions.


I’m speaking at Experts Live Netherlands 2019

Advertised as the biggest Microsoft IT Pro event in the Netherlands, Experts Live Netherlands will take place Tuesday June 6th, 2018 at Conference Center 1931 in Den Bosch. It’s a privilege to share the stage again with my buddy Raymond.

About Experts Live

Experts Live is an independent platform for IT Professionals on Microsoft solutions. A platform for and by the community. Almost every year, Experts Live organizes its knowledge event in the Netherlands. Started as an idea from a small group of Dutch Microsoft MVPs, Experts Live has become the largest Microsoft community event in the Netherlands, with over a thousand visitors.

Both national and international speakers update the visitors in one day on the latest Microsoft technologies. Subsequently, through the years, many famous and notorious speakers delivered sessions on the Experts Live events.

This year, for the first time Experts Live is hosted at Conference Center 1931 in Den Bosch, and scheduled for Thursday June 6th, 2019. The event offers over 40 break-out sessions, an opening panel discussion and drinks afterward.

About my session

I’ll deliver a 60-minute session in the Microsoft 365 track, together with Raymond Comvalius:

Going password-less on-premises, how hard can it be?

11:30AM – 12:30PM, Room Limousin 2, level 400

Password-less… Microsoft’s marketing machine makes a bold case for it. When you’re with your head in the clouds. What’s the real story for hybrid scenarios? What’s the deal for pure on-premises environments?

Find out in this session how far you can take your password-less journey!
Microsoft has spun up its latest Identity-related marketing vehicle: password-less. With Azure AD, we’re seeing high adoption of features like Windows Hello for Business, Single Sign-On and even some FIDO2 adoption.

However, when Hybrid Azure AD Join rears its ugly head, things get a bit more complicated… and don’t even get us started on going password-less on-premises!
Let’s get a closer look at Windows Hello for Business, authentication assurance, trust types and all the on-premises requirements to fulfil to get to this promise of a world with lesser passwords.

Join us!

Experts Live Netherlands hasn’t sold out yet, but there’s only a handful of tickets left. Snag yours before it’s too late and join us!


Experiences with Being Published, Part 2: Tools, Tools, Tools

This entry is part 2 of 3 in the series Experiences with Being Published


As a published technical writer, I’ve had my share of experiences working with a publisher and its editors for a period of seven months. For my own sanity, I’ll post some of my experiences in this series of blogposts on Experiences with Being Published. I feel these stories can be quite entertaining, and I might even get a smile on my face when I look back at these stories in a couple of years’ time…

Let’s talk about the tool I had to use and that you, when you work with a publisher, might need to use, too.

TypeCloud

My publisher uses a WordPress-based, web-based solution, called TypeCloud. My deadlines required me to provide my content in this tool. From the start, I worried about my productivity, but I was in for a bigger surprise.

At the start of the project, I thought I had ample time to meet my deadlines, as I was scheduled to spend roughly 35 hours on planes in a couple of weeks. However, an online platform means you can’t access it when you don’t have an Internet connection… Resolving comments: impossible.

As this tool is WordPress-based, it uses WordPress’ one-page lay-out with the classic editor. When writing chapters of 50 pages, this lay-out is extremely tiresome. Compared with Microsoft Word, where I would have five pages open side by side on a 38-inch widescreen monitor, it made no sense at all.

So, I decided to write my chapters offline in Microsoft Word and copy the contents over to TypeCloud, when done.

Not so fast…

The first thing I figured out was that TypeCloud doesn’t really like Edge, Internet Explorer, Chrome or Firefox. Google’s Chrome seemed the only browser that kinda worked… However, even when using Chrome, copying text over from Word to TypeCloud lost the lay-out, and heading levels 1 and 2 got converted to paragraphs. Several formatting options were only available in TypeCloud and needed to be adjusted manually. Screenshots needed to be uploaded manually and then linked to from TypeCloud. Also, I had better not mess with tables, because the browser would just freeze up.

For each chapter, on top of creating the content, I struggled with TypeCloud for another six hours to get the content into the tool my publisher uses.

If it worked at all…

If it worked, I could meet my deadlines with a lot of frustration. But of course… there were outages and periods of time where the tool didn’t work 100%. I couldn’t meet one of my deadlines, because TypeCloud was down one weekend. Another weekend, I had trouble uploading screenshots, leading to remarks from the editor complaining about the lack of screenshots…

We’re all struggling

The publisher’s aim is to have one system where every letter for every book is stored with absolute integrity. That’s why their employees have to work with it, too. Some of them have even created enhancements to get sufficiently productive to meet their deadlines.

As there was no mention of TypeCloud in the contract, prospective writers should ask about tooling to use, before signing. It could just prevent wrecking fourteen Sunday nights.

Picture by Kunkelstein, used under CC BY-NC 2.0 license. Adjusted in size.

Learn the intricacies of managing Azure AD, Azure AD Connect as well as Active Directory for Identity and Access Management (IAM) in the cloud and on Windows Server 2019.

Get up to date! Get your 620-page, 147-recipe copy of the Active Directory Administration Cookbook, today. Buy it from Packt directly, or through your favorite local reseller.


KnowledgeBase: Azure AD Connect upgrade is not reflected in the Office 365 Portal

Microsoft’s Azure AD Connect version 1.3.20 was quickly superseded by version 1.3.21.0 to fix an elevation of privilege vulnerability, but the new version appears to exhibit unexpected behavior for some organizations running it.

The situation

You have an Active Directory Domain Services (AD DS) environment, and you synchronize objects to an Azure AD tenant, leveraging Azure AD Connect, Microsoft’s free Hybrid Identity bridge product to synchronize objects and their attributes from on-premises Active Directory Domain Services (AD DS) environments and LDAP v3-compatible directories to Azure Active Directory. You have licensed Azure AD Premium and leverage Azure AD Connect Health to manage the Hybrid Identity implementation.

You have recently upgraded Azure AD Connect to version 1.3.21.0.

You determine the version of Azure AD Connect in the Office 365 Portal:

  1. You navigate a browser to the Office 365 Portal.
  2. You sign in with an account that has administrative privileges. You perform multi-factor authentication, when prompted.
  3. In the top left menu, you click on the waffle menu and select Admin from the menu.
  4. In the left navigation menu of the Microsoft 365 admin center, you click on Azure Active Directory in the Admin centers section.
    The Azure Active Directory admin center opens in a new tab or window.
  5. In the left navigation menu, click on Azure Active Directory.
  6. In Azure Active Directory’s secondary navigation menu, click Azure AD Connect.
  7. In Azure AD Connect’s main window follow the link to Azure AD Connect Health.
  8. In Azure AD Connect’s secondary navigation menu, click Sync services.
  9. In the main window, click the Azure AD tenant name to drill into its properties.
  10. In the tenant’s Azure AD Connect Health pane, click Azure Active Directory Connect Servers.
  11. In the Server List pane, click the name of the Windows Server on which you recently upgraded Azure AD Connect.
  12. In the server’s blade, click the Properties tile.

The issue

The Office 365 portal does not reflect the updated version, even though Azure AD Connect upgraded successfully.

The solution

This behavior is unexpected.

To resolve this, you need to import the ADSync module and then run the Set-ADSyncDirSyncConfiguration Windows PowerShell cmdlet on the Windows Server running Azure AD Connect.

Perform these steps to resolve the issue on each of the Azure AD Connect installations in use:

  1. Sign into the Windows Server running Azure AD Connect.
  2. Open an elevated Windows PowerShell window.
  3. Run the following line of Windows PowerShell:

    Import-Module ADSync

  4. Next, run the following line of Windows PowerShell:

    Set-ADSyncDirSyncConfiguration -AnchorAttribute ""

  5. Close the Windows PowerShell window.
  6. Sign out.

When one or more Staging Mode Azure AD Connect installations are present, perform the above steps on each Windows Server running Azure AD Connect in your environment.
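As an added example, not part of the original post: a PowerShell script that ties the steps above together on one Azure AD Connect server. It reads the installed version, refuses to run the cmdlet when the server has not actually been upgraded to 1.3.21.0, reports whether the server runs in Staging Mode, and then applies the fix. The registry lookup assumes Azure AD Connect registers itself in the standard Uninstall hive under a DisplayName starting with "Microsoft Azure AD Connect"; adjust the filter if your installation differs.

```powershell
# Added example (not from the original post). Run in an elevated Windows PowerShell
# window on each Windows Server running Azure AD Connect, Staging Mode servers included.
#Requires -RunAsAdministrator
param(
    # Version that the Office 365 / Azure AD portal should reflect after the fix.
    [string]$ExpectedVersion = '1.3.21.0'
)

Import-Module ADSync -ErrorAction Stop

# Assumption: the product is listed in the standard Uninstall hives (64-bit and 32-bit
# views) with a DisplayName starting with "Microsoft Azure AD Connect".
$uninstallPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$product = Get-ItemProperty -Path $uninstallPaths -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Microsoft Azure AD Connect*' } |
    Select-Object -First 1

if (-not $product) {
    throw 'Azure AD Connect does not appear to be installed on this server.'
}

$installed = [version]$product.DisplayVersion
Write-Host ("Installed Azure AD Connect version: {0}" -f $installed)

if ($installed -lt [version]$ExpectedVersion) {
    # The portal can only reflect a version that is actually installed; upgrade first.
    throw ("This server still runs {0}; upgrade to {1} before re-submitting the configuration." -f $installed, $ExpectedVersion)
}

# Staging Mode servers need the same treatment, so the script reports the mode
# instead of skipping such servers.
$scheduler = Get-ADSyncScheduler
Write-Host ("Staging mode enabled: {0}" -f $scheduler.StagingModeEnabled)

# The fix from the post: run the cmdlet with an empty anchor attribute.
Set-ADSyncDirSyncConfiguration -AnchorAttribute ""
Write-Host 'Set-ADSyncDirSyncConfiguration completed; re-check the server properties in the portal.'
```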

Concluding

While the above issue is a cosmetic issue for most organizations, it might be an important issue for organizations that monitor the health of their Azure AD Connect installations through the Office 365 and Azure AD portal. In the latter case, it’s nice to know how to fix it.

Further reading

Azure AD Connect 1.3.21.0 fixes an elevation of privilege vulnerability (CVE-2019-1000) 
Azure AD Connect 1.3.20.0 offers the next level of identity synchronization  
Azure AD Connect 1.2.70.0 updates the non-standard connectors 
Azure AD Connect 1.2.69.0 fixes an issue with Device Write-Back 
Azure AD Connect 1.2.68.0 fixes an issue with the MSOnline PowerShell Module 
Azure AD Connect 1.2.67.0 fixes an issue with Password Writeback
Azure AD Connect moves to TLS 1.2-only with version 1.2.65.0


Pictures of Techorama Belgium 2019


Last week, on Wednesday May 22, I delivered a 60-minute presentation at Techorama Belgium 2019.

After a day of travel and, luckily, lunch at home, I arrived at the Antwerpen Kinepolis at 3PM. As the presentation was scheduled for 4:30PM, I was right on track to begin creating the slide deck for one of my favorite topics in Identity.

Up in the Air
Kinepolis
2019 Speaker Gift, awesome! (photo by Christina Wheeler)

As I made my way to the speaker room, I ran into several people I know. I spoke to Vittorio Bertocci, Michael van Horenbeeck and Aleksandar Nikolic while getting the ready-made slides into the Techorama PowerPoint template.

Techorama Posters (photo by Aleksandar Nikolic)
In the Techorama Tunnel with Aleksandar (photo by Michael Van Hybrid)
Robots on Display in the Techorama Speaker Room

I started my session at 4:30PM and made the conscious decision, together with the audience, to stop 5 minutes prior to the end time, so people would have a chance to get a nice seat for the Closing Keynote with astronaut André Kuipers. As we had ample time to discuss going password-less on-premises, there was even time for a little Q&A during the session.

Windows Hello vs. Windows Hello for Business (photo by Mathijs Hofkens)

After the session, I headed straight home to enjoy a meal with my family. The upside of an event just across the Dutch border is that it’s only a 90-minute drive back home.

Thank you!

Thank you to the Techorama organization for organizing yet another successful event and inviting me as a speaker once again, and to all the people attending, sitting in on my session and, of course, the people with whom I had interesting discussions.


Azure AD Connect version 1.3.21.0 fixes an elevation of privilege vulnerability (CVE-2019-1000)

Hot on the heels of Azure AD Connect version 1.3.20.0, Microsoft released version 1.3.21.0 earlier this week to address an elevation of privilege vulnerability.

Azure AD Connect is Microsoft’s free Hybrid Identity bridge product to synchronize objects and their attributes from on-premises Active Directory Domain Services (AD DS) environments and LDAP v3-compatible directories to Azure Active Directory.

About the vulnerability

The vulnerability, known as CVE-2019-1000, could allow an attacker to execute two Windows PowerShell cmdlets in the context of a privileged account, and perform privileged actions.

To exploit this, an attacker would need to authenticate to the Azure AD Connect server. The two cmdlets can be executed remotely only if remote access is enabled on the Azure AD Connect server.

This security update addresses the issue by disabling these cmdlets.

About the fix

The vulnerability is fixed in version 1.3.21.0 of Azure AD Connect. This release of Azure AD Connect was signed off on May 14th, 2019 and made available for download on that same date.

Download

You can download version 1.3.21.0 of Azure AD Connect here.
The download weighs 90,1 MB.


Experiences with Being Published, Part 1: Accusations of Plagiarism

This entry is part 1 of 3 in the series Experiences with Being Published


As a published technical writer, I’ve had my share of experiences working with a publisher and its editors for a period of seven months. For my own sanity, I’ll post some of my experiences in this series of blogposts on Experiences with Being Published. I feel these stories can be quite entertaining, and I might even get a smile on my face when I look back at these stories in a couple of years’ time…

Today, let’s talk about plagiarism, because throughout the process of creating content for my book I was heavily accused of this…

The situation

Let me first point out, why my publisher decided to contact me to write the Active Directory Administration Cookbook. This blog, and my thirteen-year tenure, provided the publishing board with sufficient confidence that I could write a book on Active Directory and Azure AD.

Indeed, this blog contains a lot of information and HowTo’s on how to perform certain tasks in the worlds of Active Directory and Azure Active Directory…

The definition of plagiarism

Here’s the definition of plagiarism from dictionary.com:

noun

  1. an act or instance of using or closely imitating the language and thoughts of another author without authorization and the representation of that author’s work as one’s own, as by not crediting the original author: It is said that he plagiarized Thoreau’s plagiarism of a line written by Montaigne.
  2. a piece of writing or other work reflecting such unauthorized use or imitation: “These two manuscripts are clearly plagiarisms,” the editor said, tossing them angrily on the floor.

Imagine my surprise

I was happily writing chapters for my book and meeting my deadlines. In the meantime, my content editor would go through the content I produced and provide feedback.

One of the pieces of feedback I received for Chapter 1, literally, was:

I just ran the plagiarism tool to check the originality of the chapter. Around 20% content of the chapter has been found to be taken from your blog: https://dirteam.com/sander/

Please note that we cannot include any content in the book that’s freely available online even when it’s from the author’s own blog or website. There’s a number of problems here, the main issues being:

  • Original content: If our content appears elsewhere for free, many customers would be disinclined to spend money on our products.
  • Value: For those who do buy the book, they could feel that they’re not getting adequate value for money once they discover they could have already found this content elsewhere. This might drive them to leave poor reviews, and they might even interpret the unoriginal content as malicious plagiarism.

There are two solutions to this:

  1. Take down the blog post
  2. Rewrite the content from scratch

The easiest solution would be the former, though either is acceptable. Please refer to the attached plagiarism report for your reference.

This person actually wanted me to choose between two evils: take down the blogposts that are available for free here, while not even remotely resembling the type of content in the book, or adopt a different writing style and keep that up throughout the book so as to distinguish my previous writing from the writing in the book…

In the end…

Of course, I didn’t delete blog posts.

Editors will use ‘plagiarism’ tools to check content. According to the definition, what I did wasn’t plagiarism. I adopted an improved writing style that is more clear and concise than the one I used here. You may have noticed elements of the new style in recent blogposts, already. With a growth mindset, I embraced the feedback and tried to apply it in a constructive manner.

In the end, the entire Chapter 1 is available for you to read on the website of the publisher, if you use the Preview Online button on their website.

Picture by Twitter trends 2019, used under CC BY 2.0 license. Adjusted in size.



HOWTO: Install Azure Multi-Factor Authentication (MFA) Server 8.0.1.1


This blogpost details how to setup and configure Microsoft’s on-premises Azure Multi-factor Authentication (MFA) Server product in an existing environment.

It details how to install and configure the base components: the MFA Server, the Web Service SDK and the User Portal.

Before you begin

Before you begin, you should have access to the following information:

  • The DNS domain name of your organization’s Active Directory Domain Services (AD DS) environment
  • Credentials for an account that is a member of the Domain Admins group in Active Directory
  • Credentials for an account that has the Global administrator role assigned in Azure AD

Of course, it’s a good idea to make a back-up of your Domain Controllers and test one of the backups in a separate networking environment to make sure you’re able to restore.

Overview

The implementation performed here resembles the Stretched deployment, one of the supported Azure MFA Server deployment scenarios discussed earlier:

MFA Stretched Deployment Scenario

Requirements

For this scenario, two Windows Server installations are needed:

  1. MFA1 – This server becomes the Azure MFA Back-end Server (Master)
  2. WEB1 – This server becomes the Azure MFA Web Server

These servers will have to have .NET Framework 4 installed and be made members of an existing Active Directory environment. For the purpose of this blogpost, two Windows Server 2016-based installations will be deployed.

Microsoft disabled the ability to create MFA Providers in Azure AD as of September 1st, 2018. If you haven’t registered an MFA Provider before this date, all user accounts in scope for MFA Server need to be synchronized from Active Directory to Azure AD. The easiest way to do this is using Azure AD Connect with Express Settings. Afterward, Azure AD Premium (P1) licenses need to be assigned to them (or an overarching license that includes this license, like Azure AD Premium (P2) or Microsoft 365 E3).

As part of basic information security, traffic to the MFA User Portal and to the MFA Web Service SDK is encrypted. For this purpose, we will need valid TLS certificates. Install corresponding TLS certificates in the Personal stores of the Local Machine on both MFA1 and WEB1.

Download MultiFactorAuthenticationServerSetup.exe from the MFA Server download page and place it on the disk of server MFA1.

Step 1: Install and configure MFA Server on MFA1

The Central MFA Server component communicates with the cloud-based MFA Point of Presence (PoP) to perform authentications and with on-premises systems like RADIUS clients and Domain Controllers.

Perform the following steps to install and configure Microsoft’s on-premises Azure Multi-factor Authentication (MFA) Server product on Windows Server MFA1:

  1. Sign into Windows Server MFA1, using an account that is a member of the Domain Admins group and assigned local administrative privileges on the server.
  2. Open File Explorer.
  3. Navigate to the folder where you’ve placed the Azure MFA Server installation files:

    MFA Setup files in the Downloads folder

  4. Double-click MultiFactorAuthenticationServerSetup.exe.
  5. In the Open File – Security Warning pop-up window, click Run.

    Install the Visual C++ Runtime

  6. In the Multi-Factor Authentication Server pop-up window (depicted above), click Install to install the Visual C++ “14” Runtime Libraries.
  7. For Microsoft Visual C++ 2017 Redistributable (x86), select the I agree to the license terms and conditions option and click Install afterward. Click Close when setup is successful.
  8. Repeat the above step for the x64 package.
    The Multi-factor Authentication Server screen will appear.
    (This may take a while…)
  9. On the License Agreement page, select the I Agree option.
  10. Click Next >.

    Select Installation Folder for Azure MFA Server

  11. On the Select Installation Folder page (see above), click Next >.
  12. On the Installation Complete page, click Finish.

    Activate MFA Server

    The Multi-Factor Authentication Server management user interface appears, as depicted above.

  13. The first thing to configure is the activation of the MFA Server, which is why the Activate screen is shown. Here, we have to enter activation credentials. On server MFA1, or on an Internet-connected workstation, perform the following actions to create the activation credentials:
    1. Open a web browser and navigate to the Azure Portal.
    2. Sign in with an account that has the Global administrator role assigned.
      Perform Azure-based multi-factor authentication, when prompted.
    3. In the left navigation menu, click Azure Active Directory.
    4. In the Azure AD navigation menu, scroll down to the Security section.
    5. Click MFA.
    6. In the scenario where an MFA Provider is present:
      1. In the Multi-Factor Authentication navigation menu, click Providers.
      2. Select a provider in the list of MFA providers to open its settings.
      3. In the navigation menu for the MFA Provider, click Server Settings.
      4. In the MFA Provider’s Server Settings, follow the Generate link.
    7. In the scenario of Hybrid Identity:
      1. In the Multi-Factor Authentication navigation menu, click Server settings.
      2. Follow the Generate link.
  14. Copy the generated activation credentials into the Multi-Factor Authentication Server management user interface.
  15. Click Activate within 10 minutes of generating the credentials, as the credentials automatically expire after this time period.

    Configure MFA Server

  16. In the Multi-Factor Authentication Server pop-up window (depicted above), click Yes to enable and configure replication by running the Multi-Server Configuration Wizard.

    Azure MFA Server's Multi-Server Configuration Wizard

    The Multi-Server Configuration Wizard appears (see the above screenshot).

  17. On the Enable Replication Between Servers page, click Next >.
  18. On the Secure Communication page, unselect the Certificates option.
  19. Click Next >.

    Configuring Active Directory for MFA Server

  20. On the Active Directory page, click Next >.

    MFA Server's Multi-Server Configuration Complete

  21. On the Multi-Server Configuration Complete page, click Finish.

The server will reboot.

Step 2: Configure AD Sync on MFA1

The central MFA Server component uses its own database to store information on user objects. The best approach in a Microsoft-oriented environment is to configure automatic synchronization of user objects from Active Directory to MFA Server’s phonefactor.pfdata database.

After installation and reboot, perform these steps on Windows Server MFA1 to configure Active Directory synchronization:

  1. Sign into Windows Server MFA1, using an account that is a member of the Domain Admins group and assigned local administrative privileges on the server.
  2. Open the Multi-Factor Authentication Server management user interface from the Start Menu.
  3. In the left icon pane, select Directory Integration.
  4. Navigate to the Synchronization tab:

    Configure MFA Server's AD Sync

  5. On the Synchronization tab, enable the Enable synchronization with Active Directory option. Additionally, enable the Remove users no longer in Active Directory option.

Step 3: Configure the Web Service SDK on MFA1

To allow other MFA Server components, like the MFA User Portal and the MFA AD FS Adapter, to communicate with the central MFA Server component, install and configure Internet Information Services (IIS) and the Web Service Software Development Kit (SDK) on Windows Server MFA1:

  1. Open an elevated PowerShell window, and execute the following line of PowerShell:

    Install-WindowsFeature Web-WebServer,Web-Http-Redirect,Web-Basic-Auth,Web-Asp-Net45,Web-Metabase -IncludeManagementTools

  2. Close the PowerShell window.
  3. Open the Multi-Factor Authentication Server management user interface from the Start Menu.
  4. In the left icon pane, select Web Service SDK.

    Install Web Service SDK...

  5. Click the Install Web Service SDK… button.

    Select Installation Address for MFA Server's Web Service SDK

    The Multi-Factor Authentication Web Service SDK window appears (see above).

  6. On the Select Installation Address click Next >.
  7. On the Installation Complete page, click Close.
  8. Close the Multi-Factor Authentication Server management user interface.

Step 4: Create the Web Service SDK service account and configure the service

To accommodate authentication to the Web Service SDK, a service account is needed that is also a member of the PhoneFactor Admins group. Then, the Web Service SDK application pool needs to be configured to run as this service account.

Perform these steps on a Domain Controller, or on a domain-joined Windows Server or Windows installation with the Active Directory Domain Services Remote Server Administration Tools (RSAT) installed:

  1. Use an account that is a member of the Domain Admins group, or has delegated permissions to create user objects in Active Directory.
  2. Open the Active Directory Administrative Center from the Start Menu.
  3. At the top of the left navigation menu, switch to Tree view.
  4. Navigate to the Users container.
  5. In an empty space, right-click and select New, then User from the context menu.

    Create User

    The Create User: window appears, as depicted above.

  6. Type a Full name: and User SamAccountName: for the service account.
  7. Type the password for the service account twice.
  8. Select the Other password options option, and select Password never expires.
  9. Select the Protect from accidental deletion option.
  10. Scroll down to the Member Of section.
  11. Click the Add… button.

    Add User to Group

    The Select Groups pop-up window appears (see above).

  12. Type the PhoneFactor Admins group.
  13. Click Check Names.
  14. Click OK.
  15. Click OK to create the service account.
  16. Sign out.

Perform the following steps on Windows Server MFA1:

  1. Sign into Windows Server MFA1, using an account that is a member of the local administrators group.
  2. Open the Internet Information Services (IIS) Manager from the Start Menu.
  3. In the left navigation menu of IIS Manager, expand the Sites node.
  4. Select the Default Web Site.
  5. In the Actions pane to the right, click Bindings….

    Internet Information Services (IIS) Manager

  6. In the Site Bindings pop-up window, click Add…

    Add a site binding

  7. In the Add Site Binding window, add a binding for https. Select the appropriate TLS certificate and click OK.
  8. Back in the Site Binding window, click Close.
  9. In the left navigation menu of IIS Manager, expand the Application Pools node.
  10. In the main pane, select the MultiFactorAuthWebServiceSDK application pool.
  11. In the Actions pane on the right, click Advanced Settings…
  12. From the list of settings, under Process Model, select Identity.
  13. Click the button with the three dots to the right of ApplicationPoolIdentity.

    The Application Pool Identity window appears.

  14. Select Custom account, then click Set….

    Set credentials for an IIS Application Pool

    The Set Credentials pop-up window appears (see above).

  15. Enter the User name: of the Web Service SDK service account in the format DOMAIN\ServiceAccount.
  16. Enter the password for the service account twice.
  17. Click OK.
  18. Click OK.
  19. Click OK.
  20. Close Internet Information Services (IIS) Manager.

The Web Service SDK is now available via the following url: https://mfa1.domain.tld/multifactorauthwebservicesdk/
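The service-account and Web Service SDK steps above, as one PowerShell script (an added example, not the author's or Microsoft's). The domain name, NetBIOS name and account name are assumptions taken from the text, the certificate thumbprint is a placeholder, and the New-ADUser part runs wherever the ActiveDirectory module is available while the IIS part runs on MFA1.

```powershell
# Added example, not the page's own script. Automates the Domain Admins and
# MFA1 steps in the text; values marked "assumed" are not stated on the page.
#Requires -RunAsAdministrator
Import-Module ActiveDirectory
Import-Module WebAdministration

$Domain        = 'domain.tld'                   # assumed, matches the SDK URL in the text
$NetBiosDomain = 'DOMAIN'                       # assumed
$SvcName       = 'Svc_MFASDK'                   # service-account name used later in the text
$SdkGroup      = 'PhoneFactor Admins'           # group named in the text
$AppPool       = 'MultiFactorAuthWebServiceSDK' # application pool named in the text
$Thumbprint    = '<thumbprint of the TLS certificate for mfa1.domain.tld>'  # placeholder

# Prompt for the password once instead of hard-coding it in the script.
$Cred = Get-Credential -UserName "$NetBiosDomain\$SvcName" -Message 'Service account password'

# Steps 1-16 (domain): create the account with "Password never expires",
# protect it from accidental deletion and add it to PhoneFactor Admins.
New-ADUser -Name $SvcName -SamAccountName $SvcName `
    -UserPrincipalName "$SvcName@$Domain" -Path 'CN=Users,DC=domain,DC=tld' `
    -AccountPassword $Cred.Password -Enabled $true `
    -PasswordNeverExpires $true -CannotChangePassword $true
Set-ADObject -Identity (Get-ADUser $SvcName).DistinguishedName `
    -ProtectedFromAccidentalDeletion $true
Add-ADGroupMember -Identity $SdkGroup -Members $SvcName

# Steps 3-8 (MFA1): add the https binding and attach the server certificate.
New-WebBinding -Name 'Default Web Site' -Protocol https -Port 443
Get-Item "Cert:\LocalMachine\My\$Thumbprint" |
    New-Item 'IIS:\SslBindings\0.0.0.0!443' -Force | Out-Null

# Steps 9-19 (MFA1): run the Web Service SDK application pool as the service account.
$pool = "IIS:\AppPools\$AppPool"
Set-ItemProperty $pool -Name processModel.identityType -Value SpecificUser
Set-ItemProperty $pool -Name processModel.userName     -Value "$NetBiosDomain\$SvcName"
Set-ItemProperty $pool -Name processModel.password     -Value $Cred.GetNetworkCredential().Password
Restart-WebAppPool -Name $AppPool

# Check: the SDK endpoint should now answer over https with the chosen certificate.
Invoke-WebRequest -UseBasicParsing "https://mfa1.$Domain/multifactorauthwebservicesdk/" |
    Select-Object StatusCode
```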

Step 5: Install the User Portal on WEB1

The MFA Server User Portal allows administrators, delegated service desk personnel and end-users to modify MFA settings and preferences. The User Portal will be installed on a separate Windows Server-based web server: WEB1.

Perform the following steps on Windows Server MFA1 to get the Multi-Factor Authentication Server User Portal Installer to Windows Server WEB1:

  1. Open File Explorer.
  2. Navigate to the installation folder of MFA Server. By default, this location is:
    C:\Program Files\Multi-Factor Authentication Server\

    MFA Server's User Portal Installer in the MFA Server Installation Folder

  3. Copy MultiFactorAuthenticationUserPortalSetup64.msi.
  4. Paste the Multi-Factor Authentication Server User Portal Installer on the disk of Windows Server WEB1.
  5. Close File Explorer.
  6. Sign out.

Perform these steps to install MFA Server’s User Portal on Windows Server WEB1:

  1. Sign into Windows Server WEB1, using an account that is a member of the local administrators group.
  2. Open an elevated PowerShell window, and execute the following line of PowerShell:

    Install-WindowsFeature Web-WebServer,Web-Asp-Net45,Web-Metabase -IncludeManagementTools

  3. Close the PowerShell window.
  4. Open File Explorer.
  5. Navigate to the folder where you’ve placed the Multi-Factor Authentication Server User Portal Installer file:

    MFA Server's User Portal Installer in Downloads

  6. Double-click MultiFactorAuthenticationUserPortalSetup64.msi.

    Select Installation Address for MFA User Portal

    The Multi-Factor Authentication User Portal appears (see above).

  7. On the Select Installation Address page, click Next >.
  8. On the Installation Complete page, click Close.
  9. Open the Internet Information Services (IIS) Manager from the Start Menu.
  10. In the left navigation menu of IIS Manager, expand the Sites node.
  11. Select the Default Web Site.
  12. In the Actions pane to the right, click Bindings….
  13. In the Site Bindings pop-up window, click Add…
  14. In the Add Site Binding window, add a binding for https, select the appropriate TLS certificate and click OK.
  15. Back in the Site Binding window, click Close.
  16. Close Internet Information Services (IIS) Manager.
  17. Switch to the File Explorer window.
  18. Navigate to the file location with the User Portal files. By default, this location is:
    C:\inetpub\wwwroot\MultiFactorAuth

    Web.Config file in MFA User Portal Folder

  19. Open Web.Config in Notepad.

    Web.Config

  20. In the appSettings section, make four changes:
    1. On line 9, change the value for USE_WEB_SERVICE_SDK from “false” to “true“.
    2. On line 10, add the domain name and username for the service account that runs the application pool of the Web Service SDK, e.g. DOMAIN\Svc_MFASDK.
    3. On line 11, add the password.
    4. On line 60, in the ApplicationSettings section, change https://www.contoso.com/MultiFactorAuthWebServiceSdk/PfWsSdk.asmx to the url of the Web Service SDK, e.g. https://mfa1.domain.tld/multifactorauthwebservicesdk/PfWsSDK.asmx
  21. From Notepad’s File menu, select Save.
  22. From Notepad’s File menu, select Exit.
  23. Close File Explorer.
  24. Sign out.

The MFA User Portal is now available via the following url:
https://web1.domain.tld/multifactorauth
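The WEB1 steps above as one PowerShell script (an added example, not the author's or Microsoft's). The installer location and the two appSettings key names that hold the service-account credentials are assumptions that should be checked against your copy of Web.Config; the certificate thumbprint is a placeholder. Because the file's line numbers vary between installer versions, the script edits Web.Config as XML by key name rather than by line number.

```powershell
# Added example, not the page's own script. Automates the WEB1 steps in the text;
# values marked "assumed" or "placeholder" are not stated on the page.
#Requires -RunAsAdministrator
Import-Module WebAdministration

$Installer  = "$env:USERPROFILE\Downloads\MultiFactorAuthenticationUserPortalSetup64.msi"  # assumed location
$PortalDir  = 'C:\inetpub\wwwroot\MultiFactorAuth'   # default location from the text
$SdkUrl     = 'https://mfa1.domain.tld/multifactorauthwebservicesdk/PfWsSDK.asmx'
$SdkAccount = 'DOMAIN\Svc_MFASDK'
$Thumbprint = '<thumbprint of the TLS certificate for web1.domain.tld>'  # placeholder

# Step 2: IIS, ASP.NET 4.5 and IIS 6 metabase compatibility.
Install-WindowsFeature Web-WebServer,Web-Asp-Net45,Web-Metabase -IncludeManagementTools

# Steps 6-8: unattended install of the User Portal MSI (default installation address).
Start-Process msiexec.exe -ArgumentList "/i `"$Installer`" /qn /norestart" -Wait

# Steps 9-16: https binding with the server certificate.
New-WebBinding -Name 'Default Web Site' -Protocol https -Port 443
Get-Item "Cert:\LocalMachine\My\$Thumbprint" |
    New-Item 'IIS:\SslBindings\0.0.0.0!443' -Force | Out-Null

# Steps 18-22: point the portal at the Web Service SDK.
$secure = Read-Host -AsSecureString 'Password for the Web Service SDK service account'
$plain  = [System.Net.NetworkCredential]::new('', $secure).Password
$cfgPath = Join-Path $PortalDir 'Web.Config'
[xml]$cfg = Get-Content -Raw $cfgPath

$settings = @{
    'USE_WEB_SERVICE_SDK'                     = 'true'        # key named in the text
    'WEB_SERVICE_SDK_AUTHENTICATION_USERNAME' = $SdkAccount   # assumed key name (line 10 in the text)
    'WEB_SERVICE_SDK_AUTHENTICATION_PASSWORD' = $plain        # assumed key name (line 11 in the text)
}
foreach ($key in $settings.Keys) {
    $node = $cfg.configuration.appSettings.add | Where-Object key -eq $key
    if (-not $node) { throw "appSettings key '$key' not found in $cfgPath" }
    $node.value = $settings[$key]
}
# applicationSettings: replace the contoso placeholder URL with the real SDK URL.
$urlNode = $cfg.SelectNodes('//applicationSettings//setting/value') |
    Where-Object InnerText -like '*contoso.com/MultiFactorAuthWebServiceSdk*' |
    Select-Object -First 1
if (-not $urlNode) { throw "Web Service SDK URL setting not found in $cfgPath" }
$urlNode.InnerText = $SdkUrl
$cfg.Save($cfgPath)

# The service-account password now sits in clear text in Web.Config, so keep the
# NTFS ACL on $PortalDir restricted to administrators and the application pool identity.
```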


Concluding

Having written how to install and configure MFA Server 6.3 on 4Sysops.com four years ago, I’m amazed at how much easier it is today to install Microsoft’s on-premises Azure Multi-Factor Authentication (MFA) Server.

Related blogposts

Supported Azure MFA Server Deployment Scenarios and their pros and cons
Connecting to Azure MFA Server’s Web Service SDK using certificate authentication
Choosing the right Azure MFA authentication methods
Azure Multi-Factor Authentication Server 8.0.1.1 was released


Pictures of the 2019 Heliview IAM Congress

Last week, Heliview organized its annual Identity and Access Management (IAM) congress at the Nieuwegein Business Center.

Booth Materials (click for larger photo, by Carlo Schaeffer)
SCCT Booth (click for larger photo, by Carlo Schaeffer)
ChupaChups at the SCCT Booth (click for larger photo)
Empty Room - Quiet before the storm (click for larger photo)
Goody bags for all attendees (click for larger photo, by Carlo Schaeffer)

To set up our booth, Carlo and I arrived early. We swiftly set it up and then enjoyed a cup of tea as the start of our day. This also allowed for some time to canvas the room.

Full Room :-) (Click for larger photo, by Carlo Schaefer)

At 11AM, I presented a 25-minute session on Decentralized Identities. I took questions after the session, while the next speaker set up. We also received a lot of positive feedback after the session.

During the day we had a lot of interesting conversations with both existing and potential customers. It strengthened their belief in the Microsoft cloud solution for providing and governing identity and access control leveraging Azure Active Directory.

Closing Keynote Audience (click for larger photo, by Heliview)
Meeting Tables (click for larger photo)
Let the drinks flow! (click for larger photo)
Expo (click for larger photo, by Heliview)

After the closing keynote by Maria Genova, drinks were served. After 6PM, we tore down our booth and headed home. Content.

Thank you!

Thank you to Heliview for organizing yet another successful IAM congress and inviting me as a speaker once again, and to all the people attending, sitting in on my session and, of course, the people with whom we had interesting discussions.


I’m speaking at Techorama Belgium 2019

Techorama - Deep knowledge IT conference - Antwerp, Belgium

I’m proud to share that I’ll be presenting at Techorama Belgium for my third year in a row as an accepted speaker for Techorama Belgium 2019.


About Techorama

Techorama Belgium is a yearly international technology conference that takes place at Kinepolis Metropolis Antwerp. Techorama welcomes 1700 attendees, a healthy mix between developers, IT Professionals, Data Professionals and SharePoint professionals. Techorama’s commitment is to create a unique conference experience with quality content and the best speaker line-up.

Techorama Belgium 2019 is held from May 20, 2019 to May 22, 2019.


About my session

I’m presenting a 60-minute session as part of the Modern Workplace track:

Going Password-less on-premises, how hard can it be?

Wednesday May 22, 2019 4:30PM-5:30PM, Room 10

Password-less… Microsoft’s marketing machine makes a bold case for it… when you’re with your head in the clouds. But what’s the real story for hybrid scenarios? What’s the deal for pure on-premises environments?

Find out in this session how far you can take your password-less journey!

Microsoft has spun up its latest Identity-related marketing vehicle: password-less. With Azure AD, we’re seeing high adoption of features like Windows Hello for Business, Single Sign-On and even some FIDO2 adoption. However, when Hybrid Azure AD Join rears its ugly head, things get a bit more complicated… and don’t even get us started on going password-less on-premises!

Let’s get a closer look at Windows Hello for Business, authentication assurance, trust types and all the on-premises requirements to fulfil to get to this promise of a world with lesser passwords.


Join us!

Techorama Belgium 2019 has almost sold out. You can still buy one of the last tickets here. When you’re among the lucky people to have grabbed a ticket, join me for this session.

We’ll have a lot of fun!

Further reading

Pictures of Techorama Belgium 2018
I’m speaking at Techorama Belgium 2018
Pictures of Techorama 2017
I’m speaking at Techorama Belgium 2017
