I’m speaking at Microsoft Network 7

Last year, I spoke at Microsoft NetWork 6 in Neum, Bosnia and Herzegovina. This year, the organization has invited me back to present another session:

 

About Microsoft Network

Microsoft Network 7

Microsoft’s NetWork conference is a yearly event in the city of Neum in Bosnia and Herzegovina. It offers a range of great speakers like Adis Jugo, Aleksandar Nikolic, Srđan Stević, Luka Manojlovic, Mustafa Toroman, Slavko Kukrika, Nenad Trajkovski and Romeo Mlinar.

The event is held at the Grand Hotel, Neum between April 19 and April 21, 2017.
On Wednesday, the conference starts with a keynote at 6PM. Thursday and Friday are packed with 45-minute sessions on both IT Pro and Developer-related topics.

Grand Hotel Neum

Its twitter hashtag is #MSNetWork.

 

About my session

You can find me in Sala 3 on Thursday April 20 from 5 PM till 5:45 PM. I’ll be presenting the 45-minute, level 300 version of:

Azure AD Connect, Inside Out

New hybrid cloud scenarios introduce new identity challenges. But how do you overcome these? How do you properly design and implement Hybrid Identity in real-world scenarios? In this demo-packed session, I turn Microsoft’s free Hybrid Identity ‘bridge’ product, Azure AD Connect, inside out, showing all the good stuff, but also the gory details! This session is one no Active Directory admin should miss!

 

See you there?


Azure Multi-Factor Authentication Server 7.3.0.3 with lots of improvements

After January’s Azure Multi-Factor Authentication Server version 7.2.0.1 release, over the weekend, Microsoft released version 7.3.0.0 of its on-premises Azure Multi-Factor Authentication Server with a lot of performance improvements and other fixes. 

While the changes mentioned in the change log aren’t world-shocking, this release should alleviate many of the problems you might have with this product.

 

What’s New

AD FS adapter performance improvements

Azure Multi-Factor Authentication (MFA) Server’s Active Directory Federation Services (AD FS) adapter was put through its paces and several areas have been identified to improve its performance.

Since most organizations get on the MFA Server bandwagon using the AD FS adapter, this is a very welcome change.

Fix AD FS adapter to handle cultures that aren’t associated with a locale ID

Another improvement in the Active Directory Federation Services (AD FS) adapter has to do with multi-language setups.

Tags performance improvements

In multi-forest, multi-domain environments with many groups, assigning tags could be terribly slow. Using global filters was the workaround for this, but that introduces other challenges.

Log request IDs to allow correlation with backend logs

With the advent of the Web Service SDK Logging feature in Azure Multi-Factor Authentication Server version 7.2.0.1, putting together the jigsaw puzzle with information from each of the logs is improved with the request ID.

Modified AD sync service to clear phone numbers that are cleared in the directory

When you use the Directory Integration feature and clear the phone number attribute for a (group of) user(s), Azure Multi-Factor Authentication (MFA) Server would not clear it in its database. Starting with this version, it does, overriding the ‘keep synchronized’ setting.

Fix for RADIUS one-way text message fallback to OATH token

Fallback methods play an important role in multi-factor authentication, so it’s good to see fixes and improvements in this area.

Fix for passwords that contain leading or trailing spaces

Even though passwords are securely interchanged for the initial handshake towards the Identity Provider (Active Directory, LDAP), in cases with passwords that contain leading or trailing spaces, things might go wrong. This is now fixed.

Change mobile app references from Azure Authenticator to Microsoft Authenticator

While one team may change things, another team might not be able to change gears that fast. After the change from Azure Authenticator to Microsoft Authenticator last August, the Azure Multi-Factor Authentication (MFA) Server team has finally been able to change all the references in their user interfaces and admin interfaces.

 

Known Issues

Windows Authentication for Remote Desktop Services (RDS) is not supported for Windows Server 2012 R2.

  

Upgrade considerations

You must upgrade MFA Server and Web Service SDK before upgrading AD FS adapter.
Read the guidance in the How to Upgrade section in this blogpost for more information.

  

Download

Version 7.3.0.3 of the on-premises Azure Multi-Factor Authentication (MFA) Server can be downloaded via the old-fashioned Azure Management Portal or straight from the MFA Management Portal:

  1. Log on to the Azure Portal.
  2. In the column on the left that lists all the available items and services, scroll down until you reach ACTIVE DIRECTORY.
  3. In the main pane, select the default directory.
  4. Just above the list of directories, click the text MULTI-FACTOR AUTH PROVIDERS.
  5. Click the Multi-Factor Authentication Provider that you’ve configured for your organization and is marked as Active in the STATUS column.
  6. Click MANAGE in the bottom pane on the general settings for the Multi-Factor Authentication Provider.
  7. This will redirect you to your tenant view of the PhoneFactor Portal.
  8. In the main pane of the portal click on the Downloads header.
  9. Click the Download link below the list of supported platforms.

Save MultiFactorAuthenticationServerSetup.exe to a network location where you can use it from each of the Windows Servers that have Azure Multi-Factor Authentication installed.

 

Concluding

Azure Multi-Factor Authentication Server version 7.3.0.3 adds a lot of performance improvements and other fixes. 

While the changes aren’t world-shocking, this release should alleviate many of the problems you might have with this product. I recommend upgrading to this version to get rid of them.

Related blogposts

Azure Multi-Factor Authentication Server version 7.2.0.1 adds Oracle LDAP Support
Azure Multi-Factor Authentication Server version 7.1.2.1 for your convenience 
Azure Multi-Factor Authentication Server version 7.0.2.1 is here  
Azure Multi-Factor Authentication Server reaches version 7.0.0.9


Whitepaper: What’s New in Active Directory Domain Services since Windows Server 2008 R2

The last couple of months, I have actively worked together with Veeam to profile their excellent Veeam Explorer for Active Directory and to help people get more out of their current investments in on-premises Active Directory Domain Services.

One of the projects we’ve worked on is a whitepaper that details what’s new in Active Directory Domain Services since Windows Server 2008 R2, how organizations can benefit from these features and the requirements to enable and/or use each of these features.

 

About the whitepaper

Veeam whitepaper: What's New in Active Directory

While Active Directory (AD) has been around since Windows 2000 Server, Microsoft has continued to make adjustments and introduce features in newer Windows Server releases, especially in Windows Server 2012. What’s New in Active Directory 2016 covers different AD features and the requirements to enable them.

Scalability boundaries

Learn about two big changes made by Microsoft in Windows Server 2012, which now allow AD environments to grow more easily, and beyond the limitations encountered by AD administrators.

Deployment and migration features

Microsoft has released many improvements to make DC deployment and migration better than ever. Have you ever wondered how to prevent possible issues after a schema update? Do you know how to make your DC aware of the virtual environment to prevent data loss? Have you thought about using DC cloning so you can quickly create a replica DC for DR purposes? Have you heard about the new ways to promote a machine to DC? How about preparing an automatic update for the AD domain and a forest for new versions? Keep reading this white paper, we’ve got you covered!

Security features

In Windows Server 2012 and WS 2012 R2, a couple of features have been introduced to enable domain admins to further lock down their AD environments. One new security feature is Flexible Authentication Secure Tunneling (FAST), or Kerberos Armoring. Start solving common security problems with Kerberos and make sure that clients will never fall back to less-secure legacy protocols or weaker cryptographic methods.

On top of all that security goodness, Windows Server 2016 brings Privileged Access Management (PAM) that allows admins to only have administrative privileges when they need them through auto-expiration of these privileges. Did you know that PAM is the only secure way you could actually regain control over a compromised AD environment without throwing it away?

Manageability features

Learn about Active Directory Administrative Center (dsac.exe), which was first introduced with Windows Server 2008 R2. Read about Active Directory Administrative Center’s serious overhaul in Windows Server 2012. In addition to providing Graphical User Interfaces (GUIs) to new features in Active Directory 2012, the functionality has expanded to manage features that were previously only manageable on the command line.

Mobility features

Has your organization adopted a Hybrid Identity approach towards Azure Active Directory? Your AD can help get the devices your users use into Azure Active Directory with the help of Azure AD Connect and (optionally) AD FS. These features aren’t limited to Windows 10 devices, either.

 

Read it

You can download the Whitepaper from Veeam after registration.
It’s a PDF file, weighing 653 KB. It was last released in March 2017.

 

About me

I am an MCSA, MCSE, MCT, Microsoft Most Valuable Professional (MVP) and Veeam Vanguard. Working for SCCT, a Dutch IT services provider, I have ample experience with deploying and maintaining Microsoft technologies in hundreds of environments, ranging from four to four hundred thousand seats, both on-premises and in the cloud.


I’m speaking at Lowlands Unite! Netherlands Edition

Next week, on Tuesday April 11, 2017, I’ll be delivering a 60-minute session on the Ten most common mistakes when deploying Active Directory Federation Services (AD FS) and Hybrid Identity and how to avoid them at Lowlands Unite! Netherlands Edition.

 

About Lowlands Unite!

LowLands Unite! Netherlands Edition

Lowlands Unite! is the joint event by the Dutch Windows Management User Group (WMUG) and the System Center User Group (SCUG) Belgium. As you might have learned in school, the two countries are often referred to as the low lands (in terms of sea level, not mood). For the Dutch WMUG, this is the first full-day event and it’s promising to be huge! (Believe me.)

For the location, WMUG chose EndemolShine, the studios in Amsterdam where a lot of popular television formats are recorded. We’re turning this inspiring location into an excellent event location for April 11, 2017, with tasty food, great lighting, and, of course, excellent sessions.

The ten speaking slots are all filled with great sessions in the Enterprise Mobility Suite / Enterprise Client Management track and the Azure / Operations Management Suite and System Center (AOS) track. With 9 Microsoft MVPs and a Microsoft Evangelist, you’re bound to learn something.

 

About my session

I’m delivering one 60-minute session:

Ten most common mistakes when deploying AD FS and Hybrid Identity and how to avoid them

9:50 AM – 10:50 AM

Active Directory Federation Services (AD FS) is the Microsoft technology to bridge your on-premises identity systems towards cloud identity providers, like Azure Active Directory. Colleagues depend on a reliable, yet cost-effective deployment of AD FS and it’s our job as IT Pros to make it happen.

This session covers the 10 most common mistakes we see in the field in organizations that have deployed AD FS and Hybrid Identity. Learn from their mistakes, whether you’ve already deployed AD FS and want to make your implementation more robust, or are holding off deploying AD FS so as not to step into these pitfalls.

 

Join us!

Even though this event is free, it hasn’t sold out yet.

This means there’s still time to join me, the other speakers, your fellow Dutch-speaking IT Pros and, of course, our sponsors, including SCCT, my current employer.

Join us!

Can’t make it on April 11? No worries.
SCUG Belgium is expected to organize a similar event in Belgium in Fall 2017.


Pictures of the Amsterdam Microsoft Tech Summit

The past two days, the Amsterdam RAI was the venue for Microsoft’s 2016-2017 Tech Summit. I attended this event as an expert, just like many of the other Dutch Microsoft MVPs who also received an invitation to staff.

Tech Summit Banners at the Amsterdam RAI (photo from Microsoft Netherlands)
Microsoft Tech Summit banner at the Public Transportation Route (click for larger photo)
The Tech Summit Entrance (photo by Carlo van Venrooij)

On Thursday May 23, I headed for the Amsterdam RAI. Expecting little, I was surprised to see broad invitations to all attendees for the 5PM – 6 PM Ask the Experts reception in Hall 10.

Ask The Experts Reception Announcement (photo by James van den Berg)

On Thursday I performed several labs on demand. It’s great to have such an opportunity during events like this.

Labs On Demand (photo by James van den Berg)

Since all presentations were being recorded and all slides are available through the Tech Community website after registration, this felt like the best way to spend my time. With the Azure Portal, Office 365 experience and Intune capabilities rapidly, I spent time doing labs in each of these areas.

Around five o’clock I made it back to Hall 10. The area was filling up pretty rapidly. I met with a lot of acquaintances and had wonderful conversations with a lot of people.

MVPs at the Amsterdam Tech Summit (photo by Hassan Fadili)

All the Dutch MVPs attending the event gathered for a group picture at around 5:15 PM. At around 6 PM the fun was over and everybody headed home.

Friday May 24, I arrived at the Amsterdam RAI rather late. Friday was a beautiful day, so after the event, a couple of us went for dinner in Amsterdam. Beats the traffic, every time.

A beautiful Amsterdam afternoon (click for original photo)

I was home late Friday night, but very satisfied.

Thank you!


Join me for the Amsterdam Microsoft Tech Summit

As part of a global series of events, on Thursday March 23 and Friday March 24, Microsoft hosts the Tech Summit in the Amsterdam RAI.

Since, from a global point of view, this event takes place in my backyard, I’ll be there as an Ask the Expert, together with many of my Dutch MVP peers.

 

About the Microsoft Tech Summit

Microsoft Tech Summit Amsterdam

Microsoft Tech Summit is a free, two-day technical training for IT professionals and developers with experts who build the cloud services across Microsoft Azure, Office 365, and Windows 10.

Whether you know your way around the cloud or just getting started, learn from over 50 technical training sessions and hands-on labs to help you build your cloud skills. Deep dive into the latest innovations covering a range of topics across Microsoft Azure and the hybrid platform including security, networking, data, storage, identity, mobile, cloud infrastructure, management, DevOps, app platform, productivity, collaboration and more.

Connect with Microsoft engineering experts from Redmond, technology partners and your industry peers who can help you get the most out of the cloud.

 

About Ask the Experts

Access hundreds of Microsoft engineers and tech leaders ready to help you tackle your toughest dilemmas – they’re up for the challenge.

A bunch of us will be at the event for the entire two days. Expect the usual suspects. But, it’ll get really exciting between 5PM and 6PM on March 23. This is the official Ask the Experts moment, when we’ll be joined by the speakers, drinks and finger food.

 

See you there?


Branding your Hybrid Identity Solution, Part 6: The Azure Multi-Factor Authentication Server User Portal

To avoid service desk calls, you can implement Azure Multi-Factor Authentication Server’s User Portal. Colleagues enrolled in Azure Multi-Factor Authentication can access this portal to change their phone number(s), change their verification method and/or enroll and/or remove devices with the Azure Authenticator app. Even if they screw up their verification options badly, they can still access the User Portal by answering their security questions again (if enabled).

 

Choosing your approach

Stylesheets and Graphical resources

There are two methods to apply most of the branding:

  1. Overwrite the graphical resources and css files in the default theme folder.
  2. Copy over the default theme folder, rename it, do all the customizations in that theme and then configure the User Portal to use your theme instead of the default theme.

In both cases, you replace the default images with new ones of the same name, or add images and change the references to them in the cascading stylesheet.

The second method is the preferred way, because your customizations will not be overwritten during upgrades of the Azure Multi-Factor Authentication Server product. To implement it, go into the web.config file in the web folder of the Azure MFA User Portal and change the line that begins with

<pages theme="Default"

Replace “Default” with the name of your new folder and the new design will then be used. Be sure to make a backup of the web.config file since it will get overwritten during future upgrades.

Going further

However, both methods may lack the customizations you’d want. Then, you’ll have to resort to editing the *.aspx files. If you do that, you should make a backup of the modified page(s), because each subsequent upgrade to the Azure Multi-Factor Authentication Server product and User Portal overwrites the custom pages created.

We’ll look at each route, with detailed steps per example:

 

Adding a Custom theme

To add a custom theme to your Azure Multi-Factor Authentication Server User Portal(s), follow these steps:

  1. Log on interactively to the Windows Server hosting the Azure Multi-Factor Authentication Server User Portal with a user account that has administrative privileges.
  2. Open File Explorer and navigate to the folder where the Azure Multi-Factor Authentication Server User Portal is installed. By default, it is located in C:\inetpub\wwwroot\MultiFactorAuth.
  3. Navigate to the \App_Themes subfolder. You’ll see a folder named Default.
  4. Right-click the folder and select Copy from the context menu.
  5. Now, right-click an empty space below the Default folder in the File Explorer user interface and select Paste from the context-menu.
  6. Right-click the newly created folder and select Rename from the context menu. Rename the folder to something appropriate. I chose to rename it to Custom.
  7. In File Explorer, go up one level. This brings you back to the folder where the Azure Multi-Factor Authentication Server User Portal is installed.
  8. Select the web.config file.
  9. Right-click it, and select Edit from the context menu. This will open Notepad, by default.
  10. In Notepad, in the Edit menu, choose Find… or type Ctrl + F simultaneously.
  11. In the Find dialog, search for Default.
     
    Finding "Default" in the Web.Config file of the Azure Multi-Factor Authentication Server User Portal (click for original screenshot)
  12. Change the text Default between the quotes to the name of your folder. In my case, I replaced it with Custom.
  13. Save the web.config file.
  14. Close Notepad.

If you have more than one (web)server hosting your Azure Multi-Factor Authentication Server User Portal, perform these steps on all the other servers as well. It is best to perform these changes on the servers in your acceptance environment, before making the changes in your production environment.
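The fourteen steps above, scripted so they can be repeated identically on every server hosting the User Portal. This is an added example, not code from the original post or from the product: it assumes the default installation path C:\inetpub\wwwroot\MultiFactorAuth, a theme folder name of Custom, and that web.config carries the theme in the `theme` attribute of the `<pages>` element under `<system.web>`, as the post describes. It keeps a timestamped backup of web.config, refuses to overwrite an existing theme folder, and verifies the attribute after saving.

```powershell
# Added example (not from the original post): clone the Default theme of the
# Azure MFA Server User Portal to a new theme folder and point web.config at it.
# Assumptions: default install path and a <pages theme="Default" ...> element
# under <system.web> in web.config, as described in the steps above.
param(
    [string]$PortalRoot = 'C:\inetpub\wwwroot\MultiFactorAuth',
    [string]$ThemeName  = 'Custom'
)

$themesDir  = Join-Path $PortalRoot 'App_Themes'
$defaultDir = Join-Path $themesDir 'Default'
$customDir  = Join-Path $themesDir $ThemeName
$webConfig  = Join-Path $PortalRoot 'web.config'

if (-not (Test-Path $defaultDir)) { throw "Default theme not found at $defaultDir" }
if (-not (Test-Path $webConfig))  { throw "web.config not found at $webConfig" }

# Steps 3-6: copy the Default theme folder under the new name.
# Refuse to clobber an existing theme so earlier customizations are never lost.
if (Test-Path $customDir) {
    throw "Theme folder $customDir already exists; pick another name or remove it first."
}
Copy-Item -Path $defaultDir -Destination $customDir -Recurse

# Keep a timestamped copy of web.config; product upgrades overwrite this file.
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
Copy-Item -Path $webConfig -Destination "$webConfig.$stamp.bak"

# Steps 8-13: change only the theme attribute of <pages>, leaving the rest of
# the file (including whitespace and comments) untouched.
$xml = New-Object System.Xml.XmlDocument
$xml.PreserveWhitespace = $true
$xml.Load($webConfig)
$pages = $xml.SelectSingleNode('/configuration/system.web/pages')
if ($null -eq $pages) { throw 'No <pages> element found under <system.web> in web.config' }
"Current theme: $($pages.GetAttribute('theme'))"
$pages.SetAttribute('theme', $ThemeName)
$xml.Save($webConfig)

# Verify by re-reading the file instead of trusting the in-memory object.
$check = New-Object System.Xml.XmlDocument
$check.Load($webConfig)
$applied = $check.SelectSingleNode('/configuration/system.web/pages').GetAttribute('theme')
if ($applied -ne $ThemeName) { throw "web.config still names theme '$applied'" }
"Theme switched to '$ThemeName'. Backup: $webConfig.$stamp.bak"
```

Run it in an elevated PowerShell session on each User Portal server; the `-ThemeName` parameter lets you use a name other than Custom. Because the backup file sits next to web.config, restoring the previous theme after an upgrade is a single copy.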

Now you can replace all the graphical resources and change the cascading stylesheet (*.css-file) without problems:

  • \images\change_mode.png
  • \images\change_phonenumber.png
  • \images\change_pin.png
  • \images\correct.png
  • \images\customize_180x100.png
  • \images\icon_help_sm.gif
  • \images\incorrect.png
  • \images\one-time_bypass.png
  • \images\PF_th_back.png
  • \images\phoneFactor_logo.png
  • \images\PN_app_back.gif
  • \images\security_questions.png
  • \images\topNav_gradient.png
  • \images\userAdmin_32x32.png
  • \images\userAdmin_180x100.png
  • \images\users_32x32.png
  • \images\users_180x100.png
  • \StyleSheet.css

Note:
The files noted in grey, above, are files I usually leave alone.

If you do run into problems, simply change the theme name in the web.config and start over in a fresh copy of the Default theme. Again, make sure to make this change on all servers running the Azure Multi-Factor Authentication User Portal.

 

Adding a disclaimer, option 1

Unfortunately, the Azure Multi-Factor Authentication Server User Portal does not natively support adding a disclaimer text, but we can add it. We can even create a different disclaimer for several languages. We’ll abuse the Version and Copyright labels to this purpose.

The easiest way that I found to add a disclaimer is to perform the following steps:

  1. Log on interactively to the Windows Server hosting the Azure Multi-Factor Authentication Server User Portal with a user account that has administrative privileges.
  2. Open File Explorer and navigate to the folder where the Azure Multi-Factor Authentication Server User Portal is installed. By default, it is located in C:\inetpub\wwwroot\MultiFactorAuth.
  3. Navigate to the \App_LocalResources subfolder.
  4. Click on the navigation_menu.ascx.resx file to select it and then right-click it. Select Edit from the context menu. This should open Notepad.
  5. Copy the contents of the lblCopyrightResource1.Text label (Default value is © 2016 Microsoft. All rights reserved.) before the contents of the lblVersionResource1.Text and place a space between the two texts. This way, the label for the Version in the User Portal is prepended by the Copyright notice.

    Prepending the contents of the "lblCopyrightResource1.Text" value to the "lblVersionResource1.Text" value (click for original screenshot)

  6. Now, we can abuse the lblCopyrightResource1.Text label for our disclaimer. Replace the default text with your disclaimer text.
  7. Save the navigation_menu.ascx.resx file.
  8. Close Notepad.

You might have noticed that the \App_LocalResources subfolder contains several files with filenames starting with navigation_menu.ascx. These files contain the language-specific labels for the Graphical User Interface (GUI) elements of the Azure Multi-Factor Authentication Server User Portal. The navigation_menu.ascx.nl.resx file, for instance, contains the Dutch labels.

Note:
You might also notice that Microsoft hasn’t really updated these files regularly. The language-independent copyright notice mentions 2016 as the copyright date, whereas the language-specific copyright notices mention 2013. Even when you’re not adding a disclaimer, you might as well fix this oversight in your Azure Multi-Factor Authentication Server User Portal(s).
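Steps 4 to 7 above, applied to all navigation_menu.ascx*.resx files in one pass so that each language gets its own disclaimer. This is an added example, not code from the original post or the product. It assumes the default installation path and the two label names the post mentions (lblCopyrightResource1.Text and lblVersionResource1.Text); the disclaimer texts are constructed placeholders. Each file is backed up first, a file whose copyright label already holds the disclaimer is skipped so the script can be re-run, and a file in which the labels are missing is reported rather than edited.

```powershell
# Added example (not from the original post): apply "Adding a disclaimer, option 1"
# to every navigation_menu.ascx*.resx file, with a per-language disclaimer.
# Assumes the default install path and the label names used in the steps above;
# the disclaimer texts below are constructed sample values.
param(
    [string]$PortalRoot = 'C:\inetpub\wwwroot\MultiFactorAuth'
)

# Language suffix taken from the file name => disclaimer text.
# 'default' is used for the language-independent navigation_menu.ascx.resx.
$disclaimers = @{
    'default' = 'Authorized users only. Activity on this portal is logged.'
    'nl'      = 'Alleen voor geautoriseerde gebruikers. Activiteit op dit portaal wordt vastgelegd.'
}

function Get-ResxValueNode([System.Xml.XmlDocument]$Doc, [string]$Name) {
    # A .resx file stores each string as <data name="..."><value>...</value></data>
    $Doc.SelectSingleNode("/root/data[@name='$Name']/value")
}

$resDir = Join-Path $PortalRoot 'App_LocalResources'
Get-ChildItem -Path $resDir -Filter 'navigation_menu.ascx*.resx' | ForEach-Object {
    $file = $_.FullName
    # navigation_menu.ascx.resx -> '' ; navigation_menu.ascx.nl.resx -> 'nl'
    $lang = $_.BaseName -replace '^navigation_menu\.ascx\.?', ''
    $key  = if ($lang) { $lang } else { 'default' }
    # Languages without their own text fall back to the language-independent disclaimer.
    $text = if ($disclaimers.ContainsKey($key)) { $disclaimers[$key] } else { $disclaimers['default'] }

    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true
    $xml.Load($file)

    $copyright = Get-ResxValueNode $xml 'lblCopyrightResource1.Text'
    $version   = Get-ResxValueNode $xml 'lblVersionResource1.Text'
    if ($null -eq $copyright -or $null -eq $version) {
        Write-Warning "$($_.Name): expected labels not found, file left untouched"
        return   # continue with the next file
    }
    if ($copyright.InnerText -eq $text) {
        "$($_.Name): disclaimer already applied, skipped"
        return
    }

    Copy-Item -Path $file -Destination "$file.bak" -Force

    # Step 5: prepend the copyright notice to the version label, separated by a space.
    $version.InnerText = "$($copyright.InnerText) $($version.InnerText)"
    # Step 6: reuse the copyright label for the disclaimer.
    $copyright.InnerText = $text
    $xml.Save($file)
    "$($_.Name) [$key]: version label now '$($version.InnerText)'"
}
```

Add one hashtable entry per language suffix you find in \App_LocalResources; any language without an entry gets the default text, so no portal page is left without a disclaimer.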

 

Adding a disclaimer, option 2

Now, the above method to add a disclaimer actually adds a disclaimer to every page in the Azure Multi-Factor Authentication Server User Portal, not just the login page. If you really want the disclaimer to show only on the login page of the Azure Multi-Factor Authentication Server User Portal, follow these steps:

  1. Log on interactively to the Windows Server hosting the Azure Multi-Factor Authentication Server User Portal with a user account that has administrative privileges.
  2. Open File Explorer and navigate to the folder where the Azure Multi-Factor Authentication Server User Portal is installed. By default, it is located in C:\inetpub\wwwroot\MultiFactorAuth.
  3. Click on the login.aspx file to select it and then right-click it. Select Edit from the context menu. This should open Notepad.
  4. In the file, find a good place to provide the disclaimer text. You might opt to place it between the login fields elements and the login button element, before these elements, or after the login button element. The login button element is identified by:

    Button ID="btnLogin"

  5. Copy the first line of one of the login field labels and place it between, before or after the elements, but before the </div> tag. Then, change it to make it read:

    <h5><asp:Label ID="lblDisclaimer" runat="server" Text="Your disclaimer text here"></asp:Label></h5>
     
  6. Save the login.aspx file.
  7. Close Notepad.

You might notice that I’m not copying over the lbl values or introducing a new lblDisclaimerResource1. That is the way to make your disclaimer available in multiple languages, depending on the browser language settings used by your colleagues, but the downside is that you will have to define lblDisclaimerResource1 in each of the login.aspx.xx.resx files in the \App_LocalResources subfolder… If your organization has different disclaimers for each of the languages/countries you do business in, then this is the way to go. Otherwise, it’s a lot of work to implement only one language-specific disclaimer…

Unfortunately, this second option for adding a disclaimer involves editing the *.aspx files of your Azure Multi-Factor Authentication Server User Portal(s). You might have a hard time getting Microsoft support for your implementation, until you revert the changes.
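Steps 3 to 7 of option 2, scripted so the edit to login.aspx is the same on every server and can be reverted from the backup it leaves behind. This is an added example, not code from the original post or the product. It assumes the default installation path and that the login button is declared on a line containing `ID="btnLogin"`, as the post states; the disclaimer text is a constructed placeholder. The label is placed on the line immediately before the button, so it stays inside the same `<div>` as the login fields, and the text is XML-escaped so a quote or angle bracket in the disclaimer cannot break the markup.

```powershell
# Added example (not from the original post): apply "Adding a disclaimer, option 2"
# by inserting a label element immediately before the login button in login.aspx.
# Assumes the default install path and a button declared as Button ID="btnLogin";
# the disclaimer text is a constructed placeholder.
param(
    [string]$PortalRoot = 'C:\inetpub\wwwroot\MultiFactorAuth',
    [string]$Disclaimer = 'Authorized users only. Activity on this portal is logged.'
)

$loginPage = Join-Path $PortalRoot 'login.aspx'
if (-not (Test-Path $loginPage)) { throw "login.aspx not found at $loginPage" }
$lines = @(Get-Content -Path $loginPage)   # one string per line

# Make the script safe to run twice: never insert a second label.
if ($lines -match 'ID="lblDisclaimer"') {
    'login.aspx already contains lblDisclaimer; nothing to do'
    return
}

# Locate the line that declares the login button.
$buttonIndex = -1
for ($i = 0; $i -lt $lines.Count; $i++) {
    if ($lines[$i] -match 'ID="btnLogin"') { $buttonIndex = $i; break }
}
if ($buttonIndex -lt 0) { throw 'Could not find the btnLogin element in login.aspx' }

# Escape &, <, >, " and ' so the text cannot terminate the attribute or add markup.
$safeText = [System.Security.SecurityElement]::Escape($Disclaimer)
$indent   = $lines[$buttonIndex] -replace '^(\s*).*$', '$1'   # reuse the button's indentation
$label    = "$indent<h5><asp:Label ID=`"lblDisclaimer`" runat=`"server`" Text=`"$safeText`"></asp:Label></h5>"

# Backup first; upgrades overwrite login.aspx and Microsoft support may ask you to revert.
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
Copy-Item -Path $loginPage -Destination "$loginPage.$stamp.bak"

$newLines = @()
if ($buttonIndex -gt 0) { $newLines += $lines[0..($buttonIndex - 1)] }
$newLines += $label
$newLines += $lines[$buttonIndex..($lines.Count - 1)]
Set-Content -Path $loginPage -Value $newLines -Encoding UTF8

"Inserted disclaimer label before btnLogin (line $($buttonIndex + 1)). Backup: $loginPage.$stamp.bak"
```

To revert before contacting Microsoft support, copy the .bak file back over login.aspx on each server.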

 

Concluding

Many Azure Multi-Factor Authentication Server User Portals are not branded. The information above provides guidance on applying branding and implementing disclaimers for your implementation.

Your Azure Multi-Factor Authentication Server User Portals could look like this, with just five minutes of work:

Example of a branded Azure Multi-Factor Authentication Server User Portal (click for original screenshot)

Further reading

Add a banner to login portal
Deploy the user portal for the Azure Multi-Factor Authentication Server
Install MFA User Portal
When you should use Azure MFA and when you should use MFA Server


Join me for an Active Directory Backup and Recovery webinar, in cooperation with Veeam

Active Directory: Backup and Recovery

This year, as a Veeam Vanguard, I’m hosting a series of three Active Directory Domain Services webinars, together with Timothy Dewin and hosted by Veeam.

With the basics and most of the virtualization gotchas covered, on March 21, it’s time for the topic everyone has been waiting for: Backup and Recovery.

It’s the last webinar in the series, so we’re turning the tables on the format: This time, Timothy will present the session, and I’m there to interrupt him so he can answer all the questions you might have as an attendee.

You can join the EMEA session at 2 PM CET, or you can join the Americas session at 1 PM EDT. Both sessions are (nearly) identical.

 

Sign up

Sign up for these webinars for free here.

 

About the Veeam Active Directory Webinars

The Active Directory Deep Dive series of webcasts consists of three Active Directory Domain Services-oriented webinars, that I’m hosting together with Timothy Dewin and Veeam.

February 21: Active Directory 101

Get into Active Directory basics and best practices, including:

  1. Deep dive into specifics of Active Directory service roles
  2. Domain Controllers deploying, grouping and interaction with DNS and DHCP services
  3. Proper configuration of AD

March 7: Active Directory and Virtualization

Deep dive into the latest changes of Active Directory, including:

  1. Challenges and recommendations with virtualizing Domain Controllers
  2. How Domain Controller Cloning saves your bacon
  3. Five key enhancements in Active Directory security in Windows Server 2016

March 21: Active Directory Backup and Restore

Do you know how many people couldn’t restore their ADs due to bad configuration?
Learn how to:

  1. Accordingly configure your backup jobs
  2. Avoid fails at restores
  3. Verify the recoverability of every Active Directory backup

Each webinar is repeated on the same day, to accommodate attendees around the globe. The first session is scheduled for 2PM CET. The second session is scheduled for 1PM EDT.


Branding your Hybrid Identity Solution, Part 5: Azure Multi-Factor Authentication Server’s AD FS Adapter implementation

Once you’ve branded the Active Directory Federation Services (AD FS) and Azure Active Directory pages, you might want to apply your corporate branding to the Active Directory Federation Services adapter pertaining to your on-premises Azure Multi-Factor Authentication (MFA) Server.

For AD FS running on Windows Server 2012 R2, this means that the Azure Multi-Factor Authentication (MFA) adapter plugs into the Active Directory Federation Services (AD FS) login pages.

 

Customizing the MFA Choice prompt

When your Active Directory Federation Services (AD FS) implementation features more than one multi-factor authentication adapter, users that are required to perform multi-factor authentication are prompted to choose the method for the additional verification.

Note:
In environments where multi-factor authentication is critical to secure access to highly-classified data, it’s best to implement (at least) two multi-factor authentication solutions. This way, one can fail, without degrading the level of authentication assurance.

Since MFA adapters in Windows Server 2012 R2 are defined as a global setting, the choice cannot be made for the end-user, when you have multiple MFA adapters.

When, for instance, you use certificate-based authentication and Azure Multi-Factor Authentication, you will see the following text displayed in the custom authentication rendering area:

For security reasons, we require additional information to verify your account
Sign in using an X.509 certificate

Multi-Factor Authentication

 

Of course, this isn’t very consistent in the labels for the authentication method, so you might want to change the label for Azure Multi-Factor Authentication to read something like Sign in using Azure MFA or Sign in using PhoneFactor.

The labels for the additional verification are based on the localization settings of the browser the end-user is using. It does not use the language specified for the user object in the Azure Multi-Factor Authentication Server database.

So, for the languages in use, we’ll change the label for the Azure Multi-Factor Authentication (MFA) adapter for Active Directory Federation Services (AD FS) in the AD FS configuration. This is only possible through Windows PowerShell.

Note:
The labels showed above are the default labels for the Authentication Providers in AD FS.

MFA Server Version 7.1.0.2 and below

To change the label for Azure Multi-Factor Authentication, regardless of locale, use the following PowerShell one-liner:

Set-ADFSAuthenticationProviderWebContent -Name AzureMultiFactorAuthenticationServer -DisplayName "Sign in using MFA"

To change the label for Azure Multi-Factor Authentication for a specific locale, use the following PowerShell one-liner:

Set-ADFSAuthenticationProviderWebContent -Name AzureMultiFactorAuthenticationServer -Locale en-us -DisplayName "Sign in using MFA"

To get a list of all your modifications, use the following PowerShell one-liner:

Get-ADFSAuthenticationProviderWebContent

To remove a modification you’ve made above, use Remove-ADFSAuthenticationProviderWebContent in the same fashion as you would change them, using the -Name and, optionally, the -Locale parameters.

MFA Server Version 7.2.0.1 and up

To change the label for Azure Multi-Factor Authentication, regardless of locale, use the following PowerShell one-liner:

Set-ADFSAuthenticationProviderWebContent -Name AzureMFAServerAuthentication -DisplayName "Sign in using MFA"

To change the label for Azure Multi-Factor Authentication for a specific locale, use the following PowerShell one-liner:

Set-ADFSAuthenticationProviderWebContent -Name AzureMFAServerAuthentication -Locale en-US -DisplayName "Sign in using MFA"

List modifications

To get a list of all your modifications, use the following PowerShell one-liner:

Get-ADFSAuthenticationProviderWebContent

To remove a modification you’ve made above, use Remove-ADFSAuthenticationProviderWebContent in the same fashion as you would change them, using the –Name and, optionally, the –Locale parameters.
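As an added example (this is not code from the original post), the following script ties the one-liners for both MFA Server versions together: it discovers which of the two adapter names is registered on the farm instead of guessing, applies a label per locale in one go, and lists the result for verification. The locales and label texts are assumptions; adjust them to the languages your users actually run.

```powershell
# Added example, not code from the original post.
# Assumes the adapter names the post lists: AzureMultiFactorAuthenticationServer
# (MFA Server 7.1.0.2 and below) or AzureMFAServerAuthentication (7.2.0.1 and up).
# Run in an elevated Windows PowerShell session on an AD FS server.
Import-Module ADFS

# Discover which Azure MFA Server adapter is registered, rather than hard-coding one.
$candidates = 'AzureMFAServerAuthentication', 'AzureMultiFactorAuthenticationServer'
$adapter = Get-ADFSAuthenticationProvider |
    Where-Object { $candidates -contains $_.Name } |
    Select-Object -First 1
if (-not $adapter) { throw 'No Azure MFA Server adapter is registered in AD FS.' }

# Labels per locale (assumed values). AD FS chooses the locale from the browser's
# language settings, so cover every language in use; the empty key is the
# locale-less default that applies when no locale-specific entry matches.
$labels = @{
    ''      = 'Sign in using Azure MFA'
    'en-US' = 'Sign in using Azure MFA'
    'nl-NL' = 'Aanmelden met Azure MFA'
    'de-DE' = 'Anmelden mit Azure MFA'
}

foreach ($locale in $labels.Keys) {
    $params = @{ Name = $adapter.Name; DisplayName = $labels[$locale] }
    if ($locale) { $params.Locale = $locale }
    Set-ADFSAuthenticationProviderWebContent @params
}

# Verify what is now configured for this adapter only.
Get-ADFSAuthenticationProviderWebContent |
    Where-Object { $_.Name -eq $adapter.Name } |
    Format-Table Name, Locale, DisplayName -AutoSize
```

To undo a single entry, call Remove-ADFSAuthenticationProviderWebContent with the same –Name and, for a locale-specific label, the same –Locale value you passed to Set-ADFSAuthenticationProviderWebContent.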

 

Branding MFA User Enrollment through AD FS

By default, the Allow user enrollment setting for the Azure Multi-Factor Authentication Adapter for Active Directory Federation Services (AD FS) is off.

Settings for the Azure Multi-Factor Authentication Adapter for Active Directory Federation Services (AD FS) in Azure MFA Server

When you’ve enabled Allow user enrollment for the Azure Multi-Factor Authentication Adapter for Active Directory Federation Services (AD FS) (and restarted the MFA User Portal website), users who have not yet registered an authentication method are prompted to enroll during AD FS sign-in, and branding is applied to that enrollment process using the AD FS Branding configuration.

Sure enough, this takes care of all the branding needs your organization might have.

 

Concluding

Customizing the way Active Directory Federation Services (AD FS) and Azure Multi-Factor Authentication (MFA) Server interact mostly follows AD FS branding; the one exception is the label for the authentication method, which you set per locale with Windows PowerShell.

Further reading

ADFS: Certificate Authentication with Azure AD & Office 365
Leverage Multi-Factor Authentication Server for Azure AD single sign-on with AD FS


Important Update for Active Directory Federation Services (MS17-019, KB4010320, CVE-2017-0043)

Today, for its March 2017 Patch Tuesday, Microsoft released an important security update for Active Directory Federation Services (AD FS).

The security update addresses a vulnerability that could allow information disclosure if an attacker sends a specially crafted request to an AD FS server, allowing the attacker to read sensitive information about the target system.

 

About the vulnerability

An information disclosure vulnerability exists when Windows Active Directory Federation Services (AD FS) honors XML External Entities. An authenticated attacker who successfully exploited this vulnerability would be able to read sensitive information about the target system.

To exploit this condition, an authenticated attacker would need to send a specially crafted request to the AD FS implementation.

Note that the information disclosure vulnerability by itself would not be sufficient for an attacker to compromise a system. However, an attacker could combine this vulnerability with additional vulnerabilities to further exploit the system.

The vulnerability is described in detail in CVE-2017-0043.

Affected Operating Systems

This security update is rated Important for all supported releases of Windows Server:

  • Windows Server 2008,
  • Windows Server 2008 R2,
  • Windows Server 2012,
  • Windows Server 2012 R2, and
  • Windows Server 2016

 

About the update

The update addresses the vulnerability by adding additional verification checks in ADFS and causing it to ignore malicious XML External Entities.
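To make concrete what “honoring XML External Entities” means and what the fix amounts to, here is an added example that is not code from the original post and not AD FS code: a generic XXE demonstration against a .NET XML parser from PowerShell. A constructed document declares an external entity pointing at a constructed local file; a parser that processes DTDs and has a resolver expands the entity with the file’s contents (the vulnerable behavior), while a parser configured to refuse DTDs rejects the document before any entity can be resolved (the hardened behavior). The file path, file contents and document are all constructed for the demonstration.

```powershell
# Added example, not code from the original post and not AD FS code.
# Runs in Windows PowerShell 5.1 or PowerShell 7 on Windows.

# A constructed "sensitive" file that the external entity will point at.
$secretPath = Join-Path ([IO.Path]::GetTempPath()) 'xxe-demo-secret.txt'
Set-Content -Path $secretPath -Value 'S3cret-value-that-must-not-leak' -NoNewline
$secretUri = ([Uri]$secretPath).AbsoluteUri   # file:///C:/Users/.../xxe-demo-secret.txt

# A constructed request: the DTD declares an external entity resolving to the
# local file, and the document body references that entity.
$xml = @"
<?xml version="1.0"?>
<!DOCTYPE request [
  <!ENTITY xxe SYSTEM "$secretUri">
]>
<request><username>&xxe;</username></request>
"@

function Read-Username {
    param(
        [string] $Document,
        [System.Xml.XmlReaderSettings] $Settings
    )
    $text   = New-Object System.IO.StringReader -ArgumentList $Document
    $reader = [System.Xml.XmlReader]::Create($text, $Settings)
    try {
        $doc = New-Object System.Xml.XmlDocument
        $doc.Load($reader)
        return $doc.SelectSingleNode('/request/username').InnerText
    }
    finally { $reader.Dispose() }
}

# 1. Vulnerable configuration: DTDs are parsed and a resolver is available,
#    so &xxe; is expanded with the contents of the file.
$unsafe = New-Object System.Xml.XmlReaderSettings
$unsafe.DtdProcessing = [System.Xml.DtdProcessing]::Parse
$unsafe.XmlResolver   = New-Object System.Xml.XmlUrlResolver
$leaked = Read-Username -Document $xml -Settings $unsafe
"Unsafe parser returned: $leaked"

# 2. Hardened configuration: the DTD is refused outright and no resolver is
#    set, so the request fails before any external entity can be fetched.
$safe = New-Object System.Xml.XmlReaderSettings
$safe.DtdProcessing = [System.Xml.DtdProcessing]::Prohibit
$safe.XmlResolver   = $null
try {
    Read-Username -Document $xml -Settings $safe
}
catch {
    "Hardened parser rejected the document: $($_.Exception.GetBaseException().Message)"
}

Remove-Item $secretPath
```

The same entity could just as well point at an http:// URL, which is why a resolver on a server-side parser also turns XXE into a server-side request forgery primitive; refusing DTDs (or at least ignoring them) closes both avenues.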

To apply the update, install the following update per Windows and/or Windows Server version:

  • Windows Server 2008 with Service Pack 2 (x86 and x64): KB3217882
  • Windows Server 2008 R2 with Service Pack 1: KB4012212 (security-only update) or KB4012215 (monthly rollup)
  • Windows Server 2012: KB4012214 (security-only update) or KB4012217 (monthly rollup)
  • Windows Server 2012 R2: KB4012213 (security-only update) or KB4012216 (monthly rollup)
  • Windows Server 2016: KB4013429 (cumulative update)

 

Call to action

I urge you to install the necessary security updates on Windows Server installations acting as Active Directory Federation Services (AD FS) servers in a test environment as soon as possible. Assess the risk and the possible impact on your production environment, and then roll out this update to the Windows Server installations acting as AD FS servers in production.
