Aug 25 2014

Well, I’ve finally managed to assemble the dream – a proper work space for working on servers, workstations, laptops and the like.  It’s been years since I’ve been in a position to put something together, but a few weeks ago I managed to finalize the installation.


Aside from the home handyman capabilities this setup allows, the integrated LCD monitor, 5-port gigabit switch, waterproof keyboard and wireless mouse set under a twin pair of halogen lights give me a place to bring equipment for full analysis and tinkering.

That is… assuming it’s not freezing in the garage – the room isn’t insulated (yet) so there’s still that barrier to entry.  Have you got a similar work space?

Aug 21 2014

It’s been over two years since my last foray into the murky waters of Active Directory Federation Services (ADFS) 2.0, and a return to claims-based authentication and federation was well past due.

My previous journeys were somewhat chronicled here and here.  This time around though, I’m going to be focusing on the latest and greatest – meaning Windows Server 2012 R2 (with update), which has been a far more pleasant journey thus far.

I literally started from scratch, because I rather like the environment to be clean before establishing a baseline configuration.  From my earlier article:

so if you’re going to do this properly, get your certificates sorted out up front.  My approach is to install and configure an Enterprise Certificate Authority and issue certificates from there.  Then, it’s just a matter of trusting the root CA (signing) certificate in your environment, and your cert chain should be valid

I’m excited to say I took my own advice and started with the basics first.  As you may recall from my earlier writing, my preferred scenario architecture is the segregation of external and internal entities by way of separate Active Directory forests.

As last time, I’m working predominantly with an initial set of four separate virtual servers, configured as follows:


Using an Enterprise CA, I trust the root CAs and then issue certificates as needed, and manage the DNS within each Active Directory forest.  This time around I fully configured the CAs in both domains for web enrolment and device enrolment as well as updating group policy to include the Enrolment Policy locations.


I also added the Root CA of each domain to the Trusted Root Certificate store on the opposite domain’s DC (where AD FS is located) so that the federation URIs would validate when the trusts were established.

Believe it or not, this doesn’t take very long to set up.  Configuring each domain at the same time (in parallel), I had most of the configuration working and tested in about an hour or so.  Having done it many times before, I knew the correct order to install and configure which makes a huge difference.

Installing IIS on the CA server also means you can avoid having to install IIS on the domain controller, which is a nice win in terms of resource minimisation.

Since we’re dealing with a few certificates here and there, it’s important to remember that clients/machines that do not trust the root CA signing certificate will experience warnings or other inconveniences – in other words, don’t do this in a Production environment unless it is used solely in-house, where you can deploy the CA signing certificate into the trusted root CA stores.

External AD FS installations should always be signed using a certificate from an external (public) CA such as https://www.startssl.com, which offers free class-1 certificates.

(Image: Certificate Path)

My Desired Outcome

What I want to be in a position to do is to offer users a choice of realms:


For the sake of keeping things clear, I’ve labelled the relying parties to indicate which domain they live in, but you probably would label the DMZ as ‘External Users’.

What should happen, once a user has authenticated, is that their subsequent requests to claims-aware applications shouldn’t require any further authentication, and their identity should be available across both environments.

Generating Valid Certificates – The Low Effort Way

Another tip – the AD FS installation expects a certificate (plus private key), in .pfx format, whose common name matches the ADFS service name you’re going to configure.

If you want a fast way of generating a web server certificate and you have an Enterprise CA installed and configured within the domain, you can switch to IIS Manager and request a Domain Certificate when viewing the server features (under Server Certificates):


Here you can add the common name and friendly name.


When you’ve entered the information, the wizard will go off and request a Web Server certificate based on the common name, and then automatically store it in the Computer account’s certificate store.  You can fire up MMC and add the Certificates snap-in (File –> Add/Remove Snap-in), making sure you select ‘Computer account’ along the way:


Once the certificate is located, you can simply export it including the private key.  Just move the exported .pfx file to the ADFS host, and you’re ready to install with a valid certificate.
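The same request-and-export procedure can be scripted rather than clicked through in IIS Manager and MMC. The PowerShell below is an added example and not code from the original post; it assumes the Enterprise CA publishes the default "WebServer" template, that the host can reach the enrolment policy (as configured via group policy above), and uses adfs.corp.example.com and C:\Temp\adfs-service.pfx as placeholders. It also checks the chain before exporting, so a missing root CA trust is caught here rather than on the AD FS host.

```powershell
# Added example (not from the original post): request a Web Server certificate from
# the domain's Enterprise CA, confirm it chains to a trusted root, and export it with
# its private key as a .pfx for the AD FS host.
# Assumptions: the "WebServer" template is published, the PKI module (Server 2012 R2)
# is available, and the names below are placeholders.

$ServiceName = 'adfs.corp.example.com'     # placeholder: your AD FS service FQDN
$PfxPath     = 'C:\Temp\adfs-service.pfx'   # placeholder: output path

# 1. Request the certificate from the Enterprise CA into the Computer account's
#    Personal store (the scripted equivalent of "Create Domain Certificate").
$result = Get-Certificate -Template 'WebServer' `
                          -SubjectName "CN=$ServiceName" `
                          -DnsName $ServiceName `
                          -CertStoreLocation 'Cert:\LocalMachine\My'
if ($result.Status -ne 'Issued') {
    throw "Certificate request was not issued (status: $($result.Status))."
}
$cert = $result.Certificate

# 2. Validate the chain against this machine's trust store using the SSL policy and
#    the name AD FS will be reached by. A failure here is the same warning that a
#    client without the root CA in its trusted store would see.
if (-not (Test-Certificate -Cert $cert -Policy SSL -DNSName $ServiceName)) {
    throw "Certificate for $ServiceName does not chain to a trusted root on this host."
}

# 3. Confirm the private key is present, then export certificate + key as a .pfx.
#    The password is prompted for rather than hard-coded; BuildChain includes the
#    issuing CA certificates so the AD FS host has the full path.
if (-not $cert.HasPrivateKey) {
    throw "No private key is associated with $($cert.Thumbprint)."
}
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
Export-PfxCertificate -Cert $cert -FilePath $PfxPath `
                      -Password $pfxPassword -ChainOption BuildChain | Out-Null

Write-Host "Exported $($cert.Subject) ($($cert.Thumbprint)) to $PfxPath"
```

Run it in an elevated PowerShell session on a domain-joined host, since writing to the Computer account's Personal store and exporting the private key both require local administrator rights. The .pfx now contains the private key, so treat the file with the same care as the key itself and delete it once it has been imported on the AD FS host.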

A word about ADFS installation

I’m not going to go into detail about how to set up AD FS 3.0 itself.  The existing documentation on the Internet is quite accurate, and honestly, if you’ve established the environment correctly, it’s really not tricky to do.  In Windows Server 2012 R2, ADFS 3.0 is a bona fide server role (in 2008/R2 the server role was ADFS 1.0/1.1; 2.0 was a separate download & install).

Sanity Checking the ADFS configuration

As mentioned in an earlier post, a quick browse to the following location: https://<your adfs location>/federationmetadata/2007-06/federationmetadata.xml should yield a metadata response:
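The same sanity check as a script, added here and not part of the original post: it fetches the metadata over HTTPS, confirms the response really is federation metadata by reading the entityID, and lists the token-signing certificates the metadata advertises, which are the keys relying parties will trust. It assumes the placeholder service name adfs.corp.example.com and that the host running it trusts the CA that issued the service certificate; otherwise the request fails with the chain error the post warns about, which is itself a useful result.

```powershell
# Added example (not from the original post): retrieve and inspect AD FS federation
# metadata instead of just eyeballing the XML in a browser.
# Assumptions: the service name is a placeholder and this host trusts the issuing CA.

$ServiceName = 'adfs.corp.example.com'   # placeholder: your AD FS service FQDN
$MetadataUrl = "https://$ServiceName/FederationMetadata/2007-06/FederationMetadata.xml"

# 1. Fetch over HTTPS. Invoke-WebRequest validates the server certificate, so a
#    chain error here reproduces the warning a client without the root CA would see.
$response = Invoke-WebRequest -Uri $MetadataUrl -UseBasicParsing
[xml]$metadata = $response.Content

# 2. The root element is an EntityDescriptor; its entityID is the federation service
#    identifier that relying parties will be configured to trust.
$entityId = $metadata.EntityDescriptor.entityID
if (-not $entityId) { throw "Response from $MetadataUrl is not federation metadata." }
Write-Host "entityID: $entityId"

# 3. List the token-signing certificates advertised in the metadata, de-duplicated by
#    thumbprint. Relying parties accept tokens signed with these keys, so thumbprint
#    and expiry are what to record. AD FS generates self-signed token-signing
#    certificates by default, so Issuer equal to Subject is expected here.
$ns = New-Object System.Xml.XmlNamespaceManager($metadata.NameTable)
$ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
$ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')
$xpath = '//md:KeyDescriptor[@use="signing"]/ds:KeyInfo/ds:X509Data/ds:X509Certificate'

$seen = @{}
foreach ($node in $metadata.SelectNodes($xpath, $ns)) {
    $raw  = [Convert]::FromBase64String($node.InnerText)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$raw)
    if ($seen.ContainsKey($cert.Thumbprint)) { continue }
    $seen[$cert.Thumbprint] = $cert

    $flag = if ($cert.NotAfter -lt (Get-Date)) { '  (EXPIRED)' } else { '' }
    Write-Host ("signing cert {0}`n  subject : {1}`n  issuer  : {2}`n  expires : {3:yyyy-MM-dd}{4}" -f `
        $cert.Thumbprint, $cert.Subject, $cert.Issuer, $cert.NotAfter, $flag)
}
if ($seen.Count -eq 0) { throw "No signing certificates found in metadata from $ServiceName." }
```

Run it from a machine in either forest after the root CAs have been cross-trusted as described above. Two signing certificates listed at once is normal during automatic certificate rollover; an expired one, or a thumbprint you do not recognise, is the thing to chase before establishing any relying party trusts.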


Summary

This was just a brief intro to the environment I’ve configured; I’ll be going into more detail about how to live in a claims-aware environment in subsequent articles.

Jul 24 2014


Today I authenticated to the Azure portal to look at setting up a new Azure service when I took note of the alert (above) which popped up from the notification bar.

So what are subscriptions and directories?

Subscriptions and directories are accessed via the Subscriptions menu within the portal:

You can have multiple subscriptions under a directory, and multiple assets (databases, sites etc.) linked to subscriptions.


Subscription*: Subscriptions are a container for billing, but they also act as a security boundary: each subscription has a Service Administrator (SA) who can add/remove/modify Azure resources in that subscription by using the Azure Management Portal (https://manage.windowsazure.com/).

Directory*: The Directory defines a set of users, which can be Organizational (i.e. sourced in that Directory) or Foreign (such as Microsoft Accounts).

* Source

My situation

I noticed that my SQL Azure databases weren’t listed with all the other usual assets, like Web Sites and so forth.

It was a few seconds later that I understood what was going on.  I recently had all my current Azure assets migrated from another Microsoft Account to my current one, and this process went well with no loss of connectivity and no need for me to upload or reconfigure existing sites and services.

However, whilst the SQL Azure databases have been migrated and are now associated with my new Microsoft Account, they are linked against an expiring subscription.  Since this is a bit tricky to explain, I’ve tried to illustrate the scenario with a diagram:


My question is: is it possible to move the items linked to Directory ‘B’ into Directory ‘A’?

More information on the subscription/directory structure

Then I came across this post on the TechNet forums, which links to a Word document which outlines the changes to Azure which occurred late last year.  From the document:

For users with subscriptions across multiple directories, they have the ability to switch the current context of the Azure Management Portal by using the Subscription Filter. Under the covers, this results in a separate login to a different Directory, but this is accomplished seamlessly using single sign-on (SSO).

Operations such as moving resources between subscriptions can be more difficult as a result of this single directory view of subscriptions. If necessary, the subscriptions may first need to be associated to the same directory (using the Edit Directory feature in Settings → Subscriptions) in order to perform the resource transfer.

Success

After reading one of Scott Gu’s blog posts linked from the TechNet forum post, I achieved the desired outcome.  To borrow from that article:

If you already have multiple directories and multiple subscriptions within your Windows Azure account, we have done our best to create a good default mapping of your subscriptions->directories as part of today’s update.  If you don’t like the default subscription-to-directory mapping we have done you can click the Settings tab in the left-hand navigation of the Windows Azure Management Portal and browse to the Subscriptions tab within it:


If you want to map a subscription under a different directory in your account, simply select the subscription from the list, and then click the “Edit Directory” button to choose which directory to map it to.  Mapping a subscription to a different directory takes only seconds and will not cause any of the resources within the subscription to recycle or stop working.  We’ve made the directory->subscription mapping process self-service so that you always have complete control and can map things however you want.

Source: http://weblogs.asp.net/scottgu/windows-azure-backup-services-release-hyper-v-recovery-manager-vm-enhancements-enhanced-enterprise-management-support

Once you have moved the subscription’s directory, all the assets follow to the target directory.  Now all that’s left to do is move my assets from one subscription to another:


Shouldn’t be too hard, right?  I’ll have to get back to you about that…

Maybe the new Portal might help?
