Aug 21 2014

It’s been over two years since my last foray into the murky waters of Active Directory Federation Services (ADFS) 2.0 and it came past due for a return to claims-based authentication and federation.

My previous journeys were somewhat chronicled here and here.  This time around though, I’m going to be focusing on the latest and greatest – meaning Windows Server 2012 R2 (with update), which has been a far more pleasant journey thus far.

I literally started from scratch, because I rather like the environment to be clean before establishing a baseline configuration.  From my earlier article:

so if you’re going to do this properly, get your certificates sorted out up front.  My approach is to install and configure an Enterprise Certificate Authority and issue certificates from there.  Then, it’s just a matter of trusting the root CA (signing) certificate in your environment, and your cert chain should be valid

I’m excited to say I took my own advice and started with the basics first.  As you may recall from my earlier writing, my preferred scenario architecture is the segregation of external and internal entities by way of separate Active Directory forests.

As last time, I’m working predominantly with an initial set of four separate virtual servers, configured as follows:


Using an Enterprise CA, I trust the root CAs and then issue certificates as needed, and manage the DNS within each Active Directory forest.  This time around I fully configured the CAs in both domains for web enrolment and device enrolment as well as updating group policy to include the Enrolment Policy locations.



I also added the Root CAs of each domain to the Trusted Root Certificate store in the opposite domain’s DC (where AD FS is located) so that the federation URIs would be valid when the trusts were established.
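Trusting a foreign root CA in the machine’s Trusted Root store is the step that makes the partner forest’s federation URIs valid, and it is also the step that grants that CA the most trust, so it is worth gating on a thumbprint confirmed out of band. The following PowerShell is an added example (not from the original post) for a Windows Server 2012 R2 DC; the file path, expected thumbprint and partner host name are placeholders you would replace.

```powershell
# Added example: import the opposite forest's root CA into LocalMachine\Root only after
# its thumbprint matches a value obtained out of band, then confirm the partner's
# federation metadata endpoint now presents a trusted TLS chain.
# Placeholders (assumptions, not values from the original post):
$RootCerPath        = 'C:\certs\partner-root-ca.cer'       # .cer exported from the other forest's CA
$ExpectedThumbprint = 'REPLACE-WITH-THUMBPRINT-CONFIRMED-OUT-OF-BAND'
$PartnerAdfsHost    = 'adfs.partner.example'               # AD FS service name in the other forest

# Load the certificate from disk without installing it yet.
$rootCa = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $RootCerPath

# Anything placed in LocalMachine\Root is trusted for every purpose on this machine,
# so refuse to import a certificate whose thumbprint was not independently confirmed.
$expected = ($ExpectedThumbprint -replace '\s', '').ToUpper()
if ($rootCa.Thumbprint -ne $expected) {
    throw "Thumbprint mismatch for $($rootCa.Subject): got $($rootCa.Thumbprint); refusing to import."
}

# A root CA is self-issued; an intermediate belongs in Cert:\LocalMachine\CA instead.
if ($rootCa.Subject -ne $rootCa.Issuer) {
    throw "$($rootCa.Subject) is not self-issued; import it into the Intermediate store, not Root."
}

# Import-Certificate ships in the PKI module on Windows Server 2012 R2.
$imported = Import-Certificate -FilePath $RootCerPath -CertStoreLocation 'Cert:\LocalMachine\Root'
Write-Host "Imported root CA: $($imported.Subject) [$($imported.Thumbprint)]"

# Sanity check: the partner's federation metadata endpoint should now be reachable
# without a TLS trust error. -UseBasicParsing avoids the Internet Explorer dependency.
$metadataUrl = "https://$PartnerAdfsHost/federationmetadata/2007-06/federationmetadata.xml"
try {
    $resp = Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing
    Write-Host "TLS chain to $PartnerAdfsHost validated (HTTP $($resp.StatusCode), $($resp.RawContentLength) bytes)."
}
catch {
    # A 'Could not establish trust relationship' message here means the chain still does
    # not build: check the issuing (intermediate) CA and that CRL locations are reachable.
    Write-Warning "Request to $PartnerAdfsHost failed: $($_.Exception.Message)"
}
```

Run it once on each DC that hosts AD FS, pointing at the other forest’s root CA and federation service name; repeat the import for each forest in the pair.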

Believe it or not, this doesn’t take very long to set up.  Configuring each domain at the same time (in parallel), I had most of the configuration working and tested in about an hour or so.  Having done it many times before, I knew the correct order to install and configure which makes a huge difference.

Installing IIS on the CA server also means you can avoid having to install IIS on the domain controller server, which is a nice win in terms of resource minimisation. 

Since we’re dealing with a few certificates here and there, it’s important to remember that clients/machines that do not trust the root CA signing certificate will experience warnings or other inconveniences – in other words, don’t do this in a Production environment unless it’s used solely in-house, where you can deploy the CA signing certificate into the trusted root CA stores.

External AD FS installations should always be signed using a certificate from an external (public) CA like which offers free class-1 certificates.

Certificate Path

My Desired Outcome

What I want to be in a position to do is to offer users a choice of realms:


For the sake of keeping things clear, I’ve labelled the relying parties to indicate which domain they live in, but you probably would label the DMZ as ‘External Users’.

What should happen, once a user has authenticated, is that their subsequent requests to claims-aware applications shouldn’t require any further authentication, and their identity should be available across both environments.

Generating Valid Certificates – The Low Effort Way

Another tip – the AD FS installation expects a certificate (plus private key), with the common name of the AD FS service you’re going to configure, in .pfx format.

If you want a fast way of generating a web server certificate and you have an Enterprise CA installed and configured within the domain, you can switch to IIS Manager and request a Domain Certificate when viewing the server features (under Server Certificates):


Here you can add the common name and friendly names


When you’ve entered the information, the wizard will go off and request a Web Server certificate based on the common name, and then will automatically store it in the Computer Account’s Certificate store.  You can fire up MMC and add the Certificates snap-in (File –> Add/Remove Snap-in), making sure you select ‘Computer account’ along the way:


Once the certificate is located, you can simply export it including the private key.  Just move the exported .pfx file to the ADFS host, and you’re ready to install with a valid certificate.
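The MMC export described above can also be scripted, which makes it easy to confirm the certificate is actually fit for AD FS (private key present, Server Authentication EKU, not about to expire) before the .pfx ever leaves the box. This PowerShell is an added example, not from the original post; the service name and output path are placeholders.

```powershell
# Added example: locate the Web Server certificate the IIS "Create Domain Certificate"
# wizard placed in the Computer account store, check it is usable for AD FS, and export
# it with its private key as a .pfx ready for the AD FS host.
# Placeholders (assumptions, not values from the original post):
$ServiceName = 'adfs.corp.example'          # common name entered in the IIS wizard
$PfxPath     = 'C:\certs\adfs-service.pfx'

# Pick the newest certificate whose subject CN is the federation service name.
$cert = Get-ChildItem 'Cert:\LocalMachine\My' |
    Where-Object { $_.Subject -eq "CN=$ServiceName" -or $_.Subject -like "CN=$ServiceName,*" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $cert) { throw "No certificate with CN=$ServiceName in Cert:\LocalMachine\My." }

# AD FS needs the private key; a certificate imported from a bare .cer will fail here.
if (-not $cert.HasPrivateKey) { throw "Certificate $($cert.Thumbprint) has no private key." }

# The Server Authentication EKU (1.3.6.1.5.5.7.3.1) must be present on a service/SSL certificate.
$ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
$hasServerAuth = $ekuExt -and ($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })
if (-not $hasServerAuth) { throw "Certificate $($cert.Thumbprint) lacks the Server Authentication EKU." }

if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate expires on $($cert.NotAfter); renew it before deploying AD FS."
}

# The .pfx carries the private key, so take the password interactively rather than hard-coding it.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# Export-PfxCertificate (PKI module) writes the key plus the issuing chain.
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $pfxPassword -ChainOption BuildChain | Out-Null
Write-Host "Exported $($cert.Subject) [$($cert.Thumbprint)] to $PfxPath"

# Read the file back to prove the private key survived the export.
$check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 ($PfxPath, $pfxPassword)
if ($check.HasPrivateKey -and $check.Thumbprint -eq $cert.Thumbprint) {
    Write-Host 'PFX verified: private key present and thumbprint matches.'
}
else {
    throw 'Exported PFX does not contain the expected private key.'
}
```

Copy the resulting file to the AD FS host over an authenticated channel and delete the local copy once the role is configured; the .pfx is equivalent to the service’s private key.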

A word about ADFS installation

I’m not going to go into detail about how to set up AD FS 3.0 itself; the existing documentation on the Internet is quite accurate, and honestly, if you’ve established the environment correctly, it’s really not tricky to do.  In Windows Server 2012 R2, ADFS 3.0 is a bona fide server role (in 2008/R2 the server role was ADFS 1.0/1.1; 2.0 was a separate download & install).

Sanity Checking the ADFS configuration

As mentioned in an earlier post, a quick browse to the following location: https://<your adfs location>/federationmetadata/2007-06/federationmetadata.xml should yield a metadata response:



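Beyond confirming that the metadata URL answers, the document itself tells you whether the install is sound: the entityID, the single sign-on endpoints, the token-signing certificate and its expiry, and whether the metadata is signed. The following PowerShell is an added example (not from the original post) that fetches the document and reports those facts; the host name is a placeholder.

```powershell
# Added example: fetch an AD FS 3.0 federation metadata document and report the
# facts worth checking after installation.
# Placeholder (assumption, not a value from the original post):
$AdfsHost    = 'adfs.corp.example'
$MetadataUrl = "https://$AdfsHost/federationmetadata/2007-06/federationmetadata.xml"

# A TLS trust error here means the issuing root CA is not trusted on this machine.
[xml]$md = (Invoke-WebRequest -Uri $MetadataUrl -UseBasicParsing).Content

# The SAML 2.0 metadata root carries the federation service identifier.
Write-Host "entityID : $($md.EntityDescriptor.entityID)"

# Namespace-aware XPath is more reliable than dotted property access for this document.
$ns = New-Object System.Xml.XmlNamespaceManager $md.NameTable
$ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
$ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')

$idp = $md.SelectSingleNode('/md:EntityDescriptor/md:IDPSSODescriptor', $ns)
if (-not $idp) { throw 'No IDPSSODescriptor found; this is not identity provider metadata.' }

# Endpoints that relying parties will send users to.
$idp.SelectNodes('md:SingleSignOnService', $ns) |
    ForEach-Object { Write-Host "SSO      : $($_.Binding) -> $($_.Location)" }

# Token-signing certificate(s): decode the base64 DER and report subject and expiry.
foreach ($kd in $idp.SelectNodes('md:KeyDescriptor[@use="signing"]', $ns)) {
    $b64 = $kd.SelectSingleNode('ds:KeyInfo/ds:X509Data/ds:X509Certificate', $ns).InnerText
    $raw = [Convert]::FromBase64String(($b64 -replace '\s', ''))
    $signing = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,$raw)
    $daysLeft = [int]($signing.NotAfter - (Get-Date)).TotalDays
    Write-Host "Signing  : $($signing.Subject) [$($signing.Thumbprint)] expires in $daysLeft days"
    if ($daysLeft -lt 60) {
        Write-Warning 'Token-signing certificate expires soon; plan the rollover with relying parties.'
    }
}

# AD FS signs the metadata document; relying parties should verify that signature
# rather than rely on the TLS channel alone when they import it.
$sig = $md.SelectSingleNode('/md:EntityDescriptor/ds:Signature', $ns)
Write-Host ("Signed   : {0}" -f [bool]$sig)
```

The entityID should read http://&lt;your adfs location&gt;/adfs/services/trust, and the signing certificate reported here is the one each relying party must hold; if it differs from what the partner has imported, token validation will fail even though the TLS check passes.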
This was just a brief intro to the environment I’ve configured, I’ll be going into more detail about how to live in a claims-aware environment in subsequent articles.

Jul 24 2014


Today I authenticated to the Azure portal to look at setting up a new Azure service when I took note of the alert (above) which popped up from the notification bar. 

So what are subscriptions and directories? 

Subscriptions and directories are accessed via the Subscriptions menu within the portal:

You can have multiple subscriptions under a directory, and multiple assets (databases, sites etc.) linked to subscriptions.


Term – Description

Subscription* – Subscriptions are a container for billing, but they also act as a security boundary: each subscription has a Service Administrator (SA) who can add/remove/modify Azure resources in that subscription by using the Azure Management Portal (

Directory* – The Directory defines a set of users, which can be Organizational (i.e. sourced in that Directory) or Foreign (such as Microsoft Accounts).

* Source

My situation

I noticed that my SQL Azure databases weren’t listed with all the other usual assets, like Web Sites and so forth.

It was a few seconds later when I understood what was going on.  I recently had all my current Azure assets migrated from another Microsoft Account to my current one, and this process went well with no loss of connectivity and no need for me to have to upload or reconfigure existing sites and services.

However, whilst the SQL Azure databases have been migrated and are now associated with my new Microsoft Account, they are linked against an expiring subscription.  Since this is a bit tricky to explain, I’ve tried to illustrate the scenario with a diagram:


My question is: is it possible to move the items linked to Directory ‘B’ into Directory ‘A’?

More information on the subscription/directory structure

Then I came across this post on the TechNet forums, which links to a Word document which outlines the changes to Azure which occurred late last year.  From the document:

For users with subscriptions across multiple directories, they have the ability to switch the current context of the Azure Management Portal by using the Subscription Filter. Under the covers, this results in a separate login to a different Directory, but this is accomplished seamlessly using single sign-on (SSO).

Operations such as moving resources between subscriptions can be more difficult as a result of this single directory view of subscriptions. If necessary, the subscriptions may first need to be associated to the same directory (using the Edit Directory feature in Settings –> Subscriptions) in order to perform the resource transfer.


After reading one of Scott Gu’s blog posts from the TechNet forum post, I achieved the desired outcome.  To borrow from that article:

If you already have multiple directories and multiple subscriptions within your Windows Azure account, we have done our best to create a good default mapping of your subscriptions->directories as part of today’s update.  If you don’t like the default subscription-to-directory mapping we have done you can click the Settings tab in the left-hand navigation of the Windows Azure Management Portal and browse to the Subscriptions tab within it:


If you want to map a subscription under a different directory in your account, simply select the subscription from the list, and then click the “Edit Directory” button to choose which directory to map it to.  Mapping a subscription to a different directory takes only seconds and will not cause any of the resources within the subscription to recycle or stop working.  We’ve made the directory->subscription mapping process self-service so that you always have complete control and can map things however you want.


Once you have moved the subscription’s directory, all the assets follow to the target directory.  Now all that’s left to do is move my assets from one subscription to another:


Shouldn’t be too hard, right?  I’ll have to get back to you about that… 

Maybe the new Portal might help?




Jul 20 2014


Hi There,

Today we’re taking a look at the rather appealing Kensington KeyFolio Executive with Bluetooth keyboard.  As regular readers would know, I’m a bit of a keyboard junkie, and I have developed a number of mobile keyboard solutions over the years.

Here’s one of my favourites – a Think Outside foldaway Bluetooth keyboard.

My foldaway keyboard

I include a photo of it here for comparison purposes – although they serve slightly different purposes, the KeyFolio I think achieves a far superior experience.  Let’s take a look.

The contents of the packaging are snapped in the picture below.  It’s a pretty straightforward setup, and quite a sleek looking folio, to be honest!

Unpacking / Box contents

Unpacking takes seconds, and everything’s already ready to go.  I was a little uncertain about how to insert the iPad into the folio – there’s what looked like an adhesive layer on the kickstand, and it looked so sticky, I feared the adhesion might be permanent!

USB charging cable attached

However, after some research on the Kensington website, it turns out that the adhesive isn’t adhesive per se, it’s an advanced seal using thousands of tiny suction points, and won’t ever lose its adhesion.  You can quite easily release a device without damage to it or to the folio.

Screenshot of the suction technology / Bluetooth pairing

Once installed, I powered on the keyboard and easily paired the tablet using BlueTooth.  The keyboard is actually rechargeable via a supplied USB cable.  That’s very handy, but in my experience you get quite a lot of life out of the keyboard before requiring any charge.

USB Cable

The kickstand is removable, as is the supplied folio card holder.  This can be useful if you wish to make better use of the space around you.  As you can see from the photos, the previously mentioned suction adhesive holds the tablet in place with no problems.

Kickstand / iPad attached to kickstand

It’s quite easy to use the folio and any devices attached either with the kickstand separate or within the folio, as you can see from the photo below.

iPad attached to the Folio

This would be most excellent for use when flying, for example, or any occasion where space is at a premium.  As the folio is quite light, you wouldn’t have trouble carrying it on trips or in an office environment.

Folio fully expanded

The folio, when opened completely, is actually quite large and well laid out, although it zips down into a parcel only slightly larger than a standard iPad.  The Bluetooth keyboard is slightly magnetized (to hold the base of a tablet in place) and also is removable.

The keyboard experience is actually very impressive for a mobile one.  As I mentioned earlier, my old favourite mobile keyboard from Think Outside is well outmatched by this Kensington.  As an Architect, I do a lot of writing, and as an IT consultant I tend to do a lot of it either on client sites or when I’m out and about.  As a consequence, I’ve used a lot of keyboards in the past 30 years, and they just keep getting better.

This folio is exactly what the doctor ordered, and has enabled me to integrate an iPad into my weekly consulting work.  The folio also doubles as a bit of a mobile workspace, in other words, a convenient way to store the various hard copy designs and specifications which “cross my desk” from time to time.  As a result, I heartily endorse this mobile solution.

You can find a very convenient range of Kensington Folios over at MobileZap where they have a great range of accessories, many (like this one) are perfect for the iPad Air.