Monitoring ADFS through AAD Connect Health Agent

The AAD Connect comes with a Health Agent which monitors the AAD Connect and logs in to Azure AD.

The events can be viewed from portal.office.com and Choose Azure Active Directory. Under Manage -> Choose Azure AD Connect.

On the right pane, under Health and Analytics -> Click Azure Active Directory Connect HealthScreen Shot 2018-08-17 at 13.24.27

Now that we know how AAD Connect is being monitored by AAD Connect Health Agent, the same agent can also be used to monitor ADFS server and ADFS-Proxy server as well.

To do so,

  1. Download the AAD Connect Health Agent from https://www.microsoft.com/en-us/download/details.aspx?id=48261
  2. Run the setup, make sure you are installing ADFS agent.Screen Shot 2018-08-17 at 12.56.02
  3. It will prompt you to “Configure now”.  Click on it.
  4. You will see the followingCapture

Make sure you have enabled auditing on ADFS server to capture those events on Azure portal.

To do so,

  1. Open windows powershell on ADFS server,
  2. Run the following command

auditpol.exe /set /subcategory:”Application Generated” /failure:enable /success:enable

3. Open AD FS management console, Click on “Edit Federation Service Properties”, Under Event tab, check all the events.

adfs console

Once you’ve done that, you can see events will start showing up on Azure Active Directory Connect Health

Of course you can monitor lot of events.  To know more,

https://docs.microsoft.com/en-us/azure/active-directory/connect-health/active-directory-aadconnect-health-adfs

VJ

 

.Net framework update causes AAD Connect to crash or CPU goes up to 100%

A recent .Net frame work update is causing the AAD Connect server to crash or the CPU utilization goes up to 100%

Go to Task manager and check the list of processes,

If MIcrosoft.Online.Reporting.MonitoringAgent.Startup is consuming high CPU or

If you have the following update,

KB4338420

Windows Server 2008

KB4338606

Windows Server 2008 R2

KB4054542

Windows Server 2012

KB4054566

Windows Server 2012 R2

KB4054590

KB4338814

KB4338419

KB4338605

KB4345418

General

Then update your Azure AD Connect Health Agent as soon as possible to avoid or stop a major issue in your infrastructure.

Use following link to know how to update them,

https://docs.microsoft.com/en-gb/azure/active-directory/connect-health/active-directory-aadconnect-health-agent-install#download-and-install-the-azure-ad-connect-health-agent

Reference: https://support.microsoft.com/en-gb/help/4346822/high-cpu-issue-in-azure-active-directory-connect-health-for-sync

 

Cannot add new connectors – AADConnect

AAD Connect is very flexible when the organization expands but at the sametime we should make sure the AAD Connect is up-to-date to coupe with the changes.

One of the incident that I’ve encounter may help others.

Issue : Cannot add new connectors to AAD Connect

I wanted to add a new forest to sync up to the Azure AD. All these users are going to be in the same office 365 Tenant.

Symptoms:

When i add the connector (Microsoft way – Using AAD Connect wizard), I get the following error

E_MMS_SCHEMA_CLASS_NOT_FOUND

When i check the logs,

schema

Troubleshooting:

  • Ports
    • Checked the ports to see if the domain is reachable
    • Made sure the domain name is resolved to the right ip’s
  • The schema made be feel that, the service account doesn’t have rights on the forest that is being added
    • Checked the permisisons –  it is all good
    • Changed the permission to Domain admin
  • Adding new connector
    • Added a new connector manually (click the new connector from Synchronization service console)
    • Pointed to the forest
    • When i did the right-click and “Search Connector space”, i can see all the objects from the domain (it wont sync anyway as the sync rule wont get populated, if you use “Create” connector)

At this point, i understood that it is not a problem with the forest that i’m trying to add.

I ran the wizard without adding the connector, i got the same error.  So this proves that there is an issue with the existing connector.

Resolution:

I ran refresh schema on all the existing connector.  I found one of the connector had a schema changes which wasn’t picked up by the AAD Connect (One of the forest administrator installed Exchange server in their infrastructure)

tempsnip

After refreshing the schema, i ran the wizard, it went like a charm.

 

 

Password hash sync is not working for sub-domains – AAD Connect

Issue: The password sync for sub-domains are not working

Data Collected:

  1. The password hash sync for the root domain and selective sub-domains are working without any problem
  2. The user and other objects from the selected OU of the all the root domain and the sub-domain works without any issues
  3. There is no sync errors for the object which doesn’t sync the password
  4. When a password has been reset for the object from the sub-domain, there is no event id 656 or 657 logged on the AAD Connect server
  5. Properties of the connectors shows that sub-domain Directory partition has been checked.

Troubleshooting:

Before I proceed, I have done everything mentioned in the article below,

https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnectsync-troubleshoot-password-hash-synchronization

  1. Checked whether password hash is enabled – It is
  2. When I run the following command,

Invoke-ADSyncDiagnostics –PasswordSync

From the following screenshot it shows that the sub-domains directory partition not considered as domain.

1

  1. Ran the above command against the object in the sub-domain for which the password sync is not working

Invoke-ADSyncDiagnostics -PasswordSync -ADConnectorName <Name-of-AD-Connector> -DistinguishedName <DistinguishedName-of-AD-object>

2

If you look closely, it says that it is available in metaverse database but an error for the objects of the sub-domain

“There is no password has synchronization rule for AD Connector space object”

  1. But that’s not right as you can see from below screenshot, There is a sync rule for “In from AD – User AccountEnabled” is true

3

 I didn’t bother to get deep in to the sync rule as the installation not customized.  I was sure that the domain partition is not recognized

  1. The domain partitions are selected in the connector properties.

To check this,

  • Right click on the connector
  • Choose properties
  • From the popup window, click on “Configure Directory Partitions”

I now came to conclusion that the domain partition is not recognised but from the GUI it shows it is selected.

After some googling, I found 3 interesting cmdlets

  • Enable-ADSyncConnectorPartition
  • Enable-ADSyncConnectorPartitionHierarchy
  • Update-ADSyncConnectorPartition

There is no explanation of these cmdlets but I did manage to run it but with no success.

Resolution:

So finally I’ve gone back to basics of powershell.

Get-ADSyncConnector

4

This gives me list of connectors.  I need the first connector (where the sub-domain is)

$c = Get-ADSyncConnecor

I’m interested in the first connector and its partition, I’m assign that into the variable

$adConn= $c[0]

$AdConn.Partitions

This will list down the list of partitions under that connector.  There are about 5 partition, out of that last 2 partition’s object is having problems

5

If you closely look in the attribute called “IsDomain” is set to “False”, but the same is “True” for the rest of the domain partition (Its not in the screenshot though)

This exactly the same reason when we ran the password sync troubleshooter, it said that the sub-domain in questions is not a domain

To change this value, run the following command, for 2 sub-domains

$adConn.Partitions[5].IsDomain=$true

$adConn.Partitions[6].IsDomain=$true

After the change it will look like below

6

We are not done yet.  This should take care of the password sync but

Set-ADSyncAADPasswordSyncConfiguration -SourceConnector “domain.net” –TargetConnector “domain.onmicrosoft.com – AAD” -Enable $false

Set-ADSyncAADPasswordSyncConfiguration -SourceConnector “domain.net” –TargetConnector “domain.onmicrosoft.com – AAD” -Enable $True

Soon after this, the eventlog shows lot of 656 events indicating that password sync of the objects from sub-domains are syncing.

 VJ

 

Unable to login to Office 365 Tenant

I’ve encountered an interesting issue that may be well useful to troubleshoot and how to fix it

Issue : Users are unable to login to http://portal.office.com.  They get the following error

Login-Error

Analysis :

The error message itself is not very useful.  So, i had to collect few information to know what is going on

  1. AAD Connect for that tenant is still running.  There is a recent delta sync success in the logs
  2. Everyone including the Global administrator cannot login
  3. I can login with the cloud-only account
  4. Checked with other tenants, and there is no news from MS on the message center (this rules out if this is a Microsoft issue)
  5. Password change seems to be replicating.  There are some logs for the users who recently changed their password
  6. The AAD connect version is 1.1.5

The information collected was not so very useful at all except one thing

Full/Delta Synchronization is working without any issue

Troubleshooting:

Ran Fiddler from the machine  where i tried logging to office 365 and found an interesting information.

Fiddlerlog

If you closely look at it, the authentication is being redirected.

So, this generally happens if there is an ADFS server.

There is another instance that this could happen which is “Pass-Through Authentication” Feature enabled on AAD Connect.

To know more about it,

User sign-in with Azure Active Directory Pass-through Authentication

https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-pass-through-authentication

Long story short about the process,

  1. The user tries login to https://portal.office.com or trying to access any office application
  2. Once the credentials are provided by the user, Azure AD, on receiving the request to sign in, places the username and password (encrypted by using the public key of the Authentication Agents) in a queue.
  3. An on-premises Authentication Agent retrieves the username and encrypted password from the queue.
  4. The agent decrypts the password by using its private key.
  5. The agent validates the username and password against Active Directory by using standard Windows APIs, which is a similar mechanism to what Active Directory Federation Services (AD FS) uses. The username can be either the on-premises default username, usually userPrincipalName, or another attribute configured in Azure AD Connect (known as Alternate ID).
  6. The Agent cannot send evaluation request back to Azure AD and failed to respond if the authentication is (success, failure, password expired, or user locked out)

Solution:

The pass-through authenticate is failing for some reason.  This proves the fact that “Full/Delta Sync” is working because the service account is cloud only account.

Disabled the pass-through authentication on AADConnect using AAD Connect wizard and revert it to password-hash synchronization

Multi-Factor Authentication – Office 365

Muli-Factor Authentication using Office 365 is widely used.  MFA can be used for all the application that integrates with Office 365 services.

The first an foremost is to assign license to the users.  The license can be

  1. MFA Stand-alone License
  2. MFA license that comes along with other services.  License such as Enterprise Mobility + Security (E3)
  3. MFA Consumption based

There are 2 usage models,

  • Per user based – This is based on number of license that you assigned to the user.  If you have bought 100 E3 license, the billing is calculated only for the users who has this license assigned, not 100.
  • Per Authentication – This is based on number of authentication

Type of usage

Office 365 services only – Once a license is assigned to the user, thats pretty much it.  All we have to do is to enable MFA for the users and enforce it.  MFA settings are completely controlled from Office 365 portal.

On-prem Azure MFA – This is a server installed on-prem and works with Office 365 MFA.  This helps to make use of MFA for applications like Citrix.  (Expect more applications in this list in future).

NPS extension for NPS servers – This is purely for Network policy server.  To have MFA enabled for users who connects through NPS server, can make use of this extension.

 

Good news for Office 365 Hybrid Customer – Delegate Access is now possible for cross-premises Mailboxes

Hybrid customer always complaint about the fact that Office 365 users not being able to delegate access to On-prem (Or) On-prem users not being able delegate to Office 365.

The good news is that Microsoft started allowing this feature from April 2018.

To enable cross premises delegation you first need to configure:

  • For on-prem user to become a delegate of an Cloud user

Set-OrgnizationConfig -ACLableSyncedObjectEnable $True

  • For cloud user to become a delegate of an on-prem user

msExchRecipientDisplayType attribute for the remote mailbox in on-prem AD to be set to -1073741818

       Get-ADUser vijay.ragavan@ultima.com -Properties msExchRecipientDisplayType |         where {$_.msExchRecipientDisplayType -eq -2147483642} | Set-ADUser -Replace            @{msExchRecipientDisplayType = -1073741818}

Now you can ask the user to use their outlook to allow the delegation.  Send-AS and on-behalf also works as per the below article

Refer:

https://support.microsoft.com/en-us/help/3064053/overview-of-delegation-in-an-office-365-hybrid-environment

 

Hope this is useful.

VJ

AzuMFA Extension for NPS – Stopped working

So, Azure MFA Extension for NPS was setup RDS and it was working till last week.

Issue:

Allow of sudden the MFA notification stopped.  User no longer get notification on their mobile, text or a call when they try to sign into any server through RDS (Outside the network)

Diagnosis :

  • When we tried the office 365 portal, it worked just fine.  Users got their notification on to their device and allowed to access the portal.
  • In the logs, we see lot of
    • Source:        Microsoft-AzureMfa-AuthZ
    • Event ID:      4
    • Description:
    • NPS Extension for Azure MFA: Radius request is missing NAS Identifier and Nas IpAddress attribute.Populating atleast one of these fields is recommended
  • Authentication with Azure MFA
    • Source:        Microsoft-AzureMfa-AuthZ
    • Event ID:      2
    • Computer:      PCC-EUN-DC-02.tpcc.prostate-cancer.org.uk
    • Description:
    • NPS Extension for Azure MFA: Unknown exception

So, at this point I don’t know what was wrong, as it was working without any issues.  No changes made recently

After having to go through the following article

https://docs.microsoft.com/en-us/azure/multi-factor-authentication/nps-extension-vpn

https://docs.microsoft.com/en-us/azure/multi-factor-authentication/multi-factor-authentication-nps-extension

The line which struck me is the following.

The NPS Extension for Azure MFA is available to customers with licenses for Azure Multi-Factor Authentication (included with Azure AD Premium, EMS, or an MFA stand-alone license). Consumption-based licenses for Azure MFA such as per user or per authentication licenses are not compatible with the NPS extension.

For testing, i assigned a MFA Standalone license for a user – It worked.

But still i was confused why it was working all this while? After speaking to MS, the preview version was active and MS their functionality for 30 more days so the client can choose a plan. (Client claimed that they never received any communication)

Hope this helps.

VJ

 

KB4011273 – CAUSES OUTLOOK ADD-IN ISSUES

Recently Microsoft released office security that created lot of issues for the clients who heavily uses outlook add-ins for business purposes.

Some of them are Enterprise vault, Sales force and so on.

Thought there is a fix released by MS on February release, upon testing the result didn’t change.

So, if you decide to uninstall that patch you can either use your patch management software like SCCM or WSUS. But if you want a quick if you don’t have a patch management software, the follow the instructions,

  1. Create a .bat file with the following and save in sysvol folder on a DC@echo offmsiexec.exe /package {90140000-001A-0409-0000-0000000FF1CE} /uninstall {6DE885AE-8E0F-4FEA-8AA2-77D455F8A6AA} /qn /quiet /norestart

    exit

  2. Create a GPO that applies to all the workstations (if that is what you intended to do)
  3. Edit the policy and Navigate to “Policies->Windows settings->Scripts->Go to properties of Startup, Add the script to the list

User needs to reboot the machine to make sure it removes the patch successfully.

Note: I’ve seen cases that this patch got installed directly but not through SCCM or WSUS.  Though there is a GPO to restrict the update.  If you have an idea how this patch could have installed, comment.

Microsoft Intune – Things to remember before you use new Azure integrated Intune

As you may already know that Microsoft decided and moved from Classic Intune to Azure integrated Intune.  There are few things that needs to considered before you decide to use Azure integrated Intune for patch management.

  • The app groups that are created in Classic intune are being migrated to Azure integrated Intune.  These groups cannot be used in Classic intune anymore.  If you would like to patch the workstations with the existing group or create a new groups, it wont work – Microsoft acknowledged this as bug and awaiting resolution (This has been resolved now)
  • If there is a policy that exists in the Classic portal and you are using Azure integrated intune, and has a software update ring, then there might be a policy conflict.  Make sure the Classic Intune are removed.
  • Classic Intune can only manage the devices using Intune management agent.  Azure integrated Intune can manage the devices only if the device is enrolled as Mobile Device.  If the agent is present in the workstations, it cant be enrolled as mobile device.  So first thing you should do is to remove the Agent.
  • If the Agent is present in the workstation it cant be enrolled to new Azure integrated Intune.  You have to uninstall the agent, you can use https://gallery.technet.microsoft.com/Uninstall-the-Intune-b42111d1.  This will create a Schedule Tasks.  It may take about 5 to 10 mins.  It uses ProvisioningUtil.exe located under C:\Program Files\Microsoft\OnlineManagement\Common.  If you have custom installation path or if the exe doesn’t exist, then you might need to install the Agent again and run this script again.
  • If you are planning to migrate to Azure integrated Intune from Classic Intune, make sure the device is not listed in the Classic portal.  If the device is visible, then before enrolling, make sure the workstation entry is removed from the Classic portal.  Sometimes you may see entries in both the portal, In that case, you have to remove the device from both the portal, and re-enroll.
  • Finally, version upgrade of windows 10 is not straight forward.

Hope this helps

VJ