Deploying and Managing PKI inside Microsoft

Deploying and managing a Public Key Infrastructure (PKI) is key for every private and public cloud environment. Simply think about all those components, services, processes, etc. that are based upon a computer or web server (SSL) certificate. But of course, it’s not just a technology. The technology to issue one certificate and revoke another is important for a private and public cloud, but the corresponding security policy, certificate policy, and certification practice statement are even more important!

Because a well managed PKI deployment is so important, have a look at the recently published Microsoft IT Showcase Deploying and Managing PKI inside Microsoft. You can find this IT Showcase on http://technet.microsoft.com/en-us/library/cc964304.aspx.


Update Rollup 1 for Active Directory Federation Services (AD FS) 2.0

Microsoft released a first update rollup for AD FS 2.0 four days ago. The update rollup does not just fix bugs, it includes new capabilities especially for an Office 365 deployment:

  • Multiple Issuer Support – previously, Microsoft Office 365 customers who require single sign-on (SSO) using AD FS 2.0 and use multiple top-level domains for users’ user principal name (UPN) suffixes within their organization (for example, @contoso.us or @contoso.de) were required to deploy a separate instance of the AD FS 2.0 Federation Service for each suffix. After you install this Update Rollup on all the AD FS 2.0 federation servers in the farm and follow the instructions for using this feature with Office 365, new claim rules are set to dynamically generate token issuer IDs based on the UPN suffixes of the Office 365 users. As a result, you do not have to set up multiple instances of the AD FS 2.0 federation server to support SSO for multiple top-level domains in Office 365.
  • Client Access Policy Support – today, Office 365 customers do not have the capability to use AD FS 2.0 to restrict extranet access across all the endpoints to corporate resources within Office 365. This update enables organizations to configure these kinds of policies.
  • Congestion Avoidance Algorithm – this algorithm implements the logic on the AD FS 2.0 federation server proxy to reject external client authentication requests if the AD FS 2.0 federation server is overloaded.
  • Additional AD FS 2.0 performance counters

You can find more information about the update rollup in Update Rollup 1 for Active Directory Federation Services (AD FS) 2.0.


Forefront TMG 2010 SP2 and Forefront UAG 2010 SP1 Update 1

Microsoft recently announced the availability of two new updates for their Forefront Edge products:

  • Service Pack 2 for Forefront TMG 2010
  • Update 1 for Forefront UAG 2010 Service Pack 1

You can download SP2 for TMG from http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=27603 and Update 1 for UAG SP1 from http://www.microsoft.com/downloads/details.aspx?FamilyID=15218e0c-309a-49e1-8e19-1b3141428e21. And of course, you can find more information about the new capabilities and fixed bugs on these sites.

But what about co-existence of both new updates? Can I install TMG SP2 on my UAG box? Can I install SP1 Update 1 when TMG SP2 is installed?
No worries, UAG SP1 w/o Update 1 is fully supported with TMG SP2. And regarding the installation order, Microsoft recommends starting with the new SP2 for TMG.

So finally, happy updating…


Resource Links for Active Directory Federation Services (AD FS) 2.0

AD FS 2.0 is a really important building block for cloud identity management – not just for single sign-on against Office 365!

If you are interested in AD FS 2.0, you will love this TechNet wiki page:

AD FS 2.0 Content Page, http://social.technet.microsoft.com/wiki/contents/articles/2735.aspx

You can find a lot of information on that wiki page, so here’s the short TOC list:

  • Learn about AD FS 2.0
  • Research AD FS 2.0 Solutions
    • Integration with Microsoft cloud products
    • Integration with Microsoft on-premises products
    • Interoperability with non-Microsoft products
    • Case studies
  • Design and Deploy AD FS 2.0
  • Manage AD FS 2.0
  • Troubleshoot AD FS 2.0
  • QFEs Related to AD FS 2.0
  • Additional AD FS 2.0 References
  • Community Resources


Microsoft acquires BHOLD technology assets

Very interesting…

Today Microsoft announced that they have acquired technology assets from BHOLD, a Dutch vendor of Access Governance technology. Microsoft thus now owns technology which has been missing in their IAM portfolio until now. Microsoft thus enters the Access Governance market. Whether that will happen through enhancements of their existing FIM 2010 product or by adding another product based on the BHOLD technology hasn’t been announced yet. Anyhow, the deal will change the Access Governance market, particularly regarding the offerings which are targeted to complement Microsoft FIM.

KuppingerCole will follow up on this news and provide further information as soon as it is available. Overall, this acquisition proves that Microsoft continues investing in the broader IAM space and thus rates this market segment as important to their customers. For existing BHOLD customers, the acquisition provides new opportunities given that they are working with a much bigger vendor now. However, the impact on existing customers can only be rated once the Microsoft roadmap is unveiled. In general we recommend existing BHOLD customers to stay calm until more information is available. For customers investing or planning to invest in FIM 2010, the acquisition is definitely good news because it means that FIM will grow beyond the somewhat technical approach into a more business-oriented solution over time. However, without the roadmap being unveiled it is hard to predict when Microsoft customers really will benefit.

Source: http://blogs.kuppingercole.com/kuppinger/2011/09/23/microsoft-acquires-bhold-technology-assets/

You can find more information here as well: http://www.microsoft.com/pathways/bhold/


The Possible Future of Windows DirectAccess

Last week during the BUILD conference, Scott Roberts presented an early look of the possible future of Windows DirectAccess. You can find the recording of this session on http://channel9.msdn.com/Events/BUILD/BUILD2011/SAC-668T.

Three big enhancements in Windows 8 DirectAccess are:

  • Support for multi-site deployments (multi-geo / multiple entry points)
  • Trusted Platform Module (TPM) as key storage (used for authentication)
  • Simplified deployment without the need for a Public Key Infrastructure (PKI)

How to Migrate an ILM Rule Extension (Source Code) to FIM 2010

A question that is often raised in an ILM migration project is how the custom source code (rule extensions for Management Agents or the Metaverse) has to be migrated.

With this post, I want to highlight the necessary steps when migrating an ILM rule extension to FIM 2010:

  1. Copy the source code (Visual Studio project) from the \SourceCode folder from the ILM server to the FIM server
  2. Open the Visual Studio project with Visual Studio 2008 or Visual Studio 2010 (Visual Studio will automatically upgrade the project)
  3. Change the platform target to x64 (solution Properties > Build)
  4. * Reference the new Microsoft.MetadirectoryServicesEx assembly (delete the reference to the Microsoft.MetadirectoryServices.dll and add a new reference to the Microsoft.MetadirectoryServicesEx.dll)
  5. Recompile all code using .Net 3.5
  6. Perform complete end-to-end testing

* Your upgraded rule extension might still reference the old Microsoft.MetadirectoryServices assembly. This version was released with earlier versions of the sync server. Although it is possible to recompile your rule extension with the old assembly reference, it is recommended to reference the new assembly, which allows for strong-name signing of rules extensions and of data source extensions. You can find both assemblies in the \bin\Assemblies folder of FIM.

Of course, a test environment for the migration is highly recommended, although not mentioned in the list above.


FIM 2010 Updates

A page that you should bookmark: http://social.technet.microsoft.com/wiki/contents/articles/fim-2010-build-overview.aspx

This wiki lists all available updates for FIM 2010.


Microsoft Private Cloud Goes Social

The following communities and social efforts are available around private cloud – it’s all about social marketing:


How to Remove a Federated Domain in Office 365?

Agreed, a simple question. But the answer is not that simple… The removal of a federated domain in Office 365 can be a challenging activity, with a lot of manual tasks.

The following approach is really simple. Simple because you don’t have to touch any on-premises object (user and group). This is usually necessary when you want to delete federated users and groups in Office 365 – a prerequisite before you can remove the entire domain!

But please be aware of the following note:

This approach is NOT supported in a productive environment!
Please use this approach ONLY in a test/development environment!

Unsupported way to remove all federated users and groups

And now this super secret approach, which again, is not supported!

It’s all about the Dirsync tool, which you have to modify – that means you have to modify the Management Agent (MA) for your on-premises Active Directory. The AD MA can be configured via the Dirsync console, as follows:

Yes, you’re right. The Dirsync tool actually is just a pre-configured MIIS installation. To configure the AD MA, click on the SourceAD MA and select Properties. Then click on the Configure Directory Partitions hub and click the button Containers…

Then follow these steps…

  1. Change the password of the MSOL_AD_Sync account OR use another account
  2. Change the container selection in the SourceAD MA to an empty OU
  3. Run the Full Import and Full Sync run profiles of the SourceAD MA
  4. Run the Full Confirming Import run profile of the TargetWebService MA
  5. Run the Export run profile of the TargetWebService MA

Supported way to remove all federated users and groups

The official and supported way to get rid of a federated domain is:

You must update all user accounts that have that domain assigned as the UPN suffix to use a different UPN suffix, either:

1. Update the UPNs in Active Directory and then run DirSync to update the cloud user accounts’ UPNs.

OR

2. Update the UPNs in Active Directory and use the update-MSOLUserPrincipalName cmdlet to manually change the cloud UPN of each user.
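The supported procedure above (update the on-premises UPN, then either let DirSync carry the change or push it with the cloud cmdlet), as an added PowerShell example that is not part of the original post. It assumes the ActiveDirectory and MSOnline modules are installed, that you have already run Connect-MsolService, and that the suffix names are placeholders you replace with your own; the cmdlet the post calls update-MSOLUserPrincipalName ships in the MSOnline module as Set-MsolUserPrincipalName, which is what is used here. Without -Commit the script only reports what it would change, so you can review the list before touching any account.

```powershell
# Added example, not from the original post. Placeholders: contoso.de (federated
# suffix being removed) and contoso.com (suffix the accounts move to).
param(
    [string]$OldSuffix = 'contoso.de',
    [string]$NewSuffix = 'contoso.com',
    [switch]$Commit          # dry run by default; -Commit performs the changes
)

Import-Module ActiveDirectory
Import-Module MSOnline      # assumes Connect-MsolService has already been run

# Find every on-premises user still carrying the suffix to be removed.
$users = Get-ADUser -Filter "UserPrincipalName -like '*@$OldSuffix'" -Properties UserPrincipalName

$report = foreach ($u in $users) {
    $oldUpn = $u.UserPrincipalName
    $newUpn = ($oldUpn -split '@')[0] + '@' + $NewSuffix

    if ($Commit) {
        # Step shared by both options: change the UPN in Active Directory.
        Set-ADUser -Identity $u -UserPrincipalName $newUpn

        # Option 2 from the post: update the cloud account right away instead of
        # waiting for the next DirSync cycle (option 1).
        Set-MsolUserPrincipalName -UserPrincipalName $oldUpn -NewUserPrincipalName $newUpn
    }

    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        OldUpn         = $oldUpn
        NewUpn         = $newUpn
        Committed      = [bool]$Commit
    }
}

$report | Format-Table -AutoSize

# Verification: the domain can only be removed once no cloud user still uses the old suffix.
if ($Commit) {
    $remaining = @(Get-MsolUser -All | Where-Object { $_.UserPrincipalName -like "*@$OldSuffix" })
    'Cloud users still on @{0}: {1}' -f $OldSuffix, $remaining.Count
}
```

Run it once without -Commit, check that the report contains only the accounts you expect, and keep the output as a record; the final count of remaining cloud users should be zero before the domain itself is removed.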
