My ADFS Claims Rules Journey – Part 1

 

 

係做MDM嘅過程,自己一即避免嘅係唔好用Office365。
點解咁諗?係因為若無辦法好好Restrict 街外Unauthorized Access的話。User可以隨便加Email account收Email,咁整套MDM相等明存實亡。

而普遍用Mail多嘅,自己首先會針對點樣封Exchange Online,不論係Android/iOS 嘅Native Client,甚至係Outlook Mobile App,都係要封嘅對象。

首先要提嘅係,真係多得iOS11係17年九月出左,啲花左唔小時間做落嘅Claims Rule 失效。

簡單以條片嚟做Sample,同iOS11之前嘅差別。當用噤Sign-In之後,會redirect 去另一個WebPage去繼續Authentication 。呢種就係Passive Authentication

講咁多做咩?就係Passive Authentication(Modern Authentication)令到以往做落嘅Claim rules 廢武功。

以下係 係iOS 11 前用緊嘅rules

exists([Type == “http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy”]) &&

exists([Type == “http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application”, Value =~ “Microsoft.Exchange.ActiveSync”])
&&

NOT exists([Type == “http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid”, Value == “S-1-5-21-xxxxxxx”])
&&

NOT exists([Type == “http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip”, Value =~ “\bxxx\.xxx\.xxx\.xxx\b”])
=> issue(Type = “http://schemas.microsoft.com/authorization/claims/deny”, Value = “true”);

原意解說:

Rule1 當Connection係由街外,

Rule 2 Client Type係ActiveSync,

Rule 3 User唔屬於Permitted Group

Rule 4 唔係由指定ActiveSync Proxy IP Connect過黎

全部符合 就會俾Deny Claim

因為Rule2係Passive Authentication 再無X-MS-Client-Application嘅claim value,無辦法確定Client Application Type,結果會係同其他Browser Based Application 一樣Allow Access

 

To Be Continue in Part 2

 

Reference from Link1

Background

Based on the latest beta builds, Apple has added OAuth 2.0 support for Microsoft Exchange accounts in iOS 11, showing an increased commitment to device security. In my opinion, this may be iOS 11’s least talked about, but most impactful feature for enterprises because of the implications for securing iOS with Office 365 and Exchange Online. Let’s dig deeper.

A Brief History on Securing Exchange ActiveSync

Prior to iOS 11’s OAuth 2.0 implementation, ActiveSync email clients such as iOS’s native email handled account authentication to Exchange Online exclusively via something called an Active Profile. The Active Profile defines ActiveSync authentication techniques for non-browser or modern authentication-based clients.

On-premises Microsoft Exchange servers are deployed on secure networks behind layers of firewalls and only accessible to email clients through ActiveSync Proxies. Administrators have significant granular access control via proxies, especially in allowing access to the Exchange servers only from the trusted IP addresses of the proxies. MobileIron’s Sentry is an extra-powerful ActiveSync proxy for mobile devices because the Sentry allows or denies ActiveSync access to the Exchange server based on both device and application posture received from the policy engine on MobileIron Core or Cloud. With Sentry, only trusted mobile devices can access ActiveSync email; users attempting to access email from untrusted mobile devices are denied by the Sentry. Thousands of large enterprises protect their on-premises Exchange servers with Sentry today.

Reference from Link2

In a Passive authentication scenario, the user signs in through a Web form displayed by the identity provider and the user is requested to log in. In Active authentication scenario, the user is authenticated using thick clients. As the thick client does not support redirection, Office 365 gets the credentials and validates the authentication with Access Manager by communicating directly with it.

Reference Video from Link3

Reference from Link4

Another point that you have to account for in redesigning your claims rules is the fact that the Client application clam (http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application) is no longer present for any ADAL-enabled client.

Reference URL

https://www.mobileiron.com/en/smartwork-blog/practicing-safe-security-ios-11-and-office-365

https://www.netiq.com/documentation/netiqaccessmanager4_appliance/identityserverhelp/data/b1afcrj9.html

https://blog.peterdahl.net/2017/09/12/ios-11-provides-support-for-oauth-2-0-in-the-native-mail-app/

Adjust your AD FS claims rules to account for Modern authentication

Work Place by Facebook integrate with Azure AD – Part III

 

 

 

 

Part III

做完對上兩邊Config,係時間測試下成果。

首先係去 “https://mydomain.facebook.com”
WorkPlace login page 顯示 “Your company has enabled single sign-on.”
變成冇得係到用”UserName/Password” Auth

“User Name / Password”  vs “SSO”

 

 

 

 

 

 

 

 

 

 

 

當噉”Log In” 就會Redirect 去Azure嘅Login Page (第一步成功)

 

 

 

 

 

之後就變成同Office365 Login 一樣,需要用 AD Credentail / Client Certificate 做 Auth

係已經Join Domain嘅PC。因為有Kerberos Auth,當Page redirect去到Azure Login,只需要打Username (UPN),往後嘅login process就會用Kerberos 完成

Work Place by Facebook integrate with Azure AD – Part II – Azure AD Enterprise App Configuration / Work Place SSO Authentication

 

 

 

 

Part II

續Part I。Work Place Subdomain 準備就絮~開始戲肉。SAML Config。 如SalesForce一樣,大路嘅Idp(ADFS / Azure AD /G Suite / OKTA / One Login / Ping Identity)都有article講點做。基於Domain 已經係 Azure AD 上面Federated,亦即係同Office365 一樣, 會返ADFS Server 做Auth / MFA。 所以係唔需要考慮ADFS 個article 點做。

SAML configuration 唔難。基本都係兩邊資料 Copy n Paste。 但係最鑊,最怕就係兩邊各自各描述。Field名唔知邊個對邊個。

今次都係,先Configure 係Azure AD,First Try照跟Article係唔夠Parameters

大路照跟可以,但係留意以下Step3 >>>>>> 跟Azure咁做係誤以為夠。第一唔清楚咩係Identifier。跟Azure Article 咁做係唔夠,Sequence亦唔啱。 第一唔清楚咩係Identifier。。。。亦要Tick “Show advanced URL settings”嘅CheckBox

係要返WorkPlace, Dashboard,Authentication,係SAML Authentication 呢個Page 下面嘅Info

Azure “Identifier” = WorkPlace “Audience URL”                                             >>> “https://www.facebook.com/company/15digitvalue”

Azure “Reply URL” = WorkPlace “ACS (Assertion Consumer Service) URL” >>> “https://domain.facebook.com/work/saml.php”

Confusing Sample from Azure

3. On the Workplace by Facebook Domain and URLs section, perform the following steps:

Configure Single Sign-On

a. In the Sign-on URL textbox, type a URL using the following pattern: https://<instancename>.facebook.com

b. In the Identifier textbox, type a URL using the following pattern: https://www.facebook.com/company/<instancename>

係Azure做完上半,噉Save。 再Scroll Down落下面噉”Configure Workplace by Facebook”。 接落嚟嘅Information要放返落WorkPlace嘅Authentication Page。
WorkPlace呢邊係兩個URL相對容易啲啲,不係啲名都係唔match

Azure “Azure AD Single Sign-On Service URL” >>> WorkPlace “SAML URL”

Azure “Azure AD SAML Entity ID” >>> WorkPlace “SAML Issuer URI”

最後當然係Paste 返係Azure Download 嘅Signing Cert落去。 先去噉”Test SSO”。先會Pass 個Test Auth。

Cont’d @ Part III

Reference Link

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-saas-facebook-at-work-tutorial

https://developers.facebook.com/docs/workplace/authentication/sso

Work Place by Facebook integrate with Azure AD – Part I – Subscription + Upgrade to Premium Work Place Premium

 

 

 

 

 

絕對唔係新野。 一兩年前記得叫Facbook for Work,但係搵唔到方法申請。機緣下 上星期睇到Azure 嘅article。

WorkPlace by FB要開Account唔難,去https://facebook.com/work 用Corporate Email account就開到。但就咁普通係做唔到任何Customization嘅(包括Authentication Integration)…….. e.g. “https://work-xxxxxxxx.facebook.com”

所以。。 第一件事係upgrade去Work Place Premium。 Procedure都係基本verify domain ownership。 一係Domain RootLevel 嘅Web Server Webpage放token,另一選擇就係DNS 落 TXT Record (後者絕對易做得多,但係估唔到FB Support話睇唔到我隻Domain host 係邊,唔講 TXT Record 個做法我知……玩野)

時間關係。。 兩日等左 DNS Record Creation 同往後FB嘅vertificaton,之後再需要等FB Subdoamin 由https://work-xxxxxxxx.facebook.com 變成我哋嘅 “https://mymdomain.facebook.com”

當Domain完全轉好(係會慢慢逐小逐小變出嚟,所以收左FB Email話Verification OK,最後都等左兩個鐘(封Mail講十分鐘OK….呃人)

Cont’d – Part II

Reference Link

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-saas-facebook-at-work-tutorial

https://developers.facebook.com/docs/workplace/authentication/sso

Active Directory Certificate Authority Sha1 to Sha2 Migration 實錄

 

做PKI,玩Cert related 嘅東東。唔係Public , 就係Private。
Public Cert 大多係用$$解決到。但係Internal CA唔同,整個CA又起,生Template 去到派Cert都要理。 起唔難。 但係Cert做Migration,甚至因為hash algorithm 進步已顯生嘅問題先係難。

基於Sha1已經唔安全,而Windows Server 2003 base CA 嘅 “Microsoft Strong Cryptographic Provider” 亦唔Support SHA2。所以需要Migrate 兼轉去新嘅 Key Storage Provider (KSP)

Backup , Migration, Restore Procedure 跟M$ Article 都重OK。CA Backup, Registry 同CA Root Cert/ Private Key 絕對唔可以懶。 自己係呢個migration整鑊個一次,無backup神仙都難救…………………

下面第一條link , 絕對有伏。照跟就回衰。。

自己最後搵到第三條link,同自己失敗嘅經歷,係backup CA Root Cert/同往後restore用 .P12 format係會安全啲。

 

https://blogs.technet.microsoft.com/askds/2015/10/26/sha1-key-migration-to-sha256-for-a-two-tier-pki-hierarchy/

Credit and Reference:

https://technet.microsoft.com/en-us/library/ee126140%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396

Extremely Useful Step by Step Guide

https://ammarhasayen.com/2015/02/04/sha-2-support-migrate-your-ca-from-csp-to-ksp/

 

 

Exchange 2013 EAS / EWS Multi Instance後續

 

 

 

 

 

基於係一部Exchange CAS之內同意可以用唔同嘅Authentication Method (Password, Kerberos, Certificate) 。 而發現Exchange EWS係會兩個instance 同時response(Password Auth / Certificate Auth) , 邊成Outlook Client 當要用Web Service做notification嘅時候,IIS出現 Error 500 0 64。

“POST /EWS/Exchange.asmx – 443 – 10.0.1.35 Microsoft+Office/16.0+(Windows+NT+10.0;+Microsoft+Outlook+16.0.7927;+Pro) – 500 0 64 15”

但係點解呢?

係無人講EWS Multi Instance嘅情況之下,搵左四日都無咩頭粹。 方向改變諗如何令Outlook 只搵Default 個EWS,而MobileDevice 既Mail Profile 因為由MDM (MobileIron) 控制,所以EWS 係指定用Cert Auth。再引伸落去諗就係AutoDiscover 去做Restriction。 亦發現用 ‘https://testconnectivity.microsoft.com’ 去試會出現 Failure。原因係用咗CBA 嘅 EWS vDIR….. Test Failed….

最後好彩地搵到Hints,就係AutoDiscover WebSite 嘅URL。 當初係用CNAME 指去 CAS 嘅 internal name。呢個就係Root Cause。

搵出嘅係,當DNS 搵AutoDiscover而係用 CNAME point去CAS internal name。 當用CAS internal name 去 用EWS。係會兩個site用晒。

相信係有幾多個EWS 都會用晒,因為所有Exchange Virtual Directory確實係under同一部機。

所以係呢種設定下AutoDiscover嘅DNS record轉成Host (A) Point 死 Default WebSite EWS 嘅IP…

但原本問題仍然未解決……

To be Continue….

Refernce site:

https://forums.iis.net/t/1230097.aspx?http+500+0+64+IIS+with+Client+Certificate+Required

Quote:

500 = Internal Server Error

64 = The specified network name is no longer available.

https://support.microsoft.com/en-us/help/940726/outlook-2007-security-warning-the-name-of-the-security-certificate-is-invalid-or-does-not-match-the-name-of-the-site

Quote:

Important These steps assume that a host record exists in the DNS to map the FQDN that you specify to the IP address of the CAS server. For example, consider the following scenario:

  • The original internal URLs for the Exchange components point to the internal FQDN of the server. For example, one of these URLs points to the following:
    https://ServerName.contoso.com/ews/exchange.asmx
  • The FQDN that is specified on the certificate points to the externally accessed host name of the server. For example, the certificate specifies an FQDN, such as “mail.contoso.com.”

In this scenario, you must add a host record for the mail host name that is mapped to the internally accessed IP address of the CAS server to let internal clients access the server.

Exchange 2013 – Web Service(EWS) Virtual Directory Creation

 

 

 

 

 

Microsoft EWS Virtual Directory,比create ActiveSync Virtual Directory更古怪,更小人討論

絕對會諗所有creation可以係Exchange Management Shell做到,但係”偉大”嘅M$再一次俾Surprise我哋。。。

最後我試出黎嘅結果係。。。。

EWS Virtual Directory Creation – 係用普通PowerShell ,再用”AddPSSnapin Microsoft.Management.PowerShell.E2010″
睇到呢到,你無睇錯。。係2010 Module
點解我知?就係因為錯誤哋create左多一個PowerShell VirtualDirectory 係Default Web Site,但係又remove唔到…….
最後搵到expect exchange有人講同一問題……

Create PowerShell vDir – Exchange Managment PowerShell

Remove PowerShell vDir – Normal PowerShell + PSSnapin (E2010)

Create – Web Services vDir – Normal PowerShell + PSSnapin (E2010)

Remove Web Service vDir – Exchange Managment PowerShell

Reference site

https://www.experts-exchange.com/questions/26813020/remove-powershellvirtudirectory-not-working.html

http://hkeylocalmachine.com/?p=180

Microsoft ActiveSync – New EAS Website with Certificate Base Authentication(CBA) in same server

為左唔使起多部CAS,但又可以試CBA, 只係用加多一張NIC,多一粒IP。 絕對係快靚正。

但係,係deployment嘅過程,係絕對俾Exchange/IIS玩死。

呢下Website嘅步驟絕對無錯(推薦第一個)
遇到問題如下
1。同一張NIC用二粒IP,係setup時會衍生Host 錯IP問題,所以唔建議
2。當中避免用IIS去Set,特別係Step 11開clientCertificateMappingAuthentication,同埋最尾enable “Require Client Certificate”

雖然係IIS都會改到,但係偉大嘅M$話Exchange 野應該返Exchange Admin Center(EAC)做,同SharePoint 一樣……

唔相信….我自己得到嘅代價,就係唔同嘅IIS Error。。
可能係403.7 ,接403.16……..
再唔係,出Error 500。。恭喜~GameOver。。。 遇過好幾次,要delete site,由頭再嚟…..

3。EWS IIS Error 413, 唔Fix, Notification亦會停唔work

需要改以下

C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\autodiscover\web.config
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\ews\web.config
2. Replace the value “uploadReadAheadSize” of 0 to 1048576 (bytes) in both files

4。最後,亦係最奇怪。 話Server Local Machine Trust Root Authority 太多Cert,最後係用條 filter script 搵返啲 Intermediate Cert,再搬反走佢。。。。

而Client Device用嘅Cert,可以係有AD Enrolment Policy 由GPO落。 Domain Member PC 係Login 時自動安落PC….
又或者由MDM,從SCEP Profile 落Cert都可以。
最重要係Cert既Subject 係User Email Address, Cert 入面SAN 有User DN, UPN就會認得到

Filter Script…

Get-Childitem cert:\LocalMachine\root -Recurse | Where-Object {$_.Issuer -ne $_.Subject} | Format-List * | Out-File “c:\computer_filtered.txt”

https://support.microsoft.com/en-hk/help/2802568/internet-information-services-iis-8-may-reject-client-certificate-requests-with-http-403.7-or-403.16-errors

https://support.microsoft.com/en-hk/help/2795828/lync-server-2013-front-end-service-cannot-start-in-windows-server-2012

Reference

Step 11. Enabled cba on the ActiveSync website from elevated command prompt.
a. APPCMD.EXE set config “EAS_CBA/Microsoft-Server-ActiveSync” -section:system.webServer/security/authentication/clientCertificateMappingAuthentication /enabled:”True” /commit:apphost

Additional EAS vDir creation

In Exchange Mgmt shell:

Command: New-ActiveSyncVirtualDirectory -WebSiteName “EAS_CBA” -ExternalUrl https://mailcba.domain.com/Microsoft-Server-ActiveSync -Server servername -InternalURL https://mailcba.domain.com/Microsoft-Server-ActiveSync

Setup Procedure Reference

http://www.o-xchange.com/p/configuring-exchange-active-sync-for.html

https://blogs.technet.microsoft.com/exchange/2012/11/28/configure-certificate-based-authentication-for-exchange-activesync/

http://i-evgeny.blogspot.hk/2015/09/exchange-2013-413-request-entity-too.html

Microsoft OCSP configuration procedure , 唔duplicate template必定會fail

Setup 唔難,但係好高機會睇漏,唔duplicate template

Reference

https://blogs.technet.microsoft.com/yungchou/2013/10/22/enterprise-pki-with-windows-server-2012-r2-active-directory-certificate-services-part-2-of-2/

http://www.tech-coffee.net/public-key-infrastructure-part-8-ocsp-responder/

https://jorgequestforknowledge.wordpress.com/category/active-directory-certificate-services-adcs/ocsp/

 

RODC + Remote Desktop Gateway + Remote Desktop Authentication Certificate

有趣又古怪嘅buildup。
係用嘅benifits 絕對有,自己用Mac係有用VPN同冇,電力耐用明顯有增加.

整體Concept非常簡單。 RDP over SSL,即係可以代表替唔需要VPN.

Microsoft 有三個做法,但係自己覺得用RODC Extend隻AD點都會有用。clip_image010_thumb

 

 

 

 

 

 

Deploy RODC 絕對唔難,
Pre-config 定RODC Machine account 同放夠用嘅Port就一定join到。

但係Member server join就開始奇怪。 自己嘅做法係先係RODC用command gen好file,之後再係target server load返個file.

Provision – File Generation / File Load

djoin /provision /domain <domain_name> /machine <destination computer> /savefile <filename.txt> [/machineou <OU name>] [/dcname <name of domain controller>] [/reuse] [/downlevel] [/defpwd] [/nosearch] [/printblob] [/rootcacerts] [/certtemplate <name>] [/policynames <name(s)>] [/policypaths <Path(s)>]
djoin /requestodj /loadfile <filename.txt> /windowspath <path to the Windows directory of the offline image> /localos

當全部setup好,就剩下Add Role, 非常簡單。 只係allow authorize user group用就完成.

係setup 完成後,再進一步諗再將Trust Network入面所以有機RemoteDesktop Auth 嘅 Self-Signed Cert 轉成internalCA  sign

同樣地, Trust Zone轉好易, 但係DMZ入面嘅Member Server亦需要更多procedure, 需要安裝Certificate Enrollment Web Services(Username Password), 新嘅Certificate Template for DMZ,同最後需要command手動轉Remote Desktop Listener Cert

Reference:

Remote Desktop Gateway

https://blogs.technet.microsoft.com/enterprisemobility/2009/07/31/rd-gateway-deployment-in-a-perimeter-network-firewall-rules/

http://www.lemonbits.com/2014/06/20/installing-standalone-remote-desktop-gateway-on-the-windows-server-2012-r2-without-complete-remote-desktop-services-infrastructure/

RODC Setup

https://technet.microsoft.com/en-us/library/dd728035(WS.10).aspx#run_join_script

Offline Join

https://technet.microsoft.com/en-us/library/offline-domain-join-djoin-step-by-step(WS.10).aspx

Trusted Remote Desktop Auth Certificate

https://www.derekseaman.com/2013/01/creating-custom-remote-desktop-services.html

Certificate Enrollment Web Services

https://blogs.technet.microsoft.com/askds/2010/05/25/enabling-cep-and-ces-for-enrolling-non-domain-joined-computers-for-certificates/

Remote Desktop Listener Certificate

https://support.microsoft.com/en-us/kb/3042780