Workplace by Facebook integration with Azure AD – Part II – Azure AD Enterprise App Configuration / Workplace SSO Authentication


Part II

Continued from Part I. With the Workplace subdomain ready, it's time for the main course: the SAML config. As with Salesforce, the mainstream IdPs (ADFS / Azure AD / G Suite / Okta / OneLogin / Ping Identity) each have an article on how to set it up. Since our domain is already federated in Azure AD, the same way Office 365 is, authentication and MFA go back to the ADFS server anyway, so there is no need to look at the ADFS article at all.

SAML configuration itself isn't hard; it's basically copying data back and forth between the two sides. The real trap is that each side describes the same thing in its own vocabulary, and the field names don't tell you which one maps to which.

Same story this time: configure Azure AD first. On the first try, following the article verbatim does not give you enough parameters.

Following the article works for the most part, but watch out for Step 3 below >>>>>> doing it the Azure way makes you think you're done when you're not. First, it isn't clear what "Identifier" actually is; second, the Azure article isn't sufficient and its sequence is wrong as well. You also need to tick the "Show advanced URL settings" checkbox.

The values come from Workplace: Dashboard > Authentication, in the info at the bottom of the SAML Authentication page:

Azure "Identifier" = Workplace "Audience URL" >>> "https://www.facebook.com/company/15digitvalue"

Azure "Reply URL" = Workplace "ACS (Assertion Consumer Service) URL" >>> "https://domain.facebook.com/work/saml.php"

The confusing sample from the Azure article:

3. On the Workplace by Facebook Domain and URLs section, perform the following steps:

Configure Single Sign-On

a. In the Sign-on URL textbox, type a URL using the following pattern: https://<instancename>.facebook.com

b. In the Identifier textbox, type a URL using the following pattern: https://www.facebook.com/company/<instancename>

Once the top half is done in Azure, Save, then scroll down to "Configure Workplace by Facebook". The information that follows goes into the Workplace Authentication page.
On the Workplace side it's only two URLs, which is a bit easier, but again the names don't match:

Azure “Azure AD Single Sign-On Service URL” >>> WorkPlace “SAML URL”

Azure “Azure AD SAML Entity ID” >>> WorkPlace “SAML Issuer URI”

Finally, of course, paste in the signing certificate downloaded from Azure. Only then go to "Test SSO", and the test authentication passes.
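Why the field mapping above matters: Azure puts its "Identifier" into the assertion's Audience and its "Reply URL" into the response's Destination and the bearer Recipient, and Workplace compares those against its own Audience URL and ACS URL; a mismatch on either value is exactly what makes "Test SSO" fail. The script below is an added example, not code from the post or from either vendor: it parses a SAML Response and reports every field that disagrees with the service-provider settings, and shows what happens when the Identifier is typed the way the Azure article suggests (https://www.facebook.com/company/<instancename>) rather than copied from Workplace. The placeholder URLs, the tenant ID in the Azure entity ID and the sample response are all constructed; signature verification is deliberately out of scope, a real SP must do it.

```python
# Added example (not from the original post): check that a SAML Response
# carries the values the Azure AD <-> Workplace mapping has to agree on.
import datetime as dt
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Placeholder values in the same shape as the post's examples (assumptions).
AUDIENCE_URL = "https://www.facebook.com/company/15digitvalue"   # Azure "Identifier"
ACS_URL = "https://domain.facebook.com/work/saml.php"             # Azure "Reply URL"
# Azure "SAML Entity ID" = Workplace "SAML Issuer URI"; the tenant GUID is a dummy.
IDP_ENTITY_ID = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"


def _ts(value):
    """Parse a SAML UTC timestamp such as 2017-08-01T10:00:00Z."""
    return dt.datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=dt.timezone.utc)


def check_saml_response(xml_text, expected_audience, expected_acs, expected_issuer, now):
    """Return a list of mismatches between the response and the SP-side settings.
    An empty list means Audience, ACS/Recipient, Issuer and validity all line up."""
    root = ET.fromstring(xml_text)
    problems = []
    if root.get("Destination") != expected_acs:
        problems.append(f"Destination {root.get('Destination')!r} != ACS URL {expected_acs!r}")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return problems + ["response carries no Assertion"]
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != expected_issuer:
        problems.append(f"Issuer {issuer!r} != SAML Issuer URI {expected_issuer!r}")
    if assertion.find("ds:Signature", NS) is None:
        problems.append("Assertion is not signed")
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        problems.append(f"Audience {audiences!r} does not contain Identifier {expected_audience!r}")
    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != expected_acs:
        problems.append("SubjectConfirmationData/@Recipient does not match ACS URL")
    elif scd.get("NotOnOrAfter") and now >= _ts(scd.get("NotOnOrAfter")):
        problems.append("bearer confirmation has expired")
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        if cond.get("NotBefore") and now < _ts(cond.get("NotBefore")):
            problems.append("assertion not yet valid (NotBefore)")
        if cond.get("NotOnOrAfter") and now >= _ts(cond.get("NotOnOrAfter")):
            problems.append("assertion expired (NotOnOrAfter)")
    return problems


# Constructed sample response (not a real capture) in the shape Azure AD emits.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2017-08-01T10:00:00Z" Destination="{ACS_URL}">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2017-08-01T10:00:00Z">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <ds:Signature xmlns:ds="{NS['ds']}"><ds:SignatureValue>c2lnbmF0dXJl</ds:SignatureValue></ds:Signature>
    <saml:Subject>
      <saml:NameID>alice@mymdomain.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{ACS_URL}" NotOnOrAfter="2017-08-01T10:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2017-08-01T09:55:00Z" NotOnOrAfter="2017-08-01T11:00:00Z">
      <saml:AudienceRestriction><saml:Audience>{AUDIENCE_URL}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_NOW = dt.datetime(2017, 8, 1, 10, 1, tzinfo=dt.timezone.utc)

# Same response as issued by a tenant whose Identifier was typed the way the
# Azure article suggests instead of copied from Workplace's Audience URL.
WRONG_IDENTIFIER = "https://www.facebook.com/company/mymdomain"
MISCONFIGURED_RESPONSE = SAMPLE_RESPONSE.replace(AUDIENCE_URL, WRONG_IDENTIFIER)

if __name__ == "__main__":
    for label, resp in (("correct mapping", SAMPLE_RESPONSE), ("article pattern", MISCONFIGURED_RESPONSE)):
        print(label, check_saml_response(resp, AUDIENCE_URL, ACS_URL, IDP_ENTITY_ID, SAMPLE_NOW) or "OK")
```

Run it as-is and the second line shows the single Audience mismatch you get from the article's pattern; the check also catches a Reply URL that does not equal the ACS URL (Destination and Recipient both fail) and an assertion replayed after its bearer window, which are the two other things Workplace will reject once the names are lined up.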

Cont’d @ Part III

Reference Link

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-saas-facebook-at-work-tutorial

https://developers.facebook.com/docs/workplace/authentication/sso

Workplace by Facebook integration with Azure AD – Part I – Subscription + Upgrade to Workplace Premium


Absolutely nothing new. A year or two ago I remember it being called Facebook at Work, but couldn't find a way to apply. By chance I came across the Azure article last week.

Opening a Workplace by FB account isn't hard: go to https://facebook.com/work and sign up with a corporate email account. But the plain tier can't do any customisation at all (including authentication integration)…….. e.g. "https://work-xxxxxxxx.facebook.com"

So… the first thing is to upgrade to Workplace Premium. The procedure is the usual domain-ownership verification: either put a token page on the web server at the domain root, or add a DNS TXT record (the latter is far easier, but surprisingly FB Support said they couldn't see where my domain was hosted and never mentioned the TXT record method, which I knew about…… playing games).

Timing-wise… two days waiting for the DNS record creation and FB's subsequent verification, then more waiting for the FB subdomain to change from https://work-xxxxxxxx.facebook.com to our "https://mymdomain.facebook.com".

When the domain switches over completely (it changes bit by bit, so after receiving FB's email saying verification was OK, it still took two hours in the end; the mail said ten minutes…. not true).

Cont’d – Part II

Reference Link

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-saas-facebook-at-work-tutorial

https://developers.facebook.com/docs/workplace/authentication/sso

Exchange 2013 EAS / EWS Multi Instance後續


The setup allows different authentication methods (password, Kerberos, certificate) on a single Exchange CAS. I found that two EWS instances (password auth / certificate auth) respond at the same time, which makes IIS return error 500 0 64 when the Outlook client uses the web service for notifications.

“POST /EWS/Exchange.asmx – 443 – 10.0.1.35 Microsoft+Office/16.0+(Windows+NT+10.0;+Microsoft+Outlook+16.0.7927;+Pro) – 500 0 64 15”

But why?

With nobody documenting an EWS multi-instance scenario, four days of searching turned up nothing. I changed direction and thought about how to make Outlook find only the default EWS; the mobile devices' mail profile is controlled by MDM (MobileIron) and so points EWS at cert auth explicitly. Extending that line of thought: use AutoDiscover to do the restriction. I also found that testing with 'https://testconnectivity.microsoft.com' fails, because it hits the EWS vDir that uses CBA….. Test Failed….

Finally, luckily, I found the hint: the URL of the AutoDiscover website. Initially it was a CNAME pointing to the CAS internal name. That is the root cause.

What I found: when DNS resolves AutoDiscover via a CNAME to the CAS internal name, and the CAS internal name is then used for EWS, both sites get used.

Presumably however many EWS instances there are, they would all get used, because all the Exchange virtual directories really are on the same box.

So under this setup the AutoDiscover DNS record was changed to a Host (A) record pinned to the IP of the Default Web Site's EWS…
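When two EWS sites live on one CAS with their own IPs, the quickest way to confirm which one a client actually landed on is the s-ip column of the IIS W3C log (it is in the default field set; the quoted log line above omits the leading date, time and s-ip). The script below is an added example, not from the post: it parses the log, keeps only EWS and Autodiscover requests, tallies status by server IP, and lists the IPs that produced the 500 / win32 64 pattern. The log lines are constructed for the example, not a real capture, and the IPs are invented.

```python
# Added example (not from the original post): triage an IIS W3C log for the
# "500 0 64" symptom, grouped by the server IP (s-ip) the request landed on.
from collections import Counter

WIN32_STATUS = {
    "0": "success",
    "64": "The specified network name is no longer available",  # ERROR_NETNAME_DELETED
}

# Constructed sample log; 10.0.1.10 is the Default Web Site, 10.0.1.11 the second site.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 8.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2017-06-20 08:00:01 10.0.1.10 POST /EWS/Exchange.asmx - 443 CORP\\alice 10.0.1.35 Microsoft+Office/16.0+(Windows+NT+10.0;+Microsoft+Outlook+16.0.7927;+Pro) - 200 0 0 31
2017-06-20 08:00:02 10.0.1.11 POST /EWS/Exchange.asmx - 443 - 10.0.1.35 Microsoft+Office/16.0+(Windows+NT+10.0;+Microsoft+Outlook+16.0.7927;+Pro) - 500 0 64 15
2017-06-20 08:00:02 10.0.1.11 POST /EWS/Exchange.asmx - 443 - 10.0.1.35 Microsoft+Office/16.0+(Windows+NT+10.0;+Microsoft+Outlook+16.0.7927;+Pro) - 500 0 64 12
2017-06-20 08:00:03 10.0.1.11 POST /Microsoft-Server-ActiveSync User=bob&DeviceId=ABCDEF&Cmd=Ping 443 CORP\\bob 10.0.2.7 Apple-iPhone9C3/1403.92 - 200 0 0 600
2017-06-20 08:00:04 10.0.1.10 POST /autodiscover/autodiscover.xml - 443 CORP\\alice 10.0.1.35 Microsoft+Office/16.0+(Windows+NT+10.0;+Microsoft+Outlook+16.0.7927;+Pro) - 200 0 0 20
"""

EWS_PREFIXES = ("/ews/", "/autodiscover/")


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            if fields is None:
                raise ValueError("request line before #Fields header")
            values = line.split(" ")
            if len(values) == len(fields):  # skip truncated lines
                yield dict(zip(fields, values))


def ews_status_by_site(text):
    """Counter keyed by (s-ip, cs-uri-stem, 'status substatus win32') for EWS
    and Autodiscover requests only, so you can see which site IP served them."""
    counts = Counter()
    for r in parse_w3c(text):
        if r["cs-uri-stem"].lower().startswith(EWS_PREFIXES):
            triple = " ".join((r["sc-status"], r["sc-substatus"], r["sc-win32-status"]))
            counts[(r["s-ip"], r["cs-uri-stem"], triple)] += 1
    return counts


def failing_site_ips(text):
    """Server IPs on which EWS/Autodiscover returned 500 with win32 status 64."""
    return {s_ip for (s_ip, _stem, triple) in ews_status_by_site(text) if triple == "500 0 64"}


def report(text):
    """Human-readable lines, the 500 0 64 rows first."""
    out = []
    rows = sorted(ews_status_by_site(text).items(), key=lambda kv: (kv[0][2] != "500 0 64", kv[0]))
    for (s_ip, stem, triple), n in rows:
        note = WIN32_STATUS.get(triple.split()[-1], "")
        out.append(f"{n:>4}  s-ip={s_ip:<12} {stem:<32} {triple}  {note}".rstrip())
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
    print("sites returning 500 0 64:", sorted(failing_site_ips(SAMPLE_LOG)))
```

On a real CAS, point it at the W3SVC log folder of each site; if every 500 0 64 row carries the second site's IP while the same client IP gets 200s from the Default Web Site, the client is being sent to the wrong site, which is what the AutoDiscover CNAME was doing above.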

But the original problem is still not solved……

To be continued….

Reference site:

https://forums.iis.net/t/1230097.aspx?http+500+0+64+IIS+with+Client+Certificate+Required

Quote:

500 = Internal Server Error

64 = The specified network name is no longer available.

https://support.microsoft.com/en-us/help/940726/outlook-2007-security-warning-the-name-of-the-security-certificate-is-invalid-or-does-not-match-the-name-of-the-site

Quote:

Important These steps assume that a host record exists in the DNS to map the FQDN that you specify to the IP address of the CAS server. For example, consider the following scenario:

  • The original internal URLs for the Exchange components point to the internal FQDN of the server. For example, one of these URLs points to the following:
    https://ServerName.contoso.com/ews/exchange.asmx
  • The FQDN that is specified on the certificate points to the externally accessed host name of the server. For example, the certificate specifies an FQDN, such as “mail.contoso.com.”

In this scenario, you must add a host record for the mail host name that is mapped to the internally accessed IP address of the CAS server to let internal clients access the server.

Microsoft ActiveSync – New EAS Website with Certificate Base Authentication(CBA) in same server

To avoid building another CAS while still being able to try CBA, just add one more NIC and one more IP. Quick and clean.

But during deployment, Exchange/IIS absolutely ran me ragged.

The steps on the website below are definitely correct (the first link under Setup Procedure Reference is the recommended one).
Problems encountered:
1. Two IPs on a single NIC produces a host bound to the wrong IP during setup, so not recommended.
2. Avoid doing it through IIS, in particular Step 11 (enabling clientCertificateMappingAuthentication) and the final "Require Client Certificate" setting.

Although IIS lets you make the change, the great M$ says Exchange things should be done in the Exchange Admin Center (EAC), same as with SharePoint……

I didn't believe it…. the price I paid was a series of IIS errors.
Possibly 403.7, then 403.16……..
Or else error 500… Congratulations, game over. Hit it several times and had to delete the site and start from scratch…..

3. EWS IIS error 413; if it isn't fixed, notifications stop working too.

The following needs to change:

C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\autodiscover\web.config
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\ews\web.config
Replace the value of "uploadReadAheadSize" from 0 to 1048576 (bytes) in both files.

4. Lastly, and the strangest: the server's Local Machine Trusted Root Certification Authorities store had too many certificates (the KB 2802568 issue linked below, where certificates that are not self-signed sitting in the Trusted Root store make IIS reject the client certificate with 403.7 / 403.16). In the end I used a filter script to find the intermediate certs in the Root store and moved them out….

The certificate the client device uses can be pushed by GPO through an AD enrolment policy; domain-member PCs auto-enrol it at login….
Or it can come from the MDM via a SCEP profile.
The important thing is that the cert's Subject is the user's email address and the SAN inside the cert carries the user's DN and UPN; then it is recognised.

Filter script… (lists every cert in the Local Machine Root store whose Issuer differs from its Subject, i.e. the intermediates that don't belong there)

Get-ChildItem cert:\LocalMachine\root -Recurse | Where-Object { $_.Issuer -ne $_.Subject } | Format-List * | Out-File "c:\computer_filtered.txt"
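The uploadReadAheadSize change in item 3 above is a one-attribute edit to system.webServer/serverRuntime in two web.config files, and it is easy to get wrong by hand (edit the wrong file, leave one of the two at 0, or break the XML). The script below is an added example, not from the post or from Microsoft: it makes the change as an XML edit, creates the serverRuntime element if a file lacks it, is safe to run twice, and keeps a .bak copy when run against real files. The sample web.config is constructed and cut down to the relevant fragment; real Exchange web.config files are far larger, and ElementTree drops XML comments when it rewrites them, which is why the backup is taken first.

```python
# Added example (not from the original post): set uploadReadAheadSize in an
# IIS/Exchange web.config with ElementTree instead of hand-editing it.
import shutil
import sys
import xml.etree.ElementTree as ET

NEW_SIZE = 1048576  # bytes, the value the post uses

# Constructed, cut-down web.config fragment (not an actual Exchange file).
SAMPLE_WEB_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.web>
    <httpRuntime maxRequestLength="2097151" />
  </system.web>
  <system.webServer>
    <serverRuntime uploadReadAheadSize="0" />
    <security>
      <requestFiltering>
        <requestLimits maxAllowedContentLength="2147483648" />
      </requestFiltering>
    </security>
  </system.webServer>
</configuration>
"""


def _parse(xml_text):
    # Feed bytes so the utf-8 declaration in the file is always accepted.
    return ET.fromstring(xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text)


def _child(parent, tag):
    """First direct child with this tag (tags like system.webServer contain dots,
    so match on the tag string rather than an XPath expression)."""
    return next((c for c in parent if c.tag == tag), None)


def set_upload_read_ahead(xml_text, size=NEW_SIZE):
    """Return (new_xml_text, old_value). Creates system.webServer/serverRuntime
    when missing; old_value is None if the attribute was not set before."""
    root = _parse(xml_text)
    if root.tag != "configuration":
        raise ValueError("not a web.config: root element is %r" % root.tag)
    web_server = _child(root, "system.webServer")
    if web_server is None:
        web_server = ET.SubElement(root, "system.webServer")
    runtime = _child(web_server, "serverRuntime")
    if runtime is None:
        runtime = ET.SubElement(web_server, "serverRuntime")
    old = runtime.get("uploadReadAheadSize")
    runtime.set("uploadReadAheadSize", str(size))
    return ET.tostring(root, encoding="unicode"), old


def read_upload_read_ahead(xml_text):
    """Current uploadReadAheadSize value, or None when the element/attribute is absent."""
    web_server = _child(_parse(xml_text), "system.webServer")
    runtime = _child(web_server, "serverRuntime") if web_server is not None else None
    return None if runtime is None else runtime.get("uploadReadAheadSize")


def patch_file(path, size=NEW_SIZE):
    """Rewrite one web.config on disk after saving a .bak copy; returns the old value."""
    shutil.copy2(path, path + ".bak")
    with open(path, encoding="utf-8-sig") as f:      # utf-8-sig strips a BOM if present
        text = f.read()
    new_text, old = set_upload_read_ahead(text, size)
    with open(path, "w", encoding="utf-8") as f:
        f.write('<?xml version="1.0" encoding="utf-8"?>\n' + new_text + "\n")
    return old


if __name__ == "__main__":
    # Usage: python fix_readahead.py <path to ews\web.config> <path to autodiscover\web.config>
    for p in sys.argv[1:]:
        print(p, "was", patch_file(p), "now", NEW_SIZE)
```

Run it with the two paths from item 3 as arguments; each file is backed up to web.config.bak, and an IIS reset (or a recycle of the EWS and Autodiscover app pools) is still needed afterwards for the new limit to take effect.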

https://support.microsoft.com/en-hk/help/2802568/internet-information-services-iis-8-may-reject-client-certificate-requests-with-http-403.7-or-403.16-errors

https://support.microsoft.com/en-hk/help/2795828/lync-server-2013-front-end-service-cannot-start-in-windows-server-2012

Reference

Step 11. Enable CBA on the ActiveSync website from an elevated command prompt.
a. APPCMD.EXE set config "EAS_CBA/Microsoft-Server-ActiveSync" -section:system.webServer/security/authentication/clientCertificateMappingAuthentication /enabled:"True" /commit:apphost

Additional EAS vDir creation

In Exchange Mgmt shell:

Command: New-ActiveSyncVirtualDirectory -WebSiteName "EAS_CBA" -ExternalUrl https://mailcba.domain.com/Microsoft-Server-ActiveSync -Server servername -InternalURL https://mailcba.domain.com/Microsoft-Server-ActiveSync

Setup Procedure Reference

http://www.o-xchange.com/p/configuring-exchange-active-sync-for.html

https://blogs.technet.microsoft.com/exchange/2012/11/28/configure-certificate-based-authentication-for-exchange-activesync/

http://i-evgeny.blogspot.hk/2015/09/exchange-2013-413-request-entity-too.html

Microsoft EMS Intune – WP8.1 / Windows 10 PC – ADFS / MFA Registration strange loop incident


This is absolutely one of those things where M$ is playing with you. About three months in, nobody could tell me anything relevant. As far as I understand it: Azure Cloud MFA and the on-premises MFA Server do not coexist, but the MFA option in the Intune portal only looks at Cloud MFA. Hence the problem… And this option only affects WP / Windows PCs… Damn M$…

If you use ADFS with MFA configured, the checkbox below must NOT be ticked!


PS. 04/May/2016, a late answer. Finally found you…

How to configure multi-factor authentication in Microsoft Intune – Part 2: The single sign-on method

"Note: It's important to not configure any additional multi-factor authentication settings. Not in the global authentication policy and not in the Microsoft Office 365 Identity Platform authentication policy. Configuring these settings will cause multi-factor authentication to be triggered for more than just the device enrollment in Microsoft Intune."


ADFS 3.0 -> MFA Setup Configuration


Since M$ challenged me, saying that with ADFS you'd better use on-premises MFA. (The follow-up question to M$ was why Cloud MFA cannot bypass MFA for intranet IPs.)

The simplest way is to install the MFA Server on the same box as ADFS. For the installation and most of the configuration, the URL below is the one to follow; it's more convenient than the official Microsoft article.

Reference

https://4sysops.com/archives/azure-multi-factor-authentication-part-7-securing-ad-fs/

But, be warned: the MFA User Portal will inexplicably refuse logins, and can even break the ordinary ADFS page. It comes down to rebooting the server more often during the installation…….

Lastly, the classic: Microsoft's article is riddled with errors. You have to assemble the PowerShell command yourself, and guess which symbol is meant to wrap the parameters…

” ?
‘ ?
` ?

The information for registering the ADFS adapter with the MFA Server is missing. I only found it, by pure luck, on another WordPress blog.

"Between <WebServiceSdkUrl> and </WebServiceSdkUrl>, enter the address for the Web Service SDK on (one of) your Multi-Factor Authentication Server installation(s). By default, this address is https://<FQDN>/MultiFactorAuthWebServiceSDK" (/pfwssdk.asmx) <- they had the nerve to leave off the tail and not mention it at all. Result: a whole day wasted finding out why!


In the end: problem solved!