Microsoft EMS Intune – WP8.1 / Windows 10 PC – ADFS / MFA Registration strange looping incident


This one is definitely something M$ is toying with us on. It has been about three months now and nobody has been able to tell me anything relevant. From what I understand: Azure Cloud MFA and the On-Premises MFA Server do not coexist, but the MFA option in the Intune Portal only looks at Cloud MFA. Hence the problem... And this option only affects WP / Windows PC... Damn M$...

If you use ADFS and have MFA set up, the checkbox below must NOT be ticked!@#$%^&*()_

PS. 04/May/2016 A late answer. Finally found you…

How to configure multi-factor authentication in Microsoft Intune – Part 2: The single sign-on method

"Note: It's important to not configure any additional multi-factor authentication settings. Not in the global authentication policy and not in the Microsoft Office 365 Identity Platform authentication policy. Configuring these settings will cause multi-factor authentication to be triggered for more than just the device enrollment in Microsoft Intune."
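A quick way to confirm the point in that note on your own AD FS 3.0 farm. This is an added example, not code from the original post or from the article quoted above; it only reads the AD FS global authentication policy and the Office 365 relying party trust and reports whether either of them carries extra MFA configuration that would trigger MFA beyond Intune enrollment.

```powershell
# Added example (not from the original post): audit where additional (multi-factor)
# authentication is configured on an AD FS 3.0 farm, so that MFA is only triggered
# for Intune device enrollment and not by the global policy or the Office 365 RP trust.
# Run on the primary AD FS server in an elevated PowerShell session.
Import-Module ADFS

# Global policy: should carry no additional authentication provider
$global = Get-AdfsGlobalAuthenticationPolicy
"Global AdditionalAuthenticationProvider : $($global.AdditionalAuthenticationProvider -join ', ')"

# Office 365 relying party trust: should carry no AdditionalAuthenticationRules either
$o365 = Get-AdfsRelyingPartyTrust -Name "Microsoft Office 365 Identity Platform"
"O365 RP AdditionalAuthenticationRules    : $($o365.AdditionalAuthenticationRules)"

$problems = @()
if ($global.AdditionalAuthenticationProvider) { $problems += "global policy has an additional authentication provider" }
if ($o365.AdditionalAuthenticationRules)      { $problems += "Office 365 RP trust has additional authentication rules" }

if ($problems) {
    Write-Warning ("MFA will be triggered for more than Intune enrollment: " + ($problems -join "; "))
} else {
    "No extra MFA configuration found in the global policy or the Office 365 RP trust."
}
```

Run it before and after changing the Intune MFA option so you can see which side (Intune Portal or AD FS policy) is actually forcing the second factor.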

[Screenshot: Intune_Cloud_MFA – the MFA option in the Intune Portal]

ADFS Server SSO / MFA Server Web Portal mysterious outage incident

The exact cause of the problem is unknown, especially for the MFA User Portal: it had been up for a couple of weeks with no issue after being set up, then went down this afternoon.
As for ADFS SSO, it was down because of a misconfigured DNS record for the ADFS server, which is also odd.
Although very likely it was my own fault.

Final conclusions – Intranet DNS zone:
1. ADFS SERVER – in the intranet, the ADFS farm name must resolve to the server itself
2. The published URL must point to the Load Balancer IP
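A check for conclusion 1, to run on each AD FS server after touching the intranet DNS zone. This is an added example and not from the original post; it reads the farm name from the AD FS properties, resolves it through the server's own DNS client and reports whether the answer is the server itself or something else. The load balancer address is a placeholder.

```powershell
# Added example (not from the original post): check, from an AD FS server, that the
# farm name resolves to this server's own IP in the intranet DNS zone rather than to
# the load balancer. Uses the DnsClient and NetTCPIP modules that ship with
# Windows Server 2012 R2; the load balancer address is a placeholder.
Import-Module ADFS
$LoadBalancerIP = '192.0.2.10'   # placeholder, replace with your published VIP

$farmName = (Get-AdfsProperties).HostName
$ownIPs   = (Get-NetIPAddress -AddressFamily IPv4 | Where-Object { $_.IPAddress -notlike '127.*' }).IPAddress
$resolved = (Resolve-DnsName -Name $farmName -Type A -ErrorAction Stop).IPAddress

"Farm name $farmName resolves to: $($resolved -join ', ')"
foreach ($ip in $resolved) {
    if ($ip -in $ownIPs) {
        "  $ip -> this server (expected for the intranet zone)"
    } elseif ($ip -eq $LoadBalancerIP) {
        Write-Warning "  $ip -> load balancer; intranet traffic from this server is balanced back through the LB"
    } else {
        Write-Warning "  $ip -> unknown host; check the intranet DNS record for $farmName"
    }
}
```

If the farm name resolves to the load balancer from the AD FS server itself, that is the symptom described above; fix the A record in the intranet zone rather than on the public DNS.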

ADFS 3.0 -> MFA Setup Configuration


Since M$ challenged me by saying that if you play with ADFS you should use On-Premises MFA to do it properly. (Afterwards I asked M$ why Cloud MFA cannot bypass MFA for intranet IPs.)

The simplest approach is to install the MFA server on the same machine as ADFS. For the installation and most of the configuration, the URL below is the better guide; it is more convenient than the Microsoft official article.

Reference

https://4sysops.com/archives/azure-multi-factor-authentication-part-7-securing-ad-fs/

But it has to be said that the MFA User Portal would go haywire for no reason and users could not log in; it even affected the normal ADFS page, which broke. Mostly a matter of rebooting the server partway through the installation.......

Finally, the classic part: Microsoft's article is full of errors. You have to build the PowerShell command yourself, and which symbol is used to wrap the parameter is guesswork..

” ?
‘ ?
` ?

The information for registering the ADFS adapter into the MFA server is missing. I only found it by sheer luck on another WordPress blog.

"Between <WebServiceSdkUrl> and </WebServiceSdkUrl>, enter the address for the Web Service SDK on (one of) your Multi-Factor Authentication Server installation(s). By default, this address is https://<FQDN>/MultiFactorAuthWebServiceSDK    (/pfwssdk.asmx)" <- They had the nerve to leave off the trailing part without a word. Result: a wasted day figuring out why!@#$%^&*()_
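A check that would have saved that day: read the adapter config back, confirm the WebServiceSdkUrl carries the /pfwssdk.asmx suffix and is HTTPS, and confirm the SDK endpoint actually answers before running the registration script. This is an added example, not from the original post or the MFA Server product; the config file name and install path are assumed to be the MFA Server defaults.

```powershell
# Added example (not from the original post): sanity-check the WebServiceSdkUrl in the
# AD FS adapter config before registering it into the MFA Server. File name and path
# are assumed to be the MFA Server defaults; adjust if your install differs.
$configPath = 'C:\Program Files\Multi-Factor Authentication Server\MultiFactorAuthenticationAdfsAdapter.config'

[xml]$cfg = Get-Content -Path $configPath -Raw
$sdkUrl = $cfg.SelectSingleNode('//WebServiceSdkUrl').InnerText.Trim()
"Configured WebServiceSdkUrl: $sdkUrl"

# The easy-to-miss part: the URL must end in the service file, not just the virtual directory.
if ($sdkUrl -notmatch '/MultiFactorAuthWebServiceSDK/pfwssdk\.asmx$') {
    Write-Warning "WebServiceSdkUrl lacks the /pfwssdk.asmx suffix; the adapter will not find the SDK."
}
if ($sdkUrl -notmatch '^https://') {
    Write-Warning "WebServiceSdkUrl should be HTTPS; the adapter sends MFA Server credentials over it."
}

# Confirm the SDK endpoint actually answers (WSDL) before running the registration script.
try {
    $resp = Invoke-WebRequest -Uri "$sdkUrl?wsdl" -UseDefaultCredentials -UseBasicParsing
    "SDK endpoint reachable, HTTP $($resp.StatusCode)"
} catch {
    Write-Warning "SDK endpoint not reachable: $($_.Exception.Message)"
}
```

If the WSDL request returns 401 rather than 200, the URL is right but the account running the check is not allowed on the Web Service SDK; that is a separate problem from the missing suffix.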

[Screenshot: 2016-01-06 00.51.21]

Finally. Problem solved!

Exchange 2013 OWA/ECP <-> ADFS Authentication

This topic I would definitely rate as the hardest and the most fun thing I have done this year, since SharePoint 2010 years ago.

Since ADFS 3.0 was already in place and SSO with Microsoft O365/Azure was up within two days, I could not think of any reason not to go ahead and do this as well.


The whole setup took three days. The hardest part was the research / adjustment through all the failures along the way.

The reasons it took so long are as follows……

1. Exchange Server 2013: to avoid problems (also discovered it had not been updated for far too long; upgraded from SP1 to CU10)

2. ADFS Server Signing Token Certificate: an absolutely unexpected bonus. It also proved that Azure AD only needs to be updated once, and that this does not affect the existing Federation Trust

Update-MsolFederatedDomain -DomainName

https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect-o365-certs/

http://hazelnest.com/blog/blog/2015/07/05/exchange-2013-using-adfs-to-authenticate/

http://nikpatel.net/2014/12/22/renew-expired-adfs-token-certificates-for-adfs-2-0-and-sharepoint-2013-on-premises/
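Point 2 in working form: read the primary token-signing certificate from AD FS, compare it with what Azure AD currently trusts for the federated domain, and only then push the update once. This is an added example, not from the original post; it needs the ADFS module (run on the AD FS server) and the MSOnline module with Connect-MsolService already done, and the domain name is a placeholder.

```powershell
# Added example (not from the original post): after AD FS rolls to a new token-signing
# certificate, show the current primary thumbprint and push the updated federation
# metadata to Azure AD once. Needs the ADFS module (on the AD FS server) and the
# MSOnline module with Connect-MsolService already run. Domain name is a placeholder.
Import-Module ADFS
$DomainName = 'contoso.nl'   # placeholder; use your federated domain

$signing = Get-AdfsCertificate -CertificateType Token-Signing
$primary = $signing | Where-Object { $_.IsPrimary }
"Primary token-signing thumbprint  : $($primary.Thumbprint)"
$signing | Where-Object { -not $_.IsPrimary } | ForEach-Object { "Secondary token-signing thumbprint: $($_.Thumbprint)" }

# Compare with what Azure AD currently trusts for the domain before touching anything
$fed = Get-MsolDomainFederationSettings -DomainName $DomainName
$azureCert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (, [Convert]::FromBase64String($fed.SigningCertificate))
"Azure AD currently trusts         : $($azureCert.Thumbprint)"

if ($azureCert.Thumbprint -ne $primary.Thumbprint) {
    "Thumbprints differ; updating the federation settings in Azure AD"
    Update-MsolFederatedDomain -DomainName $DomainName
    # Re-read to confirm the trust now carries the new certificate
    $fed = Get-MsolDomainFederationSettings -DomainName $DomainName
    "Azure AD now trusts               : $((New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (, [Convert]::FromBase64String($fed.SigningCertificate))).Thumbprint)"
} else {
    "Azure AD already trusts the primary token-signing certificate; nothing to do."
}
```

Two caveats: if the domain was federated with -SupportMultipleDomain, pass the same switch to Update-MsolFederatedDomain; and Exchange keeps its own copy of the thumbprint in -AdfsSignCertificateThumbprints (see point 3 below), so that has to be updated separately when the AD FS certificate rolls.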

3. Exchange Server Internal/External URL: none of the reference URLs use a .local domain……and this is for configuring Exchange ECP/OWA (ECP must be done first, OWA after) to use ADFS:

$uris = @("https://mail.contoso.nl/owa","https://mail.contoso.nl/ecp")
Set-OrganizationConfig -AdfsIssuer "https://adfs.contoso.nl/adfs/ls/" -AdfsAudienceUris $uris -AdfsSignCertificateThumbprints "FD6C58A0589F398FBDAE144EA0A1A1EDC718EC11"

Get-EcpVirtualDirectory | Set-EcpVirtualDirectory -AdfsAuthentication $true -BasicAuthentication $false -DigestAuthentication $false -FormsAuthentication $false -WindowsAuthentication $false
Get-OwaVirtualDirectory | Set-OwaVirtualDirectory -AdfsAuthentication $true -BasicAuthentication $false -DigestAuthentication $false -FormsAuthentication $false -WindowsAuthentication $false

The URLs defined for both must be the Internal ones. Otherwise it ends in failure…………

[Photo: IMG-20151207-WA0000]
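A verification for the rule just stated, to run in the Exchange Management Shell after the commands above. It is an added example and not from the original post; it checks that each OWA/ECP virtual directory's InternalUrl is one of the AdfsAudienceUris, that ADFS authentication is on, and that the thumbprint Exchange trusts is the one AD FS currently signs with. The AD FS server name is a placeholder.

```powershell
# Added example (not from the original post): verify that the AdfsAudienceUris on the
# Exchange organization match the *internal* OWA/ECP URLs and that the AD FS signing
# thumbprint Exchange trusts is the one AD FS currently uses. Run in the Exchange
# Management Shell; the AD FS thumbprint is read over a remote session to the AD FS
# server, whose name is a placeholder.
$AdfsServer = 'adfs01.corp.example'   # placeholder

$org      = Get-OrganizationConfig
$owa      = Get-OwaVirtualDirectory | Select-Object -First 1
$ecp      = Get-EcpVirtualDirectory | Select-Object -First 1
$audience = $org.AdfsAudienceUris | ForEach-Object { $_.ToString().TrimEnd('/') }

"AdfsIssuer       : $($org.AdfsIssuer)"
"AdfsAudienceUris : $($audience -join ', ')"

foreach ($vdir in @($ecp, $owa)) {
    $name     = $vdir.Name
    $internal = $vdir.InternalUrl.AbsoluteUri.TrimEnd('/')
    if ($audience -contains $internal) {
        "$name : InternalUrl $internal is in AdfsAudienceUris (OK)"
    } else {
        Write-Warning "$name : InternalUrl $internal is NOT in AdfsAudienceUris; ADFS auth will fail for it"
    }
    if (-not $vdir.AdfsAuthentication) { Write-Warning "$name : AdfsAuthentication is not enabled" }
}

# The thumbprint Exchange trusts must be the AD FS primary token-signing certificate
$adfsThumb = Invoke-Command -ComputerName $AdfsServer -ScriptBlock {
    Import-Module ADFS
    (Get-AdfsCertificate -CertificateType Token-Signing | Where-Object { $_.IsPrimary }).Thumbprint
}
if ($org.AdfsSignCertificateThumbprints -contains $adfsThumb) {
    "Exchange trusts the current AD FS token-signing certificate $adfsThumb (OK)"
} else {
    Write-Warning "AD FS primary token-signing thumbprint $adfsThumb is not in AdfsSignCertificateThumbprints"
}
```

The trailing-slash trimming matters: AD FS compares the audience in the token against the relying party identifier as a string, so a mismatch as small as "/owa" versus "/owa/" is enough to produce the failure pictured above.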


Reference

http://nilsvanwoensel.azurewebsites.net/?p=137

PS. Afterword… Because M$'s people challenged me saying that an ADFS server without MFA is not Pro, the next big change will be Azure MFA On-Premises Server with ADFS

Windows 10 Start Button death chronicle

If one day you are using Windows 10 and clicking the Start button does nothing, or you even get "Critical Error: Your start menu isn't working. We'll try to fix it the next time you sign in."

[Screenshot: Windows10_Critical – the "Critical Error" dialog]

Congratulations, you have hit this currently unfixable problem. The only hope is that you enabled System Restore yourself.
I have hit it three times; the first two times a Win 10 Reset, the third time System Restore fixed it... M$!@#$%?&*()

http://answers.microsoft.com/en-us/windows/forum/windows_10-update/win-10-critical-error-your-start-menu-isnt-working/4e89669d-9a26-48f3-8762-d425cb4eb7d5?auth=1

SharePoint 2013 My Site Host setup

Super hard, and very different from the setup done on SharePoint 2010 before.
See the references below.

Before starting the config, the Managed Metadata Service and the User Profile Synchronization Service must be started

https://technet.microsoft.com/en-us/library/gg750257%28v=office.14%29.aspx#farmAcct

My Site Host Setup

https://technet.microsoft.com/en-us/library/ee624362.aspx#timerjobs

http://thuansoldier.net/?p=2326

http://community.bamboosolutions.com/blogs/sharepoint-2013/archive/2013/02/11/how-to-configure-my-site-in-sharepoint-2013.aspx  – Most details

http://blog.sharedove.com/adisjugo/index.php/2012/07/25/visual-guide-setting-up-my-sites-in-sharepoint-2013/

Whether the My Site Host's Document Library integrates with OneDrive remains to be tested….

And once again I forgot that the site root level should not be used…