First try at SAML, the big get-together ….. 1. OKTA 2. Salesforce 3. ADFS


Absolutely a new challenge!!!!!

SAML has always been something I didn't dare touch much. Compared with Kerberos, SAML has XML that I find very hard to read (recursive XML). Just thinking about it scares me. Scary.

Since there's a good chance I'll need to use it soon, as a precaution I decided to let go and take a look at it......

First is finding the IdP (Identity Provider) and SP (Service Provider) to use.
Although ADFS is already available here, ADFS isn't what this build-up will use at the start.

Salesforce is the well-known mainstream Service Provider.. Production costs money, no way. But Developer Edition is free for two users; I haven't found out whether there's support. Super stingy....
Among the IdPs I looked at, OKTA stood out.. It compares better: three apps and a hundred users permanently free, and there's support too. Better.

OK... preparation done.. let's get to work

The rough concept


AD is the identity source. What confused me at first was how the OKTA UserID is set up.
Because before the OKTA Agent is installed and linked to AD, OKTA's own user accounts use the same domain suffix, and the password is just as hard to pin down.
But I found that once the OKTA Agent is installed and the users are matched, only the AD password remains, i.e. there's no need to go creating a local account.

Next, Salesforce hooks up to OKTA.
There's a trap in integrating the two, on the OKTA side. Among the SAML-capable apps there are three Salesforce apps, and "Salesforce.com (Federated ID)" has a problem and doesn't work... So I raised a support case...

The approach at the start is almost the same each time: you have to think about using a separate account as the full-rights admin. For that reason, the account I created for myself in Salesforce uses a different password.
Adding the Salesforce app in OKTA and configuring Single Sign-On inside Salesforce is pretty much just following the steps. So if "Salesforce (Federated ID)" hadn't gone wrong...
it could have been done in two days...

Once set up, both SP-initiated (Salesforce offers multiple auth options) and IdP-initiated (OKTA app list, SSO listed directly) open fine...

Finally, hooking Salesforce up to ADFS.

Not many steps; you still have to add a Single Sign-On setting in the Salesforce portal,
but the trap is the Issuer inside the ADFS server.
When you open the FederationMetadata to look at it:
"https://adfsserver.domain.com/federationMetadata/2007-06/FederationMetadata.xml"


In the ADFS Metadata.xml, the entityID attribute looks the same as the ADFS server web URL, but it's not https, it's http.
Get this one thing wrong and it fails.
The SAML Assertion check will catch the mismatch....
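An added example (not from the original post) of the check that bites here: compare the Issuer the SP is configured with against the entityID in the IdP's FederationMetadata.xml and against the Issuer carried in the SAML Response. The metadata and response below are constructed, cut-down samples with signatures omitted, and the host name is the post's placeholder adfsserver.domain.com; the ADFS default of an http:// entityID while the metadata itself is served over https is exactly the mismatch described above.

```python
"""Added example, not from the original post: check the SP-configured Issuer
against the IdP metadata entityID and the Issuer inside a SAML Response.
Samples are constructed and cut down; signatures are omitted."""
import base64
import xml.etree.ElementTree as ET

MD_NS = "urn:oasis:names:tc:SAML:2.0:metadata"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed stand-in for the ADFS FederationMetadata.xml. The entityID is
# http://..., although the metadata URL itself is served over https.
FEDERATION_METADATA = """<?xml version="1.0"?>
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://adfsserver.domain.com/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://adfsserver.domain.com/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""

# Constructed SAML Response as the browser would POST it to the SP.
SAML_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Issuer>http://adfsserver.domain.com/adfs/services/trust</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>http://adfsserver.domain.com/adfs/services/trust</saml:Issuer>
  </saml:Assertion>
</samlp:Response>"""


def posted_sample() -> str:
    """The constructed response encoded the way it travels in the SAMLResponse form field."""
    return base64.b64encode(SAML_RESPONSE.encode("utf-8")).decode("ascii")


def decode_saml_response(form_value: str) -> str:
    """Decode the base64 SAMLResponse form field (what samltool.com/base64.php does, offline)."""
    return base64.b64decode(form_value).decode("utf-8")


def metadata_entity_id(metadata_xml: str) -> str:
    """Return the entityID attribute of the IdP's EntityDescriptor."""
    root = ET.fromstring(metadata_xml)
    if root.tag != "{%s}EntityDescriptor" % MD_NS:
        raise ValueError("not a SAML EntityDescriptor: %s" % root.tag)
    return root.attrib["entityID"]


def response_issuers(response_xml: str) -> list:
    """Return every Issuer in a Response: the Response-level one and each Assertion's."""
    root = ET.fromstring(response_xml)
    return [el.text.strip() for el in root.iter("{%s}Issuer" % SAML_NS)]


def issuer_matches(configured_issuer: str, metadata_xml: str, response_xml: str) -> bool:
    """True only if the SP-configured Issuer equals the metadata entityID and every
    Issuer in the response. Entity IDs are compared as plain strings, so http vs
    https, a trailing slash or a case difference are all mismatches."""
    expected = metadata_entity_id(metadata_xml)
    if configured_issuer != expected:
        return False
    return all(issuer == expected for issuer in response_issuers(response_xml))


if __name__ == "__main__":
    # Copying the scheme from the browser URL into the SP's Issuer field fails:
    print(issuer_matches("https://adfsserver.domain.com/adfs/services/trust",
                         FEDERATION_METADATA, SAML_RESPONSE))
    # The value taken from the metadata entityID matches:
    print(issuer_matches("http://adfsserver.domain.com/adfs/services/trust",
                         FEDERATION_METADATA, SAML_RESPONSE))
    # Round-trip a POSTed SAMLResponse value the way the troubleshooting tool does:
    print(response_issuers(decode_saml_response(posted_sample())))
```

When debugging a real failure, paste the SAMLResponse form value into decode_saml_response and compare its Issuer with the entityID pulled from the live metadata URL rather than with whatever is typed into the SP's Issuer field.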

Done! That's it

Reference:

Salesforce integration with OKTA

http://saml-doc.okta.com/SAML_Docs/How-to-Configure-SAML-2.0-in-Salesforce.html

Salesforce integration with ADFS 3.0

https://developer.salesforce.com/page/Single_Sign-On_with_Force.com_and_Microsoft_Active_Directory_Federation_Services

Troubleshooting Tools

https://www.samltool.com/base64.php

SharePoint 2013 – SAML Auth


Compared with Kerberos, SAML is absolutely something I don't understand but just follow along and do. There were almost no changes to the SharePoint 2013 already running; I only needed to Extend one of the Web Applications as the target. The rest was just editing the sample syntax. The sample has minor typos, but nothing fatal.

Reference

http://summit7systems.com/beginners-guide-to-claims-based-authentication-ad-fs-3-0-and-sharepoint-2013-part-iii-configuring-sharepoint-2013-for-ad-fs/

https://technet.microsoft.com/en-us/library/hh305235.aspx

The painful AD Upgrade/Phase Out, Exchange 2003/2007 Removal.


Because I'd never done this before, the steps were wrong.

First mistake: in the AD site, you shouldn't dcpromo the DC before decommissioning Exchange 2003/2007...... Because of this stupid approach, the Exchange 2003 had to be forcibly deleted in ADSIEdit..., the server removed from the registry... truly too dumb for words.
Second mistake: Public Folders... How the replicas for these are handled differs between having Exchange 2003/2007 and now only having 2010... Until at last I found someone talking about it.. Damn!@#$%?&*(!   M$  !!!

Finally (not my fault).... removing Exchange 2007... gave me yet another error to look at

“Error: Unable to create IIS (Internet Information Service) directory entry. Error Message is: Exception from HRESULT: 0x80005008. HResult = -2147463160”

In %SystemRoot%/System32/inetsrv/metabase.xml .. there are three lines with IpSecurity="" ; all of them have to be deleted before Exchange 2007 can be uninstalled...
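An added example (not from the original post) of doing that edit safely instead of by hand: it strips the empty IpSecurity="" attributes out of a metabase.xml, keeps a timestamped backup and reports how many lines went. The sample metabase content below is constructed and cut down to three such attributes; the real file lives at %SystemRoot%\System32\inetsrv\metabase.xml and must only be edited with the IIS Admin service stopped or direct metabase edit enabled, which this script does not do for you.

```python
"""Added example, not from the original post: remove empty IpSecurity=""
attributes from an IIS 6 metabase.xml with a backup and a count of what was
removed. SAMPLE_METABASE is constructed; stop IISADMIN before touching the
real file."""
import re
import shutil
import tempfile
from datetime import datetime
from pathlib import Path

# In metabase.xml every attribute sits on its own line, so an empty IpSecurity
# attribute can be dropped as a whole line (CRLF or LF).
EMPTY_IPSECURITY_LINE = re.compile(r'^[ \t]*IpSecurity=""[ \t]*\r?\n', re.MULTILINE)

# Constructed, cut-down metabase.xml carrying three empty IpSecurity attributes.
SAMPLE_METABASE = """<?xml version="1.0"?>
<configuration xmlns="urn:microsoft-catalog:XML_Metabase_V64_0">
<MBProperty>
	<IIsWebServer	Location ="/LM/W3SVC/1"
		IpSecurity=""
		ServerComment="Default Web Site"
	>
	</IIsWebServer>
	<IIsWebVirtualDir	Location ="/LM/W3SVC/1/ROOT/owa"
		IpSecurity=""
		Path="C:\\Program Files\\Microsoft\\Exchange Server\\ClientAccess\\owa"
	>
	</IIsWebVirtualDir>
	<IIsWebVirtualDir	Location ="/LM/W3SVC/1/ROOT/Exchange"
		IpSecurity=""
		Path="C:\\Program Files\\Exchsrvr\\exchweb"
	>
	</IIsWebVirtualDir>
</MBProperty>
</configuration>
"""


def strip_empty_ipsecurity(text: str):
    """Return (patched_text, number_of_lines_removed)."""
    return EMPTY_IPSECURITY_LINE.subn("", text)


def patch_metabase(path: Path) -> int:
    """Back up `path` beside itself, then rewrite it without the empty IpSecurity
    lines. Returns the number of lines removed and leaves the file alone if none
    were found. Bytes in, bytes out, so CRLF line endings survive untouched."""
    original = path.read_bytes().decode("utf-8")
    patched, removed = strip_empty_ipsecurity(original)
    if removed == 0:
        return 0
    stamp = datetime.now().strftime("%Y%m%d-%H%M%S")
    shutil.copy2(path, path.with_name(f"{path.name}.{stamp}.bak"))
    path.write_bytes(patched.encode("utf-8"))
    return removed


def demo_on_temp_copy() -> dict:
    """Write the constructed sample (with CRLF, as on Windows) to a temp dir,
    patch it and report the outcome."""
    with tempfile.TemporaryDirectory() as tmp:
        target = Path(tmp) / "metabase.xml"
        target.write_bytes(SAMPLE_METABASE.replace("\n", "\r\n").encode("utf-8"))
        removed = patch_metabase(target)
        after = target.read_bytes().decode("utf-8")
        return {
            "removed": removed,
            "ipsecurity_left": 'IpSecurity=""' in after,
            "backup_written": len(list(Path(tmp).glob("metabase.xml.*.bak"))) == 1,
            "crlf_kept": "\r\n" in after,
        }


if __name__ == "__main__":
    print(demo_on_temp_copy())
    # Real run: patch_metabase(Path(r"C:\Windows\System32\inetsrv\metabase.xml"))
```

Compare the returned count with the three lines you expect before restarting IIS; a count of zero means the pattern did not match and the file was not rewritten.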

Shit !@#$%^&*()_

Reference Information:

The Resolution

I spoke to a Microsoft Exchange architect named Indarraaj. He informed me that this error is by design. You can only have one Exchange 2003 and one Exchange 2007 server as a replica at these parent-level public folders. However, if you look at the sub folders, it is possible to add all your servers as replicas. As long as you add all your servers as replicas to your sub folders you will be fine.

I asked him why this was not documented on the internet anywhere, as I did research this pretty intensively and there was hardly any information! He said there is a KB article for this; however, it is a Microsoft internal KB which is not available externally to the public! I think this is pretty strange: if this error is by design, shouldn't Microsoft at least document this if every Exchange organisation around the world experiences this issue at a given time when migrating from Exchange 2003 to 2007?

Anyway, all in all just check the child public folders and ensure that the replicas are set right on them.

http://clintboessen.blogspot.hk/2009/06/cannot-add-replicas-to-certain-system.html

https://social.technet.microsoft.com/Forums/exchange/en-US/18fbfc64-eae5-4660-8f7e-b57f35dc862e/iis-ip-restriction-on-cas-server-destroys-it?forum=exchangesvrgenerallegacy

MFA Server upgrade 6.3.1 > 7.0.2. Realised too late ~ fell into a trap ~


Nothing needs saying ~ moving from .NET 2.0 to .NET 4.0, the ADFS Adapter was renamed; you have to uninstall with the old source first, then install again with the new source, then register the adapter again...
M$ memo: you sure know how to play.... ~!@#$%?&*()

Reference site:

http://c7solutions.com/2016/04/upgrading-azure-multi-factor-authentication-server

http://c7solutions.com/2016/04/upgrading-mfa-6-3-1-to-version-7

Microsoft EMS Intune – WP8.1 / Windows 10 PC – ADFS / MFA Registration strange looping incident


This is absolutely something I have to say M$ is toying with us on. By now it's been about three months, and nobody can tell me anything related. As far as I understand it: Azure Cloud MFA and the On-Premises MFA Server do not coexist, but the MFA option in the Intune Portal only looks at Cloud MFA. Hence the trouble... And this option.. only reacts to WP / Windows PC... Damn you M$...

If you use ADFS and have MFA set up, the checkbox below absolutely must not be ticked!@#$%^&*()_

PS. 04/May/2016 A belated answer. Finally found you...

How to configure multi-factor authentication in Microsoft Intune – Part 2: The single sign-on method

“Note: It's important to not configure any additional multi-factor authentication settings. Not in the global authentication policy and not in the Microsoft Office 365 Identity Platform authentication policy. Configuring these settings will cause multi-factor authentication to be triggered for more than just the device enrollment in Microsoft Intune.”


Postfix incoming/outgoing mail routing, hands-on


I've played with the Linux server for my own domain for so many years and never really thought about using more machines to form an infra. This week the need finally appeared: I have to prepare Zimbra, and that calls for this approach.

That's because I didn't want to waste the CentOS server built N years ago: it serves as the SMTP gateway, and no new DNS records need registering. I've done outbound SMTP relay plenty of times, but inbound is absolutely a first.

The process took a whole day, but once understood it can absolutely be taken much further.

Basic requirements..
Under the same domain, email for the upcoming Zimbra is routed (relayed) in through the old server (gateway), and outbound is relayed out the same way.
The one exception: the old server already has its own accounts in use, which must be kept, so their email must not be routed away as well.

First, in the postfix config /etc/postfix/main.cf, add this line: "transport_maps = hash:/etc/postfix/transport"

Then the main act: at the bottom of /etc/postfix/transport, add the following.
The email address you want to keep and not route, which is then received on your own machine:

  • user@example.com     local:$myhost

The rest of the whole domain is relayed to the back end

  • example.com      relay:[Zimbra FQDN]

Once done, just run postmap /etc/postfix/transport once.
Then reload postfix and it's OK.
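An added example (not from the original post) that builds the transport table described in the steps above and emulates Postfix's transport_maps lookup order from transport(5), with the default parent_domain_matches_subdomains so a domain entry also covers its subdomains. It shows why the exempted mailbox stays on the gateway while everything else in the domain goes to Zimbra, and what happens to an address with a +extension or in a subdomain. Host names are placeholders, and the exempt entry uses local: with an empty nexthop because transport(5) ignores the nexthop for local delivery; Postfix itself is not needed to run it.

```python
"""Added example, not from the original post: the transport table from the
post, plus an emulation of Postfix's transport_maps lookup order per
transport(5). Host names are placeholders."""

TRANSPORT_TABLE = """# mailboxes that must stay on this gateway: local delivery, nexthop ignored
user@example.com        local:
# everything else in the domain goes to Zimbra; [] suppresses the MX lookup
example.com             relay:[zimbra.example.com]
"""

DEFAULT_TRANSPORT = "smtp"   # Postfix default_transport when nothing matches


def parse_transport(text: str) -> dict:
    """Parse transport(5) text into {lookup_key: 'transport:nexthop'}.
    postmap folds keys to lowercase, so we do the same."""
    table = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        table[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return table


def lookup_keys(address: str, recipient_delimiter: str = "+") -> list:
    """Keys Postfix tries, in order, for a recipient: user+ext@domain,
    user@domain, domain and each parent domain, user+ext@, user@, then '*'."""
    address = address.lower()
    if "@" in address:
        localpart, domain = address.rsplit("@", 1)
    else:
        localpart, domain = address, ""
    user = localpart.split(recipient_delimiter, 1)[0]
    has_ext = user != localpart
    keys = []
    if domain:
        if has_ext:
            keys.append(f"{localpart}@{domain}")
        keys.append(f"{user}@{domain}")
        labels = domain.split(".")
        keys.extend(".".join(labels[i:]) for i in range(len(labels)))
    if has_ext:
        keys.append(f"{localpart}@")
    keys.append(f"{user}@")
    keys.append("*")
    return keys


def resolve(address: str, table: dict) -> tuple:
    """Return (matched_key, transport, nexthop); falls back to default_transport
    with an empty nexthop when no key matches."""
    for key in lookup_keys(address):
        if key in table:
            transport, _, nexthop = table[key].partition(":")
            return key, transport, nexthop
    return None, DEFAULT_TRANSPORT, ""


def transport_for(address: str) -> str:
    """'transport:nexthop' for an address under TRANSPORT_TABLE."""
    _, transport, nexthop = resolve(address, parse_transport(TRANSPORT_TABLE))
    return f"{transport}:{nexthop}"


if __name__ == "__main__":
    for addr in ("user@example.com", "User+vacation@Example.com",
                 "other@example.com", "someone@sub.example.com", "x@other.org"):
        print(f"{addr:28} -> {transport_for(addr)}")
    # On the gateway, after editing the file:
    #   postmap /etc/postfix/transport && postfix reload
    # and check a single address with: postmap -q other@example.com hash:/etc/postfix/transport
```

The order matters for the exception: the full-address key is tried before the domain key, so user@example.com wins over the example.com relay entry, and user+anything@example.com still lands locally because Postfix strips the extension before the user@domain lookup.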

The funny thing is that while testing, local DNS suddenly couldn't resolve the machine next door... The cause in the end was a mistake in the DNS zone file...

Reference

transport(5): Postfix transport table format – Linux man page

Postfix manual – transport(5)

ADFS Server SSO / MFA Server Web Portal mysterious outage incident


The detailed cause of the problem is unknown; in particular, the MFA User Portal had never shown it in the week or so since it was built, then it hit straight away this afternoon.
As for ADFS SSO, the ADFS Server DNS record misconfiguration is also odd,
although there's a good chance it was my own fault.

The conclusions reached. – Intranet DNS Zone
1. ADFS SERVER – the ADFS farm name on the intranet must be the server itself
2. The Published URL must be the Load Balancer IP

ADFS 3.0 -> MFA Setup Configuration


Because M$ threw down the challenge that playing with ADFS is only really good with On-Premises MFA. (Later on I'll be asking M$ why Cloud MFA can't do an intranet IP bypass of MFA)

The simplest approach is to install the MFA server on the same machine as ADFS. For installation and most of the configuration, the URL below is the one to follow; it's more convenient than the Microsoft official article.

Reference

https://4sysops.com/archives/azure-multi-factor-authentication-part-7-securing-ad-fs/

But it has to be mentioned that the MFA User Portal can go haywire out of nowhere so you can't log in, and it even affects the normal ADFS page, which breaks. Rebooting the server in the middle of the installation is asking for trouble......

Finally, the most classic part: Microsoft's article is riddled with errors. You have to assemble the PowerShell command yourself, and you have to guess which symbol wraps the parameters...

” ?
‘ ?
` ?

The information on registering the ADFS Adapter into the MFA Server is missing. It was pure luck that I saw it on another WordPress blog.

Between <WebServiceSdkUrl> and </WebServiceSdkUrl>, enter the address for the Web Service SDK on (one of) your Multi-Factor Authentication Server installation(s). By default, this address is https://<FQDN>/MultiFactorAuthWebServiceSDK    (/pfwssdk.asmx) <- They had the nerve to leave off the tail without a word. The result: a whole day wasted finding out why!@#$%^&*()_


Finally. Problem solved!