Traffic Manager Endpoint monitor and ADFS /adfs/probe

Microsoft Azure, Windows

Microsoft has a very nice post on how to set up Traffic Manager in front of an ADFS farm for high availability, where both sites are in Azure but in different geographic locations, or one is in Azure and one is on premises. The article is located here: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-adfs-in-azure-with-azure-traffic-manager. What the article lacks is how to set up proper ADFS monitoring that covers both the WAP and the ADFS service; at the moment it only goes into detail on monitoring the WAP service.

So this post will go over how to configure your environment so that the Traffic Manager health probe reports the status of both WAP and ADFS.

Some info before we begin:

  • The solution is achieved by monitoring /adfs/probe/ on the ADFS server through the WAP proxy.
  • The solution will report a failure if the WAP proxy is not forwarding or the ADFS service is down, so we are monitoring the whole chain.
  • It will work if you have an external load balancer in front of the WAP servers and an internal one in front of the ADFS servers. For simplicity I will outline how it is done on the non-load-balanced setup, but the procedure is the same for both.
  • You can't monitor /adfs/probe on the WAP server, as that will only give you the status of the WAP server.
  • You can create a rule on the WAP server to redirect /adfs/probe to the ADFS server, but it will get ignored and still show you the status of the WAP server.
  • I tested this on Server 2016, but it will work for 2012 R2 as well.
  • If you are using 2012 R2, make sure you update your WAP to the latest version so it can forward HTTP traffic.
  • We use HTTP because it avoids certificate problems and because Traffic Manager does not support SNI.
  • You can't monitor "/federationmetadata/2007-06/federationmetadata.xml" because, with the Traffic Manager setup, the probe reaches ADFS under a different DNS name, so the request will not be forwarded.

Essentially this is what we are doing:

(diagram: adfs_probe_check)

Once you have set up the environment as per Microsoft's article above, we need to do the following.

The variables for my test environment:

  • ADFS URL and Federation Service Name – test123.blah.local
  • Traffic Manager DNS – adfstest.trafficmanager.net
  • WAP server public IP DNS (this can be replaced by a load balancer) – http://mytestadfsa.westeurope.cloudapp.azure.com
  • Custom monitor path (you can choose anything but the default, which is /adfs/) – /adfsprobe/

The Steps:

  • Change the Traffic Manager configuration so that endpoint monitoring points at our custom monitor path.

(screenshot: configuration-microsoft-azure)

  • Create an HTTP rule on the WAP server in the Remote Access Management Console to forward (via pass-through) the WAP DNS plus our custom monitor path to the ADFS server. I assume that your WAP server's hosts file has been modified to point the ADFS URL to the ADFS internal IP or load balancer IP.

(screenshot: wap-rule)

(screenshot: iis-url-rewrite)

  • The rule to be created is a Reverse Proxy rule with the following settings:

(screenshot: arp-rule)

  • And finally, change your public DNS record and create a CNAME for your ADFS URL (test123.blah.local) pointing to the Traffic Manager DNS name (adfstest.trafficmanager.net).

And you are done.
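As an added check that is not part of the original post, the script below requests the three probe URLs so you can see the difference between /adfs/probe on the WAP host (WAP status only) and the custom path that is passed through to ADFS, and then sets the Traffic Manager monitor to that path with the Az.TrafficManager module. The host names are the test-environment values from this post; the profile and resource group names are placeholders.

```powershell
# Added example (not from the original post). Checks the probe chain and sets
# the Traffic Manager monitor path. Profile/resource group names are placeholders.
$WapPublicDns  = 'mytestadfsa.westeurope.cloudapp.azure.com'
$TrafficMgrDns = 'adfstest.trafficmanager.net'
$ProbePath     = '/adfsprobe/'   # custom path that WAP passes through to ADFS /adfs/probe

function Test-ProbeUrl {
    param([string]$Url)
    # Anything other than HTTP 200 (or a connection failure) counts as unhealthy,
    # which is also how the Traffic Manager HTTP monitor treats an endpoint.
    try {
        $r = Invoke-WebRequest -Uri $Url -Method Get -UseBasicParsing -TimeoutSec 10
        [pscustomobject]@{ Url = $Url; Healthy = ($r.StatusCode -eq 200); Detail = $r.StatusCode }
    } catch {
        [pscustomobject]@{ Url = $Url; Healthy = $false; Detail = $_.Exception.Message }
    }
}

# 1. /adfs/probe on the WAP host only reflects WAP itself (see the notes above).
Test-ProbeUrl "http://$WapPublicDns/adfs/probe"
# 2. The custom path is passed through to ADFS, so it fails if WAP OR ADFS is down.
Test-ProbeUrl "http://$WapPublicDns$ProbePath"
# 3. The same check through the Traffic Manager name, i.e. what clients resolve.
Test-ProbeUrl "http://$TrafficMgrDns$ProbePath"

# Point the Traffic Manager endpoint monitor at the custom path over plain HTTP
# (assumes Connect-AzAccount has been run and the profile already exists).
$tm = Get-AzTrafficManagerProfile -Name 'adfstest' -ResourceGroupName 'rg-adfs'
$tm.MonitorProtocol = 'HTTP'
$tm.MonitorPort     = 80
$tm.MonitorPath     = $ProbePath
Set-AzTrafficManagerProfile -TrafficManagerProfile $tm
```

If check 2 fails while check 1 succeeds, the WAP pass-through rule or the reverse proxy rule is the place to look, not the ADFS service itself.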

PowerShell Add-Computer error when executed remotely

Windows

When you execute the PowerShell command Add-Computer -DomainName "contoso.com" -Credential $domainjoinuser -Restart remotely or in a non-interactive environment, you may get the following error:

The root of the problem (given that your password is correct) is that when you run things interactively the domain is prepended automatically, so you only need to provide the user name. In a non-interactive environment the domain is not known. The fix is very simple: make sure you include either the short domain name, as in "contoso\DMAdmin", or the full UPN, as in "DMAdmin@contoso.com". The error occurred for me when running an Azure custom script that called a PowerShell script non-interactively.

The ACL RemoveAccessRule Not Working

Windows

If you try to modify an ACL via PowerShell and the RemoveAccessRule method is not working (by that I mean you run it, no errors come up, but the rules are not being removed), the problem is that inheritance is turned on and you are trying to remove a rule that is obtained through inheritance. To fix this you first need to disable inheritance, save the ACL, and then get the ACL again. After that the remove will work. Code can be found below:
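The following is an added example, not the original post's code: it wraps the three steps described above (break inheritance, save, re-read) in a function and verifies the result. The folder path and the identity are constructed values.

```powershell
# Added example (not the post's own code). Path and identity are constructed.
function Remove-InheritedAccessRule {
    param([string]$Path, [string]$Identity)

    $acl    = Get-Acl -Path $Path
    $target = $acl.Access | Where-Object { $_.IdentityReference.Value -eq $Identity }
    if (-not $target) { Write-Warning "No rule for $Identity on $Path"; return $null }

    if ($target | Where-Object IsInherited) {
        # RemoveAccessRule silently does nothing for inherited entries, so break
        # inheritance first. ($true, $true) = protect from inheritance AND copy the
        # inherited entries as explicit ones, so effective access does not change yet.
        $acl.SetAccessRuleProtection($true, $true)
        Set-Acl -Path $Path -AclObject $acl

        # Re-read the ACL: the copied rules now have IsInherited = False
        $acl    = Get-Acl -Path $Path
        $target = $acl.Access | Where-Object { $_.IdentityReference.Value -eq $Identity }
    }

    foreach ($rule in $target) {
        # RemoveAccessRule returns $true only when a matching explicit rule was removed
        if (-not $acl.RemoveAccessRule($rule)) {
            Write-Warning "Could not remove $($rule.FileSystemRights) for $Identity"
        }
    }
    Set-Acl -Path $Path -AclObject $acl

    # Return whatever is left for the identity; an empty result means success
    (Get-Acl -Path $Path).Access | Where-Object { $_.IdentityReference.Value -eq $Identity }
}

Remove-InheritedAccessRule -Path 'C:\Data\Shared' -Identity 'BUILTIN\Users'
```

Once inheritance is broken, permission changes made on the parent folder no longer flow down to this path, so document the exception or you will be hunting it again during the next permissions audit.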


New Virtual Disk Error “UseMaximumSize” (Storage Pool)

Windows

This is a heads-up post for anyone who is creating a new virtual disk from a storage pool in Storage Spaces. If you are creating a disk and want to use the "maximum size" parameter, you have to make sure that the provisioning type is set to Fixed and not Thin. This is normal, expected behaviour: a Thin disk expands automatically and takes space as it needs it, so you can't pre-allocate 100% of the size and need to specify an initial disk size instead. For a fixed-size disk ("-ProvisioningType Fixed") you can use the "-UseMaximumSize" parameter.

The unfriendly PowerShell error:

The GUI Error:

(screenshot: virtualdisk-error)

Web Application Proxy Event ID 12019 – (0x8007007b)

Windows

For anyone who has received the WAP error below, especially on Server 2016, please make sure that the published application name does not contain any forward slashes ("/").

It seems to accept other characters, for example "wqe.()-_\sdfds123"££$%%", but not forward slashes.


Microsoft Dynamics NAV 2015 Wildcard Certificate Problem

Windows

I had a problem the other day trying to get Dynamics NAV 2015 to work with a wildcard certificate. While the server started OK, clients couldn't connect and the error message at the end of this post appeared. The problem seems to be that you need to define the DnsIdentity on all clients; the client application apparently can't match wildcard DNS names automatically, so you have to define it yourself. The downside is that every client needs this modification, whereas with normal certificates clients connect automatically. So if you do decide to go down this route, be aware of this. The fixes are described below.

To fix it on the client side:

Modify "C:\Users\username\AppData\Roaming\Microsoft\Microsoft Dynamics NAV\80\ClientUserSettings.config" to include the proper certificate name for DnsIdentity:

To fix it on the Nav Server Web Instance:

Modify the web.config of your NAV web instance (for example under "C:\inetpub\wwwroot\Mynav") to include the proper certificate name for DnsIdentity:

You can also run the PowerShell command from the NAV PowerShell shell:


The error on the NAV web instance or client:

How To Install Oracle Instant Client v12 For Xampp v7, v5.5 & v5.6 (Windows)

Windows

Below you will find the instructions on how to install, configure and enable the Oracle Instant Client for XAMPP v7, v5.5 and v5.6.

  1. Download and install XAMPP from https://www.apachefriends.org/download.html
  2. Modify the php.ini in "C:\xampp\php"
    • Uncomment the following line: ";extension=php_oci8_12c.dll  ; Use with Oracle Database 12c Instant Client"
    • Restart Apache
  3. Download the 32-bit Oracle Instant Client (PHP is 32-bit, so there is no need for the 64-bit build) from http://www.oracle.com/technetwork/topics/winsoft-085727.html
    • You need both the Instant Client Package – Basic and the Instant Client Package – SDK
    • Unzip them into "C:\php-sdk\oracle\x86\instantclient_12_1" and "C:\php-sdk\oracle\x86\instantclient_12_1\sdk" respectively
  4. Add the directory "C:\php-sdk\oracle\x86\instantclient_12_1" to the Windows Path variable
    • Under System Properties click Environment Variables
    • (screenshot: system-properties)
    • Edit the Path variable
    • (screenshot: environment-variables)
    • You need to reboot Windows
  5. (Optional) If you want to specify the Oracle connections in the tnsnames.ora file:

That's it 🙂


ADFS 3.0 Cancel Button Redirection and Password Change Link

Windows

ADFS 3.0 Cancel Button Redirection

I got asked the other day if I could get the ADFS Cancel button on the Update Password page (expired password) to redirect back to the original page. After some searching I found a lot of people asking for this feature but no solutions. So below is my own coded solution to the problem; all you need to do is add it to the end of onload.js. Instructions are below the code.

The code will work with:

  • All JavaScript-enabled browsers
  • Any domain
  • Expired-password redirection
  • All endpoints:
    • /adfs/ls/idpinitiatedsignon.aspx
    • /adfs/oauth2/authorize
    • /adfs/ls/

Use the following steps when customizing onload.js for the AD FS service (note: these steps are taken from https://technet.microsoft.com/en-us/library/dn636121.aspx).

Customizing onload.js for the AD FS Service

  1. To add your custom logic to onload.js, you first need to create a custom web theme. The theme that ships out of the box is called Default. You can export the default theme and use it as a starting point. The following cmdlet creates a custom web theme that duplicates the default web theme:

  2. You can then export the custom or default web theme to get the onload.js file. To export a web theme, use the following cmdlet:

    You will find onload.js under the script folder in the directory that you specified in the export cmdlet above; add your custom logic to that script (see the use cases in the Example section below).

  3. Make the necessary modifications to onload.js based on your needs.

  4. Update the theme with the modified onload.js. Use the following cmdlet to apply the updated onload.js to the custom web theme:

  5. To apply the custom web theme to AD FS, use the following cmdlet:

Password Change Link

So with the above implementation (which works great for expired passwords) we also needed to modify our password change link for any users wanting to change their password via ADFS before it expires, as shown in the screenshot below:

(screenshot: adfs-password-change-link-screen)

The code below will give you exactly that ability; implementation instructions are located below it. You only need to modify the text inside the <p> </p> tags to whatever suits your needs. Please leave the link section <a onclick="RedirecToPSChange()" href="#"> as is, or the script will not work.

The above code can be loaded easily by running Set-ADFSGlobalWebContent and passing the whole markup. Tip: use single quotes, as shown below:
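The five theme steps above and the Set-ADFSGlobalWebContent call, written out as an added example with the AD FS cmdlets (this is not the post's own script, which is not reproduced here). The theme name, export folder, the logic appended to onload.js and the link wording are placeholders; that the link belongs in the sign-in page description text is my assumption.

```powershell
# Added example (not the post's own commands). Theme name, export folder and the
# appended logic are placeholders; replace them with your real onload.js changes.
Import-Module ADFS

$ThemeName = 'custom'
$ExportDir = 'C:\theme'

# Step 1: duplicate the built-in "Default" theme
New-AdfsWebTheme -Name $ThemeName -SourceName default

# Step 2: export it; onload.js lands in $ExportDir\script\onload.js
Export-AdfsWebTheme -Name $ThemeName -DirectoryPath $ExportDir

# Step 3: append your custom logic to the END of onload.js (placeholder comment here)
$OnLoad = Join-Path $ExportDir 'script\onload.js'
Add-Content -Path $OnLoad -Value "`n// custom logic goes here`n"

# Step 4: push the modified file back into the theme under its portal URI
Set-AdfsWebTheme -TargetName $ThemeName -AdditionalFileResource @{
    Uri  = '/adfs/portal/script/onload.js'
    path = $OnLoad
}

# Step 5: activate the theme
Set-AdfsWebConfig -ActiveThemeName $ThemeName

# Password change link: the markup is wrapped in single quotes so the double quotes
# inside the <a> tag survive; the onclick must stay exactly as the post shows it.
Set-AdfsGlobalWebContent -SignInPageDescriptionText '<p>Need to change your password before it expires? <a onclick="RedirecToPSChange()" href="#">Click here</a></p>'
```

The portal serves the file from the theme, not from $ExportDir, so re-run step 4 after every edit to onload.js or the change will not show up.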

(screenshot: adfs-password-change-link)

ADFS 3.0 default login domain

Windows

The script below is a modification of the Microsoft script found here: https://technet.microsoft.com/en-us/library/dn636121(v=ws.11).aspx. I have added some extra features missing from the original, as well as the ability for the default login domain to work in the change password dialog. The script gives you the following benefits:

  • The ability to set a default domain for ADFS, both on the login page and on the change password page.
  • Users can still specify a domain or a UPN, in which case the script will not prepend the default domain.
  • Works on any JavaScript-enabled browser.

You only need to change "MYDOMAIN" in the two places below and the script is ready. Then just add it to the end of onload.js; you can use the instructions on https://technet.microsoft.com/en-us/library/dn636121(v=ws.11).aspx to load it.


Programmatically authenticate against Apache CXF Fediz with ADFS Token

PowerShell, Windows

A couple of weeks ago we had to interface with an application running on Tomcat that uses Apache CXF Fediz as its authentication mechanism. We had successfully tied the application to our ADFS 3.0 server using SAML 1 tokens. While this worked wonderfully for users in web browsers, we had problems getting it to work programmatically from PowerShell. This was needed for some API calls, and we had to authenticate with ADFS first.

So below you will find the script we used along with its description. I have actually posted two scripts: one where you obtain an initial cookie from the application, as this was a requirement, and a second one where an initial cookie is not needed. If you get the message "HTTP Status 408 – The time allowed for the login process has been exceeded. If you wish to continue you must either click back twice and re-click the link you requested or close and re-open your browser", then you need to use the cookie method.

So how does the script work?

  • First it obtains the needed cookie from the Apache application and stores it in a web session.
  • Then it creates the envelope for the SOAP call to the ADFS server. We are requesting an "urn:oasis:names:tc:SAML:1.0:assertion", but you can request an "urn:oasis:names:tc:SAML:2.0:assertion" if need be.
  • It then makes a POST request to the ADFS server with the envelope in the body.
  • Once it receives the reply we need to clean it, as we only require the body section. Example of the result:
  • The script then loads the result into a hashtable.
  • It then makes a POST request with the hashtable in the body to the Apache application, using the web session we initially established.
  • Once that is complete we can use the web session to make any API calls we like (e.g. getting a status).


For application requiring an initial cookie:

For application not requiring to obtain an initial cookie:
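The cookie variant of the flow described above, as an added example that is not the post's own script: it fetches the Fediz session cookie, sends a WS-Trust 1.3 RequestSecurityToken with a UsernameToken to the ADFS usernamemixed endpoint asking for a SAML 1.0 bearer assertion, keeps only the RequestSecurityTokenResponse from the body, and posts it to the application as a WS-Federation sign-in in the same session. The application URL, the relying party identifier, the /status call and the wa/wresult/wctx form fields are assumptions about the setup; the ADFS host is the one used earlier on this page.

```powershell
# Added example (not the post's scripts). URLs, relying party identifier and the
# form field names are assumptions about the setup; nothing here is from the post.
$AdfsUrl = 'https://test123.blah.local/adfs/services/trust/13/usernamemixed'
$AppUrl  = 'https://fediz-app.example/secure'    # protected page of the Fediz app
$Realm   = 'urn:fediz:app'                       # relying party identifier in ADFS
$Cred    = Get-Credential -Message 'AD account to authenticate with ADFS'

# 1. First request to the app: Fediz issues its session cookie, kept in $Session
Invoke-WebRequest -Uri $AppUrl -SessionVariable Session -UseBasicParsing -MaximumRedirection 0 -ErrorAction SilentlyContinue | Out-Null

# 2. WS-Trust 1.3 RST envelope: UsernameToken (over TLS) asking for a SAML 1.0 bearer token.
#    User name and password are XML-escaped so they cannot alter the envelope structure.
$Now     = [DateTime]::UtcNow
$Created = $Now.ToString('yyyy-MM-ddTHH:mm:ss.fffZ')
$Expires = $Now.AddMinutes(10).ToString('yyyy-MM-ddTHH:mm:ss.fffZ')
$User    = [System.Security.SecurityElement]::Escape($Cred.UserName)
$Pass    = [System.Security.SecurityElement]::Escape($Cred.GetNetworkCredential().Password)
$Envelope = @"
<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
 <s:Header>
  <a:Action s:mustUnderstand="1">http://docs.oasis-open.org/ws-sx/ws-trust/200512/RST/Issue</a:Action>
  <a:To s:mustUnderstand="1">$AdfsUrl</a:To>
  <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
   <u:Timestamp u:Id="_0"><u:Created>$Created</u:Created><u:Expires>$Expires</u:Expires></u:Timestamp>
   <o:UsernameToken u:Id="uuid-$([guid]::NewGuid())"><o:Username>$User</o:Username><o:Password>$Pass</o:Password></o:UsernameToken>
  </o:Security>
 </s:Header>
 <s:Body>
  <trust:RequestSecurityToken xmlns:trust="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
   <wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"><a:EndpointReference><a:Address>$Realm</a:Address></a:EndpointReference></wsp:AppliesTo>
   <trust:KeyType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Bearer</trust:KeyType>
   <trust:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</trust:RequestType>
   <trust:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</trust:TokenType>
  </trust:RequestSecurityToken>
 </s:Body>
</s:Envelope>
"@

# 3. POST the envelope; ADFS replies with a RequestSecurityTokenResponseCollection
$Resp = Invoke-WebRequest -Uri $AdfsUrl -Method Post -Body $Envelope -ContentType 'application/soap+xml; charset=utf-8' -UseBasicParsing
[xml]$Xml = $Resp.Content

# 4. Keep only the body section: the RSTR element is what the WS-Federation form calls wresult
$Rstr = $Xml.Envelope.Body.RequestSecurityTokenResponseCollection.RequestSecurityTokenResponse.OuterXml

# 5. Hashtable posted to the app inside the cookie session, then an API call in that session
$Form = @{ wa = 'wsignin1.0'; wresult = $Rstr; wctx = $AppUrl }
Invoke-WebRequest -Uri $AppUrl -Method Post -Body $Form -WebSession $Session -UseBasicParsing | Out-Null
Invoke-RestMethod -Uri "$AppUrl/status" -WebSession $Session
```

For the variant that does not need an initial cookie, drop step 1 and create the session with -SessionVariable on the sign-in POST in step 5 instead. Do not swap the https ADFS URL for http: the password travels in the SOAP header and is protected only by TLS.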