

Error:
Encountered error during federation passive request.

Exception details:
Microsoft.IdentityServer.RequestFailedException: MSIS7065: There are no registered protocol handlers on path /adfs/ls/idinitatedsignon.aspx to process the incoming request.
at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

Solution:

1) Check the SPN on the service account (in my case it is a gMSA).

2) Check that your service account has rights on the certificate.


This happens when you have a VM running in Azure with no VNet assigned to it, and you try to assign it a static IP: you keep getting the error in the subject. To overcome this, follow the steps below:
1) Delete the VM from the Azure console, but DO NOT delete the disk.
2) Create a VNet (and assign a subnet to it).
3) Recreate the VM and attach the disk which was NOT deleted in step one.
4) Now run the cmdlet below:
Get-AzureVM -ServiceName fazalsfirstvm -Name fazalsfirstvm | Set-AzureStaticVNetIP -IPAddress 10.0.0.6 | Update-AzureVM

Hope this helps.


My new post published on the MEA GBS Blog about Group Managed Service Accounts in Windows Server 2012 R2.

http://blogs.technet.com/b/meagbs/archive/2015/06/01/webcast-video-group-managed-service-accounts.aspx


Temporarily disable WinRE when taking a system image backup

Note WinRE will be disabled in the backup image. Therefore, you have to enable it after you do a system recovery from this image.

1. Right-click the Start button, and then click Command Prompt (Admin) to open an elevated Command Prompt window.
2. Disable WinRE by running the following command:
reagentc /disable
3. Run the system image backup function.
4. Enable WinRE by running the following command:
reagentc /enable


Hello Everyone – Below is the link to Parts 1 and 2 of the video series on the new features of Windows Server 2012 Active Directory which I have created.

http://blogs.technet.com/b/nepapfe/archive/2013/11/08/windows-2012-active-directory-domain-services-videos.aspx

The next video will be on gMSAs. Any feedback would be appreciated.


Hello Everyone – First of all I would like to thank everyone who has liked my blog posts and has taken the time to give their feedback on the blog. One piece of feedback from a user was that instead of me doing screenshots it would be better if I did a video blog series. Hence, I have decided to do a series on "New features of Windows Server 2012 Active Directory". I will be posting the videos soon. Hope you all like it. Once again, thank you all for your feedback. It keeps me motivated and energized :).

DNSSEC in Windows Server 2008 R2


What is DNS at present?

DNS performs name-to-IP resolution and much more. I am sure everyone knows this, so I will not spend time talking about it on this blog.

If you type "www.bing.com", the request first goes to the resolver (go to Run > ncpa.cpl) which is present on the client machine. The resolver looks at the DNS settings defined on the adapter and sends the query to the primary DNS server with the following information:

i) The query itself (for example, for bing.com), tagged with a 16-bit transaction ID (XID), port 53 and the UDP protocol (all this information travels with the query).

Now the resolver on the client waits for a response carrying the same information that was tagged with the query. Whoever replies first with that information is accepted by the resolver on the client, and the rest is discarded. So what if a hacker replies first? He can safely redirect you to a bogus website which has the same layout as your original website and may get hold of your credentials (e.g. for Hotmail), and then use them to go through drafts or some hidden folder to get your bank account number and details (possibly).

Question) How can a hacker guess the query type, XID value and port?

Answer) The query name and the XID value are seen in clear text in the request. The port of DNS is 53.

Windows Server 2008 R2 has a feature known as Source Port Randomization: for every communication it chooses a different port to communicate with the server.

Now you would be like "cool, I AM SAFE". My answer would be: oh yes? Before, it took a hacker a minute to poison your cache. Now it would take him some hours :)

Now your question is: doesn't it have a method for data integrity?

The simple answer is no! So what happens is: I am a client and I send a query to my local DNS server, which then sends the request to my ISP's DNS server. Let us assume that my local DNS server receives a reply from the hacker first and not from the ISP. The scenario just explained is called DNS cache poisoning. The hacker has set the TTL to one year, and this record is now in the cache of the DNS server and stays there for one year. Now all the clients would be using this entry, which points to a bogus IP and website. (Wow, aren't the hackers really doing a good job?)

Question) I have heard of a term called secure dynamic updates. Doesn't that use mutual authentication?
Answer) Yes it does, but that is the only point where DNS does mutual authentication. For the rest of the stuff it never does any mutual authentication.

I was just scrolling through an article and read that the root DNS servers are now DNSSEC enabled. So let us understand what I would need to do if my domain is hosted as "Company.fazal.gov". On my internal DNS server I have a zone which represents "Company.fazal.com". So I would need to complete two tasks here:

1) Sign my zone (which means we would add a signature for each record 🙂)

2) Create the key pairs.

Now I would send the key (the public part of the key pair that has been created) to the people who host ".GOV". They would take my key and sign it, which means that there is a list of signed keys maintained by ".GOV" (the DS record). Now if my client sends a DNS query to the DNS server, both can verify with the help of the keys, and thus the hacker gets out of the picture.
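As an added example (not from the original post) of what that ".GOV" DS record actually holds: the parent publishes the key tag and a SHA-256 digest of the child's DNSKEY (RFC 4034), and a validating resolver checks the DNSKEY it receives from the child against that DS. The zone name and DNSKEY bytes below are constructed placeholders, not a real key.

```python
# Added example, not code from the original post: DS record generation and
# the validator's DS-to-DNSKEY check, per RFC 4034. Key bytes are constructed.
import hashlib


def name_to_wire(name: str) -> bytes:
    """Owner name in canonical (lowercase, uncompressed) DNS wire format."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol, 1-byte algorithm, public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B: 16-bit sum of the RDATA, with carry folded in."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes) -> str:
    """DS digest type 2: SHA-256(owner name in wire format || DNSKEY RDATA)."""
    return hashlib.sha256(name_to_wire(owner) + rdata).hexdigest()


def make_ds(owner: str, rdata: bytes) -> dict:
    """The DS record the parent zone (.GOV in the post) publishes for the child's key."""
    return {"key_tag": key_tag(rdata), "algorithm": rdata[3],
            "digest_type": 2, "digest": ds_digest(owner, rdata)}


def ds_matches(ds: dict, owner: str, rdata: bytes) -> bool:
    """Validator's check: does the DNSKEY served by the child match the parent's DS?"""
    return (ds["key_tag"] == key_tag(rdata)
            and ds["algorithm"] == rdata[3]
            and ds["digest_type"] == 2
            and ds["digest"] == ds_digest(owner, rdata))


# Constructed KSK: flags 257 (SEP bit set), protocol 3, algorithm 8 (RSA/SHA-256).
ZONE = "company.fazal.gov"
FAKE_PUBKEY = bytes([0x03, 0x01, 0x00, 0x01, 0xAB, 0xCD])  # placeholder, not a real RSA key
KSK_RDATA = dnskey_rdata(257, 3, 8, FAKE_PUBKEY)
PARENT_DS = make_ds(ZONE, KSK_RDATA)
# A key an impostor might serve (last byte differs) fails the DS check.
ROGUE_RDATA = dnskey_rdata(257, 3, 8, FAKE_PUBKEY[:-1] + b"\xCE")

if __name__ == "__main__":
    print("key tag:", PARENT_DS["key_tag"])
    print("genuine key matches DS:", ds_matches(PARENT_DS, ZONE, KSK_RDATA))
    print("rogue key matches DS:", ds_matches(PARENT_DS, ZONE, ROGUE_RDATA))
```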

Note: Dynamic updates are automatically disabled on a DNSSEC-signed zone.  Windows Server® 2008 R2 DNS server supports the signing of static zones only. You must use Dnscmd.exe or DNS Manager to add more resource records to a zone and the zone must be re-signed.

Hope this proves useful – happy reading!


After the first ADRMS blog I got to know that I cannot use the name PTCL.

Now the domain name is fazal.com.

The machine names are the same, but instead of PTCL I have named them like

Khi-ADRMS, Khi-SQL, Khi-CA and so on.

So now we have a good basic understanding of what ADRMS does. Let us start with creating templates for ADRMS.

One thing I forgot to mention: if you have clients which are running Windows XP SP3, then you need to install the ADRMS client.

Click Next and Next and the client is installed.

Creating a folder where the templates can be saved.

Click Finish.

Now go on the SQL server and verify that these XML files are created.

Now install the ADM template so that we can define the template location for Microsoft Office documents using Group Policy.

Import the ADM file.

Now go on the client and run GPUPDATE /Force.

Now let us say that we don't want our client to use Office 2007 any more to encrypt messages using ADRMS.

Click on Enable Exclusion.

Now click on Exclude Application.

The above is just an example; I am not even sure if this is correct as to the maximum version. [Hope you got the understanding by seeing the above snapshot.]

Definitely not a good idea to click Finish, so click Cancel.

Now what if there are certain users to whom you do not want RMS-encrypted documents sent?

Let us block adrms1@fazal.com [which means that ADRMS2 would not be able to send an RMS-encrypted message to ADRMS1].

Now click on Exclude User.

Now let us verify by logging on with User 2 and creating a rights-protected document, and then logging on with User 1 to open that document.

Now logging in with ADRMS1.

Now let us remove Adrms1 and then try again.

Now we have deleted the user and also disabled the exception.

Let us restart IIS on the ADRMS server.

Now back on the client.

And it opens.

We can exclude earlier versions of the RMS client using the Lockbox version.


Machines used:

1) DC = PTCL-DC [Windows Server 2008 R2]

2) Exchange 2010 SP1 = PTCL-EXCH [Windows Server 2008 R2]

3) MOSS 2007 = Moss [Windows Server 2003 R2]

4) SQL Server 2008 SP1 = PTCL-SQL

Let us start with installing a Certificate Authority on a Windows Server 2008 R2 machine which is joined to the domain.

The goal of this lab is that users get familiar with the process of installing a Certificate Authority and then enrolling certificates for their ADRMS and Exchange 2010 OWA.

Accept the defaults of IIS.

Click on Install, wait for the installation to finish, and then restart the machine.

After the machine is rebooted:

If we check under Issued Certificates, at present none of the certificates are issued.

Now go on the DC and run GPUPDATE /force.

Now go back on the CA and view the issued certificates.

This means that the CA is working as expected.

Now let us start with doing ADRMS the wrong way.

Don't be surprised by reading the title. I just wanted to highlight a common mistake made by most of the customers that I have been to.

Open the machine named PTCL-ADRMS.

Note the name of the machine [hint to what will be going wrong].

Click on Next and try entering the user account which you are logged in as, and give the password. [The error says that the installation account cannot be the same as the service account.]

Let us go into Active Directory Users and Computers and create a user account.

Now let us go back on the ADRMS machine.

Now this is where everything goes wrong.

Make sure that the account you are doing the installation with is a member of Enterprise Admins for this step.

Click Next and Next again.

Click Install.

Now verify that these groups are present.

Log off and log back in.

Have a good look at the licensing path.

Now the question in your mind would be that we have done everything and installed everything, but where is the DOING IT ALL WRONG part?

Trust me, it is just around the corner.

Now let us test it on the client.

Let us go into Exchange 2010 and create a new user.

Please go into Services and check that all the Exchange-related services have started.

You know the password.

Next and then New.

Create another user named ADRMS2.

Now open the Windows 7 machine and log in.

Go into the C drive and create a Word document by this name.

Notice that the machine is doing the bootstrap process. {If this step hangs, then log in to Outlook once.}

Now click on More Options.

You can give finer permissions from here.

Access Content Programmatically could be used if you are using macros.

Open this Word file with Notepad now.

Note that every RMS-encrypted document has this URL stamped in it. Now if you ever decide to load balance this RMS cluster you cannot, because you have hard-coded the URL with the machine name. Another problem is that all content is hard-coded with http, and if you now set up https, all clients would still use http.

That is why it is said to use CNAMEs in DNS.

Now let us verify that RMS really works.

On the Windows 7 VM, switch user.

Let us go into the C drive and try to open the document. (ADD THE URL IN INTERNET EXPLORER LIKE YOU DID BEFORE.)

Again the bootstrap would occur first, and remember to open Outlook if it hangs.

Notice the document is all greyed out.

Now stay logged in as ADRMS2 and create the document with the same name as shown below, and give ADRMS1 read-only rights.

Make sure that you don't open this document by logging in with another user. (We will see in the lab why.)

clip_image041

clip_image043

Now go on the ADRMS server and export a few files (what they do is a secret at the moment).

Exporting the TUD to the desktop.

Exporting the TPD.

Please give the password as Win2003.

Removing the ADRMS server and doing the corrected installation now. Let's see the difference.

Safe to remove ADRMS now.

Uncheck ADRMS.

Now click Remove.

Now it is uninstalling ADRMS.

In the meantime let's go to DNS and create a CNAME record, as this is a proper installation now.

The CNAME record for SQL is already created.

Now back to the ADRMS machine, and let us re-provision the server with SQL as its database now.

Click on Validate and you will get an error.

This is because the account does not have rights on the SQL server.

Check the SQL server and that the services are up.

Go on the SQL machine and open SQL Server Management Studio.

Click OK.

Now back to the ADRMS server.

Click on Validate, and it should give no errors now; click on Next.

Next, Install, and DONE.

Log off and log back in.

clip_image098

Try opening the ADRMS console and we are greeted with an error.

Now press OK and open IIS.

Click on Server Certificates.

Now click Finish.

Now click on Bindings.

Click OK and close.

Now go into the ADRMS console and press Refresh.

Why are we presented with this? (Do ask me, and if you know then please tell me.)

Click on Yes, and now click on the next item.

Why wasn't that screen prompted now? [Try giving the answer in the comments section below.]

Now let us set these URLs through Group Policy so that users are not prompted for a password again and again.

Now go on the DC and open GPMC.

Click on Edit.

Do not forget to click Add.

Now add it in Local Intranet Sites.

Click OK and close GPMC.

Go on the client machine now and run Gpupdate /force.

Verify it, and if it is not populated then you can add it manually for now.

Now log on with ADRMS user 1 and try opening the file which was encrypted by ADRMS2.

Notice that it is trying to find the server, but the URL has now been changed and this TUD is no longer there. (The RAC which the user is presenting is no longer trusted by this ADRMS server.)

Now the reason is that these clients have been bootstrapped by the old RMS server, and it is no longer there.

Go to this location and see all the certificates issued by the old RMS server in the bootstrap process.

GIC = RAC

I know you don't trust me and want to read it from ADRMS itself.

Let us go on the ADRMS server and view it.

Click Finish.

This is failing because the RAC is not trusted, as it was issued by another ADRMS.

Now how should we fix this?

There are two answers:

1) Import the TUD which we exported.

2) Delete the DRM folder on the client and let it get bootstrapped with the new RMS server.

What are the drawbacks?

2) We cannot open the old documents then.

Now that the discussion is done, let us import the TUD.

Let us now go on the client with ADRMS1 and verify where we are now.

Press No and log off here.

Log in with ADRMS2 and verify the same thing with the other document.

This document was opened because the client already had the End User License issued by the old ADRMS server.

Let us again go back to the ADRMS server and verify what went wrong with the ADRMS1 user.

The EUL cannot be issued because the new ADRMS server does not have the private key to decrypt the content.

Let us now import the certificate that we exported.

Let us now open the document with the ADRMS1 user, which didn't open before.

And it opens.

Now we need to make sure that all the documents that my users encrypt with ADRMS have the new server name stamped in them. So we would need to develop a script to delete the DRM folder on all the clients.

Now let us do this manually from our client.

Now let us encrypt a document and see how the machine bootstraps again.

Just a hint.

This should appear.

And we see the RAC, CLC and machine certificate.

Hope this was informative. Next we will be doing the integration with MOSS and Exchange 2010 and learn more about ADRMS.


Today a customer asked me this question. After placing a considerable amount of thought on it, I came up with this answer:

1) Based on my experience, we cannot prevent users from deleting emails from their own Inbox. The SELF account must have the Full Access permission on the mailbox.

As a workaround (not actually a workaround, but another scenario to achieve this through Reviewer permission), you may create another mailbox account (e.g. bob) for the user (e.g. administrator), and then grant bob Reviewer permission on both the mailbox level and the Inbox level, like below:

After that, bob can open the administrator's Inbox in Outlook via File -> Open -> Other User's Folder, and he can only view the emails. This seems to be the only way to achieve your specific objective.

Hope this is helpful for someone.