Latest Entries »


Error :
Encountered error during federation passive request.

Exception details:
Microsoft.IdentityServer.RequestFailedException: MSIS7065: There are no registered protocol handlers on path /adfs/ls/idinitatedsignon.aspx to process the incoming request.
at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

Solution:

1) Check the SPN on the service account (In my case it is a GMSA)

GMSA screenshot

2) Check if your service account has rights on the certificate

Permission

 

Advertisements

This happens when you have a VM (running in azure ). A VNET is not assigned to the VM and we are trying to assign it a static IP. We would keep on getting the above error which is in the subject. To over come this we need to follow the steps mentioned below
1) Delete the VM from the azure console but DONOT DELETE THE DISK.
2) Create a Vnet (assign a subnet to it)
3) Recreate the VM and attach the disk which was NOT deleted in step one.
4) Now run the below cmdlet
Get-AzureVM -ServiceName fazalsfirstvm -Name fazalsfirstvm | Set-AzureStaticVNetIP -IPAddress 10.0.0.6 | Update-AzureVM

Hope this helps.


My new post published on the MEA GBS Blog about Group Managed Service Accounts in Windows Server 2012 R2.

http://blogs.technet.com/b/meagbs/archive/2015/06/01/webcast-video-group-managed-service-accounts.aspx


Temporarily disable WinRE when taking a system image backup

Note WinRE will be disabled in the backup image. Therefore, you have to enable it after you do a system recovery from this image.

1.Right-click the Start button, and then click Command Prompt (Admin) to open an elevated Command Prompt window.
2.Disable WinRE by running the following command:
reagentc /disable
3.Run the system image backup function.
4.Enable WinRE by running the following command:
reagentc /enable


Hello Everyone – Below is the link for Part 1 and 2 of the Video series on the New Features of Windows Server 2012 Active Directory which I have created.

 

http://blogs.technet.com/b/nepapfe/archive/2013/11/08/windows-2012-active-directory-domain-services-videos.aspx

 

Next Video would be on GMSA’s. Any feedback would be appreciated.


Hello Everyone – First of all I would like to Thank everyone who have liked my Blog post’s and have taken out the time to give there feedback on the Blog. One feedback from the user was that instead of I doing the screen shots it would be better if I can do a video Blog series. Hence, I have decided to do a series on “” New features of Windows Server 2012 Active Directory “”. I would be posting the videos soon. Hope you all would like it. Once again Thank You all for your feedback. It keeps me motivated and energized :).

DNSSEC in Windows Server 2008 R2


What is DNS at present?

DNS performs the name to IP resolution and much more …. I am sure everyone knows this and hence would not spend time talking about it on this blog.

If you type ”www.bing.comthis request would first go to the resolver (go to Run à Ncpa.cpl) which is present on the client machine. Now it would look at the DNS setting defined on the resolver and send the query to the Primary DNS Server with the following information:

i)Query itself Example for bing.com : i.e. 16-bit transaction ID (XID), port 52 and UDP protocol (all this info would be tagged
with the query)

Now the resolver on the client waits for a response with same information which is tagged with the query, anyone who replies with the information would be first accepted by the resolver on the client and the rest would be discarded. So what if an hacker replies first and it can safely redirect you to a bogus website which has the same layout as your original website and may get access to your credentials (e.g. of Hotmail etc.)  And then use them to go in drafts or some hidden folder to get your bank account number and details (possibly).

Question)  How can a client guess a query type, XID Value and Port?

Answer) Query name and the XID value is seen in clear text
in the request. Port of DNS is 53.

Windows Server 2008 R2 has a feature know as Source Port Randomization and in this for every communication it chooses a different port to communicate with the Server. EG

Now you would be like cool ‘I AM SAFE’. My answer would be oOh Yes. Before it took a hacker to poison
your cache in a minute. Now it would take him some hours:)
.

Now your question is …. Doesn’t it have a method for Data integrity?

Simple answer is no! so what happens is if I am a client and I send a response to my local DNS Server which then sends the request to my ISP DNS Server. Let us assume that my Local DNS Server receives a reply first from the hacker and not the ISP ? The scenario explained is called DNS cache poisoning. Where now the hacker has set the TTL for 1 year and this record is
in the cache of the DNS Server and stays in there for one year. Now all the clients would be using this entry which points to a Bogus IP + Website. (Wow aren’t the hackers really doing a good job)

Question)  I have heard of a term called secure dynamic updates. Doesn’t that use Mutual authentication?
Answer )Yes it does but that is the only point where DNS does Mutual authentication. For the rest of the stuff it never does any Mutual Authentication.

I was just scrolling some article and just read that the Root DNS Server is now DNSSEC enabled. So lets us understand what would I need to do if my domain is hosted as ‘’Company.fazal.gov’’. On my internal DNS Server I have a zone which is representing ‘’Company.fazal.com’’. So I would need to complete two tasks here:

1) Sign my zone  (Which means we would Add a signature for each record 🙂 )

2)Create the key pairs.

Now the key pairs which have been created I would send these key pairs to the people which host “.GOV”. They would take my Key pair and sign my key pair. Which means that there is a list of signed Keys maintained by the ‘’.GOV’’(DSRecord). Now If my client would send a DNS query to the DNS server. They can both verify with the help of the key pairs and thus the hacker gets
out of the picture.

Note: Dynamic updates are automatically disabled on a DNSSEC-signed zone.  Windows Server® 2008 R2 DNS server supports the signing of static zones only. You must use Dnscmd.exe or DNS Manager to add more resource records to a zone and the zone must be re-signed.

Hope this proves useful – happy reading!


After the First ADRMS Blog I got to know that I cannot use the name PTCL.

Now the domain name is fazal.com

Machine names are the same but instead of PTCL I have named them like

Khi-ADRMS, Khi-SQL, Khi-CA and so on.

So now we have a good basic understanding of what ADRMS does. Let us start with creating templates now for ADRMS .

One of the Things which I forgot to mention was:

If you have clients which are using Windows XP SP3. Then you need to install an ADRMS Client.

clip_image001

Click Next and Next and the client is installed.

Creating a Folder where the Templates can be saved

clip_image003

clip_image004

clip_image006

clip_image008

clip_image010

Click Finish

clip_image012

clip_image014

clip_image016

clip_image018

Now go on the SQL Server and verify that these XML Files are created.

clip_image020

Now Installing the ADM Template so that we can define the Template Location for Microsoft office Documents using Group Policy.

clip_image021

clip_image023

Import the ADM File.

clip_image024

clip_image026

clip_image028

Now go on the client and run GPUPDATE /Force

clip_image030

Now Let us say that we don’t want out client to use Office 2007 now to encrypt messages using ADRMS.

clip_image032

Click on Enable Exclusion

Now Click on Exclude Application

clip_image034

The above is Just an Example. Not even sure if this is correct as in the Maximum version.[Hope you got the understanding by seeing the above snapshot]

Definitely not a good idea to click finish so click Cancel Smile

Now What if there are certain users whom you do not want to send RMS Encrypted document to?

Let us block adrms1@fazal.com [which means that ADRMS2 would not be able to send RMS encrypted message to ADRMS1]

clip_image036

Not Click on Exclude User.

clip_image038

clip_image040

Now let us Verify by logging with User 2 and Creating a rights protected document and then logging on with User 1 to open that Document.

clip_image042

Now logging in with ADRMS1

clip_image044

Now Let us remove Adrms1 and then try again.

Now we have deleted the user and also disabled the exception

clip_image046

Let us restart IIS on ADRMS Server.

clip_image047

Now back on the client

clip_image049

And it Opens Smile

clip_image051

We can exclude earlier version of RMS Client using Lockbox version.

clip_image053


Machines used.

1)DC named as = PTCL-DC [Windows Server 2008 R2]

2)Exchange 2010 Sp1 = PTCL-EXCH [Windows Server 2008 R2]

3)MOSS 2007 = Moss [Windows Server 2003 R2]

4)Sql Server 2008 SP1 = PTCL-SQL

Let us start with Installing a Certificate authority on Windows Server 2008 R2 machine which is joined to the Domain.

The Goal of this LAB is that Users get familiar with the process of Installing Certificate Authority and then enroll certificates for their ADRMS and Exchange 2010 OWA.

image

image

image

image

image

image

image

image

image

image

image

image

image

image

Accept the Defaults of IIS

image

image

Click on install and wait for the installation to Finish and then restart the Machine.

image

image

After the machine is re booted

image

If we check under Issued certificates at present none of the certificates are issued.

 

image

Now go on the DC and run GPUPDATE /force

image

 

Now go back on the CA and view the issued certificates

image

This means that the CA is working as expected.

Now Let us start with Doing ADRMS the wrong way Sad smile

 

Don’t be surprised by reading the title. I just wanted to highlight a common mistake which is done by most of the customers that I have been too.

Open the machine named PTCL-ADRMS

clip_image001

clip_image005

clip_image006

clip_image007

clip_image009

Note the name of the machine Smile with tongue out [hint to what would be going wrong]

clip_image002

clip_image004

clip_image006

clip_image008

clip_image010

Click on next and try entering the user account which you are logged in as and give the password [The error says that Installation account could not be the same as the service account]

Let us go In active Directory users and computers and create a User account

clip_image011

clip_image012

clip_image013

Now Let us go back on the ADRMS Machine.

clip_image017

clip_image021

Now this is where everything goes wrong.

clip_image022clip_image023clip_image025

clip_image027

Make sure that the account your are doing the installation is the member of Enterprise Admin for this step

clip_image029

Click Next and Next again

clip_image031

clip_image002[4]

Click Install

clip_image004[4]

Now Verify that these groups are present

clip_image006[4]

Log off and Log back in

clip_image008[4]

clip_image010[4]

Have a Good Look at the Licensing path.

Now the Question in your mind would be that we have done everything and installed everything but where is the DOING IT ALL WRONG PART J

Trust me it is just around the corner. J

Now let us test it on the client.

Let us go in Exchange 2010 and create a new user

Please Go in services and check if all the exchange related services have started Jclip_image012

clip_image013[4]

clip_image014

You know the password J

clip_image015

clip_image016

Next and then New

Create another user named ADRMS2

Now Open the Windows 7 machine and log in

clip_image017

clip_image019[4]

Go in C Drive and create a word document by this name J

clip_image021[4]

clip_image023

Notice that the machine is doing the bootstrap process{If this step hangs than log in to Outlook once}

clip_image024

Now Click on More Options

You can give Finer Permission from here

Access Content Programmatically could be used if you are using MACROS

clip_image028

clip_image030

Open this word file with Notepad now

clip_image031

clip_image033

Note that Every RMS Encrypted document has this URL Stamped. Now if ever you decide to Load Balance this RMS Cluster you cannot because you have hard coded the URL with the machine name. Another Problem is that all content is hardcoded with http and now If you setup Https than still all clients would use http.

That is why it is said to use Cnames in DNSJ

Now let us verify that RMS Really works

Press clip_image034 on Windows 7 VM and switch user

clip_image035

Let us go in C Drive and try to open the document.(ADD THE URL IN THE INTERNET EXPLORER LIKE YOU DID BEFORE)

clip_image037

Again Boot Strap would occur first and remember to open outlook if it hangs J

clip_image039

Notice the document is all greyed out J

Now stay logged in as ADRMS2 and create the document by the same name as shown below and give ADRMS1 read only rights.

Make Sure that you don’t open this document by logging in with another user.(Will see in the Lab why)

clip_image041

clip_image043

Now go on the ADRMS Server and Export a few files (What they do is a secret at the moment J)

clip_image045

Exporting the TUD on the desktop

clip_image046

Exporting the TPD

clip_image048

Please give the password as Win2003

clip_image049clip_image050clip_image052

Removing the ADRMS Server and doing the corrected installation now. Lets see the difference J

clip_image054

clip_image055

clip_image056

Safe to remove ADRMS now

clip_image057

Uncheck ADRMS

clip_image059

Now Click Remove.

Now it is uninstalling ADRMS.

In the meantime let’s go to DNS and create a CName Record as this is a proper installation now.

clip_image061

clip_image062

CName record for SQL is already created

Now back to the ADRMS machine and let us re provision the Server with SQL as its database now.

clip_image063

clip_image065

clip_image067

clip_image069

clip_image071

Click on Validate and you will get an error J

clip_image073

This is because the account does not have rights on the SQl Server.

Check the SQL Server and the services are up

clip_image075

clip_image076

Go on the SQL Machine and open SQL Server Management studio.

clip_image077

clip_image079

clip_image081

Click ok

Now Back to the ADRMS Server

And Click on Validate and it should give no errors now and click on next

clip_image083

clip_image085

clip_image087

clip_image089

clip_image091

clip_image093

clip_image095

clip_image097

Next Install and DONE J

Log Off and Log back in.

clip_image098

Try opening the ADRMS console and we are here with an error

clip_image099

Now Press ok and Open IIS

clip_image101

Click on Server Certificates

clip_image102

clip_image103

clip_image104

Now Click Finish

clip_image106

Now click on Bindings

clip_image107

clip_image108

Click ok and close

Now go into the ADRMS console and press Refresh

clip_image110

clip_image111

Why are we presented with this ? (Do ask me and If you know than please tell me J)

Click on yes and now click on

clip_image112

clip_image114

Why wasn’t that Screen prompted now ? [Try giving the answer in the comment section below Smile]

clip_image115

clip_image116

Now let us set these URL’s through Group Policy so that users are not prompted for password again and again

Now go in the DC and open GPMC

clip_image118

clip_image119

Clickclip_image121

Click on Edit.

clip_image123

clip_image124

clip_image125

clip_image126

Donot forget to click Add

Now Add it in Local Intranet Sites.

Click OK and close GPMC

Go on the Client machine now and run Gpupdate /force

Verify it and If it is not populated than you can add it for now

clip_image128

Now Log on with ADRMS user 1 and try opening the file which was encrypted by ADRMS2

clip_image129

clip_image130

Notice that it is trying to find the server but the URL has now been changed and this TUD is no longer there.(RAC which user is presenting is no more trusted by this ADRMS Server)

Now the reason is that These clients have been bootstrapped by the old RMS Server and it is no more there now

clip_image131

Go in this location and see all the certificates issued by the old RMS Server in the bootstrap process.

clip_image133

GIC = RAC

I know you don’t trust me and want to read from ADRMS itself J

Let us go on the ADRMS Server and view it.

clip_image135

clip_image137

Click Finish

clip_image138

This is failing because the RAC is not trusted as it was issued by another ADRMS.

clip_image140

Now how should we fix this ?

There are two answers

1)Import the TUD which we exported

2)Delete the DRM folder on the client and let it get bootstrap with the new RMS Server.

What are the draw backs ?

2)We cannot open the old documents than.

Now as the discussion is done let us Import the TUD.

clip_image142

clip_image144

Let us now go on the client with ADRMS1 and verify where are we now

clip_image145

clip_image146

Press NO and Log Off here

Log in with ADRMs2 and verify the same thing with the other document.

clip_image148

This document was opened because the client already had the End user License issued from the old ADRMS Server.

Let us again go back to ADRMS Server and verify what happened wrong with ADRMS1 user

clip_image150

clip_image152

EU cannot be issued because new ADRMS server does not have the private key to decrypt the content.

Let us now import the certificate that we exported

clip_image154

clip_image156

Let us now Open the document with the ADRMS1 user which didn’t opened before.

clip_image157

clip_image159

And it opens J

clip_image161

Now we need to make sure that on all the documents that all my users encrypt with ADRMS should have the new Server named stamped . So we would need to develop a Script to delete the DRM folder on all the clients.

Now Let us do this manually from our client.

clip_image162

clip_image163

Now let us Encrypt a document and see how the machine bootstraps again.

Just a hint J

clip_image165

This should appear

And we see the RAC and CLC and Machine cert. J

clip_image167

Hope this was Informative and we would be doing the Integration with Moss, Exchange 2010 and learn more about ADRMS.


Today a Customer asked me this Question. After placing a considerable amount of thaught I came up with this Answere

1) Based on my experience, we cannot prevent users from deleting emails from his own Inbox. The SELF account must have the Full Access permission on the mailbox.

As a workaround (not actually a workaround but another scenario to achieve this through reviewer permission), you may create another mailbox account (e.g. bob) for the user (e.g. administrator), and then grant bob Reviewer permission on both the mailbox level and Inbox level. Like below:

After that, bob can open the administrator’s Inbox in Outlook via File -> Open -> Other User’s Folder, and he can only view the emails.This seems to be the only way to achieve your specific objective.

Hope this is helpful for someone.