Office 365 provides various authentication options, such as cloud-IDs, Password Hash Synchronization or federated identities. Leaving out the specifics on how each of these options work, all of them are configured per domain. Whenever trying to access services in Office 365, the user is required to authenticate using its User Principal Name. For sake of simplicity, the general advise it to configure the UPN to match the email address which makes it less confusing for them.
The April 2015 Security Bulletin, Microsoft released an update for Active Directory Federation Service 3.0 which comes with Windows Server 2012 R2.
According to the documentation, the vulnerability would allow an attacker to gain access to an application – such as Office 365. Apparently the flaw is in the logoff process. As I understand it from the limited information available, although the user appears to have logged off, the logoff actually failed allowing an attacker to re-use the existing token to access the application as the user.
Although the bulletin mentions that Microsoft has no knowledge of any cases where this vulnerability was exploited, I personally wouldn’t wait for it to happen to me… 🙂
More information can be found here: https://technet.microsoft.com/library/security/MS15-040
As mentioned before, the purpose of this article series is to explore 3rd-party federation solutions that work with Office 365 and which can be an alternative to a Windows’ built-in ADFS server role. In this first article however, I will be discussing a solution which is somewhat different from the others that I will be looking into.
In fact, this solution is not really very different from a regular deployment. The company behind this solution is Celestix, whom have made their name with similar approaches for TMG, UAG and before that ISA servers. This time around, they [Celestix] have made an ADFS appliance out of a ‘regular’ Windows Server 2012 R2 machine. Through a custom web page, which is built into the appliance as a service in Windows, you have the ability to easily configure ADFS and DirSync by following a couple steps in the “Quick Setup Wizard”. Under the hood, the wizard will configure Microsoft’s implementation of ADFS and DirSync for you.
(the appliance’s web portal)
For this article series, Celestix was so kind to send me a (test)example of their A-Series (3400) appliance which is targeted at small to medium-sized organizations. The appliance is built on top of an Intel i5 CPU with a total of 8GB of RAM. Based on my experiences in the field, this ought to be more than enough for most (smaller) environments. There’s also a larger model which – by taking a look at the specs – is targeted more at the enterprise level. The CPU is upgraded to an Xeon E3 and comes with 16GB of RAM. More importantly though, the big brother (A-6400) comes with 2 redundant hot-swappable hard drives and powers supplies, whereas its little brother doesn’t have any of that.
It’s safe to assume that an appliance would cost anywhere between $ 4,000 and $ 5,000 (but don’t hold me to that!). For that kind of money – even though it includes the license for Windows too – it would be nice to have had at least a redundant hard drive; just for peace of mind. But then again, not many vendors offer that with their entry-level models.
(unboxing the appliance)
Celestix also has a solution for the ADFS Proxy role, which is built into their E-Series “Cloud Edge” appliance. I haven’t tested that appliance myself, but I can only assume it operates in a similar way as the A-Series. If you want a highly available setup, you will have to purchase at least 4 devices –just like you would do for a regular Windows-based ADFS setup; 2 Cloud Edge devices (to replace the ADFS proxy servers) and 2 A-Series appliances for the ADFS servers.
It is true that you could setup a (virtual) machine yourself and go through the configuration just as easy –that is if you know the steps to execute. But on the other hand, the configuration of ADFS in Windows Server 2012 R2 has become quite easy to do. On top of that, Microsoft is putting quite a bit effort into making it even more easy through e.g. Azure AD Connect; a solution which lets you configure DirSync and AD FS through a wizard. And that solutions comes for “free”… (although nothing is truly free; there’s always some overhead to take into account). Another thing I’m a little “worried” about is the device’s ability to upgrade specific software components. Right now, the appliance is equipped with ‘regular’ DirSync (not AAD Sync). If you are not looking to configure a multi-organization hybrid deployment or if you don’t have multiple forests, this should not be a problem at this very moment. But on the other hand, Microsoft has already mentioned that AAD Sync is the successor to DirSync which means the latter will disappear at some point.
It will be interesting to see how Celestix will deal with the upgrade to AADSync on the same appliance. As you might know, there is no in-place upgrade and switching from the one to the other is (sometimes) a little daunting. The current guidance for the upgrade is to uninstall DirSync and then install AADsync, at least – that’s the theory! And we all know how theories work in real life… When I spoke with the Celestix folks, they told me they were already working on figuring out a way to deal with this and they are also working on a version of their appliance that comes with AAD Sync out-of-the box.
A good thing about this appliance – unlike most other appliance – is that you have full control over the underlying operating system: you can RDP into it at any time and make changes where needed – of course, within the guidance of the vendor! But when it comes to ADFS or DirSync, this means that you could implement custom ADFS Claim Rules or configure some filtering rules. Unfortunately, there is no web interface for that.
One thing which I didn’t particularly like is how one would deal with high availability – but that might be a personal thing. When purchasing multiple devices, the web interface allows you to start the Windows Network Load Balancin management interface to setup an array and include multiple appliances. While NLB might work just fine, I’m not particularly fond of it. Also, the web interface launches the Windows NLB console; there’s no built-in wizard which guides you through the setup. I would have loved to see this feature be developed a little more – for instance including a wizard which sets up Windows Network Load Balancing, or which includes additional health checks over the built-in TCP connection-based health check. It is do-able, there are even some code samples that you can find on the internet: http://msdn.microsoft.com/en-us/library/cc307934(v=vs.85).aspx
I’m not saying it’s easy per se, but it would provide a lot of value for the audience which I think would benefit most from these kind of appliances.
Configuring AD FS & DirSync
Now that we’ve discussed the device a little, let’s take a look at home to start configuring it.
After having it connected to the network, I used the dial button on the device to do the basic networking configuration (assigning IP address etc). The configuration itself went fairly easy, but I was unable to connect to the device afterwards. It left me baffled for a moment, but after rebooting the appliance, I could connect to the web interface just right.
The first thing that I noticed is how clean the interface is. It’s particularly easy to navigate, and I had no problems finding what I needed. Through the Start menu-item, you can launch the Quick Setup Wizard where you immediately get the opportunity to join the machine to the domain.
Next up is a (mandatory) reboot, just like you would expect when joining a Windows machine to a domain:
After each reboot, the wizard will automatically continue where it left off. The next step is to start configuring ADFS. I chose to configure ADFS in the most simple way possible, using the built-in Windows Internal Database:
Oddly enough, the appliance does not allow you to generate a CSR. This means that you already have to have exported the certificate (with public key) before. It’s not a big deal, but it would have been nice if one could really work ‘from scratch’ here:
I chose the easy route: using Windows’ built-in database. The wizard also allows you to integrate with an existing SQL server – which is a requirement/recommendation for larger deployments:
Just like the wizard in Windows, you get a summary before firing of the wizard which will configure AD FS.
For those who have setup AD FS in Windows Server 2012 R2 before, you will notice that the wizard which Celestix uses is very similar: all the steps in this wizard are also the ones that you have to step through when configuring a Windows ADFS server.
It takes a few minutes to setup AD FS. Once this is done, you can go back to the wizard, which will then give you the option to configure “Office 365 Integration”. This means as much as: setup DirSync.
Next, you have to enter the Office 365 (Global Administrator) credentials, and you choose which domain you want to federate:
At this point, the appliance was giving me a hard time. It wouldn’t continue and displayed the following error message. As any administrator would do, I restarted it and was able to move on.
On the next page, I was able to specify some settings for DirSync. If you have setup DirSync manually before, I’m sure you will recognize them:
And that was it. After clicking “Next”, DirSync ran and I was able to successfully logon using ADFS:
The ADFS login-page. Just as you would expect:
What I particularly like about this solution is that it has some built-in reports. This can be very useful as the built-in AD FS roles does not come with that capability and looking for the right events in the Event Viewer can be time-consuming (unless you have already some reporting solution / PowerShell script that does that for you).
The first report is the ADFS Activity Report which gives you more information about the current authentication requests etc. I’ve simulated some failed logons and they showed up promptly (and correctly) in the interface:
The second report is more of a health statistics page. It will tell you if the required components are running and display some statistics about general usage.
The beauty of these reports are their simplicity. Unfortunately, I have not found a way to configure an alert when multiple failed logons occur. I was assured by Celestix that this is something they are working on for the future, and I welcome that. It would be really helpful if the right people in the organization would get a message when you might be under attack (or when just “more than usual” failed login attempts happen…).
In order not to go overboard with this article, there are some features (which are less important to the “ADFS Aspect” of the appliance) that I did not discuss. For instance, the web interface allows you to restrict access through the device’s Jog Dial (by configuring a password) and
I really liked the appliance, though I cannot speak to its performance and operations over time. Aside of some occasional hiccups (i.e. having to reboot the appliance through the wizard), I’ve had no problems configuring and getting it to work in a matter of a little more than one hour. Given that this is a v1-version, I trust these little wrinkles will sort themselves out shortly.
All things considered, some might find value in such an appliance, others might not. It all depends on what you are looking for. Personally, I don’t think there’s much value to be found if you are looking something to “replace” your AD FS servers with. However, if you take into account the (childishly) easy web interface and the built-in reports or if you have a small deployment and do not want the burden to manage additional servers, it might be a different story!
Stay tuned as in the next part of this article series, I will be discussing Okta for Office 365!
Recently, I bumped into Jaap Wesselius’ article about an issue he encountered about Hybrid Free/Busy lookups failing. As this relates to Hybrid Exchange, I was – of course – intrigued and remembered that I (once) encountered a similar scenario, but could not remember how I resolved the problem back then.
After some digging, I came across the following KB article which describes the behavior of Free/Busy requests and why they might fail of Outlook Anywhere is disabled (blocked) on the user-level: http://support2.microsoft.com/kb/2734791/en-us?sd=rss&spid=13159
To make a long story short, if Outlook Anywhere is disabled at the user level, Autodiscover does not return the External EWS URL which is required to make the Free/Busy call.
The solution is as simple as the problem itself: re-enable Outlook Anywhere for the user and you would be fine. Of course, this might – depending on your environment – be a little challenging. This being said, however, I do suggest that you configure and (if possible) use Outlook Anywhere as it will make your life easier down the road (e.g. for migrations to Exchange 2013).
In 2013, Exchange Server MVP Mike Crowley wrote a script which would interactively report on the Office 365 Directory Synchronization tool. In 2014, Mike and I worked to update the script so that an HTML report would be generated. This would allow you to schedule the script and have the output emailed to you without the need to run the script interactively.
Before you can actually run the script, you will have to install SQL PowerShell on the AADSync machine first. DirSync had this installed by default, but it seems that AADSync does not. To install the SQL PS module, you must install the following components separately:
- Microsoft® System CLR Types for Microsoft® SQL Server® 2012
- Microsoft® SQL Server® 2012 Shared Management Objects
- *Microsoft® Windows PowerShell Extensions for Microsoft® SQL Server® 2012
The binaries can be installed from the installation instructions on the following page: http://www.microsoft.com/en-us/download/details.aspx?id=29065
Once you have installed the components, run the following command from the AADSync server and verify that the SQLPS module is listed:
Once you have verified the SQLPS module is installed and available, you can run the script.
Please use the script for what it’s worth, and always test in a lab first. Comments/feedback and feature requests are always welcome!
Today, Microsoft released its latest updates for Exchange 2007, 2010 and 2013.
The updates for Exchange 2007 and 2010 mostly evolve around the Daylight Saving Time changes and a bunch of fixes for the latter version.
Cumulative Update 6 for Exchange 2013 doesn’t introduce any new feature or feature changes, but I’m happy to see that the Hybrid Configuration Wizard bug – which caused the HCW to fail – is now included by default. An Interim Update was already available, but it’s nice to see it included into the full build.
Along with a bunch of other fixes, Cumulative Update 6 now also closes the gap with Office 365 when it comes to Public Folder performance and scalability: you can now also deploy up to 100,000 public folders on-premises. Along with this change, there are some other (minor) behavioral changes which Microsoft outlined beautifully here.
For more information on these updates, have a look at the following announcements for Microsoft:
As posted here, Microsoft today released Cumulative Update 5 for Exchange 2013. At first sight, this update doesn’t appear to make lots of changes – at least not visibly. However, it does contain a lot of fixes and, as you will find out, there have been some changes to the Hybrid Configuration Wizard as well.
New options in the Hybrid Configuration Wizard
Whenever you enable an organization for a hybrid deployment in CU5, you will find the following new option:
21Vianet is Microsoft’s partner which offers Office 365 in China. You could say that they “host” Office 365 for Chinese customers as outlined in this Press Release
MRS Proxy now configured automatically
This is one of my personal asks for quite a long time now. Although the HCW already did an excellent job configuring all the components for a hybrid deployment, it did not enable the MRS Proxy on the Exchange Web Services Virtual Directory. Even though you could do it yourself with only a single command, I’m a big fan of having the HCW take care of this. It’s one less thing you can forget yourself!
OAuth now configured automatically
You’ll also notice that towards the end, the Hybrid Configuration Wizard will now prompt you to configure oAuth automatically:
The wizard will then automatically redirect you to a webpage where you’ll be asked to start the configuration (again):
Once you click configure, you will be asked to download an application which will automatically configure oAuth for you. Because it seems to be browser-integrated, you cannot run this step from a computer other than your Exchange Server and then copy over the executable. Beware and make sure that you run the HCW from the Exchange server itself instead from a remote workstation, like I tried the first time…
Once the first application was downloaded, you’ll be asked to run it:
Note: make sure that *.configure.office.com is added to your trusted sites or that you at least allow content to be downloaded from that website.
Then, after this first application ran, you’ll be prompted for an identical, second, application. Only this time the application (or assistant, if you will) will be a bit bigger: 22.2 MB instead of 18MB.
Once the second assistant completed successfully, you’ll see the following:
In fact, all that these “applications” do, is configure oAuth as outlined in the following article: http://technet.microsoft.com/en-us/library/dn594521(v=exchg.150).aspx
Note The configuration of the Intra-Organization Connector is the only thing that’s already handled by the Hybrid Configuration Wizard itself.
It’s definitely a good thing this is now done automatically. However, I would love to see it be more integrated with the HCW. At the moment, these changes don’t show up in the Hybrid Configuration Wizard logs.
It was already clear that Microsoft is moving forward with oAuth; potentially to replace other technologies currently used in Hybrid deployments. Personally, I wouldn’t be too surprised to see oAuth take over the duties from Microsoft’s Federation Gateway in the future. Not sure if this will actually happen, but it seems like a good thing. If you have ever been in a discussion with a pesky security administrator you would understand why… But don’t expect that to happen in a few months’ time though – as long as Exchange 2010 is officially supported, I reckon Microsoft will have to keep the MFG around.
It’s surely a good thing to move forward with oAuth as it has the potential to solve some long-standing issues regarding the handling of authentication and security in a cross-premises scenario like a hybrid deployment.