Tracing Issued Claims in ADFS
# Lists the AD FS audit events (ID 501, Security log) that carry the issued claims, for the last N minutes.
# Pass a negative minute count as the first argument to change the window, e.g. .\claims.ps1 -30
$timeView = -5
if ($args.Count -gt 0) { $timeView = $args[0] }
$StartTime = (Get-Date).AddMinutes($timeView)
$output = Get-WinEvent -FilterHashtable @{
    LogName   = "Security";
    StartTime = $StartTime;
    ID        = 501 } -ErrorAction SilentlyContinue   # "no events found" is reported as an error otherwise
$output | fl
"Total issued claims: $(@($output).Count) $($timeView) minute view"
Note that the 500/501 audit events only show up once AD FS auditing is on: the AD FS service account needs the "Generate security audits" user right, the "Application Generated" audit subcategory must be enabled (auditpol.exe /set /subcategory:"Application Generated" /success:enable /failure:enable) and success/failure audits must be switched on for the farm (Set-AdfsProperties -LogLevel with SuccessAudits and FailureAudits included).
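As an added example that is not part of the original post, the following extends the one-liner above: it pulls both audit event 500 (token issued) and 501 (claim details) and groups them by the instance ID that both carry in their message text, so one sign-in can be read as a unit. The "Instance ID" wording and the assumption that claim types show up as http(s) URIs in the 501 text are assumptions about the message format; adjust the patterns if your AD FS version words them differently. The constructed sample events at the bottom let the parser run without an AD FS box.

```powershell
# Added example (not from the original post). Groups AD FS audit events 500/501 by instance ID.
# Assumptions: the message contains "Instance ID" followed by a GUID, and claim types appear as
# http(s) URIs in the 501 message text.
function ConvertFrom-AdfsAuditEvent {
    param([Parameter(ValueFromPipeline = $true)]$Event)
    begin { $byInstance = @{} }
    process {
        if ($Event.Message -match 'Instance ID:?\s*([0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})') {
            $id = $Matches[1]
            if (-not $byInstance.ContainsKey($id)) {
                $byInstance[$id] = [pscustomobject]@{
                    InstanceId = $id; FirstSeen = $Event.TimeCreated; HasToken = $false; ClaimTypes = @()
                }
            }
            $entry = $byInstance[$id]
            if ($Event.TimeCreated -lt $entry.FirstSeen) { $entry.FirstSeen = $Event.TimeCreated }
            if ($Event.Id -eq 500) { $entry.HasToken = $true }          # token was actually issued
            if ($Event.Id -eq 501) {                                    # claim detail lines
                $types = [regex]::Matches($Event.Message, 'https?://\S+') | ForEach-Object { $_.Value }
                $entry.ClaimTypes += $types
            }
        }
    }
    end { $byInstance.Values | Sort-Object FirstSeen }
}

function Get-AdfsIssuanceSummary {
    param([int]$Minutes = 5)   # look back this many minutes
    $since = (Get-Date).AddMinutes(-[math]::Abs($Minutes))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; StartTime = $since; ID = 500, 501 } -ErrorAction SilentlyContinue |
        ConvertFrom-AdfsAuditEvent
}

# Constructed sample events (not real AD FS output) so the parser can be exercised offline:
$id = '11111111-2222-3333-4444-555555555555'
$samples = @(
    [pscustomobject]@{ Id = 500; TimeCreated = (Get-Date).AddSeconds(-2)
                       Message = "The Federation Service issued a valid token. Instance ID: $id" },
    [pscustomobject]@{ Id = 501; TimeCreated = (Get-Date).AddSeconds(-1)
                       Message = "More information for the event entry with Instance ID $id`r`nhttp://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn`r`nuser@contoso.com" }
)
$samples | ConvertFrom-AdfsAuditEvent |
    Format-Table InstanceId, HasToken, @{ n = 'ClaimTypes'; e = { $_.ClaimTypes.Count } } -AutoSize
# On an AD FS server: Get-AdfsIssuanceSummary -Minutes 30
```

An instance with a 501 entry but HasToken still false is worth a look: the claim pipeline ran but no token was issued in the window.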
Sudden Access Denied in Group Join Approval Workflow in MIM 2016
On a Windows Server 2012 R2 server running the latest version of MIM 2016 on SharePoint Foundation 2013 with roll-ups, after editing the default Owner Approval workflow I started to get the following error when attempting to Join or Leave any group with Owner Approval:
I cried, then I cried some more. Then I went and visited Mr. Google (What if Google was a Guy?) and stumbled upon this gem from the Technet forums that turned out to be the resolution… yes, it’s a FIM bug that’s still in MIM… not a feature 🙂
Error message from Event ID 3:
Microsoft.ResourceManagement.Service: System.NullReferenceException: Object reference not set to an instance of an object.
at Microsoft.ResourceManagement.Workflow.Hosting.HostActivator.ActivateHost(ResourceManagementWorkflowDefinition workflowDefinition, Boolean suspendWorkflowStartupAndTimerOperations)
at Microsoft.ResourceManagement.Workflow.Hosting.WorkflowManager.StartWorkflowInstance(Guid workflowInstanceIdentifier, KeyValuePair`2[] additionalParameters)
When a new approval workflow is created and an approval activity is placed in it, the XOML definition contains the following element:
(…)
xmlns:ns1="clr-namespace:System.Workflow.Activities;Assembly=System.WorkflowServices, Version=3.5.0.0 (…)
The above is from the standard approval workflow delivered with FIM, which works out of the box. After editing the standard workflow, or in any custom authorization workflow you create, it changes to the following:
(…) xmlns:ns1="clr-namespace:System.Workflow.Activities;Assembly=System.WorkflowServices, Version=4.0.0.0, (…)
…Editing the XOML in Extended Attributes and changing it back to 3.5.0.0, then saving the workflow, resolves the issue. The bad news is that it breaks again the next time you do any editing of the workflow 🙁
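Since the reference flips back to 4.0.0.0 on every edit, a quick way to spot affected workflows is to export the workflow definitions and look for the bad assembly reference. The following is an added example, not from the original post or from MIM itself: Export-FIMConfig is the FIMAutomation snap-in cmdlet; the 'XOML' and 'DisplayName' attribute names and the default single-server service URI are assumptions. The repair function only produces the corrected XOML text; applying it still goes through Extended Attributes as described above.

```powershell
# Added example (not from the original post). Finds approval workflows whose XOML references
# System.WorkflowServices 4.0.0.0 and produces the 3.5.0.0 form that ActivateHost accepts.
# Assumptions: FIMAutomation snap-in, 'XOML' attribute name, default service URI.
Add-PSSnapin FIMAutomation -ErrorAction SilentlyContinue

$badRef  = 'Assembly=System.WorkflowServices, Version=4.0.0.0'
$goodRef = 'Assembly=System.WorkflowServices, Version=3.5.0.0'

function Test-WorkflowXoml {
    param([string]$Xoml)
    # True when the XOML carries the 4.0.0.0 reference that breaks HostActivator.ActivateHost
    return $Xoml.Contains($badRef)
}

function Repair-WorkflowXoml {
    param([string]$Xoml)
    return $Xoml.Replace($badRef, $goodRef)
}

function Find-BrokenApprovalWorkflows {
    param([string]$Uri = 'http://localhost:5725/ResourceManagementService')   # assumed default
    Export-FIMConfig -Uri $Uri -CustomConfig '/WorkflowDefinition' -OnlyBaseResources |
        ForEach-Object {
            $attrs = $_.ResourceManagementObject.ResourceManagementAttributes
            $name  = ($attrs | Where-Object AttributeName -eq 'DisplayName').Value
            $xoml  = ($attrs | Where-Object AttributeName -eq 'XOML').Value
            if ($xoml -and (Test-WorkflowXoml $xoml)) {
                [pscustomobject]@{
                    DisplayName = $name
                    ObjectID    = $_.ResourceManagementObject.ObjectIdentifier
                }
            }
        }
}

# Offline check against a constructed XOML fragment shaped like the one quoted above:
$sample = 'xmlns:ns1="clr-namespace:System.Workflow.Activities;Assembly=System.WorkflowServices, Version=4.0.0.0, Culture=neutral"'
if (Test-WorkflowXoml $sample) {
    Write-Output "Broken reference found; corrected fragment:"
    Write-Output (Repair-WorkflowXoml $sample)
}
# On the MIM service box: Find-BrokenApprovalWorkflows | Format-Table -AutoSize
```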
Unexpected timeout issue when updating FIM 2010 to latest roll-up package
This one came as a surprise – the setup of the latest FIM 2010 roll-up was repeatedly timing out, and Event IDs 6311 and 6401 kept popping up in the Application log during the operation.
After a couple of pints of coffee I eventually decided to run Procmon from Sysinternals to peek at what was going on while the setup was apparently sitting around doing nothing.
Turns out there were 521,750 ghost items with names such as Sync Rule Callout <GUID> and Common MA Callout Extension <GUID> hanging around in the hidden ExtensionsCache folder under the Synchronization Service installation directory.
Stopping the FIM Synchronization Service (FIMSynchronizationService) prior to deleting the ghost items not only allowed the update to proceed but also markedly improved performance of the MAs on the box, by a factor of roughly 3.
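The cleanup described above, as an added example that is not part of the original post: it counts and removes only the generated callout items in ExtensionsCache, with the service stopped first so the files are not in use. The install path is read from the service's registry key; the 'Path' value name there is an assumption, with the default FIM 2010 install location as fallback. Run it with -WhatIf first to see what would go.

```powershell
# Added example (not from the original post). Removes stale "Sync Rule Callout <GUID>" and
# "Common MA Callout Extension <GUID>" items from the Synchronization Service ExtensionsCache.
# Assumptions: the registry 'Path' value under the service's Parameters key, and the default install path.
function Clear-FimExtensionsCache {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string]$InstallPath)

    if (-not $InstallPath) {
        $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\FIMSynchronizationService\Parameters'
        $InstallPath = (Get-ItemProperty -Path $regPath -Name Path -ErrorAction SilentlyContinue).Path
        if (-not $InstallPath) {
            $InstallPath = 'C:\Program Files\Microsoft Forefront Identity Manager\2010\Synchronization Service'
        }
    }
    $cache = Join-Path $InstallPath 'ExtensionsCache'
    if (-not (Test-Path -LiteralPath $cache)) { throw "ExtensionsCache not found under $InstallPath" }

    # Only the generated callout items; leave anything else in the (hidden) folder alone.
    $ghosts = @(Get-ChildItem -LiteralPath $cache -Force |
        Where-Object { $_.Name -like 'Sync Rule Callout*' -or $_.Name -like 'Common MA Callout Extension*' })
    Write-Verbose ("{0} callout items found in {1}" -f $ghosts.Count, $cache)
    if ($ghosts.Count -eq 0) { return 0 }

    # Stop the sync service first so nothing holds the files open while they are deleted.
    $svc = Get-Service -Name FIMSynchronizationService
    if ($svc.Status -ne 'Stopped' -and $PSCmdlet.ShouldProcess('FIMSynchronizationService', 'Stop service')) {
        Stop-Service -Name FIMSynchronizationService -Force
        $svc.WaitForStatus('Stopped', '00:02:00')
    }
    foreach ($g in $ghosts) {
        if ($PSCmdlet.ShouldProcess($g.FullName, 'Remove')) {
            Remove-Item -LiteralPath $g.FullName -Recurse -Force
        }
    }
    return $ghosts.Count
}

# Dry run, then the real thing; start the service again afterwards.
Clear-FimExtensionsCache -WhatIf -Verbose
# Clear-FimExtensionsCache -Verbose
# Start-Service -Name FIMSynchronizationService
```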
Office 365: Using Lync or Skype on Linux
When you have a *nix crowd to cater for in your Office 365 or Lync deployment the following information will be useful:
– You can use the SIPE plugin to enable your *nix users to chat on O365 or Lync servers from several IM clients, e.g. Pidgin
– There's a client-side bug in pidgin-sipe v. 1.18.2 where it presented the user's SIP address to the AD FS server as the login name, regardless of the login name entered in the client
– This was fixed upstream in v. 1.18.4
– The bug is invisible when the user's UPN and SIP address are the same
– On the AD FS server side a possible workaround is the Alternate Login ID feature, which lets AD FS look the user up by another attribute during logon (e.g. 'mail', when it matches the SIP address)
Note: The Alternate Login ID feature is not compatible with Exchange Online Hybrid Deployments. Customers that wish to configure Exchange Online Hybrid Deployments with Office 365 must not configure Alternate Login ID.
The Alternate Login ID feature may impact various other Azure AD and Office 365 scenarios including:
- Office 365 ProPlus activation may require explicit sign-in
- Intune customers using SCCM connectors may require additional configuration.
Further details:
Configuring Alternate Login ID [for AD FS 3.0]
https://technet.microsoft.com/en-us/library/dn659436.aspx?f=255&MSPPError=-2147217396
The SIPE project
http://sipe.sourceforge.net/
Pidgin IM
http://pidgin.im/
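The server-side workaround above, as an added example that is not part of the original post: two pre-checks against AD (whether 'mail' is unique, and which users would be affected because their UPN and mail differ), followed by the AD FS 3.0 cmdlet that turns Alternate Login ID on for the 'mail' attribute. The forest name contoso.com is a placeholder. The uniqueness check matters because AD FS cannot resolve a logon when the alternate attribute matches more than one account, and an attribute that ordinary users can write to should not be used as a logon identifier.

```powershell
# Added example (not from the original post). Pre-checks and configuration for AD FS 3.0 Alternate Login ID
# using the 'mail' attribute. contoso.com is a placeholder forest name.
Import-Module ActiveDirectory
Import-Module ADFS

function Get-DuplicateMailValues {
    # Accounts sharing a mail value cannot be resolved unambiguously by Alternate Login ID.
    Get-ADUser -Filter 'mail -like "*"' -Properties mail |
        Group-Object -Property mail | Where-Object Count -gt 1 |
        Select-Object @{ n = 'mail'; e = { $_.Name } }, Count
}

function Get-UsersWhereMailDiffersFromUpn {
    # These are the users the pidgin-sipe 1.18.2 bug actually affects (UPN != SIP/mail address).
    Get-ADUser -Filter 'mail -like "*"' -Properties mail |
        Where-Object { $_.UserPrincipalName -and ($_.UserPrincipalName -ne $_.mail) } |
        Select-Object SamAccountName, UserPrincipalName, mail
}

function Enable-MailAlternateLoginId {
    param([string[]]$LookupForests = @('contoso.com'))   # placeholder
    $dupes = @(Get-DuplicateMailValues)
    if ($dupes.Count -gt 0) {
        throw ("Refusing to enable: {0} duplicate mail value(s) found, e.g. {1}" -f $dupes.Count, $dupes[0].mail)
    }
    Set-AdfsClaimsProviderTrust -TargetIdentifier 'AD AUTHORITY' -AlternateLoginID mail -LookupForests $LookupForests
    Get-AdfsClaimsProviderTrust -Identifier 'AD AUTHORITY' | Select-Object AlternateLoginID, LookupForests
}

Get-UsersWhereMailDiffersFromUpn | Format-Table -AutoSize
# Enable-MailAlternateLoginId -LookupForests 'contoso.com'
# Revert: Set-AdfsClaimsProviderTrust -TargetIdentifier 'AD AUTHORITY' -AlternateLoginID $null -LookupForests $null
```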
FIM Azure AD Management Agent returns error Stopped-Extension-DLL-Exception on Full Import or Delta Import
After enabling the new Intune Mobile Device Management features in the O365 tenant and enrolling some devices into Intune, you now have device objects in your Azure AD tenant to deal with.
The next time you run a Full Import or Delta Import you will most likely get a Stopped-Extension-DLL-Exception error in the FIM Synchronization Service Manager.
If you decompile the Azure connector with ILSpy and trace the line it fails on, it will most likely be this one:
SchemaType schemaType = this.targetDirectorySchema.get_Types()[text];
Errors logged in the Application log:
FIMSynchronizationService Event 6801
The extensible extension returned an unsupported error.
The stack trace is:
System.Collections.Generic.KeyNotFoundException: The given key was not present in the dictionary.
at System.Collections.Generic.Dictionary`2.get_Item(TKey key)
at System.Collections.ObjectModel.KeyedCollection`2.get_Item(TKey key)
at Microsoft.Azure.ActiveDirectory.Connector.Connector.GetConnectorSpaceEntryChange(SyncObject syncObject)
at System.Linq.Enumerable.WhereSelectListIterator`2.MoveNext()
at System.Collections.Generic.List`1.InsertRange(Int32 index, IEnumerable`1 collection)
at Microsoft.Azure.ActiveDirectory.Connector.Connector.GetImportEntriesCore()
at Microsoft.Azure.ActiveDirectory.Connector.Connector.GetImportEntries(GetImportEntriesRunStep getImportEntriesRunStep)
Forefront Identity Manager 4.1.3634.0
DirectorySynchronization Event 109:
Failure while importing entries from Windows Azure Active Directory. Exception: System.Collections.Generic.KeyNotFoundException: The given key was not present in the dictionary.
at System.Collections.Generic.Dictionary`2.get_Item(TKey key)
at System.Collections.ObjectModel.KeyedCollection`2.get_Item(TKey key)
at Microsoft.Azure.ActiveDirectory.Connector.Connector.GetConnectorSpaceEntryChange(SyncObject syncObject)
at System.Linq.Enumerable.WhereSelectListIterator`2.MoveNext()
at System.Collections.Generic.List`1.InsertRange(Int32 index, IEnumerable`1 collection)
at Microsoft.Azure.ActiveDirectory.Connector.Connector.GetImportEntriesCore()
at Microsoft.Azure.ActiveDirectory.Connector.Connector.GetImportEntries(GetImportEntriesRunStep getImportEntriesRunStep).
Refreshing the schema of the Azure AD tenant's Management Agent in the Synchronization Service Manager and adding the missing object type (Device) to the Azure AD Management Agent resolved the issue in my case.
Other scenarios known to return the Stopped-Extension-DLL-Exception error in the Synchronization Service Manager:
- The password of your Azure AD Sync service account has expired
- You have outdated binaries of the Microsoft Online Services Sign-in Assistant installed
- You have removed the default object types from the WAAD Sync configuration (Contact or Group, when a Contact or Group is present in WAAD)
- The Azure AD subscription is inactive or expired
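As an added example that is not part of the original post, the following classifies Application log entries from the two providers above by the exception signatures this post and the linked articles describe (the KeyNotFoundException in GetConnectorSpaceEntryChange for a missing object type, and the DynamicPinvokeException on CreateIdentityHandle2 for an outdated Sign-in Assistant). Anything else is reported as unknown so the remaining causes in the list are checked by hand. The sample events at the end are constructed from the stack traces quoted above so the function can be run offline.

```powershell
# Added example (not from the original post). Maps stopped-extension-dll-exception log entries to the
# likely cause using signatures supported by this post; unmatched entries are reported as unknown.
$signatures = @(
    @{ Pattern = 'KeyNotFoundException[\s\S]*GetConnectorSpaceEntryChange'
       Cause   = 'Object type present in the tenant but missing from the MA schema (e.g. Device): refresh the schema and add the type' },
    @{ Pattern = 'DynamicPinvokeException[\s\S]*CreateIdentityHandle2'
       Cause   = 'Outdated Microsoft Online Services Sign-in Assistant: install 7.250.4551.0 or later' }
)

function Resolve-AadConnectorFailure {
    param([Parameter(ValueFromPipeline = $true)]$Event)   # anything with TimeCreated, Id, Message
    process {
        $hit = $signatures | Where-Object { $Event.Message -match $_.Pattern } | Select-Object -First 1
        [pscustomobject]@{
            TimeCreated = $Event.TimeCreated
            Id          = $Event.Id
            Cause       = if ($hit) { $hit.Cause } else {
                'Unknown: check service account password, default object types in the WAAD config, subscription state' }
        }
    }
}

function Get-AadConnectorFailures {
    param([int]$MaxEvents = 50)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Application'; ProviderName = 'FIMSynchronizationService', 'DirectorySynchronization' } `
        -MaxEvents $MaxEvents -ErrorAction SilentlyContinue | Resolve-AadConnectorFailure
}

# Constructed sample events (abbreviated from the traces quoted above) so the classifier runs offline:
$samples = @(
    [pscustomobject]@{ TimeCreated = Get-Date; Id = 109
        Message = 'Failure while importing entries from Windows Azure Active Directory. Exception: System.Collections.Generic.KeyNotFoundException: The given key was not present in the dictionary. at Microsoft.Azure.ActiveDirectory.Connector.Connector.GetConnectorSpaceEntryChange(SyncObject syncObject)' },
    [pscustomobject]@{ TimeCreated = Get-Date; Id = 6801
        Message = 'Microsoft.Online.Coexistence.Security.DynamicPinvokeException: Failed to get address for method CreateIdentityHandle2 from library' },
    [pscustomobject]@{ TimeCreated = Get-Date; Id = 6801
        Message = 'The extensible extension returned an unsupported error.' }
)
$samples | Resolve-AadConnectorFailure | Format-Table -AutoSize
# On the sync server: Get-AadConnectorFailures | Format-Table -AutoSize
```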
Further details:
Windows Azure Active Directory Connector for FIM 2010 R2 Technical Reference
https://msdn.microsoft.com/en-us/library/dn511001(v=ws.10).aspx
ILSpy Visual Studio extension
https://visualstudiogallery.msdn.microsoft.com/8ef1d688-f80c-4380-8004-2ec7f814e7de
Using the ILSpy extension
https://channel9.msdn.com/coding4fun/blog/ILSpy-the-Visual-Studio-Extension
Decompiler tools for the .NET framework
http://blogs.msdn.com/b/amb/archive/2011/05/24/decompiling-tools-for-net-framework.aspx
[Troubleshooting] Connectors: Azure Active Directory Connector: stopped-extension-dll-exception
http://blogs.msdn.com/b/ms-identity-support/archive/2014/01/28/troubleshooting-connectors-azure-active-directory-connector-stopped-extension-dll-exception.aspx
The version of the AAD connector has a dependency on the Azure Active Directory Sign-in Assistant, a.k.a. Microsoft Online Services Sign-in Assistant, version 7.250.4551.0 or later
http://blog.msresource.net/2014/01/21/microsoft-online-coexistence-security-dynamicpinvokeexception-failed-to-get-address-for-method-createidentityhandle2-from-library/
Azure AD Sync failing
http://exchangeserverpro.com/azure-active-directory-synchronization-failing-stopped-extension-dll-exception-error/
Troubleshooting synchronization with Windows Azure Active Directory (WAAD) Parts 1-3
http://www.msexchange.org/articles-tutorials/exchange-server-2013/management-administration/troubleshooting-synchronization-windows-azure-active-directory-waad-part1.html
AD attributes the Azure AD FIM Connector rules extension requires in order to sync users to Office 365
The O365 connector for FIM 2010 comes with a C# rules extension that contains the checks below; most likely the same code is present in both DirSync and AADSync (I mean, why break stuff that works).
If any of the checks fail, the user being checked won't be added to the Azure AD Management Agent's connector space and will not sync to the cloud.
From \AADConnectorMFSample\AADRulesExtensions on http://www.microsoft.com/en-us/download/details.aspx?id=41165:
// Only provision to Office365 if:
// all the REQUIRED attributes are present,
// even though we flow them out on EAF rules
// we should block here so we do not create
// a new connector if the ingredients are missing
//
trace.TraceWarning("Object Filtered because AccountEnabled != True");
trace.TraceWarning("Object Filtered because msExchHideFromAddressLists == TRUE and a connected object's RDN contains 'MSOL'");
trace.TraceWarning("Object Filtered because MailNickname or SamAccountName Starts With 'CAS_'");
trace.TraceWarning("Object Filtered because iscriticalSystemObject == TRUE");
trace.TraceWarning("Object Filtered because MV Object is NOT a Mail Enabled Group AND SamAccountName is NULL.");
trace.TraceWarning("Object Filtered because MailNickname contains '{' OR SamAccountName contains '}'");
trace.TraceWarning("Object Filtered because MV.SamAccountName is not present");
trace.TraceWarning("Object Filtered because mailNickname starts with 'SystemMailbox{'");
trace.TraceWarning("Object Filtered because samAccountName equals 'SUPPORT_388945a0'");
trace.TraceWarning("Object Filtered because samAccountName equals 'MSOL_AD_Sync'");
trace.TraceWarning("Object Filtered because displayname is not present on mail enabled group");
trace.TraceWarning("Object filtered because its source object is CNF mangled. DN", mvEntry.ObjectID.ToString());
See also http://blogs.technet.com/b/juanand/archive/2011/07/06/office-365-directory-synchronization-tidbits-part-1.aspx
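The same conditions re-expressed in PowerShell, as an added example that is not the connector's own code: it lets an on-premises object be checked for provisioning eligibility before a sync run, returning the first matching filter reason or nothing when the object would be provisioned. The input is a hashtable of attribute values as the metaverse would see them; 'AccountEnabled', 'IsMailEnabledGroup' and 'ConnectedRdns' (RDNs of the connected objects) are modelled inputs rather than raw AD attributes, and CNF mangling is detected by the "CNF:" marker that AD puts into the RDN of conflict objects. The sample objects are constructed.

```powershell
# Added example (not the connector's own code). Applies the filter conditions from the trace
# messages above to a hashtable of attribute values and returns the reason the object would be
# filtered, or $null when it would be provisioned. Modelled inputs: AccountEnabled, IsMailEnabledGroup,
# ConnectedRdns. CNF detection via the 'CNF:' RDN marker is an assumption about the original check.
function Test-AadProvisioningFilter {
    param([Parameter(Mandatory)][hashtable]$Obj)
    $sam     = $Obj['sAMAccountName']
    $nick    = $Obj['mailNickname']
    $isGroup = [bool]$Obj['IsMailEnabledGroup']
    $rdnHasMsol = @($Obj['ConnectedRdns'] | Where-Object { $_ -like '*MSOL*' }).Count -gt 0

    if ($Obj['AccountEnabled'] -ne $true) { return 'AccountEnabled != True' }
    if ($Obj['msExchHideFromAddressLists'] -eq $true -and $rdnHasMsol) {
        return "msExchHideFromAddressLists == TRUE and a connected object's RDN contains 'MSOL'" }
    if ($nick -like 'CAS_*' -or $sam -like 'CAS_*') { return "MailNickname or SamAccountName starts with 'CAS_'" }
    if ($Obj['isCriticalSystemObject'] -eq $true) { return 'isCriticalSystemObject == TRUE' }
    if (-not $isGroup -and [string]::IsNullOrEmpty($sam)) { return 'Not a mail-enabled group and SamAccountName is NULL' }
    if ($nick -like '*{*' -or $sam -like '*}*') { return "MailNickname contains '{' or SamAccountName contains '}'" }
    if ([string]::IsNullOrEmpty($sam)) { return 'MV.SamAccountName is not present' }
    if ($nick -like 'SystemMailbox{*') { return "mailNickname starts with 'SystemMailbox{'" }
    if ($sam -eq 'SUPPORT_388945a0') { return "samAccountName equals 'SUPPORT_388945a0'" }
    if ($sam -eq 'MSOL_AD_Sync') { return "samAccountName equals 'MSOL_AD_Sync'" }
    if ($isGroup -and [string]::IsNullOrEmpty($Obj['displayName'])) { return 'displayName not present on mail-enabled group' }
    if ($Obj['dn'] -match 'CNF:') { return 'Source object is CNF mangled' }
    return $null   # would be provisioned
}

# Constructed sample objects:
$samples = @(
    @{ dn = 'CN=J Doe,OU=Users,DC=contoso,DC=com'; sAMAccountName = 'jdoe'; mailNickname = 'jdoe'
       AccountEnabled = $true; displayName = 'J Doe' },
    @{ dn = 'CN=SystemMailbox{1f05a927},CN=Users,DC=contoso,DC=com'; sAMAccountName = 'SM_1f05a927'
       mailNickname = 'SystemMailbox{1f05a927}'; AccountEnabled = $true },
    @{ dn = 'CN=Old User,OU=Users,DC=contoso,DC=com'; sAMAccountName = 'olduser'; AccountEnabled = $false },
    @{ dn = 'CN=Dup User\0ACNF:9f3b2c1d,OU=Users,DC=contoso,DC=com'; sAMAccountName = 'dupuser'; AccountEnabled = $true }
)
foreach ($s in $samples) {
    $reason = Test-AadProvisioningFilter -Obj $s
    [pscustomobject]@{ DN = $s.dn; Provisioned = ($null -eq $reason); Reason = $reason }
} | Format-Table -AutoSize
```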
MBAM, BitLocker and Compliance
A couple of months ago I was involved in a divestiture project where we used MBAM from the MDOP suite to manage the BitLocker disk encryption deployment across the company laptops.
It's a great product that has gotten less attention than it deserves, due to it being bundled and buried deep inside the MDOP suite, but there are two thorns that stick out like rusty nails in it.
- Cumbersome initial installation requiring a lot of manual steps
- Limited options for filtering out specific types of machines (i.e. portables vs. non-portables when you're only interested in the portables)
#1 – Redmond, please!! Do better, don't be evil 🙂
#2 Fortunately, one of my colleagues is a Reporting Services wizard and we were able to modify the compliance reports to include some more useful fields for filtering than the defaults – as seen below, where we added a Computer Type field and filter out everything but laptops (Portable/Non-Portable, Non-TPM).
With these additional hacks the MBAM product works wonders and would be worth a separate purchase, but consider that with the MDOP package you also get AGPM, DaRT and MED-V and you have a killer deal. Did I mention that it also has a Self-Service portal for Helpdesk and Users?
The one remaining concern is that MBAM doesn't have any automatic pruning of stale records. That concern is however addressed by the add-on MBAM Data Compliance Cleanup Tool. The latest update to the tool makes it compatible with MBAM 2.5.
The Missing Lync
How present are you?
Office applications that integrate with IM applications and generate a presence accomplish this by contacting the IM application that is listed as the default as per the corresponding registry key (DefaultIMApp).
This is frequently populated with the name of the last IM application that was installed on the machine.
In some cases the IM application even monitors the registry key and overrides any changes made to the default IM application by other IM applications (shades of IE/Firefox/Chrome default browser ping-pong).
From the perspective of the IM application this may sound perfectly logical, as it is only making sure it is the default. If you are trying to integrate several different IM applications on the same workstation, or you want to pick yourself which application supplies presence information to SharePoint, Outlook, etc., then it becomes a real headache when one application insists on setting itself as the default regardless of your wishes.
The net effect is that only the default IM application counts as a valid presence source for the user; if the user isn't active in that application, the user doesn't generate any presence in SharePoint or Office.
I.e.
- the user is signed in to one IM application on the workstation (e.g. Lync 2013 or Skype for Business)
- another IM application has overwritten the HKCU\Software\IM Providers\DefaultIMApp registry key (e.g. Jabber or Communicator 2007)
- that IM application isn't currently active on the workstation
End result: the user doesn't generate a presence even though he or she is active in the Lync or Skype application.
HKCU\Software\IM Providers\DefaultIMApp
This key specifies the IM application Office integrates with when it starts up.
(From https://msdn.microsoft.com/en-us/library/jj900715(v=office.15).aspx#off15_IMIntegration_SetRegistry)
How Office integrates with an IM client application
- It checks the registry to discover the default IM client application and then connects to it.
- It authenticates with the IM client application.
- It connects to specific interfaces that are exposed by the IM client application.
- It determines the capabilities of the currently signed-in user (local user), including getting the user’s contacts, determining the user’s presence, and determining the user’s IM capabilities (instant messaging, video chat, VOIP, and so on).
- It gets presence information for the local user’s contacts.
- When the IM client application shuts down, the Office 2013 application silently disconnects.
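As an added example that is not part of the original post, the following lists the IM providers registered for the current user, shows which one DefaultIMApp points at and whether that provider's process is actually running (the combination that causes the missing presence above), and sets the default to a chosen provider. The per-provider value names FriendlyName, ProcessName and UpAndRunning follow the MSDN article referenced above; the provider name 'Lync' in the usage line is an assumption about how your client registered itself, so check the listing first. Office reads DefaultIMApp at startup, so Outlook and friends need a restart after the change, and a provider that polices the key will simply overwrite it again.

```powershell
# Added example (not from the original post). Inspects and sets HKCU\Software\IM Providers\DefaultIMApp.
# Assumptions: per-provider values FriendlyName, ProcessName, UpAndRunning as described on MSDN.
$providersKey = 'HKCU:\Software\IM Providers'

function Get-ImProviderState {
    $default = (Get-ItemProperty -Path $providersKey -Name DefaultIMApp -ErrorAction SilentlyContinue).DefaultIMApp
    Get-ChildItem -Path $providersKey | ForEach-Object {
        $p   = Get-ItemProperty -Path $_.PSPath
        $exe = if ($p.ProcessName) { [IO.Path]::GetFileNameWithoutExtension($p.ProcessName) }
        [pscustomobject]@{
            Name         = $_.PSChildName
            FriendlyName = $p.FriendlyName
            IsDefault    = ($_.PSChildName -eq $default)
            UpAndRunning = $p.UpAndRunning
            ProcessFound = [bool]($exe -and (Get-Process -Name $exe -ErrorAction SilentlyContinue))
        }
    }
}

function Test-PresenceSource {
    # True when the default provider is present and running; false is the "no presence" situation.
    $state = @(Get-ImProviderState | Where-Object IsDefault)
    return ($state.Count -eq 1 -and $state[0].ProcessFound)
}

function Set-DefaultImApp {
    param([Parameter(Mandatory)][string]$Name)
    if (-not (Test-Path -Path (Join-Path $providersKey $Name))) {
        throw "No IM provider '$Name' is registered under $providersKey"
    }
    Set-ItemProperty -Path $providersKey -Name DefaultIMApp -Value $Name
    # Office only reads this at startup: restart Outlook/Office applications afterwards.
}

Get-ImProviderState | Format-Table -AutoSize
if (-not (Test-PresenceSource)) { Write-Warning 'Default IM provider is not running; Office will show no presence.' }
# e.g. Set-DefaultImApp -Name 'Lync'   # provider name assumed; take it from the listing above
```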
Further reading:
http://blogs.msdn.com/b/dvespa/archive/2014/08/06/im-presence-provider-outlook-handbook.aspx
https://support.microsoft.com/en-us/kb/2794968
https://supportforums.cisco.com/discussion/12361916/jabber-phone-mode-breaks-lync-presence-outlook
http://blogs.msdn.com/b/rathomas/archive/2012/12/04/outlook-2013-users-are-unable-to-see-the-presence-info-in-outlook.aspx