Estonian e-Residency

I just applied for e-Residency in Estonia!

snip_20151215123126

As an e-Resident you are issued a secure digital identity by the government of Estonia. This enables you to use services provided by the Estonian state agencies and private sector. Thing you can do:

  • Establish a company online
    Estonian companies can be established, registered, and administered entirely online.
  • Open a bank account in Estonia
    Estonia is well-known for its user-friendly and secure online banking. The e-Resident smart ID card is approved by LHV, Swedbank and SEB banks in Estonia, with others planned in future.
  • Digitally sign documents and contracts
    Digital signatures have been available in Estonia since 2000 and are used daily. More than 200 million digital signatures have been created in Estonia since inception.

As someone interested in digital identities I think this is fantastic stuff, and heralds the coming of a new age of business. Looking forward to visiting the Estonian consulate in Oslo to pick up my ID card.

Read more about Estonian e-resicency here:

  • https://en.wikipedia.org/wiki/E-residency_of_Estonia
  • https://e-estonia.com/e-residents/services-and-benefits/

 

Office 365 Hybrid Configuration Wizard fails due to DateTime.MinValue issue

I was helping a customer set up a hybrid Exchange environment recently. When the time came to run  the Office 365 Hybrid Configuration Wizard we received this error:

utc

The error given is:

The UTC time represented when the offset is applied must be between year 0 and 10,000.
Parameter name: offset

I asked the Internet and quickly discovered that this is not a Hybrid Configuration issue, but rather some bug in the .NET framework DateTime function. I soon found this page (quite old as you can see). To quote the author: The value of DateTime.MinValue cannot be cast to a DateTimeOffset if you are east of London!

So the solution in our case was to temporarily set the time zone of the server where we ran the Hybrid Configuration Wizard to UTC (Coordinated Universal Time), aka. GMT.

Connecting to an Azure AD joined machine with an Azure AD user account over Remote Desktop

Introduction

Windows 10 introduces the ability to join a computer to the cloud directory service Azure AD. This is very similar to the traditional domain join, where you join a computer to an Active Directory domain, run on-premises by one or more Domain Controllers. Both operations lets the computer operate within a common security context and benefit from Single Sign-On (SSO) to all resources that share the same security context. However, joining Azure AD instead of a traditional domain can break things or make them more difficult. There are many examples of this, but the one I want to discuss here is connecting with Remote Desktop (RDP) to an Azure AD joined computer with a user account from Azure AD. Just to be clear; the connection we want to establish is to an Azure AD joined computer, logging on with an account from Azure AD. This account can either be synced from on-premises or be mastered in the cloud, and both federated and password logons are supported. We do not depend on any local accounts on the computer, using tricks such as adding an Azure AD work account to a local account or a Microsoft Account (MSA), this is pure Azure AD.

Connecting Successfully

There are some obvious prerequisites for this to work:

  • The computer must be joined to Azure AD
  • Remote Desktop connections must be enabled and allowed through the host firewall
  • Any other firewall between you and the computer must allow the Remote Desktop protocol

The key to connecting is having Windows 10 present an desktop login screen:

win10rdp2

That means that we must disable any form of single sign-on or integrated authentication. This requires the following steps:

  • On the Windows 10 computer; disable Network Level Authentication (NLA) for Remote Desktop Connections
    Open System Properties and navigate to the Remote tab. Under Remote Desktop; make sure Allow remote connections to this computer is enabled, and that Allow connections only from computers running Remote Desktop with Network Level Authentication is unchecked.
    win10rdp3
    This will disable the ability on the host to require that authentication happens before a user session is created.
  • On the computer you are connecting from create an RDP file and add the following settings to it:
    enablecredsspsupport:i:0
    authentication level:i:2
    Again, these settings disables sending any credentials automatically to the host computer. Leaving Windows with no choice but to display a desktop logon screen. The easiest way to create an RDP file is to open the remote desktop client, enter the name or IP of the computer you want to connect to and then his Save As. This will produce an RDP file that you can add/edit the necessary settings in. For those interested, most of the settings you can specify in an RDP file are listed here. In theory you could also add these settings on the command line, but I have not worked that out.

The last trick to make this work involves the username you specify on the logon screen. It must be in the following format:

AzureAD\<full UPN in Azure AD>

e.g. AzureAD\morgan.simonsen@langskip.no

This is a non-intuitive format for those of us who have connected to Windows over RDP in the past, but it is what works. I have not been able to connect with any other combination of domain, username, DNS domain or UPN, but this may very well change soon.

UPDATE 2015-11-7: On Windows 10 build 10586 the AzureAD prefix is no longer needed. You can just use your UPN.

Closing remarks

When you are joined to Azure AD we are naturally also authenticating against Azure AD, but it might be that you have federated Azure AD against an ADFS server, in which case authentications are redirected back to on-premises. Depending on your setup for authentication you will see the following differences:

Azure AD authenticated users will display the logged on user as: AzureAD\<concatenated display name>. Federated tenants will display the logged on user as <on-premises NetBIOS domain name>\<on-premises sAMAccountName>. This difference is visible if you use the whoami utility or look at the environment variables. Just to be clear, these differences do not have anything to do with remote desktop connections, they are just a consequence of joining Azure AD.

Connecting with a local account to a Windows 10 computer joined to Azure AD would as it does for any other Windows computer.

This is probably not how Microsoft would like us to connect to Azure AD joined machines so we can expect NLA authenticated connections to work some time in the future.

Happy connecting!

Morgan

How to find the GUID of your Azure AD tenant

All Azure AD tenants are named as sub-domains of the root onmicrosoft.com. For example yourcompany.onmicrosoft.com. Some very early adopters of eg. Office 365 might also have tenant names that look like this emea.microsoftonline.com, but AFAIK all new tenants will inherit the onmicrosoft.com domain. But names are fickle, so every Azure AD tenant also has a Globally Unique IDentifier, or GUID that is guaranteed to be unique (as the name implies) within Azure AD.

When you sign up for a service like Office 365, which uses Azure AD in the same way Exchange Server uses Active Directory. You can immediately start using services like Exchange Online and Skype with your default Azure AD tenant domain. Needless to say, it is not a user friendly domain name, either for logons or receiving email, so almost everyone adds one or more custom domains.

Sometimes it might be useful to know what the GUID of your tenant is. Perhaps you need it to file a support request, or you want to work out what is going on when you do federated sign-ons against Azure AD or you are working with Azure AD B2B.

Finding the GUID is not as easy as you might think. It is not displayed in the Azure AD portal, nor is it available in Azure AD PowerShell. You actually have to dig a little to find it. Sometimes it pops up in your browser address bar when you log in, but you have to be sure that it actually is your GUID that is display there, and not someone else’s.

Here is the easiest way I have found to display the GUID:

  1. Log into the Azure AD Portal (manage.windowsazure.com)
  2. Find or create a custom application that is integrated with your Azure AD tenant. To create a new application is very easy and you can immediately delete it once you have what you want.
  3. Press the View Endpoints button at the bottom of the screen.
    azureadguid1
  4. In the dialogue that pops up, your GUID is the long sting directly behind login.microsoftonline.com:
    azureadguid2
  5. Copy your GUID and store it in a safe place.

If I come up with an easier way to find the tenant GUID I will update this post.

Morgan

Azure AD Sync/Connect Events

Here is a table of Azure AD Sync/Connect related entries that you will find in the Application log of your sync server. Use this table to quickly create filers and find what you are looking for. This is not a complete list!

Event IDLevelSourceTextDescriptionFamily
601InformationDirectory SynchronizationPassword Synchronization Manager has started. Indicates the password sync manager process has started for the specified AD domain.Password hash synchronization/write-back
605InformationDirectory SynchronizationThe following password changes failed to synchronized and have scheduled for retry.



Lists password changes that were note successful.Password hash synchronization/write-back
609InformationDirectory SynchronizationPassword Synchronization service has stopped.Password hash synchronization/write-back
611InformationDirectory SynchronizationDirectory Synchronization full sync is in progress. Password synchronization agent will be paused until directory synchronization full sync is complete.

Password sync is pausing until regular sync completes.Password hash synchronization/write-back
650InformationDirectory SynchronizationProvision credentials batch start. Count: <#>, TrackingID : Signifies the start of a credentials (password) sync batch. This event will repeat for each batch.Password hash synchronization/write-back
651InformationDirectory SynchronizationProvision credentials batch end. Count: 37, TrackingID : Signifies the end of a credentials (password) sync batch. This event will repeat for each batch.Password hash synchronization/write-back
653InformationDirectory SynchronizationProvision credentials ping start. TrackingID : Password hash synchronization/write-back
654InformationDirectory SynchronizationProvision credentials ping end. TrackingID : Password hash synchronization/write-back
656InformationDirectory SynchronizationPassword Change Request - Anchor : , Dn : , Change Date : The Anchor value will be found in Azure AD as the sourceAnchor attribute, thus connecting an on-premises object with a cloud object. Each event will have up to about 50 entries.Password hash synchronization/write-back
657InformationDirectory SynchronizationPassword Change Result - Anchor : , Dn : , PwdChangeOnLogon=, Result : .
Indicates the result of a particular password change operation against Azure AD. This event will repeat and include up to 50 entries.Password hash synchronization/write-back
658InformationDirectory SynchronizationWindows credential sync is disabled in the registryPassword hash synchronization/write-back
659InformationDirectory SynchronizationIsForcePasswordChangeOnLogonFeatureEnabled=Password hash synchronization/write-back
104InformationDirectory SynchronizationExport:: Iteration: <#>, Current batch size: <#>, Exported total: <#>, Successful total: <#>, TrackingId: .ExportObject import/synchronization/export
105InformationDirectory SynchronizationImport:: Iteration: <#>, Current batch size: <#>, Imported total: <#>, More: , TrackingId: , SyncCookie: .ImportObject import/synchronization/export
106ErrorDirectory SynchronizationFailed to connect to Windows Azure Active Directory during export. Exception: Microsoft.Online.Coexistence.ProvisionException: An unknown error occurred with the Microsoft Online Services Sign-in Assistant. Contact Technical Support. ---> Microsoft.Online.Coexistence.Security.WindowsLiveException: SetCredential() failed. Contact Technical Support.
at Microsoft.Online.Coexistence.Security.LiveIdentityManager.OpenIdentity(String federationProviderId, String userName, String password)
at Microsoft.Online.Coexistence.ProvisionHelper.GetLiveCompactToken(String userName, String userPassword)
--- End of inner exception stack trace ---
at Microsoft.Online.Coexistence.ProvisionHelper.WindowsLiveExceptionHandler(WindowsLiveException ex)
at Microsoft.Online.Coexistence.ProvisionHelper.GetLiveCompactToken(String userName, String userPassword)
at Microsoft.Azure.ActiveDirectory.Connector.ProvisioningServiceAdapter.Initialize()
at Microsoft.Azure.ActiveDirectory.Connector.DirSyncConfigurationAdapter.GetCurrentCloudDirSyncConfiguration()
at Microsoft.Azure.ActiveDirectory.Connector.Connector.OpenExportConnection(KeyedCollection`2 configParameters, Schema schema, OpenExportConnectionRunStep openExportConnectionRunStep).
Object import/synchronization/export
109ErrorDirectory SynchronizationFailure while importing entries from Windows Azure Active Directory. Exception: Microsoft.Online.Coexistence.ProvisionException: An unknown error occurred with the Microsoft Online Services Sign-in Assistant. Contact Technical Support. ---> Microsoft.Online.Coexistence.Security.WindowsLiveException: SetCredential() failed. Contact Technical Support.
at Microsoft.Online.Coexistence.Security.LiveIdentityManager.OpenIdentity(String federationProviderId, String userName, String password)
at Microsoft.Online.Coexistence.ProvisionHelper.GetLiveCompactToken(String userName, String userPassword)
--- End of inner exception stack trace ---
at Microsoft.Azure.ActiveDirectory.Connector.GetImportEntriesTask.GetNextBatch()
at Microsoft.Azure.ActiveDirectory.Connector.Connector.GetImportEntriesCore()
at Microsoft.Azure.ActiveDirectory.Connector.Connector.GetImportEntries(GetImportEntriesRunStep getImportEntriesRunStep).
Object import/synchronization/export
114InformationDirectory SynchronizationExport cycle completed. Tracking id: Export. This event will repeat for each cycle.Object import/synchronization/export
115InformationDirectory SynchronizationProvisioningServiceAdapter::ExecuteWithRetry: Action: ProvisionCredentials, Attempt: 0, Exception: Microsoft.Online.Coexistence.ProvisionRetryException: An error occurred. Error Code: 51. Error Description: Access to Azure Active Directory has been denied. Contact Technical Support. Tracking ID: bd0defbf-77ce-4ee6-afe6-6ec73537325e Server Name: .
at Microsoft.Online.Coexistence.ProvisionHelper.AdminWebServiceFaultHandler(FaultException`1 adminwebFault)
at Microsoft.Online.Coexistence.ProvisionHelper.InvokeAwsAPI[T](Func`1 awsOperation, String opsLabel)
at Microsoft.Azure.ActiveDirectory.Connector.ProvisioningServiceAdapter.<>c__DisplayClassb.b__a()
at Microsoft.Azure.ActiveDirectory.Connector.ProvisioningServiceAdapter.ExecuteWithRetry(String actionName, Action action).
Object import/synchronization/export
116InformationDirectory SynchronizationCalling UpdateDirSyncConfiguration with: [CloudDirSyncConfiguration [PreventAccidentalDeletion DeletionPrevention=EnabledForCount, ThresholdCount=500, ThresholdPercentage=0], [CurrentExport DirSyncObjectAdds=0, DirSyncObjectDeletes=0, DirSyncObjectUpdates=0, DirSyncClientMachineName=, TotalConnectorSpaceObjects=2722], [Writeback UnifiedGroupContainer=, UserContainer=]]Object import/synchronization/export
116InformationDirectory SynchronizationGetting the current DirSyncConfiguration.Object import/synchronization/export
116InformationDirectory SynchronizationReturned configuration: [CloudDirSyncConfiguration [PreventAccidentalDeletion DeletionPrevention=EnabledForCount, ThresholdCount=500, ThresholdPercentage=0], [CurrentExport DirSyncObjectAdds=0, DirSyncObjectDeletes=0, DirSyncObjectUpdates=9, DirSyncClientMachineName=, TotalConnectorSpaceObjects=2722], [Writeback UnifiedGroupContainer=, UserContainer=]]Object import/synchronization/export
117InformationDirectory SynchronizationImport prefetch:: Start - , End , Idle 00:00:00Object import/synchronization/export
904InformationDirectorySyncClientCmdImport/Sync/Export cycle completed (Initial).
Starting: Device Certificate Sync Step...
Finished: Device Certificate Sync Step. Duration: 0.045 sec.
Finished: Purging Run History. Duration: 0.144 sec.
Finished: Running the AAD Password Reset Feature. Duration: 0.746 sec.
Starting: Purging Run History...
Finished: Device Certificate Sync Step. Duration: 0.043 sec.
Starting: Initializing the program configuration...
Starting: Device Certificate Sync Step...
Starting: Purging Run History...
Finished: Purging Run History. Duration: 0.72 sec.
Starting: Getting the AAD Connector Name...
Finished: Getting the AAD Connector Name. Duration: 0.679 sec.
Finished: Getting the AD Connector Names. Duration: 0.879 sec.
Finished: Initializing the program configuration. Duration: 0.039 sec.
Starting: Getting the AD Connector Names...
Exporting to all Sources
Finished
Exporting to Target
Synchronizing from all Sources
Synchronizing from Target
AAD password reset is not currently configured.
Finished: Running the AAD Password Reset Feature. Duration: 9.605 sec.
Starting: Running the AAD Password Reset Feature...
Import/Sync/Export cycle completed (Delta).
Finished: Executing the run profiles. Duration: 104.649 sec.
Exporting to all Sources
Synchronizing from all Sources
Synchronizing from Target
Importing
Import/Sync/Export cycle started (Delta).
Initializing
Import/Sync/Export cycle completed (Delta).
Finished: Executing the run profiles. Duration: 18.283 sec.
Events from the DirectorySyncClientCmd.exe tool used by Task Scheduler and Azure AD Connect setup to run sync.Object import/synchronization/export
904InformationMicrosoftAzureActiveDirectoryClientStarting: Setting up the ......
Finished: Running SyncScheduler task.. Duration: 0.131 sec.
Starting: Enabling SyncScheduler task....
Finished: Running SyncScheduler task.. Duration: 2.573 sec.
Starting: Running SyncScheduler task....
Finished: Enabling SyncScheduler task.. Duration: 2.17 sec.
Starting: Setting up the ......
Finished: Setting up the .... Duration: 0.789 sec.
904InformationAzureActiveDirectorySyncEngineEach event displays one of the install/setup/uninstall steps of Azure AD Connect setup.Setup
905WarningDirectorySyncClientCmdAttempting to obtain Azure AD Sync Scheduler mutex
905WarningAzureActiveDirectorySyncEngineRemoveSqlLocalDbInstance: Error while removing database ADSync. This may be expected. Details: Microsoft.Azure.ActiveDirectory.Synchronization.Framework.ProcessExecutionFailedException: Exception: Execution failed with errorCode: 1.

Details: Sqlcmd: Error: Microsoft SQL Server Native Client 11.0 : SQL Server Network Interfaces: The specified LocalDB instance does not exist.
[x89C50107]. .
Sqlcmd: Error: Microsoft SQL Server Native Client 11.0 : Login timeout expired.
Sqlcmd: Error: Microsoft SQL Server Native Client 11.0 : A network-related or instance-specific error has occurred while establishing a connection to SQL Server. Server is not found or not accessible. Check if instance name is correct and if SQL Server is configured to allow remote connections. For more information see SQL Server Books Online..

at Microsoft.Azure.ActiveDirectory.Synchronization.Framework.ProcessAdapter.StartProcessCore(String fileName, String arguments, String workingDirectory, NetworkCredential credential, Boolean loadUserProfile, Boolean hideWindow, Boolean waitForExit)
at Microsoft.Azure.ActiveDirectory.Synchronization.Framework.ProcessAdapter.StartBackgroundProcessAndWaitForExit(String fileName, String arguments, String workingDirectory, NetworkCredential credential, Boolean loadUserProfile)
at Microsoft.Azure.ActiveDirectory.Synchronization.Framework.SqlCmdAdapter.ExecuteCommand(String arguments, NetworkCredential credential)
at Microsoft.Azure.ActiveDirectory.Synchronization.Setup.SynchronizationServiceSetupTask.<>c__DisplayClass1d.b__1c()
906ErrorDirectorySyncClientCmdDirectorySyncClientCmd: invalid command line argument: (INTIAL)
2001InformationADSyncThe service was started successfully.Service
2002InformationADSyncThe service was stopped successfully.Service
6012WarningADSyncThe management agent failed on run profile "Full Import" because the management agent did not import any objects during the run step.
6100WarningADSyncThe management agent step execution completed on run profile "Full Synchronization" with errors.

Additional Information
Discovery Errors : "0"
Synchronization Errors : "0"
Metaverse Retry Errors : "458"
Export Errors : "0"
Warnings : "0"

User Action
View the management agent run history for details.
6105WarningADSyncThe management agent step execution completed on run profile "Full Import" but some objects had exported changes that were not confirmed on import.

Additional Information
Discovery Errors : "0"
Synchronization Errors : "0"
Metaverse Retry Errors : "0"
Export Errors : "0"
Warnings : "5"

User Action
View the management agent run history for details.
6110WarningADSyncThe management agent step execution completed on run profile "Full Import" but the watermark was not saved.

Additional Information
Discovery Errors : "0"
Synchronization Errors : "0"
Metaverse Retry Errors : "0"
Export Errors : "0"
Warnings : "0"

User Action
View the management agent run history for details.
6126WarningADSyncThe management agent completed run profile "Delta Import" with a delta import or delta synchronization step type. The rules configuration has changed since the last full import or full synchronization.

User Action
To ensure the updated rules are applied to all objects, a run with step type of full import and full synchronization should be completed.
6127WarningADSyncThe management agent completed run profile with a delta import or delta synchronization step type. The rules configuration has changed since the last full synchronization.

User Action
To ensure the updated rules are applied to all objects, a run with step type of full synchronization should be completed.
6201InformationADSyncThe server encryption keys have been successfully created.

User Action
Store a backup of the encryption keys in a secure location. This will be required for server restore operations.
6801ErrorADSyncThe extensible extension returned an unsupported error.
The stack trace is:

"Microsoft.Online.Coexistence.ProvisionException: An unknown error occurred with the Microsoft Online Services Sign-in Assistant. Contact Technical Support. ---> Microsoft.Online.Coexistence.Security.WindowsLiveException: SetCredential() failed. Contact Technical Support.
at Microsoft.Online.Coexistence.Security.LiveIdentityManager.OpenIdentity(String federationProviderId, String userName, String password)
at Microsoft.Online.Coexistence.ProvisionHelper.GetLiveCompactToken(String userName, String userPassword)
--- End of inner exception stack trace ---
at Microsoft.Azure.ActiveDirectory.Connector.GetImportEntriesTask.GetNextBatch()
at Microsoft.Azure.ActiveDirectory.Connector.Connector.GetImportEntriesCore()
at Microsoft.Azure.ActiveDirectory.Connector.Connector.GetImportEntries(GetImportEntriesRunStep getImportEntriesRunStep)
Azure AD Sync 1.0.8667.0"
6803ErrorADSyncThe management agent failed on run profile "Export" because the server encountered errors.
6941ErrorADSyncECMA2 MA export run caused an error.

Error Name:
Error Detail:

Tracking Id:
DataValidationFailed
InvalidSoftMatch
AttributeValueMustBeUnique
IdentityDataValidationFailed
6943InformationADSyncPassword sync started for management agent .
0ErrorDirectory SynchronizationAn unknown error occurred with the Microsoft Online Services Sign-in Assistant. Contact Technical Support. SetCredential() failed. Contact Technical Support. (0x8009000B)

 

Speaking at Nordic Infrastructure Conference (NICConf) 2016

Just got a confirmation for two of my session suggestions for NIC 2016. Join me in Oslo February 3-5th 2016!

Here are the sessions I will be giving:

Azure AD B2B and B2C: The next generation collaboration has arrived
Level: 300
Azure AD Business-2-Business and Business-2-Consumer are two new features of the global trust fabric that is Azure Active Directory. With Azure AD B2B many of the identity challenges of collaborating with partners are no longer relevant. The complexities and cost of federation, and the security issues with maintaining accounts for your partners are no longer necessary. Join me to learn how to use these new features to allow anyone you choose to securely use your applications and access your data. We will also cover B2C where Azure AD finally integrates with the major social identity providers like Google, Microsoft Accounts and Facebook to allow you to share data and applications with consumers.
Azure AD Domain Controller Services (DC-as-a-Service): Get rid of Windows Server AD once and for all
Level: 300
Azure AD offers the next generation identity platform built from the ground up to enable the cloud. As more and more organizations adopt and move to Azure AD the need for the traditional Active Directory infrastructure dimishes. But it can be very hard to get rid of our oldest AD dependent applications. With Azure AD Domain Controller Services we can finally take this last step and retire our old domain controllers. Azure AD DCaaS can use Azure AD to emulate a domain controller and thus let us run all our legacy applications while only using Azure AD. Join me in this sessions for a highly technical overview of this new technology.

Hope to see you there!

Morgan

Some thoughts on Group Policy design

Group Policy has been with us for well over 12 years now and has turned out to be a good tool for deploying configurations to your users, servers and clients. A summary of Group Policy in general is beyond what I want to say here so for anyone looking for that before reading on have a look here.

A major tenet of Group Policy and Active Directory site, domain and OU design is to group users by common denominators and configure Group Policy for them. For instance you might want to use a geographical approach and group your users according to geograpihal location. All users from Europe in one OU and all from Asia in another. Each would get a GPO setting the common configuration that all users in any give location should have. Another approach would be to group by function. Lets say we place all users beloning to our R&D deparment in one OU, regardles of physical location.

New preview version of Azure AD PowerShell available (Yes, it now supports ADAL!)

I guess the title says it all!

Here is the link to the Microsoft Connect site to download:

http://connect.microsoft.com/site1164/

Connect-MSOLService now brings up the familiar ADAL prompt with MFA and ADFS support etc. Make sure to read the release notes included, and you should probably uninstall the Microsoft Online Sign In assistant.

Here are the changes:

  • Dependency on the Microsoft Online Service sign in assistant removed.
  • Name of module updated Windows Azure -> Microsoft Azure
  • Connect-MsolService parameter -CurrentCredentials removed.
  • Connect-MsolService parameter -AccessToken added to enable AAD Connect, and other callers to use the PowerShell as a client library.
  • New device management cmdlets:
    • Get-MsolDevice
    • Enable-MsolDevice
    • Disable-MsolDevice
    • Remove-MsolDevice

Few apparent changes in the list of installed products though:

Before:

aad_ps_adal_before

After:

aad_ps_adal_after

Morgan

Office Modern Authentication (ADAL) and Autodiscover

The introduction of Active Directory Authentication Library (ADAL) support in Office 2013 and Office 265 ProPlus is great news. The Office suite of applications is now able to take advantage of advanced authentication options like federated SSO and MFA. Using ADAL with Office is referred to using Office with modern authentication. Modern authentication was recently made available to everyone and all you need to do to start using it is add three registry keys. You can find all the information you need here:

http://blogs.office.com/2015/03/23/office-2013-modern-authentication-public-preview-announced/

I recently ran into a problem with using ADAL in Office, which I think is a bug. When you try to connect to a new mailbox in Outlook using Autodiscover, and who doesn’t, Outlook is unable to successfully connect to the mailbox. From my testing, this problem is present in version 15.0.4693.1002 of Office 2013/365 ProPlus (a.k.a. March 2015 Update), which is the first version to include ADAL support.

You can look at the change log for Office here: https://support2.microsoft.com/gp/office-2013-365-update

Check your Office version by going to FileAccount and looking at Product Information:

image

The problem manifests itself when using the Account Setup Wizard.You enter your name, email address and password. Outlook queries Autodiscover DNS records for your domain. When your settings have been discovered you are asked to authenticate against the service. This authentication does not used ADAL in my experience, but displays an old fashioned authentication prompt. However, because of the bug, you will never get this far. Instead the wizard will inform you that it cannot find your settings.

To fix this, simply update to the latest version of Office. The most recent update, at the time of this writing, is version 15.0.4711.1003 (a.k.a. April 2015 update).

None of the fixes in this update specifically addresses this problem, as described in this post, but there is some mention about not being able to add a new account if your are using ADAL in Office and the account uses basic authentication in this KB article:

https://support.microsoft.com/en-us/kb/2965218

  • When you enter incorrect credentials for an account that makes some mailbox connections use Active Directory Authentication Library (ADAL) authentication and some connections use basic authentication, you are not prompted to enter credentials again, and Outlook cannot connect to mailboxes by using basic authentication.
  • When you enable the Active Directory Authentication Library (ADAL)-based authentication for Outlook 2013, you may be unable to add Office 365 accounts that use basic authentication. If you have enabled the ADAL-based authentication for Outlook 2013 that has an Office 365 account configured and the account uses basic authentication, you cannot connect to the account.

Anyway; updating resolves the problem.

RunAs Radio Azure RMS Podcast

I just spent half an hour talking to RunAs Radio host Richard Campbell about Azure RMS. The show will go live on May 13th.

RunAs Radio is a weekly Internet Audio Talk Show for IT Professionals working with Microsoft products. The full range of IT topics is covered from a Microsoft-centric viewpoint.

I was not aware of RunAs Radio myself but they have a lot of great content, and are now on my list of podcasts I subscribe to, If you are are a technologist interested in Microsoft products I highly recommend you do the same!

http://www.runasradio.com/

Thanks to Richard and everyone else at RunAs Radio for having me on the show,

Information wants to be free!