IT Consultant Everyday Notes

Just some problems/solutions storage

Category Archives: Security

SCCM: SCCM CB - list of communication ports

[Image: SCCM_CB_Intune_Architecture_Diagram]

The Excel spreadsheet can be downloaded from: https://gallery.technet.microsoft.com/List-of-SCCM-ConfigMgr-CB-d8c72077

SCCM: Vulnerability Assessment Configuration Pack

It is available for IIS, SQL Server and the Windows OS itself.

It can be downloaded here; more details are in the SCCM team blog post.

ADFS: Integration with VMware vCloud Director

Milos and I tested an integration between VMware vCloud Director (VCD) and Microsoft's SSO implementation, ADFS, installed on Windows Server 2012 R2. We used this ARTICLE (in Dutch) as guidance.

1. Install the AD FS role on the 2012 R2 server and prepare the prerequisites:

1.1 Plan a name for the ADFS service. The name cannot be the same as the server name: if your server is called server1.yourdomain.com, call the ADFS service sso.yourdomain.com, for example. Think about the external name if applicable. Request a certificate with EKU = Server Authentication (from the Web Server template) for the ADFS service name, not for the server name. ADFS supports wildcard certificates; alternatively, add all your ADFS service names to the certificate as Subject Alternative Names (SANs).

1.2 Create a service account for ADFS or use a Group Managed Service Account (gMSA). To create a gMSA:

Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)
New-ADServiceAccount FsGmsa -DNSHostName server1.yourdomain.com -ServicePrincipalNames https/server1.yourdomain.com

The -EffectiveTime in the past makes the KDS root key usable immediately. That is fine for a lab; in a production forest, add the key without it and wait the default 10 hours for replication before creating the gMSA.

1.3 Create a test user in AD and set its e-mail address. The e-mail address is important: it will be used for the claims.

1.4 Add the KDS root key if it was not already added in step 1.2 (only needed when using a gMSA):

Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)

2. In Server Manager, go to the AD FS role and click "Additional Configuration Required". Configure ADFS with the default configuration (Windows Internal Database), using the service name and certificate from step 1.1.

3. Add sso.yourdomain.com to your DNS to be sure both VCD and the clients can resolve it.

4. After the installation, go to https://sso.yourdomain.com/FederationMetadata/2007-06/FederationMetadata.xml and save the file.

----------------------------- VCD SIDE -----------------------------

5. Log on to VCD as an administrator at https://vcd.yourdomain.com/cloud/org/yourorg/.

6. Go to Administration-Federation

7. Select SAML Identity Provider

8. Paste the content of the XML file saved in step 4 (the ADFS federation metadata).

9. Go to User Management - Import Users and import the user as a SAML user with a Name ID matching the e-mail address of the user in Active Directory, for example user@yourdomain.com.

10. Open Internet Explorer, navigate to https://vcd.yourdomain.com/cloud/org/yourorg/saml/metadata/alias/vcd and save the file (this is the VCD service provider metadata).

11. Copy the saved file to the ADFS server as vcd.xml.

----------------------------- ADFS PART -----------------------------

12. Configure the Relying Party Trust

12.1 Log on to the ADFS server as a Domain Administrator

12.2 Open the AD FS Management console

12.3 Right-click "Relying Party Trusts" and select "Add Relying Party Trust"

12.4 Click Start

12.5 Select "Import data about the relying party from a file" and point the wizard to the file saved in step 11

12.6 Click OK in the warning window

12.7 Add a display name (for example VCD)

12.8 Do not add multi-factor authentication or rules; just finish the wizard

12.9 Right-click the newly created Relying Party Trust and select Properties

12.10 Under the Advanced tab, switch the secure hash algorithm to SHA-1. SHA-1 is deprecated for signatures; the ADFS default, SHA-256, should be kept if your VCD version accepts SHA-256-signed assertions. This downgrade is only there because the integration tested here required it.

13. In the original article this step is marked as optional, but we found the integration does not work without it. Open PowerShell as Administrator and run:

Add-PSSnapin Microsoft.Adfs.Powershell   # NOT required on Server 2012 R2: the ADFS module is loaded automatically there, so skip this line
Set-AdfsRelyingPartyTrust -TargetName "VCD" -EncryptClaims $False

The -TargetName value must match the display name given in step 12.7 (VCD in this example).

14. Configure ADFS Claims

14.1 Right-Click Relying Party Trust created in step 12. And select Edit Claim Rules

14.2 Click Add Rule

14.2.1 Select "Send LDAP Attributes as Claims"; click Next

14.2.2 Add Claim Rule Name (for example “LDAP Attribute E-Mail Address”)

14.2.3 Select Active Directory as Attribute Store

14.2.4 In LDAP Attribute column select “E-mail Addresses”

14.2.5 In Outgoing Claim Type select “E-Mail Address”

14.2.6 Click Finish

14.3 Click Add Rule again

14.3.1 Select "Transform an Incoming Claim"; click Next

14.3.2 Add a Claim Rule Name (for example "Transform E-Mail Address to Name ID")

14.3.3 In Incoming Claim Type select "E-Mail Address"

14.3.4 In Outgoing Claim Type select “Name ID”

14.3.5 Verify Pass through all claim values is selected

14.3.6 Click Finish

At this point you should have two rules like this:

[Image: the two claim rules on the VCD Relying Party Trust]

ADFS is configured and you should be able to connect to VCD via ADFS.
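The ADFS part (step 4 and steps 12 to 14) done from PowerShell on the ADFS server, as an added example that is not code from the original post or from the Dutch article it follows. It assumes the service name sso.yourdomain.com and the display name VCD from the steps above, and that the VCD metadata from step 11 sits at C:\vcd.xml (a path the post does not specify). The two claim rules are the claim-rule-language equivalents of what the "Send LDAP Attributes as Claims" and "Transform an Incoming Claim" wizards generate in step 14; the "permit all users" authorization rule has to be added explicitly, because the cmdlet does not add it the way the GUI wizard does.

```powershell
# Added example (not from the original post): scripted version of step 4 and steps 12-14.
# Run in an elevated PowerShell on the ADFS server (Windows Server 2012 R2, ADFS module).
# Assumptions not stated in the post: the VCD metadata path C:\vcd.xml and the output path
# for the federation metadata; the service name and display name come from the steps above.
$FederationService = "sso.yourdomain.com"
$RpName            = "VCD"
$VcdMetadata       = "C:\vcd.xml"

# Step 4: fetch the ADFS federation metadata that is pasted into VCD (step 8). A TLS error
# here usually means the certificate from step 1.1 does not cover the service name.
$metadataUrl = "https://$FederationService/FederationMetadata/2007-06/FederationMetadata.xml"
Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing -OutFile "C:\FederationMetadata.xml"

if (-not (Test-Path $VcdMetadata)) {
    throw "VCD metadata $VcdMetadata not found; export it from VCD first (steps 10 and 11)."
}
if (Get-AdfsRelyingPartyTrust -Name $RpName) {
    throw "A relying party trust named $RpName already exists; adjust it with Set-AdfsRelyingPartyTrust instead."
}

# Step 14 in claim rule language:
#  - rule 1 looks up the "mail" attribute of the authenticated Windows account in AD and
#    issues it as an E-Mail Address claim (14.2);
#  - rule 2 transforms that claim into a Name ID claim, passing the value through unchanged
#    (14.3), which VCD matches against the Name ID of the SAML user imported in step 9.
$issuanceRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "LDAP Attribute E-Mail Address"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Transform E-Mail Address to Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);
'@

# The GUI wizard adds a "Permit all users" issuance authorization rule by default;
# Add-AdfsRelyingPartyTrust does not, and a trust without any authorization rule denies everyone.
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Step 12: create the trust from the VCD service provider metadata
# (the equivalent of "Import data about the relying party from a file").
Add-AdfsRelyingPartyTrust -Name $RpName -MetadataFile $VcdMetadata `
    -IssuanceTransformRules $issuanceRules -IssuanceAuthorizationRules $authzRules

# Steps 12.10 and 13: SHA-1 signatures (only because this VCD integration needed it; keep the
# SHA-256 default, http://www.w3.org/2001/04/xmldsig-more#rsa-sha256, where the SP accepts it)
# and unencrypted claims.
Set-AdfsRelyingPartyTrust -TargetName $RpName `
    -SignatureAlgorithm "http://www.w3.org/2000/09/xmldsig#rsa-sha1" `
    -EncryptClaims $false

# Verification: the two settings VCD depends on, plus the rules that were applied.
Get-AdfsRelyingPartyTrust -Name $RpName |
    Select-Object Name, Enabled, EncryptClaims, SignatureAlgorithm, IssuanceTransformRules
```

If the later SAML logon fails, compare the Name ID in the assertion (ADFS event log, Application and Services Logs > AD FS > Admin, or a SAML tracer in the browser) with the Name ID of the user imported in step 9; a mismatch in the mail attribute is the usual cause.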

Server 2012: Remote Desktop access–“Insert smart card”

Issue: You try to RDP to a Windows Server 2012. There is no place to type a password on the logon page; there is a message "Insert smart card" instead, even though smart card authentication is not configured.

Resolution: Log on locally with Administrator credentials. Remove the profile of the affected user. Try to RDP again so that the profile is recreated.

Note: it looks like the issue occurs only if you first logged on with your account locally. Accounts whose profile was created during an RDP session are not affected.
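The profile removal from the resolution, scripted, as an added example that is not code from the original post. It assumes a hypothetical affected account YOURDOMAIN\user1 and that you run it in an elevated PowerShell session while logged on as a different (administrator) account; it refuses to touch a profile that is still loaded, which is the case that leaves a half-deleted profile behind.

```powershell
# Added example (not from the original post): remove the broken local profile of the
# affected user so that the next RDP logon recreates it.
# Assumption (not from the post): the affected account is YOURDOMAIN\user1. Run elevated,
# logged on as a different account (the administrator account used in the resolution).
$Account = "YOURDOMAIN\user1"

# Resolve the account to its SID: Win32_UserProfile is keyed by SID, and matching on the
# folder name alone would also hit stale user1.YOURDOMAIN-style duplicate folders.
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value

$profile = Get-CimInstance -ClassName Win32_UserProfile | Where-Object { $_.SID -eq $sid }
if (-not $profile) {
    throw "No local profile found for $Account; nothing to remove."
}
if ($profile.Loaded) {
    # Deleting a loaded profile fails or leaves it half removed: log the user off first
    # (check sessions with 'query user') and rerun.
    throw "Profile for $Account is still loaded ($($profile.LocalPath)); log the user off first."
}

# Remove-CimInstance on Win32_UserProfile calls the class's Delete method, which removes the
# profile folder and its ProfileList registry entry together. A plain Remove-Item on
# C:\Users\<name> leaves the registry entry behind and produces a TEMP profile at next logon.
Write-Host "Removing profile $($profile.LocalPath) for $Account"
$profile | Remove-CimInstance

# Afterwards RDP as the user again: Windows recreates the profile on that logon.
```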