Good Practices for Managing Microsoft Azure Subscriptions

We’ve published updated guidance for Service Admin account management based on the RBAC access control now available in Azure. Where the classic (non-RBAC) portal is still required, the content in this post remains relevant.

Overview

Over the years it has been drilled into me to use “Least Privilege” access whenever and however possible. Least Privilege is all about limiting users, systems, and services to only those privileges which are absolutely essential to get the job done.…

SSL SAN Certificate Request and Import from PowerShell

===========================================================================
Updated 5 August 2013: allow wildcard subject names e.g. “CN=*.showcase.kloud.com.au” which get written to disk as ‘star.domain’ e.g. ‘star.showcase.kloud.com.au’
===========================================================================

Automating a certificate request with PowerShell should not be hard – but it is. Exchange has had offline certificate requests with New-ExchangeCertificate since PowerShell was introduced with Exchange 2007. Lync has had online certificate requests using Request-CsCertificate since Lync 2010, and GUI based online requests since the OCS days. I had a requirement to script the request, issuance and import of a certificate with multiple domain SAN (Subject Alternative Name) entries.…
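The shape of that automation, as an added example rather than the post’s own script: build a certreq .inf carrying the SAN extension, generate the key and CSR in the machine store, submit to an enterprise CA and bind the issued certificate back to the key. The CA config string, template name, DNS names and the wildcard-to-“star” file naming the update note describes are assumptions for illustration.

```powershell
# Added example (not the original post's script). CA name, template, DNS names and paths are assumptions.
$Subject  = 'CN=*.showcase.kloud.com.au'                      # wildcard CN as in the update note
$Sans     = @('*.showcase.kloud.com.au', 'showcase.kloud.com.au', 'www.showcase.kloud.com.au')
$CaConfig = 'ca01.showcase.kloud.com.au\Showcase Issuing CA'  # assumed "<host>\<CA name>" config string
$Template = 'WebServer'                                       # assumed template name on that CA

# '*' is not a legal file name character, so a wildcard CN is stored on disk as 'star.<domain>'.
$BaseName = ($Subject -replace '^CN=', '') -replace '^\*', 'star'
$Work     = Join-Path $env:TEMP $BaseName
New-Item -ItemType Directory -Path $Work -Force | Out-Null
$Inf = Join-Path $Work "$BaseName.inf"
$Csr = Join-Path $Work "$BaseName.req"
$Cer = Join-Path $Work "$BaseName.cer"

# 2.5.29.17 is the Subject Alternative Name extension; one dns= entry per name, each terminated by '&'.
$SanLines = ($Sans | ForEach-Object { "_continue_ = `"dns=$_&`"" }) -join "`r`n"
@"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "$Subject"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
Exportable = TRUE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
HashAlgorithm = sha256

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[RequestAttributes]
CertificateTemplate = $Template

[Extensions]
2.5.29.17 = "{text}"
$SanLines
"@ | Set-Content -Path $Inf -Encoding ASCII

# Generate the key pair and CSR, submit it to the CA, then install the issued cert against the pending key.
& certreq.exe -new -q $Inf $Csr
& certreq.exe -submit -q -config $CaConfig $Csr $Cer
& certreq.exe -accept -q $Cer

# Check that the installed certificate really carries every SAN we asked for.
$Issued = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq $Subject } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
$Missing = $Sans | Where-Object { $Issued.DnsNameList.Unicode -notcontains $_ }
if ($Missing) { throw "Issued certificate is missing SAN entries: $($Missing -join ', ')" }
$Issued | Select-Object Thumbprint, Subject, NotAfter, @{ n = 'SANs'; e = { $_.DnsNameList.Unicode -join ', ' } }
```

The KeySpec = 1 / MachineKeySet = TRUE pair is what makes the key usable by IIS or Lync, and the final check matters because a CA that is configured to ignore request-supplied SANs will happily issue a certificate without them.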

AWS Web Architecture 101 – Lessons Learned

This post discusses some of the lessons learned in implementing a web architecture on AWS with RDS. We walk through the key elements and highlight some gotchas to be mindful of.

Scenario

The components for this scenario include:

  • Virtual Private Cloud (VPC) with a public subnet and a private subnet.
  • ELB for Web Traffic
  • IIS Web Server instance
  • MS SQL RDS instance
  • Jump box for management connectivity

One of the first implementation considerations in AWS is how you will set up your network.

Microsoft FIM: Working with Domino Connector v8

We don’t always work with all of the ‘latest’ or ‘bleeding edge’ software here at Kloud, and occasionally we Identity Management consultants have to delve into the past and use some knowledge once thought lost from the world. Okay, so it’s not that bad, but I did find myself having to work with IBM Domino Server version 8 and FIM R2’s ECMA based Lotus Domino Management Agent (or ‘Connector’ in the new language) for a bi-directional sync between Domino and Active Directory (Exchange, Lync etc.).…

Windows Azure Active Directory Module and Online Services Sign-in Assistant

Back in 2012, we talked about Office 365 – PowerShell Setup. This was back in the days prior to the Microsoft Online Services Sign-in Assistant RTW, and before Windows 8 had gained a lot of traction. Recent updates, however, have made this a less straightforward process.

My first attempt at installing the Windows Azure Active Directory Module on Windows 8 failed with the error “must have microsoft online services sign-in assistant version 7.0 or greated installed”.…

AD FS and self-signed Token-Signing certificates

AD FS uses its Token-Signing certificate to digitally sign the security tokens it issues. The signature lets the receiving party verify that a token was issued by that federation service and has not been modified in transit. The public key of the Token-Signing certificate is exchanged when a federation trust is established (usually via federation metadata), so that the application or service receiving a signed security token can verify the signature.

Recently a Kloud client raised a query about the use of self-signed certificates versus use of a commercial certificate from a public certificate authority for the AD FS Token Signing certificate.…
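An added check that goes with that question (example code, not from the original post): read the signing key(s) the federation service publishes in its federation metadata, which is exactly what a relying party consumes when the trust is set up, and report whether each is self-signed and how long it has left. The AD FS host name is an assumption.

```powershell
# Added example (not the original post's script). The AD FS host name is an assumption.
$AdfsHost    = 'adfs.showcase.kloud.com.au'
$MetadataUrl = "https://$AdfsHost/FederationMetadata/2007-06/FederationMetadata.xml"

[xml]$Metadata = (Invoke-WebRequest -Uri $MetadataUrl -UseBasicParsing).Content
$Ns = @{
    md = 'urn:oasis:names:tc:SAML:2.0:metadata'
    ds = 'http://www.w3.org/2000/09/xmldsig#'
}
# Relying parties take the verification key from KeyDescriptor use="signing";
# use="encryption" is the separate token-decrypting certificate and is ignored here.
$Nodes = Select-Xml -Xml $Metadata -Namespace $Ns -XPath "//md:KeyDescriptor[@use='signing']//ds:X509Certificate"

$Seen = @{}
foreach ($Node in $Nodes) {
    $Bytes = [Convert]::FromBase64String($Node.Node.InnerText.Trim())
    $Cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$Bytes)
    # The same certificate is repeated under each role descriptor; report it once.
    if ($Seen.ContainsKey($Cert.Thumbprint)) { continue }
    $Seen[$Cert.Thumbprint] = $true
    [pscustomobject]@{
        Thumbprint = $Cert.Thumbprint
        Subject    = $Cert.Subject
        Issuer     = $Cert.Issuer
        SelfSigned = ($Cert.Subject -eq $Cert.Issuer)   # AD FS auto-generated certs have Subject = Issuer
        NotAfter   = $Cert.NotAfter
        DaysLeft   = [int]($Cert.NotAfter - (Get-Date)).TotalDays
    }
}
```

A relying party verifies the token signature against the key it was given in the trust, not against a CA chain, which is why the self-signed versus commercial question is really about key distribution and rollover: whichever certificate is used, every relying party must pick up the new public key when it changes, and this script run from the relying party’s side of the trust shows what it will actually see.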

Publish Lync 2013 with 2012 R2 Preview Web Application Proxy

I discussed the new Windows 2012 R2 Preview Web Application Proxy (WAP) remote access role in a previous post Windows 2012 R2 Preview Web Application Proxy – Exchange 2013 Publishing Tests. I showed how to publish Exchange 2013 (except for Outlook Anywhere, which isn’t working) and a claims based application.

In this post I am going to cover:

Publishing Lync Applications

Lync has a few different namespaces that need to be published:

  • Lync External Web Services (which includes the Lync Web App and Lync Scheduler)
  • Lync meeting join
  • Lync dialin page
  • Lyncdiscover for client autodiscover
  • Office Web Apps Server for PowerPoint sharing

Lync applications cannot use AD FS preauthentication at the proxy and have to be published as pass-through, which leaves authentication to the backend Lync server.…
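Publishing the namespaces listed above as pass-through applications, as an added example rather than the post’s own commands: every external host name, backend URL and the certificate thumbprint below are assumptions, and the script is meant to run on the WAP server after Install-WebApplicationProxy has completed.

```powershell
# Added example (not the original post's commands). Host names, backend URLs and the thumbprint are assumptions.
$Thumbprint = '0123456789ABCDEF0123456789ABCDEF01234567'   # assumed thumbprint of the external SAN certificate

# Lync external web services listen on 4443 on the Front End; the external FQDNs are assumed to resolve
# to the Front End internally, so external and backend host names match and no host header rewrite is needed.
$Apps = @(
    @{ Name = 'Lync External Web Services'; ExternalUrl = 'https://lyncweb.showcase.kloud.com.au/';      BackendServerUrl = 'https://lyncweb.showcase.kloud.com.au:4443/' }
    @{ Name = 'Lync Meeting Join';          ExternalUrl = 'https://meet.showcase.kloud.com.au/';         BackendServerUrl = 'https://meet.showcase.kloud.com.au:4443/' }
    @{ Name = 'Lync Dial-in';               ExternalUrl = 'https://dialin.showcase.kloud.com.au/';       BackendServerUrl = 'https://dialin.showcase.kloud.com.au:4443/' }
    @{ Name = 'Lyncdiscover';               ExternalUrl = 'https://lyncdiscover.showcase.kloud.com.au/'; BackendServerUrl = 'https://lyncdiscover.showcase.kloud.com.au:4443/' }
    @{ Name = 'Office Web Apps';            ExternalUrl = 'https://owa-wac.showcase.kloud.com.au/';      BackendServerUrl = 'https://owa-wac.showcase.kloud.com.au/' }
)

# PassThrough is mandatory here: the Lync web services and clients do their own authentication,
# so an AD FS preauthentication challenge from WAP would break them.
$Common = @{
    ExternalPreauthentication     = 'PassThrough'
    ExternalCertificateThumbprint = $Thumbprint
}

foreach ($App in $Apps) {
    if (Get-WebApplicationProxyApplication | Where-Object { $_.Name -eq $App.Name }) {
        Write-Verbose "Application '$($App.Name)' already published; skipping"
        continue
    }
    Add-WebApplicationProxyApplication @Common -Name $App.Name `
        -ExternalUrl $App.ExternalUrl -BackendServerUrl $App.BackendServerUrl
}

# Confirm what was published and that nothing Lync-related ended up with ADFS preauthentication.
Get-WebApplicationProxyApplication |
    Select-Object Name, ExternalPreauthentication, ExternalUrl, BackendServerUrl |
    Format-Table -AutoSize
```

Because pass-through applications get no preauthentication from WAP, the only thing the proxy adds for these namespaces is TLS termination and a reverse proxy hop; the Lync servers behind it must still be treated as internet-facing for patching and hardening purposes.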

Resource Based Kerberos Constrained Delegation

Big changes have occurred in the Kerberos authentication space with the introduction of Windows Server 2012. For this blog I’ll focus on Kerberos Constrained Delegation and Protocol Transition, highlighting what Server 2012 brings to the table, and how the changes can be used to improve security in a typical deployment scenario.

Kerberos Delegation Explained

To start, a high-level explanation of Kerberos delegation: it enables an account (typically a service account) to impersonate another account in order to access resources on that account’s behalf.…
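The Server 2012 variant of this, as an added example (not the post’s own script): with resource-based constrained delegation the permission is written on the resource being accessed rather than on the impersonating account, so the owner of the backend decides who may act on behalf of users to it. Computer names are assumptions; the Active Directory PowerShell module is required.

```powershell
# Added example (not the original post's script). Computer names are assumptions.
Import-Module ActiveDirectory

$FrontEnd = Get-ADComputer -Identity 'WEB01'   # assumed IIS server that receives the user's Kerberos ticket
$Backend  = Get-ADComputer -Identity 'SQL01'   # assumed resource the front end accesses on the user's behalf

# Allow WEB01 (and only WEB01) to delegate to SQL01. This writes msDS-AllowedToActOnBehalfOfOtherIdentity
# on SQL01; nothing on WEB01 changes, and no Domain Admin rights are needed beyond write access to SQL01.
Set-ADComputer -Identity $Backend -PrincipalsAllowedToDelegateToAccount $FrontEnd

# Verify: the resource should list exactly the intended front end.
$Allowed = Get-ADComputer -Identity $Backend -Properties PrincipalsAllowedToDelegateToAccount |
    Select-Object -ExpandProperty PrincipalsAllowedToDelegateToAccount
$Allowed

# Audit: every entry of this attribute in the domain reads "this principal may impersonate any user to me",
# so enumerate them and review the list the way you would review an admin group.
Get-ADObject -LDAPFilter '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' `
             -Properties msDS-AllowedToActOnBehalfOfOtherIdentity |
    ForEach-Object {
        # The attribute is returned as a security descriptor; the ACEs name the principals allowed to delegate.
        $Sd = $_.'msDS-AllowedToActOnBehalfOfOtherIdentity'
        [pscustomobject]@{
            Resource          = $_.DistinguishedName
            AllowedToDelegate = ($Sd.Access | ForEach-Object { $_.IdentityReference.Value }) -join ', '
        }
    }

# To revoke the permission again, clear the attribute on the resource:
# Set-ADComputer -Identity $Backend -PrincipalsAllowedToDelegateToAccount $null
```

The audit query is the part worth keeping around: anyone who can write this attribute on a computer object can grant themselves the right to act as any non-protected user against that computer, so unexpected entries are a finding, not a curiosity.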

ELBs do not cater for your environment? Set up HAProxy for your IIS servers

Recently we encountered a scenario where we needed to look for an alternative to Amazon Web Services (AWS) Elastic Load Balancing (ELB) due to an existing IIS configuration used in an organisation. We found that HAProxy was the best candidate in terms of simplicity and suitability for the scenario we were addressing.

This post will show you how you can leverage HAProxy to load balance IIS web servers hosted in AWS EC2 and explain briefly why HAProxy is best suited to address our scenario.…

The changing role of the CIO

With the growth and commoditization of computing resources, and the inevitable introduction of cloud computing as software, platform and infrastructure services, the Chief Information Officer’s role will change significantly over the next two years. Cloud computing provides incredible agility for those organizations equipped to utilize it, Business Process Outsourcing is providing increasing levels of workforce flexibility, and with the commoditization of design and development resources, how does this rapid ability to effect change affect the CIO?