'Strong Name Verification' Issue with adding new Connectors in AAD Connect

21st of May, 2018 / / No Comments

I’ve been updating and installing the latest versions of AAD Connect recently (v1.1.750.0 to the latest v1.1.819.0) and noticed that I could not create a brand new custom ‘Connector’ using any of the following out of the box Connector templates:

  • Generic SQL
  • Generic LDAP (didn’t happen to me but I’ve seen reports it’s impacting others)
  • PowerShell
  • Web Service

The message in the AAD Connect Synchronisation Engine would appear as:
“The extension could not be loaded”
each time I tried to create a Connector with any of the above templates.… [Keep reading] “'Strong Name Verification' Issue with adding new Connectors in AAD Connect”

'Generic' LDAP Connector for Azure AD Connect

3rd of November, 2017 / / 7 Comments

I’m working for a large corporate who has a large user account store in Oracle Unified Directory (LDAP).   They want to use these existing accounts and synchronise them to Azure Active Directory for Azure application services (such as future Office 365 services).
Microsoft state here that Azure Active Directory Connect (AAD Connect) will, in a ‘Future Release’ version, provide native LDAP support (“Connect to single on-premises LDAP directory”), so timing wise I’m in a tricky position – do I guide my customer to attempt to use the current version? … [Keep reading] “'Generic' LDAP Connector for Azure AD Connect”

Automatically Provision Azure AD B2B Guest Accounts

19th of September, 2017 / / 4 Comments

Azure ‘Business to Business’ (or the catchy acronym ‘B2B’) has been an area of significant development in the last 12 months when it comes to providing access to Azure based applications and services to identities outside an organisation’s tenancy.
Recently, Ryan Murphy (who has contributed to this blog) and I have been tasked to provide an identity based architecture to share Dynamics 365 services within a large organisation, but across two ‘internal’ Azure AD tenancies.
Dynamics 365 takes its identity store from Azure AD; if you’re assigned a license for Dynamics 365 in the Azure Portal, including in a ‘B2B’ scenario, you’re granted access to the Dynamics 365 application (as outlined here).  … [Keep reading] “Automatically Provision Azure AD B2B Guest Accounts”

Migrating 'SourceAnchor' from 'ObjectGUID' using new AAD Connect 1.1.524.0

31st of May, 2017 / / 9 Comments

I count myself lucky every now and again, for many reasons.  I have my health.  I have my wonderful family.
Today, however, it’s finding out the latest version of AAD Connect (v1.1.524.0) will probably give me back a few more months of my life.
The reason?  My customer’s chosen configuration of their AAD Connect to choose the default value of ‘ObjectGUID’ for their ‘SourceAnchor’ value.
Now, for most organizations with a single AD forest, you’re laughing. … [Keep reading] “Migrating 'SourceAnchor' from 'ObjectGUID' using new AAD Connect 1.1.524.0”

Check Patch Status of 'WannaCrypt' / 'WannaCry' using PowerShell

15th of May, 2017 / / 5 Comments

A short but sweet blog today, mindful that today most Australians will be coming back to work after the ‘WannaCrypt’ attack that was reported in the media on Friday.
I would like to just point out the work of Kieran Walsh – he’s done the ‘hard yards’ of extracting all of the Knowledge Base (KB) article numbers that you need to be searching for, to determine your patching status of Microsoft Security Bulletin MS17-010  (https://technet.microsoft.com/en-us/library/security/ms17-010.aspx[Keep reading] “Check Patch Status of 'WannaCrypt' / 'WannaCry' using PowerShell”

Azure MFA: Architecture Selection Case Study

14th of March, 2017 / / 4 Comments

I’ve been working with a customer on designing a new Azure Multi Factor Authentication (MFA) service, replacing an existing 2FA (Two Factor Authentication) service based on RSA Authenticator version 7.
Now, typically Azure MFA service solutions in the past few years have been previously architected in the detail ie. a ‘bottom up’ approach to design – what apps are we enforcing MFA on? what token are we going to use? phone, SMS, smart phone app? Is it one way message, two way message?… [Keep reading] “Azure MFA: Architecture Selection Case Study”

Introduction to MIM Advanced Workflows with MIMWAL

16th of February, 2017 / / 1 Comment

Introduction

Microsoft late last year introduced the ‘MIMWAL’, or to say it in full: (inhales) ‘Microsoft Identity Manager Workflow Activity Library’ – an open source project that extends the default workflows & functions that come with MIM.
Personally I’ve been using a version of MIMWAL for a number of years, as have my colleagues, in working on MIM projects with Microsoft Consulting.   This is the first time however it’s been available publicly to all MIM customers, so I thought it’d be a good idea to introduce how to source it, install it and work with it.… [Keep reading] “Introduction to MIM Advanced Workflows with MIMWAL”

Setting up your SP 2013 Web App for MIM SP1 & Kerberos SSO

3rd of February, 2017 / / No Comments

I confess: getting a Microsoft product based website working with Kerberos and Single Sign On (i.e. without authentication prompts from a domain joined workstation or server) feels somewhat of a ‘black art’ for me.
I’m generally ok with registering SPNs, SSLs, working with load balancing IPs etc, but when it comes to the final Internet Explorer test, and it fails and I see an NTLM style auth. prompt, it’s enough to send me into a deep rage (or depression or both).… [Keep reading] “Setting up your SP 2013 Web App for MIM SP1 & Kerberos SSO”

Avoiding Windows service accounts with static passwords using GMSAs

21st of October, 2016 / / 3 Comments

One of the benefits of an Active Directory (AD) running with only Windows Server 2012 domain controllers is the use of ‘Group Managed Service Accounts’ (GMSAs).
GMSAs can essentially execute applications and services similar to an Active Directory user account running as a ‘service account’.  GMSAs store their 120 character length passwords using the Key Distribution Service (KDS) on Windows Server 2012 DCs and periodically refresh these passwords for extra security (and that refresh time is configurable).… [Keep reading] “Avoiding Windows service accounts with static passwords using GMSAs”

Filtering images across a custom FIM / MIM ECMA import MA

22nd of August, 2016 / / No Comments

A recent customer had a special request when I was designing and coding a new ECMA 2.2 based Management Agent (MA) or “Connector” for Microsoft Forefront Identity Manager (FIM).

(On a sidenote: FIM’s latest release is now Microsoft Identity Manager or “MIM”, but my customer hadn’t upgraded to the latest version).

Kloud previously were engaged to write a new ECMA based MA for Gallagher 7.5 (a door security card system) to facilitate the provisioning of access and removal of access tied to an HR system.… [Keep reading] “Filtering images across a custom FIM / MIM ECMA import MA”