Resource Based Kerberos Constrained Delegation

Big changes have occurred in the Kerberos authentication space with the introduction of Windows Server 2012. For this blog I’ll focus on Kerberos Constrained Delegation and Protocol Transition, highlighting what Server 2012 brings to the table, and how the changes can be used to improve security in a typical deployment scenario.

Kerberos Delegation Explained

To start, a high-level explanation of Kerberos delegation – it enables an account to impersonate another account for the purpose of providing access to resources.…

Windows 2012 R2 Preview Web Application Proxy – Exchange 2013 Publishing Tests

==================
Updated: 10 September 2013

==================
Updated: 15 July 2013

  • I have heard from a member of the Web Application Proxy product group who said there is a bug in the Preview version that prevents Outlook Anywhere from working. They say it will be fixed in the RTM version.
  • Lync 2013 and Office Web Apps 2013 have been tested and work with some configuration changes.

Office 365: To Federate or Not to Federate… that is the Question

Yesterday, Microsoft released a new version of their ‘DirSync’ utility (http://technet.microsoft.com/en-us/library/dn246918.aspx) which up until yesterday provided a basic ‘copy’ of your local Active Directory accounts (Active Directory Domain Service or ‘AD DS’) from your premises to the MS Cloud directory (referred to as ‘Azure Active Directory’) for Office 365 (and other Cloud apps such as Team Foundation Service (TFS Online)).

This blog is written for those considering moving to Office 365 (or have moved to Office 365) but haven’t identified any other application in the organisation apart from Office 365 that requires Active Directory Federation Services and SAML/WS-Federation…

BHOLD SP1 Core Portal Role Management for Dummies

I’ve had the rare luxury of time in learning BHOLD SP1 for a customer recently and I thought I’d share the basics of what I’ve learned about the product. There’s very little in the way of information in the public realm about BHOLD SP1, particularly as Microsoft have made significant changes to the database schema for Service Pack 1 of BHOLD, so I thought I’d share some learnings.

Beware, this is a ‘BHOLD for Dummies’ scenario where all you might like to do is develop a quick scenario to show off BHOLD’s capabilities in role management.…

Fixing issues with BHOLD SP1 FIM Integration MSI installation

For those struggling to get their BHOLD SP1 demo working in a Windows 2008 R2 64-bit environment, I’ve recently run into two critical errors I thought I would blog about as they took me and my colleague Stefan Buchman some hair-pulling time to work through. As this is a bleeding edge release, there isn’t much in the way of public information about others running into these errors so I thought I’d blog their fixes in case others were struggling.…

An Overview of Server Name Indication (SNI) and Creating an IIS SNI Web SSL Binding Using PowerShell in Windows Server 2012

One of the frustrating limitations in supporting secure websites has been the inability to share IP addresses among SSL websites. In the day, there were a few ways to solve this limitation. One, you could use multiple IP addresses, binding an SSL certificate to each combination of an IP address and standard SSL port. This has been the best method to date but it is administratively heavy and not necessarily a good use of valuable IP addresses.…

Azure AD and the Progression of Microsoft Identity and Access Management

Defining Microsoft IDAM

The words ‘Identity and Access Management’ (IDAM) mean different things to different people – and a lot of confusion still reigns about what this area represents to an IT department. However, it’s generally agreed that a good corporate IDAM policy can drive down cost, increase security and provide significant user experience benefits to approved applications as they are introduced to an IT environment.

These improvements can broadly be categorised into the following areas:

Single Sign On (usually abbreviated to ‘SSO’) – a user provides a single factor (99% of the time a password) and gets access to not just one application but a suite of applications after authenticating once without being prompted again for credentials.…

Adding Additional Nodes to a Forefront Identity Manager 2010 R2 Service Pack 1 SharePoint 2013 Farm

Microsoft recently released Service Pack 1 for Forefront Identity Manager 2010 R2. With the release of Service Pack 1 came some really good support for the latest elements that form the foundation of the FIM Portal, namely Windows Server 2012 and SharePoint Foundation 2013.

While basing the FIM 2010 R2 SP1 Portal on a SharePoint 2013 Foundation doesn’t offer any feature advantages over SharePoint 2010, it does provide compatibility with Windows Server 2012, which SharePoint 2010 won’t do until the release of Service Pack 2.…

Office 365 Preview and Windows Azure Active Directory Rights Management

Recently I was asked to implement an Office 365 Preview for Enterprises tenant that would demonstrate the new functionality provided by Windows Azure Active Directory Rights Management (AADRM). Windows Azure Active Directory is the cloud identity management service that underpins Office 365 and many other Microsoft cloud products; you can read more about it here.

Rights Management Services (RMS) are a feature set that allows for the protection of information, regardless of where it goes or who it is sent to.…

Office 365 Smart Links

So you’re using Federated Identities with SharePoint Online…

You may have noticed that every 1-2 days you have to re-authenticate to SharePoint Online. This is the result of an Office 365 security feature that defines a 10 hour SharePoint cookie expiration. This authentication behavior is different to BPOS SharePoint Online, where users would be prompted to authenticate one time only. If you have come from BPOS, this change in SharePoint authentication behavior is probably undesirable. If you were excited about a transparent ‘single sign-on’ experience with AD FS 2.0 and Office 365, you might even be a little disappointed.…