Configuring Azure Multifactor Authentication with Exchange 2013 SP1

March 2, 2014 4 comments

Thanks to Raymond Emile from Microsoft COX, the guy responded to me instantly and hinted me around the OWA + basic Auth, Thanks a lot Ray…

In case you missed it, Azure has a very cool new feature called Azure multifactor authentication, using MFA in Azure you can perform multifactor for Azure apps and for on-premise apps as well.

In this blog, we will see how to configure Azure Cloud MFA with Exchange 2013 SP1 on premise, this will be a long blog with multiple steps done at multiple levels, so I suggest to you to pay a very close attention to the details because it will be tricky to troubleshoot the config later.

here are the highlevel steps:

  • Configure Azure AD
  • Configure Directory Sync.
  • Configure multifactor Authentication Providers.
  • Install/Configure MFA Agent on the Exchange server.
  • Configure OWA to use basic authentication.
  • Sync Users into MFA agent.
  • Configure users from the desired login type.
  • Enroll users and test the config.

so let us RNR:

Setting up Azure AD/MFA:

Setting up Azure AD/MFA is done by visiting https://manage.windowsazure.com , here you have 2 options (I will list them because I had them both and it took me a while to figure it out):

    • If you have never tried azure, you can sign up for a new account and start the configuration.
    • If you have Office 365 enterprise subscription, then you will get Azure AD configured, so you can sign in into Azure using the same account in Office 365 and you will find Azure AD configured for you (I had this option so I had to remove SSO from the previous account and setting it up again).

Once you login to the portal, you can setup Azure AD by clicking add:

image

Since I had Office 365 subscription, It was already configured, so if you click on the directory, you can find list of domains configured in this directory:

image

If you will add a new domain, click on add and add the desired domain, you will need to verify the domain by adding TXT or MX record to prove you domain ownership, once done you will find the domain verified and you can configure it, the following screenshots illustrates the verification process:

image

image

image

image

 

Once done, go to Directory Integration  and choose to activate directory integration:

image

 

One enabled, download the dirsync tool on a computer joined to the domain:

image

Once installed, you will run through the configuration wizard which will ask you about the azure account and the domain admin account to configure the AD Sync:

image

image

image

image

image

image

Once done, you can check the users tab in Azure AD to make sure that users are sync’d to Azure successfully:

image

If you select a user, you can choose to Manage Multifactor Authentication

image

you will be prompt to add a multifactor authentication provider, the provider essentially controls the licensing terms for each directory because you have per user or per authentication payment, once selected you can click on manage to manage it:

image

Once you click manage, you will be taken to the phonefactor website to download the MFA agent:

image

click on downloads to download the MFA agent, you will install this agent on:

  • A server that will act as MFA agent and provides RADIUS or windows authentication from other clients or
  • Install the agent on the Exchange server that will do the authentication (frontend servers).

Since we will use Exchange, you will need to install this agent on the Exchange server, once install you will need to activate the server using the email and password you acquired from the portal:

image

Once the agent installed, it is time to configure the MFA Agent.

Note: the auto configuration wizard won’t work, so skip it and proceed with manual config.

Another note: FBA with OWA won’t work, also auto detection won’t work, so don’t waste your time.

Configuring the MFA Agent:

I need to stress on how important to follow the below steps and making sure you edit the configuration as mentioned or you will spend hours trying to troubleshoot the errors using useless error codes and logs, the logging still poor in my opinion and doesn’t provide much information for debugging.

the first step is to make sure the you have correct name space and ssl certificate in place, typically you will need users to access the portal using specific FQDN, since this FQDN will point to the Exchange server so you will need to publish the following:

  • Extra directories for MFA portal, SDK and mobile app.
  • or Add a new DNS record and DNS name to the ssl certificate and publish it.

In my case, I chose to use a single name for Exchange and MFA apps, I chose https://mfa.arabcloud.tv, MFA is just a name so it could be OWA, mail or anything.

SSL certificate plays a very important role, this is because the portal and mobile app speaks to SDK over SSL (you will see that later) so you will need to make sure that correct certificate in place as well as DNS records because the DNS record must be resolvable internally.

once the certificate/DNS issue is sorted, you can proceed with the install, first you will install the user portal, users will use this portal to enrol as well as configuring their MFA settings.

From the agent console, choose to install user portal:

image

It is very important to choose the virtual directory carefully, I highly recommend changing the default names because they are very long, in my case I chose using MFAPORTAL as a virtual directory.

image

image

image

image

once installed, go the user portal URL and enter the URL (carefully as there is no auto detection or validation method), and make sure to enable the required options in the portal (I highly recommend enabling phone call and mobile app only unless you are in US/EU country then you can enable text messages auth as well, it didn’t work with me because the local provider in Qatar didn’t send the reply correctly).

image

Once done, Proceed with SDK installation, again, I highly recommend changing the name, I chose MFASDK

image

image

Once installed, you are ready to proceed with the third step, installing the mobile app portal, to do this browse to the MFA agent installation directory, and click on the mobile app installation, also choose a short name, I chose MFAMobile

image

image

Once Installed, you will have to do some manual configuration in the web.config files for the portal and the mobile app.

You will have to specify SDK authentication account and SDK service URL, this configuration is a MUST and not optional.

to do so, first make sure to create a service account, the best way to do it is to fire you active directory users and computers management console, find PFUP_MFAEXCHANGE account and clone it.

Once cloned, open c:\intepub\wwwroot\<MFAportal Directory> and <MFA Mobile App Directory> and edit their web.config files as following:

For MFA portal:

image

image

For MFA mobile App:

image

image

Once done, you will need to configure the MFA agent to do authentication for IIS.

Configure MFA to do authentication from IIS:
To configure MFA agent to kick for OWA, you will need to configure OWA to do basic authentication, I searched on how to do FBA with MFA, but I didn’t find any clues (if you have let me know).

Once you configured OWA/ECP virtual directories to do basic authentication, go to the MFA agent , from there go to IIS Authentication , HTTP tab, and add the OWA URL:

image

Go to Native Module tab, and select the virtual directories where you want MFA agent to do MFA authentication (make sure to configure it on the front end virtual directories only):

image

Once done….you still have one final step which is importing and enrolling users…

to import users, go to users, select import and import them from the local AD, you can configure the sync to run periodically:

image

Once imported, you will see your users, you can configure your users with the required properties and settings to do specific MFA type, for example to enable phone call MFA, you will need to have the users with the proper phone and extension ( if necessary):

image

You can also configure a user to do phone app auth:

image

Once all set, finally, you can enrol users.

Users can enrol by visiting the user portal URL and signing with their username/password, once signed they will be taken to the enrolment process.

for phone call MFA, they will receive a call asking for their initial PIN created during their configuration in MFA, once entered correctly, they will be prompted to enter a new one, once validated the call will end.

in subsequent logins, they will receive a call asking them to enter their PIN, once validated successfully, the login will be successful and they will be taken into their mailbox.

in mobile app, which will see here, they will need to install a mobile app on their phones, once they login they can scan the QR code or enter the URL/Code in the app:

image

image

image

Once validated in the app, you will see a screen similar to this:

Screenshot_2014-03-02-21-06-37

Next time when you attempt to login to OWA, the application will ask you to validate the login:

Screenshot_2014-03-02-21-14-30

Once authentication is successful, you will see:

Screenshot_2014-03-02-21-07-56

and you will be taken to OWA.

Final notes:

again, this is the first look, I think there are more to do, like RADIUS and Windows authentication which is very interesting, also we can configure FBA by publishing OWA via a firewall or a proxy that does RADIUS authentication + FBA which will work.

I hope that this guide was helpful for you.

5 life lessons I learned while playing chess

February 22, 2014 Leave a comment

I play chess, every day, it is a hobby since college days, I love the game and its need to think and the way it requires you to think.

I am not a master I play and lose a lot, but it is hard to lose, and after over 14 years of playing chess, I learned few valuable lessons. In this article, I will share them and show you them in action.

Lesson 1: You need to be careful when you are close to Win.

I can not tell you how many games I played where people snapped and made uncommonly silly mistakes when they were about to win, including me. The following game is a perfect example of that:

http://goo.gl/Au5vjv

I was winning, obviously the game was about to end, what was the logical move, any move other than moving the queen to C8, that was my move, and I lost the queen for no apparent reason other than I thought it ended.

In life, it is the same, when you are close to win, either it is exam, job, deal or anything, you need to make sure you will close it, do not snap at the last mile, keep the same performance and attitude to make sure you will WIN and end up WINNING BIG.

Lesson2: Don’t give up; no matter how f**ked you are:

I can not tell how many games I played and when I kill the queen people give up and resign, toooo many games.

I found that people give up early and easily, and a lot of them snap (check lesson #1), my 2 cents in chess and life don’t give up, no matter how deep in shit you are in, think strategically and move tactically, the queen is not your strongest piece on the chess board; your brain is the strongest piece on the board and in life, use it.

Check this game:

http://goo.gl/eg9ss0

I played this game against a extremely experienced player I took care and played the king gambit which should guarantee a exceptionally strong dynamic during the game as I was playing with white, but guess what, he set me up, and I lost the queen, and I couldn’t castle, I thought about giving up, but I didn’t, moved correctly and ended up advancing with 2 pieces.

So, chess and life are about your choices and moves, decide carefully.

Lesson3: Easy wins are not always easy

In chess, players target the rook as a highly valuable piece, it is the most valuable after the queen (of course skipping the king).

In a lot of games, you might see an easy target, but you need to be careful of what is the current situation, you need to think what others will do and don’t buy into a simple target because others might hit back hard.

check this game: http://goo.gl/n1nRGj

I was attacking the king side, obviously the other played didn’t think carefully about his current position, and bought the idea of forking the queen and rook, he ended up with a sad situation and position.

Also in life, don’t buy easy wins and target, they are lovely and sometimes you have/must use them, but you have to think ahead; what is behind them and will they benefit me?!

Lesson4: No matter how careful you are, sometimes you f*ck up:

I play careful and systematic games against experiences players, wither I play with white or black; I use a exceedingly systematic approach to avoid any surprises.

But no matter how careful I am, or you are or will, sometimes we do stupid stuff. We will always do stupid and foolish stuff, it is part of life.

check the following game:

http://goo.gl/5Lah4E

again, king gambit, everything is progressing as should be, but in the seventh move I did what, I took the pawn with the bishop, what the hell I was thinking, I don’t know.

I had experienced player against me, I lost a valuable piece, and the game still in the beginning, it is a tough situation, but I decided to recover and come back.

as you can see, I pushed with some tactical moves to prevent the queen from castling, and strategically to attack with the Rook and queen.

I ended up with a check mate. that was impressive and valuable lesson to me. In life, sometimes you do stupid things, disastrous to the point you might think I can’t come back from this.

But when you face these situations, it is time to apologize to others or to yourself, put a plan, gather yourself and recover, you can always do that, no matter how hard the situation you are in.

Lesson5: Chess about the bottom line, so is life:

Chess about mating the king, it is not about taking the queen or having more pawns, it is about someone who wins at the end, simple as that.

A lot of people forget this rule; I can’t tell how many time people ran after a hanging pawn or a piece and had to pay the price for it.

check this game: http://goo.gl/xWt4Kb

the guy went after the hanging pawn; I lined up the 2 rooks and the queen, setup the attack and launched it. he paid the price.

same in life, it doesn’t matter how many presentation you have done in your job, how many hour you worked; if you don’t have results, it is useless.

a Slick Way to to bypass Terminal Services Remote Apps/ Citrix XenApp to gain access to command line from Internet Explorer

January 20, 2014 2 comments

Today, a friend of mine who works in our security team, shared with me a slick way to bypass published applications (in our case IE) to gain command line and PowerShell access.

Although users will have access based on his permissions; so if he is a user he won’t be able to do much, yet , in my opinion it bypasses the hall point of Remote Apps/ Citrix XenApp and gives the user access to execution capabilities on the server, if he is a knowledgeable enough, he will be able to compromise the server.

Setup:

XenApp 6.5 Server on Windows Server 2008 R2 with all patches installed, Only IE published.

How to:

Since IE is published only, we assume that user has no execution capabilities on the server, to gain access to PowerShell or command line, do the following:

  • From IE open help.
  • Within help, search for notepad.
  • click on How I can How can I use my devices and resources in a Remote Desktop session?
  • image

  • Scroll down and click open notepad

image

  • once note pad opened (note that we have access to another application now), type in the file PowerShell and save the file as filename.bat.
  • once you saved the file, from Internet Explorer choose, file, Open and open the saved file and voilaaaa, you have powershell and cmd access.

although we can discuss for years if this is a security issue or not, I believe it is for some organizations and it sheds some light on a area where people can bypass a specific published application and gain execution mechanism on servers, Any thoughts ?!

You receive error message : ERROR: MsiGetActiveDatabase() failed. Trying MsiOpenDatabase(). while installing VMware SRM 5.5 and installation fails

January 16, 2014 Leave a comment

If you are installing VMware SRM 5.5 you might get the following error message in installer:

Can not start VMware Site Recovery Manager Service.

when digging in the installation logs you will find the following error message:

ERROR: MsiGetActiveDatabase() failed. Trying MsiOpenDatabase().

To fix this issue, change the logon on the VMware Site Recovery Manager service from Local System to an Account with the DB Owner on the database.

Categories: VMware, VMware SRM

vCloud Director automation via Orchestrator, Automating Org,vDC,vApp Provisioning via CSV Part4 – Adding Approval and Email Notifications

January 12, 2014 Leave a comment

This is the final blog of this series, in the previous 3 parts:

Par1: http://autodiscover.wordpress.com/2013/11/05/vcloud-orchestrator-automating-orgvdcvapp-provisioning-via-csv-part1/

Part2: http://autodiscover.wordpress.com/2013/11/11/vcloud-orchestrator-automating-orgvdcvapp-provisioning-via-csv-part2reading-csv-files/

Part3: http://autodiscover.wordpress.com/2013/12/23/vcloud-director-automation-via-orchestrator-automating-orgvdcvapp-provisioning-via-csv-part3-adding-nics-cpu-and-modify-memory/

we explored how to automate most of cloud provisioning elements including organizations, vDCs, vAPPs and Virtual machine and customizing their properties like adding vNICs, VHDs and memory/CPU.

In this final part, we will explore how we can add approval cycle to the above provisioning.

In our Scenarios, we will send an email notification to the administrator that include the CSV file used to generate the cloud as attachment, and include a hyperlink to approve/deny the request, let us see how we can do it.

Import the PowerShell Plugin:

We will use Powershell to send email notifications, I tried to use Javascripting but had no luck with attaching the CSV, Powershell comes to rescue here, so you need to import the powershell plugin to your Orchestrator through the Orchestrator configuration interface:

image

Once you import the powershell plugin, make sure to restart the VCO.

When you complete the restart, go to add a powershell host, you need to make sure that remote powershell is enabled on the server, once done kick of the add powershell host workflow:

image

image

image

if you are adding a kerberos host, make sure to type the username in UPN or email format otherwise you will get this weird error: Client not found in Kerberos database (6) (Dynamic Script Module name : addPowerShellHost#16)

Once added you are ready to go.

Building the Approval workflow:

Build a workflow that includes user interaction and decision as following:

image

The attributes are defined as following:

image

the scriptable task, sends email notification with attachments as we said, let us the Javascript portion of it:

//var scriptpart0 = "$file =c:\\customer.csv"

// URL that will open a page directly on the user interaction, so that user can enter the corresponding inputs
var urlAnswer = workflow.getAnswerUrl().url ;
var orcdir = "C:\\orchestrator\\" ;
var fileWriter = new FileWriter(orcdir + name+".html")
var code =     "<p>Click Here to <a href=\"" + urlAnswer + "\">Review it</a>";

fileWriter.open() ;

fileWriter.writeLine(code) ;
fileWriter.close() ;

var output;
var session;
try {
    session = host.openSession();
    var arg = name+".html";
    Server.log (arg);
    var script =  ‘& "’ + externalScript + ‘" ‘ + arg;
    output = System.getModule("com.vmware.library.powershell").invokeScript(host,script,session.getSessionId()) ;
} finally {
    if (session){
        host.closeSession(session.getSessionId());
    }
}

 

The script attaches the CSV file, then starts the powershell script from the host and attaching the HTML file (in the arguments, this HTML file contains a link to approve the reqeust, and it was built in the above Javascript), let us see the powershell script:

Param ($filename)
$file = "c:\orchestrator\customer.csv"
$htmlfile = "C:\orchestrator\" + $filename
$smtpServer = "vcenter.tsxen.com"

$att = new-object Net.Mail.Attachment($file)
$att1 = new-object Net.Mail.Attachment($htmlfile)

$msg = new-object Net.Mail.MailMessage

$smtp = new-object Net.Mail.SmtpClient($smtpServer)

$msg.From = "emailadmin@test.com"

$msg.To.Add("administrator@tsxen.com")

 

$msg.Subject = "New Cloud is requested"

$msg.Body = "A new cloud service is request, attached the generation file, you can approve the request using the below link"

$msg.Attachments.Add($att)
$msg.Attachments.Add($att1)

$smtp.Send($msg)

$att.Dispose()

 

Now you are ready to go, let see the outcome:

If you run the script successfully, you will receive the following email notification:

image

you can see the link to approve the request and the CSV file included in the email to approve it, if you click on the link, you can see the request and approve/deny it:

image

What is next:

You might think this is the end, however it is not, this blog series is the foundation of cloud automation and it is just a placeholder, cloud automation can go epic, here is some improvement suggestions for people who might want to take it further:

  • Add error checking, the script is error checking free which might raise serious issues in production environment.
  • Add More logging.
  • Add automation to network provisioning and vShield operations.
  • Automate application provisioning on top of provisioned VMs.

the above is a small list, we can spend years adding to this list, but those are the areas that I will be working on in the upcoming version of this script.

Till next.

Optimizing WAN Traffic Using Riverbed Steelhead–Part 2-Optimizing Exchange and MAPI traffic

January 6, 2014 Leave a comment

In part one http://autodiscover.wordpress.com/2014/01/02/enhancing-wan-performance-using-riverbed-steelheadpart1-file-share-improvements/ we explored how we can optimize SMB/CIFS traffic using Steelhead appliances, in part 2 we will explore how we can optimize MAPI Connections.

WARNING: Devine Ganger, a fellow Microsoft Exchange MVP warned me that MAPI traffic optimization works in very specific scenarios, so you might want to go ahead and try it, but I checked the documentation an in my lab and it worked, of course my lab doesn’t reflect real life scenarios.

Joining Steelhead to Active Directory Domain:

In order to optimize MAPI traffic, you must join the Steelheads to Active Directory domain, this is because if you don’t you will see the MAPI traffic but Steelheads won’t be able to optimize it because it is encrypted, to allow Steelhead to Decrypt the traffic you need to join it to Active Directory and configure delegation.

image

as you can see above, the Steelhead compressed the traffic, but didn’t have a visibility on the contents and couldn’t optimize it further, now let us see what to do.

To join the Steelhead to Active Directory, visit the configuration/Windows Domain and add the Steelhead as RODC or Workstation if you prefer:

image

(You need to do this for both sides steelheads).

Once done, you will see the Steelhead appear in AD as RODC:

image

Now you need to configure account delegation, create a normal AD account with mailbox, I will call this account MAPI, once created, add the SPN to it as following:

setspn.exe -A mapi/delegate MAPI

Once done, Add the delegation to the Exchange MDB service in the delegation tab:

image

Once add, go to Optimization/Windows Domain Auth and add the account:

image

Test the delegation and make sure it works fine:

image

Now go to Optimizaiton/MAPI and enable Outlook Anywhere optimization and MAPI delegated Optimization:

image

And restart the optimization service, then configure the other Steelhead with the same config.

Now let us test the configuration and see if Steelhead works or not Winking smile.

 

while checking the realtime monitoring, the first thing you will not that the appliance detected the traffic as Encrypted MAPI now:

image

I will send a 5 MB attachment from my client which resides at the remote branch to myself (sending and receiving), let us see the report statistics:

image

image

You can see now the some traffic flows, since it is decrypted now it has been compressed and reduced in size, the WAN traffic is 3 MB and WAN traffic is 1.8 MB, then while receiving the email, it received the email as 5 MB but can you see the WAN traffic, it is 145 KB only, because the attachment wasn’t sent over the WAN it was received by the client from the Steelhead.

now let us send the same attachment again and see how the numbers will move this time.

image

can you see the numbers, the WAN traffic was around 150 KB (the email header..etc), but the attachment didn’t travel over the WAN, it is clear the attachment traveled over the LAN in sending and receiving but didn’t traverse the WAN and the WAN traffic was massively reduced, impressive ha…

Enhancing WAN performance using Riverbed Steelhead–Part1– File Share Improvements

January 2, 2014 Leave a comment

WAN is the issue, I loved what Riverbed said in their document explaining WAN bandwidth (it is an scapegoat), yes it is. If something is not right at the apps it is the WAN’s issue.

I had a decent networking experience, and I dealt in the past with several networking products, but this is the first time I see a product with such easy configuration steps , and  can expose deep insights about what is happening in the network, and work.

Installing Riverbed Steelhead virtual appliance:

You can download the virtual appliance from here keep in mind that you will need to ask for 2 demo keys because Riverbed appliances work in pairs.

Once downloaded, import the OVF (you can import it to ESXi or Hyper-v or VMware workstation). the only note here is to pay attention to network cards connectivity, when you import the appliance to your hypervisor, the NIC ordering is as following:

image

Running the Configuration wizard:

Once the appliance started, you will be prompted with the configuration wizard, alternatively you can start it by going into enable mode and running

#Config t

(Config)”#Configurations jump-start

The wizard will ask you for several questions (Check the list here https://support.riverbed.com/download.htm?filename=doc\steelhead\8.5.1\html\vsh_8.5.1_icg\index.html&displayHtmlWindow=true&displayHtml=true) but here are several notes will help you in placing and configuring your steelhead appliance”:

- Steelhead is preferred to be physically in-line with traffic, meaning that traffic passes the WAN through the steelhead appliance.

- Steelhead appliance is not a routing device, it passes the traffic transparently from clients/servers/routers/switches so it is like a bridge, it optimizes the traffic on the fly without altering source/destination IPs or ports (unless it is installed as proxy which is a separate discussion)

- Steelhead appliances have LAN interface which is connected to the LAN side and WAN interface which is connected to the WAN side (router), there is a virtual in-path interface that is created and assigned IP, the in-path interface will be used in configuring peering rules and in-path rules.

- WAN/LAN interfaces can’t be connected to the same layer 2 domain or a loop error will be logged and interfaces shutdown.

- To be able to start the configuration wizard, LAN/WAN interfaces must not be shutdown, to do so you must issue the command no in-path lsp enable which disables link state propagation. I had to do this because when i ran the configuration wizard I kept getting “Setting IP address on invalid interface” error.

Lab Setup:

The lab setup is very simple, but you will need to pay attention to steehead cabling or you will get errors or optimization will not work.

My lab setup is:

DC (IP 192.168.32.137) => Riverbed 1 (In Path Interface 192.168.32.175) => Windows Machine as a router (NIC 1 IP is 192.168.32.18) (NIC 2 IP is 192.168.33.157) => Riverbed 2 (IP 192.168.33.175) => File Server (IP 192.168.33.156)

if you configuring the Windows Router machine correctly and configured machines pointing the router as default GW, you will be fine and ping should be working correctly.

now let us configure a VERY simple peering rule to optimize the traffic.

Peering rules allows the steelhead appliance to react to probe queries from other appliances, think about it is defining another peer in a remote site to optimize the traffic directly.

You can also use in-path rules but it uses discovery rules so I believe peering rules are much simpler.

to create a peering rule, from configuration menu select peering rules and configure peering rule to match all the traffic coming from all sources to all destination and optimize it with the other peer IP (192.168.33.175). you will have to the same with the other side appliance

image

That is it!!! really, you are done, let us see the effect of the optimization.

to see it, I had to record a video, because it was unbelievable, I haven’t edited the video by any mean, just watch it below (here I am copying 50 MB file (.net framework 4 ISO), the first copy is not optimized and the WAN speed is about 500 KB, the second copy is optimized, let us see how fast it was Open-mouthed smile

Follow

Get every new post delivered to your Inbox.

Join 675 other followers

%d bloggers like this: