Secure RDWeb using Azure Multi-Factor Authentication
ADFS WAP: How to configure SSO with RDWeb
1. System Deploy
- ADFS : th-adfs2012.mfalab3.com
- ADFS WAP : th-adfs2012wap.mfalab3.com
- RDWeb : th-rds.mfalab3.com
A public IP for ADFS WAP points to ADFS/RDS as well
2. Setting on ADFS
Create a Relying Party Trust
3. Setting on ADFS WAP
Create WAP Application,
Add-WebApplicationProxyApplication -Name 'rdweb' -ExternalUrl 'https://th-rds.mfalab3.com/rdweb/' -BackendServerURL 'https://th-rds.mfalab3.com/rdweb/' -ExternalPreAuthentication ADFS -ADFSRelyingPartyName rdweb1 -ExternalCertificateThumbprint '67D438BDDBB455E53CA83D6F5DEC34CC546F711A'
4. Setting on RDS
Important : Change authentication method to "Windows"
https://social.technet.microsoft.com/Forums/office/en-US/999f56fa-a218-41b0-86ee-2845269d93ef/rdweb-authentication?forum=winserverTS
5. Setting on the Client Computers
6. See how it works
Azure Automation step-by-step guide for Auto-Shutdown Virtual Machine.
- Create an Azure account
- Go "setting" and assign the user as the Co-administrator
- Select automation and create an Automation Account, in this example "gwauto"
- Select the created Automation Account
- Create a new runbook, in the example, "shutdown-vm"
- Click runbook "shutdown-vm" to create/edit a script
- Click Author -> insert script -> Test -> Publish
===================== Script example of shutdown-vm=====================
workflow shutdown-vm
{
    $username = "azureauto@mfa01.onmicrosoft.com"
    $pass = " "
    $password=$pass|ConvertTo-SecureString -AsPlainText -Force
    $mycred = new-object -typename System.Management.Automation.PSCredential -argumentlist $username,$password
    Add-AzureAccount -Credential $mycred
    $AzureSubscriptions = Get-AzureSubscription
    foreach ($subscription in $AzureSubscriptions)
    {
        Select-AzureSubscription -SubscriptionName $subscription.SubscriptionName
        #Write-Host $subscription.SubscriptionName
        foreach ($vm in Get-AzureVM)
        {
            $name = $vm.Name
            $servicename = $vm.ServiceName
            If($vm.Status -ne 'StoppedDeallocated')
            {
                # Add the VM's which should not be shutdown
                Stop-AzureVM -Service $servicename -name $name -Force
            }
        }
    }
}
- Schedule the runbook
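The runbook above keeps the account password in the script body, where anyone who can read the runbook can read it. The variant below is an added example, not the original author's script: it reads the credential from an Automation credential asset and implements the "VMs which should not be shutdown" list. The asset name 'azureauto-cred' and the VM names in the keep-running list are assumptions.

```powershell
workflow shutdown-vm-safe
{
    param(
        # Assumption: a credential asset with this name exists in the Automation Account
        [string]$CredentialAssetName = 'azureauto-cred',
        # Assumption: constructed list of VM names that must never be stopped
        [string[]]$KeepRunning = @('th-ad01', 'th-adfs2012')
    )

    # The password comes from the encrypted asset at run time, not from the script text
    $mycred = Get-AutomationPSCredential -Name $CredentialAssetName
    if ($null -eq $mycred)
    {
        throw "Credential asset '$CredentialAssetName' was not found."
    }

    Add-AzureAccount -Credential $mycred
    $AzureSubscriptions = Get-AzureSubscription
    foreach ($subscription in $AzureSubscriptions)
    {
        Select-AzureSubscription -SubscriptionName $subscription.SubscriptionName
        foreach ($vm in Get-AzureVM)
        {
            $name = $vm.Name
            $servicename = $vm.ServiceName
            if ($KeepRunning -contains $name)
            {
                # Leave excluded VMs alone and record that they were skipped
                Write-Output "Skipped (keep-running list): $servicename/$name"
            }
            elseif ($vm.Status -ne 'StoppedDeallocated')
            {
                Stop-AzureVM -ServiceName $servicename -Name $name -Force
                Write-Output "Stopped: $servicename/$name"
            }
        }
    }
}
```

The Write-Output lines appear in the job output of each scheduled run, which gives a record of what was stopped and what was skipped.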
Azure: How to unregister and register ADFS Authentication Provider (MFA)
When the Azure subscription is changed due to a provider change, the Azure Multi-Factor Authentication (MFA) provider must be unregistered and registered again using the following method.
1. Un-register MFA provider, on ADFS Global Authentication Policy, uncheck WindowsAzureMultiFactorAuthentication checkbox.
Go to PowerShell prompt, then run
PS C:\Program Files\Multi-Factor Authentication Server> Unregister-AdfsAuthenticationProvider -Name "WindowsAzureMultiFactorAuthentication"
WARNING: PS0103: The authentication provider was successfully unregistered from the policy store. Restart the AD FS Windows Service on each server in the farm.
Restart ADFS services
PS C:\Program Files\Multi-Factor Authentication Server> net stop adfssrv
The Active Directory Federation Services service is stopping.....
The Active Directory Federation Services service was stopped successfully.
PS C:\Program Files\Multi-Factor Authentication Server> net start adfssrv
The Active Directory Federation Services service is starting....
The Active Directory Federation Services service was started successfully.
Go back to ADFS Global Authentication Policy and see if there is no "WindowsAzureMultiFactorAuthentication"
2. Register MFA provider again,
To register again, run following from PowerShell prompt
PS C:\Program Files\Multi-Factor Authentication Server> .\Register-MultiFactorAuthenticationAdfsAdapter.ps1
WARNING: PS0114: The authentication provider was successfully registered with the policy store. To enable this
provider, you must restart the AD FS Windows Service on each server in the farm.
Restart ADFS services
PS C:\Program Files\Multi-Factor Authentication Server> net stop adfssrv
The Active Directory Federation Services service is stopping.....
The Active Directory Federation Services service was stopped successfully.
PS C:\Program Files\Multi-Factor Authentication Server> net start adfssrv
The Active Directory Federation Services service is starting....
The Active Directory Federation Services service was started successfully.
Go back to ADFS Global Authentication Policy and see if "WindowsAzureMultiFactorAuthentication" is back.
Azure Multi-Factor Authentication : Import users from multiple domains(Forest Trust)
Here is a simple step-by-step guide to importing/synchronizing users across a forest/domain trust.
- System deployment example
- AD netbios 1 : th-ad02, Domain 1 : mfalab4.com
- AD netbios 2 : th-ad03, Domain 2 : mfalab5.com
- Configuration of Forest/Domain trust
- Check that both domains of the trust are listed in Multi-Factor Authentication Directory Sync
Configure Sharepoint access from External network
Step 1. From Central Administration, select "Configure alternative access mapping".
Step 2. Select URL to be edited and click "Edit Public URLs".
Step 3. Enter desired IP or URL shown below.
Step 4. Enter desired IP or URL shown below.
See Also
Create a custom VM into Existing Resource Group using Azure RM PowerShell
#Install Azure RM module if missing and Login to Azure
Install-Module -name AzureRM -AllowClobber
Login-AzureRmAccount
Get-AzureRmSubscription
#Set Variables
$subscriptionId = 'd855443e-XXXX-4a82-9a63-XXXXXXXXXXXX'
$storageAccountName = 'YourStorageAccountName'
$sourceImageUri = 'https://YourStorageAccountName.blob.core.windows.net/vhds/YourUploadedVHDName.vhd'
$resourceGroupName = "YourResourceGroupName"
$locationName = "YourLocationName" # Ex) Japan East
$vnetName = "YourExistingVirtualNetworkName"
$vmnetinf = "YourNewNetworkInterfaceName"
$backendSubnetName = "YourExistingSubNetName"
$remoteAccessNSGName = "YourNewNSGName"
$vmname = "YourNewVMName"
$vmSize = "YourNewVMSize" # Ex) Standard_D1
$osDiskName = $vmname+'_osDisk'
$virtualNetwork = Get-AzureRmVirtualNetwork -ResourceGroupName $resourceGroupName -Name $vnetName
$publicIp = New-AzureRmPublicIpAddress -Name $vmname -ResourceGroupName $ResourceGroupName -Location $locationName -AllocationMethod Dynamic
$networkInterface = New-AzureRmNetworkInterface -ResourceGroupName $resourceGroupName -Name $vmnetinf -Location $locationName -SubnetId $virtualNetwork.Subnets[0].Id -PublicIpAddressId $publicIp.Id
$vmConfig = New-AzureRmVMConfig -VMName $vmname -VMSize $vmSize
$vmConfig = Set-AzureRmVMOSDisk -VM $vmConfig -Name $osDiskName -VhdUri $sourceImageUri -CreateOption Attach -Windows
$vmConfig = Add-AzureRmVMNetworkInterface -VM $vmConfig -Id $networkInterface.Id
$vm = New-AzureRmVM -VM $vmConfig -Location $locationName -ResourceGroupName $resourceGroupName
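The script above defines $remoteAccessNSGName and $backendSubnetName but never uses them, so the network interface gets a public IP without a network security group of its own and is placed on whichever subnet is first in the list. The function below is an added example, not part of the original script, that could replace the New-AzureRmNetworkInterface line; the function name, the rule name and the admin source range 203.0.113.0/24 are assumptions.

```powershell
function New-RestrictedVmNic {
    # Hypothetical helper: creates an NSG that allows RDP only from one source range
    # and returns a NIC on the named subnet with that NSG attached.
    param(
        [Parameter(Mandatory)] [string]$ResourceGroupName,
        [Parameter(Mandatory)] [string]$Location,
        [Parameter(Mandatory)] [string]$VnetName,
        [Parameter(Mandatory)] [string]$SubnetName,
        [Parameter(Mandatory)] [string]$NicName,
        [Parameter(Mandatory)] [string]$NsgName,
        [Parameter(Mandatory)] [string]$PublicIpId,
        [Parameter(Mandatory)] [string]$AdminSourcePrefix
    )

    $vnet = Get-AzureRmVirtualNetwork -ResourceGroupName $ResourceGroupName -Name $VnetName -ErrorAction Stop

    # Select the subnet by name instead of taking Subnets[0]
    $subnet = $vnet.Subnets | Where-Object { $_.Name -eq $SubnetName }
    if (-not $subnet) {
        throw "Subnet '$SubnetName' was not found in virtual network '$VnetName'."
    }

    # Single inbound allow rule; the NSG's built-in default rules deny other inbound Internet traffic
    $rdpRule = New-AzureRmNetworkSecurityRuleConfig -Name 'allow-rdp-from-admin' `
        -Description 'RDP from the admin range only' `
        -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 `
        -SourceAddressPrefix $AdminSourcePrefix -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange 3389

    $nsg = New-AzureRmNetworkSecurityGroup -ResourceGroupName $ResourceGroupName `
        -Location $Location -Name $NsgName -SecurityRules $rdpRule

    New-AzureRmNetworkInterface -ResourceGroupName $ResourceGroupName -Name $NicName `
        -Location $Location -SubnetId $subnet.Id -PublicIpAddressId $PublicIpId `
        -NetworkSecurityGroupId $nsg.Id
}

# Usage with the variables defined in the script above
# (203.0.113.0/24 is a documentation range; replace it with the real admin network):
# $networkInterface = New-RestrictedVmNic -ResourceGroupName $resourceGroupName `
#     -Location $locationName -VnetName $vnetName -SubnetName $backendSubnetName `
#     -NicName $vmnetinf -NsgName $remoteAccessNSGName -PublicIpId $publicIp.Id `
#     -AdminSourcePrefix '203.0.113.0/24'
```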
How to add Apps like Facebook, Google, Twitter to Azure AD
This is a step-by-step guide for enabling Azure Multi-Factor Authentication when logging in to Azure AD linked apps (such as Google Apps/Facebook/Twitter...).
The example I have used here is Facebook.
Before getting started, please enable Multi-Factor Authentication for the users who will log in, using the link below:
https://social.technet.microsoft.com/wiki/contents/articles/32129.how-to-enable-multi-factor-authentication-for-azure-ad-account-login.aspx
1. Navigate to Active Directory and select a Directory
2. Go to APPLICATIONS and select one, "Facebook selected here"
3. Click CONFIGURE, turn "ENABLE ACCESS RULES" "ON"
4. To assign users/groups
5. To assign users/groups continue
6. Enter Login ID and Password for App (ex. Facebook)
7. Verify a user has been added
8. Click "DASHBOARD" to check login URL
9. Browse copy URL
10. Log in again
11. Installation pop-up for application dashboard
12. Here you go !!
How to enable Multi-Factor Authentication for Azure AD account login
This is a step by step guide for enabling Azure Multi-Factor Authentication for Azure AD Users.
The procedure is pretty straightforward:
1. Login into Azure Portal -> Active Directory -> Users -> Manage MULTI-FACTOR AUTH at the bottom
2. Select a user/users to enable Multi-Factor Authentication
3. Pop-up displays, continue "enable Multi-Factor Authentication"
4. Confirm "enabled"
5. Continue "Enforce"
6. Continue "Enforce"
7. Navigate to "Manage user settings"
8. Select the option below then save
9. Log out and log back in to Azure portal using "Multi-Factor Auth enabled user account"
10. You are redirected to the authentication method page
Select the authentication method, then log back in; you will get a phone call/SMS/Phone App notification depending on the method selected above.
11. Log back into Azure Portal
Thanks !!
How to guide : Graphical desktop (X Windows System) access to Azure Linux VM
From the client,
Download x2goclient, https://wiki.x2go.org/doku.php/doc:installation:x2goclient
From the server
Install X2Go Server
sudo apt-get install python-software-properties
sudo apt-get install software-properties-common
sudo add-apt-repository ppa:x2go/stable
sudo apt-get update
sudo apt-get install x2goserver x2goserver-xsession
MATE Bindings
sudo apt-get install x2gomatebindings
KDE Plasma Bindings
sudo apt-get install plasma-desktop
XFCE Bindings
sudo apt-get install xfce4
LXDE Bindings
sudo apt-get install x2golxdebindings
RDP Bindings
sudo apt-get install xrdp
Check if x2goserver is running
ubuntu:~$ service --status-all | grep x2go
[ + ] x2goserver
How to request an Azure Support.
Please follow the simple procedure below to create an Azure support request for Technical, Billing and Subscription issues.
To begin with, check the link to confirm which support plan you have: https://azure.microsoft.com/en-us/support/plans/
1. Browse Azure Portal, https://portal.azure.com
2. Click "?" at top-right corner -> New Support Request
3. Select Basic information, then Next
4. Fill up Problem information, then Next
5. Fill up Contact information, then Create
6. Support case has been created
That's it !! You will be contacted by a Microsoft Azure Support Engineer according to your support plan.
https://azure.microsoft.com/en-us/support/plans/
How to use Azure Linux VM as an FTP server
The following resources are used for setting up Azure Linux VM for FTP server.
- Linux OS : ubuntu
- vsftpd
1. Create a Linux VM with Ubuntu : th-ubuntu.cloudapp.net
2. Setup end point : port 60001, 60002 are added in the example
3. Install vsftpd
sudo apt-get install vsftpd
4. Configure /etc/vsftpd.conf : an example attached
listen=YES
#anonymous_enable=YES
local_enable=YES
write_enable=YES
ls_recurse_enable=NO
dirmessage_enable=YES
use_localtime=YES
xferlog_enable=YES
xferlog_std_format=NO
log_ftp_protocol=YES
connect_from_port_20=YES
chown_uploads=NO
xferlog_file=/var/log/vsftpd.log
ascii_upload_enable=NO
ascii_download_enable=NO
ftpd_banner=Welcome to Taehee's FTP service.
local_root=/home/ftp
pam_service_name=vsftpd
rsa_cert_file=/etc/ssl/private/vsftpd.pem
pasv_enable=YES
pasv_min_port=60001
pasv_max_port=60002
port_enable=YES
pasv_addr_resolve=NO
file_open_mode=0666
local_umask=0022
5. Restart vsftpd,
root@th-ubuntu:~# service vsftpd restart
6. Create a user, "ftpuser" in this example
7. Change directory ownership
root@th-ubuntu:~# chown ftpuser:ftpuser /home/ftp
8. Test from WinSCP: click "Advanced" and set Directories to /home/ftp.
HowTo : Azure Linux VM OS partition expansion
- Run the following Azure PowerShell,
Login-AzureRmAccount
Get-AzureRmSubscription
$subscriptionId = "Your Subscription ID"
$rgName = "YourResourceGroupName"
$vmName = "th-centos"
$vm = Get-AzureRmVM -ResourceGroupName $rgName -Name $vmName
PS C:\> Stop-AzureRmVM -ResourceGroupName $rgName -Name $vmName
OperationId :
Status : Succeeded
StartTime : 2016-11-28 PM 2:44:30
EndTime : 2016-11-28 PM 2:46:41
Error :
PS C:\> $vm.StorageProfile.OSDisk.DiskSizeGB = 130
PS C:\> Update-AzureRmVM -ResourceGroupName $rgName -VM $vm
RequestId IsSuccessStatusCode StatusCode ReasonPhrase
--------- ------------------- ---------- ------------
True OK OK
PS C:\Users\taelee> Start-AzureRmVM -ResourceGroupName $rgName -Name $vmName
OperationId :
Status : Succeeded
StartTime : 2016-11-28 PM 3:07:53
EndTime : 2016-11-28 PM 3:08:26
Error :
- Ubuntu would not require the following, for CentOS in this example
[taehee@th-centos ~]$ hostnamectl
Static hostname: th-centos
Icon name: computer-vm
Chassis: vm
Machine ID: e57a6b05e3d34a59b561f002e224d65a
Boot ID: 7348830553774bbe90f54883d716ef2a
Virtualization: microsoft
Operating System: CentOS Linux 7 (Core)
CPE OS Name: cpe:/o:centos:centos:7
Kernel: Linux 3.10.0-327.18.2.el7.x86_64
Architecture: x86-64
[root@th-centos /]# fdisk /dev/sda
Welcome to fdisk (util-linux 2.23.2).
Changes will remain in memory only, until you decide to write them.
Be careful before using the write command.
Command (m for help): u
Changing display/entry units to cylinders (DEPRECATED!).
Command (m for help): p
Disk /dev/sda: 136.4 GB, 136365211648 bytes, 266338304 sectors
Units = cylinders of 16065 * 512 = 8225280 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk label type: dos
Disk identifier: 0x000dd16b
Device Boot Start End Blocks Id System
/dev/sda1 * 1 3917 31456256 83 Linux
Command (m for help): d
Selected partition 1
Partition 1 is deleted
Command (m for help): n
Partition type:
p primary (0 primary, 0 extended, 4 free)
e extended
Select (default p): p
Partition number (1-4, default 1): 1
First cylinder (1-16578, default 1):
Using default value 1
Last cylinder, +cylinders or +size{K,M,G} (1-16578, default 16578):
Using default value 16578
Partition 1 of type Linux and of size 127 GiB is set
Command (m for help): w
The partition table has been altered!
Calling ioctl() to re-read partition table.
WARNING: Re-reading the partition table failed with error 16: Device or resource busy.
The kernel still uses the old table. The new table will be used at
the next reboot or after you run partprobe(8) or kpartx(8)
Syncing disks.
[root@th-centos /]# shutdown -r -t 0
Shutdown scheduled for Mon 2016-11-28 06:35:04 UTC, use 'shutdown -c' to cancel.
[root@th-centos /]#
Broadcast message from root@th-centos (Mon 2016-11-28 06:34:04 UTC):
The system is going down for reboot at Mon 2016-11-28 06:35:04 UTC!
- Log back in to "th-centos"
[root@th-centos ~]# xfs_growfs -d /dev/sda1
meta-data=/dev/sda1 isize=256 agcount=4, agsize=1966016 blks
= sectsz=512 attr=2, projid32bit=1
= crc=0 finobt=0
data = bsize=4096 blocks=7864064, imaxpct=25
= sunit=0 swidth=0 blks
naming =version 2 bsize=4096 ascii-ci=0 ftype=0
log =internal bsize=4096 blocks=3839, version=2
= sectsz=512 sunit=0 blks, lazy-count=1
realtime =none extsz=4096 blocks=0, rtextents=0
data blocks changed from 7864064 to 33290440
[root@th-centos ~]# df -h
Filesystem Size Used Avail Use% Mounted on
/dev/sda1 127G 1.5G 126G 2% /
devtmpfs 1.7G 0 1.7G 0% /dev
tmpfs 1.7G 0 1.7G 0% /dev/shm
tmpfs 1.7G 8.3M 1.7G 1% /run
tmpfs 1.7G 0 1.7G 0% /sys/fs/cgroup
/dev/sdb1 50G 53M 47G 1% /mnt/resource
tmpfs 345M 0 345M 0% /run/user/1000
Implementation Azure Multi-Factor Authentication with Citrix XenApp
This guide shows how to secure a Citrix XenApp server using Azure Multi-Factor Authentication
1. Configuration on XenApp server
2. Configuration on IIS server
3. Configuration on Azure Multi-Factor Authentication server
4. Test authentication
5. Test result - cont.
6. Authenticated
Multi-Factor Authentication for Securing RD Gateway Server
System Environment
Configuration
1. Select MFA as an RADIUS Proxy
2. NPS server configuration
3. NPS server configuration - cont #1
4. NPS server configuration - cont #2
5. NPS server configuration – cont #3
6. NPS server configuration – cont #4
7. NPS server configuration – cont #5
8. MFA server configuration - Client
9. MFA server configuration - Target
10. Testing
When connecting Remote Computer via RD Gateway server, MFA will proceed upon entering login credentials.
Powershell Script: Task scheduler - Scheduling shutdown Azure VMs
This article shows how to set up a Task Scheduler task that runs an Azure PowerShell script.
Automatic shutdown of VMs is used as the example – Save Money!!
1. Create a schedule
2. Triggers(Daily in the example)
3. Enter "powershell.exe" and location of the script in "Add arguments"
Example of "PowerShell scripts to shutdown VM script"
Download script from : https://social.technet.microsoft.com/wiki/contents/articles/30929.azure-automation-step-by-step-guide-for-auto-shutdown-virtual-machine.aspx
Publish Azure MFA user portal via ADFS WAP (Web Application Proxy)
I often wonder why most of the ADFS WAP TechNet articles are verbose.
Here are the important checkpoints for publishing a web page via ADFS WAP; the example page used here is the Azure MFA (Multi-Factor Authentication) User Portal.
This page covers ADFS WAP, not ADFS installation.
1. System Diagram
Hostname FQDN Intranet IP
ADFS WAP th-adfs2012WAP.mfalab3.com 10.0.0.6 ==> !! Not domain joined !!
ADFS server th-adfs2012.mfalab3.com 10.0.0.5
AD/MFA : th-ad01.mfalab3.com 10.0.0.4
2. Check Certificate issued and distributed, type the command "dir Cert:\LocalMachine\My" on both ADFS and ADFS WAP
PS C:\Users\taehee\Desktop> dir Cert:\LocalMachine\My
Directory: Microsoft.PowerShell.Security\Certificate::LocalMachine\My
Thumbprint Subject
---------- -------
EF623C4A0FE2C4E3A43CA4B8F4F0C9410393E5DB CN=th-adfs2012.mfalab3.com
3. Install ADFS WAP
PS C:\Users\taehee\Desktop> Install-WebApplicationProxy -CertificateThumbprint 'EF623C4A0FE2C4E3A43CA4B8F4F0C9410393E5DB' -FederationServiceName th-adfs2012.mfalab3.com
cmdlet Install-WebApplicationProxy at command pipeline position 1
Supply values for the following parameters:
Message Context Status
------- ------- ------
The configuration completed successfully. DeploymentSucceeded Success
4. Check the certificate
PS C:\Users\administrator\Desktop> netsh http show sslcert
SSL Certificate bindings:
-------------------------
IP:port : 0.0.0.0:443
Certificate Hash : ef623c4a0fe2c4e3a43ca4b8f4f0c9410393e5db
Application ID : {4dc3e181-e14b-4a21-b022-59fc669b0914}
Certificate Store Name : My
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout : 0
Ctl Identifier : (null)
Ctl Store Name : (null)
DS Mapper Usage : Disabled
Negotiate Client Certificate : Disabled
Hostname:port : th-adfs2012.mfalab3.com:443
Certificate Hash : ef623c4a0fe2c4e3a43ca4b8f4f0c9410393e5db
Application ID : {5d89a20c-beab-4389-9447-324788eb944a}
Certificate Store Name : MY
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout : 0
Ctl Identifier : (null)
Ctl Store Name : AdfsTrustedDevices
DS Mapper Usage : Disabled
Negotiate Client Certificate : Disabled
Hostname:port : localhost:443
Certificate Hash : ef623c4a0fe2c4e3a43ca4b8f4f0c9410393e5db
Application ID : {5d89a20c-beab-4389-9447-324788eb944a}
Certificate Store Name : MY
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout : 0
Ctl Identifier : (null)
Ctl Store Name : AdfsTrustedDevices
DS Mapper Usage : Disabled
Negotiate Client Certificate : Disabled
Hostname:port : th-adfs2012.mfalab3.com:49443
Certificate Hash : ef623c4a0fe2c4e3a43ca4b8f4f0c9410393e5db
Application ID : {5d89a20c-beab-4389-9447-324788eb944a}
Certificate Store Name : MY
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout : 0
Ctl Identifier : (null)
Ctl Store Name : (null)
DS Mapper Usage : Disabled
Negotiate Client Certificate : Enabled
PS C:\Users\administrator\Desktop> Get-AdfsSslCertificate
HostName PortNumber CertificateHash
-------- ---------- ---------------
th-adfs2012.mfalab3.com 443 EF623C4A0FE2C4E3A43CA4B8F4F0C9410393E5DB
localhost 443 EF623C4A0FE2C4E3A43CA4B8F4F0C9410393E5DB
th-adfs2012.mfalab3.com 49443 EF623C4A0FE2C4E3A43CA4B8F4F0C9410393E5DB
5. Publish Azure MFA user portal(Pass Through)
PS C:\Users\taehee\Desktop> Add-WebApplicationProxyApplication -BackendServerURL 'https://th-ad01.mfalab3.com/MultiFactorAuth/' -ExternalCertificateThumbprint 'EF623C4A0FE2C4E3A43CA4B8F4F0C9410393E5DB' -ExternalURL 'https://th-adfs2012wap.mfalab3.com/MultiFactorAuth/' -Name 'MFA User Portal' -ExternalPreAuthentication PassThrough
PS C:\Users\taehee\Desktop> Get-WebApplicationProxyApplication
Name ExternalUrl BackendServerUrl ExternalPreauthentication ID
---- ----------- ---------------- ----------------- --
MFA User Portal https://th-adfs2012wap.mfalab... https://th-ad01.mfalab3.com/M... PassThrough 54CA9F83-3689-C58C-0A6F-950EC262DF0F
6. Confirm Publishing from ADFS WAP management console
7. Error messages and troubleshooting : Most likely related to Certificates
Problem -
Install-WebApplicationProxy : An error occurred when attempting to establish a trust relationship with the federation service.
Error: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
Solution -
On ADFS WAP server, install certificate and check " netsh http show sslcert" or "Get-AdfsSslCertificate"
Problem -
Install-WebApplicationProxy : An error occurred when attempting to establish a trust relationship with the federation service.
Error: Unauthorized. Verify that the service account has administrative access on the target Federation Server.
Solution -
Check if adfssrv(ADFS service) account is a member of "domain administrators".
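Since most WAP publishing problems above trace back to certificates, and the MFA User Portal is published as PassThrough (the backend alone authenticates requests), a periodic review of the published applications is useful. The function below is an added example, not the author's code; the function name Test-WapPublishedApp is hypothetical, and the sample objects reuse the names and thumbprints from this page with invented certificate dates.

```powershell
function Test-WapPublishedApp {
    # Hypothetical helper: reports pre-authentication and certificate issues per published app.
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [object]$Application,
        # Certificates to match thumbprints against, e.g. (Get-ChildItem Cert:\LocalMachine\My)
        [Parameter(Mandatory)] [object[]]$Certificate,
        [int]$WarnDays = 30,
        [datetime]$Now = (Get-Date)
    )
    process {
        $issues = @()

        if ($Application.ExternalPreauthentication -eq 'PassThrough') {
            $issues += 'PassThrough: WAP does not pre-authenticate; the backend must authenticate every request'
        }
        if ($Application.BackendServerUrl -like 'http://*') {
            $issues += 'Backend URL is plain HTTP'
        }

        # Thumbprint comparison with -eq is case-insensitive
        $cert = $Certificate |
            Where-Object { $_.Thumbprint -eq $Application.ExternalCertificateThumbprint } |
            Select-Object -First 1
        if (-not $cert) {
            $issues += 'External certificate thumbprint not found in the supplied certificates'
        }
        elseif ($cert.NotAfter -lt $Now) {
            $issues += "External certificate expired on $($cert.NotAfter.ToString('yyyy-MM-dd'))"
        }
        elseif ($cert.NotAfter -lt $Now.AddDays($WarnDays)) {
            $issues += "External certificate expires within $WarnDays days ($($cert.NotAfter.ToString('yyyy-MM-dd')))"
        }

        [pscustomobject]@{
            Name    = $Application.Name
            PreAuth = [string]$Application.ExternalPreauthentication
            Issues  = $issues
        }
    }
}

# Constructed sample: the two applications published on this page; certificate dates are invented
$sampleApps = @(
    [pscustomobject]@{
        Name = 'rdweb'; ExternalPreauthentication = 'ADFS'
        BackendServerUrl = 'https://th-rds.mfalab3.com/rdweb/'
        ExternalCertificateThumbprint = '67D438BDDBB455E53CA83D6F5DEC34CC546F711A'
    },
    [pscustomobject]@{
        Name = 'MFA User Portal'; ExternalPreauthentication = 'PassThrough'
        BackendServerUrl = 'https://th-ad01.mfalab3.com/MultiFactorAuth/'
        ExternalCertificateThumbprint = 'EF623C4A0FE2C4E3A43CA4B8F4F0C9410393E5DB'
    }
)
$sampleCerts = @(
    [pscustomobject]@{
        Thumbprint = 'EF623C4A0FE2C4E3A43CA4B8F4F0C9410393E5DB'
        Subject = 'CN=th-adfs2012.mfalab3.com'; NotAfter = [datetime]'2017-01-15'
    }
)

$sampleApps |
    Test-WapPublishedApp -Certificate $sampleCerts -Now ([datetime]'2017-01-01') |
    Format-List

# On the WAP server itself:
# Get-WebApplicationProxyApplication |
#     Test-WapPublishedApp -Certificate (Get-ChildItem Cert:\LocalMachine\My)
```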
Query request for Azure Usage/Billing API using Postman
Reference Link to query report.
https://msdn.microsoft.com/library/en-us/Mt218998.aspx
Generate Bearer Token
Login-AzureRmAccount
$AccountName ="azureauto@AADTenants.onmicrosoft.com"
$Password = "UserPassword"
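# URL-encode the user name and password so characters such as & or + survive form encoding
$PayLoad="resource=https://management.core.windows.net/&client_id=xxxxxxxxxxxxxxxxxxxxx&grant_type=password&username="+[uri]::EscapeDataString($AccountName)+"&scope=openid&password="+[uri]::EscapeDataString($Password)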
$Response=Invoke-WebRequest -Uri "https://login.microsoftonline.com/Common/oauth2/token" -Method POST -Body $PayLoad
$ResponseJSON=$Response|ConvertFrom-Json
$ResponseJSON
Results,
From Postman
Remove Office 365 federation from ADFS server
1. Check federation status,
PS C:\Users\administrator> Get-MsolDomain | fl name,status,auth*
Name : mfalab3.com
Status : Verified
Authentication : Federated
2. From ADFS server, run following Powershell commands.
Set-MsolADFSContext -Computer th-adfs2012
Set-MsolDomainAuthentication -Authentication Managed -DomainName mfalab3.com
Get-MsolDomain | fl name,status,auth*
(Note : th-adfs2012 : adfs server, mfalab3.com : test domain name)
3. Check federation status again,
PS C:\Users\administrator> Get-MsolDomain | fl name,status,auth*
Name : mfalab3.com
Status : Verified
Authentication : Managed
4. Login to O365 to check if it is not redirected to ADFS server
Secure RDWeb using Azure Multi-Factor Authentication
1. Change RDWeb authentication mode from "Forms" to "Windows"
Edit C:\Windows\Web\RDWeb\Pages\web.config
<authentication mode="Windows"/>
<!--
<authentication mode="Forms">
<forms loginUrl="default.aspx" name="TSWAAuthHttpOnlyCookie" protection="All" requireSSL="true" />
</authentication>
-->
.
.
.
<system.webServer>
<!--
<modules runAllManagedModulesForAllRequests="true">
<remove name="FormsAuthentication" />
<add name="RDWAFormsAuthenticationModule" type="Microsoft.TerminalServices.Publishing.Portal.FormAuthentication.TSDomainFormsAuthentication" />
</modules>
<security>
<authentication>
<windowsAuthentication enabled="false" />
<anonymousAuthentication enabled="true" />
</authentication>
</security>
-->
2. Add URL for RDWeb access in Azure MFA server
3. Browse RDWeb page on the client and enter credential