ADFS and wAP trust breaks with 500 Internal Server error

April 21, 2020 Mohammed Hamada Leave a comment

Error code

Yesterday my colleague sent me a message informing me that ADFS is not working. When I tried to login to Office 365 Portal page with a federated domain’s user I got a 500 Internal Server Error.

When it occurs:

If you are using Office 365 with ADFS Integration in place, You might get this error when trying to authenticate your users to login to Office 365 or any of its services.

WAP Server

In this environment I am using WAP Proxy server behind ADFS and when installing this I configured a trust using a Public Certificate but for some reason this trust was broken.

Investigation and Solution:

After investigating the WAP proxy it seems it had couple of problems:

1- Could not resolve ADFS server name on WAP Server.

In my environment where we are using Sentinel, We have isolated the primary DC in the environment and due to this the WAP server could not reach to the DNS Server. I solved this by pointing the machine to the secondary DC and add the ADFS hostname to the host file.

2- The Web Application Proxy Service would not start.

The errors related to the service not starting in the event viewer were all pointing to a certificate thumbprint which didn’t even exist in the WAP’s personal store.

Event Viewer Errors

There were couple of errors related to the certificate and Service issue, Event ID 224, Event ID 12025, Event ID 7023 and Event ID 224.

The one which mostly got my attention was the 224:

The federation server proxy configuration could not be updated with the latest configuration on the federation service.

Retrieval of proxy config data from federation server using trust certificate with thumbprint failed with status code unauthorized. The remote server returned an error code 401.

Resolution:

From WAP server’s fire up PowerShell as an admin and list the certificate you have got on your Personal store and match the ThumbPrints of the certificate in the error to make sure it exists or not.

Even if the certificate exists you will still need to re-establish trust with ADFS to make sure WAP can connect to ADFS without an issue.

Dir Cert:\localmachine\my

This should show the certificates you have got on your store.

Now pick up the valid Public certificate which you want to use for the trust and use the below command to establish the trust

Install-WebApplicationProxy –CertificateThumbprint “Enter Certificate ThumbPrint here” –FederationServiceName “ADFS Public FQDN Here”

After few moments you should see that WAP services went back to normal and you can now login your users to Office 365 portal through ADFS.

Active Directory, Azure, Powershell

Reset Azure VM Admin password with Domain Controller installed

April 20, 2020 Mohammed Hamada Leave a comment

Active Directory Admin Password

We had a security lab on Azure with 12 machines, It included 2 DCs and 10 other machines of different OS and had RDP closed on all the machines except one machine to use.

The Password was set for something simple however it seems that someone has changed it and no one was able to access the domain controller anymore nor any of the machines.

I had another user created for backup but it seems that user was also changed.

The usual method of resetting Azure VM is going through portal or PowerShell

Resetting Via Azure Portal

When you try to reset the password from Azure Virtual machine itself. If the VM has Domain Controller it will fail to reset the password with the following error:

Failed to reset RDP configuration

VM has reported a failure when processing extension ‘enablevmaccess’. Error message: “VMAccess Extension does not support Domain Controller.” More information on troubleshooting is available at https://aka.ms/vmextensionwindowstroubleshoot

Through PowerShell

To reset a password, we first need to define the VM we’re working with. To do this, we can use the Get-AzureRmVm cmdlet. I’ll go ahead and assign variables to both the VM name and the resource group since we’ll need to reference those later, as well.

$vmName = 'YOURVMNAMEHERE'
$resourceGroupName = 'YOURRGHERE'
$vm = Get-AzureRmVm -Name $vmName -ResourceGroupName $resourceGroupName

Next, we’ll need some way to pass the username and password into the script. A great way to do that is through the Get-Credential cmdlet.

$credential = Get-Credential

Once the credential is saved, we can then execute the command to actually make the password change using the variables we set earlier. Notice we had to use the GetNetworkCredential() method on the pscredential object. This method will not work if the credential is retrieved from another computer or from another user account. This shouldn’t be a problem, though, since you’re likely to execute this in a single script.

$extensionParams = @{
    'VMName' = $vmName
    'Username' = $Credential.UserName
    'Password' = $Credential.GetNetworkCredential().Password
    'ResourceGroupName' = $resourceGroupName
    'Name' = 'AdminPasswordReset'
    'Location' = $vm.Location
}

$result = Set-AzureRmVMAccessExtension @extensionParams

Once this completed (hopefully successfully), the VM will need to be rebooted. We can do that by using the Restart-AzureRmVm cmdlet.

$vm | Restart-AzureRmVM

While this PowerShell script might work with a normal VM, It will not work with a DC and would result in the same error as in the portal.

Solution

The solution is to write a script which would run through the CustomScriptExtension that you can deploy from the Azure Portal on the intended VM that has the Domain Controller Deployed on it.

Once you get the script ready to change the administrator Password you can upload the script and deploy it.

Let’s get the script ready and demonstrate these steps one by one.

– On my Computer I will write a tiny script that will say

Net User domainadmin Adm!nPassw0rd1

– Save the file on your desktop for later use. Go to Azure Portal, Virtual Machines and select your Domain Controller.

– Go to Extensions.

– Click on Add

– Select Custom script Extension

– Click Create

– Browse the PowerShell script on your Desktop.

– Select Storage Account

– Select an existing container or create new one

– Upload the file to the container

Result

Once deployed, it’ll take few mins to reset the password and you don’t have to restart the server.

Through PowerShell

After this I was able to access the machine again using the new password in the script.

ref:

https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/features-windows#troubleshoot-vm-extensions

https://docs.microsoft.com/en-us/azure/virtual-machines/windows/run-command

https://mcpmag.com/articles/2017/12/13/azure-vm-password-with-powershell.aspx

https://docs.microsoft.com/en-us/azure/virtual-machines/troubleshooting/reset-local-password-without-agent

Exchange 2010, Exchange 2013, Exchange 2016, Exchange 2019, Security

Microsoft Exchange Vulnerability affects all Exchange versions

February 13, 2020 Mohammed Hamada Leave a comment

CVE-2020-0688 | Microsoft Exchange Validation Key Remote Code Execution Vulnerability

Security Vulnerability

Date of Publishing: February/11/2020

Microsoft has announced a vulnerability has been found in all Exchange Server 2010 through 2019 versions, The vulnerability allows an attack to send a specially crafted request to the affected server in order to exploit it.

When could this happen?

A remote code execution vulnerability exists in Microsoft Exchange Server when the server fails to properly create unique keys at install time.

Knowledge of a the validation key allows an authenticated user with a mailbox to pass arbitrary objects to be deserialized by the web application, which runs as SYSTEM.

The security update addresses the vulnerability by correcting how Microsoft Exchange creates the keys during install.

Affected Versions:

Microsoft Exchange Server 2010 Service Pack 3 Update Rollup 30
Microsoft Exchange Server 2013 Cumulative Update 23
Microsoft Exchange Server 2016 Cumulative Update 14
Microsoft Exchange Server 2016 Cumulative Update 15
Microsoft Exchange Server 2019 Cumulative Update 3
Microsoft Exchange Server 2019 Cumulative Update 4

Solution:

Until now Microsoft has not provided any solution or work around to cover this vulnerability.

Mitigations

Microsoft has not identified any mitigating factors for this vulnerability.

Workarounds

Microsoft has not identified any workarounds for this vulnerability.

NOTE:

Keep an eye on the below link for any change

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0688

Security, Windows 10

Microsoft Windows 10 security updates KB4532695 and KB4528760 causes TPM driver to fail and results in windows 10 BSOD

January 29, 2020 Mohammed Hamada Leave a comment

Windows 10 Update :

Yesterday and today Microsoft released KB4532695 and KB4528760 causes TPM 2.0 driver to stop functioning and causes BSOD with error “Memory Management” Issue.

Windows Hello Face Authentication

In the first KB Microsoft says they have improved the accuracy of Windows Hello Face authentication however this would cause your PIN to be reset, TPM driver stop functioning and BitLocker to change in Pause state.

Check KB Article here

The BSOD will generate an event ID 1001 stating the bugcheck code and saves a dump. ( I haven’t analyzed that yet).

I suggest not to run it till Microsoft releases a bug fix

Exchange Online, Office 365, Office365, Powershell

Upgrading Exchange Online PowerShell to V2 Module

January 28, 2020 Mohammed Hamada Leave a comment

Managing Exchange Online

If you have Exchange Online and your users are MFA enabled then you most likely will be using Exchange Online’ s ECP (Exchange Control Panel or Admin Center) to connect to Exchange Online PowerShell through the Hybrid Windows since this is the only supported way with MFA.

Clicking on Configure would install the PowerShell Module of Exchange Online which looks like the below screenshot.

New PowerShell with MFA support

If you have launched Exchange Online PowerShell today then you most likely have noticed there’s a red line stating the possibility to try the new (Preview Version) of Exchange PowerShell V2 .

Microsoft has recently released a new version of Exchange Online PowerShell Module which supports MFA and can be run directly from your computer without the need to login to Exchange Online Admin Center and download any files from there. Check details in this link

As stated in the article, the Module is just in preview so it has some known and maybe unknown bugs as well.

How to Install it?

The installation process is pretty straightforward, Launch Windows PowerShel as an Administrator (It’s required for the installation).

Run these 4 cmdlets

Set-ExecutionPolicy RemoteSigned

Install-Module PowershellGet –Force

Update-Module PowershellGet

Install-Module -Name ExchangeOnlineManagement

You might get a warning that the Module you’re about to install is from an Untrusted Repository, Accept it by typing Y and hit enter

Type the following cmdlet to ensure that Exchange Online Management module is installed

Import-Module ExchangeOnlineManagement; Get-Module ExchangeOnlineManagement

Connecting to Exchange Online

To connect to Exchange Online, Run the following cmdlet along with the new parameter –EnableErrorReporting which gives the ability to record all the cmdlets that you have run along with errors generated as well.

Connect-ExchangeOnline -EnableErrorReporting -LogDirectoryPath e:\ExchOnlineLogs.txt -LogLevel All

After connecting, I am going to try and run two commands the Old Cmdlets and New Cmdlet and see the difference between them:

Get-CASMailbox -ResultSize 10
Get-EXOCasMailbox -ResultSize 10

The new Cmdlet has much more details, although it says that it runs faster but it took few seconds more than the old one to run (Probably first time).

After you run those two Cmdlets, There will be two files generated in the log directory which we have pointed the parameter to save files to.

The CSV files have details about the two cmdlets and the HTTP Method they are utilizing in order to connect along the Request and response latency.

This new version seems to be extremely useful esp in environments where such deep details are needed for troubleshooting issues.

Stay tuned for more

Reference:

https://docs.microsoft.com/en-us/powershell/exchange/exchange-online/exchange-online-powershell-v2/exchange-online-powershell-v2?view=exchange-ps

Security, Windows 10

Warning for millions of Windows 10 users

January 27, 2020 Mohammed Hamada Leave a comment

The “Windows List” website, which follows the news of the famous operating system “Windows 10“, issued a warning to the users of the Operating system after it monitored a new security update for the operating system, which is “KB4528760” causing serious problems, noting that the problem “appears to be widespread now.”

Related image

In its interpretation of the sequence of events, the site says that this update initially fails to install on the device, issuing “a number of general error messages” that do not provide any indication of the cause of the problem, then the problem escalates as the next time you restart the computer it fails to boot .

“The recent update KB4528760 for Windows 1909 (the Windows build version number) appears to cause problems with some computers and prevents them from Starting up, causing the oxcooooooe error code. The number of devices affected by this problem has increased after installing this update,” says a user on the official Microsoft Community Forum. .

Image result for windows 10 error code oxcooooooe

Some users attribute the problem to Microsoft’s Connect app, which the company has terminated. Although it is not the only scenario of the cause of the problem, the users who installed the app or had it installed and then uninstalled it, have been particularly severely affected. It is only Windows Vista that completely re-installs the Windows 10 operating system.

What increases the importance of the warning issued by “Windows Light” is precisely that Microsoft is not yet aware of this problem. Indeed, until the moment the company states on the support page of the latest update that it is “currently not aware of any problems with this update.”

This is a recurring series of slow responses in recent years, as Windows 10 users have experienced problems caused by system updates, and this is disappointing because it encourages users to continue to download the update that might harm their computers

The good thing here is that Microsoft is working on substantive modifications to improve the updates of “Windows 10”, but the bad thing is that the process of testing the modifications in its entirety is fundamentally flawed, according to the site mentioned

Azure, Microsoft, Virtual Machine Manager

Deploy Azure Linux and Windows servers in 10 mins via cli

January 16, 2020 Mohammed Hamada Leave a comment

This is a step by step guide about deploying Linux or Windows servers on Azure via CLI.

Why Cli?

Some people prefer using Linux rather than PowerShell and it seems sometimes easier and faster to learn esp if you’re not GUI type of person.

Installation Options

If you’re working on Windows and would like to use CLI, you’ll have two options to install CLI

Option 1

Run Azure CLI installation directly from your Powershell (PowerShell needs to run from a privileged account)

Invoke-WebRequest -Uri https://aka.ms/installazurecliwindows -OutFile .\AzureCLI.msi; Start-Process msiexec.exe -Wait -ArgumentList ‘/I AzureCLI.msi /quiet’

As soon as you run this command, it’ll take about 5 mins or less depending on the connection you have.

Option 2

Download the MSI file directly from MS’s link and install it on your Computer.

https://docs.microsoft.com/en-us/cli/azure/install-azure-cli-windows?view=azure-cli-latest

Connect to Azure CLI from PowerShell

Run PowerShell or CMD and type the following command to connect

Az Login then hit enter

As soon as you type this, a web page will be launched asking you for your Azure Account credentials so open the session for your Cli window.

The moment you verified your account, PowerShell will list your azure plans that you have / had before.

If you’re going to use Linux (Ubuntu, Debian) flavor then you’d have to following the following instructions

Manual install instructions

If you don’t want to run a script as superuser or the all-in-one script fails, follow these steps to install the Azure CLI.

Get packages needed for the install process:

bash


sudo apt-get update

sudo apt-get install ca-certificates curl apt-transport-https lsb-release gnupg

Download and install the Microsoft signing key:

bash


curl -sL https://packages.microsoft.com/keys/microsoft.asc | 

    gpg --dearmor | 

    sudo tee /etc/apt/trusted.gpg.d/microsoft.asc.gpg &gt; /dev/null

Add the Azure CLI software repository:

bash


AZ_REPO=$(lsb_release -cs)

echo "deb [arch=amd64] https://packages.microsoft.com/repos/azure-cli/ $AZ_REPO main" | 

    sudo tee /etc/apt/sources.list.d/azure-cli.list

Update repository information and install the

azure-cli

package:

bash
```
sudo apt-get update

sudo apt-get install azure-cli
```

Run the Azure CLI with the

command. To sign in, use the az login command.

Run the

login

command.

Azure CLI

Try It
```
az login
```
If the CLI can open your default browser, it will do so and load an Azure sign-in page.

Otherwise, open a browser page at https://aka.ms/devicelogin and enter the authorization code displayed in your terminal.
Sign in with your account credentials in the browser.

To learn more about different authentication methods, see Sign in with Azure CLI.

Deploying Linux (CentOS):

Creating a Resource Group for Azure Container Instances (ACI)

We will start first by creating a Resource Group for our Machine, calling it a AzureLinuxServersGroup to easily identify that this group contains our Linux Servers

az group create –name AzureLinuxServersGroup –location westeurope

Next we will be creating a container to contain the Linux OS on the resource group which we have just created

First, How we know which Image to use and if that will be proper for our deployment?

To answer that, we will use the following command which will view the available latest edition Linux OS with different flavors.

I would like to use CentOS since its identical to RedHat and used by majority of Enterprises.

To list the Images, Enter the following command

az vm image list –output table

Notice there are many columns, The one which we are going to use in terminal command line is the UrnAlias. It’s important to remember this.

az vm create \

–resource-group AzureLinuxServersGroup \

–name AzureCentOSWP \

–image CentOS \

–admin-username Moh10lyUser \

–generate-ssh-keys

Since we are using Bash, It’s a case sensitive and it complained about user having capital letters. So we’ll go ahead and use small letters

After running the command with small letters, it’s telling us where we can find the keys in order for us to reach and get them to use later to login to this newly created machine.

SSH key files ‘/home/moh10ly/.ssh/id_rsa’ and ‘/home/moh10ly/.ssh/id_rsa.pub’ have been generated under ~/.ssh to allow SSH access to the VM. If using machines without permanent storage, back up your keys to a safe location.

The deployment of the machine takes about 3 mins, and it’ll be created with the default minimum resources. Let’s view

Our machine is ready to be accessed now

In order for you to get the SSH Keys, you’ll have to have a bit of knowledge

I am going to go the location mentioned previously after creating a machine and copy the keys from the bash screen into a file. Save the file and Import it into SSH client which I will be using (Bitvise in my case).

From the bash screen goto cd /

Cd /home/user/.ssh/

Cat id_rsa hit enter and copy the key and save it into notepad.

Cat id_rsa.pub and copy/save into a notepad as the public key.

After loading both keys, I was able to successfully login to the Server

Get a list of Azure VMS

az vm image list

Let’s List and deploy a WordPress on CentOS

To view the list of available CentOS images, we’ll use the following cli command

az vm image list -f CentOS –all

The image needs to be grabbed from dockerhub URL

cognosys:wordpress-with-centos-77-free:wordpress-with-centos-77-free:1.2019.1008

az container create –resource-group mohazbackupgroup –name mohcontainer –os-type Linux –image cognosys:wordpress-with-centos-77-free:wordpress-with-centos-77-free:1.2019.1008 –dns-name-label azmohlinux –ports 22

Create Windows Server core with IIS

az container create –resource-group mohazbackupgroup –name mohcontainer –os-type windows –image mcr.microsoft.com/windoervercore/centos –dns-name-label azmohlinux –ports 22ws/servercore/iis:nanoserver –dns-name-label azmohiis –ports 80

Here we go I got a machine ready (took about 5 mins)

azmohiis.westeurope.azurecontainer.io

To delete the container, you can write the following

az container delete –resource-group mohazbackupgroup –name mohcontainer

Stay tuned for more articles about Azure.

Security, Windows 10, Windows Server

MICROSOFT EXPOSES A SECURITY ISSUE THAT AFFECTS MILLIONS OF WINDOWS 10 COMPUTERS, RDP AND DHCP ON WIN2008R2

January 15, 2020 Mohammed Hamada Leave a comment

Windows 10 Crypto API Spoofing

Microsoft has released a new security patch for a vulnerability that could affect millions of Windows 10 Users world wide. The decades old CryptoAPI tool validates and signs packages/software which could be utilized by hackers/developers to sign and execute illegitimate software thus would allow users to run anything without user’s nor Antivirus/Internet Security software’s notice.

Microsoft mentioned that the vulnerability could also allow hackers to change or modify encrypted communications.

It’s important to notice that CryptoAPI is a legacy API that’s being replace by a new CNG (Cryptography Next Generation API) which also supports CryptoAPI.

CryptoAPI Key Storage Architecture

cryptoapi architecture

Download Patch

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601

Windows 2008 R2, Windows 7 RDP

A day ago Microsoft released two very important security patches on May 14, 2019. One of these patches has been detected in the RDP service (CVE-2019-0708) which affects Windows 7 and Windows 2008 R2. According to MS’s Article a remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests. This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Download Patch

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708

Windows 2008R2, 2012R2, 2016 and 2019 DHCP

The other one is in the DHCP service (CVE-2019-0725), and both exploitations are very critical. When we look at CVE-2019-0708, which is related to the RDP service, we see that attackers are able to run code on systems by sending specially produced packages without any user interaction and authentication and manage to install malware like Ransomware or other execution files.

Download Patch

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0725

Sources:

Microsoft, NSA, Other Security Researchers

ChatBot, Google cloud, Monitoring

Freely Monitoring your Servers with Google Chat App Notifications

January 8, 2020 Mohammed Hamada Leave a comment

Monitoring:

Monitoring is considered one of the most important process in today’s world of Technology. Most Datacenters have their private monitoring systems with automation tools that would trigger failover, or Disaster Recovery in case of downtime being noticed and this is extremely costly operation.

What to Monitor?

CPU Usage, Memory Consumption, I/O, Network, Disk Usage, Process etc. Server Monitoring also helps in capacity planning by understanding the server’s system resource usage.

Other services can be monitored like Web Servers, FTP, Mail Servers or anything else if it’s publicly accessible.

Using UPTimeRobot Monitoring

Uptime Robot Monitoring is a free-commercial service that has rich monitoring features where you can monitor your services/servers on 1 minute interval and get alerted by Email, SMS, Phone Apps e.g. (Telegram, Google Chat, or Skype).

The Free version

In the free version Monitoring you can add services based on ports and protocols or Servers. This might look limited to some but since it’s free of charge it can be very useful for small or startup companies with couple of servers.

– Limited up to 50 Monitors.

– No SMS.

– Check interval is 5 mins.

– Logs are not kept

The Commercial Version:

In the commercial version you pay a small fee of 4.5$ a month, an you’d get the following:

– Up to 50 Monitors.

– 20 SMS.

– Check interval is 1 mins.

– Logs are kept for 2 years.

Adding a Server to Monitor:

After you create an account on UpTimeRobot.com you can easy add a site or a service to monitor right away and the monitoring will initiate after 5 minutes then it’ll report if the service,server you added is up or down.

Click on + Add New Monitor

Next add the website, In my case i’ll add my own website and see how it works and then choose Google Chat (Since I already have the integration on).

Once ready, click on create monitor

That should add the website directly into the List of monitored services:

If you click on the Monitor, you’ll get the stat figure of how long has your website been on/off

After waiting roughly 35 mins, I can see now that my website is up and running without any problem. The monitoring probe counts by milliseconds so you’ll be able to see if there’s any interruption in the connection to your website/server.

Integration with Google Chat

Requirements:

Google Suit.
Google Admin Account
Create a Google Chat Room
Configure WebHooks

The integration between Google chat and UpTimeRobot requires Google G Suits account

I will login to my G account with admin user

Next go to Chat admin console

https://chat.google.com/u/1/

Create a room, Call it UpTimeRobot

Once Created, Click on the … dots next to Now

Now Configure WebHooks

Call this UpTimeRobotContact and save

This should create a URL for you, Something that looks like this! This

https://chat.googleapis.com/v1/spaces/AAAAcUvSsqs/messages?key=AIzaSyDdI0hCZtE6vySjMm-WEfRq3CPzqKqqsHI&token=qSlBYydgUj2mqqC8o_DIDY_RqcMaiI%3D

Adding Members (To get notifications)

On the right side Add People and Bots

Add a user to receive notifications once any server or service is down.

Once you add a user, you’ll notice that the admin user’s notification below saying he/she added a user to the Room.

Uptime Robot Configuration:

In order for this to work we’ll have to finish the work on the UpTimeRobot portal

Inside Uptime Robot, create a new alert contact in My Settings>Alert Contacts>Add new>Google Hangouts Chat using the previously created Hangouts Chat web-hook URL.

When we choose the Google Hangouts Chat, We will have to give the following:

Friendly name for the monitor.
Provide the webhook URL which was created previously.
You can add a custom message to identify something related to the monitoring.
Enable notifications for, You can choose to get notifications only when the site/service is up or down or both.

After adding this, You need to download one or two apps to get alerts to your Cell Phone:

Google Chat
UPtime Robot

What do Alerts Look like?

As soon as your system goes down, Google Chat will sends you a push notification to your phone, if you’re using UpTime Robot and you’re logged in to the account then you’ll get another identical notification at the same time indicating your system’s status if it goes down or back up.

Like this you can add up to 50 monitors including all kinds of services, ports, protocols.

The notification also comes with an interesting tone so you could easily tell if the sound is for “System Down” or “System is up” kind of state.

This has personally helped me keep my system up 24/7 and interfere whenever there’s any downtime noticed.

I hope this article helps and in case you have any question please leave a comment or get in touch with me info@moh10ly.com

References:

https://blog.uptimerobot.com/new-feature-google-hangouts-chat-notifications/

https://chat.google.com/u/1/

ADFS, Office 365, Office365

Error After Migrating ADFS from 2012R2 to 2016

January 7, 2020 Mohammed Hamada Leave a comment

The Story:

You might have got a request to upgrade from ADFS 2012 R2 to Windows ADFS 2016.

This process can be complicated especially if you’ll have to migrate the Database as well and it would be more of an issue when the Database is WID (Windows Internal Database) since there’s no much documentation about troubleshooting issues involving WID on ADFS.

I have got a request from a client whom have done a migration with another consultant and obviously it was not done right.

Symptoms

On Windows 2016 ADFS when trying to update the ADFS SSL certificate I get the following error:

Set-AdfsSslCertificate -ThumbPrint A7etc : PS0159 : The Operation is not supported at the current Farm Behavior Level ‘1’. Raise the farm to at least version ‘2’ before retrying.

At line:1 char:1

Trying to update the database from 1 to 2,3 will also fail with the following error:

Invoke-AdfsFarmBehaviorLevelRaise

Error:

Database upgrade cannot be performed on AdfsServer.domain.com. Error: A database for the target behavior level already exists.

Troubleshooting:

If you’re installing ADFS on WID (Windows Internal Database) you should run the following to get the database name/Connect String

On ADFS Server

Open Windows PowerShell

Enter the following:
$adfs = gwmi -Namespace root/ADFS -Class SecurityTokenService

and hit Enter
Enter the following:
$adfs.ConfigurationDatabaseConnectionString

and hit enter.
You should see the connect string information.

Go to Service Console and stop ADFS Service or from Powershell type Net stop adfssrv

Run SQL Server 2017 Database Engine Tuning Advisor as an administrator

Use the Server name as this

\\.\pipe\MICROSOFT##WID\tsql\query

As for Authentication, Use the Windows Authentication with the user you’re logged into if you know that’s a privileged user and can authenticate, If not try with a user which you’ve done the upgrade of ADFS with.

After authenticating, You will be able to see AdfsConfiguration , AdfsConfigurationV3 and AdfsArtifactStore. What we need to see is that AdfsConfigurationV3 has data in it and is not totally empty.

After checking and comparing the size between V1 and V3, It appeared that V3 database is empty. So what next?

Solution

Deleting the AdfsConfigurationV3 was the first thought that hit my mind however, before deleting anything I always take a snapshot of the VM since backing up the WID is more painful and takes more time than simply backing up the VM (Checkpoint, Snapshot).

So the steps to fix this issue is

Taking a VM Snapshot/Checkpoint/Backup.
Download Microsoft SQL Server Management Studio from this link https://go.microsoft.com/fwlink/?linkid=864329
Install Microsoft SQL Server Management Studio on ADFS Server
Run MS SQL Server Management Studio as Administrator
In the Server Name type :

\\.\pipe\MICROSOFT##WID\tsql\query

Leave the Authentication as it is and logon.

From the SQL Object Explorer right click and Delete the AdfsConfigurationV3 and leave AdfsConfiguration Database only.

After deleting the Database, Start ADFS Service to make sure that it can load the old database without an issue.
Then run the cmdlet Invoke-AdfsFarmBehaviorLevelRaise and Accept by typing Y and Enter.

This might take about 5 minutes to finish.

When this process is done, You should see the following message indicating the success of the Database Upgrade.

To double check, We will run the cmdlet Get-AdfsFarmInformation

Updating Certificate

After this success, I am going to run the cmdlet below to replace the current certificate with the new one

Set-AdfsSslCertificate -Thumbprint 9b19426e17180c0b9c5d4atye53dda3bce9dbff

And here we go. It works perfectly fine

References:

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/troubleshooting/ad-fs-tshoot-sql

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/design/federation-server-farm-using-sql-server

Error code

When it occurs:

WAP Server

Investigation and Solution:

1- Could not resolve ADFS server name on WAP Server.

2- The Web Application Proxy Service would not start.

Event Viewer Errors

Resolution:

Active Directory Admin Password

Resetting Via Azure Portal

Through PowerShell

Solution

Result

Through PowerShell

CVE-2020-0688 | Microsoft Exchange Validation Key Remote Code Execution Vulnerability

Security Vulnerability

When could this happen?

Affected Versions:

Microsoft Exchange Server 2010 Service Pack 3 Update Rollup 30

Microsoft Exchange Server 2013 Cumulative Update 23

Microsoft Exchange Server 2016 Cumulative Update 14

Microsoft Exchange Server 2016 Cumulative Update 15

Microsoft Exchange Server 2019 Cumulative Update 3

Microsoft Exchange Server 2019 Cumulative Update 4

Solution:

Mitigations

Workarounds

NOTE:

Windows 10 Update :

Windows Hello Face Authentication

Managing Exchange Online

New PowerShell with MFA support

How to Install it?

Set-ExecutionPolicy RemoteSigned

Install-Module PowershellGet –Force

Update-Module PowershellGet

Install-Module -Name ExchangeOnlineManagement

Import-Module ExchangeOnlineManagement; Get-Module ExchangeOnlineManagement

Connecting to Exchange Online

Reference:

Why Cli?

Installation Options

Option 1

Option 2

Connect to Azure CLI from PowerShell

Manual install instructions

Get packages needed for the install process:

Download and install the Microsoft signing key:

Add the Azure CLI software repository:

Update repository information and install the azure-cli package:

Run the login command.

Sign in with your account credentials in the browser.

Deploying Linux (CentOS):

Creating a Resource Group for Azure Container Instances (ACI)

Next we will be creating a container to contain the Linux OS on the resource group which we have just created

To list the Images, Enter the following command

Get a list of Azure VMS

Let’s List and deploy a WordPress on CentOS

Create Windows Server core with IIS

Windows 10 Crypto API Spoofing

CryptoAPI Key Storage Architecture

Download Patch

Windows 2008 R2, Windows 7 RDP

Download Patch

Windows 2008R2, 2012R2, 2016 and 2019 DHCP

Download Patch

Sources:

Monitoring:

What to Monitor?

Using UPTimeRobot Monitoring

The Free version

The Commercial Version:

Adding a Server to Monitor:

Integration with Google Chat

Next go to Chat admin console

Adding Members (To get notifications)

Uptime Robot Configuration:

What do Alerts Look like?

References:

The Story:

Update repository information and install the

azure-cli

package:

Run the

login

command.