Monthly Archives: May 2015

ADFS behind Websense or Bluecoat causes CRL check to fail

Scenario: You configure a relying party trust in ADFS for SSO, and the ADFS Admin event log shows this error: “The encryption certificate of the relying party trust … is not valid. It might indicate that the certificate has been revoked, expired, or that the certificate chain is not trusted.”


After verifying that the certificate chain is valid and the certificate has not expired, the next thing to check is whether the ADFS server can make an outbound HTTP (port 80) request to the CRL Distribution Point (CDP) URL embedded in the relying party trust’s certificate. ADFS downloads the Certificate Revocation List (CRL) from that URL as part of validating the certificate, and when the download fails you get the error above.

The easiest first test is to browse to the internet from the ADFS server to make sure outbound port 80 is open. Bear in mind, though, that the browser runs as the logged-on user with that user’s Internet Explorer proxy settings, so a successful browse does not prove that the ADFS service can reach the CRL.

If the ADFS server sits behind a proxy server (Websense, Bluecoat, etc.), the ADFS service, which retrieves CRLs through WinHTTP like other Windows services, does not automatically inherit the proxy settings from Internet Explorer, so its CRL download fails even though browsing works.

You can configure the machine-wide WinHTTP proxy to match the Internet Explorer settings. Run this on the ADFS server in an elevated CMD session, then restart the Active Directory Federation Services service (adfssrv) so it picks up the change:

netsh winhttp import proxy source=ie

https://social.technet.microsoft.com/Forums/windowsserver/en-US/47345c69-7b68-4f09-907e-43ed2805cac0/adfs-30-signing-certificate-crl-check-with-http-proxy-to-the-internet?forum=Geneva

The thread above also shows how to stop ADFS from performing the CRL check at all, but use that only while troubleshooting: revocation checking is the only way ADFS learns that a certificate which has not yet expired has been compromised and revoked by its issuer, so with the check disabled a stolen private key keeps working until the certificate expires. Note that the cmdlet below targets a claims provider trust’s signing certificate, which is the case discussed in that thread; for the encryption certificate of a relying party trust (the scenario above) the equivalent is Set-AdfsRelyingPartyTrust with its -EncryptionCertificateRevocationCheck parameter.
Set-AdfsClaimsProviderTrust -TargetName "<IDP name>" -SigningCertificateRevocationCheck None
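As an added example (this is not code from the original post or from the TechNet thread), the following PowerShell checks the path ADFS actually takes: it pulls the CRL Distribution Point URL(s) out of a relying party trust’s encryption certificate, reads the machine-wide WinHTTP proxy that the netsh command above configures, fetches each CRL through that proxy, and then asks certutil to repeat the retrieval through CryptoAPI. The relying party trust name 'Contoso App' is a placeholder, and the script assumes an elevated PowerShell session on the ADFS server with the ADFS module available.

```powershell
# Added example, not part of the original post. Run in an elevated PowerShell
# session on the ADFS server. 'Contoso App' is a placeholder display name.
Import-Module ADFS

$rpName = 'Contoso App'
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
if (-not $rp) { throw "No relying party trust named '$rpName'." }
$cert = $rp.EncryptionCertificate   # X509Certificate2: the certificate the event log complains about
if (-not $cert) { throw "Relying party trust '$rpName' has no encryption certificate configured." }
"Encryption certificate: $($cert.Subject) (expires $($cert.NotAfter), thumbprint $($cert.Thumbprint))"

# OID 2.5.29.31 is the CRL Distribution Points extension. Format($true) renders it as
# text with one 'URL=...' entry per distribution point; only HTTP ones can be fetched here.
$cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if (-not $cdp) { throw "Certificate carries no CRL Distribution Point extension, so no CRL check is possible." }
$crlUrls = [regex]::Matches($cdp.Format($true), 'URL=(http://[^\s,]+)') |
    ForEach-Object { $_.Groups[1].Value }
if (-not $crlUrls) { Write-Warning "No HTTP CRL Distribution Point found (LDAP-only CDPs cannot be reached from outside the forest)." }

# The ADFS service uses the machine-wide WinHTTP proxy, not the IE settings of whoever is
# logged on. 'netsh winhttp show proxy' prints either 'Direct access (no proxy server).' or
# a 'Proxy Server(s) : host:port' line (possibly 'http=host:port;https=host:port').
$proxy = $null
$winhttp = (netsh winhttp show proxy) -join "`n"
if ($winhttp -match 'Proxy Server\(s\)\s*:\s*(\S+)') {
    $first = ($Matches[1] -split ';')[0] -replace '^\w+=', ''
    $proxy = "http://$first"
}
"WinHTTP proxy: $(if ($proxy) { $proxy } else { 'direct (none configured)' })"

foreach ($url in $crlUrls) {
    $params = @{ Uri = $url; UseBasicParsing = $true; TimeoutSec = 15 }
    if ($proxy) { $params.Proxy = $proxy; $params.ProxyUseDefaultCredentials = $true }
    try {
        $resp = Invoke-WebRequest @params
        # A real CRL is DER (application/pkix-crl). HTML with a 200 is almost always a
        # proxy block page, which CryptoAPI then fails to parse as a CRL.
        if ("$($resp.Headers['Content-Type'])" -like 'text/html*') {
            Write-Warning "$url answered with HTML; the proxy is probably intercepting or blocking it."
        } else {
            "OK   $url -> $($resp.RawContentLength) bytes"
        }
    } catch {
        Write-Warning "FAIL $url : $($_.Exception.Message)"
    }
}

# Second opinion through CryptoAPI, which is what ADFS actually calls: export the
# certificate and let certutil walk the chain and fetch every CRL and AIA URL it finds.
$tmp = Join-Path $env:TEMP "rp-$($cert.Thumbprint).cer"
[IO.File]::WriteAllBytes($tmp, $cert.Export('Cert'))
certutil -verify -urlfetch $tmp | Select-String -Pattern 'Error retrieving URL|revocation|CRL'
Remove-Item $tmp
```

If the WinHTTP line reads “direct” while browsing from Internet Explorer works, that is exactly the mismatch the netsh import above fixes. Where the proxy authenticates users, run the script under the ADFS service account (or as SYSTEM) rather than your admin account, because an interactive session may be allowed out where the service account is not.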

What I learned at the Microsoft Ignite Conference (Chicago 2015)

The 2015 Microsoft Ignite Conference (May 4 – 8) was held in Chicago and included over 1,000 sessions on a range of Microsoft technologies. The sessions and their overall intent seemed to me to be predominantly focused on Microsoft’s new “Cloud First” and “Mobile First” mission statement.

Historically, Microsoft has used events like Ignite to announce new products and features, so it is always an exciting time for IT pros and customers alike.

I was fortunate enough to attend several of the sessions on Azure and Office 365, and I’m eager to share some of the highlights here. This is not intended to be an exhaustive or comprehensive list of what was unveiled, but rather my own individual experience and takeaways. I plan on watching several sessions that I missed, and you can too (see ‘Catching Up’ at the bottom of this blog post).

For Julia White’s (General Manager of O365 Marketing) overview of Ignite, I recommend reading her blog post (here). Jennifer Marsman also wrote a great recap of the Build conference (here).

Azure Stack

Azure Stack is the private cloud version of what is known as Azure today. There was some initial confusion at the conference on whether this was a replacement for Azure Pack. When I spoke to the product managers at Microsoft, they said if customers are happy with their existing Azure Pack, that’s great, keep using it. But for those customers who want the same exact code as what is running in the Public Cloud, then Azure Stack is for them. Azure Pack relied upon System Center whereas Azure Stack will not. I would not be too shocked if Azure Pack is shelved because there appears to be clear overlap between these two private cloud offerings.

Azure Stack is scheduled for GA in H2 2015. When Azure Stack is released, it will not have all 48+ of the features in the public version of Azure, but it will have Compute and a few others.

Azure

  • Azure now has datacenters in more locations than Google and AWS combined
  • Venkat Gattamneni wrote in his post “Azure shines bright at Ignite!” that “…in the last 12 months, we’re proud to have added over 500 features and services to the platform.”
  • Azure Resource Manager will allow you to deploy Gallery templates to both Azure Stack and Azure IaaS Public Cloud.
    In his blog post, Corey Sanders goes into lots of detail about ARM, templates etc. He says “This new template language will enable you to easily stitch together VMs, Virtual Networks, Storage Accounts, NICs, Load-balancers, and other PaaS services, like App Service and SQL Databases, in a single coherent application model.”
    A .JSON template file is all that is required. Azure Resource Manager enables you to build and manage large-scale applications in an agile and repeatable manner, and complex networking infrastructures can now be composed from the same simple JSON templates. ARM also adds Role Based Access Control (RBAC), tagging of resources, and auditing of resource usage. The significant change ARM introduces is that a VM created in ARM mode has no dependency on a cloud service, so ARM can spin up thousands of VMs without the limit a cloud service imposed. For example, previously you could only deploy 50 virtual machines in a cloud service; now, with one .JSON file, you can spin up 100 VMs without that limitation holding you back.
  • DNS as a Service. Azure DNS hosts your DNS zones on Microsoft’s anycast name-server network, so each query is answered by the closest available name server (this is zone hosting rather than the GTM-style traffic steering that Traffic Manager does). The only drawback is that there is no GUI yet, just PowerShell management for now. Pricing: 50 cents per DNS zone and 20 cents per million DNS queries.
  • Azure Cloud Services now support multiple VIPs.
  • Several security enhancements: the Host Guardian Service, Virtual Secure Mode and Shielded VMs. These are Hyper-V host features of the next Windows Server release rather than Azure services: a shielded VM gets a virtual TPM (vTPM) so its disks can be BitLocker-encrypted, and the Host Guardian Service only releases the keys to hosts that attest as healthy; TPM 2.0 on the host is required for hardware-based attestation.
  • Several network enhancements, e.g. user-defined routes, IP forwarding, Floating NICs and the ExpressRoute Premium add-on, which raises the limit to 10,000 BGP routes and lets traffic that enters any ExpressRoute meet-me site reach ANY Azure region across the globe. Reserved IP addresses can now be moved between services, which supports quickly moving an external IP between VMs.
  • Azure VPN gateway now supports Site-to-Site VPN and ExpressRoute coexistence.
    For additional details: http://azure.microsoft.com/blog/2015/05/05/new-networking-capabilities-for-a-consistent-connected-and-hybrid-cloud/
  • I learned that Azure AD Application Proxy supports multiple connectors with automatic load balancing. On the roadmap is the ability to pin a particular app to a connector.
  • Azure Data Lake is “A hyper scale repository for big data analytic workloads.” See “What’s a Data Lake?” And check out Introducing Azure Data Lake for more info and to sign up to get notified when a preview is available. You might also watch this 3 minute video.
  • Client-side encryption in the Azure Storage client library for .NET is in public preview. You can use it to encrypt blob data, table data (you select the properties to encrypt) and queue messages before they leave your process, so the storage service only ever sees ciphertext. It integrates with Azure Key Vault for key management and can be wired to other key management systems if you prefer (see the client-side encryption blog post).
  • Import/Export now also supports up to 6 TB hard drives. Click (here) for more information.
  • Azure Site Recovery enables customers to deploy application-aware availability on demand solutions. Azure Site Recovery solutions have been tested and are now supported for SharePoint, Dynamics AX, Exchange 2013, Remote Desktop Services, SQL Server, IIS applications and System Center family like Operations Manager. Read all the details in Abhishek Agrawal’s blog post
  • The Cloud App Discovery feature is now Generally Available and integrated into the Azure preview portal. This tool helps identify ‘shadow IT’, where users adopt third-party SaaS apps like Dropbox without telling IT. You get started by adding “Azure AD Cloud App Discovery” in the new Azure portal; an Azure AD Premium license must be assigned first. Cloud App Discovery enables you to:
    • Discover cloud applications in use within your organization
    • Identify which users in your organization are using an application
    • Export data so you can analyze it offline in other tools
    • Prioritize applications to bring under IT control, with single sign-on and user management.

Office 365

  • Equinix, AT&T and BT will be the first MPLS carriers to offer private connectivity between Office 365 and on-premises networks, coming in Q3 2015. This enables end-to-end QoS, which matters for the Skype for Business Online (formerly Lync Online) capabilities coming in September that will bring PSTN dial tone for inbound and outbound enterprise voice calls in the cloud.
  • Sway is now part of Office 365. See this blog post for more information.

  • Office Delve organizational analytics provides an interactive dashboard for teams and individuals to identify key trends across employee engagement, team connections and even views like work-life balance.

  • Significant improvements in Office 365 Video management are coming. Admins will have the ability to remove or manage posted videos. Ability to share externally is coming too.

  • Significant improvements in Office 365 Groups management are coming (naming conventions, etc). A mobile app for Groups is coming.

  • Riverbed WAN optimization appliances can de-duplicate Exchange Online and SharePoint Online traffic by having your internal CA issue the appliance a certificate that masquerades as Outlook.com or SharePoint.com. That is TLS interception: the appliance terminates your users’ HTTPS sessions with a certificate clients accept only because it chains to a CA you pushed to them, so it handles all of that mail and document traffic in the clear, and the CA key that signs those certificates becomes a high-value target. The payoff quoted was a 90% reduction in Exchange Online traffic, and a 20 MB download from SharePoint Online that would normally take about 60 seconds was 33x faster with Riverbed.

  • There is a new compliance center for Office 365 coming that will allow you to create one DLP policy that will then apply to SharePoint Online, OneDrive, Exchange and also the Office 2016 clients. For example, you can be in an Excel worksheet and type in a credit card number and you will get a policy tip notification that it is a violation of policy to have credit card data in Excel. Interesting!

  • There is a new Knowledge Management Portal for Office 365. Delve Boards are the building blocks. “Add to board” button will be added everywhere throughout Office 365.

  • This doesn’t belong in this category, but SharePoint 2010 farms will not have a direct upgrade path to SharePoint 2016. They will have to be upgraded to 2013 first (double-hop migration).

  • Modern Authentication for Office 2013 clients. http://channel9.msdn.com/Events/Ignite/2015/BRK3136
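The Riverbed approach above only works because the appliance terminates TLS with a certificate your clients accept, which is worth verifying from a client. As an added example (not from the original post, Microsoft or Riverbed), this PowerShell function opens a TLS session to an Office 365 endpoint and reports the certificate chain the client actually received; the host name outlook.office365.com and the internal CA name pattern 'Contoso' are placeholders you would swap for your own tenant endpoint and CA.

```powershell
# Added example, not part of the original post. Shows which CA issued the certificate
# a client actually receives for an Office 365 endpoint. If a WAN optimizer (or any
# other TLS-intercepting device) is in the path, the issuer will be your internal CA.
function Get-TlsCertificateChain {
    param(
        [Parameter(Mandatory)][string]$HostName,   # assumed endpoint, e.g. outlook.office365.com
        [int]$Port = 443
    )
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any certificate here: the point is to look at what was presented,
        # not to enforce trust. Do not reuse this callback in production code.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)   # sends SNI for $HostName
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        # Build the chain the way Windows would for this machine's trust stores.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $null = $chain.Build($leaf)
        $chain.ChainElements | ForEach-Object {
            [pscustomobject]@{
                Subject    = $_.Certificate.Subject
                Issuer     = $_.Certificate.Issuer
                Thumbprint = $_.Certificate.Thumbprint
                Protocol   = $ssl.SslProtocol
            }
        }
    } finally {
        $client.Close()
    }
}

# 'Contoso' is a placeholder for a distinguishing part of your internal CA's name.
$internalCaPattern = 'Contoso'
$elements = Get-TlsCertificateChain -HostName 'outlook.office365.com'
$elements | Format-Table Subject, Issuer -AutoSize
if ($elements.Issuer -match $internalCaPattern) {
    Write-Warning "TLS to outlook.office365.com is being terminated by a device using your internal CA; that device sees this traffic in the clear."
} else {
    "Chain ends at '$($elements[-1].Issuer)'; no internal-CA issuer seen."
}
```

Run it from a workstation on the optimized network segment, not from the data center, since the interception only happens on the client side of the appliance; a leaf issued by your own CA for a Microsoft host name is the tell-tale of interception.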

Exchange 2016

  • Architecture: the Client Access Server (CAS) role goes away; its services are folded into the Mailbox role. http://blogs.technet.com/b/exchange/archive/2015/05/05/exchange-server-2016-architecture.aspx
  • Deploying 2016
  • Exchange Server is now supported in Azure IaaS on Azure premium storage. Why anyone would do this… is for another blog post.
  • OAuth configuration now has a wizard in Exchange 2013 and 2016. This enables cross-premises eDiscovery and MRM. Cross-premises free/busy will also attempt OAuth first before falling back to the Microsoft Federation Gateway, so it is a good idea to configure OAuth when possible. Why not?

Skype for Business

  • Broadcast meetings support up to 10,000 participants (up from 250 in Lync Online).
  • IIS ARR (Application Request Routing) servers can be configured as edge caches, so users view the Skype broadcast meeting from the local cache rather than hammering the internet egress.
  • The Call Quality Dashboard is available for download. It offers aggregated call quality information for on-premises deployments. In addition to a set of system reports created as part of the install to help you view and diagnose network infrastructure issues affecting call quality, you can quickly create additional reports tailored to your needs.
    http://www.microsoft.com/en-us/download/details.aspx?id=46916
  • To get the new Skype directory to appear, you need to remove the previously configured Skype Public Provider.
    See this article for more information: Enabling Skype Federation with Skype for Business Server or Skype for Business Online

Microsoft Operations Management Suite (OMS)

  • Click (here) for more details.
  • Includes Security Threat Analysis

Windows 10

  • Cortana is connected to Power BI from the Windows 10 Start menu.

  • Device Guard in Windows 10

  • Windows Update for Business

Devops

Nano Server is a tiny version of Windows Server. Remember Windows Server Core? It’s like that but 20 times smaller, hence the name “Nano.” In the demo I saw, the whole server consumed only 128 MB of RAM and only 500 MB of hard disk space. Wow! From what I can tell, it is only managed externally through WMI or PowerShell, so there is no GUI or security logon inside it.

Nano Server was previously announced in April, but there were several more sessions on it at Ignite. Nano Server is best understood in the context of DevOps and Docker-style containerization. From what I can tell, Nano has little use outside of a development strategy that includes containerization (aka Docker).

Catching Up

All the Ignite sessions and PPT presentations are available on Channel 9 and here.

Vlad Catrinescu (MVP) posted a PowerShell script on TechNet that downloads all the Ignite videos and presentations. Or, if you don’t have 300 GB of disk space, you can pass a keyword filter to download just the content you want, e.g.:

.\downloadignitevideosandslidesv4.ps1 -keyword "SharePoint,Azure,System Center"
https://gallery.technet.microsoft.com/all-the-Ignite-Videos-and-b952f5ac

Read my LinkedIn post “Suggestions for staying on top of technology trends”.

Random Insights