Santhosh Sivarajan's Blog

PoweShell TTUC (Tips, Tricks and Useful Commands) #114 – Move Files and Folders

noreply@blogger.com (Blog-5) — Fri, 30 Mar 2018 07:00:00 +0000

PowerShell TTUC (Tips, Tricks and Useful Commands) - #114

Create a folder and assign appreciate permission using PowerShell

$OutputLocation = "C:\Temp\Folder1"
$adminUser = "Domain\Admin1"

#
if (-not(test-path $OutputLocaiton)) #verify the existance of "C:\Temp\Folder1" fodler
{
#if not create a new folder
New-Item -ItemType directory -Path $OutputLocaiton | out-null
$cACL = Get-Acl $OutputLocaiton
$nACL = New-Object system.security.accesscontrol.filesystemaccessrule($adminUser,"Fullcontrol","Allow")
$cACL.SetAccessRule($nACL)
Set-Acl $OutputLocaiton $cACL

}

Reference - How to Handle NTFS Folder Permissions, Security Descriptors and ACLs in PowerShell

Update Group Membership – PowerShell Script

noreply@blogger.com (Blog-5) — Mon, 26 Mar 2018 07:00:00 +0000

If you have multiple domains or performing a user or group migration, you may need to manually update (depend on your scenario) the source or target group membership. This script can be used to update group membership based on source user’s group membership. The input for this script the user name (sAMAccountName) and it assumes that the source and target sAMAccountName are the same.

Input file (Users.csv) Format:

Script validates users in the source domain and collect “memberof” details and then add the target user (migrated user) to the same group. At the end of the operation, the source user and the target user (migrated user) will be part of same security group in the source domain.

You can see some other “Update Group Membership” script here - http://portal.sivarajan.com/2014/01/update-group-membershippowershell-script.html

Script:

# Update Group Membership

# Santhosh Sivarajan (Santhosh@Sivarajan.Com)

Clear

Import-Module ActiveDirectory

$userN = ""

$GroupDetails = ""

$Group = ""

$GroupsDN = ""

$uValidation = ""

$tagetDomain = "labanddemo.com"

$Cdate = (Get-Date).tostring("dd-MM-yyyy-hh-mm-ss")

$SGBeforeUpdateFile = New-Item -type file -force "C:\Temp\Groups_Before_$Cdate.csv"

$SGAfterUpdateFile = New-Item -type file -force "C:\Temp\Groups_After_$Cdate.csv"

Import-CSV "C:\Temp\Users.csv" | % {

$userN = $_.userName

$sourceDomain = $_.Domain

$uValidation = Get-ADUser -filter {sAMAccountName -eq $userN} -Server $tagetDomain

If($uValidation -eq $Null)

{

Write-Host "User $userN Doesn't Exist in $tagetDomain Domain"

$errorFile = New-Item -type file -force "C:\Temp\Error_$Cdate.csv"

"User $userN Doesn't Exist in $tagetDomain Domain"| Out-File $errorFile -encoding ASCII -append

}

Else

{

$userN | Out-File $SGBeforeUpdateFile -encoding ASCII -append

$GroupDetails = get-aduser -Server $sourceDomain -identity $userN -Properties memberof

$GroupsDN = $GroupDetails.memberof

$GroupsDN | Out-File $SGBeforeUpdateFile -encoding ASCII -append

foreach ($Group in $GroupsDN)

{

$MigrateduserN = Get-ADUser $userN -Server $tagetDomain -Properties DistinguishedName

Write-host "Adding User -> $MigrateduserN"

Write-host "To Group -> $Group"

Add-ADGroupmember -Server $sourceDomain -Identity $Group -Members $MigrateduserN

$members = Get-ADGroupmember -Server $sourceDomain -Identity $Group

$GroupName = Get-ADGroup -Server $sourceDomain $Group

$GroupName.Name | Out-File $SGAfterUpdateFile -encoding ASCII -append

$members.distinguishedName | Out-File $SGAfterUpdateFile -encoding ASCII -append

Write-host "....Done!" -ForegroundColor Green

Write-host ""

}

Download:

You can also download the script from the following locations:

OneDrive
TechNet Gallery

Group Membership Report – PowerShell Script

noreply@blogger.com (Blog-5) — Fri, 23 Mar 2018 07:00:00 +0000

Another “Group Membership Report” script. You can see some of the previous versions here - http://portal.sivarajan.com/2010/08/list-group-members-in-active.html.

This script provides the group membership details based on user name. You can include all user names in an input file (Users.csv) in the following format:

Script uses Get-ADUser cmdlet to validate the user first then get the user membership using the “memberof” properties. Output/report will be in the GMReport_$Cdate.csv file. Error message will be captured in Error_$Cdate.csv file.

Script:

#Group Membership Report – PowerShell Script

#Santhosh Sivarajan (santhosh@sivarajan.com)

Clear

Import-Module ActiveDirectory

$userN = ""

$GroupDetails = ""

$Group = ""

$GroupsDN = ""

$uValidation = ""

$Cdate = (Get-Date).tostring("dd-MM-yyyy-hh-mm-ss")

$Report = New-Item -type file -force "C:\Temp\GMReport_$Cdate.csv"

Import-CSV "C:\Temp\Users.csv" | % {

$userN = $_.userName

$sourceDomain = $_.Domain

$uValidation = Get-ADUser -filter {sAMAccountName -eq $userN} -Server $sourceDomain

If($uValidation -eq $Null)

{

Write-Host "User $userN Doesn't Exist in $sourceDomain Domain"

$errorFile = New-Item -type file -force "C:\Temp\Error_$Cdate.csv"

"User $userN Doesn't Exist in $sourceDomain Domain"| Out-File $errorFile -encoding ASCII -append

}

Else

{

$userN | Out-File $SGBeforeUpdateFile -encoding ASCII -append

$GroupDetails = get-aduser -Server $sourceDomain -identity $userN -Properties memberof

$GroupsDN = $GroupDetails.memberof

$GroupsDN | Out-File $SGBeforeUpdateFile -encoding ASCII -append

}

Download:

You can also download the script from the following locations:

OneDrive
TechNet Gallery

Advanced Threat Analytics–Attack Simulation and Demo – Part1

noreply@blogger.com (Blog-5) — Fri, 22 Dec 2017 08:00:00 +0000

Advanced Threat Analytics–Attack Simulation and Demo–Part1

Advanced Threat Analytics–Attack Simulation and Demo–Part2

Advanced Threat Analytics–Attack Simulation and Demo–Part3

Suspicious Activity Simulation #1 – ATA Gateway Stopped Communicating

We will start with the most obvious one! – ATA communication issue. In this scenario, I am using ATA Light Weight Gateway(LWGW). In this case Microsoft Advanced Threat Analytics Gateway (ATAGateway) service should be running on Domain Controllers.

To simulate this scenario,

Identify all Domain Controllers from the forest/domain. You can use the following DSQUERY command to get all DCs from the domain.
- DsQuery Server -Forest
Stop the ATAGateway service remotely
- Here are a few scripts - Script1 or Script2 or Script3 – if you want to go a script based approach
- Or we can use a simple SC command – SC \\Lab-DC01 stop ATAGateway

You will receive the following high alert – ATA Gateway Stopped Communicating – in Health Center.

Suspicious Activity Simulation #2- Honey Token Account Activities

In general, the Honey Token accounts are non-interactive accounts. These accounts can be dummy accounts for detect malicious activities.

To simulate this scenario,

Create two 2 user accounts in Active Directory (ATA-Test1 and ATA-Test2)
Add ATA-Test2 to Domain Admins group
Get the SID of ATA-Test1 and ATA-Test2 using PowerShell or DSQUERY command
- dsquery * -filter (samaccountname=ata-test1) -attr objectsid (Reference)
- Get-ADUser Ata-test1 -Properties objectSID (Reference)
Add this SID as Honey token accounts (ATA Console –> Configuration –> Detection –> Honeytoken Account SIDs). Save the configuration.
Establish an integrative logon session using these accounts. You can RDP into a machine use these accounts

Honey Token accounts (non-sensitive)

You will receive the following alert/email with recommended actions in the ATA console.

Honey Token accounts (Sensitive)

Since ATA-Test2 account is a domain admin account, you will receive the same alert with "Sensitive (S )" indicating that this account is a high privileged account in Active Directory.

Suspicious Activity Simulation #3 – Massive Object Deletion

Bulk object deletion can be a suspicious activity in an Active Directory environment. ATA can alert alert you based on massive object deletion activities.

To simulate this scenario,

Create a few users in Active directory. Here is a sample PowerShell script which you can use to create test accounts in Active Directory

Clear
Import-module activedirectory
$pass = ConvertTo-SecureString "MyPassword0!" –asplaintext –force
for ($i=0;$i -lt 100;$i++)
{
$accountname = "Test-Account$i"
Write-Host "Creating $accountname" -NoNewline
New-ADUser –SamAccountName $accountname –name $accountname -OtherAttributes @{'description'="ATA Test User Account"} -Path "OU=Test Accounts,OU=User Accounts,DC=labanddemo,DC=com"
Set-ADAccountPassword –identity $accountname –NewPassword $pass
Write-Host "...Done"
}

Make sure ATA is "learned" about these account.
Delete these accounts from Active Directory

You will receive the Massive Object Deletion alert in the ATA console right away as shown below.

Suspicious Activity Simulation #4 - Reconnaissance using DNS

The DNS or name resolution information in a network would be useful reconnaissance information. In general, DNS data contains a list of all the servers and workstations and the mapping to their IP addresses. Verifying this information may provide attackers with a detailed view of the environment allowing attackers to focus their efforts on the relevant entities.

For this simulation, the plan is to perform a DNS zone lookup using NSLOOKUP LS command.

To simulate this scenario,

Logon to a remote server.
Open Command Prompt and run NSLOOKUP command
From the NSLOOKUP window, run LS command to list the DNS zone

You will receive the following Reconnaissance using DNS alert the ATA console.

Advanced Threat Analytics–Attack Simulation and Demo–Part1

Advanced Threat Analytics–Attack Simulation and Demo–Part2

Advanced Threat Analytics–Attack Simulation and Demo–Part3

Configuring Deepnet Security SafeID OATH Token with Microsoft Azure MFA Server

noreply@blogger.com (Blog-5) — Sat, 11 Nov 2017 08:00:00 +0000

Related Blogs:

Configuring YubiKey / Yubico OATH Token with Microsoft Azure MFA Server - http://portal.sivarajan.com/2016/06/configuring-yubikey-yubico-oath-token.html
Azure MFA with pGina and Local Authentication - http://portal.sivarajan.com/2015/09/azure-mfa-with-pgina.html

Azure MFA Server –Authentication Types (Part I) - http://portal.sivarajan.com/2016/05/azure-mfa-serverauthentication-type.html
Azure MFA Server –Authentication Types (Part II) - http://portal.sivarajan.com/2016/06/azure-mfa-server-authentication-type.html

Microsoft Azure MFA on-premises server supports a time based OATH (OATH – TOTP) third party tokens. This is an alternative to using the Azure Authenticator Mobile App as an OATH token. You can see other MFA authentication options in my Azure MFA Server–Authentication Types (Part I) and Azure MFA Server–Authentication Types (Part II) blogs. The OATH tokens can be added or imported prior to being associated with a user. Administrators can associate users and tokens in the Multi-Factor Authentication Server or the User Portal. Users can associate themselves with an OATH token during User Portal enrollment or using the OATH Token menu option when the User Portal is configured to provide this functionality. A bulk token import and configuration is also supported by MFA Server . An administrator can import OATH Token records from an input file . The secret keys must be in Base32 format.

This blog provides step-by-step instructions in configuring Deepnet SafeID OATH token with Microsoft Azure MFA server. I am using DeepNet Security's SafeID Classic model for this testing. You can review different token models and details on their website.

Requirements:

The following are the pre-requirements to complete this configuration.

Microsoft Azure MFA on-premises server
Deepnet SafeID hardware
Secret Key for your DeepNet SafeID. You will receive an email with Secret Key after the purchase.

Review the following Azure MFA Server Authentication Types blog if you are not familiar with authentication configuration in Azure MFA Server:

Azure MFA Server –Authentication Types (Part I) - http://portal.sivarajan.com/2016/05/azure-mfa-serverauthentication-type.html
Azure MFA Server –Authentication Types (Part II) - http://portal.sivarajan.com/2016/06/azure-mfa-server-authentication-type.html

Azure MFA Server – Configuration for third Party OATH

First step in this process is to add third party OATH Tokens in Azure MFA Server. You can either add these tokens individually or perform a bulk import using an input file.

To add an OATH token,

Logon to your MFA application server. Open Multi-Factor Authentication Server UI and Select OATH Token icon.
Click Add option from OATH Token window.
Enter your Secret Key token Details
1. Serial Number – Required. Enter the serial number of your SafeID. This will be in the back of the Secret Keyas shown below or it will be the email you received from DeepNet.
3. Secret Key – Required. This is the Secret Key (Base32). You have to receive this information from DeepNet. You will receive an email from Deepnet with Secret Key after the purchase
4. Manufacturer – Optional. Enter DeepNet Security as the manufacturer.
5. Model – Optional. Enter SafeID as model type.
6. Start date – Optional
7. Expiration date – Optional
8. Time interval – Required. Select 60 seconds.
9. Username: Associate a user with this OATH token. You can manually enter the username or Select Useroption to identify a user.
11. Click OK to complete. The Synchronize OATH Token dialog will prompt for the current OATH code to synchronize the OATH token and verify the configuration.
13. Enter the current code from DeepNet SafeID from the Synchronize OATH Token window to complete token configuration in MFA Server. Click OK.

Note1: MFA server validates the OATH code against the OATH token secret key and synchronizes the OATH token's time if they are valid. If there are not valid, you will see the following error message:

Note2: Azure Multi-Factor Authentication Server supports bulk import of token records by using an input CSV file. The file must be in a supported format and may be partially or fully encrypted with a password.

Sample Input File

To perform a bulk import,

Note3: you may receive the following error message when you click on Import button. There is an update/hotfix for this issue.

Unhandled exception has occurred in your application. If you click Continue, the application will ignore this error and attempt to continue. If you click Quit, the application will close immediately.

Could not load file or assembly ‘PfPskcClr, Version=0.0.0.0, Culture=neutral, PublicKey Token=null’ or one of its dependencies. A strongly-named assembly is required. (Exception from HRRESULT:0X8013100)

Azure MFA Server – End User Validation Using DeepNet SafeID OATH Token

The final step in this process is to validate the DeepNet SafeID configuration and authentication experience from an end user perspective.

To configure OATH token as the authentication type for an end user:

From Multi-Factor Authentication Server UI, Select Users icon
From right pane, open the user properties by double clicking the user object.
This will open User Properties / Edit User window as shown below. Make sure that the OATH Token is selected as the authentication type for this test user.
To validate this configuration, select out test user object and from the bottom of the window, select Test option.
User will be prompted for first /primary authentication using a user name and password. Enter the User name and Password for the user, then click Test.
Then it will prompt you for the secondary authentication. In this scenario, it the OATH Code.
Get the current OATH code from your DeepNet SafeID.
Enter the current code in the OATH Code window in the MFA application . Click OK.
You will see the authentication status/result as shown below:

Related Blogs:

Configuring YubiKey / Yubico OATH Token with Microsoft Azure MFA Server - http://portal.sivarajan.com/2016/06/configuring-yubikey-yubico-oath-token.html
Azure MFA with pGina and Local Authentication - http://portal.sivarajan.com/2015/09/azure-mfa-with-pgina.html

Azure MFA Server –Authentication Types (Part I) - http://portal.sivarajan.com/2016/05/azure-mfa-serverauthentication-type.html
Azure MFA Server –Authentication Types (Part II) - http://portal.sivarajan.com/2016/06/azure-mfa-server-authentication-type.html

Configuring YubiKey / Yubico OATH Token with Microsoft Azure MFA Server

noreply@blogger.com (Blog-5) — Fri, 13 Oct 2017 07:00:00 +0000

Related blogs:

Configuring Deepnet Security SafeID OATH Token with Microsoft Azure MFA Server - http://portal.sivarajan.com/2016/07/configuring-deepnet-security-safeid.html
Azure MFA with pGina and Local Authentication - http://portal.sivarajan.com/2015/09/azure-mfa-with-pgina.html

Azure MFA Server –Authentication Types (Part I) - http://portal.sivarajan.com/2016/05/azure-mfa-serverauthentication-type.html
Azure MFA Server –Authentication Types (Part II) - http://portal.sivarajan.com/2016/06/azure-mfa-server-authentication-type.html

Requirements:

The following are the pre-requirements to complete this configuration.

YubiKey Personalization Tool – Installation and Configuration

Microsoft Azure MFA server supports only the OATH TOTP (time-based) tokens. So you need to make sure that your YubiKey is in Yubico OTP Mode using the YubiKey Personalization Tool. Other configurations are optional for Microsoft Azure MFA server configuration and testing.

The YubiKey Personalization Tool can be used to program the two configuration slots. Also, it can be used to personalize the YubiKey in the following modes:

Yubico OTP
OATH-HOTP
Static Password
Challenge-Response

Download YubiKey Personalization Tool and run yubikey-personalization-gui-3.1.24.exe file to compete the tool installation.

Insert YubiKey into the USB port. You may see the Device Setup windows as shown below. Complete the drive installation process.
Open YubiKey Personalization Tool. Make sure:
1. YubiKey Personalization Tool has successfully identified your YubiKey.
3. Yubico OTP displayed as supported method in Features Supported section.
You will see all the current OTP configuration in Yubico OTP tab shown below. I am going to a use the default configuration for this testing.

YubiCo Authenticator Application – Installation and Configuration

Download YubiCo Authenticator Application and run yubioath-desktop-3.0.1-win.exe file to complete the application installation.

Open YubiCo Authenticator Application
From File menu, select Add option (File –> Add)
From the New Credential window:
1. Enter Credential Name – An identifier or a display name for the credential.
2. Secret Key – It is a Base32 key. Review this If you are not familiar with supported numbers or characters in Base32 encoding.
3. Select Time based (TOTP) option. Microsoft Azure MFA server supports only the OATH TOTP (time-based)tokens.
4. Number of digits – You can select 6 or 8 digits as OATH token length.
6. Require touch - If you select this option, end user has to touch the YubiKey to generate an OATH token. User will prompted with the following message:
8. Click OK to save the configuration
10. You will see the newly add account in the Yubico Authenticator window.

Now we have completed the YubiKey account configuration. We can move on to Azure MFA server to configure the OATH token.

Azure MFA Server - Configuration for third Party OATH

Review the following Azure MFA Server Authentication Types blog if you are not familiar with authentication configuration in Azure MFA Server:

Azure MFA Server –Authentication Types (Part I) - http://portal.sivarajan.com/2016/05/azure-mfa-serverauthentication-type.html
Azure MFA Server –Authentication Types (Part II) - http://portal.sivarajan.com/2016/06/azure-mfa-server-authentication-type.html

To add OATH Token in Azure MFA Server,

Open Multi-Factor Authentication Server UI and Select OATH Token icon.
Click Add option from OATH Token window.
Enter your YubiKey token Details
1. Serial Number – Required. Enter the YubiKey serial number. This will be in the back of the Yubikey as shown below:
3. Secret Key – Required. This is the Secret Key (Base32) you have configured using the Authentication Application.
4. Manufacturer – Optional. Enter Youbico as the manufacturer.
5. Model – Optional. Enter your YubiKey model type.
6. Start date – Optional
7. Expiration date – Optional
8. Time interval – Required. You can select the default 30 seconds value. By default, YubiKey changes the 6-8 digit code every 30 seconds.
9. Username: Select the user for this OATH token. You manually enter the username or Select User option to identify a user.
10. Click OK to complete. The Synchronize OATH Token dialog will prompt for the current OATH code to synchronize the OATH token and verify the configuration.
12. Generate a new OATH from Yubico Authentication app using the button.
14. Enter this code in the Synchronize OATH Token window to complete token configuration in MFA Server.

Sample Input File

To perform a bulk import,

Select OATH Token icon and select Import.
Select the input file and click Import.

Note3: you may receive the following error message when you click on Import button. There is an update/hotfix for this issue.

Unhandled exception has occurred in your application. If you click Continue, the application will ignore this error and attempt to continue. If you click Quit, the application will close immediately.

Azure MFA Server – End User Validation Using YubiKey OATH Token

The final step in this process is to validate the YubiKey configuration and authentication experience from an end user perspective.

To configure OATH token as the authentication type for an end user:

From Multi-Factor Authentication Server UI, Select Users icon
From right pane, open the user properties by double clicking the user object.
This will open User Properties / Edit User window as shown below. Make sure that the OATH Token is selected as the authentication type for this test user.
To validate this configuration, select out test user object and from the bottom of the window, select Test option.
User will be prompted for first /primary authentication using a user name and password. Enter the User name and Password for the user, then click Test.
Then it will prompt you for the secondary authentication. In this scenario, it the OATH Code.
To generate a new OATH code, open Yubico Authenticator App and pressing the button . The OATH code will be displayed as shown below:
Enter the current OATH code in the OATH Code in the MFA application window. Click OK.
You will see the authentication status/result as shown below:

Related blogs:

Configuring Deepnet Security SafeID OATH Token with Microsoft Azure MFA Server - http://portal.sivarajan.com/2016/07/configuring-deepnet-security-safeid.html
Azure MFA with pGina and Local Authentication - http://portal.sivarajan.com/2015/09/azure-mfa-with-pgina.html

Azure MFA Server –Authentication Types (Part I) - http://portal.sivarajan.com/2016/05/azure-mfa-serverauthentication-type.html
Azure MFA Server –Authentication Types (Part II) - http://portal.sivarajan.com/2016/06/azure-mfa-server-authentication-type.html

Enable Phone Sign-In–Microsoft Authenticator

noreply@blogger.com (Blog-5) — Tue, 18 Apr 2017 23:26:00 +0000

Alex Simons has recently blogged on "No password, phone sign in for Microsoft accounts". This a great enhancement in Microsoft second factor or "no password" technology.

There are a few things you need to consider to complete "phone sign" option.

If you have Microsoft Authenticator configured for your personal account, you will see an option from the dropdown menu to select Enable phone sign-in.

But you don't see this option If you are adding a new Microsoft account on an iPhone. Microsoft will automatically set it up for you by default. So add your Microsoft Account and login to a Microsoft service using this account. You will see an additional "password less" (use the Microsoft Authenticator app instead) sign in option as shown below:

If you don't configure or add your Microsoft account in your Authenticator App, you don't see a "use the Microsoft Authenticator app instead" option. Instead, you will have only see the password sign-in option as shown below:

You will see the following verification message on your login screen and on your mobile device.

If you are adding a new account on an Android device , It will be enabled by default and prompt you to complete it.

Duplicate Attribute Resiliency - New Identity Synchronization Feature

noreply@blogger.com (Blog-5) — Fri, 31 Mar 2017 14:51:00 +0000

I just received an email with a subject of "New Identity Synchronization Feature Being Enabled - Duplicate Attribute Resiliency". Microsoft has provided detailed information in this email. I thought that was interesting and of course very useful! Great job Microsoft and looking forward to receiving these types of additional information about upcoming features.

Here are the details of Duplicate Attribute Resiliency:

A new feature called Duplicate Attribute Resiliency is being introduced in order to eliminate friction caused by duplicate UserPrincipalName and ProxyAddress conflicts when running one of Microsoft’s synchronization tools. This new feature is being rolled out across all of Azure Active Directory, and will be enabled for your tenant on 04/19/2017. The new behavior that this feature enables is in the cloud portion of the sync pipeline, therefore it is client agnostic and relevant for any Microsoft synchronization product including Azure AD Connect, DirSync and MIM + Connector. Please read on to learn how this change impacts the way Azure Active Directory handles these specific certain types of Identity synchronization errors.

Current behavior

If there is an attempt to provision a new object with a UPN or ProxyAddress value that violates this uniqueness constraint, Azure Active Directory blocks that object from being created. Similarly, if an object is updated with a non-unique UPN or ProxyAddress, the update fails. The provisioning attempt or update is retried by the sync client upon each export cycle, and continues to fail until the conflict is resolved. An error report email is generated upon each attempt and an error is logged by the sync client.

New Behavior - with Duplicate Attribute Resiliency

Instead of completely failing to provision or update an object with a duplicate attribute, Azure Active Directory “quarantines” the duplicate attribute which would violate the uniqueness constraint.
If this attribute is required for provisioning, like UserPrincipalName, the service assigns a placeholder value. The format of these temporary values is “+<4digitnumber>@.onmicrosoft.com”.
If the attribute is not required, like a ProxyAddress, Azure Active Directory simply quarantines the conflict attribute and proceeds with the object creation or update.
Upon quarantining the attribute, information about the conflict is sent in the same error report email used in the old behavior. However, this info only appears in the error report one time, when the quarantine happens, it does not continue to be logged in future emails. Also, since the export for this object has succeeded, the sync client does not log an error and does not retry the create / update operation upon subsequent sync cycles.

The way all other types of errors are processed remains unchanged, this feature is only relevant for duplicate UserPrincipalName and ProxyAddress conflicts.

To read more about the behavior change along with identifying and resolving conflicts, please see this article: Identity synchronization and duplicate attribute resiliency

Azure MFA Server –Authentication Types (Part II)

noreply@blogger.com (Blog-5) — Thu, 16 Feb 2017 15:40:00 +0000

Azure MFA–Authentication Type (Part I)

Azure MFA–Authentication Type (Part II)

Original post - http://portal.sivarajan.com/2016/05/azure-mfa-serverauthentication-type.html

http://portal.sivarajan.com/2016/06/azure-mfa-server-authentication-type.html

The Microsoft Azure Multi-Factor Authentication (MFA) provides various authentication types when using an on-premises MFA server. The Company Settings section allows the Multi-Factor Authentication (MFA) administrator to define company wide settings for all users.

The administrators can also make (or override) individual user configuration from User Section.

An end user can make their own sections from the the User Portal.

In general, the following authentication modes are available when using an on-premises MFA server. The purpose of this blog is to explain each of these authentication types and expected result with screenshots.

Phone call (Standard)
Phone call (PIN)
Text message (One-way OTP)
Text message (Two-way OTP)
Text message (One-way OTP + PIN)
Text message (Two-way OTP + PIN)
Azure Authenticator application (Standard)
Azure Authenticator application (PIN)
Azure Authenticator application (OATH token)
Third Party OATH token

In this blog, I will be covering the following authentication types.

Azure Authenticator application (Standard)
Azure Authenticator application (PIN)
Azure Authenticator application (OATH token)
Third Party OATH token

Review Part I of this blog for other authentication type details.

The Azure Mobile App mode results in a notification being sent to the user's Azure Authenticator mobile app. There are 2 different modes for Mobile App – Standard and PIN mode.

Azure Authenticator application -Standard

In this mode, user will be prompted for primary authentication using a user name and password and the second authentication is when the user receives a notification in the Azure Authenticator mobile app.

Expected Result

In Standard Mode, users will prompted to authenticate, deny, or deny and report fraud as shown below:

Azure Authenticator application – PIN

The PIN mode enhances the security of the Multi-Factor Authentication by requiring the user enter a PIN in the Azure Authenticator mobile app.

Expected Result

Azure Authenticator application - OATH token

Oath Token mode results in the user being prompted for an OATH code to authenticate with Multi-Factor Authentication. Time-based OATH codes can be generated by the Azure Authenticator Mobile App or a third-party token. We will start with Azure Authenticator Mobile App. As shown in the following screenshot, the OATH Tokens (Enable OATH Tokens) must be enabled in the MFA Server console to display a Time-based OATH codes in Azure Authenticator Mobile App. keep in mind that the OATH Token method is only supported by RADIUS Authentication and IIS Authentication Form-Based Authentication.

After the activation of Mobile App, users can select OATH token mode from the User Portal or an administrator can configure this from a MFA server console.

Expected Result

A Time-based OATH codes will be generated by Azure Authenticator Mobile App as shown below.

This code needs to entered in the respective application to complete the second factor authentication.

Third Party OATH token

Azure MFA server supports a time based OATH (OATH – TOTP) third party tokens. This is an alternative to using the Azure Authenticator mobile app as an OATH token (see the above scenario - Azure Authenticator application -Standard). OATH tokens can be added or imported prior to being associated with a user. Administrators can associate users and tokens in the Multi-Factor Authentication Server (as shown below) or the User Portal. Users can associate themselves with an OATH token during User Portal enrollment or using the OATH Token menu option when the User Portal is configured to provide this functionality. A bulk token import and configuration is also supported by MFA Server . An administrator can import OATH Token records from an input file . The secret keys must be in Base32 format.

For this scenario, I am using Yubikey 4 (Yukico) OATH token as the third party OATH token. You need to use Yubico Authentication application to get the OATH code from Yukikey. Review my Azure MFA and Yubico OATH configuration blog for the configuration details.

The OATH token option is same as the Azure Authenticator mobile app configuration as shown below:

Expected Result

In this scenario, you will be using the Time-based OATH codes generated by Yubico Authenticator application.

This OATH code must be entered in the respective application to complete the second factor authentication.

If you have Azure Mobile App OATH and a third party OATH token active for the same user, both token code will be valid.

Azure MFA–Authentication Type (Part I)

Azure MFA–Authentication Type (Part II)

Azure MFA Server–Authentication Types (Part I)

noreply@blogger.com (Blog-5) — Thu, 16 Feb 2017 15:39:00 +0000

Azure MFA Server–Authentication Type (Part I)

Azure MFA Server–Authentication Type (Part II)

Original post - http://portal.sivarajan.com/2016/05/azure-mfa-serverauthentication-type.html

http://portal.sivarajan.com/2016/06/azure-mfa-server-authentication-type.html

The administrators can also make (or override) individual user configuration from User Section.

An end user can make their own sections from the the User Portal.

Phone call (Standard)
Phone call (PIN)
Text message (One-way OTP)
Text message (Two-way OTP)
Text message (One-way OTP + PIN)
Text message (Two-way OTP + PIN)
Azure Authenticator application (Standard)
Azure Authenticator application (PIN)
Azure Authenticator application (OATH token)
Third Party OATH token

We will start with standard Phone Call option. The Phone call authentication type has two sub options:

Phone call (Standard)
Phone call (PIN)

Authentication Type : Phone Call – Standard

Expected Result

In this mode, user will be prompted for first authentication using a user name and password and then the second authentication is based on the phone call as shown below:

The first authentication is based on the configuration in MFA. For example, for RADIUS, you an select the following options from the Target tab:

The “from” telephone number can be customized from azure console (https://manage.windowsazure.com/ –> Active Directory –> Configure –>Multi-factor Authentication –> Manage Service Settings –> Go to the Portal –> Configure –> Settings –> General Settings –> Caller ID Phone Number) as shown below:

Also, the Voice Messages can be customized based on your requirements. This option is available in https://manage.windowsazure.com/ –> Active Directory –> Configure –>Multi-factor Authentication –> Manage Service Settings –> Go to the Portal –> Configure –> Voice Message section.

Authentication Type : Phone Call – PIN

In this scenario, we will use Phone call with PIN option.

Expected Result

In this mode, user will be prompted for first authentication using a user name and password and then the second authentication is based on the phone. During the phone call, MFA will ask you to enter a personalized PIN.

The PIN creation and enforcement is based on the following configuration in user section.

You also have an option in Company Settings section to enforce default PIN rules as shown below:

The next authentication type is Text message. Text Message type has four sub options:

Text message (One-way OTP)
Text message (Two-way OTP)
Text message (One-way OTP + PIN)
Text message (Two-way OTP + PIN)

Authentication Type : Text message - One-way OTP

Expected Result

The user must enter this One-Time Passcode (OTP) in the respective application to complete the authentication request. You application must support Challenge – Response (Authentication Chaining).

Authentication Type : Text message – Two-way OTP

Expected Result

In this mode, user will be prompted for first authentication using a user name and password and then the second authentication is based on a text message containing a One-Time Passcode (OTP). The user must reply to the same text message by entering the provided OTP to complete the authentication request as shown below:

Authentication Type : Text message - One-way OTP + PIN

Expected Result

This One-Time Passcode (OTP) + PIN needs to be entered in the application to complete the authentication request.

The PIN values is based on the configuration in the user or Company Settings:

User settings:

Company Settings:

Authentication Type : Text message – Two-way OTP + PIN

Expected Result

In this mode, user will be prompted for first authentication using a user name and password and then the second authentication is based on a text message containing a One-Time Passcode (OTP) + PIN. The user must reply to the same text message by entering the provided OTP + their personal PIN to complete the authentication request as shown below:

I believe we have enough information and screenshots for this blog . I will cover the following authentication types in the Part-II of this blog:

Azure Authenticator application (Standard)
Azure Authenticator application (PIN)
Azure Authenticator application (OATH token)
Third Party OATH token

Azure MFA Server–Authentication Type (Part I)

Azure MFA Server–Authentication Type (Part II)

Happy New Year – Microsoft Most Valuable Professional (MVP) Award 2017

noreply@blogger.com (Blog-5) — Sun, 01 Jan 2017 16:04:00 +0000

Happy New Year – Microsoft Most Valuable Professional (MVP) Award

Received the Microsoft Most Valuable Professional (MVP) award this year also. Great start to 2017!

PowerShell - Send Test Email (Office 365) Using PowerShell

noreply@blogger.com (Blog-5) — Thu, 08 Dec 2016 15:22:00 +0000

Here is a sample PowerShell script which can be to test email communication using a SMTP server. In this script, I am using Office 365 SMTP server, smtp.office365.com.

Script:

$SMTPServer = "smtp.office365.com"

$EmailFrom = "Santhosh@virtualsecuritysolutions.com"

$EmailTo = "santhosh@ss-ts.com"

#Send-MailMessage Reference - https://msdn.microsoft.com/en-us/powershell/reference/5.1/microsoft.powershell.utility/send-mailmessage

Write-Host "`t`tSelect 1 - SMTP Test Message with No Attachmnet" -ForegroundColor Red

Write-Host "`t`tSelect 2 - SMTP Test Message" -ForegroundColor Red

$Option = Read-Host

Function EmailTest_No_Attachment

{

#with no attachement

$Cred = Get-Credential

$Sub = "SMTP Test Message - 1 - No Attachmnet"

$Bmessage = "SMTP Test Message - 1 with Attachment"

Send-MailMessage -From $EmailFrom -To $EmailTo -Subject $Sub -Body $Bmessage -SmtpServer $SMTPServer -Credential $cred -UseSsl -Port 587

}

Function EmailTest_With_Attachment

{

#with Attachment

$Cred = Get-Credential

$Sub = "SMTP Test Message - 1 with Attachment"

$Bmessage = "Test email body message - With Attachment"

$MyAttachment = "C:\temp\1.docx"

Send-MailMessage -From $EmailFrom -To $EmailTo -Subject $Sub -Body $Bmessage -Attachments $MyAttachment -SmtpServer $SMTPServer -Credential $cred -UseSsl -Port 587

}

Switch ($Option)

{

1 {EmailTest_No_Attachment}

2 {EmailTest_With_Attachment}

default {"Invalid Selection"}

}

Script download options:

1. OneDrive - https://1drv.ms/t/s!AuVEEHIwTxv9h4ZXLslcu1MzA8ZSqw

2. TechNet Gallery - https://1drv.ms/t/s!AuVEEHIwTxv9h4ZXLslcu1MzA8ZSqw

Windows Server 2016–Active Directory–Part1

noreply@blogger.com (Blog-5) — Thu, 20 Oct 2016 07:00:00 +0000

Part1 - Windows Server 2016 – Active Directory
Part 2 - Windows Server 2016 – Active Directory – Temporary Group Memberships

As you know, the latest version of Windows Server - Windows Sever 2016 - is currently available. It is available in Azure as well as I mentioned here. You can read “what is new with Windows Server 2016” in this Microsoft article here. In general, Windows Server 2016 provides:

Added layers of security - Enhance security and reduce risk with multiple layers of built-in protection.
New deployment options - Increase availability and reduce resource usage with the lightweight Nano Server.
Built-in containers - Develop and manage with agility thanks to Windows Server and Hyper-V containers.
Cost-efficient storage - Build highly available, scalable software-defined storage and reduce costs.
Innovative networking - Software-defined networking to automate with cloud-like efficiency.

I am not going to the details of Windows Server 2016 or it’s capabilities here. You can read all that information in the above mentioned URL. My plan is to start a new blog series on Windows Server 2016 and Active Directory functionalities. To begin this, I will add a new Widows Sever 2016 to my existing Active Directory 2012 domain and promote the Widows Sever 2016 as an additional domain controller. The Domain Promotion process is very similar to the previous versions of windows.
There is an upgrade to Active Directory Schema. Shema can be upgraded during the domain promotion process. The new Schema or ObjectVersionNumber is 87. Some addition information is included here in my TechNet wiki article. You can verify this by using ADSI Edit or DSQuery or PowerShell commands.
Get-ADObject (Get-ADRootDSE).schemaNamingContext -Property objectVersion

dsquery * CN=Schema,CN=Configuration,DC=labanddemo,DC=com -scope base -attr objectVersion

As a reference, I have provided the following table that lists the Active Directory Schema and the corresponding Object Version:

Active Directory	Object Version
Windows 2000	13
Windows 2003	30
Windows 2003 R2	31
Windows 2008	44
Windows 2008 R2	47
Windows 8 Beta	52
Windows 2012	56
Windows 2012 R2	69
Windows Server 2016	87

***ObjectVersion 39 - Please refer http://blogs.technet.com/b/askds/archive/2011/07/15/friday-mail-sack-peevish-nediquette-edition.aspx
Anyway, we can start this journey with DC promotion process. The following section provides step-by-step instructions.

Join computer to your exiting Active Directory Domain.

2. Click OK on the Welcome window and restart the server. After the reboot, this server will be member server in your existing Active Directory Domain. By default, this server will be in Computer Container.

3. Login to the server using a domain credentials (domain\username). You need to have proper permission to upgrade the schema and add an additional domain controller.

4. Next step is to add ADDS server roles onto your new Windows Server 2016 server. Open Server Manger and select Add Roles and Features option.

5. Click Next on the Before you begin window.

6. Select Role-based or Feature-based installation option. Click Next.

7. On the Select Destination Server window, select your local Windows Server 2016 server. Click Next.

8. From Server Roles option, select Active Directory Domain Services. Accept the additional Role Feature requirements. Click Add Features.

9. Click Next on the Select Features window.

10. Click Next on Active Directory Domain Services window.

11. Select Install option to begin AD DS role installation Process.

12. Now you have installed the AD DS role onto your new Windows Server 2016. Next step is to add an additional domain controller for your existing domain. As you can see on the following screenshot, you need to perform some cognition and post-deployment option to complete this task. Click Close.

From Server Manager, select Promote this server to a domain controller option. This will initiate the DCPROMO (Yes. I still like this word!) process.

14. As you can see on the following screenshot, you have 3 options:
1. Add a domain controller for an existing domain
2. Add a new domain to an existing forest
3. Add a new forest.
4. For this exercise, you will be selecting the first option - Add a domain controller for an existing domain
5. If you have only one domain and this new server is part of that domain, default domain name will be listed in the Domain column.
6. Provide a domain credential with proper permission to perform these tasks. If the current/logged in user doesn’t have sufficient permission, you can select Change option to enter a new credential.

15. From the Domain Controller Options window,
1. select the appropriate options for your environment. In my scenario, I will be selecting:
1. Domain Name System (DNS) server
2. Global Catalog (GC)
2. Provide a password for Directory Service Restore Mode (DSRM)
3. Click Next.

16. Click Next on the DNS Options window.

17. On the Additional Options window, select appropriate AD data replication option. I will be selecting Any Domain Controller option for this exercise. Click Next.

18. From Paths window, select appropriate path for AD Database and Log file. Click Next.

19. The next section will perform:
1. Forest and Schema peroration for Windows Server 2016.
2. Domain Preparation for Windows Server 2016.
3. Click Next to continue.

Click Next to continue and begin the Prerequisites Check.
Verify the Prerequisites Check result. Click Next to start the Domain Controller promotion process.

22. I have included the common Prerequisites warning information for your reference here.

Windows Server 2016 domain controllers have a default for the security setting named "Allow cryptography algorithms compatible with Windows NT 4.0" that prevents weaker cryptography algorithms when establishing security channel sessions.
For more information about this setting, see Knowledge Base article 942564 (http://go.microsoft.com/fwlink/?LinkId=104751).
This computer has at least one physical network adapter that does not have static IP address(es) assigned to its IP Properties. If both IPv4 and IPv6 are enabled for a network adapter, both IPv4 and IPv6 static IP addresses should be assigned to both IPv4 and IPv6 Properties of the physical network adapter. Such static IP address(es) assignment should be done to all the physical network adapters for reliable Domain Name System (DNS) operation.
A delegation for this DNS server cannot be created because the authoritative parent zone cannot be found or it does not run Windows DNS server. If you are integrating with an existing DNS infrastructure, you should manually create a delegation to this DNS server in the parent zone to ensure reliable name resolution from outside the domain "labanddemo.com". Otherwise, no action is required.

23. Reboot the server after completing the DCPROMO process. After the restart, the new Windows Server 2016 will be an additional domain controller in your existing domain. The Schema will be upgraded to Windows Server 2016.
I believe this is good for Part-1 of this blogs series. In Part-2, my plan to focus more on Active Directory related functionalities. Please post a comment here if you like to see an particular topic in this blog series.

Part1 - Windows Server 2016 – Active Directory
Part 2 - Windows Server 2016 – Active Directory – Temporary Group Memberships

Microsoft Advanced Threat Analytics (ATA) - Attack Simulation and Demo

noreply@blogger.com (Blog-5) — Wed, 05 Oct 2016 07:00:00 +0000

Microsoft Advanced Threat Analytics (ATA) is an user and entity behavior analytics solution to identify and protect protect organizations from advanced targeted attacks (APTs). You can read more information about Microsoft Advanced Threat Analytics (ATA) here. The purpose of this blog is to provide a few methods which can be used to simulate and demonstrate some of the basic attacks for demo and testing purpose.
Suspicious Activity Simulation #1 – ATA Gateway Stopped Communicating
We will start with the most obvious one! – ATA communication issue. In this scenario, I am using ATA Light Weight Gateway(LWGW). In this case Microsoft Advanced Threat Analytics Gateway (ATAGateway) service should be running on Domain Controllers.
To simulate this scenario,

Identify all Domain Controllers from the forest/domain. You can use the following DSQUERY command to get all DCs from the domain.
- DsQuery Server -Forest
Stop the ATAGateway service remotely
- Here are a few scripts - Script1 or Script2 or Script3 – if you want to go a script based approach
- Or we can use a simple SC command – SC \\Lab-DC01 stop ATAGateway

You will receive the following high alert – ATA Gateway Stopped Communicating – in Health Center.

Suspicious Activity Simulation #2- Honey Token Account Activities
In general, the Honey Token accounts are non-interactive accounts. These accounts can be dummy accounts for detect malicious activities.
To simulate this scenario,

Create two 2 user accounts in Active Directory (ATA-Test1 and ATA-Test2)
Add ATA-Test2 to Domain Admins group
Get the SID of ATA-Test1 and ATA-Test2 using PowerShell or DSQUERY command
- dsquery * -filter (samaccountname=ata-test1) -attr objectsid (Reference)
- Get-ADUser Ata-test1 -Properties objectSID (Reference)
Add this SID as Honey token accounts (ATA Console –> Configuration –> Detection –> Honeytoken Account SIDs). Save the configuration.
Establish an integrative logon session using these accounts. You can RDP into a machine use these accounts

Honey Token accounts (non-sensitive)
You will receive the following alert/email with recommended actions in the ATA console.

Honey Token accounts (Sensitive)
Since ATA-Test2 account is a domain admin account, you will receive the same alert with "Sensitive (S )" indicating that this account is a high privileged account in Active Directory.

Suspicious Activity Simulation #3 – Massive Object Deletion
Bulk object deletion can be a suspicious activity in an Active Directory environment. ATA can alert alert you based on massive object deletion activities.
To simulate this scenario,

Create a few users in Active directory. Here is a sample PowerShell script which you can use to create test accounts in Active Directory

Clear
Import-module activedirectory
$pass = ConvertTo-SecureString "MyPassword0!" –asplaintext –force
for ($i=0;$i -lt 100;$i++)
{
$accountname = "Test-Account$i"
Write-Host "Creating $accountname" -NoNewline
New-ADUser –SamAccountName $accountname –name $accountname -OtherAttributes @{'description'="ATA Test User Account"} -Path "OU=Test Accounts,OU=User Accounts,DC=labanddemo,DC=com"
Set-ADAccountPassword –identity $accountname –NewPassword $pass
Write-Host "...Done"
}

Make sure ATA is "learned" about these account.
Delete these accounts from Active Directory

You will receive the Massive Object Deletion alert in the ATA console right away as shown below.

Suspicious Activity Simulation #4 - Reconnaissance using DNS
The DNS or name resolution information in a network would be useful reconnaissance information. In general, DNS data contains a list of all the servers and workstations and the mapping to their IP addresses. Verifying this information may provide attackers with a detailed view of the environment allowing attackers to focus their efforts on the relevant entities.
For this simulation, the plan is to perform a DNS zone lookup using NSLOOKUP LS command.
To simulate this scenario,

Logon to a remote server.
Open Command Prompt and run NSLOOKUP command
From the NSLOOKUP window, run LS command to list the DNS zone

You will receive the following Reconnaissance using DNS alert the ATA console.

Configuring Deepnet Security SafeID OATH Token with Microsoft Azure MFA Server

noreply@blogger.com (Blog-5) — Tue, 05 Jul 2016 07:00:00 +0000

Related Blogs:

Configuring YubiKey / Yubico OATH Token with Microsoft Azure MFA Server - http://portal.sivarajan.com/2016/06/configuring-yubikey-yubico-oath-token.html

Azure MFA with pGina and Local Authentication - http://portal.sivarajan.com/2015/09/azure-mfa-with-pgina.html

Azure MFA Server –Authentication Types (Part I) - http://portal.sivarajan.com/2016/05/azure-mfa-serverauthentication-type.html

Azure MFA Server –Authentication Types (Part II) - http://portal.sivarajan.com/2016/06/azure-mfa-server-authentication-type.html

Requirements:

The following are the pre-requirements to complete this configuration.

Microsoft Azure MFA on-premises server
Deepnet SafeID hardware
Secret Key for your DeepNet SafeID. You will receive an email with Secret Key after the purchase.

Review the following Azure MFA Server Authentication Types blog if you are not familiar with authentication configuration in Azure MFA Server:

Azure MFA Server –Authentication Types (Part I) - http://portal.sivarajan.com/2016/05/azure-mfa-serverauthentication-type.html

Azure MFA Server –Authentication Types (Part II) - http://portal.sivarajan.com/2016/06/azure-mfa-server-authentication-type.html

Azure MFA Server – Configuration for third Party OATH

First step in this process is to add third party OATH Tokens in Azure MFA Server. You can either add these tokens individually or perform a bulk import using an input file.

To add an OATH token,

Logon to your MFA application server. Open Multi-Factor Authentication Server UI and Select OATH Token icon.
Click Add option from OATH Token window.
Enter your Secret Key token Details
1. Serial Number – Required. Enter the serial number of your SafeID. This will be in the back of the Secret Keyas shown below or it will be the email you received from DeepNet.
3. Secret Key – Required. This is the Secret Key (Base32). You have to receive this information from DeepNet. You will receive an email from Deepnet with Secret Key after the purchase
4. Manufacturer – Optional. Enter DeepNet Security as the manufacturer.
5. Model – Optional. Enter SafeID as model type.
6. Start date – Optional
7. Expiration date – Optional
8. Time interval – Required. Select 60 seconds.
9. Username: Associate a user with this OATH token. You can manually enter the username or Select User option to identify a user.
11. Click OK to complete. The Synchronize OATH Token dialog will prompt for the current OATH code to synchronize the OATH token and verify the configuration.
13. Enter the current code from DeepNet SafeID from the Synchronize OATH Token window to complete token configuration in MFA Server. Click OK.

Sample Input File

To perform a bulk import,

Note3: you may receive the following error message when you click on Import button. There is an update/hotfix for this issue.

Unhandled exception has occurred in your application. If you click Continue, the application will ignore this error and attempt to continue. If you click Quit, the application will close immediately.

Azure MFA Server – End User Validation Using DeepNet SafeID OATH Token

The final step in this process is to validate the DeepNet SafeID configuration and authentication experience from an end user perspective.

To configure OATH token as the authentication type for an end user:

From Multi-Factor Authentication Server UI, Select Users icon
From right pane, open the user properties by double clicking the user object.
This will open User Properties / Edit User window as shown below. Make sure that the OATH Token is selected as the authentication type for this test user.
To validate this configuration, select out test user object and from the bottom of the window, select Test option.
User will be prompted for first /primary authentication using a user name and password. Enter the User name and Password for the user, then click Test.
Then it will prompt you for the secondary authentication. In this scenario, it the OATH Code.
Get the current OATH code from your DeepNet SafeID.
Enter the current code in the OATH Code window in the MFA application . Click OK.
You will see the authentication status/result as shown below:

Related Blogs:

Configuring YubiKey / Yubico OATH Token with Microsoft Azure MFA Server - http://portal.sivarajan.com/2016/06/configuring-yubikey-yubico-oath-token.html

Azure MFA with pGina and Local Authentication - http://portal.sivarajan.com/2015/09/azure-mfa-with-pgina.html

Azure MFA Server –Authentication Types (Part I) - http://portal.sivarajan.com/2016/05/azure-mfa-serverauthentication-type.html

Azure MFA Server –Authentication Types (Part II) - http://portal.sivarajan.com/2016/06/azure-mfa-server-authentication-type.html

Configuring YubiKey / Yubico OATH Token with Microsoft Azure MFA Server

noreply@blogger.com (Blog-5) — Mon, 27 Jun 2016 07:00:00 +0000

Related blogs:

Configuring Deepnet Security SafeID OATH Token with Microsoft Azure MFA Server - http://portal.sivarajan.com/2016/07/configuring-deepnet-security-safeid.html

Azure MFA with pGina and Local Authentication - http://portal.sivarajan.com/2015/09/azure-mfa-with-pgina.html

Azure MFA Server –Authentication Types (Part I) - http://portal.sivarajan.com/2016/05/azure-mfa-serverauthentication-type.html

Azure MFA Server –Authentication Types (Part II) - http://portal.sivarajan.com/2016/06/azure-mfa-server-authentication-type.html

Requirements:

The following are the pre-requirements to complete this configuration.

YubiKey Personalization Tool – Installation and Configuration

The YubiKey Personalization Tool can be used to program the two configuration slots. Also, it can be used to personalize the YubiKey in the following modes:

Yubico OTP
OATH-HOTP
Static Password
Challenge-Response

Download YubiKey Personalization Tool and run yubikey-personalization-gui-3.1.24.exe file to compete the tool installation.

Insert YubiKey into the USB port. You may see the Device Setup windows as shown below. Complete the drive installation process.
Open YubiKey Personalization Tool. Make sure:
1. YubiKey Personalization Tool has successfully identified your YubiKey.
3. Yubico OTP displayed as supported method in Features Supported section.
You will see all the current OTP configuration in Yubico OTP tab shown below. I am going to a use the default configuration for this testing.

YubiCo Authenticator Application – Installation and Configuration

Download YubiCo Authenticator Application and run yubioath-desktop-3.0.1-win.exe file to complete the application installation.

Open YubiCo Authenticator Application
From File menu, select Add option (File –> Add)
From the New Credential window:
1. Enter Credential Name – An identifier or a display name for the credential.
2. Secret Key – It is a Base32 key. Review this If you are not familiar with supported numbers or characters in Base32 encoding.
3. Select Time based (TOTP) option. Microsoft Azure MFA server supports only the OATH TOTP (time-based) tokens.
4. Number of digits – You can select 6 or 8 digits as OATH token length.
6. Require touch - If you select this option, end user has to touch the YubiKey to generate an OATH token. User will prompted with the following message:
8. Click OK to save the configuration
10. You will see the newly add account in the Yubico Authenticator window.

Now we have completed the YubiKey account configuration. We can move on to Azure MFA server to configure the OATH token.

Azure MFA Server - Configuration for third Party OATH

Review the following Azure MFA Server Authentication Types blog if you are not familiar with authentication configuration in Azure MFA Server:

Azure MFA Server –Authentication Types (Part I) - http://portal.sivarajan.com/2016/05/azure-mfa-serverauthentication-type.html

Azure MFA Server –Authentication Types (Part II) - http://portal.sivarajan.com/2016/06/azure-mfa-server-authentication-type.html

To add OATH Token in Azure MFA Server,

Open Multi-Factor Authentication Server UI and Select OATH Token icon.
Click Add option from OATH Token window.
Enter your YubiKey token Details
1. Serial Number – Required. Enter the YubiKey serial number. This will be in the back of the Yubikey as shown below:
3. Secret Key – Required. This is the Secret Key (Base32) you have configured using the Authentication Application.
4. Manufacturer – Optional. Enter Youbico as the manufacturer.
5. Model – Optional. Enter your YubiKey model type.
6. Start date – Optional
7. Expiration date – Optional
8. Time interval – Required. You can select the default 30 seconds value. By default, YubiKey changes the 6-8 digit code every 30 seconds.
9. Username: Select the user for this OATH token. You manually enter the username or Select User option to identify a user.
10. Click OK to complete. The Synchronize OATH Token dialog will prompt for the current OATH code to synchronize the OATH token and verify the configuration.
12. Generate a new OATH from Yubico Authentication app using the button.
14. Enter this code in the Synchronize OATH Token window to complete token configuration in MFA Server.

Sample Input File

To perform a bulk import,

Select OATH Token icon and select Import.
Select the input file and click Import.

Note3: you may receive the following error message when you click on Import button. There is an update/hotfix for this issue.

Unhandled exception has occurred in your application. If you click Continue, the application will ignore this error and attempt to continue. If you click Quit, the application will close immediately.

Azure MFA Server – End User Validation Using YubiKey OATH Token

The final step in this process is to validate the YubiKey configuration and authentication experience from an end user perspective.

To configure OATH token as the authentication type for an end user:

From Multi-Factor Authentication Server UI, Select Users icon
From right pane, open the user properties by double clicking the user object.
This will open User Properties / Edit User window as shown below. Make sure that the OATH Token is selected as the authentication type for this test user.
To validate this configuration, select out test user object and from the bottom of the window, select Test option.
User will be prompted for first /primary authentication using a user name and password. Enter the User name and Password for the user, then click Test.
Then it will prompt you for the secondary authentication. In this scenario, it the OATH Code.
To generate a new OATH code, open Yubico Authenticator App and pressing the button . The OATH code will be displayed as shown below:
Enter the current OATH code in the OATH Code in the MFA application window. Click OK.
You will see the authentication status/result as shown below:

Related blogs:

Configuring Deepnet Security SafeID OATH Token with Microsoft Azure MFA Server - http://portal.sivarajan.com/2016/07/configuring-deepnet-security-safeid.html

Azure MFA with pGina and Local Authentication - http://portal.sivarajan.com/2015/09/azure-mfa-with-pgina.html

Azure MFA Server –Authentication Types (Part I) - http://portal.sivarajan.com/2016/05/azure-mfa-serverauthentication-type.html

Azure MFA Server –Authentication Types (Part II) - http://portal.sivarajan.com/2016/06/azure-mfa-server-authentication-type.html

Advanced Threat Analytics–Attack Simulation and Demo–Part1

noreply@blogger.com (Blog-5) — Thu, 23 Jun 2016 07:00:00 +0000

Advanced Threat Analytics–Attack Simulation and Demo–Part1

Advanced Threat Analytics–Attack Simulation and Demo–Part2

Advanced Threat Analytics–Attack Simulation and Demo–Part3

Suspicious Activity Simulation #1 – ATA Gateway Stopped Communicating

We will start with the most obvious one! – ATA communication issue. In this scenario, I am using ATA Light Weight Gateway (LWGW). In this case Microsoft Advanced Threat Analytics Gateway (ATAGateway) service should be running on Domain Controllers.

To simulate this scenario,

Identify all Domain Controllers from the forest/domain. You can use the following DSQUERY command to get all DCs from the domain.
- DsQuery Server -Forest
Stop the ATAGateway service remotely
- Here are a few scripts - Script1 or Script2 or Script3 – if you want to go a script based approach
- Or we can use a simple SC command – SC \\Lab-DC01 stop ATAGateway

You will receive the following high alert – ATA Gateway Stopped Communicating – in Health Center.

Suspicious Activity Simulation #2- Honey Token Account Activities

In general, the Honey Token accounts are non-interactive accounts. These accounts can be dummy accounts for detect malicious activities.

To simulate this scenario,

Create two 2 user accounts in Active Directory (ATA-Test1 and ATA-Test2)
Add ATA-Test2 to Domain Admins group
Get the SID of ATA-Test1 and ATA-Test2 using PowerShell or DSQUERY command
- dsquery * -filter (samaccountname=ata-test1) -attr objectsid (Reference)
- Get-ADUser Ata-test1 -Properties objectSID (Reference)
Add this SID as Honey token accounts (ATA Console –> Configuration –> Detection –> Honeytoken Account SIDs). Save the configuration.
Establish an integrative logon session using these accounts. You can RDP into a machine use these accounts

Honey Token accounts (non-sensitive)

You will receive the following alert/email with recommended actions in the ATA console.

Honey Token accounts (Sensitive)

Since ATA-Test2 account is a domain admin account, you will receive the same alert with "Sensitive (S )" indicating that this account is a high privileged account in Active Directory.

Suspicious Activity Simulation #3 – Massive Object Deletion

Bulk object deletion can be a suspicious activity in an Active Directory environment. ATA can alert alert you based on massive object deletion activities.

To simulate this scenario,

Create a few users in Active directory. Here is a sample PowerShell script which you can use to create test accounts in Active Directory

Clear
Import-module activedirectory
$pass = ConvertTo-SecureString "MyPassword0!" –asplaintext –force
for ($i=0;$i -lt 100;$i++)
{
$accountname = "Test-Account$i"
Write-Host "Creating $accountname" -NoNewline
New-ADUser –SamAccountName $accountname –name $accountname -OtherAttributes @{'description'="ATA Test User Account"} -Path "OU=Test Accounts,OU=User Accounts,DC=labanddemo,DC=com"
Set-ADAccountPassword –identity $accountname –NewPassword $pass
Write-Host "...Done"
}

Make sure ATA is "learned" about these account.
Delete these accounts from Active Directory

You will receive the Massive Object Deletion alert in the ATA console right away as shown below.

Suspicious Activity Simulation #4 - Reconnaissance using DNS

For this simulation, the plan is to perform a DNS zone lookup using NSLOOKUP LS command.

To simulate this scenario,

Logon to a remote server.
Open Command Prompt and run NSLOOKUP command
From the NSLOOKUP window, run LS command to list the DNS zone

You will receive the following Reconnaissance using DNS alert the ATA console.

Advanced Threat Analytics–Attack Simulation and Demo–Part1

Advanced Threat Analytics–Attack Simulation and Demo–Part2

Advanced Threat Analytics–Attack Simulation and Demo–Part3

Azure – Custom NameId Support in SAML Attribute

noreply@blogger.com (Blog-5) — Tue, 17 May 2016 07:00:00 +0000

Now Azure supports extension attributes (1-15) as Name Identifier (nameid) in SAML token. This option is available for both Gallery and Custom applications.

Using the Claims Editor, now you can select, Extension Attributes 1 –10 as the unique identifier.

Previously, we had only a few attribute options (user.mail , user.onpremisessamaccountname , user.userprinciplenae and ExtractMailPrefix() fuciton) as name identifier. We couldn’t use any custom values using extension attribute.

Azure MFA–Directory Integration Filter

noreply@blogger.com (Blog-5) — Tue, 03 May 2016 07:00:00 +0000

Here are a few options which you can use to filter objects from Active Directory when using Directory Integration with Azure MFA. The Azure on-premises MFA server supports standard LDAP filter. You can this filter in Directory Integration –> Synchronization –> User Filter:

For example,

if you want to filter or include users based on a group membership, you can use the memberOf attribute with distributedName of the security group as shown below:

(memberof=CN=MFASync,OU=Groups,DC=labanddemo,DC=com)

If you want filter or include users based on an attribute value, you can use (attributename=value) format as shown below:

(department=IT)

You can also use standard logical operator to combine your filter statement:

(|(memberof=CN=MFASync,OU=Groups,DC=labanddemo,DC=com)(department=IT))

Azure MFA - ADFS Adaptor and pfsvcclientclr.dll Error

noreply@blogger.com (Blog-5) — Thu, 28 Apr 2016 07:00:00 +0000

Problem Statement:

When using 7.0 version of Azure on-premises MFA server, you may receive an event ID 364 with “Could not load file or assembly 'pfsvcclientclr.dll' or one of its dependencies. The specified module could not be found” error message.

Complete Error Message

System.IO.FileNotFoundException: Could not load file or assembly 'pfsvcclientclr.dll' or one of its dependencies. The specified module could not be found.

File name: 'pfsvcclientclr.dll'

at pfadfs.AuthenticationAdapter.IsAvailableForUser(Claim identityClaim, IAuthenticationContext context)

at Microsoft.IdentityServer.Web.Authentication.External.ExternalAuthenticationHandler.IsAvailableForUser(Claim identityClaim, IAuthenticationContext authContext)

at Microsoft.IdentityServer.Web.Authentication.External.ExternalAuthenticationHandler.ProcessContext(ProtocolContext context, IAuthenticationContext authContext, IAccountStoreUserData userData)

at Microsoft.IdentityServer.Web.Authentication.External.ExternalAuthenticationHandler.Process(ProtocolContext context)

at Microsoft.IdentityServer.Web.Authentication.AuthenticationOptionsHandler.Process(ProtocolContext context)

at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

Resolution:

Install:

Visual C++ Redistributable x64 and x86 (https://www.microsoft.com/en-us/download/details.aspx?id=49984 )
KB2919355 installed If you are using Windows Server 2012R2 (https://support.microsoft.com/en-us/kb/2919355)

Azure Authenticator–Unable to add the account

noreply@blogger.com (Blog-5) — Tue, 09 Feb 2016 20:00:00 +0000

Error:

During activation Azure Authenticator application generates the following error message on Android device. This URL and code works on Apple and Microsoft mobile devices.

Unable to add the account. We couldn’t add the account as your device does not trust the activation URL. Please contact your IT administrator

Troubleshooting steps:

Try to activate the account using Apple or Microsoft device
Verify the URL publishing configuration. Are you publishing the Microsoft MFA Mobile App using Windows Application Proxy?

Solution / Workaround:

The issue is not really related to MFA or certificate configuration. The issues is more related to how you publish the Mobile App URL to the internet. If you are using Web Application Proxy for publishing the URL (http://portal.sivarajan.com/2016/01/azure-mfapublish-mfa-portals-using-web.html), there is an issue with Server Name Indication (SNI) certifies and Android devices. You can try one of the workaround mentioned in that article.

Other option is to publish the Mobile app URL using some other method as mentioned here - http://portal.sivarajan.com/2016/01/azure-mfapublish-mfa-portals-using-web.html

SharePoint 2013 Products Preparation Tool–Stuck in Configuration Application Server Role, Web Server (IIS) Role

noreply@blogger.com (Blog-5) — Tue, 12 Jan 2016 08:00:00 +0000

Issue:

SharePoint 2013 Products Preparation Tools stuck during the “Now Installing Prerequisites” stage with Configuration Application Server Role. web Server (IIS) Role as show below:

Solution / Workaround

The Server Manger is causing the issue here. Make sure Server Manger is not running in the background. Closing Server Manager application will complete the pre-requisite installation successfully.

Azure MFA–Publishing MFA Portals using Web Applicaion Proxy

noreply@blogger.com (Blog-5) — Thu, 07 Jan 2016 14:00:00 +0000

The goal is to publish on premises Microsoft Multi Factor Authentication (MFA) server portals using Web Application Proxy Service (not Azure Application Proxy!) The Microsoft MFA has the following 3 portals:

1. User Portal - The User Portal section allows the administrator to install and configure the Multi-Factor Authentication User Portal.

2. Web Service SDK - The Web Service SDK section allows the administrator to install the Multi-Factor Authentication Web Service SDK.

3. Mobile App - The Mobile App section allows the administrator to configure settings for the Mobile App. There is also a Mobile App Web Service which needs to be installed to support mobile app activations.

At the end of the configuration, my goal is to provide a single direction URL for User Portal, Web Service SDK and Mobile App shown below:

Azure–Add an Application from the Gallery

noreply@blogger.com (Blog-5) — Tue, 05 Jan 2016 14:00:00 +0000

As shown below, you have the following three options when integrating an application in Azure (of course it is based on your application type).

When adding a Custom application from the Gallery, you supposed to see the following configuration screen for the application integration:

Custom application is part of the Azure AD Premium offering. If you don’t have a premium license, instead of the above screen, you will see a link Add an unlisted application your organization is using which points to the https://azure.microsoft.com/en-us/documentation/articles/active-directory-saas-custom-apps/ URL as shown below:

This issue can be resolved by assigning the premium license to the respective Azure Directory. If you don’t have premium license, you can obtain a trial license from here.

SharePoint 2013 Product Preparation tool–There was an error during installation

noreply@blogger.com (Blog-5) — Mon, 04 Jan 2016 08:00:00 +0000

Issue:

The SharePoint 2013 Product Preparation tool failed with following error message:

There was an error during installation. The tool was unable to install application server Roles, Web Server (IIS) Roles.

Solution:

https://support.microsoft.com/en-us/kb/2765260

Workaround:

By default, the installation process is looking for ServerManagerCMD.exe to execute these task. Verify that the ServerManagerCMD.exe exist in C:\Windows\System32\ folder. The ServerManagerCMD.exe command is available only on servers that are running Windows Server 2008 or Windows Server 2008 R2. The Servermanagercmd.exe command has been deprecated, and is not available in Windows Server 2012. Recommended option is to use Windows PowerShell cmdlets. In Windows Server 2012, ServerManager.exe file exist in C:\Windows\System32\ folder. As a workaround, you can copy the ServerManager.exe to ServerManagerCMD.exe to complete the pre-requisite installation.

Addition info: