Archives

All posts for the month June, 2014

Cloning a 2008 R2 ADFS Server

Posted by James F. Prudente on June 13, 2014
Posted in: Uncategorized. Leave a comment

I’ve written before about some of the challenges we’ve run into while implementing ADFS for Office 365. Now that we’re making more use of O365, I decided it was time to add a second ADFS server for redundancy. Given that our existing ADFS server is virtual, I thought it would be quicker to clone it and make the necessary changes rather than install another server from scratch. I was partially right.

As it turns out, cloning an existing ADFS server is pretty easy. Unfortunately it took some time to track down the various changes that needed to be made for everything to work properly, but I’m summarizing the process here in case I can save another admin the effort.

  • Clone the system however you like.
  • Sysprep the clone (c:\windows\system32\sysprep\sysprep.exe) making sure to check the “Generalize” option, which generates a new SID.

  • After sysprep reboots the system, you will have to go through the initial out-of-box setup again. Reconfigure networking as appropriate and join the clone to your domain.
  • Once this is done, all you have to do to add the clone to the existing federation server farm. This is where I ran into a problem though, and ultimately why I’m posting this info.

    On the clone (let’s call it ADFS2 to make things simpler), the “AD FS 2.0 Windows Service” started but trying to access the federation metadata via https://servername/federationmetadata/2007-06/federationmetadata.xml resulted in a “503 Service Unavailable” error. Checking the AD FS 2.0 Log turned up five errors, all of which referenced issues with the certificates used for ADFS signing.

    During processing of the Federation Service configuration, the element ‘serviceIdentityToken’ was found to have invalid data. The private key for the certificate that was configured could not be accessed. The following are the values of the certificate:”

    Each error showed a different element but was otherwise the same. In all cases, the errors pointed towards an issue with the ADFS service account being unable to access the private keys for the certificates.

    This is where things get a little complicated. ADFS relies on three certificates to make everything work. I’ve redacted a lot in the screenshot below, but you can see the three certificates. During a standard ADFS install, the “Service communications” certificate should be a 3rd party certificate that’s trusted (Verisign, etc.) but the Token-decrypting and Token-signing certificates are typically self-signed.

    The “Service communications” certificate, being a public cert, is the easiest to address. Open the certificates MMC snap-in and connect to the ADFS computer’s certificate store. Your service certificate should be in the Personal folder. If you right-click the certificate, then select “All Tasks” and then “Manage Private Keys…” you can verify that your ADFS service account has read permission on the private key. In my case, the account appeared to have permission though as it turns out, it did not.

    In the process of troubleshooting, I deleted the certificate from ADFS2. I then exported it from ADFS1, including the private key, and re-imported it to ADFS2. Once I did that and checked permissions on the private key (on ADFS2), I ran into something strange…the ADFS service account was missing, and in its place was an unresolvable GUID. I deleted the GUID and re-added the ADFS service account. I restarted the AD FS 2.0 service, and found that the first error pertaining to the serviceIdentity token was gone, but the others were still present.

    It took me a while to find the other two certificates. They’re actually in the personal certificate store for your ADFS service user, so you’ll need to log on to the server with your service user’s credentials to access them. Unfortunately, while the certificates console shows a valid private key for both certs, you cannot export that key, nor can you “Manage” it as per above to review or change the permissions.

    The final solution actually turned out to be pretty simple. I deleted both certs entirely on ADFS2, then re-ran the ADFS wizard and re-added ADFS2 to the ADFS farm. Doing so recreated the certificates and set whatever permissions were necessary. Problem solved.

    Long story short…if I were to do this again, I would delete all three certificates from the cloned system before running the ADFS wizard. I’m not sure if you would still need to manually reset the permissions on the private key for the Service communications certificate, but I’m inclined to think not.

    Keep in mind even after adding the additional ADFS server you need to sort out load-balancing so both servers can be used for authentication requests.

    Bonus Tip: If during testing you notice that Chrome, Firefox, or any other non-IE browser repeatedly prompts for credentials, that’s normal. By default the ADFS install will have IWA with Extended Protection enabled, which only works for Internet Explorer. If you need to disable this to support other browsers, you can.

The Myth of the Low-Cost Windows Alternative

Posted by James F. Prudente on June 12, 2014
Posted in: Opinion, Uncategorized. Leave a comment

In my position, rarely does a day go by without some vendor hawking the latest non-Microsoft device that will solve all of our computing problems. Whether they are iPads, Chromebooks, Kindles, or Android-based, they all share one thing in common: none of them run Windows. These vendors (Apple excluded) almost always share the same pitch as well, focusing on how much lower their per-device cost is versus an equivalent Windows device, and how that lower purchase price will allow us to put more technology in the hands of students.

Obviously it doesn’t take any technical knowledge to recognize one can purchase more $199 Kindles than $499 Windows tablets given a fixed amount of dollars, but to only consider the capital expenditure is a mistake. The reality is that for an organization that already supports Windows (i.e. everyone), bringing in a new non-Windows platform will substantially add to support costs and other operational expenses. There are also significant issues surrounding device limitations and user experience that must also be considered.

Now before I go any further, let me own up to the fact that yes, I’m a strong Microsoft proponent. Detractors would probably consider me a “fanboi,” but I speak from experience, not blind devotion. I’ve used many of the other platforms out there. I’ve supported OSX, installed and run Linux on the desktop, currently manage a number of Linux servers, own two iPads, and heck, I even ran OS/2 Warp and was anti-Microsoft for a while. I have no problem calling out Microsoft when they do something stupid, but the reality is Windows can do pretty much anything you need it to, and generally does it pretty well.

Back to the topic at hand, it’s difficult to explain the hidden costs of ‘cheap’ devices to non-technical people because they typically don’t even recognize all of the behind-the-scenes work that goes into keeping an environment running smoothly. Whether Microsoft or not, things like user authentication, device lockdown policies, OS and software deployment, anti-virus, content filter integration, and many other systems are absolutely essential yet completely invisible to end-users. A new platform means new ways are needed to satisfy these needs, and often means purchasing new software solutions to do so.

The irony is the better job an organization does supporting Windows, the higher the incremental cost of introducing a non-Windows platform. Why? Consider software installation: if you’re still (shudder!) doing this manually, it doesn’t make a huge difference if you’re doing so on a Windows PC or an Android tablet. But if you’ve automated the process using a deployment solution, you lose all of that efficiency when working on another platform. Similarly, if you don’t lock down your Windows PCs then you may not care about doing so on other devices, but if you currently use group policy to control what users can and cannot do, losing that functionality may be unacceptable and having to learn a new system to replicate it takes a lot of time.

And time, as they say, is money. Or more specifically staff. IT departments are continually asked to do more with fewer people, and it’s precisely the efficiency gained through automated processes that allow many IT departments to survive with skeleton staffs. Any organization that introduces a new non-Windows platform needs to be willing to hire additional staff to support it. That’s irrespective of the quantity of devices purchased; it’s simply the addition of a new platform that triggers the additional workload, NOT the volume of those new devices. Good IT departments design systems to scale, so adding more of the same devices is a relatively trivial task, while adding even a small number of new devices is far more complicated.

There is also often a steep user learning curve when new platforms are introduced. Even someone who may be familiar with using an iPad (for example) is going to have to learn how that device integrates with the organization’s network, how authentication to network resources is handled, how (or if) web content is filtered, how common file formats are (or are not) read, etc. This all results in lost productivity, further eroding the theoretical “savings” of these low-cost devices.

Finally, the dramatic loss of flexibility compared to a Windows device cannot be ignored either. Any non-Windows device is only going to be able to offer a subset of the functionality of a Windows PC. That may be fine if all one cares about is browsing the web, but inevitably once a device is purchased, the end-user or organization wants to do more with it. “We just want to do x” with a device turns into “well, we want to do y as well” and then “what do you mean we can’t do z?” For instance, we have a heavily used web-based system of which 90% will run fine on an iPad, but that last 10% requires Java. If the user doesn’t care about that last 10% the iPad is perfectly fine, but once they do, you have an expensive paperweight because it simply cannot run the full application. I’ve seen this scenario manifest itself time and time again. Sacrificing flexibility at the altar of cost savings is fine right up until you need your cheap device to do something it can’t.

In “Economics in One Lesson,” famed economist Henry Hazlitt speaks to the difficulties in measuring or recognizing unseen costs. It is far easier to see a bridge being built, he says, than to appreciate the things that didn’t happen because money was taken to build that bridge. In the same fashion, it is far easier to see how many more devices can be purchased by going with a low-cost alternative than to recognize the inevitable increase in operational expenses and lost productivity that results from introducing a new, non-Windows platform. Once one factors in those additional costs it becomes apparent that while low-cost non-Windows devices may seem like a bargain, they simply trade one set of expenses for another, and sacrifice flexibility in the process.

Save the Kindle for reading romance novels and the iPad for playing Angry Birds; love it or hate it, Windows remains the best and most economical choice for getting actual work done.