Forefront Identity Manager vNext is now known as Microsoft Identity Manager (MIM)

Yesterday, Wednesday April 23rd 2014, Microsoft announced the roadmap for Forefront Identity Manager 2010, known as FIM 2010.  The new product will be called Microsoft Identity Manager (MIM) and will be availabl in H1CY15.  The official announcement was posted to the Server & Cloud Blog: http://blogs.technet.com/b/server-cloud/archive/2014/04/23/forefront-identity-manager-vnext-roadmap-now-microsoft-identity-manager.aspx

The product is used to be renamed and was formerly known as MMS, MIIS, ILM, (ILM V2), FIM.
With the new name Microsoft shifts the product to a new central strategy and deliveres some nice features.

Even though I'm not to keen on the new name I'm confident that I have backed on the right horse.

Cheers!

Chris

View certificate properties via Powershell (and some RDP stuff)

Hi all,

we've implemented Windows Remote Desktop Services at a customer and were facing those ugly security popus asking if we trust the publisher even though the certificate was issued by the customers PKI and was valid and trusted by the client (certificate chain was installed on the client, CLR was reachable and so on).

It's not a bug...its a feature according to Microsoft. :-)
You can get rid of these popups configuring a GPO that specifies valid publishers.
http://technet.microsoft.com/de-de/library/cc771261(v=ws.10).aspx
The GPO requires the SHA1 thumbprint of the certificate. We fiddled around copying the thumbprint from the certificate UI, the GPO was applied but we were still seeing the popup.

This was caused by a none-printable character which we copied from the certificate UI into the GPO. Very ugly. :-)
Therefore I created this simple Powershell script to get the thumbprint in the right format (no spaces, upper case and most important no none-printable characters).

$cert1 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate „my certificate.cer“

$cert1.GetCertHashString()

The last line returns the thumbprint of the certificate e.g. BCE26899803C4806911B01F969FF7721562E07D6

You can find more methods here:
http://msdn.microsoft.com/en-us/library/system.security.cryptography.x509certificates.x509certificate.aspx

more information can be founde here:
https://blogs.technet.microsoft.com/askpfeplat/2017/12/18/remote-desktop-connection-rdp-certificate-warnings/

Happy coding
Chris

Enable FIM and PCNS logging

FIM 2010 and the PCNS service can make use of the Application log to record events. In order to get more details on password synchronisation we can set the logging level to high and check the Application log during the initial configuration an deployment of PCNS.

For FIM 2010, there are four different logging levels that are controlled by adding the FeaturePwdSyncLogLevel (REG_DWORD) entry to the following registry subkey:

      HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\FIMSynchronizationServices\Logging

0 = Minimal Logging
1 = Normal logging (default)
2 = High logging
3 = Verbose logging

For PCNS, there are also four logging levels that are again controlled by adding the EventLogLevel (REG_DWORD) entry to the following registry subkey:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PCNSSVC\Parameters

0 = Minimal Logging
1 = Normal logging (default)
2 = High logging
3 = Verbose logging

A reboot is required in order for the changes to be applied.

Have fun and check the logs
Chris

Manually create certificate signing requests

It's been quite a while since my last post due to different reasons. :-)
Today I would like to show you how to manually create a certificate signing request (CSR).

The Internet Information Server (IIS) and many other applications which make use of or require certificates provide wizzards in the administration user interface to request and install certificates.

I would like to explain two different ways how to request a certificate manually. The manual steps are required if web enrollment is not available, the current logged on user or computer has no enroll permissions on a certificate template or the certification authority (CA) is not available (e.g. no Active Directory integrated Enterprise CA or not in the same forest as the leveraging computer)

Method 1 – Use certreq to create a CSR and certreq to issue the certificate

1. Creating an INF file to set the certificate properties

Use Notepad or any other text editor to create the following sample INF file according to your needs. Safe the file as myCSR.inf for example

[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=MyServer.christianlechner.blogspot.de" ;For a wildcard use "CN=*.christianlechner.blogspot.de" for example

; For an empty subject use the following line instead or remove the Subject line entierely
; Subject =

Exportable = FALSE                  ; Private key is not exportable KeyLength = 2048                    ; Common key sizes: 512, 1024, 2048, 4096, 8192, 16384
KeySpec = 1                         ; AT_KEYEXCHANGE
KeyUsage = 0xA0                     ; Digital Signature, Key Encipherment
MachineKeySet = True                ; The key belongs to the local computer account
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
SMIME = FALSE
RequestType = CMC

; At least certreq.exe shipping with Windows Vista/Server 2008 is required to interpret the [Strings] and [Extensions] sections below

[Strings]
szOID_SUBJECT_ALT_NAME2 = "2.5.29.17"
szOID_ENHANCED_KEY_USAGE = "2.5.29.37"
szOID_PKIX_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
szOID_PKIX_KP_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"

[Extensions]
%szOID_SUBJECT_ALT_NAME2% = "{text}dns=computer1. christianlechner.blogspot.de&dns=computer2. christianlechner.blogspot.de"
%szOID_ENHANCED_KEY_USAGE% = "{text}%szOID_PKIX_KP_SERVER_AUTH%,%szOID_PKIX_KP_CLIENT_AUTH%"

[RequestAttributes]
CertificateTemplate= WebServer

Notes:

If you don’t know the template name or want to specifie it when issueing the certificate, remove the RequestAttributes section.

The specification of the enhanced key usage OID is not explicitly required since the EKU is defined in the certificate template. The OID in the INF file above is for explanatory purposes
You can click on “OK” for the template not found UI from certreq if the client has no access to templates.

You can ignore the unreferenced “[Strings]” section dialog when it appears

2. Useing the INF file when creating the REQ file

The following command-line command will generate key material and turn the INF file into a certificate signing request (CSR) which can then be handed over to the CA to issue the certificate.

certreq –new MyCSR.inf CSR.req

Once the certificate request was created you can verify the request with the following command:

certutil –dump CSR.req

3. Submitting the REQ file to the CA

If the CA is reachable via RPC over the network (computer and CA are member oft he same Active Directory domain and computer or user hast he permissions to enroll a certificate), use the following command to submit the certificate request directly to the CA:

certreq –submit CSR.req

You will get a selection dialog to select the CA from. If the CA is configured to issue certificates based on the template settings, the CA may issue the certificate immediately.

If RPC traffic is not allowed or the CA is not member of the same Active Directory or maybe not a Windows based CA, transfer the certificate request to the CA and perform the above command locally at the CA (if it is a Windows CA otherwise you the respective command on the Linux/Unix based CA).

If the certificate template name was not specified in the certificate request above, you can specify it as part of the submission command:

certreq -attrib "CertificateTemplate:webserver" –submit CSR.req

4. Installing the certificate at the IIS or ISA computer

Once the certificate was issued copy it to the target computer. Run the following command to install the certificate.

certreq –accept ssl.cer

The installation actually puts the certificate into the computer’s personal store. The certificate will be linked to the key material created in step #1 and builds the certificate property. The certificate property stores information such as the friendly name which is not part of a certificate itself.

After performing steps 1 to 4 the certificate will show up in the IIS or any other application and can be bound to the application or a website.

Method 2 – Use the MMC to create a CSR

Open the MMC and add the „Certificates“ snap-in. Open the „User“ or „Computer“ store depending on your required certificate.

Under „Advanced Operations“ select „Create Custom Request“.

Confirm the „Before you Begin“ page by clicking „Next“.

Click „Proceed without enrollment policy“ on the „Select Certificate Enrollment Policy“ page and click „Next“.

Depending on the use case select „CNG key“ or „Legacy key“ on the „Custom request“ page and click „Next“.

Open the „Properties“ window from the „Certificate Information“ page to enter all required certificate properties to the request.

After you’ve entered all required properties (e.g. SubjectName, Organization, Key length, …) finally click „Next“ and save the CSR somewhere.

You can now submitt the CSR according to method 1 or directly via MMC on the CA itself.

Have fun

Chris

Active Directory Property Sets and Default Security Descriptors

Every object class definition in the Active Directory schema has the option to define a “defaultSecurityDescriptor” value which holds the initial ACL that will apply to any new instances of that object when they are created. This rule doesn’t hold true if you specify a security descriptor explicitly when creating an object, however, as in this case the defaultSecurityDescriptor will be ignored.
The default value for the defaultSecurityDescriptor for the user class has a couple of entries in it which most administrators don’t know about, and fortunately neither do many end users. Out of the box, the user which an object in AD represents has the permissions to modify quite a few attributes on their own account. Anyone who can figure out how to make an LDAP call against their object in the directory or can use the Active Directory Users and Computers snap-in can take advantage of this. The easiest way to edit or view the value for this attribute is using the Active Directory Schema MMC.
By default the Active Directory Schema MMC snap-in is not available on a domain controller or any member server or client computer with the RSAT tools installed. To use it you must first register the COM DLL it depends on by running “regsvr32 schmmgmt.dll” from an elevated command prompt. Once you have done this, you will be able to open a new MMC and go to File->Add/Remove Snap-ins and add the Active Directory Schema snap-in to your console.
Browse to the Classes folder and then open the properties of the user class. Switch to the Default Security tab and click Advanced.
If you sort the list on the Name column and scroll down to SELF, you’ll see three entries (highlighted in red below) which are interesting for this article:

These three ACEs grant the user permissions to write to the attributes in those three property sets for their account. (personal information, phone and mail options and web information) If you’re not familiar with Property Sets, they’re a construct that allows you to group attributes and apply security for all the attributes in a single ACE which applies to the property set. An easy way to get a nice list of the attributes in these property sets is with the tool adfind. You can download adfind on the following webpage http://www.joeware.net/freetools/tools/adfind/index.htm. Now that we’ve got adfind we need to convert the friendly display name (e.g. Personal Information) into the GUID of the property set. We need to do this with the other two permissions as well.

adfind -sc findpropsetrg:"Personal Information"

You should get a result similar to this:

AdFind V01.37.00cpp Joe Richards (joe@joeware.net) June 2007

Using server: DC01.intern.lechner-online.net:389
Directory: Windows Server 2003
Base DN: cn=extended-rights,CN=Configuration,DC=inter,DC=lechner-online,DC=net

dn:CN=Personal-Information,CN=Extended-Rights,CN=Configuration,DC=inter,DC=lechner-online,DC=net
>rightsGuid: 77B5B886-944A-11d1-AEBD-0000F80367C1

You can paste the found GUID into a second adfind command to list all of the attributes in the property set that are writeable by the user itself:

adfind -sc propsetmembersl:"77b5b886-944a-11d1-aebd-0000f80367c1"

Depending on your Active Directory schema and maybe preceded changes, your results might vary a bit:

assistant
c
facsimileTelephoneNumber
homePhone
homePostalAddress
info
internationalISDNNumber
ipPhone
l
mobile
mSMQDigests
mSMQSignCertificates
otherFacsimileTelephoneNumber
otherHomePhone
otherIpPhone
otherMobile
otherPager
otherTelephone
pager
personalTitle
physicalDeliveryOfficeName
postalAddress
postalCode
postOfficeBox
preferredDeliveryMethod
primaryInternationalISDNNumber
primaryTelexNumber
publicDelegates
registeredAddress
st
street
streetAddress
telephoneNumber
teletexTerminalIdentifier
telexNumber
thumbnailPhoto
userCert
userCertificate
userSharedFolder
userSharedFolderOther
userSMIMECertificate
x121Address

If you’ve got an automated system that populates any of these attributes (e.g. an identity management system like Microsoft FIM2010 or SAP Netweaver Identity Manager), hypothetically an end user could put other data in them and start breaking processes. I’ve only ever heard once or twice of this happening, and I’m not fully aware of all the implications of removing these ACEs if you wanted to prevent the possibility. Keep in mind that this is applied as an individual ACE to each user as it’s created, so, in order to clean this up in an existing forest you’d need a script to go through and remove the ACEs from each user individually. New users would get the updated defaults based on modifying the defaultSecurityDescriptor of the user class, though.

Have fun
Chris

Userfull Powershell Scripts

Hi there,
you can download some helpfull Exchange Powershell Scripts on my Google Page.
http://sites.google.com/site/chrislechn/powershell

I'll upload more scripts later on.

Enjoy the scripts and please leave a comment if you like them.

Chris

Change Exchange NDR message language

When Exchange needs to send a NDR message it will by default try to detect the language of the received message and send the NDR back in the same language. In my case it should be send in Spanish because the customer is Spanish and the Exchange is hosted Germany and installed with English language.

Sometimes it will not be able to detect the language of the received message and therefore sends the NDR in the language that is default for the configuration.

To set the default NDR language you have to run a PowerShell command.

Use the following command to set the default language to English for NDRs

Exchange 2007

NDRs for mails received from external domains:

Set-TransportServer <HubTransportServerName> -ExternalDsnDefaultLanguage en-us

And for NDRs for mails received from internal domains

Set-TransportServer < HubTransportServerName > -InternalDsnDefaultLanguage en-us

The setting has to be set for every transport server in your exchange organization.

Exchange 2010

In exchange 2010 it only has to be set once for the whole Exchange 2010 organization. This is why I love Exchange 2010.

NDRs for mails received from external domains:

Set-TransportConfig -ExternalDsnDefaultLanguage en-us

And for NDRs for mails received from internal domains

Set-TransportConfig -InternalDsnDefaultLanguage en-us

If possible you should always user automatic language detection.

The automatic detection of language for NDR can be enabled by running the following commands:

Exchange 2007

Set-TransportServer < HubTransportServerName > -ExternalDsnLanguageDetectionEnabled $true

and

Set-TransportServer < HubTransportServerName > -InternalDsnLanguageDetectionEnabled $true

Exchange 2010

Set-TransportConfig <OrganizationIdParameter> -ExternalDsnLanguageDetectionEnabled $true

and

Set-TransportConfig <OrganizationIdParameter> -InternalDsnLanguageDetectionEnabled $true

This is the regarding article from Microsoft

http://technet.microsoft.com/en-us/library/bb124151.aspx

Have a nice day…. I hope this will help somebody.

Chris