Get Started with the Enterprise Mobility Suite

Over the next six weeks my colleagues Valerie Siroux and Arjan Vroege and I will present several webinars on the Microsoft Enterprise Mobility Suite. If you want to know more about, for instance, Azure Active Directory Premium, Microsoft Intune or Azure Rights Management Services, you cannot miss these webinars.

Learn more about EMS in 6 webinars

The Enterprise Mobility Suite webinars take place on the following dates. Please note that these webinars are taught in English. You can register free of charge through the links below.



Name Suffix Routing to the rescue: publishing a Non-Claims-Aware application using Kerberos Constrained Delegation

Last week I faced a challenge publishing a non-claims-aware application (SharePoint 2013) using Kerberos Constrained Delegation (KCD) through Web Application Proxy (WAP).

[Figure: AD FS cross-forest Microsoft Intune infrastructure]

The customer environment consists of a multi-forest Active Directory in which user accounts and server objects are each stored in a separate forest. With the introduction of the Microsoft Enterprise Mobility Suite (EMS) we added a public User Principal Name (UPN) suffix, which was required to log on using a public domain namespace.


Create DNS records for Microsoft Intune including Workplace Join & Work Folders

In order to benefit from all services related to Microsoft Intune and the attached Enterprise Mobility Suite (EMS) services, a number of DNS records must be added to your public DNS namespace. Below is an overview of the required DNS records and their associated services.

Note that yourdomain.com is used as a fictive placeholder and must be replaced with your own organization's (public) namespace.

| Entry | Type | Address | Purpose |
|---|---|---|---|
| enterpriseenrollment.yourdomain.com | CNAME | manage.microsoft.com | Eases the enrollment process of mobile devices |
| sts | A | | Required for single sign-on (SSO); points to your AD FS server(s) |
| enterpriseregistration | A | sts.yourdomain.com | Required for Workplace Join (device registration discovery) |
| enterpriseregistration.yourdomain.com | CNAME | enterpriseregistration.windows.net | Required for Azure Workplace Join (device registration discovery) |
| enterpriseregistration.region.yourdomain.com | CNAME | enterpriseregistration.windows.net | Required for Azure Workplace Join (device registration discovery) |
| workfolders | CNAME | workfolders.yourdomain.com | Points to your Work Folders enabled file server(s) |
| discovery | A | discovery.yourdomain.com | Required for the Work Folders discovery URL |
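Once the records are published it pays to verify them from the outside, because a device enrolling over the Internet only sees what public resolvers return. The script below is an added example and not part of the original post: it checks the enrollment and device-registration records from the table against a public resolver using Resolve-DnsName (DnsClient module, Windows 8 / Server 2012 and later). The yourdomain.com namespace and the 8.8.8.8 resolver are placeholders; the Work Folders rows are left out because their targets depend on your own file server name. Keep in mind that a DNS name can carry either an A record or a CNAME, not both, so pick the enterpriseregistration row that matches your deployment (on-premises Workplace Join via AD FS, or Azure Workplace Join) before running the check.

```powershell
# Added example (not from the original post): verify EMS / Intune DNS records against public DNS.
# Assumes the DnsClient module (Resolve-DnsName). Replace the placeholders with your own values.

$Domain   = 'yourdomain.com'   # placeholder: your public namespace
$Resolver = '8.8.8.8'          # placeholder: any public resolver, so the check reflects what devices see

# Expected records, taken from the table above. Target $null means "must exist, any address is fine".
# enterpriseregistration is shown in its Azure Workplace Join (CNAME) form; use the A form instead
# if you register devices against on-premises AD FS, never both.
$Expected = @(
    @{ Name = "enterpriseenrollment.$Domain";           Type = 'CNAME'; Target = 'manage.microsoft.com' }
    @{ Name = "sts.$Domain";                            Type = 'A';     Target = $null }
    @{ Name = "enterpriseregistration.$Domain";         Type = 'CNAME'; Target = 'enterpriseregistration.windows.net' }
    @{ Name = "enterpriseregistration.region.$Domain";  Type = 'CNAME'; Target = 'enterpriseregistration.windows.net' }
    @{ Name = "discovery.$Domain";                      Type = 'A';     Target = $null }
)

function Test-EmsDnsRecord {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [ValidateSet('A', 'CNAME')] [string] $Type,
        [string] $Target,
        [string] $Server = $Resolver
    )
    try {
        # -DnsOnly bypasses the local cache and hosts file, so we see the record as published
        $answer = Resolve-DnsName -Name $Name -Type $Type -Server $Server -DnsOnly -ErrorAction Stop |
                  Where-Object { $_.Type -eq $Type }
    } catch {
        return [pscustomobject]@{ Name = $Name; Type = $Type; Status = 'MISSING'; Expected = $Target; Actual = $_.Exception.Message }
    }
    if (-not $answer) {
        return [pscustomobject]@{ Name = $Name; Type = $Type; Status = 'MISSING'; Expected = $Target; Actual = '(no record of this type)' }
    }

    # CNAME answers expose the alias target in NameHost, A answers expose IPAddress
    $actual = if ($Type -eq 'CNAME') { $answer.NameHost } else { ($answer.IPAddress -join ', ') }
    $status = if (-not $Target)                               { 'OK' }
              elseif ($actual -ieq $Target.TrimEnd('.'))      { 'OK' }
              else                                            { 'MISMATCH' }

    [pscustomobject]@{ Name = $Name; Type = $Type; Status = $status; Expected = $Target; Actual = $actual }
}

$Expected | ForEach-Object {
    $rec = $_
    Test-EmsDnsRecord -Name $rec.Name -Type $rec.Type -Target $rec.Target
} | Format-Table -AutoSize
```

Run it from a workstation outside the corporate network as well as inside: split-horizon DNS setups regularly publish the records internally but forget the public zone, which is exactly the case this check is meant to catch.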

Use Alternate Login ID implementing Enterprise Mobility Suite in a Multi-Forest scenario

Last week I came across a scenario where the Alternate Login ID feature of Active Directory Federation Services (AD FS) was at its best.

Scenario

As part of an Enterprise Mobility Suite (EMS) implementation we faced a challenge to overcome. In this scenario the customer has a multi-forest (fictive contoso.local & adatum.local) AD structure with a two-way forest trust relationship. The user resources are currently located in the fabrikam.local (blue) forest, whereas all server resources are part of the contoso.local (grey) domain, including AD FS.

[Figure: AD FS cross-forest Microsoft Intune infrastructure]

As fabrikam.com is the public domain namespace in use, we added a UPN suffix to the fabrikam.local domain to make sure the user objects synced from the on-premises Active Directory (by Azure Active Directory Sync) match the public User Principal Name (UPN) domain namespace.


Troubleshooting: Federation for Windows Intune

During a Windows Intune proof of concept (PoC) I was facing some issues configuring federation in order to enable Single Sign-On (SSO).

Proxy Authentication

When configuring federation we couldn't convert the default domain to a federated domain type. By using the -Verbose and -Debug parameters of the Convert-MsolDomainToFederated cmdlet the root cause became clear: proxy authentication was required and therefore we couldn't convert the domain. One down, two to go!
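The MSOnline cmdlets go out through .NET's default web proxy, and a proxy that answers with HTTP 407 (proxy authentication required) is invisible unless the underlying requests are traced, which is what -Verbose and -Debug do. The following snippet is an added example, not the fix from the original post: it attaches the logged-on user's credentials to the default proxy for the current PowerShell session and then retries the conversion with tracing on. It assumes the MSOnline module is installed, that you sign in as a tenant administrator, and that you run it on the AD FS server (or after Set-MsolADFSContext); yourdomain.com is a placeholder.

```powershell
# Added example (not from the original post): let the MSOnline cmdlets authenticate to a proxy,
# then retry Convert-MsolDomainToFederated with request tracing enabled.

# The cmdlets use the .NET default proxy; without credentials an authenticating proxy replies 407.
$proxy = [System.Net.WebRequest]::DefaultWebProxy
if ($null -eq $proxy) {
    throw 'No default web proxy is configured for this session; check the WinHTTP / IE proxy settings.'
}

# Use the credentials of the account running PowerShell (typical for an AD-integrated proxy).
$proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials

# If the proxy expects a dedicated account, prompt for it instead of using the logged-on user:
# $proxy.Credentials = Get-Credential -Message 'Proxy credentials'

Import-Module MSOnline
Connect-MsolService                      # prompts for the tenant administrator account

$Domain = 'yourdomain.com'               # placeholder: the domain to federate

# Confirm the current state first; Authentication shows Managed or Federated.
Get-MsolDomain -DomainName $Domain | Select-Object Name, Status, Authentication

# -Verbose and -Debug print the web requests the cmdlet makes, which is how a 407 surfaces.
Convert-MsolDomainToFederated -DomainName $Domain -Verbose -Debug

# Verify the result.
Get-MsolDomain -DomainName $Domain | Select-Object Name, Status, Authentication
```

The credential assignment lives only in this PowerShell process, so nothing is persisted; re-run it in every new session that needs to reach the service through the proxy.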


Deploy Active Directory Federation Services (AD FS) 3.0 in a pre Windows Server 2012 R2 era

As you probably know, a prerequisite for implementing Active Directory Federation Services (AD FS) based on Windows Server 2012 R2 is to have at least one Windows Server 2012 R2 domain controller available in your infrastructure.


This is in order to benefit from Group Managed Service Accounts (gMSA, generated and maintained by the Key Distribution Service (KDS) on Windows Server 2012 or later domain controllers). The same applies to the Device Registration Service (DRS), aka Workplace Join, which is responsible for the activation and enrolment of controlled devices and is represented by a new schema class in Active Directory Domain Services (AD DS).

Windows Intune "Sorry, but we’re having trouble signing you in" error "80041317"

Make sure that when you update the configuration settings of the federated domain for the on-premises Active Directory Federation Services (AD FS) service, these settings are also updated in the Windows Azure Active Directory (Windows Azure AD) authentication system. Last week I updated my on-premises token-signing certificate without updating the federation trust data. This causes the claim that the AD FS service supplies to be malformed and therefore rejected by the Windows Azure AD authentication system.

When a federated user tries to sign in to a Microsoft cloud service such as Office 365, Windows Azure, or Windows Intune from a sign-in webpage whose URL starts with "https://login.microsoftonline.com/login", authentication for that user fails. Additionally, the user receives the following error message:

Sorry, but we’re having trouble signing you in
Please try again in a few minutes. If this doesn’t work, you might want to contact your admin and report the following error:
80041317 or 80043431
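The root cause is a mismatch between the token-signing certificate AD FS actually signs with and the one Windows Azure AD still holds for the domain, so the quickest diagnosis is to compare the two thumbprints. The script below is an added example, not part of the original post: it reads both sides with Get-MsolFederationProperty and, when they differ, refreshes the trust with Update-MsolFederatedDomain. It assumes the MSOnline module, a tenant administrator sign-in, and that it runs on the primary AD FS server (or after Set-MsolADFSContext); the Source labels 'ADFS Server' and 'Microsoft Office 365' are the ones the cmdlet reports in my experience and are matched with wildcards to be safe. yourdomain.com is a placeholder.

```powershell
# Added example (not from the original post): detect token-signing certificate drift between
# AD FS and Windows Azure AD for a federated domain, and repair the federation trust data.

Import-Module MSOnline
Connect-MsolService                      # prompts for the tenant administrator account

$Domain = 'yourdomain.com'               # placeholder: the federated domain

function Get-TokenSigningDrift {
    param([Parameter(Mandatory)] [string] $DomainName)

    # Returns one object per side of the trust; Source identifies AD FS vs. the cloud service
    # (assumed labels: 'ADFS Server' and 'Microsoft Office 365').
    $props = Get-MsolFederationProperty -DomainName $DomainName

    $local = ($props | Where-Object { $_.Source -like 'ADFS*'      }).TokenSigningCertificate
    $cloud = ($props | Where-Object { $_.Source -like 'Microsoft*' }).TokenSigningCertificate

    [pscustomobject]@{
        Domain          = $DomainName
        AdfsThumbprint  = $local.Thumbprint
        AdfsNotAfter    = $local.NotAfter
        CloudThumbprint = $cloud.Thumbprint
        CloudNotAfter   = $cloud.NotAfter
        InSync          = ($null -ne $local -and $null -ne $cloud -and $local.Thumbprint -eq $cloud.Thumbprint)
    }
}

$drift = Get-TokenSigningDrift -DomainName $Domain
$drift | Format-List

if (-not $drift.InSync) {
    Write-Warning "Token-signing certificate for $Domain differs between AD FS and Windows Azure AD; updating the trust."
    # Pushes the current AD FS certificates and endpoints to Windows Azure AD.
    # Add -SupportMultipleDomain if more than one domain is federated with this AD FS farm.
    Update-MsolFederatedDomain -DomainName $Domain

    # Re-check so the script ends with a clear answer.
    Get-TokenSigningDrift -DomainName $Domain | Format-List
}
```

Running this check on a schedule (or straight after any certificate rollover, including AD FS automatic certificate rollover) turns a user-facing 80041317 into an administrator warning raised before anyone fails to sign in.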
