Use Alternate Login ID implementing Enterprise Mobility Suite in a Multi-Forest scenario

Last week I came across a scenario where Alternate Login ID feature of Active Directory Federation Services (AD FS) came at its best.

Scenario

Part of an Enterprise Mobility Suite (EMS) implementation we were facing a challange to overcome. In this scenario the customer has multi-forest (fictive contoso.local & adatum.local) AD structure with a two-way forest trust relationship. The user resources are currently located in te frabrikam.local (blue) where all server resources are part of the contoso.local (grey) domain including AD FS.

ADFS cross forest Mirosoft Intune Infrastructure

As fabrikam.com is the public domain namespace used, we added a UPN suffix for the fabrikam.local domain to make sure the user objects synced from the on-premise Active Directory – by Azure Active Directory Sync – matches the public User Principal Name (UPN) domain namespace.

Continue reading “Use Alternate Login ID implementing Enterprise Mobility Suite in a Multi-Forest scenario”

Troubleshooting: Federation for Windows Intune

During a Windows Intune proof of concept (PoC) I was facing some issues configuring federation in order to enable Signle Sign On (SSO).

Proxy Authentication

When configuring federation we couldn’t convert the the default domain to a federated domain type. By using the –Verbose –Debug parameters of convert –MsolDomainToFederated cmdlet the root cause became clear. Proxy Authentication was required and therefore we couldn’t convert the domain. One down two to go!

clip_image001_thumb[3] Continue reading “Troubleshooting: Federation for Windows Intune”

Deploy Active Directory Federation Services (AD FS) 3.0 in a pre Windows Server 2012 R2 era

As you probably know a prerequisite for implementing Active Directory Federation Services (AD FS) based on Windows Server 2012 R2 is to have at least a Windows Server 2012 R2 domain controller available in your infrastructure.

image

This in order to take benefit of using Group Managed Service Accounts (GMSA – generated and maintained by the Key Distribution Service (KDS) on at least Windows Server 2012 domain controllers). The same applies to Device Registration service (DRS) aka Workplace Join, which is responsible for activation and enrolment of controlled devices and represented by a new schema class in Active Directory Domain Services (AD DS). Continue reading “Deploy Active Directory Federation Services (AD FS) 3.0 in a pre Windows Server 2012 R2 era”

Windows Intune "Sorry, but we’re having trouble signing you in" error "80041317"

Make sure when updating your configuration settings of the federated domain for the on-premises Active Directory Federation Services (AD FS) service these settings are updated to the Windows Azure Active Directory (Windows Azure AD) authentication system. Last week I updated my on-premises token-signing certificate without updating federation trust data. This causes the claim that the AD FS service supplies to be malformed and therefore rejected by the Windows Azure AD authentication system.

When a federated user tries to sign in to a Microsoft cloud service such as Office 365, Windows Azure, or Windows Intune from a sign-in webpage whose URL starts with “https://login.microsoftonline.com/login,” authentication for that user fails. Additionally, the user receives the following error message:

Sorry, but we’re having trouble signing you in
Please try again in a few minutes. If this doesn’t work, you might want to contact your admin and report the following error:
80041317 or 80043431

Continue reading “Windows Intune "Sorry, but we’re having trouble signing you in" error "80041317"”

Secure Application Access by using AD FS and UAG – UAG acting as ADFS Proxy Topology (via Security and Identity in the Cloud)

In the previous post I showed to you how UAG can be used with ADFS to publish Claims aware application and provide single sign-on into  such applications along with traditional applications which require UserID/password. In that demonstration UAG was configured with Form Based Authentication (FBA) and user was authenticating to UAG before they could get access to actual applications. Today’s demonstration shows a different UAG/ADFS topology, … Read More

via Security and Identity in the Cloud