BM-Bloggers

The blogs of Black Marble staff

Azure AD Connect–Upgrade to 1.1.533.0 and Change of Source Anchor to mS-DS-ConsistencyGuid

As I blogged yesterday, I upgraded our instance of Azure AD Connect to what was, at the time, the latest version, 1.1.524.0. Subsequently, Microsoft Security Advisory 4033453 was published indicating that an upgrade to version 1.1.533.0 was very strongly recommended.

As before, the upgrade went smoothly; however, there were a couple of additional points of note during the upgrade:

  1. Running the Azure AD Connect msi gave the following warning (note that I appended the version number to the file name in this example):
    Azure AD Connect 1.1.533 SmartScreen Warning
    I’m assuming that this will be fixed shortly. Until it is, check the installer’s Authenticode signature (for example with Get-AuthenticodeSignature against the .msi) before clicking through the SmartScreen prompt, rather than accepting an unsigned or incorrectly signed package.
  2. Once the upgrade was complete, the following warning was shown:
    Source Anchor Using objectGUID
    ‘Azure Active Directory is configured to use AD attribute objectGUID as the source anchor attribute. It is strongly recommended that you let Azure manage the source anchor for you. Please run the wizard again and select Configure Source Anchor.’
    Re-running the wizard and selecting the ‘Configure Source Anchor’ task allowed Azure AD Connect to pick ‘mS-DS-ConsistencyGuid’ as the source anchor, and all configuration occurs automatically. At the end of the process, however, another warning is shown indicating that if ADFS is managed externally to Azure AD Connect, then claim rule changes are required to align the new Source Anchor with the value returned, and users may not be able to log in unless these changes are made.
    In our case, this means that changes need to be made to the ADFS rules for the Office 365 relying party trust. To make these changes, the following steps were taken:
    1. On the ADFS Server, expand ADFS, then Trust Relationships, then click on Relying Party Trusts. Right-click the ‘Microsoft Office 365 Identity Platform’ and select ‘Edit Claim Rules…’:
      O365 Relying Party Trust
    2. Select rule 1 and click the ‘Edit Rule…’ button.
    3. The original rule was:
      c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
        => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/UPN", "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"), query = "samAccountName={0};userPrincipalName,objectGUID;{1}", param = regexreplace(c.Value, "(?<domain>[^\\]+)\\(?<user>.+)", "${user}"), param = c.Value);
      The only change required was to change objectGUID to mS-DS-ConsistencyGuid, i.e.
      c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
        => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/claims/UPN", "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"), query = "samAccountName={0};userPrincipalName,mS-DS-ConsistencyGuid;{1}", param = regexreplace(c.Value, "(?<domain>[^\\]+)\\(?<user>.+)", "${user}"), param = c.Value);
    4. Save the rule and double-check that you can authenticate to Office 365.
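As an added example (not part of the original post), the following PowerShell does the two checks I would want around this change: it compares the on-premises objectGUID and mS-DS-ConsistencyGuid of a synchronised test user with the ImmutableId that Azure AD already holds, and it rewrites only the ImmutableID query in the Office 365 issuance rules after saving the original rule text to disk. It assumes the RSAT ActiveDirectory module and the MSOnline module (with Connect-MsolService already run) for the first function, the ADFS module on the ADFS server for the second, and the relying party trust name used in the post; the UPN and backup path are placeholders.

```powershell
# Added example; not from the original post. Assumptions: ActiveDirectory and MSOnline
# modules available (Connect-MsolService already run), ADFS module on the ADFS server,
# relying party trust named as in the post. UPN and backup path are placeholders.

function Get-SourceAnchorComparison {
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    $u = Get-ADUser -Filter "userPrincipalName -eq '$UserPrincipalName'" `
                    -Properties objectGUID, 'mS-DS-ConsistencyGuid'
    if (-not $u) { throw "No AD user with UPN '$UserPrincipalName'" }

    # ImmutableID is the base64 of the raw 16 attribute bytes, which is what the
    # ADFS issuance rule emits from either attribute.
    $objectGuidB64  = [Convert]::ToBase64String($u.objectGUID.ToByteArray())
    $cgBytes        = $u.'mS-DS-ConsistencyGuid'
    $consistencyB64 = if ($cgBytes) { [Convert]::ToBase64String([byte[]]$cgBytes) } else { $null }

    $cloud = Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction Stop

    [pscustomobject]@{
        UserPrincipalName   = $UserPrincipalName
        ObjectGuidB64       = $objectGuidB64
        ConsistencyGuidB64  = $consistencyB64
        AzureADImmutableId  = $cloud.ImmutableId
        # The wizard copies objectGUID into mS-DS-ConsistencyGuid for existing users,
        # so all three values should agree. If ConsistencyGuidB64 is empty the
        # attribute has not been written yet: changing the claim rule now would issue
        # an empty ImmutableID and federated sign-in for that user would fail.
        ClaimWillMatchCloud = ($consistencyB64 -and $consistencyB64 -eq $cloud.ImmutableId)
    }
}

function Update-O365ImmutableIdClaimRule {
    param(
        [string]$RelyingPartyName = 'Microsoft Office 365 Identity Platform',
        [string]$BackupPath = "$env:TEMP\O365-issuance-rules-before.txt",  # placeholder
        [switch]$Apply   # without -Apply this only returns the rule text it would write
    )
    $rp = Get-AdfsRelyingPartyTrust -Name $RelyingPartyName
    if (-not $rp) { throw "Relying party trust '$RelyingPartyName' not found" }

    $before = $rp.IssuanceTransformRules
    $before | Out-File -FilePath $BackupPath -Encoding UTF8   # keep a copy for rollback

    # Replace only the attribute list inside the ImmutableID query; leave every other rule intact.
    $after = $before -replace 'userPrincipalName,objectGUID;', 'userPrincipalName,mS-DS-ConsistencyGuid;'
    if ($after -eq $before) {
        Write-Warning 'No "userPrincipalName,objectGUID;" query found; rules left unchanged'
        return $before
    }
    if ($Apply) {
        Set-AdfsRelyingPartyTrust -TargetName $RelyingPartyName -IssuanceTransformRules $after
    }
    return $after
}

# Usage (placeholders):
# Get-SourceAnchorComparison -UserPrincipalName 'testuser@example.com'
# Update-O365ImmutableIdClaimRule            # preview the rewritten rule text
# Update-O365ImmutableIdClaimRule -Apply     # write it, then sign in to Office 365 in a private browser session
```

Run the comparison for a handful of users first; only switch the rule once every checked user has ConsistencyGuidB64 equal to AzureADImmutableId, because the ImmutableID claim is how Azure AD ties a federated sign-in to the right synchronised object, and a mismatch leaves those users locked out until the rule is reverted from the backup.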

Some background to the issue of ImmutableID and the value to select for Source Anchor for Office 365 can be found at https://blog.msresource.net/2015/05/20/revisiting-the-microsoft-online-immutable-id-design-decision/

Azure AD Self-Service Password Reset Issues

We recently saw an issue with Azure AD self-service password reset (SSPR). It’s been working fine for us for ages, ever since we first configured it using DirSync, but recently users started seeing the following message:

Please Contact Your Admin

Get back into your account

Please contact your admin

We’ve detected that your user account password is not managed by Microsoft. As a result, we are unable to automatically reset your password.

You will need to contact your admin or helpdesk for any further assistance.

As we’d made no changes, we were obviously concerned!

Initially I took the following steps to try and resolve the issue:

  1. Ensured that the OS patch levels of the servers (Azure AD Connect, ADFS, WAP) were up-to-date, which they were.
  2. Upgraded Azure AD Connect to the most recent version. The version we were running was a little behind, but not significantly so. During the upgrade process, the wizard takes you through what you’d normally see if you reconfigure Azure AD Connect and select the ‘customize synchronization options’ task. The optional features selected were still the same as we’d picked the previous time we’d upgraded, and included ‘password writeback’.

Unfortunately none of the steps taken above made any difference.

Looking in the configuration page for Azure AD in the old portal, I noticed that the ‘Password write back service status’ was still set to ‘Not configured’:

Password Write Back Service Status Not Configured 

Bearing in mind that I’d just upgraded Azure AD Connect, been through the configuration wizard and seen that this option was ticked, this should not, as far as I was concerned, have been the case.

To correct the issue therefore, I took the following steps:

  1. Launched the configuration of Azure AD Connect and selected the ‘customize synchronization options’ task.
  2. When presented with the optional features configuration page of the wizard, unticked the ‘password writeback’ option and then completed the configuration.
  3. Repeated the above steps, but this time ensured that the ‘password writeback’ option was ticked:
    Azure AD Connect Password Writeback Config Option

Checking the configuration page in the old Azure Portal again, the status of the ‘Password write back service’ is now ‘Configured’ and the correct SSPR prompts are again being displayed to users.
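As an added example, not part of the original post, the following PowerShell reads the password writeback state from the Azure AD Connect server itself rather than from the portal, and performs the same disable/enable toggle that the wizard steps above achieved. It assumes the ADSync module that ships with Azure AD Connect; the cmdlet names are the ones documented for that module, so confirm them with Get-Command on your version before relying on the script, and expect the Set cmdlet to require global administrator credentials for the tenant.

```powershell
# Added example; not from the original post. Runs on the Azure AD Connect server with the
# ADSync module that ships with it. Confirm cmdlet names with Get-Command on your version.
Import-Module ADSync

function Get-PasswordWritebackState {
    # The Azure AD connector is the one whose type is Extensible2 (the on-premises AD
    # connectors have type AD).
    $aad = Get-ADSyncConnector |
           Where-Object { $_.ConnectorTypeName -eq 'Extensible2' } |
           Select-Object -First 1
    if (-not $aad) { throw 'No Azure AD connector found' }

    $cfg = Get-ADSyncAADPasswordResetConfiguration -Connector $aad.Name
    $svc = Get-Service -Name ADSync -ErrorAction SilentlyContinue

    [pscustomobject]@{
        Connector         = $aad.Name
        WritebackEnabled  = [bool]$cfg.Enabled
        SyncServiceStatus = if ($svc) { $svc.Status.ToString() } else { 'not installed' }
    }
}

# The post's fix was to untick and re-tick the option in the wizard. This is the
# equivalent toggle without the wizard; it needs tenant admin credentials when prompted.
function Reset-PasswordWriteback {
    param([Parameter(Mandatory)][string]$ConnectorName)
    Set-ADSyncAADPasswordResetConfiguration -Connector $ConnectorName -Enable $false
    Set-ADSyncAADPasswordResetConfiguration -Connector $ConnectorName -Enable $true
}

$state = Get-PasswordWritebackState
$state
if (-not $state.WritebackEnabled) {
    Write-Warning "Password writeback is disabled on connector '$($state.Connector)'; users will get the 'not managed by Microsoft' SSPR message"
}
```

If WritebackEnabled is false while the wizard shows the feature ticked, that is the mismatch described above; re-check the portal status a few minutes after running the toggle, as it is reported from the tenant side.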

Restarting VS Code fixed NPM INSTALL intermittent EPERM issues

Whilst doing some NPM build work for VSTS Extensions I kept getting intermittent EPERM errors about renaming Windows files during NPM install (as discussed on GitHub). When you get this it completely blocks any development.

As the GitHub issue discusses, there are many possible reasons for this issue, and many proposed potential solutions. However, the only one that worked for me was to restart VS Code, as it appeared to be locking the node_modules folder somehow. This was even though I could delete the folder via Windows Explorer without any problems.

A quick restart of VS Code and all was good again for a while, good enough to work with.

Duplicate project GUID blocking SonarQube analysis of Windows 10 Universal Projects

I have been working on getting a Windows 10 Universal application analysed with SonarQube 6.x as part of a VSTS build. The problem has been that when the VSTS task to complete the SonarQube analysis ran I kept getting an error of the form


WARNING: Duplicate project GUID: "8ace107e-8e3c-4a1b-9920-e76eb1db5e53". Check that the project is only being built for a single platform/configuration and that that the project guid is unique. The project will not be analyzed by SonarQube. Project file: E:\Build1\_work\58\s\BlackMarble.Victory.Common.Module.csproj

… plus loads more similar lines.
The exclude flag has been set so the project will not be analyzed by SonarQube. Project file: E:\Build1\_work\58\s\BlackMarble.Victory.Ux.Common.csproj
… plus loads more similar lines.

WARNING: Duplicate project GUID: "1e7b2f4e-6de2-40ab-bff9-a0c63db47ca2". Check that the project is only being built for a single platform/configuration and that that the project guid is unique. The project will not be analyzed by SonarQube. 2017-06-09T15:50:41.9993583Z ##[error]No analysable projects were found but some duplicate project IDs were found. Possible cause: you are building multiple configurations (e.g. DEBUG|x86 and RELEASE|x64) at the same time, which is not supported by the SonarQube integration. Please build and analyse each configuration individually.
Generation of the sonar-properties file failed. Unable to complete SonarQube analysis.

It turns out the issue was that even though my CI build was only set to create an x86|Debug build, the act of creating the .APPX package was causing both x64 and ARM builds to be built too. This was too much for SonarQube, as it thought I had a multi-platform build.

The answer was to pass a parameter into the Visual Studio build task to disable the creation of the .APPX package.

The parameter override required is /p:AppxBundle=Never. This overrides the setting of Always that was set in the .csproj file.


Once this change was done analysis completed as expected. Just need to fix all the issues it found now!

Book Review: Windows Virus and Malware Troubleshooting by Andrew Bettany and Mike Halsey

Summary: A very useful volume that discusses what malware is, how to defend against it and how to remove it. Clear and simple instructions are given on ways to improve security on your PC, as well as how to deal with malware that may end up on your PC. Recommended.

Presented in a very easy to read writing style, this book immediately appeals due to the clear, concise and no-nonsense approach taken when discussing malware, what it is, how it can attack and affect your PC, how to defend against it and what to do if the worst should happen and your PC gets infected.

The first chapter provides a nice potted history of viruses and malware on PCs, discussing the various types and how both the proliferation and seriousness of infections have risen from the very first, typically benign examples to the modern day infections such as ransomware that has been in the news so much recently.

Chapter 2 deals with prevention and defence, and introduces the many security features that are built into modern versions of Microsoft Windows to help stop the initial infection. There’s a clear progression in security features as newer versions of Windows have been introduced, and it’s interesting to compare the versions of Windows that were most susceptible to the recent ‘WannaCry’ ransomware attack. Looking at the features discussed (and having been to a few presentations on the subject), this provides an excellent set of reasons for an upgrade to Windows 10 if you’ve not already done so!

Chapter 3 discusses defence in depth and includes information on firewalls, including the Windows firewall, as well as organisational firewalls (i.e. hardware firewalls and appliances) and how to generate a multi-layer defence. While at first glance this section appears to be more targeted at the organisational user, it’s actually also targeted at the home user with a hardware router/firewall combination, and some clarification that this is the case would, I feel, have been useful here. This chapter also bizarrely includes a section on keylogging software, which I feel would have been more useful in the first chapter.

This chapter also provides some information on blacklists and whitelists (i.e. internet filtering) and the Internet of Things (IoT). For both of these sections I feel that there’s perhaps been a bit of a lost opportunity; for example, a brief discussion of the filtering options available might have been helpful for home users (e.g. my Netgear router at home comes complete with an OpenDNS-based filtering option that can be enabled and configured quickly and easily and seems to provide reasonable protection), and further information on IoT security recommendations, particularly changing the default username and password on devices, would be beneficial here.

Chapter 4 deals with identifying attacks starting with how malware infects a PC and providing pointers on how to identify both internal and external attacks. I was very pleased in this section to see information on social engineering and the role that this plays in malware infections.

Chapter 5 provides a very useful list of external resources that can be utilised to help protect your PC and clean a malware infection, including the Microsoft Malware Protection Center, a great location for finding updates, additional security recommendations and products etc. This chapter also provides some limited information on third-party tools that are available. Again, I would have liked to see a more expansive list here, and it’s worth mentioning that many anti-virus vendors provide a free option of their products.

Chapter 6 deals with manually removing malware, and for me this was probably the most useful part of this book. What do you do when malware has ended up on your PC despite your best efforts and you’re now having issues running the automated tools to get rid of it? This chapter helps in this scenario, and provides some steps to take to identify what’s running on the PC, suspend and/or kill the process and remove the infection. In particular I’m pleased to see the Microsoft Sysinternals tools discussed (albeit briefly) as they are my ‘go to’ toolset when dealing with an infection on a PC. If you’re interested in these and how they can be used, it’s worth looking at some of Mark Russinovich’s ‘Case of the Unexplained’ videos, as Mark goes through the use of these tools in more detail.

There are one or two downsides; the book is only a slim volume. This has both plusses and minuses insofar as being slim, more people are likely to read it end-to-end and therefore benefit the most from it, however in one or two areas a few more details might be appreciated. For such a slim volume, it’s also more expensive than I would hope for at an RRP of £14.99, which may limit its take-up.

All in all however this is a very easily accessible book that provides great guidance on how to secure your PC, what to watch out for and how to deal with a malware infection. I’ll be encouraging a few people I know to buy a copy and read it!

Title: Windows Virus and Malware Troubleshooting
Author(s): Andrew Bettany, MVP and Mike Halsey, MVP
Publisher: Apress
ISBN-13: 978-1-4842-2606-3

Test-SPContentDatabase False Positive

I was recently performing a SharePoint 2013 to 2016 farm upgrade and noticed an interesting issue when performing tests on content databases to be migrated to the new system.

As part of the migration of a content database, it’s usual to perform a ‘Test-SPContentDatabase’ operation against each database before attaching it to the web application. On the farm that I was migrating, I got mixed responses to the operation, with some databases passing the check successfully and others giving the following error:

PS C:\> Test-SPContentDatabase SharePoint_Content_Share_Site1

Category        : Configuration
Error           : False
UpgradeBlocking : False
Message         : The [Share WebSite] web application is configured with
                  claims authentication mode however the content database you
                  are trying to attach is intended to be used against a
                  windows classic authentication mode.
Remedy          : There is an inconsistency between the authentication mode of
                  target web application and the source web application.
                  Ensure that the authentication mode setting in upgraded web
                  application is the same as what you had in previous
                  SharePoint 2010 web application. Refer to the link
                  "http://go.microsoft.com/fwlink/?LinkId=236865" for more
                  information.
Locations       :

This was interesting as all of the databases were attached to the same content web application, and had been created on the current system (i.e. not migrated to it from an earlier version of SharePoint) and therefore should all have been in claims authentication mode. Of note also is the reference to SharePoint 2010 in the error message; I guess the cmdlet hasn’t been updated in a while…

After a bit of digging, it turned out that the databases that threw the error when tested had all been created and some initial configuration applied, but nothing more. Looking into the configuration, there were no users granted permissions to the site (except for the default admin user accounts that had been added as the primary and secondary site collection administrators when the site collection had been created), but an Active Directory group had also been given site collection administrator permissions.

A quick peek at the UserInfo table for the database concerned revealed the following (the screen shot below is from a test system used to replicate the issue):

UserInfo Table

The tp_Login entry highlighted corresponds to the Active Directory group that had been added as a site collection administrator.

Looking at Trevor Seward’s blog post ‘Test-SPContentDatabase Classic to Claims Conversion’ showed what was happening. When the Test-SPContentDatabase cmdlet runs, it looks for the first entry in the UserInfo table that matches the following rule:

  • tp_IsActive = 1 AND
  • tp_SiteAdmin = 1 AND
  • tp_Deleted = 0 AND
  • tp_Login not LIKE ‘I:%’

In our case, having an Active Directory Group assigned as a site collection administrator matched this set of rules exactly, therefore the query returned a result and hence the message was being displayed, even though the database was indeed configured for claims authentication rather than classic mode authentication.

For the organisation concerned, having an Active Directory group configured as a site collection administrator for some of their site collections makes sense, so they’ll likely experience the same message next time they upgrade. Obviously in this case it was a false positive and could safely be ignored, and indeed attaching the databases that threw the error to a 2016 web application didn’t generate any issues.

Steps to reproduce:

  1. Create a new content database (to keep everything we’re going to test out of the way).
  2. Create a new site collection in the new database adding site collection administrators as normal.
  3. Add a domain group to the list of site collection administrators.
  4. Run the Test-SPContentDatabase cmdlet against the new database.
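The following PowerShell, added here and not part of the original post, applies the same four-part predicate to constructed UserInfo rows so that the false positive can be seen without a SharePoint farm, and then gives the T-SQL form of the check to run read-only against a real content database. The tp_Login values use the claims encodings SharePoint writes for Windows users and AD groups (i:0#.w| and c:0+.w| respectively), which is why a group passes the “not LIKE ‘I:%’” test; the SQL Server instance and database names are placeholders.

```powershell
# Added example; not from the original post. The first part is plain PowerShell with
# constructed data; the SQL part needs the SqlServer module and read access to the
# content database (instance and database names are placeholders).

function Test-ClassicAuthAdminRow {
    # Same predicate Test-SPContentDatabase applies, per Trevor Seward's post.
    # SQL Server's default collation is case-insensitive, so LIKE 'I:%' also
    # excludes the lower-case 'i:' identity-claim prefix; -notlike matches that.
    param([pscustomobject]$Row)
    return ($Row.tp_IsActive -eq 1 -and
            $Row.tp_SiteAdmin -eq 1 -and
            $Row.tp_Deleted -eq 0 -and
            $Row.tp_Login -notlike 'i:*')
}

function Get-ClassicAuthWarningTriggers {
    param([pscustomobject[]]$UserInfo)
    $UserInfo | Where-Object { Test-ClassicAuthAdminRow $_ }
}

# Constructed rows shaped like the UserInfo table of a claims-mode content database.
# Windows users are encoded i:0#.w|DOMAIN\user; an AD group is c:0+.w|<group SID>.
$sampleUserInfo = @(
    [pscustomobject]@{ tp_ID = 1; tp_Login = 'i:0#.w|contoso\spadmin';  tp_IsActive = 1; tp_SiteAdmin = 1; tp_Deleted = 0 }
    [pscustomobject]@{ tp_ID = 2; tp_Login = 'i:0#.w|contoso\spadmin2'; tp_IsActive = 1; tp_SiteAdmin = 1; tp_Deleted = 0 }
    [pscustomobject]@{ tp_ID = 3; tp_Login = 'c:0+.w|s-1-5-21-1111111111-2222222222-3333333333-1105'; tp_IsActive = 1; tp_SiteAdmin = 1; tp_Deleted = 0 }
    [pscustomobject]@{ tp_ID = 4; tp_Login = 'c:0+.w|s-1-5-21-1111111111-2222222222-3333333333-1106'; tp_IsActive = 1; tp_SiteAdmin = 0; tp_Deleted = 0 }
    [pscustomobject]@{ tp_ID = 5; tp_Login = 'contoso\olduser';         tp_IsActive = 1; tp_SiteAdmin = 1; tp_Deleted = 1 }
)

# Only row 3 matches: an active site admin whose login is a group claim, not an
# identity claim. A genuine classic-mode admin would look like row 5 with tp_Deleted = 0,
# so the tp_Login values returned tell you whether the warning is a false positive.
$hits = Get-ClassicAuthWarningTriggers $sampleUserInfo
$hits | Format-Table tp_ID, tp_Login -AutoSize

# The same check as T-SQL against a real content database (read-only; never edit the
# UserInfo table directly, that is unsupported).
$query = @"
SELECT tp_ID, tp_Login
FROM   dbo.UserInfo
WHERE  tp_IsActive = 1 AND tp_SiteAdmin = 1 AND tp_Deleted = 0 AND tp_Login NOT LIKE 'I:%'
"@
# Invoke-Sqlcmd -ServerInstance 'SQL01' -Database 'SharePoint_Content_Share_Site1' -Query $query
```

If every login the query returns starts with c:0+.w| (or another claims prefix other than i:), the database is in claims mode and the Test-SPContentDatabase message can be disregarded; a bare DOMAIN\user login with tp_Deleted = 0 is the case the check was actually written for.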

Book your free place at a Global DevOps Bootcamp venue for the 17th June 2017 event

Are you enthused by all the news at Build 2017?

Do you want to find out more about VSTS, DevOps and Continuous Delivery?


Well why not take the chance to join us on June 17th at Black Marble, or one of the over 25 other venues around the world for the first Global DevOps Bootcamp?


The Global DevOps Bootcamp is a free one-day event hosted by local passionate DevOps communities around the globe. Find your local venue on the Global DevOps Bootcamp website or search for Global DevOps Bootcamp on EventBrite.

Learn about the latest DevOps trends, ‘get your hands dirty during the Hackathon’, gain insights into new technologies and share experiences with other community members, all based around the concept of "From Server to Serverless in a DevOps world". The Global DevOps Bootcamp is all about DevOps on the Microsoft stack.


Remember, places are limited at all venues, so make sure you get your name down soon to avoid disappointment.

Options migrating TFS to VSTS

I did an event yesterday on using the TFS Database Import Service to do migrations from on premises TFS to VSTS.

During the presentation I discussed some of the other migration options available. Not everyone needs a high-fidelity migration that brings everything over. Some teams may want to just bring over their current source, or just a subset of their source. Maybe they are making a major change in work practices and want to start anew on VSTS.

To try to give an idea of the options, I have produced this flow chart to help with the choices.

Click for a PDF version


It mentions a few 3rd party tools in the flowchart, so here are some useful links

Also, if you find yourself in the orange box at the bottom and don’t want to use the TFS Database Import Service for some reason, have a look at this post I did on Microsoft’s UK Developers site. It might give you some ideas.

o7 is back in Store

Several years ago, for the launch of Windows Phone 7, we built a game based on work we did on helping to teach AI with .NET.

o7 was born.  A great game, and now it is back in glorious UWP for Windows 10.

Try it out and let us know what you think.

 o7

Get it here.


b

Regional Director


Once again I am so very proud to announce I have been selected to continue as a Regional Director for Microsoft for another two years.

The Regional Directors are a truly extraordinary set of individuals and I am humbled every time I’m in their company.  Not only for their extraordinary depth of knowledge and level of technical skills, but also for a passion as deep as mine for helping and supporting the community of developers across the world.


For those out there supporting my endeavours for helping the community, thank you.


b.