Search This Blog

Thursday, 22 December 2016

Azure / Office 365 Pass Through Authentication / Selective Authentication & Sub-Domain

Azure / O365 Pass Through Authentication / Selective Authentication & Sub-Domain

PTA
As you may have seen PTA (Pass Through Authentication)  is now in preview. Which in general terms is great news for Standard Azure / O365 Installs to remove the reliance ADFS.
However, as anything new, let’s see the where the limitations are….(AKA Finger in socket test). This also sparked a couple other scenarios…(side related), which I just wanted to share.

So a real life scenario is here we need to provide “selective authentication” within the same tenant .  (Basically we need to direct users from @xyz.com domain and Abc.com domains to their own hosted ADFS AD / service for Authentication. Mainly for autonomous control and not relying on someone else’s  infrastructure (Apart from the AD Connect server)
 This is done by registering each domain with Azure and providing the ADFS Sign-in URL`s…Job done..! (New-msolfederateddomain / convert-MsolDomainToFederated)
(We could use a Shared ADFS service, but this would need “Full forest Trusts” / connected WAN etc.., but as mentioned, antonymous control is key here)

So each domain will provide their own ADFS, Which does the job..(but needs an awful lot of kit spread around the place let’s say ~6 Servers per ADFS solution (2 WAP, 2 ADFS, 2 DC`s + DMZ`s, Load Balancers!), so for example  say we have 5 ADFS solutions, ~30 servers….and so on…

So…  PTA, so what can PTA bring to the table in this scenario. (bearing in mind still in preview). Do we just  stick some agents on DC`s and remove the 30 Plus servers  and DMZ`s, Load Balancers?
Mmm., But what about “selective authentication”, as the whole point is we don’t want to rely on someone else’s servers / forest ?...  , so looking under the bonnet a little (fine print), it turns out that “multi-forest” is supported but must have a “Trust” in place..  so the assumption is that this relys on UPN Suffix routing to route the request to the relevant DC…  (I have posted this question to the site above for response).
So in this scenario, PTA would fail, as we do not have Trusts or Routing or DNS in place for cross forest !



Selective Authentication / Sub-Domains
So, the above investigative work highlighted some potential gotcha`s, with selective authentication withinin the same tenant and what’s possible across tenants.

So, Scenario., we have contoso.com in our tenant, using ADFS and all good.  , We then purchase a new company, and we want them to be known and use NW.contoso.com …. (but as above they are still technically separate, own AD, ADFS, exchange….).
so we add the NW.contoso.com sub-domain to our O365 Tenancy, all good, and we want to enable their local ADFS federation to authenticate anyone using @nw.contoso.com…
So we go and we set this up accordingly in ADFS…..  (Convert-MsolDomainToFederated -DomainName nw.contoso.com –SupportMultipleDomain). Etc…… BUT. ! WTF?



And if we try and login to O365. The new domain will be recognised, but redirected to the parent domains ADFS….!!  Ouch..
Why !?  well, This is down to the inherited link to the parent domain that is created by default if the parent domain already exists…..


So..what now.  well, in all honestly not a lot, and if you’re in this position, it’s down to poor planning or just not knowing, what you know now !!!
However one option (other than rip it up and start again), and one I didn’t think possible.  (but have tested and is valid).  You can actually assign a subdomain to a new O365 tenancy / Azure, even if the parent domain is registered elsewhere in azure !!!!! So the restriction in azure are only at one level, which for a change is a nice little quirk…J

So……… what if your loaded with this before hand ? can we get this solution to fly ? using a single tenant……YES !!!!
As per the accredited link, we simply need to register the subdomains before we create the Parent domain, as you can see, this breaks the root domain link…



We can then assign the required “selective authentication” against these sub-domains from the required ADFS servers.



…but, again a down side, once the parent is created, any additional sub-domains will pick up the inheritance from the parent….. and root authentication traffic to the parent ADFS…


One for the back pocket if nothing else….

Monday, 12 December 2016

Quest Migration Manager (MAGE) Microsoft.Exchange.WebServices.Data.ServiceResponseException: Access is denied. Check credentials and try again.

Issue
During a Mailbox or Calendar sync job, you may receive an error similar to the below on a particular mailbox (s).

"Microsoft.Exchange.WebServices.Data.ServiceResponseException: Access is denied. Check credentials and try again. "

All permissions are set correctly and you can connect via EWSEditor , All AD permissions look correct (inheritance, Full Access)

Problem
Time for spot the difference.  For some reason the "Self" permission was not showing in Exchange Management Shell. (Even though was showing in AD!!)

Missing Self Permission

Added Self Permission

Solution
Re-Add the self permission via EMC and re-synchronize the mailbox. Viola !!!