Thursday, September 20, 2012

iOS 6

Just a day into the release of the new iOS 6 and I feel like I've just gotten a mixed bag of improvements and odd-ball changes.  The new map is cool, Siri is improved (yep, she can still find strippers, but now she can also tell the score of the football game).

I have not played around with the iPad or iPhone much in the last day.  I am not a fan of the new phone app (it is not as attractive as the old one), but I do like the feel of the new stores.

Also (this might have been there before, and I just did not see it because my phone was not hooked to the cloud), I now have all of my music that is in the cloud on my phone.

So I am excited that I can now find out how badly the Rams lost without typing anything and that strippers are still just a click away, but time will tell on the passport (it needs more partner applications, and stores will have to know how to handle it) as well as the other improvements.

Wednesday, September 19, 2012

Microsoft Certified Masters

A little more than a week into my Microsoft Certified Master rotation, I am sitting here going through troubleshooting skills for AD and other technologies, thinking about the upcoming test and practical (which is really just a simulation of real-world issues).  

It is a fascinating experience, getting to sit in a room with a group of people who have a great deal of experience working with Active Directory and many of Microsoft's other products.  There are some very smart people sitting in a very close space!

As one guy reminds us, he is very much a type A personality.  The rest of us just kind of laugh, we are all type A.

However, my thoughts tonight turn more towards where directory services is going in the future.  Microsoft has been pitching the idea that Windows 2012 is the server built from the cloud up for a while, and they really like their new Azure AD (which is really just directory services in the cloud).  Combine that with their history of going toe to toe with Oracle in the DB market and VMware in the virtual server market, both places where Microsoft has made HUGE strides forward with the 2012 versions of their software.  Now that Microsoft has put itself in a place where its technologies have reached a mature point, it can turn its guns on the next big target:

Identity management.

To this point, Microsoft has kind of toyed around with it through their FIM solution; but take that, combine it with token services through ADFS, mix in some directory services through AD DS, put it all in a stable environment like Windows 2012, and they have an opportunity to push into a market that has so far been dominated by two different groups:

On-premises identity management, providing companies with a way to present a single identity to each user that they use to access "everything" within their walls (and sometimes in the cloud, although that usually takes a combination of products).

In-the-cloud identity providers, which is really a very new market.  Companies like OneLogin have put themselves in a good position in this market, virtually replacing an on-premises ADFS (or other SAML) solution.  However, the cloud solutions do not extend very well inside the boundaries of the company itself. 

Microsoft, on the other hand, already has ties into an identity solution in the cloud (through their Live ID), has the leading on-premises directory service (Active Directory), and has been managing SAML (token-based), PKI (certificate-based), and encrypted access for a long time.  Add in their FIM product, which is a good tool for synchronizing between directory services, and you have what could be a very impressive identity management solution if the pieces are assembled correctly.

I imagine a time when users are able to take their identity with them from company to company and use it to authenticate into services the way you do with a Facebook account, while at the same time companies are able to accept that identity, merge it into their environment, provide controls around access, and gain insight into their own employees.

The solution could empower both employers and employees alike!

What kicked off this stream of thought?  A PowerPoint presentation I came across while studying: http://download.microsoft.com/download/d/0/8/d08e709d-e760-45c7-80c7-e20727e993b4/IDENTITY_RAFAL/Identity_and_Access_Management_Overview.ppt

Wednesday, July 25, 2012

Windows 2012 Licensing

Microsoft is changing things up a bit as they launch Windows 2012, the new server OS.  They are going to just two editions:

Standard Edition and Datacenter Edition.

Any Enterprise Edition licenses covered by Software Assurance will convert to two Standard licenses each.

All features will be available in both editions of Windows 2012, the only difference being the virtualization allowance.  Each license of Standard that you apply to a server lets you host up to two VMs, and you can stack copies of Standard on a server to increase that number.

Datacenter Edition will continue to provide an unlimited number of VMs at no extra cost.

The licensing for both editions is based on a two-processor server, and you license servers by their physical hardware (in other words, VMs themselves cannot be licensed). 

With the move to 2012, the Enterprise and Web Server editions are being eliminated: Enterprise to reduce the cost and complexity of licensing, and Web Server due to lack of popularity.

You can read more here: http://download.microsoft.com/download/4/D/B/4DB352D1-C610-466A-9AAF-EEF4F4CFFF27/WS2012_Licensing-Pricing_FAQ.pdf

Saturday, May 26, 2012

Handy ADFS / Claims Based Identity Links

Microsoft Windows Identity Foundation:
http://msdn.microsoft.com/en-us/security/aa570351.aspx
http://msdn.microsoft.com/en-US/evalcenter/dd440951.aspx

Microsoft's Claim Based Identity and Access Control (2nd Edition)
http://msdn.microsoft.com/en-us/library/ff423674.aspx

MSDN Magazine:
http://msdn.microsoft.com/en-us/magazine/cc163366.aspx

ADFS:
http://technet.microsoft.com/library/dd727958(WS.10).aspx

Claims Based Identity & Access Control Guide (Codeplex)
http://claimsid.codeplex.com/

Exchange Cross Forest Work

Perhaps you are caught up in the work of migrating users from one domain to another (then again, perhaps you actually have really fun things to do besides dealing with the politics of moving people across domains).  One interesting thing that makes sense when you look at it, but is a bit confusing at first glance, is establishing Exchange permissions.

There are really two types of Exchange permissions when dealing with mailboxes: Full Access, and Send As / Send on Behalf.  I count the last two as one type because, while they are assigned differently, they serve the same purpose and are usually granted together.

So on to the story!  While moving people's mailboxes from domain A to domain B, we discovered that going into Exchange and saying "Hey, grant this dude full access" via the MMC just was not getting us where we wanted to be (in other words, they got no access at all).  It was not until we sat down and really thought about the "Full Access" requirements that it made sense.

So you have "Joe User" logging into his PC in domain A with the account DomainA\joe.user, and the mailbox that Joe uses is in domain B.  For that to work, there is a disabled account set up in Domain B that the linked mailbox is tied to.  That disabled account in turn is tied to joe.user in Domain A (with me so far?).

So Joe logs in with his Domain A account and accesses his mail in Domain B.  Then along comes Sally User, and Joe wants her to have full access to his mailbox.  So there we were thinking "Dude, this is easy: right click, Full Access, Sally, click a few times, get some Cheetos."

Sally fires up her Outlook, opens up Joe's mailbox and BAM, no access!

So what happened?  Well, Sally is just like Joe: she logs into Domain A as DomainA\Sally.User and then accesses her own mailbox (which is the same linked-mailbox type, with a disabled user in Domain B).  Then she clicks on Joe's mailbox and it tosses the error.  Well... Sally is trying to open Joe's mailbox as DomainA\Sally.User, not DomainB\Sally.User (the linked mailbox account), and we did not grant rights to that Sally!  We granted them to the linked mailbox account in Domain B.

Darn silly of us; but why doesn't Exchange tell us?  Well... my guess is it is partly evil, with a chance of "this is why they have Exchange experts and tech support."

So you have to get a little brave, fire up the old PowerShell, and get Sally the access she so desperately needs!  Mailbox rights such as Full Access are granted with Add-MailboxPermission (Add-ADPermission is the cmdlet for Active Directory rights such as Send As, and it does not accept FullAccess as an access right).  That command looks a little like this:

Add-MailboxPermission -Identity "joe.user" -User "DomainA\sally.user" -AccessRights FullAccess

The thing to note is that you only have to identify Joe's mailbox (in Domain B), but you have to qualify Sally's account in Domain A with the domain name, because Full Access is checked against the account Outlook authenticates with, not against the disabled linked account in Domain B.

Easy, right?  Well, here comes another twist!  Want to grant Send As or Send on Behalf rights?  You can do that from the MMC or via PowerShell, and granting them to the Domain B account works.  The reason is that Send As is not a permission that is checked as you access the mailbox; it is checked on the Exchange server as the email is sent.

So Exchange says "Hey, an email from Sally's account going out as Joe.  Does her mail account have that right?"  Well, the mail account is the Domain B linked account.  So there you can go into the MMC, right click, Send As, add the user, click a few times, and you'll get some tasty success action!

You can also dig into the account and grant send on behalf of rights.

One last thing to note: if you grant "Send on Behalf of" and "Send As" rights to the same account, it will send on behalf of, not send as.  So keep an eye on that!
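To put the whole cross-forest delegation together, here is an added PowerShell example (it is not from the original post).  It assumes Exchange 2010-era cmdlets in the Exchange Management Shell, a linked mailbox joe.user in Domain B, and a delegate who logs in as DomainA\sally.user and has her own linked account DomainB\sally.user; all of those names are placeholders.  It checks the mailbox really is linked, grants Full Access to the Domain A account, grants Send As to the Domain B account, and then verifies who holds what.

```powershell
# Added example, not from the original post. Assumes Exchange 2010-era cmdlets and
# the linked-mailbox layout described above; all account and domain names are placeholders.

$MailboxOwner   = 'joe.user'            # linked mailbox in Domain B
$DelegateExt    = 'DomainA\sally.user'  # the account Sally actually logs in with
$DelegateLinked = 'DomainB\sally.user'  # disabled Domain B account behind Sally's linked mailbox

# 1. Confirm this really is a linked mailbox and show which Domain A account it is tied to.
$mbx = Get-Mailbox -Identity $MailboxOwner
if ($mbx.RecipientTypeDetails -ne 'LinkedMailbox') {
    throw "$MailboxOwner is not a linked mailbox (type: $($mbx.RecipientTypeDetails))"
}
"{0} is linked to master account {1}" -f $mbx.Alias, $mbx.LinkedMasterAccount

# 2. Full Access is evaluated against the account Outlook authenticates with,
#    so it must go to the Domain A account, not the disabled Domain B one.
Add-MailboxPermission -Identity $MailboxOwner -User $DelegateExt `
    -AccessRights FullAccess -InheritanceType All

# 3. Send As is evaluated on the Exchange server against the sending mailbox's own
#    account, i.e. the linked account in Domain B, so it goes to that account.
#    (Do not also add her via Set-Mailbox -GrantSendOnBehalfTo: if both are set,
#    Exchange sends on behalf of rather than sends as.)
Add-ADPermission -Identity $mbx.DistinguishedName -User $DelegateLinked `
    -ExtendedRights 'Send-As'

# 4. Verify. FullAccess should show the Domain A account; Send-As the Domain B account.
Get-MailboxPermission -Identity $MailboxOwner |
    Where-Object { -not $_.IsInherited -and $_.User -like '*sally.user' } |
    Select-Object User, AccessRights

Get-ADPermission -Identity $mbx.DistinguishedName |
    Where-Object { $_.ExtendedRights -like 'Send-As' -and $_.User -like '*sally.user' } |
    Select-Object User, ExtendedRights
```

The verification step at the end is the part worth keeping around: after a migration it is easy to end up with Full Access granted to the wrong Sally, and listing the non-inherited mailbox permissions shows immediately which domain's account actually holds the right.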

All of this might not be new to those of you out there who know more than me (which covers just about everyone), but I learned something that day, and it was jolly good!