TechOnTip Weblog

Run book for Technocrats

ADFS SAML Claim: Windows Domain Name (NetBIOS)

Posted by Brajesh Panda on March 28, 2017

As there are no attributes in Active Directory which can show you which domain the user account belongs to, I have designed my SAML claim rules to retrieve NetBios name of the Active Directory Domain Name.

  1. Create a new claim description
    1. ADFS Management Console – Service – Claim Description – Create a new
    2. Give a name,
    3. Supply Claim Type, like http://custom.techontip.dom/adattribute/windowsdomainname
  2. Claim Rule 1: Create a Claim Rule to capture / add all AD groups into claim

c:[Type == “http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname”, Issuer == “AD AUTHORITY”]

=> add(store = “Active Directory”, types = (“http://schemas.xmlsoap.org/claims/Group”), query = “;tokenGroups(domainQualifiedName);{0}”, param = c.Value);

  1. Claim Rule 2: Select Only one group. Here I will select Domain\Domain Users Group.

c:[Type == “http://schemas.xmlsoap.org/claims/Group”, Value =~ “(?i)Domain Users“]

=> issue(claim = c);

  1. Claim Rule 3: Use RegexReplace to replace \Domain Users and pass on the remaining value to newly created claim description

c:[Type == “http://schemas.xmlsoap.org/claims/Group”, Value =~ “(?i)Domain Users”]

=> issue(Type = “http://custom.colliersadfs.com/adattribute/windowsdomainname”, Value = RegexReplace(c.Value, “\\[^\n]*”, “”));

Claim rules need to be in order.

In Claim rule 2: “(?i) means not case sensitive

In Claim rule 3: “\\[^\n]*”; means 1st back slash and everything after it. To capture the black shlash you have to mention two back slashes (\\) but if it is other special character like , or @ no need of double characters.

Here is a nice article about RegEx in Claim rule

https://social.technet.microsoft.com/wiki/contents/articles/16161.ad-fs-2-0-using-regex-in-the-claims-rule-language.aspx

Posted in Mix & Match | 2 Comments »

Replacing legacy Domain Controller Certificates

Posted by Brajesh Panda on January 13, 2017

Original article: http://www.open-a-socket.com/index.php/2012/11/21/replacing-legacy-domain-controller-certificates/

Something you may have noticed in your journey on the road to AD enlightenment is that if you deploy a new Microsoft Enterprise Certificate Authority (CA) and publish the default templates, your Domain Controllers will automatically enroll for a certificate. The template used is the DomainController V1 certificate, which has been around since Windows 2000 days.

But what if you wanted to assign a different certificate based on the most recent template designed for use with DCs (KerberosAuthentication)? Easy, you would think, given that the DCs have this in-built autoenrollment capability. All I would need to do is unpublish the old DomainController template, publish the new KerberosAuthentication template, ensure that DCs have autoenroll permissions on the template and then perform a Certutil –pulse command on the DCs. Right? Wrong. It’s actually not that straightforward. From what I have managed to infer (no one will provide me with a definitive answer) it seems the in-built auto-enrollment feature of Domain Controllers is tied specifically to the legacy DomainController template. In other words it will only work with the DomainController template and no other.

The only way I can get the DCs to successfully autoenroll for a certificate based on the KerberosAuthentication template is to follow the steps shown below.

1. Ensure the Domain Controllers group has permissions on the KerberosAuthentication template (it has by default).

2. Modify the properties of the KerberosAuthentication template to add the DomainController, DirectoryEmailReplication and DomainControllerAuthentication templates to the list of superseded templates

3. Publish the KerberosAuthentication template

4. Modify a GPO linked to the Domain Controllers OU to enable the “Certificate Services Client – Auto-Enrollment setting as shown below.

5. Wait for policy to apply to the DCs (or run gpupdate /force).

6. Runcertutil –pulse from an elevate CMD prompt to force re-enrollment.

7. Confirm that a new certificate has been issued based on the KerberosAuthentication template and that the old certificate based on the DomainController template has been automatically removed.

Posted in Mix & Match | Leave a Comment »

Get child objects thru ADSI & Powershell

Posted by Brajesh Panda on January 3, 2017

For example exchange org details..

$ForestRootDSE= (Get-ADRootDSE).rootDomainNamingContext

$config = [ADSI]"LDAP://CN=Microsoft Exchange,CN=Services,CN=Configuration,$ForestRootDSE"

$orgName = $config.psbase.children | where {$_.objectClass -eq ‘msExchOrganizationContainer’}

$orgName.name

$orgName.objectVersion

I have to understand little more about psbase. Seems like more methods are available under psbase ($config.psbase | gm) & mostly used with ADSI, WMI or XML kind of stuff. Folks says; PSBase lets you get at the “raw” object behind the object PowerShell exposes by default; in other words, PSBase lets you get at all the properties and methods of the object.

https://blogs.technet.microsoft.com/heyscriptingguy/2008/03/12/hey-scripting-guy-how-can-i-use-windows-powershell-to-add-a-domain-user-to-a-local-group/

https://blogs.msdn.microsoft.com/powershell/2006/11/24/whats-up-with-psbase-psextended-psadapted-and-psobject/

Posted in Mix & Match | Leave a Comment »

Active Directory LDAP filters

Posted by Brajesh Panda on October 26, 2016

http://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx

Posted in Mix & Match | Leave a Comment »

Powershell Tip: Date Formatting ISO 8601

Posted by Brajesh Panda on October 10, 2016

Convert current date to ISO 8601 format (like 2016-10-10T16:35:48.477):  Get-Date -format s

Convert ISO 8601 format to Powershell’s date time format:  [datetime]::Parse($date). where $date has the ISO 8601 input.  Here is the reference to one of my old post which converts user input to powershell’s DateTime format.

Here are two other interesting articles.

https://technet.microsoft.com/en-us/library/ee692801.aspx

https://blogs.technet.microsoft.com/heyscriptingguy/2010/08/03/how-to-express-dates-in-different-fashions-with-windows-powershell/

image001

image001

Posted in Powershell | Leave a Comment »

Powershell: Use Convert-String to parse email addresses

Posted by Brajesh Panda on September 13, 2016

Feed: GoateePFE
Posted on: Tuesday, September 13, 2016 8:14 AM
Author: Ashley McGlone
Subject: Use the new PowerShell cmdlet Convert-String to parse email addresses

Tired of hacking away at RegEx and string functions to parse text? This post is for you!

New toys

PowerShell 5.x includes a number of new features. One of the lesser-known and incredibly powerful is the string conversion set of cmdlets. The names are very similar. Check out how Get-Help describes them:

PS C:\> Get-Help Convert*-String | Format-Table Name,Synopsis -AutoSize
Name Synopsis
---- 

Posted in Mix & Match | Leave a Comment »

Powershell – Change CSV Headers

Posted by Brajesh Panda on September 2, 2016

CSV file has below headers and I want to change them by appending 1 to each one of them.

Name, samaccountname, ComputerEnabled, User, UserEnable, UserOffice, UserDepartment

$headers = "name1","samaccountname1","ComputerEnabled1","User1","UserEnabled1","UserOffice1","UserDepartment1"

Get-Content C:\AdobeStandard.csv -Encoding Default | Select-Object -Skip 1 | ConvertFrom-CSV -UseCulture -Header $headers

http://powershell.com/cs/blogs/tips/archive/2016/09/02/replacing-csv-file-headers.aspx

Posted in Mix & Match | Leave a Comment »

Azure Backup Reporting

Posted by Brajesh Panda on August 10, 2016

In the absence of any good reporting mechanism for Azure Backup Agents, I have created this one for my work. We just start backing up some branch file servers to Azure and that number will go up. So for now it is okay, will see what improvements I can do to this. If you have an idea please suggest or implement and send me a copy 😉

Download from here.

# Base Script
# Added Recovery Points
# Convert UTC times to server's local time

# Add all of your servers computer accouts to a group called Azure_Backup_reporting
$AzureBackupAgents = Get-ADGroupMember Azure_Backup_Reporting | select Name

$Consolidated = @()

foreach($Node in $AzureBackupAgents)
{
 $Agent = $Node.Name
 $AGent
 # Select last 10 Azure Backup Jobs from the remote server
 $AgentReports = Invoke-Command -ComputerName $Agent -ScriptBlock `
 {
 # Find time (ticks) offset between Local and UTC. 
 $Date = Get-Date;
 $UTC = $Date.ToUniversalTime();
 $OffSet = $Date – $UTC;
 # Find last 10 job details
 Get-OBJob -Previous 10 | select Jobtype, `
 @{Name="StartTime"; Expression ={($_.JobStatus.StartTime).AddTicks($OffSet.Ticks)}}, `
 @{Name="EndTime"; Expression ={($_.JobStatus.EndTime).AddTicks($OffSet.Ticks)}}, `
 @{Name="JobState"; Expression ={$_.JobStatus.JobState}}, `
 @{Name="BackupSizeInGB"; Expression ={($_.JobStatus.DatasourceStatus.ByteProgress.Progress / 1GB).ToString('#.##')}}, `
 @{Name="TotalSizeInGB"; Expression ={($_.JobStatus.DatasourceStatus.ByteProgress.Total / 1GB).ToString('#.##')}}, `
 @{Name="FailedFileLog"; Expression ={$_.JobStatus.FailedFileLog}}
 }
 
 # Filter & Select last 24 hours logs 
 $Day = (Get-Date).AddHours(-24)
 $Filtered = $AgentReports | where{$_.StartTime -gt $Day} | Sort StartTime -Descending | Select @{Name="AgentName"; Expression ={$_.PSComputerName}}, JobType, StartTime, Endtime, JobState, BackupSizeInGB, TotalSizeInGB, FailedFileLog
 ($Filtered | Measure-Object).Count
 $Consolidated += $Filtered
}
$Node = $null

# Recovery Point Details
$Consolidated | Add-Member -MemberType NoteProperty TotalRPs ''
$Consolidated | Add-Member -MemberType NoteProperty OldestRP ''
$Consolidated | Add-Member -MemberType NoteProperty LatestRP ''

foreach($Node in $Consolidated)
{
 $RecoveryPoints = Invoke-Command -ComputerName $Node.AgentName -ScriptBlock `
 {
 Get-OBAllRecoveryPoints | Sort-Object backuptime
 }
 $Node.TotalRPs = ($RecoveryPoints | Measure-Object).Count
 $Node.OldestRP = $RecoveryPoints[0].BackupTime
 $Node.LatestRP = $RecoveryPoints[-1].BackupTime
}

 # HTML Formating; Styles to be placed in the header
 $a = "<style>"
 $a = $a + "BODY{font-family: Verdana, Arial, Helvetica, sans-serif;font-size:10;font-color: #000000}"
 $a = $a + "TABLE{border-width: 1px;border-style: solid;border-color: black;border-collapse: collapse;}"
 $a = $a + "TH{border-width: 1px;padding: 0px;border-style: solid;border-color: black;background-color: #E8E8E8}"
 $a = $a + "TD{border-width: 1px;padding: 0px;border-style: solid;border-color: black}"
 $a = $a + "</style>"

 # Mail Alert
 $MailSubject = "Consolidated Azure Backup Report for Last 24hrs"
 $MailBody = $Consolidated | Select AgentName,JobType,StartTime,EndTime,JobState,BackupSizeInGB,TotalSizeInGB,TotalRPs,OldestRP,LatestRP,FailedFileLog | ConvertTo-Html -Head $a

 # Mailout the Report
 $smtpServer = "smtp.server.name"
 $msg = new-object Net.Mail.MailMessage
 $smtp = new-object Net.Mail.SmtpClient($smtpServer)

 $msg.From = "AzureBackupAdmin@abc.com"
 $msg.To.Add("Admin@abc.com")
 $msg.Subject = $MailSubject
 $msg.Body = $MailBody
 $msg.IsBodyHTML=1
 $smtp.Send($msg)

Email Output looks like below;

azuer backup

Posted in Azure, Powershell | 4 Comments »

Upgrade Windows 10 Pro to Enterprise

Posted by Brajesh Panda on August 9, 2016

From an elevated command prompt run changepk.exe and supply the MAK activation key. It will take 15-20mins to finish the upgrade & couple of times auto reboot to get converted to enterprise edition.

Posted in Mix & Match | Leave a Comment »

CRL vs OCSP

Posted by Brajesh Panda on July 26, 2016

Here is a nice article which describes Certificate Revocation List vs Online Certificate Status Protocol.

https://www.fir3net.com/Security/Concepts-and-Terminology/certificate-revocation.html

Credit goes to Mr. R DONATO

Ricky Donato is the Founder and Chief Editor of Fir3net.com. He currently works as a Principal Network Security Engineer and has a keen interest in automation and the cloud.

You can find Ricky on Twitter @f3lix001

INTRODUCTION

Certificate Revocation is used within PKI (Public Key Infrastructure) to instruct the client that the certificate can no longer be trusted. This is required in scenarios where the private key has been compromised.

CERTIFICATE TYPES

Prior to a CA issuing a certificate to a company the CA performs a level of validation on the authenticity that the company are who they say they are. There are 3 levels of validation ranging from DV (lowest) level all the way up to EV (highest).

Domain Validation (DV) – This type of certificate is the least expensive of the 3. It requires a basic form of domain validation to be performed. Validation is performed by email.
Organization Validation (OV) – When obtaining an OV certificate the company name is checked against a company register, i.e Chamber of Commerce.
Extended Validation (EV) – Like OV a company search is performed, however the physical location is also checked and the contact who requested the certificate is also validated.

REVOCATION METHODS

CRL (Certificate Revocation) was first released to provide the CA with the ability to revoke certificates., however due to limitations with this method it was superseded by OCSP.

Below details each of these methods along with their main advantages and disadvantages.

CRL

CRL (Certificate Revocation Lists) contains a list of certificate serial numbers that have been revoked by the CA. The client then checks the serial number from the certificate against the serial numbers within the list (sample shown below).

Revoked Certificates:
Serial Number: 2572757EAAF2BEC5980067579A0A7705
Revocation Date: May 1 19:56:10 2013 GMT
Serial Number: 776DDD15D25C713616E7D4A8EACFB4A1
Revocation Date: May 24 13:03:16 2013 GMT

To instruct the client on where to find the CRL, a CRL distribution point is embedded within each certificate (shown below),

X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:D1:6D:2E:7C:5C:AD:14:FC:2A:72:92:C2:82:CB:B9:6E:DC:A5:C4:02
 X509v3 Subject Key Identifier:
35:42:17:CF:F0:9A:FF:B7:9F:FC:C5:A4:95:D6:68:4F:97:81:1E:1D
X509v3 Key Usage: critical
Digital Signature, Key Encipherment
X509v3 Basic Constraints: critical
CA:FALSE
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Certificate Policies:
Policy: 1.3.6.1.4.1.6449.1.2.2.43
CPS: https://cps.trust-provider.com
Policy: 2.23.140.1.2.2
 X509v3 CRL DistributionPoints:
 URI:http://crl.trust-provider.com/McAfeeOVSSLCA.crl

The main disadvantages to CRL are :

· Can create a large amount of overhead, as the client has to search through the revocation list. In some cases this can be 1000’s of lines long.

· CRLs are updated periodically every 5-14 days. Potentially leaving the attack surface open until the next CRL update.

· The CRL is not checked for OV or DV based certificates. Checked for EV certificates.

· If the client is unable to download the CRL then by default the client will trust the certificate.

OCSP

OCSP (Online Certificate Status Protocol) removes many of the disadvantages of CRL by allowing the client to check the certificate status for a single certificate.

The OCSP process in shown below,

1. Client receives certificate.

2. Client sends OCSP Request to a OCSP Responder (over HTTP) with the certificates serial number.

3. OCSP Responder replies with a certificate status of either Good, Revoked or Unknown (shown below)

Response verify OK
0x25F5V12D5E6FD0BD4EAF2A2C966F3B4aE: good
 This Update: Jan 19 00:24:56 2011 GMT
 Next Update: Jan 26 00:24:56 2011 GMT

The main advantage to OCSP is that because the client can query the status of a single certificate, rather then having to download and parse an entire list there is much less overhead on the client and network.

However the main disadvantages to OCSP are,

· OCSP Requests are sent for each certificate. Because of this there can be a huge over head on the OCSP Responder (i.e the CA) for high traffic websites.

· If the private key was comprised the attacker would need to leverage a MITM attack to intercept and pose as the server. Because most browsers slienty ignore OCSP if the protocol times out OCSP can still not be considered a 100% reliable method for mitigating HTTPS server key comprises.

· The OCSP is not enforced for OV or DV based certificates. Checked for EV certificates.

OCSP STAPLING

OCSP Stapling resolves the overhead issues with OCSP and CRL by having the certificate holder (i.e the server) periodically performing the OCSP Request. The OCSP Response is then sent back to the client (i.e stapled) during the SSL handshake.

NOTE The OCSP Response is signed by the CA to ensure that it has not been modified before being sent back to the client.

The main disadvantages with OCSP Stapling are,

· Only supported within TLS 1.2.

· It is still not supported by many browsers . This results in either the OCSP validity method not being used or standard OCSP being used instead.

REFERENCE

OCSP

https://www.grc.com/revocation/commentary.htm

OCSP Stapling

http://en.wikipedia.org/wiki/OCSP_stapling<

Certificate Types / Browser Functionality

http://blog.spiderlabs.com/2011/04/certificate-revocation-behavior-in-modern-browsers.html

Posted in Mix & Match | Leave a Comment »

Powershell with Internet Proxy Servers

Posted by Brajesh Panda on June 24, 2016

https://dscottraynsford.wordpress.com/2016/06/24/allow-powershell-to-traverse-a-secure-proxy/

Posted in Mix & Match | Leave a Comment »

ADFS: NameID Claim with Additional Properties

Posted by Brajesh Panda on May 26, 2016

Lately I was doing a SAS application (Axxerrion) integration with our ADFS. And they had a requirement to get a few things as additional properties i.e. spnamequalifier, namequalifier & nameID format to be mentioned as transient.

Here what I came up with. They also needed UPN for validation. So in 1st rule I am creating two outgoing claims. In 2nd custom rule, I am adding attributes to the Outgoing NameID claim. Final claim screenshot is at the bottom.

Claim Rules

Rule 1:

claim

 

 

 

 

 

 

 

 

 

Rule 2:

c:[Type == “http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier“]

=> issue(Type = “http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier“, Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties[“http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format“] = “urn:oasis:names:tc:SAML:2.0:nameid-format:transient”, Properties[“http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/namequalifier“] = “https://<Adfs_URL>/adfs/ls/“, Properties[“http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier“] = “https://test.axxerion.us/axxerion/“);

Saml Claim thru SAML Tracer

Posted in ADFS | Leave a Comment »

Powershell Trick: Execute Logon Script as per Group Membership

Posted by Brajesh Panda on May 22, 2016

If((Get-ADPrincipalGroupMembership $env:username).name -like “Domain Users”)

{Write-Host “Yes”}

Change the Write-Host section with the action script, what you want to execute. I think this is what you want.

Here $env:username gets the logged on user name. It is like “whoami” command, without the domain info. You can get domain info using $env:USERDNSDOMAIN

Posted in Mix & Match, Powershell | Tagged: | Leave a Comment »

Powershell Trick: Convert TXT to HTML and Send Email

Posted by Brajesh Panda on May 17, 2016

If you want to get contents from a txt file and send its content in email body, this trick will do the job. My txt file has multiple separate lines, like general error files.

So this trick joins all lines with <BR> HTML encode to introduce line breaks. If you do not use this encode and just do get-content, all lines will be messed like a paragraph and will be hard to read.

$Body = (Get-Content <File Path>) -join ‘<BR>’

After you encode the html, make sure use BodyAsHtml to set outgoing email format. So email client will convert html page back to readable format.

Send-MailMessage -From <> -To <> -Subject <Message> -Body $Body -BodyAsHtml -SmtpServer smtp.server

Posted in Mix & Match, Powershell | Tagged: | Leave a Comment »

Powershell Trick: Capture Valid IP

Posted by Brajesh Panda on April 30, 2016

[ipaddress]$ipaddress = Read-Host “Type valid ip”

https://communary.net/2014/11/12/quick-tip-validate-ip-address-parameter-in-custom-functions/

Posted in Mix & Match, Powershell | Tagged: | Leave a Comment »

 
%d bloggers like this: