Archives mensuelles : octobre 2013

Update Rollup 4 for System Center 2012 Service Pack 1

J’ai un peu de retard mais le Rollup 4 pour la gamme System Center 2012 SP1 est sorti la semaine dernière. Cela concerne donc tous les produits de la gamme System center 2012. Avant de se lancer dans l’installation, attention à bien lire les remarques de la KB. C’est pas toujours aussi simple pour tous les produits (SCVMM) ainsi que l’ordre d’installation.

 

BenoîtS – Simple and Secure by Design but Business compliant.

Tips for your DirectAccess OTP deployment

While troubleshooting a lab for a customer of mine, I discovered that troubleshooting OTP problems can be painful, especially if you do not know some Jedi Minds tricks. So use the force (and your Brain).

 

OTP Status on Remote Access Management Console

According to the Remote Access Console, My DirectAccess infrastructure have a problem with OTP feature. But I can notice currently connected DirectAccess Clients. And OTP authentication process was successful for them. So What does the console test?

0

Technically, the Remote Access Management Console test network connectivity with Network Policy Server that will manage authentication requests to OTP infrastructure. This test include :

  • NPS network connectivity
  • User authentication

 

But witch user are we talking of? After some research and network traces, it’s the DAProbeUSer account that is used by the Remote Access Management Console to test authentication process every five minutes.

image

 

My recommendation is to use these registry key to configure an alternate password for this account (even if it does not exists in Active Directory) and allow user authentication for this user into your OTP infrastructure. 

 

From my point of view, this test prove nothing as this account does not exists in Active Directory and is not recognized by your OTP infrastructure.

4

It only prove that your OTP infrastructure is able to deny authentication requests.

 

Alternate test

I have a better tests, just test the OTP process responsible for authentication. In UAG 2010, it was a dedicated portal trunk. In Windows Server 2012, it’s much more simple :

1

 

Yes, in Windows Server 2012, OTP authentication process rely on a old school ISAPI extension running inside IIS. Take a look at the Internet Information Services console on your DirectAccess gateway.

3

 

You will find a dedicated web site running with it’s own application pool. Calling the DAAUTHOTP.DLL allow to test this ISAPI extension and provide an essential information : Time. Time synchronization is critical to OTP authentication.

 

On DirectAccess client-side

On client side, you can also call the DirectAccess OTP ISATAP extension. It’s reachable even outside IPSEC tunnels.

2

 

That’s a good thing to monitor using System Center Operation manager 2012/2012R2. Web Application Availability Monitoring is a useful feature for that.

And the OTPCredentialProvider event log located on your DirectAccess clients (if you installed the DirectAccess Connectivity Assistant on Windows 7), give enough details to troubleshoot OTP authentication problems.

5

Don’t forget to enable this event log if your want to read something.

 

Stay tuned for other DirectAccess OTP deployment tips.

 

BenoîtS – Simple and Secure by Design but business compliant

The 0x80040008 DirectAccess + OTP case

I was recently involved in a DirectAccess + OTP deployment. The DirectAccess setup began like a charm (Powershell based) but strange things began to happened when I added OTP authentication feature for Windows 7 DirectAccess clients. From an end-user point of view, here is the problem :

0

 

My first reaction was to Google Bing the does not help a lot. Let’s trace this problem into all layers of the DirectAccess  OTP authentication process.

 

Trace from the URA console

That was the begin of this long journey. According to the Dashboard view of the Remote Access Management Console everything is healthy.

1

 

So problem, may not be located on the URA server. If you know how OTP work with DirectAccess, you should know that the URA server is configured as a RADIUS client that send authentication requests to a RADIUS server. In my case, this RADIUS server is a dedicated Network Policy Server that include the GEMALTO NPS extension for GEMALTO Server SA. Illustration bellow is one of the message I found in the application event log of my NPS server.

2

 

According to this event, GEMALTO NPS extension successfully authenticated my user. This second event prove that this authentication was performed with Username and OTPPassword and not user password.

3

 

This point is very important because the Network Policy role included with Windows Server 2012 does not support the Challenge/response exchange Radius messages. This information if critical when you setup your GEMALTO NPS Extension.

image

 

With this second message, I’m sure that the NPS agent returned a positive result for my authentication request.4

 

At last, this ultimate NPS message prove that the Network Policy Server granted user access. So there is no problem with Network Connections or Network policies. Definitively, my problem is not an OTP problem.

5

 

Back to the client-side

If problem is not located on server side, let’s come back to client side. By default, the OtpCredentialProvider/Operational log is not enabled and is only available is you install the DirectAccess Connectivity Assistant on your Windows 7 computer. This is a PKI problem.

6

 

DirectAccess OTP authentication process is described on TechNet at this location : http://technet.microsoft.com/en-us/library/jj134161.aspx. The DirectAccess computer will use a specially designed certificate to sign a certificate request generated to prove OTP user authentication. In my case, the signing certificate is present in my DirectAccess.

 

Move to the ADCS-side

If we have a certificate request problem, we should have a certificate request denied in the ADVS console. Now we know it’s a ADCS related problem, not a DirectAccess or OTP.

7

 

Let’s have a look at the URAOTPLogin certificate template.

8

 

First thing I noticed about this certificate template is the key length. I was aware that minimum key length requested by Microsoft operating system is now 1024 bits (unless you did not installed associated KB).

image

 

I tried with a 1024 minimum key size, but it did not solved the problem. If key length is not the problem, let see on the signature side.

9

 

After some tests, I enforced cryptographic provider to “Microsoft RSA SChannel Cryptographic Provider” and found it was the root cause of the problem.

10

 

Enabling OTP DirectAccess capability is a simple checkbox in the Remote Access Management Console but rely on precise certificate templates prerequisites and specific OTP configuration.

 

BenoîtS – Simple and Secure by Design but Business compliant

DirectAccess Best Practice and troubleshooting book available

I’m please to discover that my valuable MVP colleague Jordan KRAUSE from IVONetwork published his DirectAccess book in the early days of September (OK I’m a little late). His book aim two goals :

  • Provide best practice for your DirectAccess deployment
  • Provide detailed troubleshooting steps for common DirectAccess problems

cover

 

This book provide valuable information for your DirectAccess deployments. You will escape from common misconfiguration that could lead your DirectAccess project to failure. Planning is the key factor for DirectAccess projects. The two last chapter cover common problem encountered during DirectAccess deployments. This book worth the money. By now with Ben Ari book, you have no excuse to do not deploy DirectAccess in your environment .

Congratulation Jordan.

 

Benoît – Simple and Secure by design but Business compliant

Deploying DirectAccess with least privileges

Since Windows Server 2012, deploying DirectAccess became so simple, too simple (It’s by design now ). We just need domain admin privileges to perform the operation. That’s far away from a least privilege level. From a security guy point of view we should be able to deploy DirectAcecss with the least privileges as possible. fasten your seatbelt and take an aspirin, you’re welcome to that journey.

 

Let’s start easy

Let’s see how to perform a DirectAccess deployment with limited set of privilèges with a DirectAccess infrastructure based on Windows Server 2012. Starting point, this TechNet section :

image

 

According to this documentation, its possible and even documented :

  • GPOs must exists before configuration activation
  • User activating DirectAccess configuration must have “Full GPO permission” on created GPOs
  • GPOs should be linked but it’s not mandatory

 

I provided all theses detailed information to the Active Directory team. I was ready to deploy DirectAccess for my customer. That’s now that problems appears. First problem located in the Remote Access Management Console. I logged onto my URA server with an account having the following privileges :

  • Local administrator level of the URA Server
  • Full control permission on GPO “GPO DA CLIENT”
  • Full control permission on GPO “GPO DA SERVER”

0APPLYDABUG

OK, it’s not a problem, just a warning. Technically speaking, my user account performing the operation have no delegation to create and manage WMI filters in group policies for my Active Directory Domain. Could it be a problem? No, unless you need to use the “Enable DirectAccess for mobile computers only” Option. In my case, I don’t need this privilege.

 

I follow my path into DirectAcecss configuration without problem until activation process :

1APPLYDABUG

 

Technically, the wizard cant create GPOs with default name using my least privilege account. We will use the change link to see that deeper.

2APPLYDABUG

Simple problem and simple solution. The wizard try to create DirectAccess GPOs with default names. Because my account have least privileges, it’s not possible. Let solve this minor problem with the browse button and select our pre-existing GPOs.

3APPLYDABUG

One problem closed, a new one arise. It could be so simple. Here again, it’s just a warning. In my case, the wizard is unable to link my GPOs at the root of the Active Directory because my account does not have required privileges for that. This is only a warning. I will have to ask the Active Directory team to link my GPOs. From a security guy point of view it’s a good thing.

Until now, deploying DirectAccess with a least privilege account seems to be an easy thing. In illustration bellow I can the that the red cross icon was replaced with a simple warning. Let’s apply this configuration and celebrate a new successful DirectAccess deployment.

4APPLYDABUG

 

Ouch. Congratulations will have to wait. We have a major problem here.

5APPLYDABUG

 

Is there a doctor in the place?

Yes I need a doctor for that (now your aspirin should be useful). How is it possible to have a denied access error to a group policy witfor witch we have a “Full control” permission on a GPO. I need a doctor, the doctor with his tool. Doctor, would you lend my your sonic screwdriver?

6APPLYDABUG

 

Let’s start with a small tip from the doctor, with the help of his sonic screwdriver. Let’s grab the Powershell command that generated this error.

7APPLYDABUG

 

And see what it look like in PowerShell mode.

8APPLYDABUG

 

It seems to be a permission problem on the GPO, there is no doubt about it. I asked the Active Directory team to verify permission on the GPO. They confirm the “Full control” permission on the GPO. That’s strange because the wizard did not warn me about that.

 

That’s here begin the twilight zone

It’s the twilight zone because here what we have in the Group Policy Management Console.

9APPLYDABUG

We can see my least privileges account having exactly the same permissions on the Group Policy “GPO DA Server”. If we have the same permission (and there is no deny permission), how could it be possible to have an access denied error. OK, let’s go deeper in the twilight zone and compare detailed permissions with the ”old school method”, before GPMC. Here is the “Domain admin group” detailed permissions :

10APPLYDABUG

 

And the “least privilege account”. OK, we have something strange.

11APPLYDABUG

 

In the GPMC console, both security objects objects have the same level of privileges but if we have a closer look at detailed permissions, it’s not the case. Let sum up :

  • Both security objects have the same permission level in GPMC but It’s not the case in the “Group Policy Editor”
  • “Domain Admin group” does not have “Full control permission” and my least privilege account have it
  • “Domain Admin group” does not have “Apply group policy permission” and my least privilege account have it
  • “Domain Admin group” have “special permissions” and my least privilege account not.

 

It’s interesting. My least privilege account seems to have more permissions than the default domain admin group. Why would I have an access denied error message in such situation? Let’s have a global view of the permissions with the “Advanced button”.

 

Doctor do you have an idea or do you escape?

That was a shock for me but the advanced view confirmed that my least privilege account have more permissions than the default domain admin group.

12APPLYDABUG

Doctor response was easy.

13APPLYDABUG

But let’s be more logic. Full control level is only a combination of permission on specific attributes. Let’s see the combination for the domain admin group.

13APPLYDABUG

So the only missing permissions are  “Full control » and “All extended rights”. Let’s remove theses permissions for my least privilege account.

14APPLYDABUG

Now, both accounts have the same permissions. Let’s check that.

15APPLYDABUG

 

Almost perfect. We just need to remove the “Apply group policy permission”. Now we have exactly the same permissions for both security objects.

16APPLYDABUG

 

We will apply the same fix to the other group policy object. In GPMC, there is no change, even if we fixed some special permissions (if the doctor have an opinion about it, …).

17APPLYDABUG

 

You’re joking?

Does my least privilege account had too much privilege? It’s not possible. Yes, but someday with a little help of bugs, … I removed permissions given to my least security account to solve the problem. And the problem is solved.

18APPLYDABUG

 

At last, we can see that because my least privilege account does not have permission on attribute “GPLINK” at the root of the domain the wizard cant link my GPOs. It’s normal, the Active Directory team did not linked my GPOs at the moment I generated my DirectAccess configuration.

 

Conclusion

This experience lead to multiple conclusions :

  • There might be something wrong with the URA activation process, code review might be necessary at this level
  • Don’t trust the first error message you see. In our case, I did not have exact required permission.
  • Stop watching Doctor who series 

 

Doctor I give you back your sonic screwdriver.

 

BenoîtS – Simple and Secure by Design but Business compliant (And Doctor Who addict)

Ouvrage gratuit sur Azure

Azure est un domaine qui évolue à très grande vitesse. Pour s’en donner une idée, il suffit de consulter le blog de Scott GUTHRIE. Histoire de nous aider à suivre ce domaine, Microsoft propose un ouvrage sur le sujet. Un ouvrage gratuit et très complet puisque des domaines tels que l’authentification multi-facteurs y sont documentés.

azurebook

Si maintenant l’ouvrage est maintenu à jour au fur et à mesure des nouvelles fonctionnalités d’Azure, ce serait parfait.

 

BenoîtS – Simple and Secure by Design

Give me five, MVP Enterprise Security MVP renewed

It’s always a good surprise to receive this mail from Microsoft each year. I’ve been reviewing my post one year ago to look if i reached some of my goals :

 

Only PowerShell is missing from the list. That’s a subject I will try to improve during this year. Cloud scenarios provide some incredible scenarios for that.

 

BenoîtS – Simple and Secure by Design but business compliant