2025-06-17

ADFS certificate renew with Azure, Entra ID and M365

We have an ADFS 4.0 farm without WAP (security reasons), so we don't have strict accessibility from the Internet - only communication between on-premises and Azure from selected networks and addresses. Why is it important? Probably we've had some issue with the renewal process.
According to "Renew federation certificates for Microsoft 365 and Microsoft Entra ID" we should enable rollover on certificates, and after a controlled switch between primary and secondary certificates our federation between Azure and ADFS should be updated, but:
  • the next signing certificate on Azure was from two periods ago (one period is 2 years, so it was 4 years old; now we have certs from 2025 to 2027, the previous period it was 2023 to 2025, but two periods ago it was 2021 to 2023)
  • so the next signing certificate wasn't updated for 4 years
  • on a daily basis we have AutoCertificateRollover disabled
  • when should it be enabled? Just before the enforced generation of the new certificates? It wasn't
  • so we changed it manually - after replacement of the certificates (flip between secondary and primary) they were exported to base64 and imported in PowerShell (copy-paste from the .cer file to a variable)
  • connection to Entra - Connect-Entra -Scopes 'Domain.ReadWrite.All' (other possible values are User.ReadWrite.All, Directory.ReadWrite.All, Group.ReadWrite.All - not suitable in our case)
  • and update using Update-MgDomainFederationConfiguration -DomainId 'our.federated.domain.com' (like contoso.com) -InternalDomainFederationId 'our-federation-id' -SigningCertificate $variableWithCert
  • at first we tested on -NextSigningCertificate, later on -SigningCertificate
  • confirmation with Get-MgDomainFederationConfiguration -DomainId 'our.federated.domain.com' -InternalDomainFederationId 'our-federation-id' | Format-List - there we could confirm that the certificates were replaced
  • additional confirmation was on Teams on mobile devices - after logout and logon it was obvious that it is working
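The whole sequence from the list above in one script, as an added example that is not part of the original post: it connects first, reads the token-signing certificates from the ADFS farm, converts them to the base64 form Entra expects, compares thumbprints with what Entra currently holds, updates only on mismatch, and re-reads the configuration to confirm. The domain and federation id are placeholders, and the helper function names are mine; the cmdlets (Get-AdfsCertificate, Connect-Entra, Get-/Update-MgDomainFederationConfiguration) are the real ones from the ADFS, Microsoft.Entra and Microsoft.Graph modules.

```powershell
# Added example, not from the original post. Run on an ADFS farm node with the
# ADFS module and the Microsoft.Entra / Microsoft.Graph modules installed.
$DomainId     = 'our.federated.domain.com'   # placeholder: the federated domain
$FederationId = 'our-federation-id'          # placeholder: InternalDomainFederationId

# 1. Open the cloud session before touching anything on the ADFS side.
Connect-Entra -Scopes 'Domain.ReadWrite.All'

# 2. Read the ADFS token-signing certificates. After the manual flip the
#    primary one is what Entra must hold as SigningCertificate; the secondary
#    (if any) is the NextSigningCertificate.
$signing   = Get-AdfsCertificate -CertificateType Token-Signing
$primary   = $signing | Where-Object IsPrimary
$secondary = $signing | Where-Object { -not $_.IsPrimary }

# Entra takes the DER certificate as a base64 string (the body of a base64
# .cer file without the BEGIN/END lines).
function ConvertTo-Base64Cert([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert) {
    [Convert]::ToBase64String($Cert.GetRawCertData())
}

# Decode a base64 string back to a certificate so thumbprints can be compared.
function Get-ThumbprintFromBase64([string]$Base64) {
    if (-not $Base64) { return $null }
    $bytes = [Convert]::FromBase64String($Base64)
    ([System.Security.Cryptography.X509Certificates.X509Certificate2]::new($bytes)).Thumbprint
}

$primaryB64   = ConvertTo-Base64Cert $primary.Certificate
$secondaryB64 = if ($secondary) { ConvertTo-Base64Cert $secondary.Certificate } else { $null }

# 3. Show what Entra currently holds next to what ADFS actually signs with.
$before = Get-MgDomainFederationConfiguration -DomainId $DomainId -InternalDomainFederationId $FederationId
"Entra signing      : $(Get-ThumbprintFromBase64 $before.SigningCertificate)"
"Entra next signing : $(Get-ThumbprintFromBase64 $before.NextSigningCertificate)"
"ADFS primary       : $($primary.Thumbprint)"
if ($secondary) { "ADFS secondary     : $($secondary.Thumbprint)" }

# 4. Update only when the signing certificate really differs.
if ((Get-ThumbprintFromBase64 $before.SigningCertificate) -ne $primary.Thumbprint) {
    $params = @{
        DomainId                   = $DomainId
        InternalDomainFederationId = $FederationId
        SigningCertificate         = $primaryB64
    }
    if ($secondaryB64) { $params['NextSigningCertificate'] = $secondaryB64 }
    Update-MgDomainFederationConfiguration @params
}

# 5. Confirm by re-reading, the same check the post does with Format-List.
$after = Get-MgDomainFederationConfiguration -DomainId $DomainId -InternalDomainFederationId $FederationId
if ((Get-ThumbprintFromBase64 $after.SigningCertificate) -eq $primary.Thumbprint) {
    'OK: Entra signing certificate matches the ADFS primary token-signing certificate'
} else {
    'MISMATCH: Entra still holds a different signing certificate'
}
```

Comparing thumbprints instead of eyeballing base64 blobs is the point of the two helpers: the same check run before the change tells you whether Entra is already stale (the "two periods ago" situation), and run after the change it proves the update landed.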


Pay Attention!!! You must have a BGA account without MFA (if you have MFA enabled) - probably you will have issues connecting to Azure after certificate replacement. Maybe you should open the connection (PowerShell session) before any steps - just in case.

2025-04-27

huge netbios traffic - after print server removal, next part

After print server removal (by the guys responsible for print servers), every workstation is trying to find a print server which is unavailable. We still have WINS servers, but the addresses are removed from the WINS and DNS servers. So every 30 seconds each of 20k workstations is trying to find the names, at first by querying WINS, later by broadcasts. Finally, network traffic from this source is huge. I must try to remove the registry entries for the missing print servers.
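One way to find and drop the per-user printer connections that still point at a decommissioned server, as an added example that is not part of the original post. It uses Get-Printer / Remove-Printer from the PrintManagement module rather than editing the registry directly; the server names are placeholders and the function name is mine. Printer connections live in the user's profile, so this has to run in each user's session (for example from a logon script), not once per machine.

```powershell
# Added example, not from the original post. Assumes the PrintManagement module
# (Windows 8 / Server 2012 and later) and a placeholder list of removed servers.
$removedServers = @('OLDPRINT01', 'OLDPRINT02')   # placeholders: decommissioned print servers

function Get-StalePrinterConnections([string[]]$Servers) {
    # Printer connections (as opposed to local printers) have Type 'Connection'
    # and carry the hosting server as '\\server' or '\\server.fqdn' in ComputerName.
    Get-Printer | Where-Object {
        if ($_.Type -ne 'Connection') { return $false }
        $host = ($_.ComputerName -replace '^\\\\', '').Split('.')[0]
        $Servers -contains $host
    }
}

$stale = Get-StalePrinterConnections -Servers $removedServers

if (-not $stale) {
    'No printer connections reference the removed servers in this session.'
} else {
    # Show what would go, then dry-run the removal; drop -WhatIf for the real thing.
    $stale | Select-Object Name, ComputerName, Type | Format-Table -AutoSize
    $stale | Remove-Printer -WhatIf
    # $stale | Remove-Printer
}
```

Keep the -WhatIf run in place until the list looks right: the filter is on the short host name only, so a server that was renamed rather than removed would be matched as well.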

2025-04-25

IBM MQ amq4036 access not permitted

A fresh, new installation, MQ 9.x (I'm not an MQ guy), Windows Active Directory but MQ not integrated with Active Directory - only local accounts. Windows 2019 as the operating system. All users in the next statements are local admins - all of them. Some of them have the amq4036 access error, but the rest of them can open MQ Explorer and view the status of the Queue Manager. User-A has access and has had access before on the old version of the server, and still has access on the new server (current). User-B0 (me) hadn't got access to the old server and has got access to the new server (queue manager); User-B1 (also me) the same - access to the new queue manager (I can see the status); User-B2 (also me, again) - still has access.

User-E0 - admin of the old queue manager - hasn't got access, with error amq4036; User-E1 (the same guy, but a different account, also a local administrator of the Windows machine) hasn't got access to the new queue manager either.

I've compared attributes on accounts, groups, number of groups, parameters, and I've got no clue what the source of this problem is.

2025-04-22

ADFS loop detection

Loop detection cookie on Technet

monitor ADFS logons

From Technet:
- events on ADFS: 1200,1201,1203,1206,1210
- events on WAP: 224, 245, 396, 12025, 13015, 13046, 14027, 14032

- events on ADFS - Security - 299, 401, 403, 404, 410, 412, 431, 500, 501, 502, 503, 510, 1200

event Security:299, AD FS Auditing, Classic - Audit Success, Information - token is issued; correlates with other events on Instance ID; relying party identifier

event Security:401, AD FS Auditing, Classic - Audit Success, Information - request context headers, Activity ID

event Security:403, AD FS Auditing, Classic - Audit Success, Information - HTTP request was received, Instance ID, Activity ID, client IP, caller identity, details, request header in ID 510

event Security:404, AD FS Auditing, Classic - Audit Success, Information - HTTP response was dispatched, Instance ID, Activity ID, headers in ID 510

event Security:410, AD FS Auditing, Classic - Audit Success, Information - request context headers, Activity ID

event Security:412, AD FS Auditing, Classic - Audit Success, Information - token for relying party was successfully authenticated; Instance ID in event 501 - caller identity, Activity ID, Instance ID

event Security:431, AD FS Auditing, Classic - Audit Success, Information - active request was received, key type, request type, Activity ID

event Security:500, AD FS Auditing, Classic - Audit Success, Information - issued claims; correlates with other events on Instance ID

event Security:501, AD FS Auditing, Classic - Audit Success, Information - issued claims; groups (if issued as a claim); correlates with other events on Instance ID; caller identity

event Security:502, AD FS Auditing, Classic - Audit Success, Information - issued claims; groups (if issued as a claim); correlates with other events on Instance ID; OnBehalfOf identity

event Security:503, AD FS Auditing, Classic - Audit Success, Information - issued claims; groups (if issued as a claim); correlates with other events on Instance ID; ActAs identity

event Security:510, AD FS Auditing, Classic - Audit Success, Information - header for request from event ID 403, Instance ID

event Security:1200, AD FS Auditing, Classic - Audit Success, Information - valid token issued; correlates with other events on Instance ID

event Security:1206, AD FS Auditing, Classic - Audit Success, Information - sign out request Activity ID
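The event list above is only useful once the pieces of one logon are stitched back together on the Instance ID. The script below, an added example and not part of the original post, pulls the listed Security-log IDs from the "AD FS Auditing" provider, extracts the Instance ID and Activity ID from each message body and groups the events per instance, then flags instances that never reached 299/1200 (a request that did not end in a token). It assumes ADFS auditing is enabled and that the message text carries "Instance ID:" and "Activity ID:" labels, which is how these classic audit events render; the function names and the regex are mine.

```powershell
# Added example, not from the original post. Needs ADFS auditing enabled
# (Set-AdfsProperties -AuditLevel Verbose plus the "Application Generated"
# audit subcategory) and local admin rights to read the Security log.
$auditIds = 299, 401, 403, 404, 410, 412, 431, 500, 501, 502, 503, 510, 1200

function Get-AdfsAuditEvents([datetime]$Since = (Get-Date).AddHours(-1)) {
    Get-WinEvent -FilterHashtable @{
        LogName      = 'Security'
        ProviderName = 'AD FS Auditing'
        Id           = $auditIds
        StartTime    = $Since
    } -ErrorAction SilentlyContinue
}

function Get-GuidAfterLabel([string]$Text, [string]$Label) {
    # Assumption: the message body contains e.g. "Instance ID: <guid>".
    $m = [regex]::Match($Text, "$Label\s*:?\s*([0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12})")
    if ($m.Success) { $m.Groups[1].Value } else { $null }
}

function Group-AdfsEventsByInstance([datetime]$Since = (Get-Date).AddHours(-1)) {
    Get-AdfsAuditEvents -Since $Since |
        ForEach-Object {
            [pscustomobject]@{
                Time       = $_.TimeCreated
                Id         = $_.Id
                InstanceId = Get-GuidAfterLabel $_.Message 'Instance ID'
                ActivityId = Get-GuidAfterLabel $_.Message 'Activity ID'
                Summary    = ($_.Message -split "`n")[0].Trim()
            }
        } |
        Where-Object InstanceId |
        Group-Object InstanceId
}

$byInstance = Group-AdfsEventsByInstance

# One line per instance: the chain of event IDs in time order.
$byInstance | ForEach-Object {
    $chain = ($_.Group | Sort-Object Time | Select-Object -ExpandProperty Id) -join ' -> '
    '{0}  {1}' -f $_.Name, $chain
}

# Instances that saw a request (403) but never an issued token (299 or 1200)
# are the ones worth opening first when hunting a loop or a failing app.
$byInstance |
    Where-Object { ($_.Group.Id -contains 403) -and -not (($_.Group.Id -contains 299) -or ($_.Group.Id -contains 1200)) } |
    Select-Object @{n='InstanceId';e={$_.Name}}, Count |
    Format-Table -AutoSize
```

Each instance in this output is one pass through the federation service; the Activity ID ties several instances of the same browser session together, so group on ActivityId instead when looking at a redirect loop.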

ADFS how to remove claim from output?

Should I focus on the question "how to remove a claim"? But this is a false question - I'm the administrator, so it strictly depends on me what will be issued... So why do I want to remove a claim if I can just not issue this claim? Sorry, stupid question... But why am I just looking for this statement/command with ADFS? I'm trying to log ADFS activity and I have an idea to store some activity data in an SQL database - querying for some claim, but this claim can be just included in the input stream without issuing it.

Can it be a bottleneck? Yes, of course, but I'm looking for how to better monitor activity on many apps - we have above 200 (two hundred) apps - some of them are in dev or test flavor so they are not heavily used; for production apps the workload is huge. So this is only thinking.
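The claim-rule-language distinction behind "included in the input stream without issuing it", as an added example that is not part of the original post: an add(...) rule puts a claim into the pipeline where later rules (and the audit events) can see it, while only issue(...) rules send claims to the application. The relying party name and the custom claim types are placeholders; the cmdlets and the rule syntax are standard ADFS.

```powershell
# Added example, not from the original post. Run on an ADFS node with the
# ADFS module; 'Contoso App' and the http://contoso.example/... claim types
# are placeholders.
$rpName = 'Contoso App'

$rules = @'
@RuleName = "Pull department into the pipeline only (add, not issue)"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => add(store = "Active Directory", types = ("http://contoso.example/internal/department"), query = ";department;{0}", param = c.Value);

@RuleName = "Issue UPN to the application"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"), query = ";userPrincipalName;{0}", param = c.Value);

@RuleName = "Issue a flag derived from the pipeline-only claim"
c:[Type == "http://contoso.example/internal/department", Value == "Finance"]
 => issue(Type = "http://contoso.example/claims/finance", Value = "true");
'@

# Replace the transform rules on the relying party trust and read them back.
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceTransformRules $rules
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules
```

The department value never leaves the federation service: the application receives only the UPN and, for Finance users, the boolean flag. That is the pattern for data you want available to rules and logging but not in the token itself, and it answers the "how to remove a claim" question without any removal at all.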

2025-04-11

upn change for M365 migration concerns

In an infrastructure with Palo Alto, Active Directory and VPN on Cisco AnyConnect, after a UPN change we have a problem with access to the infrastructure. As far as I can remember - in our environment - Palo Alto and AnyConnect have a problem with recognition of the proper source domain (we have a few domains), so after a change of UPN to a new value (equal to the email address) the workstation moves to a different access policy for unknown users - it has access to selected infrastructure servers, but on the user level there is no access to any components (for example RDP connections).