2025-06-17

ADFS certificate renew with Azure, Entra ID and M365

We have an ADFS 4.0 farm without WAP (for security reasons), so it is not directly reachable from the Internet - only communication between on-premises and Azure from selected networks and addresses. Why is this important? Probably because we have had some issues with the renewal process.
According to Renew federation certificates for Microsoft 365 and Microsoft Entra ID, we should enable rollover on the certificates, and after a controlled switch between the primary and secondary certificates the federation between Azure and ADFS should be updated, but:
  • the next signing certificate on Azure was from two periods ago (one period is 2 years, so it was 4 years old; now we have certs from 2025 to 2027, the previous period was 2023 to 2025, but two periods ago it was 2021 to 2023)
  • so the next signing certificate hadn't been updated for 4 years
  • on a daily basis we have AutoCertificateRollover disabled
  • when should it be enabled? Just before the enforced generation of the new certificates? It wasn't
  • so we changed it manually - after replacement of the certificates (flip between secondary and primary) they were exported to base64 and imported in PowerShell (copy-paste from the .cer file to a variable)
  • connection to Entra: Connect-Entra -Scopes 'Domain.ReadWrite.All' (other possible values such as User.ReadWrite.All, Directory.ReadWrite.All or Group.ReadWrite.All are not suitable in our case)
  • and update using Update-MgDomainFederationConfiguration -DomainId 'our.federated.domain.com' (like contoso.com) -InternalDomainFederationId 'our-federation-id' -SigningCertificate $variableWithCert
  • at first we tested with -NextSigningCertificate, later with -SigningCertificate
  • confirmation with Get-MgDomainFederationConfiguration -DomainId 'our.federated.domain.com' -InternalDomainFederationId 'our-federation-id' | Format-List - there we could confirm that the certificates were replaced
  • additional confirmation was Teams on mobile devices - after logout and logon it was obvious that it is working


Pay Attention!!! You must have a BGA account without MFA (if you have MFA enabled) - you will probably have issues connecting to Azure after the certificate replacement. Maybe you should open the connection (PowerShell session) before any steps - just in case.
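The manual update described above, as an added example (not the blog's own script): it compares the ADFS primary token-signing certificate with what Entra ID currently holds for the domain and only pushes the exported certificate if they differ. Domain, federation id and the .cer path are placeholders; Connect-MgGraph is used here in place of the Connect-Entra call from the post.

```powershell
# Added example: sync the ADFS primary token-signing cert to Entra ID after a manual flip.
# Requires the ADFS module (run on a farm node) and Microsoft.Graph.Identity.DirectoryManagement.
param(
    [string]$DomainId     = 'our.federated.domain.com',       # placeholder
    [string]$FederationId = 'our-federation-id',              # placeholder
    [string]$CerPath      = 'C:\certs\adfs-token-signing.cer',# exported .cer, placeholder
    [switch]$Next                                             # write NextSigningCertificate instead
)

Connect-MgGraph -Scopes 'Domain.ReadWrite.All'   # open the session first, with the break-glass account

# Load the exported certificate and build the Base64 string Graph expects (no PEM headers).
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CerPath)
$b64  = [Convert]::ToBase64String($cert.RawData)

# Guard: the file must be the certificate the farm actually uses as primary token-signing.
$adfsPrimary = Get-AdfsCertificate -CertificateType Token-Signing | Where-Object IsPrimary
if ($adfsPrimary.Thumbprint -ne $cert.Thumbprint) {
    throw "Exported file $($cert.Thumbprint) is not the ADFS primary token-signing cert $($adfsPrimary.Thumbprint)"
}

# What Entra ID currently holds for the federated domain.
$fed = Get-MgDomainFederationConfiguration -DomainId $DomainId -InternalDomainFederationId $FederationId
function Get-ThumbprintFromBase64([string]$b64) {
    if ([string]::IsNullOrEmpty($b64)) { return $null }
    $c = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new([Convert]::FromBase64String($b64))
    return $c.Thumbprint
}
$entraSigning = Get-ThumbprintFromBase64 $fed.SigningCertificate
$entraNext    = Get-ThumbprintFromBase64 $fed.NextSigningCertificate
"Entra signing: $entraSigning  next: $entraNext  ADFS primary: $($cert.Thumbprint)"

$params = @{ DomainId = $DomainId; InternalDomainFederationId = $FederationId }
if ($Next) {
    if ($entraNext -eq $cert.Thumbprint) { 'NextSigningCertificate already current'; return }
    $params['NextSigningCertificate'] = $b64
} else {
    if ($entraSigning -eq $cert.Thumbprint) { 'SigningCertificate already current'; return }
    $params['SigningCertificate'] = $b64
}
Update-MgDomainFederationConfiguration @params

# Re-read and confirm the change landed.
$fed = Get-MgDomainFederationConfiguration -DomainId $DomainId -InternalDomainFederationId $FederationId
"After update - signing: $(Get-ThumbprintFromBase64 $fed.SigningCertificate)  next: $(Get-ThumbprintFromBase64 $fed.NextSigningCertificate)"
```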

2025-04-27

huge netbios traffic - after print server removal, next part

After the print server removal (by the guys responsible for print servers), every workstation is trying to find a print server which is unavailable. We still have WINS servers, but the addresses were removed from the WINS and DNS servers. So every 30 seconds each of the 20k workstations tries to resolve the names, first by querying WINS, then by broadcasts. As a result the network traffic from this source is huge. I must try to remove the registry entries for the missing print servers.
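The cleanup mentioned in the last sentence, as an added example (not the blog's own script): it reports, and with -Remove deletes, the current user's printer connections that still point at the decommissioned server, both through the spooler and in the per-user HKCU\Printers\Connections keys. The server name is a placeholder; the assumption is the usual key layout where each connection key carries a 'Server' value of the form \\SERVER.

```powershell
# Added example: drop a user's printer connections to a print server that no longer exists.
# Run in the user's own session (logon script); report only unless -Remove is given.
param(
    [string]$OldServer = 'OLDPRINTSRV',   # placeholder: NetBIOS name of the removed server
    [switch]$Remove
)

$namePattern = "^\\\\$([regex]::Escape($OldServer))\\"   # matches \\OLDPRINTSRV\<share>

# 1) Connections the spooler knows about for this user (network printers have Type = Connection).
$stale = Get-Printer | Where-Object { $_.Type -eq 'Connection' -and $_.Name -match $namePattern }
foreach ($p in $stale) {
    if ($Remove) { Remove-Printer -Name $p.Name; "removed connection $($p.Name)" }
    else         { "would remove connection $($p.Name)" }
}

# 2) Per-user connection keys: HKCU\Printers\Connections\,,SERVER,SHARE (assumed layout: 'Server' = \\SERVER).
$connKey = 'HKCU:\Printers\Connections'
if (Test-Path $connKey) {
    Get-ChildItem $connKey | ForEach-Object {
        $srv = (Get-ItemProperty $_.PSPath).Server
        $byName = $_.PSChildName -like ",,$OldServer,*"
        if ($byName -or ($srv -and $srv -ieq "\\$OldServer")) {
            if ($Remove) { Remove-Item $_.PSPath -Recurse; "removed key $($_.PSChildName)" }
            else         { "would remove key $($_.PSChildName)" }
        }
    }
}
```

Deployed as a logon script, the report-only run first shows how many of the 20k workstations still hold such connections before anything is removed.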

2025-04-25

IBM MQ amq4036 access not permitted

A fresh, new installation, MQ 9.x (I'm not an MQ guy), Windows Active Directory but MQ not integrated with Active Directory - only local accounts. Windows 2019 as the operating system. All users in the following statements are local admins - all of them. Some of them get the amq4036 access error, but the rest can open MQ Explorer and view the status of the Queue Manager. User-A has access, had access before on the old version of the server and still has access on the new (current) server. User-B0 (me) didn't have access to the old server and has access to the new server (queue manager); User-B1 (also me) the same - access to the new queue manager (I can see the status); User-B2 (also me, again) - still has access.

User-E0 - admin of the old queue manager - doesn't have access, with error amq4036; User-E1 (the same guy, but a different account, also a local administrator of the Windows machine) doesn't have access to the new queue manager either.

I've compared attributes on the accounts, groups, number of groups and parameters, and I have no clue what the source of this problem is.
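One more comparison worth making, as an added example (not from the post): instead of Windows account attributes, dump what the queue manager itself authorises for each account, plus mqm group membership and the CONNAUTH/CHLAUTH state. 'QM1' and the account list are placeholders; dspmqaut, dmpmqaut and runmqsc are the standard MQ command-line tools and must be on PATH.

```powershell
# Added example: compare MQ-side authority for working and failing (AMQ4036) accounts.
param(
    [string]$QMgr = 'QM1',                                          # placeholder queue manager name
    [string[]]$Accounts = @('User-A', 'User-B0', 'User-E0', 'User-E1')  # placeholders
)

# Local mqm group: members are MQ administrators regardless of Windows Administrators membership.
'--- local group mqm ---'
Get-LocalGroupMember -Group 'mqm' -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Name

# Effective authority on the queue manager object per principal.
# MQ Explorer needs at least connect, inq and dsp here to show the queue manager status.
foreach ($acct in $Accounts) {
    "--- dspmqaut $acct ---"
    & dspmqaut -m $QMgr -t qmgr -p $acct 2>&1
}

# All explicit authority records on the queue manager object: shows which groups grant access.
'--- dmpmqaut qmgr ---'
& dmpmqaut -m $QMgr -t qmgr 2>&1

# Connection authentication and channel authentication rules
# (the default CHLAUTH rules block *MQADMIN on SVRCONN channels).
'--- runmqsc ---'
"DISPLAY QMGR CONNAUTH CHLAUTH`nDISPLAY CHLAUTH(*) ALL`nEND" | & runmqsc $QMgr
```

If dspmqaut output differs between a working and a failing account, the difference is in MQ authority records, not in the Windows accounts.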

2025-04-22

ADFS loop detection

Loop detection cookie on Technet

monitor ADFS logons

From Technet:
- events on ADFS: 1200,1201,1203,1206,1210
- events on WAP: 224, 245, 396, 12025, 13015, 13046, 14027, 14032

- events on ADFS - Security - 299, 401, 403, 404, 410, 412, 431, 500, 501, 502, 503, 510, 1200

event Security:299, AD FS Auditing, Classic - Audit Success, Information - token is issued; correlates with other events via Instance ID; relying party identifier

event Security:401, AD FS Auditing, Classic - Audit Success, Information - request context headers, Activity ID

event Security:403, AD FS Auditing, Classic - Audit Success, Information - HTTP request was received, Instance ID, Activity ID, client IP, caller identity, details, request header in ID 510

event Security:404, AD FS Auditing, Classic - Audit Success, Information - HTTP response was dispatched, Instance ID, Activity ID, headers in ID 510

event Security:410, AD FS Auditing, Classic - Audit Success, Information - request context headers, Activity ID

event Security:412, AD FS Auditing, Classic - Audit Success, Information - token for relying party was successfully authenticated; Instance ID in event 501 - caller identity, Activity ID, Instance ID

event Security:431, AD FS Auditing, Classic - Audit Success, Information - active request was received, key type, request type, Activity ID

event Security:500, AD FS Auditing, Classic - Audit Success, Information - issued claims; correlates with other events via Instance ID

event Security:501, AD FS Auditing, Classic - Audit Success, Information - issued claims; groups (if issued as claim); correlates with other events via Instance ID; caller identity

event Security:502, AD FS Auditing, Classic - Audit Success, Information - issued claims; groups (if issued as claim); correlates with other events via Instance ID; OnBehalfOf identity

event Security:503, AD FS Auditing, Classic - Audit Success, Information - issued claims; groups (if issued as claim); correlates with other events via Instance ID; ActAs identity

event Security:510, AD FS Auditing, Classic - Audit Success, Information - header for request from event ID 403, Instance ID

event Security:1200, AD FS Auditing, Classic - Audit Success, Information - valid token issued; correlates with other events via Instance ID

event Security:1206, AD FS Auditing, Classic - Audit Success, Information - sign-out request; Activity ID
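The correlation the list keeps pointing at, as an added example (not from the post): read the AD FS Auditing events above from the Security log and stitch them together by Instance ID, so one row shows the request (403), the caller (412), the relying party (299) and the issued claim types (500/501). It assumes auditing is enabled on the farm and that the field labels ('Instance ID:', 'Client IP:', 'Caller identity:', 'Relying party:') appear in the event message text as they do in current AD FS audit events; adjust the regexes to your farm's messages.

```powershell
# Added example: correlate AD FS Auditing events per request via Instance ID.
param([int]$Hours = 1, [string]$Computer = $env:COMPUTERNAME)

$ids = 299, 401, 403, 404, 410, 412, 431, 500, 501, 502, 503, 510, 1200, 1206
$filter = @{
    LogName      = 'Security'
    ProviderName = 'AD FS Auditing'
    Id           = $ids
    StartTime    = (Get-Date).AddHours(-$Hours)
}
$events = Get-WinEvent -ComputerName $Computer -FilterHashtable $filter -ErrorAction Stop

function Get-Field([string]$text, [string]$label) {   # pull a GUID that follows "<label>:"
    if ($text -match "$label\s*:\s*([0-9a-fA-F-]{36})") { $Matches[1] } else { $null }
}

$byInstance = @{}
foreach ($e in $events) {
    $inst = Get-Field $e.Message 'Instance ID'
    if (-not $inst) { continue }                       # events without an Instance ID cannot be correlated
    if (-not $byInstance.ContainsKey($inst)) {
        $byInstance[$inst] = [ordered]@{ InstanceId = $inst; First = $e.TimeCreated; Events = @(); ClientIp = $null; Caller = $null; RelyingParty = $null; Claims = @() }
    }
    $r = $byInstance[$inst]
    $r.Events += $e.Id
    if ($e.TimeCreated -lt $r.First) { $r.First = $e.TimeCreated }
    switch ($e.Id) {
        403  { if ($e.Message -match 'Client IP:\s*(\S+)') { $r.ClientIp = $Matches[1] } }
        412  { if ($e.Message -match 'Caller identity:\s*(\S+)') { $r.Caller = $Matches[1] } }
        299  { if ($e.Message -match 'Relying party:\s*(\S+)') { $r.RelyingParty = $Matches[1] } }
        { $_ -in 500, 501 } { $r.Claims += [regex]::Matches($e.Message, 'http\S+/claims/\S+') | ForEach-Object Value }
    }
}

$byInstance.Values | Sort-Object First | ForEach-Object {
    [pscustomobject]@{
        Time         = $_.First
        InstanceId   = $_.InstanceId
        ClientIp     = $_.ClientIp
        Caller       = $_.Caller
        RelyingParty = $_.RelyingParty
        Events       = ($_.Events | Sort-Object -Unique) -join ','
        Claims       = ($_.Claims | Sort-Object -Unique) -join ' '
    }
} | Format-Table -AutoSize
```

A row with 403 and 412 but no 299/1200 is a request that never ended in a token, which is the first thing to look at when chasing a loop.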

ADFS how to remove claim from output?

Should I focus on the question "how to remove a claim"? But this is a false question - I'm the administrator, so it strictly depends on me what will be issued... So why would I want to remove a claim if I can just not issue it? Sorry, stupid question... But why am I looking for this statement/command in ADFS at all? I'm trying to log ADFS activity and I have an idea to store some activity data in a SQL database - querying for some claim, but this claim can just be included in the input stream without issuing it.

Can it be a bottleneck? Yes, of course, but I'm looking for a way to better monitor activity on many apps - we have over 200 (two hundred) apps; some of them are dev or test flavors, so they are not heavily used, but for production apps the workload is huge. So this is only thinking.
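What "included in the input stream without issuing it" looks like in claim rule language, as an added example (not the blog's own rules): the first rule uses add, which puts the claim into the pipeline for later rules only, and nothing ever issues it to the relying party. 'AuditStore' is an assumed SQL attribute store registered with Add-AdfsAttributeStore; the relying party name, claim types, table and column are placeholders.

```powershell
# Added example: add (pipeline-only) versus issue (sent to the RP) in ADFS issuance transform rules.
param([string]$RpName = 'Contoso Portal')   # placeholder relying party trust display name

$rules = @'
@RuleName = "Look up an audit tag for the caller (internal claim, never issued)"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname"]
 => add(store = "AuditStore",
        types = ("http://contoso.example/internal/audit-tag"),
        query = "SELECT audit_tag FROM dbo.AccessLog WHERE account = {0}",
        param = c.Value);

@RuleName = "Issue UPN only; the internal claim above stays in the pipeline"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(claim = c);

@RuleName = "Issue a marker only when the internal claim says so"
c1:[Type == "http://contoso.example/internal/audit-tag", Value == "monitored"]
 => issue(Type = "http://contoso.example/claims/monitored", Value = "true");
'@

# Keep a copy of what is in place today before replacing it.
$before = (Get-AdfsRelyingPartyTrust -Name $RpName).IssuanceTransformRules
$before | Out-File ".\$($RpName -replace '\W','_')-rules-before.txt"

Set-AdfsRelyingPartyTrust -TargetName $RpName -IssuanceTransformRules $rules

# Quick check: the internal claim type must not appear inside any issue(...) statement.
$stored = (Get-AdfsRelyingPartyTrust -Name $RpName).IssuanceTransformRules
if ($stored -match 'issue\([^)]*internal/audit-tag') { throw 'internal claim is being issued' }
'rules updated; the audit-tag claim is available to later rules but not sent to the RP'
```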

2025-04-11

upn change for M365 migration concerns

In an infrastructure with Palo Alto, Active Directory and VPN on Cisco AnyConnect, after the UPN change we have a problem with access to the infrastructure. As far as I remember, in our environment Palo Alto and AnyConnect have a problem with recognition of the proper source domain (we have a few domains), so after the change of UPN to a new value (equal to the email address) the workstation moves to a different access policy for unknown users - it has access to selected infrastructure servers, but at user level there is no access to any components (for example RDP connections).

2025-04-05

change upn for M365 migration

A company with nearly 25k identities (above 30k accounts - many persons or identities have a few accounts). Now in the process of the big jump to the cloud - Exchange Online and SharePoint Online.
And Houston, we have a problem.
On-premises users use sAMAccountNames (in 3 domains); as you may remember, users can have more than one account, so only one account should be synchronized to Azure. So we had to use emails as UPN (in ADFS) and during synchronization (the email is synced as UPN to Azure by AADC/Entra Connect). To complicate the whole picture, users can be switched between their accounts and between domains and... last but not least, account names (sAMAccountNames) can be changed (an old app requirement). So, if emails are unique, we could plan to use emails as UPN (one of the possible scenarios described in Technet/Microsoft). Only one account per user is synchronized (filtering), and it almost worked with Teams, but now we are making the big leap to the cloud.
What's wrong? After the first steps toward hybrid we have a problem with employees who have access to more than one mailbox. Even without migrated mailboxes, they start receiving logon requests (form-based login in Outlook) expecting a valid email address. But, as you may remember, we have a separate UPN on-premises (one of three possible, because we have three domains), which is different from the email address and from the UPN in Azure, because the UPN in Azure is our email, while the user is presented with the on-premises UPN, which is different from the email.
For the whole picture you should know that we had blocked some traffic to the outlook.com and outlook.net domains, but we should enable it for SharePoint Online to work properly. We also had to set - enforce - a registry setting to avoid using the M365 autodiscover... I think this is the whole picture...
So we can synchronize UPN with emails, but:
  • at first look we can recognize a few apps with invalid access due to the UPN change
  • if a user provides a valid email, Outlook will work properly
  • we don't know what will be affected by this change - we have 300-400 apps, so the impact is unknown
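The precondition stated above ("if emails are unique") and the size of the change can be checked before touching any UPN; this is an added example (not the blog's own script). Domain names are placeholders, and the sync scope is approximated by enabled accounts with a mail attribute, to be replaced by your Entra Connect scoping filter.

```powershell
# Added example: verify mail uniqueness across the domains and list accounts whose UPN differs from mail.
param([string[]]$Domains = @('domA.example', 'domB.example', 'domC.example'))   # placeholders

$users = foreach ($d in $Domains) {
    Get-ADUser -Server $d -Filter 'Enabled -eq $true -and mail -like "*"' `
               -Properties mail, userPrincipalName, sAMAccountName |
        Select-Object @{n='Domain';e={$d}}, sAMAccountName, userPrincipalName, mail
}

# 1) Mail must be unique across all domains, otherwise it cannot become a UPN.
$dupes = $users | Group-Object { $_.mail.ToLower() } | Where-Object Count -gt 1
"$($dupes.Count) e-mail addresses are used by more than one account"
$dupes | ForEach-Object { $_.Group } | Sort-Object mail | Format-Table Domain, sAMAccountName, userPrincipalName, mail -AutoSize

# 2) Accounts that would actually change: UPN differs from mail (case-insensitive compare).
$toChange = $users | Where-Object { $_.userPrincipalName -ine $_.mail }
"$($toChange.Count) of $($users.Count) accounts have UPN <> mail"

# 3) Every mail domain must be a valid UPN suffix in the forest, or Set-ADUser refuses the new UPN.
$forest   = Get-ADForest
$suffixes = (@($forest.UPNSuffixes) + @($forest.Domains)) | ForEach-Object ToLower
$missing  = $toChange | ForEach-Object { ($_.mail -split '@')[1].ToLower() } | Sort-Object -Unique |
            Where-Object { $_ -notin $suffixes }
if ($missing) { "UPN suffixes still to add in AD Domains and Trusts: $($missing -join ', ')" }

# Export the plan for review; the actual change is Set-ADUser -UserPrincipalName <mail> per account, later.
$toChange | Export-Csv -NoTypeInformation -Path '.\upn-to-mail-plan.csv'
```

The duplicate list is the real blocker: any address that appears twice has to be sorted out before that identity's UPN can follow its mail.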

2025-03-03

SQL MA schema refresh error

SQL MA failed to retrieve the schema with error 0x80231100. For me the solution was simple - add the port to the SQL server name (replacement of the old server and tests with a new server). So from someSQL.some.domain to someSQL.some.domain,4773 - that is enough to refresh the schema.

2025-03-01

dns record timestamp in Active Directory partition

How to force AD to replicate timestamps? I can't use scavenging - too many different objects - huge risk of data loss, and I can't force every device to re-register.
The idea to enable scavenging on the zone is useless - as long as I don't run it at server level, this setting does nothing.
The only way is to remove stale records tracked by timestamp, distributed across thirty domain controllers (in four domains). We can recognize records from workstations (laptops, PCs and virtual desktops) by IP addresses, but how can it be automated?
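One way to automate exactly that selection, as an added example (not the blog's own script): dynamic A records whose timestamp on the queried DC is older than a cut-off and whose address falls in a workstation range are listed, and removed only when -Remove is given. Zone, DNS server and address prefixes are placeholders. Note that the timestamp you see is the one held by the DC you query; with thirty DCs it is worth running the report against more than one before deleting.

```powershell
# Added example: report (and optionally remove) stale dynamic A records in workstation ranges.
param(
    [string]$Zone = 'corp.example',                                   # placeholder
    [string]$DnsServer = 'dc01.corp.example',                         # placeholder
    [int]$OlderThanDays = 60,
    [string[]]$WorkstationPrefixes = @('10.20.', '10.21.', '10.30.'), # placeholder ranges
    [switch]$Remove
)

$cutoff = (Get-Date).AddDays(-$OlderThanDays)

$stale = Get-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $Zone -RRType A |
    Where-Object {
        $_.Timestamp -ne $null -and                       # static records have no timestamp: never touch them
        $_.Timestamp -lt $cutoff -and
        ($ip = $_.RecordData.IPv4Address.IPAddressToString) -and
        ($WorkstationPrefixes | Where-Object { $ip.StartsWith($_) })
    }

"$($stale.Count) dynamic A records in $Zone older than $cutoff within workstation ranges (as seen on $DnsServer)"
$stale | Select-Object HostName, Timestamp, @{n='IP';e={$_.RecordData.IPv4Address}} |
    Sort-Object Timestamp | Format-Table -AutoSize

if ($Remove) {
    # Keep an export of what is removed, then delete without per-record prompts.
    $stale | Select-Object HostName, Timestamp, @{n='IP';e={$_.RecordData.IPv4Address}} |
        Export-Csv -NoTypeInformation -Path ".\removed-$Zone-$(Get-Date -Format yyyyMMdd).csv"
    foreach ($rr in $stale) {
        Remove-DnsServerResourceRecord -ComputerName $DnsServer -ZoneName $Zone -InputObject $rr -Force
    }
}
```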