Checking account status when using Smart Card against UAG

If you enable Smart Card authentication in UAG you might run into a problem where UAG allows users access even though the Active Directory account is disabled. In this post I will show you how I solved that problem at a customer.

If you follow the TechNet guide to Configuring SSL client certificate authentication you will find that UAG allows access to a user even if the account is disabled or locked in Active Directory. As long as the certificate is valid and maps to a user in AD, access is granted. For a customer of mine this was not the wanted behaviour, and they did not want to revoke the certificates either, since the certificates (Smart Cards) were distributed to vendors and other non-employees. They wanted to be able to disable the AD account and thereby deny access to the UAG portal.

The Solution

In the guide (step 7) you make a copy of the repository_for_cert.inc template and rename it to Authentication_Server_Name.inc. The first function in that file is CheckCredentials, which looks like this:

function CheckCredentials(user_name,password)
    if user_name = "" then
        CheckCredentials = false
        SendFailToAuthenticateMsg "Did not get user name"
    else
        CheckCredentials = true
    end if
end function

What I did was add a call to a new function, so CheckCredentials ended up looking something like this:

function CheckCredentials(user_name,password)
    if user_name = "" then
        CheckCredentials = false
        SendFailToAuthenticateMsg "Did not get user name"
    else
        'Deny access when the mapped AD account is disabled
        Accountlock = CheckAccountlock(user_name)
        if Accountlock = true then
            CheckCredentials = false
            SendFailToAuthenticateMsg "Account disabled in AD"
        else
            CheckCredentials = true
        end if
    end if
end function

The message passed to SendFailToAuthenticateMsg (“Account disabled in AD”) shows up in the UAG logs and tells you why the authentication failed.

The new function CheckAccountlock gave me a problem: UAG does not run this code under an account with access to AD. So I ended up creating a read-only service account that my function uses to look up the user account in AD. The final function looked something like this:

function CheckAccountlock(user_name)
    'Returns true when access should be denied.
    'Only the ADS_UF_ACCOUNTDISABLE bit of userAccountControl is tested;
    'account lockout is not reflected in this flag.
    Const ADS_UF_ACCOUNTDISABLE = &H0002
    Dim connAD, rsADUserInfo, uac
    Dim strBase, strFilter, strAttributes, strScope, strFullCommand
    'create connection using the read-only service account
    set connAD = CreateObject("ADODB.Connection")
    connAD.Provider = "ADsDSOObject"
    connAD.Properties("User ID") = "AD\UAG_ReadAD"
    connAD.Properties("Password") = "SomePassword"
    connAD.Properties("Encrypt Password") = true
    connAD.Open
    'Search user (ADO LDAP dialect: base;filter;attributes;scope)
    strBase = "<LDAP://DC=ad,DC=company,DC=com>"
    strFilter = "(sAMAccountName=" & user_name & ")"
    strAttributes = "sAMAccountName,userAccountControl"
    strScope = "subtree"
    strFullCommand = strBase & ";" & strFilter & ";" & strAttributes & ";" & strScope
    set rsADUserInfo = connAD.Execute(strFullCommand)
    if rsADUserInfo.EOF then
        'No matching account found: fail closed and deny access
        CheckAccountlock = true
    else
        uac = rsADUserInfo("userAccountControl")
        if uac AND ADS_UF_ACCOUNTDISABLE Then
            CheckAccountlock = true
        Else
            CheckAccountlock = false
        end if
    end if
    'Close
    set rsADUserInfo = Nothing
    connAD.Close
    set connAD = Nothing
end function
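As an added example (not code from the post), here is the same CheckCredentials / CheckAccountlock decision modelled in Python so the logic can be exercised offline against a constructed directory. It also escapes the user name before placing it in the LDAP filter (RFC 4515) and treats an account that cannot be found as denied; FAKE_DIRECTORY, ADS_UF_NORMAL_ACCOUNT and the "Account not found in AD" message are assumptions made for the example.

```python
# Added example, not code from the post: the CheckCredentials / CheckAccountlock
# decision modelled in Python. FAKE_DIRECTORY and ADS_UF_NORMAL_ACCOUNT are
# constructed for the example.
from typing import Optional, Tuple

ADS_UF_ACCOUNTDISABLE = 0x0002  # flag the post tests in userAccountControl
ADS_UF_NORMAL_ACCOUNT = 0x0200  # set on ordinary user objects

# Constructed stand-in for the AD query: sAMAccountName -> userAccountControl.
FAKE_DIRECTORY = {
    "alice": ADS_UF_NORMAL_ACCOUNT,                          # 0x200, enabled
    "bob":   ADS_UF_NORMAL_ACCOUNT | ADS_UF_ACCOUNTDISABLE,  # 0x202, disabled
    "carol": 0x10202,  # DONT_EXPIRE_PASSWD | NORMAL_ACCOUNT | ACCOUNTDISABLE
}

def escape_ldap_filter_value(value: str) -> str:
    """Escape a value per RFC 4515 so it cannot change the filter structure."""
    specials = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(specials.get(ch, ch) for ch in value)

def build_filter(user_name: str) -> str:
    """Same filter shape as the post's strFilter, with the value escaped."""
    return f"(sAMAccountName={escape_ldap_filter_value(user_name)})"

def account_is_disabled(uac: int) -> bool:
    """The post's bit test: any userAccountControl with bit 0x2 set is disabled."""
    return bool(uac & ADS_UF_ACCOUNTDISABLE)

def lookup_uac(user_name: str, directory=FAKE_DIRECTORY) -> Optional[int]:
    """Stand-in for the ADO search; None means no record matched (EOF)."""
    return directory.get(user_name)

def check_credentials(user_name: str, directory=FAKE_DIRECTORY) -> Tuple[bool, str]:
    """Mirror of the post's CheckCredentials: (allow?, message for the UAG log).
    An account that cannot be found is denied rather than allowed by default."""
    if user_name == "":
        return False, "Did not get user name"
    uac = lookup_uac(user_name, directory)
    if uac is None:
        return False, "Account not found in AD"
    if account_is_disabled(uac):
        return False, "Account disabled in AD"
    return True, "OK"
```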

I do think there are more elegant ways of solving this problem, but time was short in this case and I was happy to have solved the customer's problem. Feel free to comment if you have ideas on how to improve this solution.

FIM 2010 R2 is RTM

Yesterday FIM 2010 R2 RTM release was made available on MSDN. Within a week it should be available on all license channels.

If you have been playing around with the RC release that was available on Microsoft Connect, you will not be able to upgrade to RTM. Read about that and other interesting stuff in the FIM 2010 R2 Release Notes.

BHOLD Suite for FIM 2010 available for download

Microsoft BHOLD Suite extends the capabilities of FIM 2010 by adding role-based access control to FIM 2010, enabling organizations to define user roles and to control access to sensitive data and applications in a way that is appropriate for those roles.

Yesterday the BHOLD Suite addon for FIM 2010 was made available on MSDN. Within a week it should be available on all license download sites.

Please read more about it on http://aka.ms/BHOLD.

TechDays in Sweden

Today TechDays starts in Sweden. Great stuff covering Nextperience will be presented. I will not make any presentations this year but many of my MEET friends will.

Just look at the list below and realize that many of them will be available for sessions and discussions at TechDays in Örebro in the next few days. Don’t miss it!

UAG Security Bulletin MS12-026

Today Microsoft released a Security Bulletin for UAG; this Bulletin is rated Important. As with all other UAG updates, these packages are not pushed out via Windows Update/Microsoft Update or any of the other automated patching mechanisms, because of the special order that needs to be followed for array deployments (array manager first, then the rest of the nodes). Following are the relevant links:

FIM 2010 Update Rollup 2

FIM 2010 Update Rollup 2 will go live on Microsoft Update today, February 28 at 10 am Pacific time. In addition to including all servicing changes made since RTM, this rollup:

  • Adds support for the new Extensible Connectivity Management Agent 2.0 (ECMA 2) framework
  • Addresses a possible performance issue for installations with many dynamic groups or criteria-based sets whose membership criteria include several conditions
  • Reverts a change in the previous hotfix release that treated SQL wildcard characters as literals
  • Addresses a number of other issues.

Especially interesting is the return of wildcard support. Hotfix rollup 2520954 removed support for using the following characters as SQL wildcard characters in queries, in dynamic group filters, and in set filters:

  • Underscore (_)
  • Percent (%)
  • Opening bracket ([)

Many of my customers relied on this functionality, which prevented them from updating their FIM. This hotfix reverts the earlier change.

For details, see KB2635086.

Microsoft Showcase – UAG

Magnus Lindkvist, Chief Security Advisor at Microsoft Sweden and I talk (in Swedish) about UAG in this Microsoft Showcase movie.

If you have trouble watching the Silverlight movie below, try this WMV version.

Hopefully more movies will be published in the future. I will also try to convince MS that English subtitles would be nice to have, or maybe I will find time to record some in English.

Isaac Asimov – Foundation Universe

One of my favorite writers is Isaac Asimov. I am at the moment in the process of re-reading the complete series of books included in the Foundation Universe series (15 books). I am reading them in the order as suggested by Asimov himself before he passed away.

For those of you who do not know who Asimov is, or what the Foundation series is, I would like to point out that the Foundation series was awarded the Hugo Award for Best All-Time Series in 1966, in competition with the well-known Lord of the Rings series written by J.R.R. Tolkien.

Below is the list of books in the order to read them, with the year each was published and some comments.

1. The Complete Robot (1982). Collection of thirty-one robot short stories written between 1939 and 1977.
2. The Caves of Steel (1954). This is the first of the robot novels.
3. The Naked Sun (1957). The second robot novel.
4. The Robots of Dawn (1983). The third robot novel. Hugo Award nominee, 1984. Locus Award nominee, 1984.
5. Robots and Empire (1985). The fourth robot novel. Locus Award nominee, 1986.
6. The Stars, Like Dust (1951). This is the first of the Empire novels.
7. The Currents of Space (1952). The second Empire novel.
8. Pebble in the Sky (1950). The third Empire novel; however, it was Asimov’s first full novel to be published.
9. Prelude to Foundation (1988). This is the first Foundation novel. Locus Award nominee, 1989.
10. Forward the Foundation (1993). The second Foundation novel (although it was the last written by Asimov himself).
11. Foundation (1951). The third Foundation novel. Actually, it is a collection of four stories, originally published between 1942 and 1944, plus an introductory section written for the book in 1949. Published, slightly abridged, as part of an Ace Double paperback, D-110, with the title “The 1000-Year Plan”, in 1955.
12. Foundation and Empire (1952). The fourth Foundation novel, made up of two stories originally published in 1945. Published with the title ‘The Man Who Upset the Universe’ as a 35c Ace paperback, D-125, in about 1952.
13. Second Foundation (1953). The fifth Foundation novel, made up of two stories originally published in 1948 and 1949.
14. Foundation’s Edge (1982). The sixth Foundation novel. Nebula Award nominee, 1982. Hugo Award winner, 1983. Locus Award winner, 1983.
15. Foundation and Earth (1986). The seventh Foundation novel. Locus Award nominee, 1987.

I hope you will enjoy reading this series as much as I do.

QA Gate Improved in FIM 2010 R2

Customers using the Self-Service Password Reset feature of FIM 2010 have reported concerns that users do not answer the “security” questions seriously. They might, for example, answer “A” to every question just to get the mandatory SSPR registration out of the way. In R2 this behaviour can be prevented!

Look at the screenshot below from FIM 2010 R2 RC released yesterday.

QA Gate in FIM 2010 R2

In the new QA gate you can prevent users from giving the same answer to two questions, and you can also define a regular expression that the answers must satisfy.

In my opinion this will increase the number of users who will answer the questions seriously!