The Subject says it all. I'm about to convert a regular domain to a federated domain and can't find a clear answer to my question.
We have a Microsoft RDS service and if I convert to a federated domain while people are connected will they notice an interruption or will everything just keep working?
Related
I'm setting up Single Sign On for Jaspersoft Server to work with Azure AD. I found in the Azure Market we have jasper server supported
https://azuremarketplace.microsoft.com/en-us/marketplace/apps/aad.jasperserver?tab=Overview
but I can't find any relate document in anywhere. I think my approach may not correct.
Any advise is really appreciate.
Thanks
The app today can be used with Azure AD for password based SSO.
This doc talks about password SSO. If Jaspersoft supports SCIM, AAD can do provisioning to them.
https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/application-sign-in-problem-password-sso-gallery#configure-the-application-for-password-single-sign-on
Is it possible to develop a basic client/server Forms app (suppose I could develop the server side as a service, but would rather not) that can prove that a user account within a 2012 R2 Active Directory domain can authenticate with an application residing on a server on a trusted 2003 domain, using NTLM? If so, what specifically within my application would I need to do to force such a behaviour?
The detail:
I am responsible for performing an upgrade of Active Directory from 2003 to 2012 R2 (raising of the Forest and Domain Functional Level). There is a legacy application which does not support Kerberos authentication and a lot of doubt that this mission critical application will still work after the domain upgrade. To complicate the matter, the user accounts are in the domain to be upgraded and the application backend is hosted on a trusted domain that will not be upgraded.
I am required to first of all test the process and outcome within a test lab (replica of the live environment). I am unable to replicate the application as it is to big and complicated to do so. One of the tests I need to satisfy is to verify that a user can be authenticated by a trusted domain using NTLM (not Kerberos).
It turns out that you can use the age old DOS "NET USE" command to verify NTLM authentication. "NET" only uses NTLM :)
I have a question about installing SQL server and a SP2016 development farm. I can install both but my boss asked me questions about installing SPN (Service Principal Name) in the AD. But I don't know why and how an SPN is linked with SQL and SharePoint.
I've done some research on the web and got some terms "Kerberos" but I installed SharePoint with NTLM. Help me understand why SPNs would be useful in this case.
What is a Service Principal Name?
The SPN represents the service entry point into your SQL server for clients to find (using DNS) when they will be using Kerberos authentication.
SPNs are written as a service followed by the fully-qualified DNS name of the IP host the service is running on, (and sometimes optionally, appended with the Kerberos realm name appended to the end). For example if your SQL server were named 'sqlserver1' and your AD domain name was 'acme.com' would be written as: MSSQLsvc/sqlserver1.acme.com.
The SPN itself is found inside the Kerberos database, and clients during the authentication process reach out to DNS to find the IP target host and the Kerberos database (KDC) holding the service principal, grab a Kerberos service ticket from the KDC and use that to single sign-on authenticate to the server running on the target service named in the SPN.
Configuring SPNs
In AD, in the properties of the computer object representing your SQL server, you will add the SPN, and optionally configure Kerberos delegation for that service. You could optionally add the SPN to a user account running the SQL service in AD instead.
In your scenario, Kerberos should actually be the primary authentication method, with NTLM used only as a fallback. If you setup up DNS, AD, Kerberos delegation and the target server correctly, you should never have to fallback to NTLM. With SharePoint, you would use Kerberos to SSO into SharePoint, and then you could optionally allow Kerberos delegation for that same user account to be able to run SQL statements own the SQL DB server as themselves.
None of this is for the faint of heart, and I have actually not setup this precise scenario myself, I just know the underlying concepts; instead my experience is mainly setting up Kerberos SSO to Active Directory authentication to web applications running on Linux platforms. But you asked what an SPN was for and that's what I've answered.
Further Reading
I googled and found this link for you for actually setting up your scenario, it talks about configuring SharePoint with Active Directory with SQL server using Kerberos delegation: Plan for Kerberos authentication in SharePoint 2013
Users will be out in the field collecting data on windows client app in areas with poor internet connection. Days or even weeks at a time away from any network connection. The lucky ones will bring their laptop back to a regional office to sync the data they've collected when they login to the company network. Others will have to resort to plugging into a client/customer internet connection and/or Internet Cafe connection to perform the data sync.
The app stores the data on a local sql server 2008 R2 express database and the client will initiate a database sync to the SQL Server 2008 standard in HQ as and when connection is available.
User Authentication and role based security are requirements of the App. Which method should I be using: Forms Authentication or Windows Authentication ? (And I think I've come across a 3rd type called Custom Authentication ?)
Sorry, I'm really lost on the authentication stuff - first time doing it and not sure of the pros & cons of each type. Can anyone advise which I should be using for this scenario ?
UPDATE: I've actually got the synchronization working now using the SQL Server's external ip address in the connection string and SQL Authentication for the user logins. Would this be an accepted practice or am I violating any security principles?
I still have to get to the role based security piece - can role based security work with SQL Authentication?
Also, new wrinkle: turns out that some of the remote users once they have been issued their laptop from Head Office may never login to the organisation's Domain again so their Login's Trust relationship with the domain expires after a few months. Therefore, I guess Windows Authentication is not viable anyway...
How will you connect to the HQ db server?
Imo the safest solution would be to sync over WCF (sample with SqlCompact to Sql Server over WCF with N-tier here). You can then implement whatever authentication scheme you want depending on the kind of security (transport and/or message) you implement in WCF. See this and this for more info.
is it possible to use a database created in a Azure VM as a data source for model which is created in Azure Analysis Services?
So far, when I specify connection properties for the model in the web designer and test connection, I get an error stating "a connection was successfully established with the server, but then an error occurred during the login process. (provider SSL Provider, error: 0 - The certificate chain was issued by an authority that is not trusted.)
I can connect to the server via SSMS and via RDP.
I created a self-signed certificate in the azure key vault and was able to make the SQL server use it. However I can't seem to find out how to make use of it when connecting the model.
Does anyone know if it's possible and if so, what should I do to make it work?
In the end I managed to make it work. For anyone with similar problem, I will write my solution below.
For the error "The certificate chain was issued by an authority that is not trusted" - just as discussed in the thread linked by TJB in comment, this was because I did not have a CA signed certificate, but a self-signed one.
A CA signed certificate from Azure would probably solve the issue, but I tried the Let's Encrypt site (also linked in the other thread). The issue I had with Let's Encrypt was that I had a windows server, while they natively support linux-based systems.
However I found an article by Daniel Hutmacher called Encrypting SQL Server connections with Let’s Encrypt certificates which was solving the very issue I had.
(as for the client tool, the current version is different from the one described in the article, but you can still download the old version on github. I used the lastest november 2017 release). With this I was able to generate and add a CA signed certificate to SQL server.
At this point, I created a model in Azure Analytics Services, used Azure Database as type of source/connection and filled in the connection to my VM SQL server. I saw my database tables, but when I tried to query data, I got a new error, stating that the AAS need an On-premise data gateway set up.
The Microsoft docs Install and configure an on-premises data gateway describes how to install on-premise data gateway on the VM, but if you are like me and use personal account for azure, you will have issues binding your account to the gateway. The solution as hinted here is to create a new account in Azure Active Directory (I created a new user and registered it under my azure custom domain, so the login looked like XXX#zzz.onmicrosoft.com). I gave the user admin role, so as to temporarily avoid any azure permission setbacks. Next I added the user to my subscription via Subscriptions -> "My_subscription" -> Access Control (IAM) and assigned an owner role to the AD user.
Now back on my VM I could bind the new user's account to the gateway (don't forget to change the gateway's region to your preferred region before finishing the setup).
Next, on Azure I created an "on-premise data gateway" service (do note you need to select same region as the one which your VM gateway is located under). I am not sure now, if only the new AD user I created could see the gateway, so in case you do not see it, try the AD user as well.
Last but not least, in the Azure Analytics services I went to the "on-premises data gateway" settings and set it to use the one I just created.
With this I was able to create the model and query the data from database.
Note:
In the model web designed for analytics services I happened to be logged in under the AD user, not under my personal account. Attempting to change the account to my personal one ended up in login failure, however after a few such attempts and opening multiple web designers in separated tabs, I correctly logged in under my personal account. After a while I could no longer replicate the issue.
I guess the issue may have been that I was logged in to Azure under both my personal account and the AD user at the same time in same browser when setting eveything up.