ADFS WAP Proxy – An error occurred when attempting to establish a trust relationship with the federation service.

Environment

  • Windows 2012 R2 server on the LAN with the Active Directory Federation Service Role installed
  • Windows 2012 R2 server in the DMZ with the Remote Access role and the Web Application Proxy (WAP) feature installed

Problem

Getting the following error when running the Web Application Proxy Configuration Wizard:

“An error occurred when attempting to establish a trust relationship with the federation service. Error:  The request was aborted:  Could not create SSL/TLS secure channel”

Event ID 393 was written to the event log.

This is a relatively common error and is usually related to a problem with the certificates, the ports, or the permissions of the account used to run the wizard. A quick web search turns up plenty of examples and solutions.

However, I have to admit that after a lot of troubleshooting I was stumped. I opened a support ticket with the good folks at Microsoft Premier Support. After a 6 hour remote support session (with a great engineer), we found the problem.

A network trace from both the Proxy and the ADFS server, and a seemingly unrelated Event ID 36874 on the ADFS server, provided the clues to the cause of the problem.

Cause

The template from which the Windows 2012 R2 servers had been deployed included server hardening, specifically SCHANNEL ciphers, protocols, hashes and key exchange algorithms disabled through multiple registry subkeys and values.

The hardened registry keys under SecurityProviders\SCHANNEL were as follows:

  1. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AES 128/128]
    1. “Enabled”=dword:00000000
  2. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AES 256/256]
    1. “Enabled”=dword:00000000
  3. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]
    1. “Enabled”=dword:00000000
  4. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL]
    1. “Enabled”=dword:00000000
  5. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128]
    1. “Enabled”=dword:00000000
  6. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]
    1. “Enabled”=dword:00000000
  7. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128]
    1. “Enabled”=dword:00000000
  8. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
    1. “Enabled”=dword:00000000
  9. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
    1. “Enabled”=dword:00000000
  10. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
    1. “Enabled”=dword:00000000
  11. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128]
    1. “Enabled”=dword:00000000
  12. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168]
    1. “Enabled”=dword:00000000
  13. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168]
    1. “Enabled”=dword:00000000
  14. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5]
    1. “Enabled”=dword:00000000
  15. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA]
    1. “Enabled”=dword:00000000
  16. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA256]
    1. “Enabled”=dword:ffffffff
  17. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA384]
    1. “Enabled”=dword:ffffffff
  18. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA512]
    1. “Enabled”=dword:ffffffff
  19. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman]
    1. “Enabled”=dword:00000000
  20. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\ECDH]
    1. “Enabled”=dword:00000000
  21. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS]
    1. “Enabled”=dword:ffffffff
  22. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Client]
    1. “Enabled”=dword:00000000
    2. “DisabledByDefault”=dword:00000001
  23. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Server]
    1. “Enabled”=dword:00000000
    2. “DisabledByDefault”=dword:00000001
  24. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Client]
    1. “Enabled”=dword:00000000
    2. “DisabledByDefault”=dword:00000001
  25. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]
    1. “Enabled”=dword:00000000
    2. “DisabledByDefault”=dword:00000001
  26. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
    1. “DisabledByDefault”=dword:00000001
    2. “Enabled”=dword:00000000
  27. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
    1. “Enabled”=dword:00000000
    2. “DisabledByDefault”=dword:00000001
  28. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
    1. “Enabled”=dword:00000000
    2. “DisabledByDefault”=dword:00000001
  29. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
    1. “Enabled”=dword:00000000
    2. “DisabledByDefault”=dword:00000001
  30. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
    1. “Enabled”=dword:00000000
    2. “DisabledByDefault”=dword:00000001
  31. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
    1. “Enabled”=dword:00000000
    2. “DisabledByDefault”=dword:00000001
  32. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
    1. “Enabled”=dword:00000000
    2. “DisabledByDefault”=dword:00000001
  33. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
    1. “Enabled”=dword:00000000
    2. “DisabledByDefault”=dword:00000001
  34. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
    1. “Enabled”=dword:ffffffff
    2. “DisabledByDefault”=dword:00000000
  35. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
    1. “Enabled”=dword:ffffffff
    2. “DisabledByDefault”=dword:00000000


Solution

Removed the hardened SCHANNEL registry keys on both the ADFS & PROXY servers and rebooted.

After the cleanup, none of the keys listed above remained under SecurityProviders\SCHANNEL.
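The post does not include a way to check which of the hardening overrides are present on a given server before ripping them all out. The following audit script is an added example, not code from the post or from Microsoft. It assumes it is run as an administrator locally on each server involved (the ADFS server and the WAP server), reads only the SCHANNEL keys and value names listed above, and changes nothing. The "findings" it reports reflect the editor's reading of the list above: with every bulk cipher under Ciphers set to Enabled=0 there is no cipher suite left for SCHANNEL to offer, which is consistent with the "Could not create SSL/TLS secure channel" error.

```powershell
# Added audit script; not part of the original post. Run as an administrator on
# each server (ADFS and WAP). Read-only: it reports which SCHANNEL overrides
# listed in the post are present and which of them block any TLS 1.2 handshake.
# Key names such as 'AES 128/128' contain a '/', so the .NET registry API is
# used instead of an HKLM: provider path, where '/' can be taken for a separator.

$SchannelBase = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

function Get-SchannelEnabledState {
    # Returns 'enabled', 'disabled' or 'default' (no override present) for the
    # 'Enabled' value under a SCHANNEL sub-key, e.g. 'Ciphers\AES 128/128'.
    param([Parameter(Mandatory)][string]$SubKey)
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$SchannelBase\$SubKey")
    if ($null -eq $key) { return 'default' }
    try {
        $value = $key.GetValue('Enabled')
        if ($null -eq $value) { return 'default' }
        # dword:ffffffff reads back as -1; any non-zero value means enabled.
        if ([int]$value -eq 0) { 'disabled' } else { 'enabled' }
    } finally { $key.Close() }
}

function Get-SchannelReport {
    # One row per setting the hardening template touched (names taken from the post).
    $groups = @{
        'Ciphers'               = 'AES 128/128','AES 256/256','Triple DES 168','RC4 128/128','DES 56/56','NULL'
        'Hashes'                = 'MD5','SHA','SHA256','SHA384','SHA512'
        'KeyExchangeAlgorithms' = 'Diffie-Hellman','ECDH','PKCS'
    }
    foreach ($group in $groups.Keys) {
        foreach ($name in $groups[$group]) {
            [pscustomobject]@{ Category = $group; Name = $name; Side = '-'
                               State = Get-SchannelEnabledState "$group\$name" }
        }
    }
    foreach ($proto in 'SSL 2.0','SSL 3.0','TLS 1.0','TLS 1.1','TLS 1.2') {
        foreach ($side in 'Client','Server') {
            [pscustomobject]@{ Category = 'Protocols'; Name = $proto; Side = $side
                               State = Get-SchannelEnabledState "Protocols\$proto\$side" }
        }
    }
}

function Test-Tls12Negotiable {
    # Returns the findings that would stop any TLS 1.2 handshake on this host;
    # an empty list means the basic building blocks are still available.
    $findings = @()
    foreach ($side in 'Client','Server') {
        if ((Get-SchannelEnabledState "Protocols\TLS 1.2\$side") -eq 'disabled') {
            $findings += "TLS 1.2 $side is explicitly disabled"
        }
    }
    $bulk = @('AES 128/128','AES 256/256','Triple DES 168','RC4 128/128' |
              Where-Object { (Get-SchannelEnabledState "Ciphers\$_") -ne 'disabled' })
    if ($bulk.Count -eq 0) {
        $findings += 'Every bulk cipher is disabled: no cipher suite can be negotiated at all'
    } elseif (-not ($bulk -contains 'AES 128/128' -or $bulk -contains 'AES 256/256')) {
        $findings += 'AES is disabled: only legacy 3DES/RC4 suites remain'
    }
    $kex = @('Diffie-Hellman','ECDH','PKCS' |
             Where-Object { (Get-SchannelEnabledState "KeyExchangeAlgorithms\$_") -ne 'disabled' })
    if ($kex.Count -eq 0) {
        $findings += 'Every key exchange algorithm is disabled'
    }
    $hash = @('SHA256','SHA384' |
              Where-Object { (Get-SchannelEnabledState "Hashes\$_") -ne 'disabled' })
    if ($hash.Count -eq 0) {
        $findings += 'SHA256 and SHA384 are both disabled: every TLS 1.2 suite depends on one of them'
    }
    return ,$findings
}

Get-SchannelReport | Sort-Object Category, Name, Side | Format-Table -AutoSize
$findings = Test-Tls12Negotiable
if ($findings.Count -eq 0) { 'No blocking SCHANNEL override found.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Run against the key list in the Cause section, the script would report the "every bulk cipher is disabled" and "every key exchange algorithm is disabled" findings on both servers, which is enough to explain the wizard failure on its own. The post's fix is to remove every override; an alternative the editor would suggest (not something the post tried) is to keep the overrides for SSL 2.0, SSL 3.0, RC2, RC4, DES, NULL and MD5 and delete only those for AES, Diffie-Hellman, ECDH and SHA, re-running this audit and then the wizard after each change.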

Upload of data to Microsoft Intune failed

Problem

When attempting to add an app to the Intune portal using the Intune Software Publisher as described here, you get an error reporting that the upload of data to Microsoft Intune failed.

Reviewing the WindowsIntuneSoftwarePublisher.log in C:\Users\username\AppData\Local\Temp\SoftwarePublishing shows the following error: “The remote server returned an error: (401) Unauthorized”

Solution

In my case, while the user account used to add the app to Intune was a global admin, it did not have an EM+S license assigned.

The solution was to assign an EM+S license to the account.

After that, the app data uploaded successfully to Intune.

Using the Office 365 Groups Send-as and Send-on-behalf feature

The capability to grant Send-as and Send-on-behalf permissions to an Office 365 Group is a straightforward process and clearly documented here.

Sending an email on behalf of an Office 365 Group via Outlook is the same familiar process as sending on behalf of another user: show the “From” field, click the “From” drop-down, choose “Other email address” and select the address.

What is less intuitive is doing this using the Office 365 web interface via portal.office.com.

First you need to show the “From” field by clicking the arrow below the compose page and selecting “Show From”.

When you click on the “From” drop-down, you will not see an option to choose an alternative address.

Instead, what you need to do is right-click on the address in the “From” field and choose “Remove”.

Once removed, you can type the address you want to send as.

Microsoft Intune Mobile Application Management (MAM) policy changes not working

The following blog describes the solution to a scenario I encountered whereby changes to a Microsoft Intune mobile application management (MAM) policy would not take effect.

Environment

In preparation for rolling out an MS Intune Mobile Application Management (MAM) policy to Outlook for iOS clients I created a test policy to enable PIN protection and applied it to a test user account. The steps used can be found here.

In summary:

  1. Create a test user and assign a Microsoft Intune license via portal.office.com
  2. Create a user group to apply the app protection policy to, and assign the test user to the group, again via portal.office.com
  3. Create an App protection policy via portal.azure.com
  4. Configure the policy settings (e.g. Require PIN access)
  5. Choose Apps to associate with the policy (e.g. Outlook)
  6. Deploy the policy to the test group

This worked well. After the policy applied, when I opened Outlook for iOS as the test user I was prompted to enter a PIN.

Note:  It can take up to 8 hours for a newly deployed app protection policy to be applied.

Problem

The problem arose when I removed the test MAM policy (or more specifically, removed the test user from the group “Test – MAM Policy”). I expected that the pin protection settings would no longer apply.  However, the test user continued to be prompted to enter a pin, even after waiting sufficient time for the changes to take effect.

Solution

It was the “Common IT administrator issues” section of the Troubleshoot Mobile Application Management guide that pointed me in the right direction. Specifically, the section indicating that I might need to force a sync of the Outlook for iOS client for the changes to take effect.

I used the following steps to force a sync of the Outlook for iOS client:

  1. From the Outlook app, click on Settings
  2. Select the test Office 365 account and then choose “Reset Account”

This forced a sync of the Outlook client.  Next time I opened the Outlook app, the pin protection policy had been removed.

Microsoft Intune Useful Links & Information

The following is a collection of links to Microsoft Intune resources that may be useful to anyone looking to get started with Intune.

Training Guides

  1. Microsoft Virtual Academy Intune Training
  2. Intune documentation
  3. What to tell your end users about using Microsoft Intune

Blogs, Videos & Customer Stories

  1. What’s New
    1. Intune Standalone & General Product Updates
      1. https://aka.ms/intunenew
    2. Intune Hybrid What’s New
      1. https://aka.ms/hybridwhatsnew
    3. Blogs
      1. Brad Anderson’s Blog http://aka.ms/bradsblog
      2. Simon May’s Blog http://simon-may.com
      3. Enterprise Mobility & Security Blog http://aka.ms/mobsecblog
      4. Intune Support Blog http://aka.ms//intunesupportblog
    4. Forums
      1. Microsoft Intune UserVoice
        1. https://microsoftintune.uservoice.com
      2. Microsoft Intune Forums
        1. https://aka.ms/intuneforum

Useful Tools

  1. System Centre Configuration Manager Hybrid Diagnostic Tool
    1. https://www.microsoft.com/en-us/download/details.aspx?id=53306

Support Information

  1. Engage the Intune FastTrack Centre for deployment assistance
    1. https://fasttrack.microsoft.com/
  2. How to engage Premier Support for technical help and troubleshooting
    1. https://aka.ms/intunesupport

How to get a detailed list of all your Configuration Manager Deployments using PowerShell

In this blog I will show you step by step how to quickly get a detailed list of all your Configuration Manager deployments, output in Excel table format, including the following details:

  • Application Name
  • Assignment ID
  • CI_ID
  • Collection
  • Collection Name
  • DeploymentID
  • Creation Time
  • Deployment Time
  • Enforcement Deadline
  • PackageID

You can also download this guide from the TechNet Gallery here.

First, open the System Center Configuration Manager Console.

Click on the down arrow in the upper right hand corner and choose “Connect via Windows PowerShell”. This opens PowerShell with the Configuration Manager module loaded. Type the following command (use whatever path you want to save the output):

Get-CMDeployment | Export-Csv -NoTypeInformation -Path c:\temp\Deployments.csv

Next, open the Deployments.csv file using Microsoft Excel.

Highlight / select all the rows and columns with data, select the “Insert” tab and click “Table”.

Make sure to tick “My table has headers”, then click OK.

You now have an Excel spreadsheet, in table format, with detailed information about all your deployments including:

  • Application Name
  • Software Name
  • Assignment ID
  • CI_ID
  • Collection
  • Collection Name
  • DeploymentID
  • Creation Time
  • Deployment Time
  • Enforcement Deadline
  • PackageID

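The one-liner above exports every property of every deployment and leaves the filtering to Excel. The script below is an added example, not code from the post, that does the column selection in PowerShell itself and adds a first triage view. It assumes it is run from the PowerShell window opened via “Connect via Windows PowerShell”, so that the ConfigurationManager module and the site drive are already loaded, and that the property names are those of the SMS_DeploymentSummary objects that Get-CMDeployment returns (the DeploymentIntent mapping 1 = Required, 2 = Available, 3 = Simulate is the documented one for that class). The output path is a placeholder.

```powershell
# Added example; not part of the original post. Run from the console's
# "Connect via Windows PowerShell" session so Get-CMDeployment is available.

$OutputPath = 'C:\temp\Deployments.csv'   # placeholder: the folder must exist

# Labels for DeploymentIntent, as documented for SMS_DeploymentSummary.
$IntentLabel = @{ 1 = 'Required'; 2 = 'Available'; 3 = 'Simulate' }

# The columns the post lists, plus intent and the per-deployment status counts.
$Columns = @(
    'ApplicationName', 'SoftwareName', 'AssignmentID', 'CI_ID',
    'CollectionID', 'CollectionName', 'DeploymentID',
    @{ Name = 'Intent'; Expression = { $IntentLabel[[int]$_.DeploymentIntent] } },
    'CreationTime', 'DeploymentTime', 'EnforcementDeadline', 'PackageID',
    'NumberTargeted', 'NumberSuccess', 'NumberErrors'
)

function Get-DeploymentInventory {
    # One object per deployment with only the columns above.
    Get-CMDeployment | Select-Object -Property $Columns
}

function Get-OverdueRequiredDeployments {
    # Required deployments whose enforcement deadline has passed but which still
    # report errors: the ones worth reviewing first. Assumes the cmdlet exposes
    # EnforcementDeadline as a DateTime (it is null for deployments without one).
    param([datetime]$Now = (Get-Date))
    Get-DeploymentInventory | Where-Object {
        $_.Intent -eq 'Required' -and
        $null -ne $_.EnforcementDeadline -and
        $_.EnforcementDeadline -lt $Now -and
        $_.NumberErrors -gt 0
    }
}

$inventory = Get-DeploymentInventory
$inventory | Export-Csv -Path $OutputPath -NoTypeInformation -Encoding UTF8
'{0} deployments written to {1}' -f @($inventory).Count, $OutputPath

Get-OverdueRequiredDeployments | Sort-Object EnforcementDeadline |
    Format-Table ApplicationName, CollectionName, EnforcementDeadline, NumberErrors -AutoSize
```

The CSV produced this way can be turned into an Excel table exactly as in the steps above; the difference is that the overdue-with-errors list is printed straight away, without a trip through Excel filters.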