Adfs on Janik von Rotz

Configure hybrid search results from SharePoint Online in SharePoint on-premise

Wed, 14 May 2014 07:03:29 +0000

This post of is part of my Install SharePoint 2013 Three-tier Farm project. Get the latest version of this article here: https://gist.github.com/10871110

Introduction

In this post I’ll show you how to get search results from your SharePoint Online in your SharePoint 2013 on-premise search center.

Requirements

User synchronisation ActiveDirectory to Office 365 with DirSync
DirSync password sync or ADFS SSO
SharePoint Online
SharePoint 2013 on-premise
- Enterprise Search service
- SharePoint Online Management Shell

Instructions

All configuration will be done either in the Search Administration of the Central Administration or in the PowerShell console of your on-premise SharePoint 2013 server.

Set up Sever to Server Trust

Export certificates

To create a server to server trust we need two certificates.

[certificate name].pfx: In order to replace the STS certificate, the certificate is needed in Personal Information Exchange (PFX) format including the private key.

[certificate name].cer: In order to set up a trust with Office 365 and Windows Azure ACS, the certificate is needed in CER Base64 format.

First launch the Internet Information Services (IIS) Manager
Select your SharePoint web server and double-click Server Certificates
In the Actions pane, click Create Self-Signed Certificate
Enter a name for the certificate and save it with OK
To export the new certificate in the Pfx format select it and click Export in the Actions pane
Fill the fields and click OK Export to: C:\[certificate name].pfx Password: [password]
Also we need to export the certificate in the CER Base64 format. For that purpose make a right-click on the certificate and click on View…
Click the Details tab and then click Copy to File
On the Welcome to the Certificate Export Wizard page, click Next
On the Export Private Key page, click Next
On the Export File Format page, click Base-64 encoded X.509 (.CER), and then click Next.
As file name enter C:\[certificate name].cer and then click Next
Finish the export

Import the new STS (SharePoint Token Service) certificate

Let’s update the certificate on the STS. Configure and run the PowerShell script below on your SharePoint server.

if(-not (Get-PSSnapin "Microsoft.SharePoint.PowerShell" -ErrorAction SilentlyContinue)){Add-PSSnapin "Microsoft.SharePoint.PowerShell"}

# set the cerficates paths and password
$PfxCertPath = "c:\[certificate name].pfx"
$PfxCertPassword = "[password]"
$X64CertPath = "c:\[certificate name].cer"

# get the encrypted pfx certificate object
$PfxCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $PfxCertPath, $PfxCertPassword, 20

# import it
Set-SPSecurityTokenServiceConfig -ImportSigningCertificate $PfxCert

Type Yes when prompted with the following message.

You are about to change the signing certificate for the Security Token Service. Changing the certificate to an invalid, inaccessible or non-existent certificate will cause your SharePoint installation to stop functioning. Refer to the following article for instructions on how to change this certificate: http://go.microsoft.com/fwlink/?LinkID=178475. Are you sure, you want to continue?

Restart IIS so STS picks up the new certificate.

& iisreset
& net stop SPTimerV4
& net start SPTimerV4

Now validate the certificate replacement by running several PowerShell commands and compare their outputs.

# set the cerficates paths and password
$PfxCertPath = "c:\[certificate name].pfx"
$PfxCertPassword = "[password]"

# get the encrypted pfx certificate object
New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $PfxCertPath, $PfxCertPassword, 20

# compare the output above with this output
(Get-SPSecurityTokenServiceConfig).LocalLoginProvider.SigningCertificate

Establish the server to server trust

if(-not (Get-PSSnapin "Microsoft.SharePoint.PowerShell" -ErrorAction SilentlyContinue)){Add-PSSnapin "Microsoft.SharePoint.PowerShell"}
Import-Module MSOnline 
Import-Module MSOnlineExtended

# set the cerficates paths and password
$PfxCertPath = "c:\[certificate name].pfx"
$PfxCertPassword = "[password]"
$X64CertPath = "c:\[certificate name].cer"

# set the onpremise domain that you added to Office 365
$SPCN = "sharepoint.domain.com" 

# your onpremise SharePoint site url
$SPSite="http://sharepoint"

# don't change this value
$SPOAppID="00000003-0000-0ff1-ce00-000000000000"

# get the encrypted pfx certificate object
$PfxCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $PfxCertPath, $PfxCertPassword, 20

# get the raw data
$PfxCertBin = $PfxCert.GetRawCertData()

# create a new certificate object
$X64Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2

# import the base 64 encoded certificate
$X64Cert.Import($X64CertPath)

# get the raw data
$X64CertBin = $X64Cert.GetRawCertData()

# save base 64 string in variable
$CredValue = [System.Convert]::ToBase64String($X64CertBin)

# connect to office 3656
Connect-MsolService

# register the on-premise STS as service principal in Office 365

# add a new service principal
New-MsolServicePrincipalCredential -AppPrincipalId $SPOAppID -Type asymmetric -Usage Verify -Value $CredValue
$MsolServicePrincipal = Get-MsolServicePrincipal -AppPrincipalId $SPOAppID
$SPServicePrincipalNames = $MsolServicePrincipal.ServicePrincipalNames
$SPServicePrincipalNames.Add("$SPOAppID/$SPCN")
Set-MsolServicePrincipal -AppPrincipalId $SPOAppID -ServicePrincipalNames $SPServicePrincipalNames

# get the online name identifier
$MsolCompanyInformationID = (Get-MsolCompanyInformation).ObjectID
$MsolServicePrincipalID = (Get-MsolServicePrincipal -ServicePrincipalName $SPOAppID).ObjectID
$MsolNameIdentifier = "$MsolServicePrincipalID@$MsolCompanyInformationID"

# establish the trust from on-premise with ACS (Azure Control Service)

# add a new authenticatio realm
$SPSite = Get-SPSite $SPSite
$SPAppPrincipal = Register-SPAppPrincipal -site $SPSite.rootweb -nameIdentifier $MsolNameIdentifier -displayName "SharePoint Online"
Set-SPAuthenticationRealm -realm $MsolServicePrincipalID

# register the ACS application proxy and token issuer
New-SPAzureAccessControlServiceApplicationProxy -Name "ACS" -MetadataServiceEndpointUri "https://accounts.accesscontrol.windows.net/metadata/json/1/" -DefaultProxyGroup
New-SPTrustedSecurityTokenIssuer -MetadataEndpoint "https://accounts.accesscontrol.windows.net/metadata/json/1/" -IsTrustBroker -Name "ACS"

Add a new result source

To get search results from SharePoint Online we have to add a new result source. Run the following script in a PowerShell ISE session on your SharePoint 2013 on-premise server. Don’t forget to update the settings region

if(-not (Get-PSSnapin "Microsoft.SharePoint.PowerShell" -ErrorAction SilentlyContinue)){Add-PSSnapin "Microsoft.SharePoint.PowerShell"}

# region settings 
$RemoteSharePointUrl = "http://[example].sharepoint.com"
$ResultSourceName = "SharePoint Online"
$QueryTransform = "{searchTerms}"
$Provier = "SharePoint-Remoteanbieter"
# region settings end

$SPEnterpriseSearchServiceApplication = Get-SPEnterpriseSearchServiceApplication
$FederationManager = New-Object Microsoft.Office.Server.Search.Administration.Query.FederationManager($SPEnterpriseSearchServiceApplication)
$SPEnterpriseSearchOwner = Get-SPEnterpriseSearchOwner -Level Ssa  

$ResultSource = $FederationManager.GetSourceByName($ResultSourceName, $SPEnterpriseSearchOwner)
if(!$ResultSource){
    Write-Host "Result source does not exist. Creating..."
    $ResultSource = $FederationManager.CreateSource($SPEnterpriseSearchOwner)
}

$ResultSource.Name = $ResultSourceName
$ResultSource.ProviderId = $FederationManager.ListProviders()[$Provier].Id
$ResultSource.ConnectionUrlTemplate = $RemoteSharePointUrl
$ResultSource.CreateQueryTransform($QueryTransform)
$ResultSource.Commit()

Add a new query rule

In the Search Administration click on Query Rules
Select Local SharePoint as Result Source
Click New Query Rule
Enter a Rule name f.g. Search results from SharePoint Online
Expand the Context section
Under Query is performed on these sources click on Add Source
Select your SharePoint Online result source
In the Query Conditions section click on Remove Condition
In the Actions section click on Add Result Block
As title enter Results for “{subjectTerms}” from SharePoint Online
In the Search this Source dropdown select your SharePoint Online result source
Select 3 in the Items dropdown
Expand the Settings section and select “More” link goes to the following URL
In the box below enter this Url https://[example].sharepoint.com/search/pages/results.aspx?k={subjectTerms}
Select This block is always shown above core results and click the OK button
Save the new query rule

Source

Display hybrid search results in SharePoint Server 2013
Office 365-Configure Hybrid Search with Directory Synchronization –Password Sync
Office 365-Configure Hybrid Search with Directory Synchronization –Password Sync –Part2

ADFS Login Customization

Fri, 18 Oct 2013 13:04:41 +0000

The purpose of this article is to show the intention and implemention of the most common modifications for the ADFS login page.

Out of the box the login form should look like this:

The f.e. is by default the page url, this can confuse the user, due they expect something like “your login” or “Office365 Login”.

To add a logo you simply edit the web.config file.


<!--
<add key=”logo” value=”logo.png” />
-->

This label is part of the page’s localization, that means you have to edit the language resource file.

The localization files are stored under App_GlobalResources there you’ll find one file for every language CommonResources.en.resx.

Edit the file of your language an replace the “hint” with you definition.

In the root folder of the login page in the folder MasterPages is a file named MasterPage.master. This file defines the look of the login page. To hide the title just comment this part out.

<!--
<div class="GroupLargeMargin">
<div class="TextSizeXLarge">
<asp:Label ID="STSLabel" runat"server"></asp:Label>
</div>
</div>
-->

With Office365 and ADFS it’s possible to login from the microsoft Office365 login page or via a smart link to get directly redirected to the ADFS login page.

The Office365 login page will process the username you enter and if it’s a on premise user you’ll get redirected to the ADFS login page. By default the ADFS login page doesn’t care about the username you’ve provided at the Office365 login page. To populate the username into the login field the ADFS page has be modified like this:

Process username from the url parameter.


public void Application_BeginRequest()
{


HttpRequest request = HttpContext.Current.Request;
HttpResponse response = HttpContext.Current.Response;

if ( !String.IsNullOrEmpty( request.Params["username"] ) )
{
     HttpCookie cookie = new HttpCookie( "Office365Username", request.Params["username"] );
     cookie.Expires = DateTime.UtcNow.AddMinutes( 10 );
     Response.Cookies.Add( cookie );
}

Add the username parameter to the username box.


using System;

Paste the following code:


using System.Web;

Find the following and set your cursor to the next line down:


protected void Page_Load( object sender, EventArgs e )
{

Paste the following code:


HttpCookie cookie = Context.Request.Cookies.Get( "Office365Username" );

if ( null != cookie && !String.IsNullOrEmpty( cookie.Value ) )
{
     UsernameTextBox.Text = cookie.Value;
     cookie.Expires = DateTime.UtcNow.AddDays( -1 );
     cookie.Value = "";
     Context.Response.Cookies.Add( cookie );
}

Save and Close FormsSignIn.aspx.cs

Handling user password change and expiration issues with Office365 and ADFS – Part 2

Mon, 23 Sep 2013 08:50:49 +0000

https://janikvonrotz.ch/2013/08/08/handling-user-password-change-and-expiration-issues-with-office365-and-adfs-part-1/

This is part two of my experience in handling the password change office365 architecture issue.

Last time I’ve built a simple script to notificate the users about the status of their passwords. In the mean time we (me and another employ of the “vbl Informatik”) built a simple website for the office365 users to change their password.

The whole project is now available on https://codeberg.org/janikvonrotz/ActiveDirectory-Password-Change

Checkout the instructions in the readme fileto set up the password change website.

If you have setup the website already I recommend you to include the site with a sharepoint webpart here’s an example:

Office365 ADFS Chrome Login fails

Tue, 10 Sep 2013 13:49:40 +0000

Today I experienced an exotic behaviour, a client couldn’t access his Office365 page due he wasn’t able to login on the ADFS authentication prompt.

After googling and binging (just kidding, NERD) I found a simple solution.

[caption id=“attachment_498” align=“aligncenter” width=“714”] To turn Extended Protection off, on the AD FS server, launch IIS Manager, then, on the left side tree view, access Sites -> Default Web Site -> adfs -> ls. Once you’ve selected the “/adfs/ls” folder, double-click the Authentication icon, then right-click Windows Authentication and select Advanced Settings… On the Advanced Settings dialog, choose Off for Extended Protection.[/caption]

Disabling the extended windows authentication protection solved this issue, but I have to admit I’m not quite sure about services depending on this settings, maybe you’ll experience some other errors related to the ADFS service.

Manage ActiveDirectory Distribution Groups

Tue, 27 Aug 2013 12:39:11 +0000

With Office365 connected with an ADFS you have to redesgin your Exchange distribution groups. ADFS only syncs distribution groups that have these definitions:

My idea was simple, I’m developing a script that creates for every OU and child OU I’m chosing in the ActiveDirectory structure a distribution list containing the users of the chosen OU recursively.

While developing this I’ve added some cool features, in addition you can:

By default the script will only add enabled users with an email address.

This script makes use of the PowerShell Profile environment, f.e. the function Send-PPErrorReport sends an error report per email when the script fails or produces problems.

<#
$Metadata = @{
    Title = "New ActiveDirectory Distribution Groups"
    Filename = "New-ADDistributionGroups.ps1"
    Description = "Create or update ActiveDirectory distribution groups"
    Tags = "powershell, activedirectory, distribution, groups, create, update"
    Project = ""
    Author = "Janik von Rotz"
    AuthorContact = "https://janikvonrotz.ch"
    CreateDate = "2013-08-27"
    LastEditDate = "2013-09-30"
    Url = "https://gist.github.com/6352037"
    Version = "1.1.0"
    License = @'
This work is licensed under the Creative Commons Attribution-ShareAlike 3.0 Switzerland License.
To view a copy of this license, visit https://creativecommons.org/licenses/by-sa/3.0/ch/ or
send a letter to Creative Commons, 444 Castro Street, Suite 900, Mountain View, California, 94041, USA.
'@
}
#>

#--------------------------------------------------#
# modules
#--------------------------------------------------#
Import-Module ActiveDirectory

# set OUs where the distributions groups should be enabled
$OUs = @(
    @{Name = "OU=Betrieb,OU=vblusers2,DC=vbl,DC=ch"},
    @{Name = "OU=Direktion,OU=vblusers2,DC=vbl,DC=ch"},
    @{Name = "OU=Finanzen,OU=vblusers2,DC=vbl,DC=ch"},
    @{Name = "OU=Personal,OU=vblusers2,DC=vbl,DC=ch"},
    @{Name = "OU=Technik,OU=vblusers2,DC=vbl,DC=ch"}
)

# list of users to exclude in distribution groups
$ExcludeUsers = "abascan","ba test","ba-service"

# list of distribution groups to exclude
$ExcludeOUs = "Verwaltungsrat"

# special configuration to handle special
$Configs = @(
    @{
        Name = "GL";
        Options = @("UpdateFromGroups");
        AddGroups = @("Geschäftsleitung Gruppe")
    },
    @{
        Name = "GL erw";
        Options = @("UpdateFromGroups");
        AddGroups = @("Erweiterte Geschäftsleitung Gruppe")
    },
    @{
        Name = "Alle";
        Options = @("UpdateFromGroups");
        AddGroups = @("Technik","Betrieb","Personal","Finanzen","GL","Kommunikation","Sekretariat")
    },
    @{
        Name = "Alle mit Arbeitsplatz";
        Options = @("UpdateFromGroups","RemoveGroups");
        AddGroups = @("Alle");
        RemoveGroups = @("SPO_365E1License")
    },
    @{
        Name = "Alle ohne Arbeitsplatz";
        Options = @("UpdateFromGroups");
        AddGroups = @("SPO_365E1License");
    },
    @{
        Name = "Fahrdienst A - Hermann M";
        Options = @("UpdateFromGroups");
        AddGroups = @("Fahrdienst A - Hermann M Gruppe");
    },
    @{
        Name = "Fahrdienst A - Segui M";
        Options = @("UpdateFromGroups");
        AddGroups = @("Fahrdienst A - Segui M Gruppe");
    },
    @{
        Name = "Fahrdienst B - Nietlispach M";
        Options = @("UpdateFromGroups");
        AddGroups = @("Fahrdienst B - Nietlispach M Gruppe");
    },
    @{
        Name = "Fahrdienst B - Zaugg D";
        Options = @("UpdateFromGroups");
        AddGroups = @("Fahrdienst B - Zaugg D Gruppe");
    },
    @{
        Name = "Fahrdienst C - Habegger R";
        Options = @("UpdateFromGroups");
        AddGroups = @("Fahrdienst C - Habegger R Gruppe");
    },
    @{
        Name = "Fahrdienst C - Malbasic N";
        Options = @("UpdateFromGroups");
        AddGroups = @("Fahrdienst C - Malbasic N Gruppe");
    },
    @{
        Name = "Fahrdienst D - Küchler P";
        Options = @("UpdateFromGroups");
        AddGroups = @("Fahrdienst D - Küchler P Gruppe");
    },
    @{
        Name = "Fahrdienst D - Zimmermann L";
        Options = @("UpdateFromGroups");
        AddGroups = @("Fahrdienst D - Zimmermann L Gruppe");
    },
    @{
        Name = "Fahrdienst E - Bechter K";
        Options = @("UpdateFromGroups");
        AddGroups = @("Fahrdienst E - Bechter K Gruppe");
    },
    @{
        Name = "Fahrdienst E - Brunner R";
        Options = @("UpdateFromGroups");
        AddGroups = @("Fahrdienst E - Brunner R Gruppe");
    },
    @{
        Name = "Fahrdienst F - Bieri René";
        Options = @("UpdateFromGroups");
        AddGroups = @("Fahrdienst F - Bieri René Gruppe");
    },
    @{
        Name = "Fahrdienst F - Bieri Urs";
        Options = @("UpdateFromGroups");
        AddGroups = @("Fahrdienst F - Bieri Urs Gruppe");
    },
    @{
        Name = "Verkehrsdisponnenten";
        Options = @("UpdateFromGroups");
        AddGroups = @("F_Verkehrsdisponnenten");
    },
    @{
        Name = "Personalkommission";
        Options = @("UpdateFromGroups");
        AddGroups = @("Personalkommission Abteilung");
    }
)

# get all OUs recursive
$OUs = $OUs | %{Get-ADOrganizationalUnit -Filter "*" -SearchBase $_.Name} | where {-not ($ExcludeOUs -contains $_.Name)}

# check in every OU if a distribution group with the same name as the OU exist
$OUs | %{$OU = $_.DistinguishedName;
    if(Get-ADGroup -Filter {SamAccountName -eq $_.Name -and GroupCategory -eq "Distribution"} | Where-Object{$_.DistinguishedName -like "*$OU"}){

        Write-Host "Update users in distribution group $($_.Name)."
        $ADGroup = Get-ADGroup -Filter {SamAccountName -eq $_.Name -and GroupCategory -eq "Distribution"}
        Get-ADGroupMember -Identity $ADGroup | %{Remove-ADGroupMember -Identity $ADGroup -Members $_ -Confirm:$false}
        Get-ADUser -Filter {EmailAddress -like "*"} -SearchBase $OU | where {$_.enabled -eq $true -and -not ($ExcludeUsers -contains $_.Name)} | where{$_ -ne $null} | %{Add-ADGroupMember -Identity $ADGroup -Members $_}

    }else{

        Write-Host "Create distribution group $($_.Name)."
        New-ADGroup -Name $_.Name -SamAccountName $_.Name -GroupCategory Distribution -GroupScope Universal -DisplayName $_.Name -Path $($_.DistinguishedName) -Description "Distribution group for $($_.Name)."
        $ADGroup = Get-ADGroup $_.Name
        Get-ADUser -Filter {EmailAddress -like "*"} -SearchBase $_.DistinguishedName | where {$_.enabled -eq $true -and -not ($ExcludeUsers -contains $_.Name)} | where{$_ -ne $null} | %{Add-ADGroupMember -Identity $ADGroup -Members $_}
    }
}

# custom configuration
$Configs | %{

    $ADGroup = Get-ADGroup -Identity $_.Name
    $Config = $_

    if($_.Options -match "UpdateFromGroups"){

        Write-Host "Add users from $($Config.AddGroups) to $($ADGroup.Name)."
        Get-ADGroupMember -Identity $ADGroup | %{Remove-ADGroupMember -Identity $ADGroup -Members $_ -Confirm:$false}
        $Config.AddGroups | %{Get-ADGroupMember -Identity $_ -Recursive | Get-ADUser | where {($_.enabled -eq $true) -and -not ($ExcludeUsers -contains $_.Name)}} | select -Unique | %{Add-ADGroupMember -Identity $ADGroup -Members $_}

    }

    if($_.Options -match "RemoveGroups"){

        Write-Host "Remove users from $($Config.RemoveGroups) in $($ADGroup.Name)."
        $ADGroupMembers = Get-ADGroupMember -Identity $ADGroup
        $Config.RemoveGroups | %{Get-ADGroupMember -Identity $_ -Recursive | Get-ADUser | where {($ADGroupMembers -match $_) -and ($_.enabled -eq $true) -and -not ($ExcludeUsers -contains $_.Name)}} | select -Unique  | %{Remove-ADGroupMember -Identity $ADGroup -Members $_ -Confirm:$false}

    }
}

if($error){
    Send-PPErrorReport -FileName "activedirectory.mail.config.xml" -ScriptName $MyInvocation.InvocationName
}

Latest version of this script: https://gist.github.com/6352037