Keeping AD FS Integrated Windows Authentication (IWA/WIA) Clients Signed In

Over the last couple of years we’ve started doing less AD FS work, with the advent of Password Hash Sync for Azure AD sign-on, and Microsoft’s continued investment in Azure AD Premium. We’ve also seen a few organisations struggle to operate AD FS successfully, even if I personally like the technology. So I’ve changed our approach to unveil all of this with as much realism as possible, and to draw some feature comparisons in both directions. We also spend a lot of time talking about expectations of SSO, and how the ways we think about SSO on the web aren’t quite as automatic as what we get with Windows hashes and tickets.

So… what this means is that we don’t do as much AD FS work anymore, and when Microsoft released a hotfix for AD FS in the August 2014 update rollup, it didn’t catch my eye. This hotfix and the related configuration that needs to be added to the AD FS trust with Azure AD are documented in the newer Configure Persistent Single Sign-On article, and I first picked up on this configuration in the Azure MFA article for AD FS. At any rate, this configuration specifies two new Issuance Transformation Claims Rules for the AD FS Relying Party Trust with Azure AD (AKA “Microsoft Office 365 Identity Platform”):

How to enable Lync audio within a Remote Desktop session

I’ve been working from home a bit more lately, and with that, I’ve been fine-tuning how I work. For instance, I’ve been using the “Use all my monitors” setting in order to stretch my remote desktop session across two screens. In Windows 8 this is a big improvement, as your monitors can be different resolutions and it supports that just as if you were at your desk.

Office 365 Single Sign Out with ISA or TMG as the ADFS Proxy

Over the last year I’ve spent a decent chunk of my time shaping and delivering Identity and Access Management workshops for Office 365 projects at Content and Code. This is generally underpinned by Active Directory Federation Services v2.0 (ADFS). In fact I don’t think we’ve done a single Office 365 project without it. Along the way I’ve become acquainted with many of the nuances of the sign on and sign out experiences as they differ across Office 365 services, client applications and different (valid) network perimeter technologies. In this post I will mainly focus on the security implications of publishing ADFS through ISA or TMG Reverse Proxies in the place of ADFS Proxy servers. In the majority of our engagements we’ve considered this option (potentially allowing our clients to consolidate infrastructure) since ISA, TMG or similar Reverse Proxies are commonly deployed. Yet we need to evaluate with full awareness of how ADFS operates without a Claims-aware Reverse Proxy such as the ADFS Proxy. This gets pretty technical, so I’m assuming some high-level familiarity with ADFS, Reverse Proxies and Office 365.
Lync, Strings and Cans

Like a lot of people in the Microsoft partner community, I’ve been catching up with Lync this year and digging into the finer details with a few of my colleagues. One thing we wanted to understand better was the routing between two users over a LAN, a private WAN, or some other connection where all the necessary network ports would be open. Would these clients communicate peer-to-peer? If so, does it always behave the same way, how is it accomplished and what might go wrong?

First, consider an organisation with offices across multiple floors or buildings. Lync may be a very effective means of connecting these employees despite their relatively close proximity. If this traffic can route locally it can be a big plus – especially if there’s lots of media traffic. Second, consider an organisation with multiple branches. They invested in private WAN links to connect these branches and don’t necessarily want to route Lync traffic over their internet connections if they can avoid it. For some organisations these will be non-issues, since Lync traffic is optimised for the WAN, but for other organisations this may be important – particularly if they’re in a part of the world where internet connections are slow or expensive (or both). So we went about testing this with the Lync 2010 client and Office 365 users (the behaviour is the same with Microsoft Online IDs or federated users).

No Lossless Audio With Zune

UPDATE 9 May 2012: This article has been out there for nearly 18 months but I’ve only just got a comment today that’s invalidated it. In short, everything here is accurate until you get to the point when you synchronise to your Windows Phone with Zune. At that point, Zune will transcode Lossless WMA files to MP3, even if the conversion settings are set to “Only convert media files that aren’t supported by the device”. As described here, my device does support these files! Evidently, as James Shiers points out, the problem is not device support, but that the Zune software doesn’t support Lossless WMA (no citation unfortunately). What makes this even more confusing is that the quality settings are greyed out until you select the other option, so there’s no indication that this might be happening. In fact, the only real clue you have in the Zune client is that the file size will be smaller than the original.

All of this is a bit embarrassing since it proves I couldn’t tell the difference from 320 kbps MP3, which was the whole point of the effort to begin with, but there you go… :/ I’ll leave the post in place, in case the transcoding process is useful to anyone, and in case a new means of syncing supports these files in future.

Original post
When I’m not wearing my SharePoint hat, I try to find the time to make electronic music. Over the last few years I’ve invested a great deal of time and effort moving from a PC-based Digital Audio Workstation (DAW) to an entirely outboard setup, with a large mixing console and various synths, drum machines, sequencers, samplers and dynamics processors. All of this suits me greatly, as it means I’m doing one less thing in front of the computer screen.

Office Web Apps Infrastructure Considerations

I’ve recently been involved in a somewhat unusual client engagement, in that I was designing and delivering the infrastructure without knowing the shape of the IA or solution architecture. Obviously, this imposed some restrictions on what we could define, but it also meant that I had to handle some aspects of the engagement that would normally be taken care of by other colleagues. To that end, I suppose some of these considerations aren’t purely infrastructure-specific, but they could be in an engagement like this one and they’re things that infrastructure people should understand. Hopefully it’ll be useful for solutions people as well.

User Profile Service Connection and Slow First Page Load

I’m presently running some quite methodical SharePoint 2010 development environment performance tests, as we’re finding that the Dell XPS M1330 we’ve been using for the last few years doesn’t really cut it in some scenarios. This has been an ongoing issue for some time where I work, but it’s only recently been prioritised at the top of my workload. That it is now my top priority should give some indication of how important these issues are for any company that spends significant time customising SharePoint. I’ll be discussing this wider project in more detail once I’ve finished my testing in the next couple of weeks, but for now I wanted to share a provisional finding about connecting Web Applications to the User Profile Service Application.

Save Behaviour in SkyDrive and Office Web Apps

Being the good SharePoint advocate that I am, I recently tried out the Office Web Apps in SkyDrive (Windows Live) for collaboration with my wife (primarily expenses spreadsheets, etc). I’ve always found Google Docs to be lacking in many ways and I wanted to get more experience with the Office Web Apps since I typically use the full Office 2010 client at work. Despite a few annoyances, we were getting on reasonably well, especially since it’s free. I needed to crack a document open in the full version of Excel 2010 to format in anger once, but this is an acceptable compromise for a free, web-based document store.

Fast-forward to the other day and my wife decided to use the Office Web Apps to draft a document rather than using Microsoft Works or Open Office (the other options on her home laptop). Despite some slow responses periodically, all seemed to work well, or so she thought until she got into work the next day and opened up a blank document.