Office 365 Single Sign Out with ISA or TMG as the ADFS Proxy

Over the last year I’ve spent a decent chunk of my time shaping and delivering Identity and Access Management workshops for Office 365 projects at Content and Code. This is generally underpinned by Active Directory Federation Services v2.0 (ADFS). In fact I don’t think we’ve done a single Office 365 project without it. Along the way I’ve become acquainted with many of the nuances of the sign on and sign out experiences as they differ across Office 365 services, client applications and different (valid) network perimeter technologies. In this post I will mainly focus on the security implications of publishing ADFS through ISA or TMG Reverse Proxies in the place of ADFS Proxy servers. In the majority of our engagements we’ve considered this option (potentially allowing our clients to consolidate infrastructure) since ISA, TMG or similar Reverse Proxies are commonly deployed. Yet we need to evaluate with full awareness of how ADFS operates without a Claims-aware Reverse Proxy such as the ADFS Proxy. This gets pretty technical, so I’m assuming some high-level familiarity with ADFS, Reverse Proxies and Office 365.

Contents

Continue reading “Office 365 Single Sign Out with ISA or TMG as the ADFS Proxy”

Failed Detection of PeopleILM Components and User Profile Synchronisation Service DCOM 10016 Errors

In my last post, I described some of the security considerations that influence an administrator’s response to event log clutter generated by DCOM errors. There are known remedial steps for most of these errors, but the impact of fixing them is often poorly understood, so I tried to clear some of that up. In this post, I’ll review how I’ve responded to the User Profile Synchronisation Service’s DCOM 10016 errors and the corollary MsiInstaller warnings with these security considerations in mind.

Failed Detection of PeopleILM Components

According to Microsoft KB article 2473430, these events occur, “while attempting to manage a User Profile Service Application”. To be more specific, the symptoms are described as:

When you attempt to manage the User Profile Service Application via Central Admin on a SharePoint Server 2010 with the User Profile Synchronization service started after an IISReset, the following warnings are logged in the application log of the SharePoint server…

Personally, I’ve never been able to pin down a firm cause of these events, so I’m happy to go with this Microsoft description, although I struggled to replicate this recently. Regardless, I’ve certainly seen the events in a large number, if not all User Profile Synchronisation Service instances I’ve encountered/built. One thing I find interesting is that these MsiInstaller warnings are accompanied by DCOM 10016 errors on the Windows Installer Service (DCOM component {000C101C-0000-0000-C000-000000000046}) and a few MsiInstaller warnings that closely resemble the Product Version Job DCOM permission errors I’ve spoken to before. This is what we’re looking at:

Continue reading “Failed Detection of PeopleILM Components and User Profile Synchronisation Service DCOM 10016 Errors”

DCOM Security for SharePoint Administrators

In a server administrator’s never-ending battle with log clutter, DCOM errors have proven to be some of the most persistent and poorly-understood events – especially with SharePoint. Our community has been building up remedial practices for the most common of these errors, but changes to the number and complexity of these fixes over the last few years call for a deeper look at what we’re changing, and the effects of these changes beyond a reduction in red and yellow icons in the event logs. In this post I’ll talk about some of the fundamental concepts from a Systems dude’s perspective and along the way I hope to convey a better understanding of Windows itself.

Continue reading “DCOM Security for SharePoint Administrators”

SharePoint Server 2010 Search Scopes and Pre-Windows 2000 Compatibility Access

Back in the pre-release days of SharePoint 2010, one of the most reliable sources of information on infrastructure issues was Russ Maxwell’s SharePoint Brew blog. It’s still a great resource, although he’s posting less frequently now than he was during the beta. In this post I want to share my findings regarding Pre-Windows 2000 Compatibility Access group rights in Active Directory. Everything I have to say is supplementary to Russ’s foundational explanation of Why the tokenGroupsGlobalAndUniversal (TGGAU) attribute matters in SharePoint 2010. I’m picking the discussion up from his closing comment, “At a minimum, certain service accounts like the search service account need to be a member of this group.”

Continue reading “SharePoint Server 2010 Search Scopes and Pre-Windows 2000 Compatibility Access”

Conficker Protection Breaks Search

A couple of months ago I was happily building a client’s SharePoint Server 2010 farm when I stumbled at Search. The Service Application provisioned fine, but when I pushed out topology changes I started to have problems. Later, these problems returned in different forms, but the root cause appears to have been consistent. In this post I will review the symptoms, the single fix and the reason why this issue emerged in this environment. I’ll also look at some unexpected permission changes that occur when new servers receive Search Service Instances.

Continue reading “Conficker Protection Breaks Search”

Office Web Apps Infrastructure Considerations

I’ve recently been involved in a somewhat unusual client engagement, in that I was designing and delivering the infrastructure without knowing the shape of the IA or solution architecture. Obviously, this imposed some restrictions on what we could define, but it also meant that I had to handle some aspects of the engagement that would normally be taken care of by other colleagues. To that end, I suppose some of these considerations aren’t purely infrastructure-specific, but they could be in an engagement like this one and they’re things that infrastructure people should understand. Hopefully it’ll be useful for solutions people as well.

Continue reading “Office Web Apps Infrastructure Considerations”

ASP.NET Padding Oracle Fix and Risks

As most SharePoint, security and .NET professionals will know by now, a hotfix for the Padding Oracle vulnerability in ASP.NET was released out-of-band on Tuesday. A live TechNet Webcast with a Q&A was held with Dave Forstrom, Director, Response Communications and Dustin Childs, Senior Security Manager. I’ve put together these rough notes from that webcast, as I think this information needs to reach a wider audience.

This is intended to be a (very) rough guide to the webcast content, and I make no claims about the accuracy – I’ve purely attempted to repeat a small portion of what was discussed on the webcast – some of which was covered very quickly. If any of this is of particular interest, I suggest watching the webcast. I’m primarily interested in motivating people to apply the patch while repeating some of the considerations that should be… considered before doing so.

Continue reading “ASP.NET Padding Oracle Fix and Risks”