ADFS 4.0 idpinitiatedsignon Error

Hi all,

The other day I was creating an ADFS lab in order to test some features and configurations, as you will probably know, a quick way to test an ADFS deployment is to access the idpinitiatedsignon sign page.

After I deployed my ADFS farm, I tried to access and I received the following error message: “The resource you are trying to access is not available. Contact your administrator for more information.”

At the beginning it was annoying, because I was thinking that I did someone incorrectly, so I spend some time thinking about what I did wrong, I checked the event log and I saw the following:

Description:
Encountered error during federation passive request.

Additional Data

Protocol Name:
Relying Party:
Exception details:
Microsoft.IdentityServer.Web.IdPInitiatedSignonPageDisabledException: MSIS7012: An error occurred while processing the request. Contact your administrator for details.
at Microsoft.IdentityServer.Web.Protocols.Saml.IdpInitiatedSignOnRequestSerializer.ReadMessage(WrappedHttpListenerRequest httpRequest)
at Microsoft.IdentityServer.Web.Protocols.Saml.HttpSamlMessageFactory.CreateMessage(WrappedHttpListenerRequest httpRequest)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlContextFactory.CreateProtocolContextFromRequest(WrappedHttpListenerRequest request, ProtocolContext& protocolContext)
at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.CreateProtocolContext(WrappedHttpListenerRequest request)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetProtocolHandler(WrappedHttpListenerRequest request, ProtocolContext& protocolContext, PassiveProtocolHandler& protocolHandler)
at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

So, indeed what it is saying is that the idpinitiatedsignon property is disabled. So, to check if it is this, you can execute the following PS command in the ADFS farm:

Get-AdfsProperties | fl *idpinitiatedsignon*

adfs.png

As you can see in the picture, it was disabled, so in order to solve this problem, just run the following command:

Set-AdfsProperties -EnableIdpInitiatedSignonPage $true

After that, all my problems were solved 😊

Planner, Project, task list… which tool should I use?

Most of my customers are confused with the introduction of Planner in Office 365 and its use to track activities or projects inside the company.

The main idea of this post is to resume which option is best to tackle activities in projects and tasks. So, what we have? What we should choose in each case?

  • Microsoft Project: it is used in Project management, a tool that allows to have in one site all the projects, and at the same time have a lot of tools to integrate the projects and manage them. The main drawback that it very hard to implement inside a company.
  • Microsoft Planner: it is used to manage little projects or to manage activities in workgroups. The great advantage of this tool is that requires a low effort to implement it.
  • SharePoint Task list: it’s a kind a task management, in this case allows to manage task individually.

So now, we’re going to take a deeper look to these options:

Product Advantages Drawbacks
Microsoft Project Detail of resources, calendars and assignations

Management of hours

Gantt diagram

Report diagram

Possibility to integrate with PowerBI

Integrate with SharePoint

Risk Management

 Knowledge of management

High license cost

It is necessary to associate a mail to the sites

 
Microsoft Planner Very easy for the user

Centralize projects in one site

Graphics to report activities and state of the projects

Mailbox for each project

It is included in Office 365 license

 Only is it possible to relate tasks by 3rd party solutions

Gantt diagram with 3rd party solutions
SharePoint Task List Possibility to create and assign task to users

Possibility to relate tasks

Send mails when activities are completed or assigned

See how tasks are delayed or personalized views by user

It is possible to synchronize it with Project

 It is necessary to create a list for each Project

Does not exist a site where is it possible to see all the tasks lists

No possibility to see a graphic

That’s all, till next time!

Configuring Proxy PACs

Being immersed in Office 365 pilots and adoptions, a lot of questions are fired by the customers, some of them are related with networking requirements. Most of the times, I am able to give them some guidance on how to configure environments and give to them some best practices, but in occasions, happens that they had a lot of customizations in the proxy servers in order to control the server communications to the outside.

But I have found some posts in the technet blogs about how to automate the configuration of ProxyPac. With these scripts, we’re able to configure the proxies and configure the bypass list in the server as well as configure the outbound firewall rules to allow to access to the appropriate IPs and URLs.

I’m sure that with all this stuff, we will able to save enough time to be focused in other important things.

So, if you want to automate the configuration of ProxyPac’s and do you want to automate it, I strongly recommend visiting the follow links and extract the info from it:

https://blogs.technet.microsoft.com/undocumentedfeatures/2016/08/18/updates-to-office-365-proxy-pac-generator/

https://blogs.technet.microsoft.com/undocumentedfeatures/2015/11/16/office-365-pac-file/

https://blogs.technet.microsoft.com/undocumentedfeatures/2016/04/06/deploying-the-office-365-proxy-pac-to-manage-your-users/

https://gallery.technet.microsoft.com/office/Office-365-Proxy-Pac-60fb28f7

 

ADFS: Configure your password change

Users are always allowed or forced to change their passwords, and sometimes this actions increment the amount of work to IT. However, in ADFS 3.0 include a feature that enable a self-service portal password change available for your end-users.

So this post tries to follow the steps to configure it:

  • First, enable the Password Change Portal:Open your AD FS Management tool on the primary server, navigate to the EndPoints under Services\Endpoints. At the bottom you will see the /ADFS/portal/updatepassword/ endpoint, right click it and choose enable. Right click again and choose enable on proxy.
  • Test change password portal: browse to https://sts.domain.com/adfs/portal/updatepassword you will similar to the adfs login page where you can update your password
  • Enable password expiry notification: You can configure Active Directory Federation Services (AD FS) to send password expiry claims to the relying party trusts (applications) that are protected by ADFS. To do this it is necessary to configure a Claim Rule:

c1:[Type == “http://schemas.microsoft.com/ws/2012/01/passwordexpirationtime”%5D => issue(store = “_PasswordExpiryStore”, types = (“http://schemas.microsoft.com/ws/2012/01/passwordexpirationtime”, “http://schemas.microsoft.com/ws/2012/01/passwordexpirationdays”, “http://schemas.microsoft.com/ws/2012/01/passwordchangeurl”), query = “{0};”, param = c1.Value);

  • Finally: you can tweak your ADFS login page to show a link to the change password portal

That’s all!

Ref: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/configure-ad-fs-to-send-password-expiry-claims

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/ad-fs-user-sign-in-customization

 

Set up working hours in Google calendar

A lot of us have very busy schedules each and every day.  Somehow, we manage to get through all the meetings and events throughout the day and make our way home to family, friends, and pets.  To ensure that we are able to separate our work life from our personal life, Google Calendar gives us the option to set up our working hours.  These hours are the hours that we are typically in the office and available for meetings and/or events.  Let’s take a look at how to set up our working hours below.

Once you have your Google Calendar open, locate and click on the gear in the upper right hand corner and then click on ‘Settings.’  Scroll down until you see the section for “Working Hours.”

calendarwh.png

This feature is very helpful if you are a busy person and need to have some ‘me’ time. Now, this doesn’t mean that you can’t attend events that are scheduled outside of your working hours … you’re just professionally informing the parties that you are typically not available outside of the set hours.

New Flow templates for Planner

Do you need to automate your tasks into Planner and don’t know how to do it? Today, is your lucky day, recently, Microsoft Flow is updating their flow templates to cover migration tasks to Planner and able to manage them from there.

So, the new available templates are the following:

Create planner tasks for flagged emails in Office 365: with this flow, will be possible to create tasks in Planner from all the Outlook mails that have been flagged in our inbox. Every flagged mail, will be created and assigned to us. Great start 🙂

On new SharePoint items create Planner task and assign to creator: Most of my customers demand this, they have a task list in SharePoint, and they want a solution to automate this “migration” to Planner. So, when new items are added to the SharePoint task list, new item will be created in Planner and assigned to the person who created the task.

And finally, an option to migrate from the competitor Trello to Microsoft Planner: will be possible to get a task created in Microsoft Planner for each card added to a list in Trello.

I hope that Microsoft will continue updating those kinds of templates to offer new features and new possibilities.

till next time!

Team drives in GSuite

Few days ago, the only solution that GSuite offers to share files was Google Drive, it was focused more on individual users rather than in teams, meaning that files were uploaded in personal folders and then shared with colleagues to collaborate with them.

But what happens when a user leaves the company? All their Google Drive account was deleted as well resulting in unwanted loss of important company information. But recently, Google has launched Team Drive to solve this 😊

Team Drives was announced last September and it was possible to access to it in Early Adopt program, but now is in GA. The main purpose of Team Drive id a management tool for businesses, where users can drop documents, presentations, and more stuff to store in the cloud and share with co-workers.

So, when a user is added to a team, all the files will be instantly accessible, and the same behaviour happens when a user leaves the company, no files will be lost or deleted. Moreover, a user can only have edit access, meaning that the user will be able to create and add files, but won’t be possible to delete or move any files.

Individuals can be a member of multiple Team Drives. Each is shown in the Team Drives section. Also very Team Drive can have different members (including external users) and permissions

If you want more info about Team Drive:

https://gsuite.google.com/learning-center/products/drive/get-started-team-drive/