
Friday, September 15, 2017

ADFS tricks for MFA

ADFS additional authentication rules for the Office 365 relying party: skip MFA when users connect from the intranet or from Lync/Skype clients, and enforce MFA for members of one AD group when they connect from outside. The first rule tags every request whose client user-agent does not match skype, ACOMO or lync with a custom not_lync claim; the second rule issues the multipleauthn authentication method only when the user is in the group, the not_lync claim is present and insidecorporatenetwork is false. Keep in mind that the x-ms-client-user-agent claim is supplied by the client, so the Lync exemption can be bypassed by any client that sends a matching User-Agent string: treat it as a convenience for legacy clients, not as a security boundary.

# Office 365 relying party trust (name as created by Azure AD Connect / DirSync)
$rp = Get-AdfsRelyingPartyTrust -Name "Microsoft Office 365 Identity Platform"

# Rule 1: tag requests that do not come from a Skype/Lync client with a custom not_lync claim.
# Rule 2: require MFA (multipleauthn) for members of the group SID when the request is
#         not from a Lync client and not from inside the corporate network.
$groupMfaClaimTriggerRule = '
NOT EXISTS([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent", Value =~ "(?i)skype"])
 && NOT EXISTS([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent", Value =~ "(?i)ACOMO"])
 && NOT EXISTS([Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent", Value =~ "(?i)lync"])
 => add(Type = "http://schemas.company.com/not_lync", Value = "true");

c1:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-5-21-796845957-688789844-854245398-6148"]
 && c2:[Type == "http://schemas.company.com/not_lync", Value == "true"]
 && c3:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");
'

# Replaces the relying party's additional authentication rules; run on the primary ADFS server.
Set-AdfsRelyingPartyTrust -TargetRelyingParty $rp -AdditionalAuthenticationRules $groupMfaClaimTriggerRule


We use this rule to let Lync on-premises users use Exchange Online.
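As an added example (not code from the original post), the same change wrapped in a function that resolves the group SID from a group name instead of hard-coding it, saves the current rule set before overwriting it, and reads the stored rules back so they can be compared with what was intended. The group name MFA-Users, the backup folder and the custom not_lync claim type are assumptions; it needs the ADFS and ActiveDirectory modules on the primary ADFS server.

```powershell
# Added example, not part of the original post. Assumes the ActiveDirectory and ADFS
# modules are available and that the group name and backup folder passed in exist.
Import-Module ActiveDirectory
Import-Module ADFS

function Set-O365GroupMfaRule {
    param(
        [string]$RelyingPartyName = 'Microsoft Office 365 Identity Platform',
        [Parameter(Mandatory)][string]$MfaGroupName,   # assumed group, e.g. 'MFA-Users'
        [string]$BackupFolder = 'C:\AdfsBackup'        # assumed path
    )

    # Resolve the SID at run time so the rule is not tied to a copied-and-pasted SID.
    $sid = (Get-ADGroup -Identity $MfaGroupName).SID.Value

    $rp = Get-AdfsRelyingPartyTrust -Name $RelyingPartyName
    if (-not $rp) { throw "Relying party '$RelyingPartyName' not found" }

    # Keep the previous rule text so the change can be rolled back with Set-AdfsRelyingPartyTrust.
    if (-not (Test-Path $BackupFolder)) { New-Item -ItemType Directory -Path $BackupFolder | Out-Null }
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $rp.AdditionalAuthenticationRules |
        Out-File -FilePath (Join-Path $BackupFolder "AdditionalAuthRules-$stamp.txt")

    $ua      = 'http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent'
    $icn     = 'http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork'
    $grp     = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid'
    $notLync = 'http://schemas.company.com/not_lync'   # custom claim type used by the post

    # Expanding here-string: $-variables are substituted, the "..." quotes stay literal.
    # Whitespace and line breaks are insignificant in the claim rule language.
    $rules = @"
NOT EXISTS([Type == "$ua", Value =~ "(?i)skype"])
 && NOT EXISTS([Type == "$ua", Value =~ "(?i)ACOMO"])
 && NOT EXISTS([Type == "$ua", Value =~ "(?i)lync"])
 => add(Type = "$notLync", Value = "true");

c1:[Type == "$grp", Value == "$sid"]
 && c2:[Type == "$notLync", Value == "true"]
 && c3:[Type == "$icn", Value == "false"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",
          Value = "http://schemas.microsoft.com/claims/multipleauthn");
"@

    Set-AdfsRelyingPartyTrust -TargetRelyingParty $rp -AdditionalAuthenticationRules $rules

    # Return what ADFS actually stored; diff it against $rules before trusting the change.
    (Get-AdfsRelyingPartyTrust -Name $RelyingPartyName).AdditionalAuthenticationRules
}

# Usage (on the primary ADFS server):
# Set-O365GroupMfaRule -MfaGroupName 'MFA-Users'
```

The backup file is the rollback path: `Set-AdfsRelyingPartyTrust -TargetRelyingParty $rp -AdditionalAuthenticationRules (Get-Content <file> -Raw)` restores the previous behaviour if the new rule locks people out.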

Thursday, August 31, 2017

PowerShell module for DNS on Windows 2008 R2

Here is a module that you can use on legacy servers: http://dnsshell.codeplex.com/. Once installed you can run, for example, Get-DnsRecord.

But if you have Windows Server 2012 R2 (the DnsServer module shipped with Windows Server 2012 and later) you do not need an external module any more: use the built-in Get-DnsServerResourceRecord and enjoy.
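As an added example (not from the original post), one thing the built-in cmdlet makes easy that is worth running regularly: listing dynamic A records that have not been refreshed for a while. Stale records that still point at decommissioned hosts are a common source of dangling DNS entries. The zone name, server name and age threshold are assumptions; it needs the DnsServer module and a zone with aging enabled, since only dynamic records carry a Timestamp.

```powershell
# Added example, not part of the original post. Assumes a Windows Server 2012+ DNS server
# reachable as $ComputerName and an AD-integrated zone with aging enabled, so dynamic
# records carry a Timestamp and static records have none.
Import-Module DnsServer

function Get-StaleDnsARecord {
    param(
        [Parameter(Mandatory)][string]$ZoneName,   # e.g. 'corp.example.com' (assumed)
        [string]$ComputerName = 'localhost',
        [int]$OlderThanDays = 30
    )
    $cutoff = (Get-Date).AddDays(-$OlderThanDays)

    Get-DnsServerResourceRecord -ZoneName $ZoneName -ComputerName $ComputerName -RRType A |
        Where-Object {
            # Static records have no Timestamp; only dynamic ones can go stale.
            $_.Timestamp -and $_.Timestamp -lt $cutoff
        } |
        Select-Object HostName,
                      @{ Name = 'IPv4Address'; Expression = { $_.RecordData.IPv4Address.ToString() } },
                      Timestamp |
        Sort-Object Timestamp
}

# Usage:
# Get-StaleDnsARecord -ZoneName 'corp.example.com' -ComputerName 'dc01' -OlderThanDays 60 |
#     Format-Table -AutoSize
```

Review the output against the asset inventory before removing anything; Remove-DnsServerResourceRecord on the same module deletes a record once you are sure the host is gone.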



Thursday, August 17, 2017

PSTN gateway not recognised by Lync 2013 mediation

Getting this error for the SIP trunk over TLS after deployment of a new SBC:

Log Name:      Lync Server
Source:        LS Mediation Server
Date:          8/16/2017 12:36:43 PM
Event ID:      25075
Task Category: (1030)
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      xx
Description:
Mediation Server encountered an invalid setting that has been ignored.

Setting: PSTNGatewayService Fqdn: xx;trunk=yy
Reason: [Config] A Gateway Peer's (xx) internal settings are not configured correctly: NextHopPort = 5067, TransportType = TLS, NextHopIpAddress = N/A

Cause: Settings configured incorrectly.
Resolution:
Reconfigure the specified setting.


Double-checking certificates, DNS and the topology did not reveal any discrepancy; everything looked correct. Did I need to restart the server?

The solution was to re-publish the same topology a second time; this time the Mediation Server refreshed its internal tables correctly and let the SIP trunk come up.
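As an added example (not from the original post), the same troubleshooting loop from the Lync Server Management Shell: pull recent 25075 warnings from the Lync Server event log and extract the gateway FQDN and trunk from the message text, then export the current topology and publish it again, which is the fix described above. The hours window and the export path are assumptions.

```powershell
# Added example, not part of the original post. Run in the Lync Server Management Shell
# on the Mediation Server (or a server with the Lync module); the export path is assumed.
Import-Module Lync

function Get-MediationGatewayWarning {
    # Event 25075 from LS Mediation Server, with the gateway FQDN and trunk parsed out of
    # "Setting: PSTNGatewayService Fqdn: <fqdn>;trunk=<trunk>".
    param([int]$LastHours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName      = 'Lync Server'
        ProviderName = 'LS Mediation Server'
        Id           = 25075
        StartTime    = (Get-Date).AddHours(-$LastHours)
    } -ErrorAction SilentlyContinue |
    ForEach-Object {
        if ($_.Message -match 'Fqdn:\s*(?<fqdn>[^;\s]+);trunk=(?<trunk>\S+)') {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Gateway = $Matches.fqdn
                Trunk   = $Matches.trunk
                Message = $_.Message
            }
        }
    }
}

function Invoke-CsTopologyRepublish {
    # Export the topology exactly as it is and publish it again, then enable it so the
    # Mediation Server reloads its gateway settings. The file is kept as a record.
    param([string]$Path = "$env:TEMP\topology-$(Get-Date -Format 'yyyyMMdd-HHmmss').xml")
    (Get-CsTopology -AsXml).ToString() | Out-File -FilePath $Path -Encoding UTF8
    Publish-CsTopology -FileName $Path
    Enable-CsTopology
    $Path
}

# Usage:
# Get-MediationGatewayWarning -LastHours 48 | Format-Table Time, Gateway, Trunk -AutoSize
# Invoke-CsTopologyRepublish
# Get-CsService -PstnGateway          # confirm the gateway FQDN, port and TLS as Lync sees them
# Get-MediationGatewayWarning -LastHours 1   # should return nothing once the trunk is up
```

If the warning keeps appearing after the re-publish, the event's NextHopIpAddress = N/A line is the hint to go back to name resolution for the gateway FQDN on the Mediation Server itself.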