Facebook Workplace:- SSO ADFS

I decided to write this article for anyone who, like us, is an early adopter of Facebook Workplace and has SSO issues with ADFS, as the documentation here at the time of writing is limited and makes some assumptions. I will try to save you some time with a few tips below.

TLDR:- If, like me, you are stuck in a login loop, the cause is most likely either that the users are not set to SSO or that you get the following error:

SSO Not Authenticated
The SAML Response was invalid. Please check that all fields are correct and try again. 

This is most likely down to the email address not matching or, even better, a trailing / at the end of the ADFS URLs! (I wasted an hour or so on this.)

The next piece of advice: if you are going to use Azure AD as the identity provider for the users' details, get SSO working before setting that up. Otherwise you will need to delete the users or use the bulk edit tool in the People menu to set everyone to SSO. Press the Edit People button.

Within this menu select Download CSV; this generates an email to the admin user you are logged in as.

Once downloaded, open the file and you will see that you can change users en masse from password to SSO.

You can tell whether a user is on SSO or not by clicking the … at the end of the user's row; below is a pre-synced user before SSO.

And this is an SSO user; as you can see, the Force SAML authentication option appears.

But of course you first need to get SSO working, and this is probably why you are here. Firstly, the documentation you follow from Facebook may differ from what you see, as this depends on the version of ADFS you are using. I was using Server 2016, not 2012 as in their screenshots, so just follow it as best you can. You will also notice that, at the time of writing, when you follow the hyperlink for next steps in the PDF you get this page; don't panic! I have listed out what I did below.

I fumbled along and came up with the below from what I gathered from the PDF guide.

Now hit Test SSO and you will most likely get the same error as I did.

I also got the following error in my ADFS logs whilst I was playing around with the claim transform rules. If you get this then you may have a typo in them, as the E-Mail Address claim type is case sensitive and is typed slightly differently in the PDF versus the screenshot:

Description:
The SAML authentication request had a NameID Policy that could not be satisfied.
Requestor: https://www.facebook.com/company/COMPANYID
Name identifier format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
SPNameQualifier:
Exception details:
MSIS7070: The SAML request contained a NameIDPolicy that was not satisfied by the issued token. Requested NameIDPolicy: AllowCreate: True Format: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress SPNameQualifier: . Actual NameID properties: null.

I played around with this for a while thinking I had done something wrong. When you copy the URLs from your ADFS config, like below, they have a / at the end of them; ignore this, as it appears the URL generated by the SSO setup in Facebook already adds it. Remove the trailing / from your URLs above so they now look like this:

If you press Test SSO again and all is in order, you should now see the following:

You will also notice that the form refuses to save until you get the above message. You may also need to add additional email domains to allow single sign-on, depending on the users' primary email addresses.

Toggling Users:- If you need to toggle a specific user between password and SSO, select the … at the end of the user's row, scroll to the bottom and change the "Login with" option.

VMware VRDCEX – On HP Mixed Reality (Windows VR)

So I am at it again… I was very, very lucky to get an HP Mixed Reality headset for Christmas, mainly because I like being purchase savvy: the laptop I bought (sorry, my amazing wife, as a present) was not only on offer but still qualified for the free headset! I thought this was going to be a very drawn-out process, but thanks to the work I did with the Oculus it took me all of 20 minutes to get it up and going. The nice thing is that it is easy to set up if I want to demo this anywhere.

There are only a few steps, some hopefully obvious enough to skip and others you need to do, but go and open my other guide in another tab here (just for reference).

Step 1. Get all the required files for VRDCEX by cloning/downloading the GitHub repo and getting the build from here.

Step 2. Extract both of these to a common location. I decided to put them under the folder below, but it is fine to choose your own.

Step 3. Go and set up your Windows Mixed Reality headset as you usually would, if you haven't already done so.

Step 4. Grab the latest copy of Steam, and SteamVR once Steam is set up. This essentially works as the translator/interpreter for the Mixed Reality headset, so we don't need any coding. Before we start to configure VRDCEX we need to launch SteamVR just to ensure it can see the Mixed Reality headset. You will also need the following plugin from here via Steam. I found I had to reboot once or twice and experiment with the Mixed Reality Portal being open or not.

For demos I usually try to use Standing Only, as space is usually limited. You may also get the very cool Portal-inspired intro to help you configure the headset. I am not sure if you will see all of this below or whether it was because I also have the Oculus available on my machine.

If you have got this far, hopefully you will now see the below. Put on the headset and just make sure that SteamVR does load before continuing.

You can see that Steam sees both the Mixed Reality and the Oculus headsets with their respective components.


Step 5. Let's get down to the main bit and install/configure VRDCEX. First go back to Steam and select Add a Game at the bottom of your games list.

From here select Browse, navigate to where you extracted your downloads earlier and select the executable. Hit Add Selected Programs and you should now see it appear in your Steam library.

Step 6 (Optional). Go to your extracted files and find the assets folder and the WireMock folder. Create a shortcut on your desktop for On-Prem_Endpoint.bat. You will also need the latest version of the Java JRE. The nice thing about this is that, until you have a real vCenter ready, it lets you play with the app by emulating vCenter.

I used JRE 8u151 for my configuration. Double-click your shortcut; you will need to override the Windows 10 protection prompt, as the file was downloaded from the internet.

Check that everything is running by browsing to https://localhost:8082 before proceeding.

Step 7. It sounds odd, but go and launch the exe without worrying about your headset. You need to do this as it generates a configuration file under your AppData folder that you need to amend. Close the VRDCEX app once it has opened and then open the config file. In mine I have put the WireMock emulator from Step 6, but you can put in your own vCenter here at any point.

Step 8. Enjoy! Go back to Steam and launch your app, put on your headset and enjoy your virtual datacenter.

I have done a little demo video of it running just to show the subtlety of the way Steam pulls in the Windows controllers versus the Vive or Oculus; it is really quite clever.

SharePoint 2016 Phone Book

Another SharePoint post, but I thought this may help other people, and me again one day. The basis of my phone book came from the following two articles, but I found one or two things that in my opinion make it a little better:

http://www.sharepointconfig.com/2013/05/how-to-create-a-simple-sharepoint-2013-people-directory/

http://en.share-gate.com/blog/corporate-directory-sharepoint-search

My first addition was other phone numbers on the profile, such as mobile or desk extension. Secondly, a picture, but it appears that feature has been dropped from AD sync so far in SharePoint 2016.

I also found that the search had to be specific and, let's be fair, we don't always want to type the full name (e.g. Joseph Hausmann); we may only know part of it or be worried about the spelling. The above articles assume you know the exact name. So when building the query, if you put the following in it will allow partial names in searches:

{SearchBoxQuery}* contentclass:*spspeople

With regard to mapping the additional attributes, I used a photo one here as a baseline and the two links below to find the AD attribute to map:

https://technet.microsoft.com/en-us/library/hh147510.aspx

http://www.kouti.com/tables/userattributes.htm

The main one I wanted was the user's mobile, and I hope to be able to add the internal extension somehow too.

One thing I also hope to fix is sorting by last name rather than first, but maybe leave that for another day!

Updating Mass Office 365 User details when not AD synced

A little while back I came across an issue where someone didn't sync their AD to Office 365 as they had two separate domains. There was quite a lot of planning and politics prior to getting one domain. All the users had their email in Office 365, but with two offices and two domains the user details in Office 365 had received very little love.

My main challenge was to get the phone numbers updated in Outlook so each office could easily call the other. As a bonus I also included photos of staff, as people were visiting each office and a lot of new staff were starting too. That is the reason for my main picture: the fear of calling, with everything feeling a little isolated, a bit like a village.

First, let's pull back some details:

Set-ExecutionPolicy RemoteSigned
$cred = Get-Credential   # Office 365 admin account (was undefined in the original snippet)
$session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "https://ps.outlook.com/powershell/" -Credential $cred -Authentication Basic -AllowRedirection
Import-PSSession $session
# -ResultSize Unlimited: without it Get-User silently stops at the default of 1000 users
Get-User -ResultSize Unlimited | Select-Object WindowsEmailAddress,Title,Department,Office,Phone,MobilePhone | Export-Csv c:\scripts\useroutput.csv -NoTypeInformation

Once this has completed, open c:\scripts\useroutput.csv and rename the first column heading from WindowsEmailAddress to login_name. Update any of the required fields and save it as c:\scripts\userlist.csv.

You will also need to add a photo column and put the path to each user's photo in it. I usually resize to 800×600 via IrfanView, as the files are then usually under the 64k JPG limit.

This is also a great time to audit your users' details and job titles with HR, as you can just send them the list.

Once you have all this you can set the update off. You may see a load of yellow warnings for fields that haven't changed, but don't worry!

Set-ExecutionPolicy RemoteSigned
$cred = Get-Credential   # Office 365 admin account (was undefined in the original snippet)
$session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "https://ps.outlook.com/powershell-liveid/?proxymethod=rps" -Credential $cred -Authentication Basic -AllowRedirection
Import-PSSession $session

$user_file = Import-Csv c:\scripts\userlist.csv
$user_file | ForEach-Object {
    # Update the directory details for this user (login_name is the email address)
    Set-User -Identity $_.login_name -Title $_.title -Department $_.department -Office $_.office -Phone $_.Phone -MobilePhone $_.MobilePhone
    # Read the photo as raw bytes (-Encoding Byte is Windows PowerShell 5.1 syntax; PowerShell 7 uses -AsByteStream) and upload it
    $user1 = [Byte[]](Get-Content -Path $_.photo -Encoding Byte -ReadCount 0)
    Set-UserPhoto -Identity $_.login_name -PictureData $user1 -Confirm:$false
} >> c:\scripts\logfile.txt

I haven't used this in a while and couldn't test it again, but I hope it helps someone out there. Use at your own risk, but if you do find a way of making it better do let me know.
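
Because the loop above writes directly to every mailbox in the CSV, a pre-flight pass over userlist.csv before running it is worth the extra minute. The following is an added example, not code from the original post: it checks that the expected columns exist, that every login_name looks like an email address and is unique, and that each photo file exists and is under the size limit the post mentions, and then does a Set-User dry run with -WhatIf. The column names and the 64KB figure are taken from the post; everything else (file path, regular expression) is an assumption you can adjust.

```powershell
# Added example (not from the original post): validate userlist.csv, then dry-run.
# Assumes the columns used by the post's loop and the 64k photo limit it quotes.
$CsvPath      = 'c:\scripts\userlist.csv'
$MaxPhotoSize = 64KB
$Required     = 'login_name','title','department','office','Phone','MobilePhone','photo'

function Test-UserList {
    param([string]$Path, [string[]]$RequiredColumns, [int]$MaxBytes)
    $rows     = @(Import-Csv -Path $Path)
    $problems = @()

    # 1. Every required column must be present; a mistyped header (e.g. the
    #    WindowsEmailAddress -> login_name rename) makes Set-User fail on every row.
    $headers = $rows[0].PSObject.Properties.Name
    foreach ($col in $RequiredColumns) {
        if ($headers -notcontains $col) { $problems += "Missing column: $col" }
    }

    # 2. Per-row checks: identity shape, duplicates, photo presence and size
    $seen = @{}
    foreach ($r in $rows) {
        if ($r.login_name -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') {
            $problems += "'$($r.login_name)': login_name is not an email address"
        }
        if ($seen.ContainsKey($r.login_name)) {
            $problems += "Duplicate login_name: $($r.login_name)"
        }
        $seen[$r.login_name] = $true
        if ($r.photo) {
            if (-not (Test-Path -LiteralPath $r.photo)) {
                $problems += "$($r.login_name): photo not found at $($r.photo)"
            } elseif ((Get-Item -LiteralPath $r.photo).Length -gt $MaxBytes) {
                $problems += "$($r.login_name): photo exceeds $MaxBytes bytes"
            }
        }
    }
    return $problems
}

$issues = Test-UserList -Path $CsvPath -RequiredColumns $Required -MaxBytes $MaxPhotoSize
if ($issues) {
    $issues | ForEach-Object { Write-Warning $_ }
    throw "Fix the $($issues.Count) problem(s) above before applying changes."
}

# Dry run: Exchange cmdlets support -WhatIf, so this reports what would change
# without touching any mailbox. Requires the Exchange session to be imported.
Import-Csv -Path $CsvPath | ForEach-Object {
    Set-User -Identity $_.login_name -Title $_.title -Department $_.department `
             -Office $_.office -Phone $_.Phone -MobilePhone $_.MobilePhone -WhatIf
}
```

One caveat for anyone reusing the session setup from the post today: Microsoft has since retired Basic authentication for the Exchange Online remote PowerShell endpoint, so the New-PSSession line with -Authentication Basic no longer works. The same Set-User and Set-UserPhoto cmdlets are available after Connect-ExchangeOnline from the ExchangeOnlineManagement module, and the rest of the loop is unchanged.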

SharePoint 2016 with Server 2016 tips and tricks

When I am not tinkering in my VMware environment, the other part of my day-to-day role is application specialism. This has recently got me looking into SharePoint 2016 so that we can have a central place for reports and other services. Initially I thought this would be a walk in the park, as I had the dev instance up in a day or two, but when scaling out odd things happen and you soon realise some things are missing since the 2013 edition.

The major gripes so far are:-

  • The setup wizard: well, should it even be there? It is only one page now, and should you really be using it anyway?
  • The user profile service has been cut back. Microsoft doesn't think anyone was syncing AD; yes, it was clunky, but you could generate an awesome phone book from it along with other things. This causes the people search to do weird things or not work at all. It has been replaced by Microsoft Identity Manager, which I don't think is cheap and which I still need to look into.
  • There is no update to SharePoint Designer; you just use the 2013 edition.

So, on to the tips to save you time when installing and configuring.

1. Installing on Server 2016

You will soon find that the prerequisites don't want to install, no matter what. I found that if you run the following command in an elevated PowerShell first, you are golden:

# -Source points at the sources\sxs folder of the Server 2016 install media (Z: is the mounted ISO here; adjust the drive letter)
Add-WindowsFeature Web-Server,Windows-Identity-Foundation,NET-Framework-45-ASPNET,Web-Mgmt-Console,Web-Mgmt-Compat,Web-Metabase,Web-Lgcy-Mgmt-Console,Web-Lgcy-Scripting,Web-Mgmt-Tools,Web-WMI,Web-Common-HTTP,NET-HTTP-Activation,NET-Non-HTTP-Activ,NET-WCF-HTTP-Activation45 -Source 'Z:\sources\sxs'

I found this here, and it worked perfectly after my old snippets didn't.

2. Tips on user accounts

I would highly recommend the first portion of this guide for the user accounts to use for your installation. You can always substitute your own service account naming if needed.

3. Creating an Alias to connect to the SQL server

I would follow this guide regardless; it is great anyway, as it gives you the flexibility to move the databases to other SQL servers or instances in the future.
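
The alias is a client-side redirect stored in the registry, so it has to be created identically on every SharePoint server in the farm before the configuration wizard is pointed at it. The script below is an added example, not from the original post or the guide it links: it writes the alias to both the 64-bit and the 32-bit client keys and then opens a test connection through the alias. The alias name, SQL host and port are assumptions.

```powershell
# Added example (not from the original post). Run elevated on each SharePoint server.
# Assumed values; replace with your own alias name, SQL Server host and port.
$AliasName = 'SPSQL'
$SqlHost   = 'sql01.corp.example.com'
$SqlPort   = 1433

# SharePoint is 64-bit, but set the WOW6432Node key too so 32-bit tools
# (e.g. cliconfg.exe) resolve the same alias and show the same thing.
$keys = @(
    'HKLM:\SOFTWARE\Microsoft\MSSQLServer\Client\ConnectTo',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\MSSQLServer\Client\ConnectTo'
)

function Set-SqlClientAlias {
    param([string]$Name, [string]$Server, [int]$Port, [string[]]$RegistryKeys)
    foreach ($key in $RegistryKeys) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # DBMSSOCN selects the TCP/IP provider; value format is "DBMSSOCN,<host>,<port>"
        New-ItemProperty -Path $key -Name $Name -PropertyType String `
            -Value "DBMSSOCN,$Server,$Port" -Force | Out-Null
    }
}

function Test-SqlClientAlias {
    param([string]$Name)
    # Connect by alias only; if this works, SharePoint's connection string
    # ("Server=SPSQL") will work too, and moving the databases later is a
    # one-line registry change instead of a farm reconfiguration.
    $conn = New-Object System.Data.SqlClient.SqlConnection `
        "Server=$Name;Integrated Security=True;Connection Timeout=5"
    try {
        $conn.Open()
        "Alias $Name -> $($conn.DataSource) (SQL Server $($conn.ServerVersion))"
    } catch {
        Write-Warning "Alias $Name did not connect: $($_.Exception.Message)"
    } finally {
        $conn.Dispose()
    }
}

Set-SqlClientAlias -Name $AliasName -Server $SqlHost -Port $SqlPort -RegistryKeys $keys
Test-SqlClientAlias -Name $AliasName
```

Because the alias silently redirects every SQL connection from that server, treat the ConnectTo key as part of the farm's configuration: keep it under change control and only writable by administrators, and check it first whenever a server "mysteriously" talks to the wrong instance.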

4. Always on availability

This guide is great for setting up your Always On servers and witness server step by step.

As my install goes on I hope to add more guides, especially if I can get the user profile sync to work in some fashion.