Adding Duo 2FA to Microsoft ADFS
KB ID 0001656 Problem I did a Duo run through a few weeks ago, and to be honest their documentation is usually pretty good. I was spinning this up as a PoC for a client so I thought I’d put my take on the procedure here. ADFS Duo Pre-Requisites I already have a Duo Authentication Proxy server setup and my users are enrolled, you will need to set this up first. See the following article; Duo: ADSync and Enroll Users via SMS Log...
PowerShell: Disable MFA For All O365 Users
KB ID 0001655 Problem If you have something boring/repetitive to do then Powershell is your friend! I needed to do this for a client that’s replacing their Office365/Azure AD MFA (Multi Factor Authentication) with Duo. Solution Connect to your Microsoft Services Online, i.e. Office365/Azure, using your administrative credentials with the following command; Connect-MsolService Then (Note: I’ve got more than 1000 users so I...
Group Policy: Item-Level Targeting
KB ID 0001654 Problem Yesterday I wrote a post about Deploying a ‘Mapped’ Drive to a couple of users using Group Policy. This received a comment that was basically ‘Why not simply use Client Targeting?’ To be fair that’s a good point, I was using a Group Policy Preference and they can be specifically targeted. So here’s how to do that. Solution If you do not already have one, create a group for your...
Configuring Cisco HSRP
KB ID 0000946 Problem Cisco HSRP: Normally your client machines have one route off the network, (their default gateway). But what if that goes down? HSRP aims to solve this problem by assigning a ‘Virtual IP address’ to your default gateway (or default route). So that IP can be shared amongst two or more possible devices (routers, or layer 3 switches). Above, we have a client 192.168.1.10 that has two possible routes off...
Apply Group Policy To a Security Group
KB ID 0001653 Problem On EE this morning someone asked how to map a drive to only two users, so that wherever they logged in, they got their mapped drive. Seemed like a good Idea for a post so here you go; Solution If you do not already have one, create a group for your users. Add the users, (as appropriate). On a Domain Controller > Administrative Groups > Locate the OU that contains your users (Note: if your group members are...
Outlook: ADFS Error 0xCAA70010
KB ID 0001652 Problem While trying to connect Outlook (2016) to an Office 365 email account; We can’t connect you It looks like we can’t connect you to one of our services the moment. Please try again later, or contact your helpdesk if the issue persists. 0xCAA70010 {ADFS-URL} Solution This was happening because my ADFS server was using a ‘self-signed’ certificate (i.e. not a purchased one). This should NEVER...
DHCP Scope: Full of BAD_ADDRESS Entries
KB ID 0001651 Problem I had a client machine struggling to get an DHCP address, and when I looked in DHCP the scope it was full of this; BAD_ADDRESS This address Is Already in Use Solution A tour of Google and forums is full of posts by people with this problem, and other than, ‘Oh I looked in the logs and fixed it’ (with no mention of what log, or where this log was), or ‘Yeah I used Wireshark and located a problem...
AnyConnect: Enable Duo 2Factor Authentication
KB ID 0001650 Problem I was asked if I’d ever set this up the other week. Surprisingly I had not, I’d deployed Duo for other things, but not for Cisco AnyConnect. As I had some other ‘Duo’ related tasks coming up, I was deploying it on the test bench, then adding in my Cisco ASA and AnyConnect wasn’t much more work! Here’s my topology; My ASA is running version 9.1 My Duo Authentication Proxy is...
Unable to Connect to the Synchronisation Service
KB ID 0001649 Problem I’m doing some work for a client that has Azure AD Sync running, and we keep kicking each other off the server, so I thought I’d login with another account. However, when I tried to open the Synchronisation Service Manager; Unable to connect to the Synchronisation Service Some possible reasons are: 1) The service is not started. 2) Your account is not a member of the requires security group. See the...
Duo: ADSync and Enroll Users via SMS
KB ID 0001648 Problem Before you can use Duo 2FA/MFA you need to have your users enrolled. Theres a number of ways to enrol them, you can bulk email them, or manually add them. Below I’m going to Sync Duo with my Active Directory, so that if users are members of a specific AD group, they will ‘appear’ in the Duo Admin Portal. Then I’m going to enter a users mobile phone number and send them an SMS to enrol....