Adding Duo 2FA to Microsoft ADFS

KB ID 0001656

Problem

I did a Duo run through a few weeks ago, and to be honest their documentation is usually pretty good. I was spinning this up as a PoC for a client so I thought I’d put my take on the procedure here.

ADFS Duo Pre-Requisites

I already have a Duo Authentication Proxy server setup and my users are enrolled, you will need to set this up first. See the following article;

Duo: ADSync and Enroll Users via SMS

Log into the the Duo Admin Portal > Applications > Protect an Application > Search for and select Microsoft ADFS > Protect This Application.

 Copy the Integration Key, Secret Key and the API hostname to notepad.

Download the Duo AD FA MFA Adapter on your ‘first‘ ADFS server. Enter the information you copied to Notepad, (above). Tick ‘Bypass Duo Authentication when offline’, and because my users are logging on with their Office 365 UPNs, I’m also ticking ‘Use UPN username format’ (SEE USERNAME NORMALISATION NOTE BELOW.)

Note: I only have one ADFS server, if you have an ADFS Server farm you will need to install each one with the SAME shared session key, you can generate one of these yourself in PowerShell with the following commands;

[box]

$bytes = new-object "System.Byte[]" 30
(new-object System.Security.Cryptography.RNGCryptoServiceProvider).GetBytes($bytes)
[Convert]::ToBase64String($bytes)

[/box]

I only have one, so I’ll simply ‘Generate new session key‘ > Finish the install wizard.

Note: If one has already been deployed, and you don’t know the key, go to the ADFS server on which it’s working, and look in the following registry key.

[box]

HKEY_LOCAL_MACHINE\SOFTWARE\Duo Security\DuoAdfs\AKey

[/box]

USERNAME NORMALISATION: Because I’m logging users on with UPNs (first-name.last-name.domain-name.com) Back in the Duo Portal under protected applications Microsoft ADFS > Set username normalisation to ‘None” > Scroll down and save the change.

Server 2019 Only: I’m deploying on Server 2019 so I also need to execute the following Powershell command, you will need to enter YOUR API Hostname (you copied above).

[box]

Set-AdfsResponseHeaders -SetHeaderName "Content-Security-Policy" -SetHeaderValue "default-src 'self' 'unsafe-inline' 'unsafe-eval'; img-src 'self'; frame-src api-xxxxxxxx.duosecurity.com"

[/box]

Launch the ADFS Management Console > Authentication Methods > Additional Authentication Methods > Edit.

Tick ‘Duo Authentication for AD FS {version}’ > Apply > OK.

Relying Party Trust > Here I have my Office 365 trust, yours may be for something else! Edit Access Control Policy.

Click ‘Use Access Control Policy’ > The one I want is ‘Permit Everyone and Require MFA for Specific Group‘. This way I can select who gets 2FA challenged, and I can migrate users slowly into this group once I know they are enrolled, (also I use the same group to Sync the users to Duo to make things simple). Change the <parameter> and locate you domain security group.

Now when the users connect to ADFS, after they logon, they are challenged to provide 2FA authentication.

like so;

Related Articles, References, Credits, or External Links

NA

PowerShell: Bulk Add/Remove Users From Groups

KB ID 0001475

Problem

I had to do this a few weeks ago, so I documented it. I had a list of usernames in a CSV file and I needed to bulk-add them to a security group.

Bulk Add Group Users Solution

Firstly you will need the usernames (sAMAccountNames) in .csv format like so,  (Note: As a header Im using User-Name.) I’ve saved the file to C:\Temp on my server.

Execute the following commands;

[box]

Import-Module ActiveDirectory 

Import-Csv -Path “C:\Temp\Users-To-Add.csv” | ForEach-Object {Add-ADGroupMember -Identity “Group-Name” -Members $_.’User-Name’}

[/box]

And there’s our users;

Bulk Remove Group Users Solution

Use the following command;

[box]Import-Csv -Path “C:\Temp\Users-To-Remove.csv” | ForEach-Object {Remove-ADGroupMember -Identity “Group-Name” -Members $_.’User-Name’ -Confirm:$false}[/box]

Now if we check the group, the users have gone;

Related Articles, References, Credits, or External Links

PowerShell: Bulk Enable / Disable Users

Exchange Bulk Export / Import Mail Contacts

Bulk Export Users From One Domain, and Import Into Another

PowerShell: Add All Members of an OU to a Security Group

Cisco AnyConnect With Server 2016 NPAS (RADIUS) Different Groups

KB ID 0001474

Problem

A few years ago I replaced a firewall that was setup like this, and while it took me a while to work out what was going on, I remember thinking it was an elegant solution. Fast forward to today, and I’m now working with the guy who set it up! (Kudos to Paul White).

So when I had a client with a similar requirement, I sat down fired up the lab, and documented it.

What was used;

  • Windows 10 Remote Client
  • AnyConnect v4 Client
  • Server 2016 NAP (NPAS) Server
  • Windows 2016 Domain.
  • Cisco vASA (v9.2)

Solution

Deploy Microsoft NAP

Rather than reinvent the wheel, I’ve already ran though this. Use the link (below) to install the role, add the ASA as a RADIUS client, then return here (before configuring any policies!)

Windows Server 2016 & 2012 Setup RADIUS for Cisco ASA 5500 Authentication

Configure NAP Network Policies For Group Authentication

Firstly you will need some groups setup in AD, with some users in them, for testing.

Then, on your NAP Server create a Network Policy (for each group), like so;

Add the ‘User Group Condition’ with the correct AD Group for this policy.

Add the ‘Client Friendly Name‘ condition, and set to to the name you used for the RADIUS client.

Next > Next > Add in ‘Unencrypted (PAP SPAP)‘ > Next > No.

Next > Add > Select ‘Class’ > Add  > Enter ‘ou={Name-of-Cisco-Group-Policy-To-Apply}‘ > OK > Close > Next > Finish.

Cisco ASA Configuration

[box]

First, configure RADIUS AAA;

!

aaa-server PNL-RADIUS protocol radius

aaa-server PNL-RADIUS (inside) host 192.168.110.19

 key 666999

 radius-common-pw 666999

 exit

!

Create a ‘Pool’ of IP addresses for the remote clients;

! 

ip local pool POOL-ANYCONNECT-SN 192.168.249.1-192.168.249.254 mask 255.255.255.0

!

Create some ‘Objects’ one for the Pool you created above, one for the server(s) that everyone can access, and one for the server(s) only restricted users can access;

!

object network OBJ-ANYCONNECT-SN

  subnet 192.168.249.0 255.255.255.0

!

object-group network OBJ-USER-ACCESS-SERVERS

 description Servers than can be accessed by VPN-USER-ACCESS AD Group

 network-object host 192.168.110.10

!

object-group network OBJ-RESTRICTED-ACCESS-SERVERS

 description Servers than can only be accessed by VPN-RESTRICTED-ACCESS AD Group

 network-object host 192.168.110.19

!

Enable Webvpn and AnyConnect;

!

webvpn

  enable outside

  no tunnel-group-list enable

  anyconnect image disk0:/anyconnect-win-4.6.00362-webdeploy-k9.pkg 1

  anyconnect image disk0:/anyconnect-macos-4.6.00362-webdeploy-k9.pkg 2

  anyconnect enable

!

Create the ACLs for your TWO AD user groups;

!

access-list ACL-VPN-USER-ACCESS-SERVERS extended permit ip object-group OBJ-USER-ACCESS-SERVERS object OBJ-ANYCONNECT-SUBNET

!

access-list ACL-VPN-RESTRICTED-ACCESS-SERVERS permit ip object-group OBJ-USER-ACCESS-SERVERS object OBJ-ANYCONNECT-SUBNET

access-list ACL-VPN-RESTRICTED-ACCESS-SERVERS permit ip object-group OBJ-RESTRICTED-ACCESS-SERVERS object OBJ-ANYCONNECT-SUBNET

!

Stop NAT being performed on the remote AnyConnect traffic;

!

nat (inside,outside) 1 source static any any destination static OBJ-ANYCONNECT-SN OBJ-ANYCONNECT-SN no-proxy-arp route-lookup

!

Each Group-Policy (below) wont have its own tunnel-group so you need to enable RADIUS on the default web tunnel-group, and assign the IP Pool you created (above). Note: I’m allowing authentication to fall back to LOCAL in case the RADIUS server fails;

!

tunnel-group DefaultWEBVPNGroup general-attributes 

 authentication-server-group PNL-RADIUS LOCAL

 address-pool POOL-ANYCONNECT-SN

!

Finally, create a group-policy that the NAP server will tell the ASA to allocate to the users of the AD Groups (VPN-USER-ACCESS, and VPN-RESTRICTED-USER-ACCESS);

!

group-policy GP-USER-ACCESS-SERVERS internal

group-policy GP-USER-ACCESS-SERVERS attributes

 dns-server value 192.168.110.10

 vpn-idle-timeout 30

 vpn-tunnel-protocol ssl-client

 split-tunnel-policy tunnelspecified

 split-tunnel-network-list value ACL-VPN-USER-ACCESS-SERVERS

 default-domain value test.net

!

group-policy GP-RESTRICTED-ACCESS-SERVERS internal

group-policy GP-RESTRICTED-ACCESS-SERVERS attributes

 dns-server value 192.168.110.10

 vpn-idle-timeout 30

 vpn-tunnel-protocol ssl-client

 split-tunnel-policy tunnelspecified

 split-tunnel-network-list value ACL-VPN-RESTRICTED-ACCESS-SERVERS

 default-domain value test.net

!

[/box]

Related Articles, References, Credits, or External Links

Thanks to Paul White and Trevor Stanley.

Windows Server 2016 & 2012 Setup RADIUS for Cisco ASA 5500 Authentication

Windows Server 2008 R2 – Configure RADIUS for Cisco ASA 5500 Authentication

Cisco ASA5500 Client VPN Access Via RADIUS (Server 2003 & IAS)

Cisco – Testing AAA Authentication (Cisco ASA and IOS)

SQL Install Error “SQL Server Browser Service Group Does Not Exist”

KB ID 0000689 

Problem

Seen when reinstalling SQL 2008 R2 on a domain controller. Note: as a background the SQL Server was installed previously and then the server was promoted to a domain controller. Then when the attempt to reinstall SQL was carried out this happened:

Microsoft SQL Server 2008 R2 Setup
The following error has occurred.
SQL Server Browser service group does not exists. Check for earlier failures in the setup

Note: Yes thats a typo, but there is a typo in the error message.

Solution

1. You need to create the group(s) manually, logon to a domain controller > Windows Key+R (to run) > type ‘dsa.msc’ > Enter.

2. Create two Windows security groups called;

[box]

SQLServer2008SQLBrowserUser${ServerName}
SQLServer2005SQLBrowserUser${ServerName}

[/box]

3. Retry the install.

Related Articles, References, Credits, or External Links

NA

Windows Server – Fine Grained Password Policies

KB ID 0000765 

Problem

Before server 2008 if you wanted more than one password policy, you had to create a sub domain just to do that! with Server 2008 we were given fine grained password policies, which were fine (if a little clunky), and involved you creating ‘Password Settings Objects’.

They were a pain if you were not used to them e.g. five minutes is entered as 00:00:05:00. But now Microsoft have made things a LOT EASIER (though they made a good job of hiding it!).

Solution

1. From Server Manager (ServerManager.exe) > Local Server > Tools > Active Directory Administrative Center.

2. System container.

3. Password Settings Container.

4. New > Password Settings > Configure as required > Add > Locate the Security group you want to apply the policy to > OK > OK.

Note: The Precedence dictates which policy will apply if the same user has multiple policies applied to them.

5. You can then create other policies to apply to different groups.

To See What Policies are Applying to a User

6. Locate the user (while still in Active Directory Administrative Center) Right click > View resultant password settings > If a policy is in place it will open.

7. If there is no policy in place you will see, “User does not have resultant fine grained password settings. Please check the user’s domain password settings”.

 

Related Articles, References, Credits, or External Links

NA