Gist

Contains GitHub Gists

MIM PAM Automated Installation Script

, 2 Comments

I have been doing a fair bit of work with MIM PAM recently, finding a few issues. This has meant that I have re-installed the application (post-SharePoint Foundation), in my lab, a few times.

I was getting a little bored of clicking through the options, ticking boxes and refilling the URL’s etc. Then I spotted on the CD/ DVD, a batch file in the Service and Portal folder – called “Service and Portal_Reference_For_PAM_Install.bat“.

A quick look showed that this would automate MIM PAM installation. However, there was no documentation to go with it – notably to clarify which accounts were referred to by  “ADMIN_USER = Administrator” and “SYNC_ADMIN = FIMSyncAdministrator”. A quick google revealed no relevant results…. So, take a snapshot and start trying accounts….. Based on the MSI command run at the end of the script Admin User relates to the SERVICE_ACCOUNT_NAME. So, in my case that relates to the MIMService account.

Thus, my complete working script is as below. Note – my PAM domain is a sub-domain of oholics.net called “priv“, my MIM PAM server is called “mimpam

Note that the following lines will need to be amended – 7, 10, 17, 19, 20, 21, 22, 35, 54, 55, 62, 63, 70, 71.

Also, note the script assumes that you have a folder C:\Temp to write the log to – if you don’t you’ll get EXIT CODE: 1622

Nice bit of automation – run the file, then make coffee or whatever – certainly something fulfilling 🙂

A little update – the script in its current form is not perfect. Note that the MSI switches include: MAIL_SERVER=”%MACHINENAME%” and SQLSERVER_SERVER=”%MACHINENAME%” – Meaning that both attributes will be set to the local machine name. Set some more attributes and changes the MSI arg’s to suit.

Additionally, I have been testing the RESTful interface over the last few days and have seen some oddities – whether these are related to using this script to install is under investigation…..

@ECHO OFF
REM ********************************************
REM Environment Parameters
ECHO Setting Environment Parameters...
REM ********************************************
SET MSIROOTFOLDER=D:
SET MSILOCATION=%MSIROOTFOLDER%\Service and Portal
SET MSIFILENAME=Service and Portal.msi
SET LOGFILENAME=C:\Temp\%MSIFILENAME%-%time:~0,2%_%time:~3,2%_%time:~6,2%.log
REM ********************************************
REM Networking Parameters
ECHO Setting Networking Parameters...
REM ********************************************
SET MACHINENAME=%COMPUTERNAME%
SET DOMAINNAME=priv
IF "%1" neq "" SET DOMAINNAME=%1
SET DOMAIN_SUFFIX=oholics.net
SET ADMIN_USER=MIMService
SET SYNC_ADMIN=MIMMA
SET ADMIN_PASS=YourMIMServicePassword
SET FEATURES_TO_INSTALL=CommonServices,WebPortals,PAMServices
SET REBOOT=ReallySuppress
SET SQMOPTINSETTING=1
SET ACCEPT_EULA=1
SET FIREWALL_CONF=1
REM ********************************************
REM SharePoint Parameters
ECHO Setting SharePoint Parameters...
REM ********************************************
SET SHAREPOINTUSERS_CONF=1
SET SHAREPOINT_URL=http://mimpam.priv.oholics.net:82
IF "%2" neq "" SET SHAREPOINT_URL=%2
REM ********************************************
REM Registration Portal Parameters
ECHO Setting Registration Portal Parameters...
REM ********************************************
SET REGISTRATION_PORTAL_URL=http://localhost:8080
REM ********************************************
REM REST Parameters
ECHO Setting REST Parameters...
REM ********************************************
SET MIMPAM_REST_API_PORT=8086
REM ********************************************
REM PAM Monitoring Service Parameters
ECHO Setting PAM Monitoring Service Parameters...
REM ********************************************
SET PAM_MONITORING_SERVICE_ACCOUNT_DOMAIN=%DOMAINNAME%
SET PAM_MONITORING_SERVICE_ACCOUNT_NAME=MIMMonitor
SET PAM_MONITORING_SERVICE_ACCOUNT_PASSWORD=YourMIMMonitorPassword
REM ********************************************
REM PAM Component Service Parameters
ECHO Setting PAM Component Service Parameters...
REM ********************************************
SET PAM_COMPONENT_SERVICE_ACCOUNT_DOMAIN=%DOMAINNAME%
SET PAM_COMPONENT_SERVICE_ACCOUNT_NAME=MIMComponent
SET PAM_COMPONENT_SERVICE_ACCOUNT_PASSWORD=YourMIMComponentPassword
REM ********************************************
REM PAM REST API App Pool Parameters
ECHO Setting PAM REST API App Pool Parameters...
REM ********************************************
SET PAM_REST_API_APPPOOL_ACCOUNT_DOMAIN=%DOMAINNAME%
SET PAM_REST_API_APPPOOL_ACCOUNT_NAME=MimSharePointSvc
SET PAM_REST_API_APPPOOL_ACCOUNT_PASSWORD=YourMimSharePointSvcPassword
REM ********************************************
REM Preparing the setup parameters
ECHO Preparing the setup parameters...
REM ********************************************
SET COMMAND=MSIEXEC /i "%MSILOCATION%\%MSIFILENAME%" SQMOPTINSETTING=%SQMOPTINSETTING% MAIL_SERVER="%MACHINENAME%" ^
SQLSERVER_SERVER="%MACHINENAME%" SERVICE_ACCOUNT_NAME="%ADMIN_USER%" SERVICE_ACCOUNT_PASSWORD="%ADMIN_PASS%" ^
SERVICE_ACCOUNT_DOMAIN="%DOMAINNAME%" SERVICE_ACCOUNT_EMAIL="%ADMIN_USER%@%DOMAINNAME%.%DOMAIN_SUFFIX%" ^
RUNNING_USER_EMAIL="%ADMIN_USER%@%DOMAINNAME%.%DOMAIN_SUFFIX%" SYNCHRONIZATION_SERVER_ACCOUNT="%DOMAINNAME%\%SYNC_ADMIN%" ^
SYNCHRONIZATION_SERVER="%MACHINENAME%" SERVICEADDRESS="%MACHINENAME%" SHAREPOINTUSERS_CONF=%SHAREPOINTUSERS_CONF% ^
REGISTRATION_PORTAL_URL="%REGISTRATION_PORTAL_URL%" SHAREPOINT_URL="%SHAREPOINT_URL%" ADDLOCAL="%FEATURES_TO_INSTALL%" ^
PAM_MONITORING_SERVICE_ACCOUNT_DOMAIN=%PAM_MONITORING_SERVICE_ACCOUNT_DOMAIN% ^
PAM_MONITORING_SERVICE_ACCOUNT_NAME=%PAM_MONITORING_SERVICE_ACCOUNT_NAME% PAM_MONITORING_SERVICE_ACCOUNT_PASSWORD=%PAM_MONITORING_SERVICE_ACCOUNT_PASSWORD% ^
PAM_COMPONENT_SERVICE_ACCOUNT_DOMAIN=%PAM_COMPONENT_SERVICE_ACCOUNT_DOMAIN% PAM_COMPONENT_SERVICE_ACCOUNT_NAME=%PAM_COMPONENT_SERVICE_ACCOUNT_NAME% ^
PAM_COMPONENT_SERVICE_ACCOUNT_PASSWORD=%PAM_COMPONENT_SERVICE_ACCOUNT_PASSWORD% PAM_REST_API_APPPOOL_ACCOUNT_DOMAIN=%PAM_REST_API_APPPOOL_ACCOUNT_DOMAIN% ^
PAM_REST_API_APPPOOL_ACCOUNT_NAME=%PAM_REST_API_APPPOOL_ACCOUNT_NAME% PAM_REST_API_APPPOOL_ACCOUNT_PASSWORD=%PAM_REST_API_APPPOOL_ACCOUNT_PASSWORD% ^
ACCEPT_EULA=%ACCEPT_EULA% MIMPAM_REST_API_PORT=%MIMPAM_REST_API_PORT% FIREWALL_CONF=%FIREWALL_CONF% REBOOT="%REBOOT%" /l*v "%LOGFILENAME%" /quiet
REM ********************************************
REM Running the installation
ECHO Running the installation ...
REM ********************************************
ECHO %COMMAND%
%COMMAND%
ECHO EXIT CODE: %ERRORLEVEL%
REM ********************************************
REM Finished
ECHO Finished
REM ********************************************
EXIT /B %ERRORLEVEL%
view raw service_and_portal_reference_for_pam_install.bat hosted with ❤ by GitHub

Delegating Group Management – Using the Lithnet FIM PowerShell Module

, , , , , 0 Comments

Within my AD structure, group management is delegated within certain OU’s, I now need to replicate that functionality in the FIM portal.

The is no real way of identifying which groups should be managed by whom, except the OU within which the group currently resides.

So, to start off with I need to get the parent OU of the group into the portal:

Import the OU into the MV:

Case "adOU-Group-ADMA-Import"
mventry("adOU").Value = Replace(csentry.DN.ToString, csentry.RDN.ToString & ",", "")
view raw adou-group-adma-import.vb hosted with ❤ by GitHub

Setup an export flow for adOU into the portal.

Then, by using the Lithnet PowerShell Module, we can create all the sets and MPR’s required, below is a sample for creating one delegated “collection”. In production, my XML file is much bigger – delegating group management to around ten different groups.

Note, that you first need to create references to all users who might be given the rights to manage groups. This includes the FimServiceAdmin and FimServiceAccount – referenced by their ObjectID, the others are referenced by their AccountName. All members referenced in this section, are added to the __Set:GroupValidationBypassSet. This set is defined in the non-administrators set – not in this set – this bypasses the group validation workflow:

AllNonAdministratorsSet

Create a set of groups to be managed – the filter being the OU that the groups belong to & MembershipLocked=False

Create a set of administrators for this delegation – adding the explicit members

Then create the two MPR’s to allow the members of the administrative set to manage those groups – the first MPR allows modification (Read, Add and Remove) of the ExplicitMember attribute, while the second allows creation and deletion.

<?xml version="1.0" encoding="utf-8" ?>
<Lithnet.ResourceManagement.ConfigSync>
<Variables>
<Variable name="#domain#" value="%userdomain%"/>
<Variable name="#PATH#" value ="C:\some-path\" />
</Variables>
<Operations>
<!-- Create a Bunch of References to Recipients -->
<ResourceOperation operation="None" resourceType="Person" id="user1">
<AnchorAttributes>
<AnchorAttribute>AccountName</AnchorAttribute>
</AnchorAttributes>
<AttributeOperations>
<AttributeOperation operation="none" name="AccountName">user1</AttributeOperation>
</AttributeOperations>
</ResourceOperation>
<!-- Create Reference to Recipient -->
<ResourceOperation operation="None" resourceType="Person" id="user2">
<AnchorAttributes>
<AnchorAttribute>AccountName</AnchorAttribute>
</AnchorAttributes>
<AttributeOperations>
<AttributeOperation operation="none" name="AccountName">user2</AttributeOperation>
</AttributeOperations>
</ResourceOperation>
<!-- Create Reference to Recipient -->
<ResourceOperation operation="None" resourceType="Person" id="user3">
<AnchorAttributes>
<AnchorAttribute>AccountName</AnchorAttribute>
</AnchorAttributes>
<AttributeOperations>
<AttributeOperation operation="none" name="AccountName">user3</AttributeOperation>
</AttributeOperations>
</ResourceOperation>
<!-- Create Reference to Recipient -->
<ResourceOperation operation="None" resourceType="Person" id="FIMServiceAccount">
<AnchorAttributes>
<AnchorAttribute>ObjectID</AnchorAttribute>
</AnchorAttributes>
<AttributeOperations>
<AttributeOperation operation="none" name="ObjectID">1009a2cb-e7f8-4db9-9f02-04b91b1d966d</AttributeOperation>
</AttributeOperations>
</ResourceOperation>
<!-- Create Reference to Recipient -->
<ResourceOperation operation="None" resourceType="Person" id="FIMServiceAdmin">
<AnchorAttributes>
<AnchorAttribute>ObjectID</AnchorAttribute>
</AnchorAttributes>
<AttributeOperations>
<AttributeOperation operation="none" name="ObjectID">7fb2b853-24f0-4498-9534-4e10589723c4</AttributeOperation>
</AttributeOperations>
</ResourceOperation>
<!-- MPR's Sets etc: -->
<!-- GroupValidation Bypass Set -->
<ResourceOperation operation="Add Update" resourceType="Set" id="GroupValidationBypassSet">
<AnchorAttributes>
<AnchorAttribute>DisplayName</AnchorAttribute>
</AnchorAttributes>
<AttributeOperations>
<AttributeOperation operation="replace" name="DisplayName">__Set:GroupValidationBypassSet</AttributeOperation>
<AttributeOperation operation="replace" name="Description">This set bypasses Group Management Workflow</AttributeOperation>
<AttributeOperation operation="add" name="ExplicitMember" type="xmlref">user2</AttributeOperation>
<AttributeOperation operation="add" name="ExplicitMember" type="xmlref">user1</AttributeOperation>
<AttributeOperation operation="add" name="ExplicitMember" type="xmlref">FIMServiceAccount</AttributeOperation>
<AttributeOperation operation="add" name="ExplicitMember" type="xmlref">FIMServiceAdmin</AttributeOperation>
<AttributeOperation operation="add" name="ExplicitMember" type="xmlref">user3</AttributeOperation>
</AttributeOperations>
</ResourceOperation>
<!-- Create ABC Manual Groups Set -->
<ResourceOperation operation="Add Update" resourceType="Set" id="ABCManualGroupsSet">
<AnchorAttributes>
<AnchorAttribute>DisplayName</AnchorAttribute>
</AnchorAttributes>
<AttributeOperations>
<AttributeOperation operation="replace" name="DisplayName">__Set:ABC Manual Groups</AttributeOperation>
<AttributeOperation operation="replace" name="Description">Use this set to allow ABC helpdesk staff to administer these groups.</AttributeOperation>
<AttributeOperation operation="replace" name="Filter" type="filter">/Group[(adOU = 'OU=Manual Groups,OU=ABC,DC=blah,DC=ac,DC=uk') and (MembershipLocked = False)]</AttributeOperation>
</AttributeOperations>
</ResourceOperation>
<!-- Create ABC Manual Group Administrators Set -->
<ResourceOperation operation="Add Update" resourceType="Set" id="ABCManualGroupsAdministratorsSet">
<AnchorAttributes>
<AnchorAttribute>DisplayName</AnchorAttribute>
</AnchorAttributes>
<AttributeOperations>
<AttributeOperation operation="replace" name="DisplayName">__Set:ABC Manual Groups Administrators</AttributeOperation>
<AttributeOperation operation="replace" name="Description">Use this set to allow ABC helpdesk staff to administer these groups.</AttributeOperation>
<AttributeOperation operation="add" name="ExplicitMember" type="xmlref">user1</AttributeOperation>
<AttributeOperation operation="add" name="ExplicitMember" type="xmlref">user2</AttributeOperation>
</AttributeOperations>
</ResourceOperation>
<!-- ABC Manual Group Modify MPR -->
<ResourceOperation operation="Add Update" resourceType="ManagementPolicyRule" id="ABCManualGroupModifyMPR">
<AnchorAttributes>
<AnchorAttribute>DisplayName</AnchorAttribute>
</AnchorAttributes>
<AttributeOperations>
<AttributeOperation operation="replace" name="DisplayName">__MPR:Group management: ABC Manual Group administrators can update ABC Manual group resources</AttributeOperation>
<AttributeOperation operation="replace" name="Description">Allows ##xmlref:ABCManualGroupsAdministratorsSet:DisplayName## members to modify membership of ABC Manual Groups</AttributeOperation>
<AttributeOperation operation="replace" name="Disabled">false</AttributeOperation>
<AttributeOperation operation="replace" name="GrantRight">true</AttributeOperation>
<AttributeOperation operation="replace" name="ManagementPolicyRuleType">Request</AttributeOperation>
<AttributeOperation operation="replace" name="PrincipalSet" type="xmlref">ABCManualGroupsAdministratorsSet</AttributeOperation>
<AttributeOperation operation="replace" name="ResourceCurrentSet" type="xmlref">ABCManualGroupsSet</AttributeOperation>
<AttributeOperation operation="replace" name="ResourceFinalSet" type="xmlref">ABCManualGroupsSet</AttributeOperation>
<AttributeOperation operation="add" name="ActionType">Read</AttributeOperation>
<AttributeOperation operation="add" name="ActionType">Add</AttributeOperation>
<AttributeOperation operation="add" name="ActionType">Remove</AttributeOperation>
<AttributeOperation operation="add" name="ActionParameter">ExplicitMember</AttributeOperation>
</AttributeOperations>
</ResourceOperation>
<!-- ABC Manual Group Create/Delete MPR -->
<ResourceOperation operation="Add Update" resourceType="ManagementPolicyRule" id="ABCManualGroupCreateDeleteMPR">
<AnchorAttributes>
<AnchorAttribute>DisplayName</AnchorAttribute>
</AnchorAttributes>
<AttributeOperations>
<AttributeOperation operation="replace" name="DisplayName">__MPR:Group management: ABC Manual Group administrators can create and delete ABC Manual group resources</AttributeOperation>
<AttributeOperation operation="replace" name="Description">Allows ##xmlref:ABCManualGroupsAdministratorsSet:DisplayName## members to Create and Delete ABC Manual Groups</AttributeOperation>
<AttributeOperation operation="replace" name="Disabled">false</AttributeOperation>
<AttributeOperation operation="replace" name="GrantRight">true</AttributeOperation>
<AttributeOperation operation="replace" name="ManagementPolicyRuleType">Request</AttributeOperation>
<AttributeOperation operation="replace" name="PrincipalSet" type="xmlref">ABCManualGroupsAdministratorsSet</AttributeOperation>
<AttributeOperation operation="replace" name="ResourceCurrentSet" type="xmlref">ABCManualGroupsSet</AttributeOperation>
<AttributeOperation operation="replace" name="ResourceFinalSet" type="xmlref">ABCManualGroupsSet</AttributeOperation>
<AttributeOperation operation="add" name="ActionType">Create</AttributeOperation>
<AttributeOperation operation="add" name="ActionType">Delete</AttributeOperation>
<AttributeOperation operation="add" name="ActionParameter">*</AttributeOperation>
</AttributeOperations>
</ResourceOperation>
</Operations>
</Lithnet.ResourceManagement.ConfigSync>
view raw groupdelegation.xml hosted with ❤ by GitHub

Use Import-RMConfig -File <PathToXML> -Preview -Verbose to validate your xml and see what it would do. Drop the “-Preview” to make the change

An Alternative To Using The Generic Array From File Function

, , 0 Comments

While looking to improve on my method of getting exceptions or a long list of mail suffixes into an array, to be checked during code execution, I came across this: https://msdn.microsoft.com/en-us/library/windows/desktop/ms696048(v=vs.85).aspx

This seemed to me to be a really nice solution, just defining all exceptions and suffixes within one file, read it in on code execution, then check for existence or whatever in the code.

So, given the following xml file:

<rules-extension-properties>
<mail-suffixes>
<values>blah.ac.uk,moo.ac.uk,meow.ac.uk,woof.ac.uk,squawk.ac.uk,hiss.ac.uk,neigh.ac.uk</values>
</mail-suffixes>
<ignore-email-address-errors>
<values>smartypants@woof.ac.uk</values>
</ignore-email-address-errors>
<ignore-functional-id-owner>
<values>random.person@someother.ac.uk</values>
</ignore-functional-id-owner>
</rules-extension-properties>
view raw rules-config.xml hosted with ❤ by GitHub

Add the System.Xml Import and declare the variables, so they are global:

Imports Microsoft.MetadirectoryServices
Imports System
Imports System.directoryservices
Imports ActiveDs
Imports System.Globalization
Imports Microsoft.MetadirectoryServices.Logging
Imports System.IO
Imports System.Xml
Public Class MAExtensionObject_MYADMA
Implements IMASynchronization
'Date & Logginglevel variables for logging files:
Dim dtDateNowHour As Integer = Date.Now.Hour
Dim dtDateNowDay As Integer = Date.Now.Day
Dim dtDateNowMonth As Integer = Date.Now.Month
Dim dtDateNowYear As Integer = Date.Now.Year
Dim loggingLevel As Integer = 0
Dim ValidMailSuffixes As String
Dim IgnoreFunctionalIDOwner As String
Dim IgnoreEmailAddressErrors As String
view raw declarations.vb hosted with ❤ by GitHub

Add the code to read the xml file into the Initialize Sub:

Public Sub Initialize() Implements IMASynchronization.Initialize
Try
Dim config As XmlDocument = New XmlDocument()
config.Load("C:\FIMControl\rules-config.xml")
'
Dim suffixesnode As XmlNode = config.SelectSingleNode("rules-extension-properties/mail-suffixes")
Dim suffixvaluenode As XmlNode = suffixesnode.SelectSingleNode("values")
Dim suffixesvalue As String = suffixvaluenode.InnerText
ValidMailSuffixes = suffixvaluenode.InnerText
'
Dim ieaenode As XmlNode = config.SelectSingleNode("rules-extension-properties/ignore-email-address-errors")
Dim ieeavaluenode As XmlNode = ieaenode.SelectSingleNode("values")
Dim ieaevalue As String = ieeavaluenode.InnerText
IgnoreEmailAddressErrors = ieeavaluenode.InnerText
'
Dim ifionode As XmlNode = config.SelectSingleNode("rules-extension-properties/ignore-functional-id-owner")
Dim ifiovaluenode As XmlNode = ifionode.SelectSingleNode("values")
Dim ifiovalue As String = ifionode.InnerText
IgnoreFunctionalIDOwner = ifiovaluenode.InnerText
Catch nre As NullReferenceException
'If a tag does not exist in the xml, then the stopped-extension-dll error will be thrown.
Throw nre
Catch e As Exception
Throw e
End Try
End Sub
view raw initializesub.vb hosted with ❤ by GitHub

Then, when you wish to look for those values within those variables – just like in the last post:

Case "emailAddressPresent-ADMA-Import"
'AD attributes required: mail and msExchHomeServerName
' Default setting = False
mventry("emailAddressPresent").Value = "False"
If csentry("mail").IsPresent And csentry("msExchHomeServerName").IsPresent Then
Dim suffix() As String = Split((csentry("mail").Value), "@")
If ValidMailSuffixes.Contains(suffix(1).ToLower) Then
mventry("emailAddressPresent").Value = "True"
Else
'If a suffix from the above is not found - raise an error, so that the suffix can be added to the text file or simply sorted out - where a mistake was made.
Throw New Exception("Invalid email suffix found: " & suffix(1))
End If
ElseIf csentry("mail").IsPresent And csentry("mailNickName").IsPresent Then
'This person is a mail enabled user, maybe with an island site email address or just something else, so we want them to be able to be added to distribution lists....
mventry("emailAddressPresent").Value = "True"
End If
view raw emailaddresspresent-adma-import.vb hosted with ❤ by GitHub

An Update on my Generic Array From File post

, , 0 Comments

In this post: https://blog.oholics.net/a-generic-array-from-file-function-to-cope-with-inevitable-exceptions/, I documented a method of generating an array of values from a text file.

While I was happy that this method worked, I was not entirely happy with the fact that I still had some hard coded values in the code. However, the way that the function operated meant that if I took my collection of mail suffixes (20+) and added them all to the text file, then the array would be built for each and every user that passed through the dll, not too efficient!

So, I was looking for something a little more elegant. I was happy for the array to simply be defined when the dll was loaded.

Here is my solution:

At the beginning of my AD MA, I declare my dates and logging levels etc, then generate those arrays using the function. These arrays are now static and are good for processing all users without being regenerated.

Public Class MAExtensionObject_MYADMA
Implements IMASynchronization
'Date & Logginglevel variables for logging files:
Dim dtDateNowHour As Integer = Date.Now.Hour
Dim dtDateNowDay As Integer = Date.Now.Day
Dim dtDateNowMonth As Integer = Date.Now.Month
Dim dtDateNowYear As Integer = Date.Now.Year
Dim loggingLevel As Integer = 0
'
Dim ValidMailSuffixes As ArrayList = generateArrayFromFile("C:\FIMControl\ValidMailSuffixes.txt") ' Extra suffixes can be added to the text file defined here
Dim IgnoreFunctionalIDOwner As ArrayList = generateArrayFromFile("C:\FIMControl\IgnoreFunctionalIDOwner.txt") ' Extra odd functionalID owners can be added to the text file defined here
Dim IgnoreEmailAddressErrors As ArrayList = generateArrayFromFile("C:\FIMControl\IgnoreEmailAddressErrors.txt") ' Extra odd email addresses can be added to the text file defined here
'
Public Function generateArrayFromFile(ByVal file As String) As ArrayList
Dim arrayFromFile As New ArrayList()
Try
Dim reader As New System.IO.StreamReader(file)
While Not (reader.Peek() = -1)
arrayFromFile.Add(reader.ReadLine())
End While
reader.Close()
reader.Dispose()
Catch ex As IOException
arrayFromFile.Add(ex.ToString())
End Try
Return arrayFromFile
End Function
view raw declarations.vb hosted with ❤ by GitHub

When I wish to look into the array to validate a valid email suffix for example, I go from this (as in the last post):

Case "emailAddressPresent-ADMA-Import"
'AD attributes required: mail and msExchHomeServerName
' Default setting = False
mventry("emailAddressPresent").Value = "False"
If csentry("mail").IsPresent And csentry("msExchHomeServerName").IsPresent Then
Dim suffix() As String = Split((csentry("mail").Value), "@") 'mail.Split("@")
'Valid/allowed email suffixes are defined in the following array (amend as appropriate):
Dim validMailAddresses() As String = {"blah.ac.uk", "foo.ac.uk", "bar.ac.uk", "otherorg.ac.uk"}
If (Array.IndexOf(validMailAddresses, suffix(1).ToLower) <> -1) Then
mventry("emailAddressPresent").Value = "True"
ElseIf generateArrayFromFile("C:\FIMControl\AdditionalValidMailSuffixes.txt").Contains(suffix(1).ToLower) Then ' Extra suffixes can be added to the text file defined here
mventry("emailAddressPresent").Value = "True"
Else
'If a suffix from the above is not found - raise an error, so that the suffix can be added to the array/ text file or simply sorted out - where a mistake was made.
Throw New Exception("Invalid email suffix found: " & suffix(1))
End If
ElseIf csentry("mail").IsPresent And csentry("mailNickName").IsPresent Then
'This person is a mail enabled user, maybe with an island site email address or just something else so we want them to be able to be added to distribution lists....
mventry("emailAddressPresent").Value = "True"
End If
view raw emailaddresspresent-adma-import.vb hosted with ❤ by GitHub

To this:

Case "emailAddressPresent-ADMA-Import"
'AD attributes required: mail and msExchHomeServerName
' Default setting = False
mventry("emailAddressPresent").Value = "False"
If csentry("mail").IsPresent And csentry("msExchHomeServerName").IsPresent Then
Dim suffix() As String = Split((csentry("mail").Value), "@")
If ValidMailSuffixes.Contains(suffix(1).ToLower) Then
mventry("emailAddressPresent").Value = "True"
Else
'If a suffix from the above is not found - raise an error, so that the suffix can be added to the text file or simply sorted out - where a mistake was made.
Throw New Exception("Invalid email suffix found: " & suffix(1))
End If
ElseIf csentry("mail").IsPresent And csentry("mailNickName").IsPresent Then
'This person is a mail enabled user, maybe with an island site email address or just something else, so we want them to be able to be added to distribution lists....
mventry("emailAddressPresent").Value = "True"
End If
view raw emailaddresspresent-adma-import.vb hosted with ❤ by GitHub

Much cleaner – plus all suffixes can now just reside in a text file.

Note that updates to the text file will only be realised if the dll is reloaded and the array is regenerated. I believe that this is after 5 minutes of inactivity and seems to hold true from testing.

Process To Email The Manager Of A Service Account When Their End Date Is Approaching

, , , 0 Comments

A long term goal of mine, has been to get “account requestors” to take ownership of their Service Accounts.

Attempts have been made by my predecessors to record an owner of a service account, but it has simply been done as a string attribute of the AD object. Thus, when the person leaves and the account is deleted, the service account becomes orphaned, with an reference to a long forgotten ID.

So thinking of a way to carry this out….. I am already using the email address of the owner of an administrative account to make decisions about whether the administrative account should be enabled or disabled – based on the end date of the owner – discovered by looking up the email address in the MV.

I figured that I could do something similar for those Service Accounts. I’ll be creating service accounts via the portal, the owner of the account will be assigned to the manager attribute. So, how can I get the email address of the manager into the MV as a thing that I can lookup??? I can’t do an advanced flow rule on the FIMMA, and even if I could, Manager is a reference attribute, so I can’t do it anyway… I found an article about dereferencing another attribute, that get me going down this path….. The solution is simple. Create a new attribute and binding in the portal – “ManagerEmailAddress”, then setup a workflow as follows:

GetManagerEmailAddressWF

When the account falls into scope, the managers email address is set into that new attribute – in the sync engine create a direct flow to put that into the MV (I’m using “serialNumber” – for one reason or another, that I wont go into :)).

I have on the import from AD, some code to set an MV boolean flag – “functionalID” – if the DN of the person object contains the strings found in the Service Account OU’s, thenfunctionalID = True. This attribute is pushed into the portal and is used in set definitions.

So, I’m getting there. Now I need something to set another flag in the MV that will go to the portal. this one defines if the owner of the Service Account is approaching their end date (30 days prior):It is defined on the Import from AD and populates the MV attribute “functionalID-owner-expiring”

Case "functionalID-owner-expiring-ADMA-Import"
If csentry.DN.ToString.ToLower.Contains("service") Or csentry.DN.ToString.ToLower.Contains("somethingelse") Then
If mventry("serialNumber").IsPresent Then
Dim AdminEntry() As MVEntry = Utils.FindMVEntries("mail", mventry("serialNumber").Value)
If AdminEntry.Length <> 0 Then
'We got an entry, so work with it... If the employeeEndDate of the parent account is within 30 days, set the flag - used in the portal to email the manager of the account.
If AdminEntry(0).Item("employeeEndDate").IsPresent Then
Dim EndDate As Date = DateTime.ParseExact(AdminEntry(0).Item("employeeEndDate").Value.ToString, "yyyy-MM-ddTHH:mm:ss.000", provider).Date
Dim nowTime As Date = Date.Now.Date.AddDays(30)
If EndDate <= nowTime Then
'the parent account will be disabled within 30 days, so set the expiry flag in the MV to true:
mventry("functionalID-owner-expiring").BooleanValue = True
ElseIf EndDate > nowTime Then
'the parent account is still active so set the flag to false:
mventry("functionalID-owner-expiring").BooleanValue = False
End If
End If
ElseIf AdminEntry.Length = 0 Then
If Not generateArrayFromFile("C:\FIMControl\IgnoreFunctionalIDOwner.txt").Contains(mventry("serialNumber").Value.ToLower) Then
Throw New FailedSearchException("Functional ID Owner NOT Found!" & mventry("accountName").Value.ToLower)
End If
End If
End If
view raw functionalid-owner-expiring-adma-import.vb hosted with ❤ by GitHub

Of course after initial code definition, I found another of those inevitable exceptions, so added the generateArrayFromFile function, with a reference (in txt file) to the email address that should be ignored.

Create attribute and binding in the portal for FunctionalID-owner-expiring

Setup an Export in the FIMMA for the new attribute

Create a set: FunctionalID = True and FunctionalID-owner-expiring = True.

Create notification workflow and mail template: notification to [//Target/Manager], then the set transition MPR.

I think I have it, just need to do a little testing to see that it works as expected.

I’m still a long way from the stated goal, as I still need to find “owners” for all of those accounts that have been created in the past.

A Generic Array From File Function To Cope With Inevitable Exceptions

, , 0 Comments

In the last few days, I have had a few more exceptions to cope with in my FIM Config.

  1. Another new mail suffix
  2. A user who is employed by one tenant, who has that tenants email address suffix; but who is on secondment to another tenant, who have a different mail suffix. The users attributes have been changed in the HR system, so that they gain access to the stuff in the other tenant, which is controlled by automatic groups, based on attribute data!

So, I’d been thinking for a while about having a method to add exceptions without having to add them to the code directly and thus forcing a rebuild followed by full syncs. I found a nice function to read a text file to an array, this is added to the top of the dll after the lines:

Public Class MAExtensionObject_YourMA
Implements IMASynchronization

Public Function generateArrayFromFile(ByVal file As String) As ArrayList
Dim arrayFromFile As New ArrayList()
Try
Dim reader As New System.IO.StreamReader(file)
While Not (reader.Peek() = -1)
arrayFromFile.Add(reader.ReadLine())
End While
reader.Close()
reader.Dispose()
Catch ex As IOException
arrayFromFile.Add(ex.ToString())
End Try
Return arrayFromFile
End Function
view raw generatearrayfromfile.vb hosted with ❤ by GitHub

So, to put this use – take my previous port regarding generating validating email addresses: https://blog.oholics.net/defining-a-unique-email-address-and-validating-mail-suffix/, at line 97 I ask “Does the suffix match?” This chunk is now as follows:

'Does the suffix match?
If mventry.Item("mail").Value.ToLower.IndexOf(mailSuffix.ToLower) = -1 Then
'the suffix does not match, so raise an error..... Unless, the email address (in lower case) is in the text file referenced below...
If Not generateArrayFromFile("C:\FIMControl\IgnoreEmailAddressErrors.txt").Contains(mventry("mail").Value.ToLower) Then
Throw New Exception("Wrong email suffix for user with email address: " & mventry("mail").Value & " , suffix should be " & mailSuffix)
End If
End If
view raw suffixnomatch.vb hosted with ❤ by GitHub

So, the referenced file simply has the email address of the user that I don’t want to be alerted about. If the email address does not match the expected value, look in the array generated from the text file; if it in not in there either raise an error to get this fixed or investigated.

Regarding the valid mail suffixes – I posted about this already: https://blog.oholics.net/emailaddresspresent-flag-setting-and-checking-email-suffix-validity/.

I have a hardcoded list of those that are already in use in the dll, if the suffix is not found in that array, it does a lookup of the array generated from the “suffixes” text file, if it is not in there it raises an error:

Case "emailAddressPresent-ADMA-Import"
'AD attributes required: mail and msExchHomeServerName
' Default setting = False
mventry("emailAddressPresent").Value = "False"
If csentry("mail").IsPresent And csentry("msExchHomeServerName").IsPresent Then
Dim suffix() As String = Split((csentry("mail").Value), "@") 'mail.Split("@")
'Valid/allowed email suffixes are defined in the following array (amend as appropriate):
Dim validMailAddresses() As String = {"blah.ac.uk", "foo.ac.uk", "bar.ac.uk", "otherorg.ac.uk"}
If (Array.IndexOf(validMailAddresses, suffix(1).ToLower) <> -1) Then
mventry("emailAddressPresent").Value = "True"
ElseIf generateArrayFromFile("C:\FIMControl\AdditionalValidMailSuffixes.txt").Contains(suffix(1).ToLower) Then ' Extra suffixes can be added to the text file defined here
mventry("emailAddressPresent").Value = "True"
Else
'If a suffix from the above is not found - raise an error, so that the suffix can be added to the array/ text file or simply sorted out - where a mistake was made.
Throw New Exception("Invalid email suffix found: " & suffix(1))
End If
ElseIf csentry("mail").IsPresent And csentry("mailNickName").IsPresent Then
'This person is a mail enabled user, maybe with an island site email address or just something else so we want them to be able to be added to distribution lists....
mventry("emailAddressPresent").Value = "True"
End If
view raw emailaddresspresent-adma-import.vb hosted with ❤ by GitHub

Console App for enumerating userAccountControl integer values

, 0 Comments

When trying something new out with FIM Development, I often see how to do it in a console app beforehand. Then once I have the process/ method worked out, I translate it into FIM code. Usually this is a very clean process and is quicker than editing the FIM code directly, then doing sync’s on individual accounts.

When I was initially looking at exporting userAccountControl values to AD, I used Jorge’s code snippet: https://jorgequestforknowledge.wordpress.com/2010/07/29/managing-the-useraccountcontrol-attribute-in-ad-by-fim/ as the basis for my code. Initially, I had some difficulty understanding the differences between the “Or’s and And’s”, so used a console app to understand what integer values the different combinations made. The list of flags can be found here: https://msdn.microsoft.com/en-us/library/windows/desktop/aa772300(v=vs.85).aspx

My userAccountControl Export code became a bit of a monster, due to the number of rules needed to match the existing configuration.

The console app is super simple – fiddle with the different flags and operators to see the different results:

Imports ActiveDs
Module Module1
Sub Main()
Dim UACValue1 As Long
Dim UACValue2 As Long
Dim UACValue3 As Long
UACValue1 = ADS_USER_FLAG.ADS_UF_NORMAL_ACCOUNT Or ADS_USER_FLAG.ADS_UF_DONT_EXPIRE_PASSWD And (Not ADS_USER_FLAG.ADS_UF_ACCOUNTDISABLE)
UACValue2 = ADS_USER_FLAG.ADS_UF_NORMAL_ACCOUNT Or ADS_USER_FLAG.ADS_UF_PASSWD_CANT_CHANGE Or ADS_USER_FLAG.ADS_UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION
UACValue3 = ADS_USER_FLAG.ADS_UF_NORMAL_ACCOUNT Or ADS_USER_FLAG.ADS_UF_SMARTCARD_REQUIRED Or ADS_USER_FLAG.ADS_UF_TRUSTED_FOR_DELEGATION
Console.WriteLine(UACValue1 & " " & UACValue2 & " " & UACValue3)
Console.ReadLine()
End Sub
End Module
view raw console-app.vb hosted with ❤ by GitHub

Note, that you need to add the reference to “Active DS Type Library”, else you will get squiggles under “ADS_USER_FLAG”:

AddDSRef

Amending/ Changing IE Proxy Settings, Continued

, 0 Comments

After sorting through the data that I obtained from the collection script, removing duplicates, etc. The result set was slightly messier than I expected, quite a few manually added entries and incorrect ones.

Anyway, to get the bulk of the changes implemented, I’m just targeting the large expected set – those with VPN settings labelled SITE1 PPTP and SITE1 VPN (anonymised…). Those with SITE2 PPTP have the settings, that were previously enforced by another script, have them enforced here too. This script will take the place of the existing one.

New machines, who do not have the settings already have them defined. Anyway here it is:

' LOOKUP_SET_IE_VPN_PROXIES.VBS
' Jon Bryan Jan 2016
' Run as a user logon script, via GPO.
' Fixes those defined VPN Proxy settings "SITE1 PPTP" and "SITE1 VPN" - no tick boxes or text boxes filled.
' Retains and enforces the normal value for SITE2 based VPN Proxy settings.
' Will replace the existing SET_IE_VPN_PROXIES.VBS script, if the expected VPN Proxy settings are not found, they are added.
'
OPTION EXPLICIT
ForceScriptEngine("cscript")
Const HKEY_CURRENT_USER = &H80000001
Dim WSHNetwork, strComputer, strKeyPath, arrValueNames, arrValueTypes, i, strValueName, objReg, arrValues, errReturn, arraystrValueName
Set WSHNetwork = CreateObject("WScript.Network")
strComputer = WSHNetwork.ComputerName
arraystrValueName=""
Set objReg=GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & strComputer & "\root\default:StdRegProv")
strKeyPath = "Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections"
objReg.EnumValues HKEY_CURRENT_USER, strKeyPath, arrValueNames, arrValueTypes
For i=0 To UBound(arrValueNames)
If arrValueNames(i)="DefaultConnectionSettings" or arrValueNames(i)="SavedLegacySettings" or arrValueNames(i)="" Then
'Do Nothing
Else
strValueName = arrValueNames(i)
'Setup collection of "VPN Names" to check through at the end - used to see if the normal ones are there and add if not.
If arraystrValueName="" Then
arraystrValueName=strValueName
Else
arraystrValueName=arraystrValueName & "," & strValueName
End If
' Enforce SITE2 PPTP settings - standard - proxy.pac
If strValueName = "SITE2 PPTP" Then
arrValues = Array(70,0,0,0,3,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,39,0,0,0,104,116,116,112,58,47,47,109,121,112,114,111,120,121,115,101,114,118,101,114,46,98,108,97,104,46,99,111,109,47,112,114,111,120,121,46,112,97,99,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0)
errReturn = objReg.SetBinaryValue (HKEY_CURRENT_USER, strKeyPath, strValueName, arrValues)
End If
' Enforce new SITE1 settings - blanking all ticks and dialogs - looking for two names.
If strValueName = "SITE1 PPTP" Then
arrValues = Array(70,0,0,0,2,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0)
errReturn = objReg.SetBinaryValue (HKEY_CURRENT_USER, strKeyPath, strValueName, arrValues)
End If
If strValueName = "SITE1 VPN" Then
arrValues = Array(70,0,0,0,2,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0)
errReturn = objReg.SetBinaryValue (HKEY_CURRENT_USER, strKeyPath, strValueName, arrValues)
End If
End If
Next
'Check for existence of VPN settings that should be pushed out be default:
If Instr(arraystrValueName ,"SITE1 PPTP") = 0 then
' SITE1 PPTP not found, so add it
strValueName = "SITE1 PPTP"
arrValues = Array(70,0,0,0,2,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0)
errReturn = objReg.SetBinaryValue (HKEY_CURRENT_USER, strKeyPath, strValueName, arrValues)
End If
If Instr(arraystrValueName ,"SITE2 PPTP") = 0 then
' SITE2 PPTP not found, so add it
strValueName = "SITE2 PPTP"
arrValues = Array(70,0,0,0,3,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,39,0,0,0,104,116,116,112,58,47,47,109,121,112,114,111,120,121,115,101,114,118,101,114,46,98,108,97,104,46,99,111,109,47,112,114,111,120,121,46,112,97,99,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0)
errReturn = objReg.SetBinaryValue (HKEY_CURRENT_USER, strKeyPath, strValueName, arrValues)
End If
'TIDY UP
Set WSHNetwork = Nothing
Set strComputer = Nothing
Set objReg = Nothing
Set strKeyPath = Nothing
Set arrValueNames = Nothing
Set arrValueTypes = Nothing
Set i = Nothing
Set strValueName = Nothing
Set arrValues = Nothing
Set errReturn = Nothing
Set arraystrValueName = Nothing
'++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Sub ForceScriptEngine(strScriptEng)
' Forces this script to be run under the desired scripting host.
' Valid arguments are "wscript" or "cscript".
' The command line arguments are passed on to the new call.
Dim arrArgs
Dim strArgs
For Each arrArgs In WScript.Arguments
strArgs = strArgs & " " & Chr(34) & arrArgs & Chr(34)
Next
If Lcase(Right(Wscript.FullName, 12)) = "\wscript.exe" Then
If Instr(1, Wscript.FullName, strScriptEng, 1) = 0 Then
CreateObject("Wscript.Shell").Run "cscript.exe //Nologo " & _
Chr(34) & Wscript.ScriptFullName & Chr(34) & strArgs
Wscript.Quit
End If
Else
If Instr(1, Wscript.FullName, strScriptEng, 1) = 0 Then
CreateObject("Wscript.Shell").Run "wscript.exe " & Chr(34) & _
Wscript.ScriptFullName & Chr(34) & strArgs
Wscript.Quit
End If
End If
End Sub
view raw lookup_set_ie_vpn_proxies.vbs hosted with ❤ by GitHub

Yubikey Neo

, , 0 Comments

So this is not directly relevant to FIM per se, but it falls under the kind of IdM/ Authentication umbrella, so I thought it belonged here….

In December 2014, I bought a Yubikey Neo. I wanted to see how it could be used to harden access to some sensitive “stuff”.

These are really cool devices; they are relatively inexpensive (~£36), yet provide a bunch of functionality all on one device, some of which I have not used.

The components that I did use were:

  • Yubico OTP – the One Time Passcode functionality that is present OOB – used to sign into the Yubico Forums
  • U2F – I use this for 2FA for my Google accounts and this blog – it is very simple to set up this 2FA method across multiple services. Look here for more information: https://www.yubico.com/applications/fido/
  • SmartCard (PIV) – this was the part that I was really interested in for securing stuff within the enterprise. I had recently installed a Windows PKI Infrastructure, so used that to generate trusted SmartCard Logon Certificates to install onto the devices. Look here for configuration docs: https://developers.yubico.com/yubico-piv-tool/

As with most of these things the documentation was initially difficult to read, there were various command line tools to manage different aspects of the Yubikeys, some of them had bugs at the time.

Anyway, long story short, back then I got it configured just how I wanted and used it daily ever since. However, just before Christmas, the SmartCard certificate that I had generated the previous year expired. Thus, the SmartCard functionality of the Yubikey became invalid.

I generated myself a new certificate from my CA, then came to try to remove the old certificate from one of my Yubikeys. I could not because I needed to authenticate against the device to carry out this action. The authentication string (aka password) is called the Management Key, that is (should be) changed from the default value when configuring the device. I went on the scrounge trying to find the key for this particular device, I found my old notes (command line dumps) from the previous year, there were a few management Keys within but not one for this particular device.

So, I might as well reset it, back to the docs: https://developers.yubico.com/yubico-piv-tool/YubiKey_PIV_introduction.html, in order to be able to reset the device, I first need to lock the device, by providing bad PIN and PUK values:

yubico-piv-tool -a verify-pin -P 4711
yubico-piv-tool -a verify-pin -P 4711
yubico-piv-tool -a verify-pin -P 4711
yubico-piv-tool -a verify-pin -P 4711
yubico-piv-tool -a change-puk -P 4711 -N 67567
yubico-piv-tool -a change-puk -P 4711 -N 67567
yubico-piv-tool -a change-puk -P 4711 -N 67567
yubico-piv-tool -a change-puk -P 4711 -N 67567
yubico-piv-tool -a reset
view raw yubico-piv-tool-reset.txt hosted with ❤ by GitHub

OK, so now I need a new management key….. The docs use dd to generate the key:

key=`dd if=/dev/random bs=1 count=24 2>/dev/null | hexdump -v -e '/1 "%02X"'`
echo $key
yubico-piv-tool -a set-mgm-key -n $key
view raw generate-management-key.sh hosted with ❤ by GitHub

At the time, I didn’t have easy access to a Unix system to do this, but more importantly I wanted to find a way to achieve the same result in Windows, using PowerShell. This would allow me to script the whole process. Here is the script to create the management key (For info about what “{0:X2}” means, look here: http://www.powershellmagazine.com/2012/10/12/pstip-converting-numbers-to-hex/)

$i=0
Do
{
$rnd=get-random -Minimum 0 -Maximum 255
$result=$result+"{0:X2}" -f $rnd
$i=$i+1
}
Until($i -eq 24)
Write-Host "Management Key:" $result
view raw generate-management-key.txt hosted with ❤ by GitHub

I have now re-written a script that I put together last year to add initialise a new or reset Yubikey (with PIV support) and add a user SmartCard certificate from a Windows CA:

#===================================================================================================
# Generate the Management Key:
$i=0
Do
{
$rnd=get-random -Minimum 0 -Maximum 255
$MgmtKey=$MgmtKey+"{0:X2}" -f $rnd
$i=$i+1
}
Until($i -eq 24)
Write-Host "Management Key:" $MgmtKey
#===================================================================================================
# Setup some Variables:
$PIN=98765432
$PUK=23894832
$Template="CertificateTemplate:My_Smartcard_Logon" # SmartCard Logon Template name from your CA
$DN="/CN=MyAccount/OU=myOU/DC=blah/DC=ac/DC=uk/" # ADDN of the user requesting the certificate
$Path="C:\<SomePath>\yubico-piv-tool-1.2.2-win64\bin"
#===================================================================================================
# Initialise the Yubikey:
Invoke-Expression -Command "$path\yubico-piv-tool.exe -a set-mgm-key -n $MgmtKey"
Invoke-Expression -Command "$path\yubico-piv-tool.exe --key=$MgmtKey -a change-pin -P 123456 -N $PIN"
Invoke-Expression -Command "$path\yubico-piv-tool.exe --key=$MgmtKey -a change-puk -P 12345678 -N $PUK"
Invoke-Expression -Command "$path\yubico-piv-tool.exe -a verify-pin -P $PIN"
#===================================================================================================
# Generate, request and install the SmartCard Certificate:
Invoke-Expression -Command "$path\yubico-piv-tool.exe --key=$MgmtKey -s 9a -a generate -o $Path\public.pem"
Invoke-Expression -Command "$path\yubico-piv-tool.exe -a verify-pin -P $PIN -s 9a -a request-certificate -S $DN -i $Path\public.pem -o $Path\request.csr"
Invoke-Expression -Command "certreq -config '<FQDN of CA Server>\<Name Of Certification Authority>' -submit -attrib $Template $Path\request.csr $Path\cert.crt"
Invoke-Expression -Command "$path\yubico-piv-tool.exe --key=$MgmtKey -s 9a -a import-certificate -i $Path\cert.crt"
Invoke-Expression -Command "$path\yubico-piv-tool.exe --key=$MgmtKey -a set-chuid"
#===================================================================================================
view raw yubikey-piv-initialisation.txt hosted with ❤ by GitHub

U2F Login for WordPress – OPENSSL_VERSION_NUMBER Undefined

, 0 Comments

While looking to get this working: https://github.com/shield-9/u2f-login/, I was seeing errors in the http logs referring to OPENSSL_VERSION_TEXT. These were being generated by the following lines in the u2f.php file:

public function __construct($appId, $attestDir = null) {
if(OPENSSL_VERSION_NUMBER < 0x10000000) {
throw new Error('OpenSSL has to be atleast version 1.0.0, this is ' . OPENSSL_VERSION_TEXT, ERR_OLD_OPENSSL);
}
$this->appId = $appId;
$this->attestDir = $attestDir;
}
view raw openssl_version_number.php hosted with ❤ by GitHub

After running a few more tests, it seemed that this PHP Constant should have been defined, but was not. Goggling didn’t provide any quick answers, but I soon worked it out for myself.

In the php.ini file (under arch in /etc/php/), uncomment the line: “extension=openssl.so” and restart httpd. Once the extension is enabled, the Constant is then available.

In the end I did not use this plugin, I was unable to register my Yubikeys. The plugin seems to have been superseded by this one: http://github.com/georgestephanis/two-factor/. In order to have the ability to use U2F login using this plugin, the openssl.so extension has to be enabled; otherwise, the U2F login option is not available.

1 2 3 4 5