Windows or Office deployment: it’s Microsoft’s shout

Adexis is known in Adelaide as the number one experts in SCCM and windows deployment. Did you know you can engage an Adexis expert and have Microsoft pick up the tab?

Many customers aren’t aware that they’re entitled to a little golden nugget called Desktop Deployment Planning Services. DDPS is a benefit provided by Microsoft to customers who purchase Software Assurance through their Volume Licensing, whereby you can engage qualified partners to provide services for you and Microsoft will put in the dollars. In addition to our SCCM and deployment expertise, Adexis is also a qualified Desktop Deployment Planning Services partner, meaning you can engage us under this scheme.
Through this scheme we can help you to plan and/or implement on-premises, cloud-based or hybrid solutions for the deployment of Windows and Office to your user base, utilising products including SCCM, Windows, Office and Office 365.

Imagine, for example, that you would like to try out Windows 10 for your users. In order to do that you would need to assess its suitability and compatibility, plan an upgrade of SCCM to 1606 or later, plan the Windows deployment and implement both solutions. These are services that Adexis can help you with, and they can be provided for under Desktop Deployment Planning Services. Perhaps you’ve been thinking about doing an upgrade like this but budget constraints have proven to be a challenge. This is where DDPS comes in.

Microsoft does, however, have some strict guidelines on how these services can be utilised. For example, they can only be utilised for the improvement of your environment using approved products. So, don’t be thinking “I can get that tricky issue fixed in my SCCM environment”; Microsoft won’t cover that one. Engagements are set up in groups of days and can allocate funds of between $3,000 and $15,000.

So, you’ve decided you’d like to utilise your entitlement, how do you go about it?
The first step is to call us and let us know what you have in mind. We can provide some guidance on what is eligible and what would need to be covered by you. You should also check your eligibility with Microsoft by visiting the Volume Licensing Service Centre (VLSC). You can also download the DDPS Fact Sheet for more information. Once we’ve worked together to come up with a scope of work and an understanding of its eligibility for DDPS, you can assign a voucher to Adexis to start the work. Here’s how:

1. Sign into VLSC.
2. Select Software Assurance from the top menu.
3. Click Planning Services. This will take you to the Manage Software Assurance Benefits page.
4. Click the LicenseID for which you want to manage Planning Services. This will take you to the Benefit Summary page.
5. Select Planning Services.
6. Select the voucher type and service level (length of the engagement in days).
7. Assign the Planning Services voucher to a project manager within your organization by entering their name and email address, and any special instructions.
8. Click Confirm Voucher Assignment.
9. Once the voucher is created, click Assign Voucher. This takes you to a benefit details page confirming voucher information, including voucher status and expiration date.
10. You can then assign this voucher to Adexis by searching for our name or using our Microsoft ID: 1388832
That’s it!
We manage the rest of the paperwork on your behalf and you’re good to go with your engagement.

To find out more or to get started on your engagement under Microsoft Software Assurance Planning Services with Adexis give us a call on (08) 7228 6188 or email us at Contact@Adexis.com.au

ADFS, WAP and updating their public certificates

Renewing public certificates within an environment is always a bit of a pain – especially when you use the same certificate on a range of different systems and have to update each manually! When you’ve got a number of web-based systems that you publish externally, using a reverse proxy such as a Microsoft Web Application Proxy (WAP) can make the task a little less tedious.

With WAP, you can use a single wildcard certificate to publish any number of web-based services to the public internet. When you need to update the public certificate, you only need to update it in the one place – you don’t need to update each individual web service. In addition, WAP can also act as an Active Directory Federation Services Proxy (ADFS Proxy) – this allows you to present your ADFS infrastructure to the public internet without directly exposing your ADFS server(s).

In general, ADFS and WAP should go hand-in-hand. Internal clients hit the ADFS server directly (via the ADFS namespace), while external clients communicate via the WAP. By doing this, you can also set up different rules in ADFS to define what should happen for external authentication requests compared to internal authentication requests (e.g. two-factor authentication for external, Windows authentication for internal).

Now, both ADFS and WAP need to have a public-signed certificate. What happens when those certificates expire? Obviously you need to renew them and update the configuration – which is what prompted me to write this article. Usually this is a pretty simple process – you import the new certificate into the local computer certificate store on each of your ADFS/WAP servers, then update the configuration.

Initially I noticed I was getting the following in the event logs of the WAP server:

I had a look at the certificate on the ADFS server and sure enough, the certificate thumbprint matched the expired certificate on the ADFS server. Since I was using that certificate on the WAP server as well, I needed to update it in both systems. I started by importing the new public wildcard certificate into both the ADFS and WAP servers.

The next step is to update the configuration. For ADFS, you can pull up the ADFS console and go to the Service\Certificate node. From there, you select the ‘Service Communications’ certificate, hit the ‘Set Service Communications Certificate’ link, then follow the wizard. Then in the ADFS event log I started getting:

Whoops, I forgot to give access to the service account for the private key! In the Certificate Management console, locate the public cert, right-click, select ‘All Tasks’ – ‘Manage Private Keys’ and make sure the service account has full access. I restarted the ADFS service (adfssrv) and the ADFS server looked to start up successfully. Or so I thought.

Assuming ADFS was all good, I then proceeded to update the main proxy certificate in WAP. To do this you really only have the option to use a PowerShell command:

…and of course I was still getting trust errors. In the end I removed and re-added the WAP role to the server (it was a development environment, and since the rules and configuration are stored with ADFS, it wasn’t a huge issue). When trying to re-create the trust to the ADFS server via the wizard, I was getting a trust error, along with the following in the event log:

Odd. I could resolve and ping the ADFS server (both directly and via the ADFS namespace), and the credentials used were an administrator on the remote server. The new certificate was showing correctly in the ADFS console, and the event logs on the ADFS server indicated it was all fine. So I started going through all the config via PowerShell instead. After a bit of investigation, I ran the Get-AdfsSslCertificate command. Despite the ADFS console showing the correct certificate, PowerShell was still showing the old one!

I ran Get-ChildItem -Path Cert:\LocalMachine\My to get the thumbprint of the new certificate, then Set-AdfsSslCertificate -Thumbprint <newthumbprint> to set it. I restarted the service with Restart-Service adfssrv and double-checked the certificate. Ok, NOW we were looking good.

As it turns out, the GUI wizard updates the Service Communications certificate in the ADFS configuration database, but not the SSL binding on HTTP.sys, which is what Get-AdfsSslCertificate reports and Set-AdfsSslCertificate changes. The two can drift apart, and WAP trusts whatever HTTP.sys actually presents.
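The following script is an added example, not part of the original article or a Microsoft-provided tool: it puts the checks above into one pass so that the configuration-database certificate and the HTTP.sys binding are compared side by side before and after the change, rather than trusting the console. It uses the real ADFS module cmdlets named in the article (Get-AdfsCertificate, Get-AdfsSslCertificate, Set-AdfsCertificate, Set-AdfsSslCertificate); the $NewThumbprint parameter is a placeholder you supply, and the private-key ACL is only reported, not modified (that step stays in the ‘Manage Private Keys’ dialog).

```powershell
# Added example: detect and fix drift between the AD FS configuration database and
# the HTTP.sys SSL binding after renewing the Service Communications certificate.
# Run in an elevated PowerShell session on the AD FS server.
# $NewThumbprint is a placeholder: pass the thumbprint of the renewed certificate.
param(
    [Parameter(Mandatory = $true)][string]$NewThumbprint
)
Import-Module ADFS

# Thumbprints copied from the certificate GUI often carry spaces; strip them
$NewThumbprint = ($NewThumbprint -replace '\s', '').ToUpper()

# 1. The renewed certificate must be in the machine store, unexpired, with a private key
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $NewThumbprint }
if (-not $cert)                 { throw "Thumbprint $NewThumbprint not found in Cert:\LocalMachine\My" }
if (-not $cert.HasPrivateKey)   { throw "Certificate $NewThumbprint has no private key; AD FS cannot use it" }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $NewThumbprint expired on $($cert.NotAfter)" }

# The service account needs Read on that private key (the step the article forgot);
# report which account that is so it can be checked under 'Manage Private Keys'
$svcAccount = (Get-CimInstance Win32_Service -Filter "Name='adfssrv'").StartName
Write-Host "adfssrv runs as '$svcAccount'; confirm it has Read on the private key of $($cert.Subject)"

# 2. What the configuration database says versus what HTTP.sys is actually serving
$configThumb = (Get-AdfsCertificate -CertificateType Service-Communications).Thumbprint
$bindings    = Get-AdfsSslCertificate          # one row per hostname/port binding

Write-Host "Config DB Service-Communications : $configThumb"
$bindings | ForEach-Object {
    Write-Host ("HTTP.sys binding {0}:{1} -> {2}" -f $_.HostName, $_.PortNumber, $_.CertificateHash)
}

# 3. Fix whichever side still points at the old certificate
if ($configThumb -ne $NewThumbprint) {
    Write-Host "Updating Service Communications certificate in the configuration database"
    Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint $NewThumbprint
}
if ($bindings | Where-Object { $_.CertificateHash -ne $NewThumbprint }) {
    # This is the part the GUI wizard does not do: rebind HTTP.sys
    Write-Host "Rebinding HTTP.sys to $NewThumbprint"
    Set-AdfsSslCertificate -Thumbprint $NewThumbprint
}
Restart-Service adfssrv

# 4. Verify: every binding must now present the new certificate
$stale = Get-AdfsSslCertificate | Where-Object { $_.CertificateHash -ne $NewThumbprint }
if ($stale) {
    throw "HTTP.sys still has stale bindings:`n$($stale | Format-Table HostName, PortNumber, CertificateHash | Out-String)"
}
Write-Host "Configuration database and HTTP.sys bindings both use $NewThumbprint"
```

Running it before touching anything (or with the old thumbprint) is a cheap way to see the drift: the console and Get-AdfsCertificate will agree with each other while Get-AdfsSslCertificate disagrees, which is exactly the state that produced the WAP trust errors above.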

I re-ran the WAP wizard and everything started working correctly.

One other thing to take note of: the above commands are all about updating certificates specifically for ADFS and the ADFS Proxy (WAP). If you have additional published rules in WAP, each of them stores its own external certificate thumbprint, so you’ll need to update the thumbprint against those as well!
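As an added example (not from the original article), the WAP side of the same renewal: update the proxy’s own SSL binding and then walk every published application, rewriting the ones that still carry the old thumbprint. It uses the real WebApplicationProxy module cmdlets (Get-/Set-WebApplicationProxySslCertificate, Get-/Set-WebApplicationProxyApplication); $OldThumbprint and $NewThumbprint are placeholders, and the service names adfssrv and appproxysvc are assumed to be the two WAP services on the box.

```powershell
# Added example: roll a renewed public certificate across a Web Application Proxy.
# Run in an elevated PowerShell session on the WAP server.
# $OldThumbprint / $NewThumbprint are placeholders for the expiring and renewed certs.
param(
    [Parameter(Mandatory = $true)][string]$OldThumbprint,
    [Parameter(Mandatory = $true)][string]$NewThumbprint
)
Import-Module WebApplicationProxy

$OldThumbprint = ($OldThumbprint -replace '\s', '').ToUpper()
$NewThumbprint = ($NewThumbprint -replace '\s', '').ToUpper()

# The renewed certificate (with private key) must already be imported on this server
$cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $NewThumbprint }
if (-not $cert -or -not $cert.HasPrivateKey) {
    throw "Certificate $NewThumbprint with a private key not found in Cert:\LocalMachine\My"
}

# 1. The AD FS proxy binding: this is the one the article's single PowerShell command changes
Get-WebApplicationProxySslCertificate | ForEach-Object {
    Write-Host ("Proxy binding {0}:{1} -> {2}" -f $_.HostName, $_.PortNumber, $_.CertificateHash)
}
Set-WebApplicationProxySslCertificate -Thumbprint $NewThumbprint

# 2. Each published application keeps its own ExternalCertificateThumbprint,
#    so a proxy-level change does not touch them
$apps  = Get-WebApplicationProxyApplication
$stale = $apps | Where-Object { $_.ExternalCertificateThumbprint -eq $OldThumbprint }
Write-Host "$($apps.Count) published application(s); $($stale.Count) still on the old certificate"

foreach ($app in $stale) {
    Write-Host "Updating '$($app.Name)' ($($app.ExternalUrl))"
    Set-WebApplicationProxyApplication -ID $app.ID -ExternalCertificateThumbprint $NewThumbprint
}

# 3. Anything left on a different certificate is either a deliberate per-app cert
#    or a miss worth a second look
$other = Get-WebApplicationProxyApplication |
    Where-Object { $_.ExternalCertificateThumbprint -ne $NewThumbprint }
if ($other) {
    Write-Host "Applications not using $NewThumbprint (review these):"
    $other | Format-Table Name, ExternalUrl, ExternalCertificateThumbprint -AutoSize
}

# Restart the proxy services so the new bindings are picked up (assumed service names)
Restart-Service -Name adfssrv, appproxysvc
```

Filtering on the old thumbprint rather than blindly stamping the new one onto every application matters when some published services legitimately use a different certificate (say, a non-wildcard name); those are reported at the end instead of being overwritten.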