Welcome!

Microservices Expo Authors: Liz McMillan, Pat Romanski, Gopala Krishna Behara, Sridhar Chalasani, Tirumala Khandrika

Related Topics: Microsoft Cloud, Mobile IoT, Microservices Expo, Containers Expo Blog, Silverlight, Agile Computing

Microsoft Cloud: Blog Post

Why Windows Server 2012 R2: Step-by-Step Workplace Join

Bringing Peace of Mind for BYOD

In Kevin Remde's post this week he talked about many new features for Windows Server 2012 R2 Active directory.  You can find his great post here: What’s New for Active Directory in Server 2012 R2.  One of the new functionalities he mentioned was Workplace Join.  Workplace join allows you to deal with the explosion of devices (Windows and Non-Windows (like iOS) connecting to your organization.  This has you constantly trying to maintain your organizations compliance and security.  Especially with users located all around the world across multiple platforms and devices this is a challenge.

imageIf this sounds like you currently or is soon going to be you then you will want to check out Workplace join.  Workplace join allows users to register devices (including IOS) for single sign-on and access to corporate data.  In today’s article I am going to take a look at how to set this feature up step by step.

This feature does require Windows Server 2012 R2, and you will need to configure Active Directory and Active Directory Federation Services to make this work.  Additionally you will need to create an Enterprise Certificate Authority for the certificates you will need for this service to work properly.  Overall the process is straight forward, but you will need to make sure you dot all your I’s and cross your T’s.  For my environment, I created 4 separate virtual machines to test this out.  I created an AD DC, AD FS server, a Web Server (for testing) and a Windows 8,1 client.  The full configuration and the test application for this configuration can be found here, it is an excellent article: Set up the lab environment for AD FS in Windows Server 2012 R2

Configure the Domain Controller
On the DC you will need to make a Globally Managed Service Account (GMSA).  The GMSA account is required during the AD FS installation and configuration.

  1. Open a PowerShell command window and type:
    Add-KdsRootKey –EffectiveTime (Get-Date).AddHours(-10)

    New-ADServiceAccount FsGmsa -DNSHostName adfs1.contoso.com -ServicePrincipalNames http/adfs1.contoso.com

Note:  This command is for a domain name contoso.com and if your ADFS server is named adfs1.

Configure Your Certificate
When you configure your domain controller you will also want to add and configure the certificate authority services.  Here is a great article for this process here: Configure SSL/TLS  on a Web site in the domain with an Enterprise CA.  However, when you create the certificate you will want to allow for…Also check John’s video out below for a little more detail on how the certificates work.  This is also something you want to make sure you follow closely.

cert

Configure Active Directory Federation Services
On the AD FS server you will need to enroll the certificate from the article above on configuring your Enterprise CA.  When you bring the cert in you will want to make sure you configure it with the follow attributes

  • Subject Name (CN): adfs1.contoso.com
  • Subject Alternative Name (DNS): adfs1.contoso.com
  • Subject Alternative Name (DNS): enterpriseregistration.contoso.com

After you have configure your certificate you need to add the ADFS role

  1. Log onto the server using the domain administrator account ([email protected]).
  2. Open Server Manager. To do this, click Server Manager on the Start screen, or Server Manager in the taskbar on the desktop. In the Quick Start tab of the Welcome tile on the Dashboard page, click Add roles and features. Alternatively, you can click Add Roles and Features on the Manage menu.
  3. On the Before you begin page, click Next.
  4. On the Select installation type page, click Role-based or feature-based installation, and click Next.
  5. On the Select destination server page, click Select a server from the server pool, verify that the target computer is highlighted, and then click Next.
  6. On the Select server roles page, click Active Directory Federation Services, and then click Next.
  7. On the Select features page, click Next.
  8. On the Active Directory Federation Service (AD FS) page, click Next.
  9. After you verify the information on the Confirm installation selections page, select the Restart the destination server automatically if required check box, and then click Install.
  10. On the Installation progress page, verify that everything installed correctly, and then click Close.

After the role is installed you will need to configure the service.  On the Server Manager Dashboard page, click the Notifications flag, and then click Configure the federation service on the server This is for a domain name confoso,com and an ADFS server named adfs1.

  1. The Active Directory Federation Service Configuration Wizard is launched.1.On the Welcome page, select Create the first federation server in a federation server farm and click Next.
  2. On the Connect to AD DS page, specify an account with domain administrator permissions for the contoso.com AD domain that this computer is joined to and then click Next.
  3. On the Specify Service Properties page, do the following and then click Next:
    • Import the SSL certificate that you have obtained earlier. This is the required service authentication certificate. Browse to the location of your SSL certificate.
    • Provide a name for your federation service, type adfs1.contoso.com. This is the same value you provided when enrolling an SSL certificated in AD CS.
    • Provide a display name for your federation service, type, Contoso Corporation.
  4. On the Specify Service Account page, select Use an existing domain user account or group Managed Service Account and then specify the GMSA account (fsgmsa) you created when setting up the domain controller.
  5. On the Specify Configuration Database page, select Create a database on this server using Windows Internal Database and then click Next.
  6. On the Review Options page, verify your configuration selections and click Next.
  7. On the Pre-requisite Checks page, verify that all pre-requisite checks were successfully completed, and then click Configure.
  8. On the Results page, review the results and whether the configuration has completed successfully, and then click Next steps required for completing your federation service deployment.

You will also need to run some PowerShell commands and configurations to finish the ADFS configuration.  In a PowerShell command window run the following commands:

Initialize-ADDeviceRegistration

When prompted for a service account, type contoso\fsgmsa$ (Or whatever account you created)

Enable-AdfsDeviceRegistration

device

NEXT STEP IMPORTANT: After you have run the PowerShell command on your ADFS server open the AD FS Management console.  Navigate to Authentication Policies. Select Edit Global Primary Authentication. Select the checkbox next to Enable Device Authentication and then click OK.

Lastly, you will need to make sure you have the following DNS records for the Device Registration Services.

Entry

Type

Address

adfs1

A

IP address of the AD FS server

enterpriseregistration

Alias (CNAME)

adfs1.contoso.com

You can use the following procedure to add a host (A) resource records to corporate DNS for federation server and the device registration service.

  1. On DC1, from Server Manager, from the Tools menu, click DNS to open the DNS snap-in.
  2. In the console tree, expand DC1, expand Forward Lookup Zones, right-click contoso.com, and then click New Host (A or AAAA).
  3. In Name, type the name you will use for your AD FS farm, for this walkthrough, type adfs1.
  4. In IP address, type the IP address of the ADFS1 server. Click Add Host.
  5. Right-click contoso.com, and then click New Alias (CNAME).
  6. In the New Resource Record dialog box, type enterpriseregistration in the Alias name box.
  7. In the Fully Qualified Domain Name (FQDN) of the target host box, type adfs1.contoso.com and click OK.

Configure Windows Client

  1. Log on to your Windows 8 Client with your Microsoft account.
  2. On the Start screen, open the Charms bar and then select the Settings charm. Select Change PC Settings.
  3. On the PC Settings page, select Network and then click Workplace.
  4. In the Enter your UserID to get workplace access or turn on device management box, type <login name>@<domain.com> and then click Join.
  5. When prompted for credentials, type your domain credentials and Click OK.
  6. You should now see the message: This device has joined your workplace network.

If you want to learn how to set this up for your iOS devices check out this article: Walkthrough Guide- Workplace Join with an iOS Device

As you can see there a lot of moving parts to get this in working, and from my experience you want to make sure you get the certificates correct or you will be troubleshooting into the late evening.  Smile

If you want to see this in action, check out this great video by John Savill:

For the full list in the series:  Windows Server 2012 R2 Launch Blog Series Index #WhyWin2012R2

More Stories By Matt Hester

Matt Hester is a Senior Information Technology Professional Evangelist for Microsoft. Matt has been involved in the IT Pro community for over 20 years. Matt is a skilled and experienced evangelist presenting to audiences nationally and internationally. Prior to joining Microsoft Matt was a highly successful Microsoft Certified Trainer for over 8 years. After joining Microsoft, Matt has continued to be heavily involved in IT Pro community as an IT Pro Evangelist. In his role at Microsoft Matt has presented to audiences in excess of 5000 and as small as 10. Matt has written 4 articles for TechNet magazine. In addition Matt has published 3 books:

You can contact Matt off his blog at http://aka.ms/matthester

@MicroservicesExpo Stories
"We got started as search consultants. On the services side of the business we have help organizations save time and save money when they hit issues that everyone more or less hits when their data grows," noted Otis Gospodnetić, Founder of Sematext, in this SYS-CON.tv interview at @DevOpsSummit, held June 9-11, 2015, at the Javits Center in New York City.
In his General Session at DevOps Summit, Asaf Yigal, Co-Founder & VP of Product at Logz.io, explored the value of Kibana 4 for log analysis and provided a hands-on tutorial on how to set up Kibana 4 and get the most out of Apache log files. He examined three use cases: IT operations, business intelligence, and security and compliance. Asaf Yigal is co-founder and VP of Product at log analytics software company Logz.io. In the past, he was co-founder of social-trading platform Currensee, which w...
Cloud Expo, Inc. has announced today that Andi Mann returns to 'DevOps at Cloud Expo 2017' as Conference Chair The @DevOpsSummit at Cloud Expo will take place on June 6-8, 2017, at the Javits Center in New York City, NY. "DevOps is set to be one of the most profound disruptions to hit IT in decades," said Andi Mann. "It is a natural extension of cloud computing, and I have seen both firsthand and in independent research the fantastic results DevOps delivers. So I am excited to help the great t...
As Enterprise business moves from Monoliths to Microservices, adoption and successful implementations of Microservices become more evident. The goal of Microservices is to improve software delivery speed and increase system safety as scale increases. Documenting hurdles and problems for the use of Microservices will help consultants, architects and specialists to avoid repeating the same mistakes and learn how and when to use (or not use) Microservices at the enterprise level. The circumstance w...
This week's news brings us further reminders that if you're betting on cloud, you're headed in the right direction. The cloud is growing seven times faster than the rest of IT, according to IDC, with a 25% spending increase just from 2016 to 2017. SaaS still leads the pack, with an estimated two-thirds of public cloud spending going that way. Large enterprises, with more than 1,000 employees, are predicted to account for more than half of cloud spending and have the fastest annual growth rate.
SYS-CON Events announced today that CA Technologies has been named “Platinum Sponsor” of SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY, and the 21st International Cloud Expo®, which will take place October 31-November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. CA Technologies helps customers succeed in a future where every business – from apparel to energy – is being rewritten by software. From ...
Cloud Expo, Inc. has announced today that Andi Mann and Aruna Ravichandran have been named Co-Chairs of @DevOpsSummit at Cloud Expo 2017. The @DevOpsSummit at Cloud Expo New York will take place on June 6-8, 2017, at the Javits Center in New York City, New York, and @DevOpsSummit at Cloud Expo Silicon Valley will take place Oct. 31-Nov. 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
With 10 simultaneous tracks, keynotes, general sessions and targeted breakout classes, Cloud Expo and @ThingsExpo are two of the most important technology events of the year. Since its launch over eight years ago, Cloud Expo and @ThingsExpo have presented a rock star faculty as well as showcased hundreds of sponsors and exhibitors! In this blog post, I provide 7 tips on how, as part of our world-class faculty, you can deliver one of the most popular sessions at our events. But before reading the...
In recent years, containers have taken the world by storm. Companies of all sizes and industries have realized the massive benefits of containers, such as unprecedented mobility, higher hardware utilization, and increased flexibility and agility; however, many containers today are non-persistent. Containers without persistence miss out on many benefits, and in many cases simply pass the responsibility of persistence onto other infrastructure, adding additional complexity.
DevOps is often described as a combination of technology and culture. Without both, DevOps isn't complete. However, applying the culture to outdated technology is a recipe for disaster; as response times grow and connections between teams are delayed by technology, the culture will die. A Nutanix Enterprise Cloud has many benefits that provide the needed base for a true DevOps paradigm. In his general session at 20th Cloud Expo, Chris Brown, a Solutions Marketing Manager at Nutanix, will explore...
Microservices (μServices) are a fascinating evolution of the Distributed Object Computing (DOC) paradigm. Initial design of DOC attempted to solve the problem of simplifying developing complex distributed applications by applying object-oriented design principles to disparate components operating across networked infrastructure. In this model, DOC “hid” the complexity of making this work from the developer regardless of the deployment architecture through the use of complex frameworks, such as C...
@DevOpsSummit at Cloud taking place June 6-8, 2017, at Javits Center, New York City, is co-located with the 20th International Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading industry players in the world. The widespread success of cloud computing is driving the DevOps revolution in enterprise IT. Now as never before, development teams must communicate and collaborate in a dynamic, 24/7/365 environment. There is no time to wait for long developm...
Buzzword alert: Microservices and IoT at a DevOps conference? What could possibly go wrong? In this Power Panel at DevOps Summit, moderated by Jason Bloomberg, the leading expert on architecting agility for the enterprise and president of Intellyx, panelists peeled away the buzz and discuss the important architectural principles behind implementing IoT solutions for the enterprise. As remote IoT devices and sensors become increasingly intelligent, they become part of our distributed cloud enviro...
@DevOpsSummit has been named the ‘Top DevOps Influencer' by iTrend. iTrend processes millions of conversations, tweets, interactions, news articles, press releases, blog posts - and extract meaning form them and analyzes mobile and desktop software platforms used to communicate, various metadata (such as geo location), and automation tools. In overall placement, @DevOpsSummit ranked as the number one ‘DevOps Influencer' followed by @CloudExpo at third, and @MicroservicesE at 24th.
SYS-CON Events announced today that Outlyer, a monitoring service for DevOps and operations teams, has been named “Bronze Sponsor” of SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Outlyer is a monitoring service for DevOps and Operations teams running Cloud, SaaS, Microservices and IoT deployments. Designed for today's dynamic environments that need beyond cloud-scale monitoring, we make monitoring effortless so you...
In his session at @DevOpsSummit at 19th Cloud Expo, Robert Doyle, lead architect at eCube Systems, will examine the issues and need for an agile infrastructure and show the advantages of capturing developer knowledge in an exportable file for migration into production. He will introduce the use of NXTmonitor, a next-generation DevOps tool that captures application environments, dependencies and start/stop procedures in a portable configuration file with an easy-to-use GUI. In addition to captur...
The Software Defined Data Center (SDDC), which enables organizations to seamlessly run in a hybrid cloud model (public + private cloud), is here to stay. IDC estimates that the software-defined networking market will be valued at $3.7 billion by 2016. Security is a key component and benefit of the SDDC, and offers an opportunity to build security 'from the ground up' and weave it into the environment from day one. In his session at 16th Cloud Expo, Reuven Harrison, CTO and Co-Founder of Tufin, ...
All clouds are not equal. To succeed in a DevOps context, organizations should plan to develop/deploy apps across a choice of on-premise and public clouds simultaneously depending on the business needs. This is where the concept of the Lean Cloud comes in - resting on the idea that you often need to relocate your app modules over their life cycles for both innovation and operational efficiency in the cloud. In his session at @DevOpsSummit at19th Cloud Expo, Valentin (Val) Bercovici, CTO of Soli...
Both SaaS vendors and SaaS buyers are going “all-in” to hyperscale IaaS platforms such as AWS, which is disrupting the SaaS value proposition. Why should the enterprise SaaS consumer pay for the SaaS service if their data is resident in adjacent AWS S3 buckets? If both SaaS sellers and buyers are using the same cloud tools, automation and pay-per-transaction model offered by IaaS platforms, then why not host the “shrink-wrapped” software in the customers’ cloud? Further, serverless computing, cl...
Growth hacking is common for startups to make unheard-of progress in building their business. Career Hacks can help Geek Girls and those who support them (yes, that's you too, Dad!) to excel in this typically male-dominated world. Get ready to learn the facts: Is there a bias against women in the tech / developer communities? Why are women 50% of the workforce, but hold only 24% of the STEM or IT positions? Some beginnings of what to do about it! In her Day 2 Keynote at 17th Cloud Expo, Sandy Ca...