Benoit's corner

Oct 02
Windows Server 2016 – ADFS 4.0 idpinitiatedsignon page is disabled by default

As you may know, a quick way to test an ADFS deployment is to open the IdP-initiated sign-on page (https://<your ADFS URL>/adfs/ls/idpinitiatedsignon.aspx).

As usual, I tried it after deploying my new ADFS 4.0 server and… got this error message

The resource you are trying to access is not available. Contact your administrator for more information.


And the following event is logged

Log Name:      AD FS/Admin
Source:        AD FS
Date:          2/10/2016 7:22:24 AM
Event ID:      364
Task Category: None
Level:         Error
Keywords:      AD FS
User:         
Computer:     
Description:
Encountered error during federation passive request.

Additional Data

Protocol Name:

Relying Party:

Exception details:
Microsoft.IdentityServer.Web.IdPInitiatedSignonPageDisabledException: MSIS7012: An error occurred while processing the request. Contact your administrator for details.
   at Microsoft.IdentityServer.Web.Protocols.Saml.IdpInitiatedSignOnRequestSerializer.ReadMessage(WrappedHttpListenerRequest httpRequest)
   at Microsoft.IdentityServer.Web.Protocols.Saml.HttpSamlMessageFactory.CreateMessage(WrappedHttpListenerRequest httpRequest)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlContextFactory.CreateProtocolContextFromRequest(WrappedHttpListenerRequest request, ProtocolContext& protocolContext)
   at Microsoft.IdentityServer.Web.Protocols.Saml.SamlProtocolHandler.CreateProtocolContext(WrappedHttpListenerRequest request)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.GetProtocolHandler(WrappedHttpListenerRequest request, ProtocolContext& protocolContext, PassiveProtocolHandler& protocolHandler)
   at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)

In short, the IdP-initiated sign-on page is disabled, which is annoying when all you want is to validate the deployment. In ADFS 4.0 it is off by default: the page lists the relying party trusts you have configured to anyone who can reach it, so Microsoft no longer exposes it unless you explicitly ask for it.

Looking at the ADFS properties (Get-AdfsProperties | fl *idpinitiatedsignon*) confirms it: EnableIdpInitiatedSignonPage is False.


To enable it, just run Set-AdfsProperties -EnableIdpInitiatedSignonPage $true on the primary ADFS server. Once your test is done, consider setting it back to $false so the page is not left exposed permanently.

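The enable / test / disable cycle described above, as an added PowerShell example (this is not code from the original post). It assumes it runs elevated on the primary ADFS 4.0 server and reads the federation service name from Get-AdfsProperties; the Test-IdpInitiatedSignonPage function name is my own.

```powershell
# Added example (not from the original post): temporarily enable the IdP-initiated
# sign-on page, check that it answers, then put the setting back to its previous value.
# Assumption: run elevated on the primary ADFS 4.0 server of the farm.
$fsHostName = (Get-AdfsProperties).HostName          # e.g. fs.mydomain.com
$url = "https://$fsHostName/adfs/ls/idpinitiatedsignon.aspx"

function Test-IdpInitiatedSignonPage {
    param([string]$Url)
    try {
        $response = Invoke-WebRequest -Uri $Url -UseBasicParsing -ErrorAction Stop
        return ($response.StatusCode -eq 200)
    } catch {
        # While the page is disabled ADFS answers with an HTTP error and logs
        # event 364 (MSIS7012 / IdPInitiatedSignonPageDisabledException)
        return $false
    }
}

$before = (Get-AdfsProperties).EnableIdpInitiatedSignonPage
Write-Host "EnableIdpInitiatedSignonPage is currently: $before"

if (-not $before) {
    Set-AdfsProperties -EnableIdpInitiatedSignonPage $true
    Start-Sleep -Seconds 5   # give the service a moment to pick up the new setting
}

if (Test-IdpInitiatedSignonPage -Url $url) {
    Write-Host "IdP-initiated sign-on page is reachable at $url"
} else {
    Write-Warning "Page still not reachable; check the AD FS/Admin event log (and restart adfssrv if needed)"
}

# Restore the previous state: the page is disabled by default for a reason
if (-not $before) {
    Set-AdfsProperties -EnableIdpInitiatedSignonPage $false
    Write-Host 'IdP-initiated sign-on page disabled again'
}
```

Running the script from the ADFS server itself avoids any Web Application Proxy in front of the farm; if the page works internally but not through WAP, the problem is on the proxy side, not the setting.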

Oct 01
Windows Server 2016 – ADFS 4.0 now supports certificate authentication on port 443

You may already know that ADFS 3.0 (on Windows Server 2012 R2) already supports certificate authentication, BUT on a different port than 443 (49443). That extra port is often the reason certificate authentication breaks for external users: many firewalls and proxies only let 443 through.

With ADFS 4.0 (on Windows Server 2016), certificate authentication can now use port 443 as well, which makes it easier to implement multi-factor authentication with user certificates.

To take advantage of this new capability, you need to update your ADFS SSL certificate to include the additional hostname certauth.<your ADFS URL> (for example certauth.fs.mydomain.com if your ADFS URL is fs.mydomain.com); the same applies to the certificate on the Web Application Proxy if you publish ADFS through WAP. If the certificate does not include this additional hostname, ADFS certificate-based authentication keeps using port 49443.

Also, remember that you still need to include the enterpriseregistration.<UPN suffix> hostname if you plan to enable Device Registration.
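A check for the two extra hostnames, as an added PowerShell example (not from the original post). It assumes it runs on an ADFS 4.0 server, reads the federation service name from Get-AdfsProperties, and takes the list of UPN suffixes used for Device Registration from the $upnSuffixes variable, which you must fill in yourself.

```powershell
# Added example (not from the original post): verify that the certificate bound to the
# federation service carries the SAN entries ADFS 4.0 needs for certificate authentication
# on 443 (certauth.<federation service name>) and for Device Registration
# (enterpriseregistration.<UPN suffix>).
# Assumption: $upnSuffixes lists the UPN suffixes of your users.
$upnSuffixes = @('mydomain.com')   # assumption: replace with your own suffixes

$fsName  = (Get-AdfsProperties).HostName                     # e.g. fs.mydomain.com
$binding = Get-AdfsSslCertificate |
    Where-Object { $_.PortNumber -eq 443 -and $_.HostName -eq $fsName } |
    Select-Object -First 1
$cert    = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $binding.CertificateHash }

# PowerShell fills DnsNameList from the Subject Alternative Name extension
$sans = @($cert.DnsNameList | ForEach-Object { $_.Unicode.ToLowerInvariant() })

$required = @("certauth.$fsName") +
    ($upnSuffixes | ForEach-Object { "enterpriseregistration.$_" })

foreach ($name in $required) {
    # A wildcard one level up (e.g. *.fs.mydomain.com) also satisfies the name
    $wildcard = '*.' + ($name -split '\.', 2)[1]
    if (($sans -contains $name) -or ($sans -contains $wildcard)) {
        Write-Host "OK      $name"
    } else {
        Write-Warning "MISSING $name  (certificate auth stays on 49443 / DRS fails for this suffix)"
    }
}

# Once the certificate carries the name, ADFS exposes a certauth binding on 443 as well
Get-AdfsSslCertificate | Where-Object { $_.HostName -like 'certauth.*' }
```

If the last command returns nothing even though the SAN is present, re-run Set-AdfsSslCertificate with the certificate thumbprint so ADFS recreates its HTTP.SYS bindings.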

Sep 28
Office 365 – You can now see if OneDrive is provisioned for a user using the administration portal

You can now see whether the OneDrive for Business ‘personal’ space has been provisioned for a user, including quota and size limits, from the Office 365 Administration portal.

Just log on to the Office 365 Administration portal with a global administrator account, go to Users > Active Users and select the user you want to check. In the right pane, you will see a new OneDrive section with the provisioning details.

Sep 28
Skype for Business / Office 365 – Troubleshoot your Skype for Business Hybrid configuration

As you know, you can set up your on-premises Lync/Skype for Business deployment to work in hybrid mode with Skype for Business Online (as you can with Exchange).

That said, this configuration is not always as smooth and easy as it is for Exchange, and you may end up with issues.

Microsoft has developed a PowerShell script to help you troubleshoot such situations; even if a single script cannot identify every issue, it covers the most frequent misconfigurations the support teams have faced.

You can download it from https://gallery.technet.microsoft.com/Validate-your-Lync-Server-017ed501

You will also need the Skype for Business Online PowerShell module installed (https://www.microsoft.com/en-us/download/details.aspx?id=39366), and you must run the script from a Lync/SfB front-end server with an account that is a member of RTCUniversalServerAdmins and has administration rights on the Skype for Business Online tenant (either Office 365 global admin or Skype for Business administrator).

Sep 27
Office 365 – Preview of the new OneDrive for Business client

It was announced at the Ignite conference in Atlanta.

A preview of the new OneDrive for Business client is now available.

The following improvements come with the new version – some have been long awaited:

  • Ability to sync SharePoint Online document libraries – until now you were still obliged to use the ‘old’ O4B client for those, while the (so called) NextGen client synced your personal OneDrive and your OneDrive for Business spaces (already included in the preview)
  • Activity center to see your activity at a glance (already included in the preview)

In addition to these client-side updates, major updates are coming for the web browser and the mobile client as well:

  • 20 new file types supported for preview and rich thumbnails (rolling out by the end of this year)
  • Download multiple files at once (zipped) – finally (rolling out by the end of this year)
  • Notifications for the mobile client (already available – see http://blog.hametbenoit.info/Lists/Posts/Post.aspx?ID=817)

and many more to come.

So, let’s go back to the client side.

You can get the preview version here https://go.microsoft.com/fwlink/?linkid=828410

You will need to download the new client (http://go.microsoft.com/fwlink/?LinkId=823059) and a registry key to activate the new capabilities (http://go.microsoft.com/fwlink/?LinkId=827743).

You need to stop syncing your libraries with the current client first.

Close your current client instances, then install the new client and the registry key.

Once the setup is completed, close the instance that starts automatically and apply the registry key; the following key and value are added

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\OneDrive]
"TeamSiteSyncPreview"=dword:00000001

Start your client again (use OneDrive, not OneDrive for Business)

To start syncing a SharePoint library, you need to open the library in the web browser and then choose Sync (as you did with the current version); there is not yet (?) a way to set up the sync directly from the client.

Then, within Windows Explorer, you should see a node named <your tenant name> where your SharePoint libraries will be synced – you may still see the ‘SharePoint’ node that comes with the current version of O4B.

Sep 26
Office 365 – Be notified when people share content with you on SharePoint Online and OneDrive for Business

A new feature is being rolled out (first release tenants first, then general availability – expected to be completed by the end of the year) which notifies end users by mobile push notification (the same kind you get when a new email arrives in your inbox) when someone shares content with them on SharePoint Online or OneDrive for Business.

This setting is enabled by default and can be managed by SharePoint Online administrators through the SharePoint Online administration center (in the Settings section).

Sep 26
Office 365 – Enable Office 365 CDN for your SharePoint Online tenant

With the Office 365 CDN (Content Delivery Network) you can improve the performance of your SharePoint Online tenant by serving static content (such as picture files) from a geo-distributed cache; only static files are cached, and they are served anonymously, so this is meant for public assets only.

This CDN capability can be a great improvement when accessing content hosted on your tenant from a location far away from your Office 365 hosting region.

This capability can also be used by developers to speed up the applications they build on top of SharePoint Online.

Check if CDN is enabled

As usual with Office 365, you will need the SharePoint Online Management Shell – and, as usual, always try to use the latest version, available at https://www.microsoft.com/en-us/download/details.aspx?id=35588

  • Log on to your SharePoint tenant

$cred = Get-Credential

Connect-SPOService -Url https://<your tenant>-admin.sharepoint.com -Credential $cred

  • Get your current tenant configuration

Get-SPOTenant | fl *cdn*

Check the value of the PublicCdnEnabled property; if it is False, the CDN is not enabled.

Enable CDN

As you are already authenticated and connected thanks to the previous step, just run the command

Set-SPOTenant -PublicCdnEnabled $true

You can also update the default file types allowed on the CDN using the command

Set-SPOTenant -PublicCdnAllowedFileTypes "CSS,EOT,GIF,ICO,JPEG,JPG,JS,MAP,PNG,SVG,TTF,WOFF,TXT"

Then add a CDN origin; this is the URL of the document library (or asset library) you want to enable for CDN. Keep in mind that files in a public CDN origin are served without authentication to anyone who has the URL, so only add libraries that hold truly public assets (images, scripts, style sheets), never a library containing documents.

New-SPOPublicCdnOrigin -Url https://<your tenant>.sharepoint.com/sites/doclib

You can list all CDN origins using the command Get-SPOPublicCdnOrigins

If you need to remove a CDN origin, just use Remove-SPOPublicCdnOrigin -Identity <id>, where the ID is the value of the Id property returned by Get-SPOPublicCdnOrigins
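The whole procedure as one idempotent PowerShell script, added here as an example (not code from the original post). It assumes the SharePoint Online Management Shell is installed, that the tenant name and the origin URL are placeholders you replace, and that the objects returned by Get-SPOPublicCdnOrigins expose Id and Url properties (the Id the post refers to).

```powershell
# Added example (not from the original post): enable the Office 365 public CDN, restrict
# the cached file types and register one origin, skipping any step already done.
# Assumptions: $tenant and $originUrl are placeholders; the origin holds public assets only.
$tenant    = 'contoso'                                                    # assumption
$originUrl = "https://$tenant.sharepoint.com/sites/marketing/SiteAssets"  # assumption
$fileTypes = 'CSS,EOT,GIF,ICO,JPEG,JPG,JS,MAP,PNG,SVG,TTF,WOFF'            # TXT left out on purpose

$cred = Get-Credential
Connect-SPOService -Url "https://$tenant-admin.sharepoint.com" -Credential $cred

$tenantCfg = Get-SPOTenant
if (-not $tenantCfg.PublicCdnEnabled) {
    Set-SPOTenant -PublicCdnEnabled $true
    Write-Host 'Public CDN enabled'
} else {
    Write-Host 'Public CDN already enabled'
}

if ($tenantCfg.PublicCdnAllowedFileTypes -ne $fileTypes) {
    Set-SPOTenant -PublicCdnAllowedFileTypes $fileTypes
    Write-Host "Allowed file types set to: $fileTypes"
}

# Everything under a public CDN origin is served without authentication, so refuse
# the default Documents library of a site: it is the place people drop real documents.
if ($originUrl -match '/Shared(%20| )Documents/?$') {
    throw "Refusing to expose a default Documents library through the public CDN: $originUrl"
}

$existing = Get-SPOPublicCdnOrigins | Where-Object { $_.Url -eq $originUrl }
if (-not $existing) {
    New-SPOPublicCdnOrigin -Url $originUrl
    Write-Host "Origin added: $originUrl"
} else {
    Write-Host "Origin already registered with Id $($existing.Id)"
}

# Final state, including the Id you would pass to Remove-SPOPublicCdnOrigin
Get-SPOPublicCdnOrigins | Format-Table Id, Url -AutoSize
```

The Documents-library guard is a simple pattern match; adapt it to whatever naming your tenant uses for libraries that must never be public.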

Sep 25
Windows 10 – BitLocker Recovery Key for Azure AD Joined devices

This procedure applies only for Windows 10 devices which have been configured as Azure AD Joined.

From time to time, you may need to access the advanced recovery options of your Windows 10 device, but these options may fail to work because you are using BitLocker to encrypt your drive.

You may already know the procedure to recover BitLocker keys when using your Microsoft account or when your device is Active Directory domain joined:

But what about Azure AD joined devices? Well, as for an AD joined device, your BitLocker recovery key is saved, but in Azure AD.

The good point for Azure AD joined devices is that this is a self-service process – meaning you do not need to contact your IT administrator to recover the key; you only need another device on which you can sign in to Azure AD. The flip side is that anyone who can sign in as you can retrieve the key too, so the protection of the Azure AD account (multi-factor authentication in particular) becomes part of the protection of the disk.

Recover your BitLocker Recovery Key from Azure AD

  • Sign in to Azure AD from another device and open your profile, where your registered devices are listed
  • Select the device for which you want to get the recovery key

It is as simple as that.
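The self-service recovery only works if the recovery password was actually escrowed to Azure AD. The following PowerShell is an added example (not from the original post) that checks the OS volume for a recovery password protector, creates one if none exists, and backs it up to Azure AD with the BackupToAAD-BitLockerKeyProtector cmdlet of the BitLocker module. It assumes it runs elevated on an Azure AD joined Windows 10 device.

```powershell
# Added example (not from the original post): make sure the OS volume has a recovery
# password protector and that it is escrowed to Azure AD.
# Assumption: run elevated on an Azure AD joined Windows 10 device.
$mountPoint = $env:SystemDrive   # usually C:

$volume = Get-BitLockerVolume -MountPoint $mountPoint
if ($volume.ProtectionStatus -ne 'On') {
    Write-Warning "BitLocker protection is not on for $mountPoint (volume status: $($volume.VolumeStatus))"
}

$recovery = @($volume.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
if ($recovery.Count -eq 0) {
    # Without a recovery password protector there is nothing Azure AD could hold for you
    $recovery = @(Add-BitLockerKeyProtector -MountPoint $mountPoint -RecoveryPasswordProtector |
        Select-Object -ExpandProperty KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    Write-Host 'Recovery password protector created'
}

foreach ($kp in $recovery) {
    # Escrow the protector; it then shows up under the device on the user's Azure AD profile page
    BackupToAAD-BitLockerKeyProtector -MountPoint $mountPoint -KeyProtectorId $kp.KeyProtectorId
    Write-Host "Protector $($kp.KeyProtectorId) backed up to Azure AD"
}

# Cross-check with the legacy tool; the same protector IDs should be listed
manage-bde -protectors -get $mountPoint
```

The protector ID printed by the script is the one to compare with the key identifier shown in Azure AD when you recover the device later.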

Sep 22
Azure / Office 365 – Azure AD Connect now supports proxy authentication

If you are working with Office 365 and/or Azure services, you already know that you can synchronize your Active Directory to Azure Active Directory with the directory synchronization tool Azure AD Connect.

It has been a very long wait (since the first version of the MS cloud services, BPOS) to get the synchronization tool to support an authenticating proxy, but this is finally here.

To take advantage of this feature, you need to update the machine.config file of the 64-bit .NET Framework 4

  • the file is located in C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config
  • add the following lines inside the <configuration> element, just before the closing </configuration> tag at the end of the file, where <PROXYADDRESS> is the address of your proxy (IP, server name…) and <PROXYPORT> the proxy port to use
    <system.net>
        <defaultProxy enabled="true" useDefaultCredentials="true">
            <proxy
            usesystemdefault="true"
            proxyaddress="http://<PROXYADDRESS>:<PROXYPORT>"
            bypassonlocal="true"
            />
        </defaultProxy>
    </system.net>

Note that useDefaultCredentials="true" means the synchronization service authenticates to the proxy with the account it runs under (the Azure AD Connect service account), so that account must be allowed through the proxy.
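Hand-editing machine.config is easy to get wrong (a stray character there breaks every .NET application on the box). The following PowerShell is an added example (not from the original post) that writes the same <system.net> block with the XML API, keeps a timestamped backup, and leaves an existing <defaultProxy> element alone. It assumes it runs elevated on the Azure AD Connect server; the proxy address and port are placeholders.

```powershell
# Added example (not from the original post): add the <system.net><defaultProxy> block
# to the 64-bit .NET Framework 4 machine.config, with a backup and an idempotency check.
# Assumptions: run elevated on the Azure AD Connect server; $proxyAddress/$proxyPort are placeholders.
$proxyAddress = 'proxy.mydomain.local'   # assumption
$proxyPort    = 8080                      # assumption
$configPath   = 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config'

Copy-Item -Path $configPath -Destination "$configPath.$(Get-Date -Format yyyyMMddHHmmss).bak"

[xml]$config = Get-Content -Path $configPath -Raw
$root = $config.configuration

$systemNet = $root.SelectSingleNode('system.net')
if (-not $systemNet) {
    $systemNet = $root.AppendChild($config.CreateElement('system.net'))
}

if ($systemNet.SelectSingleNode('defaultProxy')) {
    Write-Warning 'machine.config already contains a <defaultProxy> element; leaving it untouched'
} else {
    $defaultProxy = $systemNet.AppendChild($config.CreateElement('defaultProxy'))
    $defaultProxy.SetAttribute('enabled', 'true')
    # useDefaultCredentials: the ADSync service account is what authenticates to the proxy
    $defaultProxy.SetAttribute('useDefaultCredentials', 'true')

    $proxy = $defaultProxy.AppendChild($config.CreateElement('proxy'))
    $proxy.SetAttribute('usesystemdefault', 'true')
    $proxy.SetAttribute('proxyaddress', "http://${proxyAddress}:$proxyPort")
    $proxy.SetAttribute('bypassonlocal', 'true')

    $config.Save($configPath)
    Write-Host "Proxy settings written to $configPath"
}

# Verify from a NEW PowerShell process (machine.config is read at process start):
# [System.Net.WebRequest]::DefaultWebProxy.GetProxy('https://login.microsoftonline.com')
```

Run the verification line in a fresh console; the process that edited the file has already loaded the old configuration. Restart the Microsoft Azure AD Sync service afterwards for the same reason.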
 
Sep 19
SCCM 2012 R2 – Management Point returns HTTP 500: another solution

This is a common issue with SCCM: the management point ends up in error with an HTTP 500.

On a fresh install of SCCM 2012 R2 version 1511, I got this ‘famous’ HTTP 500 error after installing the Management Point.
SCCM had been installed with no role except the Service Connection Point, then it was updated with all the latest updates available, and only then did I start activating the different roles I wanted.

There are a lot of posts and forum threads about this situation, with multiple possible solutions; unfortunately none of these solutions worked.

At the end I found the solution:

  • open a command prompt using Run As Administrator
  • go to the C:\Windows\System32\inetsrv\ directory
  • (optional) confirm the xpress compression scheme is present with appcmd.exe list config -section:system.webServer/httpCompression
  • run the following command: appcmd.exe set config -section:system.webServer/httpCompression /-[name='xpress']
  • wait a little bit
  • then restart the SMS Executive service to force SCCM to install/complete the install of the management point role

That’s it; the MP HTTP 500 error is now solved.


 About

Benoit specializes in Microsoft infrastructure (Active Directory, Azure, ForeFront products, Hyper-V, Identity Management, System Center, Windows) and collaboration (BPOS, Exchange, Office 365, SharePoint) technologies.

He has been awarded Microsoft Most Valuable Professional (MVP) since 2002 - on Windows, then SharePoint and finally Office 365. He was recognized as a Microsoft Community Contributor for his work on the Office 365 community in 2013 and 2014.

He has been involved in the early testing phases of many Microsoft products - from Windows to Office 365, including Exchange, SharePoint, the Office client and Windows Update.

He has participated as a speaker or Ask The Expert (ATE) at many Microsoft or Quest events. He also participated in writing several books on SharePoint (2003 to 2010).

With more than 10 years of professional experience, he has a deep knowledge of the Microsoft market and its competitors.


Certifications

Microsoft Certified Systems Administrator
Microsoft Certified Systems Administrator - Messaging
Microsoft Certified Systems Engineer
Microsoft Technology Specialist
Microsoft Certified IT Professional


 Books I wrote

Le portail Microsoft SharePoint 
Microsoft Office SharePoint Portal Server 2003 et WSS au quotidien 
Microsoft Office SharePoint Server (MOSS) et Office 2007  
Microsoft Sharepoint 2010