MIM Portal & Application Context Authentication

This write-up covers modifying the MIM Service and Portal configuration so that email notifications use the Application Context Authentication method instead of an SMTP relay or another method that relies on a logon name and password. Basic Authentication will be deprecated somewhere around October 2022, so a Modern Authentication method needs to be in place by then. This write-up addresses that need.

Prerequisites

Modify the MIM Service/Portal Configuration

For an existing installation of MIM Portal, access the registry at:

HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\{…}

  • Search through the list of registry keys to find Microsoft Identity Manager Service and Portal.
  • Locate the UninstallString value and copy its data.

Open an elevated Command Prompt and paste the copied registry data.

  • To create a log file of the configuration run, do the following:
    • At the end of the copied data, add: /lvxi* c:\directory\logfile.log
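The two registry steps above can be done in one go from PowerShell. The following is an added example, not code from the original write-up: it searches both Uninstall hives for the MIM Service and Portal entry, prints its UninstallString, and builds the msiexec command with the logging switch appended. The log path is an assumption; change it to suit your server.

```powershell
# Added example (not from the original write-up): locate the MIM Service and Portal
# UninstallString and build the msiexec command with verbose logging appended.
$LogFile = 'C:\MIMLogs\MIMServicePortal-Reconfigure.log'   # assumption: pick your own path

$UninstallRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
)

# Walk each {GUID} subkey and keep the one whose DisplayName matches the MIM product.
$Product = foreach ($Root in $UninstallRoots) {
    Get-ChildItem -Path $Root -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
        Where-Object { $_.DisplayName -like 'Microsoft Identity Manager Service and Portal*' }
}

if (-not $Product) {
    throw 'Microsoft Identity Manager Service and Portal was not found under the Uninstall keys.'
}
$Product = @($Product)[0]

"DisplayName     : $($Product.DisplayName)"
"DisplayVersion  : $($Product.DisplayVersion)"
"UninstallString : $($Product.UninstallString)"

# Append the logging switch from the write-up. The UninstallString is normally
# 'MsiExec.exe /I{GUID}'; if yours reads '/X{GUID}' change it to '/I' for a Change run.
$null = New-Item -ItemType Directory -Path (Split-Path $LogFile) -Force
$Command = "$($Product.UninstallString) /lvxi* `"$LogFile`""
'Run this from an elevated prompt:'
$Command

# Uncomment to launch it directly from an elevated session:
# $MsiArgs = $Command -replace '^"?MsiExec\.exe"?\s*', ''
# Start-Process -FilePath 'msiexec.exe' -ArgumentList $MsiArgs -Wait
```

The script only prints the command by default; the commented-out Start-Process lines run it once you have confirmed the entry it found is the right product and version.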

Run through the Configuration

After executing the msiexec string in the previous section, follow along the install steps outlined at:

Install Microsoft Identity Manager Service and Portal for Azure AD Premium customers | Microsoft Docs

In Step 2, skip the part about the elevated cmd prompt since you began with the UninstallString data.

Starting at the Welcome Screen, click Next.

  • From the Change, repair, or remove installation screen click Change. Click Next.
  • At the step shown below, choose Office 365 and then Application Context Authentication. Click Next.
Image 2: Pick mail server type
Image 3: Select authentication type
  • When you arrive at the Configure Common Services screen, populate the fields with the Application ID, Tenant ID, and Client Secret saved earlier. Click Next.
Image 4: Provide Azure-specific ID values
  • A few screens later you will be asked for the password of the MIM Service account. The Service Email Account does not require a password at this point, but the email address format shown in the image is required. Click Next.
Image 5: Provide Service Account and Service Email details
  • Finish clicking through the remaining screens. Click Install when you have finished making changes.

Check Event Logs

After the install completes, check the Event Viewer. Navigate to Custom Views | Administrative Events.

You should see Event ID 12, source Microsoft.ResourceManager, with the following message:

The Forefront Identity Manager Service cannot connect to the Exchange Web Service.

The connection failure may be due to a network failure, firewall configuration error, or other connection issues. Additionally, the failure may be due to incorrect Exchange Web Service configuration.

Verify that the Exchange Web Service is reachable from the Forefront Identity Manager Service computer. Ensure that Exchange is running, that the network connection is active, and that the firewall is configured properly. Last, ensure that the Exchange Web Service configuration is correct in the Microsoft.ResourceManagemenet.Service.exe.config file.

Additionally, if you enable tracing on the MIM Service you will see:

Could not get access token for office365 mailbox. Probably registry value is empty because token was not obtained.  Please ensure that mailbox configuration is valid and restart service.

NOTE: From MIM Portal version 4.6.607, this error will appear in the Application log in Event Viewer.
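Rather than scrolling through Administrative Events, the same two symptoms can be pulled out with Get-WinEvent. The following is an added example, not part of the original write-up. It assumes the provider name the write-up reports (Microsoft.ResourceManager, with Microsoft.ResourceManagement included as a fallback) and that the service writes to the Forefront Identity Manager log and, on 4.6.607 and later, the Application log.

```powershell
# Added example (not from the original write-up): surface the Exchange Web Service
# connection failure (Event ID 12) and the O365 access-token error from the MIM Service.
$LookBack = (Get-Date).AddHours(-24)
$Logs     = @('Forefront Identity Manager', 'Application')   # assumption: both log names

# Event ID 12 from the resource manager provider in either log.
$Events = foreach ($Log in $Logs) {
    Get-WinEvent -FilterHashtable @{
        LogName      = $Log
        ProviderName = @('Microsoft.ResourceManager', 'Microsoft.ResourceManagement')
        Id           = 12
        StartTime    = $LookBack
    } -ErrorAction SilentlyContinue
}

# From 4.6.607 the token error lands in the Application log; match on the message text
# quoted in the write-up rather than on an event id, which the write-up does not give.
$TokenErrors = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; StartTime = $LookBack } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*Could not get access token for office365 mailbox*' }

$Findings = @($Events) + @($TokenErrors) | Sort-Object TimeCreated -Descending

if (-not $Findings) {
    "No Exchange Web Service or access-token errors from the MIM Service since $LookBack."
} else {
    $Findings |
        Select-Object TimeCreated, LogName, Id, LevelDisplayName,
            @{ Name = 'Summary'; Expression = { ($_.Message -split "`r?`n")[0] } } |
        Format-Table -AutoSize -Wrap
}
```

Run it again after the TLS and strong-cipher changes in the next section and restart the MIM Service; the Event ID 12 entries should stop appearing once the service can reach Exchange Online and obtain a token.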

Additional Configuration Changes

TLS 1.2 and strong ciphers are needed for everything to work properly.

Disable TLS 1.0 and 1.1, then enable TLS 1.2. See https://docs.microsoft.com/en-us/troubleshoot/azure/active-directory/enable-support-tls-environment?tabs=azure-monitor#enable-tls-12-on-client-or-server-operating-systems-

Essentially in PowerShell it will look like this:

Disable TLS 1.0

New-Item -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -Force
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -Name 'Enabled' -Value 0 -PropertyType 'DWord' -Force
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -Name 'DisabledByDefault' -Value 1 -PropertyType 'DWord' -Force
New-Item -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -Force
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -Name 'Enabled' -Value 0 -PropertyType 'DWord' -Force
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -Name 'DisabledByDefault' -Value 1 -PropertyType 'DWord' -Force
Write-Host 'TLS 1.0 has been Disabled.'

Disable TLS 1.1

New-Item -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -Force
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -Name 'Enabled' -Value 0 -PropertyType 'DWord' -Force
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server' -Name 'DisabledByDefault' -Value 1 -PropertyType 'DWord' -Force
New-Item -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -Force
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -Name 'Enabled' -Value 0 -PropertyType 'DWord' -Force
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client' -Name 'DisabledByDefault' -Value 1 -PropertyType 'DWord' -Force
Write-Host 'TLS 1.1 has been Disabled.'

Enable TLS 1.2

New-Item -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Force
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Name 'Enabled' -Value 1 -PropertyType 'DWord' -Force
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server' -Name 'DisabledByDefault' -Value 0 -PropertyType 'DWord' -Force
New-Item -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Force
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Name 'Enabled' -Value 1 -PropertyType 'DWord' -Force
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Name 'DisabledByDefault' -Value 0 -PropertyType 'DWord' -Force
Write-Host 'TLS 1.2 has been Enabled.'

Enable Strong Cipher for newer .NET Framework

# -Force is needed so the command overwrites a value that already exists instead of failing.
New-ItemProperty -Path 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value 1 -PropertyType 'DWord' -Force
New-ItemProperty -Path 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319' -Name 'SystemDefaultTlsVersions' -Value 1 -PropertyType 'DWord' -Force
New-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value 1 -PropertyType 'DWord' -Force
New-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319' -Name 'SystemDefaultTlsVersions' -Value 1 -PropertyType 'DWord' -Force

Enable Strong Cipher for older .NET Framework

This section is especially important as the email notifications would not work until I enabled Strong Ciphers on the older .Net Framework.

New-ItemProperty -Path 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727' -Name 'SchUseStrongCrypto' -Value 1 -PropertyType 'DWord' -Force
New-ItemProperty -Path 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727' -Name 'SystemDefaultTlsVersions' -Value 1 -PropertyType 'DWord' -Force
New-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727' -Name 'SchUseStrongCrypto' -Value 1 -PropertyType 'DWord' -Force
New-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727' -Name 'SystemDefaultTlsVersions' -Value 1 -PropertyType 'DWord' -Force

All the PowerShell code listed above for TLS and strong ciphers can be combined into a single PowerShell script and run once, which shortens the implementation of the entire process considerably.
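Once the script has run, it is worth reading the values back rather than trusting that each command succeeded, since a single missing DisabledByDefault or SchUseStrongCrypto value is enough to leave the MIM Service unable to negotiate TLS 1.2 with Exchange Online. The following check is an added example, not part of the original write-up; it compares every SCHANNEL and .NET Framework value the write-up sets against the expected state and reports any mismatch.

```powershell
# Added example (not from the original write-up): verify the SCHANNEL protocol and
# .NET strong-crypto registry values from the write-up and flag anything missing or wrong.
$Schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Expected state per protocol: TLS 1.0/1.1 off and disabled by default, TLS 1.2 on.
$ProtocolExpectations = @{
    'TLS 1.0' = @{ Enabled = 0; DisabledByDefault = 1 }
    'TLS 1.1' = @{ Enabled = 0; DisabledByDefault = 1 }
    'TLS 1.2' = @{ Enabled = 1; DisabledByDefault = 0 }
}

# Both .NET Framework generations, 64-bit and Wow6432Node views, as in the write-up.
$DotNetKeys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727'
)

function Test-RegistryValue {
    param([string]$Path, [string]$Name, [int]$Expected)
    # A missing key or value yields $null, which never equals the expected integer.
    $Actual = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    [pscustomobject]@{
        Path     = $Path
        Name     = $Name
        Expected = $Expected
        Actual   = if ($null -eq $Actual) { '<missing>' } else { $Actual }
        OK       = ($Actual -eq $Expected)
    }
}

$Results = @(foreach ($Protocol in $ProtocolExpectations.Keys) {
    foreach ($Side in 'Server', 'Client') {
        $Path = Join-Path $Schannel "$Protocol\$Side"
        foreach ($ValueName in 'Enabled', 'DisabledByDefault') {
            Test-RegistryValue -Path $Path -Name $ValueName -Expected $ProtocolExpectations[$Protocol][$ValueName]
        }
    }
})
$Results += @(foreach ($Key in $DotNetKeys) {
    foreach ($ValueName in 'SchUseStrongCrypto', 'SystemDefaultTlsVersions') {
        Test-RegistryValue -Path $Key -Name $ValueName -Expected 1
    }
})

$Results | Format-Table Path, Name, Expected, Actual, OK -AutoSize
$Failed = @($Results | Where-Object { -not $_.OK })
if ($Failed.Count -eq 0) { 'All TLS and strong-crypto settings match the expected state.' }
else { "$($Failed.Count) setting(s) need attention (see the OK = False rows above)." }
```

A v2.0.50727 row showing <missing> on a server without the .NET Framework 3.5 feature is expected; on a server where that framework is present, the write-up's own experience is that notifications did not work until those values were set.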

Azure ID storage locations

It is important to note that certain registry locations store the Azure-specific information (e.g., Tenant ID, Application ID, Client Secret):

HKLM:\SOFTWARE\Microsoft\Forefront Identity Manager\2010\Service

Check the values EncryptedExchangeOnlineClientSecret (note: this is not the actual client secret), ExchangeOnlineApplicationID, and ExchangeOnlineTenantID.

The O365 access token gets written to this location, under the MIM Service account's user hive:

HKU:\<MIM Service account SID>\SOFTWARE\Microsoft\Forefront Identity Manager\2010\Service

  • You will need to look up the MIM Service account SID on the server. From an elevated cmd prompt type: wmic useraccount get name, sid
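The SID lookup and the two registry checks above can be scripted so that the token and secret never get echoed into a console transcript. The following is an added example, not part of the original write-up; the account name is an assumption, and it lists only value names under the service account's hive, never their data.

```powershell
# Added example (not from the original write-up): resolve the MIM Service account SID
# without wmic, then confirm the Azure IDs and the per-user token key the write-up names.
$MimServiceAccount = 'CONTOSO\svcMIMService'   # assumption: use your MIM Service account

$Sid = ([System.Security.Principal.NTAccount]$MimServiceAccount).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value
"MIM Service account SID: $Sid"

# Machine-wide values written by the Service and Portal configuration. Only report
# presence, so the encrypted secret is not copied into the session output.
$HklmKey  = 'HKLM:\SOFTWARE\Microsoft\Forefront Identity Manager\2010\Service'
$Expected = 'ExchangeOnlineApplicationID', 'ExchangeOnlineTenantID', 'EncryptedExchangeOnlineClientSecret'
$Props    = Get-ItemProperty -Path $HklmKey -ErrorAction Stop
foreach ($Name in $Expected) {
    $State = if ($null -ne $Props.$Name -and "$($Props.$Name)".Length -gt 0) { 'present' } else { 'MISSING/EMPTY' }
    '{0,-40} {1}' -f $Name, $State
}

# The service account's hive is only loaded under HKEY_USERS while the account has a
# session (the running service counts), so map HKU: and test for the key.
if (-not (Get-PSDrive -Name HKU -ErrorAction SilentlyContinue)) {
    $null = New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS
}
$HkuKey = "HKU:\$Sid\SOFTWARE\Microsoft\Forefront Identity Manager\2010\Service"
if (Test-Path $HkuKey) {
    $ValueNames = (Get-Item -Path $HkuKey).GetValueNames()
    "Service-account hive key exists with $($ValueNames.Count) value(s): $($ValueNames -join ', ')"
    'If no token-related value is listed, the service has not obtained an O365 access token yet.'
} else {
    'Service-account hive key not found; the hive may not be loaded or no token has been written yet.'
}
```

If the HKLM values are present but the HKU key stays empty after a service restart, that matches the "Could not get access token" trace message from the Event Logs section and points back at the TLS and strong-cipher settings rather than at the Azure IDs.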
