How the Modern Authentication Protocol Works

Once Modern Authentication is enabled, a user authenticates with one of the Office 365 services and is issued both an Access Token and a Refresh Token. The Access Token is short-lived, valid for about 1 hour. The Refresh Token is longer-lived and can be valid for up to 90 days in some cases, namely when it is used frequently and the user’s password has not changed. The Access Token is what is presented to gain access to the Office 365 services; when it expires, the Office client presents the Refresh Token to Azure Active Directory and requests a new Access Token to use with the service. The default lifetime for a Refresh Token is 14 days. Features such as Conditional Access Policies may force users to sign in again even though the Refresh Token is still valid.

How to use Modern Authentication

Client supportability

Modern Authentication is automatically on for Office 2016 client apps.

To enable modern authentication for any devices running Windows (for example on laptops and tablets) that have Microsoft Office 2013 installed, you need to set the following registry keys. The keys have to be set on each device that you want to enable for modern authentication:

Registry key                                                      Type       Value
HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Identity\EnableADAL    REG_DWORD  1
HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Identity\Version       REG_DWORD  1

These can be changed manually or through a Group Policy object.

Office 2013 must be build 15.0.4605.1003 or higher (the March 2015 Public Update).
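The client-side steps above (minimum build, then the two registry values) as a single PowerShell script. This is an added example, not code from the original post; the WINWORD.EXE path is an assumption (32-bit Office on 64-bit Windows lives under Program Files (x86)), and it only touches HKCU for the current user, so it does not replace a Group Policy rollout.

```powershell
# Added example (not from the original post): prepare and verify an Office 2013
# client for modern authentication.
$KeyPath  = 'HKCU:\SOFTWARE\Microsoft\Office\15.0\Common\Identity'
$MinBuild = [version]'15.0.4605.1003'   # March 2015 PU, as stated in the post
$WinWord  = 'C:\Program Files\Microsoft Office\Office15\WINWORD.EXE'  # assumed path

function Test-Office2013Build {
    # True when the installed Office 2013 build meets the minimum for modern auth
    param([string]$Path = $WinWord)
    if (-not (Test-Path $Path)) { return $false }
    $build = (Get-Item $Path).VersionInfo.FileVersion -as [version]
    if ($null -eq $build) { return $false }
    return $build -ge $MinBuild
}

function Enable-Office2013ModernAuth {
    # Writes the two REG_DWORD values from the post: EnableADAL = 1, Version = 1
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    Set-ItemProperty -Path $KeyPath -Name 'EnableADAL' -Value 1 -Type DWord
    Set-ItemProperty -Path $KeyPath -Name 'Version'    -Value 1 -Type DWord
}

function Test-Office2013ModernAuth {
    # True only when both values exist and equal 1; anything else means the
    # client will keep using legacy (basic / Sign-in Assistant) authentication
    $props = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue
    return ($props.EnableADAL -eq 1) -and ($props.Version -eq 1)
}

if (-not (Test-Office2013Build)) {
    Write-Warning "Office 2013 build is below $MinBuild; apply the March 2015 PU first."
} else {
    Enable-Office2013ModernAuth
    if (Test-Office2013ModernAuth) {
        'Modern authentication registry values are set for the current user.'
    } else {
        Write-Warning 'EnableADAL/Version missing or not 1; modern authentication will not be used.'
    }
}
```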

Other Operating Systems

Modern authentication uses OAuth 2.0 standards and is supported on multiple platforms, including OSX, iOS, Android, and Windows.

Client supportability matrix: https://blogs.office.com/2015/11/19/updated-office-365-modern-authentication-public-preview/

Must be using MAPI / HTTP

We need to validate that every client is using MAPI over HTTP as this is a requirement for Modern Authentication.

The support article KB2937684 gives more information on ensuring MAPI over HTTP is enabled for your Office 2013/2016 client.

Office 365 services

Exchange Online: Modern Authentication is off by default.

  1. Connect to Exchange Online PowerShell as shown here.
  2. Run the following command in Exchange Online PowerShell:

Set-OrganizationConfig -OAuth2ClientProfileEnabled $true

  3. To verify that the change was successful, run the following command in Exchange Online PowerShell (one pipeline):

Get-OrganizationConfig | Format-Table -Auto Name,OAuth*

SharePoint Online: Modern Authentication is on by default.

Skype for Business Online: Modern Authentication is off by default.

  1. Connect to Skype for Business Online using remote PowerShell: https://aka.ms/SkypePowerShell
  2. Run the following command:

Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed

  3. Verify that the change was successful by running the following:

Get-CsOAuthConfiguration
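A readiness check that reads the two tenant-side settings from the steps above and flags any service still on legacy authentication. This is an added example, not code from the original post; it assumes the current session is already connected to both Exchange Online PowerShell and Skype for Business Online PowerShell, and the "(on by default)" SharePoint row is a constructed placeholder since the post gives no switch for it.

```powershell
# Added example (not from the original post): report modern authentication
# state for the Office 365 services this post enables.
function Get-ModernAuthTenantState {
    $exo = Get-OrganizationConfig      # Exchange Online (assumes connected session)
    $sfb = Get-CsOAuthConfiguration    # Skype for Business Online (assumes connected session)

    [pscustomobject]@{
        Service = 'Exchange Online'
        Setting = 'OAuth2ClientProfileEnabled'
        Value   = $exo.OAuth2ClientProfileEnabled
        Enabled = [bool]$exo.OAuth2ClientProfileEnabled
    }
    [pscustomobject]@{
        Service = 'Skype for Business Online'
        Setting = 'ClientAdalAuthOverride'
        Value   = $sfb.ClientAdalAuthOverride
        Enabled = ($sfb.ClientAdalAuthOverride -eq 'Allowed')
    }
    # SharePoint Online is on by default and has no tenant switch in this post
    [pscustomobject]@{
        Service = 'SharePoint Online'
        Setting = '(on by default)'
        Value   = $null
        Enabled = $true
    }
}

$state = Get-ModernAuthTenantState
$state | Format-Table -AutoSize

# While a service is still disabled, clients that attempt modern authentication
# fall back to basic authentication (Exchange) or the Sign-in Assistant (Skype),
# as described in the behaviour tables in this post.
$state | Where-Object { -not $_.Enabled } | ForEach-Object {
    Write-Warning "$($_.Service): $($_.Setting) is '$($_.Value)'; clients will fall back to legacy authentication."
}
```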

How Modern Authentication Works for Office 2016 / 2013

Office 2016 clients support modern authentication by default, and no action is needed for the client to use these new flows. However, explicit action is needed to use legacy authentication.

Office 2013 client apps support legacy authentication by default. Legacy means that they support either Microsoft Online Sign-in Assistant or basic authentication. For these clients to use modern authentication features, the Windows client must have the registry keys set (see the registry keys listed above).

Exchange Online

Columns: Office client app version / Registry key present? / Modern authentication on? / Authentication behavior with modern authentication turned on for the tenant / Authentication behavior with modern authentication turned off for the tenant (default)

Office 2016, no key or EnableADAL = 1, modern authentication on:
  Tenant on and tenant off (default): Modern authentication is attempted first. If the server refuses a modern authentication connection, then basic authentication is used. The server refuses modern authentication when the tenant is not enabled.

Office 2016, key present with EnableADAL = 1, modern authentication on:
  Tenant on and tenant off (default): Modern authentication is attempted first. If the server refuses a modern authentication connection, then basic authentication is used. The server refuses modern authentication when the tenant is not enabled.

Office 2016, key present with EnableADAL = 0, modern authentication off:
  Tenant on and tenant off (default): Basic authentication.

Office 2013, no key, modern authentication off:
  Tenant on and tenant off (default): Basic authentication.

Office 2013, key present with EnableADAL = 1, modern authentication on:
  Tenant on and tenant off (default): Modern authentication is attempted first. If the server refuses a modern authentication connection, then basic authentication is used. The server refuses modern authentication when the tenant is not enabled.

Source: https://support.office.com/en-us/article/How-modern-authentication-works-for-Office-2013-and-Office-2016-client-apps-e4c45989-4b1a-462e-a81b-2a13191cf517#bk_echangeonline

SharePoint Online

Columns: Office client app version / Registry key present? / Modern authentication on? / Authentication behavior with modern authentication turned on for the tenant (default) / Authentication behavior with modern authentication turned off for the tenant

Office 2016, no key or EnableADAL = 1, modern authentication on:
  Tenant on (default): Modern authentication only.
  Tenant off: Failure to connect.

Office 2016, key present with EnableADAL = 1, modern authentication on:
  Tenant on (default): Modern authentication only.
  Tenant off: Failure to connect.

Office 2016, key present with EnableADAL = 0, modern authentication off:
  Tenant on (default) and tenant off: Microsoft Online Sign-in Assistant only.

Office 2013, no key, modern authentication off:
  Tenant on (default) and tenant off: Microsoft Online Sign-in Assistant only.

Office 2013, key present with EnableADAL = 1, modern authentication on:
  Tenant on (default): Modern authentication only.
  Tenant off: Failure to connect.

Source: https://support.office.com/en-us/article/How-modern-authentication-works-for-Office-2013-and-Office-2016-client-apps-e4c45989-4b1a-462e-a81b-2a13191cf517#bk_sharepointonline

Skype for Business Online

Columns: Office client app version / Registry key present? / Modern authentication on? / Authentication behavior with modern authentication turned on for the tenant / Authentication behavior with modern authentication turned off for the tenant (default)

Office 2016, no key or EnableADAL = 1, modern authentication on:
  Tenant on and tenant off (default): Modern authentication is attempted first. If the server refuses a modern authentication connection, then Microsoft Online Sign-in Assistant is used. The server refuses modern authentication when Skype for Business Online tenants are not enabled.

Office 2016, key present with EnableADAL = 1, modern authentication on:
  Tenant on and tenant off (default): Modern authentication is attempted first. If the server refuses a modern authentication connection, then Microsoft Online Sign-in Assistant is used. The server refuses modern authentication when Skype for Business Online tenants are not enabled.

Office 2016, key present with EnableADAL = 0, modern authentication off:
  Tenant on and tenant off (default): Microsoft Online Sign-in Assistant only.

Office 2013, no key, modern authentication off:
  Tenant on and tenant off (default): Microsoft Online Sign-in Assistant only.

Office 2013, key present with EnableADAL = 1, modern authentication on:
  Tenant on: Modern authentication is attempted first. If the server refuses a modern authentication connection, then Microsoft Online Sign-in Assistant is used. The server refuses modern authentication when Skype for Business Online tenants are not enabled.
  Tenant off (default): Microsoft Online Sign-in Assistant only.

Source: https://support.office.com/en-us/article/How-modern-authentication-works-for-Office-2013-and-Office-2016-client-apps-e4c45989-4b1a-462e-a81b-2a13191cf517#bk_sfbo

Additional Notes

ADFS

With modern authentication, all clients will use Passive Flows (WS-Federation), and will appear to be browser traffic to AD FS.

ADFS client access filtering policies

Once Modern Authentication has been enabled, any client access filtering policies will need to be changed as follows:

Columns: Current client access filtering policy / After enabling modern authentication / Action needed

1. Current policy: Block all external access to Office 365.
   After enabling modern authentication: Continue to rely on existing ADFS policies (client traffic now comes in on the WS-Federation endpoint).
   Action needed: None.

2. Current policy: Block all external access to Office 365 except Exchange ActiveSync.
   After enabling modern authentication: Continue to rely on existing ADFS policies (client traffic now comes in on the WS-Federation endpoint).
   Action needed: None.

3. Current policy: Block all external access to Office 365 except browser-based apps.
   After enabling modern authentication: Implement conditional policies in Office 365/Azure AD to block “Rich Client” traffic (allow on ADFS).
   Action needed: This scenario is not yet supported for public preview, and organizations that rely on it are advised not to onboard their tenants for modern authentication.

Source:  https://social.technet.microsoft.com/wiki/contents/articles/30253.office-2013-and-office-365-proplus-modern-authentication-and-client-access-filtering-policies-things-to-know-before-onboarding.aspx

http://superuser.com/questions/680541/accept-remote-desktop-connections-in-windows-7-home-premiume

Switch to using PowerShell, and follow the instructions at the following site to enable history:

http://blogs.msdn.com/b/powershell/archive/2006/07/01/perserving-command-history-across-sessions.aspx

Alternatively, in cmd.exe, you can use “doskey /history” at the end of your session to show what you typed in that session, but there’s no way to really load it into the next session.

I’ve found 3 ways, none of which require switching to PowerShell:

Install Clink (http://mridgers.github.io/clink/), which enhances cmd.exe with persistent history and much more. Just install it and then open cmd as normal.

Install TCC/LE free version (http://jpsoft.com/), which is a separate program, again providing an enhanced version of cmd.exe.

Install Cygwin (https://www.cygwin.com/). It also provides some other functionality that Linux has but Windows does not.

2013 in review

The WordPress.com stats helper monkeys prepared a 2013 annual report for this blog.

Here’s an excerpt:

The concert hall at the Sydney Opera House holds 2,700 people. This blog was viewed about 33,000 times in 2013. If it were a concert at Sydney Opera House, it would take about 12 sold-out performances for that many people to see it.


Windows Server 2012 resources

What’s new in Windows Server 2012?: http://technet.microsoft.com/library/hh831769.aspx

Also the main TechNet home page: http://technet.microsoft.com/en-US/

Install, deploy, migrate to Windows Server 2012 RC Datacenter: http://technet.microsoft.com/library/hh831620.aspx

Download Windows Server 2012 RC: http://technet.microsoft.com/en-us/evalcenter/hh670538.aspx


If you cannot log on interactively to a Windows computer and you don’t have a domain account with the right privileges, here are some techniques to reset a lost or forgotten admin or local account password:

1- Paid method: If you are covered by Microsoft Software Assurance, you are eligible for MDOP, the “Microsoft Desktop Optimization Pack”: http://www.microsoft.com/en-us/windows/enterprise/products-and-technologies/mdop/default.aspx

In that case, you can use MS DaRT to burn a boot CD in order to recover your lost password. The Emergency Repair CD is based on the well-known Winternals ERD toolset. ERD contains the “Locksmith” utility for recovering your local accounts.

2- Free method: The other solution, which requires no extra tool (but needs the Windows DVD), is the method based on Utilman.exe substitution: http://sburke.eu/blog/2012/01/reset-windows-passwords-for-vista-7-and-2008-server/

3- Free method: Another method based on a USB stick or boot CD (using Linux tools): http://pogostick.net/~pnh/ntpasswd/

Web resource: http://www.openntf.org/internal/home.nsf/project.xsp?action=openDocument&name=Command%20Line%20EMail%20Client

Mercurial 101

Mercurial is a distributed version control system. As a result, each client holds the complete set of versions, and exchanges do not necessarily go through a central server.
http://www.siteduzero.com/tutoriel-3-196002-gerer-vos-projets-avec-mercurial.html#ss_part_2

http://druil.net/mercurial-un-systeme-de-gestion-de-versions/

Some use cases:

  • Solo development, and boom, you broke everything! The problem: you modified dozens of files before reaching this magnificent result… Mercurial lets you recover any version of a file you have saved!
  • Solo development again, but you often move between several machines (home, work, laptop…): with an online repository you can synchronize all your development without wondering where the latest up-to-date version of your software is!
  • Team development? This is where Mercurial shows its full power! You can organize yourselves any way you like and it won’t even matter! You will just have to get used to merging (which happens more often at the end of a project, when everything has to be finished quickly!).
  • Team development, but you go on vacation and absolutely want to work? Make your versions locally and get ready for a monster merge when you come back from vacation!

Mercurial in pictures:
http://sequanux.org/pipermail/sequanux-belfort/attachments/20090613/7038d0da/attachment-0002.png

Download Mercurial for Unix/Linux or Windows:
http://mercurial.selenic.com/downloads/

http://www.commentcamarche.net/faq/192-numeriser-ses-cassettes-audio-ou-vinyles-sur-cd-ou-disque-dur