
Seamless SSO Configuration Tutorial Part 1

This configuration tutorial is for an unroutable single forest domain. Unroutable domains are any top-level domains that cannot be used on the internet, such as .local. The scenario is an on-premise Active Directory domain with a Forest Functional Level of Windows Server 2012 R2 that needs seamless single sign-on (SSO) for Microsoft 365 online resources such as SharePoint and Teams, for a better user experience and easier administration.

Part one will cover the installation and configuration of Azure AD Connect. Part two will cover the Group Policy settings needed for Chrome and Firefox to enable the use of Seamless SSO, and the process to see what is copied and matched from your on-premise Active Directory to Azure AD.

I had to visit more websites than I care to count to complete the Seamless SSO with password hash sync rollout. I will link, collect, and annotate everything you will need for this scenario in this series of articles. My hope is to save you time and frustration with this project.

You must have domain administrator permissions on the Domain Controller and Microsoft 365 to complete the actions in this tutorial. You must be running Windows Server 2012 or newer except for Server Essentials versions to use Azure AD Connect.

Warning: SSO’s weak point when it comes to security is the convenience of accessing multiple services with a single set of credentials. All of those services will be compromised if the password and username are disclosed. Choosing a strong passphrase and managing it well is paramount. I recommend creating a passphrase using at least three unrelated words that are a minimum of four characters in length, then adding some complexity such as capital letters, numbers, and a special character. The key is that the passphrase must be memorizable and changed only when confirmed as disclosed, to reduce the management burden for employees. Go here for an excellent explanation of password strength in terms of entropy.

The first step is to add your routable email domain as an alternative userPrincipalName (UPN) suffix, “@domain.com.”

  • Open Active Directory Domains and Trusts (image 1)
  • Right-click Active Directory Domains and Trusts and select Properties (image 2)
  • Enter the routable domain in the Alternative UPN suffixes box then click Add (image 3)

Image 1

If you have accounts that don’t need to be synced to Azure AD, create a new Organizational Unit (OU) for the users that have Microsoft 365 mailboxes. I named my OU Azure AD Connect Sync. Move the users with mailboxes to the new OU to make the next few steps smoother.

To create a new OU for the users you want to sync with Azure AD:

  • Open Active Directory Users and Computers
  • Right-click your local domain
  • Hover your mouse over New
  • Select Organizational Unit
  • Enter the name you’ve chosen
  • Make sure Protect container from accidental deletion is selected
  • Click OK

If you have few users to move to the new OU:

  • Right-click the user you want to move
  • Select Move
  • Select the OU you created for Azure AD sync
  • Click OK

If you prefer to use PowerShell, you can use the PowerShell script below. Test the script on a small number of users (or test user accounts) to make sure it behaves as expected. I find it faster to use Control or Shift to select users to move to the new OU.

Move-ADObject -Identity "CN=First Last,CN=Users,DC=Domain,DC=Local" -TargetPath "OU=Azure AD,DC=Domain,DC=Local"

Now you must change the UPN suffix for all of the users that have Microsoft 365 mailboxes in Active Directory. If you have few users, changing the UPN suffix by hand is suitable. If you have a lot of users, there is a PowerShell script you can use to change the UPN suffix en masse.

To change the UPN suffixes individually:

  • Open Active Directory Users and Computers
  • Double-click a username to open Properties (you can also right-click the username and select Properties)
  • Select the Account tab
  • Select the drop-down box with the unroutable domain
  • Select the routable domain from the UPN suffix list
  • Click OK to save the change

To change the UPN suffixes en masse, replace domain.local and domain.com in the PowerShell script below with your unroutable and routable domain respectively. If you need to select users based on OU, add -SearchBase $ou after Get-ADUser, with $ou set to the distinguished name of that OU.

$LocalUsers = Get-ADUser -Filter "UserPrincipalName -like '*domain.local'" -Properties userPrincipalName -ResultSetSize $null
$LocalUsers | foreach {$newUpn = $_.UserPrincipalName.Replace("@domain.local","@domain.com"); $_ | Set-ADUser -UserPrincipalName $newUpn}

Whichever way you change the UPN suffix, you must make sure that the username portion of the UPN matches the username portion of the user’s email address. Azure AD Connect uses the UPN to match on-premise accounts to Azure AD accounts.
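The script above changes every matching UPN in one pass. The function below is an added example (not from the original post) that does the same job for one OU but previews first with -WhatIf and skips any account whose UPN prefix does not match the local part of its mail attribute, which is the mismatch that breaks matching in Azure AD Connect. The OU distinguished name and the two suffixes are placeholders to replace; the ActiveDirectory module is assumed to be installed.

```powershell
# Added example, not part of the original post. Requires the ActiveDirectory
# module (RSAT). Replace the placeholder OU and suffixes before running.
Import-Module ActiveDirectory

function Update-UpnSuffix {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $SearchBase,  # e.g. "OU=Azure AD Connect Sync,DC=domain,DC=local"
        [Parameter(Mandatory)] [string] $OldSuffix,   # e.g. "domain.local"
        [Parameter(Mandatory)] [string] $NewSuffix    # e.g. "domain.com"
    )

    $filter = "UserPrincipalName -like '*@$OldSuffix'"
    $users = Get-ADUser -SearchBase $SearchBase -Filter $filter `
                        -Properties UserPrincipalName, mail -ResultSetSize $null

    foreach ($user in $users) {
        $prefix = $user.UserPrincipalName.Split('@')[0]
        $newUpn = "$prefix@$NewSuffix"

        # The local part of the mail address is what the user signs in to
        # Microsoft 365 with. If it differs from the UPN prefix the account
        # will not match its cloud counterpart, so report it and leave it alone.
        $mailPrefix = if ($user.mail) { $user.mail.Split('@')[0] } else { $null }
        if ($mailPrefix -and $mailPrefix -ne $prefix) {
            Write-Warning "$($user.SamAccountName): UPN prefix '$prefix' differs from mail prefix '$mailPrefix'; skipped"
            continue
        }

        # With -WhatIf ShouldProcess returns $false and only prints the planned change.
        if ($PSCmdlet.ShouldProcess($user.DistinguishedName, "Set UPN to $newUpn")) {
            Set-ADUser -Identity $user -UserPrincipalName $newUpn
        }

        [pscustomobject]@{
            SamAccountName = $user.SamAccountName
            OldUpn         = $user.UserPrincipalName
            NewUpn         = $newUpn
        }
    }
}

# Dry run first; drop -WhatIf once the preview looks right.
Update-UpnSuffix -SearchBase "OU=Azure AD Connect Sync,DC=domain,DC=local" `
                 -OldSuffix "domain.local" -NewSuffix "domain.com" -WhatIf
```

Run it once with -WhatIf and review the warnings before running it for real; the accounts it skips are exactly the ones you would otherwise have to untangle in Azure AD after the first sync.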

Go here to download Azure AD Connect.

The first screen you’re met with when running the installer asks you to agree to license terms and the privacy notice. Check I agree then click Next.

This screen is where you select Customize. Don’t use the express settings because we will not have the opportunity to test before going live with auto-synchronization.

You don’t need to make a selection for this screen unless your environment warrants one of the options. Click Install.

Microsoft SQL 2012 Express, Native Client, Command Line Utilities, Synchronization Service, and Microsoft Visual C++ 2013 Redistributable will be installed.

After installation, you’ll be met with the User Sign-In screen. Select Password Hash Synchronization and Enable single sign-on then click Next.

This screen is where we connect to our Azure AD tenant using global administrator credentials e.g., username@domain.onmicrosoft.com then click Next.

After signing in with the Microsoft 365 tenant administrator account you will connect your on-premise directory to Microsoft 365. Click Add Directory.

After clicking Add Directory you must supply Enterprise Admin credentials that have sufficient permissions to read and write to the on-premise Active Directory forest. Leave Create new AD account selected and use the Schema or Domain Admin account of your on-premises Active Directory. I used the domain\user format without the domain suffix. Click Next after clicking OK and the process for adding the directory is finished.

Now you’ll see an Azure AD sign-in configuration screen where you’ll select the attribute used to sign in to Microsoft 365. Since you’ve aligned the username portion of the UPN in your on-premise Active Directory, you should leave the UPN selected. Your unroutable UPN suffix for your on-premise Active Directory can’t sync with Azure. Select Continue without matching all UPN suffixes to verified domains at the bottom of the window. Click Next.

This next screen is where you’ll filter which on-premise Active Directory user objects will be matched with Azure AD user objects. Select Sync selected domains and OUs. Deselect all boxes except for the OU you created for Microsoft 365 mailboxes and Computers. Computers must be selected because Azure AD will create an object that is needed for reliable synchronizing. Click Next.

On the Uniquely identifying your users screen, leave the default selections. Azure AD will use the mS-DS-ConsistencyGuid to match users by default (sourceAnchor). The mS-DS-ConsistencyGuid replaces the objectGUID in Azure AD Connect version 1.1.524.0 and later. The ConsistencyGuid is automatically configured during installation. Since this is a single forest, users are represented only once in our directory. If you want to dig into how accounts are hard and soft matched using the sourceAnchor, go here.

For the Filter user and devices screen, leave Synchronize all users and devices selected because we are filtering synchronized objects by OU. Click Next.

On the Optional features screen, password hash synchronization is already checked. Select Password writeback if you have the password self-service reset option configured for Microsoft 365. Password writeback allows Azure AD to update your on-premise Active Directory user objects password if they perform a reset. Click Next.

The Enable single sign-on screen already contains the credentials needed because we supplied them in the step where you connect your on-premises Active Directory to Azure AD. Click Next.

The Ready to configure screen is where we’ll make selections to put the installation in staging mode, which gives us an opportunity to see what would be replicated before making real-world changes. Uncheck Start the synchronization process when configuration completes, and check the Enable staging mode box. Click Install.

A Handy Reference for Windows Logon Types with Status and Substatus Codes

This list of logon types and status/substatus for Event ID 4625 comes from Microsoft documentation for threat-protection auditing, and is beneficial for analysts and people that are curious about what is going on in their PC.

Logon types:

  • 2 (Interactive): A user logged on to this computer.
  • 3 (Network): A user or computer logged on to this computer from the network.
  • 4 (Batch): Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention.
  • 5 (Service): A service was started by the Service Control Manager.
  • 7 (Unlock): This workstation was unlocked.
  • 8 (NetworkCleartext): A user logged on to this computer from the network. The user’s password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext).
  • 9 (NewCredentials): A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections.
  • 10 (RemoteInteractive): A user logged on to this computer remotely using Terminal Services or Remote Desktop.
  • 11 (CachedInteractive): A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials.

Status and Sub-Status codes:

  • 0xC000005E: There are currently no logon servers available to service the logon request.
  • 0xC0000064: User logon with misspelled or bad user account.
  • 0xC000006A: User logon with misspelled or bad password.
  • 0xC000006D: This is either due to a bad username or authentication information.
  • 0xC000006E: Unknown user name or bad password.
  • 0xC000006F: User logon outside authorized hours.
  • 0xC0000070: User logon from unauthorized workstation.
  • 0xC0000071: User logon with expired password.
  • 0xC0000072: User logon to account disabled by administrator.
  • 0xC00000DC: Indicates the SAM server was in the wrong state to perform the desired operation.
  • 0xC0000133: Clocks between DC and other computer too far out of sync.
  • 0xC000015B: The user has not been granted the requested logon type (aka logon right) at this machine.
  • 0xC000018C: The logon request failed because the trust relationship between the primary domain and the trusted domain failed.
  • 0xC0000192: An attempt was made to logon, but the Netlogon service was not started.
  • 0xC0000193: User logon with expired account.
  • 0xC0000224: User is required to change password at next logon.
  • 0xC0000225: Evidently a bug in Windows and not a risk.
  • 0xC0000234: User logon with account locked.
  • 0xC00002EE: Failure Reason: An error occurred during logon.
  • 0xC0000413: Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine.
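A reference table is most useful when it is applied to the log. The script below is an added example (not part of the original post) that turns the two tables above into lookup hashtables, decodes a single 4625 event, and summarizes recent failures from the Security log by user, source address and reason. It assumes a Windows host where the shell is elevated enough to read the Security log; the decoded event at the bottom is a constructed sample so the decoder can be checked without any log access.

```powershell
# Added example, not part of the original post. Decodes Event ID 4625 using the
# logon-type and status/substatus tables from the reference list above.
$LogonTypeNames = @{
    '2' = 'Interactive';    '3'  = 'Network';           '4'  = 'Batch'
    '5' = 'Service';        '7'  = 'Unlock';            '8'  = 'NetworkCleartext'
    '9' = 'NewCredentials'; '10' = 'RemoteInteractive'; '11' = 'CachedInteractive'
}

# PowerShell hashtable keys are case-insensitive, so 0XC000006D and 0xc000006d both match.
$FailureReasons = @{
    '0xC000005E' = 'No logon servers available to service the request'
    '0xC0000064' = 'Misspelled or bad user account'
    '0xC000006A' = 'Misspelled or bad password'
    '0xC000006D' = 'Bad username or authentication information'
    '0xC000006E' = 'Unknown user name or bad password'
    '0xC000006F' = 'Logon outside authorized hours'
    '0xC0000070' = 'Logon from unauthorized workstation'
    '0xC0000071' = 'Expired password'
    '0xC0000072' = 'Account disabled by administrator'
    '0xC00000DC' = 'SAM server in the wrong state'
    '0xC0000133' = 'Clocks between DC and client too far out of sync'
    '0xC000015B' = 'User not granted the requested logon type on this machine'
    '0xC000018C' = 'Trust relationship with the trusted domain failed'
    '0xC0000192' = 'Netlogon service not started'
    '0xC0000193' = 'Expired account'
    '0xC0000224' = 'Password change required at next logon'
    '0xC0000225' = 'Evidently a bug in Windows and not a risk'
    '0xC0000234' = 'Account locked'
    '0xC00002EE' = 'An error occurred during logon'
    '0xC0000413' = 'Blocked by authentication firewall'
}

function Resolve-LogonFailure {
    param([string]$LogonType, [string]$Status, [string]$SubStatus)
    # SubStatus carries the specific reason; 0x0 means "see Status".
    $code = if ($SubStatus -and $SubStatus -ne '0x0') { $SubStatus } else { $Status }
    [pscustomobject]@{
        LogonType  = $LogonType
        LogonTitle = if ($LogonTypeNames[$LogonType]) { $LogonTypeNames[$LogonType] } else { 'Unknown' }
        Code       = $code
        Reason     = if ($FailureReasons[$code]) { $FailureReasons[$code] } else { 'Not in table' }
    }
}

function Get-LogonFailureSummary {
    param([int]$MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } `
                 -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # The named EventData fields live in the event XML.
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            $r = Resolve-LogonFailure -LogonType $data['LogonType'] `
                                      -Status $data['Status'] -SubStatus $data['SubStatus']
            [pscustomobject]@{
                Time       = $_.TimeCreated
                User       = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
                SourceIP   = $data['IpAddress']
                LogonTitle = $r.LogonTitle
                Reason     = $r.Reason
            }
        } |
        Group-Object User, SourceIP, Reason |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

# Constructed sample: a network logon (type 3) that failed on a bad password.
Resolve-LogonFailure -LogonType '3' -Status '0xC000006D' -SubStatus '0xC000006A'

# On a real host, e.g. to look at the last thousand failures:
# Get-LogonFailureSummary -MaxEvents 1000
```

Grouping by user, source address and reason is what separates a user who mistyped a password twice from one address cycling through many accounts with 0xC0000064 (unknown user name), which is the pattern worth alerting on.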

The Twisted Reality of Military Leadership

I’ve been mulling over writing an article about how the military, specifically the Army, fails to teach leadership and do right by soldiers at an alarming rate for some time, but when a friend of mine retweeted the thread below, I finally found the motivation to move my words from tweet storms to something more lasting. I will break down the thread into individual tweets where I will explain my thoughtcrimes and the personal impact as a result.

Here is the context of the situation. I will be referring to “a policy doesn’t exist” in the above tweet later.

This attempted corrective action by these NCOs highlights the most basic failing of leadership. What reason do the NCOs have to yell at anyone, junior enlisted or otherwise, in this situation? A snap reaction like this is a result of continuing basic-training-like attitudes toward decision making. You’re taught to react and be loud about your reaction through marching and running cadence, and the reliance on muscle memory developed during training.

The purpose of basic training is to teach the baseline standards of military dress, survival, marching, shooting, following orders without question, and how to handle fear in a simulated combat environment. NCOs often continue behaviors similar to those of Drill Sergeants in garrison and are never taught that there is a time and place for yelling and, in general, flipping out on soldiers. Some NCOs figure out that the combat NCO shouldn’t be the garrison NCO unless there’s specific training that requires it, such as at the National Training Center. The former outweighs the latter by a wide margin.

The effect of having drone NCOs is an atmosphere of fear rather than teamwork, and the teamwork that happens under this fear is often touted as a success despite the herculean effort often needed to accomplish tasks. A lot of times, the reaction from NCOs rises to the level of psychopathic by using threats of physical harm, screaming in soldiers’ faces, and smoking someone (physical exercise) until they become ill. Often this is explained away as being necessary because the lives of teammates are at risk in combat, or that it’s “just the Army way.” Pure. Psychopathy.

The saying “you might be stupid but at least you’ll be strong” is a confession by NCOs that they have failed to lead through teaching, rather than the soldier being unable to correct their incompetencies, but it is almost always taken as the soldier being a continual mess-up.

I wax poetic on my personal website about hiding behind rank and chronic mismanagement that soldiers pay the price for unnecessarily.

This is where cognitive dissonance begins to show. My words are not an indictment of the thread’s author, but on the broken system that produces these interactions. They have no idea what to do because they’ve always been taught to unquestionably follow orders.

The 8A Blue Book contains all of the standards for the 8th Army in South Korea. Although the Sergeant Major is correct in that standing at attention is not in the Blue Book, standards can be exceeded and individual camps can have separate policies dictating that you’re to stand at attention for TAPS, but this is never discussed…because of a book or something.

There’s a root cause analysis waiting to happen in the first sentence of this tweet, but alas, it’s a missed opportunity. These NCOs were told to stand at attention for TAPS by someone for some reason, and that should be explored so that, whether or not standing at attention for TAPS is policy, correction can take place on the part of the Sergeant Major or these junior/mid NCOs. I’ll touch on the last sentence of this tweet in what I have to say about the next tweet, because they go hand-in-hand.

I’m resisting hitting the caps lock for this paragraph, wish me luck.

NCOs haven’t lost their power. Based on the drug problems, alcohol problems, and overall low morale, I’d say NCOs having unchecked power is one of the driving causes BECAUSE OF THE VERBAL AND PSYCHOLOGICAL ABUSE.

I tried.

You have to ask yourself what kind of leader pits junior enlisted and NCOs against each other when abuse is doled out in the name of “life and death” “corrective action.” The answer is a bad leader, and the Army is full of them.

Being with the people is certainly the right track, but instead of going around proselytizing maybe you should ask questions then sit and listen. Humility is an admirable trait for a leader.

The way professional is tossed around in the Army reminds me of the movie Man on Fire where every character involved in abducting and killing children that he faces says “I’m just a professional.”

Right. Better.

Thanks for being a good sport?

I’ve been verbally stoned to death by peers and had my family threatened for voicing the problems with “leadership” in the Army. I’ve been yelled at in the middle of dining halls and humiliated because I stood up and identified abuse and didn’t back down when I was told to know my role.

But sure, keep patting yourselves on the back.

Business Email Compromise: A Case Study

Update: The screen capture below was taken from the Parents Nest page on Facebook. The only parent to get through to anyone at Charter School Associates who could provide information didn’t receive any of the phishing emails and was given a head-in-the-sand denial about the email compromise.

Pinellas Academy of Math and Science (PAMS) experienced business email compromise on Tuesday, June 6th. Based on my experience as a Chief Information Security Officer and the information in the Verizon 2019 Data Breach Investigations Report, I will give a rundown of what happened, what should have happened, and what could have happened. This analysis will be conducted with some speculation because of the information vacuum that PAMS has put parents in due to minimal communication about the compromise. I will provide the most likely scenarios for the speculative portions.

The Compromise

Two phishing emails were sent from two different PAMS email addresses. The first email was received by several people (total recipients unknown) at 12:45 PM on Tuesday, June 6th. Approximately 24 hours later, a second phishing email from a different PAMS email address was sent out and reported by several people (total recipients unknown). Both email accounts that were compromised had communication with most of the parents and faculty, making them high-value targets and the targeting of these accounts appears intentional.

There is the possibility that the targeting of these two accounts was random (value-wise) and the attacker hit pay dirt by chance.

After speaking to one of the account owners, just after the second phishing email was received, it was apparent they weren’t phished for the email account credentials leaving credential stuffing the likely culprit. Credential stuffing is where someone reuses a password on multiple accounts (email, Netflix, etc.) and one of the services where they reused a password is compromised, dumped on the internet where attackers buy the email/password lists, then try the email address and password combo on commonly used services.

Another possible scenario is that malware resides on the computer, capturing every keystroke and sending the captured data to a remote server where the attacker later analyzes the data for useful information. Malware being on the computer is a less likely scenario, but it should still be considered and checked for by running an anti-virus scan and looking at operating system logs.

What concerned me is that IT was not notified of the compromise until 24 hours after the first phishing email was received, moments before I called. All subsequent communication with the school faculty turned protective of the incident. Any information that I gave to the faculty returned a reply that my information would be passed along to IT, and any information I requested went unanswered. Based on the responses shortly after IT was notified, and on there being no compromise notification after 24 hours, there’s a good chance they are trying to sweep this incident under the rug, except for the Parents Nest post where parents were told not to open the email and that the problem was being fixed.

The difference between this incident and ordinary credential stuffing is that these were PAMS email addresses. While the PAMS email addresses could have been used to sign up for accounts, the likelihood is low, which makes the case for intentional targeting stronger: a degree of open-source intelligence (OSINT) would be required to tie a non-PAMS address to an individual that worked at PAMS, then use other methods to discover the individual’s PAMS email address. OSINT involves using various search engines to find information on people, such as public records for speeding tickets, voter registration records, social media (Facebook, Twitter), and people finder websites such as the White Pages and Fast People Search.

I left the IT Director of Charter School Associates a voicemail on Wednesday, June 7th after the second phishing email was received. When speaking with the receptionist at Charter School Associates, I kind of gathered that information security was a secondary duty to IT staff, and that there are no dedicated information security employees – a common occurrence. I asked to speak with someone that had information security responsibilities then I was transferred to the IT Director. I have not had my phone call returned as of Tuesday morning, June 11th.

At this point, it’s impossible to know how many parents were phished for their email account credentials and have an attacker going through the details of their lives as you read this. All because the communication channels the school has weren’t used to notify all (if not most) parents of the compromise, and a central point of communication for questions and answers about what’s happening and when was not established. Something else to keep in mind is that we don’t know how long the attackers had access to the email accounts before the phishing emails were sent out. It’s possible that the attacker had days, weeks, or even months of access. Whether it was days or months, the time the attacker had access to the accounts is enough to scrape personal information such as names, email addresses, phone numbers, physical and mailing addresses, birthdays, and possibly social security numbers, because you might or might not be surprised what people will put in an email.

Communication

The reason for the unknown total of recipients is who received the emails first. PAMS has a private Facebook group called Parents Nest where announcements, news, and questions about the school can be answered. Parents Nest is run by parents of students that go to PAMS, but it is not directly supported by the school. Since Parents Nest isn’t an official PAMS Facebook group, PAMS has not gone to any lengths to advertise its existence, so only a fraction of the parents have joined the group.

Parents Nest is where all of the communication about the compromise happened. PAMS has a mass communication system in place that uses email and text messages to disseminate information. No word about the compromise came through email nor text message leaving anyone that wasn’t a member of Parents Nest unaware that an attack was underway unless individuals are able to recognize a phishing email.

The Email

After looking at the header information in the email it appears that the email did originate from within Office 365 which is what the school uses.

Email header information from the phishing email

In the image above, the mailbox type is hosted, the originating organization is PAMS, and lines above the part I took a screen clip of verify the sender mailbox as active. The IP address points to webmail (office.com) as the place the email was sent from.

The method that was used to execute this phish is more sophisticated than what I usually see. The link in the email brings you to box.com (a cloud storage provider) where there’s a shared file that looks like a webpage and has a link in the middle. The link on the page in box.com brings you to the actual phishing page where you are asked to sign-in to view a protected document using Gmail, Outlook.com, Hotmail, and several other options.

The link inside phishing email one
The link inside phishing email two

The reason for using a cloud storage provider to host the real phishing link in two different shared files is two-fold. 1) Cloud storage providers go to great lengths to keep their service from being placed on any malicious URL blacklists, so app.box.com/s/<file name> will pass incoming and outgoing spam filters, and 2) phishing pages can be set up and deleted quickly using different service accounts to maximize the length of time the attacker can collect email credentials. The email addresses used for the Box.com accounts hosting the phishing page likely belong to victims.
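The header review and the shared-file link described above are the two things a defender checks first on a reported message. The script below is an added example (not from the original post) that unfolds the headers of a raw message, walks the Received: chain in the order the message travelled, and lists links that point to file-sharing hosts. The message is constructed here; its host names, addresses and share id are made up, and while only box.com is named in the post, the other share hosts in the pattern are a common-sense addition.

```powershell
# Added example, not part of the original post. Triage helper for a raw
# message (as saved from a mail client or exported from the mailbox).
# $SampleMessage is constructed: every host, address, id and date is invented.
$SampleMessage = @'
Received: from mail-relay.example.net (mail-relay.example.net [203.0.113.10])
 by mx.recipient.example (Postfix) with ESMTPS id 4F3A2; Tue, 6 Jun 2017 12:45:10 -0400
Received: from sender.tenant.example (10.0.0.5) by outbound.office365.example
 with Microsoft SMTP Server; Tue, 6 Jun 2017 12:45:05 -0400
From: Staff Member <staff@pams.example>
Subject: Shared document
Content-Type: text/plain

A document has been shared with you.
https://app.box.com/s/EXAMPLEshareid0123
Regards
'@

function Get-MessageHeaders {
    param([string]$RawMessage)
    $text = $RawMessage -replace "`r`n", "`n"
    $end  = $text.IndexOf("`n`n")          # headers end at the first blank line
    $head = if ($end -ge 0) { $text.Substring(0, $end) } else { $text }
    # RFC 5322 folding: a line that starts with whitespace continues the previous header.
    ($head -replace "`n[ \t]+", ' ') -split "`n"
}

function Get-ReceivedChain {
    param([string]$RawMessage)
    $received = @(Get-MessageHeaders $RawMessage | Where-Object { $_ -like 'Received:*' })
    # Each server prepends its own Received: header, so the top one is the last
    # hop; reverse the list to read the path in the order the message travelled.
    [array]::Reverse($received)
    $hop = 0
    foreach ($line in $received) {
        $hop++
        $m = [regex]::Match($line, '^Received:\s+from\s+(?<from>\S+)(?:\s+\((?<info>[^)]*)\))?.*?\s+by\s+(?<by>\S+)')
        $date = if ($line.Contains(';')) { $line.Substring($line.LastIndexOf(';') + 1).Trim() } else { '' }
        [pscustomobject]@{
            Hop  = $hop
            From = $m.Groups['from'].Value
            Info = $m.Groups['info'].Value   # usually the reverse DNS name and/or IP in brackets
            By   = $m.Groups['by'].Value
            Date = $date
        }
    }
}

function Find-ShareLinks {
    param([string]$RawMessage)
    # Share-hosting URL shapes; app.box.com/s/ is the one seen in this incident.
    $pattern = 'https?://(?:app\.box\.com/s/|www\.dropbox\.com/s/|drive\.google\.com/|1drv\.ms/|[\w.-]+\.sharepoint\.com/)[^\s"''<>]+'
    [regex]::Matches($RawMessage, $pattern) | ForEach-Object { $_.Value } | Sort-Object -Unique
}

Get-ReceivedChain $SampleMessage | Format-Table -AutoSize
Find-ShareLinks $SampleMessage
```

The first hop in the chain is the one to compare against what the tenant itself reports (here, whether the message really left the school’s own Office 365 outbound servers); a share link in the body from a sender who never shares files that way is the cue to treat the message as a reported phish rather than wait for a user to click.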

Here are some findings from the Verizon Data Breach Report that give you a better idea of why these compromises happen.

  • Financially motivated breaches fell from 76% to 71%
  • 90% of malware arrived via email
  • 60% of web application attacks were on cloud-based email servers
  • Most email threats and BEC [Business Email Compromise] attacks only resulted in data breaches because multi-factor authentication had not been implemented
  • 52% of cyberattacks involve hacking
  • 34% of attacks involved employees
  • 43% of cyberattacks were on small businesses
  • There has been a six-fold decrease in attacks on HR personnel
  • Misconfiguration of cloud platforms accounted for 21% of breaches caused by errors

A Better Response

Once there was evidence that one email account had shown signs of compromise a breach notification should have been sent out over text message and email to reach as many people as quickly as possible alerting that phishing emails had been sent from an account and do not click on any links inside of PAMS emails until further notice. If a phishing email hadn’t been sent the response would have been different because there wasn’t immediate danger of compromise outside of PAMS. The notification would come after mitigation (password reset, two-factor authentication) and an investigation into whether or not data had been taken that would include what Charter School Associates did, when they did it, what they found as a result of the investigation, and any steps that people would need to take to protect themselves if sensitive data was stolen.

Upon indication that a second email account had been compromised within 24 to 48 hours, a password reset for all PAMS email accounts should’ve been initiated, and another alert sent via text message and email stating that an email account had been compromised and do not click any links in emails from PAMS until further notice. In addition to the mass password reset a password history restriction of at least three passwords should be implemented if it hasn’t been already. A password history restriction means that you can’t use the last three passwords you’ve had for that email account.

Based on the time of day the emails were sent, the attacker is doing a good job of blending in with normal traffic patterns for email use at the school. The mass password reset is due to two compromises close together leaving the presumption that more accounts could be compromised. Instead of waiting for each account to have indicators of compromise, it’s best to take care of all accounts at once. An investigation into what happened and when would be greatly aided by turning on much of the logging in Office 365 so you can gather as many details of activity as possible. Also, Office 365 offers several options for two-factor authentication that includes a randomly generated passcode, a phone call, a smart card, and a biometric device making better security possible for any budget.

What’s at the core of proper incident response is policies and procedures that each employee must be informed of so they can report suspicious activity promptly (ASAP/immediately). A policy would have dictated that there was to be a breach notification and procedures would have shown when and how to conduct a breach notification, and who the responsible party is for sending out the notification. A policy would dictate the extent that IT is to investigate and remediate compromises (scenario wise) while procedures and guidelines would dictate what to do in each scenario and who to contact when a third-party incident response is needed.

In conclusion, the school has sensitive information on you and your children, and you have the right to know when that information falls into the wrong hands. PAMS is obligated to do what a school at their size and funding can do to protect the information of parents and students. Based on what they didn’t do publicly and how they became tight-lipped, they fell well short of minimal expectations. A lot has been said by PAMS by what they haven’t said throughout this incident.

An Underestimated Use Case

When WEBGAP Go was launched in March, we anticipated that privacy would be a peripheral use, but what we did not realize is that customers saw the benefit of WEBGAP as a privacy solution more than an anti-malware solution. The companies that have an interest in our WEBGAP Pro product have been an even mix of privacy and anti-malware with specific privacy features that are not available with our Go product. The privacy aspect of WEBGAP Go is the focus of this article.

We are frequently asked if WEBGAP Go is a VPN, because that is how it appears to customers. In a sense, WEBGAP can function as a VPN in that your web browsing is seen from an IP address that is not your home’s and allows access to blocked websites, but browsing from another IP address is only one component of the privacy that is native to WEBGAP based on how it is engineered.

We use non-persistent browsing sessions that keep cookies from being stored until manually deleted. If you are logged into a website through WEBGAP, such as HubSpot, for example, and have selected “keep me logged in” then log out of WEBGAP you will have to log in to HubSpot again when you revisit whether it is through WEBGAP or your host browser.

When it comes to the visibility of the URL of the websites you are visiting through WEBGAP, everything after the query character (“?”) in the URL is not captured in web proxies nor any other device or software that has URL visibility except for the host browser. If you were to visit HubSpot through WEBGAP, you would see “https://webgap.me/?url=https%3A%2F%2Fwww.hubspot.com%2F” as the URL, but URL filters such as antivirus and web proxies see only “https://webgap.me/.” One of the aspects of privacy is having your data under your control. Any websites that you visited through WEBGAP can be quickly deleted from the host browser.

Browser fingerprinting is defined by the Electronic Frontier Foundation as “a method of tracking web browsers by the configuration and settings information they make visible to websites, rather than traditional tracking methods such as IP addresses and unique cookies.” WEBGAP does not block browser fingerprinting techniques, but it does give the same fingerprint every time, which effectively prevents any discernible pattern of device and website use. The components of browser fingerprinting that remain the same with each attempt are the user agent string, HTTP ACCEPT headers, screen resolution and color depth, the timezone, browser extensions and plugins, installed fonts, JavaScript execution, the hash of pixels generated by canvas fingerprinting, the hash of pixels generated by WebGL fingerprinting, system platform, system language, and touchscreen support.

The more people that browse the web with WEBGAP the more obfuscated fingerprint data is collected and sold to data brokers and Ad companies making it increasingly difficult to build a profile for not only you but everyone else that uses WEBGAP.