PowerShell – HTTP Authentication

#Authentication parameters
#Prompt for the credential; it is passed to every request after the initial call
$Credentials=Get-Credential

#Build the Basic Authorization header for the initial call only; it is not used afterwards
#Basic auth is only base64-encoded, not encrypted, so $URI must be HTTPS
$Base64Auth=[System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($Credentials.GetNetworkCredential().username + ":" + $Credentials.GetNetworkCredential().password ))
$BasicCredentials = "Basic " + $Base64Auth

#$tenantAPIKey, $URI, $Body and $ContentType must be set before this point
$headers = @{"tenant-code" = $tenantAPIKey; "Authorization" = $BasicCredentials}

$Output = Invoke-RestMethod -Method Post -Credential $Credentials -Uri $URI -Body $Body -ContentType $ContentType -Headers $headers

VPN – L2TP Error 809

If you're using L2TP with IPsec: Windows doesn't enable NAT-T by default (Windows 10 included), so you need to add a registry value.

To create and configure the AssumeUDPEncapsulationContextOnSendRule registry value, follow these steps:

  • Log on to the Windows Vista client computer as a user who is a member of the Administrators group.
  • Right Click Start, click Run, type regedit, and then click OK. If the User Account Control dialog box is displayed on the screen and prompts you to elevate your administrator token, click Continue.
  • Locate and then click the following registry subkey:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PolicyAgent

  • On the Edit menu, point to New, and then click DWORD (32-bit) Value.
  • Type AssumeUDPEncapsulationContextOnSendRule, and then press ENTER.
  • Right-click AssumeUDPEncapsulationContextOnSendRule, and then click Modify.
  • In the Value Data box, type one of the following values:
    • 0
      A value of 0 (zero) configures Windows so that it cannot establish security associations with servers that are located behind NAT devices. This is the default value.
    • 1
      A value of 1 configures Windows so that it can establish security associations with servers that are located behind NAT devices.
    • 2
      A value of 2 configures Windows so that it can establish security associations when both the server and the Windows Vista-based or Windows Server 2008-based VPN client computer are behind NAT devices.
  • Click OK, and then exit Registry Editor.
  • Restart the computer.

Validate that the Windows service IPsec Policy Agent (service name PolicyAgent) is started.

Source: https://support.microsoft.com/en-us/kb/926179
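As an added example (not part of the KB article), the same change scripted in PowerShell from an elevated prompt: it reports the current setting, writes the DWORD, and checks the IPsec Policy Agent service. The $Value parameter is an assumption of this script; pick 1 or 2 according to the table above.

```powershell
# Added example, not from the Microsoft KB article. Run from an elevated prompt.
# $Value is this script's own parameter (assumption): 1 = server behind NAT,
# 2 = both server and client behind NAT, 0 = default (no NAT traversal).
param(
    [ValidateSet(0, 1, 2)]
    [int]$Value = 2
)

$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent'
$Name    = 'AssumeUDPEncapsulationContextOnSendRule'

# Report the current setting; an absent value means the default of 0
$current = Get-ItemProperty -Path $KeyPath -Name $Name -ErrorAction SilentlyContinue
if ($null -eq $current) {
    Write-Host "$Name is not set (defaults to 0: no NAT traversal)"
} else {
    Write-Host "$Name is currently $($current.$Name)"
}

# Create the DWORD (32-bit) value, or overwrite it if it already exists
New-ItemProperty -Path $KeyPath -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
Write-Host "$Name set to $Value (a restart is required for it to take effect)"

# Validate that the IPsec Policy Agent service is running, and start it if not
$svc = Get-Service -Name PolicyAgent
if ($svc.Status -ne 'Running') {
    Start-Service -Name PolicyAgent
    $svc.Refresh()
}
Write-Host "IPsec Policy Agent ($($svc.Name)) status: $($svc.Status)"
```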

ADFS Authentication with Office 365

  1. The user goes to an Office 365 URL.
  2. The user is redirected to the Microsoft Federation Gateway (login.microsoftonline.com).
  3. The user enters their UPN.
  4. The UPN is recognized by the MFG as belonging to a federated domain.
  5. The user is redirected to the ADFS server.
  6. The user uses their Kerberos TGT (Ticket Granting Ticket) to authenticate.
  7. ADFS sends the TGT to the domain controller.
  8. ADFS receives a service ticket identifying the user.
  9. ADFS uses the service ticket to query Active Directory for the user's attributes (UPN, first name, last name, etc.).
  10. ADFS builds a SAML token containing the user's attributes.
  11. The ADFS server posts this SAML token to the MFG via the user's browser.
  12. The MFG verifies the SAML token signature to validate that it was issued by the trusted ADFS server.
  13. The MFG creates its own SAML token (with the UPN inside).
  14. The MFG SAML token is posted back to the Office 365 platform via the user's browser.
  15. Office 365 looks up an account with the user's UPN.