I’ve been struggling for a few months to find the answers to all of life’s questions… err.. I mean how to integrate an RSA SecurID soft-token with the VMware View iPad Client.
Why?
- PCI Compliance requires multi-factor authentication for remote access to your cardholder data environment. It’s also a good security practice if you use remote access.
- RSA SecurID is the most widely used form of multi-factor authentication, but there are certainly other options (Note: View only supports integration with RSA or RADIUS at this time).
- Users do not have to carry around a physical RSA keyfob.
- Users do not have to pull up the RSA app on their mobile device, remember the 8-digit token, then fly over to the VMware View app and type in that code, all within the 60- (or 30-) second window. That’s a little much for some folks to handle.
The intended audience of this technical post is your “all-in-one” administrator (like me) or a team of administrators across your compliance/security, VDI, or vSphere IT groups.
Posted By: Phillip Reynolds
Along with the Active Directory Recycle Bin, a tremendous benefit of upgrading your Active Directory functional levels to 2008 R2 is the ability to use DFSR replication between domain controllers. With 2003 and earlier, domain controllers used the File Replication Service (FRS) to replicate directories like SYSVOL. FRS has several drawbacks, such as having to retransmit entire files and minimal self-healing capabilities.
With 2008 and later versions, you can migrate from FRS to DFSR (Distributed File System Replication). DFSR can replicate only changed bits (useful for large logon scripts, company wallpaper, install files, and other items commonly found in the SYSVOL directory) and has more robust self-healing capabilities for conflict resolution.
Domains that are installed with 2008 or later functionality will have DFSR enabled by default. This procedure is only necessary for domains and forests that have been upgraded from 2003.
Upgrading your Active Directory domains and forests to the Windows Server 2008 R2 functional level can streamline some administrative functions. The biggest benefit of the 2008 R2 forest functional level is the Active Directory Recycle Bin. If you’ve ever had to use Directory Services Restore Mode to resurrect AD tombstones and retrieve deleted objects, you’ll love this feature.
How do I enable it?
- With a single line of PowerShell (replace contoso.com and DC=contoso,DC=com with your domain name):
Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=contoso,DC=com' -Scope ForestOrConfigurationSet -Target 'contoso.com'
What are some benefits?
- Object SIDs are maintained after the restore
- Group membership is maintained after the restore
- Objects can be restored from 60-180 days after their deletion (varies per domain)
- Entire OUs and child objects can be restored with a single action
- Complex structures such as DNS zones can be restored with all records intact
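The restore side of the feature, as an added example that is not from the original post: it checks that the Recycle Bin is enabled, reads the deleted-object lifetime behind the 60-180 day window, and restores a deleted OU together with the objects that sat under it. It assumes the contoso.com domain from the command above, an OU named Sales that lived at the domain root, and the ActiveDirectory module on the machine.

```powershell
# Added example (not from the original post). Assumed: domain contoso.com,
# a deleted OU "Sales" that sat directly under the domain root, unique name.
Import-Module ActiveDirectory

$ConfigNC = (Get-ADRootDSE).configurationNamingContext
$DomainDN = (Get-ADDomain).DistinguishedName

# 1. Without an enabled scope, deleted objects are plain tombstones and
#    Restore-ADObject cannot bring back their attributes or group memberships.
$rb = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if ($rb.EnabledScopes.Count -eq 0) { throw "Recycle Bin is not enabled in this forest" }

# 2. How long a deleted object stays restorable. An empty value means the
#    forest default applies (the 60- or 180-day window mentioned above).
$ds = Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$ConfigNC" `
        -Properties msDS-DeletedObjectLifetime
"Deleted-object lifetime: $($ds.'msDS-DeletedObjectLifetime') days (empty = default)"

# 3. Locate the deleted OU. Deleted objects keep their old name as a prefix,
#    so a 'Name -like' filter finds them; -IncludeDeletedObjects is required.
$ou = Get-ADObject -Filter 'Name -like "Sales*" -and ObjectClass -eq "organizationalUnit"' `
        -IncludeDeletedObjects -Properties lastKnownParent
Restore-ADObject -Identity $ou   # the container must exist before its children can return

# 4. Restore everything whose last known parent was inside that OU.
#    Shallower objects first, so nested OUs exist before the users in them.
$RestoredOU = "OU=Sales,$DomainDN"
Get-ADObject -Filter 'isDeleted -eq $true' -IncludeDeletedObjects -Properties lastKnownParent |
    Where-Object { $_.lastKnownParent -like "*$RestoredOU" } |
    Sort-Object { ($_.lastKnownParent -split ",").Count } |
    ForEach-Object { Restore-ADObject -Identity $_ }
```

Restore-ADObject puts each object back under its lastKnownParent, which is why the OU is restored in step 3 before its children in step 4.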
Often you may have custom attributes set up in Active Directory or some other source that your user profile information comes from. Here’s how to map those custom attributes to profile properties in SharePoint 2010.
1. Log in to Central Administration.
2. Go to Manage Service Applications.
3. Click on your User Profile Service Application.
4. Click on ‘Manage User Properties’.
5. Scroll down the list of properties until you see the one you want to map and edit it.
6. On the ‘Edit User Profile Property’ page, scroll to the bottom until you see the ‘Property Mapping for Synchronization’ section.
7. If this section already lists the correct mapping, go to Step 10. If nothing is listed, proceed to the next step.
8. The next section is the ‘Add New Mapping’ section. Select the Source, Attribute, and Direction of the new mapping and click ‘Add’. If no sources are available, ensure that you have set up the connection to your Active Directory instance.
9. Once successfully added, click ‘OK’.
10. Go back to the User Profile Service Application page and start a Full Synchronization.
11. Start Profile Synchronization.
12. Select ‘Start Full Synchronization’ and click ‘OK’.
13. Once the synchronization has completed, go to ‘Manage User Profiles’.
14. Find the name of the user you want to check for the imported attribute and choose ‘Edit My Profile’.
15. Scroll down to the property that you imported and verify that the correct data is there.
SharePoint’s User Profile Synchronization service is by FAR its most complicated and painful part to deal with. It is a bear to set up, modify, and maintain. To add to that, if you are importing supplemental User Profile Properties from a BCS connection, like SQL, you should know that importing the URL and Person data types is not supported.
For example, if you have a SQL table with a “Manager” field in it, you cannot import that field into the “Manager” Profile Property in SharePoint. There is a very ugly and unsupported way of doing this, but I would not recommend it.
The best solutions?
1. Import these fields directly into AD from whatever connection your BCS connection is pulling from. This is fairly simple when using Microsoft’s AD API.
2. Create a Timer Job Definition that uses the BCS connection to get the Profile Properties from SQL and then use the SharePoint API to manually set the properties on each user’s profile.
Here’s a really good post that explains how the User Profile Synchronization service works.
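The core of option 2 above, as an added example that is not from the original post: it reads a Manager column from SQL and writes it into the Person-typed ‘Manager’ profile property through the SharePoint 2010 server object model, which is exactly what a timer job would do on a schedule. It uses a direct SQL query in place of the BCS connection for brevity, and assumes the site URL, connection string, table and column names shown; run it on a SharePoint server as an account with rights on the User Profile Service Application.

```powershell
# Added example (not from the original post). Assumed values: site URL,
# connection string, and the dbo.Employees(AccountName, ManagerAccount) table.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
[void][Reflection.Assembly]::LoadWithPartialName("Microsoft.Office.Server.UserProfiles")

$SiteUrl    = "http://sharepoint.contoso.local"                       # assumed
$ConnString = "Server=sqlhost;Database=HR;Integrated Security=SSPI"   # assumed
$Query      = "SELECT AccountName, ManagerAccount FROM dbo.Employees"  # assumed schema

$site = Get-SPSite $SiteUrl
$ctx  = [Microsoft.SharePoint.SPServiceContext]::GetContext($site)
$upm  = New-Object Microsoft.Office.Server.UserProfiles.UserProfileManager($ctx)

$conn = New-Object System.Data.SqlClient.SqlConnection($ConnString)
$conn.Open()
$cmd  = $conn.CreateCommand()
$cmd.CommandText = $Query
$reader = $cmd.ExecuteReader()

$updated = 0; $skipped = 0
while ($reader.Read()) {
    $account = [string]$reader["AccountName"]      # e.g. CONTOSO\jdoe
    $manager = [string]$reader["ManagerAccount"]   # e.g. CONTOSO\asmith

    # Only update profiles that already exist; SQL rows never create profiles,
    # and a manager that has no profile is skipped rather than written blindly.
    if (-not $upm.UserExists($account)) { $skipped++; continue }
    if ([string]::IsNullOrEmpty($manager) -or -not $upm.UserExists($manager)) { $skipped++; continue }

    $profile = $upm.GetUserProfile($account)
    if ([string]$profile["Manager"].Value -ne $manager) {
        $profile["Manager"].Value = $manager   # Person property accepts the account name
        $profile.Commit()
        $updated++
    }
}

$reader.Close(); $conn.Close(); $site.Dispose()
Write-Host "Updated $updated profiles, skipped $skipped rows"
```

Because the property is written through the object model rather than the synchronization connection, the value survives the next profile sync only if no mapped source overwrites it, so leave the ‘Manager’ property unmapped when you take this route.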