-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathPasswordWriteback_ConnectivityTests.ps1
More file actions
133 lines (88 loc) · 5.41 KB
/
Copy pathPasswordWriteback_ConnectivityTests.ps1
File metadata and controls
133 lines (88 loc) · 5.41 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
# Verify SSPR writeback config is enabled \ started and onboarding is not required
$aadconnector = Get-ADSyncConnector | ? {$_.Name -match " - AAD"}
Get-ADSyncAADPasswordResetConfiguration -Connector $aadconnector.Name
# From event logs check the most recent service bus heartbeat (should be every ~ 5 minutes) and copy the Namespace and Endpoint
$date = (Get-Date).AddHours(-1)
$output = Get-WinEvent -FilterHashTable @{ LogName = "Application"; ProviderName = "PasswordResetService"; Id = 31019; StartTime = $date } | Select -First 2 TimeCreated, Message | fl *
# Based on results customize below variable examples with the two namespace\endpoints in use
$Namespace1 = "ssprdedicatedsbprodncu"
$Endpoint1 = "91ceb514-5ead-468c-a6ae-048e103d57f0_2e53b84b-d06a-4e44-9f79-cd3d7f7814f7"
$Namespace2 = "ssprdedicatedsbprodscu"
$Endpoint2 = "91ceb514-5ead-468c-a6ae-048e103d57f0_7bc234a4-5dd9-46b3-a136-1876080cb275"
# Export PasswordReset + ADSync Event Logs for last 48 hours and upload to support case DTM for review
wevtutil.exe epl Application C:\Temp\PasswordResetServiceLogs.evtx /ow:True /q:"*[System[Provider[@Name='PasswordResetService'] and TimeCreated[timediff(@SystemTime) <= 172800000]]]"
wevtutil.exe epl Application C:\Temp\AdSyncLogs.evtx /ow:True /q:"*[System[Provider[@Name='ADSync'] and TimeCreated[timediff(@SystemTime) <= 172800000]]]"
# Verify DNS Resolution
$IP1 = (Resolve-DnsName "$Namespace1.servicebus.windows.net").IP4Address
$IP1
$IP2 = (Resolve-DnsName "$Namespace2.servicebus.windows.net").IP4Address
$IP2
# Check for the persistent outbound connection established to service bus relay
$process = get-process -Name miiserver
Get-NetTCPConnection -State Established -OwningProcess $process.Id -RemotePort 443 -RemoteAddress $IP1
Get-NetTCPConnection -State Established -OwningProcess $process.Id -RemotePort 443 -RemoteAddress $IP2
# Verify browser can connect to full endpoint and the expected response "MissingToken: The request contains no authorization header" is returned, if there is any other response could be outbound connectivity issue
Start-Process msedge.exe -ArgumentList "https://$Namespace1.servicebus.windows.net/$Endpoint1 -inprivate"
Start-Process msedge.exe -ArgumentList "https://$Namespace2.servicebus.windows.net/$Endpoint2 -inprivate"
# Response should be "401 Unauthorized" if it is anything else there could be outbound connectivity issue
Invoke-RestMethod -Method Get -Uri "https://$Namespace1.servicebus.windows.net/$Endpoint1"
# Response should be "401 Unauthorized" if it is anything else there could be outbound connectivity issue
Invoke-RestMethod -Method Get -Uri "https://$Namespace2.servicebus.windows.net/$Endpoint2"
# Run SSL\TLS tests from https://learn.microsoft.com/en-us/entra/identity/hybrid/connect/reference-connect-tls-enforcement#powershell-script-to-check-tls-12
Function Get-ADSyncToolsTls12RegValue
{
[CmdletBinding()]
Param
(
# Registry Path
[Parameter(Mandatory=$true,
Position=0)]
[string]
$RegPath,
# Registry Name
[Parameter(Mandatory=$true,
Position=1)]
[string]
$RegName
)
$regItem = Get-ItemProperty -Path $RegPath -Name $RegName -ErrorAction Ignore
$output = "" | select Path,Name,Value
$output.Path = $RegPath
$output.Name = $RegName
If ($regItem -eq $null)
{
$output.Value = "Not Found"
}
Else
{
$output.Value = $regItem.$RegName
}
$output
}
$regSettings = @()
$regKey = 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'
$regSettings += Get-ADSyncToolsTls12RegValue $regKey 'SystemDefaultTlsVersions'
$regSettings += Get-ADSyncToolsTls12RegValue $regKey 'SchUseStrongCrypto'
$regKey = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319'
$regSettings += Get-ADSyncToolsTls12RegValue $regKey 'SystemDefaultTlsVersions'
$regSettings += Get-ADSyncToolsTls12RegValue $regKey 'SchUseStrongCrypto'
$regKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server'
$regSettings += Get-ADSyncToolsTls12RegValue $regKey 'Enabled'
$regSettings += Get-ADSyncToolsTls12RegValue $regKey 'DisabledByDefault'
$regKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
$regSettings += Get-ADSyncToolsTls12RegValue $regKey 'Enabled'
$regSettings += Get-ADSyncToolsTls12RegValue $regKey 'DisabledByDefault'
$regSettings
### Testing outbound block behavior
# Enable Windows Firewall
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True
# Resolve the IP address of service bus endpoints
$servicebusIP1 = [System.Net.Dns]::GetHostAddresses("$Namespace1.servicebus.windows.net").IPAddressToString
$servicebusIP2 = [System.Net.Dns]::GetHostAddresses("$Namespace2.servicebus.windows.net").IPAddressToString
# Create an outbound rule to block traffic to www.google.com
New-NetFirewallRule -DisplayName "Block Service Bus IP1" -Direction Outbound -Action Block -RemoteAddress $servicebusIP1
New-NetFirewallRule -DisplayName "Block Service Bus IP2" -Direction Outbound -Action Block -RemoteAddress $servicebusIP2
#Reset firewall
Remove-NetFirewallRule -DisplayName "Block Service Bus IP1"
Remove-NetFirewallRule -DisplayName "Block Service Bus IP2"
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled False