Archives: Service News

I’m back to report that this work is complete. All www.netid.washington.edu pages have a redirect to the new IT Connect location. If you have bookmarks or links to www.netid pages, you can now update them.

 

Here is an orientation for the refactored documentation site:

• Use of UWWI has been replaced. ‘UWWI user’ and ‘UWWI group’ has been replaced with NETID user and NETID group. Exceptions include a few pictures (hunting down source files) and references which are out of our direct control (e.g. the UW NetID Support Tool still uses “UWWI” so our documentation must continue to reflect that). Feel free to let us know about “UWWI” instances you think we missed. J
• The Communications page notes how to get ahold of us for urgent issues, and introduces the service mailing lists and how to subscribe or unsubscribe. Child pages include an index of all the MI service documentation (including pages not in IT Connect), all service newsletters, and all service notifications (since 2012). In addition to being an archive, this provides a different way for service customers to keep in touch—instead of being on this mi-announce mailing list, you can monitor that location instead. I’d stress that the index page is a good way to find things quickly.
• The Service Design page includes capability maps that outline what we provide and our thoughts about the future, the architecture guide, and policy documents. This is mostly content that IT staff might need to reference to find out how the service is designed. Some of this content has gotten minor updates, and I’ve noted gaps for future documentation. Documenting our Entra ID integration is the most notable gap.
• The Other Help page includes content which is only indirectly related to the MI service. These are typically topics for which we are the subject matter experts for or where additional explanation or background will help the UW community. The venerable ‘Windows domain setup at UW’ document is a good example of the type of document here. Clearly separating these documents provides a clearer expectation boundary about how these documents relate to the MI service. The FAQ is under here and has gotten a topical re-organization and some pruning. If you haven’t seen the extensive Entra ID terminology part of that FAQ, it’s worth a look.
• And then the rest of the top-level pages are aligned with the capabilities the MI service provides: Software, Authentication integration, Entra ID, and Delegated OUs.
  • The MS product activation document is under a Software page in anticipation of other software capabilities being added to the MI service in the future.
  • The LDAP configuration, Getting Started: NETID Trusts, and Firewalls with NETID domain are high volume documents under the Authentication integration page.
  • The Entra ID tenant guidance and Entra ID Applications pages are high interest documents under the Entra ID page. I’d recommend reviewing these if you haven’t seen them.
  • The Delegated OUs page has many child pages, too numerous to mention. It is worth pointing out that all capabilities which are constrained to OU customers are under here, things like DFS, AD-CS based certificates, and DDNS.

 

Brian Arkills

Microsoft Infrastructure Service Manager

UW-IT

 

 

From: Brian Arkills Sent: Thursday, April 28, 2016 3:15 PM To: ‘mi-announce@uw.edu’ <mi-announce@uw.edu> Subject: Microsoft Infrastructure documentation migration/consolidation

 

We’re combining our documentation into IT Connect. A few exceptions that don’t work well on that platform will remain in the UW-IT Wiki.

 

What and When:

Over the next several weeks, we will be migrating the Microsoft Infrastructure documentation into IT Connect (https://it.uw.edu). Our documentation will live under https://it.uw.edu/wares/msinf/.

 

Our content has been splattered across multiple locations, including a web hosting platform we run for ourselves. It doesn’t make sense for us to run something separate, and consolidating on IT Connect should improve discoverability of that content.

 

Related to the service rename previously announced, we’ve already moved most of the content that was previously in the UW-IT wiki space named UW Windows Infrastructure to the IT Connect location noted above.

 

What You Need to Do:

This notice is partly advisory so you know to expect some changes, but you may also have an action to take.

 

If you host links to our content or have bookmarked pages, you may want to update them. Where we can, we’ll put in page redirects to the new location and maintain those old pages for 3 months to facilitate this. Because this documentation migration is not complete and will span a couple week period, we’ll send another note when we’re done so you know when to do that activity.

 

More Information:

Unfortunately, not all of our content can move to IT Connect. A few things will need to be on the UW-IT Wiki platform. We’ll clearly link to those pages, have navigation aids from those pages back to IT Connect, and clearly note that this wiki space is an ancillary location. That ancillary UW-IT Wiki space is https://wiki.cac.washington.edu/display/MSINF/Microsoft+Infrastructure, and it’ll have things like request forms, the public proposals with analysis we’ve previously shared, and other documents with flexible editing needs.

 

The web location www.netid.washington.edu will retire in about 3 months. It served us nicely for 10 years. J

 

Brian Arkills

Microsoft Infrastructure Service Manager

UW-IT

 

The Entra ID Help Desk Card is being implemented to help ensure users have an easy way to get assistance.

 

What and When:

Today the Help Desk Card capability in our Entra ID tenant is being enabled. When users click on the help icon in applications which support this, they’ll be presented with contact information which can allow them to easily get help.

 

The following information will be present:

UW IT

+1 (206) 221-5000

help@uw.edu

http://www.washington.edu/itconnect  

 

What You Need to Do:

Nothing, this notice is informational only so you aren’t surprised by the change.

 

More Info:

Please refer to https://support.office.com/en-US/client/results?Shownav=true&lcid=1033&ns=O365ENTADMIN&version=15&ver=15&services=INTUNE_O365%2cYAMMER_EDU%2cSHAREPOINTWAC_EDU%2cMCOSTANDARD%2cSHAREPOINTSTANDARD_EDU%2cEXCHANGE_S_STANDARD&HelpID=O365E_CustomHelpDesk for more information about this capability.

 

Brian Arkills

UW Windows Infrastructure Service Manager

 

The UW Windows Infrastructure has deployed a public key infrastructure consisting of a 2 tier certificate authority, whose initial purpose is to provide automatic certificate enrollment and certificate deployment for delegated OU computers running Windows.

 

What and When:

On 10/16/2015, UWWI deployed an Active Directory published root certificate authority named netid-root-CA. Being AD published means that domain-joined computers trust it by default.

 

On 10/23/2015, UWWI deployed an Active Directory integrated issuing certificate authority named netid-issuing-CA. Being AD integrated means that:

• domain-joined computers trust it by default,
• domain users and computers can request and retrieve certificates from it, leveraging the secure channel trust already in place
• issued certificates can be published to the appropriate AD object (which enables a variety of uses)
• certificate revocation lists are published to AD, enabling domain-joined computers to reliably determine whether a given certificate is still valid

 

Like the UW Services CA, these certificate authorities are not publicly trusted. This limits their usefulness to UW internal purposes—for example, you wouldn’t use this CA to enable HTTPS for a public website.

 

In the near future, on a per OU basis, we’ll provide a group which OU admins will be member managers for. You can add computers as members to this group to direct them to automatically enroll for a “Computer” certificate, with client authentication and server authentication uses. Unlike most other certs you’ve used, these certs automatically get renewed, and require no further human involvement. More details on the nature of these certs is available below. More details on this coming capability will be shared when this is ready.

 

What You Need to Do:

At this time nothing. We wanted to let security conscious customers know that we changed the certificate authority trust of domain-joined computers intentionally as part of a planned release. We’ve mentioned this intention several times over the last year, and the deployment of capabilities is now approaching.

 

We’ll let you know when we have enabled this new capability for your OU. At that time, you can add computers to a group and get automatic certificate enrollment to these computers.

 

More Info:

This capability was added due to strong customer interest in lowered costs for certificate management. Based on customer need analysis, there were enough internal-only uses and cost-savings to move forward, even though this may make the UW certificate story a little more complicated. Given how handy an AD integrated CA is, we believe there will be more use cases identified and future capabilities–in fact, there is currently customer interest in exploring three other use cases. More information on these use cases and future capabilities will be coming over the next few months.

 

Do be aware that for UW internal use cases you may need to ask a service to trust the netid-root-CA and netid-issuing-CA in order to leverage the client authentication capability. For example, the Groups Web Service does not currently trust these certificates.

 

If you need to get a copy of the CA certs, they are available at:

http://thrawn.uw.edu/CertEnroll/cracken.netid.washington.edu_netid-issuing-CA.crt

http://thrawn.uw.edu/CertEnroll/madine.netid.washington.edu_netid-root-CA.crt

 

Additional details on the “Computer” certificate:

Validity: 1 year

Renewal: 6 weeks

Private key is not exportable

Minimum key size of 2048

Subject name is based on dnsHostname attribute of AD computer object

 

Additional technical details on the two new certificate authorities:

Both are implemented in a manner such that if we later needed to, we can meet FIPS compliance, although at this time we are not using a HSM module for private key storage. The root CA is designed to be an “offline” CA hosted in Azure, brought online at least once a year to republish the certificate revocation list (CRL). Hosting this CA in Azure allows us to save costs since it is offline most of the time, and their hosting practices are as good or better than ours (e.g. they have rolling audits to meet various regulatory certifications). We are hoping that in the future Microsoft provides a virtual HSM capability for AD-CS integrated with its Azure Key Vault.

 

Brian Arkills

UW Windows Infrastructure Service Manager

A new group policy object at the root of the NETID domain is being created. This GPO will only apply to computers which are opted into applying it.

 

What and When:

Today UWWI will create a new GPO called ‘AD-CS Auto-enrollment’ at the domain root.

 

This GPO will enable auto-enrollment for the certificate services client. This GPO will only apply to computers which:

1. Are members of the group u_windowsinfrastructure_adcs_autoenroll
2. Do not have GPO inheritance blocking.

 

What You Need to Do:

Nothing. There is no immediate impact to you.

 

At this time, none of your computers are affected. You may choose to opt your computers into this as part of the emerging Active Directory Certificate Services (AD-CS) service option. More on this is forthcoming.

 

More Info:

The specific setting in this GPO is:

Computer/Policies/Windows Settings/Security Settings/Public Key Policies/Certificate Services Client – Auto-Enrollment Settings/

Automatic certificate management=Enabled

Enroll new certificates, renew expired certificates, process pending certificate requests and remove revoked certificates=Enabled

Update and manage certificates that use certificate templates from Active Directory=Enabled

 

Enabling this client computer setting is required to provide the AD-CS service option with auto-enrollment. We’ve purposely scoped this change so you retain management of your computers; you need to take an action for this computer configuration to affect you. Our goal is to respect your autonomy in how you manage your computers. However, it makes a lot of sense to have a single toggle which enables a desired outcome, so we’ve designed this mechanism in such a way that your intention and the desired outcome is directly connected.

 

Put in a more concrete way, in the future, you may choose to have some of your computers automatically get a certificate by adding them to a group. By adding them to this group, you’ll be allowing this GPO to configure the client-side setting and allow access to a specific certificate template. The end result will be that those computers will automatically end up with a certificate. J

 

If you have computers in an OU which blocks inheritance, there are workarounds that are in our customer documentation, so no worries.

 

We’re pretty close to releasing this new service option, and will be sending a little more info to the uwwi-discuss@uw.edu mailing list for eager folks to kick the tires. You can expect further details here soon. For your benefit, below I’ve included the prior change we made to enable this emerging service option.

 

If you have questions about this change, please send an email to help@uw.edu with “UWWI AD-CS autoenrollment change” in the subject line.

 

Brian Arkills

UW Windows Infrastructure Service Manager

UW-IT

 

From: Brian Arkills Sent: Monday, November 2, 2015 1:09 PM To: ‘uwwi-announce@uw.edu’ <uwwi-announce@uw.edu> Subject: Certificate services for delegated OUs

 

The UW Windows Infrastructure has deployed a public key infrastructure consisting of a 2 tier certificate authority, whose initial purpose is to provide automatic certificate enrollment and certificate deployment for delegated OU computers running Windows.

 

What and When:

On 10/16/2015, UWWI deployed an Active Directory published root certificate authority named netid-root-CA. Being AD published means that domain-joined computers trust it by default.

 

On 10/23/2015, UWWI deployed an Active Directory integrated issuing certificate authority named netid-issuing-CA. Being AD integrated means that:

• domain-joined computers trust it by default,
• domain users and computers can request and retrieve certificates from it, leveraging the secure channel trust already in place
• issued certificates can be published to the appropriate AD object (which enables a variety of uses)
• certificate revocation lists are published to AD, enabling domain-joined computers to reliably determine whether a given certificate is still valid

 

Like the UW Services CA, these certificate authorities are not publicly trusted. This limits their usefulness to UW internal purposes—for example, you wouldn’t use this CA to enable HTTPS for a public website.

 

In the near future, on a per OU basis, we’ll provide a group which OU admins will be member managers for. You can add computers as members to this group to direct them to automatically enroll for a “Computer” certificate, with client authentication and server authentication uses. Unlike most other certs you’ve used, these certs automatically get renewed, and require no further human involvement. More details on the nature of these certs is available below. More details on this coming capability will be shared when this is ready.

 

What You Need to Do:

At this time nothing. We wanted to let security conscious customers know that we changed the certificate authority trust of domain-joined computers intentionally as part of a planned release. We’ve mentioned this intention several times over the last year, and the deployment of capabilities is now approaching.

 

We’ll let you know when we have enabled this new capability for your OU. At that time, you can add computers to a group and get automatic certificate enrollment to these computers.

 

More Info:

This capability was added due to strong customer interest in lowered costs for certificate management. Based on customer need analysis, there were enough internal-only uses and cost-savings to move forward, even though this may make the UW certificate story a little more complicated. Given how handy an AD integrated CA is, we believe there will be more use cases identified and future capabilities–in fact, there is currently customer interest in exploring three other use cases. More information on these use cases and future capabilities will be coming over the next few months.

 

Do be aware that for UW internal use cases you may need to ask a service to trust the netid-root-CA and netid-issuing-CA in order to leverage the client authentication capability. For example, the Groups Web Service does not currently trust these certificates.

 

If you need to get a copy of the CA certs, they are available at:

http://thrawn.uw.edu/CertEnroll/cracken.netid.washington.edu_netid-issuing-CA.crt

http://thrawn.uw.edu/CertEnroll/madine.netid.washington.edu_netid-root-CA.crt

 

Additional details on the “Computer” certificate:

Validity: 1 year

Renewal: 6 weeks

Private key is not exportable

Minimum key size of 2048

Subject name is based on dnsHostname attribute of AD computer object

 

Additional technical details on the two new certificate authorities:

Both are implemented in a manner such that if we later needed to, we can meet FIPS compliance, although at this time we are not using a HSM module for private key storage. The root CA is designed to be an “offline” CA hosted in Azure, brought online at least once a year to republish the certificate revocation list (CRL). Hosting this CA in Azure allows us to save costs since it is offline most of the time, and their hosting practices are as good or better than ours (e.g. they have rolling audits to meet various regulatory certifications). We are hoping that in the future Microsoft provides a virtual HSM capability for AD-CS integrated with its Azure Key Vault.

 

Brian Arkills

UW Windows Infrastructure Service Manager

A new automated X.509 certificate enrollment and issuance capability is now available to delegated OU customers.

 

What and When:

Delegated OU customers can use the group service to cause a X.509 certificate to be automatically issued to a Windows computer in their delegated OU. Other than adding the computer to the group, there is no manual effort required, and the certificate will be automatically renewed when it approaches its end date.

 

The Certificate Authority which issues the certificate is not signed by a publicly trusted root CA but is trusted by all computers joined to the NETID domain. This CA meets the same kinds of use cases as the “UW CA”, but there is no labor involved in certificate deployment and none of the ugly certificate expiration problems, so we believe you’ll find this highly useful as an IT cost-savings measure.

 

What You Need to Do:

If you’d like to make use of this new capability, we’d recommend you read https://wiki.cac.washington.edu/x/_69NB, especially the ‘How to Use this Service Option’ section.

 

More Information:

Behind the scenes, the group membership change triggers application of a domain GPO which enables auto-enrollment on that computer, and grants the autoenroll permission to a specific certificate. The client computer does a little dance with AD to find issuing CAs and templates it has permissions for, and requests all certificates for which it is entitled via an RPC connection to the CA. The CA automatically approves/issues the requested cert and the client computer places the cert in its local certificate store.

 

It’s pretty neat stuff that seems like magic compared to the highly manual certificate process involved with the UW CA and InCommon CA that consumes lots of time.

 

There’s lots more information at the customer documentation URL above.

 

As noted previously, if you have another use case you’d like to explore, let us know.

 

We are exploring a couple use cases for the future, including a custom template paired with auto-enrollment, possibly leveraging this new infrastructure to enable a multi-factor authentication solution like Microsoft Passport, and will also consider adding a web service enrollment agent which would allow non-Windows and non-domain joined computers to get in on the automated goodness. J

 

Brian Arkills

UW Windows Infrastructure Service Manager

UW-IT

 

From: Brian Arkills Sent: Friday, December 18, 2015 9:57 AM To: ‘uwwi-announce@uw.edu’ <uwwi-announce@uw.edu> Subject: new domain GPO

 

A new group policy object at the root of the NETID domain is being created. This GPO will only apply to computers which are opted into applying it.

 

What and When:

Today UWWI will create a new GPO called ‘AD-CS Auto-enrollment’ at the domain root.

 

This GPO will enable auto-enrollment for the certificate services client. This GPO will only apply to computers which:

1. Are members of the group u_windowsinfrastructure_adcs_autoenroll
2. Do not have GPO inheritance blocking.

 

What You Need to Do:

Nothing. There is no immediate impact to you.

 

At this time, none of your computers are affected. You may choose to opt your computers into this as part of the emerging Active Directory Certificate Services (AD-CS) service option. More on this is forthcoming.

 

More Info:

The specific setting in this GPO is:

Computer/Policies/Windows Settings/Security Settings/Public Key Policies/Certificate Services Client – Auto-Enrollment Settings/

Automatic certificate management=Enabled

Enroll new certificates, renew expired certificates, process pending certificate requests and remove revoked certificates=Enabled

Update and manage certificates that use certificate templates from Active Directory=Enabled

 

Enabling this client computer setting is required to provide the AD-CS service option with auto-enrollment. We’ve purposely scoped this change so you retain management of your computers; you need to take an action for this computer configuration to affect you. Our goal is to respect your autonomy in how you manage your computers. However, it makes a lot of sense to have a single toggle which enables a desired outcome, so we’ve designed this mechanism in such a way that your intention and the desired outcome is directly connected.

 

Put in a more concrete way, in the future, you may choose to have some of your computers automatically get a certificate by adding them to a group. By adding them to this group, you’ll be allowing this GPO to configure the client-side setting and allow access to a specific certificate template. The end result will be that those computers will automatically end up with a certificate. J

 

If you have computers in an OU which blocks inheritance, there are workarounds that are in our customer documentation, so no worries.

 

We’re pretty close to releasing this new service option, and will be sending a little more info to the uwwi-discuss@uw.edu mailing list for eager folks to kick the tires. You can expect further details here soon. For your benefit, below I’ve included the prior change we made to enable this emerging service option.

 

If you have questions about this change, please send an email to help@uw.edu with “UWWI AD-CS autoenrollment change” in the subject line.

 

Brian Arkills

UW Windows Infrastructure Service Manager

UW-IT

 

From: Brian Arkills Sent: Monday, November 2, 2015 1:09 PM To: ‘uwwi-announce@uw.edu’ <uwwi-announce@uw.edu> Subject: Certificate services for delegated OUs

 

The UW Windows Infrastructure has deployed a public key infrastructure consisting of a 2 tier certificate authority, whose initial purpose is to provide automatic certificate enrollment and certificate deployment for delegated OU computers running Windows.

 

What and When:

On 10/16/2015, UWWI deployed an Active Directory published root certificate authority named netid-root-CA. Being AD published means that domain-joined computers trust it by default.

 

On 10/23/2015, UWWI deployed an Active Directory integrated issuing certificate authority named netid-issuing-CA. Being AD integrated means that:

• domain-joined computers trust it by default,
• domain users and computers can request and retrieve certificates from it, leveraging the secure channel trust already in place
• issued certificates can be published to the appropriate AD object (which enables a variety of uses)
• certificate revocation lists are published to AD, enabling domain-joined computers to reliably determine whether a given certificate is still valid

 

Like the UW Services CA, these certificate authorities are not publicly trusted. This limits their usefulness to UW internal purposes—for example, you wouldn’t use this CA to enable HTTPS for a public website.

 

In the near future, on a per OU basis, we’ll provide a group which OU admins will be member managers for. You can add computers as members to this group to direct them to automatically enroll for a “Computer” certificate, with client authentication and server authentication uses. Unlike most other certs you’ve used, these certs automatically get renewed, and require no further human involvement. More details on the nature of these certs is available below. More details on this coming capability will be shared when this is ready.

 

What You Need to Do:

At this time nothing. We wanted to let security conscious customers know that we changed the certificate authority trust of domain-joined computers intentionally as part of a planned release. We’ve mentioned this intention several times over the last year, and the deployment of capabilities is now approaching.

 

We’ll let you know when we have enabled this new capability for your OU. At that time, you can add computers to a group and get automatic certificate enrollment to these computers.

 

More Info:

This capability was added due to strong customer interest in lowered costs for certificate management. Based on customer need analysis, there were enough internal-only uses and cost-savings to move forward, even though this may make the UW certificate story a little more complicated. Given how handy an AD integrated CA is, we believe there will be more use cases identified and future capabilities–in fact, there is currently customer interest in exploring three other use cases. More information on these use cases and future capabilities will be coming over the next few months.

 

Do be aware that for UW internal use cases you may need to ask a service to trust the netid-root-CA and netid-issuing-CA in order to leverage the client authentication capability. For example, the Groups Web Service does not currently trust these certificates.

 

If you need to get a copy of the CA certs, they are available at:

http://thrawn.uw.edu/CertEnroll/cracken.netid.washington.edu_netid-issuing-CA.crt

http://thrawn.uw.edu/CertEnroll/madine.netid.washington.edu_netid-root-CA.crt

 

Additional details on the “Computer” certificate:

Validity: 1 year

Renewal: 6 weeks

Private key is not exportable

Minimum key size of 2048

Subject name is based on dnsHostname attribute of AD computer object

 

Additional technical details on the two new certificate authorities:

Both are implemented in a manner such that if we later needed to, we can meet FIPS compliance, although at this time we are not using a HSM module for private key storage. The root CA is designed to be an “offline” CA hosted in Azure, brought online at least once a year to republish the certificate revocation list (CRL). Hosting this CA in Azure allows us to save costs since it is offline most of the time, and their hosting practices are as good or better than ours (e.g. they have rolling audits to meet various regulatory certifications). We are hoping that in the future Microsoft provides a virtual HSM capability for AD-CS integrated with its Azure Key Vault.

 

Brian Arkills

UW Windows Infrastructure Service Manager

What and When:

Over the next month or so, we’ll be updating our references to UW Windows Infrastructure (and UWWI) to Microsoft Infrastructure. You will see documentation and mailing lists like this one be updated to reflect this name change. We will likely also update our name in more obscure places, e.g. we are considering a change to our Groups Service stem.

 

What You Need to Do:

Nothing. This is an advisory note to keep you informed so you aren’t taken by surprise by planned service offering name change activities.

 

More Info:

 

This mailing list is replaced with mi-announce@uw.edu. This is the last email you’ll see to uwwi-announce@uw.edu.

 

Uwwi-discuss@uw.edu is replaced by mi-discuss@uw.edu. I’ll send a separate note to that list.

 

Brian Arkills

Microsoft Infrastructure Service Manager

UW-IT

 

 

We’re combining our documentation into IT Connect. A few exceptions that don’t work well on that platform will remain in the UW-IT Wiki.

 

What and When:

Over the next several weeks, we will be migrating the Microsoft Infrastructure documentation into IT Connect (https://it.uw.edu). Our documentation will live under https://it.uw.edu/wares/msinf/.

 

Our content has been splattered across multiple locations, including a web hosting platform we run for ourselves. It doesn’t make sense for us to run something separate, and consolidating on IT Connect should improve discoverability of that content.

 

Related to the service rename previously announced, we’ve already moved most of the content that was previously in the UW-IT wiki space named UW Windows Infrastructure to the IT Connect location noted above.

 

What You Need to Do:

This notice is partly advisory so you know to expect some changes, but you may also have an action to take.

 

If you host links to our content or have bookmarked pages, you may want to update them. Where we can, we’ll put in page redirects to the new location and maintain those old pages for 3 months to facilitate this. Because this documentation migration is not complete and will span a couple week period, we’ll send another note when we’re done so you know when to do that activity.

 

More Information:

Unfortunately, not all of our content can move to IT Connect. A few things will need to be on the UW-IT Wiki platform. We’ll clearly link to those pages, have navigation aids from those pages back to IT Connect, and clearly note that this wiki space is an ancillary location. That ancillary UW-IT Wiki space is https://wiki.cac.washington.edu/display/MSINF/Microsoft+Infrastructure, and it’ll have things like request forms, the public proposals with analysis we’ve previously shared, and other documents with flexible editing needs.

 

The web location www.netid.washington.edu will retire in about 3 months. It served us nicely for 10 years. J

 

Brian Arkills

Microsoft Infrastructure Service Manager

UW-IT