Cloud printing with uniFLOW part 1.

So... you have moved everyone to your new and shiny Microsoft 365 tenant and everything is cloud only. With all the new collaboration software out there, like Microsoft Teams, print is a thing of the past. Then a user knocks on your office door and wants to print out their email(!) You start to panic: surely no one needs to print in 2019? Or do they? How do we set up a print environment for the cloud era? In today’s blog I will guide you through importing users from Azure AD Domain Services into your uniFLOW server via Secure LDAP (LDAPS).

But what is Azure AD Domain Services? And why would you need it when you already have Azure AD? Short answer: if you have a legacy application that doesn’t support Azure AD’s modern authentication protocols and needs to do LDAP queries, Azure AD Domain Services provides that. In short, it’s like having two domain controllers in the cloud, but as a service. You can’t access the underlying “VMs”, so you don’t need to think about patching and so on. Just like a cloud service should be.

Prerequisites

  • Azure subscription
  • Microsoft Azure tenant
  • Azure AD Domain Services (this is an additional cost)
  • Certificate (self signed in this blog post)
  • Uniflow 2019 LTS SR1 or later

You can add Azure AD Domain Services from the marketplace if you haven’t set it up already. I won’t cover that in this blog. There’s plenty of information on this if you google it, or use the official docs from Microsoft. https://docs.microsoft.com/en-us/azure/active-directory-domain-services/create-instance

Go to your Azure AD Domain Services.

Click on your managed Domain.

Click on Secure LDAP

Now you need a certificate to enable Secure LDAP. You can skip this step if your managed domain uses a DNS name you own and you already have a certificate for it from a public or internal CA: just upload that one. Generate a self-signed certificate if your Azure AD Domain Services instance is on a managed .onmicrosoft.com domain. Open an elevated PowerShell prompt, edit the following and run it.

# 730 days is the lifetime used here; note the expiry date, Secure LDAP stops working when it passes.
$lifetime=Get-Date
# -DnsName becomes the Subject Alternative Names. uniFLOW will connect by whatever name or IP
# you use here, so include the managed domain, a wildcard for it and the public IP.
# -CertStoreLocation puts the certificate in the computer store, which is where the export steps below look.
New-SelfSignedCertificate -Subject manageddomain.onmicrosoft.com `
  -NotAfter $lifetime.AddDays(730) -KeyUsage DigitalSignature, KeyEncipherment `
  -Type SSLServerAuthentication -DnsName *.manageddomain.onmicrosoft.com, manageddomain.onmicrosoft.com, 0.0.0.0 `
  -CertStoreLocation Cert:\LocalMachine\My

Change manageddomain.onmicrosoft.com to fit your needs, and replace the 0.0.0.0 placeholder with the public IP of your managed domain if you can’t point a DNS name at it (uniFLOW connects by that IP later, and TLS validation needs it to be in the certificate). You can find the public IP under Properties on the Azure AD Domain Services page.

After you have run it, the certificate sits in the computer’s Personal store. You need to export it twice: once with the private key (a .pfx file) and once without (a .cer file). The one with the private key is what you upload to Azure AD Domain Services so it can terminate TLS; the one without is the public part the client, in this case the uniFLOW server, needs in order to trust the endpoint. Treat the .pfx like a password: anyone holding it can impersonate your LDAPS endpoint.

Open MMC and add the Certificate Snap-in.

Choose Computer Account.

Select Local Computer then Finish. Then the OK button.

Under “Personal -> Certificates” you will see your self-signed certificate.

Right click and choose All Tasks -> Export. In the next dialog box click “Next”.

Choose “Yes, export the private key” then click “Next”.

You must export the private key for the certificate, or else enabling secure LDAP will fail.

Select “Include all certificates in the certification path if possible” and only this (leave “Delete the private key if the export is successful” unchecked; you still need the key in the store to export the public part afterwards). Then click “Next”.

Then you need to provide a password. Choose a strong one; you will need it when you upload the file to Azure AD Domain Services. On the “File to Export” page specify a name and save it somewhere. Then run the export wizard once more, this time choosing “No, do not export the private key” and a .CER format; that second file is the one for the uniFLOW server.
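The same certificate creation and both exports done from PowerShell, as an added example that is not part of the original post: it creates the certificate, writes the .pfx for Azure AD Domain Services and the .cer for the uniFLOW server, and prints the thumbprint and expiry so you can verify the upload later. The domain name, public IP and output folder are assumptions; replace them with yours.

```powershell
# Added example (not from the original post): create the Secure LDAP certificate and
# export it with and without the private key. Run in an elevated PowerShell prompt.
$domain   = 'manageddomain.onmicrosoft.com'   # assumption: your AAD DS managed domain
$publicIp = '203.0.113.10'                    # assumption: AAD DS public IP (Properties tab)
$outDir   = 'C:\certs'                        # assumption: output folder
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# SANs cover the domain, a wildcard for it and the public IP, so uniFLOW can connect by IP.
$cert = New-SelfSignedCertificate -Subject "CN=$domain" `
    -DnsName "*.$domain", $domain, $publicIp `
    -KeyUsage DigitalSignature, KeyEncipherment `
    -Type SSLServerAuthentication `
    -NotAfter (Get-Date).AddDays(730) `
    -CertStoreLocation 'Cert:\LocalMachine\My'

# The .pfx (with private key) goes to AAD DS; protect it with a password and delete the
# file once it is uploaded. The .cer (public key only) is what the uniFLOW server trusts.
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX export password'
Export-PfxCertificate -Cert $cert -FilePath "$outDir\aadds-ldaps.pfx" `
    -Password $pfxPassword -ChainOption BuildChain | Out-Null
Export-Certificate -Cert $cert -FilePath "$outDir\aadds-ldaps.cer" -Type CERT | Out-Null

# Record thumbprint, expiry and SANs; you will compare the thumbprint against what the
# LDAPS endpoint presents, and Secure LDAP stops working when NotAfter passes.
$cert | Select-Object Thumbprint, NotAfter, @{n='SAN'; e={ $_.DnsNameList.Unicode -join ', ' }}
```

Keep the .pfx and its password out of shared folders and ticketing systems; once the upload succeeded, the only copy of the private key that needs to exist is the one inside Azure AD Domain Services.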

Now go back to the Azure AD Domain Services page in your webbrowser and upload your certificate. Fill in your password.

It will take between 10 and 15 minutes for this to finish. When it’s done you need to enable “Allow Secure LDAP access over the internet”; this will also take some time.

Note: when you enable “Allow Secure LDAP access over the internet”, port 636 on the managed domain’s public IP is reachable from anywhere, and anyone can try passwords against your directory over it. The resources deployed with Azure AD Domain Services include a network security group on its virtual network. Use it to lock down the public IP so that only the public (egress) IP of your internal servers can reach it on the Secure LDAP port.

From the side menu select the Resource group you used for Azure AD Domain Services.

Find the Network security group. And click it.

Select Inbound security rules, and add a new rule.

In Source choose “IP Addresses” and enter the public IP of the servers that should reach this service; in this case the Uniflow server. For the rest: Source port ranges “*”, Destination “Any”, Destination port ranges “636”, Protocol “TCP”, Action “Allow”, a priority that doesn’t collide with the existing rules, and a descriptive name. Don’t edit or delete the rules that were already there; Azure AD Domain Services needs them for its own management traffic.
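Doing the same lockdown with the Az PowerShell module instead of the portal, as an added example that is not part of the original post. The resource group name, NSG name, rule priority and the uniFLOW server’s public IP are assumptions. It also removes any existing inbound rule that allows TCP 636 from “*” or “Internet”, which is exactly the exposure the note above warns about, and leaves every other rule, including the ones the service created for its own management, untouched.

```powershell
# Added example (not from the original post): restrict inbound TCP 636 on the AAD DS NSG
# to the uniFLOW server's public IP with Az.Network. Run after Connect-AzAccount.
# Every value marked "assumption" is a placeholder for your environment.
$resourceGroup = 'rg-aadds'               # assumption: resource group holding the managed domain
$nsgName       = 'aadds-nsg'              # assumption: the NSG deployed with the managed domain
$uniflowIp     = '198.51.100.25/32'       # assumption: public IP the uniFLOW server egresses from
$ruleName      = 'AllowLDAPS-uniFLOW'
$priority      = 401                      # assumption: a free priority (lower = evaluated first)

$nsg = Get-AzNetworkSecurityGroup -Name $nsgName -ResourceGroupName $resourceGroup

# Any existing Allow rule for 636 from "*" or "Internet" is the brute-force exposure;
# drop those (and only those). Rules for other ports, including the management rules
# AAD DS created for itself, are not touched.
$wideOpen = $nsg.SecurityRules | Where-Object {
    $_.Direction -eq 'Inbound' -and $_.Access -eq 'Allow' -and
    $_.DestinationPortRange -contains '636' -and
    ($_.SourceAddressPrefix -contains '*' -or $_.SourceAddressPrefix -contains 'Internet')
}
foreach ($rule in $wideOpen) {
    Write-Warning "Removing wide-open LDAPS rule '$($rule.Name)' (source: $($rule.SourceAddressPrefix -join ','))"
    $nsg = Remove-AzNetworkSecurityRuleConfig -Name $rule.Name -NetworkSecurityGroup $nsg
}

# Add the narrow rule once; re-running the script must not create duplicates.
if (-not ($nsg.SecurityRules | Where-Object Name -eq $ruleName)) {
    $nsg = Add-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name $ruleName `
        -Description 'Secure LDAP from the uniFLOW print server only' `
        -Access Allow -Protocol Tcp -Direction Inbound -Priority $priority `
        -SourceAddressPrefix $uniflowIp -SourcePortRange '*' `
        -DestinationAddressPrefix '*' -DestinationPortRange 636
}

# Nothing is applied until the modified NSG object is pushed back.
$nsg = Set-AzNetworkSecurityGroup -NetworkSecurityGroup $nsg

# Show the result: the only inbound 636 rule should now carry the uniFLOW IP as source.
$nsg.SecurityRules | Where-Object Direction -eq 'Inbound' | Sort-Object Priority |
    Select-Object Priority, Name, Access,
        @{n='Source';   e={ $_.SourceAddressPrefix -join ',' }},
        @{n='DstPorts'; e={ $_.DestinationPortRange -join ',' }} | Format-Table -AutoSize
```

If the uniFLOW server sits behind NAT, the source must be the address the Azure side actually sees (the NAT’s public IP), not the server’s private address; a quick check is to look up the public IP from the print server itself before filling in $uniflowIp.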

Now it’s time to install the certificate on the uniFLOW server and set up the LDAP import from Azure AD Domain Services.

On your print server: open MMC and add the certificate snap-in. Select “computer account” and then “Local computer”

Browse to “Trusted Root Certification Authorities” and add the certificate that you exported previously without the private key (the .cer file).

Right click on “Certificates” and click “All Tasks -> Import”.

Click “Next”.

Select your certificate (the one without the private key) and click “Open”.

Select “Place all certificates in the following store”; the certificate store should be “Trusted Root Certification Authorities”. Then click “Next”.

Then click “Finish”.

You should now see the certificate in the store.

For uniFLOW to read from Azure AD Domain Services it needs an account for the LDAP bind. When the managed domain was created, Azure AD also got a group called “AAD DC Administrators”; its members are administrators of the managed domain (they can manage domain-joined VMs and Group Policy there). Any user in the managed domain can bind over LDAP and read user objects, so membership of that group is not what makes the queries work. Adding the service account to it works, but it hands managed-domain admin rights to credentials that are stored on the print server; a plain user account is the least-privilege choice. In this example I just made a regular cloud only user. So go to your AAD and make a new user. Create it (or reset its password) after Azure AD Domain Services was enabled, because the password hash the managed domain needs for an LDAP bind only exists for passwords set from that point on. Remember the password, you will need it later on the Uniflow server.

Now we need to add UPN as an identity type in uniFLOW. Click on “Server Config”, then “General Settings”, and select “Identity Types”.

Then click on “Add Identity Type”.

Then select “Email Address” as the Identity Category and type “UPN” into the two remaining fields.

Now, open your uniFLOW Server Configuration website and click “Connections”, then “LDAP”.

Create a new LDAP connection by pressing the “flower” symbol in the right upper corner.

In the “General” tab you need to configure the following options

  • Name – give the LDAP connection a name of your choosing.
  • uniFLOW Server – select “All” or the specific uniFLOW server that should run this task.
  • LDAP Server Name – enter the public IP address of your Azure AD Domain Services instance (the one you put in the certificate) and append /V3 to force protocol version 3. uniFLOW defaults to LDAP version 2 if you don’t specify it, and Azure AD Domain Services only supports version 3. Choose port 636, the default port for Secure LDAP, so the bind credentials travel inside TLS.
  • Enter the username and password for the service account you created earlier, and click “Test connection to LDAP Server!”. This may take some time depending on how many objects you have. If it fails, the usual suspects are the NSG rule, the certificate not being in the server’s Trusted Root store, and the username format.
  • LDAP Directory Name (Distinguished) – this usually populates itself, but you should scope it down to the “AADDC Users” OU, which is where Azure AD Domain Services places synchronized users (OU=AADDC Users, followed by the DC components of your managed domain).
  • Optional LDAP Filter Expressions – narrow the search further, for example:
(&(objectCategory=person)(objectClass=user)(title=teacher)(userPrincipalName=*@your-tenant-domain))

(objectCategory=person) is there because computer accounts also carry objectClass=user; (title=teacher) keeps only users with that attribute value; the last clause keeps only accounts whose UPN ends with your tenant’s domain. Replace your-tenant-domain with the DNS domain of the UPNs you want to import, and adjust the rest to your preferences.

On the “Field Scheme” tab you choose which LDAP attributes to pull and how they map to uniFLOW values. You should configure at least the following:

  • UPN {userPrincipalName}
  • SMTP Mail Address – {mail}
  • NAME – {displayName}
  • LDAP Login – {mail}

You can configure this to your own liking, this is just an example.
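Before relying on the connector’s “Test connection” button, it is worth reproducing the bind and query from the print server in PowerShell, so a failure can be pinned to TLS, credentials or the filter. The block below is an added example, not from the original post or from uniFLOW: it imports the .cer into the machine’s Trusted Root store (what the MMC steps above do), binds over LDAPS as the service account, pins the server certificate to the exported .cer, and runs the same kind of filter and attribute list as the field scheme. The IP, file path, account name, base DN and tenant domain are assumptions.

```powershell
# Added example (not from the original post or from uniFLOW): import the public cert,
# then bind and search over Secure LDAP the way the uniFLOW connector will.
# Every value marked "assumption" is a placeholder for your environment.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$ldapHost  = '203.0.113.10'                                    # assumption: AAD DS public IP
$cerPath   = 'C:\certs\aadds-ldaps.cer'                        # assumption: the .cer WITHOUT private key
$bindUser  = 'svc-uniflow-ldap@yourtenant.onmicrosoft.com'     # assumption: service account UPN
$baseDn    = 'OU=AADDC Users,DC=yourtenant,DC=onmicrosoft,DC=com'  # assumption: managed domain DN
$upnSuffix = 'yourtenant.onmicrosoft.com'                      # assumption: UPN domain to import

# What the MMC steps do: trust the public cert machine-wide so the uniFLOW service can
# validate the LDAPS endpoint. Needs an elevated prompt.
Import-Certificate -FilePath $cerPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
$expected = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cerPath)

$cred = Get-Credential -UserName $bindUser -Message 'Service account password'

$id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($ldapHost, 636, $false, $false)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
$conn.SessionOptions.SecureSocketLayer = $true
$conn.SessionOptions.ProtocolVersion   = 3     # AAD DS is LDAPv3 only; this is the /V3 in uniFLOW
$conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
$conn.Credential = $cred.GetNetworkCredential()

# Pin the server certificate to the one exported from AAD DS. A self-signed cert has no CA
# chain to walk, so "is it the exact certificate I uploaded" is the check; a stale cert or
# an interposed endpoint fails the bind instead of silently receiving the password.
$conn.SessionOptions.VerifyServerCertificate = {
    param($connection, $certificate)
    $presented = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certificate)
    return ($presented.Thumbprint -eq $expected.Thumbprint)
}.GetNewClosure()

$conn.Bind()    # throws LdapException on wrong credentials, TLS failure or a blocked port
Write-Host "Bind OK as $bindUser"

# Same shape as the connector's filter: (objectCategory=person) drops computer objects,
# which also have objectClass=user; the UPN clause keeps only your tenant's accounts.
$filter = "(&(objectCategory=person)(objectClass=user)(userPrincipalName=*@$upnSuffix))"
$attrs  = 'userPrincipalName', 'mail', 'displayName'    # the attributes mapped in Field Scheme
$scope  = [System.DirectoryServices.Protocols.SearchScope]::Subtree
$req    = New-Object System.DirectoryServices.Protocols.SearchRequest($baseDn, $filter, $scope, $attrs)
$resp   = [System.DirectoryServices.Protocols.SearchResponse]$conn.SendRequest($req)

# One row per user with the value each uniFLOW field would receive; an empty Mail column
# means that user will not get an SMTP address (or LDAP Login) in uniFLOW.
$resp.Entries | ForEach-Object {
    [pscustomobject]@{
        UPN  = $_.Attributes['userPrincipalName'][0]
        Mail = $_.Attributes['mail'][0]
        Name = $_.Attributes['displayName'][0]
    }
} | Format-Table -AutoSize
$conn.Dispose()
```

A single SearchRequest returns at most the server’s page size (1000 objects by default in Active Directory), so for a large directory add a PageResultRequestControl to the request; the uniFLOW task does its own paging, the point here is only to confirm that the bind, the certificate and the filter behave before the connector is saved.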

When you are done, click “Save + Back”.

Now we need to run the LDAP task: click “Server Config” then “Tasks”.

Then create a new task

On the “General” tab give the task a name and optionally make it run on a schedule. Before you schedule it, run it once by hand and check that you get all the objects and values you expect.

On the “Special” tab you configure the behaviour of the task: which LDAP connectors it should consider, and so on.

Choose the options that fit your needs, but if you have more than one LDAP connector configured, you should probably select only the AADDS one for this task. When done, click “Save + Back”.

Then click the “Run” button, your uniFLOW server should start to populate with objects. This may take some time.

Sources: Microsoft Docs, Uniflow Docs

That’s it! In Part 2 I will show you what you need to do on the client operating system, and cover how uniFLOW identifies print jobs from cloud-only users.