Error: Two disks have been found on node node1 that cannot be distinguished from one another

I was trying to create a failover cluster in Windows Server 2012 R2 (Creating a Windows Server 2012 R2 Failover Cluster using StarWind iSCSI SAN v8) and I ran the “Validate Configuration…”.  Once validation was complete, the validation report gave me the Error:

Two disks have been found on node node1 that cannot be distinguished from one another. The disks involved have disk signature <Signature>, SCSI page 83h VPD descriptor <GUID>, SCSI page 80h VPD Serial Number <Serial Number>. Please verify the storage configuration. You must either mask (unpresent, detach) one of these LUNs at this node, or, run validation and specify a disk list that includes only one of these disks, for example by using the Test-Cluster cmdlet in Windows PowerShell

After searching all over, I finally found an article that pointed me in the right direction:

Windows Server 2012 / 2008R2 with iSCSI error 80 or 83 VPD [http://culmor.blogspot.com/2013/03/windows-server-2012-2008r2-with-iscsi.html]

This article didn’t have my fix, but it did state that “The error probably relates to your MPIO configuration”.  That’s when I found two listings in my iSCSI Initiator’s Favorite Targets screen.  I removed one of the listings and bam!…Error gone.

[Image: iSCSI Initiator, Favorite Targets screen]

The issue for me turned out to be that I had multiple virtual adapters (vNICs) that pointed to the SAN provider.  By removing one of them, it removed the duplicate SAN devices.

 

Multi-Factor Authentication & SharePoint

WHY MULTI-FACTOR AUTHENTICATION

Multi-Factor authentication is long overdue for most internet-facing sites, as most of them today are insecure in their implementations, relying on single factor authentication.  Bad actors have long found ways to intercept identities and passwords (due to lax password rules and policies, identity breaches, spyware, and social engineering), making single factor authentication insufficient security for most organizations in today’s world.

Most internet-facing SharePoint sites never had to worry too much about this, as most traditional on premise internet-facing SharePoint implementations are extranet sites using reverse proxy solutions with AD identities.  These identities most often had stronger passwords, policies, and encryption…buffering them from most bad actor efforts.  They are, however, still vulnerable to identity breaches, spyware, and social engineering attacks.

However, things are changing…

Going forward, most SharePoint sites will be public facing in some form or another.  For example, Claims authentication could be delegated to Facebook or LinkedIn, or (as of SharePoint 2013 SP1) on premise users can have access to OneDrive.  They may be using provider-hosted SharePoint Apps that are hosted in the cloud, the SharePoint farms might be a hybrid implementation utilizing Office 365, or they may even exist entirely in a cloud infrastructure such as Azure.  Sure, Microsoft has built security using standards that are effective and secure for single factor authentication, but this doesn’t stop bad actors from breaking security using identity breaches, spyware, and social engineering.  This is where multi-factor authentication shines.

Forcing users not only to enter identity information but also to validate it over another communications method, such as SMS, email, or even voice calls (among others), prevents most identity breach, spyware, and social engineering type attacks from succeeding, because a stolen password alone is no longer enough.  This is becoming more and more important as more of our information (including personally identifiable information [PII]) continues to move to the cloud, including information in SharePoint.

 

IMPLEMENTATION OPTIONS FOR ON PREMISE MULTI-FACTOR AUTHENTICATION

So the next step is to figure out how to implement Multi-Factor authentication for an on premise SharePoint site.  Currently I can only see four options (if you know of others, please notify me):

 

Option 1: Use simple Azure Multi-Factor authentication

This will require that you store your user identities in AD on Azure. This is usually a non-starter for most organizations, as they typically store their identities in on premise AD.  There are ways to perform AD syncing in order to replicate on premise identities in the cloud, but this is neither simple nor, in most cases, free of governance issues.

This is the approach I would use if it were OK to store user identities in Azure AD, as in typical Office 365 scenarios.

See Multi-Factor Authentication documentation for details: http://azure.microsoft.com/en-us/documentation/services/multi-factor-authentication/

 

Option 2: Use ADFS

ADFS will authenticate based on user certificates from the local certificate store or claims providers. This will, however, require extensive configuration of ADFS and implementation of a trusted identity provider inside SharePoint.  This may get simpler in the next version of Windows Server.

As it stands today, this should only be chosen for non-cloud-based Single Sign On applications, and not for simpler scenarios such as typical Multi-Factor authentication, due to the complexity of the implementation.  If, however, you want to implement the secondary authentication method via a 3rd party secure provider (such as RSA SecurID), this is likely the approach you should take.

See Under the hood tour on Multi-Factor Authentication in ADFS for details: http://blogs.msdn.com/b/ramical/archive/2014/01/30/under-the-hood-tour-on-multi-factor-authentication-in-ad-fs-part-1-policy.aspx

 

Option 3: Implement forms authentication and customize the login page to implement Multi-Factor authentication

First you authenticate the user against your favorite identity store (such as AD or the ASP.NET membership provider), and then you use custom logic for SMS, email, or voice call authentication.  A team of skilled developers should be able to implement this; however, you will need a provider service to send and receive the secondary authentication communications.

This should be the solution if you want to implement Multi-Factor authentication in-house only.
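The "custom logic" step of Option 3, shown as an added example (this is not code from the original post or from SharePoint): a one-time code challenge that the login page would create after the first factor succeeds and keep in server-side state. The class and member names, the 5-minute lifetime and the 5-attempt limit are assumptions, and handing the code to the SMS/email/voice provider is left to the caller.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added illustration: all type and member names here are hypothetical.
public sealed class SecondFactorChallenge
{
    private const int MaxAttempts = 5;                                   // assumed policy
    private static readonly TimeSpan Lifetime = TimeSpan.FromMinutes(5); // assumed policy

    private readonly byte[] _key = new byte[32];   // per-challenge HMAC key
    private readonly byte[] _codeMac;              // only a MAC of the code is kept
    private readonly DateTime _expiresUtc;
    private int _attemptsLeft = MaxAttempts;
    private bool _used;

    // Creates a challenge; 'code' is what the SMS/email/voice provider delivers.
    public SecondFactorChallenge(DateTime nowUtc, out string code)
    {
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(_key);
            var buf = new byte[4];
            uint n;
            // Rejection sampling keeps the 6-digit code uniformly distributed.
            do { rng.GetBytes(buf); n = BitConverter.ToUInt32(buf, 0); }
            while (n >= 4294000000u);  // largest multiple of 1,000,000 below 2^32
            code = (n % 1000000u).ToString("D6");
        }
        _codeMac = Mac(code);
        _expiresUtc = nowUtc + Lifetime;
    }

    // Call only after the first factor (AD / membership provider) has succeeded.
    public bool Verify(string submitted, DateTime nowUtc)
    {
        if (_used || nowUtc > _expiresUtc || _attemptsLeft <= 0) return false;
        _attemptsLeft--;                            // count the attempt before comparing
        byte[] mac = Mac(submitted ?? string.Empty);
        int diff = 0;                               // constant-time comparison
        for (int i = 0; i < mac.Length; i++) diff |= mac[i] ^ _codeMac[i];
        if (diff != 0) return false;
        _used = true;                               // single use: a replayed code is rejected
        return true;
    }

    private byte[] Mac(string s)
    {
        using (var h = new HMACSHA256(_key)) return h.ComputeHash(Encoding.UTF8.GetBytes(s));
    }
}
```

The instance is not thread-safe; a login page that can receive parallel requests for the same session should serialize calls to `Verify`.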

 

Option 4: Implement an Azure Multi-Factor Authentication Server in your on premise environment and use the Azure Multi-Factor Authentication Service

This is really a combination of options 1 and 3.  It uses Azure for the Multi-Factor Authentication Service (in Azure) and it uses the Azure Multi-Factor Authentication Server (on premise install on a server with internet access).  The benefit here is that you don’t have to do custom development or maintain any code.  Rather you perform a server installation and configuration only.

This should be the solution if you want to implement Multi-Factor authentication with no development involved using user identities in your on premise AD store.  This is also the solution if you are considering cloud based Single Sign On applications.

Below is an overview of how the process would work:

[Image: Azure Multi-Factor Authentication, on premise overview]

 

See Enabling Multi-Factor Authentication for On-Premises Applications and Windows Server for details: http://technet.microsoft.com/en-au/library/dn249467.aspx

 

In most on premise SharePoint use cases, Option 4 will be the best solution…

SharePoint 2010/2013 Single-Multi Server Installation using AutoSPInstallerGUI

We’ve all heard of and many of us have used AutoSPInstaller for provisioning SharePoint servers and farms.  Yet until now, I never heard of AutoSPInstallerGUI.  This amazes me as it significantly simplifies script based implementations of SharePoint servers and farms.  Here is a great walk-through…

http://sharepoint-community.net/profiles/blogs/sharepoint-2010-2013-single-multi-server-installation-using

SharePoint 2013 and Office 365 with Yammer Integration

Service Pack 1 for SharePoint 2013 introduced Office 365 for MySites/OneDrive for Business and Yammer integration. This is a simple post detailing how an administrator would go about setting this functionality up.

http://thesharepointfarm.com/2014/02/new-surface-features-sharepoint-2013-sp1/

The Expense of Application Pools

The advice for SharePoint in terms of configuring Application Pools has changed over time. Back in 2007, everything was to be separate (within various limits). Or for “security purposes”, Service Applications had to run under unique identities. But starting late into SharePoint 2010’s lifecycle, with the increased use of BPOS and eventually SharePoint Online in Office 365, Microsoft changed their tune telling us that less was far better. One thing I hadn’t seen was why it was better, and I was surprised by the results. Less really is better!

http://thesharepointfarm.com/2014/08/expense-application-pools/

What is the SharePoint Configuration Cache?

Clearing the Configuration Cache (aka Timer Job Cache) seems like the panacea of SharePoint fixes. While we’re told to do this, it often comes with a lack of understanding of what the Configuration Cache actually is. This post also explores the inner workings of the Configuration Cache.

http://thesharepointfarm.com/2014/02/what-is-the-sharepoint-configuration-cache/