From 1964c5f58c3e7e748e2d972ce1d158e018075e44 Mon Sep 17 00:00:00 2001 From: timahenning Date: Wed, 1 Jun 2022 06:12:21 -0700 Subject: [PATCH] Removed some trailing spaces. --- ...fore the hands-on lab - Hybrid identity.md | 19 ++--- .../HOL step-by step - Hybrid identity.md | 77 +++++++++--------- README.md | 3 +- .../WDS student guide - Hybrid identity.md | 28 +++---- .../WDS trainer guide - Hybrid identity.md | 43 +++++----- ...rainer presentation - Hybrid identity.pptx | Bin 4482252 -> 4482244 bytes 6 files changed, 83 insertions(+), 87 deletions(-) diff --git a/Hands-on lab/Before the hands-on lab - Hybrid identity.md b/Hands-on lab/Before the hands-on lab - Hybrid identity.md index 9dab811..d25fdc5 100644 --- a/Hands-on lab/Before the hands-on lab - Hybrid identity.md +++ b/Hands-on lab/Before the hands-on lab - Hybrid identity.md @@ -12,7 +12,6 @@ Before the hands-on lab setup guide [May 2022] - Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. @@ -56,13 +55,13 @@ Microsoft and the trademarks listed at focusing on its integration with Active Directory and its B2B capabilities. ### Task 2: Validate the role in the Azure subscription -1. Log in to the Azure portal at , select **All services**. Then search for and select **Subscriptions**. +1. Log in to the Azure portal at , and select **All services**. Then search for and select **Subscriptions**. ![In this screenshot, the Azure portal is depicted with 'sub' typed into the search bar and 'subscriptions' highlighted in the results.](images/Hands-onlabstep-bystep-HybridIdentityImages/media/SelectSubscriptions.png "Search for and select Subscriptions in the Azure portal") @@ -152,7 +151,7 @@ Timeframe: 150 minutes Invoke-Command -ComputerName $vmNames {Set-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -Name "ConsentPromptBehaviorAdmin" -Value 00000000} ``` - > **Note:** To run multiple PowerShell scripts in the same file, you can highlight a specific portion of the script and select **Run Selection** next to the green play button. + > **Note:** To run multiple PowerShell scripts in the same file, you can highlight a specific portion of the script and select **Run Selection** next to the green play button. ![In this screenshot, the PowerShell is depicted with the script listed above pasted in.](images/Hands-onlabstep-bystep-HybridIdentityImages/media/PSScript.png "PowerShell with the script pasted into it") @@ -254,17 +253,17 @@ Timeframe: 150 minutes !["Select additional tasks screen in the Visual Studio Code installer with all checkboxes selected."](images/Hands-onlabstep-bystep-HybridIdentityImages/media/vscodeadditionaltasks.png "Visual Studio Code installer with all options selected") -11. Within the Remote Desktop session to **DC1**, start File Explorer, navigate to the folder where you downloaded both files, right-click on the file **CreateDemoUsers.ps1**, select **Properties**, in the **CreateDemoUsers.ps1 Properties** dialog box, check the **Unblock** checkbox and select **OK**. +11. Within the Remote Desktop session to **DC1**, start File Explorer, navigate to the folder where you downloaded both files, right-click on the file **CreateDemoUsers.ps1**, select **Properties**, in the **CreateDemoUsers.ps1 Properties** dialog box, check the **Unblock** checkbox, and select **OK**. 12. Within the File Explorer window, right-click on the file **CreateDemoUsers.ps1** again and select **Open with Code**. 13. Close the **Get Started** tab in Visual Studio Code and then click to install the PowerShell extension. - !["Visual Studio Code with the Get Started tab open and the popup to install PowerShell. The x to close the Get Started Tab and the Install button for the PowerShell extension are both highlighted."](images/Hands-onlabstep-bystep-HybridIdentityImages/media/vscode-getstarted.png "Visual Studio Code Get Started") + !["Visual Studio Code with the Get Started tab open and the pop-up to install PowerShell. The x to close the Get Started Tab and the Install button for the PowerShell extension are both highlighted."](images/Hands-onlabstep-bystep-HybridIdentityImages/media/vscode-getstarted.png "Visual Studio Code Get Started") -14. In the resulting popup window, select **Trust Workspace & Install** +14. In the resulting pop-up window, select **Trust Workspace & Install** - !["The popup to trust the workspace and install the PowerShell extension in Visual Studio Code. The Trust Workspace and Install button is selected."](images/Hands-onlabstep-bystep-HybridIdentityImages/media/vscode-powershell.png "Visual Studio Code Trust Workspace & Install") + !["The pop-up to trust the workspace and install the PowerShell extension in Visual Studio Code. The Trust Workspace and Install button is selected."](images/Hands-onlabstep-bystep-HybridIdentityImages/media/vscode-powershell.png "Visual Studio Code Trust Workspace & Install") 15. In the **Visual Studio Code** window, change line **148** from: @@ -278,7 +277,7 @@ Timeframe: 150 minutes $UserCount = 2500 #Up to 2500 can be created ``` -16. In **Visual Studio Code**, save the change. Then, in **Windows PowerShell**, run the **CreateDemoUsers.ps1** script to create a lab environment organizational unit hierarchy and populate it with test user accounts. +16. In **Visual Studio Code**, save the change. Then, in **Windows PowerShell**, run the **CreateDemoUsers.ps1** script to create a lab environment organizational unit hierarchy, and populate it with test user accounts. 17. Within the **Windows PowerShell** window, run the following script to modify the settings of the AD user accounts you will use in this lab: @@ -302,7 +301,7 @@ Timeframe: 150 minutes Get-ADGroup -Identity 'Enterprise Admins' | Add-ADGroupMember -Members 'CN=Ayers\, Ann,OU=NJ,OU=US,OU=Users,OU=Demo Accounts,DC=corp,DC=contoso,DC=com' ``` -18. Within the **Windows PowerShell** window, add the following script to the script pane, and run it to create additional organizational units named **Servers** and **Clients** and move the **APP1** computer account to the first of them: +18. Within the **Windows PowerShell** window, add the following script to the script pane, and run it to create additional organizational units named **Servers** and **Clients**, and move the **APP1** computer account to the first of them: ```pwsh New-ADOrganizationalUnit -Name 'Servers' -Path 'OU=Demo Accounts,DC=corp,DC=contoso,DC=com' diff --git a/Hands-on lab/HOL step-by step - Hybrid identity.md b/Hands-on lab/HOL step-by step - Hybrid identity.md index 28d41b7..d462a9a 100644 --- a/Hands-on lab/HOL step-by step - Hybrid identity.md +++ b/Hands-on lab/HOL step-by step - Hybrid identity.md @@ -78,7 +78,7 @@ Microsoft and the trademarks listed at **Note**: You will configure attribute-level filtering before enabling the synchronization process. - > **Note**: Installation should take about 2 minutes. 25. On the **Configuration complete** page, select **Exit**. @@ -480,7 +479,7 @@ In this task, you will install Azure AD Connect. ### Task 7: Enable Active Directory Recycle Bin -In this task, you will enable Recycle Bin in the Contoso Active Directory domain. +In this task, you will enable Recycle Bin in the Contoso Active Directory domain. 1. Within the Remote Desktop session to **DC1**, on the Tools menu in the Server Manager console, start **Active Directory Administrative Center**. @@ -556,7 +555,7 @@ In this task, you will configure Azure AD Connect attribute level filtering that 7. When presented with a **Warning** dialog box displaying that message stating that **A full import and full synchronization will be run on 'corp.contoso.com' during your next synchronization cycle**, select **OK**. - > **Note**: This should bring you back to the View and manage your synchronization rules interface, with the new rule listed at the top of the rule list. + > **Note**: This should bring you back to the View and manage your synchronization rules interface, with the new rule listed at the top of the rule list. ![In this screenshot, the synchronization rules editor with the newly created Custom in from AD - UPN Filter rule is highlighted.](images/2020-04-27-23-44-31.png "View new rule") @@ -716,7 +715,7 @@ In this task, you will configure Azure AD Connect device synchronization options 7. Switch back to the Remote Desktop session to **APP1** and start a **Command Prompt**. -8. From the Command Prompt window, check the Azure AD registration status of APP1 by running the following: +8. From the Command Prompt window, check the Azure AD registration status of APP1 by running the following: ```txt dsregcmd /status @@ -799,9 +798,9 @@ In this exercise, you will optimize authentication, authorization, and access co In this task, you will create and configure Active Directory groups that will be used to control authentication, authorization, and access control and synchronize them to the Contoso Azure AD tenant. -1. Within the Remote Desktop session to **DC1**, on the **Server Manager** window, under **Tools**, start the **Active Directory Users and Computers** console. +1. Within the Remote Desktop session to **DC1**, on the **Server Manager** window, under **Tools**, start the **Active Directory Users and Computers** console. -2. In the **Active Directory Users and Computers** console, expand **corp.contoso.com** on the left and navigate to **Demo Accounts > Groups**. +2. In the **Active Directory Users and Computers** console, expand **corp.contoso.com** on the left and navigate to **Demo Accounts > Groups**. ![In this screenshot, the Active Directory Users and Computers console is depicted with the left navigation expanded to 'corp.contoso.com' > 'Demo Accounts' > 'Groups' with 'Groups' selected.](images/Hands-onlabstep-bystep-HybridIdentityImages/media/NodeNavigation.png "Navigate to DemoAccounts > Groups in Active Directory Users and Computers") @@ -929,7 +928,7 @@ This task will enable password writeback and Self-Service Password Reset (SSPR) In this task, you will implement Azure AD password protection for Windows Server Active Directory. -1. Within the Remote Desktop session to **DC1**, on the **Server Manager** window, under **Tools**, start the **Group Policy Management** console. +1. Within the Remote Desktop session to **DC1**, on the **Server Manager** window, under **Tools**, start the **Group Policy Management** console. 2. In the **Group Policy Management** console, navigate to **Forest: corp.contoso.com > Domains > corp.contoso.com** on the left, right-click **Default Domain Policy** and select **Edit**. @@ -937,7 +936,7 @@ In this task, you will implement Azure AD password protection for Windows Server 3. In the **Group Policy Management Editor**, navigate to **Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Account Lockout Policy**. -4. Set the value of the **Account lockout threshold** to **10**, select **OK**, and accept the settings in the **Suggested Value Changes**. +4. Set the value of the **Account lockout threshold** to **10**, select **OK**, and accept the settings in the **Suggested Value Changes**. ![In this screenshot, the Group Policy Management Editor is depicted with the 'Account lockout threshold properties' dialog open with the required settings selected and the 'Suggested Value Changes' dialog open with the OK button selected.](images/Hands-onlabstep-bystep-HybridIdentityImages/media/AzureADPasswordProtectionPolicy_ADLockout.png "Group policy management") @@ -1002,7 +1001,7 @@ In this task, you will implement Azure AD password protection for Windows Server Register-AzureADPasswordProtectionForest -AccountUpn 'john.doe@.onmicrosoft.com' ``` -18. Switch to the Remote Desktop session to the **DC1** virtual machine, where you are signed in as the user **CORP\demouser** with the **demo@pass123** password. +18. Switch to the Remote Desktop session to the **DC1** virtual machine, where you are signed in as the user **CORP\demouser** with the **demo@pass123** password. 19. Within the Remote Desktop session to **DC1**, start the Edge browser and navigate to the **Azure AD Password Protection for Windows Server Active Directory** page at the URL below. Select **Download** under **Azure AD Password Protection for Windows Server Active Directory**. Download and install **AzureADPasswordProtectionProxySetup.exe** with the default options. @@ -1016,7 +1015,7 @@ In this task, you will implement Azure AD password protection for Windows Server In this task, you will enable Azure AD Identity Protection. -1. After **DC1** reboots, connect to **DC1** via Remote Desktop. When prompted to sign in, use the **demouser** name with the **demo\@pass123** password. +1. After **DC1** reboots, connect to **DC1** via Remote Desktop. When prompted to sign in, use the **demouser** name with the **demo\@pass123** password. 2. Within the Remote Desktop session to **DC1**, start the Edge browser and navigate to the Azure portal at the URL below: @@ -1190,7 +1189,7 @@ In this task, you will implement Azure AD Conditional Access Policies. ![In this screenshot, the New blade of the Azure portal is depicted with the '0 controls selected' button selected and the Grant blade open with the required options chosen along with the Select button.](images/Hands-onlabstep-bystep-HybridIdentityImages/media/AzureADConditionalAccess_AccesscontrolsGrant.png "Access controls Grant settings") -30. Back on the **New** blade, in the **Access controls** section, select **0 controls selected** under **Session**. +30. Back on the **New** blade, in the **Access controls** section, select **0 controls selected** under **Session**. 31. Review the **Session** blade settings but do not modify them. Close it when you are finished. @@ -1200,7 +1199,7 @@ In this task, you will implement Azure AD Conditional Access Policies. 33. Back on the **Conditional Access - Policies** blade, select **What If**. -34. On the **What If** blade, specify the following settings and select **What If**: +34. On the **What If** blade, specify the following settings, and select **What If**: - User: **Teresa F. Bell** @@ -1288,7 +1287,7 @@ Duration: 90 minutes **Overview** -In this exercise, you will configure access to an on-premises Integrated Windows Authentication app (implemented as the default IIS website) from the internet by installing and configuring Azure AD Application Proxy. You will test access to this application by using a Contoso Azure AD tenant user account and using a Fabrikam Azure AD tenant user account configured as a guest account in the Contoso Azure AD tenant. +In this exercise, you will configure access to an on-premises Integrated Windows Authentication app (implemented as the default IIS website) from the internet by installing and configuring Azure AD Application Proxy. You will test access to this application by using a Contoso Azure AD tenant user account and using a Fabrikam Azure AD tenant user account configured as a guest account in the Contoso Azure AD tenant. ### Task 1: Install and configure Azure AD Application Proxy @@ -1320,7 +1319,7 @@ In this task, you will configure an Azure AD Application Proxy application. 1. On the **Contoso - Application proxy** blade, select **+ Configure an app**. -2. On the **Add your own on-premises application** blade, specify the following settings and select **+ Add**. +2. On the **Add your own on-premises application** blade, specify the following settings, and select **+ Add**. - Name: **APP1 Default Web Site** @@ -1354,7 +1353,7 @@ In this task, you will configure an Azure AD Application Proxy application. 5. On the **APP1 Default Web Site - Users and groups** blade, select **+ Add user/group**. -6. On the **Add Assignment** blade, specify the following settings and select **Assign**: +6. On the **Add Assignment** blade, specify the following settings, and select **Assign**: - Users and groups: **Engineering** @@ -1382,7 +1381,7 @@ In this task, you will configure an Azure AD Application Proxy application. > **Note**: The HTTP service class is one of the built-in services that act as an alias to the HOST SPN. For more information, refer to **How to use SPNs when you configure Web applications that are hosted on Internet Information Services** at . -11. Within the Remote Desktop session to **DC1**, in the Server Manager console, select **Tools** and then select **Active Directory Users and Computers**. +11. Within the Remote Desktop session to **DC1**, in the Server Manager console, select **Tools** and then select **Active Directory Users and Computers**. 12. In the **Active Directory Users and Computers** console, select **View** and, in the **View** menu, enable **Advanced Features**. @@ -1394,11 +1393,11 @@ In this task, you will configure an Azure AD Application Proxy application. 14. In the **DC1 Properties** window, switch to the **Delegation** tab and select the option **Trust this computer for delegation to specified services only**. -15. Select the option **Use any authentication protocol**, select **Add**, in the **Add Services** window, select **Users or Computers**. In the **Select Users or Computers** dialog box, in the **Enter the object names to select** text box, type **APP1**. Select **Check Names** to verify the name resolves, and select **OK**. +15. Select the option **Use any authentication protocol**, select **Add**, in the **Add Services** window, select **Users or Computers**. In the **Select Users or Computers** dialog box, in the **Enter the object names to select** text box, type **APP1**. Select **Check Names** to verify the name resolves, and select **OK**. ![In this screenshot, the 'DC1 Properties' window is depicted with the Delegation tab selected with the 'Trust this computer for delegation to specified services only' and 'Use any authentication protocol' options and the 'Add' button selected.](images/Hands-onlabstep-bystep-HybridIdentityImages/media/DelegationConfiguration.png "Delegation configuration") -16. In the **Add Services** window, select the **http** entry and select **OK**. +16. In the **Add Services** window, select the **http** entry and select **OK**. ![In this screenshot, 'Add Services' window is depicted with the 'http' entry selected along with the OK button.](images/Hands-onlabstep-bystep-HybridIdentityImages/media/AzureADApplicationProxy_Delegation_http.png "Delegation http") @@ -1418,7 +1417,7 @@ In this task, you will configure an Azure AD Application Proxy application. ### Task 4: Create an Azure Active Directory tenant and activate an EMS E5 trial -In this task, you will create another Azure Active Directory tenant representing the Fabrikam organization with the following settings: +In this task, you will create another Azure Active Directory tenant representing the Fabrikam organization with the following settings: - Organization name: **Fabrikam** @@ -1614,7 +1613,7 @@ In this task, you will create and configure Azure AD guest accounts in the Conto 12. When prompted, change the password for the **jane.doe** Fabrikam Azure AD user account. - > **Note**: If you receive the message **We've seen that password too many times before. Choose something harder to guess**; you'll need to modify the password until it is unique enough to be accepted. + > **Note**: If you receive the message, "**We've seen that password too many times before. Choose something harder to guess**", you will need to modify the password until it is unique enough to be accepted. 13. In the Azure portal, sign out from the Contoso Azure AD tenant and close the in private/incognito browser window. @@ -1742,11 +1741,11 @@ In this task, you will configure an Azure AD Application Proxy application for B Install-Module AzureAD ``` -33. Execute the script and ensure it did not return any error messages. +33. Execute the script and ensure it did not return any error messages. > **Note**: You can schedule script execution regularly by using Windows Scheduled Tasks. Refer to the **Readme - Script to pull Azure AD B2B users on-prem_v1.0.3.pdf** file for details. -34. Switch back to the Azure Active Directory Users and Computers console and verify that a user account of **jane.doe** is listed in the **Demo B2B Accounts\\Enabled** organizational unit. You may have to refresh the console. +34. Switch back to the Azure Active Directory Users and Computers console and verify that a user account of **jane.doe** is listed in the **Demo B2B Accounts\\Enabled** organizational unit. You may have to refresh the console. > **Note**: In a production environment, you could provide access to Integrated Windows Authentication apps by leveraging Microsoft Identity Manager. You can also give access to on-premises apps that support SAML-based authentication directly from the Azure portal. Refer to Grant B2B users in Azure AD access to your on-premises applications at for more information. @@ -1760,7 +1759,7 @@ In this task, you will configure an Azure AD Application Proxy application for B https://myapps.microsoft.com ``` -2. When prompted, sign in by using the **jane.doe** Fabrikam Azure AD user account. +2. When prompted, sign in by using the **jane.doe** Fabrikam Azure AD user account. 3. Once signed in, select the **Jane Fabrikam** icon in the upper right corner of the Application Access Panel page and, in the dropdown menu, select **Switch organization**. @@ -1859,7 +1858,7 @@ In this task, you will promote the newly created VM to a domain controller and c 10. Right-click the network connection icon on the taskbar to open the **Network and sharing center**. 11. Select **Ethernet** next to **Connections**. - + 12. When the **Ethernet Status** tile opens, select **Properties**. 13. On the **Ethernet Properties** tile, select **Internet Protocol Version 4 (TCP/IPv4)**, and select **Properties**. @@ -1874,7 +1873,7 @@ In this task, you will promote the newly created VM to a domain controller and c ![After the virtual machine restarts, select to promote the server by selecting the flag in the Server Manager, as shown in this screenshot.](images/Hands-onlabstep-bystep-HybridIdentityImages/media/promotedc.png "Promote the server to a DC") -17. Select **Add a domain controller to an existing domain**, select **Select**. +17. Select **Add a domain controller to an existing domain**, select **Select**. ![This screenshot shows the deployment configuration to add an existing domain by selecting select.](images/Hands-onlabstep-bystep-HybridIdentityImages/media/existingdomain.png "Add DC to an existing domain") @@ -1964,13 +1963,13 @@ In this task, you will install and configure Azure AD Connect in standby mode. T 11. Make sure the tab Connectors is still selected. Then, for each Connector with type **Active Directory Domain Services**, select **Run**, select **Delta Synchronization**, and **OK**. -12. Select the Connector with type **Azure Active Directory (Microsoft)**. Select **Run**, select **Delta Synchronization**, and **OK**. +12. Select the Connector with type **Azure Active Directory (Microsoft)**. Select **Run**, select **Delta Synchronization**, and **OK**. ### Task 4: Configure Azure AD Application Proxy for BDC-1 VM In this task, you will configure Azure AD Application Proxy for the BDC-1 VM. -1. Within the Remote Desktop session to **DC1**, in the Server Manager console, select **Tools** and then select **Active Directory Users and Computers**. +1. Within the Remote Desktop session to **DC1**, in the Server Manager console, select **Tools** and then select **Active Directory Users and Computers**. 2. In the **Active Directory Users and Computers** console, select **View** and, in the **View** menu, enable **Advanced Features**. @@ -1982,17 +1981,17 @@ In this task, you will configure Azure AD Application Proxy for the BDC-1 VM. 4. In the **BDC-1 Properties** window, switch to the **Delegation** tab and select the option **Trust this computer for delegation to specified services only**. -5. Select the option **Use any authentication protocol**, select **Add**, in the **Add Services** window, select **Users or Computers**, in the **Select Users or Computers** dialog box, in the **Enter the object names to select** text box, type **APP1** and select **OK**. +5. Select the option **Use any authentication protocol**, select **Add**, in the **Add Services** window, select **Users or Computers**, in the **Select Users or Computers** dialog box, in the **Enter the object names to select** text box, type **APP1** and select **OK**. ![In this screenshot, the 'DC1 Properties' window is depicted with the Delegation tab selected with the 'Trust this computer for delegation to specified services only' and 'Use any authentication protocol' options and the 'Add' button selected.](images/Hands-onlabstep-bystep-HybridIdentityImages/media/DelegationConfiguration2.png "Delegation configuration") -6. Back in the **Add Services** window, select the **http** entry and select **OK**. +6. Back in the **Add Services** window, select the **http** entry and select **OK**. ![In this screenshot, 'Add Services' window is depicted with the 'http' entry selected along with the OK button.](images/Hands-onlabstep-bystep-HybridIdentityImages/media/AzureADApplicationProxy_Delegation_http2.png "Delegation http") 7. In the **DC1 Properties** window, select **OK**. -**Summary** +**Summary** In this exercise, you installed and configured a backup domain controller, set it up for Azure AD Connect standby synchronization, and added redundancy with the Azure AD Connect pass-through agents and Application proxy. You have now configured a resilient and available hybrid identity architecture. @@ -2022,7 +2021,7 @@ In this exercise, you installed and configured a backup domain controller, set i **Lab summary** -In this hands-on lab, you set up and configured a number of different hybrid identity scenarios. The scenarios involved an Active Directory single-domain forest named corp.contoso.com in this lab environment consisted (for simplicity reasons) of a single domain controller named DC1 and a single domain member server named APP1. You explored Azure AD-related capabilities that allowed you to integrate Active Directory with Azure Active Directory, optimized hybrid authentication and authorization, and provided secure access to on-premises resources from the Internet for both organizational users and users who are members of partner organizations. +In this hands-on lab, you set up and configured a number of different hybrid identity scenarios. The scenarios involved an Active Directory single-domain forest named corp.contoso.com in this lab environment consisted (for simplicity reasons) of a single domain controller named DC1 and a single domain member server named APP1. You explored Azure AD-related capabilities that allowed you to integrate Active Directory with Azure Active Directory, optimized hybrid authentication and authorization, and provided secure access to on-premises resources from the Internet for both organizational users and users who are members of partner organizations. ## After the hands-on lab @@ -2032,4 +2031,4 @@ Duration: 20 Minutes 1. Now that the HOL is complete, delete all of the Resource Groups created for this HOL. You will no longer need those resources, and it will be beneficial to clean up your Azure Subscription. In addition, remove the verified domain from the Contoso Azure AD tenant. -You should follow all steps provided *after* attending the Hands-on lab. \ No newline at end of file +You should follow all steps provided *after* attending the Hands-on lab. diff --git a/README.md b/README.md index 0e3bd2c..6058d3f 100644 --- a/README.md +++ b/README.md @@ -1,7 +1,7 @@ # Hybrid identity Contoso is a medium size financial services company with its headquarters in New York and a branch office in San Francisco. It is currently operating entirely on-premises, with the majority of its infrastructure running on the Windows platform. Contoso has recently upgraded its Active Directory environment to Windows Server 2016, and it is in the process of migrating its desktops from Windows 7 to Windows 10. - + Contoso is facing challenges related to increased mobility of its workforce and providing access to its services to other financial partners. Contoso is looking to improve security while providing users with self-service capabilities around device, account, and password management. To drive better integration with partners, Contoso needs to provide access to some existing internal applications while maintaining a high level of security for applications hosted in the cloud and on premises while minimizing the effort required to manage customer identities. May 2022 @@ -62,6 +62,7 @@ In this hands-on lab you will setup and configure a number of different hybrid i We welcome feedback and comments from Microsoft SMEs & learning partners who deliver MCWs. ***Having trouble?*** + - First, verify you have followed all written lab instructions (including the Before the Hands-on lab document). - Next, submit an issue with a detailed description of the problem. - Do not submit pull requests. Our content authors will make all changes and submit pull requests for approval. diff --git a/Whiteboard design session/WDS student guide - Hybrid identity.md b/Whiteboard design session/WDS student guide - Hybrid identity.md index 82ec5a3..fc1b46a 100644 --- a/Whiteboard design session/WDS student guide - Hybrid identity.md +++ b/Whiteboard design session/WDS student guide - Hybrid identity.md @@ -28,7 +28,7 @@ Microsoft and the trademarks listed at - [Hybrid identity whiteboard design session student guide](#hybrid-identity-whiteboard-design-session-student-guide) - - [Abstract and learning objectives](#abstract-and-learning-objectives) +[Abstract and learning objectives](#abstract-and-learning-objectives) - [Step 1: Review the customer case study](#step-1-review-the-customer-case-study) - [Customer situation](#customer-situation) - [Customer needs](#customer-needs) @@ -44,11 +44,11 @@ Microsoft and the trademarks listed at | | Microsoft Enterprise Mobility + Security options | | | Windows authentication - Kerberos constrained delegation with Azure Active Directory | | -| Plan a passwordless authentication deployment in Azure Active Directory | | \ No newline at end of file +| Plan a passwordless authentication deployment in Azure Active Directory | | diff --git a/Whiteboard design session/WDS trainer guide - Hybrid identity.md b/Whiteboard design session/WDS trainer guide - Hybrid identity.md index 1bdbc98..4b9a54c 100644 --- a/Whiteboard design session/WDS trainer guide - Hybrid identity.md +++ b/Whiteboard design session/WDS trainer guide - Hybrid identity.md @@ -12,7 +12,6 @@ Whiteboard design session trainer guide May 2022 - Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. @@ -192,10 +191,10 @@ Directions: With all participants in the session, the facilitator/SME presents ### Customer situation -Contoso is a medium size financial services company with its headquarters in New York and a branch office in San Francisco. It is currently operating entirely on-premises, with majority of its infrastructure running on the Windows platform. +Contoso is a medium size financial services company with its headquarters in New York and a branch office in San Francisco. It is currently operating entirely on-premises, with majority of its infrastructure running on the Windows platform. Contoso is facing challenges related to increased mobility of its workforce. In particular, in order to drive down its office space costs, Contoso management is considering implementing a flexible work arrangement policy which would allow its employees to work on designated days from home, using either corporate- and employee-owned devices. However, the Contoso's Information Security team expressed concerns about insufficient controls that would prevent access from unauthorized or non-compliant systems. In addition, there are concerns regarding using traditional VPN technologies or DirectAccess, which tend to provide excessive access to on-premises infrastructure. - + **Existing Contoso Active Directory environment** Contoso has a single domain Active Directory forest which was implemented over a decade ago. The domain was assigned a non-routable DNS name contoso.local. While the Directory Services team considered renaming the domain, this has never been implemented due to potential negative implications of such change. Contoso does own a publicly routable DNS domain name contoso.com. @@ -209,11 +208,11 @@ Contoso is exploring the option of transitioning its operations into a more inte The identity component of the target design should facilitate step-up authentication and per-application permissions based not only on the properties of users' accounts but also on the state of these users' devices. To maximize security, Contoso wants to minimize or even eliminate persistent assignments of privileged roles for identity management, but, at the same time, such arrangement must account for break-glass scenarios, allowing for a non-gated emergency use of privileged accounts. For obvious reasons, such accounts need to be closely monitored and audited. Another Information Security concern is accidental exposure of users' passwords. Contoso would like to minimize their use in lieu of more secure authentication methods. In situations where passwords are required, users should also be able to both change and reset them without having to rely on HelpDesk services. At the same time, any on-premises Active Directory user account restrictions, such as allowed sign-in hours must be honored. Similarly, the existing Active Directory password policies must apply, although the head of Information Security would like to enhance them by preventing use of common terms within password values. - + Besides enhancing self-service user capabilities, Contoso wants to optimize end-user experience, especially in environments where users might be using several different devices. The user-defined settings, such as accessibility or app customization should be consistent across all devices. - + In addition, Contoso needs to expand its customer base through partnership with other financial institutions and providing direct access to its services to external clients. As part of this effort, Contoso established a business relationship with Fabrikam, which manages an extensive portfolio of mortgage related products. Contoso intends to provide Fabrikam with access to its internal Windows Integrated Authentication-based web applications that could be integrated with the existing Fabrikam's products. The access methodology needs to account for the fact that in recent years, Fabrikam has modernized its technology and moved its operations almost entirely to Microsoft Azure. - + To facilitate the expansion of their customer base, Contoso started developing a number of applications intended to be available both via web and from mobile devices. Historically, such applications were hosted in on-premises data centers and relied on an internally developed identity management product. Going forward, Contoso wants to minimize the effort managing customer identities. The management team of Contoso, including its CIO, Andrew Cross, emphasized the need for resiliency and Service Level Agreements associated with each of the identity-related components that are part of the target design. At the same time, they are also interested in minimizing additional infrastructure requirements to implement the design. @@ -264,7 +263,7 @@ The management team of Contoso, including its CIO, Andrew Cross, emphasized the 3. The choice of Azure AD edition required to satisfy Contoso's requirements -4. The Service Level Agreements associated with the choice of the Azure AD edition +4. The Service Level Agreements associated with the choice of the Azure AD edition 5. Requirements necessary to minimize dependency on passwords in lieu of more secure authentication methods @@ -465,7 +464,7 @@ Have the table attendees reconvene with the larger session group to hear a subje 1. Remote users must be able to sign into their devices by using their Active Directory credentials. -2. Existing Active Directory user sign-in hours and password policies must be preserved (although allowed password values could be further restricted). +2. Existing Active Directory user sign-in hours and password policies must be preserved (although allowed password values could be further restricted). 3. User sign-in experience should be simplified by minimizing the number of sign-in prompts and limiting the use passwords in lieu of more secure authentication methods. @@ -497,7 +496,7 @@ Have the table attendees reconvene with the larger session group to hear a subje - Contoso has not implemented any cloud-based services, including an Azure AD tenant and an Azure subscription. - Implementing the hybrid identity model will allow Contoso to take advantage of such technologies and capabilities as: + Implementing the hybrid identity model will allow Contoso to take advantage of such technologies and capabilities as: - Passthrough authentication with Seamless Single Sign-On @@ -535,7 +534,7 @@ Have the table attendees reconvene with the larger session group to hear a subje - Contoso will provision a new Azure Active Directory tenant with a custom, publicly routable domain name and use Azure AD Connect in order to integrate it with an on-premises Active Directory environment. - - Contoso will purchase Azure AD Premium P2 licenses for its users, in order to provide the ability to implement: + - Contoso will purchase Azure AD Premium P2 licenses for its users, in order to provide the ability to implement: - Azure AD Privileged Identity Management. This will allow designated users to temporarily elevate their privileges to manage other user accounts with auditing automatically enabled for all elevation events. @@ -549,7 +548,7 @@ Have the table attendees reconvene with the larger session group to hear a subje - Password Protection for Windows Server Active Directory (available starting with Azure AD Premium P1). This will allow imposing restrictions on allowed password values. - - Self-service password reset/change/unlock with on-premises writeback (available starting with Azure AD Premium P1). + - Self-service password reset/change/unlock with on-premises writeback (available starting with Azure AD Premium P1). ![High level architecture consisting of the on-premises environment represented by a rectangle on the left hand side, two cloud outlines representing the Azure AD tenant of Contoso and Fabrikam on the right hand side, and the Microsoft Intune icon in the middle. The on-premises environment contains an icons representing Active Directory domain controllers, providing such functionality as Azure AD Connect-based synchronization with attribute level filtering and password writeback, Azure AD Application Proxy with its on-premises connector, Service Connection Point for Hybrid Azure AD join, and Passowrd Protection DC Agent. There is also a web server icon, representing the hybrid Azure AD joined server hosting the APP1 application, used also as the Password Application Proxy. The Contoso Azure AD tenant provides such functionality as Azure AD application proxy, My Apps portal, Automatic Intune enrollment, Enterprise State Roaming, Conditional Access, Azure AD Identity Protection, Azure AD Privileged Identity Management, Azure AD MFA, and Self-Service Password Reset.](images/Whiteboarddesignsessiontrainerguide-HybridIdentityimages/media/preferred-solution-high-level.png "Diagram of hybrid infrastructure") @@ -596,15 +595,15 @@ Have the table attendees reconvene with the larger session group to hear a subje - Authentication method - - For pass-through authentication, you need to install at least one or more (three are recommended) lightweight Authentication Agents on your on-premises computers running Windows Servers 2012 R2 or newer with TLS 1.2 enabled. The computers hosting the agents must have direct access to Active Directory domain controllers and outbound access to internet. The first agent is installed automatically on the computer hosting Azure AD Connect once you choose to use pass-through authentication. To install additional agents, you can download their setup files from the **Pass-through authentication** blade (accessible via **Azure AD Connect** blade in the **Azure Active Directory** section of the Azure portal). Installation can be performed interactively (you will be prompted to sign in with an account that has been assigned the Azure AD Global Administrator role) or via an unattended deployment script. + - For pass-through authentication, you need to install at least one or more (three are recommended) lightweight Authentication Agents on your on-premises computers running Windows Servers 2012 R2 or newer with TLS 1.2 enabled. The computers hosting the agents must have direct access to Active Directory domain controllers and outbound access to internet. The first agent is installed automatically on the computer hosting Azure AD Connect once you choose to use pass-through authentication. To install additional agents, you can download their setup files from the **Pass-through authentication** blade (accessible via **Azure AD Connect** blade in the **Azure Active Directory** section of the Azure portal). Installation can be performed interactively (you will be prompted to sign in with an account that has been assigned the Azure AD Global Administrator role) or via an unattended deployment script. - Filtering - Azure AD Connect offers a number of different filtering options that determine the scope of synchronized Active Directory objects. While organizational unit-based filtering is the most straightforward to configure option, the scope can be based on a value of individual Active Directory attributes, which offers object-level granularity. - - Configuring attribute-based filtering relies on declarative provisioning, which is configurable by using Synchronization Rules Editor, included in the installation of Azure AD Connect. It can be applied when importing objects from Active Directory into to the metaverse (inbound) or when exporting objects from the metaverse to Azure AD (outbound). The recommended approach involves inbound filtering because this is easiest to maintain. Outbound filtering might be required in some scenarios, such as, for example, joining objects from more than one Active Directory forest before applying the filtering logic. + - Configuring attribute-based filtering relies on declarative provisioning, which is configurable by using Synchronization Rules Editor, included in the installation of Azure AD Connect. It can be applied when importing objects from Active Directory into to the metaverse (inbound) or when exporting objects from the metaverse to Azure AD (outbound). The recommended approach involves inbound filtering because this is easiest to maintain. Outbound filtering might be required in some scenarios, such as, for example, joining objects from more than one Active Directory forest before applying the filtering logic. - - In inbound filtering, the scope determines which objects to synchronize or not synchronize. The scope has a group and a clause to determine when a sync rule is in scope. A group contains one or many clauses. There is a logical *AND* between multiple clauses, and a logical *OR* between multiple groups. Objects which are supposed to be synchronized to Azure AD must have the metaverse attribute **cloudFiltered** not set to a value to be synchronized. If this attribute's value is set to **TRUE**, then the object is not synchronized. It is important to note that, in general, this attribute should not be set to **FALSE**. To make sure that multiple rules can affect its value, the attribute is supposed to have the value of either **TRUE** or **NULL** (not set). There are, however, scenarios where the choice of **FALSE** is appropriate, such as, so called *positive* filtering, where you do specify which objects to include (rather than exclude) based on the value of their designated attribute. + - In inbound filtering, the scope determines which objects to synchronize or not synchronize. The scope has a group and a clause to determine when a sync rule is in scope. A group contains one or many clauses. There is a logical *AND* between multiple clauses, and a logical *OR* between multiple groups. Objects which are supposed to be synchronized to Azure AD must have the metaverse attribute **cloudFiltered** not set to a value to be synchronized. If this attribute's value is set to **TRUE**, then the object is not synchronized. It is important to note that, in general, this attribute should not be set to **FALSE**. To make sure that multiple rules can affect its value, the attribute is supposed to have the value of either **TRUE** or **NULL** (not set). There are, however, scenarios where the choice of **FALSE** is appropriate, such as, so called *positive* filtering, where you do specify which objects to include (rather than exclude) based on the value of their designated attribute. - Contoso will use a combination of the organizational unit-based filtering and the *positive* filtering based on the value of the userPrincipalName attribute. In particular, user objects to be synchronized will need to have the domain suffix portion of their userPrincipalName attribute match the custom, verified DNS domain name of the Azure AD tenant. This value can be set individually on per user object level as part of staged implementation of the proposed hybrid identity solution. @@ -660,7 +659,7 @@ Have the table attendees reconvene with the larger session group to hear a subje Some of the risk detections detected by Azure Active Directory Identity Protection occur in real time and some require offline processing. Administrators can choose to block users who exhibit risky behaviors and remediate manually, require a password change, or require a multi-factor authentication as part of their Conditional Access policies. - - Customers also need to choose the authentication methods that they want to make available for users. It is important to allow more than a single authentication method so that users have a backup method available in case their primary method is unavailable. The methods include: + - Customers also need to choose the authentication methods that they want to make available for users. It is important to allow more than a single authentication method so that users have a backup method available in case their primary method is unavailable. The methods include: - Notification through mobile app @@ -728,7 +727,7 @@ Have the table attendees reconvene with the larger session group to hear a subje - **Azure AD tenant** performs the authentication of remote users attempting to access on-premises applications. - - **Application Proxy service** hosted by Azure AD passes the sign-in token from the user to on-premises instances of Application Proxy Connector. + - **Application Proxy service** hosted by Azure AD passes the sign-in token from the user to on-premises instances of Application Proxy Connector. - **Application Proxy Connector** is a lightweight, stateless agent running on an on-premises Windows Server 2012 R2 or newer with direct connectivity to the target application. The server needs to have TLS 1.2 enabled before you install the Application Proxy connector. The connector manages communication between the on-premises application and the Application Proxy service via an outbound, persistent connection, which eliminates dependency on a perimeter network or open inbound ports on perimeter firewalls. In general, connectors can run on a Windows server that is not domain-joined. However, scenarios that require single sign-on (SSO) to applications which rely on Integrated Windows Authentication (IWA), it is necessary to use a domain-joined machine. In such scenarios, the connector machines must be domain-joined in order to perform Kerberos Constrained Delegation on behalf of the users of the published applications. This is one of the requirements that applies to the proposed solution. @@ -736,7 +735,6 @@ Have the table attendees reconvene with the larger session group to hear a subje - **On-premises applications** deliver required functionality to users once their access requests are authenticated. - *Assessing resiliency aspects of a hybrid identity solution* 1. What are provisions that eliminate single points of failure in your design? @@ -750,7 +748,7 @@ Have the table attendees reconvene with the larger session group to hear a subje You can use password hash synchronization as a backup authentication method for pass-through authentication, to address scenarios in which the agents cannot validate users' credentials because Active Directory domain controllers are unavailable or unreachable. By combining password hash synchronization and pass-through authentication, users will be able to authenticate directly against Azure AD in cases where the latter fails. Another mitigation approach involves extending your Active Directory environment to Azure. To accomplish this, you need to establish a hybrid network connection (such as Site-to-Site VPN or ExpressRoute) between your on-premises data center and an Azure virtual network and -deploy additional domain controllers of the on-premises Active Directory domain into that virtual network, as well as install additional pass-through authentication agents on Azure virtual machines within the same virtual network. This minimizes the possibility of network connectivity issues affecting communication between Active Directory and Azure AD. +deploy additional domain controllers of the on-premises Active Directory domain into that virtual network, as well as install additional pass-through authentication agents on Azure virtual machines within the same virtual network. This minimizes the possibility of network connectivity issues affecting communication between Active Directory and Azure AD. - Azure AD Connect synchronization engine @@ -794,7 +792,7 @@ deploy additional domain controllers of the on-premises Active Directory domain - Azure AD Connect passthrough authentication agent - - Authentication requests are dynamically distributed across all available Authentication Agents, so no explicit failover is required. + - Authentication requests are dynamically distributed across all available Authentication Agents, so no explicit failover is required. - Azure AD Password Protection for Windows Server Active Directory @@ -860,7 +858,7 @@ deploy additional domain controllers of the on-premises Active Directory domain - Enforce multi-factor authentication to activate any roles - - Ensure that a rationale is provided as part of elevation approval process + - Ensure that a rationale is provided as part of elevation approval process - Configure notifications triggered by activation of privileged roles @@ -868,7 +866,7 @@ deploy additional domain controllers of the on-premises Active Directory domain - Track elevation events - **Note**: Privileged Identity Management requires Azure AD Premium P2 licensing. + **Note**: Privileged Identity Management requires Azure AD Premium P2 licensing. *Optimizing access control and management of applications and devices* @@ -920,10 +918,9 @@ deploy additional domain controllers of the on-premises Active Directory domain For more information regarding this subject, refer to *Technical and feature overview of Azure Active Directory B2C* at - ## Checklist of preferred objection handling -1. Our Active Directory domain is using a non-routable domain name. We cannot risk renaming it in order to implement single sign-on with Azure Active Directory. +1. Our Active Directory domain is using a non-routable domain name. We cannot risk renaming it in order to implement single sign-on with Azure Active Directory. **Potential Answer:** Contoso does not have to rename their Active Directory domain in order to integrate with an Azure Active Directory tenant. Such integration is possible regardless of the DNS name of the Active Directory domain. What's important in order to ensure single sign-on experience for Active Directory users accessing cloud-based resources is to ensure that there is a match between the userPrincipalName in Active Directory and Azure AD. This is Microsoft's recommended approach. It is also possible to configure **Alternate Login ID**, which makes it possible to choose another attribute to designate the sign-in user names. The impact of this choice differs depending on the authentication method. For more information regarding **Alternate Login ID**, refer to Microsoft Docs at . diff --git a/Whiteboard design session/WDS trainer presentation - Hybrid identity.pptx b/Whiteboard design session/WDS trainer presentation - Hybrid identity.pptx index 5a01eed685cfbb0f508ce1bbd35a63debb6dc9ce..0c0eec68574146e0f2afc1742ef8cc8f9af36e7d 100644 GIT binary patch delta 17418 zcmZ9S2Rzl$|Nq@(6WJFwvafVPz2){T= z9B1&M@k=BjG*m{CK#{$qc+~uWWPn-LlO#yUunBxIB0^;k7c7k8b$VOfdYZz)v4uND zm?6&6)z{p=BjlM=e`vq4(2=cPf1_F*e?_%D?tEV0=n}U{Gytnp{=;FBr{S|KRxa>~ zMH@?NgZ*p9_`7a zoAw9jNORqqIL$n``1;?uakH(K-Q=1>$yU`9%kzJ;+JE_VoLSU#?M%w*8#^r8eDkmR zjAP_gV~&SL)~!zdZFc4O=+AiU<6S~;@&;h|G+Y9}fD^_oQ`RmTocsuLS%@shOXZI*(c z@y>{jJcDNSyQ+3EJ|RgXXSvMWmTu84{M>m)c*W}xUvF*=>cf!_XGoEEC(W%+EN?2l z9!BdGl3&mFwqfr{XV%y2m-+>DZ!P67XSRR(nzUiRW&ed+62G_0&3TZs4K?-ps?|^I z*QC{4*?WxRZDxn`pG{v@kSiyjh8|8emugYEmHwur_D|PhH;dp@i$LcS+U9GyC7kFF zwbdM4oK@U!T)UNUb~@4TE%&37?N!N7H}Y-hKAU1;cCA39-*)C<;}ok_<;F7K+g{}Y zkIsHyz@&)h_HDi2pyJN8dXd=8gyRm5na<%kmqf3uPRrx)^Oi~%Neie-VIF_<@nnYx zdXH7{%b-Kgn*WR(ySj{L=25C#(T9Ypwy8f?12cbSi_c!|wbgo`rYxnAr?Sp*hEG9s zBwj*5FVTLX#dYC&ZrX;g)hyYd%;-&v8(&a-1N;rdo77(hcRIe8dGj*<(5s(~E>C8+ zXXsU=i(FEfP*g1=i_5nQj49i`zO&KCQqJ7>w)2ZMjv)s1gp0Fc}rKm=QXz{tg0I=TVgr>#^U|5?=pG)rxw;8zsz|n zb4Pe^Rz{$f?d(bUBk008l0;d4>Y0z|_5?!+8TpWeF|lEi0}b1Fj1;>NJ5WQ)q7x;nQ6mi3aPPhvHN_L+;G{FOE>*f8VMlCvqQz`-eYZGMr>qFMur%i~3FGh0VK zje9T!f+GFA|EM21`mOC*=9d+|hmTBN?X?lS7r!T9G&4iI_Yvmg()G#z{NP~Zly;M{ zPTHrUffL;=Wn7EP&OM&l*YoPnb?ZM#Z*ISQvSF2_^k}bP{+}nNNnNaNBfspEHDNQh z-4}zOc5dB!?(kOU`%e>F{On&;OP@ZYv9Uf|ee-0o`}OFj%GiQKf79z89`xKix2xc@ z^s6g>2NaU-9(*@LY6>0hFgX=(zL4(-eO)=}*@)lbpa+c)JEoDkik9=CkG zeYZu_%%f7tAbG}RPL5vD<=uw~6K?6F->^^aIb4PHJ}kABeWe+kXOvyniwFgt{ke_ve4%K3@xrrCr42=L zt_JbNyl0)tnm5tU7xIr=`^hx~yH|b!L6~H=6#vZBkp;468W@imJ@=r~E7zqQAPC5O%u0#deGFmRa=e3q=eY zy-kuLVbYJ_W{3q2kib+29i87>LxwH9Q*N3X1ej5HHf$T^`E=5+DEuM_dO*E zV7X67ycEp48b-o4+{JU9J9sWth3AD&@%gn>Kp9nzuy5@H<)le07w+mLME?)lI07B2 zmXLT+-7V5fEVLAF?R*o@Rd0~gNtp0;e7#e}I2pQzmm7-kvPB{380_NM8yMl>U3j1n$tU$-cP>Hg?Ml2OuZtuN5~g;6WI#gwLu~tk*Z-N& z#$3`MHl2ezhqLkJVCV1&#b@F9)=WIt%fNFkgy&z<@M-m=LS7ax2s6ldI^U%Pdj1r) z7dDMI<+{LNnFl|tf4Y%9oaR&ZhNc|j>%$DA@IDgrU|y(q2~!A-CQ)TE?cG!n8j1yt zN$#YMlaL8sd>=-YBV*SBsT!QvJtyiX5sYp}y-dRnt5Pp5!XArJF;VQbF!e13D-fib zP_SdXRAnl*f|I(Aiq%l4kz~y5FXbo|>zt+pQZdf2l+6_E>PN~}3dU7RIY7lWeIltW z!zv`nnQ=(!51dLBSICjdSa=&5%{VIiyg^ZCGQn628$YD}g zEidJz9VX~W(G$ZwcTvDyxt|g$h4O{K9U}qm9VwI`D#{loT1#U|S(K+j*xq8w87ijt zoNPwLj#f~jspya>IQI2Wq%rHe6hA7~TniKntEWUr@qQ9{vvZKf!9kTpQ4$n6#5+V` zuog7#YS^{%eEhb1k!4mQlw-~1Y}ZQsN~lP6#oWZ|vM#%L+)S{`h?lf2jn>@i#5ldG_D-NfNv3~U z)|(9a2~$>rX?&is97R0DVU6EC?xj5G7w)>So@AFU)6URMXB{_vTkKK0ez2OykMQxim+h`wFL@6k=k+qH-z3kh2 zyFI5V``nP)*o3q!628>lwnXwU)j3*yeSDyolMY|(!P^%PvV%soq{#P0d*t@^O^aB0U)b)z}f6SEIdQZvoeu@q&cEh9t2 zniq6h^lsKqJn9KE49vc@>WxgN?~~1%euW(tO)`Oh2EOz2o+~)kFf5&S@ZJ^v-Hb}r zTsOtq-t#(q<(K0uvL7vOTrueBv-+${nxmP~aKhTGms}pF_b+PLlC7xpfUeG29ptA_l&P|M$}(^cz5qqe6Pgj^4Z>a)-hE&oZ9-7L%uY zKjSp*y1%2ltL&7-VZ~oomTFW9rw!TG)I7T{;ry?V8{IER%Ig5OCNO7ihYycmrsch* zq*XThlPDlkJL{5S=jX45pDJaqn%q=7?~bY6UJ4BpSP5xcSlFqpa7~J(2F!425W?*&sUc?sF zH+qGqO77-{rr6vuJ@77cOIM z;CBCY{^`^1(#EGZe_6qraafkBXK(x!Sxz}D%RP`E;;L2g?Lc?EzpJ!a{o4&rA*O4c z65dWN&MR;HyJ3UrAB~2OyPKn{rxNA2PWMf6PtAVw3Ku5f$G& z(LX-5Hy-KiirBlr^8J+;+}|zeg(q{Y6oiMOqhlObbbmRtGtSmI;lemeSTW6oGkC$( zh&)yeS3pk&U!Lql~zBRgmJZezPE}zZ@vWy zG#6jb`kfvv5nwvja&@lL{X*$vf+8lVe zcJJ6>UfvzXzfsUTioE+^hU;FVA*TCE-lkyVrhEH@QM!vKRb3CPJKWfx<+NE&?6EP; zn2d!O(p+2~d%-2HXG)rD-yltr|_5f;B49+-TTyIod20S*gRV5b6*O zJ0eCaq@inSVBX9{lf~`})9z8QP(GR>C*lK&0hNH;6Pe~lMZu~7PW`3&QIIrVd@)14 zKtWB*pjh~ux|o7x|DgUMW76NKQB>5g0)18rQf08ypQwox6pw4JF1R)8zNc!_&ELuOHC_~pJVza-phBhp z3=^I~6{KLYsnn%Z#Dh~SP8gh$Or=v%l_GQ&kVp+9qd+Jko4*tpj2cVbM8!g*sXKZDYOsf^F`EW z%H%_HXK78?-!7W07oM_MoB=rs)`C6-Y^m}{bq(z! zwoezY>g%9FUek`}e>OsnkQ~^oEy1>MBXt~mWQ|w3T2X^Zn5iXRUc3R%-&^X81)YBcfE$^-!mxT z@KA>EvhrCxKerEZv|r#q{Y319e$Kn&HV+=kHWC*3nH)yK2HunXNoa=jpPo&~urbxc zZ@h%(84`GYSRAi?+es6KjWOZmMOIswLNVPcT9C9M>0sR| zy2p%>zvGO;qJc;nFQzz6bJoEYPtpM3UBs9qX<#Nvnqg;S zbSk(Z@j&8*#0QBVk^m$@NDCkdK@x_v5RwQaQAlEt#34yQl7u7$i4I8`k_;qSNQ)pX zh9n0`9?}v>3Xl{bDM3<(v=ovGq-Bs)A*o?H73$o5G1q=_V%L6hoxF#A-ojaih_&tW zywDJi=f zlzwdQvG=$dAXF2uJ?5eO=&(_l!b(gcby+l*JX{bHJ#+ehOWBa^+w&l;s#keGK-#1ihuyi1bfZ>2Z8A324& z3GswJ`gq=x*&GtNZ9fP)ju02ZyVe` zdtQB9Z8hsu`irsrf~7z5wbiO!J$b+KXqr6=r*Q{!`PXJ;ZoaL%=1|!5Ky2kcJ(09X zvMKjo?$Q0%Sp9D6LPeiS``v3BiN}7u7>RE)>)wHx9}2dYbt8{W5etV7i80$9Y{rEK;daHicyh?ZBpnXcM zZ{|K{v*@(li%-p^AL}o~z8LpRd-WDVE+EM$G-TCM3H%6GLei3x$Dqg)uzL`3gPM9>lYB?4z zlzVc}S@-nvlHVcvp#q$d?exTrDfUK^OIMptKitJdc~bH;j+M|f<&cauaV{#g)p9MA zSIQ`%*ewlQakO3L%@D{HYLA|@XLQqzP)av zpFpv3Lj76s(XIi9Ud8&&_9o94GB%sbbH8Z_6Wsf7RI$1J#W$0QGJTiDe=cz+UR*4R zQVmmm-yipPAYehUXFEbRMzr9o`(h zH#Xfi76{DTs_;`}JwV z-btI|9b`VY3XOQj_}&u@inzJ%;TNs_>f09>&)%`N^1PC0(zCQYC#cc!a-a35J(q2+ zWNI&N%k)nU_xAGsJF0nk@^4G&o+CMt`$~egV+;0|6<;~jxgq!1@~Yu8L?M<>EO*Y|2wQgo0Ad2$;!u_g%W22^i5@Fj)xC+TH5e)#_S8wnwjdz zy?=P_dr!*kTO+SEC5N(KXB0=L=S3%T9uK7pmaPsJdgS}Q<8Ds(2V)zzVa2%N*K#Xl zEn2TW%$EE7?pVfn^5g^0%hYc<*HVk%u7CK-`FGW~_UV4gV#(!=XW;S$6`GxQ?8eO>9N3sa=2J7ad9NRQ zt|4&A)z}>6y;+X}7hc_v!?{w1&+S%lt@$cb{o(IUm%<$!DbG&4kac!;@zCeLtt3b? zy76`QMBC1Lud8(Ae;*TgR58_ZffZJsapZ*jpT8HkO*Sb7&zTRb+qv5&`rhM?iJaSq zz7+A+*7Wavc>PDw$v(Y;h$CNm;wlPm(WqYpghIX~ynSh|S@Oj{=5E#YN8yyj#vckR z#YN+7%j=#*g+E$%+~-@Y(Qm5#()CFkCY#jF8^z6CGcp&<3CktM(NqRGL{GXFX&J0P z%^?MqIT}ZoN9-G~V?r5t-O4$GAJa^T$49Y5kfS5&QBJ|&I3O*lod z9py&X_aX7E#I0dL%$sL=*qdkiwYf3U>c*I~y2)liOm521<}Px@J#cqj5K|XofYpT< zZcT`BR5ryNmCf#|VS+dGDr8ZC*MDv?XP2AAoL#;gJG*>E-FS?Tw=U-6tygRlBj{j; z2|BEt4kKTLytJ>p{P?u*`*g8K16Gfz z13NBjvQC}2)SSI3#f)2`YWQyGd(mjVf$s6(v3LFtmmNwkSI@Yac*@_Tlq2l6N9INw z&r4VI_2e8kFGx<;&MsIudH?w-f3;s>`OmAo?yHnr-gI9Ybu=w2|3--KnW^>R+K2XM z_%bckSeL)#mpWbPu=TWZ+HT>k&B|`reX``5L&{`o4l8MQ+ErO37o@=oI=`1$UehaF zlcyNNH91yUDA+`ceNL)d(L!1nWQu*}X&W{k%P!iaZqQO`&QCwZEppj5Z~6`#9pR_by|X4%Fs>JG8FCwCk@>D(}4bMWPN59y6E zR7a5ompVlJj3!?mNb(lla{8mSHg{mAYuWJ{&Zgk$UzrCl{v{=TykWGxvv2*5%taRu zSIDI)h(vluhrPQSU3eg@|0C<*`y{hshLO&B>_&~`^;fho&i!g@Rc70TXl)1HZ=P%Q z{ndL)|8L{Fr75LZVpwnm!<|g4j=uBU5PSZZp-f_J4St|4`uG*sjG)q&9cPzsztrA$NnyF0rH@x_uONOhUZrqUBv z9*k~3$g{xIjTMlzw$Hzb;c@x#4bg_tBkf_|9hx3G|9BGgUdueeZ%=mi2Zh}HhL74q z8>X|Wt2IXpmThny*_I`8=dy^!BA2P}9ivr-#>~o17spt2f?(z+y<*zM&9{(AkCMPHIxboR_-Sf9^-s{WNJ2V#9Eu607xBhB4 z_X7nKJMr}G)TXXo-?3n4aMKpaEX9~(S-#on#wjdSPrG=}oD-@x2gswUg}ljzAIsea zh3>f~^S`jK5|Zp(c*t?)(wa=m?8uSHZO(bs##t&>kE11ou)Ofz*w8e8<;Wv_e-wDf z_v))y)rkbP$$e9@E!S18c>DCmn)wJp>udo6$&s833w|I7Iu_xcU)31iU`sz&=6icuEGw!VaCL!u@cKz#$$lV7_M617x zO#1K6u_H0`t+O4xIsCLZ^Mvj8z4v`;u;l7(qZ5x*ZTMNWzF#=so~DP7eB^R0GD$Nm z@ZR$TTN_w>S}V2un$R}~6R(LT4H~-4e(x%3tP!uM3qHYFdDO)zyp8Tq_eDSKykon{ z>Ylx~2bOQ+HSM!ZvYPZnw7waVdBGsA^J*#uGbEgkaETz;Z^N8kOxGmK;cZ;jCY{7p0hYG&bBerg# z+Y>YDWal~_O(*hQaLYS!>dp+`;7Qw_!99U$d`f}8?2?wn9P-&Ex52Miwe={^9SP1~ zaRxVxvWNMxv?LF+V}jdstDwASMEq5&ZlY41pT~Aza_&wiKC!^C>4B!6T`|8BT zr0nCbGr#X6UGjdXep`ywu8@@UYwrV%doR~H^%}>laj2cCJC(njQvFzLI3s9v*>$Vm zhu2Old9we2q8INm?fWNKXocgE-wMYk1=0`1t!ZAqedXKiJtq&fS_$;!2y-sbKJ+!< zgn#|6Vi7fmqtCmpPeo&iXU+xlC5M3a%_yio7<=I-cgBnQE0* zWxD==v%_`ECce3$8*S6aV>VbnEwk*Y8MSfFS~V+Vv|-@T#|eXyXj@HQ)xZ%(Q`Dcy z7fsZ_cl~nfu7s2S{z`p}+IlQ|ZDN1san(s*`W->9l<>YzBKEkMEfn7H7oM>X4OM>4)F_3)e63Q849dhCB%~Y+yVhA-zuwIud;f+4fHi1F{c)N|b;ky8VeEjfaiU z$)^R->spc&Iz7(NCtndH#30n*(IRwG4YF@ytRbHfNwGgEf(n`#n&ctLly9vfXdEx+ zEJ``ENCNG727i%pQxxLk`0u~n$nzOv4e2hr0RNFiwNTVqk_h_sjG;-2M9R;h>Jkcs z|H$=bDWwZUQ0;Su7FnKwzTr%5{XARW3~av*UQS`z(9(V~g;Gv92=V`S5RP1jd1EVX z6n8QC$I5@=rHw`F#NuF=MzYUs~rp}kE@p5|>UQTa^K@E_0 zI}GZ4dA{}(AaZNTeEAt(K2|oruR*X5jk$cVAlg3tU*V6 zpo7wd1bYFD{6~rqGA}^b%b_zbpgS)Rq&+D41-P%P66`&0n9wAIdM}77Jwk+ofHU(# zFSwmo5$rc^XkJSQ(>@T6R)jbTg5-m4_JRAU6RPWn@m@K>^ac81uU@zl#JV4v==l&L z83df4wf)efB#dB^17MKcO9&5KcpW0dg#m^b9-%=euZbeay9prFK_C?;2@-Y;1~eXo z0YwuCvTu-~MOk{5gjy0IRI3)R>Ptr-2N^0z`vbIGnThH~8B*v%4g7sK>;qIgXQ8$M zh9oNc06*lAbA)()pTvj4T;V{-jzO!8YywZ!0`?e#RyT79a$yWwHJm5JmofPLL*R%I zGJD71B@gAI(vL9Ks%98V=rgq9zetea79d+cGlZq_027E7t5WCSSp0v^eB(THVuGQA z;E(GLHOT9u&T@ZuDi#1_x@F#a6L?4H`lB>iFR*u6Ao_~WWKPn(d(g3(a?7*#q zysD zfdy{tCGj9D2Dm+N_r@E9`&9>YqJeh;fA^=8{cj@iNrp1IhI5qLic1n~xJxBmkIn^%Eb0Cz(a0(>9G4`<{B0T3nAc(18dy2XVY>nf5e2X9S;M=E% z4!j1@|AMH#4gx{og%Dc)8jcQkAAz^x7$Py~WV3#P2;n3FCr$$dsRMz`a1uI55Z)X( zribxk`uP>$6E9IIer~=z2Ur8gxi~I;Mc@h=laB0gGB`w#6Ce-?Cp>Qm;+6qT&0j%N z2<>2BUkrwcI!y$1{FbnfzAvGP_geyIfItxZ!QO`h?+84X3hrxT@MsY)$gVmwLR87X zvk4v}LMIoF5(MHz;Oxgq-Ft#W;sjzv=;Rk4@S`M!v~U7pBJ9q-j^S7jHQ>9;{gK#^ zKlr9W_z0b1@QH-Z@KR-w)@~{%lEVM^17Rd|%AN@}f4GDxj)#-bDdF%%ecrlgHIow^ zfCv)=u_Z#t^gDx>a^dHE*SNCLN*tBR0IGE-ql+TUMd-5(AP9;1cSv(DcIA1z z5+Y^(tt{Neu1ugqB?Qp?Tgef?t~A9fA+F}%%B{ikm3qi@l0m1ufWPO>&!EME2_FLqt(S3tt?rkBA>=z4!dPsC;RcVC`IX8d&L0eM)cga+ z;mBko?w<^8%4LkLTyW*_jICBy(KyldpU|IqD;xdB4Tn0|YU5onZ2Sd=ydE~n_yva1 zezw|D1BTDIVf#xqGX4#Q4{z8i^gb9){|1A@C>y=N4TWQD6YHN{2&)6iyYhOH`bB}t|br#klxC{A&<5^RJ4x6DA} zB55`%zzv(_*y{HTY$Ak0(aD(#D1wVAgIcbTX($jv(vd%ohnM157Ulkd_li1I^qL36 zM_jDZA{rRa!9$mBIq1dMgzzr@3*Oykgb2aK_0@!^ z!o`QRY+EClGmW1qlorIKlb2e~!?Zl6HhJ4dqWl%g7aa)mN)r6uOGw~+=}eG!IN3x7 zBI8bw1Tqi^>Y|g~wh}~-0wj+DB;A)FeH7@lb2}kas33$xa3PEKQJGp~+i*fW#zp*Y zLWs~nH0~#aej7Yqw!pQROglmlZceCP9YqLdT(C|M;xaC(V+p}*hlX5S&~Q4DAm&_9 zZFCkF*5p0u#I6tEuq=xZs@x#Ho+re9Txeb*L_IEouM$F(2SnjDLL`|`;Lvu$q20#= zgN@!G@J-yKSdI&8vUeo`t$6|FRudu%7X!8UbY##dFKms}V?xY1P&m;FJ|;W{HxlGH zA8hOdAM`)`oFJmRQVBTpD#rzyY~Phgq0eQ_+R*6a|ztN#RA~bfzjL0-`YhX`s9K zv!RnTxaKypU3Ndgl`9Rd<92NHMVhHkk$0dXyD4Zh|2j~k3vJ3BsVK~zCX0UQ!jeOA zWaG(31vpxaqc{F+j1ij+- z;RhN}34uR!3TG<23kd$9p?&!K`UiF3Hi*p?G@$D&99_+3qfT`|5E?|MT)N0cCvY^Q z2FUU%d*+5Xf_Nc1WwLl4DWGvYddM9|FK@D4>1yDD_#rxljIoggj_#@gT6UL>eyRe3 zpdvcu_tG-5}ho|kD~OLBIxFKc$YY?3}^F{65uYmf3O~o zA(Dwsu2lR7LqroN`hbTrx#D#bOaG}$QGzBA=0qn;ssDo+IEH8^I(e)1KX_6RFhoAV zEll?xdcL`41j#?!Fk9|Hw998iFEGOPZofJpxlEiXqUi%P`1#`T&-Za_{#sPGhN*B{JUgk##iJz=5zVaAR7V+d}|eW?1Km)U=CteFd;m1pg}wy5I8@p+zKFrj+menOPs!ubF(9rJ52LHsbLGhj2f93-gE zT9~B&Awt-dfCcVU!sx;}rW85!Fo7j4z_a%VA-ryYC(;7enGs2lX1w|lixAgKq1qIp z|K~?}c9fve>%h_(MTl3p7&u0VT-_|qrNxCS)7|Jr0#GHhX ztqsh3Qw(8QRrQ~9Y#w`@A~4w!R=f=!D)DY??}BIkCOYp4i6d|&?%5qrh^;l?k+p*5 z98Mres1;O4!&4~UMc93)K4%68d%lZ=)5Pyt(HcCdNrYhGB0HH7eYm)Hh7bleAjZxT zA{iGGDTEk&{C}o4or+^u5*f*_gi$YSgiTRIgmpn9Sm%GI;>KO#yYzy7lWD>hr zY6}gVvXHzpQvt1f23I3^`Vc}(pVQ#|-4-rHVdwC=CCJAPTE%4(;tnqIa|n^x0>gxT zgQpaAdl;tnJb{Dk!PB2hhzGd%d4Uiw+o8ey@1U{cKf?&;5p_Eq@Xs;$k5>H>@nh}B zf8uWell3p-9tEV`4ejC6rYhMkpCE@Fq5F_4gy_P>sjGz0+yo-OfDkdbcu+`)AzZvF zB1HcHbO~2HAyhvIQ~IMNY^leTMi8qD-#i^*J)w69d}kf*{s70TMH}34cL^+@ z1Ma;zxmrz-qiex9|Cv=5$B$|V?5+()2=!%e)9ZT#CgT`lf9d48`vfV}0s`T`Y@>7? zfkia|Lp(4W8$TfM(WQVt;Exqf4+-+Aoytd?zhC75?|ejHO?fav^e~;A^q3%BazIw% zWNg!9B6XfUzFwTFC&B5`bW&-z1f)N6l|Fe@V z1U`mih-`+PY$XT;H?zN$hr>$?nchy|>tbMpXlFXvsDmI}IDvp?c8{An3G5{bcyJ*Y zBf1D8Eds<^7|7{vg2cfq8G^`YcGI~Y0_)(|8eZ(k(!Fe>5Rk?Ad!%t6K|BS4KnOJ) zx_*M(766jT2P9&EAkFTug!#{}duf1Q4-zc->QQYh%MWaMr*$?PR20opUpS&kXu{gNrA9E7m zGDR9jt6gCYPaR-UtG6%}DRW~q6tD%}T_cug(f|1rnWeykl()cD8zR2{ed&3(j0e5- z1g`52&)t=(Jjm7^*7Hn*$&0SL0jkmAK}~L82*H(zFAs`!14EEI7$7+O-@YV+c+f>p zrZQUN3D%fd_>Nt{Ery&R1}+^ZN!?mV79Z=L2Pm;L9n|juUG4OMdAFhz2BCb>T-mK@7CHK;J3q%$aRsIJ5!TV$k0V+@O8L* z!89Sx8(!)ibdmgnmEvf~4c=uhF!YfCZkS&O1bNdb>6ZFvvk%jpQqgLFvV33}5adm# zWLX=b#S=6Ma4sus|OZ(EdBzbgAvuju9B;&(0~t9L1sRr4I&zK$p61vv>JJDV=AcrH)u5 z^cQuH!LcpO*KTK6_%1E)aQME5f3JjC4MD+weIpOi8<-ek`NFt=>(M!1rW%4Mj(@`{ Ql$9GL4ZbZQ(Gl%I_NKCD z3ZaRT|8+aQzn}mA-|KasbAR5~bzk>5^Es|w7e`aepk%T6(Xy{Bk=S%WDJ1Zj@|CFU zqs*qD+auGg{~aK~#gC^eg_Tf(@|b?xhM?5G@H<+snmQ#B3-F&+l(7Y%>alo+yk z>5zro!QMHiqjt-!JG@(Re6Gy!yBcre>$6s4g z4niWf{PZt#nY!I)6a?l)ZrB@FI%e`WsVPsv+0)n2;@Iwc%CCrY;~U+f$3%Pu!!I0b z`zq^=CYLnxTzHtI+a~Lj88AX4+8@6E6r8nmxO;SmN%hw}$tN;np0!h*D-(`t44e@mH76*QiRp&i?c1vi7QR`)gNx^hP~i5&pE5HL!xi?#59T|aBgyGU8i>kI3K&NnVnwu?Lh3GV7hB(DBM$D_Ruuv0B85^Mha)C z(24!p(YsCm1W>QMG`TfEd%>{PyUBI)oz2pb+BLSlYpS*e>Yko;C}dGXTK+YEb*IVS zO-sHvC-$$gsb{Nh_@Y{^AlejspjYf~kPfS; zhjM>K>Hfl6i4*q>R8PN5)+ZJ|POZAXug35J z{hw6>oCDre?}Sqq7F~~DZu=uT;>i|)^7KNVM4MTW2RgByEJvJWUN|lnAmVPI3yiWbG2N5aV+1hZmB@Vn|<+(e{$W1M`T6AQh#zr*Pqvj zs5R0x64V(~^U(2kP|Kf`+uW)9`k9?5kGJwD)BXZy6sd z+nq4$@T;h&6X^aUmehl1anS?B-_LLn6R%ED&WIuYe=l!~5f(qXQ%>PSt*I21?LVS8h z(T4f}-sUx6ezhL9C~$x!f+C<1%B-V|5J9!LA-je$pF+H>q8y_TcPg=SbOq-7%W>VS z4A+fHad&bhn9z&yw!a8Cde{d6HzY#9--VQ6qTmgN(*J=DeJnoIR7nv*-LEN)sIdJ% z-tAzRn)Q`tn041bly^i`BW`@)3s>NNjk4yJbJeTdik!YoAED&P^2D zgf)0@Sx}csbQe%;X+*>;4A}hZsl=BQiYt|vyhB+=BQ|8>Hr}}uDGCuuP$Xex9zh*3 zyP?C;+Y~9ZvKu7Sdnlm#J@ikQY#6G;)1;?U%n?XK%!4`X;!# zPab-IVZG6hO}cMKVqE5|O!#%Eg7Wyu?*}dRKQs6vgG$-<4>omv_@JA#cdeT6FV7_s z#VW7wc&w3a%Qsk%7u8(e`mA8$i^_XR0+;w}jW^@{EfQn_spMN+C4U$tNA9!Q)jvETM-qRmr62jF`I75mAqYUki#}eS1Q(H z#I1_jwEpBKo`zH&vw6pi=LI`)B(^%K$Vt3mN-$=<$>O$oWu>2Pr626HtNe47tVY*n zdzpfYlR?QthrVm{tUq?pU_5u!?POp6gZW>b7muAfYVWt|wPl3F4Ih zhj}2``=m9Ebvz4# zz^R^t+~ZgL9L~OpeOXdU?e!}+SjgZ+R%BgIEUb=rvy0|^<-vhhFI(Tb>QyS1om-*T zX0qqwanHhlK_ZiH+>k%^?7%>Ga+9fJ5b7PQnXJ`Iw+?yY_VxKML#<=ax4sG#qg-NV z%XwNBA*~`*H6nS}SYkl1d{>y@oVF~vHp`;fT6el;ZPI#$M&}rm4oez^y)psdEIZej{m3?@Ba2{*qZoXqCKB(I9}K}Sn%S;h1!K>RyS7e7~m|*)2a;DwTbwC z*GBR5zNBi)=MToE9^Uh^5jm>Nvvq|;v-q2@GG`8*V(b&71g$?}Dm|ROFNqajz45ZO zXbwm7#bT4gLI>tIj;uD2vQbGry=fKO@~o7+Cyao0?b)xk_|@ zj4DMq9i@aY(Ah4Q2yr5d(n2SCgQyzwP~m#E2%5OVP(X}Ni~%C=BV!JQ5K5#bo+U2z z;`-qpy!GzJ+ndU?^J>IrCf%Hle$k*|@<|$#@U){v3LsvWe*^95f-e)KfU)vcb6vE$=wwO+=Zes*dP$>g!g8FnOQQ=Foks*d!7@H`B_#s-W z6TxX_1XECe;J@9;R?v7Q3Ew7$9EDKn!jY5KfK9HNp@>31K-WGWX**3t&f#B#~&}sw^g)jUi@&0OMO(Aa8^*#nyvr5Pyfg4 zpQVbG^2(LhHH6+CVO)xHN(_3r{FrK=P6KDBT1iWG(Lnr8B`;a+L(9@uWN8n_Iz=kE z2U|yz`4r=WXT-lbn7T zuE~1`*44|sUoO!d`@-8~y<_DtcYlY>m%#m&Kl+^f)@C#x3JFYGa9Avy9_jp8$v?jR zNIJ(=OzeF6ljJmpQi0ElNXxjRCl@GetJq}qqcI`lw6cL%-)*_bC;Nn=nGcL(2${=T zF~M;ee1&0a#b@421RyB54 zY(SL1*(etk@qyt$gmM;?|xf9JO1kXZwep{w=yRX%jGDfj;J z*`HsqLG0pV=kCX~`npsuteIid zyPwgp{>tm|a<$0SKbKuTen4(iGgYf+drnz&L#0FI)!@^Crx!m}{9N7`cXS7j%i!vB zbh9SI%}3+cygwZ~s=WWECt4q+vTkrqX1SSf^gq9Nk@6Mw?Ahwe&t!3*v)aBc){l$2 zaKY{sZ!<56J>~f7h}noFs%l=E?{@X!DgnklU(1hc>8>9P$FB~@6mgg6`B{H*GcuMGL(iI^I`7d9?p>ikDF>K5g7{I*+hLra^cHMCdbUhOk&t!r8O;8b4c8Yg>p-B=MY^+v-Z9T>EHWi@2nkf_N05Kt=-CT; z)8&|lg~ukN(kxS>8tJu@HpcCbOg+WAi^bU+P44Wu>vs3r(#F86@7Ld3UM_k&(@a-z zB+=+~Lrc((Scm+@W3OAn&KB~tRe1G3kk9|2K8{w7-3Tr5e%8WFI+R(nW4}XRT;$$2 z+Y1Iut`6np9_`xqG>5;AZk?YTtv25bQR^uWvL7>OxU#I|5lNtd>2ROV=C-WO{zgbuCW_;+G9vxu_gn2p#EnM&zKQ@h!3my5mbs%IW^ zZ7~|r=GCp*SC`^AahtI8{WwvzEOy>_ePU&Dv5(Pr&ubk)55}ry`50aCh&)9zN>=7{ zXl2Z<9UIDw>bmhpLc3M4THU|X;iK;s{iKygPTh{a5Z4!+T@^b!eBIBBNw>ql9y>P> z$Km7KZuS}#te`8pc_g^*HEn0RFX1b7H!FP_DvaXSd(gGCb-v$``EALSx4!L@>*k&M zx0I_)wE52)XdlXSuFt=CqhXz7Z)b*%?WpvY+Iv3*0o_?aJd8OH->3xSZNe zBZQ5qgaoloih5%%v9SclwJOFP^EpDtQx8M#w~R#;;!z>CCBMM~Jn|aX--=LE8AQ_` z%Ah!r@spy>O&tDC(W9ah-=H^BEyf%o>no*#f{gy7g9j<%40KByA|Kicqp9&=IM4}A z3&uto(XfcIhDK~NWdzcR0RsliV7nfJLnYL;7)$97H5lr2qELmgkVbSVFuG{Od;vzD z1Q9++Po0bYaUj=75yicNr|Z&}cyxii^f|MLwe56CZesrjdNYHNtEYP~2;XY@BO1|J zMn6g?dWz{2RN`SFU6)31zoKW+i0EhZJv73!fbK>oL(I;U*~e=>0Te{Z0C9 z2BOPBceA7Dazx8D`auSfdzt=+PPikw8w1Uj{nut0N0+6cw@kJO0lpJ7V%`fpEZs=@ zJ1WuyOopJIqia)%E2rsZRO0$k`X6pW;5qgidJ0?gX~n-YqdkS0HbpA>2La7kP=7tLcfngy$pddD@yWR~E_pFbq)@3*HSrZ(~dl zt9%%rEQyg%3{eVNynqIj1zo{wmLd_7${3I!2nSOdMfmv#SPxtM27u|C5k%r9RqZem}7AEwjYkW%o`1F}fu0f-y zST$92>CVb0uU;P7KmN^8_p^?l*f~>M+p;;s9BZ4|KbjxK?P>hRUQ#3}rk-9XQTR`U zi|xz#Df=1Avjmb(gHCt=C&&GzA2kr`w ztP9b49(m=-gS6GB_2gr%&D9_D{+e@Tq2Eq^v$4ZmQn&7!cTqYj_@b{YN@Qe&j=wZ4 zTuH zysiGc>$y;e+)!QS&E2Ex7Vf`MX8IxQ?@vlo*pjg4A0F`Ub3b?IR#JJ3uzF6%Xt0hwBte^ZrL1<)OggMY?8s-+U`4wx2O` zs@DxEP?TN0_4=>s z^o^lC+fyV%OLkEmEqP;vdMjln`xbT|JA0*xw^KSkeq43s2gS$3gVDtmr&VZ68$?AE zi@u)s($2KyDqVP*Q>JkHOsnV7n?sgqBK${s)HHqHzjdD*D9ERsA-XJ(X?16=*M|cZ zdy}ts?>Z-)d%m{tChPEJ+323a1u^@=WjaFiZbW4i*JSpxK3u~Ts*LegmsYh}{O48fELxE^rcm3G+^UIY5 zd$Y{L)B+XWcxy?e=H1$Ss(7L9)3e0^@%|5~d{!dM4u@pOE>zzcUl?Bzos#xqygTLf z7W&}xTPmsEa(k9&805aV$tgTVi3qIAZwb?*)Sh$=Ew$Tu{;$jOPKBi7DOWD7n2>xw z?C~tD);VGQb&uPd1H*krLh7s;4PUloE5`K>t>$HTjW7SIam~5yg6z4WTb4V{yI-`` zII@*r@a^Gi2Dt&2C1D-5z3tcI&VLF|J7%MC(`R)~lFtXNtOsY86c@S3ba5_Mzf|0J zvY0Y=&x?J{UFDCv!xz<^*x%f7TKmyu`GHm6e)G>Q{iH1POsCfQQh;({9q;y=ZeQhY zn_N677!Vtg4;}oVP*Ks9D*mvBWB((kSYgMH+SE3_>(}H3XKhh_CZBQ8?b>Op zj$xtgeioeZZ>Tcm?}3JO>nsK)sFw}pVxups>MEuleinP`czWCCStC3jzOO9UV`3NE zpmC;iUsYuVw`k5MJ@wNC3yQ`~y02&b(y$5}QcKeesi0pfiM_nG*RJsH`&ngM*L`+R z_kolj;K7U+Jr>dT?=n?pU~b=|)q&`NqbUZQ(7x zekVu$UU{wVlxy!5Op35zR+uhsRFn3oS>o9@$r1Q$eJ;sG+IdpmZehX3nqJ}8ER|5H zgu5#itF~<|__gB>SM%@frUP#G?%Xy%$!rYa-19$YyV|mf2z^>1(M!%9ah&;#n3Zp~0Q9@3^B#?(y$DQ8sV5;^mj9d1m!W2T$m-ja}dc2&sfg?OF!gDJaR#h!2&z!}FtvWgtvgU(}C7 z$m!)`zVPG*T_U+b@6=PY49wwafB2yALlJ-?2t^2rFcfSPg(3z;9Et=KNhnfKW5}%&aXXyxDjW(QLfkiZ3_sqZ3|t5!b|vE938WR9~vaz z2h*&JBe;JpQQgpcMlD!`(y7gkm8-7n$YKn|tY*F7) zv4-_OHas@Any2f}EyecPR(4H2~mn|5&ez4v{(wxT6C$Oe8#I zX;L^HSA|*U6r%@oHue^4$`u^tH@aJGR$g>0dZm=<*)_{cZhz|!y{_~ueb=_xZ$t!s z&N{AJ8M1ipg`!$U(9_M--dln$*+aRG?sKn3tSReBA8N7Jb*wPgi!V;#RlPr?U9~Uh zWeSH+&8_E__A;7^b<$JhcIj7G8++d7vdc9&sfir+rwG^2pA$1U=kU$? z&*P)@*CX_o6eH>rJD;E(&s_Y|uRB|O3&?-Fe517eML(YsLjm`r&py)$yCSu)L#-3$ z!*}=Uy$yMxyt!DRL-In7f#&_-H%dD94CdL_nSVZWePes3Z?TfUEv>O&H{U5@@lx>s zw#=wt?F-I{0FzoRM~8RjTg5lm3uo9Y7vkLLDB3)HGrNap`?WxZ@7y8{`I`azZpd%& z5M)%guv-K&l+}W5AM%Q;3B(NaSn4fZcjfnqoepmw4VLR?+a2!^-u=}>_)Efzn(K#x zDvY+&9FR=^ocHi;WPL|kOvCfY7iPogc*dji9zow+Iv#OoPF>5rRJYoFIWp_*;X_BZ zZCR4AYkrkn7JI*w!`8g>hAO$H4jb-`C|>g=1f?uExjS~FxK+R!ijdZODrXsg{{*S!w+FYlOzW zs|$`4@fjE<`(9jcb;@LIlTgkX&sl%;`K}$=Ws|32FL{*X?fQ3?eS-e4xWVeK0*A~{ ziQCCrFH+*I@?|c&oSRd;>}&L6-Thty9*<&{kHp1T@EzuNDqd9~9M2NozLJyD|J_S9 zf`9ElB^&0ZEuKG5epjjC-}a2^-s8)b+rQj$GUGtyrF0|CsLl?Fi$gmTGXqpN?26Ve z-mH@&_uk_C6T7H}r-IHtXPw(8uVnu*7y+YQMP=Cx)qj0KMywVdXY-3D@$NVyJxOx5BprxOq z5M5oo&3aeUF$ZQ$NXy@YwLALd2DC%lbmiMxF4iUo#AuIRb$1ty?@^)5cTXG4S4uhO zI&K?t5n}o|f zQ>yPLPGcSKm~w;Vxy78T+)f%tkNrG#TXs%ywR3TG&BXX-J*OCJ8n+gAiNVrJtz)Jg zpTn)jmN6p_&T^@aHLEGOx-6?dKmC$`e_3T;aG+xv{Hy#F1JV)a_MJv?@g$1z-_74^^K6k&eZHPOP5p zY-CdbA8KgjEGA_gnp@7YrW{1xu%livCws~(XX#SMtfxe*6N@p`Aa;SRhyc82O#h?V zlD?J|EM1Bd3a((WsG-gzdkc*E#f20Cl^|wsB!v?Qiak0~3EpvmBzuP)B!fvIR|P_O z&(tKnpiZHqs48$aJ~f5rBM+NTO@W<>dcufPMz{PQUeViqO2Nd=>K49rFm+hVI475x5xFfkEiNU zxZeK)y{Lsn)GC@{(sjT>%BJcYaJ{~2s(uyflpa)72VpImrjSNGn04Bx>f3N#wg(QT zG|H`q2Y5PauLsw@p{e6*)_~1FVpsi;MmO=_ouV7y4AGdFGCl_*B^V7ifIl}68fk!& z#*v4@Kn{&8O{#_n#@B2JSO z?I0-ckjQ&zl43|Q|M%c*}f0pVCzJR$5>>oMfy!F z@%Sciev0&(z*)v;3Zc`$sAv31QHDiq5Gh2OLHyl=teRobmmVbHg@Z8o~&w{tO8O(3y(C*Z62kBgN zfNZUSSo}C2*|UNzizux?wmu<= zaVyK1di*ICGU!|qOzuJ}T<(eRr2vzPeT&m_Y6ke0=YO6Kb%5#I28D z1^Bw*&QC)x2H|i(Iua8N;?c;wCoik*85CY}(IGWyy1DKL@>~_Z1GZtDjRXlxOsY*2 z85MGtm^ev^Np)|=LMb+&LC6o>d<%~nO zH>FY4IBO+!g(*__4SSkB3dZ}7j_5hwE3HN%e_+4d1$p89d3ThB_d*-vCtw%lgPibw zY%{uw_fCOm81K`!Bg?X?AMVr%P(S8bBm-g%)6+~AffSv^czMc?QUqdgW+hS-g3j}>D0C(Tw;%|b3n?xX!;-q<*H?SI98vDm%aPR# z%Q5xR136VpDwhZ8ejT?p_a?AYp_Mz@OVm@j(dI`P&)@Y`BYtcGkiD z!T`EKLqZVKF@$t-?1CX^3&Ri~MT<#`44w9T4+@zJgXf)nq~~5?i2X4PMT@|kUSpwp zloVnjAiPhK!V8P!Gg#PDKSYx7j|dC}(!Hi{0n#zky&S>4h>Ail#<8TQohW$rt%ji# zqiHAecd#0=`Y^-`nD-`3^9oSNQESCl=Ua)kuFqHI0Nb+T?G2KAd{ z{g@bZVuFLMxH}yzs~$SxtcFe?*fQ(?wcxXp=C7LzuXMMKv{;h7EzX)`@{ z<&vJ;@I~L^4AFl+nu@MPK7Ju*ZKk_;0qLHP-64~0dTnkzgXqq1d#n_PWqJObbmEZ! zCrEK)(%5gNM+|9hOf*LVoV*K3r*#sr^eH8zNX4S1f)rn|kgX+!r6dT~MpB%|BEE?f z^473`0WB;Mx&LO$ad9d9_bCRonl|h!hvrGKrBDsLjM4^rrblF6jSm#g!`qKJ&qo^S zsDQIhp$hoayR8D|s(n*j3q9_K3m)=2m^AB8)2>r*w>vQM{5*~BfkKe*F}*%v{nI?X z6rxVOVx-#NOv5jcQzfY_8Sc&|k zA(7c^7uv;NQ&@ZI{RiEg4eboaraeD`LUF&K!@_YIy8jCTv$4{hq#B*`Z02m6$wsg!zarr<2F#LJ6$m5&ToZ7jqrEX?`6P zPJw|-WW_XEjuB+ROdp7c_S1ZLCGhpIq18G}ql!2Go(Yoe*$O166^|TGczY3 z;6x7Y?{^p+B-6~a!4Kl8iDzJ&%6FJbasWv-Vp8`FNJ$V$gfM~B8zyypCrL8DLN2{Y zIm`_*aG2B|AtVkO1U&WW2NH4M&alaU?#Z1Wh0X zXl4_W1k$FBZ8sFbJNObwgcTXwQ(tuuWD3n}vO0xyh*X3okUuoj#-Bsl%&`r!ikP&_ zn(0H=0}44{R8~8UA~1q9qnQyt)sYbf6(9m6AI-FJH6M+q&jJSAmlxnS%)=NzL?zH?vi0Y;mM#Oyx)AbHIUxn=F_$1J8AY zgEDpMeUk&57yk^KHg0kQ;}fDYaElyZ$h(@^RgmNihe+%IDOpUawCoJLL=K)9xw3$t zDa^n_vVb8~Yi76t)fo;~u>)jrF{zUCXJE+YVxV<6xeGG7nA8nAGi+4c1hTux8v`}K z0EybLm5}QT20t>#scHLhlT(Id6Q@YJ2+G6xUyuaGq;52s5or?>A~neXCd_7FNsJ>f z9$Gj97s>#>WDmICitKXnbLevFXSg-SJS-9)v4>wykV*z$q}U`;$0Q09Ya5bO;Lih) zSvEZh&!r@u`fAW>2aaLONFs+F&0#RK1Y3BcT}_{ZLh(SpNCR?SHH|bdO2H@*vf`$^ z-b({=!pP2d8lA<6f>GPHDWrrfrD0`G;tu!iMc3@u<_OZ)W*)7Jp(t9Dt%?e)8NBF; z3R{z!vkxzd3KCRh8&UK3qi8)ax3j@K^>M0P1%f?4K>EDEK7|L7l?nLBsj&^IWntK| zo>GHWnF6a+1BZ8qN$-i}a37!gs8*%P7C?^bY$0kZhqN762gmLsDSeITPty|sj2?U=#kemDeTJ@H6=|CT^;z;4@3n8xPK#0ivnN!5xcl z@ZzfnEAsmi3E{W05p_;7DT2PS7>J<<%d;F_ho?@7ZT}w4so}0lA+hjxa8x(IFNIgh z5f1Hu5l*e6gEq{|`x=SiDa?&pu;a1oB!Oo(H!?E>a`pyE6m~(=sgH>hX3+FuDv9A; zgd2Uqj_=Y)vST+mt~7#GX#Z#0#|Rdw?s%@EgpT3&G5tPm(rF z_!a>XDjm=v5pV1ACxbDyA*MX*R}Pf3gX1X%Vi28+%!k_2JGJpkXe^cKTR zO`c<{f}T#mVbC%M$0aXFBJ>wXI3`P9l4K($QXiq|FLP+>|BA$aqv4naE`nnk_j;OO zN4;1E{A^nS`0^VPubc#2*!FMNsf8rIg0baA@SgfLD6|k_rx%g7FW7e50tQj>b~?5N zoE;6tQ{v)zc%$;P1naL760`!y$6&G)-`16pkQLkuWyDGHSziq56CvVWbT}P7^75vAEn!3X7#6@>)o-FdafpT@Pya;1n!h2B%?H9Y?6b6s6l-lk_;gRNDi)j`Qp{Qo;&Lx3 zys*goNQ#9IA#ND{maaxjkA_l@I@ZJ7mD=EQvKD?gj(j4Ww}L>Bsy*{3pHM$s?+&Kg zXm}%AWX}J|;GXegR&;=Y^SL$9iVFCjtdJNuGYIu7193L8)zM2gcsz@KV<0_WUihJo zKiD0?NNOC;S~s|WlRVf=iEZ<_r!voW`}=M8)1BJtBdZGd^0)*$`xtN|cQ<$}@O!XT zq_->}owxgK3h>qq*zUc>PhTf^#}@Qz1AI{9wS`}Ziw&mxirxUt|E}al85^K4N33?P z<3`)C62vONgBuNLfxE>9IHzB@vsEP8H~zo)M(BknTLPVNhZe~{xzRuF&>nIUnKb2G z9<&K7NCTX?0P`AA5N7D}NNUU1zwdcxV^nS-`^!m)$I!pUdk z3pZ*=iJLj{H;+)A4;(S$O|U-F@I2VWo{zpmZ0dq1NMsXRRr5a?bCO(KBL58sHRtCn zu1!I{QyG=I-oe3BC$`*FmJB3b>Ql+Y%l|gXe}iIu;c^Xwz9