Posts

Showing posts from 2016

Authentication vserver cannot be bound to a CS server if VPN server is already bound to it

The title is a bit of a mouthful! Basically, from NetScaler 11 onwards, Content Switching is supported for both web applications and NetScaler Gateway. This is great news, as it lets people consolidate more services behind fewer IP addresses. I wanted to test this out for myself, so I spun up a NetScaler in my lab and started the configuration. I wanted to enable AAA so that I could pre-authenticate requests into my web applications (Outlook Web Access in my lab). The picture below shows an overview (check out the Citrix article it is linked from!) http://support.citrix.com/article/CTX201949 Firstly I completed the NetScaler Gateway wizard and ensured that I could authenticate and launch desktops from my XD 7.11 lab. Next I followed Dave Bretty's blog to Content Switch the NetScaler Gateway VS and a newly created VS for OWA. Then I created an Authentication VS, then created a policy which says any requests to the AAA address would go to the...

Using PowerShell to update Visio diagrams

Being in IT or architecture generally means using Visio, FACT! I have been completing lots of work in Visio recently as part of a document migration into an Enterprise Architecture tool called iServer. This required me to dust off my knowledge of VBA and create lots of macros. I am not a massive fan of macros; they seem really archaic. In the more recent iterations of these scripts, I realised that I could use PowerShell to complete the same tasks. PowerShell is something I am far more comfortable with, and because it sits outside of the application itself, there is more opportunity to run scripts against a larger set of files. Rather than bore you with some of the scripts I created for my business process diagrams, the example below is a script which you can use to update IT-related documents. Below I have a rack diagram I created in Visio. It has four servers and one router with their names added to ShapeData and a Data Graphic which shows this as ...
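The approach the post describes (driving Visio from PowerShell instead of VBA, and reading or writing ShapeData) looks like the script below. It is an added example, not the script from the post; it assumes a diagram whose shapes carry a ShapeData row named "Name" (ShapeSheet cell Prop.Name) and a CSV with OldName,NewName columns, both hypothetical paths.

```powershell
# Added example (not the original post's script): push new server names from a CSV into
# the ShapeData of matching shapes in a Visio diagram, via the Visio COM automation API.
# Assumed: $DiagramPath exists, its shapes have a ShapeData row "Name" (cell Prop.Name),
# and $MappingCsv has the columns OldName,NewName. Requires Visio installed on this machine.
param(
    [string]$DiagramPath = "$env:USERPROFILE\Documents\rack.vsdx",
    [string]$MappingCsv  = "$env:USERPROFILE\Documents\rename.csv"
)

# ShapeSheet string formulas are double-quoted; embedded quotes are doubled, not escaped.
function ConvertTo-VisioStringFormula([string]$Value) {
    return '"' + ($Value -replace '"', '""') + '"'
}

$visio = New-Object -ComObject Visio.Application
$visio.Visible = $false
try {
    $map = @{}
    Import-Csv -Path $MappingCsv | ForEach-Object { $map[$_.OldName] = $_.NewName }

    $doc = $visio.Documents.Open($DiagramPath)
    $updated = 0
    foreach ($page in $doc.Pages) {
        foreach ($shape in $page.Shapes) {
            # CellExistsU returns 0 when the shape has no Prop.Name row (e.g. connectors, labels).
            if ($shape.CellExistsU("Prop.Name", 0) -eq 0) { continue }
            $current = $shape.CellsU("Prop.Name").ResultStr("")
            if ($map.ContainsKey($current)) {
                $shape.CellsU("Prop.Name").FormulaU = ConvertTo-VisioStringFormula $map[$current]
                Write-Host "$($page.Name): '$current' -> '$($map[$current])'"
                $updated++
            }
        }
    }
    if ($updated -gt 0) { $doc.Save() }
    $doc.Close()
    Write-Host "Updated $updated shape(s) in $DiagramPath"
}
finally {
    # Always release the Visio instance, or a hidden VISIO.EXE stays running after the script ends.
    $visio.Quit()
    [void][System.Runtime.InteropServices.Marshal]::ReleaseComObject($visio)
}
```

Because the ShapeData value is written through the cell's formula rather than the shape text, any Data Graphic bound to that row re-renders automatically; to run this across a folder, wrap the body in a loop over `Get-ChildItem *.vsdx` and keep the single Visio instance open for all of them.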

Using a Password Manager

Using a password manager has been something I have toyed with for a number of years. With more and more services being hacked and data being exposed, my normal approach of just tiering passwords by application importance wasn't cutting it anymore. You only have to follow haveibeenpwned on Twitter to see how many data breaches have been loaded into the service run by computer security legend Troy Hunt. So I decided to give it a go. User Experience Now my biggest concern about using a password manager was the user experience, especially when using it on a machine where I cannot load extensions, e.g. my work XenApp server. I had a quick look through the options and initially tried 1Password as it had a 6 month free trial. I quickly dismissed this as an option for a couple of reasons. 1. The login process on the webpage was a bit more complicated than it needed to be. When going to the web interface, you had to enter my in the below text bo...

Secure your phone against 2FA skimming

Google recently introduced a new, faster method of 2-step verification. Instead of using Google Authenticator or SMS as the mechanism to enter a verification code, they simply send a push notification to your mobile device. It is simple and if you don't use it, you should turn it on! But today, for some reason, the push notification didn't arrive. So I asked Google to try a different method. I chose SMS and a moment later I was sent a text message with a code (partially blanked out below). (Image caption: MFA code is visible when locked.) Now you can see that my phone is locked, but the whole code is visible. This got me very paranoid: imagine being away from your phone for 5 minutes and someone who has guessed your password using this to bypass two-factor authentication? Or, thinking about it, my bank uses one-time passcodes (OTP) before transferring large amounts of cash....scary! No thanks. Thankfully, Android has a mechanism to make this more secure. If y...

Gathering MX Records for Office 365 Domains

I have come across the need for a simple output of MX records for each domain in an Office 365 tenant. An Office 365 tenant can contain multiple domains in a verified or unverified state. This script simply outputs the MX records for each verified domain into a CSV file named after the tenant ID. The CSV file is written to %temp% by default. You will need to run the script inside a PowerShell session connected to Office 365.

    #This script collects the MX records for all domains which have been verified in an O365 tenant.
    #Run the script from within an O365 PowerShell session.
    #Author: Ben Owens
    #Date: 03/10/2016
    $temp = $env:temp
    $TenantID = Get-MSOLDomain | Where { $_.IsInitial -eq "TRUE" } | Select Name -ExpandProperty Name
    $Domains = Get-MSOLDomain | Where { $_.Status -eq "Verified" } | Select Name
    $MXRecords = ForEach ($Domain in $Domains) { Resolve-DnsName -Name $Domain.Name -Type MX | Where { $_.QueryType -eq ...
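The same idea carried through end to end, as an added example rather than the post's own script: it keeps the structure described above (initial domain as tenant ID, verified domains only, CSV in %temp%) and adds the check a practitioner usually wants alongside the raw records, namely whether each MX actually points at Exchange Online or routes mail somewhere else first. It assumes an MSOnline session (Connect-MsolService already run) and Resolve-DnsName, which needs Windows 8 / Server 2012 or later.

```powershell
# Added example (not the original post's script): MX records for every verified domain in the
# connected Office 365 tenant, written to %temp%\<tenant>.csv, plus a flag for domains whose
# MX does not point at Exchange Online.
# Assumes an MSOnline session (Connect-MsolService) and Resolve-DnsName (Windows 8 / Server 2012+).

# The initial domain (contoso.onmicrosoft.com) identifies the tenant and names the CSV.
$tenantId        = (Get-MsolDomain | Where-Object { $_.IsInitial }).Name
$verifiedDomains = Get-MsolDomain | Where-Object { $_.Status -eq 'Verified' }

# Exchange Online MX targets end in mail.protection.outlook.com. Anything else means mail for
# that domain lands elsewhere first: a third-party filter, an on-premises relay, or a stale record.
function Test-ExchangeOnlineMx([string]$NameExchange) {
    return $NameExchange.TrimEnd('.') -like '*.mail.protection.outlook.com'
}

function New-MxRow($Domain, $Preference, $NameExchange, $Note) {
    [pscustomobject]@{
        Tenant                 = $tenantId
        Domain                 = $Domain
        Preference             = $Preference
        NameExchange           = $NameExchange
        PointsToExchangeOnline = if ($NameExchange) { Test-ExchangeOnlineMx $NameExchange } else { $false }
        Note                   = $Note
    }
}

$rows = foreach ($domain in $verifiedDomains) {
    try {
        # -DnsOnly bypasses the local cache and hosts file so we see what the resolver really returns.
        $mx = Resolve-DnsName -Name $domain.Name -Type MX -DnsOnly -ErrorAction Stop |
              Where-Object { $_.QueryType -eq 'MX' } |
              Sort-Object Preference
        if (-not $mx) {
            New-MxRow $domain.Name $null $null 'no MX record'
            continue
        }
        foreach ($record in $mx) {
            New-MxRow $domain.Name $record.Preference $record.NameExchange.TrimEnd('.') ''
        }
    }
    catch {
        # Typically NXDOMAIN or a resolver timeout: keep the domain in the output rather than dropping it silently.
        New-MxRow $domain.Name $null $null $_.Exception.Message
    }
}

$csvPath = Join-Path $env:TEMP "$tenantId.csv"
$rows | Export-Csv -Path $csvPath -NoTypeInformation
$rows | Format-Table Domain, Preference, NameExchange, PointsToExchangeOnline, Note -AutoSize
Write-Host "Written $(@($rows).Count) row(s) to $csvPath"
```

Domains with PointsToExchangeOnline = False are the ones worth a second look: either a mail gateway in front of Office 365 is expected, or the record was never cut over and mail is still being delivered to whatever the old MX names.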

Last week/this week

What have I learnt in the last week or so? Resetting domain admin password I had an old Exchange 2010 lab environment which I needed to use to test some TLS settings. I booted it up, typed my password and bam.....not accepted. I tried a few variations of the password and nothing! Scratching my head and a Google later I came across this https://4sysops.com/archives/forgot-the-domain-admin-password/ This blog post describes how you can use the Windows ISO to open a command prompt on the DC and replace utilman.exe with cmd.exe. Boot up the DC again and then click the Accessibility option on the login screen. Instead of launching utilman.exe it launches cmd.exe. More crucially, it does this under the SYSTEM context, so basically you have access to the whole machine. A net user command later and the admin password is reset. It worked perfectly, but it is rather unsettling. If this was being used as a mechanism to attack your network, you ca...
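Two things a practitioner wants next to that story: the control that stops the swap in the first place (full-disk encryption such as BitLocker, since the trick relies on editing System32 offline from boot media), and a quick check that nobody has already done it to a machine you own. The check below is an added example, not from the post or the linked article. It compares the accessibility binaries against cmd.exe and powershell.exe by hash, verifies their Authenticode signature, and, going beyond the on-disk swap the post describes, also looks for the Image File Execution Options "Debugger" variant of the same technique, which redirects utilman.exe to another executable without touching the file.

```powershell
# Added example (not from the original post): detect the accessibility-binary swap described above,
# and the registry (Image File Execution Options "Debugger") variant of the same trick.
# Run in an elevated PowerShell. Emits one object per accessibility binary; Suspicious = $true needs a look.
function Test-AccessibilityBinaryTamper {
    $system32 = Join-Path $env:SystemRoot 'System32'

    # The usual replacements: a straight copy of cmd.exe (as in the post) or powershell.exe.
    $shellHashes = foreach ($shell in 'cmd.exe', 'powershell.exe') {
        (Get-FileHash -Algorithm SHA256 -Path (Join-Path $system32 $shell)).Hash
    }

    # utilman.exe is the one in the post; the others are launched the same way from the logon screen.
    $targets = 'utilman.exe', 'sethc.exe', 'osk.exe', 'narrator.exe', 'magnify.exe', 'displayswitch.exe'
    $ifeoRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

    foreach ($name in $targets) {
        $path = Join-Path $system32 $name
        if (-not (Test-Path -Path $path)) { continue }

        $hash = (Get-FileHash -Algorithm SHA256 -Path $path).Hash
        $sig  = Get-AuthenticodeSignature -FilePath $path
        # A Debugger value here makes Windows start that program instead of the named binary.
        $ifeo = Get-ItemProperty -Path (Join-Path $ifeoRoot $name) -Name Debugger -ErrorAction SilentlyContinue

        $replaced = $shellHashes -contains $hash
        [pscustomobject]@{
            Binary          = $name
            ReplacedByShell = $replaced
            SignatureStatus = $sig.Status      # a genuine Windows binary verifies as Valid
            Signer          = $sig.SignerCertificate.Subject
            IfeoDebugger    = $ifeo.Debugger   # $null unless the registry variant is in place
            Suspicious      = $replaced -or ($sig.Status -ne 'Valid') -or ($null -ne $ifeo.Debugger)
        }
    }
}

Test-AccessibilityBinaryTamper | Format-Table Binary, ReplacedByShell, SignatureStatus, IfeoDebugger, Suspicious -AutoSize
```

The hash comparison only catches a copy of the two shells named above, which is why the signature status is reported as well: a renamed third-party binary dropped over utilman.exe will not carry a valid Microsoft signature. Run it from a scheduled task or your configuration-management tool and alert on any row with Suspicious set.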

This week...

What have I learnt this week? Wireless Whilst the 5 GHz channels do not overlap at their default 20 MHz width, whether neighbouring APs interfere with each other depends on how they are configured. We found that setting up different APs on adjacent channels seemed good, but realised that the APs were broadcasting 80 MHz-wide channels (each of which bonds four 20 MHz channels) and therefore caused overlap. We reduced this down to 40 MHz, which decreased the interference, but it is also worth bearing in mind that narrowing the channel halves the maximum data rate a single client can reach, even if less interference often makes up for it in practice. I found this decent webpage which covers the above and other enterprise Wi-Fi considerations. http://www.metageek.com/training/resources/design-dual-band-wifi.html On this, I updated my Wi-Fi logging PowerShell script. It collects data every 2 seconds and includes the channel being used, which is useful for the above.

    While ( $a = 1) { Try { Sleep 2 $time = Get-Date -Format T ...
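A logger of the kind described above, as an added example rather than the post's own script: it samples `netsh wlan show interfaces` every two seconds, appends SSID, BSSID, channel, radio type, signal and link rates to a CSV, and afterwards lists every point at which the client changed BSSID or channel, which is what you want when checking whether adjacent APs are actually on the channels you think they are. It assumes a Windows machine with a WLAN adapter and the English field labels netsh prints.

```powershell
# Added example (not the original post's script): log the connected Wi-Fi interface every
# $IntervalSeconds via "netsh wlan show interfaces" and report BSSID/channel changes afterwards.
# Assumed: Windows with a WLAN adapter; English-language netsh output ("Signal : 85%", "Channel : 36").
param(
    [int]$IntervalSeconds = 2,
    [int]$DurationSeconds = 60,
    [string]$LogPath = (Join-Path $env:TEMP 'wifi-log.csv')
)

# Turn netsh's "Label : value" lines into a hashtable. The label match is non-greedy so a
# BSSID value containing colons is split at the first colon only.
function Get-WlanSample {
    $fields = @{}
    foreach ($line in (netsh wlan show interfaces)) {
        if ($line -match '^\s*(.+?)\s*:\s*(.*)$') { $fields[$matches[1].Trim()] = $matches[2].Trim() }
    }
    $signal = if ($fields['Signal'] -match '(\d+)%') { [int]$matches[1] } else { $null }
    [pscustomobject]@{
        Time      = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
        State     = $fields['State']
        SSID      = $fields['SSID']
        BSSID     = $fields['BSSID']
        Channel   = $fields['Channel']
        RadioType = $fields['Radio type']
        SignalPct = $signal
        RxMbps    = $fields['Receive rate (Mbps)']
        TxMbps    = $fields['Transmit rate (Mbps)']
    }
}

# Walk the log and emit one line per roam (BSSID change) or channel change.
function Get-WlanTransitions([string]$Path) {
    $previous = $null
    foreach ($row in (Import-Csv -Path $Path)) {
        if ($previous -and ($row.BSSID -ne $previous.BSSID -or $row.Channel -ne $previous.Channel)) {
            [pscustomobject]@{
                Time        = $row.Time
                FromBSSID   = $previous.BSSID; FromChannel = $previous.Channel
                ToBSSID     = $row.BSSID;      ToChannel   = $row.Channel
                SignalPct   = $row.SignalPct
            }
        }
        $previous = $row
    }
}

$end = (Get-Date).AddSeconds($DurationSeconds)
while ((Get-Date) -lt $end) {
    try   { Get-WlanSample | Export-Csv -Path $LogPath -Append -NoTypeInformation }
    catch { Write-Warning "sample failed: $($_.Exception.Message)" }
    Start-Sleep -Seconds $IntervalSeconds
}

Write-Host "Samples written to $LogPath. Channel usage:"
Import-Csv -Path $LogPath | Group-Object Channel | Select-Object Name, Count | Format-Table -AutoSize
Write-Host "BSSID/channel transitions:"
Get-WlanTransitions -Path $LogPath | Format-Table -AutoSize
```

Walk the floor with the laptop while it runs; the transition list then shows which AP (BSSID) picked the client up where, and on which channel, so an AP that is bonding wider than planned stands out from the channel numbers alone.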

What have I learnt..in the last few days

I had planned on completing one of these blog posts each day, but it became apparent on Friday that this was clearly a step too far. Work has been crazy busy at the moment and when I get home I would rather spend time with the family than make blogging my number 1 priority! Anywho, the plan is to make these a little less regular, maybe once a week. So what have I learnt this week? Amazon Dash Ariel Dash Button Amazon released the Amazon Dash button in the UK last week.  The idea is that you put a branded button in certain locations around your home.  When you run out of a specific item (e.g. washing powder) you press the Ariel Amazon Dash button on your washing machine.  This will contact Amazon and get your Ariel product delivered the next day. Neat idea, slightly overkill I think, but neat! But how does it work?  How long do they last? Well I came across this pretty decent teardown blog post from Matthew Petroff . https://mpetroff.net/2015/05...

WHILT

Azure AD domains So you may remember that a couple of days ago I blogged that it was only possible to have one domain associated with an Azure AD tenant. Well, this is kind of true, but not entirely. In fact, in Azure AD you can add the same domain name to different Azure AD tenants without any error message whatsoever. It is only at the point where you verify the domain that it pops up with this error. Windows programs on Chromebooks I saw this tweet earlier today. There is a piece of software called Crossover which is currently in preview. It will allow you to run Windows applications on Intel-based Chromebooks. I wrote a blog post a while back which explained why I wouldn't buy a Chromebook. This piece of software will potentially eliminate those types of concerns. I am currently looking at purchasing a cheap laptop to replace my Asus UL20a which is pretty old now. The laptop is fine, but the battery is fairly knackered (2 hours max)...

WHILT

What have I learnt today? Webcam fail in Windows 10 Anniversary Update I read a tweet shortly after the Windows 10 Anniversary Update stating that lots of webcams had stopped working. I didn't think too much of it until I tried to join a VC this morning using the Polycom RealPresence Desktop app. It kept crashing when joining the VC and my brain kicked into gear. I found the following link and applied the workaround registry settings and my webcam worked again! http://searchenterprisedesktop.techtarget.com/blog/Windows-Enterprise-Desktop/Possible-Fix-for-Win10-AU-Webcam-Fail (edit the registry at your own risk!) Under each of these keys:

    HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Media Foundation\Platform
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Foundation\Platform

add a DWORD value named EnableFrameServerMode and set it to 0 (zero). The background is that in previous versions of Windows, only 1 application was able to access a webcam a...

What Have I Learnt Today? (WHILT)

When I am really busy at work, it can seem as though I haven't developed or learnt anything at all. After a few weeks of this, you can end up feeling stale or unenthusiastic about your job. In actual fact, even through those really busy days where you attend meetings which don't necessarily require your input, do repetitive tasks or just don't have time to think, you still learn things. I think it is really important to learn new skills, and this set of blog posts will help me reflect on the little things I pick up on a day-to-day basis. Most of the time they will be technical tidbits, but there might be the odd random fact too. I will call these posts "What Have I Learnt Today?" or WHILT. So what have I learnt today? Azure AD tenants I needed to do some research into Azure AD topologies to help with some merger work we have coming up. I came across this great little article on the Microsoft website https://azure.microsoft.com/en-gb/do...

Exchange Free/Busy Calendar Sharing

Recently we had a request to be able to share calendars with an external organisation that we are working on a project with. In the old days of Exchange, the only way of achieving this in a seamless way was to set up trusts or use tools such as IIRU and IIFP. Since Exchange 2010, Microsoft has introduced the Microsoft Federation Gateway. This allows companies to set up a trust with Microsoft which can then be used to exchange scheduling information with third parties once policies have been configured in both parties' Exchange environments. https://technet.microsoft.com/en-us/library/dd335198(v=exchg.141).aspx This looked like a pretty straightforward task and certainly a LOT easier than setting up direct trusts or sharing keys. Unfortunately it wasn't quite that straightforward. These were the issues we ran into and the relevant fix. 1. Cannot create an Organization Relationship for the third party. Also, when running the Get-FederationInformation PowerShell cmdlet, it errors. ...

Cannot add certificate to Netscaler

Recently I blew the dust off my lab environment and decided to look into configuring an ADFS proxy through NetScaler. The first task of this install is to install a publicly trusted SSL certificate on the NetScaler. Once I had created a CSR and got it signed by my CA I was ready with the files I needed, namely: a PFX file (containing the private key and certificate the NetScaler uses to terminate SSL) and a CA bundle (the intermediate and root certificates that let clients build a chain of trust from my certificate back to a CA they already trust). When importing the files onto the NetScaler, I kept getting the following error message. "Invalid private key, or PEM pass phrase required for this private key" A quick Google search reveals an old CTX article. The resolution is to export the private key to a new file on the shell of the NetScaler. This didn't really satisfy my curiosity as to why this error was occurring. After a bit more Googling I found the following CTX. How to Convert PFX Certi...
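The PFX-to-PEM conversion the CTX article is about, done with OpenSSL before the files go anywhere near the NetScaler, as an added example (not Citrix's procedure and not the post's own commands). The two checks after the conversion are the ones that matter for the error quoted above: whether the extracted key is still passphrase-protected, and whether the key and certificate actually belong together. The demo builds a throwaway self-signed certificate and PFX as constructed test material; the CN and password are placeholders.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): convert a PFX into the separate PEM key and
# certificate files a NetScaler accepts, then sanity-check the pair before uploading.
set -e

# Extract the private key (unencrypted, -nodes), the leaf certificate and any chain
# certificates from a PFX. Usage: pfx_to_pem <file.pfx> <pfx-password> <out-prefix>
pfx_to_pem() {
  pfx="$1"; pass="$2"; out="$3"
  openssl pkcs12 -in "$pfx" -passin "pass:$pass" -nocerts -nodes -out "$out.key" 2>/dev/null
  openssl pkcs12 -in "$pfx" -passin "pass:$pass" -clcerts -nokeys -out "$out.crt" 2>/dev/null
  # Intermediates/roots bundled in the PFX, if any: this is the "CA bundle" side of the upload.
  openssl pkcs12 -in "$pfx" -passin "pass:$pass" -cacerts -nokeys -out "$out.ca.crt" 2>/dev/null || true
  chmod 600 "$out.key"
}

# A key that still needs a passphrase carries an ENCRYPTED marker in its PEM header
# (PKCS#8 "ENCRYPTED PRIVATE KEY" or a "Proc-Type: 4,ENCRYPTED" line); that is exactly the
# case the NetScaler's "PEM pass phrase required" message refers to.
key_is_encrypted() {
  grep -q 'ENCRYPTED' "$1"
}

# The key and certificate must be a pair: compare the public key each one carries.
key_matches_cert() {
  key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256 | awk '{print $NF}')
  cert_pub=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null | openssl sha256 | awk '{print $NF}')
  [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Self-contained walk-through on constructed material: a throwaway self-signed certificate
# (placeholder CN and password, not a real ADFS certificate) packaged into a PFX.
demo() {
  d=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/orig.key" -out "$d/orig.crt" \
    -subj "/CN=adfs.example.test" -days 1 2>/dev/null
  openssl pkcs12 -export -inkey "$d/orig.key" -in "$d/orig.crt" \
    -out "$d/adfs.pfx" -passout pass:Secret1 2>/dev/null
  pfx_to_pem "$d/adfs.pfx" Secret1 "$d/ns"
  if key_is_encrypted "$d/ns.key"; then
    echo "key is still passphrase-protected; the NetScaler will reject it"; return 1
  fi
  if key_matches_cert "$d/ns.key" "$d/ns.crt"; then
    echo "key and certificate match: upload $d/ns.key, $d/ns.crt and $d/ns.ca.crt"
  else
    echo "key does not belong to this certificate"; return 1
  fi
}
```

If the PFX came out of the Windows certificate export wizard and OpenSSL 3 refuses it with an unsupported-algorithm error, the file was protected with the legacy RC2/3DES PKCS#12 ciphers; adding `-legacy` to the `openssl pkcs12` read commands (with the legacy provider available) gets past that without changing anything else here.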