Sunday, October 23, 2016

Authentication vserver cannot be bound to a CS server if VPN server is already bound to it

The title is a bit of a mouthful!  Basically, from NetScaler 11 onwards, Content Switching is supported for both web applications and NetScaler Gateway.  This is great news, as it allows people to put more services behind fewer IP addresses.

I wanted to test this out for myself, so I spun up a NetScaler in my lab and started the configuration.  I wanted to enable AAA so that I could pre-authenticate requests into my web applications (Outlook Web Access in my lab).  The picture below shows an overview (check out the Citrix article it is linked from!)

http://support.citrix.com/article/CTX201949

Firstly I completed the NetScaler Gateway Wizard and ensured that I could authenticate and launch desktops from my XD7.11 lab.

Next I followed Dave Bretty's blog to Content Switch the NetScaler Gateway VS and a newly created VS for OWA.

Then I created an Authentication VS and a policy which says that any request to the AAA address goes to the authentication VS.  Lastly I went to bind the policy to my Content Switching VS and received the error message in the title.


This left me scratching my head for a while.  The VPN server mentioned in the error is the NetScaler Gateway VS.  Then it struck me: the NetScaler Gateway already completes pre-authentication, so I should just be able to use this VS.

I went into the LB VS for OWA and, under Authentication, chose Form Based Authentication; the Authentication FQDN needs to be the NS Gateway address.  Lastly, ensure that the NetScaler Gateway VS is the one being used as the NS Gateway.


After saving this, when you browse to the email URL (email.domain.com) the NetScaler should redirect you to the NS Gateway URL (xendesktop.domain.com).  After successfully authenticating, the NetScaler should redirect back to the email URL (email.domain.com) and, if you have IWA enabled on your Exchange server, you should be presented with your inbox!

Sam

Friday, October 21, 2016

Using PowerShell to update Visio diagrams

Being in IT or architecture generally means using Visio, FACT!

I have been completing lots of work in Visio recently as part of a document migration into an Enterprise Architecture tool called iServer.  This required me to dust off my knowledge of VBA and create lots of macros.  I am not a massive fan of macros; they seem really archaic.

In the more recent iterations of these scripts, I realised that I could use PowerShell to complete the same tasks.  PowerShell is something I am far more comfortable with and, because it sits outside of the application itself, there is more opportunity to run scripts against a larger set of files.

Rather than bore you with some of the scripts I created for my business process diagrams, the example below is a script you can use to update IT related documents.

Below I have a rack diagram I created in Visio.  It has four servers and one router with their names added to ShapeData and a Data Graphic which shows this as a bubble.

Before


Now, wouldn't it be cool if you could update all of your documents with IP addresses without having to sit there typing them in?  Well, that is what I did!


This is the result

After
Here is the script which completes this task

#Ask the user which folder the files are stored in
$location = Read-Host "Where are the files stored"
#Get all Visio files in the location specified (.vsd and .vsdx); the original -match ".vsd" would also match any file name containing "vsd"
$files = Get-ChildItem -Path $location -File | Where-Object { $_.Extension -match '^\.vsdx?$' }

#Create one Visio COM object and reuse it for every file
$visio = New-Object -ComObject Visio.Application
$visio.Visible = $false

#Loop that will go through each Visio file in the folder
ForEach ($file in $files) {

    #Open the next file in the list
    $document = $visio.Documents.Open($file.FullName)

    #Loop that will go through each shape on the active page
    ForEach ($vsoShape in $visio.ActivePage.Shapes) {

        #Get the master; if it is Server or Router, do a DNS lookup of the name and apply the resultant IP address to the shape in question
        $master = $vsoShape.Master
        If ($master -and ($master.Name -eq "Server" -or $master.Name -eq "Router 1")) {

            $networkname = $vsoShape.Cells("Prop.NetworkName").ResultStr(0)
            Try {
                #Take the first A record only; Resolve-DnsName can return several addresses (and CNAME rows), which would all be written into the cell
                $ipaddress = (Resolve-DnsName -Name $networkname -Type A -ErrorAction Stop |
                    Where-Object { $_.Type -eq 'A' } | Select-Object -First 1).IPAddress
                $vsoCell = $vsoShape.Cells("Prop.IPaddress")
                #Visio string formulas must be wrapped in double quotes
                $vsoCell.Formula = """$ipaddress"""
            }
            Catch {
                Write-Warning "Could not resolve $networkname in $($file.Name): $_"
            }
        }
    }

    #Save and close the document before moving to the next file
    $document.Save()
    $document.Close()
}

#Quit Visio afterwards
$visio.Quit()

You can see how this script could be edited to complete any manner of tasks.  If the information was in the shape text itself, you could use this:

$characters = $vsoShape | select -Expand Characters
$char = $characters.textasstring
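
As an added example (not from the original post), here is the same idea turned around into an audit: instead of writing DNS results into the shapes, it walks every page of every .vsd/.vsdx file in a folder, compares the IP recorded in each shape with what DNS says today, and reports drift without saving anything.  It assumes the same Shape Data fields as the script above (Prop.NetworkName and Prop.IPaddress) and the same master names ("Server" and "Router 1"); Get-VisioIpDrift is a hypothetical function name and C:\Diagrams is a placeholder path.

```powershell
# Added example: read-only audit of IP addresses recorded in Visio shapes against current DNS.
# Assumes the Prop.NetworkName / Prop.IPaddress Shape Data fields used in the post above.
function Get-VisioIpDrift {
    param(
        [Parameter(Mandatory)] [string] $Folder,
        [string[]] $Masters = @('Server', 'Router 1')   # master names to inspect, as in the post
    )

    $visio = New-Object -ComObject Visio.Application
    $visio.Visible = $false
    $results = @()

    try {
        foreach ($file in Get-ChildItem -Path $Folder -File | Where-Object { $_.Extension -match '^\.vsdx?$' }) {
            # OpenEx flag 2 = visOpenRO: open read-only so nothing can be changed by accident
            $document = $visio.Documents.OpenEx($file.FullName, 2)
            try {
                # Walk every page, not just the active one
                foreach ($page in $document.Pages) {
                    foreach ($shape in $page.Shapes) {
                        if (-not $shape.Master -or $Masters -notcontains $shape.Master.Name) { continue }
                        # CellExists returns -1 (true) or 0 (false); skip shapes without the field
                        if (-not $shape.CellExists('Prop.NetworkName', 0)) { continue }
                        $name     = $shape.Cells('Prop.NetworkName').ResultStr(0)
                        $recorded = if ($shape.CellExists('Prop.IPaddress', 0)) { $shape.Cells('Prop.IPaddress').ResultStr(0) } else { '' }
                        try {
                            $current = (Resolve-DnsName -Name $name -Type A -ErrorAction Stop |
                                Where-Object { $_.Type -eq 'A' } | Select-Object -First 1).IPAddress
                        } catch {
                            $current = 'UNRESOLVED'
                        }
                        $results += [pscustomobject]@{
                            File        = $file.Name
                            Page        = $page.Name
                            Shape       = $shape.Name
                            NetworkName = $name
                            RecordedIP  = $recorded
                            CurrentIP   = $current
                            Status      = if ($current -eq 'UNRESOLVED') { 'Unresolved' } elseif ($recorded -eq $current) { 'OK' } else { 'Drift' }
                        }
                    }
                }
            } finally {
                $document.Close()
            }
        }
    } finally {
        $visio.Quit()
    }
    return $results
}

# Usage: write the full report next to the diagrams and show only the problems on screen
$report = Get-VisioIpDrift -Folder 'C:\Diagrams'
$report | Export-Csv -Path 'C:\Diagrams\ip-drift.csv' -NoTypeInformation
$report | Where-Object Status -ne 'OK' | Format-Table -AutoSize
```

Running this before the update script tells you which diagrams are stale and which hostnames no longer resolve, which is the sort of thing you want to know before bulk-writing into hundreds of files.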

To see what else you can do programmatically with Visio, please see the MSDN page.

Got any tedious Visio task that you could do with automating?  Let me know in the comments.

Wednesday, October 19, 2016

Using a Password Manager

Using a password manager has been something I have toyed with for a number of years.  With more and more services being hacked and data being exposed, my normal approach of just tiering passwords by application importance just wasn't cutting it anymore.

You only have to follow haveibeenpwned on Twitter to see how many data breaches have been loaded into the service run by computer security legend Troy Hunt.

So I decided to give it a go.

User Experience

Now, my biggest concern about using a password manager was the user experience, especially on a machine where I cannot load extensions, e.g. my work XenApp server.

I had a quick look through the options and initially tried 1Password, as it had a 6 month free trial.  I quickly dismissed this as an option for a couple of reasons.

1.  The login process on the webpage was a bit more complicated than it needed to be.  When going to the web interface, you had to enter "my" in the text box below and press continue.  Seems odd; I suspect it might be because you could host the vault in your own location.

What?  Entering my and pressing enter gets you through
2.  There isn't a full featured Windows application or Chrome extension on Windows.  This made it pretty laborious to add new passwords or auto sign in to applications.

After this, I looked at LastPass.

I was immediately more impressed.  The 14 day trial was nice but only allowed access to use from one device, which was frustrating.  The pro service is only $12 a year though, so I stumped up the cash and really went to town.

Now...I would love to show you some screenshots and talk you through my setup, but I don't really fancy publicly showing which sites and services I use!

Below is a screenshot from the lastpass website which shows the interface of the websites you have saved.  You can use this as a launchpad to open your web applications.


So far so good, but what about machines without the ability to install extensions etc?  Well, going to lastpass.com and logging in with your master password brings up the same interface.  Now you can't launch the applications natively, but you can copy the passwords to the clipboard and paste them in.

Some services will try to stop passwords from being pasted in, to try and make things more "secure".  This isn't a great idea and if you want to read more on this, check out this blog from none other than Troy Hunt.

Generating new passwords
After installing the extension to Chrome (or equivalent), when you try to sign up to a new service you will see an icon which allows you to generate a new random password.


How easy is that!

Saving existing passwords
When logging in to an existing website, you will be presented with a banner asking to save this site.  If this is not appropriate, you can say never, which will stop this from popping up.



Mobile
What about Mobile?  Well, I was very impressed here.  The mobile app comes with a built in browser which can be used to auto login to web applications.  But what about native apps, or if you just prefer using something like Chrome?

LastPass makes use of the accessibility options in Android.  This allows it to read the screen and paste your login credentials into the appropriate fields.


In practice, when logging into the MyFitnessPal app, you can open the LastPass helper and it will either auto fill the screen or let you copy/paste the password.


LastPass also allows you to use Google Authenticator as two factor authentication when logging into your vault from a new device.  As you are putting a large emphasis on one master password, two factor authentication is an absolute must!

Conclusion
The process of moving old accounts over to using new randomly generated passwords took a bit of time, but overall I am very pleased.  I think having a password manager has taken a lot of stress away from me when signing up for new services.

I don't have to try and categorise a website and choose an appropriate password.  I don't have to worry about websites' weird password policies and whether I have had to make odd variations to an existing password.

I just sign up, use a random generated password, save it, forget about it.

Now, is LastPass the right platform?  It works well for my needs, but I am sure other products would work perfectly well for other people.  Let me know if you use a password manager and how it works for you.

Thursday, October 06, 2016

Secure your phone against 2FA skimming

Google recently introduced a new, faster method of 2 step verification.  Instead of using Google Authenticator or SMS as a mechanism to enter a verification code, they simply send a push notification to your mobile device.

It is simple and if you don't use it, you should turn it on!

But today, for some reason, the push notification didn't arrive.  So I asked Google to try a different method.  I chose SMS and a moment later I was sent a text message with a code (partially blanked out below).
MFA code is visible when locked
Now you can see that my phone is locked, but the whole code is visible.  This got me very paranoid: imagine being away from your phone for 5 minutes and someone guessing your password and then using this to bypass two factor authentication?  Or, thinking about it, my bank uses one time passcodes (OTP) before transferring large amounts of cash....scary!

No thanks

Thankfully, Android has a mechanism to make this more secure.  Go to Sound & Notifications > App Notifications > Messaging.

From here you can turn on the setting to Hide Sensitive Content.

Enable "Hide Sensitive Content"
I tested the two factor authentication again after turning this setting on and the results are below.  A lovely hidden SMS!
MFA code is hidden until unlock
You can achieve a similar result in iOS.

Sam

Monday, October 03, 2016

Gathering MX Records for Office 365 Domains

I have come across the need for a simple output of MX records for each domain in an Office 365 tenant.

An Office 365 tenant can contain multiple domains in a verified or unverified state.

This script simply outputs the MX records for each verified domain into a CSV file named after the tenant ID.  The CSV file is written to the %temp% folder by default.

You will need to run the script inside a PowerShell session connected to Office 365.



#This script collects the MX records for all domains which have been verified in an O365 tenant.
#Run the script from within an O365 PowerShell session (i.e. after Connect-MsolService).
#Author: Ben Owens
#Date: 03/10/2016

$Temp = $env:TEMP
#The initial domain (tenant.onmicrosoft.com) is used as the tenant ID in the file name
$TenantID = Get-MsolDomain | Where-Object { $_.IsInitial -eq $true } | Select-Object -ExpandProperty Name
$Domains = Get-MsolDomain | Where-Object { $_.Status -eq "Verified" } | Select-Object -ExpandProperty Name
#Resolve the MX records for each verified domain; a domain with no MX (or that fails to resolve) is reported rather than silently skipped
$MXRecords = ForEach ($Domain in $Domains) {
    Try {
        Resolve-DnsName -Name $Domain -Type MX -ErrorAction Stop | Where-Object { $_.QueryType -eq "MX" }
    }
    Catch {
        Write-Warning "No MX record returned for $($Domain): $_"
    }
}
$Output = "$Temp\$TenantID-mxrecords.csv"
$MXRecords | Select-Object Name, NameExchange, Preference, TTL | Export-Csv -Path $Output -NoTypeInformation
$Output
Notepad $Output

Example Output:
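
Going a step beyond the script above, here is an added example (not Ben's script) that gathers, for each verified domain, the MX records plus the SPF record (TXT at the domain apex) and the DMARC record (TXT at _dmarc.<domain>), so one pass shows which domains receive mail but have no anti-spoofing policy.  It assumes the same connected O365 PowerShell session (Get-MsolDomain) and Resolve-DnsName; Get-TenantMailDnsPosture is a hypothetical function name.

```powershell
# Added example: MX + SPF + DMARC posture per verified Office 365 domain.
# Assumes Connect-MsolService has already been run in this session.
function Get-TenantMailDnsPosture {
    param(
        # Verified domains in the tenant; defaults to asking MSOnline, can be overridden with a plain list
        [string[]] $Domains = (Get-MsolDomain | Where-Object { $_.Status -eq 'Verified' } | Select-Object -ExpandProperty Name)
    )

    foreach ($domain in $Domains) {
        # MX: who receives mail for the domain, lowest preference first
        $mx = Resolve-DnsName -Name $domain -Type MX -ErrorAction SilentlyContinue |
              Where-Object { $_.QueryType -eq 'MX' } | Sort-Object Preference

        # SPF: the TXT record at the apex that starts with "v=spf1" (long records are split into several strings)
        $spf = Resolve-DnsName -Name $domain -Type TXT -ErrorAction SilentlyContinue |
               Where-Object { $_.QueryType -eq 'TXT' } |
               ForEach-Object { $_.Strings -join '' } |
               Where-Object { $_ -like 'v=spf1*' } | Select-Object -First 1

        # DMARC: the TXT record at _dmarc.<domain> that starts with "v=DMARC1"
        $dmarc = Resolve-DnsName -Name "_dmarc.$domain" -Type TXT -ErrorAction SilentlyContinue |
                 Where-Object { $_.QueryType -eq 'TXT' } |
                 ForEach-Object { $_.Strings -join '' } |
                 Where-Object { $_ -like 'v=DMARC1*' } | Select-Object -First 1

        # Pull the domain policy (p=, not sp=) out of the DMARC record, if there is one
        $policy = if ($dmarc -and $dmarc -match '(?:^|;)\s*p=(\w+)') { $Matches[1] } else { 'none set' }

        [pscustomobject]@{
            Domain      = $domain
            MX          = ($mx | ForEach-Object { "$($_.Preference) $($_.NameExchange)" }) -join '; '
            SPF         = if ($spf) { $spf } else { 'MISSING' }
            DMARC       = if ($dmarc) { $dmarc } else { 'MISSING' }
            DmarcPolicy = $policy
            # A domain that receives mail but has no SPF or DMARC is the case worth a closer look
            Flag        = if ($mx -and (-not $spf -or -not $dmarc)) { 'ReceivesMail-NoSpoofProtection' } else { '' }
        }
    }
}

# Usage: same CSV-in-%temp% convention as the script above
$tenantId = Get-MsolDomain | Where-Object { $_.IsInitial -eq $true } | Select-Object -ExpandProperty Name
$posture  = Get-TenantMailDnsPosture
$posture | Export-Csv -Path "$env:TEMP\$tenantId-maildns.csv" -NoTypeInformation
$posture | Format-Table Domain, DmarcPolicy, Flag -AutoSize
```

Pass -Domains explicitly (for example, -Domains 'contoso.com') to run it against any list of domains without an O365 session at all; only the tenant ID lookup in the usage lines needs MSOnline.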

Friday, September 30, 2016

Last week/this week

What have I learnt in the last week or so?

Resetting domain admin password
I had an old Exchange 2010 lab environment which I needed to use to test some TLS settings.  I booted it up, typed my password and bam.....not accepted.

I tried a few variations of the password and nothing!  Scratching my head and a Google later, I came across this:

https://4sysops.com/archives/forgot-the-domain-admin-password/

This blog post describes how you can use the Windows ISO to open a command prompt on the DC and replace utilman.exe with cmd.exe.  Boot up the DC again and then click the Accessibility option on the login screen.


Instead of launching utilman.exe, it launches cmd.exe.  More crucially, it does this in the SYSTEM context, so basically you have access to the whole machine.  A net use command later and the admin password is reset.

It worked perfectly, but it is rather unsettling.  If this was being used as a mechanism to attack your network, you can protect yourself in a few ways:
  • Alert if machines are rebooted.  Clearly DCs shouldn't be rebooted unless there are planned updates or similar.  This will not stop the attack, but it will tell you that something is fishy.
  • Restrict physical access - easier said than done, especially if VMs are involved.  I did this whilst remotely connected to my home lab miles away!
  • Encrypt the local drives - this will stop someone from seeing the local file system when booting from a mounted ISO.
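
As an added example (not from the original post), here is a defender-side check for the first point in the list: it tells you whether utilman.exe on a server has been replaced with another binary, and lists recent reboot events so you can see when the box was restarted.  It assumes an elevated PowerShell session on a Windows Server (PowerShell 4 or later for Get-FileHash); Test-AccessibilityBinary and Get-RecentReboots are hypothetical function names, and the expected OriginalFilename value is an assumption to confirm against a known-good build.

```powershell
# Added example: detect the utilman.exe swap described above and list recent reboots.
function Test-AccessibilityBinary {
    param([string] $Path = "$env:SystemRoot\System32\utilman.exe")

    $item = Get-Item -Path $Path
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cmd  = Get-FileHash -Path "$env:SystemRoot\System32\cmd.exe" -Algorithm SHA256
    $this = Get-FileHash -Path $Path -Algorithm SHA256

    [pscustomobject]@{
        Path             = $Path
        OriginalFilename = $item.VersionInfo.OriginalFilename   # assumed to read "utilman.exe" on a clean build
        Signature        = $sig.Status                          # Valid for the Microsoft-shipped binary
        SameAsCmd        = ($cmd.Hash -eq $this.Hash)           # the swap described above makes this true
        LastWrite        = $item.LastWriteTime                  # a fresh timestamp on a system file is a clue on its own
        Suspicious       = ($cmd.Hash -eq $this.Hash) -or
                           ($sig.Status -ne 'Valid') -or
                           ($item.VersionInfo.OriginalFilename -notlike 'utilman*')
    }
}

function Get-RecentReboots {
    param([int] $Days = 7)
    # 1074 = shutdown/restart requested by a user or process, 6005/6006 = event log service started/stopped
    # (i.e. boot/shutdown), 41 = the machine came back without a clean shutdown
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 41, 1074, 6005, 6006; StartTime = (Get-Date).AddDays(-$Days) } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, ProviderName, @{ n = 'Detail'; e = { ($_.Message -split "`n")[0] } }
}

# Usage: run on each DC (or remotely via Invoke-Command) and alert on Suspicious = True
Test-AccessibilityBinary | Format-List
Get-RecentReboots -Days 7 | Format-Table -AutoSize
```

A reboot that is not in the change calendar, followed by a utilman.exe whose signature is no longer valid, is exactly the pattern the bullet points above are trying to catch; the file check is cheap enough to schedule.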
Google Duo
Google released a simple VC application called Duo.  I guess this is a mechanism to compete with FaceTime.  Feature wise it does overlap with Hangouts, but Duo seems far simpler.

https://duo.google.com/



As you can see above, after opening the application you have one option, "Video Call".  Once you press this, you are presented with a list of people in your phone book who have the application installed.  Easy!

FolderMill
I found a piece of software called FolderMill.  It is designed to sit on a file server, monitor a specific folder for files and then complete a set of actions.

These actions could include converting to PDF or printing.


This looks like a really useful application for small businesses who want to automate parts of their business processes without having to complete custom development or buy some hefty expensive off the shelf product.



Friday, September 16, 2016

This week...

What have I learnt this week?

Wireless
Whilst 5GHz channels do not overlap, it all depends on how your access points are configured.  We found that setting up different APs on adjacent channels seemed fine, but then realised that the APs were broadcasting 80MHz wide and therefore caused overlap.


We reduced this to 40MHz, which decreased the interference, but it is also worth bearing in mind that narrowing the channel will slightly decrease total throughput.
I found this decent webpage which covers the above and other enterprise WiFi considerations.

http://www.metageek.com/training/resources/design-dual-band-wifi.html

On this, I updated my WiFi logging PowerShell script.  It collects data every 2 seconds and includes the channel being used, which is useful for the above.

#Log ping response time, signal strength, BSSID, profile and channel every 2 seconds
$report = "c:\temp\reportGoogle.csv"

#Pull a single field out of the "netsh wlan show interfaces" output
Function Get-WlanField ($Output, $Name) {
    ($Output -match "^\s+$Name\s+:" -replace "^\s+$Name\s+:\s+", '') | Select-Object -First 1
}

While ($true)
{
    Sleep 2
    $time = Get-Date -Format T

    #Collect the wireless details once per sample rather than running netsh four times
    $wlan    = netsh wlan show interfaces
    $signal  = Get-WlanField $wlan 'Signal'
    $BSSID   = Get-WlanField $wlan 'BSSID'
    $channel = Get-WlanField $wlan 'Channel'
    $profile = Get-WlanField $wlan 'Profile'

    Try
    {
        $ping = Test-Connection 8.8.8.8 -Count 1 -ErrorAction Stop | ForEach-Object { $_.ResponseTime }
        Write-Host "Response Time is $ping , $signal , $BSSID , $channel"
    }
    Catch
    {
        #Timed out (or no route); record it as such rather than skipping the sample
        $ping = "Request Timed Out"
        Write-Host $ping
    }

    #One line per sample; the original wrote each line twice because the Finally block repeated the Out-File
    $output = $time + "," + $ping + "," + $signal + "," + $BSSID + "," + $profile + "," + $channel
    Out-File -FilePath $report -InputObject $output -Append
}

By the way, I use http://hilite.me/ to add this code to the blog.

CVV
I saw that Troy Hunt had verified another data breach, one with a huge number of records that includes items like Card Verification Values (CVV).  This is that little 3-4 digit code on the back of credit/debit cards (or the front of AMEX).

https://www.troyhunt.com/someone-just-lost-324k-payment-records-complete-with-cvvs/

Under PCI DSS rules, companies should not actually store this value on their systems.  This is why some web providers ask you for your CVV even though they have stored your main card number and the expiry date.

But some retailers do not store this value at all, and you can still make payments without any issue (Amazon one click, anyone?).  Troy shares the following link in his article.


http://security.stackexchange.com/questions/21168/how-does-amazon-bill-me-without-the-cvc-cvv-cvv2

So it looks like you don't actually require the CVV to make a payment, but companies are often given a discount by their bank/payment processor for transactions with a CVV.  This encourages its use and decreases fraud.

Amazon have clearly taken the decision to ignore the CVV and pay a slightly higher fee per transaction.  They can keep fraud low by running checks on all of the other information you need to provide for an account and by tracking your purchase history.  The money Amazon makes from the convenience of one click must easily outweigh the cost of fraudulent purchases.

Export Public Folders
Someone asked me this week how to export some contact information from Public Folders, specifically the titles for a huge contact list.  My mind immediately went to PowerShell on the server side, but after a little searching around it appeared there wasn't an obvious cmdlet for it.

A quick Google later and I came across the following Stack Overflow page:

http://stackoverflow.com/questions/13350783/exchange-powershell-contacts-from-public-folder

PowerShell on a client computer with Outlook installed can be used to get at all of the information in all of your folders.  I adapted the example provided in the link above for my case.


$Outlook       = New-Object -ComObject Outlook.Application
$Namespace     = $Outlook.GetNamespace("MAPI")
#The top level folder is named "Public Folders - <mailbox address>"; use the name exactly as shown in Outlook
$PublicFolder  = $Namespace.Folders.Item("Public Folders – [email protected]")
$PublicFolders = $PublicFolder.Folders.Item("All Public Folders")
$Sublevel1     = $PublicFolders.Folders.Item("Sublevel1")
$ContactsList  = $Sublevel1.Folders.Item("ContactList")
$Contacts      = $ContactsList.Items
#The original piped $contact (singular, never assigned) and so output nothing; Title is the salutation field of a ContactItem, JobTitle is the job title
$Contacts | Select-Object Title

The output is what we needed for this data migration exercise. 


It needs some cleansing obviously!

Wednesday, September 07, 2016

What have I learnt..in the last few days

I had planned on completing one of these blog posts each day, but it became apparent on Friday that this was clearly a step too far.

Work has been crazy busy at the moment and when I get home I would rather spend time with the family than make blogging my number 1 priority!

Anywho, the plan is to make these a little less regular, maybe once a week.

So what have I learnt this week?

Amazon Dash

Ariel Dash Button
Amazon released the Amazon Dash button in the UK last week.  The idea is that you put a branded button in certain locations around your home.  When you run out of a specific item (e.g. washing powder) you press the Ariel Amazon Dash button on your washing machine.  This will contact Amazon and get your Ariel product delivered the next day.

Neat idea, slightly overkill I think, but neat!

But how does it work?  How long do they last?

Well I came across this pretty decent teardown blog post from Matthew Petroff.

https://mpetroff.net/2015/05/amazon-dash-button-teardown/

The button uses a single AAA battery, which is soldered in.  The way the button works means it uses minimal energy, so it should easily last longer than it will be useful.

Interestingly, if you pair the button with an Android device, it will use WiFi.  But if you have an iOS device, it uses Ultrasound.  That is cool.

Single Cell WiFi

A large part of last week was spent troubleshooting WiFi issues in one of our main offices.  We use a system from a company called Meru (recently purchased by Fortinet).  Their offering utilises a Single Cell architecture.

This means that all Access Points broadcast their SSIDs on the same channel.  This can be really useful for provisioning sites easily, as there is less need to do site surveys and plan your channel layout when provisioning a new office.  In my experience, office moves usually involve IT being left way down the list of people given advance notice, so having something which can be rolled out relatively quickly and requires less physical resource is a thumbs up.

But there are some concerns around throughput, which this blog post goes into.

https://community.spiceworks.com/topic/989074-why-zero-hand-off-aka-single-cell-architecture-does-not-work-very-well

Our issue wasn't throughput related, but congestion related and the sheer amount of people in our tiny office.  We are running a programme of work to implement an ERP system which involves many people from the business, system integrators and third parties.

In the last week, the WiFi performance has gone off a cliff.  Lots of dropped packets between laptops and APs.  We used a spectrum analyser to see if there was any external interference, but found nothing.

We then took a new AP and published a different SSID on a different 5GHz channel.  This worked perfectly.  If I moved this SSID onto the 5GHz channel used by our other APs, the performance was also terrible.  This also tallies with an increase in the number of people working in the office on a permanent basis.

So it seems that if you have a Single Cell architecture, be really careful of the density of devices in small offices.  Someone suggested more APs, but I think this would just contribute to the problem more than anything.

Our current plan is to change half of the APs to one channel and the other half to something else to try and ease the congestion in the air.

To help troubleshoot this, I used the following PowerShell script.  It pings Google's DNS server every 2 seconds and, if the response time is greater than 200ms (or it times out), adds the response time, signal strength, the BSSID connected to and the SSID to a CSV file.  If 5 of these occur in a row, it adds a line to the CSV to that effect.

$errornumber = 0
$outputreport = "c:\temp\reportgoogle.csv"

#Pull a single field out of the "netsh wlan show interfaces" output
Function Get-WlanField ($Output, $Name) {
    ($Output -match "^\s+$Name\s+:" -replace "^\s+$Name\s+:\s+", '') | Select-Object -First 1
}

While ($true)
{
    Sleep 2
    $time = Get-Date -Format T

    #Collect the wireless details once per sample rather than running netsh three times
    $wlan    = netsh wlan show interfaces
    $signal  = Get-WlanField $wlan 'Signal'
    $BSSID   = Get-WlanField $wlan 'BSSID'
    $profile = Get-WlanField $wlan 'Profile'

    Try
    {
        $ping = Test-Connection 8.8.8.8 -Count 1 -ErrorAction Stop | ForEach-Object { $_.ResponseTime }
        Write-Host "Response Time is $ping"
        $slow = ($ping -gt 200)
    }
    Catch
    {
        #A timeout counts as a slow sample
        $ping = "Request Timed Out"
        Write-Host $ping
        $slow = $true
    }

    $output = $time + "," + $ping + "," + $signal + "," + $BSSID + "," + $profile

    If ($slow)
    {
        Out-File -FilePath $outputreport -InputObject $output -Append
        $errornumber += 1
    }
    Else
    {
        $errornumber = 0
    }

    #Five consecutive slow samples at 2 second intervals = ten seconds; flag it once and start counting again
    #(the original used -gt 5 and never reset the counter, so it flagged every sample after the sixth)
    If ($errornumber -ge 5)
    {
        Out-File -FilePath $outputreport -InputObject "SLOW OVER LAST TEN SECONDS" -Append
        $errornumber = 0
    }
}

And Finally

HIIT (High Intensity Interval Training) has been discussed as a shortcut to exercise for years.  Last week, the BBC ran the following article, which is also part of the TV series "Trust Me I'm a Doctor".

http://www.bbc.co.uk/news/magazine-37249021

They ran tests to help prove or disprove HIIT as a credible alternative to the standard mantra of 150 minutes of moderate exercise a week.

The Results were pretty impressive.  The group who completed 15 minutes of HIIT across three sessions a week actually had a 17% greater VO2 max than the group who did 150 minutes of moderate exercise.

Pretty impressive, I might make my next run based on Tabata

Sam

Thursday, September 01, 2016

WHILT

Azure AD domains
So you may remember that a couple of days ago I blogged that it was only possible to have one domain associated with an Azure AD tenant.  Well this is kind of true, but not entirely.

In fact, in Azure AD you can add the same domain name to different AD tenants without any error message whatsoever.  It is only at the point where you verify the domain that it pops up with this error.



Windows programs on Chromebooks

I saw this tweet earlier today




There is a piece of software called Crossover which is currently in preview.  It will allow you to run Windows applications on Intel based Chromebooks.  I wrote a blog post a while back which explained why I wouldn't buy a Chromebook.  This piece of software will potentially eliminate those types of concerns.


I am currently looking at purchasing a cheap laptop to replace my Asus UL20a which is pretty old now.  The laptop is fine, but the battery is fairly knackered (2 hours max).  I was looking at HP Streams, Lenovo 100s ideapads and the like, but a Chromebook could be a good option now!

You can find more information here

https://www.codeweavers.com/products/crossover-android

And Finally

Here are some Chromebooks for sale....Shall I?

https://www.amazon.co.uk/Lenovo-11-6-Inch-Chromebook-Laptop-Black/dp/B01GCNZ79C/
https://www.amazon.co.uk/ASUS-Chromebook-C201PA-FD0011-11-6-Inch-Notebook/dp/B01AWHN3AY/

Wednesday, August 31, 2016

WHILT

What have I learnt today?


Webcam fail in Windows 10 anniversary


I read a tweet shortly after the Windows anniversary update stating that lots of webcams had stopped working.  I didn't think too much of it until I tried to join a VC this morning using the Polycom RealPresence Desktop app.  It kept crashing when joining the VC and my brain kicked into gear.

I found the following link, applied the workaround registry settings and my webcam worked again!


(edit the registry at your own risk!) 

Under each of the following two keys:

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Media Foundation\Platform

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Media Foundation\Platform

create a DWORD value named EnableFrameServerMode and set it to 0 (zero).

The background is that in previous versions of Windows only one application was able to access a webcam at any one time.  This release introduces a service called Windows Camera Frame Service.  The idea is that all applications will be able to access the webcam at the same time.  This is particularly useful for the new authentication methods Microsoft have been advertising on TV.

To introduce this service, Microsoft had to turn off compression of the webcam stream, to avoid the inevitable CPU increase of a bunch of different applications all trying to decompress the stream at the same time.

The downside is that most USB webcams, and even integrated cameras, are connected using USB2 interfaces which can only transmit 480MB/s.  Using compression allows HD to flow quite freely over USB2, but turn compression off and you have a big problem.  The registry value above disables this new mode.
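
As an added example (not from the original post), here is the workaround above as a script: it writes EnableFrameServerMode = 0 under both keys, reads the values back so you can confirm what is set, and can remove the override again to return to the default behaviour.  It assumes an elevated PowerShell session; the key paths and value name are the ones quoted above, and Set-FrameServerMode, Get-FrameServerMode and Remove-FrameServerOverride are hypothetical function names.

```powershell
# Added example: apply, inspect and undo the EnableFrameServerMode workaround described above.
# Run elevated; HKLM is read-only for standard users.
$frameServerKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows Media Foundation\Platform',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows Media Foundation\Platform'   # seen by 32-bit apps
)

function Set-FrameServerMode {
    # 0 disables the new Frame Server mode, which is the workaround the post describes
    param([int] $Value = 0)
    foreach ($key in $frameServerKeys) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name 'EnableFrameServerMode' -PropertyType DWord -Value $Value -Force | Out-Null
    }
}

function Get-FrameServerMode {
    foreach ($key in $frameServerKeys) {
        $current = Get-ItemProperty -Path $key -Name 'EnableFrameServerMode' -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Key   = $key
            Value = if ($null -ne $current) { $current.EnableFrameServerMode } else { '(not set: default behaviour)' }
        }
    }
}

function Remove-FrameServerOverride {
    # Deleting the value returns Windows to its default (Frame Server on) once apps reopen the camera
    foreach ($key in $frameServerKeys) {
        Remove-ItemProperty -Path $key -Name 'EnableFrameServerMode' -ErrorAction SilentlyContinue
    }
}

# Usage: apply the workaround and show the result
Set-FrameServerMode -Value 0
Get-FrameServerMode | Format-Table -AutoSize
```

Keep the undo function to hand: once a fixed driver or Windows update lands, removing the override is the cleaner way back than leaving a stale registry tweak in place.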

Dropbox Hack was real

There has been talk for quite some time about a mythical hack of Dropbox which happened in 2012.  Well, this morning the mythical status was stripped away as top notch security guru Troy Hunt validated the dumps as real.  There are 60M records inside the dump, but fortunately passwords with weaker hashes have been salted and the strong hashes are unsalted.  If this had been the other way around, it could have been carnage!


If you haven't come across Troy's website haveibeenpwned, I recommend you go and visit it and see if your details are contained in the many hacks which have taken place over the years.


Meeting details button in OneNote


This one is fairly minor, but I recently made the switch from keeping notes in Google Keep to OneNote.  The flexibility of OneNote was attractive.  Today I realised that you can press this little beauty of a button whilst in a note and select a meeting from your Outlook calendar; all of the meeting details, including title, agenda and attendees, are then copied into your note!  Amazing.

More details here

And Finally.....

Sweat doesn't smell
It is the bacteria which lives on your skin that feeds on the oily sweat from certain areas (!) which creates the odour.  

Tuesday, August 30, 2016

What Have I Learnt Today? (WHILT)

When I am really busy at work, it can seem as though I haven't developed or learnt anything at all.  After a few weeks of this, you can end up feeling stale or unenthusiastic about your job.

In actual fact, even through those really busy days where you attend meetings which don't necessarily require your input, you do repetitive tasks or just don't have time to think, you still learn things.

I think it is really important to learn new skills and this set of blog posts will help me reflect on the little things I pick up on a day to day basis.
 
Most of the time they will be technical tidbits, but there might be the odd random fact too.

I will call these posts "What Have I Learnt Today?" or WHILT.

So what have I learnt today?

Azure AD tenants

I needed to do some research into Azure AD topologies to help with some merger work we have coming up.



I came across this great little article on the Microsoft website

https://azure.microsoft.com/en-gb/documentation/articles/active-directory-aadconnect-topologies/

The main takeaway is that you can only have one FQDN namespace (fabrikam.com) associated with a single AD tenant.  If you have a merged organisation, you can either have different AD tenants, in which case you will need to use different UPNs, or you will need to sync the AD objects to the same AD tenant.

Powershell Test-Connection

I was working somewhere with a poor wifi connection which had a really high latency.  When I realised it was rubbish, I ran a continuous ping to help notice when it occurred.

I thought it would be good to run a PowerShell script which would then alert me when latency went above, say, 200ms for more than 5 pings (or timed out).  I thought getting this information out of a ping string would be a pain in the backside.  A quick Google later and I came across Test-Connection.

https://technet.microsoft.com/en-us/library/hh849808.aspx

Fantastic, the result of this command makes the information easily accessible.  This will come in really useful for other scripts too.


And Finally

I have no idea what Tottenham Hotspur's transfer strategy is, they seem to be selling all of our players!


Tuesday, July 26, 2016

Exchange Free/Busy Calendar Sharing

Recently we had a request to share calendars with an external organisation that we are working on a project with.  In the old days of Exchange, the only way of achieving this seamlessly was to set up trusts or use things like IIRU and IIFP.

Since Exchange 2010, Microsoft have offered the Microsoft Federation Gateway.  This allows companies to set up a trust to Microsoft, which can then be used to obtain scheduling information from a third party once policies have been configured on both parties' Exchange environments.

https://technet.microsoft.com/en-us/library/dd335198(v=exchg.141).aspx

This looked like a pretty straightforward task and certainly a LOT easier than setting up direct trusts or sharing keys.  Unfortunately it wasn't quite that straightforward.
These were the issues we ran into and the relevant fix.

1.  Cannot create an Organisational Relationship for the third party.  Also, running the Get-FederationInformation PowerShell cmdlet errors.

FIX = Allow unauthenticated proxy server access from the CAS servers to the Autodiscover address of the third party's Exchange.

2.  Cannot successfully complete the Test-OrganizationRelationship PowerShell cmdlet.


FIX = Enable WS-Security for the EWS and Autodiscover virtual directories.  This was already set to true, but setting it to true again fixed the issue.

3.  Lastly, Free/Busy information worked one way, but not the other.

Works from Lab into Enterprise

Fails from Enterprise into Lab

FIX = Enable Outlook logging and attempt the Free/Busy test; the resulting FB log file shows a proxy 407 authentication issue.  The fix is to allow unauthenticated access to the EWS path from all of the CAS servers.
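
As an added example (not from the original post), here is a check that covers the three fixes above from an Exchange Management Shell (2010 or later): whether WS-Security is on for every EWS and Autodiscover virtual directory, whether Get-FederationInformation can reach the partner's Autodiscover, and what Test-OrganizationRelationship reports end to end.  It assumes you supply the partner's SMTP domain and a mailbox in your own organisation for the relationship test; Test-FederationReadiness is a hypothetical function name and lab.example.com / user@example.com are placeholders.

```powershell
# Added example: pre-flight checks for Exchange federation Free/Busy, run from the Exchange Management Shell.
function Test-FederationReadiness {
    param(
        [Parameter(Mandatory)] [string] $PartnerDomain,   # the third party's SMTP domain
        [Parameter(Mandatory)] [string] $TestMailbox      # a mailbox in this organisation used for the relationship test
    )

    # 1. WS-Security must be on for both virtual directories on every CAS (issue 2 above)
    $vdirs = @(Get-WebServicesVirtualDirectory) + @(Get-AutodiscoverVirtualDirectory)
    foreach ($vdir in $vdirs) {
        [pscustomobject]@{
            Check  = "WSSecurity on $($vdir.Identity)"
            Result = if ($vdir.WSSecurityAuthentication) { 'OK' } else { 'FAIL: set WSSecurityAuthentication to $true and re-run' }
        }
    }

    # 2. Get-FederationInformation fails if the CAS cannot reach the partner's Autodiscover, e.g. proxy auth (issue 1 above)
    try {
        $fed = Get-FederationInformation -DomainName $PartnerDomain -ErrorAction Stop
        [pscustomobject]@{ Check = "Federation info for $PartnerDomain"; Result = "OK: $($fed.TargetApplicationUri)" }
    } catch {
        [pscustomobject]@{ Check = "Federation info for $PartnerDomain"; Result = "FAIL: $($_.Exception.Message)" }
    }

    # 3. The relationship test exercises the EWS/Autodiscover path end to end (issues 2 and 3 above)
    $rel = Get-OrganizationRelationship |
           Where-Object { ($_.DomainNames | ForEach-Object { $_.ToString() }) -contains $PartnerDomain }
    if ($rel) {
        Test-OrganizationRelationship -Identity $rel.Identity -UserIdentity $TestMailbox -ErrorAction SilentlyContinue |
            ForEach-Object { [pscustomobject]@{ Check = "Test-OrganizationRelationship ($($_.Id))"; Result = $_.Status } }
    } else {
        [pscustomobject]@{ Check = 'Organization relationship'; Result = "FAIL: none defined for $PartnerDomain" }
    }
}

# Usage
Test-FederationReadiness -PartnerDomain 'lab.example.com' -TestMailbox 'user@example.com' | Format-Table -AutoSize
```

Run it from both organisations: the one-way failure in issue 3 above only shows up on the side whose CAS servers cannot get past the proxy, so a clean result on one side tells you nothing about the other.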

I found the two following blogs very useful through this process.  If you are struggling and the above doesn't work for you, then go check these links out.

https://johanveldhuis.nl/exchange-federation-deel-i/
https://lynclogix.wordpress.com/2014/04/22/exchange-federation-freebusy-drops-the-soap-header/

Thanks
Sam

Tuesday, March 01, 2016

Cannot add certificate to Netscaler

Recently I blew the dust off my lab environment and decided to look into configuring an ADFS proxy through a NetScaler.  The first task is to install a publicly trusted SSL certificate on the NetScaler.

Once I had created a CSR and got it signed by my CA, I was ready with the files I needed, namely:

  • A PFX file (the private key, which is used to decrypt SSL traffic on the NetScaler)
  • A CA bundle (files which are used to encrypt traffic and for clients to decide whether to trust their connection to me)
When importing the files onto the Netscaler, I kept getting the following error message.

"Invalid private key, or PEM pass phrase required for this private key"

A quick Google search reveals an old CTX article.

The resolution is to export the private key to a new file on the shell of the Netscaler.  This didn't really satisfy my curiosity as to why this error was occurring.

After a bit more Googling I found the following CTX.


This article explains that you can manually import the PFX file, but in a format that the Netscaler will be able to use.

Once this task was completed, adding the certificate bundle to this PFX file worked perfectly.

Sam