Sunday, October 23, 2016

Authentication vserver cannot be bound to a CS server if VPN server is already bound to it

The title is a bit of a mouthful!  Basically, from NetScaler 11 onwards, Content Switching is supported for both web applications and NetScaler Gateway.  This is great news, as it allows people to put more services behind fewer IP addresses.

I wanted to test this out for myself, so I spun up a NetScaler in my lab and started the configuration.  I wanted to enable AAA so that I could pre-authenticate requests into my web applications (Outlook Web Access in my lab).  The below picture shows an overview (check out the Citrix article it is linked from!)

Firstly I completed the NetScaler Gateway Wizard and ensured that I could authenticate and launch desktops from my XD7.11 lab.

Next I followed Dave Bretty's blog to Content Switch the NetScaler Gateway VS and a newly created VS for OWA.

Then I created an Authentication VS and a policy which says that any request to the AAA address goes to the authentication VS.  Lastly I went to bind the policy to my Content Switch VS, and received the error message in the title.

This left me scratching my head for a while.  The VPN server mentioned in the error is the NetScaler Gateway VS.  Then it struck me: the NetScaler Gateway already performs pre-authentication, so I should just be able to use that VS.

I went into the LB VS for OWA and, under Authentication, chose Form Based Authentication.  The Authentication FQDN needs to be the NetScaler Gateway address.  Lastly, ensure that the NetScaler Gateway VS is the one selected as the NetScaler Gateway virtual server.

After saving this, when trying to go to email URL ( the NetScaler should redirect this to the NS Gateway URL (  After successfully authenticating, the NetScaler should redirect to the email URL ( and if you have IWA enabled on your exchange server, you should be presented with your inbox!


Friday, October 21, 2016

Using PowerShell to update Visio diagrams

Being in IT or architecture generally means using Visio, FACT!

I have been completing lots of work in Visio recently as part of a document migration into an Enterprise Architecture tool called iServer.  This required me to dust off my knowledge of VBA and create lots of macros.  I am not a massive fan of macros; they seem really archaic.

In the more recent iterations of these scripts, I realised that I could use PowerShell to complete the same tasks.  PowerShell is something I am far more comfortable with, and because it sits outside of the application itself, there is more opportunity to run scripts against a larger set of files.

Rather than bore you with the scripts I created for my business process diagrams, the example below is a script which you can use to update IT related documents.

Below I have a rack diagram I created in Visio.  It has four servers and one router with their names added to ShapeData and a Data Graphic which shows this as a bubble.


Now, wouldn't it be cool if you could update all of your documents with IP addresses without having to sit there typing them in?  Well, that is what I did!

This is the result

Here is the script which completes this task:

#Ask the user which folder the files are stored in
$location = Read-Host "Where are the files stored"
#Get all Visio files in the location specified (escape the dot so it is a literal ".vsd")
$files = Get-ChildItem $location | Where-Object {$_.Name -match "\.vsd"}

#Create the Visio COM object once; it is reused for every file
$visio = New-Object -ComObject Visio.Application

#Loop that will go through each Visio file in the folder
ForEach ($file in $files) {

    #Open the next file in the list
    $document = $visio.Documents.Open($file.FullName)

    #Loop that will go through each shape on the active page
    ForEach ($vsoShape in $visio.ActivePage.Shapes) {

        #Get the master; if it is Server or Router, do a DNS lookup of the name and apply the resulting IP address to the shape in question
        $master = $vsoShape | Select-Object -ExpandProperty Master
        If ($master.Name -eq "Server" -or $master.Name -eq "Router 1") {
            $networkname = $vsoShape.Cells("Prop.NetworkName").ResultStr(0)
            $ipaddress = Resolve-DnsName $networkname | Select-Object -ExpandProperty IPAddress
            $vsoCell = $vsoShape.Cells("Prop.IPaddress")
            $vsoCell.Formula = """$ipaddress"""
        }
    }

    #Save and close the document
    $document.Save()
    $document.Close()
}

#Quit Visio afterwards
$visio.Quit()


You can see how this script could be edited to complete any manner of tasks.  If the information was in the shape text itself, you could use this:

#Read the text of the shape rather than its Shape Data
$characters = $vsoShape | Select-Object -ExpandProperty Characters
$char = $characters.TextAsString

To see what else you can do programmatically with Visio, please see the MSDN page.

Got any tedious Visio task that you could do with automating?  Let me know in the comments.

Wednesday, October 19, 2016

Using a Password Manager

Using a password manager is something I have toyed with for a number of years.  With more and more services being hacked and data being exposed, my normal approach of just tiering passwords by application importance wasn't cutting it anymore.

You only have to follow haveibeenpwned on Twitter to see how many data breaches have been loaded into the service run by computer security legend Troy Hunt.

So I decided to give it a go.

User Experience

Now, my biggest concern with using a password manager was the user experience, especially on a machine where I cannot load extensions, e.g. my work XenApp server.

I had a quick look through the options and initially tried 1Password, as it had a 6-month free trial.  I quickly dismissed this as an option for a couple of reasons.

1.  The login process on the webpage was a bit more complicated than it needed to be.  When going to the web interface, you had to enter "my" in the text box below and press continue.  Seems odd; I suspect it is because you can host the vault in your own location.

What?  Entering my and pressing enter gets you through
2.  There isn't a full-featured Windows application or Chrome extension on Windows.  This made it pretty laborious to add new passwords or auto sign in to applications.

After this, I looked at LastPass.

I was immediately more impressed.  The 14-day trial was nice but only allowed access from one device, which was frustrating.  The pro service is only $12 a year though, so I stumped up the cash and really went to town.

Now...I would love to show you some screenshots and talk you through my setup, but I don't really fancy publicly showing which sites and services I use!

Below is a screenshot from the LastPass website which shows the interface listing the websites you have saved.  You can use this as a launchpad to open your web applications.

So far so good, but what about machines without the ability to install extensions etc?  Well, going to and logging in with your master password brings up the same interface.  Now you can't launch the applications natively, but you can copy the passwords to the clipboard and paste them in.

Some services will try to stop passwords from being pasted in, to try and make things more "secure".  This isn't a great idea, and if you want to read more on this, check out this blog from none other than Troy Hunt.

Generating new passwords
After installing the extension in Chrome (or equivalent), when you try to sign up to a new service you will see an icon which allows you to generate a new random password.

How easy is that!

Saving existing passwords
When logging in to an existing website, you will be presented with a banner asking to save this site.  If this is not appropriate, you can say never, which will stop it from popping up.

What about mobile?  Well, I was very impressed here.  The mobile app comes with a built-in browser which can be used to auto login to web applications.  But what about native apps, or if you just prefer using something like Chrome?

LastPass makes use of the accessibility options in Android.  This allows it to read the screen contents and paste your login credentials into the appropriate fields.

In practice, you can see that when logging into the MyFitnessPal app, you can open the LastPass helper and it will either auto fill the screen or let you copy/paste the password.

LastPass also allows you to use Google Authenticator as two factor authentication when logging into your vault from a new device.  As you are putting a large emphasis on one master password, two factor authentication is an absolute must!

The process of moving old accounts over to using new randomly generated passwords took a bit of time, but overall I am very pleased.  I think having a password manager has taken a lot of stress away from me when signing up for new services.

I don't have to try and categorise a website and choose an appropriate password.  I don't have to worry about websites' weird password policies and whether I have had to make odd variations to an existing password.

I just sign up, use a randomly generated password, save it, and forget about it.

Now, is LastPass the right platform?  It works well for my needs, but I am sure others would work perfectly well for other people.  Let me know if you use a password manager and how it works for you.

Thursday, October 06, 2016

Secure your phone against 2FA skimming

Google recently introduced a new, faster method of 2-step verification.  Instead of using Google Authenticator or SMS as a mechanism to enter a verification code, they simply send a push notification to your mobile device.

It is simple and if you don't use it, you should turn it on!

But today, for some reason, the push notification didn't arrive.  So I asked Google to try a different method.  I chose SMS and a moment later I was sent a text message with a code (partially blanked out below).
MFA code is visible when locked
Now you can see that my phone is locked, but the whole code is visible.  This got me very paranoid: imagine being away from your phone for 5 minutes and someone guessing your password and then using this to bypass two factor authentication?  Or, thinking about it, my bank uses one time passcodes (OTP) before transferring large amounts of cash....scary!

No thanks

Thankfully, Android has a mechanism to make this more secure.  Go to Sound & Notifications > App Notifications > Messaging.

From here you can turn on the setting to Hide Sensitive Content.

Enable "Hide Sensitive Content"
I tested the two factor authentication again after turning this setting on and the results are below.  A lovely hidden SMS!
MFA code is hidden until unlock
You can achieve a similar result in iOS.


Monday, October 03, 2016

Gathering MX Records for Office 365 Domains

I have come across the need for a simple output of the MX records for each domain in an Office 365 tenant.

An Office 365 tenant can contain multiple domains in a verified or unverified state.

This script simply outputs the MX records for each verified domain into a CSV file named after the tenant ID.  The CSV file is written to the %temp% folder by default.

You will need to run the script inside a PowerShell session connected to Office 365.

#This script collects the MX records for all domains which have been verified in an O365 tenant.
#Run the script from within an O365 PowerShell session (Get-MsolDomain requires a connected MSOnline session).
#Author: Ben Owens
#Date: 03/10/2016

$Temp = $env:temp
#The initial (onmicrosoft.com) domain identifies the tenant
$TenantID = Get-MsolDomain | Where-Object {$_.IsInitial -eq $true} | Select-Object -ExpandProperty Name
#Only verified domains can route mail, so unverified ones are skipped
$Domains = Get-MsolDomain | Where-Object {$_.Status -eq "Verified"} | Select-Object Name
#Resolve-DnsName also returns the additional A records for the exchangers, so keep only the MX answers
$MXRecords = ForEach ($Domain in $Domains) {Resolve-DnsName -Name $Domain.Name -Type MX | Where-Object {$_.QueryType -eq "MX"}}
$Output = "$Temp\$TenantID-mxrecords.csv"
$MXRecords | Export-Csv $Output -NoTypeInformation
Notepad $Output

Example Output:
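As an added example (not part of the original script), here is a check that runs over the records the script gathers: it flags verified domains that have no MX record at all, and domains whose primary (lowest preference) MX does not point at Exchange Online Protection.  The expected host suffix mail.protection.outlook.com and the sample domains and records are assumptions constructed for the example.

```powershell
# Added example, not part of the original script: audit the MX records gathered above.
# Assumption: Exchange Online Protection MX hosts end in mail.protection.outlook.com.
function Test-O365MXRecords {
    param(
        [Parameter(Mandatory)] [string[]] $Domains,     # verified domain names
        [Parameter(Mandatory)] [object[]] $MXRecords,   # output of Resolve-DnsName -Type MX
        [string] $ExpectedSuffix = 'mail.protection.outlook.com'
    )
    foreach ($domain in $Domains) {
        # The lowest Preference value is the primary exchanger, so sort before picking the first one
        $records = @($MXRecords | Where-Object { $_.QueryType -eq 'MX' -and $_.Name -eq $domain } |
                     Sort-Object Preference)
        if ($records.Count -eq 0) {
            # Verified in the tenant, but nobody can deliver mail to it
            [pscustomobject]@{ Domain = $domain; Status = 'NoMX'; PrimaryExchange = $null }
            continue
        }
        $primary = $records[0]
        $status = if ($primary.NameExchange -like "*.$ExpectedSuffix") { 'Office365' } else { 'External' }
        [pscustomobject]@{ Domain = $domain; Status = $status; PrimaryExchange = $primary.NameExchange }
    }
}

# Constructed sample records in the shape Resolve-DnsName -Type MX returns (Name, NameExchange, Preference, QueryType)
$sampleRecords = @(
    [pscustomobject]@{ Name = 'contoso.example';  QueryType = 'MX'; Preference = 0;  NameExchange = 'contoso-example.mail.protection.outlook.com' }
    [pscustomobject]@{ Name = 'fabrikam.example'; QueryType = 'MX'; Preference = 10; NameExchange = 'mx1.legacy-relay.example' }
    [pscustomobject]@{ Name = 'fabrikam.example'; QueryType = 'MX'; Preference = 20; NameExchange = 'fabrikam-example.mail.protection.outlook.com' }
)
$sampleDomains = @('contoso.example', 'fabrikam.example', 'northwind.example')

# To run against a real tenant, pass $Domains.Name and $MXRecords from the script above instead of the samples
Test-O365MXRecords -Domains $sampleDomains -MXRecords $sampleRecords | Format-Table -AutoSize
```

With the sample data, contoso.example reports Office365, fabrikam.example reports External (its primary MX is still the legacy relay even though an Office 365 record exists at a lower priority), and northwind.example reports NoMX.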