Azure AD Proxy, OpenID SSO, and Azure AD Request Identification via Header Values

Backstory

I recently found myself writing some OpenID/SSO code and realized that for some reason Azure AD Proxy doesn’t rewrite the header value for replyurl. This means that while you connect to Azure AD Proxy to access your app, when your internal app then attempts to authenticate to Azure AD via OpenID (or SAML), once it is successful it returns you to the internal URL not the proxied url.

Manually Setting the RedirectUri / Reply URL

First you must understand, you can not set this value on the Azure side, it MUST be set on the app. In our case we wrote our own app so to fix it we wrote code to trap the event for OnRedirectToIdentityProvider and then set our own hardcoded Azure AD Proxy external URL. We cleaned this up by making the external URL a parameter in the configuration file instead of code itself.

options.Events.OnRedirectToIdentityProvider = (context) => {
    context.ProtocolMessage.RedirectUri = <Azure AD External URL/SSOpath>;
    await Task.FromResult(0);
}

Determining an Azure AD Proxy Client Request from a Normal one

Next up we didn’t want to just hard code the azure external url. This would mean we could never use the internal URL for testing. So we also added in a check of the following request header value:

Name: HTTP_X_MS_PROXY
Value: AzureAD-Application-Proxy

We now check to see if HTTP_X_MS_PROXY is present and if so change the RedirectUri to the Azure AD Proxy External URL. Otherwise, we let it return the internal URL.

Calendar Invites from Office 365 forwarded to GMail / G-Suite lack Accept / Reject buttons

This post might be a bit of bear. I write it mainly for myself as a point of reference but perhaps it can help others.

In our case, we had recently acquired a new company that used Google G-Suite / GMail. While we waited to migrate them over we setup Mail Enabled User Objects (without Mailboxes) on Office 365 as Stubs. These stubs provided GAL entries for these employees and leveraging the “targetAddress” attribute forwards all emails to those users mailboxes on G-Suite (a different email domain).

For the most part this worked well. We get Calendar Free / Busy from the objects as well email forwarding worked. Except sometimes Calendar Invites did not have accept or reject buttons.

We finally got to the bottom of this… has everything to do with two factors (both are really the same but worth going through the motions)

  • TNEFEnabled Flagging must be set to $False ($null isnt good enough) in PowerShell
  • “Use Rich-Text Format” Set to “Never” in the ECP/Mail Flow/Remote Domains/<domain>

Connect to Microsoft Exchange Online PowerShell Module then run this:

Get-RemoteDomain | select Name, TNEFEnabled

If you dont have the GMail / GSuite domain listed add it with new-remotedomain:

New-RemoteDomain -Name <Name of External Domain> -DomainName domain.com

Then run this command:

Set-RemoteDomain -Identity -TNEFEnabled $false

Next up we want to validate things with RTF

  • Goto the ECP: https://outlook.office.com/ecp
  • Navigate to Mail flow on the Left
  • Navigate to Remote Domain on the top
  • Find the domain in question
  • Ensure “Use rich-text format:” is set to “Never”

That should be it, within 30 minutes or so to have setting sync to all exchange servers it should be working once more.

What I think I understand better now is the MS KB Docs are incorrect, $null on TNEFEnabled means to default to user defaults. You must use $False to force the corrective action.

Fix: NVidia Shield (Moonlight) selecting the wrong Monitor

A while back I stopped paying for consoles and put my efforts to a good PC rig. However I still like laying down on the couch and using a XBOX Controller. Moonlight fixed this for me (using a 4K Apple TV and full ethernet) . Full FPS, full resolution (with RTX I might add), no lag, perfection!

But there was a problem when I upgraded my PC. Moonlight kept using the right (wrong) monitor instead of dead center. This made it so I would have to get up, go in my office and force the game onto the wrong monitor (or worse).

However after a lot of trial and error I figured out how to fix it.

First you need to make sure the monitor in question is in fact the “BIOS Default”. What does that mean? Well for me, when I power on the tower the Dell logo shows up on that screen. I had to swap around DP cables until that happened.

Next you need your preferred monitor to be the Windows first found. Notice I didn’t say primary? NVidia doesn’t respect the primary monitor flag (they should but they dont).

Some background: Windows makes “profiles” for every unique pairing of monitors. It does this by using Monitor Serial Numbers which is why swapping cables doesn’t really fix the issue. My assumption is NVidia looks for Monitor 00 and that’s the one it uses. So the real trick is to get WINDOWS to address your preferred monitor first.

To get Windows to make your preferred monitor #00 (what I am calling first found) you need to figure out which cable its connected to. Make sure its the only one attached, then go to the following section of the registry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration

Delete all the sub keys of Configuration. I did this a few times, never did me much harm although be aware it could create issues for you. A system restore point might be a good idea or at least an export of Configuration *(right click -> export).

Then disconnect all other monitors except the one you care about and reboot. Once rebooted plug in your other monitors. You will have to reorder them again. And that should do it.

I figured this out after realizing even after purging drivers and configs I found it odd Windows always knew how to put the monitor order back to gather again (even when swapping cables). That is how I found these keys which kills that saved profile. The only other part to figure out was how to make sure the monitor I cared about was first.

Hope it helps and happy gaming!

Unauthorized 401 when calling Coldfusion CFC Component WebService on IIS

If you just setup a fresh Coldfusion/IIS box and all of a sudden you check one of your CFC Component WebServices and get a 401 you are not alone!

I bet you went to the folder and triple checked IIS that Anonymous Authentication was enabled and everything else was disabled and yet still didnt work. Right about that time perhaps you start questioning everything you know in this world. I mean IIS is set to anonymous yet it’s telling you its not authenticating as if it were sent to Windows Authentication.

The Solution

Rest assured, you are not losing it. Simply you like me likely made the mistake of blanket turning on Windows Authentication at the root which in turned enabled it for the virtual folder:

/jakarta

CFC’s must pass back to this folder since they are processed server side. Anyways the easy solution is to set /jakarta folder to Anonymous Authentication.

Hey if this helped you or you know something I should add to make it better, please leave it in the comments!

-Eric

Fix: Windows 10 Start Menu (and Modern Subsystem) Freezes and Stops Working

Nothing gets me more upset than seeing a common issue that never seems to get fixed. Since Windows 10 inception I have noticed a rather odd issue that occurs about weekly where my Start Menu, all Metro (Modern) Apps, and even Internet Explorer (which is odd given its a Win32 App) locks up, freezes, and just plan stops working.

The only obvious cure had been to reboot the PC.

However through alot of trial an error have figured out a workaround to get your PC back on its feet.

The Workaround

  • Simply open Task Manager (CTRL + SHIFT + ESC)
  • Click More Details (if needed)
  • Go to Details
  • Locate: siHost.exe
  • Right Click, End Process Tree

Note: This may need to be done twice in my testing but should always return the start menu after that second try. Many times it only takes once.

More Detail

You may notice when this happens that there are the following events in the event logs:

The program ShellExperienceHost.exe version 10.0.10586.218 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Security and Maintenance control panel.
Process ID: 2290
Start Time: 01d1a082cc447ca3
Termination Time: 4294967295
Application Path: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
Report Id: 524e2a97-0c76-11e6-8dae-64006a80564a
Faulting package full name: Microsoft.Windows.ShellExperienceHost_10.0.10586.0_neutral_neutral_cw5n1h2txyewy
Faulting package-relative application ID: App

Also you may see errors about SearchUI.exe

 

Workaround: Chrome will not PIN sites to Windows 10 Taskbar

I could rant for a long while about how Microsoft removed the verb “Pin to Taskbar” from the Shell.Application COM object but I won’t. I will simply say that I think they did that to keep OEM’s from putting crap on it when you buy a new PC. However as so often is the case, there was unintended side effects. Reasonable use cases like Chrome being able to PIN websites and Corporate IT being able to PIN corporate applications comes to mind. Lets not talk about how anti-competitive it looks when Internet Explorer (IE) is able to still pin items to the taskbar yet 3rd Party browsers like Chrome are left in the dust.

Ok I said I wouldn’t rant, here is the workaround.

  • Simply do the normal process in Chrome to PIN something to the start menu.
  • Then go here:
    • C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
      • Note: <username> will be your username you use to logon to Windows. If you dont know it simply go to c:\users and you should be able to figure it out
  • Find the shortcut Chrome created for your website, right click and you will see “PIN to Taskbar”

Also thanks to Reddit for figuring this out:

Chrome "Add To Taskbar" Issue
byu/Shinenite inWindows10

Leave a comment if it helped you!

-Eric

Fix | Windows 10, “the connection cannot proceed because authentication is not enabled”

Ah security, the balance between not allowing access at all and allowing too much access.

In Windows 10 Microsoft changed RDP’s defaults. They modified the default for “SecurityLayer” from 0 to 2. Even if you go into the user interface and disable: “Allow connections only from computers running Remote Desktop with Network Level Authentication (recommended)” Still doesn’t change that value to a 2.

Simple fix:

  1. Open RegEdit
  2. Navigate to this Key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
  3. Change “SecurityLayer” to a zero
  4. Reboot and done!

Fix | NVidia Control Panel will not save

Just got Lightroom 6!! Finally they are using the GPU to make things faster. Just one problem, its using my crappy Intel 4600 GPU instead of the NVidia Quadro K1100M in my dual GPU Notebook.

Adobes own advise from their FAQ is to disable the Intel Card. I tried that, all it did is screw up almost everything on the PC. Thanks Adobe for that… So looking around the interwebs I found way too many people having this issue but none having a good solution.

After about 3 hours of messing around with ProcessMon.exe I discovered it was trying to write to c:\ProgramData\NVidia Corporation\Drs folder. Only problem is that folder did not exist.

Simply create the folder, and give “everyone” full control in the security Tab and you should be good to go.

One thing to note, it seemed like it took two saves to start working for me, not sure what that was about but finally I was able to use the “Managed 3D Settings” part of the NVidia Control Panel to set Lightroom.exe to use the NVidia GPU.

Hope it helps you!

-Eric

Installing Windows 8 RTM to Apple Macbook Air (Boot Camp)

Hey everyone, I wanted to make a few notes to help others get Windows 8 running on their Macbook Air without it locking, freezing, or poor network performance.

First we should stop that whole freezing problem or you will get very upset in the middle of a driver install (been there.)

You need to open a command prompt as administrator. You can do this by clicking start, then typing “cmd” right clicking on the cmd icon and selecting “Run as Administrator’”

Once open run this command:

bcdedit /set disabledynamictick yes

For those who want to know what this does please check out this great post: http://www.withinwindows.com/2012/06/28/workaround-for-windows-8-freezing-issues/

Once installed you will need reboot then install the boot camp drivers. This is done by making the install disk in Apple OS (Mountain Kitty). THERE IS NO DOWNLOAD LINK FOR THIS! DARN YOU APPLE!!! WHAT A PAIN! /RANT OFF

Once you have the Boot Camp disk, copy the contents to a folder on your desktop. Right click on the setup.exe, go to the compatibility tab, then click “Change settings for all users” button on the bottom.

On the next screen change the  “run this program in compatibility mode for:” to Windows 7. Additionally check off the bottom box for “run this program as an administrator”.

Then click OK, then OK again, then run the setup.exe

Once installed go ahead and reboot. This should get you part of the way.

Don’t delete that BootCamp Install folder just yet, deep in there we need the following folder. Just be aware, we will use it soon.

\Drivers\NVidia\NVidiaChipset64

Now lets click the start button, type “device manager” and click the settings “thing” on the top right to discover the “device manager” icon from the remains of the control panel.

Once device manager is open we have a few things to do. First lets take care of those two peskey un-drivered devices “coprocessor” and “SM Bus”.

Right click on one at a time and update the driver. Direct Windows to that folder on the desktop for \Drivers\NVidia\NVidiaChipset64 (or 32 if you are running x86). This folder should be able to updated both missing drivers.

NEXT lets go ahead and change the WiFi driver back to the native Windows 8 driver (Bootcamp had replaced it with a lesser driver that has some issues only in windows 8.)

Simply find the Wireless Network Adapter, its something like “Boardcom 802.11n” right click then “update driver software”, then Search Automaticly for updated drivers.

Thank should do it. Go ahead and reboot one last time for good measure.

Hopefully that saves some of you some time. IF I have helped you all I ask in return is leave a comment and say so. I get a great kick out of it.

Cheers!

-Eric

SCVMM 2012 | Force Remove vCenter Server

If you are reading this you likely took the plunge into Microsoft Virtual Machine Manager 2012, you added in your VMWARE vCenter, migrated some VM’s and then tried to jettison the old vCenter  that is no longer around.

If you did you likely got this error message:

VMM cannot complete the VMware operation on the <server> server because of the error: “Unable to connect to the remote server

image

You may have went for extra credit and run this powershell command without luck as well:

Get-VirtualizationManager -ComputerName <server> | Remove-VirtualizationManager

See unlike Remote-VMHost that has the –force switch you don’t have a –force switch with Remove-VirtualizationManager.

What is an admin to do??

Well if you are extremely irresponsible and want to blindly follow a guy with a blog who happened to find a way that at least looks like it worked then good Sir or Madam you are in the right place!!!

SQL Studio with Admin Rights

First you will need to run SQL Studio Manager with rights to the DB. If you have this then move on to the next section.

If like me you didn’t end up having permission to the default instance then run this nifty sysInternals tool PSEXEC:

PSEXEC –i –s cmd (make sure to run with admin rights)

If that works and you now have a cmd prompt go ahead and type whoami just for fun. you will see you are NT Authority\Local System!

Now go ahead and run the SQL Studio Manager from this command prompt. Given each version of SQL has this in a different location the easiest way would be to look at the properties of the start menu shortcut to find the full path to the executable.

The Query

Ah now once in SQL Studio with rights to the DB simple run this query to force remove the vCenter from your VMM instance.

HEY!!! SERIOUSLY I HAVE NO IDEA IF THIS IS SAFE!! USE AT YOUR OWN RISK.

DECLARE @computername varchar(255)
SET @computername = ‘<servername>’
DELETE FROM [tbl_ADHC_AgentServerRelation] WHERE AgentServerID = (select top 1 AgentServerID from tbl_ADHC_AgentServer where Computername = @computername)
DELETE FROM [tbl_ADHC_AgentServer] WHERE AgentServerID = (select top 1 AgentServerID from tbl_ADHC_AgentServer where Computername = @computername)
DELETE FROM [tbl_ADHC_Host] WHERE [HostID] = (select top 1 HostID from tbl_ADHC_Host where ComputerName = @computername)

Now, if I you know a better way please leave a comment.

If this helped you, please leave a comment. Love knowing my time wasn’t wasted.

If you are Microsoft and you feel I am leading people off a cliff, PLEASE PLEASE leave me a comment.

In any event, hope it helps and enjoy!

-Eric