Azure AD Proxy, OpenID SSO, and Azure AD Request Identification via Header Values

Backstory

I recently found myself writing some OpenID/SSO code and realized that for some reason Azure AD Proxy doesn’t rewrite the header value for replyurl. This means that while you connect to Azure AD Proxy to access your app, when your internal app then attempts to authenticate to Azure AD via OpenID (or SAML), once it is successful it returns you to the internal URL not the proxied url.

Manually Setting the RedirectUri / Reply URL

First you must understand, you can not set this value on the Azure side, it MUST be set on the app. In our case we wrote our own app so to fix it we wrote code to trap the event for OnRedirectToIdentityProvider and then set our own hardcoded Azure AD Proxy external URL. We cleaned this up by making the external URL a parameter in the configuration file instead of code itself.

options.Events.OnRedirectToIdentityProvider = (context) => {
    context.ProtocolMessage.RedirectUri = <Azure AD External URL/SSOpath>;
    await Task.FromResult(0);
}

Determining an Azure AD Proxy Client Request from a Normal one

Next up we didn’t want to just hard code the azure external url. This would mean we could never use the internal URL for testing. So we also added in a check of the following request header value:

Name: HTTP_X_MS_PROXY
Value: AzureAD-Application-Proxy

We now check to see if HTTP_X_MS_PROXY is present and if so change the RedirectUri to the Azure AD Proxy External URL. Otherwise, we let it return the internal URL.

PowerShell Error: The underlying connection was closed: An unexpected error occurred on a send

I got mad the other day, trying to do a simple wget (i.e. invoke-webrequest) to an Azure Function I made and I was getting:

The underlying connection was closed: An unexpected error occurred on a send

I tried switching to .NET Webclient but still same error.

What was more frustrating is that it worked on my dev machine, worked on the server I was running to code on in a browser, just not in powershell.

The Fix

Apparently PowerShell version 5 defaults to TLS 1.0. Azure Functions require TLS 1.2. The fix is super simple, just add this in your code on its own line:

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

Windows Update Stuck on “Searching for Updates” on Windows Server 2012 R2

This one was a nightmare. If you search the internet for “Searching for Updates” you will find a lot of pages but none that I saw had this resolution.

In my case on my server the problem was actually related to Flash updates. After working with Microsoft Support it was discovered that a large number of pending Adobe Flash updates were causing the search to never finish so the fix was to manually update Flash.  This was done by installing KB3214628

Hope this helps someone else out, this took MS Support weeks to figure out.

-Eric

Secure PowerShell Scripts running via Windows Task Scheduler using MD5 Hashes to safeguard against Tampering

Over the years the number of Task Scheduled based PowerShell scripts has increased. However, this poses serious potential security risks.

The Security Issue

Given that these tasks commonly run as a service account, with additional rights, it is a potential attack vector.

Simply changing the underlying script can allow a hacker access to anything the service account has access to.Even signing the scripts can be useless as the system can be configured to ignore signing.

The Solution

I have created this one-liner that Task Scheduler can use that will only run the script if the hash of the script matches the hash listed in the one-liner. If someone tries to change this in Task Scheduler they would be required to reenter the proper password.

powershell.exe -command if ([System.BitConverter]::ToString((New-Object -TypeName System.Security.Cryptography.MD5CryptoServiceProvider).ComputeHash([System.IO.File]::ReadAllBytes(‘C:\temp\test.ps1‘))) -eq ‘33-CD-2A-54-ED-F3-0F-94-5F-D2-97-D9-FE-4F-45-79‘) {. c:\temp\test.ps1} else {Send-MailMessage -SmtpServer smtp.server.domain.com -From whatever@domain.com -To you@domain.com -Subject ‘Failed to Run Script – Hash Not Correct’}

Notes about One Line Script Executor

  • You need to replace c:\temp\test.ps1 with the path to your script. (two places in this example)
  • You must supply the hash of the script. (use the following command to get it)

[System.BitConverter]::ToString((New-Object -TypeName System.Security.Cryptography.MD5CryptoServiceProvider).ComputeHash([System.IO.File]::ReadAllBytes(‘C:\temp\test.ps1‘)))

  • Script will email you if hash fails.
    • Change TO: and FROM: to match your needs.
  • Do NOT use double quotes in this script, do NOT forget that CMD will pass this to PowerShell, and will strip out double quotes.

If this helped you or perhaps you have suggestions to make it better, please do leave them in the comments.

Enjoy

-Eric

Unauthorized 401 when calling Coldfusion CFC Component WebService on IIS

If you just setup a fresh Coldfusion/IIS box and all of a sudden you check one of your CFC Component WebServices and get a 401 you are not alone!

I bet you went to the folder and triple checked IIS that Anonymous Authentication was enabled and everything else was disabled and yet still didnt work. Right about that time perhaps you start questioning everything you know in this world. I mean IIS is set to anonymous yet it’s telling you its not authenticating as if it were sent to Windows Authentication.

The Solution

Rest assured, you are not losing it. Simply you like me likely made the mistake of blanket turning on Windows Authentication at the root which in turned enabled it for the virtual folder:

/jakarta

CFC’s must pass back to this folder since they are processed server side. Anyways the easy solution is to set /jakarta folder to Anonymous Authentication.

Hey if this helped you or you know something I should add to make it better, please leave it in the comments!

-Eric

Fix: Windows 10 Start Menu (and Modern Subsystem) Freezes and Stops Working

Nothing gets me more upset than seeing a common issue that never seems to get fixed. Since Windows 10 inception I have noticed a rather odd issue that occurs about weekly where my Start Menu, all Metro (Modern) Apps, and even Internet Explorer (which is odd given its a Win32 App) locks up, freezes, and just plan stops working.

The only obvious cure had been to reboot the PC.

However through alot of trial an error have figured out a workaround to get your PC back on its feet.

The Workaround

  • Simply open Task Manager (CTRL + SHIFT + ESC)
  • Click More Details (if needed)
  • Go to Details
  • Locate: siHost.exe
  • Right Click, End Process Tree

Note: This may need to be done twice in my testing but should always return the start menu after that second try. Many times it only takes once.

More Detail

You may notice when this happens that there are the following events in the event logs:

The program ShellExperienceHost.exe version 10.0.10586.218 stopped interacting with Windows and was closed. To see if more information about the problem is available, check the problem history in the Security and Maintenance control panel.
Process ID: 2290
Start Time: 01d1a082cc447ca3
Termination Time: 4294967295
Application Path: C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
Report Id: 524e2a97-0c76-11e6-8dae-64006a80564a
Faulting package full name: Microsoft.Windows.ShellExperienceHost_10.0.10586.0_neutral_neutral_cw5n1h2txyewy
Faulting package-relative application ID: App

Also you may see errors about SearchUI.exe

 

Workaround: Chrome will not PIN sites to Windows 10 Taskbar

I could rant for a long while about how Microsoft removed the verb “Pin to Taskbar” from the Shell.Application COM object but I won’t. I will simply say that I think they did that to keep OEM’s from putting crap on it when you buy a new PC. However as so often is the case, there was unintended side effects. Reasonable use cases like Chrome being able to PIN websites and Corporate IT being able to PIN corporate applications comes to mind. Lets not talk about how anti-competitive it looks when Internet Explorer (IE) is able to still pin items to the taskbar yet 3rd Party browsers like Chrome are left in the dust.

Ok I said I wouldn’t rant, here is the workaround.

  • Simply do the normal process in Chrome to PIN something to the start menu.
  • Then go here:
    • C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
      • Note: <username> will be your username you use to logon to Windows. If you dont know it simply go to c:\users and you should be able to figure it out
  • Find the shortcut Chrome created for your website, right click and you will see “PIN to Taskbar”

Also thanks to Reddit for figuring this out:

Chrome "Add To Taskbar" Issue from Windows10

Leave a comment if it helped you!

-Eric

Fix | Windows 10, “the connection cannot proceed because authentication is not enabled”

Ah security, the balance between not allowing access at all and allowing too much access.

In Windows 10 Microsoft changed RDP’s defaults. They modified the default for “SecurityLayer” from 0 to 2. Even if you go into the user interface and disable: “Allow connections only from computers running Remote Desktop with Network Level Authentication (recommended)” Still doesn’t change that value to a 2.

Simple fix:

  1. Open RegEdit
  2. Navigate to this Key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
  3. Change “SecurityLayer” to a zero
  4. Reboot and done!

Fix | NVidia Control Panel will not save

Just got Lightroom 6!! Finally they are using the GPU to make things faster. Just one problem, its using my crappy Intel 4600 GPU instead of the NVidia Quadro K1100M in my dual GPU Notebook.

Adobes own advise from their FAQ is to disable the Intel Card. I tried that, all it did is screw up almost everything on the PC. Thanks Adobe for that… So looking around the interwebs I found way too many people having this issue but none having a good solution.

After about 3 hours of messing around with ProcessMon.exe I discovered it was trying to write to c:\ProgramData\NVidia Corporation\Drs folder. Only problem is that folder did not exist.

Simply create the folder, and give “everyone” full control in the security Tab and you should be good to go.

One thing to note, it seemed like it took two saves to start working for me, not sure what that was about but finally I was able to use the “Managed 3D Settings” part of the NVidia Control Panel to set Lightroom.exe to use the NVidia GPU.

Hope it helps you!

-Eric

Bug | Android | Error 111 (net::ERR_TUNNEL_CONNECTION_FAILED)

Quick one… After spending far too much time I figured it out an issue where I was getting the following error in Chrome on Android when trying to access a SSL website I hosted at my home on port 2000..

“Error 111 (net::ERR_TUNNEL_CONNECTION_FAILED)”

Some extra details… this was on my Nexus 4 on AT&T running first 4.2.1 then 4.2.2.

The real issue, Android for some unknown reason will not allow you to use unstandard ports for SSL (i.e. only port 443 works when using https)

I confirmed this by trying a SSL website on port 2000 using my wifes iphone on AT&T. Sure enough it worked fine. So its not AT&T. Also worth pointing out it works fine on wifi.

Hopefully this is just a bug and will be fixed in the future. The only thing I could do was move my SSL website to the standard port 443.

There was zero info on this on the net so I wanted to get it out there. Hope it sheds some light on it for you. If it did leave a comment so I know.