New-Object PSObject Problem with Azure Automation

Posted on December 31, 2016December 31, 2016 By Luben Kirov

I found a weird behaviour in Azure automation, if you use “New-Object PSObject” it runs perfectly fine when the script is executed directly (via the portal or the Powershell command “Start-AzureRmAutomationRunbook”). However if you try and do an inline call from another workbook it fails and errors out with something like:

1 2	<strong class="azc-log-stream-error">New-Object PSObject â€“Property $CurrentProperties </strong>

the code i used initially was (snippet):

1 2	$CurrentProperties = @{Veriable1=$_.var1;Color="red"} $AllObjects += New-Object PSObject –Property $CurrentProperties

It seems like this command is no longer supported or runs correctly when the child workbook is called by another workbook. To get around this i recommend using the Powershell v3 method which works perfectly:

1	$AllObjects += [PSCustomObject]@{Veriable1=$_.var1;Color="red"}

Azure Public and Internal Load balancer for the same availability set

Posted on December 21, 2016December 31, 2016 By Luben Kirov

Microsoft Azure

This is one people keep asking me which Microsoft hasn’t published officially. Currently Microsoft Azure allows you to have a public and private load balancer in front of the same availability set.

You can also link both load balancer to the same machines in the availability set. This will enable your servers to have a load balanced private and public IP, which comes in real handy.

You can also link the public to some of the machines and the private to other machines in the availability set.

Web Application Proxy Event ID 12019 – (0x8007007b)

Posted on December 21, 2016December 31, 2016 By Luben Kirov

Windows

For anyone that has received the below WAP error, especially in Server 2016, please make sure that the published application name does not have any forward slashes “/”.

It seems to like other characters like: “wqe.()-_\sdfds123″££$%%” but not forward slashes.

Log Name: Microsoft-Windows-WebApplicationProxy/Admin

Source: Microsoft-Windows-WebApplicationProxy

Date: 12/21/2016 12:16:05 PM

Event ID: 12019

Task Category: None

Level: Error

Keywords:

User: NETWORK SERVICE

Computer: Testprooo

Description:

Web Application Proxy could not create a listener for the following URL: http://xxxxxx.com/.

Cause: The filename, directory name, or volume label syntax is incorrect.

(0x8007007b).

Event Xml:

<Channel>Microsoft-Windows-WebApplicationProxy/Admin</Channel>

<Computer>Testprooo</Computer>

</System>

<Data Name="Url">http://google.com/</Data>

<Data Name="Cause">The filename, directory name, or volume label syntax is incorrect.

(0x8007007b)</Data>

</EventData>

</Event>

OMS and Power BI Integration Schedule

Posted on December 21, 2016December 21, 2016 By Luben Kirov

Microsoft Azure

This is more of a gotcha than anything else but when you’re setting up a schedule to export OMS queries/logs to Power BI please be aware that the initial schedule you setup will also be the historical data it retrieves. What I mean by that is, if I setup a schedule for 24 hours (which is currently the max) in its initial sync it will export the data from that point back 24 hours. So don’t be surprised if you only have the last x amount of data, once the schedule is running it will keep exporting every x hours or minute whatever you have setup so your data over time will grow beyond the schedule you initially setup.

This does raise some concerns and questions:

What happens if the sync fails, most likely you will lose some data and it will not be consistent
How do I export all the data and sync I? For the moment you can export it to CSV and then import it in PowerBI.
You could cheat and set a schedule for 24 hours let it sync and then change it to an hour, this will at least get you the 24 hours rather than just an hour of historical data
Is this going to change as this feature is still in preview?

Intune Remote Wipe for Mac OS X

Posted on November 16, 2016November 16, 2016 By Luben Kirov

Microsoft Azure

As i couldn’t find this information anywhere online and had to get confirmation from Microsoft i am posting it here. As of writing this article and most likely for at least the next 3 months Microsoft Intune does not support Remote wipe, both Full and Selective for OSX (macOS). So take this into account when plaing your deployments.

Intune does however support Windows, Android and the ISO as described here https://docs.microsoft.com/en-gb/intune/deploy-use/use-remote-wipe-to-help-protect-data-using-microsoft-intune

Microsoft Dynamics NAV 2015 Wildcard Certificate Problem

Posted on November 15, 2016November 17, 2016 By Luben Kirov

Windows

I had a problem the other day trying to get Dynamics NAV 2015 to work with a wildcard certificate.While the server started ok, clients couldn’t connect and the error message at the end of this post appeared. The problem seem that you need to define the DnsIdentity on all clients, seems like the client application can’t recognize wildcard dns names automatically and you need to define it yourself. The down side of this is that all clients need to make this modification, while using normal certificates connect clients automatically. So if you do decide to go down this route be aware of this. The fixes are defined below.

To fix it on the client side:

modify the “C:\Users\username\AppData\Roaming\Microsoft\Microsoft Dynamics NAV\80\ClientUserSettings.config” to include the proper certificate name for DnsIdentity :

1	<add key="DnsIdentity" value="example.com"/>

To fix it on the Nav Server Web Instance:

you can modify the web.config of your Nav web instance for example “C:\inetpub\wwwroot\Mynav” to include the proper certificate name for DnsIdentity :

1	<add key="DnsIdentity" value="example.com"/>

You can also run the powershell command from Navs powershell:

1	New-NAVWebServerInstance -WebServerInstance Mynav -Server "test.example.com" -ServerInstance DynamicsNAV80_Instance

The error on the Nav Web Instance or Client:

"Error accessing Website Microsoft Dynamics NAV 2015 Web Client

Message: The client could not establish a connection to the Microsoft Dynamics NAV Server.

Reason = "Configuration setting 'DnsIdentity' has an invalid value"

Description = "Identity check failed for outgoing message. The expected DNS identity of the remote endpoint was 'test.example.com' but the remote endpoint

provided DNS claim 'example.com'. If this is a legitimate remote endpoint, you can fix the problem by explicitly specifying DNS identity 'example.com'

as the Identity property of EndpointAddress when creating channel proxy. ""

How To Install Oracle Instant Client v12 For Xampp v7, v5.5 & v5.6 (Windows)

Posted on November 12, 2016November 15, 2016 By Luben Kirov

Windows

Below you will find the instructions on how to configure/install and enable the Oracle Instant Client for XAMPP v7, v5.5 and v5.6.

Download and install XAMPP from https://www.apachefriends.org/download.html
Modify the php.ini in “C:\xampp\php”
- Uncomment the following line “;extension=php_oci8_12c.dll ; Use with Oracle Database 12c Instant Client”
- Restart Apache
Download the 32 bit (PHP is 32 bit so no need to 64) Oracle Instant Client from http://www.oracle.com/technetwork/topics/winsoft-085727.html
- You need both Instant Client Package – Basic and Instant Client Package – SDK
- Unzip both in “C:\php-sdk\oracle\x86\instantclient_12_1″ and “c:\php-sdk\oracle\x86\instantclient_12_1\sdk” respectivly
Add the directory “C:\php-sdk\oracle\x86\instantclient_12_1″ to the windows path veritable
- Under system Properties click Environment Variables
- Edit the Path variable
- You need to reboot windows
(Optional)If you want to specify the oracle connections in the tnsnames.ora file:
- Create a file called “tnsnames.ora” in “C:\php-sdk\oracle\x86\instantclient_12_1″
- Add your oracle connections to the file as described here: https://docs.oracle.com/cd/B28359_01/network.111/b28317/tnsnames.htm#NETRF007
- Create a new environmental variable called “TNS_ADMIN” with the value of “C:\php-sdk\oracle\x86\instantclient_12_1″
- Reboot Windows

Thats it 🙂

ADFS 3.0 Cancel Button Redirection and Password Change Link

Posted on October 19, 2016 By Luben Kirov

Windows

ADFS 3.0 Cancel Button Redirection

I got asked the other day if i can get the ADFS cancel button on the Update Password page (Expired Password) to redirect back to the original page. After some searching i found a lot of people asking for this feature but no solutions. So below is my own coded solution to solve this problem all you need to do is add it to the end of onload.js, instruction are below the code.

The code will work with:

All java enabled browsers
Will work with any domain
Will work with expired password redirection
Will work with all endpoints
- /adfs/ls/idpinitiatedsignon.aspx
- /adfs/oauth2/authorize
- /adfs/ls/

var RedirectToPage = function () {

var CurrentUrl = window.location.href;

var UrlParts = CurrentUrl.split("origin=");

var PathParts = UrlParts[1].split("&username=");

var RedirectUrl = UrlParts[0].replace("/adfs/portal/updatepassword", decodeURIComponent(PathParts[0]));

RedirectUrl = RedirectUrl.replace(/&$/, '');

location.href = RedirectUrl;

return false;

}

document.getElementById("cancelButton").onclick = RedirectToPage;

Use the following steps when customizing the onload.js for the AD FS service (Note these steps are taken from: https://technet.microsoft.com/en-us/library/dn636121.aspx).

Customizing onload.js for the AD FS Service

To add your custom logic to onload.js, you need to first create a custom web theme. The theme that is shipped out-of-the-box is called Default. You can export the default theme and use it so that you can start quickly. The following cmdlet creates a custom web theme, which duplicates the default web theme:

                                      
                                                1
                                              
                                                New-AdfsWebTheme –Name custom –SourceName default

You can then export the custom or default web theme to get onload.js file. To export a web theme, use the following cmdlet:

                                      
                                                1
                                              
                                                Export-AdfsWebTheme –Name default –DirectoryPath c:\theme

You will find onload.js under the script folder in the directory that you specify in the export cmdlet above and add your custom logic to the script (see use cases in the Example section below).

Make the necessary modification to customize onload.js based on your need.

Update the theme with the modified onload.js. Use the following cmdlet to apply the update onload.js to custom web theme:

                                      
                                                1
                                              
                                                Set-AdfsWebTheme -TargetName custom -AdditionalFileResource @{Uri=’/adfs/portal/script/onload.js’;path="c:\theme\script\onload.js"}

To apply the custom web theme to AD FS, use the following cmdlet:

                                      
                                                1
                                              
                                                Set-AdfsWebConfig -ActiveThemeName custom

Password Change Link

So with the above implementation (which works great for expired passwords) we also needed to modify our password change link for any users wanting to change there password via ADFS before it has expired as show in the below screen shot:

The below code will give you exactly that ability, implementation instruction are located below. You only need to modify the text in the <p> </p> tags to whatever suits your needs. Please leave the link section “<a onclick=”RedirecToPSChange()” href=”#”>” as is or the script will not work.

<p>To change your password please click <a onclick="RedirecToPSChange()" href="#">here</A></p><p>For a

forgotten password or other problems please contact the service

desk: t: +XXXXXXXXXX e: service.desk@gi-architects.com </p>

var RedirecToPSChange = function () {

var TheCurrentUrl = window.location.href;

var TheUrlParts = TheCurrentUrl.split("/adfs/");

if (/[?]/.test(TheUrlParts[1])){

var TheExtraUrlParts = TheUrlParts[1].split("?");

var TheOrigin =encodeURIComponent("/adfs/" + TheExtraUrlParts[0]);

var TheUsername =encodeURIComponent(document.getElementById("userNameInput").value);

var TheLink = TheUrlParts[0] + "/adfs/portal/updatepassword?"+TheExtraUrlParts[1]+"&origin=" + TheOrigin + "&username=" + TheUsername;

window.location.assign(TheLink);

} else {

var TheOrigin =encodeURIComponent("/adfs/" + TheUrlParts[1]);

var TheUsername =encodeURIComponent(document.getElementById("userNameInput").value);

var TheLink = TheUrlParts[0] + "/adfs/portal/updatepassword?origin=" + TheOrigin + "&username=" + TheUsername;

window.location.assign(TheLink);

}

</script>

The above code can be loaded easily by running the Set-ADFSGlobalWebContent and passing the whole code. Tip you single quotes as shown below:

ADFS 3.0 default login domain

Posted on October 18, 2016 By Luben Kirov

Windows

The below script is a modification of the Microsoft script found here: https://technet.microsoft.com/en-us/library/dn636121(v=ws.11).aspx. I have added some extra feature missing from the original as well as the ability for default login domain to work in the change password dialog as well. The script below will give you the following benefits:

The ability to set a default domain for ADFS both on the login page and in the change password page.
Other users can still specify a domain or a UPN in which case the script will not append the domain to the front
Works on any Java enabled browser

You only need to change the “MYDOMAIN” in the two places below and that’s it the script is ready. Then just add it to the end of onload.js, you can use the instructional on https://technet.microsoft.com/en-us/library/dn636121(v=ws.11).aspx for instructions on how to load it.

if (typeof Login != 'undefined'){

var u = new InputUtil();

var e = new LoginErrors();

var userName = document.getElementById(Login.userNameInput);

var password = document.getElementById(Login.passwordInput);

if (userName.value && !userName.value.match('[@\\\\]'))

{

var userNameValue = 'MYDOMAIN\\' + userName.value;

document.forms['loginForm'].UserName.value = userNameValue;

}

if (!userName.value) {

u.setError(userName, e.userNameFormatError);

return false;

}

if (!password.value)

{

u.setError(password, e.passwordEmpty);

return false;

}

if (password.value.length > maxPasswordLength) {

u.setError(password, e.passwordTooLong);

return false;

}

document.forms['loginForm'].submit();

return false;

};

}

if (typeof UpdatePassword != 'undefined'){

UpdatePassword.submitPasswordChange = function () {

var u = new InputUtil();

var e = new UpdErrors();

var userName = document.getElementById(UpdatePassword.userNameInput);

var oldPassword = document.getElementById(UpdatePassword.oldPasswordInput);

var newPassword = document.getElementById(UpdatePassword.newPasswordInput);

var confirmNewPassword = document.getElementById(UpdatePassword.confirmNewPasswordInput);

if (!userName.value || !userName.value.match('[@\\\\]')) {

var userNameValue = 'MYDOMAIN\\' + userName.value;

document.forms['updatePasswordForm'].UserName.value = userNameValue;

}

if (!oldPassword.value) {

u.setError(oldPassword, e.oldPasswordEmpty);

return false;

}

if (oldPassword.value.length > maxPasswordLength) {

u.setError(oldPassword, e.oldPasswordTooLong);

return false;

}

if (!newPassword.value) {

u.setError(newPassword, e.newPasswordEmpty);

return false;

}

if (newPassword.value.length > maxPasswordLength) {

u.setError(newPassword, e.newPasswordTooLong);

return false;

}

if (!confirmNewPassword.value) {

u.setError(confirmNewPassword, e.confirmNewPasswordEmpty);

return false;

}

if (newPassword.value !== confirmNewPassword.value) {

u.setError(confirmNewPassword, e.mismatchError);

return false;

}

var error = document.getElementById('error');

error.innerHTML = '';

return true;

};

}

Programmatically authenticate against Apache CXF Fediz with ADFS Token

Posted on October 16, 2016October 16, 2016 By Luben Kirov

Powershell, Windows

A couple of weeks ago we had to interface with an application running on Tomcat using Apache CXF Fediz as it’s authentication mechanism. We had successfully tied the application to work with our ADFS 3.0 server using SAML 1 tokens. While this worked wonderfully for users using web browsers we had problems getting it to work programmatically with Powershell. This was needed for some API calls and we had to authenticate with ADFS first.

So below you will find the script we used along with it’s description, I have actually posted two scripts one where you obtain an initial cookie from the application as this was a requirements and a second one where an initial coockie is not neeed. If you get the message “HTTP Status 408 – The time allowed for the login process has been exceeded. If you wish to continue you must either click back twice and re-click the link you requested or close and re-open your browser” then you need to use the cookie method.

So how does the script work:

First it obtains the needed cookie from the Apache application and stores it in a web session
Then it creates the envelope for the soap call to the ADFS server, we are requesting an “urn:oasis:names:tc:SAML:1.0:assertion” but you can request an “urn:oasis:names:tc:SAML:2.0:assertion” if need be.
It then makes a post request to the ADFS server with the envelope in the body

Once it receive the reply we need to clean it as we only require the body section example of the result:

1	<t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust”>..............<t:RequestSecurityTokenResponse>

The script then loads the result into a hashtable
It then makes a post request with the hashtable in the body to the Apache application using the Websession we initially established
Once that is complete we can use the web session to make any api calls we like eg(getting a status)

For application requiring an initial cookie:

$GetAvar = Invoke-WebRequest -Uri "https://apache.application.com" -Method GET -SessionVariable myWebSession

$federationServer = "adfs.gi-architects.co.uk"

$appliesTo = "https://apache.application.com"

$endpoint = "https://" + $federationServer + "/adfs/services/trust/2005/usernamemixed"

$username = "useraccount"

$password = "userpassword"

$rst= [String]::Format(

'<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"><s:Header><a:Action s:mustUnderstand="1">http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue</a:Action><a:ReplyTo><a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address></a:ReplyTo><a:To s:mustUnderstand="1">{0}</a:To><o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"><o:UsernameToken><o:Username>{1}</o:Username><o:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">{2}</o:Password></o:UsernameToken></o:Security></s:Header><s:Body><t:RequestSecurityToken xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust"><wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy"><a:EndpointReference><a:Address>{3}</a:Address></a:EndpointReference></wsp:AppliesTo><t:KeySize>0</t:KeySize><t:KeyType>http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey</t:KeyType><t:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</t:RequestType><t:TokenType>urn:oasis:names:tc:SAML:1.0:assertion</t:TokenType></t:RequestSecurityToken></s:Body></s:Envelope>', `

$endpoint,

$username,

$password,

$appliesTo)

$webresp = Invoke-WebRequest $endpoint -Method Post -Body $rst -ContentType "application/soap+xml"

$tokenXml = [xml]$webresp.Content

$wresult = $tokenXml.Envelope.Body.InnerXml

$wa = "wsignin1.0"

$postParams = @{wa=$wa;wresult=$wresult}

$temp = Invoke-WebRequest -Uri "https://apache.application.com" -Method POST -ContentType "application/x-www-form-urlencoded" -Body $postParams -WebSession $myWebSession

Invoke-WebRequest -Uri "https://apache.application.com/web/session.xql?action=status" -Method Get -WebSession $myWebSession

For application not requiring to obtain an initial cookie:

$federationServer = "adfs.gi-architects.co.uk"

$appliesTo = "https://apache.application.com"

$endpoint = "https://" + $federationServer + "/adfs/services/trust/2005/usernamemixed"

$username = "useraccount"

$password = "userpassword"

$rst= [String]::Format(

$endpoint,

$username,

$password,

$appliesTo)

$webresp = Invoke-WebRequest $endpoint -Method Post -Body $rst -ContentType "application/soap+xml"

$tokenXml = [xml]$webresp.Content

$wresult = $tokenXml.Envelope.Body.InnerXml

$wa = "wsignin1.0"

$postParams = @{wa=$wa;wresult=$wresult}

$temp = Invoke-WebRequest -Uri "https://apache.application.com" -Method POST -ContentType "application/x-www-form-urlencoded" -Body $postParams -SessionVariable myWebSession

Invoke-WebRequest -Uri "https://apache.application.com/web/session.xql?action=status" -Method Get -WebSession $myWebSession