Fixing invalid SamAccountName in Azure AD Domain Services

An Azure AD user had originally been created with a typo in his name. All the attributes had since been fixed, or so it looked.

Everything else worked fine, but this particular user could not log on to the Remote Desktop servers joined to Azure AD Domain Services with his domain\username style account.

It turned out the old name (which had been fixed) was still there. Running the command:

Get-ADUser -Filter 'Name -like "John*"'

revealed that the user's SamAccountName attribute still contained the typo. The same thing was visible in “Active Directory Users and Computers”, in the pre-Windows 2000 logon name field.

The fix was simple. The SamAccountName is synced from Azure Active Directory, where the attribute is called “mailNickname”. The az command-line tool can be used to update the attribute:

az ad user update --id john.doe@example.org --mail-nickname john.doe

After waiting a while, the SamAccountName had been updated on the Azure AD Domain Services managed domain.
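
The same problem can be caught before a user calls the helpdesk. The script below is an added example, not part of the original post: it audits the managed domain for users whose SamAccountName (synced from mailNickname) does not match the local part of their UserPrincipalName, the convention the post relies on (john.doe@example.org vs. john.doe). It assumes the ActiveDirectory RSAT module on a management VM joined to the managed domain; the OU name in the parameter comment is a constructed example.

```powershell
# Added example, not from the original post: find AAD DS users whose
# SamAccountName does not match the local part of their UPN.
Import-Module ActiveDirectory

function Find-SamAccountNameMismatch {
    param(
        # Optional OU to limit the search, e.g. "OU=AADDC Users,DC=example,DC=org"
        # (constructed value; AAD DS keeps synced users in the "AADDC Users" OU)
        [string]$SearchBase
    )
    $query = @{
        Filter     = 'Enabled -eq $true'
        Properties = 'UserPrincipalName', 'SamAccountName', 'whenChanged'
    }
    if ($SearchBase) { $query.SearchBase = $SearchBase }

    Get-ADUser @query | ForEach-Object {
        if (-not $_.UserPrincipalName) { return }      # no UPN, nothing to compare
        $expected = ($_.UserPrincipalName -split '@')[0]
        # SamAccountName is limited to 20 characters, so a longer UPN prefix can
        # never match exactly; compare against the first 20 and say so in the report
        $truncated = $expected.Length -gt 20
        if ($truncated) { $expected = $expected.Substring(0, 20) }
        # -ne is case-insensitive in PowerShell, which matches AD's own semantics
        if ($expected -ne $_.SamAccountName) {
            [pscustomobject]@{
                UserPrincipalName = $_.UserPrincipalName
                SamAccountName    = $_.SamAccountName
                Expected          = $expected
                Reason            = if ($truncated) { 'mismatch (UPN prefix over 20 chars)' } else { 'mismatch' }
                LastChanged       = $_.whenChanged
            }
        }
    }
}

# Fix each hit in Azure AD, not in the managed domain, which the next sync
# would overwrite:  az ad user update --id <upn> --mail-nickname <expected>
Find-SamAccountNameMismatch | Format-Table -AutoSize
```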

Posted in Azure |

Using Azure.Storage module from Azure PowerShell function

I was building a simple tool to automate some uploads to Azure Blob Storage from Azure Functions. I decided to use PowerShell for that, since, well, it sounds like a job for PowerShell!

Getting the script to work on my computer was easy; getting it to work on Azure Functions was not that easy. I wanted to use the Azure.Storage PowerShell module, and it turns out you need to get a few small things right for this to work. Looking back, it would have been easier to just use the built-in Invoke-WebRequest to do the uploads as well.

File structure from my project:

MyProj
+-- MyFunction/
|   +-- function.json
|   +-- run.ps1
+-- Modules/
|   +-- Azure.Storage/
|       +-- 4.6.1/
|           +-- (lots of files)
+-- host.json
+-- requirements.psd1

The Modules folder contains the external Azure.Storage module my script needs. I downloaded it using the following command. This also downloaded the AzureRM module into the folder, but I simply removed that since it is not needed (scroll down to see why).

Save-Module Azure.Storage -Path .\Modules

In host.json we enable managed dependencies. This allows the Az module to be used without including it separately in the project:

{
    "version": "2.0",
    "managedDependency": {
        "enabled": true
    }
}

requirements.psd1 simply references the Az module:

@{
    Az = "1.*"
}

I’m using a timer to trigger the function, so function.json is straightforward. By the way, some examples omitted the “name” in the bindings, but omitting it seemed to cause errors.

{
    "bindings": [
        {
            "name": "Timer",
            "type": "timerTrigger",
            "direction": "in",
            "schedule": "0 0 7 * * Mon"
        }
    ]
}

Below is an excerpt from the function itself, run.ps1; I have omitted the actual functionality. The important thing is to call Enable-AzureRmAlias. This is needed because managed dependencies work with the new Az modules, while the old Azure.Storage library wants to use the AzureRM modules (which I could not get to work with Azure Functions). Calling Enable-AzureRmAlias creates aliases that point to the new Az cmdlets.

param($Timer)
Enable-AzureRmAlias
$context = New-AzureStorageContext -ConnectionString "BlobEndPoint..."
Set-AzureStorageBlobContent -Force -Context $context -Container "MyContainer" -File myFile.txt
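
For comparison, here is the same upload done with the Az.Storage cmdlets that the managed dependency (requirements.psd1: Az = "1.*") already provides, so neither the bundled Azure.Storage module nor Enable-AzureRmAlias is needed. This is an added example, not the post's own run.ps1; it assumes the connection string is kept in a function app setting named STORAGE_CONNECTION (a constructed name) rather than in the script, and that the container already exists.

```powershell
# Added example, not the post's run.ps1: upload with Az.Storage via managed dependencies.
param($Timer)

# Read the connection string from an app setting (constructed name), never from code
$connectionString = $env:STORAGE_CONNECTION
if (-not $connectionString) {
    throw "App setting STORAGE_CONNECTION is not configured"
}

$context = New-AzStorageContext -ConnectionString $connectionString

# Blob container names must be lowercase; -Force overwrites an existing blob
$blob = Set-AzStorageBlobContent -Force -Context $context `
    -Container "mycontainer" `
    -File (Join-Path $PSScriptRoot "myFile.txt") `
    -Blob "myFile.txt"

Write-Host "Uploaded $($blob.Name), $($blob.Length) bytes"
```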
 
Posted in Azure |

Site-to-site VPN with Meraki and Azure

After setting up point-to-site VPNs on Azure, I thought I’d just throw in quickly also a site-to-site connection between the office Meraki MX device and the Azure VPN gateway.

It turned out not to be so straightforward. The VPN gateway on Azure was route-based, which means IKEv2. To my surprise the Cisco Meraki devices don’t support IKEv2, only IKEv1. There’s a long-running discussion thread on the Meraki support site about this topic. It seems you should not hold your breath waiting for IKEv2 support to arrive.

The incompatibility between Azure and Meraki is also stated in the Azure documentation. Apparently there are also potential compatibility issues with the policy-based VPN gateways, as Microsoft says Meraki is “not supported” with them as well. Meraki also points out the potential issues on their support pages.

The official recommendation from Meraki is to just go with the vMX100 virtual appliance, which is available on both AWS and Azure.

Another option seems to be running a custom VM with Ubuntu/strongSwan. Maybe pfSense would also do.

Edit, 20th of May 2019: according to discussions on the Meraki site, IKEv2 support is finally rolling out. It requires the latest firmware, and you need to ask support to enable the feature.

Posted in Azure |

Ping with timestamps

Sometimes it is handy to run ping in the background to monitor network connectivity. Combine PowerShell with the PsPing utility from Microsoft Sysinternals and you get a nice logging solution which shows a timestamp and the ping result on each line.

Ordinary ping:

psping -t -i 10 server1.example.org | Foreach { "{0} - {1}" -f (Get-Date), $_ } | Tee-Object -FilePath ping_log.txt

TCP port ping:

psping -t -i 10 server1.example.org:80 | Foreach { "{0} - {1}" -f (Get-Date), $_ } | Tee-Object -FilePath port_log.txt

Explanations:

  • -t parameter means run until stopped
  • -i 10 means ping every 10 seconds
  • The PowerShell Foreach loops through the results and adds a timestamp to each line
  • PowerShell Tee-Object is like the Unix tee command: it both saves the input to a file and passes it on to stdout

Credits for the Foreach ping solution: http://stackoverflow.com/a/40591307/350615

Posted in Windows |

Git on Windows & Github, authentication suddenly stopped working

I’m using GitHub 2FA and git on Windows with the Windows Credential Store credential helper. This can be configured with:

git config --global credential.helper wincred

A couple of times git has suddenly started complaining “remote: Repository not found” when trying to pull an existing project. I haven’t figured out what causes this, but this solution works:

  1. Clear the existing credentials. This is done by starting the Windows “Credential Manager”: just type this into “Run…” or find it via the Control Panel (it is part of Windows). Look for GitHub-related entries and remove them.
  2. After this, git should ask again for your username when you try an operation that requires authentication. With two-factor authentication you can’t just enter the username and password. Instead of the password you need to use a “personal access token”, which can be generated on the GitHub web pages: click your profile icon and select “Personal access tokens” from the menu on the left. Generate a new token or reset the existing one so that you get access to the token, which is a hex string.
  3. Log in with your GitHub username and the access token. Once you have done this, you should see an entry for git:https://<username>@github.com in the Windows Credential Manager.
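
Step 1 can also be done from PowerShell instead of the Credential Manager UI. The function below is an added example, not part of the original post: "git credential reject" asks the configured helper (wincred here) to erase its stored entry for the host, so the next authenticated git operation prompts for the username and personal access token again. It assumes git.exe is on the PATH and uses cmdkey.exe, which ships with Windows, only to show what the store holds before and after.

```powershell
# Added example, not from the original post: clear the stored GitHub credential
# through git's own credential protocol rather than the Credential Manager UI.
function Reset-GitHubCredential {
    param([string]$GitHost = 'github.com')

    # cmdkey /list prints the stored targets, e.g.
    # "Target: LegacyGeneric:target=git:https://github.com"
    $before = @(cmdkey /list | Select-String -SimpleMatch $GitHost)

    # The credential protocol takes key=value lines ended by a blank line.
    # No username is given, so the helper matches the host for any stored user.
    "protocol=https`nhost=$GitHost`n" | git credential reject

    $after = @(cmdkey /list | Select-String -SimpleMatch $GitHost)

    [pscustomobject]@{
        Host          = $GitHost
        EntriesBefore = $before.Count
        EntriesAfter  = $after.Count
    }
}

Reset-GitHubCredential
```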

Posted in Misc |

QC35, Windows, Bluetooth audio

I started investigating pairing problems between my Bose QC35 headphones/headset and Windows. At first I was wondering why I actually saw two separate QC35 devices with different icons in the pairing list. Soon I figured out that one was the “headphones” and the other the “hands-free” device. If I just wanted to listen to audio, the headphones were enough. In order to use the QC35 in Skype, I had to enable the other one as well. For headphone use the audio quality was acceptable. In Skype it was quite horrible, which was not something I expected. Something had to be wrong, so I started digging.

Bluetooth specifications define a bunch of profiles for different services. For this post the relevant profiles are A2DP (Advanced Audio Distribution Profile), HFP (Hands-Free Profile) and HSP (Headset Profile). When you are listening to high quality sound through your Bluetooth headphones, you are using A2DP. A2DP supports stereo sound and the quality is reasonably good. For headset use A2DP is no good: it can only transport audio in one direction (and in addition it has a somewhat higher latency, something like 120 ms). In order to also use the microphone in the headset (to transfer audio to the computer) you need to switch to HFP/HSP.

The audio quality of standard HFP is not exactly stunning. To make things better, version 1.6 of the profile introduced support for wideband audio. This is implemented using the same SBC codec that is mandatory for the A2DP profile. To make things complicated, wideband audio is not a mandatory feature of the 1.6 specification.

Apparently some manufacturers are not very forthcoming about the Bluetooth profiles and versions they support. Despite some serious Googling I was unable to find an official specification document from Bose. Luckily manufacturers are required to submit very detailed information about their Bluetooth compatibility to the Bluetooth SIG, and the information is published on Bluetooth.org.

Looking things up is pretty easy. Head to their “search for listings” page and type in the name of the product, in this case “QuietComfort 35”. From the results pick the right product, and from the details page choose “Display ICS details”. The information we are interested in can be found on the “Profile ICS” tab. The codec for wideband audio is called mSBC (I assume the “m” stands for “mono”). In the table for the QC35 you can see that this is not supported. So no wideband audio for the QC35. I found this somewhat surprising; I would have assumed the flagship device from Bose would come with all the goodies.

Another top-of-the-line product is the Sennheiser PXC 550. I checked the Bluetooth.org listing and it is the same thing: no wideband audio support. However, the listing shows the PXC 550 does support aptX. I have yet to figure out whether this is just for playback or whether it applies to the recording side as well.

I then continued the investigation with my old and forgotten Nokia Purity Pro headset. This is already a quite old device, from around 2012. To my surprise, the pages show mSBC as supported for the Nokia Purity Pro.

OK, so my headphones don’t support wideband audio, but how about my computer? I’m running a trusty old Lenovo T440p with an Intel Bluetooth chip. Intel claims support for wideband speech, but they also say Windows 8 and Windows 8.1 support the audio profiles natively, which I believe means that I need to check what Windows supports. This information can be found on MSDN: in the Bluetooth Version and Profile Support in Windows 10 document Microsoft specifies that the HFP version supported is 1.5, which indicates that wideband audio is not supported (this is different for Windows Phone 10, which does support 1.6).

Posted in Misc |

Get SSL cert in PFX format using OpenSSL

Steps for getting an SSL certificate in PFX format (suitable for Azure, for example):

openssl req -new -nodes -keyout mycert.key -out mycert.csr -newkey rsa:2048

Upload the CSR, get the certificate and save it to a local file. Get the intermediate certificates (if needed).

Concatenate the intermediate certs into one file:

cat AddTrustExternalCARoot.crt COMODORSA* > intermediates.crt

Export:

openssl pkcs12 -chain -export -out mycert.pfx -inkey mycert.key -in mycert.crt -CAfile intermediates.crt
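
Before handing the PFX to Azure it is worth checking that the key actually belongs to the certificate, that the chain validates, and that the export packed every certificate. The functions below are an added example, not part of the original post; they are written for PowerShell with openssl on the PATH (Git for Windows ships one) and use the file names from the steps above.

```powershell
# Added example, not from the original post: sanity checks around the PFX export.
function Test-KeyMatchesCert {
    param([string]$Cert = 'mycert.crt', [string]$Key = 'mycert.key')
    # The RSA modulus printed for the certificate and for the private key must be
    # identical; otherwise the PFX packages a key that does not belong to the
    # certificate and the TLS handshake fails once it is deployed.
    $certModulus = openssl x509 -noout -modulus -in $Cert
    $keyModulus  = openssl rsa  -noout -modulus -in $Key
    return ($certModulus -eq $keyModulus)
}

function Test-CertChain {
    param(
        [string]$Cert = 'mycert.crt',
        [string]$Intermediates = 'intermediates.crt',
        [string]$Root            # optional root CA file if openssl has no default store
    )
    # -untrusted marks the intermediates as chain material that must still lead
    # to a trusted root; "-chain" in the export step packs the same chain into the PFX
    $opts = @('verify', '-untrusted', $Intermediates)
    if ($Root) { $opts += @('-CAfile', $Root) }
    $null = & openssl @opts $Cert
    return ($LASTEXITCODE -eq 0)
}

function Get-PfxCertificateCount {
    param([string]$Pfx = 'mycert.pfx', [securestring]$Password)
    # -nokeys keeps the private key out of the output and -passin stdin keeps the
    # password off the command line; expect 1 leaf plus the intermediates
    $plain = [System.Net.NetworkCredential]::new('', $Password).Password
    $pem = $plain | openssl pkcs12 -in $Pfx -nokeys -passin stdin
    return @($pem | Where-Object { $_ -eq '-----BEGIN CERTIFICATE-----' }).Count
}

Test-KeyMatchesCert
Test-CertChain
Get-PfxCertificateCount -Password (Read-Host -AsSecureString 'PFX password')
```

Because the key was generated with -nodes it sits unencrypted in mycert.key; once the PFX exists, delete that file or restrict it to the account doing the deployment.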

Posted in Azure |

Azure, add IP address to cloud service

Azure now supports multiple IP addresses per cloud service. This means you can, for example, host multiple web sites, each on a different IP address, on one cloud service (1..n virtual machines).

Right now it seems to be possible to manage this only via the Azure PowerShell cmdlets. After adding a secondary IP to my cloud service I was no longer able to manage the endpoints via the Azure management web site or the command line tools.

In brief, the commands to create a new reserved IP address and create a load balancer that uses the IP are the following:

# Create a new reserved IP address
New-AzureReservedIP -ReservedIPName "MyIP" -Location "West Europe"

# Create load balancer and end points that use the reserved IP
# Here I'm adding it to two virtual machines which are part of the cloud service
Get-AzureVM -ServiceName myservice -Name vm01 `
| Add-AzureEndpoint -Name myEndpoint -LoadBalancedEndpointSetName http `
    -Protocol tcp -LocalPort 8001 -PublicPort 80 -VirtualIPName MyIP -DefaultProbe `
| Update-AzureVM

Get-AzureVM -ServiceName myservice -Name vm02 `
| Add-AzureEndpoint -Name myEndpoint -LoadBalancedEndpointSetName http `
    -Protocol tcp -LocalPort 8001 -PublicPort 80 -VirtualIPName MyIP -DefaultProbe `
| Update-AzureVM

# To see the endpoints for a VM
Get-AzureVM -ServiceName myservice -Name vm01 | Get-AzureEndpoint

Posted in Azure |

Azure CLI tools, Credentials have expired, please reauthenticate

After installing the Azure CLI tools and trying to use them for the first time on Windows, I started getting the error message “Credentials have expired, please reauthenticate. Detailed error message from ADAL is as follows: Error: Entry not found in cache.” A regular logout/login did not fix the issue in my case.

I did not figure out the exact reason for the error, but the fix was simple. First log out using:

azure logout <username>@<domain>

Then issue a command to clean up(?) the credentials:

%APPDATA%\npm\node_modules\azure-cli\bin\windows\creds.exe  -d -t AzureXplatCli:target=* -g

After that, log in again.

Posted in Azure |

IntelliJ IDEA: Maven home directory is invalid

When creating a new project based on a Maven archetype, IntelliJ IDEA wants to know certain Maven-related directories. It took a few minutes to figure out what IDEA actually wants here, and answering wrong gives the not very informative “Maven home directory is invalid” error message.

The Maven home directory is the place where your Maven installation is located. It is not your personal Maven directory, which on Windows is usually c:\users\<username>\.m2.

The “Maven home directory is invalid” message would be a lot more helpful if IDEA would tell WHY it thinks the directory is not valid. If you are trying to find a specific file or subdirectory – please tell me.

Posted in Misc |