I've created a .net application with Azure AD B2B and it works fine, but whenever i try to login it redirect to Microsoft page there it ask for credentials then it come back to my application.
Redirects create user confusion. I want to create the full user experience without the customer leaving our Application. We want to take advantage of secure technologies though.
Is there any way to consume a Azure AD services which help us to login AzureAD without redirecting to Microsoft page?
Please advice!
This is impossible.
This is for the security consideration. The web app which protected by Azure Active Directory requires to login the users via the page proved by Microsoft. This is how OAuth 2.0 Authorization Framework work. You can refer the flow from below. The Authorization Server stands the server provided by Microsoft.
+--------+ +---------------+
| |--(A)- Authorization Request ->| Resource |
| | | Owner |
| |<-(B)-- Authorization Grant ---| |
| | +---------------+
| |
| | +---------------+
| |--(C)-- Authorization Grant -->| Authorization |
| Client | | Server |
| |<-(D)----- Access Token -------| |
| | +---------------+
| |
| | +---------------+
| |--(E)----- Access Token ------>| Resource |
| | | Server |
| |<-(F)--- Protected Resource ---| |
+--------+ +---------------+
If the web app provided the login-page to input the Azure AD account, the site looks like a phishing site which will not be trusted by users.
Related
I am trying to use Keycloak admin REST API to recreate an access token when I have a valid refresh token.
I have accomplished that, by invoking with POST /auth/realms/{realm}/protocol/openid-connect/token.
The problem is that the endpoint also returns a new refresh token each time. Is this the way a JWT authorisation flow should work?
I think the correct flow would be to only get a new access token when the auth endpoint is invoked, and when the refresh token expires, to sign in again to acquire a new refresh token; Not to get a new refresh token each time we query for a new access token.
I have also read this stack overflow post. Am I missing something here?
You may find a pic with the request below:
Using one-time refresh token is a modern best practice, because that allows the authorization server to kick out the user if the same refresh token is used twice.
How can that happen? well for example if the refresh token is stolen, then the hacker and your application will both try to use it! Otherwise it is a bit harder to detect hackers in the system
First of all you mix up two things.
Open ID Connect Authentication with JWT and Oauth authorization tokens and refresh tokens.
This are two different objects.
You will get a new OAuth refresh token each time you obtain an access token. This is the way OAuth grants you a "endless session" but with the option to deny a new access token at any try of exchange.
Also see from RFC https://datatracker.ietf.org/doc/html/rfc6749#section-1.5
+--------+ +---------------+
| |--(A)------- Authorization Grant --------->| |
| | | |
| |<-(B)----------- Access Token -------------| |
| | & Refresh Token | |
| | | |
| | +----------+ | |
| |--(C)---- Access Token ---->| | | |
| | | | | |
| |<-(D)- Protected Resource --| Resource | | Authorization |
| Client | | Server | | Server |
| |--(E)---- Access Token ---->| | | |
| | | | | |
| |<-(F)- Invalid Token Error -| | | |
| | +----------+ | |
| | | |
| |--(G)----------- Refresh Token ----------->| |
| | | |
| |<-(H)----------- Access Token -------------| |
+--------+ & Optional Refresh Token +---------------+
Figure 2: Refreshing an Expired Access Token
I am looking for the powershell scripts/commands to get the details of below points
| Key | OutPut |
| ------------------------------ | ---------------- |
| Seurity [FIPS Alogithm Policy] | Enabled/Disabled |
| Is Client SSL 2.0 Enabled? | Enabled/Disabled |
| Is Server SSL 2.0 Enabled? | Enabled/Disabled |
| Is Client SSL 3.0 Enabled? | Enabled/Disabled |
| Is Server SSL 3.0 Enabled? | Enabled/Disabled |
| Is Client TLS 1.1 Enabled? | Enabled/Disabled |
| Is Server TLS 1.1 Enabled? | Enabled/Disabled |
| Is Client TLS 1.2 Enabled? | Enabled/Disabled |
| Is Server TLS 1.2 Enabled? | Enabled/Disabled |
I have tried the below code but getting different different errors.
$Socket = New-Object System.Net.Sockets.Socket([System.Net.Sockets.SocketType]::Stream, [System.Net.Sockets.ProtocolType]::Tcp)
$Socket.Connect($ComputerName, $Port)
$NetStream = New-Object System.Net.Sockets.NetworkStream($Socket, $true)
$SslStream = New-Object System.Net.Security.SslStream($NetStream, $true)
$SslStream.AuthenticateAsClient($ComputerName, $null, $ProtocolName, $false)
I have Sql Server 2014 installed with the latest updates.
I am looking for the Correct Powershell scripts to get the details for the FIPS Algorithm status and the status of protocol (SSL and TLS) for client/server.
I tried the above code but its not working.
Is it possible to manually map all users when switching the Azure Active Directory connection for Azure DevOps?
The directory that we're switching to has guest accounts for the source UPN set up for 95% of the users in ADO, so they're automatically mapped. Rather than that happening, we'd like to map each source user to their new UPN in the destination domain.
What's happening
| Source UPN | Source Type | | Destination UPN | Destination Type |
| ---------- | ----------- | ---- | --------------- | ---------------- |
| user#a.com | Member | \ | user#b.com | Member |
| | | -> | user#a.com | Guest |
What we want to happen
| Source UPN | Source Type | | Destination UPN | Destination Type |
| ---------- | ----------- | ---- | --------------- | ---------------- |
| user#a.com | Member | ---> | user#b.com | Member |
| | | | user#a.com | Guest |
Is it possible to manually map all users when switching the Azure Active Directory connection for Azure DevOps?
I am afraid there is no such way to manually map all users when switching the AAD connection for Azure DevOps. Automatically map behavior is by designed, in order to provide us with convenience when switching AAD.
If we want to manually map the users, we need to delete those users from target AAD before switching AAD. In this case, when we switch AAD, Azure Devops says "X member(s) of the xxx organization can't sign in because they're not in the XX AAD. Delete any unwanted users in Organization settings, and then Resolve for remaining members.". Hit the resolve button a page shows up with the Users, then we can match them manually.
In my Windows Firewall, I've created certain rules that give me more control over my PC. But my rules have become somewhat useless since Windows and other apps are kept adding rules that I don't want.
I've tried to prevent this from happening, but the only way I've found is to use a third-party tool like Tinywall, which isn't exactly what I'm looking for.
So, to fix this, I want to create a PowerShell script that will disable and rename all rules that are not added by me. This way, I can manage them easily.
Rules that are added by me can be easily recognized because all of them start with certain words.
In this case, let's assume it starts with either 'Sample XYZ' or 'Sample ABC'.
Sample XYZ - Windows Update
Sample ABC - MPC-HC
Sample ABC - Firefox
Sample XYZ - Windows News
So far, this is what I have done.
In this part, the script will filter all the rules that I have created and then it'll disable & block all other rules.
To my surprise, this is working as expected.
# This will get all firewall rules
$NR = Get-NetFirewallRule
# This will exclude all the rules added by the user
$NR = $NR | Where-Object DisplayName -NotMatch "Sample ABC"
$NR = $NR | Where-Object DisplayName -NotMatch "Sample XYZ"
# Disable all other rules that are not added by the user
$NR | Set-NetFirewallRule -Enabled False
# Set rules' action to block
$NR | Set-NetFirewallRule -Action Block
These are the parts that don't work.
Task: Add a custom word to the beginning of the rules' display name
Example: If a rule name is 'Microsoft Photos', then it'll be renamed to 'IDWTFR - Microsoft Photos'.
# Add a custom word to the beginning of the rules' display name
# Custom word = 'IDWTFR - '
# Attempt 01: Fail
$NR | Set-NetFirewallRule -DisplayName "IDWTFR - " + $NR.DisplayName
# Attempt 02: Fail
$NR = $NR | ForEach-Object -MemberName DisplayName "IDWTFR - " + $NR.DisplayName | Set-NetFirewallRule
Task: Add unwanted rules to a group named 'Junk Rules'.
# Add to a group
# Attempt 01: Fail
$NR | Set-NetFirewallRule -DisplayGroup "Junk Rules"
To clarify it a bit more, this is the summary of what I am trying to do.
+-----------------------------+---------------------------+----------------+----------------+----------------+-------------+
| Rule Name | New Rule Name | Group | Action | Status | Created by |
+-----------------------------+---------------------------+----------------+----------------+----------------+-------------+
| Sample XYZ - Windows Update | Same as before | Same as before | Same as before | Same as before | User |
| Sample ABC - MPC-HC | Same as before | Same as before | Same as before | Same as before | User |
| Sample ABC - Firefox | Same as before | Same as before | Same as before | Same as before | User |
| Sample XYZ - Windows News | Same as before | Same as before | Same as before | Same as before | User |
| Microsoft Photos | IDWTFR - Microsoft Photos | Junk Rules | Block | Disable | Not by user |
| App Installer | IDWTFR - App Installer | Junk Rules | Block | Disable | Not by user |
| Feedback Hub | IDWTFR - Feedback Hub | Junk Rules | Block | Disable | Not by user |
| Microsoft Edge | IDWTFR - Microsoft Edge | Junk Rules | Block | Disable | Not by user |
+-----------------------------+---------------------------+----------------+----------------+----------------+-------------+
I'm new to PowerShell, so any help will be appreciated. Thanks.
Since this is your special use case, it's going to a challenge for one to validate without setting up an environment as close as possible to what you show here. I am in no position to do that.
Yet, looking at what you say you have done, here is a refactor option to try. Refactor a bit (again, not tested)
# Get all firewall rule name, and filter out the named rules
Get-NetFirewallRule |
Where-Object -Property Name -notlike 'Sample ABC|Sample XYZ' |
ForEach {
# Disable all other rules that are not added by the user
Set-NetFirewallRule -Name $PSItem.DisplayGroup -Enabled False
# Set rules' action to block
$PSItem.DisplayName |
Set-NetFirewallRule -Action Block
# Rename firewall rule
If ($PSItem.DisplayName -like '*Microsoft*')
{Rename-NetFirewallRule -Name $PSItem.DisplayName -NewName "IDWTFR-$($PSitem.DisplayName)"}
# Create new firewall group
$PSItem.Group = 'JunkRules' |
Set-NetFirewallRule -NewDisplayName $PSItem.DisplayName
}
Is it possible to run and access a mesos master on a machine that is placed behind a proxy?
I have successfully succeeded to deployed a MesosMaster/Marathon/MesosSalve on my local infrastructure.
The problem arises when I want to put the MesosSlave somewhere in the internet, so that MesosSlave and MesosMaster shall communicate through public IPs
My conf is the following:
Internet My Infra
.----------------------. .-----------------. .-----------------. .-------------------------------------------------.
| Mesos Slave VM | | Front Machine | | Proxy | | Tool-VM |
| 178.22.17.248 | | 39.224.147.94 | | 10.2.0.57 | | 10.1.10.176 |
|----------------------| | my.domain.com | |-----------------| | 192.168.5.1 (docker bridge) |
| | |-----------------| | | |-------------------------------------------------|
| | | | | | | |
| __________ | | __________ | | __________ | | .-----------------------------. |
| [_...__..5051.°]| |[_..5050.__...°] |<---|[_..5050.__...°] |<------------^| | Mesos-Master Container | |
| | | | | | \ __________ | 192.168.5.4 (docker bridge) | |
| | | __________ | | __________ | |[_..5050.__...°]^|-----------------------------| |
| | |[_..2181.__...°] |<---|[_..2181.__...°] |<------------^| \ __________ | |
| | | | | | \ __________ |[_..5050.__...°] | |
| | | | | | |[_..2181.__...°]^| __________ | |
| | | | | | | \[_..2181.__...°] | |
| | | | | | | '-----------------------------' |
'----------------------' '-----------------' '-----------------' '-------------------------------------------------'
However:
My domain infra redirect everthing that arrives from outside on ports 5050 (for Mesos) and port 2181 (zookeeper) ONLY for requests that are addressed to the domain 'my.domain.com' (which is a virtualhost of 39.224.147.94). But not for the other requests (that are arriving on 39.224.147.94).
So I try to execute the service through CLI for the moment:
Execute Mesos Master(in Mesos Master Container)
/usr/sbin/mesos-master --ip=192.168.5.4 --work_dir=~/Mesos/mesos-0.23.0/workdir/ --zk=zk://192.168.5.4:2181/mesos --quorum=1 --log_dir=/var/log/mesos --external_log_file=/dev/stdout
Execute Marathon (in Mesos Master Container)
/usr/bin/marathon --zk zk://192.168.5.4:2181/marathon --master zk://my.domain.com:2181/mesos
Execute Mesos Slave (in Mesos Slave VM)
/usr/sbin/mesos-slave --master=my.domain.com:5050 --work_dir=/var/lib/mesos/agent --port=8009 --containerizers=docker --executor_registration_timeout=3mins --log_dir=/var/log/mesos
The Mesos Master can see the Slave resources.
However, when I send a Job through Marathon, this job stay in a waiting state.
It seems that the slave is not able to communicate on the hostname of the Master, but only using it's public IP:
I have this in the Slave logs:
New master detected at master#39.224.147.94:5050
However incoming traffic on 39.224.147.94:5050 is blocked by my infra (only my.domain.com:5050 is accepted)
So, is it possible to create a connection between Master and Slaves, using domain names, but not IPs?
It's a bit confusing to bee honest. What I don't understand is that you seem to use the 192.168.5.4 ip for the Master process, but it's nowhere to be found in your diagram. I'd expect to use 39.224.147.94 instead.
Furthermore, I'd recommend to use the ip addresses instead of hostname in all connection strings, you're using a mixture...
Additionally, you can try to set the LIBPROCESS_IP environment variable to the respective ip addresses for the agent and Marathon processes.
Another question would be why you use such an old version of Mesos... Mesos 1.1.0 is out already!