Contact

Subscribe via Email

Subscribe via RSS/JSON

Categories

Creative Commons Attribution 4.0 International License
© Rakhesh Sasidharan

Elsewhere

[Aside] Quote

Listening to “The End of the Affair” narrated by the amazing Colin Firth (a pleasure so far to listen to! wow). This sentence caught my attention:

How twisted we humans are, and yet they say a God made us; but I find it hard to conceive of any God who is not as simple as a perfect equation, as clear as air.

[Aisde] Random Stuff

Changing the colors in Vim so it looks better in PuTTY. I live with this usually (as I don’t spend much time in Linux nowadays) until I Googled today and found an easy fix for this. Thanks to this post: “:color desert” (where desert is an example color).

Testing SSL in SMTP (thanks to):

That link is a good reference on Postfix SSL too.

[Aside] Various ADFS links

No biggie, just as a reference to myself:

[Aside] Quote

Came across this when listening to “Fahrenheit 451”:

We cannot tell the precise moment when friendship is formed. As in filling a vessel drop by drop, there is at last a drop which makes it run over; so in a series of kindnesses there is at last one which makes the heart run over.

It’s from a book by James Boswell and the full paragraph is worth reading.

[Aside] Various Azure links

My blog posting has taken a turn for the worse. Mainly coz I have been out of country and since returning I am busy reading up on Azure monitoring.

Anyways, some quick links to tabs I want to close now but which will be useful for me later –

  • A funny thing with Azure monitoring (OMS/ Log Analytics) is that it can’t just do simple WMI queries against your VMs to check if a service is running. Crazy, right! So you have to resort to tricks like monitor the event logs to see any status messages. Came across this blog post with a neat idea of using performance counters. I came across that in turn from this blog post that has a different way of using the event logs.
  • We use load balancers in Azure and I was thinking I could tap into their monitoring signals (from the health probes) to know if a particular server/ service is up or down. In a way it doesn’t matter if a particular server/ service is down coz there won’t be a user impact coz of the load balancer, so what I am really interested in knowing is whether a particular monitored entity (from the load balancer point of view) is down or not. But turns out the basic load balancer cannot log monitoring signals if it is for internal use only (i.e. doesn’t have a public IP). You either need to assign it a public IP or use the newer standard load balancer.
  • Using OMS to monitor and send alert for BSOD.
  • Using OMS to track shutdown events.
  • A bit dated, but using OMS to monitor agent health (has some queries in the older query language).
  • A useful list of log analytics query syntax (it’s a translation from old to new style queries actually but I found it a good reference)

Now for some non-Azure stuff which I am too lazy to put in a separate blog post:

  • A blog post on the difference between application consistent and crash consistent backups.
  • At work we noticed that ADFS seemed to break for our Windows 10 machines. I am not too clear on the details as it seemed to break with just one application (ZScaler). By way of fixing it we came across this forum post which detailed the same symptoms as us and the fix suggested there (Set-ADFSProperties -IgnoreTokenBinding $True) did the trick for us. So what is this token binding thing?
    • Token Binding seems to be like cookies for HTTPS. I found this presentation to be a good explanation of it. Basically token binding binds your security token (like cookies or ADFS tokens) to the TLS session you have with a server, such that if anyone were to get hold of your cookie and try to use it in another session it will fail. Your tokens are bound to that TLS session only. I also found this medium post to be a good techie explanation of it (but I didn’t read it properly*). 
    • It seems to be enabled on the client side from Windows 10 1511 and upwards.
    • I saw the same recommendation in these Microsoft Docs on setting up Azure stack.

Some excerpts from the medium post (but please go and read the full one to get a proper understanding). The excerpt is mostly for my reference:

Most of the OAuth 2.0 deployments do rely upon bearer tokens. A bearer token is like ‘cash’. If I steal 10 bucks from you, I can use it at a Starbucks to buy a cup of coffee — no questions asked. I do not want to prove that I own the ten dollar note.

OAuth 2.0 recommends using TLS (Transport Layer Security) for all the interactions between the client, authorization server and resource server. This makes the OAuth 2.0 model quite simple with no complex cryptography involved — but at the same time it carries all the risks associated with a bearer token. There is no second level of defense.

OAuth 2.0 token binding proposal cryptographically binds security tokens to the TLS layer, preventing token export and replay attacks. It relies on TLS — but since it binds the tokens to the TLS connection itself, anyone who steals a token cannot use it over a different channel.

Lastly, I came across this awesome blog post (which too I didn’t read properly* – sorry to myself!) but I liked a lot so here’s a link to my future self – principles of token validation.

 

* I didn’t read these posts properly coz I was in a “troubleshooting mode” trying to find out why ADFS broke with token binding. If I took more time to read them I know I’d get side tracked. I still don’t know why ADFS broke, but I have an idea.

[Aside] Quote from Mythos

Listening to Stephen Fry’s Mythos and I loved this epitaph from one of the stories. That of Phaëthon, son of Phoebus Apollo the sun God, who rode his father’s sun chariot for a day but lost control and ended up scorching Africa in the process (thus creating the Sahara desert). This epitaph was offered by the American classicist Edith Hamilton.

Here Phaëthon lies who in the sun-gods chariot fared.
And though greatly he failed, more greatly he dared.

[Aside] Sherlock Holmes quote

Was listening to “The Mystery of the Cardboard Box” in the bus after a particularly shitty day and loved this ending paragraph. It resonated with me.

“What is the meaning of it, Watson? said Holmes solemnly as he laid down the paper. “What object is served by this circle of misery and violence and fear? It must tend to some end, or else our universe is ruled by chance, which is unthinkable. But what end? There is the great standing perennial problem to which human reason is as far from an answer as ever.”

[Aside] Meetings without slides

Liked this –

For every meeting, someone from the meeting has prepared a six-page, narratively structured memo that has real sentences and topic sentences and verbs. It’s not just bullet points. It’s supposed to create the context for the discussion we’re about to have.

Especially the point about creating context.

This is from an interview with Jeff Bezos where he mentions Amazon has banned PowerPoint presentations in meetings.

By forcing the presenter to creative a narrative it gets them thinking more about the topic and understand the topic well. Similarly by forcing the attendees to read the memo it forces them to not just skim through the slides but to internalize it. Nice!

[Aside] Various DNS stuff

No point to this post except as a reference for my future self. I wanted to mention some of the links here to a colleague of mine today but couldn’t remember them. Finally had to search through my browser history. Easier to just put them here for later reference. :)

Via this Pi-Hole page – OpenNIC and DNS.Watch. Both are for uncensored results etc., with the former having additional TLDs too. Sadly neither supports edns-client-subnet so I can’t really use it. :( If I query www.google.com via one of these I get results that are 150-220ms away. Same query via Google DNS or OpenDNS gives me results that are 8ms away!

I hope to implement DNSCrypt-proxy on my Asus router this weekend (time permitting). Seems to be straight-forward to setup on Asus Merlin as there’s an installer and also available via AMTM. My colleague is currently using DNSCrypt.nl as the upstream resolver, but he also mentioned an alternative he hopes to try.

It’s funny there’s a lot more talk about DNS encryption these days. I happened to get on it coz I got the Asus Merlin running at home again recently and also coz of the CloudFlare DNS announcement. I’ve generally been in a geeky mode since then and checking out things like Pi-Hole etc. And just the other day I read an Ars Technica article about DNS encryption and today it turns out my colleague implemented DNSCrypt at his home just today morning.

Something else I hope to try – dunno where though – is the Knot DNS Resolver.

Lastly, totally unrelated but as a reference to myself – I didn’t know there was an open source version of the Synology OS called XPEnology, and I didn’t know of these picoPSU power supplies. So cool! Also, Netgear R7800 seems to be a good router to keep in mind for the future.

Bug in Apple ad

Came across this Verge article today about a bug in iOS now appearing in an ad. Funny!

I’ve been hating iOS since version 11. It’s not as butter smooth as before. There’s jerky animations, regular crashes, an overall feeling of something not right. In fact, I switched to the iOS Beta channel on my main device last month hoping that at least any newer fixes will get pushed there first (along with any newer bugs too, but I am stuck with those anyways :p). Gone are the days when iOS was stable and “just worked”.

I don’t mind the mismatched fonts and stuff. Yes they reflect an attention to lack of detail and are symptomatic of the larger problem but I can live with those. It’s just the jarry animations and general slowness that get to me.

On top of that Audible on iPhone – which probably my #1 used app – is rubbish. It constantly freezes and crashes. Irritating!

[Aside] ESXi and NTP

Two posts as a reference to myself –

[Aside] Web Servers

I came across these recently and wanted to put them here as a bookmark to myself.

  • h5ai – A modern file browsing UI for web server. Looks amazing!
  • HFS – HTTP File Server. It’s a web server and also a way to send and receive files over HTTP. I haven’t used it by my colleagues recently did.
  • Fenix – A web server you can run on your desktop or laptop. Looks nice too!
  • TinyWeb – A very tiny web server you can run on your desktop or laptop.
  • Caddy – an HTTP/2 web server with automatic HTTPS. Got to check it out sometime.

[Aside] XenApp beta testing with Application Groups

Application Groups is a new feature introduced in XenApp and XenDesktop 7.9 (speaking of which: XenApp and XenDesktop are the same thing just that different functionality is exposed based on the license. I kind of knew this, but thanks to proper testing by James Rankin as shown in his YouTube video I can now say this with confidence). I’d thought of writing a blog post on this but (a) I am lazy and (b) this blog post from Citrix explains it much better. Take note of the example they give with beta testers – that’s just what I do in my environment too.

Machine Catalogs contain your machines. Delivery Groups target a subset (or entirety) of the machines in a Machine Catalog. Delivery Groups can contain machines from multiple Machine Catalogs but a single machine can only be a member of one Delivery Group.

Typically you’d create Machine Catalogs and assign machines from these to a Delivery Group. Then you’d define applications in the Delivery Group and assign users who can access them. When you use Application Groups, however, you continue to assign users in Delivery Groups but now you associate the Application Group with one or more Delivery Groups and define applications in the Application Group. You can set priorities for the Delivery Groups within an Application Group, and if an application is present in more than one Delivery Group (and the user launching the application has permissions to these Delivery Groups) then it is launched from the Delivery Group with the higher priority (a lower number has higher priority).

Once we start using Application Groups there’s no need to define applications in Delivery Groups.

Application Groups also help in targeting specific machines in a Delivery Group. As I mentioned above a Delivery Group can contain machines from multiple Catalogs. Using Application Groups its possible that some users are “pinned” to applications from machines in specific Machine Catalogs.

Here are more links on how Application Groups can be used along with tags:

[Aside] How to roam AppData\Local too

Came across this video from James Rankin. Apart from being an excellent video, it has one important thing which I felt I must note down here as a reference to myself. I always thought AppData\Local and AppData\LocalLow were not synced as part of your roaming profile because they were special in some way. Today I realized that there’s nothing special about them. They are not synced because of a key called ExcludeProfileDirs in HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon. Any folder mentioned there is not synced as part of your roaming profile. Nice!

So to make AppData\Local roam, simply remove it from that registry key. Then selectively add any sub-folders you might want to exclude.

[Aside] ADFS and Windows Proxy

Quick shout out to this blog post on where to set the Internet Proxy for ADFS. Basically, you gotta set it via netsh winhttp proxy.