I've been doing this for a while and the reason for "hiding" behind "nzpcmad" longer exists.
So jump over here for my new blog!
Thanks for all the comments and input over the years!
I will still monitor the blog for comments etc.
Enjoy!
Tuesday, September 22, 2020
Tuesday, March 31, 2020
Misc : One million hits
I don't blog much here anymore but just hit a milestone:
Over a million hits!!!
Somewhat humbled to think I've helped a large percentage of those.
Enjoy!
Over a million hits!!!
Somewhat humbled to think I've helped a large percentage of those.
Enjoy!
Friday, March 08, 2019
AD : Domain Controller password policy
Every now and then you get an error:
"Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirements of the domain."
So you need to find out the allowed length in the password policy.
An easy way to do this is to run:
secpol.msc
Other reasons for this message are that you have already changed your password in the last 24 hours or that you have reused a password that you used in the last 24 passwords.
Enjoy!
"Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirements of the domain."
So you need to find out the allowed length in the password policy.
An easy way to do this is to run:
secpol.msc
Other reasons for this message are that you have already changed your password in the last 24 hours or that you have reused a password that you used in the last 24 passwords.
Enjoy!
Wednesday, February 27, 2019
IdentityServer: IResourceOwnerPasswordValidator
I was looking at idsrv4 and how to integrate it with a custom user store. In this case it was SQL Server.
idsrv4 uses .NET Core 2.2 but a lot of the samples I found were for earlier versions of .Net Core.
Some of the samples used IUserService but I couldn't find that.
So Mr Google to the rescue.
e.g.
https://stackoverflow.com/questions/35304038/identityserver4-register-userservice-and-get-users-from-database-in-asp-net-core
"In IdentityServer4. IUserService is not available anymore, now you have to use IResourceOwnerPasswordValidator to do the authentication and to use IProfileService to get the claims."
The problem I have with this is that Resource Owner Password is not just a random method name. It's the name of an OAuth flow! Most people don't realise this.
My client used implicit flow. Using IResourceOwnerPasswordValidator makes no sense.
So you can just use a controller to authenticate the user like the AccountController.
Enjoy!
idsrv4 uses .NET Core 2.2 but a lot of the samples I found were for earlier versions of .Net Core.
Some of the samples used IUserService but I couldn't find that.
So Mr Google to the rescue.
e.g.
https://stackoverflow.com/questions/35304038/identityserver4-register-userservice-and-get-users-from-database-in-asp-net-core
"In IdentityServer4. IUserService is not available anymore, now you have to use IResourceOwnerPasswordValidator to do the authentication and to use IProfileService to get the claims."
The problem I have with this is that Resource Owner Password is not just a random method name. It's the name of an OAuth flow! Most people don't realise this.
My client used implicit flow. Using IResourceOwnerPasswordValidator makes no sense.
So you can just use a controller to authenticate the user like the AccountController.
Enjoy!
Tuesday, January 29, 2019
Azure : Web API - The requested resource does not support http method 'GET'
I was running a web API on Azure and doing a POST.
The full error is:
{
"Message": "The requested resource does not support http method 'GET'."
}
That's weird because the method is decorated with [HttpPost] and I was doing a POST.
Then I noticed that I was calling Azure with a http connection.
Changing to https fixed the issue.
Enjoy!
The full error is:
{
"Message": "The requested resource does not support http method 'GET'."
}
That's weird because the method is decorated with [HttpPost] and I was doing a POST.
Then I noticed that I was calling Azure with a http connection.
Changing to https fixed the issue.
Enjoy!
Thursday, December 06, 2018
ADFS : MSIS7042 - The same client browser session has made '6' requests
The full error message is:
Exception details: Microsoft.IdentityServer.Web.InvalidRequestException: MSIS7042: The same client browser session has made '6' requests in the last '7' seconds. Contact your administrator for details.
There are many causes for this; one being the "missing /" on the identifier.
I found one recently where I was running an ASP.NET MVC application inside VS that was authenticated via ADFS. This used the OWIN WS-Fed middleware.
I couldn't authenticate because of this error.
ADFS will only accept https connections so the RP was configured with a:
https://localhost/...
endpoint
But on VS, inside "Properties / Web", I noticed that the URL was:
http://localhost/...
Setting this to https fixed the problem.
Go figure.
I found a similar solution here.
Enjoy!
Exception details: Microsoft.IdentityServer.Web.InvalidRequestException: MSIS7042: The same client browser session has made '6' requests in the last '7' seconds. Contact your administrator for details.
There are many causes for this; one being the "missing /" on the identifier.
I found one recently where I was running an ASP.NET MVC application inside VS that was authenticated via ADFS. This used the OWIN WS-Fed middleware.
I couldn't authenticate because of this error.
ADFS will only accept https connections so the RP was configured with a:
https://localhost/...
endpoint
But on VS, inside "Properties / Web", I noticed that the URL was:
http://localhost/...
Setting this to https fixed the problem.
Go figure.
I found a similar solution here.
Enjoy!
Friday, November 23, 2018
Azure AD : Getting the UPN
I've been playing around with the custom SAML connection in Azure AD and the "claims transformations" that you can do e.g. tolower.
My interest was Guest accounts.
The user screens don't show the UPN so I needed to do this with PowerShell.
connect-azuread -tenant tenantname
Get-AzureADUser -Filter "userType eq 'Guest'" -All $true | select Displa
yName,UserPrincipalName,Mail,Department,UserType,CreationType,RefreshTokensValid
FromDateTime,AccountEnabled
This displays:
DisplayName : Joe
UserPrincipalName : joe@company.com#EXT#@tenantname
Mail : joe@company.com
Department :
UserType : Guest
CreationType : Invitation
RefreshTokensValidFromDateTime : 21/11/2018 11:13:58 p.m.
AccountEnabled : True
Or if you wanted the top 10:
Get-AzureADUser -Filter "userType eq 'Guest'" -Top 10 | select DisplayNa
me,UserPrincipalName,Mail,Department,UserType,CreationType,RefreshTokensValidFro
mDateTime,AccountEnabled
Or complex filter:
Get-AzureADUser -Filter "mail eq 'joe@company.com' and userType eq '
Guest'"
If you want to see the full list of Azure AD attributes with the complete schema, use:
Get-AzureADUser -All $true | fl > allad.txt
Enjoy!
My interest was Guest accounts.
The user screens don't show the UPN so I needed to do this with PowerShell.
connect-azuread -tenant tenantname
Get-AzureADUser -Filter "userType eq 'Guest'" -All $true | select Displa
yName,UserPrincipalName,Mail,Department,UserType,CreationType,RefreshTokensValid
FromDateTime,AccountEnabled
This displays:
DisplayName : Joe
UserPrincipalName : joe@company.com#EXT#@tenantname
Mail : joe@company.com
Department :
UserType : Guest
CreationType : Invitation
RefreshTokensValidFromDateTime : 21/11/2018 11:13:58 p.m.
AccountEnabled : True
Or if you wanted the top 10:
Get-AzureADUser -Filter "userType eq 'Guest'" -Top 10 | select DisplayNa
me,UserPrincipalName,Mail,Department,UserType,CreationType,RefreshTokensValidFro
mDateTime,AccountEnabled
Or complex filter:
Get-AzureADUser -Filter "mail eq 'joe@company.com' and userType eq '
Guest'"
If you want to see the full list of Azure AD attributes with the complete schema, use:
Get-AzureADUser -All $true | fl > allad.txt
Enjoy!
Wednesday, October 24, 2018
Azure B2C : Calling a web API from Azure AD B2C using data types
There is a good overview here.
In terms of the data types that you can pass, these can be:
The above is the XML to define some of the claim types.
In terms of the JWT returned, the claims look like:
Enjoy!
In terms of the data types that you can pass, these can be:
- boolean
- date
- dateTime
- int
- long
- string
- stringCollection
- alternativeSecurityIdCollection
The above is the XML to define some of the claim types.
In terms of the JWT returned, the claims look like:
Enjoy!
Tuesday, September 11, 2018
Monday, August 27, 2018
stackoverflow : Top 1%
Finally got there:
There are over 9 million users on stackoverflow and currently I'm sitting at:
Now it gets into the decimals e.g. top 0.5 %
Enjoy!
There are over 9 million users on stackoverflow and currently I'm sitting at:
Now it gets into the decimals e.g. top 0.5 %
Enjoy!
Friday, August 24, 2018
Misc : My audience
Just out of interest, my audience as reported by Blogger.
Strange that Google has "Unknown Region"?
Chrome is way ahead on the browsers and Windows is way ahead on the OS.
Would have thought the iPad figure would be higher but maybe iPad users have no interest in Identity :-)
Enjoy!
Strange that Google has "Unknown Region"?
Chrome is way ahead on the browsers and Windows is way ahead on the OS.
Would have thought the iPad figure would be higher but maybe iPad users have no interest in Identity :-)
Enjoy!
C# : Invalid URI
The full message is:
"Invalid URI : The hostname could not be parsed".
I get this using the URIBuilder class.
Since it was complaining about the hostname I checked the DNS, I checked that I could ping it, I tried the IP address etc. etc.
Eventually worked out that it was because the password contained special characters.
You are apparently supposed to URL encode them.
Just changed the password to use letters and numbers and all was well.
Somewhat misleading error message :-)
Enjoy!
"Invalid URI : The hostname could not be parsed".
I get this using the URIBuilder class.
Since it was complaining about the hostname I checked the DNS, I checked that I could ping it, I tried the IP address etc. etc.
Eventually worked out that it was because the password contained special characters.
You are apparently supposed to URL encode them.
Just changed the password to use letters and numbers and all was well.
Somewhat misleading error message :-)
Enjoy!
Subscribe to:
Posts (Atom)