Falcon Momot's questions

I was trying to get a bearer token from the headers Easy Auth injects into requests to my Azure App Service to provide users who want to make API calls to my application, but the token from the token store that's provided in X-MS-TOKEN-AAD-ACCESS-TOKEN is not valid. It is in some kind of internal or encrypted format and starts with PAQABAAAAAAD-- and not ey like a JWT. The X-MS-TOKEN-AAD-ID-TOKEN is valid, but it doesn't get renewed when I visit /.auth/refresh.

I tried following the instructions at http://jsandersblog.azurewebsites.net/2020/01/17/easy-auth-using-x-ms-token-aad-access-token-as-a-bearer-token/ to get a real bearer token, but Resource Explorer gives me this:

Cannot execute the request for site ... because the site is running on auth version v2

What to do?

I'm trying to set up AAD with Okta, and find that when users visit the App Embed link and it posts their SAML response to https://login.microsoftonline.com/login.srf, they get an unhelpful error:

AADSTS50107: Requested federation realm object 'http://okta.com/..............' does not exist

I already set up an external identity provider. How do I get it to recognize my domain?

When setting up an ospf instance, in-filter and out-filter allow us to control which filter chains will be used to decide what routes get added to the routing table, propagated without adding them to the routing table, dropped, or logged. But with IPv6 and ospf-v3, the option is not accepted.

Does this mean one cannot filter OSPF-v3 routes? We do not want to publish every single route on every connected link? Because if so we cannot use OSPF-v3; some interfaces have multiple addresses, some of which we need to route in IGP and some of which will ruin our virtual circuit GRE tunnels or violate IXP policies.

I need to encapsulate IPv4 in IPv6 for routing purposes. One end is a Linux box running quagga, and the other end is a Mikrotik CCR2004. How?

I want to generate an SSHFP record for my Mikrotik CCR2004 running RouterOS 6.47.4, without getting the key over the network. How can I do this from the console?

GPS and NTP are two very typical time sources when accurate clocks are required. However, each has an important failing. NTP does not provide authentication of the time source, and so may be vulnerable to spoofing. GPS doesn't work very well inside the walls of a datacentre.

Accurate time is an operational concern for any number of reasons, as well as being a security concern due to things like session token lifetimes, key expiration, rate limiting, time-of-day restrictions, and behavioural pattern analysis in support of anti-fraud measures. Clock retrogression introduces instability in some network protocols which may create exploitable scenarios; IRC privilege escalation or impersonation ("split riding") is the typical example.

It is also extremely important that this time be consistent with time obtained from standard sources, to avoid drift during network disruption (or exploitation by time service disruption).

Accordingly, what technology or technique can be used to supply accurate and trusted time (within one second preferably) in sync with UTC, where GPS and other radio clocks are ineffective, while avoiding the need to manually true the time source frequently?

This is a Canonical Question about DoS and DDoS mitigation.

I found a massive traffic spike on a website that I host today; I am getting thousands of connections a second and I see I'm using all 100Mbps of my available bandwidth. Nobody can access my site because all the requests time out, and I can't even log into the server because SSH times out too! This has happened a couple times before, and each time it's lasted a couple hours and gone away on its own.

Occasionally, my website has another distinct but related problem: my server's load average (which is usually around .25) rockets up to 20 or more and nobody can access my site just the same as the other case. It also goes away after a few hours.

Restarting my server doesn't help; what can I do to make my site accessible again, and what is happening?

Relatedly, I found once that for a day or two, every time I started my service, it got a connection from a particular IP address and then crashed. As soon as I started it up again, this happened again and it crashed again. How is that similar, and what can I do about it?

I find that, when trying to run windows 8 on Xen cloud (and also when running it in ESXi), the installer bluescreens with

0x0000005D (UNSUPPORTED PROCESSOR)

Initially I thought it was giving the VM a 32-bit processor (I was using a 64-bit image), but this was not the case. PAE is enabled. What else could this be?

Additionally, trying to do it on VMWare ESXi allows it to boot, but it remains on the loading screen forever during the first reboot during setup. Why?

I was testing something in my lab: I created an account, and then added a deny ACL to the domain, applying to that and all descendant objects, denying full control. However, I found that using adfind as the denied account, I was still able to list users (but some properties were hidden)!

I found that when applying a deny full control ACL only to the user caused the user to be hidden. However, the inherited permissions are shown and appear to deny everything.

Why is the inherited ACL not sufficient to prevent user listing?

The platform in this case is windows server 2008 R2.

I have a piece of software that deploys a local account on workstations via an MSI and creates a profile for it. In versions of windows prior to windows 8, the first time this account was used it would go through all the initial profile setup tasks that it does. However, in windows 8, this screen is replaced by a welcome/tutorial video that I can't figure out how to disable. This means that the first time users load this account, which is done infrequently, they will be presented with an interactive windows tutorial (awkward).

Is there a GPO or a registry setting we can deploy that will prevent this video from being shown? I realize it will have to do the profile setup tasks, but in this particular use case, it would be much better to have a please wait screen or something, rather than an interactive tutorial.

I am using windows server 2008. I have a domain with one domain controller (this is a dev environment). I edited the AD schema and created a custom attribute called TestAttribute2 (the LDAP name is testAttribute2) with a syntax of numerical string, single valued, with no minimum or maximum. The attribute's OID was 1.3.6.1.4.1.39668.21769.1.1.1. I also created another test attribute with a Microsoft-issued OID of 1.2.840.113556.1.8000.2554.37861.10620.51629.17372.38569.15288078.14709744.1.2. The attribute is nonindexed, active, not replicated to the GC, not copied when duplicating, and not indexed for containerized searches. I then added this attribute to the person class.

Whenever I try to set either of those custom attributes using the attribute editor function of the AD Users and Computers MMC, or ADSI Edit, MMC crashes, and the attribute remains unset. However, other custom attributes with similar OIDs but with other syntaxes (CI string and Unicode string) can be set with no crash. What am I doing wrong?