If I have example.com in my DNS suffix search list and I open a browser and type www then the browser will talk to the OS which will talk to DNS; if www fails to resolve, my OS will append the items from my suffix search list until one succeeds; www.example.com succeeds so I get an IP which my request will be sent to.

However, looking at the request my browser sends, the host header is set to www as that's what was typed in the address bar, even though that's not the FQDN that was eventually resolved to the IP. This means that if the web server uses hostname binding it has to listen for www as well as the FQDN of www.example.com, or it will fail to recognise the request as being one it should handle.

Do any browsers have functionality to automatically get the resolved FQDN back from the OS / are there any settings that can be tweaked to enable this? If there isn't such functionality, is there a reason (e.g. perhaps the OS doesn't expose info on the FQDN which successfully resolved for some security reason?), or is this scenario just too niche for anyone to have implemented?

I have an application gateway for which my backend settings are configured with health probes allowing status 200-499 as healthy (I've included the 4xx series codes as some solutions have site roots which return 404 whilst have content under other paths, and some sites return a 403 automatically for an unauthorised user / I don't want those to impact the backend health status / I wanted my solution to be as generic as possible so I can reuse the same settings across a series of sites to minimise effort when onboarding new sites).

However, my backend health shows one of my sites as returning HTTP 463 status codes (so the backend is still healthy, but this response is unexpected). Further, if I navigate to the URI of the listener associated with this backend, I get stuck in a 301 redirect to/from the same site. I do have redirects configured:

• The backend redirects from / to /login.aspx for an unauthenticated user. This uses relative paths, so isn't impacted by the AppGW's hostname or frontend vs backend protocol.
• The AppGW has HTTP and HTTPS listeners, the HTTP rule redirects to the HTTPS listener, whilst the HTTPS rule is associated with the backend.

However, even if I remove those features, I get the same behaviour.

Other sites on the same AppGW are setup in the same way, but don't have this issue.

I have a PowerShell script for testing redirects: Get-HttpUrlRedirects. If we assume the configuration was for example.com, the EXPECTED output of running Get-HttpUrlRedirects -Url 'http://example.com' -Verbose would be:

VERBOSE: Redirecting to [https://example.com/]
VERBOSE: Redirecting to [https://example.com/login.aspx]
Url                                             StatusCode
---                                             ----------
http://example.com/                                    301
https://example.com/                                   302
https://example/login.aspx                             200

Whilst the ACTUAL output is:

VERBOSE: Redirecting to [https://example.com/]
VERBOSE: Redirecting to [https://example.com/]
VERBOSE: Redirecting to [https://example.com/]
VERBOSE: Redirecting to [https://example.com/]
Url                                             StatusCode
---                                             ----------
http://example.com/                                    301
https://example.com/                                   301
VERBOSE: Redirecting to [https://example.com/]
https://example.com/                                   301
VERBOSE: Redirecting to [https://example.com/]
https://example.com/                                   301
VERBOSE: Redirecting to [https://example.com/]

# etc - I hit ctrl + C to terminate when I see this loop occurring

Question

Is it valid for a subdomain to use different nameservers to the parent domain without the parent domain's DNS servers providing NS records for the subdomain?

For example:

• Running Resolve-DnsName -Name example.com -Type NS -Server 1.1.1.1 returns ns1.example.com; so ns1.example.com is the authoritative name server for example.com.
• Running Resolve-DnsName -Name subdomain.example.com -Type NS -Server 1.1.1.1 returns ns2.example.com; so ns2.example.com is the authoritative name server for subdomain.example.com.

I would expect that ns1.example.com would contain the NS recordset for subdomain.example.com to tell the client "I don't manage this subdomain's NS records, for those, talk to its name servers". I.e. I'd expect Resolve-DnsName -Name subdomain.example.com -Type NS -Server ns1.example.com to return ns2.example.com.

Note: If the subdomain used the same NS servers as its parent, I wouldn't expect a respose to the above.

(Resolve-DnsName is just an nslookup command, where the Name argument is FQDN to fetch, Server is the nameserver to query against, and Type allows us to specify the sort of DNS Record we're after).

Is my understanding correct, or can a subdomain have different nameservers to its parent without its parent domain hosting NS records for the subdomain?

Context

We have an intermittent issue with MS Dynamics 365 for Finance and Operations where occasionally users browsing to an instance will see the below error:

The site can’t be reached
Check if there is a typo in EXAMPLE.operations.dynamics.com
If spellling is correct, try running Windows Networkk Diagnostics.
DNS_PROBE_FINISHED_NXDOMAIN

The users are using the correct URI/hostname.

Typically this issue will resolve itself after ~30 mins. We see this for both production (EXAMPLE.operations.dynamics.com and test (EXAMPLE.sandbox.operations.dynamics.com).

On investigation, if I try to resolve the FQDN using our corporate DNS service it fails to resolve; confirming the browser's error; but when we resolve against a public DNS service (e.g. CloudFlare's 1.1.1.1) things generally resolve correctly. Note: we've also seen this issue where users working remotely (not using our corporate DNS service) have the same issue / here their ISP's DNS service shows that it's failing to resolve the FQDN.

I believe the problem relates to DNS, and that CloudFlare's DNS has generally been more reliable as they cache DNS entries for longer (or since their servers are hit more often, that makes it more likely that they'll have cached entries).

Specifically, when there's an issue resolving the FQDN for our environment, I can generally resolve it against CloudFlare's DNS and against MS's authorative name servers for that subdomain (as you'd expect)... but trying to get the authorative name servers for the subdomain from the authorative name servers for their parent domain fails; e.g. see the 2 highlighted errors below:

Is this an issue with my understanding of DNS (meaning the root cause of our issues requires more investigation on our side), or is this a configuration issue with MS's implementation?

Note: I've reached ou to MS Support for the above, but the team who support Dynamics are an application support team, so were unable to assist with DNS/infrastructure related issues or to route my ticket to a team who could help.

When sending mails through our Exchange 365 service those mails get through successfully, but if we look at the mail headers we see that where the sender and recipient are in our tenant the mail's actually failed SPF; whilst if we sent mails to a third party (e.g. to a gmail address) the SPF is correct.

Specifically we see that the mail sent internally shows as having an IP in the ip6:2603:1000::/24 range (e.g. 2603:10a6:400:49::16... and that IP is not listed on spf.protection.outlook.com.

Similarly, when checking the headers of mails sent to third parties we see a DKIM selector is included in the mail's header. For those sent to other mailboxes within our tenant, no such header exists.

Others have been reporting the same for several years. Like those others I've spoken to MS support, but this scenario is off-script for them, so that got me nowhere.

My guess is that MS don't care about SPF/DKIM when messages are within tenant, as they know those mails are valid, so they don't filter them. However, I can't find any documenation to confirm this, and this seems wrong (e.g. if your mail client has its own logic to validate these, how would it know to trust them). This is a frustrating issue as when investigating real email issues it's harder to say whether mails failing these checks indicates a real issue, or, as valid mails also fail these checks, we're looking in the wrong place.

When creating a new VM via the Azure Portal we only see Datacenter Edition, yet the docs seem to make it clear that Standard Edition is a valid option in Azure; although you have to create your own image for this.

It seems odd that given Standard Edition is supported, there isn't a default image for it. Is this just MS trying to encourage people to use the more expensive option by making that path the more convenient, or is there some technical reason why Standard Edition isn't available OOTB (e.g. whilst it can be used are there significant restrictions which would recommend against this)?

When researching this most posts lead to Hybrid Benefit, but my understanding is that this option's for where you have on-prem servers, allowing you to use the same license for an Azure VM and an on-prem device; or else allowing you to use licenses you'd previously purchased to avoid paying again for licenses in Azure. I'm not interested in that; but rather in new VMs created directly in Azure, where we only need the features offerred by Standard Edition, and don't want to pay more for functionality we're not using.

Before we create our own Windows Server 2022 Standard Edition image to avoid this extra cost I'm hoping to understand if there's further implications.

Problem

I've created a certificate through AD certificate services, but it has the error "The issuer of this certificate could not be found." despite the full chain being present in the PFX.

Context

I've created a code signing certificate from our org's AD Certificate Services server, using the standard code signing template, and exporting the created cert (with exportable private key).

We're having issues using this certificate to sign code, despite our root cert being trusted on all corporate devices.

On investigation, if I convert the PFX to a PEM (with file extension .CER) and open it in a text editor I can see client, intermediate, and root certs listed in the PEM file. However, if I double click this CER file (i.e. to open it in crypto shell extensions), the certificate path tab only shows the client cert & shows certificate status as "The issuer of this certificate could not be found.".

Looking at the client's issuer it correctly names the intermediate certificate.

If I copy the intermediate and root certificates from the PEM file into their own, save that as a .CER and open it then the intermediate and root certificates are correctly listed. The issuer of the client exactly matches the issued to of the intermediate; and the issuer of the client exactly matches the subject name of the intermediate.

To convert PFX to PEM I'm using openssl.exe pkcs12 -in "mycert.pfx" -out "mycert.cer" -nokeys -passin "pass:mypassword"

Question

If using Azure Firewall's DNS Proxy with internal DNS severs behind this same firewall, what happens to requests for external DNS records (i.e. does this cause an infinite loop where the DNS server requests records from a public DNS server, but this request gets caught by the FW and sent back to the internal DNS server)?

Context

We have a secure hub/vwan in Azure where all inter-vnet traffic goes via the firewall, as does all ingress and egress traffic for our network.

We're looking to enable DNS Proxy on the firewall to allow us to use FQDNs in our rules.

We've specified custom DNS servers on our FW too (which seems acceptable per this screenshot from MS Docs. In the screenshot they're using an internal IP and MS's special 168.63.129.16 IP. For ours, we have the internal IPs of our 2 domain controllers, and those are setup with conditional forwards to 168.63.129.16 for those domains on which we have private endpoints with private dns zones.

My worry is that with DNS Proxy enabled, since traffic from our DCs to the internet goes via this firewall, will it intercept their queries for public DNS and cause an infinite loop, resulting in any requests for external DNS info to fail (once any previously cached entries expire)?

Similarly, would requests to 168.63.129.16 (via the conditional forwarder) also be seen as going to the internet & thus intercepted?

The screenshot in the docs implies we can add 168.63.129.16 as a DNS server on the firewall... but would that be treated as a round-robin with the other DNS servers (i.e. so requests for internal zones would sometimes fail as 168.63.129.16 doesn't know of our internal zones beyond the Azure private dns zones, but sometimes return an expected response when hitting our internal DNS servers), or is there some order of preference where 168.63.129.16 is only contacted if our internal DNS servers don't have a record?

If this infinite loop is a possibility, what's the correct fix? Do we just route outbound traffic from our DCs as next hop 0.0.0.0/0 (which then impacts all traffic, not just port 53), or is there a better solution?

Is type microsoft.authorization/roledefinitions available through Azure Resource Graph?

Context

I'm hoping to query Azure Resource Graph to fetch all roles which have specific permissions. Looking around I found microsoft.authorization/roledefinitions which seems to be a good starting point; it's documented here and is listed under tables in Azure Resource Graph Explorer / double clicking it adds the line | where type == "microsoft.authorization/roledefinitions" which seems promising.

However, when I run the below Kusto this type doesn't show up:

Search-AzGraph -query @'
resources 
| where type startswith "Microsoft.Aut" 
| distinct type
'@

The response is simply:

type
----
microsoft.automation/automationaccounts
microsoft.automation/automationaccounts/runbooks

I do have access to view role definitions though; as running Get-AzRoleDefinition produces a list of results.

Is there something more I need to do to make this type visible via Kusto; or is it simply not yet available through ARG?

We've noticed an issue with our HR system where users request leave, this approval is sent to their manager, and when their manager clicks the link to approve it they see an error saying that the leave is already approved... That seems to be because Outlook sends a GET request to the HR system's approval URI in order to check whether the link is maliscious; but in doing so it approves the employee's leave. Note: this GET request is sent even before the email is previewed / isn't triggered by any action of the recipient user.

The HR system is a third party, with poor support, so they've not been able to confirm our theory on what's going on... However, I've tested by sending a mail from an external email address which contains a link to a website that I support (but is not in Outlook's verified domains list). Looking at the logs on my server I see that moments after this test email arrives in my mail client (without me clicking the link or even previewing the email's content), sure enough a GET request shows up in my logs from an IP that belongs to MS (according to a whois on the IP).

That seems pretty damming... but then we work with other systems which have single click links (both for approvals, and also many emails which contain unsubscribe links or verify my email links that work with a single click / don't require manual follow-up) and we don't seem to have similar issues with those; and it feels unlikely that in all those cases the sites owners have blacklisted the MS IPs associated with SafeLinks (especially as if it were that simple to get around, a malicious actor could also use such a trick to dodge safelinks protection).

• Is our theory on SafeLinks causing the approvals likely to be correct?
• If so, is there some explanation of why it's not impacting more systems?

I have an ASP.Net site hosted in IIS 10 on Windows Server 2019 DataCenter in Azure. This site has only Windows Authentication enabled.

When I access the site directly (http://mysite-backend.example.com) I'm prompted for credentials, after which all works as expected. When I access the site via the App Gateway (configured with private IP) (https://mysite.example.com) I'm prompted for credentials, after which I'm again prompted for requests for additional resources (hosted on the same site, with no special rules for any subfolders). I'm repeatedly prompted until I click Cancel at which point I see a 401 for the resource's request in Chrome's Network log.

One of the resources that I get this issue with is a GET request for favicon.png. If I access the resource directly (https://mysite.example.com/favicon.png) all works, but when I access the site's page causing a request for this resource to be sent by the browser as part of the page's resources, I see the error. This implies that the resource is accessible; but something about how it's handled within the "transaction" is causing issues.

I've tried with different browsers, including with a fresh install / from a different client device, to ensure there's nothing cached causing issues. Additionally I have Disable Cache checked in the F12 Network settings to ensure I'm doing complete requests / fair comparisons between the two sites.

The backend pool only has 1 node. The backend settings say to use the backend pool's hostname instead of the frontend's - so from the web server perspective the requests look similar.

In the web server's Security event log I'm seeing failed logons (event id 4625) with my test username; confirming that the request is making it to the backend server with the right username (and I've been very careful to ensure I'm consistently entering the correct password / have done it many times to remove the chance of human error / have tried both using and also overwriting the saved password). If I try too many times my test account gets locked out (i.e. in AD the lockedout attribute is set to true); after which all requests get 401 responses (understandably).

I've checked the App Gateway logs to confirm that it's not blocking anything. I also setup a custom WAF rule for this site and set it to detection only mode to ensure that it can't block requests; just in case something was getting blocked but not logged.

I enabled failed request tracing for status 401 on the backend server; that shows the 401 as coming from:

-MODULE_SET_RESPONSE_ERROR_STATUS 

ModuleName: IIS Web Core 
Notification: AUTHENTICATE_REQUEST 
HttpStatus: 401 
HttpReason: Unauthorized 
HttpSubStatus: 2 
ErrorCode: Access is denied. (0x80070005) 
ConfigExceptionInfo

Note: The resources which are blocked (i.e. get 401 responses) is generally consistent when I'm testing on the same device within a given time period; but if I test a different day or on a different device I may see different resources getting blocked. The first time I test on any device (mostly) I see two xhr POST requests to /subfolder###/Search pages fail, then after a few tests on that device other resources seem to become tainted. This feels like they're the main cause - but something then causes an issue with the session.

I'm trying to get access to the backend site's sourcecode to better understand what those Search endpoints have coded in them to understand if that may be causing the issue.

In the meantime, any ideas anyone here may have would be very much appreciated... Thanks in advance.

Update: calling the Search endpoint directly also results in an HTTP 200 / valid response:

$resp = Invoke-RestMethod -Method Post -Uri 'https://mySite.example.com/subfolder###/Search' -Form @{recordsToTake=25;recordsToSkip=0;sortColumn='CategorieName';sortDirection='Ascending'} -Credential $cred -StatusCodeVariable sc;"Status $sc";$resp

We have a domain which has 11 includes; so is failing SPF validation as it's gone over the limit. Most of the lookups are for third party resources, so flattenning the SPF record isn't ideal; we'd rather ensure that things are updated dynamically when the third parties update their records.

One of the lookups is a legacy value that we've not found documentation for; so we're not sure whether it's required... we're asking around before we remove it, but it's a large company with lots of cul-de-sacs and crevices in which requirement owners hide, so checking such things takes time.

We're thinking that having more than 10 lookups is only an issue for those records which exceed the 10th lookup; all values prior to that should succeed even if there are more in total. As such, if we can move the unknown lookup to the end that will reduce the risk of something we care about being impacted.

• Is that assumption correct / do the first 10 SPF lookups work when there are more than 10 in total?

• If so, what is the 11th record - i.e. are the lookups calculated breadth first, depth first, or is it not specified so depends on provider?

Question

Are there any ways to improve metadata operation performance between a Linux based container running under Azure App Service and a mounted volume hosted in Azure Files?

Context

I recently migrated a solution which had everything on one server to an Azure based solution where:

• The code runs on a container hosted under Azure App Service.
• Those files which are part of the business data are on Azure Files (i.e. a share under an Azure Storage Account) / mounted on the container (via the app service's Settings > Configuration > Path Mappings section).

This has introduced some performance issues with operations which search through a folder to see if certain files exist. That's currently done via PHP's file-exists function.

When testing on my local device, I can improve performance by appending :cached to the bind parameter; e.g. --mount type=bind,source=d:\my\host\path,target=/var/my/container/path:cached; but I can't find an option to do anything similar in Azure App Service.

My container's running Linux (Ubuntu:21:10); and I've read that SMB metadata operations (including checking if a file exists) have a higher overhead in Linux than Windows; so perhaps that's related (i.e. as Azure Files uses SMB); though I'm not certain (as the path is mounted to the container, so the container OS may not be aware of the underlying implementation).

I've enabled large file shares to increase the IOPs available to the file share; but it's made no difference (which given this is a metadata rather than IO performance issue, makes sense).

At present I'm thinking the solution would be to update the code to keep a representation of the file structure in the app's database so we can query that to get the same information faster; but this has the downside that every operation to upload or deleted a file needs to also update the database to keep disk and db info in sync / duplicates where information's held; so I'm keen to solve this infrastructure issue rather than recode if possible.

I'm trying to create a TXT DNS record with name _acme-challenge.www on Google Domains to allow me to validate my DNS (i.e. via _acme-challenge.www.example.com). I've already validated the domain itself; but want to validate the www subdomain so I can provide this in the certificate's Subject Alternative Name. When attempting this, the page gives error: Failed to save changes to domain settings for example.com.

Is what I'm attempting valid / if so can anyone suggest what I may be missing?

Question

Is there a "correct" / standard way to distinguish Service Accounts from User Accounts in AD?

More Info

In certain scenarios we have systems running under AD Credentials (i.e. under a Service Account). These Service Accounts are created in exactly the same way as user accounts; the only difference being the name and description. A few things have been done to make a distinction between the two account types (e.g. which OU the account is in, whether "password never expires" is enabled, if "service account" is in the description), but there's no one rule which can be applied to everything to clearly distinguish between the two.

Going forwards we're looking to improve this / spring clean things to make a distinction clear. We'll likely use both the OU and Description fields for this purpose.

Before doing this though I wanted to check; is the a way in which this should be done; i.e. some attribute specifically for this purpose (maybe an objectCategory value different to Person?), or a recognised standard naming convention, or does each company figure out their own approach?

The Search-ADAccount cmdlet has switches -AccountDisabled, -AccountExpired and -AccountInactive; the results of which may not be mutually exclusive nor inclusive.

i.e. an account which was disabled yesterday but has only been inactive for 1 week may not show up as disabled if our timespan is -90 days. Conversely an account which has not yet been disabled but hasn't been used in a while would show up as inactive but not disabled.

Is there a way to use these switches to list all disabled, expired OR inactive accounts; or do I have to run three queries then do a | select * -unique to remove duplicates?

Background

We're currently upgrading an old app from running on Windows Server 2003 to running it on Windows Server 2012.

Users and other systems communicate with this system via HTTP (i.e. users accessing the website), FTP (files to sync data from client devices) and Windows Shares (files to sync data from devices which don't have FTP capabilities).

To do this migration, I'd like to disable the current live system and repoint users to the new one. I want to ensure the old website, FTP and file shares are inaccessible so there's no chance of anyone communicating to the old locations (i.e. I want them to get an error if they somehow reach the old system; so we know there's an issue rather than waiting for someone to notice integrity issues due to (say) files queueing up on the shares).

However, after the migration we'll be running some tests to know if all's worked. If there are issues we may wish to roll back to the current solution - I want this to be painless & as risk free as possible.

For FTP: I'll stop & the FTP (FileZilla) service; meaning for roll back I just have to start this service and it will be instantly accessible, without any additonal configuration (e.g. recreating users & permissions).

For HTTP: I'll stop the IISAdmin and W3Svc services; same reasoning as above.

Question:

Is there a simple way to disable network sharing (i.e. make windows shares innaccessible without changing the permissions on those shares / their config) on Windows Server 2003 without losing configuration settings?

I've recently started seeing the below error when attempting to check in code to TFS:

The underlying connection was closed: A connection that was expected to be kept alive was closed by the server.

The TFS service is hosted by our vendor. When I connect directly to the internet I'm able to check in code. However when I connect via our LAN (which means I either go through a proxy server, or can reconfigure my connection to bypass the proxy and instead go via the firewall) I receive the above error. Equally consultants from the vendor based on site who VPN from our LAN to our vendor's network don't see the issue.

This issue is not unique to me, but is common to anyone trying to check in to TFS from our network (without VPN).

Only check-ins seem to be affected. Checking out code, browsing the repository, viewing history, or accessing the portal all work as expected.

When I look at the HTTP traffic using Fiddler I can see a number of HTTP 401 errors from posts to the urls /tfs/myCompanyName/VersionControl/v1.0/upload.ashx, /tfs/myCompanyName/VersionControl/v3.0/repository.asmx and /tfs/myCompanyName/VersionControl/v1.0/repository.asmx.

To our knowledge there have been no changes by the vendor to their TFS or firewalls, and on our side no changes to the proxy or firewall; but this functionality worked 2 weeks ago, and has stopped working now, so something's changed...

Any thoughts on what this could be, or how we could go about troubleshooting?

Thanks in advance.

Currently we're having formatting issues when printing from a Windows 2008 server via TS Easy Print which we don't see when printing from Windows Server 2008 R2.

Clients are running windows 7 with a mix of RDP 7.1 and 8.0.

The windows 2008 server is running RDP 6.1. The windows 2008 R2 server is running RDP 8.0.

My theory is that it's the server's protocol version affecting whether users have formatting issues. See similar issue which prompted this thought.

I've found a lot of upgrades for various OS client's RDP versions, but so far can't find an option to upgrade the Windows 2008 server version of the protocol, though can't find anything saying which RDP versions are available for each server version.

Question

Is there an update to upgrade Windows Server 2008 (R1)'s Remote Desktop Protocol beyond 6.1?

I'm trying to search through the windows event log for anything where the event data contains the string TCP Provider, error: 0 as part of a longer error message. To do this I created the code below:

<QueryList>
  <Query Id="0" Path="Application">
    <Select Path="Application">*[System[Provider[@Name='MyDemo' or @Name='AnotherDemo'] and (Level=2 or Level=3)]][EventData[Data[contains(.,'TCP Provider, error: 0')]]]</Select>
  </Query>
</QueryList>

However this is seen as an invalid query - I'm guessing the contains statement is not recognised (as it looks like a special version of the XPath syntax is being used here. Does anyone know if what I'm attempting is possible / how to go about doing this?

Thanks in advance,

JB

Background

I'm creating a service to allow support staff to enable their firecall accounts out of hours (i.e. if there's an issue in the night and we can't get hold of someone with admin rights, another member of the support team can enable their personal firecall account on AD, which has previously been setup with admin rights). This service also logs a reason for the change, alerts key people, and a bunch of other bits to ensure that this change of access is audited / so we can ensure these temporary admin rights are used in the proper way.

To do this I need the service account which my service runs under to have permissions to enable users on active directory. Ideally I'd like to lock this down so that the service account can only enable/disable users in a particular AD security group.

Question

How do you grant access to an account to enable/disable users who are members of a particular security group in AD?

Backup Question

If it's not possible to do this by security group, is there a suitable alternative? i.e. could it be done by OU, or would it be best to write a script to loop through all members of the security group and update the permissions on the objects (firecall accounts) themselves?

Thanks in advance.

Additional Tags

(I don't yet have access to create new tags here, so listing below to help with keyword searches until it can be tagged & this bit editted/removed) DSACLS, DSACLS.EXE, FIRECALL, ACCOUNT, SECURITY-GROUP