Converged Microsoft Account and Azure Active Directory Programming Model – #Microsoft, #Azure
Wow, finally Microsoft is doing something about the Microsoft Account and Azure AD identity “mess”!
Until now, building an application that worked with both personal and business accounts from Microsoft required integrating with two different technology stacks. Not only that, you had to have separate buttons in your app where your user needed to choose, up front, to sign-in with a personal account or a work or school account.
With the v2 app model preview, it is possible to sign-in both personal and work users with a single button. Let’s take a quick look at the end user’s experience. We begin with your application, with the addition of a “Sign-in with Microsoft” button.
We’re using the Microsoft brand because end users don’t know about Azure or Azure Active Directory. But they do know that Windows, Outlook, OneDrive, Xbox, and Office 365 are services from Microsoft and they need an account from Microsoft to sign-in there.
When the user clicks the button, they come to a consolidated sign-in page:
The user enters their username. Under the covers we figure out if the username corresponds to a personal account or a work account. Then we take the user to the right page to enter their password. Today this may involve a redirect; in the future we’ll optimize this out.
Read more here!
//Richard
Penetration testing tips for your NetScaler – via @neilspellings – #Citrix, #NetScaler
This is a really good blog post by Neil! Keep up the good work!
When working on Netscaler implementation projects, most of which tend to be internet-facing, one aspect that most organisations always perform is a penetration test. Having been through a number of these over the years, I thought it would be a good idea to share my experiences and some of the common aspects that get highlighted, to enable you to “pass first time” without having any remedial actions to work through and costly re-tests to perform.
The Netscaler has a number of IPs (NSIP, SNIP/MIP, Access Gateway VIPs etc) so what should you test against? The answer may well depend on corporate policy, but I usually test the internet-facing Access Gateway VIP and the management interface (NSIP). I also usually include StoreFront in any internal tests as this is an integral component of the overall solution, but I won’t cover StoreFront in this post.
Of course technically “bad guys” can only reach internet-facing IP addresses (as permissioned by your external firewall) but I recommend including internal-facing IPs for any DMZ-hosts to understand your exposure should another DMZ host get compromised (as your attacker can now potentially access internal IPs so the external firewall rules no longer protect you).
- Remove unnecessary management tools (telnet and FTP are considered insecure so should always be disabled). Also remove SNMP if your Netscalers are not being monitored or managed by an external monitoring service.
- Ensure that âSecure access onlyâ is selected to force SSL access to the GUI
- Ensure that management applications are only available on an internal IP (NSIP or SNIP). Open the IP properties for the IP addresses that won’t be used for management and untick “Enable management access”
- Change the default nsroot password to something long (obvious you’d think but you’d be amazed how many Netscalers I’ve seen that I can just log straight into using the default credentials!)
- If you have set up integrated AD authentication via LDAP for administrative access to the GUI, ensure that you have protected access using a filter group, otherwise anyone with a valid AD account will be able to access your Netscaler GUI (although they won’t be able to make any changes, it’s still not a good idea them having this access!)
- If you are using…
Continue reading here!
//Richard
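As an added example (not from Neil’s post or from Citrix), here is a small Python audit that reads an ns.conf excerpt and flags the items from the checklist above: GUI not set to secure-only, telnet, FTP or SNMP left enabled on a management IP, management access ticked on a VIP, and an LDAP action with no search filter. The ns.conf lines are constructed for the example; treating `set ns ip` as the NSIP (management access always on) and ENABLED as the default for absent telnet/ftp/snmp flags are assumptions.

```python
import shlex

# Constructed ns.conf excerpt (not from a real appliance): NSIP, hardened SNIP, public VIP, plain SNIP, two LDAP actions.
SAMPLE_NS_CONF = """\
set ns ip 10.0.0.10 -gui ENABLED -telnet ENABLED -ftp ENABLED -snmp ENABLED
add ns ip 10.0.0.11 255.255.255.0 -vServer DISABLED -mgmtAccess ENABLED -gui SECUREONLY -telnet DISABLED -ftp DISABLED -snmp DISABLED
add ns ip 203.0.113.10 255.255.255.255 -type VIP -mgmtAccess ENABLED -gui SECUREONLY
add ns ip 10.0.0.12 255.255.255.0 -type SNIP
add authentication ldapAction LDAP_Admins -serverIP 10.0.0.5 -ldapBase "DC=corp,DC=example" -ldapLoginName sAMAccountName -groupAttrName memberOf -subAttributeName cn
add authentication ldapAction LDAP_Admins_Filtered -serverIP 10.0.0.5 -ldapBase "DC=corp,DC=example" -ldapLoginName sAMAccountName -searchFilter "memberOf=CN=NS-Admins,OU=Groups,DC=corp,DC=example"
"""


def parse_flags(tokens):
    """Turn the '-flag value' pairs of one ns.conf command into a dict."""
    flags = {}
    for i, tok in enumerate(tokens):
        if tok.startswith("-") and i + 1 < len(tokens) and not tokens[i + 1].startswith("-"):
            flags[tok] = tokens[i + 1]
    return flags


def audit_ns_conf(text):
    """Return (object, finding) pairs for the checklist items in the post."""
    findings = []
    for line in text.splitlines():
        tokens = shlex.split(line)
        if len(tokens) >= 4 and tokens[1:3] == ["ns", "ip"]:
            ip, flags = tokens[3], parse_flags(tokens[4:])
            # Assumption: 'set ns ip' targets the NSIP, which always carries management access.
            mgmt = tokens[0] == "set" or flags.get("-mgmtAccess") == "ENABLED"
            if not mgmt:
                continue
            if flags.get("-type") == "VIP":
                findings.append((ip, "management access enabled on a VIP; untick 'Enable management access'"))
                continue
            if flags.get("-gui", "ENABLED") != "SECUREONLY":
                findings.append((ip, "GUI not restricted to HTTPS; select 'Secure access only'"))
            for svc in ("-telnet", "-ftp"):  # assumed default ENABLED when the flag is absent
                if flags.get(svc, "ENABLED") == "ENABLED":
                    findings.append((ip, f"{svc[1:]} management access enabled; disable it"))
            if flags.get("-snmp", "ENABLED") == "ENABLED":
                findings.append((ip, "SNMP enabled; disable it unless an external monitor uses it"))
        elif len(tokens) >= 4 and tokens[:3] == ["add", "authentication", "ldapAction"]:
            name, flags = tokens[3], parse_flags(tokens[4:])
            if "-searchFilter" not in flags:
                findings.append((name, "LDAP action has no search filter; any valid AD account can sign in to the GUI"))
    return findings


if __name__ == "__main__":
    print("\n".join(f"{obj}: {msg}" for obj, msg in audit_ns_conf(SAMPLE_NS_CONF)))
```

Running it against the constructed excerpt reports four findings for the NSIP, one for the VIP and one for the unfiltered LDAP action, and nothing for the hardened SNIP or the filtered LDAP action.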