Month: October 2017
Remove – AzureRmApplicationGateway
If you want to remove Azure Application Gateway Backend HTTP Settings / Probe configs / Backend Address Pools / HTTP Listeners or something else from the Azure Application Gateway, you might end up at the same Microsoft Docs page as I did.
https://docs.microsoft.com/en-us/powershell/module/azurerm.network/remove-azurermapplicationgatewaybackendhttpsettings?view=azurermps-4.4.1
As you see from the post it tells you what to do, but when you check the config in the Portal, it is not gone.
What the doc leaves out is the last step: you get the Azure Application Gateway object, then you remove the setting from that object, but the changed object is never written back to Azure. So the missing ingredient is:
Set-AzureRmApplicationGateway -ApplicationGateway $AppGw
That way you list out the current config, then get the new config, then SET the new config.
And now it is correct in the GUI too 🙂
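The full get / remove / set sequence described above, as an added example that is not part of the original post. The resource group, gateway and settings names are placeholders, and the final check simply re-reads the gateway to confirm the setting is gone.

```powershell
# Added example: placeholder names, replace with your own.
$ResourceGroup = "<resource-group>"
$GatewayName   = "<application-gateway-name>"
$SettingsName  = "<backend-http-settings-name>"

# 1. Get the current configuration as a local object.
$AppGw = Get-AzureRmApplicationGateway -Name $GatewayName -ResourceGroupName $ResourceGroup

# 2. Remove the Backend HTTP Settings entry.
#    This only changes the local $AppGw object, nothing in Azure yet.
$AppGw = Remove-AzureRmApplicationGatewayBackendHttpSettings `
    -ApplicationGateway $AppGw -Name $SettingsName

# 3. Write the changed object back. This is the step the doc page leaves out.
$AppGw = Set-AzureRmApplicationGateway -ApplicationGateway $AppGw

# 4. Re-read the gateway from Azure and confirm the entry is really gone.
$Remaining = (Get-AzureRmApplicationGateway -Name $GatewayName -ResourceGroupName $ResourceGroup).BackendHttpSettingsCollection |
    Where-Object { $_.Name -eq $SettingsName }

if ($Remaining) {
    Write-Warning "Backend HTTP Settings '$SettingsName' is still present on $GatewayName."
} else {
    Write-Output "Backend HTTP Settings '$SettingsName' removed from $GatewayName."
}
```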
Can I add CPU Core and RAM to Azure VM?
Change the name of your new Azure subscription
This is not a straightforward thing, even though you would think so.
1. Open browser, enter the following: https://account.windowsazure.com/Subscriptions
- Sign in with your Azure Subscription Owner ID
- Press the Subscription you want to change the name of
- On the right hand side, “Edit Subscription details”
- Enter the new name below “SUBSCRIPTION NAME”
Name is now changed, but you need to give access to the subscription, so that you can use it in your environment.
2. Still in the account.windowsazure.com/subscriptions view
- Press the Portal icon upper right
- Find the subscriptions icon on the left side menu
- Press the subscription you want to give access to
- Press the MSN icon, so you can choose Users
- Press Add
- Choose the access level you want to delegate, and find the user.
Now you can utilize the new subscription in your Azure portal
Azure Admin Pages / URLs
There are so many different locations for Azure Subscription Management and what you can do where. So I have for my own sake made this list.
- View billing
- Add and View Subscriptions
- Add and View Subscriptions
- Delegate the use of Subscription (so it shows up in the Azure Portal for the Administrators (that are to use it))
- Manage most Azure stuff
- View and Use Subscription
- Rename, Add and View Subscriptions
It is a pain in the ass to remember the different locations, but here you have it (for now)
Create #HASHED password file for PowerShell use
Connect to Azure/Office365 based on encrypted txt file
$encrypted = Get-Content "D:\Scripts\Azure_Encrypted_Password.txt" | ConvertTo-SecureString
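How the password file is created and then read back, as an added example that is not from the original post. The account name is a placeholder. Without -Key or -SecureKey, ConvertFrom-SecureString encrypts the password with Windows DPAPI rather than hashing it, so the file can only be decrypted by the same user account on the same machine.

```powershell
# Added example: the account name is a placeholder.
$PasswordFile = "D:\Scripts\Azure_Encrypted_Password.txt"   # path used in the post
$UserName     = "admin@example.onmicrosoft.com"             # placeholder

# --- One-time setup -------------------------------------------------------
# Prompt for the password, encrypt it with DPAPI (no -Key / -SecureKey given)
# and store the resulting text in the file.
Read-Host -Prompt "Password for $UserName" -AsSecureString |
    ConvertFrom-SecureString |
    Set-Content -Path $PasswordFile

# DPAPI already ties the file to this user and machine; tightening the ACL
# additionally stops other accounts from reading or replacing it.
icacls $PasswordFile /inheritance:r /grant:r "$($env:USERDOMAIN)\$($env:USERNAME):(R,W)" | Out-Null

# --- Every run ------------------------------------------------------------
try {
    $encrypted = Get-Content -Path $PasswordFile | ConvertTo-SecureString -ErrorAction Stop
} catch {
    # Typical cause: the script runs as another account (e.g. a scheduled task
    # service account) or on another server than the one that created the file.
    throw "Cannot decrypt $PasswordFile as $env:USERNAME on $env:COMPUTERNAME. Re-create the file with this account on this machine."
}

$Credential = New-Object System.Management.Automation.PSCredential ($UserName, $encrypted)

# Use the credential object with whichever module you connect with, e.g.:
# Connect-MsolService -Credential $Credential
# Login-AzureRmAccount -Credential $Credential
```

If the script is to run as a scheduled task, create the file while logged on as the account the task runs under.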
Get MAC address from remote computer
In some settings you need to get a remote computer's MAC addresses, and you don’t have physical access to it.
- Open a CMD window with your administrative user (one that has admin access to computer objects)
- Ping the computer name (to get the IP)
e.g.: PING COMPUTERNAME
- Wait for the reply, e.g. 192.168.25.25
- Type in getmac /s 192.168.25.25 /v
Now you get a list with the MAC addresses.
Update UPN on multiple users
I recently did an LDIFDE import of a lot of users to a test domain, and the UPN is not set on the user objects.
So to change/set the UPN for all my users in the test domain I used this little string. Worked like a charm.
It gets all the user objects in the domain sameie.com, and it sets the UPN to username@sameie.info
Get-ADUser -SearchBase "DC=sameie,DC=com" -Filter * | ForEach-Object { Set-ADUser $_ -UserPrincipalName ("{0}@{1}" -f $_.SamAccountName, "sameie.info") }
Azure Server Sizes and information regarding them
This information is collected from: Cynthia Nottingham, and her article: virtual-machines-windows-sizes
The standard sizes consist of several series: A, D, DS, F, Fs, G, and GS. Considerations for some of these sizes include:
- D-series VMs are designed to run applications that demand higher compute power and temporary disk performance. D-series VMs provide faster processors, a higher memory-to-core ratio, and a solid-state drive (SSD) for the temporary disk. For details, see the announcement on the Azure blog, New D-Series Virtual Machine Sizes.
- Dv2-series, a follow-on to the original D-series, features a more powerful CPU. The Dv2-series CPU is about 35% faster than the D-series CPU. It is based on the latest generation 2.4 GHz Intel Xeon® E5-2673 v3 (Haswell) processor, and with the Intel Turbo Boost Technology 2.0, can go up to 3.1 GHz. The Dv2-series has the same memory and disk configurations as the D-series.
- F-series is based on the 2.4 GHz Intel Xeon® E5-2673 v3 (Haswell) processor, which can achieve clock speeds as high as 3.1 GHz with the Intel Turbo Boost Technology 2.0. This is the same CPU performance as the Dv2-series of VMs. At a lower per-hour list price, the F-series is the best value in price-performance in the Azure portfolio based on the Azure Compute Unit (ACU) per core.
The F-series also introduces a new standard in VM size naming for Azure. For this series and VM sizes released in the future, the numeric value after the family name letter will match the number of CPU cores. Additional capabilities, such as optimized for premium storage, will be designated by letters following the numeric CPU core count. This naming format will be used for future VM sizes released but will not retroactively change the names of any existing VM sizes which have been released.
- G-series VMs offer the most memory and run on hosts that have Intel Xeon E5 V3 family processors.
- DS-series, DSv2-series, Fs-series and GS-series VMs can use Premium Storage, which provides high-performance, low-latency storage for I/O intensive workloads. These VMs use solid-state drives (SSDs) to host a virtual machine’s disks and also provide a local SSD disk cache. Premium Storage is available in certain regions. For details, see Premium Storage: High-performance storage for Azure virtual machine workloads.
- The A-series VMs can be deployed on a variety of hardware types and processors. The size is throttled, based upon the hardware, to offer consistent processor performance for the running instance, regardless of the hardware it is deployed on. To determine the physical hardware on which this size is deployed, query the virtual hardware from within the Virtual Machine.
- The A0 size is over-subscribed on the physical hardware. For this specific size only, other customer deployments may impact the performance of your running workload. The relative performance is outlined below as the expected baseline, subject to an approximate variability of 15 percent.
The size of the virtual machine affects the pricing. The size also affects the processing, memory, and storage capacity of the virtual machine. Storage costs are calculated separately based on used pages in the storage account. For details, see Virtual Machines Pricing Details and Azure Storage Pricing.
The following considerations might help you decide on a size:
- The A8-A11 sizes are also known as compute-intensive instances. The hardware that runs these sizes is designed and optimized for compute-intensive and network-intensive applications, including high-performance computing (HPC) cluster applications, modeling, and simulations. For detailed information and considerations about using these sizes, see About the A8, A9, A10, and A11 compute intensive instances.
- Dv2-series, D-series, G-series, and the DS/GS counterparts are ideal for applications that demand faster CPUs, better local disk performance, or have higher memory demands. They offer a powerful combination for many enterprise-grade applications.
- The F-series VMs are an excellent choice for workloads that demand faster CPUs but do not need as much memory or local SSD per CPU core. Workloads such as analytics, gaming servers, web servers, and batch processing will benefit from the value of the F-series.
- Some of the physical hosts in Azure data centers may not support larger virtual machine sizes, such as A5 – A11. As a result, you may see the error message Failed to configure virtual machine or Failed to create virtual machine when resizing an existing virtual machine to a new size; creating a new virtual machine in a virtual network created before April 16, 2013; or adding a new virtual machine to an existing cloud service. See Error: “Failed to configure virtual machine” on the support forum for workarounds for each deployment scenario.
HTTP 400 IIS Token Bloat
October 30, 2017
Active Directory, Security, Server, Tips and Trix, Windows
vincent
An old “friend” keeps showing up in different environments. So since my old blog is gone, I will add this again.
But this time I’ll just copy the info from Microsoft’s website.
Thank you Microsoft: https://support.microsoft.com/en-us/help/2020943/-http-400—bad-request-request-header-too-long-error-in-internet-info
“HTTP 400 – Bad Request (Request Header too long)” error in Internet Information Services (IIS)
Symptoms
A domain user attempts to browse to a website hosted on Internet Information Services (IIS) 6.0 or higher by using Internet Explorer 6.0 or later. The website is configured to use Kerberos authentication. Instead of receiving the expected web page, the user is presented with an error message similar to the following:
Cause
This issue may occur when the user is a member of many Active Directory user groups. When a user is a member of a large number of active directory groups the Kerberos authentication token for the user increases in size. The HTTP request that the user sends to the IIS server contains the Kerberos token in the WWW-Authenticate header, and the header size increases as the number of groups goes up. If the HTTP header or packet size increases past the limits configured in IIS, IIS may reject the request and send this error as the response.
Resolution
To work around this problem, choose one of the following options:
A) Decrease the number of Active Directory groups that the user is a member of.
OR
B) Modify the MaxFieldLength and the MaxRequestBytes registry settings on the IIS server so the user’s request headers are not considered too long. To determine the appropriate settings for the MaxFieldLength and the MaxRequestBytes registry entries, use the following calculations:
New resolution for problems with Kerberos authentication when users belong to many groups
http://support.microsoft.com/kb/327825
NOTE: Depending on your application environment, you could also consider configuring the web site to use NTLM instead of Kerberos to work around this problem. Some application environments require Kerberos to be used for delegation purposes, and Kerberos is more secure than NTLM, so it is recommended that you do not disable Kerberos before considering the security and delegation ramifications of doing so.
More Information
By default, the MaxFieldLength registry entry is not present. This registry entry specifies the maximum size limit of each HTTP request header. The MaxRequestBytes registry entry specifies the upper limit for the total size of the Request line and the headers. Typically, this registry entry is configured together with the MaxRequestBytes registry entry. If the MaxRequestBytes value is lower than the MaxFieldLength value, the MaxFieldLength value is adjusted. In large Active Directory environments, users may experience logon failures if the values for both these entries are not set to a sufficiently high value.
For Internet Information Services (IIS) 6.0 and later, the MaxFieldLength and MaxRequestBytes registry keys are located at HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters. Configure them as shown in the following table:
Alternatively you may set the registry keys to their maximum values shown below. The Administrator should consider all potential security ramifications if he makes any changes to the registry settings:
IMPORTANT: Changing these registry keys can be considered extremely dangerous. These keys allow larger HTTP packets to be sent to IIS, which in turn may cause Http.sys to use more memory and may increase vulnerability to malicious attacks.
NOTE: If MaxFieldLength is configured to its maximum value of 64KB, then the MaxTokenSize registry value should be set to 3/4 * 64 = 48KB. For more information on the MaxTokenSize setting, please see the Microsoft knowledge base article KB327825 listed below.
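A read-only audit of the two Http.sys values discussed above, as an added example that is not part of the Microsoft article or the original post. It reads the registry key named in the text, flags the case where MaxRequestBytes is lower than MaxFieldLength, and applies the article's 3/4 ratio (stated there for the 64KB maximum, generalized here to whatever value is configured) to show the MaxTokenSize that would match.

```powershell
# Added example: reads only, changes nothing. Run on the IIS server.
$Path   = "HKLM:\System\CurrentControlSet\Services\HTTP\Parameters"
$Values = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue

function Get-HttpSysLimit([string]$Name) {
    # Returns the configured value, or $null when the entry is not present.
    if ($Values -and ($Values.PSObject.Properties.Name -contains $Name)) {
        return [int64]$Values.$Name
    }
    return $null
}

$MaxField   = Get-HttpSysLimit "MaxFieldLength"
$MaxRequest = Get-HttpSysLimit "MaxRequestBytes"

# Decide what to report for this server.
if ($null -eq $MaxField -and $null -eq $MaxRequest) {
    $Finding = "Neither entry is present; Http.sys defaults apply."
} elseif ($null -ne $MaxField -and $null -ne $MaxRequest -and $MaxRequest -lt $MaxField) {
    $Finding = "MaxRequestBytes is lower than MaxFieldLength; MaxFieldLength will be adjusted."
} else {
    $Finding = "Limits have been changed; confirm the values are no larger than the group memberships require."
}

# MaxTokenSize that corresponds to the configured MaxFieldLength (3/4 ratio).
$MatchingTokenSize = if ($null -ne $MaxField) { [int64][math]::Floor($MaxField * 3 / 4) } else { $null }

[pscustomobject]@{
    Computer             = $env:COMPUTERNAME
    MaxFieldLength       = if ($null -ne $MaxField)   { $MaxField }   else { "not set" }
    MaxRequestBytes      = if ($null -ne $MaxRequest) { $MaxRequest } else { "not set" }
    MatchingMaxTokenSize = if ($null -ne $MatchingTokenSize) { $MatchingTokenSize } else { "n/a" }
    Finding              = $Finding
}
```

Running this across all IIS servers shows where the limits were raised, which is worth knowing given the IMPORTANT note above about larger requests and Http.sys memory use.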