Saturday, February 4, 2023

New Number matching Azure MFA feature impacts Microsoft RDGW & NPS extension


Are you using Microsoft's native Remote Desktop Gateway (RDGW) in combination with the NPS extension to secure your RDGW with MFA? Prepare for this change, which will be enforced tenant-wide for all users starting February 27, 2023!

Number matching is a security upgrade to traditional second factor notifications in Microsoft Authenticator. Microsoft will remove the admin controls and enforce the number match experience.

This is what Microsoft recommends:

"We highly recommend enabling number matching in the near term for improved sign-in security. Relevant services will begin deploying these changes after February 27, 2023 and users will start to see number match in approval requests. As services deploy, some may see number match while others don't. To ensure consistent behavior for all users, we highly recommend you enable number match for Microsoft Authenticator push notifications in advance."

While this adds and unlocks security capabilities and options, there is a downside if you currently use RD Gateway with the NPS Extension for Azure MFA. If you need more background on how this works, check out the article I published back in 2017, which is still relevant: The Microsoft Platform: Securing RD Gateway with MFA using the new NPS Extension for Azure MFA!

The impact on RD Gateway + NPS Extension

The reason for the impact is that NPS does not support number matching. However, the latest NPS extension does work with One-Time Password (OTP) methods, such as the OTP available in Microsoft Authenticator. In general, make sure that you run the latest version of the NPS extension. For more information on supported versions, the (registry) workaround you can use and the other requirements that apply, follow this guide.

If your organization uses Remote Desktop Gateway and the user is registered for OTP code along with Microsoft Authenticator push notifications, the user won't be able to meet the Azure AD MFA challenge and Remote Desktop Gateway sign-in will fail.

Release notes on this change

Below is a snippet of the release notes of NPS extension version 1.2.2131.2 that addresses the change Microsoft made.

"...Changed the default value of OVERRIDE_NUMBER_MATCHING_WITH_OTP from False to a Microsoft managed value. There is no change to the current authentication experience for users. Microsoft will begin enabling number matching for all users of the Microsoft Authenticator app starting 27th of February 2023.
After this date, if your organization has not set the OVERRIDE_NUMBER_MATCHING_WITH_OTP value to False, your Microsoft Authenticator users will be required to enter an OTP code instead of the Approve/Deny push notification experience..."

Solution (more of a workaround)

To prevent failed sign-ins after February 27, 2023, set OVERRIDE_NUMBER_MATCHING_WITH_OTP = FALSE on the NPS server.

To create the registry entry that overrides push notifications on your NPS Server:

1. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AzureMfa.
2. Create a new string value named OVERRIDE_NUMBER_MATCHING_WITH_OTP.
3. Set its value to FALSE.
4. Restart the NPS Service.

This makes the NPS extension fall back to Approve/Deny push notifications for Microsoft Authenticator users.
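The registry change described above, as an added PowerShell example that is not code from the original post or from Microsoft. It creates the string value, restarts the Network Policy Server service and returns the previous and current setting so the change can be verified and recorded. The function name is my own; the REG_SZ (string) data type is an assumption based on Microsoft's documentation rather than something the post states, and the service name IAS is the standard name of the Network Policy Server service.

```powershell
# Added example, not from the original post. Sets the NPS extension override so that
# Microsoft Authenticator users keep the Approve/Deny push experience instead of OTP.
function Set-NpsNumberMatchingOverride {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # 'FALSE' keeps push notifications (the workaround from the post).
        [ValidateSet('FALSE', 'TRUE')]
        [string]$Value = 'FALSE'
    )

    $keyPath   = 'HKLM:\SOFTWARE\Microsoft\AzureMfa'    # key named in the post
    $valueName = 'OVERRIDE_NUMBER_MATCHING_WITH_OTP'   # value named in the release notes

    if (-not (Test-Path -Path $keyPath)) {
        throw "Registry key $keyPath not found. Is the NPS extension for Azure MFA installed on this server?"
    }

    # Record the previous setting so the change is traceable in your change log.
    $previous = (Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName

    if ($PSCmdlet.ShouldProcess("$keyPath\$valueName", "Set to '$Value' (was '$previous')")) {
        # REG_SZ type: assumption based on Microsoft's documentation, not stated in the post.
        New-ItemProperty -Path $keyPath -Name $valueName -PropertyType String -Value $Value -Force | Out-Null
        # The extension reads its settings when the Network Policy Server service (IAS) starts.
        Restart-Service -Name IAS
    }

    # Return the effective setting so the caller can verify the result.
    [pscustomobject]@{
        Key      = $keyPath
        Name     = $valueName
        Previous = $previous
        Current  = (Get-ItemProperty -Path $keyPath -Name $valueName -ErrorAction SilentlyContinue).$valueName
        Service  = (Get-Service -Name IAS).Status
    }
}

# Usage (elevated PowerShell session on the NPS server):
#   Set-NpsNumberMatchingOverride -WhatIf   # preview the change
#   Set-NpsNumberMatchingOverride           # apply it and restart NPS
```

Run it with -WhatIf first on a production NPS server; the returned object doubles as evidence for the change record, and a Previous value of $null tells you the server was still on the Microsoft managed default.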

Monday, January 16, 2023

ChatGPT to author Bicep templates?

I'm sure that by now many have heard about ChatGPT. If not, ChatGPT is a large language model developed by OpenAI. It is based on the GPT (Generative Pre-training Transformer) architecture, which was trained on a massive amount of text data to generate human-like text. ChatGPT is fine-tuned to perform specific language tasks such as answering questions, generating text and more. It uses the latest advances in neural network technology to understand and respond to natural language input in a way that mimics human conversation. It can be used for various applications such as chatbots, automated customer service, language translation and more.

I took ChatGPT for a spin to see how accurate and detailed it would be to write (Infra as) Code. Somehow Bicep felt like a good candidate! (in case you don't know why, follow this link 😊)

The first question I asked was to author a simple Bicep template to create a Vnet.

[Image: ChatGPT's response to the first request]

I was blown away by the initial response, which came back instantly! That looks awesome for a first try! Do note that ChatGPT says Bicep is still in preview. The reason is that ChatGPT was trained on a large dataset of text that was current as of 2021, so it may not have information more recent than that. The training data used to build the model is also updated over time, so the information available to ChatGPT may change.

Also note that ChatGPT gave some advice on network design as well. How cool is that!

A best practice, however, would be to use a parameter instead of 'resourceGroup().location'. So let's tell ChatGPT to adapt to that and also to make resourceGroup().location the default value of the parameter.

[Image: ChatGPT's updated template with a location parameter]

That was easy! Next, we'll tell it to use a different API version when dealing with VNets.

[Image: ChatGPT's template with the changed API version]

There we go. Finally, let's see if it can also generate a parameters file with a couple of sample values. Of course it can!

[Image: ChatGPT's generated parameters file]

And this is just scratching the surface on what ChatGPT is able to do based on a simple example, there is so much more!

ChatGPT can help with writing code by providing code snippets, examples, and templates for a specific programming language or framework. It can also help with troubleshooting errors by providing solutions to common problems. Additionally, ChatGPT can assist with understanding the proper syntax and usage of a particular command or function by providing explanations and documentation.

ChatGPT can also help with writing code by providing suggestions for code improvements and better practices and by suggesting alternative ways to implement a certain functionality. It can also help with understanding and working with complex code by providing explanations of the code's behavior and providing examples of how to use it.

It's important to note that while ChatGPT can help with writing code, it's not a replacement for human programmers. ChatGPT can provide suggestions and examples, but it can't replace the experience and understanding of the problem domain that a human developer has.

Strong advice: do not blindly trust AI-generated code for production environments. Use AI to assist you, not to replace you.

And guess what... part of this article was actually written by ChatGPT itself! Did you notice? The possibilities are endless and I'm looking forward to test-driving this some more! What are your thoughts?

Monday, July 11, 2022

RDP Shortpath in action!

What is RDP Shortpath?

RDP Shortpath is all about offering better reliability and consistent latency for Azure Virtual Desktop (AVD). For a regular AVD session, all traffic is always tunneled through a gateway that is hosted by Microsoft as part of the AVD Service in Azure. RDP Shortpath allows direct RDP traffic from client to host and, after authentication and authorization, essentially bypasses the Gateway.

You might be familiar with the RD Gateway role as part of Remote Desktop Services. This role provides a similar service, as it also tunnels RDP traffic from the RD Client to the RD Session Host while only requiring outbound TCP traffic over 443 (SSL). There are distinct differences, however. First, the AVD Gateway is hosted and controlled by Microsoft, so you don't see it in your subscription and it is managed and maintained for you. Second, the AVD Gateway does not require you to open port 3389 from gateway to host, as the AVD Agent on the host only requires outbound ports. The latter is called reverse connect and allows full separation between the gateway and the host. Very important from a security standpoint, of course.

Why is this important to the topic of RDP Shortpath? The AVD Gateway only supports RDP-TCP, meaning we cannot leverage RDP-UDP. If you've worked with RDS before, you'll know that having RDP-UDP available significantly boosts the overall RDP experience, especially for graphics-intensive or latency-sensitive applications. Ever since the release of AVD (and before that WVD), there has been a big ask for RDP-UDP, and it has been on the radar and roadmap for some time.

With RDP Shortpath, Microsoft delivered on this promise. It allows direct communication from the AVD client to the AVD host, which reduces round-trip time and improves the user experience, especially with latency-sensitive applications. RDP Shortpath does not replace reverse connect, as all session brokering is still performed by the AVD control plane.

RDP Shortpath comes in two different options:

The first option is RDP Shortpath for managed networks. For this option, your AVD clients need direct TCP port 3389 access to the host. This option is mostly meant for trusted connections like ExpressRoute and Site-to-Site VPN. You can also use a public IP on the host, but for security reasons I would advise against that. More information on the setup and the requirements can be found here: Azure Virtual Desktop RDP Shortpath for managed networks.

The second option is Azure Virtual Desktop RDP Shortpath for public networks, which is currently in public preview. For this option, no TCP port 3389 access to the host is required and, as a result, a private network like ExpressRoute or Site-to-Site VPN is not required either. More information on the setup and the requirements can be found here: Azure Virtual Desktop RDP Shortpath for public networks (preview).

Although RDP Shortpath for public networks is still in public preview (Microsoft recommends not using it for production yet and configuring it on a validation host pool), my experiences with the feature have been great so far.

Enable RDP Shortpath for public networks preview

To participate in the RDP Shortpath for public networks preview, all you have to do is add the registry entry ICEControl as shown below.

REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations" /v ICEControl /t REG_DWORD /d 2 /f

And to disable RDP Shortpath for public networks preview, simply remove the ICEControl registry entry as shown below.

REG DELETE "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations" /v ICEControl /f

Confirm RDP Shortpath is operational

Once enabled, the easiest way to confirm that RDP Shortpath for public networks is working (this also applies to managed networks) is by clicking on Connection information in the blue bar. As you can see below, it says 'UDP is enabled' and further down it lists UDP as the transport protocol.
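The client-side connection info above confirms a single session from the user's seat. As an added PowerShell example (not code from the original post or from Microsoft), the function below gives the session-host view of the same two facts: whether the ICEControl entry from the enable step is present with the value 2, and whether recent sessions on the host actually negotiated the UDP transport. The function name is mine. The event log name Microsoft-Windows-RemoteDesktopServices-RdpCoreCDV/Operational and the "transport type set to UDP" message text are assumptions from my own notes, not from the post; if your build logs the transport elsewhere, adjust the $logName and the match strings.

```powershell
# Added example, not from the original post. Reports the RDP Shortpath (public networks
# preview) registry state on this session host and counts recent UDP vs. TCP sessions.
function Get-RdpShortpathState {
    [CmdletBinding()]
    param(
        # How many hours of the RDP event log to inspect.
        [int]$Hours = 24
    )

    # Key and value from the REG ADD command in the post; 2 = opted into the public networks preview.
    $keyPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations'
    $iceValue = (Get-ItemProperty -Path $keyPath -Name ICEControl -ErrorAction SilentlyContinue).ICEControl

    if ($null -eq $iceValue) { $publicPreview = 'Not configured (disabled)' }
    elseif ($iceValue -eq 2) { $publicPreview = 'Enabled' }
    else                     { $publicPreview = "Unexpected value $iceValue" }

    # Assumption: this operational log records the negotiated transport for each connection
    # and the message contains "transport type set to UDP" when Shortpath is in use.
    $logName     = 'Microsoft-Windows-RemoteDesktopServices-RdpCoreCDV/Operational'
    $udpSessions = 0
    $tcpSessions = 0
    try {
        $filter = @{ LogName = $logName; StartTime = (Get-Date).AddHours(-$Hours) }
        $events = Get-WinEvent -FilterHashtable $filter -ErrorAction Stop
        foreach ($e in $events) {
            if     ($e.Message -match 'transport type set to UDP') { $udpSessions++ }
            elseif ($e.Message -match 'transport type set to TCP') { $tcpSessions++ }
        }
    } catch {
        # No matching events (or no such log on this build) simply leaves both counters at 0.
        Write-Verbose "Could not read ${logName}: $($_.Exception.Message)"
    }

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        ICEControl    = $iceValue
        PublicPreview = $publicPreview
        UdpSessions   = $udpSessions
        TcpSessions   = $tcpSessions
        LookbackHours = $Hours
    }
}

# Usage on a session host (elevated, so the operational log is readable):
#   Get-RdpShortpathState -Hours 48 -Verbose
```

A host reporting PublicPreview = Enabled but only TcpSessions after a day of use is the case worth investigating: the registry toggle is in place, yet clients are still falling back to the gateway transport, which is exactly what the connection information dialog would show as TCP.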

Putting RDP Shortpath to action

Over time, I have performed several tests with RDP Shortpath, both for public and for private networks, even when RDP Shortpath was still in technical preview. A subset of those videos is available on my YouTube channel.

In my most recent test from last week, I put RDP Shortpath for Public Networks to the test using an NVads A10 v5-series session host in Azure Virtual Desktop. These VMs are powered by an NVIDIA A10 GPU. What's also great about the NVads A10 v5 series is that it lets you select sizes with a partial GPU. So for scenarios where a full A10 GPU is not required, you can also select a size with 1/2, 1/3 or even 1/6 of a GPU. Back in March of this year, when this new series was still in preview, Michel Roth (Microsoft Azure HPC team) wrote a great article called Why the NVads A10 v5 series lowers AVD costs even further, which contains interesting insights into the benefits and costs.

Back to my test case. To test-drive RDP Shortpath on the GPU-enabled machine in a fun way, I used GTA5 running inside the AVD session host! The results were amazing. As you can see in the screenshot below, the round-trip latency was only 8 ms at 49 frames per second. During this test run the frame rate fluctuated between 46 and 50 frames per second.

Want to see it in action? Below is a link to the video I published last week: AVD — GPU — RDP Shortpath demo, with GTA — YouTube

Tuesday, July 5, 2022

Parallels RAS 19 Expression based filtering and Multiple Multi-factor Authentication (MFA) providers!

This is article number three in a series I'm publishing on Parallels Remote Application Server version 19. In the previous two articles I discussed support for Let's Encrypt and integration with MSIX app attach.

Expression based filtering & policies

Multiple Multi-factor Authentication (MFA) providers.

Wednesday, June 8, 2022

Parallels Remote Application Server version 19 now supports Let’s Encrypt!

On June 1st 2022 Parallels released Remote Application Server 19 Public Preview! This version comes with a lot of exciting new features! In a previous article I focused on the MSIX app attach support. In this article I want to address the support for Let's Encrypt!

1. You need a publicly accessible domain that resolves to the Secure Gateway, directly or through third-party load balancers.
2. On the Secure Gateway, port 80 must be open for incoming Let's Encrypt requests.

Wednesday, June 1, 2022

Parallels Remote Application Server version 19 Public Preview!

Parallels just released Remote Application Server 19 Public Preview! This version comes with a lot of exciting new features!

• Amazon Web Services (AWS) as a cloud provider — Parallels RAS 19 extends the list of supported cloud computing providers by integrating with Amazon EC2. This integration allows customers to use RAS Templates based on Amazon EC2 instances and build hybrid and cloud environments with a unified administrative and end-user experience.
• MSIX app attach integration — Parallels RAS 19 provides a new and modern application delivery method, Application Packages, based on MSIX app attach. This app layering technology enables customers to separate applications from the core operating system and deliver applications to users dynamically. This makes it easier to create a RAS template and gives more control by providing the right application to the right user.
• Let's Encrypt certificate management — Let's Encrypt (LE) is a global Certificate Authority (CA). The organization behind LE is a non-profit and provides free SSL/TLS certificates, each valid for 90 days and therefore requiring renewal within that period. Parallels RAS 19 includes automated certificate management, which provides the ability to issue, renew and revoke certificates directly from the RAS Console.
• Parallels Client for Windows on ARM64 — Parallels Client for Windows has been rebuilt and optimized to run natively on machines powered by ARM64 processors, which were designed to be more lightweight and power-efficient.