ngix reverse proxy for ADFS 3.0 server

2016-03-22 / Linux, Microsoft / 1 Comments

Problem:
After setting up a nginx reverse proxy for a ADFS 3.0, instead of MS WAP, it was coming back connection reset by peer. When browsing to the site via IP or anything other than the original hostname it would return this error.

Nginx for some reason was not passing the host header in the reverse proxy request. When connecting to the backend server it was only using the IP of the upstream server causing ADFS to not accept connections.

Solution:

1. Run the below command get get the certhash and the appid from the ADFS server
netsh http show sslcert

2. Run the command to enable http.sys to listen on all IPs with this certificate.
netsh http add sslcert ipport=0.0.0.0:443 certhash=5117dffde15446cf1cfd8bd855cfef25202c6c17 appid='{5d89a20c-beab-4389-9447-324788eb944a}'

Keep in mind if you have other things running on this server it could cause conflict. However, if its setup correctly, nothing else should be on the server.

The nginx config looked like this

upstream adfs_backend {
    server 1x2.xx8.xx.xx:443;
    keepalive 100;
}

server {
        listen   443;
        server_name xxsecurity.customer.com;
        ssl    on;
        ssl_certificate    /etc/ssl/private/adfs.cer;
        ssl_certificate_key    /etc/ssl/private/adfs.key;


     location / {
        proxy_pass https://adfs_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_http_version 1.1;
    }
}
Read More

PowerShell script to modify local account password on multiple remote computers

2015-07-02 / Microsoft, PowerShell, Server / 0 Comments

I had a need to do this for a client.

Problem: Need to change a single user’s account password and flags across multiple systems

Solution:
You can use this script to modify a local user’s password across multiple machines. It will check that the machine is reachable (by ping) and it will set the account to never expire and enabled (userflag 66048)

Modify the $user and $password fields with their desired strings and update the $computers path to the computers.txt file with a list of computers
Run the PowerShell script as someone who is administrator on the machines in the computers.txt file

$computers = Get-Content -path C:\temp\computers.txt
$user = "USER"
$password = "PASSWORD"
Foreach ($computer in $computers)
{
    #Start-Sleep 1
    $ErrorMessage = ""
    $FailedItem = ""
    $localuser = ""
     
    if (Test-Connection $computer -ErrorAction stop -count 3 -Quiet)
    {
        try
        {
            $localuser = [adsi]"WinNT://$computer/$user,user"
             
            if ($localuser.Path -ne $null)
            {
                $localuser.SetPassword($Password)
                $localuser.userflags = 66048
                $localuser.SetInfo()
                Write-Host "Password changed on: $computer" -ForegroundColor Green
            }
            else
            {
                Write-Host "$user not found on: $computer" -ForegroundColor Red
            }
        }
        catch
        {
            Write-Host "Error changing password on: $computer" -ForegroundColor Red
            #$ErrorMessage = $_.Exception.Message
            #$FailedItem = $_.Exception.ItemName
            #Write-Host $ErrorMessage -ForegroundColor Gray
            #Write-Host $FailedItem -ForegroundColor Gray
        }
    }
    else
    {
        Write-Host "Unable to connect, not changing password on: $computer" -ForegroundColor Red
    }
}
Read More