by Contributed | Jun 23, 2021 | Technology
This article is contributed. See the original author and article here.
Our guest blogger, Lex Thomas, writes about ASCENT cases that are escalated and require networking expertise, usually with tracing. He joins us today to hopefully save everyone some troubleshooting time. Edited with added context by Jarred Mooney, Customer Engineer.
Today I had an Issue that I want to share because I am hearing that it’s widespread. SQL Reporting Service (SSRS) “Fails to Connect”, but in this case the cause can take a while to track down.
In today’s security-minded environment companies are disabling support for TLS 1.0 and 1.1 and forcing TLS 1.2/1.3.
That’s a great thing.
But I have run into several situations where applications seem to break, and unless you understand the correlation between TLS restrictions being added and applications failing to connect to SQL Server Reporting Services, it’s easy to miss this one.
Setup:
I have added the registry keys to disable TLS, so if you do not have them, you do now.
Here is a decent Article on doing that.
Transport Layer Security (TLS) registry settings | Microsoft Docs
Now, back to our Reporting Services Issue…
SSRS Fails to Connect:

I got an Ascent Case and the issue appeared to be networking. Generally, when I hear the words “Can’t Connect,” I Immediately think Firewall or issue with a target service and I ask for a network trace.
That’s exactly what I asked for here.
Here is what I Look For, and why:
First, we have to be able to connect via TCP. That means we have to be able to do a 3-way handshake (here is what that looks like):

The Client Sends a SYN request to the Endpoint ( ….S…. )
The Server Sends an ACK SYN (..A….S… )
And the Client Responds With an ACK (….A…..)
If that fails, we have one of 2 possibilities.
- A Firewall or
- The service we want to talk to is not running on the box at that IP address.
Second, we Need to Negotiate TLS. When that’s Successful, It looks like this:

In the Client Hello - We Send Information that the Server Needs to Understand the TYPE of TLS Request: TLS Version, Cipher Suites etc..

If the TCP Session succeeds, and the TLS Session Negotiation is successful, we connect!
Now the Strange Part:
When SSRS Fails in this specific case, you can see below that it opens the TCP session and immediately closes it.
Notice No TLS Handshake.

Why Does This Happen?
This happens because an application is trying to USE a TLS/SSL Version that is disabled.
In the above example, SSRS can connect to the target, TCP Works! But it immediately tears the TCP session down because the application is TRYING TO FORCE TLS 1.0.
TLS 1.0 is disabled on this box, so the Client Hello never gets sent and the application “SSRS” logs this as a Connection Failure.
It’s Important to understand that the TCP Connection worked but the TLS SESSION failed.
So again, why did this Happen?
It happened because in this case SSRS was using an older version of .NET Framework.
.NET Framework negotiates TLS/SSL independently of the O.S. by Default (at least this version), and I suspect anything written earlier than a couple years ago does the same.
So in this case:
- SSRS calls .NET and asks for a TLS Session
- .NET tries to use TLS 1.0 even though it’s Disabled at the system level.
- The TCP Session Is Established
- The Client Hello is Not Passed (because TLS 1.0 Is disabled)
- The TCP Session Gets Torn Down.
HOW TO FIX:
(Note: While enabling TLS 1.0 would work here, it’s not the correct solution and should be avoided.)
Here is the Correct Solution:
Add SystemDefaultTlsVersions and set that DWORD to 1. This instructs .NET to use the system-defined TLS settings. The registry entries look similar to this (depending on your .NET Framework versions):
For 64-bit Apps:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319] – “SystemDefaultTlsVersions”=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727] – “SystemDefaultTlsVersions”=dword:00000001
For 32-bit Apps:
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727] – “SystemDefaultTlsVersions”=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319] – “SystemDefaultTlsVersions”=dword:00000001
Making this change will allow .NET Apps to use the OS-Level TLS Settings.
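One way to audit and apply the setting above on a server, as an added example that is not part of the original article. The function name `Set-DotNetSystemDefaultTls` and its `-Apply` switch are hypothetical; keys that do not exist (that .NET Framework version is not present) are reported and skipped rather than created.

```powershell
# Added example (not from the original article): audit and optionally set
# SystemDefaultTlsVersions on the four .NET Framework keys listed above.
# The function name and -Apply switch are hypothetical, chosen for this example.
function Set-DotNetSystemDefaultTls {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([switch]$Apply)   # without -Apply the function only reports

    $valueName = 'SystemDefaultTlsVersions'
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',              # 64-bit apps
        'HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319',  # 32-bit apps
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v2.0.50727'
    )

    foreach ($key in $keys) {
        $present = Test-Path -Path $key
        $current = $null
        if ($present) {
            # A value that was never created comes back as $null.
            $prop = Get-ItemProperty -Path $key -Name $valueName -ErrorAction SilentlyContinue
            if ($null -ne $prop) { $current = $prop.$valueName }
        }

        $changed = $false
        if ($Apply -and $present -and $current -ne 1 -and
            $PSCmdlet.ShouldProcess($key, "Set $valueName = 1")) {
            # -Force overwrites an existing value (for example one set to 0).
            New-ItemProperty -Path $key -Name $valueName -Value 1 `
                -PropertyType DWord -Force | Out-Null
            $current = 1
            $changed = $true
        }

        [pscustomobject]@{
            Key        = $key
            KeyPresent = $present
            Value      = $current
            Compliant  = ($current -eq 1)
            Changed    = $changed
        }
    }
}

# Read-only report of the current state:
Set-DotNetSystemDefaultTls | Format-Table -AutoSize
# Preview the change, then apply it (writing under HKLM needs an elevated prompt):
# Set-DotNetSystemDefaultTls -Apply -WhatIf
# Set-DotNetSystemDefaultTls -Apply
```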
There you have it!
by Contributed | Jun 23, 2021 | Technology
This article is contributed. See the original author and article here.
Starting today you no longer need to choose between Windows and Linux for your production IoT solutions. You can leverage the best of both platforms by running Linux workloads on Windows IoT devices using Azure IoT Edge for Linux on Windows, known as EFLOW, which is now generally available.
Enterprises have told us that they want to take advantage of the large number of Linux-based cloud-native containerized workloads on the edge, especially for AI/ML. Many of those same customers also value the unique benefits of Windows IoT, such as the ability to create interactive user interfaces with natural input, enterprise grade device management tools, world-class security, 10-years of long-term servicing from kernel to shell, and a worldwide update service. Yet deploying, managing, and maintaining both Linux and Windows IoT devices is time consuming and expensive. EFLOW allows existing Windows IoT customers to retain their existing devices, tooling, and application investments, while also running Linux containers on the same devices. Conversely, enterprises with existing Linux investments who are interested in the benefits of Windows IoT have a migration path to bring their Linux application code to Windows.
EFLOW is a lightweight Linux VM from Microsoft designed for production edge deployments. It is based on CBL-Mariner, a Linux distribution developed by Microsoft. It includes Azure IoT Edge to facilitate easy integration with the cloud and deployment of workloads from Azure IoT Hub to Windows IoT devices on the edge. It also supports access to commonly used hardware in IoT and embedded devices, including TPM, serial, and Nvidia T4 and Quadro/GeForce GPUs for AI/ML acceleration. We plan to extend support to Intel iGPUs for AI/ML use cases by the end of the year. Furthermore, EFLOW supports deployment of the VisionOnEdge (VoE) solution template, which illustrates how customers can create their own AI/ML solution, using third party or Azure technologies, such as Azure Video Analyzer. As a developer, you can use VoE as a starting point or you may choose to implement your own custom modules using the Linux distribution of your choice. You can develop the solution using the Windows Subsystem for Linux (WSL), which is based on the same CBL-Mariner Linux OS as EFLOW. Alternatively, the Azure Marketplace from Microsoft offers prebuilt 1P solutions, such as SQL Edge and OPC Publisher, as well as 3P modules from some of our Partners (eg. OpenVino) that can be deployed as-is. Either way, running Azure-connected Linux modules on Windows IoT becomes a seamless part of an intelligent edge solution.
Windows IoT is deployed in millions of devices around the world in numerous industries including manufacturing, retail, medical equipment, and public safety. Customers choose Windows to power their edge operations because it is an out-of-the-box platform to create locked-down, interactive user experiences with natural input, provides world class security, enterprise grade device management, and 10 years of servicing, allowing customers to build solutions that are designed to last. With EFLOW, customers will now be able to benefit from running Linux workloads on production Windows IoT deployments, leverage the advances in cloud-native development, and easily connect the solution to Azure.
EFLOW is available on all Hyper-V capable Windows 10 installations. This makes 100s of millions of existing devices EFLOW capable, which can easily be managed and connected through Azure.
Learn more about EFLOW by watching the IoT show:
Detailed documentation to get started is available at https://aka.ms/AzIoTEdgeforLinuxOnWindows
If you want to stay up to date and get notified of future updates to Azure IoT Edge for Linux on Windows, you can register using this link. Note that the information you will share will only be used by Microsoft for the purpose of keeping you informed about this product.
by Contributed | Jun 23, 2021 | Technology
This article is contributed. See the original author and article here.

Join us on Saturday, June 26 from 10AM-4PM PT for a special virtual event in partnership with Warner Bros., Space Jam: A New Legacy, and Banneky. We’ll have athletes, gamers, game producers, and coders on hand to help you learn new coding skills and explore the intersection between sports, gaming, entertainment, and tech!
The event will feature Sceptic, a teen pro gamer, FaZe Clan, 27-time esports champions, Gaby Ponce, Leader of Team Xbox Latinx, and Microsoft Cloud Advocates Sana Ajani, Ornella Altunya, April Speight, and Chloe Condon in a mix of panels, live coding, and opportunities to learn something new!
You’ll have four topics to choose from – software engineering, sports, hardware engineering, and gaming – pick one, or attend them all! You can expect to hear about:
- Getting started with Visual Studio Code and the new Learn modules inspired by Space Jam: A New Legacy
- The future of careers in gaming
- Building gaming PCs and game consoles
- A day in the life of a content creator
- Diversity in careers in gaming and entertainment
On top of these awesome sessions, you’ll also have the chance to win FaZe Clan merchandise, Xbox controllers, and Surface books!
Check out https://banneky.com/FindYourSeat for more details.
A bit about our partners:
Warner Bros. is the home of Tune Squad and the upcoming film Space Jam: A New Legacy, but have you heard of Banneky? Banneky is an education tech platform for middle and high school students who love art, sports, and gaming. On their site, you’ll find fun math and science lessons and behind the scenes access to the brands and influencers you love.
A bit about the film:
Welcome to the Jam! Basketball champion and global icon LeBron James goes on an epic adventure alongside timeless Tune Bugs Bunny in the animated/live-action event “Space Jam: A New Legacy,” from director Malcolm D. Lee and an innovative filmmaking team including Ryan Coogler and Maverick Carter.
This transformational journey is a manic mashup of two worlds that reveals just how far some parents will go to connect with their kids. When LeBron and his young son Dom are trapped in a digital space by a rogue A.I., LeBron must get them home safely by leading Bugs, Lola Bunny, and the whole gang of notoriously undisciplined Looney Tunes to victory over the A.I.’s digitized champions on the court: a powered-up roster of basketball stars as you’ve never seen them before. It’s Tunes versus Goons in the highest-stakes challenge of his life, that will redefine LeBron’s bond with his son and shine a light on the power of being yourself. The ready-for-action Tunes destroy convention, supercharge their unique talents and surprise even “King” James by playing the game their own way.
by Contributed | Jun 23, 2021 | Technology
This article is contributed. See the original author and article here.
Hello,
With the recent Executive Order on Improving the Nation’s Cybersecurity mandating Zero Trust Architecture and multifactor authentication, you may be wondering what those requirements are and how you can use the tools you have in Azure AD to meet the standards.
I am excited to share with you new guidance within our public documentation. This guidance is tailored to help you meet government and industry identity requirements using Azure Active Directory. Microsoft documents how we as a company meet many of these standards. While you can leverage our compliance, there are often “shared responsibilities” beyond what Microsoft accreditation provides. This new prescriptive guidance is designed to help you meet these identity requirements using Azure Active Directory.
As an example, let us consider meeting FedRAMP High controls IA-2 (1-4). To understand these requirements, one would have to start with FedRAMP Security Controls Baseline, dive into NIST SP 800-53 Rev. 4 which builds on NIST SP 800-63 Rev. 3 which in turn builds on NIST FIPS 140-2. You get the idea…lots of “light” reading. Alternatively, one could leverage the standards & compliance section which provides prescriptive guidance for meeting this control by:
(a) configuring Conditional Access (CA) policies to require MFA,
(b) configuring device management policies and CA policies such that sign-in to these managed devices would require MFA,
(c) viable MFA options meeting NIST Authentication Assurance Level (AAL) 3 as required by FedRAMP High and
(d) use of PIM to eliminate privileged local access without PIM activation.
I am happy to announce the first two content sets under the new standards & compliance area:
Configure Azure Active Directory to meet NIST Authenticator Assurance Levels
We have started with NIST 800-63 – Digital Identity Guidelines which is a well understood framework for digital identities that many other standards and regulations use as a building block.
This guidance details how you can use Azure Active Directory to meet NIST Authentication Assurance Levels (AAL) and maps these AAL’s to all available authentication methods.
Configure Azure Active Directory to meet FedRAMP High Impact level
Many US federal agencies as well as cloud solution providers (CSPs) delivering cloud services to these agencies must meet requirements of the FedRAMP program. We anchored our guidance around the FedRAMP High baseline to cover the most stringent set of identity-related controls. This approach allows customers who need to adhere to lower FedRAMP baselines to use this guidance as well.
US Government agencies will soon be required to have fully adopted multifactor authentication. Check out our resources to Enable MFA in your organization to verify explicitly as part of your Zero Trust approach.
We would love to hear more from all of you on what standards, regulations, or other compliance frameworks with identity requirements you would like to meet with Azure Active Directory. We will continue to review standards, regulations, or other compliance frameworks and where appropriate, produce guidance to help our customers meet their identity requirements using Azure Active Directory.
Learn more about Microsoft identity:
by Contributed | Jun 23, 2021 | Technology
This article is contributed. See the original author and article here.
We’re excited about what Yammer has launched recently. Take a look at some of the latest updates to Yammer.
Easily upload OneDrive files or select from Shared Libraries directly into Yammer discussions
Now you can upload OneDrive files into Yammer discussions and select files from shared libraries. Learn more details here. With the new file picker experience, employees working in Yammer can upload files stored in their OneDrive or SharePoint, making it a familiar experience for sharing and collaborating with colleagues across the organization.

Community members will have the same abilities to edit, annotate and comment on documents as they do in OneDrive or SharePoint.
More ways to customize Yammer feeds with Yammer embed
You can enable conversations on your own sites or bring in existing conversations by embedding Yammer feeds. You can use this new widget configuration to quickly create and customize them to better fit the needs of your community, enabling you to embed your Yammer home, community, user, topic, or web link feed right into your site. Visit this site to get started.
Simply select the type of feed you’d like to embed, search the feed by name, customize it to your liking, and publish. A preview of your feed will be shown. Click ‘Get Code’ to retrieve the code you’ll need to embed in your site.

We’re continuing to add new embed customizations so let us know any future improvements you’d like to see.
New announcement delivery options
Learn how you can use Essential Announcements in your communities as a way to keep community members engaged and informed in important changes and news.

Community admins and network admins can now choose to set any type of post as an ‘essential announcement’. Community admins can change the delivery options before they post, which will notify all community members by email. This will override individual community member email notification settings.
Measure the reach and impact of Yammer discussion with Conversation insights
You can now view Yammer conversation insights, which give data on how content is performing across communities. You can understand how engagement impacts the conversation, how people react, and see how “viral” the conversation is within the organization.

Content creators, communicators and community managers can use these insights to build engaging content that resonates with the community and beyond. You can access these insights in Yammer on the web or the Communities app in Microsoft Teams.
Pin important posts in Yammer communities
Community admins can pin any type of post in their Yammer community. While this feature launched a few months ago, now Yammer will automatically collapse pinned posts after a user has seen the message. This can help with “pinned post” fatigue if they are a frequent visitor but keeps essential information easily accessible.

New Yammer training videos
Get up and running with the new Yammer with these four new training videos. Share these with your communities as they continue to learn the nuts and bolts of building and engaging with employees in their communities. There are videos about conversations and discovery, notifications and announcements, how to administer Yammer communities and the building blocks of Yammer network administration.
These videos have also been updated in the Microsoft 365 Learning Pathways for easy access to learning directly from your organization.
What’s coming soon?
See what else Yammer has planned on our public roadmap and keep an eye on this blog for more news, updates, and best practices relating to Yammer and communities in Microsoft 365.