Category Archives: Miscellaneous

How I work with multiple identities in Google Chrome

Introduction

I spend my time working with public cloud services for a large number of organizations. That means many, many different user accounts to keep track of. The tool I use most to interact with these services is the web browser. As you all know browsers try to make life easy for their users, and therefore they cache a lot of information, including logins, cookies and AuthN tokens (these are cookies too). All in an effort to make it easy for an end user to get to his stuff quickly. But we are not end users are we…? For me all this caching is very inconvenient when I need to be someone other than my own identities, which is all the time. And not only that but at the same time that i want to operate as myself. Here is how I have this set up today.

The Browser

For me Google Chrome works best. It has the features I need, simple as that. My reasons are laid out below.

Securing Login Information

I keep all my login information secure in a KeePass 2 database. I choose KeePass 2 because it has good encryption (AES-256), great multi-platform support, lots of plugins, good security features like automatic workspace lock, is open-source and free. I keep my KeePass databases in a cloud storage account protected with Multi-Factor Authentication (MFA). KeePass lets me generate long, complex passwords easily so I never (ever) reuse passwords anywhere.

main_big

Accessing Login Information Easily

I mentioned that KeePass has great plugin support. One of my favorite plugins is KeePassHttp, which exposes password entries securely over HTTP. It creates a local HTTP endpoint that authorized clients can talk to. Authorization is controlled in KeePass and is thus protected by the KeePass master password and any other factors you may have chosen.

keepasshttp

KeePassHttp together with the Chrome extension chromePass completes this setup by serving up the necessary login information based on URL. chromePass connects to KeePassHttp and retrieves the login information from the KeePass database that matches the URL of the site you are visiting. If several entries match you get a list to choose from. By default KeePass will not just serve up the login information, you have to approve it from a prompt displayed by KeePass.

chromePass

Multiple Personalities – in a good way

The final piece of the puzzle is the Chrome plugin MultiLogin. It takes care of the problem of the browser trying to cache your login information and state in cookies. Whenever you hit the MultiLogin button Chrome starts a completely clean browser tab that is not related in any way to what is going on in any other tabs. Each new MultiLogin tab is identified by a number so you can easily tell them apart. All tabs with the same identifier share the same state, so you can have several tabs where you are the same user. Everything in the MultiLogin tabs is destroyed when you close Chrome so nothing will be remembered.

I use regular Chrome tabs for my own private web surfing, and Chrome caches my logins and stores cookies just like normal. For everything else I use MultiLogin tabs. This also has the added security benefit of never storing any session or AuthN cookies when you close Chrome.

multilogin

Unfortunately the developer has removed MultiLogin from the Chrome Store for unknown reasons, and I have not been able to find a replacement. I was lucky enough to install it when it was available, so thanks to Chrome’s roaming extension feature I get it on all my computers. If you still want to get MultiLogin there are instructions here for installing it manually.

UPDATE 27.10.2016: A new Chrome extension called openMultiLogin has been released that replicates the functionality of MultiLogin. Check it out in the Chome extensions store.

Good luck!

Error 0x80070001 on Windows 10 when trying to install a new app

This is slightly off topic for me, but because I spent quite a bit of time on figuring it out and could not find this documented anywhere else, I thought I would write it up quickly.

At some point I could no longer install any new apps from the Windows Store on my Surface 3 Pro Windows 10 machine. Apps already installed would update fine, but new ones could not be added. The error was:

“Try that again. Something went wrong. The error code is 0x8007001, in case you need it”.

If we translate that number to a human readable form we get:

Incorrect function.

Not much to go on. I initially thought this was something to do with either the modern app framework or Windows installation and tried things like resetting the store with (WSReset.exe) and scanning the system files with SFC.EXE. None of these things helped. In the end it turned out that is was related to my SD card. I had an  SD card installed and had previously moved a few apps to it. Apps that were so large that I didn’t want them eating up my system drive. Moving these apps somehow caused all new apps from then on to try to install on the SD card, or at least rely on it for something during the install. I shut down the computer, removed the card and could then install apps again. At this point I also reinserted the card and could now also install new apps with the card inserted. Some setting somewhere had obviously been changed. I do not know the root cause of this behavior, which is always annoying, but I am prepared to accept that I made it work.

Updating already installed apps worked because they were all on the correct (C:) drive. The default install location for apps was also set to the C: drive, which makes this even stranger…

Hope this helps someone. Happy installing!

Obtaining the latest setup binaries for the OneDrive Next Generation Sync Client

Microsoft is working on creating a unified OneDrive Windows sync client for both consume OneDrive and OneDrive for Business. This is very good news and you can read all about it here.

But the download links on the Office support pages are not for the latest version of the Next Generation Sync client (ODNGSC). At the time of this writing the latest version is 17.3.6349.0306, but the download link is for 17.3.6302.0225.  So why does this matter? The ODNGSC updates itself as part of an Office 2016 update cycle or individually. When you deploy the client you might have some issues that are blocking you, stopping you from completing setup. If that is the case the client cannot update itself, because initial setup has not been completed. So you can’t get the version that might fix your setup problem. Catch 22.

Right now, one such problem is trying to use ODNGSC in Azure RemoteApp (ARA) images. In ARA users’ profiles are redirected to profile disks (VHDs) stored in Azure storage accounts. The redirection happens by using a reparse point linking the VHD to the user’s %USERPROFILE% path. The ODNGSC will not accept a path that includes a reparse point so you cannot install the client. If this error was fixed in a more recent release than the one currently installed or available for download, you would face the above problem. (So right now, this trick does not help you, but it serves to explain why I wanted to get to the latest client binaries.)

To work around this and perform initial setup with the latest ODNGSC, do this:

On a machine that has the latest version, navigate to:

%LOCALAPPDATA%\Microsoft\OneDrive\Update

In that folder you will find the setup file (OneDriveSetup.exe) for the latest client. If you look in the Update.xml file in the same directory you will also find the URL of where that client was downloaded, something like https://oneclient.sfx.ms/Win/Team/17.3.6349.0306/OneDriveSetup.exe.

Estonian e-Residency

I just applied for e-Residency in Estonia!

snip_20151215123126

As an e-Resident you are issued a secure digital identity by the government of Estonia. This enables you to use services provided by the Estonian state agencies and private sector. Thing you can do:

  • Establish a company online
    Estonian companies can be established, registered, and administered entirely online.
  • Open a bank account in Estonia
    Estonia is well-known for its user-friendly and secure online banking. The e-Resident smart ID card is approved by LHV, Swedbank and SEB banks in Estonia, with others planned in future.
  • Digitally sign documents and contracts
    Digital signatures have been available in Estonia since 2000 and are used daily. More than 200 million digital signatures have been created in Estonia since inception.

As someone interested in digital identities I think this is fantastic stuff, and heralds the coming of a new age of business. Looking forward to visiting the Estonian consulate in Oslo to pick up my ID card.

Read more about Estonian e-resicency here:

  • https://en.wikipedia.org/wiki/E-residency_of_Estonia
  • https://e-estonia.com/e-residents/services-and-benefits/

 

Speaking at Nordic Infrastructure Conference (NICConf) 2016

Just got a confirmation for two of my session suggestions for NIC 2016. Join me in Oslo February 3-5th 2016!

Here are the sessions I will be giving:

Azure AD B2B and B2C: The next generation collaboration has arrived
Level: 300
Azure AD Business-2-Business and Business-2-Consumer are two new features of the global trust fabric that is Azure Active Directory. With Azure AD B2B many of the identity challenges of collaborating with partners are no longer relevant. The complexities and cost of federation, and the security issues with maintaining accounts for your partners are no longer necessary. Join me to learn how to use these new features to allow anyone you choose to securely use your applications and access your data. We will also cover B2C where Azure AD finally integrates with the major social identity providers like Google, Microsoft Accounts and Facebook to allow you to share data and applications with consumers.
Azure AD Domain Controller Services (DC-as-a-Service): Get rid of Windows Server AD once and for all
Level: 300
Azure AD offers the next generation identity platform built from the ground up to enable the cloud. As more and more organizations adopt and move to Azure AD the need for the traditional Active Directory infrastructure dimishes. But it can be very hard to get rid of our oldest AD dependent applications. With Azure AD Domain Controller Services we can finally take this last step and retire our old domain controllers. Azure AD DCaaS can use Azure AD to emulate a domain controller and thus let us run all our legacy applications while only using Azure AD. Join me in this sessions for a highly technical overview of this new technology.

Hope to see you there!

Morgan

RunAs Radio Azure RMS Podcast

I just spent half an hour talking to RunAs Radio host Richard Campbell about Azure RMS. The show will go live on May 13th.

RunAs Radio is a weekly Internet Audio Talk Show for IT Professionals working with Microsoft products. The full range of IT topics is covered from a Microsoft-centric viewpoint.

I was not aware of RunAs Radio myself but they have a lot of great content, and are now on my list of podcasts I subscribe to, If you are are a technologist interested in Microsoft products I highly recommend you do the same!

http://www.runasradio.com/

Thanks to Richard and everyone else at RunAs Radio for having me on the show,