Category Archives: IT Pro

FIDO2 AAGUID lists

Posted on by
1

AAGUID lists per vendor

This post is a personal repository of the FIDO2 AAGUID lists for the security keys from different vendors. That way I have a quick reference publically available for my own use whilst helping others find them as well.

FEITIAN FIDO2 AAGUID lists

Product TypeFIDO2 AAGUID
FIDO Java card 2c0df832-92de-4be1-8412-88a8f074df4a
FIDO fingerprint card 8c97a730-3f7b-41a6-87d6-1e9b62bda6f0
MultiPass FIDO 310b2830-bd4a-4da5-832e-9a0dfc90abf2
iePass FIDO 6e22415d-7fdf-4ea4-8a0c-dd60c4249b9d
ePass FIDO833b721a-ff5f-4d00-bb2e-bdda3ec01e29
ePass FIDO NFC ee041bce-25e5-4cdb-8f86-897fd6418464
BioPass K26/K27 77010bd7-212a-4fc9-b236-d2ca5e9d4084
BioPass K26/K27 Plusb6ede29c-3772-412c-8a78-539c1f4c62d2
BioPass K45 77010bd7-212a-4fc9-b236-d2ca5e9d4084
BioPass K45 plus b6ede29c-3772-412c-8a78-539c1f4c62d2
Allin Pass 2ded745-4bed-47d4-abaa-e713f51d6393

Yubikey FIDO2 AAGUID lists

For an online version from the vendor, see YubiKey Hardware FIDO2 AAGUIDs – Yubico

Product Name or Laser MarkingFirmwareFIDO2 AAGUID
YubiKey 5 (USB-A, No NFC)5.1cb69481e-8ff7-4039-93ec-0a2729a154a8
YubiKey 5 (USB-A, No NFC)5.2, 5.4ee882879-721c-4913-9775-3dfcce97072a
YubiKey 5 NFC5.1fa2b99dc-9e39-4257-8f92-4a30d23c4118
YubiKey 5 NFC5.2, 5.42fc0579f-8113-47ea-b116-bb5a8db9202a
YubiKey 5 NFC FIPS5.4c1f9a0bc-1dd2-404a-b27f-8e29047a43fd
YubiKey 5 Nano5.1cb69481e-8ff7-4039-93ec-0a2729a154a8
YubiKey 5 Nano5.2, 5.4ee882879-721c-4913-9775-3dfcce97072a
YubiKey 5 Nano FIPS5.473bb0cd4-e502-49b8-9c6f-b59445bf720b
YubiKey 5C5.1cb69481e-8ff7-4039-93ec-0a2729a154a8
YubiKey 5C5.2, 5.4ee882879-721c-4913-9775-3dfcce97072a
YubiKey 5C FIPS5.473bb0cd4-e502-49b8-9c6f-b59445bf720b
YubiKey 5C Nano5.1cb69481e-8ff7-4039-93ec-0a2729a154a8
YubiKey 5C Nano5.2, 5.4ee882879-721c-4913-9775-3dfcce97072a
YubiKey 5C Nano FIPS5.473bb0cd4-e502-49b8-9c6f-b59445bf720b
YubiKey 5C NFC5.2, 5.42fc0579f-8113-47ea-b116-bb5a8db9202a
YubiKey 5C NFC FIPS5.4c1f9a0bc-1dd2-404a-b27f-8e29047a43fd
YubiKey 5Ci5.2, 5.4c5ef55ff-ad9a-4b9f-b580-adebafe026d0
YubiKey 5Ci FIPS5.485203421-48f9-4355-9bc8-8a53846e5083
Security Key By Yubico5.1f8a011f3-8c0a-4d15-8006-17111f9edc7d
Security Key By Yubico5.2b92c3f9a-c014-4056-887f-140a2501163b
Security Key NFC5.16d44ba9b-f6ec-2e49-b930-0c8fe920cb73
Security Key NFC5.2149a2021-8ef6-4133-96b8-81f8d5b7f1f5
Per product and interface type

FIDO2 AAGUIDDescription
149a2021-8ef6-4133-96b8-81f8d5b7f1f5Security Key by Yubico with NFC
2fc0579f-8113-47ea-b116-bb5a8db9202aYubiKey 5 Series with NFC
6d44ba9b-f6ec-2e49-b930-0c8fe920cb73Security Key by Yubico with NFC
73bb0cd4-e502-49b8-9c6f-b59445bf720bYubiKey 5 FIPS Series
85203421-48f9-4355-9bc8-8a53846e5083YubiKey 5Ci FIPS
b92c3f9a-c014-4056-887f-140a2501163bSecurity Key by Yubico
c1f9a0bc-1dd2-404a-b27f-8e29047a43fdYubiKey 5 FIPS Series with NFC
c5ef55ff-ad9a-4b9f-b580-adebafe026d0YubiKey 5Ci
cb69481e-8ff7-4039-93ec-0a2729a154a8YubiKey 5 Series
ee882879-721c-4913-9775-3dfcce97072aYubiKey 5 Series
f8a011f3-8c0a-4d15-8006-17111f9edc7dSecurity Key by Yubico
fa2b99dc-9e39-4257-8f92-4a30d23c4118YubiKey 5 Series with NFC
FIDO MDS

TrustKey FIDO2 AAGUID lists

Again, for an on line version from the vendor, see TrustKey Product IDs – Steen Harbach AG

ProductModelVIDPIDAAGUID
G310eFA3100x311F0x4A1A95442b2e-f15e-4def-b270-efb106facb4e
G320eFA3200x311F0x4C2A87dbc5a1-4c94-4dc8-8a47-97d800fd1f3c
T110eTA1100x311F0xA7F9da776f39-f6c8-4a89-b252-1d86137a46ba
T120eTA1200x311F0xA6E9e3512a8a-62ae-11ea-bc55-0242ac130003

Your organization does not allow you to add your account to Microsoft Authenticator

Posted on by
3

Your organization does not allow you to add your account to Microsoft Authenticator

I was testing a bunch of scenarios with passwordless authentication in Azure Active Directory on a weekend. Things were looking good. I created some test accounts and played with a bunch of permutations to see how things behaved, Think about Conditional Access policies in combination with authentication methods, etc. The aim was to have multiple passwordless authentication options per user for redundancy. On top of that, I want to have this for multiple accounts (separation of duties). That latter requirement tripped me up.

I succeeded at most of my goals. But at one moment I received the following error trying to register the Microsoft Authenticator app on my phone for one of my test users. Warning “Account not added” and the message “Your organization does not allow you to add your account to Microsoft Authenticator” What’s going on here?

Your organization does not allow you to add your account to Microsoft Authenticator

Passwordless sign-in with the Microsoft Authenticator app

First of all, before you can create this new strong credential, there are prerequisites. One prerequisite is that you must register the device on which you installed the Microsoft Authenticator app within the Azure AD tenant to an individual user. In that requirement lies the answer to our error message.

Set up phone sign-in
Device Registration and Set screen lock
Your organization does not allow you to add your account to Microsoft Authenticator
I already have this device registered for another account

Currently, you can only register a device in a single tenant. This means you can enable only one work or school account in the Microsoft Authenticator app for passwordless sign-in.

So we can only use our smartphone with the Microsoft Authenticator app in a single-tenant, with a single user. And that’s why I got the error. I already had another test user on that phone set up sign-in without a password. My device is already registered for another user in Azure AD in that tenant. There can be only one.

Do note that you can still use the authenticator app as an MFA method with your password. It is the passwordless scenario that doesn’t work under these conditions.

Achieving my goals

This is annoying when testing but it can also be annoying in real life. I tend to have multiple accounts in an Azure AD. I log in with a different account depending on what work I need to do and what roles/rights this requires. That’s why I like FIDO2 security keys with biometrics as a passwordless option.

What I need is a passwordless solution I can use with multiple accounts in the same and other tenants. That, I can do this with my FIDO2 BioPass security key from FEITIAN just fine. I can register my security key with multiple accounts and be on my way. With one smartphone with the Microsoft Authenticator app installed, you cannot add multiple accounts on the phone for passwordless authentication (device registration) at this moment in time. That’s what the error message means to tell you but the wording confused me for a while.

A VM that would not route

Posted on by
Reply

A VM that would not route

This blog post will address a troubleshooting exercise with a VM (virtual machine) that would not route. As it turned out it had the default gateway set to 0.0.0.0 next to the actual gateway IP address. The VM did its job as the workload it serves is in the same subnet as the client, as it happens in the same subnet of the DC and DNS. This meant it did not lose its trust with Active Directory.

But the admins could not RDP into that VM, nor would it update, But as it did its job, many months went by until it fell too far behind in updates so they could not ignore it anymore. That’s how things go goes in real life.

Finding & fixing the issue

Superficially the configuration of the VM was totally OK. The gateway for the NIC is correct.

Under Advanced we see no other entries that would cause any issues.

But we could not deny that we had a VM that would not route at hand. Let’s figure this out and fix it.

So what does one do? If you don’t trust the CLI, check the GUI, and if you don’t trust the GUI check the CLI. As in the GUI, everything seemed fine we checked via the CLI. Name resolution worked fine, both internally and externally when checking this with nslookup. But actually getting anywhere not on the same subnet was not successful. Naturally, I did check if any forward proxy was in play but that was not the case and, this was an issue for more use cases than HTTP(S).

When I ran ipconfig /all I quickly saw the culprit. We have a Default Gateway entry pointing to 0.0.0.0 next to one for the actual gateway!

So where does that come from? Not from the GUI settings, that we can see. So I ran route print and that show us the root cause

So we needed to drop the route sending traffic for 0.0.0.0 to its own IP address as the gateway. They missed this as it does not show up in the GUI at all.

I dropped all persistent routes for 0.0.0.0 via route delete 0.0.0.0.0 mask 0.0.0.0. I check if this deleted all persistent routes via route print.

At that moment routing won’t work and we need to add the gateway back to the NIC. YOu can use the GUI or route add -p 0.0.0.0 MASK 0.0.0.0 192.168.2.7 IF 9 Once I did that things lit up. We could download and install updates from the WSUS server, they had remote desktop access again. Routing worked again in other words.

How did it happen? Ah, somewhere, somehow, someone added that route. I am not paid to do archeology or forensics in this case so, I did not try to find out the what, when, and why. But my guess is that VM had another NIC at a given time with those setting and they removed it from the Hyper-V setting without cleaning up, leading to that setting being left behind in the routing table leaving a gateway 0.0.0.0 on the NIC that is only visible in via ipconfig /all. Or they have tried to add a gateway manually to address this or another issue.

A final note

When faced with this issue, some folks on the internet will tell you to reset the TCP/IP stack and Winsock with netsh, or add a new NIC with a new IP (dynamically or via DHCP) and dump the old one. But this is all bit drastic. Check the root cause and try to fix that first. You can try drastic measures when all else fails.

IIS and HTTP/3, QUIC, TLS 1.3 in Windows Server 2022

Posted on by
5

IIS and HTTP/3, QUIC, TLS 1.3 in Windows Server 2022

In this blog post, we will show you how to test IIS and HTTP/3, QUIC, TLS 1.3 in Windows Server 2022. As most of you know by now, Microsoft has released Windows Server 2022 on August 18th, 2021. There are a lot of new and interesting capabilities and features. Some of them are only available in Windows Server 2022 Azure edition. The good news is that in contrast to SMB over QUIC, QUIC for IIS is available in any version of Windows Server 2022.

This will not work out of the box, but I will demonstrate how I got it to work.

Getting TLS 1.3 to work

HTTP/3 uses QUIC for its transport, which is based on TLS 1.3 and Windows Server 2022 supports this. This is due to http.sys which leverages msquic. I have written about QUIC in SMB over QUIC Technology | StarWind Blog (starwindsoftware.com) and discussed SMB over QUIC in-depth in SMB over QUIC: How to use it – Part I | StarWind Blog (starwindsoftware.com) and SMB over QUIC: Testing Guide – Part II | StarWind Blog (starwindsoftware.com).

HTTP/3 avoids “head of line” (HOL) blocking at the transport layer even for multiple streams. This is an improvement over HTTP/2 that still suffered from HOL despite heaving multiple streams in a single connection versus multiple connections in HTTP/1.1. As HTTP/3 leverages TLS 1.3 it also benefits from the benefits it offers.

However, you need to opt-in for TLS 1.3 to work. We do that via a registry key. 

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\HTTP\Parameters" /v EnableHttp3 /t REG_DWORD /d 1 /f

Without TLS 1.3 you cannot have QUIC and HTTP/3 used QUIC for its transport. You will need to restart http.sys or restart the server.

Below you see HTTP/2 traffic and it is leveraging TLS 1.3

When you check the certificate in the browser you can see that TLS 1.3 is used.

You can also see TLS 1.3 and TCP in WireShark.

Getting QUIC to work

Now we are not done yet, your while you now will see HTTP/2 traffic use TLS 1.3 you won’t see QUIC yet. For that, we need to add another registry key.

The web service or site will need to advertise it is available over HTTP/3. For this, we can use “Alt-Svc” headers in HTTP/2 responses or via HTTP/2 ALTSVC frames. Clients who connect over HTTP/2 can now learn the service’s HTTP/3 endpoint and, if successful, use HTTP/3.

This process happens by sending an HTTP/3 ALPN (“Application-layer Protocol Negotiation”) identifier along with the HTTP/2 responses. the HTTP3/ALPN advertises a specific version of HTTP/3 that the client can use for future requests.

The HTTP/2 ALTSVC frames can be sent via http.sys. This needs to be enabled via a registry key “EnableAltSvc”.

"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\HTTP\Parameters" /v EnableAltSvc /t REG_DWORD /d 1 /f

Again, you will need to restart http.sys or restart the server.

Start testing HTTP/3

Your IIS server via the http.sys service is now capable of serving content over HTTP/3. To check whether it is working you can use WireShark on both the client and the server to verify the web traffic is using QUIC.

Below you can see QUIC traffic to my IIS server being captured.

IIS and HTTP/3, QUIC, TLS 1.3 in Windows Server 202

You can also check this via your browser’s dev tools. The way to do this differs a bit from browser to browser. Below you find a screenshot from Firefox, this has proven the most reliable browser when it comes to effectively negotiating QUIC. Hit F12, select “Network” and add the protocol column to the view. Watch out for HTTP/2 and HTTP/3.

IIS and HTTP/3, QUIC, TLS 1.3 in Windows Server 202

It will help to hit refresh to make sure HTTP/3 is advertised to the client, which can then leverage it. Sometimes hitting refresh too much seems to break QUIC and then you will fall back to HTTP/2, all be it with TLS 1.3.

Any way that’s it for IIS and HTTP/3, QUIC, TLS 1.3 in Windows Server 2022 for now. I hope to come back to this later.