Microsoft recommending IAP Desktop
Microsoft might not be the premier source of information about Google Cloud, but their cloud security benchmark (MCSB) turns out to provide some sound advice. Continue »
Modern web applications typically use OAuth or OpenID Connect to authenticate users, but older intranet applications often still rely on Integrated Windows Authentication to deliver a single sign-on experience for users. When we migrate such an application to Google Cloud, we must be careful to choose the right load balancer, otherwise authentication might fail in subtle ways. Continue »
When developing applications that use the Google Cloud API, being able to trace and inspect HTTP requests with a tool like Fiddler can be a great debugging aid. But getting Fiddler to work with the Java client libraries can be a bit tricky. Continue »
The first thing we often do after creating a new Windows VM on Google Cloud is join the VM to Active Directory. With the latest IAP Desktop release, that got a little easier. Continue »
When we allow users to use SSH to connect to Linux VMs on Google Cloud, we need to keep track of their public keys, and which VMs they have access to. The latest version of IAP Desktop makes that a little easier. Continue »
IAP Desktop uses a UI that’s similar to Visual Studio – we can dock tool windows, let them auto-hide when we don’t need them, or let them float as separate windows. But that flexibility didn’t apply to RDP windows… until now. Continue »
One of the best ways to store a service account key on Windows is to use a CryptoNG key storage provider. That even works with Java. Continue »
By default, IAP Desktop uses the ssh-rsa public key signature algorithm when authenticating to a Linux VM. That can be a problem in certain situations, which is why the latest version now adds support for ECDSA. Continue »
.NET and .NET Framework don’t provide any methods to export RSA public keys in PEM format. But with some extension methods and a little help from CryptoAPI, we can fill that gap. Continue »
In .NET 5 and 6, we can use RSA.ImportFromPem to import a PEM-formatted RSA public key. Older .NET Core versions and .NET Framework don’t offer that functionality – but with a little help from CryptoAPI, we can fill that gap. Continue »
By using certificate-based authentication, we can let a Google Cloud service account authenticate to AD FS without having to manage any client secrets. Continue »
Using Integrated Windows Authentication (IWA) to authenticate to AD FS not only works for OAuth. We can also use IWA to get SAML 2.0 assertions. Continue »
When an application needs to authenticate to AD FS, we don’t have to use a client secret. Instead, we can let the application use its existing Kerberos or NTLM credentials to authenticate. Continue »
Windows Server licensing is tricky, particularly if your goal is to run Windows Server in the cloud and use existing licenses for it. But if you’re using Google Cloud’s sole-tenant nodes, a new best practices article can offer some help. Continue »
When a web server requires mutual TLS authentication, the default behavior of web browsers is to show a dialog that lets us choose which client certificate we’d like to use. Chrome lets us suppress these prompts by using the AutoSelectCertificateForUrls policy. But documentation is scarce. Continue »
Most browsers support client certificates for mutual TLS authentication. But what is really being authenticated here, the end user, their device, or both? Continue »
By default, installing AD FS requires domain admin access to Active Directory. But it’s possible to deploy AD FS in environments where we don’t have these privileges, like Google Cloud’s Managed Service for Microsoft Active Directory. Continue »
Instead of performing machine-wide installations, some applications do per-user installations. That’s often convenient because we don’t need administrative privileges for such installations. But unfortunately, per-user installations typically don’t work on Windows Server. Continue »
It wasn’t until 2004 that I got broadband internet at home. So I remember the times when downloading a new JDK (which was around 20 MB at the time) over my 56K modem line meant blocking my family’s phone line for 2 hours. Today, bandwidth doesn’t seem like a limiting factor anymore. But that doesn’t mean that download sizes for applications don’t matter. Continue »
Group policies let you control and tweak thousands of Windows settings. But group policies aren’t limited to Windows or Microsoft applications. We can also use group policies to manage custom applications, either by registering a group policy extension for the app, or (more commonly) by using registry-based policies. Continue »