Yeah that shouldn't happen. First thing to check on that would be to ensure there were no saved credentials in Windows Credential Manager that may be trying to conflict. Otherwise, that sounds like a fluke issue and not something normal.
Posts made by zachary715
-
RE: Office365 MFA vs 2FA
I'm not totally sure if an app password is still usable with Modern Auth or not. It sort of defeats the purpose. If you don't want to have to constantly enter the MFA code, you have a couple of options.
- Enable the setting that allows trusted devices to remember authentication up to 60 days before prompting again. This reduces it, but still requires users to verify their session from time to time.
- Enable the Trusted IPs setting for your office to make it so that if users are authenticating from a public IP you specify, it doesn't prompt for MFA. Anything outside that IP does prompt for MFA. I haven't tested this specific setting, but this is how I understand it to work. Not sure if any additional licensing is needed. More info about these first two items found here
- Set up Conditional Access policies that further specify when MFA is and isn't required. This is the ideal solution, but requires additional licensing with at least Azure AD P1 or M365 Business Premium. With Conditional Access, you have a lot of additional controls over these things. More info on Conditional Access here.
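The Conditional Access variant of "no MFA prompt from the office, MFA everywhere else" as an added PowerShell example (not code from the original post or from Microsoft's docs). It assumes Azure AD P1, the Microsoft.Graph.Identity.SignIns and Microsoft.Graph.Users modules, and that Security Defaults is already off (Conditional Access policies cannot coexist with it). The CIDR, the policy name and the break-glass account are placeholders:

```powershell
# Added example: trusted office location + "require MFA outside the office" policy.
# Assumes: Azure AD P1, Microsoft.Graph modules installed, Security Defaults disabled.
# 203.0.113.0/24, 'HQ office egress' and breakglass@example.com are placeholders.
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Users
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'User.Read.All'

# 1. The office public egress range as a trusted named location
$office = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type' = '#microsoft.graph.ipNamedLocation'
    displayName   = 'HQ office egress'
    isTrusted     = $true
    ipRanges      = @(
        @{ '@odata.type' = '#microsoft.graph.iPv4CidrRange'; cidrAddress = '203.0.113.0/24' } # placeholder
    )
}

# 2. Always exclude an emergency (break-glass) account so a bad policy cannot lock everyone out
$breakGlass = (Get-MgUser -UserId 'breakglass@example.com').Id   # placeholder account

# 3. Policy: all users, all cloud apps, every location except the office -> require MFA.
#    Created in report-only mode first so the sign-in log shows who would be prompted
#    before anything is enforced; flip state to 'enabled' after reviewing it.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = 'Require MFA outside HQ'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users        = @{ includeUsers = @('All'); excludeUsers = @($breakGlass) }
        applications = @{ includeApplications = @('All') }
        locations    = @{ includeLocations = @('All'); excludeLocations = @($office.Id) }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
}
```

Excluding the office only removes the prompt; anyone who gets onto the office network (or a compromised device on it) inherits that exemption, so pair the location exclusion with the device/compliance or sign-in-risk conditions Conditional Access offers rather than treating the IP range alone as proof of identity.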
-
RE: 12 yo is learning a bit about Linux and Python.
I have always really liked the Magic Mirror project, but have never stopped to try and actually build it. Would love to see how his turns out when he's done.
-
RE: Office365 MFA vs 2FA
Ok this is all over the place, so let's try to start at the beginning.
- Although MFA and 2FA technically have some differences, for the sake of this conversation they're essentially the same thing.
- In order to use MFA, you require 1) Apps which support Modern Authentication or 2) App Passwords. App Passwords are essentially a workaround to not having compatible software (old Outlook clients) so that you can have MFA enabled.
- The key to successfully using MFA is what's referred to as Modern Authentication. This is enabled by default in new tenants since 2017 I believe. If your tenant was created before this time, then you need to manually enable it in your admin center.
- Outlook on mobile is the required/recommended app because up until recently, it was the only one along with standard iPhone Mail app which supported Modern Authentication. Therefore, if you wanted to be able to generate the MFA code via SMS or Authenticator app, you would need to use Outlook for mobile. I believe GMail now supports it as well as of recently. All other standard e-mail apps for Samsung and other devices currently do not support Modern Authentication.
- To my knowledge, MFA isn't enabled by default in tenants so someone has triggered this for your users inadvertently, possibly by enabling what's called Security Defaults. People probably shouldn't enable things they don't understand the full extent of what they do. That would also explain why users trying to use App Passwords on their phones are getting blocked because I believe Security Defaults disables Basic Authentication, which is what these other e-mail clients are using.
Steps to take:
- Check to see if someone has enabled Security Defaults. Check here for more info on what it is and how to enable/disable it. If it's enabled, consider disabling it for the time being to get everything back working as you're used to.
- Ensure that Modern Authentication is enabled in your tenant. Check here for info about that.
- You need to eventually get to where you're only using Modern Auth and MFA, so you do need to block Basic Authentication (which will happen automatically next year. It was postponed due to Covid-19). Review which devices are still using apps that don't support Modern Authentication via Azure and work to get those users onto apps that are supported. Check here for details.
- Once you've moved everyone to compatible apps that support Modern Auth, you need to disable Basic Auth. Steps can be found here to do so. Without this step, MFA is near useless because Basic Auth methods bypass MFA and so attackers can still breach your accounts.
- Now that you've done all this, you need to review MFA policies and set up how you want your users to be able to receive their codes, whether Authenticator app, SMS, phone call, etc. Once you've decided these things, you can go in and enable MFA for individual users to get a feel for the process before you roll out to others. This gives you the ability to generate some documentation that will make it easier for others so that they know what to expect.
All of this isn't overly complicated, but it does take some additional planning up front. Hopefully that helps alleviate some confusion.
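The checklist above, carried through as an added PowerShell example (not code from the original post): it reads the Security Defaults state, checks and enables Modern Auth, lists who is still signing in over Basic Auth protocols, stages the Basic Auth block on a pilot user before making it the tenant default, and enables per-user MFA for that pilot. It assumes the ExchangeOnlineManagement, Microsoft.Graph and MSOnline modules are installed and that you hold the corresponding admin roles; the policy name and pilot.user@example.com are placeholders.

```powershell
# Added example: audit and stage the tenant changes described in the steps above.
# Assumes ExchangeOnlineManagement, Microsoft.Graph.* and MSOnline modules; admin rights.
# 'Block Basic Auth' and pilot.user@example.com are placeholders.
Import-Module ExchangeOnlineManagement
Import-Module Microsoft.Graph.Identity.SignIns
Import-Module Microsoft.Graph.Reports

Connect-ExchangeOnline
Connect-MgGraph -Scopes 'Policy.Read.All', 'AuditLog.Read.All', 'Directory.Read.All'

# 1. Security Defaults: this is the switch that silently turns on MFA prompts and blocks legacy auth
$sd = Get-MgPolicyIdentitySecurityDefaultEnforcementPolicy
"Security Defaults enabled: $($sd.IsEnabled)"

# 2. Modern Authentication (OAuth2) for Exchange Online; enable it if the tenant predates the default
$org = Get-OrganizationConfig
"Modern Auth enabled: $($org.OAuth2ClientProfileEnabled)"
if (-not $org.OAuth2ClientProfileEnabled) {
    Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
}

# 3. Who still uses Basic Auth? Pull 30 days of sign-ins and keep only legacy client protocols.
#    'Browser' and 'Mobile Apps and Desktop clients' are the modern-auth values and are excluded.
$since  = (Get-Date).AddDays(-30).ToUniversalTime().ToString('yyyy-MM-ddTHH:mm:ssZ')
$legacy = 'Exchange ActiveSync', 'IMAP4', 'POP3', 'Authenticated SMTP', 'Other clients',
          'Exchange Web Services', 'MAPI Over HTTP', 'Offline Address Book',
          'Outlook Anywhere (RPC over HTTP)', 'Exchange Online PowerShell', 'Autodiscover'
$signins = Get-MgAuditLogSignIn -All -Filter "createdDateTime ge $since" |
    Where-Object { $_.ClientAppUsed -in $legacy }
$signins | Group-Object UserPrincipalName, ClientAppUsed |
    Select-Object Count, Name | Sort-Object Count -Descending | Format-Table -AutoSize

# 4. Stage the block. A new authentication policy denies every Basic Auth protocol by default
#    (all AllowBasicAuth* switches are $false unless you set them). Pilot it on one user first.
if (-not (Get-AuthenticationPolicy -Identity 'Block Basic Auth' -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name 'Block Basic Auth'
}
Set-User -Identity 'pilot.user@example.com' -AuthenticationPolicy 'Block Basic Auth'
# Policy assignment can take up to 24 hours to apply; force it for the pilot user now
Set-User -Identity 'pilot.user@example.com' -STSRefreshTokensValidFrom (Get-Date)
# Once the report in step 3 is empty for everyone, make the block the tenant default:
# Set-OrganizationConfig -DefaultAuthenticationPolicy 'Block Basic Auth'

# 5. Per-user MFA for the pilot (legacy MSOnline method; Conditional Access is preferable with P1)
Connect-MsolService
$req = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$req.RelyingParty = '*'
$req.State        = 'Enabled'
Set-MsolUser -UserPrincipalName 'pilot.user@example.com' -StrongAuthenticationRequirements @($req)
```

Run steps 1 to 3 read-only first; the sign-in report is what tells you which mail clients on which phones will break when the policy in step 4 lands, which is exactly the symptom described in the post.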
-
RE: Non-IT News Thread
@Grey said in Non-IT News Thread:
https://www.foxbusiness.com/money/wells-fargo-federal-probe-coronavirus-paycheck-protection-program
I fucking hate Wells. Literally, the worst bank.
Which is hilarious because before the fake account scandal broke a couple years ago, they were the golden boy of the industry. It's crazy how fast they have run their reputation into the ground.
-
RE: Miscellaneous Tech News
@scottalanmiller said in Miscellaneous Tech News:
@black3dynamite said in Miscellaneous Tech News:
Time to update.
First attempt failed...
-
RE: Cannot access USB drive
See if this registry key is present and what it is set to...
HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\System
Name: AllowStorageCard
Type: DWORD
Value: 0 for block, 1 for allow
-
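A check for the key above as an added PowerShell example (not code from the original post). It distinguishes "key absent" from an explicit 0 or 1, and goes beyond the post by also reading the two other places a USB storage block commonly comes from: the USBSTOR driver service being disabled, and the Group Policy "Removable Disks: Deny all access" setting.

```powershell
# Added example: report the removable-storage policy state on the local machine.
# Covers the Policy CSP key from the post plus the USBSTOR service and the
# RemovableStorageDevices GPO key (Removable Disks class GUID).
function Get-RemovableStoragePolicyState {
    $result = [ordered]@{}

    # a) MDM / Policy CSP System/AllowStorageCard: 0 blocks, 1 allows, absent = not managed
    $cspPath = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\System'
    $csp = Get-ItemProperty -Path $cspPath -Name AllowStorageCard -ErrorAction SilentlyContinue
    if ($null -eq $csp)                        { $result['AllowStorageCard'] = 'not set' }
    elseif ($csp.AllowStorageCard -eq 0)       { $result['AllowStorageCard'] = 'BLOCKED (0)' }
    elseif ($csp.AllowStorageCard -eq 1)       { $result['AllowStorageCard'] = 'allowed (1)' }
    else { $result['AllowStorageCard'] = "unexpected value $($csp.AllowStorageCard)" }

    # b) USBSTOR service: Start = 4 (disabled) means USB mass storage never enumerates at all
    $usb = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' -Name Start -ErrorAction SilentlyContinue
    if ($null -eq $usb)          { $result['USBSTOR Start'] = 'not set' }
    elseif ($usb.Start -eq 4)    { $result['USBSTOR Start'] = 'DISABLED (4)' }
    else                         { $result['USBSTOR Start'] = "$($usb.Start) (3 = manual, the normal value)" }

    # c) Group Policy: Removable Disks device class, Deny_All / Deny_Read / Deny_Write (1 = deny)
    $gpoPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
    $gpo = Get-ItemProperty -Path $gpoPath -ErrorAction SilentlyContinue
    if ($null -eq $gpo) { $result['GPO Removable Disks'] = 'not set' }
    else { $result['GPO Removable Disks'] = "Deny_All=$($gpo.Deny_All) Deny_Read=$($gpo.Deny_Read) Deny_Write=$($gpo.Deny_Write)" }

    [pscustomobject]$result
}

Get-RemovableStoragePolicyState | Format-List
```

If all three come back "not set" the block is not coming from policy and the problem is lower down (driver, drive letter, BitLocker To Go prompt hidden behind another window, or a dead port).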
RE: Non-IT News Thread
@scottalanmiller Mississippi will be next. A lot of people here think it's a conspiracy to hurt Trump during the election or to take away freedoms, etc. People I would otherwise consider somewhat intellectual people. It's wild.
-
RE: Outbound Email group terminology
Sounds to me like Shared Mailbox is what you want. Create the mailbox [email protected] and then give the necessary users permission. Then from within Outlook or web they should see a separate mailbox for that e-mail account that they all can share and work out of.
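The shared mailbox setup described above as an added PowerShell example (not code from the original post). It assumes the ExchangeOnlineManagement module and Exchange admin rights; the alias and user UPNs are placeholders. Full Access lets the users open the mailbox, Send As lets them send from its address, and the final setting keeps a copy of mail sent "as" the mailbox in its own Sent Items so the whole team sees the outbound history.

```powershell
# Added example: create a shared mailbox and grant a team read + send-as access.
# Assumes ExchangeOnlineManagement; 'sales', alice@ and bob@ are placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline

$shared = 'sales'                                  # alias of the shared mailbox
$users  = 'alice@example.com', 'bob@example.com'   # people who work out of it

if (-not (Get-Mailbox -Identity $shared -ErrorAction SilentlyContinue)) {
    # A shared mailbox needs no license (up to 50 GB) and its own account stays sign-in
    # disabled, so there is no extra password to phish or to enrol in MFA.
    New-Mailbox -Shared -Name $shared -DisplayName 'Sales' -Alias $shared
}

foreach ($u in $users) {
    # Full Access with AutoMapping: Outlook adds the mailbox as a second store automatically
    Add-MailboxPermission -Identity $shared -User $u -AccessRights FullAccess -InheritanceType All -AutoMapping $true
    # Send As: outbound mail carries the shared address, not the individual's
    Add-RecipientPermission -Identity $shared -Trustee $u -AccessRights SendAs -Confirm:$false
}

# Keep a copy of every message sent "as" the mailbox in the shared Sent Items folder
Set-Mailbox -Identity $shared -MessageCopyForSentAsEnabled $true

# Verify: who can read, who can send (filter out the built-in SELF / system entries)
Get-MailboxPermission -Identity $shared |
    Where-Object { $_.User -notlike 'NT AUTHORITY\*' } | Format-Table User, AccessRights
Get-RecipientPermission -Identity $shared |
    Where-Object { $_.Trustee -notlike 'NT AUTHORITY\*' } | Format-Table Trustee, AccessRights
```

Review the two permission lists whenever someone leaves the team; Full Access and Send As are granted per user and do not go away when a distribution group membership changes.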
-
RE: Printers - IP or WSD
@Dashrender said in Printers - IP or WSD:
@zachary715 said in Printers - IP or WSD:
No sorry I missed the print server part. I did away with that thing when I first took over. Our printer fleet of about 25 is small enough to manage without it so I'm just going straight to the device.
Again, it's essentially the DNS name which is either BRN for wired or BRW for wireless followed by mac address. It's what populates automatically in the DNS server when connected and then I just create the reservation where I want it. Print management is a breeze these days.
Allllllrighty then.
something for me to consider.
I wonder if I can deploy non server based printers in GPO to direct printers. The main issue becomes deploying drivers then.
How did you handle that?
Also, without a print server, how do you prevent people from printing color - if you had that concern? I deploy two printers - one with a color driver and one with a Black only driver - and those that don't have color access don't get that printer.
So I typically just deploy printer drivers whenever I initially set up the computer, or whenever a new printer is purchased. I do this manually and just install the latest driver from Brother. I typically set up at least one or two backup printers in case they have issues with their primary.
As far as printing color vs black, 90% of our printers are black only, and of the ones that are color, I typically default them to black and white and tell them if they need color that they'll need to specify each time that they want it. Works well enough for us.
-
RE: Printers - IP or WSD
No sorry I missed the print server part. I did away with that thing when I first took over. Our printer fleet of about 25 is small enough to manage without it so I'm just going straight to the device.
Again, it's essentially the DNS name which is either BRN for wired or BRW for wireless followed by mac address. It's what populates automatically in the DNS server when connected and then I just create the reservation where I want it. Print management is a breeze these days.
-
RE: Printers - IP or WSD
We use mostly Brother printers and with those we set it to the node name, which is essentially its DNS address (BRN########). I do still set DHCP reservations for printers just because I like to have things organized, but this would allow for the IP address to change and the printer to continue functioning.
How do I know? We went through an IP address scheme change last year after being purchased and after converting everything, printing resumed as normal without intervention. Would have really sucked if they were all static.
-
RE: Webex vs. Microsoft Teams + FreePBX conference
@bnrstnr said in Webex vs. Microsoft Teams + FreePBX conference:
One thing I didn't like about teams is that you have to install a client to attend the meeting, which is the same for Webex and just about every other major solution if I remember correctly.
I just attended a Teams meeting today and it didn't require I install anything. Joined via web browser.
-
RE: Miscellaneous Tech News
@Obsolesce said in Miscellaneous Tech News:
@Dashrender said in Miscellaneous Tech News:
@scottalanmiller said in Miscellaneous Tech News:
@Dashrender said in Miscellaneous Tech News:
@mlnews said in Miscellaneous Tech News:
Slack isn’t worried about Microsoft’s big Teams push
Slack’s CEO compares Microsoft’s Teams bundling to Google+
Microsoft revealed last week that it now has more than 13 million people using its Microsoft Teams chat software, a milestone that means the app has overtaken Slack.
It's hard not to agree. Actual engagement is the only thing that matters.
Actually, it's businesses being willing to pay for the service is all that matters.
It’s not something you pay extra for since it’s bundled with O365.
You are.
If you want Slack, it's not because you also want Google Sheets or Zimbra email with XYZ. It's because you want Slack because of what business needs it covers.
Slack is $6-$12 per user per month.
If you just want MS Teams (which is a legit need by the way), too bad, you also have to pay for other stuff you may or may not need or use.
MS Teams will cost you $5, which is cheaper than Slack, which does NOT include Office or Office Suite, but does include Exchange... whether or not you need it. To get Office, it's a minimum of $12.50 for Business Premium (< 300 users). Otherwise, you're buying enterprise O365 licenses which just goes up.
If you're an organization who is already utilizing Office 365 in any fashion, it makes sense to thoroughly vet Teams before its alternatives since it's bundled in. That's the part that will hurt Slack the most: organizations who "force" themselves into using Teams since it's already included in their O365 subscription rather than looking at paying additional for Slack.
-
RE: How to authenticate via AD to non-domain server
@wirestyle22 said in How to authenticate via AD to non-domain server:
@zachary715 Def report back. I'm curious.
Just finished fresh 16.04 install. Installed bookstack via their install script. Added server to AD via http://ricktbaker.com/2017/11/08/ubuntu-16-with-active-directory-connectivity/. Same results. I'm missing something.
-
RE: How to authenticate via AD to non-domain server
@wirestyle22 said in How to authenticate via AD to non-domain server:
@zachary715 that may not be a graceful upgrade. I haven't compared. I know a lot changed with 18.04. I'd be willing to do it but it's dependent on whether or not my vxrail servers explode again or not. Nothing like multiple millions of dollars worth of hardware having issues to keep you up at night
Haha no worries then. I'm going to install it on 16.04 and see if it works. If it does, then I'll upgrade to 18.04 and see what happens.
-
RE: How to authenticate via AD to non-domain server
Yeah I've gone back to Ubuntu's documentation and even added some of the things for AD join that the other tutorial didn't mention, and still no luck. What a pain. I may spin up a 16.04 server and see if I can get that to work.
@wirestyle22 If you have time and can make a clone of your bookstack install and upgrade it to 18.04 and test, that might be helpful as well.
-
RE: How to authenticate via AD to non-domain server
@wirestyle22 said in How to authenticate via AD to non-domain server:
@zachary715 Try using your hostname without the port specified for
LDAP_SERVER=
Same results...
-
RE: How to authenticate via AD to non-domain server
@wirestyle22 said in How to authenticate via AD to non-domain server:
@zachary715 post your .env file
I followed the thread you and @dbeato were discussing setting it up, so I'm assuming you have it running and authenticating. If you specify machines in AD via Log On To, can you still have them log in?
-
RE: How to authenticate via AD to non-domain server
# Database details
DB_HOST=localhost
DB_DATABASE=bookstack
DB_USERNAME=bookstack
DB_PASSWORD=PASSWORD

# Mail system to use
# Can be 'smtp', 'mail' or 'sendmail'
MAIL_DRIVER=smtp

# SMTP mail options
MAIL_HOST=localhost
MAIL_PORT=1025
MAIL_USERNAME=null
MAIL_PASSWORD=null
MAIL_ENCRYPTION=null

# General auth
AUTH_METHOD=ldap

# The LDAP host, Adding a port is optional
# Note: plain LDAP on 389 sends the bind password unencrypted on the wire;
# the ldaps:// form below avoids that.
LDAP_SERVER=10.10.168.10:389
# If using LDAP over SSL you should also define the protocol:
# LDAP_SERVER=ldaps://example.com:636

# The base DN from where users will be searched within
LDAP_BASE_DN=dc=domain,dc=local

# The full DN and password of the user used to search the server
# Can both be left as false to bind anonymously
LDAP_DN=[email protected]
LDAP_PASS=Password

# A filter to use when searching for users
# The user-provided user-name used to replace any occurrences of '${user}'
LDAP_USER_FILTER=(&(sAMAccountName=${user}))

# Set the LDAP version to use when connecting to the server
LDAP_VERSION=3

# Set the default 'email' attribute. Defaults to 'mail'
LDAP_EMAIL_ATTRIBUTE=mail

# Set the property to use for a user's display name. Defaults to 'cn'
LDAP_DISPLAY_NAME_ATTRIBUTE=cn