Woolnough

PingFederate 8 and the JCE

TL;DR: It's a good idea to install the JCE.

Installing the Java Cryptography Extension (JCE) is highly recommended if your country's laws permit its importation and use, for two reasons: adherence to standards and interoperability. There's some pretty cool stuff being developed by those who don't care too much for interoperability, but for those of us in the Enterprise Identity Management space, it's essential.

Java 8 gives you basic crypto, but includes limits on maximum key sizes. The following table provides a quick summary.

Copying VHDs from one Azure subscription to another

There comes a time when you need to move VHDs between Azure subscriptions. You have the option of downloading the VHD locally, but at around 120GB in size, it could take a while.

There are also tools you can purchase, such as Cerebrata's Azure Management Studio, for direct subscription-to-subscription copy, but at around $195 USD for a single license, some might find it a little pricey.

This script provides an alternative method for performing a direct subscription-to-subscription copy using only PowerShell.
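As an added illustration (not the author's script), the following PowerShell performs the same kind of server-side blob copy between two storage accounts that belong to different subscriptions. It assumes the Az.Storage module is installed; the account names, keys, container and VHD names are placeholders.

```powershell
# Added example (not the author's script): server-side copy of a VHD blob from a
# storage account in one subscription to a storage account in another, using the
# Az.Storage module. All names and keys below are placeholders.

$srcAccount   = 'sourcestorageacct'      # placeholder
$srcKey       = '<source-account-key>'   # placeholder, treat as a secret
$srcContainer = 'vhds'
$vhdName      = 'myserver-osdisk.vhd'    # placeholder

$dstAccount   = 'deststorageacct'        # placeholder
$dstKey       = '<dest-account-key>'     # placeholder, treat as a secret
$dstContainer = 'vhds'

# Storage contexts authenticate directly against each account, so no subscription
# switching is needed and the bytes move inside Azure rather than through your PC.
$srcCtx = New-AzStorageContext -StorageAccountName $srcAccount -StorageAccountKey $srcKey
$dstCtx = New-AzStorageContext -StorageAccountName $dstAccount -StorageAccountKey $dstKey

# Make sure the destination container exists before starting the copy.
if (-not (Get-AzStorageContainer -Name $dstContainer -Context $dstCtx -ErrorAction SilentlyContinue)) {
    New-AzStorageContainer -Name $dstContainer -Context $dstCtx | Out-Null
}

# Kick off the asynchronous server-side copy.
Start-AzStorageBlobCopy -SrcContainer $srcContainer -SrcBlob $vhdName -Context $srcCtx `
                        -DestContainer $dstContainer -DestBlob $vhdName -DestContext $dstCtx | Out-Null

# Poll the copy state until it leaves 'Pending', reporting progress as it goes.
do {
    $state = Get-AzStorageBlobCopyState -Container $dstContainer -Blob $vhdName -Context $dstCtx
    Write-Host ("{0}: {1}/{2} bytes" -f $state.Status, $state.BytesCopied, $state.TotalBytes)
    if ($state.Status -eq 'Pending') { Start-Sleep -Seconds 30 }
} while ($state.Status -eq 'Pending')

if ($state.Status -ne 'Success') {
    throw "Copy of $vhdName ended with status $($state.Status)"
}
```

Because the copy is server-side, a 120GB VHD never touches the local machine. The account keys grant full control of each storage account, so keep them out of scripts checked into source control; a read-only, time-limited SAS for the source container is the more tightly scoped alternative where your process allows it.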

PingFederate and Active Directory Kerberos Tokens

An old AD issue that pops up from time to time is Kerberos token bloat. In a nutshell, the more AD groups you're a member of, the bigger your Kerberos token. Eventually your token gets too big and stuff breaks.

In the most common use case, when you attempt to access a web site, the Kerberos token is encoded and placed in the Authorization header of the Internet Explorer HTTP request.

Servers receiving the HTTP request have a MaxTokenSize configured. Historically the MaxTokenSize was 12k. With Server 2012, this was bumped up to 48k - the maximum possible, constrained by the HTTP protocol. Some older documentation refers to 65535 bytes, but this advice didn't take into account that the Kerberos token is Base64 encoded, which adds to the length of the token.

PingFederate is configured with a header size of 8K. When integrating with a Kerberos forest, we're typically upping this to 48K, in line with Windows 2012+.

Unblocking DLLs

NTFS Alternate Data Streams (ADS) provide the mechanism Microsoft uses to block the execution of downloaded DLLs. This is a security mechanism that was first introduced in XP SP2 and Windows 2003 SP1. More info here. Alternate data streams are also a popular way for hackers to hide files from administrators.

The typical method used to remove the offending ADS is to right-click the DLL, select Properties and then click Unblock. This can become tedious if there are a lot of DLLs to unblock, or if it needs to be done frequently.
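As an added example (not code from the original post), this PowerShell does the same job in bulk: it lists which DLLs under a folder carry the Zone.Identifier stream, shows the zone they were tagged with so you can see where each file came from before trusting it, and then removes the stream. It assumes PowerShell 3.0 or later (for the -Stream parameters); the folder path is a placeholder.

```powershell
# Added example (not from the original post): inspect and remove the Zone.Identifier
# alternate data stream that Windows uses to mark downloaded files as blocked.
# Assumes PowerShell 3.0+ for -Stream support. $Folder is a placeholder path.

param(
    [string]$Folder = 'C:\Path\To\Dlls',   # placeholder, adjust to your DLL folder
    [switch]$WhatIf                        # pass -WhatIf to only report, not unblock
)

# 1. Find DLLs that have a Zone.Identifier stream attached.
$blocked = Get-ChildItem -Path $Folder -Filter *.dll -Recurse -File |
    Where-Object {
        (Get-Item -Path $_.FullName -Stream * -ErrorAction SilentlyContinue).Stream -contains 'Zone.Identifier'
    }

# 2. Show the stream contents. ZoneId=3 is the Internet zone, ZoneId=4 is
#    Restricted Sites; these are the origins that cause the block. Newer Windows
#    versions also record HostUrl/ReferrerUrl, which tells you where it was downloaded from.
foreach ($dll in $blocked) {
    $zone = Get-Content -Path $dll.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue
    Write-Host ("{0}`n  {1}" -f $dll.FullName, ($zone -join ' | '))
}

# 3. Remove the mark. Unblock-File deletes the Zone.Identifier stream, which is
#    exactly what the Properties > Unblock button does. With -WhatIf nothing changes.
$blocked | Unblock-File -WhatIf:$WhatIf

Write-Host ("{0} DLL(s) processed." -f @($blocked).Count)
```

Run it once with -WhatIf to review the origins before unblocking; files tagged from an unexpected host are worth checking before the mark is removed. Remove-Item -Path <file> -Stream Zone.Identifier achieves the same removal if you need to target a single file by hand.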