Android Xamarin App- Sign your app using a keystore in a Release Pipeline

To sign your Xamarin Android app using Visual Studio, you can use the keystore setings in the project properties. This will generate a jks file for Windows.

See Compile steps: https://docs.microsoft.com/en-us/xamarin/android/deploy-test/release-prep/?tabs=windows#compile

Then continue to these steps to export the JKS file: https://docs.microsoft.com/en-us/xamarin/android/deploy-test/signing/?tabs=windows

Once you export the app, you can copy the file: C:\Users\EricSchrader\AppData\Local\Xamarin\Mono for Android\Keystore\DevOps

Click Secure Files in Azure DevOps pipeline for your project:

Select your keystore file

Now you can upload the keystore file to Azure DevOps Pipeline:

Then you can update the build pipeline to use the keystore file and password (password stored in Library variable for security)

Then simply run the build and grant access to the Variables group.

Azure VM Remote Desktop error- CredSSP encryption oracle remediation

I ran into an issue where I could not Remote Desktop to my Azure VM and was getting this error:

Remote Desktop Connection
An authentication error has occurred.
The function requested is not supported

Remote computer: 13.64.xx.xxx
This could be due to CredSSP encryption oracle remediation.
For more information, see https://go.microsoft.com/fwlink/?linkid=866660

The issue was a March 2018 security update patch that was applied to my CLIENT computer, so I cannot connect to the Azure SERVER Windows Server 2012 R2 Datacenter VM that has not had updates applied recently.

https://blogs.technet.microsoft.com/mckittrick/unable-to-rdp-to-virtual-machine-credssp-encryption-oracle-remediation/

Examples:
1.       If the client is updated and you try to RDP to an Azure VM that was not updated, then it will be blocked and see the error message.
2.       If the client is not patched while server is updated, RDP can still work. But the session will be exposed to the attack.
3.       If both client & server are patched with default setting (Mitigated), RDP will work in a secure way.

I really could not find a solution anywhere that worked. Just a bunch of links to archaic Windows Updates websites from the early 2000’s (reminds me how far we came)

Solution

The solution is to Uninstall the KB on your CLIENT computer so you can install the KB on your SERVER VMs, then you can reinstall the KB on your CLIENT if you would like.

Detailed Steps

I UNINSTALLED the KB4103721 from my Windows 10 machine, so I could patch my VM’s and rebooted.
I RDP’ed from my CLIENT to each SERVER that was not patched, and installed the patch (note a different OS so a different KB patch)
Applied Installed a KB on each SERVER and rebooted http://www.catalog.update.microsoft.com/Search.aspx?q=KB4103715
On my CLIENT Windows 10 PC, I reinstalled the KB
1. Go to https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2018-0886 and find your OS, then click Security Update
3. Continue to download the appropriate patch (https://www.catalog.update.microsoft.com/Search.aspx?q=KB4103721)
5. Once downloaded, install the KB

That’s it! I could not find an easy explanation of what KB to uninstall and which one to install.

A side note, if I enabled automatic updates, I think this wouldn’t have happened. My SharePoint VMs are not patched automatically since they are Dev machines.

Hope this helps.

SharePoint Online Azure AD B2B – Custom email invites for users using PowerShell

Big changes have been happening with External User sharing for SharePoint Online over the past few months now that Azure Active Directory Business to Business (Azure AD B2B) is now generally available. Azure AD B2B allows you to share Office 365 content and line of business applications to users outside your organization. If you are new to Azure AD B2B, watch this great intro on this page: https://docs.microsoft.com/en-us/azure/active-directory/active-directory-b2b-what-is-azure-ad-b2b

The drawback however is the user onboarding process. Security groups, permissions, user onboarding, administration, the cumbersome 4-6 step user invite process to accept and signup/sign-in to your site, etc. make it difficult to see a good OOTB solution. However, after reading most of the Azure AD B2B articles and working with Microsoft support, I have found an improved (not perfect) process for inviting users and allowing them to sign up for a Microsoft account.

This script will:

Import your users from a CSV file
Add them to an Office 365 security group (that is permissioned to your app or SharePoint Online site)
Send them a custom email message with the invite link that fully supports HTML

The goal of this script is to make it easier on the user so they see a custom email and not a generic Office 365 Azure AD email (after all, the users have no clue what Azure AD is)

Administration- CSV import file

When inviting the users, create a CSV file in the following format:

InvitedUserEmailAddress	Name
[email protected]	Eric Schrader (Company Optional)
[email protected]	Eric Schrader
Etc.

Above, the first row is the CSV headers which we will reference in PowerShell during the import. The following rows are the actual users valid email where the invite will be sent (but we will intercept this email, so this will just be used as the users identity so we know how to email them in the future). Long story, but the invited email doesn’t have to match the Personal/Organizational account they sign in as, but for this blog post they will match so we don’t get confused with Authorization vs Authentication.

Administration- Create a Security group and set SharePoint Online permissions

The next step is so you don’t have to go into SharePoint Online sites and add each users’ permissions manually.

Similar to AD groups, create an Office 365 Security Group in the O365 Users > Groups admin center.
Add the AD group to SharePoint and set any read/write permissions this group will have (so maybe your group is called External Users and they are read only to the root site, then another called External Members with contribute permissions, etc.

Once we import the CSV of users, we will have to add the new users to the O365 groups accordingly.

PowerShell time!

Be sure to install the Azure AD PS module – https://www.powershellgallery.com/packages/AzureADPreview Otherwise, you cannot run these commands.

Get the ID of your security group

Get the security group name you want the external users to automatically be added to:

get-azureadgroup | where-object {$_.DisplayName -ilike “External Users”}

(replace External Users with the name of your Security group you want the users to be added to)

Then copy the Object ID for the group and save this for our script.

The whole enchilada

#1.) Install Azure AD PS module – https://www.powershellgallery.com/packages/AzureADPreview
#Install-Module -Name AzureADPreview

#2.) provide O365 tenant admin cred

$cred = Get-Credential

Connect-AzureAD -Credential $cred

#2.a) second cred for O365 email account (merge var with above if for non-demo O365 tenant)

$adminemailcred = get-credential

#2.b) External User Security Group ID

#get-azureadgroup | where-object {$_.DisplayName -ilike “External Users”}

$groupID = “c9a04711-e307-4370-af42-f48db58f80c5”

#3.) import CSV, update url and csv location below.

$invitations = import-csv C:\azure_ad_b2b.csv

foreach ($email in $invitations) {

#loop over each user in the CSV and create an invite for that user but does not email the user

$result= New-AzureADMSInvitation -InvitedUserEmailAddress $email.InvitedUserEmailAddress -InvitedUserDisplayName $email.Name -InviteRedirectUrl https://mycompanyhere.sharepoint.com/sites/extranet -InvitedUserMessageInfo $messageInfo -SendInvitationMessage $false

$inviteurl = $result.InviteRedeemUrl

$userid = $result.InvitedUser.Id

#automatically add the new user to your Security Group

Add-AzureADGroupMember -ObjectId $groupID -RefObjectId $userid

#send the user a custom email from your Office 365 tenant. Supports HTML.

#Configuration variables for Email#Configuration variables for Email $EmailTo = $result.InvitedUserEmailAddress
$EmailFrom = “Eric Schrader <[email protected]>”
$EmailSubject = “INVITE: Eschrader Extranet”
$SupportEmail = “[email protected]”
$SmtpServer = “smtp.office365.com”
$InviteUrl = $inviteurl
$DisplayName = $result.Name

#HTML Template $EmailBody = @”
<header>
<img src=”https://eschrader.com/wp-content/uploads/2017/05/sileo-logo.png” />
</header>

Congrats $DisplayName,

You have been invited to access the Eschrader extranet.

</p> <p> If you need further assistance, please contact us <a href=”mailto:$SupportEmail”>$SupportEmail</a> </p>
</div>
“@
Send-MailMessage -To $EmailTo -from $EmailFrom -Subject $EmailSubject -Body $EmailBody -BodyAsHtml -smtpserver $SmtpServer -usessl -Credential $adminemailcred -Port 587

}

Note, above HTML was stripped out of my email template. Here is a PasteBin: https://pastebin.com/e1ziPq9U

In the above script,

Note that #2 and #2a can be combined to just prompt you once. I had to use two because I have two O365 tenants, one is a demo tenant that does not support email and the other is my personal O365 tenant I send the email from.
YOU WILL NEED TO REPLACE A LOT OF THE HARD-CODED VARIABLES ABOVE IN THE SCRIPT. LOOK CLOSELY.
Watch out for the fancy quotes

Here is an example email I sent myself to test (I put the access ID for my demo tenant and accepted it, so don’t bother typing it out haha)

If you want to embed images in the HTML message, I believe send-mailmessage has an “attachments” and “-inline attachments” parameter as outlined in this script, which can easily be adapted to your email template https://gallery.technet.microsoft.com/scriptcenter/Send-MailMessage-3a920a6d

You can also add other columns to the CSV file for send-mailmessage such as company, group ID, etc. and really build this script out.

There are lots of hard coded variables, as this is a rough script. Feel free to clean it up!

Links:

Azure AD User/Group PowerShell commands: https://docs.microsoft.com/en-us/powershell/module/Azuread/?view=azureadps-2.0

Send email from Office 365 in PowerShell: https://absolute-sharepoint.com/2016/03/send-email-from-powershell-in-office-365.html

Azure AD B2B invite process overview (OOTB, not PowerShell): https://docs.microsoft.com/en-us/azure/active-directory/active-directory-b2b-invitation-email

A good import script using a different CSV format, a good read: http://artokai.net/2016/SPOnlineAndAzureB2B/

Using Visual Studio Team Services build tasks for Linux over SSH

We use Visual Studio Team Services for source code on a LAMP stack Azure VM. When deploying via VS TS and copying the files over SSH through VS TS, I had a few challenges to automate the build/deployment process. Here is how I set things up.

Check your files into source control (PHP files, web assets, etc.)
1. I manually configured the deployment of 4 environment VMs for Dev, INT, STG, PRD using 4 instances of Azure Ubuntu Linux VMs.
2. I manually deployed machine specific content, such as config files to the server. I later filter these files out of the deployment if they are in the web root. For security, I keep these files outside of the web root.

Create Build definition (one for each environment, DEV, INT, STG, PRD)

Use an Empty Process
2. Under Get Sources, say This Project and chose the repository.
3. Add a task to Copy files securely over SSH
5. On the SSH endpoint, click the gear to configure your endpoints:
6. Add SSH endpoints with your key file and IP, etc.
8. Select your endpoint and apply chose your web root from your project under Source Folder. Also, under Contents, apply any filters: (below, ** is everything, then we filter out files/folders using !**/)
  
  I use the following filter examples:
  **
  !**/old_code/*
  !**/old/file.txt
I added two SSH commands to set permissions before/after the copy
You can choose a Shell Script and provide environment specific variables, such as a user.
I have my resetperms.sh script in Source Control as well. This uses the same user as VS uses to overwrite files, then after the deployment, I use a second script to set my special permissions. The second script I will not post since it is specific to my application, and for security reasons. $1 is the argument I pass in for the user, who I set as owner recursively for all web files during deployment.

#!/bin/bash
# Reset permissions before TFS deployment
echo “Reset permissions before TFS deployment”
if [ “$1” != “” ]; then
echo “Ready, Positional parameter 1 contains user $1”
echo “Resetting permissions to $1 for TFS deployment”
sudo chown -R “$1″:”$1” /var/www/html
else
echo “Fail, Positional parameter 1 is empty. Please pass in the environments user”
fi

One important note, on Windows when I created the script as resetperms.sh in NotePad++, you have to go to Edit -> EOL Conversion (thanks to this article http://stackoverflow.com/questions/8195839/choose-newline-character-in-notepad )
Otherwise, you will get the following error:

Build
./resetperms.sh: line 2: $’\r’: command not found
./resetperms.sh: line 10: syntax error: unexpected end of file
Command failed with errors on remote machine.

That’s it, then save and queue a new build!

Much easier than copying files via FTP. Now I can click a button and update my application in each environment. Next steps are to automate the testing, release process.

More on SSH with Visual Studio Team Services https://www.visualstudio.com/en-us/docs/build/steps/deploy/ssh

Note: you can also have a build definition trigger the release definition to copy the files over SSH, etc. This is the way the Azure Portal sets up Continuous Delivery for Web Apps.

Azure Linux Ubuntu disk space full

I noticed our dev team had some issues with our disk space on an Azure VM saying the disk was full. I saw something in Linux called dev/sba1 that was taking up all my space and my disk was full. Why was my Linux storage space low?

Our website is only 5-6GB in size, so I knew something was wrong. Our VM in Azure is a DS12v2 with 56GB ram and 128GB SSD.

We are running the Ubuntu 14 OS image from Azure and are using it as an Apache web host.

When I ran a “df” (Disk Filesystem) command to check the free space, one of the volumes was huge and at 97%

$ sudo df -h

Filesystem Size Used Avail Use% Mounted on

udev 28G 12K 28G 1% /dev

tmpfs 5.6G 432K 5.6G 1% /run

/dev/sda1 29G 27G 1.1G 97% /

none 4.0K 0 4.0K 0% /sys/fs/cgroup

none 5.0M 0 5.0M 0% /run/lock

none 28G 0 28G 0% /run/shm

none 100M 0 100M 0% /run/user

none 64K 0 64K 0% /etc/network/interfaces.dynamic.d

/dev/sdb1 111G 60M 105G 1% /mnt

Run a sudo df -h (h stands for human readable)

I am still not 100% clear on this, but some of these above results are different disk partitions that are mounted via symbolic names, similar to how a disk in Windows can be partitioned into C, D drives, etc.

The Azure VM had one OS VHD assigned to it, which should be 128GB.

So, I focused in on the /dev/sda1 filesystem. I had no clue what this was at first, but after looking into it, it might be my VHD mounted to my VM’s primary root drive (/). (Please correct me if I am wrong). In “sda1“, The “sd” stands for SCSI device (which is now any attached device, could be USB, SATA, IDE, etc.), the “a” stands for the attached device order (a is first, b is the second device, etc.) and the “1” indicates the partition on that device (think of a hard drive partitioned into 1, 2, 3 different partitions.) (thanks to this article for the explanation http://superuser.com/questions/558156/what-does-dev-sda-for-linux-mean)

For me, I only have one sd device and one partition, so I assume that’s my Azure VM OS VHD that should have been 128GB. But why was it only 29GB?

WELL! All Linux OS vm partitions come as 30GB allocated.

How do I get all my GB’s? Add a second drive for my data? No, just resize the primary partition.

I read this article (https://blogs.msdn.microsoft.com/cloud_solution_architect/2016/05/24/step-by-step-how-to-resize-a-linux-vm-os-disk-in-azure-arm/) about resizing an Azure VHD and thought “ooh God, I am going to scrap my entire OS partitions data if this goes wrong or if I get stuck in these steps…” but after reading the top, UBUNTU automatically resizes the Linux partition on boot! YES! All I have to do is reboot! But, I just rebooted and that didn’t resize the partition….

The Problem: When browsing the Azure portal, I noticed my VM disk size was blank, and where I could select 128/256 or 512GB, none were selected. So, I thought “maybe Azure doesn’t automatically define a default OS disk size of 128GB since machine sizes can go up or down dynamically.”

These machines will have 128GB OS disks allocated to them, so I wanted to set them to the full 128GB (I can go up in size, but not down).

Problem: my OS disk size is not selected, so Ubuntu cannot automatically resize the partition (I think the VHD is dynamically allocated at this point)

Solution: How to add more space in the Azure Portal easily with a Linux Ubuntu VM

Turn off the VM
Select the disk size for the OS disk (I used 128GB)
Turn it on.

BAM! You now have more space.

Run the “df -h” command again after the VM comes back online and see a 126GB of space at the root! Done!

$ sudo df -h

Filesystem Size Used Avail Use% Mounted on

udev 28G 12K 28G 1% /dev

tmpfs 5.6G 416K 5.6G 1% /run

/dev/sda1 126G 5.8G 116G 5% /

none 4.0K 0 4.0K 0% /sys/fs/cgroup

none 5.0M 0 5.0M 0% /run/lock

none 28G 0 28G 0% /run/shm

none 100M 0 100M 0% /run/user

none 64K 0 64K 0% /etc/network/interfaces.dynamic.d

/dev/sdb1 111G 60M 105G 1% /mnt

If you don’t have Ubuntu, you have more steps to do to resize the Linux OS partition. I haven’t done it, but this seems like a good place to start: https://blogs.msdn.microsoft.com/cloud_solution_architect/2016/05/24/step-by-step-how-to-resize-a-linux-vm-os-disk-in-azure-arm/

Please leave any comments if you know more about the df command results, the sda1, Azure VM OS disk sizes, Linux partitions, etc. I am always learning.

References that helped me get here: