Category: Applications

Chrome – Certificate warning – Invalid Common Name

Users of Google Chrome version 58 (released March 2017) and later will receive a certificate warning when browsing to HTTPS sites if the certificate only uses the Common Name and does not carry any Subject Alternative Name (SAN) values. The deprecation had been ignored for many years, and the Common Name field was used exclusively. The Chrome developers finally had enough of the field that refuses to die: in Chrome 58 and later, the Common Name field is ignored entirely.

[Screenshot: Chrome – Certificate warning – NET::ERR_CERT_COMMON_NAME_INVALID]

The reason for this is to prevent homograph attacks, which exploit characters that are different but look similar. The lookalike characters can be used for phishing and other malicious purposes. For instance, the Latin letter “a” looks identical to the Cyrillic “а”, but from a computer's point of view these are encoded as two entirely different letters. This allows domains to be registered that look just like legitimate domains.

Some organizations with an internal or private PKI have been issuing certificates with only the Common Name field. Many do not know that using the “Common Name” field of an SSL certificate to carry the domain name the certificate is valid for was phased out by RFC nearly two decades ago (RFC 2818 was published in 2000). Instead, the SAN (Subject Alternative Name) field is the proper place to list the domain(s), and the requirements that all publicly trusted certificate authorities must abide by have mandated the presence of a SAN since 2012.

Publicly trusted SSL certificates have populated both fields for years, ensuring maximum compatibility with all software, so you have nothing to worry about if your certificate came from a trusted CA like DigiCert.

Below is an example of a correctly issued certificate with Common Name and Subject Alternative Name.

[Screenshot: tech.xenit.se – Common Name]

[Screenshot: tech.xenit.se – Subject Alternative Name]

RFC 2818 – Common Name deprecated by Google Chrome 58 and later

“RFC 2818 describes two methods to match a domain name against a certificate: using the available names within the subjectAlternativeName extension, or, in the absence of a SAN extension, falling back to the commonName.

[…]

The use of the subjectAlternativeName fields leaves it unambiguous whether a certificate is expressing a binding to an IP address or a domain name, and is fully defined in terms of its interaction with Name Constraints. However, the commonName is ambiguous, and because of this, support for it has been a source of security bugs in Chrome, the libraries it uses, and within the TLS ecosystem at large.”

Source: https://developers.google.com/web/updates/2017/03/chrome-58-deprecations
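The two matching methods the quote describes, as an added example that is not from the original post or from Chrome's own code: a small hostname matcher over a constructed, already-parsed certificate record (the dict layout, the RFC 6125-style wildcard rules and the sample tech.xenit.se and 10.0.0.1 records are assumptions for illustration), run once with the RFC 2818 fallback to the CN and once with Chrome 58's behaviour where the CN is ignored entirely.

```python
import ipaddress

def _match_dns(pattern, hostname):
    """RFC 6125-style dNSName match: case-insensitive, wildcard only as the
    whole leftmost label, never spanning a dot, never matching a bare TLD."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if p == h:
        return True
    if p[0] != "*" or len(p) < 3 or len(p) != len(h) or h[0] == "":
        return False
    return p[1:] == h[1:]

def matches(cert, hostname, allow_cn_fallback):
    """Return True if the certificate record is valid for hostname.
    cert is a constructed dict standing in for a parsed X.509 certificate:
    {"cn": str|None, "san_dns": [str], "san_ip": [str]}. allow_cn_fallback=True
    is pre-Chrome-58 behaviour (RFC 2818 fallback); False is Chrome 58+ (CN ignored)."""
    san_dns, san_ip = cert.get("san_dns", []), cert.get("san_ip", [])
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if san_dns or san_ip:
        # SAN present: it is authoritative and the CN is never consulted.
        if ip is not None:
            return any(ipaddress.ip_address(x) == ip for x in san_ip)
        return any(_match_dns(name, hostname) for name in san_dns)
    cn = cert.get("cn")
    if not allow_cn_fallback or not cn:
        return False
    # Legacy fallback: the CN is a free-form string, so the verifier cannot tell
    # whether it names an IP address or a DNS name (the ambiguity Chrome cites).
    return cn.strip() == hostname if ip is not None else _match_dns(cn, hostname)

# Constructed sample records modelled on the page's tech.xenit.se example.
CERT_CN_ONLY = {"cn": "tech.xenit.se", "san_dns": [], "san_ip": []}
CERT_WITH_SAN = {"cn": "tech.xenit.se", "san_dns": ["tech.xenit.se", "*.xenit.se"], "san_ip": []}
CERT_IP_IN_CN = {"cn": "10.0.0.1", "san_dns": [], "san_ip": []}

def demo():
    return {
        "cn_only_legacy": matches(CERT_CN_ONLY, "tech.xenit.se", True),
        "cn_only_chrome58": matches(CERT_CN_ONLY, "tech.xenit.se", False),
        "san_chrome58": matches(CERT_WITH_SAN, "tech.xenit.se", False),
        "wildcard_one_label": matches(CERT_WITH_SAN, "blog.xenit.se", False),
        "wildcard_two_labels": matches(CERT_WITH_SAN, "a.b.xenit.se", False),
        "ip_in_cn_legacy": matches(CERT_IP_IN_CN, "10.0.0.1", True),
        "ip_in_cn_chrome58": matches(CERT_IP_IN_CN, "10.0.0.1", False),
    }
```

The CN-only record passes under the legacy fallback and fails under Chrome 58, which is exactly the NET::ERR_CERT_COMMON_NAME_INVALID case shown above; adding the SAN makes it pass in both modes.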



Outlook search index with FSLogix

Something that is quickly discovered after setting up an “FSLogix Office 365 Containers” solution in a multi-user environment is that, in some environments, the search index for Outlook is rebuilt at every new logon. This applies to environments with several session hosts that users can log on to.

The search function in Outlook uses “Windows Search”, which is a database of the indexes for the entire operating system; it is not something that is stored per user. This means, for example, that in a Citrix environment with several servers, a user's Outlook will re-index all of Outlook on every new server the user logs on to. This causes slow searches (until the indexing is complete) and unnecessary CPU load, which in turn can affect the whole environment negatively. It can get even worse when Citrix Provisioning Services (PVS) is used, since the updated index disappears at every restart of the server.

FSLogix to the rescue

To work around this problem, FSLogix has a feature that includes your Outlook search index in the VHD file, so you always have your up-to-date index data with you on whichever server you end up on. You need to change two registry values to enable this; I personally prefer to create/edit a GPO for this.

The following two registry values must be set:

HKLM\Software\FSLogix\Apps
Type: DWORD
Value Name: RoamSearch
Value Data: 2

HKLM\Software\Policies\FSLogix\ODFC
Type: DWORD
Value Name: RoamSearch
Value Data: 2


Feel free to get in touch if you are interested in, or want to know more about, products from FSLogix. See also our earlier blog posts about FSLogix below:

FSLogix Profile Containers – Simple and fast profile management

Office365 with FSLogix in a multi-user environment

OneDrive with simulated Single Sign-On




OneDrive with simulated Single Sign-On

Recently we have received numerous requests to implement OneDrive in multi-user environments. This is not an easy task, given that Microsoft refuses to release and develop a client that supports multi-user environments. Citrix and Microsoft give the following recommendations:

  1. Use OneDrive for Business through the browser.
  2. Use ShareFile instead of OneDrive for Business.
  3. Continue using OneDrive for Business, but through ShareFile Desktop App or ShareFile Driver Mapper.


Configure Google Chrome in a multi-user environment

Installing and configuring Google Chrome in a multi-user environment can be anything but easy. More and more users switch from Internet Explorer to a much more convenient browser, and they expect to use it at work too. In this post, I will provide a short tutorial on how I usually install and configure Google Chrome for a popup-free, seamless experience for your end users.

Installing Google Chrome is a basic next, next, next installation using the MSI file provided here. The problem with configuring Chrome is that there are several ways to set different kinds of settings. Sometimes you can configure the same type of setting in several places, and sometimes there is only one place to configure a setting. There are mainly three ways of configuring settings: policy based (ADMX template), master preferences, and command-line switches on the shortcut that launches Chrome. I will be talking about the first two in this post. I always try to set as many settings as possible in a group policy (GPO) using the ADMX templates. Why? Because it is much easier to update a GPO than to update a file on each session host.

Google Chrome is an application that configures and does many things in the background. Do you really want all users to be prompted to check the default browser, get a first-run introduction and have shortcuts created on the desktop? Although this is a standard procedure that most users are familiar with, it is much more convenient (and more enterprise-friendly) to not get any popups at all. Below is what I usually add to the “master_preferences” file. I have not found a convenient way to see a full list of settings to configure, but this is the closest I have come so far.


notepad "C:\Program Files (x86)\Google\Chrome\Application\master_preferences"

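A master_preferences file of the kind the post describes (no first-run introduction, no default-browser prompt, no desktop shortcut, no data import), written here as an added example rather than taken from the post or from Google; the keys are from Chromium's documented master_preferences format, and the intranet start page URL is a placeholder to replace with your own.

```json
{
  "homepage": "https://intranet.example.invalid",
  "homepage_is_newtabpage": false,
  "browser": {
    "show_home_button": true,
    "check_default_browser": false
  },
  "session": {
    "restore_on_startup": 4,
    "startup_urls": ["https://intranet.example.invalid"]
  },
  "bookmark_bar": {
    "show_on_all_tabs": true
  },
  "sync_promo": {
    "show_on_first_run_allowed": false
  },
  "distribution": {
    "skip_first_run_ui": true,
    "suppress_first_run_default_browser_prompt": true,
    "import_bookmarks": false,
    "import_history": false,
    "import_home_page": false,
    "import_search_engine": false,
    "do_not_create_desktop_shortcut": true,
    "do_not_create_quick_launch_shortcut": true,
    "do_not_create_taskbar_shortcut": true,
    "do_not_launch_chrome": true,
    "make_chrome_default": false,
    "make_chrome_default_for_user": false,
    "system_level": true,
    "verbose_logging": false
  },
  "first_run_tabs": ["https://intranet.example.invalid"]
}
```

The file must be strict JSON (no comments or trailing commas), and a parse error makes Chrome silently ignore the whole file, so validate it before rolling it out to the session hosts.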

After installing Google Chrome and adding the “master_preferences”-file I usually proceed by downloading the ADMX-templates from here. Download and install the ADMX-template in your central store. Browsing through the settings you should notice three things.

  1. All settings are applied to the computer, meaning that the configured settings do not affect user login time.
  2. There are two folders with policies. In “Google Chrome – Default Settings” the user may override all the configured defaults. In the other folder the user may not override the configured defaults.
  3. The settings we configured using “master_preferences” are not overridable.


[Screenshot: Google Chrome GPO]

Please browse through each setting in the group policy and configure the settings to your liking.

Google Chrome saves a lot of settings and files in the user profile. If you are using roaming profiles, the profiles will soon begin to fill up and users will get longer login times. There are two different approaches we can take. If your roaming profile system allows you to include and exclude files and directories, you may use the first one below.


Include files:


The second approach is to configure the policy “Set user data directory” to point to your home directory. I prefer the second one because it is much easier to manage.

[Screenshot: Google Chrome GPO – User data directory]