flag
27 Topics

Kerberos Authentication flow
Video version: Kerberos Authentication flow

Whenever you log in with Windows Authentication to a server like SQL Server, in many cases Kerberos is used as a main authentication type. In short, Kerberos is a secure method for verifying the identity of users and services in a network to authenticate users.

So, suppose Kerberos authentication started to fail and your application cannot log in. You start to panic and want to troubleshoot as soon as possible! But you do not know how to do that because you do not understand how this authentication works internally. In this case, if you know how Kerberos functions internally, it becomes much easier for you to troubleshoot this issue.

Below is the Kerberos authentication flow at a high level:

1. Whenever the client tries to log in to the server, it should first do name resolution. If there is no DNS cache, it will connect to the domain controller and bring the IP address for the server DNS name.
2. Afterwards, there will be a three-way TCP handshake with the server.
3. Following the TCP handshake, servers negotiate on protocol types of authentications: NTLM or KERBEROS. Often Kerberos is chosen as this is new protocol with more performance efficiency.
4. After Kerberos is chosen, the client will do a TCP handshake on TCP port 88.
5. Then, the client will send an AS-REQ packet to the KDC center in the domain controller. AS-REQ (Authentication Service Request) is the initial message sent by a client to the Key Distribution Center (KDC) in the domain controller to get a TGT. This message includes the client's principal name (username) and may include pre-authentication data such as password. If the username is correct and the password is valid, the domain controller sends AS RESPONSE. This response includes the TGT key and session key.

   Here is the important point: the TGT key is encrypted with the password of the KRBTGT account and the session key is encrypted with the client's password. If you go to your domain controller, you will see this KRBTGT account. The TGT is encrypted with this account's password.

   When the client receives the TGT, it decrypts the session key with the password, and this session key is placed in memory along with the TGT. Going forward, the account's password is no longer required. When the client makes subsequent ticket requests, it will present the TGT and create a new authentication using the session key and the system timestamp.
6. After getting the TGT and session key, the client makes a TGS request presenting the TGT and the service principal names (SPNs) of the service the client wants to access.
7. After getting the TGS-REQ, the domain controller decrypts the TGT ticket and validates the user and SPNs. If the SPNs are correctly registered and the user credentials and TGT ticket are valid, the domain controller responds with a TGS-REP, which includes the service ticket and a session key. The service ticket is encrypted with the service's secret key, while the session key is encrypted with the client's session key. Here, the important point is that the service ticket is encrypted with the password of the service account attached to the server and the session key is encrypted by the client's session key. Therefore, the client cannot decrypt the service ticket.
8. Finally, by using this service ticket, the client makes an AP request to the server, and an AP-REP is received. This AP-REP is often not mandatory and does not happen depending on the service type. With this, KERBEROS authentication finishes.

Authentication flow in network traces

1. TCP handshake.
2. First, as we learned, AS REQUEST is sent. One important point here: the first AS-REQ fails with a PRE-AUTH REQUIRED error because the client did not send pre-authorization, or did not send the appropriate type of pre-authorization, to receive a ticket. The client will retry with the appropriate kind of pre-authorization (the KDC returns the pre-authentication type in the error). Many Kerberos implementations will start off without preauthenticated data and only add it in a subsequent request when they see this error. This is expected and you should ignore this.
3. Afterwards, the client again sends AS-REQUEST with appropriate pre-authorization.
4. The domain controller responds with AS-REP, providing the encrypted TGT ticket and session key.
5. By using this session key and TGT, the client makes a TGS request. It also includes SPN names.
6. Finally, the domain controller responds with the TGS response and includes the service key. By using this service key, the client makes the authentication request.

3K Views, 2 likes, 2 Comments

Introducing Project Robin | New Feature
This one is a new flag you can enable: edge://flags/#edge-robin

Microsoft Edge Version 91.0.852.0 (Official build) canary (64-bit)

I think, Project Robin is a way to show Windows Defender Application Guard windows as tabs, next to other regular tabs. Because right now, when you open a new WDAG window, it has its own protected window, backed up by Windows Defender engine. This Project Robin might be a way to bring the 2 environments together in the same window.

So far the feature doesn't seem to be fully implemented yet. When I try it, it takes me to https://dev.browse.trafficmanager.net/?header=0&url=https%3A%2F%2Fwww.bing.com%2F&escape=newdomain&titlePrefix=0 and then nothing.

It's exciting, waiting for future versions to see more changes.

29K Views, 0 likes, 4 Comments

Alt + Tab experience can now be turned off from the browser using this newly added flag
This flag that was just added today to Edge Version 89.0.736.0 (Official build) canary (64-bit)

edge://flags/#edge-window-tab-manager

can disable the Alt + Tab experience.

The description says: "Allows Windows to show open Microsoft Edge tabs in OS experiences like Alt + Tab, pinned sites, and more. – Windows"

So regardless of what your settings are in Windows, you can stop Edge tabs from appearing as separate windows in Alt + Tab view.

3.1K Views, 1 like, 2 Comments

Microsoft Edge Kids! - Kids mode added to Edge - What an Amazing feature! (●'◡'●)
Microsoft Edge version 90.0.800.0 (Official build) canary (64-bit) introducing Kids mode which can be accessed from the browser settings: edge://settings/family

You can learn all about it here in this official page.

A brief description:

Kids Mode is a convenient browsing mode inside Microsoft Edge that’s designed for kids. With its kid-friendly features and safety guardrails in place, Kids Mode is a great place for children to safely explore the web. Kids Mode includes features like custom browser themes, kid-friendly content, browsing based on an allow list, Bing SafeSearch set to strict, and a password requirement to exit. Also, Kids Mode doesn't require a child account or profile. Currently, Kids Mode is limited to US English on Windows and MacOS.

Kids mode is full screen mode, in order to exit it, kids need to have Windows Pin or Password and you can see, all the appropriate content and links are added to the home page ^^

Bonus content:

5.9K Views, 5 likes, 19 Comments

Remove red overdue date from recurring tasks
Some tasks, which are set to be recurring every day, do not need to be highlighted red with an overdue date if not completed. Can this be turned off? I want the task to appear every day, but I don't want it to be flagged as overdue, and definitely not in a red font.

e.g. task: 'Take a 20 minute walk' doesn't need to be flagged as overdue if it hasn't been done that day, but it is helpful to be in my task list each day.

2.1K Views, 1 like, 1 Comment

New feature: Move tabs between different profile windows
This flag has been in Edge canary for some time but it started working since today's update, Edge Version 89.0.711.0 (Official build) canary (64-bit)

You need to enable this flag: edge://flags/#edge-move-tabs-to-profile-window

Restart browser and when you right-click on a tab, you will have that option to move tab to a different profile window. Of course first you have to have at least a 2nd profile in Edge for this to work.

P.S. the other profile doesn't need to be open or running.

I'm hoping in future we will be able to use drag and drop to move tabs between 2 open Edge profile windows.

3.1K Views, 2 likes, 1 Comment

SS33: smart pip mode - better tiktok integration (or other video social/websites) picture-in-picture
Suggestion (SS): 33
Classification: TIKTOK + PIP / picture-in-picture + audio control
PRIORITY IN MY OPINION: 4-6 on a scale from 1 (low) to 10 (high)

EDIT: I just found this picture in picture https://link.ws/pipdiscussion1 discussion in the feed too.

1) I don't see this directly is annoying I need to activate it via flags
2) pip doesn't work, even if I activate it
   goal like 360 chrome (or even better, see 3) or https://link.ws/vivopepip with better video control (sugg.17.) and pip buttons (sugg.18.), but avoid to put it over the downloader... (like the picture)
3) smart player with zoomed features like this on the right
4) remember TikTok specific size
5) keep always on top over all Mac apps (I haven't tested this with Edge, because I don't see pip)
6) please go to next TikTok automatically
7) allow extension in pip mode, so I can download TikTok videos in pip mode with the overlay button

PS: about 6) I already told to them inside my 50+ suggestions to TikTok too, but maybe Edge is able to fix it too. I hope auto for both pip mode and normal web browsing.

8) add possibility to add multiple url inside a list of pip mode, so a sort of playlist pip mode.
9) maybe like 8 with collections or bookmarks folders, so you pip mode randomly url
10) add to bookmarks inside pip mode directly, especially if you implement 6)
11) same like 10 for collections
12) maybe a separate history for pipmode visited urls (if 6. is implemented)

EDIT: sorry I can activate it via 1 ... there is no button over the video for pip (or below, near the video). If I do that, I see there is no mute option too.

13) we cannot change the size, we can only change position. Yes pip is over all Mac apps (I see it now after enabling with 1.)
14) remember to add even the option "keep behind mac app too". So both option should be available.
15) loop mode support for other website
    here the max size possible
16) better audio control panel, where we see all tabs with audio active and we can choose where to keep audio on or off. For example if 300 tabs are opened, but 20 with audio, in this panel we see only the 20 tabs.
17,18) see above
19) ability to quick copy url link or share the video (in pip mode)
20) screenshot feature integrated in pip mode.
21) loop from x to y
    https://www.tiktok.com/@buketalican11.12.16/video/6682465643712744709
    example from 0 to 0.22 in this video, by skipping the rest
22) continue to loop, even if I launch another website, in this case you have 2 audios, 1 with pip, 1 without. Would be cool the loop function for normal browsing too (is possible via extension...)
23) remember the dual mode suggestion: pip and full mode at the same time https://link.ws/edgess25

about 24) it depends how you implement all that. If you do like 360chrome, where each video has separate pip then allow both option "deactivate audio in dock mode" or "keep audio in dock mode" (not available in 360). What I like is that I can pip my videos in the dock. So if you use a player, maybe a way to pip the player in the dock is cool too, with both option "audio on" "audio off".

25) if there is no idea for 23) then a way to switch from pip to full faster, and from full to pip too

about 26) I know this get against TikTok policy, but maybe useful for other websites**. A download button.
**at the end is not possible to download it at all, since it doesn't work. Plus the fact that TikTok download is not directly a feature a browser need to support and extension can do it perfectly. So the point is to add it for other websites, that allow you to download videos without copyright problem...

27) Spotify player should be different from video player. So we can have Spotify and pip at the same time.
28) 2x click switch size
    for example with Opera max size is
    then with a 2x click we go to
    so a small size, which is not related to the full size video - pip mode switch suggestion that I wrote before. In this case the max size could be 1/2 of display, full mode is 1/1
29) right click options
    would be cool to see suggestions or skip ads or stop auto suggestions with right click

3.2K Views, 0 likes, 3 Comments

New Feature for Web Capture - Subscroller area selection
Normally you can't use Web Capture or Smart Copy in Edge to capture the contents of the 2nd scrollbar, but now you can with this new feature added under this flag in Edge Version 91.0.844.0 (Official build) canary (64-bit)

Subscroller area selection.
When enabled, users will be able to select sections of subscrollers when using WebCapture or SmartCopy. – Mac, Windows, Linux
#edge-subscroller-area-selection

edge://flags/#edge-subscroller-area-selection

2.6K Views, 2 likes, 2 Comments

You can turn on Math Solver feature on-demand now
Make sure you are at least on Edge version 91.0.831.0 (Official build) canary (64-bit) and then enable this new flag: edge://flags/#edge-math-solver

You can learn more about Math Solver feature here: https://techcommunity.microsoft.com/t5/articles/learn-how-to-solve-math-problems-with-math-solver-in-microsoft/m-p/2195689

1.4K Views, 1 like, 0 Comments