Random thoughts from Jeffrey
# Friday, February 10, 2006
Update (2006-0213): okay, so half that stuff doesn't seem to be working properly...grrrrr...I'll look into it and update this post when everything is behaving properly.
 
A couple of changes have been made to this site design...not really sure whether I'll keep them.  Mostly just playing around right now.
 
Summary of changes:
  • Added RSS <link/> element to /default.aspx.  Need to add one to /announcements.aspx too.
  • Put some content on the Extranet page.  You can grab the root certificate if you feel like trusting me to issue digital certs...
  • Removed "ntldr.net: the site" banner (it annoyed me today...no real other reason).
  • Changed underlying SharePoint theme from "vNext" to "Glass", since having big black boxes/bars didn't look so good to me (and I never got around to fixing things up to look nice with "vNext").
 
Sidenote: I know that /default.aspx doesn't render properly in IE7.  I have no idea WHY right now, and it probably isn't just IE7 that has problems (although IE6 seems to work correctly).
 
Anyway, any thoughts on it?
Friday, February 10, 2006 18:00:00 UTC  #    Comments [0] -
Personal
# Wednesday, February 01, 2006
 
Follow the two links in the post...
 
Context update: this was one of the fun things I found during OS's today, thus proving (again) that having PowerPoint slides available for a class leads to decreased attention.
Wednesday, February 01, 2006 18:05:00 UTC  #    Comments [0] -
IT
Another Algorithms assignment due today, so I'm still basically brain dead.  But I installed the IE7 Beta 2 Preview, and thought I should at least test out if parts of my site still worked...
 
IE7 Beta 2 Preview is out...get it at www.microsoft.com/windows/ie if you're feeling adventurous and stupid (note the AND on those two conditions at the current time).
 
Funny post: http://kupek85.livejournal.com/71090.html.  I found it funny at least.  Preliminary feedback from testing on IM subjects indicates that part of the humour comes from knowing the people in the post.
 
Ah, the sorry state of local bloggers/information distribution/the level of attention I pay to Purdue announcements: I found out about the audio recordings for lectures from a blogger in Seattle...the recordings from the university I'm currently attending.  Yeah...  http://blogs.msdn.com/nadyne/archive/2006/01/25/517880.aspx  (direct link for the media: http://boilercast.itap.purdue.edu:1013/Boilercast/Index.html)
 
And the results from the logs for January are in...#1 most read post (as measured by people actually clicking on the link and reading the post) was ID81: Donut-ilicious (www.ntldr.net/Blog/DispForm.aspx?ID=81).  I have no idea why.  Explanations are welcome, especially funnier ones.  Or ones that actually make sense.
Wednesday, February 01, 2006 06:00:00 UTC  #    Comments [0] -
Purdue
# Monday, January 30, 2006
It's been a while since I last posted about my adventures at work with Solaris.  The optimistic amongst you may have just figured "hey, he got it working and is being snobbish about sharing the tricks to it with us."  Oh how I wish that were the case...instead, it's been dragging out, sitting there half complete while other stuff comes up.
 
It's been half complete because it was going nowhere.  And has continued to go nowhere.  But the monitor for the one Sun system has been sitting on my desk, glaring at me and serving as a constant reminder of my shame & failure.
 
High points: I got Samba working!  Single sign-on!  whoo-hoo!  Better yet, it stayed working.  Until we upgraded the DC's, which now run Windows Server 2003 R2.  Crap.
 
See, in Server 2003 R2, the schema changed to be RFC 1307 (I think that's the #...) compliant.  That means that the builtin OS tools for managing Unix identity attributes no longer work with the settings that Samba's winbindd picks up.  So effectively, Samba has stopped working as desired.
 
So after looking at the current state of things, and what was actually needed, and my available options, I decided to scrap the whole lot.  And so, in 10 minutes of using Windows to set things up, and another 3 hours on Solaris, I'm almost back to where I was with Samba for integrated authentication.
 
Steps to retrofit NIS onto Solaris:
  • Edit /etc/hosts to contain the NIS servers
  • Create a /etc/defaultdomain file containing the NIS domain name
  • Run "ypinit -c"
  • Edit /etc/nsswitch.conf to contain entries for NIS as needed (this part isn't exactly working for me quite yet...)
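
A read-only check of the files those steps touch, added here as an example and not part of the original post. The function name, the sample domain, host names and addresses, the ypservers path under /var/yp/binding, and the "files first, then nis" ordering policy are assumptions.

```shell
#!/bin/sh
# Added example: audit the files touched by the NIS client steps.
# Usage: nis_client_audit [ROOT]   (ROOT defaults to the live system)
# Prints one finding per line; returns 0 when clean, 1 otherwise.
nis_client_audit() {
    root="${1:-}"; rc=0
    hosts="$root/etc/hosts"; nss="$root/etc/nsswitch.conf"

    # /etc/defaultdomain must hold the NIS domain name.
    domain=""
    if [ -r "$root/etc/defaultdomain" ]; then
        domain=$(tr -d ' \t\r\n' < "$root/etc/defaultdomain")
    fi
    [ -n "$domain" ] || { echo "defaultdomain: missing or empty"; rc=1; }

    # Every server recorded by "ypinit -c" should have an /etc/hosts entry.
    servers="$root/var/yp/binding/$domain/ypservers"
    if [ -n "$domain" ] && [ -r "$servers" ]; then
        while read -r srv; do
            [ -n "$srv" ] || continue
            awk -v h="$srv" '!/^#/ { for (i = 2; i <= NF; i++) if ($i == h) f = 1 }
                END { exit !f }' "$hosts" 2>/dev/null ||
                { echo "hosts: no entry for NIS server $srv"; rc=1; }
        done < "$servers"
    else
        echo "ypservers: list not found (has ypinit -c been run?)"; rc=1
    fi

    # Assumed policy: passwd and group consult local files first, then NIS.
    for db in passwd group; do
        line=$(grep "^$db:" "$nss" 2>/dev/null | sed 's/#.*//' | tr '\t' ' ')
        case "$line " in
            *files*" nis "*) ;;
            *) echo "nsswitch: $db is not 'files ... nis'"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample tree (domain, hosts and addresses are made up).
demo=$(mktemp -d)
mkdir -p "$demo/etc" "$demo/var/yp/binding/example.nis"
echo "example.nis" > "$demo/etc/defaultdomain"
echo "192.0.2.10 nis1" > "$demo/etc/hosts"
printf 'nis1\nnis2\n' > "$demo/var/yp/binding/example.nis/ypservers"
printf 'passwd: files nis\ngroup: files\n' > "$demo/etc/nsswitch.conf"
nis_client_audit "$demo" || echo "audit found problems"
rm -rf "$demo"
```

Pointing ROOT at a copy of the machine's /etc and /var/yp lets the check run without touching the live name-service configuration.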

Useful sites:

http://technet2.microsoft.com/WindowsServer/en/Library/05e70117-b880-448b-9f89-6d637a402d5e1033.mspx

Monday, January 30, 2006 04:25:00 UTC  #    Comments [0] -
SSCI
# Wednesday, January 25, 2006
The PKI system I have on my computers has been upgraded: it now has 1 working smart card that I'm using for testing & evaluation!
 
The smart card is an Axalto Cryptoflex 32k e-gate.  The certificate server is Windows Server 2003 Certificate Services.  The client is straight Windows XP SP2 (no additional Axalto CSP, so I had to use their Personalization tool to format it for Windows 2000 compatibility).
 
Now, there was one tiny problem I've run into.  When trying to request a new certificate using certmgr.msc, it would always generate the error "Certificate request could not complete.  The specified user was not found." (or something along those lines).  After combing the event logs, doing a number of web searches, and examining every nook and cranny of the Certificate Process, I found the solution.
 
It turns out the user requesting the certificate can't be logged in using the UPN (username@domain).  You have to log in using the domain username, password, domain format.
Wednesday, January 25, 2006 06:40:00 UTC  #    Comments [0] -
IT
# Saturday, January 21, 2006
At work we bought two new servers to replace our 5-6 year old DC's.  I got most of the OS installed last weekend, and got the go ahead today to bring one of them up as a DC in the domain.
 
So I ran dcpromo.exe, walked through the wizard, and let it do its thing.  After 5 minutes or so, it failed, saying the schema was out of date and needed to be updated.  Which was funny, because it's a Windows Server 2003 SP1 domain, and I thought that Windows Server 2003 R2 was the same core OS as 2003 SP1.  Well, it turns out that at least the AD components in R2 are newer (to support the Federation Services?  or maybe the Integrated Unix Authentication?).
 
However, running adprep.exe from Disc 1 didn't help, since it kept saying the schema was up to date.
 
Well, it turns out there's ANOTHER adprep.exe that has to be run.  It's located on DISC 2 under the \CMPNTS\R2\ADPREP folder.  So, "adprep.exe /forestmode" (and, curiously, "adprep.exe /domainprep /gpprep", for our domain) needs to be executed before dcpromo will work.
 
Next time, I'll try looking at the docs before doing something I've done dozens of times before...
Saturday, January 21, 2006 03:45:00 UTC  #    Comments [0] -
IT
Well, I got IPSEC to work.  Finally.  Actually, it only took about a week...there just happened to be this thing called "winter break" and "classes start again" immediately after I got everything working.
 
So, how did I manage to do it?
 
  1. Use certificate authentication, not Kerberos.
  2. Disable the "map certificates to accounts" setting, otherwise it seems an UNencrypted connection to a DC is needed, just like with Kerberos.
  3. Somehow keep all the computers you're trying to configure from locking while you're in the middle of setting everything up, because it's likely that if that happens, and you have applied the MS Windows Server 2003 Security Guide recommendations, then you'll be screwed and unable to access the server you're in the middle of configuring.  Yes, this happened to me, and no, I never want to go through that experience again.
  4. Become familiar with "net stop policyagent", as it can save you when things get screwed up.  Basically, it turns off IPSEC enforcement/usage, allowing the computer to communicate with the DC (maybe).
  5. If you see someone like MS doing something with IPSEC, like exempt DC's & DNS servers from policy, PAY ATTENTION.  THERE IS A REASON THEY DID THAT.  Whatever you do, don't think you're smarter than the people who wrote those papers, especially since their implementation actually works.

So, those are my tips on how to get it working with Windows Server 2003 SP1 and Windows XP SP2.  Anyone else got any advice?

Saturday, January 21, 2006 03:35:00 UTC  #    Comments [0] -
IT
# Friday, December 16, 2005
You may have noticed the site being up & down (mostly down though) for the last week and a half.  Site performance has also decreased now that it's back up.
 
This is because IPSec is the worst thing EVER.  And I mean that.  Literally.
 
IPSec sits in the low level of the OSI stack and provides encryption and authentication for IP.  So it can do things like have every TCP packet from the Internet encrypted using 3DES, with the sender and receiver authenticating to each other over Kerberos.  So far, so good.  Sounds like a wonderful technology: all you have to worry about are IP spoofing, hardware hacking, and Layer 1 (like ARP poisoning) attacks.  Everything above that stuff is always encrypted and always authenticated.
 
Except, it turns out to be incredibly hard to actually use.  Sure, it starts simple enough: assign one of the predefined policies that sounds like it's the correct choice, like "Client" or "Require Security".  But then you apply that setting...and find out you can't log into the computer anymore, can't get the computer to recognize that you've fixed the policy so that you could actually login, and then find out you can't actually pull the broken policy off because the IPSEC driver has now gone into BLOCK mode, and is denying every attempt to connect.
 
Even worse is what happened to me.  It seemed to work fine for the servers for a day or two.  Then they started having those problems.  Even more confusing, they'd do this when configured to use Certificate based authentication.
 
Even more frustrating is that I have the PolicyAgent ("IPSec Services") startup controlled via GPO's.  So when I finally did manage to get the service stopped and everything talking once again, the next GP application came around and fired it right back up.  While the console was locked.  With the "Require Domain Controller authorization to unlock workstation" setting enabled.
 
Oh, and this is all happening during finals week (well, actually, it started the week before finals; it just took me a while to notice).
 
Understand why IPSec is the worst thing ever?
Friday, December 16, 2005 22:25:00 UTC  #    Comments [0] -
IT
# Friday, December 09, 2005
(see /Lists/Posts/Post.aspx?ID=73 for background)
 
Note: I cannot be bribed with donuts.*  Oh...but...mmmm....donuts......
 
 
 
 
 
* This post subject to change provided a sufficient quantity of donuts is provided.  All rights reserved.  Void where prohibited.  Copywrite [by] Me.  <Insert additional legalese as sufficient to make people not read this part>
Friday, December 09, 2005 02:10:00 UTC  #    Comments [0] -
Personal
Primarily, this is a post about RSS.  You see, there's only one subscriber to the RSS feeds that are in all those tabs to the right (on the v5 site...which is the one that's available when this post is being written).  And there should be more!
 
But first, a digression into ECE: the lab practical today was just meh.  It was a simple enough task, but the infernal contraption just wouldn't work for me!  So I ran out of time, and the TA came over to grade what I had, and all of a sudden it mostly started working (I had pulled out the Asynch Reset so I could debug it).  So I got a 9/10.  Which is good, but the amount of frustration was...even more frustrating.
 
Back to RSS.  It's just another XML format (kind of like most web pages are just the XHTML XML format).  However, there are these cool things called RSS Readers that can Subscribe to an RSS Feed (the XML file containing RSS).  When a feed (to use the simplified parlance of bloggers - people who author a Web Log, like the one that you're reading right now) is subscribed to, the RSS Reader will automatically check the feed for updates and display those to the user in whatever manner.  So subscribing to one of the RSS feeds on this site would mean you'd never have to manually come and visit it to see what's new: the Reader would take care of that for you.
 
I recommend that you check RSS out and see what it can do for you (like on this site).  I use RSS A LOT.  I'm subscribed to a lot of RSS feeds (not just blogs - change logs & "new releases" are things I've found to be conducive to use as RSS items).  And now onto a little problem I have...
 
Now, there are a wide variety of RSS Readers.  You have web based ones, like Start, live.com, Google Reader (I know Google has one at least), and a wide variety of much more popular sites.  There are addons & plugins for existing apps, like Newsgator: Outlook.  There are apps that have had Reader capabilities baked in (similar to the plugins), like Mozilla Thunderbird, a couple of Jabber clients, and Microsoft IE7.  And then there are the dedicated desktop, rich client RSS Aggregators.
 
I use the latter.  Currently, this is RSS Bandit 1.2.117.  I started out with SharpReader, but that's waaay too memory intensive, and doesn't look that great in my opinion either.  But it lasted me a while.  The next client I tried was SauceReader, which looked great, but had even worse resource usage than SharpReader.  Finally, I tried RSS Bandit 1.2.114.  And that had me hooked: it was specifically designed to not trash system resources.  RSS Bandit has served me well for almost a year and a half now.
 
Development has also continued, led primarily by Dare Obasanjo (www.25hoursaday.com).  They've had the 1.3 series of versions released for a bit now, and just rolled out a new one.  Unfortunately, I have never been able to get the 1.3 versions to work.  Between 1.2 and 1.3, they changed some of the UI components, and the new library just does not seem to want to work.  So whenever I go to use 1.3, all I get is a blank area where it should be displaying the tree view of the feeds I'm subscribed to.  Which means that the program is completely useless, as none of the other sections of the program (post contents & post list for the currently selected feed) get populated.  I have seen this problem even on fresh installations of Windows, with just XP SP2 & .NET 1.1 SP1 installed.  Obviously everything is working fine for most people, just not for me.
 
As stated before, I've been running the older version of RSS Bandit because of that issue.  However, that solution is becoming increasingly inadequate.  A number of the feeds I'm subscribed to use ATOM (as far as end users are concerned, it's the same as RSS...just a different company's take on the whole feed idea), and have recently moved from the 0.3 version to the 1.0 version of the spec.  Which means RSS Bandit 1.2 can no longer view them.
 
So, any recommendations for a new RSS Aggregator?  It needs to support ATOM 1.0, podcasting support is not needed, I'd like it to look nice, preferably be a standalone client (although something that acts as an addin to Outlook might also work for me), and ideally be free/cheap.
 
Thanks!
Friday, December 09, 2005 02:05:00 UTC  #    Comments [0] -
IT
About the author
Jeffrey Stults
Jeffrey Stults is a software developer currently in Portland, Oregon. He is contactable at:
stultsj@ntldr.net
Disclaimer
The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.

© Copyright 2012
Jeffrey Stults, Jr.