Random thoughts from Jeffrey
# Monday, February 13, 2006
Today's "DUH!  I'M AN IDIOT!" award goes to...me.  Yay, I won something.
 
I get it for not putting the /* on the end of the path I was trying to publish with ISA.  The /extranet.aspx links should now work.  The funny thing is I forgot it despite there being other paths published in the same rule that correctly had the /* at the end.  So, basically, if I had just like, looked at the screen maybe, I should have seen the problem immediately.
Monday, February 13, 2006 15:35:00 UTC | Comments [0] | IT
If anyone wants a Windows Live! Messenger invite, I've got a bunch to give away.  Just email me at stultsj@ntldr.net from the email account on the Passport that you want to WL!M enable.
 
If you don't know what WL!M is, it's basically the next version of MSN Messenger.  If you don't know what MSN Messenger is, umm...do a search or something?
Monday, February 13, 2006 02:50:00 UTC | Comments [0] | Personal
# Friday, February 10, 2006
Update (2006-02-13): okay, so half that stuff doesn't seem to be working properly...grrrrr...I'll look into it and update this post when everything is behaving properly.
 
A couple of changes have been made to this site design...not really sure whether I'll keep them.  Mostly just playing around right now.
 
Summary of changes:
  • Added RSS <link/> element to /default.aspx.  Need to add one to /announcements.aspx too.
  • Put some content on the Extranet page.  You can grab the root certificate if you feel like trusting me to issue digital certs...
  • Removed "ntldr.net: the site" banner (it annoyed me today...no real other reason).
  • Changed underlying SharePoint theme from "vNext" to "Glass", since having big black boxes/bars didn't look so good to me (and I never got around to fixing things up to look nice with "vNext").
 
Sidenote: I know that /default.aspx doesn't render properly in IE7.  I have no idea WHY right now, and it probably isn't just IE7 that has problems (although IE6 seems to work correctly).
 
Anyway, any thoughts on it?
Friday, February 10, 2006 18:00:00 UTC | Comments [0] | Personal
# Wednesday, February 01, 2006
 
Follow the two links in the post...
 
Context update: this was one of the fun things I found during OS's today, thus proving (again) that having PowerPoint slides available for a class leads to decreased attention.
Wednesday, February 01, 2006 18:05:00 UTC | Comments [0] | IT
Another Algorithms assignment due today, so I'm still basically brain dead.  But I installed the IE7 Beta 2 Preview, and thought I should at least test out if parts of my site still worked...
 
IE7 Beta 2 Preview is out...get it at www.microsoft.com/windows/ie if you're feeling adventurous and stupid (note the AND on those two conditions at the current time).
 
Funny post: http://kupek85.livejournal.com/71090.html.  I found it funny at least.  Preliminary feedback from testing on IM subjects indicates that part of the humour comes from knowing the people in the post.
 
Ah, the sorry state of local bloggers/information distribution/the level of attention I pay to Purdue announcements: I found out about the audio recordings for lectures from a blogger in Seattle...the recordings from the university I'm currently attending.  Yeah...  http://blogs.msdn.com/nadyne/archive/2006/01/25/517880.aspx  (direct link for the media: http://boilercast.itap.purdue.edu:1013/Boilercast/Index.html)
 
And the results from the logs for January are in...#1 most read post (as measured by people actually clicking on the link and reading the post) was ID81: Donut-ilicious (www.ntldr.net/Blog/DispForm.aspx?ID=81).  I have no idea why.  Explanations are welcome, especially funnier ones.  Or ones that actually make sense.
Wednesday, February 01, 2006 06:00:00 UTC | Comments [0] | Purdue
# Monday, January 30, 2006
It's been a while since I last posted about my adventures at work with Solaris.  The optimistic amongst you may have just figured "hey, he got it working and is being snobbish about sharing the tricks to it with us."  Oh how I wish that were the case...instead, it's been dragging out, sitting there half complete while other stuff comes up.
 
It's been half complete because it was going nowhere.  And has continued to go nowhere.  But the monitor for the one Sun system has been sitting on my desk, glaring at me and serving as a constant reminder of my shame & failure.
 
High points: I got Samba working!  Single sign-on!  whoo-hoo!  Better yet, it stayed working.  Until we upgraded the DC's, which now run Windows Server 2003 R2.  Crap.
 
See, in Server 2003 R2 the schema changed to be RFC 2307 compliant: the POSIX attributes (uidNumber, gidNumber and friends) now live in the standard RFC 2307 attributes rather than the older Services for UNIX ones.  That means the built-in OS tools for managing Unix identity attributes no longer write the attributes that Samba's winbindd was configured to pick up.  So effectively, Samba has stopped working as desired.
 
So after looking at the current state of things, and what was actually needed, and my available options, I decided to scrap the whole lot.  And so, in 10 minutes of using Windows to set things up, and another 3 hours on Solaris, I'm almost back to where I was with Samba for integrated authentication.
 
Steps to retrofit NIS onto Solaris:
  • Edit /etc/hosts to contain the NIS servers
  • Create a /etc/defaultdomain file containing the NIS domain name
  • Run "ypinit -c"
  • Edit /etc/nsswitch.conf to contain entries for NIS as needed (this part isn't exactly working for me quite yet...)
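
Scripting the four steps above, as an added example that is not part of the original post: the functions edit the files under an assumed ROOT prefix (empty for the real /etc) so the whole change can be rehearsed against a scratch directory before it is run on the Solaris box, and each edit is idempotent so the script can be re-run. ypinit -c is interactive (it asks for the server names), so it is only invoked when DRY_RUN is 0. The NIS domain, server address and server name are constructed placeholders.

```shell
#!/bin/sh
# Added example, not the original post's code.  ROOT and DRY_RUN are
# assumptions for rehearsal: leave both unset to operate on the real /etc.
ROOT="${ROOT:-}"
DRY_RUN="${DRY_RUN:-0}"      # 1 = skip the interactive ypinit -c step

# nis_add_host IP NAME: add a NIS server to $ROOT/etc/hosts unless a line
# already ends with that name (NIS must resolve its servers before NIS is up).
nis_add_host() {
    _hosts="$ROOT/etc/hosts"
    grep -q "[[:space:]]${2}$" "$_hosts" 2>/dev/null && return 0
    printf '%s\t%s\n' "$1" "$2" >> "$_hosts"
}

# nis_set_domain DOMAIN: /etc/defaultdomain is a single line with the
# NIS domain name; trailing whitespace there is a classic source of pain.
nis_set_domain() {
    printf '%s\n' "$1" > "$ROOT/etc/defaultdomain"
}

# nis_set_source DB SOURCES: make the DB line of nsswitch.conf read
# "DB: SOURCES", replacing an existing line or appending a new one.
nis_set_source() {
    _conf="$ROOT/etc/nsswitch.conf"
    [ -f "$_conf" ] || : > "$_conf"
    if grep -q "^$1:" "$_conf"; then
        sed "s/^$1:.*/$1: $2/" "$_conf" > "$_conf.tmp" && mv "$_conf.tmp" "$_conf"
    else
        printf '%s: %s\n' "$1" "$2" >> "$_conf"
    fi
}

# nis_source DB: print the sources configured for DB, to verify the edit.
nis_source() {
    sed -n "s/^$1:[[:space:]]*//p" "$ROOT/etc/nsswitch.conf"
}

# nis_client_setup DOMAIN SERVER_IP SERVER_NAME: the procedure, in order.
nis_client_setup() {
    mkdir -p "$ROOT/etc"
    nis_add_host "$2" "$3"
    nis_set_domain "$1"
    # ypinit -c prompts for the list of NIS servers; run it by hand.
    if [ "$DRY_RUN" = 0 ]; then
        ypinit -c
    fi
    # files first so root and local accounts still work without NIS;
    # dns last on hosts so name lookups survive a NIS outage.
    nis_set_source passwd "files nis"
    nis_set_source group  "files nis"
    nis_set_source hosts  "files nis dns"
}

# Example (constructed values):  nis_client_setup nis.example.com 10.0.0.5 nis1
```

Solaris also ships /etc/nsswitch.nis as a ready-made template, so copying it over nsswitch.conf is the other route; the per-database edits above are for the case where only some lookups should go to NIS. NIS itself authenticates neither client nor server, so on the server restrict which networks may bind to the domain in /var/yp/securenets.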

Useful sites:

http://technet2.microsoft.com/WindowsServer/en/Library/05e70117-b880-448b-9f89-6d637a402d5e1033.mspx

Monday, January 30, 2006 04:25:00 UTC | Comments [0] | SSCI
# Wednesday, January 25, 2006
The PKI system I have on my computers has been upgraded: it now has 1 working smart card that I'm using for testing & evaluation!
 
The smart card is an Axalto Cryptoflex 32k e-gate.  The certificate server is Windows Server 2003 Certificate Services.  The client is straight Windows XP SP2 (no additional Axalto CSP, so I had to use their Personalization tool to format it for Windows 2000 compatibility).
 
Now, there was one tiny problem I've run into.  When trying to request a new certificate using certmgr.msc, it would always generate the error "Certificate request could not complete.  The specified user was not found." (or something along those lines).  After combing the event logs, doing a number of web searches, and examining every nook and cranny of the Certificate Process, I found the solution.
 
It turns out the user requesting the certificate can't be logged in using the UPN (username@domain).  You have to log in with the domain\username form, i.e. username, password and domain as separate fields.
Wednesday, January 25, 2006 06:40:00 UTC | Comments [0] | IT
# Saturday, January 21, 2006
At work we bought two new servers to replace our 5-6 year old DC's.  I got most of the OS installed last weekend, and got the go ahead today to bring one of them up as a DC in the domain.
 
So I ran dcpromo.exe, walked through the wizard, and let it do its thing.  After 5 minutes or so, it failed, saying the schema was out of date and needed to be updated.  Which was funny, because it's a Windows Server 2003 SP1 domain, and I thought that Windows Server 2003 R2 was the same core OS as 2003 SP1.  Well, it turns out that at least the AD components in R2 are newer (to support the Federation Services?  or maybe the Integrated Unix Authentication?).
 
However, running adprep.exe from Disc 1 didn't help, since it kept saying the schema was up to date.
 
Well, it turns out there's ANOTHER adprep.exe that has to be run.  It's located on DISC 2 under the \CMPNTS\R2\ADPREP folder.  So "adprep.exe /forestprep" (on the schema master) and, curiously for our domain, "adprep.exe /domainprep /gpprep" need to be executed before dcpromo will work.
 
Next time, I'll try looking at the docs before doing something I've done dozens of times before...
Saturday, January 21, 2006 03:45:00 UTC | Comments [0] | IT
Well, I got IPSEC to work.  Finally.  Actually, it only took about a week...there just happened to be this thing called "winter break" and "classes start again" immediately after I got everything working.
 
So, how did I manage to do it?
 
  1. Use certificate authentication, not Kerberos.
  2. Disable the "map certificates to accounts" setting, otherwise it seems a UNencrypted connection to a DC is needed, just like with Kerberos.
  3. Somehow keep all the computers you're trying to configure from locking while you're in the middle of setting everything up, because it's likely that if that happens, and you have applied the MS Windows Server 2003 Security Guide recommendations, then you'll be screwed and unable to access the server you're in the middle of configuring.  Yes, this happened to me, and no, I never want to go through that experience again.
  4. Become familiar with "net stop policyagent", as it can save you when things get screwed up.  Basically, it turns off IPSEC enforcement/usage, allowing the computer to communicate with the DC (maybe).
  5. If you see someone like MS doing something with IPSEC, like exempt DC's & DNS servers from policy, PAY ATTENTION.  THERE IS A REASON THEY DID THAT.  Whatever you do, don't think you're smarter than the people who wrote those papers, especially since their implementation actually works.

So, those are my tips on how to get it working with Windows Server 2003 SP1 and Windows XP SP2.  Anyone else got any advice?

Saturday, January 21, 2006 03:35:00 UTC | Comments [0] | IT
# Friday, December 16, 2005
You may have noticed the site being up & down (mostly down though) for the last week and a half.  Site performance has also decreased now that it's back up.
 
This is because IPSec is the worst thing EVER.  And I mean that.  Literally.
 
IPSec sits at the IP layer and provides encryption and authentication for IP traffic.  So it can do things like have every TCP packet from the Internet encrypted using 3DES, with the sender and receiver authenticating to each other via Kerberos (during the IKE negotiation).  So far, so good.  Sounds like a wonderful technology: all you have to worry about are IP spoofing, hardware hacking, and Layer 2 attacks (like ARP poisoning).  Everything above that stuff is always encrypted and always authenticated, at least for the traffic the policy covers; anything you exempt from the policy still travels in the clear.
 
Except, it turns out to be incredibly hard to actually use.  Sure, it starts simple enough: assign one of the predefined policies that sounds like it's the correct choice, like "Client" or "Require Security".  But then you apply that setting...and find out you can't log into the computer anymore, can't get the computer to recognize that you've fixed the policy so that you could actually login, and then find out you can't actually pull the broken policy off because the IPSEC driver has now gone into BLOCK mode, and is denying every attempt to connect.
 
Even worse is what happened to me.  It seemed to work fine for the servers for a day or two.  Then they started having those problems.  Even more confusing, they'd do this when configured to use Certificate based authentication.
 
Even more frustrating is that I have the PolicyAgent ("IPSec Services") startup controlled via GPO's.  So when I finally did manage to get the service stopped and everything talking once again, the next GP application came around and fired it right back up.  While the console was locked.  With the "Require Domain Controller authorization to unlock workstation" setting enabled.
 
Oh, and this is all happening during finals week (well, actually, it started the week before finals; it just took me a while to notice).
 
Understand why IPSec is the worst thing ever?
Friday, December 16, 2005 22:25:00 UTC | Comments [0] | IT
About the author
Jeffrey Stults
Jeffrey Stults is a software developer currently in Portland, Oregon. He is contactable at:
stultsj@ntldr.net
Disclaimer
The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.
© Copyright 2012
Jeffrey Stults, Jr.