Last year I blogged about using server side includes in web pages. My SSI code has all been working well on my ISP’s Apache servers, but my development server runs under IIS 5 on Windows 2000. Even with the default document list set to include index.shtml, I was getting HTTP 404 errors for pages that I knew existed. I checked that I had application mappings in place for .shtml files, but what none of the documentation told me was that I needed to change the executable path for .shtml from %systemroot%\System32\inetsrv\404.dll to %systemroot%\System32\inetsrv\ssinc.dll. Once I had made that change, everything jumped into life and my dynamic pages were served as expected.
Author: Mark Wilson
-
Tracking down the vendor portion of a MAC address
I was trying to track down the source of an IP address conflict earlier today and I came across two sites offering a search service for the initial 24-bit (6 digit hexadecimal) vendor portion of an Ethernet media access control (MAC) address. The IEEE service is the official one, from where you can also download the complete listing, but MAC finder is also useful as you can add ?string=00%3a00%3a00 to the end of the URL (replacing the zeros with the appropriate hexadecimal digits).
-
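As an added illustration of the MAC vendor lookup above (my own example, not from the original post or either lookup site), this Python snippet normalises the common MAC address notations, extracts the 24-bit vendor prefix, builds the ?string=00%3a00%3a00 query string, and flags locally administered addresses, for which an OUI lookup is meaningless. The OUI_TABLE entries are a constructed stand-in for the IEEE listing.

```python
import re
from typing import Optional

# Constructed sample standing in for the downloadable IEEE OUI listing.
# Verify any real prefix against the IEEE service before relying on it.
OUI_TABLE = {
    "00005E": "IANA (constructed sample entry)",
    "000C29": "VMware, Inc. (constructed sample entry)",
}


def _hex_digits(mac: str) -> str:
    """Strip colon, hyphen and Cisco dotted separators; insist on exactly 48 bits."""
    digits = re.sub(r"[:\-.]", "", mac.strip()).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits


def mac_to_oui(mac: str) -> str:
    """Return the vendor portion (first three octets) as six upper-case hex digits."""
    return _hex_digits(mac)[:6]


def is_locally_administered(mac: str) -> bool:
    """Bit 1 of the first octet set means the address was assigned locally
    (virtual NICs, cloned MACs), so the vendor prefix identifies nothing."""
    return bool(int(_hex_digits(mac)[:2], 16) & 0x02)


def mac_finder_query(mac: str) -> str:
    """Build the ?string= parameter in the colon-separated, %3a-encoded form
    shown in the post, e.g. ?string=00%3a0c%3a29."""
    oui = mac_to_oui(mac).lower()
    octets = [oui[i:i + 2] for i in range(0, 6, 2)]
    return "?string=" + "%3a".join(octets)


def vendor_for(mac: str, table=OUI_TABLE) -> Optional[str]:
    """Look the vendor prefix up in the table; None for unknown or locally
    administered addresses."""
    if is_locally_administered(mac):
        return None
    return table.get(mac_to_oui(mac))


if __name__ == "__main__":
    for sample in ("00:0c:29:ab:cd:ef", "000c.29ab.cdef", "02-00-00-00-00-01"):
        print(sample, mac_to_oui(sample), mac_finder_query(sample), vendor_for(sample))
```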
Disabling the Shutdown Event Tracker in Windows Server 2003 (and XP)
I run Windows Server 2003 on my work laptop (largely because I’m getting up to speed with Windows SharePoint Services right now). I find that pretty much anything designed for Windows XP runs under Windows Server 2003, but there are some configuration differences out of the box. One of these is the shutdown event tracker – a useful feature on enterprise servers, but not so useful for me on my everyday laptop – so I was pleased to stumble across Microsoft’s advice on configuring the shutdown event tracker, including how to disable it. Interestingly, Microsoft knowledge base article 293814 reports that the functionality is also available in Windows XP but is disabled by default.
-
(Finally) joining the iPod generation
There. Done it. Bought an iPod Mini on the way out of Heathrow this morning…
(and my iTrip Mini should be in the post later today…)
So I finally joined the iPod generation (and I’m well impressed). Okay, so the software setup had a few hiccups on Windows Server 2003 – but that is an unsupported platform after all. I still got up and running pretty quickly. I know I’ve previously expressed concerns about Apple’s use of its proprietary AAC format, but Stuart pointed out to me that iPods can also play MP3 at up to 192kbps and let’s face it, Apple products are very stylish.
Right… off to find some good podcasts for the flight back home tomorrow…
-
I’m famous (sort of)
Some people have commented that I may be a little biased towards Microsoft… and whilst at times that may be a fair comment, if you look at my computers you will see that I use various open source programs, I do criticise the software giant from time to time and, let’s face it, I work for a systems integrator, primarily focusing on building solutions using Microsoft infrastructure products.
I also have a tendency to use my blog as a dumping ground for notes after I attend events, which seems to have caught the attention of the IT professional technical evangelist team at Microsoft UK (hopefully not too annoyed at the plagiarism of their presentations). Last month, they created a new blog on the TechNet web site for articles contributed by “industry insiders” – people who don’t work for Microsoft, but who have real world experience of implementing Microsoft products, possibly even in conjunction with competitive products from other vendors – and yesterday, after a couple of weeks of discussions, Steve Lamb posted what I hope will be the first of many contributions from yours truly.
-
Installing and verifying the configuration of an ISA Server 2000 array
Just over a year ago, I posted a blog entry which gives a 10,000-foot view of Microsoft ISA Server 2000. I haven’t done anything with ISA Server since then but over the last few days, I’ve been installing a new ISA Server 2000 array into an existing enterprise for a client.
Nothing too complicated about that – once I had secured the network interfaces and installed the ISA servers, there were just a few extra settings to configure (see getting started with ISA Server) to ensure that the new array would allow outbound traffic, but I did start to doubt myself when my test clients were receiving error 10060 connection timeouts (although the logs from the upstream firewall reported that it was letting the outbound requests pass). It transpired that there was an issue with the ISP’s network, but as anyone who has ever been in that situation will know, convincing an ISP that there is a problem at their end is not always easy, and I also asked two of my colleagues to check my configuration (just in case!).
Although I installed in integrated mode (for future flexibility), my client only needed the caching functionality, so I stopped and disabled the Microsoft Firewall service. Everything seemed fine as the clients were connecting okay via HTTP, HTTPS or FTP and the upstream firewall logs reported all the client requests as coming from my proxy servers; but I wanted to be sure that the array servers were co-operating and that the cache was being populated as my test clients hit the new array.
Understanding how the client requests are processed is straightforward – by default, ISA Server maintains a log file in %programfiles%\Microsoft ISA Server\ISALogs\, which for the Microsoft Web Proxy service is named webextdyyyymmdd.txt. This file contains a whole host of information about requests received and how they were answered, including a useful field called s-object-source, which shows where the request was retrieved from (e.g. “member” for another member of the array, “inet” for the Internet or “cache” for the ISA Server cache – full details can be found in the Microsoft Internet Security and Acceleration Server Enterprise Edition product documentation). From looking at the ISA Server logs, I was confident that both servers were working, and resolving requests between one another using the cache array routing protocol (CARP) but I still wanted to check that the caches on both of the ISA Servers in the array were being populated.
Microsoft provides a useful utility with ISA Server 2000 – the ISA Server Cache Directory Tool (cachedir.exe), found on the ISA Server CD in the \support\tools\troubleshooting\ folder. Once copied to the ISA Server folder (by default, %programfiles%\Microsoft ISA Server\), this can be used to view the contents of the cache. I could see some entries in the cache on one server, but not the most recent requests, and running the tool on the other server returned an empty cache. Then I remembered that ISA server caches in memory first (by default 50% of available RAM), and only uses (slow) disk cache when the (fast) memory cache is full. The different results on each server were because I had restarted the Microsoft Web Proxy service on one server but not on the other. Once I restarted the Microsoft Web Proxy service on the second server, I could see all of the expected cache entries on disk as the memory cache is flushed to disk when the Web Proxy service is stopped. For reference, the ISA Server documentation gives an explanation of the ISA cache files.
All in all, it has been a successful implementation, if slightly protracted by the ISP issues and my stupidity around cache contents. Now I can put those issues down to experience, but I thought posting them into the blogosphere might help out some other poor soul with an ISA server to configure in a hurry.
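The Web Proxy log is the reliable way to verify cache and CARP behaviour, because it records “cache” hits served from memory that cachedir.exe will not show until the service is stopped. As an added example (my own code, not part of the ISA Server toolset), this Python script parses a W3C-style log with a #Fields header, counts the s-object-source values per array member, and flags a member that has not yet served anything from cache or fetched via its peer. The SAMPLE_LOG is constructed with a reduced field list; the parser keys off the #Fields line, so it works on the full webextdyyyymmdd.txt column set too.

```python
from collections import Counter, defaultdict
from typing import Dict, Iterator, List

# Constructed sample in W3C extended format (real logs carry many more fields).
SAMPLE_LOG = """\
#Software: Microsoft(R) Internet Security and Acceleration Server 2000
#Version: 1.0
#Fields: c-ip date time s-computername cs-uri s-object-source sc-status
10.0.0.21 2005-05-01 09:00:01 ISA1 http://www.example.com/ inet 200
10.0.0.21 2005-05-01 09:00:05 ISA1 http://www.example.com/ cache 200
10.0.0.22 2005-05-01 09:00:09 ISA2 http://www.example.com/ member 200
10.0.0.22 2005-05-01 09:01:00 ISA2 http://www.example.org/ inet 200
10.0.0.23 2005-05-01 09:01:03 ISA1 http://www.example.org/ member 200
"""


def parse_w3c_log(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per request line, using the #Fields directive for column names."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("request line appears before the #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # skip a damaged line rather than mis-assign columns
        yield dict(zip(fields, values))


def object_source_summary(text: str) -> Dict[str, Dict[str, int]]:
    """Per array member: how many requests came from inet, cache or another member."""
    summary: Dict[str, Counter] = defaultdict(Counter)
    for rec in parse_w3c_log(text):
        summary[rec["s-computername"]][rec["s-object-source"]] += 1
    return {server: dict(counts) for server, counts in summary.items()}


def carp_health(text: str) -> List[str]:
    """Every member of a two-server array should have served from its own cache
    and routed at least one request to its peer (source 'member') once warmed up."""
    problems = []
    for server, counts in object_source_summary(text).items():
        if counts.get("cache", 0) == 0:
            problems.append(f"{server}: no cache hits yet")
        if counts.get("member", 0) == 0:
            problems.append(f"{server}: never fetched from the other array member")
    return problems


if __name__ == "__main__":
    print(object_source_summary(SAMPLE_LOG))
    print(carp_health(SAMPLE_LOG) or ["array looks healthy"])
```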
-
RSS and Atom aggregator web part for SharePoint
One of the most useful web parts that I’ve seen for SharePoint is FeedReader, from Smiling Goat. It is, quite simply, an RSS and Atom aggregator for SharePoint sites, implemented as a web part that can consume multiple feeds and represent them in a clear, concise view with a number of display and formatting options. Best of all, it is free! The screen shot below is an example on my Windows SharePoint Services site:

Like many free web part downloads, installation is not as simple as running the supplied Windows Installer (.MSI) file; however it only requires one command – registration of the web part using the stsadm.exe tool which is part of Windows SharePoint Services, found at %programfiles%\Common Files\Microsoft Shared\Web Server Extensions\60\BIN\. The full command for installation is stsadm -o addwppack -filename "C:\Program Files\Smiling Goat\FeedReader\smilinggoat.feedreader.cab" -globalinstall -force, after which it is available for import into a web page.
Now all I need to do is to find something just as good (and that is browser agnostic) to use in static HTML pages.
(Purely co-incidentally, my RSS and Atom aggregator of choice is also called FeedReader, although apart from its purpose, it is a totally unrelated product).
-
An introduction to blogcasting
I suffer from information overload. I don’t read half my e-mails, and much of the syndicated weblog content that I subscribe to passes me by too. I’m a family man, with little time right now for much else apart from baby talk, nappies, mowing the lawn and maybe a bit of DIY when I’m not working (alright, perhaps a few hours of watching the telly each week); however, I do spend a lot of time in the car (perhaps as much as 20 hours some weeks) and a couple of weeks back, Alex introduced me to the idea of podcasting.
Now, I was fairly late onto the blogging bandwagon, and I’m probably a bit behind the times with podcasting too, but after some initial scepticism (I tended to agree with Anu Gupta and Paulo Valdemarin), I’ve come around to the view that it’s a great idea! In fact, I think it’s such a good idea that I’m seriously considering buying an iPod and an iTrip (one of those tune-your-car-radio-into-an-iPod-gadget-thingies) so that I can listen to podcasts instead of Terry Wogan or Today on my way to work (what does that say about my listening habits?) – although I’ll probably still pick up the BBC Radio 4 comedy on my way home. I have no intentions of creating such content myself (I lose enough of my bandwidth to weblogs as it is, without going multimedia, and besides which, who wants to hear my voice!), but sites like liberated syndication provide a hosting service for podcasters and it was one of their sites that sold me on this idea – How to pour the perfect Guinness from Tod Maffin’s How to Do Stuff site (thanks to Owen for the original link).
On a similar note to the podcasting idea (but requiring full attention as they are generally video-based), the IT professional technical evangelist team at Microsoft UK have begun to produce blogcasts. It was Eileen Brown that initially alerted me to this, but Steve Lamb has started to blogcast too and now a blogcast repository has been created. Well worth a look for a quick demonstration of how to do something.
-
Handy little 10/100 Ethernet switch
Sometimes, when I’m on a client site, I think that it would be really useful to have an Ethernet switch with me but generally they are too big to carry around (even my excellent NetGear DS108 hub is a bit on the chunky side).
Then, last week, I spotted one of my colleagues using a small network switch, about the size of a packet of cigarettes, with four ports (plus uplink). It turns out to be a GS-SW005 10/100Mbps switch from Gigabyte Technology. Now I’ve got one and it’s great! Although it is supplied with a DC power adapter, it was the USB power cord that sold it to me, meaning one less power supply to carry around. I got mine from Scan Computers although for a £24.68 item I thought £10 for shipping was a bit steep (and even the £24.68 is a bit high considering it is also available in Australia for just AUS$20).
One word of warning – the product no longer appears on the Gigabyte Technology website, so it may have been discontinued; even so I would certainly recommend it to anyone who frequently needs to create ad-hoc networks for PC builds, demonstrations, or when working in a meeting room with only a single live network port.
-
Overview of Active Directory Application Mode
I recently blogged about Microsoft Identity Integration Server (MIIS), which is Microsoft’s platform for connecting directory enabled applications and facilitating identity management. For organisations that require flexible support for directory enabled applications and for which organisational constraints or schema issues prevent the use of Active Directory (AD), Microsoft has developed Active Directory application mode (ADAM).
ADAM is a lightweight directory access protocol (LDAP) directory, providing many of the features of AD, but which can be used to support directory enabled applications that are not considered safe for use with AD. Although AD was designed to be extendable, possible concerns over safety could include:
- Unacceptable schema changes.
- Security risks.
- Directory management requirements.
- Development requirements.
ADAM runs as a user service (rather than as a system service) and multiple instances can be run concurrently on a single computer, with an independent configuration for each instance. Unlike AD, ADAM doesn’t have any dependencies on the domain name system (DNS) or file replication service (FRS). Instances that share the same configuration and schema can be added to a configuration set and will replicate changes to one another; however ADAM cannot replicate with AD – instead, there is a beta tool called the Active Directory to ADAM Synchronizer that provides one way synchronisation from AD to ADAM.
On the client side, ADAM supports any client that is written to the LDAP v3 technical specification as well as Active Directory service interfaces (ADSI) for clients from Windows 2000 onwards.
To illustrate where ADAM might be useful, here are three example scenarios:
- The first scenario is an intranet portal application for users that have been authenticated by AD. Because ADAM is integrated with the Windows security model, any application that is deployed using ADAM can authenticate access against AD across the enterprise. Global data is stored in AD, whilst application-specific data is stored in ADAM. As the application uses AD for authentication it doesn’t need to maintain its own database of user IDs and passwords (although this is supported if required) and because ADAM is used for the application’s personalisation data, there is no need to extend the AD schema. Different departments using the application may have different schema requirements and apply different business logic to directory data. The answer to this is ADAM’s support for multiple instances, each with their own schema, without needing to modify the enterprise schema or to manage yet another set of user accounts and passwords. These isolated ADAM instances may be deployed and managed locally or centrally.
- The second scenario is a web portal application that handles extranet access management. In this case the portal directory is used for authentication purposes only. ADAM can be used to store application information, while authenticating user objects using LDAP simple binds, allowing ADAM to work in heterogeneous environments and in situations where AD is not present (or is deliberately segregated).
- The final scenario considers an organisation in the process of migrating to AD but which still has applications that rely on an X.500 naming convention or directory. ADAM can serve as an interim solution to support the legacy applications through the migration process while using AD for user authentication and a shared security infrastructure. Optionally, MIIS can be used to transform identity information between AD, ADAM and any other identity stores in use. By using a single directory technology for both the network operating system and application directory needs, overall infrastructure costs are reduced as additional investments are not required for training, administration, or management of the application directory. The LDAP, ADSI, and directory services markup language (DSML) application programming interfaces are also equivalent between the two directory services, so that applications may be built on ADAM and then migrated to AD as needed, with minimal change.
By using ADAM to isolate application-specific information from AD and for simple authentication for extranet applications, organisations are able to develop, deploy and manage directory-enabled solutions without the need to create separate user databases or change the schema of AD to support each application. Because the ADAM directory can easily be installed, reinstalled, or removed, it may be considered for deployment with an application.
Similar to the partition structure in AD, ADAM consists of a number of naming contexts (NCs), which are:
- Configuration NC – CN=Configuration,CN={GUID}
- Schema NC – CN=Schema,CN=Configuration,CN={GUID}
- One or more application directory partitions (ADPs), e.g. cn=partition1,dc=markwilson,dc=co,dc=uk.
The configuration and schema NCs are provided by default and are automatically configured, with the application directory partitions specified by the administrator. Note that they are defined by an instance GUID, and not using DNS names. Because it is an LDAP directory, ADAM can also support X.500 names for integration with legacy applications (LDAP was designed as a lightweight version of the X.500 directory access protocol).
ADAM can be installed on computers running any version of Windows XP or Windows Server 2003 (32- or 64-bit) and does not require a forest, domain, or domain controller, so it can be installed on computers that are configured as domain controllers, domain members or workgroup members.
During installation the only options required are:
- Acceptance of the license agreement.
- Whether or not to install the ADAM administration tools.
- Whether to install a unique instance, or a replica of an existing instance.
- Instance name (a service will be created named ADAM_instancename).
- LDAP and SSL port numbers (389 and 636 by default, but these should be changed to high numbered ports if AD is or will be installed on the same computer).
- Whether or not to install an ADP (and if so, the ADP name) – some applications will create their own ADP on installation.
- Data and data recovery file locations (by default, %Program Files%\Microsoft ADAM\instancename\data).
- Service account information (network or a specified account).
- ADAM administrator details.
- Any lightweight directory interchange format (LDIF) files to extend the application partition schema – these can also be imported at a later time, using LDIF directory exchange utility (ldifde.exe).
Once installed, ADAM has a limited toolset, with ADAM ADSI Edit, ADAM Help and the ADAM Tools Command Prompt. Many of the command prompt tools have the same names as their AD counterparts, so it is important to use the correct command prompt.
ADAM security is based on the AD model, with the majority of default permissions set on the NC head for a number of default groups, held in the roles container for each partition. For an application directory partition, the default groups are Administrators, Readers and Users. There is no user interface for setting security; instead the ADAM version of the dsacls.exe support tool is used, although the ldp.exe support tool is useful for viewing security descriptors. An LDAP simple bind is used for ADAM security principals, whilst for Windows security principals, a simple authentication and security layer (SASL) bind is used (either Kerberos or NTLM) and there is also provision for binding to ADAM and redirecting to AD via an ADAM proxy object. Anonymous access is also available, controlled using the dSHeuristics flag (in the configuration directory partition – CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,CN={GUID} – on which various bits are set to indicate various directory operations, detailed in the product documentation).
Although ADAM cannot replicate objects to and from AD (for that, either MIIS or the Identity Integration Feature Pack for Active Directory is required), the AD to ADAM Synchronizer allows application administrators and developers to use an XML configuration file and a scriptable command line interface to specify a filtered and scoped subset of data to be pulled from AD to ADAM.
No data is written back to AD and the objects and values in ADAM are not transformed in any way. Object or attribute based evaluation rules cannot be implemented and values from the source (AD) are authoritative. While the application may extend the data stored in ADAM, any shared data will be overwritten on subsequent runs, with data values from AD.
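Because anonymous access to an ADAM instance is switched on by a single character in dSHeuristics, it is worth being able to read that attribute and state plainly what it permits. The following Python is an added example of mine, not part of ADAM or the product documentation: paste in the dSHeuristics value read from the CN=Directory Service object named above (with ldp.exe, ADAM ADSI Edit or any LDAP v3 client) and it reports whether anonymous LDAP operations (7th character set to 2) and List Object mode (3rd character set to 1) are enabled, and whether the check digits every tenth position must carry are intact. Only those positions are interpreted; the remaining characters are left to the documentation.

```python
from typing import Dict

# Positions are 1-based, as the documentation numbers them. An unset attribute
# or a value shorter than a position is treated as '0' (the default).
LIST_OBJECT_POSITION = 3   # '1' turns on List Object access-check mode
ANON_LDAP_POSITION = 7     # '2' allows anonymous LDAP operations beyond rootDSE


def _char_at(value: str, position: int) -> str:
    return value[position - 1] if len(value) >= position else "0"


def validate_check_digits(value: str) -> bool:
    """Every 10th character must equal its position divided by 10
    ('1' at position 10, '2' at position 20, ...); a mangled value fails here."""
    for pos in range(10, len(value) + 1, 10):
        if _char_at(value, pos) != str(pos // 10):
            return False
    return True


def anonymous_ldap_enabled(value: str) -> bool:
    return _char_at(value, ANON_LDAP_POSITION) == "2"


def list_object_mode(value: str) -> bool:
    return _char_at(value, LIST_OBJECT_POSITION) == "1"


def audit_dsheuristics(value: str) -> Dict[str, bool]:
    """Summarise the settings a reviewer of an ADAM instance cares about first."""
    value = (value or "").strip()
    return {
        "check_digits_ok": validate_check_digits(value),
        "anonymous_ldap": anonymous_ldap_enabled(value),
        "list_object_mode": list_object_mode(value),
    }


if __name__ == "__main__":
    # Constructed sample values; read the real one from the instance.
    for sample in ("", "0000002", "0010002001", "0000002000"):
        print(repr(sample), audit_dsheuristics(sample))
```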
Using the ADAM synchronizer involves:
- Extending the ADAM schema to support the ADAM synchronizer along with the attributes and objects that are to be imported.
- Setting the appropriate fields in the ADAM synchronizer’s conf_public.xml file and loading the file.
- Running the synchronisation.
ADAM looks to be a useful addition to the Microsoft directory services toolset. I only wish that some of the Microsoft applications used it so I could avoid extending the AD schema for them (e.g. Exchange, ISA Server and SharePoint Portal Server).
Credits
Although I have provided additional information from my own research, the inspiration for this blog post was a seminar hosted by Microsoft, during which John Craddock and Sally Storey from Kimberry Associates presented on stretching directory boundaries: cross platform identity management, authentication and security. The ADAM deployment scenarios above were taken from Microsoft’s ADAM overview presentation.