You DO Learn Something New Everyday

In fact, some days you learn two things!  Be warned, techno-speak is about to ensue.

Lately, I’ve been reading a lot about Windows security.  Now, all the books I’ve read that have dealt with authentication bring up the differences between LM, NTLM, NTLMv2, and Kerberos.  The general idea that these books give you is that the LAN Manager and NT LAN Manager authentication methods use a hash or a challenge/response hash, while Kerberos uses time-stamped tickets.  The key word being “time”.  Nowhere in my reading was it brought up that any version of LAN Manager authentication had time involved.

This leads me to my problem yesterday.  We have an NT4 domain set up to mirror a customer’s environment.  This NT4 domain contains many environments for various testing purposes.  One of these purposes is regression testing with date changes.  Prior to this week, changing the date on the machines had been fine.  This week, however, we ran into problems.

Now, for those of you who aren’t familiar with NT4, it uses LM, NTLM, or NTLMv2 (SP4 or above) authentication, which, according to everything I’d read, had no time restrictions, and everybody in the office was in the same boat as me.  In fact, these machines authenticated fine with date changes until this week.  The difference was a security template, given to us by the customer, that we had been applying to all machines.

To begin with, we knew that it was a problem with the security template because non-hardened machines still worked fine with the date change, while the hardened ones would throw errors.  Basically, critical application services couldn’t start after the hardening had happened.  Now, it was my job to figure out what the security template was doing to prevent these services from running.

First I went through the documentation that came with the security template to see what they changed, and tried to find the obvious answer.  Well, of course that didn’t work.  So, instead, I just started changing settings back to the original.  Thankfully I started at the bottom, and four changed settings later, I was at my solution: Network security: LAN Manager authentication level.  The security template was setting it to “Send NTLMv2 response only\refuse LM & NTLM”, while the default setting is “Send NTLM response only”.  The default setting worked, but I wanted to try the two settings between the default and the hardened setting: “Send NTLMv2 response only” and “Send NTLMv2 response only\refuse LM”.  Needless to say, neither of those settings worked either.

Now, you may be thinking that we were having problems with NTLMv2 because our PDC and BDC on the NT4 domain aren’t at SP4 or above.  Bah, I say to that; we’re at SP6, so we can have NTLMv2 authentication on our domain.  So why was the hardened setting, or any NTLMv2 setting for that matter, not working?  Well, after much googling it appears that NTLMv2 is time dependent.  In fact, the NTLMv2 response contains a little-endian, 64-bit signed timestamp (a Windows FILETIME: the number of 100-nanosecond intervals since 1 January 1601 UTC), taken from the client’s clock, so the server can tell how far off that clock is from its own.

Let me tell you how assured I was in the books I was reading after that. 🙄  After reading about this timestamp, we wanted to figure out how much of a time delta NTLMv2 allowed (for purely scientific reasons).  After some testing with the hardened machine, it was concluded that the timestamp in the response cannot be more than 30 minutes ahead of or behind the clock on the challenging machine (in this case the PDC).  So, in our testing, setting the date back a month was obviously well outside this delta.
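To make the timestamp concrete, here is an added example (not code from the original post, and not Microsoft’s implementation) that builds an NTLMv2 response the way MS-NLMP describes it and then checks it the way the PDC evidently did: first the HMAC, then the clock embedded in the blob.  The account name, password, challenges and PDC clock are constructed for the example, and the 30-minute window is the value observed above, modelled as an assumption rather than taken from a specification.  MD4 is implemented inline only because hashlib’s md4 is missing on many current OpenSSL builds.

```python
import hashlib
import hmac
import struct
from datetime import datetime, timedelta, timezone

_M = 0xFFFFFFFF

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _M

def md4(data: bytes) -> bytes:
    """RFC 1320 MD4; needed only for the NT hash (MD4 of the UTF-16LE password)."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", len(data) * 8)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    k3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(16):                       # round 1
            a = _rotl((a + F(b, c, d) + X[i]) & _M, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                       # round 2
            k = (i % 4) * 4 + i // 4
            a = _rotl((a + G(b, c, d) + X[k] + 0x5A827999) & _M, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                       # round 3
            a = _rotl((a + H(b, c, d) + X[k3[i]] + 0x6ED9EBA1) & _M, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        h = [(x + y) & _M for x, y in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)

_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def to_filetime(t: datetime) -> bytes:
    """Windows FILETIME: 100 ns ticks since 1601-01-01 UTC, 64-bit little-endian."""
    return struct.pack("<Q", ((t - _EPOCH_1601) // timedelta(microseconds=1)) * 10)

def from_filetime(raw: bytes) -> datetime:
    return _EPOCH_1601 + timedelta(microseconds=struct.unpack("<Q", raw)[0] // 10)

def nt_hash(password: str) -> bytes:
    return md4(password.encode("utf-16-le"))

def ntowf_v2(nt: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2 per MS-NLMP: HMAC-MD5 keyed by the NT hash over UPPER(user)+domain."""
    return hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()

def ntlmv2_response(key, server_challenge, client_challenge, target_info, client_now):
    """NtChallengeResponse = NTProofStr || temp.  The client's clock goes into
    temp at offset 8, i.e. offset 24 of the response the server receives."""
    temp = (b"\x01\x01" + b"\x00" * 6 + to_filetime(client_now) + client_challenge
            + b"\x00" * 4 + target_info + b"\x00" * 4)
    proof = hmac.new(key, server_challenge + temp, hashlib.md5).digest()
    return proof + temp

# Assumption: the 30-minute window is what the post observed against an NT4 PDC;
# it is modelled here, not taken from a specification.
MAX_SKEW = timedelta(minutes=30)

def verify(key, server_challenge, response, server_now):
    """Server side: check the MAC first, then the clock embedded in the blob."""
    proof, temp = response[:16], response[16:]
    expected = hmac.new(key, server_challenge + temp, hashlib.md5).digest()
    if not hmac.compare_digest(proof, expected):
        return False, "bad NTProofStr (wrong password or tampered blob)"
    client_time = from_filetime(temp[8:16])
    if abs(server_now - client_time) > MAX_SKEW:
        return False, f"client clock off by {server_now - client_time}, limit {MAX_SKEW}"
    return True, "ok"

def demo():
    """Constructed scenario: same account and password, one client in sync and
    one rolled back a month, as the regression tests did."""
    user, domain, password = "svc_app", "TESTDOM", "Password1"       # constructed
    key = ntowf_v2(nt_hash(password), user, domain)                   # both sides derive this
    server_challenge = bytes.fromhex("0123456789abcdef")              # constructed nonces
    client_challenge = bytes.fromhex("fedcba9876543210")
    target_info = b"\x00\x00\x00\x00"                                 # MsvAvEOL only
    pdc_now = datetime(2006, 2, 14, 12, 0, tzinfo=timezone.utc)       # constructed PDC clock
    results = {}
    for label, client_now in (("in_sync", pdc_now + timedelta(minutes=5)),
                              ("month_back", pdc_now - timedelta(days=30))):
        resp = ntlmv2_response(key, server_challenge, client_challenge, target_info, client_now)
        results[label] = verify(key, server_challenge, resp, pdc_now)
    return results

if __name__ == "__main__":
    for label, (ok, why) in demo().items():
        print(f"{label:10s} -> {'ACCEPT' if ok else 'REJECT'}: {why}")
```

Run it and the in-sync client is accepted while the one rolled back a month is refused even though its NTProofStr verifies, which is exactly why the services on the hardened machines failed to start: nothing was wrong with the password, only with the clock.  Note also that because the timestamp sits inside the HMAC-covered blob, a client cannot patch a skewed response by rewriting the timestamp after the fact; it has to have the right time before it answers the challenge.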

Then, later that night I was playing with my ISA 2004 machine at home.  A little background first.  I’ve got multiple websites on multiple machines at the apartment that use port 80, so I’ve been using ISA to publish the websites.  Otherwise, all the sites would have to be on one machine, since the router only supports port forwarding, not host header forwarding.

So, I’ve been dealing with a problem where, whenever I set the firewall rule to “Requests appear to come from the original client”, my website wouldn’t load.  This is a nice feature for stats, so that you can actually see where visitors come from.  For the interim, I’ve had it set to “Requests appear to come from the ISA Server computer”, so everything from referrers to log files shows the IP address of my ISA server, bleh.

Finally, last night, I had time to figure out the problem.  I knew I needed to head over to ISAserver.org, but I didn’t realize how fast it would be to find the answer.  Basically, since my ISA server isn’t acting as the gateway on my network, it can’t be set to make requests appear to come from the original IP: the web server sees the client’s address as the source and sends its replies out through its own default gateway, bypassing ISA, so the connection never completes.  However, by making the ISA server the gateway on my web server, everything works the way I want.  Unfortunately, this means that I can’t route outside of my network from the web server anymore, but since it’s just a virtual machine used to serve static web pages anyway, this isn’t a big deal.

So, to recap, NTLMv2 responses are time sensitive, and ISA must be your web server’s gateway if you want requests to appear to come from the original client.
Published
Categorized as life, work

Puerto Vallarta Pictures

So, you can view about half of the pictures we took in Puerto Vallarta!  I know you’re excited to go see them, so I’ll wait here a few minutes while you go check them out. 

If you want a full-size picture, just click on the medium-sized ones.  These are straight from the camera too.  I tried to filter out some of the really bad ones, but a few are slightly blurry when viewed at full resolution.

Anyway, now it’s time for some Puerto Vallarta statistics.  I’ll create another post for when the other pictures get put up (I have to develop them and then scan ’em in), and that will detail our adventures a little bit more.  Right now I need to finish studying for my elective exam.

  • Total 2 for 1 drink specials we hit up: 2 (I think that’s right)
  • Total times we were asked if we were practicing for our honeymoon: 2 or 3
  • Total times offered pot: 3
  • Total nights there: 4
  • Total days there: 5
  • Total miles flown: 3885
  • Total times we were asked if we were honeymooning: I lost count
  • Total siestas taken: I lost count


Project Server 2003

Let me count the ways Project Server 2003 sucks.

  1. The installation is crazy convoluted
  2. When using the ad sync, first or last name cannot contain a “-”, “[”, “]”, or an extra space at the end
  3. When using the ad sync, display name cannot contain an extra space at the end
  4. There is absolutely no online documentation for problem solving

For those who may be having the same problems I am and can’t find a solution to save themselves: I was getting multiple errors while using the AD Sync tool in Project Server 2003.  Additionally, apparently, you can’t just have it sync with Domain Users, for some unknown reason; it just plain doesn’t work.  However, there are other undocumented “features” like the ones above.

For example, you may get the error:

Component: AD Connector
File: AutoADProcess
Line: -1
Description: CDATA[AD Res Pool Sync – PDS ADD Res failed : USERNAME]

Followed by:

Component: AD Connector
File: AutoADProcess
Line: -1
Description: CDATA[AD Res Pool Sync – failed to issue the PDS Resource Add request]

This error is caused by either problem two or three listed above.  Be sure to run through all usernames that are giving errors and correct them, because it appears as if one error causes the whole AD Sync script to fail.  That’s some quality coding right there.  Good error catching there, MS.  Talk about crazy fun to troubleshoot.

Update 2/21/2006—This post has been updated to NOT break the RSS feed.

Published
Categorized as life, work

MCSE Update

Today marks the fourth completed test since starting in December. My re-evaluation of the situation has given me a goal of being done by the end of March. The way I’ve been rolling through them these last two weeks, I’m not really that worried either.

Unfortunately, because of ordering a book, this fourth test doesn’t mark me getting my MCSA. Instead, I’m not going to get my MCSA until I receive my MCSE. This doesn’t really matter, since my company only cares that I get my MCSE within a year of hire anyway. And since I’m not going to have a problem doing that, I figure that I’ll make my studying easier on myself.

Basically, I’m going for my MCSE:Security, and from what I’ve heard, if you study and pass the 70-299 (elective), you shouldn’t have too much more studying for the 70-298 (required). So far I’ve completed the 70-270, 70-290, 70-291, and 70-293. I’ll study for the two security exams by reading a MS Press Book on the flight to and from Puerto Vallarta (not while I’m there though), which will give me a good running start.

I figure I can get the last test before the two security exams done before I even leave on the 24th, which would get me sitting pretty to have my goal of being done before the end of March.

Update 2/22/06—Only two left now!  :cheese:

Update 3/6/06—Only 1 left for MCSE, and 2 left for MCSE: Security!

Published
Categorized as life, work

Vacation!

Aww yeah, going to Puerto Vallarta on the 24th of February!

It should be fun.  Erin was looking at all-inclusive, but that really wasn’t what I was looking for.  So, instead, I found this nice bed and breakfast that is about 3 blocks from the beach (and the tourists) that we both thought would be fun.  I can’t wait!  :cheese:

Published
Categorized as for fun, life

SuperBowl

Yesterday was the big game.  It wasn’t bad, but then again, I couldn’t care less about the teams.  So, instead let’s talk about the other things surrounding the game.  For those of you who don’t know, I’ve got HD TV at home, connected to a 50” plasma and a receiver for 5.1 surround sound.  Watching any football game in HD is pretty cool, as the audio is mixed so that it actually utilizes all the speakers.  This was the case for the SuperBowl, except for the half time show.  Talk about utter crap.  The music was very muted and sounded like it was coming out of a single speaker.  The crowd noise was coming out of all speakers, but not the actual music.  It’s like they piped the direct feed of the instruments and singing straight out to the nation without any mixing.  It was lifeless and dull to say the least.  I guess I shouldn’t complain, since the audio wasn’t even working at the beginning of the performance.  It took a few lines before we even heard Mick singing.

Oh, and I also loved how in the song “Rough Justice”, ABC decided to censor the word “cocks.” 

One time you were my baby chicken
Now you’ve grown into a fox
Once upon a time I was your little rooster
But am I just one of your cocks

Now on to the commercials.  There were some that I enjoyed, and actually the only ones I remember.  The rest weren’t that great at all.  And for shame to the advertisers out there that are still not shooting and airing their commercials in HD.

FedEx Cavemen
Sprint Crime Prevention Phone
Bud Light Revolving Wall
Ameriquest

Published
Categorized as life

Emigrant Direct

Currently, I use ING for my savings account.  Their interest rates are at 3.8%, but I’ve always been tempted to sign up with Emigrant Direct, since their rates are always higher (currently 4%).  A month ago, I decided to take the plunge and sign up.

To begin with, their signup is a lot more complicated than ING’s.  Good or bad, it just takes a lot longer to actually start making money.  Anyway, you can open an account with no initial deposit.  Since you can’t demo the system before you sign up, I figured this would be a good way to make sure I actually liked what they do, and that I wasn’t jumping into something I didn’t want to be in.

After signing up, you have to attach it to an account so you can get money in and out, and they can authorize the account.  Not a problem.  Since I was going to transfer money out of my ING account to begin with, I put in the account and routing details for it.  I then waited 3 or 4 days until two deposits were done, and then I signed back in to Emigrant to authorize the account.  Unfortunately, that’s not the last step.  Turns out to be able to sign into the account online, you need to wait for your first billing statement to arrive.

So, I wait.

On the 22nd or so, I finally get a statement from them, so I proceed to sign in.  I get a strange error message while signing in, but figure it’s just a glitch since it refreshed on its own, and was gone.  So, after I finally get signed in, I get a “General Error” when I attempt to view my account.  They have a message center, so I fire off an email to figure out what’s going on.  The reply follows.

Dear Customer,
Thank you for your Inquiry.
According to our records, your American Dream savings Account has been closed effective 12/15/2005 due to an initial deposit of “0.00”. After 10 business days of the account at a “0.00” balance, the account will be closed.
However, in order to reopen the account, please mail in a check to the following address.
Mail in a check made out to EmigrantDirect for at least one dollar with your EmigrantDirect account number

Please mail the check to the following address:
EmigrantDirect
ATTN: Communication Department
13 Croton Avenue
Ossining, New York 10562
Thank you for banking with EmigrantDirect
-Shahara H.

Let’s point out what’s wrong with this email, shall we?

  1. My name is not “Customer.”  Is your system so archaic that you can’t retrieve my name from my login ID?
  2. How was I supposed to fund the account when it took > 10 days to receive my mailed bank statement?
  3. Why does your sign up process inform you that you don’t have to fund the account, when you, in actuality, do?

Ok, so those last two weren’t actually part of the email, but they’re implied based on what was offered to me during signup.  And don’t you worry, faithful readers, I emailed Shahara back and let her know how asinine this policy is.

I haven’t yet sent off a check to them, because after looking over the interface, it leaves a lot to be desired.  I can’t even add additional accounts to automatically fund the account.  Or at least, I can’t do that from any of the menus I currently have available.  Maybe someone who has a functioning account can instill a little bit more confidence, but as it stands, I think I may not do anything with Emigrant.

Published
Categorized as life

Back on the Road to MCSE

I’m sure everyone remembers my praise of Microsoft certification tests from the last time I talked about them, but now I come with new-found knowledge and an external pressure (having to get fully certified within one year).  For those of you who don’t know, I’m now an MCP (yes, Nick and Jason, I can do the dance/handshake now).  Actually, I’m closer to being an MCSA than an MCP, but who’s counting.

Now, this may come as a surprise to those I have worked with before, as I don’t hold the tests in very high regard.  This is mostly due to the people who were MCSE certified, and the messes they left me to clean up.  Plus there was the horrible taste in my mouth after I took my first test under a year ago.  Not to give myself excuses, but looking back, that first test wasn’t as bad as I made it out to be.  Yes, I don’t doubt that I should’ve passed, but just reading the book without taking any sort of practice test probably wasn’t the smartest thing to do.  Granted, I did pretty much the exact same thing this time, with minimal (read: about 30 minutes before each test) review for both the Windows Server 2003 and Windows XP exams.  Honestly, I don’t think it has anything to do with the amount of review time I put towards it, and instead how much I’ve actually used the product.

Now, after I’ve completed both of those tests, looking back, I realize it is a fairly decent test.  It shows if you really know the material, I guess.  I think the last time I took it, I was just so nervous, and when I started seeing the complex questions I panicked more than anything.  This time around, I knew that I knew the material, so it was much easier, and quite painless.  However, at the end of the test it was still hard to push the Completed button.

I’m just hoping the other tests I have go just as easily.  I know, though, that I’m going to have to spend more time on each of them instead of just flying off the cuff, as I don’t know as many of the intricacies of AD, networking, etc.  Actually, I tried with the Networking I test, and amazingly didn’t do that badly.  Unfortunately, much like the first time I took the Windows 2003 test, I failed, but by such a small amount that I’m sure if I’d taken it the next day I would’ve passed.  Oh well, such is life.

Four more in 9 months.  It sounds like a long time, but going home and studying is not what I call a fun time.  Hopefully I can mash out a bunch within a week to keep me from spreading it out too much.

Published
Categorized as life, work

Daily Humor

I saw this over at BoingBoing, and couldn’t resist sending it to everyone I knew.  However, I realized there are some of you I may have missed, so I introduce you to the Coyote Hat.

Published
Categorized as for fun, life