joeware - never stop exploring... :)

Information about joeware mixed with wild and crazy opinions...

6/1/2007

Star Wars: The Legacy Revealed

by @ 4:56 pm. Filed under general

I recently watched the show in the subject on the History channel. I found it to be quite interesting but I also found myself asking all through it as the “analysts” told you what George was doing the whole time…

Did George Lucas really think of the myths of the Greeks, Romans, and the Babylonians as well as others when he wrote it and that is what he wrote it to or is this just what people are reading into a story written by someone who was influenced by those things because he was influenced by others who have been influenced by others who have been influenced by others who were influenced by those things?

Don’t get me wrong, I think George Lucas was a genius with that series, but I just don’t expect he did some comprehensive mythos study when he was writing it. I think the really good writers just hit the nerves of the populace intuitively and know how to connect with them. Certainly we don’t enjoy it because we think back to the idea of, wow, Anakin Skywalker is just like Achilles and Padme is like the strong woman characters in Greek mythos.

I think the comparisons to the Nazis and the stuff happening in D.C. and the war in Iraq were more on target.

    joe


Exceptionally well-written Wikipedia article

by @ 11:23 am. Filed under tech

http://en.wikipedia.org/wiki/Extensible_Storage_Engine

Amazing how powerful a database there is that is built right into Windows. Obviously it scales and is dependable because Microsoft’s most important and most deployed products rely entirely upon it – Exchange and Active Directory. Wonder why more of the stuff out of MSFT that needs a backend store doesn’t use it. Say like MIIS, MOM, etc…


New MSFT Technologies that look interesting

by @ 11:13 am. Filed under tech

Microsoft Surface – http://www.microsoft.com/surface/

Tabletop computers. MSFT is saying they came up with this, but I swear I recall seeing a show a couple of years ago on this and the work was being done on it at a university. Match concept up with OLED and we have something cool. Wall displays, desk displays, etc that can interact with you.

 

Microsoft Silverlight – http://www.microsoft.com/silverlight/

Flash replacement, very pretty demo. Love the logo. Very futuristic.


Guess I wasn’t the only one not enamored with Windows Mail on Vista…

by @ 11:00 am. Filed under general

Microsoft gives Vista’s Windows Mail the heave-ho

Beta of Windows Live Mail replaces Vista’s, XP’s built-in e-mail

http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=networking_and_internet&articleId=9022558&taxonomyId=16


5/31/2007

New Windows LiveWriter Available

by @ 2:38 pm. Filed under tech

So anyone who used Windows LiveWriter, beta 2 is now available. Looks quite a bit different. More complex. Doesn’t open a new window for every new blog post which is nice. I keep seeing my CPU on my laptop spike up to 80-100% for bursts with WindowsLiveWriter.exe as the culprit when using it though. Not sure what that is about. Still can’t publish images to WordPress either now that I have upgraded to WordPress 2.2. I looked around and some people are saying it is an issue and others are saying it isn’t an issue. I fully suspect it is something in WordPress because multiple versions of LiveWriter could publish images to the previous version of WordPress I was running (something quite old, I don’t recall now) and the instant I upgraded to 2.2 it all broke.

Go get the new LiveWriter here —> http://windowslivewriter.spaces.live.com/blog/cns!D85741BB5E0BE8AA!1272.entry#comment

I would recommend keeping the old install binaries around just in case you want to go back….


5/30/2007

Vista RC2 to RTM not so smooth

by @ 10:56 pm. Filed under tech

I tried to upgrade a Vista RC2 to RTM last night, it didn’t work so well. Normally I don’t upgrade, I don’t trust upgrades. It wasn’t my computer though and there was a bunch of installed software and I didn’t want to mess with it. RC2 had been running fine and it wouldn’t have needed an upgrade only the time bomb is May 31 and it was about to die.

So I said, MSFT says upgrades work fine now… So I tried… It loaded up and then started blue screening only it was bouncing so fast I couldn’t even read the blue screen message and nothing was being written to the hard drive even though it was all configured. I booted in safe mode and during driver loading it listed crcdisk.sys as the last loaded but no clue what it did after that when it crashed again. I tried a repair, nothing, tried chkdsk, nothing, got a command prompt from the repair screen and the drive was working just fine as I could read anything I wanted. Nothing funky with the system that I could ascertain, no additional drivers needed for the disk drive, etc.

Performed an upgrade rollback which went quite well. Started unloading any “touchy” software such as Daemon tools, etc. Cleaned up the disk really well, told it to update everything to latest versions, etc. Ran upgrade advisor which said everything was perfect. Started upgrade again, went beautifully until I noticed the machine rebooting over and over again. Same issue. I told it to rollback again and went to sleep.

Next morning (i.e. today) I started into it again and removed even more software and told it to export the settings for the users (using the Migration wizard stuff to a file – pretty cool) and also Windows Mail account and messages exports. Upgraded again, still no joy. Rolled back, then told it to install a clean second copy of the OS. That worked flawlessly… damn upgrade.

So I installed a clean version on the original partition and just went on from there where I likely should have started in the first place. As you can imagine, I am no closer to trusting upgrades. I spent the better part of the day reloading all of the software and getting the settings right.

Some complaints:

1. The settings export missed things like backgrounds, etc. Still trying to work out everything it missed.

2. Windows Mail lets you export accounts and messages. Message import worked great. Account import blew up with some odd error. I then tried to set the account up manually, it is a hotmail account… Guess what, Windows Mail in RC2 lets you access hotmail, Windows Mail in RTM doesn’t… Beauty. I found a tool called FreePops which helped out here. Loaded it and then configured Windows Mail to get my hotmail through the freepops localhost server. If I hadn’t found that, the mailbox would have been converted over to GMAIL with Hotmail just autoforwarding. No clue why Microsoft thinks it makes sense to turn off POP3 like that. Not like they are delivering anything else that would make someone choose them over one of the other free email providers.

3. Trying to clean up the old instances of Windows was terrifically painful. Well the old instance on C: wasn’t too bad, the cleanup tool cleaned it right up. But cleaning up the temp copy on D:, the cleanup tool completely frelled it up and missed most of it. I then had to go in, take ownership of many folders including Windows, and several under Program Files and then after taking ownership set the ACLs so that I had FULL CONTROL so I could delete the damn things. Took me a while to figure out why I had 2GB missing until I realized the hibernation file had to be taken out the same way.

4. I went looking for the background image and found on the new install that it should be in a specific folder in the users folder of the old install which was, nicely enough saved (until I smoked it). Well I went into the folder and sure enough, MSFT doesn’t feel you should see that stuff so hides it by default, luckily I had the path so I went in anyway. Then once in the folder structure, I tried to search for all JPGs, it couldn’t find a thing. I do the search from the command prompt and I hit several hundred JPG files…

 

I don’t know about you, but Vista is getting too much up into my grill and assuming too much about what I want it controlling. Getting to be time for my yearly FreeBSD check up. I mean I am thrilled about many of the underlying security enhancements in Vista but the “for use by computer newbies” enhancements that I cannot shut off are too much. If Microsoft continues to assume all of its users are morons, that is, in fact, what will happen as the non-morons get sick of being treated that way and wander off and use other OSes.

  joe


5/26/2007

Cell Phones that actually work well as phones…

by @ 7:54 pm. Filed under general

I have an issue with Cell Phones… Or maybe how they are marketed. I realized I wasn’t carrying my Cingular 8125 around very much unless I was working and had to because, quite honestly, it is a big fat brick and sounds crappy without my Jawbone BT Headset[1] which means something else I have to carry. We are talking about someone who pretty much doesn’t want to wear any more than a pair of shorts and a t-shirt, no shoes, no socks, no nothing else. Even my wallet is annoying, can’t wait to embed a chip in my arm with my ID info and credit card info[2]. You can imagine the overwhelming desire I have to carry a brick of a phone and a BT Headset that I have to keep in my pocket because if I wear it my family all start laughing at me for being a dork and yes… When I walk around with a stupid piece of electronics hanging from my ear, I see their point. When I am working, invaluable, any other time, dork.

So the plan I have through Cingular allows me to add additional lines for like $9.99 and uses the same minutes (of which I have like 10,000 rollover minutes banked) so I was looking over the phone selection. Not a single phone said “Great voice quality, outstanding phone to talk to people with, you will think they are standing right there!”. No it was all, this phone can send text messages, use it as an MP3 player, a phone, web surfing device, paint your house, clean between your toes, etc etc etc ad nauseam features that have nothing, nothing I say, to do with talking to people. When I HAVE to talk to someone on the phone, the only thing important to me is that I can do so clearly. So I ended up ordering a small little Motorola (candy) bar style phone. No I didn’t get the Razr… I know it is the cool thing but I used one before and wasn’t thrilled with it. The phone has the camera and MP3 features and probably a bunch of others, my hope though is that it just sounds decent.

  joe

 

[1] Thanks to Ryan Dunn for recommending this… I love it. Bought two in fact.

[2] But will wait until it is actually secure. I want to have to pinch my hand really hard in a special pattern or something else like that in order for that info to be disclosed and depending on which pattern I use, different pieces of info are disclosed.


Such a well written newsgroup post must be cherished…

by @ 2:11 pm. Filed under tech

I was perusing some of the newsgroups today and ran across such a (IMO) well written response by Joe Kaplan (JoeK as I normally refer to him) to a question asked about LDAP authentication that I wanted to share it.

 

——– Original Message ——–
Subject: Re: Authenticate against AD + other DS
Date: Fri, 25 May 2007 17:56:15 -0500
From: Joe Kaplan <joseph.e.kaplan@removethis.accenture.com>
Newsgroups: microsoft.public.active.directory.interfaces
References: <1180116673.063188.255780@g4g2000hsf.googlegroups.com>

The only common authentication method supported by all of these LDAP
directories is the LDAP simple bind (hopefully also protected by SSL).
That is the only thing that is specified in the LDAP V3 spec and is thus the
only thing they all have in common.

Any of those directories may support other LDAP authentication mechanisms
such as different SASL methods that use Kerberos, or Digest or whatever and
may also support client certificate authentication. However, that will
vary by directory. AD supports a SASL mechanism called GSS-SPNEGO that allows
“Windows negotiate auth”, which is the normal Windows authentication
protocol that selects between Kerberos and NTLM. When you use
“AuthenticationTypes.Secure” in S.DS, you are using GSS-SPNEGO which
translates to Kerberos or NTLM. AD also supports SASL Digest auth and
client cert authentication.

To authenticate against AD in Windows, you don’t need to use LDAP. You can
just talk to the negotiate protocol directly using SSPI as you said or call
the LogonUser API, which eventually does the same thing under the hood.

I recommend against using S.DS for LDAP authentication as it scales very
poorly. The design of ADSI works directly against scalability for this use
case as ADSI opens up a new connection for each new set of credentials it sees
and you can basically just run out of sockets if you try to do too many in
too short a time. If you must use LDAP auth in .NET, use S.DS.Protocols so
that you can control the connections directly. This is what the Active
Directory membership provider in ASP.NET 2.0 does.

The big problem with LDAP simple bind is that it is not secure as it uses
plaintext credentials. In order for it to be secure on the wire, you must
secure the transport itself, usually with SSL. However, not all
directories have SSL support. AD supports SSL but doesn’t come configured
with it by default.

The other big problem with LDAP simple bind is that the LDAP spec only says
that the user name for the authentication must support the full
distinguished name. Other names may be supported, but the DN is the only
common denominator. However, most users don’t know their full DN in the
directory or wouldn’t want to type that, so you may need to accept a
shorter user name, search for the object in the directory to get the DN and then
execute a bind with the DN you found. However, that requires a service
account to do the search, which creates a configuration issue, as you must
store those credentials securely. Some directories like AD allow you to do
a simple bind with other user name formats and might allow you to skip the
searching step, but you can’t necessarily count on that.

So, this problem is hard to solve in general. You might consider creating
some sort of a provider model that allows you to plug in different models
that work slightly differently for different directories and give you
control.

Another way to look at it is to turn the problem on its head. If you
designed your application for federated logon, where you accept some
sort of signed SAML token from a trusted partner, then you can push the
authentication of the end users off on the partner. Problem solved. 🙂

Best of luck!

Joe K.


Joe Kaplan-MS MVP Directory Services Programming
Co-author of “The .NET Developer’s Guide to Directory Services Programming”
http://www.directoryprogramming.net

<weinjare@msu.edu> wrote in message
news:1180116673.063188.255780@g4g2000hsf.googlegroups.com…
> Hi,
>
> I am working on some C# to authenticate against an AD, but also among
> other types of directory services, namely openLDAP, Novell eDirectory,
> and SunONE DS, and I am curious to hear if there are already solutions
> published for this.
>
> I am currently using S.DS to authenticate, and switching the
> AuthenticationTypes depending on the type of DS I am authenticating
> against.
>
> I have heard some mentions of using SSPI, but I doubt that there is
> support for authenticating against non-Microsoft directories with
> SSPI.
>
> Does anybody know of best case solutions for authenticating against
> multiple directory servers with different setups (such as Kerberos,
> SSL/TLS)?
>
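
The search-then-bind pattern from Joe K.'s reply, as an added example that is not part of his post or of the original question. It uses System.DirectoryServices.Protocols over SSL so each connection is opened and disposed explicitly; the host, base DN, the `uid` naming attribute, the service account and the `LdapAuthenticator` class name are all assumptions.

```csharp
using System;
using System.DirectoryServices.Protocols;
using System.Net;
using System.Text;

// Added example: LDAP simple bind via search-then-bind over SSL (port 636).
// Class name, "uid" attribute and all parameters are hypothetical.
static class LdapAuthenticator
{
    // RFC 4515 escaping so a user-supplied name cannot change the search filter.
    public static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder();
        foreach (char c in value)
        {
            if (c == '\\' || c == '*' || c == '(' || c == ')' || c == '\0')
                sb.Append('\\').Append(((int)c).ToString("x2"));
            else
                sb.Append(c);
        }
        return sb.ToString();
    }

    static LdapConnection Connect(string host, NetworkCredential credential)
    {
        var connection = new LdapConnection(new LdapDirectoryIdentifier(host, 636));
        connection.SessionOptions.ProtocolVersion = 3;
        connection.SessionOptions.SecureSocketLayer = true; // simple bind sends the password as plaintext
        connection.AuthType = AuthType.Basic;               // Basic = LDAP simple bind
        try { connection.Bind(credential); }                // throws LdapException on failure
        catch { connection.Dispose(); throw; }
        return connection;
    }

    public static bool Authenticate(string host, string baseDn, NetworkCredential service,
                                    string userName, string password)
    {
        // A simple bind with an empty password is an unauthenticated bind, which some servers accept.
        if (string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(password)) return false;

        string userDn;
        using (LdapConnection search = Connect(host, service)) // service account does the lookup
        {
            string filter = "(uid=" + EscapeFilterValue(userName) + ")";
            var request = new SearchRequest(baseDn, filter, SearchScope.Subtree, "1.1"); // "1.1": no attributes
            var response = (SearchResponse)search.SendRequest(request);
            if (response.Entries.Count != 1) return false;     // unknown or ambiguous short name
            userDn = response.Entries[0].DistinguishedName;
        }

        try
        {
            // Second bind with the DN that was found and the password the user supplied.
            using (Connect(host, new NetworkCredential(userDn, password))) { return true; }
        }
        catch (LdapException e) when (e.ErrorCode == 49)       // 49 = invalidCredentials
        {
            return false;
        }
    }
}
```

Any failure other than result code 49 (server unreachable, SSL handshake failure, service account rejected) propagates as an exception instead of being reported as a wrong password.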


Why no little bobby… Event IDs in the Event Log are NOT unique…

by @ 12:42 pm. Filed under tech

Why is it that people think they can say, “Yeah I am getting Event ID 1000, do you know why that is?”

For the record, Event IDs are not UNIQUE. You need to know the Event Log, the Event Source, AND the Event ID.

Maybe it is the only Event ID 1000 that person who is asking the question has ever encountered, but why…. why would they assume that that is the only possible Event ID 1000 that could possibly exist? If that is the only one you have encountered, the only thing you can assume is that you don’t have a clue if there are others. Assuming it is unique is a hell of an assumption coming right out of the gate. It is like assuming because you saw a penguin as your first bird that all birds were flightless, black and white, ate a lot of fish, and are really good in movies…. THINK PEOPLE!!!

Just for those who think that possibly Event ID 1000 might be unique, I ran a little useful utility I have for myself (I might sell it one day if I get around to it) that dumps all of the events on a machine to a text file. I do that on my Windows Server 2003 laptop I am typing this on and then I run GREP across all of the text files produced for all of the event logs and it comes up with the following counts for Event ID 1000:

File k385002.joe.com – ADAM (instance1).txt:
2 lines match
File k385002.joe.com – Application.txt:
36 lines match
File k385002.joe.com – Security.txt:
3 lines match
File k385002.joe.com – System.txt:
11 lines match

That is 52, yes FIVE TWO, different Event ID 1000 events… 36 alone in the Application log. Say you narrowed it down to just the System Event Log, what do you have then? 11 events with that Event ID…

File k385002.joe.com – System.txt:

“1000” “1000” “” “%1” “c:\windows\microsoft.net\framework\v2.0.50727\eventlogmessages.dll” “System\MSDTC Gateway;System\MSDTC WS-AT Protocol”

“1000” “1000” “” “Your computer has lost the lease to its IP address %2 on the\nNetwork Card with network address %1.” “c:\windows\system32\dhcpcsvc.dll” “System\Dhcp”

“2164261864” “1000” “WARN” “%1” “c:\windows\system32\dmadmin.exe” “System\LDM”

“1000” “1000” “” “Faulting application %1, version %2, faulting module %3, version %4, fault address 0x%5.” “c:\windows\system32\faultrep.dll” “System\System Error”

“1073742824” “1000” “INFO” “The computer has rebooted from a bugcheck. The bugcheck was:\n%1.\nA full dump was not saved.” “c:\windows\system32\savedump.exe” “System\Save Dump”

“1000” “1000” “” “Unable to acquire a license for user ‘%1’, domain ‘%2’.” “c:\windows\system32\termsrv.dll” “System\TermService”

“1000” “1000” “” “The session directory failed to delete all the log files in the “%SystemRoot%\System32\tssesdir\” directory. The error code was %1.” “c:\windows\system32\tssdis.exe” “System\TermServSessDir”

“1000” “1000” “” “Processing media-specific event for [%1!ws!]” “c:\windows\system32\ws03res.dll” “System\AeLookupSvc;System\Clussvc;System\DCOM;System\DfsSvc;System\Http;System\IPNATHLP;System\MSFTPSVC;System\PlugPlayManager;System\Print;System\RasMan;System\RemoteAccess;System\Service Control Manager;System\Tcpip;System\TermDD;System\TermServDevices;System\TermService;System\TermServLicensing;System\VolSnap;System\W32Time;System\W3SVC”

“2149581800” “1000” “WARN” “Unable to acquire a license for user ‘%1’, domain ‘%2’. Please check Citrix Licensing for diagnosing this issue.” “c:\windows\system32\ws03res.dll” “System\AeLookupSvc;System\Clussvc;System\DCOM;System\DfsSvc;System\Http;System\IPNATHLP;System\MSFTPSVC;System\PlugPlayManager;System\Print;System\RasMan;System\RemoteAccess;System\Service Control Manager;System\Tcpip;System\TermDD;System\TermServDevices;System\TermService;System\TermServLicensing;System\VolSnap;System\W32Time;System\W3SVC”

“3237938152” “1000” “ERROR” “%1” “c:\windows\system32\wshext.dll” “System\Windows Script Host”

“1000” “1000” “” “Processing media-specific event for [%1!ws!]” “c:\windows\system32\xpsp2res.dll” “System\DCOM”

So if you ask me, “Yeah I am getting Event ID 1000, do you know why that is?” and I respond with, “Which Event ID 1000?”, don’t look at me like I’m the one who’s the idiot. Better yet, give me the Event ID and tell me the text of the message, that way I don’t even have to go try and look up the text which I will likely have to do anyway. The same machine I took the above info from has 26,199 events registered for it and it doesn’t have any real serious event log apps like Exchange, SMS, etc on it. And although I have had this machine for several years, there are still at least one or two, maybe more, of those events that I don’t have the text memorized for… Let’s be real… Most people aren’t memorizing eventids. The only time this is sort of acceptable is when there is context to a conversation and you are talking about say Exchange and someone is bitching to other Exchange people about say Event ID 9548. That is (or was – depends on your SP level of Exchange) such a huge pain point for people running Exchange in larger environments that it was usually said with a hiss and an evil look and an outstretched arm in the direction of Redmond and the Exchange developers. Context is everything… It is just like if I said “George W is an idiot…”, most people in the world are going to assume it is one specific idiot I am talking about and that I don’t mean the neighbor who lives 4 houses down on the right.

     joe
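
An added example (not the utility mentioned in the post) that indexes message templates by event log, event source and event ID together. The four rows are a constructed sample cut down from the System-log dump above, with one source list shortened. Treating the dump's first column as the full 32-bit event identifier, whose top two bits carry the severity, is an assumption that matches the WARN and ERROR rows shown; the `EventKeyDemo` class is hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Added example: key event templates on (log, source, event ID), never on the ID alone.
static class EventKeyDemo
{
    // Constructed sample: full identifier, message template, "Log\Source;Log\Source" registrations.
    static readonly (uint FullId, string Template, string Sources)[] Sample =
    {
        (1000u,       "Unable to acquire a license for user '%1', domain '%2'.", @"System\TermService"),
        (1000u,       "Processing media-specific event for [%1!ws!]", @"System\DCOM;System\TermService"),
        (2164261864u, "%1", @"System\LDM"),
        (3237938152u, "%1", @"System\Windows Script Host"),
    };

    // Identifier layout: bits 31-30 are the severity, bits 15-0 the event ID people quote.
    static string Severity(uint fullId) =>
        new[] { "SUCCESS", "INFO", "WARN", "ERROR" }[fullId >> 30];

    static ushort EventId(uint fullId) => (ushort)(fullId & 0xFFFF);

    // One index entry per (log, source, id); a lookup keeps every template registered under a key.
    public static ILookup<(string Log, string Source, ushort Id), string> BuildIndex()
    {
        var rows = from r in Sample
                   from pair in r.Sources.Split(';')
                   let parts = pair.Split(new[] { '\\' }, 2)
                   select (Key: (parts[0], parts[1], EventId(r.FullId)),
                           Value: Severity(r.FullId) + ": " + r.Template);
        return rows.ToLookup(x => x.Key, x => x.Value);
    }

    static void Main()
    {
        var index = BuildIndex();

        // "Event ID 1000" on its own matches every key in this sample.
        foreach (var group in index.Where(g => g.Key.Id == 1000))
            Console.WriteLine($"{group.Key.Log}\\{group.Key.Source} {group.Key.Id}: {group.Count()} template(s)");

        // Even the full key can be ambiguous when a source registers several message files.
        foreach (string template in index[("System", "TermService", (ushort)1000)])
            Console.WriteLine("  " + template);
    }
}
```

In this sample System\TermService still resolves to two templates for ID 1000, which is why quoting the message text along with the ID removes the last ambiguity.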


Why…

by @ 12:21 pm. Filed under tech

…can’t you turn on auditing of the manipulation of share permissions directly either through GUI or code?

By this, I mean the permissions on the share, not permissions on the files and folders in the share. This may seem odd, but maybe, just maybe you want to know WHO is changing permissions on the share.

Just thinking out loud here…

  joe
