Archive

infrastructure

I hate backups, I really do… Even more than I hate printers 🙂

But, as recent happenings proved again, you definitely need one… Whether it's because of a virus or ransomware, a failing hard disk, or even because you just deleted something (why would you delete something?)

I've been looking around for a good off-site backup for ages, but never found a "good" (read: cheap) one… If you look at cloud-hosted backup solutions such as Backblaze, CrashPlan, …, you're always going to spend more than $50 yearly… (http://www.pcmag.com/article2/0,2817,2288745,00.asp)
I always figured, yeah, that’s the price of a physical disk you can keep forever…

Anyway, next issue: backup software… If someone can give me a tool that just actually works… PLEASE be my guest…
In the past I've used the built-in Windows one… But that one failed terribly, resulting in me losing a lot of pictures… 😦

One of my last interests was backing up to Amazon's Glacier service… But I never took the actual step.

Last week, I took two steps!

Azure Simple File

https://azure.microsoft.com/en-us/services/storage/files/

A couple of months ago, a new "feature" was made available on Azure. Basically it's just an oldskool file server in an Azure datacenter… Meaning: accessible over SMB 🙂

\\fileserver.onmicrosoft and you’re good to go!
Jieehaa!
No shitty REST-interfaces! 🙂

It's SMB 3.0, so authentication, encryption and data integrity are handled by the protocol 🙂 (hey, you're communicating over a public network, of course you'll need that!)

Having a "regular" interface to the cloud opens possibilities… But, bringing me back to my earlier point of having the right tool for the job…
I don't trust File History any more, so I'm looking around for other tools…

Currently running Iperius -> http://www.iperiusbackup.com/
Curious how that’s going to turn out…
It doesn’t have a restore option? WTF?

Azure Backup

https://azure.microsoft.com/en-us/services/backup/

Another service I’m testing on Azure is the Backup functionality.

It comes with a client application. Install, configure, select data and you’re good to go! This app definitely impressed me!

I know it says "failed"; one of the big issues with cloud storage is your upload speed… As I'm only a Belgian internet user, I'm stuck with a 5 Mbit upload rate over ADSL… So uploading 120GB takes forever… (forever being 2.5 days). So, on a daily schedule, after a day, the previous backup hasn't finished yet 🙂
http://beta.speedtest.net/result/4976075067

Big plus, I crossed my "download limit" uploading 650GB of backup data 😦
JEEEEJ CLOUD

Did I tell you it’s slow as hell?
And you have to pay extra for outbound network traffic, aka: to restore data you have to pay more…

I'm even considering installing this on all my family's computers!

Ok, let's get it over with. Once and for all, a decent how-to to set up Authentication Mechanism Assurance (AMA) in Active Directory Domain Services…

The last time I talked about this was when I had just found out about its existence at TechEd, in a talk by Hasain Alshakarti and Marcus Murray.

It basically gives you a difference in group memberships between logging in with a regular username/password and logging in with a smartcard. If you log in with a password you'll be a normal user; when you log on with a smartcard you're an admin! 🙂

The Microsoft step-by-step guide however is a bit long and a bit clumsy… So here's a quick rewrite 🙂

➡ Required components: a Windows Server, a PKI (or the default one in AD DS, whatever), and some time.

CA Templates

First, we’ll have to create a new certificate template.
Open the certificate template management console, and go to the templates.

Let's start by duplicating the "Smartcard Logon" one. Choose 2008 R2 for everything.

This default template should be good; one little thing needs to change.

Open the template and go to the Extensions tab, where you'll see the issuance policies. Here you'll need to add a new one.

Give it some useful name, for example "server admin" or whatever.

This extra extension will now end up in the actual enrolled certificate…

Mapping

Next we'll need to teach AD DS how to map that extension to an actual security group. This can be done using the weird PowerShell script provided by Microsoft, but let's do it manually here (it goes way faster!)

The link between the OID we just created and a security group is a policy defined in the regular SYSTEM partition of AD DS. Open it using either ADSI Edit or the Sites and Services MMC.

Of course we're working with Public Key Services, OID config, and that's where all the policies are stored. We're looking for the OID of the policy we created earlier (add the "displayName" to the MMC columns to make your life easier).

If you've found the correct object, right-click it, open Attributes, and search for the "msDS-OIDToGroupLink" attribute.

⭐ This is the magic attribute ⭐

Fill in the DN of the security group.
And you’re good to go!

Next steps are of course the enrollment and issuance of the CA template to the correct users. But I hope you know how that works 😉
From here on you can put it on a Virtual Smart Card and start using it!
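The same "magic attribute" step done from PowerShell, as an added example that is not the author's manual procedure nor Microsoft's script. It assumes the ActiveDirectory module, Enterprise Admin rights, and placeholder names for the issuance policy and group; the universal-group and no-members checks are assumptions about what AMA requires, not something the post states.

```powershell
# Added example: link an issuance-policy OID to a security group (msDS-OIDToGroupLink).
# Assumptions: ActiveDirectory module present, run as Enterprise Admin,
# policy/group names below are placeholders for your own.
Import-Module ActiveDirectory

$PolicyDisplayName = 'server admin'       # displayName you gave the issuance policy
$GroupName         = 'Smartcard Admins'   # security group the OID should map to

# The OID objects live under Public Key Services in the Configuration naming context.
$rootDse      = Get-ADRootDSE
$oidContainer = "CN=OID,CN=Public Key Services,CN=Services,$($rootDse.configurationNamingContext)"

# Find the msPKI-Enterprise-Oid object the template wizard created for the policy.
$policy = Get-ADObject -SearchBase $oidContainer -Filter "displayName -eq '$PolicyDisplayName'" `
            -Properties displayName, msPKI-Cert-Template-OID, msDS-OIDToGroupLink
if (-not $policy) { throw "No issuance policy named '$PolicyDisplayName' under $oidContainer" }

# Assumption: AMA needs a universal security group, and a group that already has
# members should not be linked (membership is meant to come only from the policy).
$group = Get-ADGroup -Identity $GroupName -Properties GroupScope, GroupCategory, Members
if ($group.GroupScope -ne 'Universal' -or $group.GroupCategory -ne 'Security') {
    throw "'$GroupName' must be a universal security group"
}
if ($group.Members.Count -gt 0) {
    Write-Warning "'$GroupName' already has members; an AMA-linked group should be empty"
}

Write-Host "Policy OID : $($policy.'msPKI-Cert-Template-OID')"
Write-Host "Linking to : $($group.DistinguishedName)"

# The magic attribute: the DN of the group goes into msDS-OIDToGroupLink.
Set-ADObject -Identity $policy.DistinguishedName `
    -Replace @{ 'msDS-OIDToGroupLink' = $group.DistinguishedName }

# Verify via the back-link on the group.
Get-ADGroup -Identity $GroupName -Properties msDS-OIDToGroupLinkBl |
    Select-Object Name, msDS-OIDToGroupLinkBl
```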

Because there still is a huge lack of documentation about Microsoft AD RMS, here are some hints and tricks to use!

  • First thing: IRMCheck! Go use it!
  • Always check the NTFS ACL permissions on the server-side files (the asmx files).
  • The SQL connection string is located in the registry:
    http://technet.microsoft.com/en-us/library/ff660033%28v=ws.10%29.aspx
  • MSIPC (RMS Client 2.0 in Windows 8 and Office 2013) caches in the registry and in %localappdata%
  • REGISTRY:\Software\Classes\Local Settings\Software\Microsoft\MSIPC\<Server Name> \Template (HKCU or HKLM)
  • %localappdata%\microsoft\msipc
    Hint: you can delete the huge file names with "rmdir MSIPC /s" in cmd (for some reason it doesn't work in PowerShell)
  • Advanced troubleshooting on OSI layer 7: Fiddler! (enable HTTPS decryption) Really, put it in between! You'll get far more useful error messages than "cannot connect to the server" or "cannot use this feature without credentials"…
    Even better, go Wireshark (note: SSL MITM here…)!
  • The older MSDRM (RMS Client 1) puts everything in your %localappdata%\Microsoft\DRM. There you can find your user & machine certificates, and templates.
    Regkeys under REGISTRY:\software\microsoft\msdrm
  • Always check the IIS certificates! If there's something wrong, nothing will ever work!

Please open them up; they're just XML-based and contain a lot of information! For example, in the GIC file you can confirm your RMS location. Don't bother trying to modify them, they're hashed… But you definitely should check them for having :443 in their URLs (check this article)
GIC (Group Identity Certificate) = RAC (Rights Account Certificate)
CLC (Client Licensor Certificate)
CERT-Machine = SPC (Security Processor Certificate)

More about those 3 files in here

  • When you need to go deeper, use DebugView (or something new: TraceSpy). This works for both MSDRM and MSIPC,
    server-side and client-side.
  • Go and check the Windows Event Logs. The RMS client doesn't actually log anything there, but it can be a source of good information anyway!
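A small scan of the cache locations listed above for the ":443" problem, as an added example that is not part of the original post. It assumes the cached certificates and templates are readable XML text (as the post says) and that the MSDRM and MSIPC caches sit under %localappdata%; the registry paths are the ones the post names.

```powershell
# Added example: list every URL found in the RMS client caches and flag explicit ":443".
# Assumption: files under these folders are plain XML/XrML text.
$cachePaths = @(
    (Join-Path $env:LOCALAPPDATA 'Microsoft\DRM'),    # MSDRM (RMS Client 1): GIC, CLC, CERT-Machine
    (Join-Path $env:LOCALAPPDATA 'Microsoft\MSIPC')   # MSIPC (RMS Client 2.0)
)

function Get-RmsUrlFindings {
    param([string[]]$Paths)
    $urlPattern = 'https?://[^"''<>\s]+'
    foreach ($path in ($Paths | Where-Object { Test-Path $_ })) {
        Get-ChildItem -Path $path -Recurse -File | ForEach-Object {
            $file = $_
            Select-String -Path $file.FullName -Pattern $urlPattern -AllMatches -ErrorAction SilentlyContinue |
                ForEach-Object { $_.Matches } |
                ForEach-Object {
                    [pscustomobject]@{
                        File   = $file.FullName
                        Url    = $_.Value
                        Has443 = ($_.Value -match ':443(/|$)')   # the post's check: explicit port in the URL
                    }
                }
        }
    }
}

$findings = Get-RmsUrlFindings -Paths $cachePaths
$findings | Sort-Object File, Url -Unique | Format-Table -AutoSize
$bad = @($findings | Where-Object Has443)
if ($bad.Count -gt 0) {
    Write-Warning "$($bad.Count) cached URL(s) carry an explicit :443 port; check the cluster URL on the RMS server."
}

# The registry locations the post names; dump the subkeys so the server entries can be compared.
$regPaths = @('HKCU:\Software\Microsoft\MSDRM', 'HKLM:\Software\Microsoft\MSDRM',
              'HKCU:\Software\Classes\Local Settings\Software\Microsoft\MSIPC',
              'HKLM:\Software\Classes\Local Settings\Software\Microsoft\MSIPC')
$regPaths | Where-Object { Test-Path $_ } | ForEach-Object {
    Get-ChildItem -Path $_ -Recurse -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Name
}
```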

Another story standing since November 2012 (lol 😀).
The only thing that has changed: ARR (read on) is now officially supported by Microsoft!
They're even almost/perhaps/maybe/theoretically/optionally considering it as a successor to TMG 2010 😛

Anyway, this post is not entirely correct. What we were trying to do was reverse proxy to a sub-directory. That didn't work…
But you can get some feeling for the possibilities of IIS's ARR.

3 days later, but I solved this terrible situation…

The story

Our current website http://www.smartsys.be runs on an ASP-powered CMS called "umbraco" (url).
So that means it needs IIS and MS SQL accordingly…

Second part of the story: we want to introduce a blog with our success stories!
Number one blog software of our choice: WordPress (of course 🙂)

But, as we all know, WordPress runs on PHP and not ASP, and needs an accompanying database…

The options:

  1. install PHP/FastCGI on IIS, mess around with its config, use MS SQL as backend DB, and run everything in IIS…
  2. use Apache for both reverse proxying and serving the WordPress pages
  3. let IIS serve our Umbraco web pages and set it up as reverse proxy for Apache!

So, in the end, we only tried the last two options.
I didn't actually want to try and install PHP in IIS and maybe mess up our actual web service…

The result

Apache as reverse proxy didn’t end very well…
Actually, it didn’t work at all…
No idea why, didn’t put much effort in it…

On the other hand, IIS as reverse proxy wasn't easy either…
It took almost 3 days to figure out what went wrong, how to avoid it from happening, and in the end: how to solve it!
note: not 3 full days, but "some time during 3 days" ^^

How!

So, a little how-to:

First of all, you need IIS; just enable the feature on your Windows or Windows Server.
Secondly, you need "Application Request Routing". You can download and install this without taking down your website.
This module is officially supported by Microsoft!

So, when both are installed, you can start configuring…

Enable ARR for your site: select your server in IIS Manager, open Application Request Routing under the IIS options, choose "Server Proxy Settings" from the Actions pane, mark "enable" and press apply.

Secondly, we can start reverse proxying!

Select your site, in our example the “default web site”, and open the “url rewrite” module.
Here is where the magic should happen!

You can easily add a new rule by clicking "add rule(s)". And in our case, we're choosing "reverse proxy".

Next, choose the path for your destination server, in our case being "http://localhost:8080/test/".
Also, in the case of WordPress (very important): enable outbound rules; these are the rewrite rules…

One of the main issues that took so long to understand was a redirection issue: WordPress itself tries to redirect you to its config page, while IIS tries to rewrite the request to the WordPress folder, resulting in endless 301 redirections… So, watch out here!
At first I believed I could fix it by changing the config in WordPress, and I spent too long trying to fix it that way. In the end (and that's what we're doing in this manual) letting IIS handle all this reverse proxy work does the job…

So after adding this rule, we need to correct it somehow.
The default settings are not really good enough (maybe in your case they are!)

So, let’s have a look at the Inbound rule. Just open it.
I'm going to change the "pattern" IIS filters on from "(.*)" to "^test/(.*)". This makes only requests for "blog.smartsys.be/test/" be accepted.

Secondly, you have to add {R:1} to the end of the "rewrite url". Otherwise things like http://blog.smartsys.be/test/wordpress/wp-admin/index.php would never work. {R:1} is just the captured part of the initial request's path that gets forwarded to the rewritten URL…

That's it, apply and close; next we'll have a look at the outbound rule.

So, the big problem with WordPress is something with redirection. So, in the end, I made it undetectable for WordPress that it's being reverse proxied. From WordPress's point of view, it's just running on localhost:8080.

This implies we need to rewrite localhost:8080 to something externally available, in our case "blog.smartsys.be"…
This is where the “outbound rule” comes in!

I just modified some parts of the default configuration that the "add reverse proxy" wizard from before created.

At first: match all content!
The pattern should be "^http(s)?://localhost:8080/(.*)"
And the action value becomes: "http://blog.smartsys.be/{R:2}"

So, I hope you don't spend any time trying to let WordPress fix it (because it won't); just let IIS do all the work!
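The same three steps (enable the ARR proxy, the corrected inbound rule, the outbound rule) applied with the WebAdministration module instead of the IIS Manager dialogs, as an added example that is not the post's own configuration. It assumes IIS, URL Rewrite and ARR are installed, the site is "Default Web Site", WordPress listens on http://localhost:8080/test/ and the public name is blog.smartsys.be; the rule and precondition names are placeholders in the style the wizard generates.

```powershell
# Added example: the post's reverse-proxy configuration as WebAdministration cmdlets.
# Assumptions: IIS + URL Rewrite + ARR installed; names/URLs below are placeholders.
Import-Module WebAdministration

$site    = 'MACHINE/WEBROOT/APPHOST/Default Web Site'
$backend = 'http://localhost:8080/test/'
$public  = 'http://blog.smartsys.be/'

# 1. "Server Proxy Settings" -> enable. The ARR proxy switch lives at the server level.
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter 'system.webServer/proxy' -Name 'enabled' -Value 'True'

# 2. Inbound rule: only ^test/(.*) is proxied, and {R:1} forwards the rest of the path.
$inRule = "system.webServer/rewrite/rules/rule[@name='ReverseProxyInboundRule1']"
Clear-WebConfiguration -PSPath $site -Filter $inRule -ErrorAction SilentlyContinue
Add-WebConfigurationProperty -PSPath $site -Filter 'system.webServer/rewrite/rules' -Name '.' `
    -Value @{ name = 'ReverseProxyInboundRule1'; stopProcessing = 'True' }
Set-WebConfigurationProperty -PSPath $site -Filter "$inRule/match"  -Name 'url'  -Value '^test/(.*)'
Set-WebConfigurationProperty -PSPath $site -Filter "$inRule/action" -Name 'type' -Value 'Rewrite'
Set-WebConfigurationProperty -PSPath $site -Filter "$inRule/action" -Name 'url'  -Value ($backend + '{R:1}')

# 3. Outbound rule on HTML responses: rewrite localhost:8080 links back to the public name,
#    so WordPress never has to know (or redirect to) the internal address.
$preCond = "system.webServer/rewrite/outboundRules/preConditions/preCondition[@name='ResponseIsHtml1']"
Clear-WebConfiguration -PSPath $site -Filter $preCond -ErrorAction SilentlyContinue
Add-WebConfigurationProperty -PSPath $site -Filter 'system.webServer/rewrite/outboundRules/preConditions' `
    -Name '.' -Value @{ name = 'ResponseIsHtml1' }
Add-WebConfigurationProperty -PSPath $site -Filter $preCond -Name '.' `
    -Value @{ input = '{RESPONSE_CONTENT_TYPE}'; pattern = '^text/html' }

$outRule = "system.webServer/rewrite/outboundRules/rule[@name='ReverseProxyOutboundRule1']"
Clear-WebConfiguration -PSPath $site -Filter $outRule -ErrorAction SilentlyContinue
Add-WebConfigurationProperty -PSPath $site -Filter 'system.webServer/rewrite/outboundRules' -Name '.' `
    -Value @{ name = 'ReverseProxyOutboundRule1'; preCondition = 'ResponseIsHtml1' }
Set-WebConfigurationProperty -PSPath $site -Filter "$outRule/match"  -Name 'filterByTags' -Value 'A, Form, Img'
Set-WebConfigurationProperty -PSPath $site -Filter "$outRule/match"  -Name 'pattern' -Value '^http(s)?://localhost:8080/(.*)'
Set-WebConfigurationProperty -PSPath $site -Filter "$outRule/action" -Name 'type'    -Value 'Rewrite'
Set-WebConfigurationProperty -PSPath $site -Filter "$outRule/action" -Name 'value'   -Value ($public + '{R:2}')

# Show what ended up in the site's web.config.
Get-WebConfiguration -PSPath $site -Filter 'system.webServer/rewrite/rules/rule'         | Select-Object name
Get-WebConfiguration -PSPath $site -Filter 'system.webServer/rewrite/outboundRules/rule' | Select-Object name
```

The outbound pattern only rewrites links inside A, Form and Img tags of HTML responses; Location headers on WordPress's own 301 responses are exactly the case the post warns about, so check them in the browser's network tab after applying this.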

AD FS, STS, SSO, Claims, Realms, Tokens, SAML, WS-Federation, WS-Security, … All these fuzzy terms that were thrown at me last month…

The project was to implement AD FS (see title) in our environment.
The single and only purpose of AD FS is to create a "single sign-on experience" between applications. Sign on to any website, and you can visit all other websites with that same account! (Only trusted websites, that is, ofc…)
There are claims providers for Exchange OWA and SharePoint. You can use it natively in custom and cross-platform applications, on Microsoft Azure and, in our case, Office 365.
And because it's based on an open standard, you don't have to use .NET; you can use Java (jeej) as well! Or even PHP -> http://code.google.com/p/simplesamlphp/.
As long as your application is compatible with SAML, you're good to go!

So, all the mentioned abbreviations also have a meaning! And if you want to know what they mean and what their purpose is, read this article on MSDN!

A more “conceptual” article you can read: A Guide to Claims-Based Identity and Access Control (2nd Edition)
Especially the part about “the airport” explains a lot 😛

Some more “academic” OASIS articles on WS-Trust and WS-Federation

And if you want to know more about WSDL, just read wikipedia 🙂

Is only awesome…

Created by the guy(s) from dataenter.com, this utility does some automated debug tests for mail servers! Just like mxtoolbox.com, but locally, for example on your mail hub/SMTP server…

If you run the executable from the command line, you'll see some arguments you can pass to the application.

For example:

TextMX.exe -drecipientdomain.be -tmendel@recipientdomain.be -fmendel@senderdomain.be -a -qDNS8.8.8.8

Just have a look if you're interested in mail servers 😉