Skip navigation

AD LDS (aka ADAM) is a general purpose LDAP directory that you can use for free with Windows Server. It’s used for thing that you would normally use an LDAP server for…If you don’t know what that is then I promise you don’t care.

If you do know what an LDAP server is useful for…and you have the need…it’s a feature that can be installed from the Server Manager UI in 2008/ 2008 R2 or PowerShell in Server 8 Preview. (Add-WindowsFeature ADLDS)

Depending on how you deploy LDS you will need to take different steps to enable SSL. I’m writing this because I actually couldn’t find an example on the web that used LDS instead of the older ADAM on 2K3. It’s the same thing, mind you…just different names and a slightly different UI experience. The easiest way to go about this would be to get a machine account certificate from AD CS or whatever hoops you have to jump through to get a server auth certificate. That is, the Enhanced Key Usage needs to be both Client Authentication (1.3.6.1.5.5.7.3.2) and Server Authentication (1.3.6.1.5.5.7.3.1). The certificate should be installed in the machine’s personal certificate store like so:

image

Once that is in place you need to give your service account access to that key. Most deployments are going to use Network Service. Right click on the certificate and choose “Manage Private Keys…”

image

This will bring up a security dialog that allows you to add users/groups and set permissions on the private key of the machine identity certificate. Add Network Service and set the permission to Allow Read.

image

I still use LDP for everything…you can use what you like…Fire up an LDAP browser and make sure you can connect via SSL.

It goes without saying that if you are using a domain account as your service account identity then you will need to take further steps to ensure that Kerberos works by setting the Service Principal Name to the correct value. You should also install the certificate in the personal store of your service account if that is your model.

In all cases you will need to make sure that the certificate is issued to the DNS name that you will be connecting to. Using a vanity domain name that will be load-balanced would require a service account and Kerberos configuration. These steps aren’t that radically different from getting SSL and Kerberos working for IIS, though…So have fun with that.

Advertisements

Learn to love PowerShell…its the preferred management interface in the new server OS.

The preferred deployment model is going to be the “Server Core” installation. This is generally a Good Thing® in that it will drastically lower the attack surface for operating system exploits…But most Windows admins I know don’t even know the legacy VBScript that they should. I actually had a guy ask me how to get to the “search” feature that was on the XP start menu.

This is why UNIX admins seem better at their job.

Regardless, it really seems like MS really gets how big of a pain it is to run lots of machines at once. Things that used to require either expensive third party tools or custom development are baked in. In fact, the new Server Manager interface is actually just surfacing PowerShell commands. You can actually save the command text from the newest version of the Active Directory Administrative Center. This should ease the learning curve.

I guess I’ve finally read enough PowerShell examples that I’m starting to come around. Up until now I have mainly used C#, VBScript, and C++ (when forced) to do my work. One thing that I can say for the PowerShell ‘methodology’ is that its incredibly consistent.

Get-Help Some-Command –examples

It’s consistent patterns like the above that seem to pervade the whole system.

Speaking of ADAC…ADAC actually depends on the Active Directory Web Service. Some places might have reservations on deploying ADWS since it needs to be installed on every domain controller. (That’s the entry level recommendation at least.) I know quite a few places that didn’t deploy it just because it had “Web” in the name. Insert groan tag. The benefits really do out weigh any deployment or management costs whether real or mythological.

One really neat feature of PowerShell is that HKCU, HKLM, the certificate store, and IIS are all drives. So is Active Directory.

This image illustrates what I mean…

image

It’s been a long time coming. Windows really didn’t have good scripting story before PowerShell.

Full disclosure…you aren’t supposed to do this. The metaverse in FIM 2010 (ILM 2007, MIIS 2003) can be exported to an XML file. I finally got around to writing an app that can search the schema of ldap directories and SQL tables and add those new attributes to the MV schema with a prefix. Why? Because you will pretty much never get away from data flow troubleshooting questions. The FIM Sync Manager interface can only run on the console of the server that it’s installed on. (And no, you can’t install it on a server that has Remote App/terminal services installed.) There is some basic RBAC for segregating permissions but you still have to give RDP access to the machine.

The initial configuration of this application is also the very definition of tedium. The “old” method using the Sync manager was a pain…the SharePoint based method is worse.

More to come in the next post, but the general idea is a more automated means of getting the connected directories mapped into the system with inbound attribute flow’s that populate MV objects with the corresponding CD data. Programmatically generating the metaverse schema is the first step. Next step will be manipulating the MA export files.  Being able to generate these config files out of band will also enable some interesting UI scenarios for creating the attribute flows…There has to be a better way.

For the impatient:

Here’s a snippet that adds MV elements to the “person” class…
static void AddSchemaElement(string schemaObjectName)
{
var xEle = xDoc.Descendants(XName.Get(“directory-schema”, dsml.NamespaceName)).First();
var personEle = xEle.FirstNode.ElementsAfterSelf().Where(x => x.Name.LocalName == “class” && x.FirstAttribute.Value == “person”).First();
XElement newAtrributeType = new XElement(XName.Get(“attribute-type”, dsml.NamespaceName),
new XAttribute(“id”, schemaObjectName),
new XAttribute(“single-value”, “true”),
new XAttribute(XName.Get(“indexable”, msDsml.NamespaceName), “true”),
new XAttribute(XNamespace.Xmlns + “ms-dsml”, msDsml.NamespaceName),
new XElement(dsml + “name”, schemaObjectName),
new XElement(dsml + “syntax”, “1.3.6.1.4.1.1466.115.121.1.15”));

xEle.Add(newAtrributeType);
personEle.Add(new XElement(dsml + “attribute”,
new XAttribute(“ref”, “#” + schemaObjectName),
new XAttribute(“required”, “false”)
));
return;
}

I upgraded my mac to Lion. The thing I really like is the new XCode. It runs in a single window with Interface Builder built-in. Poking around in Grand Central, Apple’s parallel task system, I was really impressed. It’s using what looks like, effectively, the lambda passing stuff that .Net 4 is using as well. Since the whole world has gone MVC crazy it all seems easier to wrap my head around than my first foray’s into Mac development.  The thing is, though, I’m completely over phones, tablets, and the like…I’m just done. Everywhere I go it looks like people are examining their navel with a tricorder from star trek.

 

I’ve been doing a lot of claims-based authentication development lately, so I am looking forward extending that to cross platform scenarios.

I guess it had never occurred to me that people would spend money on this kind of thing. Nieve, I know. I have been researching GPU based hash cracking systems lately. Most of the stuff I have seen is open source and CUDA based. I may be purchasing a workstation level graphics card to pursue this kind of thing. So far the one I have my eye on is Quadro 4000 based…not that crazy, but still pretty powerful and more than capable for my amateur crypto analysis needs.

http://www.digitalintelligence.com/products/rack-a-tacc/

This is by a company called Tableau. It’s a dedicated distributed brute force attack appliance. They provide some stats at:

http://www.lostpassword.com/tacc-acceleration.htm

There is also a package from Elcomsoft…the people that brought you the Dmitry Sklyarov DMCA thing earlier this decade. They support GPU’s and the Tableau accelerator’s.

http://www.elcomsoft.com/lhc.html

I also ran across a company that makes PCI-Express expansion cabinets for the VDI market. Hmmm….

The F# language actually has support for the International System of Units…It could tell you at compile time, for instance, that you are trying to subtract a meter from a second.

That’s awesome.

http://blogs.msdn.com/b/andrewkennedy/archive/2008/08/29/units-of-measure-in-f-part-one-introducing-units.aspx

but when I do it’s because the infamous Cornchip predicted the future, again.

When the XBox Kinect came out my best friend got one. It’s awesome…no way around that. Over a drink we talked about the pro’s and con’s of having a device under your TV that can map your living room into a 3D space and record motion, facial expressions, sound, etc…

As game technology, I’m kind of up in the air about it. It’s pretty cool…amazing technology, really…but I don’t play video games much. The thing that leapt into my mind was Winston Smith in Orwell’s 1984 crouching at a desk in the corner of his room writing his diary and hoping that ENGSOC wasn’t watching him through the ‘telescreen’ . In 1984 this was the device used for surveillance of party members while at home. You never knew if someone was watching, but you knew that you could never turn it off.

Well, what if no one had to watch? What if the ‘telescreen’ could watch all by itself?

I’m not saying that I think that MS is watching people through the TV. I was, however, reminded of the aforementioned conversation when I saw this:

http://www.cisco.com/en/US/products/ps11253/index.html

Ignore the strange marketing video. This software uses an intelligent HD video camera (1080P) with an onboard DSP that can actually process the video at the edge of the network. The camera:

http://www.cisco.com/en/US/products/ps9716/index.html

On the slim chance that a non-nerd reads this, that means that the camera can see you. (VERY slim chance. I know, you’re the only one that reads it. Believe me, I see the numbers.) I’m not sure how much the analytics software would cost, they say that the camera can be plugged into 3rd party custom analysis engines…but how much does an HD camera with on-board smarts cost? 1800 bucks.

This is from the data sheet:

Security Package

• Tripwire: Identifies user-defined objects that move in a specified direction as they cross over a line (tripwire) drawn within the camera’s field of view.
• Object classification: Differentiates between a person, vehicle, or other objects.
• Camera tampering detection: Identifies any event that significantly changes the field of view of the camera.
• Loitering: Detects when a person or vehicle remains in a user-defined area of interest for a configurable length of time.
• Take away events: Detects when an object has been removed from a user-defined area of interest.
• Leave-behind events: Detects when an object has been left behind or inserted in the full view of a camera.

Counting Package

• Enters/exits events: Detects when an object enters or exits a specified area of interest from any direction within the camera’s field of view.
• Occupancy: Provides information about the number of people in a user-defined area of interest.
• Dwell time: Provides data about the length of time each person spends in a user-defined area of interest.

I’m all for better security where it counts. The thing I’m having a little trouble with is that these things are IP-based. While they should not be installed on internet accessible networks, they will be. The camera has a built-in web interface…its web server probably has a unique signature…wanna start a betting pool on when they will be discoverable in Google? Most of the time I find “computer security” people kind of obnoxious, but after the last few weeks of high-profile hacks…There are scenarios that you have to consider possible even if they aren’t likely.

Hypothetical situation time:

You get arrested. The DA offers into evidence video footage of you at a gas station gassing up your car. The time stamp is used as proof that you were reasonably close to a crime scene…except that its been tampered with. Why not? The camera has “tampering protection.” See where I’m going with this?

The marketing materials claim that the cameras support access control lists, 802.1x, etc…for authentication and authorization…but that’s really nothing new. Most wi-fi access points support some type of secure setup. All routers and multi-layer ethernet switches have locked down configurations. Operating systems have many more options for security hardening that I could list here.

Everything can be configured securely, but most things never are.

All that being said…I really want one.

Building .Net based services is kind of old hat…but I didn’t know that a lot of it could be done declaratively.

 

http://blogs.msdn.com/b/nikhilsi/archive/2011/06/13/how-to-create-a-windows-service-in-the-component-designer.aspx

This is too sweet. The Apache Directory Server supports triggers.

 

http://directory.apache.org/apacheds/1.5/apacheds-ldap-triggers.html

yet another entry for my todo list:

 

http://the-paper-trail.org/blog/?page_id=152