Shawn's MIIS/ILM Tricks, PKI Hints, and Résumé Writing Prevention Tips

ILM FFL - I haven't forgotten about it

2008-11-25T19:34:00Z

Hello Everyone,

Long time no type. I got super busy and the blog is unfortunately the first thing to lapse. I haven't forgotten about the ILM FFL and I intend on finishing this concept.

A couple of changes:

ILM "2" will be used instead of ILM 2007 FP1.

Until I find a suitable (free) feed of statistics, flat files will be used to import statistics. We'll work out the format later. I've been doing some work on the back end to try to get statistics feeds. Live data is not cheap.

Hopefully more to come later.

--Shawn

This posting is provided "AS IS" with no warranties, and confers no rights.

ILM Tricks: ILM FFL Specification (part 1)

2008-08-14T20:07:00Z

Hello Everyone!

On my last post I proposed we use Identity Lifecycle Manager 2007 with Feature Pack 1 as a Fantasy Football engine. This post will serve as part 1 for the initial specification for the engine. Thoughts are not in any particular order. The direct ILM implications are bolded.

-->Typical outside Fantasy Football Leagues (FFLs) have of anywhere from 8-16 Individual Teams (ITs) where a team is set up by the Fantasy Team Owner (FTO). Since the initial rules specified in the first TechNet post that we would have a Hybrid College/Pro League and our depth of players is greater, we're going to design the league to enable leagues of up to 64 ITs. We'll set the minimum at 2 to leave the possibility of a head-to-head league open.

-->Units: Pro Football Player (Pro), College Football Player (CP), Fantasy League Owner (FLO), Fantasy Team Owner (FTO), Individual Team (IT), Individual Leagues (IL). Each will have a unique identifier.

-->A FLO must always be a FTO. A FTO can own many ITs, but only one IT per IL. Pros and CPs are available for each IL and can only be used once per IL on an IT.

-->Metaverse object types will be created for Pros, CPs, FTOs, ITs and ILs.

-->FTOs that are FLOs will have a reference attribute for the IL that that they are the FLO for.

-->ILs will have a reference attribute listing the ITs

-->Pros and CPs positions that will be considered for league use are Quarterback (QB), Fullback/Tailback/Runningback (RB), Wide Receiver (WR), Tight End (TE), Team offensive line (OL), Kicker (K), Team Defense + Special Teams (D/ST), Interception Specialists (IS), Tackling Specialists (TS), Sack Specialists (SS), Kick Returners (KR). None of these positions are mandatory. Each Pro or CP will have a mandatory multi-valued attribute that identifies them as one or more of those positions. A WR could also be a KR, for example, hence the reason for the multi-valued attribute.

-->We will move toward near-real-time scoring, however since most of the statistics services are expensive, we will use a text format to input scoring initially. An ILM Management Agent will be created for the CP statistics and a Management Agent will be created for Pros Statistics.

-->Statistical fields will be represented as attributes.

-->The engine will be built so scoring will be determined by the FLO and will be flexible to allow weights for Pro and CP statistics, if needed as well as weight toward player positions. The weights will be applied in attribute flow.

-->Since College schedules are not as consistent as professional schedules, this adds a complexity to the league that can be desired or undesired. Because of this, and the Professional bye week, there will be functionality for automatic bye week adjustment where an unused player will be used in the place of a bye week player. More difficult leagues will not utilize this capability.

This is all I can come up with right now. Keep the e-mails coming and we'll start building this thing out later this week or into next.

Have a good day!

--Shawn

This posting is provided "AS IS" with no warranties, and confers no rights.

MIIS/ILM Tricks: ILM Fantasy Football

2008-08-12T22:00:00Z

Hello Everyone!

In the light of the upcoming football season, I am going to start a new series of blog posts where we will utilize Identity Lifecycle Manager to create our own Fantasy Football engine. The posts will split time between this TechNet blog and my MSDN blog, http://blogs.msdn.com/therabournidentity. The goal is to think outside of the box, have fun and hopefully associate our findings with real-world issues.

Rules of Engagement:

1. We will utilize Identity Lifecycle Manager 2007 with Feature Pack 1 as the main engine and since I use Virtual Machines on the road, I will use one single virtual machine for the entire solution. When relevant scenarios arise, I will let everyone know what the good practices are.

2. We are only allowed to use Active Directory, ADAM, SQL and File-based Management Agents.

3. The Fantasy Football league will be a Hybrid College/Professional league. Players will be able to select College and Professional players and rules will be adjusted accordingly.

4. Once the next ILM version is released, we will upgrade the entire system.

5. Rules Extensions will be written in both C# and Visual Basic and posts will be made on my MSDN blog.

6. Reader submissions and ideas will be accepted and fully credited.

7. Each post will have the appropriate technical level in the title (100-200-300-400)

Later this week, we will create specification of the environment on the TechNet blog.

Thanks!

--Shawn

This posting is provided "AS IS" with no warranties, and confers no rights.

MIIS/ILM Tricks: Where did the post go?

2007-12-11T22:45:00Z

Hello!

To stay consistent with the overall theme of MSDN (Developers) and Technet (IT Professionals), the MIIS/ILM Related Posts with source code in them have been placed in my newly created MSDN blog: http://blogs.msdn.com/therabournidentity

Have a good day!

--Shawn

This posting is provided "AS IS" with no warranties, and confers no rights.

MIIS/ILM Tricks - Breakdown of Exchange Provisioning and Other Changes in ILM 2007 FP1

2007-12-07T21:01:00Z

I use a lot of acronyms for this post, so I wanted to build a “key” so I wouldn’t get confused

o Microsoft Identity Integration Server 2003 Service Pack 2 (later abbreviated as MIIS 2003 SP2, MIIS SP2 or MIIS) + Certificate Lifecycle Manager (CLM) = Identity Lifecycle Manager (abbreviated as ILM 2007 or ILM)

o Identity Lifecycle Manager 2007 Feature Pack 1 (abbreviated as ILM 2007 FP1 or ILM FP1) = ILM 2007 + Vista client support for CLM and other CLM enhancements + Exchange 2007 support in the identity engine + Cumulative updates since ILM 2007/MIIS SP2

o MIIS and ILM (no FP) refer to binary versions 3.2.559-3.2.10xx

o ILM FP1 refers to binary versions 3.3.118 and later

One of the more frequently asked questions regarding ILM 2007 FP1 is, “What does ILM 2007 FP1 offer me above and beyond ILM 2007 or MIIS 2003 SP2 with regard to the metadirectory engine?”

There are many improvements to CLM. But for the metadirectory engine, or the beast formerly known as MIIS, there are a few fixes beyond ILM 2007/MIIS 2003 SP2 described in the ILM FP1 release notes:

· Run profiles listed in the Run Profile dialog box are automatically sorted alphabetically.

· The versioning for the CLMUtils class has been corrected. The CLMUtils class can now be used with Visual Basic .NET. (side note: fixed in 3.2.1005, see http://support.microsoft.com/?id=937561 )

· Any management agent for Lotus Notes created with ILM 2007 FP1 will be configured to run out of process by default. This is to allow for memory issues with the IBM Notes 7 client. (side note: fixed in 3.2.1001)

· When the ILM 2007/MIIS 2003 server was busy and the Run History information was refreshed, a false out-of-memory status could be generated. This feature pack corrects this condition. (side note: fixed in 3.2.1001)

Again, I am talking specifically about the metadirectory engine. Looking at the release notes I see this information:

· The management agent for Active Directory Global Address List (GAL) now supports Microsoft® Exchange Server 2007.

· The management agent for Active Directory now supports Microsoft Exchange Server 2007 Mailboxes, Mail Users, Mail Contacts and Distribution Lists.

With regard to Exchange 2007 Provisioning, I decided to dig deeper

In the Active Directory Management Agent (AD MA) and in the Active Directory Global Address List Management Agent (GalSync MA) there is a new checkbox in the “Configure Extensions” dialog:

“Enable Exchange 2007 Provisioning”

I thought to myself – what does this checkbox provide to us that MIIS SP2 or ILM does not provide?

In checking the box we activate functionality in a new DLL, Exch2007Extension.dll, that is added to the Extensions directory that runs the Powershell cmdlet Update-Recipient (http://technet.microsoft.com/en-us/library/bb738148.aspx)

Where specific to ILM FP1, the parameters passed to the cmdlet are as follows:

· Identity is the DN of the object

· Confirm is false

· Credential is the account running the MA (creating the new objects)

· DomainController is either the DC name acquired by using standard DC discovery (dsgetdc) or hardcoded into the MA, depending on MA settings

· Server is not set

· Whatif is not set

The Update-Recipient cmdlet was added in Exchange 2007 SP1 specifically for use with MIIS or ILM. Since the Recipient Update Service (RUS) was discontinued in Exchange 2007, a process is still needed to “stamp” the object to become mail-enabled. According to the details for Update-Recipient,

“The version of the GAL synchronization management agent that was included in Microsoft Identity Integration Server (MIIS) 2003 was designed to work with Exchange Server 2003 and relied on the Recipient Update Service (RUS). Because RUS is a deprecated feature and is no longer required for Exchange 2007, the new GAL synchronization management agent that is included in ILM 2007 is designed to function without RUS.”

For the MIIS SP2 or ILM admin who is looking for a workaround, consider that ILM FP1 performs the Update-Recipient operation per-object after an export using the credentials of the principal that the MA is running under. If you wanted to work around having MIIS SP2 or ILM 2007 you would have to identify the newly-created objects and run a process out-of-band from MIIS/ILM with proper credentials to replace the functionality that is enabled with the “Enable Exchange 2007 Provisioning” checkbox. For GalSync, the procedure to work around not having ILM FP1 is similar to the MIIS procedure outlined in How to Deploy Exchange 2007 in a Cross-Forest Topology (http://technet.microsoft.com/en-us/library/aa998597.aspx )

Of course this document states:

“Synchronizing Exchange 2007 GALs by using MIIS 2003 is supported only as a custom solution. The recommended solution for synchronizing Exchange 2007 GALs is to use Exchange 2007 Service Pack 1 (SP1) and Identity Lifecycle Manager (ILM) 2007 Feature Pack 1”

To me, using ILM FP1 is an easy choice. A checkbox is much easier than writing a custom out-of-band script.

--Shawn

This posting is provided "AS IS" with no warranties, and confers no rights.

MIIS/ILM Tricks - Joining using name tables for abbreviated and similar names

2007-11-08T07:35:00Z

This content is now posted in the MSDN blogs:

http://blogs.msdn.com/therabournidentity/archive/2007/12/11/miis-ilm-code-experiment-joining-using-name-tables-for-abbreviated-and-similar-names.aspx

--Shawn

This posting is provided "AS IS" with no warranties, and confers no rights.

MIIS/ILM Tricks - XML-based MIIS/ILM Metaverse Router (part 1)

2007-06-28T14:26:00Z

This content is now posted in the MSDN blogs:

http://blogs.msdn.com/therabournidentity/archive/2007/12/11/miis-ilm-code-experiment-xml-based-miis-ilm-metaverse-router-part-1.aspx

--Shawn

This posting is provided "AS IS" with no warranties, and confers no rights.

RWPT - What not to do when you're coming home from an onsite visit

2007-02-14T01:12:00Z

I have a great story about my travels I would like to share with you. So I travel for Microsoft, I spend an average of 3 business weeks a month on the road. When you travel a lot one thing I have found that is important is to have a good routine. Here is an example from a few weeks ago where I started a new routine of never using the trunk of a rental car.

So I am walking toward the parking lot of my hotel and I am getting ready to go to my rental car so I can make my flight in 2 hours to go home and see my family. I start using the keyless entry on the keychain to honk the horn of the car so I can find it. I start to hear honking so I pop my trunk open and I walk to my car and put my bags in the trunk and I walk to the door and try to use the key to open the car. The car wouldn't open. I try to push the button on the keys to open the car and it still doesn't open. I finally use the button on the keys to honk the horn and the car next to the one I had locked my bags in the trunk in started honking. Of course neither the hotel or the rental car company could/would/should help me break in to someone else's car. Luckily, I noticed that inside the car of the person who forgot to close the trunk of the identically colored Pontiac G6 that got my bags that the directions to the hotel were in German. I let my friends at the hotel know and they told me that there were frequently German people visiting the hotel as Siemens was across the street. They called Siemens and I guess a pretty loud e-mail was sent to the site. Two hours later a German man with an identical Pontiac G6 rental came out to help. Of course it was not the same Pontiac G6 that my bags were locked in. Luckily for me, he knew another German man who had rented said Pontiac G6. I missed my flight but I had my bags.

I am certainly glad I get to make these mistakes so you guys don't have to. Now, I argue that the whole ordeal is 96% my fault for locking my stuff in someone else's trunk and 4% the other man's fault for leaving his trunk open... Of course my wife was expecting me to be home at 2:00pm so I could be with the kids so she could be at a meeting at 7:00 and my flight didn't arrive until 8:00 so she'll argue that it was 100% my fault for not paying attention. She's probably right.

The best part was sending this in an e-mail to my colleagues and getting their stories back.

This posting is provided "AS IS" with no warranties, and confers no rights.

RWPT - My Day Ruining Maneuver

2006-12-14T06:15:00Z

So here is a nice little tip that is a direct result of sleep deprivation and bad habit.

I was working on some C# code that grabs some log files and wraps them up into a cab file and moves them off to a different location. After that it clears the directory so new logs can be written. In writing the code I figured I would take the liberty of trying to get everything in the folder deleted except for the tool itself.

So in thinking I did this:

---snip---

Directory.Delete(Directory.GetCurrentDirectory(), true);

---end---

Where Directory refers to System.IO.Directory

So I am trucking along, writing some other functionality and I finally compiled the code... I fixed the compilation errors (usually missing semi-colons or curly brackets) and I went to test. I had a test directory C:\testdir\testdata where the tool was to be run in testdir and the data to be put in the cab file was in testdata.

Of course at 2:30am I am not thinking about the code I wrote an hour or two before, nor do I think about running this under the debugger. No I dragged the tool from the debug directory straight into a default command prompt. I was puzzled as the code did not return. So I went and looked at the code, thinking I might have done something wrong. I spent about 10 minutes looking. I figured it was hung somewhere so I looked for any potential hanging points - maybe a for loop where I put a greater than sign where I needed a less than sign or something like that. I went to control + C the running code and I caught a glimpse of my desktop...

Zero icons. Of course I had no browsing history anymore either. No PST's. No documents in the My Documents folder.

My default command prompt centers at %userprofile%... the "true" in the Directory.Delete means "go into all of the sub directories and torch everything."

Luckily I had a fairly recent backup. For the rest I used a third party file recovery tool.

This posting is provided "AS IS" with no warranties, and confers no rights.

BAD TROUBLESHOOTING 101 (part 4 of many): Give EVERYONE the opportunity for a short password!!

2006-08-22T22:40:00Z

OK. Let me get this perfectly straight. I am not going to give you a new way to do your passwords like Robert Hensing (http://blogs.technet.com/robert_hensing/archive/2004/11/12/256648.aspx) or former Microsoftie Jesper Johansson (http://blogs.technet.com/jesper_johansson/archive/2005/10/13/410470.aspx or http://www.microsoft.com/technet/security/secnews/articles/itproviewpoint110104.mspx). I am griping about short password policies. I was asked a question last week, "How do I prove to a customer that a six-character password policy is too short?" It wasn't the question that irked me, it was the thought that people have to actually *ask* that question. Six character passwords are to hackers like opponents are to Tiger Woods with the lead on Sunday at a Major. The red shirt makes it like everyone else starts off with a 4 on their scorecard before they ever hit the course.

The answer is a pretty easy one... Or is it? Password crackers can see passwords with less than 8 characters immediately. OK, so you know immediately that you have a limited character set to work with. At that point you *hope* that you have end users that use longer passwords. Well, what about social engineering? How many end users encorporate one of the following in their password:

Spouse's name?

Spouse's maiden name?

Kids' names?

Parents' names?

Pets' names?

Favorite sports team?

College attended?

Favorite hobby?

Make of vehicle?

Favorite movie?

Most recent movie they liked?

Favorite TV show?

Favorite actor/actress?

Favorite pro/college athlete?

A study was once done (I can't disclose details about it because it names a lot of names) showing that those 14 items would get well over half of passwords if they were included in a dictionary with hybrid capability ("password" could also be interpreted as "P@$$w0rD")

So you could potentially have a middle school student go into the cafeteria and hand out a survey for a "science project" and populate your dictionary file and then use a popular password cracker to run attacks against the shorter passwords and get quick results. Personally, I would be guilty of a few of those, but I am smart about it. I use a larger character set. One of my old passwords was a tribute to one of my favorite athletes "J0hn3lw@yH@ll0fF@m32004".

I wonder how many administrators you would get with the social engineering? I wonder if a middle school student added a 15th question "What is your favorite password?" How many would you get? That is a question for another day. I'd be interested in seeing how many of those you would get.

So I really haven't done anything definitive to prove that 6 character passwords are *that* bad. I have said something about password crackers and social engineering, but what's really the hold up here?

In my days in Product Support Services, I took about a hundred calls from customers who liked blank passwords and their new "0wn3r" liked those blank passwords as well. Can you count on your end user knowing better? Here's what I would like to see. I would like to see a video similar to those you see in an alcohol or drug or smoking or bad driving course. Your lungs will look like "this" when you're 50 if you use short and bad passwords. Seriously though, there needs to be a level of accountability there. Put the fear into the end user. If your password is the one that exposes Colonel Sanders' secret formula, you're fired.

So what are you preventing? The sticky note on the monitor or under the keyboard? A helpdesk call from someone who forgot their 9 character password? How about this? Go and print out 50 flash cards with inanimate objects on them and give everyone a deck of those cards and a roll of tape. Educate them to use something they can easily remember and the flash card to construct their password. So for me, my daughter's name is Georgia and her birthday is 5/26 and if I had a flash card with an apple on it, I could have a password like "Georgia5@^Apple"

That's not too bad, right? You can argue that there is capability of inside attacks at that point, but you can take it a step further. I could have a green apple and a red apple. Or a golden delicious apple. Or have four pictures on the flash card and instruct the user to remember one of them and not use the card again. 50 cards would get about five years of use with a 42 day expiration

I guess the justification is that it may or may not cost more to educate the user than it would cost to have everything 0wn3d. I am certainly glad that in some organizations there are compliance police that enforce these things and even better who are doing away with passwords and moving to two-factor authentication. But for those who still need to use passwords, please - educate your user. If a person can remember a 9-digit phone number, you can find a way for them to remember a 9 character password.

This posting is provided "AS IS" with no warranties, and confers no rights.

PKI Hints - Troubleshooting CertSvc Event ID 42 on an Enterprise CA in Windows 2000 and 2003

2006-08-12T02:55:00Z

I am going to tell you a story about SOX. Not Sarbanes Oxley, but S-O-X. In Microsoft Support, we are partly responsible for writing the Microsoft Knowledge Base articles at http://support.microsoft.com One of the ways we used to be able to get KB's out there was to write solution objects. In our case management database, customer cases were prefixed with SRX (or SRZ for a web issue or SR(letter), with a different letter for global regions). You open a case with Microsoft in North America and you get an SRX number which is SRX(year)(month)(date)6(daily case ID). So the 43,750th case for today would be SRX060811643750. SR stands for Service Request. When we would fix issues we would try to link a KB article to the solution. If we created the solution without documented support, we were responsible for creating solution objects, which are prefixed with SOX. So if you ever meet a Microsoft Support person and they talk about seeing an SOX, now you know what they're talking about. Anyway, if an SOX is linked to three cases, it gets raised to become a KB. "They" probably figure one time is a fluke, two times is a trend and three times is a real problem. I wrote a couple hundred of these things and have had a couple dozen raised. That leaves, well, a couple hundred SOX's that no one sees outside of Microsoft and I will try to sanitize them and post them. Hopefully you find them useful.

TITLE: How to Troubleshoot CertSvc Event ID 42 on an Enterprise CA

<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><

How to Troubleshoot CertSvc Event ID 42 on an Enterprise CA

Event Type: Error
Event Source: CertSvc
Event Category: None
Event ID: 42
Date: 10/29/2002
Time: 1:03:29 PM
User: N/A
Computer: SERVER
Description:
Certificate Services did not start: Could not build CA certificate chain for <ca
name>. Cannot find object or property. 0x80092004 (-2146885628).

OR

Event Type: Error
Event Source: CertSvc
Event Category: None
Event ID: 42
Date: 10/29/2002
Time: 1:03:29 PM
User: N/A
Computer: SERVER
Description:
Certificate Services did not start: Could not build CA certificate chain for <ca
name>. Keyset does not exist. 0x80090016 (-2146893802) .

<><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><><>
*** Resolution ***

The certificate service relies on the CACertHash value present in

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\<ca
name>
The easiest way to determine this value is to run the following command:

certutil -getreg ca\CACertHash

Take note of the values. An example is:

CACertHash               REG_MULTI_SZ =
    0: a3 44 19 90 30 41 5e c4 7b 0f d4 4d ea 47 d7 30 ef 0c 58 49
    1: ac 4e 6f d6 32 fd 6a 00 72 34 4f 9d b7 33 96 f4 71 3a ab 44

The next step is to verify that the Local Machine Personal Store has a correct
association with these keys:

certutil -f -repairstore my "a3 44 19 90 30 41 5e c4 7b 0f d4 4d ea 47 d7 30 ef 0c 58 49"
certutil -f -repairstore my "ac 4e 6f d6 32 fd 6a 00 72 34 4f 9d b7 33 96 f4 71 3a ab 44"

If these commands are not completing successfully, you are likely receiving the
first above event (cannot find object or property)

This is likely caused by deleting one of the CA certificates out of the local
machine store. To check to see if one of these is missing look in
HKEY_LOCAL_MACHINE/Software/Microsoft/SystemCertificates/My

The associated keys are the Certificate Hashes or Thumbprints. Check to see if all
of the hashes in the CACertHash value are present. If one or more is missing, this
is the cause of the event. To get the certificates back try running at the
following command:

ldifde –d “CN=<ca name>,CN=AIA,CN=Public Key
Services,CN=Services,CN=Configuration,DC={domain},DC={com}” –v –f ldifde.txt
look in the ldifde.txt
The output may look similar to this:

--snip--
dn: CN=ca name,CN=AIA,CN=Public Key
Services,CN=Services,CN=Configuration,DC=domain,DC=com
changetype: add
authorityRevocationList:: AA==
cACertificate::
MIIEXTCCA8agAwIBAgIQSnXfyRlA8IxIzC8VlL+qbjANBgkqhkiG9w0BAQUFADCBmjEhMB8GCSqGSI
b3DQEJARYSZ2FzZXRhQGNwcWQuY29tLmJyMQswCQYDVQQGEwJCUjESMBAGA1UECBMJU2FvIFBBdWxv
MREwDwYDVQQHEwhDYW1waW5hczENMAsGA1UEChMEQ1BxRDEYMBYGA1UECxMPU2Vydmlkb3JlcyBNYW
lsMRgwFgYDVQQDEw9DUHFEIEVudHJpc2UwHhcNMDMwNzE1MTkwMzM1WhcNMDUwNzE0MTkxMjI1
WjCBmjEhMB8GCSqGSIb3DQEJARYSZ2FzZXRhQGNwcWQuY29tLmJyMQswCQYDVQQGEwJCUjESMBAGA1
UECBMJU2FvIFBBdWxvMREwDwYDVQQHEwhDYW1waW5hczENMAsGA1UEChMEQ1BxRDEYMBYGA1UECxMP
U2Vydmlkb3JlcyBNYWlsMRgwFgYDVQQDEw9DUHFEIEVudGVycHJpc2UwgZ8wDQYJKoZIhvcNAQEBBQ
ADgY0AMIGJAoGBALxm6c/JjBUu+xrOEwALCug3MP/MeXe/lw+SyIy/Y4dZbQfI3zlOAAUxe5QxtK2z
sZ7yqzjsj9CEft9qjAdN93jojW1QKiNiPlFoHR9mdmM+wYDQupHAZb/BTbqxvzxO0W0NKIpSNISYbU
jGxJg2Ie9CLW88PDHgj3wVHJ0rHrftAgMBAAGjggGgMIIBnDATBgkrBgEEAYI3FAIEBh4EAEMAQTAL
BgNVHQ8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU2wGybzDbNPE9SX+z9oH37jEDMV
0wggEyBgNVHR8EggEpMIIBJTCB06CB0KCBzYaBymxkYXA6Ly8vQ049Q1BxRCUyMEVudGVycHJpc2Uo
MSksQ049c2FydW1hbixDTj1DRFAsQ049UHVibGljJTIwS2V5JTIwU2VydmljZXMsQ049U2VydmljZX
MsQ049Q29uZmlndXJhdGlvbixEQz1hcXVhcml1cyxEQz1jcHFkLERDPWNvbSxEQz1icj9jZXJ0aWZp
Y2F0ZVJldm9jYXRpb25MaXN0P2Jhc2JqZWN0Y2xhc3M9Y1JMRGlzdHJpYnV0aW9uUG9pbnQwTa
BLoEmGR2h0dHA6Ly9zYXJ1bWFuLmFxdWFyaXVzLmNwcWQuY29tLmJyL0NlcnRFbnJvbGwvQ1BxRCUy
MEVudGVycHJpc2UoMSkuY3JsMBIGCSsGAQQBgjcVAQQFAgMBAAEwDQYJKoZIhvcNAQEFBQADgYEAAI
H/45gc6pvksDMspXzS4tcB3GQ3NgVGGzUcfRYKzCsWIq+6RNhXLYiS4477WEr8iwqvWgmo4BMlNGiH
fQqQ9ZL3V7vB4eHtxVa99LqG1Ed8wQUg4iT1FA5yRS2ICI5vOf1vFDZHWXjH97heXSjyzfVt6/GwXH
fJ6QqvctSVXxI=
cACertificate::
MIID0DCCA3qgAwIBAgIQapi0c7lUwahPM9e1PZAHRjANBgkqhkiG9w0BAQUFADCBmjEhMB8GCSqGSI
b3DQEJARYSZ2FzZXRhQGNwcWQuY29tLmJyMQswCQYDVQQGEwJCUjESMBAGA1UECBMJU2FvIFBBdWxv
MREwDwYDVQQHEwhDYW1waW5hczENMAsGA1UEChMEQ1BxRDEYMBYGA1UECxMPU2Vydmlkb3JlcyBNYW
lsMRgwFgYDVQQDEw9DUHFEIEVudGVycHJpc2UwHhcNMDEwNzIzMTMzMzM2WhcNMDMwNzIzMTM0MjI2
WjCBmjEhMB8GCSqGSIb3DQEJARYSZ2FzZXRhQGNwcWQuY29tLmJyMQswCQYDVQQGEwJCUjESMBAGA1
UECBMJU2FvIFBBdWxvMREwDwYDVQQHEwhDYW1waW5hczENMAsGA1UEChMEQ1BxRDEYMBYGA1UECxMP
U2Vydmlkb3JlcyBNYWlsMRgwFgYDEw9DUHFEIEVudGVycHJpc2UwXDANBgkqhkiG9w0BAQEFAA
NLADBIAkEAv+tSVhSJyoG3oUGNDMMsUvCYH7KCF+DgQvSwb4txyxM5V9pixBTg0hOntGQF5jul
qcXHxSZBLADrbE50yQIDAQABo4IBmDCCAZQwEwYJKwYBBAGCNxQCBAYeBABDAEEwCwYDVR0PBAQDAg
EGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFPIxi5fiD+6eELg94lAzp/WJXUByMIIBLAYDVR0f
BIIBIzCCAR8wgdCggc2ggcqGgcdsZGFwOi8vL0NOPUNQcUQlMjBFbnRlcnByaXNlLENOPXNhcnVtYW
4sQ049Q0RQLENOPVB1YmxpYyUyMEtleSUyMFNlcnZpY2VzLENOPVNlcnZpY2VzLENOPUNvbmZpZ3Vy
YXRpb24sREM9YXF1YXJpdXMsREM9Y3BxZCxEQz1jb20sREM9YnI/Y2VydGlmaWNhdGVSZXZvY2F0aW
9uTGlzdD9iYXNlP29iamVjdGNsYXNzPWNSTERpc3RyaWJ1dGlvblBvaW50MEqgSKBGhkRodHRwOi8v
c2FydW1hbi5hcXVhcml1cy5jcHFkLmNvbS5ici9DZXJ0RW5yb2xsL0NQcUQlMjBFbnRlcnByaXNlLm
NybDAQBgkrBgEEAYI3FQEEAwIBADANBgkqhkiG9w0BAQUFAANBAJ3GZkvWu1H3kUlkZZnl/g4pVm8P
5FcLUJJdV99feIlBYafuA0CIS5hM2IZuz4plqggINpVRlW8VqeDLc9D3lZE=
certificateRevocationList:: AA==
cn: ca name
instanceType: 4
--end snip--

Copy the data within the caCertificates attribute and paste it into text files.
Rename the text files to have a *.cer extension. Open the CER files and look at
the Thumbprint attribute, these attributes should line up with the above CACertHash
Values.   Find the CER file with the Thumbprint associated with the missing hash
and import the certificate into the Local Machine Personal Store. Open the
certificates mmc for local computer and double click on the Personal certificate
store, right click on certificates and go to Import certificate and select the CER
file associated with the missing hash.

Then run

certutil -f -repairstore my "{HASH}"

against the newly imported certificate and attempt service start.

To verify that the Keys are valid run the following command

certutil -verifykeys

If the verifykeys command fails - you are likely receiving the second error message
(Keyset does not exist)

If the key that is failing in the verifykeys command is associated with a
certificate that is not the most recent certificate, identify the certificate and
find the Thumbprint value and populate the caCertHash value with the correct sequence of thumbprints.

You may also want to check the permissions on the %allusersprofile%\Application Data\Microsoft\Crypto\RSA\Machinekeys folder to ensure that SYSTEM has permission on the private keys.

This posting is provided "AS IS" with no warranties, and confers no rights.

RWPT - BAD TROUBLESHOOTING 101 (part 3 of many) Everyone's a local admin!!

2006-07-06T14:06:00Z

OK. gripe time. One of my co-workers was asked by a customer, "Can you prevent a local admin from deselecting File and Printer Sharing?"

Come to find out, everyone in their domain was a local admin.

Here's the problem... I used to get similar questions to that one a lot in that exact scenario. They all have the same answer. You can use a GPO to hide junk, but the local admin can always circumvent those processes.

We're shoving LUA and Least Privilege down your throats and we're still getting these questions.

Here's how I would have responded to that customer today if I knew I wouldn't get fired...

You're an administrator. What are they paying you for? So you made all of your users local administrators so they could install printer drivers or so they could install their favorite cool toolbar which is really spyware. You're essentially delegating your responsibilities to the end user for what? So you don't have to hear them gripe. Nice work. So to prevent 20 phone calls, you increased your attack surface area 80 million percent. You don't have any control over your environment anymore. Sure, you can react now. No more cutting off the problems at the knees. Joe Enduser goes to a website, clicks on a link and gets a virus, block the website. Jill Enduser clicks on a link in an Instant Message and gets a virus, port out Instant Messaging.

How about this? When you were really building your fantasy team or playing World of Warcrack you could have been investigating Software Restriction Policies or actually packaging the drivers for the printer that 20 people who are all in the same OU and pushing that msi down using that SMS Deployment you bragged about in your last review. Now you are bracing yourself for the next virus introduced by those local admins and the 5 days of lost production due to cleanup. The wrong guy is going to get fired. The poor guy you made into a local admin who thought he was getting an IM from his mother who introduced the virus is going to get fired. Not the lazy admin who had three people nag at him because they couldn't download the MP3 software so he made everyone a local admin to "fix" the problem.

Worse than that we actually built a feature into the Windows Vista product that essentially stops everything and asks you if you are "really really sure" if you want to install that malware even if you are local admin. And you can turn THAT off. So please... please... for your sake. If you're going to give Pat Enduser local admin, please don't turn that off. At least that way Pat will have someone who is doing the right thing on his side (not you, dude - the person who wrote that code into Vista).

Do me a favor. Read into LUA.

400 level:

http://blogs.msdn.com/aaron_margosis/

200-300 level:

http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/luawinxp.mspx

100 level:

http://www.microsoft.com/technet/security/secnews/articles/lpuseacc.mspx

P.S. Stop being lazy. And don't think Power Users is any better (http://blogs.technet.com/jesper_johansson/archive/2006/03/12/421870.aspx)

BTW, I am not perfect, either. I ran into one of the above Enduser problems once when I didn't know any better. Not going to tell you which one, but I too was lazy. Of course(and luckily), I was a one-machine administrator at the time.

This posting is provided "AS IS" with no warranties, and confers no rights.

RWPT + PKI Hints - BAD TROUBLESHOOTING 101 (part 2 of many) Certification Authorities on a Domain Controller

2006-05-16T11:29:00Z

I blogged last week on User Profile troubleshooting and that was one of my biggest pet peeves. Now it is time for my BIGGEST pet peeve. I almost feel bad that I am on entry number 4 of this blog and I can't save this one for later, but I need to hopefully spread the word and stop the bleeding.

This really isn't much of a blog entry on troubleshooting, but often times I have seen people stand up a temporary CA to get things like Live Communications Server or Outlook Web Access to work, so I guess technically you could look at it that way. I don't know where it started or who first said it was OK, but I am going to say it now... DO NOT INSTALL AN ENTERPRISE ROOT CA ON A DOMAIN CONTROLLER. This is a bad idea. A really bad idea. First of all, if I was a hacker and I wanted to target a server, I would target a DC. If I was a mean hacker and I wanted to send e-mail that was digitally signed by the CEO saying that everyone is fired, I would be happy to know that the DC I just attacked also had the private key of the root CA on it. That only touches the surface of what you could do if you had the private key. And there would be no means of revocation. Second of all, the biggest dependency of the Certificate Service is the computer name. There are hooks in DCPromo.exe to check to see if the computer is a CA. You would have to backup the CA using the CA snap-in, demote the DC or decommission the DC and move the CA backup to a server with the same name (How to move a certification authority to another server - http://support.microsoft.com/default.aspx?scid=kb;en-us;298138). Now, what if the DC goes down? I hope you have a backup (http://blogs.technet.com/shawnrab/archive/2006/05/10/427905.aspx) because if we go into Directory Services Restore mode, we can't take a backup of the CA's private key. With no backup of the CA, if the computer is toast, so are the certificates you issued.

The Microsoft Best Practice of a three-tier CA with an offline root is the way to go. And with support for Certificate Services on Windows Server 2003 SP1 on Virtual Server 2005 R2, there's really no excuse. If you have an enterprise subordinate CA that issued 100,000 certificates that is compromised, all you have to do is revoke one single certificate to deem the CA and the certificates it issued inoperable. If you add a Hardware Storage Module (HSM) for the private keys, you're in better shape. You'll thank me. Your auditor will thank me. Your CEO will thank me. OK, maybe not - you've likely made any potential problem go away.

Certificate Services and PKI is 95% planning and 5% doing. If you stand up a temporary CA for one or two certificates as a short-term solution, I am *almost* OK with that as long as you come in behind that CA with a full-blown PKI and you don't install the CA on a DC. With the guidance of the Best Practices for Implementing Windows Server 2003 PKI (http://technet2.microsoft.com/WindowsServer/en/Library/091cda67-79ec-481d-8a96-03e0be7374ed1033.mspx?mfr=true) and my two three-tier webcasts (http://support.microsoft.com/default.aspx?kbid=896733 and http://support.microsoft.com/default.aspx?kbid=896737), you could set up a temporary three-tier PKI using Virtual Server 2005 R2 and Windows Server 2003 SP1 and have quick and cheap practice for a full-blown PKI.

You can install a parallel PKI to the temporary PKI and have it work almost independant to the existing PKI. The only thing they will share is the Certificate Templates, which are in the Configuration NC in Active Directory.

Once you are ready to decommission the temporary PKI, you can use a quick command to remove the remnants of the temporary PKI from Active Directory. For a CA with friendly name Temp-CA-1, you can run this command: certutil.exe -dsdel Temp-CA-1

So all in all, just say NO to a CA on a DC.

This posting is provided "AS IS" with no warranties, and confers no rights.

RWPT - BAD TROUBLESHOOTING 101 (part 1 of many) User profile troubleshooting - don't blow them away

2006-05-11T05:34:00Z

One alarming trend I am seeing on customer sites and I saw when I was in PSS was the common troubleshooting step of blowing away a user profile. An end user calls in to the helpdesk because they are having trouble logging on, whether they receive an error stating that a temporary profile loaded or that it just takes too long. Most helpdesk techs or admins take a nice simple path. They blow away the user profile. STOP IT. This is like having a car that doesn't start, so instead of figuring out the problem you break the glass on the dashboard and move the arrow that is pointing to "E" and glue it to the "F."

There are a few common problems with user profile unloading. The most common is that the user logged off and an application left an open handle into the profile (file or registry) and that handle is not allowing the user to log on. I don't know the case numbers but I would say that this is the problem more than 50% of the time as a conservative estimate (my educated guess would be 99%).

Common event log messages are in the application log coming from UserEnv and have event IDs of 1524/1517 (Windows XP/2003) or 1000 (Windows 2000)

http://support.microsoft.com/?kbid=837115

One of the Escalation Engineers in PSS wrote a tool called User Profile Hive Cleanup or UPHClean to help troubleshoot and often resolve these issues.

http://www.microsoft.com/downloads/details.aspx?familyid=1B286E6D-8912-4E18-B570-42470E2F3582&displaylang=en

Now, let me get to the point. Blowing away the profile is BAD NEWS. The user's private keys are stored there. The user might have data stored in the profile. Renaming it and renaming it back is OK, but if your user is engaging in User Autoenrollment and the certificate template specifies to publish the certificate to the user's account then they get another certificate on their account. User certificates are BY FAR the largest contributor to user-account bloat in Active Directory. Now, you might say, "I checked the checkbox to have the user's certificate not publish to the directory if a duplicate exists." That doesn't do you any good for the new profile. So now you have a chicken-egg scenario. You wouldn't have gotten in the mess in the first place

Also, how many users like to lose their favorites, or IE cache or cookies? OK, that might seem minor, but now think about the CEO losing EFS encrypted data. So you try to rename the profile and you can't because something has it's filthy mitts on ntuser.dat. So you reboot into safe mode as local admin and blow that puppy away. Chances are the reboot may have temporarily mitigated the issue.

You can use UPHClean actively where the service does its best to resolve these issues on the fly OR you can use UPHClean in Reporting mode to have events show up in the event logs - likely the culprit of the issue.

Next time in BAD TROUBLESHOOTING 101 - I will talk about another bad practice I have seen in the field and in PSS... Which one? Whichever one is firing me up that day.

This posting is provided "AS IS" with no warranties, and confers no rights.

RWPT - Don't "Jack" it up, back it up!!!

2006-05-10T21:28:00Z

I spent almost 4 years in Microsoft Product Support Services. I would take calls and fix problems. One nice thing about PSS is that if you worked the night shift, they would give you a salary differential. Being a younger employee and in need of some extra cash I would field night shift calls. The night shift calls were often really nasty issues and there was one common theme when it came to most customers.

So I am watching my favorite show on Monday night. Being a Premier Field Engineer, I travel a ton and there's one constant rule that I follow. Book your flights and make hotel arrangements around the show "24." Yeah, a DVR is a good idea, but I have too many friends who text message me their reactions as the show happens. I turn the phone off when I am on the West Coast... Watching "24" the night of the show is the only acceptable workaround. I can't go to work the next day without knowing the facts. Anyway, I am watching "24" and the main character Jack finally acquired the evidence that implicates the Fictional President of the United States in all of the days actions. It was a recording of the Fictional President talking to the bad guy. Jack had acquired the recording before in the season and then the bad guy got it back and during the last episode a different bad guy erased it. WHY DIDN'T JACK MAKE A BACKUP??

That bothers me that my fictional hero didn't make a backup. Jack is like the unfortunate many of the customers who would call me at night. There's really no excuse. We provide a tool (ntbackup.exe) to do backups. It's free, or at least it comes free with the purchase of Windows Server. So why aren't you using this shiny toy that comes in the bottom of the cereal box?

So what is the excuse for not having a backup? You didn't have time? You were busy dodging bullets and running from the MAN? Either way, don't get JACKED, make sure the data is BACKED!!

This posting is provided "AS IS" with no warranties, and confers no rights.