1dent1ty cHa0s

So, you are still running IE6 (as many Enterprises still are) on the desktop and whenever you attempt to export certain file types from a SQL Reporting Services web site you are prompted to save "Reserved.ReportViewerWebPart.axd". To the average user this would probably halt the experience and may even prompt a call to the helpdesk (if you're lucky, otherwise they might not say anything at all and just never use your nifty reporting site ever again). I've been getting this error for quite awhile now and, being only a minor nuisance, I would just rename the file to the appropriate name/extension and go on about my business. This morning I finally got tired of it and decided to do something about it.

It turns out that "rniersbach" was kind enough to file a bug in Connect on this very problem. The status of this bug is "Resolved (Won't Fix)" and the Microsoft tech assigned this bug was kind enough to list two workarounds:

1. Upgrade to IE 7.0 - not exactly an option in most corporate environments if the standard remains IE 6, or
2. Delete the .axd file type from the list of file types IIS compresses - now here is an option an SSRS Admin should be able to influence

The feedback goes on to reference the following TechNet article on how to accomplish this:

Customizing the File Types IIS Compresses

I found the instructions a little too high level, so for both general consumption and my own blog-term memory, I'll describe how to fix this. If you crack open the metabase (%windir%\system32\inetsrv\metabase.xml) you can find the following section:

Notice that the offending parameter here is under HcScriptFileExtensions. The safe way to eliminate this is to run the following commands from the command prompt:

cd \Inetpub\AdminScripts
cscript adsutil.vbs SET W3SVC/Filters/Compression/gzip/HcScriptFileExtensions "asp exe"

In order to get the change to take effect I had to follow this with an IISRESET as well; however someone more IIS savvy might know of a way around this last step.

That's it - now you can export without having the annoying AXD problem!

So, the more and more I work with the ILM "2" portal, the more I come to the realization that the "Identity" in "Identity Lifecycle Manager" is becoming irrelevant. The ILM "2" portal is built to be extensible so you can model virtually any type of object and track its lifecycle. For instance, if you wanted to track the lifecycle of pagers or other assets in your company and you needed to do so with a rich workflow based request model you could use the ILM "2" portal application to do so.

What about the Sync Engine?

While it is true that the ILM "2" portal will be somewhat limited in what it can action through the Sync Engine, the ability to action directly from a workflow activity running in the ILM "2" portal is certainly possible. Whether or not this action is sanctioned by the Product Group is an open question but I certainly hope it is not frowned upon. Today, for good reason, we limit external calls from ILM rules extensions because of the linear and transactional nature of the sync engine - but with Workflow state can be serialized and de-serialized at any point in the program execution without affecting the host service so I don't believe the same restriction applies here. If you wanted to have a workflow interact directly with another web service or process then I don't see an issue here.

A new MOSS Development Platform?

Ok, so replacing MOSS app/dev is perhaps going a bit too far, but for most rapid application development and small enterprise applications, building an application on top of the ILM "2" web service and the ILM "2" site template (or a heavily modified one) isn't a bad idea. As the technology matures and we collectively get better at manipulating the portal I can see this happening for sure; especially if the heart of what you are doing requires workflow driven request processing. For the right price, Microsoft might actually have something capable of combating the Notes application threat. If you've worked in a Notes-infected environment then you are well acquainted with the proliferation of "Notes applications" that are next to impossible to supplant. Again, if we collectively make this simple for Administrators and Power Users to build quick feature rich applications around then it will begin to accrete the "quick and easy" applications over time the way Notes environments have. Having a full powered self-service request mechanism at your fingertips is powerful indeed.

So, in summary, I truly believe the scope of "identity management" is blurring into a more general and open "lifecycle management"; identities and certificates are just the start my friends, get ready for a brave new world! I say, name the new product "Lifecycle Manager 2009."

Who's with me? I ask, toga enabled.

Ok, this was a head scratcher and of course now it makes total sense; in hindsight. Yes, today I "suffered mightily under the iron fist of PKI."

Client was getting this error when trying to import their Root CA certificate into the Cisco VPN client. The following items were not the problem:

• Key length was 2048 bits, so no issue with the key being too long
• Validity period was good
• File wasn't corrupt

The error wasn't much help and calls to Cisco turned out to be somewhat of a red herring as Cisco admitted a bug existed related to certificate imports but had no fix available. We could get other certificates to import fine but were at a loss as to why this particular certificate was somehow "invalid" when everything appeared to the contrary.

The break came when we reproduced the customer's CA configuration in a VPC and started altering the fields that were specific to their implementation:

• Basic Constraints had an error - path length was empty
• CRL DP had the "UnknownConfigDN" present in the LDAP URL
• Issuer/Subject fields on the non-working certificate used CN=RootCA,O=,C= format while others did not

As it turned out the Basic Constraints was a non-issue and is typical of renewing the CA certificate using 'certutil -renewcert' instead of going through the GUI. Brian Komar was kind enough to point out that this is due to a bug in Windows Server 2003 where renewing a certificate and changing the key ignores the CAPolicy.inf but I digress.

The CRL DP was also a false start - as it turns out, we're pretty certain the VPN client doesn't even attempt to validate this during import.  That left us with the Issuer and Subject fields...

Let's make one thing very clear, the distinguished name of your CA is not really a DN that should be reachable by any means. It is simply a distinguished name that allows you to infer some sort of organizational or country specific affiliation should you choose to do so. As it turns out, the Cisco client is very particular about RFC5280 to paraphrase Brian Komar.  For instance, the following are all legal distinguished names for your CA:

• CN=My really really long Root CA Name,O=MyCoolOrg,C=US
• CN=MyRootCA,O=Organization
• CN=RootCA
• CN=RootCA,DC=my,DC=activedirectory,DC=domain

None of these need exist but they are all valid syntaxes; however let us say that you have the following AD domain - domain.local and you decide that you would like the following CA DN:

• CN=MyRootCA,O=domain,C=local

Then you would get an Error 39 from your Cisco VPN client when it went to import it. The Microsoft CA doesn't care in the slightest and everything will function properly, until an application attempts to validate the syntax of your CA DN according to the RFC and X.520.

As it turns out, the client saw the "C" and attempted to validate it according to X.520 which says it should be no bigger than 2 characters. To test this further I created the following test CA DN:

• CN=MyRootCA,O=domain,C=xx

"C=xx" is not on the list of approved ISO 3166 codes and guess what...the Cisco client didn't care (would have been pretty impressive and yet self-limiting if it had).

So, the moral of the story is, if you are going to set your CA DN and you want to use the C/Country indicator then you need to stick to strict syntax and a two digit ISO 3166 country code; otherwise you can omit it altogether or use your OU/DC structure that you are most familiar with from Active Directory.

If you're still reading this and you don't already own one of Brian Komar's books, then stop what you are doing and go buy one.

Ensynch picked up a very nice regional partner award at Microsoft's Worldwide Partner Conference. It certainly is nice to be recognized as being dominant in your own backyard!

Ensynch received this year’s award for its growth and execution around Unified Communications, mastery of the Infrastructure Optimization methodology, and the growth and impact Ensynch is having on the Southern California marketplace.

Ensynch continues to expand beyond its Arizona headquarters with the opening of offices in Irvine, Los Angeles and San Diego, serving Southern California and its recent acquisition announcement of Calif.-based eBI Solutions.

Ensynch Named Southwest Partner of the Year by Microsoft

I am very excited to now be a 3-time award winner of the Microsoft Most Valuable Professional program. Our competency has morphed from MIIS to ILM and I'm happy to see three new members:

• Chris Calderon - Chris is a superb Identity Architect (just look at his blog) and an effective speaker.
• Peter Geelen - Peter is a huge influence in the Benelux community in the areas of Identity Management and Enterprise Security.
• - Brian has been an Enterprise Security MVP for several years now and because of his immense influence on the CLM components within ILM I'm happy to welcome him to the group!

In addition to our new awardees, Joe Stepongzi and David Lundell were also re-awarded - congrats guys!  That brings the total up to 8 ILM MVPs:

https://mvp.support.microsoft.com/communities/mvp.aspx?product=1&competency=Identity+Lifecycle+Manager

Last March we all got to meet with the ILM Product Group for dinner at the MVP Summit in Redmond, WA:

From left to right: Almero Steyn, David Lundell, Brad Turner, Joe Stepongzi, Paul Adare, Brian Komar, and Ahmad Abdel-wahed (Microsoft).

MVP's represent a group of passionate individuals that spend a considerable amount of time answering questions on forums or newsgroups (for free), speaking publicly, and generally evangelizing the product. We have a personal interest in seeing the quality of the products we represent improve and the adoption of them increase.

For me the most valuable aspect of being an MVP is the close relationship we build with the Product Group. This relationship culminates at events like the MVP Summit and technical conferences like the Directory Experts Conference (now The Experts Conference) where the direct exposure and access helps to open very effective dialogs between the PG and ourselves.

Looking forward to TEC 2009 and MVP Summit 2009 - Almero, you had better be at one of those if not both, sir!

I am really excited to welcome some new experts to the Ensynch team! This allows us to extend into Business Intelligence in a big way and gives us competencies in BizTalk, Commerce Server, Host Integration Server, SQL, and PerformancePoint Server that we didn't have before. I have high hopes that this will augment both our existing Portals & Collaboration and Identity and Access Management practices by adding new dimensions there as well.

Now to lure some of these folks to the ILM dark side...

You can find eBI Solutions online here:

Ensynch Announces Agreement to Acquire eBI Solutions, Business Process Integration Leader and Microsoft Gold Partner - Forbes.com

Are you just not getting that loving feeling from your ILM 2 beta 3 portal? Getting an Access Denied error instead? In order for you to logon to the portal the following things need to be in order:

• You must have an account in the portal
• You must have a matching account in AD

When logging into the portal the accounts must match in order for you to validate; however there is one additional permission that you must have the confounded our testing for awhile - the Identity Management portal must have the Domain Authenticated Users entry granted the Contribute rights. For whatever reason, our portal did not include this and only Administrator could login (or whoever installed the portal I believe). So, if you have exhausted all other attempts, validate that SharePoint has the correct rights:

• Logon to the Portal as Administrator
• Click the Site Actions drop down in the upper right hand corner
• Select Site Settings
• In Site Settings, click Advanced Permissions under the Users and Permissions column
• Validate that NT AUTHORITY\authenticated users has been added

Note that Authenticated Users will let even non-portal users view the portal splash page; however they will be unable to access anything.  The sAMAccountName of the logged on user must match a valid User object in the portal. or you get something like the following error:

How old were you when you first started using computers?

I remember taking things apart so I could figure out how they worked early on, but my first actual computer usage had to be during a GW Basic summer course when I was 11. My mother thought I would enjoy it (she was right) and I did get some interesting stares from the 20 and 30 something's in the class who were there for business training.

What was your first machine?

The programming class I took just happened to be held on a TI-99 4A so I begged my parents for one and so it became my first machine. I thought I was so cool saving programs to audio cassette and making it talk using the speech synthesizer!

What was the first real script you wrote?

My first Basic program was an AD&D character generator on the TI-99 4A (go figure) but without a printer it wasn't of much use other than generating random numbers.

My first real script of any substance in a scripting language would have been in Perl for Win32 back during the Y2k scare. I built a series of compiled Perl scripts that scavenged Win9x and WinNT systems for non-compliant software versions that eventually grew into a software delivery and auditing platform called MARV (Millenniax Application Remediation & Verification). It was overly complex, really cool on a geek level the way it self-updated, and not something you'd ever sell to anyone. :)

What scripting languages have you used?

Tinkered with VBScript and Batch of course but my real scripting love was Perl for Win32.  You can find all of my old Perl SysAdmin scripts (quickfind - Brad Turner) on Clarence Washington's Win32 Scripting site. Clarence and I used to work together back in the old Paranet days.

My programming background started with GW Basic (TI & PC Jr), Pascal/Turbo Pascal, VB6, VB.NET, and now C# (thanks Jerry). The more I program, the more I realize I am not a real developer - I will always have a scripter mentality for solving basic problems and automating complex tasks; that is why I love ILM so much!

What was your first professional sysadmin gig?

I did a year of PC delivery, assembly, and tech support before my first SA gig back in 1993 working for a small roofing company in Peoria, AZ. After that, another year in tech support and then my first real consulting gig doing desktop migrations from WFW to Win95; I didn't even know what a "helpdesk" was back then until I started there.

If you knew then what you know now, would you have started in IT?

Certainly, I might have even avoided those costly student loans!

If there is one thing you learned along the way that you would tell new sysadmins, what would it be?

Ok, several really:

Growth and hunger are important - especially when you are just starting out, learn everything and touch as much as you can to expose yourself to as much as possible and never stop learning or raising the bar higher; in IT, resting leads to stagnancy and soon obsolescence.

Find a company that you can make work for you - I have a reverse mentality about my employers, they work for me and facilitate my success. If you find yourself waiting for direction then you'll never be happy with what you are given, take control of your destiny and tell others where it is you need to be and if they can't help or aren't willing to adjust then find a new place to work. Good companies value dedicated and motivated employees and motivated employees equate to happy customers and therefore happy company.

"No problems, only solutions" - Flynn, from Tron

What's the most fun you've ever had scripting?

Probably learning Perl (Perl for Dummies and Learning Perl aka the Llama book) to solve a real world problem. I can't learn any new language unless I have a real world problem to solve yet; which is why I haven't picked up PowerShell yet. I recall many 18 hour days of work, and then staying late (when no one else was around) to experiment with new functions to see what sort of data I could uncover on remote systems.

Who am I calling out?

Jerry Camel

Joe Stepongzi

Shut Up, Laura - Laura's Rants and Raves - Scripting / SysAdmin meme