Archive for the ‘Microsoft’ Category

Boost your internal PKI/Microsoft CA security with FREE green Extended Validation SSL in 15 minutes or close your eyes until 2016!

One of the new CAB Forum baseline requirements is that all SSL certificate issuers are to stop issuing SSL certificates with internal host names and IP addresses. Currently it is possible to get internal host names in public certificates until 2016, but after 1 July this will be shortened to 2015. But keep reading and you will remove this threat today, instead of waiting until 2015-2016.

Normal usage of SSL certificates

Most companies with a medium to large infrastructure use an internal PKI solution like Microsoft Certification Authority for identity and encryption on internal workstations and accounts. They will also use the internal CA to issue certificates for server systems that are only accessed by internal computers, where Root CA trust can be controlled automatically through GPO or similar.

But external-facing websites and server systems use SSL certificates issued by a public external CA, to ensure trust by all devices, including mobile devices and external computers.

(did you see the padlock in the above image?)

Example of attack

It makes sense to prevent easy attacks on the identity part of SSL security for internal systems. Any internal website would be easy to replace with a fake site, or to man-in-the-middle, using a real, externally and publicly trusted SSL certificate that includes the internal host names. Example: an internal password management portal on https://mypassword.abc-organization.local. The intruder gets a certificate issued to www.notyours.dk including the SAN name “mypassword.abc-organization.local”. It would be easy for the intruder to set up a fake website to harvest passwords with a real SSL certificate that all clients would trust just as much as the internally issued SSL certificate on the existing system. Clients would see the padlock with no visible changes. Read the rest of this entry »
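The attack above hinges on an internal name ending up in a publicly trusted certificate, so a PKI admin will want to audit the certificates already in use. The following Python is an added example, not code from the original post: it takes a subjectAltName list in the shape Python's ssl.SSLSocket.getpeercert() returns it and flags every entry that would count as an internal server name or a reserved IP address under the baseline requirements. The set of non-public top-level labels and the sample SAN list are constructed assumptions for illustration; the real criterion is whether the name resolves in public DNS.

```python
import ipaddress

# Constructed, illustrative subset of top-level labels that are not delegated in
# public DNS (RFC 2606 / RFC 6762 reserved names plus common internal suffixes).
# The real test is "resolvable in public DNS"; treat this set as an assumption.
NON_PUBLIC_TLDS = {"local", "localhost", "internal", "intranet", "lan",
                   "corp", "home", "private", "test", "example", "invalid"}


def reserved_ip_reason(text):
    """Return a reason string if text is an IP address that is not globally
    routable, None if it is a public IP, or False if text is not an IP at all."""
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return False
    if not ip.is_global:
        return "reserved/private IP address %s" % ip
    return None


def dns_name_reason(name):
    """Return why a dNSName SAN entry counts as an internal server name, or None."""
    host = name.strip().rstrip(".").lower()
    if not host:
        return "empty dNSName"
    if reserved_ip_reason(host) is not False:
        # Any IP literal, public or not, does not belong in a dNSName entry.
        return "IP address literal in dNSName"
    labels = host.split(".")
    if len(labels) == 1:
        return "single-label host name (not resolvable in public DNS)"
    tld = labels[-1]
    if tld in NON_PUBLIC_TLDS:
        return "non-public top-level label '.%s'" % tld
    if tld.isdigit():
        return "numeric top-level label"
    return None


def audit_san(subject_alt_name):
    """Audit a subjectAltName sequence of (type, value) pairs such as
    ('DNS', 'host.example.com') or ('IP Address', '10.0.0.1'), i.e. the shape
    of ssl.SSLSocket.getpeercert()['subjectAltName'].  Returns a list of
    (type, value, reason) for every entry that would be an internal server
    name or reserved IP address."""
    findings = []
    for kind, value in subject_alt_name:
        if kind == "DNS":
            reason = dns_name_reason(value)
        elif kind == "IP Address":
            reason = reserved_ip_reason(value)
            if reason is False:
                reason = "unparseable IP address"
        else:
            reason = None  # email/URI GeneralNames are out of scope here
        if reason:
            findings.append((kind, value, reason))
    return findings


# Constructed sample SAN list modelled on the scenario in the post: a public
# name next to an internal .local name, a single-label name and a private IP.
SAMPLE_SAN = (
    ("DNS", "www.notyours.dk"),
    ("DNS", "mypassword.abc-organization.local"),
    ("DNS", "intranet"),
    ("DNS", "*.notyours.dk"),
    ("IP Address", "192.168.10.5"),
    ("IP Address", "1.2.3.4"),
)

if __name__ == "__main__":
    for kind, value, reason in audit_san(SAMPLE_SAN):
        print("FLAG %-10s %-40s %s" % (kind, value, reason))
```

To run it against a live service, pass `ssl_socket.getpeercert()["subjectAltName"]` straight into `audit_san`; anything it flags is a name a public CA should refuse after the deadline and that belongs on the internal CA instead.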

How to get rid of the annoying syntax error popup message when using Internet Explorer with Java so your mother-in-law will stop buggin’ you about it

Quite some time ago I encountered this error for the first time; to be honest I cannot even remember when it was. But I do know it was a fully updated Windows 7 and Internet Explorer, together with the current Java Runtime Environment, that gave me the problem. But I am getting ahead of myself.

Problem description:

  • Using Internet Explorer, Windows 7 and Java Runtime Environment – all updated to latest editions on completely clean installations
  • On all webpages loading Java the following error message appears twice (x2, two times, 2 times).
    Title: “Microsoft JScript compilation er…”.
    Error message: “Syntax error”.

Extra bonus information:

  • I have experienced this problem on Windows 7 with and without service packs, Internet Explorer 8 and 9
  • Usually the problem appears from “birth” with default settings
  • Settings in Internet Explorer for showing errors, debugging scripts, etc. are all at their defaults, i.e. set not to annoy the user
  • The error always comes two times and has absolutely no useful information
  • The Java application works fine without any errors; the only error is the actual message about the error, and yes, it is really annoying

So to continue… Read the rest of this entry »

How to configure your virtual Domain Controllers and avoid simple mistakes with resulting big problems

So you went ahead and used virtualized Domain Controllers for your Active Directory domain, congratulations! I am sure you will be happy with the decision; as long as you have a decent virtualization environment, this will give you peace of mind, faster recovery and cheaper redundancy.

There are, however, some special considerations you must make when you are using virtual Domain Controllers. Not to mention: please, with sugar on top, do NOT P2V/convert your physical Domain Controllers to virtual without at least reading this article!

What areas do we need to consider on a virtual DC?

  • Time synchronization
  • Disk cache
  • Suspend/pausing virtual machine
  • Snapshots and System State backups
  • Performance

Personally I much prefer virtual Domain Controllers over having a lot of physical ones, but there are some considerations to be made: about perhaps leaving some physical, what features to use on the virtual ones, and what settings to use as well. This article attempts to uncover some of the points to consider specifically for virtual DCs. The list is in no way meant to be the only considerations, but is mostly the things that I personally have noticed being forgotten in environments I have encountered. Add your own preferences and research to this and you should be well on your way to living happily ever after with your virtual DCs.

Read the rest of this entry »

Debugging an OCS installation just got easier

I might be really slow in discovering this; after all, it has been some months since I last touched an OCS installation. I seriously wish I had had this tool the last time, though.

This tool, just like the Exchange testing tool, shows all the steps involved in connecting to an OCS system and produces any errors, as well as confirmations that everything is working. It is excellent for debugging or even just validating that everything is working as it should. I found the link to the tool on a new Danish UM experience-sharing group (all in Danish): http://www.colabora.dk/.

The actual tool can be found here: https://www.testocsconnectivity.com/

Thought I would also add some extra info and show what results the tool can produce (FQDNs and IPs changed).

Read the rest of this entry »

How to get external SAN UC SSL certificates that work with OCS 2007 R2 and avoid having to read 100 blog posts!

Been reading up on the external and internal DNS names used by OCS 2007 R2? Has your head stopped spinning yet? So you have decided on what FQDNs to use; the next step is to order some SSL certificates. Should be easy enough, right? You already figured out you need SSL certificates that are Unified Communications Certificate (UCC) enabled. In my example I will use GlobalSign Domain Validated SANs; if I needed multiple domains, for example for @sole.dk and @soleit.dk, I would choose GlobalSign Organisation Validated SANs instead.

For a GlobalSign SSL certificate to be UCC enabled, it must use SAN domains; there is no other way of enabling it. So there is no point in spending lots of budget on separate SSL certificates for each service. SAN subdomains are also quite a lot cheaper than buying separate SSL certificates.

One of the tricky parts of Office Communications Server 2007 R2 and SSL certificates is that you cannot use one single SAN SSL certificate for all services if you intend to use port 443 for all services!

Why would we only use port 443? Read the rest of this entry »

How to publish RD Web & Gateway (2008 r2) on ISA 2006, and still have time to watch The Big Bang Theory!

So I was asked the question: how do you publish the new Windows Server 2008 and 2008 R2 editions of Terminal Server, including the RD Web and RD Gateway (GW) services, and on top of that still use ISA 2006 for authentication with Forms Based Authentication (needed in this case for RSA keys)? Sounds easy enough, right? Wrong!

Well, once you get your head wrapped around the limitations, which of course are always hard to find documentation on, it is easy enough. Basically the RD Web service is easy enough to get working; a simple next, next, next will get you there with little trouble. (The RD Gateway, on the other hand…)

Configure an ISA 2006 rule with the relevant web listener (or an existing one if appropriate), allow the /rdweb/* paths, use FBA authentication, use NTLM delegation of authentication to the internal web server, configure the web server (RD Web) to use NTLM, install the relevant SSL certificates on ISA and the web server, and presto, it works! It even works with SSO if needed, and the user is only prompted by the ISA forms and not a second time by the RD Web site.

So far so good! A small hint before we go on: if you want to add multiple connections to other Terminal Servers in the RD Web site, Read the rest of this entry »