Yeah, I Have The Blog Sausage

(It’s like a talking stick, but it’s for blogging. And it’s a sausage.)


But I’m spending 140% of my time learning about new stuff, so I’m bound to be a little bit quiet for a while.


So, rather than expand on any of them, here’s a batch of things I’m thinking/annoyed/curious about right now, and will have lost interest in by my next post:

  • Email Distribution Lists: I dislike them. I’d like to be able to catch up on all non-critical email at set times, while not missing emails sent directly to me. RSS for Email, if you will.
  • The Comet Effect: There’s a mass made of digitally stored information created by me on my PC. Files, music, settings, scripts, stuff. As I move from computer to computer, upgrade to upgrade, stuff gets lost, like a comet’s tail. The bulk is retained intact, but little bits fly off behind me. I miss those little bits. Perhaps one day they’ll smash into the Earth unless Bruce Willis can drill through them.
  • King Kong was a really good movie. The three hour life tax initially put me off, but from about ten minutes in, I wasn’t bored at all. No loo breaks.
  • It Scales Too Much In Pen Mode, But I Hate Mouse Mode: I stumbled across the option to switch from mouse to pen mode using the stylus button on my teeny Wacom tablet… After ordering a larger replacement. While explaining to someone why it’s great, but I need a bigger one because I can’t draw detail unless… Ah. Damn.
  • Virtual Server’s Great But… I tend to use Virtual PC for my day job, simply because of the copy and paste support. Drag and drop of files is also good. Doesn’t run on X64 though, which has become crippling enough to my average workday that I’ve only installed the 32 bit version of Windows XP on my 6GB X64-preinstalled Precision 670, just so I can use Virtual PC. I feel dirty. Might re-think that and go Server (32-bit), but it doesn’t make me any cleaner.
  • Patrik Wanted To Know About MTP under X64: MTP support is in Windows Media Player 10 (can I call it WiMP?) under XP X64 – you just won’t see your MP3/WMA/Whatever player through the 64-bit Explorer. Use a 32-bit Explorer (or instance of IE, or Control Panel -> 32 bit Control Panel) and you’ll see the device.
  • PDA: I want an OQO model 01+. Or I would, if it had a built-in phone as well.

Um, think that’s me up to date. Blog Sausage relinquished.


Update: Blog Chipolatas

  • Can’t get the Windows Vista December CTP’s DPI settings to stick to 120dpi on the Latitude D600. It worked using Standard VGA, but not using the RADEON 9000 Series driver I forced on from the supplied set. The UI looked quite iffy at the higher res anyway (wonder if Glass helps with the scaling on icons, but bits of various windows were showing through where they shouldn’t too…).

  • The new motherboard has been ordered, and the chipset fan is a heat sink. That’ll teach me.

  • IE7 in Dec CTP – I wish that a new tab opened next to the one I’m using, but I can’t find the option if it’s there.

(Puns based on the word “drill” may be easily misinterpreted)

Tristan’s main home PC was an Athlon 64 3500+.

It had an Asus A8N SLI, bought many months ago. The motherboard had always had a noisy chipset fan, and it had finally given up the ghost and decided that rather than spin, it would quack. Every four seconds, when it was warm.

Tristan decided that he was going to do something about this, so he ordered a new north bridge fan that looked about right.

Tristan’s colleague Russkie implied that smart people plan to be able to remove those little “one way clip” things without removing the motherboard from the tray. But perhaps there was another way. But Tristan probably wouldn’t be interested. Of course, Tristan pressed on… what was this secret technique?

Perhaps, the story went, a “dremmel” tool could be used to remove the one-way clip without having to pull out the motherboard.

Not knowing what a Dremel was, but pretty sure that he didn’t own one, Tristan politely inquired as to whether he might be able to borrow one from Russkie? Russkie acquiesced, but noted that any sufficiently small drill bit in a regular drill would also do the job. Tristan’s girlfriend had a drill. He could use that one, and not have to wait another day.

plastic thingy holds fan near motherboard. Spring included.Tristan went home, excited by the idea of drilling through the little plastic clippy things. And at the idea of using a power drill. It would be, oh, the second time. He would become a man.

The first clip drilled through easily. Tristan was happy. He had demonstrated his Drill Skill. He was a Real Man, with a Real Power Tool under his control, an extension of his very body.

Tristan was inspecting the perfectly-formed bore hole when the tensioning spring suddenly (and to its own immense surprise) won its eternal struggle with its newly-weakened plastic bolt, and launched it squarely into Tristan’s forehead.

Once Tristan had finished laughing, he drilled the second plastic thing. But this one didn’t pop off. The angle had changed when the other restraint had popped off, and so three more hands were needed than were available to hold the thing in place.

Tristan was undeterred. He drilled, and inspected. Drilled, and pulled. Drilled, and tugged a bit more. Re-drilled, re-twisted, re-tugged, and eventually, after several more iterations, the other restraint came loose. The fan was free.

Tristan triumphantly unboxed the new fan, and aligned it properly. Or tried to. There was no proper alignment. The new fan didn’t fit. Would never fit. Was a north bridge fan, for something that just abjectly wasn’t a north bridge. Bugger.

Old fan with 20 cent pieceThe new fan with 20 cent piece.
Old and New Fans. Note the complete opposite alignment of mount points and the size difference. Bonus different power connector included, but not shown.

He wasn’t about to give up, but he wasn’t about to leave the motherboard without cooling either (it got untouchably hot the instant the power was on). So, after cleaning all the dust out of the Fan-That-Fit, Tristan plugged it back in, and wondered how to reattach it.

Luckily, the fan that didn’t fit had come with some little plastic thingies that would affix it to the motherboard, and these were the standard 5mm-ish size. So, in they went.

Just one little snag… when the power was turned back on, the fan wasn’t moving. It looked like it was making an effort, but only in the most passive sense possible. It’d move a notch, and stop. Move a notch, stop. Clearly, unacceptable for the Nforce Inferno chip it was lamely and vainly trying to cool.

Tristan was faced with a dilemma. Try to remove this fan, or leave it on and hope it was sufficient cooling?

After a good four seconds of deliberation, he started drilling the new plastic holder things. The case was already off; better to get everything ready for the replacement.

But the new plastic clips weren’t as solid as the original ones. They bent under pressure, and Tristan couldn’t convince them to come out. Tristan also, it turned out, couldn’t drill straight through them.

He did manage to drill through an innocuous-yet-important part of the motherboard directly next to the clip-hole. So the once-proud motherboard could power up, but there were no reassuring beeps. No on-screen text. No actual activity as such.

(The new motherboard is on order.)

The Client Certificate Problem

Holiday Question #2, from Mathieu:

In Belgium we have a electronic identity card (eid) it contains a certificate for signing and authentication in windows.

After some investigation I found some documents on the microsoft website how I could implement client certificate authentication with the eID on my IIS webapplication. (ASP.NET)
This works very good ! (at the my intranet)

But when I would like to test the same application behind my ISA firewall, it does not work.
The user does not get the prompt from Internet Explorer to select an installed certificate and use this for my website.

How can I change my ISA server that Internet Explorer will be asked to send a certificate and that the certificate give will be read by my IIS server.

For now I use ISA 2000, but I will upgrade if it’s working in 2004. But i cannot find any documentation about that subject.

Good question, but the answer won’t be quite so good.

For ISA 2004:

  • An ISA Server can use Client Certificates to authenticate its clients.

    • on the client, that’s

      • a Certificate

      • with Intended Purposes that include Client Authentication

      • for which the client has an associated private key

  • An ISA Server can use one specific locally installed Client Certificate per publishing rule to authenticate itself to a published Web Server that requires Client Certs

    • it’s one to many – all clients using that rule (and meet whatever criteria ISA is enforcing – eg, authentication, IP address, content restrictions) then get to use the same client cert.

  • An ISA Server can’t pretend to actually be the client that presented a valid certificate to it, as it has no knowledge of that client’s private key.

    • The process of proving identify using a client certificate does not reveal the private key to the server, only that the client can provide evidence that it knows the private key.

    • Contrasted with other authentication protocols:

      • NTLM similarly doesn’t reveal the user’s secret (roughly equivalent to the private key) to the target server.

      • Basic Authentication gives the target server both the username and the password, in Base64 encoding (which is the next worst thing to plain text), which is why Basic over TLS/SSL (and/or VPN, and/or IPSec) is recommended when it is needed.

So, short version: in this type of scenario, ISA Server is effectively acting as a Man In The Middle (MITM), and the use of client certificates prevents it from working (I don’t know enough to claim that it’s how it’ll always work, but for now, that’s my assumption).

You end up with two options:

  • If the client must present its credentials directly to the Web Server, you could use Server Publishing. You lose the application layer inspection benefits of Web Publishing, but the client and server are assured of privacy, as they work directly with each other.

  • If it’s acceptable for clients to authenticate to the ISA Server using Certificates, and then for the ISA Server to act on behalf of any authenticated clients to the published Web Server using one common Client Certificate, you could configure the listener for Client Certificate authentication, and configure the publishing rule with the appropriate Client Certificate.

As I’m still on holiday, I’m short an ISA 2000 box to muck around with, so I can’t confirm whether the second option exists for that version, but the Server Publishing option definitely* works for both: ISA just sets up a TCP session between client and server, and gets out of the way.

* – as definitely as I can remember without actually being able to look it up. So a “probably definitely”, but I wanted to sound confident*.

ISA 2004: Hosting a Joint Operations Server

Back from the beach now, and starting to wade through the email morass via OWA (1000s of messages… makes you really appreciate fat clients, rules and desktop search). Here’s an interesting one from the blog feedback folder:

I am trying to configure our corporate firewall to allow hosting of Joint Ops.  On my linksys type firewall this is as easy as port forwarding UDP port 32768 to the game box.  But in ISA creating a simple Server listener (on UDP port 32768) isn’t enough.  There’s something missing.  Do you know what I’m missing?  Are there additional ports I need to open up and if so, what would those be?

Also, what’s the difference in ISA when configured a UDP listener between the “Send”, “Receive”, “Send Receive”, and “Receive Send” options?

There was a heated debate in the ISA newsgroup last year (er, 2004 then) as to whether game servers are appropriate behind a corporate firewall (short version: usually not unless you’re a hosting company), and it’s probably worth a read. Be sure you want to do this: At the end of the day, it’s your own bum that’ll be kicked if the server turns out to have an exploitable hole and it leads to loss or theft of information. If you’re going to do it, have the dedicated game server on an isolated network and turn it off anytime you’re not using it – assume it will be compromised, and look to mitigate the damage such a compromise would cause ahead of time.

So, here’s the Helpful* Picture I threw together:

I noticed the corporate firewall bit last, after I’d prpared a handy home-network-friendly diagram covering when to use Server Publishing and when to use Access Rules (Server Publishing is an inbound rule where inbound is defined by the NAT relationship direction, Access Rules are an outbound rule, but “outbound” is defined by the source and destination… Check the ISA Server Help for more on that stuff).

If you’re still using ISA 2000, instead of using Access Rules to allow access to the local machine from the External network, you use Packet Filters to open certain ports.

For ISA 2004, The specifics of the protocols you’d use are these:

  • For Server Publishing: Joint Ops Server – UDP, 32768-32768, Receive Send (means Receive then Send: Receive a packet on this port, then Send a packet from this port, but expect the incoming packet first).

    • You’d use similar parameters for the ISA 2000 Packet Filter if running on the ISA box itself, otherwise it’s the same for ISA 2000.

  • For an Access Rule: Joint Ops – UDP, 32768-32768, Send Receive (client initiates the connection).

If you’re finding it’s still not working, make sure the JOps server computer’s default gateway uses a path that hits the Internet via the ISA Server – it’ll need to be able to respond to Internet IP addresses.

Again: be sure you want to do this – and if you are, enjoy!

Other publishing-related posts:
Hosting Locomotion
Publishing Apple Remote Desktop
Publishing RADIUS
Publishing RDP and TSWeb

Token Post por Janvier

Dear Mater,

I’m still at the beach. STOP.

After a week of oppressive sunshine, sometimes over forty new degrees, we have endured ten days of oppressive rain. STOP.

When the rain stops, conditions are hot and humid. STOP. And then it rains again. STOP. Currently awaiting further showers. STOP.

Wish the rain would STOP. STOP.

I endeavoured to once again complete GTA: San Andreas, which was an excellent way to pass the first week. STOP. Since then, I bested Freedom Force vs The Third Reich, and have come to the dire and heavy realization that I forgot to bring all the interesting SDKs with me. STOP.

Please give my love to Gertrude and Harriet. STOP.

Back on the 19th. STOP. Lots of love, Oedie. STOP.