Friday 19 November 2010

Deepnet Server v3.x migration

The migration of Deepnet server (v3.x) is very simple.



  • Stop the Deepnet Authentication Server (das) service
    It can be done by typing "net stop das" in Command Prompt.

  • Stop the MySQL (dasmysql) service (if applicable)
    Do it with "net stop dasmysql".

  • Back up the whole Deepnet folder
    By default, it is called "Deepnet Authentication Server" in the folder "C:\Program Files".

  • Copy the backup to the new server
    For simplicity, copy the backup to "C:\Program Files" on the new machine; keep the path the same.

  • Start the services on the existing server
    If you still need the Deepnet service running on the existing machine for a while, start the services in the reverse order:

    net start dasmysql
    net start das

  • Save the following code to a batch file (migration.bat) on the new machine

    REM %cd% expands to the current directory, so this file must be run from the Deepnet folder:
    REM the absolute paths below are stored in the two service definitions.
    "%cd%\mysql\bin\mysqld.exe" --install DASMYSQL --defaults-file="%cd%\mysql\das.ini"
    net start dasmysql

    REM Register Tomcat (the DAS web application) as the Windows service "DAS", then start it
    "%cd%\Tomcat\bin\tomcat5.exe" //IS//DAS --Startup=auto --StartMode jvm --StopMode jvm --StartClass org.apache.catalina.startup.Bootstrap --StopClass org.apache.catalina.startup.Bootstrap --StartParams start --StopParams stop --Install "%cd%\Tomcat\bin\tomcat5.exe" --LogPath "%cd%\Tomcat\logs" --Classpath "%cd%\Tomcat\bin\bootstrap.jar";"%cd%\jython\jython.jar" --Jvm "%cd%\jre\bin\server\jvm.dll" --DisplayName "DAS" --Description "DAS SERVICE" --StartPath "%cd%\Tomcat" --StopPath "%cd%\Tomcat" --JvmOptions "-Dcatalina.home=%cd%\Tomcat;-Dcatalina.base=%cd%\Tomcat;-Djava.endorsed.dirs=%cd%\Tomcat\common\endorsed;-Djava.io.tmpdir=%cd%\Tomcat\temp;-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager;-Djava.util.logging.config.file=%cd%\Tomcat\conf\logging.properties;-Dpython.home=%cd%\jython"
    net start das

  • Move the batch file to the Deepnet folder
    You must place the batch file in the Deepnet folder, which is "C:\Program Files\Deepnet Authentication Server".

  • Run the batch file
    On the new machine, open a Command Prompt, go to the Deepnet folder and run migration.bat.

  • Open the web page http://localhost:8080
    Still on the new machine, launch a browser and access http://localhost:8080, assuming you are using the default port of the Deepnet management console. It will ask you to input the new IP address of the new machine. Don't forget to click the Submit button to finish.


Mind you, it is against the Deepnet license agreement to run the same license on two different machines simultaneously (unless it is a load-balancing/failover infrastructure), so please fully shut down the Deepnet server on the old machine once the migration is completed.

Wednesday 17 November 2010

Two Factor Authentication on RDWeb


Some vendors provide a solution to protect MS Remote Desktop Services (RDWeb) with OTP. The implementation and deployment are very easy: just customize the RDWeb login page (C:\Windows\Web\RDWeb\Pages\en-US\login.aspx) and add an OTP authentication DLL to the Bin folder (C:\Windows\Web\RDWeb\Pages\Bin).



Really it is very neat, but is it safe? I was a bit wary of that.


In order to answer my own question, we have to understand how RDWeb works. Thanks to my friend Craig, who provided me with this link: How TSWeb / TSAC / Remote Desktop Web Connection Client Works. In this article, the author Tristan Kingston says,



"There's a common misconception that TSWeb allows you to connect to a Terminal Server over HTTP. The reality is that you just use HTTP to transfer the Remote Desktop Client ActiveX control to the client browser, which then runs and makes a regular RDP connection to the Terminal Server, just like the regular Remote Desktop client would, but presented in a browser window.

Short version: HTTP and RDP are used to connect to a TSWeb server. HTTP (TCP 80) is used to download the ActiveX control, which then connects directly using RDP (TCP 3389) to whatever server is specified by the page for the actual Terminal Server interface. Clients that can't use port 3389 through a firewall won't be able to connect, so clients that exclusively have Web protocol access are not able to use this method to connect. (They'll be able to download the client and the page, but not able to do the actual Terminal Server part)."


It was posted almost six years ago; however, the conclusion is still correct.


Recently I had time to play with RDWeb. I published 2 applications.



When I clicked one of them, Remote Desktop (mstsc.exe) was launched.



From the output of Process Explorer, it was evident that mstsc took part in this job!



Still not convinced? Try the option "Don't allow connections to this computer" on the RDWeb server.



Unluckily, I got the result that was expected: without Remote Desktop, RemoteApp doesn't work at all!




Now imagine I were an intruder: do you think I would bother to access RDWeb? No, I would access Remote Desktop directly!


Frankly, the protection through RDWeb would still be feasible if there were an easy way to block Remote Desktop while allowing RemoteApp only. Unfortunately, Server Fault already has a verdict on this question (Allow only RemoteApp, not Remote Desktop):



There isn't an "officially sanctioned" way to do this because, fundamentally, TS RemoteApp functionality is just leveraging existing Remote Desktop code. You could do something silly like use Group Policy to set the user's shell to be "logoff.exe" such that if they attempted to access the machine's desktop they'd be immediately logged-off. Any application that uses a common "File / Open" dialog, though, can be used to get a command prompt or other programs open on the server's desktop.

You're better off making sure that you follow the principle of least privilege and give your TS RemoteApp users as few rights as they need to run the intended software. If they do end up on the server computer's desktop their restricted rights should prevent them from doing anything damaging to the server computer.


Is it a necessary burden on the administrator to enhance secure access? Do you want to block Remote Desktop completely? You'd better think twice! Nevertheless, I think it is very possible to leave a back door open if you only customize the RDWeb login page to do two-factor authentication.


All of a sudden, I realized why Deepnet always recommended adding the second-factor protection at the credential provider level (LOGONUI.exe). Even if you are using RemoteApp only, the second-factor login kicks in at some stage.




Reference



TS RemoteApp Step-by-Step Guide

How TSWeb / TSAC / Remote Desktop Web Connection Client Works

Allow only RemoteApp, not Remote Desktop

Thursday 11 November 2010

Deepnet Windows Logon Solution


There are a few cases where the user can't log in with OTP after installing the Deepnet Windows Logon Solution.

In Event Viewer on the domain controller, you see some error logs emitted from a source called "DasDCAgent", and the error detail reads:




Get ticket from client failed: Domain MYDOMAIN
Domain Controller: DC IP
Workstation: MYWS
User: me
Connect to client failed
ErrorCode: E-FAIL


This error message means the domain controller (actually the Deepnet DC Agent) is unable to contact a service (the Deepnet Client Agent) installed on the client machine (workstation). There are two possibilities.



Workstation Side

  • Deepnet Client Agent port 14283 is blocked by Windows Firewall (or by another software firewall installed on the workstation)
  • Deepnet Client Agent's default port 14283 is taken by another process (rather than dasclientagent.exe)
  • The service "DAS Client Agent" doesn't start properly




Domain Controller Side

Somehow the DC can't resolve the workstation name to the IP address actually allocated to the workstation. Generally it is down to a DNS problem. You can confirm it by executing a ping command in Command Prompt:

ping MYWS

Check the result to see whether it matches the one returned by running "ipconfig" on your workstation.




Ironically, the investigation of all the reported cases only goes to prove that the problem was caused by incorrect IP resolution on the DC side: DNS corruption!
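The checks above, scripted as an added example (not Deepnet's code): port 14283, the service name "DAS Client Agent" and dasclientagent.exe come from this post, while the workstation name and the IP you pass to the DC-side function are placeholders you supply.

```powershell
# Added example, not Deepnet's code: checks for the two failure areas described above.
# Port 14283, the service name "DAS Client Agent" and dasclientagent.exe come from the post;
# the workstation name and IP passed to the DC-side function are placeholders you supply.

$AgentPort       = 14283
$ServiceName     = "DAS Client Agent"
$ExpectedProcess = "dasclientagent"      # process name as Get-Process reports it (no .exe)

# ---- Run on the workstation (MYWS): service state, port owner, firewall rule ----
function Test-ClientAgentWorkstation {
    $problems = @()

    # 1. Is the agent service running at all?
    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    if ($svc -eq $null) {
        $problems += "service '$ServiceName' is not installed"
    } elseif ($svc.Status -ne 'Running') {
        $problems += "service '$ServiceName' is $($svc.Status), not Running"
    }

    # 2. Which process owns TCP $AgentPort? netstat -ano prints the owning PID last.
    #    No owner means the agent never bound the port; a foreign owner means a port clash.
    $owner = $null
    foreach ($line in (netstat -ano)) {
        if ($line -match "^\s*TCP\s+\S+:$AgentPort\s+\S+\s+LISTENING\s+(\d+)\s*$") {
            $owner = Get-Process -Id ([int]$matches[1]) -ErrorAction SilentlyContinue
            break
        }
    }
    if ($owner -eq $null) {
        $problems += "nothing is listening on TCP $AgentPort"
    } elseif ($owner.ProcessName -ne $ExpectedProcess) {
        $problems += "TCP $AgentPort is owned by $($owner.ProcessName) (PID $($owner.Id)), not $ExpectedProcess"
    }

    # 3. Is there at least one Windows Firewall rule that mentions the port? (A rule is only
    #    a hint; the connect test from the DC below is the real proof.)
    $rule = netsh advfirewall firewall show rule name=all | Select-String "LocalPort:\s+$AgentPort\b"
    if (-not $rule) {
        $problems += "no Windows Firewall rule mentions local port $AgentPort"
    }
    return $problems
}

# ---- Run on the domain controller: name resolution, then the agent's TCP connection ----
function Test-ClientAgentFromDC {
    param(
        [string]$Workstation,    # name shown in the DasDCAgent event, e.g. MYWS
        [string]$ExpectedIP      # address that "ipconfig" shows on that workstation
    )
    $problems = @()

    # 1. Resolve the name the way the DC agent does and compare with the real address.
    try {
        $addrs = @([System.Net.Dns]::GetHostAddresses($Workstation) |
                   Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
                   ForEach-Object { $_.IPAddressToString })
    } catch {
        return @("cannot resolve '$Workstation': $($_.Exception.Message)")
    }
    if ($addrs.Count -eq 0) { return @("'$Workstation' has no IPv4 address in DNS") }
    if ($ExpectedIP -and ($addrs -notcontains $ExpectedIP)) {
        $problems += "DNS says $($addrs -join ', ') but the workstation has $ExpectedIP (stale DNS record)"
    }

    # 2. Make the same TCP connection the DC agent makes, with a 3 s timeout.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($addrs[0], $AgentPort, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne(3000, $false)) {
            $problems += "connect to $($addrs[0]):$AgentPort timed out (firewall, or agent not listening)"
        } else {
            $client.EndConnect($async)   # throws if the workstation refused the connection
        }
    } catch {
        $problems += "connect to $($addrs[0]):$AgentPort failed: $($_.Exception.Message)"
    } finally {
        $client.Close()
    }
    return $problems
}

# Usage (each function returns an empty list when everything checks out):
#   on MYWS:   Test-ClientAgentWorkstation
#   on the DC: Test-ClientAgentFromDC -Workstation "MYWS" -ExpectedIP "192.0.2.10"   # placeholder IP
```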

Friday 22 October 2010

Yet another possible reason for errors when sending SMS with a GPRS modem

In Deepnet, some users still get the notorious error message "org.apache.xmlrpc.XmlRpcException: null values not supported by XML-RPC" when they try to send SMS with a GPRS modem.


Coincidentally, this problem happened on my Motorola, which can be used as a GPRS modem. On the second day, I received a message from T-Mobile, my network operator. It said: "Yesterday you sent a message to an invalid number. UK mobile numbers start with 07 or +447. Numbers starting 447 without the leading + are invalid."


Immediately I realized that the required mobile number format was the culprit. In Deepnet, a mobile number must comply with the so-called "International Format". Assume you have a UK SIM card and the mobile phone number is given as 07955512345; in Deepnet you have to use 00447955512345, which is correct when you use an SMS service provider like Clickatell, but wrong for a mobile operator, at least in my case.


In that case, you have to make a modification so that this kind of phone number format is allowed in Deepnet. Please follow the instructions below.



1, go to the folder "C:\Program Files\Deepnet Authentication Server\Tomcat\webapps\das\scripts", assuming you have installed the server in the default folder;
2, back up the file "admin.js", then open it with your favourite editor;
3, locate the function "isValidMobile"

function isValidMobile(sMobile) {
    // var mobileExp = /^[0]{2}\d{1,}$/;   // earlier rule: the number must start with "00"
    var mobileExp = /^\d{1,}$/;             // digits only, so a leading "+" is rejected
    return mobileExp.test(sMobile);
}

4, change it to

function isValidMobile(sMobile) {
    // accept any value: the admin console no longer checks the mobile number format
    return true;
}

5, change the mobile number to "+447955512345";
6, send an SMS OTP.

Monday 18 October 2010

RRAS on Windows 2008 R2

I always use the MS remote access server (in Routing and Remote Access, RRAS) to test a simple VPN connection. Running and connecting to RRAS on Windows 2003 is very straightforward; however, the connection to RRAS on Windows 2008 R2 never succeeded.



If I selected "PPTP VPN" as the type of VPN,



the connection attempt failed immediately with Error Code 678.



With this symptom, I soon realized that, unlike on Windows 2003, WAN Miniport (PPTP) must be configured manually on Windows 2008.


Open RRAS, which is installed by adding the server role "Network Policy and Access Services" on Windows 2008. Select "Ports" in the left pane; you will notice there is only one "WAN Miniport (PPPOE)" configured (in the right pane).



Right-click "Ports" and select "Properties"; you get



In the devices list, select "WAN Miniport (PPTP)", then click the "Configure..." button.


At a minimum, check the option "Remote access connections (inbound only)".



Now you can see there are a few WAN Miniports (PPTP) waiting to be connected!

Friday 8 October 2010

Backup Deepnet Server (version 3.x)

Deepnet Authentication Server (DAS) saves its main configuration and almost all of its operational data in a database, so please check the official documentation from Microsoft (if you are using MS SQL Server) or MySQL (otherwise) for database backup.


For disaster recovery, you should also back up the DAS server itself. There are two scenarios.


Full Backup


  • Stop the DAS service (net stop das);
  • Stop the MySQL service (net stop dasmysql) if you chose the built-in MySQL as its database;
  • Back up everything under the folder "C:\Program Files\Deepnet Authentication Server".

Once the backup is finished, start MySQL (if it was stopped) and then the DAS service.


Essential Backup


Compared to the full backup, the essential backup covers only a few files and folders, but is much smaller.


The following files and folders should be selected during this kind of backup:


Files


  • server.xml under C:\Program Files\Deepnet Authentication Server\Tomcat\conf
  • keystore under C:\Program Files\Deepnet Authentication Server


Folders


  • conf under C:\Program Files\Deepnet Authentication Server
  • licence under C:\Program Files\Deepnet Authentication Server
  • dgs under C:\Program Files\Deepnet Authentication Server\Tomcat\conf

Thursday 7 October 2010

Mystery of sending SMS in Deepnet with GPRS modem

Some Deepnet Security customers who use a GPRS modem to send SMS reported that they sometimes got the error "org.apache.xmlrpc.XmlRpcException: null values not supported by XML-RPC".



As far as I was concerned, this error message created a misleading impression.


Fortunately, you can check the actual reason by looking at the related log file, dgs.log, which by default is located under the folder C:\Program Files\Deepnet Authentication Server\Tomcat\logs.


In my case (I am using a GPRS609 modem), I got the following:


INFO 2010-10-07 12:00:09,109 DGS - Got Transport: GSMModem, Provider: GSM Modem, Service: SMS
INFO 2010-10-07 12:00:09,125 DGS - SetParameterValuesTransportFilter
ERROR 2010-10-07 12:02:03,906 org.smslib - GSM: Network registration denied!
ERROR 2010-10-07 12:02:03,921 DGS -
com.deepnet.dgs.common.exception.DGSException: GSM Network Registration denied!
at com.deepnet.dgs.providers.GSMModemTransport.send(GSMModemTransport.java:41)
at com.deepnet.dgs.services.TransportFilterChain.send(TransportFilterChain.java:26)
at com.deepnet.dgs.services.SetParameterValuesTransportFilter.send(SetParameterValuesTransportFilter.java:10)
at com.deepnet.dgs.services.TransportFilterChain.send(TransportFilterChain.java:24)
at com.deepnet.dgs.services.Communicator.sendSMS(Communicator.java:46)
at com.deepnet.dgs.services.Communicator.sendMessage(Communicator.java:64)
at com.deepnet.dgs.services.Communicator.send(Communicator.java:75)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at org.apache.xmlrpc.Invoker.execute(Invoker.java:130)
at org.apache.xmlrpc.XmlRpcWorker.invokeHandler(XmlRpcWorker.java:84)
at org.apache.xmlrpc.XmlRpcWorker.execute(XmlRpcWorker.java:146)
at org.apache.xmlrpc.XmlRpcServer.execute(XmlRpcServer.java:139)
at org.apache.xmlrpc.XmlRpcServer.execute(XmlRpcServer.java:114)
at com.deepnet.dgs.servlets.DgsXmlRpcServlet.doPost(DgsXmlRpcServlet.java:97)

...........

Now you have a better view of this problem: "GSM Network Registration denied". You may ask why; well, I think it is a challenge for the Deepnet support team, as the Deepnet system only deals with two important settings, COM Port and Speed (the other two are descriptive names), which have nothing to do with GSM network registration!


With a revised dgs.war provided by Deepnet Security Ltd, I saw something really interesting in the log file:




INFO 2010-10-07 11:38:01,390 DGS - Got Transport: GSMModem, Provider: GSM Modem, Service: SMS
INFO 2010-10-07 11:38:01,421 DGS - SetParameterValuesTransportFilter
WARN 2010-10-07 11:38:25,281 org.smslib - CMS Errors [ +CMSERROR:33555 ]: Retrying...
WARN 2010-10-07 11:39:11,140 org.smslib - CMS Errors [ +CMSERROR:332 ]: Retrying...
WARN 2010-10-07 11:39:21,281 org.smslib - CMS Errors [ +CMSERROR:33571 ]: Retrying...
WARN 2010-10-07 11:39:43,390 org.smslib - CMS Errors [ +CMSERROR:33571 ]: Retrying...
ERROR 2010-10-07 11:39:57,796 org.smslib - CMS Errors [ +CMSERROR:33555 ]: Quit retrying, message lost...



If you'd like to carry out the same experiment, please download the file dgs.war and upgrade your Deepnet server at your own risk! Upgrade instructions are listed below.


At this stage, you are advised to check the error code in the GSM specs. For your convenience, you can get it from here.


Want further investigation? You are encouraged to use HyperTerminal to test SMS. For details, please look at this page where the essential AT commands are described; you can also find these AT command descriptions in my favourite PDF file, How To Configure A GSM Modem Using HyperTerminal.
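Reading dgs.log by hand works for one modem; the added example below (not Deepnet's code) pulls the registration failures and CMS ERROR codes out of the log so the XML-RPC message is not the only clue. The line layout and the sample lines are taken from the two excerpts in this post, and the file path is the default one mentioned above.

```powershell
# Added example, not Deepnet's code: extracts SMS delivery failures from dgs.log, so the
# generic "null values not supported by XML-RPC" message is not the only thing you see.
# The line layout and the sample lines below are taken from the log excerpts in this post;
# $DgsLog is the default path mentioned above.

$DgsLog = "C:\Program Files\Deepnet Authentication Server\Tomcat\logs\dgs.log"

# LEVEL  yyyy-MM-dd HH:mm:ss,fff  logger - message   (stack-trace lines do not match)
$LinePattern = '^(?<level>INFO|WARN|ERROR)\s+(?<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})\s+(?<logger>\S+)\s+-\s*(?<msg>.*)$'

function Get-DgsSmsFailures {
    param([string[]]$Lines)
    $events = @()
    foreach ($line in $Lines) {
        if ($line -notmatch $LinePattern) { continue }
        # copy the captures first: the -match calls below overwrite $matches
        $level = $matches['level']; $ts = $matches['ts']; $msg = $matches['msg']

        $code = $null                                      # +CMS ERROR value, if any
        if ($msg -match '\+CMSERROR:(\d+)') { $code = [int]$matches[1] }

        $kind = $null
        if     ($msg -match 'Network registration denied')            { $kind = 'RegistrationDenied' }
        elseif (($code -ne $null) -and ($msg -match 'Quit retrying')) { $kind = 'MessageLost' }
        elseif (($code -ne $null) -and ($msg -match 'Retrying'))      { $kind = 'Retry' }
        elseif ($level -eq 'ERROR')                                    { $kind = 'OtherError' }
        if ($kind -eq $null) { continue }                  # plain INFO traffic

        $events += New-Object PSObject -Property @{
            Time = $ts; Level = $level; Kind = $kind; CmsError = $code; Message = $msg
        }
    }
    return ,$events
}

function Get-DgsSmsSummary {
    param($Events)
    $Events  = @($Events)
    $denied  = @($Events | Where-Object { $_.Kind -eq 'RegistrationDenied' }).Count
    $lost    = @($Events | Where-Object { $_.Kind -eq 'MessageLost' }).Count
    $retries = @($Events | Where-Object { $_.Kind -eq 'Retry' }).Count
    $codes   = @($Events | Where-Object { $_.CmsError -ne $null } |
                 ForEach-Object { $_.CmsError } | Sort-Object -Unique)

    $verdict = 'no SMS failures in the supplied lines'
    if ($lost -gt 0)   { $verdict = 'registration is fine but the network rejected the SMS; look up the CMS ERROR codes' }
    if ($denied -gt 0) { $verdict = 'modem could not register on the GSM network; no OTP SMS can leave the server' }

    New-Object PSObject -Property @{
        RegistrationDenied = $denied; MessageLost = $lost; Retries = $retries
        CmsErrorCodes = ($codes -join ', '); Verdict = $verdict
    }
}

# Constructed sample: lines copied from the two excerpts above (plus one stack-trace line)
$SampleLines = @(
    'INFO 2010-10-07 12:00:09,109 DGS - Got Transport: GSMModem, Provider: GSM Modem, Service: SMS',
    'ERROR 2010-10-07 12:02:03,906 org.smslib - GSM: Network registration denied!',
    'at com.deepnet.dgs.providers.GSMModemTransport.send(GSMModemTransport.java:41)',
    'WARN 2010-10-07 11:38:25,281 org.smslib - CMS Errors [ +CMSERROR:33555 ]: Retrying...',
    'WARN 2010-10-07 11:39:11,140 org.smslib - CMS Errors [ +CMSERROR:332 ]: Retrying...',
    'ERROR 2010-10-07 11:39:57,796 org.smslib - CMS Errors [ +CMSERROR:33555 ]: Quit retrying, message lost...'
)

Get-DgsSmsSummary -Events (Get-DgsSmsFailures -Lines $SampleLines) | Format-List
# Against the live file:  Get-DgsSmsSummary -Events (Get-DgsSmsFailures -Lines (Get-Content $DgsLog))
```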


Upgrade Instructions


  • Stop the DAS service: in Command Prompt, type "net stop das";
  • Delete all log files under the folder "C:\Program Files\Deepnet Authentication Server\Tomcat\logs", assuming you have a default installation of Deepnet Authentication Server;
  • Delete the subfolder DGSSERVICE under "C:\Program Files\Deepnet Authentication Server\Tomcat\work";
  • Back up the file dgs.war under "C:\Program Files\Deepnet Authentication Server\Tomcat\dgswebapps";
  • Delete everything under "C:\Program Files\Deepnet Authentication Server\Tomcat\dgswebapps";
  • Copy the revised dgs.war to "C:\Program Files\Deepnet Authentication Server\Tomcat\dgswebapps";
  • Start the DAS service (type "net start das" in Command Prompt).


Reference


CMS ERROR Code List

Wednesday 6 October 2010

LDAP Bind Account Requirements


Some organizations may wish to use a specific user account (other than the administrator) for the Bind process. It is important to ensure that the Bind DN account has the correct level of permissions on the LDAP directory.



When creating an application in Deepnet that imports users from an LDAP server, a user account must be defined for connecting to the LDAP directory. This account is known as the Bind Distinguished Name (DN), and the process of connecting to the LDAP directory is known as Binding. In theory, this account can be just a simple authenticated user, which by default has read permission across most of the directory. During the Bind process, the Bind DN account is used to search for the user account that is attempting to authenticate to Deepnet Authentication Server. The Bind DN must also be configured with the account's correct password, the Bind DN Password.



In the example below, a Bind DN account named CN=ed binden,CN=users,DC=nanoart,DC=local will be used to connect to an LDAP directory whose Base DN is DC=nanoart, DC=local.




At a minimum, the Bind DN account must have:

    • Read access to the user objects in the LDAP directory, in order to search for user accounts

    • Read access to the Base DN (for example, DC=nanoart, DC=local) with the correct attribute that is used as the LDAP Login Name (for example, sAMAccountName)


Generally, we use ADSI Edit to check the security.




In order to do Group Extraction, which is the process of determining a user's group membership and returning those values to Deepnet Authentication Server, the Bind DN account must also have:

    • Read access to the group attributes in the LDAP directory

In order to support password expiration during authentication, the Bind DN account must also have:

    • Read access to the pwdLastSet, userAccountControl and msDS-User-Account-Control-Computed attributes in the LDAP directory

In order to use an alternative Single Sign On attribute (SSO Name Attribute), such as UPN format, the Bind DN account must also have:

    • Read access to the particular SSO Name Attribute of interest in the LDAP directory


Finally, I'd like to point out that you can even configure Active Directory to allow anonymous queries; have a look at Q320528 and Anonymous LDAP operations in Windows 2003 AD.
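ADSI Edit shows the ACL; the added example below (not Deepnet's code) checks the outcome instead, by binding as the Bind DN and reading every attribute listed above for one test user. The Bind DN, Base DN and attribute names come from this post; the server name and the test login name are assumptions you replace.

```powershell
# Added example, not Deepnet's code: binds as the Bind DN and reads the attributes listed
# above, so a missing permission shows up before the Deepnet import is configured.
# The Bind DN, Base DN and attribute names come from the post; the server name and the
# test login name are assumptions you replace.

$LdapServer = "dc1.nanoart.local"                           # assumption
$BaseDN     = "DC=nanoart,DC=local"
$BindDN     = "CN=ed binden,CN=users,DC=nanoart,DC=local"
$LoginAttr  = "sAMAccountName"                              # the LDAP Login Name attribute
$TestLogin  = "ed.binden"                                   # assumption: any existing user

# What the Bind DN must be able to read, grouped as in the post
$Required = @{
    Login     = @($LoginAttr, 'distinguishedName')
    Groups    = @('memberOf')                               # group extraction
    PwdExpiry = @('pwdLastSet', 'userAccountControl', 'msDS-User-Account-Control-Computed')
    SsoName   = @('userPrincipalName')                      # UPN as the alternative SSO name
}

# Escape a value before it goes into an LDAP filter (RFC 4515), so a crafted login name
# cannot change the query
function ConvertTo-LdapFilterValue([string]$Value) {
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

function Test-BindDnPermissions([System.Security.SecureString]$BindPassword) {
    # Simple bind sends the password in clear on port 389; add
    # [System.DirectoryServices.AuthenticationTypes]::SecureSocketsLayer when LDAPS is available.
    $authType = [System.DirectoryServices.AuthenticationTypes]::None
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($BindPassword)
    try     { $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

    $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$LdapServer/$BaseDN", $BindDN, $plain, $authType)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.SearchScope = 'Subtree'
    $searcher.Filter = "(&(objectClass=user)($LoginAttr=$(ConvertTo-LdapFilterValue $TestLogin)))"
    foreach ($attr in @($Required.Values | ForEach-Object { $_ })) { [void]$searcher.PropertiesToLoad.Add($attr) }

    $report = @{}
    try {
        $user = $searcher.FindOne()          # the bind happens here; a bad DN or password throws
    } catch {
        $report['Bind'] = "FAILED: $($_.Exception.Message)"
        return $report
    }
    $report['Bind'] = 'OK'
    if ($user -eq $null) {
        $report['Search'] = "FAILED: no object with $LoginAttr=$TestLogin under $BaseDN (no read access to user objects, or wrong login name)"
        return $report
    }
    $report['Search'] = "OK ($($user.Path))"

    foreach ($need in $Required.Keys) {
        # DirectorySearcher lower-cases property names. An attribute the Bind DN cannot read is
        # simply absent from the result; so is an attribute that is empty (e.g. memberOf for a
        # user in no groups), so pick a test user who is in at least one group.
        $missing = @($Required[$need] | Where-Object { -not $user.Properties.Contains($_.ToLower()) })
        if ($missing.Count -eq 0) { $report[$need] = 'OK' }
        else { $report[$need] = "check the ACL: cannot read $($missing -join ', ')" }
    }
    return $report
}

$password = Read-Host "Password for $BindDN" -AsSecureString
Test-BindDnPermissions $password | Format-Table -AutoSize
```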

Monday 4 October 2010

Disable RDP credential prompt


Remote Desktop Connection on Windows 7 (Vista as well) prompts you for credentials before you establish a remote desktop connection to Windows 2008.

As a result, it bypasses the remote machine's logon screen. This may be convenient if you save the credentials (username/password): next time, you don't need to input them again. However, it brings big trouble to Deepnet users who are using its Terminal Server agent, because there is no chance to input the OTP in that prompt.



In order to show the login screen (Credential Provider) of the remote machine,




Login Screen Without Deepnet



Login Screen With Deepnet


you have to disable the credential prompt of the RDP 6.0 client. This is achieved by editing the Default.RDP file in Notepad to include enablecredsspsupport:i:0, so that it reads:


....
authentication level:i:0
enablecredsspsupport:i:0
....

Note: the original authentication level is 2 (authentication level:i:2).

Please look at KB941641 for the details.



If the Default.rdp file is saved in the default location "Libraries\Documents" (physically the folder "C:\Users\userXXX\Documents"), change the view setting in Folder Options to show hidden files, as this file is hidden.



Reference

Remote Desktop Connection 6.0 prompts you for credentials before you establish a remote desktop connection

Saturday 2 October 2010

Application crash dump in Windows 7

I am so familiar with Dr Watson in XP that I thought I could also use it in Windows 7 as a postmortem debugger to get application crash dumps. However, I got the following when I tried to run its setup by typing "drwatson.exe":



According to Google search results, Dr Watson has not been used since Windows Vista; it has been replaced by "Windows Error Reporting" (WER), whose reports are located at C:\Users\USERNAME\AppData\Local\Microsoft\Windows\WER\ReportArchive\AppCrash_crashtest.exe_UUID. For me, the content of a WER report is useless, though. If you check this sample, you may agree with me.



Fortunately, you can still get the crash dump file if you follow the instructions in KB931673.



This feature is not enabled by default. Enabling the feature requires administrator privileges. To save these user mode memory dumps locally using Windows Error Reporting, create the following Registry key:




HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps
Value Name = DumpType
Data type: REG_DWORD
Value Data = 1

Data Values Descriptions:
0 = Create a custom dump
1 = Mini dump
2 = Full dump





The crash dump file is generally stored in the folder "%LOCALAPPDATA%\CrashDumps".



If the crashing process is a service, the location may be at

C:\Windows\System32\config\systemprofile\AppData\Local\CrashDumps



Open the crash dump file with WinDbg and enter the command "!analyze -v"; it can tell you where the problem is. In my example, it happened at




> 154: *pEmpty = 'x';




0:000> !analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************


FAULTING_IP:
crashtest!WndProc+94 [c:\projects\crashtest\crashtest.cpp @ 154]
01331224 c60078 mov byte ptr [eax],78h

EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 01331224 (crashtest!WndProc+0x00000094)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000001
Parameter[1]: 00000000
Attempt to write to address 00000000

DEFAULT_BUCKET_ID: WRONG_SYMBOLS

PROCESS_NAME: crashtest.exe

FAULTING_MODULE: 76ee0000 ntdll

DEBUG_FLR_IMAGE_TIMESTAMP: 4ca4a81d

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.

EXCEPTION_PARAMETER1: 00000001

EXCEPTION_PARAMETER2: 00000000

WRITE_ADDRESS: 00000000

FOLLOWUP_IP:
crashtest!WndProc+94 [c:\projects\crashtest\crashtest.cpp @ 154]
01331224 c60078 mov byte ptr [eax],78h

FAULTING_THREAD: 000009ec

PRIMARY_PROBLEM_CLASS: WRONG_SYMBOLS

BUGCHECK_STR: APPLICATION_FAULT_WRONG_SYMBOLS

LAST_CONTROL_TRANSFER: from 76c786ef to 01331224

STACK_TEXT:
0031f6e0 76c786ef 001d0222 00000111 00008003 crashtest!WndProc+0x94 [c:\projects\crashtest\crashtest.cpp @ 154]
WARNING: Stack unwind information not available. Following frames may be wrong.
0031f70c 76c78876 01331190 001d0222 00000111 user32+0x186ef
0031f784 76c789b5 00000000 01331190 001d0222 user32+0x18876
0031f7e4 76c78e9c 01331190 00000000 76c7910f user32+0x189b5
0031f7f4 013310d3 0031f810 0031f8b8 00000001 user32+0x18e9c
0031f81c 005e8dcf 000000f3 00000119 01331456 crashtest!wWinMain+0xd3 [c:\projects\crashtest\crashtest.cpp @ 51]
0031f830 00000000 004b1654 00000001 b6d37f1e 0x5e8dcf


STACK_COMMAND: ~0s; .ecxr ; kb

FAULTING_SOURCE_CODE:
150: break;
151: case ID_FILE_CRASH:
152: {
153: char* pEmpty = NULL;
> 154: *pEmpty = 'x';
155: }
156: break;
157: case IDM_EXIT:
158: DestroyWindow(hWnd);
159: break;


SYMBOL_STACK_INDEX: 0

SYMBOL_NAME: crashtest!WndProc+94

FOLLOWUP_NAME: MachineOwner

MODULE_NAME: crashtest

IMAGE_NAME: crashtest.exe

BUCKET_ID: WRONG_SYMBOLS

FAILURE_BUCKET_ID: WRONG_SYMBOLS_c0000005_crashtest.exe!base_address

Followup: MachineOwner
---------




If you just want to know the fault address (offset), you can check it from Control Panel -> Action Center.





A little bit bizarre, though: I couldn't reach the problem reports with a few clicks, as there seems to be no link in Action Center to get there, so I had to search for it.




Double-click an entry in the problem history and you can see the Exception Code, Offset and other information.







Reference


How to create a user-mode process dump file in Windows Vista and in Windows 7

Thursday 30 September 2010

Create a new Outlook mail profile

It is quite natural that you want to create a new Outlook profile on a client machine after Deepnet two-factor authentication has been enforced on the Exchange server side.


The normal procedure for setting up the profile will fail, as the Deepnet OA agent won't be launched automatically during profile creation.



Technically speaking, the auto-load feature is implemented as an Outlook COM add-in, so the agent is only launched after the profile is chosen. However, the OA agent is a standalone Win32 application, so you can start it at any time. In a word, you should launch it manually before adding a new Outlook profile.


During the setup, do not click the button "Check Name"; it is bound to fail.




Just ignore any error message and proceed to the HTTP Proxy Settings.




The first run of Outlook may look frozen after you input the correct username and password; actually it is waiting for you to take some action! Please right-click the OA agent icon on the taskbar




and select the menu item "Restore". For example, it asks you to register the DevicePass token (see below).




Once the profile is fully created (it has connected to the server and downloaded some emails), you can exit Outlook, and also exit the OA agent (right-click the icon and choose Exit). Run Outlook again; this time the OA agent should be launched automatically (check the icon on the taskbar) when the username/password dialog appears. If not, click Cancel,






then go to Trust Center and check whether the agent is listed under Active Application Add-ins.



Monday 27 September 2010

Install SharePoint 2010 RTM


Recently I needed a SharePoint 2010 to test the Deepnet IIS agent. Deepnet requires web services working under forms authentication, so I followed these two posts [1][2], which are pretty good (especially the first one). However, the installation (and configuration) still cost 2 days! So I am going to write down my story, just in case I forget it in the future. It may also spare those who are trying to do SharePoint forms authentication with the LDAP provider the same fate.


At the very beginning, I tried a standalone version of SharePoint 2010, which I thought was enough for me. The installation itself was quite straightforward; however, the "People Picker" never returned any AD user. My AD server was on another machine, so it was a kind of remote LDAP access which I thought needed authentication, so I provided connectionUsername and connectionPassword, just like the one mentioned by this post.



<add name="membership"
     type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=94de0004b6e3fcc5"
     server="192.168.222.200"
     port="389"
     useSSL="false"
     userDNAttribute="distinguishedName"
     userNameAttribute="sAMAccountName"
     userContainer="CN=Users,DC=nanoart,DC=local"
     userObjectClass="person"
     userFilter="(&(ObjectClass=person))"
     scope="Subtree"
     otherRequiredUserAttributes="sn,givenname,cn"
     connectionUsername="CN=administrator,CN=Users,DC=nanoart,DC=local"
     connectionPassword="password" />

I double-checked the connectionUsername and connectionPassword; in ADExplorer they worked without any problem. But in the SharePoint People Picker, no luck at all.


This post suggested another format (not a DN string) for connectionUsername and connectionPassword, which I haven't had time to try. It points out, "One additional step is required and that is adding a couple of entries to the STS (Security Token Service) web.config file. You will need to add both connectionUserName and connectionPassword." If you are curious, please have a try yourself and give me feedback below.




<add name="membership"
     type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=94de0004b6e3fcc5"
     server="192.168.222.200"
     port="389"
     useSSL="false"
     userDNAttribute="distinguishedName"
     userNameAttribute="sAMAccountName"
     userContainer="CN=Users,DC=nanoart,DC=local"
     userObjectClass="person"
     userFilter="(&(ObjectClass=person))"
     scope="Subtree"
     otherRequiredUserAttributes="sn,givenname,cn"
     connectionUsername="nanoart\administrator"
     connectionPassword="password" />


I struggled for a few hours on that; eventually I gave up on the standalone version and decided to install SharePoint 2010 in an AD environment. Officially, SharePoint 2010 is not recommended to be installed on a Domain Controller, so generally you need 2 machines (see this post for the details): basically one machine (512M) for the domain controller, and another one (4G) to be a member server of the domain, for deploying SharePoint.


I always want to make things simple, so I tried my luck installing everything (SharePoint 2010 plus SQL Server 2008) on the DC machine. Guess what? This time I wasn't disappointed. The installation was successful, and People Picker worked as well!



However, another issue awaited me, which tortured me longer than the LDAP issue: I always got an Access Denied error.



I believe I did the right thing in the User Policy, as you can see this test user (i:0#.f|ldapmember|mingfa.ma) had "Full Read" (I tried "Full Control" later as well).



This problem puzzled me for two days. I didn't realize that I had fallen right into a trap set up by myself until I saw this post. It mentioned somewhere that you need to set the default provider to our Forms provider, i.e. FBAMembershipProvider.



OK, let's look at how I modified the web.config of the SharePoint site.




<membership defaultProvider="LdapMember">
  <providers>
    <!-- <add name="i" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" /> -->
    <add name="LdapMember" type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" server="WIN-SPSRV.nanoart64.local" port="389" useSSL="false" userDNAttribute="distinguishedName" userNameAttribute="sAMAccountName" userContainer="CN=Users,DC=nanoart64,DC=local" userObjectClass="person" userFilter="(ObjectClass=person)" scope="Subtree" otherRequiredUserAttributes="sn,givenname,cn" />
  </providers>
</membership>
<roleManager defaultProvider="LdapRole" enabled="true" cacheRolesInCookie="false">
  <providers>
    <!-- <add name="c" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" /> -->
    <add name="LdapRole" type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" server="WIN-SPSRV.nanoart64.local" port="389" useSSL="false" groupContainer="CN=Users,DC=nanoart64,DC=local" groupNameAttribute="cn" groupNameAlternateSearchAttribute="samAccountName" groupMemberAttribute="member" userNameAttribute="sAMAccountName" dnAttribute="distinguishedName" groupFilter="(ObjectClass=group)" userFilter="(ObjectClass=person)" scope="Subtree" />
  </providers>
</roleManager>

Below I list the correct one; you can easily see what the difference is.



<membership defaultProvider="i">
  <providers>
    <add name="i" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
    <add name="LdapMember" type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" server="WIN-SPSRV.nanoart64.local" port="389" useSSL="false" userDNAttribute="distinguishedName" userNameAttribute="sAMAccountName" userContainer="CN=Users,DC=nanoart64,DC=local" userObjectClass="person" userFilter="(ObjectClass=person)" scope="Subtree" otherRequiredUserAttributes="sn,givenname,cn" />
  </providers>
</membership>
<roleManager defaultProvider="c" enabled="true" cacheRolesInCookie="false">
  <providers>
    <add name="c" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
    <add name="LdapRole" type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" server="WIN-SPSRV.nanoart64.local" port="389" useSSL="false" groupContainer="CN=Users,DC=nanoart64,DC=local" groupNameAttribute="cn" groupNameAlternateSearchAttribute="samAccountName" groupMemberAttribute="member" userNameAttribute="sAMAccountName" dnAttribute="distinguishedName" groupFilter="(ObjectClass=group)" userFilter="(ObjectClass=person)" scope="Subtree" />
  </providers>
</roleManager>


How ironic! I can only blame my own "cleverness". When I edited the web.config file I thought I should comment out the original provider and make the inserted one the default membership (role) provider, which eventually resulted in the agony of finding the exact reason.

I wonder if SharePoint has some troubleshooting measures that could have guided me to the right place quickly. To some extent, the "Access Denied" error in this case misled me, I am afraid to say.
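The mistake above is easy to audit mechanically: the claims-aware providers SharePoint 2010 registers as "i" and "c" must stay the defaultProvider, and the LDAP providers are only registered beside them. The following checker is an added example, not code from this post or from SharePoint; the two sample fragments are constructed to mirror the wrong and the corrected web.config shown above, with the LDAP attributes omitted for brevity.

```python
"""Audit the <membership>/<roleManager> defaults in a SharePoint 2010 web.config.

Added example, not code from the original post. The sample fragments are
constructed to mirror the two web.config excerpts above.
"""
import xml.etree.ElementTree as ET

# The claims-aware providers SharePoint 2010 registers itself under the
# names "i" and "c"; they must remain the defaultProvider.
CLAIMS_MEMBERSHIP = "Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider"
CLAIMS_ROLE = "Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider"

WRONG_CONFIG = """<system.web>
  <membership defaultProvider="LdapMember">
    <providers>
      <!-- <add name="i" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint" /> -->
      <add name="LdapMember" type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server" />
    </providers>
  </membership>
  <roleManager defaultProvider="LdapRole" enabled="true">
    <providers>
      <!-- <add name="c" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint" /> -->
      <add name="LdapRole" type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server" />
    </providers>
  </roleManager>
</system.web>"""

RIGHT_CONFIG = """<system.web>
  <membership defaultProvider="i">
    <providers>
      <add name="i" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthMembershipProvider, Microsoft.SharePoint" />
      <add name="LdapMember" type="Microsoft.Office.Server.Security.LdapMembershipProvider, Microsoft.Office.Server" />
    </providers>
  </membership>
  <roleManager defaultProvider="c" enabled="true">
    <providers>
      <add name="c" type="Microsoft.SharePoint.Administration.Claims.SPClaimsAuthRoleProvider, Microsoft.SharePoint" />
      <add name="LdapRole" type="Microsoft.Office.Server.Security.LdapRoleProvider, Microsoft.Office.Server" />
    </providers>
  </roleManager>
</system.web>"""


def audit_providers(web_config_xml):
    """Return a list of findings; an empty list means the defaults are right."""
    root = ET.fromstring(web_config_xml)
    findings = []
    for section, claims_type in (("membership", CLAIMS_MEMBERSHIP),
                                 ("roleManager", CLAIMS_ROLE)):
        node = root if root.tag == section else root.find(".//" + section)
        if node is None:
            findings.append("%s: section missing" % section)
            continue
        default = node.get("defaultProvider")
        # commented-out <add> elements are not parsed, so they never show up here
        providers = {p.get("name"): p.get("type", "")
                     for p in node.findall("providers/add")}
        if default not in providers:
            findings.append("%s: defaultProvider %r is not registered" % (section, default))
        elif not providers[default].startswith(claims_type):
            findings.append("%s: defaultProvider %r is %s, expected %s"
                            % (section, default, providers[default].split(",")[0],
                               claims_type.rsplit(".", 1)[-1]))
        if not any(t.startswith(claims_type) for t in providers.values()):
            findings.append("%s: claims provider %s is not registered (commented out?)"
                            % (section, claims_type.rsplit(".", 1)[-1]))
    return findings


if __name__ == "__main__":
    for label, cfg in (("wrong", WRONG_CONFIG), ("right", RIGHT_CONFIG)):
        print(label, audit_providers(cfg) or "OK")
```

Run it against the real file by passing the `<system.web>` element (or the whole web.config) to `audit_providers`; the wrong fragment yields four findings, the corrected one none.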



Reference

Step by Step SharePoint 2010 Install RTM

How to Set Up Novell eDirectory Authentication for Microsoft SharePoint

Setting Up SharePoint 2010 forms-based authentication for claims based web applications

Configuring Forms Based Authentication for SharePoint 2010 using IIS7

Wednesday 22 September 2010

Add Deepnet two factor authentication onto SharePoint 2010


Supposedly you can use the Deepnet IIS agent to add second-factor authentication to any web service hosted under Microsoft IIS. However, it is doomed to fail at protecting SharePoint if you only configure the settings per its user guide.
Generally you will get the infamous “500 – Internal server error” when visiting the protected SharePoint site.

In addition, if you use IIS Manager to check the authentication of the application “DasWeb” (under the protected SharePoint site) created by the Deepnet IIS agent, you will get the following error message box, which complains about duplicates.




In order to make Deepnet work with SharePoint 2010, a little extra effort is needed.

Prerequisites

You have to configure SharePoint with Forms Authentication before installing the Deepnet IIS agent.

Changes on web.config of your SharePoint site

Find the file web.config of your SharePoint site: you can use IIS Manager, select the site, then click “Explore” in the Actions pane, and open the file with your favourite editor.



  • Locate <httpModules> under <system.web> and insert
    <add name="Session" type="System.Web.SessionState.SessionStateModule" />
    right after <httpModules>, so the section reads:

    <httpModules>
      <add name="Session" type="System.Web.SessionState.SessionStateModule"/>
      <add name="FederatedAuthentication" type="Microsoft.SharePoint.IdentityModel.SPFederationAuthenticationModule, Microsoft.SharePoint.IdentityModel, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
      <add name="SessionAuthentication" type="Microsoft.SharePoint.IdentityModel.SPSessionAuthenticationModule, Microsoft.SharePoint.IdentityModel, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
      <add name="SPWindowsClaimsAuthentication" type="Microsoft.SharePoint.IdentityModel.SPWindowsClaimsAuthenticationHttpModule, Microsoft.SharePoint.IdentityModel, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
    </httpModules>

  • Locate </modules> under <system.webServer> and insert
    <add name="Session" type="System.Web.SessionState.SessionStateModule" />
    just before </modules>, so the end of the section reads:

      <add name="FederatedAuthentication" type="Microsoft.SharePoint.IdentityModel.SPFederationAuthenticationModule, Microsoft.SharePoint.IdentityModel, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
      <add name="SessionAuthentication" type="Microsoft.SharePoint.IdentityModel.SPSessionAuthenticationModule, Microsoft.SharePoint.IdentityModel, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
      <add name="SPWindowsClaimsAuthentication" type="Microsoft.SharePoint.IdentityModel.SPWindowsClaimsAuthenticationHttpModule, Microsoft.SharePoint.IdentityModel, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" />
      <add name="DasIIS7Native" />
      <add name="Session" type="System.Web.SessionState.SessionStateModule"/>
    </modules>

  • Search for “enableSessionState”; it takes you to a line like this:

    <pages enableSessionState="false" enableViewState="true" enableViewStateMac="true" validateRequest="false" pageParserFilterType="Microsoft.SharePoint.ApplicationRuntime.SPPageParserFilter, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" asyncTimeout="7">

    Change enableSessionState to "true" and keep the other attributes intact:

    <pages enableSessionState="true" enableViewState="true" enableViewStateMac="true" validateRequest="false" pageParserFilterType="Microsoft.SharePoint.ApplicationRuntime.SPPageParserFilter, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" asyncTimeout="7">

  • Find <trust level="WSS_Minimal" originUrl="" /> and comment it out:

    <!-- <trust level="WSS_Minimal" originUrl="" /> -->

  • Save the file.

  • For your convenience, I uploaded the one from my lab just for reference. Please do NOT use it to overwrite yours.
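The four edits above are the kind of thing that gets redone by hand on every farm server, so here they are as an idempotent script. This is an added example, not the Deepnet agent's or SharePoint's own code; the sample web.config is constructed and keeps only the elements the steps touch, and comment-preserving parsing needs Python 3.8 or later.

```python
"""Apply the web.config changes listed above to a SharePoint site config,
idempotently. Added example, not the Deepnet agent's own code; the sample
config is constructed and only keeps the elements the steps touch.
Requires Python 3.8+ for comment-preserving parsing.
"""
import xml.etree.ElementTree as ET

SESSION_NAME = "Session"
SESSION_TYPE = "System.Web.SessionState.SessionStateModule"

SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <httpModules>
      <add name="FederatedAuthentication" type="Microsoft.SharePoint.IdentityModel.SPFederationAuthenticationModule, Microsoft.SharePoint.IdentityModel" />
      <add name="SessionAuthentication" type="Microsoft.SharePoint.IdentityModel.SPSessionAuthenticationModule, Microsoft.SharePoint.IdentityModel" />
    </httpModules>
    <pages enableSessionState="false" enableViewState="true" enableViewStateMac="true" validateRequest="false" asyncTimeout="7" />
    <!-- a comment that must survive the rewrite -->
    <trust level="WSS_Minimal" originUrl="" />
  </system.web>
  <system.webServer>
    <modules runAllManagedModulesForAllRequests="true">
      <add name="FederatedAuthentication" type="Microsoft.SharePoint.IdentityModel.SPFederationAuthenticationModule, Microsoft.SharePoint.IdentityModel" />
      <add name="DasIIS7Native" />
    </modules>
  </system.webServer>
</configuration>
"""


def parse_config(xml_text):
    """Parse while keeping <!-- --> comments, so existing ones are not lost."""
    parser = ET.XMLParser(target=ET.TreeBuilder(insert_comments=True))
    return ET.fromstring(xml_text, parser=parser)


def _session_module():
    return ET.Element("add", {"name": SESSION_NAME, "type": SESSION_TYPE})


def prepare_for_das(xml_text):
    """Return (new_xml, list_of_changes). A second run reports no changes."""
    root = parse_config(xml_text)
    changes = []

    # 1. <system.web>/<httpModules>: the Session module goes first
    http_modules = root.find("system.web/httpModules")
    if http_modules is not None and http_modules.find("add[@name='Session']") is None:
        http_modules.insert(0, _session_module())
        changes.append("added Session to system.web/httpModules")

    # 2. <system.webServer>/<modules>: the Session module goes last, after DasIIS7Native
    modules = root.find("system.webServer/modules")
    if modules is not None and modules.find("add[@name='Session']") is None:
        modules.append(_session_module())
        changes.append("added Session to system.webServer/modules")

    # 3. <pages enableSessionState="true">, every other attribute untouched
    pages = root.find("system.web/pages")
    if pages is not None and pages.get("enableSessionState") != "true":
        pages.set("enableSessionState", "true")
        changes.append("set pages/@enableSessionState=true")

    # 4. comment out <trust level="WSS_Minimal" ...>; ASP.NET then falls back
    #    to the machine-level default trust, which is Full on a stock install
    system_web = root.find("system.web")
    trust = system_web.find("trust") if system_web is not None else None
    if trust is not None:
        idx = list(system_web).index(trust)
        system_web.remove(trust)
        comment = ET.Comment(" " + ET.tostring(trust, encoding="unicode").strip() + " ")
        system_web.insert(idx, comment)
        changes.append("commented out system.web/trust")

    return ET.tostring(root, encoding="unicode"), changes


if __name__ == "__main__":
    new_xml, changes = prepare_for_das(SAMPLE_WEB_CONFIG)
    print("\n".join(changes))
    print(new_xml)
```

Step 4 is the one to think about before running this on a production farm: commenting out the WSS_Minimal trust level removes the code-access-security restriction SharePoint puts on the site, so any code that runs in that web application afterwards does so under the machine default (Full trust). The agent evidently needs it, but it is worth recording as a deliberate exception.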


Changes on web.config of the application “DasWeb”

Simply download the file from here to overwrite the original one.

Application Pool on the application “DasWeb”

The application pool of DasWeb must be the same as the one of the web site root.

Now you should be able to use Deepnet two factor authentication with SharePoint 2010.

Reference

Configuring claims and forms based authentication for use with an LDAP provider in SharePoint 2010

Configuring Forms Based Authentication in SharePoint 2010

Friday 6 August 2010

Activate Token - script practice on Deepnet Authentication Server (< 5.0)

This is a piece of code for activating all inactive tokens in the token stock.

from __future__ import print_function
import sys

# xmlrpclib is the Python 2 / Jython name; it is xmlrpc.client on Python 3
try:
    import xmlrpclib
except ImportError:
    import xmlrpc.client as xmlrpclib


def main():
    # Usage: acttoken serveraddr [port] [ssl]
    if len(sys.argv) == 1:
        print('Usage: acttoken serveraddr [port] [ssl]')
        print('\tdefault port = 8080')
        print()
        sys.exit(1)

    addr = 'localhost'
    if len(sys.argv) > 1:
        addr = sys.argv[1]

    port = '8080'
    if len(sys.argv) > 2:
        port = sys.argv[2]

    # plain http by default; pass "ssl" as the third argument for https
    proto = 'http://'
    if len(sys.argv) > 3:
        if sys.argv[3] == 'ssl':
            proto = 'https://'

    serverurl = proto + addr + ':' + port + '/das/xmlrpc'
    print(serverurl)
    server = xmlrpclib.Server(serverurl)

    # DAS replies with a list whose first element is the status
    result = server.das.listStockTokens({'status': 'INACTIVE'})
    if result[0] != 'OK':
        print("Error:", result)
        sys.exit(2)

    tokens = result[1]

    # enable every inactive token in the stock
    for t in tokens:
        print(t, server.das.enableToken(t, True))


if __name__ == '__main__':
    main()

Send Token - script practice on Deepnet Authentication Server (< 5.0)

If you are using the Deepnet two factor authentication server, you will probably agree with me that you can do almost everything with its management console. However, sometimes you may wonder whether they provide scripts to do the trivial, repetitive jobs. Yes, they do: you can use Python scripts to instruct the authentication server.

Here is an example of sending a token.

from __future__ import print_function

# xmlrpclib is the Python 2 / Jython name; it is xmlrpc.client on Python 3
try:
    import xmlrpclib
except ImportError:
    import xmlrpc.client as xmlrpclib


def main():
    addr = '192.168.222.149'
    port = '8080'
    proto = 'http://'

    serverurl = proto + addr + ':' + port + '/das/xmlrpc'
    print(serverurl)
    server = xmlrpclib.Server(serverurl)
    # send token 77004280 by e-mail; use 'SMS' instead of 'SMTP' to send it by SMS
    r = server.das.sendToken('77004280', False, 'SMTP')
    print(r)


if __name__ == '__main__':
    main()
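Both scripts above talk to the same XML-RPC endpoint and rely on the same reply convention (a list whose first element is the status), which is easiest to see with both sides of the exchange in one place. The following is an added example, not Deepnet's code: the server side is a constructed stub on a loopback port that only mimics what the two scripts observe; the real endpoint is a Deepnet Authentication Server at /das/xmlrpc, and the meaning of sendToken's second (False) argument is not documented on the page, so the stub ignores it.

```python
"""Loopback demonstration of the das.* XML-RPC calls used by the two scripts.

Added example, not Deepnet's code. StubDas is a constructed stand-in for the
DAS token stock; the real server is a Deepnet Authentication Server.
"""
import threading
import xmlrpc.client
from xmlrpc.server import SimpleXMLRPCServer, SimpleXMLRPCRequestHandler


class DasPathHandler(SimpleXMLRPCRequestHandler):
    # the real server answers on /das/xmlrpc, not the default /RPC2
    rpc_paths = ("/das/xmlrpc",)


class StubDas:
    """Constructed stand-in for the DAS token stock (serial -> status)."""

    def __init__(self):
        self.tokens = {"77004280": "INACTIVE", "77004281": "ACTIVE",
                       "77004282": "INACTIVE"}
        self.sent = []

    def list_stock_tokens(self, query):
        wanted = query.get("status")
        serials = sorted(s for s, st in self.tokens.items()
                         if wanted is None or st == wanted)
        return ["OK", serials]

    def enable_token(self, serial, enable):
        if serial not in self.tokens:
            return ["ERROR", "unknown token %s" % serial]
        self.tokens[serial] = "ACTIVE" if enable else "INACTIVE"
        return ["OK"]

    def send_token(self, serial, _flag, channel):
        # _flag: the second argument the page passes as False; its meaning is
        # not documented there, so the stub ignores it
        if serial not in self.tokens:
            return ["ERROR", "unknown token %s" % serial]
        if channel not in ("SMTP", "SMS"):
            return ["ERROR", "unknown channel %s" % channel]
        self.sent.append((serial, channel))
        return ["OK", serial, channel]


def start_stub_server():
    """Start the stub on a free loopback port; returns (server, stub, url)."""
    srv = SimpleXMLRPCServer(("127.0.0.1", 0), requestHandler=DasPathHandler,
                             logRequests=False)
    das = StubDas()
    # Register each method under its dotted name. This is used instead of
    # register_instance(obj, allow_dotted_names=True), which the Python docs
    # warn lets callers walk arbitrary attributes of the exposed object.
    srv.register_function(das.list_stock_tokens, "das.listStockTokens")
    srv.register_function(das.enable_token, "das.enableToken")
    srv.register_function(das.send_token, "das.sendToken")
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    url = "http://127.0.0.1:%d/das/xmlrpc" % srv.server_address[1]
    return srv, das, url


def activate_inactive_tokens(url):
    """Client side of the 'Activate Token' script; returns the serials activated."""
    proxy = xmlrpc.client.ServerProxy(url)
    result = proxy.das.listStockTokens({"status": "INACTIVE"})
    if result[0] != "OK":
        raise RuntimeError("listStockTokens failed: %r" % (result,))
    activated = []
    for serial in result[1]:
        reply = proxy.das.enableToken(serial, True)
        if reply[0] == "OK":
            activated.append(serial)
    return activated


def send_token(url, serial, channel="SMTP"):
    """Client side of the 'Send Token' script."""
    proxy = xmlrpc.client.ServerProxy(url)
    return proxy.das.sendToken(serial, False, channel)


if __name__ == "__main__":
    srv, das, url = start_stub_server()
    try:
        print("activated:", activate_inactive_tokens(url))
        print("send:", send_token(url, "77004280", "SMS"))
    finally:
        srv.shutdown()
        srv.server_close()
```

Two details carry over to the real scripts: the management endpoint is plain http unless you pass "ssl" (the first script) or change proto yourself (the second), and every reply must be checked for its status element rather than assumed to be "OK".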

Monday 2 August 2010

icon dimensions (0 x 0) don't meet the size requirements

I tried to upload the binary of my updated iPhone app and found that Apple now forces us to use Application Loader instead of the original iTunes Connect.

With the new approach, I got the following error:

iPhone/iPod Touch: Icon.png: icon dimensions (0 x 0) don't meet the size requirements. The icon file must be 57x57 pixels, in .png format

I double-checked the image file; the size IS 57x57. I was puzzled, as there had been no problem before (with iTunes Connect).

Luckily, I found the following link on the Internet

http://www.iphonedevsdk.com/forum/iphone-sdk-development/54784-icon-dimensions-0-x-0-dont-meet-size-requirements.html

where tonymy suggested

Edit Project Settings -> Build -> uncheck Compress PNG Files

As you can imagine, this glitch is not hard to avoid. I always try not to make a fetish of Apple's products, as I believe nobody is perfect.

Next time, Apple should submit their applications to get our approval before publishing, just as our apps have to wait to be approved.

Sunday 1 August 2010

xcode build error

I hadn't touched iPhone development for a year. Today I had to update my app, which has some problems on iPhone OS 4.x; however, I ran into a mystery when I rebuilt the project after renewing the iPhone development certificate.

Command /bin/sh failed with exit code 1
Justis Publishing Ltd:no such identity Line Location Tool:0

I have to admit that I did try this code-signing certificate (Justis Publishing Ltd) last year before I opened an account with Apple (which cost $99); this cert had expired, so I deleted it from Keychain.

I am quite sure I chose the correct development certificate, which was downloaded from my account on the iPhone development portal. In the Xcode IDE I poked around every corner, but failed to get rid of this error.

My gut feeling told me this problem lay in the project settings, so I decided to have a look with the Terminal.

First of all, I went to the project settings folder (the ".xcodeproj" is actually a folder).

grep -i "Justis" *.*

The grep result showed that the string "Justis" did exist in the file project.pbxproj!

With nano, I saw the following in this file:

/* Begin PBXShellScriptBuildPhase section */
        3F3B364F0FD01DF6001754F2 /* ShellScript */ = {
            isa = PBXShellScriptBuildPhase;
            buildActionMask = 2147483647;
            files = (
            );
            inputPaths = (
            );
            outputPaths = (
            );
            runOnlyForDeploymentPostprocessing = 0;
            shellPath = /bin/sh;
            shellScript = "if [ \"${PLATFORM_NAME}\" == \"iphoneos\" ]; then\nplatform=/Developer/Platforms/iPhoneOS.platform\nallocate=${platform}/Developer/usr/bin/codesign_allocate\nexport CODESIGN_ALLOCATE=${allocate}\ncodesign -fs \"Justis Publishing Ltd\" \"${BUILT_PRODUCTS_DIR}/${WRAPPER_NAME}\"\nfi\n";
        };
/* End PBXShellScriptBuildPhase section */

I have no idea how or when I added this section to the project, but I don't think I need it at all, so I deleted it, saved the file, reopened Xcode and rebuilt my project. Bingo! Everything was right again!

Like all other IDEs, Xcode is not omnipotent. Sometimes you have to look into the Makefile (here the project.pbxproj file), don't you?
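A shell-script build phase that re-signs the product with a hard-coded identity is exactly the kind of thing that hides in project.pbxproj without ever showing up in the IDE, so it pays to list those phases rather than grep for one name. The scanner below is an added example, not part of this post; SAMPLE_PBXPROJ is constructed from the fragment shown above plus a second, harmless phase with a made-up object id.

```python
"""List the PBXShellScriptBuildPhase entries in an Xcode project.pbxproj and
flag any that call codesign with an explicit identity.

Added example, not part of the post. SAMPLE_PBXPROJ is constructed from the
fragment shown above plus a second phase with a made-up object id.
"""
import re

SAMPLE_PBXPROJ = r'''
/* Begin PBXShellScriptBuildPhase section */
        3F3B364F0FD01DF6001754F2 /* ShellScript */ = {
            isa = PBXShellScriptBuildPhase;
            buildActionMask = 2147483647;
            files = (
            );
            inputPaths = (
            );
            outputPaths = (
            );
            runOnlyForDeploymentPostprocessing = 0;
            shellPath = /bin/sh;
            shellScript = "if [ \"${PLATFORM_NAME}\" == \"iphoneos\" ]; then\nplatform=/Developer/Platforms/iPhoneOS.platform\nallocate=${platform}/Developer/usr/bin/codesign_allocate\nexport CODESIGN_ALLOCATE=${allocate}\ncodesign -fs \"Justis Publishing Ltd\" \"${BUILT_PRODUCTS_DIR}/${WRAPPER_NAME}\"\nfi\n";
        };
        0123456789ABCDEF01234567 /* ShellScript */ = {
            isa = PBXShellScriptBuildPhase;
            shellPath = /bin/sh;
            shellScript = "echo \"build $(date)\" > \"${BUILT_PRODUCTS_DIR}/stamp.txt\"\n";
        };
/* End PBXShellScriptBuildPhase section */
'''

# one object entry: <24 hex id> /* comment */ = { ... };
ENTRY_RE = re.compile(
    r"(?P<id>[0-9A-F]{24})\s*/\*\s*(?P<name>.*?)\s*\*/\s*=\s*\{(?P<body>.*?)\n\s*\};",
    re.DOTALL)
# the quoted shellScript value, honouring backslash escapes
SCRIPT_RE = re.compile(r'shellScript\s*=\s*"((?:[^"\\]|\\.)*)"\s*;')
# codesign invoked with -s / -fs and a quoted identity (the form seen above)
CODESIGN_RE = re.compile(r'\bcodesign\b[^\n]*?\s-[A-Za-z]*s\s+"([^"]*)"')


def unescape(s):
    """Undo the pbxproj string escapes (backslash-n, backslash-t, backslash-quote)."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "t": "\t"}.get(m.group(1), m.group(1)), s)


def shell_script_phases(pbxproj_text):
    """Return [{'id', 'name', 'script', 'identities'}] for each shell script phase."""
    phases = []
    for m in ENTRY_RE.finditer(pbxproj_text):
        body = m.group("body")
        if "isa = PBXShellScriptBuildPhase;" not in body:
            continue
        sm = SCRIPT_RE.search(body)
        script = unescape(sm.group(1)) if sm else ""
        phases.append({
            "id": m.group("id"),
            "name": m.group("name"),
            "script": script,
            "identities": CODESIGN_RE.findall(script),
        })
    return phases


def codesigning_phases(pbxproj_text):
    """Only the phases that re-sign the product with a hard-coded identity."""
    return [p for p in shell_script_phases(pbxproj_text) if p["identities"]]


if __name__ == "__main__":
    for p in codesigning_phases(SAMPLE_PBXPROJ):
        print("%s (%s) signs with %s" % (p["id"], p["name"], p["identities"]))
```

Point it at a real project with `shell_script_phases(open("project.pbxproj").read())`; every phase is printed with its unescaped script, so an unexpected one stands out even when it does not call codesign.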

Wednesday 23 June 2010

MobileID Android Version

Deepnet Security hasn't published official documentation on how to use one of their products, the Android version of MobileID. Probably they assume you have an Android phone and are familiar with the Android OS, so you can figure it out by yourself. Actually, yes: as you will see, it is quite straightforward to use this app.

Download

The app can be downloaded with your phone's browser at this link. Of course you can use other ways to install this app on your phone.
Once installed, it looks like this:

“Not token yet”: you can't do anything! Don't panic. If you think about it from a common-sense perspective, you will try the “menu” button which every Android phone is supposed to have.

Press it and you can see 4 menu items on the screen.
Add Token

Touch it to bring up another activity.
You can install a token in two different ways. With the “By Download” approach you need to input the Service URL, Token Serial Number and Activation Code; get them from your Deepnet service provider (DSP).

If your service provider doesn't expose the service URL, then try the other approach, “Install Locally”. This time you have to get the Token Seed and Token Serial Number from your DSP; however, you can choose the “Token Name” at will.

Once you click the “OK” button, a new token will be added to your MobileID store, assuming you have entered the correct data.

Now touch the button “Generate OTP”; the OTP(s) will be generated and shown in the LCD area.

There are two buttons on the bar that shows the current token's name. The left one is an info button, which shows the token information once you click it.

The right one is a sync button; it synchronizes the current token with the Deepnet Authentication Server, provided the token was installed by download (it has a service URL).

Do you notice a task bar at the bottom of the screen showing the text “OTP Mode”? Hold it for more than one second and a context menu will appear; you can switch the mode among the three: OTP, Sign and Challenge.

Are you a VIP? Do you have many tokens for accessing different applications? If so, you may ask how to switch the active token easily. Well, this app provides a convenient feature: fling/swipe the area of the current token and it will shift to the adjacent one according to your fling direction.

Management Token

This activity lists all the tokens you have installed. Select a token with a long click and a context menu pops up which allows you to delete the token, change its name, view its details and make the selected token the primary (active) one (marked with the sign *).

Change PIN

Want more privacy? You can add a PIN to protect this app. There is no OK or Cancel button on this activity; you have to click the “Back” button to go back to the main activity.

Now if you rerun the app (exit first), it presents the PIN page first; you have to enter the correct PIN to access the normal OTP activity. Try a wrong PIN and the app will show you a warning dialog saying how many attempts you still have. If it reaches zero, sorry, the app will remove all tokens for security reasons.

Exit

There is no statistic about how much battery power this app consumes while idle. If you are concerned about this, press the menu item “Exit” to quit fully and ease your mind.

It is said that all Android phones with OS 1.5 or later can benefit from this app.