Almost had a slight panic at work today when I noticed some strange entries on the security logs on a domain controller. My first thought was someone trying to hack a user account outside of normal working hours. The security logs were showing multiple incorrect login entries for the same user hundreds of times a minute starting at 20:00 in the evening and eventually filling the whole log file by 22:00.

The log contained an event id number 672. After ruling out a virus (ruling out = hoping it wasn’t) or a hacker attempt, it finally clicked that it may have something to do with logon time restrictions. A quick look in Active Directory and it was confirmed that the user was not permitted to logon between 22:00 and 07:00 (this was not a default policy for our users on the domain).

Log Entry:

Authentication Ticket Request:
User Name: joe.bloggs
Supplied Realm Name: yourdomain.nnn.com
User ID: -
Service Name: krbtgt/yourdomain.nnn.com
Service ID: -
Ticket Options: 0×40810010
Result Code: 0×12
Ticket Encryption Type: -
Pre-Authentication Type: -
Client Address: 10.0.0.1
Certificate Issuer Name:
Certificate Serial Number:
Certificate Thumbprint:

I turned 30 recently, which was a great excuse to splurge some cash (thanks Mrs Me and Mum) on an Apple TV and hook it up to our recently built home network (wired: cat6, 1GBps switch and wireless: N+ router) and media server.

As soon as we moved into our current house (August 2006) I was determined to get away from physical media and have everything accessible at the touch of a button. Music was pretty easy, I already had a whack of albums mp3′d up and moved into iTunes and streaming from a central server to a netgear mp101 (which is really a not very good device, at all).

Movies on the other hand have had to wait for several reasons, money, time and infrastructure (see above network). All the bits and bobs I needed are now in place and here is how I have built my home media network with iTunes at the centre.

Current Kit

Mac (Pro G5 running Mac OSX 10.5)
Media Server (old optiplex gx270 running xp pro)
Apple TV (version 2.0)
iPods/iPhones (a few different models)

‘Must have’ Requirements

The following requirements are based on my families needs, having trawled the web there are umpteen ways of  configuring iTunes on a media server, some with scripts, some with syncing software (such as Tune Ranger). I did try these methods but none were compatible with the way we work at home.

• iTunes updates must be the same as before. Mrs Me or Little Me should be able to come along, pop in a CD , rip it to iTunes and it should then be available for them to play on the computer, apple tv or sync with an iPod.
• Movies and Music must always be available on Apple TV without having to remember to turn on the desktop Mac.
• Music should be backed up offsite.

The Desktop

The iTunes library and files are stored on the media server.

iTunes on the desktop Mac point to this library via a network share.

Music and iTunes store movies are added as normal.

Our DVD’s (purchased legally) are ripped using Handbrake (apple tv preset with 2 pass encoding, AAC+AC3 audio and deblock option selected) and then dropped into iTunes.

I create a separate rip especially for iPod on movies that Little Me wants to watch (Monsters Inc etc…), more storage is required but it means a better quality image for home use on the Apple TV. If space is an issue, the iPod high-res preset in Handbrake is still great quality and is comparable with standard-def downloads from the iTunes store and creates a file that will work on Apple TV and iPod/iPhone that is about 1.2GB in size, it’s your choice.

The Media Server

The media server runs it’s own version of iTunes.

The media server runs the paid for version of the itunes folder watch application. The paid for version allows for automatic updates.

The iTunes folder watch monitors the movie and TV shows folder only. If a movie is dropped into iTunes on the desktop Mac, the folder watch spots it and adds it to the media servers library as well. It does not duplicate the file as it uses the same folder for movies and TV shows.

I have shared out the media servers iTunes Library as ‘iTunes Movie Server’.

Offsite backup is carried out by Elephant Drive after midnight.

Apple TV

All music files (not movies or TV Shows) are synced to the Apple TV, this allows them to be available even if the desktop system is powered off.

The Apple TV is also connected to the ‘iTunes Movie Server’ shared library. As this is on a server the movies are always accessible but they don’t take up any room on the Apple TV.

Conclusion

An easy to use system that from a users point of view just works and is meets the needs of my family.

The system can be easily expanded as well.

• AirPort express will allow the same music to be spread throughout the house.
• TwonkyVision on the server will allow the iTunes library (if I add music to it) to be streamed to other non Apple devices.

There are downsides to the above solution, it will not work if we introduced a laptop that can also update the central library and take the files offsite. The following scripting article may help in that scenario:

http://guides.macrumors.com/Keeping_2_iTunes_Libraries_in_Sync

This is a quick guide that shows you how to enable SSH on your VMWare ESX server and then how to configure the physical NIC card remotely using SSH and Putty.

Before you start you will need:
Putty

If you cannot connect via Putty, you will need to physically go to the server and enable it using the following commands.

Allowing root to remote SSH onto the ESX server:

1. Access to local server console and from the local console, either at the server, remote management or similar login as root to the ESX server.
2. Navigate to the ssh folder, eg: cd /etc/ssh
3. Open the sshd_config file with a text editor, eg: vi or nano. example vi sshd_config
4. Go to the line where it says PermitRootLogin no (In my file it’s about line 32) and change the no to yes use ZZ to save and exit
5. Save the file and restart the sshd service: service sshd restart

Configuring/Creating the switch:

View existing configuration:

esxcfg-vswitch -l

Creating the switch:

esxcfg-vswitch -a vSwitch1

Creating the virtual network:

esxcfg-vswitch -A “Backup Network” vSwitch1

Adding the NIC

esxcfg-vswitch -L vmnic1 vSwitch1

Configuring the NIC

esxcfg-vswif -a vswif1 -p “Backup Network” -i 10.0.0.101 -n 255.255.254.0

A simpler way of importing Outlook contacts in csv format into the OS X Address Book.

*** Requires a Gmail account (I haven’t checked Hotmail or Yahoo mail) ***

A friend of mine has recently migrated from a Windows PC to Mac. They needed to import their (Windows) Outlook contacts into their new Apple OS X Address Book.  Simple? nope. OS X address book does not let you import .csv files directly.

A bit of Googling later and it was proving to be very difficult. The simplest way I found involved downloading Mozilla Thunderbird, importing the .csv, matching all the .csv fields with the Thunderbird fields, exporting as an ldif, then importing the ldif into the address book.

There is a much simpler way

1. Import your .csv file into your Gmail contacts.

2. Select all your contacts in Gmail.

3. Export as v-card.

4. Import into address book.

5. Done.

I’ve just rebuilt my HP tc1100 tablet with Microsoft Windows XP SP2 Tablet Edition. After downloading all the drivers from the official HP driver site I could not get the audio driver to install. The hardware manager only highlights that a ‘multimedia audio controller’ driver is required.

After trying to install the recommended driver without much luck, I performed the online HP diagnostic check. This provided a link to the following download:

ftp://ftp.hp.com/pub/softpaq/sp30001-30500/sp30107.exe

One of our development guys was trying to install IIS on his PC. During the install process he was prompted to enter the Windows XP cd as the staxmem.dll could not be found.

“Copy error
Setup cannot copy the file staxmem.dl_.
 
Ensure that the disk labeled ‘Windows XP Professional Service pack 2 CD’ is in the drive selected below, or provide the location where the file can be found.”

Unfortunately even with the disc in the system was adamant that it could not find the file (even though we could browse to it manually).

To fix this problem the following command has to be run (start > run then copy and paste the following):

esentutl /p %windir%\security\database\secedit.sdb

When prompted click Yes.

Now try the install again.

For more info you can go the the Microsoft KB article: KB555268

Following on from my previous post, Implementing 802.1x – Lessons learned, we have encountered a new more drastic problem. Microsoft has confirmed that Windows XP does not support dynamic vlan switching. This has really scuppered our plans for a secure wireless network that allows user accounts to determine which dedicated vlan they go onto, irrespective of site, making it easier for users to get access to the systems that they need without additional configuration from IT.

What we Wanted:
The initial plan was to use the machine account (checked against active directory) to place the client on a machine only vlan. This would allow admin work such as AV updates, security compliance and RDP sessions to be carried out. Access to all other network resources would not be allowed.

A user could then logon and depending on which network group they were in they would be verified against active directory and placed on the appropriate vlan which had access permissions set accordong to the group. This would allow them to move between sites and have no additional firewall/ACL changes made by IT.

The Problem:
The problem arises when the vlan switch occurs. After re-authentication, Windows XP sends a DHCP REQUEST to the DHCP Server. This REQUEST includes the IP from the previous vlan. This IP is no longer valid in the new vlan. This causes the DHCP server to send a NACK (Not Acknowledged)  to the client. The client then waits a few seconds and sends another DHCP-REQUEST which will fail again. What it should do is send a DHCP-DISCOVER to obtain a new IP address.

According to Microsoft this is because the NETLOGON service works independently of the 802.1x authentication process. One does not wait on the other, which leads to conflicts 75% of the time.

Updating to XP service pack 3 does not resolve the issue.

The KB article is here:

http://support.microsoft.com/?kbid=935638

The support Forum is here:

http://forums.technet.microsoft.com/en-US/winserverNAP/thread/f68dc3f0-744a-4d0f-b85a-87f8bc531fd0/

Implementing 802.1x for a multisite (100+) organisation. Using bonded authentication to verify both machine and user supplicants prior to network access being granted. Great for Windows systems, not so good for our OS X clients as they don’t do machine authentication.

I have recently started a new project in the day job. We have been asked to construct a test environment that will allow secure wireless access for company equipment to the internal network and at the same time allow guests to use their own wireless devices to connect to the Internet but be kept far away from the internal network. Once testing is complete the ‘model’ will then be applied to just under 100 sites with a potential user base of 45, 000 unique users.

It was decided to implement IEEE 802.1x for users and machines using a wireless connection. This post has been written, not to show how this can be setup, there are millions of them on the web already, instead, it has been written to jot down some of the problems/issues/obstacles that were encountered.

Two SSIDs were created. The first SSID, lets call it ‘Guest’, was broadcast and visible to all users. Guests/Staff with their own equipment can see and connect to this SSID giving them access to the internet via an internal portal which their browser is redirected to when they first try to browse to a webpage. The guest enters a user name and password (supplied by the company) they are then connected to the net. You’ve probably seen this before; think McDonalds or Starbuck hotspots and the WiFi you get supplied in hotels.

Connecting to the ‘Guest’ SSID also tells the switch to place the client on a guest vlan. The guest vlan keeps the guest clients separate from the internal network and it was also configured to block peer-to-peer connections.

The second SSID, lets call it ‘company’, was hidden and only known company equipment was allowed to be configured and connected to this SSID using the 802.1x standard. Depending on the user/computer credentials supplied the user was placed on an appropriate vlan. A regular user would be placed on a user vlan with access to file-share etc. Tech support users were placed on the tech vlan with raised access privileges and so on.

We decided to go for a combined authentication method using client and user credentials held in active directory. If both pieces of information were not present the client would not be allowed to the internal network and would be given a guest experience only.

Windows XP
clients were configured through active directory. You can configure and push an entire wireless policy (SSID, encryption, type of connection, type of 802.1x authentication) via group policy, which is really neat and scarily easy to do.

Windows 2000 (Services Pack 4 only)
This a manual process I’m afraid. The Dell clients we had could not be controlled via windows and the third party software provided by the wireless card manufacturer (Intel) had to be used for configuration.

Mac OS X
The OS from Apple posed a real headache. 802.1x has been natively supported since version 10.3. Unfortunately their implementation only supports user authentication. At present (as far as I can tell) there is no way to authenticate the client as well as the user (10.5 client authentication actually uses a user account and is not true client authentication). This caused a real problem for the security we had envisaged. Switching to user authentication only, would allow guests to put their own equipment onto our internal network.

We did try user authentication with MAC level security for the client but could not get this to work, which is good because management would be a nightmare. We decided to stick with client and user authentication and place the OSX machines on a new SSID with WPA2 encryption and MAC level authentication only. This is a temporary solution. The powers that be have been informed of the risk and they have accepted this.

Mac OS 9
OS 9 does not support 802.1x and these are being phased out.

Linux
We currently do not have any company Linux systems. Linux users can still connect to the ‘Guest’ SSID.

Further reading:

Wikipedia: 802.1x:
http://en.wikipedia.org/wiki/802.1x

TechNet: Access AD wireless policies:
http://tinyurl.com/4fyqjv

TechNet: Configure AD wireless policies:
http://tinyurl.com/45lqx8

Ja.net: 802.1x Implementation (PDF)
http://www.ja.net/documents/publications/technical-guides/8021x-tg-web.pdf