A fairy long title, but it describes exactly what this post is about. Once again a post about a Microsoft product and the way it works (or rather doesn't work) with your average Internet standard.
This week I was busy with RADIUS, 802.1x, PKI and the protection of websites with SSL encryption. For the implementation of 802.1x, I needed a PKI environment, so I used the Microsoft Certificate Services for that purpose. Along the way, I needed an SSL certificate for an internal website, but this particular website needed to work properly based on different FQDN's and or IP addresses without throwing warining or errors regarding the SSL connection.
The way to do this is to add Subject Alternative Names (SAN) to the certificate. This enables you to access the website in different ways, e.g.;
- Access a webmail host from the internet based on its official FQDN (https://webmail.somedomain.com)
- Access the same webmail host from the inside of the corporate lan based on its internal name (https://webmail.acme.local)
- And access the host from legacy DNS-unaware software on its IP address (https://192.168.1.254)
The Fritzbox 7340 is the only real available VDSL modem/router in the Netherlands. Too bad, since it has some bugs (but what piece of software hasn't???). Fortunately, the router works well, just as long as you use it as the only networking device in your (small) network.
In the last couple of days I've been busy to add the Juniper SRX100 branch firewall to my local home network. The idea was the following:
- The Fritzbox (FB) will remain the Internet router
- My web/mail/ssh server is placed behind the SRX100
- All the individual portforward rules in the Fritzbox are directed to the SRX100 by selecting the 'Exposed Host' in the FB.
Juniper started to migrate their firewalls from Netscreen to the Junos environment 'a couple of' months back. The advantage is that there's a universal OS for routers, switches and firewalls. Just like Cisco IOS. The disadvantage is that the Junos OS is being adapted for the firewalls. So the foundations are there, but there are still lots of features missing and bugs are also still abundant.
The bugs are thankfully mostly related to the WebGUI. On the commandlinethe bugs are in the same league as the Cisco, Checkpoint and every other vendor bugs. No piece of software is perfect.
Earlier this week I got the announcement (I opened an Adobe application) that there was an update for the Adobe Reader app. Security-conscious as I am, I fired up the update process.
Each time, this process stopped at the (near??) end of the installation with the following error:
The operation couldn’t be completed. (com.adobe.ARM error 1807.)
The error also suggested looking at the log file. Examination of this file showed nothing out of the ordinary. At least not that made sense to me.
There were some lines in the log that made me try to do a work-around (in bold);
During the clean-up of my personal data on my Mac's, I found several PGP encrypted containers, and encrypted files. To see what was stored in them, I needed to install PGP (again).
After installing the software I dug up my keyrings and everything worked fine, until I tried to encrypt an e-mail. In the old days you had a button for encrypting the body of an e-mail message, but today things have changed. PGP is using some sort of (local) proxy to encrypt, decrypt, sign and verify e-mail messages. BUT there's also the possibility to do this with text on the clipboard, or text you selected with your mouse/keyboard.
This is where I ran into some missing functionality; Normally the PGP actions are visible under the 'right-mouse' click -> Services, but no PGP actions available. Further investigation showed that no PGP actions were available on (plain) text in editors. PGP actions on entire files were no problem.
I'm currently busy with several 802.1x implementations in corporate networks, and in one of those environment I get the strangest behavior in regards to the authentication process.
In this particular case I use a Microsoft 2008 Active Directory. Mandatory for distributing the wired network adapter settings in regards to 802.1x. The clients are a mix of Windows XP (SP1 and SP3) clients and some newer and/or exotic operating systems. The authentication mechanism of choice is EAP-TLS with dynamic VLAN assignment. The RADIUS server used is the Cisco Secure ACS v5.x appliance.
During the authentication process of the XP SP3 PC's I saw that the first authentication attempt was made with the PEAP mechanism. Since PEAP isn't allowed, the authentication mechanism failed. About a minute and twenty seconds later the PC started another dot1x authentication sequence. This time using EAP-TLS, and the PC got access to the network.
It's been three weeks exactly (well, almost), and my new iMac i7 27" went to the repair shop.. (*sniff*).
The iMac booted normally this morning, but after a couple of minutes, the fans started kicking in. A new sensation for me. I have never heard a fan in this, or my other (i)Macs. At first I thought that my external drive (Drobo) started making the noise, but the Drobo was silent.
Turned out the fans in my iMac started blowing (hard), and the airflow was relatively warm. Too warm for a Mac which has been switched on for about 10 minutes with no real CPU intensive tasks running.
First I checked the Activity Monitor and 'Top' in the Terminal app to see if there was some program that consumed too many CPU cycles. Nothing there. On average, the CPU was 3% busy.
Next thing to do was resetting the PRAM/NVRAM by holding the Option-Command-R-P combination during a power-on of the iMac. This also made no difference (booting went a bit faster though).
One can not have enough screen "real-estate" when working with photos, or while exploring your web-development skillz. So, a single display is simply not an option in my case......
Next to my 27" iMac stands a Dell 24" TFT Display. This Dell display is being abused for two things;
- extended display for my iMac, and
- as a main monitor for my (Windows) work laptop
using the input selector on the TFT display.
Since I'm a guy and I rock at multitasking (*cough*), I have both my Windows (work) laptop and my iMac powered on. In this scenario I have only one active display on my iMac. The second display should therefor not be used, and this is where Apple fails miserably.
