Security issues w/ one-way forest trust and kerberos delegation
Re: http://www.dscoduc.com/2009/11/kerberos-delegation-across-a-trust/
Yuck! Your Active Directory one-way forest trusts are really one-and-a-half-way or two-way trusts.
Scenario: You enable a one-way forest trust from a development forest or resource-containing-forest into the forest where you have the user accounts for your enterprise. It's very convenient, and it sounds secure - after all, you are not trusting these other forests for authentication - they're supposed to trust authentication in your forest, but you don't trust authentication of accounts in the trusting domains. What could go wrong?
Enter 'trusted for delegation'. It turns out that an administrator in the trusting forest can configure accounts/computers with the 'trusted for delegation' flag, and applications running under that security context can turn around and impersonate users from the trusted forest - *even to resources in the trusted forest!* So an administrator in the trusting forest effectively has carte blanche to any Kerberos-secured assets of any poor sap unfortunate enough to interact with a service in the trusting forest.
Basically, you can't really count on the 'unidirectional' nature of the trust. You can protect your administrator accounts with the 'account is sensitive and cannot be delegated' UAC flag, but unless you're ready to deny the joys of Kerberos delegation to the bulk of your users, you really need to ensure the same level of security controls in trusting forests as in your trusted forest, or you're creating substantial risk of inappropriate access to or modification of your users' information assets.
If you're not convinced, try it out in your lab. It's very easy (and demoralizing) to demonstrate the scenario.
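A defender-side audit for the exposure described above, added here as an example (not code from the original post): it assumes the ActiveDirectory PowerShell module (Get-ADTrust needs the Windows Server 2012 or later version), an account that can read both forests, and the placeholder forest names and sample group shown.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory module and
# an account that can read both forests. Forest names below are placeholders.
Import-Module ActiveDirectory

$trustedForest  = 'accounts.example'   # placeholder: forest holding the user accounts
$trustingForest = 'resources.example'  # placeholder: resource forest that trusts it

# userAccountControl bits: unconstrained delegation, and the per-account opt-out
# ('account is sensitive and cannot be delegated').
$TRUSTED_FOR_DELEGATION = 0x80000
$NOT_DELEGATED          = 0x100000

# 1. How the trusted forest sees the trust: Direction shows which way authentication flows.
Get-ADTrust -Filter "Name -eq '$trustingForest'" -Server $trustedForest |
    Select-Object Name, Direction, ForestTransitive

# 2. In the trusting forest, every user or computer already marked 'trusted for delegation'.
#    Each one can impersonate any trusted-forest user who authenticates to it, so each is
#    effectively a privileged principal from the trusted forest's point of view.
$delegators = @(Get-ADUser     -Server $trustingForest -Filter "userAccountControl -band $TRUSTED_FOR_DELEGATION") +
              @(Get-ADComputer -Server $trustingForest -Filter "userAccountControl -band $TRUSTED_FOR_DELEGATION")
$delegators | Select-Object Name, ObjectClass, DistinguishedName | Format-Table -AutoSize

# 3. In the trusted forest, privileged accounts that are still delegable (NOT_DELEGATED unset).
#    'Domain Admins' is the sample group; a real audit covers every privileged group you care about.
Get-ADGroupMember -Identity 'Domain Admins' -Server $trustedForest -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object { Get-ADUser -Identity $_.DistinguishedName -Server $trustedForest -Properties AccountNotDelegated } |
    Where-Object { -not $_.AccountNotDelegated } |
    ForEach-Object {
        Write-Output "Delegable privileged account: $($_.SamAccountName)"
        # Remediation, applied deliberately rather than by default:
        # Set-ADUser -Identity $_ -Server $trustedForest -AccountNotDelegated $true
    }
```

Step 2 is the list to review with the trusting forest's administrators: anything on it is, in effect, a privileged principal of your forest that you do not control.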
Posted at 03:39PM Dec 09, 2009 by raydoo in Software | Comments[0]
Sample: Customizing Spring.NET configuration variable resolution
While I was playing around with Spring.Objects.Factory.Config.VariablePlaceholderConfigurer I came across a scenario that led me to look into implementing my own IVariableSource. Essentially I was using CommandLineArgsVariableSource as the preferred source, trying EnvironmentVariableSource next, and then finally defaulting to a config file. In this case, I wanted the environment variable name to be more specific (qualified with an application identifier) than the command line arg names (keep them short). This is really a generic strategy: rewrite the variable name and delegate to an existing implementation.
using System;
using Spring.Objects.Factory.Config;

public class PrefixedEnvironmentVariableSource : IVariableSource
{
    // EnvironmentVariableSource to be wrapped by this instance
    private EnvironmentVariableSource environmentVariableSource;

    /// <summary>Prefix to be prepended to config variable names when searching for values in environment.</summary>
    public string Prefix { get; set; }

    public PrefixedEnvironmentVariableSource()
    {
        environmentVariableSource = new EnvironmentVariableSource();
        Prefix = String.Empty;
    }

    #region IVariableSource Members

    // Qualify the requested name with the prefix, then delegate the lookup to the wrapped source.
    public string ResolveVariable(string name)
    {
        return environmentVariableSource.ResolveVariable(Prefix + name);
    }

    #endregion
}
Posted at 09:18PM Sep 25, 2009 by raydoo in Software | Comments[0]
Sample: Generic GetObject extension method for Spring.NET
I know there's some controversy about whether or not this is a good thing - the stock interface is more flexible in that it won't go undefined if the context has multiple instances of a type. I guess I just think it's odd that you'd have by-type autowiring and not something like this... Here's a sample implementation of an extension method implementing a GetObject<T>() method on a Spring.NET application context that could go anywhere:
using System;
using System.Collections;
using System.Windows.Forms;
using Spring.Context;
using Spring.Context.Support;

static class Program
{
    /// <summary>The main entry point for the application.</summary>
    [STAThread]
    static void Main()
    {
        // Get the default configured context from the .NET application configuration.
        using (IApplicationContext appContext = ContextRegistry.GetContext())
        {
            CustomerEntryForm customerEntryForm = appContext.GetObject<CustomerEntryForm>();
            Application.Run(customerEntryForm);
        }
    }

    // Resolve the single object of type T registered in the context; fail loudly on zero or several matches.
    public static T GetObject<T>(this IApplicationContext appCtx)
    {
        IDictionary objectsOfType = appCtx.GetObjectsOfType(typeof(T));
        if (objectsOfType.Count != 1)
            throw new ApplicationException("Expected exactly one instance of type " + typeof(T).FullName +
                " in Spring.NET context, but found " + objectsOfType.Count);
        T retVal = default(T);
        foreach (object key in objectsOfType.Keys)
            retVal = (T) objectsOfType[key];
        return retVal;
    }
}
Posted at 10:58PM Sep 22, 2009 by raydoo in Software | Comments[1]
Unit tests failing with 'Exception has been thrown by the target of an invocation'?
I encountered an interesting problem in Visual Studio this week:
- Symptom:
  - VS2008 SP1 w/ Team Foundation Client
  - Unit tests in VS fail with 'Exception has been thrown by the target of an invocation'
  - Unit tests work with the mstest command line.
  - Team Explorer shows a red X on the Work Items folder.
  - Using the witexport command line fails with a 'Value does not fall within the expected range.' message
  - Affects all solutions in the problem TFS project for the user on one computer.
  - Does not affect the same user on other systems.
- Resolution:
  - Deleted registry key HKEY_CURRENT_USER\Software\Microsoft\VisualStudio\9.0 and allowed Visual Studio to rebuild settings on next load. Something more surgical might have worked, but I was casting a wide net over different options.
  - Re-installing software or patches doesn't help... The problem appeared to be in the registry?
At first, all I had was an austere error dialog preventing me from running any tests in Visual Studio: 'Exception has been thrown by the target of an invocation.' - no stack. no details. I managed to get a stack out of Visual Studio by attaching a debugger to it. There must have been a better way. :S
System.Reflection.TargetInvocationException occurred
Message="Exception has been thrown by the target of an invocation."
Source="mscorlib"
StackTrace:
at System.RuntimeTypeHandle.CreateInstance(RuntimeType type, Boolean publicOnly, Boolean noCheck, Boolean& canBeCached, RuntimeMethodHandle& ctor, Boolean& bNeedSecurityCheck)
at System.RuntimeType.CreateInstanceSlow(Boolean publicOnly, Boolean fillCache)
InnerException: System.ArgumentException
Message="The Extender Provider failed to return an Extender for this object."
Source=""
StackTrace:
at Microsoft.TeamFoundation.WorkItemTracking.Client.DataStore.HandleComException(Int32 hr)
at Microsoft.TeamFoundation.WorkItemTracking.Client.DataStore.DatastoreClass.get_RootNode()
at Microsoft.TeamFoundation.WorkItemTracking.Client.ProjectCollection..ctor(WorkItemStore store)
at Microsoft.TeamFoundation.WorkItemTracking.Client.WorkItemStore.get_Projects()
at Microsoft.VisualStudio.TeamSystem.Integration.TeamFoundationHostHelper.GetWorkItemTypes(WorkItemStore store, String projectName)
at Microsoft.VisualStudio.TeamSystem.Integration.TeamFoundationHostHelper.RefreshData(Boolean serverChanged, Boolean projectChanged, Boolean fireEvent)
at Microsoft.VisualStudio.TeamSystem.Integration.TeamFoundationHostHelper.Initialize(Boolean getBuildInfo, Boolean getWorkItemTypes)
at Microsoft.VisualStudio.TeamSystem.Integration.TeamFoundationHostHelper..ctor(IServiceProvider serviceProvider, Boolean getBuildInfo, Boolean getWorkItemTypes)
at Microsoft.VisualStudio.TeamSystem.Integration.VsetServerHelper..ctor(IServiceProvider serviceProvider)
at Microsoft.VisualStudio.TeamSystem.Integration.Client.VsetHelper.InitializeThrow(IServiceProvider serviceProvider)
at Microsoft.VisualStudio.TeamSystem.Integration.Client.VsetHelper.InitializeHelper(IServiceProvider serviceProvider)
at Microsoft.VisualStudio.TeamSystem.Integration.Client.VsetHelper.CreateVsetHelper(IServiceProvider serviceProvider)
at Microsoft.VisualStudio.TestTools.TestCaseManagement.QualityToolsPackage.get_VsetHelper()
at Microsoft.VisualStudio.TestTools.TestCaseManagement.ResultsToolWindow..ctor()
at Microsoft.VisualStudio.TestTools.TestCaseManagement.ResultToolWindowHost..ctor()
InnerException:
Posted at 03:08PM Sep 07, 2009 by raydoo in Software | Comments[3]
Providing dependencies to Workflow instances hosted with WorkflowServiceHost
In my usage, I have components I want to inject, often instantiated/serviced via Spring.NET. This feels a little strange relative to most Spring.NET usage, as I will place our dependencies in the workflow runtime as Services, and then use an override of OnActivityExecutionContextLoad to have the workflow 'pull' the dependencies back in from the workflow runtime. This seems odd, but it gets the components where they need to be without building an IOC container dependency into the workflow or building an extension for your IOC gadget. The workflow runtime is a container of its own, and the workflows are serviced components. This approach adapts a generic object creation strategy to the WF/WCF model - the WF/WCF way.
In the workflow, note the [NonSerialized] private field for the service we're providing to the workflow. You don't want your singleton services serialized along with workflow instances, do you?
using System;
using System.Workflow.Activities;

public sealed partial class Workflow1 : StateMachineWorkflowActivity
{
    public Workflow1()
    {
        InitializeComponent();
    }

    // Not serialized: the singleton service must not be persisted along with the workflow instance.
    [NonSerialized]
    private IStuffDoer stuffDoer;

    // ...

    // Pull the dependency back out of the runtime's service container every time the
    // instance is loaded (initial creation and each rehydration from persistence).
    protected override void OnActivityExecutionContextLoad(IServiceProvider provider)
    {
        base.OnActivityExecutionContextLoad(provider);
        stuffDoer = provider.GetService(typeof(IStuffDoer)) as IStuffDoer;
    }

    // ...
}
And we add the dependency to the workflow runtime in the host process like so (using 'new ...' for simplicity, you could pull from an IOC container here just as easily):
using System;
using System.ServiceModel;
using System.ServiceModel.Description;

Console.WriteLine("Starting host.");
WorkflowServiceHost host = new WorkflowServiceHost(typeof(Workflow1));
// Register the dependency with the WorkflowRuntime the host created for its workflows.
host.Description.Behaviors.Find<WorkflowRuntimeBehavior>().WorkflowRuntime.AddService(
    new StuffDoerImpl());
host.Open();
Console.WriteLine("Host started." + Environment.NewLine);
Console.WriteLine("Press Enter to stop:");
Console.ReadLine();
host.Close();
From there, the service is available for use in your workflow code activities. You can promote it to a public property if you want to bind it to activity properties.
It took a lot of Google-time to figure out how to get the dependency into the service host via the host description behaviors, and yet more to figure out how to get it from the ActivityExecutionContext into the workflow. I hope this saves someone some time!
Posted at 11:09PM Apr 13, 2009 by raydoo in Software | Comments[0]
Installing .NET v3.5 on a Virtuozzo Virtual Private Server (VPS)
Several months ago, I gave up on trying to get .NET v3.5 installed on the 1&1 Virtual Private Server I acquired to replace my old leased Linux server. The install kept failing, and I presumed it was because Virtuozzo was blocking the install due to it acting too much like an OS component. It turns out there is a simple, but obscure workaround. Special thanks to Andre Loker for spelling it out:
Coincidentally I had to set up two Virtuozzo machines this week as well, both running Windows Server 2003 Std SP2 64bit. One had 3.5 installed but needed SP1, the other had only 2.0 installed. I ran into the problems again on both machines. Here's what I did to install SP1:
Andre Loker
1. Restart the VPS (via the Virtuozzo control panel)
2. When the VPS is running again, rename "C:\Windows\System32\CatRoot2" (e.g. to C:\Windows\System32\oldCatRoot2 or so). DO NOT RENAME C:\Windows\System32\CatRoot, only CatRoot2
3. Start the Printer Spooler service (no need to set the start mode to auto, leave it at manual)
4. Run the .NET 3.5 SP1 installer (full version)
5. You'll probably need to reboot after installation
It worked on both machines for me, but of course I can't make any guarantees. Make sure you have a backup.
Good luck!
Posted at 12:06PM Mar 22, 2009 by raydoo in Software | Comments[0]
Vista Hibernation problem resolved
My Vista x64 installation at home became afflicted with an issue the other month where it would no longer resume from hibernation successfully. Instead of restoring the state from disk, the boot-loader would come up and indicate that Windows was not shut down properly, and give me the option to boot normally. WTF!
At the time, I was stumped and gave up - disabled hibernation and hybrid sleep.
I did find a solution recently, and am back to my preferred power-management config: http://forums.techarena.in/operating-systems/1125718.htm
I'd bitch about how shitty Windows is, but I know I've had plenty of strange boot-loader configuration issues with non-Windows operating systems, too...
Posted at 02:40PM Mar 18, 2009 by raydoo in Software | Comments[0]
Dough!
Jeez. It's been about 6 months since I last posted. I suck. Anyway, I am just winding up a three week holiday vacation (hell yeah!) I spent a lot of it annoying my family by tying up the kitchen making breads. I've always enjoyed making bread, but hadn't really learned to do it 'right'. I think I've made some breakthroughs, though!
The thing I've been enjoying most is playing with sourdough. I started my own natural starter here shortly after Thanksgiving, and it has been enlightening. I've fed it different flours (bread and AP white, whole wheat, whole grain rye, and spelt), run it through different fermentation times and temps, and dumped loaf after loaf on friends and family members. My apologies if I gave you anything unpleasant! :P
On New Year's Eve, I made a couple of experimental batches inspired by a trip to the Davis Food Co-op, including this wheat sourdough where I replaced a lot of the liquid with organic veggies. I dumped a 14.5oz can of Muir Glen diced tomatoes, a finely grated carrot, and some fresh rosemary into a whole wheat preferment and did my thing.
Haha. It's like getting a cup of veggie soup in every slice. It's strong enough in taste with all the veggies (it's really about 1/3 veggies! by weight!), whole wheat, and sourdough that Rima and Hazel don't like it. I'll have to find something to do with it... I like it with cream cheese. It might make a good pizza-toast or something?
Happy new year, everyone!
Posted at 11:20AM Jan 02, 2009 by raydoo in FoodnDrink | Comments[1]