Monday, February 28, 2011

IIS6 and Apache: Together At Last

I knew of course that you can't have two web servers on the same machine using the same socket, but when a client said that they had a multi-homed server I figured we could easily set Apache to bind to one socket, and IIS to another. Problem solved.

Hahaha. Just kidding.

It can be really frustrating to make what seems like a simple configuration change and have it not work. You double-check the syntax of httpd.conf, you do a netstat, you check the websites under IIS, and everything tells you that you have a textbook setup (if you can call running two webservers on the same machine textbook, but we won't get into that), but it doesn't work.

Turns out that IIS, sneaky bugger, insists on binding to all available IPs, regardless of what you set up in IIS Admin.  You actually have to perform additional steps to get this setup to work. You first have to disable socket pooling, as per this KB article. This may work right off, but if it doesn't you then have to explicitly tell IIS what IP to use by using the httpcfg tool, which is included in Microsoft's Support Tools, as described here.

Pretty interesting. 
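A quick way to see the symptom is to compare what each server is supposed to own with what is actually listening. The script below is an added example, not part of the original post: the `netstat -ano` excerpts, addresses and PIDs are constructed, and the function names are hypothetical.

```python
import re

# Constructed `netstat -ano` excerpts (documentation addresses, made-up PIDs).
BEFORE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       712
  TCP    192.0.2.10:139         0.0.0.0:0              LISTENING       4
"""
AFTER = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.0.2.10:80          0.0.0.0:0              LISTENING       4
  TCP    192.0.2.11:80          0.0.0.0:0              LISTENING       2336
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       712
"""

LISTEN = re.compile(
    r"^\s*TCP\s+(\d+\.\d+\.\d+\.\d+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")

def listeners(netstat_text):
    """Return {(ip, port): pid} for every IPv4 TCP listener in the output."""
    found = {}
    for line in netstat_text.splitlines():
        m = LISTEN.match(line)
        if m:
            found[(m.group(1), int(m.group(2)))] = int(m.group(3))
    return found

def check_bindings(netstat_text, intended):
    """intended: {name: (ip, port)}. Report what actually holds each socket."""
    table = listeners(netstat_text)
    report = {}
    for name, (ip, port) in intended.items():
        if ("0.0.0.0", port) in table:
            # A wildcard listener takes the port on every address of the host.
            report[name] = f"wildcard listener on port {port} (PID {table[('0.0.0.0', port)]})"
        elif (ip, port) in table:
            report[name] = f"ok (PID {table[(ip, port)]})"
        else:
            report[name] = "nothing listening"
    return report

# Assumed layout: one address per web server on the multi-homed box.
INTENDED = {"IIS": ("192.0.2.10", 80), "Apache": ("192.0.2.11", 80)}

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, check_bindings(text, INTENDED))
```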

Tuesday, February 22, 2011

Bad Advice: Linux Password Strength

First of all let me say that for the record, I don't generally believe in setting weak passwords. It is definitely one of the things past users I've worked with will tell you can be annoying about me. They hate it when I hand them a new user password with a bunch of symbols and a variety of alpha-numeric characters. I personally get a lot of enjoyment out of trying to think up clever combinations. I recently ran into a situation at home though that necessitated the creation of a password that failed one of the classic password rules.

When I'd initially set up my CentOS box, I had created a password that was standard for me at the time. Months later it is no longer my de facto password and it's become difficult for me to remember it when I go to log in to my system, so I decided it was time to finally change that password and bring it in line with what I typically use. When I tried to change it I got the message "BAD PASSWORD" because it was too close to what my previous password had been. I tried to change it to a blank password to see if that would get me over the hump. Nothing doing. My server was not about to let me use a weak password.

I did some digging and found the appropriate places to change the password strength setting. Not, unfortunately, before stumbling across a forum where every response to the OP's question was "You shouldn't do that." I hate forum police. It's fine to include a word of admonishment, but it would be really nice if you could also answer the question. Yes, thank you, I understand that weak passwords are a bad idea and that the policy is there to protect you, yadda yadda. Now please tell me how to override this policy.

I finally got the answer from this blog, and it's as simple as editing your /etc/pam.d/system-auth file to comment out the line that calls the pam_cracklib.so module.
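Because this edit silently removes password-quality enforcement for every account on the box, it is worth being able to spot it later. The audit below is an added example, not from the original post or the linked blog: the system-auth excerpts are constructed, and the function name and the list of quality modules checked are assumptions.

```python
import re

# Constructed CentOS-style /etc/pam.d/system-auth excerpt (not from the post).
ENFORCED = """\
auth        sufficient    pam_unix.so nullok try_first_pass
password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so
"""
# The same file after the edit described above: the cracklib line commented out.
DISABLED = "\n".join("#" + l if "pam_cracklib" in l else l
                     for l in ENFORCED.splitlines())

QUALITY_MODULES = ("pam_cracklib.so", "pam_pwquality.so", "pam_passwdqc.so")
# optional '#', type, control (word or [bracketed]), module path, arguments
RULE = re.compile(r"^(#?)\s*(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def audit_password_stack(text):
    """Report whether a password-quality module is active in the 'password' stack."""
    result = {"active": None, "commented_out": [], "options": {}}
    for line in text.splitlines():
        m = RULE.match(line.strip())
        if not m or m.group(2) != "password":
            continue
        module = m.group(4).rsplit("/", 1)[-1]   # tolerate absolute module paths
        if module not in QUALITY_MODULES:
            continue
        if m.group(1):
            # The rule is present but disabled, which is what this post's edit leaves behind.
            result["commented_out"].append(module)
        else:
            result["active"] = module
            for arg in m.group(5).split():
                key, _, value = arg.partition("=")
                result["options"][key] = value or True
    return result

if __name__ == "__main__":
    for label, text in (("enforced", ENFORCED), ("disabled", DISABLED)):
        print(label, audit_password_stack(text))
```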

Sunday, February 6, 2011

Office Click-to-Run

It's been a long time since I've been called on to install an Office product that was not volume-licensed, so I was taken by surprise during a recent task to install Office 2010 on a laptop. We're not even talking about upgrading a trial version to a purchased version, which I have done and comes with its own set of trials and tribulations. This was a simple case of uninstall Office 2007 (which was also not a legal copy), purchase and download Office 2010 Home and Business, install it. Voila. No muss, no fuss. Except there was a healthy amount of both muss and fuss.

I should have known something was off when the icon for the installer, downloaded to the desktop, looked very different than the standard executable. I clicked it and started the install process, and was promptly met with a dialogue box that informed me that I could start using Office now and it would continue downloading content in the background. I assumed it was calling home and getting updates, which seemed like a nice little feature (and there was no option to cancel anyway), so I let it go. It automatically opened PowerPoint to give me some information about Office 2010. I closed it, and gave it back to the user to let it finish.

Later the user asked me to set up their email profile, so I launched Outlook to do so. It had actually kept all of the previous Outlook configurations so there was really no need to set up anything. I entered the user's password, and everything seemed kosher except that Outlook crashed 2 minutes later. From that point on all attempts to launch Outlook failed. The message I got was simply that Outlook failed to launch properly. No further information was logged in the Application Logs, no messages from the application itself with suggested fixes or any information about what caused the crash. Nothing. I tried launching it in Safe Mode to see if there was a problem with an add-on or plugin. Outlook /safe didn't work as it could not find an executable called outlook.exe. Suspicious. I tried looking in the Office14 folder. Shockingly, there was nothing there.

My next thought was that the installation was somehow corrupt because of the missing executable files in the Office14 folder; not only was the one for Outlook missing, but for every other Office app. I checked the Control Panel and noticed the presence of a couple of items I had not explicitly installed, including something called Office Click-to-Run. I uninstalled it and it warned me that it would also uninstall Office 2010. Fine by me; that's what I'm headed for anyway. Uninstalled, rebooted, tried again. Same behavior as before, and the Click-to-Run entry is back. I turn to my good friend Google at this point to find out what Click-to-Run is and I find out that it's a virtualization of Office to allow faster purchase-to-use times for end users. It runs in its own virtual space by creating a "Q" drive on the machine, and that's why there are no .exe files along with it and no Safe Mode. A little more digging led me to this article on Slipstick about potential problems running Outlook from the Click-to-Run "installation". I followed their instructions for downloading the actual msi file and sure enough, once I had done a nice, traditional install everything worked as expected.

I can appreciate the allure of having instant ability to run an app that you purchase online or to try a new version of an app while still having your old one installed, and certainly being able to always download the latest version of the app (i.e. not having to run updates or install Service Packs afterwards) is great, but I feel like this virtualization of Office is a flashy cover for something that isn't really necessary or all that beneficial. Certainly the streaming technology has been around for a while now and is nothing new. Also, if the way in which it works means you can't use some of the most common features for business users like add-ins, Smartphone syncing, or interfacing with other applications like a CMR app, then it becomes pretty useless for the business user, and your average home user doesn't really need or use Outlook. I would assume this is part of the reason that this version of installation is not available for Professional and Professional Plus. I would argue that Home and Office should be included in this.

Wednesday, February 2, 2011

A Tale of Two Warranties: A Cisco Drama

In December I found that the SMARTnet contracts on our two firewalls were due to expire, so I set off on a mission to buy new ones. The goal was cheap, so whereas I could have gotten them from a known entity like CDW, it was important that I get the lowest price that I could. Ultimately it's like buying Microsoft software when you're not buying from Microsoft directly: you make sure to read the fine print very carefully so that you know what you're in for.

With SMARTnet contracts I entered a world of confusing codes and specifications. There was 8x5xNBD, 24x7x4, 24x7x2, and a new one that I had never heard of called SMB Smart Assistant. The codes for these differ depending on the exact serial number of your firewall. They were both ASA5505s, but because they had different licensing the product IDs for the warranties differed, so you had to make sure that you were getting the proper product ID. This website actually has a neat tool to help with that.

Ultimately, through much research and head-scratching, I settled with a company called ITHSC (http://www.ithsc.com/). I contacted them, got pricing information, and got the go-ahead to order the SMARTnets. Everything seemed on the up and up and I placed my order. The first surprise was when I was then contacted by a salesperson from a company called Network Dynamics asking for my current Cisco contract information and login. I assumed that this was related to my order but I emailed him back asking him who he was. Imagine, I receive an email from someone not affiliated in any obvious way with the company with which I'd been dealing, asking me for my Cisco contract number, and I was suspicious. I don't know why! (/sarcasm). After checking in with ITHSC I was told that they did their actual Cisco sales through NDI. Would have been nice if they'd let me know that, or if the salesperson that contacted me had put some context on his request.

After confirming his identity I received a PO. It was a PO for the wrong product. We currently had 8x5xNBD and we wanted to move up to 24x7x2. No problem; he came back with the correct PO. I wanted to pay by company credit card, and he sent me the payment form by email and advised me to send it back to him. He wanted me to send my credit card information over email, unencrypted. I sent it to him, encrypted.

After this, I wait. I get confirmation that the order was placed and that we have coverage shortly thereafter. I immediately notice that the coverage is for 8x5xNBD and not the 24x7x2 that we'd ordered. I email the salesperson back and he says he will get it fixed that day. I don't hear from him for two weeks. I email him again to say, "What's going on?" No response. Thus begins a game of hide and seek with NDI. I call their main line and try to speak to their product department. It consistently goes to voicemail, with my messages not being returned. I finally call the salesperson, who is very apologetic and tells me that he will walk right over to product and see what's going on and email me that day. It was a Friday, and it passed with no email from him. At this point it has been almost a month and we don't have the correct coverage for our product.

I go back to ITHSC and ask to speak with the person who originally put me in touch with NDI. He is surprised to hear that I've been having such difficulty getting the NDI salesperson to be responsive. He asks me to forward him whatever correspondence I have. He even pulled up the email between him and me where I specified that we wanted the 24x7x2 coverage. The next day I get an email from the NDI salesperson informing me that they had in fact put the change in with Cisco ever so long ago, back when he'd originally said, "We'll get this fixed today" and it was simply taking Cisco a long time to complete the transaction. In fact, he went so far as to forward me the email chain with the Cisco rep.

So, Cisco is the hold up at this point. Shocking, considering how easy Cisco's website is (oh yeah, some more sarcasm here). Even if Cisco is the culprit and everything is their fault, it doesn't excuse the lack of communication and follow-through from them, the VAR. If you tell someone that you are going to get back to them that day, you'd damn well better get back to them. I'm reminded of Stephen Covey's "emotional bank account". These companies have made a huge withdrawal and done very little to get things back in balance.

Small Business Challenges: Drop Everything

Most often I will write about purely technical things: what neat tool I found, some challenge I had, a learning experience, etc. I feel, however, that at times it's important to also highlight and touch on the portion of Systems Administration that has nothing to do with the machine and everything to do with the Administration portion-- things like processes and interpersonal communication and office culture. Today is one of those times.

Working for a large company (or even a mid-size company), you encounter a fair number of standards and processes because they have to be there. A company that has a central IT staff and many branch offices has to have some kind of ticketing system so that people get assistance. A company that has to achieve some sort of compliance measure (like PCI or the MA privacy laws) finds themselves building processes and standards as a result of the changes that they have to make in operations. These are the kinds of companies I've worked for in the past, and it has given me a great appreciation for the way this works to best use your resources and make sure that the important, business-critical items are being hit consistently. I enjoy the order of this kind of environment.

Small business culture, which I've had ample opportunity to experience as a consultant, works very differently. In a small business there are few if any formal processes for IT, and those that exist are not followed consistently. There are no change control forms, no ticketing system. Small businesses favor a "drop everything" atmosphere. It's hard not to really, when your IT department or support person is merely a few cubicles or desks away. I've had it described to me as an environment where "you can knock on any door at any time and people will drop everything to help you." I love this mentality, and in fact expect it...when there's an emergency or unforeseen situation. If my server crashes, or the network goes down, all hands on deck for sure. The problem is that perceptions of emergency vary. I do not expect this to be the case when someone doesn't like the way their Blackberry is displaying their messages. I also don't expect this to be the case in the classic story of "lack of planning on your part does not constitute an emergency on mine".

We've all been there, all experienced this in some aspect of our lives. This kind of mentality and behavior isn't solely a facet of working in IT. We've all been in the middle of something and had someone approach us with the expectation that we would immediately attend to their issue. When that happens, how easy is it for you to go back to what you were doing? Do you find it difficult to pick up where you left off? Do you think it affects the outcome of your work to be interrupted in this manner? Perhaps it takes you longer to complete a task because you have to switch trains of thought so often. It is now widely understood that "multitasking" actually makes it more difficult to complete a single task, and usually means it takes longer. It is nowhere near as productive as focusing on a single task until completion, or at least until a natural stopping point.

Here is a pretty typical picture: I'm sitting at my desk working through a problem. I have multiple terminal sessions to servers open, a browser with tabs that I've used for researching the problem, and I'm reading through articles and checking logs. Someone approaches with an issue. It's not an emergency issue, it's not stopping them from working or affecting productivity, but I get up and go with them to their desk anyway to check out their problem. I come back to my desk and stare at the windows I have open trying to remember where I was, what I was about to do next. It doesn't seem like a lot of time, but multiply this kind of time by oh, say...10 interruptions a day, and you have quite a bit of time where I'm simply trying to get my wits about me again. It would be far better if I didn't get up and go with them, but in a company culture where it is expected, you meet a lot of resistance. No one wants to be told to put in a ticket when you're right there, and no one wants to be told that you'll come see them later.

The moral is simply that I think it very important to have processes in place, and to enforce them. Ultimately I believe it aids productivity and makes for a better workplace. The "drop everything" mentality is nice in theory, but ultimately harmful when unchecked. I believe you can foster an environment where people feel like they're important and their issues matter without adversely affecting the productivity of your IT staff.