Re: [OT] Assign app role in subscription

2023-05-08 Thread Richard Carde
On Tue, 9 May 2023 at 08:27, Greg Keogh via ozdotnet 
wrote:

>> In the Select Members panel on the right, it'll show users and groups in
>> the list by default, but doesn't show applications. You may just need to
>> search for the application service principal by name.
>>
>
> This morning I sit down with a freshly booted brain, and I've fixed it.
> You're right! ... The list on the right does not list apps, so I started
> typing "S u b..." into the search box and my app with that name prefix
> appears, and I can give the role okay. Now I'm confused ... did I not
> previously start typing into the search box? I can't believe I wouldn't
> have tried that in recent days, but maybe during all the fumbling around I
> didn't ... I dunno.
>
> I assigned the role Reader to my app, but it died with permission failure
> trying to ListKeys (list the storage account keys). It's not obvious which
> Role I should use, so I gave up and made it an Owner role and now it works
> (with overkill).
>
>
Following the principle of least privilege**, in addition to Reader you
probably want to look at Reader and Data Access for Storage Accounts, which
provides for the following additional actions that should suit your needs.

  "Microsoft.Storage/storageAccounts/listKeys/action",
  "Microsoft.Storage/storageAccounts/ListAccountSas/action",
  "Microsoft.Storage/storageAccounts/read"

**Note that if the application can read the storage key then, depending on
your configuration in regard to allowing storage key access, the
application may have full read/write access to the storage account even
with read-only RBAC applied.


> *Greg*
>
> --
> ozdotnet mailing list
> To manage your subscription, access archives: https://codify.mailman3.com/
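
An added example (not part of the original thread) that models, offline, why Reader fails on ListKeys while Owner is overkill. The "Reader and Data Access" actions are the three quoted in the reply; the Reader (`*/read`) and Owner (`*`) action lists and the probe operations are supplied here as assumptions.

```powershell
# Added illustration: an offline model of Azure RBAC control-plane action matching.
# "Reader and Data Access" carries the three actions quoted in the message;
# Reader ('*/read') and Owner ('*') are the Actions of those built-in roles.
$Roles = [ordered]@{
    'Reader'                 = @('*/read')
    'Reader and Data Access' = @(
        'Microsoft.Storage/storageAccounts/listKeys/action',
        'Microsoft.Storage/storageAccounts/ListAccountSas/action',
        'Microsoft.Storage/storageAccounts/read')
    'Owner'                  = @('*')
}

function Test-RoleAllowsAction {
    param(
        [Parameter(Mandatory)] [string[]] $AllowedPattern,
        [Parameter(Mandatory)] [string]   $Action
    )
    foreach ($pattern in $AllowedPattern) {
        # -like is a case-insensitive wildcard match, which is how '*' behaves in role actions.
        if ($Action -like $pattern) { return $true }
    }
    return $false
}

# What the app in the thread needs ...
$Needed = @(
    'Microsoft.Storage/storageAccounts/read',
    'Microsoft.Storage/storageAccounts/listKeys/action')

# ... and operations it has no reason to perform (constructed probe list).
$Surplus = @(
    'Microsoft.Storage/storageAccounts/delete',
    'Microsoft.Compute/virtualMachines/read',
    'Microsoft.Authorization/roleAssignments/write')

function Get-RoleFit {
    foreach ($name in $Roles.Keys) {
        $patterns = $Roles[$name]
        $missing = @($Needed | Where-Object {
                -not (Test-RoleAllowsAction -AllowedPattern $patterns -Action $_) })
        $extra = @($Surplus | Where-Object {
                Test-RoleAllowsAction -AllowedPattern $patterns -Action $_ })
        [pscustomobject]@{
            Role           = $name
            MeetsNeed      = ($missing.Count -eq 0)
            Missing        = $missing -join ', '
            SurplusGranted = $extra -join ', '
        }
    }
}

# The role to pick is the one with MeetsNeed = True and the shortest SurplusGranted list.
# Being able to list keys is itself powerful: as the reply notes, whoever holds an
# account key may get full read/write access to the data regardless of RBAC.
Get-RoleFit | Format-List
```

With the Az PowerShell module the assignment itself is `New-AzRoleAssignment -ObjectId <service principal object id> -RoleDefinitionName 'Reader and Data Access' -Scope <storage account resource id>`, scoped to the one storage account rather than the subscription.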


Re: [OT] VS2022 Replace in Files problem

2022-07-14 Thread Richard Carde via ozdotnet
Greg

I just did a test as you requested.

VS 2019 Pro 16.11.17 works as expected.
VS 2022 Pro 17.2.6 does not make changes, as you have experienced, even
though the output window says otherwise.
Regards,

RC


On Thu, 14 Jul 2022 at 14:10, Greg Keogh via ozdotnet 
wrote:

> Folks, about 2 months ago, VS2022 *Replace in Files* stopped working as
> expected on my work PC, in VMs and on my laptop. After hours of experiments
> I have determined that Replace in Files will not alter any "external" files
> that are not part of an open project. The file types, folder locations,
> user account, recent minor updates, dialog options, /reset, etc make no
> difference.
>
> Can someone do something like this in a recent VS2022 release ... Create a
> C:\temp\junk.txt file and put the word FOO inside it. In VS2022 with *no
> projects open*, run a Replace in Files over the temp folder and file and
> see if you can change FOO to BAR. Does the txt file get updated? Not for
> me.  Below is a sample of my attempt which says it made 1 change, but it's
> a lie. Is there some obscure option I've accidentally toggled?
>
> In VS2015 it changes files as I expect. I opened a ticket, but it's been
> in evaluation status for weeks -- Thanks, *Greg K*
>

Re: ozdotnet - New List Infrastructure

2022-06-23 Thread Richard Carde
Another +1 for the new list.

This is the first David Kean post that didn't need to have the "Not Spam"
treatment in the Gmail spam folder.


On Thu, 23 Jun 2022 at 16:48, David Kean via ozdotnet 
wrote:

> Also appreciate you keeping this alive. As a matter of interest, how many
> folks are still subscribed? Definitely was “the list” to be on early days
> of .NET.
>
> Looks like it's attaching a txt file with every reply containing the
> following, not sure if that’s intentional.
>
>
>
> --
>
> ozdotnet mailing list
>
> To manage your subscription, access archives: https://codify.mailman3.com/
>
>
>
> *From:* David Connors via ozdotnet 
> *Sent:* Thursday, June 23, 2022 4:01 PM
> *To:* ozDotNet 
> *Cc:* David Connors 
> *Subject:* Re: ozdotnet - New List Infrastructure
>
>
>
> Yeah it has been a while.
>
>
>
> The old stanski list imploded one day and kept sending messages out of
> order or days/weeks late and that went on for ages and never got fixed.
> Turned out to be the fault of some hoster who stuck their hand up to look
> after the list but didn't.
>
>
>
> Back then we were using GFI Mail Essentials for our anti-spam for Exchange
> and it had a list server built into it so I offered that as a solution and
> it worked great for years until it imploded just as I went on site to build
> out the TechEd infrastructure (might have been TE2010?)... so we re-built
> on MM2 and that server ran great for 10 years.
>
>
>
> Recently it started having bounce issues that were threatening
> unsubscribes. It was so old it wasn't worth investigating so I looked for
> a hosted provider and signed us up for mailman3.com.
>
>
>
> So far these guys have been great. Very responsive support and help in
> setting everything up. Should be good for another 10 years. lol
>
> David Connors
> da...@connors.com | M +61 417 189 363
> Telegram: https://t.me/davidconnors
> 
> LinkedIn: http://au.linkedin.com/in/davidjohnconnors
> 
>
>
>
>
>
> On Thu, 23 Jun 2022 at 12:25, Greg Keogh via ozdotnet <
> ozdotnet@ozdotnet.com> wrote:
>
> Looks like he’s in Edinburgh now.
>
> Latest post:
>
>
>
> in alternito land, the basic life form is not human or animal but a
> business. mating is a one-way operation of selling goods or services. upon
> your birth, your business plan is registered on
>
> [cut]
>
>
>
> Holy schmoley! I may be a slightly better programmer than I am clinical
> psychologist, but I think he needs his prescription changed -- *Greg (K)*
>


[Trivia] PowerShell / .Net implicit string conversions

2022-06-23 Thread Richard Carde
I have no idea how widely known this is, but it annoyed me for an hour or
so.

PS C:\> (Get-Date).ToString()
23/06/2022 2:06:24 PM

PS C:\> "$(Get-Date)"
06/23/2022 14:06:33

Huh?

I know why there's a difference.  Anyone been stung by that before?

The implicit conversion does this:

PS C:\> (Get-Date).ToString($null,[System.Globalization.CultureInfo]::InvariantCulture)
06/23/2022 14:06:33

Regards,

RC
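
An added example (not from the original post) of where the difference bites: a timestamp written through string expansion and later read back under a regional culture can fail to parse or come back with day and month swapped, which matters for log and audit timestamps. The en-AU reader culture and the second sample date are constructed for the illustration.

```powershell
# Added illustration. Cultures are passed explicitly so the result does not
# depend on the regional settings of the machine running it.
$Invariant = [System.Globalization.CultureInfo]::InvariantCulture
$EnAU      = [System.Globalization.CultureInfo]::GetCultureInfo('en-AU')

function Test-TimestampRoundTrip {
    param(
        [Parameter(Mandatory)] [datetime] $Stamp,
        [Parameter(Mandatory)] [System.Globalization.CultureInfo] $ReaderCulture
    )

    # Same text that "$($Stamp)" yields: string expansion formats with the
    # invariant culture, as the post shows.
    $written = $Stamp.ToString($null, $Invariant)

    # A consumer that parses the text with its own regional settings.
    $parsed = [datetime]::MinValue
    $ok = [datetime]::TryParse($written, $ReaderCulture,
        [System.Globalization.DateTimeStyles]::None, [ref] $parsed)

    if (-not $ok) {
        $outcome = 'parse failed'
    } elseif ($parsed -eq $Stamp) {
        $outcome = 'round-trips'
    } else {
        $outcome = 'parsed to a different date'
    }

    # Culture-independent alternative: ISO 8601 round-trip format in both directions.
    $iso  = $Stamp.ToString('o', $Invariant)
    $back = [datetime]::ParseExact($iso, 'o', $Invariant,
        [System.Globalization.DateTimeStyles]::RoundtripKind)

    [pscustomobject]@{
        Original        = $Stamp.ToString('yyyy-MM-dd HH:mm:ss', $Invariant)
        Interpolated    = $written
        ReaderCulture   = $ReaderCulture.Name
        ReadBackAs      = if ($ok) { $parsed.ToString('yyyy-MM-dd HH:mm:ss', $Invariant) } else { '' }
        Outcome         = $outcome
        Iso8601         = $iso
        IsoRoundTripsOk = ($back -eq $Stamp)
    }
}

# Sample inputs: the date from the post (day > 12) and a constructed one (day <= 12).
$samples = @(
    [datetime]::new(2022, 6, 23, 14, 6, 33),
    [datetime]::new(2022, 7, 6, 14, 6, 33)
)

$samples |
    ForEach-Object { Test-TimestampRoundTrip -Stamp $_ -ReaderCulture $EnAU } |
    Format-List
```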


Re: here's a question for the list: NT

2022-06-22 Thread Richard Carde
Greg

You are correct.

C:\> tzutil /l

(UTC+09:30) Adelaide
Cen. Australia Standard Time

(UTC+09:30) Darwin
AUS Central Standard Time


Check with PowerShell:

PS C:\> ([System.TimeZoneInfo]::FindSystemTimeZoneById("Cen. Australia Standard Time")).SupportsDaylightSavingTime
True
PS C:\> ([System.TimeZoneInfo]::FindSystemTimeZoneById("AUS Central Standard Time")).SupportsDaylightSavingTime
False


Regards,

RC


On Thu, 23 Jun 2022 at 13:07, Dr Greg Low via ozdotnet <
ozdotnet@ozdotnet.com> wrote:

> Found one list where it says:
>
>
>
> Adelaide = Cen. Australia Standard Time
>
> Darwin = AUS Central Standard Time
>
>
>
> Hopefully DST is the difference.
>
>
>
> Regards,
>
>
>
> Greg
>
>
>
> Dr Greg Low
>
>
>
> 1300SQLSQL (1300 775 775) office | +61 419201410 mobile
>
> SQL Down Under | Web: https://sqldownunder.com
>
>
>
> *From:* Dr Greg Low
> *Sent:* Thursday, 23 June 2022 12:40 PM
> *To:* ozDotNet 
> *Subject:* here's a question for the list: NT
>
>
>
> Hi Everyone,
>
>
>
> Here’s a question for the brains trust:
>
>
>
> When configuring Windows timezones, what gets used for the Northern
> Territory?
>
>
>
> “Cen. Australia Standard Time” I’m sure is for SA, etc. but would also
> include DST changes, where the NT doesn’t have DST. Is there some other
> timezone that works well for NT ?
>
>
>
> Or is that the difference between “Cen. Australia Standard time” and “AUS
> Central Standard Time” ?
>
>
>
> Regards,
>
>
>
> Greg
>
>
>
> Dr Greg Low
>
>
>
> 1300SQLSQL (1300 775 775) office | +61 419201410 mobile
>
> SQL Down Under | Web: https://sqldownunder.com
>
>


Re: ozdotnet - New List Infrastructure

2022-06-21 Thread Richard Carde



On Tue, 21 Jun 2022 at 15:36, David Burstin via ozdotnet <
ozdotnet@ozdotnet.com> wrote:

> Cool. Thanks Richard. Appreciated.
>
> On Tue, 21 Jun 2022, 15:27 David Connors via ozdotnet, <
> ozdotnet@ozdotnet.com> wrote:
>
>> Richard Carde was a huge help today getting all the DMARC nonsense
>> correct and tested.
>>
>> I just shut down the VM that has been sitting on a NUC in the corner of
>> the office since we moved to Azure years ago. 
>>
>> David Connors
>> da...@connors.com | M +61 417 189 363
>> Telegram: https://t.me/davidconnors
>> LinkedIn: http://au.linkedin.com/in/davidjohnconnors
>>
>>
>>
>> On Tue, 21 Jun 2022 at 15:18, David Burstin via ozdotnet <
>> ozdotnet@ozdotnet.com> wrote:
>>
>>> Thanks David for all the work you do to keep this list going. Really
>>> appreciated.
>>>
>>> On Tue, 21 Jun 2022, 14:34 David Connors via ozdotnet, <
>>> ozdotnet@ozdotnet.com> wrote:
>>>
>>>> Hi All,
>>>>
>>>> I've readded everyone to the new mailman3 hosted environment. There are
>>>> a few changes to how message headers are presented etc as a result of the
>>>> move to mailman3.
>>>>
>>>> If you want to change your subscription etc then head to
>>>> https://codify.mailman3.com.
>>>>
>>>> I am not going to continue keeping the old archives at
>>>> http://prdlxvm0001.codify.net/mailman and will bin that server as soon
>>>> as I've removed the other lists from it that no one uses any more.
>>>>
>>>> David Connors
>>>> da...@connors.com | M +61 417 189 363
>>>> Telegram: https://t.me/davidconnors
>>>> LinkedIn: http://au.linkedin.com/in/davidjohnconnors
>>>>
>>>> ___
>>>> ozdotnet mailing list -- ozdotnet@ozdotnet.com
>>>> To unsubscribe send an email to ozdotnet-le...@ozdotnet.com
>>>>


Re: Testing GTG

2022-06-20 Thread Richard Carde
Exchange Online not going to Junk now.

From: Richard Carde via ozdotnet 
Sent: Tuesday, 21 June 2022 11:20
To: ozdotnet 
Cc: Richard Carde 
Subject: Testing GTG

Looks like it's good to go??


Testing GTG

2022-06-20 Thread Richard Carde
Looks like it's good to go??


Re: Testing new list infra

2022-06-20 Thread Richard Carde
Reply-All.  All good.


On Tue, 21 Jun 2022 at 10:58, David Connors via ozdotnet <
ozdotnet@ozdotnet.com> wrote:

> Testing the new list infra.
>
> David Connors
> da...@connors.com | M +61 417 189 363
> Telegram: https://t.me/davidconnors
> LinkedIn: http://au.linkedin.com/in/davidjohnconnors
>
>


Re: DI in MVC

2019-12-10 Thread Richard Carde
On Fri, 29 Nov 2019 at 11:22, David Burstin  wrote:

> Hi guys,
>
> Got a DI question:
>
...

> Is there a way that I can get MVC DI to resolve IHoldAllInterfaces so that
> at runtime it will pass in an object that holds all of the internal
> interfaces already resolved per the startup.cs file?
>

Sounds like you're after an aggregate service.  I was introduced to AutoFac's
ability to do that a few months ago when doing a code review.

A quick Google suggests Microsoft's built-in DI container won't do it but this
Stack Overflow thread might be of use.


> I hope this makes sense - I'm not very good at writing questions clearly
> *and* concisely :)
>
> Cheers
> David
>


--
Regards,

RC


Re: MSDN Portal decommission left me without access keys

2018-08-21 Thread Richard Carde
FYI

I had the opposite where I could download my keys but my benefits and
subscription details were gone after I had renewed via the Azure Portal (in
the second year after having an annual MSDN retail sub for ages).  The
Portal has my subscriptions but my.visualstudio.com was ignorant of that.

Originally I thought it was caused by the Microsoft/Personal Account vs
School/Work account debacle but I tried everything to separate the two
accounts with no luck.

As I renewed via Azure I had to start my quest for support via the portal
and was contacted very quickly.  However, they couldn't help and after 2
weeks it was sorted in a couple of days by a chap from the Americas after a
couple of email exchanges and, finally, a Skype call.  Apparently there are
a few issues with the data migration for some people.

See if you can get into https://manage.visualstudio.com/.

Good luck!


On 21 August 2018 at 10:32, kirsten greed  wrote:

> Hi All
> In case anyone else has this issue.
> I have a VS Professional Subscription but the keys are no longer available
> with the decommissioning of the MSDN portal
> Apparently there is a disconnect between the Volume Licensing Portal and
> the Visual Studio Portal my.visualstudio.com
> Support thinks my problem will be fixed in a few days.
> Kirsten
>
>
>
>


Re: Using Azure blob storage for static web sites

2018-07-16 Thread Richard Carde
On 12 July 2018 at 13:10, Nick Randolph  wrote:

> I thought that they’d fixed that in Azure where you can assign custom
> domain w SSL via CDN
> (https://buildazure.com/2017/02/08/setup-ssl-tls-on-azure-cdn-custom-domain/)?
>
>
I did a quick test and this does indeed work for the static web sites
preview - at least for serving the index.html file.  You need to specify a
custom origin in the CDN setup using the primary endpoint of the static
website as the origin rather than selecting the storage account as it
allows selecting the blob storage endpoint.

I wonder how the costs compare as I use AWS for this at the moment and it
costs me on average AUD$0.20/month over the last 12 months for S3 +
CloudFront combination to host a pretty much brochureware site with a few
pages over HTTPS.  The DNS hosting costs more!


>
>
> *Nick Randolph* | *Built to Roam Pty Ltd* | Co-Founder, Technical Lead |
> +61 412 413 425 | www.builttoroam.com
>
>
>
> *From:* ozdotnet-boun...@ozdotnet.com  *On
> Behalf Of *David Connors
> *Sent:* Tuesday, 10 July 2018 10:04 PM
> *To:* ozDotNet 
> *Subject:* Re: Using Azure blob storage for static web sites
>
>
>
> On Tue, 10 Jul 2018 at 21:17 Arjang Assadi 
> wrote:
>
> did anyone suggest this already:
>
> https://www.michaelcrump.net/azure-tips-and-tricks138/
>
>
>
> It only just went public preview.
>
>
>
> As with these cheap things - YMMV. There won't be SSL over custom domains
> etc... but you can serve a static web site (or JS, images, etc to support a
> web app) for 2/10 of bugger all in cost.
>
>
>
> David.
>
>
>
>
>
> --
>
> David Connors
> da...@connors.com | @davidconnors | https://t.me/davidconnors
> | LinkedIn | +61 417 189 363
>


Re: Links from Microsoft Word losing authentication context.

2018-01-20 Thread Richard Carde
Rings a bell and I've come across this quite some time ago.

Refer to the following, it probably relates to your situation:
https://support.microsoft.com/en-us/help/899927/you-are-redirected-to-a-logon-page-or-an-error-page-or-you-are-prompte

*The Web site in the hyperlink uses a Single Sign-On (SSO) authentication
system that relies on HTTP session cookies for client identification. Even
if you have already provided user credentials, you are prompted to provide
the user credentials again.*

Regards,

RC

On 20 January 2018 at 18:48, Tony Wright  wrote:

> Hi people,
>
> I have an issue with an asp.net mvc application. Essentially, if I log
> into the application, and I tick the "remember me" box, it stores a cookie
> with the authentication details and logs me in.
>
> Any time I come back to that site within the timeframe set within the
> context of that saved authentication cookie, I am logged in automatically.
> That actually works ok, no problems there.
>
> But when the link to a page within my site is saved inside a Word
> document, and I hold down the ctrl key and click the link, it opens up the
> browser, attempts to go to the right web page, but it doesn't use the
> cookie, so it requires me to log in again.
>
> Outside of Word, I can still put the link into the browser and it will
> remember the security context and log me in.
>
> Has anyone else experienced this? Is it possible to get it to
> automatically authenticate using the cookie, because this kind of behaviour
> makes me feel like it was by design.
>
> Any ideas?
>
> Regards,
> Tony
>
>
>


Re: X509 certificate and trust

2014-11-30 Thread Richard Carde
Greg

What it sounds like you are being asked to do is certificate based
authentication.  This is something that cannot be forged, unlike a 'magic
number'.  The server can verify the validity of the cert and identify the
client.  You might have individual certs to identify a user or device.
I've done this before for a web app on WinMo 6 where the user's own Active
Directory cert is loaded on the device and IIS requires the cert as part of
the type of authN.  It avoids the user having to type in creds on a PDA but
the server knows who the user is.

The pfx file will contain the certificate (plus, if necessary, root CA cert
and any intermediate certs needed to be loaded on the client to complete
the chain to be trusted).

I don't think Silverlight supports such authentication.

HTH
On 25 Nov 2014 21:21, Greg Keogh g...@mira.net wrote:

 Howdy, I've been thinking about this overnight and have had no Eureka!
 moment. I do have the factory ID of the phone, but I think registering the
 IDs on the server would be a bother (in any case, a fake client could send
 any ID it wanted to fool the server).

 The client and server both have the same confidential company certificate,
 but I don't know how I can leverage this. The client could send the server
 some secret data out of the cert, but it's just a number, any magic/secret
 number could be shared, which is childish.

 So I remain puzzled about how an arbitrary phone can prove to the service
 that it's calling via trusted client software without human entry of a PIN
 or password.

 The phone does have a config screen, so perhaps the human operator could
 be instructed to put in a 4 digit hash of the phone ID, which can only be
 computed and verified on the server. This would require a one-time setup
 process, but it might be acceptable in the form of a registration screen
 on the phone.

 *Greg K*


 On 25 November 2014 at 23:55, Stephen Price step...@perthprojects.com
 wrote:

 And then I read your email a second time and notice you said Silverlight
 PHONE app. Perhaps you could use something similar... but as it's not
 hosted on a web server, but instead its on the phone that might not work.
 Perhaps a call to a server with a login where a key is given out for that
 session? Or something that is harder to fake, like a phone ID (can you set
 up a list of authorised devices on server or is it a public facing app
 where anyone could be connecting?)

 On Tue, Nov 25, 2014 at 8:06 PM, Greg Keogh g...@mira.net wrote:

 Folks, I have a Silverlight Phone app that talks to a WCF service. The
 spec says that phones must *prove* to the service that they are
 legitimate and trusted. I figure therefore that I will stuff something in
 the message headers of each call that can't be forged to prove a phone has
 legitimate client software ... but what?

 The spec is vague and does not specify any kind of login method or
 handshake to establish trust.

 To confuse matters, I've been given a pair of X509 certificates (as cer
 and pfx files) without any hint about what to do with them. So I've been
 reading about X509's for hours, but I can't figure out if they're of any
 help in this situation or not. All the sample code I've found using
 certificates is for the full CLR and not for the Silverlight CLR where many
 classes are smaller or missing. I can't figure out how to use X509s for
 solving my problem (if they are of any use).

 Any suggestions from crypto protocol boffins out there?

 *Greg K*






Re: [OT] Windows SCHANNEL Protocol registry keys

2014-11-30 Thread Richard Carde
Noonie

IISCrypto is your friend.  But you should really understand a little about
protocols and cipher suites and the ordering thereof.

Test your public site with Qualys ssllabs. You're aiming for an A.
https://www.ssllabs.com/ssltest/

Using SHA1 certs will lower the score but that's not too much of a worry.
You should be able to re-key and get SHA-2 (SHA256) replacement if it
concerns you.  Any recently issued cert expiring on or after 1/1/2017 will
be SHA2 anyway.

References:
https://support.microsoft.com/kb/245030
https://technet.microsoft.com/en-us/library/cc766285.aspx
https://technet.microsoft.com/en-us/library/security/2880823.aspx

HTH
On 19 Nov 2014 01:48, noonie neale.n...@gmail.com wrote:

 Greetings,

 The recent Poodle issues and Microsoft's broken patch (MS14-006) have now
 made it necessary for me to actually understand secure connections to our
 web applications because it appears that when the user can't connect to a
 web server it is my web application that is broken :-^

 For the life of me I can't find a single definitive source as to what the
 registry keys actually mean. There's plenty of "do it this way"
 instructions but I don't believe in magic so I want to understand what the
 effects of changing the keys are likely to be.

 There are tantalising fragments, of the information I want, at various web
 sites but I haven't found a good description anywhere yet. Does anybody
 know of a resource I can access that explains why certain keys would be
 needed and what the effects of the different settings are likely to be?

 The keys I'm interested in live at:-

 HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\

 And I've read a number of articles from various sites:-

 https://www.nartac.com/blog/post/2013/04/19/IIS-Crypto-Explained.aspx
 http://support2.microsoft.com/kb/2588513

 http://www.dotnetnoob.com/2013/10/hardening-windows-server-20082012-and.html

 http://serverfault.com/questions/637195/is-there-any-reason-why-tls-1-1-and-1-2-are-disabled-on-windows-server-2008-r2

 http://books.google.com.au/books?id=fQOLBAAAQBAJpg=PA448lpg=PA448dq=schannel+registry+keys+explainedsource=blots=sFcqPREgO9sig=SUGeh2vCMkCdLOCqGlitcEt2wTwhl=ensa=Xei=IOJrVK2gPISxmwWkloHICQved=0CD0Q6AEwBTgU#v=onepageq=schannel%20registry%20keys%20explainedf=false

 http://www.adminhorror.com/2011/10/enable-tls-11-and-tls-12-on-windows_1853.html
 http://support2.microsoft.com/default.aspx?scid=kb;EN-US;245030

 If there is no reasonable reference documentation could someone please
 answer the following questions:-

 What is the real effect of DisabledByDefault on both Server and Client
 sub-keys?

 Are there any nonsense combinations of keys or key values for
 DisabledByDefault and Enabled?

 When would I need to set both Server and Client Keys?

 Is it good practice to explicitly set all these keys or is it OK to rely
 on system defaults for keys that are absent? (I know half the answer to
 this one because although Windows Server 2008R2 supports TLS 1.1 & 1.2 it
 will only use them if they are explicitly enabled in this registry hive!)

 --
 Regards,
 noonie
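
An added example (not from either poster) for auditing what is actually set under the registry path quoted in the question, before and after a tool such as IISCrypto changes it. It reads only the `Enabled` and `DisabledByDefault` values named in the question; the protocol subkey names and the "review" rule for SSL 2.0/3.0 are assumptions of this example. Windows only.

```powershell
# Added illustration: read-only audit of the SCHANNEL protocol keys.
function Get-SchannelProtocolSetting {
    param(
        # Path from the question; override it to inspect a test key instead.
        [string]   $Root = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols',
        [string[]] $Protocol = @('SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2')
    )

    $legacy = @('SSL 2.0', 'SSL 3.0')   # POODLE, mentioned in the thread, concerns SSL 3.0

    foreach ($name in $Protocol) {
        foreach ($side in 'Client', 'Server') {
            $path = Join-Path (Join-Path $Root $name) $side
            $enabled = $null
            $disabledByDefault = $null

            if (Test-Path -LiteralPath $path) {
                $key = Get-Item -LiteralPath $path
                # GetValue returns the supplied default ($null) when the value is absent.
                $enabled = $key.GetValue('Enabled', $null)
                $disabledByDefault = $key.GetValue('DisabledByDefault', $null)
            }

            # Enabled is often written as 0xffffffff, which reads back as -1;
            # treat any non-zero value as "on" rather than testing for 1.
            $explicitlyOff = ($null -ne $enabled) -and ($enabled -eq 0)

            if (($null -eq $enabled) -and ($null -eq $disabledByDefault)) {
                $note = 'nothing set: the OS default applies'
            } else {
                $note = ''
            }
            if (($legacy -contains $name) -and (-not $explicitlyOff)) {
                $note = ('review: legacy protocol not explicitly disabled. ' + $note).Trim()
            }

            [pscustomobject]@{
                Protocol          = $name
                Side              = $side
                Enabled           = if ($null -eq $enabled) { 'not set' } else { $enabled }
                DisabledByDefault = if ($null -eq $disabledByDefault) { 'not set' } else { $disabledByDefault }
                Note              = $note
            }
        }
    }
}

Get-SchannelProtocolSetting | Format-Table -AutoSize -Wrap
```

Saving the output before and after a change gives a record of exactly which values a hardening tool or patch touched.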










Re: IIS7 Application Pool Identity on domain joined machine

2014-01-08 Thread Richard Carde
On 8 January 2014 02:18, David Connors da...@connors.com wrote:

 I have an odd behaviour I've not noticed before. When deploying a bog
 standard ASP.NET + SQL Server app I create a database role and grant exec
 on all of the procs to that role. At the time of deployment I'll create a
 SQL Server login on the local box for IIS APPPOOL\App Pool Name and add
 it into that role.

 I have noticed that IIS7 doesn't appear to use the app pool identity when
 authenticating to SQL Server on a domain joined machine (even though IIS
 and SQL are on the same box). ie.

1. App is set up with its own App Pool
2. Identity is set to ApplicationPoolIdentity
3. When connecting you get Login Failed for user CODIFY\MACHINENAME$


I work this way often on a domain joined Server 2008 R2 (IIS7.5) box with
local SQL Server 2008 R2.  I just did a SQL Trace and it does show IIS
APPPOOL\account as the LoginName and account as the NTUserName.
 Interestingly, task manager shows w3wp.exe shows the user running as
account - sans the IIS APPPOOL prefix.

You state IIS7, not 7.5, so are you using Server 2008?  What version of SQL
Server are you using?

The following might be relevant, and the resident Mr Schaefer has already
weighed in.  A local network trace is impossible but sniffing for any
RPC/AD type traffic (port 88, 135, etc) might reveal something?
http://forums.iis.net/t/1206862.aspx

My original thought was that perhaps there's an SPN (MSSqlSvc/server) for
your box in AD and it's trying some dodgy Kerberos things.  But I don't
think it will try that with local accounts.

machinename implies it's falling back to NetworkService?   Typo somewhere?

Exact same code on a non-domain-joined machine:

1. App is set up with its own App Pool
2. Identity is set to ApplicationPoolIdentity
3. When connecting you get Login Failed for user IIS APPPOOL\APP POOL
NAME

 What's more perplexing is that in *both cases*, the w3wp.exe is running as
 IIS APPPOOL\APP POOL NAME - which is what you expect. It just does this
 daft impersonation when the machine is domain joined...


So must be the way the account is resolved inside SQL ?  Latest sqlncli?


 David.

 David Connors
 da...@connors.com | M +61 417 189 363
 Download my v-card: https://www.codify.com/cards/davidconnors
 Follow me on Twitter: https://www.twitter.com/davidconnors
 Connect with me on LinkedIn: http://au.linkedin.com/in/davidjohnconnors




-- 
*Richard Carde*
Phone: +44 7956 356 226


Re: [OT] FTP client problems

2013-10-18 Thread Richard Carde
Or SFTP (not to be confused with FTPS) which works flawlessly through 
firewalls, is easy to reverse publish and is secure.

I don't understand why Server 2012 still doesn't do it.

--
Richard Carde
Ph: +44 7956 356 226

 On 18 Oct 2013, at 04:22, Grant Maw grant@gmail.com wrote:
 
 Just a side-comment - maybe we're luddites here, but we use FTP all the time 
 to get things from A to B. Every single day. I know it's old, but it's still 
 useful.
 
 
 On 18 October 2013 09:46, Greg Keogh g...@mira.net wrote:
 You do need a higher end firewall though. 
  
 I didn't want to confuse matters previously, but now things have calmed down 
 I can add that the offending server is actually inside an Amazon AWS server 
 instance. I turned off the Windows firewall ages ago, but Amazon have their 
 own Security Group feature where you say which inbound/outbound ports are 
 open. I'm not sure why they have such a meta firewall as it just confuses 
 things for customers. It turns out that this feature was irrelevant to our 
 problem anyway. 
  
 The other good news is that the chap writing the Borland C++ code found a 
 passive switch which lets his ftp operations work perfectly. I'm still going 
 to urge him over to http instead.
  
 Greg K
 


LINQ to SharePoint Issues and 100% CPU in w3wp.exe

2011-11-22 Thread Richard Carde
) and the dump of stack objects shows that each thread is referencing
the same object.  In fact it looks like they are all executing the same
code.

My suggested fix is to follow the MSDN guidance and NOT use LINQ for
anonymous access and use SPQuery and write the CAML.  They are doing this
now and we will see if that stops the CPU spikes (plateaus).  Hope so,
because I'm sick of looking at

My questions are:

   - Is this a known or previously observed issue?
   - The "An item with the same key has already been added" is caused by
   the use of the static Dictionary and static helper?
   - Can it be that the use of a static helper combined with anonymous
   delegate which might get compiled into a totally static method be the cause
   (I don't know enough about the innards of the IL to know or check)?

You probably want to see code, but I thought the blog posts should do the
trick as there's not much more to it.

-- 
*Richard Carde*
E: rich...@carde.id.au


Kerberos Pt 2

2011-11-22 Thread Richard Carde
Simon's recent issue with Kerberos reminded me of an issue I faced recently
where Kerberos was failing.

This is possibly a question to Ken, but anyone else might want to chip in.
 I do often refer people to Ken's multi-part blog on Kerberos.  It must
have been written when Ken had some spare time, before he started sparring
with Silky.   I digress.

Imagine we have DEVSERVER with SSRS 2008 R2 and SharePoint 2010 installed.

I believe:

   - SSRS was installed and configured to use service account
   domain\svcSSRS and listen on port 80, and
   - SP2010 was installed and configured to use service account
   domain\svcSP2010 and listen on port .


Initially, the domain controllers were complaining about a duplicate SPN
because HTTP/devserver was registered against both of the above service
accounts.  This may have been because the guys were mucking around with
SPNs trying to make things work.

So, to fix that I removed the SPN HTTP/devserver from domain\svcSP2010
and added the SPN as HTTP/devserver:.

No more complaints about duplicate SPNs.  Still didn't work though.

Introduce another server. Let's call it PITA - she, sadly, runs BizTalk 2010.

I NetMon'd with WireShark which showed that any process running on PITA
still requested Kerberos tickets for HTTP/devserver no matter whether the
ultimate request was for http://devserver:80 or http://devserver:.

In fact, I found that most (all?) requests do not add the port number.
 SPNs support port numbers, clients don't request tickets with a port
number?

My suggestion was to create DNS A records for the two servers and add the
respective SPN to each service account (I already knew one cannot use a
CNAME as the underlying hostname will be used anyway).

Have I not read something in the docs or is this a general gotcha that one
should be aware of?

-- 
*Richard Carde*
E: rich...@carde.id.au
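
An added example (not part of the original post) that models the three SPN layouts described above and shows which account a ticket request would resolve to when, as observed in the message, the client asks for `HTTP/<host>` with no port. The port 8080 and the host names `reports-dev` and `sharepoint-dev` are placeholders chosen here; the message does not give the real values.

```powershell
# Added illustration: offline model of SPN lookup for the layouts in the message.
function Get-RequestedSpn {
    param([Parameter(Mandatory)] [uri] $Url)
    # Observation from the message: the ticket request names the host only, never the port.
    'HTTP/{0}' -f $Url.Host
}

function Resolve-SpnOwner {
    param(
        [Parameter(Mandatory)] [object[]] $Registration,
        [Parameter(Mandatory)] [string]   $Spn
    )
    # -eq on strings is case-insensitive, as SPN comparison is.
    $owners = @($Registration | Where-Object { $_.Spn -eq $Spn } |
            ForEach-Object { $_.Account } | Sort-Object -Unique)
    switch ($owners.Count) {
        0       { 'none' }
        1       { $owners[0] }
        default { 'DUPLICATE: ' + ($owners -join ', ') }
    }
}

function New-Service {
    param($Account, $Spn, $Url)
    [pscustomobject]@{ Account = $Account; Spn = $Spn; Url = $Url }
}

# Constructed sample data: each entry is a service, the account it runs as,
# the SPN registered on that account, and the URL clients use.
$Scenarios = [ordered]@{
    '1. as found: same SPN on both accounts' = @(
        (New-Service 'domain\svcSSRS'   'HTTP/devserver' 'http://devserver/'),
        (New-Service 'domain\svcSP2010' 'HTTP/devserver' 'http://devserver:8080/'))
    '2. port-qualified SPN on the SharePoint account' = @(
        (New-Service 'domain\svcSSRS'   'HTTP/devserver'      'http://devserver/'),
        (New-Service 'domain\svcSP2010' 'HTTP/devserver:8080' 'http://devserver:8080/'))
    '3. one DNS A record and SPN per service' = @(
        (New-Service 'domain\svcSSRS'   'HTTP/reports-dev'    'http://reports-dev/'),
        (New-Service 'domain\svcSP2010' 'HTTP/sharepoint-dev' 'http://sharepoint-dev:8080/'))
}

function Test-SpnScenario {
    foreach ($name in $Scenarios.Keys) {
        $services = $Scenarios[$name]
        foreach ($svc in $services) {
            $requested = Get-RequestedSpn -Url $svc.Url
            $owner = Resolve-SpnOwner -Registration $services -Spn $requested
            [pscustomobject]@{
                Scenario       = $name
                Url            = $svc.Url
                ServiceRunsAs  = $svc.Account
                RequestedSpn   = $requested
                TicketIssuedTo = $owner
                # The service can only accept a ticket issued to its own account.
                Usable         = ($owner -eq $svc.Account)
            }
        }
    }
}

Test-SpnScenario | Format-Table -AutoSize -Wrap
```

Against a live domain, `setspn -X` reports duplicate SPNs and `setspn -L <account>` lists what is registered on one account.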


Re: Anyone got some sort laser cutter better than a CNC lathe?

2011-07-22 Thread Richard Carde
To get lower than 1mm resolution, chemical milling or photochemical etching
might be the next step.

NFI on the cost.

--
Richard Carde

On 21 Jul 2011, at 02:25, Keith Peck kp...@smsmt.com wrote:

 Have a chat to a stamp maker. I'm sure you aren't the first person to want a 
 metal stamp and certainly won't be the last.
 A laser cutter will be able to do what you want, but they are restricted by 
 the width of the cutting beam, which in the cases I've seen is actually 
 quite wide, something in the area of 1mm.
  
 Worst case scenario is you will need to go to a jeweller.
  
 Keith Peck
 Consultant
 SMS Management  Technology
 
 T +61 7 3215 7200
 F +61 7 3215 7100
 www.smsmt.com
 From: ozdotnet-boun...@ozdotnet.com [ozdotnet-boun...@ozdotnet.com] On Behalf 
 Of mike smith [meski...@gmail.com]
 Sent: Thursday, 21 July 2011 11:24 AM
 To: ozDotNet
 Subject: Re: Anyone got some sort laser cutter better than a CNC lathe?
 
 So something like a branding iron onto leather.  (or forehead[1]) :^)
 
 Of course, if you're using a laser, you could use that direct on end material 
 to produce code.  But maybe you want to sell the stamp to ppl without a 
 laser.  
 
 
 [1] a QR code that would take you to www.thenumberofthebeast.com
 
 
 On Thu, Jul 21, 2011 at 11:05 AM, David Connors da...@codify.com wrote:
 On Thu, Jul 21, 2011 at 11:04 AM, mike smith meski...@gmail.com wrote:
 Sounds intriguing. If it aint secret, and you'd have to kill us all if you 
 told us, go on...
 Ideas that occur are does it have to be metal, could you make it with some of 
 the 3d printer stuff that's starting to happen?  
 
 I want to make a metal stamp (to be applied with heat) in the form of a 
 low/medium density QR code. 
 
 -- 
 David Connors | da...@codify.com | www.codify.com
 Software Engineer
 Codify Pty Ltd
 Phone: +61 (7) 3210 6268 | Facsimile: +61 (7) 3210 6269 | Mobile: +61 417 189 
 363
 V-Card: https://www.codify.com/cards/davidconnors
 Address Info: https://www.codify.com/contact
 
 
 
 
 -- 
 Meski
 
  http://courteous.ly/aAOZcv
 
 Going to Starbucks for coffee is like going to prison for sex. Sure, you'll 
 get it, but it's going to be rough - Adam Hills
 
 


Re: add code to all button on my asp.net website?

2011-04-20 Thread Richard Carde
Anthony

I presume you're trying to disable the button so a user cannot click twice.

This methodology has been discussed previously and, assuming that's the case, 
you're looking at the problem the wrong way around.  This is similar to the 
'how do I disable the back button' question.

What do you do if there's a script error or network glitch during the POST?  
The user is stuck.

Let the user click as many times as they want or go back and forth - just make 
sure you process the request once.  Do this by inserting a nonce into the form 
as a hidden item and store it in the DB or session state. When you've processed 
it, mark it as such and move the user on - a GUID is often used for this 
purpose.

Job done!  No jiggery-pokery on the client side where you have less control.

Good luck, and do let us know the site you're working on if it goes public.

--
Richard Carde

On 19 Apr 2011, at 03:28, Anthony asale...@tpg.com.au wrote:

 I want to add the following to all buttons on my website, i.e. 
 button.Attributes.Add("onclick",
     ClientScript.GetPostBackEventReference(button, "") +
     ";this.value='Processing Credit Card Payment...';this.disabled = true;");
  
 
 Is there an easy way to automatically apply this to all buttons?
 
  
 
 regards
 
 Anthony (*12QWERNB*)
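
The process-once approach from the reply above, as an added example that is not part of the original thread. `FormTokenStore`, `HandlePost` and the in-memory dictionary are hypothetical stand-ins for the DB or session state; the token is claimed atomically and released again if the work fails, so a glitch during the POST does not leave the user stuck.

```csharp
using System;
using System.Collections.Concurrent;
// Added example; FormTokenStore and HandlePost are hypothetical names.
public sealed class FormTokenStore
{
    private enum State { Issued, InProgress, Processed }
    // Stands in for the DB table or session state that holds the nonce.
    private readonly ConcurrentDictionary<Guid, State> _tokens =
        new ConcurrentDictionary<Guid, State>();
    // Call when rendering the form; write the value into a hidden field.
    public string Issue()
    {
        Guid token = Guid.NewGuid();
        _tokens[token] = State.Issued;
        return token.ToString();
    }

    // Atomic Issued -> InProgress: of several concurrent POSTs only one wins.
    public bool TryBegin(string posted, out Guid token)
    {
        return Guid.TryParse(posted, out token)
            && _tokens.TryUpdate(token, State.InProgress, State.Issued);
    }

    public void Complete(Guid token) { _tokens[token] = State.Processed; }
    public void Release(Guid token) { _tokens[token] = State.Issued; } // allow a retry
}

public static class NonceDemo
{
    private static int _charges; // counts calls to the stand-in payment step
    private static string HandlePost(FormTokenStore store, string posted, bool gatewayFails)
    {
        Guid token;
        if (!store.TryBegin(posted, out token))
            return "duplicate or unknown token: nothing charged";
        if (gatewayFails)
        {
            store.Release(token);
            return "payment failed: token released, user may resubmit";
        }
        _charges++;
        store.Complete(token);
        return "charged";
    }
    public static void Main()
    {
        var store = new FormTokenStore();
        string hidden = store.Issue();
        Console.WriteLine(HandlePost(store, hidden, true));   // glitch during the POST
        Console.WriteLine(HandlePost(store, hidden, false));  // user clicks again
        Console.WriteLine(HandlePost(store, hidden, false));  // double click
        Console.WriteLine("charges made: " + _charges);
    }
}
```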
 
  
 
  


Re: adding ssl to asp.net website

2011-04-13 Thread Richard Carde
On Tue, Apr 12, 2011 at 9:44 AM, Ken Schaefer k...@adopenstatic.com wrote:





 *From:* ozdotnet-boun...@ozdotnet.com [mailto:
 ozdotnet-boun...@ozdotnet.com] *On Behalf Of *Richard Carde
 *Sent:* Tuesday, 12 April 2011 2:46 PM


 On Sun, Apr 10, 2011 at 12:55 PM, Anthony asale...@tpg.com.au wrote:

 Thanks David...i have installed ssl cert etcmost ecommerce system only
 use ssl for login and checkout..so was looking for technique to do this...

  I don't understand the rationale for falling back to non-https mode.
  IMO, it's bad practice and increases risk to the user - see OWASP Top Ten
 2010 https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project risks
 A3, A6 and A9.



· Usually requires dedicated IPv4 address – of which we have a
 shortage

 · Has resource overhead in setting up and maintaining a connection
 – there are solutions to this, but they all cost money

 I think you disregarded the part about 'falling back'.  If you've committed
to securing the login process via SSL then you've used that IP address
already.  Yes, there's overhead.  Yes, you might need more than 1 IP - but
only if you need to secure other content to avoid creating issues related to
mixed-mode security - fetching non-secure (static) content from other hosts
or if you're using a CDN.  But isn't your customer's security more
important?

I would argue that smaller shops would host all content from the same server
or reference ssl-enabled CDNs. Larger shops possibly reverse proxy content
from a single listener which requires only a single IP address.




 Cheers

 Ken


-- 
*Richard Carde*


Re: adding ssl to asp.net website

2011-04-12 Thread Richard Carde
On Sun, Apr 10, 2011 at 12:55 PM, Anthony asale...@tpg.com.au wrote:

 Thanks David...i have installed ssl cert etcmost ecommerce system only
 use ssl for login and checkout..so was looking for technique to do this...




I don't understand the rationale for falling back to non-https mode.  IMO,
it's bad practice and increases risk to the user - see OWASP Top Ten
2010 https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project risks
A3, A6 and A9.

Like David says, the session/basket can be hijacked if someone gets the
cookie - that's all they need after the authentication process has
completed.  If you don't understand how this can happen, you best do some
reading on the stateless nature of the HTTP protocol and how cookies work.

As previously mentioned, you can protect the session cookie by setting the
*secure* attribute, however, this also means they'll lose their basket upon
entering http mode.

Roll on HTTP Strict Transport Security so a site owner/developer can, in
theory and in a user-friendly way, turn on TLS at the server and ensure the
session remains secure (or fails altogether).


-- 
*Richard Carde*
E: rich...@carde.id.au
M: +44 7956 356 226
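
The trade-off described in the message above, as an added example that is not part of the original thread: a `CookieContainer` plays the part of the browser's cookie jar, and the host `shop.example` and both cookie names are constructed. The cookie flagged Secure is withheld from the plain-http request (so the basket tied to it is lost there), while the unflagged one is sent in the clear.

```csharp
using System;
using System.Collections.Generic;
using System.Net;

// Added example; shop.example and the cookie names are constructed.
public static class SecureCookieDemo
{
    // Names of the cookies a client would attach to a request for this URL.
    public static string SentWith(CookieContainer jar, string url)
    {
        var names = new List<string>();
        foreach (Cookie c in jar.GetCookies(new Uri(url)))
            names.Add(c.Name);
        return names.Count == 0 ? "(none)" : string.Join(", ", names.ToArray());
    }

    public static void Main()
    {
        var jar = new CookieContainer();
        var site = new Uri("https://shop.example/");

        // Both cookies are set after login over HTTPS; only one is flagged Secure.
        jar.Add(site, new Cookie("session_secure", "constructed-1", "/") { Secure = true, HttpOnly = true });
        jar.Add(site, new Cookie("session_plain", "constructed-2", "/") { HttpOnly = true });

        Console.WriteLine("https checkout: " + SentWith(jar, "https://shop.example/checkout"));
        Console.WriteLine("http catalogue: " + SentWith(jar, "http://shop.example/catalogue"));
    }
}
```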


Re: In praise of robocopy

2011-04-09 Thread Richard Carde
I suspect ROBOCOPY still has a place though.

http://blogs.technet.com/b/josebda/archive/2011/02/25/file-server-improvements-from-windows-server-2003-to-windows-server-2008-r2-8-items-for-8-years.aspx

I'm intrigued by your comment.  I've typically found Explorer to be slow - 
until it 'gets going' so it probably depends on the circumstances.

High latency gigabit networks (DCs hundreds of miles apart) do get you head 
scratching until you know what's going on and SMB2 and TCP scaling are really 
important.


--
Richard Carde

On 9 Apr 2011, at 08:35, David Connors da...@codify.com wrote:

 On Sat, Apr 9, 2011 at 2:43 PM, Greg Keogh g...@mira.net wrote:
 I was trying to xcopy 60GB of important files to a USB hard drive and it kept 
 dying with INSUFFICIENT MEMORY. This is caused by the path being too long. I 
 shortened some paths and kept getting further and further, but it would keep 
 dying further along. By good timing, a friend just dropped in and he said he 
 uses robocopy for this sort of thing. And sure enough, he’s right, it has no 
 such path limit. I just forgot that it existed. It has lots of really useful 
 switches.
 
 
 It has no path limit - but on fast networks it is dog slow. Someone remarked 
 that to me and I didn't believe them so I went and tested it for myself. Sure 
 enough, explorer.exe kills robocopy for perf.
 
 -- 
 David Connors | da...@codify.com | www.codify.com
 Software Engineer
 Codify Pty Ltd
 Phone: +61 (7) 3210 6268 | Facsimile: +61 (7) 3210 6269 | Mobile: +61 417 189 
 363
 V-Card: https://www.codify.com/cards/davidconnors
 Address Info: https://www.codify.com/contact
 


Re: Embedding SQL index hints into SQL commands for SQL SERVER.

2010-06-25 Thread Richard Carde

On 23 Jun 2010, at 04:58, Maddin, Peter peter.mad...@pathwest.wa.gov.au 
wrote:

 I actually made the requested change to my SQL command but there was no 
 discernable difference.
 
 I really wasn’t expecting any.
 
If you think it's related to the amount of data, some basics to try;

1. Take a copy of prod & load into development.  Do this by detach & copy the 
data & log files and also by taking a dump (of the DB).

2. See if there's any difference.

3. Delete some data, check performance.

4. Rebuild indexes, check performance.

5. Look at the query plan being used.  Rather than index hints, try specifying 
the join type.

6. Check the index type.  Your query implies you have a small range of data in 
the joining tables - a bitmap index might be useful, if not already used.

7. Fragmentation? Infrastructure being overloaded (is the data on a SAN)?

On your dev box, check SQL profiler (she's your friend here) for high CPU or 
IO.  High CPU might mean the optimizer is getting bogged down (not likely here) 
or high IO implies lots of reads - the query execution plan should show this 
with high cost.  

Compare the query plan and profiler results with production too!!  I recently 
helped a client where prod was slow (15mins for a query plan) but was almost 
instant in test.  Long story short, the prod server had 'too much' (GBs) RAM 
and the optimizer got 'lost' - lowering the ram (to MBs) got the query down to 
30 secs but batch processing died. This was an exceptional case where the 3rd 
party system was joining over 20 tables.

It's a relatively simple query, it *should* be quick.
  
 
 Regards Peter Maddin
 
 
Regards,

--
Richard Carde



Re: How to validate directory path

2010-06-18 Thread Richard Carde


On 18 Jun 2010, at 01:01, Tom Rutter therut...@gmail.com wrote:

The time in fact can vary. Some times it can be a few seconds and  
other times it may be 10s of minutes. I would hate it as a user if i  
make a request and then 5 minutes later i get told that  the  
directory path i provided as input is bad. I prefer to get told that  
up front


You could:

1. Allow the user to select a root folder that exists - the user would  
pre-create any required subfolders - they have suitable access at this  
time.


2. Do the work.

3. Write output file(s), creating any sub-folder if needed.

4. If 3 fails, write to System.IO.GetTempPath() and prompt the user  
for a solution.


This assumes user interaction is desirable and the output files can be  
stored in memory rather than created on the fly.




On 17 June 2010 14:12, Tom Rutter therut...@gmail.com wrote:
Mainly because of design I guess. I have a function that uses the  
folder path way down the line someplace after a lot of other work  
has been done, so I don't want to do lots of stuff and then find out  
the folder path I was given can't be used now.





Can I please get some recommendations on how to check if a directory  
can be created given a path if it doesn't already exist?


--
Richard Carde

Re: How to validate directory path

2010-06-18 Thread Richard Carde


On 18 Jun 2010, at 09:01, Richard Carde rich...@carde.id.au wrote:



On 18 Jun 2010, at 01:01, Tom Rutter therut...@gmail.com wrote:

The time in fact can vary. Some times it can be a few seconds and  
other times it may be 10s of minutes. I would hate it as a user if  
i make a request and then 5 minutes later i get told that  the  
directory path i provided as input is bad. I prefer to get told  
that up front


You could:

1. Allow the user to select a root folder that exists - the user  
would pre-create any required subfolders - they have suitable access  
at this time.


2. Do the work.

3. Write output file(s), creating any sub-folder if needed.

4. If 3 fails, write to System.IO.GetTempPath() and prompt the user  
for a solution.


This assumes user interaction is desirable and the output files can  
be stored in memory rather than created on the fly.


Or the other way around, write to %TEMP% and then move the output  
files to the destination upon completion.


Still may require user assistance, but at least the re-processing  
isn't required.






On 17 June 2010 14:12, Tom Rutter therut...@gmail.com wrote:
Mainly because of design I guess. I have a function that uses the  
folder path way down the line someplace after a lot of other work  
has been done, so I don't want to do lots of stuff and then find out  
the folder path I was given can't be used now.





Can I please get some recommendations on how to check if a  
directory can be created given a path if it doesn't already exist?


--
Richard Carde
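
The write-to-temp-then-move variant suggested in the two replies above, as an added example that is not part of the original thread. `OutputDelivery`, its method names and the demo folder are hypothetical; the point is that a destination that turns out to be unusable costs a prompt, not a re-run, because the finished file stays in the temp folder.

```csharp
using System;
using System.IO;

// Added example; OutputDelivery and the file names are hypothetical.
public static class OutputDelivery
{
    // Long-running work writes here first, so a bad destination never costs a re-run.
    public static string ProduceInTemp(string contents)
    {
        string path = Path.Combine(Path.GetTempPath(), Guid.NewGuid().ToString("N") + ".out");
        File.WriteAllText(path, contents);
        return path;
    }

    // Moves the finished file into destDir, creating the folder if needed.
    // Returns false and leaves the temp file in place when that is not possible.
    public static bool TryDeliver(string tempFile, string destDir, out string finalPath)
    {
        finalPath = tempFile;
        try
        {
            Directory.CreateDirectory(destDir);   // no-op when it already exists
            string target = Path.Combine(destDir, Path.GetFileName(tempFile));
            File.Copy(tempFile, target, true);    // copy then delete also works across volumes
            File.Delete(tempFile);
            finalPath = target;
            return true;
        }
        catch (Exception ex)
        {
            if (ex is IOException || ex is UnauthorizedAccessException ||
                ex is ArgumentException || ex is NotSupportedException)
                return false;                     // caller prompts for another folder
            throw;
        }
    }

    public static void Main()
    {
        string good = Path.Combine(Path.GetTempPath(), "delivery-demo");
        string blocker = ProduceInTemp("a file, so it cannot be a parent folder");
        string bad = Path.Combine(blocker, "sub");

        string where;
        bool ok = TryDeliver(ProduceInTemp("result 1"), good, out where);
        Console.WriteLine(ok + " -> " + where);
        ok = TryDeliver(ProduceInTemp("result 2"), bad, out where);
        Console.WriteLine(ok + " -> " + where);
    }
}
```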


Re: ASP.NET Web Forms vs MVC vs ...

2010-03-18 Thread Richard Carde


On 18 Mar 2010, at 23:54, silky michaelsli...@gmail.com wrote:

On Fri, Mar 19, 2010 at 10:46 AM, David Connors da...@codify.com  
wrote:




Yup. It is really a very big worry when people writing the framework
can be so fundamentally stupid as to think that avoiding XSS issues is a
function of input, not output.

I think this fact is not particularly obvious to everyone, and the
typical MS strategy is to do something that may cause 'more good' than
'more harm' even if people don't like it. Clearly, this is IE's model
with its respect of invalid HTML, and it's the model of


I believe this attitude is changing which is good.  It's never good to  
upgrade something and it breaks, but in the long run it's better than  
persisting the 'lie'.


In the case of IE I guess competing browsers working to published  
standards forced the hand.  If it weren't for competition in that  
space, we'd still be stuck with IE6.


Also giving the user the option to unbreak things, viz. compatibility  
modes that work.



RequestValidation. Reasonable programmers should turn it off and -
indeed - do everything on *output*, but the few who are able to create
websites without understanding anything; maybe this helps them.



Indeed, for applications to function well, it should be off.  I'll do  
my own escaping thanks.  And what's with a yellow screen of death for  
that anyway?





--
David Connors (da...@codify.com)
Software Engineer
Codify Pty Ltd - www.codify.com
Phone: +61 (7) 3210 6268 | Facsimile: +61 (7) 3210 6269 | Mobile:  
+61 417

189 363
V-Card: https://www.codify.com/cards/davidconnors
Address Info: https://www.codify.com/contact


--
silky

 http://www.programmingbranch.com/


--
Richard Carde
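
Escaping on output rather than filtering on input, as discussed in this thread, shown as an added example that is not part of the original messages. The stored value and page fragments are constructed; the encoders are the `System.Web.HttpUtility` methods (a reference to System.Web is assumed on .NET Framework). The last method shows why one encoding applied up front cannot serve every sink.

```csharp
using System;
using System.Web; // HttpUtility

// Added example; the stored value and the page fragments are constructed.
public static class OutputEncodingDemo
{
    // Kept exactly as typed: nothing is rejected or escaped when it arrives.
    private const string Stored = "Tom & Jerry's \"R&D\" <notes> C:\\temp";

    // Each sink has its own grammar, so each gets its own encoder.
    public static string HtmlBody(string v)
    {
        return "<p>" + HttpUtility.HtmlEncode(v) + "</p>";
    }

    public static string HtmlAttribute(string v)
    {
        return "<input value=\"" + HttpUtility.HtmlAttributeEncode(v) + "\">";
    }

    public static string ScriptString(string v)
    {
        // Second argument (addDoubleQuotes) makes the result a complete quoted literal.
        return "<script>var who = " + HttpUtility.JavaScriptStringEncode(v, true) + ";</script>";
    }

    public static string QueryParameter(string v)
    {
        return "<a href=\"/search?q=" + HttpUtility.UrlEncode(v) + "\">search</a>";
    }

    // Wrong encoder for the sink: HTML encoding leaves the backslash alone, so
    // inside a script string "\t" turns into a tab and "&amp;" shows up literally.
    public static string HtmlEncodedIntoScript(string v)
    {
        return "<script>var who = \"" + HttpUtility.HtmlEncode(v) + "\";</script>";
    }

    public static void Main()
    {
        Console.WriteLine(HtmlBody(Stored));
        Console.WriteLine(HtmlAttribute(Stored));
        Console.WriteLine(ScriptString(Stored));
        Console.WriteLine(QueryParameter(Stored));
        Console.WriteLine(HtmlEncodedIntoScript(Stored));
    }
}
```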


Problem with GetFiles() or me?

2010-03-05 Thread Richard Carde
Back to a programming topic...(rare for me).


I've knocked up a small console application to process a folder structure
with hundreds of thousands of small text files, read each file, strip off
some headers and append the resulting data into a single large file.  This
all worked fine until I needed to do it on a different path (mapped drive).


If I specify the path (first argument) as a drive letter (of a mapped drive)
only, and that drive has a current working directory other than the root, it
fails because GetFiles() returns an absolute path which is incorrect - it
prepends the filenames with a \.


eg:


H:\>CD Z:\data_to_process

H:\>GetFilesTest.exe Z:

Processing file Z:\file1.txt

Processing file Z:\file2.txt

...


This isn't correct. While it correctly enumerates the files within the
folder structure as specified, the path should be Z:file1.txt, etc.  Surely?


Tried with VS2008 & .Net 3.5 as well as VS2010 RC & .Net 4 - same behaviour.


A quick Google didn't turn up anything obvious.  So I'm thinking I've missed
something in the documentation (which I must admit, I didn't read until it
didn't work as expected) or am clueless about the vagaries of DOS
working/current directories because this seems so simple.

--8K---8K---8K--
using System;
using System.IO;

namespace GetFilesTest
{
    class Program
    {
        static void Main(string[] args)
        {
            if (args.Length != 1)
            {
                Console.WriteLine("Please specify a path");
                return;
            }

            // enumerate all files in the supplied path and subfolders
            string[] files = Directory.GetFiles(args[0], "cdr*.*",
                SearchOption.AllDirectories);

            Console.WriteLine(String.Format("Getting files from {0}",
                args[0]));

            // iterate over the files, displaying the full path
            foreach (string file in files)
            {
                Console.WriteLine(String.Format("Processing file {0}",
                    file));
            }
        }
    }
}
--8K---8K---8K--

-- 
Richard Carde