February 12th, 2010 | by matt | devdog
Feb
12
So I’m experimenting with a little contest to see how smart my 3 readers actually are. Every couple of weeks I’m going to post a puzzle. They’ll be pretty easy to start off with and get increasingly more difficult as time goes by and I have time.
Without further ado, here is the first cryptogram.
V2l0aCBmYWl0aCBhbmQgaG9wZSwgdGhlIGRyZWFtIGJlZ2lucyBhbmV3
Good luck!
For each cryptogram, the solution will be posted the following Monday.
Update: Answers are posted on Wednesday, not Mondays.
August 30th, 2009 | by matt | devdog, micro$oft
Aug
30
As you’ve read before, I’ve had a variety of battles with the Hosted Messaging and Collaboration framework from Microsoft.
Today was another day for battle. And an interesting battle it was.
So here is the situation that I was running into. Within my code in the customer portal, I have a notification that is sent out that has a full back trace of what happened on the system, what was inputted and what was the error message that was returned. I of coarse try to give the user a friendly version of the error message to the screen before sending off this plethora of valuable detail. Out of this pile of data, I find the following error message has been returned:
“A device attached to the system is not functioning”
Really? Let’s look at that again. Because surely no one in their right mind would return such a generic error!
“A device attached to the system is not functioning”
Hmm, my clue-by-four hasn’t been brought out recently and plane tickets to Redmond aren’t that expensive right now. I guess I could go out there and start handing out clues. But why would I need to. This error message is clear and concise. A device attached to the system is not functioning. What more could I possibly need from this error message. It gives me everything I want! There’s a device, its one of 30 or so devices in the system, that is not functioning.
HOW ABOUT WHICH DEVICE YOU FUCKTARDS!!!!!!!
So we check out the domain controllers, the MPS servers, the web servers, OCS pools, exchange queues, look at SCOM alerts. Nothing pops out at us. Then I take a look a bit further at the error message. here is the full error message that I get back:
Server was unable to process request. ---> Unable to create 'cn=user@domain.com'./A device attached to the system is not functioning. (Exception from HRESULT: 0x8007001F)/Create Object -- ><response><errorContext description="Unable to create'cn=user@domain.com'./Adevice attached to the system is not functioning. (Exception from HRESULT: 0x8007001F)/Create Object" code="0x8007001f" executeSeqNo="58"><errorSourcenamespace="Error Provider" procedure="SetError"/><errorSourcenamespace="Managed_Active_Directory" procedure="RethrowError_"/><errorSourcenamespace="Managed_Active_Directory"procedure="TryCreateSamObject_"/><errorSourcenamespace="Managed_Active_Directory"
procedure="CreateSamObject_"/><errorSourcenamespace="Managed_Active_Directory" procedure="CreateUser_"/><errorSourcenamespace="Managed_Active_Directory" procedure="CreateUser"/><errorSourcenamespace="Hosted Active Directory"procedure="CreateUser"/></errorContext></response>
The CreateSamObject_ raised a red flag to two. If you search Google long enough you’ll eventually find something from MSDN stating the following:
From MSDN:
User account names are limited to 20 characters and group names are limited to 256 characters. In addition, account names cannot be terminated by a period and they cannot include commas or any of the following printable characters: “, /, \, [, ], :, |, <, >, +, =, ;, ?, *. Names also cannot include characters in the range 1-31, which are nonprintable
Eureka! We have found the issue!!!
The sAMAccountName for our system is pretty generic. Cut down the upn to 16 characters. Add a period and a unique key that we keep for each of our domain names. This way, the chances of you duplicating names both inside and outside of your OU is pretty limited. However, in this case there was an error with retrieving the unique 3 letter key for the end of the name so the sAMAccountName that we were attempting to set looked something like this:
<property name='sAMAccountName' >
<value>user_domain.</value>
</property>
This was an easy fix once we found the issue. But man, could there be a crappier error message from HMC? I mean seriously, how do you get from unable to create the sAMAccountName to a device attached to the system is not functioning?!?!?
Anyway, I figured that I would type this up, let the search engines find it and hopefully someone else can benefit from our digging through the depths of HMC.
Comments Closed
June 7th, 2009 | by matt | devdog, sysadmin
Jun
07
Ladies and Gentlemen, today you are going to learn a lesson on why you do NOT edit the active directory directly for exchange attributes.
Background
A long time ago, we had a very crappy provisioning system for our hosted Exchange 2003 platform. It worked ok, but missed a lot of things that we wanted to have set. They also were kind of pricks when it came to licensing so making a ton of money on the platform was hard to do. So, we decided to roll our own. It wasn’t that hard to reverse engineer what was being set for users, groups and contacts. There were a few obstacles of coarse but we were able to get a pretty good provisioning system setup. However, this too had its faults. Sure we had total control over the code and could update things as we needed. But we were still working in a void. We really didn’t know _everything_ that was happening on the system that needed to actually happen. Plain and simple, we were missing things. Not to mention future services would require the same amount of dev time reverse engineering what needed to be set. That’s not a scalable solution.
So, when it came time to roll out our Exchange 2007 environment, we have moved over to HMC and for the most part, things have been a lot happier.
The Issue
Since we have this shiny new 2007 platform, we thought it was in our best interest to start migrating our users from the 2003 platform and away from the old clunky provisioning. So far we have moved some smaller customers and everything has gone pretty smooth. Certain customers have required the migration to happen in stages so we have come up with a decent solution to make this as smooth as possible. We define the list of users to migrate, setup a temporary domain on the 2003 platform, add smtp aliases to the users on the 2007 platform and then enable forwarding on the 2003 platform to the 2007 temporary smtp alias. All mail still flows as it did before, its just that some users happen to be on the 2007 platform getting their email. Easy as can be right?
Well, the users that we have moved so far have been fairly small customers. So the need for automating certain aspects of the move have been put off. There is a lot of automation that happens, but some of the tasks were put off such as the setting of the forwarding address.
That is, until last week. Last week we were starting to move one of the bigger customers so I setup a script that would take the users that were being moved and automatically set the forwarding address. Here is the code that I had in place to figure out the forwarding address:
// need to add forwarding address here.
list($tuname, $tdmn) = explode("@", $user['mail']);
// new address
$fwd = "{$tuname}@{$newdomain}\n";
Notice the $fwd variable. This is where the trouble begins. You can ignore the {} as those simply tell the parser that these are valid variables contained within the string.
No, the real issue is at the end of the line. Specifically, the \n. Technically, you can set the AD object to whatever you want. It will take this as a value. However, Exchange does not like this. With forwarding in exchange, you set the forwarding to an object. Typically another user, group of contact. Since we allow for users to forward to multiple people, we create a group automatically and populate that with one or more users, groups or contacts.
Now for the really bad part. I’m not sure if this is just Exchange 2003 or if others are affected as well. But when you forward to a group that contains a single contact object that has invalid characters, your email message with be lost in the ether. Gone, Kaput, Not even an NDR will be generated. We were unable to even find logs that the message came in it failed that spectacularly.
Conclusion
So the moral of the story is, don’t do what we did. Microsoft will tell you the exact same thing. Its dumb to do what we did. You should not be messing with the AD attributes directly in this instance. There is a certain level of error checking that must take place at the upper levels which were missed by both my script, and the provisioning system. But in the same breath, I can’t say for sure that HMC was mature enough to use when we first rolled out the 2003 platform. So whether it is you editing AD directly or someone else doing it, its just as bad. It just depends on how much control you want over the gun pointed at your head.
Comments Closed
June 5th, 2009 | by matt | devdog
Jun
05
For our Hosted Exchange 2007 environment, we offer a BlackBerry Enterprise Server that allows users to connect their crackberries and have the full functionality that one expects with these devices.
Various automation scripts have been put in place that make it easy for the user to see who has BlackBerry enabled for their account, add additional users and so on. Today, we discovered a rather annoying feature that exposed a bug in our code. Not a horrible bug, but one that did affect the user and their experience with the customer portal.
Here is the basics of the bug. We use the BESUserAdminClient.exe program with the find option to find users. We then search the results for something along the lines of “(bar@domain.com) 1 results found.” Unfortunately, we were getting false positives on our searches. bar@domain.com does not exist on our BES system. However, foobar@domain.com does. So if you search for bar@domain.com, what you are really search for is *bar@domain.com* I can’t say the last wild card is there, but the first definitely is.
What we found was that in order to improve our search, we needed to add a -v flag to the search string. That returned our “(bar@domain.com) 1 results found.” as before. But this time we found the results also returns a CSV result that had a whole bunch of information such as: “User name,MailBoxDN,ServerDN,PIN,Device Type,State,Message Server,Forwarded,Sent,Pending,Filtered,Expired,….” This also exposed that the result that we were getting was actually foobar@domain.com!
The solution was to now search the verbose (-v) results for SMTP:user@domain.com and we would now get the desired result back. We would no longer find foobar@domain.com when we really wanted to see if bar@domain.com exists.
I can’t really call this a bug per se. But I consider it an over site in the documentation of the function. It would be nice if there was a flag that I could pass it that would force it to only search for bar@domain.com and NOT *bar@domain.com*
Comments Closed
March 22nd, 2009 | by matt | devdog, rants
Mar
22
I follow quite a few blogs of various people that make headlines and have a coding background. One person in particular that somehow made the list many moons ago that I have failed to remove is Leah Culver. I think it was her ties to the midwest and the fact that she seems to be putting her ass out there with Pownce (which has since had to close its doors).
In her latest post, she talks about writing a plugin for Django. If you are unfamiliar with django, it is a web framework written in python which loosely follows the model-view-controller design pattern (source).
Before I go on trashing the comments in the post, I’d like to note, I’m not a django developer and never have been. But I think that my overall points come back to good design and practices.
Ok, May I direct your attention to this comment made by Leah.
Let’s take the only advantage first, “can update on the fly, no server restart”. This is a web framework correct? Why the hell are you restarting!?!?! I’m clearly missing something here but for all the web apps that I have created, a restart isn’t required. A reload of my web browser is, but I’ve never had to restart my application or web server. I’m really not sure what she is referring to here exactly so I’m guessing I’m missing something major here. Maybe the application she is developing for requires an application server that needs to be restarted in which case it would make sense. But for some reason, I’m not thinking that is the case. Someone please explain this one to me in the comments.
In the disadvantages of using a DB, I have a big problem with #1, “slooooow”. If your database is slow, it is usually one of four issues:
I don’t really have a major issue with the rest of her list, they all seem to be fairly logical. But I just didn’t understand the advantages fully and the first disadvantage, well, as you can tell it drove me up the freaking wall. If the database is slow, there is a good reason for it all of which are fixable.
Now, with all that being said, I do kind of agree with her. IF the data is not going to change, why store it in a database. Having a flat config file is not the end of the world people. Its fast, saves a query, and never changes! But that last part is pretty critical. If the data may expand which very well could in this instance, it proabably makes sense to put it in the database even though it doesn’t fully seem like it needs to go there. if you have your database design in order, you should be fine and never notice a performance hit getting this data.
Comments Closed