Friday, July 6, 2012

Syncthru LDAP to 2008 active directory

I had the opportunity this month to work with one of the newer large multifunction Samsung copiers.  The Syncthru web interface is fairly feature-rich, but the documentation could really use more examples in places.  My bane for two hours was figuring out how to populate its address book with an LDAP pull from Active Directory.
The initial setup of the LDAP connector went quickly.  Go to Security -> Network Security, then down to LDAP Server in the left menu, and click Add to enter your LDAP server.  I put in the IP address of one of my domain controllers and started with port 3268, the Global Catalog port; keep it simple at first, since bringing LDAPS into it would just add one more thing to troubleshoot.  Fill in your AD domain name in DC=yourdomain,DC=com format.  Choose Simple and enter your username in DOMAINNAME\username format.  Note that this is the first oddity: the same form mixes the NetBIOS DOMAIN\username convention with LDAP distinguished-name convention.  A Simple bind over plain LDAP also sends that password across the wire in the clear, so use a dedicated read-only account for the copier rather than an admin's, and plan to switch LDAPS on once the search works.


On the second half of that window, don't check the LDAPS box yet!


Click on the TEST button at the very bottom and make sure you get all OK/Success. 

Once that works, then click the Apply button at the top to save these settings.

So now we're halfway done and ready for the twists.  Go to the Address book and then click on the LDAP button at the top right.


Now for the GOTCHAS!
a)  I couldn't get it to search recursively (child OUs are not included).
b)  It only worked when the account I used to authenticate against AD was in the same OU I was searching.  (My AD is set to disallow anonymous searches, so I have to authenticate.)
c)  The Login ID here is the user's distinguished name, in CN=Firstname Lastname format, not the DOMAINNAME\username from the other LDAP screen.  Presumably the copier appends the search root to build the bind DN, which would explain (b).
d)  The search root is the full path to the exact OU that you want to pull from (note the OU=test,OU=US prepended to the DC= components).


To keep it simple, I used (mail=*) for my search filter.  Be aware that it also matches mail-enabled groups and contacts, so expect some cleanup.  Click Search when done and, if you are successful, a list of people will show up.  Click Apply to pull them all into the address book (you can always delete the ones you don't want later from inside the copier).  If you botched it, you'll get Incorrect Filter errors.

Repeat for your other OUs, remembering to use an account inside each one for the Login ID.  If you make it past the inconsistencies of the interface and the limitations of its LDAP implementation against AD, you're home free.  Once you're done you'll have a fully functional Scan to Email that works great.
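As an added example (not from the post and not Samsung's code), the PowerShell below runs the same bind, search root and filter from a domain-joined Windows box, so you can tell whether a failure is the copier's interface or your AD setup before fighting the Syncthru form. The DC name, OU path and the svc-copier account are assumptions; the filter is tightened from the post's (mail=*) to people only.

```powershell
# Added example, not from the original post or from Samsung's documentation.
# Reproduces the Syncthru address-book pull: Simple bind as DOMAIN\user against
# the Global Catalog port, search root pinned to one OU, filter on mail.
# Host name, OU path and account below are assumptions; replace with your own.
$dc         = 'dc01.example.com'
$port       = 3268                                # Global Catalog, as in the post (389 = one domain partition)
$searchRoot = 'OU=test,OU=US,DC=example,DC=com'   # the exact OU, as in gotcha (d)
$cred       = Get-Credential 'EXAMPLE\svc-copier' # read-only account; prompts for the password

# AuthenticationTypes::None is a Simple bind, which is what the copier's "Simple"
# option does: the password crosses the wire in the clear on 389/3268. Use Secure
# (Kerberos/NTLM) in your own scripts; None is used here only to mirror the copier.
$path  = "LDAP://${dc}:${port}/${searchRoot}"
$auth  = [System.DirectoryServices.AuthenticationTypes]::None
$entry = New-Object System.DirectoryServices.DirectoryEntry($path, $cred.UserName, $cred.GetNetworkCredential().Password, $auth)

$searcher = New-Object System.DirectoryServices.DirectorySearcher($entry)
# People with a mail attribute; tighter than the post's (mail=*), which also
# matches mail-enabled groups and contacts.
$searcher.Filter      = '(&(objectCategory=person)(mail=*))'
# Subtree recurses into child OUs; OneLevel mimics the copier's non-recursive pull (gotcha a).
$searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
$searcher.PageSize    = 500                       # page past the server's 1000-result limit
[void]$searcher.PropertiesToLoad.AddRange([string[]]@('displayName', 'mail', 'distinguishedName'))

try {
    $results = $searcher.FindAll()
    $results | ForEach-Object {
        $p = $_.Properties                        # attribute names come back lower-cased
        New-Object PSObject -Property @{
            Name = [string](@($p['displayname'])[0])
            Mail = [string](@($p['mail'])[0])
            DN   = [string](@($p['distinguishedname'])[0])
        }
    } | Select-Object Name, Mail, DN | Format-Table -AutoSize
    Write-Host ("{0} entries found under {1}" -f $results.Count, $searchRoot)
}
catch {
    # A bind or search failure lands here (bad credentials, wrong search root,
    # account not permitted to read the OU) with the LDAP error text.
    Write-Error $_.Exception.Message
}
finally {
    if ($results) { $results.Dispose() }
    $searcher.Dispose()
    $entry.Dispose()
}
```

If this script binds and lists people with the account placed outside the OU, then gotcha (b) is a copier quirk rather than an AD permission problem; if it fails the same way, fix AD first. Switching the path to LDAPS (port 636 or 3269) in this script is also a quick way to confirm the DC's certificate is trusted before enabling the LDAPS box on the copier.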










Wednesday, June 20, 2012

LDAPS, php, windows server 2008 r2 and the Unknown CA error

It's never a good day when I have to use IIS and PHP in the same sentence.  I was trying to set up an open source program to do LDAP auth against my Active Directory servers, and it worked fine without encryption on port 389.  Since I'm not fond of passing credentials in clear text across networks, I then tried to set it up for LDAPS, at which point it started failing.  A Wireshark capture showed the glaring TLS fatal alert "Unknown CA" rearing its ugly head: the OpenLDAP client library that PHP uses could not chain the DC's certificate to a CA it trusted.  After spending considerable time making sure my AD certificates were up to date, importing the CA cert into the local machine's certificate store, and running several LDP.exe tests just to be sure, I turned my attention to making the LDAP client skip past that error.  The catch is that OpenLDAP on Windows does not consult the Windows certificate store (LDP.exe does, which is why it succeeded); it reads its own ldap.conf, so importing the CA into the machine store changed nothing.  PHP had been installed with the Microsoft Web Platform Installer, so very little matched the articles I found: folders like c:\openldap\sysconf didn't exist, much less the ldap.conf file, whose location appears to shift depending on which DLL your install came with.
Anyway, the key I needed was TLS_REQCERT never, which tells the LDAP client to go fly a kite if it doesn't like the CA.


So yes, that's all you have to put in the ldap.conf file.  Save it as type "All Files" so Notepad doesn't tack a hidden .txt onto the filename.  Depending on your DLL, you'll need to drop it either in the root of your inetpub drive or in c:\openldap\sysconf, or do like I did and put it in both places.  Then run an IISRESET or reboot the server and voila, LDAPS starts working.
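As an added example (not from the post), here is an ldap.conf that shows the fix the post settled on next to the one that keeps certificate checking: hand the OpenLDAP client your enterprise CA so the DC's certificate actually verifies. The CA file path is an assumption, and whether the Windows DLL your PHP shipped with honors TLS_CACERT depends on the build it came from, so test it.

```conf
# Added example, not from the original post. Drop this in ldap.conf next to the
# PHP LDAP DLL (root of the inetpub drive or c:\openldap\sysconf, as in the post).

# Preferred: trust your own CA, keep verification on. Export the root CA from the
# Windows certificate store as "Base-64 encoded X.509 (.CER)" and point at it
# (path below is an assumption). "demand" is the OpenLDAP default and rejects any
# server certificate that does not chain to this CA.
TLS_CACERT C:\openldap\sysconf\enterprise-ca.cer
TLS_REQCERT demand

# Fallback used in the post: accept any server certificate. The session is still
# encrypted, but a man-in-the-middle with any certificate is accepted, so the
# AD credentials can be read. Use only until the line above works.
# TLS_REQCERT never
```

If the preferred form still produces "Unknown CA", the usual causes are an intermediate CA missing from the file (concatenate root and intermediates into one PEM) or the DLL ignoring ldap.conf altogether; confirming the file is read at all with the `TLS_REQCERT never` line first tells you which.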

Yes, it is less secure, since it's not checking the CA: the connection is encrypted but the server is no longer authenticated, so anyone who can get between the web server and the DC can present their own certificate and read the credentials.  It's still better than clear text, but treat it as a stopgap and point the client at your CA certificate instead when you can.

 

Thursday, May 10, 2012

Making NPS logs legible with notepad++

Overall I do like NPS in Windows 2008, but reading the logs is just painful.  I know there are aftermarket solutions, but sometimes you just need to read these things with something freely available.  Notepad++ is part of my standard toolkit and overall is just a great tool.  When you open an NPS log (in the DTS-compliant XML format), you'll notice that each line is over 2000 characters long, one <Event> per line.  Since all the tags look orderly, I went to Language and told it to interpret the file as XML.  Now I had pretty, colorized, 2000-plus-character lines.  After a little digging online, I figured out a find/replace that inserts a carriage return between each pair of back-to-back tags (every >< becomes > followed by a line break and <).

You have to remember to select "Regular Expression" before clicking Replace All.  Now everything fits on the width of the screen, and all that's left is deciphering the tags.
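As an added example (not from the post), the PowerShell below does the same line-break insertion as the Notepad++ regex replace and then goes one step further: it parses each <Event> line as XML into objects you can filter, which is what you actually want when hunting Access-Rejects. The three log lines in $sampleLog are constructed for illustration; host, user and address values are placeholders.

```powershell
# Added example, not from the original post. Two ways to make an NPS DTS-format
# log readable: the line-break insertion the Notepad++ regex replace does, and
# parsing each <Event> line as XML. The sample lines below are constructed;
# server, client and user names are placeholders.
$sampleLog = @'
<Event><Timestamp data_type="4">05/10/2012 08:15:02.123</Timestamp><Computer-Name data_type="1">NPS01</Computer-Name><User-Name data_type="1">EXAMPLE\jdoe</User-Name><Client-Friendly-Name data_type="1">AP541N-CONF1</Client-Friendly-Name><Client-IP-Address data_type="3">10.0.0.5</Client-IP-Address><Packet-Type data_type="0">1</Packet-Type></Event>
<Event><Timestamp data_type="4">05/10/2012 08:15:02.140</Timestamp><Computer-Name data_type="1">NPS01</Computer-Name><User-Name data_type="1">EXAMPLE\jdoe</User-Name><Client-Friendly-Name data_type="1">AP541N-CONF1</Client-Friendly-Name><Client-IP-Address data_type="3">10.0.0.5</Client-IP-Address><Packet-Type data_type="0">2</Packet-Type><Reason-Code data_type="0">0</Reason-Code></Event>
<Event><Timestamp data_type="4">05/10/2012 08:16:47.001</Timestamp><Computer-Name data_type="1">NPS01</Computer-Name><User-Name data_type="1">EXAMPLE\guest</User-Name><Client-Friendly-Name data_type="1">AP541N-CONF1</Client-Friendly-Name><Client-IP-Address data_type="3">10.0.0.5</Client-IP-Address><Packet-Type data_type="0">3</Packet-Type><Reason-Code data_type="0">16</Reason-Code></Event>
'@

function Format-NpsLogLine([string]$Line) {
    # Equivalent of the Notepad++ find/replace: a line break between adjacent tags.
    $Line -replace '><', ">`r`n<"
}

# RADIUS packet codes (RFC 2865) as NPS writes them into Packet-Type.
$packetTypes = @{ '1' = 'Access-Request'; '2' = 'Access-Accept'; '3' = 'Access-Reject'; '4' = 'Accounting-Request' }

function Get-NpsField([xml]$Doc, [string]$Name) {
    # Every field is <Name data_type="n">value</Name>; return the value or $null.
    $node = $Doc.SelectSingleNode("/Event/$Name")
    if ($node) { $node.InnerText } else { $null }
}

function ConvertFrom-NpsLogLine([string]$Line) {
    $xml  = [xml]$Line
    $code = Get-NpsField $xml 'Packet-Type'
    $type = $null
    if ($code) { $type = $packetTypes[$code] }
    New-Object PSObject -Property @{
        Timestamp  = Get-NpsField $xml 'Timestamp'
        User       = Get-NpsField $xml 'User-Name'
        Client     = Get-NpsField $xml 'Client-Friendly-Name'
        ClientIP   = Get-NpsField $xml 'Client-IP-Address'
        PacketType = $type
        ReasonCode = Get-NpsField $xml 'Reason-Code'
    } | Select-Object Timestamp, User, Client, ClientIP, PacketType, ReasonCode
}

# For a real file, replace the sample with:
#   Get-Content 'C:\Windows\System32\LogFiles\IN1205.log'   (default folder; file name is assumed)
$lines  = $sampleLog -split "`r?`n" | Where-Object { $_.Trim() }
$events = $lines | ForEach-Object { ConvertFrom-NpsLogLine $_ }

# The readable view the post was after.
$events | Format-Table -AutoSize

# The cut worth watching: rejects, with the NPS reason code (16 = credential mismatch).
$events | Where-Object { $_.PacketType -eq 'Access-Reject' } | Format-Table -AutoSize

# Or just unfold one line the way the regex replace does.
Format-NpsLogLine $lines[0]
```

Get-NpsField uses XPath rather than dotted property access because fields carrying a data_type attribute come back as XmlElement objects, not strings, and the hyphenated element names are awkward to quote; SelectSingleNode sidesteps both.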


Wednesday, April 18, 2012

Microsoft Certified Solutions Associate

So I've been out of the certification loop for a couple of years, mainly due to workload and the time/cost vs. gain just not being worth it to me once you hit a high enough level.  I always try not to certify too far past the level I currently work at, because a lot of that knowledge just drains away when you're not using it.
On a whim I logged into the MCP page this week and noticed some changes since my last visit.  I guess it was only a matter of time until Microsoft pushed out new 'cloudy' certifications.  One bittersweet surprise was that I had gained a new certification, Microsoft Certified Solutions Associate, apparently just for being a 2008 MCSA (back when the A stood for Administrator).  I can't complain too much about a new free title; it's just that after all those years of hearing horror stories about paper MCSEs and fly-by-night Microsoft certs, coupled with a few real-life experiences with 'book smart, practically dumb' certification holders, I'd already felt my certifications were being devalued.  I guess it's time to get off my duff and get back to working on these before I get left behind.  So starting today I'll begin studying for the "Microsoft Certified Solutions Expert" cert, which will be available June 11th, 2012.  If I find anything useful while brushing up I'll be sure to post.

Tuesday, April 17, 2012

MDT 2012

After spotting the release announcement on Aidan Finn's blog I went ahead and downloaded MDT 2012 so I could upgrade my old MDT 2010 Update 1 installation.  That turned out to be a chore, since TMG 2010 kept trying to eat the install file.  Installation was a breeze afterward: I just dropped it on top of the old one, and once I got into the Deployment Workbench it showed an exclamation mark over my deployment share to remind me to upgrade the share to the latest version.  Running PowerShell scripts is now a built-in task option, and it now supports Security Compliance Manager templates, so there's some new stuff to play with.  I also noticed that several screens seemed a bit more polished and, if I'm not mistaken, a few new options in the default task sequence steps.
So far so good and no issues; I've currently got an LTI deployment running to test out the new monitoring console.


Monitoring console:

Tuesday, January 17, 2012

Galaxy Tab WiFi stops working every few days

Having finally gotten fed up with rebooting my Galaxy Tab every few days to get it to work with my home Netgear router, I started trawling through forums for a solution.  Suffice it to say, Android has a long way to go as far as DHCP and Wi-Fi, if even half of what's posted on these forums is accurate.  Fortunately I managed to stumble on a fix that worked for me.  My Wi-Fi network was set up to accept both WPA and WPA2 (mixed mode).  I removed WPA support and left only WPA2 on, and I haven't had to reboot in the past few weeks.  (There's some kind of rekeying issue with WPA version 1 every few days.)  WPA2-only is also the stronger configuration, since it drops the older TKIP cipher along with the rekey problem.  I'd also had intermittent issues with my Cisco WAPs, so I applied the same change to them and am waiting to see if it helps.
 

Thursday, January 5, 2012

Android Exchange 2010 ActiveSync issue with Smart Forwarding

Ran into a real doozy of a bug this week with one of my users' DROID phones.  Apparently there's a bug in the Smart Forwarding feature that causes an infinite loop for an outgoing message.  After doing some digging I found a LOT of references to this rare bug on the forums.  I'll post the links below, but the short version is that Smart Forwarding is supposed to just insert a marker when you forward an email with an attachment.  That marker tells the server to insert the attachment so the client doesn't have to download the whole email to the phone first.  In some cases this marker gets royally hosed and causes a loop between the client and server, which just repeatedly sends out the same email.  The only way to break the loop is to delete the mail profile on the device or hard reset it.

So for now I've told my users that if they've got this feature to turn it off.

settings -> battery and data manager ->data delivery - > Email and corporate sync -> smart forwarding

Email Settings-> SmartForwarding


http://social.technet.microsoft.com/Forums/en-AU/exchangesvrmobility/thread/0e332aff-dc44-47d2-a294-36c68b56b04e

http://www.sharepointpanda.com/2011/08/motorola-atrix-with-gingerbread-update-triggers-infinite-loop-on-forwarded-emails/

http://www.atrixforums.com/forum/rescue-squad/5153-forwarded-emails-exchange-2010-get-sent-infinite-loop-after-gb-update.html


Friday, October 14, 2011

I like the Cisco AP541N WAPs

So I've been resisting giving wireless access to my internal network for a long while.  But over time the security options on wireless equipment have gotten better, and frankly the cable clutter in the conference rooms has started resembling a briar patch.  So I went looking for an access point that could not only handle multiple VLANs but would also provide strong security and integrate with my users' Active Directory accounts.  Enter the Cisco AP541N, which can present up to 15 virtual APs (VAPs), each with its own authentication options, VLAN tagging, and optional redirection to a URL.  It also has good clustering support, which was a nice plus, along with PoE support to simplify deployment, and it comes in just under $400.
http://www.cisco.com/cisco/web/solutions/small_business/products/wireless/ap_500/index.html

For my secure network I set the VAP to use RADIUS auth against my Windows 2008 R2 domain controllers running NPS.  Good setup article here:  http://aaronwalrath.wordpress.com/2010/06/22/install-windows-2008-r2-nps-for-radius-authentication-for-cisco-router-logins/

Accessing the VAP is a breeze: the user just clicks Connect on their domain-joined laptop and their domain credentials are passed through without any end-user configuration.   Nice video at:  http://www.youtube.com/watch?v=g-0MM_tK-Tk

Now the only thing I didn't like when I configured it was that the admin password was limited to 8 alphanumeric characters, which is not much protection for the box that decides who gets onto the network.  Fortunately, if that's an issue you can configure the whole WAP to authenticate the admin account via 802.1X instead.  I also ran into an issue where the auto-configured settings the cluster feature set up had an authentication problem, but all I had to do to fix that was re-enter the RADIUS shared secret and it went away.
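As an added example (not from the post and not Cisco's or Microsoft's code), the PowerShell below registers the AP as a RADIUS client on the NPS server with a long random shared secret, the one credential on this setup that you control the length of. The client name and address are assumptions; run it on the NPS box as an administrator, then paste the same secret into the VAP's RADIUS settings.

```powershell
# Added example, not from the original post or from Cisco/Microsoft: register the
# AP as a RADIUS client on NPS with a long random shared secret instead of a short
# hand-typed one. Name and address are assumptions; run on the NPS server as an
# administrator. The same secret then goes into the VAP's RADIUS configuration.
function New-SharedSecret([int]$Length = 32) {
    # Alphanumeric only so it pastes cleanly into the AP's web form.
    $charset = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'
    $rng     = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $buf     = New-Object byte[] 1
    $sb      = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        # Rejection sampling: 248 = 4 * 62, so bytes below 248 map uniformly onto
        # the 62 characters; a plain modulo would bias the first eight.
        if ($buf[0] -lt 248) { [void]$sb.Append($charset[$buf[0] % 62]) }
    }
    $sb.ToString()
}

$apName = 'AP541N-CONF1'   # assumed friendly name; it is what shows up in NPS logs and policies
$apIp   = '10.0.0.5'       # assumed management address of the AP
$secret = New-SharedSecret

# netsh's nps context does the registration; NPS only answers clients listed here.
netsh nps add client name="$apName" address="$apIp" state="ENABLE" sharedsecret="$secret"
netsh nps show client

# Record the secret somewhere managed; it is the only thing authenticating the AP to NPS.
$secret
```

If the AP's form rejects a 32-character secret, shorten it with -Length, but keep it well past the 8 characters the admin password is capped at. The "authentication problem" after clustering described above is exactly a secret mismatch between this NPS entry and the AP, so when it recurs, regenerate and re-enter on both ends rather than guessing which side drifted.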