Thursday, September 29, 2011

Classic ASP and Windows integrated authentication

I’ve just spent a few days looking into making a small change to a live web site that uses an old classic ASP page to provide basic file access to network drives so files can be accessed from home via a web browser. It’s a pre-existing web site running in IIS6 on a Windows Server 2003 box and uses basic authentication which means the user will be prompted to enter their Active Directory username and password before they will be granted access.

The first change was to use Windows integrated authentication so the user isn’t challenged with a prompt when they access the site internally (because the browser will pass along their network logon credentials and the server will use those).

The second was to sort the list of folders and files alphabetically.

The first change turns out to be a real pain to achieve because with Windows integrated authentication the code appears to run in the context of the remote user until you need to do something with another network resource (such as a file server). At that point you run into a double hop problem – the impersonated credentials work on the web server, but won’t work anywhere else. There are some options here, such as trying to enable constrained delegation to allow the impersonated credentials deeper access (but the file server isn’t actually a Windows machine and constrained delegation might not work with classic ASP anyway). Or maybe I could write a COM interop object that calls RevertToSelf to terminate the impersonation and do the network file store access as the IIS process identity? All sounds like a bunch of hassle to support a minor use case – the internal users will use the file store directly anyway and the external ones are still going to have to provide their logon details as they won’t be logged in to the domain while at home.

The second also turns out to be a pain because classic ASP with VBScript doesn’t have any way to sort things (other than implement your own sorting or push it into a database – yikes!). I found a nice solution on the web that uses CreateObject to create a .Net SortedList (presumably through COM interop). However, accessing the folder and file objects provided by the FileSystemObject via the SortedList causes the basic authentication impersonation to get dropped giving access denied errors because the IIS process account doesn’t have any permissions against the network file store. Hence a horrible workaround involving storing the file and folder objects in arrays and the indexes in the SortedList.
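The array-plus-index workaround described above, sketched as an added example (this is not the original site's code). The share path is a placeholder and `SortedByName` is a hypothetical helper name; only strings and integers are passed to the .NET SortedList, while the FileSystemObject items stay in a VBScript array.

```asp
<%
Option Explicit
' Added example, not the original site's code.
' SHARE_PATH is a placeholder; SortedByName is a hypothetical helper name.
Const SHARE_PATH = "\\fileserver.example\share"

' Returns an array of the members of an FSO collection (Folders or Files)
' ordered by name. Only name strings and integer indexes are handed to the
' .NET SortedList; the FSO objects never leave the VBScript array.
Function SortedByName(coll)
    Dim items(), result(), order, item, i
    If coll.Count = 0 Then
        SortedByName = Array()
        Exit Function
    End If
    ReDim items(coll.Count - 1)
    ReDim result(coll.Count - 1)
    Set order = CreateObject("System.Collections.SortedList")
    i = 0
    For Each item In coll
        Set items(i) = item
        order.Add item.Name, i          ' key = name, value = array index
        i = i + 1
    Next
    For i = 0 To order.Count - 1        ' SortedList enumerates in key order
        Set result(i) = items(order.GetByIndex(i))
    Next
    SortedByName = result
End Function

Dim fso, root, entry
Set fso = Server.CreateObject("Scripting.FileSystemObject")
Set root = fso.GetFolder(SHARE_PATH)

For Each entry In SortedByName(root.SubFolders)
    Response.Write Server.HTMLEncode(entry.Name) & "/<br>"
Next
For Each entry In SortedByName(root.Files)
    Response.Write Server.HTMLEncode(entry.Name) & " (" & entry.Size & " bytes)<br>"
Next
%>
```

Names within a single folder are unique, so `Add` never sees a duplicate key; names are HTML-encoded before being written because they come from the file store, not from the page author.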

This post is to remind me to STAY THE FUCK AWAY FROM CLASSIC ASP.

Thursday, May 26, 2011

Amazon Kindle

I recently bought a Kindle (v3). I bought the WiFi version (£111) as I don’t need the 3G connectivity. I also bought the Kindle Edition of Iain M Banks’ latest Culture novel Surface Detail. This cost £5, which is approximately the same as the paperback version.

I chewed through it in about the same time and manner as I would have done the dead-tree version. I was happily reading for hours at a time with no hint of eye strain. Due to its small size and weight and long recharge times it’s as convenient as a dead-tree book. As it’s not back-lit it doesn’t wash out in sunlight like a laptop does, so I was untroubled even when slashes of bright sunlight were coming in through a blind in the conservatory. There’s space for ~3500 books so that should mean I’m never without something to read – I’ll no longer have to pack a stack of books to take on holiday.

It remembers your place in each book, so it’s easy to switch reads. You can create additional bookmarks and highlight passages. It comes with a copy of the Oxford English dictionary so you can easily look up the meaning of new words.

There’s a vast stack of ‘classics’ available free from the Kindle website. I’ve often promised myself I’d read some of this stuff at some point, but now I can do so easily I’m left wondering if I really want to read Moby Dick (for example).

It has a built-in web browser, which I’ve not really used, and the Kindle can also read books aloud to you. This is surprisingly good, both at pronunciation and at emphasis. I’m not sure how much use it will be to me, but could be great (along with the dictionary) to help kids get into reading.

There’s a standard socket for ear phones and you can upload and playback MP3 tracks so you can have music along for the ride, although I’ve not tried this either yet.

I’d like to try a Kindle Edition computer textbook out soon – I’ve currently got a fair size backlog of dead-tree texts to get through, but they are so bulky and dry it’s often hard going. Being able to nibble away on a Kindle might be a much better way for me to keep up in future. And having them at hand when you need them (rather than stacked-up in an office) would also be good.

I’m not too concerned about the costs of eBooks at the moment - £5 for the hours I’ll get out of my first purchase seems a good deal to me – although I’m uneasy about not being able to lend or sell an eBook on. Copyright laws are based on preserving pre-digital markets: if I buy a chair (or a car or a whatever) I expect it to retain some value which can be recovered through sale. Having these rights artificially restricted seems wrong somehow.

Tuesday, May 24, 2011

VMware, Windows 2008 Server R2 & Windows Updates

I have started playing with VMware because I needed to set up a test environment to play with zEntity. I tried a Windows Server 2008 install in VirtualBox on a Windows 7 host, but was getting some strange crashes. A passing consultant recently recommended VMware to me, and it seems we already have a VMware ESXi server running so I might as well get used to it.

The potential benefit here is that I can create and run a virtual machine locally and then move it off to the server if I want to keep it semi-permanently.

The consultant recommended VMware Server (which is actually a desktop product), but it seems this is reaching its end of life very soon. The internet recommends VMware Workstation as a replacement, but it’s a pay-for product and I’m just playing with it at this point. VMware Player seems to be the way to go – the current version allows a virtual machine to be created (I’m guessing earlier versions didn’t, hence ‘Player’). Very confusing nomenclature.

As I have access to an Action Pack I can get hold of install disks for lots of Microsoft stuff – they come with a variety of trial periods so there’s no immediate issue with licenses, and if we decide to keep something we have budget to get licenses after the trial. My laptop has some Roxio disk burning software bundled with it so I have used that to copy the install disks to the hard drive as ISO images which can then be mounted into the virtual machine and installed from. Handy if I need to reinstall as I won’t need to get the physical disk again.

It seems that Windows 2008 Server R2 is 64-bit only. I’m running 32-bit Windows 7 Ultimate on a Dell Precision M6400, which has 4GB RAM and a Core 2 Duo CPU @ 2.26 GHz. VMware doesn’t seem fazed by this and happily lets me create a blank Virtual Machine (VM) and install Windows 2008 Server R2 from the ISO. It defaults to the Data Centre Edition for some reason, so I delete it and start again, this time choosing the Standard Edition.

I got the server installed and found 54 updates waiting. No problem – I let those install. It stops at update 31. Just sits there. Downloading, it says, but nothing happens. I cancel the download and ask it to reboot. It quits my desktop and starts installing the 31 updates. This never completes. The screen is updating the status dots, but the install is stuck. I cycle the power to the VM and it comes back up. I carry on installing updates and also install SQL Server 2008. Another update sticks. Cycling the power won’t unstick it – it refuses to download it. The Server Manager also won’t show me what roles or features are installed or let me add more. This is going to be a problem as I need to get IIS running and I didn’t install it yet.

Eventually I decide to start again and delete the VM. This time I give the VM 2GB of RAM – the first attempt only had the default 1GB. I also decide to install updates in batches of ~10 – earliest first and with a reboot between each batch. I’m only installing the ‘important’ updates – I ignored the optional ones previously and will do so again for now. The following table summarises the sets of updates that were applied.

Date range      Updates
2009            3
Jan-Jun 2010    9
Jul-Nov 2010    11
Dec 2010        10
Jan-Mar 2011    6
Apr 2011        10
May 2011        2

I opt to leave IE 9 uninstalled for now and I also install the Security Update for .Net Framework 3.5.1 and the Windows Malicious Software Removal Tool update individually at the end.

This appears to have worked. All the updates went on without me needing to manually power-cycle the VM and the Roles and Features stuff in Server Manager is still operational.

Wednesday, May 18, 2011

Umbraco CMS

I recently helped to create a small website to show off some colleagues’ work. Rather than start from scratch we decided to hunt around for a Content Management System (CMS) compatible with the .Net framework. Following a tip from a friend we decided to try out Umbraco 4 which is open source and written in .Net. I just did the installation and some technical stuff – James & Joel added the content and made it look nice.

Installation was simple and comes with a set of basic pre-built website samplers to get you going. There are also some free training videos on the Umbraco website. These are a good start although they are a little out of date, but it was easy to map what they were talking about to the current version.

[Image: rlo]

A screen shot of the videos listing page is shown although as it’s a work in progress it will probably look different now. The link to the site is: http://rlo.harper-adams.ac.uk/.

Umbraco provides an administrative user interface in the Umbraco folder of the website with which you can create document types and instances. Database access (SQL Server) is handled for you. You can edit the aspx page in the Umbraco UI to control the display of a document type (you can also write your own custom controls, but I’ve not tried this yet) and you can use XSLT to generate HTML via templates. Umbraco hands you the site’s content in XML format so all the plumbing is done for you.

[Image: umbraco content]

The same XSLT template approach is used to generate RSS feeds. It was easy to create a feed page and link it from the home page.

I’m not sure how to create multiple categories yet – we would like to be able to list the pages by department, for example, as well as content type (video, image, etc).

I’ve been told that SubSonic is good for database access from Umbraco, but not tried it yet.

Umbraco also has a plug-in system so it’s easy to find and install third-party utilities. The same system can also be used to export your files out to a zip file so you can easily move a site between dev and live, for example.

So far I’m impressed. It looks like my Netcetera web hosting account comes with tools to install Umbraco. Will be trying this out soon.

Wednesday, April 20, 2011

Netcetera web hosting

I recently created an account with Netcetera to host an ASP.Net MVC 2 web site for work. I initially tried to host it from an existing Fasthosts account, but their package didn’t support ASP.Net MVC 2.

It’s a good price and hosted in the UK so might be slightly better in terms of data protection legislation anyway.

However, the transfer of our domain hadn’t happened after the 5 calendar days were up (all part of the disgusting game of too-much-hassle-to-swap the domain registrars are permitted to play). I opened a support ticket and am told that the transfer was cancelled because it was locked at the current registrar. Can we please unlock it and send an authorisation code?

I was there and saw it being unlocked the first time around. I personally provided the authorisation code and personally clicked the emailed link from Netcetera to confirm the transfer, so I know this is bullshit. And, regardless, that’s no excuse for not letting us know that there was an issue with the transfer.

Update:

I think the domain transfer failed because it’s still within the 60 day new registration period so can’t be moved yet. To be fair this isn’t Netcetera’s fault so much as a failure of the domain registration system in general, although, as the Gaining Registrar, Netcetera should have been informed of the failure and could have passed this on. Lesson learned: next time I’ll use a new, less desirable domain name initially and only commit to the desirable domain name once I’m sure the hosting package is the right choice. I’ll also avoid any ‘free transfer’ option and just include the extra expense of the second domain when shopping around.

In the meantime I’ve picked a second domain name and registered that and pointed it at the website. Not ideal, but will have to do for now. I couldn’t initially figure out how to get the new domain to point to the existing website, but Netcetera’s email support got back to me within minutes to point me in the right direction.

First, I needed to go to the website’s control panel at http://cp2.netcetera.co.uk/. Then click on Domains > Add Domain.

[Image: cp2-1]

Then use the Domain Alias link to point the second domain to the first website. The result is shown in the picture above (as I took it after already completing this process).

[Image: cp2-2]

And now http://www.agricommon.org is up and running.

I should point out that I registered the new domain using Netcetera’s main website first – the instructions above then get it to refer to the website.

Friday, March 11, 2011

DPM causes IIS read access forbidden (403 2)

I have just spent several hours trying to figure out why Microsoft (MS) Security Center Essentials 2007 (SCE) isn’t able to serve MS Updates to its clients anymore. This looks like it was working 6 months ago, but not any more.

I tracked it to IIS problems – pretty much every request from another machine was getting sent back with error 403 sub-error 2 read access forbidden despite the fact that everything looked fine in IIS Manager.

It looks like MS Data Protection Manager (DPM) locks down IIS pretty tightly and, sure enough, the box has DPM 2007 installed on it too.

More info: http://blog.mattrudge.net/2009/07/05/error-403-2-read-access-forbidden-on-iis/