Runbooks missing in Orchestrator 2012 console

After you have created one or more runbooks in the Runbook Designer of System Center Orchestrator 2012, it can happen that these runbooks do not show up in the Orchestrator console. It appears to me that this is a bug in Orchestrator 2012. To resolve this issue you need to flush the authorization cache by following these steps:

  1. Open SQL Server Management Studio on the server that hosts the Orchestrator database
  2. Create a new query and make sure the Orchestrator database is selected
  3. Run the query below:

TRUNCATE TABLE [Microsoft.SystemCenter.Orchestrator.Internal].AuthorizationCache

Make sure you take a backup of your Orchestrator database before making this change. Once complete, you should notice that your runbooks appear in the web console.

Microsoft NLB on VMware ESX platforms

To run Microsoft NLB clusters as virtual machines on a VMware platform, the NLB cluster must be placed in multicast mode. To explain why, you first need to understand the difference between unicast and multicast NLB.

When implementing Network Load Balancing (NLB) you must choose between unicast and multicast mode. There are a few differences, but the main one is the way MAC addresses are handled.

Unicast - Each NLB cluster node replaces its real (hard-coded) MAC address with a new one generated by the NLB software, and every node in the cluster uses the same virtual MAC. Because this virtual MAC is used by multiple computers, a switch cannot learn a port for it and is forced to flood packets destined for the NLB MAC to all of its ports to make sure they reach the right destination.

Multicast - NLB adds a second layer 2 MAC address to the NIC of each node, so each NLB cluster node has two MAC addresses: its real one and the NLB-generated one. With multicast you can create static entries in the switch so that it forwards packets only to the ports of the NLB cluster members. Mapping the address to the ports used by the NLB cluster stops the other ports from being flooded; only the mapped ports receive the packets for the NLB cluster. If you don't create the static entries, the switch floods just as in unicast mode.

NLB was designed for physical switches. However, you now also have virtual switches, like those in the VMware ESX platform.

The Microsoft NLB cluster masks the cluster's MAC address on all outgoing traffic to prevent the switch from learning it.

In the ESX host, the VMkernel sends a RARP packet each time certain actions occur, for example when a virtual machine is powered on, experiences a teaming failover, performs certain VMotion operations, and so on. The RARP packet informs the switch of the MAC address of that virtual machine. In an NLB cluster environment this exposes the MAC address of the cluster NIC as soon as an NLB node is powered on, which can cause all inbound traffic to pass through a single switch port to a single node of the NLB cluster.

To resolve this issue, you must configure the ESX host not to send RARP packets when any of its virtual machines is powered on. To disable these RARP packets, disable the Notify Switches NIC teaming option in VMware ESX at the port group or virtual switch level.
My best practice is to create a separate port group for each NLB cluster on a virtual platform and to disable the Notify Switches option on that port group.

What is private cloud computing and how to implement it in your organisation

To define cloud computing I often make the comparison with the water that comes out of the tap in my house. This water has the following characteristics:

  • I only pay for the water that I use, on a monthly basis. So my costs for water are spread over time and I only pay for what I use
  • I can use any volume of water that I want, when I need it. The volume I consume can differ each month
  • The water is standardized. I can't choose which type of water comes out of the tap; it is always the same. I can't change the colour of the water to red or green or...
  • I don't care what technical complexity is required to deliver this water to my home. I just know that it is delivered
  • When I open the tap the water is delivered automatically
  • The same water infrastructure is used by the service provider to deliver water to multiple clients

So, to put it in other words, cloud computing is for me about pay-as-you-go, scalability, flexibility, standardization, hiding technical complexity from the user, automation, self-service capabilities and shared facilities.

The difference between a public and a private cloud is who the provider of the services is. In the case of a public cloud this is an external organisation; in the case of a private cloud it is in most cases the IT department of your own organisation. A hybrid cloud is a combination where some services are delivered by an external organisation and others by your own organisation.

Suppose you see the advantages of private cloud services and want to implement them in your organisation. What should you do? Well, to stay with the same example, you are in fact going to deliver the water in your organisation.

First of all you need to define which standardized items you want to deliver to your organisation with your private cloud. In a cloud environment users expect you to deliver items automatically and in whatever quantity they want. So if you don't standardize, users will ask you for something different each time and you will end up with such overall technical complexity that things become unmanageable. So, to put it in ITIL terms, define your service catalogue first.

To cut costs as a service provider you can choose to share resources, for example share SAN storage between clients instead of implementing a separate SAN storage solution for each client. This is the so-called sharing principle you hear about when people talk about cloud. But remember that to be able to share resources, the items you deliver should be standardized. Otherwise you will not be able to share many resources and the price of the items you deliver will increase.

Now that you have defined which items you will deliver to your internal clients, you need to figure out how you will deliver these items technically. When the user opens the tap, the water must come out. So you need to implement a self-service portal where users request new items, and behind it a complete automation engine that delivers the requested items to the users automatically. You can also work with RFC documents or requests where members of your IT team perform manual actions to deliver the required items following standardized procedures. However, this second approach only works if the workload isn't too high. If you have a huge number of requests for specific items you must think of automation.

As the IT department you now have a set of standardized items that can be delivered to the users on request, when they want them. However, the IT department needs to make huge investments to make this type of service possible, and I can imagine that without an internal charge-back mechanism the users keep demanding things for free while the IT department must keep investing. I think the management of your business will not be happy with this. So you need to put the costs on the people who request items; I also have to pay my water bill for the water I used. This means you need to set up an internal charge-back mechanism and a price list.

As the IT department I don't want to do all the manual administration to calculate who used what amount of water last month, so you need some kind of billing application that can cope with the pay-as-you-go principle. In many cases you can't measure exactly who used which capacity every hour. In that case you can work with a maximum amount of capacity a client can consume each month and bill the client for that maximum amount.

That is just my idea about private cloud computing and how to implement it.

Can others see my files on my hard drive?

Yesterday there was a report on Belgian television showing that just deleting files by moving them to the recycle bin is not enough: with special software you can still recover those files from the hard drive. As a follow-up to this report I wanted to post the links to the software that was used:

http://www.recovermyfiles.com

Program used to recover files after accidental deletion, computer crashes, ...

http://eraser.heidi.ie/

Eraser was recommended to securely remove everything, to make sure nothing is left behind.

Link to the report

http://www.deredactie.be/cm/vrtnieuws/mediatheek/programmas/koppen/2.19424/2.19425/1.1194396

A .NET 4.0 implementation of the OAuth protocol in C#

Introduction

As a follow-up to my earlier post, you can find in this post a sample implementation of the consumer side of the OAuth protocol in C# .NET 4.0.

To keep things simple this is a simple console application that queries Twitter for the status timeline of the people I follow on Twitter. However, to access these statuses from my application I need to authenticate my application using the OAuth protocol.

Step 0

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Diagnostics;
using System.Web;
using System.Collections.Specialized;
using vankeyenberg.Properties;   // Settings class generated from Settings.settings (project namespace assumed)

namespace vankeyenberg
{
    internal class Program
    {
        // OAuth endpoint URLs of the service provider (Twitter)
        private const string AccessUrl = "http://twitter.com/oauth/access_token";
        private const string AuthorizeUrl = "http://twitter.com/oauth/authorize?oauth_token={0}";
        private const string RequestUrl = "http://twitter.com/oauth/request_token";

The first part of the program imports the required .NET namespaces and defines the OAuth endpoint URLs required for Twitter.

        private static void Main()
        {
            Console.WriteLine("Welcome to the OAuth Console Walkthrough");
            Console.WriteLine();

            // you can get these from app.config or another source
            string consumerKey = Settings.Default.ConsumerKey;
            string consumerSecret = Settings.Default.ConsumerSecret;

I stored the OAuth consumer key and consumer secret in a separate Settings.settings file.

Step 1

            // Step 1: get an unauthenticated request token from the service provider
            string requestToken = OAuth.GetRequestToken(RequestUrl,
                                                        consumerKey,
                                                        consumerSecret);
            // The response of the service provider (oauth_token, oauth_token_secret,
            // oauth_callback_confirmed) is stored in a NameValueCollection
            NameValueCollection collection = HttpUtility.ParseQueryString(requestToken);

I implemented a separate static OAuth class that contains the low-level OAuth authentication protocol and several helper methods useful in the OAuth protocol. You can download this static class from my website.

Step 1 of the OAuth authentication protocol is implemented by OAuth.GetRequestToken(string requestUrl, string consumerKey, string consumerSecret). As you can see, only the request URL, the consumer key and the consumer secret are passed as parameters to this method. The other parameters required by the OAuth request token call are created automatically by the GetRequestToken method.

The OAuth request token, the corresponding secret and the oauth_callback_confirmed parameter are stored in a NameValueCollection.

Step 2

            // Step 2: send the user to the authorization site out of band.
            // The token is looked up by name rather than by position, so the code
            // does not depend on the order in which the service provider returns the fields
            string authorizationUrl = String.Format(AuthorizeUrl, collection["oauth_token"]);
            Process.Start(authorizationUrl);

            // wait for the user to return to the site
            Console.WriteLine(
                "Press any key to continue after " +
                "authorizing this application...");
            Console.ReadLine();

In step 2 the user is redirected to the authorization URL of the service provider, with the OAuth request token as a parameter. The program waits until the user has confirmed authorization at the authorization site of the service provider.

Step 3

            // Step 3: exchange the request token (and its secret) for an access token
            string accessToken = OAuth.GetAccessToken(AccessUrl,
                                                      consumerKey,
                                                      consumerSecret,
                                                      collection["oauth_token"],
                                                      collection["oauth_token_secret"]);
            // the response now holds the access token and access token secret
            collection = HttpUtility.ParseQueryString(accessToken);

Now that the user has given authorization, the application can exchange its request token for an access token. This exchange is implemented by OAuth.GetAccessToken, which closely resembles the OAuth.GetRequestToken method, with the difference that in OAuth.GetAccessToken the request token and request token secret are passed as additional parameters. See also the implementation of these methods in the OAuth class for more information. The received access token and secret are again stored in a NameValueCollection.

Step 4

            // Step 4: access a protected API call on Twitter with the access token
            const string query = "http://twitter.com/statuses/user_timeline.xml";

            String userTimeline = OAuth.GetProtectedResource(query,
                                                             "GET",
                                                             consumerKey,
                                                             consumerSecret,
                                                             collection["oauth_token"],
                                                             collection["oauth_token_secret"]);

            Console.WriteLine(userTimeline);
            Console.WriteLine();

            Console.WriteLine("Press any key to exit the walkthrough.");
            Console.ReadLine();
        }
    }
}

Now that the application has received the access token, this token can be used to access protected resources on Twitter, for example the statuses of the users you follow, spread over a timeline.

Both the OAuth static class and the complete Program.cs file can be downloaded from the download section of this website.

The OAuth 1.0a protocol explained

I am working on the development of an application that queries several social media providers. However, the resources made available by these service providers (such as Twitter, Facebook, ...) are protected by the OAuth protocol. The OAuth protocol enables websites or applications (Consumers) to use Protected Resources from a web service (Service Provider) via an API, without requiring Users to disclose their Service Provider credentials to the Consumers. More generally, OAuth creates a freely implementable and generic method for API authentication.

An example use case is allowing a picture sharing service (share.example.com) to use photos stored on another service provider (hosted.pictures.net) without requiring Users to provide their hosted.pictures.net credentials to share.example.com.

In a next post I will give you an overview of my implementation of the OAuth protocol in .NET. However, before that makes any sense you need to understand the OAuth authentication protocol.

The OAuth protocol works as follows:

Step 0

The consumer needs to register its application with the service provider. In reply to your request the service provider provides you with the consumer key (the unique identifier of your application at the service provider) and the consumer secret. The service provider also gives you a list of its endpoint URLs. This information is exchanged between the owner of the consumer application and the service provider. For Twitter, for example, you can request this information at https://dev.twitter.com/apps

Step 1

In the first step of the authentication protocol, the consumer asks the service provider to issue a request token. The request token's sole purpose is to receive User approval, and it can only be used to obtain an Access Token. To obtain a request token, the consumer sends an HTTP request to the service provider's request token URL (for example, at Twitter, https://api.twitter.com/oauth/request_token) with the following parameters:

  • oauth_consumer_key: the consumer key obtained in step 0 from the service provider
  • oauth_signature_method: The signature method of the Consumer used to sign the request
  • oauth_signature: the signature of the request. It is computed over the signature base string using the consumer secret as key (HMAC-SHA1 in the example below). The base string is a normalized string that consists of the concatenation of:

    HTTP method
    service provider request URL
    oauth_consumer_key
    oauth_nonce
    oauth_signature_method
    oauth_timestamp
    oauth_token
    oauth_version

for example GET&http%3A%2F%2Fhosted.pictures.net%2Fphotos&oauth_consumer_key%3Ddpf43f3p2l4k3l03%26oauth_nonce%3Dkllo9940pd9333jh%26oauth_signature_method%3DHMAC-SHA1%26oauth_timestamp%3D1191242096%26oauth_token%3Dnnch734d00sl2jdk%26oauth_version%3D1.0

  • oauth_timestamp: number of seconds since January 1, 1970 00:00:00 GMT. The timestamp value MUST be a positive integer and MUST be equal to or greater than the timestamp used in previous requests
  • oauth_nonce: a unique value created by the consumer for all requests with the same timestamp. A nonce is a random string, uniquely generated for each request. The nonce allows the service provider to verify that a request has never been made before and helps prevent replay attacks
  • oauth_version: in most cases 1.0
  • oauth_callback: an absolute URL to which the Service Provider will redirect the User back when the Obtaining User Authorization step is completed

The service provider responds to this request with a request token and a request token secret (oauth_token and oauth_token_secret).
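The signature construction from the oauth_signature bullet above, together with the timestamp and nonce checks described under oauth_timestamp and oauth_nonce, as a worked example in Python. This is an added example and not code from the original post or from the author's OAuth class. It builds the signature base string for the exact parameters shown above (consumer key dpf43f3p2l4k3l03, nonce kllo9940pd9333jh, timestamp 1191242096, token nnch734d00sl2jdk), signs it with HMAC-SHA1 as the specification describes, and shows the checks a service provider performs on the other side. The consumer secret and token secret values, the helper and class names, and the sample response body are constructed for the example.

```python
import base64
import hashlib
import hmac
from urllib.parse import parse_qs, quote

# Parameters of the example request from the post; the two secrets are constructed placeholders
METHOD = "GET"
URL = "http://hosted.pictures.net/photos"
PARAMS = {
    "oauth_consumer_key": "dpf43f3p2l4k3l03",
    "oauth_nonce": "kllo9940pd9333jh",
    "oauth_signature_method": "HMAC-SHA1",
    "oauth_timestamp": "1191242096",
    "oauth_token": "nnch734d00sl2jdk",
    "oauth_version": "1.0",
}
CONSUMER_SECRET = "consumer-secret-placeholder"  # constructed, not a real secret
TOKEN_SECRET = "token-secret-placeholder"        # constructed, not a real secret


def percent_encode(value):
    """OAuth 1.0a percent-encoding: only RFC 3986 unreserved characters stay as-is."""
    return quote(str(value), safe="-._~")


def normalize_parameters(params):
    """Sort the encoded key/value pairs and join them as key=value&key=value."""
    pairs = sorted((percent_encode(k), percent_encode(v)) for k, v in params.items())
    return "&".join(f"{k}={v}" for k, v in pairs)


def signature_base_string(method, url, params):
    """HTTP method & encoded request URL & encoded normalized parameters."""
    return "&".join([method.upper(), percent_encode(url),
                     percent_encode(normalize_parameters(params))])


def hmac_sha1_signature(base_string, consumer_secret, token_secret=""):
    """The HMAC key is consumer_secret&token_secret; the token secret is empty before one is issued."""
    key = f"{percent_encode(consumer_secret)}&{percent_encode(token_secret)}"
    digest = hmac.new(key.encode("ascii"), base_string.encode("ascii"), hashlib.sha1).digest()
    return base64.b64encode(digest).decode("ascii")


def sign_request(method, url, params, consumer_secret, token_secret=""):
    """Consumer side: return a copy of params with oauth_signature added."""
    signed = dict(params)
    signed["oauth_signature"] = hmac_sha1_signature(
        signature_base_string(method, url, params), consumer_secret, token_secret)
    return signed


def verify_request(method, url, params, consumer_secret, token_secret=""):
    """Service-provider side: recompute the signature over every other parameter and
    compare in constant time, so a tampered parameter or a wrong secret is rejected."""
    supplied = params.get("oauth_signature")
    if supplied is None:
        return False
    unsigned = {k: v for k, v in params.items() if k != "oauth_signature"}
    expected = hmac_sha1_signature(signature_base_string(method, url, unsigned),
                                   consumer_secret, token_secret)
    return hmac.compare_digest(expected, supplied)


class ReplayGuard:
    """Service-provider side timestamp/nonce check from the post: the timestamp must be a
    positive integer not lower than the consumer's previous one, and a (timestamp, nonce)
    pair may be used only once, so a captured request cannot simply be sent again."""

    def __init__(self):
        self._last_timestamp = {}
        self._seen = set()

    def accept(self, consumer_key, timestamp, nonce):
        try:
            ts = int(timestamp)
        except ValueError:
            return False
        if ts <= 0 or ts < self._last_timestamp.get(consumer_key, 0):
            return False
        if (consumer_key, ts, nonce) in self._seen:
            return False
        self._seen.add((consumer_key, ts, nonce))
        self._last_timestamp[consumer_key] = ts
        return True


def parse_token_response(body):
    """Parse a step 1 / step 3 response body such as
    oauth_token=...&oauth_token_secret=...&oauth_callback_confirmed=true into a dict."""
    return {k: v[0] for k, v in parse_qs(body, strict_parsing=True).items()}


if __name__ == "__main__":
    print(signature_base_string(METHOD, URL, PARAMS))
    signed = sign_request(METHOD, URL, PARAMS, CONSUMER_SECRET, TOKEN_SECRET)
    print("signature:", signed["oauth_signature"])
    print("verifies:", verify_request(METHOD, URL, signed, CONSUMER_SECRET, TOKEN_SECRET))
```

Running the block prints the same base string as the example above, which shows why the order of the parameters in the HTTP request does not matter: both sides sort them before signing. The ReplayGuard keeps state per consumer key; in a real service provider that state would live in a shared store rather than in memory.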

Step 2

In order for the consumer to be able to exchange the request token for an access token, the consumer must obtain approval from the user by directing the User to the Service Provider. The consumer constructs an HTTP GET request to the Service Provider's User Authorization URL (for Twitter, for example, https://api.twitter.com/oauth/authorize) with the following parameter:

  • oauth_token: the request token obtained in the previous step

Once the user authenticates with the service provider and grants permission for consumer access, the service provider directs the User back to the consumer using the oauth_callback parameter given to the service provider in step 1.

Step 3

In step 3 the consumer exchanges its request token for an access token and token secret. To request an access token the consumer makes an HTTP request to the service provider's access token URL (for Twitter, for example, https://api.twitter.com/oauth/access_token). The request contains the same parameters as the request in Step 1, except that the request token is added as a parameter.

If this request is successful, the service provider generates an Access Token and Token Secret and returns them in the HTTP response body.

Step 4

After successfully receiving the Access Token and Token Secret, the consumer is able to access the protected resources on behalf of the User. The request MUST be signed per Signing Requests and contains the following parameters

See for more information:

The OAuth 1.0a protocol specification http://oauth.net/core/1.0a/#auth_step1
Beginner's guide to OAuth http://hueniverse.com/oauth/guide/intro/

Create Site Server Signing Certificate Template on a Certification Authority for System Center Configuration Manager

To create and issue the site server signing certificate template, follow these steps:

  1. On your certification authority click Start – Programs – Administrative Tools – Certification Authority
  2. Expand the name of your CA and then click Certificate Templates
  3. Right-click Certificate Templates and click Manage
  4. In the results pane, right-click the entry that displays Computer in the Template Display Name column and then click Duplicate Template
  5. In the Properties of New Template dialog box, on the General tab, enter a template name for the site server signing certificate template, such as SCCM Site Server Signing Certificate, and then select Publish certificate in Active Directory
  6. Click the Subject Name tab, and then click Supply in the request
  7. Click the Extensions tab, make sure Application Policies is selected, and then click Edit
  8. In the Edit Application Policies Extension dialog box, select Client Authentication, press Shift and select Server Authentication, and then click Remove
  9. In the Edit Application Policies Extension dialog box, click Add
  10. In the Add Application Policy dialog box, select Document Signing as the only application policy and then click OK
  11. In the Properties of New Template dialog box, you should now see Document Signing listed as the description of Application Policies
  12. Click the Issuance Requirements tab, and select CA certificate manager approval
  13. Click OK and close the Certificate Templates console, certtmpl – [Certificate Templates]
  14. In Certification Authority, right-click Certificate Templates, click New, and then click Certificate Template to Issue
  15. In the Enable Certificate Templates dialog box, select the new template you have just created, SCCM Site Server Signing Certificate, and then click OK

Default password HP Gbe2 interconnect p-class Blade Enclosure

In case you have forgotten the password of the HP GbE2 interconnect module of your p-Class Blade Enclosure, you can reset it by using the following recovery password in a HyperTerminal session:

2wGDEp|B

This is an undocumented feature, but it could save you lots of time not having to find the old password.

Single sign-on Microsoft terminal services

It is quite annoying that each time you open a terminal connection the system asks for your credentials, certainly when you need to connect to multiple terminal servers to access different applications.

A new feature of Terminal Services in Windows Server 2008 is single sign-on. This means you no longer need to supply credentials when you create your terminal connection. However, to benefit from this feature the terminal connection must be initiated from a Windows Vista or Windows Server 2008 client to a Windows Server 2008 terminal server. Password-based authentication is also required; smart cards are not supported.

Single sign-on is not configured out of the box on a Windows Server 2008 terminal server. To configure it, follow these steps:

  1. Open Terminal Services Configuration using tsconfig.msc and then click OK
  2. Under Connections, right-click RDP-Tcp and then choose Properties
  3. On the General tab, verify that the Security layer value is Negotiate or SSL (TLS 1.0)

To configure TS single sign-on for the Windows Vista based computers, use Group Policy or the Local Group Policy:

  1. Expand Computer Configuration, Administrative Templates, System and then click Credentials Delegation
  2. Double-click Allow Delegating Default Credentials
  3. In the properties dialog box, on the Settings tab, click Enabled and then click Show
  4. In the Show Contents dialog box, click Add to add servers to the list
  5. In the Add Item dialog box, in the Enter the item to be added box, type the prefix termsrv/ followed by the name of the terminal server and then click OK

Robocopy

When you need to synchronize files between two storage locations, Robocopy is an easy and free tool from Microsoft that you can use for this purpose.

Originally Robocopy was published in the Windows Resource Kit, which you can download here.

Robocopy is now included as standard in Windows Vista and Windows Server 2008.

Robocopy is a command-line tool. To perform a file synchronization between storage location A and B the following command can be used:

"C:\Program Files\Windows Resource Kits\Tools\robocopy.exe" \\storagelocationA \\storagelocationB /SEC /B /E /R:3 /v /LOG+:c:\robocopylog.txt

In this example the following options are used:

  • /SEC copy files with their security settings (NTFS ACLs)
  • /B copy files in backup mode
  • /E copy subdirectories, including empty ones
  • /R:n retry the copy n times when a file cannot be copied, for example because it is in use, and skip the file if it still fails
  • /LOG+:logfile output status to the specified log file (append to the existing log)