Tutorial: Installing SSL in IIS on Windows Server 2008

I'm surprised at the changes I'm still discovering in IIS 7.5 in Windows Server 2008. I've managed quite a few Windows Server 2003 boxes over the years, and now I'm exclusively on 2008 boxes. One of the recent surprises I ran into was just how different it is to set up SSL on a hosted site in IIS 7.5. This was not exactly a simple task on previous versions of IIS, but it had become comfortable if only by rote.

Getting close is intuitive enough -- open up Internet Information Services (IIS) Manager, and click on the site you want to work on. You should see an SSL settings icon, but if you click on it, you'll get a surprising message:

"The site does not have a secure binding (HTTPS) and cannot accept SSL connections."

While this seems like an annoyance, it's actually a very powerful addition to the functionality that can be hosted from IIS. You want to handle FTP? Add an FTP binding and a managed assembly. Your own proprietary protocol? Go for it!

Back to the issue at hand: how to enable a secure binding for a website. All you need to do is right-click the site to edit, and choose "Edit Bindings". From here, choose "Add", select "HTTPS" from the list, assign it to the IPs du jour, and pick your certificate. I won't get into certificate generation / purchasing in this article, but there's a self-signed one installed by default that can be used provided a browser warning is not too intrusive for your purposes.

Keep in mind that for a client-facing site, you should always have a legitimate signed certificate to maintain a professional atmosphere.

Once this is done, you can optionally go back to the SSL settings, and force a site to only function over SSL if that's your ideal scenario.

Your site should now be functioning over SSL.
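The same steps can be scripted, which helps when several sites need the same treatment. This is an added example, not code from the original post: it uses the Microsoft.Web.Administration API that ships with IIS 7.x, and the site name and certificate thumbprint are placeholders to replace. It assumes an elevated process on the web server.

```csharp
using System;
using System.Security.Cryptography.X509Certificates;
using Microsoft.Web.Administration; // %windir%\System32\inetsrv\Microsoft.Web.Administration.dll

public static class EnableHttpsBinding
{
    // Assumptions for this example: placeholders, not values from the post.
    const string SiteName = "Default Web Site";
    const string Thumbprint = "<CERTIFICATE-THUMBPRINT>";
    const bool RequireSsl = true; // the optional "SSL Settings" step

    // Finds the certificate in the machine's Personal store, where IIS looks for it.
    static X509Certificate2 FindCertificate(string thumbprint)
    {
        var store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            // validOnly is false so that a self-signed certificate is also found.
            var hits = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
            if (hits.Count == 0)
                throw new InvalidOperationException("No certificate with that thumbprint in LocalMachine\\My.");
            if (!hits[0].HasPrivateKey)
                throw new InvalidOperationException("Certificate has no private key; IIS cannot serve it.");
            return hits[0];
        }
        finally { store.Close(); }
    }

    static bool HasHttpsBinding(Site site)
    {
        foreach (Binding b in site.Bindings)
            if (string.Equals(b.Protocol, "https", StringComparison.OrdinalIgnoreCase))
                return true;
        return false;
    }

    public static void Main()
    {
        X509Certificate2 cert = FindCertificate(Thumbprint);
        using (var manager = new ServerManager())
        {
            Site site = manager.Sites[SiteName];
            if (site == null)
                throw new InvalidOperationException("Site not found: " + SiteName);

            // "Edit Bindings" > "Add" > HTTPS: all IPs, port 443, no host header.
            if (!HasHttpsBinding(site))
                site.Bindings.Add("*:443:", cert.GetCertHash(), "MY");

            if (RequireSsl)
            {
                // Forces the site to answer over SSL only (the SSL Settings page).
                Configuration config = manager.GetApplicationHostConfiguration();
                ConfigurationSection access =
                    config.GetSection("system.webServer/security/access", SiteName);
                access["sslFlags"] = "Ssl";
            }
            manager.CommitChanges();
        }
    }
}
```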

Posted on 8/16/2010 8:05:00 PM by Jason Nadal

Categories: security | windows | iis

Predictive Analytics -- Data Mining

After some frenetic development at my new position, I've had the opportunity to try out some new technology (read that as 'new to me', rather than new in general): Sql Server 2008 Data Mining. I'll be sharing quite a lot of perspective on this in upcoming posts, with some practical examples where possible.

One thing that's surprised me so far is how small the community seems to be around this. It doesn't seem to be very well publicized, even within Sql circles. Most of the documentation that's out there is from members of the Sql Server development team at Microsoft that have come up with the server implementation.

After having some hands on, there's plenty to love and quite a bit of frustration, however I believe ultimately that most developers and information workers will find a great deal of value in this little-hyped tool.

Here's some trivia that gives you a picture about what it takes to learn how to effectively use this:

1) Data Mining is tightly integrated as a part of SSAS -- Sql Server Analysis Server (with all that goes with that -- Windows Auth only included)

2) Data Mining queries (predictions) are done using DMX queries (not to be confused with MDX queries for cubes, although you can blend a statement with a DMX query and an MDX subselect)

3) Data Mining started out as an ODBC set of extensions  -- literally Data Mining eXtensions for ODBC (aka DMX)

4) Mining Models and Structures are stored under the covers as cube-ish metadata. Don't believe me? Check out the tooling, and note how attributes are made... there's a lot of similarities there.

5) The Data Mining add-on for office is really something that should be exploited -- essentially making an on-the-fly cube based on a table in excel, and then having the ability to create live trending forecasts / clustering / market basket associations? Sign me up!

6) The tooling is inconsistent, depending on the type of data you're working with. If you predict nested details, you lose some tooling functionality; if you only predict master-level fields, you lose other functionality. 

7) Although the technology has been out since at least Sql Server 2000, the adoption rate looks low, or people aren't sharing their learned lessons with the community at large. I've gathered the blog feeds I've found so far here: http://www.google.com/reader/bundle/user%2F09775912853343203303%2Fbundle%2FSqlServerDataMining

8) This book is invaluable -- there's learned lessons and documentation here that can't even be found in the Books Online documentation in Sql Server. Data Mining with Microsoft Sql Server 2008 by Jamie McLennan, ZhaoHui Tang, and Bogdan Crivat.

 

Posted on 8/11/2010 7:55:00 PM by Jason Nadal

Categories: dmx | DataMining

Test mobile entry

Test cell phone entry

Posted on 8/2/2010 5:56:51 PM by Jason Nadal


Fixing Home Server VM Restore for Win7

I've been trying to restore my development virtual machine in order to test out some apps, and found out the vmware image must have gotten corrupted. So Windows Home Server backs up all my machines, but in this case wouldn't restore all that well -- yielding a no-boot scenario. So after replacing the Home Server Restore disk with the Windows 7 install disk and booting, I expected to just adjust the boot partition location in BOOT.INI, but was surprised to see that had been done away with.

In its place is a new command line tool "BOOTREC", but there are requirements on it actually being able to poll the active drive partitions ("active" being the key here).

This link shows how to fix the boot partition for Windows 7. Notice the difference between the legacy use of the hidden, system, readonly BOOT.INI with a command line app.

 http://social.technet.microsoft.com/Forums/en/w7itproinstall/thread/7791044e-db7f-4144-a96c-945299811f58

Now for me, the initial bootrec command wouldn't let me rebuild the boot configuration, instead giving an "element not found" error. Instead, the DISKPART instructions in the post about setting the active disk partition allowed me to get to a BOOTMGR not found error.

Now Kevon Walcott's solution didn't work on its own for me, but was the first step:

 

Diskpart

LIST DISK

SELECT DISK (followed by the number of the disk . most likely 0)

LIST PARTITION

SELECT PARTITION (followed by your partition number. most likely 0)

ACTIVE

EXIT

Second step was from Vivian Xing [MSFT], and rebuilt the boot config for the drive itself and the boot list:

 

Bcdboot C:\windows

 

NOTE: Replace C with the drive letter where the system is installed.

 

BOOTREC /FIXMBR

BOOTREC /FIXBOOT

BOOTREC /REBUILDBCD

BOOTREC /SCANOS

 

Rebooting gave me a "BOOTMGR is missing" error. Bouncing the machine a 3rd time, and using the windows system recovery option to repair the installation at least let me try. However so far, the error "BOOTMGR is missing" is still present. So far, Win7: 1, Me:0.

 

Restarting the VM and again rebooting into windows system recovery gave me the message that the disk I was trying to repair with was not the right media for the installation (note: took a bit to realize the installation was Win7 Pro x64, and I had Win7 Ultimate media in the drive).

 

Putting the right media in this time, and now it's just saying Windows. Use the command prompt, bcdboot c:\windows AGAIN, and choose startup repair again. More repeated failures, and another restore from home server -- this time adjusting the partitions in Disk Manager in the restore window.

 

 

Posted on 6/10/2010 9:52:00 PM by Jason Nadal

Categories: personal | troubleshooting | virtualization | windows

Membership Providers and Password Hashing -- be careful!

While recreating some boilerplate code that winds up getting created for every set of apps -- including a membership provider, roles provider, etc, I initially went right for setting hashAlgorithmType based right on the enum.

More info about membership properties here.

This enum only gives three values -- MD5, SHA1, and None. The problem here is that both of those algorithms have been proven broken for some time (hopefully ASP.NET 4.0 will resolve this!). The answer of course is to use something with a little more difficulty to it... say by using SHA512Managed() and a salt. This is just another one of those times when setting values to canned possibles can be a dangerous move. This is especially true with authentication / encryption.
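As an added example (not code from the original post), here is salted SHA-512 hashing with SHA512Managed as described above, plus a fixed-time comparison for verification. The PBKDF2 function goes one step beyond the post: Rfc2898DeriveBytes repeats the hash many times so that each guess is slower. Class and method names, the salt size and the iteration count are assumptions, and the code assumes .NET Framework 4.0 or later.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

public static class PasswordHashing
{
    const int SaltBytes = 16;       // assumption: 128-bit random salt per user
    const int Iterations = 100000;  // assumption: tune to your hardware
    const int DerivedBytes = 32;    // length of the PBKDF2 output to store

    // A fresh random salt for every password; store it next to the hash.
    public static byte[] NewSalt()
    {
        var salt = new byte[SaltBytes];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(salt);
        return salt;
    }

    // What the post suggests: SHA-512 over salt || password.
    public static byte[] SaltedSha512(string password, byte[] salt)
    {
        byte[] pw = Encoding.UTF8.GetBytes(password);
        var input = new byte[salt.Length + pw.Length];
        Buffer.BlockCopy(salt, 0, input, 0, salt.Length);
        Buffer.BlockCopy(pw, 0, input, salt.Length, pw.Length);
        using (var sha = new SHA512Managed())
            return sha.ComputeHash(input);
    }

    // Beyond the post: PBKDF2 (HMAC-SHA1 in this constructor) iterates the
    // hash so that every password guess costs Iterations rounds.
    public static byte[] Pbkdf2(string password, byte[] salt)
    {
        using (var kdf = new Rfc2898DeriveBytes(password, salt, Iterations))
            return kdf.GetBytes(DerivedBytes);
    }

    // Compares two hashes without stopping at the first differing byte.
    public static bool FixedTimeEquals(byte[] a, byte[] b)
    {
        if (a == null || b == null || a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static void Main()
    {
        // Constructed sample passwords, for illustration only.
        byte[] salt = NewSalt();
        byte[] stored = Pbkdf2("correct horse battery staple", salt);

        // Verification: recompute with the stored salt and compare.
        Console.WriteLine(FixedTimeEquals(stored, Pbkdf2("correct horse battery staple", salt)));
        Console.WriteLine(FixedTimeEquals(stored, Pbkdf2("wrong guess", salt)));

        // The same password under two salts gives two unrelated hashes.
        Console.WriteLine(FixedTimeEquals(SaltedSha512("hunter2", salt),
                                          SaltedSha512("hunter2", NewSalt())));
    }
}
```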

 

Posted on 4/8/2010 6:43:00 AM by Jason Nadal

Categories: asp.net | development | security

Exception Handling and Language Restriction in C#

In this post, by Eric Lippert, he goes through part 4 of his iterator block series. What's interesting in this post is the statement on how yield statements aren't allowed in "catch" blocks. The interesting part of the article is not just some of the mindset of proposing MSIL for how this could actually be accomplished, but really, the part of the post that matters most is here:

And really, what’s the usage case that motivates this situation in the first place? Do people really want to try something and then yield a bunch of results if it fails?

The crux of the argument is not at all that the feature is missing, but that the mindset of attempting to do so is abusing exceptions, and hurting the performance of the code you write. Exceptions should be exceptional situations. They should not occur during "normal" behavior (the so-called happy path). I believe Hunt & Thomas stated it best:

We believe that exceptions should rarely be used as part of a program's normal flow; exceptions should be reserved for unexpected events. Assume that an uncaught exception will terminate your program and ask yourself, "Will this code still run if I remove all the exception handlers?" If the answer is "no," then maybe exceptions are being used in nonexceptional circumstances.

To bring the point home, take a look at this information compiled by Roger Orr on how exceptions affect performance. Some examples should really stand out.

Jeff Atwood of Coding Horror (can't recommend his blog enough!) goes a step further, showing how knowledge of some internal .NET functions which rely on exception handling to provide their magic can indirectly degrade your performance as well.

Lippert's post was interesting, but I felt the case should be made more strongly to just give a second or third look on when exceptions are used.

Posted on 7/21/2009 8:00:00 AM by Jason Nadal

Categories: codeQuality | development

A Note on Password Security for Mesh Sites

This is based off a somewhat dated blog post from Jeff Atwood over at Coding Horror.

He makes the great point that as web developers, by exposing users to certain things, we have the potential to make them comfortable with things that should raise alarms. One of these is to ask for another site’s credentials.

This is incredibly bad!

And yet.. if you’re on my actual web site (not the RSS feed), check out the little green box there on the left. See that link? “Google login”? That provides a way to log into my site (or parts of it) as a Google account. I don’t do anything crazy with it, in fact it just pops up a window to their login gateway, but the certificate is not prevalent in the browser window, and really, I could have done something similar and captured the password for a replay attack if I was unscrupulous.

As developers, we should be refusing to use non-integrated, remote login APIs. I say non-integrated, because safer methods like OpenID are in fact remote login APIs (distributed credential repositories).

Even if the quick & dirty APIs to pass credentials along aren’t phased by a lack of developers using them, if it’s a rarity to ask for another site’s password, it should be jarring to the user.

A user should not feel comfortable entering another site’s credentials in your site.

Posted on 5/15/2009 7:15:26 AM by Jason Nadal


A Foray into WPF : Conditional Data Binding with Graphics

I’ve decided to take a break from some of the more back-end concepts in my game refactoring for a bit, and concentrate for a bit on the front-end. As someone whose primary job function is to release an ASP.NET web application, writing code for Windows is both a significant challenge, as well as a breath of fresh air.

As Andrew Hunt puts it (paraphrased) in Pragmatic Programmer, you should learn outside your common comfort zone – he had stated it in the context of learning languages, but the same holds true for frameworks, and GUIs as well. Or even areas of application development … or even to systems deployment or administration. Each of these realms gives a unique perspective on how applications work in the wild.

But I digress.

To restate the application, it’s a game, whose primary surface is a game Grid ( a two dimensional representation of tiles). The tiles on the Grid can be one of N options, each represented by a different graphical tile. By writing a new WPF UI for the application, I needed to find out how to render the grid.

First things first … drop the Grid onto the XAML form and run, check. Row and Column definitions matching the dimensions of the game Grid object, check. Render a graphic for each cell, check (they’re all the same at this point). Conditionally bind a different color based on the content of the bound data…. uh? Here’s the problem. Upon research, I came across this great interface, called IValueConverter. This interface allows you to map one of your values to another value.

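using System;
using System.Globalization;
using System.Windows.Data;

// One-way converter: maps a bound Cell to the color string used for the Ellipse fill.
public class CellValueToColorConverter : IValueConverter
{
  public object Convert(object value, Type targetType, object parameter, CultureInfo culture)
  {
    // 'value' is the bound Cell; the cast yields null if the binding supplies anything else.
    var cell = value as Cell;

    // CellValueToColorString (not shown) returns a color string based on cell.CellValue.
    return CellValueToColorString(cell);
  }

  // The binding is one-way, so converting a color back to a Cell is not implemented.
  public object ConvertBack(object value, Type targetType, object parameter, CultureInfo culture)
  {
    throw new NotImplementedException();
  }
}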

So that allows us to do a one-way conversion from a cell value to a color (take it for granted there’s another method in there that takes cell, and returns a string color based on cell.CellValue).

So how do we actually do the conditional work in XAML then, you may ask? Well, let’s jump right to some XAML and deconstruct a working example. Keep in mind the Ellipse objects representing each cell are created when the game’s Grid is redrawn.

<Window x:Class="SameBloxUIWinWpf.Window1"
    xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation"
    xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml"
    xmlns:local="clr-namespace:SameBloxUIWinWpf.Assets"
    Title="SameBlox" Height="400" Width="400">
    <Window.Resources>
        <local:CellValueToColorConverter x:Key="CellValueConverter"/>
        <Style x:Key="lifeStyle" TargetType="{x:Type Ellipse}">
            <Setter Property="Opacity" Value="0.75" />
            <Setter Property="Fill" Value="{Binding Path=Cell, Converter={StaticResource CellValueConverter}}" />              
        </Style>
    </Window.Resources>
    <DockPanel>
        <StackPanel DockPanel.Dock="Bottom"
                 Orientation="Horizontal"
                 HorizontalAlignment="Center" >
            <Label Height="33" Name="PotentialScore" Width="120" HorizontalAlignment="Left">0</Label>
            <Button x:Name="newGameButton" Margin="5" Click="newGameButton_Click">New Game</Button>            
            <Label Height="33" Name="Score" Width="120" HorizontalAlignment="Right" HorizontalContentAlignment="Right">0</Label>
        </StackPanel>        
        <Grid x:Name="GameGridControl" Background="Black" />
        
    </DockPanel>
</Window>

So above you can see the first interesting part in here is the declaration of a local resource object. CellValueToColorConverter (the class we created before) is given a name: CellValueConverter. Second, a style called “lifeStyle” is created, targeting our ellipses. From here, we’re setting the Fill property (color) to bind the Cell property of the Ellipse’s DataContext to the CellValueConverter! Now because we’re adding the Ellipses dynamically, there’s one more important code snippet, below.

ellipse.Style = Resources["lifeStyle"] as Style;

And that’s really all there is to it. I should mention there’s one other ‘trick’ I added for ease of calculation (& to help performance a bit), which was to store both the Cell object and the matching coordinate in the DataContext. Below you can see that Cell is one of the properties of that DataContext.

public class WinGridCellDataContext
{
    public GridCoordinate Location { get; set; }
    public Cell Cell { get; set; }
    
}

Posted on 5/13/2009 7:11:32 PM by Jason Nadal


BC Article on Student “Hacker”

While the initial allegations of this article are pretty sad (involving a student allegedly sending a potentially libelous email to a campus email distro list), the trail of evidence stated to lead authorities to their suspect is weak at best, and ludicrous at worst.

Some gems from the story:

  • “CS Major who is considered a master of the trade” (yet couldn’t mask a sent email? This is trivial for anyone who understands email)
  • “Two different operating systems to hide his illegal activities … the regular B.C. operating system and the other is a black screen with white font which he uses prompt commands on”. Wow. The college has their own OS? And a command prompt is used to hide?

It seems like after his stuff was seized, many pirated movies, software were found (there’s more incrimination in the article). From the looks of it, they were just looking for a reason to target this student – but this looks like a pretty weak case.

Posted on 5/13/2009 8:12:06 AM by Jason Nadal


Case Studies of Bad UI are Everywhere

I went out to dinner with friends last night, and got treated to a particularly bad example of UI design gone wild. Somehow this UI evolved over time.

 

So as you can see here, there’s a disaster of light switches. Some for fans and vents, others for lights. The best part is that there’s

  • another row of lights I couldn’t fit into this picture
  • actually another entire ‘panel’ in a different part of the restaurant! (smaller, though)

When looking at this from my perspective, the meaning is lost. The first thing that comes to mind is that there must be some better way to do this (an actual panel, perhaps?), second is that things must be rough when you just want to turn things on or off for one light.

We had to ask what the deal with the lights actually was – apparently it’s really rough to train people to close down at night, because some of the switches stay on, and some stay off.

The punch line of this is that they recently repainted. Apparently they’re half mislabeled now, as they didn’t spend too much effort worrying about putting the right cover plates back on the right switches.

How many times have you seen this in web UI design? This is a real world example of what a form with controls thrown everywhere would look like. It seems ridiculous when we see it on a wall, and it should seem just as ridiculous when we make a webform that just throws 23+ controls at you and says “have fun”.

So what could be done to actually fix this design? Here’s some potential solutions:

  • Group like-switches together. Perhaps “bar lights”, “main seating lights”, “main seating fans” etc.
  • Group switches by context together. Typically we turn this set of lights on at the same time – group those.
  • “Complex” switch – a master programmable control panel (this seems expensive, and a design cop-out to me)
  • Hide them. This is the interesting one. Right now, this is exposed to all of the customers, even those who don’t need to be made aware of the complexity. I wonder what brand psychologists would say about the subtle hints given off by having this in a dining room – it certainly wouldn’t make you feel like a tight ship was being run. If the complexity is a must (again, that should be a last resort), then only show it to those who must interact with it. Perhaps the closer touches the master panel, and the average wait staff only works with the “simple” panel.

One last point – if you see that much mess out front, imagine what’s going on behind the scenes. Behind every light switch should be a box that encases the electrical wiring behind the drywall – this is usually slightly larger than the switch itself. Imagine where all the boxes would fit in the above picture – there’s not much room for the wall at that point… and there must be just a mess of wiring in the wall.

Bad UI can expose your code smell to the client. This is the worst – it’s bad enough if your code is riddled with flaws and is an unmaintainable mess, but the client should not have to have that made visible to them!

Posted on 5/9/2009 9:29:00 AM by Jason Nadal

Categories: ui | design