CA Migration

I’ve recently migrated my 2003 DC’s CA to a non-dc 2008r2 server. Everything went surprisingly well. It’s pretty easy. Folow MS’s directions which are basically, backup the CA Database from the MMC, backup the registry. Remove the CA. Install the CA. Restore the database. Fiddle around a bit.

 

The only issue I had is the CRL. THe old crl was at http://oldca and removing the CA role removes this website. Although the CRL is in AD, it won’t get updated by the new CA.  I found this fantastic article which helped immensely with sorting out the CRL. The http one won’t work, but the AD one is good enough (I hope). Just a few points on the article that I didn’t notice, its ldap:/// not ldap:// (three / ) so make sure you type it correctly! I think the whole path is case sensitive too. If “publish crl” is greyed out after you’ve entered the information, you’ve typed something wrong.

Asterisk Fun

I’ve spent the last half hour or so trying to fix my Cisco 7945 that;s on my desk at home. I’t s anice phone, colour display and cisco brick-like build quality. Howerver, I don’t think Cisco want it to work with asterisk. After much trialling and fiddling I have it registered (extensions nat=no) and making and receiving calls. Anyway, recently I’d noticed the MWI light not coming on when I had a message. Out going calls were ok, but it turns out that inbound weren’t. Not changed anything, other than wiping my router but I wasn’t forwarding ports anway so what could be the problem? Asterisk keept on logging ast_tcptls_client_start: Unable to connect SIP socket to xxx:port Connection timed out I pinged my ddns and indeed xxx was my ip, so why didn’t it work? Well after 30 minutes I realised that my phone was natting itself with the IP of my ddns as BT change it whenever I reboot my router. I’d neglected to add the DDN settings back to my router when I wiped it, so it complaining was entirely justified. Added the DDNS config in, restarted the phone and away I go

Yubikeys and Citrix Web Interface

I’ve had a look at using yubikeys with the xenapp 5 web interface recently to enhance the security of external access to our systems. I’ve installed a yubiradius server on our ESX infrastructure and have it validating users correctly. The only issue is the odd way that the server handles passcodes. Sending simply the passcode on it’s own won’t work. Yubiradius will be unable to parse the key, as it attempts to split the string int “password” and “yubikey”. Now, as far as I can tell nothing happens to the actual password field. I’ve been logging on with my user name, password and in the passcode box I can enter any rubbish followed by the yubikey OTP. The server then parses this correctly and everything seems to be ok. So, in order that users don’t ahve to enter some rubbish before the OTP, I’ve written a short bit of java to prepend some rubbish to the passcode box and then sending the form.

You’ll need to find “login.js” on the server and add the following somewhere. The document.get element should be on a single line. Wrapped for readbility
function mangle()
{
document.getElementById("passcode").value=
document.getElementById("password").value+
document.getElementById("passcode").value;
}

Find the function “function setup_login_submit_keys()” and edit it so that it looks like this:
if (keynum == 13) { // enter key
mangle()
submitForm();
return false;
}

This should work. As the yubikey has an “enter” at the end of it, then this will run the manglescript when the form is submitted with enter. It doesn’t do anything clever. It jsut adds the entered password before the yubikey OTP is sent. Seems to work fine for me.

Enjoy!