How to upgrade Microsoft UAG 2010 SP1 to SP2

November 6, 2012 ~ Anton Khitrenovich ~ Leave a comment

How do you upgrade from UAG 2010 SP1 to UAG 2010 SP2? Well, it appears that such upgrade is not as trivial as expected.

First, Microsoft UAG is based on another Microsoft product – Microsoft TMG, – which has to be upgraded separately. Besides that, there is no direct upgrade package for the UAG itself. Thus, the correct upgrade path would be as follows: UAG SP1 => UAG SP1 Update 1 => TMG SP2 => UAG SP2. Of course, the whole process is documented in TechNet – but you have to be aware about this upgrade path first…

There is another caveat in this upgrade. In case you have some UAG trunks configured (and I assume you have some, since what do you need UAG for otherwise?), you have to active UAG configuration after each step in the upgrade process, otherwise you’ll end up without configured trunks – they will disappear silently during the process. Thanks to TechNet forums for solving this one for me!

How to configure multiple EAIs with different authentication levels in WebSEAL

June 28, 2012April 3, 2013 ~ Anton Khitrenovich ~ Leave a comment

A week ago I had to investigate whether it is possible to configure multiple EAIs in WebSEAL, when each one provides different authentication level. While configuration of several EAIs is pretty simple – all that you need is one trigger URL per EAI, and this is perfectly supported – placing each one of the on the own authentication level does not look trivial. The definition of authentication level per authentication method in WebSEAL is implicit, by the order of the authentication methods in the list.

For example, the list below defines password authentication to be level 1 and EAI to be level 2:

[authentication-levels]
level = unauthenticated
level = password
level = ext-auth-interface

But how do you define EAI to act as both first and second method? Well, simple – but not so intuitive:

[authentication-levels]
level = unauthenticated
level = ext-auth-interface
level = ext-auth-interface

Note that here EAI is mentioned twice – both as a first and as a second authentication level!

Additional missing piece of the puzzle is to tell WebSEAL which one of your EAIs represents each authentication level. This is solved via special “am-eai-auth-level” HTTP header from your EAI back to WebSEAL upon successful authentication, in the same way you send the username:

HTTP/1.1 200 OK
Date: Thu, 28 Jun 2012 12:00:00 GMT
am-eai-user-id: john
am-eai-auth-level: 2
Content-Type: text/plain
Content-Length: ........

Now you have to check with EAI should be invoked when the user comes to the login page. This information is available to your login page via %AUTHNLEVEL% macro. The processing can be easily done via JavaScript on the static logic or using server-side processing when LRR is enabled.

How to install RDP 6.1 on Windows Server 2003

March 7, 2012November 13, 2012 ~ Anton Khitrenovich ~ 11 Comments

Microsoft RDP client (aka “Remote Desktop Connection” or “Terminal Services Client”) allows you to connect from your Windows station to other Windows servers. Version 6.1 was released in 2008 and nowadays many popular tools (such as mRemoteNG) state it as a requirement. Unfortunately, this version is available for Windows XP/Vista and Windows Server 2008, but not for Windows Server 2003.

So, how can you install RDP client 6.1 on Windows Server 2003?

It appears that in March 2011 Microsoft released security update for RDP client 6.0 and 6.1 – which can be installed on Windows Server, since the original RDP client 6.0 is supported there. Now, pay attention to this note in the “more information” section:

Bottom line? Take the official RDP client 6.0, download KB 2481109 for Windows Server 2003 (the security update mentioned above) – and you are ready to run with RDP client 6.1 on your Windows Server 2003!

Initial Tuning of MediaWiki Installation

February 4, 2012 ~ Anton Khitrenovich ~ Leave a comment

Just found another old notes on the initial tuning of MediaWiki installation. Note sure if they are outdated or not, but maybe somebody will find them useful. The notes are not really detailed, so some minimal technical understanding of MediaWiki software is required.

Permissions

Disable self-registration and anonymous editing:

$wgGroupPermissions['*']['createaccount'] = false;
$wgGroupPermissions['*']['edit'] = false;

Appearance

Change the name of the site (shown in browser window title):

$wgSitename = "My private Wiki";

Change the main page:

Go to “MediaWiki:Mainpage” page
Click on “Create” or “Edit” tab
Enter the name of new main page
Save changes

Files Upload

Change allowed upload types:

$wgFileExtensions[] = 'zip';

Icons for file types are located under skins/common/images/icons directory.

Site Name in OpenSearch Box

To edit site name that is displayed in search boxes of popular browsers:

Go to “Special:Allmessages” page
Find opensearch-desc message
Click on the message name
On the edit page, set the new message text
Save the page

For non-US people: How to Avoid Wikipedia Blackout

January 18, 2012 ~ Anton Khitrenovich ~ Leave a comment

For all non-US people, that have no U.S.Congress representative to contact about SOPA and PIPA – here is the simple recipe to avoid the blackout.

First of all, you need Google Chrome with AdBlock extension. Now, open the AdBlock options, go to the Customize tab, click on ‘Edit’ button and add the following two lines to the filters:

http://meta.wikimedia.org/w/index.php?title=Special:BannerLoader&banner=blackout* http://upload.wikimedia.org/wikipedia/commons/9/98/WP_SOPA_Splash_Full.jpg

Don’t forget to click ‘Save’ and enjoy the Wikipedia again!