Write Conflict

Aaron Croasmun is a epic level contributor to the Service Manager forums, and he’s helped me personally out on several occasions.

Now, much like Prometheus (the allegory, not the terrible film), he has gifted for us something that will change the very nature of humanity. Ok, well, just the people who use service manager anyways.

Aaron has single-handedly solved the “This item cannot be updated because it has been changed by another user or process” write conflict error.

<pause for the shocked murmur of disbelief in the audience to die down>

Anyone who wishes to leave now and secure a copy from Technet Galleries may be excused. (more…)


ADFS CNG Certificates

For those of you that deal with Active Directory Federation Services regularly, you’re probably aware that ADFS does not now and has not ever supported Cryptography Next Generation (CNG) certificates. ADFS 3.0 is EXCEPTIONALLY sensitive about this, and won’t even install if any of the certificate you are using are using CNG keys, and you’ll end up with the following lovely error:

Install-AdfsFarm : The certificate with the specified thumbprint <REDACTED>; has a Cryptography
Next Generation (CNG) private key. The certificates with the CNG private key are not supported. Use a
certificate based on a key pair generated by a legacy Cryptographic Service Provider.
At line:1 char:1
+ Install-AdfsFarm `
+ ~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Install-AdfsFarm], DisplayableArgumentException
+ FullyQualifiedErrorId : PrerequisiteTest,Microsoft.IdentityServer.Deployment.Commands.InstallFarmCommand


Running LAPS around local admin credentials

In case you didn’t hear about it, Microsoft released a new tool for management of the Local Administrator passwords for domain joined machines, Local Administrator Password Solution (LAPS) (Support KB, Download page).

This solution is configured via GPO, and causes EACH MACHINE to check the local admin account’s password expiration, and if it’s expired the machine will randomize its own password, and then store the new password in AD! Quoted from the Technet release page:

LAPS stores the password for each computer’s local administrator account in Active Directory, in a confidential attribute in the computer’s corresponding Active Directory object. The computer is allowed to update its own password data in Active Directory, and domain administrators can grant read access to authorized users or groups, such as workstation helpdesk administrators.

After years of telling us to simply disable the local admin account, and pretending domain trust failures didn’t happen, they’ve finally bit the bullet and are now offering a way to simply and easily automate local admin password management. In a single stroke, this solves three or four major security risks for domain joined machines, and automatically handles the largest source of panic admin credentials, the management of which is normally a giant manual hassle for IT departments.

MS seems to be keeping this quiet. I heard about it from the SANS Internet Storm Center Daily Stormcast podcast this morning, who apparently found it 4 days after release by trolling new articles in the Microsoft Security TechCenter.

Windows HTTP.Sys vulnerability, “Heartbleed for windows”

If you are not aware, the SANS Internet Storm Center took the unusual step yesterday to raise the internet threat level from Green to Yellow in response to the Windows HTTP service vulnerability (https://isc.sans.edu/forums/diary/MS15034+HTTPsys+IIS+DoS+And+Possible+Remote+Code+Execution+PATCH+NOW/19583/, or https://technet.microsoft.com/library/security/MS15-034 edit: fixed link to point to the correct vuln).

This vulnerability was originally published as a denial of service request; it can be used to blue screen servers with a single request. however, since it was released, it’s been discovered that this vulnerability can be used to read kernel memory, and suspicion is mounting that this could be used to exploit a server remotely with a well-crafted series of requests. Denial of service attacks ARE HAPPENING IN THE WILD RIGHT NOW.

The vulnerable component is part of the kernel library for processing HTTP request. this library is used for IIS and lots of other windows based services, for example, Exchange, Lync, and ADFS all rely on IIS for this behavior. Even some clients apps use this library for http communications.

“Heartbleed for windows” is a rough analogy, but probably more accurate than not.

This is a good opportunity to talk to your clients; First to make sure they are aware and reacting to this critical vulnerability, and if they need any help getting their security feet under them, and Second to talk about planning for the general case with patch management over the long term so this type of issue doesn’t take them by surprise in the future.

MP Variables and MP References

Another forum thread documentation post.

Why are the expansion strings were not replaced in notification templates? In the context of the post, it became clear that the poster had copied the strings from one notification template stored in one of the default MPs into a new notification template stored in a custom MP. Why wouldn’t this work? it’s just computer code things that the system will interpret, why should it care where it is?

Well, let’s start with a breakdown of those strings. they’re actually OMSDK variables that are replaced at run-time with data from the system. to break it down (spaces replaced by BR for readability) :

  • $ starts and ends a variable. It’s primarily a delimiter for the variable engine but is also used to surrounding meta-properties (i.e. the internal ID can be directly referenced as $ID$) and possibly some other use cases.
  • Context is one of the keywords that control the behavior of the variable. Service Manager is based on the OMSDK, which means the Ops Manager variables (Other Reference) (Yet Again) are the basis for these. Context is new for service manager, and is largely undocumented, but in most situations can be read as the root element of the projection that is the data context of the reference.
    For a form, the forms data context is a projection, referred to as the form’s projection target.
    For a notification template, it’s the projection that is the target of the notification template.
  • Path[] means we are going down the projections path. This allows us to look at related objects in the projection, rather the just the root element.
    • Relationship modifies path by specifying which relationship to follow in the brackets with the Relationship element. This needs to be an MP Reference. more on that later.
    • SeedRole modifies path by setting which side of the relationship the starting objects is on, in this case, the “context” is the source of the relationship, rather then the target.
    • TypeConstraint filters path based on what’s on the other side of the relationship. Yet another MP Reference; this will be important later. In this case, it must be a user.
  • Property[] means we’re reading data from a property of this user, as opposed to pathing down another relationship.
    • Type modifies property by controlling which class definition to get the property set from. Each side of a relationship is defined as a specific class, but any class that inherits from that can also be related. i.e. the most common user class is Microsoft.AD.User, which inherits through a lineage of classes.
  • The last entry is the property name to get data from, i.e. the FirstName property. this needs to be the internal name of the property, not the display string. The internal name is always in American English, because Microsoft and most of it’s programmers are in Redmond, WA. internal names will also have no spaces or special characters, because those might break the surrounding code. Imagine if the internal name of a property contained >, ], or “, characters typically used to end references.

So why do I keep babbling on about MP References? Well MP references consist of two parts, separated with an Exclamation mark (!). The bit to the right is the name of the element and is required. the bit to the left is the Management Pack Alias, and is omitted, along with the bang for elements in the local MP.

The particularly swift (or well informed) reader will already notice that the MP Alias definition isn’t in the code of the notification template. it’s local to the MP, not a global object, and it’s stored at the top of the management pack. It should be clear why copying a notification template using the UI will fail if you store the new one in a different MP; ‘Workitem!System.WorkItemAffectedUser’ is only valid if the MP alias ‘Workitem’ already exists in the new MP, and points to the MP that contains the element ‘System.WorkItemAffectedUser’ that defines a relationship.

But wait, why does reinserting the sometimes fix the issue? well the insert button is looking for existing MP Aliases, and adding new MP aliases behind the scenes if it can’t find an existing one, but the aliases the console throws in are not always the same as the aliases you want. The console created alias will often look like “Alias_150d3d58_e565_44f1_90da_c4f4181416f9” not “workitem”.

So where do those American English human readable alias in  names come from? Human American English Programmers.

On Variable names

So Brody, a college of mine, wrote a script to pull the entire history of a work item and all related work items. Those of you who do auditing in service manager, your ears are probably burning right now. This is an incredibly useful feature in the relational object data model that service manager implements. The ability to see, at a glance, all of the edits to a combination work item (like a change request and all of it’s component activities) is SUPER VALUABLE. He asked me to look over the script before he published it.

To paraphrase Joss Whedon; I am very smart. So when I say Brody is almost 10 years my junior, and he has a deeper grasp of the database and low level functionality of Ops Manager and Service Manager then I could hope to develop given those 10 years over again, I want you to take my full meaning.

Next is the bit where I start dumping on him.

The script he sent over was terrible. oh, It worked perfectly and functioned like a charm! but I couldn’t tell you why or how. It’s full of code segments like this:

  $item1 = New-Object PSObject
  $item1 | Add-member -type NoteProperty -Name 'Property' -Value $oldRel.Name
  $item1 | Add-member -type NoteProperty -Name 'OldValueorRemove' -Value $OldObject
  $item1 | Add-member -type NoteProperty -Name 'NewValueorAdd' -Value $NewObject
  $Propa += $item1
  $item1 = $null

There is no way I could tell you what the objective of this code block is. It LOOKS like he’s building a custom PowerShell object, and inserting several key-value pairs, but why this array of members instead of a Hash Table? what does $Item1 mean? If you saw that somewhere else in the code, would you be able to tell what was supposed to be in that variable?  what about $PropA and what’s it’s data type? why are we building this array of custom object anyways?

Code is a language; a way of representing a set of ideas and communicating them. Computer code is a dual purpose language: Your source needs to communicate it’s intent to both the compiler/interpreter/machine, and to other programmers who need to understand, maintain and modify it.

The machine may have no problem understanding the purpose and difference for the variables named $H and $HH, but I can’t. Without that understanding, I can make no comment on if they’re being used effectively, correctly, or meaningfully.

The following two code segments are functionally identical:

  $a |% { if ($_.P) {$b+=$_ }}
  # this takes an input array, looks at each item
  # verifies it has a property Printable that is true
  # and then adds it to the output
  Foreach ($Element in $InputArray) {
    If ($Element.Printable -eq $True) {

But it should be clear which is preferred, and why.

Yes, I know, I use Egyptian brackets. I’m bad. it’s an old habit I developed programming in original basic in high school, where IF statements were declared with English-ish keywords, rather then proper brackets, so i just got used to the condition being on the same line as the code block.

Dependancy Inversion in Service Delivery

My college over in Application Development published a blog post on the corporate blog on the Dependency Inversion Principle, and the benefit of applying this to API contracts. I do a lot of work in System Center Service Manager, which is unsurprising to anyone who has seen this blog, and this post got me thinking about the social contract between service desks and the user base.