Kerberos authentication and delegation: ServicePrincipalNames

My Hosting Blog

NOTE: while I’m still keeping the current posts live as they still seem to help, currently my focus has changed and new activity moved to the new site iternia.be

SPNs

One of the errors that often recurs when deploying a service is Kerberos authentication failing when another system depends on your service. Dependent users or services try to log on to your service but are not allowed to access it. This is not a problem with the end user but with the rights of the service account under which the service itself is running. The service account doesn’t have the right to delegate access or impersonate the end user. About 9 times out of 10 this is caused by improper Kerberos rights due to a faulty SPN (or ServicePrincipalName) configuration, and sometimes by the delegation settings on the service account.

First let’s take a look at how…


The Hippocratic oath that programmers should make

I swear to fulfil, to the best of my ability and judgement, this covenant:

I will respect the hard-won scientific gains of those programmers in whose steps I walk, and gladly share such knowledge as is mine with those who are to follow.

I will apply, for the benefit of the users, all measures that are required, avoiding those twin traps of time and cost.

I will remember that there is art to software as well as science, and that warmth, sympathy, and understanding may outweigh the programming toolsets or coding standards.

I will not be ashamed to say “I know not,” nor will I fail to call in my colleagues when the skills of another are needed for a project’s success.

I will respect the privacy of my users, for their problems are not disclosed to me that the world may know. Most especially must I tread with care in matters of life and death. If it is given me to save a life, all thanks. But it may also be within my power to take a life; this awesome responsibility must be faced with great humbleness and awareness of my own frailty. Above all, I must not play at God.

Project Management is difficult – like running a ship

Under what circumstances, if any, can adding team members to a software development project that is running late result in a reduction in the actual ship date with a level of quality equal to that if the existing team were allowed to work until completion?

There are a number of things that I think are necessary, but not sufficient, for this to occur (in no particular order):

  • The proposed individuals to be added to the project must have:
    • At least a reasonable understanding of the problem domain of the project
    • Be proficient in the language of the project and the specific technologies that they would use for the tasks they would be given
    • Their proficiency must /not/ be much less or much greater than the weakest or strongest existing member respectively. Weak members will drain your existing staff with tertiary problems while a new person who is too strong will disrupt the team with how everything they have done and are doing is wrong.
    • Have good communication skills
    • Be highly motivated (e.g. be able to work independently without prodding)
  • The existing team members must have:
    • Excellent communication skills
    • Excellent time management skills
  • The project lead/management must have:
    • Good prioritization and resource allocation abilities
    • A high level of respect from the existing team members
    • Excellent communication skills
  • The project must have:
    • A good, completed, and documented software design specification
    • Good documentation of things already implemented
    • A modular design to allow clear chunks of responsibility to be carved out
    • Sufficient automated processes for quality assurance for the required defect level (these might include such things as unit tests, regression tests, automated build deployments, etc.)
    • A bug/feature tracking system that is currently in-place and in-use by the team (e.g. trac, SourceForge, FogBugz, etc).

One of the first things that should be discussed is whether the ship date can be slipped, whether features can be cut, and whether some combination of the two will allow you to make the release with your existing staff. Many times it’s a couple of features that are really hogging the resources of the team and that won’t deliver value equal to the investment. So give your project’s priorities a serious review before anything else.

If the outcome of the above paragraph isn’t sufficient, then visit the list above. If you caught the schedule slip early, the addition of the right team members at the right time may save the release. Unfortunately, the closer you get to your expected ship date, the more things can go wrong with adding people. At one point, you’ll cross the “point of no return” where no amount of change (other than shipping the current development branch) can save your release.

I could go on and on but I think I hit the major points. Outside of the project and in terms of your career, the company’s future success, etc., one of the things that you should definitely do is figure out why you were late, whether anything could have been done to alert you earlier, and what measures you need to take to prevent it in the future. A late project usually occurs because you either:

  • were late before you started (more stuff than time) and/or
  • slipped 1 hr, 1 day at a time.

Hope that helps!


Content Security Policy (CSP) for ASP.NET MVC

This series of blog posts goes through the additions made to the default ASP.NET MVC template to build the ASP.NET MVC Boilerplate project template. You can create a new project using this template by installing the Visual Studio template extension or visit the GitHub site to view the source code.

What is CSP?

For a true in-depth look into CSP, I highly recommend reading Mozilla‘s documentation on the subject. It really is the best resource on the web. I will assume that you’ve read the documentation and will be going through a few examples below.

Content Security Policy or CSP is a great new HTTP header that controls where a web browser is allowed to load content from and the type of content it is allowed to load. It uses a white-list of allowed content and blocks anything not in the allowed list. It gives us very fine-grained control and allows us to run our site in a sandbox in the user’s browser.

CSP is all about adding an extra layer of security to your site using a Defence in Depth strategy.

The idea behind the defense in depth approach is to defend a system against any particular attack using several independent methods

It helps detect and mitigate Cross Site Scripting (XSS) and various data injection attacks, such as SQL Injection.

OWASP 2017 Update

After the long-winding road of discussion and deliberation, revision, disagreements and adjustments, the Open Web Application Security Project (OWASP) are updating their venerable Top 10 list of the most critical web application security risks since 2013. This update brings with it three new entries to the list, based on data OWASP collected and analyzed. Here’s all you need to know about OWASP Top 10 2017.

OWASP_Top_10-2017_(en).pdf


Ten Commandments for Stress Free Programming

  1. Thou shalt not worry about bugs. Bugs in your software are actually special features.
  2. Thou shalt not fix abort conditions. Your user has a better chance of winning the state lottery than getting the same abort again.
  3. Thou shalt not handle errors. Error handling was meant for error-prone people; neither you nor your users are error prone.
  4. Thou shalt not restrict users. Don’t do any editing, let the user input anything, anywhere, anytime. That is being very user friendly.
  5. Thou shalt not optimize. Your users are very thankful to get the information; they don’t worry about speed and efficiency.
  6. Thou shalt not provide help. If your users cannot figure out themselves how to use your software, then they are too dumb to deserve the benefits of your software anyway.
  7. Thou shalt not document. Documentation only comes in handy for making future modifications. You made the software perfect the first time; it will never need modifications.
  8. Thou shalt not hurry. Only the cute and the mighty should get the program by deadline.
  9. Thou shalt not revise. Your interpretation of specs was right; you know the users’ requirements better than them.
  10. Thou shalt not share. If other programmers needed some of your code, they should have written it themselves.