Author Archive | jbmurphy

Error: Request for the permission of type System.Web.AspNetHostingPermission failed

Every so often I have to go into some historical code to try and see what is happening. And every time I make the same mistake: I try to debug the code off my mapped user drive (I do everything in my user drive, which is on a network share). And every time, I get the same error:

Security Exception
Description: The application attempted to perform an operation not allowed by the security policy.  To grant this application the required permission please contact your system administrator or change the application's trust level in the configuration file.

Exception Details: System.Security.SecurityException: Request for the permission of type 'System.Web.AspNetHostingPermission, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed.

Note to self, don’t debug from a local drive!

Cisco ASA and smart tunnels – my experience on OS X 10.7

I have been playing with smart tunnels on my Cisco ASA. The documentation is a little scarce on examples, so I thought I would post what I have found. On OS X, not much appears to work (I only tried with Safari). Maybe this post will help someone, or they will post a comment on how to get these apps working.

Terminal
I was able to get Terminal working, but my Terminal preferences are ignored. Once Terminal was started, I could ssh into a server behind the ASA:

smart-tunnel list applist Terminal terminal platform mac

Remote Desktop
I was able to get Remote Desktop to launch, but I could not connect to a server behind the ASA. Not sure why:

smart-tunnel list smarttunlist-jbmurphy RemoteDesktop "/Applications/Remote Desktop Connection.app/Contents/MacOS/Remote Desktop Connection" platform mac

Safari
I could get Safari to start, but it would crash as soon as I tried to access a site behind the ASA.

smart-tunnel list smarttunlist-jbmurphy Safari /Applications/Safari.app/Contents/MacOS/Safari platform mac

The error thrown was described by @craigbox here. I also see this in the logs:

sandbox: WebProcess(xxxxxx) deny file-write-data /private/tmp/narwhal.log

I know that there is new “Sandboxing” with Lion; maybe that is the issue.

Anyway, not a lot of success, but maybe a discussion will follow. I will update if I have any more luck.

Send WordPress post to Google Plus (Not show Google+ on my WordPress site)

I was surprised that I could not find a plugin that would add a new WordPress post to Google+. I saw plugins that showed my Google+ profile card or added a +1 button to my site, but nothing to send a new post automatically to Google+. I can do this with the Twitter Tools plugin to Twitter, but I couldn’t find one for Google+.

I found a workaround – IFTTT. People have been raving about IFTTT.com, and I thought it was interesting, but I didn’t see a need. Then I stumbled on a post that described how you can use Google Voice to send an SMS text to Google Plus. With the use of this IFTTT recipe, this post should show up in my Google+.

Let’s see if this works!

UPDATE: FAIL: Google+: Internal error occurred, please try later.

UPDATE2: Been working for a while!

On demand iPhone vpn connection to a Cisco ASA

This was a proof of concept that I worked on with @xrobx99. Thanks @xrobx99 for your help.

We were interested in how our users could access SharePoint behind our firewall on their mobile devices. We currently have a Cisco ASA in front of our organization. The idea is this: a user receives an email notification from SharePoint that they need to approve a workflow. The email comes with a link, and the user clicks it on their Apple iOS device. That click would start an on-demand VPN session to our ASA, and the user would be able to reach SharePoint. This is how we got it all working.

First, you need to set up certificate authentication for your ASA. If you don’t already have a PKI, then you can run a certificate server on your ASA. Looking at this blog post, it is not that difficult to set up a local CA. That post describes how to do it via the command line; to enable a CA via ASDM go to: Configuration > Remote Access VPN > Certificate Management > Local Certificate Authority

Clicking the enable box generates the following code:

  crypto ca server
      smtp from-address [email protected]
      no shutdown passphrase secret

Next add a user:

After adding a user, grab the One Time Password (OTP) and log into the enrollment site: http://site.name.com/+CSCOCA+/enroll.html. This will download a *.p12 file which I double clicked and added to my keychain (mac user). We will

Add a new tunnel-group

The next step was to set a group-url for a new tunnel-group. We did this because we wanted the ability to log in with both passwords and certificates. This is what our tunnel groups looked like:

tunnel-group default webvpn-attributes
 group-url https://server.company.com enable
tunnel-group certificate webvpn-attributes
 authentication certificate
 group-url https://mobile.company.com enable

Add Certificate to iPhone Configuration App

Fire up the iPhone Configuration Utility and create a new Configuration Profile. Scroll down to the “Credentials” section and add the *.p12 file with the OTP.

Next go to the VPN section to add the address of the ASA and check the on demand box for the site.

Share the new configuration profile and apply it to your phone.

Now when you try to access a url that matches the on demand urls in the vpn section of the iPhone profile, the AnyConnect client will connect to the url that allows certificate authentication. The certificate that you included in the profile will authenticate you, and you are in!
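A quick way to check which login URL ends up with which authentication method, using the two tunnel-groups shown earlier in this post. This is an added example, not part of the original post; the function names are hypothetical, and it assumes that a tunnel-group with no "authentication" line uses the ASA default, aaa (username and password).

```python
import re

# Constructed sample: the two tunnel-groups from the post.
SAMPLE_CONFIG = """\
tunnel-group default webvpn-attributes
 group-url https://server.company.com enable
tunnel-group certificate webvpn-attributes
 authentication certificate
 group-url https://mobile.company.com enable
"""

HEADER = re.compile(r"^tunnel-group (\S+) webvpn-attributes\s*$")


def parse_tunnel_groups(config):
    """Return {group: {"auth": [...], "urls": [...]}} for webvpn-attributes blocks."""
    groups, current = {}, None
    for line in config.splitlines():
        if not line.strip():
            continue
        header = HEADER.match(line)
        if header:
            current = groups.setdefault(header.group(1), {"auth": [], "urls": []})
        elif current is not None and line.startswith(" "):
            words = line.split()
            if words[0] == "authentication":
                current["auth"] = words[1:]
            elif words[0] == "group-url" and words[-1] == "enable":
                current["urls"].append(words[1])
        else:
            current = None  # any other top-level line ends the block
    # Assumption: with no "authentication" line the ASA uses its default, aaa.
    for group in groups.values():
        group["auth"] = group["auth"] or ["aaa"]
    return groups


def entry_points(config):
    """Map each enabled group-url to (tunnel-group, auth methods, cert_required)."""
    result = {}
    for name, group in parse_tunnel_groups(config).items():
        for url in group["urls"]:
            result[url] = (name, group["auth"], "certificate" in group["auth"])
    return result


if __name__ == "__main__":
    for url, (name, auth, cert) in entry_points(SAMPLE_CONFIG).items():
        note = "" if cert else "  <- password login only"
        print(f"{url:32} {name:12} {'+'.join(auth)}{note}")
```

Run against a saved copy of the running configuration, it lists every enabled group-url and marks the ones that still accept a password alone.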

This was fun to put together!

Cisco ASA memory issues – disable webvpn cache may fix?

The credit for this article goes to @xrobx99. I wanted to blog about his discovery so that others might find the solution quicker.

We have a Cisco ASA that we had to reboot every month because the memory would keep growing. We thought it was a memory leak (and it may have been in previous revisions), so we just lived with the fact that we had to keep rebooting the ASA to clean up the leak. @xrobx99 found that by default the ASA caches HTML when using webvpn. Well, that explains that! A growing cache could easily be misinterpreted as a memory leak (see CSCtb68311)!

webvpn cache disable

Our memory use has not grown since making the change!

Cisco ASA: tunnel-group commands and Connection Profiles

I have to say, it is difficult to learn Cisco products.  I have been hacking away at my new Cisco ASA 5505, and it is not easy. One of the toughest things is that the ASDM displays the configuration one way, but when you look at the config, it is completely different. For example, ASDM shows Connection Profiles, but the actual code uses tunnel-group. Not even close. The documentation has one line out of 46 pages.

You configure connection profiles using tunnel-group commands. In this chapter, the terms “connection profile” and “tunnel group” are often used interchangeably.

Took me quite a while to figure that out. I guess that is why people go to training (and the 5505 is not a consumer product).

 

PowerShell wrapper script to send email

I wanted a standard function that I can call from other scripts to send email. I needed multiple recipients, and default sender and smtp arguments. Here is the script that I came up with.

function JBMURPHY-Send-Email {
Param(	[parameter(Mandatory = $true)]$ToAddress,
	[parameter(Mandatory = $true)]$Subject,
	[parameter(Mandatory = $true)]$Body,
	[parameter(Mandatory = $false)]$FromAddress="[email protected]",
	[parameter(Mandatory = $false)]$SMTPAddress="192.168.1.1")
$msg = New-Object Net.Mail.MailMessage
$msg.From = $FromAddress
$msg.Body = $Body
$msg.Subject = $Subject
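# Accept either an array of addresses or a single ";"-separated string
if($ToAddress -is [Object[]]) {$ToAddresses = $ToAddress}
else {$ToAddresses = ([string]$ToAddress).Split(";")}
foreach($Address in $ToAddresses) { $msg.To.Add($Address)}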
$smtp = new-object Net.Mail.SmtpClient($SMTPAddress)
$smtp.Send($msg)
}

PowerShell script to add users to a group

In this previous post, PowerShell wrapper for creating a new distribution group, I created a script for creating a new distribution group. I wanted to take that a step further and prompt the SysAdmin to add users. I created a new recursive function called AddToDistributionGroup. In this code, I prompt for a group name, and a user to add. The SysAdmin types in the first few parts of the name (I could have used samaccountname) and then I loop through AD users with that name, asking the SysAdmin if that is the user they want to add.

function JBMURPHY-EXCHANGE-AddToDistributionGroup {
Param(	[parameter(Mandatory = $true)]$GroupName,
	[parameter(Mandatory = $true)]$UserToAdd)
JBM-EXCHANGE-StartPSSESSION
# return (not break) so that a calling script is not terminated
if (!($GroupName)) {write-host "you need to specify a group name"
return}
if (($UserToAdd)) {
 $UserToAdd=$UserToAdd+"*"
 Get-aduser -filter {(name -like $UserToAdd) -and (Enabled -eq $true)} | foreach-object {
  $UserName=$_.Name
  $title = "Add to group"
  $message = "Add $UserName to the group: $GroupName"
  $yes = New-Object System.Management.Automation.Host.ChoiceDescription "&Yes","Yes add $UserName to the group $GroupName"
  $no = New-Object System.Management.Automation.Host.ChoiceDescription "&No","No, don't add $UserName to the group $GroupName?"
  $options = [System.Management.Automation.Host.ChoiceDescription[]]($yes, $no)
  $result = $host.ui.PromptForChoice($title, $message, $options, 0) 
  if ($result -eq 0){
   write-host "Adding $UserName"
   Add-DistributionGroupMember -Identity $GroupName -Member $UserName
  }
 }
# Recurse: the mandatory UserToAdd parameter prompts for the next user to add
JBMURPHY-EXCHANGE-AddToDistributionGroup $GroupName
}
}

* Note, there is not any error checking to see if the group exists. I am mainly using this code to be called from a NewDistributionGroup script, where I know the name of the group. I may add a lookup to see if the group exists at some point.

** Now that I think about it, this is for any type of group, not just distribution groups.

VMware Fusion 4 – Did they move vmrun?

Did they move vmrun in VMware Fusion 4?

In version 4, I find it here: “/Applications/VMware Fusion.app/Contents/Library/”

But this documentation says that the command should be in “/Library/Application Support/VMware Fusion”, but I found it here: “/Applications/VMware\ Fusion.app/Contents/Library/vmrun”

I don’t see anything in the release notes.

Anyone?

 

PowerShell wrapper for creating a new distribution group

Unknown to me, in Exchange 2010 when you create a new distribution group in EMC, by default, the group will not receive email from external recipients – the setting “Require that senders are authenticated” is checked. We use distribution groups to communicate with clients, so unauthenticated senders need to email these groups.  This setting is on the Mail Flow Setting – Message Delivery restrictions page.  I wrote a simple wrapper script to create a new distribution group and turn off the “Require that senders are authenticated” setting:

function JBMURPHY-EXCHANGE-NewDistributionGroup {
Param([parameter(Mandatory = $true)]$GroupName)
Write-host "Creating group named $GroupName"
new-DistributionGroup -Name $GroupName -OrganizationalUnit 'site.name/OUName' -SamAccountName $GroupName -Alias $GroupName
Set-DistributionGroup $GroupName -RequireSenderAuthenticationEnabled $false
write-host "The $GroupName distribution group has been created."
}

Simple one. I know.
