Shelf-cleaning

I just finished doing something that I have a hard time doing, for various reasons that wind tightly down into the psyche of my Asperger’s Syndrome: cleaning books from our bookshelves. We added six books and removed twenty-one, which really represents two new books, four books replacing twelve books, and nine removals. This gives us the room we need to add another dozen or so books that have been patiently waiting.

As a child, I had to get rid of books for simple reasons: we were moving, or I’d long since passed the stage of needing picture books but I did need the shelf space. As adults, Stephanie and I have more complicated reasons for getting rid of books:

  • They are falling apart. These books are disintegrating, whether through lots of use or simply because they were never well put-together (I salute you in memory, my first run of The Belgariad, bought in high school as the first fruits of my labors at McDonalds). These are the easiest to deal with, because we simply place them on our wish list, purchase replacements, and swap them out.
  • They take up too much space. In our new house, we have a fixed amount of wall space (stupid modern construction techniques using larger windows) for book shelves. As a result, we’re now in a mode of “one comes in, one comes out.” I really dislike this, so one technique we’ve been using to get more bang for the buck is buying omnibus editions to gain back shelf space.
  • They are not getting read. Even though I have read every book in my library, there are some I don’t end up re-reading that often – or when I do, I discover that my skills and needs as a reader have advanced and the book no longer is a compelling part of my library. Removing these books from the collection requires a great deal of effort to overcome the inertia of nostalgia.
  • We purchased them second-hand, but want the author to get paid. The more I learn about the publishing industry and the more contacts I make in the author community, the more personal it becomes for me to make sure that these people are able to make a living by writing. Book sales are the best way to do that – new books, back list books, whatever.

Sometimes, we combine some of these reasons. We have recently begun to replace many of our favorite books (Eddings, Brust, Bujold, Cooper, Engdahl, Weeks, and more) with as many omnibus editions as we could. This way we replaced tattered books, gained back shelf space, and made sure the author keeps seeing royalty statements. Honestly, I wish omnibus editions were more of a thing. As we can, we’ll replace hardbacks with paperbacks (or likewise) to ensure a given series is consistent and takes the least amount of shelf space.

Tonight, I’m removing books from my collection for a much different and more painful reason: I no longer wish to support the author. I’m not going to name specific authors – the reasons for doing so are between me and Stephanie and no one else – but there are some people who are so toxic in some area of their lives that we no longer wish to support them. Although the money we spent for their books is long gone, removing those books from our shelves is a tangible way to detach our lives and fates from theirs. It helps us close the open loops in our minds that would otherwise urge us to buy their books. However, getting rid of these books sucks; it takes a lot of energy and there is/will be a mourning period. For so many years, books were my greatest friends. Getting rid of books that you have accepted into your life and given a home to feels like turning out the family pet, or possibly one of your kids.

If you think that’s a juvenile or overblown sentiment for a grown man to express, all I can say is that the concept of books and writing got wired into my soul at a very early age, and yes, sometimes books mean more to me than people. If you can’t or won’t understand that, I cordially extend to you the benison of I don’t give a shit.

Another solution for Autodiscover 401 woes in #MSExchange

Earlier tonight, I was helping a customer troubleshoot why users in their mixed Exchange 2013/2007 organization were getting 401 errors when trying to use Autodiscover to set up profiles. Well, more accurately, the Remote Connectivity Analyzer was getting a 401, and users were getting repeating authentication prompts. However, when we tested internally against the Autodiscover endpoints everything worked fine, and manual testing externally against the Autodiscover endpoint also worked.

So why did our manual tests work when the automated tests and Outlook didn’t?

Well, some will tell you it’s because of bad NTFS permissions on the virtual directory, while others will say it’s because of the loopback check being disabled. And in your case, that might in fact be the cause…but it wasn’t in mine.

In my case, the clue was in the Outlook authentication prompt (users and domains have been changed to protect the innocent):

[Screenshot: Outlook authentication prompt]

I’m attempting to authenticate with the user’s UPN, and it’s failing…hey.

Re-run the Exchange Remote Connectivity Analyzer, this time with the Domain\Username syntax, and suddenly I pass the Autodiscover test. Time to go view the user account – and sure enough, the account’s UPN is not set to the primary SMTP address.

Moral of the story: check your UPNs.
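A quick way to act on that moral, as an added example that is not from the original post: report every mailbox whose UPN differs from its primary SMTP address, and preview the correction. It assumes an Exchange Management Shell session (Exchange 2010 or later cmdlets) with the ActiveDirectory module loaded for Get-ADForest.

```powershell
# Added example: find the UPN / primary SMTP mismatch that produced the 401 above.
# Assumes Exchange Management Shell plus the ActiveDirectory module (Get-ADForest).
$mismatched = Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.UserPrincipalName -ne $_.PrimarySmtpAddress.ToString() } |
    Select-Object DisplayName, UserPrincipalName, PrimarySmtpAddress, DistinguishedName

$mismatched | Format-Table DisplayName, UserPrincipalName, PrimarySmtpAddress -AutoSize

# Preview the fix with -WhatIf. Drop -WhatIf only after confirming the SMTP domain
# is a UPN suffix the forest knows (add it in AD Domains and Trusts if it is not).
$forest   = Get-ADForest
$suffixes = @($forest.UPNSuffixes) + @($forest.Domains)
foreach ($mbx in $mismatched) {
    $newUpn = $mbx.PrimarySmtpAddress.ToString()
    $domain = $newUpn.Split('@')[1]
    if ($suffixes -contains $domain) {
        Set-Mailbox -Identity $mbx.DistinguishedName -UserPrincipalName $newUpn -WhatIf
    } else {
        Write-Warning "$($mbx.DisplayName): $domain is not a UPN suffix in this forest; skipping"
    }
}
```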

Upgrade Windows 2003 crypto in #MSExchange migrations

Just had this bite me at one of my customers. Situation: Exchange Server 2007 on Windows Server 2003 R2, upgrading to Exchange Server 2013 on Windows Server 2012. We ordered a new SAN certificate from GoDaddy (requesting it from Exchange 2013) and installed it on the Exchange 2013 servers with no problems. When we installed it on the Exchange 2007 servers, however, the certificate would import, but the new certificate (and its chain) all showed the dreaded red X.

Looking at the certificate, we saw the following error message:

[Screenshot: certificate error message]

If you look more closely at the certificates in GoDaddy’s G2 root chain, you’ll see they are signed with both SHA-1 and SHA-256 (SHA-2). The latter is the problem for Windows Server 2003 – it has an older cryptography library that doesn’t handle the newer hash algorithm.

The solution: Install KB968730 on your Windows Server 2003 machines, reboot, and re-check your certificate. Now you should see the “This certificate is OK” message we all love.
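To see the problem before the red X appears, here is an added example (not from the original post) that lists the signature algorithm of every element in the certificate’s chain and checks whether KB968730 is installed. It assumes the certificate was exported to C:\certs\mail.cer (a placeholder path) and sticks to PowerShell 2.0 / .NET 2.0 syntax, which is what a Windows Server 2003 R2 host can run.

```powershell
# Added example: inspect chain signature algorithms and the KB968730 hotfix state.
# Assumes C:\certs\mail.cer (placeholder) holds the new certificate.
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\certs\mail.cer'
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$valid = $chain.Build($cert)

# One row per chain element, leaf first. sha1RSA builds on Windows Server 2003;
# sha256RSA does not until the CryptoAPI update is applied.
$chain.ChainElements |
    Select-Object @{n='Subject';   e={ $_.Certificate.Subject }},
                  @{n='Signature'; e={ $_.Certificate.SignatureAlgorithm.FriendlyName }},
                  @{n='Status';    e={ ($_.ChainElementStatus | ForEach-Object { $_.Status }) -join ',' }} |
    Format-Table -AutoSize

if (-not $valid) {
    Write-Warning ('Chain did not validate: ' +
        (($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '))
}

# The hotfix named in the post, as recorded in the installed-updates database.
if (Get-HotFix -Id KB968730 -ErrorAction SilentlyContinue) { 'KB968730 is installed' }
else { 'KB968730 is missing; install it and reboot before importing the certificate' }
```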

Load Balancing ADFS on Windows 2012 R2

Greetings, everyone! I ran across this issue recently with a customer’s Exchange Server 2007 to Office 365 migration and wanted to pass along the lessons learned.

The Plan

It all started so innocently: the customer was going to deploy two Exchange Server 2013 hybrid servers into their existing Exchange Server 2007 organization for a Hybrid organization using directory synchronization and SSO with ADFS. They’ve been investing a lot of work into upgrading their infrastructure and have been upgrading systems to newer versions of Windows, including some spiffy new Windows Server 2012 Hyper-V servers. We decided that we’d deploy all of the new servers on Windows Server 2012 R2, the better to future-proof them. We were also going to use Windows NLB for the ADFS and ADFS proxy servers instead of using their existing F5 BIG-IP load balancer, as the network team is in the middle of their own projects.

The Problem

There were actually two problems. The first, of course, was the combination of Hyper-V and Windows NLB. Unicast was obviously no good, multicast has its issues, and because we needed to get the servers up and running as fast as possible we didn’t have time to explore using IGMP with multicast. Time to turn to the F5. The BIG-IP platform is pretty complex and full of features, but F5 is usually good about documentation. Sure enough, the F5 ADFS 2.0 deployment guide (Deploying F5 with Microsoft Active Directory Federation Services) got us most of the way there. If we had been deploying ADFS 2.0 on Server 2012 and the ADFS proxy role, I’d have been home free.

In Windows 2012 R2 ADFS, you don’t have the ADFS proxy role any more – you use the Web Application Proxy (WAP) role service component of the Remote Access role. However, that’s not the only change. If you follow this guide with Windows Server 2012 R2, your ADFS and WAP pools will fail their health checks (F5 calls them monitors) and the virtual server will not be brought online because the F5 will mistakenly believe that your pool servers are down. OOPS!

The Resolution

So what’s different and how do we fix it?

ADFS on Windows Server 2012 R2 is still mostly ADFS 2.0, but some things have been changed – out with the ADFS proxy role, in with the WAP role service. That’s the most obvious change, but the real kicker here is under the hood in the guts of the Windows Server 2012 R2 HTTP server. In Windows Server 2012 R2, IIS and the underlying Web server engine have a new architecture that supports the SNI extension to TLS. SNI is insanely cool. The connecting machine tells the server which host name it’s trying to reach as part of the HTTPS session setup, so that one IP address can be used to host multiple HTTPS sites with different certificates, just like HTTP 1.1 added the Host: header to HTTP.

But the fact that Windows 2012 R2 uses SNI gets in the way of the HTTPS health checks that the F5 ADFS 2.0 deployment guide has you configure. We were able to work around it by replacing the HTTPS health checks with TCP Half Open checks, which send a SYN to the pool servers on the target TCP port and wait for the SYN/ACK. If they receive it, the server is marked up.

For long-term use, the HTTPS health checks are better; they allow you to configure the health check to probe a specific URL and get a specific response back before it declares a server in the pool healthy. This is better than ICMP or TCP checks, which only verify that the host answers pings or that the TCP port accepts connections. It’s totally possible for a machine to be up on the network with IIS answering connections while something is misconfigured with WAP or ADFS, so it’s not actually a viable service. Good health checks save debugging time.

The Real Fix

As far as I know there’s no easy, supported way to turn SNI off, nor would I really want to; it’s a great standard that really needs to be widely deployed and supported because it will help servers conserve IP addresses and allow them to deploy multiple HTTPS sites on fewer IP/port combinations while using multiple certificates instead of big heavy SAN certificates. Ultimately, load balancer vendors and clients need to get SNI-aware fixes out for their gear.

If you’re an F5 user, the right way is to read and follow this F5 DevCentral blog post Big-IP and ADFS Part 5 – “Working with ADFS 3.0 and SNI” to configure your BIG-IP device with a new SNI-aware monitor; you’re going to want it for all of the Windows Server 2012 R2 Web servers you deploy over the next several years. This process is a little convoluted – you have to upload a script to the F5 and pass in custom parameters, which just seems really wrong (but is a true measure of just how powerful and beastly these machines really are) – but at the end of the day, you have a properly configured monitor that not only supports SNI connections to the correct hostname, but uses the specific URI to ensure that the ADFS federation XML is returned by your servers.

An SNI-aware F5 monitor (from DevCentral)

What do you do if you don’t have an F5 load balancer and your vendor doesn’t support SNI? Remember when I said that there’s no way to turn SNI off? That’s not totally true. You can go mess with the SNI configuration and change the SSL bindings in a way that seems to mimic the old behavior. You run the risk of really messing things up, though. What you can do instead is follow the process in this TechNet blog post How to support non-SNI capable Clients with Web Application Proxy and AD FS 2012 R2.
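To make concrete what an SNI-aware monitor actually does, here is an added PowerShell stand-in for one (not the original post’s configuration and not F5’s script). It connects to a single pool member by IP the way a load balancer monitor does, presents the expected service name in the TLS handshake so the 2012 R2 server can select the right certificate binding, then requests the federation metadata document and checks that metadata XML comes back. The member address 10.0.0.11 and the service name adfs.contoso.com are placeholders.

```powershell
# Added example: an SNI-aware health probe for one ADFS/WAP pool member.
# Placeholders: -MemberIp 10.0.0.11, -HostName adfs.contoso.com.
function Test-AdfsMember {
    param(
        [string]$MemberIp,
        [string]$HostName,
        [int]$Port = 443,
        [string]$Path = '/FederationMetadata/2007-06/FederationMetadata.xml'
    )
    $client = New-Object System.Net.Sockets.TcpClient($MemberIp, $Port)
    $client.ReceiveTimeout = 10000   # a monitor must not hang on a sick member
    try {
        # The validation callback returns $true because a monitor only needs the
        # handshake to succeed; the certificate presented is reported separately.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false,
            ({ $true } -as [System.Net.Security.RemoteCertificateValidationCallback]))

        # Passing $HostName here is what makes the probe SNI-aware: Schannel sends
        # it as the TLS server_name extension. A probe that only knows the IP gives
        # HTTP.sys no name to match a binding against, and the handshake fails,
        # which is exactly why the non-SNI monitor marks the member down.
        $ssl.AuthenticateAsClient($HostName)

        $request = "GET $Path HTTP/1.1`r`nHost: $HostName`r`nConnection: close`r`n`r`n"
        $bytes   = [System.Text.Encoding]::ASCII.GetBytes($request)
        $ssl.Write($bytes, 0, $bytes.Length)

        $reader     = New-Object System.IO.StreamReader($ssl)
        $response   = $reader.ReadToEnd()
        $statusLine = ($response -split "`r`n")[0]

        # Healthy only if the status is 200 AND the body is federation metadata,
        # so a misconfigured WAP/ADFS that still answers HTTPS is not marked up.
        $healthy = ($statusLine -match '^HTTP/1\.[01] 200') -and ($response -match '<EntityDescriptor')

        New-Object PSObject -Property @{
            Member      = $MemberIp
            Status      = $statusLine
            Healthy     = $healthy
            CertSubject = $ssl.RemoteCertificate.Subject
        }
    }
    finally {
        $client.Close()
    }
}

Test-AdfsMember -MemberIp 10.0.0.11 -HostName adfs.contoso.com
```

Run it from a Windows Server 2012 R2 (or newer) host so the client side of the handshake itself supports SNI; the same host name and URI are what the DevCentral monitor script needs as its parameters.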


Postscript

As a side note, almost everyone seems to be calling the ADFS flavor on Windows Server 2012 R2 “ADFS 3.0.” Everyone, that is, except for Microsoft. It’s not a 3.0; as I understand it the biggest differences have to do with the underlying server architecture, not the ADFS functionality on top of it per se. So don’t call it that, but recognize most other people will. It’s just AD FS 2012 R2.

Book Review: Hurricane Fever by Tobias S. Buckell

Update 7/17 16:21 to add disclosure: I received my ARC copy of this book via a reviewer giveaway from the author’s blog. I had to request the copy.

Note: this review is spoiler-free.

Tobias Buckell writes very smart people-centric speculative fiction. When I was reading the ARC of his latest novel Hurricane Fever, I realized he has quietly become one of my five favorite authors.

Hurricane Fever

One of the reasons is how he writes in a style I’ll just have to call “Flow” for lack of a more precise term. From the non-typical (and welcome) way Buckell deals with writing dialect to his pacing, his stories move smoothly from introduction to crises to resolution. You cover a lot of ground, but it doesn’t feel like it, much like a ramble through the countryside. Hurricane Rising is no exception. Even as the tension and the stakes crank up, the book is a relaxing read. Even if you haven’t read the first book in the series, Arctic Rising, you should be able to drop right in without feeling like you’ve missed anything. (I can’t promise that you will still feel that way when you get to the end; if you feel the need to run right out to the library or to a bookstore, or at least make a big order on Amazon, you’re in good company.)

Another reason is how his stories deal with big ideas of world-shaping significance. Hurricane Rising is a near-future espionage thriller that rivals the scope of a Bond story, with a world-threatening plan that would make Fleming green with envy. In most books, the writer would try to give us hints that Something Big was coming; Buckell makes us care about the people and reels us in from there. The protagonist, Prudence “Roo” Jones, is a retired Caribbean intelligence agent who is just trying to raise the nephew who is all the family he has left. Roo is drawn out of his life onboard a catamaran into the unfolding geopolitical events because he is driven by bonds of family and friendship, not for the sake of power or adrenaline or some abstract duty.

Tobias Buckell writes very smart SF

Probably the biggest reason, though, is that Buckell’s version of smart isn’t intimidating like so much SF can be if you don’t know as much as the author. Rather, his writing is inviting and comfortable. If you know as little about the Caribbean islands as I do, this may be the book that will lead you to your atlas or tablet so you can look up the geography Buckell so lovingly introduces us to. Roo lives just around the corner of tomorrow where the consequences of our bad decisions have come home to roost; climate change has remapped our coastlines, tweaked the balances of power and resources, and altered the patterns of weather. There is a lot of thoughtful worldbuilding that has gone on behind the scenes, but Buckell is comfortable enough in his skill as a storyteller to let it slip in hints and dashes – a master chef deftly and subtly spicing the meal he is preparing. There are no infodumps, no expository lumps, and no detours through backwaters whose only purpose is to show off a feature of the world that would otherwise lay untouched by the plot. I felt like Buckell had made a pact with me: he would stay on task of telling a compelling story, and I would bring my reader A-game and imagination to come play for a while.

We in the Seattle area will host Buckell at University Bookstore on July 28th, one of just five appearances in the Hurricane Rising West Coast Book Tour. I’ll be taking the opportunity to fill in some of the gaps in my library. Hope to see you there!

Local Date Night, @SoundersFC edition

This last year Stephanie helped me become something I never thought I could be: a soccer fan.

Wait, let me rephrase. She got me interested in football. Although soccer is the original and correct name, most of the rest of the world just knows it as football (or futbol if you are from a country whose primary language is a Romance language). It’s only here in North America where we refer to gridiron football as just football.

At any rate, Steph used to play as a goalie when she was growing up and has retained a love of the sport. She used to follow the Seattle Sounders FC matches via Twitter until we moved last fall and got hooked back up to Comcast as our Internet provider. While our package doesn’t include access to ESPN and ESPN2 (where MLS broadcasts national games), it does include JoeTV and Q13 Fox, the local Seattle channels that carry Sounders games when they aren’t being nationally televised. (As an aside, remind me to rant about the stupidity that the FCC permits some other time.) So this year, I got things set up so Steph can watch the Sounders games, and inevitably started sitting next to her with my Surface on my lap while she watched. Then I started asking questions. Then I started recognizing players. Then I started figuring out what the hell was going on. Really, in about three games, I understood 95% of the rules – more than I understand to this day of American football.

At that point, Sounders games became time to spend together. I’d already gotten Steph a Sounders shirt; she got me one, and got us both scarves. And then the World Cup happened. HOLY CRAP people, with all the games being televised over ESPN3/Watch ESPN, and viewable within the ESPN app on our Xbox 360, it was easy to keep games on all through the month of world soccer awesomeness. With two of the familiar Sounders faces on the US Men’s National team, it was natural to watch and cheer them on. Even when they were eliminated by Belgium in the Round of 16, I was invested in the final results. In between the World Cup games, the Sounders had moved into the US Open Cup season, so I streamed those from my Surface to our TV (thanks to the HDMI plug and the Sounders website streaming video). I had become a football fan.

Today, we watched the final struggle of Germany vs. Argentina, then tried to figure out what our options were for watching the Seattle vs. Portland game (broadcast on ESPN2). Steph finally remembered that a local pizza joint, Sahara Pizza, had advertised that they were showing all of the World Cup games. They have gluten-free and dairy-free options on their menu, so Steph called them up to see if they would be showing the Sounders game tonight. They said yes…so we had ourselves a date night.

Here we are, dressed up in our Sounders shirts, practicing for our big day next weekend when we go see the Sounders live in their exhibition game vs. Tottenham.

[Photo: the two of us in our Sounders shirts]

My name is Devin L. Ganger, and I am a football fan.

Is All About That Bass Skinny-shaming?

For the past several days, Stephanie and I have been severely afflicted with one of the catchiest earworms we’ve ever caught: Meghan Trainor’s debut song “All About That Bass”, which is a playful yet serious romp through doo-wop, Motown, and modern pop. Music aside, though, it’s gaining attention because of the uncompromising body-positive message the song delivers:

Every inch of you is perfect from the bottom to the top!

The video for the song is beautifully directed by Fatima Robinson and features a diverse array of dancers and artists, including guest star Sione Maraschino (who is famous in Vine circles). In short, on the surface it seems like a great song: catchy music that skillfully blends old and new, uplifting lyrics, diverse cast and crew. What’s not to like?

The song has gotten some pushback as it has gained in popularity (what viral song hasn’t?), but from a somewhat unexpected quarter: detractors say the song is skinny-shaming. That is, its body-positive message is only for people with plus-size bodies and everyone who is slender and attractive according to currently popular standards need not apply. And I confess: when Stephanie and I first heard the song, this was our concern as well, because of these words in the second verse:

I’m bringing booty back
Go ahead and tell them skinny bitches that
Naw, I’m just playing
I know you think you’re fat
But I’m here to tell you
Every inch of you is perfect from the bottom to the top!

At first blush, this sounds like the “skinny bitches” are cast into the outer darkness and Meghan’s message is only for the girls like her. But if you watch the video, you’ll see this isn’t so. That diverse group of dancers (including the skinny brunette) are all equally lauded as beautiful throughout the course of the video. If Meghan and her director meant to exclude people, they did a poor job.

I’m pretty sure that the disconnect here is that Meghan’s trying to say multiple things at once, which is hard enough in prose, harder in rhyme, and damned difficult when set to music (if you don’t think so, you are cordially invited to try). With a lot of today’s music, the writers don’t try for nuance or complexity…so perhaps we’ve gotten out of the habit of listening for it, substituting binary polarities for critical thought. Here’s what I pull out of that verse:

  • Judging people based on their size creates an environment rife with misperceptions about body image and self-worth
  • People that you and I perceive as skinny are in fact often extremely worried about their (mis-perceived) body image
  • Words matter. Saying you’re “playing” when using a criticism or insult doesn’t take the sting away, so pick your words carefully.

Did Meghan actually accomplish packing all that nuance in? I’m not sure, but kudos to her for trying – something not enough artists are doing these days, it seems. This large person, however, feels that Meghan’s song is all-inclusive and inviting (not skinny-shaming), so give it a listen and tell me what you think.