Entourage – Series Finale – Awesome

BEST

FINALE

EVER

I cried like a baby. I’ve loved the whole series, but the last two seasons have just gotten better and better. The ending was picture perfect. Way to go, Hollywood. You got this one right. And though the crew is the best, Piven plays his absolute best here. Just at the most pivotal moments, he goes from the insanely driven power driver of an actor’s management character… to a real man who loves his family more than anything else.

Kudos. Entourage.

 

IIS Security versus Keith Davis = I Win (IIS Security & Security Part Deux)

Well, if I’m going to complain, then I ought to share the solution when I find one…and I did. It involves:

  • Delegation
  • SPN
  • FQDN
  • Integrated Windows Authentication

Really, it was easy to fix once I figured it out. The primary component in our configuration that may not be common is that we use Windows Authentication exclusively, so that last part was easy. I did have Digest Authentication enabled, and that cannot be, but it was no big deal to turn it off.

Then what I had to do was enable Delegation for the web server in Active Directory. Next, I registered the SPN for the web server. This part is not necessary if you use the actual host name to access your web server (ex. app01.pridedallas.com), but we do not; we use intranet.pridedallas.com. Finally, and this is more of a process issue, you MUST use the FQDN. So, on our Intranet, I changed our home page in AD to http://intranet.pridedallas.com, and added code to our site that redirects all users to the FQDN if they get there otherwise.

Consequently, I found that VisualCron does not like that forced redirection. Had to modify all of our HTTP jobs….there were a lot.

And voilà! It worked. Thank God. I can put the AK back in the box….
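The pieces listed in this post (SPN, delegation, authentication providers) can be checked from PowerShell. This is an added example, not the author's own commands. It assumes the site runs under the computer account APP01, the IIS site is named "Default Web Site", and the ActiveDirectory and WebAdministration modules are available.

```powershell
# Added example. Assumed values: computer account name and IIS site name.
Import-Module ActiveDirectory
Import-Module WebAdministration

$WebServer = 'APP01'                     # assumed computer account of the web server
$Alias     = 'intranet.pridedallas.com'  # FQDN users browse to (from the post)
$Site      = 'Default Web Site'          # assumed IIS site name
$Spn       = "HTTP/$Alias"

# 1. SPN: must exist on exactly one account. A missing or duplicated SPN makes
#    Kerberos fail, the browser falls back to NTLM, and NTLM credentials
#    cannot be delegated to a second server.
$owners = @(Get-ADObject -LDAPFilter "(servicePrincipalName=$Spn)")
switch ($owners.Count) {
    0       { Write-Warning "$Spn is not registered. Register it with: setspn -S $Spn $WebServer" }
    1       { "SPN $Spn is registered on $($owners[0].Name)" }
    default { Write-Warning ("Duplicate SPN on: " + (($owners | ForEach-Object { $_.Name }) -join ', ')) }
}

# 2. Delegation on the web server's account. Constrained delegation limits
#    which back-end services the web server may impersonate users to.
$c = Get-ADComputer $WebServer -Properties TrustedForDelegation, 'msDS-AllowedToDelegateTo'
if ($c.TrustedForDelegation) {
    "Delegation: unconstrained (any service)"
} elseif ($c.'msDS-AllowedToDelegateTo') {
    "Delegation: constrained to $($c.'msDS-AllowedToDelegateTo' -join ', ')"
} else {
    Write-Warning "Delegation is not enabled for $WebServer"
}

# 3. IIS authentication: the post uses Windows Authentication exclusively,
#    with Digest turned off.
$base = 'system.webServer/security/authentication'
foreach ($m in 'windowsAuthentication', 'digestAuthentication', 'anonymousAuthentication') {
    $on = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $Site `
              -Filter "$base/$m" -Name enabled).Value
    "{0,-24} enabled={1}" -f $m, $on
}

# 4. From a client, confirm a Kerberos ticket can be issued for the FQDN:
#    klist get HTTP/intranet.pridedallas.com
```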

<rant>IIS & Security</rant>

Well, if I can’t complain on my own blog, where can I?

I HATE how IIS handles security. I know, hate is a strong word, but that is the truth. I have spent the last 10 days trying to work out a solution that would allow users to browse files (scanned documents in TIFF format), as well as rename those files, that are stored on another server (the IIS server is Server 2008 and the network share is on Server 2003). It just can’t be done (I’d love for someone to prove me wrong). I’ve even tried to make it work in some very unsecure configurations, but nothing works. The one that gets me the most is if I run IIS under another account, one that has permissions to access that share, but logging tells me that IIS is still using the anonymous account (I’ve even given the anonymous account permissions, but that doesn’t work either).

I understand if my server is on the Internet or exposed in some fashion, but this is purely an intranet server. Why will Microsoft not provide some facility for internally used IIS servers?? I’ve read tons of forum posts and TechNet documents.