Rhys Goodwin's Weblog

I AM the system administrator. Who do I call?


Pet Door Opening in a Security Mesh Door

Nov 19th

Posted by RhysGoodwin in Home DIY

No comments

Now for something completely different... After shelling out for one of these awesome microchip cat doors to be installed, I thought I'd DIY the opening in my security mesh door. As the weather warms up hopefully I'll get more DIY stuff up here.

Mark the bars you'll need to cut to make a square just a little bigger than the cat door opening.

Cut where you marked using some hefty bolt cutters - a good excuse to buy tools, it would cost more to get a guy out to do the job, right? For now only cut the bars, not the screen.

Make up 2 "picture frames" using a mitre saw. The inner dimension should be about the same size as the cat door opening or just slightly bigger. I glued and tacked mine together with small nails.

After assembling the frames, prime and paint them to make them weatherproof.

On one of the frames check and mark where you can put 4 screws through without hitting bars.

In one of the frames, drill the screw holes.

Line up the 2 frames and screw the screws through into the frame you didn't drill.

Put the screws into the drilled frame and push them through the mesh screen to hold it in place. Cut out the mesh, and put some dabs of glue to hold the mesh.

Screw on the other frame to clamp it on to the bars.

Perform testing.

Done!

Tags: cat door, microchip, pet door, pet flap, security door

OpenAM – Can’t Log on to Admin Console

Nov 8th

Posted by RhysGoodwin in Security

No comments

This one cost me some time!

Symptoms

After installing and configuring OpenAM you're unable to log on to the admin console with the amAdmin account and password you set during the install. It doesn't give an error message, it just drops you back to the login page.

Cause

When you go through the custom configuration wizard you are asked for the cookie domain. If your OpenAM server is openam.mydomain.co.nz then your cookie domain should be .mydomain.co.nz, but by default the wizard just takes the trailing two domain components from the server name, i.e. .co.nz. Unless you specifically set the cookie domain correctly you'll get the issue described above. As you can imagine, this issue wouldn't occur if your OpenAM server was called openam.mydomain.com.

This means that if you have a domain name with more than 2 domain components then you’ll always need to run the custom config wizard.
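As an added check (example code written for this post, not part of OpenAM), the Python below reproduces the wizard's trailing-two-labels default, derives the cookie domain the server actually needs, and tests whether a browser would keep a session cookie scoped to each. PUBLIC_SUFFIXES is a constructed subset of the Public Suffix List, and the rule that cookies scoped to a public suffix are discarded comes from RFC 6265, not from the post.

```python
# Added example (not from the original post): compare the cookie domain the
# OpenAM configuration wizard derives by default with the one the server
# actually needs, and check whether a browser would keep the resulting cookie.
# PUBLIC_SUFFIXES is a small constructed subset of the Public Suffix List,
# just enough for the hostnames used here.

PUBLIC_SUFFIXES = {
    "com", "net", "org", "nz", "uk", "au",
    "co.nz", "ac.nz", "govt.nz", "co.uk", "org.uk", "com.au",
}


def _labels(hostname: str) -> list:
    """Split a hostname into lower-case DNS labels, ignoring a trailing dot."""
    return hostname.lower().rstrip(".").split(".")


def wizard_default_cookie_domain(hostname: str) -> str:
    """The default described in the post: the trailing two labels of the server name."""
    return "." + ".".join(_labels(hostname)[-2:])


def registrable_domain(hostname: str) -> str:
    """The registrable domain: one label more than the longest matching public
    suffix. Falls back to the last two labels when no listed suffix matches."""
    labels = _labels(hostname)
    for i in range(len(labels)):  # i == 0 is the whole name, so the longest suffix wins
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                raise ValueError(f"{hostname} is itself a public suffix")
            return ".".join(labels[i - 1:])
    return ".".join(labels[-2:])


def recommended_cookie_domain(hostname: str) -> str:
    """The value to enter in the wizard: the registrable domain with a leading dot."""
    return "." + registrable_domain(hostname)


def cookie_domain_is_usable(cookie_domain: str, hostname: str) -> bool:
    """Would a session cookie with this Domain attribute be stored and sent back
    to hostname? Two conditions from RFC 6265: the host must domain-match the
    attribute, and the attribute must not be a public suffix (browsers that use
    the Public Suffix List discard such cookies, so the login never sticks)."""
    domain = cookie_domain.lower().lstrip(".")
    host = hostname.lower().rstrip(".")
    if domain in PUBLIC_SUFFIXES:
        return False
    return host == domain or host.endswith("." + domain)


def check_openam_cookie_domain(hostname: str, configured: str = None) -> dict:
    """Summarise the wizard default, the recommended value and whether each works.
    configured defaults to the wizard default, i.e. a run that skipped the custom wizard."""
    default = wizard_default_cookie_domain(hostname)
    recommended = recommended_cookie_domain(hostname)
    configured = configured if configured is not None else default
    return {
        "hostname": hostname,
        "wizard_default": default,
        "recommended": recommended,
        "configured": configured,
        "default_is_usable": cookie_domain_is_usable(default, hostname),
        "configured_is_usable": cookie_domain_is_usable(configured, hostname),
    }


if __name__ == "__main__":
    for host in ("openam.mydomain.co.nz", "openam.mydomain.com"):
        r = check_openam_cookie_domain(host)
        print(f"{host}: wizard default {r['wizard_default']} usable={r['default_is_usable']}, "
              f"recommended {r['recommended']}")
```

Run it with openam.mydomain.co.nz and the wizard default .co.nz comes back unusable, while .mydomain.co.nz passes; with openam.mydomain.com the default and the recommendation coincide.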

 

 

 

Tags: openam, opensso, tomcat

ADFS 2.0 in Forest Trust Environment

Oct 11th

Posted by RhysGoodwin in Windows Admin

2 comments

I've been meaning to get this out there for a while now. I'm not going to go into great detail on ADFS, but you can get more background on ADFS and federation in these posts:

Salesforce SSO with ADFS 2.0 – Everything You Need to Know

ADFS 2.0 Choose Your Attributes Wisely

SAML WebSSO Federation Made Easy

My scenario is as follows:

  • 2 domains in 2 forests with a one way trust between them.
    (For this post I’ll refer to these domains PERIMETER and INTERNAL)
  • PERIMETER trusts INTERNAL but INTERNAL doesn’t trust PERIMETER
  • Both PERIMETER and INTERNAL contain user accounts that need to be authenticated and federated via ADFS
  • The ADFS server is joined to the PERIMETER domain
  • ADFS and its related IIS services need to run under a service account from the INTERNAL domain

Here are the high level hoops I had to jump through to get this working:

  1. On a clean Windows 2008 R2 server, obtain and run the ADFS 2.0 setup file AdfsSetup.exe. Select "Federation Server". This will install everything you need to make ADFS 2.0 work (including pre-requisites). Don't run through the config wizard; we will do the config from the command line later.
  2. Create a new service account, e.g. INTERNAL\Svc.ADFS. Create a new DNS 'A' record and point it to the ADFS server, e.g. federate.internal.com. Set a Kerberos SPN for the DNS record against the service account:
     setspn -a HOST/federate.internal.com INTERNAL\Svc.ADFS
  3. Load the certificates MMC for local computer account and install a certificate which can be used for the ADFS web site. In the IIS manager configure a new binding on the default website for SSL with the appropriate FQDN and select the cert you just installed.
  4. Make sure the ADFS server has access to all LDAP servers for all domains. Something to consider if you’ve got a few firewalls here and there.
  5. Add your service account to the local admins group on the ADFS server and to domain admins group for the domain that the service account belongs to. Don’t panic this will only be temporary! This just allows the service account to create the necessary config for ADFS in the Program Data\ADFS OU. Once created it will have the correct permissions for the service account. I had to do this to get it work, not sure why it’s any different to a normal single forest install.
  6. Log on to the ADFS server with the service account. Skip this step at your peril!
  7. Run cmd prompt as admin. cd to:
    C:\Program Files\Active Directory Federation Services 2.0\
  8. Run the following command to configure a new ADFS 2.0 farm:
     FSConfig.exe CreateFarm /ServiceAccount "INTERNAL\Svc.ADFS" /ServiceAccountPassword "somebiglongpassword" /AutoCertRolloverEnabled /FederationServiceName "federate.internal.com"
  9. Remove the service account from local admins and domain admins now.
  10. That’s it. Load the ADFS console and configure ADFS as you would in any other scenario

Notes

  • During the install you might get a yellow warning about not being able to set the SPN. That’s cool we already did it above.
  • Make sure you can view the federation data for your new server e.g.
    https://federate.internal.com/FederationMetadata/2007-06/FederationMetadata.xml
  • If you get a certificate error from your service provider, e.g. this typical error from SalesForce:
    Signature or certificate problems
    Is the response signed? False
    The signature in the assertion is not valid
    Is the correct certificate supplied in the keyinfo? False
    No valid certificate specified in this response.

    Try re-generating your token signing certificate using the following PowerShell commands. Note: this will break any existing trust relationships you have with any service providers. You will have to export the new cert and update your service providers with it.
    Add-PSSnapin Microsoft.Adfs.Powershell
    Set-ADFSProperties -AutoCertificateRollover $true
    Update-AdfsCertificate -Urgent

This might not be the only way to get this working and I haven't tested it thoroughly – your mileage may vary! But as always I'm keen to hear how you get on and happy to field questions.

Tags: ADFS, cloud, federation, saml

Salesforce – Special Meal Requests!

Sep 6th

Posted by RhysGoodwin in Cloud

2 comments

I snapped this in the lunch area on my recent trip to the Dreamforce conference in San Francisco.

Contact a ‘Server’?

Is this some kind of sick joke for people with special dietary requirements?

Tags: cloud, jokes, SalesForce

TBS 6984 Quad Tuner DVB-S/S2 Card (Review)

Jul 24th

Posted by RhysGoodwin in HTPC

11 comments

Intro

In my last post I showed you my RG6 coax patch panel build which included cabling up the 4 outputs of my LNB. Well there was a reason I risked life and limb on the roof in high winds.

TBS Technology of Shenzhen China have only been making TV cards for about 5 years but they're starting to build a good reputation amongst HTPC enthusiasts, and for good reason – as you'll see the 6984 is a solid performer. This review will focus on using the TBS 6984 with MediaPortal TV Server.

The TBS6984 really is the grand-daddy of DVB-S cards! It's a DVB-S/S2 PCI Express card with 4 tuners, allowing you to capture from 4 different satellite transponders simultaneously. At $249USD the price is right. That's about $62 per tuner, considerably cheaper than buying 4 separate DVB-S2 cards and much more convenient.

TBS list the following specifications:

Receiving Frequency: 925~2175 MHz Tuning Range
Input Level: -69~23dBm
4x Advanced DVB-S2/DVB-S 8PSK QPSK Demodulator

Symbol Rates:
DVB-S QPSK: 1-45 Msps
DVB-S2 8PSK/QPSK: 2-36 Msps

Code Rates:
DVB-S: 1/2, 2/3, 3/4, 5/6, 7/8
DVB-S2 QPSK: 1/2, 3/5, 2/3, 3/4, 4/5, 5/6, 8/9, 9/10
DVB-S2 8PSK: 3/5, 2/3, 3/4, 5/6, 8/9, 9/10

I'm not going to pretend that I could explain all the technical aspects of these specs, but suffice to say this card will handle pretty much anything you can throw at it.

What’s In The Box

  • The PCIe Card
  • A driver mini-CD
  • Infrared Remote Control
  • Infrared Receiver Cable
  • Power Cable

The build quality of the card is excellent – all the soldering looks clean and solid, and the components are well aligned.  The bracket has labels for the tuners ‘A’ through ‘D’ stamped on it – a nice touch.  The chipset consists of the following:

  • 2x  Trident CX24132 Dual DVB-S2 Tuner
  • 2x  Trident CX24117 Dual DVB-S2 Demodulator
  • 2x  Intersil ISL6422B Dual Output LNB Supply and Control Voltage Regulator
  • 1x Trident SAA7160E PCI Express Audio/Video Capture Bridge

The remote is pretty basic;  but let’s be honest, if you’re looking for a quad tuner card you’re probably an HTPC enthusiast in which case you’ll already have an advanced remote.  If not you’ll need to get one!  It has TV and navigation buttons, but lacks buttons for the advanced features you’d typically find in media centre packages like MediaPortal. That said, it will do just fine to get you up and running with basic TV software.

As for the driver CD, I haven’t even put it in my PC.  Personally I never use the driver CDs which come with any hardware.  I prefer to go straight to the web and download the very latest version.  It would be nice if TBS released a white-box version of this product, which included just the card and the power cable.

TBS state that the additional power cable is only required when you need extra current for driving things like dish positioning motors and some LNBs. In general you shouldn't require it, which is good: the fewer cables floating around the better when it comes to an HTPC that you're trying to keep cool with a minimum of fans.

Installation

I’d love to go into great detail about the installation but there really isn’t much to say. The hardware side is obvious – unplug your PC and install the card into a spare PCIe 1x slot.

As for the driver, TBS keeps it simple, which I really appreciate. You don't have to run an installer (although there is one). You can simply let Windows detect the card and then tell it where to find the latest driver files, and the device installs without any fuss. I wish more manufacturers would take this simple, clean approach. With an installer you don't really know what you're getting and what's being changed on your system. I'm running Windows 7 x64. Once the driver is installed you'll see a single "TBS 6984 Quad DVBS/S2 BDA Tuners" device listed in Device Manager. The driver is a BDA driver, which means it conforms to Microsoft's Broadcast Driver Architecture, so the card will be compatible with any TV software which supports BDA devices.

MediaPortal

MediaPortal is a free and open source media centre package for Windows.

MediaPortal TV Guide

MediaPortal Home

You can get a wealth of information and support at the Team-MediaPortal site, but these are the basic components that you’ll need to get TV up and running with the TBS 6984.  The remainder of this review will focus on the TV Server component of MediaPortal.

  • MediaPortal – this is the main front-end application. You can have this installed on as many PCs around the house as you like
  • TV Server – this is a Windows service which manages all TV streaming and recording.  It can be on the same or a different PC to the MediaPortal application
  • TV Client Plug-in – this is a plug-in component to MediaPortal which connects it to the TV Server

Once you’ve got the driver installed TV Server will detect the card. You’ll have to restart the TV Service and TV Server configuration tool if they are already running.

One thing I really like about this card is the way it identifies itself. In the Windows device manager it just shows a single device, but once you open up the TV Server configuration tool you'll see all 4 tuners and they're actually labelled A, B, C and D – unlike some other dual cards I've seen, which just show 2 identical tuners so you can't tell which one is which.

Scanning speed is impressive – just over 6 minutes to scan 41 transponders. Both DVB-S and DVB-S2 channels are found correctly.

Now the part you’ve been waiting for – recording 4 channels at once.  In fact, with MediaPortal TV Server you can record even more than that because it allows you to record all the channels on a given transponder at the same time.  The TBS 6984 can tune into 4 separate transponders, so if each of those transponders carries 6 channels that would mean you could record 24 channels simultaneously! Below you can see I’m receiving 12 channels quite happily and the 6984 doesn’t skip a beat!  “Just try that Windows 7 Media Center!” 

The driver seems to report the signal quality and strength much more accurately than a lot of other cards I've seen, and also updates these quite frequently – which is great.

Channel Change Speed

The most common question I hear when discussing various TV cards with HTPC enthusiasts is "How fast can it change channels?". There are a number of things that can affect this – system hardware, TV card, TV card driver, TV software, media codecs, etc. It also depends on where you take the measurement. The following results are taken from the TV Server logs, and indicate the time it takes for the TV card to switch channels.

Start DVB-S Channel (Same channel/transponder for each tune)
 1st Tune: 437ms
 2nd Tune: 218ms
 3rd Tune: 203ms
 4th Tune: 281ms
 5th Tune: 124ms
Start DVB-S Channel (Different channel/transponder for each tune)
 1st Tune: 390ms
 2nd Tune: 718ms
 3rd Tune: 531ms
 4th Tune: 796ms
 5th Tune: 609ms
Change DVB-S Channel  (Same transponder for each tune)
 1st Tune: 437ms
 2nd Tune: 453ms
 3rd Tune: 374ms
 4th Tune: 281ms
 5th Tune: 593ms
Change DVB-S Channel  (Switch transponder for each tune)
 1st Tune: 475ms
 2nd Tune: 374ms
 3rd Tune: 468ms
 4th Tune: 468ms
 5th Tune: 687ms
Change DVB-S2 Channel  (Same transponder for each tune)
 1st Tune: 234ms
 2nd Tune: 296ms
 3rd Tune: 234ms
 4th Tune: 343ms
 5th Tune: 171ms
Change DVB-S2 to DVB-S (Switch transponder for each tune)
 1st Tune: 656ms
 2nd Tune: 390ms
 3rd Tune: 718ms
 4th Tune: 656ms
 5th Tune: 687ms
Change DVB-S to DVB-S2 (Switch transponder for each tune)
 1st Tune: 2159ms
 2nd Tune: 2124ms
 3rd Tune: 2156ms
 4th Tune: 2218ms
 5th Tune: 2187ms

Very impressive, with all tests sub-second, except DVB-S to DVB-S2 switching which takes a little longer.

DiSEqC 

The TBS 6984 supports DiSEqC 2.x. MediaPortal TV Server doesn't yet support DiSEqC for this card, but I've spoken to a member of the MediaPortal development team who has informed me that they will be adding it soon, and has asked me to be a tester when the time comes.

Conclusion

All-in-all, my only criticism is that such a high-end card should be matched with a high-end remote.  I think the best solution is a white box version of the product so the user can choose their own remote.

The channel change speed tests speak for themselves;  that, combined with the solid driver and excellent build quality, makes the 6984 an excellent choice for anyone looking to build or expand an HTPC.  In fact, unless you’re certain you won’t need more than 2 tuners, I would say just go straight for the 6984 because you’ll end up saving money in the long run.

As for TBS support – while I haven’t needed any technical support, from what I’ve read elsewhere they seem to have a reputation of being very responsive as well as being happy to interact with the MediaPortal development team. They also make their SDK (software development kit) freely available.

Tags: 6984, dvb-s, dvb-s2, HTPC, mediaportal, tbs

Structured Cable at Home (‘F’ Patch Panel)

Jul 11th

Posted by RhysGoodwin in Home DIY

4 comments

Here’s a quick update on my structured cable at home. Hopefully it will give you some ideas if you’re looking to do something similar.  The main goal here was to run all 4 LNB outputs from my dish and my UFH antenna back to a single point.

RG6 quad-shield run up from the floor through the existing data cable channel.

I used a piece of powder coated aluminum which I cut from a 2U server rack blanking panel and ran the RG6 cables through the wall and terminated them with 'F' joiners.

I came across a great free 2D CAD application called DraftSight which I used to create a template for drilling the plate and the wall.

Completed and all back together – featuring the aptly named 'Patch'. The cables connected to the completed patch plate all go back up the channel to the TV Server PC in the cupboard above. I haven't cabled any of the rooms (except the lounge) because everything is delivered over IP, however I have pre-drilled at the back of the plate and half drilled the plate for future expansion.

I'd like to thank Godfrey, who supplied all the RG6, F connectors and tools, and also took the time to show me how to do PPC compression fittings. Kiwis: if you're in need of any of the gear to do this stuff, Godfrey trades through TradeMe and gives the best service and prices around!

Tags: coax, f connector, patch panel, rg6

Service Wrapper for oscam

Jun 25th

Posted by RhysGoodwin in Windows Desktop

7 comments

Ok this is one of those “if you need it, you’ll know what I’m talking about posts”!

I recently started using oscam and, since I don't like server applications that need to run in the foreground, I wrote a small Windows service wrapper to handle oscam for me.

Just drop it in your oscam folder and install it by running oscamSVC -install

Using oscam as a system service also overcomes the issue that some people have found with some USB card readers, such as the Omnikey, disconnecting or ejecting when a remote desktop connection is made to the PC running oscam.

Version History & Changes

0.3.5.0 – Current version

  • Added settings form (Loaded by starting oscamSVC.exe without any parameter)
  • Added start-up delay option
    Use this option if you see card detection errors in your oscam log. I did – even though I made oscamSVC dependent on the smartcard service.
    Adding the delay just lets Windows start a bit more which for what ever reason seems to help. It will be dependent on your reader.
    During the delay the service is kept in the ‘starting’ state so you can still add service dependencies using regedit.
    e.g. MediaPortal TVServer depends on oscamSVC.
  • Changed command line options from slash to dash
    (i.e oscamSVC.exe -install instead of oscamSVC.exe /install)

0.3.0.0

  • Initial public release

Requires .NET 2.0

Enjoy.

oscamSVC
Version: 0.3.5.0
Updated: 2011-06-25
Download: oscamSVC.exe - 23.5 kB
Tags: acamd, cam, mdapi, oscam, smartcard

Resin Cast Project Enclosure

Apr 25th

Posted by RhysGoodwin in Fabrication

38 comments

Project boxes available off the shelf always seem to be just too small or way too big! This is especially true here in New Zealand where the options between JayCar and SurplusTronics are fairly limited. I needed a specific size to house a project I'm working on so I decided to cast my own in polyester resin. I hope the details which follow will prove helpful.

Draw up a design – I used Google Sketch up. Make a box of which the inner dimensions represent the outer dimensions of your final enclosure. I used blocks of pre-dressed pine. You'll want to use something reasonably solid and screw it down to a base board so you get nice square vertical sides. For a base I used melamine board – it's nice and smooth and the resin won't bond to it. Your local kitchen builder will give you off cuts for free if they're nice.

Wrap the blocks with masking tape. This provides three benefits:

  1. The waxy surface of the tape acts as a barrier between the wood and the resin and makes de-molding easier
  2. It creates a nice flat surface to mold against
  3. It reduces the chance of the resin leaking out because it forms a seal as the blocks are pressed together and then screwed down

Put a mark on the side of at least one of the walls to indicate the height of the enclosure, this is where you will pour the resin up to.

Accuracy when cutting the wood is important if you want a professional looking result. Decide on a tolerance and stick to it. If you cut a length and it's not within tolerance then re-do it. If you don't, you're sure to be disappointed with the end result. Resist the "She'll be right" temptation – it won't be right! Errors are amplified at each stage of the process. I worked to 0.5mm. For me this was an excellent practice exercise in hand-saw and measuring accuracy.

Make a shape of which the outer dimensions will represent the inner dimensions of your finished enclosure. This is where you decide on the thickness of the enclosure walls. I made over-sized corners so that I had solid pillars to screw into.

Unless you've got a dead level work bench you'll probably need to set up a little platform that you can level off with screws – like this:

Mix up some resin and pour it into the mold up to the height you marked. Mix the resin and MEKP as per the instructions. I mixed towards the higher end of the 1%-2% ratio, about 1.7%. And please be careful with the MEKP. Don't even think of going near it without eye protection and gloves. MEKP is a severe skin irritant and can cause progressive corrosive damage or blindness.

Now the fun bit.  After a few hours the resin will be hard enough to remove it from the mold.  Unscrew and remove the inner blocks and as many outer blocks as you need to get the enclosure out.

It will be a bit hard to get out because the resin shrinks a little bit as it cures. It will probably also still be a bit sticky when it comes out.

Now on to the top and bottom sections.  You could just cut some flat plexi-glass for this but while we’re at it we might as well just cast them.  Clean up the enclosure with sand paper.  I used wet/dry from 120 grit up to 400.

Drill and tap the corners.

Use masking tape to mask off the areas where the resin will touch. Screw in 4 countersunk lid screws, leaving them out to the height you want the thickness of the top lid to be (I made mine 4mm). Make sure they are all exactly the same height.

Reassemble the outer box of the mold on a new piece of melamine and place the enclosure back in, screws down. The enclosure will have shrunk since it was last in the mold so use multiple layers of masking tape as packers to center it (use an even number of layers on each opposing side).

Make sure your platform is dead level and pour the resin into the mold so it just comes up over the sides of the enclosure. This will make a locking lip on the lid.

After a few hours you can de-mold the box with lid attached. It will be stuck to the board but just slowly ease it away, you almost have to peel it up. Don't try to knock or tap it. With a bit of luck you'll be able to remove the screws from the lid and take the lid off without too much difficulty. Making the lid this way takes care of the screw holes and countersinking.

Now repeat the process for the bottom lid. For the bottom I didn't mask it off because I wanted it sealed on – I don't need to remove it. I also made it a bit thicker so it's nice and solid for mounting to.

Once you're all done you can sand/polish the enclosure as much or as little as you like. I left it with a frosted look but you could shine it up to be completely transparent if you wanted. I also removed the thread from the holes in the lid.

Well, that's quite a process! But the result is good and it's good practice for accuracy, woodwork and resin casting. I tried a number of methods before I came up with this and it's by no means perfected; as always I'm keen to hear your ideas.

Tags: casting, electronics, enclosure, mold, plastic, polyester, project box, resin

iLO 2 Firmware Images, Cursor Keys and IE8

Apr 20th

Posted by RhysGoodwin in Windows Admin

No comments

A couple of things I came across with iLO today:

Plain Firmware Image .bin Files

I've got a DL360 G5 running VMware ESX 4 and I wanted to update the iLO firmware to the latest version. iLO has a firmware update page where you can upload a new firmware image file, but the plain image doesn't seem to be available for download at the HP iLO2 support page. To get it you need to download the Windows firmware update tool and extract the package using 7-zip.

Remote Console – Cursor Keys Don’t Work with IE8

To get around this, disable Protected Mode in IE or run IE as administrator (Windows 7, Vista etc.).

Tags: .bin, arrow keys, cursor keys, firmware, HP, ie8, ilo, image, protected mode

ADFS 2.0 – Choose Your Attributes Wisely

Apr 8th

Posted by RhysGoodwin in Security

3 comments

If you've read my last few posts you'll be aware that I'm in the middle of implementing ADFS 2.0 for Web SSO: SalesForce for starters, with more to follow. I'm yet to put it into production, but I was doing a bit of a sanity check today and something occurred to me. We send LDAP attributes as claims, and the attributes are accepted by our service provider as law. They trust our federation service; that's what federation is all about. Trust. There are a number of mechanisms that make it very difficult for someone to spoof an assertion. On the whole, the SAML protocol can be considered very secure. What it can't do is guarantee the validity of the source LDAP attribute.

Consider the scenario above. We're going to send the user's telephone number as a claim. Maybe unlikely, but it could happen: maybe you've got a SaaS provider, you've already got 500 users in the system and the telephone number is the only field you know is accurate between you and them. Unlikely? I know. But that's not the point.

The issue is this: in Active Directory the attribute telephoneNumber, along with a few other attributes, is by default self-writable.

Once Dave figures out that the telephone number is significant, he'll update his phone number in AD to Bob's phone number, launch the SaaS app and be logged in as Bob.

While there are only a few self-writable attributes in AD, and they're not ones you'd likely use for federation, it's important to keep the whole picture in mind; the problem could go beyond self-writable attributes. A couple of other situations I can think of off the top of my head:

  • Active Directory self-service applications that allow users to update attributes which aren't normally self-writable
  • Identity management systems which synchronise other systems to Active Directory. Not a problem in itself, but you might be moving the point of authorization for a specific application without realising it.

So choose your attributes wisely and make sure you know how, why, when and by whom or what they are written to before you decide to send them as federation claims.
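As an added example (written for this post, not part of ADFS or the author's setup), the Python below parses ADFS 2.0 "Send LDAP Attributes as Claims" rules and flags every claim that is fed from an attribute the user, or some other system, can write. The self-writable set (beyond telephoneNumber, which the post names) and the external-writer table are assumptions constructed for the example; the sample rule set is constructed too.

```python
import re
from typing import Dict, List, Tuple

# Added example (not from the original post). Audits ADFS 2.0 "Send LDAP
# Attributes as Claims" rules and flags claims sourced from attributes the
# subject, or some other system, can write.

# Constructed assumption: attributes a user can write on their own AD object by
# default. The post names telephoneNumber; the rest are an illustrative subset.
# Derive the real list from the ACLs in your own domain.
SELF_WRITABLE = {"telephoneNumber", "homePhone", "mobile", "pager", "wWWHomePage"}

# Constructed assumption: attributes written by other systems in this example
# environment (the two situations the post lists), attribute -> writer.
EXTERNAL_WRITERS: Dict[str, str] = {
    "mail": "identity management sync from the HR system",
    "title": "self-service portal",
}

TYPES_RE = re.compile(r"types\s*=\s*\((.*?)\)", re.S)
QUERY_RE = re.compile(r'query\s*=\s*"([^"]*)"')


def parse_ldap_claim_rule(rule: str) -> List[Tuple[str, str]]:
    """Map each claim type issued by one rule to the AD attribute that feeds it.

    An LDAP attribute rule carries types = ("t1", "t2", ...) and
    query = ";attr1,attr2,...;{0}" against the Active Directory store; the
    i-th type is filled from the i-th attribute. Rules without both parts
    (pass-through or transform rules, for example) yield nothing.
    """
    t, q = TYPES_RE.search(rule), QUERY_RE.search(rule)
    if not t or not q:
        return []
    types = [s.strip().strip('"') for s in t.group(1).split(",") if s.strip()]
    parts = q.group(1).split(";")
    if len(parts) < 3:
        raise ValueError(f"unexpected AD store query: {q.group(1)!r}")
    attrs = [a.strip() for a in parts[1].split(",") if a.strip()]
    if len(types) != len(attrs):
        raise ValueError(f"{len(types)} claim types but {len(attrs)} attributes")
    return list(zip(types, attrs))


def audit_claim_sources(rule_set: str) -> List[dict]:
    """Run every rule in a rule set (rules separated by blank lines, as the ADFS
    console shows them) through the writer tables and report risky sources."""
    findings = []
    for rule in re.split(r"\n\s*\n", rule_set.strip()):
        for claim_type, attr in parse_ldap_claim_rule(rule):
            if attr in SELF_WRITABLE:
                findings.append({"claim": claim_type, "attribute": attr,
                                 "writer": "the user (SELF)", "severity": "high"})
            elif attr in EXTERNAL_WRITERS:
                findings.append({"claim": claim_type, "attribute": attr,
                                 "writer": EXTERNAL_WRITERS[attr], "severity": "review"})
    return findings


# Constructed sample rule set: a Name ID fed from telephoneNumber (the post's
# scenario), an e-mail claim fed from mail, and a pass-through rule.
SAMPLE_RULES = '''@RuleTemplate = "LdapClaims"
@RuleName = "Send phone number as Name ID"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";telephoneNumber,mail;{0}", param = c.Value);

@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through UPN"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(claim = c);
'''

if __name__ == "__main__":
    for f in audit_claim_sources(SAMPLE_RULES):
        print(f"[{f['severity']}] {f['claim']} <- {f['attribute']} (written by {f['writer']})")
```

On the sample, the Name ID sourced from telephoneNumber is reported as high (Dave can write it himself) and the e-mail claim as review, since the sync job, not the user, controls mail.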

Tags: active directory, ADFS, attributes, federation, ldap, saml, SaaS, sso
All Content Copyright Rhys Goodwin ©2011