Webtop has default setup that can be configured to support SSO using either RSA Access Manager(formerly known as ClearTrust) or using CA SiteMinder Policy Server. The Documentum download site for EMC RAS plug-in from Powerlink lists documents for how to setup SSO for Webtop. The following link presented a document about the setup using SiteMinder.
https://community.emc.com/servlet/JiveServlet/previewBody/3809-102-1-12177/Netegrity%20Configuration%20for%20Webtop.pdf.

While searching for Webtop SSO solutions, I also found out that IBM presented a solution using Tivoli Access Manager (http://www-01.ibm.com/support/docview.wss?uid=swg24007434).

Needless to say, all these SSO solutions need additional proprietary components (either RSA Access Manager, or CA SiteMinder Policy Server, or IBM Tivoli Access Manager) to make it happen. Here I will present a way to set up SSO for Webtop where no extra component is not necessary. The approach is to rely on SPNEGO support from Internet Explorer or Firefox. The underlying authentication protocol is Kerberos. 

Environment

Even the solution presented here should be working with broader environments, the following is the system configuration I have been working with:

- Webtop 6.5 SP1 on Tomcat 6.0.18 under Windows 2003 SR2.
- Windows 2003 Server with Active Directory 2003
- JDK 1.6 used for Tomcat
- JRE 1.6+ used for IE or Firefox

Prerequisite

The only thing I can think of is that the users in Documentum repositories should have their login name set the same as their AD login name. How the users in Documentum were created was irrelevant here, and as long as they are not using inline password.

Preparation for the setup

As for understanding the basics about the approach, please implement the setup from the following two links (where each link has detailed explanation and references to other resources):

http://webmoli.com/2009/08/29/single-sign-on-in-java-platform/
http://spnego.sourceforge.net/spnego_tomcat.html

Please note when testing, the browser instance has to be on a different host other than the web server. That’s the requirement of Kerberos support from IE and Firefox. Configuration is also needed for the browser to support SPNEGO(see here).

After you have successfully run the above two samples, you may follow the following the steps to set up SSO for Webtop (actually the solution is an application of SpnegoHttpFilter, many setup already done will be re-used here):

Service Account

Make sure to get a service account from AD, say myssoaccount. Actually I was using the LDAP binding account that already exists for my Documentum setup. The account and its password will be used later. 

Service Principal Name 

The following commands are run to against the AD, which created the service principal names for the above service account (probably you need to ask your AD admin to do that for you):

setspn -a HTTP/mytomcatserver.mydomain.com myssoaccount 
setspn -a HTTP/mytomcatserver myssoaccount

SpnegoHttpFilter 

- Gets the source from SPNEGO SourceForge project

- Modify the implementation for SpnegoHttpFilter as following:

public void doFilter(ServletRequest request, ServletResponse response,
FilterChain chain) throws IOException, ServletException 
{
    HttpServletRequest httpRequest = (HttpServletRequest)request;
    // go through the negotiation process.
    SpnegoHttpServletResponse spnegoResponse =
         new SpnegoHttpServletResponse((HttpServletResponse)response);
    SpnegoPrincipal principal;
    try {
        principal = authenticator.authenticate(httpRequest, spnegoResponse);
    } catch(GSSException gsse) {
        LOGGER.severe((new StringBuilder("HTTP Authorization Header=")).append(
                   httpRequest.getHeader("Authorization")).toString());
        throw new ServletException(gsse);
    }
    if(spnegoResponse.isStatusSet()) {
        return;
    }
    if(principal == null) {
        LOGGER.severe("Principal was null.");
        spnegoResponse.setStatus(500, true);
        return;
    } else {
        LOGGER.fine((new StringBuilder("principal=")).append(principal).toString());
        // chain.doFilter(new SpnegoHttpServletRequest(httpRequest, principal), response); 
        HttpSession hs = httpRequest.getSession(); 
        if (hs != null) { 
            String principalAttr = "spnego_principal_"; 
            hs.setAttribute(principalAttr, principal); 
        } 
        chain.doFilter(request, response); 

        return;
    }

The reason to just modify the original source was for the purpose of simplicity. We could make a sub-class if class SpnegoHttpFilter were not defined as final class. Please note the hard-coded attribute name for SpnegoPrincipal spnego_principal_, which will be used later in the authentication scheme and could be a point to improve by using configuration parameter.

The compiled classes should be put under Webtop’s class path.

kbr5.conf

Create file kbr5.conf as the following:

[libdefaults]        
     default_realm = mydomain.com 
     default_tkt_enctypes = aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc  
     default_tgs_enctypes = aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc  
     permitted_enctypes   = aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
[realms]   = {
     kdc =  myactivedirectoryserverhost 
     default_domain = mydomain.com
}
[domain_realm]  
     .mydomain.com = mydomain.com

And put the file under Tomcat boot folder.

login.conf

create a file, login.conf with the following content:

spnego-client {  
     com.sun.security.auth.module.Krb5LoginModule required;
}; 

spnego-server {  
    com.sun.security.auth.module.Krb5LoginModule required  
    storeKey=true  
    isInitiator=false;
};

and put the file under Tomcat root folder.

web.xml for Webtop

Add the following section

   <filter>
       <filter-name>SpnegoHttpFilter</filter-name>
       <filter-class>net.sourceforge.spnego.SpnegoHttpFilter</filter-class>

       <init-param>
           <param-name>spnego.allow.basic</param-name>
           <param-value>true</param-value>
       </init-param>

       <init-param>
           <param-name>spnego.allow.localhost</param-name>
           <param-value>false</param-value>
       </init-param>

       <init-param>
           <param-name>spnego.allow.unsecure.basic</param-name>
           <param-value>true</param-value>
       </init-param>

       <init-param>
           <param-name>spnego.login.client.module</param-name>
           <param-value>spnego-client</param-value>
       </init-param>

       <init-param>
           <param-name>spnego.krb5.conf</param-name>
           <param-value>krb5.conf</param-value>
       </init-param>

       <init-param>
           <param-name>spnego.login.conf</param-name>
           <param-value>login.conf</param-value>
       </init-param>

       <init-param>
           <param-name>spnego.preauth.username</param-name>
           <param-value>your service account</param-value>
       </init-param>

       <init-param>
           <param-name>spnego.preauth.password</param-name>
           <param-value>password for your service account</param-value>
       </init-param>

       <init-param>
           <param-name>spnego.login.server.module</param-name>
           <param-value>spnego-server</param-value>
       </init-param>

       <init-param>
           <param-name>spnego.prompt.ntlm</param-name>
           <param-value>true</param-value>
       </init-param>

       <init-param>
           <param-name>spnego.logger.level</param-name>
           <param-value>1</param-value>
       </init-param>
   </filter>

before the following section in web.xml file

   <filter>
      <filter-name>WDKController</filter-name>
      <filter-class>com.documentum.web.env.WDKController</filter-class>
   </filter>

which would result in the SpnegoHttpFilter being called before the WDKController. The placeholders for account name and password should be replaced by the service account, myssoaccount and its password.

Also add the filter mapping to web.xml before the filter mapping for WDKController.

   <filter-mapping>
      <filter-name>SpnegoHttpFilter</filter-name>
      <url-pattern>/index.jsp</url-pattern>
      <dispatcher>REQUEST</dispatcher>
   </filter-mapping>

The  above initial parameter definition for SpnegoHttpFilter showed that NTLM and basic authentication are actually supported as well as Kerberos. When Kerberos support is not available (usually due to the browser configuration), it will fall back to NTLM, or then Basic authentication.  

MySSOAuthenticationSchema

Create a java class as the following and compile it. The class file needs to put under Webtop WEB-INF/classes folder. The package definition for the class can be anything you like. 

public class MySSOAuthenticationScheme implements IAuthenticationScheme 
{
    public SpnegoSSOAuthenticationScheme() {
        if(Trace.SESSION) {
             System.out.println(getClass().getName() + " starting ...");
         }
    }
    public String authenticate(HttpServletRequest httpservletrequest,
          HttpServletResponse httpservletresponse, String docbase) throws DfException 
    {
        String principalAttr = "spnego_principal_";
        HttpSession hs = httpservletrequest.getSession();
        SpnegoPrincipal spnego_principal = (SpnegoPrincipal)hs.getAttribute(principalAttr);
        String domain = null;
       String strUser = null;
       String s3 = "noop";
       if (spnego_principal == null) {
           return null;
       } else {
           String username[] = spnego_principal.getName().split("@", 2);
           strUser = username[0];
       } if (Trace.SESSION) {
           System.out.println("Trying to log in: " + strUser + " into " + docbase);
       }
       HttpSession httpsession = httpservletrequest.getSession();
       IAuthenticationService authservice = AuthenticationService.getService();
       String sTempDocbase = docbase;
       docbase = null;
       try {
           authservice.login(httpsession, sTempDocbase, strUser, getServiceLogin(s3), domain);
           docbase = sTempDocbase;
           if (Trace.SESSION) {
               System.out.println(getClass().getName() + " - Authentication succeed.");
           }
       } catch (DfException dfe) {
           docbase = null;
       }
       return docbase;
    }
    public String getLoginComponent(HttpServletRequest httpservletrequest,
       HttpServletResponse httpservletresponse, String s, ArgumentList argumentlist)
    {
       String principalAttr = CookieStringFinder.cookieString(httpservletrequest);
       HttpSession hs = httpservletrequest.getSession();
       SpnegoPrincipal spnego_principal = (SpnegoPrincipal)hs.getAttribute(principalAttr);
       if (spnego_principal == null) {
           if (Trace.SESSION) {
              System.out.println(getClass().getName() + " - null.");
           }
           return null;
       } else {
       if (Trace.SESSION) {
           System.out.println(getClass().getName() + " - sso_login .");
       }
       return "sso_login";
       }
    }
    private String getServiceLogin(String s)
    {
       StringBuffer stringbuffer = new StringBuffer(128);
       stringbuffer.append("DM_PLUGIN");
       stringbuffer.append("=");
       stringbuffer.append("myspnegossoauth");
       stringbuffer.append("/");
       stringbuffer.append(s);
       return stringbuffer.toString();
    }
    private static final String DM_PLUGIN = "DM_PLUGIN";
}

Please note the plug-in id was named as ‘myspnegossoauth’, which will be matched in the authentication plug-in definition for Content Server later. The hard-coded attribute name, spnego_principal_ was used to retrieve the SpnegoPrincipal in the scheme.

AuthenticationSchemes.properties

Update the properties file from Webtop installation under /WEB-INF/classes/com/documentum/web/formext/session/ as following:

scheme_class.1=com.documentum.web.formext.session.TicketedAuthenticationScheme
scheme_class.2=<the package name>.MySSOAuthenticationScheme
scheme_class.3=com.documentum.web.formext.session.RSASSOAuthenticationScheme
scheme_class.4=com.documentum.web.formext.session.SSOAuthenticationScheme
scheme_class.5=com.documentum.web.formext.session.UserPrincipalAuthenticationScheme
scheme_class.6=com.documentum.web.formext.session.SavedCredentialsAuthenticationScheme
scheme_class.7=com.documentum.web.formext.session.DocbaseLoginAuthenticationScheme

app.xml for Webtop

So far I have found out no changes to app.xml are necessary for the SSO setup to work. However, if you only have one repository, or want to use a different authentication service class, definitely you can do so by customizing the authentication section from the file.

Authentication plug-in

From your Content Server, make a backup of several files under $DM_HOME/install/external_apps/authplugins/sampleauth, such as sampleauth.cpp, sampleauth.so (sampleauth.dll if the CS is on Windows), and sampleauth.o.

Open file sampleauth.cpp and locate the line,

static const char pluginId[] = "sampleauth";

and change it to:

static const char pluginId[] = "myspnegossoauth";

The matching plug-in id to that from the authentication scheme would ensure that users would be validated by this plug-in.

In the same file, locate method dm_authenticate_user and make changes as the following:

  // Add the following two lines
dmTrace(traceEnabled, isTraceInitialized, traceFilePath, "Authentication-%s: ALWAYS Success.", userOsName);
return true;
// dmTrace(traceEnabled, isTraceInitialized, traceFilePath,
// "Authentication-%s: Failure. Unknown user or password", userOsName);
// dmSetProperty(outPropBag, DM_ERROR_MSG, "Sorry, I couldn't authenticate this user!");
// return false;

Yes, the changes would result in all the users who reach to this plug-in will be accepted by the plug-in. I will explain this later. Then compile the plug-in with available C++ compiler on your CS platform and set it up for the repository you want to run SSO. The CS administration guide provides details about how to implement authentication plug-in and how to set it up.

Internet Explorer and Firefox setup

The link SPNEGO SSO Browser configuration shows how to set up IE or Firefox to support SPNEGO.

For now, you should be able to make your Webtop SSO enabled. congratulations!

Further explanation

You may have noticed the authentication plug-in would accept any users. Is it a security concern? I would say No.
The SPNEGO protocol would make sure the users are trustworthy between Webtop server and the client (IE or Firefox). Only users who passed the security checking by SPNEGO with Kerberos (via KDC from the setup) will reach the authentication plug-in. The following is an exception for an user login from docbase log (the timestamp for each line was removed for clarity. Space lines were added as well):

.. AT 61102: Start-AuthenticateUser: ClientHost(), LogonName(myuserloginname),
   LogonOSName(SYSTEM), LogonOSDomain(), UserExtraDomain(), ServerDomain()
.. AT 61102: Start-AuthenticateUserName:
.. AT 61102: dmResolveNamesForCredentials: auth_protocol()
.. AT 61102: End-AuthenticateUserName: dm_user.user_login_domain(myldapconfigname)
.. AT 61102: success
.. AT 61102: Found dm_user.user_login_name(myuserloginname),
    dm_user.user_login_domain(myldapconfigname)

.. AT 61102: Start-AuthenticateDomain:LogonName(myuserloginname),
    UserExtraDomain(), auth_protocol()
.. AT 61102: AuthenticateDomain - no domain required:domainOverride(False),
    user_login_domain(myldapconfigname), serverAuthTarget(), userAuthTarget()
.. AT 61102: End-AuthenticateDomain:
.. AT 61102: success

.. AT 61102: Start-AuthenticateUserState:UserLoginName(myuserloginname), UserExtraDomain()
.. AT 61102: Start-AuthenticateUserState:
.. AT 61102: dmStateForUser: auth_protocol()
.. AT 61102: End-AuthenticateUserState:
.. AT 61102: success

.. AT 61102: Start-AuthenticateByTrust:OSLogonName(SYSTEM),
    UserLoginName(myuserloginname), OSLogonDomain(), UserExtraDomain()
.. AT 61102: End-AuthenticateByTrust:
.. AT 61102: failure

.. AT 61102: Start-AuthenticateByPassword:UserLoginName(myuserloginname), UserExtraDomain()
.. AT 61102: Start-authenticateByPlugin: UserLogonName(myuserloginname), PluginId(myspnegossoauth)
.. AT 61102: End-authenticateByPlugin:

.. AT 61102: success
.. AT 61102: End-AuthenticateByPassword:

.. AT 61102: success
.. AT 61102: Final Auth Result=T, LOGON_NAME=myuserloginname, AUTHENTICATION_LEVEL=8,
OS_LOGON_NAME=SYSTEM, OS_LOGON_DOMAIN=,CLIENT_HOST_NAME=,
CLIENT_HOST_ADDR=xx.xxx.x.x, USER_LOGON_NAME_RESOLVED=1, AUTHENTICATION_ONLY=0,
userID=xxxx xxxx xxxx xxxx, USER_NAME=My User Name, USER_OS_NAME=myuserloginname,
USER_LOGIN_NAME=myuserloginname, USER_LOGIN_DOMAIN=myldapconfigname,
USER_EXTRA_CREDENTIAL[0]=, USER_EXTRA_CREDENTIAL[1]=, USER_EXTRA_CREDENTIAL[2]=F,
USER_EXTRA_CREDENTIAL[3]=, USER_EXTRA_CREDENTIAL[4]=, USER_EXTRA_CREDENTIAL[5]=T

The user authentication log shows there are several steps for an user to be authenticated to a repository. First of all, the user has to be existing in the repository. Secondly the user domain is checked (I guess this step would branch into different path based on user’s setup method, i.e. inline password, LDAP authentication, or authentication plug-in, and so on). Then the user state is checked. And then the trusted login is tried with the user. Usually it would fail unless the user is the installation owner. Lastly, the user is checked with his/her login credential. From the log, only the last step would involve the authentication plug-in when necessary. Apparently the Content Server uses other means to make sure the user has to pass the previous several steps to reach the last checking.

During my testing, only a valid user would be able to reach the last step where the plug-in is being called to verify the user. Since the SPNEGO protocol has made sure the user is from our trusted domain, it will be safe for our authentication plug-in to accept anyone who has ‘entitled’ with the ‘myspngossoauth’ identifier and come this far.

Hopefully I have clearly stated the necessary steps to implement the SSO solution. Please leave your questions or comments if you run into any issues.

As the writer/director/producer on KERBEROS, I had the excitement and joy of working with a really talented cast. And it’s a huge cast! I think 54 scripted speaking parts. My leads, Stan Harrington and Rob Pralgo, already accomplished actors and along with me, embody the three heads of the hellish hound. Stan and Rob seriously chew it up, and though many of the broad strokes were written for them, they bring amazing interpretations and nuance to their roles. These guys come across as A-list actors – they embody their roles, dominate the screen when they are on it, and brought a wealth of experience to the working situation of creating such ambitious characters. And in Rob’s case, got to help and mentor one of our other actors while doing it.

Whitney Sullins, pretty much unknown even locally, is not only beautiful, not in an artificial way in the least, but some stunning, innocent, sweet way all her own, brings such a genuine performance that everyone who sees her can only imagine her as a future star – and a not too distant future at that! She plays it as the girl it was written as – brave within her fear, strong within her weakness, always genuine, always with a complexity of emotions dancing subtly beneath the surface. As director and writer, I can’t wait to create something for her again, and to know that I am again a part of her journey.

So what about the next round of roles? Chris Burns, Ted Huckabee, Mark Harris, Courtney Hogan, Vince Canlas, and Jess Dillard? Playing a not such a bad guy, a seriously bad guy, a not such a good guy, not such a bad girl, a mysterious badass, and the badass surprise. Not for a moment do they let it down. These roles pushed and pulled as much as the main leads and again these actors bring a wealth of both subtle and not so subtle facets to their characters. These characters are deep – as a writer I was determined to make them as complex as the main three, and again they all bring it. And in some ways a tougher job as in they have slightly less screen time – and yet still convey the many sides to their roles. You can feel and see the backstory on each, imagine their dreams for the future, and watch them give one hundred percent to their roles.

And these are big roles! Huge in fact. They all have major screen time and are absolutely integral to the story. When the movie comes out, I hope people rent or buy and take time to watch at least a couple times to see all the levels they bring to every moment they are in the movie.

So what’s this got to do with being the editor? Let me switch hats here… It’s because I get the joy everyday of watching these badass performances in a badass movie by truly badass actors. Having to micro-manage and study each frame in crafting together the movie I want, I get to watch the hundreds, collectively maybe thousands of small things they do that make their performances such a pleasure.

I am not having to edit around performance in this film at all, which having worked on many other projects as the editor and ‘fixer’, this is a real rarity. Ask any editor!

Chris had arguably the most uncomfortable role of the movie, physically and maybe emotionally. Chris always brings it, which is why such a tough part was always his, he’s the actor I KNEW would never these scenes down. Ted is a genius, seriously, and brings so many things to the table that it would be easy to focus on his performance alone in everyone of his scenes, but he is competing with Stan in all the same scenes, who delivers his own captivating performance at all times. The hardest part of editing their scenes was deciding which amazing shot, expression, or delivery to use at any one moment. But watching these two guys go at it is one of the real pleasures in this movie!

Courtney, the girl next door beauty – yeah you wish – again is put through hell in this movie – physically and emotionally – as the editor I get to see the small, almost unnoticed touches on her performance every day. Each time I watch this film, maybe a couple thousand times by now – I find more and more on all these actors and stay in awe of them.

Vince, who probably felt abused during the shooting as he needed to be in so many scenes and yet had so few lines or actions, was absolutely needed in all those scenes! He is the one guy who doesn’t need to say anything at all and yet can dominate the frame and keep focus riveted on what’s going on behind a face that films and picks up light in some magical way from every angle in any light.

Mark Harris had to bravely play a role that was not only heart wrenching, but closer to the bone than I hope any of us ever have to deal with. His role too is vital, and the honesty he brings to it is liable to stay with the viewer a long time after the film is done.

And who the hell is Jess Dillard? Jess is the real deal, the real life version of the tough guy part of my character in the film. Having seen every moment forwards and backwards, there is not one moment of his performance I would change in any way. And like my character Mike Finn in the movie, Jess is tough enough in real life he doesn’t have to wear it on his sleeve; it’s just there, even while he’s playing a human that the rest of us can relate to.

So that’s like 10 people already… 10 badass performances (yeah – I threw myself in there too)… but what about the other 40 something parts. This is a no budget indie film - the rest must just suck! Nope – not even close – they ROCK IT – SLAM IT – and BRING IT!

I’m constantly amazed - I know I wrote and directed it – how much screen time all these guys have! Jon Everry as Skinny – he has to be on screen at least 10 minutes… that’s a LOT of screen time! And he is frigging great every moment of those 10 minutes! Really great!

Todd Denson is great in his one 3 minute scene (3 minutes is long time on screen – it only takes one second to screw it up – and Todd nails it), as is Adam Rice in his scene – pitch perfect in every way.

Haji Golightly gives a showcase performance with Stan and Ted doing the same in another scene that people will talk about after the movie.

I can’t mention or talk about every actor in every scene – though I’ll try in one of the director’s commentaries. Kaliah Walker and Alan Coleman, along with Ricky Brown who was so good in his audition that I agonized about how to increase his role – even considering having him play one of the main three.

And John Curran and Adam Boyer. Good grief – these guys are SO BADASS! John is one of those rare people that stays compelling on screen even when he is just standing there. Ultimately he has a pretty big part – and again I marvel at how much screen time all these guys get in the same movie. Their counterparts in the story, Attila Alexander and Kevin Coyle are equally good. Kevin says his lines perfectly straight, and yet somehow is the comic relief of the movie. All these smaller parts could have moved into the major roles and kicked ass there as well.

That’s one of the hard parts in casting such a small budgeted film to fill the small roles with quality, and yet the depth of acting on KERBEROS is exceptional. The list goes on and on…

The two arrogant cops, Quint von Canon and Jason Guiliano. One of the telling signs there is that Brad Fallon – our Exec Producer – was amazed how great these two cops were at acting – not even recognizing one who he’s worked with before on my short film DUST TO HEAVEN. He was shocked and nearly in disbelief when I told him they are actors not cops. They killed it! They also have to fight and of course get their asses kicked. Quint throws his body backwards across screen as well as any Hollywood stunt man with no pads, no questions asked, and no hesitation.

Lauren Roden as the ‘drunk hottie’. Should be easy to sit there and pretend you’re drunk right? Not a chance… it’s one of the hardest things to do well, to play out of control while being in control enough to do the part. And to convey the half dozen small things that informed about our main character at the same time. Oh yeah and look sexy – easy for her – drunk – I guess it was easy for her – vulnerable - it’s there – and oh yeah - you have to do all that as the secondary character of a 60 second scene. She’s great and I am so happy for every bit of it every time I see that short scene.

Ray Lloyd, world champion pro wrestler turned actor. Again, a lot of screen time, a hugely important role, and he not only looks perfect, his tone, his voice, and his acting is spot on. Ray will be the one pro wrestler besides Dwayne Johnson, (and Roddy Piper before him) that gets known for actually being able to ACT.

There are at least 2 dozen more actors I would love to use in a film again. Tim Perez who had one simple line and 10 seconds to make an impression. He does. A dozen guys who stepped in for one night – a very long, complex night of filming, and are absolutely great. Dave Gara from SKID ROW stepped in for one scene and a couple lines. I would cast Dave again in heartbeat. Constantine Verazo who played a small, integral part in my first film, and came back to do it again here. The Amazing Amanda – two short simple lines – but you see the thought process going on that drives them as the words come out perfectly. I‘ve seen 50 million dollar movies that don’t have that!

As the editor, I get to see these performance every day for the past year. It’s fun watching them as I add the polish and color grading, the sound fx, and the songs and musical score. It was fun watching them eight hours a day on a 30 foot screen day after day as we did the sound mix at Twickeham Film Studios in London. It was fun watching the sound engineers from that prestigious studio watching these same performances and trying to answer their questions as we worked about who all these guys were, knowing that they felt the same things I did about them.

And it’s going to be fun as KERBEROS starts to get out there, on the fest circuit and beyond, to watch people’s reactions as the watch so many unknown actors tear it up in a movie that does the same!

kely mcclung

Been quite some time since I last updated. Been busy with some RL stuff. Anyways, on to the release update.

From Toy-World.com via Ngee Khiong

• Bandai MG Astray Red Frame Kai, February 2010, 5,250円
• Bandai MG Exia Trans-Am Mode, Release Date and Price TBA

From Amiami.com

• Revoltech Yamaguchi Date Masamune White Costume ver., January 2010, 2,286円
• Revoltech Yamaguchi Sanada Yukimura White Costume ver., January 2010, 2,286円
• Kerberos Saga Kai Tetsuro GENX CORE, December 2009, 7,240円

From Gunpla.jp via Ngee Khiong

• Bandai MG Sinanju Titanium ver., February 2010, 12,600円
• Bandai MG Unicorn Gundam OVA ver. SP Pack, March 2010, 7,350円
• Bandai MG Unicorn Gundam OVA ver. , March 2010, 5,250円

Okay maybe only thousands… but tell that to Cameron!

But what about the movies that cost less than 1/4000 of that budget? A lot of the same details have to get done.

Titles. These can be extremely simple or major productions in their own right. On the low budget indie scene, there are few filmmakers knocking out Kyle Copper style work, but why not try? I would guess on these small indie budgets the biggest factor is time rather than money. Of course not many people have that kind of talent either! And even on the most simplistic titles, someone must take time to determine the fonts, the kerning, the leading, the pt size, the color, the duration, which ones to include, the order, the spelling. Then comes the compositing, the timing, the music choice, and the integration and rendering.

If you are not an artist, or a graphic artist, you should probably find someone who is. And then you can add in the time to plan, discuss, demo, and approve that work.

Fortunately for me, ( I think) is that I am an artist. I draw, paint. model in clay, do wire sculptures, and am pretty adept at both Photoshop and After FX. Because of those abilities, I watch, read, and study details like titles, in the knowledge that I can contribute world class work to my own films, regardless of the budgets. There are some great books out there, Kyle Cooper’s (Se7en, Spiderman) is one of the coolest, and of course he is one of the best known and most prolific of the big budget Hollywood title designers. And most people remember James Bond movies openings as sexy, clever, and as high end music videos for the songs that almost always become hits. Some great titles can be found at www.watchthetitles.com/

I know there is a trend to put the titles at the end now, to move the story along, and in the right film I might do that also. But not on BLOOD TIES and not on KERBEROS.

The titles accomplish a few things that I think are very important besides just splashing our names on screen. One is for the audience – even if it’s a single viewer – to have that moment to make the transition from sitting down in a theater after driving there and standing in line, or turning on the player, finding the remote, and getting comfortable in their living room. It helps sets the mood of the film, and again prepares them for what’s to come. It can convey back story, story concepts, and themes that help bring the viewer up to speed. This tends to be the way I am using my titles.

I think it is also a way to prep a person as to the quality of what they are about to see. If the first 2 to 5 minutes of the film are kick ass, done with meaning and thought and accomplished execution, then the audience will be more predisposed to watch the rest with interest and engagement.

And for the low budget, micro budget, no budget filmmaker? Because most or all of it can be done as computer graphics, utilizing combos of footage, stills, photos, typography, and CG, there is little excuse for their quality not to be first class. A single bad line of acting or a bad effect can kill a film; if the titles represent 2 to 5 minutes of what people are putting their time in to watch, then they better be good. And of course, why not try to be great!

And in the case of my current hard core crime thriller KERBEROS – I’m lucky enough to have truly great song by Katy J that sets the tone of my lead character and the story to follow.

To see some stills pulled from my own work on the KERBEROS title sequence… If you click on the images, a larger version can be seen.

Making movies!

kely mcclung

The Question Submitted To Me

A manager at my company asked me this question. I told him that I didn’t know for sure but I didn’t *think* Kerberos authentication would affect connection pooling. I put on my thinking cap at this point and told him that the connection pool in an ADO.Net application (he was concerned with only .Net apps) was keyed on the connection string so, I told him, if the connection string didn’t change between users then a single connection pool would be used for all users.   

I went on to tell this manager that with Kerberos authenticated users, the connection string would be a trusted connection string without specific credentials for each user. Since the connection string would be the same trusted connection string for all users, there would be one connection pool for all of the Kerberos authenticated users.   

After telling him the above information, he asked me to put together a test to document my findings so I set about to create a test which could prove this one way or the other. However, at this point I was pretty sure I was right because it *seemed* right given everything I knew.   

Boy, was I in for an eye opener.   

Overview Of My Test

The test I came up with was to write a test client which connected to a web service on another machine. This web service would then connect to another web service on a second machine. This second web service would then connect to a SQL Server database on a third machine:   

I setup these machines in my trusty hyper-v environment I used for the Sharepoint 2010 farm.   

To validate my theory, I decided to create 5 domain users: user1 – user5 and run each of them through my test one by one. I figured at the end of the test, the SQL Server would have either 5 seperate connections for each user or it would have one session which was shared by each user in the connection pool.   

At this point, I had been doing a lot of reading on Kerberos and I ran across a document from Microsoft which flat out told me that Kerberos authentication would defeat the connection pool. However I still thought I was right and decided that I’d ignore that document, maybe they were taking about an issue that didn’t apply to this environment. Besides, I was in the midde of setting up this test and I wanted to finish it.   

Running The Test

My test client presented a menu and gave the user an option of calling one of two operations:

WhoAmI()  – Returns the identity of the caller. Returns both the thread identity and current windows identity.

Here is a screen shot of the WhoAmI() test:

WhoAmI() Test Results

ExecuteSQLServerDBCommand() Test Resuts

SQL Server Configuration

I’ll start with the SQL Server endpoint of my test because its going to be easier to explain each endpoint by starting at the end and working my way back to the test client.   

My SQL Server was a SQL Server 2008 instance running on Windows Server Standard 2008R2. I created a simple database named KERBTEST and gave all 5 domain users access to it:   

KERBTEST SQL Server Database

WCF Web Service 2

        #region IService2 Members

        [OperationBehavior(Impersonation = ImpersonationOption.Required)]
        string IService2.WhoAmI()
        {
            string result = String.Format("{3}System.Security.Principal.WindowsIdentity.GetCurrent().Name = {1}{0}System.Threading.Thread.CurrentPrincipal.Identity.Name = {2}{0}"
                , Environment.NewLine
                , System.Security.Principal.WindowsIdentity.GetCurrent().Name
                , System.Threading.Thread.CurrentPrincipal.Identity.Name
                , GetDecoratedFunctionName("WhoAmI"));

            return result;
        }

        [OperationBehavior(Impersonation = ImpersonationOption.Required)]
        string IService2.ExecuteSQLServerDBCommand(string dbcs, string commandSQL)
        {
            StringBuilder result = new StringBuilder();

            result.Append(GetDecoratedFunctionName("ExecuteDBCommand"));
            try
            {
                using (SqlConnection conn = new SqlConnection(dbcs))
                {
                    conn.Open();

                    SqlCommand cmd = new SqlCommand("select @@SPID", conn);
                    string spid = cmd.ExecuteScalar().ToString();

                    cmd = new SqlCommand(commandSQL, conn);
                    int rowsEffected = cmd.ExecuteNonQuery();
                    result.Append(String.Format("SQL Server connection established:{0}\tSPID = {1}{0}\tCommand executed. Rows effected = {2}{0}"
                        , Environment.NewLine
                        , spid
                        , rowsEffected));

                    conn.Close();
                }

            }
            catch (Exception ex)
            {
                result.Append(String.Format("{0}{1}", Environment.NewLine, ex.ToString()));
            }

            return result.ToString();
        }

        #endregion

WCF Web Service 1

I wrote this web service as a WCF web service also that was configured for Kerberos authentication. This web service had the same operations as Web Service 2 (WhoAmI() and ExecuteSQLServerDBCommand()).

The WhoAmI() operation did the same as the WhoAmI() operation in the second web service and then called WhoAmI() on the second web service.

The ExecuteSQLServerDBCommand() operation did nothing in this web service except call the ExecuteSQLServerDBCommand() operatin in the second web service.

A partial block of the code in the WCF Web Service 1 is shown below: 

 

        #region IService1 Members 

        [OperationBehavior(Impersonation = ImpersonationOption.Required)]
        string IService1.WhoAmI()
        {
            ServiceReference2.Service2Client svc = new WcfService1.ServiceReference2.Service2Client();
            svc.ClientCredentials.Windows.AllowedImpersonationLevel = TokenImpersonationLevel.Impersonation; 

            string result = String.Format("{3}System.Security.Principal.WindowsIdentity.GetCurrent().Name = {1}{0}System.Threading.Thread.CurrentPrincipal.Identity.Name = {2}{0}{4}"
                , Environment.NewLine
                , System.Security.Principal.WindowsIdentity.GetCurrent().Name
                , System.Threading.Thread.CurrentPrincipal.Identity.Name
                , GetDecoratedFunctionName("WhoAmI")
                , svc.WhoAmI()
                ); 

            return result;
        } 

        [OperationBehavior(Impersonation = ImpersonationOption.Required)]
        string IService1.ExecuteSQLServerDBCommand(string dbcs, string commandSQL)
        {
            StringBuilder result = new StringBuilder();
            result.Append(GetDecoratedFunctionName("ExecuteSQLServerDBCommand"));
            try
            {
                ServiceReference2.Service2Client svc = new WcfService1.ServiceReference2.Service2Client();
                svc.ClientCredentials.Windows.AllowedImpersonationLevel = TokenImpersonationLevel.Impersonation;
                result.Append(svc.ExecuteSQLServerDBCommand(dbcs, commandSQL));
            }
            catch (Exception ex)
            {
                result.Append(String.Format("{0}{1}", Environment.NewLine, ex.ToString()));
            } 

            return result.ToString();
        } 

        #endregion 

Results

I ran my test and executed 2 ExecuteSQLServerDBCommand() operations. One for user1 and one for user2. Remember that ExecuteSQLServerDBCommand() would return the SPID of the current connection so if I was right and Kerberos authentication did not affect the connection pool, then the same SPID would be returned for each user in my test.

Here is a screen shot of that test:

Gotcha!! I won’t be bitching again about Sweden . You thought I would , right ?

Actually the phrase comes from a Swedish band’s song [1] .As funny as it may seem , it speaks the truth . Give them a try, you ‘ll might like them , even if the language can be a problem for those not interested in Swedish . Imagine a Swedish guy blogging about a song by “Διάφανα Κρίνα” . No way.

Anyway, for those with sharp eyes, or for those who visit on a standard basis ( heh, good one, i know) you might have noticed that is the second post in a day . And if you are in the privileged* category of those who actually know me well enough , you’re right, it can only mean one thing : There is something really important I should be doing instead .

Well, have you heard about Kerberos ? In Greek mythology it was a vicious 3-headed dog that guarded the entrance of Hades. Hades is the Greek version of hell. Same shit, different name. And you might be thinking : “Wouldn’t it be better if it guarded the exit instead ?” I seem to agree, I can’t think of anyone willing to attend the party uninvited , but on the other hand “Hell is for heroes [2]” (another band that is worth a try) .Anyway, Kerberos is also the name of a service providing authentication in a network. Clever guys in MIT designed it some years ago, which means we , less-clever, guys need to study it. Along with PKI, DES, AES, CBC , EBC, PKCS, SHA, MD5, SSL, PEM, S/MIME and all sorts of interesting acronyms. Well , we didn’t. Up yours , smart asses.

*You would need to be in the privileged category stated above to understand that it’s sarcasm**

** You would need to be in the privileged category stated above to understand that I mean it.

[1] http://www.youtube.com/watch?v=SbM7BZYyc1c

[2] http://www.youtube.com/watch?v=v3TnkmFrtMA

KERBEROS is SO close… changing out the small list of sound effects that bother me, adding in the few that were missing, and making minute adjustments to how songs and score weave their way in and out. Most of these are things that have bothered me since the beginning, and many I recognized even when we were in the throes and rush of the mix at Twickenham. Others have taken these couple weeks of distance form that rushed work, others still have been discovered as the bulk of the sound has been crafted and now leave these last minute adjustments wanting.

And last, a few of these final effects and tweaks are being taken on as a best somewhat educated guess – trying to take in how the movie may sound on a computer, a TV, or a home theater system, as opposed to the full blown Dolby calibrated mixing theater. These are all things that normally Twickenham Film Studios would have been able to test while I was there, and make our adjustments while still loaded in Pyramix project with the benefit of the massive Harrison console; not to mention the advantage of the opinions and experience of a kick ass BAFTA winning sound engineer like Craig Irving and our Sound Supervisor Rob James, (though they will be the first to tell you that I have a very definite sound I am going for – so if something doesn’t work – I’ll gladly take the blame!)

So, I am sure that dropping it back into Premiere and trying to load the dozens and dozens of pieces that make up the full assembly, and mixing not only on my radically reduced sound systm here and mixing ont he desktop with a mouse, that I am bound to be creating some small technical issues. But, I am moving slow, deliberate, and trying to sign off.

Last of course is the credits – which are now in their 50th incarnation… between misspelling, typos (hey – these hands were made to hit people not type), and the gathering up of names and genuinely trying to give credit to everyone who worked on this film or contributed in any way – big or small – is a huge task in itself. For those who have never done it themselves, it’s also the consideration of the the typography – the font, the point size, the kerning and leading, and then the speed so as to look best on all mediums. Timing them with the music, and then of course the order and coherency of the entire piece. The logos and the disclaimer and the…

Someday, I’ll have people to do all this. Or maybe – I hope not – I’ll have no say in it at all and will be ‘just’ the director. I can already tell I’m going to miss it.

Soon comes one of the stages of the 50 million steps in making a movie – the marketing!

But not quite yet… I still have those final final touches…

For more info on the mistakes and triumphs of making this movie – check out the website and feel free to touch base with twitter

What’s in a name? Kerberos – or the cur (hard K sound) of Eberos? While working with Rob James and Craig Irving at Twickenham Film Studios outside of London in St Margarets, the question came up repeatedly from those stopped in for a quick peek (might have been the screaming, yelling, slamming punches, gunshots, and car crashes that I kept pushing to be louder and be more violent!)

For more detail of the name and my rationale for the violence in this movie, see an earlier post KERBEROS – Another Violent Movie

So past that, with the acceptance that Kerberos has 3 heads, the idea of 3 became important to me in the writing and construction of the story and script.

The name – Kerberos – the three heads were represented to me by 3 main characters – Mike Finn (Kely McClung), Lester Armstrong (Robert Pralgo) and Tony Menacci (Stan Harrington).

Finn has 3 friends in the movie; Katie (Whitney Sullins), Burns (Chris Burns), and Big John (Ray Lloyd).

There are 3 important women in the story; Katie – his young friend who is the catalyst of all the action everyoine else takes, Vivian – (Courtney Hogan), the unrequited love interest whom Finn constantly stands up for, and Sarah Michelle – his deceased daughter who’s death drives Finn’s constant attempt to put his violent nature behind him.

Armstrong has 3 main ‘henchmen’; Grant (Jess Dillard), Burton (Mark Harris), and Lo Wei (Vince Canlas). Besides the story points and scenes they all have throughout, Finn deals with each of the 3 in 3 separate action scenes.

Finn has 3 sources of information which drive part of the story; Jimmy, Joey, and Skinny. (played with awesome gusto and showcase performances by Todd Denson, Adam Rice, and John Everry)

A bit of through line? Yep… and hopefully on at least a subconscious level it plays on people’s sense of organization and understanding of the story. 3 different people invade Finn’s apartment as they and the audience piece together his story. Mennaci has 3 scenes of killing people, Armstrong has 3 very definite arcs and acts to define his character, and exists in the story in 3 locations. It goes on, and now I admit that some may have been coincidence or at least subconscious. They are 3 car scenes, there are 3 shootouts, there are 3 bars. And like many screenplays of course – 3 main acts.

If I have done my job right, no one will notice the above construction, they’ll just enjoy the movie and the performances. But hopefully the levels of storytelling and contruction bring people back to watch a second and ‘3′rd time, and discover or at least sense that I at least tried to push the story to deeper levels.

And as someone just pointed out to me – counting my first feature BLOOD TIES and my only short film AM SESSION, this is my ‘3′rd film…

–
“Film is Forever”

Kely McClung

follow me on twitter

http://www.twitter.com/kelymcclung

This post is mainly written for the fine IT staff at the College of Public Programs, but if you’re an ASU student and need access to ASU’s AFS servers (more commonly referred to as My Docs), here’s what you do:

In a terminal running as root (you may need to type sudo su and enter the root password):

apt-get install openafs-client openafs-modules-dkms openafs-krb5 krb5-config krb5-user

In the installation process, when you’re presented with the “AFS cell this workstation belongs to” dialog, type in

asu.edu

The next dialog asks about the local AFS cache on your workstation.  The default is 50,000KB.  I normally accept this proposal.

OpenAFS and Kerberos are now installing themselves on your computer.  The process takes about 5-10 minutes depending on your hardware.  Quick note, however: the install will look like it’s hung.  It hasn’t; it’s just OpenAFS installing its kernel modules into DKMS.

Find krb5.conf at /etc/krb5.conf. Copy krb5.conf from another ASU machine, click here to download it, or modify it manually to contain:

[libdefaults]
default_realm = ASU.EDU
dns_lookup_kdc = true
default_tkt_enctypes = des3-hmac-sha1 des-cbc-crc
default_tgs_enctypes = des3-hmac-sha1 des-cbc-crc

[realms]

ASU.EDU = {
kdc = krb1.asu.edu:88
kdc = krb2.asu.edu:88
kdc = krb3.asu.edu:88
admin_server = krb1.asu.edu:749
default_domain = asu.edu
}

[domain_realm]
.asu.edu = ASU.EDU
asu.edu = ASU.EDU

[logging]
kdc = CONSOLE

Restart OpenAFS Client service

/etc/init.d/openafs-client restart

Now the tedious part.  Making sure you’re not root, each time you want to authenticate into AFS, in a terminal, run:

kinit asurite -l 1d

being sure to replace “asurite” with your actual ASURite ID.  You’ll be prompted to enter your password – it’s the same password you use to authenticate to other ASU services. Then:

aklog

And now you’re in!  If you have problems, then run (as root):

/etc/init.d/openafs-client restart

and if that fails, then check your network connectivity by going to a website like asu.edu.

Now, where are my files?  Each ASU student gets 4 GB of storage space that can be used for anything, really, but it’s most commonly used with My Apps.  If your ASURite id is “asurite”, then your space is accessed at /afs/asu.edu/users/a/s/u/asurite (note the three one-letter folders that correspond to the first three letters of your ASURite id.

And that’s it! Whenever a new kernel is released, DKMS will automatically rebuild the OpenAFS kernel modules into that new kernel.  It sure saves the hassle of having to rebuild the kernel modules by hand.

-Edward Jensen

The KERBEROS budget is at best maybe defined as a ‘micro-budget’ film (or movie for you die hard purists), certainly more than pocket money but radically less than the definitions of somewhere like the London Independent Film Fest of £100k or Mark Stolaroff’s cut off of 250K! How many movies could we make for that?

The idea that I did my final mix at a prestigious, world class facility with BAFTA winning sound mixer Craig Irving, and noted sound tech guru Rob James, spending a huge percentage of our total budget for the final polish, must be a rarity if not an actual ‘first’. It certainly was for Twickenham, a facility that has worked on films from Neil Jordan’s CRYING GAME to Shekhar Kapur’s ELIZABETH: THE GOLDEN AGE to Richard Linklater’s ME AND ORSON WELLES.

I’ll try to write about my reasons, how the opportunity developed, and the work flow that still continues as I move into the the final stage, creating delivery materials. On top of that of course, what the mix did for our film, how the collaboration with Craig and Rob worked out, their contribution and what working with their experience and talents brought to the table, and the reasons work continues back on my desktop before I can move on to the next project.

A huge part of the soundtrack is music – maybe even more in film like this where the music is not just an integral part of mix, but is creatively designed to help hide what could otherwise be sound issues. With a crew many times of just 2 and 3 people, sound suffered! And unlike those filmmakers who are smart enough to create amazing stories that have limited locations and actors, KERBEROS was conceived to look huge, and then seemed to grow on an almost daily basis as I pushed all available limits.

Of course, all of this is simply my perspective, (the only one I’ve got!), but I hope it can be useful and I know I would of loved to have had this information as I made decisions on my own film. I’ve always wanted these blogs and the website to be a resource for other filmmakers as much as a way of showing off what we pulled off.

A lot of info coming!

Follow me on twitter for updates and news

http://www.twitter.com/kelymcclung

Where are we at?

Well, if you are one of the other dozens of people who worked on the feature film KERBEROS, you are probably onto dozens of other projects. Well, maybe not dozens, but you have certainly moved on, which is how it should be.

As the producer/director, my job has been and still is, to make this feature and everyone’s work in it as polished and powerful as possible. Coming up on 2 years of work, and I have loved nearly every minute of it. So… not quite done, but so close… which brings us back to – “where we at?”

So much to tell, and getting this blog up and running is a part of that. A part of making movies in the modern age – as in the last 2 to 5 years anyway. Easy to put up a blog, but the one hosted by my website hosting company has not been working correctly and so tired of fighting with them, I have jumped ship long enough to put this together. Hosted out of WordPress, that’s about 5 minutes of work! If it all was this easy…

I’ve got a lot of information coming, both about KERBEROS and filmmaking in general, and I can only hope that like a good movie, it entertains and inspires.

I just returned from working in London with re-recording mixer Craig Irving and former BBC sound editor/mixer Rob James on polishing our sound. Both took on the job of making our film better, and we mixed in the primary sound theater at Twickenham Film Studios where Craig is co-managing director of the facility. Craig is a world class re-recording mixer and Twickenham Film Studios is arguably one of the elite, pretigious mixing theaters of the world. John Madden, Richard Linklater, Richard Attenborough, Kenneth Branagh, and Mikael Håfström have all worked and completed films there.

I have a lot to say and write about the benefits of working with such talents as Rob and Craig, as well as many of the issues we dealt with in porting a desktop production into a multi million dollar facilty.

On top of that, I feel like an entire book could be written about the music, both the score and the more than a dozen songs from Katy J, Gretchen Lewis, Dawn is Broken, Uncle Daddy and the Kissing Cousins, Fastrack, Cafe Medula and ToeHider. These bands represent both sides of the US, and stand strong for the musical talents of Melbourne, AU. I’ll be writing a lot about them all, and the huge contribution they make to our film.

Oh yeah? Where we at? I can’t speak for everyone, but I’m right here – making movies!

More coming!

Hi,

Here the placement for System Administrator – Abu Dhabi, UAE.

Position : System Administrator

No.Of Openings : 3

Experience : 3 years.

Qualification :

Location : Abu Dhabi, UAE.

Required Skill set :

• General understanding of Microsoft Windows Server OS and supporting systems including SMTP, Sites and directory object management.
• Knowledge of basic networking protocols such as TCP/IP, Kerberos and SNMP.
• Understanding of Server hardware and peripherals.
• Knowledge of Microsoft Windows based Operating Systems, networking best practices and troubleshooting techniques/
• Experience with Dell hardware and Dell Blade Servers.
• HP and/or Dell certification a plus.
• Hands on experience with a helpdesk ticket system. Remedy is preferred.
• Team oriented with a desire to succeed in a fast paced environment.
• Excellent customer service.

Would you be interested ?

Please send us your latest updated profile with contact nos.
current & expected salary details and joining time required toradha@kbsconsultants.com

You may also suggest this opening to your friends who may be interested.

Further Information:

KBS Consultants

Flat H,Kulothungan Apts,
No, 5 Natesan Road
Ashoknagar,
Chennai 600 083.
India
Phone: +91-44 2489 5341 / 2371 9622

Visit Our Sites:

International jobs: http://www.jobsearchworld.com/
SAP ERP Jobs : http://www.jobsvista.com/
Core Engineering Jobs : http://www.gotachance.com/
Technology Jobs : http://www.kbsconsultants.com/
India Jobs :http://www.kbsconsultants.org.in

‘The whole power productive of water they called Oceanus, and named its symbolic figure Tethys. But of the whole, the drinking-water produced is called Achelous; and the sea-water Poseidon; while again that which makes the sea, inasmuch as it is productive, is Amphitrite. Of the sweet waters the particular powers are called Nymphs, and those of the sea-waters Nereids.

Again, the power of fire they called Hephaestus, and have made his image in the form of a man, but put on it a blue cap as a symbol of the revolution of the heavens, because the archetypal and purest form of fire is there. But the fire brought down from heaven to earth is less intense, and wants the strengthening and support which is found in matter: wherefore he is lame, as needing matter to support him.

Also they supposed a power of this kind to belong to the sun and called it Apollo, from the pulsation of his beams. There are also nine Muses singing to his lyre, which are the sublunar sphere, and seven spheres of the planets, and one of the fixed stars. And they crowned him with laurel, partly because the plant is full of fire, and therefore hated by daemons; and partly because it crackles in burning, to represent the god’s prophetic art.

But inasmuch as the sun wards off the evils of the earth, they called him Heracles (from his clashing against the air) in passing from east to west. And they invented fables of his performing twelve labours, as the symbol of the division of the signs of the zodiac in heaven; and they arrayed him with a club and a lion’s skin, the one as an indication of his uneven motion, and the other representative of his strength in “Leo” the sign of the zodiac.

Of the sun’s healing power Asclepius is the symbol, and to him they have given the staff as a sign of the support and rest of the sick, and the serpent is wound round it, as significant of his preservation of body and soul: for the animal is most full of spirit, and shuffles off the weakness of the body. It seems also to have a great faculty for healing: for it found the remedy for giving clear sight, and is said in a legend to know a certain plant which restores life.

But the fiery power of his revolving and circling motion, whereby he ripens the crops, is called Dionysus, not in the same sense as the power which produces the juicy fruits, but either from the sun’s rotation, or from his completing his orbit in the heaven. And whereas he revolves round the cosmical seasons and is the maker of “times and tides,” the sun is on this account called Horus.

Of his power over agriculture, whereon depend the gifts of wealth, the symbol is Pluto. He has, however, equally the power of destroying, on which account they make Sarapis share the temple of Pluto: and the purple tunic they make the symbol of the light that has sunk beneath the earth, and the sceptre broken at the top that of his power below, and the posture of the hand the symbol of his departure into the unseen world.

Cerberus is represented with three heads, because the positions of the sun above the earth are three-rising, midday, and setting.

The moon, conceived according to her brightness, they called Artemis, as it were, “cutting the air.” And Artemis, though herself a virgin, presides over childbirth, because the power of the new moon is helpful to parturition.

What Apollo is to the sun, that Athena is to the moon: for the moon is a symbol of wisdom, and so a kind of Athena.

But, again, the moon is Hecate, the symbol of her varying phases and of her power dependent on the phases. Wherefore her power appears in three forms, having as symbol of the new moon the figure in the white robe and golden sandals, and torches lighted: the basket, which she bears when she has mounted high, is the symbol of the cultivation of the crops, which she makes to grow up according to the increase of her light: and again the symbol of the full moon is the goddess of the brazen sandals.

Or even from the branch of olive one might infer her fiery nature, and from the poppy her productiveness, and the multitude of the souls who find an abode in her as in a city, for the poppy is an emblem of a city. She bears a bow, like Artemis, because of the sharpness of the pangs of labour.

And, again, the Fates are referred to her powers, Clotho to the generative, and Lachesis to the nutritive, and Atropos to the inexorable will of the deity.

Also, the power productive of corn-crops, which is Demeter, they associate with her, as producing power in her. The moon is also a supporter of Kore. They set Dionysus also beside her, both on account of their growth of horns, and because of the region of clouds lying beneath the lower world.

The power of Kronos they perceived to be sluggish and slow and cold, and therefore attributed to him the power of time: and they figure him standing, and grey-headed, to indicate that time is growing old.

The Curetes, attending on Chronos, are symbols of the seasons, because time journeys on through seasons.

Of the Hours, some are the Olympian, belonging to the sun, which also open the gates in the air: and others are earthly, belonging to Demeter, and hold a basket, one symbolic of the flowers of spring, and the other of the wheat-ears of summer.

The power of Ares they perceived to be fiery, and represented it as causing war and bloodshed, and capable both of harm and benefit.

The star of Aphrodite they observed as tending to fecundity, being the cause of desire and offspring, and represented it as a woman because of generation, and as beautiful, because it is also the evening star-

“Hesper, the fairest star that shines in heaven.” [Homer, Iliad 22:318]

And Eros they set by her because of desire. She veils her breasts and other parts, because their power is the source of generation and nourishment. She comes from the sea, a watery element, and warm, and in constant movement, and foaming because of its commotion, whereby they intimate the seminal power.

Hermes is the representative of reason and speech, which both accomplish and interpret all things. The phallic Hermes represents vigour, but also indicates the generative law that pervades all things.

Further, reason is composite: in the sun it is called Hermes; in the moon Hecate; and that which is in the All Hermopan, for the generative and creative reason extends over all things. Hermanubis also is composite, and as it were half Greek, being found among the Egyptians also. Since speech is also connected with the power of love, Eros represents this power: wherefore Eros is represented as the son of Hermes, but as an infant, because of his sudden impulses of desire.

They made Pan the symbol of the universe, and gave him his horns as symbols of sun and moon, and the fawn skin as emblem of the stars in heaven, or of the variety of the universe.’

Problem description

You have successfully installed SCOM Agent manually on managed computer. However, managed computer doesn’t appear in the Agent Managed or Pending Management list in the Operations Console.

The following event is logged in the Operations Manager event log on Agent-managed computer:

Event Type:            Error

Event Source:         OpsMgr Connector

Event Category:     None

Event ID: 20057

Description: Failed to initialize security context for target MSOMHSvc/<SCOM Management Server Name> The error returned is 0×80090311(No authority could be contacted for authentication.).  This error can apply to either the Kerberos or the SChannel package.

How to confirm the problem?

To troubleshoot the issue, Microsoft Network Monitor can be used:

• Stop HealthService on managed computer to stop the SCOM Agent (open the Command Prompt and type the net stop HealthService).
• Start Microsoft Network Monitor.
• Click on the New capture tab.
• In the Capture Filter, enter the following filter:

KerberosV5
OR KerberosV5_Struct
OR NLMP
OR NLMP_Struct
OR GssAPI
OR SpnegoNegotiationToken
OR GssapiKrb5
OR LDAP

• Click on the Apply button to apply the Capture Filter.
• Click on the Start button to start the new capture.
• Now, quickly start the HealthService to start the SCOM Agent (net start HealthService).
• Wait (usually 10-15 seconds) until event 20057 appears in the Operations Manager event log on the affected computer.
• In Network Monitor, click on the Stop button to stop the capture.
• Now carefully revise capture frames in the Frame Summary window. You should see KerberosV5 and LDAP protocol traffic against the Active Directory Domain Controllers.

NOTE: Above applies in case that you are not using certificate-based authentication.

To resolve this issue, make sure that TCP/UDP 88 port (Kerberos) and TCP/UDP 389 port (LDAP) is open against the Domain Controllers in your Active Directory environment.

These ports are not documented in the TechNet’s article Using a Firewall with Operations Manager 2007.

What happens under the hub?

When SCOM Agent <-> Management Server communication starts, authentication takes place (Kerberos). If you have multi-domain environment, things are bit more complicated. Before the authentication protocols can follow the forest/domain trust path, the service principal name (SPN) of the SCOM Management Server must be resolved (LDAP).

When a managed computer (SCOM Agent) in one domain attempts to access resource computer (SCOM Management Server) in another domain, it contacts the domain controller for a service ticket to the SPN of the resource computer. Once the domain controller queries the global catalog and identifies that the SPN is not in the same domain as the domain controller, the domain controller sends a referral for its parent domain back to the workstation. At that point, the workstation queries the parent domain for the service ticket and follows the referral chain until it gets to the domain where the resource is located.

If you have SCOM Management Server in child domain A of the Active Directory Forest infrastructure and the SCOM Agent in child domain B, make sure that SCOM Agent is able to access all DC’s in the referral chain which are required to get to the domain where SCOM Management Server is located.

For more information about the ports required for the System Center Operations Manager, and the authentication in Operations Manager, refer to the following TechNet articles:

Authentication and Data Encryption for Windows Computers in Operations Manager 2007, available at the: http://technet.microsoft.com/en-us/library/bb735408.aspx

Using a Firewall with Operations Manager 2007, available at the: http://technet.microsoft.com/en-us/library/cc540431.aspx

My team were trying to implement VMM R2 in multiple domains topology. They installed VMM R2 on windows 2008 R2. We start by implementing VMM 2008 R2 and SSP (Self Service Portal)on Domain A.

We have users from domain A and B. Ans one way trust relationship between those domain from domain A to B.  i.e Domain A trust users from domain B.

This scenario was designed so that users from Domain A, B would have the capability to deploy new VMs using Web interface (SSP).

The installation went fine with local admin account (Domain user from domain A with local admin privilege) and I am able to see all users from Domain A and B and add them to Self Service portal users role.

The problem that users from domain B can’t log in to SSP while users from domain A can.

As per Microsoft Technet

Does VMM support cross-domain authentication?

Yes. Kerberos authentication is a prerequisite for VMM. To configure your environment to allow users in one Active Directory Domain Services (AD DS) domain to access VMM resources in another domain, you can either ensure that both domains are in the same forest or configure a forest-level trust relationship and use Kerberos authentication. To set up a forest-level trust relationship, both domains must be in Windows Server 2003 forest mode. Windows 2000 Server does not support forest-level trusts.

So this was the first problem.. VMM should use Kerberos authentication while my one way trust was External ( NTLM ).. My domain are above 2003 so I delete my old trust and create new forest one way trust again.

Now VMM should work but Opsssss it did not ?!!!!!!

As per Microsoft technet it should work fine but nothing worked at all. After some digging with the trust we found it. it has to be 2-way forest level trust between the two domains. :S

And we got confirmation from Microsoft:

Based on this finding, I fully analyze all internal Kerberos traffic again and the two trust is required from SSP.

1. if we only configure one-way trust from SCVMM server domain to user domain, the DC in SCVMM domain will be able to establish secure channel with user domain and get the trust TGT ticket. Thus we can configure SSP and choose user from trusted domain.

2. However, when user accesses SCVMM portal from trusted domain, because it is one way and there is no trusted account for user domain in SCVMM domain, the user cannot get trusted TGT ticket and thus the user cannot get session ticket to access SSP.  The accessing will fail back to NTLM by SCVMM DC contacts DC in user domain for NTLM authentication.

According to authentication requirement for SCVMM, we need configure two-way trust so that user can get session ticket to access SSP in other domain.

So… to have users from different domain we need configure two-way trust so that user can get session ticket to access SSP in other domain.

http://support.microsoft.com/kb/319723

http://blogs.msdn.com/sql_protocols/archive/2005/10/12/479871.aspx

Everything you wanted to know and didn’t know to ask.  Click here.

Need to work with Kerberos in Snow Leopard?  Use Ticket Viewer.  Read more here.

From yesterday I can’t authenticate to our SIP server. Yes we have the certificate installed. It is set to Always Trust.
Yes I have the IP address of the SIP server in System Preferences’ No Proxy List.
It was working once. Somehow I managed to score a Kerberos ticket from a server in the same domain as the SIP server.
Since yesterday I haven’t been receiving one.
I checked the console and in /Library/Ligs/SingleSignOnTools I can see
ReadConfigHeader could not find header in /Library/Preferences/edu.mit.Kerberos
Not much about this line on the web.

Got my Mac working on 10.5.7 and another on Snow 10.6 also working. Two others on 10.5.7 cant get them to work.
One of them has this entry in the Console
SecKeychainItemCopyAccess error
and
[0x0-0x34034].com.apple.keychainaccess[420] 2009-10-22 16:10:56.163 kcproxy[534:10b] SecKeychainItemSetAccess status: -2147413720
More to come!

For an application I’m writing I’m using JSch (a java implementation of the ssh protocol). Now I tried to use this with authentication using a kerberos token (which has the advantage that I don’t have to supply a password every time I run the program for testing).

After spending some time googling and digging into the source code of JSch (a definitive advantage of open source libraries !), putting breakpoints in various places, especially those where it catches another type of exception and rethrows them as JSchException.

On this page I saw that one has to provide the location of login a configuration file by setting a property. This can be done on the command line by adding an option like:

-Djava.security.auth.login.config=/.../mylogin.conf

I got a little further. However, I got another exception:

javax.security.auth.login.LoginException: No LoginModules configured for

This looked to me like somebody is putting an empty string as configuration name somewhere (yes, the error message ends after the word ‘for’). I downloaded the sources of OpenJDK and digged further (even though I was not using OpenJDK as runtime library I was hoping that the differences were not too large). By looking at the source code, I had the impression that indeed at some point in call hierarchy (GSSUtil.login(..) ), an empty string literal is passed as name to the constructor of LoginContext (which I thought is used to look up the corresponding entry in the login configuration file). How am I supposed to put an empty string as login configuration name in the file ? (Simply leaving out the name did not work…)

By chance I found a related post in on Sun’s forums. It turns out that the following configuration entry in the login configuration file made JSch work with authentication by kerberos token:

com.sun.security.jgss.krb5.initiate {
  com.sun.security.auth.module.Krb5LoginModule required doNotPrompt=true useTicketCache=true;
};

At work, linux machines running the standard linux installation support kerberos token forwarding via ssh. This is very convenient as it allows to obtain a kerberos ticket and then e.g. run scripts which run on my desktop and the login to the computer farm to perform some tasks. However, this does not work out of the box with Ubuntu (at least not with Hardy Heron). I’ve been looking for a solution since a long time (I even copied the ssh executable and dependent libraries from a node with the standard installation to my desktop but obviously this is not a very elegant solution).

Now I finally found out how to make this work ! (amongst others thanks to this page). In fact, I compared the output of ssh -vvv between logging in from my desktop and logging from in from a node where token forwarding works. I noticed that at some point (when logging in from Ubuntu), I see:

debug2: we sent a gssapi-with-mic packet, wait for reply
debug1: An invalid name was supplied
No error

On the link mentioned above I saw that there is an option

GSSAPITrustDNS=yes

which one could give to ssh (either with -o on the command line for testing or in ~/.ssh/config once one wants to use the option permanently). Indeed, this solved the problem (it seems to work around a bug of ssh with round robin DNS hosts, i.e. several hosts sharing the same host name alias where load balancing is implemented by the domain name server). The above error message in the debug output disappears. In order also to have access to my afs directory on the destination host, I also needed to add the option

GSSAPIDelegateCredentials=yes

Leia a matéria abaixo. Comento depois.

Ciência mais perto da ‘transmissão de pensamentos’

Cientistas britânicos acreditam ter chegado mais perto da “transmissão de pensamentos” através da internet. O sistema foi desenvolvido por uma equipe da Universidade de Southampton, que descreveu o estudo como os “primeiros passos de bebê” rumo à leitura total da mente.

O experimento, detalhado nesta quinta-feira pelo jornal The Times, utiliza uma técnica que permite a interpretação de sinais cerebrais por computadores. Por enquanto, porém, só podem ser transmitidos códigos binários – sequências de 0 e 1 – , o que significa que ainda está longe de você ter de se preocupar com o pensa na frente dos outros.

Paramedir a atividade cerebral, duas pessoas tiveram eletrodos conectados em seus crânios. A primeira pessoa gerou uma série de números 0 e 1 ao imaginar mexer o braço esquerdo (0) ou direito (1). A mensagem foi decodificada por um computador e enviada pela internet para outro PC, o qual emitiu o sinal na forma de um piscar de luzes, interpretado automaticamente pelo cérebro da segunda pessoa e traduzido direto na tela do computador.

Como funciona em rede, significa que as pessoas não precisam estar no mesmo ambiente – e sequer no mesmo país – para se comunicarem por pensamentos. Christopher James, que liderou o estudo, destaca que não se trata de telepatia:”Não há pensamento consciente se formando na cabeça de uma pessoa e outro pensamento consciente aparecendo na mente de outra pessoa”. O pesquisador acredita que sua invenção poderá um dia ser útil para aqueles que estão “presos em seus corpos, que não podem falar, nem mesmo piscar”.

http://veja.abril.com.br/noticia/ciencia-tecnologia/ciencia-mais-perto-transmissao-pensamentos-505818.shtml

Voltei.

O primeiro passo é sempre o mais difícil de ser dado. Agora o avanço será rápido. Já antevejo o futuro.
O próximo empecilho a retirar é a necessidade de lidar com os incômodos números binários. Cientistas da IBM já estão projetando um compilador – a ser implantado em chip no crânio – que converta instruções Assembly em impulsos mentais. O temor dos pesquisadores está em alguma instrução provocar estouro de pilha e causar ataques epiléticos. Prometem que vão escrever um artigo sobre isso assim que encontrarem referências bibliográficas em algum sebo.

Outras pesquisas se mostram mais promissoras. Brian Kernighan e Dennis Ritchie trabalham em uma versão adaptada do compilador C – sem o uso de ponteiros – depois que um ponteiro não inicializado apagou a uma área de memória de um membro da equipe de testes. Resta saber para que servirá um C sem ponteiros!

Um IDE Netbeans também está sendo desenvolvido. O chip RAMBUS para armazenar o compilador estará disponível em breve e pesará um quilo e oitocentos gramas.

O projeto da Sun Microsystems/Oracle é o mais arrojado de todos. Uma máquina virtual Java promete rodar em qualquer tipo de plataforma craniana, desde os malaios até os cearenses. Indagados Quanto ao desempenho, os engenheiros desconversaram, mas revelaram trabalhar numa versão stand-alone para pessoas que usam intensamente o cérebro. A Oracle, que comprou recentemente a Sun, já anunciou que vai cobrar por neurônio instalado.

A enorme mudança de paradigma atinge também o mundo das telecomunicações, em especial o das redes sem fio.
Engenheiros da 3Com trabalham em 3 projetos internos de chips com interfaces sem fio embutidas, de diferentes velocidades. Os projetos têm os nomes-código Javé, Einstein e Carla Peres, direcionados a diversos nichos de mercado e níveis de preço diferentes.

Como era previsível, o número de endereços IP da versão IPv6 ainda será pequeno para tanta demanda, e uma força-tarefa do IETF já trabalha arduamente na versão 7, com endereços de 16384 bits. Matemáticos calculam que com esse tamanho haverá 10245467 IPs diferentes para cada pensamento na face da terra.

Nessas circunstâncias, a segurança também será bastante afetada. Cada pessoa deverá ter um pequeno servidor Kerberos rodando na cachola, para permitir o início de conversas. Moças de família não poderão sair de casa com criptografia de menos de 1024 bits. O Norton já lançou um pacote de utilitários para qualquer eventualidade.

As perspectivas são vastas.

Wireshark is the world’s foremost network protocol analyzer, and is the de facto (and often de jure) standard across many industries and educational institutions.

Wireshark development thrives thanks to the contributions of networking experts across the globe. It is the continuation of a project that started in 1998.

Wireshark has a rich feature set which includes the following:

• Deep inspection of hundreds of protocols, with more being added all the time
• Live capture and offline analysis
• Standard three-pane packet browser
• Multi-platform: Runs on Windows, Linux, OS X, Solaris, FreeBSD, NetBSD, and many others
• Captured network data can be browsed via a GUI, or via the TTY-mode TShark utility
• The most powerful display filters in the industry
• Rich VoIP analysis
• Read/write many different capture file formats: tcpdump (libpcap), Pcap NG, Catapult DCT2000, Cisco Secure IDS iplog, Microsoft Network Monitor, Network General Sniffer® (compressed and uncompressed), Sniffer® Pro, and NetXray®, Network Instruments Observer, NetScreen snoop, Novell LANalyzer, RADCOM WAN/LAN Analyzer, Shomiti/Finisar Surveyor, Tektronix K12xx, Visual Networks Visual UpTime, WildPackets EtherPeek/TokenPeek/AiroPeek, and many others
• Capture files compressed with gzip can be decompressed on the fly
• Live data can be read from Ethernet, IEEE 802.11, PPP/HDLC, ATM, Bluetooth, USB, Token Ring, Frame Relay, FDDI, and others (depending on your platform)
• Decryption support for many protocols, including IPsec, ISAKMP, Kerberos, SNMPv3, SSL/TLS, WEP, and WPA/WPA2
• Coloring rules can be applied to the packet list for quick, intuitive analysis
• Output can be exported to XML, PostScript®, CSV, or plain text

Download

 Windows Installer (32-bit)

 Windows Installer (64-bit)

 Windows U3 (32-bit)

 Windows PortableApps (32-bit)

 OS X 10.5 (Leopard) Intel .dmg

 OS X 10.5 (Leopard) PPC .dmg

 Source Code

The 64-bit Windows installer requires the Microsoft Visual C++ 2008 SP1 Redistributable Package (x64) in order to run.

http://www.wireshark.org/

Continuing my tussle with setting up Kerberos authentication in the sharepoint environment, I ran into another issue today.

Windows has a rule that causes it to fall back to NTLM authentication if there is an issue with the Kerberos authentication. So I had to validate that we were indeed using Kerberos as the authentication method, and in order to do that, I had to enable logon events on the servers.

To get to the Local Security Settings, go to Start -> Run (or just press <Windows Key>+R)
type secpol.msc
Navigate to Security Settings -> Local Policies -> Audit Policy

Local Security Policy Window

 The events you want to log are:

Account logon events: This event is audited to see each instance of a user logging on to or logging off from another computer in which this computer is used to validate the account. Account logon events are generated in the domain controller’s Security log when a domain user account is authenticated on a domain controller. These events are separate from Logon events, which are generated in the local Security log when a local user is authenticated on a local computer. Note: Account logoff events are not tracked on the domain controller.

Logon events: This event is audited to see when someone has logged on or off your computer (either while physically at your computer or by trying to log on over a network).

Double-click Audit account logon events to bring up the window to change Security Settings
I found that the Properties window had the Success and Failure options greyed out

Audit Logon Events Properties (Disabled)

 I was logged in as a Local Administrator, but it just wouldn’t let me enable those options.
Apparently, the Group Policy at the Domain Level takes precedence over Local Security Settings. And since I do not have Domain Administrator permissions, I could not login to the Domain Controller to make any changes.

The next step was to manually override the domain level Group Policy with the caveat that it will only last for 2 hrs as the domain controller refreshes the policies every 120-min.

Open Command Prompt: Start -> Run (or just press <Windows Key>+R)
type cmd
Change directory: cd C:\Windows\Security\Database

Export the existing security policy. This extracts all policies from the database and puts them in the Security Template file. Use the following command:
secedit /export /db SecurityDBName /cfg SecurityTemplateFile

Edit the Security Template file
notepad SecurityTemplateFile

Look for [AuditLogonEvents], change the value to 3 (for both Logon and Logoff to be audited)
Look for [AuditAccountLogon], change the value to 3 (for both Logon and Logoff to be audited)

Validate the Security template file thus created
secedit /validate SecurityTemplateFile

If everything checks out okay, make the changes to the security policy as:
secedit /configure /db SecurityDBName /cfg SecurityTemplateFile /overwrite

And you should be in business, with both options checked (though still greyed out)

Audit Logon Events Properties (Enabled)