Wednesday, 29 April 2015

Cannot copy-and-paste into Remote Desktop login box

Well, I thought I couldn't but tl;dr it was user error!

I use KeePass for passwords because I have so many and I want them to be secure. Apart from the extra hassle, it seems to work OK except in this one case. I have a newly created Windows Server 2012 and whenever I try and copy the password from KeePass into the Remote Desktop window to login, it doesn't work. If I copy it via another program, it doesn't work. If I type it in manually, it works fine.

I was searching all over the interwebs to find out what was going on and why Remote Desktop was misbehaving (even though it worked on other servers!) and then one day, it hit me.

Was that last character a zero or an O (how do you spell O?)

Why does it matter? The server was created as a VM via X2Go which does not allow copy and paste from host to VMs running Windows so I had generated a password in KeePass and then had to type it into the VM when it was created - I had misread the generated password and typed a zero instead of an O.

Of course, every time I wanted to login from KeePass it wouldn't work because KeePass was copying the O that was really at the end of the password. I changed the O to 0 in KeePass and hey-presto. Back in business!

Wednesday, 22 April 2015

The pain that is WebDeploy and error 401 when publishing

I don't have the time to write down all the things that have done my head in when trying to set up web deploy for the first time. Traditionally I have been using source control to publish sites but on this test one, I thought web deploy would be quick and easy but it has taken me two days to make it work.

The problem was actually the fact that my password wasn't copying correctly from KeePass but of course, because you can't see what is pasted into the box, it looks correct but doesn't work.

The reason this is not great is because, as with many pieces of software, the architecture is not easy to understand and the error messages not descriptive enough to work out what is actually happening. WebDeploy, for instance, consists of two Windows services (although maybe only one?), running that as a user that has permissions to access the web folder and then setting up IIS Manager Permissions and Permissions Delegation in IIS - you can use Windows credentials or theoretically, you can use IIS user permissions, but that only seemed to work when I gave all users full control to access the web directory!

Fortunately, I did (eventually) find a half-decent guide from Microsoft: http://www.iis.net/learn/publish/using-web-deploy/configure-the-web-deployment-handler

And this is what finally pointed me to the fact that the password pasted from KeePass wasn't working.

One of the things that annoys me is that I have probably made a load of changes I didn't need while making this work and there's no way I can remember everything I did to revert these things.

Tuesday, 21 April 2015

The request was aborted: Could not create SSL/TLS secure channel

Scenario: An ASP Web Forms app is deployed to a test server. While calling a web service (with a client produced by svcutil.exe), the above error is displayed.

Reason: The web service call is protected by a client certificate and, although the certificate is installed on the test box, the web site, which runs as "App Pool Identity", did not have access to the certificate.

Hint: Use logging where possible and attempt other ways to access the same URL, for instance in a browser. This indicated that the logged-in user had no problems but the site did which made me realise that it was a permissions issue.

Fix: The certificate must be installed in the Local Machine store using mmc.exe. If you double-click it in Explorer, it will be installed in the Current User store, where you cannot manage permissions. In Windows 7 and Server 2012 (and probably 2003/8 as well):


  1. Run mmc.exe and choose File->Add/Remove Snap-in, select Certificates in the left-hand list and, when it asks you, choose Computer Account and Local Computer. Click OK to exit the selection page.
  2. Open up the Personal->Certificates folder under the snap-in you just enabled. It is possible that the Certificates folder doesn't exist (if it is empty).
  3. Right-click in the contents pane of Personal or Certificates and choose All Tasks->Import.
  4. Go through the wizard to import your certificate and select the option to "mark it exportable" which is usually needed for SSL usage (I think it includes the private key only when this is ticked).
  5. With the certificate imported, select it and choose All Tasks->Manage Private Keys.
  6. You will get a familiar security dialog where you can add users who can access the private key. Add the account for the user that is running the application pool for your web site.
  7. If you are using "App Pool Identity", then the users are found with IIS AppPool\app.pool.name. Note that if you are running some versions of Windows Server, you will need to change the "location" parameter to point to the local machine rather than the domain which is selected by default, otherwise the user won't be found.

Voila.

Tuesday, 14 April 2015

Cheryl's Birthday and the weaknesses of language

I read a post today about the now famous Cheryl's birthday problem here: http://www.bbc.co.uk/news/world-asia-32297367

I thought I would have a go and immediately was stumped by the question. I then watched the video on the BBC page which supposedly explained how to solve it but was still confused. It sounded mostly correct but there seemed to be gaps in the logic and I still didn't understand.

It was only after going over it a few times and reading a few comments that I finally understood both the solution and more importantly, why I hadn't been able to understand it. The reason? The ambiguity of language mixed with various assumptions that we make when reading things. A lesson that most of us have learned when we have incorrectly implemented some software.

I won't recreate the question here but I will explain, hopefully more clearly, the solution and where the problem lies.

Many logic problems set a scene and then make a set of statements. There are some assumptions that must be made in logic problems generally and they include a) Everything you need to know is in the statements (perhaps that is obvious) and b) Every statement has some logical value. In other words, if you think there is some other assumed context, you are probably wrong and if you think a statement is superfluous, you are also presumably wrong. c) Every statement is fundamentally correct - it would be really hard to solve a problem containing fallacious arguments!

Albert: I don't know when Cheryl's birthday is, but I know that Bernard does not know too.

Excusing the slightly poor grammar, this statement immediately felt like it was superfluous. Obviously Albert cannot know the date because he only has the month. Likewise, my assumption is that Bernard cannot know, otherwise it would be a rubbish question! Part of the problem is that in this case, we are using a real-world example and that brings in all kinds of assumptions or questions: What did Cheryl tell each of them about the other? Does Albert know that Bernard was only told the day? Did Bernard tell Albert that he didn't know the date?

I had fallen into the logical trap of thinking either that I was missing information (in which case the question is unanswerable - probably not what was intended) or that the first statement was superfluous, which would mean it was poorly written - but since I could not solve it without the first statement, it probably wasn't intended to be superfluous.

The key here is not the fact that Bernard does not know the date but that Albert knows that Bernard doesn't know the date. Assuming there is nothing outside of the statements that is needed to solve the question, the only way Albert can know that Bernard does not know is if Albert has a month that does NOT include a unique day (18 or 19) - if he did, Bernard might know what the date was because he held that unique day but even if he didn't, Albert would not be able to say for certain that Bernard does not know the date. The conclusion from Albert's first statement is that Albert holds July or August as a month.

We are not told that Albert tells Bernard anything, we have to assume that Bernard has worked out what we have worked out using Albert's first statement. In other words, Bernard now knows that Albert is holding July or August in order for Albert's statement to be true.

It is now Bernard's turn to give a clue in his statement:

Bernard: At first I don't know when Cheryl's birthday is, but I know now.

Knowing that Bernard now knows the month is July or August, there is only one way this second statement can be true - that is if the day that Bernard knows is unique amongst July and August. If Bernard had 14, he still wouldn't know. If he does know, he must have 15, 16 or 17, in which case he knows the exact date.

Why don't we stop here? Because it is not the point that Albert or Bernard has worked out the answer but that we know the answer and we are still left with 3 possibilities: 16th July, 15th August and 17th August.

Again, we assume that Albert has deduced the same 3 possibilities that Bernard did (and Bernard also knows the day - so he knows the actual date) so for the 3rd statement to have value:

Albert: Then I also know Cheryl's birthday

That means the month that Albert started with must uniquely identify one of these 3 dates. Since 2 of them have the same month, if the date was one of those, Albert would not be able to deduce it and the 3rd statement would be false. In other words, only if it is July 16th, would Albert now know what the date is.

I thought the whole experience was another useful reminder about assumptions, ambiguity and making sure we really understand something before we attempt to solve it.

Learn to Code in 30 days with.....

There are lots of these adverts around at the moment. The web is big business, most people realise that now. That means that people who can program it are sought after, sometimes by individual companies and sometimes by contractors.

This naturally leads to companies trying to fill the training gap (and in the UK, this gap is VAST) and what better way than to offer online courses for not very much money?

Well, in my opinion: there are lots of problems.

Firstly, as many people comment on Facebook underneath these adverts, you cannot learn to be a good developer in a short time. Even after 15 years in the game, I still struggle to keep up, I never seem to know enough and I make mistakes. I would hope my overall quality is high but if I make mistakes after 15 years, what can someone do after 30 days of any quality?

Another largely avoided issue is that in almost all cases, the hardest part of development is requirements gathering. That is of course not very interesting to most developers who think coding is cool and, dare I say it, "sexy". The reality is, sadly, a mostly mundane experience of learning how to listen to people and what they really want, rather than what they say they want and then to convert this into software quickly enough before they change their mind. When they do, there are problems associated with Change Control, another area that is largely not talked about in software training.

But I think possibly the most difficult hurdle to overcome is the lack of personal contact. Software sounds like a pure technical role but it isn't in reality. A lot of development skills are to do with communication and personality. How do my team respond to being asked to carry out certain work? How do they understand what is being asked for by me or the customer? How do they interact with each other? In almost all situations, these issues can be the difference between a really valued employee and a person you want to fire. Team work is essential in an ongoing way but also a good attitude, a can-do approach to work, a personality that helps others etc. How do you learn these things in an online course? You mostly can't or don't.

I know a few people who have used Code Academy but it has the wrong approach. It shows a basic example and you fill in the code but don't have to prove any understanding of what is actually happening. Take those people from Code Academy and give them a proper project to work on and they can't do it, the training has given very little by way of breadth or depth - at best they are primers but they don't even really succeed with that either.

There was only one site I have seen that shows a more proactive and realistic approach to online training (although there are now a few more) and that is www.thinkful.com, a mentor-based approach that wasn't just a case of typing in some code to make something work but allows a mentor to ask questions about your motivation. Why did you choose that type of code instead of this type? Did you think about this when you wrote that? Where do you handle that error etc.?

The reason this works really well is it ticks the boxes that the other training courses don't. You get to interact with people, understand what they are asking for, justify your choices and have that personal interaction where you learn what people are like to work with. You also get real-world experience from mentors who can tell you that certain things do or don't happen in real life or how to cope with them.

Sure, this type of training or mentorship is going to cost more than a basic online training course but why do developers think that it is wrong to pay for something of quality? You wouldn't expect to train to be a doctor for free (or anywhere close) so if you really want to do something, invest in it and the skills you gain will be invaluable. I would value someone who has used online mentorship much more highly than someone who went through a few Code Academy courses. It shows investment, willingness and aptitude.

So don't learn to code in 30 days, learn to do it properly.

Friday, 10 April 2015

If you ever use the word "best" in a computer science question, you need to go to school

So many times, so many visits to Stack Overflow, Hacker News, MSDN or Google Groups and the questions are asked over and over again. "What is the best....", best framework, best language, best fit.

It is a terrible word used too frequently. You might as well ask, "What is the best car?" or "What is the best sport?"

Clearly, the question only makes sense when qualified with your definition of best but there's still room for uncertainty. You would have to specify everything about your situation and, even if you could, it would be impossible to answer in most cases, especially in fields like computer science where there are so many options.

Example: "What is the best PHP framework?"

Answer: "How mature does it need to be? How much support do you require? How easily do you need to be able to recruit people? What frameworks do you already know? Would you prefer reliability or speed? What environment are you using/do you want to use?"

You get the idea. The question is dumb and the answer is complicated but yet so many people ask it.

If you use the word best, you should go back to school. Or maybe you should go to school for the first time. If you want to be taken seriously as a developer, take a course, do a degree or a diploma. Don't assume that being good at software engineering is instinctive and obvious and that you are clever enough to think of all the things you need to learn. Don't assume that it is OK to make mistakes on commercial sites and learn from them - you should be learning from mistakes others have already made.

Oh, and you should not use the word "best".

Thursday, 9 April 2015

The remote server returned an error: (403) Forbidden

You know those painful problems that are slightly odd and shouldn't really still happen? This is one.

Scenario:

When I run up a .NET web app solution directly from Visual Studio 2013 using Debug (running IIS Express), my call to a web service works fine. This has worked for ages and is client-certificate secured, the certificate being specified in web.config and installed locally. The web service is hosted remotely.

I wanted to test a more realistic example of the same solution using a real URL directing to 127.0.0.1 in my hosts file and using full IIS but now when I call the same web service method, I get the error above - 403. The only difference (or is it?) is running via the proper URL.

The clue is in the error details which show the authentication method "anonymous", when it should be using a client certificate. Fortunately, I quickly compared this config with another to make sure nothing was changed accidentally by me.

I quickly realised that the real URL is running as another user in IIS whereas IIS Express is running as me (an Administrator), which means that I have access to the private key of the certificate whereas the app pool identity does not. Very good for security, so what do we do to give it access?

You would imagine a simple option in MMC.exe which would allow you to set permissions but nope. You have to import the certificate into the Computer Personal Store (not your user one, which happens if you install by double-clicking in Explorer) and you also have to make it exportable when you import. Once you do this and right-click the certificate in mmc under the computer account snap-in, you get an option under All Tasks saying Manage Private Keys, under which you can set permissions for your app pool user. You have to search for the user using IIS AppPool\, because if you miss the first bit, Windows can't seem to find the app pool name by itself (which is rubbish and should definitely work by now).

And now it all works!
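
The MMC procedure described in this post and in the 21 April post above (import into the Local Machine store, then Manage Private Keys for the app pool user) can also be scripted. This is an added example, not code from the original posts. The PFX path and pool name are placeholders, and it assumes an elevated Windows PowerShell session, .NET Framework 4.6 or later, and an app pool that already exists.

```powershell
# Added example (not from the original posts). Run in an elevated Windows PowerShell.
# $PfxPath and $AppPoolName are placeholders; substitute your own values.
param(
    [string]$PfxPath     = 'C:\temp\client-cert.pfx',
    [string]$AppPoolName = 'app.pool.name'
)
$ErrorActionPreference = 'Stop'

# Import into Local Machine\Personal (Cert:\LocalMachine\My), not the Current User
# store that double-clicking the file in Explorer would use.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
$cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My `
            -Password $pfxPassword -Exportable   # -Exportable mirrors the "exportable" step in the posts

# Locate the private key file on disk. CSP and CNG keys expose the container
# name differently and live in different directories, so handle both.
# (GetRSAPrivateKey and RSACng need .NET Framework 4.6 or later.)
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($null -eq $rsa) { throw "Certificate $($cert.Thumbprint) has no RSA private key." }
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $keyName = $rsa.Key.UniqueName
} else {
    $keyName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
}
$keyFile = @(
    "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys\$keyName",
    "$env:ProgramData\Microsoft\Crypto\Keys\$keyName"
) | Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
if (-not $keyFile) { throw "Private key file '$keyName' not found." }

# Equivalent of All Tasks->Manage Private Keys: grant Read to the one app pool
# identity only. The "IIS AppPool\" prefix is required, as the posts note.
$identity = "IIS AppPool\$AppPoolName"
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($identity, 'Read', 'Allow')
$acl = Get-Acl -LiteralPath $keyFile
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $keyFile -AclObject $acl

# Check the result: list every identity that can now reach the key file.
(Get-Acl -LiteralPath $keyFile).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType
```

The final listing is worth reading on any server: entries for broad groups on a private key file mean more than the intended app pool can use the client certificate.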