Monday, October 20, 2008

Big Techie Ohmigod

Hello All,
  We've rounded two REALLY painful technological bends here recently.  Our first victory was moving to a different voice collaboration system and getting the Commander's Update Brief to use headphones.  Doesn't sound like much, but it's a pretty big feat with the microwave and satellite links here.
 
  The second one has been HORRIBLE.  Here's the deal:
  - A General, his Aide, and his Exec could not send encrypted or signed emails.  They also could not upload their Public Encryption certs to the Global Address List (GAL).  We worked on this problem for the last two months.
 
Techie Alert:  If you're not a techie, this will bore you to tears.  Just know that this really, really sucked.
 
  - First, we checked their certs.  The certs are valid.  The email addresses on the certs do NOT match the email addresses here.
  - We used their certs on our accounts.  The certs sent just fine, both encrypted and signed.
  - We used our certificates on their accounts; no one's accounts could send.
  - We checked Active Directory for any Sesame Streets ("which one of these is not like the other.....").  No joy there.
  - We manually published their encryption certs THROUGH THE SERVER to AD.  Suddenly, they could receive encrypted emails.  Still couldn't send signed or encrypted.
  - We got DISA and the TNOSC involved.  DISA branched this problem out to Oklahoma City, Columbus Ohio, and an NCES help site.  They had a lot of great ideas.
  - They had us manually put SupressNameChecks DWORD = 1 in the registry under HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Security  --  still no joy (GPOs are supposed to push this anyway).  Notice that 'Supress' is misspelled.  We didn't catch that the first time (Thanks Microsoft).  Also, there are two Outlook subkeys under Office.  Use the 11.0 one, not the plain Outlook one.  We missed that, too (Thanks again, Microsoft).
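The registry tweak above has two traps (the misspelled value name and the look-alike subkey), so here is an added PowerShell audit script, not from the original post, that checks both locations and reports what it finds. The `-Fix` switch is a hypothetical convenience for setting the value the way the post describes; the key paths and the `SupressNameChecks` spelling are the ones the post gives.

```powershell
# Added example (not from the original post): audit the Outlook 2003 S/MIME
# name-check suppression value, checking both the correct Office\11.0 subkey
# and the plain Office\Outlook subkey that is easy to confuse with it.
# Run as the affected user. -Fix is an assumed switch, not an Outlook feature.
param([switch]$Fix)

# The value really is spelled 'Supress' (one p), as the post warns.
$ValueName = 'SupressNameChecks'
$Correct   = 'HKCU:\Software\Microsoft\Office\11.0\Outlook\Security'
$Decoy     = 'HKCU:\Software\Microsoft\Office\Outlook\Security'

# Returns the DWORD value at $Path, or $null if the key or value is absent.
function Get-NameCheckSetting {
    param([string]$Path)
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$ValueName
}

$correctValue = Get-NameCheckSetting $Correct
$decoyValue   = Get-NameCheckSetting $Decoy

# Flag the common mistake: the value sitting under the wrong subkey.
if ($null -ne $decoyValue) {
    Write-Warning "Found $ValueName=$decoyValue under $Decoy; Outlook 2003 does not read that subkey."
}

if ($null -eq $correctValue) {
    Write-Output "$ValueName is not set under $Correct (the GPO that should push it may not be applying)."
} elseif ($correctValue -eq 1) {
    Write-Output "$ValueName=1 under $Correct: name checks are suppressed."
} else {
    Write-Output "$ValueName=$correctValue under $Correct: unexpected value."
}

# Optional repair: create the key if needed and write the DWORD = 1 the post describes.
if ($Fix -and $correctValue -ne 1) {
    if (-not (Test-Path $Correct)) { New-Item -Path $Correct -Force | Out-Null }
    New-ItemProperty -Path $Correct -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
    Write-Output "Set $ValueName=1 under $Correct."
}
```

Since the post says Group Policy is supposed to push this value, a value that is absent under the 11.0 subkey is also a cheap indicator that the user is not receiving the policy at all; `gpresult` on the workstation will confirm which GPOs actually applied.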
 
We ended up nuking LTC Z's account while keeping her mailbox.  No joy.  We then nuked her account AND mailbox.  WORKED!! Except now she gets lots of bounced emails.
 
We went to CPT F's mailbox.  We nuked his account and mailbox, waited two hours for replication, then made him an identical account and mailbox.  He worked AFTER we put SupressNameChecks in.
 
We haven't gotten to fix the general, yet.  Nuking his mailbox causes him to not be able to receive email for six hours.  He gets email 24X7, even late night on US weekends.  Lots of fun.
 
Even better, we found that all three of these folks were receiving NO GPOs.  No idea how that is happening.  The NOC, RNOSC, and TNOSC are working on that one.  Crazy, crazy stuff when Active Directory gets this big and dispersed.
 
Cheers,
Jody

--
"...wrap your arms around your body armor, give it a big embrace, and LEARN TO LOVE THE SUCK!"
  -- Sergeant First Class Jenkins, 13 JUL 08

3 comments:

admiyo said...

And this is why the Army should be forbidden to use Microsoft products. It is email. A standard protocol. OK, I get the complexity of the crypto aspects of it, but still, this stuff was designed by DARPA. Why are we dependent on a company that just doesn't understand networking? Hell, MIT Kerberos would be an improvement.

Anything that goes out to the field should be field maintainable, and that goes double for Software.

Bag Blog said...

Too nerdy for me, but I am glad to know you are well.

Master Chief Maup1n said...

Sir,

It seems that the only thing to say here is: "Well, Muh-Fuh!".

V/R,

Maupin