IT Work

    One in a million is next Tuesday

    Larry Osterman:

    Gordon’s response was simply: “In our business, one in a million is next Tuesday”.

    What I Want From Tech Support

    I’ve been working with a software vendor on the same support case for 15 days now, and it’s driving me crazy. It would be unprofessional to rag on the vendor here, but I will share a few thoughts on what I want from tech support that I consistently don’t get.


    Windows Batch Gotcha: Use REM Inside IF Blocks

    Normally I comment out lines in a Windows batch script by prefixing them with “::”—it just looks better to me than “REM”. But today I found out the hard way (of course) that you can’t do that inside an IF block, or the script dies with…

    The syntax of the command is incorrect.
    http://www.petri.co.il/forums/showthread.php?t=43604

    How to Override IE's Compatibility View Behavior On Intranet Sites

    To force IE to edge mode (even on intranet sites, where IE would otherwise use compatibility mode), the server needs to send X-UA-Compatible as an HTTP header. Using a meta element in the document head doesn’t work reliably.

    I found the answer buried in this Stack Overflow thread.

    In my case, I was working on a WordPress theme, so I added

    header("X-UA-Compatible: IE=Edge");

    at the top of header.php.

    You can also do it at the web server level with Apache or IIS (I haven’t tested either of those methods).

    UPDATE 3/13/2014: I have now verified the IIS method linked above.

    Single Sign-On Epiphany

    When I wrote about my experience setting up AD Single Sign-On for Linux, I said the next step was to extend the transparent SSO experience into WordPress. The biggest reason for that—I thought—was so that the WordPress server could then impersonate the logged-in user to pull resources from our SharePoint server (using SharePoint Web Services) and include them on WP pages. Basically a WordPress front-end with SharePoint doing some Digital Asset Management duties on the back-end.

    The epiphany I just had is that it wouldn’t be WordPress connecting to SharePoint, it would be PHP, which already knows who the user is, thanks to the Kerberos authentication I already have set up. I don’t need to tackle the WordPress part before I can build the SharePoint part.

    Transparent SSO to WordPress is a benefit mainly for content creators, editors, and admins—those are a small percentage of my total user base, and managing their accounts is relatively easy.

    Active Directory Single Sign-On for Linux Intranet Servers

    I mentioned a while ago that I have a Linux web server set up with Kerberos SSO in our AD domain. Setting it up was a lot more tedious than it seems like it should have been. I found bits and pieces of useful information here and there, and some step-by-step guides to help with specific sub-tasks, but I couldn’t find a good, intranet-specific guide to help me understand the big picture—what pieces I needed (and didn’t need) and how they fit together. So here’s part 1 of my attempt to rectify that situation (part 2 will be the WordPress integration—I’m still working on that part).


    Intranet Milestone: Transparent Authentication

    I’ve started a project to move the front-end of our intranet from SharePoint to WordPress (SP is just too icky to do any serious front-end work with). The plan is for WordPress to become the front-end and CMS for news-type content, keep SharePoint for file library and calendar-type stuff (at least for now), and use the SP web services to integrate the SP content into WP. All of the various authentications involved must be transparent to the end-user.

    Goal #1 was to get all the Kerberos stuff worked out so that Apache would transparently authenticate users against Active Directory (assuming they’re logged into a Windows client machine with their domain account—a reasonable assumption for an intranet, although a good experience logging on from an iPad or other non-domain client is also desirable). It took a bit of trial-and-error, but I got it working! WooHoo!!!

    Goal #2 will be to fire up WordPress and get it to recognize that Apache already knows who the user is, create a new WordPress account if it doesn’t already exist, and log the user into WordPress.

    This should be fun… 😉
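
Both Goal #2 above and the "Single Sign-On Epiphany" post rest on PHP reading the user that Apache already authenticated. The sketch below is an added example, not code from these posts: it checks the Kerberos principal that Apache exposes to PHP as REMOTE_USER before mapping it to a local login name. The realm `EXAMPLE.LOCAL`, the function name, and the sample principals are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Assumption: the site accepts only this realm (placeholder, not from the post).
const TRUSTED_REALMS = ['EXAMPLE.LOCAL'];

/**
 * Turn the Kerberos principal Apache exposes as REMOTE_USER into a local
 * login name, or return null if it should not be trusted.
 */
function principal_to_login(?string $remoteUser, array $trustedRealms = TRUSTED_REALMS): ?string
{
    if ($remoteUser === null || $remoteUser === '') {
        return null;                       // request was not authenticated
    }
    $parts = explode('@', $remoteUser);
    if (count($parts) !== 2) {
        return null;                       // need exactly one user@REALM split
    }
    [$user, $realm] = $parts;
    // Realms are case-sensitive; accept only the ones listed explicitly.
    if (!in_array($realm, $trustedRealms, true)) {
        return null;
    }
    // Rejects service principals (HTTP/host), machine accounts (PC01$),
    // and anything that could surprise a later lookup or query.
    if (preg_match('/\A[A-Za-z0-9._-]{1,64}\z/', $user) !== 1) {
        return null;
    }
    return strtolower($user);
}

// Constructed sample values standing in for $_SERVER['REMOTE_USER'].
$samples = [
    'jsmith@EXAMPLE.LOCAL',        // normal domain user
    'JSmith@EXAMPLE.LOCAL',        // same user, different case
    'jsmith@OTHER.EXAMPLE',        // realm not on the allow-list
    'HTTP/web01@EXAMPLE.LOCAL',    // service principal
    'PC01$@EXAMPLE.LOCAL',         // machine account
    'jsmith',                      // no realm
    null,                          // anonymous request
];
foreach ($samples as $s) {
    printf("%-28s => %s\n", var_export($s, true), var_export(principal_to_login($s), true));
}
```

Only the first two samples map to a login (`jsmith`); the rest return null, so account creation and login code downstream never sees a principal from an unexpected realm or a non-user account.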

    When Low Tech Is the Best Tech

    We’ve been thinking about developing a quick application to replace a paper HR process—should be a simple state machine with four possible states: Submitted, Accepted, Rejected, and Completed. But then we realized we would need email notifications and a coherent security model.

    These requirements—workflow, notification, and security—happen reasonably well in the old paper model. Not perfectly, but well enough. These mechanisms are ingrained in the way people do their work, but to implement this in a computer application would require us to build it from scratch.

    It quickly became more complicated than it was worth, a good reminder that sometimes low tech is the best tech.

    The Spam That Got Through

    All of my company’s inbound and outbound email goes through a security service that scans for spam and viruses. From time to time I get an email from someone saying that they got a message that they consider spam. I see that as a good sign. Here’s why:

    Spam filters are machines, with some human input to fine-tune the filter criteria, doing the best job they can. The algorithms are ever-improving, but they’re still just computer programs.

    Also, spam filters read mail, not minds—some of what they see looks enough like legitimate email that they are allowed to pass through. If I, a human, were reading our inbound email feed, I probably would allow many of the “spam” messages, too. It’s not possible for man or machine to know the mind of every recipient, how they would classify every message they receive.

    And the humans that fine-tune the filter criteria tend to err on the side of caution: a false positive—deleting a sales lead, a message from an attorney, etc.—is far more costly an error than a false negative—the spam that got through.

    According to the reports I get from our spam filtering service, 89% of our inbound email is deleted as spam, 1% is quarantined as likely spam, and the remaining 10% is delivered as normal email. That translates to about 2.7 million spam messages a year that never hit our inboxes. Under that kind of barrage, I’m surprised anyone finds it surprising when a single unwanted message sneaks through.

    That’s what I consider a good sign: if end users are surprised when they get a single spam, it means our filters are doing a pretty darn good job.

    I hope that puts things in perspective.