Kevin Locke's Homepage

Eureka!

A blog of minor discoveries and useful tips from Kevin Locke.

Excel PowerQuery System.EnterpriseServices Impersonation Level is Invalid

Recently a user encountered the following error message when refreshing a query in Excel that used PowerQuery to connect to Microsoft SQL Server using Windows authentication:

Could not load file or assembly ‘System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a’ or one of its dependencies. Either a required impersonation level was not provided, or the provided impersonation level is invalid. (Exception from HRESULT: 0x80070542)

What’s going on? Read on for all the gory details.

Spoiler: The problem was caused by attempting to “Use alternate credentials” for Windows authentication in PowerQuery. It was solved by switching to “Use my current credentials” in Data Source Settings, as described in “Manage data source credentials” in Manage data source settings and permissions (Power Query).

Read more...

Windows 11 Guest VM with VirtIO on Libvirt

I recently configured a Windows 11 guest virtual machine on libvirt with the VirtIO drivers. This post is a collection of my notes for how to configure the host and guest. Most are applicable to any recent version of Windows.

For the impatient, just use my libvirt domain XML.

Read more...

External Forwarding without a Mailbox in Exchange Online

Suppose you are using Microsoft Exchange Online with Azure AD Connect Sync to synchronize users between an on-premises Active Directory and Azure Active Directory. Further suppose that there are some users for whom you do not want to create an Exchange Online mailbox, but would like to forward email to an external address. This might occur for part-time employees, contractors, partners, or other users for whom it is convenient to have a company email address, but a mailbox to hold the email is not required or desired. How would you accomplish this?

Read more...

Sharing vimrc in Git for Windows

I was surprised to find that the version of Vim which ships with Git for Windows does not load my vimfiles/vimrc. This post has the explanation and an easy workaround.

Read more...

Setting Apache MultiViews Language from Query String

Michael Dayah of Ptable.com asked about how to extend the technique from Serving XHTML with Apache MultiViews and Serving Pre-Compressed Files with Apache MultiViews to serve files for a language requested using a query parameter. This post outlines the slick technique we worked out.

Read more...

Resolving Desktop Notifications D-Bus Service Conflicts

Recently I started using the Sway window manager, with occasional fallback to XFCE. Having both mako and xfce4-notifyd installed causes a conflict over the org.freedesktop.Notifications D-Bus service name (see Red Hat Bug 484945). This post describes the workaround I am currently using, until dynamic activation directories or another solution is implemented.

Read more...

Subaru STARLINK Doesn't Show My Wireless Network

Some quick notes about connecting Subaru STARLINK to a home wireless network (e.g. for firmware updates):

Read more...

Porting a Landline from Charter Spectrum to Google Voice via AT&T

Not long ago I helped a few people transfer their landline phone number from Charter Spectrum to Google Voice. The general process is straightforward, but the devil is in the details. Several steps are prone to failure and delays if not done correctly. This post is my notes about the exact steps required.

Read more...

Checking 802.11w (MFP/PMF) Support (on Linux)

IEEE 802.11w-2009 defines a mechanism for cryptographically protecting 802.11 management frames to prevent deauthentication attacks (such as the deauthentication attacks recently discussed on Hacker News). The feature is often referred to as “Protected Management Frames (PMF)” or “Management Frame Protection (MFP)” and is required by WPA3.

While configuring and testing 802.11w, I found it difficult to determine whether 802.11w was supported, enabled, and/or required on each device and network. This post documents the methods that I used.

Read more...

Prefer Terminal for GnuPG Pinentry

GnuPG 2 uses a pinentry program to prompt the user for passphrases and PINs. The standard pinentry collection includes executables for GNOME, plain GTK+, Qt, Curses, and TTY user interfaces. By default, the graphical programs will fall back to Curses when $DISPLAY is not available. For my own use, I would like the opposite behavior: Present a text UI if a terminal is available, otherwise fall back to a graphical UI. This post describes one way to accomplish that behavior.

Read more...

More Robust Client-Side JavaScript Error Reporting

Recently I reimplemented client-side (i.e. in-browser) JavaScript error reporting for a web application that I had written years ago. This post outlines some of the things I discovered and provides a basic implementation.

Read more...

OpenPGP Key Transition to 0x498A12A1584EA6F9

For a number of reasons, including the use of better cryptographic algorithms and key management using a hardware security module exclusively, I have recently set up a new OpenPGP key and will be transitioning away from my old one.

The old key will continue to be valid for some time, but I prefer that the new key be used whenever possible.

Read more...

Upgrading ReportViewer: Unknown Report Version and Other Errors

Recently I helped a client update an ASP.NET web site project from ReportViewer 2005 to ReportViewer 2017. This post documents a few issues that I encountered during the process:

Read more...

Disable NetBIOS over TCP/IP with Dnsmasq

A friend recently convinced me that it’s time to disable NetBIOS (and WINS) based in part on Microsoft’s recommendation not to deploy WINS, serious unpatched WINS vulnerabilities, spoofability, and because it complicates network lookups and masks DNS problems. After reviewing Ace Fekay’s excellent post Do I need NetBIOS? to check for gotchas, I decided to disable NetBIOS over TCP/IP by using DHCP server options. This is accomplished by setting the Vendor-Specific Option Code 0x01 to the value 0x00000001 for DHCP clients matching the Microsoft Vendor Class Identifier (using “MSFT” for forward-compatibility rather than the entire “MSFT 5.0” identifier). In dnsmasq this can be accomplished by adding the following to /etc/dnsmasq.conf:

dhcp-option=vendor:MSFT,1,2i

(For reference, there is more explanation of how dhcp-option vendor options work in a dnsmasq-discuss post.) Once configured, restart dnsmasq then acquire a new DHCP lease (e.g. by running ipconfig /release && ipconfig /renew) and confirm NetBIOS over TCP/IP is disabled (e.g. by running ipconfig /all). With any luck you will be free of NetBIOS.

Partition Type B8CB5058-C187-4719-BAF0-379CA2D4C97E

I am reasonably certain that the partition type GUID B8CB5058-C187-4719-BAF0-379CA2D4C97E is used for ExpressCache partitions. Since Wikipedia articles must not contain original research, and I was unable to find a source to corroborate (or refute) this finding, I am documenting it here.

Read more...

Azure Kudu Error 403 Without Referer

Azure App Service provides a management interface reachable through “Advanced Tools” in the Azure Portal for controlling App Service features. (This interface is part of the Kudu project.) Today I discovered that if your browser does not send the HTTP Referer header in cross-origin requests, you will get Error 403 with the following content:

Read more...

Raspberry Pi SD Card Storage Considerations

After a recent SD Card failure on a Raspberry Pi, I decided to research storage devices and configurations to improve performance and device lifetime. This post contains the results of that research.

Read more...

strongSwan and SonicWall: payload type ID_V1 was not encrypted

I recently encountered the following error while attempting to connect to a SonicWall IPsec VPN using strongSwan:

payload type ID_V1 was not encrypted

This issue has been encountered in Chromium OS and subsequently fixed. The fix was upstreamed to strongSwan and included in strongSwan 5.2.0 and later behind the charon.accept_unencrypted_mainmode_messages configuration option. Users encountering the above error may want to include the following in /etc/strongswan.conf:

charon {
    accept_unencrypted_mainmode_messages = yes
}

On Debian-based distributions this can be accomplished by editing the appropriate line in /etc/strongswan.d/charon.conf.

Saving SQL passwords in Excel Power Pivot Connections

I recently ran into some difficulty enabling SQL password saving for a data source which had password saving disabled when it was created in the Power Pivot Excel Add-in. After some trial and error, I discovered that the trick is to enable password saving in the Excel workbook connection before specifying a password and enabling password saving in the Power Pivot connection. This post provides a detailed walkthrough of the process.

Read more...

Checking MSRs for x2APIC on Windows

While troubleshooting a graphics-related freeze on Linux I was asked whether Windows uses x2APIC. It was not immediately clear to me how to check, and my initial searching did not come up with a convenient command or WMI property to query. This post describes the method I used to read the configuration from the model-specific registers (MSRs) in hopes that it may save others the time and effort of figuring it out.

Read more...

Ownership of /usr/local by group staff

I recently read through Debian Bug 299007 which resulted in the policy change to move toward /usr/local being owned by group root instead of group staff. The move was largely motivated by concerns that group staff is root-equivalent (i.e. a user in group staff has all the power of the root account) because it can create/change binaries in the root $PATH. Although this is true, and is a good reason not to add users to group staff, it ignores at least one good use case discussed in this post.

Read more...

Unbound with Dnsmasq on OpenWrt

This post describes one way to set up Unbound as a validating, recursive, caching DNS resolver on a router running OpenWrt. The setup includes forwarding to Dnsmasq for local names.

IMPORTANT: This post is of historical interest only. OpenWrt 18.06 added support for UCI-based configuration of Unbound and OpenWrt 21.02 added support for the dhcp_link option. Configuring Unbound as described in the Parallel dnsmasq section of README.md should now be sufficient.

History: This post was initially written as the Unbound HOWTO on the old OpenWrt wiki for Chaos Calmer (15.05.1). It was moved to Example 2 on the Unbound services page on the new wiki and updated to work on LEDE 17.01 and OpenWrt 18.06, then subsequently removed when it became too outdated.

Read more...

FORMERR from Microsoft DNS Server for DIG

While helping to diagnose name resolution issues on a Windows Domain, I discovered that Microsoft DNS Server (version 1DB10106 (6.1 build 7601)) responds to requests from the BIND DIG tool (version 9.11) with response code 1 FORMERR (Request format error). This post discusses why and a workaround.

Read more...

Faster git filter-branch for file filtering

When filtering the commit history of a Git repository to contain only the history of certain files, and performance is an issue, consider the following suggestions:

  1. Use BFG Repo-Cleaner where possible. It’s quite fast.
  2. Otherwise, use the --subdirectory-filter option of git filter-branch, where appropriate.
  3. Otherwise, use the --index-filter option of git filter-branch and specify the desired files as arguments.

Read more...

Serving Pre-Compressed Files with Apache MultiViews

A common tactic to increase performance and decrease bandwidth is to compress HTTP responses. This is particularly useful for text content such as the CSS, JavaScript, and HTML that are fundamental to the web. There are several different methods for configuring compression in Apache, but most have subtle (or not so subtle) issues. This post continues the series of MultiViews posts (after the earlier XHTML and ErrorDocuments posts) by outlining the problems encountered in popular compression configurations and how to avoid them using MultiViews.

Read more...

Setting Content-Security-Policy with mod_headers

Web developers and admins looking to tighten the security of their websites should consider defining a Content Security Policy for their site. For sites hosted using Apache, a simple way to achieve this is by sending the Content-Security-Policy header using mod_headers. Unfortunately, making this simple solution robust is more difficult than it first appears. This post describes a method for setting or modifying the Content-Security-Policy header in a way that won’t clobber previous values set by earlier configuration options or returned by an application server.

Read more...

A Warning About ErrorDocument with MultiViews

For those of you who are Serving XHTML with Apache MultiViews you may want to be careful about how MultiViews interacts with ErrorDocument. Configuring error documents with content negotiation can lead to compound errors in the case that the client does not accept any of the types available for the error document. This results in both unexpected behavior and a suboptimal user experience. This post describes how to avoid such errors while still negotiating the returned content type.

Read more...

New Posts Incoming

This blog has been dead for the last couple of years, without a single post since the beginning of April, 2013. In that time I’ve been preoccupied with other endeavors, primarily Quantpost, and haven’t had time to document any of my minor discoveries. Luckily for readers, this blog is only mostly-dead, not all-dead, and I am planning to bring it back to life.

I have recently moved to Seattle, WA to attend courses at the University of Washington and am planning to make time available for writing new content. I have a few drafts of new posts that have been waiting to be completed since 2013 which are still relevant and useful, as well as a long list of topics that deserve attention which has accumulated over the past 2 years. I make no guarantees about the frequency or volume of upcoming posts, but you can expect several new posts in the next few weeks and posts on a more regular basis after that. Perhaps even some style improvements to make the blog easier to read. So, without further ado, on to the new posts!

Issues with Slow Cryptsetup

I recently configured an additional encrypted partition mounted at boot using cryptsetup with LUKS. Doing so increased my boot time by about 5 seconds. In tracking down this minor annoyance, I learned two things about cryptsetup which may be helpful to others in a similar situation:

Read more...

Firefox Fails in Odd Ways Without /proc

Recent versions of Firefox crash on startup when /proc is not mounted. Although this is not a problem, per se, the fact that it crashes without giving any indication of the reason can significantly complicate testing alpha/beta/nightly releases. This post simply lists the errors that I have seen in hopes that it will save others some debugging time.

Read more...

Scala Default Constructor Parameters Causing Circular Static Initialization

I just finished tracking down a rather esoteric bug in a Scala application that I am writing. Understanding this bug requires some understanding of how Scala is translated to Java and how Java handles static initialization, neither of which will be explained (much) in this post. So, if you are interested in how default parameters on a constructor can cause circular static initialization resulting in a NullPointerError, read on.

Read more...

PostgreSQL Cascading Delete Trigger Visibility

If a delete trigger is fired on a table due to an ON DELETE CASCADE action, will the trigger see the rows in the parent table which triggered the cascade? Will a trigger on the originating table see rows in the child tables? Does it matter if the trigger is a “before” or an “after” trigger? The answer to these questions was not immediately obvious to me, and my half-minute of searching didn’t find a clear answer, so I have written this post to remind myself and others what happens in PostgreSQL 9.1.

Read more...

A Warning About Auto-Commit with Flyway and BoneCP

This post is just a quick warning that Flyway (before commit 55985b, which includes version 2.0.3, the current version) disables auto-commit on its JDBC Connection. Also, BoneCP (before commit 99d50d, resulting from bug 790585, which includes version 0.7.1.RELEASE, the current version) did not apply the default auto-commit or read-only setting to recycled connections. When these behaviors are combined, connections will be returned from the connection pool which have differing auto-commit. Plan accordingly.

Another quick note, version 0.8.0-rc1 has auto-commit set to false by default, which differs from the JDBC behavior. I consider this a bug.

Configuring Logging in Tests with Lift

The Lift web framework integrates the SLF4J logging framework through a set of interfaces for performing logging and a configuration mechanism. The configuration mechanism attempts to configure the logging in a manner similar to the configuration for other parts of Lift. Unfortunately, this mechanism performs differently (or not at all) when running tests than it does when running normally. This post is a quick explanation of the configuration mechanism and how to configure logging during tests.

Read more...

No Output From non-UTF-8 XMLStreamWriter

Just a quick reminder to always flush your buffers (when appropriate) and that the behavior of the JDK default XMLStreamWriter (com.sun.xml.internal.stream.writers.XMLStreamWriterImpl) differs between UTF-8 output, which is unbuffered, and non-UTF-8 output, which is buffered through com.sun.xml.internal.stream.writers.XMLWriter. I just spent way too much time figuring this out (particularly because finding the actual location of the source file is non-trivial - Hint: It’s not in the OpenJDK source tree). Hopefully this post will save others that time/effort.

Using Debian-packaged Ruby Gems

Ruby software is commonly distributed as “gems”, packages containing Ruby applications and/or libraries, which can be installed using the RubyGems package manager, typically run as a command named gem. On Debian systems, some gems are also available as Debian packages through the Debian package repositories. For Ruby developers on Debian, it is almost inevitable that some gems will be installed through RubyGems and some will be installed through the Debian package managers (and possibly some installed through both). This post discusses some tips for minimizing the pain of this situation.

Read more...

Downloader for Google Web Fonts

Just a quick note: I wanted to work with fonts from Google Web Fonts offline. Unfortunately, the source code only contains TTF files and I was unable to find either a trusted converter utility for all formats or a way to download non-TTF formats. So, I wrote a simple utility to download the fonts. Perhaps you will find it useful.

Removing Attributes with Lift CSS Selector Transforms

Recent versions of Lift (2.2-M1 and later) provide a concise way of expressing XML transformations using a CSS-like syntax called CSS Selector Transforms. The pleasant conciseness comes with a number of unexpected/undocumented behaviors and corner-cases. One which recently caught me by surprise is the handling of attributes on XML elements. This post is a brief discussion of the behavior and how to work around it to remove attributes from elements.

Read more...

SSL Certificate Verification in Dispatch and AsyncHttpClient

I’ve recently started using the Dispatch library for HTTP/HTTPS, which is quite a nice library, as long as you don’t need documentation. Dispatch uses the Ning/Sonatype AsyncHttpClient library, which is also quite nice, and although AsyncHttpClient is a library which I could recommend, it does have an insecure-by-default implementation of SSL. This post is a quick discussion of the AsyncHttpClient defaults and how to implement certificate verification to increase the security provided by SSL.

The information in this post is outdated. Thanks to the efforts of the Async Http Client team, hostname validation was enabled by default in commit 3c9152e from pull request #510, which is included in 2.0.0-alpha9 and later. The fix was also backported to 1.9.0-BETA1 in commit a894583. If you are using Async Http Client 1.9.0 or later, there is no need to use the MyHostnameVerifier class described in this post.

Read more...

SLICK/ScalaQuery Recipes

I recently started using SLICK (formerly ScalaQuery) for database access in a Scala project. In the process of wrapping my head around how SLICK works, I’m documenting some “recipes” for common queries. Unfortunately, this post got published before the recipes were ready. (Oops!) But, not to worry, I’ll post them here (or a link from here) once they are ready.

Important Squeryl Limitations

I recently had to make the difficult choice to replace Squeryl with SLICK (formerly ScalaQuery) much later in the development cycle than I would have liked. Although I do like some of the design and features of Squeryl, it has some very significant limitations that anyone considering using it should be aware of up-front. Also, in an effort to avoid excessive bias, I’ll include a few of the limitations of SLICK that I have encountered for comparison.

Read more...

How to Subscribe to Google Groups without GMail, Really

Although it does not appear to be officially documented, it is possible to subscribe to a Google Group without a Google Account. There are several ways to subscribe but, as I recently found out, Google Groups tries really hard to use a GMail account, if you have one. This post explains how to subscribe to a Google Group via email and how to avoid one pitfall that may result in messages being sent to your GMail address rather than the address with which you subscribed.

Read more...

Squeryl Transactions Not Committing in Lift

The latest issue that I’ve encountered while working with Squeryl in a Lift-based web application, is that not all transactions are being committed to the database. This post is a quick discussion of the symptoms that I was seeing and a note on how to avoid the issue.

Read more...

BoneCP 0.8.0-alpha1 unusable with Lift Squeryl-Record

In tracking down some persistent errors relating to using Squeryl with Lift, I’ve found that the latest version of BoneCP does not appear to be safe for use in this scenario. This article is a quick discussion of the symptoms that I am seeing and how to avoid them.

Read more...

Letterboxing with FFmpeg/Avconv for Mobile

Although the ffmpeg (and avconv) program has a relatively intuitive command-line interface, given the diversity and complexity of the functionality that it exposes, there are still many operations which can be difficult to express. I found letterboxing (and pillarboxing) to be one of those operations, so in order to save others the trouble of working out the details, this post will develop a command for doing boxing with ffmpeg/avconv.

Read more...

NoSuchMethodException for Field Classes in Squeryl-Record

I recently spent way too much time tracking down the source of an error in the Squeryl integration to the Record persistence layer in Lift. In the hopes that it may be useful to others encountering the same error, here are the details:

Read more...

Serving XHTML with Apache MultiViews

If you are reading this article on the web using a modern web browser, you should be seeing an XHTML version of this page served as application/xhtml+xml. The merits of the XHTML media type, and XHTML in general, have been widely debated and I will not discuss them here. Instead, here is a brief discussion of how this server is configured to serve HTML and XHTML content.

The impatient may wish to skip to the recommended configuration.

Read more...

Changing the Default Browser in Thunderbird on Linux

Recently Thunderbird started opening http URLs in the wrong browser. Although you may think that the solution would be a simple configuration change, as I did at the time, it turns out that the process which Thunderbird uses to determine which browser to use is complex, poorly documented, and has changed several times between Thunderbird versions. This post outlines my understanding of the process and, most importantly, how to change the default browser in current versions of Thunderbird.

Read more...

Installing Redmine with MySQL, Thin, and Nginx on Debian Squeeze

Redmine is a web-based project management system, often called a forge, built using the Ruby on Rails framework. It provides bug/issue tracking, time tracking, wiki pages, gantt charting and calendar, multiple project support, and role-based access control for users to name a few. This article will cover the process of installing Redmine on Debian Squeeze using MySQL for data storage, Thin for serving Ruby, and nginx as the outward-facing server.

Read more at Debian Administration…

SDL Blit Speed Comparison

This post was converted from a page I put together several years ago. It is presented here for posterity and in the hopes that it may still be useful in some way.

The Simple Directmedia Layer (SDL) library provides several methods of displaying images, many of which may be used interchangeably. In order to help developers choose which method to use in a given set of situations, this post presents performance numbers for a variety of these display methods.

Read more...