I recently committed a couple of sample projects to the Kerberos.NET library that show how to authenticate a Kerberos ticket presented over HTTP. My choice of platform is OWIN middleware because it most closely resembles how things work in ASP.NET Core without actually going full Core.

The key class to look at is KerberosEndToEndMiddleware. It contains the logic to detect whether a request carries credentials and to challenge the client for them when it doesn't.

Keep in mind that this is a rudimentary sample. It doesn't detect or create sessions, so every request that arrives without an Authorization header is challenged. You can try the sample by launching the KerberosMiddlewareEndToEndSample project. It starts a console app listening on localhost:9000. If you then browse to https://localhost:9000/api/kerberosE2E you'll be prompted for a username and password.

This authentication request will fail. You'll notice in the console app an error has appeared saying that NTLM isn't supported. What happened is that Windows couldn't get a Kerberos ticket for the site, so the browser put an NTLM token inside the Negotiate header instead, and Kerberos.NET deliberately rejects NTLM. The fallback happens for one of two reasons:

  1. You're not a domain user on a domain-joined machine. This should be obvious, but you need a domain account and a reachable KDC to get a Kerberos ticket at all.
  2. No principal in AD has an SPN matching the host you browsed to (here, HTTP/localhost). This is less obvious: the KDC can only encrypt a service ticket with the key of the account that owns the SPN, so with no matching SPN it has no key to use, returns a principal-unknown error instead of a ticket, and the client falls back to NTLM.

Both of these problems are a little too complicated to solve here, so just go ahead and hit any key. The console app then walks through the negotiation itself:

Request:
GET /api/KerberosE2E

Response:
HTTP 401
WWW-Authenticate: Negotiate

Request:
GET /api/KerberosE2E
Authorization: Negotiate YIIHHAYGKwYBBQUCoIIHEDCCB...

Response:
HTTP 200
{
  "Name": "testntlm@identityintervention.com",
  "IsAuthenticated": true,
  "claims": [
    {
      "Value": "testntlm@identityintervention.com",
      "Type": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier"
    }
  ]
}

The flow is a bit contrived because the sample executes it manually rather than a browser doing so, but the requests and responses are the same ones a browser produces, which you can confirm with Fiddler or the F12 network tools.
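Why the console reports that NTLM isn't supported is visible in the token itself. The following is an added example written for this page; it is not part of the Kerberos.NET sample. It parses the Negotiate header's GSS-API/SPNEGO framing far enough to read the mechTypes list and report whether the browser is offering Kerberos or has already fallen back to NTLM, and it reads the outer OID from the first bytes of the token shown in the exchange above (cut at a whole base64 quantum). The two complete tokens it classifies are constructed by the code itself, not captured traffic; the OIDs are the standard ones (SPNEGO 1.3.6.1.5.5.2, Kerberos 1.2.840.113554.1.2.2 and Microsoft's 1.2.840.48018.1.2.2, NTLMSSP 1.3.6.1.4.1.311.2.2.10).

```python
"""Classify the mechanism carried in an HTTP 'Authorization: Negotiate' header.

Added example, not Kerberos.NET code. The header value is a GSS-API
InitialContextToken (RFC 2743 3.1) whose OID is normally SPNEGO (RFC 4178).
Inside the SPNEGO NegTokenInit, mechTypes lists what the client can do, most
preferred first, and the optimistic mechToken belongs to that first entry.
When Windows cannot get a Kerberos ticket (not domain-joined, no SPN for the
host) the first entry is NTLM, which a Kerberos-only validator must reject.
"""
import base64

SPNEGO_OID = "1.3.6.1.5.5.2"
KRB5_OID = "1.2.840.113554.1.2.2"
MS_KRB5_OID = "1.2.840.48018.1.2.2"        # Microsoft's legacy Kerberos OID
NTLMSSP_OID = "1.3.6.1.4.1.311.2.2.10"
KERBEROS_OIDS = (KRB5_OID, MS_KRB5_OID)

# First 24 base64 chars of the token in the exchange above: enough to read the
# outer tag, its length and the thisMech OID, but not the rest of the body.
SAMPLE_PREFIX_HEADER = "Negotiate YIIHHAYGKwYBBQUCoIIHEDCC"


# --- minimal DER helpers ----------------------------------------------------
def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def _encode_oid(oid: str) -> bytes:
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]                  # base-128, high bit set on all but last
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(chunk)
    return _tlv(0x06, bytes(out))


def _decode_oid(body: bytes) -> str:
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, body, position after the element); refuses truncated elements."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    end = pos + length
    if end > len(buf):
        raise ValueError("DER element runs past end of token")
    return tag, buf[pos:end], end


def _token(header: str) -> bytes:
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "negotiate":
        raise ValueError("not a Negotiate header: " + scheme)
    return base64.b64decode(blob)


# --- classification ---------------------------------------------------------
def outer_mech(header: str) -> str:
    """OID of the GSS-API InitialContextToken; works on a truncated token too."""
    token = _token(header)
    if token[0] != 0x60:
        raise ValueError("not a GSS-API InitialContextToken")
    pos = 2 + ((token[1] & 0x7F) if token[1] & 0x80 else 0)   # skip outer length
    tag, oid_body, _ = _read_tlv(token, pos)
    if tag != 0x06:
        raise ValueError("expected thisMech OID")
    return _decode_oid(oid_body)


def spnego_mech_types(header: str) -> list:
    """mechTypes from a SPNEGO NegTokenInit, most preferred first."""
    _, body, _ = _read_tlv(_token(header), 0)      # 0x60 InitialContextToken
    _, _, pos = _read_tlv(body, 0)                 # thisMech OID (SPNEGO)
    tag, neg_init, _ = _read_tlv(body, pos)        # [0] NegTokenInit
    if tag != 0xA0:
        raise ValueError("expected NegTokenInit, got tag 0x%02x" % tag)
    _, fields, _ = _read_tlv(neg_init, 0)          # SEQUENCE
    tag, ctx, _ = _read_tlv(fields, 0)             # [0] mechTypes
    if tag != 0xA0:
        raise ValueError("mechTypes missing")
    _, mech_list, _ = _read_tlv(ctx, 0)            # SEQUENCE OF MechType
    mechs, pos = [], 0
    while pos < len(mech_list):
        _, oid_body, pos = _read_tlv(mech_list, pos)
        mechs.append(_decode_oid(oid_body))
    return mechs


def classify_negotiate(header: str) -> str:
    """'kerberos', 'ntlm' or 'unknown:<oid>' for an Authorization header value."""
    token = _token(header)
    if token.startswith(b"NTLMSSP\x00"):          # raw NTLM, no GSS framing at all
        return "ntlm"
    mech = outer_mech(header)
    if mech in KERBEROS_OIDS:                      # raw Kerberos AP-REQ, no SPNEGO
        return "kerberos"
    if mech != SPNEGO_OID:
        return "unknown:" + mech
    preferred = spnego_mech_types(header)[0]       # the mechToken belongs to this one
    if preferred in KERBEROS_OIDS:
        return "kerberos"
    return "ntlm" if preferred == NTLMSSP_OID else "unknown:" + preferred


# --- constructed inputs (built here, not captured from a browser) -----------
def make_negotiate_header(mech_oids, mech_token: bytes) -> str:
    mech_list = _tlv(0x30, b"".join(_encode_oid(o) for o in mech_oids))
    neg_init = _tlv(0x30, _tlv(0xA0, mech_list) + _tlv(0xA2, _tlv(0x04, mech_token)))
    token = _tlv(0x60, _encode_oid(SPNEGO_OID) + _tlv(0xA0, neg_init))
    return "Negotiate " + base64.b64encode(token).decode("ascii")


NTLM_TYPE1_STUB = b"NTLMSSP\x00\x01\x00\x00\x00" + bytes(20)   # NTLM NEGOTIATE signature, padded
FAKE_AP_REQ = bytes(range(32))                                   # stands in for a Kerberos AP-REQ
NTLM_FALLBACK_HEADER = make_negotiate_header([NTLMSSP_OID], NTLM_TYPE1_STUB)
KERBEROS_HEADER = make_negotiate_header([MS_KRB5_OID, KRB5_OID, NTLMSSP_OID], FAKE_AP_REQ)
RAW_NTLM_HEADER = "Negotiate " + base64.b64encode(NTLM_TYPE1_STUB).decode("ascii")

if __name__ == "__main__":
    print("outer OID of the token shown on the page:", outer_mech(SAMPLE_PREFIX_HEADER))
    for name, hdr in (("ntlm fallback", NTLM_FALLBACK_HEADER), ("kerberos", KERBEROS_HEADER)):
        print(name, spnego_mech_types(hdr), "->", classify_negotiate(hdr))
```

Running this check before the token reaches the Kerberos validator lets the middleware return a precise error (the client offered NTLM) instead of a generic decrypt failure, and guarantees that an NTLM token is never handed to a Kerberos-only code path. A first mechType of Kerberos only means the client believes it has a ticket; the AP-REQ still has to be decrypted with the service key before anything about the caller is trusted.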

Kate and I bought our first house a few months ago. This likely comes as a shock to us more than anyone else. The house was built in 2002, which means it has the benefit of being built to a more rigorous set of standards and codes than say a house built in 1972 and as such is theoretically safer and more energy efficient. The downside of a house built in 2002 is that it’s on the wrong side of the great technology upgrade divide.

Most houses these days are wired with data in mind. The current standard is somewhere between CAT-5e and CAT-6a as they can be used for any number of evils throughout the house like internet, home theater, or even analog telephones, and are somewhat future-proof because they can handle gigabit to theoretical 10-gigabit speeds. In addition, coax is still often run to many rooms for cable boxes or internet connections. If you go back in time a few years you might see a few networking runs, but you’ll see more coax runs, and possibly a few analog telephone runs using CAT-3. If you go even further back, you’ll find just coax and CAT-3, and if you keep going back you’ll see even less. The farther you go back, the less useful wiring you’ll find.

There was a time when builders didn’t really add any extra wiring capacity to homes, but consumers had a demand for technologies requiring it, so the home owners got the service providers like the cable or phone companies to do the wiring installs. The unfortunate problem is that the installed wiring is often not future-proof and therefore has a limited utility, and, of course, needed updating whenever technology matured past a certain point.

What this long winded history lesson leads to is the fact that this house was built with very little useful wiring for my home network.

One of the first things I did when we moved in here was to do an inventory of all the wiring. The previous owners liked to watch TV, and they liked to talk on the phone, but the house wasn’t pre-wired for this sort of thing so at some point they got the-cable-provider-that-shall-not-be-named to run a ton of coax and CAT-3 everywhere.

One nice thing about outdated wiring is that you can use it as the pull string for the new wiring. In this case the wiring all originated from the ugly lovely beige service points on the front of the house, and ran into the basement where it developed into a rats nest of wiring. Thankfully coax requires special termination when branching because of signal degradation, but CAT-3 telephone wiring does not. Well, it does, but not for idiot installers. Each telephone drop was haphazardly run through whatever seam was available, or run through pre-existing holes used for mains wiring (balanced connection or not, there’s going to be interference), and the installers just used electrical tape and wire nuts whenever they needed to be spliced into another line.

The wiring running upstairs exited the basement through a hole in the wall used by the power and refrigeration lines of the AC condenser, hidden away inside the little lip on the siding used to move water away from the house, run up the side of the wall, back into the wall, and sealed off with some water-resistant sealant.

So I had that going for me.

I decided none of it was salvageable, and more importantly none of it was running the right way, so I ripped it all out.

By this point, my ISP, EPB Fiber, had already been in and run a new CAT-5E cable to a spot near a shelf in my garage (see what I mean above?). We had owned the house all of a day and a half when the installer showed up, so I hadn’t given a lot of thought to where it should go. The only option I had at this point was to plug in a wireless router. The router worked fairly well for a while, but there were two critical flaws in its location: 1) it gets hot in the summer because the basement is not insulated, and 2) it was about as far away from my office upstairs as it could be, so the signal sucked.

The next step was to figure out how this place should be wired. I’ve learned a few things over the years having been part of many office cabling jobs. There are a few simple rules worth keeping in mind when trying to lay out a wiring design:

  • All wiring should come to a head in a single place
  • That place should be central to everything, if possible
  • Keep the runs as short as possible
  • Run more cables than you think you’ll need

I’m sure the pros can list a dozen more rules, but these are what I know.

I had a pretty good idea where I wanted network drops, but I didn’t have a great idea where they should all start. I consulted my mostly-to-scale drawing of the house I created in Visio (every home owner makes one of these, right? No? Just me? Weird.) and found that the trunk line for the second floor AC runs up a column right in the middle of the house.


The red circle is approximately where the column runs to the attic.

That column runs from the basement all the way to the attic. Handy. A few feet away from that is the back of the basement stairs where the previous owners stored a bunch of leftover materials from the renovation they did. It wasn’t useful for very much besides storage, so I decided it was the best place to run all the wires.


Under the stairs turned out to be a good spot to house the wiring.

As luck would have it, the new internet drop was actually installed just on the other side of that wall, so it didn’t have far to go to get to under the stairs. Unfortunately the installer did something that I found to be stupid:


Can you guess which one they installed?

In reality it probably had no impact on performance. The cable was crossing perpendicular to the mains, never really ran parallel with any of it, and it was a good distance from everything. Still… it looked bad, and it bugged me. Since I was already running wire, it wouldn’t hurt to plan to include another 50ft or so to the fiber demarc out front.

So now that we’ve got a nice central spot for everything to run, I needed to figure out what to run. EPB runs CAT-5e as a matter of course because it’ll support gigabit, but it’s hitting its upper limits of performance these days. I decided to go with CAT-6 because my base internet connection is gigabit fiber with the potential to upgrade to 10-gigabit (seriously), and it’s still got a lot of room for upgrade in the future. I also couldn’t justify spending twice the cost for CAT-7 on the whim that I might upgrade to 10 Gb in the future. Frankly at that point I’d just run fiber — it’s more fragile, but not susceptible to interference.


Equal parts useful and frustrating.

Anyway, getting back to realistic future-proofing, I decided to run at least two cables per room, more for rooms I know would need it — like my office. I measured the runs from under the stairs, up the column to the attic, across the ceilings, and down the walls to the various spots they needed to go. I added 20% to each run for safety and figured I needed a little more than 600 ft of cable.

I bought a roll of 1000 ft and cut it into segments long enough for each run. I could have bought less, but it’s cheap in bulk, and I was going to make mistakes. I collected all the wire destined to run all the way to the attic (most of the wiring as it turns out) and taped it all together every 5 ft or so. I ended up with a massive and heavy snake of a cable.

Now the fun part. If you’ve ever run cable you know it’s a pain in the ass, especially through multiple floors. I had to get the heavy cable from the basement all the way to attic. I decided to use a metal fish tape run through the column from the attic to the basement (hitting every possible thing imaginable along the way). My working theory was this: pull as much cable into the attic as possible, leaving just enough in the basement long enough to be neatly run to the spot under stairs. It worked well enough, but gravity didn’t have any of it, so I had to tie some off in the attic and route it through the access hole to keep it from falling.


Why yes, that is the mains and smoke detector signal wire running across the access hole. It’ll have to get fixed… later.


Cut the three sides at a steep angle leaving the top uncut.

The next phase was to get the wires to the necessary walls, which were, of course, at opposite ends of the house. I bought a bunch of cheap hooks to hang in the attic so the wires weren’t just sitting on the insulation. In addition to keeping things neat and tidy, they also provided spots to loop the wires so they don’t get pulled taut.


Once the wires were in the general vicinity of the wall I had to drill holes so they could run down the wall to their final spot. I cut a hole in the wall where I wanted the network drop to go, and used a 48″ drill bit to drill up the wall into the attic space. I was expecting to hit a fire stop in the wall (a horizontal 2×4 fit between the wall studs) and was not surprised when I hit one with the bit. It was too cumbersome to drill through it with the 48″ bit, so I cut a hole just below the fire stop and used a shorter bit to drill through it.

Use a punchdown tool for the wires.

I had learned a neat trick when cutting holes: cut out the left, right, and bottom sides at a steep angle, but leave the top side uncut. Break the top drywall, but leave the paper intact. Now you won’t lose the chunk, and it’s easier to repair.

Once I was past the fire stop I was able to use the 48″ bit to drill through into the attic. I ran the fish tape up the wall, using the upper cutout to guide it into the attic, taped the bundle of wire destined for that wall to the end, and yanked it down. Rinse and repeat for each wall. Once I was certain I was done in the attic, I cleaned up the insulation that got moved around (don’t compress insulation — it reduces its effectiveness), closed up the access hole and proceeded to drink a gallon of water. Word of advice: only do work in the attic early in the morning, or in the winter, or hire someone else to do it. The wires were terminated with CAT-6 keystone jacks.

Now I needed to finish the other ends back down in the basement. I didn’t want to just terminate the wires with RJ-45 connectors, so I opted to wire them into a patch panel.


Measure your lengths carefully. You don’t want to rip out the wires and start all over again because they don’t sit right in the channel.

The patch panel wasn’t going to mount directly to the wall, and all the networking components needed a place to live, so I mounted everything into a rack. This had the added benefit that it has a small fan at the top pulling air over all the components keeping them just a little cooler than they would normally be.


The glass is nice because you can see the blinky lights when all is done.

However, the area beneath the stairs was open stud, so I needed a place to mount the rack. I bought a sheet of 3/4″ plywood and attached it with a dozen screws across 3 studs. The rack itself was mounted to the plywood, into the studs with four 5/8″ x 3″ lag screws. I don’t think it’s going anywhere.

Before wiring in the patch panel, I routed the wires through a hole in the top of the rack and neatly wrapped them together using Velcro ties — don’t use zip ties, they’ll dig into the jackets.


Those hooks came in handy. They keep everything neat and tidy.

Once the patch panel was wired in I used a simple continuity-based cable tester to verify I didn’t mix up any pins. Of the two-dozen or so jacks, I only switched one wire pair in one jack — not bad!

I installed the patch panel at the top of the rack to allow for proper cable management. Below the patch panel is a Ubiquiti EdgeRouter, and below that is a Linksys switch. At the bottom is a small UPS mostly just used to keep everything alive long enough to prevent any damage during power outages. On top of that should be a small shelf, but I couldn’t be bothered to install it. Where the shelf should be is all the gear that isn’t mountable, like the NAS, Cisco SMB PoE switch, and the power injector for my network-connected Geiger counter.


Velcro ties are amazing.

I decided to color code all the patch cables. Red is inter-network, and yellow is intra-network.

A speed test was in order once everything was all wired in.


Not bad.

Not bad at all.


The last year or so has been… busy. Around this time last year the company I work for got acquired by Kaseya and it was a reasonably smooth transition. I went from being the Identity Guy to Lead Member of Technical Staff, and from a small engineering team to, well, a lot more. Our products went from being somewhat siloed in nature to being the secure foundation for Kaseya’s new next generation platform. As such my team has spent the last year building some pretty cool things that everyone will see in the coming months. We made amazing progress over this last year and have hit a pretty good groove.

It seems fitting then that a year later I throw a wrench into the gears and royally muck up things. Two weeks ago my lovely girlfriend Dr. (Professor) Kate Rogers and I packed up all our stuff and moved South to Chattanooga Tennessee where Kate will be doing whatever it is professors do, and I continue doing whatever it is I do, albeit remotely.

It turns out I seem to move a lot. This isn’t my first cross-country move, and in fact, it isn’t even my second.

Around the age of 14 my parents packed up and moved from California to Ontario, Canada.


As I recall it wasn’t a particularly easy exodus, as California was going through a mini-drought at the time and had suddenly seen rainfall, so a few highways were washed out, leaving us stuck in the middle of the desert towards the end of summer, in traffic, late at night. Excellent. We pushed on, but then the moving truck broke down on day two or three because of a sketchy timing belt. A timing belt that was installed a day or two before we left, because its predecessor was also causing problems. Coincidence? Eh. Eventually we made it to the new house, though technically it was over 200 years old by the time we moved in.

Life did its thing and I eventually found myself working in Toronto, where I met Dana and he offered me a job in British Columbia working for him building our Single Sign-On product.


I learned my lesson last time that hauling your life’s possessions across the country is better left to the professionals so I hired a moving company. They came around the second week of December and I wasn’t scheduled to start until January, so I went home to Brockville and visited family for Christmas. The night before I was supposed to fly out a more-than-mild ice storm covered everything in ice making my 7am flight out of Ottawa an adventure as the airport was more than an hour away. Eventually we made it and the flight departed without issue. Dana picked me up at the airport and we took the long way to the office chatting about life, business, technology, and everything in between. Dana and I have since become close friends, and this latest move saddens me that we don’t get to just hang out and chat anymore, but seeing as I still work for him, we’ll talk plenty.

Along the way I met Kate. She was studying psychology at the University of British Columbia, though originally from North Carolina. We hit it off and moved in together. A year and a half later she defended her dissertation, became a doctor and was offered a position in Chattanooga. Suffice to say, it’s been quite the year.

Once more I learned that when you haul your life’s possessions across the country only to realize later that you haven’t used half of it since moving, it’s best to get rid of stuff before moving. We decided we would pack up all our stuff, and then drive down, stopping along the way to see the various sights.


It took a week, a few donuts, quite a few cups of coffee, and a lot of tacos, but we made it. It was fairly uneventful, though there was an unexpected detour when a rock made friends with the windshield.


I don’t know why, but out of everything we saw I most enjoyed South Dakota. It may have just been that we saw the most things within a few miles of each other: Mt. Rushmore, Badlands National Park, and the Minuteman Missile Historic Site. Well, let’s be honest: it was the Minuteman.


Unfortunately we only got to the visitor center for the Minuteman site, but I would have loved to have seen this door:


Delta-01 Minuteman Launch Control Facility Blast Door underground (Source)

I guess we’ll have to go back some day.

Eventually we made it though, smiling too.


We’ve been here about a week now settling in. Unfortunately our apartment is still under construction, even though all “estimates” pointed to it being move-in ready 3 weeks ago. We stopped by the building earlier this week and poked around and there’s still a fair bit of work left. We’re staying with Kate’s family in the meantime. We may be here a while. Ah well. It’s nice to be with people you know though so that’s certainly making the transition a lot easier.

We’ll see what the next few weeks bring.