Welcome to Community Server Sign in | Join | Help

Alan makes a bold claim - the iPhone is so far beyond a smarphone device that it's almost as if Steve Jobs has come from 2020 to announce it this year. It's so capable that it deals a "mortal blow" to other vendors in the smartphone market.

Why does Alan think this is so? He gives five reasons:

  1. It runs MacOSX, so that must mean that it has great battery life, stability and efficient use of processing power.
  2. Maybe it'll run small MacOSX apps in the future. You could even run Parallels to show how superior this phone is to Windows Mobile
  3. Includes integrated apps from Yahoo! and Google, and you could potentially use VOIP on it
  4. It syncs with Macs and PCs, and it's 5 years ahead of any Window Mobile device
  5. The two-finger touch interface is revolutionary

Here's my reply. The device isn't a new class of anything because:

  1. It does nothing that hasn't been done already
  2. It comes in a form factor that's nothing beyond what we have already
  3. It includes no cutting edge technology, or any novel use of technology, that might encourage new ways to use such devices (e.g. think of the rise of texting)

That's not to say that the Apple iPhone isn't a sexy device - it is. But it's not revolutionary in any way. It might be a better implementation (just like the iPod was a better mp3 player and swept the market), but that doesn't make it some new class of device.

In response to Alan's points in particular:

  1. Just because it runs MacOSX does mean that it'll be efficient battery or powerwise on a mobile device. If you follow the mobile device blogs you will see that working in the mobile space is a whole different kettle of fish to working with laptops
  2. Parallels doesn't allow you to run Windows Mobile, so your scenario isn't possible. How a mobile device would even support virtualisation software given the paucity of system resources and battery power, I don't know. Talking about far-fetched, implausible scenarios just leads people to think you're talking rubbish
  3. You could, potentially run VOIP on it. By you can do VOIP on just about any smartphone (Windows Mobile, Symbian etc) today. So what does iPhone give you? Nothing
  4. The iPhone (at the moment) has no support for Blackberry or Exchange Server ActiveSync. This is one thing that will cripple iPhone sales in the corporate market. This is why I think it's funny when Alan says that this device is 5 years ahead of Windows Mobile. Maybe he meant "5 years behind". Without being able to easily sync messages (email, voice), calendar, tasks etc with your corporate messaging system (especially when you don't have a computer handy) how is this device going to sell in the corporate world? It'll make some inroads with cashed-up consumers, and the small/mid-sized market, but that's not where RIM and Windows Mobile play
  5. How well the scrolling interface works we won't know until people actually get their hands on these devices. Do not always trust what happens in demos - they're designed to show-case what works well. The dirty-little-secrets (the stuff that doesn't work well) typically are not showcased in product launches :-)

My conclusion? iPhone looks like a nice addition to the smartphone market. Is it revolutionary? No. Will it sweep away RIM and WM? No - not at least with this first iteration.

Filed under:

Mikal thinks it's a bit creepy that you need a secret handshake to submit a session breakout paper for Tech.Ed 2006 in the US. For as long as I've known (but that's probably only been the last few years) open submission of papers has not been accepted for Tech.Ed US. You've had to have been invited to submit a session (though the invites have been widely distributed amongst MVPs, RDs, authors, other influentials, former speakers etc).

I suspect that the organisers for the US event are overwhelmed as it is dealing with the large number of submissions. I was lucky enough to present at Tech.Ed 2006 (Boston), and when you're up against the likes of Mark Russinovich (Sysinternals) and Mark Minasi (the author) let alone Microsoft's internal top-guns (everyone from Raymond Chen through to Steve Riley) the competition is pretty fierce. For what it's worth, there are plenty of non-Microsoft people presenting as it is...

Filed under:

In Part 3 of this series we look at setting up Kerberos Authentication in the simplest possible scenario. If you missed Parts 1 (What is Kerberos and how does it work) and 2 (Service Principal Names) they may be worth reading first. In this scenario, we have a client, a DC and a single IIS server. As we progress through the series, we will progressively add more elements into the mix.

In this very simplistic example a client wishes to authenticate to a website hosted on the webserver. The sequence of events is illustrated in the diagram:

IIS and Kerberos - a simple scenario

1) The client makes a HTTP Request
2) The server denies the request with a 401 Authorization Required. It includes the WWW-Authenticate: Negotiate header and/or the WWW-Authenticate: Kerberos header indicating that it supports Kerberos authentication
3) The client requests a Service Ticket from the KDC hosted on the Domain Controller
4) The Domain Controller returns the Service Ticket
5) The Client generates the Authenticator, and sends this plus the Service Ticket in a new HTTP request to the web server
6) The webserver determines the identity of the client, checks the ACL on the resource and either permits or denies access to the resource.

In order for this sequence of events to work the following need to be configured.

The Browser
For Internet Explorer to use Kerberos to authenticate to IIS the following must be configured correctly:

  1. Under Tools -> Internet Options -> Advanced the option "Enable Integrated Windows Authentication (Requires Restart)" must be checked. Whilst technically IWA encompasses both NTLm and Kerberos, IE will use NTLM only if this option is not checked whilst it can use both Kerberos or NTLM if this option is checked.
  2. The website you are connecting to must be located in the "Intranet" Security zone. You can see what zone IE thinks the website is in by looking at the icon in the bottom right-hand side of IE's status bar. If the website is located in the "Internet" zone, IE will not even attempt Kerberos authentication. This is because, in most Internet scenarios, a connection with a domain controller can not be established. The simple rule is that any website that contains full stops (periods for Americans) such as an IP address or Fully Qualified Domain Name (FQDN) is in the Internet zone. If you are connecting to an IP address or FQDN then use IE's settings or Group Policy to add this site to the Intranet security zone. For more information on how IE determines what zone the website is in please see KB 258063

The Domain Controller
For the Domain Controller to generate the appropriate tickets to give to the client an appropriate Service Principal Name (SPN) must be registered in Active Directory. When a Windows Server 2003 machine is added to a domain, a HOST SPN for both the NetBIOS name and the FQDN of the server is automatically added to Active Directory. If your website is accessible at http://servername or http://servername.domain.tld (tld = Top Level Domain, such .com or .local) and the web application pool is running as Network Service, Local Service or Local System, you do not need to change any SPNs.

If the web application pool hosting the site is running under a custom account, the SPN HTTP/servername or HTTP/servername.domain.tld needs to be registered under that custom user account. If those HTTP SPNs exist under any other account, they need to be removed.

And lastly, if the website is accessible at an arbitrary hostname that is unrelated to the actual server’s name (e.g. www.domain.tld) then a SPN needs to be registered for that hostname. If the web application pool hosting the website is running as Network Service, Local Service or LocalSystem, then the SPN needs to be registered under the server’s computer account. If the web app pool is running under a custom user account, then the SPN needs to be registered under that user account in Active Directory.

SPNs can be added using a GUI-based tool such as ADSIEdit. Or can be added programmatically using an interface to AD (such as ADSI), or can be added using the SetSPN.exe command line tool (SetSPN is discussed in Part 2 of IIS and Kerberos listed earlier). To add an SPN using SetSPN for:

  1. a servername under a custom user account:
    setspn –A HTTP/servername Domain\Username
  2. an arbitrary hostname under a computer account:
    setspn –A HTTP/hostname.domain.tld Domain\MachineName
  3. an arbitrary hostname under a custom user account:
    setspn –A HTTP/hostname.domain.tld Domain\UserName

The IIS Server
There isn’t a lot to configure on the IIS Server. Firstly Integrated Windows Authentication (IWA) should be enabled for the website or application you are seeking to protect. By default this enabled both the Negotiate and NTLM Authentication Providers in the IIS metabase. If you have edited the metabase to remove the Negotiate provider, you will need to add it back in. The installation of some products (e.g. Sharepoint Portal Server 2001) removes the Negotiate provider – you may need to manually add it back in. See Microsoft KB Article 832769 for your options.

Secondly, all web applications hosted at the DNS name in question need to be running in one or more web application pools that are all running under the same user account. It’s easiest if all the web applications at that DNS name are running in a single web app pool. However if you do need to split web applications into multiple pools, those pools need to be running under the same user account.

And that should be all that is required for your Internet Explorer browser to authenticate to IIS using Kerberos. To verify whether this is occuring, you can use the tools described in my previous post on determining whether the browser is using NTLM or Kerberos to authenticate to IIS.

Filed under: ,

I'm not sure who designed the UI for the Add/Remove Windows Components feature in Vista, but that's got to be one of my biggest peeves. If you install/uninstall components (such as IIS) the checkboxes are not tri-state (no sub features, default sub features, all sub features). Instead the checkboxes toggle between "no sub features" and "default sub features". If you want to get all the subfeatures, you need to expand each level and manually check each and every non-default feature.

Now IIS 7.0 on Vista alone has 48 checkboxes in three levels, about half of which aren't in the default features list. That means you need to check about 24 boxes manually to get all of IIS installed. That's annoying.

And what happened to controlling System Restore? In Windows XP you could control which drives System Restore applied to, and also how much of your disk drive was being used by that feature. In the Vista GUI you are now informed that if you have this feature enabled, it may use "up to 15%" of your disk, which no indication of how much is actually being used. I suppose disks are getting pretty big these days (300-500GB disks are pretty cheap), but if you have a laptop then space is still at a premium. A 40GB C: partition has about 8GB for Vista, 2GB for hibernation, 2GB for page file, up to 6GB for System Restore and about 4GB for basic applications. That's half your partition gone without installing Civilisation 4! I can understand that the Vista source size, and the hibernation file size are fixed, so being able to control the space being used by System Restore via the GUI would be nice.

Sometimes when looking at your dump files, the actual cause isn't possible to determine due to issues such as memory corruption. For example a buggy module may write to some memory address that it doesn't own. When the real owner comes to read back its data, the data is now corrupt and an exception is raised. Unfortunately the crashing module is a victim rather than the real culprit. Your crash dump may look something like this:

BugCheck A, {80ed3d84, 1c, 0, 806c7d4c}
Probably caused by : memory_corruption

b754b3a4 804dce53 0000000a 80ed3d84 0000001c nt!KeBugCheckEx+0x19
b754b3a4 806c7d4c 0000000a 80ed3d84 0000001c nt!KiTrap0E+0x2ad
b754b43c 80512600 00000008 00000003 00000000 hal!HalpClockInterrupt+0x98
b754b4b0 bf878168 bcfca098 000005dc 00000000 nt!RtlFillMemoryUlong+0x10
b754b4e4 bf87b464 b754b758 00000177 bcf10008 win32k!vSolidFillRect1+0x106
b754b664 bf87afa7 bf87806b b754b758 e2a325a4 win32k!vDIBSolidBlt+0x199
b754b6d0 bf87b152 e1912008 00000000 00000000 win32k!EngBitBlt+0xdf
b754b720 bf875ae0 e19ba780 b754b780 e2a32424 win32k!GrePatBltLockedDC+0x1ff
b754b7b8 bf875668 b754b8f0 0000f0f0 7ffde20c win32k!GrePolyPatBltInternal+0x17c
b754b924 804da112 000000c0 0012f348 00000202 win32k!NtGdiFlushUserBatch+0x384
b754b924 7ffe0304 000000c0 0012f348 00000202 nt!KiSystemService+0x96
0012f358 00000000 00000000 00000000 00000000 SharedUserData!SystemCallStub+0x4

In this case the next step is to enable Driver Verifier. Driver Verifier ships with Windows 2000 and above. It provides a number of capabilities to detect operations by kernel modules that may cause a crash or system instability. Microsoft KB Article 244617 provides detailed information on the capabilities of Driver Verifier, and how to enable and disable it.

Note that enabling Driver Verifier won't stop your system from crashing. However your dump files will mostly likely contain meaningful information rather than random gibberish. In the case of the crash above, the problematic module turned out to be from a popular Antivirus product, and updating to the latest version fixed the crashes.

For those that missed the first two parts: Part 1 & Part 2

Filed under:

Virtual PC 2007 RC1 is now available from Microsoft Connect. New improvements include PXE support, fixes for keyboard input lagging on certain laptop chipsets and BSODs when starting Virtual PC after suspending or hibernating your machine.

Here are some more of my favourite (sic) annoyances with Vista. In Internet Explorer you now get a pop-out favourites list by default. However if you have many favourites, especially those with long titles this display is next to useless. I have over a thousand Microsoft KB articles in my favourites folder, and the default view makes browsing this list quite difficult because the right-hand border can not be resized:

Vista Annoyances - IE Favourites

Clicking the "Pin" button in the top-right allows you to resize the Favourites menu, but you need to click this button each and every time you open the Favourites menu. That's annoying. At least it's still possible to get the old IE6-style menu bar, but who knows if that'll be available next version.

The next annoyance comes from Windows Mail - the successor to Outlook Express. Everytime you post to the Microsoft Communities, you are prompted to sign-in using your Passport/Live login. But what happens when your IE homepage is set to "about: blank"? You get an error message, and the sign-in dialogue remains until you press "Cancel". You need to do this every time - and that's annoying:

Vista Annoyances - Mail

Some more little peeves - when you hibernate your laptop you previously used to get a visual indication (a progress bar) showing how long it would be until all your data is saved and the machine is shut down. Now the screen blanks almost straight away (presumably to have the punters think the process is going quicker), however your hard drive is still thrashing away. If you're like me, and you don't want to stow your laptop into your carry on luggage until it has turned off (just in case it doesn't turn off properly and remains on all flight), then the lack of a visual indication is annoying. You don't know if you are going to be waiting 5 seconds or 5 minutes for the shutdown.

Speaking of lack of visual indicators - what about the Defrag Utility that comes with Vista? When it analyzes your disks, it no longer gives you any indication of how defragmented they are, or what the most defragmented files are. If I used to find that my Temporary Internet Files (for example) was heavily defragmented, then I would just delete those files rather than waste time defragmenting them. Now, you have no idea how bad a state your disk is in.

 And when you do defragment, you get a little spinning wheel and a message saying that the process "may take from a few minutes to a few hours". Lovely. 

Since I got back from holidays, I've been using Vista RTM in anger on a few machines. There are certainly a few annoyances (beyond the usual driver issues and app compat issues that seem to arise from using a new OS).

What happened to the View -> Folder Options -> Files Types tab that was in Windows XP that used to give us control over what applications, actions and icons file extensions were associated with? It seems to have completely disappeared. You either need to edit the registry, or use a 3rd party application to get this control back.

And what happened to the network icons we used to have in the notification area/system tray? We used to have one icon for each network connection (assuming you choose to enable that). This allowed us to see the status of each connection, and which connection traffic was travelling over. Now we have just the one icon, and the Network and Sharing Center doesn't tell us much about the status of each connection either.

When "repairing" a network connection under Windows XP, we used to get information on what the OS was doing, and at what step the repair failed (particularly useful if a DHCP server can't be contacted, or isn't responding). Now we just get bland information, and an option for us to "reset" the connection.

I have a few more annoyances, but they might be the result of me not knowing where the new options are. Feel free to add your own issues.

Succumbing to the lure of cheaper pricing overseas I bought a new Apple Macbook whilst on my holiday. It joins my small pile of laptops below. From top to botton: Apple MacBook, Toshiba Portege M200, Toshiba Portege M400, Dell Latitude D600, Toshiba Tecra M2, Toshiba Tecra M4. Not shown: Sony Vaio Z1.

The laptop family

This is my second Mac. I bought a Mac Mini back in June which is serving as a HTPC in the living room, mostly running WinMCE.

Intel Mac Mini running Windows Media Center Edition

Filed under:

Apologies for the delay in posting Part 2 - I've been on holidays so it's been a bit hard finding the time to write these posts. In this part we cover Service Principal Names (SPNs). 

In a previous post we covered the basics of Kerberos authentication. Everything is relatively straitforward, however I didn't cover the one particular aspect. Namely, how does the Authorisation Service (AS) and remote Service share their shared secret?

In an Active Directory domain, all computer and user objects have a password. This password is used as the basis of the shared secret between the AS and the remote service. If the remote service is running under an inbuilt principal such as LocalSystem or Network Service then the computer account's password is used as the basis of the shared secret. If the remote service is running under a custom user account, then the user account's password is used as the basis of the shared secret.

So how does the AS know which user or computer account's password should be used? When a user wishes to connect to a remote service, it tells the Domain Controller what Kerberos service it wishes to connect to. The AS searches through Active Directory to find a matching Service Principal Name (SPN). SPNs are attributes of user and computer objects in the directory. For example, for the computer w03-svr-sql we can see the following SPNs (using ADSIEdit):

Service Principal Name (SPN)

Service Principal Names (SPN)

SPNs can be viewed, added and removed using a GUI tool like ADSIEdit, or you can do the same using a command line tool such as SetSPN (part of the Windows 2000 Resource Kit).

Using SetSPN

Generally, when installing a product such as SQL Server or IIS that supports Kerberos, SPNs are registered for you for the accounts that those products are configured to use. However you later change the user account that the services are running under, you may need to set a new SPN for that Kerberos authentication continues working.

This method of determining the shared secret to be used between the AS and remote service raising a couple of gotchas which can break Kerberos Authentication:

1) The missing SPN
When installing IIS (and a lot of other common services) the installer will register a set of default SPNs in the Directory. However if you change the way that your service runs after installation, you may need to update the SPNs that are registered.

For example, after installing IIS, SPNs for servername and servername.domain.tld are registered under the server's computer account in Active Directory. These SPNs will allow Kerberos authentication to work when using the following built-in service principles: LocalSystem, Network Service or Local Service as the identity for your worker processes.

However if you change the process identity of your web application pool, and assign its worker process a custom domain user acccount as a process identity, then you will need to create SPNs for servername and servername.domain.tld under this custom user account. This allows the KDC to encrypt the service ticket with the password of the user account rather than the computer account.

2) The duplicate SPN
In the event that an SPN for the same service is registered under multiple accounts in Active Directory (e.g. under a computer account and a user account), then the KDC will not know which password should be used to encrypt the service ticket, and Kerberos Authentication will fail.

In the above scenario, once you change the identity of your web application pool, and add the new SPNs for servername and servername.domain.tld, you may need to remove the existing SPNs from under the computer account. Likewise, if you change the process identity from one user account, to another user account, you would most likely need to remove the SPNs from the first user account, and add them to the second user account.

3) Load-balanced IIS solutions
In this situation, the user's request might be routed to either of the two (or more) nodes in your cluster. In this case, you can not run your web application pools under an inbuilt principal (such as Network Service), because the KDC can not know which computer account's password should be used (it does not know which node in the cluster the request will be routed to). In this situation you must use a common domain user account as the process identity of your worker processes.

4) Multiple web applications hosted at a single domain name
Because SPNs are organised by name (either NetBIOS or fully qualified domain name), all web applications hosted at that domain name must be running in worker processes utilising the same, common, identity. This is so that the KDC can generate a service ticket using that identity, no matter what web application is being accessed at the FQDN. You can still run the web applications in separate web application pools, but each pool must be running under the same, common, identity.

Filed under: ,

Edit: I've created a list of all the parts in this series here, which will be updated as I add more parts. 

Configuring Kerberos and Delegation is one of the more common problems I see in the communities and even within Avanade. Since Kerberos isn't a simple topic, I'm going to write a quick series explaining how Kerberos works, common scenarios and problems and some troubleshooting tips.

Kerberos is an open authentication protocol developed at MIT, and implemented in Windows 2000/2003 Active Directory domains (amongst other places). Authentication is the process of proving your identity to a remote system. Your identity is who you are, and authentication is the process of proving that. In many systems your identity is your username, and you use a secret shared between you and the remote system (a password) to prove that your identity.

The problem with simplistic shared secret systems is two-fold:
a) there is a scalability problem. If every user needs to maintain a shared secret with every individual server (or every service on every server!) then that results in poor passwords. Users can not be expected to remember dozens, hundreds or thousands of unique passwords and so end up repeating them regardless of whether the server is a low security or high security resource
b) there is an issue in securely transmitting the shared secret from the user to the server. Various technologies (like TLS/SSL) exist for securing the transport of data between machines, however it is incumbent upon each service to utilise services lower down in the network stack.

Kerberos is designed to overcome these limitations. In this part we look at how a simple Kerberos implementation works. In this scenario we have a user using a client machine that wishes to connect to a remote service (the user here is a person or application, the client is the OS or machine). Remember that we want a system that allows us to store shared secrets centrally, and to securely transmit user credentials between client and service. Lastly we should look to prevent replay attacks (where someone who is sniffing the wire can replay captured packets to impersonate a legitimate user, even if they do not know how to create the authentication packets themselves).

To begin with we introduce the Kerberos KDC - Key Distribution Centre. In the Windows Active Directory world, the KDC lives on Domain Controllers (DCs). The client connects to the Authorisation Service (AS) that runs on the KDC and asks the AS to authenticate the user to the remote service. Technically, the client doesn't need to authenticate itself to the Domain Controller. However in the Active Directory world, something called pre-authentication is used to ensure that the user (or client application) is actually who they say they are.

Simple Kerberos implementation

The AS on the KDC generates a session key that will be used by the client and the remote service. It encrypts the session key with the user's password (this is why the user doesn't need to authenticate - if the user isn't who they say they are, they won't be able to decrypt the session key because they don't know the user's password). The KDC also prepares a second piece of data - it again encrypts the session key as well as the user's username (known as a Kerberos principal), but using the service's password this time to encrypt the data. Only the remote service will be able to decrypt this second piece of data. This second piece of data is known as the Service Ticket (or just Ticket).

The KDC now sends both pieces of data back to the client. The user, knowing their own password, is able to decrypt the first piece of data, and extract the session key. The user however does not know the service's password, so is unable to decrypt the second piece of data. The client uses the session key to encrypt the current time (amongst other things, but they aren't so important right now). This piece of data is known as the Authenticator. The client sends the Authenticator it just generated, along with the Service Ticket received from the KDC to the remote service.

The remote service is able to decrypt the Service Ticket using its own password. It is thus able to get access to the session key, and the Principal (user) attempting to connect. It now uses the session key to decrypt the Authenticator, and extract the time. It compares the time to the current system time on the server to ensure a match. Since only the service, the KDC and the user, know the session key then the service can assume that user must be who they say they are.

If an imposter sent a Service Ticket to the service (e.g. by replaying captured packets) they wouldn't know the correct session key necessary to encrypt the timestamp correctly. Alternatively, if the imposter attempts to use captured Authenticator packets (which contain a timestamp), thus bypassing the need to know the session key, then the times will not match when the Authenticator is decrypted by the service and the service will refuse to authenticate the remote user.

If this was the extent of the Kerberos, then each and every time the client received an encrypted session key from the KDC, the user would need to enter their password to allow the client machine access to it. That could rapidly become a productivity sinkhole (imagine having to enter your password for each and every HTTP request you made!). To get around this, the client machine could cache the user's password, but that isn't a particulary secure system. What Kerberos does is introduce the concept of a Ticket Granting Ticket (TGT).

Ticket Granting Tickets are issued by the AS running on the KDC in the same way that a normal service ticket is issued. However the TGT is valid for the Ticket Granting Service, rather than a remote HTTP server (or any other type of server). Whenever the user wishes to connect to a remote service, it can use the TGT that it has already received to connect to the TGS. The TGS, after authenticating the user via the TGT, issues a Service Ticket to the remote service. However instead of encrypting anything using the user's password, it encrypts using the session key originally generated by the AS. Since the client machine aleady knows this from when the TGT was received in the first place, there is no need to bother the user for their password. The TGT typically has a short lifespan - around 8 hours or so.

Filed under: ,
Internet Explorer 7 has been released for Windows XP SP2 (x86 and x64), Windows Server 2003 (x86, x64 and ia64) in English. Other languages coming in the next few weeks.
Filed under:

Frank says we're getting a new editor. He mentions that the editor is:

  • an MVP
  • Based in Canberra
  • Well known Aussie Blogger
  • A speaker at the upcoming Ready Summit
  • Member of the blogger list on TechTalkBlogs

Let me add my own predictions - the editor will:

because that's not common (1, 2, 3, 4) :-)

No offence to any of the previous editors - they are all, absolutely, great guys at the top of the tree. But on the other hand, variety is the spice of life - maybe some more variety might get some other ideas into the mix?

(Edit: deleted duplicate word, fixed spelling)

Filed under:

David Wang (formerly of the IIS Team) resumes blogging at his new blog. His second post is revealing - it alludes to a tension between what a blogger wishes to write about, and what image their employer wishes to convey publicly. I mention this tension because Avanade (my employer) is about to launch its own corporate blogging site (similar to MSDN/TechNet blogs).

If your immediate management is supportive, your blog can be an independant voice direct to interested parties (customers, peers, clients etc). On the other hand, if management is not supportive, you blog may end up being no more than bland nothings and corporate approved marketing messages. Whilst that might keep the blog "on brand" it means that no one is going to read it - which defeats the purpose of having a corporate blog in the first place.

If the firm already has established bloggers (and I've noticed that Avanade has quite a few), then it will need to demonstrate that it's going to be able to manage the tension between the desire to project a corporate message, and the independant thoughts and interests of its bloggers. Otherwise I suspect those bloggers (and there's a number who have a lot more reach and influence than my little blog) will simply choose to remain outside the corporate fold. 

I wonder if any of those responsible for circulating our proposed policies are reading this? :-)

Filed under: