Choosing an Office 365 identity model (when to use ADFS)

This content is 10 years old. I don't routinely update old blog posts as they are only intended to represent a view at a particular point in time. Please be warned that the information here may be out of date.

At the time of writing, Microsoft Office 365 has the ability to work with three identity models:

  • Cloud identity (stored in Microsoft Azure Active Directory).
  • Synchronised identity (a copy of the objects from an on-premises Active Directory is made in Microsoft Azure AD), optionally with synchronised password hashes.  This is also known as same sign on (not single sign on as there are still two separate objects, albeit two objects that are kept synchronised).
  • Federated identity, using a federation service (such as Active Directory Federation Services, but others are supported) to authenticate users in an on-premises directory following which authorisation can be granted to Office 365 resources. This is also known as single sign on.  In this instance, directory synchronisation is still used to populate the Azure AD with user objects, although authentication happens on-premises.

Whilst the majority of small businesses will be fine with cloud identities, many of my conversations with enterprise customers start off in the directory synchronisation space. Generally, synchronisation is performed using the Office 365 DirSync appliance (a customised version of Forefront Identity Manager) although, more recently a new tool (Azure AD Sync) has been released that will eventually replace DirSync.  At the time of writing the main difference is that Azure AD Sync supports multiple forests (DirSync is a single forest solution) but it doesn’t support password synchronisation (still a major advantage for DirSync).

In general, the approach I recommend is to choose the simplest model for the organisation’s needs. The cloud identity model can work well when there is no on-premises directory service or there is no requirement to integrate; synchronised identity is the most commonly used (assuming there is an existing Active Directory) but sometimes federation is required:

  1. If there is an existing ADFS infrastructure.
  2. If a third party federated ID provider is in use.
  3. If Forefront Identity Manager 2010 is in use (which does not support password synchronisation).
  4. If there are multiple on-premises Active Directory forests (although Azure AD sync may negate this requirement).
  5. If smart cards or other third-party multi-factor authentication solutions are in use (Azure AD does have an MFA capability, although there are some restrictions on its use).
  6. If custom hybrid apps or hybrid search are in use (SharePoint).
  7. If a hybrid Lync solution is in use (i.e. placing users with enterprise voice capabilities on premises and those that don’t need voice in Lync Online, sharing the same SIP namespace).
  8. For self-service password reset via a web service (only administrators have self-service password reset in Office 365).
  9. If there is a requirement to audit logins and/or immediately disable accounts.
  10. If there is a requirement for single sign-on (i.e. accessing Office 365 workloads with the same user credentials as on-premises).
  11. If there is a requirement to restrict client logins by time or location.
  12. If the organisational security policy prevents the synchronisation of password hashes to Azure AD.

On a related topic, the Microsoft Online Services Sign-in Assistant (MOSA) for IT Professionals only exists to simplify the user experience (handling tokens, etc.) and is generally not required with modern versions of Office. Administrators using PowerShell may still need it though.

Finally, if ADFS is down, there is no way for users to authenticate. For that reason, federated infrastructure needs to be highly available (e.g. multiple ADFS proxies and multiple ADFS servers).  One method that’s starting to be commonly recommended is an “ADFS safety net”, using DirSync as a fall back (it’s possible to move between identity models on demand) but obviously that’s only an option if your organisation’s security policy allows the synchronisation of identities (including password hashes to minimise the impact on end users).

For reference, the PowerShell commands are:

Convert-Msol-DomainToStandard -DomainName domainname.tld -SkipUserConversion $true
Convert-Msol-DomainToFederated -DomainName domainname.tld

Set-Msol-DomainAuthentication -Authentication Managed -DomainName domainname.tld
Convert-Msol-DomainToFederated -DomainName domainname.tld

Credit is due to Michel de Rooij (@mderooij) for the ADFS safety net tip.

My new Office 365 Resource Centre

This content is 10 years old. I don't routinely update old blog posts as they are only intended to represent a view at a particular point in time. Please be warned that the information here may be out of date.

I’ve been doing a fair amount of work with Office 365 in recent months (including passing certification exams) and, along the way, I’ve found a lot of snippets of useful information. Normally I’d write a blog post but I expect to be constantly adding to the information so I thought I’d create a different solution this time.

So, I’ve started to create what’s currently known as Mark’s Office 365 Resource Centre. It’s work in progress – and I’m sure the structure will change as it grows over time – but at least I’ve found something to do with the public website on my Office 365 subscription!

Déjà vu: buying and upgrading another Mac Mini

This content is 10 years old. I don't routinely update old blog posts as they are only intended to represent a view at a particular point in time. Please be warned that the information here may be out of date.

Eight years ago, I was writing blog posts about buying a Mac Mini and upgrading its inner workings. Then, last weekend, I bought a new one.  Well, actually I bought the outgoing model at a knock-down price, thanks to a tip-off from Dom Allen (@ca95014).  A 2.3GHz Core i7 late-2012 model should happily replace my aging MacBook and, unlike the late-2014 model that Apple recently announced, it has upgradable RAM (up to 16GB) rather than memory integrated on the main logic board (I believe the term is planned obsolescence and I find it deeply cynical…).

As usual, I bought my memory from Crucial but, whilst I was waiting for it to arrive, I introduced my eldest son to the Apple unboxing experience…

The memory turned up a day or so later and now I’m in the process of transferring all of my images and photo-editing software to the new Mac… I’m sure there will be more posts to follow on that experience.

With some more hard disk space and a faster Mac, maybe I’ll start taking more pictures (lost my “photo mojo” of late, although I did grab a few shots when I went to watch the Revolution Series track cycling a couple of weeks ago).

Dreaming of a better commute

This content is 10 years old. I don't routinely update old blog posts as they are only intended to represent a view at a particular point in time. Please be warned that the information here may be out of date.

Travelling in and out of London this week for the course I’ve been attending has reminded me why working from home (mostly) is a huge blessing. At least 4 hours’ travel a day for a relatively simple 60-mile commute? No thank you!

I did, however, use two different routes with contrasting experiences and that made me think – why does it have to be this way? And what might it be like one day?

Commute route 1: Olney to London via Bedford (Thameslink/East Midlands Trains)

After driving to Bedford and finding a space in the car park (not always easy), the next question was where are the ticket machines? The option to pay and display with optional mobile phone/SMS/app payment seems to have been replaced by a system to pay as you leave the car park on foot (albeit with an optional mobile app). It uses ANPR to recognise my car but the user interface is confusing and there’s no option for contactless payment (surely a perfect use case for fast commodity transactions like this?). At £7.90 for a day’s parking (when the only reason you would ever park there is to catch a train!), it’s expensive too.

Then, at the station I bought a ticket – again falling foul of a confusing user interface (not helped by Thameslink’s corporate colours not really highlighting what I need to see). I switched to another machine and followed a different (but more familiar) purchase journey on the touch screen whilst another customer switched queues because of a broken card reader in the machine she was using.

Catching the train is simple, with frequent services but lots of stops and the (07:34) train is packed well before reaching London.

The good thing about this route (on Thameslink – not on East Midlands Trains) is that it goes right to the heart of the city (not the West End) although I change at Farringdon to get on the underground towards Tower Hill. Sadly, with no barriers to pass through and crowds of commuters I didn’t see an Oyster touch in/out machine, which I realise after boarding the train – wouldn’t it be good if there were more of these machines or if you could swipe on the train!? I touch out at the end of the journey but am charged the full fare and it takes me a lot of time on the phone waiting to sort out the charging…

Commute route 2: Olney to London via Milton Keynes (London Midland/Virgin Trains)

After a faster drive to Milton Keynes (MK is famous for its roundabouts but there’s a real benefit in the national speed limit grid road network), I park close to the station. The actual station parking is extortionate (so much so that I know some people who don’t pay, preferring to take the risk of an occasional fine) but off-street parking is available and half price if I pay by phone (£4.18).

I buy a ticket at the station but know to always allow time for queuing: there are 6 machines and 4 booths but that’s never enough! It’s 06:54 so I dash for the 06:55 London Midland service, but see that the (faster) 06:53 Virgin train has only just arrived (even though it’s showing as “on time”).

We set off towards London, only to be delayed by a vehicle striking a bridge at Watford and are overtaken by the slower London Midland service that I nearly caught earlier! Eventually, we get moving and arrive in London 20 minutes late…

A dream of a better commute

These real world stories are just single journeys and it could all be so different on another day. So let’s compare with what it could be like:

  • My calendar shows that I’m planning to be in London for the day.
  • My alarm wakes me with enough time to get ready, and the lights in the house gently warm up to wake me from my slumber.
  • I drive to the station and, as I park my phone recognises my location and that I’m stationary, asks me if I need to pay for parking and then takes care of the details.
  • Arriving on the station concourse, my digital personal assistant has pre-bookèd my train ticket and there’s a boarding pass on my phone. No paper tickets are required as the barriers can simply scan a QR code on my screen (or even use NFC?)
  • There’s a steady flow of trains (on time of course!) and as I switch to the Underground, payment is dealt with as I pass through turnstiles using a contactless payment card – and, even if I end up on the platform via a different route I can pick my boarding point (verified using location services) and ensure I’m correctly billed, using a smartphone app…
  • Realising there are delays on the line, my phone reschedules appointments as required, or otherwise ensures that contacts are aware I will be delayed.

It’s not difficult – all of this technology is available today but it just doesn’t quite work together… all of this talk of an Internet of Things brings it tantalisingly close but train companies, car park operators and other organisations still cling on to outdated methods. So it seems I’ll be dreaming for a little while longer…

 

Microsoft course review: 10968B (Designing for Office 365 Infrastructure)

This content is 10 years old. I don't routinely update old blog posts as they are only intended to represent a view at a particular point in time. Please be warned that the information here may be out of date.

I’ve spent the last three days on a Microsoft Official Curriculum training course at QACourse 10968B: Designing for Office 365 Infrastructure. Like many Microsoft courses, this is badly named (it won’t teach you how to design for Office 365) but I really did find it useful because it focuses very heavily on Microsoft’s FastTrack deployment methodology for Office 365.  Stepping through each of the stages of pilot (although it’s questionable whether enterprises will do this), deploy and enhance, the course reminds us of the key points to consider at each stage with labs to work through with a fictitious company (for once, it’s not Contoso).  Then, the final module is a full case study (using Trey Research of course) where the class divides into groups and works with the instructor (as a customer) to walk through a series of meetings to understand the environment and make the appropriate decisions for use of the Office 365 services.

I found it really beneficial – particularly the final exercise – as I’m doing this with customers all the time and it’s good to compare the approach I take with the Microsoft recommendations.  I was fortunate as well that we had a very knowledgeable instructor, Dan Lewis, and that led to some really good classroom conversations (in contrast to an Exchange course I attended at the same venue last year, where the instructor was limited in her knowledge) – and the range of roles in the room (midsize company infrastructure manager; large enterprise employees; specialist service provider; systems integrator) also added to the depth of discussion.

The one negative – and it’s a huge one – was the courseware.  Microsoft has moved from printed materials to online content and I can understand the reasons (both financial and environmental) but the system used is awful.  Microsoft Learning have partnered with Skillpipe, who have a content platform using a proprietary document format (presumably for reasons of digital rights management – although why they can’t use Microsoft’s own DRM is beyond me) and the content is only available in browser, or in a reader app for Windows (Vista/7 or 8/RT). No mobile devices – not even Windows Phone!  Added to which I find it really difficult to absorb information on screen (e.g. reading a scenario) and it really damages the learning experience.

Incidentally, if you want to learn about the detail of Office 365, this course is not for you – there’s a 5 day hands on course (Course 20346B: Managing Office 365 Identities and Services or you can access the same content, minus the hands-on elements, in the Microsoft Virtual Academy). And, if you really think that’s all a bit too much fuss and you would like to engage a Microsoft Partner instead… then you could always contact me at work!

Ethernet control for my office “traffic lights”

This content is 10 years old. I don't routinely update old blog posts as they are only intended to represent a view at a particular point in time. Please be warned that the information here may be out of date.

A couple of years ago, I wrote about the “traffic lights” I’d created for my home office (and subsequent “upgrade”). Shortly after that, I updated the solution to use three LEDs (as shown below) but it still wasn’t quite what I needed. Walking to the door to push a button and change the light defeated the object somewhat.  I needed to enable this device with a “web service”!

The solution comes in the form of an Arduino Ethernet Shield, allowing pin control over a standard Ethernet connection.  I didn’t use the official shield though – cheap imports can be found on eBay for around £7.  Following that, I amended my code using the Instructables Arduino Ethernet Shield Tutorial and another Instructables post on controlling an LED over the Internet using an Arduino.

The end result is below (or on Github) – and the Arduino uses DHCP to obtain an IP address (reservations can be used to control which one – or DHCP logs can be analysed) and a simple query string is read to set the light using:

  • http://xxx.xxx.xxx.xxx/?r for red.
  • http://xxx.xxx.xxx.xxx/?a for amber.
  • http://xxx.xxx.xxx.xxx/?g for green.

Anything else fails back to red.  

/*
Red/green LED indicator with pushbutton control
Based on http://www.makeuseof.com/tag/arduino-traffic-light-controller/

USE_GITHUB_USERNAME=mark-wilson

*/

// Setup Ethernet Shield
#include <SPI.h>
#include <Ethernet.h>
boolean reading = false;

// Enter a MAC address and IP address for your controller below.
// The IP details will be dependent on your local network (commented out if DHCP in use):
byte mac[] = { 0xDE, 0xAD, 0xBE, 0xEF, 0xFE, 0xED };
// byte ip[] = { 192, 168, 0, 112 }; //Manual setup only
// byte gateway[] = { 192, 168, 0, 1 }; //Manual setup only
// byte subnet[] = { 255, 255, 255, 0 }; //Manual setup only

// Initialize the Ethernet server library
// with the IP address and port you want to use
// (port 80 is default for HTTP):
EthernetServer server(80);

// Pins for coloured LEDs
int red = 3;
int amber = 4;
int green = 5;
int light = 0;

int button = 2; // Pushbutton on pin 2
int buttonValue = 0; // Button defaults to 0 (LOW)

void setup(){
Serial.begin(9600);

// Set up pins with LEDs as output devices and switch for input
// Pins 10,11,12 & 13 are used by the Ethernet Shield
pinMode(red,OUTPUT);
pinMode(amber,OUTPUT);
pinMode(green,OUTPUT);
pinMode(button,INPUT);

// start the Ethernet connection and the server:
Ethernet.begin(mac);
//Ethernet.begin(mac, ip, gateway, subnet); //for manual setup

server.begin();
Serial.println(Ethernet.localIP());
}

void loop(){

// listen for incoming clients, and process qequest.
checkForClient();

// Read the value of the pushbutton switch
buttonValue = digitalRead(button);
if (buttonValue == HIGH){
changeLights();
delay(1000); // Wait 1 second before reading again
}
}

void changeLights(){
// Change the lights based on current value: 0 is not set; 1 is red; 2 is amber; 3 is green
switch (light) {
case 1:
turnLightAmber();
break;
case 2:
turnLightGreen();
break;
case 3:
turnLightRed();
default:
turnLightRed();
}
}

void turnLightGreen(){
// Turn off the red/amber and turn on the green
digitalWrite(red,LOW);
digitalWrite(amber,LOW);
digitalWrite(green,HIGH);
light = 3;
}

void turnLightAmber(){
// Turn off the green/amber and turn on the red
digitalWrite(green,LOW);
digitalWrite(amber,HIGH);
digitalWrite(red,LOW);
light = 2;
}

void turnLightRed(){
// Turn off the green/amber and turn on the red
digitalWrite(green,LOW);
digitalWrite(amber,LOW);
digitalWrite(red,HIGH);
light = 1;
}

void checkForClient(){

EthernetClient client = server.available();

if (client) {

// An http request ends with a blank line
boolean currentLineIsBlank = true;
boolean sentHeader = false;

while (client.connected()) {
  if (client.available()) {

    if(!sentHeader){
      // Send a standard http response header
      client.println("HTTP/1.1 200 OK");
      client.println("Content-Type: text/html");
      client.println();
      sentHeader = true;
    }

    char c = client.read();

    if(reading && c == ' ') reading = false;
    if(c == '?') reading = true; //found the ?, begin reading the info

    if(reading){
      Serial.print(c);

       switch (c) {
         case 'a':
           turnLightAmber();
           break;
         case 'g':
           turnLightGreen();
           break;
         case 'r':
           turnLightRed();
           break;
       }
    }

    if (c == '\n' && currentLineIsBlank)  break;

    if (c == '\n') {
      currentLineIsBlank = true;
    }else if (c != '\r') {
      currentLineIsBlank = false;
    }

  }
}

delay(1); // give the web browser time to receive the data
client.stop(); // close the connection:

}

}

All it needs now is another service to read my Lync status and call the Arduino accordingly, although, having got this far, I have to admit the form factor is not exactly brilliant and I probably should spend the money on a Busylight or a Blynclight instead so that my Arduino can be repurposed for a new project!

Or, of course, there’s Garry Martin (@GarryMartin)’s beautifully simple approach:

Visual C++ runtime error R6034 caused by duplicate startup entries

This content is 10 years old. I don't routinely update old blog posts as they are only intended to represent a view at a particular point in time. Please be warned that the information here may be out of date.

I think I’ve logged more IT support calls this week than ever before… most of which have resulted in frustration (possibly on both ends of the phone) – I guess that’s the danger of being a technical end user, who doesn’t really want to have a 90-mile round trip for a desktop support technician to look at a problem when I can really fix things for myself.

Yesterday’s call was really just a “niggle” though – but, as I was in the process of fixing some of the issues on my PC, one I wanted to be rid of…

Every time I booted the PC (not resumed from hibernation – just on a cold start or warm reboot), I was presented with a Visual C++ Runtime Library error:

Runtime Error! Program: C:\Program Files (x86)\Common Files\BeCrypt\BCSystray.exe R6034 An application has made an attempt to load the C runtime library incorrectly. Please contact the application's support team for more information

It wasn’t a major issue – more of an annoyance – but Googling didn’t turn up much so, once again, I tried the IT support route. When it didn’t look like I was getting very far, I also tweeted ByCrypt – who were very helpful but, in the meantime, the correct support channels came back with the solution (and a 100% success rate, I’m told).

The issue was that a previous software update had left two startup entries for the BeCrypt system tray application active – one 32-bit and one 64-bit:

Disabling the 32-bit C:\Program Files (x86)\Common Files\BeCrypt\BCSystray.exe entry (not the 64-bit C:\Program Files\Common Files\Becrypt\BCSystray.exe version) and restarting the computer cured the problem.

 

 

Windows Phone 8.1 Backup won’t run? Check OneDrive is authenticated successfully

This content is 10 years old. I don't routinely update old blog posts as they are only intended to represent a view at a particular point in time. Please be warned that the information here may be out of date.

Over recent months, the Windows Phone I use for work (a Nokia Lumia 625) has become progressively more unreliable. Initially, there was just the odd random reboot which also reset the date and time to the out of the box values. Then, I found it was becoming unresponsive several times daily – and there was no pattern to it that would suggest any one application was at fault. The only fix was to hold the power button for at least 10 seconds, after which would perform a soft reset (needing the date and time to be set each time). On one occasion it even hung when I went straight from a reboot to the Date and Time settings without running any other apps!

After a call to our mobile operator’s service desk, I arranged a handset swap but that meant I needed to back up my phone. Windows Phone is pretty good in that regard, in that my configuration settings, applications, etc. are linked to my Microsoft account (depending on the Backup settings). Unfortunately though, the backup hadn’t run successfully for a month – which seemed to co-incide with the time I accidentally killed the DHCP server at home…

Windows Phone can’t be configured with static IP (at least not until the next release) so I tried backing up over 3G and 4G networks, and even using a neighbour’s Wi-Fi, but it kept failing.  Googling was turning up posts about changing my lock screen image but that made no difference so I decided to build a new DHCP server to try and restore the configuration that had worked previously.  Nope. No luck there either Eventually, I found a post that suggested checking the OneDrive app was authenticated.  Sure enough, the app had updated and I needed to log in again. With OneDrive up and running, the Backup also jumped into life. Result. A day or so later, with the new handset delivered by courier, logging into my Microsoft account allowed the phone to be restored.    

I had to supply passwords for mail accounts, etc. and all of the apps need to be authenticated again but that’s not really a problem.  Internet Sharing settings needed to be edited and the Bluetooth pairing with my car needed to be recreated too but by and large the configuration settings migrated to the new handset (as did all of my text messages and call history). I’m sure there will be other things I need to fix (and I lost the images on the first handset as they weren’t included in the backup) but at least my phone doesn’t keep rebooting!

Raspberry Pi infrastructure server (DNS, DHCP, TFTP)

This content is 10 years old. I don't routinely update old blog posts as they are only intended to represent a view at a particular point in time. Please be warned that the information here may be out of date.

A long time ago, I used to run real servers at home – I had a Compaq Prosignia 300 for a while and then a Compaq (or maybe it was an HP) Proliant DL380 running in my garage. Then, a few years back, I stopped running my own mail server and put all of the infrastructure services onto a low-powered PC running Windows Server (working alongside a NetGear ReadyNAS Duo). Recently, I found I didn’t even need Active Directory (I have unmanaged devices and cloud services these days) so I started to switch over onto a Raspberry Pi.  Each move made a huge difference to my electricity bill but I’ve had some mishaps too. I accidentally turned off the Pi and corrupted the flash memory (oops), then recommissioned the previous server. Then, I accidentally killed the power on that too and it’s not come back up (could be the PSU, or the motherboard – but whichever it is it’s unlikely to get fixed) so last Saturday night, I found myself bringing the Pi back into service as a DNS, DHCP and TFTP server – partly to improve my Internet access speeds and partly to back up my Windows Phone (that will be the subject of another blog post).

Luckily, I had the notes from last time I did it – but they hadn’t made it into a blog post yet, so I’d better record them in case I need to do this again…
Assuming that the Raspberry Pi is running Raspbian, the following commands should be entered from command line (e.g. LX Terminal):

  • sudo nano /etc/network/interfaces (to set up static IP – in this case 192.168.1.10 on a class C network):
    #iface eth0 inet dhcp
    iface eth0 inet staticaddress 192.168.1.10
    netmask 255.255.255.0
    network 192.168.1.0
    broadcast 192.168.1.255
    gateway 192.168.1.1
  • sudo nano /etc/resolv.conf (to set the DNS server address – 8.8.8.8 will do if you don’t have one):
    nameserver 8.8.8.8
  • sudo ifdown eth0 (take down the Ethernet connection).
  • sudo ifup eth0 (bring it back up again).
  • ifconfig (check new IP settings.)
  • sudo apt-get install dnsmasq (install the Dnsmasq network infrastructure package for small networks)
  • Optionally, sudo apt-get install dnsutils (to get utilities like nslookup and dig). Unfortunately, this is resulting in bash: dig: command not found (I’m pretty sure it worked when I did this a year or so ago but, for now, I’m managing without those tools.
  • sudo service dnsmasq stop (stop the Dnsmasq service)
  • sudo nano /etc/dnsmasq.conf (edit the Dnsmasq config) – these are the settings I changed (all others were left alone) – the original version of the file includes full details of what each of these mean):
    domain-needed
    bogus-priv
    no-resolv
    server=212.159.13.49
    server=212.159.13.50
    server=212.159.6.9
    server=208.67.222.222
    server=208.67.220.220
    server=8.8.8.8
    local=/home.markwilson.co.uk/
    expand-hosts
    domain=home.markwilson.co.uk
    dhcp-range=192.168.1.100,192.168.1.199
    dhcp-host=00:1d:a2:2f:20:f9,192.168.1.199
    dhcp-option=3,192.168.1.1
    dhcp-option=6,192.168.1.10
    dhcp-option=42,192.168.1.1
    dhcp-option=66,192.168.1.10
    dhcp-option=66,boot\pxeboot.com
    dhcp-option=vendor:MSFT,2,li
    enable-tftp
    tftp-root=/home/pi/ftp/files
  • Optionally, add some static entries for fixed IP items on the network with sudo nano /etc/hosts:
    192.168.1.1 router
    192.168.1.10 raspberrypi
  • sudo nano /etc/resolv.conf (set the DNS server address again – to use the local server):
    nameserver 192.168.1.10
  • sudo service dnsmasq start (start the Dnsmasq service)
  • View client leases with cat /var/lib/misc/dnsmasq.leases.

A few more notes that might be useful include that pinging short names may need a trailing . .
Other blog posts that helped me in creating this include:

(I haven’t actually tested the TFTP functionality – I need it for my Cisco 7940 phone, but need to recover the files from the old server first).

Now, all I need is a UPS for my Pi – and it looks like one is available (but I’m waiting for the new version that can keep the device running a while on battery power too…)

Resuscitating iPass when the client service fails to load

This content is 10 years old. I don't routinely update old blog posts as they are only intended to represent a view at a particular point in time. Please be warned that the information here may be out of date.

I’m on the train this morning, and Virgin Trains Wi-Fi works with the iPass service that my company uses for roaming Wi-Fi connectivity.  Unfortunately, iPass didn’t want to play this morning – but I found a fix…

The error message displayed said something like “An important service (client service) failed to load. Please contact your administrator”.  So I opened the Services console (services.msc), sorted by startup type and looked for Automatic services that were not showing as “Started”. Sure enough, one of these was iPlatformService (described as the iPass iPlatform Service and components”).

With the iPlatformService started, I could successfully connect to the on-train Wi-Fi. I still can’t get a VPN connection but that’s not related to iPass.  So it looks like I’ll have to drive to the office to empty my Outbox (and please don’t get me started on how Outlook Anywhere has been available since 2003 and using a VPN for email is outdated…).