
No SPN means No logon

Published on Friday, November 27, 2009

Mostly when I have issues logging on to a server, it's due to DNS problems. Sometimes the secure channel is messed up, but the last time it was actually quite simple: there was no SPN for the server in Active Directory.

The error: "The security database on the server does not have a computer account for this workstation trust relationship."



On a Windows 2008 server the setspn command is built in. When I executed "setspn -l servername" it returned no SPNs for the server. Simply running "setspn -r servername" fixed the whole thing, immediately allowing me to log on again.


Windows 2008 automatic user profile hive cleanup


After the upgrade of HP RDP to version 6.0 (cf. the other post), we seem to have a lot of scripts failing with weird errors. Because these scripts ran fine in the past, I blamed the RDP upgrade. What we were seeing is that whenever one of the VBScripts tried to execute a command like netsh, bcdedit or diskpart, it would fail with the following error code: -2147023741

Google didn't come up with much, just that it would mean something like "Windows doesn't know the file extension used". Huh? So we started looking in the scripts for errors in the path, or quotes, but all in vain.

Then we noticed that the same scripts wouldn't always fail at the same point, and very soon after that we noticed the following errors in the event log:

Windows detected your registry file is still in use by other applications or services. The file will be unloaded now. The applications or services that hold your registry file may not function properly afterwards.

DETAIL -
1 user registry handles leaked from \Registry\User\S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxx-1106: Process 3616 (\Device\HarddiskVolume1\Windows\System32\cmd.exe) has opened key \REGISTRY\USER\S-1-5-21-xxxxxxxxxx-xxxxxxxxxx-xxxxxxx-1106

(Event ID 1530, Application log, logged on server.domain.tld)

Bottom line: some kind of race condition was occurring, with the profile of our user account being forced to unload while the script was still running, causing all kinds of weird, unexplainable behaviour. It seemed like we were doing too many, or too fast, logons with the scripts running in the context of a domain user.
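To triage these events quickly across many job servers, the following Python script (an added example, not part of the original post or of HP RDP) parses the detail text of event 1530, totals the leaked handles per process image, and lists, per user SID, which script interpreters (cmd.exe, cscript.exe, ...) were caught with the hive open. The event messages, SIDs, PIDs and the backup agent are constructed samples modelled on the event shown above.

```python
import re
from collections import Counter, defaultdict
from os.path import basename

# Constructed sample of User Profile Service event 1530 detail text, modelled on
# the shape shown in the post; SIDs, PIDs and the backup agent are made up.
SAMPLE_EVENTS = [
    r"1 user registry handles leaked from \Registry\User\S-1-5-21-1111111111-2222222222-3333333-1106: "
    r"Process 3616 (\Device\HarddiskVolume1\Windows\System32\cmd.exe) has opened key "
    r"\REGISTRY\USER\S-1-5-21-1111111111-2222222222-3333333-1106",
    r"2 user registry handles leaked from \Registry\User\S-1-5-21-1111111111-2222222222-3333333-1106: "
    r"Process 4120 (\Device\HarddiskVolume1\Windows\System32\cscript.exe) has opened key "
    r"\REGISTRY\USER\S-1-5-21-1111111111-2222222222-3333333-1106 "
    r"Process 4120 (\Device\HarddiskVolume1\Windows\System32\cscript.exe) has opened key "
    r"\REGISTRY\USER\S-1-5-21-1111111111-2222222222-3333333-1106\Software\Microsoft\Windows NT\CurrentVersion",
    r"1 user registry handles leaked from \Registry\User\S-1-5-21-1111111111-2222222222-3333333-1204: "
    r"Process 5008 (\Device\HarddiskVolume1\Program Files\Backup\agent.exe) has opened key "
    r"\REGISTRY\USER\S-1-5-21-1111111111-2222222222-3333333-1204",
]

HEADER = re.compile(
    r"^(?P<count>\d+) user registry handles? leaked from \\Registry\\User\\(?P<sid>S-[0-9-]+):")
# One clause per leaked handle; the key runs until the next "Process N (" clause or the end.
HANDLE = re.compile(
    r"Process (?P<pid>\d+) \((?P<image>[^)]+)\) has opened key "
    r"(?P<key>\\REGISTRY\\USER\\.+?)(?= Process \d+ \(|$)")

# Interpreters a deployment job would typically run its scripts under.
SCRIPT_HOSTS = {"cmd.exe", "cscript.exe", "wscript.exe", "powershell.exe"}


def image_name(device_path):
    """cmd.exe from \\Device\\HarddiskVolume1\\Windows\\System32\\cmd.exe (works off Windows too)."""
    return basename(device_path.replace("\\", "/"))


def parse_event_1530(message):
    """Split one event 1530 message into the leaking user hive and the processes holding it."""
    m = HEADER.match(message)
    if not m:
        raise ValueError("not an event 1530 detail message")
    handles = [
        {"pid": int(h.group("pid")), "image": h.group("image"), "key": h.group("key")}
        for h in HANDLE.finditer(message)
    ]
    return {"count": int(m.group("count")), "sid": m.group("sid"), "handles": handles}


def leaks_per_image(messages):
    """Total leaked handles per process image name across all events."""
    totals = Counter()
    for msg in messages:
        for h in parse_event_1530(msg)["handles"]:
            totals[image_name(h["image"])] += 1
    return dict(totals)


def script_host_leaks(messages):
    """Per user SID, the script interpreters caught with the hive open: these are the
    jobs whose profile was unloaded underneath them (the race the post describes)."""
    hits = defaultdict(set)
    for msg in messages:
        ev = parse_event_1530(msg)
        for h in ev["handles"]:
            name = image_name(h["image"]).lower()
            if name in SCRIPT_HOSTS:
                hits[ev["sid"]].add(name)
    return {sid: sorted(names) for sid, names in hits.items()}


if __name__ == "__main__":
    print(leaks_per_image(SAMPLE_EVENTS))
    print(script_host_leaks(SAMPLE_EVENTS))
```

Feed it the message text of the 1530 events exported from the Application log (one string per event); a SID that shows up with cmd.exe or cscript.exe is a job account whose profile was unloaded mid-run, while a non-script process (the constructed agent.exe here) points at something else holding the hive.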

Some possible workarounds exist:
  • Run the scripts under "Local System"
  • Use the following workaround: remkoweijnen blogpost
  • Insert a sleep inside the HP RDP job. This is the part where you configure which script will be executed; this content gets copied to a file called rxscript.bat and is then executed. Note: for the sleep command, download the Windows 2003 Resource Kit Tools.
We chose the first option as that seemed the nicest one. We had to grant some permissions on our shares containing packages and logs to "Domain Computers".

Oh, almost forgot, this behaviour is "by design": http://support.microsoft.com/kb/947238, nevertheless I think it's a nice feature for the Terminal Server boys


HP RDP 3.80 NIC teaming issue solved!


A year ago I encountered issues when deploying Windows 2008 based servers on HP ProLiant blades and servers. Everything went fine, but when the NICs were configured as a team, the deployment agent lost connection with the deployment server. Oddly enough, we only had this issue on Windows 2008 servers; Windows 2003 servers were fine.

On the ITRC forums other people were complaining as well. HP RDP 3.81 or 3.82 didn't solve the issue. About HP RDP 3.83 I don't know, but what I do know is that HP RDP 6.0 actually does solve the issue.

Using the remote install feature to deploy the new agents to the disconnected systems saved us some time as well.


Explaining UAC related behavior

Published on Saturday, November 21, 2009

Some days ago I encountered some fun with UAC. I wrote up an email with some examples for some colleagues. Today I stumbled upon the following: http://thoughtsonopsmgr.blogspot.com/2009/11/srs-uac-ie-esc-to-name-few.html
To be honest, I'm not against enabling/disabling UAC. However, sometimes I hate the way it alters expected output. Commands simply behave in another way instead of just telling you: "hey, you need to run me elevated". At the end of this post I'll give some examples.
As an answer to the behavior of the reporting website:
Suppose you have SRS (SQL Reporting Server) and OS (Other Server).
If you start IE on SRS, you do it with a "deny" group membership for the following built-in groups: SRS\Administrators, SRS\Backup Operators, SRS\Power Users and SRS\Network Configuration Operators.
So, IF the Reporting Services website requires you to have local administrator rights (membership of SRS\Administrators), things will go wrong because those are stripped from your token (actually a deny group membership) and you are accessing the website as a member of SRS\Users.
However, IF you visit the website remotely from the server "OS", the group OS\Administrators will be denied (due to UAC being enabled there too), but the group SRS\Administrators will be in your token this time. Hence you have enough rights to actually see the required items.
If you execute "whoami /groups" in both a normal and an elevated prompt, you can actually see what is denied.
Without elevation:


With elevation:


Other examples of UAC behaviour:
repadmin /showrepl (on a domain controller):


With elevation:


slmgr -dlv (show license information, determine which KMS server activated your server):


More on UAC: http://technet.microsoft.com/en-us/library/cc512679.aspx


AD: External trusts and Kerberos

Published on Monday, September 14, 2009

Very recently I followed a question at activedir.org (very interesting mailing list!) concerning whether external trusts support Kerberos. (topic @ activedir.org)

Microsoft isn't always as clear about it, but the following article does state it: Kerberos is only possible when a forest trust is created: http://technet.microsoft.com/nl-be/library/bb727065(en-us).aspx

And some other references:

Conclusion: External trusts only support NTLM authentication. External trusts are also known as "down-level trusts" or "Microsoft Windows NT Server 4.0 trusts."


Windows 2008 SP2 KMS: virtual counts!


Seems like there are some changes for the KMS in Windows 2008 SP2. Most importantly, there used to be a requirement of 5 physical requests to be able to activate servers and 25 physical requests for Vista clients. With physical requests, I mean the request should originate from a non-virtual installed OS.

Though this has changed for Windows 2008 SP2:

A KMS hosted on Windows Vista or Windows Server 2008 SP2 now counts virtual machines toward the activation threshold.

In other words, environments which mainly consist of VMs now have the ability to set up a KMS without having to use workarounds.

Source: http://download.microsoft.com/download/5/A/2/5A29FA34-4E89-45AF-AA4D-7A148E66039E/Volume%20Activation%20Changes%20for%20Service%20Pack%202%20for%20Windows%20Vista%20and%20Windows%20Server%202008.docx


Certificate templates can't be issued after an in-place upgrade of Windows 2008 to the enterprise edition

Published on Saturday, February 14, 2009

Months ago I had a Windows 2008 (standard edition) server which had to be upgraded to Windows 2008 enterprise. The enterprise edition of Windows allows templates to be duplicated and changed so that custom validity periods can be chosen or that a smaller key size can be set.

After the upgrade the duplicated templates couldn't be issued. Always keep in mind that these templates are stored in AD so they might take some time to replicate. Nevertheless, I seemed unable to issue those templates. Then I stumbled upon this post: Windows PKI blog

Which provided the following solution:

certutil -setreg ca\setupstatus +512
net stop certsvc
net start certsvc

And now Microsoft issued KB967332, 5 months after that post.


W2008 Failover Cluster: resource name fails to come online after a failover

Published on Thursday, February 12, 2009

In the project I'm currently involved in, the network team had a planned upgrade of the Cisco 4500 switches located in both datacenters. These switches are used to connect the new server hardware to the current environment. This new hardware consists of a print, file and mail cluster among other services. The print and file clusters have their SAN disks in the first datacenter (A), the mail cluster in the other datacenter (B). During the upgrade, for some reason a complete shutdown of the switch in the first datacenter was required. It was a planned intervention and the environment is still in the build phase, so this was not an issue. We, the ones responsible for the server setup, didn't stay to check the health of the clusters. We just expected a failover to happen to the other datacenter for the file and print services. Not!

As the switch in datacenter A was powered off at 18.00, the cluster nodes for file and print lost their network in datacenter A. Hence they stopped their services, disks and network names so the nodes in the other datacenter (B) could start them. I intended to provide a small network diagram, but I have no time for this.

As the Cisco 4500 was powered off in datacenter A, the Cisco 4500 in datacenter B had to learn new network routes to other LAN segments, such as the one containing the DNS servers. The process of learning these new routes takes up to approximately 6 minutes, because the RIP protocol is currently in use. During these crucial 6 minutes the cluster nodes in datacenter B try to start the resources. Bringing the disks online is no issue, same for the IPs. Bringing the CAPs (Client Access Points) online failed, so basically no services were available. The process of bringing the network names online failed because Active Directory couldn't be contacted... The domain controllers themselves were available, as these are located on VLANs which are routable by the Cisco 4500. But for the cluster nodes to be able to contact AD they required DNS, which they didn't have because they lacked a network route to that specific subnet for 6 minutes....

So when we arrived the morning after, we found our file and print clusters to be offline. At first we wondered why the clusters didn't try to bring their network names online at a later interval. After all, the network was "healthy" all night. KB947172 explains why. Shortly: if a resource fails once on the first node, followed by a failure on the other node, manual intervention is required.

Below is a copy-paste of the cluster log when the check succeeds:

INFO  [RES] Network Name <vdmprinters>: Initiating the Network Name operation : 'Verifying computer object associated with network name resource printcluster'
INFO  [RES] Network Name <vdmprinters>: Trying to find computer account printcluster object GUID(b4a849281d4b47d30af3681b8590a20e) on any available domain controller.
INFO  [RES] Network Name <vdmprinters>: Found computer account printcluster on domain controller \dc1.domain.local.

So the point of this story: although the cluster service no longer requires an Active Directory user account, you still need AD AND DNS to be around at all times, especially during a cluster failover.


DC Locator process

Published on Thursday, February 5, 2009

Just a very interesting series of posts by Jorge on how Active Directory clients determine which domain controller serves their logon request and which domain controller sends the GPO files over.

DC Locator process part 1
DC Locator process part 2
DC Locator process part 3

A small add-on: using Start - Run - cmd and executing "set" you can easily determine your logon server. Which DC sent the GPOs can be determined by running "gpresult /R" (Windows 2008) or "gpresult" (Vista).

The following Technet article is also a nice source of information: How DNS Support for Active Directory Works


Active Directory and Firewalls

Published on Wednesday, February 4, 2009

[Update:] added NTP as said by Brent in the comments

The following post will explain how to let basic Active Directory related network traffic such as logon requests or replication traffic, be it either sysvol items or AD objects, happen through firewalls. This doesn't mean I'm totally in favour of implementing a firewall between every possible environment. But you might encounter projects where firewalls are used between different sites or just internally between clients and servers.  In that case you might find the following interesting:

The following list is an overview of the AD related services with their required ports:

  • NetBIOS name service (137/tcp, 137/udp)
  • NetBIOS datagram service (138/udp)
  • NetBIOS session service (139/tcp)
  • SMB over IP (Microsoft-DS) (445/tcp, 445/udp)
  • LDAP (389/tcp)
  • LDAP ping (389/udp)
  • LDAP over SSL (636/tcp)
  • Global catalog LDAP (3268/tcp)
  • Global catalog LDAP over SSL (3269/tcp)
  • Kerberos (88/tcp, 88/udp)
  • DNS (53/tcp, 53/udp)
  • WINS resolution (if required) (1512/tcp, 1512/udp)
  • WINS replication (if required) (42/tcp, 42/udp)
  • RPC endpoint mapper (135/tcp, 135/udp)
  • AD replication (TCP 1024 - 65535*)
  • FRS replication (TCP 1024 - 65535*)
  • Netlogon (TCP 1024 - 65535*)
  • NTP (123/udp)

It all seems fine, but the three entries with the dynamic port range are quite funny. If you ask your security guy to implement those, he might as well just throw his firewall out of the window. Microsoft describes this situation as turning your firewall into Swiss cheese (Technet: Active Directory Replication over Firewalls). A second solution is to set up an IPsec tunnel. Something in between is the option to restrict certain RPC services to a specific port. There are a lot of services which use RPC to determine the port they are listening on. Domain replication, file replication, netlogon, remote event viewer and remote computer management are all examples. Whenever such a service is started the "RPC endpoint mapper", a service which listens on port 135, decides which port the service will actually listen on (between 1024 and 65535). This behaviour is nicely explained in the following posts over at the Microsoft Networking Team blog: RPC Endpoint Mapper in a network trace and RPC to Go v.1.

By choosing those ports ourselves and fixing the services to listen on those ports, we can actually limit the required ports to be opened to 3 single ports:
  • AD replication:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\
DWORD: "TCP/IP Port"
value: port1
  • Sysvol replication:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTFRS\Parameters\
DWORD: "RPC TCP/IP Port Assignment"
value: port2
  • Netlogon traffic:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\
DWORD: "DCTcpipPort"
value: port3

Don't forget: A reboot is required

Note: actually only sysvol and AD replication traffic are required for two domain controllers to talk across a firewall. The netlogon service is only required when you want to handle logon requests or domain joins across a firewall. This might be the case when you're setting up a new site and at first you don't have that domain controller available to handle your requests.
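As an added example (not from the original post or from Microsoft), the Python below turns the port list and the three registry settings into a checkable rule set: it validates the fixed ports you chose, builds the list of ports the firewall must allow once RPC is pinned, and reports which entries an existing allow list is missing. Following the note above, Netlogon is only added when you pass a port for it; the allow list at the bottom is a constructed sample.

```python
# Ports from the list in the post, as (service, protocol, port). The three dynamic-range
# entries (AD replication, FRS replication, Netlogon) are not here: they are replaced
# by the fixed ports chosen in the registry.
STATIC_PORTS = [
    ("NetBIOS name service", "tcp", 137), ("NetBIOS name service", "udp", 137),
    ("NetBIOS datagram service", "udp", 138),
    ("NetBIOS session service", "tcp", 139),
    ("SMB over IP", "tcp", 445), ("SMB over IP", "udp", 445),
    ("LDAP", "tcp", 389), ("LDAP ping", "udp", 389),
    ("LDAP over SSL", "tcp", 636),
    ("Global catalog LDAP", "tcp", 3268), ("Global catalog LDAP over SSL", "tcp", 3269),
    ("Kerberos", "tcp", 88), ("Kerberos", "udp", 88),
    ("DNS", "tcp", 53), ("DNS", "udp", 53),
    ("RPC endpoint mapper", "tcp", 135), ("RPC endpoint mapper", "udp", 135),
    ("NTP", "udp", 123),
]
WINS_PORTS = [
    ("WINS resolution", "tcp", 1512), ("WINS resolution", "udp", 1512),
    ("WINS replication", "tcp", 42), ("WINS replication", "udp", 42),
]

# The registry values from the post that pin each RPC service to one port.
RPC_FIXED_PORT_KEYS = {
    "AD replication": (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters", "TCP/IP Port"),
    "FRS replication": (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTFRS\Parameters", "RPC TCP/IP Port Assignment"),
    "Netlogon": (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters", "DCTcpipPort"),
}


def fixed_rpc_ports(ad_port, frs_port, netlogon_port=None):
    """Validate the chosen fixed ports and return, per service, the DWORD to set as
    (key path, value name, value). Netlogon is optional, as the post's note explains."""
    chosen = {"AD replication": ad_port, "FRS replication": frs_port}
    if netlogon_port is not None:
        chosen["Netlogon"] = netlogon_port
    for name, port in chosen.items():
        if not 1024 <= port <= 65535:
            raise ValueError(f"{name}: port {port} is outside the RPC range 1024-65535")
    if len(set(chosen.values())) != len(chosen):
        raise ValueError("each service needs its own port")
    return {name: RPC_FIXED_PORT_KEYS[name] + (port,) for name, port in chosen.items()}


def required_rules(ad_port, frs_port, netlogon_port=None, wins=False):
    """Everything the firewall must allow towards the DC once the RPC ports are fixed."""
    rules = list(STATIC_PORTS) + (list(WINS_PORTS) if wins else [])
    for name, (_, _, port) in fixed_rpc_ports(ad_port, frs_port, netlogon_port).items():
        rules.append((name, "tcp", port))
    return rules


def missing_rules(allowed, ad_port, frs_port, netlogon_port=None, wins=False):
    """Required (service, proto, port) entries not covered by an allow list of
    (proto, port) pairs, e.g. one exported from the firewall."""
    allowed = {(proto.lower(), int(port)) for proto, port in allowed}
    return [rule for rule in required_rules(ad_port, frs_port, netlogon_port, wins)
            if (rule[1], rule[2]) not in allowed]


# Constructed sample allow list: the static ports minus LDAP over SSL, plus two fixed
# RPC ports (5000 for NTDS, 5001 for NTFRS) but nothing for Netlogon.
EXAMPLE_ALLOW_LIST = {(proto, port) for _, proto, port in STATIC_PORTS if port != 636}
EXAMPLE_ALLOW_LIST |= {("tcp", 5000), ("tcp", 5001)}

if __name__ == "__main__":
    for service, proto, port in missing_rules(EXAMPLE_ALLOW_LIST, 5000, 5001, netlogon_port=5002):
        print(f"missing: {service} {port}/{proto}")
```

Run it with your own allow list and the ports you put in the registry; for DC-to-DC traffic leave netlogon_port out, for a site that also has to forward logons or domain joins pass it, and the reported gaps are exactly the rules still to be opened.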

Microsoft KB's which explain the given registry keys:

KB224196 and KB319553


HP SIM: Performance Management Pack and Windows 2008

Published on Thursday, January 29, 2009

The customer I'm currently working at has some c7000 enclosures with Insight Control licenses, which gives us the ability to monitor the servers with the HP SIM Performance Management Pack. For Windows 2003 hosts the process is quite straightforward: license, configure logging, monitoring and sample rate, and after a while all is fine.

For all our Windows 2008 hosts I encountered the following problem: on the page where the currently selected target systems get analyzed, all Windows 2008 hosts appear as licensed but are reported as "unsupported configurations". After double-checking the PMP supported OS list, I found out Windows 2008 is fully supported. What bothered me was a counter in the upper left corner which stated that there were several unreachable licensed servers.

After googling I found the following ITRC post: Error unsupported configuration, which led me to a solution. I generally dislike the idea of altering database content, but I liked even less the idea of having to change the system properties of each Windows 2008 SIM object. So I came up with the following solution: the PMP_V3_0 database contains a table dbo.supported_software which lists all OSs currently supported by PMP. There are several rows which describe all 2008 flavours, though the exact names slightly mismatched what HP SIM was reporting on the System Properties summary. I simply copied the rows and altered them as seen on the screenshot below:

(screenshot: the altered rows in dbo.supported_software)

I'm aware that this is the type of solution which might get broken by a PMP upgrade. But it sure made the HP PMP plugin work for all our Windows 2008 hosts.


Discovering MSCS in HP SIM

Published on Wednesday, January 28, 2009

Although we figured out the necessary steps to add a Windows 2008 failover cluster to HP SIM (currently version 5.2) in our build environment, for some reason this stopped working after some time.

The necessary steps to add a cluster are described below. At first sight some steps may seem unnecessary, but in the end this has proven to be successful. Skipping some of the steps resulted in nodes being discovered with the name of the cluster and vice versa.

  • Add both nodes
  • Run an identify task on those nodes in SIM
  • Restart the SNMP service on both nodes (it will also restart some HP dependent services)
  • Run an identify task on those nodes in SIM again
  • Add the virtual IP which is used to administer the cluster

After performing these steps a HP SIM object should be created which represents the cluster. It should look something like this:

HP SIM cluster object

On the other hand, if the call seems to time out and you receive something like this:

HP SIM Cluster error

You might need to apply the following registry fix on all your nodes and redo the discovery process:
Create the key "CompaqCommonClusterAgent" below HKEY_LOCAL_MACHINE\SOFTWARE\Compaq\

Create a String (REG_DWORD) "Pathname" with value "%SystemRoot%\\System32\\svrclu.dll" below HKEY_LOCAL_MACHINE\SOFTWARE\Compaq\CompaqCommonClusterAgent

All credits go to "Karim H" over at the HP ITRC forums: HP SIM: Cluster Monitor (ITRC Forums)


Windows 2008: export printer queues

    Published on Wednesday, January 21, 2009 in ,

The project I'm currently working on involves a Windows 2008 (32-bit) failover cluster dedicated to printing. The Print Management console, introduced with Windows 2003 R2, has an export feature which is supposed to replace the printmig utility. I like the idea of having the possibility to save multiple sets of drivers/print queues to a file. It's an easy way to have a roll-back plan when some newly installed driver doesn't work the way it's supposed to. Besides the fact that some third-party printer drivers don't install nicely on the virtual print cluster, there seems to be an issue with the export feature. The good news is that it will be fixed in SP2 of Windows 2008.



I noticed that even with drivers which are provided within Windows 2008, the issue exists. I simply added the HP LaserJet 4 printer driver to the drivers on the cluster:

HP LaserJet 4

Which is nicely installed without errors:

Installed Printer Driver

But when I want to save the drivers, print queues and ports:

Export

The following error occurs:

Error

When I click the event viewer button, no errors seem to have been logged:

Event Viewer

And if I perform a manual export by using the printbrm.exe command line utility I receive the following error:

Printbrm

After using Sysinternals Process Monitor I found out that the export utility is trying to access a share (c$) on the network name "clif01ps". This is actually the name of the printer resource, and because Windows 2008 failover clustering uses scoped shares, the share isn't available at all at that path.

I opened a call for this at Microsoft, who confirmed they could reproduce this issue. A month later a fix was delivered which solved the problem for us. Microsoft support confirmed the fix will be included with Windows 2008 SP2.

Related forum post: Microsoft Technet Forums


HP C-Class blades: bulk iLO configuration

Published on Tuesday, January 20, 2009

People working with HP RDP or the SmartStart Scripting Toolkit probably know hponcfg, the HP Online Configuration utility. It can be used to configure the iLO interface of a server by means of XML files.
Mostly you use it from within the OS running on the server. Lately I found out it is also provided as an option on the Onboard Administrator.

When opening an SSH (or telnet) session to the Onboard Administrator (the management interface of a c-Class enclosure), the same tool is available. The advantage is that you can target all iLO interfaces at once.

It could be quite useful when you forgot the password and want to reset it, or just when you have no clue about the IP which was set either manually or by DHCP. It might also be used to upgrade the firmware of all iLOs at once.

After setting up an SSH session, type help to receive an overview of the possible commands.

hponcfg ALL << * (press enter)
(paste iLO XML script)
* (press enter)

The "*" is actually a marker which should not be used in the pasted XML script. It's a way to show the command where the script begins and ends.

Sample scripts:

  • Delete HP SIM trust

<RIBCL VERSION="2.0">
  <LOGIN USER_LOGIN="adminname" PASSWORD="password">
    <SSO_INFO MODE="write">
      <DELETE_SERVER INDEX="0" />
    </SSO_INFO>
  </LOGIN>
</RIBCL>

  • Configure Active Directory integration

<RIBCL version="2.0">
  <LOGIN USER_LOGIN="Administrator" PASSWORD=" ">
    <DIR_INFO MODE="write">
      <MOD_DIR_CONFIG>
        <DIR_AUTHENTICATION_ENABLED VALUE="Y"/>
        <DIR_LOCAL_USER_ACCT VALUE="Y"/>
        <DIR_SERVER_ADDRESS VALUE="domain.local"/>
        <DIR_SERVER_PORT VALUE="636"/>
        <DIR_OBJECT_DN VALUE=""/>
        <DIR_OBJECT_PASSWORD VALUE=""/>
        <DIR_USER_CONTEXT_1 VALUE="@domain.local"/>
        <DIR_USER_CONTEXT_2 VALUE="OU=Server Admins,OU=Users,OU=site,DC=domain,DC=local"/>
        <DIR_USER_CONTEXT_3 VALUE=""/>
        <DIR_ENABLE_GRP_ACCT value="yes"/>
        <DIR_GRPACCT1_NAME value="CN=IloAdmins,OU=Security,OU=Groups,OU=site,DC=domain,DC=local"/>
        <DIR_GRPACCT1_PRIV value="1,2,3,4,5"/>
      </MOD_DIR_CONFIG>
    </DIR_INFO>
  </LOGIN>
</RIBCL>

  • Configure HP SIM and trust by certificate to enable SSO

<RIBCL version="2.0">
  <LOGIN USER_LOGIN="Administrator" PASSWORD=" ">
    <SSO_INFO MODE="write">
      <MOD_SSO_SETTINGS>
        <TRUST_MODE VALUE="CERTIFICATE" />
      </MOD_SSO_SETTINGS>
      <!-- Add an SSO server record using indirect iLO import from -->
      <!-- the network name. -->
      <SSO_SERVER IMPORT_FROM="192.168.10.11" />
    </SSO_INFO>
  </LOGIN>
</RIBCL>

Other iLO XML sample scripts can be found at: HP.com

Another useful command available at the Onboard Administrator is the "reset" command. You can use it like this: reset server 4. In this case the command would temporarily remove all power from blade 4. This can be useful when the iLO is all locked up. It saves you a walk to the datacenter.


Configuring Kerberos authentication pass-through in an IIS 7 NLB setup

Published on Monday, January 19, 2009

Setting up IIS to work with Kerberos authentication might require extra steps when working with NLB configurations. Kerberos is highly dependent on SPNs (Service Principal Names) and DNS. SPNs are defined in Active Directory and are used by the KDC (Key Distribution Center) in the Kerberos authentication process.
When a user accesses a web service hosted by a web server, for example http://server01.domain.local, the user will request a Kerberos ticket for the http service hosted on server01.domain.local. The KDC service in the domain will hand out such a ticket and the client will successfully retrieve the website content.
In the NLB scenario however, we could access http://server01.domain.local and http://server02.domain.local, which would work fine, but when setting up a load balancing cluster users are supposed to access the web server at http://nlbweb.domain.local. If we do visit http://nlbweb.domain.local we will notice the Kerberos single sign-on we had for http://server01 and http://server02 is broken.
This can easily be explained by the fact that there is no one responsible for the http://nlbweb.domain.local service in Active Directory. By default a computer will have two SPNs in AD: TERMSRV and HOST. The HOST SPN will be used for services hosted by the computer which run under the Local System or Network Service account. Therefore when someone accesses a service using the hostname, authentication will succeed.
Using the setspn tool, available in the Windows 2003 Support Tools, or built into Windows 2008, we can list the registered SPNs and add SPNs.
In a single web server setup, where we would like the users to access our site with a generic name, we could add an SPN for the DNS alias:

setspn -A http/web server01
setspn -A http/web.domain.local server01

Though in an NLB setup, we cannot do this. There is a simple rule to follow: an SPN for a given service should only be registered once in AD! So never add an SPN for a given service on different AD accounts. If we can't add our http/nlbweb service to both server01 and server02, we have to delegate it to a user. The following steps are required:

Create an AD user for Kerberos delegation:
  • Create a dedicated user for this
  • Make sure to check "trust for delegation" on the user properties in ADUC
  • Make this user a member of the IIS_IUSRS group on the IIS nodes
  • Use this user as the identity for the application pool used by the website
  • Add the SPNs to the user's AD account:
    setspn -a http/nlbweb ADuser
    setspn -a http/nlbweb.domain.local ADuser
    Verify with: setspn -l ADuser

Configure the authentication on the IIS nodes:
  • Open applicationHost.config (c:\windows\system32\inetsrv\config\)
  • Locate the website you wish to configure
  • Search for something like <windowsAuthentication enabled="true" useKernelMode="true" />
  • Change it to include useAppPoolCredentials="true": <windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="true" />

And most important: configure the browser on the client:
  • Add the URL to the local intranet zone (nlbweb and/or nlbweb.domain.local)
  • Enable Windows Integrated Authentication on the Advanced tab (enabled by default)
  • Automatic logon only in intranet zone (default setting) (or even less restrictive: automatic logon with current username and password)

When testing:
Access the website from a workstation and make sure the zone displayed is the intranet zone and not the internet zone. Testing the website from one of the nodes is pointless as it will use NTLM instead of Kerberos.

You might enable Kerberos debug logging, though keep in mind this will give you a lot of "safe to ignore" errors in your event logs. Set the following registry value to 1 to enable Kerberos logging (0 to disable it again); a reboot is not required.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters
Registry Value: LogLevel
Value Type: REG_DWORD
Value Data: 0x1
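The two failure modes in these posts, a computer account with no HOST SPN (the "No SPN means No logon" post above) and one SPN registered on more than one account (the rule in this post), can both be found by parsing setspn -L output. The Python below is an added example, not the original post's or Microsoft's code; the setspn output, account names and domain are constructed samples modelled on the tool's layout (a header line per account followed by indented SPNs). On Windows 2008, setspn also has a -X switch that reports duplicates directly; the script is for when you only have the text output from several servers.

```python
import re
from collections import defaultdict

# Constructed sample of `setspn -L <account>` output for four accounts. SERVER02 and
# svc-nlbweb both carry the NLB name (the mistake the post warns about) and SERVER03
# has no SPNs at all (the "no SPN means no logon" case).
SAMPLE_SETSPN_OUTPUT = """\
Registered ServicePrincipalNames for CN=SERVER01,OU=Servers,DC=domain,DC=local:
        HOST/server01.domain.local
        HOST/SERVER01
        TERMSRV/server01.domain.local
        TERMSRV/SERVER01
Registered ServicePrincipalNames for CN=SERVER02,OU=Servers,DC=domain,DC=local:
        HOST/server02.domain.local
        HOST/SERVER02
        HTTP/nlbweb.domain.local
Registered ServicePrincipalNames for CN=svc-nlbweb,OU=Service Accounts,DC=domain,DC=local:
        http/nlbweb
        http/nlbweb.domain.local
Registered ServicePrincipalNames for CN=SERVER03,OU=Servers,DC=domain,DC=local:
"""

HEADER = re.compile(r"^Registered ServicePrincipalNames for (?P<dn>.+):$")


def parse_setspn_output(text):
    """Map each account DN to the list of SPNs setspn -L printed for it."""
    registrations, current = {}, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = m.group("dn")
            registrations[current] = []
        elif line.strip() and current is not None:
            registrations[current].append(line.strip())
    return registrations


def duplicate_spns(registrations):
    """SPNs registered on more than one account. AD compares SPNs case-insensitively,
    so HTTP/x on one account and http/x on another is the same duplicate."""
    owners = defaultdict(list)
    for dn, spns in registrations.items():
        for spn in spns:
            owners[spn.lower()].append(dn)
    return {spn: dns for spn, dns in owners.items() if len(dns) > 1}


def missing_host_spns(registrations, computer, dns_suffix):
    """The default HOST SPNs a computer account should carry but does not. Both entries
    come back for a computer with no SPNs at all, which is what setspn -r repairs."""
    dn = next((d for d in registrations if d.lower().startswith(f"cn={computer.lower()},")), None)
    have = {spn.lower() for spn in registrations.get(dn, [])}
    wanted = [f"HOST/{computer}", f"HOST/{computer}.{dns_suffix}"]
    return [spn for spn in wanted if spn.lower() not in have]


if __name__ == "__main__":
    regs = parse_setspn_output(SAMPLE_SETSPN_OUTPUT)
    for spn, dns in duplicate_spns(regs).items():
        print(f"duplicate {spn}: {', '.join(dns)}")
    for computer in ("SERVER01", "SERVER03"):
        print(computer, "missing:", missing_host_spns(regs, computer, "domain.local"))
```

Concatenate the output of setspn -L for every account you care about (computers and the delegation user) into one text and run the two checks; a duplicate on the NLB name means Kerberos to that name will break exactly as described above, and a computer with both HOST SPNs missing is the logon failure from the earlier post.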
     
Sources:

  • Rakkimk: Enabling Kerberos Delegation on a NLB scenario
  • Ken Schaefer: New in IIS 7 - Kernel Mode Authentication
  • Care, Share and Grow!: Kerberos troubleshooting from IIS perspective
  • Microsoft.com: KB 262177 (enable Kerberos logging)


Display authentication used when accessing an IIS website


When playing around with web services and Kerberos, the following might be useful to determine which authentication is actually being used.

Copy-paste the code below into a test.asp file, put it in the root of your web server, make sure ASP is enabled, and it will tell you what kind of authentication you are using:
* NTLM
* Kerberos
* Anonymous
* ...



<%
Dim userID
Dim AuthMethod
Dim AuthType
Dim AuthLength
' Get the logged-on user name (blank when anonymous access is used).
userID = Request.ServerVariables("LOGON_USER")
Response.Write "<br> User Id = " & userID
' Get the authentication method being used (Negotiate, NTLM, Basic, ... or blank).
AuthMethod = Request.ServerVariables("AUTH_TYPE")
' Get the raw HTTP Authorization header; its length is used to tell Kerberos from NTLM.
AuthLength = Request.ServerVariables("HTTP_Authorization")
' If some other authentication method (other than Negotiate) is used, call it "Other".
If LTrim(RTrim(AuthMethod)) <> "Negotiate" Then AuthOtherMethod
' If Negotiate is used, go straight to the subroutine to handle it.
If LTrim(RTrim(AuthMethod)) = "Negotiate" Then AuthNegotiateMethod

Sub AuthOtherMethod()
  ' Anonymous authentication leaves AUTH_TYPE blank, so label it explicitly.
  If LTrim(RTrim(AuthMethod)) = "" Then AuthMethod = "Anonymous"
  Response.Write "<table width=500>The user was logged in using the <B>" & AuthMethod & "</B> authentication method."
  Response.Write "<P> If you were expecting a different method to be used,"
  Response.Write " please check the settings for the resource you are accessing. Remember, selecting"
  Response.Write " multiple authentication methods, or allowing anonymous access can result in a"
  Response.Write " different method being used.</table>"
End Sub

Sub AuthNegotiateMethod()
  ' Typically, NTLM yields a 150 - 300 byte header, and Kerberos is more like 5000 bytes.
  If Len(AuthLength) >= 1000 Then
    AuthType = "Kerberos"
  Else
    AuthType = "NTLM"
  End If
  Response.Write "<table width=500>The <B>Negotiate</B> method was used!<BR>"
  ' Indicate the authentication method that is used to authenticate the user (and show a warning about the script).
  Response.Write "The user was logged on using <B>" & AuthType & "</B>."
  Response.Write "<P><font color=#800000><B>Please do not refresh this page</B></font>.<BR>"
  Response.Write " If you do use refresh, <B>Kerberos</B> will always show up as <B>NTLM</B>."
  Response.Write " This is because the HTTP_Authorization header is being used to determine the authentication method used."
  Response.Write " Since the second request is technically unauthenticated, the length is zero. Please open a new browser"
  Response.Write " for any subsequent requests.</table>"
End Sub
%>
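The ASP page above guesses Kerberos versus NTLM from the length of the Authorization header. As an added example, not part of the original post or of the Microsoft sample, the Python below instead decodes the Negotiate token and looks at what it actually carries: a raw NTLMSSP message (which a client falling back to NTLM may send under the Negotiate scheme), or a SPNEGO NegTokenInit whose first mechType, and therefore its optimistic mechToken, is Kerberos or NTLM. The sample headers are constructed: the Kerberos AP-REQ and NTLM type 1 bodies are placeholders, only the token framing the classifier inspects is realistic.

```python
import base64

# DER-encoded OIDs (tag 0x06 + length + value) as they appear inside a GSS-API/SPNEGO token.
SPNEGO_OID = bytes.fromhex("06062b0601050502")           # 1.3.6.1.5.5.2
KRB5_OID = bytes.fromhex("06092a864886f712010202")       # 1.2.840.113554.1.2.2
MS_KRB5_OID = bytes.fromhex("06092a864882f712010202")    # 1.2.840.48018.1.2.2
NTLMSSP_OID = bytes.fromhex("060a2b06010401823702020a")  # 1.3.6.1.4.1.311.2.2.10
NTLMSSP_SIGNATURE = b"NTLMSSP\x00"


def negotiate_mechanism(token):
    """Name the mechanism a decoded Negotiate token carries."""
    if token.startswith(NTLMSSP_SIGNATURE):
        return "NTLM"  # raw NTLMSSP message without a SPNEGO wrapper
    if token[:1] != b"\x60" or SPNEGO_OID not in token[:16]:
        return "unknown"
    # The optimistic mechToken belongs to the first OID in mechTypes, so the earliest
    # mechanism OID in the token tells us what the client actually sent.
    candidates = [(token.find(oid), name) for name, oid in
                  (("Kerberos", MS_KRB5_OID), ("Kerberos", KRB5_OID), ("NTLM", NTLMSSP_OID))]
    found = [c for c in candidates if c[0] >= 0]
    return min(found)[1] if found else "unknown"


def classify_authorization(header):
    """(scheme, mechanism) for an HTTP Authorization header value; missing = anonymous."""
    if not header or not header.strip():
        return ("Anonymous", None)
    scheme, _, token = header.strip().partition(" ")
    scheme = scheme.lower()
    if scheme == "negotiate":
        raw = base64.b64decode(token + "=" * (-len(token) % 4))
        return ("Negotiate", negotiate_mechanism(raw))
    if scheme == "ntlm":
        return ("NTLM", "NTLM")
    return (scheme.capitalize(), None)  # Basic, Digest, ...


def der(tag, body):
    """Minimal DER TLV encoder, enough to build the constructed sample tokens below."""
    n = len(body)
    if n < 128:
        length = bytes([n])
    elif n < 256:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body


def spnego_init_token(mech_oids, mech_token):
    """GSS-API initial token wrapping a SPNEGO NegTokenInit (mechTypes + mechToken)."""
    neg_token_init = der(0x30, der(0xA0, der(0x30, b"".join(mech_oids))) + der(0xA2, der(0x04, mech_token)))
    return der(0x60, SPNEGO_OID + der(0xA0, neg_token_init))


# Constructed samples: placeholder bodies, not valid NTLM or Kerberos messages.
NTLM_TYPE1 = NTLMSSP_SIGNATURE + b"\x01\x00\x00\x00" + b"\x07\x82\x08\xa2" + b"\x00" * 16
KRB5_AP_REQ_TOKEN = der(0x60, KRB5_OID + b"\x01\x00" + b"\x6e\x03\x01\x02\x03")

SAMPLE_HEADERS = {
    "kerberos": "Negotiate " + base64.b64encode(
        spnego_init_token([MS_KRB5_OID, KRB5_OID, NTLMSSP_OID], KRB5_AP_REQ_TOKEN)).decode(),
    "spnego_ntlm": "Negotiate " + base64.b64encode(spnego_init_token([NTLMSSP_OID], NTLM_TYPE1)).decode(),
    "raw_ntlm_in_negotiate": "Negotiate " + base64.b64encode(NTLM_TYPE1).decode(),
    "ntlm_scheme": "NTLM " + base64.b64encode(NTLM_TYPE1).decode(),
    "basic": "Basic " + base64.b64encode(b"user:pass").decode(),
    "anonymous": "",
}

if __name__ == "__main__":
    for name, header in SAMPLE_HEADERS.items():
        print(f"{name:24} -> {classify_authorization(header)}")
```

Paste in the Authorization header from a network trace or an IIS failed-request trace and the result no longer depends on ticket size. Like the ASP page, it reports Anonymous when the browser reuses an already authenticated connection and sends no Authorization header on a refresh, so look at the first request of a new session.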



Speed up startup of applications

Published on Sunday, January 11, 2009

Often people think applications are slow for the wrong reasons: they blame memory or CPU, or even VMware. One of the things I've encountered lately is that these applications are trying to access CRLs (Certificate Revocation Lists) on the web. When the application is run on a server where you simply don't have direct internet access, this results in a timeout and a slow start of the application. This can be easily solved by changing some settings in Internet Explorer.

Determining whether your application suffers from this phenomenon is quite easy: use the latest version of the Sysinternals Process Monitor, which has a built-in network trace. (Process Monitor)

The following are example consoles which suffer from this: Microsoft SQL Management, Exchange 2007 Management and the Citrix XenApp Management Console.
Unchecking both settings in the Advanced section of your IE browser will solve the slow startup:

Internet Explorer Advanced Settings


AD CS: v3 templates


For those setting up a Windows 2008 Certificate Services server, pay attention when using templates:

The catch here is that the web enrollment part of the Windows 2008 AD CS can only handle v1 or v2 templates. So if you choose the "Windows 2008" template when duplicating your template, you will only be able to use it for auto-enrollment purposes or enrollment by the MMC. It will not appear on the certsrv website.

When you duplicate a template in order to change settings like the validity period, the template becomes a version 2 (Windows 2003) or a version 3 (Windows 2008) template. The out-of-the-box provided templates are version 1 templates.