HTTP Keep-alive option in IIS

May 31, 2010

A business-critical website hosted on IIS on a Windows 2000 server, configured with Windows Authentication, suddenly was not accessible. Users were getting 401.1 and 401.2 authentication failure errors. When we investigated, we found that the SPN for the website was missing from AD, and users were getting authentication failures.
The website can be configured to be authenticated by Kerberos and NTLM if required.

Let's see how this works.
A website hosted on IIS can use both the Kerberos and NTLM protocols for authenticating users. Among the authentication methods there is an option for Negotiate authentication. If Negotiate is selected, IIS first tries to authenticate users with the Kerberos protocol; if that fails, it falls back to NTLM.
So what is required to get authenticated by these two protocols?
Kerberos Authentication: Kerberos authentication requires an SPN registered for the URL in Active Directory.
NTLM Authentication: If Kerberos fails, NTLM authentication should take place. For NTLM authentication to succeed, you need to enable the "HTTP Keep-Alive" setting in the web server properties, because the NTLM challenge/response handshake has to complete on one persistent TCP connection.

In the issue mentioned above, neither the SPN was registered nor the HTTP Keep-Alive setting was enabled, so both authentication methods were failing. It seems someone accidentally removed the SPN and/or disabled the HTTP Keep-Alive setting.
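As an added illustration (not code from the original post), here is a small Python check that inspects a captured 401 response from the web server for the two conditions described above: whether a Negotiate/NTLM challenge is offered at all, and whether the connection stays open so the NTLM handshake can complete. The sample response, including its Server header, is constructed.

```python
"""Inspect an HTTP 401 response for the two NTLM/Kerberos prerequisites."""

def parse_response(raw: bytes):
    """Return (http_version, status_code, headers); repeated headers such as
    several WWW-Authenticate lines are kept as a list per header name."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    version, status = lines[0].split(" ", 2)[:2]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return version, int(status), headers

def keeps_connection_open(version: str, headers: dict) -> bool:
    """HTTP/1.1 connections persist unless 'Connection: close' is sent;
    HTTP/1.0 connections persist only with 'Connection: keep-alive'."""
    tokens = {t.strip().lower()
              for v in headers.get("connection", []) for t in v.split(",")}
    if version == "HTTP/1.1":
        return "close" not in tokens
    return "keep-alive" in tokens

def diagnose(raw: bytes) -> list:
    """List the problems a Windows-authenticated client would hit."""
    version, status, headers = parse_response(raw)
    if status != 401:
        return []
    schemes = {v.split(" ", 1)[0].lower()
               for v in headers.get("www-authenticate", [])}
    findings = []
    if not schemes & {"negotiate", "ntlm"}:
        findings.append("no Negotiate/NTLM challenge offered")
    if not keeps_connection_open(version, headers):
        findings.append("connection closed after the challenge; "
                        "the NTLM handshake cannot complete on a new connection")
    return findings

# Constructed sample: an IIS challenge sent with HTTP Keep-Alive disabled.
SAMPLE_NO_KEEPALIVE = (b"HTTP/1.1 401 Unauthorized\r\n"
                       b"Server: Microsoft-IIS/5.0\r\n"
                       b"WWW-Authenticate: Negotiate\r\n"
                       b"WWW-Authenticate: NTLM\r\n"
                       b"Connection: close\r\n"
                       b"Content-Length: 0\r\n\r\n")

if __name__ == "__main__":
    print(diagnose(SAMPLE_NO_KEEPALIVE))
```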

To know more about how to configure IIS to support both the Kerberos and NTLM protocols for network authentication, see the link below.
http://support.microsoft.com/kb/215383
You can also find what changed in IIS 6.0 at
http://www.microsoft.com/technet/prodtechnol/WindowsServer2003/Library/IIS/7b037954-441d-4037-a111-94df7880c319.mspx?mfr=true

Categories: Technical Stuff

Issues allowing yahoo.com in ISA 2006

January 16, 2010

There was a simple requirement from one of my clients: to configure a firewall to protect from the internet and also restrict users from accessing some external sites. So the requirement was to allow only google.com and some of the external mail sites, and restrict all other sites. I installed and configured ISA 2006. This can be achieved by creating Domain Name Sets and an Access Rule for each site, allowing google.com, gmail.com, rediff.com and yahoo.com. I created the Access Rules for these. However, yahoo.com was not accessible properly: when accessed I got the home page of yahoo.com, but the font was different and the images on the home page were not loaded, showing many red X marks.

I rechecked the configuration of ISA and nothing was found. Unlike the other mail sites, Yahoo uses a different URL for loading images. I searched on Google and found a separate URL for Yahoo images. After adding the image URL *.yimg.com to the allowed Access Rule, yahoo.com was accessible normally with the proper images and font.

This problem does not occur when you allow all external sites, as yimg.com is then allowed by default.

Categories: Technical Stuff

LdapIPDeny List

August 28, 2009

Let me explain the background of an issue I faced. A member server had several applications running on it. All of a sudden all the applications stopped and would not let us start them. The error seemed to be with the service account used by the applications; it clearly said that it was a problem with authentication. So, in the process of troubleshooting, one of our sysadmins disjoined the server from the domain. When he tried adding the server back to the domain, the actual problem started: it did not allow joining the server back, saying that the LDAP query failed with access denied.

We had to rename and rebuild the server, but that did not help solve the issue.

Finally, after a lot of investigation, we found the root cause: the server's IP had been added to the LdapIPDeny List in AD, which was causing the LDAP failure errors and preventing this server from joining back to the domain. After we removed the IP from the list, the server joined back to the domain successfully.

Here is some very brief information on the LdapIPDeny List:

To provide a higher level of security for the DC, you can apply an IP Deny List that prevents the DC from accepting LDAP queries from clients with the specified IP addresses. Similar to the LDAP administration limits, the IP Deny List only alters the Default LDAP Policy object. The default LDAP Policy is applied to any DC that has not had a specific LDAP policy applied to it or to the site to which it belongs.

A DC uses the following three mechanisms to apply LDAP Policies:

  • A DC might refer to a specific LDAP Policy. The NTDS Settings object includes an optional attribute, queryPolicyObject, which contains the distinguished name of a Query Policy.
  • In the absence of a specific query policy applied to a DC, the DC applies the Query Policy that has been assigned to the DC's site. The ntDSSiteSettings object includes an optional attribute, queryPolicyObject, which contains the distinguished name of a Query Policy.
  • In the absence of a specific DC or site Query Policy, a DC uses the default query policy named Default-Query Policy.

A Query Policy object includes the multivalued attributes LDAPIPDeny List and LDAPAdminLimits. Ntdsutil allows the administrator to set the LDAP administration limits and the IP Deny List for the Default-Query Policy object.
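As an added example (not from the post), here is a Python helper that evaluates a client IP against IP Deny List entries the way the DC does, so you can check a server's address before trying to rejoin it. It assumes each entry is an address followed by a mask, the form ntdsutil's IP Deny List Add command takes; the entries below are constructed.

```python
import ipaddress

def _to_int(dotted: str) -> int:
    """Dotted-quad IPv4 string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))

def parse_entry(entry: str):
    """Parse 'address mask' (the assumed IP Deny List value form) into
    (network_int, mask_int); the address is normalised by the mask."""
    addr, mask = entry.split()
    mask_int = _to_int(mask)
    return _to_int(addr) & mask_int, mask_int

def matches(entry: str, client_ip: str) -> bool:
    """A client is denied when its masked address equals the entry's
    masked address, i.e. (client & mask) == (address & mask)."""
    net, mask = parse_entry(entry)
    return (_to_int(client_ip) & mask) == net

def denying_entries(deny_list, client_ip: str):
    """Return every entry that blocks client_ip (empty list = allowed)."""
    return [e for e in deny_list if matches(e, client_ip)]

# Constructed deny list: one single-host entry and one /24 range entry.
DENY_LIST = ["10.20.30.40 255.255.255.255", "192.168.50.0 255.255.255.0"]

if __name__ == "__main__":
    for ip in ("10.20.30.40", "10.20.30.41", "192.168.50.77"):
        print(ip, denying_entries(DENY_LIST, ip) or "allowed")
```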

The following links might help you understand how the LdapIPDeny List works.

http://technet.microsoft.com/en-us/library/cc976714.aspx

http://msdn.microsoft.com/en-us/library/cc220058(PROT.10).aspx

http://technet.microsoft.com/en-us/library/cc976703.aspx

/3GB switch

August 28, 2009

I have come across issues with virtual memory, /3GB, /PAE etc. many times, and I guess you have too. Here is a brief description of how /3GB and /PAE work and where to use them.

/3GB – This is a switch in the boot.ini file which increases the user-mode virtual address space and decreases the kernel-mode space. By default the /3GB switch is not enabled, and the system allocates 2GB for user mode and 2GB for kernel mode. That means 2GB of virtual address space can be used by applications in user mode and the rest by kernel mode; in other words, 2 billion memory addresses for kernel mode and 2 billion for applications. Windows 2000 and Windows Server 2003 can directly address up to 4GB of memory address space, regardless of how much physical RAM is installed. From the process perspective, each element of the virtual address space conceptually refers to a byte of physical memory.

Now let's see what virtual address space is. Is it the same as virtual memory? No. Virtual address space is different from virtual memory: virtual address space is about the address space allocated to each process, split between user mode and kernel mode. Now you can understand the advantage and the disadvantage of the /3GB switch.

Let's see how it works.

Adding the /3GB switch improves the performance of programs/applications that are capable of using the /3GB switch.
For example, Active Directory can use the /3GB switch, which allows AD to improve its caching.
W2k – with the /3GB switch, AD caching is allowed a maximum of 1024MB
W2k – without the /3GB switch, AD caching is limited to 512MB
W2k3 – the AD cache is allowed to grow more freely but remains limited by the virtual address space.

Note1: Do not enable the /3GB switch unless the application is aware of /3GB. If you enable /3GB for an application that is not aware of large address spaces, it will hurt the kernel address space and not improve performance.
Note2: Using /3GB together with /PAE causes conflicts: the kernel is limited to 16GB of memory. This is caused by the kernel virtual address space limitations.
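Note1 depends on whether an executable declares itself large-address aware. As an added example (not from the post), this Python function reads that declaration, the IMAGE_FILE_LARGE_ADDRESS_AWARE flag in the PE/COFF file header, so you can check an application before enabling /3GB for it. The function names are my own; make_test_image builds a constructed header (not a real executable) for testing.

```python
import struct

IMAGE_FILE_LARGE_ADDRESS_AWARE = 0x0020  # COFF Characteristics bit set by /LARGEADDRESSAWARE

def is_large_address_aware(image: bytes) -> bool:
    """True if the PE image's COFF header carries IMAGE_FILE_LARGE_ADDRESS_AWARE,
    i.e. the program can use the extra user-mode address space /3GB provides."""
    if image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)   # offset of the PE header
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF file header follows the 4-byte signature: Machine(2) NumberOfSections(2)
    # TimeDateStamp(4) PointerToSymbolTable(4) NumberOfSymbols(4)
    # SizeOfOptionalHeader(2) Characteristics(2) -> Characteristics is at +18
    (characteristics,) = struct.unpack_from("<H", image, e_lfanew + 4 + 18)
    return bool(characteristics & IMAGE_FILE_LARGE_ADDRESS_AWARE)

def check_file(path: str) -> bool:
    """Read the headers of an executable on disk and report the flag."""
    with open(path, "rb") as f:
        return is_large_address_aware(f.read(0x10000))

def make_test_image(characteristics: int) -> bytes:
    """Constructed minimal DOS stub + PE signature + COFF header for tests."""
    hdr = bytearray(0x80 + 24)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)            # e_lfanew
    hdr[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<H", hdr, 0x80 + 4, 0x014C)      # IMAGE_FILE_MACHINE_I386
    struct.pack_into("<H", hdr, 0x80 + 22, characteristics)
    return bytes(hdr)

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        verdict = "large-address aware" if check_file(path) else "NOT aware: /3GB will not help it"
        print(path, verdict)
```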

/PAE – Causes Ntldr to load Ntkrnlpa.exe, the version of the x86 kernel that is able to take advantage of x86 PAE. The PAE version of the kernel presents 64-bit physical addresses to device drivers, so this switch is also helpful for testing device driver support for large-memory systems.

Operating system – Maximum memory support with PAE
Windows 2000 Advanced Server – 8 GB of physical RAM
Windows 2000 Datacenter Server – 32 GB of physical RAM
Windows XP (all versions) – 4 GB of physical RAM
* Windows Server 2003 (and SP1), Standard Edition – 4 GB of physical RAM
* Windows Server 2003, Enterprise Edition – 32 GB of physical RAM
Windows Server 2003, Datacenter Edition – 64 GB of physical RAM
Windows Server 2003 SP1, Enterprise Edition – 64 GB of physical RAM
Windows Server 2003 SP1, Datacenter Edition – 128 GB of physical RAM
* Total physical address space is limited to 4 GB on these versions of Windows.

I will cover PTEs, paged and non-paged pool in my next article.

Categories: Technical Stuff

TS Console Session in W2k8

July 14, 2009

Use mstsc /admin instead of mstsc /console (W2k3) to connect to the W2k8 TS console session. The /admin switch is included in RDP 6.1.

Categories: Tips

Enable debug logging for Netlogon service

June 23, 2009

The Netlogon service is one of the key LSA (Local Security Authority) processes that run on every Domain Controller. Netlogon service log files are useful when you troubleshoot authentication problems, client account logons, lockouts etc. By default, netlogon service logging is not enabled. There are two ways to enable it.

1. nltest /dbflag:0x2080ffff
 - Restart the netlogon service
 - Logging is written to %windir%\debug\netlogon

Note: Nltest is part of Windows 2008 and of the Support Tools for Windows 2003, 2000 and XP
Note: Run nltest /dbflag:0x0 to disable logging

OR

2. Start Regedt32
 - Go to HKLM\system\Currentcontrolset\Services\Netlogon\Parameters
 - Create a new REG_DWORD called DBFlag and set it to the hexadecimal value 2080ffff
 - Restart the netlogon service

Note: To disable it, change the value to 0x0

One of the issues with the netlogon.log file is that it grows quickly. By default the maximum log file size is 20MB. You can change this by editing the registry:
HKLM\System\Currentcontrolset\Services\Netlogon\Parameters
Value Name: MaximumLogFileSize
Value Data: <Max log file size in bytes>

The utility used to query the Netlogon log file is nlparse.exe. It is a GUI tool that comes in the ALTools.exe package at
http://www.microsoft.com/downloads/details.aspx?FamilyID=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en
nlparse knows the most common Netlogon error codes and stores its output in two files in the %windir%\debug\netlogon folder: netlogon.log-out.csv and netlogon.log-summaryout.txt
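As an added example (not from the post, and not nlparse itself), here is a Python parser that produces the kind of summary nlparse gives over SamLogon result lines: failed logons by NTSTATUS code and by account/source pair, which is what you look at when hunting the workstation behind a lockout. The log excerpt is constructed, and its line layout is an assumption based on typical Netlogon debug output.

```python
import re
from collections import Counter
# Constructed netlogon.log excerpt (line layout assumed from typical Netlogon
# debug output); only the 'Returns <status>' lines are summarised.
SAMPLE_LOG = """\
06/23 09:14:02 [LOGON] CONTOSO: SamLogon: Network logon of CONTOSO\\jsmith from WKS-017 Entered
06/23 09:14:02 [LOGON] CONTOSO: SamLogon: Network logon of CONTOSO\\jsmith from WKS-017 Returns 0xC000006A
06/23 09:14:05 [LOGON] CONTOSO: SamLogon: Network logon of CONTOSO\\jsmith from WKS-017 Returns 0xC000006A
06/23 09:14:09 [LOGON] CONTOSO: SamLogon: Network logon of CONTOSO\\jsmith from WKS-017 Returns 0xC0000234
06/23 09:15:30 [LOGON] CONTOSO: SamLogon: Network logon of CONTOSO\\svc_backup from APP01 Returns 0x0
06/23 09:16:11 [LOGON] CONTOSO: SamLogon: Network logon of CONTOSO\\ghost from WKS-042 Returns 0xC0000064
"""
# A few common NTSTATUS values seen in Netlogon logs
STATUS_NAMES = {
    "0xC000006A": "STATUS_WRONG_PASSWORD",
    "0xC0000064": "STATUS_NO_SUCH_USER",
    "0xC0000234": "STATUS_ACCOUNT_LOCKED_OUT",
    "0xC0000072": "STATUS_ACCOUNT_DISABLED",
}
LINE_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d) \[LOGON\] .*?logon of "
    r"(?P<account>\S+) from (?P<source>\S+) Returns (?P<status>0x[0-9A-Fa-f]+)")

def parse_failures(text: str):
    """Return (timestamp, account, source, status) for each failed logon."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or int(m["status"], 16) == 0:   # skip non-result lines and successes
            continue
        status = "0x" + m["status"][2:].upper()   # normalise hex case
        rows.append((m["ts"], m["account"], m["source"], status))
    return rows

def summarize(text: str):
    """Counts by status name and by (account, source): the two views that
    point at the machine generating bad credentials."""
    rows = parse_failures(text)
    by_status = Counter(STATUS_NAMES.get(r[3], r[3]) for r in rows)
    by_pair = Counter((r[1], r[2]) for r in rows)
    return by_status, by_pair

if __name__ == "__main__":
    by_status, by_pair = summarize(SAMPLE_LOG)
    for key, n in by_status.most_common() + by_pair.most_common():
        print(f"{n:4d}  {key}")
```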

Categories: AD

One thing everyone is interested to see in Hyderabad is… Traffic

June 19, 2009

Here you go…

Categories: Hyderabad

Help others to get Certified

June 19, 2009

I still remember those days when I took the MCSE-2000 certification in the year 2002. I used to go to an internet cafe and download exam dumps from the mcsebraindumps.net site, then come back home, put them on my system and prepare for the exams. Those dumps really helped me pass the exams. After I passed my first paper, 70-210, I thought of sharing this with the world and started thinking about how I could help others in taking certifications.
You know what, I then started collecting all the important questions for all the exams and uploaded them to the mcsebraindumps.net site.
Recently I went back to that site and could find one of those dumps which I had uploaded. I felt happy to see my dump still available in the site's database.

Here is the link.
http://www.mcsebraindumps.net/dump.php?bd_id=9734

I have a message for all the guys who are taking any certification course. I am sure most of you seek help from the internet to prepare, take your certification and then forget about it. Why don't you take the opportunity to help others by uploading dumps or through some blogs? If you don't have time to upload or don't know where to go to lend a helping hand, please write to me with the details.

Categories: Technical Stuff

Quotes

June 19, 2009

Presence is more than just being there – Malcolm S. Forbes

Compromise – That’s when everybody loses, but with the idea that everyone should lose equally

Ability is what you’re capable of, Motivation determines what you do, Attitude determines how well you do it

Categories: Quotes

Windows 2008

June 19, 2009
Categories: Technical Stuff