After breaking my head over this for about 3 days and finally coming up with a solution I thought Id share.

Here’s the situation:

• 2 Forests with a one way external trust between them.
  • Domain B in Forest B trusts Domain A in forest A.
• An ASP.NET Application running in Domain A
  • Configured to impersonate.
  • Application Pool running under a service account from domain A which is trusted for delegation
  • Application URL (DNS name) is registered as an SPN against the above service account used to the application pool.
• A user (Bob) from Domain A has permission to modify properties and reset passwords of users in Domain B
• When using the Active Directory users and computers MMC Bob is able to reset passwords and modify properties of users in the trusting domain(Domain B) I.e. Permissions are ok!
• When Bob uses the ASP.NET application (System.DirectoryServices.DirectoryEntry) Bob is able to modify properties of users in the trusting domain. I.e. Bob’s creditneials are sucessfuly delegated to the domain controller in the trusitng domain. I.e. Delegation is working!
• When the ASP.NET application specifies Bob’s username/password in the DirectoryEntry object e.g. DirectoryEnty de = new DirectoryEntry(“LDAP://domainB.com/CN=Steve,ou=test,dc=domainb,dc=com”,”bob”,”password1″) then invokes the setpassword method, the password is successfully set. I.e. SSL is working correctly. Necessary firewall ports are open etc
• When Bob uses the ASP.NET application and invokes the setpassword method now using delegation a COMException 0×80072020 thrown.

I’ve spent some hours trying to work this out, network dumps with WireShark (no good for LDAPS), Kerberos logging on DCs and webserver, etc etc. I have also opened up the firewall to allow DirectoryEntry.Invoke(“setpassword”) to try his other methods. I just can’t get this to work in a domain trust environment with delegation. I have however found that using System.DirectoryServices.Protocols to reset the password in a trusting domain with a delegated credential does work! For this I’m very relieved; I was almost at the point where I was going to go back to our dev guys and tell them to switch back to using a superuser account instead of the delegation method which I had been pushing on them for weeks!

Frustraing though that I still don’t know why this method works where the standard System.DirectoryServices method doesnt!

This example was taken from chapter 10.16 of The .NET Developer’s Guide to Directory Services Programming by Joe Kaplan and Ryan Dunn. I strongly reccommend you read this book!

using System;
using System.DirectoryServices.Protocols;
using System.Net;
using System.Text;

public class PasswordModifier
{
    public static void Main()
    {
        NetworkCredential credential = new NetworkCredential(
            "someuser",
            "Password1",
            "domain"
            );
        DirectoryConnection connection;

        try
        {

            //change these options to use Kerberos encryption
            connection = GetConnection(
                "domain.com:636",
                credential,
                true
                );

            ChangePassword(
                connection,
                "CN=someuser,CN=users,DC=domain,DC=com",
                "Password1",
                "Password2"
                );

            Console.WriteLine("Password modified!");
            IDisposable disposable = connection as IDisposable;

                if (disposable != null)
                    disposable.Dispose();
            }
            catch (Exception ex)
            {
                Console.WriteLine(ex.ToString());
            }
        }

        private static DirectoryConnection GetConnection(
            string server,
            NetworkCredential credential,
            bool useSsl
            )
        {
            LdapConnection connection =
               new LdapConnection(server);

            if (useSsl)
            {
                connection.SessionOptions.SecureSocketLayer = true;
            }
            else
            {
               connection.SessionOptions.Sealing = true;
            }

            connection.Bind(credential);
            return connection;
        }

        private static void ChangePassword(
            DirectoryConnection connection,
            string userDN,
            string oldPassword,
            string newPassword
            )
        {
            DirectoryAttributeModification deleteMod =
                new DirectoryAttributeModification();
            deleteMod.Name = "unicodePwd";
            deleteMod.Add(GetPasswordData(oldPassword));
            deleteMod.Operation= DirectoryAttributeOperation.Delete;

            DirectoryAttributeModification addMod =
                new DirectoryAttributeModification();
            addMod.Name = "unicodePwd";
            addMod.Add(GetPasswordData(newPassword));
            addMod.Operation = DirectoryAttributeOperation.Add;

        ModifyRequest request = new ModifyRequest(
            userDN,
            deleteMod,
            addMod
            );

        DirectoryResponse response =
            connection.SendRequest(request);
    }

    private static void SetPassword(
        DirectoryConnection connection,
        string userDN,
        string password
        )
    {

        DirectoryAttributeModification pwdMod =
            new DirectoryAttributeModification();
        pwdMod.Name = "unicodePwd";
        pwdMod.Add(GetPasswordData(password));
        pwdMod.Operation = DirectoryAttributeOperation.Replace;

        ModifyRequest request = new ModifyRequest(
            userDN,
            pwdMod
            );

        DirectoryResponse response =
            connection.SendRequest(request);

    }

    private static byte[] GetPasswordData(string password)
    {
        string formattedPassword;
        formattedPassword = String.Format("\"{0}\"", password);
        return (Encoding.Unicode.GetBytes(formattedPassword));
    }
}

In my case this is somehow related to the domain trust but I guess any time 0×8007202 appears during setpassword and you just can’t get it to go away I’d suggest giving this method a go!

I came across this one today when one of our web apps in the perimeter network stopped working for external users after a switch failure on our internal network.

We run split DNS so if you ask an internal DNS server for the IP address of webapp.ourdomain.com it will tell you the private address of the perimeter webserver but if you ask a DNS server on the internet you will get the public address which is NAT’d to the ISA server which publishes the app. Now if you ask a DNS server in the perimeter network he will forward the DNS request to an internal DNS server. If the internal DNS server is unavaliable the perimeter server will use recursion to resolve the address and ultimatily end up resolving and caching the public address of the webapp. By now you can probably guess what happens.

1. Internet user connects webapp.ourdomain.com which is resolved to 203.271.47.15
2. The connection is NAT’d by our external hardware firewall and  received by the ISA web listener / publishing rule.
3. The ISA server resolves the name in the “To” section of the web publishing rule using a perimeter DNS server. The address is from the internal domain (ourdomain.com) so the perimeter DNS server tries to forward  the request to an internal DNS server, this fails so the perimeter DNS server uses recursion to resolve the name and returns the public internet address instead of the private address of the web server in the perimeter network. We now have a loop which results on the above error being logged.

There are a couple of ways to deal with this.

1. Disable recursion on the domain forwarding in the DNS server settings:
2. Explicitly specify the IP address in the “To” section of the publishing rule.

Another one of those “Only in this exact and unlikely situation” type posts but oh well!

I’ve realised that I’m just not going to have time to complete my MOSS back-to-back series in the way I started out in Part 1 so instead I’m going to combine everything in a single post based around my original documentation and go from there. Please feel free to ask questions, I’ll answer them to the best of my ability and continue to add detail to this post.

I found the Microsoft SharePoint extranet deployment documentation pretty lacking; from what I could find they don’t go much further than: “here are a few ideas, have fun!” Well I did have fun! And as always with these things the devil is in the details.

Objectives

Primary objective – Making SharePoint available over the internet

• A single URL for external users and internal corporate staff regardless of where they access SharePoint from
• External member accounts contained in a separate domain to internal corporate staff accounts
• Access secured with publicly trusted SSL certificate
• Full backend access and functionality for corporate staff

Secondary Objectives

• Implement single sign-on, forms based authentication and reverse proxy for all web-based applications hosted in the perimeter network

Guiding Principals

• Internal users logged on to internal workstations are seamlessly authenticated to the MOSS site
• Internal users accessing the MOSS site from the internet are presented with a forms-based logon screen; they authenticate using the same username and password as they do for internal workstation logon
• The same URL is used whether the MOSS site is accessed from internal network or the internet
• Perimeter (non-staff) users access the MOSS site from the internet using an account from the perimeter domain
• Perimeter users cannot logon on to an internal workstations and cannot access internal resources.
• Both internal and perimeter users access the same MOSS site
• Both internal and perimeter users can reset their password from the forms-based logon page
• Once users have logged on they can navigate to other applications without having to enter their username and password again.
• The perimeter domain trusts the internal domain
• The internal domain does not trust the perimeter domain
• MOSS WFE applications in the perimeter can use Kerberos to delegate credentials of internal users to other applications on the internal domain, so internal users have access to all the same resources regardless of whether they are access from the internet or from an internal workstation

Solution Overview

The solution is built on a back-to-back firewall topology, it uses forms based pre-authentication and server publishing technologies available in Microsoft’s ISA Server 2006. While the hardware firewall is the first point of entry from the internet the MS ISA firewall in the perimeter network should be considered the “front firewall” as it deals with server publishing and user authentication.

From a MOSS 2007 point of view the Microsoft Split back-to-back topology scenario has been followed; MOSS web front-end servers are located in the perimeter network while the application and database servers reside in the internal network.

A one-way Active Directory trust exists between the perimeter domain and the internal domain. This is a non-transitive trust where the perimeter domain trusts the internal domain but not the inverse. This serves two main purposes; it allows windows authentication and delegation to occur between services in the perimeter domain and the internal domain and at the same time protects sensitive data such as payroll databases on the internal network.

The existing internal network
Forest with 2 domains:

• corpforest.com (empty forest root domain)
• corp.com (internal production domain, contains accounts for all corprate staff)

The new perimeter network
Forest with a single domain:

• perimeter.corp.local (perimeter production domain, contains accounts for all members and external collaborators)
• Authenticates users from both perimeter domain and internal domain via domain trust

Authentication

Identity and Single Sign On

Everyone who accesses applications in the perimeter falls in to one of the two following categories; these categories determine which domain the user account is created in.

Internal Corporate Staff:
Users that require access to perimeter applications such as SharePoint but also require access to internal resources/applications such as Citrix, payroll / finance databases, and Exchange Email. These users reside in the current corp.com domain

Members:
Users that require access to perimeter applications such as SharePoint but do not require access to internal resources/applications. These users will reside in the new perimeter domain (perimeter.corp.local). External vendors / collaborators also fall in to this category

The ISA server in the perimeter domain is configured to support single-sign-on of users accessing applications on the corp.com DNS name space. This means that a user who logs in to one application will be able to follow a link to another without having to re-authenticate. E.g. A user logs on once to sharepoint.corp.com and can then hop to outlook.corp.com then to citrix.corp.com all without having to re-enter their username/password.

Forms Based User Authentication

Users who access web applications from the internet must first authenticate at the front MS ISA firewall. When a user attempts to access a web application (e.g. SharePoint – https://sharepoint.corp.com) in the perimeter network he will first be presented with a forms based (HTML username/password) authentication page at the ISA server. At this point the user can enter a credential from either the perimeter domain or from the internal domain. Once the user’s identity is validated the ISA server will proxy the application to his browser.

Authentication Protocols

The diagram below outlines the steps taken to authenticate and or delegate user credentials. Basic authentication is used from the ISA server to the published destination IIS server. This is done because cross forest Kerberos delegation is not supported by ISA server. Even though the IIS server is a member of the same domain as the ISA server, the IIS application pool is running under a service account from the internal domain, which is done to facilitate windows authentication from the application to the backend database server on the internal network.

The basic credentials are secured using SSL between the ISA server and the destination server.

Once the basic credentials reach the published IIS server it will use Kerberos to authenticate the user against the appropriate domain. Using Kerberos at this stage means that user’s credentials can be delegated to a backend server e.g. SQL Server Reporting Services. The result is that internal users get exactly same experience outside the network as they do inside.

Internal User

1. Username / Password from browser sent in clear text (over https) (FBA)
2. ISA pre-authenticates user with internal DC via using LDAPS
3. ISA delegates basic credentials (over https) to MOSS IIS server
4. MOSS IIS authenticates user using Kerberos to internal DC
5. MOSS IIS server delegates Kerberos authentication and impersonates user

Member

1. Username / Password from browser sent in clear text (over https) (FBA)
2. ISA authenticates user with perimeter DC via LDAPS
3. ISA delegates basic credentials (over https) to MOSS IIS server
4. MOSS IIS authenticates user using Kerberos to perimeter DC
5. Delegation fails due to one-way trust. Internal domain doesn’t trust perimeter domain

Configuration

Network Configuration

Networks

Internal : 192.168.33.0/24
Perimeter : 172.16.0.0/16
DMZ : 10.1.1.0/8
Public : 258.17.84.128/28

Network relationships

As shown in the diagram a route relationship is defined between the perimeter and internal network instead of a NAT relationship, this is required to facilitate the domain trust relationship and Kerberos authentication between the two domains.

Routing

All perimeter servers specify the front firewall (ISA02) as their default route

To maximize routing efficiency a persistent static route from the perimeter network to the internal network via the back firewall (ISA01) is added to all perimeter servers. The following command is run during initial server build.

route add 192.168.0.0 mask 255.255.0.0 172.16.1.1 –p

IP Addresses

HW Firewall Internal IF : 10.1.1.254
ISA01 External IF : 10.10.1.1
ISA01 Perimeter IF: 172.16.1.254
ISA02 Perimeter IF : 172.16.1.1
ISA02 Internal IF : 192.168.33.254
WFEVIP1 (SharePoint WFE farm load balanced virtual IP): 172.16.1.50

Network Address Translation

Public access from the internet is NAT’d via the hardwre firewall. The diagram below shows the complete network path taken by a user when accessing the a web app from the Internet. Note the web listener listens on multiple IP addresses. Multiple web publishhing rules use this web listener.

Back Firewall

Firewall Policy

This following table shows the firewall policy on the back firewall (ISA02) that relates to communication between the internal network and the new perimeter network e.g. MOSS frontend/backend/database access. Kerberos, LDAP etc.

This represents the bare minimum of rules as they relate to this document, you’ll certainly have your own additional rules.

Click for an MS Word Version

Front Firewall

Web Publishing Rule Configuration

A single ISA SharePoint publishing rule is used to publish the load balanced MOSS web front end servers. Configuration can be considered default as per the MS ISA SharePoint publishing rule unless detailed below.

Destination server (To)
The FQDN of SharePoint (sharepoint.corp.com) is specified; this resolves to 172.16.1.50 which is the virtual IP address of the load balanced cluster of MOSS WFE servers. We choose to forward the original host header since the internal and external names are the same. Requests must appear to come from the original client otherwise load balancing based on IP address won’t work.

Listener

The listener selected (Perimeter Web Listener) is used by all FBA based applications in the perimeter network; this enables SSO functionality.

Public Name
The public DNS name used to match the publishing rule.

Bridging
Connections to the internal servers are only made via SSL, and on the default port (443).

Authentication Delegation
Credentials are delegated to the target server using basic authentication. Detailed information on why basic delegation is used can be found in the Authentication Protocols section under Solution Overview.

Web Listener / Pre-authentication

This section describes the ISA https web listener and forms based authentication configuration. ISA 2006 web listener defaults should be assumed unless described below.

Networks

All IP addresses that the web listener will listen on are selected here. There is a separate address defined for each application that makes use of this web listener. Traffic is NAT’d by the hardware firewall from public IP addresses to these DMZ addresses. e.g. the public IP address resolved by sharepoint.corp.com is 258.17.84.142 and is NAT’d to 10.1.1.142

Certificates and SSO

An individual certificate is assigned to each application’s DMZ IP address. This allows multiple SSL secured applications to use the same web listener which consequently means that single sign on can be used across all these applications.

Single sign on is enabled for applications on the corp.com DNS suffix.

Connections

http is redirected to https. The good thing here is that http links that that get emailed around when people are working at the office also work when they access from the internet.

Forms

The path to the customised html logon form is specified here as well as the options to allow users to change their passwords and password expiration warning.

Authentication

When users first request an application that is using this web listener they must first be authenticated by the MS ISA server before they are allowed to proceed to the requested application. HTML forms based authentication is used for this initial step. This is where user enters their username and password.

As shown in the screenshot LDAP is used instead of native windows authentication; this is due to an issue with password changes in a cross domain scenario. During testing it was discovered that when using Windows authentication it is not possible for a user to change their password at the HTML logon page if their account is in a different domain to the ISA server. This is problematic especially for seldom used accounts where the password expires or for new accounts where the administrator needs to force the user to change their password at next logon.  Microsoft ISA 2006 SP1 introduces a bug which also affects the change password functionality when using LDAP authentication, a non-public patch has been released to fix this bug; for details see the known issues section of this document.

Two LDAP server sets are used, one for the perimeter domain controllers and one for internal domain controllers.

Two LAP servers (domain controllers) are defined for each LDAP server set. For password change functionality to work, a secure connection must be used (LDAPS) and the “Use Global Catalog” option must be turned off. A lookup account in the target domain must also be made available for the ISA server. This is a non-privileged account with a very strong, non-expiring, set/forget password which is set during configuration.

A secure SSL LDAP connection requires that port 636 be open to the internal domain controllers on the back firewall, this is noted under the “back firewall” configuration earlier in this document.

A server certificates must also be installed on the domain controllers and must be trusted by the ISA server. This can be acheived by setting up a CA (certiificate Authority) but that’s out of scope for this post.

I will however point out a good tip for testing that the ISA server is correctly trusting the DC and is able to make an LDAPS connection. Use the ldp.exe tool from the Windows Server 2003 resource kit and make a connection on port 636 with SSL enabled. If everything is working correctly then it will connect without error otherwise it will throw some kind of TLS error.

Active Directory Trust Configuration

A one-way domain trust is configured between the corp.com domain and the perimeter.corp.local domain. This is done to allow internal accounts to be used in the perimeter domain which inturn enables windows authentication to be used when accessing backend resources such as SQL databases. This trust means that deploying MOSS web front end servers is as straight forward as adding the web front end role, all IIS configuration is completed by MOSS and remains valid in both the internal and perimeter domains.

Now you might be wondering why we don’t use a forest trust. Well the truth is I had issues with using a forest trust and if anyone can shed any light on this I’d be very interested. I’d love to set this back up in the lab but I can’t see my self getting time.

Here’s the situation. On the internal side we have an empty forest root domain of corpforest.com inside that forest we have the internal production domain called corp.com. On the perimeter we have a single forest/domain called perimeter.corp.local. We create a one-way forest trust (which is transitive) between corpforest.com and perimeter.corp.local. We then take a member server in the perimeter.corp.local domain install MOSS and join it as a webfront end to the MOSS farm based in the internal network.  This will automatically create IIS MOSS web apps and application pools. These application pools are set up identically to the ones on the internal MOSS servers so of course are configured to run under internal service accounts.

Everything seems to be working correctly the application pools run fine but when trying to browse to the site IIS writes an error: “The caller is not the owner of the desired credentials”. Despite many hours of digging through logs, traffic sniffing and bashing my head against the desk I was unable to get IIS to work with a service account from another domain when using the forest trust, except if I used an account from the root domain of the trusted forest which is not ideal as all internal MOSS IIS servers would need to be re-configured. I should mention that this is not an issue specific to MOSS, it’s an IIS issue in general. I stood up another IIS/ASP.NET/Visual Studio test box in the perimeter and it had the same problem.

If both your internal and perimeter domains are single forest/domain I expect you might not have any issues and I’d be very interested to hear your results.

SharePoint

This section only describes MOSS configuration that relates to the perimeter network deployment.

People Picker

To enable the “PeoplePicker” in a one-way trust scenario to search both domains (perimeter and internal) the following stsadm commands must be run.

On all servers in the farm:

stsadm -o setapppassword -password “(password)”

(Where “password” is a strong password shared between the servers.

On all web front end servers:

stsadm -o setproperty -url http://sharepoint -pn
"peoplepicker-searchadforests"
-pv "domain:perimeter.corp.local",
PERIMETER\PeoplePickerService, (Password)

(Where “Password” is the password for the unprivileged service account “PeoplePickerService” used to perform lookups on the perimeter domain)

AAM (Alternate Access Mappings)

Zones

The following access mappings / zones are configured

Internet users only access sharepoint over SSL in the default zone via https://sharepoint.corp.com

Internal users access sharepoint over plain http in the intranet zone via http://sharepoint.corp.com. This is the default home page for all internal users as set by group policy. Plain HTTP is used for internal users to ensure optimum performance especially across the WAN where the Certeon accelerators are deployed. The URL http://sharepoint is also valid for internal users.

Some SQL Server Reporting Services (SharePoint Integrated Mode) features only work when accessed in the default zone hence internal users wanting to access these features will need to access sharepoint in the default zone via https://sharepoint.corp.com. See the known issues section for more information.

Known Issues

MS ISA Forms Based Password Changes

Valid Account Discovery Vulnerability

A patch in ISA 2006 SP1, as means to fix a security vulnerability broke password change functionality when using LDAP authentication. (http://support.microsoft.com/kb/957859/). This has been fixed by non-public patch KB959357 (http://support.microsoft.com/kb/959357). Unfortunately this patch re-introduces the security vulnerability.  This Vulnerability means that when an incorrect password is entered for a valid account and the account is in a password-expired state, a change password form is displayed; while the correct old password must be specified before a new one can be set this could allow an attacker to discover that an account name is valid by brute force. This can be considered a low risk vulnerability which is out weighed by the need to allow users to change their own password. Hopefully Microsoft will fix this issue in the next major service pack. Below is a summery of the vulnerability behaviour.

Password length / Complexity Policy

The specified path refers to a SharePoint zone that is not supported.
The default zone path must be used.

The report viewer webpart works correctly regardless of what zone it is accessed in.

I’ve been a bit slack with my blog lately, partly because in October we bought our first house so that’s been taking up a lot of my time. It’s a good solid 1950’s house but VERY original so it needs a LOT of work.

Me plastering the back room getting it ready for painting.

From network engineer to home handyman / plasterer / carpenter! Don’t worry though I’ve got my priorities straight! Structured cabling and network cupboard is almost complete. I’m quite pleased with how it’s turned out so decided to put up some photos.

Cables come up from under the floor into the wall cavity

Fortunately there was a little wee open-cupboard off the hall. It’s a good central point to run all the cables back to. I’ve installed a total of 16 network ports. 6 in the lounge, 2 the dining room and 2 in each of the four bedrooms. The cable is CAT6 and is all run under the floor. I’ve created 3 channels by running 30mm thick strips of pre-dressed pine from top to bottom of the cupboard.

Left channel with bottom capping section installed

The left channel carries the CAT6 up from the floor to the patch panel. It is also used to carry alarm wires down from the ceiling. It has notches which accommodate 3.5mm plywood capping. The right channel is also capped and will be used for carrying power cables. The centre channel is left open and used for running cables between the shelves.

Patch panel, yet to be mounted and punched down.

Cables under floor

PDL 8p8c Module

Next step, get rid of that wallpaper!!!! But like I say, priorities!

I finally got around to fixing the auto play on start-up problem. The reason it took so long was because I was trying to perfect the auto restart option:

Sometimes when an AC3 file is played or something that takes control of the sound card SPDIFkeepAlive gets stopped. The auto restart option restarts playback every 3 seconds. This means that shortly after AC3 playback stops SPDIFKeepAlive resumes automatically.

Unfortunately I’ve still not got it working properly, at least not for me, depending on your sound card / driver you might get better results.  But be warned, on my system after a random amount of time (~1 hour) I get a terrible noise produced by SpdifKeepAlive and I have to exit, hence I don’t use this feature! I’ll try to fix it sometime. I think I’ll need to use threading and play 2 files that continuously overlap.

You can download the new version at the bottom of the SPDIFKeepAlive Post

This is just a quick one…

When trying to logon to Windows server 2003 via remote desktop you receive the following message:

The system cannot log you on due to the following error:
The RPC server is unavailable.
Please try again or consult your system administrator.

You will also receive the following event in the target server’s application event log:

Event ID: 1219
Logon rejected for Domain\User. Unable to obtain Terminal Server User Configuration. Error: The RPC server is unavailable.

There are a number of reasons you might see this message but in my case it was because the server I was connecting to was behind a firewall and in different domain to the one which my account was in.

When you logon via RDP, “Terminal Services” will contact the domain which your account is in to query terminal services information about your account e.g. profile path. It does this using RPC to a domain controller.

In my case the server concerned was in the perimeter network and there was no way I was going open RPC on the firewall to allow it to talk to an internal DC. And since the purpose for RDP to this server was purely for administration I really didn’t care if it couldn’t get my profile info from AD.

Fortunately there is a workaround as described in this Microsoft article, actually the article refers to a different problem, but the workaround is the same.

http://support.microsoft.com/kb/815266

1. Locate the following registry subkey:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server
2. Create a new DWORD called IgnoreRegUserConfigErrors
3. Give it a value of 1

Done! I might consider creating a group policy preference to implement this across all the servers in the perimeter domain.

There are a lot of articles out there on setting up Kerberos Service Principal Names but today I’m going to make it simple. Bear with me as I start off with the basics; by the end of the post it will all be very clear.

Throughout this post I’ll make reference to a scenario of a client computer connecting to an SQL server called sql1.domain.com however the same applies for any service, for example a web server where the client connects via HTTP.

The SQL server service is running under a domain service account called “domain\SQLSVC“. No SPNs have been set yet.

The Basics

Active directory user and computer accounts are objects in the active directory database. These objects have attributes. Attributes like Name and Description.

Computer and User accounts are actually very similar in the way they operate on a Windows domain and they both share an attribute called ServicePrincipalName. An account object can have multiple ServicePrincipalName attributes defined.

The setspn.exe tool manipulates this attribute. That’s all it does.

The Failure

The client wants to access the SQL server so he asks his domain controller: “Please may I have a ticket for accessing MSSQLSvc/sql1.domain.com”

Now the domain controller asks the active directory database: “Give me the name of the account object who’s ServicePrincipalName is MSSQLSvc/sql1.domain.com“

The active directory database replies: “Sorry, there are no account objects with that ServicePrincipalName”

So the domain controller asks the active directory database again: “Ok then, give me the account object who’s ServicePrincipalName is HOST/sql1.domain.com“

All computer accounts have, by default ServicePinciaplName attributes set to:
HOST/[computername] and HOST/[computername].[domain]

So the active directory database replies to the domain controller: “The account object that has that ServicePrincipalName is sql1.domain.com’s computer account“

The domain controller now creates a ticket that only the computer account of sql1.domain.com can read. He gives the ticket to the client.

The client goes to the SQL service on sql1.domain.com and says “here is my ticket, may I come in?”

The SQL service will attempt to read the ticket. The problem is, the SQL service is not running under the computer account; it is running under a domain service account. It can not read the ticket; the ticket is only intended for the computer account of sql1.domain.com. Authentication fails (falls backto NTLM).

The Fix

Now lets run the setspn.exe tool to manipulate the ServicePrincipalName attribute of the SQL service account.

setspn -a MSSQLSvc/sql1.domain.com domain\SQLSVC

We will also add sql1 (without the domain name) in case we want to access the the server without the domain name appended.

setspn -a MSSQLSvc/sql1 domain\SQLSVC

Now run  through the scenario again and this time notice that the domain controller will return a ticket that the SQL server service account can read.

Obviously this is heavily paraphrased but hopefully it helps you understand the reason for setting the SPN attribute on the account that runs a given service.  Of course if the service runs under the local NetworkService or LocalSystem account then everything will just work because these local accounts represent the computer account in active directory.

Setting up SQL Server Reporting Services in SharePoint integration mode and you turn up with this error when you try to “Grant Database Access” from within Central Administration:

“Unable to connect to the Report Server WMI provider“

If you’ve got an ISA firewall between your MOSS central admin and your SSRS server you’ll need to turn off “Strict RPC Compliance” just while central admin performs the “Grant Database Access” operation .

Hope this saves someone some time. Not a very common scenario I guess.

As described a couple of posts ago I have set up an Ipaq 2210 in my car for the purpose of GPS navigation; it’s been working very well for a few months now but something stated to bug me; every time I got in the car I had to manually power on the Ipaq. I know it seems trivial and lazy but I just think such a device should be considered part of the car’s instrumentation, it should just sit there doing its thing; you wouldn’t want to have to manually turn on your speedo, rev counter or heat gauge would you?

After much digging I found that the Ipaq (the 2210 at least) could be woken up by applying 5volts to the DCD pin (pin 6) on the base connector; supposedly through a 4k7 resistor although that didn’t work for me so I just fed the 5v straight in (so far so good!). Since my power supply only applies power to the Ipaq at ignition I was able to just take a wire from the power-in on the Ipaq connector across to pin 6 (DCD). Now at ignition the Ipaq gets its 5volts for charging and the DCD gets 5volts to wake it up. There is just one problem; well two actually! The first is simple to fix; when the Ipaq is woken by DCD it tries to sync so the GPS application loses focus. There is an option somewhere in control panel to prevent this behaviour. The second problem is not quite so straight forward. When you turn the key in the ignition you get power for a second (DCD wake-up is triggered) then power is cut for a few seconds while the engine is cranking. Apparently the Ipaq won’t wake up in these conditions! So for this to work you need to turn the car on, wait for the Ipaq to wake up then start the car. Hardly seamless!

In the end I decided to rebuild the power supply with a 10 second delay on the output to the Ipaq. Thanks to Bill Bowden for his Power-On Time Delay Relay schematic.

If you want any more details or the PCB design in either PDF or eagle just let me know via a comment.

The finished project was much tidier than the first build but still hardly a professional finish! It does however work perfectly and the GPS requires no user intervention!

Since you’re reading this you probably already know that Internet Explorer has a number of security zones. URLs are treated differently depending on the zone they fall into. These security zones apply not just to URLs in Internet Explorer but to windows in general e.g. accessing files from a network location. My specific problem was a GPO start-up script that ran backinfo to display the server info on the desktop when an admin user logs on. Backinfo.exe an unsigned application stored on the netlogon share would throw the Open File – Security Warning every time it was launched. More about that soon.

In the enterprise it’s desirable to configure all these zone and security settings using group policy but there are a few gotchas that can make the configuration and testing process a bit confusing.

A standard zone template can be applied to a user’s settings. After you apply this template you can do a gpupdate /force/target:user; you won’t get a warning about logging on/off. Now in Internet Explorer you’ll notice a couple of things. (1)The security level and visual slider for the zone on the security page will not have changed and will not reflect the template you’ve selected in the GPO. (2)If you click on “Custom level” you’ll see that the individual settings that the selected template represents are in fact set and are now unchangeable, i.e. the policy has applied.

Ok so at this point we could be forgiven for assuming that the policy has been fully applied to the system; we can see the changes in IE and we know that gpupadte didn’t ask us to log off/on.

Now on to the “Open File – Security Warning “, this is affected by the setting pictured above, “Launching applications and unsafe files”. Since this is a trusted zone we trust all the locations in this zone so we are happy to launch unsigned applications without a security warning. For some strange reason this setting is one of the only ones that can’t be set individually with group policy, the only way to set it (via GPO) is to apply a template as described above. Both “Low” and “Medium Low” will allow applications to launch from a network location without a security warning.

The thing that’s really confusing is that even though doing the gpupdate updates the policy in IE it is not fully applied to the reset of the system until you log off/on.

In Conclusion

• Security templates are not visually reflected in the security page of Internet Explorer even though they are applied.
• Security zone settings are applied to Internet Explorer by doing a gpupdate but a log off/on is required to apply these settings to the rest of the OS
• The “Launching applications and unsafe files” setting determines whether the “Open File – Security Warning” dialog is displayed when launching applications from a given location
• The “Launching applications and unsafe files” cannot be set with a an indvidual GPO setting. (You could create a custom adm file though)
• When setting zone security via GPO I recommend making the Internet Explorer security page invisible to users to avoid confusion as they can still quite happily adjust the security level slider, it just won’t have any effect!

Click here if your looking for the updated version of the DC/DC 5 volt power supply

I had serial GPS mouse lying around (Thanks Alex) and my boss was kind enough to give me a retired HP Ipaq 2210 pocket PC from work. The 2 combined and I had a pretty reasonable touch screen car navigation system. Only problem was a power supply.

I didn’t want to use a cigarette lighter adaptor because I would have wires going everywhere; I wanted it hard-wired so the the GPS mouse sits on the dash with the cable disappearing down behind and a single thin cable coming out from the centre console for the Ipaq. I also wanted the GPS mouse running full time so there was no delay when it was searching for the satellites but I only wanted the IPAQ to be powered when the ignition was on.

I made 3 attempts before I was successful. First was 2 LM7805 5volt regulators. These got way too hot even with a heatsink; I would have needed a huge heatsink. Second attempt was the contents of 2 cigarette lighter to USB adaptors supposedly able to deliver 1AMP; yeah right! These things just about burst in to flames when I turned on the IPAQ! The third and successful attempt uses a LT1074 switching regulator and is detailed below.

The LT1074 was provided as a sample from Linear Technology, which is great since they cost about $NZ40 to order from RS!

The schematic is just the reference one from the LT1074 datasheet.

I couldn’t find exact matches for all the components in the reference schematic.

Here’s a list of parts I used
C1: Electrolytic 470uF (25v)
C2: Green Cap 0.01uF (This was a guess! All I really new is that it wasn’t an electrolytic because the schematic shows no polarity symbols!)
C3: Low ESR electrolytic 220uF (25v) (The application noste AN35 said to use low ESR and place it very close to the the LT1074).
MBR6745: This a SCHOTTKY-BARRIER RECTIFIER DIODE the recommended MBR745 is rated at 7.5Amps I used an ERC81-004 rated at 3Amps. Robbed from an old dot matrix printer PSU.
R1:I couldn’t find 2.8K @1% so I used 2x 5.6K @1% in parallel; both 1/2watt.
R2:2.2K @1%; 1/2 watt
R3:2.7k @5%; 1/2 watt
L1: This is of unknown value; robbed from an old dot matrix printer PSU. The application notes AN35 describe a rather humerus “alternate” method of selecting and inductor: (Click to read)

I haven’t done any PCB etching since high school so I thought I’d give it a go. I used Eagle CAD PCB design software which allows boards 100mmx80mm to be designed using their freeware version. Eagle is a bit clunky and counter-intuitive but once you get the hang of it, it’s really very good.

I followed the laser printer method for my etching as described in this instructables article.

1.Print the design to some shiny paper. (Thanks to ASB Bank!) Clean up the copper board with some 1200 sand paper

2. Iron on the design

3.Soak the board for 10Mins in cold water

4.Clean the paper off the board

5 Make up some etchant with Hydrochloric Acid and Hydrogen peroxide (Be careful!)

6.Etch the board

7.Etching Complete

8.Drill, holes, add components and solder

9.Test. Wow! It works! It has two +5v outputs, one is always on for the GPS the other is switched on via the relay at ignition.

That’s it! A bit of shame I don’t really understand how it works! It does the job though and with very little heat. If you want the PCB design either in Eagle or PDF format just let me know via comment.

As promised when I posted about the print server power control Hack, I’ve finally gotten around to writing a little windows app to control devices from the system tray. The utility is called PowerTray, it can control local devices or devices connected to a networked computer as long as they are also managed by PowerTray.

PowerTray can also integrate with MyPowerControl in MediaPortal HTPC system. If you’re using this with MediaPortal then only install either PowerTray or the MyPowerControl plug-in in a single computer not both!

Source is available in the MediaPortal plug-ins SVN
Version History

0.1.9.0 (2009-03-21)
-Lots of little bug fixes and better error handling

0.1.7.0 (2008-08-24)
-Initial release

Download PowerTray 0.1.9.0 (751Kb)
.NET Framework 2.0 Required

Ok this might be old news but I had some trouble finding a simple straight forward guide.

I just got a new laptop at work and I wanted to run to two completely separate copies of Windows XP using GNU GRUB as the boot loader.

These are the steps I eventually followed:

1. Completely clear the drive, all windows partitions, recovery partition etc.

2. Run XP setup, create a new partition leaving enough room for the second copy of windows; install Windows as per usual.

3. Install all drivers, updates and any software that you want to be on both copies of windows.

4. In windows Disk management create a new NTFS partition in the remaining space on the disk, leaving enough space for GRUB bootloader, I left 100MB,

5. Run Symantc ghost (or some other disk cloning tool) and clone partition 1 to partition 2. You will now have 2 identical copes of Windows on the same drive.

6. After cloning don’t reboot into windows, instead boot from CD to you’re favourite Linux distro. I used Ubuntu 6.1 which boots live off CD as part of it’s install process; I’m sure you could use knoppix or whatever.

7. Create a Linux partition in the remaining space using fdisk or cfdisk; flag this partition as the bootable partition. Assuming the disk is /dev/hda; XP1 and XP2 are /dev/hda1 and /dev/hda2 then this partition will be /dev/hda3

cfdisk /dev/hda

.

8. Format the new Linux partition with

mkfs.ext3 /dev/hda3

.

9. Make a new directory and mount the partition to. For this example e.g we’ll mount it to /mnt/tmp

mkdir /mnt/tmp
mount /dev/hda3 /mnt/tmp

.

10. Install Grub to the partition. This Will install grub to the root of /dev/hda3 and to the master boot record of /dev/hda

grub-install --root-directory=/mnt/tmp /dev/hda

.

11. Create a grub menu list file in in /mnt/tmp/boot/grub/
Use vi or nano to create a file in this location called menu.lst This will contain a list of operating systems you wish to boot. The file should look like this:

timeout 60
default 0

title Windows XP - Work
unhide (hd0,0)
hide (hd0,1)
rootnoverify (hd0,0)
chainloader +1 

title Windows XP - Home
unhide (hd0,1)
hide (hd0,0)
rootnoverify (hd0,1)
chainloader +1

.

12. Now unmount /dev/hda3, remove the linux CD and reboot. You should now get a grub boot menu where you can choose which copy of XP you want to load. The the hide and unhide commands for each OS entry in grub mean that the that each copy of windows won’t be able to see the other.

13. (Optional) To add a nice background to the to the grub menu, boot back into your live Linux distro and use firefox to download a grub splash screen. I got one from here, they also have a guide to create your own. Again mount /dev/hda3 and copy the splashimage to /mnt/tmp/boot/grub. Edit the menu.list to include the following line:

splashimage=(hd0,3)/boot/grub/myfile.xpm.gz

.

That’s it! 2 Copies with windows compleatly hidden from each other wih a nice menu using the renound GNU GRUB bootloader!

*UPDATE*

DON’T USE HIBERNATE WITH DUAL BOOT.
At first it seems neat to be able to choose which OS you want to resume but then the disk corruption starts!

A few years a go I built this solid-state relay power control box.

It connects to a parallel port allowing me to turn the power points on and off using software. The parallel port allows for up to 8 outputs by using data 0 through 7 (Pins 2 though 9).

I’ve had this box attached to my HTPC for the last few years; I use it to control power to my TV, subwoofer, table lamp etc.

As mentioned in my previous posts I’ve just finished building a new HTPC, and guess what, it has no parallel port! I thought it would be a simple case of using a USB to parallel adaptor but unfortunately these adaptors aren’t seen by windows as standard parallel ports; instead it appears in device manager as a “USB Printing Support” device hence can’t be addressed directly to turn the data pins on and off.

After much googling I came accross a project by Doktor Andy which uses a network print server to drive external devices. This was perfect since I had a HP JetDirect print server. I wasn’t able to get Doktor Andy’s circuit working with the JetDirect but Boyan Biandov who’s name was on Andy’s site was very helpful and told me how to get the JetDirect working. A single 74LS04 chip is all that is required to invert the strobe output and feed it back into the busy input, I’m not really a wiz with electronics but as I understand it this fools the print server in to thinking that there is a printer attached and everything is “ok”.

The IC requires +5Volts and it is also nessecicary to connect +5volts to pins 10, 13 and 15. It wasn’t hard to find a +5v point on the print server board.

Connections; What needs to be connected to what:

As for the software here is simple c#.net class. Say you wanted to turn on pins 2, 4 and 6. Combine the pin values

Pin2=1
Pin3=2
Pin4=4
Pin5=8
Pin6=16
Pin7=32
Pin8=64
Pin9=128

Required value to tun on pins 2, 4 and 6 is 1+4+16=21

Call the output method specifying the port as ipaddress:port and the output value:

(Most print servers use tcp port 9100, multi port JetDirects use 9100 for port one, 9101 for port two etc)

IpPortAccess.Output(192.168.1.10:9100,21);

using System.Net;
using System.Net.Sockets;
using System;
using System.Collections.Generic;
using System.Text;

namespace PowerControl
{
class IpPortAccess
    {
        public static void Output(string port,int value)
        {
            string[] ipport = port.Split(new char[] { ':' });
            string _ip = ipport[0];
            int _port = Convert.ToInt32(ipport[1]);
            Socket soc = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp);
            soc.Connect(_ip,_port);
            byte[] sendData = new byte[1];
            sendData[0] = Convert.ToByte(value);
            soc.Send(sendData);
            soc.Close();
        }
    }
}

Watch this space for a full downloadable windows application.

All credit goes to Doktor Andy for this great idea and BIG thanks to Boyan who gave me just the right info when I was about to give up!

Another mod in my quest for a quiet computer. I’ve mounted the hard drive using elastic cord and a cheap auto electrical crimp set. This should reduce vibration / noise transfer to the case.

Use pliers to completely open crimp connector.

Measure out a piece of elastic and tidy up the ends with a lighter. Thread a plastic cover on to the elastic. Place the elastic in the widened crimp connector so it sticks out just a tiny bit, this will cause it to mushroom-out when crimped. Fold up the edges of the crimp connector with the pliers then crimp.

Slide the plastic cover on.

Repeat as needed

Elastic should be stretched just enough to keep the drive held in place.

This could be implimented in a number of differnet ways depending on your case

New Zealand Freeview has just launched it’s high definition DVB-T TV service and my existing HTPC (home theatre PC) was nowhere near up to spec for decoding the high def streams. It was also too noisy for a computer that lives in the lounge so it was time for a rebuild. I was pretty excited; this is my first brand new PC in about 10 years the last one was a Pentium 120 when I was still at school! Of course I’ve had plenty of second-hand and hand-me-down gear between then and now.

The two main requirements for the new build were enough power to decode high definition video and quiet enough not to drive me crazy. Quiet means efficient cooling, i.e. good air flow.

I wanted to run the fan at very low RPM while maintaining good air flow across the CPU and video card; the idea is to pull air past the passively cooled video card, though the CPU heat sink and vent it straight out the back of the case.

I could have hacked a duct together with cardboard and tape but that would been just too easy, besides I wanted to try my hand at some fibreglassing. After much research, trial and error Here are the basic steps I went though.

Materials (Fibreglassing bare essentials can be had for about NZ$50)

• Polyester resin
• Methyl ethyl ketone peroxide (MEKP – The catalyst used to harden the resin)
• Fibre glass re-enforcing Chopped strand Matt (CSM)
• Polyvinyl alcohol release agent (Used so you can separate your part from the mold)
• Release wax
• Acetone (For cleaning up)
• Cheap bushes
• Mixing containers
• Latex gloves. (Keep the nasty chemicals from burning your skin, Box of 100 – you have to change them often)
• Stirling sticks
• Respirator mask
• Casting plaster to make the mold (Not used in the end. See trial and error!)
• Wood, plywood, tape, misc tools, sandpaper, etc etc

Thanks goes to NZ Fibreglass. They were very helpful; they sell in small and large quantities and took me though exactly what I needed to get started so if your in Auckland and need fibreglass gear it’s the only place to go check them out at:
http://www.nzfibreglass.co.nz/

1. Make a mold from wood (and masking tape!).

2. Coat the mold with resin and some fibreglass re-enforcing where strength and shape is needed, around the corners and over the masking tape.

3. Sand the resin coated mold very smooth

4. Wax the mold with release wax; about 6 coats, till it’s very shiny.
The guy at the fibreglass shop was very kind and gave me the last of a tin of wax they had in their workshop; saving $30

5. Brush on polyvinyl alcohol release agent. This stuff is great, it forms a sort of plastic bag-like skin so you can release from the mold. It should really be sprayed on evenly with a proper spraygun but this will have to do.

6. Now ready for the first layer of fibreglass. Mix up the polyester resin with the hardener. Soak the resin into the glass with a dabbing action too much brushing and the fibres will start to be dragged around with the brush. The glass should be saturated and become transparent.

The first layer is done!

7.Now the moment of truth; separate the part from the mold?

Note the PVA film has formed a barrier between the resin and the mold.
At this point I’m wondering if the wax was really necessary.

The part released reasonably cleanly

8.Add more re-enforcing and a top coat of very thin glass tissue. (My homemade roller helps get out air bubbles)

9. Clean-up (sand), add holes for top of heat sink

10. Add bottom sections

11. Lots of sanding to get it nice and smooth and ready for painting

12. Into the “spray booth”….

…Prime and paint

13. Done!

Full System Specs

• Motherboard: Intel DP35DP Media series
• CPU: Core2Duo E8400 3.0Ghz 45nm
• RAM: 4GB Crucial
• Video: Passively cooled Nvidia 8600GT (Gigabyte SilentPipe II)
• Hard drive: Seagate 320GB SATA
• Power supply: Enermax liberty 400(watt)
• Case: Lian li PC61 (Big thanks to Chris for this very nice all aluminium case)
• CPU Heatsink: Thermalright Ultra 120 Extreme
• CPU Fan: Yate Loon D12SL-12 (700RPM @5 volts)
• TV Cards:
  • Satellite (DVB-S)
    • Technisat SkyStar 2 (PCI)
    • Technotrend S1500+CI Module (PCI)
  • Terrestrial (DVB-T)
    • Hauppauge HVR-2200 Hybrid Dual Turner (PCIe)
  • Analog
    • Hauppauge PVR-150 (PCI)
    • Hauppauge HVR-2200 Hybrid Dual Tuner (PCIe)

After building a new HTPC I’ve discovered that the onboard IDT audio has a problem with the SPDIF output, or at least my Sony receiver has a problem with it! Every time a sound is played it causes the SPDIF input on the receiver to initialise which takes about 500 milliseconds, after the sound has finished the SPDIF goes back to sleep. As a result the first 500ms is lost off every sound that is played; not really a problem if you’re watching a movie but for applications that have little blips as you navigate around these sounds tend to get missed altogether; such is the case in MediaPortal the HTPC application I use.

My old motherboard with Nforce sound didn’t have this problem the SPDIF remained “active” all the time.

After much searching I did find a few other people with the same problem but no solution so I’ve written a small .NET application called SPDIFKeepAlive. It does just that. It sits in the system tray and continuously plays a silent wave file to keep SPDIF port active.

Hope this is helpful for others, leave comments for bugs or if you want the source code.

Download

.NET Framework 2.0 Required

Version History

Version 1.2 (Current Version) – download

• Fixed auto play on startup
• Added auto-restart option

Version 1.1

• Added new output options

Version 1.0

• Initial release

When clicking too fast you accidentally denied “Full Control” to “Authenticated Users” for a GPO you were working on. Since deny takes precedence over allow the results are that you are now denied the ability edit the GPO at all. This includes editing permissions to remove the blundered ACE! In the GPMC it Looks like this!:

A GPO is made up of two parts; a set of files in sysvol and an active directory object. When correcting GPO permissions you must modify the ACL on the AD object using DSACLS (included in the w2k3 support tools) and the sysvol NTFS permission.

The following dsacls command will remove the offending deny ACE from the ACL, in this case “Authenticated Users” from the AD object. The object is named by the GUID that can be seen on the inaccessiable objet in the GPMC.

dsacls “cn={3EE757FE-B5A4-4D23-937D-A3AF5G7F0CEA}, cn=Policies, cn=System, dc=wordpress, dc=com“ /R “Authenticated Users”

If successful this command will return a full list of the permissions for the object

Next up you need to remove the deny ACE from the policy’s NTFS folder ACL. Again the GUID of the policy is used to name the folder:
\wordpreessSysvolwordpress.comPolicies{3EE757FE-B5A4-4D23-937D-A3AF5G7F0CEA}

At this point your GPO will be accessible within the GPMC and the permissions will be consistent across AD and Sysvol. All that’s left to do is to add “Authenticated Users” back to the GPO. Do this by editing the GPO with the group policy editor; doing so will apply permission changes to both the AD object object and the Sysvol policy folder.

Just thought this might help someone, not that it’s ever happen to me.

This is useful if you want to start using quotas and all home dirs are owner by local admin. Or when you just want to tidy-up/reset permission on users home dirs.

Bulk repalce owner using folder name:
- Get subinacl.exe
-Run:
for /d %%i in (*) do subinacl /errorlog=subinacl.err /subdirectories %%i*.* /setowner=%%i

Bulk repalce permissions using folder name:
-Get SetACL.exe
-Run:
for /D %%u in (*.) DO SetACL.exe -on %%u -ot file -actn ace -ace “n:domain%%u;p:change” >>log.txt