Chris J's questions

We have an 2008R2 IIS server set up with a site configured to require client certificates. Our test client isn't working, and we're trying to debug why.

During the course of this, we've set up a new Server 2008 R2 box (yes, I know it's old, but this is what's running the software) to try and replicate or determine ways to troubleshoot.

One route we're investigating is the TLS handshake. The test application is written in .NET and with appropriate System.Diagnostics debugging enabled, this places the following entry in a log file:

System.Net Information: 0 : [22724] SecureChannel#48979325 - We have user-provided certificates. The server has specified 10 issuer(s). Looking for certificates that match any of the issuers.

We're unable to see this list of issuers, so we broke out OpenSSL. Running the following command:

openssl s_client -connect win2k8r2-1.hsl10690.test:443 -state -no_ticket -servername win2k8r2-1.hsl10690.test

Resulted in output that stated:

   [...]
-----END CERTIFICATE-----
subject=/CN=testcert.hsl10690.test
issuer=/CN=Internal Dev CA 1
---
No client certificate CA names sent
---
SSL handshake has read 1013 bytes and written 329 bytes
   [...]

So we have a mismatch where the Microsoft stack declared that the server specified 10 issuers, but OpenSSL is reporting that the server sent no CA names.

In the case of the live system, the System.Diagnostics logs reports 130-odd issuers specified by the server, yet OpenSSL still returns zero.

We believe the issue is that the client certificate we're supplying doesn't match one of the issuers (but we've validated that the root is in the server's trust store, and we've validated the certificate outside of the server). On the live server we see this in the logs after the "The server has specified..." message:

System.Net Information: 0 : [36484] SecureChannel#33675143 - We have user-provided certificates. The server has specified 133 issuer(s). Looking for certificates that match any of the issuers.
    ProcessId=20372
    DateTime=2018-12-20T13:33:39.9042036Z
System.Net Information: 0 : [36484] SecureChannel#33675143 - Left with 0 client certificates to choose from.
    ProcessId=20372
    DateTime=2018-12-20T13:33:39.9052036Z

whilst on test, where things work, it says:

System.Net Information: 0 : [22724] SecureChannel#48979325 - We have user-provided certificates. The server has specified 10 issuer(s). Looking for certificates that match any of the issuers.
    ProcessId=22100
    DateTime=2018-12-21T13:52:23.3718249Z
System.Net Information: 0 : [22724] SecureChannel#48979325 - Selected certificate: [Version]
  V3

[Subject]

How can we find out what certificates are returned by the server, and if we find that the issuer is missing from the list, what could have prevented the root being included? I'm not ruling out that we've missed something obvious, but we've not seen it yet.

I'm trying to configure remote access to WMI across a number of servers, however the boxes that are just running Server Core are giving me a headache.

Notionally, in order to do this we need to run dcomcnfg and set permissions through that tool for Remote Activiation etc. Server Core, being GUI-less, doesn't have dcomcnfg let alone MMC more generally.

Running dcomcnfg from a full machine and then adding the server core box for remote administration doesn't give me a "DCOM Config" entry in the tree - I only have "COM+ Applications" and "Distributed Transaction Coordinator" for the remote server.

I've done a few searches, and either can't find the right magical incantation for Google, or what I'm doing is something rarely done.

How are we meant to configure DCOM on a Server Core box?

For those that don't know, CPU parking is a feature in recent Windows Server releases that allows Windows to pretty much drop a CPU core to zero use, and having nothing use it. It's been introduced as a power-saving measure. There's more detail about it here, amongst other places.

However what I'm curious about is whether this matter on a virtualised guest - or is CPU parking more of a hindrance than a help, given that the physical CPUs are managed by ESXi, not Windows, and that a parked CPU is less likely to deal with traffic unless the scheduler deems there's enough work to unpark the CPU?

I've not found anything about this - I do suspect it will be very much based on a given workload, but I've not seen any discussion (unlike, say, whether hyper-threading has any effect, which seems to be discussed regularly). Whilst I do understand the "test with your workload" I was wondering if there was any advice/guidelines out there that I've missed.

We have an in-house application that requires the use of client SSL certificates to authenticate with a remote server (not under our control).

This has worked without problems before but on deploying to a new server, we're having problems getting Windows 2008 to use the certificate.

The certificate exists as a .pfx file that contains a private key. The same certificate exists in the LocalMachine store, again with its private key. We've ensured the one in the LocalMachine store is correct by creating a website in IIS against that certificate, so we're happy that the certificate, certificate chain, and private key is valid.

The PFX has been created by exporting from the Certificates MMC snap-in.

The issue is that we get the following in the system diagnostic logs that suggests it can't find the private key:

System.Net Information: 0 : [5988] SecureChannel#23264094 – Locating the private key for the certificate: [Subject]
CN=internal-server.company.com, OU=Servers, OU=Devices, O=org

[Issuer]
CN=SubCA02, OU=CA, o=org

[Serial Number]
407ABCDE

[Not Before]
31/10/2013 11:08:48 AM

[Not After]
31/10/2016 11:08:48 AM

[Thumbprint]
4354A34F6004F019E60F055979A47E50F62D1504
.
System.Net Information: 0 : [5988] SecureChannel#23264094 – Cannot find the certificate in either the LocalMachine store or the CurrentUser store.

I've validated the thumbprint, issuer and serial number listed in the log with the certificate in the LocalMachine store and these marry up.

From what I can tell with much searching, this appears to be a permissions issue. The user the application is running as has been granted access to the private key (Personal Certificates -> right click on the certificate -> all tasks -> Manage Private Keys), so I'm now at a loss as to which permission(s) it may be that is causing the issue.

UPDATES

• We have added the application user to the 'Administrators' group, rebooted the server, and tried again. The issue remains.

• We have enabled SChannel debugging (as per http://support.microsoft.com/kb/260729 ). The System event log reports the following warning:

  The remote server has requested SSL client authentication but no suitable client certificate could be found. An anonymous connection will be attempted. This SSL connection request may succeed or fail depending on the servers policy settings.

• No .NET access denied exception is raised; in essence SChannel is falling back to not providing a client certificate. This has been verified with a Wireshark trace that shows a certificate count of zero before the remote ends forces a TCP reset.

Is there any DNS software that can translate incoming responses conditionally?

Basically we have a corporate DNS server that hijacks NXDOMAIN. As bad as this is, it doesnt' really affect most day-to-day activities. However it's causing problems with some 3rd party software, causing it to misbehave on occasion.

Now - I've attempted to get this changed to no avail. So what I'd like to do is stick a DNS proxy in front of the test env, which doesn't do anything except act as a DNS forwarder, but with the added functionality of being able to return NXDOMAIN when it recieves a specific IP address in response to to an A lookup.

I can't override the DNS - if I need to do external queries, they have to go through the corporate DNS (DNS requests are firewalled).

Other than expending lots of effort to try and get this behaviour turned off, is there anything out there that can do this (I've looked at BIND, but it's not immediately obvious that this can do it; similarly dnsmasq as well. If these can do it, then my google-fu has failed, and just pointing me at the docs that says "this is how you do it" would be grand, ta :-) ).

Scenario: we're in the process of setting up central virtualised server that acts as a demonstration environment. This VM (running Windows 7) will be cloned and put on sales laptops so demonstrations can be done "in the field" - using a VM allows us to ensure that we have a good working standard build, without having to worry about what the actual laptop.

The central VM needs to be on our coporate Active Directory domain. We ideally want to remove the domain membership from the cloned versions before it goes on to the sales laptops - in some cases, we'll be getting the VM to the sales guys remotely, so we don't want to have to support them in taking the machine of the domain.

Now, we can't just remove a clone from the domain, as being a direct clone it will also take the central VM off the domain. Removal of the domain will probably be done whilst the machine is on the corporate network - so whilst we could try and isolate the clone from the network, I'm expecting this to be forgotten about at some point.

So - I'm thinking that we need to look at using sysprep to do the dirty work, using the [Identification] section to take it off the domain and stick it on a workgroup. Has anyone any experience of this and advise of any caveats given what we want to do? It seems straightforward enough that it's making me think I've missed something...

Cheers :-)

EDIT (in answer to questions)

• We're intending to use VirtualBox on the laptops to host the virtual machines; it's both fairly straightforward for non-techs to use, whilst being completely reliable without going to the extreme of having a Server OS on the laptop.

• No domain access is needed - the VM is entirely standalone; however it needs to be on the domain whilst being centrally hosted and network-accessible due to our security policies.

• Remote access isn't an option - this leaves us at the mercy of a third party's network (i.e., can we raise a VPN connection - or even get on a network in the first place?) or the mobile network (is the signal going to be good enough and reliable enough for a sustained demo?). Having a VM locally hosted where no external connctivity is required ensures that demos can occur regardless of local conditions.

Is there a way to force files that are created through a network share, or in a given folder, to be owned by a specific user (i.e., is there a native Windows equivalent of Samba's force user).

Rationale: I have a server that runs a number of SQL Server 2008 instances for our internal development environments. Each instance runs as it's own service user, and each service user has a fixed quota - thus ensuring that if one SQL Server runs away with disk (for whatever reason), it won't keelhaul the server.

However some users need to be able to get backups on and off the server, so I have a number of file shares - one per instance - that point to the appropriate directory. As a result, files get created as the user copying the backup onto the disk, circumventing that instance's disk quota.

At the moment I'm working around it by forcing users to authenticate as the SQL Server service account. This isn't really ideal, but it's the best option I can find at the moment.

So ... is there a way to do this, or can anyone see any other solution that would achieve a similar effect?

Ta :-)

When SQL Server throws permissions errors (or other OS errors), it generally logs something of the form "Cannot open file {blah}. Operating system error 3 (failed to retrieve text for this message)".

It's a simple one: what is it that's stopping SQL Server retrieving the error text? I'm assuming it's a permissions problem somewhere, but I don't know what mechanism SQL uses to translate OS error codes to actual text messages to actual get this working in the first place.

NOTE: I'm not asking "how do I fix the initial error" (just incase someone misreads the question) -- this is "how do I get SQL Server to sucessfully translate the OS error number to text so I don't have to keep looking up or remembering what the OS error numbers mean".

This is one of those that there probably is an answer out there, but it's drowned out by all the questions asking "what does OS error mean", and I can't find the right google incantation...

In an effort to try and take the pointy-clickyness out of configuring IIS for our application, I've been looking at appcmd. Specifically it's ability to export config trees and reapply them with minimum fuss.

Generally, this gives the exported configuration:

appcmd list Config /section:httpProtocol /config /xml > template.xml

which I can then reimport at a later date with:

appcmd set Config /in < template.xml

and the changes get applied. This works well for everything other than custom error pages.

I've exported these with:

appcmd list Config "Default Web Site/intranet" /section:httpErrors /config /xml > customerrors.xml

but when I try and import with:

appcmd set Config /in < customerrors.xml

I get the following error:

ERROR ( hresult:8007000d, message:The input contained an error element, which may
indicate that the operation producing the input has failed.  )

Well yes, that's because I'm importing errohandler entries that look like this:

<?xml version="1.0" encoding="UTF-8"?>
<appcmd>
  <CONFIG CONFIG.SECTION="system.webServer/httpErrors" path="MACHINE/WEBROOT/APPHOST/Default Web Site/intranet" overrideMode="Inherit"
locked="false">
    <system.webServer-httpErrors errorMode="Custom">
      <error statusCode="500" prefixLanguageFilePath="" path="/intranet/ErrorPages/500-100.asp" responseMode="ExecuteURL" />
      <error statusCode="500" subStatusCode="100" path="/intranet/ErrorPages/500-100.asp" responseMode="ExecuteURL" />
    </system.webServer-httpErrors>
  </CONFIG>
</appcmd>

...which is what appcmd gave me (which would imply that the 'error' element really is what is required). Is this a case of appcmd trying to be too clever, or am I missing something ridiculously obvious?

Cheers!

If I'm reading Books Online correctly, a user can restore an existing database if they're the DBO of that database; the actual words are:

If the database being restored does not exist, the user must have CREATE DATABASE permissions to be able to execute RESTORE. If the database exists, RESTORE permissions default to members of the sysadmin and dbcreator fixed server roles and the owner (dbo) of the database (for the FROM DATABASE_SNAPSHOT option, the database always exists).

Unfortuantly, this doesn't seem to be exactly correct or there's a subtlety I'm missing. For a specific database, I'm trying to get this to work but when the user does a RESTORE FILELISTONLY to get the files in the backup file, we get the error:

Msg 262, Level 14, State 1, Line 1
CREATE DATABASE permission denied in database 'master'.
Msg 3013, Level 16, State 1, Line 1
RESTORE FILELIST is terminating abnormally.

It's a slightly confusing error message as at this point all we're doing is trying to read the backup file, not create, nor even restore an existing, database; so I can only assume SQL Server attempts to do a permissions check before allowing any RESTORE command to execute.

Now BOL doesn't mention any extra permissions needed, so am wondering which is correct, or am I missing a subtlety in the text. Whilst I don't doubt the error messages accuracy, what do I really need to do to get a user who is db_owner of a database to be able to restore that database, without elevating their permissions?

I've been asked to look into log shipping for SQL Server 2000 (yes, 2000): something in my memory tells me that I looked at this years ago and there were question marks over it's reliability.

I'm trying to google stuff, but given the age of 2000 now I've put pulled up anything to confirm this -- most seem to say they're using it without problem, so just want confirm whether I'm just being delusional, or whether there were problems, but with a fully patched SP4 box these don't exist any more.

Cheers!

Does anyone know if it's possible to mirror only data changes with SQL Server 2008's database mirror functionality. I suspect the answer is that it isn't possible, but wanted to see if I've missed something.

If not, does anyone know of any way to replicate only data and table schema changes from a source database to a reporting system. We don't want stored procs, views, functions, etc in the destination system. Replication doesn't need to be instantaneous, but what we're trying to avoid is having to do a full database copy followed by a DROP of all sprocs, views and functions (due to the size of the backup and the time this can take).

Replication (as in full-fledged SQL Server replication) isn't an option -- it has been investigated and would involve some changes to the database design, which would then take a number of weeks (if not more) to actually implement, test and support in the application above, as well as restricting and complicating how changes are applied to the database (i.e., although replication might technically be the right solution, for a whole host of process management and time constraints, it's probably not going to happen).

Cheers.

(This has started to get quite lengthy, but hopefully will provide a summary of things to try for anyone else that's bumped into this issue - it's not a simple one-size-fits-all solution by the looks of things; other solutions or avenues of investigation may be found in the answers as well).

I'm having problems getting a reliable share working on an x64 Server 2008 R1 SP1 server.

All works well after a reboot, but after some time (within a day) the shares become unavailable to XP and Server 2003 servers. Interestingly, they remain available to other Server 2008 servers.

On trying to access \\server\share, Server 2003 returns immediately and simply gives me the message "The specified network name is no longer available", XP takes a minute or two to timeout before giving the same message. There doesn't seem to be anything in the event logs indicating a problem.

Doing some googling over the last day or two I've seen the following blamed:

• Bad network drivers (Broadcom [which is what the HP servers we use have] seems to get a few mentions for being flaky) ... I've updated to the latest drivers with no result (see refs 1 and 2)
• Symantec anti-virus ... we're not using it (currently no AV on the server) (see refs 1 and 3)
• Receive window auto-tuning ... I've disabled with netsh int tcp set global autotuninglevel=disabled and netsh int tcp set global rss=disabled (see ref 4)

None of these have had an effect. Windows Firewall is currently disabled.

As other Server 2008 boxes (both x32 and x64) can connect, I can only assume that there's some new security configuration that's not quite right - or there's an AD issue that I need to trace, but don't know where to start. Even if anyone doesn't know how to resolve, if someone knows what I need to look for with Wireshark this would be a help.

EDIT ... I've put a Wireshark trace on (filtered by target host only) and what I'm seeing is that the client (Server 2003 in this case) sends an SMB "Negotiate Protocol Request" message to Server 2008, however no "Negotiate Protocol Response" is received from the server. The client retries until it times out. Note however that the server is responding postively to a session request. This is the full sequence of events:

C -> S  NBSS Session Request
S -> C  NBSS Positive Session Response
C -> S  SMB  Negotiate Protocol Request
[no response; time passes].
C -> S  NBSS Session Request
S -> C  NBSS Positive Session Response
C -> S  SMB  Negotiate Protocol Request
[no response; time passes].
[repeat]

EDIT2... Wiresharking a SMB connection from Server 2008 client shows the the Negotiate Protocol Response being sent, but with SMBv2:

C -> S  NBSS Session Request
S -> C  NBSS Positive Session Response
C -> S  SMB  Negotiate Protocol Request
S -> C  SMB2 NegotiateProtocol Response
C -> S  SMB2 SessionSetup Request
S -> C  SMB2 SessionSetup Response
[then the conversation contines, bringing the share back]

I'm going to try disabling SMBv2 on the 2k8 server (as per these instructions on petri.co.il) and see if that helps - should force the server to use SMB1 everywhere then.

EDIT3... I've also found this article on Microsoft Technet Forums ("Windows 2008 Keep disconnecting shares + outlook 2007 keep loos conection to exchange 2007" [sic]), to which others have suggested checking TCP Offload Chimney configuration. At this present moment however having disabled SMB2 (see EDIT2, above) things seem to be okay at the moment - shares have yet to disappear having disabled SMB2 last Friday. A quick google's found someone else (MS Technet forum "File opening issue on a server 2008 share.") who found that disabling SMB2 was also a solution. I'll let this tick over for a couple more days before self-answering and closing this question down.

References...
(1) Microsoft Networking Team - Intermittent file sharing connectivity from various clients to a Windows Server 2008 server
(2) 424help.com - Windows 2008 Server Network Connectivity Problem
(3) Symantec AVForums - MR3 Locks up Server 2008 file shares
(4) Usenet - Server 2008 R2 file share access fails under heavy load (also mirrored on various web forums like techarena, eggheadcafe, etc)

Does anyone know what or if there exists a replacement utility for the Server 2000/Server 2003 command line tool ntrights on Server 2008? More info on this utility (for those that don't know what it is) is in MSDN KB 315276.

I'm trying to plan disk space for a virtual environment, and wanting to keep virtual disks as small as possible - mostly as apart from the base OS, the software going onto the VM is less than a few MB, so want to avoid physical disk space going to waste; plus it'll give me an idea of how many VMs I could physically fit in {x}GB of physical drive.

For Server 2003, I've had installs on 2GB and 5GB sized virtual disks. However for Server 2008, Microsoft recommends a minimum of 10GB (I assume this is both for x32 and x64). For the record, I will be installing the x32 version.

Now I know I could just go ahead and try a small install, but wanted to solicit any practical knowledge as well :-) What's the smallest install of Server 2008 possible? (excluding server core installations).

Edits...:
Target virtualisation environment: Microsoft Hyper-V
Target use: development/peertest environment, so it's likely that we'll be creating and tearing down servers on a semi-regular basis. Lifetime of a single VM may vary from a day or so to over a year.

In order to support some build processes on our Server 2003 development servers, we require a common user account that has administrative privs.

Unfortuantly, this also means that anyone that knows the password can also gain admin privs on a server. Assume that trying to keep the password secret is a failed exercise. Developers that need admin privs already have admin privs so should be able to log in as themselves.

So the question is a simple one: is there anything I can configure to prevent people (ab)using the account to gain administrator on servers they shouldn't have administrator on? I'm aware that devs could disable anything that is put in place, but that's then down to process and auditing to track and manage.

I don't mind where or how: it can be via the local security policy, group policy, a batch file executed in the user's profile, or something else.

Can anyone point me to, or does anyone know what this "feature" of SQL Server is? Googling for it (also for "Super scan" which seems to be a synonym for the feature) reveals no information other than all the edition comparison pages that exist out there for SQL Server.

I'm also not sure whether this is a stackoverflow or a serverfault question. I'll try here on serverfault first, but if folk think stackoverflow may be a better forum, drop me a comment to that effect - ta :-)