p.campbell's questions

I've got an SSL certificate from the 3rd party certificate authority. It's a .cer file. The certificate is installed and working properly in IIS7.

The certificate displays its Intended Purposes as Server Authentication, Client Authentication.

The site requires authentication via client certificates. We're not using client certificate mapping, but simply using client certificates as a measure of authentication -- if you have one, you're authenticated.

• How can I create a client certificate?
• Does the CA have to do this, involving another CSR?
• Is this something I can do myself with another tool? (OpenSSL or other)
• What format is required for client certificates?

Consider a scenario of importing a .cer file for use in IIS 7.

The CSR was NOT created on this machine. After receiving a .cer file from the CA, the Complete Certificate Request wizard prompts for the CA's response and your friendly name for use in IIS.

CertEnroll: CX509Enrollment::p_InstallResponse: ASN1 bad tag value met.

How can you avoid this error and complete the certificate request in IIS7? Is this due to the CSR not being created on this machine? Digicert seems to think it's not the issue.

Consider an ASP.NET SOAP web service that starts up fine, but craters hard when receiving its first hit.

Please note that this is deployment works in the Test environment, but not in the PreProd environment. Both are Windows 2003 SP3 + IIS 6 + ASP.NET 3.5. All up-to-date.

The behaviour that we're seeing is:

• restart the site & app pool
• the app pool is configured to run under Network Service.
• browsing to the .asmx and .wsdl responds normally, as expected.
• send a normal well-formed SOAP request / normal payload to the web service
• 100% CPU usage
• after 5 seconds, the page request / site returns "Service Unavailable"
• no entry is created in the IIS log file (i.e. c:\windows\system32\logfiles\W3C-foo)
• the app pool ends up being stopped

The processes that hit the CPU hard are dw20.exe. I am unsure why Dr Watson is involved here.

Event Log shows an ASP.NET Runtime error:

Task Manager:

Event log text:

EventType clr20r3, P1 w3wp.exe, P2 6.0.3790.3959, P3 45d6968e, P4 errormanagement, P5 1.0.0.0, P6 4b86a13f, P7 24, P8 0, P9 system.stackoverflowexception, P10 NIL.

Questions

Any thoughts on what this system.stackoverflow exception might be? Given that the code is the same between environments, might it be a payload problem? Could it be a configuration issue? You can see the name of my .NET assembly there in the exception message: "ErrorManagement"

What command would you use in cmd.exe to find the number of files in the current directory?

Is there a powershell option here?

Update: I was hoping to avoid dir, as I know there are 10,000+ files in the current directory. Wanted to avoid the enumeration output to the cmd window. Thank you!

Consider a Win 2008 SP2 machine with IIS7. The task is to apply a certificate and host name to the one and only Site on this machine. The site's host headers need to be abc.123.example.com

The first step was installing the .pfx to the Personal Store, which was successful.

IIS7 finds the cert as available, but won't allow the entry of a host name. The host name textbox is ALWAYS disabled/greyed out, even before selecting my cert. I've even deleted the default port 80 binding.

Question: how can I set a host name for this site? Is it a matter of this cert being a wildcard cert? I understand that the SSL request comes into the web server, and the host header in the packet is encrypted. Why then would IIS6 allow the host header to be specified, but IIS7 not?

Update: The cert isn't part of the problem. I've created a new Site on the machine, and when choosing https binding, the host name textbox is disabled.

Consider a small-medium business' deployment of Exchange 2003. The question is around migrating to Exchange 2010. Here's a bit about the landscape:

• Current state is 50-100 users/mailboxes with the majority using Outlook 2007
• OWA enabled
• desktop users are NOT running in Cached Exchange Mode
• laptops users ARE running in Cached Exchange Mode
• a single Exchange server with modest or reasonable specs for the day (3 GHz, multi-core, 4 GB, Windows 2003 32-bit)

Questions

• What are your suggestions for the administration team regarding the upgrade path/steps from Exchange 2003 to 2010?

• Considering the requirement of a 64-bit OS, consider a new separate machine as ready to go with Windows 2008. Have I missed any details?

• Where might virtualization help in this project?

Any lessons learned in previous upgrades (2007 or 2010) would be appreciated!

Consider a Win2003 + IIS6 machine that has a single website. Let's call it myDomain.com. The task is to secure the site with an SSL certificate. Currently have a .pfx certificate.

Using the MMC app, the certificate is imported successfully into:

• Current user personal store
• Local Computer personal store

Problem: the myDomain cert doesn't show in the list of available certs when configuring IIS. The only entry is for that 3rd part certificate authority.

We know the cert for myDomain.com is in the .pfx because the MMC import process shows two certs:

• one for myDomain.com with the Intended Purpose of Client Authentication
• one for the Root CA

Question:

How can I ensure that the certificate --for myDomain.com-- in the .pfx shows in the pick-list in the IIS Certificate Wizard when choosing "Assign an existing certificate"?

Update It appears that the .pfx created was not suitable for Server Authentication, but rather Client Authentication only.

Consider an IIS6 installation with multiple Web Sites. Each is intended to be a different subdomain with its own cert (not a wildcard cert). Each has their host-header specified properly.

• foo.example.com - port 443. Require SSL w/128 bit. Working properly! It presents its SSL cert properly to the browser. Configured for a specific IP address.

• bar.example.com - port 443. Require SSL w/128 bit. Configured for all unassigned addresses. When inspecting the IIS property page, it fully shows the cert for bar.example.com on the View Certificate button. This is a NEW web site that is having cert problems. It's presenting the cert for foo.example.com. Ouch!

alt text http://www.imagechicken.com/uploads/1251156847014486300.png

Question: can you have more than one subdomains both running on separate websites with SSL certs on the same port (443)? How would you configure 2 web sites on the same range of 'all unassigned' for the same port (443) ?

Update: ignoring the cert error, when browsing to https://bar, the content served is from https://foo site.

When NOT using SSL, browsing to http://bar serves the correct content from bar.

Just one address is assigned to this DMZ server.

Consider an IIS7 deployment with multiple Applications under a Web Site. Each is running under its own AppPool. We want to disallow all outside visitors access to one Application in particular. All internal users should be allowed access.

The current strategy is to check the requesting IP address. This likely could be done in IIS7 and a web.config. The screenshot is the first stab at allowing internal users. Those who present from:

• 192.168.0.X should be allowed.

• an external IP, (i.e. a public address) should be denied.

  

Question: How would you configure your Application to suit this requirement, either by:

• inetmgr or
• web.config

Consider you have a website with many virtual directories. Each VD is configured as an application.

How would you, in effect, turn off just ONE of those VD, or have it redirect to another page? You want to be sure that you don't turn off the entire site and all the other VD.

The scenario here is that there is a downtime or deployment happening, and you would like to redirect to an app_offline.htm page.

Question: How would you go about temporarily disabling just one virtual directory?

Just wondering, have you ever made anything useful with a RAM disk in production? I wonder if the performance benefit they afford possibly outweighs their temporary nature in a specific circumstance.

I've only ever used one once, and it wasn't for performance. It was when I needed some writable disk space on a server showing hard drive errors – it gave just enough space for me to install the 3ware RAID utility to identify the dodgy disk.

How have you used a RAM disk in production?

The environment is Debian, although the answer will apply to all distributions.

Consider this scenario: an admin configured a public/private key pair to use when rsync'ing files between servers to avoid the password prompt. This setup works great.

Then when attempting to use SSH/SCP, the system prompts for a password.

Question: why is this the case if rsync is working properly?

While attempting to install .NET 3.5 SP1 on a fresh install of Windows 7 RC, nothing happens. The machine gives a UAC prompt. When selecting Yes, nothing happens.

Using the full redistributable package gives the same result: nothing.

Is there a reason why the .NET 3.5 SP1 installer would suddenly quit and not proceed with installation?

How many web servers does StackOverflow/ServerFault have?

If the answer is 'more than one', then is does it achieve Session Stickiness while DNS polling?

The I.T. dept is considering allowing installation and automated deployment of Google Chrome browser to 100+ desktops. One of the requirements is for domain credentials to be passed through. The desired behaviour is the same as Internet Explorer.

An issue has come up when browsing intranet resources. Intranet sites which require Active Directory authentication are showing the "Authentication Required" dialog.

For each site, you have to enter your domain credentials.

Question: Does Google Chrome currently, or plan to, support passthrough Windows authentication? If so, how do you configure this security setting?

I'm interested in learning about tools and techniques used to manage many Linux machines. (That is, deploying and maintaining updates.)

One way that I thought of to do this is write a Bash script that uploads another script to the servers and executes the script for each server sequentially. For example:

foreach server
{
     connect to server and scp update_script.sh to ~/scripts
     ssh user@server -e "sh ~/scripts/update_script.h"
}

And update_script would use apt-get/aptitude or yum, or whatever to update packages on the server.

Are there better ways to do things like this?

Given a machine configured with :

• Windows 7 64 bit
• a CPU that DOESN'T support the Intel hardware virtualization

Are there any free, non-time-sensitive virtual machine hosts that can host either 32 or 64 bit guest machines?

The candidates:

• VMWare Server (doesn't work well with 64 bit Windows 7... some driver signing problems that I don't want to muck around with)

• VMWare Workstation (is time limited at 30 days)

• Microsoft Virtual PC 2007 ?

• Sun VirtualBox - work perfectly with the conditions given! VirtualBox's only problem is that it's DIFFICULT to have it run headless. The problem is that VirtualBox requires you to "Start" each system, which brings up a new window. Closing that window will Suspend or Close that VM.

The goal is to host a wide array of guest machines; Windows, OSX (longshot), and *nix.

Question: any way to have Sun VirtualBox run headless in an official supported manner?

Given the recent events with a 'hacker' learning and retrying passwords from website administrators, what can we suggest to everyone about best practices when it comes to passwords?

• use unique passwords between sites (i.e. never re-use a password)
• words found in the dictionary are to be avoided
• consider using words or phrases from a non-English language
• use pass phrases and use the first letter of each word
• l33tifying doesn't help very much

Please suggest more!

Given the appropriate security policies, disclaimers, etc. by the employer, admins typically need tools to record and report on how the internet connection is being used by its employees.

In the past, I've relied on my firewall appliance to log the most viewed domain names. Very rudimentary stuff. It was difficult to track down who visited siteAbc123.com in a domain of 50+ computers. The egregious traffic was really what we were after.

If the requirements are to provide a report, on a per user basis:

• bandwidth used
• sites/pages visited + hitcount
• protocols used (i.e. streaming radio)

Can you suggest any free or low cost tools that would help gather and create reports on this information for a small-medium business in a Windows environment?