Qwerty's questions

I have an issue with Constrained Delegation and IIS 7 on Windows Server 2008.

We have a web application which uses impersonation to access a SQL Report Server. This has worked fine with IIS 6 with both Trusted for Delegation and Constrained Delegation. However we have run into an issue with IIS 7.

What I have been able to get it down to is this, On IIS 7, with the Application Pool running as NetworkService, and Constrained delegation configured, we get an HTTP 401 Unauthorised error from Report Server, with the Application Pool running as Local System the Impersonation works fine.

I have tested in both Classic and Integrated Pipeline. Code from a very simple test page that simulates this issue is below. Running the same test page from an IIS 6 server of Windows 2003 works fine. Any ideas of security policy, IIS configuration or even server features and roles that might effect this?

Please note I have checked Kerberos is working fine, and the constrained delegation configuration is correct.

private void testImpersonation()
{
  string url = "http://testsvr7/reportserver/";

  System.Security.Principal.WindowsIdentity user =
    (System.Security.Principal.WindowsIdentity)Context.User.Identity;
  System.Security.Principal.WindowsImpersonationContext WICTX = null;

  StringBuilder results = new StringBuilder();

  try
  {
     if (user != null)
     {
        WICTX = user.Impersonate();
        results.AppendFormat("<br />Impersonating, user: {0}",   
             System.Security.Principal.WindowsIdentity.GetCurrent().Name);

        System.Net.HttpWebRequest myHttpWebRequest =
             (HttpWebRequest)WebRequest.Create(url);

        // Assign the credentials of the user being impersonated.
        myHttpWebRequest.Credentials = CredentialCache.DefaultCredentials;

        System.Net.HttpWebResponse myHttpWebResponse =
             (HttpWebResponse)myHttpWebRequest.GetResponse();

        results.AppendFormat("<br />Authentication successful - {0}, {1}",
             url, CredentialCache.DefaultCredentials);
     }
  }
  catch (Exception ex)
  {
     results.AppendFormat("<br />Exception: {0}", ex.Message);
  }
  finally
  {
     if (WICTX != null)
     WICTX.Undo();
  }
  Response.Write(results.ToString());

I have a Nagios instance running on Ubuntu Server Lucid as a VM monitoring our Windows network.

I would like to have some specific graphs made by the trends.cgi file available on the internal Intranet. However when I make a link to one of these Apache/Nagios requires credentials to access these (makes sense).

How can I make it so that non authed users can request graphs without having to login to Nagios. I also don't want just give access to anything I don't have to.

Thanks

I have a Lucid Ubuntu Server running in a EBS 2008 windows domain. This server is running Nagios and I would like it to send email notifications to the Exchange 2007 server. I have installed mailutils and run a dpkg-reconfigure exim4-config however I still don't have it setup correctly.

I have been trying to send an email via command line first as a proof of concept for the Nagios command but the exim4 log file says:

2010-09-23 11:29:32 Start queue run: pid=8248
2010-09-23 11:29:53 1OySgu-0002xV-5N internet.domain.com.au [**my external IP**] Connection timed out
2010-09-23 11:29:53 1OySgu-0002xV-5N == [email protected] R=dnslookup T=remote_smtp defer (110): Connection timed out
2010-09-23 11:29:53 End queue run: pid=8248
2010-09-23 11:59:32 Start queue run: pid=9958
2010-09-23 11:59:32 1OySgu-0002xV-5N == [email protected] R=dnslookup T=remote_smtp defer (-53): retry time not reached for any host

I can telnet into the exchange server via 25 with the exchange machine IP.

I would like it configured correctly for just a simple internal network direct send to my exchange server. From looking at the log it seems like it wants to go out onto the Internet first instead of staying internal.

Any suggestions?

I have a Hyper-V Core server 2008 that I administer via command line and remote tools. We have now got a new backup system in place and it involves me connecting an External USB drive (G:) to backup system state files. My question is how should I safely remove the drive for its weekly offsite swap?

I've tried using the devcon tool however it just says the 'removal failed with no devices removed' with no other explanation. I have noticed that there isnt a readily available x64 version of devcon and that might be the cause of the problem. (I have read of people downloading a amd64 version but I have not located it myself, if someone knows where it is please let me know).

The devcon command worked on my old 2003 x86 server with the command: devcon remove 3200AVJ_EXTERNAL

I have also looked at using fsutil volume dismount g: but it doesn't seem to work as G: is still listed as a connected volume.

I have checked that the volume is not in use via remote tools and the net file command. Both show no open files in the G:\ volume. This could be a decent substitute as it might be used to flush any remaining IO to the volume can anyone clarify?

Thanks in advance.

In Active Directory (Windows EBS Server 2008 testing envionment), I have set a user the ability to log onto all computers. (Eg: Properties of User -> Account tab -> Log On To button -> Select All Computers option) This is all fine but the setting is being reset to the default option at odd intervals.

Is there some kind of policy setting that is making this revert? or something else? This option is preventing the test user from logging into their local workstation.

Thanks in advance.

This q is similar to: How to move Exchange 2003 mailbox or store from 2003 to 2007 on separate networks?

Basically I am trying to move our exchange mailboxes over to a test domain that is hosting EBS2008 with Exchange 2007. We plan to move as soon as we can when we have our exchange data over.

I have tried moving a db with mailboxes over but cannot get it to mount in the new Exchange in any way possible, including mounting it onto a recovery store. From my understanding the ONLY prerequisite for moving Exchange DBs across is that it must have the same Organizational name (unlike previous versions of Exchange). If anyone has any insight as to why I cannot mount and simply reattach the mailboxes, please give me an idea as to what could be wrong. It should be as simple as this. Note that the DBs I have are in a clean state.

I cannot use ExMerge because I am not running any mailboxes on 2003.

I have also tried using a 32bit Vista machine with the Export-Mailbox cmdlet to extract mailboxes but anything I do to it results in Permission errors. I have tried to troubleshoot these with no success. I am running in full admin with proper exchange roles and yet it still gives me access denied errors:

Export-Mailbox : MapiExceptionNetworkError: Unable to make admin interface conn
ection to server. (hr=0x80040115, ec=-2147221227)

Also some errors show in the management console:

get-MailboxDatabase
Completed
Warning:
ERROR: Could not connect to the Microsoft Exchange Information Store service on server TATOOINE.baytech.local. One of the following problems may be occurring: 1- The Microsoft Exchange Information Store service is not running. 2- There is no network connectivity to server TATOOINE.baytech.local. 3- You do not have sufficient permissions to perform this command. The following permissions are required to perform this command: Exchange View-Only Administrator and local administrators group for the target server. 4- Credentials have been cached for an unpriviledged user. Try removing the entry for this server from Stored User Names and Passwords.

Why I have to use a 32bit machine to export a simple .pst file is beyond me...

So yeah I am now out of ideas and any help would be great! Thanks in advance.

Currently testing backing up and restoring with Exchange 2007 on Windows 2008.

I have a 'clean shutdown' backup of an Exchange 2007 database. For the exercise I have deleted a users mailbox in Exchange and are attempting to recover it using the .edb (and log files). However when I use the Recovery Storage Group, the mailbox match up screen (from the merge option) shows the deleted users mailbox. Since it cannot match this mailbox up to one in the main edb (because it was deleted), it shows no way to restore the mailbox.

So my question is: How do you restore a mailbox from an .edb when the mailbox does not exist in the Exchange store?

I have looked at using the eseutil /R tool from TechNet but have had no success. If you can use eseutil to restore it, and post some clear instructions for me to follow that would be fantastic.

If I am going about this the wrong way please let me know. It really shouldn't be hard to perform single mailbox restore manually from a clean shutdown edb.

Thanks in advance!

We mainly run a 2003 orientated environment. Soon we will be moving towards a clean slate of 2008 EBS. My main concern is the AD/network legacy that has accumulated over the years will be difficult to remove.

Running the Windows Essential Business Server Preparation tool it gives me errors about stale Exchange objects in AD. What would be the best/safest way to remove these stale objects and any other out dated objects that would cause problems to implementing Essential Business Services 2008?

Or more broadly, what are some effective methods for keeping AD clean and tidy? (I guess with respects of upgrading to 2008 from 2003)

I know about the dsquery command for AD, if this could be used to remove stale exchange objects that would be helpful too.

Thanks in advance.

What I am looking for some of the best software examples of how installation and upgrading is performed. This could be from M$, Open Source, anything. E.g.: User experience, release compatibility, UI, click once installation, the whole spectrum of installing software.

Also is there any specific mistakes that are easy to make, that would have a huge negative impact on installation/upgrading a product.

I am looking for solutions on locking down VPN connections from clients to our untrusted testing domain. Basically a remote access option that we can give our clients to road test our software before we make a release to them. We have a tested way to do this via net meetings, but management want to explore all alternatives as to give the client a choice in how they want to preview it.

We currently have a majority Windows 2003 environment. We already have VPN connections available for our own staff to get access remotely We have:

• Internet Gateway
  • ISA 2004
  • Radius client
• Internal Master
  • Radius Server
  • Domain Controller

This is in our first domain A. We also have a domain B that is untrusted and used only for testing. What we want to be able to do is allow clients to VPN in on a locked down connection which takes them (or limits them) to a specific machine in domain B.

Could we use multiple Radius servers? Can our ISA in domain A forward specific VPN users (specified in domain B's DC) to domain B? Are there any other existing solutions that we could use? Something along the lines of Citrix or Terminal Services? Or is this the wrong way to go about doing something like this?

I'm rebuilding the server mentioned in this question.

However before I do blow it away I would like to move its operations off of it first. DHCP and ePO are taken care of and now all that is left is a demote for AD.

When following the dialogs it gives me an error of:

The operation failed because:

Managing the network session with server.domain.local failed

"Logon Failure: The target account name is incorrect."

I think my options are:

1. If there is a fix/workaround I could use to demote this machine.
2. Or nuke it now as it stands.

If I choose option 2 are there any specific things I need to do on my network to make sure it is nuked properly? Any possible gotchas?

Also if I do a dcpromo /forceremoval will I need to do anything else on my network?

Things I have checked:

• It is not an operations master server
• Turned off the global catalog (it still thinks it is one).

Thanks in advance.

Got an issue in upgrading a server to SP2.

Box: Win 2003 Ent SP1 x86

Roles: McAfee ePO server, DHCP, 2ndary DC

When installing SP2 it locks up (at the backing registry stage) and has 0 cpu usage in task manager. I then have to force close the process and then restart the machine. In the svcpack.log file the last entries say:

472.406: GetCatVersion:  Failed to retrieve version information from C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Tmp.2.scw.cat with error 0x57
472.406: GetCatVersion:  Failed to retrieve version information from C:\WINDOWS\Tmp.2.scw.cat with error 0x80092004
473.531: GetCatVersion:  Failed to retrieve version information from C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Tmp.2.sasetup.cat with error 0x57
473.562: GetCatVersion:  Failed to retrieve version information from C:\WINDOWS\Tmp.2.sasetup.cat with error 0x80092004
480.609: GetCatVersion:  Failed to retrieve version information from C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Tmp.2.osccab.cat with error 0x57
480.609: GetCatVersion:  Failed to retrieve version information from C:\WINDOWS\Tmp.2.osccab.cat with error 0x80092004
480.906: GetCatVersion:  Failed to retrieve version information from C:\WINDOWS\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Tmp.2.ntprint.cat with error 0x57
480.937: GetCatVersion:  Failed to retrieve version information from C:\WINDOWS\Tmp.2.ntprint.cat with error 0x80092004

If I run the SP2 update with the /ER switch it says it has an internal error and then crashes nicely. The svcpack.log then says something different:

37.797: UnRegisterSpuninstForRecovery, failed to delete SpRecoverCmdLine value, error 0x2
37.797:  DoInstallation: Failed to unregistering spuninst.exe for recovery.
37.797: An internal error occurred.
155.813: Message displayed to the user: An internal error occurred.
155.813: User Input: OK
155.813: Service Pack 2 installation did not complete.
156.438: Message displayed to the user: Service Pack 2 installation did not complete.
156.438: User Input: OK
156.438: Update.exe extended error code = 0x1ffe054f

The extended error code (Update.exe extended error code = 0x1ffe054f) seems to be a more accurate description of the issue.

I also have noticed the setupapi.log file gets updated as well and it also contains lots of errors like this:

Error 87: The parameter is incorrect.

#-147 Loading class installer module for "Generic volume".
#W360 An unsigned, incorrectly signed, or Authenticode(tm) signed file "C:\WINDOWS\system32\syssetup.dll" for driver "Generic volume" will be installed (Policy=Ignore). Error 87: The parameter is incorrect.
#-148 Loading coinstaller modules for "Generic volume".
#W360 An unsigned, incorrectly signed, or Authenticode(tm) signed file "C:\WINDOWS\system32\SysSetup.Dll" for driver "Generic volume" will be installed (Policy=Ignore). Error 87: The parameter is incorrect.
[2009/08/19 16:34:58 4976.937 Driver Install]

I've posted the whole svcpack.log file on pastebin. http://pastebin.com/m54ee37ac

Some things I have tried (from googling):

• regsvr32 licdll.dll
• Renaming Catroot and software distribution folders (and then rebooting).
• Removed the McAfee VSE client software (not ePO)

Any suggestions and ideas would be greatly appreciated.

This is kinda a Part two from here.

When clients VPN into my network they get assigned an Ip address which in turn gives them the 252 option from the DHCP. The auto detect then grabs this file

What I need essentially is a way for the proxy.pac to figure out if a client is on a VPN connection so that it can resolve a DIRECT for them.

So if I do a simple var myIp = myipAddress() and then just have it match it from a list of these fixed addresses then it would be solved. However the myIpAddress() function seems to be picking up the local Ip to the machine (eg: 192.168.10.1) and not the network adapter. In my case that local address is my MS Loopback which is needed for some of my local VMs. If I disable my Loopback adapter it starts resolving the correct address. This is not an ideal workaround.

So how do I go about resolving the Ip address I want from the correct adapter?

• I have been conducting this testing from my local machine for now.
• I am aware that it is not a closed VPN solution, it is just what has been decided at the moment.

Thanks in advance...

I am gonna throw this problem out into the wild.

We have just started using a proxy to log users internet usage against login names. This is setup on ISA Server 2004 (which is on our Internet gateway server). Integrated and basic forms of authentication are enabled along with reuiqring all users to authenticate. I have ticked and enabled an array of settings on ISA so that it ignores internal addresses and domains.

To point our users to our Proxy server I have used a Detect with DHCPINFORM on our DHCP server to point clients at the network location of the proxy.pac file (Described here). I also have setup the wpad.dat in the same area as the proxy.pac (both files are identical).

Current proxy.pac file I am playing around with:

function FindProxyForURL(url, host)
{       
// Trying to save localhost
   if (localHostOrDomainIs(host, "localhost")) return "DIRECT";
   if shExpMatch (url, "http://localhost*") return "DIRECT";
// If specific URL needs to bypass proxy, send traffic direct.
var resolved_ip = dnsResolve(host);
if (isInNet(resolved_ip, "172.22.145.0",  "255.255.255.0") ||
    isInNet(resolved_ip, "192.168.1.0", "255.255.255.0") ||
    isInNet(resolved_ip, "127.0.0.1", "255.255.255.255"))
return "DIRECT";
return "PROXY ^gatewaynamehere^.baytech.local:8080; DIRECT";
}

(Our internal IP is the 172.22.145.* range)

Now the issues I am having is that the proxy.pac file makes the browser go to the proxy whenever localhost or 127.0.0.1 is requested. I can see the requests on the ISA Server when I monitor my IP address. I can request other servers in our Intranet and it doesn't touch the proxy (which is correct). But I suspect that this because of settings on ISA Server and not because of the proxy.pac file (I could be wrong).

A side issue is that we need to point Firefox to the proxy.pac file manually to make it work for Firefox. Also a minority of IE users also need to be pointed manually as well. The best thing to have is to set our browsers to auto detect (Both IE and FF) and have everything just work no matter where the user is.

Setting it manually via group policy or browser settings is not ideal because it causes problems for people who have laptops that get taken home.

I have also tried disabling the IE proxy cache as described here: http://support.microsoft.com/kb/271361

Some Proxy info sites I have looked at:

• Pac file Functions
• homepages.tesco.net/~J.deBoynePollard/FGA/web-browser-auto-proxy-configuration.html
• www.findproxyforurl.com

Thanks in advance.