Friday, November 11, 2005

VSWebApp and 404

When I have started too many virtual machines in Microsoft Virtual Server 2005 I find that the administration application (http://server/virtualserver/VSWebApp.exe) stops working.

To get it to restart, change the authentication settings on the IIS virtual directory to something other than what you have already (but not Anonymous). For example, if it is Basic and Integrated, set it to Basic only.

Open the admin page again and you will be prompted for authentication and it will now work.

Thursday, November 10, 2005

Mouse Pointer Delays in Virtual Server

I am running Microsoft Virtual Server 2005 and every 10 seconds or so I get a pause in the mouse movement on the screen - very annoying.

Examining the performance logs of the server I see that the Virtual Server service "vsssrv" goes to 0% CPU utilisation when this happens - so something is interrupting the service.

Stopping my anti-virus software solves the problem, but introduces another problem in that my computer is now unprotected, so I will post back here later with my results on preventing the AV software (McAfee Managed Anti-Virus) from scanning the filesystem where my virtual machines are installed and the vsssvc.exe application ("C:\Program Files\Microsoft Virtual Server" folder).

Wednesday, October 19, 2005

Unable to Delete Active Directory Object

Whilst doing some tests on an Active Directory to do with permissions I removed all the permissions apart from SYSTEM. This proved what I wanted to prove, but I then could not delete the object or reset its permissions etc. to tidy up my test environment.

A search on the web for the problem returned one page and they had not solved it either. This was found here. Though they had deleted a user object and I had set permissions on an Exchange Server address list object I think the answer might be the same.

The problem in Exchange System Manager was "The specified directory service attribute or value does not exist" and "8007200a" when I tried to delete the object. Opening ADSI Edit would not let me delete the object (which appears as a notepad icon and not the folder icon it is supposed to be). Opening the object returns "An invalid directory pathname was passed" and deleting the object returns "This folder or one of its children has one or more property sheets up. Please close the property sheet before continuing with this action."

So taking the advice in the above link, and going a few steps further I managed to delete the object.

The key (in Windows Server 2003) is to use a command line tool called DSRM. This deletes Active Directory objects, but before the object can be deleted its permissions need to be reset using another command line tool called DSACLS.
  1. Determine the distinguished name of the object. This is easiest to do in ADSI Edit by opening the parent item and copying the value of the distinguishedName property.
  2. Paste the copied distinguished name into Notepad and prepend to the text the name of the child object in the form of CN=child,distinguishedname.
  3. On the command line enter DSACLS "Distinguished Name" /A. The quotes are needed if there are spaces within the distinguished name. This will display the current permissions on the object for your interest.
  4. Repeat the above command but change the ending to /G Everyone:GA (remove the /A). This will grant full control to Everyone to this object. Remember that you are deleting this item so these permissions are temporary. This should be successful.
  5. Finally you can delete the object using DSRM if the object is a leaf object, but if not a leaf object then DSRM distinguishedName -subtree. It might also be possible to use ADSI Edit or the valid Active Directory administration tool to delete the object if the permission fix has worked.
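The five steps above, carried out from a script rather than by hand. This is an added example and not part of the original post: it builds the child's distinguished name as in step 2 (escaping the RDN characters that RFC 4514 reserves, which the post's "CN=child,distinguishedname" form glosses over), then produces the DSACLS and DSRM command lines of steps 3 to 5 as argument lists, so the quoting of spaces that step 3 warns about is handled by the OS rather than by the typist. The switches are the ones the post quotes; the object names are constructed sample values.

```python
"""Added example (not from the original post): compose the child object's DN
and the dsacls / dsrm command lines for the clean-up procedure described above.
Runs with dry_run=True by default, which only returns the commands.
"""
import subprocess

# Characters that must be backslash-escaped inside an RDN value (RFC 4514),
# plus a leading '#' and leading/trailing spaces.
_RDN_SPECIALS = ',+"\\<>;'


def escape_rdn_value(value):
    """Escape an attribute value so it can sit inside CN=...,<parent DN>."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if (ch in _RDN_SPECIALS
                or (ch == "#" and i == 0)
                or (ch == " " and i in (0, last))):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def child_dn(parent_dn, child_cn):
    """Step 2: prepend the child's CN to the parent's distinguishedName."""
    return "CN=%s,%s" % (escape_rdn_value(child_cn), parent_dn)


def dsacls_show(dn):
    """Step 3: display the current ACL of the object."""
    return ["dsacls", dn, "/A"]


def dsacls_grant_everyone(dn):
    """Step 4: temporary full control so the delete can succeed."""
    return ["dsacls", dn, "/G", "Everyone:GA"]


def dsrm(dn, subtree=False):
    """Step 5: delete a leaf object, or a whole subtree with -subtree."""
    cmd = ["dsrm", dn]
    if subtree:
        cmd.append("-subtree")
    return cmd


def cleanup_plan(parent_dn, child_cn, subtree=False):
    """The ordered list of commands the post's procedure runs."""
    dn = child_dn(parent_dn, child_cn)
    return [dsacls_show(dn), dsacls_grant_everyone(dn), dsrm(dn, subtree)]


def _quote(arg):
    # Only needed for the printed (dry-run) form; subprocess passes a list.
    return '"%s"' % arg if " " in arg else arg


def run_plan(plan, dry_run=True):
    """Run each step in order, stopping at the first failure.

    With dry_run=True the commands are printed and returned, nothing runs.
    """
    rendered = [" ".join(_quote(a) for a in cmd) for cmd in plan]
    for line, cmd in zip(rendered, plan):
        print(line)
        if not dry_run:
            subprocess.run(cmd, check=True)
    return rendered


if __name__ == "__main__":
    # Constructed sample values, not the post's actual object.
    PARENT = "CN=All Address Lists,CN=Address Lists Container,DC=example,DC=local"
    run_plan(cleanup_plan(PARENT, "Test, List"))
```

Because `subprocess.run` receives an argument list, a distinguished name containing spaces reaches `dsacls`/`dsrm` intact without hand-placed quotes; the printed dry-run form adds the quotes only for display.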

Monday, October 10, 2005

Dell Notebook System Software (NSS) Failure to Install

I recently had to rebuild a Dell Latitude D610 as it was not working properly on purchase. The reinstall instructions for Windows XP SP2 included installing the relevant Dell drivers from the Dell CD (or internet download if they were later versions). The Notebook System Software (NSS) always failed to install - it would crash upon starting the program.

After phoning Dell Technical Support to fix this problem, the answer was to run the software whilst in Windows XP Safe Mode. To get to this reboot your computer and press F8 just before the Windows logo appears (easiest thing to do is press F8 repeatedly as soon as the computer boots and you are sure to get the option for Safe Mode).

After installing it in Safe Mode you can reboot into normal Windows XP.

Thursday, September 15, 2005

Vonage Installation with NTL as Your Broadband Provider

Connecting the router was easy, just followed the instructions, the only thing that I had to do (as I did not turn off my NTL cable modem) was clone the mac address of the current firewall onto the Linksys VoIP router (this is a setting in the Linksys admin pages).

Voice quality over a 2Mb line is good, and the 200K upload speed that I currently have will allow me to have two phones on the line as each uses 90K per call.

Roll on NTL's upgrade to 10Mb lines in 2006.

Saturday, September 10, 2005

ntl Netguard Installation with Roaming Profile

I installed ntl Netguard yesterday, the free antivirus software provided by this broadband provider. The comments on various forums were that it was easy to install, but I found this to be incorrect advice. The main issue, and the one I blog about here, is the creation of the required product folders when you have a remotely stored profile folder caused by Active Directory/Group Policy folder redirection policies.

For the software to install you need to create the "logs" and "test" folder in the "ntl netguard" folder, which needs to be in the "ntl" folder in your Application Data folder. All the folders in quotes you need to create.

Friday, August 12, 2005

Windows Vista on Virtual PC's

As I do not have any spare PC hardware I decided to install a copy of Windows Vista (Beta 1) on virtualization software. I have a choice of both VMWare Workstation 5.0 and Microsoft Virtual PC.

And the winner is - Microsoft Virtual PC

The reason is simple - I can see what I am doing and what is happening with Virtual PC as it runs with a decent virtual graphics adapter. VMWare Workstation 5.0 runs at 4bit colour until after installation has completed and you install the VMWare tools (which installed fine) but compare that to Virtual PC and the experience is so different.

Monday, July 25, 2005

Start Menu and Multiple Monitors

When you enable multiple monitors on Windows XP, which I did by installing an ATI Radeon card in addition to my existing Nvidia card, I found that after changing some of the settings (like which is the primary display) the Start Menu and Task Bar appeared on the secondary display. What seemed to happen was that the Start Menu etc. moved to one of the displays managed by the ATI card, and when I set the primary display back to the Nvidia card it became the primary display (programs and dialog boxes opened on that display) but the Task Bar did not move back.

Eventually, after much reconfiguration and resetting/rebooting, I decided to see if I could drag the Task Bar across. Now this is not supposed to work (maybe it has been added in SP2 for XP). So I unlocked the Task Bar and dragged it first to the side of the current screen (the displays are lined up left to right) and then across to the other display - you cannot drag it straight across the bottom of the displays.

This worked a treat, so I relocked the Task Bar and all works now.

Tuesday, July 05, 2005

Improving the Performance of IIS 6.0 Applications

Whilst working at a client doing some performance testing of an intranet, web-based, application we came across a little documented way to improve the network performance of the application if the web server is running IIS 6.0 on the Windows Server 2003 platform.

When the IIS 6.0 web server uses Windows Integrated authentication to log users onto a web application it goes through the following process, which is different to how it behaved on IIS 4.0, IIS 5.0 and IIS 5.1 (the versions that run on Windows NT 4.0, Windows 2000 and Windows XP):

  1. Client connects to the web server with an anonymous connection for the first object required.
  2. The web server rejects the connection with a 401 status message, which means that authentication is required.
  3. The client sends the request for the page to the server again, along with the current authentication information. The format of this authentication will differ based on whether NTLM or Kerberos is being used.
  4. Server responds with a 200 status indicating success and the object is transferred from the server to the client.
  5. So far nothing has changed in IIS 6.0 compared to the earlier versions of the software, but now the client makes the request for the second object (maybe a graphic within the page, or a second page on the same server). This second request, even if it is across the same HTTP session as the first, will be seen by the server as an anonymous request and it will be rejected with a 401 status message. In earlier versions of IIS this second (and subsequent requests on the same HTTP connection) were treated as being authenticated because the first object request was successfully authenticated.

This can be seen using the following information from an IIS 6.0 log file that was generated by a web browser making a GET request for four pages called auth1.htm through to auth4.htm.


cs-uri-stem cs-username sc-status sc-bytes cs-bytes
/auth1.htm - 401 1872 516
/auth1.htm DOMAIN\user 200 509 2307
/auth2.htm - 401 1872 557
/auth2.htm DOMAIN\user 200 510 2348
/auth3.htm - 401 1872 557
/auth3.htm DOMAIN\user 200 510 2348
/auth4.htm - 401 1872 557
/auth4.htm DOMAIN\user 200 510 2348


The client makes a request for the page auth1.htm. This page is only available to a user via Windows Integrated authentication and so the request is rejected with a 401 status. The second line shows the successful request for the same page and the fact that a Windows domain account was used to authenticate the request. From that point on, each request can be seen first as an authentication failure and then a success. This means additional round trips to the web server, and longer page load times – especially to web servers that are across high latency WAN connections. For example, the above log data shows that the total bytes sent and received by the web server (the sum of the sc-bytes and the cs-bytes columns) is 21065 bytes. We will compare this value to one where the IIS 6.0 server has had performance changes made to it later in this article.

IIS 4.0, IIS 5.0 and IIS 5.1 worked by allowing all subsequent requests for objects over a single HTTP session that had already been authenticated to use the authentication information of the first successful request. With the increase in security that is part of IIS 6.0 this potential security hole has been closed – it might be possible to take over another session and become authenticated with the credentials of that previous session. This security improvement, though, as with many security changes, decreases performance by increasing the number of round trips to the server and the bytes transferred on the network. If the risk is considered unlikely within your environment and users connect to the web server from remote locations, then you can set the IIS metabase setting AuthPersistSingleRequest to false. This means that the IIS 6.0 web server behaves, in terms of authentication persistence, like an IIS 5.0 web server.

The two metabase keys that need to be set are:

  • NTAuthenticationProviders
  • AuthPersistSingleRequest

NTAuthenticationProviders can be set at the web service or web site level and AuthPersistSingleRequest can be set at the web service, web site, virtual or real directory or at the file level.

To set these two metabase values open a command prompt, change to the \inetpub\adminscripts folder and run each of the following commands:

  1. cscript adsutil.vbs SET w3svc/1/NTAuthenticationProviders "NTLM"
  2. cscript adsutil.vbs SET w3svc/1/AuthPersistSingleRequest FALSE

The “1” in both the above commands will cause the property to be set on the Default Web Site. Change “1” to affect another web site or remove “1/” from the command to affect the entire server.

Once the two commands have been executed enter the following to ensure that they have run correctly:

  1. cscript adsutil.vbs GET w3svc/1/NTAuthenticationProviders
  2. cscript adsutil.vbs GET w3svc/1/AuthPersistSingleRequest

Finally run IISRESET from the command line to restart the web server.

The following data from an IIS 6.0 log file shows the same sequence of GET requests as described above after the NTAuthenticationProviders value has been set to NTLM and the AuthPersistSingleRequest value set to false.


cs-uri-stem cs-username sc-status sc-bytes cs-bytes
/auth1.htm - 401 2043 622
/auth1.htm DOMAIN\user 200 259 774
/auth2.htm DOMAIN\user 200 260 557
/auth3.htm DOMAIN\user 200 260 557
/auth4.htm DOMAIN\user 200 260 557


This data can be compared to that above quite easily. First you can see that the number of round trips is just over half the number on an IIS 6.0 server in its default configuration, as only the first request fails with a 401 status message – the subsequent requests now use the authentication of the first request within the session rather than per request authentication. Secondly the total number of bytes required within the HTTP session to download these four objects is 6149 bytes. This is 29% of the bytes transferred under the default IIS 6.0 configuration.
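The comparison above, done programmatically. This is an added example, not code from the original post: it parses the two W3C-format log excerpts quoted above (copied verbatim, header row included) and computes the figures the text quotes, the number of 401 challenges, the total of sc-bytes plus cs-bytes, and the percentage of bytes the tuned configuration needs. Run against a real IIS log with a `#Fields:` directive it works the same way, so it doubles as a quick check of whether a server is challenging every request (the default) or only the first one on the connection (after the AuthPersistSingleRequest change). The `per_request_auth_suspected` heuristic is my own, not something from the post.

```python
"""Added example (not from the original post): measure per-request
re-authentication in IIS 6.0 W3C logs.

The two excerpts are the ones quoted in the post; the field order follows
their header line (cs-uri-stem cs-username sc-status sc-bytes cs-bytes).
"""
from collections import Counter

DEFAULT_LOG = r"""
cs-uri-stem cs-username sc-status sc-bytes cs-bytes
/auth1.htm - 401 1872 516
/auth1.htm DOMAIN\user 200 509 2307
/auth2.htm - 401 1872 557
/auth2.htm DOMAIN\user 200 510 2348
/auth3.htm - 401 1872 557
/auth3.htm DOMAIN\user 200 510 2348
/auth4.htm - 401 1872 557
/auth4.htm DOMAIN\user 200 510 2348
"""

TUNED_LOG = r"""
cs-uri-stem cs-username sc-status sc-bytes cs-bytes
/auth1.htm - 401 2043 622
/auth1.htm DOMAIN\user 200 259 774
/auth2.htm DOMAIN\user 200 260 557
/auth3.htm DOMAIN\user 200 260 557
/auth4.htm DOMAIN\user 200 260 557
"""


def parse_log(text):
    """Return one dict per request line.

    Accepts either a bare header row (as quoted in the post) or a real IIS
    '#Fields:' directive; other '#' directives are skipped.
    """
    fields = None
    rows = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue
        tokens = line.split()
        if fields is None:          # first non-directive line is the header
            fields = tokens
            continue
        rows.append(dict(zip(fields, tokens)))
    return rows


def summarize(rows):
    """Round trips, 401 challenges and total bytes on the wire."""
    status = Counter(r["sc-status"] for r in rows)
    total = sum(int(r["sc-bytes"]) + int(r["cs-bytes"]) for r in rows)
    return {
        "requests": len(rows),
        "challenges": status["401"],
        "bytes": total,
    }


def per_request_auth_suspected(rows):
    """Heuristic (mine, not the post's): if more than one distinct URI drew a
    401 in this session, the server is re-challenging every request."""
    challenged = {r["cs-uri-stem"] for r in rows if r["sc-status"] == "401"}
    return len(challenged) > 1


def compare(default_text, tuned_text):
    before = summarize(parse_log(default_text))
    after = summarize(parse_log(tuned_text))
    return {
        "before": before,
        "after": after,
        "bytes_pct": round(100 * after["bytes"] / before["bytes"]),
    }


if __name__ == "__main__":
    result = compare(DEFAULT_LOG, TUNED_LOG)
    print("default : %(requests)d requests, %(challenges)d x 401, %(bytes)d bytes"
          % result["before"])
    print("tuned   : %(requests)d requests, %(challenges)d x 401, %(bytes)d bytes"
          % result["after"])
    print("tuned configuration transfers %d%% of the default bytes" % result["bytes_pct"])
    print("per-request auth in default log:",
          per_request_auth_suspected(parse_log(DEFAULT_LOG)))
```

The bytes figures it produces (21065 and 6149, the latter 29% of the former) are the ones the article quotes; on a live server the same script run over a single client's session is the simplest way to confirm that the metabase change actually took effect after IISRESET.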

Therefore, if you run web applications that use NTLM authentication and have high latency networks then you can generate significant improvements in page load time at the browser, and at the client I am working at we reduced page load times from their India offices to the USA servers from 18 seconds to less than 10 seconds.


Monday, May 23, 2005

Enabling ASP.NET Session State without Installing IIS

At a client site, I needed to enable within a web cluster the ASP.NET session state service (ASP.NET State Service) and initially this was going to go on one server within the web cluster. The only problem though, as this configuration is easy, was what happens if the one server in the cluster that this is running on is the server that fails!

The solution we decided was to place the service on the SQL Server back-end database. Though this is not clustered (as it is not mission critical), if the database is unavailable then so is the application so why not run the ASP.NET State Service on that machine.

So we changed the web.config file to read:

<sessionState mode="StateServer" cookieless="false" stateConnectionString="tcpip=db_server:42424"/>

We went to the SQL Server (which was running Windows Server 2003 and so had the .NET Framework installed), but found that the service did not exist as ASP.NET was not installed.

So we ran the following, which claims to require IIS to be installed, but successfully enabled the ASP.NET State Service:

aspnet_regiis -i (this is in the WINDOWS\Microsoft.NET\Framework\version folder)

Set “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspnet_state\Parameters\AllowRemoteConnection” to 1 on the server from the above step, set the service to Automatic and started it running.

And it all worked fine.

Monday, April 18, 2005

Exchange 2003 Resource Kit Published

Now available, the Exchange Server 2003 Resource Kit in which I wrote all the security chapters (chapters 11 through 13).

Friday, March 04, 2005

Current Clients

Brian is currently writing documentation and doing software testing for InfoBasis.

Thursday, March 03, 2005

C7 Solutions Blog

Following a prompt from Microsoft, I have started a more company based blog on the C7 Solutions web site. Maybe I will update that more than this one (which I suppose is the point of a blog anyway).