I am usually reluctant to mirror other blogger’s contents or just post links but in this case I decided to make an exceptional exception. “Black Viper” (sounds like a gamer tag isn’t it?) published a comprehensive guide over Windows Server 2009 R2 and windows Seven System Service configuration covering all OS flavors. Have a look at it prior starting any optimization or hardening work!

• Windows Server 2008 R2
• Windows Seven

Previous Windows versions are also available btw.

From Hervé Schauer Consulting you might also find this (blast from the past, read “up to XP/Server 2003”) set of information useful:

• Windows network services internals
• Windows Systems Network Services

Marc

Suddenly some apparently well performing IIS servers recently started reporting this error regularly. some of them were also running SharePoint or OWA. all of them configured to use Integrated Windows Authentication (IWA) as authentication mechanism.

The problem with IIS worker process is that it can have so many explanation depending on the code executed that you can easily waste a week until you find a reasonable explanation. In this case, all servers were affected, regardless of the application they run. So my first idea was “they might be under attack”. But that was not the case: performance counters related to the worker process did not give any sign of that, this was confirmed by the IIS logs. Next”usual suspect”, a patch recently installed: bingo, that was it. Here are the details:

• The Security Update implementing “Extended Protection” for authentication in IIS (KB973917) was just deployed on all servers
• All impacted servers are running Windows Server 2003 Service Pack 2
• One or multiple application served by that application pool/worker process have IWA enabled
• After intensive file version analysis, it appeared that numerous IIS-related files (EXE, DLL’s…) were with a version prior SP2

Due to the inconsistency of IIS files in combination with that extra hot fix, the worker process keeps crashing –> root cause found!

Now how to fix it:

1. Perform an inventory of currently installed post-SP2 fixes. I personally do it in a very straightforward way using psinfo but I am sure you’ll find plenty of methods to do it the way you like
2. Reinstall the Service Pack 2
3. Redeploy post-SP2 hot fixes, see step 1
4. Check installed IIS File versions
5. If file versions are OK, Install KB973917

Additional information’s:

• MS KB: Description of the update that implements Extended Protection for Authentication in Internet Information Services (IIS)
• MS KB: Internet Information Services 6.0 may not function correctly after installing KB973917
• MS Security Research & Defense Blog: Extended Protection for Authentication
• MS TechNet: Microsoft Security Advisory (974926) Credential Relaying Attacks on Integrated Windows Authentication
• MS IIS Support Team Blog: Sample Script to Verify IIS File Versions for KB973917. [UPDATE] Here is my PowerShell Translation [UPDATE 2] It seems like the scripts (both versions) do not behave as expected on a 64-bit server. I am currently investigating…

Note: Make sure you pay attention to the process exit code which is always 0xffffffff. If you see another code, it might of course have another cause.

Marc

First my best wishes to you all over the place visiting this blog and site. The number of visits as well as the time spent reading was really incredible in 2009 and all I can hope for 2010 is to be equally good or better.

I was also pleased to see my MVP status renewed for another year. I’d like to thank my MVP Lead Martine T for her nearly real-time support, Prasad G for the great chat and collaboration and Jose B (and his team of course) for the excellent work they delivered last year.

Besides this I’d like to sincerely congratulate two other MVP for their nomination : First, a newcomer named Tonino Bruno, who’s also a very good friend and part-time colleague. He’s, with his mates, the active hand behind the Belgian MS Exchange User Group http://www.proexchange.be/. Congrats Toni and remember you owe me a beer now ;) Second, I’d like to congratulate a “serial” French MVP (7 times nominated!) named JC Bellamy not only knowledgeable regarding Windows but also continuously reinventing the French vocabulary related to IT;)

Now for a Silly Little FAQ, since I got these questions numerous times, time to reply has come, at least as seriously as possible ;)

Q: Where does the sentence “Happy is the one who could enter the secret causes of things” come from?

A: This is the direct translation of the French sentence present on a large pillar in the entrance of the University of Guernon (France), a fictional school depicted in the move “The Crimson Rivers”. It totally reflects my (compulsive?) willingness to understand the bits and bytes therefore never being satisfied with the marketing or technical “claims”, very fashionable nowadays. Note: although I picked up this sentence, needless to say I strongly disagree with the philosophy in place in the at Guernon ;). I am not the one to shout louder, I prefer to say it right because real facts mean real safety.

Q: Where is Anthony, what is he doing?

A: At home or at work, doing fine! No seriously, although we started this blog together, he also has to deal with other personal and professional challenges keeping him away from this online activity, though I am not totally desperate about having some contributions from him coming one day ;)

Q: Who is reading the blog, what are the readers looking for and where are they from?

A: Who: I have very few names to give out ;) but mostly IT people of course!

A: What: mostly hands-on problem-solving information, although I got a lot of positive feedback from more pro-active posts

A: Where: everywhere, but with more than 50% located in North America

Q: Why ain’t you talking about movie anymore?

A: Things tend to change, I prefer not to confuse the audience too much with cinema-related content and focus on more on technique. Besides this, No I did not particularly like Cameron’s Avatar, which indeed blew my senses out but miserably failed in touching my soul. Did all talented story tellers definitely leave Hollywood?

Q: What about the long-time promised posts on Federated Search, people-picker and so on?

A: Still coming (but not as soon as I promised I’m afraid)

Marc

Microsoft has finally releases a truly great document late October: Implementing an End-User Data Centralization Solution. This documents covers in a very comprehensive while practical manner everything related to storing, protecting and and making accessible user data using Windows File Sharing.

Unlike many white papers out there, this one can be directly used for planning, building, implementing and operating with no room for improvisation. It comes with real-life metrics, group policy settings as well as scripts and tools.

Important to mention that it is also 2008 R2/Seven-ready and covers the use of FSCT.

Download

• MS Download - Implementing an End-User Data Centralization Solution

Marc

I did not expect to receive so much feedback by mail regarding this (not so fascinating) topic. Not to mention referring sites and so on… This brought the motivation to loop the loop by testing on Windows Server 2008 (SP2) as well as on 2008 R2 in-depth in order to cover the whole stuff.

So in summary, when will PAC signature verification will finally occur?

The table hereunder summarizes possible scenario’s:

So in short, the only difference between Server 2003 and 2008/2008 R2 is that with from 2008, you do not need to modify registry anymore since the default value is inverted.

Once again, the important point here is: if you configure Kerberos on a IIS farm (SharePoint or “simple” ASP.Net), PAC Validation will ALWAYS occur, regardless what you will do to prevent it UNLESS the application is granted and makes use of the right “Act as part of the operating system”.

If the target application is granted seTCB making use of it:

Granting the seTCB privilege is not sufficient because it will be disabled by default until the application effectively requests it. But why would it need it? For various reasons this privilege might be needed by the server application. 2 common usages are described in the sections below.

Protocol transition

Protocol transition is the ability for a server application to delegate user credentials to a back-end service using Kerberos while they were not initially provided under that form by the client.

In clear, this means that a user may be authenticated by a service using non-Kerberos protocols such as Basic, NTLM, Digest and this service, making use of that feature, will transform the credentials in order to propagate them to another server. Example: a user authenticates against SharePoint using NTLM, want to use reporting service while it runs on a 2nd server, the SharePoint server will perform the necessary transition to push (aka “delegate”) the user’s credentials to the SRS server using Kerberos.

IIS MVP Ken Schaefer gives an excellent overview on his blog: IIS and Kerberos Part 5 - Protocol Transition, Constrained Delegation, S4U2S and S4U2P.

Services For User

SU4 extensions are tightly linked to Protocol Transitions. In very very short, they allow, under certain conditions, an application to perform a logon on behalf of a user without knowing his/her password.

This feature is, for example, used in IAM/SSO products such as IBM TAM/WebSEAL or CA SiteMinder

For both technologies, since the user does not initially authenticate using Kerberos, there is no PAC to validate.

OK but finally, why is disabling PAC validation so important?

Well I won’t say it is “so important”. I might help improving performances under some circumstances.

Since, in short, the PAC is verified by the server application before granting a Ticket-Granting-Service (TGS) to the client, it does not occur at every request as long as the TGS remains valid (note: there are some exceptions to this rule). BUT in some case, this initial verification can take some times because 1) the client’s AD is far (in term of network, hops, latency, bandwidth…) from the server’s AD or 2) the client’s AS is too busy. This could therefore give the wrong impression that client to server authentication seem slow while you expect a big boost by switching to Kerberos.

Additional Resources

• MSDN Patterns & Practices - Protocol Transition with Constrained Delegation Technical Supplement
• MSDN Magazine April 2003 - Exploring S4U Kerberos Extensions in Windows Server 2003
• MSDN - [MS-APDS]: Authentication Protocol Domain Support Specification

Marc