According to Scott Guthrie, MS is about to bring best of both worlds by releasing an “Express” version of Internet Information Server" (IIS).

This would be used as a smooth though rich replacement for Visual Studio’s built-in Web Server or to the very basic one shipped with each recent version of Windows.

Interestingly some see this as a threat for the health of IIS in the enterprise. Personally, I am rather seeing this as an opportunity to better and more easily align Dev and Prod infrastructures and therefore reduce the gap and subsequent failure at release time. Future will tell.

• MSDN – ScottGu’s Blog – Introducing IIS Express

Marc

It’s critical to keep systems up-to-date with patches, the 4 issues described hereunder prove it again ;) They affect Windows Vista only, not 7 or XP. Certainly because the WebClient went through a serious revamp with Vista, Seven drawing benefit from product maturation.

Explorer View does not work when connection goes through a forward proxy asking for authentication 

When browsing a SharePoint site through a forward proxy (or simply web proxy) server requiring authentication, everything is working fine but when switching to Explorer viewing or simply trying to open an MS Office document, whether you directly get an “Access Denied” message or you get prompted multiple times for authentication (pop-up windows).

This problem occurs because early Vista’s implementation of the WebDAV redirector (aka WebClient) used by the Explorer do not handle correctly the HTTP Response 407 (Proxy Authentication Required)

Solution: install this hot fix (http://support.microsoft.com/kb/954807) or install Vista Service Pack 2. note: the hot fix requires SP1 to be present

Explorer View does not automatically forward credentials if the site does not belong to Local Intranet zone

A tricky one: let’s say that a user is browsing a SharePoint site that belongs to the Trusted Sites security zone of Internet Explorer while the browser is configured to automatically forward credentials for that zone (non-standard config). Although it will work fine with the browser, it will miserably fail with the Explorer View because on vista, WebClient does not rely on Internet Explorer security zones configuration and therefore does not automatically forward credentials under some circumstances.

Solution: Install this hot fix (http://support.microsoft.com/kb/943280) or install Vista Service Pack 2 and configure registry as described in the MS KB article related to the hot fix (this step is mandatory).

Explorer View does not automatically forward credentials if IE’s proxy setting check box “Automatically detect settings” is cleared

Pretty much derived from the previous issue, this one will behave identically.

Solution: install this hot fix (http://support.microsoft.com/kb/941853) or install Vista Service Pack 2

Explorer View might merge merge cookies leading to authentication issues (or other issues as well)

Cookies are often used to maintained state and sometimes to allow some kind of authentication mechanism, like form-based authentication.

In the case of authentication, products such as ISA/IAG/TMG may use so called “persistent” cookies to allow application to share authentication. This is typical when you want to seamlessly switch from a browser to an MS Office application when working with SharePoint.

Apparently, Vista’s implementation of the WebClient may accidently merge cookies when passing them to the web server or gateway, making them unusable.

Solution: install this Internet Explorer Cumulative Security Update (http://support.microsoft.com/kb/972260/), which also includes functional updates solving that problem…

Credits go to Pascal B and Nicolas S both MSFT for this one. Thanks guys!

Marc

The best (according to me of course;)) and free URL Rewriting engine for IIS is now available in its version 2.0 including outbound rewriting capabilities.

Get it here: http://www.microsoft.com/web/spotlight/URLRewriter.aspx

Cool tutorial: http://learn.iis.net/page.aspx/460/using-url-rewrite-module/

Configuration Reference: http://learn.iis.net/page.aspx/665/url-rewrite-module-20-configuration-reference/

Marc

Suddenly some apparently well performing IIS servers recently started reporting this error regularly. some of them were also running SharePoint or OWA. all of them configured to use Integrated Windows Authentication (IWA) as authentication mechanism.

The problem with IIS worker process is that it can have so many explanation depending on the code executed that you can easily waste a week until you find a reasonable explanation. In this case, all servers were affected, regardless of the application they run. So my first idea was “they might be under attack”. But that was not the case: performance counters related to the worker process did not give any sign of that, this was confirmed by the IIS logs. Next”usual suspect”, a patch recently installed: bingo, that was it. Here are the details:

• The Security Update implementing “Extended Protection” for authentication in IIS (KB973917) was just deployed on all servers
• All impacted servers are running Windows Server 2003 Service Pack 2
• One or multiple application served by that application pool/worker process have IWA enabled
• After intensive file version analysis, it appeared that numerous IIS-related files (EXE, DLL’s…) were with a version prior SP2

Due to the inconsistency of IIS files in combination with that extra hot fix, the worker process keeps crashing –> root cause found!

Now how to fix it:

1. Perform an inventory of currently installed post-SP2 fixes. I personally do it in a very straightforward way using psinfo but I am sure you’ll find plenty of methods to do it the way you like
2. Reinstall the Service Pack 2
3. Redeploy post-SP2 hot fixes, see step 1
4. Check installed IIS File versions
5. If file versions are OK, Install KB973917

Additional information’s:

• MS KB: Description of the update that implements Extended Protection for Authentication in Internet Information Services (IIS)
• MS KB: Internet Information Services 6.0 may not function correctly after installing KB973917
• MS Security Research & Defense Blog: Extended Protection for Authentication
• MS TechNet: Microsoft Security Advisory (974926) Credential Relaying Attacks on Integrated Windows Authentication
• MS IIS Support Team Blog: Sample Script to Verify IIS File Versions for KB973917. [UPDATE] Here is my PowerShell Translation [UPDATE 2] It seems like the scripts (both versions) do not behave as expected on a 64-bit server. I am currently investigating…

Note: Make sure you pay attention to the process exit code which is always 0xffffffff. If you see another code, it might of course have another cause.

Marc

I did not expect to receive so much feedback by mail regarding this (not so fascinating) topic. Not to mention referring sites and so on… This brought the motivation to loop the loop by testing on Windows Server 2008 (SP2) as well as on 2008 R2 in-depth in order to cover the whole stuff.

So in summary, when will PAC signature verification will finally occur?

The table hereunder summarizes possible scenario’s:

So in short, the only difference between Server 2003 and 2008/2008 R2 is that with from 2008, you do not need to modify registry anymore since the default value is inverted.

Once again, the important point here is: if you configure Kerberos on a IIS farm (SharePoint or “simple” ASP.Net), PAC Validation will ALWAYS occur, regardless what you will do to prevent it UNLESS the application is granted and makes use of the right “Act as part of the operating system”.

If the target application is granted seTCB making use of it:

Granting the seTCB privilege is not sufficient because it will be disabled by default until the application effectively requests it. But why would it need it? For various reasons this privilege might be needed by the server application. 2 common usages are described in the sections below.

Protocol transition

Protocol transition is the ability for a server application to delegate user credentials to a back-end service using Kerberos while they were not initially provided under that form by the client.

In clear, this means that a user may be authenticated by a service using non-Kerberos protocols such as Basic, NTLM, Digest and this service, making use of that feature, will transform the credentials in order to propagate them to another server. Example: a user authenticates against SharePoint using NTLM, want to use reporting service while it runs on a 2nd server, the SharePoint server will perform the necessary transition to push (aka “delegate”) the user’s credentials to the SRS server using Kerberos.

IIS MVP Ken Schaefer gives an excellent overview on his blog: IIS and Kerberos Part 5 - Protocol Transition, Constrained Delegation, S4U2S and S4U2P.

Services For User

SU4 extensions are tightly linked to Protocol Transitions. In very very short, they allow, under certain conditions, an application to perform a logon on behalf of a user without knowing his/her password.

This feature is, for example, used in IAM/SSO products such as IBM TAM/WebSEAL or CA SiteMinder

For both technologies, since the user does not initially authenticate using Kerberos, there is no PAC to validate.

OK but finally, why is disabling PAC validation so important?

Well I won’t say it is “so important”. I might help improving performances under some circumstances.

Since, in short, the PAC is verified by the server application before granting a Ticket-Granting-Service (TGS) to the client, it does not occur at every request as long as the TGS remains valid (note: there are some exceptions to this rule). BUT in some case, this initial verification can take some times because 1) the client’s AD is far (in term of network, hops, latency, bandwidth…) from the server’s AD or 2) the client’s AS is too busy. This could therefore give the wrong impression that client to server authentication seem slow while you expect a big boost by switching to Kerberos.

Additional Resources

• MSDN Patterns & Practices - Protocol Transition with Constrained Delegation Technical Supplement
• MSDN Magazine April 2003 - Exploring S4U Kerberos Extensions in Windows Server 2003
• MSDN - [MS-APDS]: Authentication Protocol Domain Support Specification

Marc