Thursday, October 01, 2009

.NET micro framework

Microsoft is always looking to extend their .NET platform.

The .NET Micro Framework is ideal for hobbyists who are looking for a fast, reliable way to develop custom hardware controllers for a variety of applications.

But I did not expect Microsoft to see embedded hardware development as something that hobbyists do in their spare time.

But way cool! :)


Sunday, August 16, 2009

MSN and error 8100030d when logging in

I received this error when logging in to MSN. Looking for this error message on the Internet gave me nothing to work on except for the fact that it seems network related.


So I started looking into what can block the messenger. I have three options:

  • The PC itself. As this was a problem on more than one PC I did not believe that the problem was here.
  • The local firewall.
  • My ISP.

My router is a Fortigate box running a relatively new FortiOS 3.0 image. I went into the protection profile for my outgoing traffic and found that the profile protects me from MSN traffic.

I am not sure why this happens but it was "solved" by deactivating the Messenger scan from within the Fortigate.


Thursday, May 14, 2009

CRM and IIS error 2148074242

IIS returns 500 2148074242 when you access an MS CRM site.

When you try to connect to a Web site that is hosted on Microsoft Internet Information Services 6.0, Microsoft Internet Information Services 5.1, or Microsoft Internet Information Services 5.0, you may receive an error message that is similar to the following: Error 500: The function requested is not supported. Additionally, you may receive entries that are similar to the following in the Extended W3C log: 18:59:54 127.0.0.1 GET /localstart.asp 500 2148074242

The solution is found here.


Wednesday, February 11, 2009

MSVPN and FTP

Today I came across a weird problem with a client connected to a Microsoft VPN server not being able to connect to a third-party FTP server.


The environment is a Windows 2003 server with the latest service packs applied.

It turns out that all traffic flowing from the client, except for FTP, originates from the client IP. All FTP traffic originates from the VPN server IP address. As a result you will have to adjust your firewall accordingly.


Friday, January 16, 2009

DNS directed lookups - pros and cons

When you have to do directed name lookups you have lots of options. Conditional forwarders, stub zones and secondary zones. What should I choose? It is not easy to choose, as the pros and cons are hard to find. But look no further, you are now reading the definitive source.

Before I go into the discussion about pros and cons, bear in mind that not all environments are equal. For this discussion there are only two types of connections (WAN) between sites. A network that is firewalled can in many circumstances look like a LAN-LAN VPN type of connection; the same restrictions apply.

Connection / Configuration:

  • LAN-LAN VPN: In this configuration a remote site is connected to the main site using VPN over the Internet. The remote site only has access to parts of your network, based on the IPSec policy.
  • Leased line: The remote site shares the entire IP network with the main network and can access all internal resources.

Stub zones

Microsoft added support for stub zones a few years ago. With stub zones you configure from where to load the stub and then all queries are iterative from that point. More about stub zones here.

Why:
  • Does not require zone transfers to work.
  • Easy to integrate into an existing network as it can scale and change with the network.
  • The stub zone can be placed in Active Directory and automatically loaded onto all domain controllers.

Why not:
  • If a stub zone fails to load (cannot obtain NS and SOA) the zone can be loaded with information from the Internet. If a zone is part of a split DNS, the public information is cached instead of the private information.
  • Queries are iterative; the DNS server will attempt to query all DNS servers by itself to get the answer. If the zone has delegated subzones, our DNS server needs to talk to all the other DNS servers.
  • Changes to information within DNS propagate slower as the server caches all answers (also negative answers).
  • You have to reconfigure the zone properties for most changes in the other DNS server.

Secondary zone

A secondary zone will at all times keep a copy of the entire zone on disk or in memory. Read more here.

Why:
  • Faster updates (potentially), as your DNS server can be notified of any changes to the original zone. (If not, the zone is refreshed based on the values inside the SOA record.)
  • The server does not have to query any other server to get the answer. (Except when you have delegated subzones.)
  • If the zone expires (it fails to update the zone within the configured time) the server will only send back negative answers. It will not ask other DNS servers for an answer. (No chance for cache poisoning.)

Why not:
  • You need zone transfers, and that is usually blocked on DNS servers.
  • If it is a zone with many records, you consume memory, disk and network resources.
  • You have to reconfigure the zone properties for most changes in the other DNS server.

Conditional forwarders

A conditional forwarder sends (by default) a recursive query directly and returns the answer. Read more here.

Why:
  • Queries are unconditionally forwarded to the forwarder(s).
  • Answers are cached.
  • Reduces the number of queries as they are recursive. (Good if you have a slow WAN.)

Why not:
  • Has to be configured manually on all name servers.
  • You have to reconfigure the zone properties for all changes in the other DNS server.



DNS and directed lookups explained

With Microsoft DNS Server you roughly have three ways to force lookups to go to specific servers. They are:

  • Stub zones
  • Secondary zones
  • Conditional forwarding

In any environment with split DNS, non-public zones or where you use .local domains you need to plan how to manage DNS lookups from third parties.

In this article you can read about the differences between these types.



Stub zones

When you configure a stub zone you only tell the DNS server where to download the glue records for the zone from. The glue records contain the SOA, NS and, if needed, the corresponding A/AAAA records for that zone. Further resolving by the DNS server is done using these records. You have to type in one or more IP addresses of DNS servers to download the glue records from.

The local DNS server will use these records and continue recursion as normal, using these NS pointers as hints. You cannot control which DNS server will be queried.

Secondary zones

A secondary zone contains a copy of the entire zone and can give authoritative answers. The entire content of the zone is downloaded from your DNS Servers (you have to specify where to download the zone from) and stored in a local file.

Conditional forwarders

This is also known as a forward delegation. When you configure a conditional forwarder you simply say that for all queries to a domain, ask this (or these) IP addresses.

All queries are recursive with a conditional forwarder.


Wednesday, January 14, 2009

How to automatically archive or move deleted items

Many organizations have policies that automatically delete deleted items after a period of time. How can you as an Outlook user circumvent this limitation?

Many Outlook users use their deleted items folder as an archive of previous threads. Often it can be hard to know what to archive and what to delete. As a result everything is archived in the deleted items folder.

I know of two ways to work around this issue.

  1. Configure archiving of your deleted items folder to a local PST file.
  2. Run programs like Auto-Mate to automatically move items from your deleted items folder to another folder in your mail system.

The downside of both proposed solutions is that they are client-side, whereas the automatic delete is server-side. If your client is offline for more than the retention days you will lose your valuable mails archived in deleted items.


Tuesday, December 16, 2008

OCS and 0x80090302

When working with an Office Communicator Service 2007 installation I came across the error message 0x80090302 when using the tracing tool. This error message appeared on the back end server when authenticating over the Internet.

After some research we found the reason to be a lockdown group policy that requires NTLMv2. By changing the following policies we made it work.

Policy: Network security: LAN Manager authentication level
Setting: Send LM & NTLM - use NTLMv2 session security if negotiated

Policy: Network security: Minimum session security for NTLM SSP based (including secure RPC) clients
Setting: Enabled

Policy: Network security: Minimum session security for NTLM SSP based
Setting: Enabled


Thursday, December 11, 2008

Azure Services platform presentations

Azure Services platform is here to stay. But what is it? The links below are to presentations from a seminar Microsoft held in Norway.

Session 1: David Chappell's whitepaper: http://www.microsoft.com/azure/business.mspx

Session 2: Delivering first class Business Productivity from the cloud, Larry Velez Microsoft Corp.: www.microsoft.no/EPG/Seminar/20081209/business_productivity_cloud.pptx

Session 3, part 1: HostingPartner_des 08, Alex Bødtker, Microsoft Norge: www.microsoft.no/EPG/Seminar/20081209/hosting_partner.pptx

Session 3, part 2: Net Works MS Cloud present v2, Peter Nomme, Net Works; www.microsoft.no/EPG/Seminar/20081209/net_works_ms_cloud.pptx

Session 3, part 3: Intelecom Software + Services Microsoft des 08, Birgitte Johannessen, Intelecom: www.microsoft.no/EPG/Seminar/20081209/software+services_microsoft.pptx

Session 3, part 4: NetConnect Team Portal - MS EPG 091208 v2, Rolf Larsen, NetConnect: www.microsoft.no/EPG/Seminar/20081209/netconnect_team_portal.pptx


IIS7 and 0x8009310b

When trying to complete a new SSL certificate request I got this error message:

CertEnroll::Cx509Enrollment::p_InstallResponse: ASN1 bad tag value met. 0x8009310b while installing a new certificate

My setup was a Windows 2008 server running IIS7. But when I looked through the settings I found that the certificate import was complete and the certificate was ready to use.


Wednesday, October 17, 2007

Locked out of the administrator account

Some time ago I wrote about Linux tools and how they can save my day as a Windows administrator. Today I had to download Trinity again. This time the quest was to recover a Windows 2000 server where the administrator password was lost and the account disabled.

The server was an HP server with an integrated Smart Array 5i. I had to load the cciss module manually to get the volume up and going. Then I ran a script called winpass to try to change the password and unlock the account.

Winpass is a script written by the Trinity folks and it seems to work fine. However, it only works with NTFS and FAT partitions, and I could not write to the NTFS partitions. NTFS-3g is included, so for me these lines solved the day:

modprobe cciss
ntfs-3g /dev/cciss/c0d0p1 /mnt0
chntpw /mnt0/WINNT/system32/config/SAM


Wednesday, May 30, 2007

Microsoft Surface

Cool tool! Check it out!


ActiveSync and 0x80072efd

ActiveSync fails to sync with error Code:80072efd. This happened on my cell phone when using ActiveSync 4.2.

The solution lies within the registry.

ActiveSync version 4.2 made a change to how it interacts with the Windows networking stack to use Layered Service Providers (LSPs) on outgoing Desktop-Pass-Through connections. This allows for improved compatibility & policy compliance in environments where connections to the internet must be passed through these LSPs (ISA Proxy is one such example).

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows CE Services]
"AllowLSP"=dword:0


Tuesday, March 20, 2007

WAN optimization with Riverbed

Today I had a chance to work with a product for WAN optimization for the first time. I ran a live demo at a customer's site.

Thumbs up: It works. At least if your network traffic is predictable and repetitive. Most networks are, as clients tend to do much of the same.
Thumbs down: It is too expensive for most customers. It is really hard to justify the cost and, more importantly, the return on investment.


Acceleration of SSL traffic

Riverbed promised to support SSL in version 4 of their software. I can't wait to try this one out. It only requires you to install your private key on the box inside your datacenter.

Steelhead appliances now accelerate encrypted (SSL) traffic, using all of Riverbed's algorithms to deliver LAN-like performance for those key business applications.

Of course this won't work for external web sites as you don't have access to private keys. But for intranet applications this is cool!

Exchange 2007

Exchange 2007 supports encrypted MAPI connections. Not many details about this are known at this point.

Based on our testing, we've found that the encrypted connections that appear by default in an Exchange 2007 environment with Outlook 2007 clients are a proprietary "MAPI encryption", not SSL.

Impression

Riverbed Steelhead appliances are easy to set up and work without the need to do much. Just make sure the traffic is unencrypted and leave the rest to Riverbed.

RiOS 4.0

I will do a new lab with RiOS 4.0 when it is released and do tests on Exchange, Sharepoint and web traffic. All SSL encrypted. If you are curious about this, please leave me a note.


Tuesday, January 30, 2007

Microsoft virtualization license rules for Windows 2003

I recently came across some new licensing rules for Windows 2003 Server in regards to virtual images.
The virtualization use rights vary by edition of Windows Server. Standard Edition grants the use rights to run a single virtualized instance of Windows Server Standard Edition. Enterprise Edition grants the use rights to run four instances of Windows Server that may be a mix of Standard Edition and Enterprise Edition. Datacenter Edition is licensed per processor and grants use rights to run an unlimited number of virtualized instances of a mix of Standard Edition, Enterprise Edition and Datacenter Edition.
You can try out Microsoft's own licensing calculator and learn more.


Monday, January 29, 2007

IE7 and phishing filter works

Phishing warning in IE

It is good to see that technology works for you. I got this warning today when I opened an email that I knew was spam.

Unfortunately I did not get this warning before I tried to log in with my username "fuck" and password "you". But better late than never I say. At least you know if you screwed up...:)



Sunday, January 14, 2007

A Cost Analysis of Windows Vista Content Protection

I found this article talking about the new features in Microsoft Vista. At this point I am still reading this document.

Say you've just bought Pink Floyd's "The Dark Side of the Moon", released as a Super Audio CD (SACD) in its 30th anniversary edition in 2003, and you want to play it under Vista. Since the S/PDIF link to your amplifier/speakers is regarded as insecure for playing the SA content, Vista disables it, and you end up hearing a performance by Marcel Marceau instead of Pink Floyd.

A copy of the article is found here.


Update: Read answers here


Friday, December 15, 2006

Extended Validation Certificates

EV SSL: An introduction

An Extended Validation certificate is a new type of expensive SSL certificate coming to a browser 7 near you before the end of January 2007 if you are using Internet Explorer. When, if or how other browsers are going to support EV certificates is not known at this time. Microsoft, Opera, Mozilla and KDE (not a browser, but...) are all members of the CA/Browser Forum and will, eventually, provide web browsers that can highlight websites with EV certificates.

What is the difference between today's certificate and EV certificates?

This comparison chart shows the differences between the two types of certificates.

Price
  Today's cert: You can get certificates in all price ranges.
  EV cert: Will cost more, as this is the new, hot and secure certificate.

Validity of certificate
  Today's cert: From one to three years.
  EV cert: Max 27 months, but the specification recommends 12 months validity.

Verification of certificate owner
  Today's cert: Not much. You just need to document that you own the domain you request a certificate for.
  EV cert: There is a common procedure all EV certificate authorities need to comply with before issuing a certificate. The procedure seems to be somewhat vague at this point, so there is a chance that there will be a different procedure for each issuer.

Browser compatibility
  Today's cert: You can get 99%-99.99% compatibility from most issuers.
  EV cert: EV certificates will use existing root certificates. At this point there is no way to tell what root certificate the various issuers will use, and compatibility is therefore not known at this time. There are requirements to be met for the root certificate, and these requirements are defined in the guidelines from the CA/Browser Forum.

Wildcard certificates
  Today's cert: Supported by many issuers.
  EV cert: Not supported. This is a requirement from the CA/Browser Forum.

Pictures of EV SSL sites

I found some pictures from Verisign showing how IE will look on a site with an EV certificate. The pictures had to be sized down to display properly on this page, so you can click on the image to get it in full size.

And a site without an EV certificate:


Wednesday, December 13, 2006

EDNS - DNS extension

I recently became aware of an extension to DNS called EDNS. As I work a lot with DNS I am not quite sure how I could have missed this extension until now.

EDNS is an extension of the DNS protocol which allows more flags, label types and return codes to be defined, and enhances the transport of DNS data in UDP packets. The version of EDNS specified by RFC 2671 is known as EDNS0.

Wikipedia

EDNS - why?

According to the DNS specification, UDP packets should be no longer than 512 bytes in length, and there is no space left for additional flags in the header. For normal use this is no problem at all, but to implement new features in DNS, such as DNSSEC, changes were needed.

EDNS uses a pseudo resource record called OPT to identify this extension. More links are found in the links section below.

Our firewall, a Fortigate FG-500A from Fortinet, logs oversized packets as a potential vulnerability in the IPS module. At the same time, it only logs the packet as bad, but it does not drop the packet. So it can't be that bad :)

EDNS - what you should know!

This extension is almost invisible to system administrators. Windows 2003 supports this extension by default, but I have never seen any problems as a result of this until today.

  • Legacy DNS servers that don't know anything about EDNS will just ignore the OPT resource record sent from the other side.
  • DNS clients (such as computers) usually never use this option, as they do not need to send packets greater than 512 bytes. Most DNS packets are between 150 and 200 bytes.
  • There is a hotfix available for Windows 2000 to solve issues related to EDNS queries.
  • The Windows 2003 DNS server does not announce itself as an EDNS-capable server to other servers. But it replies to other hosts as EDNS capable when asked to do so.
  • Newer versions of BIND seem to advertise themselves as EDNS capable.
  • EDNS usually adds as little as 10-15 bytes of extra data to a UDP packet. In most queries you are still way below the limit of 512 bytes. Some intrusion prevention systems, firewalls or DNS servers may drop packets because of invalid options in the packet. Except for old Windows 2000 implementations (see above) and some Cisco PIX, I don't know of any issues related to this.
  • Some Cisco PIX firewalls are reported to drop oversized packets. But I do not have any information about which versions do so or how to fix this.
  • Before EDNS, DNS reverted to TCP-based transactions if the reply exceeded 512 bytes. The only consequence of this is some extra IP packets on the network, and somewhat slower DNS. If the client asks a question where the server needs to send more than a 512-byte reply, it answers back that the client needs to revert to TCP.
  • DNS tries to compress the packets. That is, everything between two dots is only sent once in the packet. If you query for www.novell.no and get a reply back with lots of additional records, novell is only sent once in the packet. Additional records are records that you did not ask about, but that the DNS server thinks you will probably want to ask about later.
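The OPT pseudo record and the name compression described in the list above, shown on the wire as an added example (not code from the original post): it builds a query for www.novell.no with and without an EDNS0 OPT record, parses it back the way a firewall or IPS would inspect it (TC bit, OPT present, advertised UDP size), and encodes two names with suffix compression so that novell.no is only sent once. The query id, the 4096-byte advertised size and the second name mail.novell.no are constructed sample values.

```python
"""EDNS0 OPT record (RFC 2671) and DNS name compression (RFC 1035), in pure Python."""
import struct

OPT = 41  # EDNS0 pseudo resource record type

def encode_name(name, table=None, offset=0):
    """Encode a name as length-prefixed labels. With a compression table, a suffix
    already sent earlier in the packet becomes a 2-byte pointer (0xC0 | offset)."""
    out, labels = b"", name.rstrip(".").split(".")
    for i, label in enumerate(labels):
        suffix = ".".join(labels[i:])
        if table is not None:
            if suffix in table:
                return out + struct.pack("!H", 0xC000 | table[suffix])
            table[suffix] = offset + len(out)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def encode_names(names):
    """Encode several names back to back with compression, as an answer section would."""
    table, out = {}, b""
    for name in names:
        out += encode_name(name, table, len(out))
    return out

def decode_name(pkt, off):
    """Decode the name at `off`, following pointers; returns (name, offset after it)."""
    labels, end = [], None
    while True:
        n = pkt[off]
        if n & 0xC0 == 0xC0:                       # compression pointer
            end = end if end is not None else off + 2
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if n == 0:
            break
        labels.append(pkt[off:off + n].decode("ascii"))
        off += n
    return ".".join(labels), (end if end is not None else off)

def build_query(qname, qtype=1, edns=True, udp_size=4096):
    """Recursive query; with edns=True an OPT RR advertises the UDP size we accept."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1 if edns else 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    opt = b""
    if edns:  # root name, TYPE=OPT, CLASS=UDP size, TTL=ext-rcode/version/flags, RDLEN=0
        opt = b"\x00" + struct.pack("!HHIH", OPT, udp_size, 0, 0)
    return header + question + opt

def inspect_query(pkt):
    """What a firewall or IPS sees in a query: TC bit, EDNS presence, advertised size.
    Assumes a query packet (no answer/authority records before the additional section)."""
    _ident, flags, _qd, _an, _ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    qname, off = decode_name(pkt, 12)
    off += 4                                       # skip QTYPE and QCLASS
    info = {"qname": qname, "tc": bool(flags & 0x0200), "edns": False, "udp_size": 512}
    for _ in range(ar):
        _, off = decode_name(pkt, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10 + rdlen
        if rtype == OPT:
            info["edns"], info["udp_size"] = True, rclass
    return info
```

For www.novell.no the OPT record adds exactly 11 bytes to the query, in line with the 10-15 bytes noted above, and the two compressed names take 22 bytes instead of 31.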

EDNS - turn off in Windows 2003

You can't turn off EDNS in Windows 2003; it will always reply as EDNS capable if the source includes EDNS in the original packet. To make sure you do not send out EDNS probes to all hosts on the Internet you can make the following change in the registry. (By default this feature is disabled, and the registry key is not present.)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
EnableEDNSProbes=0x0
