Latest Storage Driver Versions...

Here on the OEM team, we are often asked storage-related questions about the latest versions of Storport.sys, the iSCSI Initiator, and MPIO.                 

For easy reference, below are the latest available versions of Storport.sys, MPIO, and the iSCSI Initiator as of 6/18/2008.  Both GDR branch fixes available directly from the Microsoft Download Center and LDR branch fixes available from Microsoft Support are listed.

Please note that all updates are cumulative within the same branch: even if the update listed below does not specifically address the problem you are seeing, an earlier fix that it includes may. Look for more details on GDR fixes versus LDR fixes in David's post from 3/11/08: "What is the difference between general distribution and limited distribution releases?"

Please contact your storage vendor to discuss whether you should upgrade to the latest available Storport.sys, vendor-specific MPIO DSM, HBA drivers, etc.

Storport.sys
Server 2003 SP2
Latest version of Storport.sys available directly from the Microsoft Download Center:
KB 943295 – http://support.microsoft.com/kb/943295
Build 5.2.3790.4163 (October 2007)

Latest version of Storport.sys available from Microsoft Support:
KB 950448 – http://support.microsoft.com/kb/950448
Build 5.2.3790.4303 (May 2008)

Vista RTM, Vista SP1, and Server 2008
Latest version of Storport.sys available from Microsoft Support:
KB 953390 – http://support.microsoft.com/kb/953390
Vista RTM - Build 6.0.6000.20845 (May 2008)
Vista SP1 - Build 6.0.6001.22190 (May 2008)
Server 2008 - Build 6.0.6001.22190 (May 2008)
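The following PowerShell is an added example, not part of the original post. It reads the build of the Storport.sys that is actually installed and compares it with the builds listed above for the matching OS, so you can tell at a glance whether the GDR or LDR update is already in place. It assumes the standard driver path under %SystemRoot%\System32\drivers.

```powershell
# Added example (not from the original post): compare the installed Storport.sys
# build with the GDR/LDR builds listed in the post.
$knownBuilds = @(
    @{ Version = '5.2.3790.4163';  Branch = 'GDR'; KB = 'KB 943295'; OS = 'Server 2003 SP2' }
    @{ Version = '5.2.3790.4303';  Branch = 'LDR'; KB = 'KB 950448'; OS = 'Server 2003 SP2' }
    @{ Version = '6.0.6000.20845'; Branch = 'LDR'; KB = 'KB 953390'; OS = 'Vista RTM' }
    @{ Version = '6.0.6001.22190'; Branch = 'LDR'; KB = 'KB 953390'; OS = 'Vista SP1 / Server 2008' }
)

# Assumed standard location of the driver.
$path = Join-Path $env:SystemRoot 'System32\drivers\storport.sys'
$vi   = (Get-Item $path).VersionInfo

# Build the version from the numeric parts. The FileVersion string itself carries a
# trailing branch tag in parentheses that [version] cannot parse.
$installed = [version]"$($vi.FileMajorPart).$($vi.FileMinorPart).$($vi.FileBuildPart).$($vi.FilePrivatePart)"
"Installed Storport.sys: $installed"

foreach ($b in $knownBuilds) {
    $known = [version]$b.Version
    # Only compare against builds for the same OS, i.e. the same major.minor.build.
    if ($known.Major -eq $installed.Major -and
        $known.Minor -eq $installed.Minor -and
        $known.Build -eq $installed.Build) {
        $state = if ($installed -ge $known) { 'at or above' } else { 'BELOW' }
        "{0,-25} {1} ({2}, {3}): installed build is {4}" -f $b.OS, $b.Version, $b.Branch, $b.KB, $state
    }
}
```

Read the output with the branch model in mind: an LDR build includes the GDR fixes, so an LDR machine will show as at or above the GDR build, but a machine on the latest GDR build will show as BELOW the LDR build, which is expected unless you need a fix that only shipped in the LDR branch.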

iSCSI Initiator
XP and Server 2003
Latest version is 2.07 (May 2008):
http://www.microsoft.com/downloads/details.aspx?FamilyID=12cb3c1a-15d6-4585-b385-befd1319f825&DisplayLang=en

Fixes for the following issues are included in this version:

  1. Data written twice when spanning tapes on an iSCSI target virtual tape drive.
  2. Bugcheck in iscsiprt on getting storage device ID property.
  3. iscsiexe.exe can leak memory on discovering targets.
  4. Initiator leaks handles when refreshing the list of persistent targets.
  5. Microsoft iSCSI MPIO DSM (MSISCDSM) leaves stale Registrations under certain conditions.
  6. Persistent Reservation (PR) not propagated across paths.

MPIO
Latest version is 1.21 (May 2008)
Included with iSCSI Initiator 2.07

Fixes for the following issues are included in this version:

  1. Fixed a system hang that could occur due to race condition between path recovery and new path arrival.
  2. Fixed install sample to use the correct MPIO hardware identifier on Windows Server 2008.
  3. Fixed memory leak in MPIO.
  4. Fixed a system hang that could occur during total path failure in a Cluster environment.
  5. Fixed Microsoft MPIO DSM (MSDSM) to update statistics for the correct path.
  6. Fixed Microsoft MPIO DSM (MSDSM) logic for retrying Persistent Reservation commands.

Setting up dynamic partition mirroring on GPT disks in Server 2008.

In this helpful how-to KB from our very own Doug Iman, he describes at length what is required to set up dynamic boot partition mirroring on GUID partition table (GPT) disks in Windows Server 2008.

This will be increasingly helpful as GPT begins to replace the aging Master Boot Record (MBR). While GPT disks technically keep some backwards compatibility by maintaining a protective MBR in the very first sector of the disk, this is mainly there so that MBR-only disk utilities and other applications do not treat the disk as empty. Because of the differences between the two disk types, the steps required to enable partition mirroring have changed significantly.

For the complete guide see KB article 951985: http://support.microsoft.com/?kbid=951985. If you'd like to know more about GPT disks, the Wikipedia entry on the GUID Partition Table and Microsoft's Windows and GPT informational pages are good starting points.

Any other questions feel free to leave a comment on this post.
Cheers,
Corey

BreakOnSysRq applies to USB (kbdhid) keyboards as well...

If you are debugging and press the PrtScn / SysRq key on the debuggee, you may have noticed that this causes the debugger to break in. In certain situations this may not be desired; thankfully, it can be changed. The behavior and how to modify it are described in the following MSDN article: http://msdn.microsoft.com/en-us/library/cc267412.aspx.

One important thing to note though is that this also applies to USB keyboards through the kbdhid driver:

You can disable the SYSRQ key by editing the registry. In the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\kbdhid\Parameters registry key, create a value named BreakOnSysRq and set it equal to DWORD 0x0. Then, restart the computer. After you have restarted the computer, you can press the SYSRQ key on the target computer's keyboard and it will not break into the kernel debugger.
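As an added example (not part of the original post or the MSDN article), the PowerShell below sets BreakOnSysRq for both drivers at once, the PS/2 i8042prt driver covered by the MSDN text and the USB kbdhid driver this post is about. It assumes the Parameters subkey may not yet exist under kbdhid and creates it if needed, and it prints the old and new value so you can confirm what changed. Run it elevated on the target machine.

```powershell
# Added example (not from the original post): set BreakOnSysRq for both the
# PS/2 (i8042prt) and USB (kbdhid) keyboard drivers.
function Set-BreakOnSysRq {
    param([bool]$Enabled = $false)

    $value = if ($Enabled) { 1 } else { 0 }

    foreach ($driver in 'i8042prt', 'kbdhid') {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$driver\Parameters"

        # Assumption: the Parameters subkey may be missing (commonly the case for kbdhid).
        if (-not (Test-Path $key)) {
            New-Item -Path $key -Force | Out-Null
        }

        $before = (Get-ItemProperty -Path $key -Name BreakOnSysRq -ErrorAction SilentlyContinue).BreakOnSysRq
        Set-ItemProperty -Path $key -Name BreakOnSysRq -Value $value -Type DWord
        $after  = (Get-ItemProperty -Path $key -Name BreakOnSysRq).BreakOnSysRq

        $shown = if ($null -eq $before) { '<absent>' } else { $before }
        "{0,-10} BreakOnSysRq: {1} -> {2}" -f $driver, $shown, $after
    }

    'Reboot the target for the change to take effect.'
}

# Stop SysRq from breaking into the kernel debugger on either keyboard type.
Set-BreakOnSysRq -Enabled $false
```

Pass -Enabled $true to restore the default behavior. The value is read by the keyboard driver at start, which is why the reboot the MSDN text mentions is still required.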

Debug | Break

Click Break on the Debug menu to stop the target's execution and return control to the debugger.

In user mode, this command stops the process and its threads, enabling you to regain control of the debugger. In kernel mode, this command breaks into the target computer.

You can also use this command while the debugger is active. In this situation, the command will truncate long Debugger Command window displays.

The Break command is equivalent to pressing CTRL+BREAK or clicking the Break (Ctrl+Break) button on the toolbar.

User-Mode Effects

In user mode, the Break command causes the target application to break into the debugger. The target application stops, the debugger becomes active, and you can enter debugger commands.

If the debugger is already active, Break does not affect the target application. However, you can use this command to terminate a debugger command. For example, if you have requested a long display and do not want to see any more of it, Break will end the display and return you to the debugger command prompt.

When you are performing remote debugging with WinDbg, you can press the Break key on the host computer's keyboard. If you want to issue a break from the target computer's keyboard, use CTRL+C on an x86-based computer.

You can press the F12 key to open a command prompt when the application that is being debugged is busy. Click one of the target application's windows and press F12 on the target computer.

Kernel-Mode Effects

In kernel mode, the Break command causes the target computer to break into the debugger. This command locks the target computer and wakes up the debugger.

When you are debugging a system that is still running, you must press the Break key on the host keyboard to open an initial command prompt.

If the debugger is already active, Break does not affect the target computer. However, you can use this command to terminate a debugger command. For example, if you have requested a long display and do not want to see any more of it, Break will end the display and return you to the debugger command prompt.

You can also use Break to open a command prompt when a debugger command is generating a long display or when the target computer is busy. When you are debugging an x86-based computer, you can also press CTRL+C on the target keyboard to have the same effect.

The SYSRQ key (or pressing ALT+SYSRQ on an enhanced keyboard) is similar. This key works from the host or target keyboard on any processor. However, this key works only if you have opened the prompt by pressing CTRL+C at least one time before.

You can disable the SYSRQ key by editing the registry. In the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\i8042prt\Parameters registry key, create a value named BreakOnSysRq and set it equal to DWORD 0x0. Then, restart the computer. After you have restarted the computer, you can press the SYSRQ key on the target computer's keyboard and it will not break into the kernel debugger.

Additional Information

The corresponding key in KD and CDB is CTRL+C. For more information about other ways to control program execution, see Controlling the Target.

Windows Server 2008 == Windows Vista Service Pack 1

As is probably well known, Microsoft spends a tremendous amount of time and resources on marketing and education both internally and externally. At times it seems as if only word of mouth and a few more people saying the same thing will drive the message home.

To that effect we'd just like to reiterate that Windows Server 2008 and Windows Vista Service Pack 1 are indeed built from the same code base. This is why the System control panel on a Server 2008 RTM machine already shows Service Pack 1 as installed.

Now that servicing will be done against the same codebase, the first Service Pack for Server 2008 will be SP2.

The official statement can be found in KB 949607.
http://support.microsoft.com/kb/949607

Further information can be found on Iain McDonald's blog, in an Ars Technica article on the topic, and in the relevant Wikipedia entry.

Vista tips and tricks... changing boot options on the fly.

There are a number of boot options in Vista and Windows Server 2008 that can be a pain to modify from within the OS (or impossible, if you are in a bugcheck loop) but that can be changed on the fly at boot time. These options are invaluable for diagnosing some problems you may experience on the system. Modifying them in the OS may involve figuring out the bcdedit syntax, finding the right BCD store to modify, or rebuilding and burning a new install DVD (if the problem is happening during install from media).

Some example boot switches you might want to use are:

  • Adding a debug switch for any type of transport (not just the default serial option that you get in the F8 menu)
  • Opting in or out of no execute (NX)
  • Capping the amount of system memory (with maxmem or burnmemory)
  • Limiting the number of processors (with numproc)

To modify the boot options on a Vista and Windows Server 2008 system, whether it is booting from the hard drive or DVD, you can do the following:

  1. Hit the space bar repeatedly after the BIOS screen goes away.
  2. On the next screen will be the Windows Boot Manager menu where you select the boot operating system.
  3. On this screen press F10.
  4. This will take you to the Edit Boot Parameters screen where you can edit the boot options in the same way you did with the boot.ini file in previous versions of Windows.
  5. Here you can change the default values to the one-time values you want for this boot.

For example, to enable kernel debugging over 1394 while keeping the default NX setting, change the default values to:

[ /NOEXECUTE=OPTIN /DEBUGPORT=1394 /CHANNEL=40 ]

You will then boot with the debugger enabled on the 1394 bus, using channel 40. The change applies to this boot only; the BCD store itself is not modified.
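For the cases where you do want the setting to persist, here are the bcdedit equivalents of the switches above. This is an added example, not part of the original post; it assumes you are running from an elevated PowerShell prompt on the machine whose current boot entry you want to change. Note the quotes around {current}: in PowerShell bare braces are parsed as a script block, and a bare hexadecimal number is converted to decimal before bcdedit sees it, so both are quoted.

```powershell
# Added example (not from the original post): persistent BCD equivalents of the
# one-time F10 boot switches. '{current}' is the entry you booted from.

# /NOEXECUTE=OPTIN
bcdedit /set '{current}' nx OptIn

# /DEBUGPORT=1394 /CHANNEL=40: turn on the debugger for this entry and set the
# global debugger transport settings.
bcdedit /debug on
bcdedit /dbgsettings 1394 channel:40

# /NUMPROC=2
bcdedit /set '{current}' numproc 2

# /BURNMEMORY=512: hide 512 MB from the OS.
bcdedit /set '{current}' removememory 512

# /MAXMEM-style cap: bcdedit takes a physical address in bytes (here 1 GB).
bcdedit /set '{current}' truncatememory '0x40000000'

# Review the result.
bcdedit /enum '{current}'

# Undo examples:
# bcdedit /deletevalue '{current}' removememory
# bcdedit /debug off
```

Unlike the F10 edit, these survive a reboot, so remove them with /deletevalue (or /debug off) when you are done diagnosing; a forgotten memory cap or processor limit is easy to mistake for a hardware fault later.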

Further switches and examples to come in further posts...

We are hiring...

Want to debug the most difficult problems against the largest, most complex piece of software ever written? Are you fluent in C and assembly? Do you carry a spare debugger cable in your bag? Can you represent Microsoft in critical, time-sensitive solution delivery? Writing code is easy; finding bugs in someone else's code you've never seen before is a real challenge.

Want to hear more?

http://blogs.msdn.com/jobsblog/archive/2007/01/26/jobcast-life-as-an-escalation-engineer.aspx
http://blogs.msdn.com/jobsblog/archive/2007/11/21/life-as-an-escalation-engineer-part-ii.aspx

Candidate must be a strong critical thinker, and enjoy solving very difficult problems (often involving code level analysis).  Escalation Engineers within GES are frequently involved with the highest profile issues, and therefore must be able to handle both pressure and complex situations. Candidates must also have strong customer service, accurate logical problem solving and communication skills, and the ability to work in a team environment. Programming and debugging skills are required, preferably in C or C++.  Also, the ability to read and analyze network traces and solid protocol analysis is a plus. The ideal candidate may have a four year degree in C.S. or Engineering and a minimum of four years product support experience or the equivalent in work experience. Prior knowledge of the product to be supported, and other networking products and/or networking operating systems is required. If you enjoy being the problem-solver in the spotlight of critical problems, then this position will excite and challenge you.

Applicants who possess the experience and desire will be considered and are encouraged to apply using the link below. After applying, please submit a copy of your resume to benjammc@microsoft.com.

Job Details - Microsoft Careers – job code is 209923 and can be found on the Microsoft Career page.

Troubleshooting Certificate Enrollment

AutoEnrollment & MMC Enrollment

Enrollment Dependencies:

  • The Certificate Template has been published to the Certification Authority.
  • If Service Pack 1 has been installed on the CA and the CA is on a DC:
    • Verify that the CERTSVC_DCOM_ACCESS group contains Domain Users, Domain Computers, and Domain Controllers.
  • If Service Pack 1 has been installed on the CA and the CA is a member server in a Windows 2000 domain:
    • Verify that the Windows Server 2003 Schema Extensions have been installed.

AutoEnrollment Dependencies:

  • Client machine must be Windows XP or higher.
  • Certification Authority has been installed on a Windows Server 2003 Enterprise Edition server.
  • User/Computer has Read, Enroll, and AutoEnroll permissions on the certificate template.
  • The Group Policy for the Domain/OU containing the User/Computer has been configured for Autoenrollment.

Debug Logging Options

Client Settings:

  • By default, errors/failures and successful enrollments are logged in the Application event log on the client machine.
  • To enable enhanced logging of the Autoenrollment processes set the following values:
    • User AutoEnrollment
      HKEY_CURRENT_USER\Software\Microsoft\Cryptography\Autoenrollment: Create a new DWORD value named "AEEventLogLevel"; set value to 0.
    • Machine AutoEnrollment
      HKEY_LOCAL_MACHINE\Software\Microsoft\Cryptography\Autoenrollment: Create a new DWORD value named "AEEventLogLevel", set value to 0.

For information on available event log messages, see the following:
Troubleshooting (Certificate Autoenrollment in Windows Server 2003)
http://technet2.microsoft.com/WindowsServer/en/Library/8b1e8736-1574-44a0-802f-974f7aeedd9c1033.mspx?mfr=true

Certification Authority Settings

  • Enable Certificate Services Debug Logging by running the following commands on the CA:
    certutil.exe -f -setreg ca\debug 0xffffffff
    Net Stop Certsvc && Net Start Certsvc
  • The following log files will be created:
    %SystemRoot%\certsrv.log (Certsrv.exe) Certificate Services
    %SystemRoot%\certutil.log (Certutil.exe)
    %SystemRoot%\certreq.log (Certreq.exe)
    %SystemRoot%\certmmc.log (Certmmc.dll) Certificate Services MMC snap-in
    %SystemRoot%\certocm.log (Certocm.dll) Certificate Services Setup

Simultaneous Netmon Trace from both the client and the CA.

  • Filter the trace on LDAP and RPC traffic.
  • The client queries Active Directory for a list of available CAs and certificate templates that they are granted read and enroll permissions to.
  • The client then makes an RPC bind to the ICertRequest DCOM Interface on the CA using Kerberos authentication.

Common Problems - Scenario #1: Clients are Not Autoenrolling and No Errors are being Reported in the Application Event Log

  • Verify that the client can get a certificate using manual enrollment via the MMC Certificate Request Wizard. If the wizard fails at its first step, the error typically means one of the following:
    • We could not contact the Active Directory 
      • Use normal Active Directory troubleshooting methods.  i.e. verify networking connectivity and name resolution.
    • We do not trust the Enrollment Certification Authority
      • The Enrollment Certification Authority is located at:
        CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=domain,DC=com
      • If the Enrollment CA is a Root CA, its certificate must be in the Trusted Root Certification Authorities store on the client.
      • If the Enrollment CA is a subordinate CA, the Root CA certificate must be in the Trusted Root Certification Authorities store and the Enrollment CA certificate in the Intermediate Certification Authorities store on the client.
      • The CA certificates are downloaded from Active Directory during Group Policy processing, so make sure that Group Policy is applying to the client.
    • We do not have permissions to the Certification Authority.
      • Open the Certification Authority snap-in and right click on the CA name and select Properties.
      • Go to the Security tab and make sure that Authenticated Users, or the appropriate group, have "Read" and "Request Certificates" permissions.
    • We do not have permissions to any Certificate Templates.
      • To verify the templates that the machine has access to, run the following command:
        Certutil -Template
      • To verify the templates that the user has access to, run the following command:
        Certutil -user -Template
      • Verify that the CA can issue the template in question:
        Certutil -templateCAs <Template Name>


Common Problems - Scenario #2: Errors are being reported in the Client Application Event Log

Source: AutoEnrollment
Event IDs: 7,13,15

  • Description
    • Automatic certificate enrollment for Haybuv\User1 failed to contact Active Directory (0x8007054b). The specified domain either does not exist or could not be contacted. Enrollment will not be performed.
  • Resolution
    • Verify network connectivity and name resolution.

  • Description
    • Automatic certificate enrollment for local system failed to contact a directory server (0x80072751). A socket operation was attempted to an unreachable host. Enrollment will not be performed.
  • Resolution
    • This error most often occurs when a user is logged on to a machine with cached credentials and is offline. If the machine is not offline verify network connectivity and name resolution.

  • Description
    • Automatic certificate enrollment for local system failed to enroll for one HAYBUV IPSEC certificate (0x800706ba). The RPC server is unavailable.
  • Resolution
    • This error occurs when attempting to bind to the Certification Authority to generate the Certificate request.  Troubleshooting includes:
      • Verify that the client can get a certificate using the Manual Enrollment via the MMC Certificate Wizard.
      • Check network connectivity to all of the available Certification Authorities listed in the Enrollment services object listed in the AD:
        CN=Enrollment Services,CN=Public Key Services,CN=Services,CN=Configuration,DC=Domain,DC=com
      • Verify that the Certificate Services service is running on the Certification Authority.
      • Verify that you can ping the Certificate Request Interface by running the following command:
        Certutil -Ping -Config CAMachineName\CAName
        Note that you can run the following command to get the Config string of the available Certification Authorities:
        Certutil -Dump
    • The Certutil -Ping command runs under the context of the current user. If the command works for the user but the AutoEnrollment failure is for the computer account, open a command prompt running as the machine (Local System) account and re-run the ping command.
    • If the ping command fails for either the user or the computer:
  • Description
    • Automatic certificate enrollment for local system failed to renew one HAYBUV IPSEC certificate (0x8009400f). An attempt was made to open a Certification Authority database session, but there are already too many active sessions. The server may need to be configured to allow additional sessions.
  • Resolution
    • By default, the Windows Server 2003 certification authority allows only 20 concurrent sessions to the CA database.  To increase the maximum number of sessions to 30, which is the highest limit tested with the Windows Server 2003 certification authority:
      Certutil -setreg DBSessionCount 30
      Net Stop Certsvc && Net Start Certsvc
    • This behavior typically occurs when a CA has been introduced to the environment and clients are in the initial Autoenrollment phase.

  • Description
    • Automatic certificate enrollment for local system failed to enroll for one Domain Controller certificate (0x80070005). Access is denied.
  • Resolution
    • This error occurs when attempting to bind to the Certification Authority to generate the Certificate request.  Troubleshooting includes:
      • If SP1 is installed on the Certification Authority, verify that DCOM permissions are set correctly per the following article:
        Description of the changes to DCOM security settings after you install Windows Server 2003 Service Pack 1
        http://support.microsoft.com/kb/903220/

  • Description
    • The certificate request failed.  The revocation function was unable to check revocation because the revocation server was offline.
  • Resolution
    • The client does not have a valid Certificate Revocation List (CRL) for the issuing CA. Verify that all Certification Authorities in the chain have valid certificates and reachable CRL distribution points. To test, run the following command against the issuing Certification Authority certificate:
      Certutil -Verify -Urlfetch <Issuing CA Certificate>
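To turn the event descriptions above into a quick triage, the following PowerShell is an added example (not part of the original post). It pulls recent AutoEnrollment events 7, 13 and 15 from the Application log, extracts the HRESULT that the event text carries in parentheses, and maps the codes discussed above to their resolution. The table of codes is taken from this post; anything else is handed to certutil -error for decoding. The sample message at the bottom is constructed so the mapping can be exercised on a machine with no enrollment errors.

```powershell
# Added example (not from the original post): map AutoEnrollment failure events
# to the resolutions discussed in the post.
$knownErrors = @{
    '0x8007054b' = 'Failed to contact Active Directory: verify network connectivity and name resolution.'
    '0x80072751' = 'Directory server unreachable: usually a client that is offline with cached credentials.'
    '0x800706ba' = 'RPC server unavailable: confirm Certsvc is running, then test with certutil -ping -config CAMachineName\CAName.'
    '0x8009400f' = 'Too many CA database sessions: certutil -setreg DBSessionCount 30, then restart Certsvc.'
    '0x80070005' = 'Access denied binding to the CA: check DCOM permissions per KB 903220 on an SP1 CA.'
}

function Get-AutoEnrollHint {
    param([string]$Message)

    # The event text embeds the HRESULT as "(0x........)".
    if ($Message -match '\((0x[0-9a-fA-F]{8})\)') {
        $code = $Matches[1].ToLower()
        if ($knownErrors.ContainsKey($code)) {
            return "$code - $($knownErrors[$code])"
        }
        return "$code - not covered above; decode it with: certutil -error $code"
    }
    return 'No HRESULT found in the event message.'
}

# Recent AutoEnrollment failures from the Application log (source name matched
# loosely so the Vista-style provider name is caught as well).
Get-EventLog -LogName Application -Newest 500 |
    Where-Object { $_.Source -like '*AutoEnrollment*' -and (7, 13, 15) -contains $_.EventID } |
    Select-Object TimeGenerated, EventID,
        @{ Name = 'Hint'; Expression = { Get-AutoEnrollHint $_.Message } } |
    Format-Table -AutoSize -Wrap

# Constructed sample message (modelled on the event text quoted in the post) to
# show the mapping without a real failure present.
$sample = 'Automatic certificate enrollment for local system failed to enroll for one HAYBUV IPSEC certificate (0x800706ba). The RPC server is unavailable.'
Get-AutoEnrollHint $sample
```

-Newest 500 is applied before the source filter, so raise it on a busy client if no events show up. The hints are only the first step described above; a 0x800706ba still needs the Certutil -Ping check run as both the user and the computer account to tell a network problem from a DCOM permission problem.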

How Certificate Services Works
http://technet2.microsoft.com/WindowsServer/en/library/d7cd44f4-b39a-4d35-bb56-a239f72b7e4c1033.mspx?mfr=true

Managing Group Policy in Windows Vista

Hi, my name is Bob Newhouse and I will be discussing managing group policy with Windows Vista. To start, we have added approximately 700 new group policy settings in Windows Vista and Windows Server 2008, increasing the granularity of what you can do with group policy. For a complete listing, see Microsoft's Group Policy settings reference for Windows Server 2008.

Group Policy no longer runs inside the Winlogon process but has its own service, and we no longer rely on Userenv debug logging to gather information. In Windows Server 2008 and Vista, Group Policy runs in a svchost.exe process, and group policy events now appear in a separate Group Policy operational log found under Applications and Services Logs\Microsoft\Windows\GroupPolicy\Operational in Event Viewer. The operational log provides a centralized location for group policy events, which makes it somewhat easier to diagnose a problem with group policy.

One of the biggest features of Vista is the ability to process multiple local group policy objects. In earlier versions of Windows, if you used a local group policy it applied to anyone who logged onto the client machine, which meant jumping through hoops to stop it from applying to Administrators and other users you did not want it to affect. With multiple local group policies, you can create a group policy and apply it to the local computer (everyone affected), to the Administrators or Non-Administrators group, or to an individual user, on the local machine or a remote machine. Windows applies the Local Group Policy object first, then the Administrators or Non-Administrators Local Group Policy object, and finally the user-specific Local Group Policy object. This is a significant improvement for applying group policy without affecting everyone who logs on. For conflict resolution, the policy applied last wins: if you make the same change in the computer policy and in a user-specific policy, the user-specific setting takes effect.

To use this feature:

  1. Start an MMC console.
  2. Add a Snapin.
  3. Select the Group Policy Object Editor.
  4. For the Local machine you can click Finish.
  5. For a User or Group select Browse.
  6. Click on the User Tab or Computer tab (depending on what settings you are editing).
  7. Highlight the User, the Administrators or Non-Administrators group, or the Computer you want to apply the policy to.
  8. Click OK then Finish then OK
  9. Modify the group policy as needed.
  10. Run gpupdate /force

In a domain environment, we still apply local group policy (following the local group policy rules), site group policy, domain group policy and OU group policy.  You can find a Step-by-Step Guide to Managing Multiple Local Group Policy Objects here.  It has some different scenarios that you might like to test out before implementing.
GPMC shipped with Vista RTM but is removed when SP1 is installed. For Vista SP1 it is available as a separate download, as part of the Remote Server Administration Tools.

References:
Vista Group Policy FAQ
What's New in Group Policy in Windows Vista
Windows Vista Management and Operations

Be green with Windows Vista Power Management...

Windows Vista has a new tool for investigating and configuring Power Management features. For this discussion, I'll focus on PowerCFG -LastWake feature that is new for Windows Vista. This tool can help diagnose individual, corporation, and Original Equipment Manufacturer (OEM) issues with machines returning from a sleep state. In Windows XP there was no easy way to determine who woke the machine, it was mostly trial and error. So for Vista, LastWake was created to make it easier to assist in identifying what actually woke the machine.

From my personal experience, I have the machine set to never sleep in the Control Panel Power Management settings as I wanted this to be manual. I would then set my desktop to a S3 sleep state when I left the room as my contribution to being green. Many times I found my desktop up and running upon my return. When I upgraded to Windows Vista, my machine continued to wake up on its own. With the new PowerCFG tool, I decided to try and see if I could identify what woke my computer.

Before leaving for work, my machine was placed into S3. When I got home, my machine was on and running waiting for me to log in. After logging in and opening a command window, I typed in the following command:

powercfg -lastwake
Wake History Count - 1
Wake History [0]
Wake Source Count - 1
Wake Source [0]
Type: Device
Instance Path: PCI\VEN_8086&DEV_27C8&SUBSYS_01A81028&REV_01\3&172e68dd&0&E8
Friendly Name:
Description: Intel(R) 82801G (ICH7 Family) USB Universal Host Controller - 27C8
Manufacturer: Intel

From this example, my USB Host Controller sent the signal to wake the computer. But who actually woke the machine? To find this out I queried for devices that are armed for wake. Three devices were returned by the query.

powercfg -DEVICEQUERY  wake_armed
Microsoft USB IntelliMouse Explorer
HID Keyboard Device (003)
High Definition Audio Controller

By opening Device Manager and selecting View menu and choosing Device by Connection, I found the USB Host controller with the label _27C8. Opening that, I found it was my desktop mouse as it is the only device plugged into the USB controller that has the ability to wake my machine up. Upon further investigation, it turned out to be our house cats. They would use the desk as a launching pad to the window's ledge and sometimes they would step on the mouse pad on their way to the window. My resolution to this dilemma was to open Device Manager, locate the mouse and its Power Management settings, and simply uncheck "Allow this device to wake the computer".

From the OEM support perspective, this tool can help identify issues with custom devices. In one recent case, an OEM had a customer where if they manually placed the machine to sleep using an extra button on the laptop, the machine would wake shortly after. PowerCFG listed the following results:

powercfg /lastwake
Wake History Count - 1
Wake History [0]
Wake Source Count - 1
Wake Source [0]
Type: Device
Instance Path: ACPI\PNP0x0x\2&XXXXxXXX&2
Friendly Name:
Description: ACPI Sleep Button
Manufacturer: (Standard system devices)

When I heard about this, I asked them to remove the key from the keyboard for cleaning. Once it was reattached, the problem went away, so we only had a sticky key issue.

For the network administrator, this tool can help diagnose why machines are resuming when connected to a network. Traffic such as router ARP packets can trigger Wake-On-LAN events. One such experience proved that the network card was waking the machine. The administrator was not interested in who or what was waking the machine; they just wanted it set so that only the administrators could do this. So after PowerCFG showed the NIC was responsible, we went into Device Manager and opened the Power Management properties of the network adapter. We set "Allow this device to wake the computer" and then followed up by setting "Only allow management stations to wake the computer", which gives the administrators control over this behavior in their domain by using a magic packet to wake a computer.

These are just a few examples of using PowerCFG, and there are a great many other uses available to explore: one just needs to do PowerCFG /? to see the possibilities.
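Putting the three scenarios above together, the following PowerShell is an added example, not part of the original post. It prints the last wake source, lists every device currently armed to wake the machine, and, only when run with -Apply, disarms all of them except network adapters, which is the "only a management station can wake it" state the administrator above wanted. The name pattern used to recognise adapters is an assumption, so read the report it prints before running with -Apply.

```powershell
# Added example (not from the original post): report wake sources and disarm
# everything except network adapters using the powercfg switches the post mentions.
function Disable-NonNicWake {
    param([switch]$Apply)

    'Last wake source:'
    powercfg -lastwake

    # powercfg prints one device name per line, or the single word NONE.
    $armed = powercfg -devicequery wake_armed | Where-Object { $_ -and $_ -ne 'NONE' }
    if (-not $armed) {
        'No devices are armed for wake.'
        return
    }

    foreach ($device in $armed) {
        # Assumption: adapters can be recognised by name. Adjust for your hardware.
        if ($device -match 'Ethernet|Network|Wireless|Wi-Fi|NIC') {
            "keep         : $device"
            continue
        }
        if ($Apply) {
            # Pass the name exactly as powercfg printed it.
            powercfg -devicedisablewake "$device"
            "disarmed     : $device"
        } else {
            "would disarm : $device   (rerun with -Apply)"
        }
    }
}

Disable-NonNicWake          # report only
# Disable-NonNicWake -Apply # make the change; run from an elevated prompt
```

powercfg -devicedisablewake is the command-line form of clearing "Allow this device to wake the computer" in Device Manager, and -deviceenablewake reverses it. The "Only allow management stations to wake the computer" option has no powercfg switch; it is a property of the network adapter, so that last step stays in the adapter's Power Management tab as described above.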

If you would like to keep abreast of how Microsoft continues to innovate in power management please check our environmental website at   http://www.microsoft.com/environment.

David Winkler
OEM Support Team

Troubleshooting Internet Explorer Hangs (and other applications too!)

From a consumer point of view, seeing the message "Internet Explorer has stopped responding" can be frustrating. Fortunately, with Windows Vista, information about the hang is collected and can be sent to Microsoft for further analysis; however, you may not always get an answer on how to solve the problem. That information is still useful to Microsoft for examining trends and fixing issues in the next release, so at a minimum we recommend always reporting crashes and hangs, whether in Internet Explorer or any other application.

Now, let's say you're a savvy user and want to dig into the hang a little more. Let's take a closer look at how to do that.

First, understand what type of hang is it.

Soft hang

  • The application takes a long time to return data; slow is perceived as a hang.
  • The application takes a long time to open; slow is perceived as a hang.

Hard hang

  • The application does not respond to anything. In this case you will see the aforementioned dialog or have to manually close the application.

In both cases the application is waiting on something else to complete before it can continue. It may be a network connection, a response from the server, or an embedded component such as Adobe Flash. To figure out the root cause we can do some trial-and-error troubleshooting, or, to dig in deeper, use some troubleshooting tools.

Common troubleshooting steps

  • Start by disabling all IE add-ons one by one:
    1. From the Tools menu.
    2. Go to Manage Add-ons.
    3. Click on Enable or Disable Add-ons.
  • Disable all IE add-ons at once:
    1. Click the Start button.
    2. Click on All Programs then Accessories then System Tools
    3. Finally, click on Internet Explorer (No Add-ons)
  • Make sure you are running all the latest updates from Microsoft Update.
  • If the problem only happens with a specific webpage, there could be a problem with the page itself. In this case, you'll need to contact the page or site owner.

Hang troubleshooting tool

ADPlus - Download and usage instructions can be found here:
http://support.microsoft.com/kb/286350

  • ADPlus is a useful tool which gathers a dump file, a snapshot of the process at the moment of a hang or crash.
  • Once you have a dump file you'll need to analyze it. For some common steps to analyze the dump, see the earlier debugging posts on this blog.

Stay tuned for an upcoming post on debugging the dump!

Thanks,
Derek

Details on DFS failover fixes included in KB933860 and Vista SP1.

Hello All,

Vista SP1 is here and if you are wondering how Vista SP1 can resolve potential issue on Vista clients connecting to a Distributed File System (DFS) root then allow me to enlighten you by providing the following information.

In a nutshell, when one DFS root server is offline, the Vista client cannot fail over to another DFS root server. The Vista client keeps trying to contact the offline DFS server and then encounters the problem.

If a domain's DFS root server is unavailable, a client computer that is running Windows Vista cannot connect to another DFS server that is listed in the referral when the client computer tries to connect to the DFS root server. DFS failover does not occur. When the client computer tries to connect to the offline DFS server, you receive an error message that resembles the following:

System error 1214 has occurred. The format of the specified network name is invalid.

If you are wondering why this happens in your environment, suppose the DFS root has two root targets and one of them is offline. When the Vista client gets the DFS referral list, it contacts the first target in the list (a domain controller in this example), which is the offline one. It tries to set up a TCP session on port 445 or 139 but gets no response, so the transport layer returns an error. Because that error does not cause the Vista client to fail over to the next DFS root server in the referral list, the client receives the error mentioned above.

What is the resolution? Apply the required hotfix as stated in KB933860, or know that this hotfix is included in Vista SP1.

Thanks,
Jasmin

Windows Vista clients cannot access network shares over a VPN or dial-up connection
You may find that although Windows Vista clients can successfully connect to a VPN or Dial-up RAS connection, access to shares on the internal LAN fails. You may have Windows XP clients connecting over RAS using the same remote access settings and they are able to reach the shares without any problem. The Vista machines can ping internal servers but cannot access shared resources on the servers.

This issue is seen if port 139 is blocked or filtered on any intermediate network or firewall device. Network administrators often block the NetBIOS over TCP/IP (NetBT) session port 139 and allow only the SMB Direct Host port 445. The same failure occurs if NetBT is disabled on the remote Windows Vista client. Due to a problem in the initial release of Windows Vista, SMB over a RAS connection only succeeds on port 139.

SMB is the file sharing protocol used by Windows. By default it should try to connect on both legacy NetBT port 139 and SMB Direct Host port 445. The problem is seen because Vista RTM does not add the RAS adapter GUID for SMB to the lanmanserver, lanmanworkstation, and SMB registry keys. Because of this if NetBT port 139 is blocked, file sharing will fail over a RAS interface.

For SMB to work over a RAS interface, the interface GUID must be added to the following registry locations:

  • HKLM\SYSTEM\CurrentControlSet\Services\SMB\Linkage
  • HKLM\SYSTEM\CurrentControlSet\Services\lanmanworkstation\Linkage
  • HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\Linkage

To resolve this issue, see KB article 933468 - You cannot access SMB shares on a corporate network through a Remote Access Service (RAS) connection from a computer that is running Windows Vista

http://support.microsoft.com/default.aspx?scid=kb;EN-US;933468

You can submit an online request for a hotfix to apply, or use the steps provided in the article to bind the SMB protocol to the RAS interface. Alternately you can apply Service Pack 1 for Windows Vista.

Here are the download links to obtain Vista SP1:

KB935791 - How to obtain the latest Windows Vista service pack:
http://support.microsoft.com/kb/935791

32-bit download:
http://www.microsoft.com/downloads/info.aspx?na=22&p=43&SrcDisplayLang=en&SrcCategoryId=&SrcFamilyId=&u=%2fdownloads%2fdetails.aspx%3fFamilyID%3db0c7136d-5ebb-413b-89c9-cb3d06d12674%26DisplayLang%3den

64-bit download:
http://www.microsoft.com/downloads/info.aspx?na=22&p=42&SrcDisplayLang=en&SrcCategoryId=&SrcFamilyId=&u=%2fdownloads%2fdetails.aspx%3fFamilyID%3d874a414b-32b2-41cc-bd8b-d71eda5ec07c%26DisplayLang%3den

Smart Card Logon and Authentication

The smart card logon process includes the following steps:

  1. After the user inserts a smart card, the Windows logon service (WINLOGON) dispatches this event to the GINA.
  2. The user is prompted to enter a PIN (rather than a username and password).
  3. The GINA sends the PIN to the Local Security Authority (LSA).
    Note: There is no logon domain information required, because the user is logged on with a User Principal Name (UPN) which is embedded in the subject name field of the certificate.
  4. The LSA uses the PIN to access the smart card and extract the certificate that contains the user's public key.
  5. The Kerberos security support provider sends the user's certificate, together with pre-authentication data signed with the user's private key, to the KDC.
  6. The KDC compares the UPN in the certificate with the UPN on the user object in the directory. The KDC also verifies the signature on the certificate to ensure that it was issued by a CA that's trusted in the Active Directory forest, such as an Enterprise CA.
  7. The KDC encrypts the logon session key and the TGT for the ticket granting service with the public key from the client certificate. This step ensures that only the client with the appropriate private key can decrypt the logon session key.
  8. The client decrypts the logon session key and presents the TGT to the ticket granting service. After this process is complete, all other communication in Kerberos uses symmetric encryption.

Troubleshooting Smart Card Logons

Is the smart card reader recognized by the operating system?

Typically, if the reader is recognized by the system, a reader icon is displayed on the GINA. Log on locally and check Device Manager to see whether the reader is displayed and functioning correctly.

To check the smart card reader installation do the following:

  1. Click Start
  2. Select Control Panel
  3. Select System
  4. Select Hardware
  5. Select Device Manager
  6. Expand Smart Card Readers

If the reader is not displayed in Device Manager, or is displayed with an inaccurate make or model name, check with the reader manufacturer and obtain the latest drivers for the OS in use.

Verify that the Smart Card service is running on the client by doing the following:

  1. Click Start
  2. Select Run
  3. Type Services.msc
  4. Verify that the Smart Card service is set to Automatic or Manual and is started.

 

For more information on troubleshooting hardware issues, please see the following:

The Step-by-Step Guide to Installing and Using a Smart Card Reader is available from the Microsoft website at the following URL http://www.microsoft.com/technet/prodtechnol/windows2000serv/howto/smrtcard.mspx

Is the user prompted for their PIN?
If not, try removing and re-inserting the card.

875506 The PIN dialog box may not be displayed when you use a smart card to log:
http://support.microsoft.com/?id=875506

If the correct CSP for the card is not installed, the following error message may be displayed:
"The card supplied requires drivers that are not present on this system. Please try another card"

If this is the case, contact the card vendor for a valid CSP to install on the workstation for that card. If the correct CSP has been installed and this error message is still displayed, the problem could be resolved by reinstalling the CSP.

If you know what CSP should be used for this card, you can check to see if the CSP is installed by running the following command on the client:
Certutil -csplist

You can test each CSP on the system by running:
Certutil -csptest

Are we using a 3rd party GINA?

  • Check whether the customer is using a 3rd party GINA by looking at the GINADLL value at:
    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon

When a Smart Card is inserted:

  • The Winlogon process is notified, and Winlogon changes the display of the loaded GINA to show a place to insert a PIN.
  • Custom GINAs may handle this request incorrectly. If the GINADLL value in the registry is defined and set to anything other than MSGINA.DLL, change the value to MSGINA.DLL and restart the workstation.
  • For more information, please see the following:
    843541 Your computer stops responding when you use a smart card to log on to
    http://support.microsoft.com/?id=843541

Can the user log on to the workstation using a UPN-formatted username without a smart card?

  • The Subject Name/Subject Alternative Name of the certificate must contain the user's User Principal Name (UPN).
  • The authenticating KDC uses the UPN to authenticate the user.
  • Logons using UPNs require that a Global Catalog Server is available to the client.
  • If no Global Catalog Servers are advertising, or one cannot be located because of a DNS lookup failure, UPN logon will fail.

Is the issuing CA certificate that issued the smart card certificate published to the NTAuth store in Active Directory?

  • The issuing CA certificate must be published to the NTAuth store and replicated to all domain controllers in the domain.
  • Typically, a Windows 2000 or 2003 Enterprise CA automatically publishes its certificate to the NTAuth store.
  • A standalone CA certificate or 3rd party CA certificate always needs to be published manually.
  • You can view the contents of this store by using PKIView.msc from the Windows 2003 Resource kit or by using the certutil command line tool.
  • In PKIView.msc, right click on Enterprise PKI, select Manage AD Containers, and then go to the NTAuthCertificates tab to view any certificates which are published.
  • Use Certutil at the command prompt with the following syntax:

Certutil -viewstore -enterprise NTAuth

If there are many certificates in the NTAuth store, you can verify that the one you need is published by comparing the Authority Key Identifier extension on the smart card certificate with the Subject Key Identifier extension on the CA certificate: the two values must match.

  • Note: PKIView displays the information that is actually stored in Active Directory.
  • Note: Certutil -viewstore -enterprise NTAuth reads the local machine's cached copy of the store, held in the following registry key; if it disagrees with PKIView, the cache has not yet been refreshed from Active Directory:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth\Certificates

Note: After this certificate is published to the NTAuth store, group policy needs to be applied for the setting to take effect.

Can the issuing CA certificate, i.e. the one published to the NTAuth store, be validated?

This certificate:

  • Must be trusted
  • Must not be expired
  • Must not be revoked
  • Revocation checking against this certificate must not fail.

To check for these conditions:

  • Open the certificate, click on the details tab, and select "Copy to file" to export the certificate (DER format is fine). At the command prompt, run:
    Certutil -verify -urlfetch cerexport.cer

If the certificate is not trusted because the root certificate is not in the trusted root store, the following will be displayed at the bottom of the output:

Exclude leaf cert:
  80 09 43 7e db ad f8 28 b4 41 0a f9 56 b7 1d ed 05 b9 ac 97
Full chain:
  68 05 b4 48 50 de 54 10 64 47 15 59 e8 1d fa 8d e4 d6 f8 5a
  Issuer: CN=Contoso Issuing CA, O=Contoso, C=US
  Subject: CN=DC1.Contoso.net
  Serial: 61991547000000000019
  Template: SubCA
  6c d0 03 08 65 cd fc cd 2a cb a8 a6 d0 5d 01 97 c5 c0 88 40
A certificate chain processed, but terminated in a root certificate
which is not trusted by the trust provider. 0x800b0109 (-2146762487)
------------------------------------
Verifies against UNTRUSTED root

If the certificate has been revoked you will see the following at the bottom of the output:

Full chain:
  e8 8f 69 ba 15 8b cc a1 e1 a7 f1 16 29 13 e7 79 e9 88 28 9e
  Issuer: CN=Contoso Issuing CA, O=Contoso, C=US
  Subject: CN=DC1.Contoso.net
  Serial: 18d199a000000000000b
  Template: SubCA
  a1 34 d1 ac ba 9c 81 31 5c ba 50 f3 7f fa 78 b8 39 e1 61 05
The certificate is revoked. 0x80092010 (-2146885616)

------------------------------------
Certificate is REVOKED
Leaf certificate is REVOKED (Reason=2)

If the certificate has expired, you will see the following at the bottom of the output:

Full chain:
  9e 82 92 3d fc be 27 88 76 4b dd e1 31 e3 66 c0 de 76 39 60
  Issuer: CN=Contoso Issuing CA, O=Contoso, C=US
  Subject: CN=DC1.Contoso.net
  Serial: 4c7619e10001002110fd
  Template: SubCA
  39 b9 9c 41 45 8e 69 10 d2 69 45 01 f6 df 05 e8 e9 e3 4f 61
A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file. 0x800b0101 (-2146762495)

------------------------------------
419.3401.0: 0x800b0101 (-2146762495)
Expired certificate
Leaf certificate revocation check passed

 

If the workstation is unable to connect to the CRL distribution points to perform a revocation check, the following or similar will be displayed in the output (the actual error will vary based on condition):

  ----------------  Certificate CDP  ----------------
  Failed "CDP" Time: 0
    Error retrieving URL: A connection with the server could not be established 0x80072efd (WIN32: 12029)
    http://DC1/CertSrv/Contoso%20Corporate%20Issuing%20CA.crl

 

Does each Domain Controller have a domain controller certificate?

  • Each domain controller in the domain needs a valid Domain Controller certificate.
  • If a standalone CA or 3rd Party CA is being used, Domain Controller certificates will need to be manually requested and installed.

For a full list of requirements for a 3rd party Domain Controller certificate, view:
291010 Requirements for Domain Controller Certificates from a Third-Party CA
http://support.microsoft.com/?id=291010

  • Check the authenticating domain controllers for this certificate by running:
    Certutil -store my

    This returns a list of all the certificates installed in the domain controller's Personal (My) certificate store.

================ Certificate 2 ================
Serial Number: 61b40644000000000004
Issuer: CN=Contoso Corporate Issuing CA, O=Contoso, C=US
Subject: CN=RJDC5.Contoso.net
Certificate Template Name: DomainController
Non-root Certificate
Template: DomainController, Domain Controller
Cert Hash(sha1): 82 ab 82 af 73 76 d1 52 40 01 74 71 03 54 b8 39 6d 00 18 72
  Key Container = 4c86cf1f699ee86033e502958ca4860d_e699ab56-a413-4766-914d-e6a735c4afdd
  Provider = Microsoft RSA SChannel Cryptographic Provider
Private key is NOT exportable
Encryption test passed

Can the Domain Controller certificates be validated?

The Domain Controller certificates:

  • Must not be expired
  • Must not be revoked
  • Revocation checking must not fail.

The easiest way to check for these conditions is to run the following on each domain controller:
Certutil -verifystore my

If the certificate has been revoked you will see the following at the bottom of the output:

Full chain:
  e8 8f 69 ba 15 8b cc a1 e1 a7 f1 16 29 13 e7 79 e9 88 28 9e
  Issuer: CN=Contoso Issuing CA, O=Contoso, C=US
  Subject: CN=DC1.Contoso.net
  Serial: 18d199a000000000000b
  Template: Domain Controller
  a1 34 d1 ac ba 9c 81 31 5c ba 50 f3 7f fa 78 b8 39 e1 61 05
The certificate is revoked. 0x80092010 (-2146885616)
------------------------------------
Certificate is REVOKED
Leaf certificate is REVOKED (Reason=2)

If the certificate has expired, you will see the following at the bottom of the output:

Full chain:
  9e 82 92 3d fc be 27 88 76 4b dd e1 31 e3 66 c0 de 76 39 60
  Issuer: CN=Contoso Issuing CA, O=Contoso, C=US
  Subject: CN=DC1.Contoso.net
  Serial: 4c7619e10001002110fd
  Template: Domain Controller
  39 b9 9c 41 45 8e 69 10 d2 69 45 01 f6 df 05 e8 e9 e3 4f 61
A required certificate is not within its validity period when verifying
against the current system clock or the timestamp in the signed file. 0x800b0101 (-2146762495)
------------------------------------
419.3401.0: 0x800b0101 (-2146762495)
Expired certificate
Leaf certificate revocation check passed

Can the certificate on the smart card be validated on the domain controller?

When the KDC receives the user's smart card certificate, it will use the CryptoAPI to build a certificate chain from the user's certificate to verify that it can be trusted.

The certificate:

  • Must have been issued by a trusted CA
  • Must not be expired
  • Revocation checking against this certificate must not fail.

 

To verify that the certificate chain can be built on the DC, do the following:

Export a copy of the smart card certificate, either from the CA or, on a workstation with the smart card inserted in the reader, by running:
Certutil -scinfo

Open the certificate, go to the Details tab, and click "Copy to file". Export the certificate to a file (DER format is fine) and copy the exported file to the authenticating domain controller. At the command prompt on the DC, run the following:

Certutil -verify -urlfetch cerexport.cer

If the certificate is not trusted because the root certificate is not in the trusted root store of the DC, the following will be displayed at the bottom of the output:

Full chain:
  68 05 b4 48 50 de 54 10 64 47 15 59 e8 1d fa 8d e4 d6 f8 5a
  Issuer: CN=Contoso Issuing CA, O=Contoso, C=US
  Subject: CN=One User, CN=Users, DC=Contoso, DC=net
  Serial: 61991547000000000019
  Template: Smart Card
  6c d0 03 08 65 cd fc cd 2a cb a8 a6 d0 5d 01 97 c5 c0 88 40
A certificate chain processed, but terminated in a root certificate
which is not trusted by the trust provider. 0x800b0109 (-2146762487)
------------------------------------
Verifies against UNTRUSTED root

If the certificate has been revoked you will see the following at the bottom of the output:

Full chain:
  e8 8f 69 ba 15 8b cc a1 e1 a7 f1 16 29 13 e7 79 e9 88 28 9e
  Issuer: CN=Contoso Issuing CA, O=Contoso, C=US
  Subject: CN=One User, CN=Users, DC=contoso, DC=net
  Serial: 18d199a000000000000b
  Template: Smart Card
  a1 34 d1 ac ba 9c 81 31 5c ba 50 f3 7f fa 78 b8 39 e1 61 05
The certificate is revoked. 0x80092010 (-2146885616)

------------------------------------
Certificate is REVOKED
Leaf certificate is REVOKED (Reason=2)

If the domain controller is unable to contact the CRL distribution points to perform a revocation check, the following or similar will be displayed in the output (the actual error will vary based on condition):

  ----------------  Certificate CDP  ----------------
  Failed "CDP" Time: 0
    Error retrieving URL: A connection with the server could not be established 0x80072efd (WIN32: 12029)
    http://DC1/CertSrv/Contoso%20Corporate%20Issuing%20CA.crl

If the certificate has expired, you will see the following at the bottom of the output:

Full chain:
  9e 82 92 3d fc be 27 88 76 4b dd e1 31 e3 66 c0 de 76 39 60
  Issuer: CN=Contoso Issuing CA, O=Contoso, C=US
  Subject: CN=One User, CN=Users, DC=contoso, DC=net
  Serial: 4c7619e10001002110fd
  Template: Smart Card
  39 b9 9c 41 45 8e 69 10 d2 69 45 01 f6 df 05 e8 e9 e3 4f 61
A required certificate is not within its validity period when verifying against
the current system clock or the timestamp in the signed file. 0x800b0101 (-2146762495)
------------------------------------
419.3401.0: 0x800b0101 (-2146762495)
Expired certificate
Leaf certificate revocation check passed
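
The three checks above (the issuing CA certificate, the domain controller certificates, and the smart card certificate on the DC) all end in the same four certutil outcomes: untrusted root, revoked, expired, or an unreachable CRL distribution point. The following script is an added example, not code from the original post, for triaging captured `certutil -verify -urlfetch` output by those HRESULT codes; `triage` and the SAMPLE_* strings are names chosen here, and the samples are constructed from the outputs shown in this post.

```python
"""Triage the tail of `certutil -verify -urlfetch <cert>` output.

Added example (not from the original post). Classifies a captured run by the
HRESULT codes certutil prints, pulls out the chain details and any failing
CDP URL, so a batch of exported certificates can be checked without reading
each output by hand.
"""
import re
import sys

# HRESULTs exactly as certutil prints them, in severity order: a revoked or
# expired certificate is conclusive, an unreachable CDP only means the
# revocation check could not finish.
CODE_REASONS = {
    "0x80092010": "certificate (or one in its chain) is revoked",
    "0x800b0101": "certificate is outside its validity period, or the clock is wrong",
    "0x800b0109": "chain ends in a root that is not in the Trusted Root store",
    "0x80072efd": "CRL distribution point unreachable; revocation check incomplete",
}
STATUS = dict(zip(CODE_REASONS, ("revoked", "expired", "untrusted_root", "revocation_check_failed")))
PRIORITY = list(CODE_REASONS)

_CODE_RE = re.compile(r"0x[0-9a-f]{8}", re.IGNORECASE)
_CHAIN_RE = re.compile(
    r"Issuer:\s*(?P<issuer>.+?)\s*\n"
    r"\s*Subject:\s*(?:Subject:\s*)?(?P<subject>.+?)\s*\n"  # tolerate a doubled label
    r"\s*Serial:\s*(?P<serial>\S+)\s*\n"
    r"\s*Template:\s*(?P<template>.+?)\s*$",
    re.MULTILINE,
)
_FAILED_CDP_RE = re.compile(r'Failed "CDP".*?Error retrieving URL:[^\n]*\n\s*(?P<url>\S+)', re.DOTALL)
_REVOKED_REASON_RE = re.compile(r"REVOKED \(Reason=(\d+)\)")


def triage(output):
    """Summarise one certutil -verify run as a dict of findings."""
    findings = {"status": "ok", "codes": [], "reasons": [], "failed_cdp_urls": [],
                "revocation_reason": None, "chain": None}
    chain = _CHAIN_RE.search(output)
    if chain:
        findings["chain"] = chain.groupdict()
    seen = []
    for code in _CODE_RE.findall(output):
        code = code.lower()
        if code in CODE_REASONS and code not in seen:
            seen.append(code)
    findings["codes"] = sorted(seen, key=PRIORITY.index)
    findings["reasons"] = [CODE_REASONS[c] for c in findings["codes"]]
    findings["failed_cdp_urls"] = [m.group("url") for m in _FAILED_CDP_RE.finditer(output)]
    reason = _REVOKED_REASON_RE.search(output)
    if reason:
        findings["revocation_reason"] = int(reason.group(1))
    if findings["codes"]:
        findings["status"] = STATUS[findings["codes"][0]]  # most severe finding wins
    return findings


# Constructed sample: the revoked smart card certificate tail shown in the post.
SAMPLE_REVOKED = """\
Full chain:
  e8 8f 69 ba 15 8b cc a1 e1 a7 f1 16 29 13 e7 79 e9 88 28 9e
  Issuer: CN=Contoso Issuing CA, O=Contoso, C=US
  Subject: CN=One User, CN=Users, DC=contoso, DC=net
  Serial: 18d199a000000000000b
  Template: Smart Card
  a1 34 d1 ac ba 9c 81 31 5c ba 50 f3 7f fa 78 b8 39 e1 61 05
The certificate is revoked. 0x80092010 (-2146885616)
------------------------------------
Certificate is REVOKED
Leaf certificate is REVOKED (Reason=2)
"""

# Constructed sample: a CRL distribution point that cannot be fetched.
SAMPLE_CDP_FAIL = """\
  ----------------  Certificate CDP  ----------------
  Failed "CDP" Time: 0
    Error retrieving URL: A connection with the server could not be established 0x80072efd (WIN32: 12029)
    http://DC1/CertSrv/Contoso%20Corporate%20Issuing%20CA.crl
"""


def main():
    # Usage: certutil -verify -urlfetch cerexport.cer > out.txt, then python triage.py out.txt
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_REVOKED
    f = triage(text)
    print(f"status: {f['status']}")
    for r in f["reasons"]:
        print(f"  - {r}")
    for url in f["failed_cdp_urls"]:
        print(f"  unreachable CDP: {url}")


if __name__ == "__main__":
    main()
```

Redirect the certutil output to a file on the machine doing the verification and pass the file to the script; with no argument it runs against the constructed revoked sample. A run that reports revocation_check_failed is not a verdict on the certificate, only on reachability of the CDP URL it prints, which is the next thing to test from that machine.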

 

Smart Card Related Documents

Smart Cards
http://www.microsoft.com/technet/security/guidance/identitymanagement/scard.mspx

Windows Vista Smart Card Infrastructure
http://www.microsoft.com/downloads/details.aspx?FamilyID=AC201438-3317-44D3-9638-07625FE397B9&displaylang=en

The Secure Access Using Smart Cards Planning Guide
http://www.microsoft.com/downloads/details.aspx?FamilyId=AD196BCE-876B-44E0-9E90-2A0C34446826&displaylang=en

The Smart Card Deployment Cookbook
www.microsoft.com/technet/Security/topics/smrtcard/smrtcdcb/default.mspx

The Smart Card Cryptographic Service Provider Cookbook
http://msdn.microsoft.com/library/en-us/dnscard/html/smartcardcspcook.asp

Windows Vista SP1 is here!!!

Yes you heard correctly - The long anticipated release of Windows Vista SP1 is here. Currently you can download it from the Microsoft Download Center and it will be pushed via Windows Update in April.

Things to know before you download Windows Vista SP1...
http://technet.microsoft.com/en-us/windowsvista/bb968859.aspx

  • Windows Vista SP1 is available in English, French, German, Spanish, and Japanese. Other languages will be made available soon.
  • Microsoft strongly recommends using Windows Update to download and install Windows Vista SP1 on single PCs:
    • The download size from Windows Update of Windows Vista SP1 for x86 is 65 MB (compared to 450 MB from the Microsoft Download Center).
    • The download size from Windows Update of Windows Vista SP1 for x64 is 125 MB (compared to 745 MB from the Microsoft Download Center).
  • Windows Update will recognize PCs with known problematic drivers and postpone downloading Windows Vista SP1 until the PC has updated drivers or other applicable updates. Using Windows Update will help ensure you have the most trouble-free update experience possible.

    Some Windows Vista users may encounter an issue with a small set of hardware devices that may not function properly after updating a Windows Vista PC to Windows Vista SP1. This is an issue with the way the device drivers were re-installed during the Windows Vista SP1 update process, not with the drivers themselves: these drivers worked on Windows Vista RTM and they work on Windows Vista SP1. This problem is typically corrected by simply uninstalling and reinstalling the driver. We are working with the manufacturers of these devices to get the known problematic drivers and their install programs updated, and also on other solutions we can use to ensure a smooth customer experience when updating to Windows Vista SP1 using Windows Update. For new PCs provisioned with Windows Vista SP1, this is not an issue.

    If you choose to install Windows Vista SP1 via the standalone installer available on the Microsoft Download Center, Microsoft advises that you first visit Windows Update and install all optional drivers. Read Knowledge Base Articles 948187 and 948343 for more information.

    If you have a prior version of the Windows Vista SP1 beta installed, you must uninstall it prior to installing the final version. Use the Control Panel applet "Programs and Features" and select "View installed updates" from the top left of the task pane. Under Windows, look for "Service Pack for Windows (KB936330)".

935791: How to obtain the latest Windows Vista service pack:
http://support.microsoft.com/kb/935791

32-bit
http://www.microsoft.com/downloads/info.aspx?na=22&p=43&SrcDisplayLang=en&SrcCategoryId=&SrcFamilyId=&u=%2fdownloads%2fdetails.aspx%3fFamilyID%3db0c7136d-5ebb-413b-89c9-cb3d06d12674%26DisplayLang%3den

64-bit
http://www.microsoft.com/downloads/info.aspx?na=22&p=42&SrcDisplayLang=en&SrcCategoryId=&SrcFamilyId=&u=%2fdownloads%2fdetails.aspx%3fFamilyID%3d874a414b-32b2-41cc-bd8b-d71eda5ec07c%26DisplayLang%3den

Here are some links to general information on the improvements in Vista SP1.

Overview of Windows Vista Service Pack 1
http://www.microsoft.com/downloads/details.aspx?FamilyId=39B802EA-B2CF-4585-8CEA-2CC6A6247CB3&displaylang=en
This white paper presents an overview of Windows Vista SP1 and the improvements it contains.

Notable Changes in Windows Vista Service Pack 1
http://www.microsoft.com/downloads/details.aspx?FamilyID=d69c4e1b-c81a-41be-b1f5-66e615ba5912&DisplayLang=en
This document provides more detail about the notable changes made to Windows Vista in Service Pack 1, which were focused on addressing specific reliability, performance, and compatibility issues, supporting new types of hardware, and adding support for several emerging standards.

Release Notes for Windows Vista Service Pack 1
http://www.microsoft.com/downloads/details.aspx?FamilyID=b5b681f5-f366-4ad2-ba10-6a7d209de7bd&DisplayLang=en
Release documentation that contains known issues for Windows Vista Service Pack 1 (SP1).

Hotfixes and security updates included in Windows Vista Service Pack 1
This document contains a list of all the hotfixes and security updates included in Windows Vista SP1.

Windows Vista SP1 Guides for IT Professionals
http://technet2.microsoft.com/WindowsVista/en/library/90a564b9-34af-4a6b-937f-324e1862244b1033.mspx
These guides will assist IT Professionals in evaluating and deploying Windows Vista SP1 and are downloadable versions of the SP1 guides found in the Windows Vista Technical Library.

Windows Vista SP1 Frequently Asked Questions
http://technet.microsoft.com/en-us/windowsvista/bb738089.aspx

Troubleshooting LDAP over SSL connectivity.

Hello All,

Today I would like to talk about troubleshooting LDAP over SSL connectivity issues. We will cover LDAP over SSL basics, how Subject Alternative Names (SANs) work, configuring Active Directory Application Mode (ADAM) for LDAP over SSL, and of course simple troubleshooting steps.

LDAP OVER SSL BASICS

In order to enable LDAP over SSL, the following server and client requirements must be met:

SERVER REQUIREMENTS

The server must have a certificate stored in the local machine store that meets the following criteria:

  • The certificate contains the Server Authentication EKU, OID 1.3.6.1.5.5.7.3.1.
  • The Subject name (CN) or the first DNS name in the SAN matches the FQDN of the host machine.
  • The certificate passes chain validation (trusted issuer, within its validity period, not revoked).
  • The host machine account has access to the private key.
    Note: Typically ADAM runs under a domain account as opposed to the Local System account. In this scenario the domain account must have access to the private key. This will be covered later in the post.

For an easy way to validate whether or not the machine has a valid certificate, we can run the following command:

Certutil -VerifyStore MY

The output will look similar to the following:

================ Certificate 0 ================
Serial Number: 4678576700000000000e
Issuer: CN=Contoso Issuing CA, DC=Contoso, DC=Com
Subject: CN=ServerName.Contoso.com
Certificate Template Name: Machine
Non-root Certificate
Template: Machine, Computer
Cert Hash(sha1): d9 14 d3 cc 54 e7 02 3e a3 99 e6 31 0c 46 3d 03 81 c0 a7 cf
  Key Container = e08a8f744d85c46b5494c876e5a9c7c2_17012b00-a428-4a32-bb81-3d15f8bc3c10
  Provider = Microsoft RSA SChannel Cryptographic Provider
Private key is NOT exportable
Encryption test passed
Verified Issuance Policies: None
Verified Application Policies:
    1.3.6.1.5.5.7.3.2 Client Authentication
    1.3.6.1.5.5.7.3.1 Server Authentication
Certificate is valid

Note: We can of course have multiple certificates in our certificate store.   So the value "================ Certificate 0 ================" refers to the first certificate in the store as the index values are zero based.

We can break down the output as follows:

Subject, i.e. the name that we specify for our LDAP over SSL connection. If the Subject field is empty and the name is carried only in the SAN, certutil shows it as:

Subject: EMPTY (DNS Name=ServerName.Contoso.com)

The following section lets us know that we have a valid private key:

Private key is NOT exportable
Encryption test passed

The following verifies the intended purpose of the certificate which is Server Authentication:

Verified Application Policies:
    1.3.6.1.5.5.7.3.1 Server Authentication

The last section verifies that the certificate is indeed valid, i.e. it chains to a trusted issuer, is within its validity period, and has not been revoked.

Certificate is valid
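
The breakdown above is exactly what you repeat for every certificate in the store when there are several. The following script is an added example, not code from the original post: it parses the per-certificate blocks that `certutil -verifystore MY` prints and reports which of the server requirements each one fails (Server Authentication EKU, name match with the host FQDN, chain validation, usable private key). The same parser reads the `Certutil -store my` listing used for the domain controller certificate check in the smart card post above. `parse_store`, `check_store` and SAMPLE_OUTPUT are names chosen here; the sample is constructed from this post's output, with a second certificate added whose private key is missing.

```python
"""Check the machine store against the LDAP over SSL server requirements.

Added example (not from the original post). Parses the text output of
`certutil -verifystore MY` and reports, per certificate, which requirements
it fails. An empty problem list means the certificate is usable for LDAPS.
"""
import re
import sys

SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"

_HEADER_RE = re.compile(r"^=+ Certificate (\d+) =+\s*$", re.MULTILINE)
_FIELD_RE = re.compile(r"^(Serial Number|Issuer|Subject|Template): (.*)$", re.MULTILINE)
_SAN_DNS_RE = re.compile(r"DNS Name=([^,)\s]+)")
_OID_RE = re.compile(r"^\s+(\d+(?:\.\d+)+)\b")


def _application_policies(body):
    """OIDs listed under 'Verified Application Policies:' (the indented lines)."""
    oids, collecting = [], False
    for line in body.splitlines():
        if line.startswith("Verified Application Policies:"):
            collecting = True
            continue
        if collecting:
            if not line.startswith(" "):
                break
            m = _OID_RE.match(line)
            if m:
                oids.append(m.group(1))
    return oids


def parse_store(output):
    """Split certutil -verifystore output into one dict per certificate."""
    parts = _HEADER_RE.split(output)  # [prefix, index, body, index, body, ...]
    certs = []
    for i in range(1, len(parts), 2):
        body = parts[i + 1]
        cert = {"index": int(parts[i]), "raw": body}
        for m in _FIELD_RE.finditer(body):
            cert[m.group(1)] = m.group(2).strip()
        cert["policies"] = _application_policies(body)
        certs.append(cert)
    return certs


def _names(cert):
    """Lower-cased CN plus any DNS names certutil shows on the Subject line.
    certutil only prints SAN names here when the Subject is EMPTY, so a CN that
    differs from the FQDN while the SAN matches needs `certutil -dump` to confirm."""
    subject = cert.get("Subject", "")
    names = {d.lower() for d in _SAN_DNS_RE.findall(subject)}
    cn = re.search(r"CN=([^,]+)", subject)
    if cn:
        names.add(cn.group(1).strip().lower())
    return names


def check_certificate(cert, fqdn):
    """Return the LDAPS server requirements this certificate fails (empty = usable)."""
    raw, problems = cert["raw"], []
    if SERVER_AUTH_OID not in cert["policies"]:
        problems.append(f"no Server Authentication EKU ({SERVER_AUTH_OID})")
    if fqdn.lower() not in _names(cert):
        problems.append(f"subject/SAN name does not match host FQDN {fqdn}")
    if "Certificate is valid" not in raw:
        problems.append("chain validation did not succeed (see the certutil error text)")
    if "Missing stored keyset" in raw or "No key provider information" in raw:
        problems.append("private key missing (request made elsewhere? try certutil -repairstore)")
    elif "Encryption test passed" not in raw and "Signature test passed" not in raw:
        problems.append("private key present but the key test did not pass")
    return problems


def check_store(output, fqdn):
    """Map certificate index -> list of problems for every certificate in the output."""
    return {c["index"]: check_certificate(c, fqdn) for c in parse_store(output)}


# Constructed sample: the post's valid certificate plus one with no private key.
SAMPLE_OUTPUT = """\
================ Certificate 0 ================
Serial Number: 4678576700000000000e
Issuer: CN=Contoso Issuing CA, DC=Contoso, DC=Com
Subject: CN=ServerName.Contoso.com
Certificate Template Name: Machine
Non-root Certificate
Template: Machine, Computer
Cert Hash(sha1): d9 14 d3 cc 54 e7 02 3e a3 99 e6 31 0c 46 3d 03 81 c0 a7 cf
  Key Container = e08a8f744d85c46b5494c876e5a9c7c2_17012b00-a428-4a32-bb81-3d15f8bc3c10
  Provider = Microsoft RSA SChannel Cryptographic Provider
Private key is NOT exportable
Encryption test passed
Verified Issuance Policies: None
Verified Application Policies:
    1.3.6.1.5.5.7.3.2 Client Authentication
    1.3.6.1.5.5.7.3.1 Server Authentication
Certificate is valid
================ Certificate 1 ================
Serial Number: 334205f9000000000022
Issuer: CN=Contoso Issuing CA, DC=Contoso, DC=Com
Subject: EMPTY (DNS Name=ServerName.Contoso.com)
Non-root Certificate
Cert Hash(sha1): a5 79 2f 21 82 99 4d f2 31 83 00 81 2c 84 85 3c 20 b7 5e 08
No key provider information
Missing stored keyset
Verified Issuance Policies: None
Verified Application Policies:
    1.3.6.1.5.5.7.3.1 Server Authentication
Certificate is valid
CertUtil: -verifystore command completed successfully.
"""


def main():
    # Usage: certutil -verifystore MY > store.txt, then python ldaps_check.py store.txt host.fqdn
    text = open(sys.argv[1], errors="replace").read() if len(sys.argv) > 1 else SAMPLE_OUTPUT
    fqdn = sys.argv[2] if len(sys.argv) > 2 else "ServerName.Contoso.com"
    for index, problems in check_store(text, fqdn).items():
        print(f"Certificate {index}: {'usable for LDAPS' if not problems else 'NOT usable'}")
        for p in problems:
            print(f"  - {p}")


if __name__ == "__main__":
    main()
```

The check does not cover the last requirement in the list, access to the private key by the account ADAM runs under; that is a permission on the key container rather than anything certutil prints in this listing.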

Now we can of course run into issues as they relate to certificate validation. These fall primarily into one of two categories: issues with the private key, and issues with certificate chaining. We will cover the private key first.

Private Key

A typical error message would be:

No Key Provider Information or Missing Stored Keyset

This problem is due to a missing private key.  We can confirm this by looking for the following in the Certutil output:

Cert Hash(sha1): a5 79 2f 21 82 99 4d f2 31 83 00 81 2c 84 85 3c 20 b7 5e 08
No key provider information
Missing stored keyset

The usual cause of this problem is that the certificate request was generated on one machine and the certificate was installed on a different machine.

When we generate a certificate request, the client generates a key pair, places the public key in the request and signs the request with the private key, which stays on that machine. When the certificate comes back from the CA, it can be matched to the request (and so to the private key) by that public key, which is why the repair only works on the machine that generated the request.

So the first step in resolving the issue is verifying which machine the certificate request was generated on.   We can then go to that machine and run the following command to associate the certificate with private key container:

C:\>Certutil -RepairStore MY 0
================ Certificate 0 ================
Serial Number: 334205f9000000000022
Subject:
    CN=MachineName.Contoso.com
Non-root Certificate
Cert Hash(sha1): a5 79 2f 21 82 99 4d f2 31 83 00 81 2c 84 85 3c 20 b7 5e 08
  Key Container = 574d09d6-9ea4-4a64-9a2a-dc1dfabd97c9
  Provider = Microsoft Enhanced Cryptographic Provider v1.0
Private key is exportable
Signature test passed
CertUtil: -repairstore command completed successfully.

We have now associated the certificate with its private key. If this command fails, the private key is not in the machine store on this computer either; if the key container cannot be located anywhere, we will need to request a new certificate. If the private key is marked as exportable, we can export the certificate together with its private key (as a PFX) and import it on the appropriate machine. If not, we need a new certificate.

Certificate Validation Errors

Certificate validation is the process of verifying that the information in the certificate is authentic, that the certificate is used only for its intended purpose, and that it chains to a trusted issuer.

If we have a validation issue we will see one of the following errors at the very bottom of the Certutil output:

Example 1:

A required certificate is not within its validity period when verifying against the current system clock or the timestamp in the signed file. 0x800b0101 (-2146762495)
------------------------------------
Expired certificate

CertUtil: -verifystore command completed successfully.

Example 2

The certificate is revoked. 0x80092010 (-2146885616)
------------------------------------
Certificate is REVOKED
Leaf certificate is REVOKED (Reason=6)
CertUtil: -verify command completed successfully.

Example 3

A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. 0x800b0109 (-2146762487)
------------------------------------
Verifies against UNTRUSTED root

CertUtil: -verifystore command completed successfully.

Example 4

An int