Suraj Singh's information Security Blog

For people who work on information Security.
Options
Search Blogs
Tags
Archive
Archives

April, 2013

TechNet Blogs » Suraj Singh's information Security Blog » April, 2013
Sort by: Most Recent | Most Views | Most Comments
Excerpt View | Full Post View

  • TMG Reporting- User activity and Monthly recurring reports are blank.

    Posted over 1 year ago
    by Suraj Singh MSFT}

    This one is about few reporting cases; I have worked on last few weeks. I had noticed few things and wanted to share them with all. There are few misconceptions and few things which are not clear about reporting and user activity reports ,which I thought to clear out  here and some troubleshooting to resolve a reporting issue.

    As usual I will start with an issue, so we had an environment of EMS server and two firewall nodes of TMG 2010. One of the nodes was acting as reporting server. Problem was that user activity report and monthly recurring report were showing up blank. One time report was working fine. While generating user activity report, we were getting an error

    Forefront TMG Error

    The operation failed.

    Error: 0xc00403ec

    The Microsoft Forefront TMG Control service could not be accessed. The error occurred on object 'Reports' of class 'Reports Configuration' in the scope of array 'Array name'

    If we try to generate the user activity reports from the Reporting services manager, they were still showing blank results. We checked in event viewer but could not find event related to ISARS and no in TMG for reporting.

    Troubleshooting Approach.

    We seemed to be facing multiple issues here, so planned to resolve them one by one.

    First of all , I wanted to hit the user activity blank report, I have seen many instances where we do not have an access rule that forces users to authenticate while accessing internet. If we won’t ask users to authenticate , we won’t get user information in the logs as well, as a result , pulling out user account based reports will be result less task, as logs would not have users information at all, If we look at the log fields of the TMG live logs, we will find a field call username, if we have access rules which do not
    force users to authenticate while accessing internet and have “all users” in the users property of the access rule, then username field would have a value “anonymous” ,hence you can’t fetch reports based on a user as that username was never captured on the TMG server as , we never configured TMG to ask user to send his credentials.

     So what’s the best way regarding this, Best way is to create web access rule with authentication i.e. with either user group based access or have “all authenticated” users in the users property of the access rule.

    In our scenario, that’s what I discovered we did not have access rules that were authenticating the user while accessing internet. So we created access rule that will only allow access to internet if user is authenticated i.e. we now had “all authenticated” in the user’s tab of the internet access rule. We could also have entered a user group here but in this scenario TMG admin did not have user groups, so we went with “all authenticated”. 

    After that we tested user activity reports from the Reporting services manager and we now had user activity report with results.

    Next challenge, was the error we were getting while trying to generate the report from TMG console even from the reporting server itself. But that itself was not a big challenge as we have an Kb article about that, all I had to do was search for the error code we were getting i.e. “0xc00403ec”

    Kb article is http://support.microsoft.com/kb/2624178

    Configuring the reg keys did the job in this scenario; we put the reg keys both on EMS as well as on the nodes as we now were getting the reports from the TMG console as well.

     

    Next challenge was the monthly recurring report, weekly and daily recurring reports were working fine, for that I suggested them to configure the monthly recurring report properties, i.e.  set the day to run property to 1 and then we set up the date when it will run the monthly report to next month’s first day e.g. 1st march 2013 so that monthly report will be generated on 1st march. Then we waited till that day and we had our working monthly recurring report as well. We could have set 2nd of the march as well it’s just that we wanted run report as quick as possible property “set the day to run” is different from the date on which report will run.

     

     

     

  • Getting error- 20152–500 Internal server Error (Data is invalid.) while accessing a web application published through TMG server.

    Posted over 1 year ago
    by Suraj Singh MSFT}

    In this scenario, TMG admin had published a web application through the TMG server, There was client side application as well on the clients, when users access the application using this client piece, they were getting error

    “error- 20152–500 Internal server Error (Data is invalid.)” in a window apart from the name of the application in the error message.

    TMG admin had noticed in the TMG live logs that they were getting “status 13 -data invalid”

     

     Data analysis and Troubleshooting.

    We collected TMG data packager from the TMG server ,while trying to connect from the client. In the Data, I tracked the client’s request in the TMG live logs, where we were getting result code as 13, then using the corresponding Request id in the live logs ( i have explained this technique in this blog post of mine, http://blogs.technet.com/b/sooraj-sec/archive/2012/11/07/data-analysis-using-with-tmg-data-packager.aspx).

    Then In the TMG trace found following

    ***********************************************************************************************************************************

    Info:0000000038EEA540: the client ask for compression different than gzip. The filter remove it

    Info:Filter called GetServerVariable: 'IS_CHUNKED_REQUEST', Context:0000000038EEA540

    Info:[GetHeader]:'Transfer-Encoding:' - the requested header wasn't found.

    Info:[GetServerVariable]:'IS_CHUNKED_REQUEST' - Returned value:'0', Context:0000000038EEA540

    Entering CalcRequestContentLengthInfo:Filter called GetServerVariable: 'REQUEST_CONTENT_LENGTH', Context:0000000038EEA540

    Info:[GetHeader]: 'Content-Length:', Returned Value: 'xxxx,xxxx'.

    Info:[GetServerVariable]:'REQUEST_CONTENT_LENGTH' - Returned value:'xxxx,xxxx', Context:0000000038EEA540

    ERROR:pContentLength->FromDecimalString(xxxx,xxxx) failed, hr=0x8007000d(ERROR_INVALID_DATA).

    ERROR:CalcRequestContentLength() failed dwError = 13(ERROR_INVALID_DATA)

    ERROR:OnClientPreProcHeaders() failed dwError = 13(ERROR_INVALID_DATA)

    Info:Rejecting the request

    Info:WPPISAPUBLIC:Returning error text "The data is invalid. " for error code 13(ERROR_INVALID_DATA)

    Noise:WPPISAPUBLIC:(x.x.x.x:xxxx <== x.x.x.x:xxxx), xxxx bytes, "HTTP/1.1 500"

    --------------------------------------------------------

    Info: WPPISAPUBLIC:Context property:Cache info = 0x0

    Info: WPPISAPUBLIC:Context property:Error info = 0x200

    Info: WPPISAPUBLIC:Context property:Filter info = Req ID: xxxxxx

    Info: WPPISAPUBLIC:Context property:Result code = 13

    Info: WPPISAPUBLIC:Context property:Response source = 0x00000000(fpcSrcUnknown)

    *******************************************************************************************************

    It seemed that the client application was asking for compression method other then gzip and then TMG was not able to understand and was failing to calculate the content-length, Once I explained that to the TMG admin, they removed the content-length header from the client application side and then tested and after that issue did not happen.

    Ideally they should have configured the client application with gzip compression but they went with removal of content-length header. But I guess they were happy with the outcome.