Suraj Singh's ISA server Blog

UAG Form Login SSO - Lessons from field

2013-05-06T17:30:00Z

This is next part of my UAG authentication presentation blogpost, where I am going to discuss about the form login authentication. I am a big fan of Ben Ari and usually follow his suggestions provided in his blog post for form login SSO
http://blogs.technet.com/b/ben/archive/2010/09/02/uag-custom-form-login.aspx

Usually it’s not possible to cover everything in single blog post. In this blog post I’m adding to the suggestions provided by my friend Ben in his blog using Troubleshooting approach I took on a case.

I was working on a case, where customer has changed his logon form page on his website, after that Single Sign On through UAG stopped working. After login to the portal ,when user tries to open the application, he was getting the logon form, instead of the application. I did view source of the page and found that autosubmit script was not getting injected into the logon page.

Troubleshooting Approach

1. URL of the logon page, I asked Admin to open IE on the UAG server itself, then access the websites logon page and from there I got the URL of the logon page.

2. The Form ,After the page was opened in the browser, I viewed the source of the page and copied the whole HTML. I will put my sample form page from my lab (not actual problem logon page) for reference here.

*********************************************************************************

<html>

<head>

</head>

<body>

Username <input name="contoso_username" type="text" value="" />

Password <input name="contoso_password" type="password" />

</form>

</body>

</html>

*********************************************************************************

3. After looking at the form, I noticed that the name of the form had changed, it was fabrikam-form earlier and now it was contosoform, so in the formlogin.xml file, I changed the name of the form, which is highlighted in the form login section
for that application below

*******************formlogin.xml for the application****************

<APPLICATION_TYPE> contosotest</APPLICATION_TYPE>

<PRIMARY_HOST_URL>.*</PRIMARY_HOST_URL>

<SECONDARY_HOST_URL>.*</SECONDARY_HOST_URL>

<SCRIPT_NAME source="data_definition">FormLoginSubmitStandard</SCRIPT_NAME>

<USER_AGENT>

<AGENT_TYPE search="group">all_supported</AGENT_TYPE>

<POLICY>multiplatform</POLICY>

<SCRIPT_NAME source="data_definition">FormLoginHandler</SCRIPT_NAME>

</USER_AGENT>

<MULTIPLE_LOGIN>true</MULTIPLE_LOGIN>

<LOGIN_FORM>

<NAME> contosoform</NAME>

<NAME>contoso_username</NAME>

<DEF_VALUE>uname</DEF_VALUE>

</CONTROL>

<TYPE>PASSWORD</TYPE>

<NAME>contoso_password</NAME>

<DEF_VALUE>pwd</DEF_VALUE>

</CONTROL>

</LOGIN_FORM>

</USAGE>

</APPLICATION>

****************************************************************

4. After modifying the formlogin.xml at (C:\Program Files\Microsoft Forefront Unified AccessGateway\von\Conf\WizardDefaults\FormLogin\CustomUpdate\FormLogin.xml) on the UAG server and activating the configuration, we tested SSO and it was still not working.

5. Data analysis : Took UAG trace while doing Repro of the issue and found following in the tracing

*************************************************************

Entering CProcessForm::PreProcessInputData CProcessForm::PreProcessTag(), Start

Exiting from CProcessForm::PreProcessInputData CProcessForm::PreProcessTag(), End

Exiting from CProcessForm::PreProcessInputData PreProcessInputData()::End

Info:INFO: ProcessBufferFromRWS():(wfeID=000000000570EAB0) Required form Name/ID not found but should be : not a formlogin - not processing

*************************************************************

6. Then I noticed that not just the name of the form has changed but the tag to name the form, has also changed in the new logon page i.e. earlier they were using Name=”contosoform” and now they are using ID="contosoform" i.e they had Name to identify form earlier now they were using ID.

7. When I compared that with the formlogin.xml for this application , the part which deals with it i.e.

<NAME> contosoform </NAME>

And I could clearly see that XML tags do not match the tags of the logon form as in XML we have <NAME></NAME> tags and in the form we have “ID” to identify the form. So I modified this tag to

<ID> contosoform</ID>

in the formlogin.xml .After making this change in formlogin.xml, Activated the UAG config and tested, then we got a message on the client screen, saying that we have more than one form. I once again did view source of the page and found that autosubmit script was getting injected. I searched the form tags and found that there were two forms on the logon page.

8. Default Autosubmit script which is :

**********************************************

**********************************************

We can see that, this script checks that, if there is only one form in the logon page, if yes then submit that form else send an alert message “more than one form”.

9. If we have more than one form on the logon page, then we need to use custom script and modify the form login.xml as well, to mention this custom script. I have an amazing friend called Stanley George who had this custom script ready and tested. He gave me this script

***********************************************

function FormLoginSubmit()

{

document.getElementById('login-form').submit();

return false;

}

***********************************************

I put this script file at location (C:\Program Files\Microsoft Forefront Unified Access Gateway\von\Conf\Websites\<trunkname>\conf\Autosubmit_contoso.js) on all the nodes of the UAG array. When we use custom script, we also need to modify the formlogin.xml for that application, under the following section

<SCRIPT_NAME source="file"> Autosubmit_contoso.js </SCRIPT_NAME>

10. After this change in formlogin.xml, I activated the UAG configuration and tested again and Now SSO was working fine.

11. I also made my final formlogin.xml to be little more specific with the URL , after all the changes the working formlogin.xml will look like this.

*************************************************************************

<APPLICATION_TYPE>Contosotest</APPLICATION_TYPE>

<PRIMARY_HOST_URL>.*login\.html.*</PRIMARY_HOST_URL>

<SECONDARY_HOST_URL>.*login\.html.*</SECONDARY_HOST_URL>

<SCRIPT_NAME source="file">Autosubmit_contoso.js</SCRIPT_NAME>

<USER_AGENT>

<AGENT_TYPE search="group">all_supported</AGENT_TYPE>

                         <POLICY>multiplatform</POLICY>

<SCRIPT_NAME source="data_definition">FormLoginHandler</SCRIPT_NAME>

</USER_AGENT>

<MULTIPLE_LOGIN>true</MULTIPLE_LOGIN>

<LOGIN_FORM>

<ID>contosoform</ID>

<NAME>contoso_username</NAME>

<DEF_VALUE>uname</DEF_VALUE>

</CONTROL>

<TYPE>PASSWORD</TYPE>

<NAME>contoso_password</NAME>

<DEF_VALUE>pwd</DEF_VALUE>

</CONTROL>

</LOGIN_FORM>

</USAGE>

</APPLICATION>

*************************************************************************

Note: When you test form login SSO or APPwrap, Please clear the browser cache before testing the changes as browser caches the html content and at times even after making the change in the fomlogin or in the script you may not see the results or change in the results.

I am preparing a presentation on this topic as part 2 of my previous UAG authentication presentation, This presentation will further simplify what Ben has explained in his post and would add up my experiences in it.

Generating netstat output when a specific event occurs in the eventlog-using Powershell

2013-05-03T21:30:00Z

I was working on a case, where I needed to get netstat outpiut to understand certain connections behavior and I needed to do that for a particular event in the event log. It was really difficult to get this output exactly at the time this event was occuring. So I started working on it in my lab. I used my previous blog post about nmcap and eventmon and idea of powershell, which is a amazing tool and technology.

for event id I did not have to do much, i used the same script mentioned in my previous blog post where i had reference: http://blogs.technet.com/b/netmon/archive/2007/02/22/eventmon-stopping-a-capture-based-on-an-eventlog-event.aspx

I simplified that in my blog post : http://blogs.technet.com/b/sooraj-sec/archive/2011/12/23/using-eventmon-and-nmcap-to-take-network-monitor-trace-when-a-particular-event-is-generated.aspx Now i m trying to modify it further to get netstat output when an event occurs.

Step1 :Copy the contents of the script given in above post shown below in a notepad and save it as EvtMon.vbs and put this in a folder lets call it netstat and in my lab i put it in c:\netstat location

'======================================================================
' Print out the help when something is not typed in correctly or when
' nothing at all is typed in.

Public Sub PrintHelp
    Wscript.Echo "Usage:"
    Wscript.Echo " EvtMon EventNumber [LogFileDisplayName]"
    Wscript.Echo "    LogFile is optional. If used, the eventlog name"
    Wscript.Echo "    file ie, application, system, security, etc..."
End Sub

' Get the arguments. Check for event nubmer and log file as arugments
Set objArgs = WScript.Arguments

' See how many arguments we have and colect them.
if objArgs.Count < 1 OR objArgs.Count > 2 Then
    PrintHelp
ElseIf objArgs.Count > 1 Then
    EventNumber = objArgs(0)
    LogFile = objArgs(1)
Else
    EventNumber = objArgs(0)
    LogFile = ""
End If

If EventNumber <> "" Then

    strComputer = "."

    ' Attatch to the WMI Service
    Set objWMIService = GetObject("winmgmts:{(Security)}\\" & _
            strComputer & "\root\cimv2")

    ' if the LogFile is populated add this to our query. Create a
    ' Event Log monitoring object and send it a query.
    If LogFile = "" Then
        Set colMonitoredEvents = objWMIService.ExecNotificationQuery _
            ("Select * from __InstanceCreationEvent Where " _
                & "TargetInstance ISA 'Win32_NTLogEvent' " _
                    & "and TargetInstance.EventCode = '" _
                    & EventNumber & "'")
    Else
        Set colMonitoredEvents = objWMIService.ExecNotificationQuery _
            ("Select * from __InstanceCreationEvent Where " _
                & "TargetInstance ISA 'Win32_NTLogEvent' " _
                    & "and TargetInstance.EventCode = '" _
                    & EventNumber _
                    & "' and TargetInstance.LogFile = '" _
                    & LogFile & "'")
    End If

    ' Create an object which returns when the next event occurs.
    Set objLatestEvent = colMonitoredEvents.NextEvent

    ' Print some info based on the event log we encountered.
    Wscript.Echo objLatestEvent.TargetInstance.User
    Wscript.Echo objLatestEvent.TargetInstance.TimeWritten
    Wscript.Echo objLatestEvent.TargetInstance.Message
    WScript.Echo objLatestEvent.TargetInstance.Logfile
    Wscript.Echo
End If

Step2 : Copy the contents of the batch file below in a notepad and save it as netstat.bat in same folder

@echo off

cscript //NoLogo EvtMon.vbs %2 %3
powershell.exe -command "& netstat -ano | Out-file c:\netstat\netstat.txt
ping -n 1 4.3.2.1
goto :EOF

Note: You can see that I m taking output of the file at location c:\netstat\netstat.txt

Usage : After saving the two files at c:\netstat folder, Open up a elevated command prompt and then go to the folder, where we have saved these two files and then run command(this is an example command here, 1502 is the event id) -> netstat ports 1502

reference snapshots below

Note : once you run this command it just waits for the event to occur

This event "1502 "gets generated when you update the group policy , I used this event in my lab, for a quick repro as whenever you run gpupdate/force this event will be generated, so I ran gpupdate /force as shown below

after this I got 1502 event and got my netstat output as well as you can see in my snapshot below

for people who like to experiment, the batch file can be modified to get a filtered out put as shown below, in following batch file i filtered the output for filtered connections, similarly we can filter for other connection stated , even more specificaly the attacks e.g. half open connections, which show up as "Syn_received"

***********************************************

@echo off

cscript //NoLogo EvtMon.vbs %2 %3

powershell.exe -command "& netstat -aonp TCP | select-string "ESTABLISHED" | Out-file c:\netstat\netstat.txt

ping -n 1 4.3.2.1
goto :EOF

***********************************************

Getting error- 20152–500 Internal server Error (Data is invalid.) while accessing a web application published through TMG server.

2013-04-22T16:34:02Z

In this scenario, TMG admin had published a web application through the TMG server, There was client side application as well on the clients, when users access the application using this client piece, they were getting error

“error- 20152–500 Internal server Error (Data is invalid.)” in a window apart from the name of the application in the error message.

TMG admin had noticed in the TMG live logs that they were getting “status 13 -data invalid”

Data analysis and Troubleshooting.

We collected TMG data packager from the TMG server ,while trying to connect from the client. In the Data, I tracked the client’s request in the TMG live logs, where we were getting result code as 13, then using the corresponding Request id in the live logs ( i have explained this technique in this blog post of mine, http://blogs.technet.com/b/sooraj-sec/archive/2012/11/07/data-analysis-using-with-tmg-data-packager.aspx).

Then In the TMG trace found following

***********************************************************************************************************************************

Info:0000000038EEA540: the client ask for compression different than gzip. The filter remove it

Info:Filter called GetServerVariable: 'IS_CHUNKED_REQUEST', Context:0000000038EEA540

Info:[GetHeader]:'Transfer-Encoding:' - the requested header wasn't found.

Info:[GetServerVariable]:'IS_CHUNKED_REQUEST' - Returned value:'0', Context:0000000038EEA540

Entering CalcRequestContentLengthInfo:Filter called GetServerVariable: 'REQUEST_CONTENT_LENGTH', Context:0000000038EEA540

Info:[GetHeader]: 'Content-Length:', Returned Value: 'xxxx,xxxx'.

Info:[GetServerVariable]:'REQUEST_CONTENT_LENGTH' - Returned value:'xxxx,xxxx', Context:0000000038EEA540

ERROR:pContentLength->FromDecimalString(xxxx,xxxx) failed, hr=0x8007000d(ERROR_INVALID_DATA).

ERROR:CalcRequestContentLength() failed dwError = 13(ERROR_INVALID_DATA)

ERROR:OnClientPreProcHeaders() failed dwError = 13(ERROR_INVALID_DATA)

Info:Rejecting the request

Info:WPPISAPUBLIC:Returning error text "The data is invalid. " for error code 13(ERROR_INVALID_DATA)

Noise:WPPISAPUBLIC:(x.x.x.x:xxxx <== x.x.x.x:xxxx), xxxx bytes, "HTTP/1.1 500"

--------------------------------------------------------

Info: WPPISAPUBLIC:Context property:Cache info = 0x0

Info: WPPISAPUBLIC:Context property:Error info = 0x200

Info: WPPISAPUBLIC:Context property:Filter info = Req ID: xxxxxx

Info: WPPISAPUBLIC:Context property:Result code = 13

Info: WPPISAPUBLIC:Context property:Response source = 0x00000000(fpcSrcUnknown)

*******************************************************************************************************

It seemed that the client application was asking for compression method other then gzip and then TMG was not able to understand and was failing to calculate the content-length, Once I explained that to the TMG admin, they removed the content-length header from the client application side and then tested and after that issue did not happen.

Ideally they should have configured the client application with gzip compression but they went with removal of content-length header. But I guess they were happy with the outcome.

TMG Reporting- User activity and Monthly recurring reports are blank.

2013-04-07T05:33:21Z

This one is about few reporting cases; I have worked on last few weeks. I had noticed few things and wanted to share them with all. There are few misconceptions and few things which are not clear about reporting and user activity reports ,which I thought to clear out here and some troubleshooting to resolve a reporting issue.

As usual I will start with an issue, so we had an environment of EMS server and two firewall nodes of TMG 2010. One of the nodes was acting as reporting server. Problem was that user activity report and monthly recurring report were showing up blank. One time report was working fine. While generating user activity report, we were getting an error

“

Forefront TMG Error

The operation failed.

Error: 0xc00403ec

The Microsoft Forefront TMG Control service could not be accessed. The error occurred on object 'Reports' of class 'Reports Configuration' in the scope of array 'Array name'

“

If we try to generate the user activity reports from the Reporting services manager, they were still showing blank results. We checked in event viewer but could not find event related to ISARS and no in TMG for reporting.

Troubleshooting Approach.

We seemed to be facing multiple issues here, so planned to resolve them one by one.

First of all , I wanted to hit the user activity blank report, I have seen many instances where we do not have an access rule that forces users to authenticate while accessing internet. If we won’t ask users to authenticate , we won’t get user information in the logs as well, as a result , pulling out user account based reports will be result less task, as logs would not have users information at all, If we look at the log fields of the TMG live logs, we will find a field call username, if we have access rules which do not
force users to authenticate while accessing internet and have “all users” in the users property of the access rule, then username field would have a value “anonymous” ,hence you can’t fetch reports based on a user as that username was never captured on the TMG server as , we never configured TMG to ask user to send his credentials.

So what’s the best way regarding this, Best way is to create web access rule with authentication i.e. with either user group based access or have “all authenticated” users in the users property of the access rule.

In our scenario, that’s what I discovered we did not have access rules that were authenticating the user while accessing internet. So we created access rule that will only allow access to internet if user is authenticated i.e. we now had “all authenticated” in the user’s tab of the internet access rule. We could also have entered a user group here but in this scenario TMG admin did not have user groups, so we went with “all authenticated”.

After that we tested user activity reports from the Reporting services manager and we now had user activity report with results.

Next challenge, was the error we were getting while trying to generate the report from TMG console even from the reporting server itself. But that itself was not a big challenge as we have an Kb article about that, all I had to do was search for the error code we were getting i.e. “0xc00403ec”

Kb article is http://support.microsoft.com/kb/2624178

Configuring the reg keys did the job in this scenario; we put the reg keys both on EMS as well as on the nodes as we now were getting the reports from the TMG console as well.

Next challenge was the monthly recurring report, weekly and daily recurring reports were working fine, for that I suggested them to configure the monthly recurring report properties, i.e. set the day to run property to 1 and then we set up the date when it will run the monthly report to next month’s first day e.g. 1^st march 2013 so that monthly report will be generated on 1^stmarch. Then we waited till that day and we had our working monthly recurring report as well. We could have set 2^nd of the march as well it’s just that we wanted run report as quick as possible property “set the day to run” is different from the date on which report will run.

UAG DA Manage-out another mystery-intranet firewall.

2013-03-24T08:54:00Z

We know there are certain basic requirements or shall i say pre-requisites for the UAG DA manage out scenario to work. I was engaged on a case recently ,where the consultant started with listing out, what he has in place to make sure UAG DA manage out should be working. He was right in the items he mentioned.

For benefit of readers , I m putting certain parts of the list.

DirectAccess client has registered its IPv6 address and name in DNS and that it can be resolved by the Inside-Out management machine.
The Inside-Out management machine is configured with IPv6 via ISATAP
The Inside-Out management machine has registered its IPv6 address and name in DNS and can be resolved successfully.
The ISATAP router name is resolving to the internal interfaces of the DirectAccess server acting as the ISATAP router, the 2 x servers dedicated IP addresses plus the virtual IP address, so 3 addresses in total all resolving to the ISATAP name.
The Intranet Firewall is allowing Protocol 41 (IPv6 encapsulation) to UAG servers in both directions.
Any required, client side firewall rules are in place on the remote DirectAccess clients.
The Inside-Out management machines have been added to the management servers group on the DirectAccess servers, so as to allow management before the remote user logs on and establishes the Intranet tunnel.
Not affected by the setting in this article DirectAccess Manage Out fails for any non-ICMP traffic in Forefront Unified Access Gateway 2010, causing custom security policies regarding the local security rights for the DirectAccess Manage-Out machine and clients (modifying the setting "Access this computer from the network").

Above list is very comprehensive, prepared by the consultant and if we have all this in place then UAG DA inside-out access should work. In this particular scenario UAG DA outside in access i.e. the usual remote access was working. In customer environment, they were using IP-HTTPS hence edge traversal was also out of question as per Tom Shinder's post here http://blogs.technet.com/b/tomshinder/archive/2010/12/01/uag-directaccess-and-the-windows-firewall-with-advanced-security-things-you-should-know.aspx

Troubleshooting/Data analysis/Solution

To Start with I started looking at the first end point of this scenario i.e. the server from which we were trying to access the external DA client machine. Found that the server was not getting the ISATAP IPV6 address(seen in the output of the Ipconfig /all on the server). So my chain of thoughts started with this theory i.e. We know that ISATAP client will get its IP address from the ISATAP router and to reach ISATAP router,first it should be able to resolve name ISATAP. So I checked, if server is able to resolve the ISATAP to the UAG DA server's VIP and we pinged ISATAP from the command prompt of the server, that did resolve to the UAG DA server's VIP.

We took DA scenario tracing from the server and the UAG DA server nodes, while restarting IP helper service on the server(from where we were trying to connect the DA client). In the traces i found that UAG DA server was getting the Router solicitations but it was not sending back the Router advertisement back which does the Ip provisioning and ISATAP client gets the IPV6 address. you can double click on the image below to zoom it.

Since UAG DA server has TMG on it as well, I looked at the TMG live logs while restarting the IP helper service on the Server (from where we were trying to connect the DA client). From TMG live logs , we could see that TMG was allowing the traffic ,no denying of this traffic from the server. We also removed a third party anti virus from the UAG DA server to rule out if that could be dropping the packets. We finally found out that the intranet firewall between the UAG DA server and the internal server(from where we were trying to connect the DA client) was blocking the IP protocol 41, Once it was allowed , server (from where we were trying to connect the DA client) started getting IPV6 ISATAP address and inside-out started working fine.

So in the end , I would say the list above is really good and we can use it as check list and would like to appreciate the consultant who put that list, we just need to make sure we are implementing each point correctly.

Outbound Proxy and SecureNAT requests stop working intermittently on TMG 2010. Restarting the Firewall Service seems to resolve the issue temporarily.

2013-01-25T20:30:00Z

I worked on this case few months back, since it was a very interesting issue and lot of work had happened before it came to me, I thought of sharing it with all. So issue was with the web proxy and secureNAT clients, they would stop working intermittently. It required a restart of the firewall service to resolve the issue.

When this case came to me ,We already had data collected at the time of the issue.

Data analysis

So I had to do look at the data and find out if the already collected was pointing to anything that can resolve the issue. Data collected was TMG data packager collected on the TMG server. I found out the client IP from case details and then started looking at the network capture collected by the TMG data packager on the internal NIC, since it was an internal client.

In the network captures I found a very strange behavior, which we can see below

zoomed view

From here we can see that TMG was reseting the connection after it was getting syn packet from the client machine, it was not even letting the TCP handshake to complete. The whole traffic from client had met with same treatment from TMG. This was really strange. To find out why TMG was reseting this clients connection before even letting the TCP handshake to complete, I looked at the ISAtracing log collected by TMG data packager.

Where I Saw same behavior, however reason was still not clear from the tracing as well.

I also looked at netstat logs collected by TMG data packager and found huge number of connections in Close_wait state

note: click on picture below to have zoomed view.

I did further research on it and found that it could happen because of what is mentioned in Kb http://support.microsoft.com/kb/2577795 i.e. Under the cause part

This issue occurs because of a race condition in the Ancillary Function Driver for WinSock (Afd.sys) that causes sockets to be leaked. With time, the issue that is described in the "Symptoms" section occurs if all available socket resources are exhausted.

Solution

so solution was to upgrade the afd.sys. I checked the OS version on the TMG server , it was windows server 2008 R2 standard. Since it was a networking component, I engaged our networking team to find out the best way to upgrade to the latest afd.sys. Suggestion I got from the networking team was to first upgrade to windows server 2008 sp1 and then do windows update. We noted the file version of afd.sys and tcp.sys as well .Then followed the suggestion of our networking team. Then noted down the versions of the files again to make sure they have upgraded to a level equal or above the version mentioned in KB, After we upgraded, we then monitored if the issue comes back again. It never came back again.

TMG performance counters template and counter Thresholds

2013-01-07T10:49:00Z

Many times, my peers ask for and sometime I also need this template to use while troubleshooting TMG server performance related issues. So thought of putting this template on my blog post, it shall be easily available to all.

Please download and use instructions in this link to use it.

http://technet.microsoft.com/en-us/library/cc749337.aspx

Thanks, please let me know if you face any problem configuring it.

In case you were able to use it and need a reference point to understand varous counter thresholds, please refer to following link for thresholds

http://social.technet.microsoft.com/wiki/contents/articles/isa-server-performance-matrix.aspx (by Yuri)

and another amazing one, that gives very good idea for assessment

http://blogs.isaserver.org/shinder/2008/10/21/tips-for-isa-firewall-performance-assessment/ (by Jim Harrison : TMG/ISA' Big Daddy/posted by TOM(ISA BIGGY) on his ISA server.org)

and complete list from TechNet is here http://technet.microsoft.com/en-us/library/cc995277.aspx

Thanks and Regards

Suraj Singh

UAG DA client cannot connect, Error : ERROR_IPSEC_IKE_AUTH_FAIL in the network captures.

2012-12-29T18:10:00Z

Friends, for now i would say there are few prerequisites to understand following material i.e. you should have basic understanding of how to set up UAG DA and its concepts, so target audience is admins and peers who are already working on the UAG DA and can run into following scenario. I m planning to put links about basics of UAG DA here for everybody's understanding later.

Scenario discussion

I was setting up lab for a UAG DA Scenario and found that DA client was not connecting.So i checked if tunnels were by running following command

netsh advf monitor show mmsa

and found none of the two tunnels were up as i did not see main mode SA(security Associations) established, since Main mode did not establish ,quick mode cant. which meant, we had to start focusing on the IPSEC part, of the whole UAG DA technology which we know uses multiple technologies to implement DA, including IPSEC, apart from others like IPV6 ,Advance windows firewall etc.

so before digging deeper i took network captures on the client machine and ran following two commands in the command prompt.

net stop iphlpsvc (to stop IP helper service)

net start iphlpsvc (to start IP helper service)

purpose of doing this is to restart the IP helper service as it would try to start DA connectivity and would try to establish infrastructure tunnel and then corp tunnel. This would also mean that IPSEC SAs at main mode would also try to establish and that's where we wanted focus to start with.

In network captures got following error

ERROR_IPSEC_IKE_AUTH_FAIL in the network captures. Where i filtered the trace with protocol.authip i.e. with AuthIP protocol in network monitor .

This was not very descriptive so i took scenario tracing as below

Run following two commands in the command prompt

Netsh trace start scenario=directaccess capture=yes report=yes tracefile=C:\client.etl
Netsh wfp capture start

Then

net stop iphlpsvc (to stop IP helper service)
net start iphlpsvc (to start IP helper service)

to initiate the DA connectivity again.

Then stopped the traces by running following two commands in the command prompt

Netsh wfp capture stop
Netsh trace stop

Then opened the client.etl file with network monitor and found following in it

i.e.

WFP:IPsec: Main Mode Failure - Error: ERROR_IPSEC_IKE_AUTH_FAIL
 WFP WFP:IPsec: Main Mode Failure - Error: CERT_E_WRONG_USAGE

From Ipconfig details of the client , since client was on public internet it was using 6to4 adapter, so my client with IPV6 IP address 2002:2828:2803::2828:2803 was sending that error regarding the machine certificate usage to the UAG DA server.

**********************************************************************

Tunnel adapter 6TO4 Adapter:

   Connection-specific DNS Suffix  . : 
   Description . . . . . . . . . . . : Microsoft 6to4 Adapter
   Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv6 Address. . . . . . . . . . . : 2002:2828:2803::2828:2803(Preferred) 
   Default Gateway . . . . . . . . . : 2002:2828:280b::2828:280b
   DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                       fec0:0:0:ffff::2%1
                                       fec0:0:0:ffff::3%1
   NetBIOS over Tcpip. . . . . . . . : Disabled

**********************************************************************

That made me to check the machine certificate on the UAG DA server, which looked right, ran following command in the command prompt on the UAG DA server.

certutil -store my

and it showed me that certificate was OK.

just to be on the safer side, i removed this machine certificate from the computer certificate store of the UAG DA server.

Then requested this machine certificate again from the certificate Authority and then again restarted the

 IP helper service as explained above to restart the DA connectivity.

This time DA connected fine, Network captures were clean our AuthIP traffic in the network captures showed that authentication was successful.

Tested DA by connecting to internal resources and it worked.

Presentation on UAG authentication and authorization,with a scenario discussion.

2012-12-25T05:31:00Z

Hi folks, Uploading a presentations for UAG admins and my peers. This is to provide more information around this topic, i m pretty sure there must be documents around it already but i have tried to give my perspective to it.

I will add audio /video to it in later revisions. I am also discussing here the scenario I discussed in the presentation.

Issue: if we point BaseDN of UAG authentication repository to domain level then portal access goes very slow,you cant get logged in, its kind of unresponsive.

UAG Admin has configured user group based access on the applications published on the UAG server.

Troubleshooting

Lot of work has already happened, when this case same to me. I suggested the UAG admin, to collect network captures for 3-5 minutes, on the internal NIC of the UAG, after pointing BaseDn to root of the domain and when he starts facing the issue.

Data Analysis

In the network captures, in the traffic between UAG and domain controllers , I saw window size advertised by the UAG server was gradually dropping, to zero for almost all the Global catalog traffic sessions,Please refer to the snapshot below.
Another observation was , we had huge amount of this LDAP/Global catalog traffic. It appeared that lot of data transfer was happening from domain controller to UAG and that can happen, if UAG forcing domain controller to do so with its certain
way of querying.
So next thing that I wanted to see was the Repository configuration, specifically the BaseDN and include subfolders option as they can force UAG to do such queries.
I found that the include subfolder was set to 5.

Action plan/workaround/solution

After seeing this, I made the include subfolder to 2 and asked admin to observe.But I still saw same behavior in the network captures. So reduced the included subfolder to 0 and then unchecked that option (for testing)and then observed. That reduced the impact and problem did not come for a week .once again I looked at the traces when problem again came back. We still had similar pattern.
Then we had detailed analysis of the way admin has set up his active directory.
We redesigned active directory infrastructure little bit, after detailed discussions with admin, where we created a specific OU for UAG users and then added the OU, that had most of user groups in it, we also found out that these user groups were not nested user groups, users in these groups were members of other groups, but the group themselves were not nested in one another. So we also removed the check box of nested level so that searches for groups within groups is not done as that also create huge amount of queries. After that issue did not happen.
Learning from this case was that if we reduce the search scope, we reduce amount of queries made to domain controller and also the resultant amount of data that was causing UAG to choke as we saw in the network traces.

Few ideas

We can have more then one repositories in UAG
We can use more then one repository on a trunk.
We can use different repositories and the user groups in them to authorize users on applications on a trunk.
Using these ideas , if we run into a performance issue where admin has a huge AD infrastructure and they have performance issues (due to huge queries and query responses by domain controller)if they use root of the domain for search in BaseDN, we
can suggest a way that would reduce the scope of search of queries by pointing to a OU that’s related to the UAG access.

TMG services hang at startup due to third party service.

2012-12-12T05:34:00Z

This post is once again about an issue I worked on few days back. Before I start discussing about the issue and how I resolved it, I would like to mention that objective of this post is to make TMG admins aware of the issue and what can be done to resolve it, The steps performed to determine the root cause of the issue e.g. user mode dump analysis can’t be done without the symbols(which are private) ,so idea is not to help in performing the dump analysis, instead I want to share the details of dump analysis to show at the time of boot, why TMG services can get hung and won’t start . If you are familiar with terms like process, threads and its stack then you can read it by yourself but if you are not I will explain the observations from it.

Issue:

TMG server admin was rebooting the server and at the time of reboot TMG services were hanging and were not starting. A similar issue was reported pre TMG sp2 but it was fixed post sp2, in this scenario TMG was updated to latest build i.e. TMG sp2 RU2.

Troubleshooting:

Some background: Lot of work has already happened, before I started working on this issue, so in such scenarios you understand the issue and check the steps that have already been taken to resolve the issue and move from there e.g. steps taken in this http://support.microsoft.com/kb/2659700 were performed already . We were getting following event id

_____________________________________________________________________________________________

Log Name: System

Source: Service Control Manager

Date: 09/11/2012 17:42:30

Event ID: 7022

Task Category: None

Level: Error

Keywords:
Classic

User: N/A

Computer: server1

Description: The Microsoft Forefront TMG Firewall service hung on starting.

Event Xml: <Event

xmlns="http://schemas.microsoft.com/win/2004/08/events/event">

<Channel>System</Channel>

<Computer>server1</Computer>

</System>

<Data Name="param1">Microsoft Forefront TMG
Firewall</Data>

</EventData>

</Event>

_____________________________________________________________________________________________

Data collection

During the course of troubleshooting we collected user mode dump while trying to restart the services in automatic startup mode, when it got hung again.

User mode dumps collection reference: http://msdn.microsoft.com/en-us/library/ff420662.aspx

Data analysis

Approach taken in this post is very similar to guidelines given in the following link about debugging a deadlock as we were in a scenario similar to a deadlock http://msdn.microsoft.com/en-us/library/windows/hardware/ff540592(v=vs.85).aspx

In the dump found following critical section was locked

More about critical section and locked critical section refer: http://msdn.microsoft.com/en-us/library/windows/hardware/ff541979(v=vs.85).aspx

Then I located the owning thread of this locked critical section. In following snapshot we can see the stack of this thread, Stack is read from bottom to upside, From this call stack it appears that wspsrv (firewall service) is trying to load a filter called XSISAPI and has deferred its filters start up till this filter is loaded.

Then I checked the module for this filter XSISAPI and found following, That is, it’s a filter called Afaria from Sybase.

Solution:

We configured the XSISAPI filter service to delayed start and after that TMG services started normally after reboot.