January, 2014

  • Certificate Requirements for Windows 2008 R2 and Windows 2012 Remote Desktop Services

    Good morning AskPerf!  Kiran here with a question for you:  Why do we need certificates?  Well, certificates are used to sign the communication between two machines.  When a client connects to a server, the identity of the server that is receiving the connection and in turn, information from the client, is validated using certificates.

    This is done to prevent possible man-in-the-middle attacks.  When a communication channel is set up between the client and the server, the authority that issues/generates the certificate is vouching for the server to be authentic.

    So, as long as the client trusts the server it is communicating with, the data being sent to and from the server is considered secure.  This brings me to the next question:

    What type of certificate is required for RDS?

    The following blog post describes the types of certificates involved and how you can create them using the domain's internal CA:

    http://blogs.msdn.com/b/rds/archive/2010/04/09/configuring-remote-desktop-certificates.aspx

    Basic requirements for Remote Desktop certificates:

    1. The certificate is installed into the computer’s “Personal” certificate store.
    2. The certificate has a corresponding private key.
    3. The "Enhanced Key Usage" extension has a value of either "Server Authentication" or "Remote Desktop Authentication" (1.3.6.1.4.1.311.54.1.2). Certificates with no "Enhanced Key Usage" extension can be used as well.

    As the function it performs suggests, we need a ‘Server Authentication’ certificate.  This certificate can be generated using the ‘Workstation Authentication’ template (if required).
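    As an added example (not from the original post), the following PowerShell evaluates every certificate in the computer's Personal store against the three requirements above. The Server Authentication OID (1.3.6.1.5.5.7.3.1) is the standard one; the Remote Desktop Authentication OID is the one quoted above. The function name and the extra expiry column are my own additions. Run it from an elevated prompt so the private-key flag of machine certificates is readable.

```powershell
# Added example, not from the original post: evaluate each certificate in the
# computer's Personal store against the three Remote Desktop requirements.
$ServerAuthOid        = '1.3.6.1.5.5.7.3.1'        # Server Authentication (standard EKU OID)
$RemoteDesktopAuthOid = '1.3.6.1.4.1.311.54.1.2'   # Remote Desktop Authentication (from the post)

function Test-RdsCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert
    )
    # Requirement 3: EKU must include Server Authentication or Remote Desktop
    # Authentication, or the certificate must carry no EKU extension at all.
    $ekuExt = $Cert.Extensions |
        Where-Object { $_.Oid.Value -eq '2.5.29.37' } |   # Enhanced Key Usage
        Select-Object -First 1
    if ($null -eq $ekuExt) {
        $ekuOk   = $true
        $ekuList = '(no EKU extension, allowed)'
    } else {
        # .NET surfaces this extension as X509EnhancedKeyUsageExtension
        $oids    = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value })
        $ekuOk   = ($oids -contains $ServerAuthOid) -or ($oids -contains $RemoteDesktopAuthOid)
        $ekuList = $oids -join ', '
    }
    # Extra sanity check beyond the three rules: an expired cert is never usable.
    $notExpired = $Cert.NotAfter -gt (Get-Date)
    [pscustomobject]@{
        Subject       = $Cert.Subject
        Thumbprint    = $Cert.Thumbprint
        HasPrivateKey = $Cert.HasPrivateKey          # requirement 2
        EkuOk         = $ekuOk                       # requirement 3
        Eku           = $ekuList
        NotAfter      = $Cert.NotAfter
        Suitable      = ($Cert.HasPrivateKey -and $ekuOk -and $notExpired)
    }
}

# Requirement 1: the certificate lives in the computer's Personal store (Cert:\LocalMachine\My).
Get-ChildItem -Path Cert:\LocalMachine\My |
    ForEach-Object { Test-RdsCertificate -Cert $_ } |
    Sort-Object Suitable -Descending |
    Format-Table Subject, HasPrivateKey, EkuOk, Eku, NotAfter, Suitable -AutoSize
```

    A certificate that shows HasPrivateKey as False typically means the request was generated on another machine and only the public certificate was imported; export it from the original machine as a .pfx (with the key) before using it for RDS.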

    Here is the exact process: 

    1. Open CERTSRV.MSC and configure certificates.
    2. Open Certification Authority.
    3. In the details pane, expand the instructor computer name.
    4. Right-click Certificate Templates and select Manage. Right-click Workstation Authentication and click Duplicate Template.
    5. On the General tab, change the Template display name to Client-Server Authentication and check Publish certificate in Active Directory.
    6. On the Extensions tab, click Application Policies then Edit. Click Add then select Server Authentication. Click OK until you return to the Properties of New Template dialog.
    7. Click the Security tab. For Domain Computers, click the checkbox to ‘Allow Autoenroll’. Click OK. Close the Certificate Templates Console.
    8. In the certsrv snap-in, right-click Certificate Templates and select New then Certificate Template to Issue.
    9. Select Client-Server Authentication and then click OK.

    This will be visible when viewing the certificate in the ‘Certificates’ MMC snap-in, as below:

    [screenshot: the certificate listed in the ‘Certificates’ MMC snap-in]

    When you open the certificate, the ‘General’ tab will also contain the purpose of this certificate to be ‘Server Authentication’ as seen below:

    [screenshot: certificate ‘General’ tab showing the ‘Server Authentication’ purpose]

    Another way to validate this, would be to go to the ‘Details’ section of the certificate and look at the ‘Enhanced Key Usage’ property:

    [screenshot: certificate ‘Details’ tab, ‘Enhanced Key Usage’ property]

    The easiest way to get a certificate, if you control the client machines that will be connecting, is to use Active Directory Certificate Services.  You can request and deploy your own certificates and they will be trusted by every machine in the domain. 

    If you're going to allow users to connect externally and they will not be part of your domain, you would need to deploy certificates from a public CA.  Examples including, but not limited to: GoDaddy, Verisign, Entrust, Thawte, DigiCert

    Now that you know what type of certificate you need, let’s talk about the contents of the certificate.

    In Windows 2008/2008 R2, you connect to the farm name, which as per DNS round robin, gets first directed to the redirector, next to the connection broker and finally to the server that will host your session.

    In Windows 2012, you connect to the Connection Broker and it routes you to the collection by using the collection name. 

    The certificates you deploy need to have a subject name or subject alternate name that matches the name of the server that the user is connecting to.  So for example, for Publishing, the certificate needs to contain the names of all of the RDSH servers in the collection.  The certificate for RDWeb needs to contain the FQDN of the URL, based on the name the users connect to.  If you have users connecting externally, this needs to be an external name (needs to match what they connect to).  If you have users connecting internally to RDweb, the name needs to match the internal name.  For Single Sign On, again the subject name needs to match the servers in the collection.

    For our example, let’s consider my RDS deployment to contain the following machines:

    RDSH1.RENDER.COM    Session Host with Remote Apps configured
    RDSH2.RENDER.COM    Session Host with Remote Apps configured
    RDVH1.RENDER.COM    Virtualization host with VDI VMs configured
    RDVH2.RENDER.COM    Virtualization host with VDI VMs configured
    RDCB.RENDER.COM     Connection Broker
    RDWEB.RENDER.COM    RDWeb and Gateway server

    When my client connects internally, the user enters the FQDN of the server that hosts the web page, i.e.: RDWEB.RENDER.COM.

    The name of the certificate needs to be this name, of the URL that the user will initiate the connection to.  But we need to remember that the connection does not just end here.  The connection then flows from the web server to one of the session hosts or virtualization hosts and also the connection broker.

    The certificate can be common on all of these servers.  This is why we recommend that the Subject Alternate Name of the certificate contain the names of all the other servers that are part of the deployment.

    In short, the certificate for my environment would be as follows:

    Type: Server Authentication

    Name: RDWEB.RENDER.COM

    SAN: RDSH1.RENDER.COM; RDSH2.RENDER.COM; RDVH1.RENDER.COM; RDVH2.RENDER.COM; RDCB.RENDER.COM  

    This is all you need as long as you have 5 or fewer servers in the deployment. But we have a problem when there are more servers in the deployment. This is because, by design, the SAN (Subject Alternate Name) on a certificate can only contain 5 server names. If you have more than that, you will have to get a wildcard certificate issued to cover all the servers in the deployment. Here my certificate changes as follows:

    Type: Server Authentication

    Name: RDWEB.RENDER.COM

    SAN: *.RENDER.COM
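    As an added example (not from the original post), the following PowerShell extracts the DNS names a certificate is valid for (subject CN plus the SAN extension) and checks them against the hosts of a deployment, using the RENDER.COM host list above. The wildcard rule implemented is the usual one: ‘*’ covers exactly one DNS label, so *.RENDER.COM covers RDSH1.RENDER.COM but not RENDER.COM itself or a host two labels deep. The function names and the extra RDSH3 host are my own; the SAN parser assumes the English “DNS Name=” label that the .NET Format() method produces on an English Windows.

```powershell
# Added example, not from the original post: list the DNS names a certificate
# covers and test them against the hosts a Remote Desktop client may reach.
function Get-CertificateDnsNames {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert
    )
    $names = New-Object 'System.Collections.Generic.List[string]'
    # Subject CN (or the first DNS SAN entry, whichever .NET finds first)
    $cn = $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    if ($cn) { $names.Add($cn.ToLowerInvariant()) }
    # Subject Alternative Name extension (OID 2.5.29.17). Format() returns text such as
    # "DNS Name=rdsh1.render.com, DNS Name=rdsh2.render.com" on an English Windows;
    # that label is locale dependent (assumption of this parser).
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | Select-Object -First 1
    if ($san) {
        foreach ($entry in ($san.Format($false) -split ',\s*')) {
            if ($entry -match '^DNS Name=(.+)$') { $names.Add($Matches[1].Trim().ToLowerInvariant()) }
        }
    }
    $names | Select-Object -Unique
}

function Test-DnsNameCovered {
    # A wildcard covers exactly one label: *.render.com matches rdsh1.render.com
    # but neither a.b.render.com nor render.com itself.
    param(
        [Parameter(Mandatory)] [string]   $HostName,   # not $Host, which is a PowerShell automatic variable
        [Parameter(Mandatory)] [string[]] $Names
    )
    $h = $HostName.ToLowerInvariant()
    foreach ($n in $Names) {
        if ($n -eq $h) { return $true }
        if ($n.StartsWith('*.') -and $h.EndsWith($n.Substring(1))) {
            $leftmost = $h.Substring(0, $h.Length - ($n.Length - 1))
            if ($leftmost -ne '' -and -not $leftmost.Contains('.')) { return $true }
        }
    }
    return $false
}

# Hosts of the post's RENDER.COM deployment, plus a constructed sixth session host
# to show where the explicit SAN list stops covering the deployment.
$deploymentHosts = 'RDWEB.RENDER.COM', 'RDSH1.RENDER.COM', 'RDSH2.RENDER.COM',
                   'RDVH1.RENDER.COM', 'RDVH2.RENDER.COM', 'RDCB.RENDER.COM', 'RDSH3.RENDER.COM'

# Offline check of the matching rule with the two name sets from the post; no certificate needed.
$explicit = 'rdweb.render.com', 'rdsh1.render.com', 'rdsh2.render.com',
            'rdvh1.render.com', 'rdvh2.render.com', 'rdcb.render.com'
$wildcard = 'rdweb.render.com', '*.render.com'
foreach ($h in $deploymentHosts) {
    [pscustomobject]@{
        Host     = $h
        Explicit = Test-DnsNameCovered -HostName $h -Names $explicit   # RDSH3 -> False
        Wildcard = Test-DnsNameCovered -HostName $h -Names $wildcard   # RDSH3 -> True
    }
}

# Against a real certificate in the Personal store (thumbprint is a placeholder):
# $cert  = Get-Item Cert:\LocalMachine\My\<THUMBPRINT>
# $names = Get-CertificateDnsNames -Cert $cert
# $deploymentHosts | ForEach-Object { Test-DnsNameCovered -HostName $_ -Names $names }
```

    Running the name check against the certificate you intend to bind, rather than reading the SAN by eye, catches the common mistake of a new session host being added to a collection after the certificate was issued.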

    We still encounter some challenges in the following scenario. Note that this applies only when external users access the deployment.

    External name: RDWEB.RENDER.com

    Internal Name: RDWEB.RENDER.local

    Here, if you get a certificate with RDWEB.RENDER.COM in the name, the certificate errors still do appear.  This is because the certificate is supposed to validate a server with the FQDN: ‘RDWEB.RENDER.COM’.  However, your server is ‘RDWEB.RENDER.LOCAL’ and the ‘.com’ to ‘.local’ magic only happens at your public firewall/router using port forwarding (most common scenario).

    In such scenarios, we previously recommended that the name on the certificate contain the ‘.com’ name and the SAN contain the ‘.local’ name.

    Recently, all public certificate providers have been ceasing to issue certificates with ‘.LOCAL’ names in them. Starting with Windows 8 and Windows Server 2012, we no longer need both the external and the internal name to be contained in the certificate.

    In scenarios where you have external clients connecting in and you have a private internal domain suffix (DOMAIN.LOCAL), you can get a certificate from a Public CA with the external (RDWEB.DOMAIN.COM) name and bind it to the RD Web Access and RD Gateway roles, because these are the only roles that are exposed to the internet.  For RD Connection Broker – Publishing and RD Connection Broker – Enable Single Sign On, you can make use of an internal certificate with the ‘DOMAIN.LOCAL’ name on it.  This however, as mentioned earlier, will only work with clients connecting through RDC 8.0 or above.

    The RD Gateway and Remote Desktop Client version 8.0 (and above) provides the external users with a secure connection to the deployment. Once connected to the deployment, the internal certificate with the ‘.local’ name will take care of Remote App signing (publishing) and Single Sign-On.

    Now, let’s look at where we configure the certificate we have:

    Open Server Manager on the Connection Broker server and click Remote Desktop Services in the left-most pane.

    Once here, you will see your deployment shown as in the illustration below. Click Tasks and select “Edit Deployment Properties”.

    [screenshot: Remote Desktop Services deployment overview in Server Manager, Tasks menu]

    This will bring up the property sheet of the deployment. Select the Certificates option in the left pane:

    [screenshot: Deployment Properties sheet, Certificates page]

    Now, as discussed earlier, you can select the certificate that was created using the ‘Select Existing Certificate’ button on the bottom of the screen.

    Just point it to the ‘.pfx’ file and allow it to import the certificate for the role.

    You can use a single certificate for all the roles, if your clients are internal to the domain only, by generating a simple wildcard certificate (*.RENDER.LOCAL) and binding it to all the roles.

    Note that even if you have multiple servers that are part of this deployment, Server Manager will import the certificate to all the servers in the deployment, place it in the trusted root store of each machine and bind it to the respective roles.

    -Kiran Kadaba

  • The case of “Above normal” priority

    Good morning AskPerf!  If you’ve used Task Manager, you may have noticed that it allows setting an “instance-based priority”.  This is an option where you can choose to boost or reduce the priority of any process, thereby adjusting the amount of CPU attention the process receives.  But honestly, how many times have you used this feature for any business apps on your workstations or servers?  The answer is probably not often.  The default CPU scheduling algorithm is adequately designed to distribute CPU among running processes in most scenarios.

    So recently, one of our customers reported the following anomaly they saw in Task Manager:

    [screenshot: Task Manager showing processes at “Above normal” priority]

    About 70% of the running processes would launch as Normal, and within a few seconds the priority would change to Above normal automatically.  This happened for many arbitrary processes and prevented fair CPU scheduling for LOB applications.

    So how do you drill down on this?  Well, we need to check some basic settings first.  Any process on the Windows platform can have one of the following priorities at a given time:

    • Realtime
    • High
    • Above normal
    • Normal
    • Below normal
    • Low

    [screenshot: the priority options in Task Manager]

    Per MSDN, these priorities correspond to the following classes:

    • IDLE_PRIORITY_CLASS
    • BELOW_NORMAL_PRIORITY_CLASS
    • NORMAL_PRIORITY_CLASS
    • ABOVE_NORMAL_PRIORITY_CLASS
    • HIGH_PRIORITY_CLASS
    • REALTIME_PRIORITY_CLASS

    A process always launches with its base priority (default), which the app developer can choose; otherwise it inherits the default NORMAL_PRIORITY_CLASS.

    If you are a developer, you can use the SetPriorityClass function to move your process from its base priority to a new one.  That is exactly what happens to a running process’s instance when you opt to adjust its priority from Task Manager.  So we followed that route and began investigating who was calling this SetPriorityClass() function on the affected machine.  We used our best friend XPERF (or rather WPR, its latest incarnation) with stackwalk enabled.

    Steps:

    1. Start WPR
    2. Launch a process (say, notepad.exe)
    3. Wait a few seconds until the priority is raised from “Normal” to “Above normal”
    4. Stop WPR capture
    5. Load the output ETL file in WPA (Windows Performance Analyzer, a tool that comes with the WPR installation)

    In WPA, we focused on the stack flow for the process in question (notepad.exe in our example) and found the stack below, where wsrm.exe calls the SetPriorityClass() function. You can see this stack using just our public symbols (path: http://msdl.microsoft.com/download/symbols).

    Line #   Process   Stack                                                   Weight     All Count
    28                 |    |    |- wsrm.exe!CCPUManager::UpdatePriorities     4.891726   5
    29                 |    |    |    wsrm.exe!CCPUManager::UpdatePriorities   4.891726   5
    30                 |    |    |    wsrm.exe!CCPUManager::UpdatePriorities   4.891726   5
    31                 |    |    |    |- wsrm.exe!CProcess::SetPriorityClass   4.058269   4
    32                 |    |    |    |    KernelBase.dll!SetPriorityClass     4.058269   4

    From screenshot of Windows Performance Analyzer:

    [screenshot: the same stack in Windows Performance Analyzer]

    So now we know what is causing the priorities to be bumped up, but why?

    Windows Server Resource Manager (wsrm.exe) is a great tool to manage server processor and memory usage with standard or custom resource policies.  If you find yourself in a similar situation, chances are that you need to review the WSRM configuration and policies in your environment.  Or, you can simply disable WSRM if you are not using it.  This blog discusses more about WSRM policies and configuration.
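    As an added example (not from the original post), the following PowerShell is a quick first check for the symptom above before reaching for WPR: it snapshots the priority class of every process, waits, reports the processes whose class changed, and notes whether wsrm.exe (the process name from the stack above) is running. It only shows which processes were re-prioritised; the WPR/WPA stack walk is still what identifies the caller. The function name and the 10-second window are my own choices.

```powershell
# Added example, not from the original post: detect processes whose priority
# class changes shortly after launch, and check whether wsrm.exe is present.
function Get-PriorityClassChanges {
    param([int] $Seconds = 10)
    $before = @{}
    foreach ($p in Get-Process) {
        # Some protected/system processes refuse access to PriorityClass; skip them.
        try { $before[$p.Id] = $p.PriorityClass } catch { }
    }
    Start-Sleep -Seconds $Seconds
    foreach ($p in Get-Process) {
        if (-not $before.ContainsKey($p.Id)) { continue }   # started after the first snapshot
        try { $after = $p.PriorityClass } catch { continue }
        if ($after -ne $before[$p.Id]) {
            [pscustomobject]@{
                Id     = $p.Id
                Name   = $p.ProcessName
                Before = $before[$p.Id]
                After  = $after
            }
        }
    }
}

# Is WSRM active on this machine? (process name taken from the stack in the post)
$wsrm = Get-Process -Name wsrm -ErrorAction SilentlyContinue
if ($wsrm) { "wsrm.exe is running (PID $($wsrm.Id)); review its CPU policies" }
else       { "wsrm.exe is not running" }

# Launch a process the way the post does, then watch for the change.
Start-Process notepad.exe
Get-PriorityClassChanges -Seconds 10 | Format-Table -AutoSize
```

    If the table lists notepad.exe moving from Normal to AboveNormal while wsrm.exe is running, the WSRM policy is the first thing to review; if nothing changes, run the WPR capture described above to find a different caller.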

    Additional Resources

    Scheduling Priorities

    -Deepak

    BONUS: Task Scheduler launches tasks by default at Below normal priority.  To change the priority of a task, you would have to edit its XML file (<Priority>7</Priority>) and re-import it.  More info:  TaskSettings.Priority property
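    As an added example (not from the original post), the following PowerShell performs the edit-and-re-import described in the bonus note without touching a file by hand: it exports the task definition, changes the <Priority> element, and registers the task again. It assumes the ScheduledTasks module (Windows 8 / Server 2012 or later) and an elevated prompt; the function name and the task name in the usage line are placeholders. The value ranges in the comment are from the TaskSettings.Priority documentation the note links to.

```powershell
# Added example, not from the original post: change a scheduled task's base
# priority by editing <Priority> in its XML definition and re-registering it.
function Set-ScheduledTaskPriority {
    param(
        [Parameter(Mandatory)] [string] $TaskName,
        [string] $TaskPath = '\',
        # TaskSettings.Priority: 0 = time critical, 1 = highest, 2-3 = above normal,
        # 4-6 = normal, 7-8 = below normal (7 is Task Scheduler's default), 9-10 = idle.
        [ValidateRange(0, 10)] [int] $Priority = 6
    )
    # Export-ScheduledTask returns the task definition as an XML string.
    [xml] $definition = Export-ScheduledTask -TaskName $TaskName -TaskPath $TaskPath
    $settings = $definition.Task.Settings
    if ($null -eq $settings.Priority) {
        # Fallback: the exported XML normally carries <Priority>; if it is absent the
        # default of 7 is in effect, so create the element in the task namespace.
        $node = $definition.CreateElement('Priority', $definition.Task.NamespaceURI)
        $node.InnerText = [string] $Priority
        [void] $settings.AppendChild($node)
    } else {
        $settings.Priority = [string] $Priority
    }
    # Re-import over the existing definition. Tasks that run under a specific
    # account also need -User and -Password here.
    Register-ScheduledTask -TaskName $TaskName -TaskPath $TaskPath -Xml $definition.OuterXml -Force
}

# Usage (placeholder task name): run the task at normal rather than below-normal priority.
# Set-ScheduledTaskPriority -TaskName 'MyNightlyReport' -Priority 6
```

    Verify the result with Export-ScheduledTask again and look for the new <Priority> value; a task that still shows 7 was most likely re-registered from a stale definition.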

  • Windows 8.1 preview build reboots every 2 hours

    Today’s blog is regarding the expiration of the Windows 8.1 preview build, which occurred yesterday, January 15th, 2014.  If you installed the Windows 8.1 preview build and have not upgraded to 8.1 RTM, you may notice that your machine reboots itself every 2 hours, and you should also see the following notification when you log in:

    [screenshot: the preview build expiration notification]

    For more information on this and how to update to the final RTM build take a look at the following page: 

    Update from Windows 8.1 Preview to Windows 8.1
    http://windows.microsoft.com/en-us/windows-8/update-from-preview

    Scott McArthur
    Senior Support Escalation Engineer

  • Popular new features in Windows 8.1

    We are very excited, as are many of you, about our latest OS. Windows 8.1 is readily available across the globe. We thought of listing some of the top/new features it brings to the table. Here is a small list of some of the more popular new features:

    Your favorite Start button on taskbar


    We heard you and the Start button is back! It makes the task bar look familiar and provides ease of access to the Start screen from the desktop.

    Start screen customization

    Customization for the Start screen using group policies and PowerShell is now available.

    Group policies allow you to specify the Start screen layout and prevent configuration changes. The layout specifications must be stored in an XML file that is generated with the Export-StartLayout PowerShell cmdlet. This XML file can be made available locally or from a UNC path.

    The policies for the Start screen layout are available under:

    • Computer Configuration | Administrative Templates | Start Menu and Taskbar
    • User Configuration | Administrative Templates | Start Menu and Taskbar

    NOTE: we will provide more detailed steps in a later blog post.

    Roam your favorite apps on 8.1 devices

    Another highly requested feature. Since last October, you can roam your installed applications on Windows 8 and Windows 8.1 to as many as 81 Windows devices. Earlier, when we launched Windows 8, the number was restricted to just five devices. This is limited to Windows Store apps only. More details can be found here:

    http://blogs.windows.com/windows/b/appbuilder/archive/2013/09/27/increasing-the-app-roaming-limits.aspx.

    Boot directly to the desktop

    You can now bypass the Start screen and log on directly to the desktop. To configure it, launch Task Bar Properties > Navigation > “When I sign in or close all apps on a screen, go to the desktop instead of Start”.


    You can also use the Start Screen customization policy to deploy this to a group of users.

    Drag App to another display

    You can now drag and drop Metro Style apps across monitors. Drag and drop works for both full screen and snapped apps! So if you are like me with multiple monitors, check out how Windows 8.1 can increase productivity:

    http://blogs.technet.com/b/uspartner_ts2team/archive/2013/07/31/nice-multi-monitor-enhancements-in-windows-8-1.aspx

    Multi-snap views

    This is my personal favourite, as I can do multiple things at the same time. I watch my stocks, video call on Skype, and still work on my desktop! Not enough? You can even adjust the width of each snapped app to suit your need. Now that’s super cool. It is not limited to three, but here is a screenshot to present the idea. Try it out!

    [screenshot: several apps snapped side by side on one screen]

    NOTE: we will provide more detailed steps in a later blog post.

    NFC has been enabled (for printing)

    One of the best implementations of NFC on the Windows platform is NFC tap-to-connect printers, introduced in Windows 8.1. We have a detailed post on it here:

    http://blogs.technet.com/b/askperf/archive/2013/10/21/windows-8-1-windows-server-2012-r2-nfc-tap-to-connect-printer-connections.aspx

    In-box Support for 3D printing

    Windows 8.1 debuts in-box support for 3D printing. Another superb thing to discuss. Most of the functionality and details are posted here:

    http://blogs.windows.com/windows/b/extremewindows/archive/2013/08/22/3d-printing-support-in-windows-8-1-explained.aspx

    Great "Search" capabilities

    With Windows 8.1 you will fall in love with Windows Search, or what I call “Super Search”. You can now search virtually everywhere from just one place. Hit ‘Windows Key + S’ or select ‘Search’ from the Windows charms bar. You can opt to search the web, files on your local storage, settings or ALL of these places simultaneously.

    [screenshot: search results for “Morgan Freeman”]

    New layout for the Windows Store

    New look, better visuals to review the screenshots and rating of applications.


    All Apps screen

    On the Start screen you can now click the small down arrow to quickly switch the view to “All Apps”.


    All installed apps on the “All Apps” screen can be sorted by name (default), install date, most used, or category (games, production, utilities, etc.).


    Wireless Display (Miracast support)

    We tested with several Miracast receivers and among others, these work great in bringing Windows 8.1 to the big screen (wirelessly): ActionTec, ScreenBeam Pro and Netgear Push2TV (PTV3000). Some good details here:

    http://blogs.windows.com/windows/b/windowsexperience/archive/2013/11/12/windows-8-1-on-your-big-screen-with-miracast.aspx

    Download and Install updates for Store Apps automatically

    The feature can now be turned on/off using group policy located at Computer Configuration | Administrative Templates | Windows Components | Store | “Turn off Automatic Download and install of updates”.


    Let us know in the comments below what your favorite features in Windows 8.1 are, or if you have any questions about these features.

    -Deepak Kumar

  • Debugging a Windows 8.1 Store App Crash Dump

    Quality reports on the App Summary page

    Microsoft provides triage dumps of your Windows Store application’s crashes and hangs through the Quality section of the App Summary page on the Dev Center - Windows Store apps portal.  Back in June 2012, ...