John Howard - Senior Program Manager in the Hyper-V team at Microsoft : IIS, Windows Server 2003

Windows Sharepoint Services SP1 on Exchange 2003

jhoward — Mon, 27 Jun 2005 10:04:00 GMT

This weekend, I was playing around yet more with my home infrastructure, "dogfooding", so to speak. One of the things I wanted to get running was Windows Sharepoint Services SP1 (the baby brother of Sharepoint Portal Server). However, I've pretty much run out of memory on my struggling servers here to be able to rack up another VM, hence, I picked on my Exchange 2003 SP1 server which has got IIS already installed. I obviously made sure I had a backup of it first (which is easy given it's a VM, and yes, I know it's not a supported configuration) in case things were to by any chance go wrong.

Well, things did go wrong - however the information was all there in the readme. Essentially, when opening Outlook Web Access, you get a page not found error as the ISAPI filter for Sharepoint is sucking all the requests made to it (that's not the official term though ;-). The solution (which although hard to follow does work exactly as it says) is documented in KB 823265. Note however that you'll also need to setup Sharepoint Services to use Kerberos authentication as documented in KB 832769.

Even though I got things working fine, my poor old server just couldn't hack the extra load by the time SQL went onto it running in a VM. Hence, I ended up reverting back to my original VM with just Exchange 2003 on it, and popped off to eBay to look for an cheap extra GB or two of ram. That should be enough for at least one seperate VM running the full blown sharepoint portal server, and if I tune it down enough, I should just about be able to squeeze another VM with Live Communications Server on it as well. Afterall, don't you have a full blown SIP service at your home? Nah, I think it's just me. I might have to wait until I can persuade the home "bean-counter" that we really need a twin CPU x64 servers - one of those new dual-core AMD chips are getting great reviews.

Here's the download link to Windows Sharepoint Services SP1.

Updated Server Performance Advisor Performance Diagnostic tool for AD and Windows

jhoward — Tue, 21 Jun 2005 09:57:00 GMT

The latest version of the Server Performance Advisor was released at the end of last week for download here. SPA helps you diagnose the root causes of performance problems in a Windows Server 2003 deployment by collecting performance data and generating comprehensive diagnostic reports that give you the data to easily analyse problems and develop corrective actions.

I'm downloading it now but haven't had a chance to find out more about its capabilities in depth. If it's as good as the first version though, I recommend you giving it a go - especially as it's free. One interesting change, bound to be of interest to many including Eileen and Rod is that SPA 2.0 supports a new management pack which can pass its data through to MOM (Microsoft Operations Manager). Further, it supports on x64 editions of Windows Server 2003.

How-To install a certificate for SSL Encryption under IIS

jhoward — Fri, 04 Feb 2005 11:56:00 GMT

Following on from my post a couple of days ago about using MakeCert to generate a self-signed certificate, this is one way in which you can test that the generated certificate is working correctly for SSL authentication within IIS. It was almost worthy of a blogcast (BTW, congratulations Mike for joining in the fun), but given I've all but lost my voice at the moment, here's the old fashioned way.

Create a new folder such as c:\test, and within it, create a new default.htm file using notepad. The content doesn't matter, but here's a very simple example
<BODY>
This is my SSL protected site
</BODY>
Start Internet Information Services (IIS) Manager from the Administrative Tools folder
(I'm going to lead you through creating a new web-site, although I could assign the certificate to the default web-site)
Right-click on Web-sites and select New Web-Site
Follow through the wizard. When you get to "Description", enter the name "Test"
Keep going through the wizard, and enter c:\test on the path step
On the newly created site, right-click and select properties and select the Directory Security tab
Click Server Certificate and work your way through the wizard
Select Assign an existing certificate
Select your newly created certificate
Choose port 443 (default SSL port)
Click Next/OK to finish the wizard and exit the site properties.
Currently the web-site is stopped. Right click the Test web-site and choose start
Open a browser and go to https://jhoward-5160/test, replacing jhoward-5160 with your machines DNS name. Note the MSN Toolbar :-)
Double-click the padlock icon in the bottom right to view the certificate for your site

Congratulations! If everything works this far, you have managed to create and protect a test web-site using SSL encryption and a self-signed certificate generated using MakeCert.exe

How-to use MakeCert for trusted root certification authority and SSL certificate issuance

jhoward — Wed, 02 Feb 2005 14:26:00 GMT

I wasn't originally going to blog this, but my colleague, Mat, and I were discussing encryption late last night. Mat was specifically interested in its use for security traffic in the context of SQL Reporting Service, but we got massively sidetracked and ended up talking about IPSec, MAPI and all sorts of other things along the way. Interesting, none-the-less.

One thing Mat wanted to demonstrate was the use of a certificate for encrypting traffic between a SQL Reporting Server and a back-end database. Why not install a certificate server, he said. My retort was that he was probably barking if this was just for a simple demonstration.... :-) (You're not, really Mat. Honest!) Hence, one topic along our way was how to use MakeCert.exe to demonstrate SSL encryption. Rather than me show him and get it written down, what better way than to blog it. Makes sense, right? Spookily just last week I was reminding myself about how to use the makecert.exe utility (download link at the bottom) to generate a self-signed certificate for a completely different purpose. However, definitely a subject for another day and besides, I never did succeed in that particular goal :-(

MakeCert.exe allows you to (for test/dev purposes) generate both a trusted root certificate and a certificate signed by that trusted root certificate for encryption purposes (also for signature purposes, but that wasn't relevant in this context). In this way, you can create a test/dev web-site, for example, with SSL encryption enabled. Follow these simple steps if this is something you need to do. I'll follow up later with an example of how you would use these generated certificates to SSL-enable a very simple web-site under IIS 6.

From the command prompt, in the directory where you downloaded makecert.exe, enter all the green bits below on a single line (ie exclude my comments in the right-most column).

makecert	-pe	Exportable private key
	-n "CN=Test And Dev Root Authority"	Subject name
	-ss my	Certificate store name
	-sr LocalMachine	Certificate store location
	-a sha1	Signature algorithm
	-sky signature	Subject key type is for signature purposes
	-r	Make a self-signed cert
	"Test And Dev Root Authority.cer"	Output filename

You will now have a "Test And Dev Root Authority.cer" certificate on disk and a new certificate will also be installed in the LocalMachine Certificate store. If you run up a Certificates MMC at this point, you will be able to see this. However, by default, the Certificates snap-in isn't available as a short cut. Hence, use the following steps:

Start/Run/MMC
File/Add-Remove Snap-In
Click Add
Select Certificates and click Add
Select Computer Account and hit Next
Select Local Computer
Click Close
Click OK

If you expand the console out to Personal/Certificates, you will see your newly created certificate as in the screen shot below.

Now that you have a root certificate, you need to use this certificate (at least the .cer file which is still present on your hard-disk) to sign another certificate you are going to use for encryption purposes. From the command prompt, enter the following

makecert	-pe	Exportable private key
	-n "CN=jhoward-5160"	Full DNS name of the target machine. Note that in this example, I am running a machine with the NetBIOS name "jhoward-5160" which is not a member of a domain. Hence, the full DNS name really is this. Replace this as appropriate. e.g. CN=mycomputer.company.com
	-ss my	Certificate store name
	-sr LocalMachine	Certificate store location
	-a sha1	Signature algorithm
	-sky exchange	Subject key type is for key-exchange purposes (i.e. Encryption)
	-eku 1.3.6.1.5.5.7.3.1	Enhanced key usage OIDs. Trust me on this :-)
	-in "Test And Dev Root Authority"	Issuers certificate common name
	-is MY	Issuers certificate store name
	-ir LocalMachine	Issuers certificate store location
	-sp "Microsoft RSA SChannel Cryptographic Provider"	CryptoAPI providers name
	-sy 12	CryptoAPI providers type
	jhoward-5160.cer	Output file - replace and name as appropriate.

Go back to the certificates snap-in, right-click the "Test and Dev Root Authority" certificate and copy it to the "Trusted Root Certification Authorities" node. Once done, if you expand this node, and then select certificates your newly created root cert should be present.

If you whizz back to the personal certificates in this snap-in, you also note that your new certificate suitable for encryption purposes is installed, as highlighted in the screen-shot below.

If you double-click the certificate, verify that you have a private key that corresponds to this certificate, and that the intended purpose is to ensure the identity of a remote computer.

At this point, you can safely delete the "Test And Dev Root Authority" certificate from the personal certificate store in the MMC snap-in. Remember also that you can save the two .cer files on disk safely away to save you remembering all the above parameters for makecert.exe. You can simply use the "All Tasks/Import" wizard in the MMC snap-in instead (assuming that the DNS name of the target machine matches).

Download makecert.exe from microsoft.com here

Oh the fun of after-work conversations.... Hope this is useful for you