Microsoft Enterprise Networking Team

New Networking-related KB articles for the week of January 24 – January 30

After a week with nothing to report, we finally have a few new networking-related KB articles this time around:

978943 Windows Server 2008 R2-based NLB nodes remain in a converging state indefinitely

979602 Error message when you try to connect to a printer by using an alias (CNAME) resource record: "Windows couldn't connect to the printer"

979599 The EAP method is configured incorrectly during the migration process from a 32-bit or 64-bit version of Windows Server 2003 to Windows Server 2008 R2

- Mike Platts

A Windows Server 2008 R2 Virtual Machine may crash with a blue screen after configuring NLB on it

We have heard from a few customers about an issue with configuring Network Load Balancing (NLB) on Windows Server 2008 R2 virtual machines. This problem may occur with a Windows Server 2008 R2 virtual machine (guest) on Hyper-V or VMware.

When you configure NLB on a Windows Server 2008 R2 system that is a virtual machine, the system may crash with a blue screen with the error shown below. Another possible symptom is that the guest system may hang.

*** STOP: 0x0000007C (0x0000000000000014, 0x0000000000000002, 0x0000000000000000, 0x0000000000000000)

BUGCODE_NDIS_DRIVER

Researching this issue, we found the issue happens only when some anti-virus products are installed on the Windows Server 2008 R2 virtual machine. If we remove the anti-virus software and then configure NLB, everything works fine.

We have found the following workaround has been successful for customers we’ve worked with on this issue:

Configure NLB on the Windows Server 2008 R2 guest before installing anti-virus software. Anti-virus software may then be installed. If the issue still occurs, please contact Microsoft Support.

- Saravanan N

New Networking-related KB articles for the week of January 17 – January 23

This week, we have no new KB articles to report. Check back again next week for any new content!

- Mike Platts

New Networking-related KB articles for the week of January 10 – January 16

We only have one new networking-related KB article for this week:

975851 When you resume a computer that is running Windows 7, WWAN devices do not automatically connect to the target 3G network

- Mike Platts

Support for Windows 2000 and Windows XP SP2 will end on July 13, 2010

We want to get the word out about an upcoming deadline. On July 13, 2010 our support for Windows 2000 and Windows XP Service Pack 2 will end.

In the case of Windows XP, Service Pack 3 will continue to be supported. More information about the end of Windows XP SP2 support can be found here: http://support.microsoft.com/gp/lifean31

For Windows 2000, we have been hard at work on a centralized site that brings together resources to help with moving from Windows 2000 to newer Windows versions. The Windows 2000 End-of-Support Solution Center is a good resource to leverage for your migration strategy.

To see the resources  specifically related to networking components on the Windows 2000 End-of-Support Solution Center, click here. This page covers such server roles and features as DHCP Server, DNS, IAS, NLB, and more.

For more information about this as well as Support Lifecycle information for other products, please visit the Microsoft Support Lifecycle page.

- Mike Platts

Remote Desktop Gateway client fails authentication with “Your user account is not authorized to access the RD Gateway”

Remote Desktop Gateway (RD Gateway), formerly Terminal Services Gateway (TS Gateway), is a role service in the Remote Desktop Services server role included with Windows Server® 2008 R2 that enables authorized remote users to connect to resources on an internal corporate or private network, from any Internet-connected device that can run the Remote Desktop Connection (RDC) client.

Refer the following links to learn more on Remote Desktop Gateway and for a step-by-step guide on deploying Remote Desktop Gateway

http://technet.microsoft.com/en-us/library/dd560672(WS.10).aspx

http://www.microsoft.com/downloads/details.aspx?familyid=6D146124-E850-4CEC-9EFA-33A5225E155D&displaylang=en

There were a few instances where our customers reported that Remote Desktop Gateway users are getting the error “Your user account is not authorized to access the RD Gateway”

There are 2 situations where a user may get the errors mentioned below:

• Situation A - This error may occur for the user account that belongs to the same domain as Remote Desktop Gateway
• Situation B – While user accounts from the same domain's (where Remote Desktop Gateway is located) have no issue, users from a child domain or a peer domain (within the same tree or forest) receive the error

Different error messages are reported based on the Remote Desktop Connection client version.

Remote Desktop Connection (RDC) 7.0 client

Remote Desktop can’t connect to the remote computer "<End Resource Name>" for one of these reasons:

1) Your user account is not authorized to access the RD Gateway "<RD Gateway Server Name>"
2) Your computer is not authorized to access the RD Gateway "<RD Gateway Server Name>"
3) You are using an incompatible authentication method (for example, the RD Gateway might be expecting a smart card but you provided a password)

Remote Desktop Connection (RDC) 6.1

Terminal Services connection authorization policy (TS CAP) is preventing connection to the remote computer through TS Gateway, possibly due to one of the following reasons:

• You do not have permission to connect to the TS Gateway server.
• You used password authentication but the TS Gateway server is expecting smart card authentication (or vice versa).

Note:

You may get the same error message irrespective of using the RDC Client (MSTSC) or the “Remote Desktop Web Access” (Under the “Remote Desktop” tab).

You may see the following events (any or all) getting logged

Security Log

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          Date Time
Event ID:      6274
Task Category: Network Policy Server
Level:         Information
Keywords:      Audit Failure
User:          N/A
Computer:      RDG Server FQDN

Description:
Network Policy Server discarded the request for a user.

Contact the Network Policy Server administrator for more information.

User:
 Security ID:   NULL SID
 Account Name:   MYDOMAIN\USER
 Account Domain:   MYDOMAIN
 Fully Qualified Account Name: MYDOMAIN\USER

Client Machine:
 Security ID:   NULL SID
 Account Name:   Client machine's FQDN
 Fully Qualified Account Name: MYDOMAIN\WSDGBLND035$
 OS-Version:   -
 Called Station Identifier:  UserAuthType:PW
 Calling Station Identifier:  -

NAS:
 NAS IPv4 Address:  -
 NAS IPv6 Address:  -
 NAS Identifier:   -
 NAS Port-Type:   Virtual
 NAS Port:   -

RADIUS Client:
 Client Friendly Name:  -
 Client IP Address:   -

Authentication Details:
 Connection Request Policy Name: TS GATEWAY AUTHORIZATION POLICY
 Network Policy Name:  -
 Authentication Provider:  Windows
 Authentication Server:  NPS Server's FQDN
 Authentication Type:  Unauthenticated
 EAP Type:   -
 Account Session Identifier:  -
 Reason Code:   5
 Reason:    The Network Policy Server was unable to connect to a domain controller in the domain where the account is located. Because of this, authentication and authorization for the RADIUS request could not be performed.

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
    <EventID>6274</EventID>
    <Version>0</Version>
    <Level>0</Level>
    <Task>12552</Task>
    <Opcode>0</Opcode>
    <Keywords>0x8010000000000000</Keywords>
    <TimeCreated SystemTime="YYYY-MM-DDTHH:MM:SS.739609200Z" />
    <EventRecordID>1463</EventRecordID>
    <Correlation />
    <Execution ProcessID="528" ThreadID="5748" />
    <Channel>Security</Channel>
    <Computer>RDG Server's FQDN</Computer>
    <Security />
  </System>
  <EventData>
    <Data Name="SubjectUserSid">S-1-0-0</Data>
    <Data Name="SubjectUserName">MYDOMAIN\USER</Data>
    <Data Name="SubjectDomainName">MYDOMAIN</Data>
    <Data Name="FullyQualifiedSubjectUserName">MYDOMAIN\USER</Data>
    <Data Name="SubjectMachineSID">S-1-0-0</Data>
    <Data Name="SubjectMachineName">WSDGBLND035.mydomain.internal</Data>
    <Data Name="FullyQualifiedSubjectMachineName">MYDOMAIN\WSDGBLND035$</Data>
    <Data Name="MachineInventory">-</Data>
    <Data Name="CalledStationID">UserAuthType:PW</Data>
    <Data Name="CallingStationID">-</Data>
    <Data Name="NASIPv4Address">-</Data>
    <Data Name="NASIPv6Address">-</Data>
    <Data Name="NASIdentifier">-</Data>
    <Data Name="NASPortType">Virtual</Data>
    <Data Name="NASPort">-</Data>
    <Data Name="ClientName">-</Data>
    <Data Name="ClientIPAddress">-</Data>
    <Data Name="ProxyPolicyName">TS GATEWAY AUTHORIZATION POLICY</Data>
    <Data Name="NetworkPolicyName">-</Data>
    <Data Name="AuthenticationProvider">Windows</Data>
    <Data Name="AuthenticationServer">RDSGBLND01.mydomain.internal</Data>
    <Data Name="AuthenticationType">Unauthenticated</Data>
    <Data Name="EAPType">-</Data>
    <Data Name="AccountSessionIdentifier">-</Data>
    <Data Name="ReasonCode">5</Data>
    <Data Name="Reason">The Network Policy Server was unable to connect to a domain controller in the domain where the account is located. Because of this, authentication and authorization for the RADIUS request could not be performed.</Data>
  </EventData>
</Event>

System Log

Log Name:      System
Source:        NPS
Date:          19/08/2009 12:39:56
Event ID:      4402
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      RDG Server's FQDN

Description:
There is no domain controller available for domain MYDOMAIN.

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="NPS" />
    <EventID Qualifiers="49152">4402</EventID>
    <Level>2</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2009-08-19T11:39:56.000000000Z" />
    <EventRecordID>1518</EventRecordID>
    <Channel>System</Channel>
    <Computer>RDG Server's FQDN</Computer>
    <Security />
  </System>
  <EventData>
    <Data>MYDOMAIN</Data>
  </EventData>
</Event>

Terminal Services Gateway Log

Log Name:      Microsoft-Windows-TerminalServices-Gateway/Operational
Source:        Microsoft-Windows-TerminalServices-Gateway
Date:          19/08/2009 12:39:56
Event ID:      201
Task Category: (2)
Level:         Error
Keywords:      Audit Failure,(16777216)
User:          NETWORK SERVICE
Computer:      RDG Server's FQDN

Description:

The user "MYDOMAIN\USER", on client computer "X.X.X.X", did not meet connection authorization policy requirements and was therefore not authorized to access the RD Gateway server. The following authentication method was attempted: "NTLM". The following error occurred: "23003".

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-TerminalServices-Gateway" Guid="{4D5AE6A1-C7C8-4E6D-B840-4D8080B42E1B}" />
    <EventID>201</EventID>
    <Version>0</Version>
    <Level>2</Level>
    <Task>2</Task>
    <Opcode>30</Opcode>
    <Keywords>0x4010000001000000</Keywords>
    <TimeCreated SystemTime="YYYY-MM-DDTHH:MM:SS.739609200Z" />
    <EventRecordID>19</EventRecordID>
    <Correlation />
    <Execution ProcessID="4612" ThreadID="5296" />
    <Channel>Microsoft-Windows-TerminalServices-Gateway/Operational</Channel>
    <Computer>RDSGBLND01.MYDOMAIN.internal</Computer>
    <Security UserID="S-1-5-20" />
  </System>
  <UserData>
    <EventInfo xmlns="aag">
      <Username>MYDOMAIN\USER</Username>
      <IpAddress>192.168.0.189</IpAddress>
      <AuthType>NTLM</AuthType>
      <Resource>
      </Resource>
      <ErrorCode>23003</ErrorCode>
    </EventInfo>
  </UserData>
</Event>

Resolution

Please refer the 2 situations discussed above. The solution differs dependent on the particular situation.

Situation A

(If a user from the Remote Desktop Gateway domain's user has an issue)

Solution 1

Register the NPS server in Active Directory:

1. In Server Manager, browse to the following location: Roles\Network Policy and Access Services\NPS (Local).
2. Right click on the NPS (Local) node and choose Register server in Active Directory.
3. Click OK to authorize the server when prompted.

Solution 2

1. Open Active Directory Users and Computers on any Domain Controller of the same domain as the Remote Desktop Gateway.
2. Add the Computer Name of the Remote Desktop Gateway to the RAS and IAS Servers group.

Situation B

(If a user from a child domain or same level domain or parent domain has an issue)

1. Open Active Directory Users and Computers on any Domain Controller from the remote domain in which the users belong to.
2. Add the Computer Name of the Remote Desktop Gateway to the RAS and IAS Servers group.

- Prathabacimman Mohan

New Networking-related KB articles for the week of January 3 – January 9

Here are the most recently published networking-related Knowledge Base articles:

958970 A long delay occurs when you try to open a network share by entering a path in the Run box on a Windows Vista-based or Windows Server 2008-based computer

961880 How to troubleshoot Secure Socket Tunneling Protocol (SSTP) based connection failures when client fails to connect to SSTP VPN server giving error message 0x80092013

977426 Error message on a blue screen when encryption software is installed on a computer that is running Windows Vista or Windows Server 2008: "STOP: 0x000000E3"

978869 Error message when you try to open a network-shared application on a client computer that is running Windows 7 or Windows Server 2008 R2: 0xc000000f

- Mike Platts

New Networking-related KB articles for the week of December 27 – January 2

Here are the latest networking-related Knowledge Base articles for the week of December 27, 2009 – January 2, 2010. Happy New Year!

974841 An update is available for Windows XP to support protocol negotiation for remote procedure call (RPC) over HTTP Authentication

977526 Communication is interrupted periodically when you start a communication from a computer that is running Windows Vista or Windows Server 2008 to a computer that is running Windows XP or Windows Server 2003

977656 You cannot start a VPN connection that uses CHAP or PAP authentication to a computer that is running Windows Vista or Windows Server 2008

976674 The computer stops responding when you access some shared files from a computer that is running Windows Server 2008 or Windows Vista

975363 A time-out error occurs when many NTLM authentication requests are sent from a computer that is running Windows Server 2008 R2 or Windows 7 in a high latency network

- Mike Platts

New Networking-related KB articles for the weeks of December 13 – December 19 and December 20 – December 26

I hope everyone is enjoying the holiday season. Here are the latest networking-related Knowledge Base articles published in the past 2 weeks:

961186  NDIS 5.x USB network adapters do not appear in Performance Monitor

961256  The DNS PTR record might be deleted if you change the DNS server order on a Windows 2003 machine

977172  The existing PPTP connections to a VPN server that is hosted in a Windows Server 2003-based NLB farm do not work after a new node is added to the NLB farm

978325  A virtual machine connection is lost when the virtual machine tries to restart or tries to shut down after you remove the virtual networks

961344  How to configure a Windows Server 2008 DHCP server using an IPv6 scope to register clients in DNS when requested

958939  The DHCP MMC snap-in stops responding when you try to stop, start, or restart the DHCP service on a clustered DHCP server instance in Windows Server 2003

977262  You cannot open a Web folder by double-clicking it in Windows Vista and in Windows Server 2008

975494  Stop error when you uninstall the Intel PROSet/Wireless WiFi connection utility on a computer that is running Windows Vista or Windows Server 2008

976529  Stop error message after you install a WFP callout driver in Windows Vista SP2 or in Windows Server 2008 SP2: "STOP: 0x0000000A"

961433  How to configure a Windows Vista client to obtain an IPv6 DHCP address

960740  Error message when you use the Netsh utility together with the init restore syntax to initiate a restoration of a WINS database in Windows Server 2008: "The system cannot find the path specified"

976373  A computer that is connected to an IEEE 802.1X authenticated network through a VOIP phone does not connect to the correct network after you resume it from Hibernate mode or Sleep mode

973243  The default gateway is missing on a computer that is running Windows Server 2008 or Windows Vista after the computer restarts if the default gateway is set by using the Netsh command

978772  Description of support boundaries for Active Directory over NAT

959398  The WINS MMC snap-in stops responding when you try to stop, start, or restart the WINS service in the WINS MMC snap-in on a clustered WINS server instance in Windows Server 2003

960519  Windows Vista does not use all the bandwidth of a PPPoE connection when you download a file from an FTP server

Happy New Year!

- Mike Platts

How to query the list of network interfaces using SNMP (via the ifDescr counter)

There have been some instances where customers have asked about how to find out what what network interfaces a machine has by using SNMP. The main reason they want to use SNMP is to achieve the requirement of creating an inventory report and for monitoring remote network devices including Windows systems, routers, and switches with an SNMP Manager (like Microsoft Operations Manager 2005).

The following article explains how to query the network interfaces of a local or remote Windows machine using SNMP

To query a value we need to use an OID (Object Identifier).

The ifDescr counter’s OID is .1.3.6.1.2.1.2.2.1.2

The above mentioned OID may be used to query the list of network interfaces via SNMP.

OID (.1.3.6.1.2.1.2.2.1.2) description:

ifDescr OBJECT-TYPE
              SYNTAX  DisplayString (SIZE (0..255))
              ACCESS  read-only
              STATUS  mandatory
              DESCRIPTION
                      "A textual string containing information about the
                      interface.  This string should include the name of
                      the manufacturer, the product name and the version
                      of the hardware interface."

Command to be used

"snmputil walk hostname communityname .1.3.6.1.2.1.2.2.1.2"

Example:

Note:

The same OID can be used query from any SNMP Manager or SNMPUtil

How to convert the ASCII output to plain text

- The ifDescr counter (OID - .1.3.6.1.2.1.2.2.1.2) will be appended by .1, .2, .3 and so on, based on the number of adapters that are present

- Refer the output displayed above. The output will be a string of hexadecimal values which will be in ASCII format. The output would be like <0x53><0x6f>........

- In order to make it readable (converting from ASCII to human readable form), we need an ASCII (Hex to text) converter utility, which may be downloaded from the Internet. Search for such a utility with keywords like “ASCII (Hex to Text) Converter” or “ASCII converter”

If the ASCII converter you use accepts only “:” or “;” as separators, the format of the current hex values (<0x53><0x6f>) need to be changed with ":" or ":" as a separator (53:6f) manually to work properly with the ASCII converter utility.

Example

<0x53><0x6f><0x66><0x74><0x77><0x61><0x72><0x65><0x20><0x4c><0x6f><0x6f><0x70>
<0x62><0x61><0x63><0x6b><0x20><0x49><0x6e><0x74><0x65><0x72><0x66><0x61><0x63>
<0x65><0x20><0x31><0x00>

which may need to be manually converted to before entering it into your ASCII converter as discussed above to something like this:

53:6f:66:74:77:61:72:65:20:4c:6f:6f:70:62:61:63:6b:20:49:6e:74:65:72:66:61:63:
65:20:31:00

Paste the value in the ASCII converter and convert it to plain text. The output (in readable format) for the above example would be:

Software Loopback Interface 1

Sample output from a Windows system which has both a physical NIC and a wireless NIC

Variable = interfaces.ifTable.ifEntry.ifDescr.1
Value    = String <0x53><0x6f><0x66><0x74><0x77><0x61><0x72><0x65><0x20><0x4c><0x6f><0x6f><0x70>
<0x62><0x61><0x63><0x6b><0x20><0x49><0x6e><0x74><0x65><0x72><0x66><0x61><0x63>
<0x65><0x20><0x31><0x00>

Variable = interfaces.ifTable.ifEntry.ifDescr.2
Value    = String <0x57><0x41><0x4e><0x20><0x4d><0x69><0x6e><0x69><0x70><0x6f>
<0x72><0x74><0x20><0x28><0x53><0x53><0x54><0x50><0x29><0x00>

Variable = interfaces.ifTable.ifEntry.ifDescr.3
Value    = String <0x57><0x41><0x4e><0x20><0x4d><0x69><0x6e><0x69><0x70><0x6f>
<0x72><0x74><0x20><0x28><0x49><0x4b><0x45><0x76><0x32><0x29><0x00>

Variable = interfaces.ifTable.ifEntry.ifDescr.4
Value    = String <0x57><0x41><0x4e><0x20><0x4d><0x69><0x6e><0x69><0x70><0x6f>
<0x72><0x74><0x20><0x28><0x4c><0x32><0x54><0x50><0x29><0x00>

Variable = interfaces.ifTable.ifEntry.ifDescr.5
Value    = String <0x57><0x41><0x4e><0x20><0x4d><0x69><0x6e><0x69><0x70><0x6f>
<0x72><0x74><0x20><0x28><0x50><0x50><0x54><0x50><0x29><0x00>

Variable = interfaces.ifTable.ifEntry.ifDescr.11
Value    = String <0x4d><0x69><0x63><0x72><0x6f><0x73><0x6f><0x66><0x74><0x20>
<0x36><0x74><0x6f><0x34><0x20><0x41><0x64><0x61><0x70><0x74><0x65><0x72><0x00>

Variable = interfaces.ifTable.ifEntry.ifDescr.12
Value    = String <0x4d><0x69><0x63><0x72><0x6f><0x73><0x6f><0x66><0x74><0x20><0x54><0x65><0x72>
<0x65><0x64><0x6f><0x20><0x54><0x75><0x6e><0x6e><0x65><0x6c><0x69><0x6e><0x67>
<0x20><0x41><0x64><0x61><0x70><0x74><0x65><0x72><0x00>

Variable = interfaces.ifTable.ifEntry.ifDescr.13
Value    = String <0x49><0x6e><0x74><0x65><0x6c><0x28><0x52><0x29><0x20><0x38><0x32><0x35><0x36>
<0x37><0x4c><0x4d><0x20><0x47><0x69><0x67><0x61><0x62><0x69><0x74><0x20><0x4e>
<0x65><0x74><0x77><0x6f><0x72><0x6b><0x20><0x43><0x6f><0x6e><0x6e><0x65><0x63>
<0x74><0x69><0x6f><0x6e><0x00>

Variable = interfaces.ifTable.ifEntry.ifDescr.14
Value    = String <0x4d><0x69><0x63><0x72><0x6f><0x73><0x6f><0x66><0x74><0x20>
<0x49><0x53><0x41><0x54><0x41><0x50><0x20><0x41><0x64><0x61><0x70><0x74><0x65>
<0x72><0x00>

Variable = interfaces.ifTable.ifEntry.ifDescr.15
Value    = String <0x49><0x6e><0x74><0x65><0x6c><0x28><0x52><0x29><0x20><0x57><0x69><0x46><0x69>
<0x20><0x4c><0x69><0x6e><0x6b><0x20><0x35><0x33><0x30><0x30><0x20><0x41><0x47>
<0x4e><0x00>

After conversion

Variable = interfaces.ifTable.ifEntry.ifDescr.1

53:6f:66:74:77:61:72:65:20:4c:6f:6f:70:62:61:63:6b:20:49:6e:74:65:72:66:61:63:
65:20:31:00

Software Loopback Interface 1

================================================

Variable = interfaces.ifTable.ifEntry.ifDescr.2

57:41:4e:20:4d:69:6e:69:70:6f:72:74:20:28:53:53:54:50:29:00

WAN Miniport (SSTP)

================================================

Variable = interfaces.ifTable.ifEntry.ifDescr.3

57:41:4e:20:4d:69:6e:69:70:6f:72:74:20:28:49:4b:45:76:32:29:00

WAN Miniport (IKEv2)

================================================

Variable = interfaces.ifTable.ifEntry.ifDescr.4

57:41:4e:20:4d:69:6e:69:70:6f:72:74:20:28:4c:32:54:50:29:00

WAN Miniport (L2TP)

================================================

Variable = interfaces.ifTable.ifEntry.ifDescr.5

57:41:4e:20:4d:69:6e:69:70:6f:72:74:20:28:50:50:54:50:29:00

WAN Miniport (PPTP)

================================================

Variable = interfaces.ifTable.ifEntry.ifDescr.11

4d:69:63:72:6f:73:6f:66:74:20:36:74:6f:34:20:41:64:61:70:74:65:72:00

Microsoft 6to4 Adapter

================================================

Variable = interfaces.ifTable.ifEntry.ifDescr.12

4d:69:63:72:6f:73:6f:66:74:20:54:65:72:65:64:6f:20:54:75:6e:6e:65:6c:69:6e:67:
20:41:64:61:70:74:65:72:00

Microsoft Teredo Tunneling Adapter

================================================

Variable = interfaces.ifTable.ifEntry.ifDescr.13

49:6e:74:65:6c:28:52:29:20:38:32:35:36:37:4c:4d:20:47:69:67:61:62:69:74:20:4e:
65:74:77:6f:72:6b:20:43:6f:6e:6e:65:63:74:69:6f:6e:00

Intel(R) 82567LM Gigabit Network Connection

================================================

Variable = interfaces.ifTable.ifEntry.ifDescr.14

4d:69:63:72:6f:73:6f:66:74:20:49:53:41:54:41:50:20:41:64:61:70:74:65:72:00

Microsoft ISATAP Adapter

================================================

Variable = interfaces.ifTable.ifEntry.ifDescr.15

49:6e:74:65:6c:28:52:29:20:57:69:46:69:20:4c:69:6e:6b:20:35:33:30:30:20:41:47:4e:
00

Intel(R) WiFi Link 5300 AGN

================================================

More information:

SNMP terms

http://msdn.microsoft.com/en-us/library/ms894635.aspx

Management Information Base

http://msdn.microsoft.com/en-us/library/ms894545.aspx

- Prathabacimman Mohan

New Networking-related KB articles for the week of December 6 – December 12

960793  The IPv6 network interface status may not be displayed correctly in the Routing and Remote Access snap-in, depending on the properties of the network connection in Windows Server 2008

977171  DNS data corruption occurs when the DNS records are transferred from a BIND DNS server to a Windows Server 2003 SP2-based DNS server

974927  Windows Server 2003 does not set the value of the icmp6_cksum field in the icmp6_hdr structure for ICMPv6 packets after you install security update MS08-037

974392  MS09-069: Vulnerability in the Local Security Authority Subsystem service could allow denial of service

971737  Description of the update that implements Extended Protection for Authentication in Microsoft Windows HTTP Services (WinHTTP)

974030  The computer stops responding when you access some shared files from a computer that is running Windows Server 2008 or Windows Vista

974318  MS09-071: Vulnerabilities in the Internet Authentication service could allow remote code execution

977342  ISATAP and 6to4 tunneled addresses cannot be used by the NLB feature on a computer that is running Windows Server 2008 R2

976658  The memory of the nonpaged pool may leak when you enable IPsec on a computer that is running Windows Server 2008 R2 or Windows 7

977067  You receive a stop error after you enable the RequireinClearout mode on an IPv6 network on Windows Server 2008 R2 or in Windows 7

- Mike Platts

Possible problems seen after upgrading Windows XP clients to SP3 in an environment that uses wired 802.1x

If you are using Wired 802.1x, upgrading your Windows XP clients to Service Pack 3 can cause some severe issues due to design changes in this area.

The following information is intended to provide some background information on these changes and how to work around them. Although most these issues are documented in separate Knowledge Base articles, this post is intended to bundle the information and provide some additional information.

I encourage you to read through these steps carefully and perform extensive testing. Running into these problems after you have already installed Windows XP Service Pack 3 can be a painful experience. Since you would need a valid authentication/authorization to gain network connectivity and you need network connectivity to change the client configuration, you might run into a chicken and egg problem. This means you would need to do sneaker administration for all affected clients.

The following issues can occur depending on the client's system configuration and your networking infrastructure:

• The required services for Wired 802.1x will not be started automatically.
• The 802.1x authentication method might change.
• The client might suspend 802.1x authentication in case of a failure.
• The settings you configured using the registry keys AuthMode and SupplicantMode might have changed.

Let's go into some details on each of these.

The required services for Wired 802.1x will not be started automatically

This issue is documented in the following KB article:

953650  You cannot connect to an 802.1X wired network after you upgrade to Windows XP Service Pack 3

Please note that this article has been updated recently. The recently added solution (Method 3) is to create the registry key SupplicantMode with a value of 2 before installing Service Pack 3. This will make sure that both the dot3svc and the eaphost service will be started automatically.

Registry path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\EAPOL\Parameters\General\Global
Name: SupplicantMode
Type: Dword
Value: 2

Please read the following white paper if you need more details regarding this registry key:
http://www.microsoft.com/downloads/details.aspx?familyid=05951071-6b20-4cef-9939-47c397ffd3dd&displaylang=en

The 802.1x authentication method might change

In Windows XP SP3, the default authentication method has been changed from EAP-TLS (Smart card or other certificate) to PEAP-MSCHAPv2.

Besides this, you may be unable to connect using PEAP-MSCHAPV2 due to the following issue:

969111  A Windows XP Service Pack 3-based client computer cannot use the IEEE 802.1x authentication when you use PEAP with PEAP-MSCHAPv2 in a domain

The workaround here is to set the authentication method back to EAP-TLS to match your RADIUS Server's configuration. You might find a number of possible solutions to this. From my point of view the following two methods should match most needs.

A) Use the Run(Once) Registry Key
Use the Run or RunOnce Registry key to run a batch file. The batch file contains a netsh.exe command to import the Wired 802.1x configuration.
Here some information about the mentioned Run(Once) Registry keys.

314866  A definition of the Run keys in the Windows XP registry

To solve potential permission issues, you can use the Sysinternals tool psexec.exe. The reason to use psexec.exe is to run the batch file using the machine's system account.
You need to download the latest version of psexec.exe  and copy this to your Windows XP SP2 clients:

http://download.sysinternals.com/Files/PsTools.zip

You will need to export a working Wired 802.1x configuration from a Windows XP SP3 client. You can do this by using the following command:

'netsh lan export profile folder=%windir%'

This will create one or more xml files for each interface.  The XML file has to be copied to your Windows XP SP2 clients, too.

You will need to deploy the following registry key to your clients as next step:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce
Type: Reg_SZ
Name: Choose a name of your choice
Value: C:\psexec /accepteula -s -i c:\netshimport.bat
  Note: Obviously you may need to edit the path for psexec.exe and the xml file.

The batch file netshimport.bat must contain the following command (without the quotes):

'netsh lan add profile file=c:\filename.xml'

You may extend this command to pipe the result to a text file which could be of use for troubleshooting in case of a problem:

'C:\psexec /accepteula -s -i c:\netshimport.bat >%windir%\netsh_result.txt'

Test if the batch file works as expected. If it does, you can now install Service Pack 3.

B) Deploy a scheduled task
This is very similar to the method described before. Instead of using the Run(Once) registry key, you would create a scheduled task which runs the same batch file. I suggest to do this after user logon which is an option when you create a scheduled task.
You will need to copy the batch file and the xml file to the clients as a pre-requisite again.
There are multiple methods possible to create a scheduled task. To mention two of them:

• Use the Control Panel in Windows XP SP2 to create it.
• Use schtasks.exe to create this task.

The client might suspend 802.1x authentication in case of a failure

This issue has been documented in the following KB article:

957931  A Windows XP-based, Windows Vista-based, or Windows Server 2008-based computer does not respond to 802.1X authentication requests for 20 minutes after a failed authentication

You will need to install the related hotfix and create the registry key BlockTime. The value for BlockTime depends on your infrastructure needs. Normally 1, which is the lowest value possible, should be ok.

The settings you configured using the registry keys AuthMode and SupplicantMode might have changed

The registry keys SupplicantMode and AuthMode are no longer valid for Windows XP SP3 Wired 802.1x. Please note that they still apply to wireless connections.

Please read the following articles for details:

949984  Changes to the 802.1X-based wired network connection settings in Windows XP Service Pack 3

929847  How to enable computer-only authentication for a 802.1X-based network in Windows Vista, in Windows Server 2008, and in Windows XP Service Pack 3

- Frank Hennemann

New Networking-related KB articles for the week of November 29 – December 5

Here are the latest networking-related Knowledge Base articles for this week:

975755 Device Manager or the application stops responding when you use Device Manager or an application to uninstall the driver for a network adapter on a computer that is running Windows Vista or Windows Server 2008

953269 The DHCP Server service on a Windows Server 2008-based computer interprets DHCPv6 Option 39 incorrectly

977999 Citrix DNE does not work with the native Windows 7 Mobile Broadband driver

- Mike Platts

New Networking-related KB articles for the weeks of November 15 – November 21 and November 22 – November 28

I hope everyone who had a holiday last week had a great one. Here are the latest networking-related Knowledge Base articles published in the past 2 weeks:

977158 DNS updates may be incorrectly reported as failed when you use a third-party DNS server application for DNS registration on a computer that is running Windows Server 2008 R2 or Windows 7

976918 Server applications may be incompatible with default behavior of authentication protocols by Windows 7 clients

- Mike Platts

New Networking-related KB articles for the week of November 8 – November 14

Here are the latest networking-related Knowledge Base articles to report this week. Next week, there will be no update due to the upcoming holiday. I will publish an update the week after next that will encompass anything published between now and then. If you get to have a holiday next week, I hope you enjoy it!

976759 WFP drivers may cause a failure to disconnect the RDP connection to a multiprocessor computer that is running Windows Vista or Windows Server 2008

976484 Some IIS clients cannot connect to the Remote Desktop Gateway (RD Gateway) that is hosted on a computer that is running Windows Server 2008 R2

- Mike Platts