Blog du Tristank : Developery

Don’t Use Office Applications (or GDI+, or System.Drawing, or WinInet) in a Server Application (or ASP.Net)

tristank — Thu, 06 Nov 2008 10:03:22 GMT

Johan posted a timely reminder of a long-standing perennial support call generator in his post Office Automation .

Adding one more option to the list of possible workarounds – direct XML-based production/manipulation of an OOXML (or ODF, for that matter) document (Word, Excel, Powerpoint?) might get you where you need to go.

Now, to get the laundry list out of the way, here’s a quick top-of-the-head list of other technologies best kept away from your shiny new ASP.Net application:

Outlook automation on the server isn’t a good idea at all, which is why CDO (or these days, DAV for Exchange Server) is preferred.
The Word/Excel/Powerpoint/Outlook programmable Object Models typically drive the application itself rather than manipulating data files directly, so should be avoided too.
Tom posted a while back on the perils of System.Drawing/GDI+ in ASP.Net applications. The same goes for WPF, last I heard.

We do use System.Drawing as a demo of in some of our IIS 7 demos (most recently seen in the PDC IIS 7 demo that included watermarking using System.Drawing), and elsewhere – it’s an effective demo, but the caveats are as documented.

WinInet (the core HTTP engine used by Internet Explorer) is another old, old case of the same designed-for-client paradigm (which led to the creation of WinHTTP (and in .Net land, HttpWebRequest etc)).

I’m not saying any of the above don’t typically work - most of the time, whatever you’re doing might work fine (I personally wrote a bunch of charting and drawing controls years ago in ASP.Net before discovering this), but when it doesn’t, our options are limited in how we’re able to help.

.HDMP and .MDMP files

tristank — Tue, 23 Sep 2008 11:12:27 GMT

Just a quickie – the rule is blog what you know, but I figure my speculation might be good enough here.

A friend gave me an HDMP file and asked what I could make of it. After the usual “I could make a hat! Or a brooch! Or a dinosaur!” type stuff, I realized it wouldn’t open anyway.

In my experience, most .HDMPs come with matching .MDMP files. I think of these as Minidumps (in the “real” mini sense – just information about threads and thread stacks), and Heap dumps (everything else the process knew or cared about in User mode).

This HDMP wasn’t openable in the debugger directly, but if its corresponding MDMP was present in the same folder at the same time, I reckon it woulda.

The feared WER-wolf produces these files in pairs (that’s Windows Error Reporting, kids, don’t be too scared, except that it invalidates everything we used to know about AEDebug registry keys and similar, but that’s another story for another time), and that’s how I’ve analyzed them in the past. I remember hearing of some sort of merge operation that needed to happen between M and H dumps, but I’m reasonably certain I haven’t bothered with that (I assume I’m lazy by default), so I think the debugger just does it for ya.

Now I’ve written that, I’m going to go look for references to support my assertions!

949180 How to create a user-mode process dump file in Windows Server 2008
http://support.microsoft.com/default.aspx?scid=kb;EN-US;949180

(At the bottom – mini and heap dumps - yay me!). Think that’s enough for today. Hugs!

Mesh Gush

tristank — Wed, 20 Aug 2008 11:15:46 GMT

Hi Everybody! I've been laying low for a while, in read-only mode, sorting, filtering, evaluating and generally catching up on stuff!

So, why break radio silence now? Well, I'm popping up to offer a quick endorsement for the Mesh platform, which was recently opened up to Australian testers.

I'm excited. I love it, and it's not even finished.

Right now, you could liken it to Foldershare plus Skydrive plus Remote Desktop, just with the out-of-the-box stuff in the preview.

But there's more to come, and the glimpse you get is absolutely compelling.

I love that I'm a mouse-over and click away from Remote Desktop to any of my machines.

I love that I can synchronize folders between any number of my devices, and have a copy kept online in my Live Desktop.

I love that it's a platform, and having seen some demos of what's possible from a programming perspective, I can't wait to get my SDK on!

At present, there are some To Be Implemented features, the odd glitch and so on (as you'd expect from a CTP), so feel free to ignore me for a while, I'll just say "told you so" later! :)

One tip I'll pass on: Quite a few people requested a versioning feature for files and folders in the Mesh forums (and note that right now, folders you share with other people are writable by them) - Windows Vista has this built in already, in the form of the Previous Versions feature that you can use to recover a document in a given folder - just get the Properties, and then check the Previous Versions tab for the folder (or document).

Go get a Mesh!

Generic Troubleshooting: "Is it still a problem?"

tristank — Mon, 28 Apr 2008 09:38:05 GMT

I've been doing this support thing for a while now.

Frequently, the basics are what get overlooked when troubleshooting an issue, particularly an issue that seems complex on the surface.

Often, though, you'll find that the detailed techniques lead you back to a fairly basic set of rules, the most basic of which is:

Everything's either a file issue, or a settings issue, or just how the software works (by bug or by design).

If something seems unlikely to be a file (corrupted or incorrect file) or settings issue, it could easily be a bug (that is, given the same conditions, you'll be able to reach the same outcome). But if you think you might have hit a bug, what's the most efficient way of addressing it?

Obviously, to find someone else has addressed it already!

So, the Temporal rule of Troubleshooting: try it with the most recent version available.

(this doesn't necessarily mean "try Word 2007 if 2003 doesn't work", I mean "within the same major version").

Today, for example, I was looking at a memory dump (which you usually tend to do at the pointy end of a troubleshooting process, and I'm not going to show working or why these two are relevant), and found these *cough* classics:

0:000> lmvmurlmon
    Loaded symbol image file: urlmon.dll
    Image path: C:\WINNT\system32\urlmon.dll
    Image name: urlmon.dll
    Timestamp:        Wed Aug 04 17:56:37 2004 (411096B5)
    File version:     6.0.2900.2180
    Product version: 6.0.2900.2180
...
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft® Windows® Operating System
    InternalName:     UrlMon.dll
    OriginalFilename: UrlMon.dll
    ProductVersion:   6.00.2900.2180
    FileVersion:      6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
    FileDescription: OLE32 Extensions for Win32
    LegalCopyright:   © Microsoft Corporation. All rights reserved.

0:000> lmvmmsxml3
start    end        module name
    Loaded symbol image file: msxml3.dll
    Image path: C:\WINNT\system32\msxml3.dll
    Image name: msxml3.dll
    Timestamp:        Wed Aug 04 17:59:24 2004 (4110975C)
    CheckSum:         00138815
    ImageSize:        00130000
    File version:     8.50.2162.0
    Product version: 8.50.2162.0
...
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft(R) MSXML 3.0 SP 5
    InternalName:     MSXML3.dll
    OriginalFilename: MSXML3.dll
    ProductVersion:   8.50.2162.0
    FileVersion:      8.50.2162.0
    FileDescription: MSXML 3.0 SP 5
    LegalCopyright:   Copyright (C) Microsoft Corporation. 1981-2003

What does that tell me? Well, lots! Like: this particular machine isn't up to date on IE and XML security patches. Internet Explorer security patches are cumulative, so installing one tends to refresh the majority of the browser software (side bonus: this can also resolve file-level issues, like a corrupted or incorrect DLL).

From that, you can infer that it's probably not up to date on a bunch of stuff. We make it pretty easy to apply security updates these days, and if the security patches aren't up to date, chances are there are non-security patches missing too, and so on.

So: My standard response to any binary implicated in a reproducible problem is to look for and then apply the latest version available (from memory, urlmon was updated this month, and msxml3 sometime since mid-2007).

Once we've applied the latest updates, we'll know whether we actually have more work to do, or whether we're just covering old ground.

So, short version: Try the latest version first.

See the big potential time saving there?

IIS7 Modules Aplenty - WebDAV, Bitrate Throttling

tristank — Sat, 15 Mar 2008 14:51:00 GMT

New modules, supported by Microsoft, are now officially RTMd (RTWd?) and available for use with IIS 7.0.

WebDAV

Yay new WebDAV! Yay being able to enable it on specific parts of a site! Yay better!

Robert: http://blogs.msdn.com/robert_mcmurray/archive/2008/03/12/webdav-extension-for-windows-server-2008-rtm-is-released.aspx

Downloads:

• Microsoft WebDAV Extension for IIS 7.0 (x86) http://www.iis.net/go/1621/
• Microsoft WebDAV Extension for IIS 7.0 (x64)http://www.iis.net/go/1618/

Media Bitrate Throttling

Yay something about bandwidth for media files!

Vishal: http://blogs.iis.net/vsood/archive/2008/03/15/bit-rate-throttling-is-now-released.aspx

Downloadies:

· 32 bit – http://www.iis.net/downloads/default.aspx?tabid=34&g=6&i=1640

· 64 bit – http://www.iis.net/downloads/default.aspx?tabid=34&g=6&i=1641

Intro:

The Internet Information Services 7.0 (IIS 7.0) Media Pack – Bit Rate Throttling module provides the ability to throttle progressive downloads of media files (in which audio/video playback starts as soon as sufficient data has been buffered on the client) based on the content bit rate. For sites that deliver audio and video files that may not be watched in their entirety, this module could significantly reduce your media-related bandwidth costs. A secondary feature of the Bit Rate Throttling Module is that it can also be used to throttle non-media ("Data") file types at specified bit rates.

Don't Forget The New FTP Server While You're At It

I already mentioned this, but I'll list it here as a one-stop convenience (aww, aren't I nice?)

Replaces FTP6 (that shipped in the box) with FTP7: FTP with SSL, virtual hostname support, extensibility, right-click-and-add-FTP-to-a-website publishing integration... loads of cool stuff.

Microsoft FTP Publishing Service for IIS 7.0 (x86)

Microsoft FTP Publishing Service for IIS 7.0 (x64)

MaxUserPort - what it is, what it does, when it's important

tristank — Tue, 11 Mar 2008 09:17:57 GMT

What can we say about MaxUserPort that hasn't already been said? Not a lot, it would seem. He's a beautiful dancer, perhaps? Ahh, such gentle humour, and nary a kitten drowned anywhere.

But TCP port shenanigans are fairly frequently misunderstood, so let's talk about the very basics of MaxUserPort.

NB: This is all pre-Vista behaviour - applicable from NT4 through to Windows Server 2003, including all the little NT-flavoured stops on the way.

MaxUserPort controls "outbound" TCP connections

MaxUserPort is used to limit the number of dynamic ports available to TCP/IP applications.

It's never going to be an issue affecting inbound connections. MaxUserPort is not the right answer if you think you have an inbound connection problem.

(I don't know why, I just know it is. Probably something to do with constraining resource use on 16MB machines, or something.)

To further simplify: it's typically going to limit the number of outbound sockets that can be created. Note: that's really a big fat generalization, but it's one that works in 99% of cases.

If an application asks for the next available socket (a socket is a combination of an IP address and a port number), it'll come from the ephemeral port range allowed by MaxUserPort. Typically, these "next available" sockets are used for outbound connections.

The default range for MaxUserPort is from 1024-5000, but the possible range is up to 65534.

When You Fiddle MaxUserPort

So, why would you change MaxUserPort?

In the web server context (equally applicable to other application servers), you'd usually need to look at MaxUserPort when:

- your server process is communicating with some type of other system (like a back-end database, or any TCP-based application server - quite often http web servers)

And:

- you are not using socket pooling, and/or

- your request model is something like one request = one outbound TCP connection (or more!)

In this type of scenario, you can run out of ephemeral ports (between 1024 and MaxUserPort) very quickly, and the problem will scale with the load applied to the system, particularly if a socket is acquired and abandoned with every request.

When a socket is abandoned, it'll take two minutes to fall back into the pool.

Discussions about how the design could scale better if it reused sockets rather than pooling tend to be unwelcome when the users are screaming that the app is slow, or hung, or whatever, so at this point, you'd have established that new request threads are hung waiting on an available socket, and just turn up MaxUserPort to 65534.

What Next? TcpTimedWaitDelay, natch

Once MaxUserPort is at 65534, it's still possible for the rate of port use to exceed the rate at which they're being returned to the pool! You've bought yourself some headroom, though.

So how do you return connections to the pool faster?

Glad you asked: you start tweaking TcpTimedWaitDelay.

By default, a connection can't be reused for 2 times the Maximum Segment Lifetime (MSL), which works out to 4 minutes, or so the docs claim, but according to The Lore O' The Group here, we reckon it's actually just the TcpTimedWaitDelay value, no doubling of anything.

TcpTimedWaitDelay lets you set a value for the Time_Wait timeout manually.

As a quick aside: the value you specify has to take retransmissions into account - a client could still be transferring data from a server when a FIN is sent by the server, and the client then gets TcpTimedWaitDelay seconds to get all the bits it wants. This could be sucky in, for example, a flaky dial-up networking scenario, or, say, New Zealand, if the client needs to retransmit a whole lot... and it's sloooow. (and this is a global option, as far as I remember).

30 seconds is a nice, round number that either quarters or eighths (depending on who you ask - we say quarter for now) the time before a socket is reusable (without the programmer doing anything special (say, SO_REUSEADDR)).

If you've had to do this, at this point, you should be thinking seriously about the architecture - will this scale to whatever load requirements you have?

The maths is straightforward:

If each connection is reusable after a minimum of N (TcpTimedWaitDelay) seconds
and you are creating more than X (MaxUserPort) connections in an N second period...

Your app is going to spend time "waiting" on socket availability...

Which is what techy types call "blocking" or "hanging". Nice*!

Fun* KB Articles:
http://support.microsoft.com/kb/319502/
http://support.microsoft.com/kb/328476

What's in IIS 7.0 for me?

tristank — Fri, 29 Feb 2008 06:16:00 GMT

While having a seemingly-innocuous chat with a colleague, I was asked to "throw together a few points" on what IIS 7.0 would do for a web application I've worked with in the past. Serves me right for talking to people, really.

In this application's case, authoring, publishing and content creation weren't as important as eventual scale-out and actual application performance (otherwise the just-released FTP7 would have been top of the list).

Here's what I came up with, off the cuff:

Reduced attack surface/patching requirements: IIS7 is now modular, and only the parts of the server actually needed by the application are required to be installed. This can also enable performance increases due to reduced memory footprint.
Vastly (imho) improved compression capabilities and compression performance (with automatic compression back-off when CPU use is high! How cool is that!?)
Simplified web farm management - if the application is able to work reliably in a web farm scenario, the IIS configuration store can be centralized and shared across all machines in the farm. (also see MSDeploy)
XCOPYable configuration - easily ensure settings are consistent between dev, qa and prod environments.
Failed Request Tracing (aka FREB) - if failures occur, request traces can be captured that include detailed diagnostic information.
Windows Server 2008 security, performance and scalability improvements - the most secure Windows yet (I expect); support for the latest hardware and 64-bit computing; and optimized TCP/IP performance.
SSL performance greatly increased - Kernel-mode SSL (not the best link for admin types) reduces context switching and ring transitions, and improves performance
Better UI! After a short time working out how the new model worked, I'm sold.

SetSPN improvements in Windows Server 2008! W00t!

tristank — Fri, 21 Dec 2007 10:21:00 GMT

All this stuff is based on a prerelease (RC1) version of Windows Server 2008 and may change before final release. Cheques may not be honoured.

I had a happy moment one night in India when the trainer for our IIS 7.0 TTT course discussed some of the Kerberos-related improvements in IIS7.

... SetSPN got revamped.

We all know (or knew, before my wiki collapsed) that duplicate Kerberos SPNs are bad. (The Wiki is still down, by the way, sorry).

We know that it's been a little bit iffy configuring said SPNs and that the chance of getting it wrong was quite high - there was no control that prevented the registration of the same SPN twice, against different accounts.

Worse: SetSPN was focused on the account (security principal) only - if you thought you had a duplicate, you needed to use a customized LDIFDE command to track it down based on the SPN, as SetSPN wouldn't search by SPN, only by account.

Buuut: Some wonderful SDE that should really be on my Christmas card list decided that SetSPN could become an all-singing all-dancing SPN troubleshooting tool!

Yes folks, SetSPN now has SANITY CHECK (-S) switches and FIND THE PROBLEM (-X) switches! HOW COOL IS THAT!?

In order to not break backwards compatibility (I infer; I didn't actually participate in the conversation or decision making process), these are implemented as new switches, not old ones: Existing scripts that rely on creating duplicates (and then presumably resolving that situation shortly afterwards) won't (er, shouldn't) suddenly break.

C:\Users\Administrator>setspn
Usage: setspn [modifiers switches data] computername
Where 'computername' can be the name or domain\name

Modifiers:
-F = perform the duplicate checking on forestwide level
-P = do not show progress (useful for redirecting output to file)

Switches:
-R = reset HOST ServicePrincipalName
Usage:   setspn -R computername
-A = add arbitrary SPN
Usage:   setspn -A SPN computername
-S = add arbitrary SPN after verifying no duplicates exist
Usage:   setspn -S SPN computername
-D = delete arbitrary SPN
Usage:   setspn -D SPN computername
-L = list registered SPNs
Usage:   setspn [-L] computername
-Q = query for existence of SPN
Usage:   setspn -Q SPN
-X = search for duplicate SPNs
Usage:   setspn -X

Examples:
setspn -R daserver1
It will register SPN 'HOST/daserver1' and 'HOST/{DNS of daserver1}'
setspn -A http/daserver daserver1
It will register SPN 'http/daserver' for computer 'daserver1'
setspn -D http/daserver daserver1
It will delete SPN 'http/daserver' for computer 'daserver1'
setspn -F -S http/daserver daserver1
It will register SPN 'http/daserver' for computer 'daserver1' if no such SPN exists in the forest

So, any instructions out there that currently use the positively archaic SETSPN -A can now be updated to use the shiny new SETSPN -S.

Again, I ask you: How cool is that!?

I should add that I haven't actually tried this yet, just gurgled at the wonderful new options and imagined their effect. If it throws a "NotYetImplementedException", please forgive my enthusiasm :)

401.3, you say? Not 403?

tristank — Mon, 22 Oct 2007 12:35:12 GMT

You're running an IIS 6.0 website, and you have a virtual directory configured for anonymous authentication only (that is, you've unticked Integrated Windows Authentication).

Using a web browser, you try to access a file in that virtual directory. http://example.com/vdir/something.txt

What's a web browser?

Know what IE is, Leon?

Yeah.

Same thing.

I've never seen an IE. But I know what you mean.

Anyway, the something.txt file is ACLd such that the anonymous user account (IUSR_MACHINENAME) doesn't have any NTFS permissions to it. IIS impersonates the anonymous user for any anonymous request, and if it's knocked back, it 401s the client with a WWW-Authenticate header describing the types of authentication supported.

Now IIS needs to ask for some kind of credential, but the only authentication method ticked is Anonymous. So IIS can't ask for credentials. It can't 401 with a WWW-Authenticate header because it's got nothing to put in it. It won't send a 403 because it hasn't yet made a good-faith attempt to impersonate a user other than Anonymous.

But you haven't configured it to ask for credentials. You could tick Integrated Windows and make the pain go away. Or you could allow the Internet Guest Account (at least) Read access to the file. But you're not doing that, Leon.

Why is that, Leon?

Do you make these questions up yourself, or do you have them written down for you?

Actually, people come to me with questions all the time, and I sometimes write them down.

Like this one: tell me only the good things that come to your mind, about... Personal Web Server on Windows 95.

Personal Web Server? Let me tell you about Personal Web Server...

Tip o' the Week: WEVTUTIL for EVTX/EVT file conversion

tristank — Fri, 05 Oct 2007 09:19:19 GMT

This week, a pointer to a solution to a problem I occasionally hit.

Windows Vista (and by extension Windows Server 2008, I assume) utilizes a new EVTX log format for event log exports. It's XML-based, natch.

Problem: Everyone's Favourite Log Digestion Tool Log Parser uses system APIs to read event log exports, and the old .EVT event log format isn't "native" any more. Long story short, it chokes on them.

This, to put it mildly, was annoying, as most customers haven't moved to Windows Server 2008 yet (I mean, it's only five months from release - is there ever a better time?) and so supply event logs in the old format when asked.

Anyway - you can convert the old-school event logs into shiny new event logs through the user interface (just double-click the EVT, wait for it to open and display in chronological order; then do a Save As, pick a location and filename and answer an obscure question about language formatting; then find and open the newly-resaved log file), but bluntly, the GUI process leaves a bit to be desired if you have the slightest inkling towards type-A behaviour, and all I really want is something that'll work in Log Parser, really.

WEVTUTIL (and NeilCar) to the rescue. It's included out of the box, and it'll convert those dusty old event logs from the command line, with nary a GUI or common dialog in sight, ready for consumption by Logparser, or any other EVTX-friendly file muncher.

Neil's example (for the click-inhibited):

wevtutil epl application.evt application.evtx /lf:true

Bewdiful.

Jason Brown's new blog

tristank — Thu, 02 Aug 2007 17:03:02 GMT

The traitorous malcontent (and former MVP) that left my cubicle for greener pastures has set up his own (shiny! new!) little shack on the intarwebs, discussing Sharepoint of all things.

I mean, I know he's in the Sharepoint support team now, but honestly - what can Sharepoint do that a stonking great database-driven ASPX site with hundreds of man-years of development ploughed into it can't?

I guess you can find out, over there.

Generating a memory dump when a particular event log occurs

tristank — Wed, 18 Jul 2007 08:18:12 GMT

Building from Paul Long's post on stopping a Netmon3 capture on a particular event, we're going to re-jig it so that we can run ADPLUS soon after a particular event is logged.

This won't produce a dump at the exact moment of the event log (which more often is what would be most useful for debugging purposes), but for the case I'm working on, I'm mainly interested in the state of the process at around or after that time; it's an intermittent problem that we're not confident we can catch quickly enough manually.

An alternative approach would be to attach, set a break on the Windows event logging function and evaluate the arguments passed to it; that's not what I'm doing here, and this has the advantage of being able to survive process recycling without special care.

EvtMon.vbs:

' evtmon.vbs
' http://blogs.technet.com/netmon/archive/2007/02/22/eventmon-stopping-a-capture-based-on-an-eventlog-event.aspx
'======================================================================
' Print out the help when something is not typed in correctly or when
' nothing at all is typed in.

Public Sub PrintHelp
    Wscript.Echo "Usage:"
    Wscript.Echo " EvtMon EventNumber [LogFile]"
    Wscript.Echo "    LogFile is optional. If used, the eventlog name"
    Wscript.Echo "    file ie, application, system, security, etc..."
End Sub

' Get the arguments. Check for event nubmer and log file as arugments
Set objArgs = WScript.Arguments

' See how many arguments we have and colect them.
if objArgs.Count < 1 OR objArgs.Count > 2 Then
    PrintHelp
ElseIf objArgs.Count > 1 Then
    EventNumber = objArgs(0)
    LogFile = objArgs(1)
Else
    EventNumber = objArgs(0)
    LogFile = ""
End If

If EventNumber <> "" Then

strComputer = "."

    ' Attatch to the WMI Service
    Set objWMIService = GetObject("winmgmts:{(Security)}\\" & _
            strComputer & "\root\cimv2")

    ' if the LogFile is populated add this to our query. Create a
    ' Event Log monitoring object and send it a query.
    If LogFile = "" Then
        Set colMonitoredEvents = objWMIService.ExecNotificationQuery _
            ("Select * from __InstanceCreationEvent Where " _
                & "TargetInstance ISA 'Win32_NTLogEvent' " _
                    & "and TargetInstance.EventCode = '" _
                    & EventNumber & "'")
    Else
        Set colMonitoredEvents = objWMIService.ExecNotificationQuery _
            ("Select * from __InstanceCreationEvent Where " _
                & "TargetInstance ISA 'Win32_NTLogEvent' " _
                    & "and TargetInstance.EventCode = '" _
                    & EventNumber _
                    & "' and TargetInstance.LogFile = '" _
                    & LogFile & "'")
    End If

    ' Create an object which returns when the next event occurs.
    Set objLatestEvent = colMonitoredEvents.NextEvent
    ' Print some info based on the event log we encountered.
    Wscript.Echo objLatestEvent.TargetInstance.User
    Wscript.Echo objLatestEvent.TargetInstance.TimeWritten
    Wscript.Echo objLatestEvent.TargetInstance.Message
    WScript.Echo objLatestEvent.TargetInstance.Logfile
    Wscript.Echo
End If

And the control batch file DUMPONEL.CMD, that does the rest of the work, also cannibalized from Paul's post!

DUMPONEL.CMD:

@echo off
if "%1"=="" goto Usage
if "%2"=="" goto Usage

cscript //NoLogo EvtMon.vbs %2 %3
cscript adplus.vbs -hang -pn %1 -quiet

goto :EOF

:Usage
echo Usage:
echo   %0 ProcessName EventNumber Logfile
echo       Logfile is optional. If used, the eventlog name
echo       file ie, applicaiton, system, security, etc...

So, for example:

I've put the two files in my Debugging Tools for Windows installation directory, and can use them with:

DUMPONEL w3wp.exe 2023

DumpOnEL runs EvtMon with the second and third arguments. When Evtmon returns (Evtmon just waits for the event it's looking for, a bit like a conditional "pause" command), ADPlus runs and hang dumps everything with the first argument (process name) specified.

The process then continues running happily* after it's finished being dumped, and the file ends up in a Hang_Mode_xxxxx folder under the current directory.

KDC_ERR_BADOPTION when attempting constrained delegation

tristank — Mon, 18 Jun 2007 10:50:54 GMT

Hit this earlier while working with someone else on a Kerberos delegation problem.

All the SPNs looked right and were registered against the right accounts; all the App Pools were Network Service; from what I'd been told, everything should have been working... but wasn't. More troublingly, it had been working at one point. But why!?

We checked that Kerb was working from the client to the first tier, then grabbed a network capture from the web server while trying to reproduce the problem.

The trace showed us a KDC_ERR_BADOPTION in response to a TGS request for http/targetserver.example.com , but looking it up didn't yield any likely results (until after we knew where to look).

In short - if everything else is right, chances are this error means that the middle tier (or however far you've got - whatever machine is acting as the KDC client at this point) isn't able to delegate.

We checked delegation options for the middle tier account, quickly popped them into "Trusted for delegation", and whop, it was working. Now we have a working baseline, confidence is restored, and they're going to implement constrained delegation later. The reason it worked once before: ticking "trusted for delegation" was one of a batch of changes implemented and rolled back during troubleshooting.

I updated my wiki with a useful* batch file that searches msds-allowedtodelegateto attributes as well as serviceprincipalname attributes.

It's documented in Technet already, but the search excerpt I got put me off initially:

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/tkerberr.mspx

The SPN to which the client is attempting to delegate credentials is not in its Allowed-to-delegate-to list.
Resolution
1.Use Network Monitor to determine the SPN to which the client is attempting to delegate credentials. You will need this information in a later step.
2.Click Start, click Run, and then open Active Directory Users and Computers by typing the following:
dsa.msc
3.Right-click the user or service account that has problems authenticating, and then click Properties.
4.Click the Delegation tab.
5.The Allowed-to-delegate-to list is the list of servers shown under the heading, Services to which this account can present delegated credentials.
6.Add the SPN the client is attempting to delegate to (information from the captured data you obtained in Step 1) to the Allowed-to-delegate-to list for that client. This will tell the KDC that this client is indeed allowed to authenticate to this service. The KDC will then grant the client the appropriate ticket.
For information about setting up service accounts for delegation, see “HOW TO: Configure Computer Accounts and User Accounts So That They Are Trusted for Delegation in Windows Server 2003 Enterprise Edition” in the Microsoft Knowledge Base at http://go.microsoft.com/fwlink/?LinkId=23067.
(or)
• The server does not support constrained delegation or protocol transition. (Windows 2000 does not support constrained delegation or protocol transition.)

Can I use SQL Server 2005 as the Biztalk Server 2004 database?

tristank — Wed, 13 Jun 2007 03:17:48 GMT

No - SQL 2005 and Biztalk 2004 aren't currently supported together, except with an "arm's length" SQL data adapter.

The primary BTS2004 database still has to be SQL 2000.

References:

915919 Microsoft SQL Server 2005 is not currently supported for Microsoft BizTalk Server 2004 databases
http://support.microsoft.com/default.aspx?scid=kb;EN-US;915919

926628 Summary of operating systems and SQL Server versions supported by different versions of BizTalk Server
http://support.microsoft.com/default.aspx?scid=kb;EN-US;926628

FAQ: How can I bundle IIS 6.0 (or IIS 7.0) with my application on an older OS?

tristank — Mon, 23 Apr 2007 04:24:56 GMT

I've seen a few variations on this question come up recently, generally of the form:

"We have Windows XP clients and require IIS 7.0 to be installed on them when our application is installed on them. Is there a redist?"

In short, no.

(Note that this question is distinct from "how can I install and configure the OS version of IIS when I install my application", which is not covered here)

Since Windows 2000 and IIS 5.0, the only releases of IIS we've made have been a part of the operating system they're installed with.

The table of available versions looks something like this:

IIS 4.0 - NT 4.0 Option Pack

IIS 5.0 - Windows 2000

IIS 5.1 - Windows XP 32-bit, (?and Itanium, from memory?)

IIS 6.0 - Windows 2003, Windows XP x64 edition

IIS 7.0 - Windows Vista, Codename "Longhorn" Server

Since the NT 4.0 Option Pack, there's been no separate release of IIS.

So, if your app requires IIS and is targeting Windows XP clients, you need to target an IIS version as low as 5.1.