Microsoft released an SSL diagnostics utility. I just found it mentioned in an article called Troubleshooting SSL in IIS. However, it has one drawback: it comes as an installable MSI package.
If you don’t want to install anything on your server and only want to run a one-time scan of it, I created a ZIP package with just the executable files: copy it to the server and run it. It contains both the 32-bit and 64-bit versions in one archive.
SSL Diagnostics
Recently, when migrating an application that uses client certificate authentication to IIS 7, we noticed that ASP.NET impersonation stopped working.
The client was authenticated properly, but the connection to the database server was being established with the machine account (DOMAIN\SERVERNAME$). We didn’t find any issue in the configuration, so we raised a case with Microsoft support.
It turns out one of the IIS 7 / 7.5 default configuration files has a bug. The file is C:\Windows\System32\inetsrv\config\schema\IIS_schema.xml, and under the following section the enum entries are wrong:
<sectionSchema name="system.webServer/security/authentication/iisClientCertificateMappingAuthentication">
<attribute name="logonMethod" type="enum" defaultValue="ClearText">
<enum name="Interactive" value="0" />
<enum name="Batch" value="1" />
<enum name="Network" value="2" />
<enum name="ClearText" value="3" />
</attribute>
</sectionSchema>
That causes IIS to use the wrong logonMethod when logging on the impersonated, certificate-mapped account. The correct values to set there are the LOGON32_LOGON_* constants that the Win32 LogonUser function accepts:
<sectionSchema name="system.webServer/security/authentication/iisClientCertificateMappingAuthentication">
<attribute name="logonMethod" type="enum" defaultValue="ClearText">
<enum name="Interactive" value="2" />
<enum name="Batch" value="4" />
<enum name="Network" value="3" />
<enum name="ClearText" value="8" />
</attribute>
</sectionSchema>
We set logonMethod=ClearText, but because the enum entry was originally ‘3’, this told IIS to actually perform a Network logon (LOGON32_LOGON_NETWORK is 3). A network logon produces a token without cached credentials, so it cannot be used to authenticate to a service on another server, which is exactly what we needed (Kerberos delegation to the database server). ClearText should map to 8 (LOGON32_LOGON_NETWORK_CLEARTEXT), which keeps the credentials and lets the impersonated token reach network resources. Changing the enums to their correct values resolved the issue.
Microsoft probably won’t release a fix for that, so you’ll have to update this schema file on your own. Back it up first and restart IIS afterwards so the configuration system reloads the schema.
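The following script is an added example, not part of the original post or of any Microsoft tooling. It audits the logonMethod enum values in IIS_schema.xml against the LOGON32_LOGON_* constants and, with -Fix, rewrites the wrong ones after taking a backup. The schema path, the parameter names and the -Fix switch are my own choices; run it from an elevated PowerShell prompt on the IIS 7 / 7.5 server.

```powershell
# Added example (not from the original post): audit, and optionally correct, the logonMethod
# enum values for iisClientCertificateMappingAuthentication in IIS_schema.xml.
# Expected values are the LOGON32_LOGON_* constants accepted by the Win32 LogonUser function.
param(
    [string]$SchemaPath = "$env:windir\System32\inetsrv\config\schema\IIS_schema.xml",
    [switch]$Fix
)

$expected = @{
    Interactive = 2   # LOGON32_LOGON_INTERACTIVE
    Network     = 3   # LOGON32_LOGON_NETWORK: token has no cached credentials, no delegation
    Batch       = 4   # LOGON32_LOGON_BATCH
    ClearText   = 8   # LOGON32_LOGON_NETWORK_CLEARTEXT: credentials kept, can reach other servers
}

# Load with whitespace preserved so a later Save() changes only the value attributes.
$schema = New-Object System.Xml.XmlDocument
$schema.PreserveWhitespace = $true
$schema.Load($SchemaPath)

$xpath = "//sectionSchema[@name='system.webServer/security/authentication/iisClientCertificateMappingAuthentication']" +
         "/attribute[@name='logonMethod']/enum"
$enums = $schema.SelectNodes($xpath)
if ($enums.Count -eq 0) { throw "logonMethod enum not found in $SchemaPath" }

$wrong = @()
foreach ($e in $enums) {
    $name = $e.GetAttribute('name')
    $have = [int]$e.GetAttribute('value')
    if (-not $expected.ContainsKey($name)) { Write-Warning "Unexpected enum '$name' (value $have)"; continue }
    $want = $expected[$name]
    $status = if ($have -eq $want) { 'OK' } else { 'WRONG' }
    "{0,-12} value={1} expected={2} {3}" -f $name, $have, $want, $status
    if ($have -ne $want) { $wrong += $e }
}

if ($wrong.Count -eq 0) { "Schema already carries the correct LOGON32 values."; return }
if (-not $Fix)         { "Re-run with -Fix to correct the file."; return }

# Back up first. The file normally belongs to TrustedInstaller; if Save() is denied, take
# ownership first:  takeown /f $SchemaPath ; icacls $SchemaPath /grant Administrators:F
$backup = "$SchemaPath.$(Get-Date -Format yyyyMMddHHmmss).bak"
Copy-Item -LiteralPath $SchemaPath -Destination $backup

foreach ($e in $wrong) {
    $e.SetAttribute('value', [string]$expected[$e.GetAttribute('name')])
}
$schema.Save($SchemaPath)
"Fixed $($wrong.Count) enum value(s); backup at $backup. Run iisreset so IIS reloads the schema."
```

After the fix, confirm that the site is actually configured for ClearText (the schema only defines what the names mean): appcmd list config /section:system.webServer/security/authentication/iisClientCertificateMappingAuthentication should show logonMethod="ClearText", and an impersonated request should then reach the database server as the mapped user rather than as DOMAIN\SERVERNAME$.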
I just found another reason to love IPv6.
I spent 2 hours debugging why I couldn’t connect via RDP to a new server I built at home. Traces, firewall checks, pings. Nothing: the port seemed closed from the network, even though it was wide open on the server OS.
Finally I found the reason: I was connecting via the NetBIOS name, and the connection was going to a virtual machine I had open, not to the actual physical server.
Thanks to IPv6, I couldn’t recognise that just by looking at the ping results; spotting the difference between two IPv6 addresses is not as easy as it was with v4.
Just a rant. But quite annoying.
I just passed ITIL Foundation v3 training.
It’s pretty simple and straight-forward.
To a geek’s mind, it also gives a lot of pleasure to see your built-in sense for “the right thing”, all the rules you always felt and applied, clearly written down and structured by some organisation. Very nice experience.
And the HP Race to Results simulation game is excellent!
I just passed 70-680 – Windows 7, Configuring.
I got a free exam voucher from a local training facility and just went to take the exam. Unfortunately, all server exams were already booked, so I took a client one, not that I have anything to do with client OSes in my work. I got 100% on all the “server-like” functionalities (backups, permissions, security, network configuration) and somewhat lower scores on the others, but the result is another exam passed, for free this time.
Long live free vouchers!