
March 2006 - Posts

Recently seen in the IIS newsgroup was the following problem:

We have a Dell Powervault 745N running Windows 2003 standard, SP1. We have generated and installed an SSL certificate from rapidssl (geotrust) in IIS and it works ok.

However, upon reboot, when we check the IIS certificate settings in the virtual directory, we can see that IIS is once again using the old, machine certificate. ... No error messages in the event log. ... The IIS metabase is working ok otherwise - does not appear to be corrupt as other settings I change seem to stay as part of the config.

The first step is to verify that the correct SSL certificate information is actually being persisted into the IIS metabase. To do that, we look at the website's properties in the metabase, particularly the SSLHash property, as shown below.

SSLHash Property

We then verify that this is the correct certificate that should be used. To do that we use the Certificates MMC Snapin to examine the computer's certificate store. To do this click Start - Run - MMC.exe

Inside MMC.exe click File - Add/Remove Snap-in, add the Certificates snap-in and point it to the Computer account when prompted.

Expand the Personal - Certificates nodes and locate the certificate that you want IIS to use (the certificates should be listed by their common name so you should be able to locate the one you want easily). Double-click the certificate to bring up its properties, and on the details tab scroll down to the thumbprint property. Verify that the value for the thumbprint is the same as the SSLHash stored in the metabase. If it is, then you know that IIS is currently configured (both in-memory, and in the metabase) to use the correct certificate.

Certificate Properties

Since the correct certificate has been persisted to the metabase, the change in certificate must be caused by some external agent. The next step is to enable Metabase Auditing. This enables us to see what process or user account is making changes to the metabase, what they are changing, and the old and new values. Detailed steps on enabling metabase auditing are available here.

In the current situation the following event was logged, indicating that a program called taskcord.exe was changing the SSLHash value in the metabase:

Primary User Name: SYSTEM
Primary User Domain: NT AUTHORITY
Primary Logon ID: (0x0,0x3E7)
Path: /LM/W3SVC/6633
Property ID: 5506
Property Name: SSLCertHash
Old Value: 84 37 c2 d0 61 --snipped --
New Value: d7 48 f1 ba 6b --snipped --
Caller PID: 2776
Caller Image Path \WINDOWS\system32\ServerAppliance\taskcord.exe
Result: 0x0

A quick search turns up the following MSDN documentation on TaskCord. The Task Coordinator stores its jobs in the registry at HKLM\SOFTWARE\Microsoft\ServerAppliance\ApplianceManager\ObjectManagers\Microsoft_SA_Task. Under the ApplianceInitializationTask key there was a task called SelfSignCert.SelfSignCert.1, which ran each time the box was booted. That task generated a self-signed certificate and applied it to the default website on every boot. Removing that entry stopped the SSL certificate from being changed. Case closed!
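As an added example (not from the original post), a small Python checker that does the comparison described above: it parses a metabase audit event laid out like the one quoted, normalises the hash so it can be compared with the thumbprint shown in the certificate MMC dialog, and flags an SSLCertHash write that either moves the site off the expected certificate or comes from a process outside an allow-list. The event text and hash bytes are constructed placeholders, and the allow-list of writer image names is an assumption.

```python
import re

# Constructed sample laid out like the audit event quoted above; the hash
# bytes are placeholders, not the values from the post.
SAMPLE_EVENT = """\
Primary User Name: SYSTEM
Primary Logon ID: (0x0,0x3E7)
Path: /LM/W3SVC/6633
Property ID: 5506
Property Name: SSLCertHash
Old Value: 84 37 c2 d0 61 aa bb cc
New Value: d7 48 f1 ba 6b 11 22 33
Caller PID: 2776
Caller Image Path \\WINDOWS\\system32\\ServerAppliance\\taskcord.exe
Result: 0x0
"""

def normalize_hash(value):
    # Drop the spaces/colons the MMC thumbprint view and the audit event
    # insert, and lowercase, so the two can be compared byte for byte.
    return re.sub(r"[\s:]", "", value).lower()

def parse_audit_event(text):
    # Turn the 'Key: Value' lines into a dict. The Caller Image Path line is
    # logged without a colon, so it is split on its last space instead.
    event = {}
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        if ":" in line:
            key, value = line.split(":", 1)
        else:
            key, value = line.rsplit(" ", 1)
        event[key.strip()] = value.strip()
    return event

def check_sslhash_change(event, expected_thumbprint, allowed_writers):
    # Flag an SSLCertHash write that moves the site off the intended
    # certificate or comes from a process outside allowed_writers (a set of
    # image-name suffixes; an assumption, not a documented list).
    if event.get("Property Name") != "SSLCertHash":
        return None
    caller = event.get("Caller Image Path", "").lower()
    return {
        "path": event.get("Path"),
        "caller": caller,
        "new_value_is_expected": normalize_hash(event["New Value"])
        == normalize_hash(expected_thumbprint),
        "caller_is_allowed": any(caller.endswith(w.lower()) for w in allowed_writers),
    }
```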

On a completely unrelated note, I graduated with a Masters of Business and Technology (MBT) from the University of New South Wales last Friday (24th).

1 Comments

Bruce mentioned that IIS didn't appear to support the use of commas in filenames when configuring redirects in IIS.

This is true. When you configure a redirect in IIS the data is stored in a field of type string. However IIS actually stores several pieces of data in this one field, and separates those bits of data using commas. The bits of data include the URL the user should be redirected to, and whether this is a permanent redirect or not.

A sample node from the IIS metabase looks like this:

/test/redirect2.htm, EXACT_DESTINATION, PERMANENT

If the URL you are redirecting to contains commas, then any part of the URL following the comma is ignored.

So how can we get around this? We can encode the comma. The URL-encoded value for a comma is %2C. Instead of entering your target URL with literal commas, use %2C instead. How do we know to use %2C? Well, the ASCII value for a comma is 44, and the hex value for 44 is 2C. How do we know what the ASCII value for a comma is? The following VBScript snippet will tell you:

WScript.Echo Asc(",")

To generate a table of ASCII values and their corresponding hex values for common characters, you can use the following script (it's best to run it at a command line using cscript.exe scriptname.vbs):

' Echo each character from code 20 to 255 with its decimal and hex value
For i = 20 To 255
    WScript.Echo Chr(i) & " = " & i & " = " & Hex(i)
Next
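As an added example (not from the original post), the comma problem and the %2C workaround above modelled in Python: the field is split the way the post describes (destination first, flags after), so an unencoded comma in the target URL truncates the destination, while encoding each comma as %2C keeps the whole URL intact. The example.com URL is constructed, and ascii_hex() gives the same pair of values as the VBScript Asc()/Hex() calls above.

```python
# Constructed HttpRedirect value in the layout the post shows: destination
# first, then the flags. The destination URL here deliberately contains commas.
TARGET_URL = "http://example.com/report.aspx?ids=1,2,3"
RAW_FIELD = TARGET_URL + ", EXACT_DESTINATION, PERMANENT"


def split_redirect_field(field):
    # Model how IIS reads the field: the text before the first comma is the
    # destination, every later comma-separated token is treated as a flag.
    parts = [p.strip() for p in field.split(",")]
    return parts[0], parts[1:]


def encode_redirect_target(url):
    # Replace each comma with %2C (ASCII 44 = 0x2C) so the whole URL survives
    # the comma split. Only the comma is touched, as in the post's workaround.
    return url.replace(",", "%2C")


def build_redirect_field(url, *flags):
    # Assemble a field IIS will read correctly even when the URL has commas.
    return ", ".join([encode_redirect_target(url), *flags])


def ascii_hex(ch):
    # Same pair of values the post's VBScript Asc() and Hex() calls return.
    return ord(ch), format(ord(ch), "X")


if __name__ == "__main__":
    dest, flags = split_redirect_field(RAW_FIELD)
    print("unencoded ->", dest, flags)  # destination is cut at the first comma
    fixed = build_redirect_field(TARGET_URL, "EXACT_DESTINATION", "PERMANENT")
    dest, flags = split_redirect_field(fixed)
    print("encoded   ->", dest, flags)  # full URL kept, flags intact
```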
(Comments Off)

Mentioned on Splatt's blog, is this service that attempts to measure the influence of your blog. Curious, I checked it out. Apparently my score is/was 8065.

I also checked out a few other blogs. Frank Arrigo scores 11145. David Wang scores 2382. Frankly I don't think that my blog is 3x more influential than David's. And it can't be only a few thousand points short of Frank's. So something needs to be tweaked in the formula - my blog influence is waaaay overstated. On the other hand, Raymond Chen scores 97615 and Jensen Harris scores 17774 so no surprises there.

2 Comments

Jonno Downes (aka Jamtronix) has performed an experiment designed to work out how IE handles various HTTP status codes, following on from a discussion over at Intertwingly.

As Aristotle pointed out in the discussion, it’s quite possible for a server to return a 404 or 500 HTTP status code, and IE (or any other browser) to render any provided HTML. Webservers have been serving custom 404 or 500 error pages for a long time now.

To add to Jonno’s experiment, I would like to tender Microsoft KB article 218155. This details the behavior of IE when seeing certain HTTP status codes, and friendly HTTP errors are turned on. If the HTTP body is less than a certain amount, then IE will substitute a "friendly" error page for certain codes. If the HTTP body is more than a certain amount, then IE will render the HTML sent by the server. Presumably this helps novice users who might otherwise be intimidated by a server that sets an HTTP status (e.g. 404), but provides nothing else.

The default threshold values are stored in: HKLM\Software\Microsoft\Internet Explorer\Main\ErrorThresholds and user specific overrides can be stored in a corresponding key under the HKCU hive.

(Comments Off)

Microsoft and Intel have removed the wraps from their UMPC (Ultra-Mobile PC) formerly code-named "Origami". There's been plenty of hype about it, and information galore on Engadget, community sites (UMPC, Rob McClaws), and even Aussie bloggers (Jeff Alexander, Michael Kleef, Mitch Denny etc).

Some people seem to love them. I'm wondering if anyone's disappointed? Don't get me wrong, I love mobility. I have two tablet PCs (Tecra M4, Portege M200), three pocket PCs (two iPaqs and a Toshiba) and four smartphones (Qtek and iMate) in my flat, along with three regular notebooks (Lat D600, Tecra M2 and Vaio Z1).

Whilst I understand that there is probably a niche for this device, it just doesn't seem compelling to me. If Microsoft is pitching this at the consumer or mobile professional then:

  • Three hour battery life is disappointing. If Microsoft wants this to be a disconnected device then we need at least a day's worth of power. There's no point taking this outside, on holidays, or wherever if it needs to be charged every 2-3 hours.
  • It runs standard Windows XP Tablet PC Edition on a slow CPU off a regular hard disk. That's also disappointing. I don't know about everyone else, but waiting two or so minutes for my PC to boot up is not what I like doing. For a mobile device (like a Pocket PC or Smartphone) we expect "instant on", which makes the device handy for using whenever or wherever. Just get it out, hit a button and you're ready to go. I realise that standby/hibernate are options, but I find that you still need to reboot XP every so often, even if only to deal with crappy drivers that don't come back out of standby properly.

I know Mitch has remarked that this device has the potential to replace desktops in the enterprise, but I think it falls far short of that. For the enterprise:

  • The screen resolution is way too low. Imagine trying to do anything productive in Excel or Visio on an 800x480 screen.
  • The device doesn't have any features that mitigate the current problems with mobile devices in the enterprise: employees lose these things, or they get stolen, or they get damaged, or they get infected with spyware/malware when used at home.
  • The devices aren't exactly ergonomic. People who use computers daily need proper keyboards, mouses and a decent sized display. This device offers none of that.

And lastly, the devices look ugly. I know Jeff disagrees with me, but I think Jeff needs to buy some stuff made by Apple or Sony. Whilst a low price might overcome these limitations, the talked-about costs (US$500-1000) probably mean I'll be sticking to my regular Tablet PC + iMate Smartphone + iPod Nano combination.

3 Comments

A few friends and I have been in discussions with a publisher about a book on IIS 7.0. On the weekend, we handed over the latest draft proposal. We already think we have a number of things that will make this book the book to have on IIS 7.0 - it'll cover everything that most other books do and then some, and it'll be written by people who have real-world experience running large scale IIS facilities. But we really want to ensure that this is the best book on IIS 7.0 out there, so we'd like to hear from you about what you'd like to see in a book on IIS 7.0 - what types of things would make you get hold of such a book?

5 Comments

Mike Kolitz (Virtualization Team) has instructions on installing Vista into a VPC. To get VPC Additions working you need to use the Virtual Server 2005 R2 Additions (well, those are the only publicly available ones that work). You can get the Virtual Server 2005 R2 additions from the trial edition if you don't have access any other way.

But what if you don't want to install Virtual Server just to get the additions ISO? If you run the following command, you can unpack the Virtual Server setup.exe file:

setup /c /t c:\temp

If you then run the following command, you can unpack the MSI file. You then have access to the VS2005 R2 additions ISO, which you can install into your VPC (just use the CD -> Capture ISO Image... option):

msiexec /a "c:\temp\Virtual Server 2005 Install.msi" TARGETDIR=C:\temp\extract /qn

Many IT Admins and consultants who profess themselves to be AD-competent will tell you that multiple password requirements are a reason to have multiple domains within your Active Directory (AD) forest. You simply can't have multiple password policies in the same domain. And attempting to link GPOs that specify differing password policies to different containers (e.g. different OUs for users) doesn't work.

However I've found a lot don't seem to know why this is the case. Maybe it's a question they've never turned their minds to, or maybe they don't know as much about AD as they think they do. I'm sure it's the former, though some of my less charitable colleagues argue that it's the latter (big grin).

Password policies, like any other policy setting, apply to a client (be that a computer/machine, a user, or both). So who or what is the client in this case? Despite what many think, it's not the user. And that's the reason you can't have different policies for different users. The clients in this case are the Domain Controllers in your domain.

When you, as a user, change your password, it is submitted via a secure channel to the user's Logon Domain Controller. This DC is responsible for verifying whether the password meets the Domain's password requirements. By password requirements we are talking about length, minimum and maximum age, complexity requirements enforced by passfilt.dll and so forth. Because there can only be one effective policy applied to the DCs in your Domain, there can only be one effective password policy for the domain. If you need multiple password policies, you need multiple domains. (Let's leave aside options such as writing your own passfilt.dll that is aware of the differing requirements that you have for the time being!)

1 Comments

I recently received a nice surprise from Microsoft. A number of MVPs (and others) were given a Microsoft ACE award for their contribution to the VS.NET 2005 Beta. Mine got delivered a few days ago. Some pictures below (with Channel 9 guy to show size). There are some clearer pictures of the cube available on other websites (1, 2). Thanks Microsoft!

2 Comments