Longhorn Server Beta 3 is now officially out. If you are in the LHS beta program, you can download the build from Connect, or otherwise you can get an evaluation edition and documentation from the Microsoft website.

EDIT: I've jumped the gun. The build available on MSDN is the April CTP. Beta 3 is still scheduled for towards the end of this month. 

EDIT2: I've removed the image to save a bit on bandwidth.

Had Longhorn Server Beta 3 been released?


It appears that there is a bug in Windows Server 2003 with Service Pack 2 - session_OnEnd events no longer fire in Classic ASP applications. A hotfix and KB to come soon.

EDIT: Hotfix is now available here (KB934903)


If you have a Vodafone 3G card you may have been a bit frustrated that v7 of the VMC software doesn't work under Vista. It's particularly annoying since "3" seems to use the same Novatel Merlin U630 card and their Mobilink software does work under Vista.

Well, you can now get VMC v9 and it works under Vista! Thanks to Jason Langridge for this information.

In a previous FAQ we covered enabling Metabase Auditing, which allows tracking of metabase changes. If you'd like to get alerts on these changes in MOM (Microsoft Operations Manager 2005), instructions are in this new FAQ.

Just in time before the end of the month - an IIS related blog post :-)

Windows Server 2003 Service Pack 2 has been released (RTM). Get it here for 32bit and 64bit (x86-64). SP2 for Itanium (ia64) will be released shortly.

Whilst IT, and solving problems with IT (both business and technical) is undoubtedly one of my passions, climate change has been another for quite some time. In my day-to-day life I run into quite a few people with strong opinions one way or the other on climate change. A lot of what people think is incorrect - either completely or by degree. Partially this is because people get their information from any number of ill-informed or unscientific sources - of which the interweb is rife.

Whether the climate is changing is ultimately a scientific question. It should be researched using the scientific method. What we should do about it (adapt, mitigate or just hope for the best) is a socio-politico-economic question that is best answered through the political system. I won't delve into the latter question, but if you want the facts on what is happening to the climate, then there is a single pre-eminent source: the Intergovernmental Panel on Climate Change (or IPCC). Every few years, working groups at the IPCC produce summaries of all the scientific data to-date on what is happening with our climate. These working groups are constituted by hundreds of the world's most pre-eminent scientists in their respective fields. Their output is then rigorously examined by other organisations, including governments, before being approved and presented.

The last fully released report - the 3rd Assessment Report was delivered in 2001. Here is a picture of the approximately 3100 pages of information presented (and to help show I'm not some pink-leftie-greenie nutter, a copy of Bjorn Lomborg's Skeptical Environmentalist sits next to the pile)

IPCC 3rd Assessment Report

The IPCC's 4th Assessment Report is due to be delivered this year. The recent spate of articles in the media relating to climate change were brought about by the recent release of the Summary for Policy Makers document (equivalent to the thin one in the pile above) that provides a summary of what will be contained in the main reports.

If you think that climate change is a scientific question, then get your facts from the scientists. Read the IPCC reports - all they contain are summaries of all the published research on climate change. If you want to get your information from conspiracy theory websites and random blogs, by all means you are free to do so, but don't expect to be well informed on the situation.

An interesting proposition from Microsoft - start an IM conversation with Windows Live Messenger v8.1, and if you opt in, Microsoft will donate to a cause of your choice (from the range available).

Virtual PC 2007 is out now (for 32bit and 64bit) - get it from here and be the first in your neighbourhood to be running VPC07 :-)

Some of the major new features include hardware virtualisation support (e.g. for Intel VT) that will dramatically improve performance pre VM additions installation, PXE boot support and improved WLAN network card support.

The Longhorn Server February CTP has been released on Connect. I imagine it will be available on MSDN downloads soon.

EDIT: I made a mistake in the path below. The key name should be HKLM\Software\Microsoft\Windows CE Services only. Underneath that key (in the right-hand pane in Regedit) there should be a String called SerialPort. You need to change the value of that string to COM7 (or whatever your Bluetooth COM port is). Apologies.

If you are running the new Windows Mobile Device Center on Windows Vista, and using the inbuilt Microsoft Bluetooth Stack, then syncing via bluetooth probably works fine for you. However if you are using the Toshiba Bluetooth Stack (for example, to get A2DP profile support) then you need to do some work to get bluetooth synchronising working.

Firstly, on your host machine, open Regedit and navigate to:

HKLM\Software\Microsoft\Windows CE Services\SerialPort

and change the value from Bluetooth to your incoming bluetooth COM port. Normally this is COM7 if you are using v5 of the Toshiba Bluetooth Stack (the Vista compatible version). Change the value to "COM7" (without the quotes). You will need to restart your machine.

Now pair your Windows Mobile device with your host machine. You should see the ActiveSync service listed. If you've previously paired your device, then you would have seen "Serial Port" listed as a service (which isn't enough to get ActiveSync working). Instead go into the properties of the bluetooth device and select "refresh" to get an updated list of services that your host PC is advertising. ActiveSync should now be an option. Select it. Now, when using ActiveSync on your WM device, Connect via Bluetooth should work just fine.


I noticed on Frank's blog today that Adam Cogan has some suggestions for improving Microsoft software. In particular Adam has a page on improving IIS.

With all due respect to Adam, I think we have a PEBKAC issue here, not a GUI issue. Adam complains that it's difficult to distinguish between a physical folder and a virtual folder in the IIS Manager, and this makes a big difference when deleting something. To help Adam distinguish between physical and virtual directories, I have the following screenshot that compares the two.

Difference between physical and virtual folders

A physical folder looks like a normal Explorer folder icon. A virtual directory has a small "globe" icon superimposed on the folder.

Additionally, when you delete a virtual directory you get a warning that says "do you want to delete this item?". When you delete a physical directory you get the same message you see in Explorer when you delete an item namely: "Do you want to move -folder- and all its contents to the Recycle Bin"

Lastly, if you have an Application Root (the box with the globe) and you wish to delete that directory, then you should first remove the Application from the IIS metabase which will revert the icon back to either a physical or virtual directory. To remove the Application, bring up the properties for that directory and on the "Virtual Directory" tab click the "Remove" button.

I hope that helps your experience with the IIS Manager MMC Snapin!


Amongst all the hoopla around the Windows Vista and Office 2007 launches, there are a few more downloads out there worth checking out.

The new IIS Download Center has been launched by the IIS Product Group. Here you can download add-ons and extensions to IIS. In their words "The DownloadCENTER at IIS.net, is a community hotspot for discovering, sharing, reviewing and promoting IIS-related solutions in a single place. Dozens of existing downloads, for all versions of IIS – both from Microsoft and the community – are already available in DownloadCENTER today."

Also released is the RTM version of the Windows Mobile Device Center 6 for Windows Vista. This replaces ActiveSync that was used on previous versions of Windows. It's available via WindowsUpdate, or from the Microsoft website.

And lastly, if you are part of the Longhorn Server beta program, check out the "Changes in Longhorn Server" document available from the Microsoft Connect website for major upcoming changes in the Longhorn Server product.

The first of these two is a serious issue IMHO (so, much more than a mere annoyance). I hope Microsoft looks hard at fixing this one for us Tablet users!

When UAC is enabled on a Vista machine, you are switched to the Secure Desktop to authorise privileged actions (like changing system settings, or installing software). The Secure Desktop is a separate window station. For most users, you'll already be an Administrator, and your token will be sufficient to authorise the action. Just click the OK button. If you are running as a regular user, you'll need to enter credentials of a user that has sufficient privileges.

So what's the problem? The tablet input panel (TIP) isn't available on the secure desktop! If you are using a Tablet in tablet mode, you need to switch back to normal laptop mode to type in your credentials. If you are using a slate, you'd have to attach an external keyboard. That is an issue IMHO. It's covered in Microsoft KB article 927843 (The Tablet PC Input Panel is unavailable when it is running in Admin Approval Mode in Windows Vista) and also in KB article 927838

The second is the removal of IP over IEEE1394 (Firewire). In Windows XP and Windows Server 2003, if you had a firewire port you'd have an additional network adapter. You could network two laptops (or other machines) together using Firewire. As an added bonus this would run at about 400mbps. This was handy if you were running a lot of Virtual Machines (like me) since it gave you another discrete network between VMs running on two different laptops.


Delegation is a feature of Kerberos authentication that allows a server to obtain a Kerberos ticket on behalf of an end user without ever having access to the end user's password. This functionality allows Kerberos to solve typical "double-hop" authentication problems where a user's credentials need to flow through multiple levels in an n-tier architecture. Other authentication technologies (Digest and NTLM) do not allow this natively (we'll cover something called "Protocol Transition" later on down the track).

In this simple scenario, we'll add a backend SQL Server to our original simple scenario. Our user will authenticate, using Kerberos, to our web application, and then the web application will open a connection to SQL Server using the end-user's credentials (a "trusted connection").

IIS and Kerberos - a delegation scenario

The delegation functionality featured here can be used through multiple levels (for example if you have a web server, connecting to an application server, connecting to an SQL Server). The delegation done by the web server is repeated at each additional layer in the chain.

In the diagram above the following sequence of events takes place:

  1. The client browser supplies a Kerberos service ticket to the web server. The process that happens in obtaining a service ticket is covered in the previous post.
  2. The web server, seeing the need to open a connection to SQL Server using the end user's credentials, obtains the necessary ticket from the KDC.
  3. The KDC returns a ticket if the web server is permitted to delegate.
  4. The server opens the connection, sending the ticket obtained from the KDC.
  5. The SQL Server permits the connection to be opened, or returns an error indicating that the user is not permitted to log in to SQL Server.
  6. The web server returns the web page to the end user.

To get this working, we need some configuration in addition to what we performed previously. In Active Directory we need to give the web server permission to get tickets on the end user's behalf. If you locate the web server's computer account in the Active Directory Users and Computers MMC, right-click it and choose "Properties", there is a "Delegation" tab where you can configure the necessary options. The Delegation tab looks different depending on whether you have a Windows 2000 functional level domain, or a Windows 2003 functional level domain.

In a Windows 2000 functional level domain, there is a single checkbox to allow delegation for this server. In a Windows 2003 functional level domain, the dialogue looks like the one below:

Configuring Delegation - Windows Server 2003 functional level domain

The first option (unconstrained delegation) corresponds to the single setting in a Windows 2000 functional level domain. Enabling this setting sets certain bit values in the AD UAC (userAccountControl) attribute for the server's computer account (typically it changes from 0x80 to 0x2080). Alternatively, you can configure "constrained" delegation. Constrained delegation permits the server to get a ticket only for the nominated services. It prevents the server from getting a ticket on behalf of the user to arbitrary services in your environment, which limits the damage in the event your server is ever compromised. Using this setting sets the msDS-AllowedToDelegateTo AD attribute for the computer account in question.

Constrained delegation makes available another option (Protocol Transition) - this is the option that is labelled "use any protocol". We'll deal with Protocol Transition, and its implications in another post in the series.

For our scenario, we'll configure constrained delegation to our backend SQL Server. Click the "Add" button, and browse for the relevant computer or user account (I am running SQL Server under LocalSystem, so I would browse for the machine account of the SQL Server). You'll be presented with a list of SPNs for that machine - add the SPN for the SQL Server service. If you are not familiar with SPNs, read Part 2 in this series.

There are a couple of "gotchas" with constrained delegation that you need to be aware of. Firstly, constrained delegation only works if the services are in the same domain. The end user (and their computer's machine account) can be in any domain (or indeed, even in another trusted Forest). However the web server and SQL server, and any other backend servers need to be in the same domain. Secondly, if one hop in the delegation chain uses constrained delegation, then all other subsequent hops in the chain must also use constrained delegation.
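
The delegation settings and the two gotchas above can be checked mechanically. The following is an added example, not code from the original post: it classifies each account's delegation mode from userAccountControl and msDS-AllowedToDelegateTo, then checks a delegation chain against the same-domain and all-subsequent-hops-constrained rules. The host names, domain, record layout and function names are assumptions; the flag values are Microsoft's documented userAccountControl bits.

```python
# Added example: audit a delegation chain from exported AD attributes.
# Flag values are Microsoft's documented userAccountControl bits.
TRUSTED_FOR_DELEGATION = 0x80000            # unconstrained delegation
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # "use any protocol" (Protocol Transition)

def delegation_mode(account):
    """Classify one account from userAccountControl and msDS-AllowedToDelegateTo."""
    if account["uac"] & TRUSTED_FOR_DELEGATION:
        return "unconstrained"
    if account.get("allowed_to_delegate_to"):
        if account["uac"] & TRUSTED_TO_AUTH_FOR_DELEGATION:
            return "constrained+protocol-transition"
        return "constrained"
    return "none"

def audit_chain(hops):
    """hops: front-to-back list of service accounts; the last hop is the final
    backend and does not delegate. Returns a list of findings (empty = OK)."""
    findings = []
    seen_constrained = False
    for cur, nxt in zip(hops, hops[1:]):
        mode = delegation_mode(cur)
        if mode == "none":
            findings.append(f"{cur['name']}: not trusted for delegation to {nxt['spn']}")
        elif mode == "unconstrained":
            findings.append(f"{cur['name']}: unconstrained, can obtain tickets to any service")
            if seen_constrained:
                findings.append(f"{cur['name']}: follows a constrained hop, must be constrained too")
        else:
            seen_constrained = True
            # SPNs are compared case-insensitively.
            allowed = {s.lower() for s in cur["allowed_to_delegate_to"]}
            if nxt["spn"].lower() not in allowed:
                findings.append(f"{cur['name']}: {nxt['spn']} missing from msDS-AllowedToDelegateTo")
            if cur["domain"].lower() != nxt["domain"].lower():
                findings.append(f"{cur['name']}: {nxt['name']} is in another domain")
    return findings

# Constructed sample data (hypothetical hosts and domain).
WEB = {"name": "WEB01$", "domain": "corp.example", "spn": "HTTP/web01.corp.example",
       "uac": 0x1000, "allowed_to_delegate_to": ["MSSQLSvc/sql01.corp.example:1433"]}
SQL = {"name": "SQL01$", "domain": "corp.example", "spn": "MSSQLSvc/sql01.corp.example:1433",
       "uac": 0x1000, "allowed_to_delegate_to": []}

if __name__ == "__main__":
    print(audit_chain([WEB, SQL]) or "chain OK")
```

Any "unconstrained" finding is worth reviewing on its own, since that account is not limited to the nominated services.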
