Hello, Jeff ‘the dude’ Stokes back with a post to help you fully utilize that BYOD experience. That of course would be the Windows Surface RT and Windows Surface 2 tablets. They have a place and that place is Modern Apps. But what about legacy x86 apps you say? You can run those too via RemoteApp, and as Montell Jordan would say…this is how we do it.

How does one enable a mobile workforce with affordable devices and simple to construct backend environments, one might ask? This post is a primer, a guide for a proof of concept, a tantalizing tale of tranquil steps aka a guide for you to set this up in a test lab. So read and learn as the dude guides you through this step by step. A lab we will build, a proof of concept Remote Desktop Services node, with Remote Applications. If you don’t have a Windows RT Tablet, fear not, you can reproduce the steps in a Windows 8.1 VM as well.

Installing the RDS Server

1. Install Windows Server 2012. Run Windows Updates. Pick everything. Install. Reboot. Do the normal stuff (time zone, name, domain join, etc.).

2. Enable the RDS Role. This is an easy step, but an important one. It goes a little something like this:

3. We add a role and feature, through the wizard of course!

4. and then hit next. For our lab/proof of concept/playground, we just pick “Quick Start”.

5. This is not a VDI Post (nor a Love Song) so pick Session-based desktop deployment.

6. And then we need to of course verify we are installing this role and feature set on PICKLE! Well, that’s my name for the demo, you picked your own I’m sure for your lab. I also named my lab based on the movie I watched most recently...

7. No funky rights needed here, because the wizard is going to take care of it for us! That’s something the PG did an awesome job on. Standing up a (simple) VDI or RDS setup is quite easy in this wizard, kudos to them!

8. Check the box for “restart automatically if required” and click “deploy” and away we go…

It’ll reboot and then continue in progress…if you run into issues the event log is a good place to start, but I haven’t had a wizard deployment fail yet myself.

9. You’ll know it’s done when you can see this screen. Do note, the bottom, where it tells you the link to access your RDS farm. You can click it right there in the Wizard. You’ll also need it later if you want to test connectivity with other folks, etc.

10. By the way, normally you’d need licensing, etc setup. I’m not really wanting to get into licensing in this post though, sorry. After all, this is a proof of concept. So instead I get this:

Note: Configuring RDS for High Availability, Security, Internet-Facing Gateways, etc, is beyond the scope of this guide. Thank you.

11. Now that PICKLE has the role we can go into the management console for it. See the green plus signs? We can click those and easily add a server for that role. It is quite a slick setup really. A RD Gateway is mainly used to publish RDS apps to the Internet, Extranet or Intranet, so we don’t get into that with this post either. Again, simple, easy setup here.

12. Note that almost everything is wizard based or guided setup. The only thing we need to do, well, we don’t HAVE to, but the only thing I’m going to do here is make sure my apps are published:

13. Note it made Domain Users the default user group for this demo. It also was kind enough to publish 3 apps…but how do we get to them on a Surface RT (or anything else for that matter)?

Connecting With a Domain Joined Client

Let us start simple. For our non-Surface/Mobility friends, I’ll first connect from a domain joined machine, a VM running Windows 7 x64 SP1.

1. The first time a user hits the logon page, they are prompted to run the ‘Microsoft Remote Desktop Services Web Access Connector’ add-in. That’s fine, it’s needed.

2. Then you simply logon to the webpage using a Domain User account and select if you want the browser to be able to save credentials (the radio button at the bottom):

3. After doing so a balloon will appear that notes you are connected to work resources. This should be a common sighting for you with this exercise.

4. And then your web page will look like this. It’s the default suite of applications, just to demo that the thing works for you. Nothing too harmful, nice easy apps. Any x86 app should work though from my experience.

5. Launch an app, and voila you get a prompt, awfully similar to the mstsc window….note the publisher is unknown because we haven’t trusted the certificate.

6. After you connect, you are running the app, but remotely, as the icon on the taskbar tells us… to exit out, simply click the X like you would any other window. Easy enough right?

Connecting With a Surface RT/Surface 2

Ok so great. We’ve got remoteapp working. How does mobility come into this, specifically whats the angle on Windows Surface RT? Well, the limitation (or advantage) of RT is not running legacy x86 applications. But if you need long battery life + x86 legacy apps, publish the application in RDS and then connect from RT.

1, So logon to a Windows RT (or if you don’t have an RT tablet yet, a non-domain joined Windows 8.x x86/x64 install can be used here) and install from the store, the RDC app!

2. Now that you have it installed, there is a work around needed to trust the server (you don’t have a domain join so the client doesn’t know who pickle is). So open Internet Explorer and go to the IIS address, and download the certificate so you can install it on the machines’ certificate store:

3. Warning, danger Will Robinson! Untrusted Cert (No, for a demo/poc, I did not get a real SSL cert)

4. Go to view the certificate and on details, download it by copying it to a file.

5. Pick the top option as seen below:

6. I then save it somewhere easy to recall, in this case, on the desktop.

7. And viola, we’ve exported the cert successfully.

8. Now we run the command certutil –f –urlfetch –verify “cert.cer” > certverify.txt and we can see the URL is correct, should work, etc, in the text file.

9. Here is the results, we can see the cert info, looks good to me (I am not a cert guy, but bear with me, if you have to troubleshoot certificates, this is a way to do it).

10. Now, install the certificate. Just right click the .cer file and select “Install Certificate”.

11. Here is a certificate import wizard, remember! Local machine here folks. Not Current User.

12. Now, don’t let it guess, place the certificate into the “Trusted Root Certification Authorities” store.

13. Tada! Its done.

14. Now launch the Modern RDC client!

You place the web site name of your RDS farm into the modern app:

15. Then you are prompted for credentials (recall you aren’t domain joined here):

16. At which point you connect and get this!

17. So you click the OK button and are rewarded with a selection of awesome apps! The same list as we saw in the website right, on the desktop? Click an app you want to run.

We’re now running Calc remotely in RT/8.x non-domain joined from our Server in a RDS session. YAY!

Conclusion

So, one might ask, ‘Dude, I followed all these steps, and I see this, but why? What for? How? Huh?’ I’ll tell you, we just stood up a proof of concept RDS farm, we connected from non-domain joined assets securely to domain apps (in this case, Calc…which can calculate gas mileage did you know?!)

Now some have been awfully critical of the RT OS, saying it can’t run x86 / x64 applications so what’s the point. The point is a new model of application design, Modern Apps. But if you have an application, a legacy application, that you need to run, and you want longer battery life and a thin device and touch and all that, you can still run your legacy app provided you have some network connectivity. That’s not a bad deal in my opinion.

Some follow on questions. What about a real PKI solution? The dude is not a PKI guy, but yes, you could do the same and trust the CA I imagine. Or a real SSL cert. You would still have to import a certificate in any situation. Does Intune do this? Looks like it does. See http://technet.microsoft.com/en-us/library/jj884158.aspx for more information.

What about licensing, can we do this without paying more? We look to need RDS CALs for this, but check with a licensing specialist for your account. You may already own the licenses to roll this out and not even know it! See this for more information though. http://download.microsoft.com/download/3/D/4/3D42BDC2-6725-4B29-B75A-A5B04179958B/WindowsServerRDS_VLBrief.pdf

Jeff “I got 99 problems but legacy apps aren’t 1” Stokes.

Written by Dan Cuomo & Scott Simkins | Microsoft Platforms Premier Field Engineers and 1^st Time AskPFEPlat Bloggers

Hi Fellow IT Pros,

All too often we hear a common phrase from our customers, “I need to get spun up on…” IT professionals often struggle to keep up with, or try to stay ahead of, the ever evolving trends to keep their environments and careers healthy. Training budgets are shrinking and sending staff to brick-and-mortar training facilities to digest an enormous stream of information within a brief period of days could deplete an entire training budget very quickly. In addition, it is also difficult (and sometimes nearly impossible) for many to schedule time to attend a class during their normal work week. The good news is that there is an increasingly available wealth of high quality, on-demand, training options. Many of the options we mention here are completely free while the others can be obtained through our Premier and/or MSDN offerings which we will discuss as well.

One of our goals as Microsoft Premier Field Engineers (PFE) is to help make all the offerings more widely known by educating people on where to educate themselves. We understand that, sometimes, it is difficult to know where to begin. We also know that lots of folks want to be hands-on, see more demos, deep-dive on specific topics, learn from experts, and have access to lab systems they can configure for their own training needs without emptying their wallets to do so. That is why we are trying to be vigilant about spreading the word and letting as many people know about the robust set of learning options that they can begin accessing today, so long as they have a PC, an internet connection, and a desire to learn. No matter what your preferred learning style, this article has something for you. So, let’s get started!

Microsoft Virtual Academy

One of our personal favorites is the Microsoft Virtual Academy (MVA). This site provides high quality, expert training from Microsoft employees like our own Microsoft PFE, Milad Aslaner, (shown in the image below) and partners to include a variety of technologies from Windows 8 Deployment to Windows Phone Development. The majority of this training is provided through videos and live events and is typically accompanied by a transcript, documentation, and assessments at the end of each module. You can even create custom training plans to help you work through topics and track your progression. If you’re on-the-go and want to take a presentation with you, the site allows you to download content in a variety of formats and play them on a range of devices. MVA is a “provider” to degreed.com so you can update your micro-credentials once you’ve completed a course.

Here’s the best part… The MVA is completely free and requires only a Microsoft Live ID (also free) to access the content.

Channel 9

Channel 9 is another great resource for technical training. Channel 9 provides shows, blogs, forums, projects and information on upcoming and past events (like TechEd). This site is a great place to get up-to-date content on your preferred topics. It also allows for the download of content in a variety of formats. They even provide modern apps through the windows store for Channel 9 and the TechNet Edge show. According to their site, “Channel 9 is a community. We bring forward the people behind our products and connect them with those who use them.”

TechNet Virtual Labs

If you want to try out the technologies and see how to actually perform a task or work with the solutions, check out the TechNet Virtual Labs. The labs provide a risk-free virtual environment for testing purposes. Typically, you can complete each lab in 90 to 120 minutes and there is no complex setup or installation required. When the labs open up, they include a detailed lab guide. Best of all, there’s no limit to the amount of attempts for the lab and you don’t have to tear-down and rebuild your own systems. Instead, you can tear-down ours. We recycle, so go for it!

Azure Benefits

Azure is cool…really cool. We are talking “almost as cool as a ninja,” folks…almost. If you want to give it a go, you can try it for a month, for free. Of course, you should probably do a little reading prior to starting the trial so you can get the most out of it. So, we recommend you start out in the Documentation Center. If you’re looking for the offline version of Azure, get your documentation here –> Azure Pack.

But wait, there’s more! If you’re an MSDN subscriber you most likely have free Windows Azure credits as part of your subscription that are reloaded each month while your subscription lasts. In order to take advantage of this benefit for MSDN, you just need to activate it through your account settings under the MSDN subscription section. If you’re tossing and turning at night trying to figure out which version of MSDN to purchase, you should check the Compare the MSDN benefits page to see how many credits come with each subscription level.

Education as a Service (EaaS)

Suppose one of your New Year’s resolutions was to “NYR 173: Eliminate scheduling headaches.” Problem is, your calendar typically looks like a multi-colored wall of unavailability. Enter Education as a Service which is one of the numerous benefits available to Premier Customers as an on-demand portfolio of training courses. It’s a library of on-demand videos featuring Microsoft Engineers who are subject matter experts in their field. They discuss and teach a range of IT technical subjects designed to increase your IT staffs depth and breadth of knowledge. If you’re interested in adding this to your Premier contract, please speak to your Microsoft Technical Account Manager (TAM) who can arrange your subscription to our library of content. Instead of bringing a trainer to you, this training is available remotely and at the convenience of each of your colleagues. Go ahead and check the box next to #173.

Chalk-Talks and Brown Bags

Chalk-Talks and Brown Bags sessions are a great way to get personalized instruction on a topic of your choice. If you’re a Premier customer and are able to find time for a group from your team to attend some onsite training, a Microsoft Premier Field Engineer (PFE) can come to you to provide instruction in a variety of settings and formats. For example, one of our joint customers decided they wanted a bi-weekly, hour long session of custom PowerShell “brown-bags” delivered over Lync with screen sharing. If you’re interested in finding out more about what’s available and have a Premier contract, please speak with your Microsoft TAM.

Supplementary Learning Materials

There are a variety of other great learning materials out there too. Most of you are probably aware that Microsoft Press creates books and references for different skill levels across the range of technologies. Did you know that they also provide a gallery of free eBooks and a blog to keep everyone updated on the latest info? Speaking of blogs, there are numerous technology blogs led by Microsoft employees in their respective fields. Ask DS (Directory Services), SQL Team and MVP, System Center Team Blog, Windows Blog, and of course, our own Ask PFE Plat(Platforms) are a small list of the variety of other blogs available. For an additional list of Microsoft Team Blogs, check here.

For those of you who would either want to share some of your knowledge or troubleshoot some of your more challenging issues, check out the TechNet Forums.

If you’re looking for a topical launching point for some our key technologies, look no further than the Survival Guides. Using the survival guides can be far simpler than searching the internet and provides a means of finding what you need on a topic, especially if you don’t know exactly what you’re seeking. You might even find related information to pique your interest and lead you down an educational journey.

Another trove of knowledge can be found in the Infrastructure Planning and Design Guides. This series helps to clarify and streamline the design process for a variety of technologies.

Whether you’re building applications for the desktop, the Web, the cloud, or for mobile devices, MSDN Magazine provides up-to-the-minute, comprehensive coverage of Microsoft technologies. MSDN Magazine connects you with the industry’s leading voices on establishing practical solutions to real-world problems. You can still get a physical copy or “go-green” like us and our virtual labs.

In addition, MSDN and TechNet both provide a “flash newsletter” that can be customized to your liking.

TechNet Flash: The biweekly newsletter delivers the latest alerts of new resources to help you be more successful with Microsoft products and technologies. When you subscribe, or if you already receive TechNet Flash, you can customize your own version to receive the information that's most important to you.
MSDN Flash: MSDN Flash delivers critical developer news to you in one information-dense, compact newsletter. Stay up to date with the latest development news from Microsoft by subscribing today. Learn about the latest resources, SDKs, downloads, partner offers, security news, and national and local developer events. Every other week you'll get an email containing pointers to all of the new articles, samples, and headlines from MSDN Online, the MSDN Library, the Knowledge Base, the Developer Centers, and other Microsoft websites. In addition, look for announcements of Microsoft and industry events, training opportunities, chats, and webcasts

Finally, an oldie but goodie. Don’t forget about “the TechNet Library which contains technical documentation for IT professionals using Microsoft products, tools, and technologies.” One of my favorite features of TechNet (and a golden nugget for all those who made it to the end of the post ;-) is the export capability. If you want to “organize a custom set of articles with only the information you really want” check out J.C. Hornbeck’s article. You can export this custom set of articles in translated or its original language, specify the example code language (for example, PowerShell, HTML, C#, etc.), and create and title relevant chapters.

Summary

No matter what your technology, there is an à la carte menu of training options that is waiting to be consumed. We encourage you to tell your co-workers about them, talk about them with your friends, put up flyers, or share a link to this blog, so your pals can see for themselves. Thanks for reading.

-Dan Cuomo & Scott Simkins

Hi everyone Randolph (Randy) Reyes with another SBSL blog post. In this particular engagement we were able to be more proactive, our job was to check and verified a Windows 7 image prior of mass deployment all around the world.

When arriving onsite we notice that 1,000 Windows 7 machines were already deployed and 7,000 are schedule in 3 weeks.

So let’s get to it.

The Before

PreSMSS	SMSSInit	WinlogonInit	ExplorerInit	Post Boot
3.037	8.067	144.139	17.896	74.000

Boot to Post Boot Activity ended: 247 Seconds and 539 Milliseconds = 4 Minutes and 7 Seconds

Looking at this number definitely our boot time is not with in good values using traditional hard-drive (non-SSD).

What’s consider good value?

Here is an article previously posted with those values. “Becoming an Xperf Xpert Part 7: Slow Profile Load and Our Very First Stack Walk”

http://blogs.technet.com/b/askpfeplat/archive/2014/02/03/becoming-an-xperf-xpert-part-7-slow-profile-load-and-our-very-first-stack-walk.aspx

The major delay in the boot trace can be identified in the Winlogon Phase. Many operations occur in parallel during WinLogonInit. On many systems, this subphase is CPU bound and has large I/O demands. Services like PnP and Power, network subsystem, Computer and User Group Policy processing, CAD (CTRL+ALT+DEL) screen and credentials delay. Good citizenship from the services that start in this phase is critical for optimized boot times.

After adding the graph for Boot Phases and also Generic Event we can see that most of the Winlogon Initiation Phase time is been consume by the Subscriber Profiles under the Microsoft-Windows-Winlogon provider. In the picture below we can see when the Subscriber Profile started at 30.772 and ended at 154.169 of the trace.

Before jumping into any conclusion of why Profiles are taking too long to load, I decided to look all the different Graph’s that Windows Performance Toolkit provide to us.

The graph that caught my eye is Services. So let’s add the Services to the analysis view.

Choosing to highlight the start and stop time of Profiles we can see a service call SVCHost32.exe starting before Profiles. Looks like Profiles initiation is been extended by the Service SVCHost32.exe.

Services = Services can declare dependencies or use load order groups to ensure that they start in a specific order. Windows processes load order groups in serial order. Service initialization delays in an early load order group block subsequent load order groups and can possibly block the boot process.

Long delays during any service initialization can increase the time that the boot transition requires. If you can do so, set services to demand start or trigger start. Demand-start and trigger-start services start after the boot process is complete and therefore reduce overall boot time.

Important reminder services “300 or less milliseconds should take to initialize”

After adding the graph for Boot Phases and also Services “Display Graph and Table” we can see that the service SVCHost.32.exe started at 28.350 and ended 125.809 in the trace.

Wow that’s a long time for a service to initialize, it should only take around 300 Milliseconds. If we add the Service Initiation time and Container Initiation Time we get 97.458 (1 Minute and 37 Seconds)

I know what you are thinking, this is a critical service for the company and no matter what we need to leave it alone. :) Here is a conversation I had.

Randy: Why is this service taking this long? Do you know what software is using this service?

Customer: Yes, this is an internal application that needs to be in every system in the environment

Randy: What is this software supposed to do? Is the software needed when user is booting or do we use it after the user logs in?

Customer: (Thinking) Honestly not sure I will need to ask the programmers.

15 Minutes later…..

Customer: The software scans user data that is copied to the file servers and the version installed in the image is including a new update. The system didn’t take this long before this update was deployed.

Randy: Sounds like this service is not necessary to start at boot time and also we need to check if the update is the cause of this long delay in the service.

At this point for testing purposes we open the Services Microsoft Management Console, searched for the service SVCHost.exe and changed the Startup Type from Automatic to (Automatic Delayed Start)

The Fixes

Step 1 = Startup Type from Automatic to (Automatic Delayed Start)

The After

Boot to Post Boot Activity end: 68 Seconds and 004 Milliseconds = 1 Minutes and 8 Seconds

(Note: In this particular engagement we still have other areas that will improve boot time in this particular systems but those will be posted in another blog post.)

At the end of this engagement I was really happy! Not only because we shorted the boot time in the systems, but also because I got an e-mail from the company programmer two days later.

Programmer: Thank you so much for the work you did. After your visit and the recommendations in the SVCHost.exe service, we detected a bug in the application. At this moment the bug is fixed and service is no longer affecting boot time our systems.

Before

1,000 Computers x 4 minutes and 4 seconds= 4,000 minutes every working day

Potential full environment

7,000 Computer x 4 minutes and 4 seconds = 28,000 minutes every working day

After

1,000 Computer x 1 minute and 8 seconds = 1,000 minutes every working day

Pre-notes

ALL PUBLIC IP ADDRESSES HERE ARE JUST NUMERIC VALUES and are only included to help illustrate the steps and components of this walk-through
Azure costs can add up
- I did this all via credits included w/ my MSDN subscription
- Review the free trial details below - be sure to watch how you setup the trial so you don't automatically roll over into an unexpected credit card bill
  - https://www.windowsazure.com/en-us/pricing/free-trial/
- Check out the Azure pricing calculator and have a look at the 'sliders' for estimating charges in Azure - http://www.windowsazure.com/en-us/pricing/calculator/?scenario=full
- Generally, Azure charges for data going out of Azure (egress), but not data coming into Azure (ingress) – keep that in mind
  - Virtual Networks charge per hour for data egress (per the calculator above):
    - "Setting up a Virtual Network is free of charge. However, we do charge for the VPN gateway that connects to on-premises. This charge is based on the amount of time that connection is provisioned and available."

Worksheet

On-prem RRAS Router – public IP Address (VPN Device IP Address entered in the Azure Local Network setup): _ 23.23.23.22 __

On-prem RRAS Router – private IP Address (used as the gateway for on-prem systems): __ 192.168.0.20 ___

On-prem IP Address Spaces (and added to AD Sites): _____ 192.168.0.1/24 _______

On-prem DC/DNS Server name and IP Address (as will be entered in the Azure Local Network setup): _192.168.0.22 : ONPREM-DC-01 ___

On-prem AD Site name: __ ONPREM __

Site Link name, cost and replication interval/schedule: _OnPrem-Azure : 100/15 min_

Azure Local Network Name: __OnPrem-PNet-192Dot___

Azure Virtual Network Name: __Azure-VNet-01__

Azure Virtual Network IP Address Space(s) and Subnet Name(s): __10.10.10.0/27 : Subnet-1 __

Azure Virtual Network Gateway IP Subnet: _10.10.10.32/29 __

Azure Virtual Network Gateway IP Address: _ 23.23.23.23 _

Azure IaaS VM DC name(s) and IP Addresses (discovered after they rec'd IP from Azure DHCP): __AZURE-DC-01 : 10.10.10.4___

Azure AD Site name: __AZURE __

Azure AD IP Subnet(s): __10.0.0.0./24__

Now, on to the rest of the blog …

On most days, I have a typical home network with a cable modem, then a wireless router, and then PCs.

Before I started this work, I filed a change-control request with my family because they were going to suffer an 'enterprise-wide' Internet outage while I did this. I by-passed all of my typical home network gear for this lab and plugged one leg of a dual-homed physical server (2012 R2) directly into my cable modem and let it pull a public-facing IP. I did an IPCONFIG on the router/server and made a note in my worksheet of the public IP.

SECURITY NOTE– this act has some significant security implications and is NOT a recommended practice. This was an isolated learning experiment, though, and there was no other connectivity beyond these two transient physical systems.
NOTE - Azure Site to Site VPN connectivity requires a non-NAT'd public IP

Next, per my worksheet planning, I configured the private leg of my dual-homed physical server with a static IP address of 192.168.0.20 but left the gateway blank. With gateways, as with Highlanders, there can be only one.

I used the Windows 2012 R2 RRAS system ONLY as a router.
- Apart from RRAS configurations, I didn't RDP or perform other management tasks of the Azure or on-prem systems in my lab from this system
- I don't know enough about routing or routers to even know what sort of functional network connectivity I had/didn't have
- It was a headless, non-domain joined stand-alone system.

Before getting too far, I'll try to clarify some Azure terminology. The vocabulary is often my first stumbling block when I'm learning something new and Azure was no different.

What does Azure mean by 'Local Network?' What is a 'Gateway subnet?' What does a 'DNS Server' in an Azure Virtual Network refer to and what should I put in there? I heard Azure doesn't support static IP addressing – how do I assign IPs to my systems? How do I define other NIC settings for Azure-based VMs? Can I use WINS? No, you can't use WINS. J

Allow me to try to simplify/clarify/paraphrase:

An Azure Virtual Network consists of numerous settings, including DNS Server(s), Local Network(s), VPN settings and TCP/IP v4 address space(s). I think of an Azure Virtual Network as a sort of 'branch office network' in my mind.

Create a Virtual Network

Let's go through and cover each section of creating a Virtual Network in Azure, starting with DNS Servers.

Figure 2: Getting started with Azure Virtual Network "DNS SERVERS"

DNS SERVERS

In order for effective and fault-tolerant name resolution to work between on-prem systems and Azure IaaS VMs, you should define multiple DNS servers within your Azure Virtual Network:
- Local, on-prem DC/DNS server(s)
  - You should already know what their names and IPs are (per the planning worksheet above)
- Remote, Azure-based DC/DNS servers that are in your Azure Virtual Network
  - Once you create Azure-based VM DC/DNS server(s), they'll get an IP from Azure DHCP. After that, you can edit the DNS server list in the Azure Virtual Network, adding them in as needed.
  - The IaaS VMs only process newly added/removed DNS servers to their vNIC settings upon re/boot of the VM.
  - Failure to include one or more Azure-based DC/DNS servers may (likely will) impactname resolution for your Azure-based systems if/when the VPN isn't connected/working
Don't worry if you can't connect to these at the moment – these are just part of the 'definition' of the Virtual Network
NOTE - Azure IaaS VMs do not support static IP addressesbut they DO support 'persistent' IP addresses (think "an Azure-based DHCP reservation" - which last as long as the VM is provisioned)
- However, all that persists is the IP address. Other TCP/IP settings directly assigned to the vNIC will not persist – which is why you must define your DNS servers within the Azure Virtual Network
Why is this unique DNS server definition needed? A good question.
- One reason is VM servicing and portability in Azure. There can be cases where your VM is torn down and re-assembled from the VHD file. When that happens, the vNIC from the original VM is gone (along with its TCP/IP settings) and a new vNIC is plug'n'play'd into the new VM.
- When that new VM comes up, the new vNIC doesn't have any awareness of the prior vNIC settings. Azure automation assigns your new vNIC the same IP you had before and it sets the DNS server values you've defined here on the new vNIC.
- If you want more detail on this, have a look here: http://msdn.microsoft.com/en-us/library/windowsazure/jj156088.aspx#bkmk_BYODNS
I used a naming standard which matches the AD computer account names for my DNS server entries – i.e. "OnPrem-DC-01"

Figure 3: Register a DNS SERVER in the Virtual Network Wizard

Figure 4: On-prem DNS Servers are defined. I can edit this list later and add in my IaaS DC/DNS servers and IP addresses to provide DNS local to the Azure Virtual Network for fault tolerance in the event the VPN has issues. You can add up to 9 entries here.

LOCAL NETWORK

An Azure Local Network is an Azure-based reference to your on-prem IPv4 address space and is used to automagically create routing rules from Azure to the "on-prem side" of the VPN.
The ADD A LOCAL NETWORK wizard begins with a field for a name for your local network in Azure. Choose a descriptive name from your naming standard (I called mine "OnPrem-PNet-192Dot")
- As with anything in IT, give some thorough considerations to your naming standards/conventions for various Azure elements
The Local Network definition also includes the public IP of your on-prem VPN end-point/router/server
- It is called the "VPN DEVICE IP ADDRESS" in the Azure UI
- In my example, per my worksheet, this is my imaginary value - 23.23.23.22
Next, you get to enter an address space(s) for your local on-prem IPv4 network(s)
- In my example, per my worksheet, this is the 192.168.0.1/24 address space.
There you have it - a 'Local Network' in Azure

Figure 5: Add a LOCAL NETWORK

Figure 6: Local Network details

Figure 7: Specify the on-prem network address space(s)

Figure 8: An Azure Local Network has been defined

VIRTUAL NETWORK

A Virtual Network in Azure combines the other elements discussed above (DNS Servers and a Local Network) with a few other settings and establishes an IPv4 network for your use in Azure-land
As with the Local Network above, enter a descriptive name based on a consistent naming standard for your Azure Virtual Networks
- I called mine "Azure-VNet-01"
Check the box to enable "site-to-site VPN" and select the Local Network you defined/created above from the drop-down list
You assign the Virtual Network a non-routable (private) IPv4 address space.
- Click the "Starting IP" drop-down and notice this can ONLY be a 10., 192. or 172. address space.
- Then, you create one or more subnets within that address space and give the subnet a name
  - I used 10.10.10.0/27 and called it "Subnet-1" (these were defaults on this page)
  - This is where VMs that you create in Azure will live and be DHCP'd via automatic Azure mechanisms (including the DNS servers you defined above).
- The UI here won't let you over-lap with the on-prem address space that you defined (which makes sense if you think about basic TCP/IP networking)
Click the green "add gateway subnet" button to assign the Virtual Network a "gateway subnet" which is a small subnet which will automatically acquire a public-facing "gateway IP" (later, when you create the gateway)
- I used 10.10.10.32/29 for my gateway subnet and called it "gateway" (again, these were defaults on this page)
For more information about these Virtual Network settings and such, see this link to a great Azure doc
- http://msdn.microsoft.com/en-us/library/windowsazure/jj156074.aspx

Figure 9: Create a Virtual Network

Figure 10: Name the Virtual Network and create an Affinity Group in a regional Azure Datacenter

Figure 11: Add the DNS Servers you defined before, enable site-to-site connectivity, select the Local Network

Figure 12: Establish the Address Space, create a subnet within the Address Space and define the Gateway Subnet

Figure 13: Address space, subnet and gateway subnet review. The "Network Preview" graphic helped me visualize all the pieces.

Figure 14: An Azure Virtual Network has been created

Once my Local Network, DNS Servers and Virtual Network were all defined/created in the Azure portal, I clicked CREATE GATEWAY with Dynamic Routing (below).

Several minutes of "behind the scenes magic" happens up in Azure-land (about 10 minutes in my experiences).
This includes setting up static routes in the Azure Virtual Network so it can 'find a path' to the local, on-prem IP subnets (which were defined in the 'Local Network' portion of the Azure Virtual Network).

Figure 15: Create the Gateway – I chose Dynamic Routing

Figure 16: VPN Gateway is being created

Figure 17: VPN Gateway created but not yet connected (IP Address is for illustration purposes only)

Ta-da! The gateway was created (the blue GATEWAY in the graphic above) but note, it shows "DISCONNECTED" on the OnPrem side. Before the connection will work, I need to configure the on-prem Windows Server as a VPN RRAS router.

You can download a PowerShell script from the Azure portal that will set up the 2012/R2 RRAS aspects for you
Download the file onto the WS 2012 R2 router/server – note, it has a .CFG extension
Open it with Notepad and review it
- Notice the "plain text" passphrase/key for the connection – this is the equivalent of the 'password' for the VPN connection, as well as public IP addresses. Take care to secure this file.
I changed the extension of the file to .PS1 and then ran it from an elevated PowerShell console on the WS 2012 R2 router/server
- The script installed the Remote Access Role/Features/services and configured everything for me (including static routes to my Azure Virtual Network)
I opened up the RRAS console and reviewed the settings/statistics and noticed:
- The connection for the VPN showed as 'disconnected'
- The connection with the gateway IP showed just a few bytes of traffic
- A static route for the 10. subnet (the Azure Virtual Network address space I created) pointing to the gateway IP

After the Gateway has been successfully created and the WS 2012 R2 RRAS server is configured, I chose to CONNECT the Gateway

This also took a few minutes and I refreshed the portal a time or two before it hooked up and connected.

Figure 18: VPN is connected and data is passing. HOO-HAH!!

Once the Azure VPN gateway connected to my on-prem 2012 R2 VPN/router, I reviewed/refreshed the RRAS console again. At that point, it showed "Connected" with substantial incoming and outgoing traffic.

If you're following along at home and this is all working for you, congratulations!!

Trust me … this ain't no Little Feat (shout-out to one of my favorite bands)

Figure 19: VPN Interface "Connected"

Figure 20: Incoming and outgoing traffic

Figure 21: Static route settings

BONUS BLOG CONTENT

Once I connected my on-prem environment to Azure via VPN, I built out a replica DC on an Azure IaaS VM.

A few links with some GREAT content with much more detail for this:

I don't walk through each step of the VM build process here (it's really very simple) but notice the VM was created on the IP subnet in Azure that I created within the Azure Virtual Network back at the top of this post ("Subnet-1").

Figure 22: New VM attached to the 10.10.10.0 "Subnet-1" created in the Virtual Network above.

Once the VM was provisioned, I used the Azure Portal to connect to the new workgroup VM (below) …

Take a moment and think about this…

Within about an hour, I created an Internet-scalable Cloud-based extension to my on-prem network and spun up a licensed, patched WS 2012 R2 Server.
Does anyone else see that as magical, or is it just me?
Remember how long it used to take to get a subnet allocated, a physical server spec'd out, priced, budget-approved, ordered, shipped, built, racked, IP'd, OS built, and logged in? I recall MONTHS.
I just did it in about an hour. That, my friends, is the speed of cloud technology.

Since I had VPN connectivity at this point, I could have connected directly via RDP from an on-prem system using the VM's private IP address (which can be obtained from the Azure Portal):

Recall, when the IaaS VM re/boots, it picks up its "Azure reserved" IP address and the DNS servers I defined in the Azure Virtual Network.

Since the VM wasn't domain-joined yet, it wouldn't successfully register in my on-prem DNS yet so I was not able to resolve the Azure VM by name from my on-prem systems
However, DNS resolution was working from Azure back to on-prem and I was able to resolve my on-prem DNS records from the Azure VM.

With DNS working from the Azure VM to on-prem, I successfully joined the IaaS VM to the on-prem domain and rebooted it.

Do an IPCONFIG /ALL on the IaaS VM to view/verify/validate the desired DNS server settings
After the domain-join and reboot, I saw a dynamic registration for an A record in my on-prem DNS for my IaaS VM
- At this point, I had DNS resolution working in both directions and I could have used the FQDN to RDP to it from on-prem (or vice-versa)
Figure 23: DNS console showing the Azure IaaS VM successfully registered in DNS

It was really quite exciting to get this all set up and working ... but we ain't done yet!

Next, I added the AD DS Role to the IaaS VM and promoted it into AD as a replica DC in the HYBRID.LAB forest (my demo/lab).

Even though I didn't discuss it here, be sure to consider the issue of disk write-through caching and the use of a 'data disk' for your DC's DIT and SYSVOL
http://msdn.microsoft.com/en-us/library/windowsazure/jj156090.aspx#BKMK_PlaceDB

I had already created the proper AD Sites, Site Link and Subnets for my Azure world and my on-prem world in my lab AD forest configuration.

For an overview of these aspects of AD, see this link - http://technet.microsoft.com/en-us/library/cc754697.aspx

As a result of that pre-work, during the promotion wizard, I was able to choose the target AD Site for the new Azure-based DC, as well as select the on-prem DC for initial replication:

Figure 24: Selecting the destination AD Site (Azure) for the new Azure IaaS VM DC

Figure 25: Selecting the source DC (OnPrem-DC-01) for initial AD replication

After the DC promotion and reboot, I saw my shiny new DC up in Azure-land (AZURE-DC01):

Figure 26: AD Sites and Services Console showing the on-prem and Azure DCs, AD sites, subnets and Site Link

Figure 27: Active Directory Users and Computers Console showing both the on-prem and Azure IaaS DCs

Whew.

There are a lot of new concepts here. If you're struggling, give yourself a break ... take a deep breath; hum a tune; go chase some squirrels or something. Then come back to this - it took me more than just a bit of patience before it all clicked and I got the VPN dance to succeed.

Like I said at the outset, the Cloud is here; the time is now to start thinking about how Cloud technologies will fit into your IT career and the solutions you design/operate/support.

Thanks for reading and I hope you found it useful.

Cheers!

Hello all,

Jesse Esquivel here again with another post I hope you find useful. This post is a great complement to Jerry Devore's post on diagnosing a leak in non paged pool using event viewer, poolmon, and perfmon! Today I’m going to talk about analysis of a leak in paged pool kernel memory and the tools and methods used to diagnose and find root cause of the issue. A memory leak occurs when software (drivers) make kernel memory allocations and never free them, over time this can deplete kernel memory. Though paged pool depletion takes considerably more effort on an x64 based system it’s not impossible or unheard of for it to happen and cause a server to go down or into a hard hang state. Sometimes a low virtual memory condition can cause the operating system to become unstable and hang.

The Victim

The server we are looking at here is a virtual machine running 2008 R2 SP1. After about 90 hours or 4-5 days the server would become unresponsive, go into a hard hang state, and the services it was hosting would be unavailable necessitating a reboot to restore functionality. Rinse and repeat until doomsday. Like clockwork, this would happen every 5-7 days and the server would need to be rebooted again.

First things first. Since it’s in a hard hang state you actually can’t get into the server until after it was rebooted so the investigation started when the server wasn’t actually exhibiting the problem…yet. All we have to go on was the fact that the box would go belly up almost weekly like clockwork. Task Manager. A great place to start and get a very quick at a glance view of the health of the server. Having seen this strange behavior before I suspected a leak in kernel memory but alas we are not in the business of speculation. My suspicion zeroed me in on Kernel memory consumption, and handle count as seen here (this is just a shot of a random vm for reference):

I took note of the values for Kernel memory and the overall handle count of the system. Since everything appeared to be operating normally at the moment I decided to do some post mortem investigation. I reviewed the event logs around the time just before the server was rebooted. What I found was an entry in the System event log for Resource-Exhaustion Detector, event ID 2004. This indicated that the server was low on virtual memory (kernel) during the time it was in the hard hang state. This appears to back up my suspicion of an issue with Kernel memory on the box being depleted.

In a few hours I checked back with the server and saw that the paged pool kernel memory had increased, as well as the overall handle count for the system. To see what process has the highest handle count we can add the “Handles” column to task manager by clicking View | Select Columns and then sorting by it.

Lsass.exe had the most number of handles of any process, but was still a fairly low count. As a general rule of thumb, any process with a handle count higher than 10k should be investigated for a possible leak. I took note of the system time and the number of handles for lsass.exe. At this point we have a server with increasing paged pool consumption, increasing overall handle count, and Event ID 2004s in the system event log during the time the server was in a hard hang. These are all classic indicators of an issue with kernel memory depletion.

Now to find out what is consuming paged pool. There are two tools that we will use to analyze kernel memory consumption, Poolmon and Windows Performance Recorder.

Tools of the Trade

Poolmon

Poolmon is a tool that can be used to view kernel memory pools and their consumption. A great explanation of poolmon and how it works can be found here. In the aforementioned poolmon link, note the explanation on how pool tags work – a pool tag is a four-letter string that’s used to label the pool allocation and should be unique to each driver that is making the allocation (keep this in mind – more on this later). Poolmon is included in the Windows Driver Kit. Essentially using poolmon we can identify which pool tags are making the paged pool allocations and are not freeing them. Here is a sample screen shot of poolmon:

Windows Performance Recorder

The Windows Performance Recorder is part of the Windows Performance Toolkit whose latest version is available in the Windows 8.1 SDK. It’s a very powerful tool that can be used for performance analysis, debugging, and even for diagnosing memory leaks! Windows performance recorder takes event trace logs based on profiles. The pool usage profile can be used to log pool consumption in WPRUI:

Data gathering and Analysis

Now armed with poolmon and WPR, we can set the logging we need to investigate further. I set poolmon to continuously log on the server in question. Here is what the poolmon data would look like for this scenario at the start of the logging, we can see that the system has only been up for a few minutes, has an overall 25k handle count, and is at 120MB of paged pool consumption so all is well at the moment.

Now we wait for some time to pass as we log the increases in paged pool kernel memory. After some time while the server is still responsive I login and see the handle count for the lsass.exe process has increased steadily with the paged pool consumption, we’ll say it had ~26,000 when I checked it. Doomsday arrives and the server goes into a hard hang. It’s rebooted and we review the poolmon logs after it comes back up. After 89 hours uptime we have 64,592 handles on the system, and wait for it…we are at 2.9GB of paged pool consumption! Note the pool tag with the highest paged pool consumption is “Toke” with a note in the mapped driver column of “nt!se Token objects.” These are security token objects – which are created and managed by the lsass.exe process.

There is a lot going on here with this data, here’s how to make sense of the columns in Poolmon. We aren’t interested in legit allocations that are eventually freed, what we are interested in is outstanding allocations or allocations that have not yet been freed. The Diff column gives us exactly that, it tells us how many outstanding allocations we have, in this case 1,394,724 to be exact. The “Diff” column is actually the “Allocs” column minus the “Frees” column. So Alloc (127664567) – Frees (10771843) = Diff (1394724). For the Toke row, the Bytes column shows that this pool tag has consumed 2.3GB of paged pool. So of the 2.9GB total paged pool that is depleted on this system, 2.3GB of it are outstanding allocations made by the “Toke” pool tag.

The plot thickens

So now we know we have a problem with paged pool kernel memory depletion. We know that the Toke pool tag is the top consumer of paged pool. But why? We know that the lsass.exe process has a very large number of leaked handles. We can certainly draw the line and connect the Toke pool tag to the leaked handles in the lsass.exe process (since they are security token objects), but how can we verify this? Thanks to Mark Russinovich for creating the very useful handle.exe utility. Handle.exe will display all open handles for all processes on the system. As an example, if we run handle –s it will give us a count summary of all open handles, note the Token handles.

So let’s confirm that all of these leaked handles in lsass.exe are in fact for security token objects. Again we wait some time where we have enough leaked handles in lsass but the server is still operational in order to investigate. You can do a summary count by process with handle.exe, here it shows we have 24,238 handles in lsass.exe to security token objects:

We can also use handle.exe to dump all of the handles for the lsass process:

As you can see we have a large number of handles to security token objects which confirms what these leaked handles are for. So we have now confirmed the leaked handles in lsass are for security token objects, which match up to the Toke pool tag as the top consumer of paged pool. At this point we now need to find out why lsass is leaking so many handles for security token objects? Note the identity for the Token objects in the above screen shot, this is a domain service account for a third party software that runs under this identity. Turn off the software and the leak goes away. Is the third party the culprit? First instinct is yes it is, but there’s more than meets the eye here. This software is running against every server in the enterprise, but only this one leaks. This is enough to rule out the software for now and we keep digging.

Switch gears to Windows Performance Recorder

Since we have this powerful tool now in our arsenal we fire it up and begin logging pool usage with it. To start an ETW trace first we need to install the Windows Performance Toolkit on the server or optionally install it on another machine or workstation and copy the “C:\Program Files (x86)\Windows Kits\8.0\Windows Performance Toolkit\Redistributables” folder to the server and install the appropriate MSI file. Then we launch WPRUI as an administrator, click the pool usage profile, set the options like so and start logging:

Here is an excellent post on how to setup WPR to log pool and create custom profiles, in fact it’s the one I used to fire up the tracing! Now we wait for some time to pass as we log the increases in paged pool kernel memory. Since we are now armed with a lot more data and have confirmed there is a leak I stop the trace after about 20 minutes. The data is located in the location that you saved the ETL file:

Note: There are differences in the Save and Cancel button in WPRUI. The save button above actually saves the ETL but the trace continues to run. In order to actually stop the trace on the former screen above you need to click cancel.

We use the Windows Performance Analyzer (WPA) to view the data in the event trace log (ETL) file. You can copy the file off of the server to a machine that has internet access and load WPA to analyze it there. Be sure to click Trace | Load Symbols in order to view stack data. Please see the MSDN WPR blog post on how to configure symbols, your analysis machine will need internet access.

There is a lot going on in WPA when you open an ETL, and it can be overwhelming at times. It’s easy to get lost in the good amount of data in there! I’ve arranged my data according to the good folks over on the MSDN blog. Arranging your data in the table is key to analyzing it in WPA. In the graph explorer drag over the cumulative count by paged, Tag graph to the right pane for analysis. Everything that is important to you should be to the left of the gold bar in the table and in the order you want to sort it by. Here we have Type, Paged, Pool Tag, Stack, and size.

Couple of things here, first note the graphical representation of paged pool allocations – a steady increase that never drops. Now we start from the left inside the table. AIFO = Allocated Inside, Freed Outside – this is what we want, basically these are outstanding memory allocations that are never freed or are freed outside of the WPR trace. The leak is in paged pool so we move forward. Next column is Pool Tag, and thanks to poolmon we know it’s “Toke” so we key on that. The stack column is empty for some reason in this trace so we won’t be able to see the functions that are called to allocate pool (we’ll look at a different graph later). Then I added the size column, take note the highlighted size value of 1664. If you remember our poolmon data from earlier we know that the outstanding allocations are 1664 bytes:

So this data correlates to past behavior that we have seen with poolmon. Back to the WPA graph. Notice the count column and row 4. We have 6,189 outstanding allocations. Count column row 8 shows that we have 6,043 allocations at a size of 1664 bytes. Essentially the majority of the outstanding allocations are of size 1664 bytes, which indicates that these are likely the leaked security token objects. Let’s look at some more data in the analyzer pane. Expand the System Activity collection in the graph explorer pane on the left. Click on the “Stacks” graph and drag and drop it onto the right pane:

In the right pane at the top, click the “Display graph and table button:

In the middle pane just to the left of the gold bar right click and select the following columns: Provider Name, Process Name, Stack, Event Name, Count Pool: Allocate, Count Pool: Free, Version.

Now to the left of the gold bar arrange the columns in the following order starting from left to right: Provider Name, Process Name, Stack, Event Name, Count Pool: Allocate, Count Pool: Free, Version. Remember we want everything that is important to us to the left of the gold bar so that we can sort on it the way we like. This is a very important rule of using WPA and xperfview! So now we have everything arranged like so:

From the left we have Provider Name, Process Name, Stack, Event Name, and Count Pool: Allocate. We expand into the stack to find ntkrnlmp.exe!SepDuplicateToken and ntkrnlmp.exe!SepDuplicateToken <itself>, followed by 580 pool allocations in the event column. Walking down into the stack you see the vicious pattern repeating itself with no end in sight:

Indeed we can see that instead of re-using existing security token objects, a new one is created each time something is connecting to the machine. Correlating this with the data we’ve found from the dumping all of the lsass.exe handles we know that each time the service account authenticates to the server a new security token object is created, coupled with a frequent connection interval you can see how this can get out of hand quickly!

The Culprit

Lsass.exe binaries up to date. Check. Third party software up to date. Check. Increasing the third party software connection interval only puts off the inevitable. Third party software is agentless, it is merely authenticating to the box to gather information at an interval. We know that some driver is making these pool allocations, so we set out to review all software installed on the system, specifically asking questions about any security focused software since after all we have leaked token objects via lsass.exe. After talking with the administrators for a bit it was revealed they were running some security software. They turned off the software and the leak vanished, even with the high connection rate of the third party software. We engaged the vendor and provided the data to them. Don’t be afraid to engage other third party vendors and send them your ETL file so that they can take a look at it with their private symbols. They found the problem was in one of their drivers that was causing the leak and sometime later provided an updated driver. Due to the nature of these types of software’s it can be difficult to find the smoking gun or driver that is bringing the pain, surely to the untrained eye it looked like a leak in the lsass.exe process, especially since the Toke pool tag was the top consumer and ntkrnlmp.exe was making the pool allocations. So if debugging dumps is not your thing, there are plenty of tools to put in your arsenal to help you diagnose a pool memory leak. Having a diverse toolset can allow you to gather different types of data, correlate and re-enforce data points, and uncover things that you normally wouldn’t with just one tool. Using the right tools to uncover forensic data can sometimes lead you to the culprit without actually having to debug a dump!

Until next time!

Jesse "Hit-Man" Esquivel

Hey y’all Mark and Tom back after a small hiatus. We (well mostly Mark because this was his responsibility) got distracted by other things like “helping customers”, “the Olympics” and “I’m tired I’ll do it tomorrow, what’s on Netflix streaming?”. Hopefully so far you’ve followed along and have an ADFS server built and have a sample Web SSO so you can start messing around or if your manager asks, “learning” about ADFS. By now the security group has probably gotten wind of this experiment and come to you with “Hey man, these ADFS servers can make claims about anyone, they are just like a DC, no way we’re putting these in the DMZ.” Technically this person is correct. You will want to protect your ADFS servers the same way you protect a DC. If you wouldn’t put a DC in your DMZ (hint you probably shouldn’t) then same goes for ADFS. However you can now sit back and tell your security group “Don’t worry, we got an ADFS Proxy”.

Installing the ADFS Proxy Role

When you see how simple this is you will be ashamed it took me this long to write this post. You’ll have a machine that can be domain joined or doesn’t have to be as long as it can talk to the ADFS server on port 443. Since this is a test lab, I do have my ADFS Proxy joined to the domain. Start by click Add Roles and Features in Server Manager.

Click on Active Directory Federation Services

Accept all the requirements by click Add Features.

Select Federation Services Proxy and hit next.

You’ll then click finish let it install.

Configuring the SSL and DNS

The next thing you are going to need to do is put an SSL cert on your ADFSProxy. This SSL name should ALSO match the SSL cert on your ADFS server. This shouldn’t be too much of a shock when you think about what role it’s providing. For external users or applications that are external, they are going to resolve the same ADFS service name, in my case sts.markmorow.com and it will connect to the proxy instead of the internal ADFS server. Which brings us to DNS. It’s up to the administrator to configure the internal DNS servers to point at the internal ADFS server and the external DNS servers to point proxy.

This is the error message you’ll get if you thought you were slick and skipped that last paragraph about SSL and DNS.

Right click the default website, edit bindings, Add port 443 and select a certificate. For this lab you can use an internal cert as well but in the real world you will want to use a public cert.

After the SSL and DNS has been configured we are now ready to run the ADFS Proxy Configuration wizard.

It’s a pretty short wizard as you can see, click Next.

You’ll add the federation server you want to connect to, remember your DNS configuration from before so you should be pointing to the INTERNAL adfs server, for me that will be sts.markmorow.com. You’ll then enter your domain credentials to establish the trust.

Click Next

Alright you are done. The proxy is configured. A good way to “simulate” the proxy in a lab environment is to change your host file to resolve that name to the proxy instead of your internal adfs server. So after this post you should have a fully functional test lab that includes an ADFS server, ADFS Proxy and sample claims app. Don’t worry folks we are just getting started on this topic, if you have specific ADFS things you’d like to see covered or any comments let us know below.

Mark ‘didn’t even medal’ Morowczynski and Tom ‘coach’ Moser

Hi everyone Randolph (Randy) Reyes with another SBSL blog post. In this particular engagement we went onsite to deliver a workshop in how to utilize the Windows Performance Toolkit (XPERF) to detect slow boot and slow logon issues.

The Before

PreSMSS	SMSSInit	WinlogonInit	ExplorerInit	Post Boot
8.165	2.454	63.305	1.950	11.400

Boot to Post Boot Activity ended: 87 Seconds and 273 Milliseconds = 1 Minutes and 27 Seconds

If we expand this out for their main office of 3,000 Computers we get.

3,000 Computers x 1 minute and 30 seconds= 3,500 minutes every working day

Now you might be saying to yourself, 1 min and 27 seconds is not too bad. What if I told you it was a SSD (solid state drive)? Would you consider this to be an optimal value? I’ve discussed optimal times in a previous post, “Becoming an Xperf Xpert Part 7: Slow Profile Load and Our Very First Stack Walk”

http://blogs.technet.com/b/askpfeplat/archive/2014/02/03/becoming-an-xperf-xpert-part-7-slow-profile-load-and-our-very-first-stack-walk.aspx

Those values don't line up with what we expect to be seeing so its time get to the bottom of this.

First question you need to ask yourself. Why Profile is taking that long load?

Are we using Roaming Profiles or do we have a local profile in this Windows 7 System?

What’s going on with my Profiles?

To be able to understand what’s going on we need to turn into “Stack Walking”

We need to make note of the Process “Winlogon (732)” and Thread (760) so we can do wait analysis against this thread to see what is taking almost 33 seconds.

Also make sure to click in the Trace tab to Load Symbols, if you don’t load the symbols you will see the call stack recorded, but the details of what the code was executing will be hidden. (Call stacks will show DLL names followed by question marks).

Taking the process and thread information, we’ll use it in the “CPU Usage Precise” graph (based on Utilization by Process, Thread).

I recommend the order NewProcess, NewThreadID, NewThreadStack, Wait (us), ReadingProcess, ReadyingThreadID. SwitchInTime(s). These can be added or removed from the Line # menu.

After adding the graph “CPU Usage Precise” graph (based on Utilization by Process, Thread) we expanded process Winlogon (732) and inside this process we follow the thread (760)

In the Graph below we can see the CallNotificationSubscriber with a single call that took 33 seconds (Profiles)

Here we can see that Winlogon is waiting in Svchost.exe operations.

We can observe that the switching time in svchost.exe 696 was 68.002 seconds (exactly the time “Profiles” ended, so we are on the right track.

Using the same graph “CPU Usage Precise” graph (based on Utilization by Process, Thread) we expanded process svchost.exe (696) and inside this process we follow the thread (2812)

Remember we are looking for a delay in time of 33 seconds

Looks like we are waiting on some kind of network communication operation (rpcrt4.dll is the Remote Procedure Call (RPC) API, used by Windows applications for network and Internet communication).

Now, we need to follow the thread 1596, inside the svchost.exe (696).

Once we arrive to “Idle (0)” we are at the end of the stack.

Looks like the profsvc.dll (Provides User Profile Services service = Data and Components) waited 30 seconds for Network to be ready.

Now the big question is why profsvc.dll is waiting 30 seconds for network?

It could be that we were not able to contact a Domain Controller since this is a domain joined machine, we should.

When a machine is a domain joined, we depend on NLA to tell us whether it has domain connectivity or not so that we do not miss the opportunity to apply policy at boot or user logon even when the machine is connecting from home. When NLA cannot determine whether it has domain connectivity or not then we wait for ~30s to allow for network to come up.

The Fix

Step 1 = for testing purpose we connected system to LAN and system booted with in the expected values. (30 Sec less)

The After

Boot to Post Boot Activity end: 46 Seconds and 643 Milliseconds

(Note: In this particular engagement we still have other areas that will improve boot time in this particular systems but those will be posted in another blog.)

Before

3,000 Computers x 1 minute and 30 seconds= 3,500 minutes every working day

After

3,000 Computer x 46 seconds = Around 900 minutes every working day.

Pre-Reqs and High Level Process

You’ll want two machines set up both Server 2012 R2, one that is domain joined which will be the ADFS server and one that is not. This will be the Web Application Proxy (WAP) or what the ADFS Proxy has now become. We’ll get to this in a bit.

From the process standpoint we can break this down into a few key steps.

Export certificates from the current ADFS servers.
Export the configuration from the current ADFS servers.
Install ADFS 3.0 on the new server
Import the configuration on the ADFS 3.0 server
Install the Web Application Proxy (WAP) server
Test and make DNS changes to point to the new ADFS 3.0 infrastructure

Certificates on the ADFS Server

We first need to take a look at the different certificates we have. As we recall we have 3 certificates, the Service communication, the token-decrypting and the token-signing cert.

If you’ve been using our previous guides you’ll most likely have something as above. A service communication certificate from your PKI and 2 self-signed certs. We will now want to export out our Service communications cert. If you used a 3^rd party cert on any of the other certs, you’ll want to export those as well. Our lab is using self-signed.

To export the certificates open an MMC Console, Add Certificates, select Computer Account, Local Computer and Click Ok. It should look similar to this.

Next expand Personal, Certificates and right click the Certificate you want to export, pick All Tasks and select Export. Select next and should be at this screen.

You’ll want to confirm the “Yes, export the private key” check box is selected. If it’s greyed out and you are using an internal PKI it’s possible you requested the certificate without the option to allow the key to be exportable. This is why we have a test lab, people. Simply request a new cert, select the key to be exportable and set this new certificate as the SSL binding on the site as well as the Server Communication certificate. Don’t feel bad, the dates on my certs are different for the exact same reason.

Now click Next, set a password on the certificate to export and click Next.

Select an output directory and click Next.

Then click Finish. You should get this message.

(Hooray!)

Then go ahead and copy this over to your new ADFS 3.0 server. We’ll need this certificate in just a bit.

Exporting the ADFS Server Configuration

It’s time to back up our current ADFS server. You’ve probably wonder how do I do that. Well there is a built in PowerShell script on the 2012 R2 media. Simply go to \Support\ADFS and run the Export-FederationConfigration.ps1 –Path “Path to where you want it to go” and the script will take care of the rest. It also gives you some really important info you’ll need when you are setting up your new ADFS server, the farm name and the service account it’s going to be using.

ADFS 3.0 Install

This shouldn’t be too much of a surprise but you’ll go to Server Manager and Add Roles and Features wizard. You’ll want to select Active Directory Federation Services as shown below.

Then click Next on the features install.

Click Next on the ADFS screen.

Once it’s done you’ll need to configure the service. Server manager should indicate you still need to do this as seen below.

At this point you would be inclined to say oh I have an existing farm, I want to join this to the existing one. Sorry, it doesn’t work that way. What you will actually be doing is standing up a new ADFS 3.0 farm. Select “Create the first federation server in a federation server farm” and hit next.

If you aren’t logged in with an account that has Domain Admin privileges you will need to enter an account and then hit next for it to connect.

Now it’s time to get that certificate ready. Click the import button, browse to that certificate, put the password you set on it in and you should be good to go. Few things to also notice. Here is where you are going to set the name of the federation farm name and it should match what you exported from the old farm. Also note that we are setting up an SSL cert without any IIS. Let that sink in. Click Next.

Now it’s time to put in the service account you are running ADFS under. This was also told to you during that PowerShell export. Once you’ve got that in, hit Next.

Time to enter in what type of database we want to use. In the previous version our only choice was WID unless we wanted to do this whole install via PowerShell, where you were able to configure SQL Server. Now you can do either through the GUI. Since this is a test lab we are going to stick with WID. Click Next.

One last stop if we need to make any changes. We can also see how this would be configured via PowerShell by hitting the View script button. All looks good, let’s hit Next.

It will now do a pre-requisite check. If you get a pass, click Configure. If you didn’t, it’s time to troubleshoot. If you’ve been following along you should be ok.

This is what you should get when it’s completed. Looks good.

Ok so let’s take a second and make sure ADFS 3.0 is working as expected before we move on. To do that on the ADFS 3.0 server, open IE and go to https://localhost/adfs/ls/IdpInitiatedSignon.aspx.

If everything is working you should get a nice page like the following. You can ignore the cert error for now as well.

Import the ADFS Configuration

At this point we have a nice, brand new, clean ADFS 3.0 instance. That’s great but we don’t want to really set up all those relying party trusts. Time to import that previous export. Copy over that export folder to the ADFS 3.0 server. Much like a great magician, we show you that there is nothing in the Relying Party trusts other than the defaults.

Now let’s run that sister script, Import-FederationConfiguration.ps1 –Path “Where you put the export folder”. It’s located also in the 2012 R2 media under \Support\ADFS\. You should get something like that screen below.

And now your Relying Party trusts should look something like….

Bam! All that came over magically. Our lab is pretty simple but to see more of what you can export and import check out this TechNet article. At this point let’s take a step back and think about what we have going on. Currently all our DNS is pointing to the ADFS 2.1 infrastructure. We can update our host file on our test client to point at the new ADFS 3.0 infrastructure. Once we are convinced it’s all working we can move on but note we haven’t affected our ADFS 2.1 at all. It’s still exactly the way it was before we started on this.

Installing the Web Application Proxy (WAP)

The WAP has lots of great new features which are well beyond the scope of this post (told you the series will be long). Much like the ADFS proxy, we can domain join this or leave it in a workgroup. For this test lab, I’ll have mine domain joined. At this time we will want to export the certificate on the ADFS proxy and import it on to this WAP server before we get started. You would do this the same way described above for the export and just double click the certificate and follow the quick prompts to import it. Also much like the ADFS Proxy we will make sure DNS or using our host file points to the back end ADFS 3.0 server. Be careful if you are using DNS and are pointing to the ADFS 2.1 server. You want the WAP to point to the ADFS 3.0 not the 2.1 ADFS server. Make sense? Don’t worry you got this. Startup Server Manager and click Add Roles and Features Wizard and click “Remote Access”.

Hit Next at the features page.

At the Remote Access screen hit Next.

Add any features it needs for the install.

Now select Web Application Proxy and hit Next and finish the confirmation dialog box.

Once it’s all done you’ll need to do some quick configuration on the WAP to hook it up with ADFS. This should look familiar.

Now, just like the ADFS Proxy (notice how I keep stressing that), you’ll need to enter in the ADFS service name. This should be the name that is on the certificate you exported. We will want to make sure this name resolves to the ADFS 3.0 server as well. You’ll also need to enter some credentials for the ADFS server so it can complete the configuration. Once you’re done hit Next.

We are almost done; it’s a pretty short configuration process, similar to the ADFS Proxy. Select that certificate you exported and hit Next.

Take a last look and hit Configure.

At this point you are all set up. You can once again update your host file to point to this new ADFS WAP. You should get a screen much like this.

Notice DNS really controls who is hitting what. So we are able to completely test our ADFS 3.0 using host files to confirm it is working as expected before we make the big DNS changes to cut it over, big for a test lab, of courseJ. Update your DNS records to point to the correct ADFS servers and you should be all set. You just completed your very first ADFS upgrade.

Let us know in the comments of these post are helpful and what types of ADFS stuff you want to learn more about. Tom and a few of us got some ideas but we’d love to hear from you. Until next time.

Mark “was late to the Red Wedding” Morowczynski and Tom “knows nothing like Jon Snow” Moser

Welcome to Ask PFE Plat's coverage of the next chapter in Microsoft's on-going refinement of Windows. As with 8.1, we continue to evolve and improve the OS and last week, at the Build 2014 conference, we released "Windows 8.1 Update" to MSDN. On Tuesday, April 8th, the Update will be released to the Windows Update Catalog, Windows Update and WSUS channels.

Our prior post on the "dot 1" update to Windows 8 RTM from October of last year sparked great conversation – in fact, it was our most-commented post; we (PFEs and Microsoft as a whole) appreciate the feedback and discussion. Several of us have been chomping at the bit to bring you details of the changes coming with this Update. This is a "roundtable post" with discussion from myself (Michael Hildebrand), Jeff "The Dude" Stokes, Kyle Blagg, Mark Morowczynski and who can talk about Windows 8 without talking to Joao Botto?

Let's roll…

The Update, as we'll call it here, is actually a series of packages that install collectively and provide UI and functionality improvements (many geared towards keyboard/mouse users), a big IE feature-add as well as some heavy-lifting internal changes to Windows boot structures and memory/resource awareness and management. For additional information, check out the following:

This post will focus mostly on the UI changes - there may be future AskPFE Platforms posts that dive into some of the other aspects of the Update.

Before we get ahead of ourselves, let's cover a few heads-up/FAQ comments:

It will likely change your system's current behavior:
- For starters, unless the device is a tablet, a system with this update will boot to the desktop by default
  - You can still choose one way or another but I was surprised when I rebooted and was taken to my desktop instead of my Start screen
- See the chart further down in the post for a clear list of what default settings are changed and how
It does NOT include theStart menu that you may have seen/heard about at the recent Build conference. That is some exciting near-future stuff, which demonstrates our on-going commitment to deliver on customer feedback (such as your comments on this very blog)
It is defined as an "Important – Security update" in our Windows Updates framework
It is a cumulative update to Windows 8.1 that includes all previously released security and non-security updates
It is a required update to keep your Windows 8.1 device current
- See this blog for more details -http://blogs.windows.com/windows/b/springboard/archive/2013/10/18/windows-8-1-update-the-it-pro-perspective.aspx
Windows 8.1 is a prerequisite (vs Windows 8 RTM)
- Windows 8.1 media/WIMs/TechNet ISOs/Store bits/etc will be slipstreamed with this Update in the near term
KB2919442 is a pre-requisite update - released in March 2014 – you'll need this before 2919355 will be recognized
Additional info can be found in the KB – which obviously, you should read
- http://support.microsoft.com/kb/2919355
The Assessment and Deployment Kit (ADK) has been updated to accommodate the changes to Windows with this Update
- http://msdn.microsoft.com/library/windows/hardware/dn247001

To get the Update, make sure you are running Windows 8.1 and then hit Windows Update or the Windows Download Center.

Let's start with Start

Now that you have everything installed and your reboots are done, sign in and make your way to the Start screen. You'll notice a few things that folks have asked for:

Power
- Many of you have adapted with a variety of ways to turn off or reboot your PC, but now, there is a simple power UI on Start. Handy-dandy!
  - A quick note on 'Sleep' - Have you tried the 'Sleep' functionality recently? On prior generation devices, I never had much luck with Sleep. It seemed like it took longer to go to sleep than to shut my old laptop down, and resuming seemed to take longer than a full boot up. However, with the newer devices, SSDs and Windows 8, I find sleep a much-improved experience and very close to an 'instant on' solution that I prefer most of the time to a typical shutdown.
- However, on some devices you may not see the Power button. On devices that are not tablets like laptops, desktop PCs and All-in-Ones, the Power button should appear on the Start screen after installing the update. On most tablets you will not see the Power button on the Start screen as they have connected standby and a physical power button that lets you quickly shut down or put the device to sleep. However, on tablets larger than 8.5-inches without connected standby, you will see the Power button on the Start screen.
- For more information please see- http://blogs.windows.com/windows/b/windowsexperience/archive/2014/04/10/some-tips-and-tricks-for-using-the-windows-8-1-update.aspx
Search
- Again, many of you have likely learned to "just type" on the Start screen for searching but we've added a clickable Search icon that will 'fly-out' the Search box – this helps visual people like me. I often wondered where my typing was going in the early days of Win8.
If you're using a mouse, you can now right-click Tiles and get a familiar "context" style menu to manipulate them.

Some of the early Windows 8 feedback was that folks didn't like booting to the Start screen. With Windows 8.1, you could choose - boot to Desktop or boot to Start.

That flexibility remains unchanged in this Update but going forward, there are new defaults – as mentioned before, Windows 8.1 Update now boots to the desktop as the default unless the device is a tablet form factor.

There is a new group of Tiles that are added to a new user's Start screen for some of the more commonly-used settings/locations:

This PC (a.k.a. "My Computer")
PC Settings
Documents
Pictures

NOTE:

You will *NOT* see these added to your established Start screen – only new profiles get these
Windows RT users only get the "PC Settings" Tile

The Apps View

Let's review some of the changes that you'll find in relation to the Apps view.

First off, when you install a new application(s), now there is an indicator and count at the bottom of the Start screen.

Click the arrow or swipe-up into the Apps view. Those new Apps are highlighted and have a bright blue NEWnext to the title (this will go away once you click/open the new App).

The columns have been made wider and spacing increased to account for applications with longer names.

You can sort your Apps your way and now, clicking on the headings will zoom-out so you can jump through your installed applications quicker.

You can subtly shrink the icons in the Apps view to fit even more Apps into the screen, if you so desire:

From within the Apps view, bring up Settings > Tiles
Slide the "Show more apps in the Apps view" slider to Yes

This can be VERY helpful if you have a lot of Apps installed:

Desktop Changes and Integration with Modern Apps

Now that we've covered the Start screen and App view changes, let's flip to the Desktop and talk about some of the big changes there.

One recurring request for Windows 8 has been to facilitate a better "connection" between the Modern UI and Windows Store Apps with the traditional Desktop. In 8.1, the ability to show your Desktop background on the Start screen helped. This Update furthers the integration between the Desktop and Modern UI/Apps.

For starters, you likely already noticed the bright green icon in your Taskbar for the Store after installing the Update….

Yes, friends, you can now pin Store Apps to your Taskbar.

But wait - there's more! Not only can you pin Store Apps to the Taskbar; now, running Store Apps can show up on your Taskbar, just like a traditional Desktop App would.

You can see the App's thumbnail and operate any controls, such as skipping/pausing songs in the updated Xbox Music App, and close the App, too.

Cool?

If you'd rather not have Modern Apps taking up that precious real estate on your Taskbar, once again, we provide you the choice of configuration.

Right click the Taskbar and select Properties – you'll see the following new option (highlighted below) which you are free to select/deselect:

After the Update Before the Update (for comparison)

Another option to consider – drag your Taskbar up and make it 2x tall – you'll have more space for a bevy of Apps - Modern and/or traditional

Modern Apps get "minimize" and "close" buttons as part of this Update. I am still a frequent keyboard/mouse user and these two controls make multi-tasking among my open apps more intuitive with how I'm used to working.

In order to see these, hover the mouse pointer at the top of the App.

Also, there is a right-click context menu for splitting the running App across the right or left half of your Desktop (along the lines of the "snap" feature)

DUDE!? – where's my MINIMIZE?!

Depending on your settings, you may not see the "Minimize" option for Modern Apps.

Above, I showed how to configure Taskbar settings so Modern Apps are displayed on the Taskbar:

That checkbox also determines if you'll see the Minimize "bar" (checked) or not (unchecked) for a Modern App.

NOTE:

You'll get the close "X" button either way
You can pin Modern Apps to the Taskbar regardless, too

One more aspect of the tighter integration between the traditional Desktop and the Modern UI/Apps - the Taskbar can be brought up while using a Store App or on the Start screen.

When the "Show Windows Store apps on the taskbar" option is checked, drag your mouse downward along the very bottom of the screen. The Taskbar will slide up and you can use it to switch between Apps, access the Start button, etc.

You can see the Taskbar on the Start screen regardless of the "Show Store apps on the taskbar" setting

There are some additional changes to OS behavior that may catch you by surprise - here's a chart to help clarify:

	Default Behavior and Settings
Device Type	Before Windows 8.1 Update	After Windows 8.1 Update
Tablet	Boots to Start Screen Closing App takes user back to Start Screen Pictures, Music and Video files open with Modern App	Boots to Start Screen Closing App takes user to the previously used App. Pictures, Music and Video files open with Modern App
Non-tablet	Boots to Start Screen Closing App takes user back to Start Screen Pictures, Music and Video files open with Modern App	Boots to Desktop Closing App takes user to the previously used App. After closing all Apps the user ends in the Desktop Pictures, Music and Video files open with Desktop applications

App-specific Changes

The Update introduces changes to some of the in-box Apps such as:

Internet Explorer 11
- There are changes to both the Modern and Desktop versions
- A future post here will dive into the details of these changes
SkyDrive
- Updated throughout the OS to reflect the new name, OneDrive

---->

OneDrive has recently-enhanced features, such as manual Sync and Taskbar icons to provides the status of synchronization

Modern UI

We've added helpful additions to some of the Modern UI screens

Disk Space

Easily keep tabs on the amount space that your Apps take up and uninstall them right from here (click "See my app sizes")

Rename your PC and/or change domain membership with a tap or a click:

The WiFi 'fly-out' returns

A context menu provides convenient controls for managing WiFi network connections
This was removed in Windows 8.1

Touch and touch-keyboard:

"Tap and a half" is a new, more intuitive touch gesture for touch-pads - allowing you to tap twice but hold second-tap to highlight text or an object, and then drag and drop it.
Hide or bring up the touch keyboard:

Well folks, there you have it. Say hello to the Windows 8.1 Update.

Give it a go!

-Blog post updated with new information at 3:00 PM 4/10/14

– Five Merry Men (Mark Morowczynski, Kyle Blagg, Joao Botto, Jeff Stokes and Michael Hildebrand)

Introduction

Hi! My name is Richard Sasser, or Rick, as I prefer, and I’m a Microsoft Certified Master for Active Directory and I work on the Platforms DSE team. I do a lot of security related work, and consult frequently on Public Key Infrastructures and Authentication issues. I don’t blog as often as I should, but I’m trying to correct that – Shameless plugs here:

http://blogs.technet.com/b/rsasser/archive/2012/11/21/create-virtual-machines-quickly-using-mdghost-part-1.aspx

http://blogs.technet.com/b/askpfeplat/archive/2013/04/22/choosing-a-hash-and-encryption-algorithm-for-a-new-pki.aspx

Before you read this blog, you should be familiar with the contents of Ned Pyle’s blog here:

http://blogs.technet.com/b/askds/archive/2009/04/15/the-lastlogontimestamp-attribute-what-it-was-designed-for-and-how-it-works.aspx

Issue

I ran across an interesting scenario with LastLogonTimeStamp and in my research, I turned up manycases in our database, and I thought I would dig in.

Essentially, there is a situation where LastLogonTimeStamp can be updated even if the user has not logged on.

This is an artifact of a Kerberos Operation known as Service-for-User-to-Self or,“S4u2Self,” in which a client/service can request a ticket for a user that is only useful for things like determining Access Checks or Group Membership. This can cause confusion about the relative staleness of an account, in addition to other security concerns. Wouldn’t it be nice if you could discover the source of the request so you could address your security concerns and possibly remediate updating stale accounts?

Technical Details

S4u2Self is documented here:

http://msdn.microsoft.com/en-us/magazine/cc188757.aspx#S2

S4U2Self

The S4U solution in this case is for the server to go through the motions of Kerberos authentication and obtain a logon for the client, but without providing the client's credentials. Thus, you're not really authenticating the client in this case, only making the rounds to collect the group security identifiers (SIDs) for the client. To allow this to occur, Windows Server 2003 domain controllers accept a new type of Kerberos request, where the service requests a ticket from the client to itself, presenting its own credentials instead of the client's. This extension is called Service-for-User-to-Self (S4U2Self).

If the client and the service are in separate domains, this requires a bidirectional trust path between them because the service, acting on the client's behalf, must request tickets from the client's domain.

While the wire-level details are all rather complicated, the service developer need only call one function to start the ball rolling: LsaLogonUser. In spirit, this is similar to calling LogonUser as I have shown earlier, but without needing to provide the client's password. The result is a token that the service can use with functions like AccessCheck and CheckTokenMembership, as well as the new AuthZ family of authorization functions. This allows the service to perform access checks against security descriptors for objects that it manages.

To protect the client, LsaLogonUser normally returns a token with a special restriction. The token will have an impersonation level of Identify, which means that the service will not be able to open kernel objects while impersonating the client using this token. However, for services that are part of the trusted computing base (TCB)—for example, a service running as SYSTEM—LsaLogonUser will return a token with an impersonation level of Impersonate, allowing access to local kernel objects using the client's identity. This prevents an untrusted service from using an S4U2Self ticket to elevate its own local privileges.

You can test this by logging into a file server and performing an effective access check on a file. For example, right click a folder, select properties, select security, select Advanced and go to the effective access tab.

I’m going to focus on the “AccessCheck” function mentioned above - more information about it can be found here:

http://technet.microsoft.com/en-us/library/cc772184.aspx

This generates the appropriate S4U2Self conversation. This exchange is documented here:

http://msdn.microsoft.com/en-us/library/hh554517.aspx

1. Perform a Kerberos S4U2Self service ticket request using the S4U2self KRB_TGS_REQ/KRB_TGS_REP protocol extension as specified in [MS-SFU] section 3.1.5.1.1.1.

The userName MUST be set to the user name obtained in step 2.

The userRealm MUST be set to the domain name of the obtained in step 2.

The chksum MUST be set as specified in [MS-SFU] section 2.2.2.

The auth-package MUST be set to "Kerberos".

http://msdn.microsoft.com/en-us/library/cc246102.aspx

Using the TGT to the TGS in the user's realm, Service 1 requests a service ticket to itself. The S4U2self information in the KRB_TGS_REQ consists of: padata-type = PA-FOR-USER (ID 129), which consists of four fields:userName, userRealm, cksum, and auth-package. Service 1 sets these fields as follows: The userName is a structure consisting of a name type and a sequence of a name string (as specified in [RFC4120] section 6.2). The name type and name string fields are set to indicate the name of the user. The default name-type is NT_UNKNOWN. The userRealm is the realm of the user account. If the user 's realm name is unknown, Service 1 SHOULD use its own realm name. The auth-package field MUST be set to the string, "Kerberos". The auth-package field is not case-sensitive.

Let’s look at an illustration of this in action.

SCENARIO - I logged in to a machine as myself and then used the “Effective permissions” tab in Windows Explorer to generate an effective access token for a user named “Vic” for a file on the server.

While I’m doing that, I have a network trace running on the client.

· The pertinent details are visible via the following NetMon filter
“Kerberosv5.TgsReq.KdcReq.PaData.PaData.PaData.PaDataType.AsnInt==129”
· UserName – vic…
· Realm = RS…

And can be located in a trace with the following filter:

Kerberosv5.TgsReq.KdcReq.PaData.PaData.PaData.PaDataType.AsnInt==129

Tracking down the source of the S4u2Self Request:

Now that I am armed with the appropriate knowledge, it is time to start tracking this stuff down:

The first place to start is with the account’s metadata, so we can understand where last logon timestamp was updated. So let’s take my lab for an example where I’m going to pick on Vic’s account because he has not logged into my server in a while:

Repadmin /showobjmeta <DCNAME> <ObjectDN>

repadmin /showobjmeta localhost "CN=Vic,OU=Administrator Accounts,DC=ad,DC=r,DC=net”

This is Vic’s User account. One of the many ways we can see that Vic hasn’t logged in to my server in a long, long time is that the DSA for this AD Environment has been deleted. Also, attributes are showing a last update of 1/2012. (I have omitted much of the attributes for brevity’s sake). Note that LastLogonTimeStamp for Vic is old as well.

Loc.USN Originating DSA Org.USN Org.Time/Date Ver Attribute

======= =============== ========= ============= === =========

12463 Default-First-Site-Name\SUPERMASSIVE\0ADEL:6439a528-0957-48e0-b37d-426bf9ee446b (deleted DSA) 13746445 2012-01-18 17:20:34 3 unicodePwd

12463 Default-First-Site-Name\SUPERMASSIVE\0ADEL:6439a528-0957-48e0-b37d-426bf9ee446b (deleted DSA) 13746445 2012-01-18 17:20:34 3 ntPwdHistory

12463 Default-First-Site-Name\SUPERMASSIVE\0ADEL:6439a528-0957-48e0-b37d-426bf9ee446b (deleted DSA) 13746445 2012-01-18 17:20:34 4 pwdLastSet

12463 Default-First-Site-Name\SUPERMASSIVE\0ADEL:6439a528-0957-48e0-b37d-426bf9ee446b (deleted DSA) 13746362 2012-01-18 16:57:43 1 primaryGroupID

12463 Default-First-Site-Name\SUPERMASSIVE\0ADEL:6439a528-0957-48e0-b37d-426bf9ee446b (deleted DSA) 13746361 2012-01-18 16:57:43 1 objectSid

12463 Default-First-Site-Name\SUPERMASSIVE\0ADEL:6439a528-0957-48e0-b37d-426bf9ee446b (deleted DSA) 13746455 2012-01-18 17:32:49 1 adminCount

12463 Default-First-Site-Name\SUPERMASSIVE\0ADEL:6439a528-0957-48e0-b37d-426bf9ee446b (deleted DSA) 13746362 2012-01-18 16:57:43 1 accountExpires

12463 Default-First-Site-Name\SUPERMASSIVE\0ADEL:6439a528-0957-48e0-b37d-426bf9ee446b (deleted DSA) 13746445 2012-01-18 17:20:34 3 lmPwdHistory

12463 Default-First-Site-Name\SUPERMASSIVE\0ADEL:6439a528-0957-48e0-b37d-426bf9ee446b (deleted DSA) 13746361 2012-01-18 16:57:43 1 sAMAccountName

12463 Default-First-Site-Name\SUPERMASSIVE\0ADEL:6439a528-0957-48e0-b37d-426bf9ee446b (deleted DSA) 13746361 2012-01-18 16:57:43 1 sAMAccountType

12463 Default-First-Site-Name\SUPERMASSIVE\0ADEL:6439a528-0957-48e0-b37d-426bf9ee446b (deleted DSA) 13746361 2012-01-18 16:57:43 1 userPrincipalName

12463 Default-First-Site-Name\SUPERMASSIVE\0ADEL:6439a528-0957-48e0-b37d-426bf9ee446b (deleted DSA) 13746361 2012-01-18 16:57:43 1 objectCategory

12463 Default-First-Site-Name\SUPERMASSIVE\0ADEL:6439a528-0957-48e0-b37d-426bf9ee446b (deleted DSA) 13746444 2012-01-18 17:20:34 1 lastLogonTimestamp

12463 Default-First-Site-Name\SUPERMASSIVE\0ADEL:6439a528-0957-48e0-b37d-426bf9ee446b (deleted DSA) 13746450 2012-01-18 17:20:36 5 msDS-LastSuccessfulInteractiveLogonTime

12463 Default-First-Site-Name\SUPERMASSIVE\0ADEL:6439a528-0957-48e0-b37d-426bf9ee446b (deleted DSA) 13746444 2012-01-18 17:20:34 1 msDS-FailedInteractiveLogonCountAtLastSuccessfulLogon

I subsequently logged in to a machine as myself (R*) and then used Explorer to generate an effective access token for Vic for a file on that server.