Integrated Windows Authentication in IE6 and IE7

In IE you can set the checkbox “Enable Integrated Windows Authentication” (Internet Options, Advanced Tab, below the heading Security)

note: IE8 screenshot

Internet Explorer 6 and 7 use Integrated Windows Authentication whether the checkbox is enabled or disabled. The real difference lies in the authentication protocol: Kerberos or NTLM. If the option is checked, IE first tries Kerberos and falls back to NTLM; if it is unchecked, IE only uses NTLM. So Microsoft labeled the option wrong; it should say something like "Negotiate Windows Authentication". Checking or unchecking the option just sets the registry value "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\EnableNegotiate" to 1 or 0.

Installing MS Forefront Security for Exchange Server

    Microsoft Forefront Security for Exchange Server integrates multiple scan engines from industry-leading security firms into a comprehensive, layered solution, helping businesses protect their Microsoft Exchange Server messaging environments from viruses, worms, spam, and inappropriate content.

  • start forefrontexchangesetup.exe
  • Accept the License Agreement and click on [Next]

  • You will be warned that the “Microsoft Exchange Transport” service will be restarted; if this is not possible, abort the setup. Otherwise just click [Next]

  • The next screen prompts you for the installation locations. Change them if you want to, then click [Next]

  • If you use a proxy server, fill in the details, then click [Next]

  • Enable the Antispam feature (if needed), then click [Next]

  • The next screen is about joining the CEIP (Customer Experience Improvement Program); if you want to be part of it, check the checkbox. Click [Next]

  • Verify your information, and then click [Next] to begin installation

  • After the installation, click [Finish]

  • Your start menu should now contain the “Forefront Protection for Exchange Server Console”. Fire it up.

  • Activate your license, or continue with the evaluation (only valid for 119 days).

  • If you have an Activation Key, you will be prompted for your License Agreement Number. Click on the link provided in the dialog.

Browsing a local hosted site with IE8

With Internet Explorer 8 you run into an annoying loopback check. Whenever you browse a locally hosted site (IIS), it pops up a security dialog asking for your username and password.
Whatever combination you enter, you eventually get a 401.1 error.

You can resolve it by editing the registry.

    1. Click Start, click Run, type regedit, and then click OK.
    2. In Registry Editor, locate and then click the following registry key:

      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

    3. Right-click Lsa, point to New, and then click DWORD Value.
    4. Type DisableLoopbackCheck, and then press ENTER.
    5. Right-click DisableLoopbackCheck, and then click Modify.
    6. In the Value data box, type 1, and then click OK.
    7. Quit Registry Editor, and then restart your computer.

The Machine SID Duplication Myth

A great article by Mark Russinovich (the creator of the NewSID tool) about the myth around duplicate Security Identifiers. System administrators frequently use NewSID to change a computer’s SID after cloning; after reading this article you will have a better understanding of SIDs and why the tool has been retired.

http://blogs.technet.com/markrussinovich/archive/2009/11/03/3291024.aspx

Forefront Client Security and windows 7

I just installed a new virtual machine with Windows 7 Enterprise. As I wanted to have some good protection from viruses and malware, I decided to go for Forefront Client Security.

I copied the installation files for FCS to a local temp folder, and executed the command CLIENTSETUP.EXE /NOMOM (to install FCS with the MOM agent). Keep in mind that if you are using an x64 system, you must execute the clientsetup.exe inside the x64 folder.
This installation failed because of UAC.
I changed my UAC settings to low by launching the “Change UAC Settings”, under the tool tab in MSConfig.

Change UAC Settings

Again I tried to execute the CLIENTSETUP.EXE /NOMOM.
This time FCS installed correctly.
After installation I pressed “Check for Updates Now” inside FCS, but it reported that there were no updates… strange, because the definition files are from September 14th 2006.

FCS reporting "No new definition files"

I then found this webpage: http://support.microsoft.com/kb/935934/ . You can download the antimalware definition files manually and install them. This solved it for me.

FCS Status

View Permissions for Reporting Services in SharePoint Integrated Mode

Setting up security for SSRS in SharePoint integrated mode can be a bit tricky, particularly if you want to set up some of your users to only be able to run reports, but not to be able to modify or change them. I found a great post explaining how to create a Reporting group in SharePoint:

http://agilebi.com/cs/blogs/jwelch/archive/2009/07/10/view-permissions-for-reporting-services-in-sharepoint-integrated-mode.aspx

EWA: Error Data Refresh Failed

I’ve been struggling for quite a long time with Excel Web Access in combination with a SQL Analysis Server and SharePoint.
The problem is that I am able to display an Excel file (which is in a SharePoint web part), but whenever I choose to refresh the connection I get the following error:

Unable to retrieve external data for the following connections:
[ODC File]
The data sources may be unreachable, may not be responding, or may have denied you access.
Verify that data refresh is enabled for the trusted file location and that the workbook data authentication is correctly set.

Here is a screenshot:

EWA: Data Refresh Failed

Finally today I got this error resolved.

First of all I did all the actions that MVP Ton Stegeman did in his blog about this subject. Check it out here (follow all 4 parts). He ends in part 3 with the error I have, but there was no solution provided.

Next I needed to make sure that Kerberos was working without a double-hop problem, and that I could access the SSAS server and its cube. For that I added a SQL Server 2005 Analysis Services Filter Web Part and specified the same ODC file. It worked great (I could select a dimension and a hierarchy).

The cause of this error is that I am running MOSS and SSAS both on Windows Server 2008 (two different servers, by the way). You might think that it should not be any different from a 2003 server, but Server 2008 is “AES aware” (Advanced Encryption Standard). There is a known problem with the combination of AES-aware systems like W2K8 and Vista and Kerberos.
To get it to work, you will have to follow the steps below:

  1. Open the following file in Notepad: “c:\Program Files\Microsoft SQL Server\MSAS10.MSSQLSERVER\OLAP\Config\msmdsrv.ini”
  2. There is a section called Security, which looks like this:
        <Security>
            <DataProtection>
                <RequiredProtectionLevel>1</RequiredProtectionLevel>
            </DataProtection>
            <AdministrativeDataProtection>
                <RequiredProtectionLevel>1</RequiredProtectionLevel>
            </AdministrativeDataProtection>
            <RequireClientAuthentication>1</RequireClientAuthentication>
            <SecurityPackageList/>
            <DisableClientImpersonation>0</DisableClientImpersonation>
            <BuiltinAdminsAreServerAdmins>1</BuiltinAdminsAreServerAdmins>
            <ServiceAccountIsServerAdmin>1</ServiceAccountIsServerAdmin>
            <ErrorMessageMode>2</ErrorMessageMode>
            <CellPermissionMode>0</CellPermissionMode>
        </Security>

  3. Change the tag <DataProtection> and <AdministrativeDataProtection>, so it looks like this:

        <Security>
            <DataProtection>
                <RequiredProtectionLevel>0</RequiredProtectionLevel>
            </DataProtection>
            <AdministrativeDataProtection>
                <RequiredProtectionLevel>0</RequiredProtectionLevel>
            </AdministrativeDataProtection>
            <RequireClientAuthentication>1</RequireClientAuthentication>
            <SecurityPackageList/>
            <DisableClientImpersonation>0</DisableClientImpersonation>
            <BuiltinAdminsAreServerAdmins>1</BuiltinAdminsAreServerAdmins>
            <ServiceAccountIsServerAdmin>1</ServiceAccountIsServerAdmin>
            <ErrorMessageMode>2</ErrorMessageMode>
            <CellPermissionMode>0</CellPermissionMode>
        </Security>

  4. Stop and restart Analysis Services
  5. Then edit your ODC file and add the following to the connection string:

    ";SSPI=Kerberos;Protection Level=Connect" (without the quotes)

Now try again.

Tip: restart IIS every time you make a change in your ODC file.
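As an added example (not from the original post), here are the two edits from the steps above done in Python, so they can be applied to a copy of msmdsrv.ini and checked before Analysis Services is restarted. It assumes the Security section sits under the <ConfigurationSettings> root element that msmdsrv.ini uses; the sample XML and the ODC connection string in the code are constructed. Note what the change means on the wire: RequiredProtectionLevel=0 on the server side together with Protection Level=Connect in the ODC means the MOSS-to-SSAS link is authenticated at connect time but no longer required to be signed or encrypted, so it belongs on a trusted server network.

```python
"""Apply the msmdsrv.ini and ODC changes from the post programmatically.
Added example; not code from the original post or from Microsoft."""
import xml.etree.ElementTree as ET

# Constructed sample: the Security section from the post, wrapped in the
# root element that the real msmdsrv.ini uses (assumed to be ConfigurationSettings).
SAMPLE_INI = """<ConfigurationSettings>
    <Security>
        <DataProtection>
            <RequiredProtectionLevel>1</RequiredProtectionLevel>
        </DataProtection>
        <AdministrativeDataProtection>
            <RequiredProtectionLevel>1</RequiredProtectionLevel>
        </AdministrativeDataProtection>
        <RequireClientAuthentication>1</RequireClientAuthentication>
    </Security>
</ConfigurationSettings>"""

# The two elements step 3 of the post changes from 1 to 0.
PROTECTION_PATHS = (
    "Security/DataProtection/RequiredProtectionLevel",
    "Security/AdministrativeDataProtection/RequiredProtectionLevel",
)


def protection_levels(ini_xml: str) -> dict:
    """Current RequiredProtectionLevel values, keyed by element path."""
    root = ET.fromstring(ini_xml)
    return {path: int(root.findtext(path)) for path in PROTECTION_PATHS}


def set_protection_level(ini_xml: str, level: int = 0) -> str:
    """Return the config with both RequiredProtectionLevel elements set to `level`.
    Raises if either element is missing, so a differently laid out file is not
    silently left unchanged."""
    root = ET.fromstring(ini_xml)
    for path in PROTECTION_PATHS:
        node = root.find(path)
        if node is None:
            raise ValueError(f"missing element {path}")
        node.text = str(level)
    return ET.tostring(root, encoding="unicode")


def add_kerberos_to_odc(connection_string: str) -> str:
    """Append SSPI=Kerberos;Protection Level=Connect to an OLE DB connection
    string (step 5 of the post), without duplicating keywords already present."""
    parts = [p.strip() for p in connection_string.split(";") if p.strip()]
    keys = {p.split("=", 1)[0].strip().lower() for p in parts}
    if "sspi" not in keys:
        parts.append("SSPI=Kerberos")
    if "protection level" not in keys:
        parts.append("Protection Level=Connect")
    return ";".join(parts)


if __name__ == "__main__":
    print("before:", protection_levels(SAMPLE_INI))
    updated = set_protection_level(SAMPLE_INI)
    print("after: ", protection_levels(updated))
    # Constructed ODC connection string (provider/server names are examples).
    print(add_kerberos_to_odc("Provider=MSOLAP.4;Data Source=ssas01;Initial Catalog=Sales"))
```

ElementTree drops XML comments and the XML declaration when it serialises, so diff the output against the original msmdsrv.ini before writing it back over the live file.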

GPO: disable Office ribbon Menu items

Problem:

  • I needed to disable a menu item in Excel 2007.

Resolution:

  • First of all download the ADM(X) templates for Office 2007 (keep in mind I am using Server 2008). You can download them here
  • Extract it to a folder, and then copy the contents of the admx folder to C:\Windows\PolicyDefinitions
  • Open your Group Policy Editor (gpmc.msc), and make a new Group Policy (I named it “Office GPO”)
  • If you browse to [User Configuration], [Administrative Templates], you will see all the Office Policy Definitions.
    Office Policy Definitions
  • My task was to disable the menu items “From Other Sources”, “Existing Connections” and “Connection”.
    You can disable menu items under the group policy setting:
    [Administrative Templates\Microsoft Office Excel 2007\Disable Items in User Interface\Custom\Disable Commands]
  • Disable Commands works with ID numbers; you can find these here
    For my problem I had to disable IDs 11205, 12495 and 12496

    Disable Command Properties

Kerberos fails when using CNAME records

If you’re in the middle of implementing Kerberos for something, remember that Kerberos authentication fails whenever you use CNAME records in DNS instead of A records.

Why is this?

This is because when, for example, IE asks AD “which account has an SPN registered for kerberos.marcvalk.net”, and kerberos.marcvalk.net is a CNAME for IIS_Server.marcvalk.net, the lookup is done for IIS_Server.marcvalk.net and the answer is the server, not the service account.

So you’ll probably see a pop-up authentication box with the title IIS_Server.marcvalk.net and not the correct host header kerberos.marcvalk.net.
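To make the mechanism concrete, here is an added Python example (not part of the original post) that models the name canonicalisation step: it follows the CNAME to its target, builds the SPN the client will actually request, and looks that SPN up in a table of registrations. The DNS zone, the SPN table and the account names are all constructed. It goes a little beyond the post by following CNAME chains with a loop guard and by modelling the fallback from an unregistered HTTP/<host> SPN to the computer account's HOST/<host> SPN, which is why the ticket ends up issued for the server rather than for the service account. The same check can be run over a real zone export before users see the prompt.

```python
"""Why a CNAME sends the Kerberos ticket request to the wrong account.
Added example with constructed data; not code from the original post."""
from typing import Dict, Optional, Tuple

# Constructed DNS zone: name -> (record type, target). Only A and CNAME are modelled.
DNS_ZONE: Dict[str, Tuple[str, str]] = {
    "kerberos.marcvalk.net": ("CNAME", "iis_server.marcvalk.net"),
    "iis_server.marcvalk.net": ("A", "10.0.0.5"),
    "reports.marcvalk.net": ("A", "10.0.0.5"),
}

# Constructed SPN registrations, in the form `setspn -L <account>` would list them.
SPN_REGISTRATIONS: Dict[str, str] = {
    "HTTP/kerberos.marcvalk.net": "MARCVALK\\svc_iis",
    "HTTP/reports.marcvalk.net": "MARCVALK\\svc_iis",
    "HOST/iis_server.marcvalk.net": "MARCVALK\\IIS_SERVER$",
}


def canonical_host(name: str, zone: Dict[str, Tuple[str, str]] = DNS_ZONE,
                   max_hops: int = 8) -> str:
    """Follow CNAME records to the canonical host name, as the Kerberos client
    does before it builds the SPN. Bounded so a CNAME loop raises instead of hanging."""
    host = name.lower().rstrip(".")
    for _ in range(max_hops):
        record = zone.get(host)
        if record is None or record[0] != "CNAME":
            return host
        host = record[1].lower().rstrip(".")
    raise ValueError(f"CNAME chain starting at {name} exceeds {max_hops} hops")


def requested_spn(url_host: str, service: str = "HTTP") -> str:
    """The SPN the client asks the KDC for when browsing http://<url_host>/."""
    return f"{service}/{canonical_host(url_host)}"


def spn_owner(spn: str, registrations: Dict[str, str] = SPN_REGISTRATIONS) -> Optional[str]:
    """Account holding the SPN, or None. Matching is case-insensitive, and an
    unregistered HTTP/<host> falls back to HOST/<host> on the computer account."""
    lookup = {k.lower(): v for k, v in registrations.items()}
    service, _, host = spn.partition("/")
    owner = lookup.get(spn.lower())
    if owner is None and service.upper() != "HOST":
        owner = lookup.get(f"host/{host.lower()}")
    return owner


def check_kerberos_name(url_host: str) -> dict:
    """Report whether a ticket request for url_host reaches the account that was
    meant to serve it, i.e. the one that holds HTTP/<url_host>."""
    spn = requested_spn(url_host)
    actual = spn_owner(spn)
    intended = spn_owner(f"HTTP/{url_host.lower()}")
    uses_cname = DNS_ZONE.get(url_host.lower(), ("", ""))[0] == "CNAME"
    return {
        "url_host": url_host,
        "requested_spn": spn,
        "actual_owner": actual,
        "intended_owner": intended,
        "uses_cname": uses_cname,
        "ok": actual is not None and actual == intended,
    }


if __name__ == "__main__":
    for host in ("kerberos.marcvalk.net", "reports.marcvalk.net"):
        print(check_kerberos_name(host))
```

For kerberos.marcvalk.net the report shows the requested SPN as HTTP/iis_server.marcvalk.net, owned (via the HOST/ fallback) by the computer account, while the intended owner is the service account that holds HTTP/kerberos.marcvalk.net; that mismatch is the authentication prompt the post describes. The A record reports.marcvalk.net passes.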