FreeBSD, UNC, IIS

Here are some basic instructions I used to get FreeBSD and Samba running.  The plan is to have a more complete guide to hooking up to IIS in the future.  I downloaded FreeBSD 8.2 and CentOS 5.6 to see what it would take to hook up a virtual directory in IIS 7.5 to a *nix Samba share.  I have prior experience getting FreeBSD running for various server roles.  It was the first Unix-based OS I had experience with.  Getting Samba installed was super easy with the link below.  I have no experience in a production environment running a virtual directory from IIS to a *nix share.  This was strictly to “see if I could do it”.

  • Download FreeBSD 8.2 ISO from www.freebsd.org
  • Create a new VM in Hyper-V or VMware (I used Hyper-V) – I had to add the legacy network connection once the VM was created.  Mount the ISO and let the install go as normal.  Here are the docs: http://www.freebsd.org/doc/handbook/install.html
  • Once FreeBSD is done installing

SSH to FreeBSD using PuTTY

winuser

su root

bash

cd /usr/ports/net

cd samba

Type make && make install (add / remove programs for FreeBSD)

When prompted, here are the items I selected

  • LDAP
  • ADS
  • CUPS
  • Winbind
  • With ACL support
  • AIO support
  • With syslog support
  • With utmp accounting support
  • DNSupdate
  • With system wide POPT library
  • With IPv6 support

Defaults for Python 2.6.6 were taken

Text displayed at the end of Samba install
This port has installed the following startup scripts which may cause these network services to be started at boot time. /usr/local/etc/rc.d/samba  If there are vulnerabilities in these programs there may be a security risk to the system. FreeBSD makes no guarantee about the security of ports included in the Ports Collection. Please type ‘make deinstall’ to deinstall the port if this is a concern. For more information, and contact details about the security status of this software, see the following webpage:

http://www.samba.org/

Running IIS Manager

http://support.microsoft.com/kb/813615

How to setup a share on FreeBSD box

http://www.us-webmasters.com/FreeBSD/Install/Samba/

Cheers,

Steve

Hosting PERL on IIS 7.x thread

Every now and then, a thread on http://forums.iis.net will get my interest by doing something different with IIS.  I’ve never set up PERL within IIS even though I knew it was possible to host PERL.  I figured what the heck, let’s see if I can get it working even though I don’t really know how to program in PERL.  The post is asking how to secure PERL in a shared hosting model.

Forum thread on securing PERL.  As of this post, no one has responded who has secured PERL for shared hosting.  I’ve asked a couple questions for my own interest.  If you know, feel free to respond with more information.  I’d be interested.

http://forums.iis.net/p/1179875/1988997.aspx

Helpful post getting PERL setup.
http://forums.iis.net/p/1178679/1984038.aspx

ActivePERL by ActiveState
http://www.activestate.com/activeperl

PERL information
http://www.perl.org/

Tips

  • Have to run the app pool in 32-bit mode.  I found many reports of issues with the 64-bit version
  • Run Process Monitor to determine exactly which folders are being blocked,
    i.e. the PERL folder, the %TEMP% variable, etc.
  • Make sure to install the CGI role service (otherwise you’ll get errors, I did)

Cheers,

Steve Schofield
Windows Server MVP – IIS
http://www.iislogs.com/steveschofield

http://www.IISLogs.com
Log archival solution
Install, Configure, Forget

Questions on Microsoft SMTP Service – visit http://www.smtp.ws
IIS Community Newsletter – visit http://www.iisnewsletter.com

Have CNAME point to a Windows Host and access via SMB

I was trying to map \\servername\sharename which would be \\Web1\Sharename.  Web1 would be an actual NetBIOS name and ‘ServerName’ would be a DNS CNAME to Web1.  I was getting an error ending in “because a duplicate name exists on the network”.

Go to:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters

Create a new DWORD with the following details:
Value name: DisableStrictNameChecking
Data type: REG_DWORD
Radix: Decimal
Value: 1

http://support.microsoft.com/?id=281308

Web Stress testing tools thread

Here is a thread on http://forums.iis.net that discusses stress testing tools.  There is a wide variety of tools available.  I personally use a PowerShell script to create a single log file, then load test with the Web Application Stress tool (retired by Microsoft).  For my personal needs this has been sufficient.  I thought I would pass it along as an FYI.

http://forums.iis.net/p/1179857/1988763.aspx

If you have tools that you’ve found successful, feel free to add them to the comments section.

PS – And a great tool to help analyze the data is using PAL (performance analysis of logs)

http://pal.codeplex.com/

Thank you,

Steve Schofield

IIS 7 / IUSR account, SCCM 2007 client, Status messages not working

Background

This is one of those posts that has been “years in the making”. I’ve been working with SMS / ConfigMgr 2007 since version 2.0. In my IT career, I’ve used SMS / ConfigMgr 2007 on the server side exclusively. Traditionally SMS / ConfigMgr has been mainly a desktop software deployment and management tool. I’ve never talked with anyone who has used ConfigMgr strictly “in a server environment” for other things besides patching and OSD, such as using ConfigMgr for DCM, software distribution, querying, reporting, etc.

Problem

I recently came across a situation where I was getting inconsistent status messages being sent back to the site server. Here is the message: “Failed to submit event to the Status Agent. Attempting to create pending event.” For those familiar with ConfigMgr, all components send their status messages through the StatusAgent component. Advertisements and task sequences would work; the status messages would not be updated, however.

Side Bar
Introduced in IIS 7 was the ability to set the Anonymous Authentication module to inherit from the application pool identity automatically. Here is a screenshot of the setting.


In previous IIS versions, the IUSR account was a local account with its own SID (Security Identifier). The administrator had to be aware of this account along with the application pool account (app pools started in Windows 2003 / IIS 6). The IUSR account was introduced in Windows Server 2008 as a ‘machine’ account with the same SID across all boxes. In IIS 6, I would set the IUSR_MachineName and application pool identity accounts the same. Although I was administering two locations, it made troubleshooting a lot easier only dealing with one account.  When Windows Server 2008 came out and provided the ability to inherit the application pool identity automatically, from an IIS administrator’s perspective, I quickly adopted this architecture.  PS – I’m not 100% sure why inheriting the application pool identity isn’t the default setting; I once heard it was to support Classic ASP applications.  Not sure.

Back to ConfigMgr 2007

From an IIS perspective, administrators may implement this type of architecture (I did!). What I discovered is that the IUSR setting at server level is required if a machine has IIS installed. Here is what I did to prove the ConfigMgr client was checking for the existence of the IUSR account.

Here are the status messages that appeared in the logs. Notice the highlighted sections, and the function being called.

ccmperf.log:<![LOG[Security::LookupIUSRAccountSid(sIUSRSid), HRESULT=80004005 (e:\nts_sms_fre\sms\framework\ccmperf\perfobject.cpp,1484)]LOG]!><time="00:14:21.853+240" date="01-09-2011" component="ccmperf" context="" type="0" thread="14748" file="perfobject.cpp:1484">
ccmperf.log:<![LOG[GetIISAccounts(sIUSRSid), HRESULT=80004005 (e:\nts_sms_fre\sms\framework\ccmperf\perfobject.cpp,1559)]LOG]!><time="00:14:21.853+240" date="01-09-2011" component="ccmperf" context="" type="0" thread="14748" file="perfobject.cpp:1559">
ccmperf.log:<![LOG[Security::LookupIUSRAccountSid(sIUSRSid), HRESULT=80004005 (e:\nts_sms_fre\sms\framework\ccmperf\perfobject.cpp,1484)]LOG]!><time="00:14:21.862+240" date="01-09-2011" component="ccmperf" context="" type="0" thread="14748" file="perfobject.cpp:1484">
ccmperf.log:<![LOG[GetIISAccounts(sIUSRSid), HRESULT=80004005 (e:\nts_sms_fre\sms\framework\ccmperf\perfobject.cpp,1559)]LOG]!><time="00:14:21.862+240" date="01-09-2011" component="ccmperf" context="" type="0" thread="14748" file="perfobject.cpp:1559">
ccmperf.log:<![LOG[Security::LookupIUSRAccountSid(sIUSRSid), HRESULT=80004005 (e:\nts_sms_fre\sms\framework\ccmperf\perfobject.cpp,1484)]LOG]!><time="00:14:22.678+240" date="01-09-2011" component="ccmperf" context="" type="0" thread="13344" file="perfobject.cpp:1484">
ccmperf.log:<![LOG[GetIISAccounts(sIUSRSid), HRESULT=80004005 (e:\nts_sms_fre\sms\framework\ccmperf\perfobject.cpp,1559)]LOG]!><time="00:14:22.680+240" date="01-09-2011" component="ccmperf" context="" type="0" thread="13344" file="perfobject.cpp:1559">
StatusAgent.log:<![LOG[Security::LookupIUSRAccountSid(sAccount), HRESULT=80004005 (e:\nts_sms_fre\sms\framework\core\ccmcore\comobjectsecurity.cpp,58)]LOG]!><time="00:14:58.883+240" date="01-09-2011" component="StatusAgent" context="" type="0" thread="11300" file="comobjectsecurity.cpp:58">
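
One way to pull these failures out of the client logs, as an added example that is not part of the original post: it parses lines in the layout shown above and keeps only failed LookupIUSRAccountSid / GetIISAccounts calls. The function names and the sample lines are constructed for illustration, and it assumes the log files use plain ASCII quotes.

```powershell
# Added example, not from the original post. Sample lines are constructed in the
# "file.log:<![LOG[...]LOG]!><time=...>" layout shown above, with ASCII quotes.
$SampleLines = @(
    'ccmperf.log:<![LOG[Security::LookupIUSRAccountSid(sIUSRSid), HRESULT=80004005 (perfobject.cpp,1484)]LOG]!><time="00:14:21.853+240" date="01-09-2011" component="ccmperf" context="" type="0" thread="14748" file="perfobject.cpp:1484">',
    'ccmperf.log:<![LOG[GetIISAccounts(sIUSRSid), HRESULT=80004005 (perfobject.cpp,1559)]LOG]!><time="00:14:21.853+240" date="01-09-2011" component="ccmperf" context="" type="0" thread="14748" file="perfobject.cpp:1559">',
    'StatusAgent.log:<![LOG[Security::LookupIUSRAccountSid(sAccount), HRESULT=80004005 (comobjectsecurity.cpp,58)]LOG]!><time="00:14:58.883+240" date="01-09-2011" component="StatusAgent" context="" type="0" thread="11300" file="comobjectsecurity.cpp:58">',
    'StatusAgent.log:<![LOG[Constructed informational line without an HRESULT]LOG]!><time="00:15:02.100+240" date="01-09-2011" component="StatusAgent" context="" type="1" thread="11300" file="constructed.cpp:1">'
)

$LinePattern = '^(?<log>[^:]+):<!\[LOG\[(?<msg>.*)\]LOG\]!><time="(?<time>[^"]*)" date="(?<date>[^"]*)" component="(?<component>[^"]*)" context="[^"]*" type="(?<type>\d+)" thread="(?<thread>\d+)" file="(?<file>[^"]*)">\s*$'
# A failed call is logged as Name(args), HRESULT=xxxxxxxx; a failure HRESULT has its top bit set
$CallPattern = '^(?<call>[\w:]+)\(.*?\), HRESULT=(?<hr>[89A-Fa-f][0-9A-Fa-f]{7})\b'

function ConvertFrom-CcmLogLine([string]$Line)
{
    $m = [regex]::Match($Line, $LinePattern)
    if (-not $m.Success) { return }          # not a CCM log line, emit nothing
    $c = [regex]::Match($m.Groups['msg'].Value, $CallPattern)
    New-Object PSObject -Property @{
        Log       = $m.Groups['log'].Value
        Component = $m.Groups['component'].Value
        Date      = $m.Groups['date'].Value
        Time      = $m.Groups['time'].Value
        Thread    = $m.Groups['thread'].Value
        Call      = $c.Groups['call'].Value   # empty when the line is not a failed call
        HResult   = $c.Groups['hr'].Value
    }
}

function Find-IusrLookupFailure([string[]]$Lines)
{
    $Lines | ForEach-Object { ConvertFrom-CcmLogLine $_ } |
        Where-Object { $_.Call -match 'LookupIUSRAccountSid|GetIISAccounts' }
}

# One row per component, failing function and HRESULT, with the first and last time seen
Find-IusrLookupFailure $SampleLines | Group-Object Component, Call, HResult |
    ForEach-Object {
        New-Object PSObject -Property @{
            Count = $_.Count; What = $_.Name
            First = $_.Group[0].Time; Last = $_.Group[-1].Time
        }
    } | Format-Table Count, What, First, Last -AutoSize
```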

As I mentioned earlier, I work strictly in a server environment, in which many boxes have IIS installed (mostly Windows Server 2008 / R2 boxes). For some reason Microsoft has logic in SCCM to check for the existence of the IUSR account. Here is a post I did, “IUSR Account and ConfigMgr 2007 R3 agent”. It explains that I temporarily had to set the IUSR account enabled at server level so the ConfigMgr agent would install.

A configuration workaround

The ConfigMgr agent doesn’t seem to check for IUSR at site level. This means an administrator who has ConfigMgr installed on a server OS with IIS can enable the IUSR setting at server level, and set the inherit application pool identity at site level. From my testing, this configuration works. I did a PowerShell script to:

  • Backup current applicationHost.config with appcmd
  • Enable IUSR at server level
  • Disable IUSR and inherit application pool identity.
  • Stop / Start SMS Agent Host
  • Watch the SCCM logs

A little precaution before running the script. The logic assumes you are using the application pool identity for securing resources. I’d recommend you review your IIS architecture to ensure this setup would work in your environment. I ALWAYS encourage people to try scripts in a non-production environment first. The script does make a backup copy of the applicationHost.config before making changes. If something happens, just restore the applicationHost.config.

After years of not quite understanding how IUSR was used, I thank God for helping me finally understand what is happening! I hope you find this post useful. Hope this workaround isn’t needed in CM2012. Time will tell.

Thank you,

Steve Schofield

Here is the script.

$ExitCode = 0
$AppCmd = "$Env:SystemRoot\system32\inetsrv\appcmd.exe"
$Section = "system.webServer/security/authentication/anonymousAuthentication"
try
{
    #Run appcmd with an argument array instead of Invoke-Expression,
    #so a site name is passed as data and never parsed as PowerShell code
    function InvokeAppCmd([string[]]$Arguments)
    {
        Write-Host "$AppCmd $Arguments"
        & $AppCmd $Arguments
    }

    function EnableIUSRServerLevel
    {
        InvokeAppCmd "set", "config", "/section:$Section", "/userName:IUSR", "/commit:apphost"
    }

    function DisableIUSRSiteLevel([string]$SiteName)
    {
        #An empty userName makes anonymous requests inherit the application pool identity
        InvokeAppCmd "set", "config", $SiteName, "/section:$Section", "/userName:", "/commit:apphost"
    }

    #Use PowerShell provider to get a list of sites
    #Windows Server 2008 needs PowerShell provider installed before using (loaded as a snap-in)
    #Windows Server 2008 R2 has PowerShell provider already (loaded as a module)
    if (Get-Module -ListAvailable -Name "WebAdministration")
    {
        Import-Module -Name "WebAdministration" -ErrorAction Stop
    }
    else
    {
        Add-PSSnapin -Name "WebAdministration" -ErrorAction Stop
    }

    #Backup ApplicationHostConfig (MM = month, HH = hour, mm = minute)
    $FileDate = (Get-Date).ToString('dd-MM-yyyy-HH-mm')
    InvokeAppCmd "add", "backup", "BeforeSettingIUSRData$FileDate"
    Write-Host "applicationHost.config backed up"

    #Set IUSR at server level
    Write-Host "Set IUSR at server level enabled"
    EnableIUSRServerLevel

    #Get List of Sites using get-childitem
    $sites = Get-ChildItem IIS:\Sites

    #Set Each site on the box with IUSR disabled
    foreach($site in $sites)
    {
        Write-Host $site.name
        Write-Host ""
        DisableIUSRSiteLevel -SiteName $site.name
    }

    Write-Host "Done"
}
catch
{
    $ExitCode = 1
    Write-Host "error: $_"
}
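
To confirm the result after running the script, the following added example (not part of the original post) reads the anonymous authentication identity at server level and for each site without changing anything; per the workaround above, the server level should show IUSR and each site an empty user name. The function names are made up for this example, and it assumes the WebAdministration module or snap-in is installed.

```powershell
# Added example, not from the original post: read-only, changes no configuration.
# Reports which account anonymous requests use at server level and for each site.
if (Get-Module -ListAvailable -Name WebAdministration) { Import-Module WebAdministration }
else { Add-PSSnapin WebAdministration }

$Section = 'system.webServer/security/authentication/anonymousAuthentication'

function Get-AnonymousAuthSetting([string]$Name, [string]$SiteName)
{
    $Query = @{ PSPath = 'MACHINE/WEBROOT/APPHOST'; Filter = $Section; Name = $Name }
    if ($SiteName) { $Query.Location = $SiteName }   # site settings live in a <location> tag
    $Result = Get-WebConfigurationProperty @Query
    # The provider returns either a raw value or an attribute object wrapping it in .Value
    if ($Result -ne $null -and $Result.PSObject.Properties['Value']) { $Result.Value }
    else { $Result }
}

function Get-AnonymousIdentityReport
{
    # An empty scope name stands for the server level; the rest are site names
    $Scopes = @('') + @(Get-ChildItem IIS:\Sites | ForEach-Object { $_.Name })
    foreach ($Scope in $Scopes)
    {
        $User = Get-AnonymousAuthSetting -Name 'userName' -SiteName $Scope
        New-Object PSObject -Property @{
            Scope    = $(if ($Scope) { $Scope } else { '(server level)' })
            Enabled  = Get-AnonymousAuthSetting -Name 'enabled' -SiteName $Scope
            UserName = $User
            RunsAs   = $(if ($User) { "account $User" } else { 'application pool identity' })
        }
    }
}

Get-AnonymousIdentityReport | Format-Table Scope, Enabled, UserName, RunsAs -AutoSize
```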

PowerShell script to refresh SCCM client machine policy

I’ve been working with SCCM for a few months.  As some might know, forcing SCCM to “test now” is a bit of a process.  Here is a script I use to force the client to check for new advertisements.  It’s been handy when performing testing.  Hope you find this helpful.

Refresh-SCCMClientMachinePolicy.ps1

#"." targets the local computer
$Computer = "."
$Class = "SMS_Client"
$Method = "TriggerSchedule"
#Schedule ID that triggers the machine policy refresh
$Sched = "{00000000-0000-0000-0000-000000000021}"
$MC = [WmiClass]"\\$Computer\ROOT\ccm:$Class"

#Build the input parameters for SMS_Client.TriggerSchedule
$InParams = $MC.PSBase.GetMethodParameters($Method)

$InParams.sScheduleID = $Sched

"Calling SMS_Client. : TriggerSchedule with Parameters :"
$InParams.PSBase.Properties | Select-Object Name,Value | Format-Table

#Invoke the method and show what the client returned
$R = $MC.PSBase.InvokeMethod($Method, $InParams, $Null)
"Result :"
$R | Format-List

Here is a screenshot of how you refresh the Machine Policy on the client.  This forces the client to check for new policy (aka Advertisements).

Thank you,

Steve Schofield

IISLogs 4.0 released

We are excited to announce IISLogs 4.0 has been released July 1st.  There are two flavors, IISLogsEXE (Stand-Alone EXE) or Windows Service Version.  Download a 30 day full version here.  The #1 custom request has been added: compress multiple log files into a single zip file.  Here is a summary of new features.

ZipFile Storage Preference ( Daily, Weekly, Monthly )
Control your zip files retention period. By default, IISLogs creates a zip file on a daily basis. Introduced in IISLogs 4.0, there are options to zip files on a daily, weekly or monthly basis. This can reduce the number of zip files created on disk. You can use IISLogs classic options to apply the same rules to all folders. The SpecificDirectories and Advanced Dir Config options are classic IISLogs options. The Per Directory (introduced in IISLogs 2.0) option allows for the same Zip options (Daily, Weekly, Monthly). Using the PerDirectory option, you can apply separate rules on a per directory basis.
 
Per Directory enhancements in IISLogs 4.0
In addition to providing Daily, Weekly, Monthly zip options in the Per Directory feature, there is an additional option to preserve the directory path (this option is called PreserveDirPath in IISLogsGUI). When IISLogs compresses a file stored to an alternative location, either a different directory on the same machine or a UNC path, IISLogs preserves the original folder path when writing to disk. For example, if you store your IIS logs in c:\inetpub\logs\logfiles\w3svc1, a stored file keeps the original log path: it would be \\ServerName\ShareName\MachineName\inetpub\logs\logfiles\w3svc1\filename.zip (when IncludeComputerName is checked) or \\ServerName\ShareName\inetpub\logs\logfiles\w3svc1\filename.zip (when IncludeComputerName is not checked). When you disable PreserveDirPath, IISLogs will not retain the original folder path and writes to the root of the alternative folder path configured in ZipFilePath. In this example, \\Server\Share\filename.zip

About IISLogs

IISLogs provides programs to help administrators manage all kinds of log files.  Started in July 2004, IISLogs offers 1.0, 2.0, 4.0 versions.  For more information, contact us at info@iislogs.com

Enjoy,

Steve Schofield