KB2909210 on Server 2008 R2 breaks my intranet sites

I have several intranet sites that my users use for various data entry and querying purposes. I installed Internet Explorer 10 onto my 2008 R2 Terminal Server over this past weekend, which also installed the Security Update KB2909210 and rebooted the server. On Monday morning, when my terminal users logged into the sites, the sites began malfunctioning. All the dropdown arrows turned into question marks. Some fields which normally have a small "x" on the right-hand side used to erase the data entered in the text field were also displaying as question marks. The objects still functioned but it was disconcerting to my users. The update also slowed down these same intranet sites to where it began interfering with productivity.
I activated Compatibility View for all intranet sites, but it did not resolve the problem.
I also found that when my terminal users tried to print a PDF document from the intranet sites, the print dialog box was jumbled and no fields were pre-populated with data like they always are when printing. I updated to the latest Adobe Reader, but the print dialog box remained jumbled.
All of my users with stand-alone PCs have IE 10 installed and the intranet sites work fine. They display properly and process quickly. It is only my terminal users who log in from a thin client to their profiles on the server and use the IE version installed on the server who have the problem with IE10. The KB2909210 update is not installed on, and does not come up as an update for, any of my stand-alone Windows 7 PCs.
I uninstalled IE 10 from my server, but since this was one of my production servers, I could not restart it until after the plant was shut down for the evening, forcing my users to suffer with the slowness for the day. This morning the intranet sites are working fine through IE 9. I also had to revert back to Adobe Reader v9.5 as the v11 (and v10) print dialog box does not display properly in IE 9.
I do not want to stay on IE 9 on my server as it gets more insecure by the day and we've found IE 11 to be too buggy so far.
How can I install IE 10 with its security updates and prevent it from breaking my intranet sites?

I would re-ask this in a different forum, as this is a Small Business Server forum and I'm assuming you aren't running that platform?
Or call 1-800-microsoft; issues with a security patch are ultimately comp'd back to you.
This re-asking in forum after forum after forum is ridiculous! When someone else has this problem and searches for it, they will get several useless results with the only responses being to ask in another forum.
This was originally posted in the Microsoft Community forum. The MS Forum Moderator over there advised I should post it here and gave a link in her response. God forbid she had just moved it to the correct forum as I've seen done on countless other forums!

Similar Messages

  • KB2909210 on Server 2008 R2 breaks my intranet sites and print dialog box

    Let's try this again. I have been asking the following question of Microsoft and every time I do, I have only been told to try another forum.
    I have several intranet sites that my users use for various data entry and querying purposes. I installed Internet Explorer 10 onto my 2008 R2 Terminal Server over this past weekend (10/18/2014), which also installed the Security Update KB2909210 and rebooted the server. On Monday morning (10/20/2014), when my terminal users logged into the sites, the sites began malfunctioning. All the dropdown arrows turned into question marks. Some fields which normally have a small "x" on the right-hand side used to erase the data entered in the text field were also displaying as question marks. The objects still functioned but it was disconcerting to my users. The update also slowed down these same intranet sites to where it began interfering with productivity. I activated Compatibility View for all intranet sites, but it did not resolve the problem.
    I also found that when my terminal users tried to print a PDF document from the intranet sites, the print dialog box was jumbled and no fields were pre-populated with data like they always are when printing. I updated to the latest Adobe Reader, but the print dialog box remained jumbled.
    All of my users with stand-alone PCs have IE 10 installed and the intranet sites work fine. The sites display properly and process quickly, and the print dialog box is not jumbled. It is only my terminal users who log in from a thin client to their profiles on the server and use the IE version installed on the server who have the problem with IE10. The KB2909210 update is not installed on, and does not come up as an update for, any of my stand-alone Windows 7 PCs.
    I uninstalled IE 10 from my server, but since this was one of my production servers, I could not restart it until after the plant was shut down for the evening, forcing my users to suffer with the slowness for the day. This morning (10/21/2014) the intranet sites are working fine through IE 9. I also had to revert back to Adobe Reader v9.5 as the v11 (and v10) print dialog box does not display properly in IE 9.
    I do not want to stay on IE 9 on my server as IE9 gets more insecure by the day and we've found IE 11, on any of our machines, to be too buggy.
    How can I install IE 10 with its security updates and prevent it from breaking my intranet sites and print dialog box? What is so different about Server 2008 R2 and Windows 7 that IE 10 causes this corruption of intranet sites and the print dialog box on the Server but not on the Win 7 machines?
    The bulletin here:
    https://technet.microsoft.com/library/security/ms14-011
    is useless for determining why it breaks my intranet sites. Nor does it explain why the update destroys the print dialog box.

    Hi,
    In my opinion, it's hard to say your problem is caused by KB2909210. Have you tried uninstalling this update to test whether your intranet site's problem is resolved?
    If your problem is truly caused by this update, you can choose to hide the update as a workaround.
    Roger Lu
    TechNet Community Support

  • Configuring Service Broker between SQL Server 2008 and 2012 on Intranet

    Hello, I would need help in configuring Service Broker. As both servers are on the intranet, I wanted to keep it as simple as possible, so I used no certificates and allowed anonymous access, but still, using SSBDiagnose, I can see errors.
    I would like to paste here my configuration and my usage of SSBDiagnose. I already asked a question about SSBDiagnose usage, but this new question is rather on the usage of certificates and the configuration of SSB, for me to know if I am doing this in the best possible way.
    Reading on the web, I have read in a few places that certificates are not mandatory and that Windows Authentication only can be used. Then I read that even if endpoints don't request certificates, the communication between two servers will still require certificates, so I am wondering where the truth is...
    I have two servers:
    EmployeesSvr (SQL Server 2012 Enterprise Edition with Always On, EmployeesSvr is the listener name in front of two virtual servers)
    CREATE MESSAGE TYPE [//E/S/ETChanged] VALIDATION = WELL_FORMED_XML
    CREATE CONTRACT [//E/S/ECContract] ([//E/S/ETChanged] SENT BY INITIATOR)
    CREATE QUEUE [dbo].[ECQueue] WITH STATUS = ON , RETENTION = OFF , ACTIVATION ( STATUS = ON , PROCEDURE_NAME = [dbo].[SSB_ECQueueProc] , MAX_QUEUE_READERS = 1 , EXECUTE AS N'dbo' )
    CREATE SERVICE [//E/S/ECService] ON QUEUE [dbo].[ECQueue] ([//E/S/ECContract])
    CREATE ROUTE [RouteToSECService] WITH SERVICE_NAME = N'//S/S/ECService' , BROKER_INSTANCE = N'F...' , ADDRESS = N'TCP://SoftwaresSrv.test.com:4022'
    CREATE REMOTE SERVICE BINDING [SECServiceBinding] TO SERVICE N'//S/S/ECService' WITH USER = [domain\SvcBrokerTestUser] , ANONYMOUS = ON
    CREATE ENDPOINT [ESBEndpoint] STATE=STARTED AS TCP (LISTENER_PORT = 4022, LISTENER_IP = ALL) FOR SERVICE_BROKER (MESSAGE_FORWARDING = DISABLED, MESSAGE_FORWARD_SIZE = 10, AUTHENTICATION = WINDOWS NEGOTIATE, ENCRYPTION = DISABLED)
    SoftwaresSvr (SQL Server 2008 R2)
    CREATE MESSAGE TYPE [//E/S/ETChanged] VALIDATION = WELL_FORMED_XML
    CREATE CONTRACT [//E/S/ECContract] ([//E/S/ETChanged] SENT BY INITIATOR)
    CREATE QUEUE [dbo].[ECQueue] WITH STATUS = ON , RETENTION = OFF , ACTIVATION ( STATUS = ON , PROCEDURE_NAME = [dbo].[SSB_ECQueueProc] , MAX_QUEUE_READERS = 1 , EXECUTE AS N'dbo' )
    CREATE SERVICE [//S/S/ECService] ON QUEUE [dbo].[ECQueue] ([//E/S/ECContract])
    CREATE ROUTE [RouteToECService] WITH SERVICE_NAME = N'//E/S/ECService' , BROKER_INSTANCE = N'2...' , ADDRESS = N'TCP://EmployeesSvr.test.com:4022'
    CREATE REMOTE SERVICE BINDING [EECServiceBinding] TO SERVICE N'//E/S/ECService' WITH USER = [domain\SvcBrokerTestUser] , ANONYMOUS = ON
    CREATE ENDPOINT [SSBEndpoint] STATE=STARTED AS TCP (LISTENER_PORT = 4022, LISTENER_IP = ALL) FOR SERVICE_BROKER (MESSAGE_FORWARDING = DISABLED, MESSAGE_FORWARD_SIZE = 10, AUTHENTICATION = WINDOWS NEGOTIATE, ENCRYPTION = DISABLED)
    My SSBDiagnose command :
    ssbdiagnose -E CONFIGURATION
    FROM SERVICE //E/S/ECService
    -S EmployersSvr
    -d EmployersDB
    TO SERVICE //S/S/ECService
    -S SoftwaresSvr
    -d SoftwaresDB
    ON CONTRACT //E/S/ECContract
    The result :
    Microsoft SQL Server 10.50.1600.1
    Service Broker Diagnostic Utility
    D 29978 EmployersSvr EmployersDB
    No valid certificate was found for user domain\SvcBrokerTestUser
    D 29977 SoftwaresSvr SoftwaresDB
    The user domain\SvcBrokerTestUser from database EmployersDB on EmployersSvr cannot be mapped into this database using certificates
    D 29933 SoftwaresSvr SoftwaresDB
    The routing address TCP://EmployeesSvr.test.com:4022 for service //E/S/ECService does not match any of the IP addresses for EmployersSvr
    An internal exception occurred: An exception occurred while executing a Transact-SQL statement or batch.
    Thank you for any help, I am searching for several answers:
    Can I use the setup as I defined, with no certificate? Is it risky?
    Are there too many objects defined? Is it mandatory to have a Route and a Remote Service Binding? I don't understand how those two are working together...
    Is it OK to use the same Windows account on each side? Do they only need an 'Open' access right or do they need to be db_owner?
    Best regards,
    Claude

    Hi Claude,
    1. Can I use the setup as I defined, with no certificate? Is it risky?
    Service Broker does not have to use certificates. A certificate is necessary when you want to use dialog security, by which you can encrypt all messages sent outside a SQL Server instance.
    http://technet.microsoft.com/en-us/library/ms166036(v=SQL.105).aspx
    2. Are there too many objects defined? Is it mandatory to have a Route and a Remote Service Binding?
    Remote Service Binding is used to provide dialog security. If you do not need dialog security, the Remote Service Binding is not mandatory.
    http://technet.microsoft.com/en-us/library/ms166042(v=SQL.105).aspx
    By default, each database contains a route that specifies that messages for any service which does not have an explicit route are delivered within the SQL Server instance. Since you have communications between different instances, creating a route between them is necessary.
    http://technet.microsoft.com/en-us/library/ms166032(v=SQL.105).aspx
    3. Is it OK to use the same Windows account on each side? Do they only need an 'Open' access right or do they need to be db_owner?
    The Windows account must own the certificate used for authentication. You can find more information below.
    http://technet.microsoft.com/en-us/library/ms166045(v=SQL.105).aspx
    http://technet.microsoft.com/en-us/library/ms186278(v=sql.105).aspx
    Best regards,
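    The "transport security only" setup the reply describes (Windows authentication between the instances, a route on each side, no certificates and no Remote Service Binding), written out as an added example that is not code from the thread. It reuses the poster's object names and assumes that domain\SvcBrokerTestUser is a login on both instances, that port 4022 is reachable in both directions, and that the message type, contract, queues and services from the post already exist; the transport ENCRYPTION option is tightened from the post's DISABLED to REQUIRED.

```sql
-- Added example: minimal Service Broker configuration without dialog security.
-- Assumed: the message type, contract, queues and services from the post exist,
-- and [domain\SvcBrokerTestUser] is a Windows login on both instances.

---------------------------------------------------------------------------
-- Initiator instance (EmployeesSvr), run in the initiator database
---------------------------------------------------------------------------
-- Transport security between the instances. The post used ENCRYPTION = DISABLED;
-- REQUIRED (also the default when the option is omitted) keeps message bodies
-- off the wire in clear text. Both endpoints must use the same setting.
CREATE ENDPOINT [ESBEndpoint]
    STATE = STARTED
    AS TCP (LISTENER_PORT = 4022, LISTENER_IP = ALL)
    FOR SERVICE_BROKER (AUTHENTICATION = WINDOWS NEGOTIATE,
                        ENCRYPTION = REQUIRED);
GO
-- Without this grant the remote instance is refused at the endpoint, which is
-- the first thing to verify when ssbdiagnose reports connection problems.
GRANT CONNECT ON ENDPOINT::[ESBEndpoint] TO [domain\SvcBrokerTestUser];
GO
-- A route is mandatory for a service that lives on another instance. The host
-- name must resolve to the address the target endpoint actually listens on
-- (the post's diagnostic output flagged a route whose name did not match).
CREATE ROUTE [RouteToSECService]
    WITH SERVICE_NAME = N'//S/S/ECService',
         ADDRESS      = N'TCP://SoftwaresSrv.test.com:4022';
GO
-- No REMOTE SERVICE BINDING is created: that object only carries dialog
-- security, and dialog security is what needs certificates. A dialog opened
-- without it must be started with ENCRYPTION = OFF; otherwise the message
-- waits in sys.transmission_queue for a security configuration that never exists.
DECLARE @dialog UNIQUEIDENTIFIER;
DECLARE @body   XML = N'<ETChanged id="1" />';   -- constructed sample message
BEGIN DIALOG CONVERSATION @dialog
    FROM SERVICE [//E/S/ECService]
    TO SERVICE N'//S/S/ECService'
    ON CONTRACT [//E/S/ECContract]
    WITH ENCRYPTION = OFF;
SEND ON CONVERSATION @dialog MESSAGE TYPE [//E/S/ETChanged] (@body);
GO
-- Delivery failures are recorded here rather than raised to the caller.
SELECT to_service_name, transmission_status
FROM sys.transmission_queue;

---------------------------------------------------------------------------
-- Target instance (SoftwaresSvr), run in the target database
---------------------------------------------------------------------------
CREATE ENDPOINT [SSBEndpoint]
    STATE = STARTED
    AS TCP (LISTENER_PORT = 4022, LISTENER_IP = ALL)
    FOR SERVICE_BROKER (AUTHENTICATION = WINDOWS NEGOTIATE,
                        ENCRYPTION = REQUIRED);
GO
GRANT CONNECT ON ENDPOINT::[SSBEndpoint] TO [domain\SvcBrokerTestUser];
GO
-- The target needs its own route back to the initiator for acknowledgements
-- and replies; without it the conversation never completes.
CREATE ROUTE [RouteToECService]
    WITH SERVICE_NAME = N'//E/S/ECService',
         ADDRESS      = N'TCP://EmployeesSvr.test.com:4022';
GO
```

    Run ssbdiagnose again after this change: the "No valid certificate was found" finding disappears once no Remote Service Binding asks for dialog security, leaving only the route/address check to confirm.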

  • WDS on server 2008 std breaking .WIM files

    Hi,
    SUMMARY - 'Importing images into WDS seems to break them'
    I'm a bit green so I apologise if I'm being stupid. I'm installing and configuring WDS and MDT deployment within a mixed MS 2003 domain environment. We need to be able to deploy 32-bit images and the server will be used for servicing images as well as deploying, and so (I think) I need to use Server 2008 standard as creating catalogue files on x64 systems for x86 images doesn't work.
    So - the system is:
    Server 2008 standard x86 edition; WDS Deployment Services Role; MDT 2012 Update 1; ADK 8, config manager tools for trace32.exe.
    I have imported win7 boot and install images directly from the original DVD .iso files, both x86 and x64. Both capture and setup images work ok. I've added network drivers to these successfully. I can deploy vanilla win7 x86 and x64 using WDS - this works
    fine.
    So my issue is: I've deployed vanilla Windows 7 to a desktop, installed applications, updated config as necessary etc. Booted using the appropriate capture image and captured a .wim file. I've copied this to my WDS server and imported it as an install image. When I try and deploy the image it fails just after the 'expanding windows files' stage. After looking in log files the error seems to be 'selected image file does not have a resource section'.
    I've gone back to the WDS server, exported these image files and tried to mount them using DISM - I get the same error: "1812 The specified image file did not contain a resource section"
    Mounting fails.
    Now I've tried mounting the .wim files using dism BEFORE I import them into WDS and they mount without any issues. As soon as I import them and export them again they will not mount any more.
    Please help, I don't know what else to try! :)
    Some things I've thought but can't find answers to: Can you use 2008 standard to deploy Windows 7 at all? (server is earlier version of windows)
    Is the apparent importing into WDS issue a red herring? Could it be that these images are broken from capture? Is there a way to test this without deploying the image using a USB stick instead of WDS?
    I've tried uninstalling the ADK and installing WAIK instead. Exactly the same result. Here are some choice extracts from dism.log:
    2015-03-02 17:33:18, Info                  CBS    Failed to find a matching version for servicing stack: C:\Users\softset\AppData\Local\Temp\MDTUpdate.2544\Mount\Windows\WinSxS\x86_microsoft-windows-servicingstack_31bf3856ad364e35_6.2.9200.16384_none_060a6d2998b13f25\
    [HRESULT = 0x80070490 - ERROR_NOT_FOUND]
    2015-03-02 17:33:18, Info                  CBS    Failed to find servicing stack directory in online store. [HRESULT = 0x80070490 - ERROR_NOT_FOUND]
    2015-03-02 17:33:18, Info                  CBS    Failed to get proc address for CMP_GetServerSideDeviceInstallFlags [HRESULT = 0x8007007f - ERROR_PROC_NOT_FOUND]
    2015-03-02 17:33:18, Info                  CBS    Failed to load CfgMgr32 DLL. [HRESULT = 0x8007007f - ERROR_PROC_NOT_FOUND]
    2015-03-03 15:29:27, Error                 DISM   DISM WIM Provider: PID=2852 Failed to mount the image. - CWimImageInfo::Mount(hr:0x80070714)
    2015-03-03 15:29:27, Error                 DISM   DISM WIM Provider: PID=2852 d:\w7rtm\base\ntsetup\opktools\dism\providers\wimprovider\dll\wimmanager.cpp:999 - CWimManager::InternalOpMount(hr:0x80070714)
    2015-03-03 15:29:27, Error                 DISM   DISM WIM Provider: PID=2852 d:\w7rtm\base\ntsetup\opktools\dism\providers\wimprovider\dll\wimmanager.cpp:2247 - CWimManager::InternalCmdMount(hr:0x80070714)
    2015-03-03 15:29:27, Error                 DISM   DISM WIM Provider: PID=2852 Error executing command - CWimManager::InternalExecuteCmd(hr:0x80070714)
    2015-03-03 15:29:27, Error                 DISM   DISM WIM Provider: PID=2852 d:\w7rtm\base\ntsetup\opktools\dism\providers\wimprovider\dll\wimmanager.cpp:516 - CWimManager::ExecuteCmdLine(hr:0x80070714)
    2015-03-03 15:29:27, Error                 DISM   DISM.EXE: WimManager processed the command line but failed. HRESULT=80070714

    Hello JPNhingy,
    How do you capture the .wim file?
    About the question: Can you use 2008 standard to deploy Windows 7 at all? The answer is: Yes, you can use Windows Server 2008 to deploy Windows 7.
    You could create a capture image in WDS; for more information, please take a look at the following article.
    http://social.technet.microsoft.com/wiki/contents/articles/11680.creating-a-capture-image-in-wds.aspx
    Additionally, you could use sysprep to generalize the install image.
    https://technet.microsoft.com/en-us/windows/preparing-an-image-using-sysprep-and-imagex.aspx
    Best regards,
    Fangzhou CHEN
    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected]

  • Change scope / Multiscope option regarding Server 2008 R2 with TMG 2010 PPTP Site-to-Site VPN.

    Hey guys,
    I've been looking through the forum for some answers regarding the next setup:
    Host with 2 VMs: DC and TMG
    Internal range is 192.168.100.x/24
    Host02 with 2 VMs: DC02 and TMG02
    Internal range is 192.168.200.x/24
    Now I'm looking to expand DC02 as that is my DHCP. (TMG is the Gateway)
    However, there is a site-to-site between both TMG servers.
    What is best practice in this situation and how should I go about this..?
    Any thoughts upon this?
    With kind regards, René de Meijer. MIEGroup.

    Hi,
    To serve the clients in the subnet that doesn't have a DHCP server, we need to add a DHCP relay agent in this subnet.
    To enable the DHCP relay agent, we need to install RRAS. For the detailed steps, please refer to the link below:
    Configure the IPv4 DHCP Relay Agent
    https://technet.microsoft.com/en-us/library/dd469685.aspx
    Besides, since we have installed the TMG server, a few more configuration steps are needed to allow the DHCP traffic.
    Here is a related article; it may be helpful:
    https://technet.microsoft.com/en-us/library/cc302680.aspx
    Best Regards.
    Steven Lee Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Support, contact [email protected]

  • FTP logon issues on IIS 7 using Windows Server 2008 R2

    Hi, I'm currently experiencing issues when trying to log on to an FTP server I created using Windows Server 2008 R2.
    The FTP web site has enabled both Anonymous and Basic Authentication.
    On the Authorization Rules it has enabled Allow All Users and Anonymous Users with read permissions, and the local administrator with read and write.
    Whenever I try to log on, either via IE or Command Prompt, when asked for credentials, I get logon failures, either with anonymous or a username that has access permissions to the FTP root folder.
    I tried changing the FTP application pool identity to Network Service, but still get the same error. I also have tried testing the connection from the basic settings section of the FTP Site, and when I test it using Application User (use pass-through authentication) I get an error that says: "IIS Manager cannot verify whether the builtin account has access". If I instead use a username and password, the test passes OK; however, using this account to try to enter the FTP site I get a logon failure, even when the account I'm using is a local admin account.
    The Server is part of an AD Domain.
    I have read a few blogs and forums about problems with FTP validation but nothing related exactly to my issue.
    Any ideas are deeply appreciated.
    Thanks
    Eduardo Rojas

    Hi, I would tend to ask on the IIS forum (iis.net), as you might get more attention and help there.
    For your issue, I would tend to think that you need to set the correct security on the FTP's home folder, but again it's only advice, as I am not an IIS guru.
    Regards, Philippe
    Don't forget to mark as answer or vote as helpful to help identify good information. (LinkedIn endorsement never hurt too :o))
    Answer an interesting question? Create a wiki article about it!

  • Free Ebook: Introducing Microsoft SQL Server 2008

    Hello,
    I am about to start studying for the upgrade to SQL Server 2008 exam 70-453. I completed my MCITP SQL Server 2005 cert last year.
    I have read a few forums on the topic, and some have suggested reading the free ebook entitled "Introducing Microsoft SQL Server 2008" (not to be confused with "Introducing Microsoft SQL Server 2008 R2").
    Microsoft and other sites link the book here:
    http://csna01.libredigital.com/?urss1q2we6
    I cannot access this link without receiving errors (possibly firewall related).
    I have successfully found the 2008 (R2) free ebook; however, I need the 2008 book to read for the 70-453 exam.
    Could somebody please either send me the .pdf file (I will provide email) or send me a link that works?
    Alternatively, will the R2 book suffice for my 70-453 studies? Are there SQL 2008 features that are not repeated in the writings of the R2 book?
    Thanks,
    Any other tips for exam 70-453 are welcomed.

    The book is linked here:
    http://www.computerbooksonline.com/n2tech/index.php/free-ebook-offer-introducing-microsoft-sql-server-2008
    But if you follow the link, which points to
    http://go.microsoft.com/fwlink/?LinkId=189147, it actually downloads the R2 version instead of the original book depicted on that page. I suspect that the original book has been superseded, and the free download only applies to the latest version.
    I have taken a look at the book, and it seems to concentrate on "what's new in the R2 version", so I'm afraid that it won't be terribly useful for your goal of preparing 70-453.
    I suggest that you consider the Self-Paced Training Kit for 70-432, which should cover the knowledge that you require for the TS part of the 70-453 upgrade exam:
    http://www.microsoft.com/learning/en/us/Book.aspx?ID=12858&locale=en-us

  • Dymo Labelwriter printers not working via Mac Remote Desktop connection into Windows Server 2008

    I'm having a really hard time getting Dymo labelwriters (models 335 turbo and 450 turbo) to work over a remote desktop connection and I'd appreciate any help you can offer.
    To briefly describe the situation, I'm working for a Doctor's office, moving their IT from a remotely-hosted environment where employees connect to their Windows Server 2008 virtual machines (hosted off-site) via Windows 7 machines through Microsoft's remote
    desktop software.
    The new setup will have new servers running in-house instead of remotely and will be based on Apple's Mac Mini machines running Windows 7 for some tasks through Parallels virtualization
    software running directly on each employee's Mac Mini.
    We have 3 of the Dymo 450 Turbo products and one 330 Turbo, each connected directly to a Mac Mini.
    Here's the problem: I have Microsoft's Remote Desktop software running on the Macs natively, connected to each employee's virtual machine on the remote server for now, until the time comes to make the switch to using the new in-house server. The remote desktop
    software works fine - employees are able to connect successfully and access their desktops fine. I have the "Forward Printing Devices" option checked in the Microsoft Remote Desktop app so that the hosted virtual desktops can see the local labelwriters.
    However, the Dymo Label software running on the remote server will not recognize that a labelwriter is present.
    If I go to the Printers and Devices window on the remote server, the labelwriter shows up fine, named "dymo labelwriter 450 turbo (redirected 10)" however running the Dymo Label software gives an error, "Dymo label says no printer connected:
    dymo label printer requires a dymo label printer be installed and connected ..."
    To try and narrow down the cause of the problem, on the same Mac, I ran Windows 7 via Parallels and set up a new remote desktop connection within that Windows VM. Just to be clear, instead of using the RDC software running in the Mac OS, this new connection
    is using a Windows virtual machine running on the same Mac, with the RDC being established from within that Windows VM. Again, I forward printing devices and the labelwriter shows up in Printers and Devices on the remote server as "dymo labelwriter 450
    turbo (redirected 10)" This time, the Dymo Label software recognizes the attached labelwriter and runs fine.
    I'd appreciate any advice you can give on why, as far as the remote server is concerned, a forwarded labelwriter from Microsoft remote desktop running natively on a Mac isn't recognized
    but it is if forwarded from within Windows, bearing in mind that the labelwriter shows up on the remote server in both instances and is called the same name in devices and printers.
    Sorry for the long-winded question. I hope you can help me.

    Hi,
    Thank you for posting in Windows Server Forum.
    Firstly, please check whether you have a driver for your printer that works with the Mac MRD. Also I would like you to check with the updated MRD version 8.0.9 for Mac OS X.
    https://itunes.apple.com/in/app/microsoft-remote-desktop/id715768417?mt=12
    Because, as you have commented, it can work with Windows RDP, please also try to contact Dymo Labelwriter printer support and inquire regarding the issue.
    Hope it helps!
    Thanks.
    Dharmesh Solanki
    TechNet Community Support

  • Windows itunes 10.7 update break itunes (windows server 2008 x64) older version of itunes works fine

    Hi!
    I just updated iTunes to 10.7 on my (Windows Server 2008 R2) PC.
    After the update it stops working...
    iTunes just closes when trying to start.
    I did try repairing the installation but the status is the same.
    The old version was working fine; how can I fix this?

    Windows Event Log error message:
    Faulting application name: iTunes.exe, version: 10.7.0.21, time stamp: 0x504d85d9
    Faulting module name: KERNELBASE.dll, version: 6.1.7601.17651, time stamp: 0x4e211319
    Exception code: 0xe06d7363
    Fault offset: 0x0000b9bc
    Faulting process id: 0x7f0
    Faulting application start time: 0x01cd9776417ddf4b
    Faulting application path: C:\Program Files (x86)\iTunes\iTunes.exe
    Faulting module path: C:\Windows\syswow64\KERNELBASE.dll
    Report Id: 97b52139-0369-11e2-83a8-6c626d917f87

  • Installing KB3013455 breaks font rendering on Server 2008 x32

    Hi
    It appears that after installing KB3013455 none of my fonts render properly anymore.
    It causes font display/smoothing/substitution corruption in all applications - I first noticed it in several different browsers, but then just went to Control Panel -> Fonts and confirmed that all fonts (checked a dozen) including Arial and Times New
    Roman are affected.
    Essentially the small fonts (8-20pt) that normally result in a one-pixel line (think of lowercase "b" or "t" or "d") would now be a random mess between 1 and 2 pixels. Turning on "Clear Type" or font smoothing does
    "smooth" the garbage and it doesn't look as awful but that doesn't make the text any more readable.
    Actually "font smoothing" didn't quite work as it did not affect the small fonts (which were the affected ones) - only Clear Type smoothed them.
    Also, all fonts appeared much smaller - a 16pt font appeared as big as 8pt, and I might be off with the scale but definitely much smaller.
    While researching the issue I found that a similar one happened some time ago - the picture posted there also matches somewhat the symptoms I saw:
    http://askubuntu.com/questions/520044/unreadable-font-on-gmail-since-recent-updates-in-chromium
    Also, the issue seems to apply to XP, Server 2003, Vista and other versions as per
    http://www.dslreports.com/forum/r29852995-
    I noticed this on a Server 2008, x32, with font smoothing and Clear Type turned off, normal font size (96dpi).
    The question:
    https://support.microsoft.com/kb/3013455 appears to be an important update so I'd appreciate any insights as to what other steps can we take.
    Thanks
    p.s. I forgot to take screenshots before I uninstalled the update. I'm not sure if you need one - I'd prefer to skip the pain of installing it and rebooting just for the sake of taking a screenshot (and then removing it again and rebooting again), but if
    that's a must let me know.

    I've done some more testing - Win7 (both x32 and x64) seems to be unaffected.
    Vista/2008/2003 (tested 32bit only) are all affected.
    Here are some screenshots - before: [screenshot] and after: [screenshot]

  • Windows Server 2008 R2 Standard "Certificate Authority Service" / Exchange Server 2010 EMC not starting and no AD connectivity for authentication.

    Hello,
    I am a new IT Manager at this company and need assistance big time. Their environment looks as follows:
    Server 1. Domain Controller Server (Windows Server 2008 R2 Standard) running active directory.
    Server 2. Email Server (Windows Server 2008 R2 Standard) running Exchange Server 2010 .
    * Note. No backups to work with aside from what's mentioned below.
    DC had a virus infection causing a lot of issues on the shared network drives 2 days ago, locking up all the files with a crypto ransom virus. Running Avast suppressed the infection. Had to recover the file shares, which luckily had a backup.
    The issue is that the Exchange Server 2 post this lost connectivity with the AD Server 1. Exchange Server 2 when launching EMC could not launch the console stating the following:
    "No Exchange servers are available in any Active Directory sites. You can’t connect to remote
    Powershell on a computer that only has the Management Tools role installed."
    Shortly after, I found that it is possible the EMC launcher was corrupt and needed to be reinstalled, following another blog post. I deleted the exchange management console.msc per instructions only to discover I couldn't relaunch it because there was no way how. So I copied another .msc file that happened to be on the DC Server 1 back to Exchange Server 2 and got it to launch again.
    Another post said that it might be an issue with the Domain Account for the Computer, so to delete it in the AD Server 1, only to find that rejoining it from Exchange Server 2 using Computer > Properties > Change Settings > Change is greyed out because it is using the Certificate Authority Service.
    I tried manually re-adding the computer in AD and modeling permissions after another server in group settings but no go. After this I was unable to login to the Exchange Server 2 with domain accounts but only local admin, receiving the following Alert:
    "The Trust Relationship between this workstation and primary domain failed."
    I tried running the PowerShell tools on Exchange Server 2 to rejoin and to reset passwords for domain accounts as noted in some other blogs but no luck, as Server 2 could not make the connection with Server 1, or other errors it kept spitting out.
    I also during the investigation found the DNS settings were all altered on both the Server 1 and Server 2 which I luckily was able to change back to original because of inventorying it in the beginning when I started. 
    I need help figuring out if I need to rejoin the Exchange Server 2 manually by disabling the Certificate Authority Service (or removing the CA as listed here:
    https://social.technet.microsoft.com/Forums/exchange/en-US/fb23deab-0a12-410d-946c-517d5aea7fae/windows-server-2008-r2-with-certificate-authority-service-to-rejoin-domain?forum=winserversecurity
    and getting exchange server to launch again. (Mind you I am relatively fresh to server managing) Please help E-Mail has been down for a whole day now!
    Marty

    I recommend that you open a ticket with Microsoft Support before you break things more.
    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

  • SQL Server 2008 KB2977321 Failed with Error code 1642

    As part of application of security patches via windows update, sql server KB2977321 was applied along with a number of OS security patches. 
    Prior to applying the patches, I stopped the agent, engine, reporting, analysis and full text services.
    The Sql server build prior to windows update was (for both instances):
    ProductVersion   ProductLevel   Edition
    10.0.5500.0      SP3            Standard Edition (64-bit)
    After the update process, my main instance is showing (the second instance is not in use yet and I have left it in its stopped state)
    Microsoft SQL Server 2008 (SP3) - 10.0.5520.0 (X64)
    Jul 11 2014 16:11:50
    Copyright (c) 1988-2008 Microsoft Corporation
    Standard Edition (64-bit) on Windows NT 6.1 <X64> (Build 7601: Service Pack 1) (VM)
    In the Administrative Logs after the OS patches were applied (and all were reported as successful by windows update), I found the following errors listed:
    Log Name:      Application
    Source:        MsiInstaller
    Date:          11/18/2014 7:16:45 PM
    Event ID:      1024
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          SYSTEM
    Computer:      SJCDB3.intranet.co.st-johns.fl.us
    Description:
    Product: Microsoft SQL Server 2008 Database Engine Services - Update '{9145CF54-462E-4A28-8FB5-A44C93AD3716}' could not be installed. Error code 1642. Windows Installer can create logs to help troubleshoot
    issues with installing software packages. Use the following link for instructions on turning on logging support: http://go.microsoft.com/fwlink/?LinkId=23127
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
    <Provider Name="MsiInstaller" />
    <EventID Qualifiers="0">1024</EventID>
    <Level>2</Level>
    <Task>0</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2014-11-19T00:16:45.000000000Z" />
    <EventRecordID>1764186</EventRecordID>
    <Channel>Application</Channel>
    <Computer>SJCDB3.intranet.co.st-johns.fl.us</Computer>
    <Security UserID="S-1-5-18" />
      </System>
      <EventData>
    <Data>Microsoft SQL Server 2008 Database Engine Services</Data>
    <Data>{9145CF54-462E-4A28-8FB5-A44C93AD3716}</Data>
    <Data>1642</Data>
    <Data>(NULL)</Data>
    <Data>(NULL)</Data>
    <Data>(NULL)</Data>
    <Data>
    </Data>
    <Binary>7B38373544383436332D313135422D343444322D414432352D3731454337453833423843437D207B39313435434635342D343632452D344132382D384642352D4134344339334144333731367D2031363432</Binary>
      </EventData>
    </Event>
    In the C:\Program Files\Microsoft SQL Server\100\Setup Bootstrap\Log\20141118_191448\Detail.txt file I found the following around the time the error was reported
    2014-11-18 19:16:30 Slp: Baseline Package Id sql_engine_core_inst_Cpu64 - The highest patch version is 10.3.5500.0
    2014-11-18 19:16:30 Slp: Patch Id KB2977321_sql_engine_core_inst_Cpu64 - NotInstalled on the baseline msi package sql_engine_core_inst_Cpu64. Detail description of this patch package is: PatchId=KB2977321_sql_engine_core_inst_Cpu64 PatchVersion=10.3.5520.0 BaselinePackageId=sql_engine_core_inst_Cpu64 BaselineVersion=10.3.5500.0; PatchFileName=sql_engine_core_inst.msp PatchCode={9145CF54-462E-4A28-8FB5-A44C93AD3716}
    2014-11-18 19:16:30 Slp: Patch Id: KB2977321_sql_engine_core_inst_Cpu32 - The baseline msi is not installed. The patch package is ignored.
    2014-11-18 19:16:30 Slp: Patch Id: KB2977321_sql_engine_core_inst_Cpu32 - Detail description of this patch package is: PatchId=KB2977321_sql_engine_core_inst_Cpu32 PatchVersion=10.3.5520.0 BaselinePackageId=sql_engine_core_inst_Cpu32 BaselineVersion=10.3.5500.0; PatchFileName=sql_engine_core_inst.msp PatchCode={9145CF54-462E-4A28-8FB5-A44C93AD3716}
    2014-11-18 19:16:30 Slp: Baseline Package Id sql_rs_Cpu64 - The highest patch version is 10.3.5500.0
    2014-11-18 19:16:30 Slp: Patch Id KB2977321_sql_rs_Cpu64 - NotInstalled on the baseline msi package sql_rs_Cpu64. Detail description of this patch package is: PatchId=KB2977321_sql_rs_Cpu64 PatchVersion=10.3.5520.0 BaselinePackageId=sql_rs_Cpu64 BaselineVersion=10.3.5500.0; PatchFileName=sql_rs.msp PatchCode={2296F7DD-2D3D-4802-B61A-AE7460EFB767}
    2014-11-18 19:16:30 Slp: Patch Id: KB2977321_sql_rs_Cpu32 - The baseline msi is not installed. The patch package is ignored.
    2014-11-18 19:16:30 Slp: Patch Id: KB2977321_sql_rs_Cpu32 - Detail description of this patch package is: PatchId=KB2977321_sql_rs_Cpu32 PatchVersion=10.3.5520.0 BaselinePackageId=sql_rs_Cpu32 BaselineVersion=10.3.5500.0; PatchFileName=sql_rs.msp PatchCode={2296F7DD-2D3D-4802-B61A-AE7460EFB767}
    2014-11-18 19:16:30 Slp: Baseline Package Id sql_is_Cpu64 - The highest patch version is 10.3.5500.0
    2014-11-18 19:16:30 Slp: Patch Id KB2977321_sql_is_Cpu64 - NotInstalled on the baseline msi package sql_is_Cpu64. Detail description of this patch package is: PatchId=KB2977321_sql_is_Cpu64 PatchVersion=10.3.5520.0 BaselinePackageId=sql_is_Cpu64 BaselineVersion=10.3.5500.0; PatchFileName=sql_is.msp PatchCode={E870296C-24CC-4D82-BB59-CD136692E2BD}
    2014-11-18 19:16:30 Slp: Baseline Package Id sql_bids_Cpu64 - The highest patch version is 10.3.5500.0
    2014-11-18 19:16:30 Slp: Patch Id KB2977321_sql_bids_Cpu64 - NotInstalled on the baseline msi package sql_bids_Cpu64. Detail description of this patch package is: PatchId=KB2977321_sql_bids_Cpu64 PatchVersion=10.3.5520.0 BaselinePackageId=sql_bids_Cpu64 BaselineVersion=10.3.5500.0; PatchFileName=sql_bids.msp PatchCode={EA407FA6-C2D1-4D3D-9227-B9E06DDDEFD0}
    2014-11-18 19:16:30 Slp: Baseline Package Id sql_ssms_Cpu64 - The highest patch version is 10.3.5500.0
    2014-11-18 19:16:30 Slp: Patch Id KB2977321_sql_ssms_Cpu64 - NotInstalled on the baseline msi package sql_ssms_Cpu64. Detail description of this patch package is: PatchId=KB2977321_sql_ssms_Cpu64 PatchVersion=10.3.5520.0 BaselinePackageId=sql_ssms_Cpu64 BaselineVersion=10.3.5500.0; PatchFileName=sql_ssms.msp PatchCode={8A81B870-E8F0-415D-AC80-13BEAA3EC8C8}
    2014-11-18 19:16:30 Slp: Baseline Package Id: sql_common_core_Cpu64 - No patches are found by SQL Discovery on the installed package whose ProductCode is {5340A3B5-3853-4745-BED2-DD9FF5371331}
    2014-11-18 19:16:30 Slp: Patch Id KB2977321_sql_common_core_Cpu64 - NotInstalled on the baseline msi package sql_common_core_Cpu64. Detail description of this patch package is: PatchId=KB2977321_sql_common_core_Cpu64 PatchVersion=10.3.5520.0 BaselinePackageId=sql_common_core_Cpu64 BaselineVersion=10.3.5500.0; PatchFileName=sql_common_core.msp PatchCode={CF023E0F-3A19-4DBF-BCA3-0F664B447EDB}
    The instance came up successfully and seems to be operating normally. Was there an error or was the KB installed correctly as the result of the windows update process indicated? 
    Is there a way I can verify this? 

    I did some research on this particular KB article and it seems to be related to Master Data Services which I am not using.  The KB was pushed automatically and I am not sure that it was a required update in our situation. I'd like to understand exactly
    what caused the error message before initiating a repair as this is a production and not a test environment.  Everything appears to be functioning properly and I have received direction from Microsoft in the past that information in some logs identified
    as level 'error' are in fact to be ignored.  I checked the windows update and this KB shows 'Successful' rather than failed or cancelled.
    I would also like more information on why SQL Server services should not be stopped prior to allowing the OS patches to be applied. I have received messages in the past that stopping the services before service packs are applied
    prevents the need for a reboot of the machine. I've never heard before that it is a best practice not to stop the SQL service prior to applying patches. Once the services are stopped, I have our infrastructure admin start a VM snapshot on
    the machine, then kick off the Windows Update process. When done, I reboot the machine, test out SQL Server processes, and then, if all goes well, give the OK to release the VM snapshot. I've supported various databases for 12 years, SQL Server for 5
    years, and this is the first time I've heard stopping the service manually can cause problems. If that is the case, I will certainly change how I do things....
    I did run the discovery report and the results follow:
    Microsoft SQL Server 2008 Setup Discovery Report
    Product          Instance     Instance ID          Feature                               Language  Edition           Version      Clustered
    Sql Server 2008  MSSQLSERVER  MSSQL10.MSSQLSERVER  Database Engine Services              1033      Standard Edition  10.3.5520.0  No
    Sql Server 2008  MSSQLSERVER  MSSQL10.MSSQLSERVER  SQL Server Replication                1033      Standard Edition  10.3.5520.0  No
    Sql Server 2008  MSSQLSERVER  MSSQL10.MSSQLSERVER  Full-Text Search                      1033      Standard Edition  10.3.5500.0  No
    Sql Server 2008  MSSQLSERVER  MSAS10.MSSQLSERVER   Analysis Services                     1033      Standard Edition  10.3.5500.0  No
    Sql Server 2008  MSSQLSERVER  MSRS10.MSSQLSERVER   Reporting Services                    1033      Standard Edition  10.3.5520.0  No
    Sql Server 2008  EVAULT       MSSQL10.EVAULT       Database Engine Services              1033      Standard Edition  10.3.5520.0  No
    Sql Server 2008                                    Management Tools - Basic              1033      Standard Edition  10.3.5520.0  No
    Sql Server 2008                                    Management Tools - Complete           1033      Standard Edition  10.3.5500.0  No
    Sql Server 2008                                    Client Tools Connectivity             1033      Standard Edition  10.3.5500.0  No
    Sql Server 2008                                    Client Tools Backwards Compatibility  1033      Standard Edition  10.3.5500.0  No
    Sql Server 2008                                    Client Tools SDK                      1033      Standard Edition  10.3.5500.0  No
    Sql Server 2008                                    Integration Services                  1033      Standard Edition  10.3.5520.0  No
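    An added example for this thread (it is not part of the post and not a Microsoft tool): the event's Binary field is hex-encoded ASCII, and in this record it decodes to a product code, the patch code quoted in the Description, and the Windows Installer return code (1642 is ERROR_PATCH_TARGET_NOT_FOUND in winerror.h, "the upgrade patch updates a different version of the program"). The script below decodes that field and then matches the patch code against the Detail.txt discovery lines from the post, which show the same sql_engine_core_inst.msp listed against both the Cpu64 baseline (present) and the Cpu32 baseline (not installed, "ignored"). The log strings are copied from the post; the regular expressions are assumptions about the log layout, not a documented format. Which product {875D8463-…} names is not visible in the post; MSI product codes can be looked up as subkeys under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall (and WOW6432Node for 32-bit products on x64).

```python
"""Decode an MsiInstaller event 1024 Binary field and tie the patch code to
the SQL Server setup Detail.txt discovery lines.

Added example for this thread; not part of the original post and not a
Microsoft tool. Inputs are copied from the post; the parsing rules are
assumptions about the log layout.
"""
import re

# <Binary> element of the posted event, hex-encoded ASCII.
EVENT_BINARY_HEX = (
    "7B38373544383436332D313135422D343444322D414432352D3731454337453833423843437D"
    "207B39313435434635342D343632452D344132382D384642352D4134344339334144333731367D"
    "2031363432"
)

# Detail.txt lines from the post (sample, copied as posted).
DETAIL_TXT = """\
2014-11-18 19:16:30 Slp: Patch Id KB2977321_sql_engine_core_inst_Cpu64 - NotInstalled on the baseline msi package sql_engine_core_inst_Cpu64. Detail description of this patch package is: PatchId=KB2977321_sql_engine_core_inst_Cpu64 PatchVersion=10.3.5520.0 BaselinePackageId=sql_engine_core_inst_Cpu64 BaselineVersion=10.3.5500.0; PatchFileName=sql_engine_core_inst.msp PatchCode={9145CF54-462E-4A28-8FB5-A44C93AD3716}
2014-11-18 19:16:30 Slp: Patch Id: KB2977321_sql_engine_core_inst_Cpu32 - The baseline msi is not installed. The patch package is ignored.
2014-11-18 19:16:30 Slp: Patch Id: KB2977321_sql_engine_core_inst_Cpu32 - Detail description of this patch package is: PatchId=KB2977321_sql_engine_core_inst_Cpu32 PatchVersion=10.3.5520.0 BaselinePackageId=sql_engine_core_inst_Cpu32 BaselineVersion=10.3.5500.0; PatchFileName=sql_engine_core_inst.msp PatchCode={9145CF54-462E-4A28-8FB5-A44C93AD3716}
2014-11-18 19:16:30 Slp: Patch Id KB2977321_sql_rs_Cpu64 - NotInstalled on the baseline msi package sql_rs_Cpu64. Detail description of this patch package is: PatchId=KB2977321_sql_rs_Cpu64 PatchVersion=10.3.5520.0 BaselinePackageId=sql_rs_Cpu64 BaselineVersion=10.3.5500.0; PatchFileName=sql_rs.msp PatchCode={2296F7DD-2D3D-4802-B61A-AE7460EFB767}
"""

# Windows Installer return codes relevant to patching (winerror.h).
MSI_RESULT = {
    0: "ERROR_SUCCESS",
    1642: "ERROR_PATCH_TARGET_NOT_FOUND",
    3010: "ERROR_SUCCESS_REBOOT_REQUIRED",
}

GUID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"


def decode_event_binary(hex_blob):
    """Binary field layout seen in the post: '<ProductCode> <PatchCode> <result>'."""
    text = bytes.fromhex(hex_blob).decode("ascii")
    m = re.fullmatch(rf"({GUID}) ({GUID}) (\d+)", text)
    if not m:
        raise ValueError("unexpected Binary layout: %r" % text)
    code = int(m.group(3))
    return {"product_code": m.group(1), "patch_code": m.group(2),
            "result": code, "result_name": MSI_RESULT.get(code, "unknown")}


def parse_detail_txt(text):
    """Map PatchId -> details; a preceding 'baseline msi is not installed'
    line marks that PatchId's baseline as absent."""
    patches, ignored = {}, set()
    for line in text.splitlines():
        m = re.search(r"Patch Id:? (\S+) - The baseline msi is not installed", line)
        if m:
            ignored.add(m.group(1))
            continue
        m = re.search(r"PatchId=(\S+) PatchVersion=(\S+) BaselinePackageId=(\S+) "
                      r"BaselineVersion=(\S+); PatchFileName=(\S+) PatchCode=(" + GUID + ")",
                      line)
        if m:
            pid = m.group(1)
            patches[pid] = {"patch_version": m.group(2), "baseline": m.group(3),
                            "baseline_version": m.group(4), "msp": m.group(5),
                            "patch_code": m.group(6),
                            "baseline_installed": pid not in ignored}
    return patches


def explain_failure(hex_blob, detail_text):
    """Return the decoded event and every discovery entry sharing its patch code."""
    ev = decode_event_binary(hex_blob)
    targets = [(pid, p) for pid, p in parse_detail_txt(detail_text).items()
               if p["patch_code"].upper() == ev["patch_code"].upper()]
    return ev, targets


if __name__ == "__main__":
    ev, targets = explain_failure(EVENT_BINARY_HEX, DETAIL_TXT)
    print("product %(product_code)s patch %(patch_code)s -> %(result)d %(result_name)s" % ev)
    for pid, p in targets:
        print("  %s: baseline %s (%s) installed=%s" % (
            pid, p["baseline"], p["baseline_version"], p["baseline_installed"]))
```

    Run it as-is to see the decoded record; to apply it to another 1024 event, paste that event's Binary element into EVENT_BINARY_HEX and the matching Detail.txt lines into DETAIL_TXT. A 1642 against a patch code whose only missing baseline is the Cpu32 package is consistent with the Cpu64 engine having been patched (the discovery report lists it at 10.3.5520.0), but the product code in the event is what settles which MSI transaction failed.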

  • Oracle 11.2.0.3 on Windows Server 2008 R2 64-bit

    Good night Oracle community,
    I'm having problems on using Oracle 11.2.0.3 on Windows Server 2008 R2 64-bit that runs inside a virtual machine.
    The first problem was the error ORA-12152 (unable to send break message) when using a 32-bit server version while trying to connect via SQL*Plus using the domain administrator user. I did reboot, tnsping, checked parameters and Oracle Support articles, but none of them helped me. So I uninstalled it and installed the 64-bit version, and it wasn't possible to run applications like netca.
    Now I installed it on a local profile version 32-bit to see if the problem was related to the domain.
    My question is simple: is this environment ok to run a production database server? 11.2.0.3 is that stable with Windows 2008?
    Thank you very much!

    Oracle Database 11.2.0.3.0 is certified on Microsoft Windows (32-bit) 2008.
    Error: ORA-12152
    Text: TNS:unable to send break message
    Cause: Unable to send break message. Connection probably disconnected.
    Action: Re-establish connection. If the error is persistent, turn on tracing and re-execute the operation.
    Refer to MOS: ORA-12152 "Unable To Send Break Message" on Connection [ID 363638.1]

  • SChannel Fails Authentication on Windows Server 2008 R2 Using TLS1

    I am trying to use SChannel to secure a socket connection. I modified the example at
    https://msdn.microsoft.com/en-us/library/windows/desktop/aa380537(v=vs.85).aspx, converting it from Negotiate to SChannel.  Following the specs for the SSPI APIs I was able to get a Client & Server connection authenticated on Windows 7. 
    However, when I try running the same programs on Windows Server 2008 R2, either the Client side or Server side fails, depending on how I select the security protocol.
    Here is the modified example code, details about my results follow the code.
    Client.cpp
    // Client-side program to establish an SSPI (Schannel) socket connection
    // with a server and exchange messages.
    // Braces lost in the paste have been restored. Helper prototypes, the
    // LOGA/__log_buf logging macro, BIG_BUFF, MAXMESSAGE, TEST_MSG, g_usPort
    // and MessageAttribute come from the project's SspiExample.h / StdAfx.h.
    #include "StdAfx.h"
    #ifndef SECURITY_WIN32
    #define SECURITY_WIN32
    #endif
    #include <windows.h>
    #include <winsock.h>
    #include <security.h>
    #include <schannel.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include "SspiExample.h"
    #include <string>
    #include <iostream>

    CredHandle g_hCred;
    SecHandle g_hCtext;

    #define SSPI_CLIENT "SChannelClient:" __FUNCTION__

    int main(int argc, char * argv[])
    {
        SOCKET Client_Socket;
        BYTE Data[BIG_BUFF];
        PCHAR pMessage;
        WSADATA wsaData;
        SECURITY_STATUS ss;
        DWORD cbRead;
        ULONG cbHeader;
        ULONG cbMaxMessage;
        ULONG cbTrailer;
        SecPkgContext_StreamSizes SecPkgSizes;
        SecPkgContext_PackageInfo SecPkgPkgInfo;
        SecPkgContext_ConnectionInfo ConnectionInfo;
        BOOL DoAuthentication (SOCKET s, WCHAR * pCertName);
        char Server[512] = {0};
        WCHAR CertName[512] = {0};

        // Validate cmd line parameters
        if ( argc != 3 )
        {
            LOGA ( ( __log_buf, SSPI_CLIENT " required parameters ServerName & CertName not entered.\n"));
            LOGA ( ( __log_buf, SSPI_CLIENT " Abort and start over with required parameters.\n"));
            std::cin.get();
            return EXIT_FAILURE;
        }

        // argv[1] - ServerName - the name of the computer running the server sample.
        // argv[2] - TargetName - the common name of the certificate provided
        //           by the target server program.
        // Bounded copies: the original memcpy/strlen could overrun the 512-byte buffers.
        strncpy_s(Server, sizeof(Server), argv[1], _TRUNCATE);
        size_t sizCN;
        mbstowcs_s(&sizCN, CertName, _countof(CertName), argv[2], _TRUNCATE);
        LOGA ( ( __log_buf, SSPI_CLIENT " input parameters - ServerName %s CertName %ls.\n", Server, CertName ));

        // Initialize the socket and the SSP security package.
        if(WSAStartup (0x0101, &wsaData))
        {
            MyHandleError( __FUNCTION__ " Could not initialize winsock ");
        }

        // Connect to a server.
        SecInvalidateHandle( &g_hCtext );
        if (!ConnectAuthSocket (&Client_Socket, &g_hCred, &g_hCtext, Server, CertName))
        {
            MyHandleError( __FUNCTION__ " Authenticated server connection ");
        }
        LOGA ( ( __log_buf, SSPI_CLIENT " connection authenticated.\n"));

        // An authenticated session with a server has been established.
        // Receive and manage a message from the server.
        // First, find and display the name of the SSP,
        // the transport protocol supported by the SSP,
        // and the size of the header, maximum message, and
        // trailer blocks for this SSP.
        ss = QueryContextAttributes(&g_hCtext, SECPKG_ATTR_PACKAGE_INFO, &SecPkgPkgInfo);
        if (!SEC_SUCCESS(ss))
        {
            LOGA ( ( __log_buf, SSPI_CLIENT " QueryContextAttributes failed: 0x%08x\n", ss));
            MyHandleError( __FUNCTION__ " QueryContextAttributes failed.\n");
        }
        else
        {
            LOGA ( ( __log_buf, SSPI_CLIENT " Package Name: %ls\n", SecPkgPkgInfo.PackageInfo->Name));
            // Free the allocated buffer.
            FreeContextBuffer(SecPkgPkgInfo.PackageInfo);
        }

        ss = QueryContextAttributes(&g_hCtext, SECPKG_ATTR_STREAM_SIZES, &SecPkgSizes);
        if (!SEC_SUCCESS(ss))
        {
            LOGA ( ( __log_buf, SSPI_CLIENT " QueryContextAttributes failed: 0x%08x\n", ss));
            MyHandleError( __FUNCTION__ " Query context ");
        }
        // Note: cbHeader/cbTrailer are maximums for the negotiated cipher suite,
        // not the exact sizes of any particular record.
        cbHeader = SecPkgSizes.cbHeader;
        cbMaxMessage = SecPkgSizes.cbMaximumMessage;
        cbTrailer = SecPkgSizes.cbTrailer;
        LOGA ( ( __log_buf, SSPI_CLIENT " cbHeader %u, cbMaxMessage %u, cbTrailer %u\n", cbHeader, cbMaxMessage, cbTrailer ));

        ss = QueryContextAttributes(&g_hCtext, SECPKG_ATTR_CONNECTION_INFO, &ConnectionInfo);
        if (!SEC_SUCCESS(ss))
        {
            LOGA ( ( __log_buf, SSPI_CLIENT " QueryContextAttributes failed: 0x%08x\n", ss));
            MyHandleError( __FUNCTION__ " Query context ");
        }
        switch(ConnectionInfo.dwProtocol)
        {
        case SP_PROT_TLS1_CLIENT:
            LOGA ( ( __log_buf, SSPI_CLIENT " Protocol: TLS1\n"));
            break;
        case SP_PROT_SSL3_CLIENT:
            LOGA ( ( __log_buf, SSPI_CLIENT " Protocol: SSL3\n"));
            break;
        case SP_PROT_PCT1_CLIENT:
            LOGA ( ( __log_buf, SSPI_CLIENT " Protocol: PCT\n"));
            break;
        case SP_PROT_SSL2_CLIENT:
            LOGA ( ( __log_buf, SSPI_CLIENT " Protocol: SSL2\n"));
            break;
        default:
            LOGA ( ( __log_buf, SSPI_CLIENT " Unknown Protocol: 0x%x\n", ConnectionInfo.dwProtocol));
            break;
        }
        switch(ConnectionInfo.aiCipher)
        {
        case CALG_RC4:
            LOGA ( ( __log_buf, SSPI_CLIENT " Cipher: RC4\n"));
            break;
        case CALG_3DES:
            LOGA ( ( __log_buf, SSPI_CLIENT " Cipher: Triple DES\n"));
            break;
        case CALG_RC2:
            LOGA ( ( __log_buf, SSPI_CLIENT " Cipher: RC2\n"));
            break;
        case CALG_DES:
        case CALG_CYLINK_MEK:
            LOGA ( ( __log_buf, SSPI_CLIENT " Cipher: DES\n"));
            break;
        case CALG_SKIPJACK:
            LOGA ( ( __log_buf, SSPI_CLIENT " Cipher: Skipjack\n"));
            break;
        case CALG_AES_256:
            LOGA ( ( __log_buf, SSPI_CLIENT " Cipher: AES 256\n"));
            break;
        default:
            LOGA ( ( __log_buf, SSPI_CLIENT " Unknown Cipher: 0x%x\n", ConnectionInfo.aiCipher));
            break;
        }
        LOGA ( ( __log_buf, SSPI_CLIENT " Cipher strength: %d\n", ConnectionInfo.dwCipherStrength));
        switch(ConnectionInfo.aiHash)
        {
        case CALG_MD5:
            LOGA ( ( __log_buf, SSPI_CLIENT " Hash: MD5\n"));
            break;
        case CALG_SHA:
            LOGA ( ( __log_buf, SSPI_CLIENT " Hash: SHA\n"));
            break;
        default:
            LOGA ( ( __log_buf, SSPI_CLIENT " Unknown Hash: 0x%x\n", ConnectionInfo.aiHash));
            break;
        }
        LOGA ( ( __log_buf, SSPI_CLIENT " Hash strength: %d\n", ConnectionInfo.dwHashStrength));
        switch(ConnectionInfo.aiExch)
        {
        case CALG_RSA_KEYX:
        case CALG_RSA_SIGN:
            LOGA ( ( __log_buf, SSPI_CLIENT " Key exchange: RSA\n"));
            break;
        case CALG_KEA_KEYX:
            LOGA ( ( __log_buf, SSPI_CLIENT " Key exchange: KEA\n"));
            break;
        case CALG_DH_EPHEM:
            LOGA ( ( __log_buf, SSPI_CLIENT " Key exchange: DH Ephemeral\n"));
            break;
        default:
            LOGA ( ( __log_buf, SSPI_CLIENT " Unknown Key exchange: 0x%x\n", ConnectionInfo.aiExch));
            break;
        }
        LOGA ( ( __log_buf, SSPI_CLIENT " Key exchange strength: %d\n", ConnectionInfo.dwExchStrength));

        // Receive the encrypted record from the server and decrypt it.
        if (!ReceiveBytes(Client_Socket, Data, BIG_BUFF, &cbRead))
        {
            MyHandleError( __FUNCTION__ " No response from server\n");
        }
        if (0 == cbRead)
        {
            MyHandleError(__FUNCTION__ " Zero bytes received.\n");
        }
        // DecryptThis returns a pointer to the plaintext (the SECBUFFER_DATA
        // buffer produced by DecryptMessage) and updates cbRead to its length.
        // Computing the plaintext as pBuffer + cbHeader with length
        // cbRead - cbHeader - cbTrailer is wrong in general, because the real
        // trailer (MAC plus CBC padding) is usually shorter than cbTrailer.
        pMessage = (PCHAR) DecryptThis(Data, &cbRead, &g_hCtext);
        ULONG cbMessage = cbRead;
        if ((cbMessage == strlen(TEST_MSG)) &&
            !strncmp(pMessage, TEST_MSG, strlen(TEST_MSG)) )
        {
            LOGA ( ( __log_buf, SSPI_CLIENT " SUCCESS!! The message from the server is \n -> %.*s \n",
                cbMessage, pMessage ));
        }
        else
        {
            LOGA ( ( __log_buf, SSPI_CLIENT " UNEXPECTED message from the server: \n -> %.*s \n",
                cbMessage, pMessage ));
            LOGA ( ( __log_buf, SSPI_CLIENT " rcvd msg size %u, exp size %u\n", cbMessage, strlen(TEST_MSG) ));
        }

        // Terminate socket and security package.
        DeleteSecurityContext (&g_hCtext);
        FreeCredentialHandle (&g_hCred);
        shutdown (Client_Socket, 2);
        closesocket (Client_Socket);
        if (SOCKET_ERROR == WSACleanup ())
        {
            MyHandleError( __FUNCTION__ " Problem with socket cleanup ");
        }
        return EXIT_SUCCESS;
    } // end main

    // ConnectAuthSocket establishes an authenticated socket connection
    // with a server and initializes needed security package resources.
    // phCred/phCtext are unused here; DoAuthentication works on the globals.
    BOOL ConnectAuthSocket (
        SOCKET *s,
        CredHandle *phCred,
        PSecHandle phCtext,
        char * pServer,
        WCHAR * pCertName)
    {
        unsigned long ulAddress;
        struct hostent *pHost;
        SOCKADDR_IN sin;

        // Lookup the server's address.
        LOGA ( ( __log_buf, SSPI_CLIENT " entry.\n"));
        ulAddress = inet_addr (pServer);
        if (INADDR_NONE == ulAddress)
        {
            LOGA ( ( __log_buf, SSPI_CLIENT " calling gethostbyname with %s.\n", pServer ));
            pHost = gethostbyname (pServer);
            if (NULL == pHost)
            {
                MyHandleError(__FUNCTION__ " Unable to resolve host name ");
            }
            memcpy((char FAR *)&ulAddress, pHost->h_addr, pHost->h_length);
            std::string ipAddrStr;
            ipAddrStr = inet_ntoa( *(struct in_addr*)*pHost->h_addr_list);
            LOGA ( ( __log_buf, __FUNCTION__ " gethostbyname - ipAddress %s, name %s.\n", ipAddrStr.c_str(), pHost->h_name ) );
        }

        // Create the socket.
        *s = socket (PF_INET, SOCK_STREAM, 0);
        if (INVALID_SOCKET == *s)
        {
            MyHandleError(__FUNCTION__ " Unable to create socket");
        }
        else
        {
            LOGA ( ( __log_buf, SSPI_CLIENT " Socket created.\n"));
        }
        sin.sin_family = AF_INET;
        sin.sin_addr.s_addr = ulAddress;
        sin.sin_port = htons (g_usPort);

        // Connect to the server.
        if (connect (*s, (LPSOCKADDR) &sin, sizeof (sin)))
        {
            closesocket (*s);
            MyHandleError( __FUNCTION__ " Connect failed ");
        }
        LOGA ( ( __log_buf, SSPI_CLIENT " Connection established.\n"));

        // Authenticate the connection.
        if (!DoAuthentication (*s, pCertName))
        {
            closesocket (*s);
            MyHandleError( __FUNCTION__ " Authentication ");
        }
        LOGA ( ( __log_buf, SSPI_CLIENT " success.\n"));
        return(TRUE);
    } // end ConnectAuthSocket

    BOOL DoAuthentication (SOCKET s, WCHAR * pCertName)
    {
        BOOL fDone = FALSE;
        DWORD cbOut = 0;
        DWORD cbIn = 0;
        PBYTE pInBuf;
        PBYTE pOutBuf;

        if(!(pInBuf = (PBYTE) malloc(MAXMESSAGE)))
        {
            MyHandleError( __FUNCTION__ " Memory allocation ");
        }
        if(!(pOutBuf = (PBYTE) malloc(MAXMESSAGE)))
        {
            MyHandleError( __FUNCTION__ " Memory allocation ");
        }

        // First leg: ClientHello, generated with no input token.
        cbOut = MAXMESSAGE;
        LOGA ( ( __log_buf, SSPI_CLIENT " 1st message.\n"));
        if (!GenClientContext (NULL, 0, pOutBuf, &cbOut, &fDone, pCertName, &g_hCred, &g_hCtext))
        {
            LOGA ( ( __log_buf, SSPI_CLIENT " GenClientContext failed\n"));
            free(pInBuf);
            free(pOutBuf);
            return(FALSE);
        }
        if (!SendMsg (s, pOutBuf, cbOut ))
        {
            MyHandleError(__FUNCTION__ " Send message failed ");
        }

        // Handshake loop: feed each server token in, send whatever comes out.
        while (!fDone)
        {
            if (!ReceiveMsg (s, pInBuf, MAXMESSAGE, &cbIn))
            {
                MyHandleError( __FUNCTION__ " Receive message failed ");
            }
            cbOut = MAXMESSAGE;
            LOGA ( ( __log_buf, SSPI_CLIENT " Message loop.\n"));
            if (!GenClientContext (pInBuf, cbIn, pOutBuf, &cbOut, &fDone, pCertName, &g_hCred, &g_hCtext))
            {
                MyHandleError( __FUNCTION__ " GenClientContext failed");
            }
            if (!SendMsg (s, pOutBuf, cbOut))
            {
                MyHandleError( __FUNCTION__ " Send message failed");
            }
            LOGA ( ( __log_buf, SSPI_CLIENT " fDone %s.\n", fDone ? "Yes" : "No" ));
        }

        if (NULL != pInBuf)
        {
            free(pInBuf);
            pInBuf = NULL;
        }
        if (NULL != pOutBuf)
        {
            free(pOutBuf);
            pOutBuf = NULL;
        }
        LOGA ( ( __log_buf, SSPI_CLIENT " exit.\n"));
        return(TRUE);
    } // end DoAuthentication

    BOOL GenClientContext (
        BYTE *pIn,
        DWORD cbIn,
        BYTE *pOut,
        DWORD *pcbOut,
        BOOL *pfDone,
        WCHAR *pCertName,
        CredHandle *phCred,
        struct _SecHandle *phCtext)
    {
        SECURITY_STATUS ss;
        TimeStamp Lifetime;
        SecBufferDesc OutBuffDesc;
        SecBuffer OutSecBuff;
        SecBufferDesc InBuffDesc;
        SecBuffer InSecBuff[2];
        ULONG ContextAttributes;
        static WCHAR lpPackageName[1024];

        if( NULL == pIn )
        {
            // The count argument is in characters, not bytes.
            wcscpy_s(lpPackageName, _countof(lpPackageName), UNISP_NAME);
            // No SCHANNEL_CRED is supplied, so the client side gets the
            // system defaults for protocols and cipher suites.
            ss = AcquireCredentialsHandle (
                NULL,
                lpPackageName,
                SECPKG_CRED_OUTBOUND,
                NULL,
                NULL,
                NULL,
                NULL,
                phCred,
                &Lifetime);
            if (!(SEC_SUCCESS (ss)))
            {
                MyHandleError( __FUNCTION__ " AcquireCreds failed ");
            }
        }

        // Prepare the buffers.
        OutBuffDesc.ulVersion = SECBUFFER_VERSION;
        OutBuffDesc.cBuffers = 1;
        OutBuffDesc.pBuffers = &OutSecBuff;
        OutSecBuff.cbBuffer = *pcbOut;
        OutSecBuff.BufferType = SECBUFFER_TOKEN;
        OutSecBuff.pvBuffer = pOut;

        // The input buffer is created only if a message has been received
        // from the server.
        if (pIn)
        {
            LOGA ( ( __log_buf, SSPI_CLIENT " Call InitializeSecurityContext with pIn supplied.\n"));
            // Schannel takes two input buffers: the token and an empty one it
            // can relabel SECBUFFER_EXTRA if the token holds more than one record.
            InBuffDesc.ulVersion = SECBUFFER_VERSION;
            InBuffDesc.cBuffers = 2;
            InBuffDesc.pBuffers = InSecBuff;
            InSecBuff[0].cbBuffer = cbIn;
            InSecBuff[0].BufferType = SECBUFFER_TOKEN;
            InSecBuff[0].pvBuffer = pIn;
            InSecBuff[1].pvBuffer = NULL;
            InSecBuff[1].cbBuffer = 0;
            InSecBuff[1].BufferType = SECBUFFER_EMPTY;
            ss = InitializeSecurityContext (
                phCred,
                phCtext,
                pCertName,
                MessageAttribute,
                0,
                0,
                &InBuffDesc,
                0,
                phCtext,
                &OutBuffDesc,
                &ContextAttributes,
                &Lifetime);
        }
        else
        {
            LOGA ( ( __log_buf, SSPI_CLIENT " Call InitializeSecurityContext with NULL pIn.\n"));
            ss = InitializeSecurityContext (
                phCred,
                NULL,
                pCertName,
                MessageAttribute,
                0,
                0,
                NULL,
                0,
                phCtext,
                &OutBuffDesc,
                &ContextAttributes,
                &Lifetime);
        }
        if (!SEC_SUCCESS (ss))
        {
            LOGA ( ( __log_buf, SSPI_CLIENT " InitializeSecurityContext failed with error 0x%08x\n", ss));
            MyHandleError ( __FUNCTION__ " InitializeSecurityContext failed " );
        }
        LOGA ( ( __log_buf, SSPI_CLIENT " InitializeSecurityContext returned 0x%08x\n", ss));

        // If necessary, complete the token.
        if ((SEC_I_COMPLETE_NEEDED == ss)
            || (SEC_I_COMPLETE_AND_CONTINUE == ss))
        {
            ss = CompleteAuthToken (phCtext, &OutBuffDesc);
            if (!SEC_SUCCESS(ss))
            {
                LOGA ( ( __log_buf, SSPI_CLIENT " complete failed: 0x%08x\n", ss));
                return FALSE;
            }
        }

        *pcbOut = OutSecBuff.cbBuffer;
        *pfDone = !((SEC_I_CONTINUE_NEEDED == ss) ||
            (SEC_I_COMPLETE_AND_CONTINUE == ss));
        LOGA ( ( __log_buf, SSPI_CLIENT " Token buffer generated (%lu bytes):\n", OutSecBuff.cbBuffer));
        PrintHexDump (OutSecBuff.cbBuffer, (PBYTE)OutSecBuff.pvBuffer);
        return TRUE;
    } // end GenClientContext

    PBYTE DecryptThis(
        PBYTE pBuffer,
        LPDWORD pcbMessage,
        struct _SecHandle *hCtxt)
    {
        SECURITY_STATUS ss;
        SecBufferDesc BuffDesc;
        SecBuffer SecBuff[4];
        ULONG ulQop = 0;
        int i;

        // Schannel expects the complete TLS record in one SECBUFFER_DATA
        // buffer followed by three SECBUFFER_EMPTY buffers. On success it
        // relabels them as STREAM_HEADER, DATA, STREAM_TRAILER and, if more
        // than one record arrived, EXTRA. The plaintext is therefore located
        // by buffer type, not by a fixed header offset.
        LOGA ( ( __log_buf, SSPI_CLIENT " data before decryption including trailer (%lu bytes):\n",
            *pcbMessage));
        PrintHexDump (*pcbMessage, (PBYTE) pBuffer);

        // Prepare the buffers to be passed to the DecryptMessage function.
        BuffDesc.ulVersion = SECBUFFER_VERSION;
        BuffDesc.cBuffers = 4;
        BuffDesc.pBuffers = SecBuff;
        SecBuff[0].cbBuffer = *pcbMessage;
        SecBuff[0].BufferType = SECBUFFER_DATA;
        SecBuff[0].pvBuffer = pBuffer;
        for (i = 1; i < 4; i++)
        {
            SecBuff[i].cbBuffer = 0;
            SecBuff[i].BufferType = SECBUFFER_EMPTY;
            SecBuff[i].pvBuffer = NULL;
        }

        ss = DecryptMessage(hCtxt, &BuffDesc, 0, &ulQop);
        if (!SEC_SUCCESS(ss))
        {
            // SEC_E_INCOMPLETE_MESSAGE means more bytes are needed; with the
            // length-prefixed framing used here a whole record always arrives.
            LOGA ( ( __log_buf, SSPI_CLIENT " DecryptMessage failed with error 0x%08x\n", ss));
            MyHandleError( __FUNCTION__ " DecryptMessage ");
        }
        LOGA ( ( __log_buf, SSPI_CLIENT " DecryptMessage status: 0x%08x\n", ss));

        // Return a pointer to the decrypted data; header and trailer are skipped.
        for (i = 0; i < 4; i++)
        {
            if (SECBUFFER_DATA == SecBuff[i].BufferType)
            {
                *pcbMessage = SecBuff[i].cbBuffer;
                return (PBYTE) SecBuff[i].pvBuffer;
            }
        }
        // No data buffer (for example an empty record): report zero bytes.
        *pcbMessage = 0;
        return pBuffer;
    } // end DecryptThis

    // Left over from the Negotiate sample and not called on the Schannel path:
    // the Schannel package does not implement MakeSignature/VerifySignature.
    PBYTE VerifyThis(
        PBYTE pBuffer,
        LPDWORD pcbMessage,
        struct _SecHandle *hCtxt,
        ULONG cbMaxSignature)
    {
        SECURITY_STATUS ss;
        SecBufferDesc BuffDesc;
        SecBuffer SecBuff[2];
        ULONG ulQop = 0;
        PBYTE pSigBuffer;
        PBYTE pDataBuffer;

        // The global cbMaxSignature is the size of the signature
        // in the message received.
        LOGA ( ( __log_buf, SSPI_CLIENT " data before verifying (including signature):\n"));
        PrintHexDump (*pcbMessage, pBuffer);

        // By agreement with the server,
        // the signature is at the beginning of the message received,
        // and the data that was signed comes after the signature.
        pSigBuffer = pBuffer;
        pDataBuffer = pBuffer + cbMaxSignature;

        // The size of the message is reset to the size of the data only.
        *pcbMessage = *pcbMessage - (cbMaxSignature);

        // Prepare the buffers to be passed to the signature verification
        // function.
        BuffDesc.ulVersion = SECBUFFER_VERSION;
        BuffDesc.cBuffers = 2;
        BuffDesc.pBuffers = SecBuff;
        SecBuff[0].cbBuffer = cbMaxSignature;
        SecBuff[0].BufferType = SECBUFFER_TOKEN;
        SecBuff[0].pvBuffer = pSigBuffer;
        SecBuff[1].cbBuffer = *pcbMessage;
        SecBuff[1].BufferType = SECBUFFER_DATA;
        SecBuff[1].pvBuffer = pDataBuffer;

        ss = VerifySignature(hCtxt, &BuffDesc, 0, &ulQop);
        if (!SEC_SUCCESS(ss))
        {
            LOGA ( ( __log_buf, SSPI_CLIENT " VerifySignature failed with error 0x%08x\n", ss));
        }
        else
        {
            LOGA ( ( __log_buf, SSPI_CLIENT " Message was properly signed.\n"));
        }
        return pDataBuffer;
    } // end VerifyThis

    void PrintHexDump(
        DWORD length,
        PBYTE buffer)
    {
        DWORD i,count,index;
        CHAR rgbDigits[]="0123456789abcdef";
        CHAR rgbLine[100];
        char cbLine;

        for(index = 0; length;
            length -= count, buffer += count, index += count)
        {
            count = (length > 16) ? 16:length;
            sprintf_s(rgbLine, 100, "%4.4x ",index);
            cbLine = 6;
            for(i=0;i<count;i++)
            {
                rgbLine[cbLine++] = rgbDigits[buffer[i] >> 4];
                rgbLine[cbLine++] = rgbDigits[buffer[i] & 0x0f];
                if(i == 7)
                    rgbLine[cbLine++] = ':';
                else
                    rgbLine[cbLine++] = ' ';
            }
            for(; i < 16; i++)
            {
                rgbLine[cbLine++] = ' ';
                rgbLine[cbLine++] = ' ';
                rgbLine[cbLine++] = ' ';
            }
            rgbLine[cbLine++] = ' ';
            for(i = 0; i < count; i++)
            {
                if(buffer[i] < 32 || buffer[i] > 126)
                    rgbLine[cbLine++] = '.';
                else
                    rgbLine[cbLine++] = buffer[i];
            }
            rgbLine[cbLine++] = 0;
            LOGA ( ( __log_buf, SSPI_CLIENT " %s\n", rgbLine));
        }
    } // end PrintHexDump

    // Framing used on the wire: a native-endian DWORD length, then the body.
    BOOL SendMsg (
        SOCKET s,
        PBYTE pBuf,
        DWORD cbBuf)
    {
        if (0 == cbBuf)
            return(TRUE);

        // Send the size of the message.
        LOGA ( ( __log_buf, SSPI_CLIENT " %lu bytes\n", cbBuf ));
        if (!SendBytes (s, (PBYTE)&cbBuf, sizeof (cbBuf)))
        {
            LOGA ( ( __log_buf, SSPI_CLIENT " size failed.\n" ) );
            return(FALSE);
        }

        // Send the body of the message.
        if (!SendBytes (s, pBuf, cbBuf))
        {
            LOGA ( ( __log_buf, SSPI_CLIENT " body failed.\n" ) );
            return(FALSE);
        }
        LOGA ( ( __log_buf, SSPI_CLIENT " success\n" ) );
        return(TRUE);
    } // end SendMsg

    BOOL ReceiveMsg (
        SOCKET s,
        PBYTE pBuf,
        DWORD cbBuf,
        DWORD *pcbRead)
    {
        DWORD cbRead;
        DWORD cbData;

        // Receive the number of bytes in the message.
        LOGA ( ( __log_buf, SSPI_CLIENT " entry.\n" ));
        if (!ReceiveBytes (s, (PBYTE)&cbData, sizeof (cbData), &cbRead))
        {
            return(FALSE);
        }
        if (sizeof (cbData) != cbRead)
        {
            LOGA ( ( __log_buf, SSPI_CLIENT " failed: size of cbData %lu, bytes %lu\n", sizeof (cbData), cbRead));
            return(FALSE);
        }
        // The peer controls cbData; never read past the caller's buffer.
        if (cbData > cbBuf)
        {
            LOGA ( ( __log_buf, SSPI_CLIENT " failed: message of %lu bytes exceeds buffer of %lu\n", cbData, cbBuf));
            return(FALSE);
        }

        // Read the full message.
        if (!ReceiveBytes (s, pBuf, cbData, &cbRead))
        {
            return(FALSE);
        }
        if (cbRead != cbData)
        {
            return(FALSE);
        }
        *pcbRead = cbRead;
        return(TRUE);
    } // end ReceiveMessage

    BOOL SendBytes (
        SOCKET s,
        PBYTE pBuf,
        DWORD cbBuf)
    {
        PBYTE pTemp = pBuf;
        int cbSent;
        int cbRemaining = cbBuf;

        if (0 == cbBuf)
            return(TRUE);

        while (cbRemaining)
        {
            LOGA ( ( __log_buf, SSPI_CLIENT " %lu bytes.\n", cbRemaining ));
            cbSent = send (s, (const char *)pTemp, cbRemaining, 0);
            if (SOCKET_ERROR == cbSent)
            {
                LOGA ( ( __log_buf, SSPI_CLIENT " send failed: 0x%08.8X\n", GetLastError ()));
                return FALSE;
            }
            pTemp += cbSent;
            cbRemaining -= cbSent;
        }
        LOGA ( ( __log_buf, SSPI_CLIENT " success\n" ) );
        return TRUE;
    } // end SendBytes

    BOOL ReceiveBytes (
        SOCKET s,
        PBYTE pBuf,
        DWORD cbBuf,
        DWORD *pcbRead)
    {
        PBYTE pTemp = pBuf;
        int cbRead, cbRemaining = cbBuf;

        LOGA ( ( __log_buf, SSPI_CLIENT " Entry: %lu bytes.\n", cbRemaining ));
        while (cbRemaining)
        {
            cbRead = recv (s, (char *)pTemp, cbRemaining, 0);
            LOGA ( ( __log_buf, SSPI_CLIENT " %lu bytes remaining.\n", cbRemaining ));
            if (0 == cbRead)
                break;
            if (SOCKET_ERROR == cbRead)
            {
                LOGA ( ( __log_buf, SSPI_CLIENT " recv failed: 0x%08.8X\n", GetLastError ()));
                return FALSE;
            }
            cbRemaining -= cbRead;
            pTemp += cbRead;
        }
        *pcbRead = cbBuf - cbRemaining;
        LOGA ( ( __log_buf, SSPI_CLIENT " success.\n" ));
        return TRUE;
    } // end ReceiveBytes

    void MyHandleError(const char *s)
    {
        DWORD err = GetLastError();
        if (err)
        {
            LOGA ( ( __log_buf, SSPI_CLIENT " %s error (0x%08.8X). Exiting.\n",s, err ));
        }
        else
        {
            LOGA ( ( __log_buf, SSPI_CLIENT " %s error (no error info). Exiting.\n",s ));
        }
        exit (EXIT_FAILURE);
    } // end MyHandleError
    Server.cpp
        // This is a server-side SSPI Windows Sockets program.
        #include "StdAfx.h"
        #include <windows.h>
        #include <winsock.h>
        #include <stdio.h>
        #include <stdlib.h>
        #include <string.h>
        #include "Sspiexample.h"
        #include <iostream>

        CredHandle g_hcred;
        struct _SecHandle g_hctxt;
        static PBYTE g_pInBuf = NULL;
        static PBYTE g_pOutBuf = NULL;
        static DWORD g_cbMaxMessage;
        static TCHAR g_lpPackageName[1024];   // requires a UNICODE build (wcscpy_s below)
        // usPort is used by AcceptAuthSocket but its definition is not part of the
        // posted fragment; the listening port given here is an assumed value.
        static USHORT usPort = 2000;

        BOOL AcceptAuthSocket (SOCKET *ServerSocket, std::string certThumb );

        #define SSPI_SERVER "SChannelServer:" __FUNCTION__

        int main (int argc, char * argv[])
        {
            CHAR pMessage[200];
            DWORD cbMessage;
            PBYTE pDataToClient = NULL;
            DWORD cbDataToClient = 0;
            PWCHAR pUserName = NULL;
            DWORD cbUserName = 0;
            SOCKET Server_Socket = 0;
            WSADATA wsaData;
            SECURITY_STATUS ss;
            PSecPkgInfo pkgInfo;
            SecPkgContext_StreamSizes SecPkgSizes;
            SecPkgContext_PackageInfo SecPkgPkgInfo;
            ULONG cbMaxMessage;
            ULONG cbHeader;
            ULONG cbTrailer;
            std::string certThumb;

            // Create a certificate if no thumbprint is supplied. Otherwise, use the provided
            // thumbprint to find the certificate.
            if ( (argc > 1) && (strlen( argv[1]) > 0) )
            {
                certThumb.assign(argv[1]);
            }
            else
            {
                LOGA( ( __log_buf, SSPI_SERVER " : No certificate thumbprint supplied.\n") );
                LOGA( ( __log_buf, SSPI_SERVER " : Press ENTER to create a certificate, or abort and start over with a thumbprint.\n") );
                std::cin.get();
                certThumb.clear();
                // Insert code to find or create X.509 certificate.
            }

            // Set the default package to SChannel.
            // wcscpy_s takes the destination size in characters, not bytes.
            wcscpy_s(g_lpPackageName, _countof(g_lpPackageName), UNISP_NAME);

            // Initialize the socket interface and the security package.
            if( WSAStartup (0x0101, &wsaData))
            {
                LOGA ( ( __log_buf, SSPI_SERVER " Could not initialize winsock: \n") );
                cleanup();
            }

            ss = QuerySecurityPackageInfo (g_lpPackageName, &pkgInfo);
            if (!SEC_SUCCESS(ss))
            {
                LOGA ( ( __log_buf, SSPI_SERVER " Could not query package info for %ls, error 0x%08x\n",
                    g_lpPackageName, ss) );
                cleanup();
            }
            g_cbMaxMessage = pkgInfo->cbMaxToken;
            FreeContextBuffer(pkgInfo);

            g_pInBuf = (PBYTE) malloc (g_cbMaxMessage);
            g_pOutBuf = (PBYTE) malloc (g_cbMaxMessage);
            if (NULL == g_pInBuf || NULL == g_pOutBuf)
            {
                LOGA ( ( __log_buf, SSPI_SERVER " Memory allocation error.\n"));
                cleanup();
            }

            // Start looping for clients.
            while(TRUE)
            {
                LOGA ( ( __log_buf, SSPI_SERVER " Waiting for client to connect...\n"));

                // Make an authenticated connection with client.
                if (!AcceptAuthSocket (&Server_Socket, certThumb ))
                {
                    LOGA ( ( __log_buf, SSPI_SERVER " Could not authenticate the socket.\n"));
                    cleanup();
                }

                ss = QueryContextAttributes(&g_hctxt, SECPKG_ATTR_STREAM_SIZES, &SecPkgSizes );
                if (!SEC_SUCCESS(ss))
                {
                    LOGA ( ( __log_buf, SSPI_SERVER " failed: 0x%08x\n", ss));
                    exit(1);
                }

                // The following values are used for encryption and signing.
                cbMaxMessage = SecPkgSizes.cbMaximumMessage;
                cbHeader = SecPkgSizes.cbHeader;
                cbTrailer = SecPkgSizes.cbTrailer;
                LOGA ( ( __log_buf, SSPI_SERVER " cbHeader %u, cbMaxMessage %u, cbTrailer %u\n", cbHeader, cbMaxMessage, cbTrailer ));

                ss = QueryContextAttributes(&g_hctxt, SECPKG_ATTR_PACKAGE_INFO, &SecPkgPkgInfo );
                if (!SEC_SUCCESS(ss))
                {
                    LOGA ( ( __log_buf, SSPI_SERVER " failed: 0x%08x\n", ss));
                    exit(1);
                }
                else
                {
                    LOGA ( ( __log_buf, SSPI_SERVER " Package Name: %ls\n", SecPkgPkgInfo.PackageInfo->Name));
                }
                // Free the allocated buffer.
                FreeContextBuffer(SecPkgPkgInfo.PackageInfo);

                // Send the client an encrypted message.
                strcpy_s(pMessage, sizeof(pMessage), TEST_MSG);
                cbMessage = (DWORD)strlen(pMessage);
                if (!EncryptThis (
                    (PBYTE) pMessage,
                    cbMessage,
                    &pDataToClient,
                    &cbDataToClient,
                    cbHeader,
                    cbTrailer))
                {
                    LOGA ( ( __log_buf, SSPI_SERVER " encrypt message failed. \n"));
                    cleanup();
                }

                // Send the encrypted data to client.
                if (!SendBytes(Server_Socket, pDataToClient, cbDataToClient))
                {
                    LOGA ( ( __log_buf, SSPI_SERVER " send message failed. \n"));
                    cleanup();
                }
                LOGA ( ( __log_buf, SSPI_SERVER " %lu encrypted bytes sent. \n", cbDataToClient));

                if (Server_Socket)
                {
                    DeleteSecurityContext (&g_hctxt);
                    FreeCredentialHandle (&g_hcred);
                    shutdown (Server_Socket, 2) ;
                    closesocket (Server_Socket);
                    Server_Socket = 0;
                }
                if (pUserName)
                {
                    free (pUserName);
                    pUserName = NULL;
                    cbUserName = 0;
                }
                if(pDataToClient)
                {
                    free (pDataToClient);
                    pDataToClient = NULL;
                    cbDataToClient = 0;
                }
            } // end while loop

            LOGA ( ( __log_buf, SSPI_SERVER " Server ran to completion without error.\n"));
            cleanup();
            return 0;
        } // end main

        BOOL AcceptAuthSocket (SOCKET *ServerSocket, std::string certThumb )
        {
            SOCKET sockListen;
            SOCKET sockClient;
            SOCKADDR_IN sockIn;

            // Create listening socket.
            sockListen = socket (PF_INET, SOCK_STREAM, 0);
            if (INVALID_SOCKET == sockListen)
            {
                LOGA ( ( __log_buf, SSPI_SERVER " Failed to create socket: %u\n", GetLastError ()));
                return(FALSE);
            }

            // Bind to local port (all local interfaces).
            memset (&sockIn, 0, sizeof (sockIn));
            sockIn.sin_family = AF_INET;
            sockIn.sin_addr.s_addr = 0;
            sockIn.sin_port = htons(usPort);
            if (SOCKET_ERROR == bind (sockListen, (LPSOCKADDR) &sockIn, sizeof (sockIn)))
            {
                LOGA ( ( __log_buf, SSPI_SERVER " bind failed: %u\n", GetLastError ()));
                closesocket (sockListen);
                return(FALSE);
            }

            // Listen for client.
            if (SOCKET_ERROR == listen (sockListen, 1))
            {
                LOGA ( ( __log_buf, SSPI_SERVER " Listen failed: %u\n", GetLastError ()));
                closesocket (sockListen);
                return(FALSE);
            }
            else
            {
                LOGA ( ( __log_buf, SSPI_SERVER " Listening ! \n"));
            }

            // Accept client.
            sockClient = accept (sockListen, NULL, NULL);
            if (INVALID_SOCKET == sockClient)
            {
                LOGA ( ( __log_buf, SSPI_SERVER " accept failed: %u\n",GetLastError() ) );
                closesocket (sockListen);
                return(FALSE);
            }

            closesocket (sockListen);
            *ServerSocket = sockClient;
            return(DoAuthentication (sockClient, certThumb ));
        } // end AcceptAuthSocket

        BOOL DoAuthentication (SOCKET AuthSocket, std::string certThumb )
        {
            SECURITY_STATUS ss;
            DWORD cbIn, cbOut;
            BOOL done = FALSE;
            TimeStamp Lifetime;
            BOOL fNewConversation = TRUE;
            PCCERT_CONTEXT pCertCtxt = NULL;

            // Insert code to retrieve pCertCtxt

            // Build SCHANNEL_CRED structure to hold CERT_CONTEXT for call to AcquireCredentialsHandle
            SCHANNEL_CRED credSchannel = {0};
            credSchannel.dwVersion = SCHANNEL_CRED_VERSION;
            credSchannel.grbitEnabledProtocols = SP_PROT_SSL2_SERVER | SP_PROT_TLS1_SERVER;
            credSchannel.cCreds = 1;
            credSchannel.paCred = &pCertCtxt;

            ss = AcquireCredentialsHandle (
                NULL,                   //pszPrincipal
                g_lpPackageName,        //pszPackage
                SECPKG_CRED_INBOUND,    //fCredentialUse
                NULL,                   //pvLogonID
                &credSchannel,          //pAuthData - SCHANNEL_CRED structure that indicates the protocol to use and the settings for various customizable channel features.
                NULL,                   //pGetKeyFn
                NULL,                   //pvGetKeyArgument
                &g_hcred,               //phCredential
                &Lifetime);             //ptsExpiry
            if (!SEC_SUCCESS (ss))
            {
                LOGA ( ( __log_buf, SSPI_SERVER " AcquireCreds failed: 0x%08x\n", ss));
                return(FALSE);
            }

            while(!done)
            {
                if (!ReceiveMsg (AuthSocket, g_pInBuf, g_cbMaxMessage, &cbIn))
                {
                    return(FALSE);
                }

                cbOut = g_cbMaxMessage;
                if (!GenServerContext (g_pInBuf, cbIn, g_pOutBuf, &cbOut, &done, fNewConversation))
                {
                    LOGA ( ( __log_buf, SSPI_SERVER " GenServerContext failed.\n"));
                    return(FALSE);
                }
                fNewConversation = FALSE;

                if (!SendMsg (AuthSocket, g_pOutBuf, cbOut))
                {
                    LOGA ( ( __log_buf, SSPI_SERVER " Send message failed.\n"));
                    return(FALSE);
                }
            }
            return(TRUE);
        } // end DoAuthentication

        BOOL GenServerContext (
            BYTE *pIn,
            DWORD cbIn,
            BYTE *pOut,
            DWORD *pcbOut,
            BOOL *pfDone,
            BOOL fNewConversation)
        {
            SECURITY_STATUS ss;
            SECURITY_STATUS ssAccept;
            TimeStamp Lifetime;
            SecBufferDesc OutBuffDesc;
            SecBuffer OutSecBuff;
            SecBufferDesc InBuffDesc;
            SecBuffer InSecBuff;
            ULONG Attribs = 0;

            // Prepare output buffers.
            OutBuffDesc.ulVersion = 0;
            OutBuffDesc.cBuffers = 1;
            OutBuffDesc.pBuffers = &OutSecBuff;
            OutSecBuff.cbBuffer = *pcbOut;
            OutSecBuff.BufferType = SECBUFFER_TOKEN;
            OutSecBuff.pvBuffer = pOut;

            // Prepare input buffers.
            InBuffDesc.ulVersion = 0;
            InBuffDesc.cBuffers = 1;
            InBuffDesc.pBuffers = &InSecBuff;
            InSecBuff.cbBuffer = cbIn;
            InSecBuff.BufferType = SECBUFFER_TOKEN;
            InSecBuff.pvBuffer = pIn;

            LOGA ( ( __log_buf, SSPI_SERVER " Token buffer received (%lu bytes):\n", InSecBuff.cbBuffer));
            PrintHexDump (InSecBuff.cbBuffer, (PBYTE)InSecBuff.pvBuffer);

            ss = AcceptSecurityContext (
                &g_hcred,
                fNewConversation ? NULL : &g_hctxt,
                &InBuffDesc,
                Attribs,
                SECURITY_NATIVE_DREP,
                &g_hctxt,
                &OutBuffDesc,
                &Attribs,
                &Lifetime);
            if (!SEC_SUCCESS (ss))
            {
                LOGA ( ( __log_buf, SSPI_SERVER " AcceptSecurityContext failed: 0x%08x\n", ss));
                OutputDebugStringA( "." );
                return FALSE;
            }

            // Keep the AcceptSecurityContext status: the "continue" decision below
            // must not be lost when CompleteAuthToken overwrites ss with SEC_E_OK.
            ssAccept = ss;

            // Complete token if applicable.
            if ((SEC_I_COMPLETE_NEEDED == ss)
                || (SEC_I_COMPLETE_AND_CONTINUE == ss))
            {
                ss = CompleteAuthToken (&g_hctxt, &OutBuffDesc);
                if (!SEC_SUCCESS(ss))
                {
                    LOGA ( ( __log_buf, SSPI_SERVER " complete failed: 0x%08x\n", ss));
                    OutputDebugStringA( "." );
                    return FALSE;
                }
            }

            *pcbOut = OutSecBuff.cbBuffer;
            LOGA ( ( __log_buf, SSPI_SERVER " Token buffer generated (%lu bytes):\n",
                OutSecBuff.cbBuffer));
            PrintHexDump (OutSecBuff.cbBuffer, (PBYTE)OutSecBuff.pvBuffer);

            *pfDone = !((SEC_I_CONTINUE_NEEDED == ssAccept)
                || (SEC_I_COMPLETE_AND_CONTINUE == ssAccept));
            LOGA ( ( __log_buf, SSPI_SERVER " AcceptSecurityContext result = 0x%08x\n", ssAccept));
            return TRUE;
        } // end GenServerContext

        BOOL EncryptThis (
            PBYTE pMessage,
            ULONG cbMessage,
            BYTE ** ppOutput,
            ULONG * pcbOutput,
            ULONG cbHeader,
            ULONG cbTrailer)
        {
            SECURITY_STATUS ss;
            SecBufferDesc BuffDesc;
            SecBuffer SecBuff[4];
            ULONG ulQop = 0;
            PBYTE pHeader;
            PBYTE pTrailer;

            // cbHeader and cbTrailer are the maximum stream header and trailer sizes
            // reported by the SECPKG_ATTR_STREAM_SIZES query in main.
            LOGA ( ( __log_buf, SSPI_SERVER " Data before encryption: %s\n", pMessage));
            LOGA ( ( __log_buf, SSPI_SERVER " Length of data before encryption: %lu \n",cbMessage));

            pHeader = (PBYTE) malloc (cbHeader);
            pTrailer = (PBYTE) malloc (cbTrailer);
            if (NULL == pHeader || NULL == pTrailer)
            {
                LOGA ( ( __log_buf, SSPI_SERVER " Memory allocation error.\n"));
                free (pHeader);
                free (pTrailer);
                return(FALSE);
            }

            // Prepare buffers: SChannel expects stream header, data, stream trailer
            // and an empty buffer. The data is encrypted in place.
            BuffDesc.ulVersion = 0;
            BuffDesc.cBuffers = 4;
            BuffDesc.pBuffers = SecBuff;

            SecBuff[0].cbBuffer = cbHeader;
            SecBuff[0].BufferType = SECBUFFER_STREAM_HEADER;
            SecBuff[0].pvBuffer = pHeader;

            SecBuff[1].cbBuffer = cbMessage;
            SecBuff[1].BufferType = SECBUFFER_DATA;
            SecBuff[1].pvBuffer = pMessage;

            SecBuff[2].cbBuffer = cbTrailer;
            SecBuff[2].BufferType = SECBUFFER_STREAM_TRAILER;
            SecBuff[2].pvBuffer = pTrailer;

            SecBuff[3].cbBuffer = 0;
            SecBuff[3].BufferType = SECBUFFER_EMPTY;
            SecBuff[3].pvBuffer = NULL;

            ss = EncryptMessage(&g_hctxt, ulQop, &BuffDesc, 0);
            if (!SEC_SUCCESS(ss))
            {
                LOGA ( ( __log_buf, SSPI_SERVER " EncryptMessage failed: 0x%08x\n", ss));
                free (pHeader);
                free (pTrailer);
                return(FALSE);
            }
            else
            {
                LOGA ( ( __log_buf, SSPI_SERVER " The message has been encrypted. \n"));
            }

            // Allocate a buffer to hold the encrypted data constructed from the 3 buffers.
            // EncryptMessage updates each cbBuffer to the length actually written, and the
            // trailer can be shorter than cbTrailer, so use the updated lengths.
            *pcbOutput = SecBuff[0].cbBuffer + SecBuff[1].cbBuffer + SecBuff[2].cbBuffer;
            *ppOutput = (PBYTE) malloc (*pcbOutput);
            if (NULL == *ppOutput)
            {
                LOGA ( ( __log_buf, SSPI_SERVER " Memory allocation error.\n"));
                free (pHeader);
                free (pTrailer);
                return(FALSE);
            }
            memset (*ppOutput, 0, *pcbOutput);
            memcpy (*ppOutput, pHeader, SecBuff[0].cbBuffer);
            memcpy (*ppOutput + SecBuff[0].cbBuffer, pMessage, SecBuff[1].cbBuffer);
            memcpy (*ppOutput + SecBuff[0].cbBuffer + SecBuff[1].cbBuffer, pTrailer, SecBuff[2].cbBuffer);
            free (pHeader);
            free (pTrailer);

            LOGA ( ( __log_buf, SSPI_SERVER " data after encryption including trailer (%lu bytes):\n",
                *pcbOutput));
            PrintHexDump (*pcbOutput, *ppOutput);
            return TRUE;
        } // end EncryptThis

        void PrintHexDump(DWORD length, PBYTE buffer)
        {
            DWORD i,count,index;
            CHAR rgbDigits[]="0123456789abcdef";
            CHAR rgbLine[100];
            char cbLine;

            for(index = 0; length;
                length -= count, buffer += count, index += count)
            {
                count = (length > 16) ? 16:length;

                // Offset, then up to 16 bytes as hex pairs.
                sprintf_s(rgbLine, 100, "%4.4x ",index);
                cbLine = 6;
                for(i=0;i<count;i++)
                {
                    rgbLine[cbLine++] = rgbDigits[buffer[i] >> 4];
                    rgbLine[cbLine++] = rgbDigits[buffer[i] & 0x0f];
                    if(i == 7)
                        rgbLine[cbLine++] = ':';
                    else
                        rgbLine[cbLine++] = ' ';
                }
                // Pad short final lines so the ASCII column lines up.
                for(; i < 16; i++)
                {
                    rgbLine[cbLine++] = ' ';
                    rgbLine[cbLine++] = ' ';
                    rgbLine[cbLine++] = ' ';
                }
                rgbLine[cbLine++] = ' ';

                // Printable ASCII column.
                for(i = 0; i < count; i++)
                {
                    if(buffer[i] < 32 || buffer[i] > 126)
                        rgbLine[cbLine++] = '.';
                    else
                        rgbLine[cbLine++] = buffer[i];
                }
                rgbLine[cbLine++] = 0;
                LOGA ( ( __log_buf, SSPI_SERVER " %s\n", rgbLine));
            }
        } // end PrintHexDump

        BOOL SendMsg (
            SOCKET s,
            PBYTE pBuf,
            DWORD cbBuf)
        {
            LOGA ( ( __log_buf, SSPI_SERVER " %lu bytes\n", cbBuf ));
            if (0 == cbBuf)
            {
                return(TRUE);
            }

            // Send the size of the message.
            if (!SendBytes (s, (PBYTE)&cbBuf, sizeof (cbBuf)))
            {
                return(FALSE);
            }

            // Send the body of the message.
            if (!SendBytes (s, pBuf, cbBuf))
            {
                return(FALSE);
            }
            return(TRUE);
        } // end SendMsg

        BOOL ReceiveMsg (
            SOCKET s,
            PBYTE pBuf,
            DWORD cbBuf,
            DWORD *pcbRead)
        {
            DWORD cbRead;
            DWORD cbData;

            LOGA ( ( __log_buf, SSPI_SERVER " %lu bytes\n", cbBuf ));

            // Retrieve the number of bytes in the message.
            if (!ReceiveBytes (s, (PBYTE)&cbData, sizeof (cbData), &cbRead))
            {
                LOGA ( ( __log_buf, SSPI_SERVER " ReceiveBytes failed retrieving byte count.\n" ));
                return(FALSE);
            }
            if (sizeof (cbData) != cbRead)
            {
                LOGA ( ( __log_buf, SSPI_SERVER " Error: buffer size (%lu) differs from reported size (%lu)\n", (DWORD)sizeof(cbData), cbRead ));
                return(FALSE);
            }

            // The peer controls cbData: never read more than the caller's buffer holds.
            if (cbData > cbBuf)
            {
                LOGA ( ( __log_buf, SSPI_SERVER " Error: reported size (%lu) exceeds buffer size (%lu)\n", cbData, cbBuf ));
                return(FALSE);
            }

            // Read the full message.
            if (!ReceiveBytes (s, pBuf, cbData, &cbRead))
            {
                LOGA ( ( __log_buf, SSPI_SERVER " ReceiveBytes failed.\n" ));
                return(FALSE);
            }
            if (cbRead != cbData)
            {
                LOGA ( ( __log_buf, SSPI_SERVER " Error: buffer bytes (%lu) differs from reported bytes (%lu)\n", cbData, cbRead ));
                return(FALSE);
            }

            *pcbRead = cbRead;
            return(TRUE);
        } // end ReceiveMsg

        BOOL SendBytes (
            SOCKET s,
            PBYTE pBuf,
            DWORD cbBuf)
        {
            PBYTE pTemp = pBuf;
            int cbSent, cbRemaining = cbBuf;

            LOGA ( ( __log_buf, SSPI_SERVER " %lu bytes\n", cbBuf ));
            if (0 == cbBuf)
            {
                return(TRUE);
            }

            while (cbRemaining)
            {
                cbSent = send (s, (const char *)pTemp, cbRemaining, 0);
                if (SOCKET_ERROR == cbSent)
                {
                    LOGA ( ( __log_buf, SSPI_SERVER " send failed: %u\n", GetLastError ()));
                    return FALSE;
                }
                LOGA ( ( __log_buf, SSPI_SERVER " %d bytes sent\n", cbSent ));
                pTemp += cbSent;
                cbRemaining -= cbSent;
            }
            return TRUE;
        } // end SendBytes

        BOOL ReceiveBytes (
            SOCKET s,
            PBYTE pBuf,
            DWORD cbBuf,
            DWORD *pcbRead)
        {
            PBYTE pTemp = pBuf;
            int cbRead, cbRemaining = cbBuf;

            LOGA ( ( __log_buf, SSPI_SERVER " %lu bytes\n", cbBuf ));
            while (cbRemaining)
            {
                cbRead = recv (s, (char *)pTemp, cbRemaining, 0);
                // recv returns 0 when the peer has closed the connection.
                if (0 == cbRead)
                {
                    break;
                }
                if (SOCKET_ERROR == cbRead)
                {
                    LOGA ( ( __log_buf, SSPI_SERVER " recv failed: %u\n", GetLastError () ) );
                    return FALSE;
                }
                cbRemaining -= cbRead;
                pTemp += cbRead;
            }

            *pcbRead = cbBuf - cbRemaining;
            return TRUE;
        } // end ReceiveBytes

        void cleanup()
        {
            if (g_pInBuf)
            {
                free (g_pInBuf);
                g_pInBuf = NULL;
            }
            if (g_pOutBuf)
            {
                free (g_pOutBuf);
                g_pOutBuf = NULL;
            }
            WSACleanup ();
            exit(0);
        } // end cleanup
    SspiExample.h
        // SspiExample.h
        #pragma once
        // sspi.h requires SECURITY_WIN32 (or SECURITY_KERNEL) to be defined before it is included.
        #ifndef SECURITY_WIN32
        #define SECURITY_WIN32
        #endif
        #include <windows.h>
        #include <winsock.h>
        #include <sspi.h>
        #include <schnlsp.h>
        #include <stdio.h>
        #include <stdarg.h>
        #include <string>

        BOOL SendMsg (SOCKET s, PBYTE pBuf, DWORD cbBuf);
        BOOL ReceiveMsg (SOCKET s, PBYTE pBuf, DWORD cbBuf, DWORD *pcbRead);
        BOOL SendBytes (SOCKET s, PBYTE pBuf, DWORD cbBuf);
        BOOL ReceiveBytes (SOCKET s, PBYTE pBuf, DWORD cbBuf, DWORD *pcbRead);
        void cleanup();

        BOOL GenClientContext (
            BYTE *pIn,
            DWORD cbIn,
            BYTE *pOut,
            DWORD *pcbOut,
            BOOL *pfDone,
            WCHAR *pCertName,
            CredHandle *hCred,
            PSecHandle phCtext);

        BOOL GenServerContext (
            BYTE *pIn,
            DWORD cbIn,
            BYTE *pOut,
            DWORD *pcbOut,
            BOOL *pfDone,
            BOOL fNewCredential);

        BOOL EncryptThis (
            PBYTE pMessage,
            ULONG cbMessage,
            BYTE ** ppOutput,
            LPDWORD pcbOutput,
            ULONG cbHeader,
            ULONG cbTrailer);

        PBYTE DecryptThis(
            PBYTE achData,
            LPDWORD pcbMessage,
            struct _SecHandle *hCtxt);

        BOOL SignThis (
            PBYTE pMessage,
            ULONG cbMessage,
            BYTE ** ppOutput,
            LPDWORD pcbOutput);

        PBYTE VerifyThis(
            PBYTE pBuffer,
            LPDWORD pcbMessage,
            struct _SecHandle *hCtxt,
            ULONG cbMaxSignature);

        void PrintHexDump(DWORD length, PBYTE buffer);

        BOOL ConnectAuthSocket (
            SOCKET *s,
            CredHandle *hCred,
            PSecHandle phCtext,
            char * pServer,
            WCHAR * pCertName);

        BOOL CloseAuthSocket (SOCKET s);
        BOOL DoAuthentication (SOCKET s, WCHAR * pCertName );
        BOOL DoAuthentication (SOCKET s, std::string certThumb );
        void MyHandleError(char *s);

        #define DBG_SIZE 1024

        // Writes a formatted line to the debugger output. Defined static so the
        // header can be included by both the client and the server source file.
        static int OutputDebug( char buff[DBG_SIZE] )
        {
            int retval;
            char debugstring[DBG_SIZE+32];
            retval = _snprintf_s( debugstring, DBG_SIZE+32, _TRUNCATE, " %s", buff );
            OutputDebugStringA( debugstring );
            return retval;
        }

        // printf-style formatting into a DBG_SIZE buffer, truncating if necessary.
        static int DbgBufCopy( char *buff, const char *format, ...)
        {
            int iLen;
            va_list args;
            /// Call va_start to start the variable list
            va_start(args, format);
            /// Call _vsnprintf_s to copy debug information to the buffer
            iLen = _vsnprintf_s(buff, DBG_SIZE, _TRUNCATE, format, args);
            /// Call va_end to end the variable list
            va_end(args);
            return iLen;
        }

        // Usage: LOGA ( ( __log_buf, "format", args... ) );
        // The argument list must begin with __log_buf, the buffer declared by the macro.
        #define LOGA(_format_and_args_)\
        { char __log_buf[DBG_SIZE];\
          DbgBufCopy _format_and_args_;\
          printf("%s", __log_buf );\
          OutputDebug(__log_buf);\
        }

        #define TEST_MSG "This is your server speaking"
    My initial attempt built an SCHANNEL_CRED structure following the documentation to set grbitEnabledProtocols to 0, and let SChannel select the protocol.  This worked on Windows 7, selecting TLS1.  When I ran the same exes on 2008 R2, the Client program failed, with InitializeSecurityContext returning SEC_E_DECRYPT_FAILURE.  The failure occurred on the 2nd call, using phNewContext returned on the first call.
    My next attempt set grbitEnabledProtocols to SP_PROT_TLS1_SERVER. This also worked on Win 7, but 2008R2 failed again, this time on the Server side. AcceptSecurityContext failed, returning SEC_E_ALGORITHM_MISMATCH.
    TLS is a requirement for my project, but to try getting the sample to run, I next set grbitEnabledProtocols to SP_PROT_SSL2_SERVER.  This did work for 2008R2, selecting SSL2, but now the Server failed on Win7 with AcceptSecurityContext returning SEC_E_ALGORITHM_MISMATCH.
    My final try was to set grbitEnabledProtocols to SP_PROT_TLS1_SERVER | SP_PROT_SSL2_SERVER, but that failed identically to the first case, with the Client on 2008R2 returning SEC_E_DECRYPT_FAILURE.
    So my question is: what is required to get SChannel to select TLS regardless of the Windows version on which the programs are running?

    Thank you for the reference.  That did provide the information I needed to get TLS working.   However, the documentation is not accurate with regard to setting the registry keys and values.
    The tables all show DisabledByDefault as a subkey under the protocol.  They also describe a DWORD value, Enabled, as the mechanism to enable/disable a protocol.
    What I found is DisabledByDefault is a DWORD value under Client/Server and it appears to be the determining factor to whether a protocol is enabled/disabled.
    The only way I was able to get TLS 1.1 working is with the following path present:
    HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client
    Under Client, I must have DisabledByDefault set to 0.  With that, the Enabled value does not need to be present.
    This held true for any level of TLS.
    I also found the setting of grbitEnabledProtocols in the SCHANNEL_CRED structure to be misleading.  From the description at https://msdn.microsoft.com/en-us/library/windows/desktop/aa379810(v=vs.85).aspx, I thought my Server program could set this field to 0, and SChannel would select the protocol as directed by the registry.  What I found is that the structure flag must agree with the registry setting for TLS to work.  That is, with the registry key above for TLS 1.1, I must set grbitEnabledProtocols to SP_PROT_TLS1_1.
    Can you confirm the relationship between the SCHANNEL_CRED contents and registry state?
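    As an added illustration of the registry layout described in the reply above (this is not code from the original post), the following PowerShell audits the SCHANNEL protocol keys on both the Client and Server side and can create the TLS 1.1 keys with DisabledByDefault = 0, the state the reply found necessary. The protocol key names and the Enabled/DisabledByDefault semantics in the comments are taken from the documented Schannel registry layout, not from the post, and are stated as assumptions.

```powershell
# Added example (not code from the original post): audit the per-protocol
# SCHANNEL registry keys described above and, on request, create the
# TLS 1.1 Client/Server keys with DisabledByDefault = 0. Run elevated to write.
# Written for PowerShell 2.0 so it also runs on Windows Server 2008 R2.

$SchannelProtocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Protocol key names as they appear under ...\Protocols (assumed list; extend as needed).
$ProtocolNames = @('SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2')

function Get-SchannelProtocolState {
    param(
        [Parameter(Mandatory=$true)][string]$Protocol,
        [Parameter(Mandatory=$true)][ValidateSet('Client', 'Server')][string]$Side
    )
    $path = Join-Path (Join-Path $SchannelProtocols $Protocol) $Side
    $state = New-Object PSObject -Property @{
        Protocol = $Protocol; Side = $Side; KeyExists = $false
        Enabled = $null; DisabledByDefault = $null; Effective = 'OS default (key absent)'
    }
    if (-not (Test-Path $path)) { return $state }

    $state.KeyExists = $true
    $props = Get-ItemProperty -Path $path
    $state.Enabled = $props.Enabled
    $state.DisabledByDefault = $props.DisabledByDefault

    # Documented Schannel semantics, stated here as an assumption rather than taken
    # from the post: Enabled = 0 switches the protocol off entirely, while
    # DisabledByDefault = 1 keeps it out of the default set, so it is only used when
    # an application requests it explicitly in SCHANNEL_CRED.grbitEnabledProtocols.
    if ($state.Enabled -eq 0) {
        $state.Effective = 'Disabled'
    } elseif ($state.DisabledByDefault -eq 1) {
        $state.Effective = 'Only if requested by application'
    } elseif ($state.DisabledByDefault -eq 0) {
        $state.Effective = 'Enabled by default'
    } else {
        $state.Effective = 'OS default (values absent)'
    }
    return $state
}

function Enable-SchannelProtocol {
    # Creates <Protocol>\<Side> with DisabledByDefault = 0 and Enabled = 1,
    # the state the reply found necessary for TLS 1.1.
    param(
        [Parameter(Mandatory=$true)][string]$Protocol,
        [Parameter(Mandatory=$true)][ValidateSet('Client', 'Server')][string]$Side
    )
    $path = Join-Path (Join-Path $SchannelProtocols $Protocol) $Side
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    New-ItemProperty -Path $path -Name DisabledByDefault -Value 0 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $path -Name Enabled -Value 1 -PropertyType DWord -Force | Out-Null
}

# Audit every protocol on both sides and flag the risky combinations:
# SSL 2.0/3.0 not explicitly disabled, or TLS 1.1/1.2 not usable by default.
$report = foreach ($p in $ProtocolNames) {
    foreach ($s in @('Client', 'Server')) { Get-SchannelProtocolState -Protocol $p -Side $s }
}
$report | Format-Table Protocol, Side, KeyExists, Enabled, DisabledByDefault, Effective -AutoSize

foreach ($r in $report) {
    if ($r.Protocol -like 'SSL*' -and $r.Effective -ne 'Disabled') {
        Write-Warning "$($r.Protocol) $($r.Side): not explicitly disabled; set Enabled = 0"
    }
    if ((@('TLS 1.1', 'TLS 1.2') -contains $r.Protocol) -and $r.Effective -ne 'Enabled by default') {
        Write-Warning "$($r.Protocol) $($r.Side): $($r.Effective)"
    }
}

# To apply the reply's fix for TLS 1.1 on both sides (from an elevated prompt):
# @('Client', 'Server') | ForEach-Object { Enable-SchannelProtocol -Protocol 'TLS 1.1' -Side $_ }
```

    Changes under the SCHANNEL key take effect for new connections only after the affected service (or the machine) is restarted.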

  • Windows Server 2008 R2: "The update is not applicable to your computer"

    ALCON,
    I'm trying to install a "Windows Update Standalone Installer" file (Windows6.1-KB3032323-x64.msu) along with other .msu files and I keep getting the same message: "The update is not applicable to your computer".  The server is a virtual machine and is also the vCenter server for the system, so I REALLY don't want to mess this installation up and break the system, but the installation is needed and mandatory.  How can I go about installing these .msu files?
    *Note*  The system is located in a classified environment so it doesn't have a connection to the outside (unclassified) world.  But I'm able to have the .msu files placed on the system at any time.
    Thanks!
    V/r,
    Stanley L. Johnson Jr.

    Hello,
    Do you use SP1 for Windows Server 2008 R2?
    Best regards
    Meinolf Weber
    MVP, MCP, MCTS
    Microsoft MVP - Directory Services
    My Blog: http://blogs.msmvps.com/MWeber
    Disclaimer: This posting is provided AS IS with no warranties or guarantees and confers no rights.
