SChannel Fails Authentication on Windows Server 2008 R2 Using TLS1

I am trying to use SChannel to secure a socket connection. I modified the example at
https://msdn.microsoft.com/en-us/library/windows/desktop/aa380537(v=vs.85).aspx, converting it from Negotiate to SChannel.  Following the specs for the SSPI APIs I was able to get a Client & Server connection authenticated on Windows 7.
However, when I try running the same programs on Windows Server 2008 R2, either the Client side or Server side fails, depending on how I select the security protocol.
Here is the modified example code; details about my results follow the code.
Client.cpp
// Client-side program to establish an SSPI socket connection
// with a server and exchange messages.
// Define macros and constants.
#include "StdAfx.h"
#include <windows.h>
#include <winsock.h>
#include <stdio.h>
#include <stdlib.h>
#include "SspiExample.h"
#include <string>
#include <iostream>
// Outbound Schannel credential. Filled by AcquireCredentialsHandle on the first
// GenClientContext call (DoAuthentication passes &g_hCred) and released with
// FreeCredentialHandle at the end of main.
CredHandle g_hCred;
// Client security context. main invalidates it before the first
// InitializeSecurityContext call and deletes it with DeleteSecurityContext at exit.
SecHandle g_hCtext;
// Log prefix pasted in front of every LOGA format string: package tag + current function.
#define SSPI_CLIENT "SChannelClient:" __FUNCTION__
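// Client entry point.
//
//   argv[1] - ServerName: host name or dotted IPv4 address of the machine
//             running the server sample.
//   argv[2] - CertName:   common name of the certificate the server presents;
//             it is handed to InitializeSecurityContext as the target name.
//
// Connects, runs the Schannel handshake, logs the negotiated package,
// protocol and cipher suite, then receives one encrypted record from the
// server, decrypts it and compares the plaintext with TEST_MSG. Every
// failure goes through MyHandleError, which logs and exits the process.
int main(int argc, char *argv[])
{
    SOCKET Client_Socket = INVALID_SOCKET;
    BYTE Data[BIG_BUFF];
    PCHAR pMessage;
    WSADATA wsaData;
    SECURITY_STATUS ss;
    DWORD cbRead = 0;
    ULONG cbHeader;
    ULONG cbMaxMessage;
    ULONG cbTrailer;
    SecPkgContext_StreamSizes SecPkgSizes;
    SecPkgContext_PackageInfo SecPkgPkgInfo;
    SecPkgContext_ConnectionInfo ConnectionInfo;
    BOOL DoAuthentication(SOCKET s, WCHAR *pCertName);
    char Server[512] = {0};
    WCHAR CertName[512] = {0};

    // Validate cmd line parameters. Exit here: the original prompt fell
    // through and tried to connect with empty Server/CertName strings.
    if (argc != 3) {
        LOGA((__log_buf, SSPI_CLIENT " required parameters ServerName & CertName not entered.\n"));
        LOGA((__log_buf, SSPI_CLIENT " Abort and start over with required parameters.\n"));
        std::cin.get();
        exit(EXIT_FAILURE);
    }

    // argv[1] - ServerName - the name of the computer running the server sample.
    // argv[2] - TargetName the common name of the certificate provided
    // by the target server program.
    // Both copies are bounded by the destination size. The original used
    // strlen(argv[1]) as the memcpy length and strlen(argv[2])+1 as the
    // mbstowcs_s destination size, so an over-long argument overran the
    // 512-element locals.
    strncpy_s(Server, sizeof(Server), argv[1], _TRUNCATE);
    size_t sizCN = 0;
    mbstowcs_s(&sizCN, CertName, _countof(CertName), argv[2], _TRUNCATE);
    LOGA((__log_buf, SSPI_CLIENT " input parameters - ServerName %s CertName %ls.\n", Server, CertName));

    // Initialize the socket and the SSP security package.
    if (WSAStartup(0x0101, &wsaData)) {
        MyHandleError(__FUNCTION__ " Could not initialize winsock ");
    }

    // Connect to a server. The context handle must be invalid before the
    // first InitializeSecurityContext call.
    SecInvalidateHandle(&g_hCtext);
    if (!ConnectAuthSocket(&Client_Socket, &g_hCred, &g_hCtext, Server, CertName)) {
        MyHandleError(__FUNCTION__ " Authenticated server connection ");
    }
    LOGA((__log_buf, SSPI_CLIENT " connection authenticated.\n"));

    // An authenticated session with a server has been established.
    // First, find and display the name of the SSP, the negotiated
    // connection parameters, and the size of the header, maximum message
    // and trailer blocks for this SSP.
    ss = QueryContextAttributes(&g_hCtext, SECPKG_ATTR_PACKAGE_INFO, &SecPkgPkgInfo);
    if (!SEC_SUCCESS(ss)) {
        LOGA((__log_buf, SSPI_CLIENT "QueryContextAttributes failed: 0x%08x\n", ss));
        MyHandleError(__FUNCTION__ " QueryContextAttributes failed.\n");
    } else {
        LOGA((__log_buf, SSPI_CLIENT " Package Name: %ls\n", SecPkgPkgInfo.PackageInfo->Name));
        // Free the allocated buffer.
        FreeContextBuffer(SecPkgPkgInfo.PackageInfo);
    }

    ss = QueryContextAttributes(&g_hCtext, SECPKG_ATTR_STREAM_SIZES, &SecPkgSizes);
    if (!SEC_SUCCESS(ss)) {
        LOGA((__log_buf, SSPI_CLIENT " QueryContextAttributes failed: 0x%08x\n", ss));
        MyHandleError(__FUNCTION__ " Query context ");
    }
    cbHeader = SecPkgSizes.cbHeader;
    cbMaxMessage = SecPkgSizes.cbMaximumMessage;
    cbTrailer = SecPkgSizes.cbTrailer;
    LOGA((__log_buf, SSPI_CLIENT " cbHeader %u, cbMaxMessage %u, cbTrailer %u\n", cbHeader, cbMaxMessage, cbTrailer));

    ss = QueryContextAttributes(&g_hCtext, SECPKG_ATTR_CONNECTION_INFO, &ConnectionInfo);
    if (!SEC_SUCCESS(ss)) {
        LOGA((__log_buf, SSPI_CLIENT " QueryContextAttributes failed: 0x%08x\n", ss));
        MyHandleError(__FUNCTION__ " Query context ");
    }

    // Anything other than TLS1 below means one side still allows a
    // deprecated protocol (SSL2/SSL3/PCT) and its credential settings
    // should be tightened.
    switch (ConnectionInfo.dwProtocol) {
    case SP_PROT_TLS1_CLIENT:
        LOGA((__log_buf, SSPI_CLIENT " Protocol: TLS1\n"));
        break;
    case SP_PROT_SSL3_CLIENT:
        LOGA((__log_buf, SSPI_CLIENT " Protocol: SSL3\n"));
        break;
    case SP_PROT_PCT1_CLIENT:
        LOGA((__log_buf, SSPI_CLIENT " Protocol: PCT\n"));
        break;
    case SP_PROT_SSL2_CLIENT:
        LOGA((__log_buf, SSPI_CLIENT " Protocol: SSL2\n"));
        break;
    default:
        LOGA((__log_buf, SSPI_CLIENT " Unknown Protocol: 0x%x\n", ConnectionInfo.dwProtocol));
        break;
    }

    switch (ConnectionInfo.aiCipher) {
    case CALG_RC4:
        LOGA((__log_buf, SSPI_CLIENT " Cipher: RC4\n"));
        break;
    case CALG_3DES:
        LOGA((__log_buf, SSPI_CLIENT " Cipher: Triple DES\n"));
        break;
    case CALG_RC2:
        LOGA((__log_buf, SSPI_CLIENT " Cipher: RC2\n"));
        break;
    case CALG_DES:
    case CALG_CYLINK_MEK:
        LOGA((__log_buf, SSPI_CLIENT " Cipher: DES\n"));
        break;
    case CALG_SKIPJACK:
        LOGA((__log_buf, SSPI_CLIENT " Cipher: Skipjack\n"));
        break;
    case CALG_AES_256:
        LOGA((__log_buf, SSPI_CLIENT " Cipher: AES 256\n"));
        break;
    default:
        LOGA((__log_buf, SSPI_CLIENT " Unknown Cipher: 0x%x\n", ConnectionInfo.aiCipher));
        break;
    }
    LOGA((__log_buf, SSPI_CLIENT " Cipher strength: %d\n", ConnectionInfo.dwCipherStrength));

    switch (ConnectionInfo.aiHash) {
    case CALG_MD5:
        LOGA((__log_buf, SSPI_CLIENT " Hash: MD5\n"));
        break;
    case CALG_SHA:
        LOGA((__log_buf, SSPI_CLIENT " Hash: SHA\n"));
        break;
    default:
        LOGA((__log_buf, SSPI_CLIENT " Unknown Hash: 0x%x\n", ConnectionInfo.aiHash));
        break;
    }
    LOGA((__log_buf, SSPI_CLIENT " Hash strength: %d\n", ConnectionInfo.dwHashStrength));

    switch (ConnectionInfo.aiExch) {
    case CALG_RSA_KEYX:
    case CALG_RSA_SIGN:
        LOGA((__log_buf, SSPI_CLIENT " Key exchange: RSA\n"));
        break;
    case CALG_KEA_KEYX:
        LOGA((__log_buf, SSPI_CLIENT " Key exchange: KEA\n"));
        break;
    case CALG_DH_EPHEM:
        LOGA((__log_buf, SSPI_CLIENT " Key exchange: DH Ephemeral\n"));
        break;
    default:
        LOGA((__log_buf, SSPI_CLIENT " Unknown Key exchange: 0x%x\n", ConnectionInfo.aiExch));
        break;
    }
    LOGA((__log_buf, SSPI_CLIENT " Key exchange strength: %d\n", ConnectionInfo.dwExchStrength));

    // Decrypt and display the message from the server.
    if (!ReceiveBytes(Client_Socket, Data, BIG_BUFF, &cbRead)) {
        MyHandleError(__FUNCTION__ " No response from server\n");
    }
    if (0 == cbRead) {
        MyHandleError(__FUNCTION__ " Zero bytes received.\n");
    }
    pMessage = (PCHAR)DecryptThis(Data, &cbRead, &g_hCtext);

    // Wire layout agreed with the server: header | data | trailer, sized
    // from SECPKG_ATTR_STREAM_SIZES. A record shorter than header + trailer
    // would make cbMessage underflow to a huge value below.
    if (cbRead < cbHeader + cbTrailer) {
        MyHandleError(__FUNCTION__ " Received record shorter than header + trailer ");
    }
    // Skip the header to get the decrypted message.
    pMessage += cbHeader;
    // NOTE(review): cbTrailer from SECPKG_ATTR_STREAM_SIZES is the maximum
    // trailer size. This arithmetic matches only because Server.cpp's
    // EncryptThis copies cbTrailer bytes of trailer regardless of the
    // length EncryptMessage reported; keep the two in step.
    ULONG cbMessage = cbRead - cbHeader - cbTrailer;
    if ((cbMessage == strlen(TEST_MSG)) &&
        !strncmp(pMessage, TEST_MSG, strlen(TEST_MSG))) {
        LOGA((__log_buf, SSPI_CLIENT " SUCCESS!! The message from the server is \n -> %.*s \n",
              (int)cbMessage, pMessage));
    } else {
        LOGA((__log_buf, SSPI_CLIENT " UNEXPECTED message from the server: \n -> %.*s \n",
              (int)cbMessage, pMessage));
        LOGA((__log_buf, SSPI_CLIENT " rcvd msg size %u, exp size %u\n", cbMessage, (unsigned)strlen(TEST_MSG)));
    }

    // Terminate socket and security package.
    DeleteSecurityContext(&g_hCtext);
    FreeCredentialHandle(&g_hCred);
    shutdown(Client_Socket, 2);
    closesocket(Client_Socket);
    if (SOCKET_ERROR == WSACleanup()) {
        MyHandleError(__FUNCTION__ " Problem with socket cleanup ");
    }
    return EXIT_SUCCESS;
} // end main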
// ConnectAuthSocket establishes an authenticated socket connection
// with a server and initializes needed security package resources.
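// ConnectAuthSocket establishes an authenticated socket connection
// with a server and initializes needed security package resources.
//
//   s          - receives the connected socket
//   g_hCred    - credential handle (accepted for interface compatibility;
//                DoAuthentication uses the file-level handles)
//   phCtext    - context handle (same remark)
//   pServer    - dotted IPv4 address or host name of the server
//   pCertName  - target name for the Schannel handshake
//
// Returns TRUE on success. Every failure path calls MyHandleError, which
// logs and exits the process.
BOOL ConnectAuthSocket(
    SOCKET *s,
    CredHandle *g_hCred,
    PSecHandle phCtext,
    char *pServer,
    WCHAR *pCertName)
{
    unsigned long ulAddress;
    struct hostent *pHost;
    SOCKADDR_IN sin = {0};

    // Lookup the server's address: dotted-quad first, then DNS.
    LOGA((__log_buf, SSPI_CLIENT " entry.\n"));
    ulAddress = inet_addr(pServer);
    if (INADDR_NONE == ulAddress) {
        LOGA((__log_buf, SSPI_CLIENT " calling gethostbyname with %s.\n", pServer));
        pHost = gethostbyname(pServer);
        if (NULL == pHost) {
            MyHandleError(__FUNCTION__ " Unable to resolve host name ");
        }
        // Only an IPv4 address fits ulAddress. The original copied h_length
        // bytes unconditionally, which overruns the 4-byte local for any
        // other address family.
        if (pHost->h_addrtype != AF_INET ||
            pHost->h_length != sizeof(ulAddress) ||
            pHost->h_addr_list[0] == NULL) {
            MyHandleError(__FUNCTION__ " Host did not resolve to an IPv4 address ");
        }
        memcpy(&ulAddress, pHost->h_addr_list[0], sizeof(ulAddress));
        std::string ipAddrStr = inet_ntoa(*(struct in_addr *)pHost->h_addr_list[0]);
        LOGA((__log_buf, __FUNCTION__ " gethostbyname - ipAddress %s, name %s.\n", ipAddrStr.c_str(), pHost->h_name));
    }

    // Create the socket.
    *s = socket(PF_INET, SOCK_STREAM, 0);
    if (INVALID_SOCKET == *s) {
        MyHandleError(__FUNCTION__ " Unable to create socket");
    } else {
        LOGA((__log_buf, SSPI_CLIENT " Socket created.\n"));
    }

    sin.sin_family = AF_INET;
    sin.sin_addr.s_addr = ulAddress;
    sin.sin_port = htons(g_usPort);

    // Connect to the server.
    if (connect(*s, (LPSOCKADDR)&sin, sizeof(sin))) {
        closesocket(*s);
        MyHandleError(__FUNCTION__ " Connect failed ");
    }
    LOGA((__log_buf, SSPI_CLIENT " Connection established.\n"));

    // Authenticate the connection. Name resolution above is unauthenticated;
    // the Schannel handshake against pCertName is what binds this socket
    // to the intended server.
    if (!DoAuthentication(*s, pCertName)) {
        closesocket(*s);
        MyHandleError(__FUNCTION__ " Authentication ");
    }
    LOGA((__log_buf, SSPI_CLIENT " success.\n"));
    return (TRUE);
} // end ConnectAuthSocket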
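// Runs the client side of the Schannel handshake on socket s.
//
//   s          - connected socket
//   pCertName  - target name passed through to GenClientContext
//
// Generates the first token, then alternates ReceiveMsg / GenClientContext /
// SendMsg until GenClientContext reports fDone. Returns FALSE only when the
// first token cannot be generated; other failures exit via MyHandleError.
BOOL DoAuthentication(SOCKET s, WCHAR *pCertName)
{
    BOOL fDone = FALSE;
    DWORD cbOut = 0;
    DWORD cbIn = 0;
    PBYTE pInBuf;
    PBYTE pOutBuf;

    if (!(pInBuf = (PBYTE)malloc(MAXMESSAGE))) {
        MyHandleError(__FUNCTION__ " Memory allocation ");
    }
    if (!(pOutBuf = (PBYTE)malloc(MAXMESSAGE))) {
        MyHandleError(__FUNCTION__ " Memory allocation ");
    }

    cbOut = MAXMESSAGE;
    LOGA((__log_buf, SSPI_CLIENT " 1st message.\n"));
    if (!GenClientContext(NULL, 0, pOutBuf, &cbOut, &fDone, pCertName, &g_hCred, &g_hCtext)) {
        LOGA((__log_buf, SSPI_CLIENT " GenClientContext failed\n"));
        // The original returned without releasing the two buffers.
        free(pInBuf);
        free(pOutBuf);
        return (FALSE);
    }
    if (!SendMsg(s, pOutBuf, cbOut)) {
        MyHandleError(__FUNCTION__ " Send message failed ");
    }

    // Each server token arrives as one length-prefixed message, so a whole
    // token is handed to GenClientContext per iteration.
    while (!fDone) {
        if (!ReceiveMsg(s, pInBuf, MAXMESSAGE, &cbIn)) {
            MyHandleError(__FUNCTION__ " Receive message failed ");
        }
        cbOut = MAXMESSAGE;
        LOGA((__log_buf, SSPI_CLIENT " Message loop.\n"));
        if (!GenClientContext(pInBuf, cbIn, pOutBuf, &cbOut, &fDone, pCertName, &g_hCred, &g_hCtext)) {
            MyHandleError(__FUNCTION__ " GenClientContext failed");
        }
        if (!SendMsg(s, pOutBuf, cbOut)) {
            MyHandleError(__FUNCTION__ " Send message failed");
        }
        LOGA((__log_buf, SSPI_CLIENT " fDone %s.\n", fDone ? "Yes" : "No"));
    }

    free(pInBuf);
    pInBuf = NULL;
    free(pOutBuf);
    pOutBuf = NULL;
    LOGA((__log_buf, SSPI_CLIENT " exit.\n"));
    return (TRUE);
}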
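// One step of the client side of the Schannel handshake.
//
//   pIn/cbIn     - token received from the server; NULL/0 on the first call
//   pOut/pcbOut  - caller-supplied buffer for the token to send; on return
//                  *pcbOut is the number of bytes written into it
//   pfDone       - set TRUE when no further round trip is needed
//   pCertName    - target name given to InitializeSecurityContext
//   g_hCred      - credential handle, acquired here on the first call
//   g_hCtext     - context handle, created on the first call
//
// Returns TRUE on success. InitializeSecurityContext and credential failures
// exit via MyHandleError; a CompleteAuthToken failure returns FALSE.
BOOL GenClientContext(
    BYTE *pIn,
    DWORD cbIn,
    BYTE *pOut,
    DWORD *pcbOut,
    BOOL *pfDone,
    WCHAR *pCertName,
    CredHandle *g_hCred,
    struct _SecHandle *g_hCtext)
{
    SECURITY_STATUS ss;
    TimeStamp Lifetime;
    SecBufferDesc OutBuffDesc;
    SecBuffer OutSecBuff;
    SecBufferDesc InBuffDesc;
    SecBuffer InSecBuff[2];
    ULONG ContextAttributes = 0;
    static TCHAR lpPackageName[1024];

    if (NULL == pIn) {
        // First call: acquire an outbound Schannel credential. No
        // SCHANNEL_CRED is supplied (pAuthData NULL), so the client runs on
        // the system default protocol/cipher policy.
        // wcscpy_s takes the destination size in characters; the original
        // passed 1024 * sizeof(TCHAR), over-stating it.
        wcscpy_s(lpPackageName, _countof(lpPackageName), UNISP_NAME);
        ss = AcquireCredentialsHandle(
            NULL,
            lpPackageName,
            SECPKG_CRED_OUTBOUND,
            NULL,
            NULL,
            NULL,
            NULL,
            g_hCred,
            &Lifetime);
        if (!(SEC_SUCCESS(ss))) {
            MyHandleError(__FUNCTION__ " AcquireCreds failed ");
        }
    }

    // Prepare the output buffer.
    OutBuffDesc.ulVersion = 0;
    OutBuffDesc.cBuffers = 1;
    OutBuffDesc.pBuffers = &OutSecBuff;
    OutSecBuff.cbBuffer = *pcbOut;
    OutSecBuff.BufferType = SECBUFFER_TOKEN;
    OutSecBuff.pvBuffer = pOut;

    // The input buffer is created only if a message has been received
    // from the server.
    if (pIn) {
        LOGA((__log_buf, SSPI_CLIENT " Call InitializeSecurityContext with pIn supplied.\n"));
        // Schannel expects two input buffers after the first call: the
        // received token plus an empty one. The original array already held
        // both but advertised cBuffers = 1.
        InBuffDesc.ulVersion = 0;
        InBuffDesc.cBuffers = 2;
        InBuffDesc.pBuffers = InSecBuff;
        InSecBuff[0].cbBuffer = cbIn;
        InSecBuff[0].BufferType = SECBUFFER_TOKEN;
        InSecBuff[0].pvBuffer = pIn;
        InSecBuff[1].pvBuffer = NULL;
        InSecBuff[1].cbBuffer = 0;
        InSecBuff[1].BufferType = SECBUFFER_EMPTY;
        ss = InitializeSecurityContext(
            g_hCred,
            g_hCtext,
            pCertName,
            MessageAttribute,
            0,
            0,
            &InBuffDesc,
            0,
            g_hCtext,
            &OutBuffDesc,
            &ContextAttributes,
            &Lifetime);
    } else {
        LOGA((__log_buf, SSPI_CLIENT " Call InitializeSecurityContext with NULL pIn.\n"));
        ss = InitializeSecurityContext(
            g_hCred,
            NULL,
            pCertName,
            MessageAttribute,
            0,
            0,
            NULL,
            0,
            g_hCtext,
            &OutBuffDesc,
            &ContextAttributes,
            &Lifetime);
    }
    // MessageAttribute (the ISC_REQ_* flags) is defined outside this file.
    // NOTE(review): Schannel validates the server certificate against
    // pCertName itself unless those flags include
    // ISC_REQ_MANUAL_CRED_VALIDATION; nothing in this file validates it, so
    // confirm the flag is not set.
    if (!SEC_SUCCESS(ss)) {
        LOGA((__log_buf, SSPI_CLIENT " InitializeSecurityContext failed with error 0x%08x\n", ss));
        MyHandleError(__FUNCTION__ " InitializeSecurityContext failed ");
    }
    LOGA((__log_buf, SSPI_CLIENT " InitializeSecurityContext returned 0x%08x\n", ss));
    // NOTE(review): if InSecBuff[1].BufferType comes back as SECBUFFER_EXTRA
    // the server sent more than one token in this message; the sample drops
    // those bytes.

    // If necessary, complete the token.
    if ((SEC_I_COMPLETE_NEEDED == ss) || (SEC_I_COMPLETE_AND_CONTINUE == ss)) {
        ss = CompleteAuthToken(g_hCtext, &OutBuffDesc);
        if (!SEC_SUCCESS(ss)) {
            LOGA((__log_buf, SSPI_CLIENT " complete failed: 0x%08x\n", ss));
            return FALSE;
        }
    }

    *pcbOut = OutSecBuff.cbBuffer;
    *pfDone = !((SEC_I_CONTINUE_NEEDED == ss) || (SEC_I_COMPLETE_AND_CONTINUE == ss));

    LOGA((__log_buf, SSPI_CLIENT " Token buffer generated (%lu bytes):\n", OutSecBuff.cbBuffer));
    PrintHexDump(OutSecBuff.cbBuffer, (PBYTE)OutSecBuff.pvBuffer);
    return TRUE;
}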
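// Decrypts one Schannel record in place.
//
//   pBuffer     - the raw record (header | ciphertext | trailer) as received
//   pcbMessage  - in: total bytes in pBuffer; not modified on return
//   hCtxt       - the established security context
//
// Returns pBuffer; the caller skips the header and trailer itself using the
// sizes from SECPKG_ATTR_STREAM_SIZES. If DecryptMessage fails (bad MAC,
// truncated or tampered record) the process exits via MyHandleError. The
// original only logged the failure and handed the undecrypted bytes back
// to be compared and displayed as plaintext.
PBYTE DecryptThis(
    PBYTE pBuffer,
    LPDWORD pcbMessage,
    struct _SecHandle *hCtxt)
{
    SECURITY_STATUS ss;
    SecBufferDesc BuffDesc;
    SecBuffer SecBuff[4];
    ULONG ulQop = 0;

    LOGA((__log_buf, SSPI_CLIENT " data before decryption including trailer (%lu bytes):\n",
          *pcbMessage));
    PrintHexDump(*pcbMessage, (PBYTE)pBuffer);

    // Prepare the buffers to be passed to the DecryptMessage function:
    // the whole record as SECBUFFER_DATA followed by three empty slots
    // that Schannel fills in on return.
    BuffDesc.ulVersion = 0;
    BuffDesc.cBuffers = 4;
    BuffDesc.pBuffers = SecBuff;
    SecBuff[0].cbBuffer = *pcbMessage;
    SecBuff[0].BufferType = SECBUFFER_DATA;
    SecBuff[0].pvBuffer = pBuffer;
    for (int i = 1; i < 4; i++) {
        SecBuff[i].cbBuffer = 0;
        SecBuff[i].BufferType = SECBUFFER_EMPTY;
        SecBuff[i].pvBuffer = NULL;
    }

    ss = DecryptMessage(hCtxt, &BuffDesc, 0, &ulQop);
    if (!SEC_SUCCESS(ss)) {
        LOGA((__log_buf, SSPI_CLIENT " DecryptMessage failed with error 0x%08x\n", ss));
        MyHandleError(__FUNCTION__ " DecryptMessage failed ");
    }
    LOGA((__log_buf, SSPI_CLIENT " DecryptMessage success? Status: 0x%08x\n", ss));

    // NOTE(review): on success Schannel marks one of SecBuff[1..3] as
    // SECBUFFER_DATA with the exact plaintext location and length (and may
    // mark another SECBUFFER_EXTRA for bytes of a following record). That is
    // the authoritative result; the header/trailer arithmetic in main only
    // works while the server pads the trailer to its maximum size.
    // Return a pointer to the decrypted data. The trailer data is discarded.
    return pBuffer;
}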
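// Checks the signature on a signed (not encrypted) message and returns a
// pointer to the signed data. Not used by the Schannel flow in main; kept
// from the Negotiate version of the sample.
//
//   pBuffer         - signature followed by the signed data
//   pcbMessage      - in: total bytes in pBuffer; out: bytes of data only
//   hCtxt           - the established security context
//   cbMaxSignature  - size of the signature block at the front of pBuffer
//
// Returns pBuffer + cbMaxSignature. A buffer shorter than the signature, or
// a VerifySignature failure, exits via MyHandleError; the original returned
// the unverified data in both cases.
PBYTE VerifyThis(
    PBYTE pBuffer,
    LPDWORD pcbMessage,
    struct _SecHandle *hCtxt,
    ULONG cbMaxSignature)
{
    SECURITY_STATUS ss;
    SecBufferDesc BuffDesc;
    SecBuffer SecBuff[2];
    ULONG ulQop = 0;
    PBYTE pSigBuffer;
    PBYTE pDataBuffer;

    LOGA((__log_buf, SSPI_CLIENT " data before verifying (including signature):\n"));
    PrintHexDump(*pcbMessage, pBuffer);

    // By agreement with the server, the signature is at the beginning of
    // the message received, and the data that was signed comes after the
    // signature. A message shorter than the signature would underflow
    // *pcbMessage below.
    if (*pcbMessage < cbMaxSignature) {
        MyHandleError(__FUNCTION__ " Message shorter than its signature ");
    }
    pSigBuffer = pBuffer;
    pDataBuffer = pBuffer + cbMaxSignature;

    // The size of the message is reset to the size of the data only.
    *pcbMessage = *pcbMessage - (cbMaxSignature);

    // Prepare the buffers to be passed to the signature verification function.
    BuffDesc.ulVersion = 0;
    BuffDesc.cBuffers = 2;
    BuffDesc.pBuffers = SecBuff;
    SecBuff[0].cbBuffer = cbMaxSignature;
    SecBuff[0].BufferType = SECBUFFER_TOKEN;
    SecBuff[0].pvBuffer = pSigBuffer;
    SecBuff[1].cbBuffer = *pcbMessage;
    SecBuff[1].BufferType = SECBUFFER_DATA;
    SecBuff[1].pvBuffer = pDataBuffer;

    ss = VerifySignature(hCtxt, &BuffDesc, 0, &ulQop);
    if (!SEC_SUCCESS(ss)) {
        LOGA((__log_buf, SSPI_CLIENT " VerifyMessage failed with error 0x%08x\n", ss));
        MyHandleError(__FUNCTION__ " VerifySignature failed ");
    }
    LOGA((__log_buf, SSPI_CLIENT " Message was properly signed.\n"));
    return pDataBuffer;
} // end VerifyThis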
// Logs `buffer` as a classic hex dump: 16 bytes per line, offset first,
// a ':' after the 8th byte, then the printable ASCII rendering.
//
//   length - number of bytes to dump
//   buffer - bytes to dump
void PrintHexDump(
    DWORD length,
    PBYTE buffer)
{
    static const CHAR kHexDigits[] = "0123456789abcdef";
    CHAR line[100];
    DWORD offset = 0;

    while (length) {
        const DWORD chunk = (length > 16) ? 16 : length;
        sprintf_s(line, 100, "%4.4x ", offset);
        int pos = 6;

        // Hex column: two digits and a separator per byte.
        DWORD k = 0;
        for (; k < chunk; k++) {
            line[pos++] = kHexDigits[buffer[k] >> 4];
            line[pos++] = kHexDigits[buffer[k] & 0x0f];
            line[pos++] = (k == 7) ? ':' : ' ';
        }
        // Pad a short final line so the ASCII column stays aligned.
        for (; k < 16; k++) {
            line[pos++] = ' ';
            line[pos++] = ' ';
            line[pos++] = ' ';
        }
        line[pos++] = ' ';

        // ASCII column: non-printable bytes become '.'.
        for (k = 0; k < chunk; k++) {
            const BYTE c = buffer[k];
            line[pos++] = (c < 32 || c > 126) ? '.' : (CHAR)c;
        }
        line[pos] = 0;
        LOGA((__log_buf, SSPI_CLIENT " %s\n", line));

        length -= chunk;
        buffer += chunk;
        offset += chunk;
    }
}
// Sends one length-prefixed message: a DWORD byte count followed by the
// body. Returns TRUE on success; an empty message sends nothing at all.
//
//   s      - connected socket
//   pBuf   - message body
//   cbBuf  - body length in bytes
BOOL SendMsg(
    SOCKET s,
    PBYTE pBuf,
    DWORD cbBuf)
{
    if (cbBuf == 0) {
        return (TRUE);
    }

    LOGA((__log_buf, SSPI_CLIENT " %lu bytes\n", cbBuf));

    // The length prefix goes out as the raw DWORD (native byte order);
    // the server's ReceiveMsg reads it back the same way.
    const BOOL sizeSent = SendBytes(s, (PBYTE)&cbBuf, sizeof(cbBuf));
    if (!sizeSent) {
        LOGA((__log_buf, SSPI_CLIENT " size failed.\n"));
        return (FALSE);
    }

    const BOOL bodySent = SendBytes(s, pBuf, cbBuf);
    if (!bodySent) {
        LOGA((__log_buf, SSPI_CLIENT " body failed.\n"));
        return (FALSE);
    }

    LOGA((__log_buf, SSPI_CLIENT " success\n"));
    return (TRUE);
}
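// Receives one length-prefixed message (see SendMsg) into pBuf.
//
//   s        - connected socket
//   pBuf     - destination buffer
//   cbBuf    - size of pBuf in bytes
//   pcbRead  - receives the body length on success
//
// Returns FALSE if the prefix or body cannot be read in full, or if the
// peer-supplied length exceeds cbBuf.
BOOL ReceiveMsg(
    SOCKET s,
    PBYTE pBuf,
    DWORD cbBuf,
    DWORD *pcbRead)
{
    DWORD cbRead;
    DWORD cbData;

    // Receive the number of bytes in the message.
    LOGA((__log_buf, SSPI_CLIENT " entry.\n"));
    if (!ReceiveBytes(s, (PBYTE)&cbData, sizeof(cbData), &cbRead)) {
        return (FALSE);
    }
    if (sizeof(cbData) != cbRead) {
        LOGA((__log_buf, SSPI_CLIENT " failed: size of cbData %lu, bytes %lu\n", (unsigned long)sizeof(cbData), cbRead));
        return (FALSE);
    }

    // cbData comes from the network. The original read cbData bytes straight
    // into pBuf, so a peer announcing more than cbBuf overran the buffer.
    if (cbData > cbBuf) {
        LOGA((__log_buf, SSPI_CLIENT " failed: announced size %lu exceeds buffer size %lu\n", cbData, cbBuf));
        return (FALSE);
    }

    // Read the full message.
    if (!ReceiveBytes(s, pBuf, cbData, &cbRead)) {
        return (FALSE);
    }
    if (cbRead != cbData) {
        return (FALSE);
    }

    *pcbRead = cbRead;
    return (TRUE);
} // end ReceiveMessage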
// Writes all cbBuf bytes of pBuf to socket s, retrying partial sends.
// Returns TRUE when everything has been handed to send(); FALSE on a
// socket error (logged with GetLastError()).
BOOL SendBytes(
    SOCKET s,
    PBYTE pBuf,
    DWORD cbBuf)
{
    if (cbBuf == 0) {
        return (TRUE);
    }

    const BYTE *cursor = pBuf;
    int left = cbBuf;

    // send() may accept fewer bytes than requested; loop until the whole
    // buffer has gone out.
    while (left) {
        LOGA((__log_buf, SSPI_CLIENT " %lu bytes.\n", left));
        const int written = send(s, (const char *)cursor, left, 0);
        if (written == SOCKET_ERROR) {
            LOGA((__log_buf, SSPI_CLIENT " send failed: 0x%08.8X\n", GetLastError()));
            return FALSE;
        }
        cursor += written;
        left -= written;
    }

    LOGA((__log_buf, SSPI_CLIENT " success\n"));
    return TRUE;
}
// Reads up to cbBuf bytes from socket s into pBuf.
//
// Stops when the buffer is full or the peer closes the connection (recv
// returns 0); in both cases *pcbRead is the number of bytes actually
// received and TRUE is returned. Returns FALSE on a socket error, in which
// case *pcbRead is not written.
BOOL ReceiveBytes(
    SOCKET s,
    PBYTE pBuf,
    DWORD cbBuf,
    DWORD *pcbRead)
{
    PBYTE cursor = pBuf;
    int left = cbBuf;

    LOGA((__log_buf, SSPI_CLIENT " Entry: %lu bytes.\n", left));
    for (;;) {
        if (!left) {
            break;
        }
        const int got = recv(s, (char *)cursor, left, 0);
        LOGA((__log_buf, SSPI_CLIENT " %lu bytes remaining.\n", left));
        if (got == 0) {
            // Orderly shutdown by the peer: report the partial read as success.
            break;
        }
        if (got == SOCKET_ERROR) {
            LOGA((__log_buf, SSPI_CLIENT " recv failed: 0x%08.8X\n", GetLastError()));
            return FALSE;
        }
        left -= got;
        cursor += got;
    }

    *pcbRead = cbBuf - left;
    LOGA((__log_buf, SSPI_CLIENT " success.\n"));
    return TRUE;
} // end ReceiveBytes
// Logs the failure described by s together with GetLastError() (when it is
// non-zero) and terminates the process with EXIT_FAILURE. Never returns.
void MyHandleError(char *s)
{
    // Capture the error code before anything else can overwrite it.
    const DWORD lastError = GetLastError();
    if (lastError == 0) {
        LOGA((__log_buf, SSPI_CLIENT " %s error (no error info). Exiting.\n", s));
    } else {
        LOGA((__log_buf, SSPI_CLIENT " %s error (0x%08.8X). Exiting.\n", s, lastError));
    }
    exit(EXIT_FAILURE);
}
Server.cpp
// This is a server-side SSPI Windows Sockets program.
#include "StdAfx.h"
#include <windows.h>
#include <winsock.h>
#include <stdio.h>
#include <stdlib.h>
#include "Sspiexample.h"
#include <iostream>
// Inbound Schannel credential bound to the server certificate; acquired in
// DoAuthentication, freed in main after each client.
CredHandle g_hcred;
// Server security context created by AcceptSecurityContext in GenServerContext
// and deleted in main after each client.
struct _SecHandle g_hctxt;
// Handshake token buffers, each g_cbMaxMessage bytes, allocated in main and
// released by cleanup().
static PBYTE g_pInBuf = NULL;
static PBYTE g_pOutBuf = NULL;
// cbMaxToken of the security package, from QuerySecurityPackageInfo in main.
static DWORD g_cbMaxMessage;
// Security package name (UNISP_NAME), set in main.
static TCHAR g_lpPackageName[1024];
BOOL AcceptAuthSocket (SOCKET *ServerSocket, std::string certThumb );
// Log prefix pasted in front of every LOGA format string: package tag + current function.
#define SSPI_SERVER "SChannelServer:" __FUNCTION__
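// Server entry point.
//
//   argv[1] - optional certificate thumbprint used to select the server
//             certificate (the lookup itself is a placeholder in this post)
//
// Initialises Winsock and the Schannel package, then loops forever:
// accept one client, run the handshake, send it TEST_MSG encrypted,
// tear the connection down. Fatal errors go through cleanup() or exit().
int main(int argc, char *argv[])
{
    CHAR pMessage[200];
    DWORD cbMessage;
    PBYTE pDataToClient = NULL;
    DWORD cbDataToClient = 0;
    SOCKET Server_Socket = 0;
    WSADATA wsaData;
    SECURITY_STATUS ss;
    PSecPkgInfo pkgInfo;
    SecPkgContext_StreamSizes SecPkgSizes;
    SecPkgContext_PackageInfo SecPkgPkgInfo;
    ULONG cbMaxMessage;
    ULONG cbHeader;
    ULONG cbTrailer;
    std::string certThumb;

    // Create a certificate if no thumbprint is supplied. Otherwise, use the
    // provided thumbprint to find the certificate.
    if ((argc > 1) && (strlen(argv[1]) > 0)) {
        certThumb.assign(argv[1]);
    } else {
        LOGA((__log_buf, SSPI_SERVER " : No certificate thumbprint supplied.\n"));
        LOGA((__log_buf, SSPI_SERVER " : Press ENTER to create a certificate, or abort and start over with a thumbprint.\n"));
        std::cin.get();
        certThumb.clear();
    }
    // [placeholder kept from the original post] Insert code to find or create X.509 certificate.

    // Set the default package to SChannel. wcscpy_s takes the destination
    // size in characters; the original passed 1024 * sizeof(TCHAR).
    wcscpy_s(g_lpPackageName, _countof(g_lpPackageName), UNISP_NAME);

    // Initialize the socket interface and the security package.
    if (WSAStartup(0x0101, &wsaData)) {
        LOGA((__log_buf, SSPI_SERVER " Could not initialize winsock: \n"));
        cleanup();
    }

    ss = QuerySecurityPackageInfo(g_lpPackageName, &pkgInfo);
    if (!SEC_SUCCESS(ss)) {
        // %ls: g_lpPackageName is a wide string (wcscpy_s above requires it);
        // the original used %s.
        LOGA((__log_buf, SSPI_SERVER " Could not query package info for %ls, error 0x%08x\n",
              g_lpPackageName, ss));
        cleanup();
    }
    g_cbMaxMessage = pkgInfo->cbMaxToken;
    FreeContextBuffer(pkgInfo);

    g_pInBuf = (PBYTE)malloc(g_cbMaxMessage);
    g_pOutBuf = (PBYTE)malloc(g_cbMaxMessage);
    if (NULL == g_pInBuf || NULL == g_pOutBuf) {
        LOGA((__log_buf, SSPI_SERVER " Memory allocation error.\n"));
        cleanup();
    }

    // Start looping for clients.
    while (TRUE) {
        LOGA((__log_buf, SSPI_SERVER " Waiting for client to connect...\n"));

        // Make an authenticated connection with client.
        if (!AcceptAuthSocket(&Server_Socket, certThumb)) {
            LOGA((__log_buf, SSPI_SERVER " Could not authenticate the socket.\n"));
            cleanup();
        }

        ss = QueryContextAttributes(&g_hctxt, SECPKG_ATTR_STREAM_SIZES, &SecPkgSizes);
        if (!SEC_SUCCESS(ss)) {
            LOGA((__log_buf, SSPI_SERVER " failed: 0x%08x\n", ss));
            exit(1);
        }
        // The following values are used for encryption and signing.
        cbMaxMessage = SecPkgSizes.cbMaximumMessage;
        cbHeader = SecPkgSizes.cbHeader;
        cbTrailer = SecPkgSizes.cbTrailer;
        LOGA((__log_buf, SSPI_SERVER " cbHeader %u, cbMaxMessage %u, cbTrailer %u\n", cbHeader, cbMaxMessage, cbTrailer));

        ss = QueryContextAttributes(&g_hctxt, SECPKG_ATTR_PACKAGE_INFO, &SecPkgPkgInfo);
        if (!SEC_SUCCESS(ss)) {
            LOGA((__log_buf, SSPI_SERVER " failed: 0x%08x\n", ss));
            exit(1);
        } else {
            LOGA((__log_buf, SSPI_SERVER " Package Name: %ls\n", SecPkgPkgInfo.PackageInfo->Name));
            // Free the allocated buffer.
            FreeContextBuffer(SecPkgPkgInfo.PackageInfo);
        }

        // Send the client an encrypted message. EncryptThis reports
        // failure through its return value, which the original ignored.
        strcpy_s(pMessage, sizeof(pMessage), TEST_MSG);
        cbMessage = (DWORD)strlen(pMessage);
        if (!EncryptThis((PBYTE)pMessage, cbMessage, &pDataToClient, &cbDataToClient, cbHeader, cbTrailer)) {
            LOGA((__log_buf, SSPI_SERVER " EncryptThis failed. \n"));
            cleanup();
        }

        // Send the encrypted data to client.
        if (!SendBytes(Server_Socket, pDataToClient, cbDataToClient)) {
            LOGA((__log_buf, SSPI_SERVER " send message failed. \n"));
            cleanup();
        }
        LOGA((__log_buf, SSPI_SERVER " %d encrypted bytes sent. \n", cbDataToClient));

        if (Server_Socket) {
            DeleteSecurityContext(&g_hctxt);
            FreeCredentialHandle(&g_hcred);
            shutdown(Server_Socket, 2);
            closesocket(Server_Socket);
            Server_Socket = 0;
        }
        if (pDataToClient) {
            free(pDataToClient);
            pDataToClient = NULL;
            cbDataToClient = 0;
        }
    } // end while loop

    LOGA((__log_buf, SSPI_SERVER " Server ran to completion without error.\n"));
    cleanup();
    return EXIT_SUCCESS;
} // end main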
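// Listens on usPort, accepts one client and runs the server side of the
// Schannel handshake on it.
//
//   ServerSocket - receives the accepted client socket
//   certThumb    - passed through to DoAuthentication
//
// Returns the result of DoAuthentication, or FALSE if the listening socket
// cannot be created, bound, put into listen mode or accepted on. The
// listening socket is closed on every path (the original leaked it on the
// failure paths).
BOOL AcceptAuthSocket(SOCKET *ServerSocket, std::string certThumb)
{
    SOCKET sockListen;
    SOCKET sockClient;
    SOCKADDR_IN sockIn = {0};

    // Create listening socket.
    sockListen = socket(PF_INET, SOCK_STREAM, 0);
    if (INVALID_SOCKET == sockListen) {
        LOGA((__log_buf, SSPI_SERVER " Failed to create socket: %u\n", GetLastError()));
        return (FALSE);
    }

    // Bind to local port. s_addr = 0 is INADDR_ANY: the sample accepts
    // connections on every local interface.
    sockIn.sin_family = AF_INET;
    sockIn.sin_addr.s_addr = 0;
    sockIn.sin_port = htons(usPort);
    if (SOCKET_ERROR == bind(sockListen, (LPSOCKADDR)&sockIn, sizeof(sockIn))) {
        LOGA((__log_buf, SSPI_SERVER " bind failed: %u\n", GetLastError()));
        closesocket(sockListen);
        return (FALSE);
    }

    // Listen for client.
    if (SOCKET_ERROR == listen(sockListen, 1)) {
        LOGA((__log_buf, SSPI_SERVER " Listen failed: %u\n", GetLastError()));
        closesocket(sockListen);
        return (FALSE);
    } else {
        LOGA((__log_buf, SSPI_SERVER " Listening ! \n"));
    }

    // Accept client. The listening socket is closed once a client has
    // arrived; main's loop creates a new one per client.
    sockClient = accept(sockListen, NULL, NULL);
    if (INVALID_SOCKET == sockClient) {
        LOGA((__log_buf, SSPI_SERVER " accept failed: %u\n", GetLastError()));
        closesocket(sockListen);
        return (FALSE);
    }
    closesocket(sockListen);

    *ServerSocket = sockClient;
    return (DoAuthentication(sockClient, certThumb));
} // end AcceptAuthSocket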
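// Server side of the Schannel handshake on AuthSocket.
//
//   AuthSocket - accepted client connection
//   certThumb  - thumbprint selecting the server certificate (the lookup
//                itself is a placeholder in this post)
//
// Acquires an inbound credential bound to the server certificate, then
// exchanges length-prefixed tokens with the client until
// AcceptSecurityContext reports the handshake complete. Returns FALSE on
// any failure.
BOOL DoAuthentication(SOCKET AuthSocket, std::string certThumb)
{
    SECURITY_STATUS ss;
    DWORD cbIn, cbOut;
    BOOL done = FALSE;
    TimeStamp Lifetime;
    BOOL fNewConversation = TRUE;
    PCCERT_CONTEXT pCertCtxt = NULL;

    // [placeholder kept from the original post] Insert code to retrieve pCertCtxt
    // The original left pCertCtxt uninitialised; refuse to hand an
    // indeterminate pointer to Schannel.
    if (NULL == pCertCtxt) {
        LOGA((__log_buf, SSPI_SERVER " No server certificate context; cannot acquire credentials.\n"));
        return (FALSE);
    }

    // Build SCHANNEL_CRED structure to hold CERT_CONTEXT for call to AcquireCredentialsHandle
    SCHANNEL_CRED credSchannel = {0};
    credSchannel.dwVersion = SCHANNEL_CRED_VERSION;
    // Offer TLS 1.0 only. The original also set SP_PROT_SSL2_SERVER; SSL 2.0
    // is broken and must not be enabled on a server. Add the
    // SP_PROT_TLS1_1_SERVER / SP_PROT_TLS1_2_SERVER flags where the SDK and
    // the peer platform support them.
    credSchannel.grbitEnabledProtocols = SP_PROT_TLS1_SERVER;
    credSchannel.cCreds = 1;
    credSchannel.paCred = &pCertCtxt;

    ss = AcquireCredentialsHandle(
        NULL,                 // pszPrincipal
        g_lpPackageName,      // pszPackage
        SECPKG_CRED_INBOUND,  // fCredentialUse
        NULL,                 // pvLogonID
        &credSchannel,        // pAuthData - SCHANNEL_CRED selecting the protocols and the certificate
        NULL,                 // pGetKeyFn
        NULL,                 // pvGetKeyArgument
        &g_hcred,             // phCredential
        &Lifetime);           // ptsExpiry
    if (!SEC_SUCCESS(ss)) {
        LOGA((__log_buf, SSPI_SERVER " AcquireCreds failed: 0x%08x\n", ss));
        return (FALSE);
    }

    // One length-prefixed message per token, in both directions.
    while (!done) {
        if (!ReceiveMsg(AuthSocket, g_pInBuf, g_cbMaxMessage, &cbIn)) {
            return (FALSE);
        }
        cbOut = g_cbMaxMessage;
        if (!GenServerContext(g_pInBuf, cbIn, g_pOutBuf, &cbOut, &done, fNewConversation)) {
            LOGA((__log_buf, SSPI_SERVER " GenServerContext failed.\n"));
            return (FALSE);
        }
        fNewConversation = FALSE;
        if (!SendMsg(AuthSocket, g_pOutBuf, cbOut)) {
            LOGA((__log_buf, SSPI_SERVER " Send message failed.\n"));
            return (FALSE);
        }
    }
    return (TRUE);
} // end DoAuthentication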
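// One step of the server side of the Schannel handshake.
//
//   pIn/cbIn          - token received from the client
//   pOut/pcbOut       - caller-supplied buffer for the reply token; on return
//                       *pcbOut is the number of bytes written into it
//   pfDone            - set TRUE when the handshake needs no further round trip
//   fNewConversation  - TRUE on the first call (no context yet)
//
// Returns FALSE if AcceptSecurityContext or CompleteAuthToken fails.
BOOL GenServerContext(
    BYTE *pIn,
    DWORD cbIn,
    BYTE *pOut,
    DWORD *pcbOut,
    BOOL *pfDone,
    BOOL fNewConversation)
{
    SECURITY_STATUS ss;
    TimeStamp Lifetime;
    SecBufferDesc OutBuffDesc;
    SecBuffer OutSecBuff;
    SecBufferDesc InBuffDesc;
    SecBuffer InSecBuff[2];
    ULONG ContextReq = 0;   // ASC_REQ_* flags requested: none, as in the original
    ULONG ContextAttr = 0;  // ASC_RET_* flags granted, written by AcceptSecurityContext
    // NOTE(review): the original reused one variable for both words. With
    // ContextReq == 0 no attribute (confidentiality, stream mode, ...) is
    // asked for explicitly; confirm whether this deployment needs any.

    // Prepare output buffers.
    OutBuffDesc.ulVersion = 0;
    OutBuffDesc.cBuffers = 1;
    OutBuffDesc.pBuffers = &OutSecBuff;
    OutSecBuff.cbBuffer = *pcbOut;
    OutSecBuff.BufferType = SECBUFFER_TOKEN;
    OutSecBuff.pvBuffer = pOut;

    // Prepare input buffers. Schannel wants the received token followed by
    // an empty buffer (it becomes SECBUFFER_EXTRA when the client sent more
    // than one token's worth of data). The original passed the token alone.
    InBuffDesc.ulVersion = 0;
    InBuffDesc.cBuffers = 2;
    InBuffDesc.pBuffers = InSecBuff;
    InSecBuff[0].cbBuffer = cbIn;
    InSecBuff[0].BufferType = SECBUFFER_TOKEN;
    InSecBuff[0].pvBuffer = pIn;
    InSecBuff[1].cbBuffer = 0;
    InSecBuff[1].BufferType = SECBUFFER_EMPTY;
    InSecBuff[1].pvBuffer = NULL;

    LOGA((__log_buf, SSPI_SERVER " Token buffer received (%lu bytes):\n", InSecBuff[0].cbBuffer));
    PrintHexDump(InSecBuff[0].cbBuffer, (PBYTE)InSecBuff[0].pvBuffer);

    ss = AcceptSecurityContext(
        &g_hcred,
        fNewConversation ? NULL : &g_hctxt,
        &InBuffDesc,
        ContextReq,
        SECURITY_NATIVE_DREP,
        &g_hctxt,
        &OutBuffDesc,
        &ContextAttr,
        &Lifetime);
    if (!SEC_SUCCESS(ss)) {
        LOGA((__log_buf, SSPI_SERVER " AcceptSecurityContext failed: 0x%08x\n", ss));
        OutputDebugStringA(".");
        return FALSE;
    }

    // Complete token if applicable.
    if ((SEC_I_COMPLETE_NEEDED == ss) || (SEC_I_COMPLETE_AND_CONTINUE == ss)) {
        ss = CompleteAuthToken(&g_hctxt, &OutBuffDesc);
        if (!SEC_SUCCESS(ss)) {
            LOGA((__log_buf, SSPI_SERVER " complete failed: 0x%08x\n", ss));
            OutputDebugStringA(".");
            return FALSE;
        }
    }

    *pcbOut = OutSecBuff.cbBuffer;
    LOGA((__log_buf, SSPI_SERVER " Token buffer generated (%lu bytes):\n", OutSecBuff.cbBuffer));
    PrintHexDump(OutSecBuff.cbBuffer, (PBYTE)OutSecBuff.pvBuffer);

    *pfDone = !((SEC_I_CONTINUE_NEEDED == ss) || (SEC_I_COMPLETE_AND_CONTINUE == ss));
    LOGA((__log_buf, SSPI_SERVER " AcceptSecurityContext result = 0x%08x\n", ss));
    return TRUE;
} // end GenServerContext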
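// Encrypts pMessage with the current context and assembles one wire record
// header | ciphertext | trailer into a freshly malloc'ed buffer.
//
//   pMessage    - plaintext; encrypted in place by EncryptMessage
//   cbMessage   - plaintext length (must not exceed cbMaximumMessage)
//   ppOutput    - receives the malloc'ed record; caller frees it
//   pcbOutput   - receives the record length (cbHeader + cbMessage + cbTrailer)
//   cbHeader    - header size from SECPKG_ATTR_STREAM_SIZES
//   cbTrailer   - trailer size from SECPKG_ATTR_STREAM_SIZES
//
// Returns FALSE on allocation failure or if EncryptMessage fails. The
// scratch header/trailer buffers are freed on every path (the original
// leaked them on every call and never checked malloc).
BOOL EncryptThis(
    PBYTE pMessage,
    ULONG cbMessage,
    BYTE **ppOutput,
    ULONG *pcbOutput,
    ULONG cbHeader,
    ULONG cbTrailer)
{
    SECURITY_STATUS ss;
    SecBufferDesc BuffDesc;
    SecBuffer SecBuff[4];
    ULONG ulQop = 0;
    PBYTE pHeader = NULL;
    PBYTE pTrailer = NULL;

    LOGA((__log_buf, SSPI_SERVER " Data before encryption: %s\n", (const char *)pMessage));
    LOGA((__log_buf, SSPI_SERVER " Length of data before encryption: %d \n", cbMessage));

    // Prepare buffers: header, data, trailer, empty.
    BuffDesc.ulVersion = 0;
    BuffDesc.cBuffers = 4;
    BuffDesc.pBuffers = SecBuff;

    pHeader = (PBYTE)malloc(cbHeader);
    pTrailer = (PBYTE)malloc(cbTrailer);
    if (NULL == pHeader || NULL == pTrailer) {
        LOGA((__log_buf, SSPI_SERVER " Memory allocation error.\n"));
        free(pHeader);
        free(pTrailer);
        return (FALSE);
    }

    SecBuff[0].cbBuffer = cbHeader;
    SecBuff[0].BufferType = SECBUFFER_STREAM_HEADER;
    SecBuff[0].pvBuffer = pHeader;
    SecBuff[1].cbBuffer = cbMessage;
    SecBuff[1].BufferType = SECBUFFER_DATA;
    SecBuff[1].pvBuffer = pMessage;
    SecBuff[2].cbBuffer = cbTrailer;
    SecBuff[2].BufferType = SECBUFFER_STREAM_TRAILER;
    SecBuff[2].pvBuffer = pTrailer;
    SecBuff[3].cbBuffer = 0;
    SecBuff[3].BufferType = SECBUFFER_EMPTY;
    SecBuff[3].pvBuffer = NULL;

    ss = EncryptMessage(&g_hctxt, ulQop, &BuffDesc, 0);
    if (!SEC_SUCCESS(ss)) {
        LOGA((__log_buf, SSPI_SERVER " EncryptMessage failed: 0x%08x\n", ss));
        free(pHeader);
        free(pTrailer);
        return (FALSE);
    }
    LOGA((__log_buf, SSPI_SERVER " The message has been encrypted. \n"));

    // Allocate a buffer to hold the encrypted data constructed from the 3 buffers.
    *pcbOutput = cbHeader + cbMessage + cbTrailer;
    *ppOutput = (PBYTE)malloc(*pcbOutput);
    if (NULL == *ppOutput) {
        LOGA((__log_buf, SSPI_SERVER " Memory allocation error.\n"));
        *pcbOutput = 0;
        free(pHeader);
        free(pTrailer);
        return (FALSE);
    }
    memset(*ppOutput, 0, *pcbOutput);
    memcpy(*ppOutput, pHeader, cbHeader);
    memcpy(*ppOutput + cbHeader, pMessage, cbMessage);
    memcpy(*ppOutput + cbHeader + cbMessage, pTrailer, cbTrailer);
    // NOTE(review): after EncryptMessage, SecBuff[0].cbBuffer and
    // SecBuff[2].cbBuffer hold the header and trailer lengths actually
    // produced; cbTrailer from SECPKG_ATTR_STREAM_SIZES is the maximum. The
    // sample sends cbTrailer bytes regardless, and the client's main subtracts
    // the same cbTrailer — the two sides must stay in step.

    LOGA((__log_buf, SSPI_SERVER " data after encryption including trailer (%lu bytes):\n",
          *pcbOutput));
    PrintHexDump(*pcbOutput, *ppOutput);

    free(pHeader);
    free(pTrailer);
    return TRUE;
} // end EncryptThis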
// Logs `buffer` as a hex dump: 16 bytes per line, offset first, a ':' after
// the 8th byte, then the printable ASCII rendering of the same bytes.
//
//   length - number of bytes to dump
//   buffer - bytes to dump
void PrintHexDump(DWORD length, PBYTE buffer)
{
    static const CHAR kHexDigits[] = "0123456789abcdef";
    CHAR line[100];
    DWORD offset = 0;

    while (length) {
        const DWORD chunk = (length > 16) ? 16 : length;
        sprintf_s(line, 100, "%4.4x ", offset);
        int pos = 6;

        // Hex column: two digits and a separator per byte.
        DWORD k = 0;
        for (; k < chunk; k++) {
            line[pos++] = kHexDigits[buffer[k] >> 4];
            line[pos++] = kHexDigits[buffer[k] & 0x0f];
            line[pos++] = (k == 7) ? ':' : ' ';
        }
        // Pad a short final line so the ASCII column stays aligned.
        for (; k < 16; k++) {
            line[pos++] = ' ';
            line[pos++] = ' ';
            line[pos++] = ' ';
        }
        line[pos++] = ' ';

        // ASCII column: non-printable bytes become '.'.
        for (k = 0; k < chunk; k++) {
            const BYTE c = buffer[k];
            line[pos++] = (c < 32 || c > 126) ? '.' : (CHAR)c;
        }
        line[pos] = 0;
        LOGA((__log_buf, SSPI_SERVER " %s\n", line));

        length -= chunk;
        buffer += chunk;
        offset += chunk;
    }
} // end PrintHexDump
// Sends one length-prefixed message: a DWORD byte count followed by the
// body. An empty message is logged but nothing is sent. Returns FALSE if
// either part cannot be sent.
//
//   s      - connected socket
//   pBuf   - message body
//   cbBuf  - body length in bytes
BOOL SendMsg(
    SOCKET s,
    PBYTE pBuf,
    DWORD cbBuf)
{
    LOGA((__log_buf, SSPI_SERVER " %lu bytes\n", cbBuf));
    if (cbBuf == 0) {
        return (TRUE);
    }

    // Length prefix as the raw DWORD (native byte order); the client's
    // ReceiveMsg reads it back the same way.
    const BOOL sizeSent = SendBytes(s, (PBYTE)&cbBuf, sizeof(cbBuf));
    if (!sizeSent)
        return (FALSE);

    const BOOL bodySent = SendBytes(s, pBuf, cbBuf);
    if (!bodySent)
        return (FALSE);

    return (TRUE);
} // end SendMsg
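// Receives one length-prefixed message (see SendMsg) into pBuf.
//
//   s        - connected socket
//   pBuf     - destination buffer
//   cbBuf    - size of pBuf in bytes
//   pcbRead  - receives the body length on success
//
// Returns FALSE if the prefix or body cannot be read in full, or if the
// peer-supplied length exceeds cbBuf.
BOOL ReceiveMsg(
    SOCKET s,
    PBYTE pBuf,
    DWORD cbBuf,
    DWORD *pcbRead)
{
    DWORD cbRead;
    DWORD cbData;

    LOGA((__log_buf, SSPI_SERVER " %lu bytes\n", cbBuf));

    // Retrieve the number of bytes in the message.
    if (!ReceiveBytes(s, (PBYTE)&cbData, sizeof(cbData), &cbRead)) {
        LOGA((__log_buf, SSPI_SERVER " ReceiveBytes failed retrieving byte count.\n"));
        return (FALSE);
    }
    if (sizeof(cbData) != cbRead) {
        LOGA((__log_buf, SSPI_SERVER " Error: buffer size (%lu) differs from reported size (%lu)\n", (unsigned long)sizeof(cbData), cbRead));
        return (FALSE);
    }

    // cbData comes from the network, before any authentication has
    // completed. The original read cbData bytes straight into pBuf (the
    // g_cbMaxMessage-byte heap buffer from main), so a client announcing a
    // larger length overran it.
    if (cbData > cbBuf) {
        LOGA((__log_buf, SSPI_SERVER " Error: reported size (%lu) exceeds buffer size (%lu)\n", cbData, cbBuf));
        return (FALSE);
    }

    // Read the full message.
    if (!ReceiveBytes(s, pBuf, cbData, &cbRead)) {
        LOGA((__log_buf, SSPI_SERVER " ReceiveBytes failed.\n"));
        return (FALSE);
    }
    if (cbRead != cbData) {
        LOGA((__log_buf, SSPI_SERVER " Error: buffer bytes (%lu) differs from reported bytes (%lu)\n", cbData, cbRead));
        return (FALSE);
    }

    *pcbRead = cbRead;
    return (TRUE);
} // end ReceiveMsg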
// Writes all cbBuf bytes of pBuf to socket s, retrying partial sends.
// Returns TRUE when everything has been handed to send(); FALSE on a
// socket error (logged with GetLastError()).
BOOL SendBytes(
    SOCKET s,
    PBYTE pBuf,
    DWORD cbBuf)
{
    const BYTE *cursor = pBuf;
    int left = cbBuf;

    LOGA((__log_buf, SSPI_SERVER " %lu bytes\n", cbBuf));
    if (cbBuf == 0) {
        return (TRUE);
    }

    // send() may accept fewer bytes than requested; loop until the whole
    // buffer has gone out.
    while (left) {
        const int written = send(s, (const char *)cursor, left, 0);
        if (written == SOCKET_ERROR) {
            LOGA((__log_buf, SSPI_SERVER " send failed: %u\n", GetLastError()));
            return FALSE;
        }
        LOGA((__log_buf, SSPI_SERVER " %lu bytes sent\n", written));
        cursor += written;
        left -= written;
    }
    return TRUE;
} // end SendBytes
// Reads up to cbBuf bytes from socket s into pBuf.
//
// Stops when the buffer is full or the peer closes the connection (recv
// returns 0); in both cases *pcbRead is the number of bytes actually
// received and TRUE is returned. Returns FALSE on a socket error, in which
// case *pcbRead is not written.
BOOL ReceiveBytes(
    SOCKET s,
    PBYTE pBuf,
    DWORD cbBuf,
    DWORD *pcbRead)
{
    PBYTE cursor = pBuf;
    int left = cbBuf;

    LOGA((__log_buf, SSPI_SERVER " %lu bytes\n", cbBuf));
    for (;;) {
        if (!left) {
            break;
        }
        const int got = recv(s, (char *)cursor, left, 0);
        if (got == 0) {
            // Orderly shutdown by the peer: report the partial read as success.
            break;
        }
        if (got == SOCKET_ERROR) {
            LOGA((__log_buf, SSPI_SERVER " recv failed: %u\n", GetLastError()));
            return FALSE;
        }
        left -= got;
        cursor += got;
    }

    *pcbRead = cbBuf - left;
    return TRUE;
} // end ReceivesBytes
// Release the two global I/O buffers, shut Winsock down and terminate the
// process with exit code 0. Never returns to the caller.
void cleanup()
{
    // free(NULL) is a no-op, so the buffers can be released unconditionally
    // and then nulled so nothing else could double-free them.
    free (g_pInBuf);
    g_pInBuf = NULL;
    free (g_pOutBuf);
    g_pOutBuf = NULL;

    WSACleanup ();
    exit(0);
} // end cleanup
SspiExample.h
// SspiExample.h
#include <schnlsp.h>
#include <sspi.h>
#include <windows.h>
#include <string>
// --- Framed transport over a plain socket --------------------------------
// SendMsg/ReceiveMsg exchange DWORD-length-prefixed messages; SendBytes and
// ReceiveBytes are the underlying send-all / receive-all loops.
BOOL SendMsg (SOCKET s, PBYTE pBuf, DWORD cbBuf);
BOOL ReceiveMsg (SOCKET s, PBYTE pBuf, DWORD cbBuf, DWORD *pcbRead);
BOOL SendBytes (SOCKET s, PBYTE pBuf, DWORD cbBuf);
BOOL ReceiveBytes (SOCKET s, PBYTE pBuf, DWORD cbBuf, DWORD *pcbRead);

// Free global buffers, shut Winsock down and exit the process.
void cleanup();

// --- SSPI/SChannel context establishment ----------------------------------
// One call per handshake leg: consumes the peer's token (pIn/cbIn), produces
// the next token (pOut/pcbOut) and sets *pfDone when the context is complete.
BOOL GenClientContext (BYTE *pIn, DWORD cbIn, BYTE *pOut, DWORD *pcbOut,
                       BOOL *pfDone, WCHAR *pCertName,
                       CredHandle *hCred, PSecHandle phCtext);
BOOL GenServerContext (BYTE *pIn, DWORD cbIn, BYTE *pOut, DWORD *pcbOut,
                       BOOL *pfDone, BOOL fNewCredential);

// --- Message protection with the established context ----------------------
// Encrypt/Decrypt wrap a message with the stream header/trailer sizes
// reported by the context; Sign/Verify attach and check a signature.
BOOL EncryptThis (PBYTE pMessage, ULONG cbMessage, BYTE ** ppOutput,
                  LPDWORD pcbOutput, ULONG cbHeader, ULONG cbTrailer);
PBYTE DecryptThis (PBYTE achData, LPDWORD pcbMessage, struct _SecHandle *hCtxt);
BOOL SignThis (PBYTE pMessage, ULONG cbMessage, BYTE ** ppOutput, LPDWORD pcbOutput);
PBYTE VerifyThis (PBYTE pBuffer, LPDWORD pcbMessage, struct _SecHandle *hCtxt,
                  ULONG cbMaxSignature);

// Debug helper: hex/ASCII dump of a buffer through the log.
void PrintHexDump (DWORD length, PBYTE buffer);

// --- Connection setup / teardown -------------------------------------------
BOOL ConnectAuthSocket (SOCKET *s, CredHandle *hCred, PSecHandle phCtext,
                        char * pServer, WCHAR * pCertName);
BOOL CloseAuthSocket (SOCKET s);

// Two overloads: the client identifies the server certificate by common
// name, the server variant takes a certificate thumbprint string.
BOOL DoAuthentication (SOCKET s, WCHAR * pCertName);
BOOL DoAuthentication (SOCKET s, std::string certThumb);

void MyHandleError (char *s);
// Size in bytes of the stack buffer every LOGA() call formats into; also the
// bound DbgBufCopy passes to _vsnprintf_s, so longer lines are truncated.
#define DBG_SIZE 1024
// Mirror one log line to the debugger via OutputDebugStringA, prefixed with a
// single space. The line is copied into a slightly larger local buffer with
// _TRUNCATE, so an over-long input is cut rather than overrun.
// Returns whatever _snprintf_s returned for that copy.
int OutputDebug( char buff[DBG_SIZE] )
{
    char debugstring[DBG_SIZE+32] = {};
    const int retval = _snprintf_s( debugstring, DBG_SIZE+32, _TRUNCATE, " %s", buff );
    OutputDebugStringA( debugstring );
    return retval;
}
/// Format a log line into buff, which must hold at least DBG_SIZE bytes.
/// Output is bounded by DBG_SIZE and truncated (_TRUNCATE) if it does not fit.
/// `format` is handed straight to _vsnprintf_s, so it must be a trusted
/// literal; any runtime text belongs in the arguments, never in the format.
/// Returns the value of _vsnprintf_s.
int DbgBufCopy( char *buff, const char *format, ...)
{
    va_list args;
    va_start(args, format);
    const int iLen = _vsnprintf_s(buff, DBG_SIZE, _TRUNCATE, format, args);
    va_end(args);
    return iLen;
}
// LOGA(( __log_buf, format, args... )): format a line into a DBG_SIZE stack
// buffer named __log_buf, echo it to stdout and mirror it to the debugger.
// The whole argument list is wrapped in its own parentheses so the commas
// survive macro expansion; it is spliced verbatim into the DbgBufCopy call,
// which is why every call site starts it with __log_buf. Keep the format a
// literal string (see DbgBufCopy).
#define LOGA(_format_and_args_)\
{ char __log_buf[DBG_SIZE];\
  DbgBufCopy _format_and_args_;\
  printf("%s", __log_buf );\
  OutputDebug(__log_buf);\
}

// Fixed payload the server sends once the context is established.
#define TEST_MSG "This is your server speaking"
My initial attempt built an SCHANNEL_CRED structure following the documentation to set
grbitEnabledProtocols to 0, and let SChannel select the protocol.  This worked on Windows 7, selecting TLS1.  When I ran the same executables on 2008 R2, the Client program failed, with InitializeSecurityContext returning SEC_E_DECRYPT_FAILURE. 
The failure occurred on the 2nd call, using phNewContext returned on the first call.
My next attempt set grbitEnabledProtocols to SP_PROT_TLS1_SERVER. This also worked on Win 7, but 2008R2 failed again, this time on the Server side. AcceptSecurityContext failed, returning SEC_E_ALGORITHM_MISMATCH.
TLS is a requirement for my project, but to try getting the sample to run, I next set grbitEnabledProtocols to SP_PROT_SSL2_SERVER.  This did work for 2008R2, selecting SSL2, but now the Server failed on Win7 with AcceptSecurityContext returning
SEC_E_ALGORITHM_MISMATCH.
My final try was to set grbitEnabledProtocols to SP_PROT_TLS1_SERVER | SP_PROT_SSL2_SERVER, but that failed identically to the first case, with the Client on 2008R2 returning SEC_E_DECRYPT_FAILURE.
So my question is - What is required to get SChannel to select TLS regardless of the Windows version on which the programs are running?

Thank you for the reference.  That did provide the information I needed to get TLS working.   However, the documentation is not accurate with regard to setting the registry keys and values.
The tables all show DisabledByDefault as a subkey under the protocol.  They also describe a DWORD value, Enabled, as the mechanism to enable/disable a protocol.
What I found is that DisabledByDefault is a DWORD value under Client/Server, and it appears to be the determining factor as to whether a protocol is enabled or disabled.
The only way I was able to get TLS 1.1 working is with the following path present:
HKLM SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client
Under Client, I must have DisabledByDefault set to 0.  With that, the Enabled value does not need to be present.
This held true for any level of TLS.
I also found the setting of grbitEnabledProtocols in the SCHANNEL_CRED structure to be misleading.  From the description at
https://msdn.microsoft.com/en-us/library/windows/desktop/aa379810(v=vs.85).aspx, I thought my Server program could set this field to 0, and SChannel would select the protocol as directed by the registry.  What I found is that the structure flag must
agree with the registry setting for TLS to work.  That is, with the registry key above for TLS 1.1, I must set grbitEnabledProtocols to SP_PROT_TLS1_1.
Can you confirm the relationship between the SCHANNEL_CRED contents and registry state?

Similar Messages

  • AiroNet 1140 Authentication Issues Windows Server 2008 NPS

    Hello,
    We have an AiroNet 1140 AP that we are trying to configure RADIUS authentication. Our RADIUS server is a Microsoft Windows Server 2008 NPS server. Unfortunately, our Wi-Fi clients are unable to authenticate. We appear to have everything configured on the AP and RADIUS server correctly, but we receive the following errors from the debug on the AP. Doug
    *Mar 14 05:46:58.413: RADIUS/DECODE: No response from radius-server; parse response; FAIL
    *Mar 14 05:46:58.413: RADIUS/DECODE: Case error(no response/ bad packet/ op decode);parse response;
    FAIL
    *Mar 14 05:46:58.413: RADIUS/DECODE: No response from radius-server; parse response; FAIL
    *Mar 14 05:46:58.413: RADIUS/DECODE: Case error(no response/ bad packet/ op decode);parse response;
    FAIL

    Hi Steve, Here is the config for the AP.  Some screenshots of the NPS config are below, too.  Please let me know if you need more information from our NPS server.  Thanks, Doug
    ap#sh run
    Building configuration...
    Current configuration : 2971 bytes
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname ap
    logging rate-limit console 9
    enable secret 5 $1$1IPZ$WkdzqdeeGvEPvQLCHfGXU.
    aaa new-model
    aaa group server radius rad_eap
    server 10.20.2.96 auth-port 1645 acct-port 1646
    aaa group server radius rad_mac
    aaa group server radius rad_acct
    aaa group server radius rad_admin
    server 10.20.2.96 auth-port 1645 acct-port 1646
    aaa group server tacacs+ tac_admin
    aaa group server radius rad_pmip
    aaa group server radius dummy
    aaa authentication login eap_methods group rad_eap
    aaa authentication login mac_methods local
    aaa authorization exec default local
    aaa accounting network acct_methods start-stop group rad_acct
    aaa session-id common
    dot11 syslog
    dot11 ssid wifi
       authentication open eap eap_methods
       authentication network-eap eap_methods
       authentication key-management wpa
    username pg_ap privilege 15 secret 5 $1$rg0/$hTYIn.lysNUfxhzxqXonl/
    bridge irb
    interface Dot11Radio0
    no ip address
    no ip route-cache
    encryption mode ciphers aes-ccm
    ssid wifi
    antenna gain 0
    speed  basic-1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0 m0. m1. m2. m3. m4. m5. m6. m7.
    m8. m9. m10. m11. m12. m13. m14. m15.
    station-role root
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    bridge-group 1 spanning-disabled
    interface Dot11Radio1
    no ip address
    no ip route-cache
    encryption mode ciphers aes-ccm
    ssid wifi
    antenna gain 0
    dfs band 3 block
    speed  basic-6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11
    . m12. m13. m14. m15.
    channel dfs
    station-role root access-point
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    bridge-group 1 spanning-disabled
    interface GigabitEthernet0
    no ip address
    no ip route-cache
    duplex auto
    speed auto
    no keepalive
    bridge-group 1
    no bridge-group 1 source-learning
    bridge-group 1 spanning-disabled
    interface BVI1
    ip address 10.40.0.200 255.255.0.0
    no ip route-cache
    ip default-gateway 10.40.0.1
    ip http server
    no ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    ip radius source-interface BVI1
    radius-server local
      no authentication mac
      nas 10.20.2.96 key 7 003555402B5F012F3D007B16062C46430759550B3A232F7E0A1636472C01402573
    radius-server attribute 32 include-in-access-req format %h
    radius-server host 10.20.2.96 auth-port 1645 acct-port 1646 key 7 08100A08261D0F3E202A3B5C251E677C26
    677B1C171E08576F7A4C077F19403C337F0C7C7D035B172550305F756934172E327A1B13250C154D4C3F1319305C3514
    radius-server vsa send accounting
    bridge 1 route ip
    line con 0
    line vty 0 4
    end
    ap#

  • Windows Server 2008 R2: Using PowerShell to send a MSI file to all workstations

    Hello!
    We are currently using Windows Server 2008 R2. In the upcoming months, we are releasing new software. Instead of touching all the machines with gpupdate /force, we would like to know if we could somehow use Windows PowerShell and send that
    command to all the computers in our organization? We are currently in the process of using Group Policy Management to set up the new GPO. After we create them, we would like to send the MSI file to all workstations. I know it is SUPER easy to do within Windows
    Server 2012... as I have read articles and seen screenshots. I am just having a hard time figuring out how to make it work with Windows Server 2008 R2.
    Thanks!
    Megan

    New-PSSession -computername Computer
    where Computer is one of your remote computers.  If that succeeds, great!  But I'm guessing it won't and enabling that on all of your computers would require more effort than what you're trying to accomplish in the first place.
    Psexec is free to download and you don't have to deploy it:
    http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx
    As far as identifying your target computers, it really depends on your environment.  Get-ADComputer is effective, but the example I provided above would get literally every computer in your active directory - is this something you want to deploy to
    any and all servers, workstations, etc?  How big and complex is your AD?  Is this something you need to coordinate with all your systems around about the same time, or can it be staggered?  Do you expect your target computers not to reboot between
    now and then?  I know that's a lot of questions, but your question is loaded and not easy to answer without knowing more about your environment.
    What about this?
    http://technet.microsoft.com/en-us/library/jj134201.aspx
    There is a requirement to have certain firewall exceptions on your target systems, but hopefully they are because that is the best approach.
    I hope this post has helped!

  • Client can not connect to Server installed window server 2008 and using 8.8

    HI all!
    I have a problem when Client  log in to server that installed window server 2008.It can not connect to this server even when restart and key in IP or Server name,...
    I try disable Firewall of window 2008 in server machine and client can connect to server. But when i disable firewall, it's mean  i can not use Remote desktop or terminal service..
    Now, how i can do in order to solve this problem.
    Thanks!

    Hi,
    Take a look at the admin guide (Page 75, 119, 159):
    [http://service.sap.com/~sapidb/011000358700000150922010E.zip]
    If you installed a firewall on the license service computer, make sure that the firewall is not set to port 30000; otherwise, the license service cannot work.
    If you are using Port X, make sure that you open Port X and Port (X+1) in the firewall. For example, if you are using port 10000, make sure to also open port 10001.
    The default communication port is 1143.
    The default port of the SAP Business One license server is 30000 for license communication and 30001 for the license naming service

  • Can I install Windows Server 2008 R2 using Bootcamp? I do not want to install native, but may consider if that is the only way....

    I already have Win 7 on an internal Bootcamp drive. It so far has worked well, Bootcamp performance drag is minimal, if at all. Now I want to install Win Server 2008 R2 and load a bunch of virtuals using Hyper-V Manager. The virtuals are already created. This is to practice for a certification test....
    Running Mountain Lion, 2010 MP 2 X 2.4 (8 core) 24 GB RAM, all HDD slots full.

    Works like a charm. Apple Supports says you can have multiple instances of Bootcamp. Win Server 2008 R2 is up and running, drivers installed (except issues with Bluetooth) and accepting Windows Updates and Service Packs.

  • Two Factor Authentication on Windows Server 2008 R2

    We have a small 2008 R2 Active Directory environment with 2 domain controllers and 13 member servers. We have no additional features such as an RDP gateway or Federation Services - just a plain AD setup. We now have a requirement from our client to have
    a two factor authentication solution for each time we logon to any server, either using RDP or locally. We only have 4 admins that ever logon to these servers - we do not have any "regular" users.
    Is there anything out there that would work in this environment without having to modify our AD (at least nothing major)?
    Thanks

    Hi,
    You may consider smart card:
    Smart Card Overview
    http://technet.microsoft.com/en-us/library/hh831433.aspx
    Understanding Requirements for Connecting to a Remote Desktop Gateway Server
    http://technet.microsoft.com/en-us/library/cc770519.aspx
    Best Regards,
    Amy
    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

  • Active-Passive Failover cluster in Windows Server 2008 R2

    Hi,
    As per the client requirements, I build an active-passive Oracle 11g R2 database cluster in Windows Server 2008 R2.
    (Used Microsoft cluster as Client don't have Fail Safe licence)
    As per the configuration, I follow the below mentioned steps:
    a)OS vendor configured Active-Passive Windows Cluster
    b)Installed Oracle 11g R2 on both the nodes with same ORACLE_HOME name
    c)Create Listener and configured it with cluster IP in Node1
    d)Create Database from Node1. Physical files location are all in Storage
    e)Create Oracle Service with the same name in the 2nd node and copy all the files like spfile,tnsnames.ora,listener.ora,password file to Node2
    f)Configure Listener with the same Oracle SID.
    g)Test database failover from Node2 with Listener registration
    h)Open the Windows Failover Manager to configure the Oracle Database and Listener Service in the Cluster Group
    Now I am facing problem by moving Cluster Group movement. Whenever trying to moving the group, Listerner service is not getting up by Cluster Manager as quorum is not included in the group and that quorum disk is not moving in the failover node with the Oracle Cluster Group. As per my understanding Quorum having information of Cluster IP which has been configured with Listener.
    But when I am shutdown one node, then in the other node all the resources successfully moving and cluster able to online all the resources. I guess at that time Quorum is also moving and thus cluster can able to make Listener online.
    Please suggest how to resolve this issue. Means how can I make Listener up instead having any dependencies with Quorum in the fail over node?
    Thanks a lot for your help.

    hello
    I was going through your post and i am also doing the same thing here at our organisation for Oracle 10g R2
    Can you pls send me any docs u r having for configuration of Oracle in windows clusters .
    And, can you pls elaborate on this point
    e)Create Oracle Service with the same name in the 2nd node and copy all the files like spfile,tnsnames.ora,listener.ora,password file to Node2.
    Pls send me the details at [email protected] or you can contact me at 08054641476.
    Thanks in advance.

  • Backed up files partially disappear after restore (Windows Server 2008 R2 - Windows Server Backup)

    Dear all,
    I am experiencing a problem with "Windows Server 2008 R2", using Windows Server Backup.
    Here's my setup:
    Server: RAID 5 Disk setup
    Backup:
    By using Windows Server Backup (within Windows Server 2008 R2), C: and D: were fully backed up, with "System State" and "Baremetal Recovery" options selected. Backup went okay without any errors.
    Restore:
    By using Windows Recovery Environment  (booted from Windows Server DVD), C: and D: were fully restored to the original partitions with "System Recovery" option found within Windows RE (without re-formatting partitions during restore). Restore
    went OK without any errors. Rebooted, and system has been running fine. 
    Problem:
    After the restore, the system itself seems running OK; no BSOD, no crash, no visible errors.
    However, our client insisted some files (around 6 to 7) which are related to the propriety software has "disappeared" right after System Recovery.
    Question:
    Since Windows Server Backup is using "Volume Shadow Copy" technology which enables "live backup" of the running system, is it possible that some files will disappear (=restore error) after
    System Recovery?
    I cannot really find any errors or warnings related to Windows Server Backup in the event log, through. No Windows-backup errors. No VSS errors, too.
    Do anybody have experienced this kind of problem in the past?  Any suggestion will be greatly appreciated.

    Thank you for your reply, Ms. Mandy.
    To make things clear, let me explain to you briefly:
    1. The "missing data" was backed up with "full system backup".
    2. After a system restore from the above backup image, as you mentioned, partitions has been overwritten with the partions' backup data in the Backup Data Set taken by Windows Server Backup. No error with backup. No error after restore, and reboot - system
    has been running fine.
    3. Although there was a report that the affected files(about 7 java exectables) were missing after the above restore operation, other aspect of system was running fine at the time of the report.
    4. I have checked the original backup data set - and voila, there ARE files which seems to gone after restore.
    5. When I used Windows Server Backup "on" Windows Server 2008 R2 normal environment (= NOT Recovery environment from DVD) and selectd ONLY these affected files to restore, these files could be RESTORED successfully, without any errors. SO... data
    was property backed up.
    > The recovery will overwrite the partitions so files created after the backup point will be missing. 
    I understand, and this is not the case this time, because the affected files are already present in the backup data set (= I have mounted the backup data as VHD, and I could clearly see them present in the mounted VHD file)
    Plus, these files are completely restoreable via "selective file restore" in Windows Server Backup.
    Things I want to know/confirm:
    > The recovery will overwrite the partitions
    If I understand this correctly, in case that the files in question are already present in the backup data set, these files SHOULD be restored after full system restore, right? (If these files could not be restored, Windows Server Backup SHOULD show some errors.)
    What do you think, Ms. Mandy? :)
    Jo

  • IDM 7.2 under Windows Server 2008 R2 (SQL Server ): Which NTW ? Which JVM ?

    Hello,
    We are installing IDM 7.2 under Windows Server 2008 R2 using the database SQL Server 2008 R2.
    1/ Which NetWeaver should we use to install the Java Application Server (NTW 7.3 or NTW 7.2)?
    Using install guides 7.2rev8, we tried NTW 7.3 but it comes with JVM 1.6 that isn't supported, according to the PAM.
    Should we install the AS Java with NTW 7.2 that comes with JVM 1.5 (JVM 1.5 being supported)?
    2/ Has someone installed IDM 7.2 under Windows Server 2008 R2 (SQL Server)?
    If yes, which NTW was used (7.2 or 7.3)? Which JVM was used (1.5 or 1.6)? Which JDBC drivers (1.2 or 3)?
    Thanks a lot for your replies,
    Regards.

    {quote)For the Java RE are you using 32 or 64 bytes ?{quote)
    C:\Users\Administrator>java -version
    java version "1.6.0_30"
    Java(TM) SE Runtime Environment (build 1.6.0_30-b12)
    Java HotSpot(TM) 64-Bit Server VM (build 20.5-b03, mixed mode)
    {quote)Which JDBC driver do you use (1.2 or 3.0) ?{quote)
    {quote)In the IDM Identity Center, for the dispatchers option tools, how do you fill it ?
    We are using :
    Path to java exe: E:\usr\sap\ID1\J00\exe\sapjvm_6\bin\java.exe{quote)
    C:\Program Files\Java\jre6\bin\java.exe
    {quote)Path to jvm.dll: E:\usr\sap\ID1\J00\j2ee\JSPM\sapjvm\jre\bin\server\jvm.dll{quote)
    C:\Program Files\Java\jre6\bin\server\jvm.dll
    {quote)JDBC driver jar: D:\Microsoft SQL Server JDBC Driver 3.0\sqljdbc_3.0\enu\sqljdbc4.jar{quote)
    C:\sqljdbc\sqljdbc4.jar
    {quote)JDBC driver names: xxxxxxxxx (can you write us what you use){quote)
    com.microsoft.sqlserver.jdbc.SQLServerDriver
    {quote)CLASSPATH extension: D:\Microsoft SQL Server JDBC Driver 3.0\sqljdbc_3.0\enu\sqljdbc4.jar{quote)
    No Classpath specified

  • Opening Excel Workbook Fails when run from Scheduled Task on Windows Server 2008 Rw

    Hi,
    I have a little vbs script that instantiates the Excel.Application object and then opens a work book to perform some tasks on it. The script runs fine when run from the command line. When I attempt to run it as a scheduled task (it is supposed to update
    data that is pulled from a SQL Server at regular intervals), it fails with the following error:
    Microsoft Office Excel cannot access the file 'c:\test\SampleWorkbook.xlsm'. There are several possible reasons: .....
    The file does exist. The path reported in the error is correct. The account under which the task is running is the same account I use to run it from the command line. User Account Control is not enabled, and the task is set up to run with highest privileges.
    When I run the same script through the Task Scheduler from a Windows Server 2003 machine, it works without issue.
    I was just wondering if somebody on this forum has run into a similar issue in connection with Windows Server 2008 R2 and figured out what the magic trick is to make it work. I'm sure it is rights related, but I haven't quite figured out what which rights
    are missing.
    Thanks in advance for any advice you may have.

    This is truly killing me ... trying to get it working on Windows Server 2012 without success.
    I desperately need to automate running Excel macros in a "headless" environment, that is non-interactive, non-GUI, etc.
    I can get it to work using Excel.Application COM, either via VBScript or Powershell, successfully on many other Windows systems  in our environment - Windows Server 2008 R2, Windows 7 (32-bit), etc.,  -BUT-
    The two servers we built out for running our automation process are Windows Server 2012 (SE) - and it just refuses to run on the 2012 servers - it gives the messages below from VBScript and PowerShell, respectively- 
    I have tried uninstalling and re-installing several different versions of Microsoft Excel (2007 Standard, 2010 Standard, 2010 Professional Plus, 32-bit vs. 64-bit, etc.), but it makes no difference.
    Would be extremely grateful if any one out there has had any success in running Excel automation on Server 2012 in a non-interactive environment that they could share.
    ( I have tried adding the "%windir%\syswow64\config\systemprofile\desktop"
    folder, which did fix the issue for me when testing on Windows Server 2008 R2, but sadly did not resolve it on Windows Server 2012 )
    [VBScript error msg]
    Z:\TestExcelMacro.vbs(35, 1) Microsoft Office Excel: Microsoft Office Excel cannot
    access the file 'Z:\TestExcelMacro.xlsm'. There are several possible reasons:
    • The file name or path does not exist.
    • The file is being used by another program.
    • The workbook you are trying to save has the same name as a currently open work
    [Powershell error msg]
    Exception calling "Add" with "0" argument(s): "Microsoft Office Excel cannot open or save any more documents because th
    ere is not enough available memory or disk space.
     To make more memory available, close workbooks or programs you no longer need.
     To free disk space, delete files you no longer need from the disk you are saving to."
        + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
        + FullyQualifiedErrorId : ComMethodTargetInvocation
    You cannot call a method on a null-valued expression.
        + CategoryInfo          : InvalidOperation: (:) [], RuntimeException
        + FullyQualifiedErrorId : InvokeMethodOnNull

  • Installation of Client Access role fails on Windows Server 2008 R2 (Execution of: "$error.Clear(); Install-ExchangeCertificate -services "IIS, POP, IMAP")

    Hello
    I am trying to install Exchange Server 2010 beta 1 onto a Windows Server 2008 R2 (build 7000) machine which has also been set up as a domain controller.
    However when attempting to install the Client Access role, setup fails with the error below.
    Does anyone know of a way to get around this please?
    I have already searched for this error and not found any similar threads.
    Also every time I press the code button on this forum it crashes the browser and I keep losing the message! (IE8 from within Server R2). Also the message box is very small, will not expand and keeps jumping to the top.
    Thanks
    Robin
    [code]
    Summary: 4 item(s). 1 succeeded, 1 failed.
    Elapsed time: 00:00:01
    Preparing Setup
    Completed
    Elapsed Time: 00:00:00
    Client Access Role
    Failed
    Error:
    The execution of: "$error.Clear(); Install-ExchangeCertificate -services "IIS, POP, IMAP" -DomainController $RoleDomainController", generated the following error: "Could not grant Network Service access to the certificate with thumbprint 2F320F5D5B5C6873E54C8AB57F604D8AFA31D18C because a cryptographic exception was thrown.".
    Could not grant Network Service access to the certificate with thumbprint 2F320F5D5B5C6873E54C8AB57F604D8AFA31D18C because a cryptographic exception was thrown.
    Access is denied.
    Elapsed Time: 00:00:01
    Mailbox Role
    Cancelled
    Finalizing Setup
    Cancelled
    [/code]
    Robin Wilson

    Hello
    Thanks for all the replies.
    I have since wiped the system and installed everything again and it all worked this time so not sure what was wrong last time. I did try to uninstall all Exchange components and then uninstall IIS and Application server, reboot and re-install but I received the same error still when it came to installing the client access role.
    Walter: I just attempted the standard installation which should have used the default self-signed certificate. Everything was a fresh install done at the same time on a freshly formatted PC.
    For info last time when it failed to work:
    - Installed Windows Server 2008 R2
    - Installed Domain Controller role using dcpromo. I set the forest and domain as Windows Server 2008 R2
    - Added a forest trust between main domain and test Exchange domain (set up as ex2010.local)
    - Installed IIS and Application Server role
    - Installed Hyper-v role
    - Installed Desktop Experience feature
    - Installed Exchange and recieved the error
    When it worked I set up the forest and domain in Windows Server 2008 mode (i.e. not R2), installed Exchange first and then set up the forest trust and then Hyper-v. It did say it failed to configure dns which was probably because it started trying to do automatic updates half way through the dcpromo! DNS seems to work ok though.
    I did notice this time that Hyper-v gave a warning about the virtual network adapter not being set up correctly and the local network did not work correctly although I could access the internet. Not sure if this could have been related to the cause of the problem previously. For now I have disabled the virtual network until I get time to try and get it working and so the mail will work in the meantime.
    I also noticed that Hyper-v added an extra 443 ssl binding to the default website so as it had 2 bindings on port 443 it refused to start. After deleting one it worked.
    I decided to install Exchange onto a domain controller as it is only a test and I wouldn't do it in a live environment. I am also short of test machines! It didn't give me any warnings about this actually, I think previous versions warn you that it is not recommended.
    Andreas and Chinthaka: I did not know about the requirement to run the domain at 2003 mode. The main domain is running in 2008 mode with Exchange 2007 so I assume this is just a temporary beta related requirement. It does seem to be working (second attempt) so far in a 2008 mode domain although I haven't had a chance to fully test it yet.
    Thanks
    Robin
    P.S. Sorry it's taken me a while to reply!
    Robin Wilson

  • Windows 7 or Windows Server 2008 R2 domain join displays error "Changing the Primary Domain DNS name of this computer to "" failed...."

    Hi,
    Windows 7 or Windows Server 2008 R2 domain join displays error "Changing the Primary Domain DNS name of this computer to "" failed...."
    DC:windows Server 2008 R2
    Domain functional level:Windows Server 2003
    When Winxp join domain, have no this error message.
    I checked http://support.microsoft.com/kb/2018583?wa=wsignin1.0 does't work.
    There have 3 suggestion in this article:
    1.The "Disable NetBIOS over TCP/IP" checkbox has been disabled in the IPv4 properties of the computer being joined.
    Doesnt's work.
    2.Connectivity over UDP port 137 is blocked between client and the helper DC servicing the join operation in the target domain.
    On my DC, I run netstat -an, reslut as below:
     UDP    192.168.20.3:137       *:*
    3.The TCP/IPv4 protocol has been disabled so that the client being joined or the DC in the destination domain targeted by the LDAP BIND is running TCP/IPv6 only.
    We are not using IPV6.
    This server recently updated from Windows Server 2003 to Windows Server 2008 R2. Before upgrade, when Win7 and Win2008 join this domain, also have the same error message.
    Please help to check this issue.
    Thank you very much.
    BR
    Guo YingHui 

    Hi Guo Ying,
    I have faced this critical error, which overwrites existing host names in the domain when you join.
    For example: you already have a host named PC.domain.com in the domain.com domain.
    When you try to join another machine named PC to domain.com, you do not get a duplicate-name error; the join silently takes over the existing computer account for PC.domain.com and adds the new host to the domain.
    The host whose account was taken over is effectively removed from the domain. I faced this in my project: my DPM host's computer account was overwritten by the newly joined host, which halted my backups for a day. Because the join gives no warning, verify that no live machine already uses the name before joining a new one.
    The final resolution was as follows:
    Open the DNS console on the DC and expand the domain name.
    Select _msdcs; when you click on _msdcs, the list of Name Servers is shown in the right-hand pane.
    Add the Domain Naming Master under _msdcs, or add all the domain controllers you have.
    After adding the name servers, try joining the PC or laptop to the domain; it should then join successfully.
    Regards
    Anand S
    Thanks & Regards Anand Sunka MCSA+CCNA+MCTS

  • Windows Server 2008 R2 Backup failing with error - 0x8004231F

    Hi,
    I have Windows Server 2008 R2 Web Edition. Everything was working fine until recently. I checked for log files, but no log files are being created any more in C:\Windows\Logs\WindowsServerBackup. The only files
    created recently are of the types listed below.
    Wbadmin.1.etl
    WbadminUI.0.etl
    etc.
    I tried removing the old backup and starting a new one, but it still fails with the same error.
    When running the backup from PowerShell, the output is as follows.
    PS C:\Users\administrator> Wbadmin start backup -backupTarget:\\localhost\E$\WindowsImageBackup\Server01 -systemState -vss
    wbadmin 1.0 - Backup command-line tool
    (C) Copyright 2004 Microsoft Corp.
    Note: The backed up data cannot be securely protected at this destination.
    Backups stored on a remote shared folder might be accessible by other
    people on the network. You should only save your backups to a location
    where you trust the other users who have access to the location or on a
    network that has additional security precautions in place.
    Retrieving volume information...
    This will back up volume System Reserved (100.00 MB) (Selected Files),SAN(I:) (Selected Files),Local Disk(C:) (Selected
    Files) to \\localhost\E$\WindowsImageBackup\Server01.
    Do you want to start the backup operation?
    [Y] Yes [N] No y
    The backup operation to \\localhost\E$\WindowsImageBackup\Server01 is starting.
    Starting to back up the system state [12/8/2013 9:29 AM]...
    Creating a shadow copy of the volumes specified for backup...
    Creating a shadow copy of the volumes specified for backup...
    Creating a shadow copy of the volumes specified for backup...
    Summary of the backup operation:
    The backup of the system state failed [12/8/2013 9:30 AM].
    Log of files successfully backed up:
    C:\Windows\Logs\WindowsServerBackup\Backup-08-12-2013_09-29-49.log
    Log of files for which backup failed:
    C:\Windows\Logs\WindowsServerBackup\Backup_Error-08-12-2013_09-29-49.log
    There is not enough disk space to create the volume shadow copy on the storage location. Make sure that, for all volumes
     to be backup up, the minimum required disk space for shadow copy creation is available. This applies to both the backup
     storage destination and volumes included in the backup.
    Minimum requirement: For volumes less than 500 megabytes, the minimum is 50 megabytes of free space. For volumes more th
    an 500 megabytes, the minimum is 320 megabytes of free space.
    Recommended: At least 1 gigabyte of free disk space on each volume if volume size is more than 1 gigabyte.
    ERROR - A Volume Shadow Copy Service operation error has
    occurred: (0x8004231f)
    Insufficient storage available to create either the shadow copy storage file or other shadow copy data.
    Looking at the free space available on each drive, there is plenty:
    C:\ 7.5 GB free of 70 GB
    E:\ 250 GB free of 499 GB
    I:\ 86.7 GB free of 350 GB
    I am out of ideas on how to proceed. Has anyone had similar issues? Any hint would be appreciated.
    Thanks.

    Some Additional info.
    Shadow Copy Storage association
       For volume: (\\?\Volume{a9fb0474-f1bd-11e0-b235-806e6f6e6963}\)\\?\Volume{a9f
    b0474-f1bd-11e0-b235-806e6f6e6963}\
       Shadow Copy Storage volume: (\\?\Volume{a9fb0474-f1bd-11e0-b235-806e6f6e6963}
    \)\\?\Volume{a9fb0474-f1bd-11e0-b235-806e6f6e6963}\
       Used Shadow Copy Storage space: 0 B (0%)
       Allocated Shadow Copy Storage space: 0 B (0%)
       Maximum Shadow Copy Storage space: 32 MB (32%)
    Shadow Copy Storage association
       For volume: (I:)\\?\Volume{ddf6a51c-1282-11e3-b291-000c293b01d1}\
       Shadow Copy Storage volume: (I:)\\?\Volume{ddf6a51c-1282-11e3-b291-000c293b01
    d1}\
       Used Shadow Copy Storage space: 0 B (0%)
       Allocated Shadow Copy Storage space: 0 B (0%)
       Maximum Shadow Copy Storage space: 35 GB (10%)
    Shadow Copy Storage association
       For volume: (E:)\\?\Volume{0e3bf713-125d-11e3-b2dd-000c293b01bd}\
       Shadow Copy Storage volume: (E:)\\?\Volume{0e3bf713-125d-11e3-b2dd-000c293b01
    bd}\
       Used Shadow Copy Storage space: 0 B (0%)
       Allocated Shadow Copy Storage space: 0 B (0%)
       Maximum Shadow Copy Storage space: 149.999 GB (30%)
    Shadow Copy Storage association
       For volume: (C:)\\?\Volume{a9fb0475-f1bd-11e0-b235-806e6f6e6963}\
       Shadow Copy Storage volume: (C:)\\?\Volume{a9fb0475-f1bd-11e0-b235-806e6f6e69
    63}\
       Used Shadow Copy Storage space: 0 B (0%)
       Allocated Shadow Copy Storage space: 0 B (0%)
       Maximum Shadow Copy Storage space: 4.99 GB (7%)
    Hope this additional information helps the experts. One thing stands out: the first association (the unlettered volume, which appears to be the 100 MB System Reserved volume) has its shadow copy storage capped at 32 MB, which is below the 50 MB minimum the error message requires for volumes smaller than 500 MB; that cap is a likely trigger for 0x8004231F even though the data volumes have ample space.

  • Windows Server 2008 R2 Standard "Certificate Authority Service" / Exchange Server 2010 EMC not starting and no AD connectivity for authentication.

    Hello,
    I am a new IT Manager at this company and need assistance big time. Their environment looks as follows:
    Server 1. Domain Controller Server (Windows Server 2008 R2 Standard) running active directory.
    Server 2. Email Server (Windows Server 2008 R2 Standard) running Exchange Server 2010 .
    * Note. No back ups to work with aside from whats mentioned below.
    Two days ago the DC was infected with crypto-ransomware that encrypted the files on the shared network drives. Running Avast contained the infection. I had to recover the file shares, which fortunately had a backup.
    The issue is that, after this, Exchange Server 2 lost connectivity with AD on Server 1. When launching EMC on Exchange Server 2, the console fails to open with the following message:
    "No Exchange servers are available in any Active Directory sites. You can't connect to remote
    Powershell on a computer that only has the Management Tools role installed."
    Another blog post suggested the EMC launcher might be corrupt and should be reinstalled. Following those instructions I deleted the Exchange Management Console .msc file, only to discover that I then had
    no way to relaunch it. So I copied another .msc file that happened to be on DC Server 1 back to Exchange Server 2 and got it to launch again.
    Another post said it might be an issue with the computer's domain account and suggested deleting it in AD on Server 1, but rejoining from Exchange Server 2 via Computer > Properties > Change Settings > Change is greyed out because
    the server is running the Certificate Authority service.
    I tried manually re-adding the computer account in AD and modeling its permissions on another server's group settings, but no luck. After this I could no longer log in to Exchange Server 2 with domain accounts, only with the local admin, and received the following alert:
    "The Trust Relationship between this workstation and primary domain failed."
    I tried running the PowerShell tools on Exchange Server 2 to rejoin the domain and to reset the computer account password, as noted in other blogs, but with no luck: Server 2 could not connect to Server 1, or returned other errors.
    During the investigation I also found that the DNS settings had been altered on both Server 1 and Server 2. Luckily I was able to restore them to the original values because I had inventoried the settings when I started.
    I need help figuring out whether I must rejoin Exchange Server 2 manually by disabling the Certificate Authority service (or removing the CA as described here:
    https://social.technet.microsoft.com/Forums/exchange/en-US/fb23deab-0a12-410d-946c-517d5aea7fae/windows-server-2008-r2-with-certificate-authority-service-to-rejoin-domain?forum=winserversecurity
    and then get Exchange to launch again. (Bear in mind that I am relatively new to server management.) Please help; e-mail has been down for a whole day now!
    Marty

    I recommend that you open a ticket with Microsoft Support before you break things further. A domain controller that ran ransomware and whose DNS settings were tampered with should be treated as compromised, so the recovery plan needs to cover the integrity of the directory and its credentials, not just restoring the Exchange server's domain membership.
    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

  • Windows 2008 Standard SP2 inplace upgrade to Windows Server 2008 R2 Standard SP1 failing

    Hi All,
    I'm encountering an issue with performing an in-place upgrade of Windows Server 2008 SP2 to Windows Server 2008 R2 SP1.
    Server details:
    Virtual machine running on VMware ESXi 5.
    Uninstalled AV and backup software
    Domain controller also running AD Certificate Services
    UAC disabled
    Running setup as a domain admin
    When launching setup, the process completes "Copying Windows Files". A few seconds after reaching "Gathering files, settings and programs 0%", an error appears on screen:
    Windows installation encountered an unexpected error. Verify that the installation sources are accessible, and restart the installation.
    Error code: 0xC0000005
    Errors and information leading up to the fatal errors in the setupact.log setup summary:
    2013-04-28 19:26:35, Info                  MIG    Loading replacement manifest data for Microsoft-Windows-WMI-Core
    2013-04-28 19:26:35, Info                  MIG    Loading replacement manifest data for Microsoft-Windows-WSRM-Service
    2013-04-28 19:26:35, Info       [0x080841] MIG    UPGCSIAgent: Enumerating installed manifest source using C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_6.0.6002.18005_none_676975d87cc9b6e6\wcp.dll
    2013-04-28 19:26:35, Warning    [0x080405] MIG    EnablePrivilege: AdjustTokenPrivileges failed (Error:0x514)
    2013-04-28 19:26:35, Info                  CSI    00000001@2013/4/28:18:26:35.866 WcpInitialize (wcp.dll version 0.0.0.5) called (stack @0x7feeff78c85 @0x7fef1646a4e @0x7fef1646676 @0x7fef1647a53 @0x7fef164c291
    @0x7feedd728ba)
    2013-04-28 19:26:35, FatalError [0x090001] PANTHR Exception (code 0xC0000005: ACCESS_VIOLATION) occurred at 0x000007FEF00498CF in C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_6.0.6002.18005_none_676975d87cc9b6e6\wcp.dll (+00000000001498CF).
     Minidump attached (107516 bytes).
    2013-04-28 19:26:36, FatalError [0x090001] PANTHR Exception (code 0xC0000005: ACCESS_VIOLATION) occurred at 0x000007FEF00498CF in C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_6.0.6002.18005_none_676975d87cc9b6e6\wcp.dll (+00000000001498CF).
     Minidump attached (107788 bytes).
    The diagerr.xml contains the two minidumps, but they are encoded directly into the XML file. Thanks for any assistance. /Ashley

    Hi,
    Generally this kind of issue is caused by third-party programs such as CD-burning software or device drivers.
    First, please refer to this article to see whether anything there helps:
    Guide for Upgrading to Windows Server 2008 R2
    http://technet.microsoft.com/en-us/library/ff972408(v=ws.10).aspx
    Also, the description mentions a file under C:\Windows\winsxs. Check the permissions and ownership of the folder amd64_microsoft-windows-servicingstack_31bf3856ad364e35_6.0.6002.18005_none_676975d87cc9b6e6 and of the file wcp.dll, and
    compare them with the other folders. Note that the log also shows a privilege warning (AdjustTokenPrivileges failed, 0x514) immediately before the crash, which is worth checking alongside the permissions, although it is a warning rather than the fatal error itself.
    Since two minidump files were produced, you will need to use WinDbg to read them and see whether they contain further information.
    http://support.microsoft.com/kb/315263
    TechNet Subscriber Support in forum |If you have any feedback on our support, please contact [email protected]
