Windows Server 2008 R2 ( USB Port Block)

Dear Team,
I need to create a policy to restrict the USB ports for every domain user.
Please guide me in this regard.
Regards, Ravi Kumar

Hi,
You can create a Group Policy, say "USB port blocking", in your domain; this policy will apply to your domain, and all domain users will not be able to access any removable drive. Open the GPMC console, then User Configuration, then Administrative Templates, then
System, then Removable Storage Access, then select All Removable Storage access and enable it. Then go to a command prompt and type gpupdate /force.
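An added example, not part of the thread above, to verify on a client that the removable storage policy from the reply is actually in effect after gpupdate /force. It reads the registry values the Removable Storage Access policy writes (Deny_All under the RemovableStorageDevices policy key, for both the computer and user scope) and the USBSTOR driver Start value as a secondary check; it is read-only and written to run on the PowerShell 2.0 that ships with Server 2008 R2.

```powershell
# Added example (not from the original post): audit whether the
# "All Removable Storage classes: Deny all access" policy is enforced on
# this machine. Read-only; run in an elevated prompt after gpupdate /force.

function Get-RemovableStoragePolicy {
    # Registry locations the Removable Storage Access policy writes to:
    # Computer Configuration -> HKLM, User Configuration -> HKCU.
    $paths = @(
        'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices',
        'HKCU:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
    )
    foreach ($path in $paths) {
        $denyAll = $null
        if (Test-Path -Path $path) {
            $denyAll = (Get-ItemProperty -Path $path -ErrorAction SilentlyContinue).Deny_All
        }
        $scope = if ($path -like 'HKLM:*') { 'Computer' } else { 'User' }
        # Deny_All = 1 means the policy is Enabled; $null means it is not configured
        # (or the policy has not reached this scope yet).
        New-Object -TypeName PSObject -Property @{
            Scope    = $scope
            Path     = $path
            DenyAll  = $denyAll
            Enforced = ($denyAll -eq 1)
        }
    }
}

function Get-UsbStorStartType {
    # Start = 3 is the default (the usbstor driver loads on demand when a
    # storage device is connected); Start = 4 disables the driver outright.
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
    $start = (Get-ItemProperty -Path $key -Name Start -ErrorAction SilentlyContinue).Start
    $meaning = switch ($start) {
        3       { 'Manual (default: driver loads when a device is connected)' }
        4       { 'Disabled (usbstor driver will not load)' }
        default { 'Other or not found' }
    }
    New-Object -TypeName PSObject -Property @{ Start = $start; Meaning = $meaning }
}

Get-RemovableStoragePolicy | Format-Table -Property Scope, Enforced, DenyAll, Path -AutoSize
Get-UsbStorStartType | Format-List
```

A user-scope policy only shows Enforced=True when run as a user the GPO applies to, so check it from an ordinary domain user's session, not only from the administrator's.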

Similar Messages

  • Windows Server 2012 Group Policy Block USB Storage devices @ User Level Not getting applied on a Domain Client machine with Windows Server 2008 R2. Why?

    Hello,
    I have a Windows Server 2012 R2.
    I have configured the Group Policy on it to block the usage of USB storage devices at the user level on the client machines. It works properly for my Windows 7 client machines, but it's not working on one of the machines, which has Windows Server 2008 R2 installed
    on it (this machine is also a domain client in the same domain).
    I will really be thankful if anyone can suggest some solution to this issue.
    Please feel free to write back in case I have missed anything obvious that should be shared.
    Thanks!
    -Vinay Pugalia

    Hi,
    Any update?
    Just checking in to see if the suggestions were helpful. Please let us know if you would like further assistance.
    Best Regards,
    Andy Qi
    TechNet Subscriber Support
    If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.

  • Windows Server 2008 R2 only detect USB storage drives if I restart the system

    Hi, I have a Windows Server 2008 R2 with a weird behaviour. I cannot connect any USB drive (neither USB external hard disks nor pendrives). Windows Device Manager detects the device as
    Mass Storage Device, but with a yellow exclamation sign. The exact error code is:
    The device cannot start.
    However, if I restart the machine keeping the USB disk plugged in, the hard disk (or pendrive) is correctly detected and usable.
    I've tried:
    Updating the mass storage driver.
    Reviewing HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usbstor "Start",
    and it is 3 (I think that is right).
    I've tried with different USB hard disks that are working in other PCs.
    I've tried with large (>1TB) disks and small (8GB) pendrives.
    I've tried all available USB ports, front and back, with the same behaviour.
    I always get a yellow exclamation (Device cannot start), and if I restart the computer the device works perfectly.
    Can someone help me?
    Thanks in advance
    Edit: Here is the log of connecting a Kingston USB 8GB pendrive
    >>> [Device Install (Hardware initiated) - USB\VID_0930&PID_6544\C860008863DBCE801A0B24B4]
    >>> Section start 2015/01/09 09:35:49.342
    ump: Creating Install Process: DrvInst.exe 09:35:49.498
    ndv: Retrieving device info...
    ndv: Setting device parameters...
    ndv: Searching Driver Store and Device Path...
    dvi: {Build Driver List} 09:35:49.966
    dvi: Searching for hardware ID(s):
    dvi: usb\vid_0930&pid_6544&rev_0100
    dvi: usb\vid_0930&pid_6544
    dvi: Searching for compatible ID(s):
    dvi: usb\class_08&subclass_06&prot_50
    dvi: usb\class_08&subclass_06
    dvi: usb\class_08
    cpy: Policy is set to make all digital signatures equal.
    dvi: Enumerating INFs from path list 'C:\Windows\inf'
    inf: Opened PNF: 'C:\Windows\System32\DriverStore\FileRepository\usbstor.inf_amd64_neutral_26b33263a639795d\usbstor.inf' ([strings.0c0a])
    dvi: Created Driver Node:
    dvi: HardwareID - USB\Class_08&SubClass_06&Prot_50
    dvi: InfName - C:\Windows\System32\DriverStore\FileRepository\usbstor.inf_amd64_neutral_26b33263a639795d\usbstor.inf
    dvi: DevDesc - Dispositivo de almacenamiento USB
    dvi: DrvDesc - Dispositivo de almacenamiento USB
    dvi: Provider - Microsoft
    dvi: Mfg - Dispositivo de almacenamiento USB compatible
    dvi: ModelsSec - Generic.NTamd64
    dvi: InstallSec - USBSTOR_BULK
    dvi: ActualSec - USBSTOR_BULK.NT
    dvi: Rank - 0x00ff2000
    dvi: Signer - Microsoft Windows
    dvi: Signer Score - INBOX
    dvi: DrvDate - 06/21/2006
    dvi: Version - 6.1.7601.17577
    inf: Searched 1 potential matches in published INF directory
    inf: Searched 36 INFs in directory: 'C:\Windows\inf'
    dvi: {Build Driver List - exit(0x00000000)} 09:35:51.900
    ndv: Selecting best match from Driver Store (including Device Path)...
    dvi: {DIF_SELECTBESTCOMPATDRV} 09:35:51.900
    dvi: No class installer for 'DataTraveler 2.0'
    dvi: No CoInstallers found
    dvi: Default installer: Enter 09:35:51.900
    dvi: {Select Best Driver}
    dvi: Selected driver installs from section [USBSTOR_BULK] in 'c:\windows\system32\driverstore\filerepository\usbstor.inf_amd64_neutral_26b33263a639795d\usbstor.inf'.
    dvi: Class GUID of device changed to: {36fc9e60-c465-11cf-8056-444553540000}.
    dvi: Set selected driver complete.
    dvi: Selected:
    dvi: Description - [Dispositivo de almacenamiento USB]
    dvi: InfFile - [c:\windows\system32\driverstore\filerepository\usbstor.inf_amd64_neutral_26b33263a639795d\usbstor.inf]
    dvi: Section - [USBSTOR_BULK]
    dvi: Signer - [Microsoft Windows]
    dvi: Rank - [0x00ff2000]
    dvi: {Select Best Driver - exit(0x00000000)}
    dvi: Default installer: Exit
    dvi: {DIF_SELECTBESTCOMPATDRV - exit(0x00000000)} 09:35:51.916
    inf: {SetupCopyOEMInf: C:\Windows\INF\usbstor.inf} 09:35:51.931
    inf: Driver Store location: C:\Windows\System32\DriverStore\FileRepository\usbstor.inf_amd64_neutral_26b33263a639795d\usbstor.inf
    inf: Published Inf Path: C:\Windows\INF\usbstor.inf
    inf: {SetupCopyOEMInf exit (0x00000050)} 09:35:51.931
    dvi: Searching for hardware ID(s):
    dvi: usb\vid_0930&pid_6544&rev_0100
    dvi: usb\vid_0930&pid_6544
    dvi: Searching for compatible ID(s):
    dvi: usb\class_08&subclass_06&prot_50
    dvi: usb\class_08&subclass_06
    dvi: usb\class_08
    inf: Opened PNF: 'C:\Windows\System32\DriverStore\FileRepository\usbstor.inf_amd64_neutral_26b33263a639795d\usbstor.inf' ([strings.0c0a])
    dvi: Selected driver installs from section [USBSTOR_BULK] in 'c:\windows\system32\driverstore\filerepository\usbstor.inf_amd64_neutral_26b33263a639795d\usbstor.inf'.
    dvi: Class GUID of device changed to: {36fc9e60-c465-11cf-8056-444553540000}.
    dvi: Set selected driver complete.
    ndv: Driver selected, now performing install...
    ndv: {Core Device Install} 09:35:51.947
    inf: Opened PNF: 'C:\Windows\INF\usbstor.inf' ([strings.0c0a])
    inf: Opened PNF: 'C:\Windows\INF\usbstor.inf' ([strings.0c0a])
    dvi: {DIF_ALLOW_INSTALL} 09:35:52.259
    dvi: No class installer for 'Dispositivo de almacenamiento USB'
    dvi: No CoInstallers found
    dvi: Default installer: Enter 09:35:52.259
    dvi: Default installer: Exit
    dvi: {DIF_ALLOW_INSTALL - exit(0xe000020e)} 09:35:52.259
    ndv: Installing files...
    dvi: {DIF_INSTALLDEVICEFILES} 09:35:52.306
    dvi: No class installer for 'Dispositivo de almacenamiento USB'
    dvi: Default installer: Enter 09:35:52.306
    dvi: {Install FILES}
    inf: Opened PNF: 'c:\windows\system32\driverstore\filerepository\usbstor.inf_amd64_neutral_26b33263a639795d\usbstor.inf' ([strings.0c0a])
    inf: {Install Inf Section [USBSTOR_BULK.NT]}
    inf: CopyFiles=USBSTOR.CopyList (usbstor.inf line 173)
    flq: CopyFiles from an inbox inf.
    cpy: Open PnpLockdownPolicy: Err=2. This is OK. Use LockDownPolicyDefault
    flq: QueueSingleCopy...
    flq: Inf : 'c:\windows\system32\driverstore\filerepository\usbstor.inf_amd64_neutral_26b33263a639795d\usbstor.inf'
    flq: SourceInf: 'c:\windows\system32\driverstore\filerepository\usbstor.inf_amd64_neutral_26b33263a639795d\usbstor.inf'
    flq: SourceSection: [sourcedisksfiles]
    flq: Source root path based on SourceInf
    flq: SourceRootPath: 'C:\Windows\System32\DriverStore\FileRepository\usbstor.inf_amd64_neutral_26b33263a639795d'
    flq: {FILE_QUEUE_COPY}
    flq: CopyStyle - 0x09000000
    flq: {FILE_QUEUE_COPY}
    flq: CopyStyle - 0x09000000
    flq: SourceRootPath - 'C:\Windows\System32\DriverStore\FileRepository\usbstor.inf_amd64_neutral_26b33263a639795d'
    flq: SourceFilename - 'USBSTOR.SYS'
    flq: TargetDirectory- 'C:\Windows\system32\drivers'
    flq: TargetFilename - 'USBSTOR.SYS'
    flq: SourceDesc - 'windows cd'
    flq: {FILE_QUEUE_COPY exit(0x00000000)}
    flq: {FILE_QUEUE_COPY exit(0x00000000)}
    inf: {Install Inf Section [USBSTOR_BULK.NT] exit (0x00000000)}
    dvi: Processing co-installer registration section [USBSTOR_BULK.NT.CoInstallers].
    inf: {Install Inf Section [USBSTOR_BULK.NT.CoInstallers]}
    inf: {Install Inf Section [USBSTOR_BULK.NT.CoInstallers] exit (0x00000000)}
    dvi: Co-installers registered.
    dvi: {Install INTERFACES}
    dvi: Installing section [USBSTOR_BULK.NT.Interfaces]
    dvi: {Install INTERFACES exit 00000000}
    dvi: {Install FILES exit (0x00000000)}
    dvi: Default installer: Exit
    dvi: {DIF_INSTALLDEVICEFILES - exit(0x00000000)} 09:35:52.384
    ndv: Pruning file queue...
    dvi: {_SCAN_FILE_QUEUE}
    flq: ScanQ flags=620
    flq: SPQ_SCAN_PRUNE_COPY_QUEUE
    flq: SPQ_SCAN_FILE_COMPARISON
    flq: SPQ_SCAN_ACTIVATE_DRP
    flq: ScanQ number of copy nodes=1
    flq: File 'C:\Windows\system32\drivers\USBSTOR.SYS' pruned from copy.
    sig: Using catalog 'C:\Windows\system32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Package_3_for_KB982018~31bf3856ad364e35~amd64~~6.1.3.2.cat'.
    cpy: DrpSetRegFileProt 'C:\Windows\system32\drivers\USBSTOR.SYS' Status=0 Class=Inbox Windows protected
    flq: ScanQ action=200 DoPruning=32
    flq: ScanQ end Validity flags=620 CopyNodes=0
    dvi: {_SCAN_FILE_QUEUE exit(0, 0x00000000)}
    ndv: Committing file queue...
    flq: {_commit_file_queue}
    flq: CommitQ DelNodes=0 RenNodes=0 CopyNodes=0
    flq: CommitQ early exit: No nodes are queued
    flq: {_commit_file_queue exit OK}
    ndv: Registering CoInstallers...
    dvi: {DIF_REGISTER_COINSTALLERS} 09:35:54.037
    dvi: No class installer for 'Dispositivo de almacenamiento USB'
    dvi: Default installer: Enter 09:35:54.069
    inf: Opened PNF: 'c:\windows\system32\driverstore\filerepository\usbstor.inf_amd64_neutral_26b33263a639795d\usbstor.inf' ([strings.0c0a])
    inf: {Install Inf Section [USBSTOR_BULK.NT.CoInstallers]}
    inf: {Install Inf Section [USBSTOR_BULK.NT.CoInstallers] exit (0x00000000)}
    dvi: Co-installers registered.
    dvi: Default installer: Exit
    dvi: {DIF_REGISTER_COINSTALLERS - exit(0x00000000)} 09:35:54.100
    ndv: Installing interfaces...
    dvi: {DIF_INSTALLINTERFACES} 09:35:54.100
    dvi: No class installer for 'Dispositivo de almacenamiento USB'
    dvi: No CoInstallers found
    dvi: Default installer: Enter 09:35:54.100
    dvi: {Install INTERFACES}
    inf: Opened PNF: 'c:\windows\system32\driverstore\filerepository\usbstor.inf_amd64_neutral_26b33263a639795d\usbstor.inf' ([strings.0c0a])
    dvi: Installing section [USBSTOR_BULK.NT.Interfaces]
    dvi: {Install INTERFACES exit 00000000}
    dvi: Default installer: Exit
    dvi: {DIF_INSTALLINTERFACES - exit(0x00000000)} 09:35:54.100
    ndv: Installing device...
    dvi: {DIF_INSTALLDEVICE} 09:35:54.100
    dvi: No class installer for 'Dispositivo de almacenamiento USB'
    dvi: Default installer: Enter 09:35:54.100
    dvi: {Install DEVICE}
    inf: Opened PNF: 'c:\windows\system32\driverstore\filerepository\usbstor.inf_amd64_neutral_26b33263a639795d\usbstor.inf' ([strings.0c0a])
    dvi: Processing Registry/Property directives...
    inf: {Install Inf Section [USBSTOR_BULK.NT]}
    inf: AddReg=USBSTOR_BULK.AddReg (usbstor.inf line 174)
    inf: {Install Inf Section [USBSTOR_BULK.NT] exit (0x00000000)}
    inf: {Install Inf Section [USBSTOR_BULK.NT.Hw]}
    inf: Empty section
    inf: {Install Inf Section [USBSTOR_BULK.NT.Hw] exit (0x00000000)}
    dvi: {Writing Device Properties}
    dvi: Provider name=Microsoft
    dvi: DriverDate 06/21/2006
    dvi: DriverVersion=6.1.7601.17577
    dvi: Class name=USB
    dvi: Manufacturer=Dispositivo de almacenamiento USB compatible
    dvi: Matching DeviceID=usb\class_08&subclass_06&prot_50
    dvi: Strong Name=usbstor.inf:Generic.NTamd64:USBSTOR_BULK:6.1.7601.17577:usb\class_08&subclass_06&prot_50
    dvi: {Writing Device Properties - Complete}
    inf: {Install Inf Section [USBSTOR_BULK.NT.Services]}
    inf: Addservice=USBSTOR,0x00000002,USBSTOR.AddService (usbstor.inf line 177)
    inf: ServiceType=1 (usbstor.inf line 234)
    inf: StartType=3 (usbstor.inf line 235)
    inf: ErrorControl=1 (usbstor.inf line 236)
    inf: ServiceBinary=C:\Windows\system32\DRIVERS\USBSTOR.SYS (usbstor.inf line 237)
    inf: DisplayName="Controlador de dispositivo de almacenamiento USB" (usbstor.inf line 233)
    dvi: Add Service: Modified existing service 'USBSTOR'.
    inf: AddReg=DeviceSpecific (usbstor.inf line 238)
    inf: {Install Inf Section [USBSTOR_BULK.NT.Services] exit(0x00000000)}
    dvi: Updated reflected section names for: usbstor.inf
    dvi: {Install DEVICE exit (0x00000000)}
    dvi: Writing common driver property settings.
    dvi: DriverDescription=Dispositivo de almacenamiento USB
    dvi: DeviceDisplayName=Dispositivo de almacenamiento USB
    dvi: Install Device: Restarting device. 09:35:54.537
    dvi: Install Device: Restarting device completed. 09:35:57.625
    !!! dvi: Device not started: Device has problem: 0x0a: CM_PROB_FAILED_START.
    dvi: Default installer: Exit
    dvi: {DIF_INSTALLDEVICE - exit(0x00000000)} 09:35:57.641
    dvi: {DIF_NEWDEVICEWIZARD_FINISHINSTALL} 09:35:57.641
    dvi: No class installer for 'Dispositivo de almacenamiento USB'
    dvi: Default installer: Enter 09:35:57.641
    dvi: Default installer: Exit
    dvi: {DIF_NEWDEVICEWIZARD_FINISHINSTALL - exit(0xe000020e)} 09:35:57.657
    ndv: Device install status=0x00000000
    ndv: Performing device install final cleanup...
    ! ndv: Queueing up error report since device has a PnP problem...
    ndv: {Core Device Install - exit(0x00000000)} 09:35:59.201
    ump: Server install process exited with code 0x00000000 09:35:59.232
    <<< Section end 2015/01/09 09:35:59.279
    <<< [Exit status: SUCCESS]

    I tried, but Windows says that the best driver is already installed.
    Now I've just tried to delete (uninstall) absolutely all devices under Universal Serial Bus Controllers
    (host controllers, root hubs, etc.) in Device Manager, and then I clicked on
    Scan for hardware changes to force a reinstall of all USB drivers. After that I connected my USB external hard disk and it was correctly recognized and is working. However, I don't know whether, when I restart the server and connect a new USB device,
    it will continue working or not. I'll try later, because this is a production server.
    I've looked for drivers on the HP site to update or reinstall, but there isn't any driver for the motherboard or USB controller. It's an HP ML350 G6.

  • HP Pavilion p7-1451 USB 3.0 and Bluetooth drivers for Windows Server 2008 R2

    I bought an HP Pavilion p7-1451 so I could have an affordable, yet reasonably powerful machine to put a server software development environment on (I'm a software engineer).
    It came with Windows 8, but I needed Windows Server 2008 R2, which I own through an MSDN subscription.  I did what I always do in these cases: re-partitioned the hard drive, re-formatted, and installed the new operating system.
    I have nearly all devices working properly, but it still won't recognize the USB 3.0 ports and the Bluetooth device.  I searched everywhere but cannot find anything that will work.  Anything from the HP site is targeted for either Windows 7 or 8, and when trying either one of those, it tells me "Your system does not meet the operating system requirements"  and MSI does not publish any drivers at all for this particular motherboard (that I can find anyway).
    Motherboard:  MSI MS-7778  also known as: MSI 2AEO version 1.0
    BIOS:  AMI 8.12
    This is the list of "Other devices" in Device Manager that Windows doesn't recognize:
        BCM20702A0
        Universal Serial Bus (USB) Controller
        Universal Serial Bus (USB) Controller
    Bluetooth Device ID:  USB\VID_0A5C&PID_21F1&REV_0012
    USB Controller device ID:  PCI\VEN_1022&DEV_7812&SUBSYS_2AE0103C&REV_03
    Windows still doesn't recognize them after allowing it to search the internet.
    And I've googled all over the place and I'm not getting anywhere.
    Does anyone have any advice?
    Any chance this could be related to the BIOS?
    I'm not having any luck finding a BIOS download for this motherboard either.
    Any help is much appreciated!

    Holy crap, it worked!!
    My version number was slightly different in the .inf files, but I dropped the last ".1" off the end and that did the trick!
    So, the steps were:
    Get and extract the driver files:
    1. Download the AMD Chipset Drivers file from here:
          http://support.amd.com/us/gpudownload/windows/Pages/raid_windows.aspx#2
          (choose the first download in the list.  It's called "AMD Chipset Drivers")
    2. Download and install 7-Zip from here:
          http://7-zip.org/download.html
    3.  Right click the  13-4_vista_win7_win8_32-64_sb.exe  chipset file, select "7-Zip", then choose "Extract Here"
    Install the USB Host Controller driver:
    1. Open the USB Controller .inf file in Notepad from the following location:
        13-4_vista_win7_win8_32-64_sb\Packages\Drivers\SBDrv\hseries\USB30\amdxhc\W764A\amdxhc.inf
    2. Find all instances of:  .5.1.1   and replace with:  .5.1
         and save and close the file.
    3. In Device Manager, right click the first unknown "Universal Serial Bus (USB) Controller" and choose "Update Driver Software..."
    4. Choose "Browse my computer for driver software", navigate to the directory in Step 1, and click Next.
    5. Accept any warnings and choose to Install anyway...
    It should recognize and install the USB Controller driver (finally progress!)
    Repeat the same steps above for any other USB 3.0 controllers that are unrecognized.
    The devices should now say "Unknown device" instead of "Universal Serial Bus (USB) Controller".
    Windows recognizes your controllers now, but not the USB root hubs.
    For each of those "Unknown device" entries, do this to install the USB 3.0 Root Hub:
    1. Open the USB Hub .inf file in Notepad from the following location: (notice that it's a different directory)
        13-4_vista_win7_win8_32-64_sb\Packages\Drivers\SBDrv\hseries\USB30\amdhub\W764A\amdhub30.inf
    2. Find all instances of:  .5.1.1   and replace with:  .5.1
         and save and close the file.
    3. In Device Manager, right click the first "Unknown device" and choose "Update Driver Software..."
    4. Choose "Browse my computer for driver software", navigate to the directory in Step 1, and click Next.
    5. Accept any warnings and choose to Install anyway...
    I plugged in a USB 3.0 hard drive, and at first it didn't seem to work.  I tried another port and still nothing.  But after about 40 seconds the drive was recognized and all is well.  Yay!
    Thank you Paul for your help!
    Hopefully this post will help others too.
    USB 3.0 on a fresh install of Windows Server 2008 R2.
    That was easy.  :-P

  • Windows Server 2008 firewall. Inbound connection is blocked as outbound?

    I connect using "Computer Management" from computer A to computer B. Both computers are Windows Server 2008 x64 with all current hotfixes. The connection succeeds, and I don't even try to open any of the sub-snap-ins.
    But computer A (the connection source) logs the following event in its System Log:
    Log Name:      System
    Source:        Microsoft-Windows-DistributedCOM
    Date:          9/13/2008 8:59:58 PM
    Event ID:      10006
    Task Category: None
    Level:         Error
    Keywords:      Classic
    User:          N/A
    Computer:      <Computer A name's here>
    Description:
    DCOM got error "2147944122" from the computer <Computer B FQDN's here> when attempting to activate the server:
    {03837521-098B-11D8-9414-505054503030}
    And computer B (the connection destination) logs the following two events (three times each) in its Security Log:
    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          9/13/2008 9:00:11 PM
    Event ID:      5152
    Task Category: Filtering Platform Packet Drop
    Level:         Information
    Keywords:      Audit Failure
    User:          N/A
    Computer:      <Computer B name here>
    Description:
    The Windows Filtering Platform blocked a packet.
    Application Information:
     Process ID:  568
     Application Name: \device\harddiskvolume1\windows\system32\services.exe
    Network Information:
     Direction:  Inbound
     Source Address:  <Computer B IP's here>
     Source Port:  57144
     Destination Address: <Computer A IP's here>
     Destination Port:  63485
     Protocol:  6
    Filter Information:
     Filter Run-Time ID: 0
     Layer Name:  Receive/Accept
     Layer Run-Time ID: 44
    and
    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          9/13/2008 9:00:11 PM
    Event ID:      5157
    Task Category: Filtering Platform Connection
    Level:         Information
    Keywords:      Audit Failure
    User:          N/A
    Computer:      <Computer B name here>
    Description:
    The Windows Filtering Platform has blocked a connection.
    Application Information:
     Process ID:  568
     Application Name: \device\harddiskvolume1\windows\system32\services.exe
    Network Information:
     Direction:  Inbound
     Source Address:  <Computer B IP's here>
     Source Port:  57144
     Destination Address: <Computer A IP's here>
     Destination Port:  63485
     Protocol:  6
    Filter Information:
     Filter Run-Time ID: 0
     Layer Name:  Receive/Accept
     Layer Run-Time ID: 44
    Well, I already know that events 5152 and 5157 are nearly the same, so we need to look only into one of them in each case. But what's next?
    It seems to me that the firewall here treats the initial connection and a response as two different connections. So it allows the initial connection (from A to B) because I have some rules in place that are supposed to allow remote management. But then it blocks the response (from B to A). In this case, looking into the separate connection from B to A, I guess it should treat it as outbound and not filter it at all. But it still calls it "Inbound" for some reason, applies some firewall rules and blocks it.
    Are my assumptions wrong? What is the explanation for this behaviour? How do I prevent the packets from being blocked?
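An added example, not from the original post, for triaging the 5152/5157 events quoted above: it reduces each Windows Filtering Platform event message to the direction, layer, filter id, process and address pairs, so repeated blocks (the post sees each event three times) collapse into one row. It runs against a constructed sample in the post's message layout with documentation-range placeholder addresses, or against the live Security log with -Live; the function and parameter names are this example's own.

```powershell
# Added example (not from the original post): summarize WFP packet-drop (5152)
# and connection-blocked (5157) audit events. Written for PowerShell 2.0+.

function ConvertFrom-WfpBlockMessage {
    param(
        [Parameter(Mandatory=$true)][int]$EventId,
        [Parameter(Mandatory=$true)][string]$Message,
        [datetime]$Time = (Get-Date)
    )
    # Every field in a 5152/5157 message is "Label:<spaces>value" on its own line.
    function Field([string]$label) {
        $pattern = '(?m)^\s*' + [regex]::Escape($label) + '\s*:\s*(.+?)\s*$'
        if ($Message -match $pattern) { $Matches[1] } else { $null }
    }
    $kind = if ($EventId -eq 5157) { 'ConnectionBlocked' } else { 'PacketDropped' }
    New-Object -TypeName PSObject -Property @{
        Time        = $Time
        EventId     = $EventId
        Kind        = $kind
        Direction   = Field 'Direction'
        Layer       = Field 'Layer Name'
        FilterId    = Field 'Filter Run-Time ID'
        Application = Field 'Application Name'
        Src         = '{0}:{1}' -f (Field 'Source Address'), (Field 'Source Port')
        Dst         = '{0}:{1}' -f (Field 'Destination Address'), (Field 'Destination Port')
        Protocol    = Field 'Protocol'
    }
}

function Get-WfpBlocks {
    param([switch]$Live, [int]$MaxEvents = 200)
    if ($Live) {
        # Requires an elevated prompt and the "Filtering Platform" audit subcategories enabled.
        Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5152, 5157 } -MaxEvents $MaxEvents |
            ForEach-Object { ConvertFrom-WfpBlockMessage -EventId $_.Id -Message $_.Message -Time $_.TimeCreated }
    } else {
        # Constructed sample in the layout shown in the post; 192.0.2.x are placeholder addresses.
        $sample = @"
The Windows Filtering Platform has blocked a connection.
Application Information:
 Process ID:  568
 Application Name: \device\harddiskvolume1\windows\system32\services.exe
Network Information:
 Direction:  Inbound
 Source Address:  192.0.2.20
 Source Port:  57144
 Destination Address: 192.0.2.10
 Destination Port:  63485
 Protocol:  6
Filter Information:
 Filter Run-Time ID: 0
 Layer Name:  Receive/Accept
 Layer Run-Time ID: 44
"@
        ConvertFrom-WfpBlockMessage -EventId 5157 -Message $sample
    }
}

# One row per distinct block, with how many times it was logged.
Get-WfpBlocks | Group-Object -Property Kind, Direction, Layer, FilterId, Application, Src, Dst |
    Select-Object -Property Count, Name | Format-Table -AutoSize
```

Run `Get-WfpBlocks -Live` on computer B while reproducing the Computer Management connection so the rows line up with the 10006 DCOM error on computer A.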

    Many thanks. That sounds almost logical.
    Your statement regarding "no real reason to disable" is not exactly valid. There are myriad reasons to actually disable the service itself, one of which is other software that conflicts and sees the 'service' state, and not the 'profile state', of the firewall
    settings. Those products - let me give you at least one as an example... wait for it... wait for it... The 'infamous' SQL Server!
    Yes, pups and pupettes, that is correct - SQL Server does indeed give you a "false positive" during its pre-req checks and so forth, and tells you, "Oops, dear systems manager, your firewall service is still enabled... blah blah" - that's not
    the exact quote, but very close indeed. Does it bother to check and see that, "OH, well, you've got the firewall disabled for ALL profiles, so all is cool?" Noooo, of course it doesn't. [Note to Microsoft, please fix this!]
    Now, it may be okay [at this point], since I already have SQL Server properly installed and past all the "pre-checks," to re-enable the firewall service; but to just off-hand say "there's NO reason whatsoever to disable the firewall service," well, that
    is just not correct.
    For that matter, there are many of us who completely 'remove' the service - yes, it can be done - and, yes, I have written a technical article on doing just that; and, no, it will NOT cause unpredictable results - [IF] done properly and [IF] all the technical
    whatcha-ma-jig-its are lined up with the North Star when Pluto is in retrograde.
    But, yes, it is best just to let policy take care of disabling the various levels of the firewall and then leave the service as-is, since Microsoft puts more and more hooks in their OS.
    Thanks again.

  • Why does my Cisco router firewall block Windows Server 2012 traffic, but not Windows Server 2008 traffic?

    Hello,
       I run a small business network with five physical servers: three Dell servers running Windows Server 2008 R2, one custom build running 2008, and another custom build running 2012 with Domain Controller Role (same hardware for both custom builds). 
    The Dell servers are all running the Hyper-V role and each has a number of 2008 VMs.  I also have a 2012 VM with the Domain Controller Role on one of the Hyper-V servers and another VM with a completely base install of 2012.
       All servers are plugged into a Cisco SG300-52 switch which is uplinked to a Cisco 881 router which is connected to a cable TWC provided Ubee cable modem.  I have no VLANs setup.  I do have the Firewall on the router configured
    to inspect most traffic.
       Here is my problem:  I cannot connect to most of the internet on ANY 2012 server (and all exhibit the exact same behavior), but I have NO problems connecting to the internet from 2008 servers.  Here is what I already know:
       1.) I can ping the outside world just fine so ICMP is passing to any external host.
       2.) Two of the 2012 servers are DCs running DNS services and they can connect to the internet just fine for DNS requests because they are doing a perfectly good job of providing DNS services to my network.
       3.) Here's where it gets really weird: I can browse in internet explorer to Bing.com and it works.  I can also go to a couple other Microsoft websites (though they are very slow).  If I click on any link in Bing, however, it doesn't
    work and gives me a page not available error.  If I connect to a non-MS website like Google or my company website, I get page not available.
        4.) I have tried to telnet to port 80 at Bing and it works.  I have tried to telnet to port 80 at google.com and it won't connect.  The 2008 servers have no issue telnetting to either Bing or Google on port 80, and none of my client
    PCs on the network do either.
        5.) Windows Update will not connect and neither will any other update service such as AVG (I have AVG Antivirus installed WITHOUT firewall on two of the three servers. The base 2012 VM has no software installed and no roles...I built it
    just to see if it could connect after a fresh install and it still cannot.)
        6.) The network connection does not indicate limited connectivity (probably because ICMP appears to be passing successfully)
         7.) If I connect the server directly to the modem it has full internet access.
         8.) All internal LAN connectivity is perfectly fine and runs at full speed.
         9.) I have scoured the internet trying to find other examples of this particular kind of connectivity issue on 2012 and I have found two TechNet articles that are similar, but they both had the same resolution: changing the router
    worked, but no one knows why. (I would have included the links, but apparently I cannot do that yet)
    My question is this: What is different about Windows Server 2012 networking that would render it unable to communicate through a router that Windows Server 2008 has no problems with?  I ask because, unlike in these two articles where they were
    running personal networking equipment they could easily upgrade, I'm running a Cisco 881 with what should be virtually limitless configuration options, and I have no desire to replace it.  I have to assume the issue is somehow related to the firewall configuration,
    which I could fix easily, but I don't know what to change.  If anyone knows what changed in 2012 and why I would be able to browse to Bing and other MS sites but nowhere else, please pass it along.  Thanks.

    This is the IP Config for the 2012 DC:
    Windows IP Configuration
       Host Name . . . . . . . . . . . . : COMPANYDC02
       Primary Dns Suffix  . . . . . . . : company.local
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : company.local
    Ethernet adapter Ethernet:
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Intel(R) 82574L Gigabit Network Connection
       Physical Address. . . . . . . . . : 00-25-90-DC-EF-D5
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
       Link-local IPv6 Address . . . . . : fe80::81d5:53cf:bd07:14ed%12(Preferred)
       IPv4 Address. . . . . . . . . . . : 10.10.10.202(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Default Gateway . . . . . . . . . : 10.10.10.1
       DHCPv6 IAID . . . . . . . . . . . : 301999504
       DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1A-96-D5-C3-00-25-90-DC-EF-D5
       DNS Servers . . . . . . . . . . . : 10.10.10.202
                                           10.10.10.221
       NetBIOS over Tcpip. . . . . . . . : Enabled
    Tunnel adapter isatap.{9929D989-8E88-4096-A1CB-61F1DB173FA3}:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    Tunnel adapter Teredo Tunneling Pseudo-Interface:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . :
       Description . . . . . . . . . . . : Microsoft Teredo Tunneling Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    This is the IP Config for the fresh install 2012 VM:
    Windows IP Configuration
       Host Name . . . . . . . . . . . . : WIN-800299O7ES6
       Primary Dns Suffix  . . . . . . . :
       Node Type . . . . . . . . . . . . : Hybrid
       IP Routing Enabled. . . . . . . . : No
       WINS Proxy Enabled. . . . . . . . : No
       DNS Suffix Search List. . . . . . : company.local
    Ethernet adapter Ethernet:
       Connection-specific DNS Suffix  . : company.local
       Description . . . . . . . . . . . : Microsoft Hyper-V Network Adapter
       Physical Address. . . . . . . . . : 00-15-5D-0A-5C-02
       DHCP Enabled. . . . . . . . . . . : Yes
       Autoconfiguration Enabled . . . . : Yes
       IPv4 Address. . . . . . . . . . . : 10.10.10.49(Preferred)
       Subnet Mask . . . . . . . . . . . : 255.255.255.0
       Lease Obtained. . . . . . . . . . : Saturday, August 23, 2014 10:23:01 PM
       Lease Expires . . . . . . . . . . : Wednesday, August 27, 2014 10:23:01 PM
       Default Gateway . . . . . . . . . : 10.10.10.1
       DHCP Server . . . . . . . . . . . : 10.10.10.1
       DNS Servers . . . . . . . . . . . : 10.10.10.220
                                           10.10.10.221
       NetBIOS over Tcpip. . . . . . . . : Enabled
    Tunnel adapter isatap.company.local:
       Media State . . . . . . . . . . . : Media disconnected
       Connection-specific DNS Suffix  . : company.local
       Description . . . . . . . . . . . : Microsoft ISATAP Adapter
       Physical Address. . . . . . . . . : 00-00-00-00-00-00-00-E0
       DHCP Enabled. . . . . . . . . . . : No
       Autoconfiguration Enabled . . . . : Yes
    NOTE: 10.10.10.220 and 10.10.10.221 are the other domain controllers on my network.  One of them is 2012 and one of them is 2008.  They are both functioning correctly for providing DNS services.  The 2012 Virtual DC, however, still has the internet connectivity issue that this whole post was about in the first place.
    NOTE2: When I logged on to COMPANYDC02 this morning, it told me that I had new Windows Updates that needed to be downloaded.   Confused, I checked the most recent time WU had checked for updates, and it had successfully checked for updates last night at 10pm.  Of course, it failed when trying to download them, but it appears that once in a while, a connection gets through successfully...

  • Need solution for solving TIME_WAIT in TCP/IP ports in Windows Server 2008 Standard Service Pack 2

    On one of our Windows machines (OS: Windows Server 2008 Standard (Service Pack 2), 32-bit), we are facing TIME_WAIT on all the TCP/IP ports and they are not getting closed.
    On analyzing the issue, we found a solution for this at the link below:
    https://support.microsoft.com/en-us/kb/2553549
    On this page, we are able to get the hotfix for Windows Server 2008 R2 SP1, but I cannot get one for Windows Server 2008 Standard SP2 (32-bit). If we try to apply the hotfix available for SP1, it shows "The update does not apply to your System".
    Kindly provide us the solution for solving the TIME_WAIT issue on the machine.
    OS Details : Microsoft Windows Server 2008 Standard
    Version : 6.0.6002 SP2 Build 6002
    System Type : 32 bit(x86-based PC)
    Awaiting your response.
    Thank you,
    Pushpalatha.A

    Download correct version from Microsoft Update Catalog. Run it with elevated rights.
    M.

  • USB writing problem on windows server 2008

    We are using Windows Connector 2.1 (Solaris 10, srss 4.1). When running an RDP session on Windows Server 2008 and trying to write data to a USB stick connected to the Sun Ray DTU, Windows Explorer hangs for about 5 minutes. Afterwards it writes the data without problems. Whenever we try to copy a file to the USB stick the same problem occurs. When using the same Sun Ray server and an RDP session on Windows Server 2003 everything works fine.

    That's a known issue with SRWC 2.1 and it has been fixed in the latest SRWC 2.2.
    Thanks
    P.S.M.Swamiji
    Note: These are my personal opinions, nothing to do with my employer

  • WMI port range Issues windows server 2008 R2

    I've been encountering issues with communication to some of my distribution points worldwide. The server is live but is unable to receive any packages.
    I troubleshot the issue with our network group and it seems that the servers are trying to send the data through port 1027.
    Now for the kicker: these are all 2008 R2 servers and port 1027 is part of the WMI range for Server 2003. The port range for 2008 starts at 49152.
    The issue in itself is easy enough to fix, as you can see below:
    netsh int ipv4 show dynamic tcp (this gives you the current range)
    netsh int ipv4 set dynamic tcp start=49152 num=**** (this allows you to set the beginning of the range to what you want and the # of ports available)
    This requires a reboot to be effective.
    My question is, why is the default port range changing without any input from anyone?

    Hi Carl,
    As you point out, in Windows Server 2008 and later versions, and in Windows Vista and later versions, the default dynamic port range changed to the following range:
    Start port: 49152
    End port: 65535
    After my research, I found a relevant KB we can reference:
    The default dynamic port range for TCP/IP has changed in Windows Vista and in Windows Server 2008
    http://support.microsoft.com/kb/929851
    We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time.
    Thanks for helping make community forums a great place.
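    The range check the thread describes (netsh show / set dynamicport and the 49152 default from KB 929851), written up as a reusable script. This is an added example, not code from the thread or from Microsoft; it assumes an elevated Windows PowerShell 2.0 prompt on Server 2008 / 2008 R2 and that netsh prints the "Start Port" and "Number of Ports" fields shown in the comments. Function names are the example's own.

```powershell
# Added example, not from the thread: audit (and optionally reset) the
# TCP/UDP dynamic port range on Windows Server 2008 / 2008 R2 with netsh.
# Compares the live range with the default documented in KB 929851
# (start 49152, 16384 ports = 49152-65535). Run from an elevated prompt.

function Get-DynamicPortRange {
    param(
        [ValidateSet('ipv4', 'ipv6')] [string]$Family   = 'ipv4',
        [ValidateSet('tcp', 'udp')]   [string]$Protocol = 'tcp'
    )
    # "show dynamicport" prints two fields we care about, e.g.:
    #   Start Port      : 49152
    #   Number of Ports : 16384
    $lines = & netsh int $Family show dynamicport $Protocol
    $start = $null; $count = $null
    foreach ($line in $lines) {
        if ($line -match '^\s*Start Port\s*:\s*(\d+)')      { $start = [int]$Matches[1] }
        if ($line -match '^\s*Number of Ports\s*:\s*(\d+)') { $count = [int]$Matches[1] }
    }
    if ($start -eq $null -or $count -eq $null) {
        throw "Could not parse netsh output for $Family/$Protocol"
    }
    # New-Object instead of [PSCustomObject] so this runs on PowerShell 2.0
    New-Object PSObject -Property @{
        Family = $Family; Protocol = $Protocol
        Start  = $start;  Count    = $count; End = $start + $count - 1
    }
}

function Test-DynamicPortRange {
    param(
        [Parameter(Mandatory=$true)] $Range,
        [int]$ExpectedStart = 49152,   # Vista / Server 2008 default (KB 929851)
        [int]$ExpectedCount = 16384    # 49152..65535
    )
    $findings = @()
    if ($Range.Start -ne $ExpectedStart -or $Range.Count -ne $ExpectedCount) {
        $findings += ("{0}/{1} dynamic range is {2}-{3}, expected {4}-{5}" -f
            $Range.Family, $Range.Protocol, $Range.Start, $Range.End,
            $ExpectedStart, ($ExpectedStart + $ExpectedCount - 1))
    }
    if ($Range.Start -lt 49152) {
        # A range that starts low (1025 in the Server 2003 era) lets ephemeral
        # ports land on numbers that firewalls and peers treat as service
        # ports; that is the "sending on port 1027" symptom in this thread.
        $findings += "Range starts below 49152; ephemeral ports can collide with service ports"
    }
    if ($Range.End -gt 65535) {
        $findings += "Range exceeds 65535 (start + count too large)"
    }
    $findings
}

function Reset-DynamicPortRange {
    # Restores the default. As the thread notes, a reboot is required
    # before the new range is used.
    param(
        [ValidateSet('ipv4', 'ipv6')] [string]$Family   = 'ipv4',
        [ValidateSet('tcp', 'udp')]   [string]$Protocol = 'tcp'
    )
    & netsh int $Family set dynamicport $Protocol start=49152 num=16384 | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "netsh set dynamicport failed (exit $LASTEXITCODE)" }
    Write-Warning "Dynamic port range reset for $Family/$Protocol; reboot required to take effect"
}

# Usage: audit all four family/protocol combinations and report deviations.
foreach ($fam in 'ipv4', 'ipv6') {
    foreach ($proto in 'tcp', 'udp') {
        $r = Get-DynamicPortRange -Family $fam -Protocol $proto
        $problems = Test-DynamicPortRange -Range $r
        if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
        else { "{0}/{1}: {2}-{3} (default)" -f $fam, $proto, $r.Start, $r.End }
    }
}
```

    Run the audit loop as-is to see where the range stands; call Reset-DynamicPortRange only after confirming no application on the host depends on the current setting, and schedule the reboot the thread mentions.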

  • USB Controller Driver (3.0) for Windows Server 2008 Standard Edition 32-bit

    Hi,
    I have recently built an HP DL320e Gen8 v2 server with Windows Server 2008 Standard Edition 32-bit & it's missing the USB Controller Driver, which HP don't have. I have searched endlessly online without success. HP suggest I try Windows but I couldn't find it in the Download Center either.
    Can somebody please provide me with the USB Controller Driver for Windows Server 2008 Standard Edition 32-bit?
    Regards
    Naz 

    Hi,
    Thanks for your posting.
    For this issue, I think you need to search on the HP official website or contact HP support.
    Regards.
    Vivian Wang

  • How to Create a DOS Bootable USB to Create Ghost for NTFS Files and Windows Server 2008

    Hi
    How to create a DOS bootable USB,
    which shows all partition drives in DOS mode for the NTFS file system.
    I have Windows Server 2008, which has an NTFS file system on the hard disk.
    I have no CD / DVD-ROM and I cannot attach a CD / DVD because we have no permission from our organization,
    but I want to create a Ghost image.
    So I need to boot the PC from other media (USB).
    Please help me.

    Hi
    I just assembled a CD which boots DOS and can read and write to NTFS drives.
    Should you be interested in the ISO image file, which you can use to write to CD or USB, please email me at [email protected]
    Thanks
    Nuno

  • Windows Server 2008 R2 dynamic assigned ports for currently logged in users

    Hi,
    How can I find out the currently allocated dynamic ports for a user on Windows Server 2008?
    From the registry, I can see the dynamic port range for an application (1025~49151) and the system dynamic port range is 49152~65534.
    However, I am looking for the dynamic port range for users currently logged into the server.
    Please assist.
    Thanks,
    Suranjit 

    If you want to list all ports the server is currently listening on, as well as the processes using them, netstat can help you with that.
    netstat -aon | find /i "listening"
    Where -o will give you the Process ID, which can be matched up with the username.
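    The matching step the answer leaves to the reader (PID to process and account), plus the TIME_WAIT count the earlier Server 2008 SP2 thread was chasing, as one script over netstat -ano output. This is an added example, not code from either thread; it assumes an elevated Windows PowerShell 2.0 prompt (WMI can only report owners of other users' processes when elevated), and the sample netstat lines at the end are constructed for an offline dry run, not captured from a real host.

```powershell
# Added example, not from the thread: parse "netstat -ano" into objects,
# list listening ports with the owning process and account, and count
# TIME_WAIT sockets. Windows PowerShell 2.0 compatible (Server 2008 R2).

function ConvertFrom-NetstatLine {
    param([Parameter(ValueFromPipeline=$true)][string]$Line)
    process {
        # TCP rows carry a state column; UDP rows do not, hence the optional group.
        if ($Line -match '^\s*(?<proto>TCP|UDP)\s+(?<local>\S+)\s+(?<remote>\S+)\s+(?:(?<state>[A-Z_]+)\s+)?(?<pid>\d+)\s*$') {
            $local = $Matches['local']
            $sep   = $local.LastIndexOf(':')   # handles [::]:135 as well as 0.0.0.0:135
            New-Object PSObject -Property @{
                Protocol  = $Matches['proto']
                LocalAddr = $local.Substring(0, $sep)
                LocalPort = [int]$local.Substring($sep + 1)
                Remote    = $Matches['remote']
                State     = $(if ($Matches['state']) { $Matches['state'] } else { '' })
                PID       = [int]$Matches['pid']
            }
        }
    }
}

function Get-ProcessOwner {
    # Win32_Process.GetOwner() works on 2008 R2 without Get-Process -IncludeUserName.
    param([int]$ProcessId)
    $p = Get-WmiObject Win32_Process -Filter "ProcessId = $ProcessId"
    if ($p -eq $null) { return 'n/a' }
    $o = $p.GetOwner()
    if ($o.ReturnValue -eq 0) { "$($o.Domain)\$($o.User)" } else { 'n/a' }
}

function Get-ListeningPortOwner {
    param([string[]]$NetstatOutput = (& netstat -ano))
    $NetstatOutput | ConvertFrom-NetstatLine |
        Where-Object { $_.State -eq 'LISTENING' -or $_.Protocol -eq 'UDP' } |
        ForEach-Object {
            $proc = Get-Process -Id $_.PID -ErrorAction SilentlyContinue
            Add-Member -InputObject $_ -MemberType NoteProperty -Name Process -Value $(if ($proc) { $proc.ProcessName } else { 'n/a' })
            Add-Member -InputObject $_ -MemberType NoteProperty -Name Owner   -Value (Get-ProcessOwner $_.PID)
            $_
        } | Sort-Object Protocol, LocalPort
}

function Get-TimeWaitSummary {
    # TIME_WAIT is normal for a freshly closed connection; what matters is
    # whether the count keeps growing between runs, which is the behaviour
    # the Server 2008 SP2 thread describes.
    param([string[]]$NetstatOutput = (& netstat -ano))
    $tw = @($NetstatOutput | ConvertFrom-NetstatLine | Where-Object { $_.State -eq 'TIME_WAIT' })
    New-Object PSObject -Property @{
        TimeWaitCount = $tw.Count
        TopRemotes    = $tw | Group-Object Remote | Sort-Object Count -Descending | Select-Object -First 5 Name, Count
    }
}

# Constructed sample output (not captured from a real host) for an offline dry run.
$sample = @(
    '  Proto  Local Address          Foreign Address        State           PID',
    '  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       700',
    '  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4',
    '  TCP    10.10.10.49:49160      10.10.10.220:389       ESTABLISHED     520',
    '  TCP    10.10.10.49:49161      10.10.10.220:389       TIME_WAIT       0',
    '  TCP    10.10.10.49:49162      10.10.10.220:389       TIME_WAIT       0',
    '  TCP    [::]:3389              [::]:0                 LISTENING       1024',
    '  UDP    0.0.0.0:123            *:*                                    1012'
)
Get-TimeWaitSummary -NetstatOutput $sample | Format-List
$sample | ConvertFrom-NetstatLine | Where-Object { $_.State -eq 'LISTENING' } |
    Format-Table Protocol, LocalAddr, LocalPort, PID -AutoSize

# Live run on the server itself:
# Get-ListeningPortOwner | Format-Table Protocol, LocalPort, PID, Process, Owner -AutoSize
```

    The per-user view the question asks for falls out of the Owner column: group the live output by Owner to see which listeners each logged-on account holds. Ephemeral client-side ports (the 49160+ rows in the sample) show up as ESTABLISHED or TIME_WAIT rather than LISTENING, so they are covered by Get-TimeWaitSummary, not the listener list.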

  • Install windows server 2008 64bit on a poweredge sc430 using usb flash drive

    Good day Sir!
    I have 2 PowerEdge SC430 servers with Windows Server 2003 64-bit OS... I want to upgrade them to Windows Server 2008 Standard Edition R2 64-bit. I first disabled the internal CD-ROM in the BIOS and installed Win2k8 64-bit on one SC430 using an external DVD-ROM. But when I used a USB flash drive to install Win2k8 on the other SC430, the server and keyboard hang. I've already configured the boot sequence (USB drive as 1st priority). I've tried my USB flash drive on a non-Dell PC to make sure it boots well, and it worked... I think there must be something I missed in configuring the BIOS of the SC430.
    Thanks in advance!

    donpham
    Is it possible that I could have a copy of WS 2008 64-bit from you?
    Thanks!
    That's not how it works.

  • Windows 7 or Windows Server 2008 R2 domain join displays error "Changing the Primary Domain DNS name of this computer to "" failed...."

    Hi,
    Windows 7 or Windows Server 2008 R2 domain join displays error "Changing the Primary Domain DNS name of this computer to "" failed...."
    DC: Windows Server 2008 R2
    Domain functional level: Windows Server 2003
    When WinXP joins the domain, there is no such error message.
    I checked http://support.microsoft.com/kb/2018583?wa=wsignin1.0 but it doesn't work.
    There are 3 suggestions in this article:
    1. The "Disable NetBIOS over TCP/IP" checkbox has been disabled in the IPv4 properties of the computer being joined.
    Doesn't work.
    2. Connectivity over UDP port 137 is blocked between the client and the helper DC servicing the join operation in the target domain.
    On my DC, I ran netstat -an, result as below:
     UDP    192.168.20.3:137       *:*
    3. The TCP/IPv4 protocol has been disabled so that the client being joined or the DC in the destination domain targeted by the LDAP BIND is running TCP/IPv6 only.
    We are not using IPv6.
    This server was recently upgraded from Windows Server 2003 to Windows Server 2008 R2. Before the upgrade, when Win7 and Win2008 joined this domain, they also had the same error message.
    Please help to check this issue.
    Thank you very much.
    BR
    Guo YingHui 

    Hi Guo Ying,
    I have faced this critical error, which over-writes the host names in the domain when you join.
    For example: you already had a host named PC.domain.com in the domain.com domain.
    When you try to add another host named PC to the domain.com domain, it doesn't give you the duplicate name error on the network; it over-writes the existing host name PC.domain.com & adds the new host name into the domain.
    The host name which got over-written will get removed from the domain. I faced this issue in my project. My DPM host name got removed from the domain & the new host name got joined into the domain, which halted my backups for one day.
    Final resolution is as follows:
    You need to start the DNS console on the DC & drop down the domain name.
    Select _msdcs; when you click on _msdcs it will show the Name Servers list on the right hand side.
    You need to add the Domain Naming Master under _msdcs, or add all the domain controllers which you had.
    After you add the Name Servers, try joining the PC or laptop to the domain, which then joins successfully.
    Regards
    Anand S
    Thanks & Regards Anand Sunka MCSA+CCNA+MCTS

  • SChannel Fails Authentication on Windows Server 2008 R2 Using TLS1

    I am trying to use SChannel to secure a socket connection. I modified the example at
    https://msdn.microsoft.com/en-us/library/windows/desktop/aa380537(v=vs.85).aspx, converting it from Negotiate to SChannel.  Following the specs for the SSPI APIs I was able to get a Client & Server connection authenticated on Windows 7. 
    However, when I try running the same programs on Windows Server 2008 R2, either the Client side or Server side fails, depending on how I select the security protocol.
    Here is the modified example code, details about my results follow the code.
    Client.cpp
    // Client-side program to establish an SSPI socket connection
    // with a server and exchange messages.
    // Define macros and constants.
    #include "StdAfx.h"
    #include <windows.h>
    #include <winsock.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include "SspiExample.h"
    #include <string>
    #include <iostream>
    CredHandle g_hCred;
    SecHandle g_hCtext;
    #define SSPI_CLIENT "SChannelClient:" __FUNCTION__
    void main(int argc, char * argv[])
    {
        SOCKET Client_Socket;
        BYTE Data[BIG_BUFF];
        PCHAR pMessage;
        WSADATA wsaData;
        SECURITY_STATUS ss;
        DWORD cbRead;
        ULONG cbHeader;
        ULONG cbMaxMessage;
        ULONG cbTrailer;
        SecPkgContext_StreamSizes SecPkgSizes;
        SecPkgContext_PackageInfo SecPkgPkgInfo;
        SecPkgContext_ConnectionInfo ConnectionInfo;
        BOOL DoAuthentication (SOCKET s, WCHAR * pCertName);
        char Server[512] = {0};
        WCHAR CertName[512] = {0};
        // Validate cmd line parameters
        if ( argc != 3 )
        {
            LOGA ( ( __log_buf, SSPI_CLIENT " required parameters ServerName & CertName not entered.\n"));
            LOGA( ( __log_buf, SSPI_CLIENT " Abort and start over with required parameters.\n") );
            std::cin.get();
        }
        else
        {
            // argv[1] - ServerName - the name of the computer running the server sample.
            // argv[2] - TargetName the common name of the certificate provided
            // by the target server program.
            memcpy(Server, argv[1], strlen(argv[1]));
            size_t sizCN;
            mbstowcs_s(&sizCN, CertName, strlen(argv[2])+1, argv[2], _TRUNCATE);
            LOGA ( ( __log_buf, SSPI_CLIENT " input parameters - ServerName %s CertName %ls.\n", Server, CertName ));
        }
        // Initialize the socket and the SSP security package.
        if(WSAStartup (0x0101, &wsaData))
        {
            MyHandleError( __FUNCTION__ " Could not initialize winsock ");
        }
        // Connect to a server.
        SecInvalidateHandle( &g_hCtext );
        if (!ConnectAuthSocket (
            &Client_Socket,
            &g_hCred,
            &g_hCtext,
            Server,
            CertName))
        {
            MyHandleError( __FUNCTION__ " Authenticated server connection ");
        }
        LOGA ( ( __log_buf, SSPI_CLIENT " connection authenticated.\n"));
        // An authenticated session with a server has been established.
        // Receive and manage a message from the server.
        // First, find and display the name of the SSP,
        // the transport protocol supported by the SSP,
        // and the size of the header, maximum message, and
        // trailer blocks for this SSP.
        ss = QueryContextAttributes(
            &g_hCtext,
            SECPKG_ATTR_PACKAGE_INFO,
            &SecPkgPkgInfo );
        if (!SEC_SUCCESS(ss))
        {
            LOGA ( ( __log_buf, SSPI_CLIENT "QueryContextAttributes failed: 0x%08x\n", ss));
            MyHandleError( __FUNCTION__ " QueryContextAttributes failed.\n");
        }
        else
        {
            LOGA ( ( __log_buf, SSPI_CLIENT " Package Name: %ls\n", SecPkgPkgInfo.PackageInfo->Name));
        }
        // Free the allocated buffer.
        FreeContextBuffer(SecPkgPkgInfo.PackageInfo);
        ss = QueryContextAttributes(
            &g_hCtext,
            SECPKG_ATTR_STREAM_SIZES,
            &SecPkgSizes );
        if (!SEC_SUCCESS(ss))
        {
            LOGA ( ( __log_buf, SSPI_CLIENT " QueryContextAttributes failed: 0x%08x\n", ss));
            MyHandleError( __FUNCTION__ " Query context ");
        }
        cbHeader = SecPkgSizes.cbHeader;
        cbMaxMessage = SecPkgSizes.cbMaximumMessage;
        cbTrailer = SecPkgSizes.cbTrailer;
        LOGA ( ( __log_buf, SSPI_CLIENT " cbHeader %u, cbMaxMessage %u, cbTrailer %u\n", cbHeader, cbMaxMessage, cbTrailer ));
        ss = QueryContextAttributes(
            &g_hCtext,
            SECPKG_ATTR_CONNECTION_INFO,
            &ConnectionInfo );
        if (!SEC_SUCCESS(ss))
        {
            LOGA ( ( __log_buf, SSPI_CLIENT " QueryContextAttributes failed: 0x%08x\n", ss));
            MyHandleError( __FUNCTION__ " Query context ");
        }
        // Report the negotiated protocol, cipher, hash and key exchange.
        switch(ConnectionInfo.dwProtocol)
        {
            case SP_PROT_TLS1_CLIENT:
                LOGA ( ( __log_buf, SSPI_CLIENT " Protocol: TLS1\n"));
                break;
            case SP_PROT_SSL3_CLIENT:
                LOGA ( ( __log_buf, SSPI_CLIENT " Protocol: SSL3\n"));
                break;
            case SP_PROT_PCT1_CLIENT:
                LOGA ( ( __log_buf, SSPI_CLIENT " Protocol: PCT\n"));
                break;
            case SP_PROT_SSL2_CLIENT:
                LOGA ( ( __log_buf, SSPI_CLIENT " Protocol: SSL2\n"));
                break;
            default:
                LOGA ( ( __log_buf, SSPI_CLIENT " Unknown Protocol: 0x%x\n", ConnectionInfo.dwProtocol));
        }
        switch(ConnectionInfo.aiCipher)
        {
            case CALG_RC4:
                LOGA ( ( __log_buf, SSPI_CLIENT " Cipher: RC4\n"));
                break;
            case CALG_3DES:
                LOGA ( ( __log_buf, SSPI_CLIENT " Cipher: Triple DES\n"));
                break;
            case CALG_RC2:
                LOGA ( ( __log_buf, SSPI_CLIENT " Cipher: RC2\n"));
                break;
            case CALG_DES:
            case CALG_CYLINK_MEK:
                LOGA ( ( __log_buf, SSPI_CLIENT " Cipher: DES\n"));
                break;
            case CALG_SKIPJACK:
                LOGA ( ( __log_buf, SSPI_CLIENT " Cipher: Skipjack\n"));
                break;
            case CALG_AES_256:
                LOGA ( ( __log_buf, SSPI_CLIENT " Cipher: AES 256\n"));
                break;
            default:
                LOGA ( ( __log_buf, SSPI_CLIENT " Unknown Cipher: 0x%x\n", ConnectionInfo.aiCipher));
        }
        LOGA ( ( __log_buf, SSPI_CLIENT " Cipher strength: %d\n", ConnectionInfo.dwCipherStrength));
        switch(ConnectionInfo.aiHash)
        {
            case CALG_MD5:
                LOGA ( ( __log_buf, SSPI_CLIENT " Hash: MD5\n"));
                break;
            case CALG_SHA:
                LOGA ( ( __log_buf, SSPI_CLIENT " Hash: SHA\n"));
                break;
            default:
                LOGA ( ( __log_buf, SSPI_CLIENT " Unknown Hash: 0x%x\n", ConnectionInfo.aiHash));
        }
        LOGA ( ( __log_buf, SSPI_CLIENT " Hash strength: %d\n", ConnectionInfo.dwHashStrength));
        switch(ConnectionInfo.aiExch)
        {
            case CALG_RSA_KEYX:
            case CALG_RSA_SIGN:
                LOGA ( ( __log_buf, SSPI_CLIENT " Key exchange: RSA\n"));
                break;
            case CALG_KEA_KEYX:
                LOGA ( ( __log_buf, SSPI_CLIENT " Key exchange: KEA\n"));
                break;
            case CALG_DH_EPHEM:
                LOGA ( ( __log_buf, SSPI_CLIENT " Key exchange: DH Ephemeral\n"));
                break;
            default:
                LOGA ( ( __log_buf, SSPI_CLIENT " Unknown Key exchange: 0x%x\n", ConnectionInfo.aiExch));
        }
        LOGA ( ( __log_buf, SSPI_CLIENT " Key exchange strength: %d\n", ConnectionInfo.dwExchStrength));
        // Decrypt and display the message from the server.
        if (!ReceiveBytes(
            Client_Socket,
            Data,
            BIG_BUFF,
            &cbRead))
        {
            MyHandleError( __FUNCTION__ " No response from server\n");
        }
        if (0 == cbRead)
        {
            MyHandleError(__FUNCTION__ " Zero bytes received.\n");
        }
        pMessage = (PCHAR) DecryptThis(
            Data,
            &cbRead,
            &g_hCtext);
        // Skip the header to get the decrypted message
        pMessage += cbHeader;
        ULONG cbMessage = cbRead-cbHeader-cbTrailer;
        if ((cbMessage == strlen(TEST_MSG)) &&
            !strncmp(pMessage, TEST_MSG, strlen(TEST_MSG)) )
        {
            LOGA ( ( __log_buf, SSPI_CLIENT " SUCCESS!! The message from the server is \n -> %.*s \n",
                cbMessage, pMessage ));
        }
        else
        {
            LOGA ( ( __log_buf, SSPI_CLIENT " UNEXPECTED message from the server: \n -> %.*s \n",
                cbMessage, pMessage ));
            LOGA ( ( __log_buf, SSPI_CLIENT " rcvd msg size %u, exp size %u\n", cbMessage, strlen(TEST_MSG) ));
        }
        // Terminate socket and security package.
        DeleteSecurityContext (&g_hCtext);
        FreeCredentialHandle (&g_hCred);
        shutdown (Client_Socket, 2);
        closesocket (Client_Socket);
        if (SOCKET_ERROR == WSACleanup ())
        {
            MyHandleError( __FUNCTION__ " Problem with socket cleanup ");
        }
        exit (EXIT_SUCCESS);
    } // end main
    // ConnectAuthSocket establishes an authenticated socket connection
    // with a server and initializes needed security package resources.
    BOOL ConnectAuthSocket (
        SOCKET *s,
        CredHandle *g_hCred,
        PSecHandle phCtext,
        char * pServer,
        WCHAR * pCertName)
    {
        unsigned long ulAddress;
        struct hostent *pHost;
        SOCKADDR_IN sin;
        // Lookup the server's address.
        LOGA ( ( __log_buf, SSPI_CLIENT " entry.\n"));
        ulAddress = inet_addr (pServer);
        if (INADDR_NONE == ulAddress)
        {
            LOGA ( ( __log_buf, SSPI_CLIENT " calling gethostbyname with %s.\n", pServer ));
            pHost = gethostbyname (pServer);
            if (NULL == pHost)
            {
                MyHandleError(__FUNCTION__ " Unable to resolve host name ");
            }
            memcpy((char FAR *)&ulAddress, pHost->h_addr, pHost->h_length);
            std::string ipAddrStr;
            ipAddrStr = inet_ntoa( *(struct in_addr*)*pHost->h_addr_list);
            LOGA ( ( __log_buf, __FUNCTION__ " gethostbyname - ipAddress %s, name %s.\n", ipAddrStr.c_str(), pHost->h_name ) );
        }
        // Create the socket.
        *s = socket (
            PF_INET,
            SOCK_STREAM,
            0);
        if (INVALID_SOCKET == *s)
        {
            MyHandleError(__FUNCTION__ " Unable to create socket");
        }
        else
        {
            LOGA ( ( __log_buf, SSPI_CLIENT " Socket created.\n"));
        }
        sin.sin_family = AF_INET;
        sin.sin_addr.s_addr = ulAddress;
        sin.sin_port = htons (g_usPort);
        // Connect to the server.
        if (connect (*s, (LPSOCKADDR) &sin, sizeof (sin)))
        {
            closesocket (*s);
            MyHandleError( __FUNCTION__ " Connect failed ");
        }
        LOGA ( ( __log_buf, SSPI_CLIENT " Connection established.\n"));
        // Authenticate the connection.
        if (!DoAuthentication (*s, pCertName))
        {
            closesocket (*s);
            MyHandleError( __FUNCTION__ " Authentication ");
        }
        LOGA ( ( __log_buf, SSPI_CLIENT " success.\n"));
        return(TRUE);
    } // end ConnectAuthSocket
    BOOL DoAuthentication (SOCKET s, WCHAR * pCertName)
    {
        BOOL fDone = FALSE;
        DWORD cbOut = 0;
        DWORD cbIn = 0;
        PBYTE pInBuf;
        PBYTE pOutBuf;
        if(!(pInBuf = (PBYTE) malloc(MAXMESSAGE)))
        {
            MyHandleError( __FUNCTION__ " Memory allocation ");
        }
        if(!(pOutBuf = (PBYTE) malloc(MAXMESSAGE)))
        {
            MyHandleError( __FUNCTION__ " Memory allocation ");
        }
        cbOut = MAXMESSAGE;
        LOGA ( ( __log_buf, SSPI_CLIENT " 1st message.\n"));
        // First leg of the handshake: no input token from the server yet.
        if (!GenClientContext (
            NULL,
            0,
            pOutBuf,
            &cbOut,
            &fDone,
            pCertName,
            &g_hCred,
            &g_hCtext))
        {
            LOGA ( ( __log_buf, SSPI_CLIENT " GenClientContext failed\n"));
            return(FALSE);
        }
        if (!SendMsg (s, pOutBuf, cbOut ))
        {
            MyHandleError(__FUNCTION__ " Send message failed ");
        }
        // Keep exchanging tokens until the package reports the context is complete.
        while (!fDone)
        {
            if (!ReceiveMsg (
                s,
                pInBuf,
                MAXMESSAGE,
                &cbIn))
            {
                MyHandleError( __FUNCTION__ " Receive message failed ");
            }
            cbOut = MAXMESSAGE;
            LOGA ( ( __log_buf, SSPI_CLIENT " Message loop.\n"));
            if (!GenClientContext (
                pInBuf,
                cbIn,
                pOutBuf,
                &cbOut,
                &fDone,
                pCertName,
                &g_hCred,
                &g_hCtext))
            {
                MyHandleError( __FUNCTION__ " GenClientContext failed");
            }
            if (!SendMsg (
                s,
                pOutBuf,
                cbOut))
            {
                MyHandleError( __FUNCTION__ " Send message failed");
            }
            LOGA ( ( __log_buf, SSPI_CLIENT " fDone %s.\n", fDone ? "Yes" : "No" ));
        }
        if (NULL != pInBuf)
        {
            free(pInBuf);
            pInBuf = NULL;
        }
        if (NULL != pOutBuf)
        {
            free(pOutBuf);
            pOutBuf = NULL;
        }
        LOGA ( ( __log_buf, SSPI_CLIENT " exit.\n"));
        return(TRUE);
    } // end DoAuthentication
    BOOL GenClientContext (
        BYTE *pIn,
        DWORD cbIn,
        BYTE *pOut,
        DWORD *pcbOut,
        BOOL *pfDone,
        WCHAR *pCertName,
        CredHandle *g_hCred,
        struct _SecHandle *g_hCtext)
    {
        SECURITY_STATUS ss;
        TimeStamp Lifetime;
        SecBufferDesc OutBuffDesc;
        SecBuffer OutSecBuff;
        SecBufferDesc InBuffDesc;
        SecBuffer InSecBuff[2];
        ULONG ContextAttributes;
        static TCHAR lpPackageName[1024];
        if( NULL == pIn )
        {
            // The size argument of wcscpy_s is a character count, not a byte count.
            wcscpy_s(lpPackageName, _countof(lpPackageName), UNISP_NAME );
            ss = AcquireCredentialsHandle (
                NULL,
                lpPackageName,
                SECPKG_CRED_OUTBOUND,
                NULL,
                NULL,
                NULL,
                NULL,
                g_hCred,
                &Lifetime);
            if (!(SEC_SUCCESS (ss)))
            {
                MyHandleError( __FUNCTION__ " AcquireCreds failed ");
            }
        }
        // Prepare the buffers.
        OutBuffDesc.ulVersion = 0;
        OutBuffDesc.cBuffers = 1;
        OutBuffDesc.pBuffers = &OutSecBuff;
        OutSecBuff.cbBuffer = *pcbOut;
        OutSecBuff.BufferType = SECBUFFER_TOKEN;
        OutSecBuff.pvBuffer = pOut;
        // The input buffer is created only if a message has been received
        // from the server.
        if (pIn)
        {
            LOGA ( ( __log_buf, SSPI_CLIENT " Call InitializeSecurityContext with pIn supplied.\n"));
            InBuffDesc.ulVersion = 0;
            InBuffDesc.cBuffers = 1;
            InBuffDesc.pBuffers = InSecBuff;
            InSecBuff[0].cbBuffer = cbIn;
            InSecBuff[0].BufferType = SECBUFFER_TOKEN;
            InSecBuff[0].pvBuffer = pIn;
            InSecBuff[1].pvBuffer = NULL;
            InSecBuff[1].cbBuffer = 0;
            InSecBuff[1].BufferType = SECBUFFER_EMPTY;
            ss = InitializeSecurityContext (
                g_hCred,
                g_hCtext,
                pCertName,
                MessageAttribute,
                0,
                0,
                &InBuffDesc,
                0,
                g_hCtext,
                &OutBuffDesc,
                &ContextAttributes,
                &Lifetime);
        }
        else
        {
            LOGA ( ( __log_buf, SSPI_CLIENT " Call InitializeSecurityContext with NULL pIn.\n"));
            ss = InitializeSecurityContext (
                g_hCred,
                NULL,
                pCertName,
                MessageAttribute,
                0,
                0,
                NULL,
                0,
                g_hCtext,
                &OutBuffDesc,
                &ContextAttributes,
                &Lifetime);
        }
        if (!SEC_SUCCESS (ss))
        {
            LOGA ( ( __log_buf, SSPI_CLIENT " InitializeSecurityContext failed with error 0x%08x\n", ss));
            MyHandleError ( __FUNCTION__ " InitializeSecurityContext failed " );
        }
        LOGA ( ( __log_buf, SSPI_CLIENT " InitializeSecurityContext returned 0x%08x\n", ss));
        // If necessary, complete the token.
        if ((SEC_I_COMPLETE_NEEDED == ss)
            || (SEC_I_COMPLETE_AND_CONTINUE == ss))
        {
            ss = CompleteAuthToken (g_hCtext, &OutBuffDesc);
            if (!SEC_SUCCESS(ss))
            {
                LOGA ( ( __log_buf, SSPI_CLIENT " complete failed: 0x%08x\n", ss));
                return FALSE;
            }
        }
        *pcbOut = OutSecBuff.cbBuffer;
        *pfDone = !((SEC_I_CONTINUE_NEEDED == ss) ||
            (SEC_I_COMPLETE_AND_CONTINUE == ss));
        LOGA ( ( __log_buf, SSPI_CLIENT " Token buffer generated (%lu bytes):\n", OutSecBuff.cbBuffer));
        PrintHexDump (OutSecBuff.cbBuffer, (PBYTE)OutSecBuff.pvBuffer);
        return TRUE;
    } // end GenClientContext
    PBYTE DecryptThis(
        PBYTE pBuffer,
        LPDWORD pcbMessage,
        struct _SecHandle *hCtxt)
    {
        SECURITY_STATUS ss;
        SecBufferDesc BuffDesc;
        SecBuffer SecBuff[4];
        ULONG ulQop = 0;
        // By agreement, the server encrypted the message and set the size
        // of the trailer block to be just what it needed. DecryptMessage
        // needs the size of the trailer block.
        // The size of the trailer is in the first DWORD of the
        // message received.
        LOGA ( ( __log_buf, SSPI_CLIENT " data before decryption including trailer (%lu bytes):\n",
            *pcbMessage));
        PrintHexDump (*pcbMessage, (PBYTE) pBuffer);
        // Prepare the buffers to be passed to the DecryptMessage function.
        // SChannel expects one DATA buffer followed by three EMPTY buffers,
        // which it fills in with the header, data and trailer on return.
        BuffDesc.ulVersion = 0;
        BuffDesc.cBuffers = 4;
        BuffDesc.pBuffers = SecBuff;
        SecBuff[0].cbBuffer = *pcbMessage;
        SecBuff[0].BufferType = SECBUFFER_DATA;
        SecBuff[0].pvBuffer = pBuffer;
        SecBuff[1].cbBuffer = 0;
        SecBuff[1].BufferType = SECBUFFER_EMPTY;
        SecBuff[1].pvBuffer = NULL;
        SecBuff[2].cbBuffer = 0;
        SecBuff[2].BufferType = SECBUFFER_EMPTY;
        SecBuff[2].pvBuffer = NULL;
        SecBuff[3].cbBuffer = 0;
        SecBuff[3].BufferType = SECBUFFER_EMPTY;
        SecBuff[3].pvBuffer = NULL;
        ss = DecryptMessage(
            hCtxt,
            &BuffDesc,
            0,
            &ulQop);
        if (!SEC_SUCCESS(ss))
        {
            LOGA ( ( __log_buf, SSPI_CLIENT " DecryptMessage failed with error 0x%08x\n", ss));
        }
        else
        {
            LOGA ( ( __log_buf, SSPI_CLIENT " DecryptMessage success? Status: 0x%08x\n", ss));
        }
        // Return a pointer to the decrypted data. The trailer data
        // is discarded.
        return pBuffer;
    } // end DecryptThis
    PBYTE VerifyThis(
        PBYTE pBuffer,
        LPDWORD pcbMessage,
        struct _SecHandle *hCtxt,
        ULONG cbMaxSignature)
    {
        SECURITY_STATUS ss;
        SecBufferDesc BuffDesc;
        SecBuffer SecBuff[2];
        ULONG ulQop = 0;
        PBYTE pSigBuffer;
        PBYTE pDataBuffer;
        // The global cbMaxSignature is the size of the signature
        // in the message received.
        LOGA ( ( __log_buf, SSPI_CLIENT " data before verifying (including signature):\n"));
        PrintHexDump (*pcbMessage, pBuffer);
        // By agreement with the server,
        // the signature is at the beginning of the message received,
        // and the data that was signed comes after the signature.
        pSigBuffer = pBuffer;
        pDataBuffer = pBuffer + cbMaxSignature;
        // The size of the message is reset to the size of the data only.
        *pcbMessage = *pcbMessage - (cbMaxSignature);
        // Prepare the buffers to be passed to the signature verification
        // function.
        BuffDesc.ulVersion = 0;
        BuffDesc.cBuffers = 2;
        BuffDesc.pBuffers = SecBuff;
        SecBuff[0].cbBuffer = cbMaxSignature;
        SecBuff[0].BufferType = SECBUFFER_TOKEN;
        SecBuff[0].pvBuffer = pSigBuffer;
        SecBuff[1].cbBuffer = *pcbMessage;
        SecBuff[1].BufferType = SECBUFFER_DATA;
        SecBuff[1].pvBuffer = pDataBuffer;
        ss = VerifySignature(
            hCtxt,
            &BuffDesc,
            0,
            &ulQop);
        if (!SEC_SUCCESS(ss))
        {
            LOGA ( ( __log_buf, SSPI_CLIENT " VerifyMessage failed with error 0x%08x\n", ss));
        }
        else
        {
            LOGA ( ( __log_buf, SSPI_CLIENT " Message was properly signed.\n"));
        }
        return pDataBuffer;
    } // end VerifyThis
    void PrintHexDump(
        DWORD length,
        PBYTE buffer)
    {
        DWORD i,count,index;
        CHAR rgbDigits[]="0123456789abcdef";
        CHAR rgbLine[100];
        char cbLine;
        // One line per 16 bytes: offset, hex bytes, then printable ASCII.
        for(index = 0; length;
            length -= count, buffer += count, index += count)
        {
            count = (length > 16) ? 16:length;
            sprintf_s(rgbLine, 100, "%4.4x ",index);
            cbLine = 6;
            for(i=0;i<count;i++)
            {
                rgbLine[cbLine++] = rgbDigits[buffer[i] >> 4];
                rgbLine[cbLine++] = rgbDigits[buffer[i] & 0x0f];
                if(i == 7)
                {
                    rgbLine[cbLine++] = ':';
                }
                else
                {
                    rgbLine[cbLine++] = ' ';
                }
            }
            // Pad short final lines so the ASCII column lines up.
            for(; i < 16; i++)
            {
                rgbLine[cbLine++] = ' ';
                rgbLine[cbLine++] = ' ';
                rgbLine[cbLine++] = ' ';
            }
            rgbLine[cbLine++] = ' ';
            for(i = 0; i < count; i++)
            {
                if(buffer[i] < 32 || buffer[i] > 126)
                {
                    rgbLine[cbLine++] = '.';
                }
                else
                {
                    rgbLine[cbLine++] = buffer[i];
                }
            }
            rgbLine[cbLine++] = 0;
            LOGA ( ( __log_buf, SSPI_CLIENT " %s\n", rgbLine));
        }
    } // end PrintHexDump
    BOOL SendMsg (
        SOCKET s,
        PBYTE pBuf,
        DWORD cbBuf)
    {
        if (0 == cbBuf)
        {
            return(TRUE);
        }
        // Send the size of the message.
        LOGA ( ( __log_buf, SSPI_CLIENT " %lu bytes\n", cbBuf ));
        if (!SendBytes (s, (PBYTE)&cbBuf, sizeof (cbBuf)))
        {
            LOGA ( ( __log_buf, SSPI_CLIENT " size failed.\n" ) );
            return(FALSE);
        }
        // Send the body of the message.
        if (!SendBytes (
            s,
            pBuf,
            cbBuf))
        {
            LOGA ( ( __log_buf, SSPI_CLIENT " body failed.\n" ) );
            return(FALSE);
        }
        LOGA ( ( __log_buf, SSPI_CLIENT " success\n" ) );
        return(TRUE);
    } // end SendMsg
    BOOL ReceiveMsg (
        SOCKET s,
        PBYTE pBuf,
        DWORD cbBuf,
        DWORD *pcbRead)
    {
        DWORD cbRead;
        DWORD cbData;
        // Receive the number of bytes in the message.
        LOGA ( ( __log_buf, SSPI_CLIENT " entry.\n" ));
        if (!ReceiveBytes (
            s,
            (PBYTE)&cbData,
            sizeof (cbData),
            &cbRead))
        {
            return(FALSE);
        }
        if (sizeof (cbData) != cbRead)
        {
            LOGA ( ( __log_buf, SSPI_CLIENT " failed: size of cbData %lu, bytes %lu\n", sizeof (cbData), cbRead));
            return(FALSE);
        }
        // Read the full message.
        if (!ReceiveBytes (
            s,
            pBuf,
            cbData,
            &cbRead))
        {
            return(FALSE);
        }
        if (cbRead != cbData)
        {
            return(FALSE);
        }
        *pcbRead = cbRead;
        return(TRUE);
    } // end ReceiveMessage
    BOOL SendBytes (
        SOCKET s,
        PBYTE pBuf,
        DWORD cbBuf)
    {
        PBYTE pTemp = pBuf;
        int cbSent;
        int cbRemaining = cbBuf;
        if (0 == cbBuf)
        {
            return(TRUE);
        }
        // send() may write fewer bytes than asked for; loop until all are out.
        while (cbRemaining)
        {
            LOGA ( ( __log_buf, SSPI_CLIENT " %lu bytes.\n", cbRemaining ));
            cbSent = send (
                s,
                (const char *)pTemp,
                cbRemaining,
                0);
            if (SOCKET_ERROR == cbSent)
            {
                LOGA ( ( __log_buf, SSPI_CLIENT " send failed: 0x%08.8X\n", GetLastError ()));
                return FALSE;
            }
            pTemp += cbSent;
            cbRemaining -= cbSent;
        }
        LOGA ( ( __log_buf, SSPI_CLIENT " success\n" ) );
        return TRUE;
    } // end SendBytes
    BOOL ReceiveBytes (
        SOCKET s,
        PBYTE pBuf,
        DWORD cbBuf,
        DWORD *pcbRead)
    {
        PBYTE pTemp = pBuf;
        int cbRead, cbRemaining = cbBuf;
        LOGA ( ( __log_buf, SSPI_CLIENT " Entry: %lu bytes.\n", cbRemaining ));
        // Loop until the requested count arrives or the peer closes (recv returns 0).
        while (cbRemaining)
        {
            cbRead = recv (
                s,
                (char *)pTemp,
                cbRemaining,
                0);
            LOGA ( ( __log_buf, SSPI_CLIENT " %lu bytes remaining.\n", cbRemaining ));
            if (0 == cbRead)
            {
                break;
            }
            if (SOCKET_ERROR == cbRead)
            {
                LOGA ( ( __log_buf, SSPI_CLIENT " recv failed: 0x%08.8X\n", GetLastError ()));
                return FALSE;
            }
            cbRemaining -= cbRead;
            pTemp += cbRead;
        }
        *pcbRead = cbBuf - cbRemaining;
        LOGA ( ( __log_buf, SSPI_CLIENT " success.\n" ));
        return TRUE;
    } // end ReceiveBytes
    void MyHandleError(char *s)
    {
        DWORD err = GetLastError();
        if (err)
        {
            LOGA ( ( __log_buf, SSPI_CLIENT " %s error (0x%08.8X). Exiting.\n",s, err ));
        }
        else
        {
            LOGA ( ( __log_buf, SSPI_CLIENT " %s error (no error info). Exiting.\n",s ));
        }
        exit (EXIT_FAILURE);
    } // end MyHandleError
Server.cpp

// This is a server-side SSPI Windows Sockets program.
#include "StdAfx.h"
#include <windows.h>
#include <winsock.h>
#include <stdio.h>
#include <stdlib.h>
#include "Sspiexample.h"
#include <iostream>

CredHandle g_hcred;
struct _SecHandle g_hctxt;
static PBYTE g_pInBuf = NULL;
static PBYTE g_pOutBuf = NULL;
static DWORD g_cbMaxMessage;
static TCHAR g_lpPackageName[1024];

BOOL AcceptAuthSocket (SOCKET *ServerSocket, std::string certThumb );

#define SSPI_SERVER "SChannelServer:" __FUNCTION__

void main (int argc, char * argv[])
{
    CHAR pMessage[200];
    DWORD cbMessage;
    PBYTE pDataToClient = NULL;
    DWORD cbDataToClient = 0;
    PWCHAR pUserName = NULL;
    DWORD cbUserName = 0;
    SOCKET Server_Socket;
    WSADATA wsaData;
    SECURITY_STATUS ss;
    PSecPkgInfo pkgInfo;
    SecPkgContext_StreamSizes SecPkgSizes;
    SecPkgContext_PackageInfo SecPkgPkgInfo;
    ULONG cbMaxMessage;
    ULONG cbHeader;
    ULONG cbTrailer;
    std::string certThumb;

    // Create a certificate if no thumbprint is supplied. Otherwise, use the provided
    // thumbprint to find the certificate.
    if ( (argc > 1) && (strlen( argv[1]) > 0) )
    {
        certThumb.assign(argv[1]);
    }
    else
    {
        LOGA( ( __log_buf, SSPI_SERVER " : No certificate thumbprint supplied.\n") );
        LOGA( ( __log_buf, SSPI_SERVER " : Press ENTER to create a certificate, or abort and start over with a thumbprint.\n") );
        std::cin.get();
        certThumb.clear();
        // Insert code to find or create X.509 certificate.
    }

    // Set the default package to SChannel.
    // wcscpy_s takes the destination size in characters, not bytes.
    wcscpy_s(g_lpPackageName, _countof(g_lpPackageName), UNISP_NAME);

    // Initialize the socket interface and the security package.
    if( WSAStartup (0x0101, &wsaData))
    {
        LOGA ( ( __log_buf, SSPI_SERVER " Could not initialize winsock: \n") );
        cleanup();
    }
    ss = QuerySecurityPackageInfo (
        g_lpPackageName,
        &pkgInfo);
    if (!SEC_SUCCESS(ss))
    {
        LOGA ( ( __log_buf, SSPI_SERVER " Could not query package info for %ls, error 0x%08x\n",
            g_lpPackageName, ss) );
        cleanup();
    }
    g_cbMaxMessage = pkgInfo->cbMaxToken;
    FreeContextBuffer(pkgInfo);
    g_pInBuf = (PBYTE) malloc (g_cbMaxMessage);
    g_pOutBuf = (PBYTE) malloc (g_cbMaxMessage);
    if (NULL == g_pInBuf || NULL == g_pOutBuf)
    {
        LOGA ( ( __log_buf, SSPI_SERVER " Memory allocation error.\n"));
        cleanup();
    }

    // Start looping for clients.
    while(TRUE)
    {
        LOGA ( ( __log_buf, SSPI_SERVER " Waiting for client to connect...\n"));
        // Make an authenticated connection with client.
        if (!AcceptAuthSocket (&Server_Socket, certThumb ))
        {
            LOGA ( ( __log_buf, SSPI_SERVER " Could not authenticate the socket.\n"));
            cleanup();
        }
        ss = QueryContextAttributes(
            &g_hctxt,
            SECPKG_ATTR_STREAM_SIZES,
            &SecPkgSizes );
        if (!SEC_SUCCESS(ss))
        {
            LOGA ( ( __log_buf, SSPI_SERVER " failed: 0x%08x\n", ss));
            exit(1);
        }
        // The following values are used for encryption and signing.
        cbMaxMessage = SecPkgSizes.cbMaximumMessage;
        cbHeader = SecPkgSizes.cbHeader;
        cbTrailer = SecPkgSizes.cbTrailer;
        LOGA ( ( __log_buf, SSPI_SERVER " cbHeader %u, cbMaxMessage %u, cbTrailer %u\n", cbHeader, cbMaxMessage, cbTrailer ));
        ss = QueryContextAttributes(
            &g_hctxt,
            SECPKG_ATTR_PACKAGE_INFO,
            &SecPkgPkgInfo );
        if (!SEC_SUCCESS(ss))
        {
            LOGA ( ( __log_buf, SSPI_SERVER " failed: 0x%08x\n", ss));
            exit(1);
        }
        else
        {
            LOGA ( ( __log_buf, SSPI_SERVER " Package Name: %ls\n", SecPkgPkgInfo.PackageInfo->Name));
            // Free the allocated buffer.
            FreeContextBuffer(SecPkgPkgInfo.PackageInfo);
        }
        // Send the client an encrypted message.
        strcpy_s(pMessage, sizeof(pMessage), TEST_MSG);
        cbMessage = (DWORD)strlen(pMessage);
        if (!EncryptThis (
            (PBYTE) pMessage,
            cbMessage,
            &pDataToClient,
            &cbDataToClient,
            cbHeader,
            cbTrailer))
        {
            LOGA ( ( __log_buf, SSPI_SERVER " EncryptThis failed. \n"));
            cleanup();
        }
        // Send the encrypted data to client.
        if (!SendBytes(
            Server_Socket,
            pDataToClient,
            cbDataToClient))
        {
            LOGA ( ( __log_buf, SSPI_SERVER " send message failed. \n"));
            cleanup();
        }
        LOGA ( ( __log_buf, SSPI_SERVER " %d encrypted bytes sent. \n", cbDataToClient));
        if (Server_Socket)
        {
            DeleteSecurityContext (&g_hctxt);
            FreeCredentialHandle (&g_hcred);
            shutdown (Server_Socket, 2) ;
            closesocket (Server_Socket);
            Server_Socket = 0;
        }
        if (pUserName)
        {
            free (pUserName);
            pUserName = NULL;
            cbUserName = 0;
        }
        if(pDataToClient)
        {
            free (pDataToClient);
            pDataToClient = NULL;
            cbDataToClient = 0;
        }
    } // end while loop
    LOGA ( ( __log_buf, SSPI_SERVER " Server ran to completion without error.\n"));
    cleanup();
} // end main
BOOL AcceptAuthSocket (SOCKET *ServerSocket, std::string certThumb )
{
    SOCKET sockListen;
    SOCKET sockClient;
    SOCKADDR_IN sockIn;

    // Create listening socket.
    sockListen = socket (
        PF_INET,
        SOCK_STREAM,
        0);
    if (INVALID_SOCKET == sockListen)
    {
        LOGA ( ( __log_buf, SSPI_SERVER " Failed to create socket: %u\n", GetLastError ()));
        return(FALSE);
    }
    // Bind to local port. (usPort is the listening port, defined in a part of the
    // sample not shown in this post.)
    sockIn.sin_family = AF_INET;
    sockIn.sin_addr.s_addr = 0;
    sockIn.sin_port = htons(usPort);
    if (SOCKET_ERROR == bind (
        sockListen,
        (LPSOCKADDR) &sockIn,
        sizeof (sockIn)))
    {
        LOGA ( ( __log_buf, SSPI_SERVER " bind failed: %u\n", GetLastError ()));
        return(FALSE);
    }
    // Listen for client.
    if (SOCKET_ERROR == listen (sockListen, 1))
    {
        LOGA ( ( __log_buf, SSPI_SERVER " Listen failed: %u\n", GetLastError ()));
        return(FALSE);
    }
    else
    {
        LOGA ( ( __log_buf, SSPI_SERVER " Listening ! \n"));
    }
    // Accept client.
    sockClient = accept (
        sockListen,
        NULL,
        NULL);
    if (INVALID_SOCKET == sockClient)
    {
        LOGA ( ( __log_buf, SSPI_SERVER " accept failed: %u\n",GetLastError() ) );
        return(FALSE);
    }
    closesocket (sockListen);
    *ServerSocket = sockClient;
    return(DoAuthentication (sockClient, certThumb ));
} // end AcceptAuthSocket
BOOL DoAuthentication (SOCKET AuthSocket, std::string certThumb )
{
    SECURITY_STATUS ss;
    DWORD cbIn, cbOut;
    BOOL done = FALSE;
    TimeStamp Lifetime;
    BOOL fNewConversation;
    fNewConversation = TRUE;
    PCCERT_CONTEXT pCertCtxt = NULL;
    // Insert code to retrieve pCertCtxt

    // Build SCHANNEL_CRED structure to hold CERT_CONTEXT for call to AcquireCredentialsHandle
    SCHANNEL_CRED credSchannel = {0};
    credSchannel.dwVersion = SCHANNEL_CRED_VERSION;
    credSchannel.grbitEnabledProtocols = SP_PROT_SSL2_SERVER | SP_PROT_TLS1_SERVER;
    credSchannel.cCreds = 1;
    credSchannel.paCred = &pCertCtxt;
    ss = AcquireCredentialsHandle (
        NULL,                 //pszPrincipal
        g_lpPackageName,      //pszPackage
        SECPKG_CRED_INBOUND,  //fCredentialuse
        NULL,                 //pvLogonID
        &credSchannel,        //pAuthData - SCHANNEL_CRED structure that indicates the protocol to use and the settings for various customizable channel features.
        NULL,                 //pGetKeyFn
        NULL,                 //pvGetKeyArgument
        &g_hcred,             //phCredential
        &Lifetime);           //ptsExpiry
    if (!SEC_SUCCESS (ss))
    {
        LOGA ( ( __log_buf, SSPI_SERVER " AcquireCreds failed: 0x%08x\n", ss));
        return(FALSE);
    }
    // Handshake loop: receive a token from the client, feed it to AcceptSecurityContext,
    // and send back whatever token it produces, until the context is established.
    while(!done)
    {
        if (!ReceiveMsg (
            AuthSocket,
            g_pInBuf,
            g_cbMaxMessage,
            &cbIn))
        {
            return(FALSE);
        }
        cbOut = g_cbMaxMessage;
        if (!GenServerContext (
            g_pInBuf,
            cbIn,
            g_pOutBuf,
            &cbOut,
            &done,
            fNewConversation))
        {
            LOGA ( ( __log_buf, SSPI_SERVER " GenServerContext failed.\n"));
            return(FALSE);
        }
        fNewConversation = FALSE;
        if (!SendMsg (
            AuthSocket,
            g_pOutBuf,
            cbOut))
        {
            LOGA ( ( __log_buf, SSPI_SERVER " Send message failed.\n"));
            return(FALSE);
        }
    }
    return(TRUE);
} // end DoAuthentication
BOOL GenServerContext (
    BYTE *pIn,
    DWORD cbIn,
    BYTE *pOut,
    DWORD *pcbOut,
    BOOL *pfDone,
    BOOL fNewConversation)
{
    SECURITY_STATUS ss;
    SECURITY_STATUS ssAccept;
    TimeStamp Lifetime;
    SecBufferDesc OutBuffDesc;
    SecBuffer OutSecBuff;
    SecBufferDesc InBuffDesc;
    SecBuffer InSecBuff;
    ULONG Attribs = 0;

    // Prepare output buffers.
    OutBuffDesc.ulVersion = 0;
    OutBuffDesc.cBuffers = 1;
    OutBuffDesc.pBuffers = &OutSecBuff;
    OutSecBuff.cbBuffer = *pcbOut;
    OutSecBuff.BufferType = SECBUFFER_TOKEN;
    OutSecBuff.pvBuffer = pOut;
    // Prepare input buffers.
    InBuffDesc.ulVersion = 0;
    InBuffDesc.cBuffers = 1;
    InBuffDesc.pBuffers = &InSecBuff;
    InSecBuff.cbBuffer = cbIn;
    InSecBuff.BufferType = SECBUFFER_TOKEN;
    InSecBuff.pvBuffer = pIn;
    LOGA ( ( __log_buf, SSPI_SERVER " Token buffer received (%lu bytes):\n", InSecBuff.cbBuffer));
    PrintHexDump (InSecBuff.cbBuffer, (PBYTE)InSecBuff.pvBuffer);
    ss = AcceptSecurityContext (
        &g_hcred,
        fNewConversation ? NULL : &g_hctxt,
        &InBuffDesc,
        Attribs,
        SECURITY_NATIVE_DREP,
        &g_hctxt,
        &OutBuffDesc,
        &Attribs,
        &Lifetime);
    if (!SEC_SUCCESS (ss))
    {
        LOGA ( ( __log_buf, SSPI_SERVER " AcceptSecurityContext failed: 0x%08x\n", ss));
        OutputDebugStringA( "." );
        return FALSE;
    }
    // Keep the handshake status: CompleteAuthToken overwrites ss, and the
    // "continue" decision below must be based on what AcceptSecurityContext said.
    ssAccept = ss;
    // Complete token if applicable.
    if ((SEC_I_COMPLETE_NEEDED == ss)
        || (SEC_I_COMPLETE_AND_CONTINUE == ss))
    {
        ss = CompleteAuthToken (&g_hctxt, &OutBuffDesc);
        if (!SEC_SUCCESS(ss))
        {
            LOGA ( ( __log_buf, SSPI_SERVER " complete failed: 0x%08x\n", ss));
            OutputDebugStringA( "." );
            return FALSE;
        }
    }
    *pcbOut = OutSecBuff.cbBuffer;
    // fNewConversation equals FALSE.
    LOGA ( ( __log_buf, SSPI_SERVER " Token buffer generated (%lu bytes):\n",
        OutSecBuff.cbBuffer));
    PrintHexDump (
        OutSecBuff.cbBuffer,
        (PBYTE)OutSecBuff.pvBuffer);
    *pfDone = !((SEC_I_CONTINUE_NEEDED == ssAccept)
        || (SEC_I_COMPLETE_AND_CONTINUE == ssAccept));
    LOGA ( ( __log_buf, SSPI_SERVER " AcceptSecurityContext result = 0x%08x\n", ssAccept));
    return TRUE;
} // end GenServerContext
BOOL EncryptThis (
    PBYTE pMessage,
    ULONG cbMessage,
    BYTE ** ppOutput,
    ULONG * pcbOutput,
    ULONG cbHeader,
    ULONG cbTrailer)
{
    SECURITY_STATUS ss;
    SecBufferDesc BuffDesc;
    SecBuffer SecBuff[4];
    ULONG ulQop = 0;
    // The header and trailer (signature + padding) sizes are the values main()
    // obtained from SECPKG_ATTR_STREAM_SIZES and passes in as cbHeader/cbTrailer.
    LOGA ( ( __log_buf, SSPI_SERVER " Data before encryption: %s\n", pMessage));
    LOGA ( ( __log_buf, SSPI_SERVER " Length of data before encryption: %d \n",cbMessage));
    // Prepare buffers.
    BuffDesc.ulVersion = 0;
    BuffDesc.cBuffers = 4;
    BuffDesc.pBuffers = SecBuff;
    PBYTE pHeader = (PBYTE) malloc (cbHeader);
    PBYTE pTrailer = (PBYTE) malloc (cbTrailer);
    if (NULL == pHeader || NULL == pTrailer)
    {
        LOGA ( ( __log_buf, SSPI_SERVER " Memory allocation error.\n"));
        free (pHeader);
        free (pTrailer);
        return(FALSE);
    }
    SecBuff[0].cbBuffer = cbHeader;
    SecBuff[0].BufferType = SECBUFFER_STREAM_HEADER;
    SecBuff[0].pvBuffer = pHeader;
    SecBuff[1].cbBuffer = cbMessage;
    SecBuff[1].BufferType = SECBUFFER_DATA;
    SecBuff[1].pvBuffer = pMessage;          // encrypted in place by EncryptMessage
    SecBuff[2].cbBuffer = cbTrailer;
    SecBuff[2].BufferType = SECBUFFER_STREAM_TRAILER;
    SecBuff[2].pvBuffer = pTrailer;
    SecBuff[3].cbBuffer = 0;
    SecBuff[3].BufferType = SECBUFFER_EMPTY;
    SecBuff[3].pvBuffer = NULL;
    ss = EncryptMessage(
        &g_hctxt,
        ulQop,
        &BuffDesc,
        0);
    if (!SEC_SUCCESS(ss))
    {
        LOGA ( ( __log_buf, SSPI_SERVER " EncryptMessage failed: 0x%08x\n", ss));
        free (pHeader);
        free (pTrailer);
        return(FALSE);
    }
    else
    {
        LOGA ( ( __log_buf, SSPI_SERVER " The message has been encrypted. \n"));
    }
    // Allocate a buffer to hold the encrypted data constructed from the 3 buffers.
    // Use the sizes EncryptMessage wrote back: the trailer actually produced can be
    // shorter than the cbTrailer maximum reported by the stream-sizes query.
    *pcbOutput = SecBuff[0].cbBuffer + SecBuff[1].cbBuffer + SecBuff[2].cbBuffer;
    *ppOutput = (PBYTE) malloc (*pcbOutput);
    if (NULL == *ppOutput)
    {
        LOGA ( ( __log_buf, SSPI_SERVER " Memory allocation error.\n"));
        *pcbOutput = 0;
        free (pHeader);
        free (pTrailer);
        return(FALSE);
    }
    memset (*ppOutput, 0, *pcbOutput);
    memcpy (*ppOutput, pHeader, SecBuff[0].cbBuffer);
    memcpy (*ppOutput + SecBuff[0].cbBuffer, pMessage, SecBuff[1].cbBuffer);
    memcpy (*ppOutput + SecBuff[0].cbBuffer + SecBuff[1].cbBuffer, pTrailer, SecBuff[2].cbBuffer);
    // The scratch header/trailer buffers have been copied into the contiguous output.
    free (pHeader);
    free (pTrailer);
    LOGA ( ( __log_buf, SSPI_SERVER " data after encryption including trailer (%lu bytes):\n",
        *pcbOutput));
    PrintHexDump (*pcbOutput, *ppOutput);
    return TRUE;
} // end EncryptThis
void PrintHexDump(DWORD length, PBYTE buffer)
{
    DWORD i,count,index;
    CHAR rgbDigits[]="0123456789abcdef";
    CHAR rgbLine[100];
    char cbLine;
    for(index = 0; length;
        length -= count, buffer += count, index += count)
    {
        count = (length > 16) ? 16:length;
        sprintf_s(rgbLine, 100, "%4.4x ",index);
        cbLine = 6;
        // Hex part: 16 bytes per line, ':' after the 8th byte.
        for(i=0;i<count;i++)
        {
            rgbLine[cbLine++] = rgbDigits[buffer[i] >> 4];
            rgbLine[cbLine++] = rgbDigits[buffer[i] & 0x0f];
            if(i == 7)
                rgbLine[cbLine++] = ':';
            else
                rgbLine[cbLine++] = ' ';
        }
        // Pad a short final line so the ASCII column lines up.
        for(; i < 16; i++)
        {
            rgbLine[cbLine++] = ' ';
            rgbLine[cbLine++] = ' ';
            rgbLine[cbLine++] = ' ';
        }
        rgbLine[cbLine++] = ' ';
        // ASCII part: non-printable bytes shown as '.'.
        for(i = 0; i < count; i++)
        {
            if(buffer[i] < 32 || buffer[i] > 126)
                rgbLine[cbLine++] = '.';
            else
                rgbLine[cbLine++] = buffer[i];
        }
        rgbLine[cbLine++] = 0;
        LOGA ( ( __log_buf, SSPI_SERVER " %s\n", rgbLine));
    }
} // end PrintHexDump
BOOL SendMsg (
    SOCKET s,
    PBYTE pBuf,
    DWORD cbBuf)
{
    LOGA ( ( __log_buf, SSPI_SERVER " %lu bytes\n", cbBuf ));
    if (0 == cbBuf)
        return(TRUE);
    // Send the size of the message.
    if (!SendBytes (
        s,
        (PBYTE)&cbBuf,
        sizeof (cbBuf)))
    {
        return(FALSE);
    }
    // Send the body of the message.
    if (!SendBytes (
        s,
        pBuf,
        cbBuf))
    {
        return(FALSE);
    }
    return(TRUE);
} // end SendMsg

BOOL ReceiveMsg (
    SOCKET s,
    PBYTE pBuf,
    DWORD cbBuf,
    DWORD *pcbRead)
{
    DWORD cbRead;
    DWORD cbData;
    LOGA ( ( __log_buf, SSPI_SERVER " %lu bytes\n", cbBuf ));
    // Retrieve the number of bytes in the message.
    if (!ReceiveBytes (
        s,
        (PBYTE)&cbData,
        sizeof (cbData),
        &cbRead))
    {
        LOGA ( ( __log_buf, SSPI_SERVER " ReceiveBytes failed retrieving byte count.\n" ));
        return(FALSE);
    }
    if (sizeof (cbData) != cbRead)
    {
        LOGA ( ( __log_buf, SSPI_SERVER " Error: buffer size (%lu) differs from reported size (%lu)\n", (DWORD)sizeof(cbData), cbRead ));
        return(FALSE);
    }
    // The peer-supplied length must not exceed the caller's buffer.
    if (cbData > cbBuf)
    {
        LOGA ( ( __log_buf, SSPI_SERVER " Error: reported message size (%lu) exceeds buffer size (%lu)\n", cbData, cbBuf ));
        return(FALSE);
    }
    // Read the full message.
    if (!ReceiveBytes (
        s,
        pBuf,
        cbData,
        &cbRead))
    {
        LOGA ( ( __log_buf, SSPI_SERVER " ReceiveBytes failed.\n" ));
        return(FALSE);
    }
    if (cbRead != cbData)
    {
        LOGA ( ( __log_buf, SSPI_SERVER " Error: buffer bytes (%lu) differs from reported bytes (%lu)\n", cbData, cbRead ));
        return(FALSE);
    }
    *pcbRead = cbRead;
    return(TRUE);
} // end ReceiveMsg
BOOL SendBytes (
    SOCKET s,
    PBYTE pBuf,
    DWORD cbBuf)
{
    PBYTE pTemp = pBuf;
    int cbSent, cbRemaining = cbBuf;
    LOGA ( ( __log_buf, SSPI_SERVER " %lu bytes\n", cbBuf ));
    if (0 == cbBuf)
        return(TRUE);
    while (cbRemaining)
    {
        cbSent = send (
            s,
            (const char *)pTemp,
            cbRemaining,
            0);
        if (SOCKET_ERROR == cbSent)
        {
            LOGA ( ( __log_buf, SSPI_SERVER " send failed: %u\n", GetLastError ()));
            return FALSE;
        }
        LOGA ( ( __log_buf, SSPI_SERVER " %lu bytes sent\n", cbSent ));
        pTemp += cbSent;
        cbRemaining -= cbSent;
    }
    return TRUE;
} // end SendBytes

BOOL ReceiveBytes (
    SOCKET s,
    PBYTE pBuf,
    DWORD cbBuf,
    DWORD *pcbRead)
{
    PBYTE pTemp = pBuf;
    int cbRead, cbRemaining = cbBuf;
    LOGA ( ( __log_buf, SSPI_SERVER " %lu bytes\n", cbBuf ));
    while (cbRemaining)
    {
        cbRead = recv (
            s,
            (char *)pTemp,
            cbRemaining,
            0);
        // 0 means the peer closed the connection; the caller checks the byte count.
        if (0 == cbRead)
            break;
        if (SOCKET_ERROR == cbRead)
        {
            LOGA ( ( __log_buf, SSPI_SERVER " recv failed: %u\n", GetLastError () ) );
            return FALSE;
        }
        cbRemaining -= cbRead;
        pTemp += cbRead;
    }
    *pcbRead = cbBuf - cbRemaining;
    return TRUE;
} // end ReceiveBytes
void cleanup()
{
    if (g_pInBuf)
    {
        free (g_pInBuf);
        g_pInBuf = NULL;
    }
    if (g_pOutBuf)
    {
        free (g_pOutBuf);
        g_pOutBuf = NULL;
    }
    WSACleanup ();
    exit(0);
} // end cleanup
SspiExample.h

// SspiExample.h
#include <schnlsp.h>
#include <sspi.h>
#include <windows.h>
#include <string>
#include <stdarg.h>   // va_list for DbgBufCopy
#include <stdio.h>    // printf, _vsnprintf_s

BOOL SendMsg (SOCKET s, PBYTE pBuf, DWORD cbBuf);
BOOL ReceiveMsg (SOCKET s, PBYTE pBuf, DWORD cbBuf, DWORD *pcbRead);
BOOL SendBytes (SOCKET s, PBYTE pBuf, DWORD cbBuf);
BOOL ReceiveBytes (SOCKET s, PBYTE pBuf, DWORD cbBuf, DWORD *pcbRead);
void cleanup();
BOOL GenClientContext (
    BYTE *pIn,
    DWORD cbIn,
    BYTE *pOut,
    DWORD *pcbOut,
    BOOL *pfDone,
    WCHAR *pCertName,
    CredHandle *hCred,
    PSecHandle phCtext);
BOOL GenServerContext (
    BYTE *pIn,
    DWORD cbIn,
    BYTE *pOut,
    DWORD *pcbOut,
    BOOL *pfDone,
    BOOL fNewCredential);
BOOL EncryptThis (
    PBYTE pMessage,
    ULONG cbMessage,
    BYTE ** ppOutput,
    LPDWORD pcbOutput,
    ULONG cbHeader,
    ULONG cbTrailer);
PBYTE DecryptThis(
    PBYTE achData,
    LPDWORD pcbMessage,
    struct _SecHandle *hCtxt);
BOOL SignThis (
    PBYTE pMessage,
    ULONG cbMessage,
    BYTE ** ppOutput,
    LPDWORD pcbOutput);
PBYTE VerifyThis(
    PBYTE pBuffer,
    LPDWORD pcbMessage,
    struct _SecHandle *hCtxt,
    ULONG cbMaxSignature);
void PrintHexDump(DWORD length, PBYTE buffer);
BOOL ConnectAuthSocket (
    SOCKET *s,
    CredHandle *hCred,
    PSecHandle phCtext,
    char * pServer,
    WCHAR * pCertName);
BOOL CloseAuthSocket (SOCKET s);
BOOL DoAuthentication (SOCKET s, WCHAR * pCertName );
BOOL DoAuthentication (SOCKET s, std::string certThumb );
void MyHandleError(char *s);

#define DBG_SIZE 1024

// Helpers are static so the header can be included by more than one translation unit.
static int OutputDebug( char buff[DBG_SIZE] )
{
    int retval;
    char debugstring[DBG_SIZE+32];
    retval = _snprintf_s( debugstring, DBG_SIZE+32, _TRUNCATE, " %s", buff );
    OutputDebugStringA( debugstring );
    return retval;
}

static int DbgBufCopy( char *buff, const char *format, ...)
{
    int iLen;
    va_list args;
    /// Call va_start to start the variable list
    va_start(args, format);
    /// Call _vsnprintf_s to copy debug information to the buffer
    iLen = _vsnprintf_s(buff, DBG_SIZE, _TRUNCATE, format, args);
    /// Call va_end to end the variable list
    va_end(args);
    return iLen;
}

// LOGA(( __log_buf, fmt, ... )) formats into a local buffer, prints it and sends
// it to the debugger. It expands to a block, so no ';' may follow it before an 'else'.
#define LOGA(_format_and_args_)\
{ char __log_buf[DBG_SIZE];\
  DbgBufCopy _format_and_args_;\
  printf("%s", __log_buf );\
  OutputDebug(__log_buf);\
}

#define TEST_MSG "This is your server speaking"
    My initial attempt built an SCHANNEL_CRED structure following the documentation to set grbitEnabledProtocols to 0, and let SChannel select the protocol. This worked on Windows 7, selecting TLS1. When I ran the same exes on 2008 R2, the Client program failed, with InitializeSecurityContext returning SEC_E_DECRYPT_FAILURE.
    The failure occurred on the 2nd call, using phNewContext returned on the first call.
    My next attempt set grbitEnabledProtocols to SP_PROT_TLS1_SERVER. This also worked on Win 7, but 2008R2 failed again, this time on the Server side. AcceptSecurityContext failed, returning SEC_E_ALGORITHM_MISMATCH.
    TLS is a requirement for my project, but to try getting the sample to run, I next set grbitEnabledProtocols to SP_PROT_SSL2_SERVER. This did work for 2008R2, selecting SSL2, but now the Server failed on Win7 with AcceptSecurityContext returning SEC_E_ALGORITHM_MISMATCH.
    My final try was to set grbitEnabledProtocols to SP_PROT_TLS1_SERVER | SP_PROT_SSL2_SERVER, but that failed identically to the first case, with the Client on 2008R2 returning SEC_E_DECRYPT_FAILURE.
    So my question is: what is required to get SChannel to select TLS regardless of the Windows version on which the programs are running?

    Thank you for the reference. That did provide the information I needed to get TLS working. However, the documentation is not accurate with regard to setting the registry keys and values.
    The tables all show DisabledByDefault as a subkey under the protocol. They also describe a DWORD value, Enabled, as the mechanism to enable/disable a protocol.
    What I found is DisabledByDefault is a DWORD value under Client/Server and it appears to be the determining factor to whether a protocol is enabled/disabled.
    The only way I was able to get TLS 1.1 working is with the following path present:
    HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client
    Under Client, I must have DisabledByDefault set to 0. With that, the Enabled value does not need to be present.
    This held true for any level of TLS.
    I also found the setting of grbitEnabledProtocols in the SCHANNEL_CRED structure to be misleading. From the description at https://msdn.microsoft.com/en-us/library/windows/desktop/aa379810(v=vs.85).aspx, I thought my Server program could set this field to 0, and SChannel would select the protocol as directed by the registry. What I found is that the structure flag must agree with the registry setting for TLS to work. That is, with the registry key above for TLS 1.1, I must set grbitEnabledProtocols to SP_PROT_TLS1_1.
    Can you confirm the relationship between the SCHANNEL_CRED contents and registry state?
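To see what the reply above describes on a given host before touching SCHANNEL_CRED, here is an added PowerShell audit (not code from the thread) that walks the Protocols key for each protocol and each Client/Server subkey and reports the DisabledByDefault and Enabled values it finds. The protocol subkey names and the SP_PROT_* flag names listed beside each row are my assumptions about which credential flag corresponds to which registry key; the verdict column follows the reply's observation that DisabledByDefault=0 is what turned a protocol on.

```powershell
# Added example: audit SChannel protocol registry state per protocol and side.
# Assumption: these are the subkey names under ...\SCHANNEL\Protocols, and the
# SP_PROT_* names are the SCHANNEL_CRED flags to compare each row against.
$Base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$ProtocolFlags = [ordered]@{
    'SSL 2.0' = 'SP_PROT_SSL2_{SIDE}'
    'SSL 3.0' = 'SP_PROT_SSL3_{SIDE}'
    'TLS 1.0' = 'SP_PROT_TLS1_0_{SIDE}'
    'TLS 1.1' = 'SP_PROT_TLS1_1_{SIDE}'
    'TLS 1.2' = 'SP_PROT_TLS1_2_{SIDE}'
}

function Get-SchannelProtocolState {
    param(
        [string]$Protocol,
        [ValidateSet('Client', 'Server')][string]$Side
    )
    $key   = Join-Path (Join-Path $Base $Protocol) $Side
    $state = [ordered]@{
        Protocol          = $Protocol
        Side              = $Side
        KeyPresent        = Test-Path -Path $key
        DisabledByDefault = $null      # stays $null when the value is absent
        Enabled           = $null
        Verdict           = ''
        CredFlag          = $ProtocolFlags[$Protocol] -replace '\{SIDE\}', $Side.ToUpper()
    }
    if ($state.KeyPresent) {
        $props = Get-ItemProperty -Path $key
        $state.DisabledByDefault = $props.DisabledByDefault
        $state.Enabled           = $props.Enabled
    }
    # Verdict per the reply: DisabledByDefault=0 under the side's key enables the
    # protocol and Enabled need not be present; a missing key leaves the OS default.
    if (-not $state.KeyPresent) {
        $state.Verdict = 'no key: OS default applies'
    } elseif ($state.Enabled -eq 0) {
        $state.Verdict = 'disabled (Enabled=0)'
    } elseif ($state.DisabledByDefault -eq 0) {
        $state.Verdict = 'enabled (DisabledByDefault=0)'
    } elseif ($state.DisabledByDefault -eq 1) {
        $state.Verdict = 'disabled by default'
    } else {
        $state.Verdict = 'key present, values absent: OS default'
    }
    [pscustomobject]$state
}

function Get-SchannelProtocolAudit {
    foreach ($p in $ProtocolFlags.Keys) {
        foreach ($s in 'Client', 'Server') {
            Get-SchannelProtocolState -Protocol $p -Side $s
        }
    }
}

Get-SchannelProtocolAudit | Format-Table -AutoSize
```

Run it on each machine involved (the Windows 7 and 2008 R2 hosts in the thread) and compare the Server rows with the grbitEnabledProtocols flags the server sets.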
