WPA2-Enterprise Radius Authentication Windows Server 2008 R2

Hello,
I have tried a few online tutorials for providing secure wireless access. I currently have a server running Server 2008 R2 that has RRAS, NAP, and AD CS installed on it. My goal is to create a wireless SSID that utilizes WPA2-Enterprise for users to connect. Their AD credentials would need to belong to my "Wireless Users" group. I have seen tutorials that involved certificates, and some tutorials that simply added the RADIUS clients along with the network/connection policies, and then added the settings to the router. When I've tried both ways, the wireless network never connects to the network. If I un-check "Use Windows login credentials", a username/password field pops up. I enter the credentials (tried both username and domain\username) of an account that is part of "Wireless Users". When I hit OK it sits for a few moments, and then pops back up again. When I do check "Use Windows login credentials", it says it can't connect.
I have tried different firmware on the router, and I know the router is not the issue. This server is joined to my domain controller. It feels like the NAP server is not reaching the domain to authenticate credentials. Am I doing anything wrong that I should be made aware of? In NAP, if I right-click the server, "Register in Active Directory" is greyed out, which I assume is because it's already joined to the domain.
I appreciate any help you can provide.
-Ken

I've searched in "Event Viewer" on the NPS server, and came across an interesting error. I have Googled the error, and there are only a select few articles about it. If I try to connect, oftentimes I will get two information events:
Event ID 4400 "A LDAP connection with domain controller DC-VPN-IIS-01.dc.cooper.org for domain COOPER is established."
And now...the issue
Event ID 6273
Network Policy Server denied access to a user.
Contact the Network Policy Server administrator for more information.
User:
Security ID: COOPER\LAPTOP3-W7$
Account Name: host/laptop3-w7.dc.cooper.org
Account Domain: COOPER
Fully Qualified Account Name: COOPER\LAPTOP3-W7$
Client Machine:
Security ID: NULL SID
Account Name: -
Fully Qualified Account Name: -
OS-Version: -
Called Station Identifier: c0c1c074bfb6
Calling Station Identifier: 00216a902b70
NAS:
NAS IPv4 Address: 172.16.4.2
NAS IPv6 Address: -
NAS Identifier: c0c1c074bfb6
NAS Port-Type: Wireless - IEEE 802.11
NAS Port: 11
RADIUS Client:
Client Friendly Name: CiscoAP
Client IP Address: 172.16.4.2
Authentication Details:
Connection Request Policy Name: Use Windows authentication for all users
Network Policy Name: Connections to other access servers
Authentication Provider: Windows
Authentication Server: dc-vpn-iis-01.dc.cooper.org
Authentication Type: EAP
EAP Type: -
Account Session Identifier: -
Logging Results: Accounting information was written to the local log file.
Reason Code: 65
Reason: The Network Access Permission setting in the dial-in properties of the user account in Active Directory is set to Deny access to the user. To change the Network Access Permission setting to either Allow access or Control access through NPS Network Policy, obtain the properties of the user account in Active Directory Users and Computers, click the Dial-in tab, and change Network Access Permission.
Clearly, when I try to connect, it's completely bypassing the network policy I created and going to "Connections to other access servers", which by default denies access. I've tried everything: removed and re-added the security policy, added 2 network policies for wireless. Does anyone know why the network policy I create for wireless is not being recognized?
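The 6273 event quoted above can be read mechanically, and doing so makes the decision NPS took easier to see. The following Python script is an added example (it is not from the original post, and it is not a Microsoft tool): it splits the event body into its sections ("User", "Client Machine", "Authentication Details", ...) and then reports three things a defender looks at first: whether the identity NPS evaluated is a computer account (the quoted event shows `COOPER\LAPTOP3-W7$` / `host/laptop3-w7...`, i.e. the laptop's machine account rather than a member of "Wireless Users"), whether the request matched NPS's built-in catch-all policy "Connections to other access servers" (which only happens when no custom network policy's conditions matched), and what the reason code means. The sample event text is constructed from the values in the post; the reason-code table only lists codes that appear on this page.

```python
"""Parse an NPS 'Event ID 6273' (access denied) body and explain the decision.

Added example, not from the original post. SAMPLE_EVENT_6273 is constructed
from the values quoted in the post above.
"""
import re

# Reason codes as NPS reports them; both appear in events quoted on this page.
REASON_CODES = {
    16: "user credentials mismatch (unknown user name or wrong password)",
    65: "Network Access Permission on the AD account's Dial-in tab is Deny",
}

# NPS's built-in catch-all network policy; it denies everything that falls
# through the custom policies, so matching it means no custom policy matched.
DEFAULT_DENY_POLICY = "Connections to other access servers"

SAMPLE_EVENT_6273 = """\
Network Policy Server denied access to a user.
User:
Security ID: COOPER\\LAPTOP3-W7$
Account Name: host/laptop3-w7.dc.cooper.org
Account Domain: COOPER
Fully Qualified Account Name: COOPER\\LAPTOP3-W7$
Client Machine:
Security ID: NULL SID
Account Name: -
Called Station Identifier: c0c1c074bfb6
Calling Station Identifier: 00216a902b70
NAS:
NAS IPv4 Address: 172.16.4.2
NAS Port-Type: Wireless - IEEE 802.11
RADIUS Client:
Client Friendly Name: CiscoAP
Authentication Details:
Connection Request Policy Name: Use Windows authentication for all users
Network Policy Name: Connections to other access servers
Authentication Type: EAP
EAP Type: -
Reason Code: 65
"""


def parse_nps_event(text: str) -> dict:
    """Turn an NPS audit event body into {section: {field: value}}.

    A line whose value is empty ("User:", "NAS:") starts a new section; every
    other "Field: value" line belongs to the current section. Lines without a
    colon (the leading description sentence) are ignored.
    """
    sections = {}
    current = "Header"
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+?):\s*(.*)$", line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if value == "":
            current = key
            sections.setdefault(current, {})
            continue
        sections.setdefault(current, {})[key] = value
    return sections


def is_computer_account(user_section: dict) -> bool:
    """Machine authentication shows up as DOMAIN\\NAME$ or as host/<fqdn>."""
    sid = user_section.get("Security ID", "")
    name = user_section.get("Account Name", "")
    return sid.endswith("$") or name.lower().startswith("host/")


def diagnose(event: dict) -> list:
    """Return human-readable findings for a parsed 6273 event."""
    user = event.get("User", {})
    auth = event.get("Authentication Details", {})
    findings = []
    if is_computer_account(user):
        findings.append("identity is the computer account, not a user; a policy "
                        "conditioned on a user group such as 'Wireless Users' will not match")
    if auth.get("Network Policy Name") == DEFAULT_DENY_POLICY:
        findings.append("request fell through to the default deny policy; "
                        "no custom network policy's conditions matched")
    code = auth.get("Reason Code", "")
    if code.isdigit() and int(code) in REASON_CODES:
        findings.append(f"reason code {code}: {REASON_CODES[int(code)]}")
    elif code:
        findings.append(f"reason code {code}: not in this script's table; "
                        "read the Reason text in the event")
    return findings


if __name__ == "__main__":
    for finding in diagnose(parse_nps_event(SAMPLE_EVENT_6273)):
        print("-", finding)
```

Feed it the text copied from Event Viewer (or the event's description obtained with `Get-WinEvent`). For the event in the post it reports all three findings, which is the shape of the problem: the custom wireless policy is keyed to a user group, but what the AP forwarded at that moment was the machine account, so only the catch-all policy could match.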

Similar Messages

  • MS SQL Server 2008 R2 Enterprise Edition on Windows Server 2008 R2 Standard Edition

    Hello Team,
    Is there any issue/conflict/limitation in installing MS SQL Server 2008 R2 Enterprise Edition on Windows Server 2008 R2 Standard Edition?
    Or is there nothing to worry about? I guess there is a memory limitation between both of them. Please suggest.
    Regards
    Naveed Amir

    Hi,
    Here you can find the official Hardware and Software Requirements for SQL Server 2008 R2:
    http://msdn.microsoft.com/en-us/library/ms143506(v=sql.105).aspx
    There should be NO problem as far as I know if the basic limitations fit you (as shanky mentioned).
    I had (and clients still have) several servers with Windows Server 2008 R2 Standard & SQL Server 2008 R2 Enterprise and Standard with no problem (today I have one old development server with this exact installation that has worked great for several years).

  • Update error of SQL Server 2012 enterprise running on Windows server 2008 standard SP2 (32 bits)

    Hi there;
    I have a Windows Server 2008 SP2 (32-bit) on which I have an instance of SQL Server 2008 and another of 2012.
    My Windows Server 2008 installed the following updates (see below):
    (KB2898858), (KB2909921), (KB890830), (KB2898869), (KB2911502), (KB2901126), (KB2916036), (KB2862973), (KB2901113)
    After the machine was restarted, I was not able to connect to the instance of SQL Server 2012. I am able to connect to the instance of SQL Server 2008.
    The error message I get when I attempt to connect can be found at the end of the list of updates below.
    Do I need to uninstall an update? If so, which one, and how do I do that?
    Thanks, Gabriel I. Ruiz
    Security Update for Microsoft .NET Framework 2.0 SP2 on Windows Vista SP2 and Windows Server 2008 SP2 x86 (KB2898858)
    Installation date: 2/12/2014 11:42 PM
    Installation status: Successful
    Update type: Important
    More information: http://support.microsoft.com/kb/2898858
    Cumulative Security Update for Internet Explorer 9 for Windows Server 2008 (KB2909921)
    Installation date: 2/12/2014 11:42 PM
    Installation status: Successful
    Update type: Important
    More information: http://support.microsoft.com/kb/2909921
    Windows Malicious Software Removal Tool - February 2014 (KB890830)
    Installation date: 2/12/2014 11:41 PM
    Installation status: Successful
    Update type: Important
    More information: http://support.microsoft.com/kb/890830
    Security Update for Microsoft .NET Framework 4.5.1 on Windows 7, Windows Vista and Windows Server 2008 x86 (KB2898869)
    Installation date: 2/12/2014 11:40 PM
    Installation status: Successful
    Update type: Important
    More information: http://support.microsoft.com/kb/2898869
    Security Update for Microsoft .NET Framework 2.0 SP2 on Windows Vista SP2 and Windows Server 2008 SP2 x86 (KB2911502)
    Installation date: 2/12/2014 11:36 PM
    Installation status: Successful
    Update type: Important
    More information: http://support.microsoft.com/kb/2911502
    Security Update for Microsoft .NET Framework 4.5.1 on Windows 7, Windows Vista, and Windows Server 2008 x86 (KB2901126)
    Installation date: 2/12/2014 11:36 PM
    Installation status: Successful
    Update type: Important
    More information: http://support.microsoft.com/kb/2901126
    Security Update for Windows Server 2008 (KB2916036)
    Installation date: 2/12/2014 11:34 PM
    Installation status: Successful
    Update type: Important
    More information: http://support.microsoft.com/kb/2916036
    Security Update for Windows Server 2008 (KB2862973)
    Installation date: 2/12/2014 11:34 PM
    Installation status: Successful
    Update type: Important
    More information: http://support.microsoft.com/kb/2862973
    Security Update for Microsoft .NET Framework 2.0 SP2 on Windows Vista SP2 and Windows Server 2008 SP2 x86 (KB2901113)
    Installation date: 2/12/2014 11:34 PM
    Installation status: Successful
    Update type: Important
    More information: http://support.microsoft.com/kb/2901113
    ===================================
    Cannot connect to HAVANA\HAVANA_2012_1ST.
    ===================================
    The client was unable to establish a connection because of an error during connection initialization process before login. Possible causes include the following:  the client tried to connect to an unsupported version of SQL Server; the server was too busy
    to accept new connections; or there was a resource limitation (insufficient memory or maximum allowed connections) on the server. (provider: Shared Memory Provider, error: 0 - No process is on the other end of the pipe.) (.Net SqlClient Data Provider)
    For help, click: http://go.microsoft.com/fwlink?ProdName=Microsoft%20SQL%20Server&EvtSrc=MSSQLServer&EvtID=233&LinkId=20476
    Server Name: HAVANA\HAVANA_2012_1ST
    Error Number: 233
    Severity: 20
    State: 0
    Program Location:
       at System.Data.SqlClient.SqlInternalConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)
       at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj, Boolean callerHasConnectionLock, Boolean asyncClose)
       at System.Data.SqlClient.TdsParserStateObject.SNIWritePacket(SNIHandle handle, SNIPacket packet, UInt32& sniError, Boolean canAccumulate, Boolean callerHasConnectionLock)
       at System.Data.SqlClient.TdsParserStateObject.WriteSni(Boolean canAccumulate)
       at System.Data.SqlClient.TdsParserStateObject.WritePacket(Byte flushMode, Boolean canAccumulate)
       at System.Data.SqlClient.TdsParser.SendPreLoginHandshake(Byte[] instanceName, Boolean encrypt)
       at System.Data.SqlClient.TdsParser.Connect(ServerInfo serverInfo, SqlInternalConnectionTds connHandler, Boolean ignoreSniOpenTimeout, Int64 timerExpire, Boolean encrypt, Boolean trustServerCert, Boolean integratedSecurity, Boolean withFailover)
       at System.Data.SqlClient.SqlInternalConnectionTds.AttemptOneLogin(ServerInfo serverInfo, String newPassword, SecureString newSecurePassword, Boolean ignoreSniOpenTimeout, TimeoutTimer timeout, Boolean withFailover)
       at System.Data.SqlClient.SqlInternalConnectionTds.LoginNoFailover(ServerInfo serverInfo, String newPassword, SecureString newSecurePassword, Boolean redirectedUserInstance, SqlConnectionString connectionOptions, SqlCredential credential, TimeoutTimer
    timeout)
       at System.Data.SqlClient.SqlInternalConnectionTds.OpenLoginEnlist(TimeoutTimer timeout, SqlConnectionString connectionOptions, SqlCredential credential, String newPassword, SecureString newSecurePassword, Boolean redirectedUserInstance)
       at System.Data.SqlClient.SqlInternalConnectionTds..ctor(DbConnectionPoolIdentity identity, SqlConnectionString connectionOptions, SqlCredential credential, Object providerInfo, String newPassword, SecureString newSecurePassword, Boolean redirectedUserInstance,
    SqlConnectionString userConnectionOptions, SessionData reconnectSessionData)
       at System.Data.SqlClient.SqlConnectionFactory.CreateConnection(DbConnectionOptions options, DbConnectionPoolKey poolKey, Object poolGroupProviderInfo, DbConnectionPool pool, DbConnection owningConnection, DbConnectionOptions userOptions)
       at System.Data.ProviderBase.DbConnectionFactory.CreateNonPooledConnection(DbConnection owningConnection, DbConnectionPoolGroup poolGroup, DbConnectionOptions userOptions)
       at System.Data.ProviderBase.DbConnectionFactory.TryGetConnection(DbConnection owningConnection, TaskCompletionSource`1 retry, DbConnectionOptions userOptions, DbConnectionInternal oldConnection, DbConnectionInternal& connection)
       at System.Data.ProviderBase.DbConnectionInternal.TryOpenConnectionInternal(DbConnection outerConnection, DbConnectionFactory connectionFactory, TaskCompletionSource`1 retry, DbConnectionOptions userOptions)
       at System.Data.ProviderBase.DbConnectionClosed.TryOpenConnection(DbConnection outerConnection, DbConnectionFactory connectionFactory, TaskCompletionSource`1 retry, DbConnectionOptions userOptions)
       at System.Data.SqlClient.SqlConnection.TryOpenInner(TaskCompletionSource`1 retry)
       at System.Data.SqlClient.SqlConnection.TryOpen(TaskCompletionSource`1 retry)
       at System.Data.SqlClient.SqlConnection.Open()
       at Microsoft.SqlServer.Management.SqlStudio.Explorer.ObjectExplorerService.ValidateConnection(UIConnectionInfo ci, IServerType server)
       at Microsoft.SqlServer.Management.UI.ConnectionDlg.Connector.ConnectionThreadUser()
    ===================================
    No process is on the other end of the pipe

    Hi,
    Check if SQL Server service is running fine. I doubt you may have changed the user account password used for SQL Server service. After restarting the machine, you also need to update the user account of SQL Server service in Configuration
    Manager. Re-type the user account name and password under Log on tab and see how it helps.
    Thanks.
    Tracy Cai
    TechNet Community Support

  • MAC Authentication + Windows Server 2008 R2 Radius server

    Hello there,
    I have been trying to configure MAC Authentication on Windows Server Network Policy Server, but with no success. Details on my configuration can be found below.
    I have firstly enabled the Mac Authentication on 3com switch 4400 model.
    enabling  -> Mac-authentication
    enabling authentication mode -> UsernameAsMacAddress
    configuring a domain - mac-authentication domain abc.local.
    I left the default Vlan (Vlan1)
    While on my DC, I created a user
    username: 00-00-00-00-00-00
    password: 00-00-00-00-00-00
    Lastly, on the NPS Server I configured the 802.1X Wired configuration, and I configured the NAS (RADIUS Client), which is the 3com Switch.
    After completing the configurations, I turned on my computer and logged on to the domain as abc\00-00-00-00-00-00 with the password. But there was no success when the computer tried to connect to the network looking for DHCP services to obtain an IP address.
    On the NPS event service, I got:
    User:
    Security ID: NULL SID
    Account Name: [email protected]
    Account Domain: abc
    Fully Qualified Account Name: abc\00-00-00-00-00-00
    Client Machine:
    Security ID: NULL SID
    Account Name:
    Fully Qualified Account Name:
    OS-Version:
    Called Station Identifier:
    Calling Station Identifier: 0000-0000-0000
    NAS:
    NAS IPv4 Address: xxx.xxx.xx.xx
    NAS IPv6 Address:
    NAS Identifier: 00aa00aa00aa
    NAS Port-Type: Ethernet
    NAS Port: 12345678
    RADIUS Client:
    Client Friendly Name: 3com
    Client IP Address: xxx.xxx.xx.xx
    Authentication Details:
    Connection Request Policy Name: NAP 802.1X (Wired) 2
    Network Policy Name:
    Authentication Provider: Windows
    Authentication Server: server.abc.local
    Authentication Type: PAP
    EAP Type:
    Account Session Identifier:
    Logging Results: Accounting information was written to the local log file.
    Reason Code: 16
    Reason: Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.
    All I could find was "Authentication failed due to the reason appeared in the reason code", but I am very sure that the name and the password are the same. I hope someone can help me out.
    Thanks.

    Hi,
    Thanks for your post.
    MAC address authorization is performed when the user does not type in any user name or password, and refuses to use any valid authentication method. In this case, Network Policy Server (NPS) receives the Calling-Station-ID attribute, and no user name and
    password. To support MAC address authorization, Active Directory Domain Services (AD DS) must have user accounts that contain MAC addresses as user names.
    For more detailed information about MAC Address Authorization, please refer to the below article. Hope it helps.
    MAC Address Authorization
    http://technet.microsoft.com/en-us/library/dd197535(WS.10).aspx
    Best Regards,
    Aiden
    Aiden Cao
    TechNet Community Support

  • RAC on Windows Server 2008 R2 - which edition is necessary

    Hello,
    Which Windows Server 2008 R2 edition is required to install RAC - Standard or Enterprise (NOT the database edition - the Windows Server 2008 edition)?
    If we want to implement RAC 11gR2 Enterprise Edition, does the operating system also have to be Enterprise Edition, or is it possible to install RAC 11gR2 Enterprise Edition on Windows Server 2008 Standard Edition?
    What Server Version is more suited for RAC Windows Server 2003 or Windows Server 2008, and why?
    Thanks in advance for any information.
    kind regards
    Monika Anna

    Hi Monika,
    "Which Windows Server 2008 R2 edition is required to install RAC - Standard or Enterprise (NOT the database edition - the Windows Server 2008 edition)? If we want to implement RAC 11gR2 Enterprise Edition, does the operating system also have to be Enterprise Edition, or is it possible to install RAC 11gR2 Enterprise Edition on Windows Server 2008 Standard Edition?"
    All Oracle Database 11g Release 2 is supported on the following Windows Server 2008 R2 editions:
    Windows Web Server 2008 (x64)
    Windows Server 2008 Foundation (x64)
    Windows Server 2008 Standard (x64)
    Windows Server 2008 Enterprise (x64)
    Windows Server 2008 Datacenter (x64)
    "What Server Version is more suited for RAC, Windows Server 2003 or Windows Server 2008, and why?"
    I recommend Windows 2008, because the system is newer and has a lot of features that do not exist in Windows 2003. Oracle 11.2 is certified on Windows 2008.
    Check this note...
    *Statement of Direction: Oracle Database 11g Release 2 – Microsoft Windows 7 and Windows Server 2008 R2 [ID 867040.1]*
    https://support.oracle.com/CSP/main/article?cmd=show&type=NOT&doctype=ANNOUNCEMENT&id=867040.1
    Regards,
    Levi Pereira

  • Driver Security Certificate Expiration Issue on Windows Server 2008

    Hi,
    We want to install Oracle Database 10g Release 2 RAC (10.2.0.4.0) Enterprise for Microsoft Windows Server 2008 x64. When installing Oracle Cluster Ready Services on Windows Server 2008, the prerequisite check fails with the following message:
    "Security certificates for OCFS and Orafence drivers on Windows Server 2008 have expired"
    Can somebody please point a download location from Metalink from where we can download the latest drivers?

    Hi Satish,
    Thank you for your reply. I also found this bug on Metalink and did as they wrote there (changed the date to before 2009). It worked; the prerequisites assistant is now OK, but after setting the private/public interfaces section it fails with the error message:
    "Unable to collect and verify hardware information on all nodes" ...
    This is the same error I got in 11g as well; I already had a post yesterday about this bug in this section :(
    The strange thing is that now cluster verification passes the system architecture check for (10.2.0.4), but it fails during the installation of CRS.
    We already have an SR with Metalink, but unfortunately they are not much help :(
    D:\10204_vista_w2k8_x64_production_crs\clusterware\cluvfy>runcluvfy stage -pre crsinst
    -n rac1,rac2 -verbose
    Performing pre-checks for cluster services setup
    Checking node reachability...
    Check: Node reachability from node "RAC1"
    Destination Node Reachable?
    rac2 yes
    rac1 yes
    Result: Node reachability check passed from node "RAC1".
    Checking user equivalence...
    Check: User equivalence for user "Administrator"
    Node Name Comment
    rac2 passed
    rac1 passed
    Result: User equivalence check passed for user "Administrator".
    Checking administrative privileges...
    Checking node connectivity...
    Interface information for node "rac2"
    Interface Name IP Address Subnet
    PublicLAN 172.17.10.23 172.17.10.0
    PublicLAN 172.17.10.201 172.17.10.0
    PrivateLAN 192.168.10.21 192.168.10.0
    Interface information for node "rac1"
    Interface Name IP Address Subnet
    PublicLAN 172.17.10.22 172.17.10.0
    PublicLAN 172.17.10.200 172.17.10.0
    PrivateLAN 192.168.10.11 192.168.10.0
    Check: Node connectivity of subnet "172.17.10.0"
    Source Destination Connected?
    rac2:PublicLAN rac2:PublicLAN yes
    rac2:PublicLAN rac1:PublicLAN yes
    rac2:PublicLAN rac1:PublicLAN yes
    rac2:PublicLAN rac1:PublicLAN yes
    rac2:PublicLAN rac1:PublicLAN yes
    rac1:PublicLAN rac1:PublicLAN yes
    Result: Node connectivity check passed for subnet "172.17.10.0" with node(s) rac2,rac1.
    Check: Node connectivity of subnet "192.168.10.0"
    Source Destination Connected?
    rac2:PrivateLAN rac1:PrivateLAN yes
    Result: Node connectivity check passed for subnet "192.168.10.0" with node(s) rac2,rac1.
    Suitable interfaces for the private interconnect on subnet "172.17.10.0":
    rac2 PublicLAN:172.17.10.23 PublicLAN:172.17.10.201
    rac1 PublicLAN:172.17.10.22 PublicLAN:172.17.10.200
    Suitable interfaces for the private interconnect on subnet "192.168.10.0":
    rac2 PrivateLAN:192.168.10.21
    rac1 PrivateLAN:192.168.10.11
    ERROR:
    Could not find a suitable set of interfaces for VIPs.
    Result: Node connectivity check failed.
    Checking system requirements for 'crs'...
    Check: Operating system version
    Node Name Available Required Comment
    rac2 Windows Server 2008 Windows Server 2008 passed
    rac1 Windows Server 2008 Windows Server 2008 passed
    Result: Operating system version check passed.
    Check: Total memory
    Node Name Available Required Comment
    rac2 8GB (8387020KB) 1GB (1048576KB) passed
    rac1 8GB (8387020KB) 1GB (1048576KB) passed
    Result: Total memory check passed.
    Check: Swap space
    Node Name Available Required Comment
    rac2 16.05GB (16826288KB) 1GB (1048576KB) passed
    rac1 16.05GB (16826288KB) 1GB (1048576KB) passed
    Result: Swap space check passed.
    Check: System architecture
    Node Name Available Required Comment
    rac2 64-bit 64-bit passed
    rac1 64-bit 64-bit passed
    Result: System architecture check passed.
    Check: Free disk space in "C:\" dir
    Node Name Available Required Comment
    rac2 20.21GB (21190416KB) 400MB (409600KB) passed
    rac1 19.98GB (20948624KB) 400MB (409600KB) passed
    Result: Free disk space check passed.
    System requirement passed for 'crs'
    Pre-check for cluster services setup was unsuccessful on all the nodes.

  • WPA2 EAP-PEAP error, may be Windows Server 2008 or...

    I've studied posts like /t5/Connectivity/Not-able-to-connect-to-company-WLAN-WPA2-AES-PEAP-with-E71/m-p/420301/highlight/tru... , updated firmware, no joy. On E71, get
    WLAN: EAP-PEAP authentication failed
    In the event log of the domain controller+NPS server, get:
    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          5/19/2010 10:24:18 AM
    Event ID:      6274
    Task Category: Network Policy Server
    Level: Information
    Keywords: Audit Failure
    User: N/A
    Computer: Actinium.s********.com
    Description: Network Policy Server discarded the request for a user. Contact the Network Policy Server administrator for more information.
    User:
         Security ID: S****\****
         Account Name: d***@*****.com
         Account Domain: S*******
         Fully Qualified Account Name: S******\*****
    Client Machine:
         Security ID: NULL SID
         Account Name: -
         Fully Qualified Account Name: -
         OS-Version: -
         Called Station Identifier: 000B8651*****
         Calling Station Identifier: 0021FE3****
    NAS:
         NAS IPv4 Address: 10.0.1.253
         NAS IPv6 Address: -
         NAS Identifier: 10.0.1.253
         NAS Port-Type: Wireless - IEEE 802.11
         NAS Port: 1
    RADIUS Client:
         Client Friendly Name: OAW-4308
         Client IP Address: 10.0.1.253
    Authentication Details:
         Connection Request Policy Name: Secure Wireless Connections
         Network Policy Name: Secure Wireless Connections
         Authentication Provider: Windows
         Authentication Server: Actinium.s********.com
         Authentication Type: EAP
         EAP Type: -
         Account Session Identifier: -
         Reason Code: 1
         Reason: An internal error occurred. Check the system event log for additional information.
    I get a different "Reason" when I deliberately use the wrong certificate, so that part is probably OK. Tried many combinations of sAMAccountName, userPrincipalName, etc. in user and realm fields. I saw a perhaps related issue with somebody using a maemo device that stopped working when they upgraded to Windows Server 2008 on the back end. No problem with iPhones, Blackberry Storms, laptops.
    Help...

    In the SCVMM world a 'template' is composed of the following: a VHD with an OS that has been generalized (sysprep), virtual hardware profile (settings), and an OS profile.
    The OS profile is required to have a product key.  A MAC activation key at the minimum.  But the key is required.
    If you deploy a VM from a VHD, the same customization assumptions are not at play.  Which is why it succeeds.  (there is no template in this case, there is also no requirement that the OS in the VHD be sysprep'd).
    SCVMM has rules.  And lots of things don't make sense until you begin to understand them and play within them. (I am not saying that the SCVMM rules are a good thing, just saying they exist)
    Brian Ehlert
    http://ITProctology.blogspot.com
    Learn. Apply. Repeat.

  • WLC 5508 & Windows Server 2008 radius

    Hello guys, I need some bailout here. I have a WLC 5508 which I have configured for APs, but I would like to use Windows Server 2008 as the RADIUS server to authenticate the Active Directory users.
    Can I use a separate Windows Server 2008 as the RADIUS server, or do I have to use the same server working as the Active Directory?
    I don't want to request an unnecessary server from my client.
    Rgds,
    Anthony

    I am trying to take my WLC 5508 and have backend authentication through LDAP using web auth. I have tried and tried to set this up, but it fails every time.
    http://www.cisco.com/en/US/tech/tk722/tk809/technologies_configuration_example09186a008067489f.shtml
    I used that document to get me most of the way there, but I can't get the part in the WLC where I go to SECURITY > AAA > LDAP. From there I click on the SERVER index that I want to use, which is 1, and I'm not sure what credentials to put in some of those fields. The fields are USER BASE DN:, USER ATTRIBUTE:, and USER OBJECT TYPE:. I have tried to do it as the link above says, but it just does not work.

  • AiroNet 1140 Authentication Issues Windows Server 2008 NPS

    Hello,
    We have an AiroNet 1140 AP that we are trying to configure RADIUS authentication. Our RADIUS server is a Microsoft Windows Server 2008 NPS server. Unfortunately, our Wi-Fi clients are unable to authenticate. We appear to have everything configured on the AP and RADIUS server correctly, but we receive the following errors from the debug on the AP. Doug
    *Mar 14 05:46:58.413: RADIUS/DECODE: No response from radius-server; parse response; FAIL
    *Mar 14 05:46:58.413: RADIUS/DECODE: Case error(no response/ bad packet/ op decode);parse response;
    FAIL
    *Mar 14 05:46:58.413: RADIUS/DECODE: No response from radius-server; parse response; FAIL
    *Mar 14 05:46:58.413: RADIUS/DECODE: Case error(no response/ bad packet/ op decode);parse response;
    FAIL

    Hi Steve, Here is the config for the AP.  Some screenshots of the NPS config are below, too.  Please let me know if you need more information from our NPS server.  Thanks, Doug
    ap#sh run
    Building configuration...
    Current configuration : 2971 bytes
    version 12.4
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime msec
    service password-encryption
    hostname ap
    logging rate-limit console 9
    enable secret 5 $1$1IPZ$WkdzqdeeGvEPvQLCHfGXU.
    aaa new-model
    aaa group server radius rad_eap
    server 10.20.2.96 auth-port 1645 acct-port 1646
    aaa group server radius rad_mac
    aaa group server radius rad_acct
    aaa group server radius rad_admin
    server 10.20.2.96 auth-port 1645 acct-port 1646
    aaa group server tacacs+ tac_admin
    aaa group server radius rad_pmip
    aaa group server radius dummy
    aaa authentication login eap_methods group rad_eap
    aaa authentication login mac_methods local
    aaa authorization exec default local
    aaa accounting network acct_methods start-stop group rad_acct
    aaa session-id common
    dot11 syslog
    dot11 ssid wifi
       authentication open eap eap_methods
       authentication network-eap eap_methods
       authentication key-management wpa
    username pg_ap privilege 15 secret 5 $1$rg0/$hTYIn.lysNUfxhzxqXonl/
    bridge irb
    interface Dot11Radio0
    no ip address
    no ip route-cache
    encryption mode ciphers aes-ccm
    ssid wifi
    antenna gain 0
    speed  basic-1.0 2.0 5.5 11.0 6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0 m0. m1. m2. m3. m4. m5. m6. m7.
    m8. m9. m10. m11. m12. m13. m14. m15.
    station-role root
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    bridge-group 1 spanning-disabled
    interface Dot11Radio1
    no ip address
    no ip route-cache
    encryption mode ciphers aes-ccm
    ssid wifi
    antenna gain 0
    dfs band 3 block
    speed  basic-6.0 9.0 12.0 18.0 24.0 36.0 48.0 54.0 m0. m1. m2. m3. m4. m5. m6. m7. m8. m9. m10. m11
    . m12. m13. m14. m15.
    channel dfs
    station-role root access-point
    bridge-group 1
    bridge-group 1 subscriber-loop-control
    bridge-group 1 block-unknown-source
    no bridge-group 1 source-learning
    no bridge-group 1 unicast-flooding
    bridge-group 1 spanning-disabled
    interface GigabitEthernet0
    no ip address
    no ip route-cache
    duplex auto
    speed auto
    no keepalive
    bridge-group 1
    no bridge-group 1 source-learning
    bridge-group 1 spanning-disabled
    interface BVI1
    ip address 10.40.0.200 255.255.0.0
    no ip route-cache
    ip default-gateway 10.40.0.1
    ip http server
    no ip http secure-server
    ip http help-path http://www.cisco.com/warp/public/779/smbiz/prodconfig/help/eag
    ip radius source-interface BVI1
    radius-server local
      no authentication mac
      nas 10.20.2.96 key 7 003555402B5F012F3D007B16062C46430759550B3A232F7E0A1636472C01402573
    radius-server attribute 32 include-in-access-req format %h
    radius-server host 10.20.2.96 auth-port 1645 acct-port 1646 key 7 08100A08261D0F3E202A3B5C251E677C26
    677B1C171E08576F7A4C077F19403C337F0C7C7D035B172550305F756934172E327A1B13250C154D4C3F1319305C3514
    radius-server vsa send accounting
    bridge 1 route ip
    line con 0
    line vty 0 4
    end
    ap#

  • Problems LMS-4.2 Installation on Windows Server 2008 R2 Enterprise SP1

    Hi all,
    During the installation of LMS-4.2, it passed the "Initializing" and "Copying" stages, but in the "Configuring" stage it never finishes.
    Has anyone had a similar problem?
    The installer is for LMS-4.2 and the OS is Windows Server 2008 R2 Enterprise SP1.

    Thanks for the update. Glad to know it has installed now.
    There can be port clashes and resource scarcity when other applications are using them. Hence we recommend having LMS as the primary software on the server.
    Also, LMS is not supported on installers or setups in languages other than English and Japanese.
    There are a couple more things you can do/check prior to running the installation.
    LMS generally needs the 8.3 naming convention to handle long names/paths etc. By default C: has the 8.3 naming convention enabled. However, if you installed on a different drive (e.g. E:), it may be disabled for that drive.
    To check naming convention you can run the following command from Windows Command prompt: 
                                       cmd>fsutil.exe 8dot3name query <Drive>
    Example:
    C:\Users\winlau>fsutil 8dot3name query C:
    The volume state for Disable8dot3 is 0 (8dot3 name creation is enabled).
    The registry state of NtfsDisable8dot3NameCreation is 2, the default (Volume level setting).
    Based on the above two settings, 8dot3 name creation is enabled on C:.
    8dot3 needs to be enabled for all drives LMS will potentially use, including:
    Drive where TEMP/TMP is located
    The drive LMS is installed to
    The drive LMS backs up to
    Drive used for a relocated RME Shadow directory or other nonstandard paths written to.
    In some cases, altering the TEMP and TMP variables to a short path (e.g. C:/temp or C:/tmp) may avoid the issue, but not always.
    Hence, to be safe, it is best to enable 8dot3name creation globally, either via the registry or the Windows CLI.
    Sample command to enable globally:
      "fsutil 8dot3name set 0"     
    Sample command to enable on one volume:
      "fsutil 8dot3name set X: 0"  
    Note that this needs a reboot to take effect. You should not disable 8dot3name creation on a volume which already has it enabled, especially the system volume (usually C:).
    For further information  http://technet.microsoft.com/en-us/library/cc778996%28v=ws.10%29.aspx
    -Thanks
    Vinod
    **Encourage Contributors. RATE them**
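    The checks in the answer above, scripted as an added example (this is not Vinod's or Cisco's code): it collects the drive letters LMS uses (TEMP, TMP, the install drive and the backup drive), runs the same fsutil 8dot3name query against each one, and reports which volumes still need short-name creation enabled or, with -Fix, enables it per volume with the same fsutil set command. The install and backup paths in the parameters are placeholders (assumptions) and must be replaced with the real ones; it has to run from an elevated PowerShell prompt on the LMS server, and a reboot is still required after any change.

```powershell
# Added example: audit 8dot3 (short name) creation on every volume LMS touches.
# Assumptions: elevated PowerShell on the LMS server; the install/backup paths
# below are placeholders, replace them with the paths used on your server.

function Get-8dot3State {
    param([Parameter(Mandatory=$true)][string]$Drive)   # e.g. 'C:'
    # fsutil's verdict line reads "... 8dot3 name creation is enabled on C:."
    $out = & fsutil.exe 8dot3name query $Drive 2>&1 | Out-String
    if ($out -match '8dot3 name creation is (enabled|disabled) on') {
        return $Matches[1]
    }
    return 'unknown'   # not NTFS, fsutil not elevated, or unexpected wording
}

function Get-LmsDrives {
    param([string]$InstallPath, [string]$BackupPath)
    # Every location the answer lists: TEMP, TMP, the install drive, the backup drive.
    $paths = @($env:TEMP, $env:TMP, $InstallPath, $BackupPath) | Where-Object { $_ }
    $paths | ForEach-Object { (Split-Path -Qualifier $_).ToUpper() } | Sort-Object -Unique
}

function Test-LmsShortNames {
    param(
        [string]$InstallPath = 'E:\Program Files\CSCOpx',   # placeholder
        [string]$BackupPath  = 'E:\LMSBackup',              # placeholder
        [switch]$Fix
    )
    $bad = @()
    foreach ($d in (Get-LmsDrives -InstallPath $InstallPath -BackupPath $BackupPath)) {
        $state = Get-8dot3State -Drive $d
        Write-Host ("{0} 8dot3 name creation: {1}" -f $d, $state)
        if ($state -ne 'enabled') { $bad += $d }
    }
    if ($bad.Count -eq 0) {
        Write-Host 'All LMS drives have 8dot3 name creation enabled.'
        return $true
    }
    foreach ($d in $bad) {
        if ($Fix) {
            # Per-volume enable, exactly as in the answer; reboot afterwards.
            & fsutil.exe 8dot3name set $d 0
        } else {
            Write-Warning "Run: fsutil 8dot3name set $d 0   (then reboot)"
        }
    }
    return $false
}

Test-LmsShortNames            # report only
# Test-LmsShortNames -Fix     # enable on the offending volumes, then reboot
```

    Run it before starting the LMS installer; a drive reported as "unknown" usually means the prompt was not elevated, since fsutil 8dot3name query refuses to run otherwise.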

  • To install Remote Desktop Services User CAL on Windows Server 2008 R2 Enterprise Edition with SP1

    Dear Sir,
    Presently we have installed Windows Server 2008 R2 Enterprise Edition with SP1. Now I would like to install Remote Desktop Services User CALs on this server. I have a 25-digit product key for Windows Server
    2008 R2 Remote Desktop Services User CAL (20), downloaded from our MSDN Subscriptions.
    Kindly suggest how to install (the CAL server with the product key that I have) and configure Remote Desktop Services on my above existing server, and also how to point other servers to my CAL server.
    Thanks

    Hi,
    1. Install Remote Desktop Session Host and Remote Desktop Licensing Role Services using Server Manager.
    2. Open RD Licensing Manager (licmgr.exe), Activate your server, then install your license
    3. In RD Session Host Configuration (tsconfig.msc), set the Licensing mode to Per User and Specify your RD Licensing server name (itself).  If you want you may configure these two settings via group policy setting instead.  The path of the
    group policy settings is Computer Configuration\ Administrative Templates\ Windows Components\ Remote Desktop Services\ Remote Desktop Session Host\ Licensing
    4. You may point other RDSH servers to your RD Licensing server using RD Session Host Configuration or via group policy as mentioned above.
    5. Optionally you may consider installing other Remote Desktop Role Services such as RD Gateway, RD Web Access, RD Connection Broker, etc.
    -TP
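    Steps 1, 3 and 4 above, scripted as an added example (not TP's instructions or Microsoft sample code): it installs the two role services with the ServerManager module, then writes the licensing mode and license server as the policy registry values that the Group Policy settings under Remote Desktop Session Host\Licensing set, so the result can be read back and checked on every RDSH host. It assumes an elevated PowerShell session on Windows Server 2008 R2; step 2 (activating the server and installing the CAL pack) still happens in RD Licensing Manager. The license server name is taken from the local computer for the "itself" case and is a placeholder otherwise.

```powershell
# Added example: script the RDSH + RD Licensing steps on Windows Server 2008 R2.
# Assumptions: elevated PowerShell; the license server is this host (step 3),
# or a named server such as 'RDSLIC01' (placeholder) on other RDSH hosts (step 4).

Import-Module ServerManager

# Step 1: RD Session Host and RD Licensing role services on the same box.
Add-WindowsFeature RDS-RD-Server, RDS-Licensing

# Steps 3/4: same registry values the GPO policies write.
# LicensingMode: 2 = Per Device, 4 = Per User. LicenseServers: comma-separated names.
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

function Set-RdsLicensing {
    param(
        [Parameter(Mandatory=$true)][string[]]$LicenseServers,
        [ValidateSet('PerDevice','PerUser')][string]$Mode = 'PerUser'
    )
    $modeValue = @{ PerDevice = 2; PerUser = 4 }[$Mode]
    if (-not (Test-Path $policy)) { New-Item -Path $policy -Force | Out-Null }
    Set-ItemProperty -Path $policy -Name LicensingMode  -Value $modeValue -Type DWord
    Set-ItemProperty -Path $policy -Name LicenseServers -Value ($LicenseServers -join ',') -Type String
}

function Get-RdsLicensing {
    # Read the values back so the setting can be verified on each RDSH server.
    $p = Get-ItemProperty -Path $policy -ErrorAction SilentlyContinue
    $modeName = @{ 2 = 'PerDevice'; 4 = 'PerUser' }[[int]$p.LicensingMode]
    New-Object PSObject -Property @{
        Mode           = $modeName
        LicenseServers = $p.LicenseServers
    }
}

# This host points at itself (step 3). On other RDSH servers (step 4) pass the
# licensing server's name, e.g. -LicenseServers 'RDSLIC01', instead.
Set-RdsLicensing -LicenseServers $env:COMPUTERNAME -Mode PerUser
Get-RdsLicensing
```

    Because these are the policy values, they take precedence over whatever RD Session Host Configuration shows, which is also why TP suggests Group Policy for pointing several RDSH servers at one license server.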

  • Windows Server 2008 Enterprise SP2 64bit BugCheck 3B Probably caused by : win32k.sys ( win32k!PFFOBJ::pPvtDataMatch+12 )

    Hi Guys,
    Has anyone come across this BSOD error and found a fix, as I'm at a loss as to what is causing the BSOD.
    Please see Windows Debugger output below:-
    Microsoft (R) Windows Debugger Version 6.2.9200.16384 AMD64
    Copyright (c) Microsoft Corporation. All rights reserved.
    Loading Dump File [C:\Transfer\Minidumps\Mini051414-01.dmp]
    Mini Kernel Dump File: Only registers and stack trace are available
    Symbol search path is: srv*c:\symbols*http://msdl.microsoft.com/download/symbols
    Executable search path is:
    Windows Server 2008/Windows Vista Kernel Version 6002 (Service Pack 2) MP (8 procs) Free x64
    Product: Server, suite: Enterprise TerminalServer
    Built by: 6002.23154.amd64fre.vistasp2_ldr.130707-1535
    Machine Name:
    Kernel base = 0xfffff800`01c18000 PsLoadedModuleList = 0xfffff800`01dd7e30
    Debug session time: Wed May 14 12:01:16.178 2014 (UTC + 1:00)
    System Uptime: 3 days 7:15:01.532
    Loading Kernel Symbols
    Loading User Symbols
    Loading unloaded module list
    *                        Bugcheck Analysis                                   
    Use !analyze -v to get detailed debugging information.
    BugCheck 3B, {c0000005, fffff9600030271e, fffffa603d967ec0, 0}
    Probably caused by : win32k.sys ( win32k!PFFOBJ::pPvtDataMatch+12 )
    Followup: MachineOwner
    7: kd> !analyze -v
    *                        Bugcheck Analysis                                   
    SYSTEM_SERVICE_EXCEPTION (3b)
    An exception happened while executing a system service routine.
    Arguments:
    Arg1: 00000000c0000005, Exception code that caused the bugcheck
    Arg2: fffff9600030271e, Address of the instruction which caused the bugcheck
    Arg3: fffffa603d967ec0, Address of the context record for the exception that caused the bugcheck
    Arg4: 0000000000000000, zero.
    Debugging Details:
    EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
    FAULTING_IP:
    win32k!PFFOBJ::pPvtDataMatch+12
    fffff960`0030271e f6430804        test    byte ptr [rbx+8],4
    CONTEXT:  fffffa603d967ec0 -- (.cxr 0xfffffa603d967ec0)
    rax=fffff900c277dd10 rbx=6364735523080013 rcx=fffffa603d968790
    rdx=fffff900c2cc92a0 rsi=fffff900c2ade350 rdi=fffffa80369f6680
    rip=fffff9600030271e rsp=fffffa603d968720 rbp=0000000000000000
     r8=0000000000000000  r9=fffffa80369f6680 r10=fffffa803b6cdc48
    r11=fffffa603d9687c8 r12=fffffa603d968810 r13=0000000000000000
    r14=000000000000301f r15=0000000000000001
    iopl=0         nv up ei pl nz na pe nc
    cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
    win32k!PFFOBJ::pPvtDataMatch+0x12:
    fffff960`0030271e f6430804        test    byte ptr [rbx+8],4 ds:002b:63647355`2308001b=??
    Resetting default scope
    CUSTOMER_CRASH_COUNT:  1
    DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT_SERVER
    BUGCHECK_STR:  0x3B
    PROCESS_NAME:  chrome.exe
    CURRENT_IRQL:  0
    LAST_CONTROL_TRANSFER:  from fffff960003009b1 to fffff9600030271e
    STACK_TEXT: 
    fffffa60`3d968720 fffff960`003009b1 : 00000000`0000301f 00000000`00004fbc 00000000`00000000 fffffa80`3b6cdbb0 : win32k!PFFOBJ::pPvtDataMatch+0x12
    fffffa60`3d968750 fffff960`001aacb6 : fffff900`c2ade350 fffff900`c3fa59e0 00000000`00000000 fffffa80`369f6680 : win32k!PFTOBJ::bUnloadWorkhorse+0x55
    fffffa60`3d9687d0 fffff960`001ab8d8 : fffff900`c2ade2d0 00000000`00000000 00000000`00000001 00000000`00000001 : win32k!vCleanupPrivateFonts+0x72
    fffffa60`3d968810 fffff960`0019fbc0 : 00000000`00000000 fffff800`01ebfe00 fffff900`c277dd10 fffffa80`38d5b800 : win32k!NtGdiCloseProcess+0x4a8
    fffffa60`3d968870 fffff960`0019f423 : 00000000`00000000 fffff900`c277dd10 00000000`00000000 fffff800`01ebfe48 : win32k!GdiProcessCallout+0x1f4
    fffffa60`3d9688f0 fffff800`01ecc924 : 00000000`00000000 00000000`00000000 fffff800`01db6ec0 00000000`00000000 : win32k!W32pProcessCallout+0x6f
    fffffa60`3d968920 fffff800`01ebfe65 : fffffa60`00000000 fffff800`01c89701 fffffa80`57c73810 00000000`78457350 : nt!PspExitThread+0x41c
    fffffa60`3d968a10 fffff800`01c89881 : fffffa60`3d968ad8 00000000`00000000 fffffa80`382fe430 00000000`00000000 : nt!PsExitSpecialApc+0x1d
    fffffa60`3d968a40 fffff800`01c8d935 : fffffa60`3d968ca0 fffffa60`3d968ae0 fffff800`01ebfe74 00000000`00000001 : nt!KiDeliverApc+0x441
    fffffa60`3d968ae0 fffff800`01c6721d : fffffa80`3b6cdbb0 00000000`0038f2f4 fffffa60`3d968bf8 fffffa80`597301e0 : nt!KiInitiateUserApc+0x75
    fffffa60`3d968c20 00000000`74c93d09 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : nt!KiSystemServiceExit+0xa2
    00000000`000eebd8 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 0x74c93d09
    FOLLOWUP_IP:
    win32k!PFFOBJ::pPvtDataMatch+12
    fffff960`0030271e f6430804        test    byte ptr [rbx+8],4
    SYMBOL_STACK_INDEX:  0
    SYMBOL_NAME:  win32k!PFFOBJ::pPvtDataMatch+12
    FOLLOWUP_NAME:  MachineOwner
    MODULE_NAME: win32k
    IMAGE_NAME:  win32k.sys
    DEBUG_FLR_IMAGE_TIMESTAMP:  52f4cf4d
    STACK_COMMAND:  .cxr 0xfffffa603d967ec0 ; kb
    FAILURE_BUCKET_ID:  X64_0x3B_win32k!PFFOBJ::pPvtDataMatch+12
    BUCKET_ID:  X64_0x3B_win32k!PFFOBJ::pPvtDataMatch+12
    Followup: MachineOwner
    7: kd> lmvm win32k
    start             end                 module name
    fffff960`000e0000 fffff960`0039a000   win32k     (pdb symbols)          c:\symbols\win32k.pdb\E3E9D4C3813E470A90F52FAEC6461A252\win32k.pdb
        Loaded symbol image file: win32k.sys
        Mapped memory image file: c:\symbols\win32k.sys\52F4CF4D2ba000\win32k.sys
        Image path: win32k.sys
        Image name: win32k.sys
        Timestamp:        Fri Feb 07 12:19:25 2014 (52F4CF4D)
        CheckSum:         002AD344
        ImageSize:        002BA000
        File version:     6.0.6002.23325
        Product version:  6.0.6002.23325
        File flags:       0 (Mask 3F)
        File OS:          40004 NT Win32
        File type:        3.7 Driver
        File date:        00000000.00000000
        Translations:     0409.04b0
        CompanyName:      Microsoft Corporation
        ProductName:      Microsoft® Windows® Operating System
        InternalName:     win32k.sys
        OriginalFilename: win32k.sys
        ProductVersion:   6.0.6002.23325
        FileVersion:      6.0.6002.23325 (vistasp2_ldr.140207-0038)
        FileDescription:  Multi-User Win32 Driver
        LegalCopyright:   © Microsoft Corporation. All rights reserved.
    7: kd> .cxr 0xfffffa603d967ec0
    rax=fffff900c277dd10 rbx=6364735523080013 rcx=fffffa603d968790
    rdx=fffff900c2cc92a0 rsi=fffff900c2ade350 rdi=fffffa80369f6680
    rip=fffff9600030271e rsp=fffffa603d968720 rbp=0000000000000000
     r8=0000000000000000  r9=fffffa80369f6680 r10=fffffa803b6cdc48
    r11=fffffa603d9687c8 r12=fffffa603d968810 r13=0000000000000000
    r14=000000000000301f r15=0000000000000001
    iopl=0         nv up ei pl nz na pe nc
    cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
    win32k!PFFOBJ::pPvtDataMatch+0x12:
    fffff960`0030271e f6430804        test    byte ptr [rbx+8],4 ds:002b:63647355`2308001b=??
    Thanks
    JT

    Getting BSODs pointing to this dll also. Started at around the same date as Jitinder's post. Maybe a new issue has been introduced?
    7: kd> !analyze -v
    *                        Bugcheck Analysis                                    *
    SYSTEM_SERVICE_EXCEPTION (3b)
    An exception happened while executing a system service routine.
    Arguments:
    Arg1: 00000000c0000005, Exception code that caused the bugcheck
    Arg2: fffff9600011fda0, Address of the instruction which caused the bugcheck
    Arg3: fffffa6027acd1d0, Address of the context record for the exception that caused the bugcheck
    Arg4: 0000000000000000, zero.
    Debugging Details:
    "kernel32.dll" was not found in the image list.
    Debugger will attempt to load "kernel32.dll" at given base 00000000`00000000.
    Please provide the full image name, including the extension (i.e. kernel32.dll)
    for more reliable results.Base address and size overrides can be given as
    .reload <image.ext>=<base>,<size>.
    Unable to add module at 00000000`00000000
    EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
    FAULTING_IP: 
    win32k!PFEOBJ::vFreepfdg+e8
    fffff960`0011fda0 0fba60300f      bt      dword ptr [rax+30h],0Fh
    CONTEXT:  fffffa6027acd1d0 -- (.cxr 0xfffffa6027acd1d0)
    rax=00000000014c0000 rbx=0000000000000000 rcx=fffff900c009c2a0
    rdx=fffffa802735ab80 rsi=fffff900c0b9b010 rdi=fffffa6027acda80
    rip=fffff9600011fda0 rsp=fffffa6027acda30 rbp=0000000000000000
     r8=0000000000000000  r9=0000000000000000 r10=fffffa802800a288
    r11=fffffa802800a060 r12=0000000000000000 r13=0000000000000000
    r14=000000001539ed50 r15=0000000000000001
    iopl=0         nv up ei pl nz na po cy
    cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00010207
    win32k!PFEOBJ::vFreepfdg+0xe8:
    fffff960`0011fda0 0fba60300f      bt      dword ptr [rax+30h],0Fh ds:002b:00000000`014c0030=????????
    Resetting default scope
    DEFAULT_BUCKET_ID:  VISTA_DRIVER_FAULT
    BUGCHECK_STR:  0x3B
    PROCESS_NAME:  iexplore.exe
    CURRENT_IRQL:  0
    LAST_CONTROL_TRANSFER:  from fffff960002e66d4 to fffff9600011fda0
    STACK_TEXT:  
    fffffa60`27acda30 fffff960`002e66d4 : 00000000`00000000 fffffa80`2735ab50 00000000`00000001 00000000`746e6647 : win32k!PFEOBJ::vFreepfdg+0xe8
    fffffa60`27acda60 fffff960`002f0cb7 : 00000000`00000000 fffff900`c008f000 fffff900`c0010000 00000000`00000000 : win32k!RFONTOBJ::vDeleteRFONT+0x210
    fffffa60`27acdac0 fffff960`002f0926 : 00000000`00000000 fffff900`c2bfcca0 fffff900`c0ae4010 00000000`00000000 : win32k!vRestartKillRFONTList+0xab
    fffffa60`27acdb10 fffff960`00275c79 : 00000000`00000000 00000000`00000001 fffffa80`235762b0 fffff900`00000002 : win32k!PFTOBJ::bUnloadWorkhorse+0x196
    fffffa60`27acdb90 fffff960`002978e2 : fffffa80`2800a060 fffff900`c0b932a0 fffffa60`27acdca0 00000000`7457c444 : win32k!GreRemoveFontMemResourceEx+0xad
    fffffa60`27acdbf0 fffff800`01a64173 : fffffa80`2800a060 fffffa60`27acdca0 00000000`7ee9f000 fffffa80`25803040 : win32k!NtGdiRemoveFontMemResourceEx+0x12
    fffffa60`27acdc20 00000000`74513d09 : 00000000`74513cc5 00000023`77300682 00000000`00000023 00000000`00000202 : nt!KiSystemServiceCopyEnd+0x13
    00000000`1539ed48 00000000`74513cc5 : 00000023`77300682 00000000`00000023 00000000`00000202 00000000`1767d5e0 : wow64cpu!CpupSyscallStub+0x9
    00000000`1539ed50 00000000`7457ab36 : 00000000`77120000 00000000`1539fd20 00000000`60c8f022 00000000`1539f450 : wow64cpu!Thunk0Arg+0x5
    00000000`1539edc0 00000000`7457a13a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : wow64!RunCpuSimulation+0xa
    00000000`1539edf0 00000000`771847c8 : 00000000`00000000 00000000`00000000 00000000`7efdf000 00000000`00000000 : wow64!Wow64LdrpInitialize+0x4b6
    00000000`1539f350 00000000`771461be : 00000000`1539f450 00000000`00000000 00000000`7efdf000 00000000`00000000 : ntdll! ?? ::FNODOBFM::`string'+0x1fba1
    00000000`1539f400 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!LdrInitializeThunk+0xe
    FOLLOWUP_IP: 
    win32k!PFEOBJ::vFreepfdg+e8
    fffff960`0011fda0 0fba60300f      bt      dword ptr [rax+30h],0Fh
    SYMBOL_STACK_INDEX:  0
    SYMBOL_NAME:  win32k!PFEOBJ::vFreepfdg+e8
    FOLLOWUP_NAME:  MachineOwner
    MODULE_NAME: win32k
    IMAGE_NAME:  win32k.sys
    DEBUG_FLR_IMAGE_TIMESTAMP:  5202fc4d
    STACK_COMMAND:  .cxr 0xfffffa6027acd1d0 ; kb
    FAILURE_BUCKET_ID:  X64_0x3B_win32k!PFEOBJ::vFreepfdg+e8
    BUCKET_ID:  X64_0x3B_win32k!PFEOBJ::vFreepfdg+e8
    Followup: MachineOwner
    7: kd> lmv m win32k
    start             end                 module name
    fffff960`000d0000 fffff960`00389000   win32k     (pdb symbols)          c:\symcache\win32k.pdb\54B8C53009264F08A9D8CF1B4B56BCDC2\win32k.pdb
        Loaded symbol image file: win32k.sys
        Image path: \SystemRoot\System32\win32k.sys
        Image name: win32k.sys
        Timestamp:        Thu Aug 08 04:02:53 2013 (5202FC4D)
        CheckSum:         002B126B
        ImageSize:        002B9000
        File version:     6.0.6002.18912
        Product version:  6.0.6002.18912
        File flags:       0 (Mask 3F)
        File OS:          40004 NT Win32
        File type:        3.7 Driver
        File date:        00000000.00000000
        Translations:     0409.04b0
        CompanyName:      Microsoft Corporation
        ProductName:      Microsoft® Windows® Operating System
        InternalName:     win32k.sys
        OriginalFilename: win32k.sys
        ProductVersion:   6.0.6002.18912
        FileVersion:      6.0.6002.18912 (vistasp2_gdr.130807-1537)
        FileDescription:  Multi-User Win32 Driver
        LegalCopyright:   © Microsoft Corporation. All rights reserved.
    7: kd> .cxr 0xfffffa6027acd1d0
    rax=00000000014c0000 rbx=0000000000000000 rcx=fffff900c009c2a0
    rdx=fffffa802735ab80 rsi=fffff900c0b9b010 rdi=fffffa6027acda80
    rip=fffff9600011fda0 rsp=fffffa6027acda30 rbp=0000000000000000
     r8=0000000000000000  r9=0000000000000000 r10=fffffa802800a288
    r11=fffffa802800a060 r12=0000000000000000 r13=0000000000000000
    r14=000000001539ed50 r15=0000000000000001
    iopl=0         nv up ei pl nz na po cy
    cs=0010  ss=0018  ds=002b  es=002b  fs=0053  gs=002b             efl=00010207
    win32k!PFEOBJ::vFreepfdg+0xe8:
    fffff960`0011fda0 0fba60300f      bt      dword ptr [rax+30h],0Fh ds:002b:00000000`014c0030=????????

  • Windows server 2008 R2 x64 Authentication failure while try to access Windows server 2003 R2

    Hello,
    I try to access Windows Server 2003 R2 Standard from Windows Server 2008 R2 x64 Standard using integrated Windows authentication. Because my application tries to read SQL Server, I'm getting an error that the user is not trusted. Then I tried to open a
    simple shared folder on 2003 and none of the users is able to do it. Both servers are part of a common workgroup in the same IP range. Using a domain is not an option. Migrating 2003 to 2008 is not an option either. The specific DB provider I have to use
    supports only Windows authentication, so creating a user in SQL Server is not an option either. I have tested many applications and cases which require/use Windows authentication and none of them manage to connect.
    Any help is very welcome because things are urgent!
    Authentication failure

    That method in workgroup mode may be a problem.
    Authentication in SQL Server
    Might ask them over here.
    SQL Server forums on MSDN
    Regards, Dave Patrick ....
    Microsoft Certified Professional
    Microsoft MVP [Windows]
    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

  • Can I install Solution Manager 7.0 in Window Server 2008 R2 Enterprise ed.?

    Hi, SDN experts.
    I am trying to install Solution Manager 7.0 on Windows Server 2008 R2.
    I checked the software requirements for SAP Solution Manager 7.0; they only mention Windows Server 2003 and 2008 Enterprise Edition.
    I am trying to install Solution Manager 7.0 on Windows Server 2008 R2 Enterprise Edition.
    When I ran the Solution Manager Master Installer, the Pre-requisite Checker gave a warning message saying that it detected an incompatible server version, that the server version is Windows NT 6.1 (Build 7601: Service Pack 1) (I guess it meant Windows Server 2008 R2).
    =======
    The following Windows operating system version is supported: Windows Server 2003 (i.e. Version 5.2) and Windows Server 2008 (i.e. Version 6.0).
    Current Windows version: Version 6.1, Service Pack 1.0, productive type: Server.
    You can check the current version of your operating system by running……
    ========
    Can I actually install Solution Manager 7.0 on Windows Server 2008 R2? Will this cause problems during the installation/post-installation if I ignore this message?
    Thanks,
    KC

    Hi,
    I think it is not straightforward to install SAP Solution Manager 7.0 on MS Windows Server 2008 R2.
    I am installing Solution Manager 7.0; the installation encountered an error on the Create Java Users step (Phase 31 of 44). When I log in to the SAP Solution Manager system through SAP GUI, I encounter this error:
    "OS release Windows NT 6.1 7601 Service Pack 1 4x AMD64 Level 6 (Mod 44 Step 2) is not supported with this kernel (700)"
    I found that it is because I am installing SAP Solution Manager 7.0 on MS Windows Server 2008 R2, which the existing kernel version does not support.
    Do you know which kernel I should install?
    I browsed in:
    SAP Application Components > SAP SOLUTION MANAGER > SAP SOLUTION MANAGER 7.0 > Entry by Component > Solution Manager ABAP Stack
    SAP KERNEL 7.00 64-BIT UNICODE --> Windows Server on x64 64bit -->MS SQL SERVER
    I downloaded:
    SAPEXEDB_291-20001361.SAR      Kernel Part II (for Basis 7.00)       291
    Is this the right kernel patch I should use?
    If it is the right kernel patch file, how do I apply the latest kernel to the existing Solution Manager system? Can you give me some guidance on this?
    Thanks,
    KC

  • SChannel Fails Authentication on Windows Server 2008 R2 Using TLS1

    I am trying to use SChannel to secure a socket connection. I modified the example at
    https://msdn.microsoft.com/en-us/library/windows/desktop/aa380537(v=vs.85).aspx, converting it from Negotiate to SChannel.  Following the specs for the SSPI APIs I was able to get a Client & Server connection authenticated on Windows 7. 
    However, when I try running the same programs on Windows Server 2008 R2, either the Client side or Server side fails, depending on how I select the security protocol.
    Here is the modified example code, details about my results follow the code.
    Client.cpp
    // Client-side program to establish an SSPI socket connection
    // with a server and exchange messages.
    // Define macros and constants.
    #include "StdAfx.h"
    #include <windows.h>
    #include <winsock.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include "SspiExample.h"
    #include <string>
    #include <iostream>
    CredHandle g_hCred;
    SecHandle g_hCtext;
    #define SSPI_CLIENT "SChannelClient:" __FUNCTION__
    void main(int argc, char * argv[])
    {
        SOCKET Client_Socket;
        BYTE Data[BIG_BUFF];
        PCHAR pMessage;
        WSADATA wsaData;
        SECURITY_STATUS ss;
        DWORD cbRead;
        ULONG cbHeader;
        ULONG cbMaxMessage;
        ULONG cbTrailer;
        SecPkgContext_StreamSizes SecPkgSizes;
        SecPkgContext_PackageInfo SecPkgPkgInfo;
        SecPkgContext_ConnectionInfo ConnectionInfo;
        BOOL DoAuthentication (SOCKET s, WCHAR * pCertName);
        char Server[512] = {0};
        WCHAR CertName[512] = {0};
        // Validate cmd line parameters
        if ( argc != 3 )
        {
            LOGA ( ( __log_buf, SSPI_CLIENT " required parameters ServerName & CertName not entered.\n"));
            LOGA ( ( __log_buf, SSPI_CLIENT " Abort and start over with required parameters.\n"));
            std::cin.get();
            exit (EXIT_FAILURE);   // do not fall through and connect with an empty server name
        }
        else
        {
            // argv[1] - ServerName - the name of the computer running the server sample.
            // argv[2] - TargetName the common name of the certificate provided
            // by the target server program.
            // Bounded copies: both destinations are fixed 512-element arrays.
            strncpy_s(Server, sizeof(Server), argv[1], _TRUNCATE);
            size_t sizCN;
            mbstowcs_s(&sizCN, CertName, _countof(CertName), argv[2], _TRUNCATE);
            LOGA ( ( __log_buf, SSPI_CLIENT " input parameters - ServerName %s CertName %ls.\n", Server, CertName ));
        }
        // Initialize the socket and the SSP security package.
        if(WSAStartup (0x0101, &wsaData))
        {
            MyHandleError( __FUNCTION__ " Could not initialize winsock ");
        }
        // Connect to a server.
        SecInvalidateHandle( &g_hCtext );
        if (!ConnectAuthSocket (
                &Client_Socket,
                &g_hCred,
                &g_hCtext,
                Server,
                CertName))
        {
            MyHandleError( __FUNCTION__ " Authenticated server connection ");
        }
        LOGA ( ( __log_buf, SSPI_CLIENT " connection authenticated.\n"));
        // An authenticated session with a server has been established.
        // Receive and manage a message from the server.
        // First, find and display the name of the SSP,
        // the transport protocol supported by the SSP,
        // and the size of the header, maximum message, and
        // trailer blocks for this SSP.
        ss = QueryContextAttributes(
            &g_hCtext,
            SECPKG_ATTR_PACKAGE_INFO,
            &SecPkgPkgInfo );
        if (!SEC_SUCCESS(ss))
        {
            LOGA ( ( __log_buf, SSPI_CLIENT " QueryContextAttributes failed: 0x%08x\n", ss));
            MyHandleError( __FUNCTION__ " QueryContextAttributes failed.\n");
        }
        else
        {
            LOGA ( ( __log_buf, SSPI_CLIENT " Package Name: %ls\n", SecPkgPkgInfo.PackageInfo->Name));
            // Free the allocated buffer (only valid when the query succeeded).
            FreeContextBuffer(SecPkgPkgInfo.PackageInfo);
        }
        ss = QueryContextAttributes(
            &g_hCtext,
            SECPKG_ATTR_STREAM_SIZES,
            &SecPkgSizes );
        if (!SEC_SUCCESS(ss))
        {
            LOGA ( ( __log_buf, SSPI_CLIENT " QueryContextAttributes failed: 0x%08x\n", ss));
            MyHandleError( __FUNCTION__ " Query context ");
        }
        cbHeader = SecPkgSizes.cbHeader;
        cbMaxMessage = SecPkgSizes.cbMaximumMessage;
        cbTrailer = SecPkgSizes.cbTrailer;
        LOGA ( ( __log_buf, SSPI_CLIENT " cbHeader %u, cbMaxMessage %u, cbTrailer %u\n", cbHeader, cbMaxMessage, cbTrailer ));
        ss = QueryContextAttributes(
            &g_hCtext,
            SECPKG_ATTR_CONNECTION_INFO,
            &ConnectionInfo );
        if (!SEC_SUCCESS(ss))
        {
            LOGA ( ( __log_buf, SSPI_CLIENT " QueryContextAttributes failed: 0x%08x\n", ss));
            MyHandleError( __FUNCTION__ " Query context ");
        }
        // Report what Schannel actually negotiated; compare this between the
        // Windows 7 and Windows Server 2008 R2 runs. TLS 1.1/1.2 would be reported
        // as SP_PROT_TLS1_1_CLIENT / SP_PROT_TLS1_2_CLIENT and land in "default".
        switch(ConnectionInfo.dwProtocol)
        {
        case SP_PROT_TLS1_CLIENT:
            LOGA ( ( __log_buf, SSPI_CLIENT " Protocol: TLS1\n"));
            break;
        case SP_PROT_SSL3_CLIENT:
            LOGA ( ( __log_buf, SSPI_CLIENT " Protocol: SSL3\n"));
            break;
        case SP_PROT_PCT1_CLIENT:
            LOGA ( ( __log_buf, SSPI_CLIENT " Protocol: PCT\n"));
            break;
        case SP_PROT_SSL2_CLIENT:
            LOGA ( ( __log_buf, SSPI_CLIENT " Protocol: SSL2\n"));
            break;
        default:
            LOGA ( ( __log_buf, SSPI_CLIENT " Unknown Protocol: 0x%x\n", ConnectionInfo.dwProtocol));
        }
        switch(ConnectionInfo.aiCipher)
        {
        case CALG_RC4:
            LOGA ( ( __log_buf, SSPI_CLIENT " Cipher: RC4\n"));
            break;
        case CALG_3DES:
            LOGA ( ( __log_buf, SSPI_CLIENT " Cipher: Triple DES\n"));
            break;
        case CALG_RC2:
            LOGA ( ( __log_buf, SSPI_CLIENT " Cipher: RC2\n"));
            break;
        case CALG_DES:
        case CALG_CYLINK_MEK:
            LOGA ( ( __log_buf, SSPI_CLIENT " Cipher: DES\n"));
            break;
        case CALG_SKIPJACK:
            LOGA ( ( __log_buf, SSPI_CLIENT " Cipher: Skipjack\n"));
            break;
        case CALG_AES_256:
            LOGA ( ( __log_buf, SSPI_CLIENT " Cipher: AES 256\n"));
            break;
        default:
            LOGA ( ( __log_buf, SSPI_CLIENT " Unknown Cipher: 0x%x\n", ConnectionInfo.aiCipher));
        }
        LOGA ( ( __log_buf, SSPI_CLIENT " Cipher strength: %d\n", ConnectionInfo.dwCipherStrength));
        switch(ConnectionInfo.aiHash)
        {
        case CALG_MD5:
            LOGA ( ( __log_buf, SSPI_CLIENT " Hash: MD5\n"));
            break;
        case CALG_SHA:
            LOGA ( ( __log_buf, SSPI_CLIENT " Hash: SHA\n"));
            break;
        default:
            LOGA ( ( __log_buf, SSPI_CLIENT " Unknown Hash: 0x%x\n", ConnectionInfo.aiHash));
        }
        LOGA ( ( __log_buf, SSPI_CLIENT " Hash strength: %d\n", ConnectionInfo.dwHashStrength));
        switch(ConnectionInfo.aiExch)
        {
        case CALG_RSA_KEYX:
        case CALG_RSA_SIGN:
            LOGA ( ( __log_buf, SSPI_CLIENT " Key exchange: RSA\n"));
            break;
        case CALG_KEA_KEYX:
            LOGA ( ( __log_buf, SSPI_CLIENT " Key exchange: KEA\n"));
            break;
        case CALG_DH_EPHEM:
            LOGA ( ( __log_buf, SSPI_CLIENT " Key exchange: DH Ephemeral\n"));
            break;
        default:
            LOGA ( ( __log_buf, SSPI_CLIENT " Unknown Key exchange: 0x%x\n", ConnectionInfo.aiExch));
        }
        LOGA ( ( __log_buf, SSPI_CLIENT " Key exchange strength: %d\n", ConnectionInfo.dwExchStrength));
        // Decrypt and display the message from the server.
        if (!ReceiveBytes(
                Client_Socket,
                Data,
                BIG_BUFF,
                &cbRead))
        {
            MyHandleError( __FUNCTION__ " No response from server\n");
        }
        if (0 == cbRead)
        {
            MyHandleError(__FUNCTION__ " Zero bytes received.\n");
        }
        pMessage = (PCHAR) DecryptThis(
            Data,
            &cbRead,
            &g_hCtext);
        // Skip the header to get the decrypted message
        pMessage += cbHeader;
        ULONG cbMessage = cbRead-cbHeader-cbTrailer;
        if ((cbMessage == strlen(TEST_MSG)) &&
            !strncmp(pMessage, TEST_MSG, strlen(TEST_MSG)) )
        {
            LOGA ( ( __log_buf, SSPI_CLIENT " SUCCESS!! The message from the server is \n -> %.*s \n",
                cbMessage, pMessage ));
        }
        else
        {
            LOGA ( ( __log_buf, SSPI_CLIENT " UNEXPECTED message from the server: \n -> %.*s \n",
                cbMessage, pMessage ));
            LOGA ( ( __log_buf, SSPI_CLIENT " rcvd msg size %u, exp size %u\n", cbMessage, strlen(TEST_MSG) ));
        }
        // Terminate socket and security package.
        DeleteSecurityContext (&g_hCtext);
        FreeCredentialHandle (&g_hCred);
        shutdown (Client_Socket, 2);
        closesocket (Client_Socket);
        if (SOCKET_ERROR == WSACleanup ())
        {
            MyHandleError( __FUNCTION__ " Problem with socket cleanup ");
        }
        exit (EXIT_SUCCESS);
    } // end main
    // ConnectAuthSocket establishes an authenticated socket connection
    // with a server and initializes needed security package resources.
    // phCred and phCtext are not used here: DoAuthentication works on the
    // globals g_hCred / g_hCtext (the parameters used to shadow those names).
    BOOL ConnectAuthSocket (
        SOCKET *s,
        CredHandle *phCred,
        PSecHandle phCtext,
        char * pServer,
        WCHAR * pCertName)
    {
        unsigned long ulAddress;
        struct hostent *pHost;
        SOCKADDR_IN sin;
        // Lookup the server's address.
        LOGA ( ( __log_buf, SSPI_CLIENT " entry.\n"));
        ulAddress = inet_addr (pServer);
        if (INADDR_NONE == ulAddress)
        {
            LOGA ( ( __log_buf, SSPI_CLIENT " calling gethostbyname with %s.\n", pServer ));
            pHost = gethostbyname (pServer);
            if (NULL == pHost)
            {
                MyHandleError(__FUNCTION__ " Unable to resolve host name ");
            }
            memcpy((char FAR *)&ulAddress, pHost->h_addr, pHost->h_length);
            std::string ipAddrStr;
            ipAddrStr = inet_ntoa( *(struct in_addr*)*pHost->h_addr_list);
            LOGA ( ( __log_buf, __FUNCTION__ " gethostbyname - ipAddress %s, name %s.\n", ipAddrStr.c_str(), pHost->h_name ) );
        }
        // Create the socket.
        *s = socket (
            PF_INET,
            SOCK_STREAM,
            0);
        if (INVALID_SOCKET == *s)
        {
            MyHandleError(__FUNCTION__ " Unable to create socket");
        }
        else
        {
            LOGA ( ( __log_buf, SSPI_CLIENT " Socket created.\n"));
        }
        sin.sin_family = AF_INET;
        sin.sin_addr.s_addr = ulAddress;
        sin.sin_port = htons (g_usPort);
        // Connect to the server.
        if (connect (*s, (LPSOCKADDR) &sin, sizeof (sin)))
        {
            closesocket (*s);
            MyHandleError( __FUNCTION__ " Connect failed ");
        }
        LOGA ( ( __log_buf, SSPI_CLIENT " Connection established.\n"));
        // Authenticate the connection (TLS handshake via Schannel).
        if (!DoAuthentication (*s, pCertName))
        {
            closesocket (*s);
            MyHandleError( __FUNCTION__ " Authentication ");
        }
        LOGA ( ( __log_buf, SSPI_CLIENT " success.\n"));
        return(TRUE);
    } // end ConnectAuthSocket
    BOOL DoAuthentication (SOCKET s, WCHAR * pCertName)
    {
        BOOL fDone = FALSE;
        DWORD cbOut = 0;
        DWORD cbIn = 0;
        PBYTE pInBuf;
        PBYTE pOutBuf;
        if(!(pInBuf = (PBYTE) malloc(MAXMESSAGE)))
        {
            MyHandleError( __FUNCTION__ " Memory allocation ");
        }
        if(!(pOutBuf = (PBYTE) malloc(MAXMESSAGE)))
        {
            MyHandleError( __FUNCTION__ " Memory allocation ");
        }
        cbOut = MAXMESSAGE;
        // First leg: no input token yet, produces the ClientHello.
        LOGA ( ( __log_buf, SSPI_CLIENT " 1st message.\n"));
        if (!GenClientContext (
                NULL,
                0,
                pOutBuf,
                &cbOut,
                &fDone,
                pCertName,
                &g_hCred,
                &g_hCtext))
        {
            LOGA ( ( __log_buf, SSPI_CLIENT " GenClientContext failed\n"));
            free(pInBuf);
            free(pOutBuf);
            return(FALSE);
        }
        if (!SendMsg (s, pOutBuf, cbOut ))
        {
            MyHandleError(__FUNCTION__ " Send message failed ");
        }
        // Handshake loop: feed each server token back into the context until
        // InitializeSecurityContext reports the handshake as complete.
        while (!fDone)
        {
            if (!ReceiveMsg (
                    s,
                    pInBuf,
                    MAXMESSAGE,
                    &cbIn))
            {
                MyHandleError( __FUNCTION__ " Receive message failed ");
            }
            cbOut = MAXMESSAGE;
            LOGA ( ( __log_buf, SSPI_CLIENT " Message loop.\n"));
            if (!GenClientContext (
                    pInBuf,
                    cbIn,
                    pOutBuf,
                    &cbOut,
                    &fDone,
                    pCertName,
                    &g_hCred,
                    &g_hCtext))
            {
                MyHandleError( __FUNCTION__ " GenClientContext failed");
            }
            if (!SendMsg (
                    s,
                    pOutBuf,
                    cbOut))
            {
                MyHandleError( __FUNCTION__ " Send message failed");
            }
            LOGA ( ( __log_buf, SSPI_CLIENT " fDone %s.\n", fDone ? "Yes" : "No" ));
        }
        if (NULL != pInBuf)
        {
            free(pInBuf);
            pInBuf = NULL;
        }
        if (NULL != pOutBuf)
        {
            free(pOutBuf);
            pOutBuf = NULL;
        }
        LOGA ( ( __log_buf, SSPI_CLIENT " exit.\n"));
        return(TRUE);
    } // end DoAuthentication
    BOOL GenClientContext (
        BYTE *pIn,
        DWORD cbIn,
        BYTE *pOut,
        DWORD *pcbOut,
        BOOL *pfDone,
        WCHAR *pCertName,
        CredHandle *g_hCred,
        struct _SecHandle *g_hCtext)
    {
        SECURITY_STATUS ss;
        TimeStamp Lifetime;
        SecBufferDesc OutBuffDesc;
        SecBuffer OutSecBuff;
        SecBufferDesc InBuffDesc;
        SecBuffer InSecBuff[2];
        ULONG ContextAttributes;
        static TCHAR lpPackageName[1024];

        if( NULL == pIn )
        {
            // First call: acquire outbound SChannel credentials.
            // wcscpy_s takes the destination size in characters, not bytes.
            wcscpy_s(lpPackageName, _countof(lpPackageName), UNISP_NAME );
            ss = AcquireCredentialsHandle (
                NULL,
                lpPackageName,
                SECPKG_CRED_OUTBOUND,
                NULL,
                NULL,
                NULL,
                NULL,
                g_hCred,
                &Lifetime);

            if (!(SEC_SUCCESS (ss)))
                MyHandleError( __FUNCTION__ " AcquireCreds failed ");
        }

        // Prepare the buffers.
        OutBuffDesc.ulVersion = 0;
        OutBuffDesc.cBuffers = 1;
        OutBuffDesc.pBuffers = &OutSecBuff;

        OutSecBuff.cbBuffer = *pcbOut;
        OutSecBuff.BufferType = SECBUFFER_TOKEN;
        OutSecBuff.pvBuffer = pOut;

        // The input buffer is created only if a message has been received
        // from the server. SChannel expects the token plus one SECBUFFER_EMPTY
        // buffer, which it uses to report any extra bytes it did not consume.
        if (pIn)
        {
            LOGA ( ( __log_buf, SSPI_CLIENT " Call InitializeSecurityContext with pIn supplied.\n"));
            InBuffDesc.ulVersion = 0;
            InBuffDesc.cBuffers = 2;
            InBuffDesc.pBuffers = InSecBuff;

            InSecBuff[0].cbBuffer = cbIn;
            InSecBuff[0].BufferType = SECBUFFER_TOKEN;
            InSecBuff[0].pvBuffer = pIn;

            InSecBuff[1].pvBuffer = NULL;
            InSecBuff[1].cbBuffer = 0;
            InSecBuff[1].BufferType = SECBUFFER_EMPTY;

            ss = InitializeSecurityContext (
                g_hCred,
                g_hCtext,
                pCertName,
                MessageAttribute,
                0,
                0,
                &InBuffDesc,
                0,
                g_hCtext,
                &OutBuffDesc,
                &ContextAttributes,
                &Lifetime);
        }
        else
        {
            LOGA ( ( __log_buf, SSPI_CLIENT " Call InitializeSecurityContext with NULL pIn.\n"));
            ss = InitializeSecurityContext (
                g_hCred,
                NULL,
                pCertName,
                MessageAttribute,
                0,
                0,
                NULL,
                0,
                g_hCtext,
                &OutBuffDesc,
                &ContextAttributes,
                &Lifetime);
        }

        if (!SEC_SUCCESS (ss))
        {
            LOGA ( ( __log_buf, SSPI_CLIENT " InitializeSecurityContext failed with error 0x%08x\n", ss));
            MyHandleError ( __FUNCTION__ " InitializeSecurityContext failed " );
        }
        LOGA ( ( __log_buf, SSPI_CLIENT " InitializeSecurityContext returned 0x%08x\n", ss));

        // If necessary, complete the token.
        if ((SEC_I_COMPLETE_NEEDED == ss)
            || (SEC_I_COMPLETE_AND_CONTINUE == ss))
        {
            ss = CompleteAuthToken (g_hCtext, &OutBuffDesc);
            if (!SEC_SUCCESS(ss))
            {
                LOGA ( ( __log_buf, SSPI_CLIENT " complete failed: 0x%08x\n", ss));
                return FALSE;
            }
        }

        *pcbOut = OutSecBuff.cbBuffer;

        *pfDone = !((SEC_I_CONTINUE_NEEDED == ss) ||
            (SEC_I_COMPLETE_AND_CONTINUE == ss));

        LOGA ( ( __log_buf, SSPI_CLIENT " Token buffer generated (%lu bytes):\n", OutSecBuff.cbBuffer));
        PrintHexDump (OutSecBuff.cbBuffer, (PBYTE)OutSecBuff.pvBuffer);
        return TRUE;
    } // end GenClientContext
    PBYTE DecryptThis(
        PBYTE pBuffer,
        LPDWORD pcbMessage,
        struct _SecHandle *hCtxt)
    {
        SECURITY_STATUS ss;
        SecBufferDesc BuffDesc;
        SecBuffer SecBuff[4];
        ULONG ulQop = 0;
        ULONG i;

        // The server sent one stream block: header + ciphertext + trailer,
        // sized from its SECPKG_ATTR_STREAM_SIZES. SChannel's DecryptMessage
        // takes the whole block in a single SECBUFFER_DATA buffer plus three
        // empty buffers, and on success re-labels them as STREAM_HEADER,
        // DATA and STREAM_TRAILER.
        LOGA ( ( __log_buf, SSPI_CLIENT " data before decryption including trailer (%lu bytes):\n",
            *pcbMessage));
        PrintHexDump (*pcbMessage, (PBYTE) pBuffer);

        // Prepare the buffers to be passed to the DecryptMessage function.
        BuffDesc.ulVersion = 0;
        BuffDesc.cBuffers = 4;
        BuffDesc.pBuffers = SecBuff;

        SecBuff[0].cbBuffer = *pcbMessage;
        SecBuff[0].BufferType = SECBUFFER_DATA;
        SecBuff[0].pvBuffer = pBuffer;

        SecBuff[1].cbBuffer = 0;
        SecBuff[1].BufferType = SECBUFFER_EMPTY;
        SecBuff[1].pvBuffer = NULL;

        SecBuff[2].cbBuffer = 0;
        SecBuff[2].BufferType = SECBUFFER_EMPTY;
        SecBuff[2].pvBuffer = NULL;

        SecBuff[3].cbBuffer = 0;
        SecBuff[3].BufferType = SECBUFFER_EMPTY;
        SecBuff[3].pvBuffer = NULL;

        ss = DecryptMessage(
            hCtxt,
            &BuffDesc,
            0,
            &ulQop);

        if (!SEC_SUCCESS(ss))
        {
            LOGA ( ( __log_buf, SSPI_CLIENT " DecryptMessage failed with error 0x%08x\n", ss));
            return pBuffer;
        }
        LOGA ( ( __log_buf, SSPI_CLIENT " DecryptMessage success? Status: 0x%08x\n", ss));

        // Return a pointer to the decrypted data and shrink *pcbMessage to its
        // length. The header and trailer buffers are discarded.
        for (i = 0; i < BuffDesc.cBuffers; i++)
        {
            if (SECBUFFER_DATA == SecBuff[i].BufferType)
            {
                *pcbMessage = SecBuff[i].cbBuffer;
                return (PBYTE) SecBuff[i].pvBuffer;
            }
        }
        return pBuffer;
    } // end DecryptThis
    PBYTE VerifyThis(
        PBYTE pBuffer,
        LPDWORD pcbMessage,
        struct _SecHandle *hCtxt,
        ULONG cbMaxSignature)
    {
        SECURITY_STATUS ss;
        SecBufferDesc BuffDesc;
        SecBuffer SecBuff[2];
        ULONG ulQop = 0;
        PBYTE pSigBuffer;
        PBYTE pDataBuffer;

        // cbMaxSignature is the size of the signature in the message received.
        LOGA ( ( __log_buf, SSPI_CLIENT " data before verifying (including signature):\n"));
        PrintHexDump (*pcbMessage, pBuffer);

        // By agreement with the server,
        // the signature is at the beginning of the message received,
        // and the data that was signed comes after the signature.
        pSigBuffer = pBuffer;
        pDataBuffer = pBuffer + cbMaxSignature;

        // The size of the message is reset to the size of the data only.
        *pcbMessage = *pcbMessage - (cbMaxSignature);

        // Prepare the buffers to be passed to the signature verification
        // function.
        BuffDesc.ulVersion = 0;
        BuffDesc.cBuffers = 2;
        BuffDesc.pBuffers = SecBuff;

        SecBuff[0].cbBuffer = cbMaxSignature;
        SecBuff[0].BufferType = SECBUFFER_TOKEN;
        SecBuff[0].pvBuffer = pSigBuffer;

        SecBuff[1].cbBuffer = *pcbMessage;
        SecBuff[1].BufferType = SECBUFFER_DATA;
        SecBuff[1].pvBuffer = pDataBuffer;

        ss = VerifySignature(
            hCtxt,
            &BuffDesc,
            0,
            &ulQop);

        if (!SEC_SUCCESS(ss))
        {
            LOGA ( ( __log_buf, SSPI_CLIENT " VerifySignature failed with error 0x%08x\n", ss));
        }
        else
        {
            LOGA ( ( __log_buf, SSPI_CLIENT " Message was properly signed.\n"));
        }

        return pDataBuffer;
    } // end VerifyThis
    void PrintHexDump(
        DWORD length,
        PBYTE buffer)
    {
        DWORD i,count,index;
        CHAR rgbDigits[]="0123456789abcdef";
        CHAR rgbLine[100];
        int cbLine;

        for(index = 0; length;
            length -= count, buffer += count, index += count)
        {
            count = (length > 16) ? 16:length;

            // Offset column; continue writing right after it.
            sprintf_s(rgbLine, 100, "%4.4x ",index);
            cbLine = (int) strlen(rgbLine);

            for(i=0;i<count;i++)
            {
                rgbLine[cbLine++] = rgbDigits[buffer[i] >> 4];
                rgbLine[cbLine++] = rgbDigits[buffer[i] & 0x0f];
                if(i == 7)
                {
                    rgbLine[cbLine++] = ':';
                }
                else
                {
                    rgbLine[cbLine++] = ' ';
                }
            }
            // Pad a short final line so the ASCII column lines up.
            for(; i < 16; i++)
            {
                rgbLine[cbLine++] = ' ';
                rgbLine[cbLine++] = ' ';
                rgbLine[cbLine++] = ' ';
            }

            rgbLine[cbLine++] = ' ';

            for(i = 0; i < count; i++)
            {
                if(buffer[i] < 32 || buffer[i] > 126)
                {
                    rgbLine[cbLine++] = '.';
                }
                else
                {
                    rgbLine[cbLine++] = buffer[i];
                }
            }

            rgbLine[cbLine++] = 0;
            LOGA ( ( __log_buf, SSPI_CLIENT " %s\n", rgbLine));
        }
    } // end PrintHexDump
    BOOL SendMsg (
        SOCKET s,
        PBYTE pBuf,
        DWORD cbBuf)
    {
        if (0 == cbBuf)
            return(TRUE);

        // Send the size of the message.
        LOGA ( ( __log_buf, SSPI_CLIENT " %lu bytes\n", cbBuf ));
        if (!SendBytes (s, (PBYTE)&cbBuf, sizeof (cbBuf)))
        {
            LOGA ( ( __log_buf, SSPI_CLIENT " size failed.\n" ) );
            return(FALSE);
        }

        // Send the body of the message.
        if (!SendBytes (
            s,
            pBuf,
            cbBuf))
        {
            LOGA ( ( __log_buf, SSPI_CLIENT " body failed.\n" ) );
            return(FALSE);
        }

        LOGA ( ( __log_buf, SSPI_CLIENT " success\n" ) );
        return(TRUE);
    } // end SendMsg

    BOOL ReceiveMsg (
        SOCKET s,
        PBYTE pBuf,
        DWORD cbBuf,
        DWORD *pcbRead)
    {
        DWORD cbRead;
        DWORD cbData;

        // Receive the number of bytes in the message.
        LOGA ( ( __log_buf, SSPI_CLIENT " entry.\n" ));
        if (!ReceiveBytes (
            s,
            (PBYTE)&cbData,
            sizeof (cbData),
            &cbRead))
            return(FALSE);

        if (sizeof (cbData) != cbRead)
        {
            LOGA ( ( __log_buf, SSPI_CLIENT " failed: size of cbData %lu, bytes %lu\n", sizeof (cbData), cbRead));
            return(FALSE);
        }

        // The length prefix comes from the peer: reject anything larger than
        // the caller's buffer instead of letting ReceiveBytes overrun it.
        if (cbData > cbBuf)
        {
            LOGA ( ( __log_buf, SSPI_CLIENT " failed: reported size %lu exceeds buffer size %lu\n", cbData, cbBuf));
            return(FALSE);
        }

        // Read the full message.
        if (!ReceiveBytes (
            s,
            pBuf,
            cbData,
            &cbRead))
            return(FALSE);

        if (cbRead != cbData)
            return(FALSE);

        *pcbRead = cbRead;
        return(TRUE);
    } // end ReceiveMsg
    BOOL SendBytes (
        SOCKET s,
        PBYTE pBuf,
        DWORD cbBuf)
    {
        PBYTE pTemp = pBuf;
        int cbSent;
        int cbRemaining = cbBuf;

        if (0 == cbBuf)
            return(TRUE);

        // send() may accept fewer bytes than requested; loop until all are out.
        while (cbRemaining)
        {
            LOGA ( ( __log_buf, SSPI_CLIENT " %lu bytes.\n", cbRemaining ));
            cbSent = send (
                s,
                (const char *)pTemp,
                cbRemaining,
                0);
            if (SOCKET_ERROR == cbSent)
            {
                LOGA ( ( __log_buf, SSPI_CLIENT " send failed: 0x%08.8X\n", GetLastError ()));
                return FALSE;
            }

            pTemp += cbSent;
            cbRemaining -= cbSent;
        }

        LOGA ( ( __log_buf, SSPI_CLIENT " success\n" ) );
        return TRUE;
    } // end SendBytes

    BOOL ReceiveBytes (
        SOCKET s,
        PBYTE pBuf,
        DWORD cbBuf,
        DWORD *pcbRead)
    {
        PBYTE pTemp = pBuf;
        int cbRead, cbRemaining = cbBuf;

        LOGA ( ( __log_buf, SSPI_CLIENT " Entry: %lu bytes.\n", cbRemaining ));
        // recv() may return partial data; loop until the buffer is full or the
        // peer closes the connection (recv returns 0).
        while (cbRemaining)
        {
            cbRead = recv (
                s,
                (char *)pTemp,
                cbRemaining,
                0);
            LOGA ( ( __log_buf, SSPI_CLIENT " %lu bytes remaining.\n", cbRemaining ));
            if (0 == cbRead)
                break;

            if (SOCKET_ERROR == cbRead)
            {
                LOGA ( ( __log_buf, SSPI_CLIENT " recv failed: 0x%08.8X\n", GetLastError ()));
                return FALSE;
            }

            cbRemaining -= cbRead;
            pTemp += cbRead;
        }

        *pcbRead = cbBuf - cbRemaining;
        LOGA ( ( __log_buf, SSPI_CLIENT " success.\n" ));
        return TRUE;
    } // end ReceiveBytes

    void MyHandleError(char *s)
    {
        DWORD err = GetLastError();
        if (err)
        {
            LOGA ( ( __log_buf, SSPI_CLIENT " %s error (0x%08.8X). Exiting.\n",s, err ));
        }
        else
        {
            LOGA ( ( __log_buf, SSPI_CLIENT " %s error (no error info). Exiting.\n",s ));
        }
        exit (EXIT_FAILURE);
    } // end MyHandleError
    Server.cpp
    // This is a server-side SSPI Windows Sockets program.
    #include "StdAfx.h"
    #include <windows.h>
    #include <winsock.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include "Sspiexample.h"
    #include <iostream>

    CredHandle g_hcred;
    struct _SecHandle g_hctxt;
    static PBYTE g_pInBuf = NULL;
    static PBYTE g_pOutBuf = NULL;
    static DWORD g_cbMaxMessage;
    static TCHAR g_lpPackageName[1024];

    BOOL AcceptAuthSocket (SOCKET *ServerSocket, std::string certThumb );

    #define SSPI_SERVER "SChannelServer:" __FUNCTION__

    int main (int argc, char * argv[])
    {
        CHAR pMessage[200];
        DWORD cbMessage;
        PBYTE pDataToClient = NULL;
        DWORD cbDataToClient = 0;
        PWCHAR pUserName = NULL;
        DWORD cbUserName = 0;
        SOCKET Server_Socket;
        WSADATA wsaData;
        SECURITY_STATUS ss;
        PSecPkgInfo pkgInfo;
        SecPkgContext_StreamSizes SecPkgSizes;
        SecPkgContext_PackageInfo SecPkgPkgInfo;
        ULONG cbMaxMessage;
        ULONG cbHeader;
        ULONG cbTrailer;
        std::string certThumb;

        // Create a certificate if no thumbprint is supplied. Otherwise, use the provided
        // thumbprint to find the certificate.
        if ( (argc > 1) && (strlen( argv[1]) > 0) )
        {
            certThumb.assign(argv[1]);
        }
        else
        {
            LOGA( ( __log_buf, SSPI_SERVER " : No certificate thumbprint supplied.\n") );
            LOGA( ( __log_buf, SSPI_SERVER " : Press ENTER to create a certificate, or abort and start over with a thumbprint.\n") );
            std::cin.get();
            certThumb.clear();
            // Insert code to find or create X.509 certificate.
        }

        // Set the default package to SChannel.
        // wcscpy_s takes the destination size in characters, not bytes.
        wcscpy_s(g_lpPackageName, _countof(g_lpPackageName), UNISP_NAME);

        // Initialize the socket interface and the security package.
        if( WSAStartup (0x0101, &wsaData))
        {
            LOGA ( ( __log_buf, SSPI_SERVER " Could not initialize winsock: \n") );
            cleanup();
        }

        ss = QuerySecurityPackageInfo (
            g_lpPackageName,
            &pkgInfo);

        if (!SEC_SUCCESS(ss))
        {
            LOGA ( ( __log_buf, SSPI_SERVER " Could not query package info for %ls, error 0x%08x\n",
                g_lpPackageName, ss) );
            cleanup();
        }

        g_cbMaxMessage = pkgInfo->cbMaxToken;

        FreeContextBuffer(pkgInfo);

        g_pInBuf = (PBYTE) malloc (g_cbMaxMessage);
        g_pOutBuf = (PBYTE) malloc (g_cbMaxMessage);

        if (NULL == g_pInBuf || NULL == g_pOutBuf)
        {
            LOGA ( ( __log_buf, SSPI_SERVER " Memory allocation error.\n"));
            cleanup();
        }

        // Start looping for clients.
        while(TRUE)
        {
            LOGA ( ( __log_buf, SSPI_SERVER " Waiting for client to connect...\n"));

            // Make an authenticated connection with client.
            if (!AcceptAuthSocket (&Server_Socket, certThumb ))
            {
                LOGA ( ( __log_buf, SSPI_SERVER " Could not authenticate the socket.\n"));
                cleanup();
            }

            ss = QueryContextAttributes(
                &g_hctxt,
                SECPKG_ATTR_STREAM_SIZES,
                &SecPkgSizes );

            if (!SEC_SUCCESS(ss))
            {
                LOGA ( ( __log_buf, SSPI_SERVER " failed: 0x%08x\n", ss));
                exit(1);
            }

            // The following values are used for encryption and signing.
            cbMaxMessage = SecPkgSizes.cbMaximumMessage;
            cbHeader = SecPkgSizes.cbHeader;
            cbTrailer = SecPkgSizes.cbTrailer;
            LOGA ( ( __log_buf, SSPI_SERVER " cbHeader %u, cbMaxMessage %u, cbTrailer %u\n", cbHeader, cbMaxMessage, cbTrailer ));

            ss = QueryContextAttributes(
                &g_hctxt,
                SECPKG_ATTR_PACKAGE_INFO,
                &SecPkgPkgInfo );

            if (!SEC_SUCCESS(ss))
            {
                LOGA ( ( __log_buf, SSPI_SERVER " failed: 0x%08x\n", ss));
                exit(1);
            }
            else
            {
                LOGA ( ( __log_buf, SSPI_SERVER " Package Name: %ls\n", SecPkgPkgInfo.PackageInfo->Name));
            }

            // Free the allocated buffer.
            FreeContextBuffer(SecPkgPkgInfo.PackageInfo);

            // Send the client an encrypted message.
            strcpy_s(pMessage, sizeof(pMessage),
                TEST_MSG);
            cbMessage = (DWORD)strlen(pMessage);

            if (!EncryptThis (
                (PBYTE) pMessage,
                cbMessage,
                &pDataToClient,
                &cbDataToClient,
                cbHeader,
                cbTrailer))
            {
                LOGA ( ( __log_buf, SSPI_SERVER " EncryptThis failed. \n"));
                cleanup();
            }

            // Send the encrypted data to client.
            if (!SendBytes(
                Server_Socket,
                pDataToClient,
                cbDataToClient))
            {
                LOGA ( ( __log_buf, SSPI_SERVER " send message failed. \n"));
                cleanup();
            }

            LOGA ( ( __log_buf, SSPI_SERVER " %d encrypted bytes sent. \n", cbDataToClient));

            if (Server_Socket)
            {
                DeleteSecurityContext (&g_hctxt);
                FreeCredentialHandle (&g_hcred);
                shutdown (Server_Socket, 2) ;
                closesocket (Server_Socket);
                Server_Socket = 0;
            }

            if (pUserName)
            {
                free (pUserName);
                pUserName = NULL;
                cbUserName = 0;
            }

            if(pDataToClient)
            {
                free (pDataToClient);
                pDataToClient = NULL;
                cbDataToClient = 0;
            }
        } // end while loop

        LOGA ( ( __log_buf, SSPI_SERVER " Server ran to completion without error.\n"));
        cleanup();
        return 0;
    } // end main
    BOOL AcceptAuthSocket (SOCKET *ServerSocket, std::string certThumb )
    {
        SOCKET sockListen;
        SOCKET sockClient;
        SOCKADDR_IN sockIn;

        // Create listening socket.
        sockListen = socket (
            PF_INET,
            SOCK_STREAM,
            0);

        if (INVALID_SOCKET == sockListen)
        {
            LOGA ( ( __log_buf, SSPI_SERVER " Failed to create socket: %u\n", GetLastError ()));
            return(FALSE);
        }

        // Bind to local port.
        sockIn.sin_family = AF_INET;
        sockIn.sin_addr.s_addr = 0;
        sockIn.sin_port = htons(usPort);

        if (SOCKET_ERROR == bind (
            sockListen,
            (LPSOCKADDR) &sockIn,
            sizeof (sockIn)))
        {
            LOGA ( ( __log_buf, SSPI_SERVER " bind failed: %u\n", GetLastError ()));
            return(FALSE);
        }

        // Listen for client.
        if (SOCKET_ERROR == listen (sockListen, 1))
        {
            LOGA ( ( __log_buf, SSPI_SERVER " Listen failed: %u\n", GetLastError ()));
            return(FALSE);
        }
        else
        {
            LOGA ( ( __log_buf, SSPI_SERVER " Listening ! \n"));
        }

        // Accept client.
        sockClient = accept (
            sockListen,
            NULL,
            NULL);

        if (INVALID_SOCKET == sockClient)
        {
            LOGA ( ( __log_buf, SSPI_SERVER " accept failed: %u\n",GetLastError() ) );
            return(FALSE);
        }

        closesocket (sockListen);

        *ServerSocket = sockClient;

        return(DoAuthentication (sockClient, certThumb ));
    } // end AcceptAuthSocket

    BOOL DoAuthentication (SOCKET AuthSocket, std::string certThumb )
    {
        SECURITY_STATUS ss;
        DWORD cbIn, cbOut;
        BOOL done = FALSE;
        TimeStamp Lifetime;
        BOOL fNewConversation;

        fNewConversation = TRUE;

        PCCERT_CONTEXT pCertCtxt;
        // Insert code to retrieve pCertCtxt

        // Build SCHANNEL_CRED structure to hold CERT_CONTEXT for call to AcquireCredentialsHandle
        SCHANNEL_CRED credSchannel = {0};
        credSchannel.dwVersion = SCHANNEL_CRED_VERSION;
        credSchannel.grbitEnabledProtocols = SP_PROT_SSL2_SERVER | SP_PROT_TLS1_SERVER;
        credSchannel.cCreds = 1;
        credSchannel.paCred = &pCertCtxt;

        ss = AcquireCredentialsHandle (
            NULL,               //pszPrincipal
            g_lpPackageName,    //pszPackage
            SECPKG_CRED_INBOUND, //fCredentialuse
            NULL,               //pvLogonID
            &credSchannel,      //pAuthData - SCHANNEL_CRED structure that indicates the protocol to use and the settings for various customizable channel features.
            NULL,               //pGetKeyFn
            NULL,               //pvGetKeyArgument
            &g_hcred,           //phCredential
            &Lifetime);         //ptsExpiry

        if (!SEC_SUCCESS (ss))
        {
            LOGA ( ( __log_buf, SSPI_SERVER " AcquireCreds failed: 0x%08x\n", ss));
            return(FALSE);
        }

        while(!done)
        {
            if (!ReceiveMsg (
                AuthSocket,
                g_pInBuf,
                g_cbMaxMessage,
                &cbIn))
                return(FALSE);

            cbOut = g_cbMaxMessage;

            if (!GenServerContext (
                g_pInBuf,
                cbIn,
                g_pOutBuf,
                &cbOut,
                &done,
                fNewConversation))
            {
                LOGA ( ( __log_buf, SSPI_SERVER " GenServerContext failed.\n"));
                return(FALSE);
            }
            fNewConversation = FALSE;
            if (!SendMsg (
                AuthSocket,
                g_pOutBuf,
                cbOut))
            {
                LOGA ( ( __log_buf, SSPI_SERVER " Send message failed.\n"));
                return(FALSE);
            }
        }

        return(TRUE);
    } // end DoAuthentication
    BOOL GenServerContext (
        BYTE *pIn,
        DWORD cbIn,
        BYTE *pOut,
        DWORD *pcbOut,
        BOOL *pfDone,
        BOOL fNewConversation)
    {
        SECURITY_STATUS ss;
        TimeStamp Lifetime;
        SecBufferDesc OutBuffDesc;
        SecBuffer OutSecBuff;
        SecBufferDesc InBuffDesc;
        SecBuffer InSecBuff[2];
        ULONG Attribs = 0;

        // Prepare output buffers.
        OutBuffDesc.ulVersion = 0;
        OutBuffDesc.cBuffers = 1;
        OutBuffDesc.pBuffers = &OutSecBuff;

        OutSecBuff.cbBuffer = *pcbOut;
        OutSecBuff.BufferType = SECBUFFER_TOKEN;
        OutSecBuff.pvBuffer = pOut;

        // Prepare input buffers: the client's token plus one SECBUFFER_EMPTY
        // buffer, which SChannel uses to report unconsumed (extra) bytes.
        InBuffDesc.ulVersion = 0;
        InBuffDesc.cBuffers = 2;
        InBuffDesc.pBuffers = InSecBuff;

        InSecBuff[0].cbBuffer = cbIn;
        InSecBuff[0].BufferType = SECBUFFER_TOKEN;
        InSecBuff[0].pvBuffer = pIn;

        InSecBuff[1].cbBuffer = 0;
        InSecBuff[1].BufferType = SECBUFFER_EMPTY;
        InSecBuff[1].pvBuffer = NULL;

        LOGA ( ( __log_buf, SSPI_SERVER " Token buffer received (%lu bytes):\n", InSecBuff[0].cbBuffer));
        PrintHexDump (InSecBuff[0].cbBuffer, (PBYTE)InSecBuff[0].pvBuffer);

        ss = AcceptSecurityContext (
            &g_hcred,
            fNewConversation ? NULL : &g_hctxt,
            &InBuffDesc,
            Attribs,
            SECURITY_NATIVE_DREP,
            &g_hctxt,
            &OutBuffDesc,
            &Attribs,
            &Lifetime);

        if (!SEC_SUCCESS (ss))
        {
            LOGA ( ( __log_buf, SSPI_SERVER " AcceptSecurityContext failed: 0x%08x\n", ss));
            OutputDebugStringA( "." );
            return FALSE;
        }

        // Complete token if applicable.
        if ((SEC_I_COMPLETE_NEEDED == ss)
            || (SEC_I_COMPLETE_AND_CONTINUE == ss))
        {
            ss = CompleteAuthToken (&g_hctxt, &OutBuffDesc);
            if (!SEC_SUCCESS(ss))
            {
                LOGA ( ( __log_buf, SSPI_SERVER " complete failed: 0x%08x\n", ss));
                OutputDebugStringA( "." );
                return FALSE;
            }
        }

        *pcbOut = OutSecBuff.cbBuffer;

        // fNewConversation equals FALSE.

        LOGA ( ( __log_buf, SSPI_SERVER " Token buffer generated (%lu bytes):\n",
            OutSecBuff.cbBuffer));
        PrintHexDump (
            OutSecBuff.cbBuffer,
            (PBYTE)OutSecBuff.pvBuffer);

        *pfDone = !((SEC_I_CONTINUE_NEEDED == ss)
            || (SEC_I_COMPLETE_AND_CONTINUE == ss));

        LOGA ( ( __log_buf, SSPI_SERVER " AcceptSecurityContext result = 0x%08x\n", ss));

        return TRUE;
    } // end GenServerContext
    BOOL EncryptThis (
        PBYTE pMessage,
        ULONG cbMessage,
        BYTE ** ppOutput,
        ULONG * pcbOutput,
        ULONG cbHeader,
        ULONG cbTrailer)
    {
        SECURITY_STATUS ss;
        SecBufferDesc BuffDesc;
        SecBuffer SecBuff[4];
        ULONG ulQop = 0;
        PBYTE pHeader;
        PBYTE pTrailer;

        // The header and trailer sizes come from the caller, which read them
        // from SECPKG_ATTR_STREAM_SIZES after the handshake.
        LOGA ( ( __log_buf, SSPI_SERVER " Data before encryption: %s\n", pMessage));
        LOGA ( ( __log_buf, SSPI_SERVER " Length of data before encryption: %d \n",cbMessage));

        // Prepare buffers.
        BuffDesc.ulVersion = 0;
        BuffDesc.cBuffers = 4;
        BuffDesc.pBuffers = SecBuff;

        pHeader = (PBYTE) malloc (cbHeader);
        pTrailer = (PBYTE) malloc (cbTrailer);
        if (NULL == pHeader || NULL == pTrailer)
        {
            LOGA ( ( __log_buf, SSPI_SERVER " Memory allocation error.\n"));
            free (pHeader);
            free (pTrailer);
            return(FALSE);
        }

        SecBuff[0].cbBuffer = cbHeader;
        SecBuff[0].BufferType = SECBUFFER_STREAM_HEADER;
        SecBuff[0].pvBuffer = pHeader;

        SecBuff[1].cbBuffer = cbMessage;
        SecBuff[1].BufferType = SECBUFFER_DATA;
        SecBuff[1].pvBuffer = pMessage;

        SecBuff[2].cbBuffer = cbTrailer;
        SecBuff[2].BufferType = SECBUFFER_STREAM_TRAILER;
        SecBuff[2].pvBuffer = pTrailer;

        SecBuff[3].cbBuffer = 0;
        SecBuff[3].BufferType = SECBUFFER_EMPTY;
        SecBuff[3].pvBuffer = NULL;

        ss = EncryptMessage(
            &g_hctxt,
            ulQop,
            &BuffDesc,
            0);

        if (!SEC_SUCCESS(ss))
        {
            LOGA ( ( __log_buf, SSPI_SERVER " EncryptMessage failed: 0x%08x\n", ss));
            free (pHeader);
            free (pTrailer);
            return(FALSE);
        }
        else
        {
            LOGA ( ( __log_buf, SSPI_SERVER " The message has been encrypted. \n"));
        }

        // Allocate a buffer to hold the encrypted data constructed from the 3 buffers.
        *pcbOutput = cbHeader + cbMessage + cbTrailer;
        *ppOutput = (PBYTE) malloc (*pcbOutput);
        if (NULL == *ppOutput)
        {
            LOGA ( ( __log_buf, SSPI_SERVER " Memory allocation error.\n"));
            free (pHeader);
            free (pTrailer);
            return(FALSE);
        }
        memset (*ppOutput, 0, *pcbOutput);

        memcpy (*ppOutput, pHeader, cbHeader);
        memcpy (*ppOutput + cbHeader, pMessage, cbMessage);
        memcpy (*ppOutput + cbHeader + cbMessage, pTrailer, cbTrailer);

        // The scratch header and trailer buffers are no longer needed.
        free (pHeader);
        free (pTrailer);

        LOGA ( ( __log_buf, SSPI_SERVER " data after encryption including trailer (%lu bytes):\n",
            *pcbOutput));
        PrintHexDump (*pcbOutput, *ppOutput);

        return TRUE;
    } // end EncryptThis
    void PrintHexDump(DWORD length, PBYTE buffer)
    {
        DWORD i,count,index;
        CHAR rgbDigits[]="0123456789abcdef";
        CHAR rgbLine[100];
        int cbLine;

        for(index = 0; length;
            length -= count, buffer += count, index += count)
        {
            count = (length > 16) ? 16:length;

            // Offset column; continue writing right after it.
            sprintf_s(rgbLine, 100, "%4.4x ",index);
            cbLine = (int) strlen(rgbLine);

            for(i=0;i<count;i++)
            {
                rgbLine[cbLine++] = rgbDigits[buffer[i] >> 4];
                rgbLine[cbLine++] = rgbDigits[buffer[i] & 0x0f];
                if(i == 7)
                {
                    rgbLine[cbLine++] = ':';
                }
                else
                {
                    rgbLine[cbLine++] = ' ';
                }
            }
            // Pad a short final line so the ASCII column lines up.
            for(; i < 16; i++)
            {
                rgbLine[cbLine++] = ' ';
                rgbLine[cbLine++] = ' ';
                rgbLine[cbLine++] = ' ';
            }

            rgbLine[cbLine++] = ' ';

            for(i = 0; i < count; i++)
            {
                if(buffer[i] < 32 || buffer[i] > 126)
                {
                    rgbLine[cbLine++] = '.';
                }
                else
                {
                    rgbLine[cbLine++] = buffer[i];
                }
            }

            rgbLine[cbLine++] = 0;
            LOGA ( ( __log_buf, SSPI_SERVER " %s\n", rgbLine));
        }
    } // end PrintHexDump

    BOOL SendMsg (
        SOCKET s,
        PBYTE pBuf,
        DWORD cbBuf)
    {
        LOGA ( ( __log_buf, SSPI_SERVER " %lu bytes\n", cbBuf ));
        if (0 == cbBuf)
            return(TRUE);

        // Send the size of the message.
        if (!SendBytes (
            s,
            (PBYTE)&cbBuf,
            sizeof (cbBuf)))
            return(FALSE);

        // Send the body of the message.
        if (!SendBytes (
            s,
            pBuf,
            cbBuf))
            return(FALSE);

        return(TRUE);
    } // end SendMsg
    BOOL ReceiveMsg (
        SOCKET s,
        PBYTE pBuf,
        DWORD cbBuf,
        DWORD *pcbRead)
    {
        DWORD cbRead;
        DWORD cbData;

        LOGA ( ( __log_buf, SSPI_SERVER " %lu bytes\n", cbBuf ));
        // Retrieve the number of bytes in the message.
        if (!ReceiveBytes (
            s,
            (PBYTE)&cbData,
            sizeof (cbData),
            &cbRead))
        {
            LOGA ( ( __log_buf, SSPI_SERVER " ReceiveBytes failed retrieving byte count.\n" ));
            return(FALSE);
        }

        if (sizeof (cbData) != cbRead)
        {
            LOGA ( ( __log_buf, SSPI_SERVER " Error: buffer size (%lu) differs from reported size (%lu)\n", sizeof(cbData), cbRead ));
            return(FALSE);
        }

        // The length prefix comes from the peer: reject anything larger than
        // the caller's buffer instead of letting ReceiveBytes overrun it.
        if (cbData > cbBuf)
        {
            LOGA ( ( __log_buf, SSPI_SERVER " Error: reported size (%lu) exceeds buffer size (%lu)\n", cbData, cbBuf ));
            return(FALSE);
        }

        // Read the full message.
        if (!ReceiveBytes (
            s,
            pBuf,
            cbData,
            &cbRead))
        {
            LOGA ( ( __log_buf, SSPI_SERVER " ReceiveBytes failed.\n" ));
            return(FALSE);
        }

        if (cbRead != cbData)
        {
            LOGA ( ( __log_buf, SSPI_SERVER " Error: buffer bytes (%lu) differs from reported bytes (%lu)\n", cbData, cbRead ));
            return(FALSE);
        }

        *pcbRead = cbRead;

        return(TRUE);
    } // end ReceiveMsg

    BOOL SendBytes (
        SOCKET s,
        PBYTE pBuf,
        DWORD cbBuf)
    {
        PBYTE pTemp = pBuf;
        int cbSent, cbRemaining = cbBuf;

        LOGA ( ( __log_buf, SSPI_SERVER " %lu bytes\n", cbBuf ));
        if (0 == cbBuf)
            return(TRUE);

        // send() may accept fewer bytes than requested; loop until all are out.
        while (cbRemaining)
        {
            cbSent = send (
                s,
                (const char *)pTemp,
                cbRemaining,
                0);
            if (SOCKET_ERROR == cbSent)
            {
                LOGA ( ( __log_buf, SSPI_SERVER " send failed: %u\n", GetLastError ()));
                return FALSE;
            }

            LOGA ( ( __log_buf, SSPI_SERVER " %lu bytes sent\n", cbSent ));
            pTemp += cbSent;
            cbRemaining -= cbSent;
        }

        return TRUE;
    } // end SendBytes

    BOOL ReceiveBytes (
        SOCKET s,
        PBYTE pBuf,
        DWORD cbBuf,
        DWORD *pcbRead)
    {
        PBYTE pTemp = pBuf;
        int cbRead, cbRemaining = cbBuf;

        LOGA ( ( __log_buf, SSPI_SERVER " %lu bytes\n", cbBuf ));
        // recv() may return partial data; loop until the buffer is full or the
        // peer closes the connection (recv returns 0).
        while (cbRemaining)
        {
            cbRead = recv (
                s,
                (char *)pTemp,
                cbRemaining,
                0);
            if (0 == cbRead)
                break;

            if (SOCKET_ERROR == cbRead)
            {
                LOGA ( ( __log_buf, SSPI_SERVER " recv failed: %u\n", GetLastError () ) );
                return FALSE;
            }

            cbRemaining -= cbRead;
            pTemp += cbRead;
        }

        *pcbRead = cbBuf - cbRemaining;

        return TRUE;
    } // end ReceiveBytes

    void cleanup()
    {
        if (g_pInBuf)
        {
            free (g_pInBuf);
            g_pInBuf = NULL;
        }

        if (g_pOutBuf)
        {
            free (g_pOutBuf);
            g_pOutBuf = NULL;
        }

        WSACleanup ();
        exit(0);
    } // end cleanup
    SspiExample.h
    // SspiExample.h
    #pragma once

    // sspi.h requires SECURITY_WIN32 (or SECURITY_KERNEL) to be defined first.
    #ifndef SECURITY_WIN32
    #define SECURITY_WIN32
    #endif

    #include <windows.h>
    #include <sspi.h>
    #include <schnlsp.h>
    #include <stdarg.h>
    #include <stdio.h>
    #include <string>

    BOOL SendMsg (SOCKET s, PBYTE pBuf, DWORD cbBuf);
    BOOL ReceiveMsg (SOCKET s, PBYTE pBuf, DWORD cbBuf, DWORD *pcbRead);
    BOOL SendBytes (SOCKET s, PBYTE pBuf, DWORD cbBuf);
    BOOL ReceiveBytes (SOCKET s, PBYTE pBuf, DWORD cbBuf, DWORD *pcbRead);
    void cleanup();

    BOOL GenClientContext (
        BYTE *pIn,
        DWORD cbIn,
        BYTE *pOut,
        DWORD *pcbOut,
        BOOL *pfDone,
        WCHAR *pCertName,
        CredHandle *hCred,
        PSecHandle phCtext);

    BOOL GenServerContext (
        BYTE *pIn,
        DWORD cbIn,
        BYTE *pOut,
        DWORD *pcbOut,
        BOOL *pfDone,
        BOOL fNewConversation);

    BOOL EncryptThis (
        PBYTE pMessage,
        ULONG cbMessage,
        BYTE ** ppOutput,
        LPDWORD pcbOutput,
        ULONG cbHeader,
        ULONG cbTrailer);

    PBYTE DecryptThis(
        PBYTE achData,
        LPDWORD pcbMessage,
        struct _SecHandle *hCtxt);

    BOOL SignThis (
        PBYTE pMessage,
        ULONG cbMessage,
        BYTE ** ppOutput,
        LPDWORD pcbOutput);

    PBYTE VerifyThis(
        PBYTE pBuffer,
        LPDWORD pcbMessage,
        struct _SecHandle *hCtxt,
        ULONG cbMaxSignature);

    void PrintHexDump(DWORD length, PBYTE buffer);

    BOOL ConnectAuthSocket (
        SOCKET *s,
        CredHandle *hCred,
        PSecHandle phCtext,
        char * pServer,
        WCHAR * pCertName);

    BOOL CloseAuthSocket (SOCKET s);

    BOOL DoAuthentication (SOCKET s, WCHAR * pCertName );
    BOOL DoAuthentication (SOCKET s, std::string certThumb );

    void MyHandleError(char *s);

    #define DBG_SIZE 1024

    // Forward a formatted line to the debugger output window.
    static int OutputDebug( const char *buff )
    {
        int retval;
        char debugstring[DBG_SIZE+32];
        retval = _snprintf_s( debugstring, DBG_SIZE+32, _TRUNCATE, " %s", buff );
        OutputDebugStringA( debugstring );
        return retval;
    }

    // printf-style formatting into a caller-supplied DBG_SIZE buffer.
    static int DbgBufCopy( char *buff, const char *format, ...)
    {
        int iLen;
        va_list args;
        /// Call va_start to start the variable list
        va_start(args, format);
        /// Call _vsnprintf_s to copy debug information to the buffer
        iLen = _vsnprintf_s(buff, DBG_SIZE, _TRUNCATE, format, args);
        /// Call va_end to end the variable list
        va_end(args);
        return iLen;
    }

    // LOGA ( ( __log_buf, "format", args... ) ) formats into a local buffer,
    // prints it to stdout and mirrors it to the debugger output.
    #define LOGA(_format_and_args_)\
    { char __log_buf[DBG_SIZE];\
      DbgBufCopy _format_and_args_;\
      printf("%s", __log_buf );\
      OutputDebug(__log_buf);\
    }

    #define TEST_MSG "This is your server speaking"
    My initial attempt built an SCHANNEL_CRED structure following the documentation to set grbitEnabledProtocols to 0, and let SChannel select the protocol.  This worked on Windows 7, selecting TLS1.  When I ran the same exes on 2008 R2, the Client program failed, with InitializeSecurityContext returning SEC_E_DECRYPT_FAILURE.
    The failure occurred on the 2nd call, using phNewContext returned on the first call.
    My next attempt set grbitEnabledProtocols to SP_PROT_TLS1_SERVER. This also worked on Win 7, but 2008 R2 failed again, this time on the Server side. AcceptSecurityContext failed, returning SEC_E_ALGORITHM_MISMATCH.
    TLS is a requirement for my project, but to try getting the sample to run, I next set grbitEnabledProtocols to SP_PROT_SSL2_SERVER.  This did work for 2008 R2, selecting SSL2, but now the Server failed on Win 7 with AcceptSecurityContext returning SEC_E_ALGORITHM_MISMATCH.
    My final try was to set grbitEnabledProtocols to SP_PROT_TLS1_SERVER | SP_PROT_SSL2_SERVER, but that failed identically to the first case, with the Client on 2008 R2 returning SEC_E_DECRYPT_FAILURE.
    So my question is: what is required to get SChannel to select TLS regardless of the Windows version on which the programs are running?

    Thank you for the reference.  That did provide the information I needed to get TLS working.   However, the documentation is not accurate with regard to setting the registry keys and values.
    The tables all show DisabledByDefault as a subkey under the protocol.  They also describe a DWORD value, Enabled, as the mechanism to enable/disable a protocol.
    What I found is that DisabledByDefault is a DWORD value under Client/Server, and it appears to be the determining factor in whether a protocol is enabled/disabled.
    The only way I was able to get TLS 1.1 working is with the following path present:
    HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client
    Under Client, I must have DisabledByDefault set to 0.  With that, the Enabled value does not need to be present.
    This held true for any level of TLS.
    I also found the setting of grbitEnabledProtocols in the SCHANNEL_CRED structure to be misleading.  From the description at
    https://msdn.microsoft.com/en-us/library/windows/desktop/aa379810(v=vs.85).aspx, I thought my Server program could set this field to 0, and SChannel would select the protocol as directed by the registry.  What I found is that the structure flag must agree with the registry setting for TLS to work.  That is, with the registry key above for TLS 1.1, I must set grbitEnabledProtocols to SP_PROT_TLS1_1.
    Can you confirm the relationship between the SCHANNEL_CRED contents and registry state?
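    As an added example (not code from this thread), a read-only PowerShell audit of the SCHANNEL protocol keys discussed above: for each protocol and side it reports the Enabled and DisabledByDefault DWORDs so the registry state can be compared with the grbitEnabledProtocols mask a program passes in SCHANNEL_CRED. The protocol list and the warning rule are my assumptions; the script changes nothing and needs PowerShell 3.0 or later for the [pscustomobject] syntax.

```powershell
# Added example, not from the original thread. Read-only audit of the
# SCHANNEL protocol registry keys; nothing is written.
$base      = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$protocols = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'   # assumed list to check
$sides     = 'Client', 'Server'

function Get-SchannelProtocolState {
    param([string]$Protocol, [string]$Side)

    $path = Join-Path (Join-Path $base $Protocol) $Side
    # "(absent)" means the key or value is missing and the OS default applies,
    # which differs between Windows versions.
    $enabled           = '(absent)'
    $disabledByDefault = '(absent)'
    $keyPresent        = Test-Path -LiteralPath $path

    if ($keyPresent) {
        $key = Get-Item -LiteralPath $path        # Microsoft.Win32.RegistryKey
        $e = $key.GetValue('Enabled')             # $null when the value does not exist
        $d = $key.GetValue('DisabledByDefault')
        if ($null -ne $e) { $enabled = $e }
        if ($null -ne $d) { $disabledByDefault = $d }
    }

    [pscustomobject]@{
        Protocol          = $Protocol
        Side              = $Side
        KeyPresent        = $keyPresent
        Enabled           = $enabled
        DisabledByDefault = $disabledByDefault
    }
}

$report = foreach ($p in $protocols) {
    foreach ($s in $sides) { Get-SchannelProtocolState -Protocol $p -Side $s }
}
$report | Format-Table -AutoSize

# Enabled = 0 switches a protocol off outright; DisabledByDefault = 1 keeps it
# out of the default negotiation unless an application requests it explicitly
# through grbitEnabledProtocols. Warn about legacy SSL that has neither guard.
$legacy = 'SSL 2.0', 'SSL 3.0'
$report |
    Where-Object { $legacy -contains $_.Protocol -and $_.Enabled -ne 0 -and $_.DisabledByDefault -ne 1 } |
    ForEach-Object { Write-Warning "$($_.Protocol) $($_.Side): not explicitly disabled in the registry" }
```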
