Category Archives: IIS

Direct Access Computers Can’t Ping Domain Controller on Internal Network?

Can’t ping the domain controller via FQDN while on the internal network?  Trouble accessing any of the internal domains that are available via Direct Access while on your internal network?

This is a quick blog post to document an error I encountered that took me a while to figure out, as is typical of errors caused by configuration mistakes (yes, self-inflicted).  The Microsoft Unified Access Gateway administration documentation for configuring Direct Access (DA) states two things that are extremely important, but it does not emphasize just how important they are, or the errors you will encounter if they are not followed.

Your Network Location Server (NLS), which must be able to serve HTTPS requests, is used by your DA clients to determine whether they are on the internal network.  This site must not, and cannot, be reachable through DA or by any other means from outside your network, so make sure the HTTPS resource is NOT something you need to access from external networks.  If your clients can reach the NLS, they will not attempt a DA connection; if they cannot reach it, they will attempt a DA connection.  There are a few other key points about this server that also cannot be overlooked.


Enable Web Server Certificate Requests On Windows Server 2008R2 CA Server

So I’ve run into this problem multiple times and ‘hacked’ my way around it in various ways, but there is a better way that doesn’t require certutil.exe or any other console utilities.  This scenario applies under the following conditions:

  • CA (Certificate Authority) Server is running on Windows Server 2008 R2
  • Web Server is running on Windows Server 2008 R2
  • Both servers are members of the same domain
  • You want to use the Certificates snap-in
  • You want to stay away from the console if you can

By default, you cannot generate a web server certificate request directly from your servers and you are presented with this screen based on the default Active Directory Enrollment Policy:

(Screenshot: certificate request denied under the default enrollment policy)

As you can see from the screenshot, most of the certificate templates are unavailable with the exception of the computer certificate template.


Install Certificate Services on Windows Server 2008 R2

This post picks up where the last post left off.  In the last post, we created a Windows Server 2008 R2 Active Directory Domain Controller and stopped short of going on to add Certificate Services into the mix.

If you’re not sure whether you need certificate services for your environment, it never hurts to have it available.  It does not add much overhead, so for development environments and small businesses you can consider adding the role to a DC (domain controller), as we do here.  Certificate Services will allow you to issue certificates to your internal resources, use client/server certificates for authentication, and set up SSL-enabled websites.

I believe best practice is, and I’m sure someone will correct me if I’m wrong, to set up an Enterprise Root CA (Certificate Authority) and then one or more subordinate CAs.  You can then take the Root CA offline and have the subordinates handle all of the traffic without fear of compromising your Root CA.  In this tutorial, we’ll just be installing and configuring a Root CA, but the process is basically the same for the subordinates.

Now that you’ve got some background information, on to the installation and configuration of Windows Server 2008 R2 Certificate Services.

In ‘Server Manager’, select Roles in the left pane, then Add Roles in the right pane.  Place a check mark in the checkbox for Active Directory Certificate Services.  Then click Next.


MOSS: An Unexpected Error Has Occurred

If you’ve worked with MOSS long enough, I’m sure you’ve seen this error.  The reasons that it occurs are numerous, and may even be blamed on poor error handling / reporting by the programmers.

If you’ve come across this error, and turned <customErrors /> off in your MOSS site’s web.config and it still occurs, you may have run into the issue that I did.

This can occur right after MOSS installation or on a farm that has been up and running for some time.  It is something quick that you can check to rule out as the cause, especially if your server is managed through AD or by an admin who is very tight on server security.

My instance of this error was on a completely locked-down Windows Server 2008 installation.  The cause was a single setting applied through an Active Directory (AD) Group Policy Object (GPO): ‘Use FIPS compliant algorithms for encryption, hashing, and signing’.


Building an Active Directory Domain Controller for Development using VMware Workstation – Pt. 2

In my last post, we created a VM (Virtual Machine) using VMware Workstation 6.5.2 running Windows Server 2003 R2.  If you’re getting started here with a VM of your own, or physical hardware, the current status of the VM for this tutorial is a standard Windows Server 2003 R2 installation, with all recommended updates / patches applied.

If this server is running in VMware Workstation, feel free to snapshot the VM at this point so that you have a clean build of Windows Server 2003 that can then be sysprepped and used to deploy multiple other servers.


IIS Can Manage Multiple Web sites on Port 80 with a single IP address

Host Headers are the answer!

YES!  IIS can manage multiple web sites on the same port (typically port 80) without any extra configuration.  This can even be done with MOSS and WSS implementations.

I’ve always considered it to be common knowledge that ‘host headers’ could be used to allow IIS to handle multiple web sites on the same IP and port.  Lately I’m finding out that some very smart people are completely unaware of this fact, so I decided to blog about it.

Configuring it for basic site usage:

– Open IIS (Start > Run > inetmgr). 

– Expand the <server> node, and expand the Web Sites node.


– Right-Click on the web site that you want to edit and choose Properties.

– On the Web Site tab in the Web site identification area, click on Advanced.

– The top area titled ‘Multiple identities for this Web site’ will allow you to add host headers, modify IP address usage within IIS, and modify the non-SSL ports.


The host header value causes IIS to route every request whose Host header matches that value to that specific web site.

You can and should use this to facilitate development and production deployments within IIS.  If host headers are not used, the only other way to serve multiple sites on the same port (80) from a single web server is to assign multiple IP addresses, and there is no reason to do that.  A single IP address can be used to route all of your sites and, to state it once more, this works with MOSS and WSS web applications.

For MOSS deployments, when creating a web application you can assign a host header and MOSS will configure IIS accordingly.  If your web applications are already created and you want to host them on a new port (80) using host headers, you should be able to make the changes directly within IIS.  Make sure you leave the original entries in IIS so that no URLs break, but you should now be able to route through IIS on port 80 to your web application.  Please post any environment-specific questions and I’ll answer as I can.

Hope this helps some people out.

And please note, this does not apply for SSL (HTTPS) sites.  SSL does not support multiple sites on the same port and IP address due to the way encryption and certificates are managed.
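To make the routing step concrete, here is an added illustration (not IIS code and not from the original post) of what IIS does with the identities you configured above: it reads the Host header from each incoming HTTP request and hands the request to the matching site, falling back to the site bound with a blank host header when nothing matches or when an HTTP/1.0 client sends no Host header at all. The site table and request bytes are constructed for the example.

```python
"""Host-header (name-based) routing, the mechanism IIS uses when several
web sites share one IP address and port.  Added illustration; the site
table and requests below are constructed, not taken from a real server."""
from typing import Optional

# Constructed site table: host header (lower-case) -> site name.  In IIS these
# are the entries under 'Multiple identities for this Web site'.
SITES = {
    "www.example.com": "Default Web Site",
    "intranet.example.com": "Intranet",
    "portal.example.com": "MOSS - 80",
}
# The site bound to the IP/port with a blank host header catches everything else.
DEFAULT_SITE = "Default Web Site"


def host_from_request(raw: bytes) -> Optional[str]:
    """Return the normalised Host header value from a raw HTTP request,
    or None when the request carries no Host header (HTTP/1.0 clients)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "host":
            host = value.strip().lower()
            # Drop an explicit port ("www.example.com:80"); IIS matches the
            # host name and the port as separate parts of the identity.
            if host.startswith("["):              # IPv6 literal, e.g. [::1]:80
                return host.split("]")[0] + "]"
            return host.split(":")[0]
    return None


def select_site(raw: bytes, sites=SITES, default=DEFAULT_SITE) -> str:
    """Pick the web site that should serve this request.  An unknown or
    missing Host header lands on the default (blank host header) site."""
    host = host_from_request(raw)
    if host is None:
        return default
    return sites.get(host, default)


def build_request(host: Optional[str], path: str = "/") -> bytes:
    """Construct a minimal GET request; host=None emulates an HTTP/1.0 client."""
    version = "HTTP/1.1" if host else "HTTP/1.0"
    lines = [f"GET {path} {version}"]
    if host:
        lines.append(f"Host: {host}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode()
```

To check a real IIS binding the same way, send a request with an explicit Host header, for example `curl -H "Host: intranet.example.com" http://<server-ip>/`, and confirm the expected site answers. For HTTPS the Host header travels inside the encrypted stream, so the server cannot read it before choosing a certificate, which is the limitation the last paragraph describes.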