
Windows 2008 + IIS with Windows Authentication = ???

February 26, 2010

The other day I was helping a client set up their fax environment and ran into an interesting issue. The server we installed the software on was Windows 2008 R2, and the core software install went fine. They also wanted the web client installed, so I kicked off that install and everything appeared to go in cleanly as well. On Windows 2003, the installer would enable Windows Authentication by default, which let users log in to the web application automatically with their existing Windows accounts.

On Windows 2008 the application does not do this; you have to set it up yourself. In earlier versions of Windows, Windows Authentication came along with IIS automatically. In Windows 2008 (IIS 7) it is a separately installable role service. I had to go into the IIS role and check Windows Authentication, and once that was done it required a restart of the IIS services. I then went into the website instance and enabled Windows Authentication, and the web application worked as expected.

I wonder why this option is no longer installed automatically by Windows. I understand that Microsoft is continually trying to make IIS more secure, but I'm not entirely sure this was a good move. By default a website is set up for anonymous access only, and you have to enable any other authentication method yourself. If anonymous access and another authentication method are both checked, the website breaks for an application like this one: IIS serves each request anonymously and the application never sees a Windows identity. So I just don't understand why Windows Authentication is not part of the default installation.
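The same procedure scripted, as an added example that is not part of the original post. It assumes Windows Server 2008 R2 with IIS 7.5, an elevated PowerShell session, and a site named "Default Web Site" (replace that with the fax web client's site); it installs the role service, flips the two authentication settings in a safe order, and checks that exactly one method is left enabled.

```powershell
# Added example, not from the original post. Assumes Windows Server 2008 R2 / IIS 7.5
# and an elevated PowerShell session; the site name is an assumption.
Import-Module ServerManager
Import-Module WebAdministration

$site = 'Default Web Site'   # assumption: the site the fax web client was installed into
$auth = 'system.webServer/security/authentication'

# 1. Windows Authentication is a separate role service on IIS 7.x; install it if missing.
if (-not (Get-WindowsFeature -Name Web-Windows-Auth).Installed) {
    Add-WindowsFeature -Name Web-Windows-Auth | Out-Null
    iisreset | Out-Null       # worker processes must restart to load the new module
}

# 2. Turn Windows Authentication on before turning Anonymous off, so the site is never
#    left with no enabled method at all (IIS would answer every request with 401).
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $site `
    -Filter "$auth/windowsAuthentication"   -Name enabled -Value $true
Set-WebConfigurationProperty -PSPath 'IIS:\' -Location $site `
    -Filter "$auth/anonymousAuthentication" -Name enabled -Value $false

# 3. Verify. With both enabled, IIS serves requests anonymously and the application
#    never sees a Windows identity; with neither enabled, nobody can log in.
$state = foreach ($method in 'anonymousAuthentication', 'windowsAuthentication') {
    $enabled = (Get-WebConfigurationProperty -PSPath 'IIS:\' -Location $site `
                   -Filter "$auth/$method" -Name enabled).Value
    New-Object PSObject -Property @{ Method = $method; Enabled = [bool]$enabled }
}
$state | Format-Table Method, Enabled -AutoSize
if (@($state | Where-Object { $_.Enabled }).Count -ne 1) {
    Write-Warning "$site should have exactly one authentication method enabled"
}
```

The ordering in step 2 matters on a production box: disabling Anonymous first leaves a window in which every request fails. The final check is the one worth keeping as a scheduled audit, since the "both checked" state described above is easy to reintroduce by hand in IIS Manager.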

Can VirtualBox (Ubuntu host) with Windows XP work with NetScreen VPN software?

June 24, 2009

For the life of me, I could not get my NetScreen VPN software to connect. No matter what I did to the virtual Windows XP, it just would not fly. I kept receiving the following errors:

6-24: 07:18:55.296 My Connections\wvenezia@bitxbit.com – Initiating IKE Phase 1 (IP ADDR=160.79.51.201)
6-24: 07:18:56.108 My Connections\wvenezia@bitxbit.com – SENDING>>>> ISAKMP OAK AG (SA, KE, NON, ID, VID 6x)
6-24: 07:19:11.239 My Connections\wvenezia@bitxbit.com – message not received! Retransmitting!
6-24: 07:19:11.239 My Connections\wvenezia@bitxbit.com – SENDING>>>> ISAKMP OAK AG (Retransmission)
6-24: 07:19:26.261 My Connections\wvenezia@bitxbit.com – message not received! Retransmitting!
6-24: 07:19:26.261 My Connections\wvenezia@bitxbit.com – SENDING>>>> ISAKMP OAK AG (Retransmission)
6-24: 07:19:41.283 My Connections\wvenezia@bitxbit.com – message not received! Retransmitting!
6-24: 07:19:41.283 My Connections\wvenezia@bitxbit.com – SENDING>>>> ISAKMP OAK AG (Retransmission)
6-24: 07:19:56.303 My Connections\wvenezia@bitxbit.com – Exceeded 3 IKE SA negotiation attempts

I had initially thought it was due to VirtualBox blocking the IKE packets from reaching the gateway, but then decided to take VirtualBox out of the picture and troubleshoot this like a normal computer. Once I did this, it only took me 10 minutes to figure out what was wrong. The "message not received" means that the remote host did not get the packet, and the retransmission means that the remote host is not responding. Well, that would indicate that the NetScreen software is sending out the packets fine but the gateway is a no-show. I thought, maybe I used an old Security Policy. I opened up my working laptop and compared it to the VirtualBox PC, and sure enough, the gateway IP addresses were different. Once I changed this, it started working like a charm!

This makes me very happy as I am tired of carting my laptop with me to use my vpn!
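The diagnosis above, turned into a check you can run against the client log, as an added example that is not part of the original post. The log text is a constructed copy of the lines quoted above with the connection name and gateway replaced by placeholders; the "expected gateway" value stands in for the IP read off the working laptop's policy, and the `RECEIVED<<<` pattern for a reply line is an assumption about the client's log format.

```powershell
# Added example, not part of the original post. Sample log constructed from the lines
# quoted above with the user and gateway IP replaced by placeholders.
$sampleLog = @'
6-24: 07:18:55.296 My Connections\user@example.com – Initiating IKE Phase 1 (IP ADDR=203.0.113.20)
6-24: 07:18:56.108 My Connections\user@example.com – SENDING>>>> ISAKMP OAK AG (SA, KE, NON, ID, VID 6x)
6-24: 07:19:11.239 My Connections\user@example.com – message not received! Retransmitting!
6-24: 07:19:11.239 My Connections\user@example.com – SENDING>>>> ISAKMP OAK AG (Retransmission)
6-24: 07:19:26.261 My Connections\user@example.com – message not received! Retransmitting!
6-24: 07:19:26.261 My Connections\user@example.com – SENDING>>>> ISAKMP OAK AG (Retransmission)
6-24: 07:19:41.283 My Connections\user@example.com – message not received! Retransmitting!
6-24: 07:19:41.283 My Connections\user@example.com – SENDING>>>> ISAKMP OAK AG (Retransmission)
6-24: 07:19:56.303 My Connections\user@example.com – Exceeded 3 IKE SA negotiation attempts
'@

function Get-IkePhase1Diagnosis {
    param(
        [string[]]$Lines,
        [string]$ExpectedGateway    # gateway IP taken from a policy that is known to work
    )
    $gateway = $null; $retransmissions = 0; $replies = 0; $gaveUp = $false
    foreach ($line in $Lines) {
        if ($line -match 'Initiating IKE Phase 1 \(IP ADDR=([\d.]+)\)') { $gateway = $Matches[1] }
        elseif ($line -match '\(Retransmission\)')                      { $retransmissions++ }
        elseif ($line -match 'RECEIVED<<<')                              { $replies++ }   # assumed reply-line format
        elseif ($line -match 'Exceeded \d+ IKE SA negotiation attempts') { $gaveUp = $true }
    }

    # Aggressive-mode Phase 1: the first packet out should be answered within seconds.
    # Retransmissions with zero replies mean the peer never spoke, so the question is
    # "did we even talk to the right peer" before anything about proposals or keys.
    $verdict = if ($replies -gt 0) {
        'gateway answered; look at Phase 1 proposal or pre-shared key mismatch instead'
    }
    elseif ($gateway -ne $ExpectedGateway) {
        "no reply, and the policy points at $gateway but the working policy uses $ExpectedGateway: wrong Security Policy"
    }
    elseif ($gaveUp) {
        "no reply from $gateway after $retransmissions retransmissions: UDP/500 path blocked or gateway down"
    }
    else {
        'negotiation still in progress'
    }

    New-Object PSObject -Property @{
        Gateway = $gateway; ExpectedGateway = $ExpectedGateway
        Retransmissions = $retransmissions; RepliesSeen = $replies; GaveUp = $gaveUp; Verdict = $verdict
    }
}

Get-IkePhase1Diagnosis -Lines ($sampleLog -split "`r?`n") -ExpectedGateway '203.0.113.10' |
    Format-List Gateway, ExpectedGateway, Retransmissions, RepliesSeen, GaveUp, Verdict
```

On the sample above the function reports three retransmissions, no replies, and a gateway that does not match the expected one, which is exactly the "old Security Policy" case. Had the gateway matched, the same evidence would point at the UDP/500 path (NAT, a firewall, or the VM's network mode) rather than at the client.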

gtbe12.tmp.exe – Who are you and get out of my computer!

June 23, 2009

Well, it seems that in Google's latest attempt to take over the world, one browser at a time, their toolbar is spawning files with names like gtbe12.tmp.exe. Could you make it look any more like spyware, Google? I mean, come on!

I logged into my work computer this morning and everything was crawling. Since I do not log in to this computer very often (twice a week), this behavior is not very surprising. When that happens, I check which processes are running and where the memory is going.

Today it was Outlook eating the memory, but while looking at Outlook and its need to consume more RAM than the computer has, I noticed this funny process, gtbe12.tmp.exe. I was sure I had picked up a bug until a bit of research showed that it is hooked into Google's toolbar.

Sure enough, I had used IE7 the last time I had the computer open, and Google Toolbar was installed on it. As part of my initial effort to get the computer working again, I closed IE7. While I was researching the issue, the process ended shortly after IE closed. This matches the Internet's account that the process is associated with IE plus Google Toolbar.

The end result? While I vote for spyware (and depending on how you view Google's actions with their toolbar, you can more legitimately say that it is spyware), this process is OK to leave alone. I would definitely keep an eye on it, but it appears to be a temporary executable used to update the toolbar's files. After letting it run (once my computer stabilized from Outlook), it stopped appearing...
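Forum reports are a weak basis for deciding that an unfamiliar process is harmless; a temp-named executable whose parent is the browser is just as consistent with malware as with an updater. The check below is an added example, not part of the original post: it uses WMI (so it works on the XP-era Windows PowerShell 2.0) to pull the process's path, command line, parent and Authenticode signature, and only calls the process legitimate when the signature is valid and the signer matches the publisher you expect. The expected-publisher string is an assumption.

```powershell
# Added example, not from the original post. Windows PowerShell 2.0+ / WMI.
function Get-ProcessPedigree {
    param(
        [string]$Name,
        [string]$ExpectedPublisher = '*Google Inc*'   # assumption: what the signer Subject should contain
    )
    foreach ($p in @(Get-WmiObject Win32_Process -Filter "Name='$Name'")) {
        # Parent lookup is by PID: if the parent already exited, the PID may have been
        # reused, so treat a surprising parent as a reason to look closer, not as proof.
        $parent = Get-WmiObject Win32_Process -Filter "ProcessId=$($p.ParentProcessId)"
        $parentName = '<exited>'
        if ($parent) { $parentName = "$($parent.Name) (pid $($parent.ProcessId))" }

        $status = 'no path'; $signer = 'unsigned'
        if ($p.ExecutablePath -and (Test-Path -LiteralPath $p.ExecutablePath)) {
            $sig = Get-AuthenticodeSignature -FilePath $p.ExecutablePath
            $status = $sig.Status.ToString()        # Valid, NotSigned, HashMismatch, UnknownError ...
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }

        # The name and a Temp location prove nothing either way; the signature does.
        $verdict = 'investigate: name and location alone are consistent with malware too'
        if ($status -eq 'Valid' -and $signer -like $ExpectedPublisher) {
            $verdict = 'valid Authenticode signature from the expected publisher'
        }

        New-Object PSObject -Property @{
            Pid = $p.ProcessId; Path = $p.ExecutablePath; Parent = $parentName
            CommandLine = $p.CommandLine; SignatureStatus = $status; Signer = $signer; Verdict = $verdict
        }
    }
}

Get-ProcessPedigree -Name 'gtbe12.tmp.exe' | Format-List
```

Run it while the process is alive (it vanished shortly after IE closed in the account above). A HashMismatch or NotSigned status on a file claiming to be a vendor updater is the point at which "leave it alone" stops being the right answer.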

winmail.dat + Exchange 2007 = Annoying

May 5, 2009

I found the topic of the day rather fitting. Why? Winmail.dat is just stupidly annoying. First, let's go into what causes it. Winmail.dat appears when Outlook sends a message in Rich Text Format: Outlook packages the formatting and any attachments in TNEF (Transport Neutral Encapsulation Format), which travels as an attachment called winmail.dat. Only Outlook and Exchange understand it, so a recipient on any other mail client gets a winmail.dat attachment instead of the content. Basically, Rich Text is like sending email to an exclusive club, and anyone not in it gets the shaft.

Go Microsoft.

The fix? Well, there are a couple of schools of thought. First, you can change it in the client settings. The down-and-dirty method is to tell every user who triggers the issue to stop using Rich Text formatting. Simple, right?

The issue: I had a user who uses QuickBooks to send out paystubs. Even though her Outlook was set not to use Rich Text, the QuickBooks integration still did. Nothing like trying to see how much you got paid and getting a winmail.dat instead of your paystub. WEEEEEEEEEE

The solution? Make Exchange 2007 never use Rich Text formatting for mail leaving the organization. I know, this seems a little extreme, but sometimes you have to go for the gold. Stupid QuickBooks.

Open Exchange Management Console

Expand Organization Configuration

Hub Transport

On the Remote Domains tab, open the properties of the Default remote domain

Under Exchange rich-text format, select Never use.

Problem solved….
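The same change from the Exchange 2007 Management Shell, as an added example that is not part of the original post. Remote domain settings only apply to mail leaving the organization, so internal Outlook-to-Outlook mail keeps its Rich Text either way; the contact address in the commented alternative is an assumption.

```powershell
# Added example, not from the original post. Run in the Exchange 2007 Management Shell.
# TNEFEnabled: $true = "Always use", $false = "Never use",
#              $null = "Determined by individual user settings" (the default)
Get-RemoteDomain | Format-Table Name, DomainName, TNEFEnabled -AutoSize

# Force "Never use" on every remote domain, including any custom ones that still inherit
# the per-user default (and so still let a QuickBooks-generated message go out as TNEF).
foreach ($rd in Get-RemoteDomain) {
    if ($rd.TNEFEnabled -ne $false) {
        Set-RemoteDomain -Identity $rd.Identity -TNEFEnabled $false
        Write-Host "TNEF disabled for remote domain '$($rd.Name)' ($($rd.DomainName))"
    }
}

# Verify: every row should now read False.
Get-RemoteDomain | Format-Table Name, DomainName, TNEFEnabled -AutoSize

# Narrower alternative for one external recipient that keeps choking on winmail.dat,
# without changing the organization-wide default (contact address is an assumption):
# Set-MailContact -Identity 'payroll.recipient@example.com' -UseMapiRichTextFormat Never
```

The trade-off is that Outlook-only features (voting buttons, some embedded OLE objects) no longer survive the trip to external recipients, which is exactly the behaviour you want for a paystub.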

Palm Desktop 6.2.2 does not function well in Windows XP

March 30, 2009

As bizarre as it sounds, I have seen the problem first hand. I had a user with a Treo 680 who synced with the Palm Desktop. Palm to desktop worked fine, but desktop to Palm failed. It never generated an error message; it just continued to fail. I tried all the normal stuff: deselecting it, reselecting it, forcing a Treo-to-Palm sync, removing all data from the Palm Desktop, and it still showed the same basic behavior. Finally, I decided to roll back to version 4.2 and it worked great.

Apparently, version 6.2.2 does not work well with Windows XP. That sounds a little bizarre, but here is a forum thread with more information on it...

http://forums.palm.com/palm/board/message?board.id=software&thread.id=37617

Ideally, I would like to see people with an Exchange server use ActiveSync and remove the need for Palm Desktop, but not everyone is fortunate enough to be on one!

IPSwitch Gold – How to put a device in maintenance mode

March 26, 2009

Well, I don't know about you, but my company switched to IPSwitch Gold for monitoring a couple of months ago. It seems to work really well, but not everything is "simple" to do if you do not know where the setting is. For about the last two weeks I have been trying to figure out how to put devices in maintenance mode. Now that I know how, it is really easy; the problem was I didn't know and kept looking in the wrong places. If I had this problem, others must as well. Without further ado, here are the directions.

Maintenance

Use this section of the dialog to manually set the device Maintenance state, or schedule the maintenance state for a certain time period. Any device placed in Maintenance mode will not be polled, but it remains in the device list with an identifying icon. By default, the maintenance state is represented by an orange background color.

  • Force this device into maintenance mode now. Select this option to put the selected device in maintenance mode. Clear the option to resume polling the device.
  • Recurring maintenance times. This box displays all scheduled maintenance times for the device.
    • Click Add to schedule a new maintenance time for the device.
    • Select an entry, then click Edit to change a scheduled time.

      - or -

      Double-click a Schedule to edit its configuration.

    • Select an entry, then click Remove to delete a scheduled time.

Awkward social interactions..

March 24, 2009

So, like any other day, I am commuting to work. I get off the train and wait on the subway platform when I see a familiar face. I study the man and determine that he looks remarkably like a big-shot CEO of the company we rent our office space from. I keep my distance, fearing he might not be the person I think he is, and we board the subway in the same car. I sit across from him, and he waves hello but never says a word. I wave back and expect some sort of conversation to occur. The man typically talks to me in the office, as I am his IT contact, and he has been known to flag me across the office just to bullshit every once in a while.

I typically get off at 23rd Street, as my office is at 19th Street. The 28th Street stop comes, and he gets off and mumbles "see ya" to me. I thought this was a bit odd, but perhaps he was going to a meeting or something? Who knows. I continue with my routine, get breakfast, and proceed to the office. The CEO is there, says hello, and asks what took me so long. I said I got breakfast, and you would have known that if you hadn't run off at the exit before mine... :)

I think the age of iPods and other MP3 players has taken away the ability to strike up a conversation with a person you know when you are out of your element. The guy didn't know what to do with himself so much that he left the subway a stop early, and, I might add, it was really cold outside today.

Maybe I just have that effect on people, who knows… :)

How to configure the Windows SMTP Service

March 17, 2009

NOTE: Information has been taken from http://www.ilopia.com/Articles/WindowsServer2003/EmailServer.aspx, a great resource for configuring and setting up POP3/SMTP for windows 2003 server.

* Open Computer Management
* Expand Services and Applications, expand Internet Information Service
* Right click Default SMTP Virtual Server and click Properties
* Click the Access tab
* Click the Authentication button and make sure Anonymous Access and Integrated Windows Authentication are enabled.
* Click the Relay button and make sure Allow all computers which successfully… is enabled and Only the list below is selected.

First of all, Authentication and Relay are not the same thing. The Authentication button specifies which authentication methods users and other SMTP servers may use. Enabling Anonymous here is not a security issue; in fact, it is required if you want the server to receive email from other servers on the Internet (you can hardly tell every mail administrator on the Internet how to log on to yours). Integrated Windows Authentication is needed so that email clients can authenticate to the server and be allowed to relay (send outbound email). Leave Basic authentication off unless you also require TLS for it, because Basic sends the user name and password in cleartext.

For Relay Restrictions we selected Only the list below because we do not want spammers using the server to send email, and we deliberately left the list empty. That is valid: we want our clients to always authenticate with a user name and password in order to relay, no matter where they are.

If you want users to be allowed to relay only from a private network, you can instead uncheck Windows Authentication as an allowed authentication method and specify your network's IP range in the Relay Restrictions window.
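Whichever relay model you pick, the thing to verify is the one spammers will try: can an unauthenticated client from outside the list get the server to accept mail for a foreign domain? The probe below is an added example, not part of the original page or of the ilopia.com article it draws on. It speaks raw SMTP over a TCP socket, handles multi-line replies, and reports whether the RCPT TO for an external recipient was accepted. The server name and both addresses are assumptions, and it must be run from a host that is not in the server's relay list (otherwise a "relay" result is expected and meaningless).

```powershell
# Added example, not from the original page. Probes for open relay with raw SMTP.
function Test-SmtpOpenRelay {
    param(
        [string]$Server,
        [int]$Port = 25,
        [string]$From = 'probe@example.net',   # neither address belongs to a domain the server hosts
        [string]$To   = 'relaytest@example.org'
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $client.Connect($Server, $Port)
    $stream = $client.GetStream()
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.NewLine = "`r`n"
    $writer.AutoFlush = $true

    # An SMTP reply can span lines: "250-..." continues, "250 ..." is the last line.
    $readReply = {
        $lines = @()
        do {
            $line = $reader.ReadLine()
            if ($line -eq $null) { break }
            $lines += $line
        } while ($line.Length -ge 4 -and $line[3] -eq '-')
        ,$lines
    }

    $transcript = @()
    $transcript += (& $readReply | ForEach-Object { "S: $_" })   # banner
    $rcptReply = $null
    foreach ($cmd in "EHLO probe.example.net", "MAIL FROM:<$From>", "RCPT TO:<$To>") {
        $writer.WriteLine($cmd)
        $transcript += "C: $cmd"
        $reply = & $readReply
        $transcript += ($reply | ForEach-Object { "S: $_" })
        if ($cmd -like 'RCPT TO:*') { $rcptReply = $reply[-1] }
    }
    $writer.WriteLine('QUIT')
    $null = & $readReply
    $client.Close()

    New-Object PSObject -Property @{
        Server     = "${Server}:$Port"
        RcptReply  = $rcptReply
        # Any 2xx to a recipient in a domain the server does not host means it will relay.
        OpenRelay  = [bool]($rcptReply -match '^2\d\d')
        Transcript = $transcript
    }
}

$result = Test-SmtpOpenRelay -Server 'mail.example.com'    # assumed host name
$result | Format-List Server, RcptReply, OpenRelay
$result.Transcript
```

With the settings above (Only the list below, empty list, authenticated relay allowed) the RCPT TO line should come back as a 550 "Unable to relay" and OpenRelay should be False. Repeat the probe from a machine inside any IP range you add to the list to confirm that range, and only that range, gets a 250.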

How to Install/Configure Windows 2003 Pop3 Service

March 16, 2009

NOTE: This was edited from http://www.ilopia.com/Articles/WindowsServer2003/EmailServer.aspx and from that site, it has pretty pictures as well!

You can install the Email Server using either Add or Remove Windows Components or Manage Your Server. Manage Your Server is a bit easier because it prompts for the email domain during setup; Add or Remove Windows Components does not, so with it you have to do everything manually.
If it’s not open, start Manage Your Server by clicking Start->Programs->Administrative Tools->Manage Your Server.

* Click on Add or remove a role.

This will start the Configure Your Server Wizard. Read the text and make sure you have connected all the necessary cables and all the other things it says you should do before continuing.

* Click Next

The wizard will now detect your network settings. This will take a while, depending on how many network connections you have.

We now come to the step where we add and remove roles for our server. We will add the Mail Server role. I also suggest that before you click Next,

* Click Mail server (POP3, SMTP)
* Click Next

You will now specify the type of authentication and type the email domain name.

* Click Next

Next step is to confirm the options you have selected.

* Click Next

The installation will start, and will also start the Windows Components Wizard. When you are prompted to insert your Windows Server 2003 CD-ROM, do so. If you were not prompted, the disc may already be in the drive.

* Click Finish

Install the Email Server

* Click Start, then run, and type p3server.msc

This will open up the POP3 Service. This is where you configure and manage the POP3 part of the mail server.

* Click on <ComputerName> in the left pane
* Click on Server Properties in the right pane

This brings up the Properties for our Mail Server.

Authentication Method

There are three different authentication methods you can use: Local Windows Accounts, Active Directory Integrated and Encrypted Password File. It is an important decision, because once you have chosen, you must delete all email domains on the server to change the method (the only migration supported is from Encrypted Password File accounts to AD; nothing else can be migrated).

* Local Windows Accounts
If your server is stand-alone (not a member of an Active Directory domain) and you want the user accounts on the same computer as the POP3 service, this is the best option. With it, the SAM (Security Accounts Manager) holds both the email user accounts and the local Windows accounts, so a user can use the same user name and password for the POP3 service and for Windows on that computer. There is a limitation, though: although you can host multiple domains on the server, user names must be unique across all of them. Say you have two users named Sandra, one at company1.com and one at company2.com. Their email user names will be sandra@company1.com and sandra@company2.com, but in the SAM they would both be sandra, so one of them must be renamed (unless you want them reading each other's email).

If you create the user account when you create the mailbox (through the POP3 interface), the user is added to the POP3 Users group. Members of this group are not allowed to log on locally. Being in the POP3 Users group is not a requirement for having a mailbox, but be careful adding mailboxes to users who are not members of it: the password used for email can, for example, be sniffed (if you are not using SPA), or someone can brute-force the password, and with a mailbox on an ordinary account that gives them a logon to the server.
* Active Directory Integrated
You can select this option if the server is a member of an Active Directory domain or is a domain controller. It integrates the POP3 service with your AD domain, so AD users send and receive email with their domain user name and password (you still have to create their mailboxes first). Unlike Local Windows Accounts, the same user name can exist in different email domains, so sandra@company1.com and sandra@company2.com get separate mailboxes. One thing to know: the pre-Windows 2000 user name must be unique in Active Directory, and it is normally the same as the user name. If you create a mailbox and user whose pre-Windows 2000 name already exists, the service renames the new account's pre-Windows 2000 name; the mailbox name and email address are not affected.
* Encrypted Password File
This is the option you want to select if you don’t use Active Directory or don’t want to create users on the local computer. Like Active Directory Integrated you can have the same user name on different domains, but you cannot assign the same user name to several mailboxes within the same domain.
This method works by creating an encrypted file stored in each user’s mailbox. This file contains the password for the user. When the user wants to check his/her email, the password that the user supplies is encrypted and compared to the one in the file.
It is possible to migrate Encrypted File user accounts to AD user accounts.

Logging Level

There are four options. If you change this, remember that you must restart the POP3 service.

* None
Nothing is logged.
* Low
Only critical events are logged.
* Medium
Both critical and warning events are logged.
* High
Critical, warning and informational events are logged.

Root Mail Directory

If you don't want to use the default mail directory, you can choose another one. Make sure the path is no more than 260 characters, and note that you cannot store to the root of a partition (e.g. C:\). It is strongly recommended that you use an NTFS-formatted partition. You can't use a mapped drive, but a UNC name (\\servername\share) can be used. If you later change the store while there are still emails in one or more mailboxes, you must manually move the folders containing them to the new location. You must also reset the permissions on the directory by using winpop set mailroot.

SPA

Enable SPA (Secure Password Authentication) if you want clients to authenticate securely to your email server. SPA uses NTLM challenge/response, so the password itself is never sent over the wire, instead of the user name and password going across in cleartext as with plain POP3 logon; the mail content itself still travels unencrypted. SPA supports only Local Windows Accounts and Active Directory Integrated authentication. It is recommended that you use it. Remember to restart the POP3 service if you change this.

Create a mailbox

The Setup Wizard created a domain for us, so we do not need to create one manually. If you did not use Manage Your Server to install, add the domain manually by clicking the server name in the left pane and then clicking New domain in the right pane. Remember to set the server properties before you add the domain.

* Click on your domain (ilopia.com in my case) in the left pane.
* Click Add Mailbox in the right pane.

This will open up the Add Mailbox window.

* Write bob in Mailbox Name
* Write bob as password (of course this is not a password you should use in a production environment, it’s too short)
* Click OK

A message will pop-up and tell you how to configure the email clients. Read this, and notice the difference when using SPA or not.

* Click OK

What we just did was not only create a mailbox named bob, but also create a user named bob. We will also create a mailbox for an existing user, ariel. To do that we perform the same steps, but uncheck Create associated user for this mailbox. Remember that the mailbox name must be less than 21 characters (64 for Encrypted Password File and Active Directory). Periods are allowed, but not as the first or last character.

So, we now have two users. Are they equal? No: bob is a member of the POP3 Users group, which is denied the right to log on locally. Ariel is not a member of this group, and can still log on locally as well as access her mailbox.
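The mailbox-creation rules above, wrapped around the winpop.exe command line the page itself mentions, as an added example that is not part of the original page or of the ilopia.com article. The validation function encodes the length and period rules stated above and, for Local Windows Accounts, refuses a name that already exists in the SAM (the two-Sandras problem). The winpop invocations follow the Windows Server 2003 POP3 service syntax as I recall it; confirm them with `winpop /?` on your build before running, and run elevated. The character-set rule, the domain, the mail root path and the password are assumptions.

```powershell
# Added example, not from the original page. Windows Server 2003 POP3 service + winpop.exe.
function Test-Pop3MailboxName {
    param(
        [string]$Name,
        [ValidateSet('Local', 'ActiveDirectory', 'EncryptedFile')][string]$AuthMethod
    )
    # Local Windows Accounts share the SAM name limit (less than 21 chars); the others allow 64.
    $max = 64
    if ($AuthMethod -eq 'Local') { $max = 20 }
    if ($Name.Length -eq 0)    { return 'empty name' }
    if ($Name.Length -gt $max) { return "too long: $($Name.Length) > $max for $AuthMethod" }
    if ($Name -match '^\.|\.$') { return 'must not start or end with a period' }
    # Assumption: reject the characters Windows refuses in account names.
    if ($Name -match '[\s@"/\\\[\]:;|=,+*?<>]') { return 'contains a character not allowed in a user name' }
    if ($AuthMethod -eq 'Local' -and
        (Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True AND Name='$Name'")) {
        return "a local account named $Name already exists; with Local Windows Accounts every email domain shares the SAM"
    }
    'ok'
}

function New-Pop3Mailbox {
    param([string]$Name, [string]$Domain, [string]$Password, [string]$AuthMethod = 'Local')
    $check = Test-Pop3MailboxName -Name $Name -AuthMethod $AuthMethod
    if ($check -ne 'ok') { throw "refusing to create $Name@${Domain}: $check" }
    # /createuser creates the Windows account and puts it in POP3 Users (denied local logon).
    & winpop add "$Name@$Domain" /createuser $Password
}

# Server-wide settings; each needs the POP3 service restarted to take effect.
winpop set mailroot 'D:\Mailroot'   # assumed path; also resets the ACLs on the store
winpop set spa 1                    # require Secure Password Authentication
winpop set logging 2                # critical + warning events
winpop add example.com              # assumed email domain

New-Pop3Mailbox -Name 'bob'   -Domain 'example.com' -Password 'correct-horse-battery-staple'   # assumed password
New-Pop3Mailbox -Name 'sandra' -Domain 'example.com' -Password 'another-long-passphrase'       # fails if 'sandra' is already in the SAM
Restart-Service -Name POP3SVC       # assumed service name of the POP3 service
```

Passing the password on the command line puts it in the process list and in the shell history, so on anything but a lab box prompt for it instead (Read-Host -AsSecureString) and create the account with the POP3 snap-in. The SAM check is the part the GUI does not do for you: the snap-in will happily create the mailbox and silently hand the existing local account its password.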

Unable to push installation from media server of ver 11d Backup Exec Remote Agent for Windows Systems.

March 9, 2009

A co-worker of mine just figured out why a push installation of Veritas backup was not working correctly.  Feel free to read what he did to resolve the issue.

When a media server makes a connection with a remote system, the initial connection will be initiated on port 10000. The Remote Agent will be listening for connections on this pre-defined port.

To get around this problem I performed the following steps:

1. Instead of pushing the Remote Agent for Windows Servers (RAWS), I ran the installation locally on the server I intended to back up. For this example the installation files were at X:\BEWS_11D.7170_32BIT_VERSION\WINNT\INSTALL\RAWS32.

2. Run setup.exe and select the media server this agent will publish its information to. The Backup Exec Remote Agent for Windows Systems service may then fail to start, with the following event in the Application log:

Event Type:Error
Event Source:Backup Exec
Event Category:None
Event ID:58117
Date:3/9/2009
Time:12:21:17 PM
User:N/A
Computer:ALTIGEN4
Description:
The Backup Exec Remote Agent for Windows Servers Service did not start. The application failed to listen on the NDMP TCP/IP port. Check the network configuration.

For more information, click the following link:

http://eventlookup.veritas.com/eventlookup/EventLookup.jhtml

3. The service cannot bind its default port, so you will need to reserve a different port for it to listen on. For this situation I used port 9000.

Note- For Backup Exec 11d and above: These steps only need to be done on the the affected remote server(s). All other remote servers can have the existing/default NDMP Port.

To reserve the port on the remote machine you will need to do the following:

3a- Go to C:\WINDOWS or \WINNT\system32\drivers\etc and modify the “services” file
3b- Go to the bottom of the file and add the following line:

ndmp 9000/tcp #Network Data Management Protocol

3c- Save the change.

4. Start the Backup Exec Remote Agent for Windows Systems service, then launch the Symantec Backup Exec Remote Agent Utility, usually running in the task bar; you can also launch it via Programs -> Symantec Backup Exec For Windows Servers -> Backup Exec Remote Agent Utility.

5. Navigate to the “Publishing” tab and check off “Enable the Remote Agent to publish information to the media servers in the list” click “Add” and enter the name of the media server. You may now see the remote server’s FQDN in the “Published names for this agent” field.

6. On the media server, go to Tools -> Options -> Network and Security, check "Enable remote agent TCP dynamic port range" and enter the range.

Note: for this situation I chose the dynamic port range 9000-10000. That range must also be allowed through any firewall between the media server and the remote agent.

7. Click OK in the Options dialog box, and you should now be able to see the remote system under "Windows Systems" when configuring a new job.
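Step 3 scripted, as an added example that is not part of the original post. The event says the agent could not listen on the NDMP port, which is what a bind failure looks like when another process already owns TCP 10000; so before writing the new port into the services file, the script checks that nothing is listening on it, edits or appends the ndmp line idempotently, restarts the agent and confirms it actually came up on the new port. The agent's service name and the port are assumptions.

```powershell
# Added example, not from the original post. Windows PowerShell, run elevated.
function Get-TcpListenerPid {
    param([int]$Port)
    # netstat -ano lines look like: "  TCP    0.0.0.0:10000    0.0.0.0:0    LISTENING    1234"
    $hit = netstat -ano -p tcp |
        Select-String -Pattern "^\s*TCP\s+\S+:$Port\s+\S+\s+LISTENING\s+(\d+)" |
        Select-Object -First 1
    if ($hit) { return [int]$hit.Matches[0].Groups[1].Value }
    $null
}

function Set-NdmpServicePort {
    param(
        [int]$Port = 9000,
        [string]$ServicesFile = "$env:SystemRoot\System32\drivers\etc\services"
    )
    # Do not reserve a port that is already taken, or the agent just fails on the new one.
    $owner = Get-TcpListenerPid -Port $Port
    if ($owner) {
        $name = (Get-Process -Id $owner -ErrorAction SilentlyContinue).ProcessName
        throw "TCP $Port already has a listener (pid $owner, $name); pick another port"
    }
    $entry = "ndmp             $Port/tcp                          #Network Data Management Protocol"
    $lines = @(Get-Content -LiteralPath $ServicesFile)
    if ($lines -match '^\s*ndmp\s+\d+/tcp') {
        $lines = $lines -replace '^\s*ndmp\s+\d+/tcp.*$', $entry   # existing entry: rewrite it
    } else {
        $lines += $entry                                          # no entry yet: append one
    }
    Set-Content -LiteralPath $ServicesFile -Value $lines -Encoding Ascii   # services is a plain ASCII file
}

# Why the default failed: whoever holds 10000 is the conflict the event log hints at.
$default = Get-TcpListenerPid -Port 10000
if ($default) { "TCP 10000 is held by pid $default ($((Get-Process -Id $default).ProcessName))" }

Set-NdmpServicePort -Port 9000
Restart-Service -Name 'BackupExecAgentAccelerator'   # assumed service name of the Remote Agent
Start-Sleep -Seconds 5
$agentPid = Get-TcpListenerPid -Port 9000
if ($agentPid) {
    "Remote Agent listening on TCP 9000 (pid $agentPid)"
} else {
    Write-Warning 'nothing listening on TCP 9000; check the Application log for event 58117'
}
```

The services-file edit must be done on the remote server, as the note above says; the media server learns the port from the agent's publishing, not from its own services file. If the listener check at the end fails, look for a second ndmp line further up in the file: the resolver takes the first match.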
