Super-Networking Blog

So I have been on the Internet for quite sometime. Back in the early 90s I was a chatter on the Internet. I used a chat room service called mIRC most of the time. I had a 28.8 Kbps modem and dialed up to the Internet. I then chatted hours on end with people across the country and world. It really isn’t a big deal these days but back then it wasn’t nearly that common.

I really got a lot of my geeky roots back then, setting up chat rooms with bots to monitor and enforce it. Running DOS attacks against people you didn’t like, was pretty easy to drop someone’s connection to the IRC service and if you could get it right you could disconnect their modem connection too.

You would meet people in large public chat rooms and I made a lot of long term friends that we would all come online at the same time everyday to talk for hours.

I haven’t used IRC in years, typically now I use one-on-one programs like ICQ or MSN.

I hadn’t even thought about it in years until earlier this year I got contacted by and old friend from IRC. She found me on Myspace, then just in the past couple of days another friend from ages ago contacted me on Facebook. It is crazy that after all these years people are looking up and finding long lost friends using social networking sites.

For those of you who maybe talked to me back in the day this is Superboy signing off.

Anyone else have memories of the Internet back in the early 90s?

So I ran across something kind of interesting the other day. I was setting up Microsoft CRM 4.0. I got the server setup and the website configured but when I went to the website it prompted me for my username and password. I would type it in and the authentication would fail. I tried it in Firefox and it would work using my correct logged in credentials which is what Integrated Windows Authentication is.

So I check out my IIS settings, I have anonymous access disabled and Integrated Windows Authentication is checked. Why would Integrated Windows Authentication work in Firefox but not in IE. I go into Internet Options on my browser and select the advanced tab. There is an option “Enable Integrated Windows Authentication” and I have it enabled. I tried a couple of more times to make sure I wasn’t fat fingering my login and still get 401 authentication errors.

Well I thought just for the heck of it I would try unchecking the “Enable Integrated Windows Authentication” box in IE. I restarted my browser and bang it works, doesn’t prompt for password or anything. So I uncheck use Integrated Authentication and the Integrated Authentication starts working. Now I am really scratching my head.

I start searching through user groups on the Internet and I finally find the answer. In IE 6 and IE 7 the browser will use Integrated Windows Authentication if you have that checkbox enabled or disabled. The difference is the authentication type. With the box checked it with try Kerberos authentication first then fallback on NTLM. If you uncheck the box then it will just use NTLM. Thank you Microsoft for mislabeling that feature. The really annoying thing is if both ends support Kerberos authentication, you have that Integrated Windows Authentication box checked, and Kerberos fails it will not fail back to NTLM. The only way it will fail back to NTLM is if your website doesn’t support Kerberos.

What I ended up finding out was that Kerberos authentication was broken on my CRM server, quick workaround was to uncheck the box in IE. The problem with that is most features in CRM 4.0 don’t work on NTLM. I will post another time on how I fixed Kerberos on that server.

If you really want to configure your IP address from the command prompt instead of the Windows GUI you can do so with the Netsh.exe command.

To see your current network config go to a command prompt and type in the following command “netsh interface ip show config”

If you want to set you IP to 10.10.0.2 with a subnet mask of 255.255.255.0 and a gateway of 10.10.0.1 on your Local Area Connection adapter use the following command: “netsh interface ip set address name=”Local Area Connection” static 10.10.0.2 255.255.255.0 10.10.0.1 1″

Want to setup DNS settings: “netsh interface ip set dns “Local Area Connection” static 10.10.0.200″

These commands should work on Windows Server 2003 and Windows XP, might work on other versions too but haven’t tested.

If you setup a folder to replicate using DFS and you want to lock down the folder rights on it you might have issues. You have to be sure to give the System account on each server write and modify rights for the replication to work.

If you add the system account to the folder you should be able to lock the rights down as far as you want and the replication will still work.

I was getting the following error from Google in their Google Checkout Integration Console:

We encountered an error trying to access your server at

https://www.website.com/ (URL Path Changed)

the error we got  is: javax.net.ssl.SSLHandshakeException:

sun.security.validator.ValidatorException: PKIX path building failed:

sun.security.provider.certpath.SunCertPathBuilderException:

unable to find valid certification path to requested target

Google’s Info on Cart Integration issues is here

About this error is says:

Use a valid SSL certificate so you can receive callbacks. (If you’re only testing in the sandbox, you won’t need an SSL certificate. Feel free to use an HTTP callback URL for testing purposes.)

So you check out your certificate and it is valid, you go to your site over https and everything looks great. I read that sometimes your certificate chain can be broken so I found these instructions:

To view the current certificate chain being returned by your server:

In Firefox:
1. Navigate to your callback URL in your browser.
2. Click the lock icon in the address bar of your browser.
3. Click ‘View’ under the ‘Security’ tab.
4. Click ‘Details.’
5. Locate the current certificate chain under ‘Certificate Hierarchy.’

In Internet Explorer:
1. Navigate to your callback URL in your browser.
2. Double click the lock icon in the lower right hand corner of the status Bar in your browser.
3. Click the ‘Certification Path’ tab in the window that appears.

Additionally, you can view the current certificate chain being returned by your server by using the OpenSSL and the following command:
openssl s_client -connect {website domain}:443 -showcerts

In both Firefox and IE the chain looked fine. But both browsers have a tendency to fix a missing chain so I downloaded and installed openssl and ran that command above. Found the chain was messed up.

I went into the certificate stores on the webservers, went into Intermediate Certification Authorities only to find the CA for our SSL certificate had expired.

We had a VeriSign SSL Cert and here are the instructions on how to fix it:

https://www.verisign.com/support/ssl-certificates-support/page_dev028341.html

After doing an iisreset on all of the servers with the new CA cert everything started working. I hope this keeps some people from running into the same headaches I ran into.

So I thought I would discuss the topic of multiple default gateways on Windows Servers today since my buddy blogged about it.

IT and Development Best Practice

First off you should never have two default gateways on your servers. It doesn’t matter which OS you are running, Windows 98/NT is worse at handling the condition but all of them will have problems. Every windows server has a little routing table in memory. If you have one network card it will know to send anything on its own subnet out that adapter even if you don’t have a gateway. It doesn’t know how to get to anything outside of its own subnet without a default gateway. Now if you have two adapters without default gateways the server will know to send traffic for each subnet depending on which it tied to which network card.

When you add a default gateway to a network card the server will then send anything outside of its local subnet(s) to that gateway you specify. The gateway, being a router or firewall, which then pass the traffic on to the correct location. The problem comes in if you have default gateways on more than one network card. The server then gets confused on where to send its traffic when it is off its local subnets.

The way it is supposed to work is the adapter that is bound first to the OS should be the one used but that isn’t what happens. Instead the OS randomly guesses at which gateway to use and some packets may get through some will not. This is not only for different sessions but in mid session as well.

So what do you do when you have a dual-homed server, you want multiple subnets to go out one adapter and everything else to go out the other? You add the default gateway on the adapter that you want the traffic to go when you might not know the subnet like say Internet traffic. Then add a route statement for the subnets you know and want to go out the other adapter.

Example:

Adapter #1 - 10.1.1.20 Mask 255.255.255.0 Default Gateway 10.1.1.1

Adapter #2 - 192.168.2.20 Mask 255.255.255.0

Go to a command prompt and add the below command

“route add 192.168.0.0 mask 255.255.0.0 192.168.2.1″

This would tell the server that all traffic that is heading for anything on the 192.168.0.0 subnets would be directed to the IP 192.168.2.1. That adapter would not have a default gateway. The other adapter has the default gateway and all other traffic would go out that adapter and to the IP specified. Note that the command above will go away on restart unless you specify -p and it will stay until you do a route delete.

If you want to see all the routes your server is currently using run the command “route print”

One thing to ask yourself before going through this, do I really need a dual-homed server? What security holes am I opening up? Am I bypassing a firewall?

So I am running Solarwinds Orion 8.5 on a Windows 2003 R2 server. I installed Microsoft .NET Framework 2.0 Service Pack 1 (KB110806) on the server and it broke Orion’s website. The website would come up then when I tried to login I would get the following error:

Orion Website Error
An error has occurred with the Orion website.
Additional Information
System.Net.WebException: The remote server returned an error: (400) Bad Request.
at System.Net.HttpWebRequest.GetResponse()
at ClassicSiteProxy.Login(HttpContext context, String
username, String password)
at Login.InitiateLogin()
at Login.OnLoad(EventArgs e)
at System.Web.UI.Control.LoadRecursive()
at System.Web.UI.Page.ProcessRequestMain(Boolean
includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint)

To fix it I did a repair on Orion, then I installed SP3 for Orion 8.5

It is now working again.

I have never had problems with my SD cards in the past. I have had Sony SD cards, SANDisk etc… I have run them for years in my phones, cameras, MP3 players, PDAs. It is one of those things you just take for granted, there isn’t much to them they should just work.

Well for Christmas I got a digital picture frame and needed an SD card to have it read the pictures from. I went to Walmart and bought the cheapest one I could find, I mean come on it is just an SD card right? Well I bought a 1GB Lexar SD card for like $15. Everything worked fine for a while, of late I have been noticing that some of my pictures were turning weird colors, getting lines through them. Not all of them so I knew it wasn’t the frame’s screen or anything, but since rebooting the frame and reinserting the card didn’t help I thought maybe the files were getting corrupt. I came in this morning and there was just a ? on the screen. I put the SD card in my laptop’s SD card reader and it won’t read it anymore.

Can you believe that crap? 1 month and the thing burns out. Junk! I guess I won’t go for the Lexar brand anymore. Anyone else have experiences with SD cards burning out like that?