WMI – Reporting Services Configuration Manager – Event Viewer

Background

When troubleshooting Reporting Services Configuration Manager WMI calls it can be useful to see whether WMI activities are occurring.

 

TroubleShooting

Event Viewer

Enable Log

WMI calls can be logged in the Event Viewer.

But they are not logged by default.

To enable logging please follow the steps listed below:

Obtaining WMI Events Through Event Viewer
Link

  1. Open Event Viewer. On the View menu, click Show Analytic and Debug Logs
  2. Locate the Trace channel log for WMI under Applications and Service Logs | Microsoft | Windows | WMI Activity
  3. Right-click the Trace log and select Log Properties. Click the Enable Logging check box to start the WMI event tracing
  4. WMI events appear in the event window for WMI-Activity. Double-click an event in the list to see the detailed information. You can view an event in XML View or in Friendly View format.

Logged Events

Tabulate

# Event
1 GroupOperationId = 159602; OperationId = 159602; Operation = IWbemServices::Connect; ClientMachine = QADB; User = dadeniji.adeniji; ClientProcessId = 5024; NamespaceName = \\QA\root\Microsoft\SqlServer\ReportServer
2 GroupOperationId = 159603; OperationId = 159604; Operation = Start IWbemServices::CreateInstanceEnum – __NAMESPACE; ClientMachine = QADB; User = daniel.adeniji; ClientProcessId = 5024; NamespaceName = \\.\root\Microsoft\SqlServer\ReportServer
3 GroupOperationId = 159605; OperationId = 159605; Operation = IWbemServices::Connect; ClientMachine = QADB; User = daniel.adeniji; ClientProcessId = 5024; NamespaceName = \\QADB\root\Microsoft\SqlServer\ReportServer\RS_DATACAP\v12\Admin
4 GroupOperationId = 159606; OperationId = 159607; Operation = Start IWbemServices::CreateInstanceEnum – MSReportServer_ConfigurationSetting; ClientMachine = QADB; User = daniel.adeniji; ClientProcessId = 5024; NamespaceName = \\.\root\Microsoft\SqlServer\ReportServer\RS_DATACAP\v12\Admin
5 ProviderInfo for GroupOperationId = 159606; Operation = Provider::CreateInstanceEnum – MSReportServer_ConfigurationSetting; ProviderName = ReportingServicesWMIProvider; ProviderGuid = {0A0B6A3E-DAA2-4ED9-A603-B1C4ED9515FF}; Path = C:\Program Files (x86)\Microsoft SQL Server\120\Shared\reportingserviceswmiprovider.dll

 

Explanation

  1. Event #1 :- IWbemServices Connect
    • NamespaceName :- \\QA\root\Microsoft\SqlServer\ReportServer
  2. Event #2 :- IWbemServices Create Instance Enum ( __NAMESPACE )
    • NamespaceName :- \\.\root\Microsoft\SqlServer\ReportServer
  3. Event #3 :- IWbemServices Connect
    • NamespaceName :- \\QADB\root\Microsoft\SqlServer\ReportServer\RS_DATACAP\v12\Admin
  4. Event #4 :- IWbemServices Create Instance Enum ( MSReportServer_ConfigurationSetting )
    • NamespaceName :- \\.\root\Microsoft\SqlServer\ReportServer\RS_DATACAP\v12\Admin
  5. Event #5 :- COM Object Instantiated
    • COM Object ID :- 0A0B6A3E-DAA2-4ED9-A603-B1C4ED9515FF
    • COM File :- C:\Program Files (x86)\Microsoft SQL Server\120\Shared\reportingserviceswmiprovider.dll
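
The same trace messages can be split into fields and summarised per client process, which also gives a record of which user and process touched which WMI namespace and which provider DLL served the call. The PowerShell below is an added example, not code from the original post; the function names are hypothetical and the sample messages are the five events tabulated above.

```powershell
# Added example (not from the original post). Function names are hypothetical;
# the sample messages are the five events from the "Logged Events" table.

function ConvertFrom-WmiActivityMessage {
    [CmdletBinding()]
    param([Parameter(Mandatory = $true, ValueFromPipeline = $true)][string]$Message)
    process {
        # "ProviderInfo for ..." records name the provider DLL that served a call.
        $fields = [ordered]@{ IsProviderInfo = $Message.StartsWith('ProviderInfo') }
        # A value runs until the next "; Key = " or the end of the message, so a
        # lone "=" or ";" inside a value (a path, WQL text) does not split it.
        $pattern = '(?<key>\w+) = (?<value>.*?)(?=; \w+ = |$)'
        foreach ($m in [regex]::Matches($Message, $pattern)) {
            $fields[$m.Groups['key'].Value] = $m.Groups['value'].Value.Trim()
        }
        [pscustomobject]$fields
    }
}

function Get-WmiActivitySummary {
    param([Parameter(Mandatory = $true)][object[]]$Records)
    $calls     = $Records | Where-Object { -not $_.IsProviderInfo }
    $providers = $Records | Where-Object { $_.IsProviderInfo }
    foreach ($group in ($calls | Group-Object ClientProcessId, User)) {
        $first = $group.Group[0]
        $ids   = @($group.Group | ForEach-Object { $_.GroupOperationId })
        [pscustomobject]@{
            ClientProcessId = $first.ClientProcessId
            User            = $first.User
            Calls           = $group.Count
            # Drop the \\machine\ prefix so \\QADB\root\... and \\.\root\... compare equal.
            Namespaces      = @($group.Group |
                                ForEach-Object { $_.NamespaceName -replace '^\\\\[^\\]+\\', '' } |
                                Sort-Object -Unique)
            # Provider records are tied to a call through GroupOperationId.
            ProviderDlls    = @($providers |
                                Where-Object { $ids -contains $_.GroupOperationId } |
                                ForEach-Object { $_.Path } |
                                Sort-Object -Unique)
        }
    }
}

# Sample input: the events shown in the table above.
$sample = @(
    'GroupOperationId = 159602; OperationId = 159602; Operation = IWbemServices::Connect; ClientMachine = QADB; User = dadeniji.adeniji; ClientProcessId = 5024; NamespaceName = \\QA\root\Microsoft\SqlServer\ReportServer',
    'GroupOperationId = 159603; OperationId = 159604; Operation = Start IWbemServices::CreateInstanceEnum – __NAMESPACE; ClientMachine = QADB; User = daniel.adeniji; ClientProcessId = 5024; NamespaceName = \\.\root\Microsoft\SqlServer\ReportServer',
    'GroupOperationId = 159605; OperationId = 159605; Operation = IWbemServices::Connect; ClientMachine = QADB; User = daniel.adeniji; ClientProcessId = 5024; NamespaceName = \\QADB\root\Microsoft\SqlServer\ReportServer\RS_DATACAP\v12\Admin',
    'GroupOperationId = 159606; OperationId = 159607; Operation = Start IWbemServices::CreateInstanceEnum – MSReportServer_ConfigurationSetting; ClientMachine = QADB; User = daniel.adeniji; ClientProcessId = 5024; NamespaceName = \\.\root\Microsoft\SqlServer\ReportServer\RS_DATACAP\v12\Admin',
    'ProviderInfo for GroupOperationId = 159606; Operation = Provider::CreateInstanceEnum – MSReportServer_ConfigurationSetting; ProviderName = ReportingServicesWMIProvider; ProviderGuid = {0A0B6A3E-DAA2-4ED9-A603-B1C4ED9515FF}; Path = C:\Program Files (x86)\Microsoft SQL Server\120\Shared\reportingserviceswmiprovider.dll'
)

$records = $sample | ConvertFrom-WmiActivityMessage
$records | Select-Object GroupOperationId, Operation, User, NamespaceName | Format-Table -AutoSize
Get-WmiActivitySummary -Records $records | Format-List

# Against the live channel, from an elevated prompt:
#   wevtutil sl Microsoft-Windows-WMI-Activity/Trace /e:true
#   Get-WinEvent -LogName 'Microsoft-Windows-WMI-Activity/Trace' -Oldest |
#       ForEach-Object { $_.Message } | ConvertFrom-WmiActivityMessage
```

Analytic and debug channels such as this Trace log can only be read oldest-first, which is why `-Oldest` is passed to `Get-WinEvent`.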

 

Summary

From logging WMI calls we are able to see the inner workings of the WMI Provider class and the IWbemServices interface.

In the case of SQL Server Reporting Services (SSRS), the provider is a version-specific DLL ( C:\Program Files (x86)\Microsoft SQL Server\120\Shared\reportingserviceswmiprovider.dll ).

IIS – TroubleShooting – High CPU Utilization – SysInternals/Process Explorer – Day 01

Background

In our last post we spoke on how to troubleshoot IIS using Microsoft’s own Debug Diagnostic Tool ( DebugDiag).

That tool works by first getting a dump of a troubled IIS process and then running the tool against that dump.

Using a set of rules the dump is inspected.

Familiar issues are checked for and if they occur they are grouped and cited.

 

SysInternals / Process Explorer

Introduction

In this post we will use a more rudimentary tool and point it at a running IIS process and do the inspection ourselves.

 

Download

If you don’t have a recent version of SysInternal’s Process Explorer, please download it from here.

The current version is 16.12

Install

No need to install, just run it.

Usage

Start Mode

If not started as an “Administrator”, you will miss some functionality.

Mode :- User

Mode :- Administrator

Explanation

  1. Tabs
    • Additional Tabs are shown when running as an Administrator
      • Job
      • .Net Assemblies
      • .Net Performance

Application :- W3wp.exe

Disk and Network

Image

Explanation
  1. Get a feel of IO requirements and throughput
    • Network I/O ( Receives VS Sends )
    • Disk I/O  ( Reads VS Writes )

GPU Graph

Image

Explanation
  1. GPU Graph is empty
    • Not doing anything with Graphics Coprocessor

 

Threads

Image

Explanation

Listed are

  1. Number of threads
  2. Individual Threads
    • Thread ID ( TID )
    • CPU ( Ordered by CPU% usage )
    • Start Address
      • clr.dll!DllRegisterServerInternal+0x1f060

TCP/IP

Image

Explanation
  1. Using ephemeral ports on localhost to communicate with backend DB/SQL Server ( ms-sql-s)

Security

Image

Explanation
  1. User :- IIS APPPOOL\DefaultAppPool
  2. Groups
    1. BUILTIN\IIS_IUSRS
    2. BUILTIN\USERS
    3. CONSOLE LOGON

 

Environment

Image

Explanation

Review:

  1. Processor Identifier
  2. Number of processors
  3. User Domain and Name

 

Job

Image

Explanation

List of Jobs and Processes.

.Net Assemblies

Image

Explanation
  1. Entity Framework
    • EntityFramework
    • EntityFramework.Extended
    • EntityFramework.SQLServer
  2.  Glimpse
    • Glimpse.Ado
    • Glimpse.AspNet
    • Glimpse.Core

.Net Performance

In the .Net Performance Tab, we are able to track different .Net Performance counters.

Inclusive :

  1. .Net CLR Exceptions
    • # of Exceps thrown
      • Number of Exceptions thrown
  2. .Net CLR Threads & Locks
    • Total # of Contentions
    • Current Queue Length
    • Queue Length Peak
  3. .Net CLR Loading
    • Total # of Load Failures

 

Summary

It goes without saying that Sysinternals Process Explorer gives seemingly unending information about the goings-on of a running process.

Careful attention to detail is needed to gather pertinent data.

It is also helpful to work with actual end users to get an idea of what they were likely doing during the timeline of the various captured events.

And, go back to Development and gauge their understanding of how various APIs stress the system.

 

References

  1. Microsoft Technet
    • Chad Schultz – MSFT
      • How to use Sysinternals Process Monitor and Process Explorer to Troubleshoot SharePoint
        Link
  2. Piers ( Cup(Of T )
    • Production Debugging for Hung ASP.Net 2 applications – a crash course
      Link

 

IIS – TroubleShooting – High CPU Utilization – Debug Diagnostic Tools v2.1 – Day 1

Background

We need to do a deep dive into troubleshooting IIS Servers.  As part of our troubleshooting exercises we will cover one of Microsoft’s own tools, Debug Diagnostic Tools.

 

Debug Diagnostic Tools

Version

The tool’s team blog is here.

And, the current version is 2.1 and it is available here.

Details

The version was made available on 2015-Nov-13.

Requirements

Link

We are running MS Windows 2012 R2.

And, the bitness is 64-bit.

 

Install

Image

Welcome

End-User License Agreement

End-User License Agreement – Initial

End-User License Agreement – Completed

Custom Setup

 

Ready to install

Installing….

Completed

Debug File

Before we actually use the debug tool, let us go generate dump files from a working w3wp process.

Identify Process

Code


c:\windows\system32\inetsrv\appcmd list wp

 

Output

Dump file

Task Manager

On the IIS machine, launch Task Manager, access the Processes tab, select the “IIS Worker Process”.

Right click on your selection and choose “Create dump file“.

 

Use Debug Diagnostic Tool

Start Menu

Here is the Start Menu,

We will choose the menu option “Debug Diagnostics Tool 2” \ “Debug Diag2 Analysis”.

 

Data Files

We will click the “Add Data Files” button and navigate to the folder where we kept the dump file that was created earlier.

Here is the screenshot once we have added our dump file.

 

Analysis Rules

From the list of rules, we chose “Default Analysis” “CrashHangAnalysis“.

Start Analysis

Please click the “Start Analysis” button.

Reports

Analysis Report – Dashboard

Here we noted 3 Warnings.

 

Sections

Previous .Net Exceptions Reports ( Exception in all .Net Heaps )

Image

Tabulated

 

  1. System.Exception
    • Count :- 1
    • Message :- <none>
  2. System.OutOfMemoryException
    • Count :- 1
    • Message :- <none>
  3. System.StackOverflowException
    • Count :- 1
    • Message :- <none>
  4. System.ExecutionEngineException
    • Count :- 1
    • Message :- <none>
  5. System.Threading.ThreadAbortException
    • Count :- 2
    • Message :- <none>
  6. System.NullReferenceException
    • Count :- 3
    • Message :- Object reference not set to an instance of an object.
    • Stack Trace :-
      • garage.Models.Articulation.GeneratedPrefixAgreement+<>c__DisplayClass1e.<Generate>b__b(garage.Models.Articulation.Courses.CourseToCourseArticulation)
        System.Linq.EnumerableSorter`2[[System.__Canon, mscorlib],[System.__Canon, mscorlib]].ComputeKeys(System.__Canon[], Int32)
        System.Linq.EnumerableSorter`1[[System.__Canon, mscorlib]].Sort(System.__Canon[], Int32)
        System.Linq.OrderedEnumerable`1+<GetEnumerator>d__1[[System.__Canon, mscorlib]].MoveNext()
        garage.Models.Articulation.GeneratedPrefixAgreement.Generate(CodeFirstMembershipSharp.DataContext)
        LinqKit.Extensions.ForEach[[System.__Canon, mscorlib]](System.Collections.Generic.IEnumerable`1<System.__Canon>, System.Action`1<System.__Canon>)
        garage.Infrastructure.GeneratedAgreementFactory.Generate(garage.Models.Articulation.GeneratedAgreement)
  7. System.Reflection.TargetInvocationException
    • Count :- 3
    • Message :- Exception has been thrown by the target of an invocation.
    • Stack Trace :-
      • System.RuntimeMethodHandle.InvokeMethod(System.Object, System.Object[], System.Signature, Boolean)
        System.Reflection.RuntimeMethodInfo.UnsafeInvokeInternal(System.Object, System.Object[], System.Object[])
        System.Reflection.RuntimeMethodInfo.Invoke(System.Object, System.Reflection.BindingFlags, System.Reflection.Binder, System.Object[], System.Globalization.CultureInfo)
        Hangfire.Server.CoreBackgroundJobPerformer.InvokeMethod(System.Reflection.MethodInfo, System.Object, System.Object[])
  8. Hangfire.Server.JobPerformanceException
    • Count :- 3
    • Message :- An exception occurred during performance of the job.
    • Stack Trace :-
      • Hangfire.Server.CoreBackgroundJobPerformer.InvokeMethod(System.Reflection.MethodInfo, System.Object, System.Object[])
        Hangfire.Server.CoreBackgroundJobPerformer.Perform(Hangfire.Server.PerformContext)
        Hangfire.Server.BackgroundJobPerformer+<>c__DisplayClass8_0.<PerformJobWithFilters>b__0()
        Hangfire.Server.BackgroundJobPerformer.InvokePerformFilter(Hangfire.Server.IServerFilter, Hangfire.Server.PerformingContext, System.Func`1<Hangfire.Server.PerformedContext>)
        Hangfire.Server.BackgroundJobPerformer.PerformJobWithFilters(Hangfire.Server.PerformContext, System.Collections.Generic.IEnumerable`1<Hangfire.Server.IServerFilter>)
        Hangfire.Server.BackgroundJobPerformer.Perform(Hangfire.Server.PerformContext)
        Hangfire.Server.Worker.PerformJob(Hangfire.Server.BackgroundProcessContext, Hangfire.Storage.IStorageConnection, System.String)

 

Thread Report

Image

Explanation
  1. 54 Threads
    • 32% of all threads have this same call stack

 

clr!Thread::intermediateThreadProc ( 54 Threads )

Image

 

Explanation

mscorlib_ni!System.Collections.Generic.Dictionary`2[[System.__Canon, mscorlib],[System.__Canon, mscorlib]].Insert(System.__Canon, System.__Canon, Boolean)+bf 
garage.Models.garageSystem.Menu.AddItemForRoles(CodeFirstMembershipSharp.User, System.String, System.String, Boolean, System.String[], Boolean, System.String)+d5 
garage.Controllers.HomeController.BuildMenu()+6c 
garage.Controllers.BaseController.Initialize(System.Web.Routing.RequestContext)+1956 
System.Web.Mvc.Controller.BeginExecute(System.Web.Routing.RequestContext, System.AsyncCallback, System.Object)+179 
System.Web.Mvc.MvcHandler.b__4(System.AsyncCallback, System.Object, ProcessRequestState)+37 
System.Web.Mvc.Async.AsyncResultWrapper+WrappedAsyncVoid`1[[System.Web.Mvc.MvcHandler+ProcessRequestState, System.Web.Mvc]].CallBeginDelegate(System.AsyncCallback, System.Object)+41 
System.Web.Mvc.Async.AsyncResultWrapper+WrappedAsyncResultBase`1[[System.Web.Mvc.Async.AsyncVoid, System.Web.Mvc]].Begin(System.AsyncCallback, System.Object, Int32)+aa 
System.Web.Mvc.MvcHandler.BeginProcessRequest(System.Web.HttpContextBase, System.AsyncCallback, System.Object)+23b 
System_Web_ni!System.Web.HttpApplication+CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()+132 
System_Web_ni!System.Web.HttpApplication.ExecuteStep(IExecutionStep, Boolean ByRef)+9d 
System_Web_ni!System.Web.HttpApplication+PipelineStepManager.ResumeSteps(System.Exception)+5dc 
System_Web_ni!System.Web.HttpApplication.BeginProcessRequestNotification(System.Web.HttpContext, System.AsyncCallback)+79 
System_Web_ni!System.Web.HttpRuntime.ProcessRequestNotificationPrivate(System.Web.Hosting.IIS7WorkerRequest, System.Web.HttpContext)+e0 
System_Web_ni!System.Web.Hosting.PipelineRuntime.ProcessRequestNotificationHelper(IntPtr, IntPtr, IntPtr, Int32)+407 
System_Web_ni!System.Web.Hosting.PipelineRuntime.ProcessRequestNotification(IntPtr, IntPtr, IntPtr, Int32)+14 
System_Web_ni!DomainNeutralILStubClass.IL_STUB_ReversePInvoke(Int64, Int64, Int64, Int32)+5b 
System_Web_ni!DomainNeutralILStubClass.IL_STUB_PInvoke(IntPtr, System.Web.RequestNotificationStatus ByRef)+7e 
[[InlinedCallFrame] (System.Web.Hosting.UnsafeIISMethods.MgdIndicateCompletion)] System.Web.Hosting.UnsafeIISMethods.MgdIndicateCompletion(IntPtr, System.Web.RequestNotificationStatusByRef) 
System_Web_ni!System.Web.Hosting.PipelineRuntime.ProcessRequestNotificationHelper(IntPtr, IntPtr, IntPtr, Int32)+5e6 
System_Web_ni!System.Web.Hosting.PipelineRuntime.ProcessRequestNotification(IntPtr, IntPtr, IntPtr, Int32)+14 
System_Web_ni!DomainNeutralILStubClass.IL_STUB_ReversePInvoke(Int64, Int64, Int64, Int32)+5b 
[[ContextTransitionFrame]] 


 

clr!Thread::intermediateThreadProc ( 16 Threads – 9% of all threads )

Image

Explanation
  1. 16 Threads
    • Thread is waiting in a waitOne

 

clr!Thread::intermediateThreadProc ( 8 Threads – 4% of all threads )

Image

Textual

Entry point   clr!Thread::intermediateThreadProc 
Create time   8/2/2017 3:30:18 PM 
Time spent in user mode   0 Days 00:00:00.093 
Time spent in kernel mode   0 Days 00:00:00.031 

This thread is waiting for .net garbage collection to finish.
The current set of scripts were not able to determine which thread induced GC.
The garbage collector thread wont start doing its work till the time the threads which have pre-emptive GC disabled have finished executing. 
The following threads have pre-emptive GC disabled 28,51,52,53,54,55,56,57,66,67,69,70,71,72,73,74,75,76,77,78,79,80,81,82,83,84,85,86,87,88,89,90,91,92,93,94,95,96,97,98,99,100,101,102,103,104,105,106,107,108,109,110,111,112,113,114,115,116,117,118,119,120,121,122,123,124,125,127,128,129,130,131,132,133,134,135,136,137,138,139,140,141,142,143,144,145,146,147,148,149,150,151,152,153,155,156,157,158,159,160,161,162,163,165,166,167,

Call Stack

ntdll!NtWaitForSingleObject+a 
KERNELBASE!WaitForSingleObjectEx+94 
clr!SVR::gc_heap::wait_for_gc_done+134 
clr!SVR::gc_heap::wait_for_gc_done+cb 
clr!CLREventBase::WaitEx+7c 
clr!SVR::gc_heap::bgc_thread_function+a7 
clr!Thread::intermediateThreadProc+86 
kernel32!BaseThreadInitThunk+22 
ntdll!RtlUserThreadStart+34 


Explanation

This is a very important group:

  1. This thread is waiting for .net garbage collection to finish.
  2. The garbage collector thread wont start doing its work till the time the threads which have pre-emptive GC disabled have finished executing.
  3. The following threads have pre-emptive GC disabled…..

 

Summary

Here is a quick compilation of what the tool is informing us of:

  1. We have exceptions that are not gracefully handled
    • System.NullReferenceException
      • Entity Framework calls
        • Uncompleted DB Calls that likely timed out
        • .Net code should review return code before trying to access returned dataset
    • System.Reflection.TargetInvocationException
    • Hangfire.Server.JobPerformanceException
      • Hangfire background process when accessing persistent backend
  2. Seeming contention issue accessing Dictionary Collection?
    • Stack Trace :-
      • mscorlib_ni!System.Collections.Generic.Dictionary`2[[System.__Canon, mscorlib],[System.__Canon, mscorlib]].Insert(System.__Canon, System.__Canon, Boolean)+bf
        garage.Models.garageSystem.Menu.AddItemForRoles(CodeFirstMembershipSharp.User, System.String, System.String, Boolean, System.String[], Boolean, System.String)+d5
        garage.Controllers.HomeController.BuildMenu()+6c
  3. Garbage Collection Issues
    • Stack Trace :-
      • This thread is waiting for .net garbage collection to finish. The current set of scripts were not able to determine which thread induced GC.  The garbage collector thread wont start doing its work till the time the threads which have pre-emptive GC disabled have finished executing. The following threads have pre-emptive GC disabled

 

References

  1. Developer Network
    • Mourad Lagdas
      • How to Use the Debug Diagnostic Tool v1.1 (DebugDiag) to Debug User Mode Processes
        Link
  2. Microsoft Developer
    • Michael Friis ( friis[at]microsoft.com )
      • Which w3wp.exe PID corresponds to which application pool ?
        Link
  3. Hangfire
    • Documentation \ Background processing \ Dealing with exceptions
      Link
  4. WhiteSites.com
    • Debugging Faulting Application w3wp.exe Crashes
      Link

DataStore.edb

Background

An alarm was raised by our monitoring software.

An alarm is raised whenever a drive's free space falls below 10%.

We combed the drive using SpaceSniffer and found that the DataStore.edb file in C:\Windows\SoftwareDistribution\DataStore was larger than usual.

 

Image

Here it is clocking in at 1.3 GB

 

TroubleShooting

SysInternals

Process Monitor

Overview

Let us see if we can use Sysinternals Process Monitor to determine which processes are accessing the DataStore.edb file.

Filter

Clause
  1. Path
    • Begins with C:\Windows\SoftwareDistribution\DataStore
Image

 

Capture

Image
 
Event Properties
Event Properties – Create File – Event

Event Properties – Create File – Event – Property
  1. Desired Access :- Read Attributes, Synchronize
  2. ShareMode :- Read, Write
Event Properties – Create File – Event

Image

Details

  1. Path :- C:\Windows\System32\svchost.exe
  2. Command Line :- C:\Windows\System32\svchost.exe -k netsvcs
  3. User :- NT AUTHORITY\SYSTEM

 

Services

Knowing that svchost.exe is a host for many services, which one is netsvcs?

Services Applet

Image

Explanation

We see it is the “Windows Update” service.

 

Process Explorer

Overview

Which program has datastore.edb open?

Process Explorer Search

Menu Find

Using the menu item “Find Handle or DLL…”, we searched for datastore.edb

Handle or DLL substring

 

Process Explorer Results

Here is the result from searching for DataStore.edb

Which process is using the marked PID

Our marked PID is 1012

Within Process Explorer, we ordered the list by Process ID ( PID ) and looked for our identified process ID, 1012.

Which process is using the marked PID

We right-clicked on that process and from the drop-down menu chose the Properties item.

Here are the services that are running within the identified process.

 

Summary

Though DataStore.edb is principally used by the Windows Update Service, because svchost.exe is a shared process, it is going to take more than stopping Windows Update Service to prune / clean out the DataStore.edb file.

Let’s Encrypt – Zero SSL Online Wizard

 

Background

In this exercise we will use ZeroSSL Online Wizard to process a new Let’s Encrypt SSL Certificate.

Glossary

  1. Certificate Signing Request
    • Other Name :- CSR
    • Definition :- In Public Key Infrastructure (PKI) systems, a Certificate Signing Request (also CSR or certification request) is a message sent from an applicant to a Certificate Authority in order to apply for a digital identity certificate. It usually contains the public key for which the certificate should be issued, identifying information (such as a domain name) and integrity protection (e.g., a digital signature).
    • Link
  2. Domain Validated Certificate
    • Definition :- A domain-validated certificate (DV) is an X.509 digital certificate typically used for Transport Layer Security (TLS) where the identity of the applicant has been validated by proving some control over a DNS domain.
      The sole criterion for a domain-validated certificate is proof of control over a domain. Typically control over a domain is determined using one of the following:
      a) Response to email sent to the email contact in the domain’s whois details
      b) Response to email sent to a well-known administrative contact in the domain, e.g. (admin@, postmaster@, etc.)
      c) Publishing a DNS TXT record
      d) Publishing a nonce provided by an automated certificate issuing system
    • Link
  3. Intermediate Certificate
    • Definition :- Intermediate certificates are used as a stand-in for our root certificate. We use intermediate certificates as a proxy because we must keep our root certificate behind numerous layers of security, ensuring its keys are absolutely inaccessible.
      However, because the root certificate itself signed the intermediate certificate, the intermediate certificate can be used to sign the SSLs our customers install and maintain the “Chain of Trust.”
      Installing Intermediate Certificates
      After your SSL certificate is issued, you will receive an email with a link to download your signed certificate and our intermediate certificates.
      How you install the certificates depends on the server software you use. In most cases, you can download and install an intermediate certificate bundle. However, for some server types you must download and install the two intermediate certificates individually. Please refer to the Install SSL certificates for the specific process you should follow.
    • Link

Let’s Encrypt – Client Option

From the list of Client Options for Let’s Encrypt, we have ZeroSSL.

ZeroSSL Windows

ZeroSSL has two options for utilizing ZeroSSL on Windows.

One option is through scripting and the other is through a browser-based wizard.

Because of reasons that we will have to cover in another post, our only option based on our targeted OS,  MS Windows 2003, is the Wizard option.

Processing

Outline

  1. Using IIS Manager, Request Certificate
  2. Using IIS Manager, Configure virtual folder
    • .well-known\acme-challenge
      • Mime Type ( extension-less files )
  3. Access ZeroSSL’s Website
    • Access Wizard
    • Submit Request
      • Paste generated CSR onto right side of request
      • Receive Domain Certificate
      • Press OK
    • Verification Process
      • Select Verification process ( HTTP or DNS )
      • Process Verification
    • Receive Certificates
      • Machine Certificate
      • Certificate Authority Certificate
  4. Using IIS, Accept Certificate
  5. Using IIS, Review Accepted Certificate

Request Certificate

Hopefully, you have already installed IIS on your targeted machine.

Steps

  1. Launch IIS Manager
  2. Access Website
  3. Access the “Directory Security” tab
    • Click the “Server Certificate” button
  4. The Wizard starts
    • The “Welcome to the Web Server Certificate Wizard” window appears
      • Click the Next button
    • The “IIS Certificate Wizard – Server Certificate” window appears
      • Choose the “Create a new certificate” option button
    • The “IIS Certificate Wizard – Delayed Or Immediate Request” window appears
    • The “IIS Certificate Wizard – Name and Security Settings” window appears
      • Change Certificate Name from “Default” to a friendly, pertinent name that will make it easy to associate and identify later
      • Change Bit Length from 1024 to 4096
    • IIS Certificate Wizard – Organization Information
      • Entered “Organization” Information
      • Entered “Organization Unit” Information
    • IIS Certificate Wizard – Geographical Information
      • Choose Country
      • Entered State
      • Entered City
    • IIS Certificate Wizard – Certificate Request File Name
      • Enter a filename to save the “Certificate Request” file under
    • IIS Certificate Wizard – Request File Summary
      • Review Request Summary

Image

Window – Default Web Site Properties // Tab – Directory Security

Welcome to the Web Server Certificate Wizard

IIS Certificate Wizard – Server Certificate

IIS Certificate Wizard – Delayed Or Immediate Request

IIS Certificate Wizard – Name and Security Settings

IIS Certificate Wizard – Name and Security Settings – Initial

IIS Certificate Wizard – Name and Security Settings – After

IIS Certificate Wizard – Organization Information

IIS Certificate Wizard – Geographical Information

IIS Certificate Wizard – Certificate Request File Name

IIS Certificate Wizard – Request File Summary

IIS Certificate Wizard – Completing the Web Server Certificate Wizard

Configure .well-known\acme-challenge

Steps

  1. Using Windows Explorer or Command Shell, create new folder under the root folder
    • Example
      • c:\inetpub\wwwroot\.well-known\acme-challenge
  2. Register new mime-type for extension-less files
  3. Validate extension-less files are handled
    • Temporarily enable directory browsing
    • Create extension-less files under .well-known\acme-challenge
    • Using web browser access folder and access extension-less files

Images

acme-challenge Properties

acme-challenge Properties – Mime Types – Adding Extension-less file

acme-challenge Properties – Mime Types

Validate Extension less file are handled

Access ZeroSSL Website

https://zerossl.com/free-ssl/#crt

Details

Outline

On the Details Tab

  • Enter fields
    • Email (optional)
      • Email to correspond and inform of pending expiration
    • Paste your Let’s Encrypt key
      • If you already have a Let’s Encrypt Key, please paste it
    • Domains ( Only if you have no CSR)
    • Paste your CSR or leave it blank to generate
      • We have a CSR we generated using IIS Manager
    • Verification
      • Verification Choices
        • HTTP Verification
        • DNS Verification
      • We chose HTTP
    • Accept ZeroSSL TOS
    • Accept Let’s Encrypt SA (PDF)
  • We pasted the generated CSR
  • And, clicked on the Next button
  • Account Key
    • The system stays busy for a while, as the Account Key is generated
    • Once generated, the Account Key is placed in the Account Key text box
  • Click the next button

Image

ZeroSSL : Free SSL – Home Page

ZeroSSL : Free SSL – Free SSL Certificate Wizard

Details

ZeroSSL : Free SSL – Free SSL Certificate Wizard – Details

ZeroSSL : Free SSL – Free SSL Certificate Wizard – Details  – CSR Pasted

CSR Pasted

Here we paste the “Certificate Request” ( CSR ) we generated earlier.

ZeroSSL : Free SSL – Free SSL Certificate Wizard – Generate Account Key

ZeroSSL : Free SSL – Free SSL Certificate Wizard – Account Key Generated

Verification

Verification  – Guidance

On the Verification Tab, for each Domain that we submitted on the Details tab, we are given guidance per:

  • Domain Name
  • Filename
  • File Content

Screen Shot

Verification – Initial

Verification  – Implementation

Following the guidance given on the Verification Tab, we implement it as follows:

  • Access WebSite root folder
    • Usually C:\inetpub\wwwroot
  • Create sub-folder .well-known \ acme-challenge
  • For each domain
    • Create file
    • Add file contents
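
The folder setup and the HTTP verification steps above can be scripted and checked before the wizard's verification link is clicked. The PowerShell below is an added example, not part of the original post; it assumes PowerShell is available on the machine where it runs, the function names are hypothetical, and the domain, file name and file content are constructed placeholders.

```powershell
# Added example, not part of the original post. Function names are hypothetical;
# the domain, file name and content at the bottom are constructed placeholders.

function Publish-AcmeChallenge {
    param(
        [string]$WebRoot,      # website root folder, e.g. C:\inetpub\wwwroot
        [string]$FileName,     # "Filename" shown on the Verification tab
        [string]$FileContent   # "File Content" shown on the Verification tab
    )
    # ACME tokens use only base64url characters; reject anything that could
    # carry a path separator or a file extension.
    if ($FileName -notmatch '^[A-Za-z0-9_-]+$') {
        throw "Unexpected challenge file name: $FileName"
    }
    $dir = Join-Path (Join-Path $WebRoot '.well-known') 'acme-challenge'
    if (-not (Test-Path $dir)) {
        New-Item -ItemType Directory -Path $dir | Out-Null
    }
    $path = Join-Path $dir $FileName
    # WriteAllText writes exactly these bytes: no BOM, no trailing newline,
    # and no .txt extension of the kind a text editor may append.
    [System.IO.File]::WriteAllText($path, $FileContent, [System.Text.Encoding]::ASCII)
    return $path
}

function Test-AcmeChallenge {
    param([string]$Domain, [string]$FileName, [string]$FileContent)
    $url    = "http://$Domain/.well-known/acme-challenge/$FileName"
    $client = New-Object System.Net.WebClient
    $result = New-Object PSObject -Property @{
        Url = $url; Served = $false; ExactMatch = $false; ContentType = $null; Error = $null
    }
    try {
        $body               = $client.DownloadString($url)
        $result.Served      = $true
        $result.ContentType = $client.ResponseHeaders['Content-Type']
        # Case-sensitive, character-for-character comparison so that anything
        # an editor or the web server added to the body shows up here.
        $result.ExactMatch  = ($body -ceq $FileContent)
    } catch {
        # A 404 at this point is what a missing MIME type registration for
        # extension-less files looks like from the outside.
        $result.Error = $_.Exception.Message
    } finally {
        $client.Dispose()
    }
    return $result
}

# Constructed placeholder values; use the ones the wizard displays.
$name    = 'EXAMPLE_TOKEN_abc123'
$content = 'EXAMPLE_TOKEN_abc123.EXAMPLE_ACCOUNT_THUMBPRINT'

Publish-AcmeChallenge -WebRoot 'C:\inetpub\wwwroot' -FileName $name -FileContent $content
Test-AcmeChallenge -Domain 'www.example.com' -FileName $name -FileContent $content
```

`Test-AcmeChallenge` fetches the file by URL, so it works with directory browsing switched off and can be run from any machine that reaches the site over HTTP.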

Verification – Created File

Verification – File Contents

Verification – Link Clicked

Certificate

Outline

On the Certificate Tab

  • Information
    • Certificates good for 90 days
    • Keep the following keys for when you renew
      • Let’s Encrypt Key
        • Certificate Authority Key
      • CSR
        • Host specific
  • Download
    • Two certificates are made available as text
      • Host Assigned Cert
      • Issuer Cert
    • Depending on your targeted purpose, you have choices
      • IIS
        • For IIS, you can download the entire block inclusive of begin and end marker and save as one file

ScreenShot

Your Certificate is Ready

Certificate Text

Receive Certificate

In this section, we use IIS Manager to receive the Certificate.

Steps

  1. Launch IIS Manager
  2. Access Website
  3. Access the “Directory Security” tab
    • Click the “Server Certificate” button
  4. The Wizard starts
    • The “Welcome to the Web Server Certificate Wizard” window appears
      • Click the Next button
    • The “IIS Certificate Wizard – Pending Certificate” window appears
      • Choose the “Process Pending Request and install the certificate” option button
    • The “IIS Certificate Wizard – Process a pending Request” window appears
      • A lone text box asking for the certificate filename
        • The filename being asked for is the one generated by our Certificate Authority ( CA )
            • Enter or paste the file name
            • Or click on the browse button to navigate the File System and select the file
    • The “IIS Certificate Wizard – Process a Pending Request – SSL Port” window appears
      • Accept or Change the SSL/HTTPS Port Number
    • The “IIS Certificate Wizard – Process a Pending Request – Certificate Summary” window appears
        • Review the Certificate Summary
          • Issued to :-
            • Internet :- FQDN
            • Intranet :- Computer Name
          • Issued By :-
            • Let’s Encrypt Authority X3
          • Expiration Date :-
            • For “Let’s Encrypt Authority X3”, 3 months from Issue Date
          • Intended Purpose :-
            • Server Authentication
            • Client Authentication
          • Friendly Name
            • Friendly Name
      • The “IIS Certificate Wizard – Process a Pending Request – Completing the Web Server Certificate Wizard” window appears

Image

Window – Default Web Site Properties // Tab – Directory Security

Welcome to the Web Server Certificate Wizard

IIS Certificate Wizard – Pending Certificate Request

IIS Certificate Wizard – Process a Pending Request

IIS Certificate Wizard – Process a Pending Request – Browse

IIS Certificate Wizard – Process a Pending Request – File Selected

IIS Certificate Wizard – Process a Pending Request – SSL Port

IIS Certificate Wizard – Process a Pending Request – Certificate Summary

IIS Certificate Wizard – Process a Pending Request – Completing the Web Server Certificate Wizard

IIS Certificate Wizard – Process a Pending Request – Completed Web Server Certificate Wizard

Review Certificate

In this section, we use IIS Manager to review the Certificate.

Steps

  1. Launch IIS Manager
  2. Access Web Site
  3. Access the “Directory Security” tab
    • Click the “View Certificate” button
  4. The “Certificate” window appears
    • Window – Certificate // Tab –  General
      • Issued To
      • Issued By
        • Let’s Encrypt Authority X3
      • Valid from
        • Valid from Begin to End Date
        • In our case 7/20/2017 thru 10/18/2017
    • Window – Certificate // Tab –  Details
      • Issuer
          • Let’s Encrypt Authority X3
      • Valid from
      • Valid To
      • Subject
        • Common Name
      • Public Key
        • Length
        • Integration Guide
          Link

          • Let’s Encrypt accepts RSA keys from 2048 to 4096 bits in length
        • In our case 4096
    • Window – Certificate // Tab –  Certification Path
      • Certificate Path
        • Issuer
        • Issued To
      • Certificate Status :-
        • This certificate is OK

Certificate – View – General

certView_General_20170720_1143PM (Brushedup)

Certificate – View – Details

certView_Details_20170720_1154PM - (BrushedUp)

Certificate – View – Certificate Path

certView_CertificatePath_20170720_1154PM (BrushedUp)
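The same review can be scripted. The following is an added example, not part of the original post: it checks the issuer, validity window, RSA key length and certification path of a certificate in the machine store. The function name, parameter names and the 30-day warning threshold are assumptions, and web.labDomain.org is the sample host name used elsewhere on this page.

```powershell
# Added example, not from the original post; function and parameter names are hypothetical.
function Test-SiteCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string]$ExpectedIssuer = "*Let's Encrypt*",  # issuer shown on the General tab above
        [int]$MinRsaBits = 2048,                       # lower bound quoted from the Integration Guide
        [int]$WarnDays = 30                            # assumed renewal threshold
    )
    $now = Get-Date
    $findings = @()
    if ($Certificate.Issuer -notlike $ExpectedIssuer) { $findings += "Unexpected issuer: $($Certificate.Issuer)" }
    if ($now -lt $Certificate.NotBefore) { $findings += 'Not yet valid' }
    if ($now -gt $Certificate.NotAfter)  { $findings += 'Expired' }
    $daysLeft = [int][math]::Floor(($Certificate.NotAfter - $now).TotalDays)
    if ($daysLeft -ge 0 -and $daysLeft -lt $WarnDays) { $findings += "Expires in $daysLeft days" }

    # Key length is read from the RSA public key; other key types are reported, not measured.
    $bits = $null
    if ($Certificate.PublicKey.Oid.FriendlyName -eq 'RSA') {
        $bits = $Certificate.PublicKey.Key.KeySize
        if ($bits -lt $MinRsaBits) { $findings += "RSA key too short: $bits bits" }
    } else {
        $findings += "Non-RSA public key: $($Certificate.PublicKey.Oid.FriendlyName)"
    }

    # Build the chain against the local trust store (counterpart of the Certification Path tab).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # trust path only; use 'Online' to add revocation
    if (-not $chain.Build($Certificate)) {
        $findings += @($chain.ChainStatus | ForEach-Object { "Chain: $($_.Status)" })
    }
    $path = ($chain.ChainElements | ForEach-Object { $_.Certificate.GetNameInfo('SimpleName', $false) }) -join ' <- '

    [pscustomobject]@{
        Subject  = $Certificate.Subject
        Issuer   = $Certificate.Issuer
        NotAfter = $Certificate.NotAfter
        RsaBits  = $bits
        Path     = $path
        Findings = $findings
    }
}

# IIS server certificates live in the LocalMachine\My store; the host name is the page's sample.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like '*CN=web.labDomain.org*' } |
    ForEach-Object { Test-SiteCertificate -Certificate $_ }
```

An empty Findings list corresponds to the "This certificate is OK" state in the GUI review, minus revocation checking.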

References

  1. GoDaddy
    • IIS 8/Windows Server 2012: Generate CSRs (Certificate Signing Requests)
      Link
  2. Certificate Requests
    • Specifications
      • Bit Length
        • Integration Guide
          Link
        • Is it possible?
          Link

Webprofusion Ltd – Certify The Web – Day 1

Background

Security has been in the news a lot lately.

In this post, we will talk about using SSL, specifically obtaining SSL certificates from LetsEncrypt.Org via “WebProfusion Ltd – Certify the Web”.

LetsEncrypt.Org

Client Options

Here are the Client Options available for Windows

Link

WebProfusion Ltd – Certify GUI –
(.Net, WinForms )

In this post, we will go with WebProfusion Ltd – Certify the Web.

 

Requirement

Outline

  1. Network
    • DNS
  2. Website Availability
    • Website Availability Test
  3.  Software
    • Microsoft .Net v4.5
  4. Microsoft IIS
    • Bindings

Network

DNS

DNS Requirement

From a networking standpoint, the LetsEncrypt validation servers have to be able to connect to the originating computer.

That rules out the following:

  1. Servers that are not reachable over the Internet
    • Servers that only have local IP Addresses

 

DNS Server Names

Here are a couple of popular DNS Servers:

Vendor Link DNS-1 DNS-2
Verisign  Link  64.6.64.6  64.6.65.6
Google  Link  8.8.8.8  8.8.4.4
OpenDNS  Link  208.67.222.222  208.67.220.220

 

DNS Validation
nslookup

On MS Windows, we can use nslookup to validate.

Syntax

Here is the syntax


nslookup [FQDN] [dns-server]

Sample – DNS – Google ( 8.8.4.4 & 8.8.8.8 )
Code

nslookup web.labDomain.org 8.8.8.8 

Output

Sample – Verisign ( 64.6.64.6 & 64.6.65.6 )
Code

nslookup web.labDomain.org 64.6.64.6 

Output
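The nslookup checks above can be run against every resolver in the table in one pass. This is an added example, not part of the original post: it resolves the host name through each listed public DNS server and flags answers that are private or otherwise non-routable, which is the case the DNS requirement rules out. The function names are hypothetical, and Resolve-DnsName is only available on Windows 8 / Server 2012 and later.

```powershell
# Added example, not from the original post; function names are hypothetical.
# Resolver addresses are the ones listed in the table above.
$PublicResolvers = @{
    Verisign = '64.6.64.6', '64.6.65.6'
    Google   = '8.8.8.8', '8.8.4.4'
    OpenDNS  = '208.67.222.222', '208.67.220.220'
}

function Test-NonRoutableIPv4 {
    param([Parameter(Mandatory)][string]$Address)
    $b = ([System.Net.IPAddress]::Parse($Address)).GetAddressBytes()
    if ($b.Length -ne 4) { return $false }   # IPv6 is not classified here
    return ($b[0] -eq 10) -or
           ($b[0] -eq 127) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168) -or
           ($b[0] -eq 169 -and $b[1] -eq 254)
}

function Test-PublicResolution {
    param([Parameter(Mandatory)][string]$Fqdn)
    foreach ($vendor in $PublicResolvers.Keys) {
        foreach ($server in $PublicResolvers[$vendor]) {
            try {
                # -DnsOnly skips LLMNR/NetBIOS so only the named server's answer counts.
                $answers = Resolve-DnsName -Name $Fqdn -Server $server -Type A -DnsOnly -ErrorAction Stop |
                    Where-Object { $_.Type -eq 'A' }
                $ips = @($answers | ForEach-Object { $_.IPAddress })
                if ($ips.Count -eq 0) { $status = 'NoARecord' }
                elseif ($ips | Where-Object { Test-NonRoutableIPv4 $_ }) { $status = 'NonRoutable' }
                else { $status = 'OK' }
            } catch {
                $ips = @()
                $status = "Failed: $($_.Exception.Message)"
            }
            [pscustomobject]@{
                Vendor    = $vendor
                Server    = $server
                Status    = $status
                Addresses = $ips -join ', '
            }
        }
    }
}

# web.labDomain.org is the sample host name used in the nslookup commands above.
Test-PublicResolution -Fqdn 'web.labDomain.org' | Format-Table -AutoSize
```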

 

Website Availability

Website Availability Test

Here are some availability tools:

  1. Uptrends

 

Uptrends.com

Go to https://www.uptrends.com/tools/uptime.

Intentionally entered an invalid URL, in this case upTimeTest.cnn.com

Uptrends.com – Sample

uptimeTest.cnn.com

We entered a FQDN that we know is not available.

hyattHouse.com

We entered hyattHouse.com and we are able to successfully validate.

 

Software

Microsoft .Net Framework v4.5

Although the software can be installed without first installing .Net v4.5, it can not be used.

If one tries to do so, the user is prompted to install .Net 4.5.

BTW, .Net v4.5 has its own requirement in terms of minimal OS.  And, those are:

  1. Windows 2003
    • .Net v4.5 can not be installed on MS Windows 2003
  2. Windows 7
  3. Windows 2012

 

Microsoft IIS

IIS – Site Bindings

Internet Information Server ( IIS )

Site Bindings

We can use IIS Manager and access the Site Bindings

Site Bindings – Original

 

Site Bindings – Add Binding

Click on the “Add..” button.

Add each hostname or alias that you would like to generate a certificate for.

Please add only http entries.

The https will be added for you.

 

Site Bindings – After adding
  
Explanation

In the screen above, we have added the hostname that we would like exposed.

 

Download

Downloaded “Certify The Web” from the Vendor’s website.

As of 2017-July-15th, the current version is V2.0.7-beta4.

Installation

ScreenShots

License Agreement

Image

 

Select Destination Location

Image

Explanation

  1. 9 MB

 

Select Start Menu Folder

Image

 

Ready to Install

Image

Installing ….

Image

Complete the Wizard

Image

 

Usage

Launch “Certify the web”.

Initial Screen

Empty Canvas

New Certificate

Click the “New Certificate” button.

Managed Sites – New Certificate – Options

Image

Explanation

  1. Select IIS Site
    • Choose the IIS Site
  2. Name
    • The Name is only figurative
  3. Primary Domain Name
    • Please choose the Domain Name
    • If none shown, please visit the TroubleShooting section
  4. Alternative Domain Subject Name
    • All of the hostnames registered in the Site Bindings are listed

 

Managed Sites – New Certificate – Advanced

 

 

Explanation

  1. Auto create/update IIS bindings ( use SNI )
    • Chose to use SNI
      • Please read more about SNI ( Server Name Indication )
      • As always Wikipedia is a good source and here is the Link

 

Once you are comfortable with your choices, please click the Save button.

 

Request Certificate

Here are the steps for actually requesting a certificate.

Saved Certificate Request

Here is the screen once a Certificate is Requested.

Image

 

Certificate Received and Installed

Image

Explanation

  1. In the image above, our request has been validated, a certificate has been issued, and installed on our machine.

 

Troubleshooting

Primary Domain Name

Primary Domain Name – Empty

In the example that follows we just installed the Application and we are trying to add a “New Certificate”.

New Certificate

Error – “A primary domain must be selected”

Explanation:

  1. The error message states “A Primary Domain” must be selected
    • The reason is that we have not selected a “Primary Domain Name”

 

Remediate:

To fix, please …

  1. Launch IIS Manager
  2. Access Site
  3. Under Sites, select the Web Site
  4. In the Action Panel
    • Under Edit Site, Choose Bindings…
  5. In the “Site Bindings” window
    • Review listed Site Bindings
    • If not listed, click the “Add” button
      • The “Site Binding” window appears
        • In the Host name text box, add the host’s “Fully Qualified Domain Name”
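The binding review in the steps above can also be done from PowerShell. This is an added example, not part of the original post or of Certify The Web: it lists each IIS site's http bindings and marks sites that have no host-named http binding, the condition that leaves the Primary Domain Name list empty. The function names are hypothetical; the WebAdministration module that ships with IIS is assumed to be installed.

```powershell
# Added example, not from the original post; function names are hypothetical.
Import-Module WebAdministration

function Split-BindingInformation {
    param([Parameter(Mandatory)][string]$BindingInformation)
    # Format is IP:port:host. Split from the right so a bracketed IPv6 address keeps its colons.
    $hostStart = $BindingInformation.LastIndexOf(':')
    $portStart = $BindingInformation.LastIndexOf(':', $hostStart - 1)
    [pscustomobject]@{
        Address  = $BindingInformation.Substring(0, $portStart)
        Port     = [int]$BindingInformation.Substring($portStart + 1, $hostStart - $portStart - 1)
        HostName = $BindingInformation.Substring($hostStart + 1)   # empty when no host header is set
    }
}

function Get-SiteHostBindings {
    param([string]$SiteName = '*')
    foreach ($site in (Get-Website | Where-Object { $_.Name -like $SiteName })) {
        # Only http bindings are considered, matching the "add only http entries" advice.
        $http = @($site.Bindings.Collection |
            Where-Object { $_.protocol -eq 'http' } |
            ForEach-Object { Split-BindingInformation $_.bindingInformation })
        $named = @($http | Where-Object { $_.HostName })
        [pscustomobject]@{
            Site          = $site.Name
            HttpBindings  = $http.Count
            HostNames     = ($named | ForEach-Object { $_.HostName }) -join ', '
            NeedsHostName = ($named.Count -eq 0)
        }
    }
}

Get-SiteHostBindings | Format-Table -AutoSize
```

A site reported with NeedsHostName set to True has only bindings such as *:80: and needs a host name added as described in the Remediate steps.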

 

Summary

If you are running at a minimum MS Windows 7 ( desktop ) or 2012 ( server ), you should consider “Certify The Web”.

There is a lot more as this is only Day ONE.

 

References

  1. Certify The Web
    • Home Page
      Link
    • Docs
      Link
    • Getting Started
      Link
    • Issues
      • Issues – does not give list of possible domains #83
        Link
  2. Server Name Indication
  3. Browser – SSL
    • Google Chrome
      • Akemi Iwaya
        • Akemi Iwaya – How Do You View SSL Certificate Details in Google Chrome?
          Link
  4. DNS Servers – Public
    • Lifewire
      • LifeWire – Free & Public DNS Servers
        Link

Installing Powershell v5 on Windows 7

Background

In the last few weeks I have wanted to devote a bit of personal time to look more into SSL Certificates.

With LetsEncrypt, “don’t have the money” is no longer an excuse.

The reference implementation for LetsEncrypt on MS Windows Platform is the groundbreaking work done by ebekker.

 

eBekker?

eBekker, as in Eugene Bekker.

IT is an interesting business.  Everyone goes by first initial and their last name.

So who is Eugene Bekker? Let us just bring up his profile on the fighting Identity Crime web site.

Link

letsEncrypt On Windows

Here are the Client Options for availing LetsEncrypt on Windows.

Link

 

ACMESharp

To install ACMESharp, I know I need to read the documentation.

And,  some of that information is available as a wiki file here.

ACMESharp Installation

PowerShell Gallery

From everything I am reading I will be better off with PowerShell Gallery.

And, the easiest path to PowerShell Gallery is to be running PowerShell Version 5.

 

Status

What version of Powershell do we currently have in place…

Command

Launched OS Command shell and entered “powershell –$PSVersionTable” and got back the image pasted below.

Image

Powershell-Command-PSVersionTable-20170710--0726PM

Explanation

PSVersion is 2.0.

Download

Download PowerShell v5 from here.

PowerShell is bundled as Windows Management Framework 5.0.

ChooseTheDownloadYouWant_20170710_1021PM

There are two offerings for Windows 7; and those are:

  1. Win7AndW2K8R2-KB3134760-x64.msu
    • 64-bit OS
  2. Win7-KB3134760-x86.msu
    • 32-bit OS

We have a 64-bit OS and so we skip the -x86 package and choose the […….]–x64.msu

 

Installation

Screenshots

Do you want to install KB3134760?

WindowsUpdateStandaloneInstaller-ConfirmInstallation

License Agreement

license

Installing….Stage – Beginning

tTheUpdatesAreBeingInstalled

Installing….Stage – Progressing

TheUpdatesAreBeingInstalled_20170710_1027PM

Installation Complete

InstallComplete

Rebooted computer and got some sleep.

Wish I could say beauty sleep, but not so lucky.

 

Confirmation

Command

From OS Shell command line issued “powershell –$PSVersionTable” and got back the image pasted below.

Image

Powershell-Command-PSVersionTable-20170710--0753AM

Explanation

  1. PSVersion is 5.0.10586.1167
  2. CLRVersion is 4.0.30319.4200

Listening

It is a long road to the Heights!

In the words of one Jim Croce…

And give me the number if you can find it
So I can call just to tell ’em I’m fine and to show
I’ve overcome the blow, I’ve learned to take it well

I think about a love that I thought would save me

Music :- Link
Lyrics :- Link

Moral

Though Jim Croce recorded Operator in 72, I know just like he did then.

The love for SSL will not save me.

…. There is no one there that I really want to talk to.

It is just another software to pile on my machine.

 

References

  1. How to Install Windows Powershell v4.0
    Link
  2. Identify .Net Version
    • Rodney Viana – MSFT
      • Identifying the .NET version you are running (2.0, 4.5, 4.5.1 or 4.5.2)
        Link
    • Techno gyan by Vijayshinva Karnure – Support Escalation Engineer (Microsoft)
      • Where is ASP.NET 4.5 …wait Where is .NET 4.5 ?
        Link
  3. Install Material
    • PowerShell v5.0