
Mixed Windows Authentication in IIS 8.5 (ASP.Net)

Update:

Actually, this does not work. It only looks OK because of the client's cache. As far as I know, there is no way to do this.


Original:

I recently had a request to build a site in IIS 8.5 with two requirements:

  • When the visitor is logged on to the desktop with a domain account, use that account for the website.
  • When the visitor is not using a domain account, do not pop up a login window asking for a domain account; redirect to an anonymous version instead.

I thought it would be a simple IIS setting, but I was wrong: anonymous authentication cannot run in parallel with Windows authentication.

After some digging on Google, I started my test:

  1. Deploy the site with anonymous authentication.
  2. Select the login page that detects the domain user and switch that page to Windows authentication instead of anonymous.
  3. Add a custom error page for that page on error 401, with the mode set to “Execute a URL on this site”.

It works well, but…

When the login page is opened, it should receive a URL as a parameter so it can return to the original page, so I had to handle that in the customized 401 page. I turned that page into an ashx handler that calls context.Response.Redirect; the return URL can be cut from context.Request.RawUrl.

After that, it went wrong. From the same server that hosts IIS it still works well, but when I tried the page from another computer it always redirected to the anonymous version, whether or not the desktop was logged on with a domain account. I am sure the site is added to the Intranet zone and automatic logon is enabled for that zone.

Checking with a network monitor, the browser never gets a 401 response in this scenario: for the ashx request only a 302 is returned, so the browser is never told to log on with the current user.

The solution: if you still want to use an ashx with a redirect as the customized 401 page, do not use context.Response.Redirect. Instead, emit the redirect as HTML while keeping the 401 code in the HTTP response.

// Custom 401 handler (.ashx): keep the 401 status so the browser retries with the
// domain account, and carry the fallback redirect as HTML instead of a 302.
// redirectUrl is cut from context.Request.RawUrl, i.e. from client-controlled input,
// so it is attribute-encoded before being written into the page.
context.Response.Status = "401 Unauthorized";
context.Response.StatusCode = 401;
context.Response.ContentType = "text/html";
context.Response.Write(@"<html>
<head>
<title>Redirecting</title>
<meta http-equiv=""refresh"" content=""0; url=" + HttpUtility.HtmlAttributeEncode(redirectUrl) + @""" />
</head>
<body></body>
</html>");

It works like a charm.

I guess (yes, guess) that when the browser gets a 401 response for the first time, it retries the previous submission/navigation with the domain account. If that fails again, it pops up a login window after the HTML page is displayed. Since the HTML I return navigates to another page immediately, the browser has no chance to display the login window. That’s the deal.

All I’m sure of is that it really works well. Hope it is useful to you.

Set SQL Alias

When you need to move a SQL Server instance to another server, you can use a SQL Alias to avoid changing the connection string of the software that uses this database.

All you need is to set up the SQL Alias on the computers running your software. Nothing needs to be done on the SQL Server itself, unless it is also one of the computers running the applications.

The tool for setting up a SQL Alias is included with Windows: just run cliconfg.exe. Be careful with the typing; it is cliconfg, not config.

If your Windows is x64, you may need to choose the right version of the tool: the x64 version is C:\Windows\system32\cliconfg.exe and the x86 version is C:\Windows\syswow64\cliconfg.exe. If you don’t know which one is right, set up both.
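As an added example (not from the original post), the following PowerShell script writes the same alias that cliconfg.exe creates, under both registry views on x64 Windows so that 32-bit and 64-bit applications resolve it, and then verifies it by opening a connection. The alias name, target host and port are placeholders; run it elevated, since it writes to HKLM.

```powershell
# Added example, not from the original post: register a SQL Server alias in the
# registry for both the x64 and the x86 client stack, which is what running both
# copies of cliconfg.exe achieves. Alias name, target host and port are placeholders.
param(
    [string]$AliasName  = 'OLDSQL',                # name the applications already use
    [string]$TargetHost = 'newsql.corp.example',   # server the database moved to (placeholder)
    [int]   $Port       = 1433
)

# Keys written by cliconfg.exe; 32-bit processes on x64 Windows read the Wow6432Node copy.
$keys = @('HKLM:\SOFTWARE\Microsoft\MSSQLServer\Client\ConnectTo')
if ([Environment]::Is64BitOperatingSystem) {
    $keys += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\MSSQLServer\Client\ConnectTo'
}

# DBMSSOCN selects the TCP/IP network library; the value format is "DBMSSOCN,<host>,<port>".
$value = "DBMSSOCN,$TargetHost,$Port"

foreach ($key in $keys) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name $AliasName -Value $value -PropertyType String -Force | Out-Null
    Write-Host "Alias $AliasName -> $value written under $key"
}

# Verify the alias the way an application would: open a connection to the alias name.
# Integrated Security keeps passwords out of the connection string.
$conn = New-Object System.Data.SqlClient.SqlConnection "Server=$AliasName;Integrated Security=SSPI;Connection Timeout=5"
try {
    $conn.Open()
    Write-Host "Connected through alias to $($conn.DataSource), SQL Server $($conn.ServerVersion)"
} catch {
    Write-Warning "Alias written but connection failed: $($_.Exception.Message)"
} finally {
    $conn.Dispose()
}
```

The verification step matters: an alias typo is only discovered when the first application fails, so connecting through the alias name immediately after writing it catches that on the machine where it was configured.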

WDS of Windows Server 2012 R2 with Update

No matter how you get Windows Server 2012 R2 with Update, by a fresh install from the CD supplied by the MSDN Subscription or simply by upgrading through Windows Update, the WDS of this system sucks.

If you plan to upgrade, remember to back up the Boot folder of WDS while still on Windows Server 2012 R2 without that update. After the upgrade, stop the WDS service, replace the Boot folder with your backup and restart WDS.

The Boot folder provided with Windows Server 2012 R2 with Update or Windows 8.1 with Update is not compatible with capture image creation. If you use the original Boot folder from Windows Server 2012 R2 with Update, or get the Boot folder upgraded by adding a boot.wim from Windows Server 2012 R2 with Update or Windows 8.1 with Update, it can boot but no longer supports capture images. No matter which boot file your capture image is based on, even if you got the capture image from another server, it just cannot boot your PC for capturing. After loading finishes, you get an error in winload.exe with status code 0xc000000f.

To avoid this, do NOT use the boot.wim from the Windows Server 2012 R2 with Update or Windows 8.1 with Update ISO files provided by the MSDN Subscription, and do NOT use the Boot folder provided with the WDS of Windows Server 2012 R2 with Update.

To fix this, you just need to restore the WDS Boot folder from the backup taken before upgrading to this update. If you don’t have a backup, copy the folder from another server running Windows Server 2012 R2 (without that Update).

I still don’t know the reason, but it doesn’t surprise me that WDS is not well tested; in many versions of Windows Server, WDS does not work well.

Related:

Do NOT add a boot file for WDS from Windows 6.3 with Update

Caution: Upgrading Windows to 2012 R2 may change the interface number of network interface card

Some servers have specific settings written with the command “route -p” to deal with multiple internet or intranet connections. To make them work with RRAS, the option “if <number>” must be given with each route command.

If you’re planning to upgrade such a server to Windows Server 2012 R2, be careful: you may need a console connection. The upgrade process will not fail, or even warn you about the route settings, but after it is done the interface number of the NIC (network interface card) will have changed. That means you have to remove and re-add the related persistent routes to restore the remote connection before you can use the server again.

If you cannot get a console, you may want to disable RRAS and remove the “if <number>” parameter from the route commands before upgrading.
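As an added example (not from the original post), the following PowerShell script records the persistent routes together with the MAC address of the adapter each one is bound to before the upgrade, and re-creates them afterwards on whichever interface index now carries that MAC. It assumes the NetTCPIP and NetAdapter modules (Windows Server 2012 or later on both sides of the upgrade) and a constructed CSV path.

```powershell
# Added example, not from the original post. Before the upgrade, record every persistent
# route together with the MAC address of the adapter it is bound to; after the upgrade,
# re-create each route on the adapter that now carries that MAC, whatever its new interface
# index is. Assumes the NetTCPIP and NetAdapter modules (Windows Server 2012 or later on
# both sides of the upgrade); the CSV path is a constructed placeholder.
$Backup = 'C:\Admin\persistent-routes.csv'

function Export-PersistentRoutes {
    $adapters = Get-NetAdapter
    Get-NetRoute -PolicyStore PersistentStore | ForEach-Object {
        $route = $_
        $nic = $adapters | Where-Object ifIndex -eq $route.InterfaceIndex
        [pscustomobject]@{
            DestinationPrefix = $route.DestinationPrefix
            NextHop           = $route.NextHop
            RouteMetric       = $route.RouteMetric
            OldIfIndex        = $route.InterfaceIndex
            AdapterName       = $nic.Name
            MacAddress        = $nic.MacAddress    # stable across the upgrade, unlike ifIndex
        }
    } | Export-Csv -Path $Backup -NoTypeInformation
}

function Import-PersistentRoutes {
    $adapters = Get-NetAdapter
    foreach ($r in Import-Csv -Path $Backup) {
        $nic = $adapters | Where-Object MacAddress -eq $r.MacAddress
        if (-not $nic) {
            Write-Warning "No adapter with MAC $($r.MacAddress); route $($r.DestinationPrefix) skipped"
            continue
        }
        if ([int]$nic.ifIndex -ne [int]$r.OldIfIndex) {
            Write-Host "Interface index of $($nic.Name) changed: $($r.OldIfIndex) -> $($nic.ifIndex)"
        }
        # Drop the stale copy that still points at the old interface number, then re-add it.
        # New-NetRoute writes both the active and the persistent store, like "route -p add ... if <n>".
        Remove-NetRoute -DestinationPrefix $r.DestinationPrefix -NextHop $r.NextHop `
                        -Confirm:$false -ErrorAction SilentlyContinue
        New-NetRoute -DestinationPrefix $r.DestinationPrefix -NextHop $r.NextHop `
                     -InterfaceIndex $nic.ifIndex -RouteMetric ([int]$r.RouteMetric) | Out-Null
    }
}

# Usage: run Export-PersistentRoutes before the upgrade and Import-PersistentRoutes afterwards.
```

Routes bound to an interface that has no Get-NetAdapter entry (for example the loopback interface) are exported with an empty MAC and skipped on import with a warning, so the script never silently binds a route to the wrong NIC.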

Visual Studio 2013 Update 1 is not compatible with Windows 8.1 with Update (MSDN CD) while using sysprep

When the new installation CD named Windows 8.1 with Update was released to MSDN subscribers, I downloaded it and tried to upgrade all the images on my company’s Windows Deployment Service. But I found that the new version of Windows 8.1 may have a problem with Visual Studio 2013 Update 1.

Because I need to upgrade several related images in batch, this is my way:

  1. Create a VM and install Windows 8.1 (x64 Enterprise with Update, downloaded from the MSDN subscriptions site);
  2. Install Office 2013 with Service Pack 1 (VL version, because there is a KMS in our company);
  3. Update to the latest patches;
  4. Run Cleanmgr to minimize the system;
  5. Create a snapshot named Office 2013;
  6. Use Sysprep to boot into audit mode;
  7. Remove the current user;
  8. Use Sysprep to boot into OOBE mode with Generalize checked;
  9. Use WDS to capture this state and upload it, named Office 2013. Before capturing, I deleted the pagefile, the swap file and the contents of the temp folder.

It works great.

Then,

  1. Revert to the snapshot Office 2013;
  2. Install Visual Studio 2013 with Blend, Office Developer Tools, SQL Server Data Tools, Web Developer Tools and the Silverlight Development Kit (no C++, no mobile tools);
  3. Install Update 1 from the ISO;
  4. Install the Visual Studio SDK;
  5. Update to the latest patches;
  6. Run Cleanmgr to minimize the system;
  7. Create a snapshot named Visual Studio;
  8. Use Sysprep to boot into audit mode;
  9. Remove the current user;
  10. Use Sysprep to boot into OOBE mode with Generalize checked;
  11. Use WDS to capture this state and upload it, named Visual Studio. Before capturing, I deleted the pagefile, the swap file and the contents of the temp folder.

It looks familiar, right? Actually, it WON’T WORK.

After deploying from this Visual Studio image and creating a new user, the system ends with this text:

The User Profile Service service failed the sign-in.

User profile cannot be loaded.

Even when booting the template VM in its current state, it fails in the same way.

But if I install Team Explorer from the Team Foundation Server with Update 2 CD instead, or use the Office 2013 image created above, it works like a charm. Even just using the old Windows 8.1 CD instead of the new one still works great.

I’ve checked with reg on the command line. There is nothing wrong like this KB mentions: http://support.microsoft.com/kb/947215.

I have no clue about this, but I’m leaving a note here so that others can avoid the same jam.

Update: It is fixed in VS 2013 with Update 2.

Do NOT add a boot file for WDS from Windows 6.3 (2012R2/8.1) with Update

If you have a Windows Deployment Service (WDS for short) hosted by Windows Server 2012 R2 (with or without the update), never try to add a boot file from Windows Server 2012 R2 with Update (MSDN CD) or Windows 8.1 with Update (MSDN CD). If you do, every capture image, no matter which version of boot file it is based on or whether it was created on this server or another, will stop working. After loading finishes, you get an error in winload.exe with status code 0xc000000f.

If you are already in this jam, you have to restore the whole Boot folder from the backup made before you attached the new boot files. Don’t forget to stop WDS before you replace the folder. Deleting the new boot file alone won’t work.


Update: There is another way to fix the broken capture image file directly. But you have to do that for every capture file. http://social.technet.microsoft.com/Forums/windowsserver/en-US/a164b948-1778-42bd-8d77-9cef1ca70866/image-capture-boot-image-fails-with-0xc000000f?forum=winserversetup

Do NOT add a newer boot file into an older Windows Deployment Service

In my company there is a Windows Deployment Service (WDS for short) hosted by Windows Server 2012 R2. Since I got the new release of Windows Server yesterday, named Windows Server 2012 R2 with Update, I added the boot.wim from the new CD to this server and began my nightmare.

Result: all boot images from the installation CD work great, but all capture images fail to start, whether the capture image is pre-existing, newly created or copied from another server. They fail in two ways:

  • Error in \Windows\System32\boot\winload.exe with status code 0xc000000f after the loading bar completes; or,
  • Black screen after displaying the Windows logo.

To fix this, I tried removing the newly added boot image, but that was ineffective. Finally, I googled and found someone who had added a Windows 8 Preview boot file to an old WDS server, which led to a similar result. The way to fix it is:

  1. Stop the WDS;
  2. Restore the Boot folder from a previous version; and,
  3. Restart the WDS.
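As an added example (not from the original post), the following PowerShell script performs the backup recommended in the earlier post (take a copy of the Boot folder before attaching any newer boot file) and the three-step restore listed above, stopping the WDSServer service around the copy. The RemoteInstall root and the backup location are assumptions; adjust them to the share root chosen when WDS was initialized.

```powershell
# Added example, not from the original post. Backs up the WDS Boot folder before an
# upgrade or before adding a boot image, and restores it afterwards, stopping the
# WDSServer service around the copy as the post requires. RemoteInstall path and
# backup location are assumptions.
param(
    [Parameter(Mandatory)][ValidateSet('Backup','Restore')][string]$Mode,
    [string]$RemoteInstall = 'D:\RemoteInstall',
    [string]$BackupRoot    = 'D:\WDS-Backup'
)

$bootDir = Join-Path $RemoteInstall 'Boot'
$service = 'WDSServer'   # display name: Windows Deployment Services Server

switch ($Mode) {
    'Backup' {
        $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
        $dest  = Join-Path $BackupRoot "Boot-$stamp"
        # Copy the whole tree: adding a boot image rewrites files across this folder,
        # not just the new .wim, so a per-file backup is not enough.
        Copy-Item -Path $bootDir -Destination $dest -Recurse -Force
        Write-Host "Boot folder saved to $dest"
    }
    'Restore' {
        $latest = Get-ChildItem $BackupRoot -Directory -Filter 'Boot-*' |
                  Sort-Object Name -Descending | Select-Object -First 1
        if (-not $latest) { throw "No backup found under $BackupRoot" }

        # Step 1: stop WDS first; the service keeps handles on the boot files.
        Stop-Service -Name $service -Force
        (Get-Service -Name $service).WaitForStatus('Stopped', [TimeSpan]::FromSeconds(60))

        # Step 2: replace the folder whole. Deleting only the newly added boot image
        # does not undo the damage, as both posts note.
        Remove-Item -Path $bootDir -Recurse -Force
        Copy-Item -Path $latest.FullName -Destination $bootDir -Recurse -Force

        # Step 3: restart WDS.
        Start-Service -Name $service
        Write-Host "Boot folder restored from $($latest.FullName); WDS restarted"
    }
}
```

Run it as `.\wds-boot.ps1 -Mode Backup` before touching the boot images and `-Mode Restore` if capture images stop booting; the timestamped backup names mean an earlier good copy is never overwritten by a backup taken after the damage.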

If you don’t have a backup, you may need to reinstall WDS.

I guess that when you add a new boot image to a WDS, it updates the existing Boot folder to the latest version, which may not be compatible with other boot files. Maybe it will be fixed after patching the server OS, but it’s better never to do such a thing again.


Update: There is another way to fix the broken capture image file directly. But you have to do that for every capture file. http://social.technet.microsoft.com/Forums/windowsserver/en-US/a164b948-1778-42bd-8d77-9cef1ca70866/image-capture-boot-image-fails-with-0xc000000f?forum=winserversetup

Enable Remote Management for Hyper-V Server

After a clean installation, the firewall of Hyper-V Server denies any remote connection by default.

If you need to manage it other than from the console, you may want to enable the inbound rules for Remote Management and Remote Desktop by running these commands in the console.

To enable the Remote Management:

cscript C:\windows\system32\scregedit.wsf /im 1

To enable the Remote Desktop:

cscript C:\windows\system32\scregedit.wsf /ar 0

And you also need to enable Remote Desktop from sconfig (the blue console window).
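As an added example (not from the original post), the following PowerShell script does the same job with the firewall cmdlets, but scopes the rules to a management subnet instead of opening them to any remote address, and sets the Remote Desktop registry switch that sconfig flips. The rule groups chosen here are Remote Desktop and Windows Remote Management (WinRM, used by PowerShell remoting); they are my choice for "remote management" and are not an exact replica of what scregedit.wsf /im touches. The subnet is a constructed placeholder.

```powershell
# Added example, not from the original post. Enables the inbound firewall rule groups for
# Remote Desktop and WinRM but restricts them to a management subnet, then turns on Remote
# Desktop in the registry (the step the post does in sconfig). The subnet is a placeholder;
# the rule-group mapping to scregedit.wsf is an assumption.
$MgmtSubnet = '10.10.0.0/24'

$groups = @('Remote Desktop', 'Windows Remote Management')
foreach ($g in $groups) {
    $rules = Get-NetFirewallRule -DisplayGroup $g -Direction Inbound
    if (-not $rules) { Write-Warning "No inbound rules found in group '$g'"; continue }
    $rules | Enable-NetFirewallRule
    # Default scope is "Any"; limit the listener to the management subnet.
    $rules | Set-NetFirewallRule -RemoteAddress $MgmtSubnet
    Write-Host "Enabled '$g' for $MgmtSubnet only"
}

# Allow RDP connections (what the sconfig Remote Desktop option does) and keep
# Network Level Authentication required.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
                 -Name fDenyTSConnections -Value 0
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
                 -Name UserAuthentication -Value 1

# Show the effective scope before leaving the console, so a rule still open to "Any"
# is visible rather than discovered later.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True |
    Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress
```

Restricting RemoteAddress is the one setting that scregedit.wsf cannot express; on a hypervisor that hosts other workloads it is the difference between an RDP listener reachable from the whole network and one reachable only from the admin subnet.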

AVMA: An easier way to activate Windows Server 2012 R2 in Hyper-V

Microsoft provides a new way to activate VMs hosted in Hyper-V, named Automatic Virtual Machine Activation (AVMA). It makes the activation step of VMs much easier.

Requirement:

  • Hypervisor: Windows Server 2012 R2 Datacenter with the Hyper-V role. Other editions are not supported; the dedicated Hyper-V Server is not supported.
  • VM: Windows Server 2012 R2 Datacenter, Standard and Essentials.

Steps:

  1. Prepare and activate your Hypervisor;
  2. Install supported OS as VM with the key listed below, or change the key of an installed VM with command “slmgr /ipk <key>”.

Keys:

  • Windows Server 2012 R2 Datacenter: Y4TGP-NPTV9-HTC2H-7MGQ3-DV4TW
  • Windows Server 2012 R2 Standard: DBGBW-NPF86-BJVTX-K3WKJ-MTB6V
  • Windows Server 2012 R2 Essentials: K2XGM-NMBT3-2R6Q8-WF2FK-P36R2

These keys can also be used in any unattend.xml setup file.

Source: http://technet.microsoft.com/en-us/library/dn303421.aspx

Remove unwanted IP addresses belong to Domain Controllers from DNS

If you have multiple IP addresses on a domain controller and do not want to publish all of them to the local DNS, the usual way may not help, because no matter how you set it up, all the interfaces can still reach the DNS (localhost).

In this case, you can do it by editing the registry directly.

Open regedit.exe on the Domain Controller, navigate to HKLM\System\CurrentControlSet\Services\DNS\Parameters, add a string value named PublishAddresses, and set its value to the IP address you want published to DNS.

Don’t forget to reboot and to manually delete the existing unwanted records from DNS.
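As an added example (not from the original post), the following PowerShell script sets the PublishAddresses value described above, stops the interfaces that hold the unwanted addresses from re-registering them through the DNS Client, restarts the DNS and Netlogon services, and deletes the stale A records with the DnsServer module. The zone name and all addresses are constructed placeholders; restarting the two services instead of rebooting is an assumption, and a reboot as in the post remains the safe option.

```powershell
# Added example, not from the original post. Sets PublishAddresses on a domain controller
# so its DNS server publishes only the chosen address, stops the other interfaces from
# registering themselves, restarts the services involved, and removes the stale A records.
# Zone name and addresses are constructed placeholders.
param(
    [string]  $Publish  = '10.0.1.10',                         # address to keep in DNS
    [string[]]$Unwanted = @('192.168.100.10', '172.16.5.10'),  # addresses to remove
    [string]  $Zone     = 'corp.example',                      # the AD domain zone (placeholder)
    [string]  $DcName   = $env:COMPUTERNAME
)

# REG_SZ; several addresses may be listed separated by spaces.
New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters' `
                 -Name PublishAddresses -Value $Publish -PropertyType String -Force | Out-Null

# Stop the interfaces that carry the unwanted addresses from re-registering them via DNS Client,
# otherwise the records deleted below come back at the next registration refresh.
foreach ($ip in $Unwanted) {
    Get-NetIPAddress -IPAddress $ip -ErrorAction SilentlyContinue |
        ForEach-Object { Set-DnsClient -InterfaceIndex $_.InterfaceIndex -RegisterThisConnectionsAddress $false }
}

# The post reboots; restarting the DNS server and Netlogon re-runs their record
# registration with the new settings (assumption: a full reboot is not required).
Restart-Service -Name DNS, Netlogon

# Remove the stale A records: the DC's own host record and the zone-apex ("same as parent")
# record that Netlogon registers for the domain name.
foreach ($name in @($DcName, '@')) {
    Get-DnsServerResourceRecord -ZoneName $Zone -Name $name -RRType A -ErrorAction SilentlyContinue |
        Where-Object { $Unwanted -contains $_.RecordData.IPv4Address.IPAddressToString } |
        Remove-DnsServerResourceRecord -ZoneName $Zone -Force
}

# Verify what is left for this DC.
Get-DnsServerResourceRecord -ZoneName $Zone -Name $DcName -RRType A |
    Select-Object HostName, @{ n = 'IP'; e = { $_.RecordData.IPv4Address } }
```

The verification query at the end is the check to repeat a day later: if an unwanted address reappears, something other than the DNS Client (typically Netlogon's own registration) is still publishing it and needs the same treatment.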