What's Up Duck

Hacking ValidateSet

2013-05-18T11:30:00.000-05:00

I guess I should start off this post by saying what I'm doing is a dirty hack, in no way supported, and in general a terrible idea. But it's also really awesome.

Occasionally I find it would be nice to be able to dynamically generate the values used in a ValidateSet attribute on a function parameter. Joel Bennett wrote a post a while back explaining how to build a custom validation attribute that could be written to include the ability to update the set list dynamically. Or you could even use his technique of using ValidateScript and throwing a custom error message to generate the set dynamically.

The problem with these other techniques is that ValidateSet comes with magic that they don't include. This magic provides tab-completion, error messages, and a listing of valid values in help, all for free. I actually started off my experiment by following Joel's post and implementing my own ValidateDynamicSetAttribute class that provided Add() and Remove() methods so the values could be changed on the fly.

But that class wouldn't have come with the magic of ValidateSet, and while I was using ILSpy to learn how ValidateSet was implemented, I discovered that it was based on a private string array and it turns out I had just learned how to access private members while I was at the PowerShell Summit 2013 (thanks Adam!).

The result is the following function that takes a FunctionInfo object (use Get-Command), the name of the parameter that is using ValidateSet, and the new set of valid inputs. It hacks its way into the command, locates the correct parameter, locates all the ValidateSet attributes on it, and rips into the heart of each one and replaces the private validValues array with the one provided in the -NewSet parameter.

<# .SYNOPSIS Replace the set of valid values on a funciton parameter that was defined using ValidateSet. .DESCRIPTION Replace the set of valid values on a funciton parameter that was defined using ValidateSet. .PARAMETER Command A FunctionInfo object for the command that has the parameter validation to be updated. Get this using: Get-Command -Name YourCommandName .PARAMETER ParameterName The name of the parameter that is using ValidateSet. .PARAMETER NewSet The new set of valid values to use for parameter validation. .EXAMPLE Define a test function: PS> Function Test-Function { param( [ValidateSet("one")] $P ) } PS> Update-ValidateSet -Command (Get-Command Test-Function) -ParameterName "P" -NewSet @("one","two") After running Update-ValidateSet, Test-Function will accept the values "one" and "two" as valid input for the -P parameter. .OUTPUTS Nothing .NOTES This function is updating a private member of ValidateSetAttribute and is thus not following the rules of .Net and could break at any time. Use at your own risk! Author : Chris Duck .LINK http://blog.whatsupduck.net/2013/05/hacking-validateset.html #> function Update-ValidateSet { [CmdletBinding(SupportsShouldProcess=$true)] param( [Parameter(Mandatory=$true)] [ValidateNotNullOrEmpty()] [System.Management.Automation.FunctionInfo]$Command, [Parameter(Mandatory=$true)] [ValidateNotNullOrEmpty()] [string]$ParameterName, [Parameter(Mandatory=$true)] [ValidateNotNullOrEmpty()] [String[]]$NewSet ) #Find the parameter on the command object $Parameter = $Command.Parameters[$ParameterName] if($Parameter) { #Find all of the ValidateSet attributes on the parameter $ValidateSetAttributes = @($Parameter.Attributes | Where-Object {$_ -is [System.Management.Automation.ValidateSetAttribute]}) if($ValidateSetAttributes) { $ValidateSetAttributes | ForEach-Object { #Get the validValues private member of the ValidateSetAttribute class $ValidValuesField = [System.Management.Automation.ValidateSetAttribute].GetField("validValues", [System.Reflection.BindingFlags]::NonPublic -bor [System.Reflection.BindingFlags]::Instance) if($PsCmdlet.ShouldProcess("$Command -$ParameterName", "Set valid set to: $($NewSet -join ', ')")) { #Update the validValues array on each instance of ValidateSetAttribute $ValidValuesField.SetValue($_, $NewSet) } } } else { Write-Error -Message "Parameter $ParameterName in command $Command doesn't use [ValidateSet()]" } } else { Write-Error -Message "Parameter $ParameterName was not found in command $Command" } }

SharePoint 2007 Wiki Pages Broken

2013-02-21T23:00:00.000-06:00

One of our SharePoint wiki libraries got in a state where we couldn't edit any of the pages. When we clicked "Edit" we would get the document properties page instead of the wiki editor page. I believe the root cause was someone moving a page from another wiki and the page ended up in the library as a "document" instead of a "wiki page".

I found a solution here, but it required installing SharePoint Manager 2007 in order to change the ContentTypesEnabled property on the list. I wasn't really wanting to install any additional software, so I set out to determine if there was a way to modify the property using the SharePoint API, and it turns out there is.

The following script uses the SharePoint API to modify your list properties to enable the content types UI elements in your list settings in order to clean up your wiki content types. I ran it from a SharePoint server in my farm, I assume it's possible to run remotely but have no idea how that would be done.

001
002
003
004
005
006

[reflection.assembly]::LoadWithPartialName("Microsoft.SharePoint") $Site = [Microsoft.SharePoint.SPSite]("http://site.com") $Web = $Site.OpenWeb("pat/to/web") $WikiList = $Web.Lists["WikiListName"] $WikiList.ContentTypesEnabled = $true $WikiList.Update()

With this script, you can follow the instructions linked above to fix the content types on your existing documents, using the script instead of SharePoint Manager to enable editing the content types on your wiki library. Then you can delete the "Document" content type from your library.

After you have everything cleaned up, you can run the following script to return your wiki library to the default configuration.

001
002
003
004
005
006

Deploying WDS Across Domain Forests

2012-04-05T17:38:00.000-05:00

I'm not going to cover how to setup your unattend file, or how to customize a PE image... there are plenty of people out there who have covered those topics. What I do want to cover here is how to edit your PE image so that you can force it to connect to a specific WDS server. This will help solve the problem where you want to deploy computers into two domains on the same subnet, but WDS only looks for prestaged computers objects on the domain it is joined to.

This process does require two WDS servers, one joined to each domain you want to deploy computers into. I'm going to refer to them as WDSPrimary and WDSSecondary. I'm assuming you have either WDSPrimary configured to listen to broadcast requests, or your DHCP server options 66 and 67 pointed at WDSPrimary and boot\x64\wdsnbp.com respectively. The challenge is to be able to add a boot image on WDSPrimary that tells setup.exe to contact WDSSecondary to deploy the image.

Extract Your Existing Boot Image

Assuming you already have a boot image customized for deploying to WDSPrimary, export that image to a work folder using the Windows Deployment Services management console. For this example, I'm going to use c:\PEBoot\SecondaryBoot.wim as the extracted file name.

Mount the Image

Using Windows 7 or Server 2008 R2, first create a mount folder to mount the wim image to. I'll use c:\PEBoot\mount. Then run the following command to mount the image (remember to launch your shell as Administrator)

dism /mount-wim /mountdir:c:\PEBoot\mount /wimfile:c:\PEBoot\SecondaryBoot.wim /index:2

Configure the PE Image

Window PE includes a file called winpeshl.ini (Win 8/2012 version) that you can use to specify custom applications to run instead of starting setup.exe automatically. We will use this file to start setup.exe with custom options that will tell it to connect to WDSSecondary instead of defaulting to the WDS server that it booted from (WDSPrimary).

Open notepad and create a new file with the following contents

[LaunchApps]
%SYSTEMDRIVE%\windows\system32\wpeinit.exe
%SYSTEMDRIVE%\setup.exe, "/wds /wdsdiscover /wdsserver:WDSSecondary.contoso.com"

Make sure you enclose multiple command-line parameters in double quotes when you specify them in winpeshl.ini or they will not be properly passed to the command.

Unmount the PE Image and Import it into WDS

Now we need to unmount the wim file and commit our changes. This is accomplished using the following command.

dism /unmount-wim /mountdir:c:\PEBoot\mount /commit

Now all that is left is to import the new boot image into the primary WDS server that all clients boot to. In this case, you would go to WDSPrimary and right click "Boot Images" and select "Add Boot Image". Now when you PXE boot, you will have an option to boot to the customized image that connects to WDSSecondary to deploy the operating system.

Re: Zero out Free Disk Space

2012-03-23T01:01:00.000-05:00

We've been having weekly script club meetings at work where anyone who is interested gets together in a conference room and we all work on scripts together so we all have a chance to learn new techniques while solving our real-world problems at the same time. This week I developed a script to mimic the behavior of the SysInternals utility SDelete. The script will be used to reclaim thin-provisioned space from our SAN, and I wanted to develop it during script club to use as an example of how to use the classes in the System.IO namespace to get better IO performance from PowerShell.

One of my co-workers shared the script from the meeting with Don Jones and he was nice enough to post it on his blog along with a few comments about the script.

Don's blog doesn't seem to support public comments, so I wanted to take a few minutes to respond to his comments here. I've reproduced his comments (in italics below) along with my responses:

I wish the comment-based help was a bit more complete, but I love that they're using it!: This script was written in a "class" setting and I was focusing more on solving the task at hand than producing a share-able script. The parameter block and help content were actually thrown in at the very end of the session just as a quick "finishing touch" and were never even run. I agree that well documented scripts are important and I try to write more complete help on my scripts when I don't have an audience watching me code :)
They're overriding $PercentFree to always be 0.5 - not sure if that's on purpose: This is a bug due to the way I'm trying to teach programming at work. I've been encouraging people to use variables for things even when they are just starting a script and are still in "explore" mode, with the idea that this makes it easy to turn the script into a function just by deleting the explicit variable declarations and moving them up to a parameter block.
Yay! Error handling!: I really wanted to take the opportunity to highlight the proper way to deal with external resources (ie file handles, network ports, etc) for my team. I see a lot of people who either don't bother to close things or don't put the close statements in a finally block and end up leaking resources.
Yay! Variable-replacement-within-double-quotes instead of concatenation!
Really brilliant technique of creating an empty file and then deleting it - clever thinking.: Can't really take credit for this one, just replicating the way sdelete works :)
Kind of a lot of variables. Like, why put 64KB into $ArraySize, and then only use it once? Why not use use the literal 64KB? Doing so would make the script a bit more concise and possibly easier to read.: This again comes from my programming style. At the time I thought there was potential we might want to make $ArraySize a parameter so I built it from the start so that it would be easy to convert down the line if we decided to go that way. Also I wanted to make it very easy to modify so we could do some performance testing to determine what the optimal block size to write was. In general I try to avoid hard coding any values into the meat of my scripts to make them easier to modify if the needs change down the road.

After Further Review

The script that Don was kind enough to review was written live during class and I never even got to the point of saving the script to a file in my editor, much less cleaning it up to make it "enterprise class" or "share worthy". Some other rough areas I have noticed in it after having time to review it are:

It should probably test to make sure the file doesn't exist already so it doesn't clobber existing data
It should test to make sure the $Root path/volume exists
It should validate that $PercentFree is between 0 and 1
The delete command should probably be moved up into the finally block to ensure the file gets deleted
I also would consider putting the whole thing in a process block, adding a "Name" alias to $Root, and enabling "ValueFromPipelineByPropertyName" so you could do:

gwmi Win32_Volume | Write-ZeroesToFreeSpace

The "Real" Script

I've sort of posted these last two blog entries in reverse order, as my previous post is the cleaned up version of the script that addresses Don's comments as well as my additional comments posted above.

Thanks again Don for taking the time to review our little script and give us the opportunity to share a little bit of our development process with the community!

A PowerShell Alternative to SDelete

2012-03-23T00:03:00.001-05:00

Problem Background

Many storage appliances support thin provisioning by not storing large blocks of zeros on disk, thus saving expensive physical disks for actual data. One of the challenges of this feature is that Windows (or most file systems really) does not zero out space that was used by files that have been deleted. This means that over time as files are written an deleted, the amount of physical disk that is saved by thin provisioning grows smaller.

One popular solution (really the only one we've been able to find) is to use the SysInternals utility SDelete's -z switch to write zeros to all the free space, thus allowing the storage appliance to use all that empty space for something else. The challenge with sdelete is that it only supports volumes mounted as drive letters, not volumes that are mounted to folders. Another concern with SDelete is that it appears to fill up the entire disk, if only for that brief second between finishing writing the file out and deleting the file. We were concerned with using this tool at work on a workload like SQL that might not take kindly to a disk filling up.

Our storage administrator tried to solve this problem using the standard PowerShell techniques of redirecting null strings to files and found the performance to be somewhat lacking. I don't want to get into a detailed analysis of PowerShell IO characteristics (mostly because I haven't spent much time researching how PowerShell does IO), but instead just post that the solution is to turn to the System.IO .Net namespace and perform the IO operations the "hard way".

The Script

Here is the script I came up with using a FileStream to write out the zero file. We informally compared a couple of runs between this script and sdelete and saw roughly the same performance.

Write-ZeroesToFreeSpace.ps1

001
002
003
004
005
006
007
008
009
010
011
012
013
014
015
016
017
018
019
020
021
022
023
024
025
026
027
028
029
030
031
032
033
034
035
036
037
038
039
040
041
042
043
044
045
046
047
048
049
050
051
052
053
054
055
056
057
058
059
060
061
062
063
064
065
066
067
068
069
070
071
072
073
074
075
076
077
078
079
080
081
082
083
084
085
086
087
088
089
090
091
092
093
094
095
096
097
098
099
100
101
102

<# .SYNOPSIS Writes a large file full of zeroes to a volume in order to allow a storage appliance to reclaim unused space. .DESCRIPTION Creates a file called ThinSAN.tmp on the specified volume that fills the volume up to leave only the percent free value (default is 5%) with zeroes. This allows a storage appliance that is thin provisioned to mark that drive space as unused and reclaim the space on the physical disks. .PARAMETER Root The folder to create the zeroed out file in. This can be a drive root (c:\) or a mounted folder (m:\mounteddisk). This must be the root of the mounted volume, it cannot be an arbitrary folder within a volume. .PARAMETER PercentFree A float representing the percentage of total volume space to leave free. The default is .05 (5%) .EXAMPLE PS> Write-ZeroesToFreeSpace -Root "c:\" This will create a file of all zeroes called c:\ThinSAN.tmp that will fill the c drive up to 95% of its capacity. .EXAMPLE PS> Write-ZeroesToFreeSpace -Root "c:\MountPoints\Volume1" -PercentFree .1 This will create a file of all zeroes called c:\MountPoints\Volume1\ThinSAN.tmp that will fill up the volume that is mounted to c:\MountPoints\Volume1 to 90% of its capacity. .EXAMPLE PS> Get-WmiObject Win32_Volume -filter "drivetype=3" | Write-ZeroesToFreeSpace This will get a list of all local disks (type=3) and fill each one up to 95% of their capacity with zeroes. .NOTES You must be running as a user that has permissions to write to the root of the volume you are running this script against. This requires elevated privileges using the default Windows permissions on the C drive. #> param( [Parameter(Mandatory=$true,ValueFromPipelineByPropertyName=$true)] [ValidateNotNullOrEmpty()] [Alias("Name")] $Root, [Parameter(Mandatory=$false)] [ValidateRange(0,1)] $PercentFree =.05 ) process{ #Convert the $Root value to a valid WMI filter string $FixedRoot = ($Root.Trim("\") -replace "\\","\\") + "\\" $FileName = "ThinSAN.tmp" $FilePath = Join-Path $Root $FileName #Check and make sure the file doesn't already exist so we don't clobber someone's data if( (Test-Path $FilePath) ) { Write-Error -Message "The file $FilePath already exists, please delete the file and try again" } else { #Get a reference to the volume so we can calculate the desired file size later $Volume = gwmi win32_volume -filter "name='$FixedRoot'" if($Volume) { #I have not tested for the optimum IO size ($ArraySize), 64kb is what sdelete.exe uses $ArraySize = 64kb #Calculate the amount of space to leave on the disk $SpaceToLeave = $Volume.Capacity * $PercentFree #Calculate the file size needed to leave the desired amount of space $FileSize = $Volume.FreeSpace - $SpacetoLeave #Create an array of zeroes to write to disk $ZeroArray = new-object byte[]($ArraySize) #Open a file stream to our file $Stream = [io.File]::OpenWrite($FilePath) #Start a try/finally block so we don't leak file handles if any exceptions occur try { #Keep track of how much data we've written to the file $CurFileSize = 0 while($CurFileSize -lt $FileSize) { #Write the entire zero array buffer out to the file stream $Stream.Write($ZeroArray,0, $ZeroArray.Length) #Increment our file size by the amount of data written to disk $CurFileSize += $ZeroArray.Length } } finally { #always close our file stream, even if an exception occurred if($Stream) { $Stream.Close() } #always delete the file if we created it, even if an exception occurred if( (Test-Path $FilePath) ) { del $FilePath } } } else { Write-Error "Unable to locate a volume mounted at $Root" } } }

Powershell ValidateNotNullOrEmpty Bug

2012-02-08T17:27:00.000-06:00

I was showing a co-worker how easy it is to ensure that the parameters to his script were actually being set using the [Parameter(Mandatory=$true)] and [ValidateNotNullOrEmpty()] decorators on his parameter declaration block, and we encountered a bug where he was able to pass an empty string as a parameter to his function and the validation did not catch it.

Reproduction Steps

In our search to explain what was going on, we located a couple of forum posts which led us to 2 bugs filed on connect that I believe are related to the same problem: 610176 and 677559.

Our steps mirrored 610176 almost exactly, so I'm going to copy the reproduction steps from that bug here, with a few changes.

001
002
003
004
005
006
007
008
009
010

Function test { param([Parameter(Mandatory=$true)] [ValidateNotNullOrEmpty()] $param ) $param.GetType().FullName "Entered: '$param'" [string]::IsNullOrEmpty($param) }

The expected result when you pass an empty string would be an error stating that the parameter failed vaildation, no matter how you generated that string:

PS> test ""
test : Cannot validate argument on parameter 'param'. The argument is null or empty. Supply an argument that is not null or empty and then try the command again.

However, when you call the function without any parameters, Powershell sees that you forgot a mandatory parameter and prompts you for a value. If you just press , the empty string incorrectly passes validation and your function is executed:

PS> test

cmdlet test at command pipeline position 1
Supply values for the following parameters:
param:<just press enter here>

System.String
Entered: ''
True

As you can see, the parameter is a string and it is an empty string, which should never have passed validation.

Explanation

Using Reflector, I tracked down the ValidateNotNullOrEmptyAttribute class (load System.Management.Automation from the GAC and then drill down to the System.Management.Automation namespace and then the Validate method on the ValidateNotNullOrEmptyAttribute class) and discovered the following code:


    ... (tests the arguments variable for null)

    str = arguments as string;
    if (str != null)
    {
        if (string.IsNullOrEmpty(str))
        {
            throw new ValidationMetadataException("ArgumentIsEmpty", null, "Metadata", ValidateNotNullOrEmptyFailure", new object[0]);
        }
    }
    else
    {

    ... (continues on to handle special cases for enumerable objects)

You can see they are using the C# as operator to attempt to convert the parameter into a string object. The problem is that Powershell uses an adaptive type system to work magic on some particularly annoying types (XML and WMI come to mind), and apparently the method that is reading the input when you forget to specify a mandatory parameter (and also the Read-Host cmdlet as demonstrated in 677559) are returning Powershell objects that look like strings, but aren't actual .Net strings.

Go Vote

If you're not a fan of this behavior, go vote for the bug on Connect. I've posted a comment with a link back to this post, so hopefully there is enough detail here to get the problem fixed in V3 :)

Digging Deeper

So I fired up Visual C# Express and wrote a little C# program that embeds a Powershell runspace and reproduces the problem, then extracts the variables and tests them in C# to see what types the objects really are. While I was testing different scenarios with my co-worker, I discovered you can also convert a string object to a Powershell adapted object by just referencing $MyString.PSBase, and this breaks ValidateNotNullOrEmpty just as badly as Read-Host, so I used this method in my C# application as it was easier to code than trying to work out how to get input from the C# console to the Powershell runtime properly.


using System;
using System.Collections.Generic;
using System.Text;
using System.Management.Automation;
using System.Management.Automation.Runspaces;

namespace ConsoleApplication1
{
  public class Program
  {
    public static void Main(string[] args)
    {
      using (Runspace rs = RunspaceFactory.CreateRunspace())
      {
        rs.Open();
        using (Pipeline pl = rs.CreatePipeline())
        {
          pl.Commands.AddScript("$str = \"\"");
          pl.Commands.AddScript("$pso = \"\"");
          pl.Commands.AddScript("$pso.psbase");
          pl.Invoke();
          Object oStr = rs.SessionStateProxy.GetVariable("str");
          Object oPso = rs.SessionStateProxy.GetVariable("pso");
          Console.WriteLine(string.Format("oStr type = {0}", oStr.GetType().FullName));
          Console.WriteLine(string.Format("oPso type = {0}", oPso.GetType().FullName));
          string sStr = oStr as string;
          if (sStr != null)
          {
            Console.WriteLine(string.Format("sStr.IsNullOrEmpty = {0}", string.IsNullOrEmpty(sStr)));
          }
          else
          {
            Console.WriteLine("oStr is not a string");
          }
          string sPso = oPso as string;
          if (sPso != null)
          {
            Console.WriteLine(string.Format("sPso.IsNullOrEmpty = {0}", string.IsNullOrEmpty(sPso)));
          }
          else
          {
            Console.WriteLine("oPso is not a string");
          }
        }
      }
    }
  }
}

The output is as follows:

oStr type = System.String
oPso type = System.Management.Automation.PSObject
sStr.IsNullOrEmpty = True
oPso is not a string

As you can see, the string->string conversion was successful (oStr->sStr variables), while the PSObject->string conversion was not (oPso->sPso). This results in the PSObject argument being treated as a regular object (which is not null) instead of a string, even though it is type-adapting a string object.

Casting Objects to Boolean in Powershell

2012-01-28T14:57:00.000-06:00

A question came up on the Powershell technet forum asking why an empty System.DirectoryServices.SearchResultCollection was evaluating to $true. The original post is HERE, but the gist of the question is this:

Why does an empty System.DirectoryServices.SearchResultCollection object evaluate to $true when used in an if statement (ie if($SearchResult)), but an empty System.Array and System.Collections.ArrayList both evaulate to $false?

I was aware that Powershell has some special rules for casting objects, but a search for exactly what those rule are only returned very generic terms for how collections were handled (ie this blog post and this book). Nothing specified exactly which types/interfaces were expanded as collections and which were not.

So I did a little digging and came up with the following...

The reason a SearchResultCollection evaluates to true even when it is empty is because it does not implement the IList interface:

PS> [System.DirectoryServices.SearchResultCollection].GetInterfaces()

IsPublic IsSerial Name
-------- -------- ----
True     False    ICollection
True     False    IEnumerable
True     False    IDisposable


PS> [System.Array].GetInterfaces()

IsPublic IsSerial Name
-------- -------- ----
True     False    ICloneable
True     False    IList
True     False    ICollection
True     False    IEnumerable


PS> [System.Collections.ArrayList].GetInterfaces()

IsPublic IsSerial Name
-------- -------- ----
True     False    IList
True     False    ICollection
True     False    IEnumerable
True     False    ICloneable

As you can see, both System.Array and System.Collections.ArrayList implement IList. This is apparently what Powershell uses to determine if it should "look inside" when it converts the object to a boolean.

You can see (what I think is) the proof of this if you load up Reflector (dotPeek, ILSpy, and JustDecompile are free alternatives)

Open System.Management.Automation from the GAC
Expand the System.Management.Automation namespace
Browse down to LanguagePrimitives
Browse down to the IsTrue(object obj) method and decompile it

In there you can see the algorithm (which I am assuming is being used in this case) that converts objects to boolean. The basic logic is:

If it is null, return $false
If it is a boolean, return the boolean
If it is a string, return $false if it is empty, else return $true
If it is a number, return $false if it is 0, else return $true
If it is a SwitchParameter, call its own ToBool() method
Convert it to an IList
1. If this conversion fails, return true (meaning it was an object that was not null, not any of the "special" things above, and not a list for PS to count)
2. If it is a list and has 0 elements, return $false
3. If it is a list and has 1 element, return the IsTrue(list[0]) value (ie recurse on the one element and return its value
4. If it is a list with more than 1 thing in it, return $true

As you can see, the Array and ArrayList fall into rules 6.ii-6.iv because they implement IList, whereas the SearchResultCollection falls into rule 6.i because it does not implement IList so the conversion to a list fails, which means it was a plain old non-null object which evaluates to $true in Powershell.

Adjusting Icinga-Web Session Timeout Values

2011-10-17T13:00:00.001-05:00

Icinga-Web is a more modern interface to Icinga (as opposed to the Icinga Classic interface that seeks to mimic the traditional Nagios web interface). A comparison of all three interfaces is provided at the Icinga site (https://www.icinga.org/nagios/webinterface/).
One thing you will quickly notice is that after 24 minutes, your session disappears and you are prompted to log in again. From a quick glance through the code it appears they are using a very heavy handed garbage collection where they delete any sessions that are older than the php configuration variable session.gc_maxlifetime. Out of the box (on our RedHat 5.7 distro) this is configured as 1440 (1440 seconds = 24 minutes). This means that NO session can live past 24 minutes, no matter how frequently you are using it.

How to Extend the Icinga-Web Session Timeout

There are two pieces to the Icinga-Web session: PHP max session lifetime variable and the Icinga-Web session cookie lifetime variable.

To adjust the PHP max session lifetime variable:

Open /etc/php.ini
Change the session.gc_maxlifetime value to something more appropriate

Setting the PHP max session lifetime to 0 will cause no sessions to be cleaned out of your database, which will eventually cause problems. Icinga really needs to patch this so that accessing the Icinga-Web site updates the session_modified value and then only do GC on stale sessions.

To adjust the Icinga-Web session cookie lifetime variable:

Open /usr/local/icinga-web/app/config/factories.site.xml
Adjust the <ae:parameter name="session_cookie_lifetime"> parameter to a more appropriate value

This value sets the lifetime of the cookie in your browser. Setting it to 0 will cause Icinga-Web to create a session cookie that will be valid for as long as your browser is open. This is a reasonable setting for your browser, but you will still be subjected to the PHP max lifetime value, so you will still experience timeouts.

Configuring Icinga Classic for Active Directory Authentication via IWA

2011-10-12T15:06:00.009-05:00

Out of the box, the Icinga Classic interface uses standard Apache .htaccess files (http://docs.icinga.org/1.5.0/en/cgiauth.html) to secure both the CGIs and the classic web interface. Living in an Active Directory world, I'm always looking for ways to integrate products with my existing AD credentials so I don't have to log in again. I decided our move from Nagios to Icinga was a good opportunity to figure out how achieve integrated Windows authentication (IWA) in Apache since we were having to figure out how to configure everything anyway.

To maintain my focus on this post, I'm not going to cover installing Icinga or configuring Kerberos on your Linux box. I'm also only covering instructions for RedHat 5.7. Most of my information was pulled from the Apache + Windows Kerberos tutorial found here: http://grolmsnet.de/kerbtut/

Example Configuration

Throughout this example, I'm going to use the following hypothetical configuration:

Icinga site = icinga.example.com
AD Domain FQDN = corp.example.com
AD Domain Netbios = ExampleCorp
icinga.example.com is an A record in DNS (important for IE spn building)
Apache Configuration = /etc/httpd/conf and /etc/httpd/conf.d
Apache User = apache
Apache Group = apache
My AD Credentials = ExampleCorp\cduck or cduck@corp.example.com

Create an AD Account

The first step is to create an account in AD for the site to use to validate credentials with. In this example, I'm going to use apache_icinga.example.com. The account is configured as follows in AD:

Full name: apache_icinga.example.com
User UPN logon: apache_icinga.example.com@corp.example.com
User SamAccountName: ExampleCorp\apache_icinga.exampl
Password Never Expires
Password: Pass1234

Generate a Keytab for the AD Account

This step will use the Windows command-line utility ktpass to generate a keytab file for the AD account so that the Linux server will have a valid private key for the account. This command was run on a Windows 2008 R2 server, alternate commands are available in the original tutorial: http://grolmsnet.de/kerbtut/. Note that this command should all be run on one line.

c:\ktpass -princ HTTP/icinga.example.com@CORP.EXAMPLE.COM -mapuser apache_icinga.example.com@CORP.EXAMPLE.COM -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -pass Pass1234 -out c:\icinga.example.com.keytab -setupn

The -setupn option above is important to include (and missing from the original tutorial) as it prevents ktpass from altering the account's userPrincipalName attribute. The remainder of this tutorial assume that the userPrincipalName has been preserved as above and not altered by ktpass.

You now need to copy the keytab file created above to your Icinga server. I recommend using PSCP (http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html), but you can do this however you want. I copied my keytab to /etc/httpd/conf as it will be referenced in the Apache.conf files that are living there.

Now you need to change the owner and permissions for the keytab to the apache user and group:

chown apache:apache /etc/httpd/conf/icinga.example.com.keytab
chmod 400 /etc/httpd/conf/icinga.example.com.keytab

Configure Apache to use Kerberos

Edit your icinga.conf apache file (mine is at /etc/httpd/conf.d/icinga.conf). You need to add the kerberos authorization module (http://modauthkerb.sourceforge.net/) and then configure the Icinga directories to use it for authentication. Here is my icinga.conf with the changes highlighted:

# SAMPLE CONFIG SNIPPETS FOR APACHE WEB SERVER
#
# This file contains examples of entries that need
# to be incorporated into your Apache web server
# configuration file. Customize the paths, etc. as
# needed to fit your system.
LoadModule auth_kerb_module modules/mod_auth_kerb.so
ScriptAlias /icinga/cgi-bin "/usr/lib64/icinga/cgi"
<Directory "/usr/lib64/icinga/cgi">
# SSLRequireSSL
Options ExecCGI
AllowOverride None
Order allow,deny
Allow from all
# Order deny,allow
# Deny from all
# Allow from 127.0.0.1
AuthName "Icinga Access"
# AuthType Basic
AuthType Kerberos
KrbAuthRealms CORP.EXAMPLE.COM
KrbServiceName HTTP/icinga.example.com@CORP.EXAMPLE.COM
Krb5Keytab /etc/httpd/conf/icinga.example.com.keytab
KrbMethodNegotiate on
KrbMethodK5Passwd on
# AuthUserFile /etc/icinga/htpasswd.users
Require valid-user

Alias /icinga "/usr/share/icinga/"
<Directory "/usr/share/icinga/"
# SSLRequireSSL
Options None
AllowOverride All
Order allow,deny
Allow from all
# Order deny,allow
# Deny from all
# Allow from 127.0.0.1
AuthName "Icinga Access"
# AuthType Basic
AuthType Kerberos
KrbAuthRealms CORP.EXAMPLE.COM
KrbServiceName HTTP/icinga.example.com@CORP.EXAMPLE.COM
Krb5Keytab /etc/httpd/conf/icinga.example.com.keytab
KrbMethodNegotiate on
KrbMethodK5Passwd on
# AuthUserFile /etc/icinga/htpasswd.users
Require valid-user

Restart Apache (/etc/init.d/httpd restart) and you should be able to authenticate via IWA to your Icinga site.

Grant IWA Credentials Access to the Icinga CGIs

mod_auth_kerberos will set your username to your userPrincipalName from AD. In my implementation, the entire userPrincipalName was converted to upper case, even though it wasn't set that way in Active Directory. So for this example my username according to Icinga would be CDUCK@CORP.EXAMPLE.COM. This is the value that you need to use to grant permissions in the Icinga CGIs (http://docs.icinga.org/1.5.0/en/cgiauth.html). In my case, my Icinga CGI config file was at /etc/icinga/cgi.cfg and I edited the following lines to grant my account access:

authorized_for_system_information=CDUCK@CORP.EXAMPLE.COM
authorized_for_configuration_information=CDUCK@CORP.EXAMPLE.COM
authorized_for_system_commands=CDUCK@CORP.EXAMPLE.COM
authorized_for_all_service_commands=CDUCK@CORP.EXAMPLE.COM
authorized_for_all_host_commands=CDUCK@CORP.EXAMPLE.COM

You'll want to read the Icinga documentation on the CGI authorization and determine what is appropriate for your environment.

***** Updated 3-24-2012 - The crypto parameter for the ktpass utility should read "RC4-HMAC-NT" as pointed out by reader Stefan. Thanks for the correction!

WCF REST Services on IIS7

2011-05-02T18:42:00.000-05:00

If you're using everything below:

A .svc file for activation, hosted locally (not over UNC) with or without fixed credentails
Windows Authentication

You will fall under the "NTFS ACL-based Authorization" rules in this document (http://technet.microsoft.com/en-us/library/dd163543.aspx ). If that is the case and you are developing a REST service, you will probably experience an Access Denied error the first time you try and PUT a new object (assuming your application doesn't have write access to its own code).

The NTFS ACL-based authorization is built in to the core of IIS 7 so there is no way to disable it, except for breaking one of the conditions that triggers it. The solution for me was to eliminate the physical file that my service was mapping to (ie my ServiceName.svc file). This is possible due to a new feature in .Net 4.0 called Configuration-Based Activation (CBA).

You can read a little bit about CBA and see the basic configuration here: http://blogs.msdn.com/b/rampo/archive/2009/10/27/activation-without-svc-files-config-based-activation-cba.aspx

This site has a full example of a service along with the full configuration: http://geekswithblogs.net/michelotti/archive/2010/08/21/restful-wcf-services-with-no-svc-file-and-no-config.aspx

Neither of these sites was enough to get my service working though. I had a service that was telling me it could not work with Windows authentication turned on and that I needed to enable Anonymous. The bit that I was missing from my config was this:

<system.serviceModel>

</security>

</binding>

</basicHttpBinding>

</bindings>

</system.serviceModel>

Which I found here: http://blogs.msdn.com/b/drnick/archive/2007/03/23/preventing-anonymous-access.aspx

At this point, I stopped getting errors, but my service only returned blank pages, not any data. The last piece was to configure my service activation element with the System.ServiceModel.Activation.WebServiceHostFactory like this:

<system.serviceModel>

<add

factory="System.ServiceModel.Activation.WebServiceHostFactory"
relativeAddress="ServiceName.svc"
service="Namespace.ServiceClass" />

</serviceActivations>

</serviceHostingEnvironment>

</system.serviceModel>

April MS Patch Issue

2011-04-26T18:24:00.000-05:00

After deploying our April patches we were having trouble with our Exchange servers, specifically our web mail servers were not responsive and we had high cpu utilization on all our Exchange (2010) boxes (sorry, I don't know exactly which process was going crazy with the CPU). In our initial troubleshooting, it was discovered that other symptoms were Event Viewer and Powershell both crashed immediately upon loading. This pointed us to KB2540222.

The problem turns out to be an older patch (979744) and there is also an easy way to detect the problem before the new patches cause it and a new version of 979744 that can be installed to prevent the issue.

I wrote the following quick script to check all servers on our network for the bad version of the patch so we could get them all updated during our maintenance window, even if we weren't experiencing a problem with them at the time. This script queries your Active Directory to locate servers to check and then uses your current credentials to make a remote registry query to check the keys listed in the KB for the broken version of the patch. It assumes that you only have server computer objects in your OU and that you aren't running IA-64 based servers (it only checks 2008 x86, 2008 x64, and 2008 R2 registry paths). The script displays the computers with the broken patch on the screen as well as saving them to the $broken variable.

001
002
003
004
005
006
007
008
009
010
011
012
013
014
015
016
017
018
019
020
021
022
023
024
025
026
027
028
029
030

$RootOU = "ou=servers,dc=contoso,dc=com" $Timeout = 100 $x86 = "SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB979744~31bf3856ad364e35~x86~~6.0.1.0" $x64 = "SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB979744~31bf3856ad364e35~amd64~~6.0.1.0" $r2 = "SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages\Package_for_KB979744~31bf3856ad364e35~amd64~~6.1.1.0" $ds = new-object DirectoryServices.DirectorySearcher $ds.filter = "(objectcategory=computer)" $ds.searchroot = [adsi]"LDAP://$RootOU" $computers = $ds.findall() | %{ $_.properties.cn[0] } $ping = new-object net.networkinformation.ping $broken = $computers | %{ $computer = $_ if($ping.send($_, $timeout).status -eq "Success") { $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey([Microsoft.Win32.RegistryHive]::LocalMachine, $computer) $x86, $x64, $r2 | %{ $key = $hklm.opensubkey($_) if($key) { if($key.getValue("currentstate") -eq 7) { Write-Host "$Computer is broken" $computer } } } } }

Once you have identified all the servers that need the new version of 979744, you can download it from the link above, making sure to grab the V2 version for your OS and architecture.

Convert a Windows SID from Binary to SDDL Form

2011-03-19T14:26:00.001-05:00

At work I had a problem that required me to decode a SID that was stored in a database in binary form in order to locate the user/group that it represented. It turns out this is fairly easy to do, but I couldn't find a Powershell solution online and the solutions in those "other" languages tended to be overly complicated.

Getting the Initial Data

The first task was to get from the binary data from SQL into an appropriate .Net object. Browsing through MSDN, it looks like System.Security.Principal.SecurityIdentifier would be a good choice :)

001
002
003
004

Add-PSSnapin SqlServerCmdletSnapin100 $binsid = (Invoke-SQLCmd "SELECT operators_sid FROM [FIMDatabase].[mms_server_configuration]").operators_sid $sid = new-object security.principal.securityidentifier($binsid, 0)

Converting From a SID to a Principal

Now that we have a SID object we can use that to convert the binary SID to a string and then use the string value to search either our local SAM database or an Active Directory Domain to locate the account the SID represents. For this task, I've written a script called Get-Principal.ps1:

<# .SYNOPSIS Gets a principal object from either an Active Directory Domain or a "local" SAM account database. This can be either a user or a group. Note that this is not a search function, you must fully specify a unique identifier for a principal. .DESCRIPTION Uses the System.DirectoryServices.AccountManagement namespace introduced in .Net 3.5 to locate a principal object. Can bind on any property in the System.DirectoryServices.AccountManagement.IdentityType enumeration (SamAccountName, Name, UserPrincipalName, DistinguishedName, Sid (in SDDL form), or Guid). .PARAMETER Identity The value to match on as a string. Should be one of the following: SamAccountName (Administrator) Name (Smith) UserPrincipalName (user@domain.com) DistinguishedName (cn=smith,ou=users,dc=domain,dc=com) Sid (S-1-5-32-544) Guid (0d15a1bb-dbec-4855-b949-25999828c24c) .PARAMETER DomainName The domain name to query. If none of DomainName, ComputerName, or Local are specified, the default domain is queried. This can be specified as the NetBIOS name or FQDN of the domain. .PARAMETER ComputerName The name of the computer to query. .PARAMETER Local Query the local computer. .EXAMPLE Get the Administrators group on the local computer. .\Find-Principal.ps1 Administrators -local .EXAMPLE Get a principal for a user named jsmith on the default domain. .\Find-Principal.ps1 jsmith .EXMAPLE Get the user with sid S-1-5-21-654981354-654786135-6565798-327 on the domain example.com. .\Find-Principal.ps1 "S-1-5-21-654981354-654786135-6565798-327" -domain "example.com" .NOTES This function requires .Net 3.5 or greater. #> [CmdletBinding(DefaultParametersetName="Domain")] Param( [Parameter(Position=0, ValueFromPipeline=$true, Mandatory=$true)] $Identity, [Parameter(ParameterSetName="Domain")] $DomainName, [Parameter(ParameterSetName="Computer")] $ComputerName, [Parameter(ParameterSetName="Computer")] [switch]$Local ) if(![reflection.assembly]::LoadWithPartialName("System.DirectoryServices.AccountManagement")) { throw ".Net 3.5 required to run Find-Principal" } switch ($PsCmdlet.ParameterSetName) { "Domain" { if($DomainName) { $ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext([System.DirectoryServices.AccountManagement.ContextType]::Domain, $DomainName) } else { $ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext([System.DirectoryServices.AccountManagement.ContextType]::Domain) } } "Computer" { if($ComputerName) { $ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext([System.DirectoryServices.AccountManagement.ContextType]::Machine, $ComputerName) } else { $ctx = New-Object System.DirectoryServices.AccountManagement.PrincipalContext([System.DirectoryServices.AccountManagement.ContextType]::Machine, $env:computername) } } } return [System.DirectoryServices.AccountManagement.Principal]::FindByIdentity($ctx, $identity)

Now we can take the string SID from $sid.ToString() and resolve the SID to either an account or group on the domain:

.\Get-Principal.ps1 $sid.ToString()

or on the local computer:

.\Get-Principal.ps1 $sid.ToString() -Local

Converting a Principal Back to a Binary SID

Going the other way is just as simple... there is a method on System.Security.Principal.SecurityIdentifier called GetBinaryForm that takes a byte array and populates it with the binary SID. You just have to make sure that you create an empty byte array with enough space to hold the SID:

#Get the SID for the local Administrators group as an example
$sid = (.\Get-Principal "Administrators" -local).sid

#Create a byte array long enough to hold the whole SID
$BinarySid = new-object byte[]($sid.BinaryLength)

#Copy the binary sid into the byte array, starting at index 0
$sid.GetBinaryForm($BinarySid, 0)

$BinarySid
1
2
0
0
0
0
0
5
32
0
0
0
32
2
0
0

Saving it Back to SQL

To bring this example back around full circle, the last bit is to save the new binary SID back into the database:

#Create a template string to perform the update in SQL, in my case there is only 1 row in the table so it is easy
$SQLUpdate = "UPDATE [FIMDatabase].[mms_server_configuration] set [operators_sid] = {0}"
Invoke-SQLCmd ($SQLUpdate -f $BinarySid)

I'll talk about why I'm actually doing all this in another post.

Issues With Configuring Powershell ExecutionPolicy via Group Policy

2010-09-24T15:38:00.001-05:00

When you publish an ExecutionPolicy for Powershell via Group Policy, several issues will crop up. The first I came across is that it breaks several of the Best Practices Analyzers. The second is that it breaks some of the Exchange 2010 installers.

You can reproduce this error on 2008 R2 with IIS or the File Services role installed:

Make sure your ExecutionPolicy is only defined locally:

PS> Set-ExecutionPolicy RemoteSigned -Force
PS> Get-ExecutionPolicy -List
    MachinePolicy = Undefined
    UserPolicy = Undefined
    Process = Undefined
    CurrentUser = Undefined
    LocalMachine = RemoteSigned

Run the IIS or File Services BPA, this should be successful

Set the ExecutionPolicy in your Local Computer Policy:

Open Local Policy Editor, browse to Local Computer Policy> Computer Configuration> Administrative Templates> Windows Components> Windows Powershell. Enable "Turn on Script Execution" and set the policy to "Allow local scripts and remote signed scripts".

Verify that your ExecutionPolicy is now defined as a Group/Local Policy:

PS> Get-ExecutionPolicy -List
    MachinePolicy = RemoteSigned
    UserPolicy = Undefined
    Process = Undefined
    CurrentUser = Undefined
    LocalMachine = RemoteSigned

Run IIS or File Services BPA, this fails with:

There has been a Best Practice Analyzer engine error for Model ID:'Microsoft/Windows/FileServices' during execution of the Model. (Inner Exception: One or more model documents are invalid: {0} Discovery exception occurred proccessing file '{0}'.
Windows PowerShell updated your execution policy successfully, but the setting is overridden by a policy defined at a more specific scope. Due ot the override, your shell will retain its current effective execution policy of "RemoteSigned".

Rather than constantly have to move our Exchange servers in and out of the GPO, I decided to fix our issue by switching over to a Group Policy Preference that sets the same registry key as if you had typed Set-ExecutionPolicy RemoteSigned at the command prompt.

Open Group Policy Management Editor

Browse to Computer Configuration> Preferences>Windows Settings> Registry

Right click and create a new registry item:

Action: Update
Hive: HKEY_LOCAL_MACHINE
Key Path: SOFTWARE\Microsoft\PowersShell\1\ShellIds\Microsoft.PowerShell
Value name: ExecutionPolicy
Value type: REG_SZ
Value data: RemoteSigned

Now create a second registry item that will cover 32-bit Powershell on 64-bit machines:

Action: Update
Hive: HKEY_LOCAL_MACHINE
Key Path: SOFTWARE\Wow6432Node\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell
Value name: ExecutionPolicy
Value type: REG_SZ
Value data: RemoteSigned

On the "Common" tab...
Check Item-level targeting
Press the "Targeting" button
Create a new "Environment Variable" item
Name: PROCESSOR_ARCHITECTURE
Value: AMD64

Verify that only the local settings are being applied and that the preference will reset the value if a user changes it:

PS> Set-ExecutionPolicy Undefined -Force
PS> Get-ExecutionPolicy -List
    MachinePolicy = Undefined
    UserPolicy = Undefined
    Process = Undefined
    CurrentUser = Undefined
    LocalMachine = Undefined
PS> gpupdate /force /target:computer
PS> Get-ExecutionPolicy -List
    MachinePolicy = Undefined
    UserPolicy = Undefined
    Process = Undefined
    CurrentUser = Undefined
    LocalMachine = RemoteSigned

Note that this method does require the Group Policy Preferences Client to be installed on XP/Vista/2003 (it is included in Win7/2008/2008 R2) and be aware that an administrative user can easily override the ExecutionPolicy setting until Group Policy is applied again (although they could also override the Group Policy setting since they are admin, just not as easily).

The Case of the Silverlight Video Lockup

2010-06-30T22:48:00.001-05:00

I came home to a computer unwilling to play video today. Netflix would launch the silverlight player, determine my video quality, buffer 5-30% of the video, then hard hang my computer. I couldn't even get CrashOnCtrlScroll to work so I could try using WinDbg to determine what was causing the hang.

After uninstalling loads of software and drivers (I had recently installed the Silverlight SDK, so I thought maybe that had something to do with it), I ended up in the system event log where I noticed this event:

Unused media renderer devices were not removed from the list of devices because required DRM components cannot run while a debugger is attached. Detach the debugger from the machine or from the WMPNetworkSvc service, and then restart the WMPNetworkSvc service.

Log Name: System

Source: Windows Media Player Network Sharing Service

Event ID: 14105

Level: Warning

OpCode: Info

At this point, I connected the dots that last night I had enabled live kernel debugging (bcdedit /debug on) while working through one of the examples in Windows® Internals, 5^th Edition (great book btw). Disabling debugging and rebooting solved the hang.

Apparently kernel debugging is the sworn enemy of watching 30 Rock on Netflix and Silverlight protects the content by hanging my computer. Thanks a lot DRM.

Querying Peak Commit Bytes with Powershell (via NtQuerySystemInformation)

2010-05-12T19:34:00.000-05:00

One of the more interesting values to determine how much memory to allocate a machine is the Peak Committed Bytes. This value is available as "Commit Charge (K) - Peak" from Windows 2003 Task Manger and from Sysinternals Process Explorer and is a good representation of the maximum amount of memory that has been used at once since the computer was last rebooted. Wikipedia has more details about the Commit Charge numbers if you want to read more.

The current committed bytes and current commit limit are both available as memory performance counters and can be accessed using the WMI class Win32_PerfFormattedData_PerfOS_Memory^[1] as CommitLimit and CommittedBytes. Unfortunately, Microsoft has not provided a performance counter for the peak committed bytes. In fact, the only way I have been able to locate this counter is through the undocumented^[2] NtQuerySystemInformation function of ntdll.dll.

Powershell can be used to call unmanaged APIs as described in PowerShell P/Invoke Walkthrough by Lee Holmes. I used the information in Lee's post as well as the examples on www.pinvoke.net and the python solution by Mike Driscoll at Python: Finding the Commit Charge Values in Windows to construct the following Powershell script to query for the committed bytes peak value:

<# .SYNOPSIS Returns the PeakCommitment value using NtQuerySystemInformation .DESCRIPTION Uses p/Invoke to query the undocumented (unsupported) NtQuerySystemInformation function in ntdll.dll. .NOTES Author : Chris Duck Name : Get-CommittedBytesPeak.ps1 .LINK http://blog.whatsupduck.net .INPUTS None .OUTPUTS The value of committed bytes peak in bytes. .EXAMPLE get-committedbytespeak.ps1 Returns the value for committed bytes peak on the local machine. .EXAMPLE [string]::format("{0:#,#}Kb", (.\get-committedbytespeak.ps1) / 1KB) Formats the value for committed bytes peak on the local machine as 8,301,621Kb. .EXAMPLE Invoke-Command remoteserver -FilePath .\get-committedbytespeak.ps1 Returns the value for committed bytes peak on a remote machine named "remoteserver". #> $sig = @' [StructLayout(LayoutKind.Sequential)] public struct SYSTEM_PERFORMANCE_INFORMATION { public Int64 IdleTime; public Int64 ReadTransferCount; public Int64 WriteTransferCount; public Int64 OtherTransferCount; public uint ReadOperationCount; public uint WriteOperationCount; public uint OtherOperationCount; public uint AvailablePages; public uint TotalCommittedPages; public uint TotalCommitLimit; public uint PeakCommitment; public uint PageFaults; public uint WriteCopyFaults; public uint TransitionFaults; public uint Reserved1; public uint DemandZeroFaults; public uint PagesRead; public uint PageReadIos; public ulong Reserved2; public uint PagefilePagesWritten; public uint PagefilePageWriteIos; public uint MappedFilePagesWritten; public uint MappedFilePageWriteIos; public uint PagedPoolUsage; public uint NonPagedPoolUsage; public uint PagedPoolAllocs; public uint PagedPoolFrees; public uint NonPagedPoolAllocs; public uint NonPagedPoolFrees; public uint TotalFreeSystemPtes; public uint SystemCodePage; public uint TotalSystemDriverPages; public uint TotalSystemCodePages; public uint SmallNonPagedLookasideListAllocateHits; public uint SmallPagedLookasideListAllocateHits; public uint Reserved3; public uint MmSystemCachePage; public uint PagedPoolPage; public uint SystemDriverPage; public uint FastReadNoWait; public uint FastReadWait; public uint FastReadResourceMiss; public uint FastReadNotPossible; public uint FastMdlReadNoWait; public uint FastMdlReadWait; public uint FastMdlReadResourceMiss; public uint FastMdlReadNotPossible; public uint MapDataNoWait; public uint MapDataWait; public uint MapDataNoWaitMiss; public uint MapDataWaitMiss; public uint PinMappedDataCount; public uint PinReadNoWait; public uint PinReadWait; public uint PinReadNoWaitMiss; public uint PinReadWaitMiss; public uint CopyReadNoWait; public uint CopyReadWait; public uint CopyReadNoWaitMiss; public uint CopyReadWaitMiss; public uint MdlReadNoWait; public uint MdlReadWait; public uint MdlReadNoWaitMiss; public uint MdlReadWaitMiss; public uint ReadAheadIos; public uint LazyWriteIos; public uint LazyWritePages; public uint DataFlushes; public uint DataPages; public uint ContextSwitches; public uint FirstLevelTbFills; public uint SecondLevelTbFills; public uint SystemCalls; } [DllImport("ntdll.dll")] public static extern int NtQuerySystemInformation( uint SYSTEM_INFORMATION_CLASS, ref SYSTEM_PERFORMANCE_INFORMATION returnStruct, uint length, ref uint returnLength); '@ Add-Type -MemberDefinition $sig -Name NTDLL -Namespace Win32 > $null $out = New-Object Win32.NTDLL+SYSTEM_PERFORMANCE_INFORMATION $outlen = New-Object int [Win32.NTDLL]::NtQuerySystemInformation(2, [ref]$out, [System.Runtime.InteropServices.Marshal]::SizeOf($out), [ref]$outlen) > $null return $out.PeakCommitment * 4096

As shown in the examples included in the script, this can be used with Invoke-Command to run on remote servers. It could even be combined with Win32_OperatingSystem.TotalVisibleMemorySize^[3] to determine if a server has enough (or too much) memory allocated to it. Just remember that the counter starts over every time the server is rebooted, so make sure there has been plenty of time since the last reboot when you are reading this number or it may not be an accurate reflection of all of the server's workloads.

[1] Win32_PerfFormattedData_PerfOS_Memory on MSDN
[2] NtQuerySystemInformation on MSDN
[3] Win32_OperatingSystem on MSDN

Using MSBuild to Maintain Powershell Modules

2010-05-02T03:36:00.010-05:00

The Problem

One of the challenges faced when developing scripts that will be used from other scripts is keeping the library script updated. Frequently the file is copied from the folder it was developed in to the folders containing the scripts that depend on it. This is a good way to make sure that the dependency follows the main script if it is moved, but creates multiple copies of the library script that are unlikely to be updated if a bug is fixed or an improvement made.

The Goal

Ideally, there would be a way to link the library script to the dependent scripts, without actually having to keep a copy of it in the folder. This would allow a single place to update all of the scripts and still maintain the dependencies with the main scripts.

The Solution - MSBuild

This solution will establish a workspace where all development of scripts occurs and then use MSBuild (included in the .NET framework) to deploy the scripts to a release folder. The build process will copy all of the dependencies of the scripts into their local folders so the folder can then be moved to another computer and all of the dependencies will be packaged together.

This also works well if there is a source control system maintaining the master copy of all the scripts. The workspace can be set as the base folder for the source control system and then only a single copy of each file is included in source control.

Environment and Directory Layout

The easiest way to run a build is to add msbuild.exe to the PATH environment variable and call it from a folder containing a .proj file. This will invoke the default target in the .proj file and doesn't require any parameters to be passed to msbuild. Msbuild.exe is included in the v2.0.50727 and v3.5 framework folders, usually located at C:\windows\Microsoft.NET\Framework. Here is a batch file that can be run easily from explorer to run a build in its current folder:

@echo off
set path=%path%;c:\windows\Microsoft.Net\Framework\v3.5;

msbuild
pause

Here is some powershell that will locate the path for .NET 3.5 for you:

get-itemproperty "HKLM:\Software\Microsoft\NET Framework Setup\NDP\v3.5").InstallPath

The variable $ws will be used to represent the workspace throughout this post. This is where the master copy of the scripts are kept (if using a source control system, this would be where files are checked out to). As an example, it could be set as follows:

$ws = c:\users\cduck\documents\scripts

The following folder structure is used within the workspace:

$ws\Release
This will be the default output folder and is excluded from source control. This folder is designed to be copied to c:\scripts and to have c:\scripts\modules added to your $env:PSModulePath. It will be automatically created by the MSBuild target.
$ws\ThirdPartyLibs
This is for 3rd party libraries, like binaries or .NET assemblies and is under source control. There will be a separate folder under here for each library that will be linked to from scripts and modules.
$ws\src
This is where working copies of scripts and modules are saved and is under source control.
$ws\src\Modules
Each module gets a new folder under $ws\src\Modules\
$ws\src\Scripts
Single scripts can go in this root, or collections of scripts can be put in sub-folders here.

Configure the Main MSBuild Project File^[5]

The main build process is controlled by a MSBuild project file in the workspace root, $ws\msbuild.proj. This file is configured to search the $ws\src\Modules\* folders and $ws\src\Scripts\* folders for any msbuild.proj files (recursing only one folder deep) and run the default target for each of those files. It also overrides the OutputDirectory property of each of these build files to force the build output to $ws\Release\Modules for modules or $ws\ for scripts.

The contents of $ws\msbuild.proj ^[2][3][4] are:

<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<PropertyGroup>
<OutputDirectory>$(MSBuildProjectDirectory)\Release</OutputDirectory>

<ModuleOutputDirectory>$(OutputDirectory)\Modules</ModuleOutputDirectory>

<ScriptOutputDirectory>$(OutputDirectory)</ScriptOutputDirectory>
</PropertyGroup>

<ItemGroup>
<ModuleBuilds Include="src\Modules\*\msbuild.proj" />

<ScriptBuilds Include="src\Scripts\*\msbuild.proj" />

<ScriptFiles Include="src\Scripts\**\*.*" />
</ItemGroup>

<Target Name="ModuleBuild">
<MSBuild
Projects="@(ModuleBuilds)"

Properties="OutputDirectory=$(ModuleOutputDirectory)"
/>
</Target>

<Target Name="ScriptBuild">
<Copy
SourceFiles="@(ScriptFiles)"

DestinationFiles="@(ScriptFiles->'$(ScriptOutputDirectory)\%(RecursiveDir)%(Filename)%(Extension)')"
/>

<MSBuild
Projects="@(ScriptBuilds)"

Properties="OutputDirectory=$(ScriptOutputDirectory)\%(RecursiveDir)"
/>
</Target>

<Target Name="Build">
<CallTarget Targets="ModuleBuild;ScriptBuild" />
</Target>

<Target Name="Clean">
<RemoveDir
Directories="$(OutputDirectory)"
/>
</Target>
</Project>

This file can be invoked by calling msbuild.exe^[1] with your current directory set to your workspace ($ws), or by creating a file $ws\build.cmd with the contents from above in it and double clicking on it.

This build file defines a base output directory as "a folder called 'Release' that is a sub-folder of the parent folder of the build file" and saves it in the OutputDirectory parameter. This can be overridden on the command line using msbuild.exe /p:OutputDirectory=c:\scripts. It also defines the parameters 'ModuleOutputDirectory' as a 'Modules' sub-folder of the main output directory and 'ScriptOutputDirectory' as the same folder as the main output directory.

This source folder structure:

$ws\src\Scripts\script1.ps1
$ws\src\Scripts\Nested\nestedScript1.ps1
$ws\src\Modules\Module1\Module1.psm1

Will be output as follows:

$ws\Release\script1.ps1
$ws\Release\Nested\nestedScript1.ps1
$ws\Release\Modules\Module1\Module1.psm1

As you can see, this allows the contents of $ws\Release to be directly copied to c:\scripts, or you can use the command line parameter above to set the output to c:\scripts directly.

Including a Custom MSBuild Project for a Module or Script Folder

The whole point of this exercise is to allow a script or third party assembly/executable to be included in a module or script folder without having to create multiple copies of it in the source control system, but so far all we have is a way to recreate the directory structure of the $ws\src\scripts folder. The magic of using MSBuild to accomplish this is in chaining project definitions contained in each module or script sub-folder to the main build definition.

To add pscp.exe from $ws\ThirdPartyLibs\PuTTY to the scripts contained in $ws\src\Scripts\Linux, create the following msbuild.proj in $ws\src\Scripts\Linux:

<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup>
<tplibs Include="..\..\..\ThirdPartyLibs\PuTTY\pscp.exe" />
</ItemGroup>

<Target Name="Build">
<Copy
SourceFiles="@(tplibs)"

DestinationFolder="$(OutputDirectory)"
/>
</Target>
</Project>

Since the entire contents of $ws\src\Scripts will be copied to the output folder by the main msbuild.proj file ($ws\msbuild.proj), all that is needed in the $ws\src\Scripts\Linux\msbuild.proj file is any dependency that needs to be added from outside of this folder. This could even include scripts from other folders if you have some utility scripts that are used by other scripts. If there are no outside dependencies, a msbuild.proj file does not need to be created.

Here is another example that copies $ws\src\Scripts\new-share.ps1 and $ws\src\Scripts\DNS\set-cname.ps1 to $ws\src\Scripts\IIS so that a script located there (maybe new-iissite.ps1) can use them to create a share and add a new CNAME record to DNS for the site:

<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<ItemGroup>
<tplibs Include="..\new-share.ps1;..\DNS\set-cname.ps1" />
</ItemGroup>

<Target Name="Build">
<Copy
SourceFiles="@(tplibs)"

DestinationFolder="$(OutputDirectory)"
/>
</Target>
</Project>

Now there is only one copy of new-share.ps1 and set-cname.ps1 in the source control system, but they are copied to the IIS folder to fulfill dependencies for the new-iissite.ps1 file in that folder.

Modules will use a similar technique, but the msbuild.proj files have been crafted slightly differently to allow a module to be built independently. The script version of the msbuild.proj file could be modified to work like modules or vice-versa if so desired.

Here is the contents of $ws\src\Modules\Linux\msbuild.proj that will be used to copy the module and add $ws\ThirdPartyLibs\PuTTY\pscp.exe to this module:

<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
<PropertyGroup>
<ModuleName>Linux</ModuleName>

<OutputDirectory>..\..\..\Release\Modules</OutputDirectory>
</PropertyGroup>

<ItemGroup>
<tplibs Include="..\..\..\ThirdPartyLibraries\PuTTY\pscp.exe" />

<ModuleFiles Include="**\*.*" Exclude="**\msbuild.proj" />
</ItemGroup>

<Target Name="Build">
<Copy
SourceFiles="@(tplibs)"

DestinationFolder="$(OutputDirectory)\$(ModuleName)"
/>

<Copy
SourceFiles="@(ModuleFiles)"

DestinationFolder="$(ModuleFiles->'$(OutputDirectory)\$(ModuleName)\%(RecursiveDir)%(Filename)%(Extension)')"
/>
</Target>

<Target Name="Clean">
<RemoveDir
Directories="$(OutputDirectory)\$(ModuleName)"
/>
</Target>
</Project>

Placing the recursive file copy task in the module's msbuild.proj file and including a default OutputDirectory property allows the module to be built alone. The msbuild.proj file that was used in a script folder above only copied dependencies. The module version could be used in a script folder, allowing that script folder to be built on its own, but then the full build process would be doing double file copies.

Summary

This post shows two examples of how to configure a simple MSBuild project to enable a single master copy of scripts to be maintained and then meshed together to build folders with local copies of any dependencies for each script. MSBuild is a very robust build system and these examples can be extended to do much more.

^[1] MSBuild Command Line Reference
^[2] MSBuild Project File Schema Reference
^[3] MSBuild Task Reference
^[4] MSBuild Reserved Properties Reference
^[5] MSBuild: Basics Tutorial by Brennan Stehling

Kerberos Authentication in IIS and IE

2010-04-23T00:17:00.010-05:00

What is Kerberos

Kerberos authentication is very useful when you need to impersonate the end user's credentials to access another system. This is also known as a double-hop authentication. The alternative to implementing Kerberos on the initial request is to enable constrained delegation with protocol transition. This will enable the client (IE) to fall back to NTLM authentication to the server (IIS) and then the server will transition the authentication token to Kerberos to pass along to the back end systems (SQL, SSRS, web services, cifs, etc). Constrained delegation can be hard to implement and maintain as you have to approve each allowed back end service the front end server is allowed to delegate to, but this is also more secure as your credentials cannot be delegated to any random service on the network.

This post is going to cover the basics of getting Kerberos working and the speed bumps I have encountered in my implementations at work. If you want to learn the details behind what is going on, I recommend you read the series posted by Ken Shaefer on his blog, starting with What is Kerberos and how does it work?.

Configuring Kerbros on IIS

Initially, you need to determine two pieces of information to successfully implement Kerberos:

What is the URL my service will be exposed at?
For example: http://www.example.com
What is the account the service will be running as?
For example: corp.example.com\wwwPool

Determining the SPN

The URL will be used to construct the Service Principal Name (SPN) for your service. This will be used by the KDC (a Domain Controller in AD) to locate the service account that is running your site. In my example above, IE will generate an SPN like this:

HTTP/www.example.com

Some things to watch out for here are:

If your page is hosted on a non-standard port (not 80 or 443), out of the box IE will ignore the port when generating the SPN. This means you cannot have 2 websites running on the same DNS name and different application pool identities, unless you implement KB 908209 on all of your IE clients who will be accessing your site. If you are running IE6, you have to make sure your version includes the hotfix listed in the KB before it will read the registry keys. All later versions already include the hotfix, but you still have to apply the registry key changes listed in the KB as the default behavior is still to ignore the port. I do not have any information on how other browsers construct their SPNs.
You cannot use a CNAME record for your DNS entry without applying the registry changes in KB 911149 (IE6 also requires the hotfix, newer versions already have the patch included). This is because IE will use the A Name that the CNAME is pointing to when it constructs the SPN. You can see this in action by disabling IWA and browsing to the site. On the credential prompt you will see the server listed as the A Name instead of the correct CNAME record. You can either apply this KB or use an A Name record to work around this issue.

Assigning the SPN to the Correct Account

The next piece of the puzzle is the account you are running the site as. Kerberos is designed to ensure the identity of the user to the server AND the server to the user. This requires an administrator to link the service (site) to the account that is supposed to be running that service, which is done by setting an SPN on the application pool identity account. The SPN needs to match the one IE will generate exactly so the correct account can be located in AD.

If you are running this site on multiple servers (ie behind a load balancer or using round-robin DNS), you have to setup a domain service account because the two-way authentication requires the service (your site) maps to a single service account, not to two different machine accounts.
Since I used a domain account in my example above, I would use the following command to create my SPN ^[1]:

setspn.exe -s HTTP/www.example.com corp.example.com\wwwPool

If you have applied KB 908209 and are running your site on a non-standard port, you would use:

setspn.exe -s HTTP/www.example.com:8080 corp.example.com\wwwPool

When setting an SPN, you need to make sure you have not created a duplicate, as this leaves the KDC (DC in AD) unable to locate the correct account to encrypt the tokens for and will cause kerberos authentication to fail. Newer versions of setspn.exe have the -s and -x switches to help you locate duplicate SPNs. You may also need to do a forest wide search using the -f parameter.

If your site is running on the same DNS name as your server AND your site is running as Network Service, you do not need to create an SPN as the KDC will fail back to the host SPN for the computer (ie HOST/wfe1.corp.example.com), which is automatically set on the machine account when it joins the domain.

Configuring IIS/Asp.NET/IE

The last step is to make sure the site has "Integrated Windows Authentication"^[3] enabled and that your IE is showing "Local Intranet" for your zone and that "Automatic Login" is enabled for the zone. An important note to consider in IIS7+ is that when you enable "Integrated Windows Authentication", you also need to determine if you need to leave kernel mode authentication enabled. By default, IWA in IIS7 assumes your site will be running under the Network Service account which would require your SPN to be set on the machine account. If you set an SPN on a domain account, you will need to click the "Advanced Settings" link and un-check (disable) kernel mode authentication^[3] on your site. This will cause the Kerberos tokens to be processed by the application pool account instead of the machine account.

At this point you should be able to authenticate to your web server using Kerberos. You can verify that you are using Kerberos by checking your security log and look for event 4624 with the "Authentication Package" field set to Kerberos.

Delegation

Now that you are successfully authenticating using Kerberos, you may want to pass those credentials on to the next tier of your application. You'll need to open up Users and Computers and locate the service account. This is the account that you set the SPN on, in my example above it would be the corp.example.com\wwwPool account. You should now have a "Delegation" tab available (this tab only shows up when an SPN is set on an account). You will need to enable one of the "Trust this user for delegation" settings, you can read about Simple Delegation and Constrained Delegation at Ken's blog, but the easiest setting to make here would be to enable delegation to any service. This will allow your site to delegate a user's credentials to any other service running in environment. If you want to restrict where the delegated credentials can go, you will want to read about constrained delegation.

The final setting you need to make to enable delegation is in your application. You can either set the entire web application to run using the end user's credentials via the "ASP.Net Impersonation" setting in the "Authentication" module of IIS manager ^[2], or use the instructions in the section titled Impersonate the Authenticating User in Code in KB 306158 to only impersonate the user in specific code sections in your site.

^[1] I'm assuming you are using setspn from Vista or newer, if not use "-a" instead of "-s". The "-s" switch searches for an existing SPN to help prevent duplicates from being set.
^[2] This sets the <identity> tag in your web.config file to enable impersonation. Full documentation can be found on MSDN.
^[3] While this setting can be set in the IIS manager, in IIS7+ the default configuration is for this setting to be saved in the application's web.config file.

(Not) Using PowerShell v2 to View WSMan Data From ESX

2009-09-16T21:57:00.006-05:00

Today I was trying to get at my "Health Status" data on my ESX servers though PowerShell using the tutorial posted on the PowerCLI Blog (http://blogs.vmware.com/vipowershell/2009/03/monitoring-esx-hardware-with-powershell.html), but I kept getting an "Access Denied" message. I did a little more research into using WSMan in PowerShell and discovered that before V2, there was a way to use a COM object to query WSMan that gave you a little more control over the connection (http://technet.microsoft.com/en-us/magazine/2007.11.heyscriptingguy.aspx).

Here is a PowerShell script based on the PowerCLI script that uses the COM object from the Scripting Guy article (it assumes you're already connected to your Virtual Center server):

001
002
003
004
005
006
007
008
009
010
011
012
013
014
015
016
017
018
019
020

$vmhost = get-vmhost "" $view = get-view $vmhost.id $token = $view.acquireCimServicesTicket().sessionId $uri = "https:///wsman" $object = "http://schemas.dmtf.org/wbem/wscim/1/cim-schema/2/CIM_NumericSensor" $wsman = new-object -com WSMan.automation $options = $wsman.createConnectionOptions() $options.username = $token $options.password = $token $flags = $wsman.sessionFlagUseBasic() -bor $wsman.sessionFlagCredUserNamePassword() -bor $wsman.sessionflagskipcacheck() -bor $wsman.sessionflagskipcncheck() -bor $wsman.sessionflagskiprevocationcheck() $session = $wsman.createSession($uri, $flags, $options) $result = $session.enumerate($object) $xml = while(!$result.atendofstream) { $result.readitem() }

This proved that it was possible to pull this data from Windows, but I wanted to use my shiny new v2 cmdlets to do it (plus I wanted objects instead of XML that I was having problems casting without modification).

My next step was to sniff the network from my workstation and see exactly what Get-WSManInstance was passing to the ESX server for the username and password. That involved locating a version of Wireshark that had the SSL decryption libraries enabled (I'm using x64 Windows 7) and copying the private key from the ESX server to my workstation.

After installing many different versions of Wireshark (1.2.2 for x86 worked) , I discovered that OpenWSMan logs authentication messages (that include the username) to /var/log/messages on the ESX server. Either way you decide to go, what you will find is that Get-WSManInstance is pre-pending a "\" before the username:

Sep 16 21:34:00 xvhalp22 openwsman(pam_unix)[12388]: bad username [\5297c1ab-ecf9-43c1-6b4a-cb7dce63d813]

I decided to try and determine if the Powershell cmdlet was the culprit or if it was the .Net implementation of WSMan that was adding the extra character, so I did a little searching and came across this blog post that includes a function that allows you to pipe a cmdlet to it and it will locate the appropriate class and DLL and then load it up in Reflector (http://www.nivot.org/2008/10/30/ATrickToJumpDirectlyToACmdletsImplementationInReflector.aspx). The command would be:

001	get-command Get-WSManInstance \| Reflect-Cmdlet

What I found after a little digging is that in the CreateSessionObject function of the WSManHelper class, they are setting the credentials as follows:

001
002
003
004
005
006
007
008
009
010
011
012
013
014
015
016
017
018
019
020
021
022
023

if (credential != null) { NetworkCredential networkCredential = new NetworkCredential(); if (credential.get_UserName() != null) { networkCredential = credential.GetNetworkCredential(); if (string.IsNullOrEmpty(networkCredential.Domain)) { if (authentication.Equals(AuthenticationMechanism.Digest)) { connectionOptions.UserName = networkCredential.UserName; } else { connectionOptions.UserName = @"\" + networkCredential.UserName; } } else { connectionOptions.UserName = networkCredential.Domain + @"\" + networkCredential.UserName; } connectionOptions.Password = networkCredential.Password; if ((!authentication.Equals(AuthenticationMechanism.Credssp) || !authentication.Equals(AuthenticationMechanism.Digest)) || authentication.Equals(AuthenticationMechanism.Basic))

I think line 15 is the cause of my problem and I believe this is a bug in the cmdlet. I'm not sure which "basic" authentication schemes would be expecting a username like "\user", and in fact the System.Net.WebClient doesn't add this leading slash when you use Basic and a PSCredential.

I haven't tried this on the Vista or XP PowerShell v2 RC, but I have to assume that this behavior was introduced sometime after CTP3, or the PowerCLI Blog people would never have been able to connect.

Adding a Custom Certificate to McAfee ePO Server 4.0 (Apache)

2009-07-15T10:51:00.011-05:00

Our ePO adminitrators came to me asking for help installing an enterprise certificate on our new ePO 4.0 server so they could provide a vanity dns name for management to view reports. According to McAfee, this is not supported in 4.0, but will be a feature of 4.5. Knowing that ePO runs on Tomcat, I was pretty confident that I could get it working anyway... just remember that none of this is supported. If you need a supported solution on 4.0, I recommend adding the self signed certificate to your domain certificate trust list and using the computer name to access the site.

If you just have to have your vanity url, here's how you can get it set up.

The main idea here is to import a certificate that will be trusted by your browsers (either a domain certificate or a public certificate from a trusted CA like EnTrust or Verisign) into the Java keystore that Tomcat is using. Our security team provided us with a certificate and a private key from an existing wildcard certificate for our domain.

In order to locate the correct keystore, I loaded up the Tomcat configuration file located at c:\Program Files\McAfee\ePolicy Orchestrator\Server\conf\server.xml. From here, you need to locate the "Connector" element that is binding to the port for the site you are using. In our case, this is 8443 so the element looks like this:

Sun Java provides a tool to edit keystores called keytool.exe. However, there is a limitation on this tool (described here) that prevents us from adding a private key separately. Fortunately ePO uses the latest version of Java, so we do have the ability to import a PKCS12 file containing both our public certificate as well as our private key.

First, I had to get my separate files into one PKCS12 file. I did this using the following OpenSSL command:

> openssl pkcs12 -export -out c:\temp\store.pfx -in c:\temp\certificate.cer -inkey c:\temp\private.key

Now that I have a PKCS12 file with both the certificate and private key, I can import those into the Java keystore for Tomcat. My first step was to add the JRE\bin to my path and change to the directory of the keystore:

> set path=%path%;c:\Program Files\McAfee\ePolicy Orchestrator\JRE\bin
> cd C:\Program Files\McAfee\ePolicy Orchestrator\Server\keystore\

Next I made a backup of the original McAfee keystore (so we can go back to the supported configuration if needed):

> copy server.keystore server.keystore.original

Then I deleted the existing certificate and private key from the keystore, then imported the new pair from the PKCS12 file, and finally renamed the alias for the key to match the original:

> keytool -delete -alias mykey -keystore server.keystore
> keytool -delete -alias cacert -keystore server.keystore
> keytool -importkeystore -srckeystore c:\vhacert\store.pfx -destkeystore server.keystore -srcstoretype pkcs12
> keytool -changealias -keystore server.keystore -alias 1 -destalias mykey

Finally, you just need to restart all 3 ePO services. Tomcat should now be providing your custom certificate.

Unused media renderer devices were not removed from the list of devices because required DRM components cannot run while a debugger is attached. Detach the debugger from the machine or from the WMPNetworkSvc service, and then restart the WMPNetworkSvc service.
Log Name:	System
Source:	Windows Media Player Network Sharing Service
Event ID:	14105
Level:	Warning
OpCode:	Info