IIS, mutual authentication using SSL certificates

Not everyone knows that IIS (Internet Information Services), the web server included in Windows Server, offers the possibility of performing mutual authentication using SSL certificates.

You probably saw that, within the site's SSL configuration, you can require an SSL client certificate from the connecting client:

iis-ssl-001

In this case, IIS only verifies that the submitted certificate is valid, i.e. signed by a trusted CA.

Mutual authentication goes one step further: based on the certificate that the client sends, IIS maps it to a local or domain user. It is therefore possible to identify a user without requiring a username and password, using only the certificate the client presents.

IIS allows two different mappings: one-to-one (each certificate corresponds to a specific user) or many-to-one (multiple certificates correspond to a single user). In the first case you have to load the whole certificate into IIS, while in the second one you tell IIS which characteristics the certificates must have (for example the value of the CN field):

iis-ssl-002

Configuration

You cannot configure the Certificate Mapping through the graphical interface (IIS Manager); it can only be configured by editing the IIS configuration directly.

First verify that the following role services are installed on your server:

iis-ssl-005

The first one (Client Certificate Mapping) is used for mapping clients to domain accounts (Active Directory), while the second one (IIS Client Certificate Mapping) maps them to local accounts.

Open the configuration editor of the website you want to modify:

iis-ssl-003

The configuration of both modules is under security – authentication:

iis-ssl-004

As an example, let's configure the mapping to local accounts. First you have to enable the module and choose whether you want one-to-one or many-to-one mapping (you can enable both):

iis-ssl-006

To add a one-to-one mapping, click on the item shown below:

iis-ssl-007

then click on Add and type the requested information (certificate, username and password):

iis-ssl-008

You have to provide the certificate in base64, after removing the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines and the newline characters, so that the whole content is on a single line:

iis-ssl-010

The steps to add a many-to-one mapping are similar; instead of loading the certificate, you have to define one or more rules. If the client certificate matches a rule, the mapping is performed:

iis-ssl-011

As a final step, remember to disable the other authentication methods, otherwise a request that does not present a mapped certificate could still be accepted through one of them:

iis-ssl-012

Parsing a packet using structs

When I was analyzing the source code of an open-source program, I found an interesting technique to parse incoming data in a very efficient way, using a struct.

This technique works if the received data has a fixed length and structure; for example, it applies very well to data "packets".

When receiving, the program normally stores the incoming data in a buffer in RAM. For example, let's assume that the packet has a length of 14 bytes:

char rx_buffer[14];

Your specific protocol defines the following fields in the packet:

  • address, 5 bytes
  • temperature value, 3 bytes
  • humidity value, 3 bytes
  • TX counter, 1 byte
  • checksum, 2 bytes

You can define a struct that represents the structure of the packet:

#include <stdint.h>

typedef struct {
  uint8_t address[5];     /* 5 bytes */
  uint8_t temperature[3]; /* 3 bytes */
  uint8_t humidity[3];    /* 3 bytes */
  uint8_t tx;             /* 1 byte  */
  uint8_t checksum[2];    /* 2 bytes */
} my_packet;

The technique consists in laying the struct over the buffer, as if it were a template:

mem-struct-001

In this way the received bytes are automatically divided into the different fields:

mem-struct-002

Therefore, to parse the data you only need to cast the buffer:

my_packet* parsed_data = (my_packet*)rx_buffer;

and access the struct fields through the pointer:

parsed_data->address;
parsed_data->temperature;
[...]

Padding and packed

You still have a problem: to make memory access more efficient, compilers normally align variables based on their size. This means that, when a compiler allocates memory for your struct, some empty space (named padding) could be added between the different variables:

mem-struct-003

The presence of the padding space causes a misalignment if you apply the struct to the buffer with the received data (which is instead contiguous). Fortunately, it is possible to ask the compiler not to insert padding using the packed attribute:

typedef struct {
  uint8_t address[5];
  uint8_t temperature[3];
  uint8_t humidity[3];
  uint8_t tx;
  uint8_t checksum[2];
} __attribute__((packed)) my_packet;

If you remember to add this attribute, the technique works perfectly (provided, of course, that you check the received length before casting the buffer)!
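The whole procedure put together, as an added example (my own code, not the program the post refers to): the packed struct with a compile-time size check, the cast applied only after the receive length has been validated, a checksum verification, and a second pair of structs that shows the padding effect the post warns about. The checksum (16-bit big-endian sum of the bytes before it) and the 3-byte big-endian field encoding are assumptions, since the post does not define them; the sample frame is constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Packet layout from the post: 5 + 3 + 3 + 1 + 2 = 14 bytes on the wire. */
#define PACKET_LEN 14

typedef struct {
  uint8_t address[5];
  uint8_t temperature[3];
  uint8_t humidity[3];
  uint8_t tx;
  uint8_t checksum[2];
} __attribute__((packed)) my_packet;

/* If padding ever appears (e.g. someone changes tx to uint16_t and forgets
   the attribute), the build fails instead of the fields silently shifting. */
_Static_assert(sizeof(my_packet) == PACKET_LEN, "my_packet must match the wire size");

/* Assumed checksum: 16-bit big-endian sum of every byte before the checksum field. */
static uint16_t packet_sum(const uint8_t *data, size_t len) {
  uint16_t s = 0;
  for (size_t i = 0; i < len; i++) s = (uint16_t)(s + data[i]);
  return s;
}

/* Assumed field encoding: 3-byte big-endian unsigned integer. */
uint32_t field_u24(const uint8_t f[3]) {
  return ((uint32_t)f[0] << 16) | ((uint32_t)f[1] << 8) | f[2];
}

/* Overlay the struct on the receive buffer, as the post describes, but only
   after checking that exactly one whole packet is present and the checksum
   matches. Returns NULL on any failure. A packed struct has alignment 1, so
   the cast is alignment-safe for any byte buffer; memcpy() into a local
   my_packet is the strict-aliasing-clean alternative. */
const my_packet *parse_packet(const uint8_t *rx_buffer, size_t rx_len) {
  if (rx_buffer == NULL || rx_len != PACKET_LEN) return NULL; /* truncated or oversized frame */
  const my_packet *p = (const my_packet *)rx_buffer;
  uint16_t expected = packet_sum(rx_buffer, offsetof(my_packet, checksum));
  uint16_t received = (uint16_t)(((uint16_t)p->checksum[0] << 8) | p->checksum[1]);
  return expected == received ? p : NULL;
}

/* Constructed sample frame: address 01..05, temperature 215, humidity 44,
   tx counter 7, checksum 0x0119 (= 1+2+3+4+5+215+44+7). */
static const uint8_t SAMPLE_PACKET[PACKET_LEN] = {
  0x01, 0x02, 0x03, 0x04, 0x05,   /* address */
  0x00, 0x00, 0xD7,               /* temperature = 215 */
  0x00, 0x00, 0x2C,               /* humidity = 44 */
  0x07,                           /* tx counter */
  0x01, 0x19                      /* checksum */
};

/* The padding problem itself: the same members with and without the
   attribute give different sizes on the usual ABIs (8 vs 7 bytes), because a
   uint16_t is normally aligned to 2. The all-uint8_t my_packet above has no
   padding even without the attribute; the _Static_assert documents that. */
typedef struct { uint8_t address[5]; uint16_t counter; } counter_unpacked;
typedef struct { uint8_t address[5]; uint16_t counter; } __attribute__((packed)) counter_packed;
size_t unpacked_size(void) { return sizeof(counter_unpacked); }
size_t packed_size(void)   { return sizeof(counter_packed); }

/* Walks through the normal and the failure cases; returns 0 when every
   expectation holds, otherwise the number of the step that failed. */
int self_test(void) {
  const my_packet *p = parse_packet(SAMPLE_PACKET, sizeof SAMPLE_PACKET);
  if (p == NULL) return 1;
  if (p->tx != 7 || field_u24(p->temperature) != 215 || field_u24(p->humidity) != 44) return 2;
  if (parse_packet(SAMPLE_PACKET, PACKET_LEN - 1) != NULL) return 3; /* truncated frame rejected */
  uint8_t bad[PACKET_LEN];
  memcpy(bad, SAMPLE_PACKET, PACKET_LEN);
  bad[PACKET_LEN - 1] ^= 0x01;                                       /* flip one checksum bit */
  if (parse_packet(bad, PACKET_LEN) != NULL) return 4;               /* corrupted frame rejected */
  return 0;
}

int main(void) {
  const my_packet *p = parse_packet(SAMPLE_PACKET, sizeof SAMPLE_PACKET);
  if (p != NULL)
    printf("temperature=%u humidity=%u tx=%u\n",
           (unsigned)field_u24(p->temperature), (unsigned)field_u24(p->humidity), p->tx);
  return self_test();
}
```

The length check is the part most often forgotten: casting a buffer that holds fewer bytes than sizeof(my_packet) lets the parser read past the received data, so the frame size is validated before the struct is ever laid over the buffer.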

Java, IllegalFormatConversionException when importing an SSL certificate

Today I faced a strange problem. I needed to import an SSL certificate into a Java keystore using the "classic" keytool command. I was sure that the format of the certificate was correct, but I always received the following error:

java.util.IllegalFormatConversionException: d != java.lang.String

java-keystore01

The reason for the error is that, in the latest versions of Java, the keytool command uses the language of the system by default (in my case Italian).

I had to add the parameter -J-Duser.language=en to the keytool command to make it work correctly:

java-keystore02

IIS, how to debug HTTP errors

Today I faced a problem during the setup of a new application: if I opened a browser and entered the URL of the application, I got the following error message:

iis-01

To identify the root cause of the error, I found a new feature added in the latest versions of Microsoft IIS (Internet Information Services): failed request tracing. Using this tool you can selectively trace the whole processing pipeline of a request, to identify which step causes the error reported to the user.

Let’s see how to use it. First, verify that this feature is installed on your server using the Server Manager:

iis-02

Open the IIS Manager tool, select the site which publishes the application and in the Actions pane (on the right) click on Failed Request Tracing…:

iis-03

Enable the feature and note down the path IIS will save the logs into:

iis-04

Now you have to specify which requests will be traced. Click on the icon:

iis-05

then click on Add... in the Actions pane.

A wizard lets you define the criteria a request must match to be traced. For example, in the screenshot below I created a tracing rule for the requests which return error 401.3:

iis-06

After reloading the page in my browser, I found the trace logs in the path noted above:

iis-07

With a double-click on the frxxxxxx files, a page with all the details of the request was displayed:

iis-08

When I moved to the Request Details tab I was able to identify the folder IIS couldn’t access:

iis-09

When I set the correct permissions on the NTFS filesystem, the application started to work.


Google Chrome, how to display the website’s SSL certificate

Users of the Google Chrome web browser used to be able to display the SSL certificate of a website published over https with a click on the address bar. In the latest versions, this functionality has been removed:

chrome-ssl01

You now need some additional steps: first open the developer tools (CTRL-Shift-I):

chrome-ssl02

then select the Security tab and click on View certificate:

chrome-ssl03

And finally you can see the certificate used by the web site (in this example, www.google.com):

chrome-ssl04

WinRM, exceeded MaxEnvelopeSize quota

Today, while I was configuring an Exchange 2010 server, I got the following error:

The WinRM […] was notified that the request size exceeded the configured MaxEnvelopeSize quota

exchange-01

The MaxEnvelopeSize parameter defines the maximum size (in KB) of a single SOAP request. Sometimes you may need to increase the value to be able to run a big script or command (via PowerShell or using the GUI).

The default maximum size is 500 KB, and you can show the current value with the command:

winrm get winrm/config

exchange-02

To change the value, run the following command (in the example I'm increasing the value to 1000 KB):

exchange-03

If you got the error from the Exchange management console, you probably also need to increase the value in the web.config file (InstallDir\ClientAccess\PowerShell). If the parameter is not already present, it can be added:

exchange-04

Microsoft Exchange without using Outlook

If you have a mailbox hosted on a Microsoft Exchange server, you're probably using Outlook (or its web variant) as your mail client. Thanks to a suggestion by a colleague, I've just discovered a way to access your Exchange mailbox (including calendar and contacts) using any mail client.

You only need to install an open-source program, DavMail Gateway, on your PC:

davmail-01

DavMail acts as a "translator": on one side it communicates with the Exchange server using the language (protocol) normally spoken by Outlook (WebDAV, EWS – Exchange Web Services), while on the other side it offers the standard mail protocols: POP/IMAP (for incoming emails) and SMTP (for outgoing emails):

davmail-07

Let's see how to use it. As the mail client I chose Thunderbird, in its portable version (which doesn't require installation), but as I said you can use the mail client you prefer.

First download the latest version of DavMail. DavMail is available for different platforms; I chose the Windows version, again the one that doesn't require installation:

davmail-02

Once you have unzipped the archive into a new folder, run the program with a double click on davmail.exe (you can also run the program in console mode or install it as a Windows service):

davmail-03

The program shows its icon in the system tray, in the bottom-right corner of your screen, next to the clock. You can configure it by choosing Settings… from the menu (right-click the icon to display it):

davmail-04

Type the address of the webmail (OWA) of your Exchange server. Depending on how the server is configured, you may need to choose a particular protocol; most of the time the default setting (Auto) is fine. Note the port numbers of the different services (for example IMAP on port 1143…): you'll need them later to configure your mail client.

davmail-05

When DavMail is configured and running, you can move to your mail client. When configuring a new account, type localhost for both the incoming and the outgoing server and enter the correct port number for each protocol:

davmail-06

If everything was configured correctly, you can now manage your Exchange mailbox using your preferred mail program!

Websphere MQ – Copy messages between queues

If you administer a WebSphere MQ server, it may happen that someone asks you to manage the messages: create a backup, move messages from one queue to another…

The main administration tool for WMQ, MQ Explorer, doesn't support those operations; you can only browse the queues or send test messages:

qload-01

I recently discovered a tool, freely released by IBM, named qload. This tool allows you to move or copy messages between queues, or transfer them between a queue and a text file.

qload's source code is available on GitHub, in the ibm-messaging repository.

Let’s see some examples of its usage:

  • move all the messages from queue IN.QUEUE to queue OUT.QUEUE, queue manager QM.TEST:
    ./qload -m QM.TEST -I IN.QUEUE -o OUT.QUEUE
  • copy all the messages from queue IN.QUEUE to queue OUT.QUEUE, queue manager QM.TEST:
    ./qload -m QM.TEST -i IN.QUEUE -o OUT.QUEUE
  • save all the messages in queue IN.QUEUE, queue manager QM.TEST, to the file msgs.txt:
    ./qload -m QM.TEST -i IN.QUEUE -f msgs.txt
  • load all the messages from file msgs.txt into queue IN.QUEUE, queue manager QM.TEST:
    ./qload -m QM.TEST -o IN.QUEUE -f msgs.txt

It's of course possible to filter the messages. For example, the parameter -r allows you to specify the number of a single message, or a range of messages, to be included in the action:

./qload -m QM.TEST -i IN.QUEUE -f msgs.txt -r 10..15

saves in the file msgs.txt only the messages with index between 10 and 15.

Eagle – PCB quote generator

The PCBShopper website compares the prices of the most used PCB services.

Jeremy Ruhland published in his GitHub repository an Eagle script (ULP, User Language Program) that automatically gets the required information from an Eagle project and fills in the PCBShopper web form. Let's see how to use it:

- first click on pcbshopper.ulp and display its source code (RAW button):

ulp-1

- save the ulp file in the ulp subfolder of your Eagle installation:

ulp-2

- open your Eagle project, move to the Board window and choose File – Run ULP…, then choose the pcbshopper.ulp file you saved before:

ulp-3

- configure the required PCB (copper size, quantity…), then click on Click here to open PCBShopper.com:

ulp-4

- the PCBShopper website will be opened automatically with all the fields pre-filled; you only have to click on Get Prices:

ulp-5

- and get the quotes, with the cheapest ones at the top:

ulp-6

Eagle – How to place pins in a circle

I'm working with Eagle to prepare a PCB for a Nixie clock. I wasn't able to find a library for the Nixie tube I chose, so I had to create it from scratch.

The Nixie's datasheet has the following drawing of the pin layout:

eagle-round1

Let’s see how to draw it in Eagle, thanks to an ULP (User Language Program).

Choose File – Run ULP…

eagle-round2

Click on cmd-draw.ulp:

eagle-round3

Choose Pad, then enter the values for the radius (0.19 mils) and the angle between two pads (25.714°) as given in the datasheet. You can also define the shape and size of the pads:

eagle-round4

Click on OK and confirm the generated script with OK again:

eagle-round5

The result:

eagle-round6