How to kill all but the newest Excel process with PowerShell

Excel was the example I used, but you could use anything. Somebody on HardForums.com was asking about a way to kill all but the most recently started Excel process. I came up with this:

Get-Process | Where-Object { $_.Name -eq "excel" } | Sort-Object -Property "StartTime" -Descending | Select-Object -Skip 1 | ForEach-Object { taskkill /pid $_.Id }

If there is just one Excel process running, it will be left alone, thanks to the -Skip 1 in Select-Object.

I can’t imagine this is too useful, but who knows? :)

How to give a user account rights to register its own Service Principal Name (SPN)

I recently had a SQL server where the SQL instance had a different name than the hostname. Not having rights to connect to SQL, I wasn’t aware of that. So, I registered the SPNs as they should have been registered, and it was still falling back to NTLM (see: failing).

SQL Server will register its own SPNs at startup – assuming the service account has rights to set its own SPN. To give the service account rights to self-register SPN (assuming you’re using a domain service account and not Network Service/Local System), you need to grant the service account rights to “Write Public Information” on itself in Active Directory.

1) Launch Active Directory Users and Computers
2) Find your service account and hit the Security tab
3) Select “SELF” in the “Groups or user names” listbox
4) Find “Write public information” in the “Permissions for SELF” listbox and check “Allow”
5) Click OK

Afterwards, you'll need to restart SQL Server for the SPNs to register. Use setspn -l domain\account to verify that the account has registered them properly.

If you do happen to be using Network Service or Local System, shame on you. That said you’ll just need to verify on the computer account in AD that SELF has “Validated write to service principal name” set to Allow. But, seriously, stop using Network Service or Local System (ESPECIALLY THAT!) and start using a domain account…or at the very least a local account.


How to configure AD, SQL, and IIS for two-hop Kerberos authentication

Recently, some of our developers were writing an app that required impersonation from the web service, as the user, to the database. Admittedly, Kerberos isn’t one of my strong points.

There were two hops here: from the user to the IIS server, and from the IIS server to the SQL Server, with the application in IIS impersonating the user when it authenticates to the SQL Server.

So, the idea here is that from the user to the IIS server, we know Kerberos will work. The user passes its ticket to the web service. Nothing unusual. From there, the web app, running as a custom app pool ID, needs to pretend (delegate) to be the user when it authenticates to the SQL server.

There are a few requirements.
1) Your application in IIS should be running under a custom identity – domain\MyAppService
2) SQL Server needs to be running under a domain service account – domain\MySQLService
3) IIS needs to use Negotiate instead of NTLM for that application. It should do this by default and only fall back to NTLM, but for whatever reason my app was using NTLM. IIS should also have Windows Authentication enabled.
4) Change your connection string to impersonate the site user

Step 1 – Set the SPN on your app pool ID for the site, for the hostname and FQDN.
setspn -a http/mysite domain\MyAppService
setspn -a http/mysite.domain.com domain\MyAppService

Step 2 – Set the SPN for the SQL service on your SQL service account – assuming you use the default SQL port
setspn -a MSSQLSvc/hostname domain\MySQLService
setspn -a MSSQLSvc/hostname.domain.com domain\MySQLService
setspn -a MSSQLSvc/hostname:1433 domain\MySQLService
setspn -a MSSQLSvc/hostname.domain.com:1433 domain\MySQLService

Restart SQL

Step 3 – In Active Directory Users and Computers, find the service account, click the delegation tab, and trust it for delegation. You can set it for delegation to anywhere, or constrained delegation to the SPNs you’ll set for the SQL service account.

Step 4 – Force your site or application to use Negotiate. This won’t work with NTLM, so we’ll remove it. (Note: This is for IIS7/7.5)
- Find and open your applicationHost.config. It’s probably under c:\windows\system32\inetsrv\config. You can also set this in the system.webServer section of the web.config for the application.

- Scroll to the bottom and paste this in above the closing </configuration> tag:

   <location path="SitePath">
        <system.webServer>
            <security>
                <authentication>
                    <windowsAuthentication>
                        <providers>
                            <add value="Negotiate" />
                            <remove value="NTLM" />
                        </providers>
                    </windowsAuthentication>
                </authentication>
            </security>
        </system.webServer>
    </location>

If you get a 500 error after adding the above XML, it's probably because Negotiate is already added elsewhere. Just remove the line that says <add value="Negotiate" /> and leave the <remove value="NTLM" /> line.
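To verify Steps 1 through 3 above (and the SPN self-registration from the earlier post) without clicking through ADUC, here is an added PowerShell check that is not part of the original posts. It assumes the RSAT ActiveDirectory module is installed on a domain-joined host, and it reuses the post's placeholder names (MyAppService, MySQLService, mysite, hostname); it flags missing SPNs, SPNs duplicated on another account, and shows whether delegation is unconstrained or constrained.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory
# module (RSAT) and an account that can read the service account objects.
Import-Module ActiveDirectory

function Test-ServiceSpn {
    param(
        [Parameter(Mandatory)][string]$Account,   # sAMAccountName of the service account
        [Parameter(Mandatory)][string]$HostName,  # short name clients connect to
        [string]$Domain = $env:USERDNSDOMAIN,     # used to build the FQDN form
        [ValidateSet('http', 'MSSQLSvc')][string]$Service = 'MSSQLSvc',
        [int]$Port = 1433                          # only used for MSSQLSvc SPNs
    )
    $fqdn = "$HostName.$Domain".ToLower()
    # The SPN set the post registers by hand in Steps 1 and 2
    $expected = @("$Service/$HostName", "$Service/$fqdn")
    if ($Service -eq 'MSSQLSvc') {
        $expected += "$Service/${HostName}:$Port", "$Service/${fqdn}:$Port"
    }

    $acct = Get-ADUser -Identity $Account -Properties @(
        'servicePrincipalName', 'TrustedForDelegation', 'msDS-AllowedToDelegateTo')
    $registered = @($acct.servicePrincipalName)
    # -notcontains is case-insensitive, matching how the KDC treats SPNs
    $missing = $expected | Where-Object { $registered -notcontains $_ }

    # The same SPN on two accounts means the KDC cannot issue a ticket, so
    # clients silently fall back to NTLM; look for that clash domain-wide.
    $dupes = foreach ($spn in $expected) {
        Get-ADObject -Filter "servicePrincipalName -eq '$spn'" |
            Where-Object { $_.DistinguishedName -ne $acct.DistinguishedName } |
            ForEach-Object { "$spn -> $($_.Name)" }
    }

    [pscustomobject]@{
        Account                 = $Account
        MissingSpns             = @($missing)
        DuplicateSpns           = @($dupes)
        # TrustedForDelegation = "delegate to anywhere" (Step 3's first option);
        # the constrained list is the safer choice when the SQL SPNs are known.
        UnconstrainedDelegation = [bool]$acct.TrustedForDelegation
        ConstrainedDelegationTo = @($acct.'msDS-AllowedToDelegateTo')
    }
}

# Web tier (app pool identity) and data tier (SQL service account) from the post
Test-ServiceSpn -Account MyAppService -HostName mysite -Service http | Format-List
Test-ServiceSpn -Account MySQLService -HostName hostname | Format-List
```

An empty MissingSpns list for the SQL account after the service restart confirms the self-registration described in the SPN post worked; anything in DuplicateSpns explains an unexpected NTLM fallback even when every other step is correct.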

Reference: This post was extremely helpful in solving my problem – http://blogs.technet.com/askds/archive/2008/06/13/understanding-kerberos-double-hop.aspx – in the end, I did pretty much everything in that post, and still had the IIS server passing anonymous to SQL, which is what tipped me off that it was using NTLM and not Negotiate.


Windows 7 – How To Link Online IDs

I stumbled upon this today in Windows 7, completely by accident.

Linking your online ID will let you log in to Windows and then log in to any service for which you’ve installed a provider, without being prompted to login again. I associated my Windows Live ID with my home desktop computer login. When I went to Hotmail, all I had to do was click my email address to log in. I went over to MSDN to check my available downloads and simply clicked “Sign in” and was there. Pretty cool feature and a great time saver.

Here’s how to do it:

Click the Windows button.
Type “link online” and you should see “Link Online IDs” at the top of the search. Click it.
Select “Add an Online ID Provider” and select one from the list – at the time I’m writing this, only MS Live is available.

Download the installer, and install. You should see this:
[Screenshot: LiveID]

Click “Link online ID” and enter your credentials. That’s it! Now head over to your Live/Passport enabled sites and login!


AjaxControlToolkit causes System.Security.SecurityException: Request for the permission of type ‘System.Web.AspNetHostingPermission … failed.

Here’s a quick one…

A developer was using AJAXControlToolkit in an application. Not a big deal. Except that it kept throwing that damn exception. You know the one:


Server Error in ” Application.
Security Exception
Description: The application attempted to perform an operation not allowed by the security policy. To grant this application the required permission please contact your system administrator or change the application’s trust level in the configuration file.

Exception Details: System.Security.SecurityException: Request for the permission of type 'System.Web.AspNetHostingPermission, System, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' failed.

I know what you’re going to say, but I prefer to not use caspol.exe to set the trust.

There were several other sites on the server using the toolkit that worked fine, without using caspol to set full trust.

The difference? Those other applications were compiling the AJAX DLL when the apps themselves were compiled. The developer in this case had just copied the DLL from the toolkit download and added the reference to her code.

I copied the DLL from one of the sites that I knew worked, and it magically started working. Copy her version of the DLL back, and it failed again (after IISReset).

I don’t really know how this happened, but if the DLL was referenced in the VS project, it should have been built with the rest of the app and then deployed with full trust…

So, if you're running into this and you're building the code yourself, make sure that AjaxControlToolkit.dll is built with the rest of your application (its timestamp should match the other DLLs that were modified). Don't just drop it in afterwards; it won't work.
