Windows Explored

Everyday Windows Desktop Support, Advanced Troubleshooting & Other OS Tidbits

Configure WinHttp for Proxy

Posted by William Diaz on November 3, 2013


Recently, we were testing a new remote desktop application but I was experiencing problems connecting to the application, and it wasn’t isolated to a single workstation. A few of my other labs were unable to access the application, as were other computers as the testing expanded. Admittedly, I should have figured this one out quickly as it was not the first time I encountered an issue trying to access remote desktop applications (i.e. terminal server apps) inside our network. The fact that we were hosting this RDP app internally, though, led me to dismiss my initial hunch. A quick look with Network Monitor confirmed the problem:


The Local Security Authority process (lsass.exe) is trying to reach the Internet, in this case most likely to do certificate revocation checking, which is the usual reason with RDP apps since the client validates the server's certificate. It keeps retransmitting until it gets a response or times out, but because we are behind a proxy, lsass.exe never finds a path out of the network. Certificate validation is handled by the Windows CryptoAPI, which fetches CRLs and OCSP responses through WinHTTP, not through the WinINet (Internet Explorer) proxy settings the user's browser uses. By default, WinHTTP 5.1 can find its own way out only if the network publishes its proxy with Web Proxy Auto-Discovery (WPAD). We do not, so the fix is to configure a static proxy for WinHTTP. Since the proxy and its exceptions are already configured in Internet Explorer, we just import those settings into WinHTTP from an elevated command prompt: netsh winhttp import proxy source=ie. Note that this copies the current user's IE settings into a machine-wide WinHTTP setting, so the proxy and bypass list should be ones every service on the machine can use. Afterwards, the connection problem was resolved*.

On the flip side, configuring WinHTTP to use a static proxy can also cause connectivity problems for mobile users. I ran into this issue myself today when I was trying to stream a movie from Netflix and kept encountering the following error: “Whoops, something went wrong… An Internet or home network connection problem is preventing playback. Error code: H7111-1101”


To verify my suspicion that the opposite was true, that WinHTTP was trying to use a proxy it could not reach to do certificate verification checks, I looked in the Windows CAPI2 event log and could see that the Netflix certificate check was failing:


The Details pane further down gave the cause: the revocation server was “offline”, which in CAPI2 terms just means it could not be reached. You can check the WinHTTP proxy with netsh winhttp show proxy. To correct it, put WinHTTP back on a direct connection with netsh winhttp reset proxy when outside the network (and import the proxy again when back inside; a laptop that moves between the two really wants WPAD, so that WinHTTP can pick the right path itself).
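The two situations above (WinHTTP direct while IE uses a proxy, and WinHTTP pointed at a proxy it cannot reach) can be told apart without a network capture. The following is an added example written for this page, not code from the original post: it parses netsh winhttp show proxy, reads the WinINet (IE) proxy settings from the current user's registry, tests whether the configured WinHTTP proxy answers on its port, and prints which netsh command applies. It assumes English netsh output and Windows 7/8.1 with PowerShell 2.0 or later; run it elevated if you intend to apply the fix it suggests.

```powershell
# Added example (not from the original post): compare the WinHTTP proxy used by
# CryptoAPI/lsass.exe with the IE (WinINet) proxy and test reachability.
# Assumes English netsh output; the TCP probe only tells "on network" from "off network".

function Get-WinHttpProxy {
    # netsh prints either "Direct access (no proxy server)." or
    # "Proxy Server(s) :  host:port" plus "Bypass List     :  <local>;*.corp.local"
    $text = (netsh winhttp show proxy) -join "`n"
    if ($text -match 'Direct access') {
        return [pscustomobject]@{ Mode = 'Direct'; Server = $null; Bypass = $null }
    }
    $server = if ($text -match 'Proxy Server\(s\)\s*:\s*(\S+)') { $Matches[1] } else { $null }
    $bypass = if ($text -match 'Bypass List\s*:\s*(.+)')        { $Matches[1].Trim() } else { $null }
    [pscustomobject]@{ Mode = 'Proxy'; Server = $server; Bypass = $bypass }
}

function Get-IeProxy {
    # WinINet settings for the current user. ProxyServer is "host:port" or
    # "http=host:port;https=host:port"; ProxyOverride is the exceptions list;
    # AutoConfigURL is a PAC file, which "netsh winhttp import proxy" cannot copy.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $p = Get-ItemProperty -Path $key
    [pscustomobject]@{
        Enabled  = ($p.ProxyEnable -eq 1)
        Server   = $p.ProxyServer
        Override = $p.ProxyOverride
        Pac      = $p.AutoConfigURL
    }
}

function Test-ProxyReachable([string]$ProxySpec, [int]$TimeoutMs = 3000) {
    # Use the first host:port in the spec (netsh/IE may list "http=h:p;https=h:p").
    if ($ProxySpec -notmatch '([A-Za-z0-9.\-]+):(\d+)') { return $false }
    $h = $Matches[1]; $p = [int]$Matches[2]
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($h, $p, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($ar)
        $true
    } catch { $false } finally { $client.Close() }
}

$winhttp = Get-WinHttpProxy
$ie      = Get-IeProxy
"WinHTTP : $($winhttp.Mode) $($winhttp.Server)"
"IE      : enabled=$($ie.Enabled) server=$($ie.Server) pac=$($ie.Pac)"

if ($winhttp.Mode -eq 'Proxy') {
    if (Test-ProxyReachable $winhttp.Server) {
        'WinHTTP proxy answers; CRL/OCSP fetches by lsass.exe should get out.'
    } else {
        'WinHTTP proxy is NOT reachable (off the corporate network?).'
        'Fix (elevated): netsh winhttp reset proxy'
    }
} elseif ($ie.Enabled -and $ie.Server) {
    'WinHTTP is direct but IE uses a static proxy; revocation checks will hang on a proxy-only network.'
    'Fix (elevated): netsh winhttp import proxy source=ie'
} elseif ($ie.Pac) {
    'IE uses a PAC file; netsh cannot import that. Give WinHTTP a static proxy or enable WPAD.'
} else {
    'Both WinHTTP and IE are direct; nothing to import.'
}
```

The PAC case is worth the extra branch: netsh winhttp import proxy source=ie only copies a static proxy and bypass list, so on a network that publishes its proxy solely through a PAC URL the import silently leaves WinHTTP on direct access.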


*Certificate revocation information is cached, so a fetch is not needed for every session: the initial check is good enough until the CryptoAPI determines that the cached CRL or OCSP response has expired and another fetch needs to be performed.

I am not sure why yet, but Netmon captures on a Windows 8.1 system did not reveal the lsass.exe process. Instead, the process was listed as unavailable.


Posted in Troubleshooting, Troubleshooting Tools

IE 11, Page can’t be displayed, Google.com, & SPDY/3 Protocol

Posted by William Diaz on October 28, 2013


I’ve been taking Internet Explorer 11 for a test drive recently and started to notice an odd occurrence. Upon initially opening IE 11 and typing www.google.com into the address bar, I am unable to get to the page, instead getting the generic “This page can’t be displayed…”


A quick refresh, however, had no problems taking me to the page afterwards. Closing IE (and making sure all iexplore.exe processes are closed via Task Manager) and typing the same URL again would reproduce the problem roughly 8 out of 10 times. A quick look with Network Monitor showed that the connection was, in fact, successful:


Looking at one of the frames in the network capture showed the presence of an additional HTTP protocol I wasn’t familiar with in Internet Explorer, SPDY/3:


I remember seeing it in the Advanced tab of the Internet Explorer settings:


Unchecking this setting resolved the issue. I am not sure why this is happening. SPDY/3 is a relatively new open protocol introduced by Google and adopted by IE 11. More about it can be read here: http://en.wikipedia.org/wiki/SPDY & http://dev.chromium.org/spdy/spdy-protocol/spdy-protocol-draft3. In short, it reduces page load times by multiplexing and compressing HTTP requests over a single TLS connection.


Update

Seems to be reproducible only behind a proxy (TMG in our case).

Posted in Uncategorized

Failed Java Uninstalls

Posted by William Diaz on October 23, 2013


After moving to Java 7 several months ago, this issue started plaguing us. During normal troubleshooting of Java applet and website issues, techs would try to uninstall our custom Java 7 package, only to encounter: “There was a problem starting C:\Program Files (x86)\Java\jre7\bin\\installer.dll. The specified module could not be found.”


Up until recently, the fix was to run the Microsoft FixIt utility “Fix problems with programs that can’t be installed or uninstalled”. Afterwards, we would then need to remove the stubborn registry entries that left the Programs and Features list populated with the now removed application by running the uninstall again. With the recent expiration of Java 7 Update 25 and confusion from tier 1 support, there were several updates being done to the new JRE. In order to maintain a consistent software environment, I asked to have those updated JREs put back to 7.25. This also required uninstalling 7.25 on so many workstations that my head was left spinning, because the process had to be done manually and I was the “go-to” person for the Java crisis. More importantly, at some point we would eventually need to update to a new JRE and would likely want to remove the old one, but with the uninstall broken there was no way to remove the previous client automatically.

After some web research, I found that the issue was with one of the custom actions in the Java MSI, UninstallJRE:


This should be changed to:


Thanks to Keith Jones. Found this gem here: http://lists.wpkg.org/pipermail/wpkg-users/2013-May/009394.html.

Posted in Uncategorized

Um, So We’ll Have to Lower Java Security Again?

Posted by William Diaz on October 21, 2013


So, last week with the expiration of Java 7 Update 25, Java LiveConnect stopped working on several web sites that our users frequent, forcing them to change the default Java security setting from High to Medium. For argument’s sake you could update to Java 7 Update 45 and go back to using the High security setting. But then I saw some additional text on one of the common Java 7 security dialogs: “This application will be blocked in a future Java security update because the JAR file manifest does not contain the Permissions attribute…”


Assuming the applet is not updated by the next JRE expiration, users would then have to lower Java security again.


Posted in Uncategorized

Java Headaches After Update Release

Posted by William Diaz on October 17, 2013


Oracle just released JRE 7 Update 45. This becomes apparent when someone goes to run a Java applet and encounters the following prompt: “Your Java version is out of date…”


For the average home user, this is not a big deal. But in a corporate environment headaches ensue. Why? Because some users will blindly click the Update button and be redirected to the Java download page for the latest release. The first problem is that our users do not have the administrative privileges to update their Java client. But the real problem is that once a user has done this, they will be redirected to the Java download page each and every time they need to run a Java applet. So the question was, how do we get the prompt back so the user can select the appropriate Later option and “Do not ask again until the next update is available”?

For starters, the property that controls this setting is located in a file called deployment.properties in %userprofile%\AppData\LocalLow\Sun\Java\Deployment and is named deployment.expiration.decision.10.25.2=update:

Posted in Troubleshooting

Login Issue and Mandatory Profiles

Posted by William Diaz on October 4, 2013


An interesting little quickie. After moving to mandatory profiles in a Citrix environment, a particular ActiveX web application would no longer allow logins. There was no error message of any kind, and it continued to work in another Citrix environment without mandatory profiles. I fired up Process Monitor and ran a little trace of Internet Explorer to capture everything that happened after I clicked Login. Nothing interesting really stood out, but there might be some hope in a log file I saw the application writing to:


Opening the log showed:

[W]    2013/10/03 22:46:00 PM                fyiCryptAcquireContext(): CryptAcquireContext() failure while trying to acquire the crypto context/container (GetLastError() -2146893788, (The profile for the user is a temporary profile.)) Thu Oct 03 22:46:00 2013
[I]    2013/10/03 22:46:00 PM                fyiCryptAcquireContext(): CryptAcquireContext() failed while initializing the crypto context (GetLastError()=-2146893788 (The profile for the user is a temporary profile.)), I will try and re/generate a brand new container Thu Oct 03 22:46:00 2013
[E]    2013/10/03 22:46:00 PM                fyiCryptAcquireContext(): CryptAcquireContext() failure, can’t acquire, nor create a new container (2) (GetLastError() -2146893788, (The profile for the user is a temporary profile.)) Thu Oct 03 22:46:00 2013

 

Some quick research pointed me to the Microsoft article “RSACryptoServiceProvider fails when used with mandatory profiles”. In short:

RSACryptoServiceProvider calls CryptAcquireContext API (http://msdn2.microsoft.com/en-us/library/aa379886.aspx) behind the scenes to get a handle to a key container within a CSP (Cryptographic Service Provider). CryptAcquireContext will fail with NTE_TEMPORARY_PROFILE error when called from a mandatory profile.

Mandatory profiles are read-only user profiles. Since changes to the mandatory profile cannot be saved, and per-user key containers live inside the profile, the PKI design doesn’t allow this operation, and CryptAcquireContext prevents this scenario by failing. The -2146893788 in the log above is the signed form of that HRESULT, 0x80090024 (NTE_TEMPORARY_PROFILE).
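The failure is easy to reproduce outside the application, which also makes it easy to show a vendor what their code is running into and what the alternatives are. The following is an added example written for this page, not code from the original post or from the application: it asks RSACryptoServiceProvider for a named key container the same way the ActiveX control does, maps a failure back to NTE_TEMPORARY_PROFILE, and offers the two escape hatches an application has (the machine key store, or an ephemeral key that is never persisted). It assumes .NET 2.0 or later, .NET 4.0 for -Ephemeral, and the container name WinExploredDemo is an example value.

```powershell
# Added example (not from the original post): reproduce CryptAcquireContext's
# NTE_TEMPORARY_PROFILE failure from PowerShell and show the alternatives.
# Assumes .NET 2.0+ (4.0+ for CreateEphemeralKey); "WinExploredDemo" is an example name.

$NTE_TEMPORARY_PROFILE = -2146893788   # 0x80090024, the value in the application's log

function New-DemoKeyContainer {
    param(
        [string]$Name = 'WinExploredDemo',
        [switch]$MachineStore,   # machine key store instead of the user profile
        [switch]$Ephemeral       # never persist the key, so no container is needed
    )
    $csp = New-Object System.Security.Cryptography.CspParameters
    $flags = [System.Security.Cryptography.CspProviderFlags]::NoFlags
    if ($Ephemeral) {
        $flags = $flags -bor [System.Security.Cryptography.CspProviderFlags]::CreateEphemeralKey
    } else {
        # Default behaviour: CryptAcquireContext opens/creates a per-user container under
        # %APPDATA%\Microsoft\Crypto\RSA\<SID>, which fails on a mandatory/temporary profile.
        $csp.KeyContainerName = $Name
    }
    if ($MachineStore) {
        $flags = $flags -bor [System.Security.Cryptography.CspProviderFlags]::UseMachineKeyStore
    }
    $csp.Flags = $flags
    try {
        $rsa  = New-Object System.Security.Cryptography.RSACryptoServiceProvider(2048, $csp)
        $info = $rsa.CspKeyContainerInfo
        [pscustomobject]@{
            Ok         = $true
            Container  = $info.UniqueKeyContainerName
            MachineKey = $info.MachineKeyStore
            Error      = $null
            Key        = $rsa
        }
    } catch [System.Security.Cryptography.CryptographicException] {
        # HResult is not public on older frameworks; Marshal works everywhere.
        $hr  = [System.Runtime.InteropServices.Marshal]::GetHRForException($_.Exception)
        $why = if ($hr -eq $NTE_TEMPORARY_PROFILE) {
            'NTE_TEMPORARY_PROFILE: profile is mandatory/temporary, per-user container cannot be created'
        } else {
            '0x{0:X8}: {1}' -f $hr, $_.Exception.Message
        }
        [pscustomobject]@{ Ok = $false; Container = $null; MachineKey = $null; Error = $why; Key = $null }
    }
}

function Remove-DemoKeyContainer($Result) {
    # Delete the persisted container created above (no-op for ephemeral keys).
    if ($Result.Key) {
        $Result.Key.PersistKeyInCsp = $false
        $Result.Key.Clear()
    }
}

# Usage, logged on with the mandatory profile:
#   $r = New-DemoKeyContainer;               $r.Error     # shows NTE_TEMPORARY_PROFILE
#   $r = New-DemoKeyContainer -MachineStore; $r.Container # works; Remove-DemoKeyContainer $r
#   $r = New-DemoKeyContainer -Ephemeral;    $r.Ok        # works, nothing written to disk
```

The machine key store is the usual fix vendors reach for, but it is shared by every account on that Citrix server and so is only appropriate for keys that are not user-specific. If the control only needs the key for the lifetime of the session, an ephemeral key avoids both the profile and the shared store.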

Posted in Troubleshooting Tools

Some CCM Client Workstations Failing to Install Updates

Posted by William Diaz on October 2, 2013


While browsing various workstation compliance reports, I noticed that several updates failed to install on a large number of computers. Although we don’t expect 100% compliance with thousands of workstations in our environment, there was some sort of mystery going on here, because many of the updates that failed to install failed on the same computers; they were not just random computers across the various reports. For example, below is a report of various updates that were missing from largely the same set of computers:


After some research in the CCM logs, I noticed a repetitive theme in the C:\Windows\SysWOW64\CCM\Logs\UpdatesDeployment.log: “Install not allow as another job is still in progress”:


Using the SCCM Client Center utility, we compared the time in the logs to Advertisement > Execution History and saw nothing that was actually trying to install at that time. Out of ideas, I decided to delete the root\CCM namespace (also possible with the SCCM Client Center utility) on a few of the problem workstations from the reports above. After a few minutes, I noticed the CCM cache in C:\Windows\SysWOW64\CCM\Cache being rebuilt, pulling several pending updates. The next step was to wait for the service window to pass. The next day when I came in, I remotely checked the workstations’ Setup event logs and saw that several (sometimes dozens of) pending updates had installed successfully.

Knowing that we had a problem with the CCM namespace, I followed up with some more research. My digging eventually led me to what might have been an update that was advertised to these computers but pulled before it could be deployed. Specifically, each update deployment gets a unique ID. To the CCM agent this property is known as the AssignmentID, which lives in the instances of CCM_DeploymentTaskEx1 in the root\CCM\SoftwareUpdates\DeploymentAgent namespace. I went around to several workstations from the SCCM reports, ran wbemtest.exe, and saw the same AssignmentID(s) on all of them:

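Walking machines one by one with wbemtest.exe does not scale to the list in a compliance report. The following is an added example written for this page, not code from the original post: for each client it reads the CCM_DeploymentTaskEx1 instances from root\ccm\SoftwareUpdates\DeploymentAgent over remote WMI, checks UpdatesDeployment.log on the admin share for the “Install not allow” message, and then reports the AssignmentIDs that every stuck machine has in common, which are the candidates for the pulled deployment. The computer names are examples; it assumes DCOM/WMI and C$ access to the clients, and PowerShell 3.0 or later.

```powershell
# Added example (not from the original post): survey AssignmentIDs held by the
# Software Updates deployment agent across clients and correlate with the
# "Install not allow as another job is still in progress" message.
# Assumes remote WMI and admin-share access; computer names are examples.

$computers = 'WS001', 'WS002', 'WS003'   # example names; feed these from the SCCM report

function Get-CcmAssignments([string]$Computer) {
    Get-WmiObject -ComputerName $Computer `
                  -Namespace 'root\ccm\SoftwareUpdates\DeploymentAgent' `
                  -Class CCM_DeploymentTaskEx1 -ErrorAction Stop |
        ForEach-Object {
            [pscustomobject]@{ Computer = $Computer; AssignmentId = $_.AssignmentId }
        }
}

function Test-CcmStuckInstall([string]$Computer) {
    # 64-bit clients keep the log under SysWOW64 (as in the post); 32-bit under System32.
    foreach ($p in "\\$Computer\C$\Windows\SysWOW64\CCM\Logs\UpdatesDeployment.log",
                   "\\$Computer\C$\Windows\System32\CCM\Logs\UpdatesDeployment.log") {
        if (Test-Path $p) {
            return [bool](Select-String -Path $p -SimpleMatch 'Install not allow' -Quiet)
        }
    }
    $null   # log not reachable; treated as unknown, not as stuck
}

$rows = foreach ($c in $computers) {
    try {
        $stuck = Test-CcmStuckInstall $c
        Get-CcmAssignments $c | ForEach-Object { $_ | Add-Member NoteProperty Stuck $stuck -PassThru }
    } catch { Write-Warning "$c : $($_.Exception.Message)" }
}

$stuckRows  = @($rows | Where-Object Stuck)
$stuckHosts = @($stuckRows | Select-Object -ExpandProperty Computer -Unique)

# AssignmentIDs present on every stuck machine are the ones to look up in the console.
$stuckRows | Group-Object AssignmentId |
    Where-Object { $_.Count -eq $stuckHosts.Count } |
    Select-Object @{ n = 'AssignmentId'; e = { $_.Name } }, Count |
    Format-Table -AutoSize
```

Run this before, not after, deleting root\CCM on a machine: the namespace rebuild the post describes wipes exactly the instances you want to compare, and knowing the shared AssignmentID lets you find the orphaned deployment on the server side rather than repairing clients one at a time.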

Posted in Troubleshooting, Troubleshooting Tools

The Case of Google Earth Interrupting Internet Connectivity

Posted by William Diaz on September 11, 2013


So today I received another complaint of Google Earth causing Internet connectivity problems. In the past I had ignored these because I was never able to recreate the issue, not having enough information on how it was triggered. This time I was a little more determined, so I had one of the helpdesk techs show me first hand what was happening, and armed with that I went off to install Google Earth on a lab machine and recreate it. The steps are straightforward: just do a few searches and lots of zooming or scrolling in Google Earth. At some point the telltale sign that Internet connectivity had been lost appeared, the Tour Guide pane going blank:


When operating normally, the Tour Guide pane displays images relevant to the place you are searching or viewing. At this point, any browser would also fail to connect to any external resource on the Internet, returning a page not found or other connectivity failure message. After what seemed like a couple of minutes, connectivity would be restored.

Some troubleshooting had already been done earlier by pointing the browser at an unmanaged (free-for-all) proxy, which avoided the problem. My guess at that point was that our TMG was somehow cutting the workstation’s connection for some amount of time. Why? I assumed that Google Earth was simply saturating the TMG with too many requests. Think about it: every search, zoom, scroll, and pan is basically a burst of image tile requests. Keep doing that in a short period and you are likely to trip whatever hardware or software appliance is watching for a DoS attack. To back up my hypothesis, I turned to my latest and favorite tool, Network Monitor. I started a trace, reproduced the issue, and stopped the trace. The capture was fairly large, so I needed a filter. Some quick searching through the standard filters revealed one for HTTP errors (Load Filters > HTTP > http Error). After applying the filter, I could see the issue:


502 Bad Gateway – Proxy Error (The number of HTTP requests per minute exceeded the configured limit). Some quick research pointed to the Forefront TMG article “Overview of flood mitigation”. In short, TMG rules may have to be modified or created to bypass flood mitigation for Google Earth. Rather than raising the per-client HTTP request limit globally, which weakens the protection for everything else behind the proxy, the narrower change is to add the affected clients or the Google Earth servers to the flood mitigation IP exception list. Currently, these are the two servers Google recommends for bypass:

  • maps.google.com
  • geoauth.google.com

This is also known to be an issue for home and small offices that are not behind a proxy. In those cases, it is likely the router’s firewall-DoS configuration that is the culprit.

Posted in Troubleshooting Tools

Troubleshooting Web Certificate Issues in IE

Posted by William Diaz on September 4, 2013


A while back, one of our internal servers presented an issue to us. While trying to navigate to it, we were running into the following warning: “There is a problem with this website’s security certificate…”


The real problem was that clicking the “Continue to this website (not recommended)” link didn’t let you proceed to the login page; it simply refreshed this page each time. To explore the causes of certificate issues in Windows, you simply need to enable CAPI2 logging. CAPI2 is the diagnostics channel of the Windows CryptoAPI, the component that builds and validates certificate chains. Logging is enabled from the Windows Event Viewer: select Application and Services Logs > Microsoft > Windows > CAPI2:


Right-click the Operational log and select Enable Log. Recreate the issue, right-click the log again, select Disable Log, and look at the individual events, especially the error events. You will need to scan through the Details tab to isolate the issue, as the General tab gives little away. This is not as bad as it looks; you don’t need to understand everything you are looking at, and your favorite search engine can handle the rest. In this case, I started by copying the ErrorStatus entries whose value was true into my search engine. I hit pay dirt when CERT_TRUST_HAS_WEAK_SIGNATURE pointed me to Microsoft Security Advisory 2661254: Update for minimum certificate key length. In short, that update makes CryptoAPI reject RSA keys shorter than 1024 bits. From the certificate error below, I could see that the key of the certificate the server was using was only 512 bits long:
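The same triage can be scripted so that the flag names come out in one table instead of being picked out of the Details tab event by event. The following is an added example written for this page, not code from the original post (it also covers the Netflix case in the WinHTTP post above): it enables and disables the CAPI2 Operational log with wevtutil, then pulls every error-level event since a given time and lists the child elements of each ErrorStatus node whose value attribute is true, which is exactly what the post searched for. It assumes Windows Vista or later and an elevated PowerShell 2.0+ session; the subjectName attribute lookup is a best-effort convenience and returns nothing when an event does not carry one.

```powershell
# Added example (not from the original post): CAPI2 log triage. Lists the
# CERT_TRUST_* flags that are "true" in each error event's XML.
# Assumes Vista+ and an elevated session (wevtutil needs it to toggle the log).

$log = 'Microsoft-Windows-CAPI2/Operational'

function Enable-Capi2Log  { wevtutil set-log $log /enabled:true  | Out-Null }
function Disable-Capi2Log { wevtutil set-log $log /enabled:false | Out-Null }

function Get-Capi2Errors([datetime]$Since = (Get-Date).AddMinutes(-10)) {
    # Level 2 = Error. Each event's details are XML under <UserData>.
    $filter = @{ LogName = $log; Level = 2; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        [xml]$x = $_.ToXml()
        # Elements under an ErrorStatus node with value="true" are the failing
        # chain/policy flags. local-name() sidesteps the event XML namespace.
        $flags = $x.SelectNodes("//*[local-name()='ErrorStatus']/*[@value='true']") |
                 ForEach-Object { $_.LocalName } | Sort-Object -Unique
        # Best effort: leaf certificate subject, when the event records one (assumption).
        $subj = $x.SelectSingleNode("//*[local-name()='Certificate']/@subjectName")
        [pscustomobject]@{
            Time    = $_.TimeCreated
            EventId = $_.Id
            Task    = $_.TaskDisplayName
            Subject = if ($subj) { $subj.Value } else { $null }
            Flags   = ($flags -join ', ')
        }
    }
}

# Typical run:
#   Enable-Capi2Log
#   <reproduce the browser error>
#   Disable-Capi2Log
#   Get-Capi2Errors | Format-Table -AutoSize
```

Disable the log again when done: CAPI2 logging is chatty on a busy machine, and the flag names it surfaces (CERT_TRUST_HAS_WEAK_SIGNATURE, CERT_TRUST_IS_OFFLINE_REVOCATION and friends) are the search terms that lead to the fix.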


To work around the issue, we needed to re-enable support for weak keys on those workstations that needed access to the site. To do this, open an elevated command prompt and type certutil -setreg chain\minRSAPubKeyBitLength 512. See the advisory for more command line options. This can also be set in the registry at HKLM\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config by creating a DWORD named minRSAPubKeyBitLength with a value of 512. Keep in mind that this lowers the floor for every certificate chain CryptoAPI builds on that workstation, not just for this one site, and a 512-bit RSA key can be factored with modest resources. The real fix is to reissue the server’s certificate with a 2048-bit key and then remove the override with certutil -delreg chain\minRSAPubKeyBitLength.
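Before lowering the floor on a workstation it is worth confirming that key length really is the problem, and after the server is fixed it is worth confirming the override can go. The following is an added example written for this page, not code from the original post: it reads the currently configured minRSAPubKeyBitLength (defaulting to the advisory’s 1024 when the value is absent), pulls the certificate a server presents over TLS without trusting it, and reports the RSA key size and signature algorithm against that minimum. It assumes .NET 3.5 or later for SslStream; the server name is an example parameter, and the key size lookup is for RSA certificates only.

```powershell
# Added example (not from the original post): compare a site's certificate key
# length with the CryptoAPI minimum set by KB2661254 / minRSAPubKeyBitLength.
# Assumes .NET 3.5+ (SslStream); RSA certificates only. Server name is an example.

$cfg = 'HKLM:\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config'

function Get-MinRsaKeyLength {
    # Absent value means the advisory default of 1024 bits applies.
    $v = Get-ItemProperty -Path $cfg -Name minRSAPubKeyBitLength -ErrorAction SilentlyContinue
    if ($v) { [int]$v.minRSAPubKeyBitLength } else { 1024 }
}

function Get-ServerCertificate([string]$Server, [int]$Port = 443) {
    # The callback accepts any certificate: we only want to inspect it, not trust it.
    $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
    try {
        $ssl.AuthenticateAsClient($Server)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $ssl.Dispose(); $tcp.Close() }
}

function Test-CertificateKeyLength([string]$Server, [int]$Port = 443) {
    $cert = Get-ServerCertificate $Server $Port
    $min  = Get-MinRsaKeyLength
    $bits = $cert.PublicKey.Key.KeySize        # RSA modulus length in bits
    [pscustomobject]@{
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        NotAfter      = $cert.NotAfter
        KeyBits       = $bits
        SigAlg        = $cert.SignatureAlgorithm.FriendlyName
        MinAllowed    = $min
        WillBeBlocked = ($bits -lt $min)
    }
}

# Test-CertificateKeyLength -Server 'intranet.example.com'
```

If Schannel refuses the handshake itself (which it may do for a 512-bit key), export the certificate from the browser’s certificate dialog instead and build the X509Certificate2 from the file; the comparison against Get-MinRsaKeyLength is the same. Once WillBeBlocked is false for the reissued certificate, the certutil -delreg step can be done.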

Posted in Troubleshooting

Java 7 Troubleshooting (disabled support for MD2)

Posted by William Diaz on September 4, 2013


Upon trying to connect to a vendor’s web application, a user was seeing an error pointing to a failed certificate validation:


With Java console logging enabled, the details were more specific:

com.citrix.sdk.jsse.CitrixSSLException: The certificate validation failed. 
    at com.citrix.sdk.jsse.SocketFactory.createSslSocket(Unknown Source)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at com.citrix.client.io.net.ip.proxy.o.a(Unknown Source)
    at com.citrix.client.io.net.ip.z.a(Unknown Source)
    at com.citrix.client.io.net.ip.z.a(Unknown Source)
    at com.citrix.client.module.td.tcp.TCPTransportDriver.s(Unknown Source)
    at com.citrix.client.module.td.TransportDriver.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
Caused by: javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Certificates does not conform to algorithm constraints
    at sun.security.ssl.Alerts.getSSLException(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
    at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
    at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
    at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
    at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)

Looking at the certificate, I could see it was signed with the old MD2 hash algorithm. While the user did not have this issue previously, it is worth noting we had just moved from Java 6 to Java 7, and JRE 7 disables MD2 for certification path validation by default because the algorithm is considered insecure. Some quick research confirmed this. With the site outside our control, the user still needed access to the application. Instead of downgrading to Java 6, enabling MD2 support in Java 7 is a simple matter of editing the java.security file in C:\Program Files (x86)\Java\jre7\lib\security to comment out jdk.certpath.disabledAlgorithms=MD2 or simply remove the MD2 part. Removing just MD2 is the narrower change, since commenting out the whole line also drops any other constraint on that line; either way it re-enables a broken hash for every certificate chain that JRE validates, so it belongs on the affected workstations only, until the vendor reissues the certificate:

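Done by hand across many workstations, this edit tends to turn into “comment the whole line out”. The following is an added example written for this page, not code from the original post: it backs up java.security, finds the jdk.certpath.disabledAlgorithms line, and removes only the MD2 entry while keeping whatever else is listed (later JRE 7 updates add “RSA keySize < 1024” to the same line). It assumes the default 32-bit JRE 7 path and a single-line property as shipped with JRE 7; pass -Path for another installation.

```powershell
# Added example (not from the original post): remove only MD2 from
# jdk.certpath.disabledAlgorithms in java.security, keeping other constraints.
# Assumes the JRE 7 single-line form of the property; path is the post's default.

function Enable-JavaMd2 {
    param([string]$Path = 'C:\Program Files (x86)\Java\jre7\lib\security\java.security')

    $lines = Get-Content -Path $Path
    Copy-Item -Path $Path -Destination "$Path.bak" -Force   # keep a copy for the vendor-fixed day
    $changed = $false

    $out = foreach ($l in $lines) {
        if ($l -match '^\s*jdk\.certpath\.disabledAlgorithms\s*=(.*)$') {
            # Split the comma-separated constraint list, drop the MD2 entry, rejoin the rest.
            $algs = $Matches[1] -split ',' |
                    ForEach-Object { $_.Trim() } |
                    Where-Object { $_ -and $_ -ne 'MD2' }
            $changed = $true
            if ($algs) { "jdk.certpath.disabledAlgorithms=$($algs -join ', ')" }
            else       { 'jdk.certpath.disabledAlgorithms=' }   # empty list = no constraints
        } else {
            $l
        }
    }

    if ($changed) { Set-Content -Path $Path -Value $out -Encoding ASCII }
    [pscustomobject]@{ File = $Path; Changed = $changed; Backup = "$Path.bak" }
}

# Enable-JavaMd2            # default JRE 7 path
# Enable-JavaMd2 -Path 'C:\Program Files\Java\jre7\lib\security\java.security'
```

Restoring the backup is the undo step once the vendor replaces the certificate; a custom MSI package for the JRE, as the other posts here describe, is the place to carry or drop this change consistently.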

Posted in Uncategorized