Friday, January 27, 2012

SCCM server with SQL DB installed was unable to register its service principal name (SPN)

In my case the SCCM server, with the SQL Server 2005 service running under Local System (not recommended by SQL Server best practice), was unable to register its SPN in AD. There is also an event for this behaviour in the application log, event ID 26037 with source MSSQLSERVER:

The SQL Network Interface library could not register the Service Principal Name (SPN) for the SQL Server service. Error: 0x2098, state: 15. Failure to register an SPN may cause integrated authentication to fall back to NTLM instead of Kerberos. This is an informational message. Further action is only required if Kerberos authentication is required by authentication policies.

The reason for this behavior is that someone has (somehow) removed the permission that allows the computer account where SCCM and SQL were installed to register its SPN:



From the properties of the computer account you can see that the permission Validated write to service principal name is missing. After allowing (setting) the Validated write to service principal name permission, the SPN for the SQL Server was successfully registered in AD.
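The same check done from PowerShell rather than the account properties dialog, as an added example that is not part of the original post: it reports whether SELF still holds the Validated-SPN right on the computer object, lists the SPNs currently registered, and pulls the 26037 events. It assumes the RSAT ActiveDirectory module is installed and uses a placeholder host name.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory module
# (AD: drive) is available and that the script runs as a user who can read the ACL.
Import-Module ActiveDirectory

function Test-ValidatedSpnRight {
    param([Parameter(Mandatory=$true)][string]$ComputerName)

    # Documented rightsGuid of the Validated-SPN extended right in the AD schema
    $validatedSpnGuid = [Guid]'f3a64788-5306-11d1-a9c5-0000f80367c1'
    $selfRight = [int][System.DirectoryServices.ActiveDirectoryRights]::Self

    $computer = Get-ADComputer -Identity $ComputerName -Properties servicePrincipalName
    $acl = Get-Acl -Path ("AD:\" + $computer.DistinguishedName)

    # SQL Server running as Local System writes the SPN as the computer account
    # itself, so we need an Allow ACE for SELF (S-1-5-10) that covers the
    # Validated-SPN right, either explicitly (ObjectType = the GUID) or via a
    # validated-write ACE with no ObjectType restriction (Guid.Empty).
    $self = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-10')
    $ace = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.ActiveDirectoryRights -band $selfRight) -ne 0) -and
        ($_.ObjectType -eq $validatedSpnGuid -or $_.ObjectType -eq [Guid]::Empty) -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $self
    }

    New-Object PSObject -Property @{
        Computer             = $computer.Name
        HasValidatedSpnRight = [bool]$ace
        RegisteredSpns       = @($computer.servicePrincipalName)
    }
}

# 'SCCM01' is a placeholder for the SCCM/SQL host
Test-ValidatedSpnRight -ComputerName 'SCCM01' | Format-List

# The informational event the post quotes (ID 26037, source MSSQLSERVER)
Get-WinEvent -FilterHashtable @{LogName='Application'; ProviderName='MSSQLSERVER'; Id=26037} `
    -MaxEvents 5 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Message
```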

How to change multivalued properties on Exchange 2010 (SP1,SP2) ?

In my case I wanted to change (add) the trusted domains (senders) in the junk mail filter settings for the members of a distribution group. Set-MailboxJunkEmailConfiguration is the cmdlet for adding (changing) trusted senders and domains in a user's Outlook safe senders list. TrustedSendersAndDomains is a multivalued property, and values can be added or removed with the following simple syntax without overwriting the values already present:

Get-DistributionGroupMember -Identity "alias" | Set-MailboxJunkEmailConfiguration -TrustedSendersAndDomains @{Add='emailaddress@domain.name','domain2.name', ...}

Get-DistributionGroupMember -Identity "alias" | Set-MailboxJunkEmailConfiguration -TrustedSendersAndDomains @{Remove='emailaddress@domain.name','domain2.name', ...}

This syntax can be used for changing any multivalued property, not just the TrustedSendersAndDomains property.
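An added example (not from the original post) that wraps the @{Add=...} form in a function: it reads each member's current list, only adds entries that are missing, and reports the count before and after, so an overwrite of the existing list is easy to spot. It assumes the Exchange Management Shell; the group alias and domain names are placeholders.

```powershell
# Added example (not from the original post). Run from the Exchange Management Shell.
function Add-TrustedSenderToGroup {
    param(
        [Parameter(Mandatory=$true)][string]$GroupAlias,
        [Parameter(Mandatory=$true)][string[]]$SendersOrDomains
    )

    Get-DistributionGroupMember -Identity $GroupAlias |
        Where-Object { $_.RecipientType -like '*Mailbox' } |   # skip contacts and nested groups
        ForEach-Object {
            $id = $_.Identity
            $before = @((Get-MailboxJunkEmailConfiguration -Identity $id).TrustedSendersAndDomains)

            # Only add what is missing. @{Add=...} merges into the multivalued property;
            # passing a plain array (-TrustedSendersAndDomains $list) would REPLACE it.
            $missing = @($SendersOrDomains | Where-Object { $before -notcontains $_ })
            if ($missing.Count -gt 0) {
                Set-MailboxJunkEmailConfiguration -Identity $id -TrustedSendersAndDomains @{Add = $missing}
            }

            $after = @((Get-MailboxJunkEmailConfiguration -Identity $id).TrustedSendersAndDomains)
            New-Object PSObject -Property @{
                Mailbox = $_.Name
                Added   = $missing.Count
                Before  = $before.Count
                After   = $after.Count   # should equal Before + Added, never less
            }
        }
}

# Placeholder group alias and trusted entries
Add-TrustedSenderToGroup -GroupAlias 'sales' -SendersOrDomains 'partner.example', 'alerts@vendor.example' |
    Format-Table Mailbox, Before, Added, After -AutoSize
```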

Friday, January 20, 2012

How to allow access to a certificate's private key for an IIS 7.5 application?

In the older days of IIS, access to the private key of a web application's certificate was typically granted using winhttpcertcfg. For IIS 7.5, permission to access the certificate private key can be granted using the MMC console:


Clicking on Manage Private Keys will open the standard security dialog, where the permission can be granted to the IIS application pool identity (IIS AppPool\"app pool name").
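The scripted equivalent of the Manage Private Keys dialog, as an added example that is not part of the original post: it locates the key file behind a machine certificate and grants the application pool identity Read (rather than Full Control) on it. It assumes IIS 7.5 on Windows Server 2008 R2, where machine certificates use a CSP key container under MachineKeys; the thumbprint and pool name are placeholders.

```powershell
# Added example (not from the original post). Run elevated.
function Grant-PrivateKeyReadToAppPool {
    param(
        [Parameter(Mandatory=$true)][string]$Thumbprint,
        [Parameter(Mandatory=$true)][string]$AppPoolName
    )

    $cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint"
    if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key" }
    if (-not $cert.PrivateKey) { throw "Private key is not a CSP key; this helper handles CSP containers only" }

    # CSP-based machine keys are stored as files named after the unique container name
    $container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
    $keyFile = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$container"
    if (-not (Test-Path $keyFile)) { throw "Key file not found: $keyFile" }

    # Application pool identities are addressed as 'IIS AppPool\<pool name>'.
    # Read is all the worker process needs to use the key; avoid Full Control.
    $identity = "IIS AppPool\$AppPoolName"
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($identity, 'Read', 'Allow')

    $acl = Get-Acl -Path $keyFile
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyFile -AclObject $acl

    # Return the resulting app pool entries so the change can be reviewed
    (Get-Acl -Path $keyFile).Access |
        Where-Object { $_.IdentityReference -like 'IIS AppPool\*' } |
        Select-Object IdentityReference, FileSystemRights, AccessControlType
}

# Placeholder thumbprint and application pool name
Grant-PrivateKeyReadToAppPool -Thumbprint '0123456789ABCDEF0123456789ABCDEF01234567' -AppPoolName 'MyWebApp'
```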

File is locked for editing by 'another user'

In my case, the end user was unable to edit an Excel file located on a network share:


In searching for 'another user', I confirmed that no other user had this document open and that the antivirus real-time scanners were disabled on both the local and the server machines. There is a Microsoft KB, http://support.microsoft.com/kb/814112, suggesting to avoid setting Full Control on the share and NTFS permissions. Unfortunately, the suggested KB didn't change the behavior that the file is locked for editing.
In the quest for 'another user' I ended up finding that the sharing violation was being caused by Windows Explorer trying to collect file info like size, author, date etc. So, after turning off:
  • Details Pane (Organize -> Layout -> Details Pane)
  • "Show pop-up description for folder and desktop items" (Tools -> Folder Options -> View tab)
  • Preview Pane (Organize -> Layout -> Preview Pane)
the end user was able to open the document for editing.

Wednesday, January 18, 2012

Asking yourself which w3wp.exe worker process represents which IIS 7.5 application pool?

In my case I had to find which IIS 7.5 application pool was running under which w3wp.exe process on Exchange 2010 servers. In Task Manager you can enable the PID column to identify the w3wp.exe processes:


In IIS 7 and 7.5 there is the appcmd utility, located in %windir%\system32\inetsrv, which will help you identify the w3wp.exe worker processes using appcmd list wp:
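An added example (not from the original post) that does the PID-to-pool mapping in one step: it parses the output of appcmd list wp and cross-checks it against each w3wp.exe command line, where the pool name is passed as the -ap argument. It assumes IIS 7/7.5 with appcmd at its default location and an elevated shell.

```powershell
# Added example (not from the original post). Run elevated on the IIS server.
function Get-W3wpPoolMap {
    $appcmd = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'
    if (-not (Test-Path $appcmd)) { throw "appcmd not found at $appcmd" }

    # appcmd output lines look like:  WP "1234" (applicationPool:DefaultAppPool)
    $fromAppcmd = @{}
    & $appcmd list wp | ForEach-Object {
        if ($_ -match 'WP "(\d+)" \(applicationPool:(.+)\)') {
            $fromAppcmd[[int]$matches[1]] = $matches[2]
        }
    }

    # Independent view from the process table: w3wp.exe is started with -ap "<pool>"
    Get-WmiObject -Class Win32_Process -Filter "Name='w3wp.exe'" | ForEach-Object {
        $pid = [int]$_.ProcessId
        $poolFromArgs = $null
        if ($_.CommandLine -match '-ap "([^"]+)"') { $poolFromArgs = $matches[1] }

        New-Object PSObject -Property @{
            PID          = $pid
            AppPool      = $fromAppcmd[$pid]
            PoolFromArgs = $poolFromArgs
            WorkingSetMB = [math]::Round($_.WorkingSetSize / 1MB, 1)
            Consistent   = ($fromAppcmd[$pid] -eq $poolFromArgs)   # false means a stale/rogue process
        }
    }
}

Get-W3wpPoolMap | Sort-Object AppPool | Format-Table PID, AppPool, PoolFromArgs, WorkingSetMB, Consistent -AutoSize
```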

Thursday, January 5, 2012

Error events FSEAgent event ID 8056 and Microsoft Forefront Protection event ID 7063

In my case, on one of the Exchange 2010 multi-role servers with Forefront Protection 2010 for Exchange installed, error events from FSEAgent with event ID 8056:
1 messages have been archived and purged due to an error while scanning. Please ensure that mail is not queuing.
 
and from Microsoft Forefront Protection with event ID 7063:
Archived undeliverable items exist.
started to appear every hour. As the error message suggests, there was one message that was not processed, and the queues were not piling up, so the user was notified to remove the problematic attachments and resend the message. To stop these error events from showing up in the Exchange 2010 application log, I deleted the "problematic" message from the sub folder (in my case) in drive:\install folder\Microsoft Forefront Protection for Exchange Server\Data\Archive\Undeliverable\ .
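An added example (not from the original post) for reviewing before deleting: it lists the items sitting in the Undeliverable archive folder together with the recent 8056/7063 events, so the failing message can be matched to the hourly errors and the sender notified. The archive path is a placeholder for the installation folder mentioned above.

```powershell
# Added example (not from the original post). $ArchiveRoot must point at
# <drive>:\<install folder>\Microsoft Forefront Protection for Exchange Server\Data\Archive\Undeliverable
function Get-ForefrontUndeliverableReport {
    param(
        [Parameter(Mandatory=$true)][string]$ArchiveRoot,
        [int]$Hours = 24
    )
    $since = (Get-Date).AddHours(-$Hours)

    # The two event IDs the post describes; filter on provider name afterwards
    # because the exact source strings differ between the agent and the product log
    $events = @(Get-WinEvent -FilterHashtable @{LogName='Application'; Id=8056,7063; StartTime=$since} `
                -ErrorAction SilentlyContinue |
               Where-Object { $_.ProviderName -match 'FSEAgent|Forefront' })

    # Archived items: anything under the Undeliverable folder (subfolders included)
    $items = Get-ChildItem -Path $ArchiveRoot -Recurse -ErrorAction Stop |
        Where-Object { -not $_.PSIsContainer } |
        Select-Object FullName, Length, LastWriteTime

    New-Object PSObject -Property @{
        EventCount    = $events.Count
        LastEvent     = if ($events.Count -gt 0) { $events[0].TimeCreated } else { $null }
        ArchivedItems = @($items)
    }
}

# Placeholder path; replace with the real Undeliverable folder
$report = Get-ForefrontUndeliverableReport -ArchiveRoot 'D:\FPE\Microsoft Forefront Protection for Exchange Server\Data\Archive\Undeliverable'
"{0} matching events in the last 24h (last at {1}); {2} archived item(s)" -f `
    $report.EventCount, $report.LastEvent, $report.ArchivedItems.Count
$report.ArchivedItems | Format-Table FullName, Length, LastWriteTime -AutoSize
```

Once the item has been identified and the user handled, removing it (as the post does) stops the hourly events; an empty ArchivedItems list with events still appearing points at a different cause.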