Client certificates are a cool technology that, once setup, eliminate the need to use your password on your own website from your own devices.
This article wont run through the entire procedure for setting up a web server, Windows domain, file permissions, server certificates, or a certificate authority. I just want to convey some of the configuration pitfalls that exist in IIS 6.
Network browsing in Windows has always been a fragile system plagued with bugs and configuration pitfalls. If you’ve arrived at this page to find a solution, rest assured you are not alone.
I recently encountered a Windows 8 problem where the “Network” folder only showed the local computer and file shares. When trying the “net view” command, the response was “A remote API error occurred.” Not at all helpful, is it? The Windows 2003 domain controller was not experiencing any problems, and the Windows 8 computer showed up normally on the server.
Symptoms Identified December 8, 2013
After struggling with this dysfunctional operating system for seven months without a solution, I found the pattern that would help identify the main problem.
With only Windows XP and Windows 2003 machines on the network, everything works fine. Computers can see and browse each other without any problems.
With only Windows 8 and Windows 2003 machines on the network, network browsing may or may not work, depending on the Windows 8 network client configuration.
In a mixed environment of Windows XP, Windows 8, and Windows 2003 machines, the Windows 8 machines are sometimes able to browse the network. However, once the Windows XP machines are shut down, the Windows 8 machines are never able to browse the network.
Once I had all these variables figured out, I came up with a list of settings that are compatible across all versions.
This is a quick explanation of some more referencing quirks in PHP.
Let’s say you need to store an array in a specific variable so that another variable can be freed up and overwritten with different information. [To clarify, this array may be very large and copying it would be detrimental to performance in this particular application. For small arrays, copying and not referencing may be preferable.]
The operation for referencing the array with a new variable is quite simple:
$array_goes_here =& $need_to_free_up_this_var;
The code above will reference the array to prevent PHP from making an unnecessary copy of the whole thing.
Back in August, I mentioned the importance of disabling most versions of PPTP for security reasons, and included my own tutorial for How to Secure a Windows VPN with PEAP. That solution works great for Windows, but is not compatible with iPads.
Now I will offer a solution that works great for iPad, but may not work on Windows computers. In addition, I will explain how to get the two solutions to work together securely so that both Windows and iPad computers will be able to connect to a Windows VPN simultaneously without using the insecure versions of PPTP.
The Layer 2 Tunneling Protocol (L2TP) is an obvious choice for the iPad because it is the only supported protocol other than the insecure PPTP option. On the server side, however, there are some implementation nuances that could easily discourage the use of L2TP. I took the time to research L2TP in more depth before writing this article, because I felt that a generic recommendation could leave readers totally confused about the security issues involved. So before delving into a new tutorial, I want to explain two new concepts: L2TP Pre-Shared Key, and L2TP NAT Traversal.
A careful reading of the Microsoft recommendation against NAT-T will reveal that the underlying security problem with NAT-T is not a server problem but a client problem. In other words, Microsoft recommends that Windows XP computers not attempt to use NAT-T to connect to privately-addressed servers. The Windows 2003 server itself fully supports NAT-T out of the box and doesn’t even need to be configured to use it. This is perfect for iPad users, because iPad also supports NAT-T out of the box, and this almost eliminates the address translation challenges of using L2TP.
After replacing a UPS device, Windows may automatically delete the APCUPSD USB driver. When the computer boots up, the tray icon status will say “Network Error” and three errors will be logged in the Windows Event Viewer.
To restore APCUPSD to online status, simply re-install the USB driver by following the manual installation instructions. That information can be found in the program directory. For example, C:\Program Files\apcupsd\driver\install.txt In a nutshell, you need to look in the system’s Device Manager. If there is an item in the Human Interface Devices group named “American Power Conversion USB UPS” then the desired driver is missing. Right click that item, click “Update driver” and then pick the correct driver.
After restoring the driver, restart the APCUPSD service by using the “Start Apcupsd” shortcut in the Start menu, or by using the Services administrative tool.
Two years ago, I devised a Windows XP split tunneling solution that involved static routing. That solution had the advantage of being cheap, but also had the disadvantage of scaling poorly with any number of client computers.
Now I have a second solution that eliminates the static routing problems.
While researching new VPN security issues recently, I came across an obscure piece of information about the Windows VPN client. It is nestled cryptically in this one sentence from a Microsoft whitepaper:
When the Use default gateway on remote network check box is cleared, a default route is not created, however, a route corresponding to the Internet address class of the assigned IP address is created.
Absent any other explanation, that sentence requires some mental gymnastics to understand. Allow me to help with this.
In light of last month’s announcement by Moxie Marlinspike and David Hulton that they developed a method for decrypting Windows VPN traffic in under 24 hours, it is now important to stop using MS-CHAPv2 as a means of authenticating VPN passwords.
There is a relatively simple fix for this. Microsoft VPN servers have the ability to authenticate passwords using another protocol called PEAP, also known as PEAP-EAP-MSCHAPv2. The only reason one might avoid using PEAP in the first place is that the Microsoft documentation is confusing and describes a requirement for Public Key Infrastructure (PKI) deployment. The PKI as described in Deploying Remote Access VPNs requires anywhere from one to three servers just to issue certificates. However, it only specifies the PKI requirement for a slightly different protocol called EAP-TLS.
To be clear, PEAP does not require a full-blown PKI or even an internal Certificate Authority. You can, in fact, use the same certificate that has been, or would be, issued to a web server for SSL encryption. There is no reason to add a second certificate just for a VPN server. This also means there is no investment required in PKI if a free certificate issuer is used, such as startssl.com.
Below is a brief tutorial for configuring an existing RRAS installation with PEAP-MS-CHAPv2.