rdol
Joined: 28 Apr 2002 Posts: 20
Posted: Tue Nov 01, 2005 6:31 am Post subject: SSL URL request test and W2K3 SP1
Hi,
currently we use the latest non-beta Hostmon v. 5.38, started as a service under the Local System account. We also configured a domain account for service impersonation in the Hostmon configuration.
We applied SP1 on our W2K3-based hostmon server yesterday. All tests (including tests executed by Hostmon agents in separate DMZs) are OK, except for URL requests on SSL protected pages.
I have spent many hours investigating this; here are the results:
- we do not use a proxy, and there is no problem with our company firewall
- https://sslnt.iol.cz is accessible from a web browser on our hostmon server
- URL test is OK if I run Hostmon in application mode
- URL test is "Not found" if I run Hostmon as a service under Local System
- URL test is OK if I run Hostmon as a service under my domain admin account
It seems that a temporary solution is to run Hostmon under the domain admin account. The problem is that this service is not manageable: I do not see any icon in the systray when I am connected to the TS console. Yes, I could try to install the beta and use RCC, but unfortunately I do not like beta versions on my production servers.
Did anybody solve this issue?
Regards
Radek Dolezel
KS-Soft
Joined: 03 Apr 2002 Posts: 12795 Location: USA
Posted: Tue Nov 01, 2005 5:02 pm Post subject:
Quote: "URL test is Not found if I run Hostmon as a service under Local System"
HostMonitor does not use a "not found" status. Probably the status is "no answer"?
Have you specified the admin account on the Service page in the Options dialog (HostMonitor's Options dialog)?
Quote: "The problem is that this service is not manageable - I do not see any icon at systray when I am connected to TS console. Yes, I can try to install beta and use RCC, unfortunately I do not like beta versions on my production servers."
Yes, a service cannot display a GUI on remote desktops when you are using Terminal Services.
There is a non-beta version 5.66 that includes RCC 1.08:
www.ks-soft.net/hostmon.eng/downpage.htm
Regards
Alex
rdol
Joined: 28 Apr 2002 Posts: 20
Posted: Wed Nov 02, 2005 1:06 am Post subject:
Sorry, the status is really "No answer".
[1.11.2005 11:41:36] sslnt.iol.cz HTTPS get No answer URL request
I have specified the domain admin account on Options->Startup->Service. This is necessary because I have some tests tested by Hostmonitor. And I need to impersonate the service running under Local System to be able to access remote servers in the same domain. Is this correct? I believe so.
The problem appeared after the W2K3 SP1 installation and only with SSL-based URL requests tested by Hostmonitor when the hostmon service is started under the Local System account.
It seems SP1 denies Local System the ability to do something, maybe working with server certificates. Is there anybody who uses the same configuration (service started under Local System on W2K3 SP1) and can create a URL request to some https:// page? I would like to know if it is a general problem or only my problem. You can try https://sslnt.iol.cz/; the server certificate is signed by Thawte.
Regards
Radek
KS-Soft
Joined: 03 Apr 2002 Posts: 12795 Location: USA
Posted: Wed Nov 02, 2005 4:05 pm Post subject:
Quote: "I have specified domain admin account on Options->Startup->Service. This is necessary because I have some tests tested by Hostmonitor. And I need to impersonate service running under Local System to be able to access remote servers in the same domain. Is this correct? I believe so."
Correct.
Quote: "The problem appeared after W2K3SP1 installation and only with SSL based URL requests tested by Hostmonitor if hostmon service started under Local System account.... I would like to know if it is general problem or it is only my problem. You can try https://sslnt.iol.cz/, server certificate is signed by Thawte."
Just tested https://sslnt.iol.cz on Windows 2003 SP1 + all security patches: works fine in application and service mode, and it works under the Local System account.
Regards
Alex
rdol
Joined: 28 Apr 2002 Posts: 20
Posted: Thu Nov 03, 2005 11:27 am Post subject: Solved!
I solved it! I bet you use Internet Explorer objects for the URL request test.
My hostmon server is placed in a secure DMZ and cannot initiate any internet connection except those allowed on the firewalls (ISA 2004 and Cisco PIX).
I found that Microsoft changed the default behaviour for checking server certificate revocation in W2K3 SP1 Internet Explorer. Before SP1 the default was not to check. After SP1 the default is to check. In the GUI you can find it in the Internet Explorer menu Tools->Internet Options...->Advanced->Check for server certificate revocation (requires restart).
My hostmon server was not able to download the CA CRL file via http. The result was a slightly magic "No answer".
It was easy to revert it back to the pre-SP1 configuration. I created one registry key. The Hostmon service now runs under Local System. And the SSL tests are faster because they do not download and parse CA CRL files.
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"CertificateRevocation"=dword:00000000
Implicitly (the default) it is "CertificateRevocation"=dword:00000001
Regards
Radek
From MS pages:
"Server Certificate Revocation
Internet Explorer 6 includes support for server certificate revocation, which verifies that an issuing CA has not revoked a server certificate. This feature checks for CryptoAPI revocation when certificate extensions are present. If the URL for the revocation information is unresponsive, Internet Explorer cancels the connection."
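The post above gives the root cause (WinINet now checks revocation, the DMZ host cannot fetch the CA's CRL over plain HTTP, the connection is cancelled) and a workaround that switches the check off. The script below is an added diagnostic example; it is not from the thread and not KS-Soft's code. It reads the same CertificateRevocation value the post quotes, retrieves the target's server certificate, pulls the CRL Distribution Points URLs out of it, and tests whether each URL is reachable from this host with a short timeout, so an operator can see which outbound HTTP flows the firewall would need to allow instead of disabling the check. It assumes PowerShell 5.1 or later and an outbound path to the target on port 443; the target name is the one used in the thread, and the `-Type DWord` restore line at the end is deliberately left commented.

```powershell
# Added example, not code from the forum thread or from KS-Soft.
# Assumes PowerShell 5.1+ and outbound TCP/443 to the target.
param(
    [string]$TargetHost = 'sslnt.iol.cz',   # host name taken from the thread
    [int]$Port = 443,
    [int]$TimeoutSec = 10
)

# 1. Audit the WinINet setting the thread changes. Key path and value name are the ones
#    quoted in the post; 1 (or an absent value) means revocation checking is enabled.
$regPath = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$revocation = (Get-ItemProperty -Path $regPath -Name CertificateRevocation -ErrorAction SilentlyContinue).CertificateRevocation
if ($null -eq $revocation) { $revocation = 1 }   # absent value: default is "check" (post-SP1, per the thread)
if ($revocation -eq 0) {
    "WARNING: CertificateRevocation=0 - WinINet will accept a certificate the CA has revoked."
} else {
    "CertificateRevocation=$revocation - revocation checking is on; CRL URLs must be reachable."
}

# 2. Retrieve the server certificate. The callback returns $true only so the handshake
#    completes and the certificate can be inspected; nothing here makes a trust decision.
$tcp = New-Object System.Net.Sockets.TcpClient($TargetHost, $Port)
$acceptForInspection = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptForInspection)
$ssl.AuthenticateAsClient($TargetHost)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose(); $tcp.Dispose()
"Server certificate: $($cert.Subject) issued by $($cert.Issuer), expires $($cert.NotAfter)"

# 3. Extract CRL Distribution Points (OID 2.5.29.31). Format($true) renders the extension as
#    text with lines such as 'URL=http://...', which is what the regex picks up.
$crlExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
$crlUrls = @()
if ($crlExt) {
    $crlUrls = [regex]::Matches($crlExt.Format($true), 'URL=(http[^\s,]+)') | ForEach-Object { $_.Groups[1].Value }
}
if ($crlUrls.Count -eq 0) {
    "No CRL Distribution Points extension: WinINet has nothing to fetch for this certificate."
}

# 4. Test each CRL URL from this host. An unreachable URL is exactly the condition under which
#    WinINet cancels the connection and HostMonitor reports "No answer" (the MS text quoted above).
foreach ($url in $crlUrls) {
    try {
        $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec $TimeoutSec
        "CRL reachable:     $url (HTTP $($resp.StatusCode), $($resp.RawContentLength) bytes)"
    } catch {
        "CRL NOT reachable: $url - $($_.Exception.Message)"
        "  -> allow outbound HTTP to this URL from the monitoring host, or proxy it, rather than disabling the check."
    }
}

# 5. Once the CRL URLs are reachable, revocation checking can be restored to the default
#    (remove the line comment to apply; requires a restart of the WinINet client process).
# Set-ItemProperty -Path $regPath -Name CertificateRevocation -Value 1 -Type DWord
```

Run it on the monitoring host itself, under the same account the service uses, because that is where the outbound filtering applies. The thread's workaround (CertificateRevocation=0) makes the URL test pass and faster, but it also means a revoked certificate on a monitored site is no longer noticed; allowing the CRL URLs listed by step 4 through the DMZ firewall keeps the check in place. KS-Soft's reply below notes that the URL test goes through wininet.dll while the HTTP test uses winsock directly, which is why this Internet Explorer setting affects one test method and not the other.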
KS-Soft
Joined: 03 Apr 2002 Posts: 12795 Location: USA
Posted: Thu Nov 03, 2005 12:01 pm Post subject:
Quote: "I bet you use Internet Explorer objects for URL request test."
Yes, the URL test method uses wininet.dll. The HTTP test method works directly with winsock.
Glad you solved the problem. And thank you for the information, it can be useful for other people.
Regards
Alex