HP SIM: Performance Management Pack and Windows 2008

Published on Thursday, January 29, 2009 in ,

The customer I'm currently working at has some c7000 enclosures with Insight Control licenses which gives us the ability to monitor the servers with the HP SIM Performance Management Pack. For a windows 2003 hosts the process is quit straightforward: license, configuring logging, monitoring and sample rate and after a while all is fine.

For all our Windows 2008 hosts I encountered the following problem: at the page where the currently selected target systems get analyzed, all Windows 2008 hosts appear as licensed but they are reported as "unsupported configurations". After double checking the PMP supported OS list, I found out Windows 2008 is fully supported. What bothered me was a counter in the upper left corner which stated that there were several unreachable licensed servers.

After googling I found the following ITRC post: Error unsupported configuration which led me to a solution. I generally dislike the idea of altering database content, but I even less liked the idea of having to change the system properties of each Windows 2008 SIM object. So I came up with the following solution: The PMP_V3_0 database contains a table dbo.supported_software which contains all currently supported OS' by PMP. There are several lines which describe all 2008 flavours, though the exact names slightly mismatched what HP SIM was reporting on the System Properties summary. I simply copied the rows and altered them as seen below on the screenshot:


I'm aware that this is the type of solution which might get broken by a PMP upgrade. But it sure made the HP PMP plugin work for all our Windows 2008 hosts.


Discovering MSCS in HP SIM

Published on Wednesday, January 28, 2009 in ,

Although we figured out the necessary steps to add a Windows 2008 failover cluster to HP SIM (currently version 5.2) in our build environment, for some reason this stopped working after some time.

The necessary steps to add a cluster are described below. At first sight some steps may seem unnecessary, but in the end this has proven to be successful. Skipping some of the steps resulted in nodes being discovered with the name of the cluster and vice versa.

  • Add both nodes

  • Run an identify task on those nodes in SIM

  • Restart the SNMP service on both nodes (it will also restart some HP dependent services)

  • Run an identify task on those nodes in SIM again

  • Add the virtual IP which is used to administer the cluster

  • After performing these steps a HP SIM object should be created which represents the cluster. It should look something like this:

    HP SIM cluster object

    On the other hand, if the call seems to time out and you receive something like this:

    HP SIM Cluster error

    You might need to apply the following registry fix on all your nodes and redo the discovery process:
    Create the key: "CompaqCommonClusterAgent" below HKEY_LOCAL_MACHINE\SOFTWARE\Compaq\

    Create a String (REG_DWORD): “Pathname” with value "%SystemRoot%\\System32\\svrclu.dll" below HKEY_LOCAL_MACHINE\SOFTWARE\Compaq\CompaqCommonClusterAgent

    All credits go to "Karim H" over at HP ITRC forums: HP SIM: Cluster Monitor (ITRC Forums)


    Windows 2008: export printer queues

    Published on Wednesday, January 21, 2009 in ,

    The project I'm currently working on involves a Windows 2008 (32-bit) failover cluster dedicated to printing. The print management console, introducted with Windows 2003 R2 has an export feature which is supposed to replace the printmig utility. I like the idea of having the possiblity to save multiple sets of drivers/ print queues to a file. It's an eassy way to have a roll-back plan when some new installed driver doesn't works the way it's supposed to be working. Besides the fact that some thirdy party printer drives don't install nicely on the virtual print cluster, there seems to be an issue with the export feature. The good news is that it will be fixed in SP2 of Windows 2008.

    I noticed that even with drivers which are provided within Windows 2008, the issue exists. I simply added the HP Laserjet 4 printer driver to the drivers on the cluster:

    HP Laserjet 4

    Which is nicely installed without errors:

    Installed Printer Driver

    But when I want to save the drivers, print queues and ports:


    The following error occurs:


    When I click the event viewer button, no errors seem to have been logged:

    Event Viewer

    And if I perform a manual export by using the printbrm.exe command line utility I receive the following error:


    After using sysinternals process monitor I found out that the export utility is trying to access a share (c$) on the network name "clif01ps". This is actually the name of the printer resource, and because windows 2008 failover clusteirng uses scoped shares, the share isn't available at all at that path.

    I opened a call for this at Microsoft who confirmed they could reproduce this issue. A month later a fix was deliverd which solved the problem for us. Microsoft support confirmed the fix will be included with Windows 2008 SP2.

    Related forumpost: Microsoft Technet Forums


    HP C-Class blades: bulk iLO configuration

    Published on Tuesday, January 20, 2009 in , ,

    People working with HP RDP or the Smartstart Scripting toolkit probably know hponcfg. The HP Online Configuration utility. It can be used to configure the iLO interface of a server by means of XML files.
    Mostly you can use it just from withing the OS running on the server. Lately I found out it is also provided as an option on the Onboard Administrator.

    When opening a ssh (or telnet) session to the Onboard Administrator (the management interface of a c-class enclosure), the same tool is available. The advantage is that you can target all iLO interfaces at once.

    It could be quit usefull when you forgot the password and want to reset it or just when you have no clue about the IP which was set either manually or by dhcp. It might be used to upgrade the firmware of all iLO's at once.

    After setting up a ssh session, type help to receive an overview of the possible commands.

    hponcfg ALL << * (press enter)
    (paste iLO xml script)
    * (press enter)

    The "*" is actually a marker which should not be used in the pasted xml script. It's a way to show the command where the script begins and ends.

    Sample scripts:

  • Delete HP SIM trust

  • <RIBCL VERSION="2.0">
      <LOGIN USER_LOGIN="adminname" PASSWORD="password">
        <SSO_INFO MODE="write">
          <DELETE_SERVER INDEX="0" />

  • Configure Active Directory integration

  • <RIBCL version = "2.0">
       <LOGIN USER_LOGIN="Administrator" PASSWORD=" ">
       <DIR_INFO MODE="write">
          <DIR_LOCAL_USER_ACCT VALUE = "Y"/>
          <DIR_SERVER_ADDRESS VALUE = "domain.local"/>
          <DIR_SERVER_PORT VALUE = "636"/>
          <DIR_OBJECT_DN VALUE = ""/>
          <DIR_USER_CONTEXT_1 VALUE = "@domain.local"/>
          <DIR_USER_CONTEXT_2 VALUE = "OU=Server Admins,OU=Users,OU=site,DC=domain,DC=local"/>
          <DIR_USER_CONTEXT_3 VALUE = ""/>
       <DIR_ENABLE_GRP_ACCT value = "yes"/>
       <DIR_GRPACCT1_NAME value = "CN=IloAdmins,OU=Security,OU=Groups,OU=site,DC=domain,DC=local"/>
       <DIR_GRPACCT1_PRIV value = "1,2,3,4,5"/>

  • Configure HP SIM and trust by certificate to enable SSO

  • <RIBCL version = "2.0">
    <LOGIN USER_LOGIN="Administrator" PASSWORD=" ">
    <SSO_INFO MODE="write">
    <!-- Add an SSO server record using indirect iLO import from -->
    <!-- the network name. -->

    Other iLO XML sample scripts can be found at: HP.com

    Another usefull command available at the Onboard Administrator is the "reset" command. You can use it like this reset server 4. In this case the command would temporary remove all power from blade 4. This can be usefull when the iLO is all locked up. It saves you a walk to the datacenter.


    Configuring Kerberos authentication pass through in an IIS 7 NLB setup

    Published on Monday, January 19, 2009 in , , ,

    Setting up IIS to work with Kerberos authentication might require extra steps when working with NLB configurations. Kerberos is highly dependent of SPN's (Service Principal Names) and DNS. SPN's are defined in Active Directory and are used by the KDC (Key Distribution Center) in the Kerberos authentication process.
    When a user accesses a webservice hosted by a web server, for example http://server01.domain.local, the user will request a Kerberos ticket for the http service hosted on server01.domain.local. The KDC service in the domain will hand out such a ticket and the client will successfully retrieve the website content.
    In the NLB scenario however, we could access http://server01.domain.local and http://server02.domain.local which would work fine, but when setting up a load balancing cluster users are supposed to access the web server at http://nlbweb.domain.local. If we do visit http://nlbweb.domain.local we will notice the kerberos single sign on we had for http://server01 and http://server02 is broken.
    This can eassily be explained by the fact that there is no one responsible for the http://nlbweb.domain.local service in Active Directory. By default a computer will have two SPN's in AD: termsrv and Host. The Host SPN will be used for a services hosted by the computer which use the local system or network account. Therefore when someone accesses a service using the hostname, authentication will succeed.
    Using the setspn tool, available in the Windows 2003 support tools, or built-in in Windows 2008, we can list the registered SPN's and add SPN's.
    In a single web server setup, where we would like the users to access our site with a generic name, we could add a SPN for the dns alias:

    "setspn -A http/web server01"
    "setspn -A http/web.domain.local server01"

    Though in a NLB setup, we cannot do this. There is a simple rule to follow: a SPN for a give service should only be registered once in AD! So never add a SPN for a given service on different AD accounts. If we can't add our http/nlbweb service to server01 and server02, we have to delegate it to a user. The following steps are required:
    Create an AD user for kerberos delegation:

  • Create a dedicated user for this
  • Make sure to check trust for delegation on the user properties in aduc
  • Make this user member of the IIS_IUSR group on IIS nodes
  • Use this user as identity for the application pool used by the website
  • Add the spn's to the user AD account:  setspn -a http/nlbweb ADuser  setspn -a http/nlbweb.domain.local ADuser  Verify with setspn -l ADuser

  • Configuring the authentication on the IIS nodes:

  • open applicationhost.conf (c:\windows\system32\inetsrv\config\)
  • Locate the website you wish to configure
  • search something like <windowsAuthentication enabled="true" useKernelMode="true" />
  • change it to include useAppPoolCredentials="true": <windowsAuthentication enabled="true" useKernelMode="true" useAppPoolCredentials="true" />

  • And most important: configure the browser or the client

  • Add the URL to the local intranet zone (nlbweb and/or nlbweb.domain.local)
  • Enable windows integrated authtentication on the advanced tab (default is enabled)
  • Automatic logon only in intranet zone (default setting) (or even less restrictive: automatic logon with current username and password)

  • When testing:
    Access the website from a workstation and make sure the zone displayed is the intranet zone and not the internet. Testing the website from one of the nodes is pointless as it will use NTLM instead of kerberos.

    You might enable kerberos debug logging, though keep in mind this will give you a lot "safe to ignore" errors in your eventlogs. Set the following registry key to 1 to enable kerberos logging  (0 to disable again), a reboot is not required
    Registry Value: LogLevel
    Value Type: REG_DWORD
    Value Data: 0x1

  • Rakkimk: Enabling Kerberos Delegation on a NLB scenario
  • Ken Schaefer: New in IIS 7 - Kernel Mode Authentication
  • Care, Share and Grow!: Kerberos troubleshooting from IIS perspective
  • Microsoft.com: kb 262177 (enbable kerberos logging)


    Display authentication used when accessing an IIS website

    Published on in , ,

    When playing around with web services and kerberos, the following might be usefull determine which authentication is actually being used.

    Copy past the code below in a test.asp file, put it in the root of your web server, make
    sure asp is enabled and it will tell you what kind of authentication your are using:
    * NTLM
    * Kerberos
    * Anonymous

    DIM userID
    Dim AuthMethod
    Dim AuthType
    Dim AuthLength
    Dim AuthOther
    ' Get the authentication method being used.
    userID= Request.ServerVariables("LOGON_USER")

    Response.Write "<br> User Id = " & userID
    ' Get the authentication method being used.
    AuthMethod = Request.ServerVariables("AUTH_TYPE")
    ' Get the length of the HTTP_Authorization header (to determine Kerberos or NTLM).
    AuthLength = Request.ServerVariables ("HTTP_Authorization")
    ' If some other authentication method (other than Negotiate) is used, call it "Other".
    If LTrim(RTrim(AuthMethod)) <> "Negotiate" Then AuthOtherMethod
    ' If Negotiate is used, go straight to the subroutine to handle it.
    If LTrim(RTrim(AuthMethod)) = "Negotiate" Then AuthNegotiateMethod

    Sub AuthOtherMethod()
    ' Because anonymous authentication will be blank, be sure that you realize that it is enabled to the following:
    If LTrim(RTrim(AuthMethod)) = "" Then AuthMethod = "Anonymous"
    Response.Write "<table width=500>The user was logged in using the <B>" & AuthMethod & "</B> authentication method."
    Response.Write "<P> If you were expecting a different method to be used,"
    Response.Write " please check the settings for the resource you are accessing. Remember, selecting"
    Response.Write " multiple authentication methods, or allowing anonymous access can result in a "
    Response.Write " different method being used.</table>"
    End Sub

    Sub AuthNegotiateMethod()
    ' Typically, NTLM yields a 150 - 300 byte header, and Kerberos is more like 5000 bytes.
    If LEN(AuthLength) > 1000 Then AuthType = "Kerberos"
    If LEN(AuthLength) < 1000 Then AuthType = "NTLM"
    Response.Write "<table width=500>The <B>Negotiate</B> method was used!<BR>"
    ' Indicate the authentication method that is used to authenticate the user (and show a warning about the script).
    Response.Write "The user was logged on using <B>" & AuthType & "</B>."
    Response.Write "<P><font color=#800000><B>Please do not refresh this page</B></font>.<BR>"
    Response.Write " If you do use refresh, <B>Kerberos</B> will always show up as <B>NTLM</B>."
    Response.Write " This is because the HTTP_Authorization header is being used to determine the authentication method used."
    Response.Write " Since the second request is technically unauthenticated, the length is zero. Please open a new browser"
    Response.Write " for any subsequent requests.</table>"
    End Sub



    Speed up startup of applications

    Published on Sunday, January 11, 2009 in ,

    Often people think applications are slow for the wrong reassons, they blame memory or cpu, or even VMware. One of things I've encountered lately is that these applications are trying to accessing CRL's (Certificate Revocation Lists) on the web. When the application is being ran on a server where you simply don't have direct internet access this results in a timeout and a slow start of the application. This can can be eassily solved by changing some settings in Internet Explorer.

    Determing whether your application suffers of this phenomena is quit eassy: use the latest version of the sysinternals process monitor which has a built-in network trace. (Process Monitor)

    The following are example console who suffer from this: Microsoft SQL management, Exchange 2007 management and Citrix Xenapp management console.
    Unchecking both settings in the advanced section of your IE browser will solve the slow startup:

    Internet Explorer Advanced Settings


    AD CS: v3 templates

    Published on in ,

    For those setting up a windows 2008 certificate services server, pay attention when using templates:

    The catch here is that the webenrollment part of the Windows 2008 AD CS only can handle v1 or v2 templates. So if you choose "Windows 2008" template when duplicating your template, you will only be able to use it for auto-enrollment purposes or enrollment by the mmc. It will not appear on the certsrv website.

    When you duplicate a template in orde to change settings like the validity period, the template becomes a version 2 (Windows 2003 ) or a version 3 (Windows 2008 ) certificate. The out of the box provided certificates are version 1 certificates.