The Stone Blog

Why is Windows Server 2008 R2 being overlooked? Part 2 – Why aren’t people moving to it?

2010-03-01T18:18:02Z

Like most situations, there are legitimate reasons why some organizations/admins aren’t moving to R2, and there are many bogus reasons.

Legitimate reasons;

Core application compatibility issues. Unfortunately there are some core Microsoft applications that aren’t supported with R2 in the mix. This is very, very unfortunate and Microsoft is shooting themselves in the foot on this one. The product teams need to get themselves a little more in-sync with the OS teams on this. Many of the core apps are just listed as ‘unsupported’ which essentially means simply that the product team hasn’t certified their product for the new OS. That doesn’t mean it won’t work, just they haven’t tested it yet to make sure it does. The simple fact of Microsoft saying ‘unsupported’ means no corporation will move to the new OS. This alone really hurts adoption of R2. Below are some product examples;

Microsoft Exchange 2003/2007 – Microsoft Exchange 2010 is fully supported on R2, 2007 and 2003 are not. Honestly, that’s not a big deal as no one is going to migrate their OS for Exchange without migrating the app to the next version as well. The tricky part was that you couldn’t have R2 domain controllers with Exchange involved. That’s the problem. Things have changed in this regard. See the links below to see the evolution of this issue;

http://msexchangeteam.com/archive/2009/09/21/452567.aspx – We are not supporting R2
http://msexchangeteam.com/archive/2009/11/04/453026.aspx – We will support R2
http://msexchangeteam.com/archive/2009/11/30/453327.aspx - Releasing the fix

OCS 2007/ 2007 R2 – Office Communications Server 2007 and 2007 R2 are also un-supported on Server 2008 R2. Again, the same scenario as Exchange, you aren’t going to migrate the underlying OS of already existing production servers but the domain controller issue also exists with OCS. The other issue is that OCS is another Microsoft product that is sorely overlooked and as more and more Enterprises are learning of it’s awesomeness (yes, that’s a new word for today) they would like to build the product on the latest OS release to prevent upgrades in the future. Unfortunately they cannot do this. (This is in regards to an issue with .Net framework versions if I recall correctly.) I was actually going to help a customer add in their first 2008 R2 domain controller when we found out about the OCS issue with R2 DC’s. Needless to say the customer was very disappointed we couldn’t add an R2 DC.

This issue is going away in Q1 of this year - http://www.microsoft.com/windowsserver2008/en/us/supported-applications.aspx

So, while this was a major stumbling block for 2008 R2 adoption, Microsoft is quickly rectifying the situation. For a full list of supported applications for Server 2008 R2 and when the apps will be supported, check this link here - http://www.microsoft.com/windowsserver2008/en/us/supported-applications.aspx

Core applications are already in place. This one is fairly self evident. If you already have Exchange 2007 or OCS 2007 or Sharepoint 2007 in place, you aren’t going to migrate these core applications to a new server/OS until the next version is released. This is just fiscally responsible and realistic. For any new applications or expansion of current applications many admins will want to use R2 (again for the purpose of preventing having to do upgrades in the future) and if the application allows them to, they will. (See the above issue.)
Honestly, these are the only legitimate reasons I can think of for NOT moving to 2008 R2. If you know of any others, please let me know in the comments and I’ll update the article.

Bogus reasons;

Windows Server 2008 R2 is a ‘minor’ release. Again, this is where Microsoft is shooting themselves in the foot. The thought behind the server teams doing a ‘major’ and ‘minor’ release schedule was they thought admins were afraid of ‘major’ OS releases and therefore would be more likely to adopt ‘minor’ releases interim. I have to say I completely disagree with this assessment and here is why;

Admins know ANY CHANGE equals RISK. This doesn’t mean just the changes in the OS, but changing your production environment in any way equates some risk. Large production environments are very complex systems and one change in one arena can affect other areas of the environment you would have never expected. (For example, adding an R2 DC and suddenly OCS or Exchange starts having issues, something you wouldn’t expect to occur.) Not to mention there is the bureaucracy and red tape that you have to go through in a large IT organization to make a change to the production environment. That means if Server 2008 is billed as a ‘minor’ release, admins are going to pass on it because as a ‘minor’ release it won’t be worth the hassle and risk. I’ll just wait until the next major release, make it worth my while.
An additional note on this topic, I personally find billing R2 as a ‘minor’ release is also insulting to the product itself and all the hard work that went into it. Personally I would have loved to see Server 2008 R2 sold as ‘Windows Server 7’, and the branding alone would have spurred adoption due to the great market acceptance of Windows 7. (Obviously the Windows Phone division realized this.)

General laziness. Yep, we all know it. There are many admins out there that just plain don’t like learning anything new, and don’t like change. It’s just a job to them, and anything that causes them more work they hate. These admins are easy to spot, they are the ones that complain Microsoft releasing another product is just about ‘making more money without really doing anything other than slapping a new name on an old product with a couple of tweaks.’ Yeah, we know who you are. (By the way, DUH, of course they want to make money. It’s called Capitalism!)
Ignorance. Most admins have no idea why they SHOULD move to R2. Again, this is a failing on Microsoft for not getting the word out. I have never heard Direct Access mentioned by anyone at Microsoft or seen it really talked about in the Tech Press. There have been a few mentions but come on people, this is a POWERFUL and REVOLUTIONARY FEATURE!! Microsoft should be screaming this from the roof tops! Every time I tell an admin about it they stare at me in disbelief. Half the time they think I’m lying, then they wonder why they’ve never heard of it before. I agree with them, why haven’t they heard it before??? My advice to Microsoft is once again, work with the product teams to get your word out! Every admin has their one product they are the experts on and pride themselves on that. If every product team got the word out, you would see a huge improvement in the uptake of Server 2008 R2.
We need to wait until at least the first service pack. This is one of the lamest, stupidest excuses I always hear. Maybe, MAYBE this was true back in the Windows NT days but welcome to the 21st century people. Server 2003 in BETA was the most stable OS I had ever used and proved itself immediately in production. It’s time to stop being cowards and start being men.

Finally there’s one reason that fits in both the legitimate and bogus reasons categories.

Testing before deploying. Many organizations don’t have the time or the resources to deploy a full lab of their production environment to make sure that a new OS isn’t going to wreak havoc. This is a legitimate concern, but Microsoft has taken steps to make this easier. By providing free already configured .VHD’s of new products/OS’s, Microsoft is making it easy for admins to play with the new releases without having to install anything, and Microsoft is going to continue to find ways to make this process even easier and more accessible to even the smallest of IT shops.

So, in conclusion if you haven’t learned about 2008 R2, it’s time you started doing your research. Windows Server 2008 R2 is NOT a ‘minor’ release and should be treated with the same respect and resources that a major server OS release would. Trust me on this, and you’ll be thanking me later.

Why is Windows Server 2008 R2 being overlooked? Part 1 – Why you should look at it

2010-03-01T17:32:58Z

I have been asked by many server admins over the last year about Server 2008 R2, and every time the question essentially is, “So, is there any reason to run R2?” They ask this question assuming to already know the answer of “of course not” and are shocked when I tell them the answer is ABSOLUTELY. Now, this is just my opinion, but I believe that 2008 R2 is as big a leap from 2008, as 2008 was from 2003. Now, I’m sure I’ll hear some detractors on this, but here is why I believe this to be true in all the ways that matter.

So why is R2 so great? Well, ask yourself this. Do you think Windows 7 is far better than Windows Vista? If you answered yes, then ask yourself why? Got it? Well, the exact same reasons why you love Windows 7 over Vista are the exact same reasons you will love R2 over 2008. The resource utilization is vastly superior in R2 to 2008. In my real world experience, I have a good 33% more efficiency in an R2 server over a 2008 one. (That’s not an actual benchmarked stat, that is my observation of servers in production.) Server 2008/Vista and Windows 7/2008 R2 are the same code base and kernel. In fact, the client OS’s are now based on the Server OS’s rather than the other way around. (This happened when they scrapped Longhorn 4000 series builds and based the new code on Server 2003 rather than XP code base.)

Now, there are many new features/improvements over 2008 in R2, but I’m just going to address a few and provide you links to learn about the rest;

Hyper-V R2 – The new Hyper-V has many new features including live migration features, greater than 32GB RAM support/ >4 proc (host), etc. Plus, it’s free. To learn more, go here - http://www.microsoft.com/hyper-v-server/en/us/default.aspx
Direct Access – This is the most advanced feature added to Windows Server since well, maybe Active Directory itself. Now, while I lay claim to some credit of getting this feature into the OS (can’t talk about it :-) ) I about had a heart attack when it actually made it to the product. What is Direct Access?
- Are you familiar with RPC over HTTPS, now called ‘Outlook Anywhere’, which is where your Outlook connects securely to Exchange without a VPN and all traffic just goes over port 443? Well then, Direct Access is the same concept, except we’re talking ALL DOMAIN TRAFFIC. That means you can domain manage laptops in remote offices or at users home the EXACT SAME WAY as you would if they were on your local LAN. That means they talk to the domain before the user even logs in, applying computer and user group policies (including software deployments) access to local file and print shares, etc. You are literally looking at domain controlled computers over the WAN with no VPN’s, MPLS, etc. Users don’t have to change a thing, when the laptop is at work and when they are home, everything just WORKS!
- A couple of notes;
  - First, this requires all client computers be Windows 7+.
  - It uses some new protocols that Microsoft has implemented. A quick layman’s description, RPC inside of IPSEC inside of SSL.
  - I’ve had the documentation detailing exactly how the security layer of all this works and given it to a DOD security contractor to review. I was told it was the most secure commercial implementation he had ever seen, and thought it may even be impervious to ‘man in the middle’ attacks. Again, this was only his opinion, but I trust his opinion.
- In summary I cannot stress this enough. LEARN ABOUT DIRECT ACCESS. Get started with an over-view here - http://www.microsoft.com/downloads/details.aspx?familyid=D8EB248B-8BF7-4798-A1D1-04D37F2E013C&displaylang=en
IIS 7.5 – Don’t be scared, this isn’t the leap of IIS 7 from IIS 6. Far from it, just keep the same concepts of Windows 7 over Vista in mind here. It’s IIS 7 streamlined and more efficient. Enough said.

To learn more about why Server 2008 R2 is so awesome, and why you should switch, see the links below.

http://technet.microsoft.com/en-us/library/cc731400.aspx

http://www.microsoft.com/windowsserver2008/en/us/r2-compare-features.aspx

http://blogs.zdnet.com/perlow/?p=10743

In part 2 I’ll go into some reasons WHY you might not be able to fully go R2 yet…

Windows Phone 7 Series = Zune Phones

2010-02-15T23:34:20Z

Yep, Microsoft has finally announced the Zune Phones. Notice that’s plural, Zune Phones. That means each handset maker is going to be able to make their own dream phone. Also, they’ll have a centralized marketplace like the Apple store, except I can run any app I want that I got from anywhere, unlike the iPhone and others. Now me, my requirements are slide out keyboard (on-screen keyboards have yet to work well enough for me) and an OLED screen. Basically take the HTC Touch Pro 2 and 7 series it. Want to see more, check it out!

http://channel9.msdn.com/posts/LauraFoy/First-Look-Windows-Phone-7-Series-Hands-on-Demo/

Enjoy!

Is your data safe with Google?

2010-02-04T17:55:39Z

I’m not going to say much here as believe it or not I don’t like starting firestorms. But it begs the question, do you feel safe hosting your data with Google? This includes your search data, your email, Google docs, etc. Google has been in bed with the Government for a long time, they’ve been hacked by China, and now they’re getting in bed with the NSA. Read the article below, then let us know in the comments. Do you feel safe hosting your data with Google and tell us why you feel one way or another. I just ask you please don’t be crude in your comments. :-)

http://www.washingtonpost.com/wp-dyn/content/article/2010/02/03/AR2010020304057_pf.html

Update:

Google’s new service ‘Buzz’ is now also ripe is privacy issues. See some below articles just for starters;

Google Responds to Buzz Privacy Issues. Again

Google alters Buzz after privacy complaints

Google Apologizes for Buzz Privacy Issues

Thoughts anyone?

Updated! - Snow Leopard makes Vista ‘issues’ pale in comparison?

2009-11-06T17:16:05Z

Please, correct me if I am wrong but I am hearing from people who have upgraded their Mac’s to Snow Leopard these below major issues/disappointments (now updated with additional user feedback);

1. If you sign in as the ‘Guest’ user account, it deletes your primary profile - http://www.appleinsider.com/articles/09/10/12/snow_leopard_guest_account_bug_deletes_user_data.html (Yep, this is the release product. Even the .1 update still has this issue.)

2. Snow Leopard is a ‘64 bit’ OS, but ONLY if you hold down the 6 and 4 keys together to boot into x64. By default, the OS always boots into 32bit mode due to massive application incompatibility. (Thanks to Paul for this correction.)

3. Massive hardware issues, specifically with printers and lack of properly functioning drivers. (Hmmmm that sounds like one of the primary Vista gripes…) The shocking issue is the firmware upgrade issues. What makes this worse for Apple is that they control their hardware far stricter than Microsoft, especially on the computers themselves. (No OS can have drivers for every printer out there. Sorry people, yell at HP, not Apple on this one.)

(If you are a Snow Leopard user and you have come across other major concerns, please let us know and we’ll update this post.)

4. General software incompatibility issues, specifically with virtual machine and utility software such as anti-virus, etc. Again, doesn’t this sound exactly like one of the primary gripes with Vista? Hmm…

5. Massive stability issues. I was pointed to this one by a Snow Leopard user - http://www.ilounge.com/index.php/backstage/comments/problems-with-mac-os-x-10.6-snow-leopard-join-the-sizable-minority/

So everyone, keep the feedback coming! Other issues you’ve seen, let me know and we’ll update the post here to reflect them!

So again I ask you, where is the tech press on this? Again they prove their hypocrisy! If Vista had issues like this (or Windows 7) I think there would have been people with pitch forks standing in Redmond ready to charge Bill Gates home! So, I call upon the hypocritical and worthless Tech Press to do their job and report on issues no matter who they are with.

(Ok Apple fan boys, let the hate begin!)

So do you think Apple will be honest in their advertising (they never have before) and have their ‘cool’ I’m a Mac guy say “Hi PC, Snow Leopard is out and I’m not feeling so good, *freeze*, Oh hi PC, who am I? Where did all my files go?”
I doubt it.

WARNING! - Windows Update # – KB974571 Breaks OCS 2007 R2!!

2009-10-15T14:41:28Z

I awoke this morning to users telling me they couldn’t sign into OCS. This is very bad as we’re an 100% Enterprise Voice shop. Upon investigation the OCS Edge servers access edge service wouldn’t start. I checked the event logs and found an error stating that my ‘evaluation period had expired.’ Since I was running Volume License software this was obviously puzzling. Then I came across this article when searching Bing;

http://uc2go.wordpress.com/2009/10/14/%c2%ab-migration-from-mcafee-8-7-to-forefront-client-securitykb974571-crypto-api-update-may-break-office-communications-server-2007-r2-installations/

I uninstalled the update as they stated, rebooted, and all services came up just fine. So, I highly recommend you turn off Windows Updates on all your OCS 2007 R2 servers until Microsoft realizes this issue and comes up with a resolution.

The crack down on blogging begins…

2009-10-05T15:08:25Z

The FTC has changed it’s guidelines saying that bloggers must disclose any gifts or money paid to them by products they review. Sounds like a good thing, right? Unfortunately no. The reason why it’s a bad thing is the language is intentionally left very vague which means it becomes very subjectional what counts as ‘disclosure’ and allows them to target blogs they don’t like, even if that blog is trying to obey the law. Think I’m a conspiracy theorist? I guess we’ll just have to wait and see…

http://finance.yahoo.com/news/FTC-Bloggers-must-disclose-apf-468964868.html?x=0&.v=2

(WindowsConnected bloggers always disclose any products we are sent, who sent them, and why before we do any reviews, FYI.)

Pigeon’s do faster data transfer in Africa!

2009-09-09T16:31:41Z

http://www.therawfeed.com/2009/09/carrier-pigeon-used-to-send-data-faster.html

This isn’t a joke, a company is using carrier pigeons with usb thumb drives attached to them to transfer data between offices. While hilarious, it sounds like it’s actually a pretty good solution and whoever thought of it should get a raise… That is until someone shoots down the carrier pigeon and steals the thumb drive.

Apple losing market share, looks like ‘PC Hunter’ ads are effective…

2009-07-16T16:37:59Z

I’m sure this is going to incur the wrath of the Apple boys again but here we go!

First, apparently Apple legal contacted Microsoft to pull their ‘PC Hunter’ ads because Apple decided to drop $100 off the price of some of their laptops. Uhhh… Ok…? Sounds like a pretty stupid thing to do on Apple’s part since it would obviously have no effect whatsoever not to mention it just gives Microsoft fodder to use in the press which is exactly what they did. See the article below;

http://www.techflash.com/microsoft/Microsoft_exec_Apple_lawyers_tried_to_squelch_Windows_ads_50896452.html

Granted, we have to take the story with a grain of salt but I’m sure Apple legal did contact MS, and did ask them to pull the ads on the $100 price drop basis. Which is hilarious in what should have been it’s obvious failure before they even made the call.

Next, it would seem Apple is losing market share…

http://www.electronista.com/articles/09/07/15/idc.prelim.q2.2009/

In any case it would seem that the truth is finally starting to get out so Microsoft, keep up the good work!

Microsoft Security Essentials (Morro) is Anti-Virus actually worth having!

2009-06-24T15:49:29Z

Myself, like many of you I am sure, hate anti-virus products. In fact, I hate them so much that I haven’t ran an anti-virus product on any of my machines for a good 5 years. (I have ran them for limited runs to beta test them, etc.) Why do I hate anti-virus software? Because I have had far more problems and issues caused by anti-virus products than I’ve ever had caused by a virus. (And in those 5 years I’ve never gotten a virus because through simple common sense you can avoid infections.) They are full of bloat with ‘features’ I don’t want, they chew up massive amounts of resources, cause horrible system slowness, are incredibly in-compatible breaking apps, even caused BSD’s, etc. So, when Morro was announced that Microsoft was going to make a free, simple and clean AV product which was more about saving themselves money by preventing virus’s and thus support calls than anything else I had hope that we would finally have a simple anti-virus that does nothing but AV and stays out of my way. I figured it would still hog resources and impact system performance though.

Like many of you, I have now installed Morro and it’s shockingly simple. The install was as easy as it gets, it asked if it could automatically download updates and run a quick scan. I said yes, and the scan was done in under 10 minutes, even though I have 2 large hard drives with a lot of files on this system. It only has 3G of RAM, and an AMD 3200+ processor (so not exactly a speed demon.) Then guess what happened after that? I closed it, and it disappeared. It’s not even in my system tray by default (Windows 7) and it doesn’t harass me every day telling me that it’s updated itself. In fact, most of the day I don’t even remember it’s there. I haven’t noticed any impact on my system performance but it is working in the background. (When I ran AngryIP scanner it decided that was a possible threat, prevented the app from running and asked me what action I wanted to take. I selected allow, and it’s never bothered me about it again!) Truly this is the AV app I’ve been waiting for, and what makes it even better is that it’s free. I am now running it on all my machines in my house and have yet to have any bad experiences.

So, if you haven’t had a chance to get Morro, I suggest you get it now before the downloads stop! - http://www.microsoft.com/security_essentials/

*Update*

So, if you didn’t get your hands on Morro I’m afraid it’s too late now, the downloads have stopped. But, keep an eye on the site for the next release!

FTC to crack down on bloggers

2009-06-22T05:04:24Z

http://tech.yahoo.com/news/ap/20090621/ap_on_hi_te/us_tec_bloggers_freebie_disclosures

Now, whenever we get products from companies here at WindowsConnected.com we typically do a contest and give the hardware away to our readers and we always post honest reviews about what we think. In fact, I would say too honest and get ourselves in trouble. (I’m a perfect example of this.) So naturally, this FTC crack down has us a bit worried.

These proposed ‘revisions’ (in other words changes to law not performed by congress or elected officials but rather by appointed bureaucrats) would allow the FTC to investigate and prosecute bloggers who ‘may’ have conflicts of interest. Of course the ‘revisions’ don’t give clear boundaries on what they can investigate. Look at this line from the article;

“The common practice of posting a graphical ad or a link to an online retailer — and getting commissions for any sales from it — would be enough to trigger oversight.”

That means ANY blog, no matter what it’s about is a target because even the normal public blog sites have ads on them, and the bloggers can be paid by those sites if they generate enough hits. Even if you’ve never reviewed a product on your blog ever, you could be investigated. So, I’m confused. Wouldn’t Michael Jordan or any other celebrity have a ‘conflict of interest’ being paid to promote a product such as Haynes? Or how about paid actors that provide ‘reviews’ of a product in a commercial? Or even better, what about the paid actors pretending to be scientists and providing scientific information about products? And yet I don’t see the FTC going after them.

If the FTC truly is worried about false advertising and are not just looking for a way to exert power and influence over blogs then why aren’t they investigating the absolutely ridiculous claims of AT&T having the ‘nation’s fastest 3G network.’ That is such a blatant lie and misleading advertising and yet I don’t see anything about the FTC investigating them?

13” and 15” MacBook Pro’s have gotten downgrade….

2009-06-15T16:12:02Z

http://www.macrumors.com/2009/06/14/13-and-15-macbook-pros-have-a-slower-sata-interface/

It looks like they’ve dropped the sata controller speed, either through firmware or cheaper hardware. I’m guessing cheaper hardware.

“Fear Grips Google”

2009-06-15T14:31:43Z

I didn’t say it, the New York Post did, shockingly enough. Check the link below;

http://www.nypost.com/seven/06142009/business/fear_grips_google_174235.htm

What’s interesting is that the article after describing the panic at Google that Bing might take away market share then ends by re-assuring Google they have nothing to worry about. Well, Google isn’t stupid and is taking the threat seriously, as they should. I know I’ve switched my home page to Bing and I avoid Google like the plague now. I’ve wanted to stop using Google for a while now (due to the Google founders funding lobbying groups to eliminate ISP’s in favor of a single Government ISP) but their hadn’t been any viable alternatives until Bing.

So, if you haven’t given Bing a shot yet now’s the time, and decide for yourself.

Bing is actually BETTER than Google! Updated!

2009-05-30T05:24:21Z

I know these are fighting words, but all I’m saying is keep an open mind and give it a shot when we all finally get a crack at it. Don’t believe me? Ask Steve Wozniak - http://www.techflash.com/microsoft/Woz_Microsoft_Bingastounding_46404182.html

Also in Mary Jo Foley’s article today, she addresses the question of who will Bing take search share from and the initial consensus is Yahoo. While I think that is true and Microsoft definitely has an uphill battle against Google from a technology standpoint Bing absolutely has a shot.

I think Microsoft’s under playing Bing here and wisely so. If they came out and said “We’ve finally got something that competes head on with Google and actually beats it” people would immediately dismiss it as a failure without even trying it. Smart play MS, but I’m going to say it.

Bing is better than Google. Halleluiah, it’s about time.

Can’t wait for us all to learn for ourselves. Competition is back baby!

Just remember, I said it here first :-)

----------------------------------------------------------------------------------------------------------------------------------------

So, after some side by side comparisons with Google, here’s what I got;

So, I'll be up front. I'm not a fan of Google as a company but they have until this point by far the best search engine. So, I have used Google exclusively and as my start page for years now. Google.com/Microsoft has
been the best way to find solutions to problems with MS servers/software, etc. So, I had hopes for Bing but figured it probably still wouldn't perform anywhere near Google, until I saw it in action. My most common internet searches are 1 - problem solving, 2 - General information, 3 - commercial (such as shopping/movies, etc). So, let me give you some examples;

My initial search was for an issue I've just started experiencing with my Hyper-V servers. Here was my search criteria and experience per search engine;
Search criteria - Hyper-V certificate is expired

Bing - #1 result is the Microsoft support site with the exact issue and solution. #2 result was an MSDN blog about the issue, then ASP.NET forums post, etc. The top 3, all useful. I was shocked.

Google - #1 result, social.technet.microsoft result about an in-accurate topic, relating to an issue with the clock being off, NOT the problem or solution. #2 result a news article about Microsoft releasing a hotfix with the correct solution but a couple of clicks away. #3 result the MSDN blog about the issue, etc.

Google.com/Microsoft - #1 result is the #2 result from Google.com, etc.

First search, Bing wins hands down.

Search criteria - Star Trek

Bing - #1 result was a list of show times for local theaters with direct links. Very cool! #2 result, IMDB. Perfect. #3 result, official site, #4 result, Wikipedia, etc.

Google - #1 results, 'news' results around star trek. LAME. #2 – Official Site, #3 - IMDB, 4 - video results, etc.

Second search, Bing wins again.

So, this isn't an end all, be all, but these were my initial test searches and so far I am shocked and very glad that Bing is not only holding it's own, it's winning. I’ve been doing a lot of casual searching and so far I have remained impressed and happy with the results I am getting. All I’m saying is give Bing a legitimate chance with an open mind and I think you’ll be just as impressed as I am.

OCS 2007 R2 EE Web Services 401.1 Authentication Issue

2009-03-30T14:43:26Z

Yeah I know, the title needs work but here’s the situation.

When deploying the new Reponse Group services workflow I noticed I couldn’t do it from the local server itself (it’s a web UI) but I could do it externally through my ISA server. I also noticed that the response group service couldn’t expand the exchange distribution lists I was trying to use for my agents in the response group either, initially due to an SSL/TLS issue (Which I resolved by replacing my external web services named certificate with a SAN, and adding the server name and OCS pool names (enterprise edition) to my cert for IIS) and after I corrected that, I was getting a 401.1 login issue.

So, it very quickly became obvious that my issue was being caused by Kerberos authentication. It is a Kerberos issue because in the Enterprise Edition of OCS, everything is done via the Pool name, rather than the server name. Kerberos uses the server name to do authentication. Therefore, with Enterprise Edition, the server itself (or internal clients for that matter) will not be able to access OCS web services directly as they will attempt to use Kerberos authentication and it will fail. Since all my users are external to ISA, which passes back only NTLM authentication, I didn’t run into this issue until I needed to server itself to be able to access the web services. So, the simplest solution would be to disable Negotiate (Kerberos) authentication in IIS right? Well, unfortunately wrong, because nothing I could find anywhere (including TechNet, etc) could show me a way that actually works to turn off Kerberos authentication in IIS. For example, you’re going to come across this command in some variation;

appcmd set config /section:windowsAuthentication -/providers.[value='Negotiate']

Unfortunately, this command and every variation of it I could find does NOT work. Nor could I find a good guide to tell me how to alter the applicationhost.config file to disable negotiate, etc. So eventually I abandoned what should have been the far simpler solution and went to correct Kerberos.

Again, this wasn’t as simple as it should have been either. First I had to do a lot of SetSPN commands. Use this KB article as your guide;

http://support.microsoft.com/kb/929650/en-us

I had to do commands for the host, for http, for the authentication pool, for the user account, etc. I did them all, and it still didn’t fix the issue. So then later at the bottom of that KB is a list of ‘additional considerations’ that list things to try other than the SetSPN commands to fix Kerberos. The items I used were ‘setting the accounts for delegation in AD’ (both the computer and RTCComponentService accounts) and disabling the ‘loopback security check.’ This one has you create a DWord value in the registry. It says it is only for Server 2003 (and my OCS is on Server 2008) but it does apply to Server 2008, even though the KB doesn’t say it does, I still had to do it. The KB for it can be found here;

http://support.microsoft.com/kb/896861/

After all this and rebooting the server, Kerberos authentication began working for me and Response Group was able to expand the distribution lists. I realize this isn’t exactly the most well written post (I’ve spent a lot of time on this stupid problem) but I just wanted to get it out there to hopefully save someone else the nightmare of trying to fix this issue.