As a server administrator, primarily focused on IIS, I like spending time in the IIS forums . I frequently see questions related to URL Rewrite rules so I wanted to make a guide for the plethora of information that is available on the Internet. The most obvious place to start is on www.iis.net itself. Section 5 of the site is dedicated to the URL rewrite module containing dozens of individual articles devoted to URL Rewrite. You can start here and find all kinds of helpful articles. If you want to...(read more)

Its been a big month for LeanSentry! We've released several big features to help make supporting and troubleshooting IIS/ASP.NET apps way easier, including smart alerts, automatic error highlighting, server diagnostics, and more. Read on for the juicy Read More......(read more)

In a mixed language environment where the server name or domain name contains international characters, you might encounter an error at the time of enabling replication. The event viewer messages will tell you that “Hyper-V failed to enable replication for virtual machine” and “The server name or address could not be resolved (0x00002EE7)”. The problem could seem a little perplexing because pinging the same FQDN might work just fine. The problem occurs because of Hyper-V Replica’s dependency on HTTP.

To work around the issue, an exception rule needs to be added to the primary server’s name resolution policies. Follow these steps to create the rule:

1. Open the Local Group Policy Editor (Gpedit.msc).
2. Under Local Computer Policy, expand Computer Configuration, Windows Settings, and then click Name Resolution Policy.
3. In the Create Rules area, click FQDN, and then enter the Replica server FQDN that was failing.
4. On the Encoding tab, select the Enable Encoding check box, and make sure that UTF-8 with Mapping is selected.
5. Click Create.

   The rule appears in the Name Resolution Policy Table.

6. Click Apply, and then close the Local Group Policy Editor.
7. From an elevated command prompt, run the command gpupdate to update the policy.

Microsoft IIS Server has what appears to be an odd default for the application pool recycle time. It defaults to 1740 minutes, which is exactly 29 hours. I’ve always been a bit curious where that default came from. If you’re like me, you may have wondered Read More......(read more)

I came across an issue today where a website had a dependency on the SQL Server Native Client 10.0, which is part of SQL Server 2008. A recent upgrade to SQL Server 2012 caused SQL Server Native Client 11.0 to be installed and version 10.0 to be uninstalled. Different versions of the Native Client can be installed side-by-side, and fortunately there is also a redistributable installation. The documentation shows the redistributable located at %CD%\Setup\ on the installation disk. That is great if...(read more)

Hola

Alguien se ha entretenido en coleccionarlos y publicarlos en esta Wiki de TechNet

• E-Book Gallery for Microsoft Technologies

Saludos

David Cervigón

Windows Server 2012 introduces fundamental improvements that make it a cloud-ready operating system. The capabilities provide a flexible and scalable solution which opens up a wide range of opportunities for hosting providers to build new cloud services.

This blog post is co-authored by Uma Mahesh, Senior Program Manager and Yigal Edery, Principal Program Manager in the Windows Server division. The blog article is based on Yigal’s TechEd talk on “Building Hosted Public and Private Clouds Using Windows Server 2012”

In this post, Contoso.com, a Washington DC based fictitious company, replicates its business critical VMs to a hosting provider offering DR as a cloud service.   This article describes integration between different Windows Server 2012 features to enable a complete end to end service which hosting providers (or ‘hoster’) can offer. It uses Hyper-V Replica, Network Virtualization and Remote Access (including both site-to-site (S2S) VPN  &  DirectAccess), which enables a hoster to build a complete, multi-tenant disaster recover (DR) service, using Windows Server 2012.

The technology building blocks are:

1. Hyper-V Replica: Hyper-V Replica in Windows Server 2012 allows you to replicate multiple VMs from different tenants on single physical host.
2. Hyper-V Network Virtualization: Hyper-V Network Virtualization allows a multiple  tenant virtual networks with overlapping IP address space to be created on the same hoster physical network yet providing isolation between tenant network. A replicated VM of a tenant can be brought live in a dedicated virtual network  for the tenant in the hosting provider’s physical   network.
3. Site-to-Site VPN support: Using the S2S VPN solution which is available in Windows Server 2012 (which includes support for S2S VPN over IPsec), tenants can connect to their respective virtual network in the hoster premises.
4. DirectAccess with multi-pathing: Multi-Pathing enables employees of  each tenants to connect to the on-premises DA under normal operations. If the replicated VMs are brought up in the hosting provider premises (say, due to a disaster in the tenant’s site), employees smoothly failover to the hoster DA server and through it to the replicated VMs in their respective virtual network with the hoster.

In this article, we will demonstrate the steps required to set up a deployment to replicate a mission critical app (which is hosted in a VM) from the customers premise to a hoster. When a disaster strikes the customer premises, the administrator fails over to the replicated VM (on the hosting provider premises) which comes up with the same IP address. Clients using DA can seamlessly be routed to the service that’s currently up and running in the hosting provider premises.

 

The topology is as follows:

Contoso.com’s Washington site consists of  an:

1. Edge Gateway (EDGE1) is a Windows Server 2012 VM in which Remote Access is configured.  EDGE1 connects to Internet via a NIC  (131.107.0.2) which connects to the Internet Router (131.107.0.1). It also connects to rest of Contoso’s corporate network (10.0.0.0/24) via another NIC (10.0.0.2, 2001:db8:dc::1)      
2. Domain controller DC1 (10.0.0.1, 2001:db8:dc::1)      
3. Applications server APP1 ((10.0.0.1, 2001:db8:dc::1)  run as VMs on another  WS2012 Hyper-v Server (ContosoP1 – also referred to as the “Primary Server”).  Hyper-V Replica is enabled on this (APP1) VM and the VM is replicated to a Windows Server 2012 Hyper-V server on the hosting provide premises (HosterR1 – also referred to as the “Replica Server”) .

Client:

1. Client1 is a client VM of Contoso that is connected to Internet (131.107.0.200)    
2. DA is configured on Client1 which ensures that it can connect to  Contoso’s corporate  network and access  applications like APP1. Client1 is not concerned whether APP1 is physically present in Washington site or in hoster network as it accesses the application by it’s name  app1.corp.contoso.com using DireactAccess. Furthermore, it can connect to DA server in the enterprise viz, EDGE1 or connect to DA server of Contoso at the hoster premises 3-DAS1. If connectivity to any DA server is lost,  the DA connection automatically reconnects to other active DA server.

Hosting Provider:

1. HosterGW, which is running on Windows Server 2012,  is connected to “Internet” (131.107.0.101). The hoster’s internal network is 192.168.1.101.     
2. NAT is enabled on HosterGW so that applications/services (like Hyper-V Replica )  on  hoster internal network  (eg:HosterR1 ,192.168.1.101) are available over Internet.  HosterR1 can host VMs directly created on it or replicated to it using Hyper-v Replica. 
3. HosterGW machine hosts GW VMs per tenant  so that  the hoster can provide connectivity  between the tenant’s virtual network and  tenant’s on-prem network. In this topology, ContosoCloudGW VM is the S2S VPN GW for Contoso. This VM connects the contoso virtual network at hoster to the contoso corporate network. Hyper-V Network Virtualization is used to create the Contoso’s virtual network of 10.0.0.0/24, 10.6.0.0/24, 2001:db8:dc::/48 and 2001:db8:dc::/48 (collectively called the Customer Address space or CA) over the hoster’s  address space  192.168.1.0/24 (called Provider Address space  or PA).

 

Building the above deployment

Step 1: Building Contoso’s environment

This step is similar to creating the base environment for DA. The test lab guide which demonstrates Direct Access single server setup has detailed steps on creating the environment. Once the steps are completed, you will have a setup where Client1 from Internet (directly connected or behind NAT) can access APP1 over Direct Access as shown in the below diagram.

Step 2: Building Hosters’s environment

The objectives of the hosting provider are:

• Allow Contoso.com to bring VMs with an IP of their choice
• Connect Contoso VMs back to their on-prem network.
• Allow customers to replicate their on-prem VMs to the hosting provider

2a) Steps required to “bring your own IP address”

Hyper-V Network Virtualization (HNV) allows Contoso to bring VMs with an IP address to the hoster. The following cmdlets demonstrate how HNV can be deployed on two hosts viz., HosterGW & HosterR1.

In this example, HosterGW has two NICs one connected to “Internet” (131.107.0.101) and once connected to hoster internal network (192.168.1.101). HosterR1 has one NIC connected to hoster internal network(192.168.1.111). The following PS cmdlets need to be run on both HosterGW and HosterR1 to configure HNV.

# Rename the NIC connected to internal network as “WnvNIC” and run the following cmdlets $WnvNIC = "WnvNIC" $WnvDRV = "ms_netwnv"   Disable-NetAdapterBinding $WnvNIC -ComponentID $WnvDRV Enable-NetAdapterBinding $WnvNIC -ComponentID $WnvDRV   # Run the following cmdlets to enable Contoso virtual network   # ContosoCloudGW 10.6.0.2 New-NetVirtualizationLookupRecord -CustomerAddress "10.6.0.2" -ProviderAddress "192.168.1.101" -VirtualSubnetID "5001" -MACAddress "00155d05df03" -Rule "TranslationMethodEncap" -VMName "ContosoCloudGW-v4" New-NetVirtualizationLookupRecord -CustomerAddress "0.0.0.0" -ProviderAddress "192.168.1.101" -VirtualSubnetID "5001" -MACAddress "00155d05df03" -Rule "TranslationMethodEncap" -VMName "wildcard v4" New-NetVirtualizationLookupRecord -CustomerAddress "2001:db8:ba::2" -ProviderAddress "192.168.1.101" -VirtualSubnetID "5001" -MACAddress "00155d05df03" -Rule "TranslationMethodEncap" -VMName "ContosoCloudGW-v6" New-NetVirtualizationLookupRecord -CustomerAddress "::" -ProviderAddress "192.168.1.101" -VirtualSubnetID "5001" -MACAddress "00155d05df03" -Rule "TranslationMethodEncap" -VMName "wildcard v6"   #ContosoCloudDAServer New-NetVirtualizationLookupRecord -CustomerAddress "10.6.0.6" -ProviderAddress "192.168.1.111" -VirtualSubnetID "5001" -MACAddress "00155d059701" -Rule "TranslationMethodEncap" -VMName "ContosoCloudDAServer-v4" New-NetVirtualizationLookupRecord -CustomerAddress "0.0.0.0" -ProviderAddress "192.168.1.111" -VirtualSubnetID "5001" -MACAddress "00155d059701" -Rule "TranslationMethodEncap" -VMName "wildcard v4" New-NetVirtualizationLookupRecord -CustomerAddress "2001:db8:ba::6" -ProviderAddress "192.168.1.111" -VirtualSubnetID "5001" -MACAddress "00155d059701" -Rule "TranslationMethodEncap" -VMName "ContosoCloudDAServer-v6" New-NetVirtualizationLookupRecord -CustomerAddress "::" -ProviderAddress "192.168.1.111" -VirtualSubnetID "5001" -MACAddress "00155d059701" -Rule "TranslationMethodEncap" -VMName "wildcard v6"   #ContosoCloudDC New-NetVirtualizationLookupRecord -CustomerAddress "10.6.0.3" -ProviderAddress "192.168.1.111" -VirtualSubnetID "5001" -MACAddress "00155d059700" -Rule "TranslationMethodEncap" -VMName "ContosoCloudDC-v4" New-NetVirtualizationLookupRecord -CustomerAddress "2001:db8:ba::3" -ProviderAddress "192.168.1.111" -VirtualSubnetID "5001" -MACAddress "00155d059700" -Rule "TranslationMethodEncap" -VMName "ContosoCloudDC-v6"   #Customer Routes for VSID 5001 New-NetVirtualizationCustomerRoute -RoutingDomainID "{11111111-2222-3333-4444-000000005001}" -VirtualSubnetID "5001" -DestinationPrefix "10.6.0.0/24" -NextHop "0.0.0.0" -Metric 255 New-NetVirtualizationCustomerRoute -RoutingDomainID "{11111111-2222-3333-4444-000000005001}" -VirtualSubnetID "5001" -DestinationPrefix "0.0.0.0/0" -NextHop "10.6.0.2" -Metric 255 #New-NetVirtualizationCustomerRoute -RoutingDomainID "{11111111-2222-3333-4444-000000005001}" -VirtualSubnetID "5001" -DestinationPrefix "10.0.0.0/24" -NextHop "10.6.0.2" -Metric 255 #New-NetVirtualizationCustomerRoute -RoutingDomainID "{11111111-2222-3333-4444-000000005001}" -VirtualSubnetID "5001" -DestinationPrefix "10.2.0.0/24" -NextHop "10.6.0.2" -Metric 255   New-NetVirtualizationCustomerRoute -RoutingDomainID "{11111111-2222-3333-4444-000000005001}" -VirtualSubnetID "5001" -DestinationPrefix "2001:db8:ba::/48" -NextHop "::" -Metric 255 New-NetVirtualizationCustomerRoute -RoutingDomainID "{11111111-2222-3333-4444-000000005001}" -VirtualSubnetID "5001" -DestinationPrefix "2001:db8:dc::/48" -NextHop "2001:db8:ba::2" -Metric 255 New-NetVirtualizationCustomerRoute -RoutingDomainID "{11111111-2222-3333-4444-000000005001}" -VirtualSubnetID "5001" -DestinationPrefix "2001:db8:fa::/48" -NextHop "2001:db8:ba::2" -Metric 255 New-NetVirtualizationCustomerRoute -RoutingDomainID "{11111111-2222-3333-4444-000000005001}" -VirtualSubnetID "5001" -DestinationPrefix "2001:db8:ba:1000::/64" -NextHop "2001:db8:ba::6" -Metric 255   #App1 New-NetVirtualizationLookupRecord -CustomerAddress "10.0.0.80" -ProviderAddress "192.168.1.111" -VirtualSubnetID "5002" -MACAddress "00155db1c505" -Rule "TranslationMethodEncap" -VMName "APP1-v4" New-NetVirtualizationLookupRecord -CustomerAddress "2001:db8:dc::80" -ProviderAddress "192.168.1.111" -VirtualSubnetID "5002" -MACAddress "00155db1c505" -Rule "TranslationMethodEncap" -VMName "APP1-v6"   *Replace the MAC addrersses if required

On the HosterGW, run the following cmdlets:

$iface = Get-NetAdapter $WnvNIC New-NetVirtualizationProviderAddress -InterfaceIndex $iface.InterfaceIndex -ProviderAddress "192.168.1.101" -PrefixLength 24   # Make sure the adapter name is correct Rename-VMNetworkAdapter -vmname ContosoCloudGW -Name "Network Adapter" -NewName "Wnv-CA-NIC" Set-VMNetworkAdapter "ContosoCloudGW" -Name "Wnv-CA-NIC" -VirtualSubnetID 5001; Get-VMNetworkAdapter "ContosoCloudGW" | where {$_.MacAddress -eq "808080808002"} | Set-VMNetworkAdapter -VirtualSubnetID 5002

 

On HosterR1, run the following cmdlets:

$iface = Get-NetAdapter $WnvNIC New-NetVirtualizationProviderAddress -InterfaceIndex $iface.InterfaceIndex -ProviderAddress "192.168.1.111" -PrefixLength 24 New-NetVirtualizationProviderRoute -InterfaceIndex $iface.ifIndex -DestinationPrefix "0.0.0.0/0" -NextHop "192.168.1.101"   # Make sure the adapter name is correct Rename-VMNetworkAdapter -vmname ContosoCloudDAServer -Name "Network Adapter" -NewName "Wnv-CA-NIC" Set-VMNetworkAdapter "ContosoCloudDAServer" -Name "Wnv-CA-NIC" -VirtualSubnetID 5001;   # Make sure the adapter name is correct Rename-VMNetworkAdapter -vmname 3-APP1 -Name "WnvNic" -NewName "Wnv-CA-NIC" Get-VMNetworkAdapter "ContosoCloudDC" | where {$_.MacAddress -eq "00155d059700"} | Set-VMNetworkAdapter -VirtualSubnetID 5001 Set-VMNetworkAdapter App1 -Name "Private Corpnet" -VirtualSubnetID 5002 –Passthru

Step 2b: Connect Contoso VMs back to their on-prem network.

While the above steps create the necessary network infrastructure to create Contoso virtual network the following steps are required to create the VMs and ensure that the VMs are able to connect to Contoso on-prem network.

On HosterGW:

• Create a Windows Server 2012 VM ContosoCloudGW with 2 VM NICs
• Connect one VM NIC to the V-Switch connecting to Internet NIC (131.107.0.101)  and another VM NIC to V-switch connecting to Internal NIC.
• Configure MAC address of internal VM NIC as 00155d05df03
• Configure the following IP address scheme:
• Assign IPv4 address 10.6.0.2/24 &2001:db8:6::2/64 to NIC connected to internal NI
• Create site-to-site VPN connections between  ContosoCloudGw & EDGE1 using the following cmdlets

ipmo servermanger add-windowsFeature -name routing -IncludeManagementTools ipmo remoteaccess install-remoteaccess -vpntype vpns2s –IPv6Prefix 2001:db8:6:200::/64 -IPAddressRange ("10.6.0.200","10.6.0.210") Add-VpnS2SInterface EDGE1 131.107.0.2 -Protocol IKEv2 -AuthenticationMethod PSKOnly -SharedSecret abc -IPv4Subnet10.2.0.0/24:100 –IPv6Subnet2001:db8:2::/48:100 ##On EDGE1 : Add-VpnS2SInterface 3-EDGE1 131.107.0.30 -Protocol IKEv2 -AuthenticationMethod PSKOnly -SharedSecret abc -IPv4Subnet 10.6.0.0/24:100 –IPv6Subnet 2001:db8:6::/48:100

• The above steps ensure that  VMs of Contoso hosted @ the hoster are accessible from Contoso  Washington site and  Internet Via DirectAccesss from EDGE1.

  Step 2c: Configure Hyper-V Replica

This replica server is ‘published’ using the hoster’s GW via regular HTTPS (customers use cert-based authentication to replicate).

The following links illustrate on how to achieve this:

• Create certificates using makecert – Appendix C of the Understanding and Troubleshooting guide for Hyper-V Replica
• (or) Create certificates from a standalone CA
• (or) Create certificates from an Enterprise CA
• Setup replication for the virtual machine using the certificate based authentication.

Since EDGE1 is acting as DA server it will not allow any non-IPsec traffic thru it. In general customer deployment there would be an IPS device in front of EDGE1. In the above topology to allow HTTPS HVR traffic thru EDGE1, we need to disable IPsec dosp with the following cmdlet

netsh ipsecdosprotection set miscellaneous defaultblock=disable

As Hyper-V Replica takes on the end-server name (not IP address) as input, you could resolve the server name by making an entry in the host file of ContosP1. To achieve this, add an entry in %systemdrive%\drivers\etc\hosts

131.107.0.101 HosterR1

Similarly on HosterR1, add the following entry in hosts file

131.107.0.101 ContosP1

Step 3: Configuring Cloud DA site on top of Hyper-v Network Virtualization:

Now that  we have ensured the the VMs are replicated to the hoster we need to provide and option to Contoso employees  to connect  to their  replicated VMs  from Internet even if Washington DA server is not available.  This is done by deploying a DA server in Contoso cloud. Since DA in WS 2012 supports multiple DA sites, all that’s required here is to enable  a new  Cloud DA entry point.  Following diagram  describes the topology.

Here are the steps to configure DA cloud site:

Configure NAT on 3-EDG1

1. Open rrasmgmt.msc
2. Right click on IPv4 general node

3. Click new Routing Protocol…

 

4. Select NAT

5. Right click on NAT node.

     

6. Select New Interface.

7. Select the interface connected to Internet.

   

8. In NAT tab, select Public Interface connected to private network and check “Enable NAT on this interface” option.

9. Select services and ports tab, select “Secure web server (HTTPS) option

 

     

 

     

Enter the IP address of 3-DAS1, 10.6.0.6 in Private address.

Configure 3-DAS1

Configure IP address 10.6.0.6/24 (default route 10.6.0.2) & 2001:db8:2::/64 (default route 2001:db8:6::/64) with DNS server as 10.0.0.1/24, 10.2.0.1/24 & 2001:db8:1::1/64, 2001:db8:2::1/64 respectively.

1. In the Server Manager console, click Local Server, and then in the Properties area, next to Avez-CA-NIC , click the link.

2. Right-click Avez-CA-NIC, and then click Properties.

3. Click Internet Protocol Version 4 (TCP/IPv4), and then click Properties.

4. Click Use the following IP address. In IP address, type 10.6.0.6, in Subnet mask, type 255.255.255.0.

5. Click Use the following DNS server addresses. In Preferred DNS server, type 10.0.0.1, and in Alternate DNS server, type 10.2.0.1.

6. Click Advanced, and then click the DNS tab.

7. In DNS suffix for this connection, type corp.contoso.com, and then click OK twice.

8. Click Internet Protocol Version 6 (TCP/IPv6), and then click Properties.

9. Click Use the following IPv6 address. In IPv6 address, type 2001:db8:6::6, in Subnet prefix length, type 64. Click Use the following DNS server addresses, and in Preferred DNS server, type 2001:db8:1::1, in Alternate DNS server, type 2001:db8:2::1

10. Click Advanced, and then click the DNS tab.

12. In DNS suffix for this connection, type corp.contoso.com, and then click OK twice.

13. On the 2-Corpnet Properties dialog box, click Close.

Join 3-DAS1 to corp.contoso.com.. Configure 3-DAS1 as 3rd entry point (similar to step 12).

Obtain certificates on 3-DAS1

1. Click Start, type mmc, and then press ENTER.

2. In the MMC console, on the File menu, click Add/Remove Snap-in.

3. On the Add or Remove Snap-ins dialog box, click Certificates, click Add, click Computer account, click Next, click Local computer, click Finish, and then click OK.

4. In the console tree of the Certificates snap-in, open Certificates (Local Computer)\Personal.

5. Right-click Personal, point to All Tasks, and then click Request New Certificate.

6. Click Next twice.

7. On the Request Certificates page, select the Client-Server Authentication and the Web Server 2008 check boxes, and then click More information is required to enroll for this certificate.

8. On the Certificate Properties dialog box, on the Subject tab, in the Subject name area, in Type, select Common name.

9. In Value, type 3-DAS1.contoso.com, and then click Add.

10. In the Alternative name area, in Type, select DNS.

11. In Value, enter 3-DAS1.contoso.com, and then click Add.

12. On the General tab, in Friendly name, type IP-HTTPS Certificate.

13. Click OK, click Enroll, and then click Finish.

14. In the details pane of the Certificates snap-in, verify that new certificates with the names 3-DAS1.contoso.com and nls.corp.contoso.com were enrolled with Intended Purposes of Server Authentication, and a new certificate with the name 3-DAS1.corp2.corp.contoso.com was enrolled with Intended Purposes of Client Authentication and Server Authentication.

15. Close the console window. If you are prompted to save settings, click No.

Install the Remote Access role on 3-DAS1

1. Click Start, click Server Manager, and in the Dashboard, click add roles.

2. Click Next three times to get to the server role selection screen.

3. On the Select Server Roles dialog, select Remote Access, click Add Required Features, and then click Next.

4. On the Select features dialog, expand Remote Server Administration Tools, expand Role Administration Tools, and then select Remote Access Management Tools, and then click Next.

5. Click Next four times.

6. On the Confirm installation selections dialog, click Install.

7. On the Installation progress dialog, verify that the installation was successful, and then click Close.

To add 3-DAS1 as third entry-point

1. In the Remote Access Management Console of Edge-1, in the Tasks pane, click Add an Entry Point.

2. In the Add an Entry Point Wizard, on the Entry Point Details page, in Remote Access server, type 3-DAS1.corp.contoso.com, in Entry point name, type 3-Edge1-Site, and then click Next.

3. On the Network Topology page, click Behind NAT, and then click Next.

4. On the Network Name/IP Address page, in Type the public name or IP address to which remote access clients connect, type 3-Das1.contoso.com, and then click Next.

5. On the Network Adapters page, make sure that the External adapter is Internet, and the Internal adapter is 2-Corpnet, and then click Next.

6. On the Prefix Configuration page, in IPv6 prefix assigned to client computers, type 2001:db8:2:2000::/64, and then click Next.

7. On the Client Support page, click Allow client computers running Windows 7 to access this entry point, and click Add.

8. On the Select Groups dialog box, in Enter the object names to select, type Win7_Clients_Site2, click OK, and then click Next.

9. On the Client GPO Settings page, click Next.

10. On the Server GPO Settings page, click Next.

11. On the Network Location Server page, click Browse. On the Windows Security dialog box, click the nls.corp.contoso.com certificate, click OK, and then click Next.

12. On the Summary page click Commit.

13. On the Applying Server Configuration dialog box, click Close and then on the Add an Entry Point Wizard, click Close.

14. Manually Add subnet 20.6.0/24 & 2001:db8:6::/48 in AD site on DC1.

Open Active Directory sites and serices UI from Server Manger on DC1:

     

 

Configure 3-DC1:

Deploy 3-DC1 as  replica DC VM .  Configure IP address 10.6.0.3/24 & 2001:db8:6::3/64 with DNS server as 10.0.0.1/24 & 2001:db8:1::1/64 respectively. Join 3-DC1 to corp.contoso.com.

Now employees of Contoso could connect to either EDGE1 or 3-DAS1 via DirectAccess and access VMs in Washington site or VMs hosted  in  Contoso virtual network @ hoster.

In case of a disaster at Washington site, managed machines (laptops) of Contoso connect to 3-DAS1, DirectAccess Server hosted in Contoso virtual network @ hoster and access application  VMs like APP1 that are recovered using Hyper-V Replica.

Step 5: Validating Disaster Recover as a service

The Hoster  infrastructure in place to replicate the apps. In our case,  Hyper-V server is also running a per-customer DA server and domain controller.

Now that everything is setup lets simulate failover of Washington site and see how it works:

 

• Bring down Contoso Washington site by shutting down EDGE1 & ContosoP1 hosts
• Use Hyper-V Replica to failover the VM on Hoster
• VM APP1 now comes up with same IP address as it had @ Washington site
• Clients of Contoso are now redirected automatically to 3-DAS1 by DA configuration.
• Clients can now access APP1 VMs.
• Validate  that clients can continue to work with minimal service interruption.

The convergence of these platform technologies in Windows Server 2012 provides a big & seamless opportunity for hosters to build powerful services such as Disaster Recovery. Try it out and let us know your experience!

I've written a lot of walkthroughs and blog posts about creating custom FTP providers over the past several years, and I usually include instructions for adding these custom providers to IIS. When you create a custom FTP authentication provider, IIS has a user interface for adding that provider to FTP. But if you are adding a custom home directory or logging provider, there is no dedicated user interface for adding those types of FTP providers. In addition, if you create a custom FTP provider that requires settings that are stored in your IIS configuration, there is no user interface to add or manage those settings.

With this in mind, I include instructions in my blogs and walkthroughs that describe how to add those type of providers by using AppCmd.exe from a command line. For example, if you take a look at my How to Use Managed Code (C#) to Create an FTP Authentication and Authorization Provider using an XML Database walkthrough, I include the following instructions:

Adding the Provider

1. Determine the assembly information for the extensibility provider:
   • In Windows Explorer, open your "C:\Windows\assembly" path, where C: is your operating system drive.
   • Locate the FtpXmlAuthorization assembly.
   • Right-click the assembly, and then click Properties.
   • Copy the Culture value; for example: Neutral.
   • Copy the Version number; for example: 1.0.0.0.
   • Copy the Public Key Token value; for example: 426f62526f636b73.
   • Click Cancel.
2. Using the information from the previous steps, add the extensibility provider to the global list of FTP providers and configure the options for the provider:
   • At the moment there is no user interface that enables you to add properties for custom authentication or authorization modules, so you will have to use the following command line:
     
     cd %SystemRoot%\System32\Inetsrv
     
     appcmd.exe set config -section:system.ftpServer/providerDefinitions /+"[name='FtpXmlAuthorization',type='FtpXmlAuthorization,FtpXmlAuthorization,version=1.0.0.0,Culture=neutral,PublicKeyToken=426f62526f636b73']" /commit:apphost
     
     appcmd.exe set config -section:system.ftpServer/providerDefinitions /+"activation.[name='FtpXmlAuthorization']" /commit:apphost
     
     appcmd.exe set config -section:system.ftpServer/providerDefinitions /+"activation.[name='FtpXmlAuthorization'].[key='xmlFileName',value='C:\Inetpub\XmlSample\Users.xml']" /commit:apphost
   • Note: The file path that you specify in the xmlFileName attribute must match the path where you saved the "Users.xml" file on your computer in the earlier in this walkthrough.

This example adds a custom FTP provider, and then it adds a custom setting for that provider that is stored in your IIS configuration settings.

That being said, there is actually a way to add custom FTP providers with settings like the ones that I have just described through the IIS interface by using the IIS Configuration Editor. This feature was first available through the IIS Administration Pack for IIS 7.0, and is built-in for IIS 7.5 and IIS 8.0.

Before I continue, if would probably be prudent to take a look at the settings that we are trying to add, because these settings might help you to understand the rest of steps in this blog. Here is an example from my applicationhost.config file for three custom FTP authentication providers; the first two providers are installed with the FTP service, and the third provider is a custom provider that I created with a single provider-specific configuration setting:

<system.ftpServer>
  <providerDefinitions>
    <add name="IisManagerAuth" type="Microsoft.Web.FtpServer.Security.IisManagerAuthenticationProvider, Microsoft.Web.FtpServer, version=7.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    <add name="AspNetAuth" type="Microsoft.Web.FtpServer.Security.AspNetFtpMembershipProvider, Microsoft.Web.FtpServer, version=7.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" />
    <add name="FtpXmlAuthorization" type="FtpXmlAuthorization, FtpXmlAuthorization, version=1.0.0.0, Culture=neutral, PublicKeyToken=426f62526f636b73" />
    <activation>
      <providerData name="FtpXmlAuthorization">
        <add key="xmlFileName" value="C:\inetpub\FtpUsers\Users.xml" />
      </providerData>
    </activation>
  </providerDefinitions>
</system.ftpServer>

With that in mind, in part 1 of this blog series, I will show you how to use the IIS Configuration Editor to add a custom FTP provider with provider-specific configuration settings.

Step 1 - Open the IIS Manager and click on the Configuration Editor at feature the server level:

Step 2 - Click the Section drop-down menu, expand the the system.ftpServer collection, and then highlight the providerDefinitions node:

Step 3 - A default installation IIS with the FTP service should show a Count of 2 providers in the Collection row, and no settings in the activation row:

Step 4 - If you click on the Collection row, an ellipsis [...] will appear, and when you click that, IIS will display the Collection Editor dialog for FTP providers. By default you should see just the two built-in providers for the IisManagerAuth and AspNetAuth providers:

Step 5 - When you click Add in the Actions pane, you can enter the registration information for your provider. At a minimum you must provide a name for your provider, but you will need to enter either the clsid for a COM-based provider or the type for a managed-code provider:

Step 6 - When you close the Collection Editor dialog, the Count of providers in the Collection should now reflect the provider that we just added; click Apply in the Actions pane to save the changes:

Step 7 - If you click on the activation row, an ellipsis [...] will appear, and when you click that, IIS will display the Collection Editor dialog for provider data; this is where you will enter provider-specific settings. When you click Add in the Actions pane, you must specify the name for your provider's settings, and this name must match the exact name that you provided in Step 5 earlier:

Step 8 - If you click on the Collection row, an ellipsis [...] will appear, and when you click that, IIS will display the Collection Editor dialog for the activation data for an FTP provider. At a minimum you must provide a key for your provider, which will depend on the settings that your provider expects to retrieve from your configuration settings. (For example, in the XML file that I provided earlier, my FtpXmlAuthorization provider expects to retrieve the path to an XML that contains a list of users, roles, and authorization rules.) You also need to enter the either the value or encryptedValue for your provider; although you can specify either setting, should generally specify the value when the settings are not sensitive in nature, and specify the encryptedValue for settings like usernames and passwords:

Step 9 - When you close the Collection Editor dialog for the activation data, the Count of key/value pairs in the Collection should now reflect the value that we just added:

Step 10 - When you close the Collection Editor dialog for the provider data, the Count of provider data settings in the activation row should now reflect the custom settings that we just added; click Apply in the Actions pane to save the changes:

That's all that there is to adding a custom FTP provider with provider-specific settings; I admit that it might seem like a lot of steps until you get the hang of it.

In the next blog for this series, I will show you how to add custom providers to FTP sites by using the IIS Configuration Editor.

(Cross-posted from http://blogs.msdn.com/robert_mcmurray/)

A customer asked me a question a little while ago that provided me the opportunity to recycle some code that I had written many years ago. In so doing, I also made a bunch of updates to the code to make it considerably more useful, and I thought that it would make a great blog.

Here's the scenario: a customer had hundreds of user accounts created, and he wanted to use the FTP service's User Isolation features to restrict each user to a specific folder on his FTP site. Since it would take a long time to manually create a folder for each user account, the customer wanted to know if there was a way to automate the process. As it turns out, I had posted a very simple script in the IIS.net forums several years ago that did something like what he wanted; and that script was based off an earlier script that I had written for someone else back in the IIS 6.0 days.

One quick reminder - FTP User Isolation uses a specific set of folders for user accounts, which are listed in the table below.

User Account TypesHome Directory Syntax Anonymous users %FtpRoot%\LocalUser\Public Local Windows user accounts

(Requires Basic authentication.)

%FtpRoot%\LocalUser\%UserName% Windows domain accounts

(Requires Basic authentication.)

%FtpRoot%\%UserDomain%\%UserName%

Note: %FtpRoot% is the root directory for your FTP site: for example, C:\Inetpub\Ftproot.

That being said, I'm a big believer in recycling code, so I found the last version of that script that I gave to someone and I made a bunch of changes to it so it would be more useful for the customer. What that in mind, here's the resulting script, and I'll explain a little more about what it does after the code sample.

Option Explicit ' Define the root path for the user isolation folders. ' This should be the root directory for your FTP site. Dim strRootPath : strRootPath = "C:\Inetpub\wwwroot\" ' Define the name of the domain or the computer to use. ' Leave this blank for the local computer. Dim strComputerOrDomain : strComputerOrDomain = "" ' Define the remaining script variables. Dim objFSO, objCollection, objUser, objNetwork, strContainerName ' Create a network object; used to query the computer name. Set objNetwork = WScript.CreateObject("WScript.Network") ' Create a file system object; used to creat folders. Set objFSO = CreateObject("Scripting.FileSystemObject") ' Test if the computer name is null. If Len(strComputerOrDomain)=0 Or strComputerOrDomain="." Then ' If so, define the local computer name as the account repository. strComputerOrDomain = objNetwork.ComputerName End If ' Verify that the root path exists. If objFSO.FolderExists(strRootPath) Then ' Test if the script is using local users. If StrComp(strComputerOrDomain,objNetwork.ComputerName,vbTextCompare)=0 Then ' If so, define the local users container path. strContainerName = "LocalUser" ' And define the users collection as local. Set objCollection = GetObject("WinNT://.") Else ' Otherwise, use the source name as the path. strContainerName = strComputerOrDomain ' And define the users collection as remote. Set objCollection = GetObject("WinNT://" & strComputerOrDomain & "") End If ' Append trailing backslash if necessary. If Right(strRootPath,1)<>"\" Then strRootPath = strRootPath & "\" ' Define the adjusted root path for the container folder. strRootPath = strRootPath & strContainerName & "\" ' Test if the container folder already exists. If objFSO.FolderExists(strRootPath)=False Then ' Create the container folder if necessary. objFSO.CreateFolder(strRootPath) End If ' Specify the collection filter for user objects only. objCollection.Filter = Array("user") ' Loop through the users collection. For Each objUser In objCollection ' Test if the user's account is enabled. If objUser.AccountDisabled = False Then ' Test if the user's folder already exists. If objFSO.FolderExists(strRootPath & "\" & objUser.Name)=False Then ' Create the user's folder if necessary. objFSO.CreateFolder(strRootPath & "\" & objUser.Name) End If End If Next End If

I documented this script in great detail, so it should be self-explanatory for the most part. But just to be on the safe side, here's an explanation of what this script is doing when you run it on your FTP server:

• Defines two user-updatable variables:
  • strRootPath - which specifies the physical path to the root of your FTP site.
  • strComputerOrDomain - which specifies the computer name or the domain name where your user accounts are located. (Note: You can leave this blank if you are using local user accounts on your FTP server.)
• Creates a few helper objects and determines the local computer name if necessary.
• Checks to see if the physical path to the root of your FTP site actually exists. before continuing.
• Creates a connection to the user account store (local or domain).
• Determines the container folder name that be the parent directory of user account folders, and creates it if necessary. (See my earlier note about the folder names.)
• Defines a filter for user objects in the specifies account repository. (This removes computer accounts and such from the operation.)
• Loops through the collection of user accounts, checks each account to see if it is enables, and creates a folder for each user account if it does not already exist.

That's all for now. ;-]

(Cross-posted from http://blogs.msdn.com/robert_mcmurray/)

The latest edition of IIS newsletter is available. Lots of great links and information! http://www.iisnewsletter.com/archive/march2013.html Thank you, Steve Schofield ASP.NET/IIS MVP http://www.iislogs.com/steveschofield Rick Barber http://rick.barberfamilyonline.com...(read more)

We announced a release of a final version of Smooth Streaming Plugin for Open Source Media Framework (OSMF). Please read Cenk's blog post for details. Here is a quick blurb from Cenk's post: We are pleased to announce that Windows Azure Media Services team released a RTW version of Microsoft Smooth Streaming plugin for OSMF . Using Smooth Streaming OSMF plugin, you can add Smooth Streaming capabilities to existing OSMF and Strobe Media Playback players and furthermore build rich media experiences...(read more)

We are pleased to announce that Windows Azure Media Services team released a RTW version of Microsoft Smooth Streaming plugin for OSMF.  <?xml:namespace prefix = "o" ns = "urn:schemas-microsoft-com:office:office" />Using Smooth Streaming OSMF plugin, you can add Smooth Streaming capabilities to existing OSMF and Strobe Media Playback players and furthermore build rich media experiences for Adobe Flash Player endpoints using the same back-end infrastructure you use today to target Smooth Streaming playback to other devices like Win8 store apps, browser and so on. This version of the Smooth Streaming plugin includes the following capabilities and works with OSMF 2.0 APIs:

• On-demand Smooth Streaming playback (Play, Pause, Seek, Stop)
• Live Smooth Streaming playback (Play)
• Live DVR functions (Pause, Seek, DVR Playback, Go-to-Live)
• Support for video codecs – H.264
• Support for Audio codecs – AAC
• Multiple audio language switching with OSMF built-in APIs
• Max playback quality selection with OSMF built-in APIs
• This version only supports OSMF 2.0

The initial release notes are available through MS Download Center and can be found here.For getting started with this new plugin, you can download the Smooth Streaming plugin for OSMF from the MS Download Center. Basic information for building an OSMF player with Smooth Streaming plugin and loading Smooth Streaming dynamic plugin to Strobe Media Player, can be found here.

Feedback

If you have feature requests, or want to provide general feedback—we want to hear it all! Please use the Smooth Streaming plugin for OSMF Forum thread to let us know what’s working, what isn’t, and how we can improve your Smooth Streaming development experience for OSMF applications.  

 

From time to time I encounter a website that is maxing out the server’s CPU. In previous versions of IIS, there were two basic options. One, you could do nothing. Or two, you could kill the worker process for a specified number of minutes. Neither is a good option for a production website, ultimately causing administrators to scramble for a sandbox solution for the site (especially if there are other sites running on this same server) and developers to drop everything to help track down the offending...(read more)

This looks real interesting and I thought I’d pass along. IISpeed is a port of Google’s mod_PageSpeed designed to work with Microsoft’s IIS server software. IIS is one of the most popular servers on the web, powering millions of web-sites, and we are excited to bring the full power of PageSpeed optimization to the Windows platform. IISpeed works by minification and compression of HTML-code and resources, reducing the time spent while waiting for the transfer of a webpage to complete. At the same...(read more)

Windows Azure Web Sites has recently been upgraded to a new version. Among all the improvements and bug fixes in the new version there is one change that fixes a known issue with update of WordPress plugins . There have been numerous questions about this problem at the Azure Web Sites forum . After the service upgrade the Windows Azure Web Sites now uses a newer version of WinCache – 1.3.4 . This version has a fix for for the plugin update problem. I tried it and was able to update all of plugins...(read more)

Windows Azure Web Sites has recently been upgraded to a new version. Among all the improvements and bug fixes in the new version there is one change that fixes a known issue with update of WordPress plugins. There have been numerous questions about this problem at the Azure Web Sites forum.

After the service upgrade the Windows Azure Web Sites now uses a newer version of WinCache – 1.3.4. This version has a fix for for the plugin update problem. I tried it and was able to update all of plugins on my site without a problem:

Other PHP related changes in this release of WAWS include newer PHP version (5.3.19) and support for UTF-8 encoding for server variables REQUEST_URI and PATH_INFO.

A colleague at Microsoft just sent me a pointer to this video of his 5th grade son showing you how to use Hyper-V to create a virtual machine:

http://blogs.technet.com/b/yungchou/archive/2013/03/18/are-you-smarter-than-a-5th-grader-in-creating-hyper-v-virtual-machine-and-installing-windows-server-2012.aspx

This seems like an excellent idea for our next Hyper-V advertising campaign!

Cheers,
Ben

I have been spending some time working with the free version of Hyper-V server recently (available here: http://www.microsoft.com/en-us/server-cloud/hyper-v-server/default.aspx).  It is lots of fun to see just how much you can do with this free software (hint: you can do everything you can with Hyper-V on a full installation of Windows).

However – one thing that I realized quickly was that I did not like the default login experience.  Normally, when you login to a Hyper-V server you will get a command prompt and a running instance of the Server Configuration tool:

This is all fine and good when you are first setting the server up.  But after then it gets a bit annoying.  The reality is that most of the time you will be managing Hyper-V remotely – from another Windows computer.  The only reason why you would want to login to a Hyper-V server directly is because something has gone wrong, and you need to do some troubleshooting.

Now, when it comes to troubleshooting a Hyper-V server – there are really only two things I want:

1. I want to know if all of my virtual machines are okay.
2. I want a PowerShell window so I can use the Hyper-V cmdlets to dig in deeper if I need to.

Having PowerShell launch by default is quite easy.  Just launch PowerShell from the command prompt (type in “PowerShell” and hit enter) and then run this command:

Set-ItemProperty "HKLM:\Software\Microsoft\Windows NT\CurrentVersion\WinLogon" Shell 'PowerShell.exe -WindowStyle maximized'

Now you will get a PowerShell window instead of a command prompt whenever you login.  But I wanted a bit more than that.  To get a better experience – I needed to create a PowerShell profile.  To create the profile I ran these commands:

Set-ExecutionPolicy RemoteSigned New-Item -path $profile -type file -force notepad $profile

And put the following information into the profile file:

# Maximize the window (Get-Host).UI.RawUI.BufferSize = New-Object System.Management.Automation.Host.Size(((Get-Host).UI.RawUI.MaxPhysicalWindowSize.Width-3),(Get-Host).UI.RawUI.BufferSize.Height) (Get-Host).UI.RawUI.WindowSize = (Get-Host).UI.RawUI.MaxWindowSize   # Get the colors corrected (Get-Host).UI.RawUI.ForegroundColor = "White" (Get-Host).UI.RawUI.BackgroundColor = "DarkBlue"   # Change path and clear the screen cd \ cls   # Display a welcome message write-host Welcome to $env:computername write-host write-host Current virtual machine status: get-vm write-host

The result is that when I login to my Hyper-V server now, I am presented with a full screen PowerShell window and a listing of my virtual machines straight away. Very handy. 

Cheers,
Ben

Remote Management for IIS 8 on Windows Server 2012 is a great way to connect to your site and accessing IIS features without logging in to the server. It is straight forward to configure but requires a few steps to get working properly. An alternative scenario would be if you are using a 3rd party for Windows shared hosting and you do not have administrative access to the server. You could then use IIS Manager for Remote Administration on your PC to connect to the site and maintain it. Installing...(read more)

If you didn't think that processing XML on the server side can lead to a Denial of Service, Information Disclosure or even Remote Code Execution, read on. The issues discussed here are include a class of issues that is commonly referred to as XML External Entity vulnerabilities (XXE), but are not limited to this. If you are NOT processing untrusted XML and the data comes from a trusted source this article doesn’t really apply for you but is still good to enforce safe usage for hygiene.

Most would consider XML as simple markup data, but you should actually consider it a ‘language’ that actually has powerful runtime features. These runtime features could be enabled on the server-side even if their use is not intended, and this is what unwittingly leads to XML based vulnerabilities on the server side. Following are a few of the classes of issues you could run into with XML processing.

Denial of Service

XML allows you to define entities that are essentially tokens that get replaced at runtime. Some of these are well-known, like &gt; which would get replaced by the greater than sign ‘>’. But you can actually custom define entities as in the example below.

<!DOCTYPE doc [<!ENTITY name "Nazim">]>
<doc>
    &name;
</doc>

During XML pre-processing, this XML would essentially become

<doc>
    Nazim
</doc> 

But we can go further and define entities that reference other entities, like

  <!DOCTYPE doc [
   <!ENTITY greeting “Hello">
   <!ENTITY name “Nazim">
   <!ENTITY sayhello “&greeting; &name;">
]>
<doc>
    &sayhello;
</doc>

So now the XML pre-processor has to go through multiple stages of entity expansion.

 

You have probably put 2 and 2 together at this point and see the issue already. Since this is essentially a tree structure, I can grow the number of nodes to pre-process exponentially. So something like the doc below even though small in size (<1KB) will expand out to a billion lols and can take up almost 3GB in memory. This is commonly referred to as the billion laughs attack and you can read more about it in this MSDN article.

<?xml version="1.0"?>
<!DOCTYPE lolz [
  <!ENTITY lol "lol">
  <!ENTITY lol2 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
  <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
  <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
  <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
  <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
  <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
  <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
  <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>

 

Information Disclosure

Entity expansion is not limited to string literals though. It could very well refer to external data like the example below.

<!DOCTYPE doc [    
    <!ENTITY win SYSTEM “c:\windows\win.ini">
]>
<doc>
    &win;
</doc>

If this document is somehow reflected back to the client it would result in disclosing information on the server that a client wouldn’t have access to.

Remote Code Execution

I think this is best shown by directly diving into an example.

<xsl:stylesheet version="1.0"
    xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
    xmlns:msxsl="urn:schemas-microsoft-com:xslt"
    xmlns:user="http://example.com/ns">
<msxsl:script language="C#" implements-prefix="user">
    <![CDATA[
    public string Code()
    {
        return Environment.MachineName;
    }
    ]]>
</msxsl:script>
<xsl:template match="/">
    <xsl:value-of select="user:Code()"/>
</xsl:template>
</xsl:stylesheet>

Here we have an XML style sheet that essentially has some code that is run as part of applying the style sheet. Imaging replacing the code highlighted with a payload of your choice, including things like a network scan :)

Preventing XML Entity Attacks

You essentially want to disable <!DOCTYPE> definitions (DTDs) when parsing untrusted XML. There are many APIs, that are not safe by default in this respect and you need to explicitly disable DTD resolution on an XML document. See below for API specifics.

 

Preventing XSL Attacks

This is pretty much the same as above and you want to disable DTD and XSL script support. See below for unsafe API specifics.

 

Safe XML API usage on Windows/.NET

The list below was accurate at the time this article was compiled. It is possible that updates to components may have changed the defaults, so it is always better to test your usage.

• System.Xml.XmlDocument
• Load and LoadXml UNSAFE unless you pass a safe XmlReader (DTD disabled) into it during initialization.
• InnerXml is NEVER SAFE.
• System.Xml.XmlTextReader
• UNSAFE by default in .NET 3.5 and below.
• You need to set ProhibitDtd=true to make this safe.
• .NET 4.0 and above are safe be default.
• System.Xml.Xsl.XslTransform
• UNSAFE as it supports both entities and XSL script.
• System.Xml.Xsl.XslCompiledTransform
• Safe for XSL script since this is blocked by default.
• UNSAFE for entity expansion unless a secure resolver is specified.
• Pass an instance of XmlSecureResolver or null
• System.Web.UI.WebControls.XmlDataSource
• NEVER SAFE – supports both entities and XSL script.
• MSXML 5 and below
• UNSAFE by default
• Need to set ProhibitDtd=true, AllowXsltScript=false and AllowDocumentFunction=false
• MSXML 6
• Safe by default

 

Resources

OWASP XXE Page

Adobe Reader XXE Attack

Attacking server side XML parsers (PDF)