IIS Certificate Authentication for Windows 7 and Vista

In order to support the new security features of Windows 7/ Vista, Microsoft has made fundamental changes to the certificate web enrollment process that Windows Certificate Services uses to provide certificates to end users. In the past, Xenroll was the component responsible for the assignment and processing of certificate requests through the web site. It has now been replaced with CertEnroll. Unfortunately, this transition was not seamless. For months, the only way to use the Certsrv site to provide certificates to Vista was to use Windows Server 2008 or to overlay the Server 2008 ASP site over the older Xenroll-based site on Server 2003. This led to a number of problems, especially considering the lag between the release of Windows Vista and Server 2008. Fortunately, a patch has been released to allow Server 2003 to comply with the new CertEnroll process and hand out certificates to all clients.


The Hotfix can be found:


An Unexpected Result

Many companies that rely on certificate authentication for web site authentication are running into problems with Windows Vista as the enrollment process appears to work as it had before, but when navigating to the site no certificate is found. This means that you will see the normal “Choose a Digital Certificate” popup on the site, but the box is blank and no certificates are listed. This is further confusing as valid certificates appear in the certificate store on the local machine.

The problem arises in the default certificate type that is requested by Windows Vista, Windows 7 and Server 2008. Instead of the Base or Enhanced Cryptographic Provider, Windows Vista chooses another option. This is especially confusing if you are using the basic enrollment pages or even custom skinned pages as you will not see the advanced options that Vista is changing by default. Once these are changed as below, you will be able to use the certificate for user authentication as you’d expect.

Resolution Steps

  1. Navigate to the normal certsrv page on your CA
  2. On the initial Welcome page of the Certificate server, click Request a certificate, and then click Next
  3. On the Choose Request Type page, click Advanced request, and then click Next
  4. On the Advanced Certificate Requests page, click Submit a certificate request to this CA using a form, and then click Next
  5. On the Advanced Certificate Request page, complete the requesting information, as appropriate
  6. Under Type of certificate Needed, click Client Authentication Certificate
  7. Under Key Options, select Microsoft Base Cryptographic Provider v1.0, click Signature for Key Usage, and then enter 1024 for Key Size
  8. Leave the Create new key set option selected (you can clear the Container Name check box unless you want to specify a specific name), and then click Use local machine store
  9. Leave all the other options set to the default value unless you have to make a specific change
  10. Click Submit. If the Certificate Authority is configured to issue certificates automatically, the Certificate Issued page appears
  11. Click Install this Certificate. The Certificate Installed page appears with the following message: “Your new certificate has been successfully installed.”
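The same request can be made from the command line with certreq.exe, which makes the key options explicit and repeatable instead of depending on what the Vista enrollment page selects by default. The following is an added example, not code from the original post: it writes the INF that certreq reads, requests the key with the same options the steps above select (Microsoft Base Cryptographic Provider v1.0, Signature key, 1024-bit, local machine store, Client Authentication EKU), submits it to the CA and then verifies the installed certificate. The subject, the CA configuration string and the working directory are placeholders to replace; it assumes the CA issues on submit, as in step 10.

```powershell
# Added example (not from the original post): certreq.exe equivalent of the
# certsrv steps above. Placeholders: $subject, $caConfig.
$subject  = "CN=$($env:COMPUTERNAME).example.test"       # placeholder subject
$caConfig = "CAHOST.example.test\Example Issuing CA"     # placeholder "CAhost\CA name"
$work     = Join-Path $env:TEMP "clientauth"
New-Item -ItemType Directory -Path $work -Force | Out-Null

# certreq takes its request parameters from an INF file
$inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "$subject"
KeySpec = 2                       ; AT_SIGNATURE: the "Signature" choice under Key Usage
KeyLength = 1024
KeyUsage = 0x80                   ; digitalSignature
MachineKeySet = TRUE              ; "Use local machine store"
Exportable = FALSE
ProviderName = "Microsoft Base Cryptographic Provider v1.0"
ProviderType = 1                  ; PROV_RSA_FULL (legacy CryptoAPI provider, not CNG)
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.2           ; Client Authentication
"@
Set-Content -Path "$work\request.inf" -Value $inf -Encoding ASCII

# 1. generate the key pair in the machine store and build the PKCS#10 request
certreq -new "$work\request.inf" "$work\request.req"
# 2. submit to the CA; the issued certificate is written if the CA auto-issues
certreq -submit -config $caConfig "$work\request.req" "$work\issued.cer"
# 3. accept the issued certificate, binding it to the private key
certreq -accept "$work\issued.cer"

# Check: the installed certificate must be backed by the legacy CSP and carry
# the Client Authentication EKU, otherwise the site's cert picker stays empty.
Get-ChildItem Cert:\LocalMachine\My |
  Where-Object { $_.Subject -eq $subject } |
  ForEach-Object {
    $csp = $_.PrivateKey.CspKeyContainerInfo.ProviderName
    $eku = ($_.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.37" }).EnhancedKeyUsages |
           ForEach-Object { $_.Value }
    "{0}`n  provider: {1}`n  client-auth EKU present: {2}" -f $_.Subject, $csp, ($eku -contains "1.3.6.1.5.5.7.3.2")
  }
```

Run it in an elevated PowerShell session on the client, since the key is created in the machine store. If the provider line of the check reports a Key Storage Provider rather than the Base Cryptographic Provider, the request picked up the Vista default again and the certificate will not be offered for site authentication.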

Top 8 Mistakes Implementing Agile Methodologies

Agile development practices have been around for years and there seem to be evolutionary new flavors introduced almost daily.  As a testament to its mainstream appeal, even PMI is releasing an Agile certification, opening the floodgates to an organization that has long been seen as the keeper of the Waterfall keys.

As more and more organizations scramble to work in an Agile way, it seems that there are as many failed or ailing attempts as there are successful ones, though I have seen studies putting the successful adoption rate between 20 and 75% — a huge range to be sure.  Looking in from the outside and having worked with organizations making that jump, I have seen a number of trends that I want to call out.  Unfortunately, these are not cited with scientific statistical rigor, but I am hoping they are helpful nonetheless.

Just for full disclosure, I manage a Project Office responsible for delivering a wide variety of development projects in a consulting environment.  This affords a certain perspective favoring the business outcomes of adoption rather than the technical ones.  Further, I am focused on using the correct methodology to meet the situation while building reusable organization assets and collecting performance metrics.  So with that, here we go!

  1. Treating Agile as just a Development Practice rather than a Business Process — Working in an Agile way requires an understanding and realignment of your project selection, portfolio management, budgeting & funding process, requirements gathering and acceptance process.  Assuming that none of the business functions will be affected and that just the development teams will work in an agile way leads to a cognitive disconnect between the business and the delivery side — a gulch that is often there before you even try to implement agile.  This is especially true when Agile is a grassroots effort that is greenlighted without support.
     There needs to be a clear understanding of what the organization will get out of the new process and where there are opportunities to remove barriers before they are even an issue.  Failure to address these alignment issues will just lead to communication gaps and the business side demanding that you revert to the previous practices.
  2. Using Agile Coaches who don’t have a Stake in a Delivered Product — Bringing in an agile coach can be a huge benefit to your organization as teams usually learn best by doing.  Usually a team (and the business side) will need to go through a full release cycle before the process really sinks in, and an agile coach can help you to identify risks and guide the team through this.  Unfortunately, the coaches often will act as academics or shamans who want to sit in an advisory role with no real team deliverables.  Always insist that the coach work with the team in a real-life product cycle and plan for the learning curve in your capacity planning.  You’ll get a ton more out of it and will see better adoption.  This also means that you’ll be working with a coach who is a practicing professional and able to get things done.  Better yet, tie compensation to adoption metrics or success criteria for the release.
  3. Forgetting to do Sprint and Release Retrospectives — One of the biggest benefits to agile is the virtuous cycle of continuous improvement, building on the lessons from the previous iteration.  When the going gets tough or there is a perceived lag in the project, this is usually the first area to be cut.  This just bleeds the value out of the Agile process and perpetuates problems rather than learning from them. Repeat after me…   “I will not cut Retrospectives! I will not cut Retrospectives. ” (Especially as they pertain to capacity planning.)
  4. Treating Agile Development as a Replacement for Planning or Requirements — Organizationally this is usually in response to poor planning or badly defined requirements.  The thinking usually goes, “We end up in trouble trying to deliver against half-baked specs and unrealistic project plans, but if we have neither of those things, we’ll be free to just deliver (and no one can say we failed.)”  That last part is usually subconscious.
     If you can’t come to an agreement with the development team as to what you want to deliver or aren’t willing to staff the team appropriately, there is little hope that working in an Agile way will improve things much.  Yes, letting the team interact with the business directly will help to specify what is asked for, but in my experience, the issue usually lies in poor arbitration between parties with conflicting needs.  Agile doesn’t directly fix that.  Failure to address the root problems can lead to additional churn and rework.
  5. Not Having a Vision of Done — This one might be a bit contentious, but every project needs a picture of done with acceptance criteria associated with it.  Usually this is a set of stories, grouped into a release, with UAT criteria associated with them.  As a consultant, I usually have to be much more specific than that as building a backlog against unlimited time and dollars usually doesn’t get us invited back.  Just make sure that you have a clear picture of whether done is “good enough with a list of nice to haves” or if there is a more stringent criterion that you need to be shooting for.  Not identifying that up front and structuring the team for it leads to bad things.
  6. Not Preparing the Business for Participation — It is essential that the business side of the organization have daily participation in the project.  Most likely, they are used to an intense upfront requirements phase and then are ignored until UAT.  Sure, they will still need to have initial engagement as the Product Backlog is built and the release plan made, but the ongoing participation often comes as a surprise and must be managed carefully.  Often they are happy to do it, but springing that on them with little notice or input can hurt feelings and lead them to a feeling that the development team is needy and unsure of themselves, rather than following a prescribed process.
  7. Starving the Factory — Trying to treat each iteration as its own waterfall or expecting that all story elaboration will be done in sprint often leads to work starts and stops — especially as a team scales.  Planning your stories and digging into the business drivers and needs one sprint ahead allows you to engage with your QA teams and Business Analysts to provide the fuel that the development team needs to keep the factory rolling.  This is not a substitute for having the developers interact with the business directly, but it does take some of the burden off of them and can leverage the specialized skills of your BAs and QA folks.  For me, this seems to be the best blend of sustained agility and supporting a scalable and even geographically distributed team.
  8. Expecting an Agile Experiment to Scale — So you wanted to prove that Agile can work and will be able to be adopted into your organization.  You’ve pulled 4-6 of your top architects and high-potentials into a mini project because you expect them to be leaders of additional projects when you scale.  The project goes great, the team blazes through the deliverables, and you’re ready to go!  Right?  RIGHT?
     This is a great way to train leaders in the overall flow and tenets of Agile, but it doesn’t always paint a good picture of how this will work in a real environment, especially if you work with distributed teams, outsource groups, or 9-5 developers who are phoning it in.  Once you have those leaders, make sure you do a real PoC with a realistic team to work the kinks out, especially around communication and code acceptance.

Wow, that was more typing than I had anticipated and I am sure as soon as I hit publish, I’ll think of 5 more that I just have to include.  Maybe there will be a part 2.  Hopefully this will save you a few headaches and help you to navigate the agile waters.

When to create a new Project Collection

One of the greatest features for TFS 2010 is the ability to create new project collections in the TFS system.  This gives you the ability to separate projects into logical collections and manage them as individual groupings which can be a huge benefit.  There are, however, some things you should consider when creating collections.

The Pros:

  • Each collection gets its own database on the SQL data tier.  This means you have the ability to move it across different database servers and manage it individually.  Also, this gives you a bunch more options in scalability and monitoring.
  • This makes the collection portable, meaning you can detach it and transfer it to another TFS server.  This is especially useful if you are in a consulting environment and will need to transfer just that project or suite of projects back to the client.
  • Scalability!  This means that you can create new collections to spread your databases across SQL servers or instances to isolate their performance and risk profiles.
  • Each collection has its own set of process templates, sites, and linkages.  This gives you an opportunity to isolate projects from each other.

The Cons:

  • You’ll need a separate build controller for each collection.  If you are not planning for the proliferation of build controllers, you may suddenly find yourself supporting more machines than you’d anticipated.  There is a hack that lets you map multiple collections to a build controller, but it is not supported.
  • Having multiple collections creates an additional support and backup burden.  The backup scenarios with TFS are not simple and they must be done by database.  This needs to be added to the “new collection” SOP.  If you have a dedicated SQL server/ instance, you can add these procedures to the Master database so they’ll be created automatically.
  • While you can change things between collections and have TFS function separately, there is only one data warehouse.  Mismatches in the data types or aggregations in the cubes will cause TFS to throw errors and stop data collection until the conflict is resolved.
  • Many of the permissions are set at the collection level.  As you create new collections, you’ll need to manage the permissions individually.

All in all, there are huge benefits in having multiple project collections, but you need to plan them carefully and ensure that you are accounting for the additional overhead needed to make them work well.

AD Health Check (Server 2003/ SBS 2003)

IT Lives!

Every once in a while, I am reminded that nothing on the web should really die.  Looking at my server logs, I noticed a number of hits a day looking for my Health Check best practice document for Active Directory.  When I moved from Community Server to WordPress, this one didn’t make the cut as the command syntax had changed for Server 2008, but I neglected to take into account everyone needing to validate their domains before migration or who are not able to do the upgrade for one reason or another.  For you, here is the blog resurrected from the dead!

Active Directory Health Check

This document outlines a basic procedure for validating the health of your Windows Server 2003 domain and is a good practice for iterative maintenance and an excellent pre-check before doing any potentially dangerous domain operations, like migration or update.

Before doing anything that might jeopardize the integrity of your domain, it is important to ensure that there are no outstanding health issues.  While important, doing this kind of check needn’t be horribly complicated or take a lot of time.  It is important to do every time to be sure that you aren’t replicating problems across your forest as you do domain maintenance.  This is especially critical before schema operations and domain migrations.  Using a few simple Microsoft tools in the Windows Resource Kit, the general health of the domain can be validated and much of the risk associated with the projects can be mitigated.

Tools & Resources

DCDiag —  Basic Domain Diagnostics
NetDiag — Domain Controller Network Diagnostics
REPLMon — Replication Monitor
NETDom — Domain and Trust Diagnostics

Procedure Steps

A number of people have requested that these steps be posted in HTML format as they don’t have Microsoft Project or can’t open the file with their version of the software.  To make this a little bit easier for everyone, here we go:

Domain Controller Health Check

Preparatory Work

Update Server Documentation

Gather Inventory of domain controllers from the ADU&C | Domain Controllers node

Locate current documentation from client on AD structure

Locate current documentation from client of site/ core topology

Document name of every AD domain and Sub-domain

Document name and IP address of every Server

Document all trust relationships


Install Support Tools

On Each Server

Log on to the server with Server Administrator privileges

Insert the windows 2000/2003 disk into the CD drive

Navigate to CD:\tools\Support Tools

Run Setup.exe

Wait as the Support Tools are installed on the server


Preparatory Work Completed



Verify Health of the Domain

Create Log Directories for all Diagnostic Files

Create a Logs Directory at the root of C:\ on the server as C:\Logs


Verify DNS function with NSLOOKUP

Drop to a Command Prompt

At the Command Prompt, key in 'Nslookup' <enter>

Resolve each replication partner

Resolve every AD domain and Sub-domain

Remediate any failed resolutions


Verify replication function and topology with REPLMON

Navigate to Start | Programs | Administrative Tools | Support Tools | Replmon

Select the server (<ServerName>) in the Monitored Servers

Select Action | Server | Generate Status Report

When Prompted, specify the file name as c:\Logs\<ServerName> MMDDYYYY.log in the Report Options, select all of the reporting options

Click OK


Verify DC health with DCDIAG /verbose on each domain controller

Drop to a Command Prompt

Key in 'DCDIAG /s:<ServerName> /v /c > c:\Logs\<ServerName>-DCDIAG-MMDDYYYY.log' <enter>

Wait as the Diagnostic completes

Remediate any errors displayed

Run DCDIAG /s:<ServerName> /fix

Repeat the diagnostic


Verify network connectivity health with NETDIAG /verbose

Drop to a Command Prompt

NETDIAG /v > C:\Logs\<ServerName>-NetDiag-MMDDYYYY.txt

Wait as the diagnostic completes

Remediate any errors displayed

Run Netdiag /fix

Run the NETDIAG diagnostic again


Verify all trusts with NETDOM

Drop to a Command Prompt

At the Command Prompt, key in 'NetDom query /verify' <enter>

Verify that all trusts are working and responding to the stored passwords

Remediate all errors before continuing

Repeat for each additional Controller
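The command-line parts of the procedure above (name resolution, DCDIAG, NETDIAG, NETDOM) collected into one script that writes the logs to C:\Logs with the ServerName-Tool-MMDDYYYY naming the steps use and then flags log lines worth reading before continuing. This is an added example and not part of the original document: it assumes PowerShell 2.0 and the Support Tools (dcdiag, netdiag, netdom) are installed on the domain controller you run it from, the DC names are placeholders, and the trust check uses the TRUST query type of netdom, which is where /verify applies. NETDIAG only tests the machine it runs on, so the script is run once per controller, as the last step says, while DCDIAG is pointed at each DC in the list with /s. The /fix switches are deliberately not run automatically, since they change state and the procedure has you review the errors first.

```powershell
# Added example (not from the original document): runs the health-check
# commands from the procedure above and summarizes the logs.
# Assumptions: PowerShell 2.0, Support Tools in PATH, placeholder DC names.
param(
  [string[]] $DomainControllers = @("DC1", "DC2"),   # placeholders: your DC names
  [string]   $LogDir = "C:\Logs"
)

$stamp  = Get-Date -Format "MMddyyyy"
$domain = $env:USERDNSDOMAIN                        # empty when logged on with a local account
if (-not (Test-Path $LogDir)) { New-Item -ItemType Directory -Path $LogDir | Out-Null }

# Words DCDIAG / NETDIAG / NETDOM print when something is wrong; a match does
# not prove a problem, it marks a log you must read before doing domain work.
$failurePattern = "failed|error|warning"

function Invoke-Check {
  param([string] $Name, [string] $Server, [string] $CommandLine)
  $log  = Join-Path $LogDir ("{0}-{1}-{2}.log" -f $Server, $Name, $stamp)
  cmd /c "$CommandLine" 2>&1 | Out-File -FilePath $log -Encoding ASCII
  $hits = @(Select-String -Path $log -Pattern $failurePattern)
  New-Object PSObject -Property @{ Server = $Server; Check = $Name; Issues = $hits.Count; Log = $log }
}

$results = @()
foreach ($dc in $DomainControllers) {
  # Step "Verify DNS function": a DC name that does not resolve fails the check outright
  $resolved = $null
  try { $resolved = [System.Net.Dns]::GetHostAddresses($dc) } catch { }
  if (-not $resolved) {
    $results += New-Object PSObject -Property @{ Server = $dc; Check = "NSLOOKUP"; Issues = 1; Log = "" }
    continue
  }
  # Step "Verify DC health": DCDIAG can be pointed at a remote DC with /s
  $results += Invoke-Check -Name "DCDIAG" -Server $dc -CommandLine "dcdiag /s:$dc /v /c"
}

# Step "Verify network connectivity": NETDIAG only tests this machine
$results += Invoke-Check -Name "NETDIAG" -Server $env:COMPUTERNAME -CommandLine "netdiag /v"

# Step "Verify all trusts": trusts belong to the domain, so run once
$results += Invoke-Check -Name "NETDOM" -Server $domain -CommandLine "netdom query /domain:$domain trust /verify"

$results | Sort-Object Server, Check | Format-Table Server, Check, Issues, Log -AutoSize
$total = ($results | Measure-Object -Property Issues -Sum).Sum
if ($total -gt 0) {
  Write-Warning "Review the flagged logs and remediate (dcdiag /fix, netdiag /fix, trust resets) before any schema or migration work, then rerun."
}
```

Run it from an elevated prompt on each domain controller and keep the C:\Logs output with the server documentation from the preparatory steps, so that a later check can be compared against a known-good baseline.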

Automatically Created TFS Alerts

In TFS 2010 I have a basic set of alerts that I want created on every project.  This becomes tedious and hard to manage on a larger scale where multiple people have rights to create projects and there are a bunch of project starts and stops to consider. 

What you’ll need:

  • TFS 2010 Power Tools installed
  • Name of the Collection Database you want to create alerts for: CollectionDatabase
  • Name of the Account you want to be the owner of the alerts: Domain\UserName
  • Type of the alert: 0 – HTML, 1 – PlainText, 2 – SOAP Connection
  • Sample Alert Criteria from the Alert Explorer
    'WorkItemChangedEvent',   'PortfolioProject = '[MyProject]' AND "CoreFields/StringFields/Field[ReferenceName='System.WorkItemType']/NewValue" <> 'Shared Steps|Status Report|Sprint Retrospective'

So to do this, we are going to be building a trigger on the TFS 2010 database that will create our alerts whenever a new project is created.  Modification of the TFS databases isn’t really supported, but this is an addition rather than a change and project creation is a relatively infrequent action so the impact is minimal.

You should be aware of a few tables for this:

  • [ADObjects] This is the table where information about the valid logons is stored, mapping AD SIDs to GUIDs that are internally used.  Every alert needs an owner and the account you select will be the only one able to see the alerts created this way.
  • [tbl_EventSubscription] There is one copy of this table in the tfs_Configuration database and one in each of the individual Collection databases.  Global alerts belong in the tfs_Configuration databases while ones that are project specific should be limited to the individual collection.  I prefer to create alerts at the individual level so they can be more granularly managed, but this is largely a matter of choice.
  • [tbl_Project] This table contains the list of TFS projects that have been created and the matching status of each. There is a separate table called [tbl_Projects] that could be used for this, but it is updated more frequently with last_update and I don’t really want anything that might cause future triggers to be fired more often than needed.  Further, [tbl_Project] contains a status field, IsDeleted, where we could put an update trigger to delete matching alerts just to clean the database up; however, that is outside the scope of this post.

So, for this example, I am going to create a SOAP type alert that connects all new projects to the SFTS: Scrum for Team System aggregation service so that aggregation rollups work.  The same steps can be used for email alerts or connection to other custom web services.

First we need to parse out the alert criteria that we copied out of the Alerts Explorer (this is part of the TFS Power Tools) so that every single quote inside it is doubled, which is how T-SQL escapes a quote within a string literal.  In this case, I am telling the service to post the alert for all workitem changes other than Shared Steps, Status Reports, and Sprint Retrospectives.

This gives us the SQL Trigger Create Statement of (the column list of [tbl_EventSubscription] and the TeamFoundationId column of [ADObjects] are as I recall them from the TFS 2010 schema; verify them against your collection database before creating the trigger):

-- Fires once per INSERT into tbl_Project and adds one subscription per new project.
-- Column names for tbl_EventSubscription and ADObjects.TeamFoundationId are assumed;
-- check them against your collection database before running.
CREATE TRIGGER CreateRollupSubscriptions
ON [tbl_Project]
AFTER INSERT
AS
BEGIN
    SET NOCOUNT ON;
    INSERT INTO dbo.[tbl_EventSubscription]
        (EventType, ConditionString, SubscriberId, Schedule, DeliveryType, Address, Tag)
    SELECT
          'WorkItemChangedEvent'
        , '"PortfolioProject" = '''
          + i.ProjectName           -- This lets us reference only the newly created project
          + ''' AND "CoreFields/StringFields/Field[ReferenceName=''System.WorkItemType'']/NewValue" '
          + '<> ''Shared Steps|Status Report|Sprint Retrospective'''
        , (SELECT ao.TeamFoundationId
           FROM dbo.[ADObjects] ao
           WHERE ao.SamAccountName = 'UserName')   -- This sets the owner of the Alert
        , 0  -- Sets the Schedule to be run immediately
        , 2  -- Sets the Alert Type to 2 - SOAP Connection
        , 'http://[ServerURL]:8080/ScrumforTeamSystem/3.0/WorkItemChangedEndPoint.asmx'  -- Address or target of the alert
        , 'TFS Autogenerated Rollups'   -- This is the name of the Alert we are creating
    FROM inserted i;   -- one row per newly created project
END

Whew, and we’re done!  Now any time a new project is created, we will automatically have a new notification made.  Of course, you can create other SQL statements to generate a bunch of alerts, take other actions, or email you that a project was created.  How cool is that?

Special thanks to Aaron Lowe (http://www.aaronlowe.net) who helped me clean up the SQL to be more readable and for catching errors in my rusty T-SQL.

TFS Service Authentication (TF30063)

I have some custom and third-party services (SFTS: Scrum for Team System) attached to my TFS 2010 server and began to get the following error in the event logs as the services failed.

Error: 'TeamFoundationServerUnauthorizedException'
TF30063: You are not authorized to access http://[SERVER URL]:8080/tfs/[COLLECTION NAME].
     at Microsoft.TeamFoundation.Client.TfsConnection.ThrowAuthorizationException(Exception e)
     at Microsoft.TeamFoundation.Client.TfsConnection.UseCredentialsProviderOnFailure(Action action)
     at Conchango.TeamSystem.SubscribedEventHandler.Services.ServerConnectionService.ConnectToServer(String connectionString)

The effect that I was seeing was that the services appeared to be working just fine, but when they were attempting to write the results into work items, the server would stop the write, claiming that the service did not have sufficient permissions to write to the system.  Since the service was impersonating an administrator on the TFS system, I knew this wasn’t the case, but still…  FAIL!

Following the steps in KB926642 got me through the issue, allowing the server to reference itself using the FQDN, and everything was working again.

Method 1 (recommended): Create the Local Security Authority host names that can be referenced in an NTLM authentication request

To do this, follow these steps for all the nodes on the client computer:

  1. Click Start, click Run, type regedit, and then click OK.
  2. Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
  3. Right-click MSV1_0, point to New, and then click Multi-String Value.
  4. In the Name column, type BackConnectionHostNames, and then press ENTER.
  5. Right-click BackConnectionHostNames, and then click Modify.
  6. In the Value data box, type the CNAME or the DNS alias, that is used for the local shares on the computer, and then click OK.

    Note Type each host name on a separate line.

    Note If the BackConnectionHostNames registry entry exists as a REG_DWORD type, you have to delete the BackConnectionHostNames registry entry.

  7. Exit Registry Editor, and then restart the computer.
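The same change applied with PowerShell instead of regedit, as an added example that is not part of the KB or of the original post. It creates BackConnectionHostNames as a REG_MULTI_SZ under the MSV1_0 key, merges into an existing multi-string value rather than overwriting it, and handles the case the second note above describes, where the value already exists as a REG_DWORD and has to be deleted before it can be recreated. The host names are placeholders; use the FQDN and aliases your services use to reach the server, and restart afterwards as step 7 says.

```powershell
# Added example (not from the KB or the original post): Method 1 in PowerShell.
# Placeholders: the entries in $hosts.
$key   = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0"
$name  = "BackConnectionHostNames"
$hosts = @("tfs.example.test", "tfs")     # placeholders: one entry per alias / FQDN

$existing = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
if ($existing -ne $null) {
  # LSA ignores the value unless it is REG_MULTI_SZ; a REG_DWORD left behind by a
  # previous attempt must be removed and recreated, exactly as the KB note says.
  $kind = (Get-Item $key).GetValueKind($name)
  if ($kind -ne [Microsoft.Win32.RegistryValueKind]::MultiString) {
    Write-Host "$name exists as $kind; removing it so it can be recreated as MultiString"
    Remove-ItemProperty -Path $key -Name $name
    $existing = $null
  }
}

if ($existing -eq $null) {
  New-ItemProperty -Path $key -Name $name -PropertyType MultiString -Value $hosts | Out-Null
} else {
  # Merge rather than overwrite so names added for other services survive
  $merged = @($existing.$name) + $hosts | Select-Object -Unique
  Set-ItemProperty -Path $key -Name $name -Value $merged
}

# Verify: each host name on its own line, stored as MultiString (REG_MULTI_SZ)
$final = (Get-ItemProperty -Path $key -Name $name).$name
"{0} ({1}):" -f $name, (Get-Item $key).GetValueKind($name)
$final | ForEach-Object { "  $_" }
# The loopback check reads this list at logon time, hence the restart in step 7.
```

Keep the list to the names the server legitimately uses for itself; every entry is a host name for which NTLM loopback authentication is allowed, so it should be reviewed whenever an alias is retired.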