1. My SQL server was in a domain that had the Certification Authority role installed, but only partially configured, and the web services portion of the role was not installed.  This limited my ability to create the proper certificate in the first place.
2. I am not using a SQL cluster, and many of the blog posts and forum threads I read were focused on resolving the empty drop down menu in a cluster environment.

For me, this is what worked:

1. Create the certificate request on the SQL server

• Open the MMC console and add the Certificates snap-in for the Local Computer (read the MS technet article above on this for more background)
• Right-click the Personal folder and select All Tasks -> Advanced Operations -> Create Custom Request, then click next on the first screen of the enrollment wizard
• Select “Proceed without enrollment policy” under the custom request section and click Next
• Select “No Template” Legacy Key under the template drop down, leave other values as default and click Next
• On the next screen, click the little down arrow Details button to expand an additional properties window, then click Properties
  
• Type in the friendly name as the fully qualified host name, for me, this seemed to even require including proper capitalization because my server name was SRVSQL01.domain.loc, so that is that I used.  I left description blank
  
• On the Subject Tab, I added the values in the screenshot below.
  
• On the Extensions Tab, I added “Key encipherment”  under the Key Usage setting box, and “Server Authentication” and “Client Authentication” under the Extended Key Usage (application policies) settings box.
  
• On the private key tab, under key type, I changed the value from Exchange to Signature.
  
• Finally, click OK, then click Next back in the Enrollment Wizard window.
• Enter a file name and click Finish.
  

2. Process the CSR on your Certificate Server

I won’t go into detail here, but you need to copy the file you created to your Certificate Authority server, process and approve the request, then export the binary key file of the certificate.  Then copy that exported binary file back to your SQL server.

3. Import the certificate into the local certificate store

Back in your MMC console and Certificates snap-in, you can now right-click on the Personal folder again and select Import.  Complete the import wizard using your recently created binary export of the cerficate and the new cert should now show up in the certificates folder under Personal in the Certificates snap-in.

One last step here, and its and important one, on the certificate itself, right-click on the cert name, and select All Tasks -> “Manage Private Keys…”, then give the user the SQLSERVER service runs as Read permission in the security tab.

4. Tell SQL Server which certificate to use

Now, when you follow Microsoft’s instructions and you open the properties of the protocols instance for your SQL Server and view the Certificates tab, you should see the new certificate in the drop down menu! Select the certificate here, click OK, then restart the SQL service.  Clients can now use the encrypted connection and you won’t see errors like, “SSL Provider, error: 0 – The certificate’s CN name does not match the passed value”

I hope this saves some of you some time, I spent the better part of 3 days working on this.  I went through the whole process many times, and for me, I believe the biggest change I made was changing the Exchange key type to Signature.  I don’t know for sure if this is true, but that’s what I’m thinking.  In the comments below, let me know if the process works for you or if you have any questions I’ll be glad to help where I can.

If you’re a user that has a desktop computer always on at home (Mac or Windows) and you carry a laptop around, this post can help set yourself up with some private web browsing.

I’m going to cover all the different Mac & Windows options here, because I know not everyone uses the same set of computers. I hope the post doesn’t get too cluttered…

Home Computer Setup

1. A Dynamic DNS account configured using your high speed internet account.
2. An SSH server running (this is the tricky part)
3. A properly configured home firewall

1. Dynamic DNS

There are lots of Dynamic DNS services out there, but my favorite is DynDNS.com.  I’ve had an account with them for over 10 years and I don’t think they’ve ever been offline.  I use their paid Custom DNS service because it gives me a lot of flexibility and control.

I’m going to leave the setup process for Dynamic DNS on your home account out of this post.  Your firewall may already have integrated support and there are lots of other pages out there to set this up.  Here are a few:

• http://www.dyndns.com/services/dns/dyndns/howto.html
• http://minitutorials.com/apache/dyndns11.shtml
• http://geekswithblogs.net/saifkhan/archive/2008/12/29/setup-dyndns-dynamic-dns-on-a-linksys-wrt54g-router-again.aspx

For reference, I set my custom DNS name to, home.mydomain.com.  This is the hostname I’ll use when configuring the remote SSH tunnel.

2a. An SSH Server using Mac OS X

With Mac OS X as your home computer, you’re in luck, this is easy to setup.  First, I recommend creating a user account used only for SSH connections.  Open System Preferences – Accounts, click the + icon to create a new account, and name it whatever you want, something cryptic maybe, I’ll call my new user, goodbadtechremote2009, and I recommend picking a very strong password, 8+ characters, letters, numbers, symbols, etc.

Next, enable remote access by opening System Preferences -> Sharing.  Then click the checkbox next to “Remote Login”.  In the “Allow Access” section, change the selection to “Only these users”, and add the user you just created.

Last, configure your Mac to use a static IP address.  This can be done under System Preferences -> Network.  Make note of the address you use, I’ll refer to it later as SSHIP.  Take a look at this link for additional help: http://answers.vt.edu/kb/entry/1867/

That’s it on the Mac side, you’re ready to go.

2b. An SSH Server using Microsoft Windows

Running Windows, it’s definitely more of a challenge to get an SSH server online.  I know some people have used Cygwin, but I think using the free VMWare Server product is a better way to go. It makes the whole process much faster, is more reliable and VMWare is just cool.

1. So, step one, download and install VMWare Server.  VMWare provides a lot of great documentation regarding how to get the product downloaded and installs, but typically you just need to download and run the installer with all the default options.
2. Reference my post regarding installing CentOS 5 as a VMWare guest.  Complete the steps in the section, CentOS 5.  Make sure you choose Bridged for the type of network connection. There are also many other places that detail installing Linux operating systems in VMWare, feel free to use a different resource if you have one you prefer.
3. Login to your new Linux operating system as root
   1. Add a new user for SSH connections and set a very strong password, let’s call the user goodbadtechremote2009
      /usr/sbin/adduser goodbadtechremote2009
   2. I recommend you edit /etc/ssh/sshd_config to lock access down.  Here is a sample config that I like to use.

      Port                            22
      Protocol                        2
      ListenAddress                   0.0.0.0
      AllowUsers                      goodbadtechremote2009
      SyslogFacility                  AUTH
      LogLevel                        INFO
      PermitRootLogin                 no
      StrictModes                     yes
      RSAAuthentication               yes
      PubkeyAuthentication            yes
      PasswordAuthentication          yes
      PermitEmptyPasswords            no
      KerberosAuthentication          no
      X11Forwarding                   no
      PrintMotd                       yes
      PrintLastLog                    yes
      KeepAlive                       yes
      UseLogin                        no
      UsePrivilegeSeparation          no
      Subsystem                       sftp            /usr/libexec/openssh/sftp-server
      Banner                          /etc/issue
      UseDNS                          no

   3. I also like to edit the /etc/issue file to include a simple “keep away” statement.

                                  NOTICE TO USERS
      
      This computer system is the private property, whether individual,
      corporate or government.  It is for authorized use only. Users
      (authorized or unauthorized) have no explicit or implicit
      expectation of privacy.
      
      Any or all uses of this system and all files on this system may be
      intercepted, monitored, recorded, copied, audited, inspected, and
      disclosed to your employer, to authorized site, government, and law
      enforcement personnel, as well as authorized officials of government
      agencies, both domestic and foreign.
      
      By using this system, the user consents to such interception, monitoring,
      recording, copying, auditing, inspection, and disclosure at the
      discretion of such personnel or officials.  Unauthorized or improper use
      of this system may result in civil and criminal penalties and
      administrative or disciplinary action, as appropriate. By continuing to
      use this system you indicate your awareness of and consent to these terms
      and conditions of use. LOG OFF IMMEDIATELY if you do not agree to the
      conditions stated in this warning.

   4. Configure a static IP address
      1. run /sbin/ifconfig and note your current IP address and Network.
      2. In CentOS, edit /etc/sysconfig/network-scripts/ifcfg-eth0, so it looks something like the text below.  Make sure to replace the IP address and Gateway with a valid address in your network.  I’ll later referece the IP address you set here as SSHIP

         TYPE=Ethernet
         DEVICE=eth0
         BOOTPROTO=
         IPADDR=192.168.0.10
         GATEWAY=192.168.0.1
         NETMASK=255.255.255.0
         USERCTL=yes
         IPV6INIT=no
         PEERDNS=yes
         ONBOOT=yes

   5. Restart the SSH server

      /etc/init.d/sshd restart

   6. Restart your networking

      /etc/init.d/network restart

   7. That’s it, your Linux setup in Windows should be ready to go.

3. Your home firewall

Disclaimer: Open remote access to an SSH server in your home network at your own risk.  I can’t cover all the details of this setup process here and there are several security concerns to consider.   Also, your internet provider may NOT allow home servers running over the Internet.

In order to access your own computer over the Internet, you’ll need to allow remote access through your home firewall/router (you are using a firewall on your high speed connection right?).

I use a LinkSys WRT300N wireless router.  Most of the LinkSys, Belkin, NetGear, etc routers operate pretty much the same.  For me, I logged into the router, went into the Applications & Gaming section and setup single port forwarding.

A little trick I use is to set the external port to 443 instead of 22 (which is the default for SSH connections) because some networks control outbound traffic and port 443 is more likely to be allowed outbound then port 22 is.  Also, if anyone were to glance at the actual traffic it would look like the HTTPS encrypted traffic they’d expect to see.

Make sure to set the internal port to 22, set the protocol to TCP, and enter the SSHIP address you recorded in earlier and save your settings.

You’re ready to setup your laptop to open the SSH tunnel.

Laptop Setup

Windows SSH Tunnels

• Download putty.exe and save it to your hard drive.  I usually place the executable in my Program Files directory.
• Run PuTTY
• We need to create a saved session for easily opening an SSH connection with all the right settings in the future
  • Expand the Connection section and click Data and enter goodbadtechremote2009 in teh Auto-Login username field.
  • Expand Connection->SSH and click on Tunnels
  • In the Source Port field type 1080
  • Leave the Destination field empty
  • Change the Local radio button to Dynamic
  • Click on the Session category
  • Type in the hostname you configured when setting up Dynamic DNS, home.mydomain.com, in my example
  • Make sure the connection type is SSH
  • The default port will be 22, change this to 443 if you set your home firewall up the way I did in this example.
  • In the Saved Sessions text box, type in a name for the session.  I like to use the remote hostname I’m connecting to, home.mydomain.com.
  • Click Save
• Test the new PuTTY session by clicking open.  If all goes right you’ll get a terminal session window that opens and it will prompt you for a password.  On your first connection attempt you may be asked to verify that you are connecting to a valid host, you can type yes to authorize the connection.
• Shortcut tip:  Create a shortcut on your desktop to the putty.exe application.  Edit the properties of the shortcut and add some information to the target line.  Mine looks like this:

  "C:\Program Files\SSH Client\putty.exe" -load "home.mydomain.com"

Windows Web Browser changes

This is the last step, configuring the browser.  There are a number of different ways to set this up.  I’m going to keep it simple here.  I use Internet Explorer 8 for my primary web browsing, and I downloaded and installed Firefox to use when I want use my private browsing SSH tunnel.   So here is the process for this approach:

• Download and install Firefox if it’s not installed already. http://www.mozilla.com/en-US/firefox/personal.html
• Open Firefox and click on Tools -> Options
• Click the Advanced Icon at the top of the Options Window
• Click the Network Tab
• Click the Settings button
• Select “Manual Proxy Configuration”
• Under SOCKS Host, type in, 127.0.0.1
• Set the port for SOCKS Host to 1080
• Select the SOCKS v5 radio button
• Click OK
• Click OK again to close the Options window

If your SSH connection is still open, you should be able to visit web pages just like you normally would, go ahead and try to visit GoodBadTech.com and see if it works.

Now this is the real test, close your SSH tunnel by closing your PuTTY session window.  Try to go to http://goodbadtech.com again.  This time the connection should fail.  If it does, your private web browsing configuration is READY TO GO!

In the future, to use private browsing, open the PuTTY shortcut you configured on your desktop, then open Firefox and no body at your office or in the coffee shop or where ever will be able to detect or restrict what web sites your visiting.

Mac OS SSH Tunnels

This is a pretty quick process, here goes…

1. Open your Applications folder -> Utilities -> Terminal
2. Type
   pico ~/.bash_profile
3. scroll down to the very bottom of the file
4. Add this line
   alias homessh=”/usr/bin/sshtunnel -D 1080 -f -C -q N  -p 443 goodbadtechremote2009@home.mydomain.com”
5. Type Ctrl+x to exit the Pico editor, type Y, to indicate you want to save the changes
6. Now at your command prompt type, homessh, this should connect to your home SSH server and prompt you for your password. Type in your password and your tunnel will be ready to go.  \

Mac OS Web Browser changes

On my MacBook Pro, I find it works best to use the location functionality. Note: This will only effect the Safari browser.  Firefox will ignore these location settings.

1. I go into the Apple Menu, Select Location, then select “Network Preferences”
2. In the Location drop-down menu select “Edit Locations…”
3. Click the + icon at the bottom of the Locations menu that pops up and name your new location, “Home SSH Proxy”, click Done.
4. Back in the Network system preference, select the new “Home SSH Proxy” location
   
5. Click on the Ethernet icon
6. Click on the Advanced button
7. Click on the proxies tab
8. Click the check box next to Web Proxy (HTTP)
9. In the Web Proxy Server enter, 127.0.0.1, into the first text field and enter, 1080, into the second field.
10. Now click the check box next to Secure Web Proxy (HTTPS)
11. In the Secure Web Proxy Server enter, 127.0.0.1, into the first text field and enter, 1080, into the second field.
    
12. Click OK
13. Repeat steps 6-12 for your AirPort connection

That should be everything.  Just as in the Windows setup, if your SSH connection is still open and your location is set to Home SSH Tunnel, you should be able to visit web pages just like you normally would, go ahead and try to visit GoodBadTech.com and see if it works.

Now this is the real test, close your SSH tunnel by typing exit in your terminal window.  Try to go to http://goodbadtech.com again.  This time the connection should fail.  If it does, your private web browsing configuration is READY TO GO!

In the future, to use private browsing, open a terminal window and type homessh, enter your ssh password, then switch your location to “Home SSH Tunnel”.  Make sure to switch back to your normal network location when you’re done.

Additional Reading

• Read the Public Key Setup section on Public Key Authentication

As always, feel free to post any questions in the comments below.

Note: This post assumes you have a valid multi-domain SSL certificate installed.  I won’t go into that process here, but if I get a few questions I can certainly do a post on that as well.

The first thing I needed to do was run some tests on the local IIS server that provides my Exchange services.  In my case, Exchange and IIS were running on the same server, so I logged in to the server, opened Internet Explorer and typed in:

https://<Servername>/Microsoft-Server-Activesync

You should be prompted for credentials using basic authentication, then you should see an “HTTP 501 Not Implemented/HTTP 505 Version Not Supported Error”

If you see this, ActiveSync itself, which the iPhone relies on for communication with Exchange, should be working correctly.  I did not see this error.  I saw an HTTP 401 file not found error. Now, with Exchange 2007, I generally try not to do a lot of troubleshooting, it’s just easier to start over and reinstall ActiveSync support.

1. On the Exchange server, open the Exchange Management Shell, and run (this command may take a minute to output:

   Get-ActiveSyncVirtualDirectory | fl

2. Search through the text output and look for the line that starts with, Identity, copy/paste the corresponding value into notepad.  It may be something like,  SERVERNAME\Microsoft-Server-ActiveSync (Default Web Site)
3. In Exchange Management Shell, run the command

   Remove-ActiveSyncVirtualDirectory

   1. When prompted, paste in the Identity value you copied in step 2.
   2. Verify that you want to remove ActiveSync
4. Refresh your IIS Admin window to make sure the Microsoft-Server-ActiveSync virtual directory is no longer there.
5. In Exchange Management Shell, run the command

   New-ActiveSyncVirtualDirectory

6. Refresh your IIS Admin window to make sure the Microsoft-Server-ActiveSync virtual directory is back.
7. Close any open Internet Explorer windows and then access https://<Servername>/Microsoft-Server-Activesync again.
8. Hopefully you see the “HTTP 501 Not Implemented/HTTP 505 Version Not Supported” error now.  If you do, your iPhone should be ready to go.  This error means the correct files are there, but that your web request doesn’t include the data that ActiveSync is looking for.

If you didn’t get the 501/505 error, then it’s back to the drawing board.  Post a comment below and I’ll see if I can help out.

Also, check out the link below, it’s a very slick troubleshooting tool from Microsoft that can be used to troubleshoot Exchange 2003/2007 servers for remote connectivity services like Autodiscover, ActiveSync, RPC over HTTP, and many other tests for Exchanged based services.  Its very easy to use and provides detailed test results regarding what works and what doesn’t.

https://www.testexchangeconnectivity.com/

So the question is: Who is my computer connected to and what’s it sending them?

First I needed to know the IP address of my home internet connection.  The home web server is on a Comcast cable modem with DHCP that doesn’t change its IP address very often, but does every once in a while.  To get started I logged in to the home computer via my LogMeIn connection, opened up the web browser, and hit up http://www.whatsmyip.org to verify my IP address, looks like it’s 12.345.678.9 (no, that’s not actually my IP address, but I don’t want to post my real public IP for everyone to see)

Note: I actually use DynDNS to keep track of my home IP address, the whatsmyip.org method is just a little faster if you don’t already have Dynamic DNS running somewhere.

With my remote IP address in hand, I was ready to check out what connections were active.

Open up your Terminal application (Applications -> Utilitys -> Terminal.app) and run,

netstat -napt

Here is what returned:

[goodbadtech@tim:~]$ netstat -napt
netstat: t: unknown or uninstrumented protocol

Oh right, that’s the Linux netstat syntax, it lists all active TCP connections, their process ID, and turns off DNS translations so just the IP address shows up

To get the same output in Mac OS I had to change the syntax a bit:

netstat -na -p tcp

The results this time where much better.  I needed to narrow the results down, 46 TCP connections where too many to scan through.

netstat -na -p tcp | grep 12.345.678.9

Running this command which only outputs connections that contain the IP address I specified, I expected to see an empty result, because I wasn’t aware of any active connections to my home network. However, this is what I saw:

tcp4       0      0  10.1.1.110.50994       12.345.678.9.4242        ESTABLISHED

The destination port was a little suspicious to me, 4242.  I had no idea what the connection was.  I also noticed something else, no process ID was listed.  I forgot about that too.  I’m so used to the Linux version of netstat including PID information, I forget that Mac OS doesn’t include PID.

So how to I find the PID of a TCP connection on a Mac?  Here we turn to lsof.  Note, lsof requires root permission, so we’ll be running the commend with sudo

sudo lsof -i -Pn

-i limits the results to files with Internet connections active
-Pn turns off reverse port and IP address translation which just speeds the results up a bit

Now we’re getting somewhere, expect the list of files returned is still large, 145, and I don’t like to look through so many lines, so let’s get grep involved again to help filter the results

sudo lsof -i -Pn | grep 12.345.678.9

And the one line I was looking for was displayed

java       6756           root   70u  IPv4  0x8c3ce64      0t0    TCP 10.1.1.110:50994->12.345.678.9:4242 (ESTABLISHED)

Okay, process ID 6756, good, that’s the info I was looking for.  However, I saw the process name was java.  Great, that could be anything.  Why in the world was a java process started by root connected to my home computer network?  We go back to lsof to find the answer.  (That sentence makes me think I’ve been watching too much History channel lately)

sudo lsof -p 6756

-p the lower case p limits results to open files in use by process ID 6756.

With a 122 lines returned I saw there was plenty of activity, fortunately, I quickly saw exactly what was going on.

java    6756 root   51u     REG       14,2        44   5116740 /Library/Caches/CrashPlan/cpft366842740763787782x

There were many lines output similar to this one, so I don’t need to include the whole output here, the point is, the line segment /Library/Caches/CrashPlan, tells me that CrashPlan had created the connection.  Okay, I’m cool with that.  I hope you found this useful.  Send me a message on Twitter @goodbadtech if you have any questions.  Back to my original software testing…

Notes:

A quick editorial on CrashPlan, its very slick backup software, especially for those of you that have multiple computers in different locations.  The basic concept is, you backup for your office and your office backs up to your house.  Make sure you at least check out the link.

netstat and lsof are great utilities to get familiar with.  If your computer is running slow or you want to check connections on your web server, they should come to mind right away.  One of my favorites on a Linux web server will list all established connections to your web server (assuming you’re running Apache)

netstat -atp | grep httpd | grep ESTABLISHED

This will count all the established connections to your web server and output the value

netstat -atp | grep httpd | grep ESTABLISHED | wc -l

Here is a great post of netstat commands to try out if you’re looking for some additional reading.

http://www.mydigitallife.info/2007/12/13/how-to-find-and-check-number-of-connections-to-a-server

GoDaddy ’s Valicert root certificate is installed on all mobile devices that run Windows Mobile 5.0 AKU 2 or a later incarnation of the operating system. However, devices that run older versions of Windows Mobile 5.0 do not have the Go Daddy root installed.

To check if the Go Daddy root is installed on your device, please visit the root store on your device:

• Open the “Settings” menu.
• Select “System.”
• Select “Certificates.”
• Verify that the “http://www.valicert.com” is listed in the root store.
• If the root is included, your device is running Windows Mobile 5 AKU 2 or later. No further action is required.
• If the root is not included, follow the instructions below to import and install it.

To install the root certificate on your Windows Mobile 5 device:

• Download the root certificate to your PC in DER format with a .cer file extension (i.e., valicert_class2_root.cer”). The root can be downloaded from the Go Daddy repository.
• Copy the downloaded root certificate to your device using ActiveSync.
• On your mobile device, locate the imported file using File Explorer and click on it.
• The device will display the following prompt: “You are about to install valicert_class2_root.cer certificate issued by http://www.valicert.com/. Do you want to continue?” (If you saved the root under a different name, that file name will show up in the prompt.)
• Accept the prompt to install the root certificate on your device.

https://certs.godaddy.com/InstallationInstructions_alt.go