Develop Reference

Windows server reboots after 5 failed RDP login attempts

We recently discovered a quirk in one of our RDP servers and I cannot figure out why this is happening.
OS: Windows Server 2019 Datacenter - AWS EC2 instance
Low user population system. Between 3 and 5 users simultaneously logged into this system at any time. Used exclusively for SQL access to an AWS RDP SQL Server instance via SSMS.
Scenario A:
User starts their day and logs into the remote server via RDP successfully. They use the system for a while, then minimize the window while they work on something else. After the inactivity period elapses, the remote server forces the user to re-enter their credentials.
(All normal up to this point) ...
The user swears they're entering their password the exact same way the logged into the system at the start of the day, but Windows complains it's a bad password. User attempts their password four (4) more times, and the system immediately reboots.
The only thing in the event logs is this message:
The process C:\Windows\system32\winlogon.exe (HOSTNAME) has initiated the restart of computer HOSTNAME on behalf of user NT AUTHORITY\SYSTEM for the following reason: No title for this reason could be found
Reason Code: 0x500ff
Shutdown Type: restart
Comment:
Scenario B (same user as above):
User connects to a fresh RDP session where they were not previous logged in. Login is successful. They use the system for a while, then minimize the window as before and the remote session eventually forces the user to re-enter their credentials.
Same as before, the user enters their password but the server complains its incorrect.
This time, however, the user closes the RDP window and re-starts the RDP session entirely. Password was accepted this time.
Question: What could possibly be causing the server to reboot? I see no other evidence of any failures or errors in the system events to point to any software or OS problems.

Unable to RDP into windows?

I have a windows 16 machine on AWS. I installed Cygwin on it so that I can connect it as a jenkins slave. But once I connected it as a slave, I am NOT able to MSTSC/RDP into the machine. I can still access the machine via ssh/cygwin.
( I repeated the process several times and ended up losing rdp connectivity everytime )
This is what is actually happening now :
The EventLogs on machine are saying that logoff instructions are being initiated by the RDP client.
RDP client is saying "The disconnection was initiated by the user logging off their session on the server"
Visually, if seems like the remote connection was setup for a split second. Then it vanishes.
So, I believe that somehow my Administrator account is not able to maintain the session. It's getting disconnected as soon as it connects.
Can you suggest me which settings should I debug into ? I am able to extract a few details from my machine using ssh, but I can't explore all the settings.
If you are familiar with this behaviour please suggest me what settings might be reponsible for this.
Addition info:
If I restart my ec2 , it will never come back because a status check starts failing
I am able to telnet to 3389 port. So I guess, firewall rules are not an issue.
I have tried various RDP clients, on MAC as well as on Windows.
I found this in event log (ProviderName: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS) on my remote windows machine:
5/10/2019 3:13:44 PM 103 Information The disconnect reason is 12
.
.
.
5/10/2019 3:13:43 PM 228 Warning Disconnect trace:CUMRDPConnection Disconnect trace:'calling spGfxPlugin->PreDisconnect()' in CUMRDPConnection::PreDisconnect at 4477 err=[0xc], Error code:0xC

It turns out the my problem was occuring due to some cleanup utility deleting up the system files required for mstsc.
Everything started working fine after I switched off the cleanup utility.
Thanks for the help though.

https can not establish a private connection

guys, I need your help. Here is the problem I face now:
I have a Dell XPS laptop and install windows 10 and Linux Mint 18 on it. To keep the clock consistent with my time zone, I have used the following command in Linux:
timedatectl set-local-rtc 1 --adjust-system-clock
The problem now is, in windows 10, I can only connect to Gooogle or gmail during the beginning of the reboot. After long time, or after a suspension of windows 10, I can not connect to Google service anymore. It will report "can not estabish private connection". I can connect to other website normally. The same problem also exist for my dropbox. It will report "can not establish a secured connection".
I have checked the certificate of https for Google services, it seems that the browser locates to a wrong certificate when the connection is failed.
The problem disappear if I use a VPN connection.
I guess the problem is related to clock setting in my windows system, but I don't know how to solve it.
any suggestion is appreciated.

Solved.
The problem is that I use manual DNS settings, so the time in my computer and the server is not consistent. Just need to convert to auto DNS.
Sorry for the interrupt.

Does *anyone* have Windows SVNServe authenticating to AD/Kerberos via SASL/GSSAPI?

Scenario: Windows server in a AD domain hosting a Subversion repository using SVNSERVE only (no Apache), and not VisualSVN.
Objective: Authenticate users to the Subversion repository via SASL through GSSAPI to a Windows domain via Kerberos.
Frequent postings in multiple sites indicate users often dead-end in this configuration with a "Could not obtain list of SASL mechanisms." I've not seen any instance where this is actually running. Does anyone have this running?
I ask this question as a result of a 2011 posting in a Gentoo forum in which someone in precisely this scenario reviewed the relevant source tarballs and concluded that while, at one time, such a configuration probably worked, the files necessary for it are no longer in the source.
GEntoo forum discussion where poster claims svnserve+gssapi+sasl worked at one time, but no longer does.
Now, I don't assert that claim to be accurate, but I do know I am stuck at precisely the same point, and I've not yet seen any posts that claim "victory" over such a setup. If you have, please advise details!
Many thanks in advance.

I've just managed (after close to 30 hours of head scratching, compiling, and sourcecode-less debugging to get decent error codes) to get svnserve+SASL+GSSAPI to work! My setup is as follows:
AD server is Samba 4.1.0 on Debian 7.2 (built from source).
Subversion server is subversion 1.8.5 on Solaris Express (SunOS 5.11 snv_151a i86pc i386 i86pc). Built for x64 from source using native (Sun) SASL.
Client is Windows 7 x64 with TortoiseSVN 1.8.2 (x64 binary release) and Heimdal 1.5.1 (x64 binary from secure-endpoints).
As with anything involving Kerberos, you need to have forward and reverse DNS working smoothly, clocks synchronized, etc.
Steps on a Windows box with domain creds:
Create a "svnserve" user account (not computer account) for the Subversion server.
Run "ktpass -princ svn/server.domain.local#DOMAIN.LOCAL -mapuser DOMAIN.LOCAL\svnserve -crypto RC4-HMAC-NT -pass password -ptype KRB5_NT_PRINCIPAL -out svnserve.keytab". You do not want to turn on DES for this account or Windows 7 will refuse to authenticate to it. I turned it on earlier (following the recipes) and had to turn it off again to get it to work.
Steps for the Subversion server:
Set up /etc/krb5/krb5.conf
[libdefaults]
default_realm = DOMAIN.LOCAL
[realms]
DOMAIN.LOCAL = {
kdc = pdc.domain.local
admin_server = pdc.domain.local
}
[domain_realm]
.domain.local = DOMAIN.LOCAL
domain.local = DOMAIN.LOCAL
# Other defaults left as-is.
Set up repo/conf/svnserve.conf:
[general]
anon-access = none
authz-db = authz
realm = DOMAIN.LOCAL
[sasl]
use-sasl = true
min-encryption = 0
max-encryption = 256
Set up repo/conf/authz:
[aliases]
[groups]
[/]
* =
# Still investigating whether access to the server can be controlled through an AD group.
# Below is for user#DOMAIN.LOCAL, the realm appears to get lost.
user = rw
Set up /etc/sasl/svn.conf:
mech_list: GSSAPI
Drop svnserve.keytab in to /etc/krb5/krb5.keytab (keytab in the sasl configuration doesn't seem to do anything).
Start svnserve.
Steps for the client:
Install TortoiseSVN and Heimdal.
Edit C:\ProgramData\Kerberos\krb5.conf to be like /etc/krb5/krb5.conf on the Subversion server. There's some other defaults in there that I left alone.
Do a checkout, no password required!
One issue with this setup is that the svnserve process has to be able to read /etc/krb5/krb5.keytab, so permissions on that need to be wound back a bit. svnserve is going in to its own zone though so this isn't an issue for me. I also had mslsa_cc.dll crashing while testing things, but I haven't seen any crashes once I got everything sorted out.
With some wrangling, you might be able to get this working for svnserve on Windows as well. I tried MIT Kerberos on the Windows client but it crashed every time on startup so I gave up on it. You might have better luck.
Update: Figured out the crash issue - it's a bug in mslsa_cc.dll (similar to https://github.com/krb5/krb5/commit/7acb524f5aa00274771dbbfac19d2dd779aad409, which also gets it slightly wrong as nOutStringLen needs to be divided by 2 for the way that ANSIToUnicode is called). Binary patch on mslsa_cc.dll is:
Offset 0xB46: Change from FF 15 04 69 00 to D1 EE 0F 1F 40.
Offset 0xB5E: Change from 77 to EB.

After earning a "tumbleweed" badge for this unanswered question, and considerable additional research on my own, I've come to the conclusion that the subject combination for Subversion under Windows is, in fact, not possible under the current code base. I believe something in the SASL authentication layer is the problem here, with some source removed or significantly changed to "break" what did, I believe, work at one point.
My solution has been to add Apache to the mix with mod_auth_sspi, and while it does slow down the repository some, the authentication works perfectly. This appears to be the "fix" for the authentication requirement.

I have done authentication against AD with SASL+LDAP, but not SASL+GSSAPI, and with a small caveat: I have to use and run svnserve from Cygwin in Windows.
1) It was quite easy to get svnserve authenticate users via SASL+LDAP/AD in Linux ( I know the question is about svnserve in Windows, but bear with me ). The important part to get the authentication working against LDAP/AD is saslauthd, and test the authentication using testsaslauthd.
Using Ubuntu as an example:
1a) /etc/sasl2/svn.conf
pwcheck_method: saslauthd
mech_list: PLAIN
This tells subversion / svnserve to use saslauthd to do the authentication on its behalf.
1b) /etc/saslauthd.conf
ldap_servers: ldap://yourADserver.dept.org
ldap_search_base: DC=dept,DC=org
ldap_bind_dn: cn=bindaccount,dc=dept,dc=org
ldap_bind_pw: passwordOfbindaccount
ldap_deref: never
ldap_restart: yes
ldap_scope: sub
ldap_use_sasl: no
ldap_start_tls: no
ldap_version: 3
ldap_auth_method: bind
ldap_filter: sAMAccountName=%u
ldap_password_attr: userPassword
ldap_timeout: 10
ldap_cache_ttl: 5
ldap_cache_mem: 32768
1c) Do a test via testsaslauthd
testsaslauthd -u myusername -p mypassword
1d) If successful, then run saslauthd, and start svnserve. and use whatever svn client to test the authentication.
2) Problem is, there is no native port of Cyrus' saslauthd to Windows, and probably never will be. Answer is to use Cygwin, which has svnserve, testsaslauthd, and saslauthd.
Just repeat the above steps .. but the location of svn.conf may be different.

Issue setting up GIT with SSH on Windows Server 2008

I´m following the steps outlined in Tim Davis´ blog for setting up GIT with copSSH on Windows (http://www.timdavis.com.au/git/setting-up-a-msysgit-server-with-copssh-on-windows/) but I´m having problems. I´ve gotten up to step 15 under the Installing Putty instructions but rather than getting a "Enter Login" message, I´m getting a "Network Error: Unable to connect to server" error.
I know that it could potentially be a myriad of things but I was wondering if by some miracle, someone could give me some ideas of what else I should check?
I´ve doublechecked the following:
IP address is correct
User has been added to copSSH
Key is stored in the specified user folder
Rule has been added to Firewall
(NOTE: We´re using a server on 1and1.com and the firewall rules allow us to specify a local port and a remote port. Have configured to local port 4837 and remote port to Any).
I tried to doublecheck if the SSH service is running but I don´t know what it´s called. I noted down the username and password from the copSSH setup but I haven´t seen anything remotely similar to SSH in the list of services.
Any help would be greatly appreciated!! I´ve never had to do something like this before so I´m a little lost.
Regards,
Kat

Troubleshooting
Are you specifying port 4837 in the Putty window?
I personally suggest using OpenSSH or SmartGit, not Putty... I've seen too many issues with it.
Also, I suspect your firewall configuration needs to be local port=Any and remote port=4837.
The 5 minute shortcut
This installer sets up a windows git server using CopSSH. It configures the firewall, the user accounts, and gives you a GUI for all the SSH and keys stuff. It costs $9, but it saves hours of configuration (it's a 5 minute, 3-step install). It has a self-contained Git install, so no conflicts should happen.
NOTE: I'm the webmaster of windowsgit.com. I got the project started after taking a good look at Davis' tutorial and thinking.... oh, ----! The CopSSH author and I collaborated to make the automate the process and reduce the number of frustration-related keyboard deaths :)