Windows 8

Surface 2 – VPN bug disables Metro Internet Explorer

Update 2 – NOT FIXED


Yeah, so, I was apparently deluded, the problem is still here. It appears to be a bona-fide bug in Windows 8, with a Hotfix at http://support.microsoft.com/kb/2797356 – but that’s only for x86 versions of Windows, and not for the Surface 2.


Update – FIXED


Since I wrote this article, another issue caused me to reset my WMI database, by deleting everything under C:\Windows\System32\wbem\Repository and rebooting. After that, the VPN issues documented in this article have gone away.


Original article


I have a home VPN – everyone should, because it makes for securable access to your home systems when you are out and about, whether it’s at the Starbucks down the street, or half way across the world, like I was on my trip to China last week.


Useful as my home VPN is, and hard as it is to get working (see my last post on Windows 8 VPN problems), it’s only useful if I can get my entire computer to talk through the VPN.


Sidebar – VPN split tunneling


Note that I am not disputing the value of split tunneling in a VPN, which is where you might set up your client to use the VPN only for a range of addresses, so that (for example) a computer might connect to the VPN for connections to a work intranet, but use the regular connectivity for the major part of the public web. For this article, assume I want everything but my link-local traffic to be forwarded to my VPN.


So, in my last VPN post, we talked about setting up the client end of a VPN, and now I want to use it.


Connecting is the easy part, and once connected, most of my apps on the Surface 2 work quite happily, connecting to the Internet through my VPN.


All of the Desktop apps seem to work without restriction, but there are some odd gaps when it comes to using “Windows Store” apps, also known as “Metro” or “Modern UI” apps. Microsoft can’t call this “Metro” any more, even though that’s the most commonly used term for it, so I’ll follow their lead and call this the “Modern UI” [where UI stands for User Interface].


Most glaring of all is the Modern UI Internet Explorer, which doesn’t seem to allow any connections at all, simply displaying “This page can’t be displayed”. The exception to this is if I connect to a web server that is link-local to the VPN server.


I’d think this was a problem with the way I had set up my VPN server, or my client connection, if it weren’t for the fact that my Windows 8.1 laptop connects correctly to this same VPN with no issues on Modern or Desktop versions of Internet Explorer, and of course the undeniable feature that Internet Explorer for the Desktop on my Surface 2 also works correctly.


I’d like to troubleshoot and debug this issue, but of course, the only troubleshooting tools for networking in the Surface 2 run on the Desktop, and therefore work quite happily, as if nothing is wrong with the network. And from their perspective, this is true.


When Bagpuss goes to sleep, all his little friends go to sleep, too.


Of course, Internet Explorer has always been claimed by Microsoft to be a “part of the operating system”, and in Windows 8.1 RT, there is no difference in this respect.


Every Modern UI application which includes a web control, web view, or in some way asks the operating system or development framework to host a web page, also fails to reach its intended target through the VPN.


Technical Support – what’s their take?


Technical support had me try a number of things, including resetting the system, but none of their suggestions had any effect. Eventually I found a tech support rep who told me this is a bug, not that that is really what you’d call a resolution of my problem. These are the sort of things that make it clear that the Surface is still in its early days, and while impressive, has a number of niggling issues that need “fit and finish” work before significant other features get added.

Deploying on the road…

Now that I have a Surface 2, I’m going to leave my laptop at home when I travel.

This leaves me with a concern – obviously, I’m going to play with some of my hobby software development while I have “down time”, but the devices for which I’m building are traveling with me, while the dev machine stays at home.

That’s OK where I’m building for the laptop, because it’s available by Remote Desktop through a Remote Desktop Gateway.

Deploying to my other devices – the Windows Phone and the Surface 2 running Windows RT – is something that I typically do by direct connection, or on the local network.

Windows Phone

For the Windows Phone, there’s a Store called “Beta” as opposed to “Public”, into which you can deploy your app, make it available to specific listed users, and this will allow you to quickly distribute an app remotely to your device.

Details on how to do this are here.

Windows Store

The story on Windows Store apps appears, at first blush, to be far more dismal, with numerous questions online asking “is there a beta store for Windows like there is for the phone?”

The answer comes back “no, but that’s a great idea for future development”.

But it is completely possible to distribute app packages to your Windows RT and other Windows 8.1 devices, using PowerShell.

The instructions at MSDN, here, will tell you quite clearly how you can do this.

Error 860 in Windows 8.1 / Surface VPN

It should be easy enough to set up a VPN in Windows, and everything should work well, because Microsoft has been doing these sorts of things for some years.


Sure enough, if you open up the Charms bar, choose Settings, Change PC Settings, and finally Network, you’re brought to this screen, with a nice big friendly button to add a VPN connection. Tapping on it leads me to the following screen:


No problems, I’ve already got these settings ready to go.


Probably not the best to name my VPN settings “New VPN”, but then I’m not telling you my VPN endpoint. So, let’s connect to this new connection.


So far, so good. Now it’s verifying my credentials…


And then we should see a successful connection message.


Not quite. For the search engines, here’s the text:

Error 860: The remote access connection completed, but authentication failed because of an error in the certificate that the client uses to authenticate the server.

This is upsetting, because of course I’ve spent some time setting the certificate correctly (more on that in a later post), and I know other machines are connecting just fine.

I’m sure that, at this point, many of you are calling your IT support team, and they’re reminding you that they don’t support Windows 8 yet, because some lame excuse about ‘not yet stable, official, standard, or Linux’.

Don’t take any of that. Simply open the Desktop.

What? Yes, Windows 8 has a Desktop. And a Command Prompt, and PowerShell. Even in the RT version.

Oh, uh, yeah, back to the instructions.

Forget navigating the desktop, just do Windows-X, and then W, to open the Network Connections group, like this:


Select the VPN network you’ve created, and select the option to “Change settings of this connection”:


In the Properties window that pops up, you need to select the Security tab:


OK, so that’s weird. The Authentication Group Box has two radio buttons – but neither one is selected. My Grandma had a radio like that, you couldn’t tell what station you were going to get when you turn it on – and the same is generally true for software. So, we should choose one:


It probably matters which one you choose, so check with your IT team (tell them you’re connecting from Windows 7, if you have to).

Then we can connect again:


And… we’re connected.

Now for another surprise, when you find that the Desktop Internet Explorer works just fine, but the “Modern UI” (formerly known as “Metro”) version of IE decides it will only talk to sites inside your LAN, and won’t talk to external sites. Oh, and that behavior is extended to any Metro app that embeds web content.

I’m still working on that one. News as I have it!

For Surfaces rendered

I often thought I’d like to have a career in 3D animation, solely so I could send out invoices with the title of this blog post as their content.


It seems a little late for me to choose that career, so I’ll have to use that title for a blog posting about my Surface, now that I am three weeks in to using it.


There’s no secret (or if there is, it’s poorly hidden) to the fact that MVPs visiting Redmond for the MVP Summit this year received a pretty sweet deal on a 32GB Surface 2 and Touch Cover. Along with hundreds of my brethren, I lined up at the Microsoft Store in Bellevue yelling “shut up and take my money!”


As an actual purchase, rather than a complete giveaway, I did have to pass the purchasing decision through my boss. Fortunately, she agreed that it was a good buy, as long as I treated it as a purchase of a toy for me, and stopped trying to persuade her it was a bona fide business investment for the company. Canny woman, my wife, and skilled at reducing arguments to their simplest and most incisive points.


So, a toy it was pitched as, a replacement for my iPad, which I also got for very little money – I won it in a hacking competition. As a toy, I couldn’t expect to get the Surface Pro, which is convenient, because one wasn’t offered.


What’s it like as a toy?


Does it have the Angry Birds, then? Space and Star Wars versions, yes – Rovio hasn’t been paid to get around to porting the others to Windows 8 yet.


It’s also got Minesweeper and Solitaire, with the added thrill of daily challenges, and an Adventure Mode for Minesweeper that looks a little ripped off from Repton. Mahjong, Jetpack Joyride, Cut the Rope, there’s enough games that while you might find a few individual names here and there that are missing, you’ll be able to replace them with something in the same genre.


The front and back camera make for good Skype use, whether you’re having a face-to-face chat, or showing someone the view out the window.


I can read comics, whether through the dozen or so manga readers, or through the Comics app from Comixology. Books come, of course, courtesy of the Kindle app, and of course there’s a native Amazon app as well, although as usual, it’s hard to get a better shopping experience in an app than Amazon has built into the web version.


That’s right, you actually have a version of Internet Explorer 11 built specially for the touch-screen “Modern UI”, which Microsoft used to call Metro, and which thoroughly needs a new name. This version of Internet Explorer is fairly basic, but fully functional for what most people are going to want it for. For most of what I do on the web, it’s certainly sufficient.


On the fringe of toydom


Social media makes its presence felt nicely in the People hub, like on my Windows Phone, where in one place I can keep up with my Twitter, Facebook and LinkedIn friends/followers/minions. I can also post there, although I miss my phone’s ability to post to multiple outlets at once.


If you’ve been paying attention to my gripes about podcast support on my Windows Phone, I have to say that, out of the box, I have the same – or worse – issues with the Surface 2. The native audio player does allow you to create playlists, but infallibly returns you to the start of an MP3 file almost every time you play it anew, apparently whether you played another MP3 file, skipped to a different app, or received a notification. I await the development of a good podcast / audiobook application with support for local MP3s.


On the video front, things are somewhat improved, with the Xbox Video app being the natively supported method to play my MP4s. Sadly, there’s still no subtitle support, as is the case across every single one of Microsoft’s video playing tools – if the file isn’t streaming across the web, with the closed captions in a separate stream, there’s no way to get captions to display. This is a shame, as there is good support for standard subtitles in MP4s on the Apple competition, whether it’s iPad, iPod or iPhone. Microsoft, this can’t be that hard – support accessibility on all your video players, please! [I’m not deaf, but the bus can get a little loud]


Working up to proper use


The Touch Cover is barely usable as a keyboard – but I’ve added a Bluetooth keyboard to my Christmas wishlist, for the serious typing moments, and the Touch Cover is certainly sufficient for those occasional bon mots on the bus or airplane.


Sadly, Live Writer isn’t available for Windows RT, so I’m not likely to use this for many blogs – although to keep myself honest, I am typing this on the Surface using the Touch Cover keyboard.


To write the blog entry, I’m actually using Word with its blogging template.


Woah, did you say Word? On RT?


Why yes, yes I did – but since the presence of Office 2013 on the Surface was advertised (at least, Excel, PowerPoint, OneNote, Word and Outlook), this was hardly a surprise to me – but it seems like a surprise to many of my Apple-owning friends who are just starting to get excited that Apple have deigned to let them have iWorks on their iPads now.


But the inclusion of Office isn’t the only thing that makes this device veer further into the territory of a non-toy.


Surprisingly functional


I wasn’t really expecting that Windows RT would have a desktop mode. I pretty much thought it would be Modern UI apps and nothing else. That seemed like it would suck, because I can’t then copy files across the network for playing MP3s and MP4s on the bus to and from work.


So a friend of mine set my fears at rest before I bought the Surface, and let me know that there was indeed a desktop, and a Windows Explorer. That was the tipping point to realizing I could get along with my Surface.


Then came the surprises.


There’s a Desktop version of Internet Explorer – and this one is fully functional! It even has “View Source” and the F12 Developer Tools, Microsoft’s best-kept secret in IE for some time now. [On your Touch Cover, you get F12 by holding down the “Fn” key as you press “PgDn”] This means I can carry on my Cross-Site Scripting endeavours on my Surface – which I couldn’t do from my iPad at all.


Also not on the iPad, but present on the Surface, a full version of the Command Prompt – I can run all my old batch scripts. Notepad, too (but no WordPad, sadly). Even, and I can’t imagine using the power of this too much, PowerShell!


Flash Player, as well, which isn’t available on the iPad. Remote Assistance and Remote Desktop, so I can connect to a real computer, something that wasn’t a good experience on the iPad.


BitLocker.


Woah, BitLocker? Wow, my hard drive is already encrypted. So too could be the 64GB MicroSD card I’ve attached for extra video and audio storage, again something I can’t do on my iPad.


PerfMon, ResMon, Event Viewer, RegEdit, Windows Scripting Host, all sorts of serious tooling works in the desktop environment. Not Visual Studio, yet, but let’s remember… this is a toy, not a real laptop.


The upshot of which is…


I use my Surface 2 far more than I ever used my iPad.


Despite a few niggling sharp corners that need to be addressed, it irritates me far less than any Apple device I’ve ever owned. This just cements in my mind that, while there are many people who love their Apples, I’m just not their target consumer. I’m not sure that I’m exactly the target consumer of the Surface, but it’s inspired me and continues to grow on me. I’m even starting to write code for it. We’ll see if that becomes anything in due course.


 


Java not yet available for Surface – one more advantage.

Security-SPP errors in the event log. EVERY. THIRTY. SECONDS.

I admit that it’s a little strange to look at your event log fairly often, but I occasionally find interesting behaviour there, and certainly whenever I encounter an unexpected error, that’s where I look first.

Why?

Because that’s actually where developers put information relating to problems you’re experiencing.

So, when I tried to install Windows 8.1 and was told that I would be able to keep “Nothing” – no apps, no settings, etc – I assumed there would be an error in the log.

But all I saw was this:


So, yes, that’s an error with:

Source: Security-SPP
Event ID: 16385
Error Code: 0x80041316

This goes back to September 2, but only because the Application log that it’s in has already run out of room and ‘rolled over’ with too many entries. Presumably, then, the occurrence that caused this was prior to that.

Searching online, I find that there are some others who have experienced the same thing, the most recent of which is in January 2013, and who posted about this error to the TechNet forums.

A Microsoft representative had answered indicating that the cause could be (of all strange things) a partition with no name. Odd. Then they suggested Refreshing or Reinstalling the PC.

I’m not reinstalling unless there’s something hugely wrong, and the refresh didn’t help at all.

So, on to tracing the cause of the problem.

“Schedule” suggests it might be a Task Scheduler issue, and sure enough, when I open up the Task Scheduler (it’s under the Administrative Tools in the Control Panel, so making it very hard to find in Windows 8), I get the following error:


Or for the search engines to find, title: “Task Scheduler”, text: “Task SvcRestartTask: The task XML contains an unexpected node.”

It’s a matter of fairly simple searching (as an Administrator, naturally) to find this file “SvcRestartTask” under C:\Windows\System32\Tasks\Microsoft\Windows\SoftwareProtectionPlatform.

So I moved this file to a document SvcRestartTask.xml in a different folder.

Time to edit it.

Among other lines in the file, these stood out:

    <RestartOnFailure>
      <Priority>3</Priority>
      <Priority>PT1M</Priority>
    </RestartOnFailure>

Odd – two values for Priority, one numeric, one text. So I went hunting in a file from a system that didn’t have that problem. I found these lines in the same place:

    <Priority>7</Priority>
    <RestartOnFailure>
      <Interval>PT1M</Interval>
      <Count>3</Count>
    </RestartOnFailure>

So, clearly something had written to the SvcRestartTask file with incorrect names for these elements. Changing them around in my XML version of the file, I reopened the Task Scheduler UI, navigated down to Microsoft / Windows / SoftwareProtectionPlatform, and imported the XML file there. [This is under “Actions”, but you can also right-click the folder SoftwareProtectionPlatform and select “Import”, then “Refresh”]

Sadly, this wasn’t quite the end of things, because the Task Scheduler UI fails to talk to the Task Scheduler service. Nor can I restart the Task Scheduler service directly.

So a restart will take care of that, and sure enough, now that I’ve restarted, I see no more of these 16385 errors from Security-SPP.

It’s just a shame it took so long to get this answer, and that the Microsoft-supplied answer in the forums is incomplete.
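The manual comparison above can be automated. As an added example (not code from the original post), this Python checker flags misnamed, duplicated or missing children of `<RestartOnFailure>` in a task definition; it assumes, from the working file shown above, that the element holds exactly one `<Interval>` and one `<Count>`, and the function names and the two sample documents are constructed for illustration.

```python
import os
import re
import xml.etree.ElementTree as ET

# Assumption taken from the working file above: <RestartOnFailure> holds
# exactly one <Interval> (a duration such as PT1M) and one <Count> (an integer).
EXPECTED = ("Interval", "Count")
DURATION = re.compile(r"^P(?=.)(\d+Y)?(\d+M)?(\d+D)?(T(?=.)(\d+H)?(\d+M)?(\d+S)?)?$")

def local_name(tag):
    """Drop the '{namespace}' prefix ElementTree puts on qualified tags."""
    return tag.rsplit("}", 1)[-1]

def guess_name(text):
    """Suggest the element a misnamed value belongs to, judging by its shape."""
    if DURATION.match(text):
        return "Interval"
    if text.isdigit():
        return "Count"
    return None

def check_task(xml_data):
    """Return a list of findings for one task definition (str or bytes)."""
    findings = []
    for node in ET.fromstring(xml_data).iter():
        if local_name(node.tag) != "RestartOnFailure":
            continue
        seen = {}
        for child in node:
            name, text = local_name(child.tag), (child.text or "").strip()
            if name not in EXPECTED:
                hint = guess_name(text)
                note = f", value looks like <{hint}>" if hint else ""
                findings.append(f"unexpected <{name}>{text}</{name}>{note}")
            elif name in seen:
                findings.append(f"duplicate <{name}>")
            else:
                seen[name] = text
        findings += [f"missing <{n}>" for n in EXPECTED if n not in seen]
        if "Interval" in seen and not DURATION.match(seen["Interval"]):
            findings.append(f"<Interval> is not a duration: {seen['Interval']}")
        if "Count" in seen and not seen["Count"].isdigit():
            findings.append(f"<Count> is not an integer: {seen['Count']}")
    return findings

def scan_folder(folder):
    """Check every file under folder (task files carry no extension)."""
    report = {}
    for dirpath, _dirs, files in os.walk(folder):
        for fname in files:
            path = os.path.join(dirpath, fname)
            try:
                with open(path, "rb") as fh:  # bytes: parser honours the file's own encoding
                    problems = check_task(fh.read())
            except (ET.ParseError, OSError) as exc:
                problems = [f"unreadable: {exc}"]
            if problems:
                report[path] = problems
    return report

# Constructed samples: the two fragments from this post inside a minimal task document.
TASK = ('<Task xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">'
        "<Settings>{}</Settings></Task>")
BROKEN = TASK.format("<RestartOnFailure><Priority>3</Priority>"
                     "<Priority>PT1M</Priority></RestartOnFailure>")
WORKING = TASK.format("<Priority>7</Priority><RestartOnFailure>"
                      "<Interval>PT1M</Interval><Count>3</Count></RestartOnFailure>")

if __name__ == "__main__":
    for label, doc in (("broken", BROKEN), ("working", WORKING)):
        print(label, check_task(doc))
```

On an affected machine, call `scan_folder` on C:\Windows\System32\Tasks from an Administrator session to list every task file with the same damage.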

Oh, and of course, one last thing – what does SPP (Software Protection Platform) actually do?

Since this is an element of the Windows Genuine Advantage initiative, with the goal of preventing use of pirated copies of Windows, you might consider you don’t really need / want it around. Either way, you definitely don’t want it clearing your Application event log out every three weeks!

Credential Provider update–Windows 8 SDK breaks a few things…

You’ll recall that back in February of 2011, I wrote an article on implementing your first Credential Provider for Windows 7 / 8 / Server 2008 R2 / Server 2012 – and it’s been a fairly successful post on my blog.

Just recently, I received a report from one of my users that my version of this was no longer wrapping the password provider on Windows Server 2008 R2.

As you’ll remember from that earlier article, it’s a little difficult (but far from impossible) to debug your virtual machine to get information out of the credential provider while it runs.

Just not getting called

Nothing seemed to be obviously wrong, the setup was still executing the same way, but the code just wasn’t getting called. For the longest time I couldn’t figure it out.

Finally, I took a look at the registry entries.

My code was installing itself to wrap the password provider with CLSID “{60b78e88-ead8-445c-9cfd-0b87f74ea6cd}”, but the password provider in Windows Server 2008 R2 appeared to have CLSID “{6f45dc1e-5384-457a-bc13-2cd81b0d28ed}”. Subtle, to be sure, but obviously different.

I couldn’t figure out immediately why this was happening, but I eventually traced back through the header files where CLSID_PasswordCredentialProvider was defined, and found the following:

    EXTERN_C const CLSID CLSID_PasswordCredentialProvider;

    #ifdef __cplusplus

    class DECLSPEC_UUID("60b78e88-ead8-445c-9cfd-0b87f74ea6cd")
    PasswordCredentialProvider;
    #endif

    EXTERN_C const CLSID CLSID_V1PasswordCredentialProvider;

    #ifdef __cplusplus

    class DECLSPEC_UUID("6f45dc1e-5384-457a-bc13-2cd81b0d28ed")
    V1PasswordCredentialProvider;
    #endif

As you can see, in addition to CLSID_PasswordCredentialProvider, there’s a new entry, CLSID_V1PasswordCredentialProvider, and it’s this that points to the class ID that Windows Server 2008 R2 uses for its password credential provider – and which I should have been wrapping with my code.

The explanation is obvious

It’s clear what happened here with a little research. For goodness-only-knows-what-unannounced-reason, Microsoft chose to change the class ID of the password credential provider in Windows 8 and Windows Server 2012. And, to make sure that old code would continue to work in Windows 8 with just a recompile, of course they made sure that the OLD name “CLSID_PasswordCredentialProvider” would point to the NEW class ID value. And, as a sop to those of us supporting old platforms, they gave us a NEW name “CLSID_V1PasswordCredentialProvider” to point to the OLD class ID value.

And then they told nobody, and included it in Visual Studio 2012 and the Windows 8 SDK.

In fact, if you go searching for CLSID_V1PasswordCredentialProvider, you’ll find there’s zero documentation on the web at all. That’s pretty much unacceptable behaviour, introducing a significantly breaking change like this without documentation.

So, how to support both values?

Supporting both values requires you to try and load each class in turn, and save details indicating which one you’ve loaded. I went for this rather simple code in SetUsageScenario:

    IUnknown *pUnknown = NULL;
    // Try the class ID that the Windows 8 SDK gives the familiar name first.
    _pWrappedCLSID = CLSID_PasswordCredentialProvider;
    hr = ::CoCreateInstance(CLSID_PasswordCredentialProvider, NULL, CLSCTX_ALL, IID_PPV_ARGS(&pUnknown));
    if (hr == REGDB_E_CLASSNOTREG)
    {
        // Not registered on this platform: fall back to the V1 class ID
        // and record that this is the provider being wrapped.
        _pWrappedCLSID = CLSID_V1PasswordCredentialProvider;
        hr = ::CoCreateInstance(CLSID_V1PasswordCredentialProvider, NULL, CLSCTX_ALL, IID_PPV_ARGS(&pUnknown));
    }

Pretty bone-dead simple, I hope you’ll agree – the best code often is.

Of course, if you’re filtering on credential providers, and hope to hide the password provider, you’ll want to filter both providers there, too. Again, here’s my simple code for that in Filter:

    if (IsEqualGUID(rgclsidProviders[i], CLSID_PasswordCredentialProvider))
        rgbAllow[i]=FALSE;
    if (IsEqualGUID(rgclsidProviders[i], CLSID_V1PasswordCredentialProvider))
        rgbAllow[i]=FALSE;



If that wasn’t nasty enough…



Ironically, impacting the Windows XP version of the same package (which uses a WinLogon Notification Provider, instead of a Credential Provider), another thing that the Windows 8 SDK and Visual Studio 2012 did for me is that it disabled the execution of my code on Windows XP.



This time, they did actually say something about it, though, which allowed me to trace and fix the problem just a little bit more quickly.



The actual blog post (not official documentation, just a blog post) that describes this change is here:



Windows XP Targeting with C++ in Visual Studio 2012



What this blog indicates is that a deliberate step was taken to disable Windows XP support in executables generated by Visual Studio 2012. You have to go back and make changes to your projects in order to continue supporting Windows XP.



That’s not perhaps so bad, because really, Windows XP is pretty darn old. In fact, in a year from now it’ll be leaving its support lifecycle, and heading into “Extended Support”, where you have to pay several thousand dollars for every patch you want to download. I’d upgrade to Windows 7 now, if I were you.