Tuesday, September 28, 2010

Active Directory Web Services (ADWS)

This is a service that came with Windows Server 2008 R2 and provides a Web service interface to AD DS, AD LDS and the AD Database Mounting Tool instances that are running on the same server as ADWS.

ADWS is installed automatically when you add the AD DS or AD LDS role to your server.

What happens if I stop it?
The PowerShell module and AD Administrative Center will not be able to access any directory instances on the server. I personally think that in the future even more applications will stop working as well.

Any considerations?
Yes, ADWS requires TCP port 9389 to be open on the servers that run ADWS.

Can I configure how the traffic is handled?
Yes, in the %windir%\ADWS directory there is a file called Microsoft.ActiveDirectory.WebServices.exe.config that you can edit. These are the default values:

Parameter name: MaxConcurrentCalls
Default value: 32
Description: Specifies the maximum number of simultaneous service requests that the ADWS service is configured to process at a given time. Set a higher value for this parameter if the ADWS service on your Windows Server 2008 R2 server must be able to process more than 32 service requests at any given time.

Parameter name: MaxConcurrentSessions
Default value: 500
Description: Specifies the maximum number of client sessions that the ADWS service can accept at any given time. Set this parameter to a higher value if the ADWS service on your Windows Server 2008 R2 server must be able to accept more than 500 concurrent client sessions at any given time.

Parameter name: MaxReceivedMessageSize
Default value: 1 MB
Description: Specifies the maximum message request size, in megabytes (MB), that a client computer can send to the directory service instances that the ADWS service supports. This setting can affect the memory consumption of the ADWS service. For example, if MaxConcurrentCalls is set to 32 and MaxReceivedMessageSize is set to 1 MB, the ADWS service is configured to process a maximum of 32 MB in client message requests at any given time.

Parameter name: MaxStringContentLength
Default value: 32 KB
Description: Specifies the maximum string size, in kilobytes (KB) of a Lightweight Directory Access Protocol (LDAP) attribute that the ADWS service is configured to process in a message request that a client computer sends to a directory service instance that the ADWS service supports. Increasing this value can increase the maximum possible memory consumption of the ADWS service.

Parameter name: MaxPoolConnections
Default value: 10
Description: Specifies the maximum number of LDAP connections for each directory service instance that is used by the ADWS service that is running on a given Windows Server 2008 R2 server.

For example, if MaxPoolConnections on a particular Windows Server 2008 R2 server is set to 10 and there are 3 directory service instances running on this server, ADWS uses a maximum of 10 LDAP connections to each of these directory service instances to process requests that are sent to the ADWS service. Along with MaxConcurrentCalls, this can affect the maximum number of simultaneous requests that the ADWS service can process. Set this parameter to a higher value if you notice that client service requests are timing out while they wait for an LDAP connection to be available to process their request.

Note: To improve performance, the ADWS service on a Windows Server 2008 R2 server maintains a separate LDAP connection pool for every directory service instance that is running on this server. For example if your Windows Server 2008 R2 server is a domain controller (and is, therefore, running the AD DS server role) and also a global catalog server and if it is running two AD LDS instances and one Active Directory Database Mounting Tool instance (a total of five directory service instances), the ADWS service on this Windows Server 2008 R2 server maintains five separate LDAP connection pools. Because a global catalog does not share the same LDAP port as AD DS, it is considered a separate directory instance.

Parameter name: MaxPercentageReservedConnections
Default value: 50%
Description: Specifies the percentage of LDAP connections that are reserved for performing query operations for each directory service instance that the ADWS service supports on a given Windows Server 2008 R2 server. Set this parameter to a higher percentage if the ADWS service on this Windows Server 2008 R2 server is used mostly for running queries.

Parameter name: MaxConnectionsPerUser
Default value: 5
Description: Specifies the maximum number of LDAP connections (to a single directory service instance) that the ADWS service permits to be used at one time for operations that are associated with a single set of client credentials (one user). Set this parameter to a higher value if you are experiencing more than five concurrent client requests by one user to a single directory service instance running on your Windows Server 2008 R2 server. The value of MaxConnectionsPerUser cannot be greater than the value of MaxPoolConnections. If the value of MaxConnectionsPerUser is equal to the value of MaxPoolConnections, it will allow a single set of client credentials (for a single client computer) to consume all available LDAP connections for a given directory service instance.

Parameter name: MaxEnumContextExpiration
Default value: 30 minutes
Description: Specifies the maximum allowed time period during which the ADWS service processes and retrieves the results of a query request from a client computer.

Caution: Changing the default value of this parameter is strongly discouraged. Most of the search results are returned within 30 minutes.

Parameter name: MaxPullTimeout
Default value: 2 minutes
Description: Specifies the maximum allowed time-out value that a client computer can set when it retrieves one page of search results. Set this parameter to a higher value if slow wide area network (WAN) traffic results in a time-out value for returning one page of search results that is longer than two minutes.

Note: The ADWS service processes search requests from client computers in the following manner:
- A client submits a search request.
- The ADWS service establishes a search context and returns a search context ID to the client computer.
- Using this search context ID, the client computer issues a page request to extract the search results specifying how many LDAP objects can be returned per page.

MaxPullTimeout controls the maximum amount of time a client can ask the ADWS service to spend retrieving a page of results, while MaxEnumContextExpiration is the maximum time that the search context can be kept open.

Parameter name: MaxEnumCtxsPerSession
Default value: 5
Description: Specifies the maximum number of search requests (search contexts) that can be submitted over a single client session to the ADWS service.

Parameter name: MaxEnumCtxsTotal
Default value: 100
Description: Specifies the maximum number of search requests (search contexts) that can be submitted over all active client sessions to the ADWS service.

Parameter name: MaxGroupOrMemberEntries
Default value: 5000
Description: Specifies the maximum number of group members (recursive or non-recursive), group memberships, and authorization groups that can be retrieved by the Active Directory module Get-ADGroupMember, Get-ADPrincipalGroupMembership, and Get-ADAccountAuthorizationGroup cmdlets. Set this parameter to a higher value if you anticipate these cmdlets to return more than 5000 results in your environment.

Note: This setting can affect the memory consumption of the ADWS service.
This configuration parameter is applicable only to the three Active Directory module cmdlets mentioned above.
If your operation returns an exceptionally large results set, you might run into a non-configurable 5-minute timeout.

Parameter name: OperationTimeout
Default value: 2 minutes
Description: Specifies the timeout limit for any ADWS service-based query request. Set this parameter to a higher value if you expect your query to return an exceptionally large results set that might take longer than 2 minutes to retrieve.

Recommendations:
- Let ADWS run on all domain controllers.
- Don't edit the config file unless you really need to.
- Do remember that this config file is not replicated. You need to edit it on all domain controllers.
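Because the config file is not replicated, the practical check is to read it from every domain controller and compare. The script below is an added example, not part of the original post: it reads the file over the admin$ share, fills in the defaults listed above for any key that is absent, warns when a value differs between DCs, and warns when MaxConnectionsPerUser exceeds MaxPoolConnections. It assumes the parameters are stored as <add key="..." value="..."/> entries under <appSettings> and that the stored numbers use the same units as the table above (MB, KB, percent, minutes); verify both against your own file before relying on the output.

```powershell
# Added example (not from the original post). Defaults below are the values the post lists;
# the units (MB, KB, percent, minutes) are assumed to match what the config file stores.
$Defaults = [ordered]@{
    MaxConcurrentCalls = 32;  MaxConcurrentSessions = 500
    MaxReceivedMessageSize = 1;  MaxStringContentLength = 32
    MaxPoolConnections = 10;  MaxPercentageReservedConnections = 50
    MaxConnectionsPerUser = 5;  MaxEnumContextExpiration = 30
    MaxPullTimeout = 2;  MaxEnumCtxsPerSession = 5;  MaxEnumCtxsTotal = 100
    MaxGroupOrMemberEntries = 5000;  OperationTimeout = 2
}

function Get-AdwsEffectiveConfig {
    # Returns the effective value of each parameter: the configured value if the key is
    # present under <appSettings> (assumed layout), otherwise the default from the post.
    param([Parameter(Mandatory)][string]$Path)
    [xml]$cfg = Get-Content -LiteralPath $Path -Raw
    $eff = [ordered]@{}
    foreach ($name in $Defaults.Keys) {
        $node = @($cfg.configuration.appSettings.add | Where-Object { $_.key -eq $name })
        $eff[$name] = if ($node.Count -gt 0) { [int]$node[0].value } else { $Defaults[$name] }
    }
    # The post states this constraint explicitly; flag a file that violates it.
    if ($eff.MaxConnectionsPerUser -gt $eff.MaxPoolConnections) {
        Write-Warning "$Path : MaxConnectionsPerUser ($($eff.MaxConnectionsPerUser)) exceeds MaxPoolConnections ($($eff.MaxPoolConnections))"
    }
    return $eff
}

function Compare-AdwsConfigAcrossDCs {
    # Reads %windir%\ADWS\...exe.config from each DC via \\<dc>\admin$ and reports drift,
    # since the file is not replicated and must be edited on every DC by hand.
    param([Parameter(Mandatory)][string[]]$DomainController)
    $perDc = [ordered]@{}
    foreach ($dc in $DomainController) {
        $perDc[$dc] = Get-AdwsEffectiveConfig "\\$dc\admin`$\ADWS\Microsoft.ActiveDirectory.WebServices.exe.config"
    }
    foreach ($name in $Defaults.Keys) {
        $distinct = @($perDc.Values | ForEach-Object { $_[$name] } | Sort-Object -Unique)
        if ($distinct.Count -gt 1) {
            $detail = ($perDc.Keys | ForEach-Object { "$_=$($perDc[$_][$name])" }) -join ', '
            Write-Warning "$name differs across DCs: $detail"
        }
    }
    return $perDc
}

# Usage (run as a user who can read admin$ on the DCs):
# Compare-AdwsConfigAcrossDCs -DomainController (Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName)
```

An edit to the file only takes effect after the ADWS service is restarted on that DC (Restart-Service ADWS), so a value that looks changed in the file may not yet be what the service is using.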

Down-level servers (Windows Server 2003 SP2, R2, 2008, 2008 SP2):
The Active Directory Management Gateway Service provides the same functionality as ADWS on 2008 R2. It is available as a download on the Microsoft web site.

Are there absolutely no differences between ADWS and AD Management Gateway Service?
Yes, there is one difference that you will see: the AD Management Gateway Service does not support instances of the AD Database Mounting Tool running on Windows Server 2008.

Authentication Mechanism Assurance

Many people ask me about this feature and how it works. Let me first give an example scenario:

Let's say you have a user named Mark who is a member of the department Section5. Section5 deals with classified development. In the classical Windows way, you would create a group, let's name it "S5-Classified" (stupid name but it is just an example), and add the users within the department Section5 to it.

Let's say you have a file server with a share with top secret material, and you want only the members of the group S5-Classified to have access to it. You obviously grant the S5-Classified group the needed access, right?

This is all good, except that you now want them to be able to access the files only when they log on with a certificate-based logon. That is, they should not be able to access it without the smart card.

So this is what it is all about: granting access based on the logon method. With certificate-based logon you get a certain level of access; without a smart card you get less access.

What happens behind the GUI:
First, it is not enabled by default in Windows Server 2008 R2, and it requires the Windows Server 2008 R2 domain functional level (DFL). When you enable it, authentication mechanism assurance adds a universal group (which you as an admin designate) to the user's access token when the user logs on with a certificate-based method.

So if access is granted based on the designated universal group, the user Mark has access only when using a certificate-based logon. With any other logon method the universal group is not present in the access token, and thus there is no access.