So Windows 8 is here, to little fanfare at the University. While I am always happy to have an updated version of Windows to work with, I see that I have yet to blog anything about it. Perhaps that is because, unlike with the release of Windows 7, there was so little that was relatively “wrong” with the previous release. I find myself with not much “to do” to get the enterprise ready for Windows 8. Other reasons for the lack of hype… Windows 7 applications seem, for the most part, to “just work” on Windows 8, thus necessitating very little in the way of application compatibility planning.
Still, we have run into a few hiccups. I spent most of the last two days updating the UVM WiFi Configuration Tool scripts and experimenting with Group Policy settings to make WPA2-protected wireless working consistently (Previously discussed here, way back in ought-eight.). In the end, there was very little that I did to the WiFi policies that was Windows 8 specific. The WiFi profile that we are using maintains backward compatibility with both Windows 7 and Windows Vista.
Here are the details:
- The 802.1x settings in our WiFi profile was updated to use “user authentication” instead of “user or computer authentication”. Under XP, this option was called “user reauthentication”. “ReAuthentication” meant that the computer would attempt to log on as the computer account, but that if the connection was lost, it would re-authenticate as the logged on user. Under XP, it was not possible to prevent computer authentication attempts. However, under Win7/Win8, user authentication is just that… only user authentication is attempted, computer authentication is excluded. We have verified this by looking at the RADIUS server logs. Switching to “user authentication” will cut down on log errors on the RADIUS servers, and will result in fewer errors on client systems as well.
- We have added a new trust anchor for our RADIUS server certificate in the WiFi profile. This was necessitated by mergers and acquisitions on the CA business. “Equifax” provided our original WPA2/PEAP certificate. When we went to renew our certificate, we found that Equifax had been acquired by GeoTrust, and that new certificates would be issued from a GeoTrust intermediate CA. However, this intermediate CA would be cross-signed using the Equifax root CA, so the Equifax trust anchor would still work. The problem is that if a system has both the GeoTrustandEquifax certs present in the local trusted roots certificate store, it will validate the “radius.uvm.edu” up to the GeoTrust anchor, and will ignore the cross-signing with Equifax. This results in WiFi connection errors. When I add the GeoTrust cert as an additional trust anchor, the problem goes away.
- The VBScript I use to install the WiFi profile is packaged inside a 7-Zip self extractor. The use of this self-extractor triggers the Windows “Program Compatibility Assistant”, which in turn raises a “This program might not have installed correctly” error after the tool runs. This problem is corrected by embedding a “manifest” file into the tool. Typically, this is done using the “mt.exe” tool included in the Windows SDK. Unfortunately, MT.exe corrupts self-extracting 7-Zip archives (this also is a known problem with WinRAR, and perhaps other similar tools). Fortunately I was able to work around the problem using “Resource Tuner” from Heaventools. I needed to add “trustInfo” and “compatibility” sections to the manifest. My blog engine is really bad about posting XML content in a page, so I will forego posting the manifest here. You can find sample manifests pretty easily though Google.
- When we run the packaged configuration tool, we get a warning that the application package is unsigned and may not be trustworthy. I used “signtool.exe” from the Windows SDK to add a signature to the executable, so now it is considered somewhat more trustworthy. Good instructions on the use of signtool.exe can be found here:
I am using a code signing cert that we obtained from the InCommon.org certificate service, hosted by Comodo. It works.
- Finally, I updated the profile installer VBScript to make reconfiguration a bit easier (subroutines were converted to functions so that variables set at the start of the script can be passed down to the function. We then can set things like the trust anchor name, WiFi network name, and log file name at the start of the script where they are more easily edited. Also, I removed support for Windows XP… no more Service Pack detection, Hotfix installation, or third-party profile installation utilities are needed by the script. I was able to hack the script down to about a quarter of its original size as a result. The new script is included below, for those who like that sort of thing…
Option Explicit 'On Error Resume Next 'Install UVM WPA2-Enterprise wireless profile ' Version 1.3 by J. Greg Mackinnon, University of Vermont ' Supported platforms: Windows Vista, 7, and 8 ' Requires external tools: "CertMgr.exe" (from the Windows Platform SDK) ' Requires external files: Root CA certificate file, ' WiFi XML configuration files for Vista+ Windows OS. ' (obtained by running "netsh wlan export profile UVM .\" ' NOTE: modify variables in the "Define variables" section to suit your environment. 'History: ' Version 1.0 - Supported UVM WiFi using WPA2, Equifax certs, Windows XP SP2+ and Vista OS ' Version 1.1 - Updated to support Windows 7 ' Version 1.2 - Updated to support Windows 8. Removed support for XP ' - Removed third-party "ZWlanCfg" utility and OS Hotfix installation functions (were only needed for XP support) ' Version 1.3 - Converted existing subroutines to functions to allow for easier switching of CAs and WiFi networks. ' - Moved Global Variables to the top of the script for easier modification. ' - Updated CA cert and WPA Profile supporting files to use "GeoTrust" instead of "Equifax". ' Create constants Const cLogFile = "install_UVM_WiFi.log" ' Declare variables Dim oShell, oUserEnv, oFSO, oFile, oRegExp Dim iSPVer Dim sTempEnv, strComputer, sOSTest, sOS, sCertName, sCertFile, sNetName, sProfileFile Dim bReRun ' Define variables bReRun = False strComputer = "." sOSTest = "Vista|Windows 7|Windows 8" 'Regular Expression for OS compatibility testing sCertName = "GeoTrust Global CA" 'Friendly name of the trust anchor certificate sCertFile = "GeoTrustGlobalCA.cer" 'Name of the trust anchor file sNetName = "UVM" 'Name of the WiFi Access Point sProfileFile = ".\Wi-Fi-UVM.xml" 'Name of the Vista+ wlan profile file. ' Instantiate global objects Set oShell = WScript.CreateObject("WScript.Shell") Set oFSO = CreateObject("Scripting.FileSystemObject") sTempEnv = oShell.ExpandEnvironmentStrings("%TEMP%") & "\" Set oFile = oFSO.CreateTextFile(sTempEnv & cLogFile,True) Set oRegExp = New RegExp oRegExp.IgnoreCase = True oRegExp.Global = True oRegExp.Pattern = sOSTest ''''''''''''''''''''''''''''''''' ' Define Functions ' Function fDetectOS(sOS, iSPVer) 'Detect OS Function - detects OS Caption string and Service Pack integer from WMI WIN32_OperatingSystem. 'Expects to varibles passed, returns the full OS Caption String, and SP Major Version intger 'Declare variables Dim colItems Dim objWMIService, objItem 'Instantiate local objects/collections Set objWMIService = GetObject("winmgmts:\\" & strComputer & "\root\CIMV2") Set colItems = objWMIService.ExecQuery("Select * from Win32_OperatingSystem") For Each objItem In colItems sOS = objItem.Caption oFile.WriteLine "Detected Operating System: " & sOS iSPVer = CInt(objItem.ServicePackMajorVersion) oFile.WriteLine "Detected Service Pack Version: " & iSPVer oFile.WriteLine "Service Pack Minor Version: " & objItem.ServicePackMinorVersion Next 'Clean local objects/variables Set objItem = Nothing Set colItems = Nothing Set objWMIService = Nothing End Function Function fInstCert(sCertName,sCertFile) ' Installs cert with sCertName root CA cert into machine "root" store. ' Requires: certmgr.exe from the Windows Platform SDK (available with VS .NET or VS 2008 installations), ' sCertName variable - contains the friendly name of the root CA ' sCertFile variable - contains the name of the root CA certificate file ' Requres: Root CA cert file ' Notes: We use the "root" argument to certmgr.exe to install into the "Trusted Root Certificate Authorities". ' We also could use "ca" to install Intermediate Certificate Authorities. ' In a previous version of this script we used "oShell.Run", but his returned unexpected results on the ' Windows 7 platform... using .Exec now. Dim bCertPresent, bInstSuccess Dim oExec Dim sOut bCertPresent = false bInstSuccess = false set oExec = oShell.Exec("certmgr.exe -c -s -r localMachine root") Do Until oExec.StdOut.AtEndOfStream sOut = oExec.StdOut.ReadLine() if InStr(sOut, sCertName) Then 'oFile.WriteLine sOut 'WScript.Echo sOut bCertPresent = true End If Loop if bCertPresent = false then oFile.WriteLine "Root Certificate for """ & sCertName & """ needs to be installed. Attempting install..." set oExec = oShell.Exec("certmgr.exe -add -c " & sCertFile & " -s -r localMachine root") Do Until oExec.StdOut.AtEndOfStream sOut = oExec.StdOut.ReadLine() if InStr(sOut, "Succeeded") Then 'oFile.WriteLine sOut bInstSuccess = true End If Loop if bInstSuccess = true then oFile.WriteLine "Certificate installed successfully" else oFile.WriteLine "Certificate failed to install... You will need to install the " _ & "certificate manually. See the instructions at https://www.uvm.edu/ets/wireless " _ & ", then run this script again to compelte installation of the UVM wireless profile." WScript.Quit -2 end if else oFile.WriteLine "Root Certificate for """ & sCertName & """ is already installed." End If End Function Function fImportProfile(sProfileFile,sNetName) 'Imports Vista+ Wireless Profile using NETSH command. 'Requires: a Vista+ wifi profile file exported using NETSH, ' sProfileFile - string containing name of the wlan XML profile file to be imported ' sNetName - string contining the name of the wlan profile name (WiFi Network Name) 'On Error Resume Next Const cUserScope = "all" Dim iStrMatch Dim oExec, oStdOut Dim sStdOutLine oFile.WriteLine "Executing command: netsh wlan add profile filename=""" & sProfileFile & """ user=" & cUserScope & "" Set oExec = oShell.Exec("netsh wlan add profile filename=""" & sProfileFile & """ user=" & cUserScope & "") Set oStdOut = oExec.stdOut While Not oStdOut.AtEndOfStream sStdOutLine = oStdOut.ReadLine oFile.WriteLine(sStdOutLine) iStrMatch = CInt(InStr(sStdOutLine, "Profile " & sNetName & " is added on interface")) If iStrMatch > 0 Then WScript.Echo "The " & sNetName & " wireless profile was added successfully to your system" ElseIf iStrMatch = 0 Then WScript.Echo "The wireless profile failed to import. Please see the manual profile " _ & "configuration instructions available at http://www.uvm.edu/ets/wireless. A " _ & "log file named " & cLogFile & " which contains the full error message can be " _ & "found in the " & sTempEnv & " directory." WScript.Quit -3 End If Wend Set oStdOut = Nothing Set oExec = Nothing End Function ' ' End Functions ''''''''''''''''''''''''''''''''' ''''''''''''''''''''''''''''''''' ' Begin Main ' fDetectOS sOS, iSPVer If oRegExp.Test(sOS) = True Then fInstCert sCertName, sCertFile fImportProfile sProfileFile, sNetName Else oFile.WriteLine "Your operating system is not supported for use with this script." WScript.Quit -4 End If oFile.close ' Environment cleanup Set oFile = Nothing Set oFSO = Nothing Set oUserEnv = Nothing Set oShell = Nothing Set oRegExp = Nothing ' ' End Main ''''''''''''''''''''''''''''''''''