I've been doing some work for a client and in order to connect to their system, I need to use a Cisco VPN client. I ran into some problems, and after asking Google about it, really did not find anything useful. So - for the sake of others who may run into this - here's what happened.

After installing the VPN client on my main development workstation, I noticed that connections to other servers on our LAN were slow. Really slow. 30-60 seconds to connect, and the same time to list files in a folder. Essentially I could not use my workstation to do anything on my LAN. This is a problem because nearly everything I work with in enterprise system development is NOT on my workstation - the database, ArcGIS Server, Visual Studio Templates, AzMan etc.

We eliminated problems with my domain account by having other users log into my system, and having me log into other systems. Anyone who logged into my box experienced this same behavior. If I logged into another box, connections to LAN resources were just fine. The problem was isolated to my Windows XP workstation (SP2). 

I un-installed the Cisco VPN client, only to find that the problem did not go away. I tried to restore my system to a previous check point, but that failed (regardless of how far back I chose to go). From here, I turned to our IT group and after a lot of remoting into my box, it was determined that re-paving the box was likely the solution.

While that system was being re-built, I still had to address my client's needs. So I installed the same Cisco VPN client on my notebook and tried to connect via wireless with little success. After some calls to the client's IT group, apparently this VPN client does not jive with wireless - no specifics, just "use the LAN". Since the Ethernet adapter on my notebook is toasted, I warily installed the VPN client on yet another workstation. As soon as it was installed, I experienced exactly the same behavior as on my workstation - exceptionally slow LAN connectivity. Thinking I had just signed up another workstation for re-paving, I tried using system restore, and this time it worked.

I then went back to my notebook and tried accessing LAN resources - and it too has the very slow LAN access. Three out of three - I think I can say that it's the Cisco software! I can live with this on my notebook since I don't do any development with it - mainly presentations and research type coding. I was able to dig up an old USB to Ethernet converter, got hooked into Ethernet, and am working away on my client's system. Getting files to my notebook has devolved into sneaker-net +USB-drive fun and games. And my main workstation is up and running again (still need to install ArcGIS Desktop et al)

Solutions

I don't have any solution that keeps the VPN client on the box. Maybe upgrading, but in talking to others, it sounds like you need to keep the client and server sides of the VPN in synch, so that may not be an option.

1. Un-install the VPN client if at all possible - dedicated an old PC for VPN access if you can.
2. Try doing a system restore in Windows XP - restore to a date prior to installing the Cisco VPN client.
3. Failing that, you're looking at a re-format & re-install your OS. Have fun!

Some stuff for Google...

Software Version: Cisco VPN Connection 4.8.01.0300, Windows XP SP2
Keywords: Slow LAN Windows file share network mounted drives

This was going to be a single post, but it got too long - so this first part introduces Authorization Manager and describes how to get it setup, and the second part will discuss how to apply this technology in the ArcGIS environment.

Authorization Manager
Also known as AzMan, this is a component of Windows Server 2003 which provides a "role-based" security store along with a developer API that you can work against. At it's core, AzMan works with "Operations" to which access is granted or revoked based on role membership. In addition to working directly with roles and groups on the local machine or in Active Directory, AzMan can also manage it's own roles and groups. This is very convenient if IT policy does not allow you to have application specific roles & groups in Active Directory itself. Although the AzMan API (azroles.dll) is installed on XP by default, you need to download the Windows Server 2003 admin kit to get the managment console snap-in. If you are running in Vista or Windows Server 2003, this is already installed.

How it works (30,000 foot view)

The application uses AzMan to ask if a user has access to a particular Operation. AzMan looks at the users group & role membership and determines if they have access. Simple & clean.

This is very nice in that it provides a layer of indirection between your application code and the authorization system. As long as the authorization system knows about the operations you application is going to request, it does not matter how the users are granted access (via Active Directory roles & groups, via AzMan roles & groups, or via individual users). This is much preferable to writing an application which depends on specific roles & groups to exist in Active Directory.

Using AzMan

Before we start building an application, we need to setup an AzMan repository that we can use to control access to our functions. For this example we are using an Xml file to store the repository but it's also worth noting that you can store it in Active Directory. Again, I highly recommend Keith Brown's screen casts for the details. At a high-level, these are the steps:

1) Open the AzMan MMC (Start --> Run --> azman.msc

2) Change to developer mode
3) Create a new repository (xml file)
4) Create an Application ("ExampleApp") and add operations
6) Create roles (Managers) & assign operations to the roles
7) Grant users (local or Active Directory) access to the operation

Just a quick posting for those who get this via an RSS Reader, and may not have seen the update to the original post - I recieved confirmation from ESRI that the password returned in IWorkspace.ConnectionProperties is encrypted. And, for what should be obvious reasons, they will not discuss / disclose the algorithms used (completely reasonable).

I also thought I'd clarify why I wanted to know this information - we are building an application which will manage the connection into ArcSDE, and the end user will not know the connection information. I simply wanted to be sure that they could not get this information via a simple VBA script (like the example @ EDN for IWorkspace.ConnectionProperties). Since the password is encrypted, it would require a substantial hack that's likely on par with the other security layers in the system.

[UPDATE 3/1/07 8:00am : After a few emails with ESRI, they agreed that discussing their public API, as it relates to the security of passwords is reasonable, and they have confirmed that the password that is returned by IWorkspace.ConnectionProperties is encrypted. For obvious reasons they will not disclose any of the technical details. Thanks to ESRI for confirming this, and for permitting me to share the answer.]

[UPDATE 2/28/07 7:50pm : I received a request from ESRI to take this posting, and my related forum post down because they discuss security and encryption related to their software. At this time, I'm taking the posting down, and will work with them to determine a reasonable update. Stay Tuned]

[ORIGINAL POSTING]
I posted a question [I deleted it's contents at ESRI's request] over at the ESRI forums about this, but thought I'd also throw it out here as well. Essentilly, I'm looking to build a secure application, and I want to know if it's possible to extract the connection password from the data returned by IWorkspace.ConnectionProperties. I posted some VBA code from an EDN sample that pulls the connection properties from the first layer in the map and displays the properties in a popup. All I added was a few lines which would actually write out the password byte array.
 
What I'd like to know (preferably from someone @ ESRI) just what that byte array is. I suspect it's the password encrypted, but it could also be a hash. If it is the password encrypted, where is the key? How safe is it? If it is a hash, is it reversible?

[Clarification: In my  original posting, I had asked a series of rhetorical questions (above) - I did not expect to get these answers from ESRI, nor do I really want them - I really just wanted to know that the password is "relatively" safe - i.e. encrypted.]

I'm doing some testing with ArcSDE direct connections and Windows Authentication, and needed a quick way to check how the settings were working for different users. Of course I could go to another PC, and login as one of the test users, or setup a bunch of virtual machines, log into each of them as different users, and test the connections that way, but it seemed like a lot of work when there is the "run as" command in Windows XP.

Basically "Run As" allows you to start up an application or process as a different Windows login. Here's the syntax (showing how to start ArcMap)

runas /user:your-domain\testuser /profile /savecred "C:\Program Files\ArcGIS\Bin\ArcMap.exe"

So, I happliy created some test users on our domain, and whipped up a quick batch file, and ran it, expecting ArcMap to fire up as the specified user. Not quite. I got an error when ArcMap was spinning up - a totally generic "ArcMap has encountered a Problem and needs to close" error. Usually this is a really bad type of error, but before I got too wound up, I thought about things a little, and when ArcMap starts up for the first time, it writes a bunch of stuff into the users profile. But this user does not yet have a profile on my machine since they have never logged in!

So I logged myself out, and logged in as the test user - which created the profile. I then promptly logged out and back in as myself again. Now when I run the batch file - ArcMap happily starts up as the specified user. Nice.

If you are using Windows Authentication with ArcSDE, this can be a useful tool - it can allow you to run in a more restricted mode most of the time, but when you need to you can switch over to a login which has rights to make schema modifications - without having to log out of your windows session.

Let’s face it – ArcGIS Server is not fast. Any there are many processes (raster modeling, map production, data extraction etc) that simply can not be completed in the typical web request – response time frame.

In a recent project, I was creating 36 by 36 inch PDF maps, which was taking around 3 minutes (DRG raster layers really slow this down).

My plan was to create an asynchronous web service which we could simply send requests to, and the client would just continue on, and not wait for a response. The web service itself would notify the end user, via email, when the map was ready to be picked up.

Web Method Attributes

In a generic purely .NET situation, this is relatively easy to do – just add the SoapDocumentMethod attribute to the web method…


When this attribute is in place, the web server returns a HTTP 202 response, which indicates that processing has begun. This occurs prior to the web method being invoked. What’s interesting is that it seems that the ASP.NET impersonation does not work in this situation. When it comes to the point of actually connecting to AGS I get an UnauthorizedAccessException. I added in a little code to show me what the current identify was (WindowsIdentity.GetCurrent().Name) and it was my local ASPNET account. If I change back to SoapDocumentMethod(OneWay=false) the impersonation is working correctly, and right before connecting, I could see the current identity was the impersonated identity that I specified in the web.config file.

Ok – so simply setting SoapDocumentMethod(OneWay=true) is not going to cut it. Time to dig into threading…

Asynchronous Threads
Threading is very cool, and a very hot topic now that multi-core processors are becomming the norm. But, the usual usage is to have some work occur on a background thread, which then notifies the origniating thread that the work is complete. This is not what I want - I want to create a thread, and let it do its work and have it correctly kill itself off. I do not want to have the originating thread wait for it to complete.

Early on in my Googling, I found Mike Woodring’s sample that shows how to support “Fire-and-Forget” for Asynchronous Delegates without leaking. Nice name! Why is this needed you may ask?

Starting with the 1.1 release of the .NET Framework, the SDK docs now carry a caution that mandates calling EndInvoke on delegates you've called BeginInvoke on in order to avoid potential leaks. This means you cannot simply "fire-and-forget" a call to BeginInvoke without the risk of running the risk of causing problems. (from Mike's site)

Mike’s sample code shows exactly how to do this – very elegant, and best of all – it works.  The idea here is that I can call the web service, where I’ve created a delegate to a private method, which actually does the work of creating the map (ok, it calls other classes, but I'm trying to keep this simple!).  Mike’s AsyncHelper class will create a thread and call the delegate, and it will correctly call EndInvoke to clean up memory for me. As soon as FireAndForget is called, the WebMethod exits, and the client can continue. Very nice.

Here’s the web method code:


As you can see, the code is pretty simple, so it was quick to implement, but I ran into the same problem – the identity on the new thread was ASPNET, and not the impersonation account. But – this time I was in a better situation. The impersonation was in effect prior to calling AsynchHelper.FireAndForget – thus I could get the identity without having to dig into the Win32 LogOnUser mess. All I needed to do was create a wrapper function for my real CreateMap function which would take an additional argument: the Identity.

So here’s the new Web Method, and the wrapper function…



The CreateMapAsUser simply impersonates the passed in identity, and then calls the CreateMap function. As long as the impersonation identity has access to ArcGIS Server, all is well.

Summary
If you need to create long-running AGS based web services which can handle their own notification, this is a really good solution. I also tested it’s scalability by firing off requests for ~ 20 maps at a time from my unit tests. And it (slowly) ground through all of them!

I ran into a little trouble getting machines on my LAN to talk to the SQLExpress instance on my workstation, and thought I'd share the answer.

Very simply, all that complaining people did about how Microsoft ships server software in insecure configurations has had an effect. SQLExpress installs in such a way that the only enabled protocol is "Shared Memory" - which basically means localhost access only.

You can change this by opening the SQL Configuration Manager, and enabling TCP/IP and Named Pipes, and then re-starting the service. Then the other client applications can connect.