PAE and VMM… For Parky

Well Parky, you asked, so I’m going to try to answer!

The way I think about PAE is that it kinda works a bit like a stonking great in-memory pagefile might. It doesn’t change the game for 32-bit applications, but it does give the OS more headroom to manage them.

Without PAE, any memory over 4GB can’t be “seen” by the OS itself, so it can’t be used.

With PAE, the memory manager can see all the installed memory, but it doesn’t change the per-process or kernel limits.

So if, for example, you ran 3 database programs at once, each of which used their entire 2GB user address space, with a PAE box and 6+GB, the whole lot would potentially fit into memory (assuming your kernel didn’t mind getting squeezy).

So, in really short form: almost the same architecure, but more RAM!

And you’re right on the other front – after a certain point on a 32-bit Terminal Server, the limiting factor is likely to be kernel address space, so if you’re eyeing PAE as a possible answer and you haven’t yet deployed the box, consider going x64 instead.

Now, here’s the other attempt I was working on, but un-fact-checked and likely subtly (or grossly) misleading – think of it as a work-in-progress lie. For the actual story, hit “Windows Internals, 4th Edition”, by Mark Russinovich and David Solomon.

I’m unlikely ever to finish this, so I figured I might as well post it for… um, well, fun, and to show I care enough to try* (for a while) 🙂


Trial #1: Intro to PAE using Sheep as an accessible metaphor


32 Bit Addressing = 386

The CPUs we know and love today are all descendants of the i386. The ‘386 was a chip that had 32 address lines, which is a techy way of saying that it could talk to up to 4GB RAM. 32 bits = 4 billion possible individual memory locations.


36 Bit Addressing = PAE

Physical Address Extension is a 36-bit addressing thingamabob that got tacked onto Pentium Pro and later CPUs.

PAE is cool, because the extra 4 bits mean that the processor can talk to a whopping 64GB of RAM, instead of the paltry 4GB that seemed so cool just ten short years ago. Heck, in ten years’ time, my phone will probably have 2GB onboard!


Enter The Sheep Metaphor


In short: each process gets a 4GB address space, and the lower 2GB is a play area unique to that process. All processes share their address space with the same kernel, which is the upper 2GB.


Let’s say that Sheep is our 32-bit Windows program. When Sheep is started by the OS, it’ll be plonked into a 2GB field in which it can play, with a small amount of nasty barbed wire near the very bottom, and a big wall with a tiny window near the top.


The Kernel memory area is another 2GB field beyond the wall, with a sign tacked to the front “All that 2GB field is yours, except this 2GB here. Attempt no grazing here.”


Any other programs you run get put in their own totally separate 2GB field (say, SkyscraperBuilder.exe) but they all see the same Kernel field. It’s a bit like the dead people in the Sixth Sense (honestly, if you haven’t seen it yet, you need to stay in more) – they can’t see each other, but the kid (Kernel Kid™?) can see them.


With me so far?


All This Could One Day Be Yours (but you have to allocate it)


Windows doesn’t just hand each process a fully allocated 2GB field of memory – (count the number of processes running on your computer at startup; now imagine having to install 2GB of RAM for each process to run!) – it gives it just enough to get it loaded, and then the process has to actually ask for what it needs.


A Sheep might only use less than 1% of its field while it’s wandering in a small area and grazing, whereas the SkyscraperBuilder is likely to try to use all the space it has available, and subsequently harangue, harass and attempt to blackmail the planning authority for more.


But at the beginning, they both believe that the field is empty, and they just start asking for memory.


Virtual Memory


Virtual memory – to cut a very, very involved story of lies and deception rather short – is how the OS manages to allow each application to request and use memory that all seems nice and contiguous to the application, but is actually “backed” by memory in a physical location elsewhere – and that “elsewhere” can be somewhere else in RAM, or on the hard disk, in the pagefile.

The Kernel address space itself is virtualized, though k-mode components are able to “look behind the curtain” if really necessary.


In a situation where you’ve got less memory than 4GB, VM means that everything gets to actually run, while having this wonderfully seemingly neat memory area to play in, and room to grow.


If you’ve got the whole 4GB (which is our theoretical maximum at this point in the discussion) and a bunch of tiny programs, everything’s going to go swimmingly.


But just flip that on its head for a second – just say your requirements were greater than 4GB. Say that the amount of memory actively used by all the programs on your computer (called the “Working Set”) exceeds 4GB. Say that all up, you really need 6GB in RAM at one time, across a bunch of processes.


The CPU can only use 4GB total… so even if you somehow drop 8GB into the machine, you’re in for some paging (hitting the hard disk to swap memory in and out of physical RAM) without PAE; the OS can only keep track of so much memory.


But Enable PAE, and whop! The CPU can now use however much RAM you’ve got in the box (up to 64GB), so less paging happens. The kernel/user split is still the same – we’re still talking 2GB user space per application and 2GB kernel space, so it’s business as usual to each process on the machine – it’s just that the virtual memory manager can now use all the RAM in the box to satisfy demand before having to go to the page file.



IE7 Beta 2 and Flickering Redrawing Desktop Stuff

Beta 2’s been absolutely stunning for me, but suddenly today my desktop icons were going nuts (er, flickering) whenever I changed tabs, or switched between an IE and a non-IE window.

I couldn’t work out what was different at first, so figured it was probably an addin… after disabling all the add-ins it was still happening, though. 

Then, I stumbled across an oddity in the menu bar: I had “Classic Menus” ticked, but they weren’t showing. I had Links unticked. This seemed weird. More weird was that trying to untick “Classic Menus” didn’t work…

Fixing it: Right-click any spot in the menu area, Untick “Lock the Toolbars”, tick Links (this will show the menus too), then untick both links and Classic Menu”. I locked the toolbars again afterwards. Menus Schmenus.

Yay! No more redraw!


ISA Server Coding Corner

The ISA Server Coding Corner (so corner-y, I didn’t know it was there)… Light on editorial, heavy on script examples.

It’s the first time I’ve seen it, so here’s the plug.

Another scripty tip: If you’re an infrequent user of the ISA Server SDK (as I am), you might find it a pain to find by a web search for “ISA Server SDK” – easy option is to search for FPCArray, and work back from there. If you can remember ISA Server = MSFPC, anyway, which isn’t totally intuitive*.

Restoring My Faith In Humanity

One of the most wonderful things about working in the computer industry is that you’re assumed to be an expert on absolutely everything to do with computers, and saying “I don’t know” about any question is taken as a personal affront by the person asking the question: obviously you know, you’re a computer person, you’re just lying to me because you don’t want to fix my computer.

My girlfriend, an ex-techie, recently called me.

The recycle bin is gone. How can I get it back?

Well, I don’t know.

Not good enough. You could work it out. If you loved me.

Given sufficient time I could rewrite all of the software ever written in history and solve any problem ever created, but I just don’t know, and I’m really busy.


Four seconds into one remote assistance session later (can you see where I found it?)

Unfortunately, while demonstrating my utter* and unfailing* superiority* this type of thing only encourages them to ask again. Sigh.

Signatures You Won’t See In Customer-Facing Emails

Dagnabbit, there’s just no room for humour when it comes to email signatures when you send stuff to a customer. Unless there is, and I’m just a humourless person. Ah. I see.

Still, this is a blog that represents my personal opinion, so I get a bit of latitude and I can post ’em here.

Here’s the shortlist of taglines I’d love to use in my .sig, but just can’t quite bring myself to do so:

  • Lonely? Buy me, I’m cheap!

  • Written on my PS3 running Linux *with a joypad*. This message is not pre-rendered.

  • Support Incident moving too slowly? My Paypal account is here.

  • Caution: Author may contain traces of nuts.


3 Simple Rules to Kerberos Authentication/Delegation SPNs

aka: “Kerbie Goes Bananas

Before starting, go get the updated SetSPN if you’re using Windows 2000 or 2003.

Kerb authentication via HTTP can be a complex and tricky sport… or so the experts would have you believe. (OK, I’m just trying to stir interest here. I promise I’ll stop). If you’re just using the default settings, it all tends to just work, but add host headers or change App Pool identity, and there are more moving parts that need attention.

This lot deals exclusively with HTTP SPNs.

Mild Disclaimer: The information below reflects my current understanding of how it works and/or is meant to work; YMMV. If you have a problem, yell.

It was pointed out to me that the rules below weren’t really rules… So let’s add a quick “You Must Learn” section here:

Those Rules I Mentioned:

  1. The SPN must match the site name
  2. The SPN must be registered against the App Pool identity (IIS6)
  3. The SPN must be registered against only one account

Now, on with the explanations…

1. What Should The SPN Look Like?

Easy to get this part wrong, so here’s the short form:


service = HTTP (for web servers)
hostname = the friendly name of the website, as configured in DNS and the site properties
port = if not the default port for the service, specify it

You need to register every host name that clients will use to connect to the server – the hostname is the name users type into the browser.

For an intranet site called intranetweb in the domain


For an MSCRM v3 site (it uses port 5555, I’m told) in the same network:


Update 17/6/2006: IE6 doesn’t currently include the port number when requesting an SPN, so registering HTTP/mscrm should do the trick for now. I’ll update this if that changes*.

Update 16/02/2007 : It changed shortly afterwards – see the following article: 908209  . I am guessing IE 7 does this right, so if you’re on the latest version or the latest hotfix, you can use the port number. If in doubt, grab a network trace.

Note: Inconsistent behaviour has been seen around port numbers with various clients (eg, .Net, IE, etc); if the port doesn’t seem to be working out for you, register an “un-ported” version as well, eg HTTP/mscrm . If I run across more info on that, I’ll update.

You’ll often register at two SPNs per site (one short name, one long name); sometimes more or less, but it’s a good rule of thumb.

Note: If using DNS CNAMEs to associate the desired name with the real host name (A record), IE prior to update 911149 will request the SPN based on the target of the CNAME, not the alias itself.

The item that you actually need to set the SPN against is explained in Rule 2:

2. Register the SPN against the App Pool Identity!

Short version: Really straightforward! While decrypting the Kerberos ticket, the IIS worker process (assuming IIS6) will be running as the relevant Application Pool’s process identity, so that identity is what the SPN needs to be registered against .

Out of the box, user-created Application Pools run as NetworkService , which means that they’re considered to be acting as the computer account .

So, if your app is running on a single box and the App Pool identity is NetworkService , you need to register the SPN against the computer account in AD.

On the other hand…

If you’re load balancing one app across a number of boxes and want to do Kerb to it, the App Pool will need to run as a domain user account (with the app SPN registered against it), because of Rule #3. You can’t have the same SPN registered against loads of accounts .

If your App Pool runs as a user account , you’ll need to register the SPN for the application against that user account .

It works like this:

SETSPN -A service/hostname:port accountname

Or if you’re using Windows 2008 or later, SETSPN -S service/hostname:port accountname. SetSPN -S is just better.


SETSPN -A HTTP/mscrm:5555 mscrmsvc              (last part is the CRM App Pool’s account)
SETSPN -A HTTP/ mscrmsvc

For an App Pool running as NetworkService on the default port:

SETSPN -A HTTP/intranetweb syd-inet-web01     (that last part’s the machine name)

Important bits: the account you’re registering against (!), and the port, if it’s not the usual port for that protocol. It’s part of what identifies a unique service instance.

3. Only One Account Gets The Service Principal Name (SPN)

This is really important – any given SPN should map to one account onlyMany SPNs can be registered against one account , though, and typically are.

If you register the same SPN against a user account and a computer account, you’ve broken it. If you register the same SPN against two user accounts, you’ve broken it . If you register an SPN once, and someone else registers the same SPN against another account at some point in the future… they’ve broken it . Be careful.

Duplicate SPNs are the bane of a Kerberos implementation. If you thought of an SPN as a Primary Key in a database, you wouldn’t be far wrong – it’s the one thing that must uniquely identify a service’s account to Kerberos. So, keep ’em unique, and we won’t have a problem here.

A Kerberos KDC (Key Distribution Center – which is any DC, in Windows 2000/2003) uses the SPN to look up a domain account, then uses information about the account that it finds to encrypt the ticket it sends back to the client. If there are duplicates, well, Bad Happen.

Finding Duplicates! Gotta Catch Them All!

If you suspect you’ve got duplicate SPNs registered, you can use one of the following techniques:

Search using LDIFDE

First, work out what fragment of your SPN is pretty likely to be unique. For an SPN like HTTP/ , I’d call the part the interesting part, and it’ll let me keep the results down to a manageable number, I hope…

LDIFDE against a Global Catalog (GC)  – search all registered SPNs for the forest:

ldifde -f spns.txt -s gcname -t 3268 -r “(ServicePrincipalName=*spnfragment*)” -l ServicePrincipalName

So, with a GC called mygc.mydomain.dom, I’d use:

ldifde -f spns.txt -s mygc.mydomain.dom -t 3268 -r”(ServicePrincipalName=**)” -l ServicePrincipalName

Then crack open the SPNS.txt file in Notepad, and you’ve got a list of accounts that have that string registered against them. Using LDAP to solve problems! How cool!

LDIFDE against a DC – search all registered SPNs in a domain (SPNs are forest-wide, so you might want to try the forest/GC technique above unless you’re in a single domain)

ldifde -f spns.txt -s dcname -r “(ServicePrincipalName=*spnfragment*)” -l ServicePrincipalName

Look at specific accounts using SetSPN

SetSPN – search for an SPN against a specific account name (not useful if you’re not sure you know which account has the SPN you’re interested in)

SETSPN -L accountname

Just Run AuthDiag

AuthDiag – part of the IIS Diagnostic Toolkit .

AuthDiag is often good for just about any authentication situation. Try it first, and be amazed at the automation.

For more info elsewhere…

There are loads of resources around on Kerberos troubleshooting, and if you’re doing Delegation or even just Kerb authentication, it’s worth your while having at least a quick skim; it’s not named after the triple-headed dog at the gates of Hell for nothing*…

Other Resources You’ll Hopefully Never Need To Read

Somewhere, my nice, simple post turned into a slightly more lengthy article, but the intent’s there*.

Good with LCS, LiveMeeting, Office Communicator? Want Gainful Employment?*

We’re hiring a TS for Unified Messaging in Melbourne – this popped up in the inbox:

Technical Specialist – Unified Communications

Be a part of one of the most exciting areas within Microsoft, the Office Unified Communications Group (UCG) – one of Microsoft’s major growth bets.  As a Regional Unified Communications  Technology Specialist you will evangelize the business value of the Microsoft UCG Products & Services and help drive knowledge of Live Meeting, Live Communications Server, Office Communicator, etc. You will provide pre-sales technical support to enable customers and partners to develop, deploy, and support UGC solutions and help drive sales with deep technical expertise, effective sales and presentation skills, and superior customer focus.

It’s a team with a bright future… IM is the future, you know. I’ve always said that**.


* Gainfulness of employment may vary.
** OK, so most recently, I said “teh intarwebs are teh future”, this is sorta a special case of that. In most cases. Sorta.

Changing the Default Browser (back to IE!?)

I’ve been using Maxthon for a long time (after switching from Avant shortly after this post). I’ve been quite happy with it.

After some positive reviews from some colleagues and friends, I decided I’d try IE7 beta 2 on my primary work machine. Yeah, I know – what was I thinking!?

Anyway… it’s good enough that I’m switching to it as my primary browser.

What tipped me? Well – it’s nice and fast, “feels” better than IE6, and… what’s the word… modern

And now they have the option to “Open tabs to the right of the current one,” I’m there. It took a little getting used to it opening tabs right, then right-of-that-right – had me checking it was turned on – but I’ve gotten used to it.

There’s even rudimentary “where I was at” support when closing IE (though if you tick “don’t bug me again” as well as “remember my tabs”, it’ll forget them. Nearly there…)

So, off into Tools, Internet Options, and the Programs tab I went, and found the “default web browser” item. I wanted to make IE the default, so I hit “Make Default”.

Only it’s sort of half worked.

There are a bunch of file associations that need to be changed when going back from Maxthon that aren’t. Windows Live Messenger, desktop shortcuts, links in email all still open Maxthon. (I still have Maxthon installed and use it, but I find IE with the Windows Live toolbar does mostly everything I need… mostly).

I’ve nutted out what IE’s not changing back – there are a bunch of “URL” entries registered as file types that are still set to Maxthon by default:

You find them from Tools, Folder Options in any file-containing folder.

You need to pick the item from the list, hit the Advanced button, click the “Open” entry under the bolded “Maxthon” entry, and hit Set Default.

The three or four I’ve tried that seemed to get it all back to IE for me are:

Internet Shortcut (on my system, a couple of entries above where the screenshot cuts off)
URL: Hypertext Transfer Protocol (and the With Privacy one)
URL: File Transfer Protocol

Then you’re done. Nice and easy.