RDP login using a personal certificate. Behind double armor


Surely many of you have already seen the abbreviation RDP: it stands for Remote Desktop Protocol. Anyone interested in the technical details of how this application-level protocol works can read up on it, starting with Wikipedia. Here we will look at the purely practical side: the protocol lets you connect remotely to computers running various versions of Windows using the “Remote Desktop Connection” tool built into Windows.

What are the pros and cons of using the RDP protocol?

Let's start with the pleasant part, the pros. The advantage is that this tool, more correctly called the RDP Client, is available to any Windows user, both on the computer from which the remote control is performed and on the computer whose owner wants to open remote access to it.

Through a remote desktop connection you can not only see the remote desktop and use the resources of the remote computer, but also attach local disks, printers, smart cards and so on to it. Of course, if you want to watch a video or listen to music via RDP, the process is unlikely to give you pleasure, because in most cases you will see a slide show and the audio will likely stutter. But the RDP service was not developed for these tasks.

Another undoubted advantage is that the connection to the computer is carried out without any additional programs, which are mostly paid, although they have their advantages. The access time to the RDP server (which is your remote computer) is limited only by your desire.

There are only two minuses. One is significant, the other not so much. The first and significant one is that for RDP to work, the computer being connected to must have a public (external, so-called “white”) IP address, or it must be possible to forward a port to this computer from a router, which in turn must have an external IP address. Whether the address is static or dynamic does not matter, but there must be one.

The second disadvantage is less significant: the latest versions of the client no longer support the 16-color scheme. The minimum is 15-bit. This greatly slows down RDP when you connect over a stunted, dead Internet link with a speed of no more than 64 kilobits per second.

What can you use remote access via RDP for?

Organizations, as a rule, use RDP servers for collaboration in the 1C program. And some even deploy user workstations on them. Thus, the user, especially if he has a traveling job, can, if he has 3G Internet or hotel/cafe Wi-Fi, connect to his workplace remotely and resolve all issues.

In some cases, home users can use remote access to their home computer to obtain some data from home resources. In principle, the remote desktop service allows you to fully work with text, engineering and graphics applications. For the reasons stated above, it won’t work with video and audio processing, but it’s still a very significant plus. You can also view resources that are closed by company policy at work by connecting to your home computer without any anonymizers, VPN or other evil spirits.

Preparing the Internet

In the previous section, we talked about the fact that to enable remote access via RDP, we need an external IP address. This service can be provided by the provider, so we call or write, or go to your personal account and arrange for the provision of this address. Ideally, it should be static, but in principle, you can live with dynamic ones.

If the terminology is unclear: a static address is constant, while a dynamic address changes from time to time. To work comfortably with dynamic IP addresses, various services have been invented that bind a domain name to a dynamic address. An article on how this works will follow soon.

Preparing the router

If your computer is connected to the Internet through a router rather than directly to the ISP cable, you will also have to do some work on that device: forward the service port, 3389. Otherwise the router's NAT simply will not let you into your home network. The same applies when setting up an RDP server in an organization. If you don’t know how to forward a port, read the article “How to forward ports on a router”, then come back here.

Preparing the computer

To make it possible to connect to a computer remotely, you need to do exactly two things:

- allow the connection in System Properties;
- set a password for the current user (if he does not have a password), or create a new user with a password specifically for connecting via RDP.

Decide for yourself what to do with the user. However, keep in mind that non-server operating systems do not natively support multiple logins. That is, if you log in as yourself locally (at the console) and then log in as the same user remotely, the local screen will be locked and the same session will open in the Remote Desktop Connection window. If you enter the password locally without exiting RDP, you will be kicked out of remote access, and you will see the current screen on your local monitor. The same thing awaits you if you log in at the console as one user and remotely try to log in as another. In this case, the system will prompt you to end the local user session, which may not always be convenient.

So, go to Start, right-click on the Computer menu and click Properties.

In System properties, select Advanced system parameters

In the window that opens, go to the Remote Access tab...

...click More...

And check the only box on this page.

This is the “home” version of Windows 7 - those who have Pro and higher will have more checkboxes and it is possible to differentiate access.

Click OK everywhere.

Now, you can go to Remote Desktop Connection (Start>All Programs>Accessories), enter the computer’s IP address or name there if you want to connect to it from your home network and use all resources.

Like this. In principle, everything is simple. If you suddenly have any questions or something remains unclear, welcome to the comments.

There are cases when, when using RDP (Remote Desktop Protocol), programs that are installed in the system tray are not visible, or errors and notifications simply are not displayed. In order to solve this problem, you can connect to the terminal server in console mode via the same RDP.

Remote Desktop Protocol or RDP is a technology for remotely connecting to a computer (server) for direct control over a local network or the Internet. I have already talked about this technology in the video tutorial “Connecting to a computer via a remote desktop”.

Using any remote administration programs to connect to the desktop directly is not always convenient, for example, if the connection is unstable or the session time is limited. So in this article we will tell you about a simple thing that some colleagues may not have known.

When you use the Windows Remote Desktop (RDP) client as a means of connecting to a computer running Windows Server 2003/2008/2012 running the Terminal Server service, you have the option of connecting to the server console. Using this option, you can log into the server as if you were sitting right in front of it, rather than creating new sessions over a network connection. The fact is that when installing some programs remotely, problems may arise that will not allow you to do this from a terminal session, so you will need to log into the server via the console.

Enable remote access on your computer.

In order to configure remote access on the target computer, the owner or administrator must follow these steps (My Computer\Properties\Remote Access Settings\Remote Access\Allow connections from computers running any version of Remote Desktop).

If you want to allow only certain users or groups of users on your network into your computer, you need to check the “Allow connections from computers running Remote Desktop with network level authentication (recommended)” checkbox.

How to connect to a remote desktop?

This is, of course, using standard Windows tools (Start\All Programs\Accessories\Remote Desktop Connection)

Or open the Run dialog (Win + R) and enter the mstsc command. This is a faster method and is used mainly by administrators and program developers, because they often have to connect to remote desktop servers.

How to connect to the remote desktop console?

To do this, enter the command in the window that appears:

Windows Server 2003 and Windows XP: mstsc /console

Windows Server 2008/2012 and Windows 7/8/8.1: mstsc /admin

Enter the name of the terminal server or computer.

And enter the credentials of a user who has rights to connect remotely.

Since RDP by default creates a virtual console, the connection does not occur to the session itself, but directly to the console (the main console-mouse/keyboard).

What's the difference between a simple remote desktop connection and a console connection?

Connecting via the console is available only to administrators and is actually equivalent to a regular login. While a simple connection via rdp is a terminal session, accordingly, software that resists running under a terminal session can work quite successfully under the console.

In the first case, a new session (mstsc) is created parallel to the existing one. In the second case, the connection is made to your desktop (within the framework of terminal licenses).

Alexander Antipov



One of the main inconveniences for the user when launching a remote desktop or application published on a terminal server is the need to enter their credentials. Previously, a mechanism to save credentials in the Remote Desktop client settings was used to solve this problem. However, this method has several significant disadvantages. For example, when changing the password periodically, it was necessary to change it manually in the terminal client settings.

In this regard, to simplify work with a remote desktop in Windows Server 2008, it became possible to use Single Sign-on (SSO) transparent authorization technology. Thanks to it, the user, when logging into the terminal server, can use the credentials he entered when logging into his local computer, from which the remote desktop client is launched.

The article provides an overview of how the Single Sign-On transparent authorization technology and the Credential Security Support Provider (CredSSP) work. The method of setting up the client and server parts is considered. A number of practical issues related to transparent authorization for remote desktop services are also covered.

Theoretical information

SSO technology allows you to save user credentials and automatically transfer them when connecting to a terminal server. Using group policies, you can define the servers for which this authorization method will be used. In this case, for all other terminal servers, login will be carried out in the traditional way: by entering a login and password.

Transparent authorization mechanisms first appeared in Windows Server 2008 and Windows Vista, thanks to the new security provider CredSSP. It allowed cached credentials to be transmitted over a secure channel (using Transport Layer Security (TLS)). Microsoft subsequently released corresponding updates for Windows XP SP3.

Let's look at this in more detail. CredSSP can be used in the following scenarios:

  • for Network Level Authentication (NLA), allowing the user to be identified before the connection is fully established;
  • for SSO, storing user credentials and passing them to the terminal.

When restoring a session within a farm, CredSSP speeds up the connection establishment process, because the terminal server determines the user without establishing a full connection (similar to NLA).

The authentication process follows this algorithm:

  • The client initiates the establishment of a secure channel with the server using TLS. The server gives it its certificate containing the name, certification authority and public key. The server certificate can be self-signed.
  • A session is established between the server and client. A corresponding key is created for it, which will subsequently participate in encryption. CredSSP uses the Simple and Protected Negotiate (SPNEGO) protocol to mutually authenticate the server and client so that each can trust each other. This mechanism allows the client and server to choose an authentication mechanism (such as Kerberos or NTLM).
  • To protect against interception, the client and server alternately encrypt the server certificate using the session key and transmit it to each other.
  • If the results of the exchange and the original certificate match, CredSSP on the client sends the user's credentials to the server.

Thus, the transmission of credentials occurs over an encrypted channel with protection against interception.

    Settings

    The CredSSP security support provider is part of the operating system and is included in Windows Vista, Windows Server 2008, Windows 7 and Windows Server 2008 R2. It can also be installed as a separate update on Windows XP SP3. This process is described in detail in the article “Description of the Credential Security Support Provider (CredSSP) in Windows XP Service Pack 3”. To install and enable CredSSP on Windows XP SP3, follow these steps.

    1. Run the registry editor regedit and go to the branch: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa.

    2. Add tspkg value to the Security Packages key

    3. Go to the registry branch: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders.

    4. Add the value credssp.dll to the SecurityProviders key (the remaining values of this key should be left unchanged).

    After CredSSP is enabled, you need to configure its use using group policies or the corresponding registry keys. To configure SSO on client computers, use group policies from the section:

    Computer Configuration\Administrative Templates\System\Credentials Delegation

    In Russian-language versions of operating systems it looks like this (Fig. 1).

    Fig. 1. Managing the transfer of credentials using group policies

    To use SSO, you must enable the policy:

    Allow delegating default credentials

    After enabling it, specify the servers for which this authorization method will be used. To do this, perform the following steps.

    In the policy editing window (Fig. 2), click the “Show” button.

    Fig. 2. Group Policy editing window

    Add the list of terminal servers (Fig. 3).

    Fig. 3. Adding a terminal server for transparent authorization

    Each server entry has the following format:

    TERMSRV/server_name

    You can also specify servers by domain mask. In this case, the entry takes the form:

    TERMSRV/*.domain_name

    If it is not possible to use group policies, the appropriate settings can be set using the Registry Editor. For example, to configure Windows XP SP3, you can use the following registry file:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
    "Security Packages"=hex(7):6b,00,65,00,72,00,62,00,65,00,72,00,6f,00,73,00,00,\
      00,6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,73,00,63,00,68,00,61,00,6e,00,\
      6e,00,65,00,6c,00,00,00,77,00,64,00,69,00,67,00,65,00,73,00,74,00,00,00,74,\
      00,73,00,70,00,6b,00,67,00,00,00,00,00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders]
    "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, credssp.dll"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation]
    "AllowDefaultCredentials"=dword:00000001
    "ConcatenateDefaults_AllowDefault"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowDefaultCredentials]
    "1"="termsrv/*.mydomain.com"

    Here, instead of mydomain.com, you should substitute the domain name. In this case, when connecting to terminal servers using a fully qualified domain name (for example, termsserver1.mydomain.com), transparent authorization will be used.

    To use Single Sign-On technology on a terminal server, you must perform the following steps.

  • Open the Terminal Services Configuration console (tsconfig.msc).
  • In the connections section, open the properties of RDP-Tcp.
  • On the “General” tab, set the security level to “Negotiate” or “SSL (TLS 1.0)” (Fig. 4).

    Fig. 4. Setting the security level on the terminal server

    At this point, the setup of the client and server parts can be considered complete.

    Practical information

    In this section, we will consider the limitations on the use of transparent authorization technology and the problems that may arise when using it.

    • Single Sign-On technology only works when connecting from computers running Windows XP SP3 or later. Computers running Windows Vista, Windows Server 2008, Windows 7 and Windows Server 2008 R2 can be used as a terminal server.
    • If the terminal server to which the connection is being made cannot be authenticated via Kerberos or an SSL certificate, SSO will not work. This limitation can be bypassed using the following policy:
      Allow delegating default credentials with NTLM-only server authentication
      The procedure for enabling and configuring this group policy is the same as described above. The registry file corresponding to this setting looks like this:

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation]
    "AllowDefCredentialsWhenNTLMOnly"=dword:00000001
    "ConcatenateDefaults_AllowDefNTLMOnly"=dword:00000001

    [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowDefCredentialsWhenNTLMOnly]
    "1"="termsrv/*.mydomain.com"

      Authentication using this method is less secure than using certificates or Kerberos.

    • If credentials for a server are saved in the terminal client settings, they have higher priority than the current credentials.
    • Single Sign-On only works when using domain accounts.
    • If the connection to the terminal server is via TS Gateway, in some cases the TS Gateway server settings may take precedence over the SSO settings of the terminal client.
    • If the terminal server is configured to prompt for user credentials every time, SSO will not work.
    • Transparent authorization technology only works with passwords. If you use smart cards, it will not work.
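An added example, not code from the article or from Microsoft: a Python check that parses a .reg export of the keys described in the “Settings” section and in the NTLM-only limitation above, decodes the hex(7) Security Packages data, and reports delegation lists that reach further than a domain mask. The sample export is constructed, and the finding codes (ANY_SERVER, TLD_MASK, NTLM_ONLY, NO_TSPKG, NO_CREDSSP) are names chosen for this example.

```python
import re

LSA = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa".upper()
PROVIDERS = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders".upper()
DELEGATION = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation".upper()

# Constructed sample export. The Lsa and SecurityProviders data are the values
# shown in the article; the "TERMSRV/*" entry and the NTLM-only policy being
# switched on are added here so that the audit has something to report.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Security Packages"=hex(7):6b,00,65,00,72,00,62,00,65,00,72,00,6f,00,73,00,00,\
  00,6d,00,73,00,76,00,31,00,5f,00,30,00,00,00,73,00,63,00,68,00,61,00,6e,00,\
  6e,00,65,00,6c,00,00,00,77,00,64,00,69,00,67,00,65,00,73,00,74,00,00,00,74,\
  00,73,00,70,00,6b,00,67,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, credssp.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation]
"AllowDefaultCredentials"=dword:00000001
"ConcatenateDefaults_AllowDefault"=dword:00000001
"AllowDefCredentialsWhenNTLMOnly"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowDefaultCredentials]
"1"="termsrv/*.mydomain.com"
"2"="TERMSRV/*"

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowDefCredentialsWhenNTLMOnly]
"1"="termsrv/*.mydomain.com"
'''


def decode_value(raw):
    """Decode the .reg value syntaxes this check needs: dword, hex(7), string."""
    raw = raw.strip()
    if raw.lower().startswith("dword:"):
        return int(raw[6:], 16)
    multi = re.match(r"hex\s*\(7\):(.*)$", raw, re.I)
    if multi:
        # REG_MULTI_SZ: UTF-16LE strings, each NUL-terminated, closed by an empty string.
        data = bytes(int(b, 16) for b in multi.group(1).split(",") if b.strip())
        return [s for s in data.decode("utf-16-le").split("\x00") if s]
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    return raw


def parse_reg(text):
    """Return {KEY_PATH_UPPER: {value_name_lower: decoded_value}}."""
    text = re.sub(r"\\[ \t]*\r?\n[ \t]*", "", text)  # join '\' continuation lines
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].upper(), {})
            continue
        m = re.match(r'"((?:[^"\\]|\\.)*)"\s*=\s*(.+)$', line)
        if m and current is not None:
            current[m.group(1).lower()] = decode_value(m.group(2))
    return keys


def audit_credssp(keys):
    """Return [(code, detail)] for the SSO settings found in a parsed export."""
    findings = []
    packages = [p.lower() for p in keys.get(LSA, {}).get("security packages", [])]
    if "tspkg" not in packages:
        findings.append(("NO_TSPKG", "tspkg missing from Lsa Security Packages"))
    providers = keys.get(PROVIDERS, {}).get("securityproviders", "")
    if "credssp.dll" not in [p.strip().lower() for p in providers.split(",")]:
        findings.append(("NO_CREDSSP", "credssp.dll missing from SecurityProviders"))
    policy = keys.get(DELEGATION, {})
    for flag in ("allowdefaultcredentials", "allowdefcredentialswhenntlmonly"):
        if policy.get(flag) != 1:
            continue
        if flag.endswith("ntlmonly"):
            # The article notes this mode is less secure than Kerberos or certificates.
            findings.append(("NTLM_ONLY", "delegation with NTLM-only server authentication is on"))
        for spn in keys.get(DELEGATION + "\\" + flag.upper(), {}).values():
            host = str(spn).partition("/")[2]
            if host in ("", "*"):
                findings.append(("ANY_SERVER", spn))   # credentials go to every server
            elif host.startswith("*.") and host.count(".") < 2:
                findings.append(("TLD_MASK", spn))     # mask covers a whole top-level domain
    return findings


if __name__ == "__main__":
    for code, detail in audit_credssp(parse_reg(SAMPLE_REG)):
        print(code, detail)
```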

    For SSO to work correctly on Windows XP SP3, it is recommended to install two fixes from KB953760: “When you enable SSO for a terminal server from a Windows XP SP3-based client computer, you are still prompted for user credentials when you log on to the terminal server”.

    In some cases, transparent authorization may or may not work on the same terminal client, depending on the profile of the connecting user. The problem is solved by re-creating the user profile. If this is too time-consuming, you can try the tips from the discussion “RemoteApp Single Sign On (SSO) from a Windows 7 client” on the Microsoft TechNet forums. In particular, it is recommended to reset Internet Explorer settings or approve the corresponding add-on for it.

    Another major limitation of SSO technology is that it does not work when running published applications through TS Web Access. In this case, the user is forced to enter credentials twice: when logging into the web interface and when authorizing on the terminal server.

    In Windows Server 2008 R2 the situation has changed for the better. More information about this can be found in the article “Introducing Web Single Sign-On for RemoteApp and Desktop Connections”.

    Conclusion

    The article discusses the technology of transparent authorization on Single Sign-On terminal servers. Its use allows you to reduce the time spent by the user to log into the terminal server and launch remote applications. In addition, with its help, it is enough to enter credentials once when logging into the local computer and then use them when connecting to terminal servers of the domain. The mechanism for transferring credentials is quite secure, and setting up the server and client parts is extremely simple.

    If the only barrier to accessing your data is a password, you are at great risk. A password can be cracked, intercepted, stolen by a Trojan, or fished out using social engineering. Not using two-factor authentication in this situation is almost a crime.

    We have already talked about one-time keys more than once. The idea is very simple. If an attacker somehow manages to obtain your login and password, he can easily access your email or connect to a remote server. But if there is an additional factor in his way, for example a one-time key (also called an OTP key), then nothing will work. Even if such a key gets into the hands of an attacker, it can no longer be used, since it is valid only once. This second factor could be an additional call, a code received via SMS, or a key generated on the phone using certain algorithms based on the current time (time is a way to synchronize the algorithm on the client and server). Google, for one, has long recommended that its users enable two-factor authentication (a couple of clicks in account settings). Now it’s time to add such a layer of protection for your services!

    What does Duo Security offer?

    A trivial example. My computer has an RDP port open to the outside for remote desktop connections. If the login password leaks, an attacker will immediately gain full access to the machine. So there was no question about whether to strengthen password protection with OTP: it simply had to be done. It would have been silly to reinvent the wheel and try to implement everything on my own, so I just looked at the solutions on the market. Most of them turned out to be commercial (more details in the sidebar), but for a small number of users they can be used for free. Just what you need for home use.

    One of the most successful services, which lets you set up two-factor authentication for literally anything (including VPN, SSH and RDP), turned out to be Duo Security (www.duosecurity.com). Part of its appeal is that the developer and founder of the project is Jon Oberheide, a well-known information security specialist. For example, he broke open the protocol Google uses to communicate with Android smartphones, through which arbitrary applications can be installed or removed. This background makes itself felt: to show the importance of two-factor authentication, the guys launched the VPN Hunter service (www.vpnhunter.com), which can quickly find a company’s unhidden VPN servers (and at the same time determine the type of equipment they run on), remote access services (OpenVPN, RDP, SSH) and other infrastructure elements that let an attacker get into the internal network simply by knowing a login and password. It's funny that on the service's official Twitter account the owners began to publish daily reports on scans of well-known companies, after which the account was banned :).

    The Duo Security service is, of course, aimed primarily at introducing two-factor authentication in companies with a large number of users. Fortunately for us, it is possible to create a free Personal account, which allows you to organize two-factor authentication for ten users for free.

    What could be the second factor?

    Next, we'll look at how to strengthen the security of your remote desktop connection and SSH on your server in literally ten minutes. But first I want to talk about the additional step that Duo Security introduces as a second authorization factor. There are several options: phone call, SMS with passcodes, Duo Mobile passcodes, Duo Push, electronic key. A little more about each.

    How long can I use it for free?

    As already mentioned, Duo Security offers a special “Personal” tariff plan. It is absolutely free, but the number of users should not be more than ten. Supports adding an unlimited number of integrations, all available authentication methods. Provides thousands of free credits for telephony services. Credits are like an internal currency that is debited from your account every time authentication occurs using a call or SMS. In your account settings, you can set it so that when you reach a specified number of credits, you will receive a notification and you will have time to top up your balance. A thousand credits cost only 30 bucks. The price of calls and SMS differs for different countries. For Russia, a call will cost from 5 to 20 credits, an SMS - 5 credits. However, nothing is charged for a call that occurs while authenticating on the Duo Security website. You can completely forget about credits if you use the Duo Mobile application for authentication - nothing is charged for it.

    Easy registration

    To protect your server using Duo Security, you need to download and install a special client that will interact with the Duo Security authentication server and provide a second layer of protection. This client differs from case to case, depending on where exactly two-factor authentication needs to be implemented. We'll talk about this below. The first thing you need to do is register in the system and get an account. So we open the main page of the site, click “Free Trial”, and on the page that opens click the “Sign up” button under the Personal account type. We are then asked to enter our first name, last name, email address and company name. You should receive an email containing a link to confirm your registration. The system will also automatically dial the specified phone number: to activate your account, you must answer the call and press the # button on the phone. After this, the account will be active and you can begin combat testing.

    Protecting RDP

    I said above that I started with a great desire to secure remote connections to my desktop. Therefore, as a first example, I will describe how to strengthen RDP security.

  • Any implementation of two-factor authentication begins with a simple action: creating a so-called integration in the Duo Security profile. Go to the “Integrations → New Integration” section, specify the name of the integration (for example, “Home RDP”), select its type “Microsoft RDP” and click “Add Integration”.
  • The window that appears displays the integration parameters: Integration key, Secret key, API hostname. We will need them later when we configure the client part. It is important to understand: no one should know them.
  • Next, you need to install a special client on the protected machine, which will install everything necessary into the Windows system. It can be downloaded from the official website or taken from our disk. Its entire setup boils down to the fact that during the installation process you will need to enter the above-mentioned Integration key, Secret key, API hostname.
  • That's all, actually. Now, the next time you log into the server via RDP, the screen will have three fields: username, password and Duo one-time key. Accordingly, it is no longer possible to log in to the system with just a login and password.
  • The first time a new user attempts to log in, they will be required to go through the Duo Security verification process once. The service will give him a special link, following which he must enter his phone number and wait for a verification call. To get additional keys (or to get them for the first time), you can enter the keyword “sms”. If you want to authenticate using a phone call, enter “phone,” if using Duo Push, enter “push.” The history of all connection attempts (both successful and unsuccessful) to the server can be viewed in your account on the Duo Security website by first selecting the desired integration and going to its “Authentication Log”.

    Connect Duo Security anywhere!

    Using two-factor authentication, you can protect not only RDP or SSH, but also VPNs, RADIUS servers, and any web services. For example, there are ready-made clients that add an additional layer of authentication to the popular engines Drupal and WordPress. If there is no ready-made client, don’t be upset: you can always add two-factor authentication for your application or website yourself using the API provided by the system. The logic of working with the API is simple - you make a request to the URL of a certain method and parse the returned response, which can come in JSON format (or BSON, XML). Complete documentation for the Duo REST API is available on the official website. I will just say that there are methods ping, check, preauth, auth, status, from the name of which it is easy to guess what they are intended for.

    Protecting SSH

    Let's consider another type of integration - "UNIX Integration" to implement secure authentication. We add another integration to our Duo Security profile and proceed to install the client on the system.

    You can download the client's source code at bit.ly/IcGgk0 or take it from our disk. I used the latest version, 1.8. By the way, the client works on most *nix platforms, so it can be easily installed on FreeBSD, NetBSD, OpenBSD, Mac OS X, Solaris/Illumos, HP-UX and AIX. The build process is standard: configure && make && sudo make install. The only thing I would recommend is to run configure with the --prefix=/usr option, otherwise the client may not find the necessary libraries when starting. After successful installation, edit the configuration file /etc/duo/login_duo.conf. This must be done as root. The only changes needed for successful operation are to set the values of Integration key, Secret key and API hostname, which can be found on the integration page.

    [duo]
    ; Duo integration key
    ikey = INTEGRATION_KEY
    ; Duo secret key
    skey = SECRET_KEY
    ; Duo API hostname
    host = API_HOSTNAME

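    To force all users logging into your server via SSH to use two-factor authentication, just add the following line to the /etc/ssh/sshd_config file (the path must match where login_duo was actually installed; with --prefix=/usr that is /usr/sbin/login_duo):

    ForceCommand /usr/local/sbin/login_duo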

    It is also possible to organize two-factor authentication only for individual users by combining them into a group and specifying this group in the login_duo.conf file:

    group = wheel

    For the changes to take effect, all you have to do is restart the ssh daemon. From now on, after successfully entering the login-password, the user will be prompted to undergo additional authentication. One subtlety of configuring ssh should be specially noted - it is strongly recommended to disable the PermitTunnel and AllowTcpForwarding options in the configuration file, since the daemon applies them before starting the second stage of authentication. Thus, if an attacker enters the password correctly, he can gain access to the internal network before the second stage of authentication is completed thanks to port forwarding. To avoid this effect, add the following options to sshd_config:

    PermitTunnel no
    AllowTcpForwarding no

    Now your server is behind a double wall and it is much more difficult for an attacker to get into it.
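An added example, not part of the original article or of Duo's client: a Python audit of sshd_config for the three settings described above, taking into account that sshd uses the first value it reads for a keyword and that a Match block can override the global section. The sample configuration, including the “Match Group backup” block, is constructed for the demonstration.

```python
import shlex

# sshd defaults for the options the article discusses (no ForceCommand by default).
DEFAULTS = {"forcecommand": None, "allowtcpforwarding": "yes", "permittunnel": "no"}

# Constructed sample: the article's three lines plus a Match block that undoes them.
SAMPLE_SSHD_CONFIG = """\
Port 22
ForceCommand /usr/local/sbin/login_duo
PermitTunnel no
AllowTcpForwarding no
# A later duplicate is ignored: sshd uses the first value it reads.
AllowTcpForwarding yes

Match Group backup
    AllowTcpForwarding yes
    ForceCommand /usr/bin/rsync --server
"""


def parse_sshd_config(text):
    """Return [(match_criteria_or_None, {keyword: value})]; global block first."""
    blocks = [(None, {})]
    for raw in text.splitlines():
        tokens = shlex.split(raw, comments=True)
        if not tokens:
            continue
        keyword, _, inline = tokens[0].partition("=")  # accepts "Keyword=value"
        args = ([inline] if inline else []) + tokens[1:]
        if keyword.lower() == "match":
            blocks.append((" ".join(args), {}))
        else:
            # Within a block the first occurrence of a keyword wins.
            blocks[-1][1].setdefault(keyword.lower(), " ".join(args))
    return blocks


def audit_sshd(blocks):
    """Return [(scope, keyword, effective_value)] for settings that let a
    password-only login skip login_duo or use forwarding before it runs."""
    findings = []
    global_settings = dict(DEFAULTS, **blocks[0][1])

    def check(scope, settings):
        command = settings["forcecommand"]
        if not command or not command.split()[0].endswith("/login_duo"):
            findings.append((scope, "forcecommand", command))
        for option in ("allowtcpforwarding", "permittunnel"):
            if settings[option].lower() != "no":
                findings.append((scope, option, settings[option]))

    check("global", global_settings)
    for criteria, overrides in blocks[1:]:
        # Keywords in a Match block override the global section for matching logins.
        check("Match " + criteria, dict(global_settings, **overrides))
    return findings


if __name__ == "__main__":
    for scope, keyword, value in audit_sshd(parse_sshd_config(SAMPLE_SSHD_CONFIG)):
        print(f"{scope}: {keyword} = {value!r}")
```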

    Additional settings

    If you log into your Duo Security account and go to the “Settings” section, you can tweak some of the settings to suit you. The first important section is “Phone calls”. This specifies the parameters that will be in effect when a phone call is used to confirm authentication. The “Voice callback keys” item allows you to specify which phone key will need to be pressed to confirm authentication. By default, the value is “Press any key to authenticate” - that is, you can press any one. If you set the value “Press different keys to authenticate or report fraud”, then you will need to set two keys: clicking on the first confirms authentication (Key to authenticate), clicking on the second (Key to report fraud) means that we did not initiate the authentication process , that is, someone has received our password and is trying to log into the server using it. The “SMS passcodes” item allows you to set the number of passcodes that one SMS will contain and their lifetime (validity). The “Lockout and fraud” parameter allows you to set the email address to which a notification will be sent in the event of a certain number of unsuccessful attempts to log in to the server.

    Use it!

    Surprisingly, many people still ignore two-factor authentication. I don't understand why. It really does greatly enhance security. It can be implemented for almost anything, and decent solutions are available for free. So why? From laziness or carelessness.

    Analogue services
    • Signify (www.signify.net) The service provides three options for organizing two-factor authentication. The first is the use of electronic keys. The second method is to use passkeys, which are sent to the user’s phone via SMS or sent by email. The third option is a mobile application for Android phones, iPhone, BlackBerry, which generates one-time passwords (essentially an analogue of Duo Mobile). The service is aimed at large companies, so it is completely paid.
    • SecurEnvoy (www.securenvoy.com) Also allows you to use your mobile phone as a second layer of security. Passkeys are sent to the user via SMS or email. Each message contains three passkeys, that is, the user can log in three times before requesting a new portion. The service is also paid, but provides a free 30-day period. A significant advantage is the large number of both native and third-party integrations.
    • PhoneFactor (www.phonefactor.com) This service allows you to organize free two-factor authentication for up to 25 users, providing 500 free authentications per month. To organize protection, you will need to download and install a special client. If you need to add two-factor authentication to your site, you can use the official SDK, which provides detailed documentation and examples for the following programming languages: ASP.NET C#, ASP.NET VB, Java, Perl, Ruby, PHP.




    
