Seen while attempting to install Windows Management Framework 5.1 on Server 2012 R2, (to upgrade PowerShell).
[box]Windows Update Standalone Installer
The update is not applicable to your computer[/box]
Solution
Well, in the end it turns out I was being a doofus! I was installing W2K12-KB3191565-x64.msu, which is for Server 2012 (NOT Server 2012 R2!). Look a bit lower down the download page, you need Win8.1AndW2K12R2-KB3191564-x64.msu.
The solution was in front of me the whole time! The same "not applicable" message also appears if the package is for the wrong architecture, or if it has already been installed, so check the OS caption and the current PowerShell version before you go hunting.
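As an added example, (not from the original post), the following PowerShell picks the right WMF 5.1 server package name for the OS it runs on, using the two file names above, checks the downloaded .msu is genuinely Microsoft-signed before it is run, and then installs it. The download folder is an assumption.

```powershell
# Added example, not part of the original post. Assumed: the .msu files were saved to C:\Temp.
$Download = 'C:\Temp'

# Map the OS caption to the WMF 5.1 package name on the download page (the two the post mentions).
function Get-Wmf51PackageName {
    $caption = (Get-CimInstance -ClassName Win32_OperatingSystem).Caption
    switch -Regex ($caption) {
        'Server 2012 R2' { 'Win8.1AndW2K12R2-KB3191564-x64.msu'; break }   # 2012 R2 shares the 8.1 package
        'Server 2012'    { 'W2K12-KB3191565-x64.msu'; break }              # plain 2012 has its own
        default          { throw "No WMF 5.1 server package known here for '$caption'" }
    }
}

# Authenticode check: 'Valid' means the chain builds to a trusted root and the file is unmodified.
function Test-MsuSignature {
    param([Parameter(Mandatory)][string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    [pscustomobject]@{
        File   = Split-Path -Path $Path -Leaf
        Status = $sig.Status
        Signer = $sig.SignerCertificate.Subject
        Ok     = ($sig.Status -eq 'Valid' -and $sig.SignerCertificate.Subject -like 'CN=Microsoft Corporation*')
    }
}

$pkg  = Get-Wmf51PackageName
$path = Join-Path -Path $Download -ChildPath $pkg
"This OS needs $pkg (currently running PowerShell $($PSVersionTable.PSVersion))"

$check = Test-MsuSignature -Path $path
$check
if (-not $check.Ok) { throw 'Refusing to install an unsigned or tampered package' }

# wusa.exe installs the .msu; /quiet /norestart so we can reboot when convenient.
$p = Start-Process -FilePath wusa.exe -ArgumentList "`"$path`" /quiet /norestart" -Wait -PassThru
"wusa exit code: $($p.ExitCode) (0 = installed, 3010 = installed, reboot required)"
```

After the reboot, `$PSVersionTable.PSVersion` should report 5.1. Exit code 3010 is the standard Windows Installer "reboot required" code; anything else means wusa rejected the package, and the event log (Setup) says why.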
Related Articles, References, Credits, or External Links
I got an email from a colleague who was setting up an RDS farm, (2012 R2). He was having some problems and asked me: "If the Connection Broker brokers the connections to the Session Hosts, how do I RDP to the Session Broker?"
This threw me completely. I usually jump on the console in VMware or use a third party remote management tool, I don't tend to RDP onto servers. I had fallen into the same trap he had. I assumed: You connect to a SESSION BROKER and it BROKERS YOUR SESSION to the least busy session host, (or reconnects your broken sessions).
THIS IS WRONG!
How Session Brokers Work
You don't connect to a session broker, (unless you are an admin who is about to do some work on the Session Broker). You connect to a DNS RECORD, and that record points to a SESSION HOST, (I know that makes no sense, but bear with me). And you create a DNS record with the SAME NAME for every Session Host, like so:
This works because, (by default) Windows DNS uses 'round robin', so if it has multiple values for one DNS name it responds with the first one to the first request, the second one to the second, and so on.
But Pete? Round Robin is Bobbins for Load Balancing? Yes it is, and that's what the Session Broker is for! In reality this is what happens;
Here are two scenarios that should clear things up. User1 queries DNS for TSFarm.my-domain.com and gets an IP of 192.168.1.1. They go to that SESSION HOST, then the session host CHECKS WITH THE CONNECTION BROKER, firstly to see if User1 already has a session on another session host; if so they are reconnected to that session, (above, that's on SESSION HOST 2).
Then User2 attempts to connect to TSFarm.my-domain.com and gets an IP of 192.168.1.2 (because of DNS 'round-robin'). They go to that SESSION HOST, then the session host CHECKS WITH THE CONNECTION BROKER, firstly to see if User2 already has a session on another session host; in this case they don't. But this host already has User1 connected to it, so it redirects User2 onto SESSION HOST 1.
Of course a user can connect to a SESSION HOST and, after checking with the CONNECTION BROKER, get connected to the host they originally queried if, (for example) the other session hosts are busier, (and the user has no existing sessions.)
But With Server 2012 You Can Do Connection Broker Load Balancing? Yes, you can, but that's high availability for the connection brokers themselves, NOT load balancing of the user sessions! The DNS round robin only spreads the FIRST hop; the even spread of sessions is the broker's job.
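As an added example, (not from the original post), this PowerShell creates the identically named A records the post describes and then queries the DNS server directly to show the round-robin rotation. The zone (my-domain.com), record name (TSFarm) and the two session host addresses are the post's; running it on the DNS server itself with the DnsServer module is an assumption.

```powershell
# Added example, not part of the original post. Assumed: run on (or with RSAT DnsServer for)
# the Windows DNS server hosting my-domain.com, as a DNS administrator.
Import-Module DnsServer

$ZoneName     = 'my-domain.com'
$FarmName     = 'TSFarm'
$SessionHosts = @('192.168.1.1', '192.168.1.2')   # one A record per RD Session Host

# Create whichever of the identically named A records are missing.
function Set-RdsFarmRecords {
    param([string]$Zone, [string]$Name, [string[]]$Addresses)
    $have = Get-DnsServerResourceRecord -ZoneName $Zone -Name $Name -RRType A -ErrorAction SilentlyContinue |
            ForEach-Object { $_.RecordData.IPv4Address.IPAddressToString }
    foreach ($ip in $Addresses) {
        if ($have -contains $ip) { continue }
        # Short TTL: a host you pull from the farm drops out of client caches within minutes.
        Add-DnsServerResourceRecordA -ZoneName $Zone -Name $Name -IPv4Address $ip -TimeToLive (New-TimeSpan -Minutes 5)
    }
    Get-DnsServerResourceRecord -ZoneName $Zone -Name $Name -RRType A
}

# Round robin is on by default, but it is a server setting that someone may have switched off.
function Test-RoundRobinEnabled {
    $rr = (Get-DnsServerSetting -All).RoundRobin
    if (-not $rr) { Write-Warning 'Round robin is DISABLED; every client will be handed the same first address' }
    return $rr
}

# Ask the server directly (no client-side cache, hosts file or LLMNR) and watch the first answer rotate.
function Show-RoundRobin {
    param([string]$Fqdn, [string]$Server, [int]$Queries = 4)
    1..$Queries | ForEach-Object {
        $answers = Resolve-DnsName -Name $Fqdn -Type A -Server $Server -DnsOnly |
                   Where-Object { $_.Type -eq 'A' }
        "Query {0}: first answer {1}   (all: {2})" -f $_, $answers[0].IPAddress, ($answers.IPAddress -join ', ')
    }
}

Set-RdsFarmRecords -Zone $ZoneName -Name $FarmName -Addresses $SessionHosts
Test-RoundRobinEnabled | Out-Null
Show-RoundRobin -Fqdn "$FarmName.$ZoneName" -Server $env:COMPUTERNAME
```

Two things that make "it doesn't rotate!" reports: the Windows DNS client caches the whole answer for the TTL, so repeated `ping` tests from one PC are not a fair test (hence `-DnsOnly` against the server above), and the server's netmask ordering (`LocalNetPriority`, on by default) will prefer a session host that sits in the querying client's subnet over one that doesn't.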
Related Articles, References, Credits, or External Links
As I've said, UAC is a good thing, it's there for a reason, but in this case I was logged onto a client's domain servers, with an administrative account, doing administration! Every time I tried to open regedit, Active Directory Users and Computers, or even a command line window, I was getting prompted.
Solution
Even if you have disabled UAC, (from the slider in Control Panel), there are some times when it does not properly 'go away'. On Server 2012 the slider's lowest setting only stops the prompts; it never switches UAC off completely. To make it stop for good you need to edit the following registry key;
[box]HKLM > SOFTWARE > Microsoft > Windows > CurrentVersion > Policies > System[/box]
Locate the 'EnableLUA' value and change it to 0 (zero).
Reboot the server, problem solved. Two caveats: EnableLUA=0 switches UAC off for everyone on that box, (every administrator runs with a full token, and on 2012/2012 R2 Modern apps stop launching), so if all you want is to stop the prompts for administrators, setting 'ConsentPromptBehaviorAdmin' to 0 in the same key does that with UAC left on. And if the prompts keep coming back after you change either value, look for a domain GPO that is re-applying the UAC settings.
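As an added example, (not from the original post), here are the three registry values behind the behaviour, with the post's fix and the less drastic alternative side by side, and a function to put the defaults back when the work is done. The key path is the one in the post; run it elevated.

```powershell
# Added example, not part of the original post. Run from an elevated PowerShell.
$UacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

function Get-UacState {
    $p = Get-ItemProperty -Path $UacKey
    [pscustomobject]@{
        EnableLUA                  = $p.EnableLUA                    # 1 = UAC (Admin Approval Mode) on
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin   # 0 = elevate admins silently, 5 = default prompt
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop        # 1 = dim the screen for prompts
    }
}

# Option A, what the post does: UAC off entirely. Needs a reboot, and applies to every account on the box.
function Disable-Uac {
    Set-ItemProperty -Path $UacKey -Name EnableLUA -Value 0 -Type DWord
}

# Option B: keep UAC on, but members of Administrators elevate without a prompt. Standard users
# are still asked for credentials exactly as before; no reboot needed for new processes.
function Set-UacSilentElevation {
    Set-ItemProperty -Path $UacKey -Name ConsentPromptBehaviorAdmin -Value 0 -Type DWord
    Set-ItemProperty -Path $UacKey -Name PromptOnSecureDesktop      -Value 0 -Type DWord
}

# Back to how Server 2012 ships: UAC on, prompt for consent for non-Windows binaries, on the secure desktop.
function Restore-UacDefaults {
    Set-ItemProperty -Path $UacKey -Name EnableLUA                  -Value 1 -Type DWord
    Set-ItemProperty -Path $UacKey -Name ConsentPromptBehaviorAdmin -Value 5 -Type DWord
    Set-ItemProperty -Path $UacKey -Name PromptOnSecureDesktop      -Value 1 -Type DWord
}

Get-UacState            # record what you started with
Set-UacSilentElevation  # or Disable-Uac, then Restart-Computer
Get-UacState
```

If `Get-UacState` shows your change reverting after a `gpupdate`, the values are being set by policy (Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options) and the local edit will never stick.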
Related Articles, References, Credits, or External Links
Thanks to Paul Sanderson for pointing this out to me.
I first saw this problem a few months ago, when I wanted to download some .bin and .pkg files from a web server running IIS, into a Cisco firewall. Then again this week I needed to get a large .iso file into a client's network, so I put it on a publicly accessible web server running IIS, and had the problem again.
Solution
On the IIS server, open Administrative Tools > Internet Information Services (IIS) Manager > drill down to the default website > locate 'MIME Types' and open them.
You will probably find there is not one for the file extension you cannot download (in this case .iso); IIS answers a 404.3 for any static file whose extension has no MIME map. Add one in > set the MIME type to;
application/octet-stream
Then re-try your download. Add only the specific extension(s) you need, (never a wildcard), add it at the site that serves the files rather than at the server level, and take the file down again when the transfer is done: anyone who can guess the path can now fetch it.
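As an added example, (not from the original post), the same change made with the WebAdministration module: the mapping is added at the site rather than server-wide, checked, and then a HEAD request confirms the file is served with the expected Content-Type. The site name and the test URL are assumptions.

```powershell
# Added example, not part of the original post. Assumed: 'Default Web Site' and a file at /files/image.iso.
Import-Module WebAdministration

$SitePath  = 'IIS:\Sites\Default Web Site'
$Extension = '.iso'
$MimeType  = 'application/octet-stream'     # generic binary: browsers save it, never try to render it

function Get-SiteMimeMap {
    param([string]$PSPath, [string]$Ext)
    Get-WebConfiguration -PSPath $PSPath -Filter "system.webServer/staticContent/mimeMap[@fileExtension='$Ext']"
}

function Add-SiteMimeMap {
    param([string]$PSPath, [string]$Ext, [string]$Type)
    if (Get-SiteMimeMap -PSPath $PSPath -Ext $Ext) { return "$Ext is already mapped at $PSPath" }
    # Written to this site's web.config, not applicationHost.config: only this site starts serving $Ext.
    Add-WebConfigurationProperty -PSPath $PSPath -Filter 'system.webServer/staticContent' -Name '.' `
        -Value @{ fileExtension = $Ext; mimeType = $Type }
    return "$Ext -> $Type added at $PSPath"
}

# Client-side confirmation: before the fix IIS returns 404 (404.3 in the site log), after it 200.
function Test-Download {
    param([string]$Url)
    try {
        $r = Invoke-WebRequest -Uri $Url -Method Head -UseBasicParsing
        "{0} {1}" -f $r.StatusCode, $r.Headers['Content-Type']
    } catch {
        "Request failed: $($_.Exception.Message)"
    }
}

Add-SiteMimeMap -PSPath $SitePath -Ext $Extension -Type $MimeType
Get-SiteMimeMap -PSPath $SitePath -Ext $Extension | Select-Object fileExtension, mimeType
Test-Download -Url 'http://web.my-domain.com/files/image.iso'
```

`Remove-WebConfigurationProperty` with the same `-Filter` and `-Name '.'` and an `-AtElement @{fileExtension='.iso'}` takes the mapping away again once the file has been collected.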
Related Articles, References, Credits, or External Links
I've had to do a rollout of Remote Desktop Services on Server 2012 R2, and publish it with Active Directory Federation Services and Web Application Proxy. I'm a little rusty on RDS and needed to deploy a few roles, so for my proof of concept I deployed RDS on TWO servers. Below is a run-through and my notes on deploying RDS ONLY (I'll put the links to other articles at the bottom of this post as I write them).
Solution
To save yourself some hassle, visit every server that will be in the Remote Desktop Services deployment, and add all the others into each other's Server Manager console, (Server Manager > All Servers > Add Servers). The deployment wizard can only pick servers that are in that pool.
Manage > Add Roles and Features > Next > Remote Desktop Services Installation > Next.
Standard Deployment. Note: If you choose Quick Start it puts all the roles on one server > Next.
Session-based desktop deployment > Next.
Next.
Select the server that will host the Connection Broker role and add it > Next.
Add the server that will host the Remote Desktop Web Access role > Next.
Add the server that will host the Remote Desktop Session Host role > Next.
Tick the ‘restart the destination server automatically if required’ > Deploy.
Finish. (Note: There will be a licensing error, we will address that in a minute).
In Server Manager > Remote Desktop Services > Overview > Note: There are two options yet to be configured, (shown in green). Select ‘RD Gateway’.
Add in the server that will host the RD Gateway role > Next.
Add in the public name of the RD Gateway server, (the name your users will connect to from outside); this will generate a self-signed certificate, (you can replace this with a proper one later).
Add.
Close
Now Add RD Licensing.
Add in the server that will host the licensing role > Next.
Add
Close
All the nodes should now be displayed.
In production you would now add your Remote Desktop Licences, If you don’t, the whole thing will run for 120 days, (though it continues to nag you about adding licences). I’m content with the 120 day licence for my test deployment. But I will still ‘Activate’ my licensing server.
Follow the instructions
Now you need to create a 'Collection'; this is a group of Session Host servers that host the applications (or desktops) you publish. Server Manager > Remote Desktop Services > Collections > Tasks > Create Session Collection.
Next.
Give the collection a name > Next.
Add in the server(s) running the RD Session Host role that will be included in this collection > Next.
Select the user groups that you want to grant access to. Here I'm simply using the Domain Users group, (for production create a dedicated group, so access to the farm is a deliberate grant rather than something every account gets) > Next.
If you want to deploy ‘profile disks’ enter a UNC path to the share > Next.
Create.
Close.
To actually publish applications, select the collection you just created > RemoteApp Programs > Tasks >Publish RemoteApp Programs.
Select the applications, (or add them in if they are not displayed) > Next.
Publish.
Note: You can change certificates from within Server Manager, (Remote Desktop Services > Overview > Tasks > Edit Deployment Properties > Certificates), but I prefer the manual approach: on the RD Gateway server > launch the IIS Manager > select the server > Server Certificates.
Import > Import your publicly signed certificate, (you can use a certificate from your own CA, but DON'T FORGET your remote clients need to trust the issuing CA and be able to reach its CRL from wherever they are; a plain self-signed certificate will simply be rejected by clients that haven't been told to trust it).
Sites > Default Web Site > Edit Bindings.
Select ‘https’ > Edit > Add in your certificate > OK > Close.
Bounce the services with an ‘iisreset‘ command.
Update 070316 You also will need to restart the Remote Desktop Services Service!
Connect to the server on the https://{FQDN}/RDWeb address, and you can check the correct certificate is used.
You should now be able to log into Remote Desktop Services Web Access.
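As an added example, (not from the original post), the same standard deployment done with the RemoteDesktop PowerShell module, which is what Server Manager drives underneath, including the certificate step in the form that sets all four roles at once so no IIS bindings or `iisreset` are needed. All server names, the public name, the group and the PFX path are assumptions.

```powershell
# Added example, not part of the original post. Assumed layout: a separate broker, one server
# carrying RD Web Access and RD Gateway, two session hosts. Run on the broker as a domain admin
# after all the servers are in Server Manager's All Servers pool.
Import-Module RemoteDesktop

$Broker  = 'rds-cb.my-domain.com'
$WebGw   = 'rds-gw.my-domain.com'
$Hosts   = @('rds-sh1.my-domain.com', 'rds-sh2.my-domain.com')
$Public  = 'remote.my-domain.com'                 # what clients type; must be on the certificate
$PfxPath = 'C:\Certs\remote.my-domain.com.pfx'
$PfxPass = Read-Host -AsSecureString -Prompt 'PFX password'

# "Standard Deployment": broker + web access + session host(s) in one call.
New-RDSessionDeployment -ConnectionBroker $Broker -WebAccessServer $WebGw -SessionHost $Hosts

# The two green boxes on the overview page: Gateway (with its external name) and Licensing.
Add-RDServer -Server $WebGw  -Role RDS-GATEWAY   -ConnectionBroker $Broker -GatewayExternalFqdn $Public
Add-RDServer -Server $Broker -Role RDS-LICENSING -ConnectionBroker $Broker
Set-RDLicenseConfiguration -LicenseServer $Broker -Mode PerUser -ConnectionBroker $Broker -Force

# Collection: a dedicated group rather than Domain Users, so access is an explicit grant.
New-RDSessionCollection -CollectionName 'Test Collection' -SessionHost $Hosts -ConnectionBroker $Broker
Set-RDSessionCollectionConfiguration -CollectionName 'Test Collection' -UserGroup 'MY-DOMAIN\RDS-Users' `
    -ConnectionBroker $Broker

# Publish a RemoteApp (Calculator is just a placeholder to prove the pipeline works).
New-RDRemoteApp -CollectionName 'Test Collection' -DisplayName 'Calculator' `
    -FilePath 'C:\Windows\System32\calc.exe' -ConnectionBroker $Broker

# One certificate, applied to every role by the broker.
foreach ($role in 'RDGateway', 'RDWebAccess', 'RDPublishing', 'RDRedirector') {
    Set-RDCertificate -Role $role -ImportPath $PfxPath -Password $PfxPass -ConnectionBroker $Broker -Force
}

# Check: every role should show Level 'Trusted' and the public name as the subject.
function Get-RdsCertificateSummary {
    param([string]$ConnectionBroker)
    Get-RDCertificate -ConnectionBroker $ConnectionBroker | Format-Table -AutoSize
}
Get-RdsCertificateSummary -ConnectionBroker $Broker
```

`Level` is the broker's own verdict on the certificate: 'Untrusted' there means the broker can't build a chain to a trusted root, which is the same failure your external clients would see, so fix it before testing from outside.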
Related Articles, References, Credits, or External Links
I had just built a Windows Server 2012 R2 server, and needed to download some updates. When I went to Microsoft to get them, this is what I got;
[box]Javascript is disabled. Please enable javascript and refresh the page.[/box]
Solution
All you should need to do is disable IE ESC > Server Manager > Local Server > IE Enhanced Security Configuration > Turn it off, (Note: Here I'm just doing that for administrators, and leaving it on for users).
This should fix the problem;
If not check your IE settings.
Disclaimer: You should turn this back on again, remember it’s a server, you should be browsing from your client PC.
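As an added example, (not from the original post), here is the same toggle scripted so that turning IE ESC back on afterwards, as the disclaimer asks, is one line rather than something you forget. The two Active Setup component GUIDs are the ones Windows uses for the administrators and users halves of IE ESC; run it elevated.

```powershell
# Added example, not part of the original post. Run from an elevated PowerShell on the server.
$IeEscAdmin = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}'
$IeEscUser  = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}'

function Get-IeEsc {
    [pscustomobject]@{
        Administrators = [bool](Get-ItemProperty -Path $IeEscAdmin).IsInstalled
        Users          = [bool](Get-ItemProperty -Path $IeEscUser).IsInstalled
    }
}

function Set-IeEsc {
    param([bool]$Administrators, [bool]$Users)
    Set-ItemProperty -Path $IeEscAdmin -Name IsInstalled -Value ([int]$Administrators) -Type DWord
    Set-ItemProperty -Path $IeEscUser  -Name IsInstalled -Value ([int]$Users)          -Type DWord
    # Running IE windows keep the old zone settings; start a fresh one after the change.
    Get-Process -Name iexplore -ErrorAction SilentlyContinue | Stop-Process -Force
}

Get-IeEsc                                        # before: both True on a fresh server
Set-IeEsc -Administrators $false -Users $true    # admins off, users still hardened
# ... fetch the updates ...
Set-IeEsc -Administrators $true  -Users $true    # and put it back
Get-IeEsc
```

Server Manager reads the same two values, so its Local Server page will show "Off" for administrators until the second `Set-IeEsc` runs.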
Related Articles, References, Credits, or External Links
I was working on some Server 2012 R2 servers this morning, and every time I tried to launch IE, instead of the normal desktop IE 11, it stubbornly kept opening the full-screen IE app.
Solution
Hit the Windows key > Type in ‘internet options’ > make the following changes;
Programs Tab > Opening Internet Explorer > Select ‘Always in Internet Explorer on the desktop’ > Apply > OK.
Related Articles, References, Credits, or External Links
ESXi comes with a self-signed certificate, and for most people that's fine, but some clients want to have a 'trusted' certificate on theirs, and have their own PKI infrastructure for issuing them.
Below I will generate a new certificate for my ESXi server using the Active Directory Certificate Services role on Windows Server 2012, then replace the self-signed certificate with my new one.
Solution
Generating a Certificate Request From the ESXi Server
1. Before we start there are a couple of hoops to jump through. On a Windows machine (it does not matter which one), install the following two pieces of software;
Microsoft Visual C++ 2008 Redistributable Package (x86) and the Shining Light Productions installer for OpenSSL x86 version 0.9.8r (or later).
Accept all the defaults and it should install to C:\OpenSSL-Win32. Go there, and in the bin directory make a backup of the openssl.cfg file.
2. Open the original openssl.cfg file and delete everything out of it, then paste in the following text, replace the values in red with your own, and save the file. (The common name must be the FQDN you browse to the host with; current browsers also expect that name in a subjectAltName extension, so put it in the request rather than relying on the CN alone.)
You will notice rui.csr has been created in the bin directory; this is the file you need to request your certificate. If you open the file with Notepad you can copy the text.
Submit the Certificate Request and Get an ESX Certificate From a Windows CA
4. Open the web console of your certificate services server (it needs to be running the Certification Authority Web Enrollment role). The URL is usually http://{servers IP or Name}/Certsrv. Select ‘Request a certificate’.
5. Advanced certificate request.
6. Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.
7. Paste in the text from your csr file (with no extra spaces!). Set the Certificate Template to ‘Web Server’ (the default lifetime for the Web Server template is 2 years. If you require longer, I suggest you clone the Web Server Template, change the lifetime and republish it in Active Directory Certificate Services).
8. Base 64 encoded> Download certificate.
9. Save the file as rui.cer and put it in the bin directory.
10. ESX needs the certificate as a PEM-encoded X.509 file called rui.crt, so open a command window and execute the following commands, (add -inform DER to the openssl line if you downloaded the DER/binary version rather than Base 64);
[box]
cd C:\OpenSSL-Win32\bin
openssl x509 -in rui.cer -out rui.crt
[/box]
12. Connect to the ESX host via SSH, and make a backup of the current keys (just in case).
[box]
cd /etc/vmware/ssl
mv rui.crt backup.rui.crt
mv rui.key backup.rui.key
[/box]
13. Using WinSCP copy the rui.crt and the rui.key files from the bin directory to the /etc/vmware/ssl directory on your ESX host. WARNING: Set the copy type to 'Text' or ASCII or you may get some strange results. Remember rui.key is the host's private key: move it over SCP/SFTP only, keep the permissions on the host tight, and delete the copy left on the Windows machine once the host is working.
14. Then either restart the management agents, or from your SSH session execute the following command;
[box]/sbin/services.sh restart[/box]
15. The simplest way to check is to browse to the FQDN of your ESX host (the same name you used as the common name in step 2), and take a look at the certificate; the issuer should now be your CA, and a client that trusts that CA should get no warning.
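As an added example, (not from the original post), the OpenSSL side of the procedure scripted on the Windows machine: a request config that carries the host name as a subjectAltName, key and CSR generation, the PEM conversion, a check that the issued certificate actually belongs to the key before anything is copied to the host, and a function that reads back what the host presents on port 443 so you can compare before and after. OpenSSL's path is the post's; the host name, IP address and DN values are assumptions.

```powershell
# Added example, not part of the original post. Assumed: OpenSSL at C:\OpenSSL-Win32\bin,
# host esx1.my-domain.com at 192.168.1.50, CA response saved as rui.cer in the bin directory.
$OpenSsl = 'C:\OpenSSL-Win32\bin\openssl.exe'
$Work    = 'C:\OpenSSL-Win32\bin'
$Fqdn    = 'esx1.my-domain.com'
$Ip      = '192.168.1.50'

# Request config: CN is the name you browse to, and the same name (plus the IP) goes in the SAN.
function New-EsxRequestConfig {
    param([string]$Path, [string]$HostName, [string]$IPAddress)
@"
[ req ]
default_bits       = 2048
default_md         = sha256
prompt             = no
distinguished_name = dn
req_extensions     = v3_req
[ dn ]
C  = GB
O  = My-Domain
CN = $HostName
[ v3_req ]
subjectAltName = DNS:$HostName, IP:$IPAddress
"@ | Set-Content -Path $Path -Encoding Ascii
}

function New-EsxCsr {
    & $OpenSsl req -new -nodes -newkey rsa:2048 -config "$Work\rui.cfg" -keyout "$Work\rui.key" -out "$Work\rui.csr"
    & $OpenSsl req -in "$Work\rui.csr" -noout -subject      # eyeball the subject before submitting it
}

# ESXi wants PEM; append -inform DER here if the CA gave you the binary download instead of Base 64.
function Convert-EsxCertificate {
    & $OpenSsl x509 -in "$Work\rui.cer" -out "$Work\rui.crt"
}

# A certificate issued for some other key will stop hostd starting; compare the RSA modulus of both.
function Test-KeyMatchesCertificate {
    $keyMod  = & $OpenSsl rsa  -noout -modulus -in "$Work\rui.key"
    $certMod = & $OpenSsl x509 -noout -modulus -in "$Work\rui.crt"
    return ($keyMod -eq $certMod)
}

# What the host really presents on 443. Validation is deliberately bypassed so it can read the old
# self-signed certificate as well as the new one; this is for inspection, not for trusting anything.
function Get-PresentedCertificate {
    param([string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{ Subject = $cert.Subject; Issuer = $cert.Issuer; NotAfter = $cert.NotAfter; Thumbprint = $cert.Thumbprint }
    } finally { $tcp.Close() }
}

Get-PresentedCertificate -HostName $Fqdn            # the self-signed one, before the swap
New-EsxRequestConfig -Path "$Work\rui.cfg" -HostName $Fqdn -IPAddress $Ip
New-EsxCsr
# Submit rui.csr to the CA (steps 4-9), save the Base 64 result as rui.cer, then run the rest:
if (Test-Path "$Work\rui.cer") {
    Convert-EsxCertificate
    if (-not (Test-KeyMatchesCertificate)) { throw 'rui.crt was not issued for rui.key; do not copy it to the host' }
    # copy rui.key and rui.crt to /etc/vmware/ssl, restart the agents (steps 12-14), then:
    Get-PresentedCertificate -HostName $Fqdn        # should now show Issuer = your CA
    # Remove-Item "$Work\rui.key"                   # once the host is happy, the key has no business staying here
}
```

The 'Web Server' template used in step 7 lets the requester supply the subject, and the CA copies the SAN extension from the CSR with it, which is why the name goes in the request. Do NOT be tempted to reach for the CA's EDITF_ATTRIBUTESUBJECTALTNAME2 flag to get SANs instead: that lets anyone who can enrol ask for any name they like.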
Related Articles, References, Credits, or External Links
I was trying to enroll some ASA firewalls to NDES to get some certificates. Each time the process failed with the following error.
[box]
% Error in receiving Certificate Authority certificate: status = FAIL, cert length = 0[/box]
That’s a pretty generic error, and does not give me a lot to go on. So I thought I would try from another network device, (a Cisco Catalyst switch). It’s a little easier to ‘debug’ the process in IOS rather than on the ASA, so that’s what I did.
[box]
Enable NDES Debugging
Petes-Router# debug crypto pki messages
Crypto PKI Msg debugging is on
Petes-Router# debug crypto pki transactions
Crypto PKI Trans debugging is on
Petes-Router#
[/box]
The switch failed with the same error as the firewall but at least now I had some debugging information.
[box]
Petes-Router# show logg
Jan 4 10:31:11.818: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/21,
changed state to up
Jan 4 10:32:40.648: CRYPTO_PKI: pki request queued properly
Jan 4 10:32:40.648: CRYPTO_PKI: Sending CA Certificate Request:
GET /CertSrv/mscep/mscep.dll/pkiclient.exe?operation=GetCACert&message=PNL-Trustpoint HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Cisco PKI)
Host: 192.168.1.100
Jan 4 10:32:40.648: CRYPTO_PKI: locked trustpoint PNL-Trustpoint, refcount is 1
Jan 4 10:32:40.656: CRYPTO_PKI: http connection opened
Jan 4 10:32:40.656: CRYPTO_PKI: Sending HTTP message
Jan 4 10:32:40.656: CRYPTO_PKI: Reply HTTP header:
HTTP/1.0
User-Agent: Mozilla/4.0 (compatible; MSIE 5.0; Cisco PKI)
Host: 192.168.1.100
Jan 4 10:32:40.656: CRYPTO_PKI: unlocked trustpoint PNL-Trustpoint, refcount is 0
Jan 4 10:32:40.656: CRYPTO_PKI: locked trustpoint PNL-Trustpoint, refcount is 1
Jan 4 10:32:40.673: CRYPTO_PKI: unlocked trustpoint PNL-Trustpoint, refcount is 0
Jan 4 10:32:40.673: CRYPTO_PKI: Reply HTTP header:
HTTP/1.1 200 OK
Content-Length: 7946
Content-Type: application/x-x509-ca-ra-cert
Server: Microsoft-IIS/8.5
Date: Wed, 07 Jan 2015 10:30:36 GMT
Connection: close
Content-Type indicates we have received CA and RA certificates.
Jan 4 10:32:40.673: CRYPTO_PKI:crypto_process_ca_ra_cert(trustpoint=PNL-Trustpoint)
Jan 4 10:32:40.673: CRYPTO_PKI: status = 0x722(E_SIGNATURE_ALG_NOT_SUPPORTED :
signature algorithm not supported):crypto_certc_pkcs7_extract_certs_and_crls failed
Jan 4 10:32:40.673: CRYPTO_PKI: status = 0x722(E_SIGNATURE_ALG_NOT_SUPPORTED :
signature algorithm not supported): crypto_pkcs7_extract_ca_cert returned
Jan 4 10:32:40.673: CRYPTO_PKI: Unable to read CA/RA certificates.
Jan 4 10:32:40.673: %PKI-3-GETCARACERT: Failed to receive RA/CA certificates.
Jan 4 10:32:40.673: CRYPTO_PKI: transaction GetCACert completed
Petes-Router#
[/box]
So we are getting the CA cert and the RA cert from the NDES server but we can’t read them.
Here’s the slightly less descriptive debug from the ASA firewall.
[box]
Petes-ASA(config)# debug crypto ca transactions
Petes-ASA(config)# crypto ca authenticate PNL-Trustpoint
ERROR: receiving Certificate Authority certificate: status = FAIL, cert length = 0
Petes-ASA(config)# show logg
crypto_certc_pkcs7_extract_certs_and_crls failed (1826):
crypto_certc_pkcs7_extract_certs_and_crls failed
CRYPTO_PKI:crypto_pkcs7_extract_ca_cert returned 1826
Petes-ASA(config)#
[/box]
Solution
I really struggled with this one. The bottom line is the Cisco device can't read the certificates, and the reason it can't is actually shown above;
E_SIGNATURE_ALG_NOT_SUPPORTED
What this is telling us is that the signature algorithm Windows Certificate Services is using cannot be understood by the Cisco network devices. At first I thought it might be because I was using Windows Server 2012 R2, and it might have some new security feature.
So I built a test server in VMware Workstation, and presented an ASA and router to it from GNS3, and it worked first time, (annoyingly). When I looked at the certificates and compared them, and took into account the debug above, I spotted the difference.
If the signature algorithm is set to sha1RSA it works; if it's set to RSASSA-PSS it fails. The difference is the RSA padding scheme, (PKCS#1 v1.5 versus PSS), not the hash: sha256RSA is also a PKCS#1 v1.5 signature, and is the one to pick over sha1RSA where your IOS/ASA version supports SHA-256. To compound my problem even further I have a three tier PKI deployment with an offline root, intermediate (Sub CA), and an issuing CA (Sub CA). And the signature algorithm needs to be correct for EVERY CERTIFICATE IN THE CERTIFICATE PATH (CHAIN).
Why Has This Happened?
Basically when the offline root was created, I followed the instructions for deploying an offline CA as per the instructions on Technet. Before you even install the role, Microsoft recommend you create a CApolicy.inf file with the following line in it;
[box]AlternateSignatureAlgorithm=1[/box]
It says that this signature algorithm is more secure, but it's not compatible with Windows XP. What IT DOES NOT SAY is that it's incompatible with Cisco devices wanting to get certificates from NDES!
Note: Executing the following command also enables this;
From this point forward, all new certificates issued by this CA will use the older signature algorithm. So if you renew the CA Certificate the new one will be fine.
WARNING: When renewing the CA Cert MAKE SURE YOU DO NOT generate new keys (or previously issued certificates may stop working!)
If you only have one certificate server you can then simply remove NDES.
When NDES is reinstalled the new RA certs will use the correct signature algorithm.
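As an added example, (not from the original post), the following PowerShell fetches the same GetCACert response the Cisco device asks NDES for, decodes the PKCS#7 in it, and reports the signature algorithm of every certificate in every chain, so an RSASSA-PSS signature at any tier shows up before a device trips over it. The CA-side fix is listed at the end as certutil commands, which are from the standard certutil syntax rather than from the post. The NDES address is the one in the debug output; running from a domain member that trusts the PKI (so the chains build) is an assumption.

```powershell
# Added example, not part of the original post. Assumed: NDES at 192.168.1.100, run on a domain
# member that trusts the root so X509Chain can walk the whole path.
Add-Type -AssemblyName System.Security

$NdesServer = '192.168.1.100'
$GetCaCert  = "http://$NdesServer/CertSrv/mscep/mscep.dll/pkiclient.exe?operation=GetCACert&message=ca"

# Same request the router made (operation=GetCACert); the body is a certs-only PKCS#7 with CA + RA certs.
function Get-NdesCaRaCertificates {
    param([string]$Uri)
    $wc    = New-Object System.Net.WebClient
    $bytes = $wc.DownloadData($Uri)
    $ctype = $wc.ResponseHeaders['Content-Type']
    if ($ctype -ne 'application/x-x509-ca-ra-cert') { throw "Unexpected Content-Type: $ctype" }
    $cms = New-Object System.Security.Cryptography.Pkcs.SignedCms
    $cms.Decode($bytes)
    return $cms.Certificates
}

# One row per certificate in each chain; PssSigned marks the ones IOS/ASA of this vintage cannot verify.
function Get-ChainSignatureAlgorithms {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2[]]$Certificates)
    foreach ($cert in $Certificates) {
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'      # we are inspecting algorithms, not validity
        $null = $chain.Build($cert)
        foreach ($el in $chain.ChainElements) {
            $alg = $el.Certificate.SignatureAlgorithm
            [pscustomobject]@{
                Leaf      = $cert.GetNameInfo('SimpleName', $false)
                Subject   = $el.Certificate.GetNameInfo('SimpleName', $false)
                Algorithm = $alg.FriendlyName                       # e.g. sha1RSA, sha256RSA, RSASSA-PSS
                PssSigned = ($alg.Value -eq '1.2.840.113549.1.1.10') # id-RSASSA-PSS
            }
        }
    }
}

$rows = Get-ChainSignatureAlgorithms -Certificates (Get-NdesCaRaCertificates -Uri $GetCaCert)
$rows | Format-Table -AutoSize
$bad = $rows | Where-Object PssSigned | Select-Object -ExpandProperty Subject -Unique
if ($bad) { Write-Warning "Re-issue with PKCS#1 v1.5 signatures, top of the chain first: $($bad -join ', ')" }

# Fix, on each affected CA in turn (root first, then each subordinate once its new cert is installed):
#   certutil -setreg ca\csp\AlternateSignatureAlgorithm 0
#   net stop certsvc && net start certsvc
#   certutil -renewCert ReuseKeys     # new CA certificate on the SAME keys, so issued certs keep validating
# then remove and reinstall NDES so its RA certificates are re-issued under the new setting.
```

The hash is a separate setting from the padding: `ca\csp\CNGHashAlgorithm` controls SHA-1 versus SHA-256, and `AlternateSignatureAlgorithm` only controls PSS, so you can (and should) end up with sha256RSA rather than going back to sha1RSA. Note `GetNameInfo` shows only the CN; the full subject is in `$el.Certificate.Subject` if two CAs share a name.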
What If You Have a Two or Three Tier PKI Deployment
If like me you have a multi tiered PKI deployment, you need to go all the way back to the Root CA > Fix that > Reissue all the Sub CA certs down the certificate path fixing each tier as you go.
Here's the process I used, (use at your own risk, and I accept no responsibility if you trash your PKI environment).
Related Articles, References, Credits, or External Links
Firstly, the lock screen is there for a valid security reason, so I would not advocate doing this on a production network. But on my test network when I’m jumping between multiple servers all the time, it’s annoying to have to press CTRL+ALT+DELETE and tap the password in, each time I change console sessions.
Solution
In older versions of Windows you could simply go to the following registry key;