Azure Pass-through Authentication

KB ID 0001642

Problem

I’ve never really taken the time to look at pass-through authentication: I set up Azure AAD sync, then I either use ADFS or I don’t. It was only when looking at removing ADFS that I even considered it as an option.

How does Pass-through Authentication Work?

  1. Remote client attempts to authenticate to Office 365 (Azure Active Directory).
  2. Azure queues the request and sends it to an on-prem Azure Authentication Agent, of which there may be many. Note: requests are load balanced across the agents.
  3. The Azure Authentication Agent checks the authentication request against the local Active Directory.
  4. The Azure Authentication Agent sends its response back to Azure Active Directory.
  5. The client is authenticated (or denied!).

Why is that Good?

Well, you don’t need to deploy ADFS or WAP. The agent only needs HTTPS (outbound) open on the firewall. Note: If you have a proxy server, there are some URLs you need to allow. And because passwords are checked against your local Active Directory, you don’t need to wait for the default 30 minute AAD replication cycle for password changes to take effect, etc.

Solution

I’m assuming you already have Azure AD sync set up and running (simply accept ‘Express settings’ and all the defaults). Once you have your local AD replicated to Azure, you can switch over to pass-through authentication.

Open Azure AD Sync > Configure > Change user sign-in > Proceed to ‘User sign-in’ > Pass-through authentication > Finish the wizard.

What happens is the ‘first’ Azure Authentication Agent is installed on the Azure AD Connect server > Force an AAD sync > Then look in your Azure Portal > Azure Active Directory > Azure AD Connect > Pass-through authentication > You should see your first agent.

You can select it and check its details. Note: You can download the Azure Authentication Agent software from this page, so you can deploy additional Azure Authentication Agents.

The additional agents are simple to deploy, though they will require you to authenticate to Azure.

They will appear one at a time as they are deployed.

Related Articles, References, Credits, or External Links

NA

VMware Converter ‘Unable to Connect to the Network Share’

KB ID 0001583

Problem

I don’t think I’ve ever run the VMware Standalone Converter without at least one error message or popup complaining about something! Today I was trying to convert a client’s old Windows Server 2003 document management server, and when trying to deploy the agent this happened;

Unable to connect to the network share ‘\\{Server-name-or-IP}\ADMIN$’.

Solution

It’s a pretty descriptive error: can you map a drive to this machine and open a network share manually? Is the ‘Server’ service running? In my case the problem was easily diagnosed;

The Windows 2003 target only talks SMBv1, and I wasn’t about to start enabling SMBv1 on the client’s Windows 2019 server! So I simply installed the VMware Standalone Converter on one of their existing 2008 member servers instead, and ran it from there.
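The checks described above (can you reach the share, is the Server service running, and is SMBv1 the real blocker), as an added PowerShell example that is not part of the original article. It is run on the machine hosting the Standalone Converter; the target name is an assumed placeholder, and the feature names queried in the last step are assumed for Windows Server 2012 R2 and later.

```powershell
# Added example (not from the original article): run on the machine hosting
# the Standalone Converter to find out why '\\target\ADMIN$' is refused,
# without enabling SMBv1 anywhere. Assumptions: $Target is a placeholder,
# you have admin rights on it, and this host is Windows Server 2012 or later
# (NetTCPIP / SmbShare / ServerManager cmdlets).
$Target = 'OLDSERVER2003'   # assumed target name or IP

# 1. Is the target's SMB port even reachable (name resolution, firewall)?
$tcp = Test-NetConnection -ComputerName $Target -Port 445 -WarningAction SilentlyContinue
'TCP 445 to {0}: {1}' -f $Target, $(if ($tcp.TcpTestSucceeded) { 'open' } else { 'blocked / no answer' })

# 2. Is the 'Server' service (LanmanServer) running on the target? Uses RPC.
try {
    $svc = Get-Service -ComputerName $Target -Name LanmanServer -ErrorAction Stop
    'Server service on {0}: {1}' -f $Target, $svc.Status
} catch {
    'Could not query services on {0}: {1}' -f $Target, $_.Exception.Message
}

# 3. Try ADMIN$ itself and, if it opens, show the SMB dialect negotiated.
#    A Windows 2003 target can only speak SMB 1.x, so if this host's SMB1
#    client is removed the session fails before permissions are checked.
try {
    Get-ChildItem -Path "\\$Target\ADMIN$" -ErrorAction Stop | Out-Null
    Get-SmbConnection -ServerName $Target | Select-Object ServerName, ShareName, Dialect
} catch {
    'ADMIN$ on {0} not accessible: {1}' -f $Target, $_.Exception.Message
}

# 4. State of the SMB1 client feature on THIS host (feature names assumed
#    for Server 2012 R2 and later). If it is 'Removed', do what the article
#    does: run the converter from a host that still has SMB1, rather than
#    switching it back on here.
Get-WindowsFeature -Name 'FS-SMB1*' | Select-Object Name, InstallState
```

If step 1 succeeds and step 2 shows the Server service running but step 3 still fails, the dialect mismatch is the likely cause, and the fix is the one in the article: move the converter to a host that can still talk SMBv1 rather than re-enabling it on the 2019 server.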

Related Articles, References, Credits, or External Links

SMB1 Is Dead? (Unfortunately Not Yet)

VMware Converter – Unable to Deploy Agent

VMware Converter – Unable to Deploy Agent

KB ID 0001345

Problem

I still think P2V conversions are cool, and I’ve been doing them since version 3! It seems though that every time I try and do one with the standalone converter I get this error;

VMware vCenter Converter Standalone
Unable to complete installation/uninstallation of converter agent on ‘{target}’

Solution

I always spend five minutes messing with firewalls, checking remote registry services and credentials, and the fix is nearly always the same;

Locate VMware-Converter-Agent.exe in C:\Program Files (x86)\VMware\VMware vCenter Converter Standalone, copy it to the target machine, and install it manually. Then try the conversion again.

If it gets this far, your problem is solved.

Related Articles, References, Credits, or External Links

NA

VMware View – Using Persona Management

KB ID 0000615 

Problem

Persona Management is the VMware version of “Roaming Profiles” and “Redirected Folders” rolled into one, though the redirected folders bit is a lot easier to set up and less problematic than the Microsoft Folder Redirection policy.

It’s handy if you’re using floating pools but still want your users to have a persistent user interface. Having these files centrally makes them easier to back up, and the more your users can customise their desktops and settings, the better their level of equipment husbandry.

Solution

Create a “Roaming Profile” Network share with the correct permissions

1. On a network accessible server, create a folder and set the SHARE permissions as follows;

Share Permissions

Everyone = Read. Domain Users = Full Control.

Note: You may also want to DISABLE Caching on this folder.

2. Stop inheritable permissions from propagating to the folders and set the security permissions as follows;

Security / NTFS Permissions

Creator Owner (Subfolders and Files Only) = Full Control.
Domain Users (This Folder Only) = List Folder/Read Data and Create Folders/Append Data.
System (This Folder, Subfolders and Files) = Full Control.
Everyone = No Permissions.

Note: I’m using domain users, you might have a different security group that you want to substitute.
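Steps 1 and 2 above, as an added PowerShell example that is not part of the original article: it creates the share with the share permissions described, disables caching on it, stops inheritance, and applies exactly the NTFS entries listed. The folder path, share name and the ‘CONTOSO\Domain Users’ group are assumed placeholders, and the SmbShare cmdlets assume Windows Server 2012 or later.

```powershell
# Added example (not from the original article): builds the Persona
# Management repository share with the share and NTFS permissions from
# steps 1 and 2 above. Assumed values: the folder path, share name and the
# 'CONTOSO\Domain Users' group. Needs Windows Server 2012 or later (SmbShare
# module) and an elevated prompt on the file server.
$Path      = 'D:\PersonaProfiles'       # assumed folder
$ShareName = 'Persona$'                 # assumed (hidden) share name
$UsersGrp  = 'CONTOSO\Domain Users'     # substitute your own group

New-Item -ItemType Directory -Path $Path -Force | Out-Null

# Step 1: share permissions. Everyone = Read, Domain Users = Full Control,
# and client-side caching (offline files) disabled as the note suggests.
New-SmbShare -Name $ShareName -Path $Path -ReadAccess 'Everyone' `
             -FullAccess $UsersGrp -CachingMode None | Out-Null

# Step 2: stop inherited permissions propagating (discard them rather than
# copy them), clear any explicit entries, then add only the entries listed.
$acl = Get-Acl -Path $Path
$acl.SetAccessRuleProtection($true, $false)
foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRule($ace) }

function New-Ace {
    param(
        [string]$Identity,
        [System.Security.AccessControl.FileSystemRights]$Rights,
        [System.Security.AccessControl.InheritanceFlags]$Inherit,
        [System.Security.AccessControl.PropagationFlags]$Propagate
    )
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
               -ArgumentList $Identity, $Rights, $Inherit, $Propagate, 'Allow'
}

# Creator Owner (Subfolders and Files Only) = Full Control
$acl.AddAccessRule((New-Ace 'CREATOR OWNER' 'FullControl' 'ContainerInherit,ObjectInherit' 'InheritOnly'))
# Domain Users (This Folder Only) = List Folder/Read Data + Create Folders/Append Data
$acl.AddAccessRule((New-Ace $UsersGrp 'ListDirectory,CreateDirectories' 'None' 'None'))
# System (This Folder, Subfolders and Files) = Full Control
$acl.AddAccessRule((New-Ace 'NT AUTHORITY\SYSTEM' 'FullControl' 'ContainerInherit,ObjectInherit' 'None'))
# Everyone = No Permissions means *no entry at all*. Do not add a Deny for
# Everyone: a Deny ACE wins over the Allow entries and locks everybody out.

Set-Acl -Path $Path -AclObject $acl

# Check the result against the list in the article.
Get-SmbShareAccess -Name $ShareName
(Get-Acl -Path $Path).Access |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags, PropagationFlags -AutoSize
```

The design point is the split between the share and NTFS layers: the share grants Domain Users full control, but NTFS only lets them list the root and create their own profile folder, after which Creator Owner gives each user full control of that folder and nothing else. Everyone is left without an entry rather than being denied, because a Deny ACE would override every Allow above it.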

3. Make sure that the machines you will be using as View targets have the View Persona Management option selected in the View Agent installer (it is selected by default).

Configure Windows 7 to be a VMware View Desktop

4. You need to get the administrative template for Persona Management. You will find it on your VMware Connection Server in the following location;

[box] C:\Program Files\VMware\VMware View\Server\extras\GroupPolicyFiles [/box]

Locate the ViewPM.adm file and copy it to a domain controller.

5. Create a new group policy that is linked to the OU containing your View machines.

6. Edit the policy > Expand Computer Configuration > Policies > Administrative Templates > Right click > Add/Remove Templates > Add in the ViewPM.adm template.

7. Navigate to;

[box] Computer Configuration > Policies > Administrative Templates > Classic Administrative Templates > VMware View Agent Configuration > Persona Management [/box]

8. In the Roaming and Synchronisation section > Manage user persona > Set to Enabled > Next Setting.

9. Enabled > Enter the UNC path of the shared folder you created earlier > Next Setting.

10. Enabled (to remove local cached copies of the profile).

11. Enabled to roam the local folder > That’s all I’m going to configure in this branch of the policy.

Persona Management Folder Redirection

12. Navigate to;

[box] Computer Configuration > Policies > Administrative Templates > Classic Administrative Templates > VMware View Agent Configuration > Persona Management > Folder Redirection [/box]

Here you will find the folders that can be redirected to a central location.

13. For example, here I’m redirecting the users “My Documents” folder.

14. And their “My Pictures” folder.

15. Make sure you have a pool created, and your users have an ‘entitlement’ to it. These machines will also HAVE TO be in the OU your policy is applied to.

Creating a ‘Manual Pool’ and Connecting a View Client

Deploying Linked Clone View Desktops

16. Now when your users connect to their View Desktops.

17. Their user profile will be persistent.

18. Because their settings are stored in your profile shared folder.

Note: Persona Management will store the profile in username.domainname format. The .V2 on the end denotes that the profile is for Windows 7 or Vista. If users swap between these OSs and any older Windows OS, they will get a separate profile for those as well. If this is the case, rely on the folder redirection rather than the profile.

Related Articles, References, Credits, or External Links

NA

VMware View – Windows Pool ‘Stuck’ on Customizing

KB ID 0000646 

Problem

While trying to deploy a Windows XP Pool yesterday, I hit upon this problem. Windows 7 works fine, but as soon as I tried to roll out a Windows XP pool, they stopped like this;

After a couple of hours, the whole operation timed out, and each machine shows as;

Status
{Date}{Time} o’clock {Time-Zone}:
Customization operation timed out

I tried to deploy the pool with both ‘quick prep’ and ‘sysprep’, but the results were the same. The replica is created, the pool creates the machines, but they DO NOT join the domain.

Solution

Despite my best efforts, I had to admit defeat and call VMware. Turns out they knew what the problem was straight away.

1. In my case the pool was going to be a linked clone pool. Go to the reference XP machine that you are using for this pool, and power it on.

2. Start > Run > appwiz.cpl {Enter}.

3. Locate and uninstall the VMware View Agent software.

4. Reboot the machine.

5. Download and install Microsoft Update 944043 on the XP source machine. (Note: here’s the 32-bit version for XP).

6. Reboot the machine, (or the next step will fail and ask for a reboot!)

7. Reinstall the VMware View Agent.

8. Now if you are creating a linked clone pool, release the IP address > shut down the guest machine > snapshot the guest machine > recreate your pool.

Conclusion

VMware tell me that this is well documented in this KB article. But both at the time and since, I’ve analysed the logs on the connection server and the agent logs on the deployed machines, and found no mention of the following error,

“View Composer agent initialization state error (18): Failed to join the domain”

Hopefully this will help out someone stuck in the same position.

Related Articles, References, Credits, or External Links

NA

Trend Micro (Worry-Free Business Security) Cannot Remove Agent

KB ID 0000630 

Problem

While working on a badly malware-affected server the other day, I tried to resurrect the Trend Micro Security Agent. It refused to run, so I attempted to remove it, so that I could reinstall it cleanly (I knew the password that it required for removal). However, this is what happened when I tried;

Trend Micro Worry-Free Business Security Agent Setup
Unable to Uninstall

An error has stopped the removal of the Trend Micro Worry-Free Business Security Agent. No changes have been made to this computer. Please contact Trend Micro for help.

Click the button below to close this window.

Solution

This procedure was carried out on Worry-Free Business Security Version 7.

1. Download and extract this zip file, (password novirus) to your desktop.

2. Run the SA_Uninstall_2360.exe file, it will create a folder on your desktop called SA_Uninstall.

3. Open that folder and run the ‘uninstall.bat’ file.

4. Press a key when prompted, then enter ‘Y’ to reboot.

5. Post reboot, I went back to Add/Remove Programs, and it was still there! However, now it let me uninstall it without error.

6. I now went to the server running the Worry-Free console, and pushed out a fresh agent to this machine, updated it, and did a full manual scan.

Related Articles, References, Credits, or External Links

NA

RSA SecurID Error – ‘106: The Web server is busy. Please try again later’

KB ID 0000975 

Problem

Not the most descriptive of errors! In fact this has got nothing to do with the busyness of the web server at all.

Solution

What’s actually happening is that the RSA agent on this machine (in this case a web server) cannot communicate with the RSA Authentication Manager. In my case the web server was in a DMZ, and the RSA Authentication Manager appliance was in another DMZ. The ports required (TCP 5500, UDP 5500, and TCP 5580) were not open from the agent to the appliance. Once I fixed that, we were up and running.
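A check for the agent-to-appliance paths listed above, as an added PowerShell example that is not part of the original article. The appliance name is an assumed placeholder. The same function covers the pass-through authentication agent from the first article on this page, whose only requirement is outbound HTTPS; the Microsoft endpoint named in the comment is one of those the proxy note refers to.

```powershell
# Added example (not from the original article): run on the RSA agent host
# (the web server) to test the TCP paths listed above to the Authentication
# Manager. Assumptions: $AuthManager is a placeholder; Windows Server 2012
# or later for Test-NetConnection. UDP 5500 cannot be proven open with a TCP
# connect, so it is listed for a firewall rule review instead of tested.
$AuthManager = 'rsa-am.dmz.example.local'   # assumed appliance name or IP

$rules = @(
    @{ Port = 5500; Proto = 'TCP' },
    @{ Port = 5500; Proto = 'UDP' },
    @{ Port = 5580; Proto = 'TCP' }
)

function Test-AgentPath {
    param([string]$Server, [hashtable[]]$Rules)
    foreach ($r in $Rules) {
        if ($r.Proto -eq 'TCP') {
            $t = Test-NetConnection -ComputerName $Server -Port $r.Port -WarningAction SilentlyContinue
            $result = if ($t.TcpTestSucceeded) { 'open' } else { 'blocked / no answer' }
        } else {
            $result = 'UDP: confirm the rule on the firewall (a TCP connect cannot test it)'
        }
        [pscustomobject]@{ Server = $Server; Proto = $r.Proto; Port = $r.Port; Result = $result }
    }
}

Test-AgentPath -Server $AuthManager -Rules $rules | Format-Table -AutoSize

# The same check covers the pass-through authentication agent earlier on
# this page, which only needs outbound HTTPS, e.g.
# Test-AgentPath -Server 'login.microsoftonline.com' -Rules @(@{ Port = 443; Proto = 'TCP' })
# Test-NetConnection ignores any proxy server, so if outbound web traffic
# goes through one, test that path with Invoke-WebRequest -Proxy instead.
```

A ‘blocked / no answer’ result on TCP 5500 or 5580 is exactly the condition behind the misleading ‘106: The Web server is busy’ message; the UDP row is a reminder to read the firewall rule rather than a test result.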

Related Articles, References, Credits, or External Links

NA

Installing the HP Power Agent on ESX

KB ID 0000275 

Problem

Assuming you already have the HP Power Monitor installed on another server (Windows or Linux) and you want to add the ESX server as a device.

Solution

1. Download the HP Linux Power Agent i.e. hppm40-linux-remote-agt.tar

2. Use a utility like 7-Zip to extract the files in the agent to a folder on your computer’s C: drive.

3. Create a username and password on the ESX Server.

4. Install FastSCP on your Laptop

5. File > Add Server > Give it the IP address > Supply the root credentials.

6. Supply the user credentials you created earlier > And the root password.

7. Next > Tick “Connect When I click Finish”.

8. Expand the ESX Server and the etc folder > In the right-hand window, right click and select “New Folder” (call it power, as the commands below use /etc/power).

9. Copy the Files you extracted in step 2 to the new folder on the ESX Server.

10. Go to the ESX Server console and login as root.

11. Execute the following commands,

[box]

cd /etc/power
./SetupRA

[/box]

12. Press the Space Bar (A LOT) to get to the end of the EULA.

13. Type yes to accept.

14. Type in the IP address of the server running HP Power Manager (or simply type an asterisk for all IP addresses).

15. The service should start.

WARNING: By default it WON’T work, the ESX firewall will block the traffic, so you need to run the following two commands,

[box]

esxcfg-firewall --openPort 3573,tcp,in,HPPMAgent
service DevMan restart

[/box]

16. Now add the ESX server into the HP Power Manager console.

17. Attached Devices > Add New Device >Add in the IP of the ESX server and the load bank it’s plugged into on the UPS.

18. Save changes > you will need to press “Refresh Page” a few times, before it will go green.

Related Articles, References, Credits, or External Links

NA