mac OSX: Opening JNLP Files?

KB ID 0001767

Problem

I needed to get onto an HPE server’s iLO at work today. I was using Firefox and the .Net extensions no longer work, so I was forced to use Java web start. Annoyingly that opened my Windows 10 VM (that runs in VMware Fusion), then it fell over!

So the problem is, I need to be able to ‘RUN’ a jnlp file on my MacBook, but there’s no Java application in the applications folder.

Opening JNLP Files (mac OSX)

Try to execute the jnlp file again, but under ‘Open with’ select Other.

Select your hard drive, then System > Library > CoreServices > JavaLauncher.app > (Tick Do this automatically for files like this from now on.) > Open.

Now the file will get blocked by security (if you’ve done anything technical on a Mac you should know how to get round that). Click the Apple icon (at the top of your screen) > Preferences > Security and Privacy > General tab > Open Anyway.

You might get some further Java warnings but you should now be able to run the application.
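Before clicking Open Anyway, it helps to know what the JNLP file will download and run. This is an added example, not part of the original article: it parses a JNLP file and reports the codebase, the jars it fetches, and whether it requests all-permissions. The sample file, the host name ilo.example.test and the class name are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urljoin, urlparse

# Constructed sample; host name, jar name and class name are placeholders.
SAMPLE_JNLP = """<jnlp spec="1.0+" codebase="https://ilo.example.test/">
  <information><title>Remote Console</title><vendor>Example</vendor></information>
  <security><all-permissions/></security>
  <resources>
    <j2se version="1.5+"/>
    <jar href="html/console.jar" main="true"/>
  </resources>
  <applet-desc main-class="com.example.Console" name="console" width="1024" height="768"/>
</jnlp>
"""


def inspect_jnlp(xml_text, expected_host):
    """Summarise what a JNLP file downloads and which permissions it asks for."""
    # A JNLP file has no need for a DTD; refuse one rather than expand entities.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD/entity declarations are not expected in a JNLP file")
    root = ET.fromstring(xml_text)
    if root.tag != "jnlp":
        raise ValueError("not a JNLP document")
    codebase = root.get("codebase", "")
    # Relative hrefs are resolved against the codebase, as Java Web Start does.
    jars = [urljoin(codebase, el.get("href", ""))
            for el in root.iter() if el.tag in ("jar", "nativelib")]
    desc = root.find("application-desc")
    if desc is None:
        desc = root.find("applet-desc")
    report = {
        "codebase": codebase,
        "jars": jars,
        "main_class": desc.get("main-class") if desc is not None else None,
        "all_permissions": root.find("security/all-permissions") is not None,
        "findings": [],
    }
    for url in [codebase] + jars:
        parts = urlparse(url)
        if parts.scheme != "https":
            report["findings"].append(f"not HTTPS: {url}")
        if parts.hostname != expected_host:
            report["findings"].append(f"unexpected host: {url}")
    return report


if __name__ == "__main__":
    print(inspect_jnlp(SAMPLE_JNLP, "ilo.example.test"))
```

An empty findings list means every URL in the file is HTTPS and points at the device you meant to manage.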

Related Articles, References, Credits, or External Links

NA

macOS: ASDM Developer Cannot Be Verified

KB ID 0001667

Problem

When trying to connect to a Firepower 1010 ASDM I was met with this;

“Cisco ASDM-IDM.app” cannot be opened because the developer cannot be verified.
macOS cannot verify that this app is free from malware

Solution

If you’ve spent much time using macOS then this is quite common. Open System Preferences > Security and Privacy > General tab > You will see a warning about the Cisco ASDM-IDM > Click ‘Open Anyway‘.

If you are prompted again simply click ‘Open‘.

Related Articles, References, Credits, or External Links

NA

Cannot Access / Open ASDM

KB ID 0000458

Problem

Out of the box Cisco PIX/ASA devices should have a working ASDM. This config can get broken over time, and also there are a few things that can trip you up on your client machine.

Solution

Make sure the client machine you are using is not the problem

1. The ASDM runs using Java, so make sure the machine has Java installed.

Note: If you are using Java version 7 Update 51 see the following article.

Unable to Access ASDM – “Unable to launch device manager from…”

2. Make sure the internet browser you are using is supported:

| Operating System | Internet Explorer | Firefox (2) | Safari | Chrome | Java SE Plug-in (1) |
|---|---|---|---|---|---|
| Microsoft Windows: 10, 8 (8.1), 7, Server 2012 R2, Server 2012, 2008 Server, XP | Yes | Yes | No support | Yes | 8.0 |
| Apple Macintosh OS X: 10.6, 10.5, 10.4 | No support | Yes | Yes | Yes (64 bit only) | 8.0 |
| Ubuntu Linux 14.04, Debian Linux 7 | N/A | Yes | N/A | Yes | 8.0 (Oracle only) |

Note 1: Support for Java 5.0 was removed in ASDM 6.4. Obtain Sun Java updates from java.sun.com.

Note 2: ASDM requires an SSL connection from the browser to the ASA. By default, Firefox does not support base encryption (DES) for SSL and therefore requires the ASA to have a strong encryption (3DES/AES) license. As a workaround, you can enable the security.ssl3.dhe_dss_des_sha setting in Firefox. See http://kb.mozillazine.org/About:config to learn how to change hidden configuration preferences.

3. Make sure you are NOT trying to access the ASDM through a proxy server, this is a common “gotcha”!

4. Can another machine access the ASDM?

5. If the ASDM opens but does not display correctly, then do the following, File > Clear ASDM Cache > File > Clear Internal Log Buffer > File > Refresh ASDM with the running Configuration on the Device.

Make sure the ASA is configured correctly, and your PC is “allowed” access

1. Connect to the firewall using either SSH, Telnet, or via the Console Cable.

2. Log into the firewall, go to enable mode > Enter the enable password

[box]

Type help or '?' for a list of available commands.
PetesASA> enable
Password: ********
PetesASA#

[/box]

3. The ASDM is enabled with the command “http server enable”. To make sure that’s there, issue a “show run http” command.

[box]

PetesASA# show run http
http server enable
http 10.254.254.0 255.255.255.0 inside
http 123.123.123.123 255.255.255.255 outside

[/box]

Note: if the command is NOT there, you need to issue the following three commands:

[box]

PetesASA# configure terminal
PetesASA(config)# http server enable
PetesASA(config)# write mem
Building configuration...
Cryptochecksum: 9c4700fe 475d22c4 13442d06 b0317c69

9878 bytes copied in 1.550 secs (9878 bytes/sec)
[OK]
PetesASA(config)# 

[/box]

Note: If you see a number after the command e.g. “http server enable 2456” then you need to access the ASDM on that port, like so {IP address/Name of ASA}:2456 (This is common if you’re port forwarding https but you still want to access the ASDM externally).

4. Assuming that the ASDM has been enabled, the IP address you are accessing from (or the subnet you are on) also needs to be allowed access. You will notice in step 3 above that when you issue the show run http command, it also shows you the addresses that are allowed access, if yours is NOT listed you can add it as follows:

[box]

PetesASA# configure terminal
PetesASA(config)# http 10.254.254.5 255.255.255.255 inside
PetesASA(config)# http 10.254.254.0 255.255.255.0 inside
PetesASA(config)# http 123.123.123.123 255.255.255.255 outside
PetesASA(config)# write mem
Building configuration...
Cryptochecksum: 9c4700fe 475d22c4 13442d06 b0317c89

9878 bytes copied in 1.550 secs (9878 bytes/sec)
[OK]
PetesASA(config)#

[/box]

5. At this point try and access the ASDM again.

6. The ASA needs to be told what file to use for the ASDM. To make sure it’s been told, issue the following command (if there is NOT one specified then skip forward to step 7 to see if there is an ASDM image on the firewall).

[box]

PetesASA# show run asdm
asdm image disk0:/asdm-739.bin

Note: on a Cisco PIX the results will look like..

PetesPIX# show run asdm
asdm image flash:/asdm-501.bin

[/box]

7. Write down the file that it has been told to use (in the example above asdm-739.bin). Then make sure that file is actually in the firewall’s memory with a “show flash” command.

[box]

PetesASA# show flash
--#-- --length-- -----date/time------ path
142 15943680 May 08 2010 18:10:42 asa831-k8.bin
144 14240396 May 08 2010 18:11:50 asdm-739.bin
3 2048 Jul 21 2009 12:04:26 log
6 2048 Apr 28 2010 15:08:32 crypto_archive
163 393828 Feb 14 2010 12:23:28 crypto_archive/crypto_arch_1.bin
164 393828 Apr 28 2010 15:08:32 crypto_archive/crypto_arch_2.bin
147 9526560 Jul 21 2009 12:04:52 csd_3.4.1108.pkg
148 2048 Jul 21 2009 12:04:54 sdesktop
150 2648712 Jul 21 2009 12:04:54 anyconnect-win-2.3.0254-k9.pkg


127135744 bytes total (29583360 bytes free)

[/box]

Note: If the file you are looking for is NOT there then (providing you have a valid support agreement with Cisco) download an ASDM image and load it into the firewall, see here for instructions.

Note: If the file is in the flash memory but was not referenced in step 6 then you can add the reference with the following command (obviously change the filename to match the one that’s listed in your flash memory).

[box]

PetesASA# configure terminal
PetesASA(config)# asdm image disk0:/asdm-631.bin
PetesASA(config)# write mem
Building configuration...
Cryptochecksum: 9c4700fe 475d22c4 13442d06 b0317c89

9878 bytes copied in 1.550 secs (9878 bytes/sec)
[OK]
PetesASA(config)#

[/box]
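The checks in steps 3 and 4, as an added example that is not part of the original article: a short Python script that reads “show run http” output (the sample is the output shown in step 3), reports the ASDM port, tells you whether a given client address is allowed on a given interface, and lists entries on other interfaces that admit more than one host. The function names, and treating only “inside” as the trusted interface, are assumptions.

```python
import ipaddress
import re

# Sample taken from the "show run http" output shown in step 3.
SHOW_RUN_HTTP = """\
http server enable
http 10.254.254.0 255.255.255.0 inside
http 123.123.123.123 255.255.255.255 outside
"""

SERVER_RE = re.compile(r"^http server enable(?:\s+(\d+))?$")
ALLOW_RE = re.compile(r"^http (\d+(?:\.\d+){3}) (\d+(?:\.\d+){3}) (\S+)$")


def parse_show_run_http(text):
    """Return {'enabled', 'port', 'allowed': [(network, interface), ...]}."""
    cfg = {"enabled": False, "port": None, "allowed": []}
    for raw in text.splitlines():
        line = raw.strip()
        m = SERVER_RE.match(line)
        if m:
            cfg["enabled"] = True
            cfg["port"] = int(m.group(1) or 443)  # no number means port 443
            continue
        m = ALLOW_RE.match(line)
        if m:
            addr, mask, ifname = m.groups()
            # strict=False tolerates host bits set in the address part
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            cfg["allowed"].append((net, ifname))
    return cfg


def client_allowed(cfg, client_ip, interface):
    """True if client_ip falls inside an http entry for that interface."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net and ifname == interface
               for net, ifname in cfg["allowed"])


def wide_entries(cfg, trusted=("inside",)):
    """Entries on non-trusted interfaces that admit more than one host."""
    return [(str(net), ifname) for net, ifname in cfg["allowed"]
            if ifname not in trusted and net.num_addresses > 1]


if __name__ == "__main__":
    cfg = parse_show_run_http(SHOW_RUN_HTTP)
    print("ASDM enabled:", cfg["enabled"], "port:", cfg["port"])
    print("10.254.254.5 via inside:", client_allowed(cfg, "10.254.254.5", "inside"))
    print("entries to review:", wide_entries(cfg))
```

With the sample above the review list is empty, because the only outside entry is a single host.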

 

Related Articles, References, Credits, or External Links

Connecting to and Managing Cisco Firewalls

Cisco Allowing Remote Management

Cisco ASA5500 Update System and ASDM (From ASDM)

Exchange 2010 – EMC Error ‘GetSteppablePipeline execution of scripts is disabled’

KB ID 0001351 

Problem

Seen when attempting to open the Exchange Management Console;

Exception calling “GetSteppablePipeline” with “1” argument(s): File C:\ProgramFiles\Exchange Server\v14\RemoteScripts\ConsoleInitialize.ps1 cannot be loaded because the execution of scripts is disabled on this system. Please see “get-help about_signing” for more details.”

Solution

This is usually caused by an update rollup, and can be easily fixed by running the following command at an administrative PowerShell session.

[box]Set-ExecutionPolicy RemoteSigned -scope LocalMachine[/box]

Note: Sometimes you may get an error message;

Set-ExecutionPolicy : Access to the registry key ‘HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell’ is denied.

If that happens, launch regedit.exe, navigate to the above value and change it from ‘Restricted’ to ‘Unrestricted’.

Related Articles, References, Credits, or External Links

NA

Users Cannot Access Public Folders Post Migration (Exchange 2016)

KB ID 0001295 

Problem

This post comes from my colleague Andrew Dorrian, he usually follows my migrating public folders article. Recently after a couple of Exchange 2016 migrations he has seen a problem where the public folders are visible in the Exchange Admin Console, but the users can’t access them.

Solution

Open ADSIedit.msc and connect to the ‘Configuration’ context.

Navigate to;

CN=Services > CN=Microsoft Exchange > CN=(your organization name) > CN=Administrative Groups > CN=Exchange Administrative Group (FYDIBOHF23SPDLT) > CN=Databases.

Locate your mailbox database(s) > Right Click > Properties > Locate: msExchHomePublicMDB > Edit > Clear > OK > Apply > OK.

Open an Exchange administrative shell and run the following command;

[box]Set-OrganizationConfig -PublicFoldersEnabled Local[/box]

Note: Depending on the size of your organisation, you might want to wait a while for the changes to get replicated.

Related Articles, References, Credits, or External Links

NA

SBS Exchange Certificate Expired

KB ID 0000535

Problem

When you set up SBS2008 (and Exchange 2007) it creates and uses a self-signed certificate, which is fine. But by default it only lasts two years. The best option is to buy a proper certificate, but if you simply want to generate a new one here’s how to do it.

Solution

1. Here you can see your certificate has expired.

2. Normally you need to access your certificate services web enrolment console to carry this procedure out. But when you navigate to https://localhost/certsrv you will probably see this:

Server Error in Application “SBS WEB APPLICATIONS”

Note: If web enrolment is installed, and you still can’t access certificate services (CertSrv) then click here

3. You are seeing this error because certificate services might be installed, but the “Certificate Authority Web Enrolment” role service is not, you can add it from server manager.

4. Select it and follow the on screen prompts > Go and have a coffee.

5. Now you should be able to access the web front end.

6. To get a certificate we need a certificate request, you can write the PowerShell yourself like so:

[box] New-ExchangeCertificate -GenerateRequest -Path c:\mail_yourpublicdomianname_co.csr -KeySize 2048 -SubjectName "c=gb, s=Your State County, l=Your City, o=Your Org, ou=Your Department, cn=mail.yourpublicdomianname.com" -PrivateKeyExportable $True [/box]

OR simply go here and let the good folk at Digicert do the heavy lifting for you.

7. Now you have the code, generate the request, on the Exchange server >  Start > All Programs > Microsoft Exchange Server 2007 > Exchange Management Shell > Execute the command you copied above.

8. This will dump the request on the C: drive (because in your command above you set the path to C:\mail_yourpublicdomianname_co.csr). Locate it and open it with Notepad. Then select and copy ALL the text (copy as shown, no extra spaces etc.).

9. If you have closed it down log into certificate services web access. Select “Request Certificate” > We will be submitting an advanced certificate request.

10. “Submit a certificate request by using………..”.

11. Paste in the text you copied at step 8, change the certificate template to “Web Server” > Submit.

12. Download the certificate.

13. Save it somewhere you can find it (the root of the C: drive is easiest, as you are going to be referencing it in a command shortly).

14. Job done, close the browser window.

15. Back at the Exchange Management Shell issue the following command:

[box] Import-ExchangeCertificate -Path c:\the-name-of-your-cert.cer [/box]

As it imports it shows you the thumbprint of the certificate, mark this and copy it to the clipboard.

16. Now you have the certificate imported you can enable it, issue the following command:

[box] Enable-ExchangeCertificate -Services "SMTP,POP,IMAP,IIS" [/box]

It will ask you for the thumbprint > paste it in > when prompted enter “A” to confirm all.

17. That’s the job finished.

SBS2008 Unable to access Certificate Services

I’ve seen this on a few SBS2008 Servers, when you install the web enrolment service it installs into the server’s “Default Web Site”. For any other Windows/Exchange combo that’s fine but SBS likes to do things its own way. It creates another web site called “SBS Web Applications” and uses that. That’s fine, but only one can be up and running at a time.

CertSrv The Webpage cannot be found

1. Warning: You are about to stop things like OWA briefly. From Administrative tools launch the Internet Information Services (IIS) Manager > Locate the SBS Web Applications site and click stop (right hand column) > then select the Default Web site and start it.

2. Select the CertSrv virtual directory.

3. You can now browse via http/https and this will open the site in your default browser. Don’t forget to stop the Default website, and restart the SBS Web Applications site when you are finished.

 

Related Articles, References, Credits, or External Links

NA

Exchange – Outlook Web Access ‘Your request could not be completed..’

KB ID 0001093 

Problem

Whilst doing an Exchange 2003 to Exchange 2010 migration last week, I moved a test mailbox to the new Exchange 2010 server. But when I attempted to open the mailbox in OWA I got this;

“Your request couldn’t be completed because no server with the correct security settings was found to handle the request. If the problem continues, contact your helpdesk.”

Solution

At first I assumed this was some IE error and was probably because I was on the Exchange 2010 server and trying to open the test mailbox there, instead of a client where the security on IE would be a little more lax.

But that was not the case, it turns out you see this error when the mailbox is still on the 2003 server and has not yet moved to the new server. When I actually checked the mailbox move was ‘stuck’ in a queued state.

Related Articles, References, Credits, or External Links

NA

Microsoft Edge Can’t Be Opened Using The Built-In Administrator Account

KB ID 0001096 

Problem

Not only the built in administrator account, if you try and open Microsoft Edge whilst logged in as the Domain Administrator you will also see the same error message.

To be honest this is a good thing, you shouldn’t be doing something potentially dangerous like going on the Internet as the administrator anyway. However for my test Windows 10 machine on the bench I’m not really bothered, I just want it to work.

Solution

Enable Microsoft Edge for Administrators (one machine)

1. From the Start/Run menu type and execute secpol.msc (local security policy editor).

2. Navigate to;

[box]Security Settings > Local Policies > Security Options > User Account Control: Admin Approval Mode for the Built-in Administrator account[/box]

3. Set the policy to ‘Enabled’ >Apply > OK.

4. Reboot.

5. Boom! There it is.

Enable Microsoft Edge for Administrators (Multiple Domain Machines via GPO)

Warning: With great power comes great responsibility, if you have some test machines in one OU and you want to do this for them, that’s fine. But REMEMBER this setting is a good thing, DO NOT go linking this GPO to the root of your domain!

1. On a DC or a machine with the RSAT tool installed, launch Group Policy Editor. Create a new GPO or edit an existing one.

2. Navigate to;

[box]Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options > User Account Control: Admin Approval Mode for the Built-in Administrator account[/box]

3. Set the policy to ‘Enabled’ > Apply > OK.

4. Close the Group Policy Management Editor. If you have a Windows 2012 domain you can force the policy refresh on a particular OU, or simply run ‘gpupdate /force’ on the target machine, (or you could also wait a couple of hours, or simply reboot the target machines).

Enable Microsoft Edge for Administrators (one machine via the registry)

‘Home’ editions of Windows do not have local policy editing options, for those you will have to edit the registry directly.

1. Open regedit.

2. Navigate to;

[box]HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > Windows > CurrentVersion > Policies > System[/box]

Locate ‘FilterAdministratorToken’ and set its value to 1 (Note: You may need to create it as a 32-bit DWORD).

3. Navigate to;

[box]HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > Windows > CurrentVersion > Policies > System > UIPI[/box]

Locate and set the value of ‘(Default)’ to 1.

Related Articles, References, Credits, or External Links

NA