I get it, older versions of TLS and SSL are insecure and we should not be using them. However I needed to get on an HPE Server iLO management interface last week and I was met with this.
Firefox Error: SSL_ERROR_UNSUPPORTED_VERSION
Microsoft Edge, Chrome, and Opera Error: ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Microsoft Internet Explorer Error: This might be because the site uses outdated or unsafe TLS security settings. If this keeps happening, try contacting the website’s owner. Your TLS security settings aren’t set to the defaults, which could also be causing this error.
Firefox Solution : SSL_ERROR_UNSUPPORTED_VERSION
I advise you just do this to get to the page you need, and set it back afterwards. In your browser’s address bar enter about:config, type TLS into the search bar, locate security.tls.version.min and change its value to 1, then tick to save.
And now, I can get to where I want to go.
IE Solution : SSL_ERROR_UNSUPPORTED_VERSION
Yeah, I know Internet Explorer is supposed to be dead, but it’s still there and you can use it to solve this problem: from Internet Options in IE > Advanced, you can then enable TLS 1.1 and 1.2.
You will still get a warning but now you can click past it.
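Before dropping the browser’s minimum (the value 1 in the Firefox step is TLS 1.0), it is worth confirming what the appliance actually offers, so you lower the floor by exactly one version and no further. The following PowerShell is an added example, not part of the original post: it opens one connection per TLS version and reports which handshakes the server accepts. The host name is an assumption; the certificate callback accepts anything only so a self-signed iLO certificate does not abort the version test, and nothing is sent after the handshake.

```powershell
function Test-TlsVersion {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443,
        # Names of System.Security.Authentication.SslProtocols members to try, one connection each.
        [string[]]$Protocols = @('Tls', 'Tls11', 'Tls12', 'Tls13')
    )
    # Accept any certificate for the duration of the probe: iLO boards usually present a
    # self-signed certificate, and this function never sends data after the handshake.
    $ignoreCert = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]

    foreach ($name in $Protocols) {
        $client = New-Object System.Net.Sockets.TcpClient
        $ssl    = $null
        try {
            # Casting the name to the enum pins the handshake to exactly one version;
            # the cast itself throws on .NET builds that predate a value (e.g. Tls13).
            $proto = [System.Security.Authentication.SslProtocols]$name
            $client.Connect($HostName, $Port)
            $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $ignoreCert)
            $ssl.AuthenticateAsClient($HostName, $null, $proto, $false)
            [pscustomobject]@{
                Protocol  = $name
                Supported = $true
                Detail    = "$($ssl.CipherAlgorithm)-$($ssl.CipherStrength) / $($ssl.HashAlgorithm)"
            }
        } catch {
            # Either the server refused that version, or the client OS has it disabled in
            # Schannel (a TLS 1.0 row can show as unsupported for that reason alone).
            $ex = $_.Exception
            if ($ex.InnerException) { $ex = $ex.InnerException }
            [pscustomobject]@{
                Protocol  = $name
                Supported = $false
                Detail    = $ex.Message
            }
        } finally {
            if ($ssl) { $ssl.Dispose() }
            $client.Dispose()
        }
    }
}

# Host name is an assumption; use the address of your iLO (or other management appliance).
Test-TlsVersion -HostName 'ilo.example.internal' | Format-Table -AutoSize
```

If only the Tls row comes back supported, the device speaks nothing newer than TLS 1.0 and a firmware update is the real fix; the browser change above is just the way in until then.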
I had to update the ‘self-signed‘ certificate on my VMware vCenter today, but when I went to browse to it, I got this.
NET::ERR_CERT_AUTHORITY_INVALID
Well yes of course I don’t trust the CA that issued this certificate it’s a self-signed certificate! So HOW DO I TRUST IT?
Solution : Bypass Blocked Certificate
I didn’t believe the answer when I read it, because it sounds like an IT department prank, but it works. Make sure you have clicked somewhere in the page, so it is the window that’s in focus, then type the following on your keyboard.
thisisunsafe
The website will open.
Note: If you are in an InPrivate browsing window, the bypass only persists for that session; for normal browsing the site will be added to the “allowed” website list.
In a fit of lunacy Microsoft have called ‘their’ new browser Microsoft Edge, so we can spend the next few months confusing it with Edge. Plus every Google search for GPO settings, error messages etc will all now show search results for the old Edge Browser not the new Microsoft Edge browser! Perhaps the same doofus at Microsoft who called the Exchange sync Active Sync when Microsoft already had a product called Active Sync was involved?
Anyway, I got a request from a client this week to have Microsoft Edge on their Citrix environment. There was some confusion (imagine that), because Edge does not work on Server 2016 (and it’s not shipped as part of Server 2016), but would Microsoft Edge work?
Installing Microsoft Edge on Server 2019/2016 (With IE11)
Why is Internet Explorer still alive? Anyway, if you want to install Edge on a modern Windows server, firstly ensure you are fully up to date with updates! Then open IE: Internet Options > Security > Custom > Scripting > Enable Active Scripting > OK > Yes > Apply > OK.
The first test was ‘would it run on Server 2016?’ It detected the OS as Windows 10 (unsurprisingly), and installed fine;
Microsoft Edge on Remote Desktop Services
Well, Citrix is really just Remote Desktop Services in a leather jacket, so the next test was ‘would it work in RDS?’ I spun up an RDS farm on the bench, and was pleased to see I could select Microsoft Edge as a RemoteApp (not that I needed to deploy it using RemoteApp, but it being detected was promising).
And in an RDS session it worked faultlessly.
Deploy Microsoft Edge on Citrix (Server 2016)
Here’s where we had a problem: it installed fine, but every time I went to open it, all I got was a ‘white screen’ for about 5 minutes, after which it burst into life, which I couldn’t really ask the client to put up with!
As this was happening when I launched the browser I ‘wrongly’ assumed it was a ‘first run‘ problem (for the uninitiated, previous Microsoft browsers gave you an annoying ‘how do you want to set the browser up’ routine, then finally dumped you on the MSN webpage; does anyone actually use the MSN webpage?). While it didn’t cure my problem, it’s worth mentioning how I stopped the first run dialog happening;
Controlling Microsoft Edge with Group Policies
If you are used to importing ADMX and ADML files then this will be a breeze to you. If you are really interested I cover the subject in great detail in the following post;
[box]
Computer Configuration > Policies > Administrative Templates > Microsoft Edge
[/box]
Microsoft Edge: Stop Importing of Bookmarks/Favourites
Locate: ‘Automatically import another browser’s data and settings at first run‘ > Enable the policy, and select ‘Disable automatic import and the import section of the first run experience is skipped‘ > Apply > OK.
Microsoft Edge: First Run
This will disable the entire first run dialog;
Locate: ‘Hide the First-run experience and splash screen‘ > Enable the policy > Apply > OK.
As it was working in RDS and not working on Citrix, then the problem was probably Citrix*. Citrix is one of my weaker subjects, so credit for the actual fix should go to my colleague (Dan Brookes).
*After I had discounted existing group policies, and other installed applications.
Running Microsoft Edge while it was ‘hanging’ and looking at what was going on in Process Monitor showed a lot of hook64.dll entries;
This pointed to the culprit. Open the Registry Editor (regedit) and navigate to;
[box]
HKEY_LOCAL_MACHINE > System > CurrentControlSet > Services > CtxUvi
[/box]
Locate the UviProcessExcludes REG_SZ value, edit it and add ‘msedge.exe;‘ to the end.
There’s probably one service you can restart, but I simply rebooted the server (problem solved).
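If you have more than one Citrix server to fix, editing that value by hand invites typos and duplicate entries. The PowerShell below is an added example, not from the original post: it appends msedge.exe to the exclusion list only if it is not already there, keeps the trailing semicolon convention, and shows the before and after values so you can confirm nothing else was dropped. It assumes the CtxUvi key from the post exists (i.e. the Citrix VDA is installed) and that the value is the usual semicolon-separated list.

```powershell
# Added example: idempotently append a process to the Citrix UVI exclusion list.
# Run in an elevated PowerShell session on the Citrix server; reboot afterwards.
$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\CtxUvi'
$ValueName = 'UviProcessExcludes'
$Process   = 'msedge.exe'

function Add-UviProcessExclude {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$ExeName
    )
    if (-not (Test-Path -Path $Path)) {
        throw "Citrix UVI key '$Path' not found; is the Citrix VDA installed on this server?"
    }
    $item    = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    $current = if ($item) { [string]$item.$Name } else { '' }

    # Split on ';' and drop empty entries; -contains is case-insensitive, so an existing
    # 'MSEDGE.EXE' entry is recognised and not duplicated.
    $entries = @($current -split ';' | Where-Object { $_ -ne '' })
    if ($entries -contains $ExeName) {
        Write-Host "'$ExeName' is already in $Name; nothing to do."
        return $current
    }

    # Rebuild the list with the new entry and the trailing ';' the post uses ('msedge.exe;').
    $new = (($entries + $ExeName) -join ';') + ';'
    if ($item) {
        # Set-ItemProperty keeps the existing REG_SZ type.
        Set-ItemProperty -Path $Path -Name $Name -Value $new
    } else {
        New-ItemProperty -Path $Path -Name $Name -Value $new -PropertyType String | Out-Null
    }
    Write-Host "Updated $Name`nBefore: '$current'`nAfter:  '$new'"
    return $new
}

Add-UviProcessExclude -Path $KeyPath -Name $ValueName -ExeName $Process
```

Keep the ‘Before’ line from the output somewhere; if Edge still hangs you can put the value back exactly as it was and rule the exclusion out.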
FSLogix and Microsoft Edge
If you are running FSLogix you should also add an ‘exclusion’ to the Redirections.xml file (located in your \\{domain-name}\NETLOGON folder).
I was asked to set up a VPN to help out a colleague this week. When I had a look, one end turned out to be an Edge Gateway. I wasn’t that concerned, I’d done similar things in my prior role; I just didn’t have access to the vCloud or VMware at this datacenter.
Despite my best efforts on the ASA, the tunnel refused to come up, and it took a little looking ‘under the covers’ to accurately diagnose the problem. But to save you my pain, I’ll post the setup of both ends so yours will be a little less stressful.
VMware Edge Gateway VPN Setup
Locate the Edge Gateway in vCloud Director > VPN > Create new VPN > Tick ‘Enable This VPN‘ configuration > Set the local and remote networks > Local ID is the local public IP of the Edge Gateway > Remote ID is the public IP of the Cisco ASA > Set the encryption protocol as AES256 > Copy the pre-shared key (Warning: some browsers won’t select all of the key, and you will end up a few characters short; make sure you have it all!) > OK.
On the ‘Firewall’ Tab allow all traffic TO and FROM the remote subnet, (behind the Cisco ASA).
Note: There is no need to make a NAT exemption.
Cisco ASA VPN Setup (For Edge Gateway)
Note: The version of Edge Gateway I was using negotiated the following (once AES256 is selected):
IKE Version: 1
Encryption:AES-256
Hashing: SHA
Diffie Hellman: Group 2
Perfect Forward Secrecy: Enabled (group 2)
I’m aware that newer Edge Gateways support IKEv2 but debugging the incoming requests told me mine was using IKEv1.
You DO NOT have any existing VPNs configured (if you do, change the name of the CRYPTO-MAP (above) to match the name of your crypto map and use a higher number, e.g. ‘outside_map 2‘).
Troubleshooting Edge Gateway End of the VPN
You need access to the underlying VMware infrastructure > Select Networking and Security > Locate the NSX Edge > VPN > IPsec VPN > Show IPsec Statistics > Here you can see some meaningful error messages if there’s a problem.
Troubleshooting Cisco ASA End of the VPN
I’ve covered this to death in the past, so rather than reinvent the wheel;
This question appeared in my inbox today: ‘Edge’ has a nasty habit of assigning itself as the default PDF reader, particularly after a round of updates!
Solution
First I went and had a look at the site of my old Experts Exchange buddy Ramesh (www.winhelponline.com), who had done the heavy lifting and worked out the registry keys;
Note: I’m only concerned with .pdf files; if you want to block .htm and/or .html files, then just repeat this process using the REG_SZ values from above;
The solution for a single machine is to create the following two registry string values;
HKEY_CURRENT_USER\Software\Classes\AppXd4nrz8ff68srnhf9t5a8sbjyar1cr723
REG_SZ Name = NoOpenWith
REG_SZ Name = NoStaticDefaultVerb
Then set the correct file association like so;
Which is fine for one machine, but what if you have hundreds of complaining users? Then we need to employ some Group Policies. But there are a few hoops to jump through first. On your client machine, the one you have just tested the procedure on, export your file associations to an XML file. Open an administrative command window, and execute the following command;
If you take a look at the file you will see (providing you did it right) the Adobe/PDF file association.
Now copy the file to a location all your domain clients can see; in my case I’m going to drop it in the sysvol directory.
Create a new Group Policy linked to the computers you want to apply the change to, then edit it.
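The two halves of the single-machine procedure, creating the registry values and checking the exported association file before it goes anywhere near SYSVOL, in one PowerShell script. This is an added example and not from the original post or from winhelponline: the AppX key is the Edge ProgId quoted above, while the Acrobat ProgId, the sample XML content and the temp path are constructed for illustration. The check refuses a file whose .pdf entry still points at an AppX ProgId, which is what you get if the export was run before the default was actually changed.

```powershell
# Added example: block Edge as a PDF handler for the current user, then validate an
# exported DefaultAssociations XML before deploying it by Group Policy.
$EdgeProgIdKey = 'HKCU:\Software\Classes\AppXd4nrz8ff68srnhf9t5a8sbjyar1cr723'

function Block-EdgePdfAssociation {
    # Create the two empty REG_SZ values from the post; safe to re-run (-Force overwrites).
    if (-not (Test-Path $EdgeProgIdKey)) { New-Item -Path $EdgeProgIdKey -Force | Out-Null }
    foreach ($name in 'NoOpenWith', 'NoStaticDefaultVerb') {
        New-ItemProperty -Path $EdgeProgIdKey -Name $name -Value '' -PropertyType String -Force | Out-Null
    }
    Get-ItemProperty -Path $EdgeProgIdKey | Select-Object NoOpenWith, NoStaticDefaultVerb
}

function Test-DefaultAssociationsXml {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$Extension = '.pdf',
        [string]$UnwantedProgIdPrefix = 'AppX'   # Edge's built-in PDF handler is an AppX ProgId
    )
    [xml]$doc = Get-Content -Path $Path -Raw
    $assoc = $doc.DefaultAssociations.Association | Where-Object { $_.Identifier -eq $Extension }
    if (-not $assoc) {
        throw "No <Association> for '$Extension' in $Path; set the default on the client and export again."
    }
    if ($assoc.ProgId -like "$UnwantedProgIdPrefix*") {
        throw "'$Extension' still points at '$($assoc.ProgId)' ($($assoc.ApplicationName)); the default was not changed before export."
    }
    [pscustomobject]@{ Extension = $assoc.Identifier; ProgId = $assoc.ProgId; Application = $assoc.ApplicationName }
}

# --- usage ---
Block-EdgePdfAssociation

# Constructed sample of an exported association file (the Acrobat ProgId is an assumption;
# read the real ProgId from your own export rather than copying this one).
$sample = Join-Path $env:TEMP 'DefaultAssociations-sample.xml'
@'
<?xml version="1.0" encoding="UTF-8"?>
<DefaultAssociations>
  <Association Identifier=".pdf" ProgId="AcroExch.Document.DC" ApplicationName="Adobe Acrobat Reader DC" />
  <Association Identifier=".htm" ProgId="MSEdgeHTM" ApplicationName="Microsoft Edge" />
</DefaultAssociations>
'@ | Set-Content -Path $sample -Encoding UTF8

# Passes for the sample above; point -Path at your real export before copying it to SYSVOL.
Test-DefaultAssociationsXml -Path $sample
```

Run the check against the file you exported, not the sample; if it throws, fix the association on the client and export again, otherwise the computer policy below will cheerfully push the wrong handler to every machine it is linked to.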
Navigate to;
[box]Computer Configuration > Policies > Administrative Templates > Windows Components > File Explorer > Set default associations configuration file > Enable > Put in the path to your .XML file[/box]
Save and exit the group policy, now create a SECOND POLICY linked to your USERS.
Navigate to;
[box]User Configuration > Preferences > Windows Settings > Registry > New > Registry Item[/box]
Note: I’ve already created the registry values on the machine I’m configuring the policy on (you can export the key and import it on a domain controller to make things easier for you). Close and exit the policy editor.