I get it, older versions of TLS and SSL are insecure and we should not be using them. However, I needed to get on an HPE Server iLO management interface last week and I was met with this.
Firefox Error: SSL_ERROR_UNSUPPORTED_VERSION
Microsoft Edge, Chrome, and Opera Error: ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Microsoft Internet Explorer Error: This might be because the site uses outdated or unsafe TLS security settings. If this keeps happening, try contacting the website’s owner. Your TLS security settings aren’t set to the defaults, which could also be causing this error.
Firefox Solution : SSL_ERROR_UNSUPPORTED_VERSION
I advise you to do this only to get to the page you need, and to set it back afterwards. In your browser window enter about:config, type TLS into the search bar, locate security.tls.version.min and change its value to 1, then tick to save.
And now, I can get to where I want to go.
IE Solution : SSL_ERROR_UNSUPPORTED_VERSION
Yeah, I know Internet Explorer is supposed to be dead, but it’s still there and you can utilise it to solve this problem. From your Internet Options in IE > Advanced, you can then enable TLS 1.1 and 1.2.
You will still get a warning but now you can click past it.
Related Articles, References, Credits, or External Links
When attempting to contact a server running the Certification Authority Web Enrolment role, you may see the following error.
In order to complete certificate enrolment, the Web site for the CA must be configured to use HTTPS authentication
Solution
The correct fix is to set the web server (IIS) to serve the certificate website securely using https, though you can just set Internet Explorer to ‘work’ from your client machine if you are in a hurry.
Make Internet Explorer Accept Your Certification Authority
Note: This would need to be done on every machine that you wanted to access the Certificate Services web portal from.
1. From within Internet Explorer > Internet Options > Security > Trusted Sites > Sites.
2. Untick ‘Require server verification (https:) for all sites in this zone’ > Then add in the URL of the CA > Close.
3. With Trusted sites still selected > Custom level > ‘Initialize and script ActiveX controls not marked as safe for scripting’ > Enable > OK > Yes.
4. Restart the browser and try again.
Set IIS to serve Certificate Services Securely (via https).
This assumes you have your CA and the web portal installed correctly.
1. On the Certificate Services Server > Launch IIS Manager > Expand {server-name} > Sites > Default Web Site > Right Click > Edit Bindings > https > Edit > Select the self signed server certificate [NOT the CA ONE] > OK.
Note: If https is missing simply add it!
2. Expand Default Web Site > Certsrv > SSL Settings.
3. Tick ‘Require SSL’ > Apply.
4. That should be all you need, if it does not take effect straight away then drop to command line and run iisreset /noforce.
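The IIS steps above can also be scripted. This is an added example, not the original author's code. It assumes the server certificate's subject contains the host's FQDN, and the variable names are illustrative.

```powershell
# Added example, not the original author's code. Run elevated on the CA server.
Import-Module WebAdministration

$site = 'Default Web Site'
$app  = 'CertSrv'

# Assumption: the server certificate's subject contains this host's FQDN.
# Requiring the Server Authentication usage keeps the CA's own certificate out.
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.Subject -like "*CN=$fqdn*" -and
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        $_.EnhancedKeyUsageList.FriendlyName -contains 'Server Authentication'
    } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No usable server certificate for $fqdn in LocalMachine\My." }

# Step 1: add the https binding if it is missing, then attach the certificate.
if (-not (Get-WebBinding -Name $site -Protocol https)) {
    New-WebBinding -Name $site -Protocol https -Port 443 -IPAddress '*'
}
$binding = Get-WebBinding -Name $site -Protocol https | Select-Object -First 1
if (-not $binding.certificateHash) {
    $binding.AddSslCertificate($cert.Thumbprint, 'My')
}

# Steps 2-3: tick 'Require SSL' on the CertSrv application.
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
    -Location "$site/$app" -Filter 'system.webServer/security/access' `
    -Name 'sslFlags' -Value 'Ssl'

# Check the result: the binding's certificate and the access flags.
Get-WebBinding -Name $site -Protocol https |
    Select-Object protocol, bindingInformation, certificateHash
Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
    -Location "$site/$app" -Filter 'system.webServer/security/access' -Name 'sslFlags'

# Step 4: only if the change does not take effect straight away.
# iisreset /noforce
```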
Related Articles, References, Credits, or External Links
[box]
Install-WindowsFeature : ArgumentNotValid: The role, role service, or feature name is not valid:
'Desktop-Experience'. The name was not found.
At line:1 char:1
+ Install-WindowsFeature Desktop-Experience
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (Desktop-Experience:String) [Install-WindowsFeature], Exception
    + FullyQualifiedErrorId : NameDoesNotExist,Microsoft.Windows.ServerManager.Commands.AddWindowsFeatureCommand

Success Restart Needed Exit Code      Feature Result
------- -------------- ---------      --------------
False   No             InvalidArgs    {}

PS C:\Users\administrator.PNL>
[/box]
Solution
Note: You need Server Datacenter version to do this.
If you go to the Flash website and it (wrongly) thinks you are using Windows 10 (well, it’s the same code, I’ll let them off), and it also says “it’s already installed just enable it”, but it’s not there?
You need to install it with the following command;
While attempting to manage vSphere Center with Internet Explorer, access is blocked because the content was not signed by a valid security certificate.
Content was blocked because it was not signed by a valid security certificate
For more information see “About Certificate Errors” in Internet Explorer Help.
Solution
The client simply does not trust the certificate VMware is presenting (it’s a self-signed certificate). So we just need to trust the CA that issued it! Open your browser and navigate to the hostname/IP of the vCenter. From there choose “Download trusted root CA certificates“.
Your machine should download the certificates in a Zip file. Open and extract that file. Locate the security certificate and double click it > Install Certificate.
Next > Select “Place certificate in the following store” > Locate the “Trusted Root Certification Authorities” container, and select that > Next > Finish.
When prompted select “Yes” > OK.
Try again.
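Because the Zip file comes from the same site the browser does not yet trust, it is worth looking at each certificate before it goes into the Trusted Root store. This is an added example, not the original author's code. The download path and the expected thumbprint are assumptions you supply (the thumbprint obtained out of band), and the variable names are illustrative.

```powershell
# Added example, not the original author's code. Run in an elevated session.
# Assumptions: $zip is where the browser saved the download, and $expected is the
# root CA thumbprint obtained out of band (placeholder below, replace it).
$zip      = Join-Path $env:USERPROFILE 'Downloads\download.zip'
$expected = '<SHA-1 thumbprint of the vCenter root CA>'
$dest     = Join-Path $env:TEMP 'vcenter-roots'

Expand-Archive -Path $zip -DestinationPath $dest -Force

# Load every certificate file in the archive and show what it actually is.
$certs = Get-ChildItem -Path $dest -Recurse -File |
    Where-Object { $_.Extension -in '.crt', '.cer' } |
    ForEach-Object {
        $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $_.FullName
        [pscustomobject]@{
            File       = $_.FullName
            Subject    = $c.Subject
            Issuer     = $c.Issuer
            SelfSigned = ($c.Subject -eq $c.Issuer)
            NotAfter   = $c.NotAfter
            Thumbprint = $c.Thumbprint
        }
    }
$certs | Format-List

# Import only the certificate whose thumbprint matches the expected value.
$want  = ($expected -replace '[^0-9A-Fa-f]', '').ToUpper()
$match = $certs | Where-Object { $_.Thumbprint -eq $want }
if (-not $match) { throw 'No downloaded certificate matches the expected thumbprint; nothing was imported.' }

$match | ForEach-Object {
    Import-Certificate -FilePath $_.File -CertStoreLocation Cert:\LocalMachine\Root
}

# Confirm the certificate is now in the Trusted Root store.
Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $want }
```

Use Cert:\CurrentUser\Root instead of Cert:\LocalMachine\Root if the trust should apply to one user only.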
Related Articles, References, Credits, or External Links
Out of the box Cisco PIX/ASA devices should have a working ASDM. This config can get broken over time, and also there are a few things that can trip you up on your client machine.
Solution
Make sure the client machine you are using is not the problem
1. The ASDM runs using Java; make sure the machine has Java installed.
Note: If you are using Java version 7 Update 51 see the following article.
10, 8(8.1), 7, Server 2012 R2, Server 2012, 2008 Server, XP | Yes | Yes | No support | Yes | 8.0
Apple Macintosh OS X: 10.6, 10.5, 10.4 | No support | Yes | Yes | Yes (64 bit only) | 8.0
Ubuntu Linux 14.04, Debian Linux 7 | N/A | Yes | N/A | Yes | 8.0 (Oracle only)
Note: Support for Java 5.0 was removed in ASDM 6.4. Obtain Sun Java updates from java.sun.com.
Note: ASDM requires an SSL connection from the browser to the ASA. By default, Firefox does not support base encryption (DES) for SSL and therefore requires the ASA to have a strong encryption (3DES/AES) license. As a workaround, you can enable the security.ssl3.dhe_dss_des_sha setting in Firefox. See http://kb.mozillazine.org/About:config to learn how to change hidden configuration preferences.
3. Make sure you are NOT trying to access the ASDM through a proxy server, this is a common “gotcha”!
4. Can another machine access the ASDM?
5. If the ASDM opens but does not display correctly, then do the following, File > Clear ASDM Cache > File > Clear Internal Log Buffer > File > Refresh ASDM with the running Configuration on the Device.
Make sure the ASA is configured correctly, and your PC is “allowed” access
2. Log into the firewall, go to enable mode > Enter the enable password
[box]
Type help or '?' for a list of available commands.
PetesASA> enable
Password: ********
PetesASA#
[/box]
3. The ASDM is enabled with the command “http server enable”. To make sure that’s there, issue a “show run http” command.
[box]
PetesASA# show run http
http server enable
http 10.254.254.0 255.255.255.0 inside
http 123.123.123.123 255.255.255.255 outside
[/box]
Note: if the command is NOT there, you need to issue the following three commands:
[box]
PetesASA# configure terminal
PetesASA(config)# http server enable
PetesASA(config)# write mem
Building configuration...
Cryptochecksum: 9c4700fe 475d22c4 13442d06 b0317c69
9878 bytes copied in 1.550 secs (9878 bytes/sec)
[OK]
PetesASA(config)#
[/box]
Note: If you see a number after the command e.g. “http server enable 2456” then you need to access the ASDM on that port, like so {IP address/Name of ASA}:2456 (This is common if you’re port forwarding https but you still want to access the ASDM externally).
4. Assuming that the ASDM has been enabled, the IP address you are accessing from (or the subnet you are on) also needs to be allowed access. You will notice in step 3 above that when you issue the show run http command, it also shows you the addresses that are allowed access, if yours is NOT listed you can add it as follows:
6. The ASA needs to be told what file to use for the ASDM. To make sure it’s been told, issue the following command. (If there is NOT one specified then skip forward to step 7 to see if there is an ASDM image on the firewall.)
[box]
PetesASA# show run asdm
asdm image disk0:/asdm-739.bin
Note: on a Cisco PIX the results will look like..
PetesPIX# show run asdm
asdm image flash:/asdm-501.bin
[/box]
7. Write down the file that it has been told to use (in the example above, asdm-739.bin). Then make sure that file is actually in the firewall’s memory with a “show flash” command.
Note: If the file you are looking for is NOT there then (providing you have a valid support agreement with Cisco) download an ASDM image and load it into the firewall; see here for instructions.
Note: If the file is in the flash memory but was not referenced in step 6 then you can add the reference with the following command (obviously change the filename to match the one that’s listed in your flash memory).
[box]
PetesASA# configure terminal
PetesASA(config)# asdm image disk0:/asdm-631.bin
PetesASA(config)# write mem
Building configuration...
Cryptochecksum: 9c4700fe 475d22c4 13442d06 b0317c89
9878 bytes copied in 1.550 secs (9878 bytes/sec)
[OK]
PetesASA(config)#
[/box]
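The “show run http” output in step 3 is also the list of who may reach the ASDM, so it is worth reviewing when you paste it out of the firewall. This is an added example, not the original author's code. The function name, the choice of “outside” as the untrusted interface and the sample lines are assumptions, and 443 is used as the port when none is given.

```powershell
# Added example, not the original author's code.
function Test-AsaHttpAccess {
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        # Assumption: interface names that face untrusted networks on your ASA.
        [string[]]$UntrustedInterfaces = @('outside')
    )
    $ip = '\d{1,3}(?:\.\d{1,3}){3}'
    $result = [ordered]@{ ServerEnabled = $false; Port = 443; Rules = @(); Findings = @() }

    foreach ($line in $Lines) {
        $text = $line.Trim()
        if ($text -match '^http server enable(?:\s+(\d+))?$') {
            $result.ServerEnabled = $true
            if ($Matches[1]) { $result.Port = [int]$Matches[1] }
        }
        elseif ($text -match "^http\s+($ip)\s+($ip)\s+(\S+)$") {
            $rule = [pscustomobject]@{ Network = $Matches[1]; Mask = $Matches[2]; Interface = $Matches[3] }
            $result.Rules += $rule
            if ($rule.Mask -eq '0.0.0.0') {
                $result.Findings += "Any address may reach ASDM via '$($rule.Interface)'."
            }
            elseif ($rule.Interface -in $UntrustedInterfaces -and $rule.Mask -ne '255.255.255.255') {
                $result.Findings += "Whole network $($rule.Network) $($rule.Mask) allowed on '$($rule.Interface)'."
            }
        }
    }
    if (-not $result.ServerEnabled) { $result.Findings += "'http server enable' is missing; ASDM will not answer." }
    if (-not $result.Rules)         { $result.Findings += 'No http allow rules; no client can connect.' }
    [pscustomobject]$result
}

# Constructed sample: the page's output plus one deliberately broad rule.
$sample = @'
http server enable 2456
http 10.254.254.0 255.255.255.0 inside
http 123.123.123.123 255.255.255.255 outside
http 0.0.0.0 0.0.0.0 outside
'@ -split "`r?`n"

$report = Test-AsaHttpAccess -Lines $sample
$report | Format-List ServerEnabled, Port, Findings
$report.Rules | Format-Table
```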
Related Articles, References, Credits, or External Links
I needed to reboot one of my ESX hosts yesterday, so I jumped on the DRAC and got this?
An internet search turned up, “The best way to fix this is, firmware update the iDRAC”, which I did. But sadly it didn’t fix the problem.
Solution
In IE11 they have done a good job of hiding the compatibility settings: Options > Compatibility View Settings > Type in the IP/URL > Add > Close > Wait a few seconds.
And we are good to go!
Related Articles, References, Credits, or External Links
I was working on some Server 2012 R2 servers this morning, and every time I tried to launch IE, instead of the normal IE 11, it stubbornly kept opening the IE App.
Solution
Hit the Windows key > Type in ‘internet options’ > make the following changes;
Programs Tab > Opening Internet Explorer > Select ‘Always in Internet Explorer on the desktop’ > Apply > OK.
Related Articles, References, Credits, or External Links
Chrome is my browser of choice, so I don’t look at my website with IE often. (Yes I know that’s bad practice for a webmaster). So I was surprised when I opened my home page and saw this.
If you have a lot of them this is quite time consuming, but you can add the attribute of border and set it to zero within the IMG section of your hyperlink like so;
Option 2: Edit your CSS
This would be the preferred option, because you make one change and it will affect all your images. Simply add the following commands to your CSS.
Fixed!
Related Articles, References, Credits, or External Links
I put in a Remote Desktop Services Server this week, and every time the users launched their line of business app,
Open File - Security Warning
The publisher of this file can not be verified. Are you sure you want to run this software.
Name: {Application name}
Publisher: Unknown Publisher
Type: Application
From: {PathApplication name}
This file does not have a valid digital signature that verifies its publisher. You should only run
software from publishers you trust.
Solution
OK the program is not digitally signed, but this is going to annoy the client even more, I need to suppress this warning.
1. Open the local group policy editor on the machine in question. (Start > Run > gpedit.msc {enter}).
2. Navigate to;
[box]
Computer Configuration > Administrative Templates > Windows Components > Internet Explorer
[/box]
3. Locate the ‘Turn off the Security Settings Check feature’ > Set it to enabled.
Related Articles, References, Credits, or External Links
We have had IESC (or IE Enhanced Security) in previous iterations of Windows Server. It is not a bad thing; in most cases you will not want people browsing the internet from a server anyway. Though when you have just built a server, and you are trying to get software and patches onto it, it can be very annoying. With IESC enabled you will see this every time you visit a site;
Content from the website listed below is being blocked by the Internet Explorer Enhanced Security Configuration.
And this every time you try and download something;
You are attempting to download a file from a site that is not part of your Trusted Sites and that might be different from the website you are viewing.
Solution
1. From Server Manager (ServerManager.exe) > Local Server > IE Enhanced Security Configuration > Then you can change the IESC for both administrators and normal users.
Related Articles, References, Credits, or External Links