The Web Site for the CA Must be Configured to use HTTPS

KB ID 0000838 

Problem

When attempting to contact a server running the Certification Authority Web Enrolment role, you may see the following error.

In order to complete certificate enrolment, the Web site for the CA must be configured to use HTTPS authentication

Solution

The correct fix is to set the web server (IIS) to serve the certificate website securely using https, though you can just set Internet explorer to ‘work’ from your client machine if you are in a hurry.

Make Internet Explorer Accept Your Certification Authority

Note: This would need to be done on every machine that you wanted to access the Certificate Services web portal from.

1. From within Internet Explorer > Internet Options > Security > Trusted Sites > Sites.

 

2. Untick ‘Require server verification (https:) for all sites in this zone’ > Then add in the URL of the CA > Close.

3. With Trusted sites still selected > Custom level > ‘Initialize and script ActiveX controls not marked as safe for scripting’ > Enable > OK > Yes.

4. Restart the browser and try again.

Set IIS to serve Certificate Services Securely (via https).

This assumes you have your CA and the web portal installed correctly.

1. On the Certificate Services Server > Launch IIS Manager > Expand {server-name} > Sites > Default Web Site > Right Click > Edit Bindings > https > Edit > Select the self signed server certificate [NOT the CA ONE] > OK.

Note: If https is missing simply add it!

2. Expand Default Web Site > Certsrv > SSL Settings.

 

3. Tick ‘Require SSL’ > Apply.

4. That should be all you need, if it does not take effect straight away then drop to command line and run iisreset /noforce.

Related Articles, References, Credits, or External Links

NA

macOS: ASDM Developer Cannot Be Verified

KB ID 0001667

Problem

When trying to connect to a Firepower 1010 ASDM I was met with this;

“Cisco ASDM-IDM.app” cannot be opened because the developer cannot be verified.
macOS cannot verify that this ap is free from malware

Solution

If you’ve spent much time using macOS then this is quite common, Open System Preferences > Security and Privacy > General tab > You will see a warning about the Cisco ASDM-IDM > Click ‘Open Anyway‘.

If you are prompted again simply click ‘Open‘.

Related Articles, References, Credits, or External Links

NA

Windows Folder Redirection

KB ID 0000467 

Problem

Q: What is Folder Redirection?

A: Essentially you can take folders that hold things like your “My documents” or your “Favorites” folder, and put them out on a network server, which is great if you want to back that sort of information up for disaster recovery.

Q: What’s the difference between this and a roaming / roving profile?

A: Folder redirection keeps information on a server and you access it remotely, Roaming profiles are designed to sync that information (and your WHOLE user profile) backwards and forwards to a network share as your users logon and log off.

Q: What folders can be redirected?

A: From Server 2008 onwards, and with Windows 7 clients and above, the following can be redirected.

  • AppData(Roaming)
  • Desktop
  • Start Menu
  • Documents
  • Pictures
  • Music
  • Videos
  • Favorites
  • Contacts
  • Downloads
  • Links
  • Searches
  • Saved Games

Solution

1. On a server create a folder to hold the redirected data, In this case you will notice I’ve called my share Redir$ (The dollar sign just means it’s a hidden share, and can’t be seen if people are network browsing).

Folder Redirection: Permissions for the Root Folder

2. Set the share permissions to Everyone: Full Control (Don’t worry we will secure it with NTFS permissions).

3. On the security tab of the folder click advanced.

4. For Server 2012 / 2016 you should see something like this;

For Server 2008 and older it should look more like this;

5. For server 2012 / 2016 Disable Inheritance and select ‘Convert’.

For 2008 and older, untick “Include Inheritable permissions from this objects parent” > At the warning click “Add”.

6. Select each User in turn (You will need to add the Everyone group) > Then Edit the permissions so that they are as follows.

  • CREATOR OWNER – Full Control (Apply onto: Subfolders and Files Only).
  • System – Full Control (Apply onto: This Folder, Subfolders and Files).
  • Domain Admins – Full Control (Apply onto: This Folder, Subfolders and Files).
  • Everyone – Traverse Folder/Execute File (Apply onto: This Folder Only).
  • Everyone – List Folder/Read Data (Apply onto: This Folder Only).
  • Everyone – Read Attributes (Apply onto: This Folder Only).
  • Everyone – Create Folder/Append Data (Apply onto: This Folder Only).

2012 / 2016

‘Show Advanced Permissions’

2008 and older.

7. Now REMOVE BOTH the entries for USERS > Apply  > OK.

7. On your domain controller open the Group Policy Management Console, (Under Administrative Tools) and either create a new USER policy of edit one that already linked to the users you want to enforce this policy upon.

8. I prefer to create a new policy and call it something sensible so if there’s a problem it’s easy to find in the future.

9. Navigate to:

[box]User Configuration > Policies > Windows Settings > Folder Redirection[/box]

Locate the folder you want to redirect (In this case its just the documents folder) > Right click > Properties.

10. I’m going to redirect all my users documents to the one folder I created earlier, so I will choose basic.

Note: You can choose “Advanced” and redirect different groups folders to different locations.

Enter the path to the root folder AS A UNC PATH, DONT click the browse button and browse to it.

11. I’m going to accept the defaults on the settings tab, the option I’ve highlighted creates the folders with exclusive rights on the folders for the user in question and SYSTEM, so the domain admin had no access (this is OK, it’s the same way user profiles work, you can still back them up).

12. Now as your users log on their folders will be redirected to the share you setup.

Backing up Redirected Folders

13. Even with exclusive rights you can still back this data up:

Related Articles, References, Credits, or External Links

Original Article written 22/06/11

VMware View – Using Persona Management

KB ID 0000615 

Problem

Persona Management, is the VMware version of “Roaming Profiles” and “Redirected Folders” rolled into one. Though the redirected folders bit is a lot easier to set up and less problematic than the Microsoft Folder Redirection policy.

Its handy if you using floating pools but still want your users to have a persistent user interface. Having these files centrally makes them easier to backup, and the more your users can customise their desktops and settings the better their level of equipment husbandry.

Solution

Create a “Roaming Profile” Network share with the correct permissions

1. On a network accessible server, create a folder and set the SHARE permissions as follows;

Share Permissions

Everyone = Read. Domain Users = Full Control.

Note: You may also want to DISABLE Caching on this folder.

2. Stop inheritable permissions from propagating to the folders and set the security permissions as follows;

Security / NTFS Permissions

Creator Owner (Subfolders and Files Only) = Full Control. Domain Users (This folder Only) = List Folder/Read Data and Create Folders/Append Data. System (This Folder, Subfolders and files) = Full Control. Creator Owner (Subfolders and Files Only) = Full Control. Everyone = No Permissions.

Note: I’m using domain users, you might have a different security group that you want to substitute.

3. Make sure that the machines that you will be using as view targets, have the View Persona Management option selected (this is selected by default).

Configure Windows 7 to be a VMware View Desktop

4. You need to get the administrative template for Persona Management. You will find it on your VMware Connection Server in the following location;

[box] C:Program FilesVMwareVMware ViewServerextrasGroupPolicyFiles [/box]

Locate the ViewPM.adm file and copy it to a domain controller.

5. Create a new group policy that is linked to the OU containing your View machines.

6. Edit the policy > Expand Computer Configuration > Policies >Administrative Templates > Right Click > add/Remove Administrative Temple > Add in the ViewPM.adm template.

7. Navigate to;

[box] Computer Configuration > Polices > Administrative Templates > Classic Administrative Templates > VMware View Agent Configuration > Persona Management [/box]

8. In the roaming and Synchronisation Section > Manage user persona > Set to Enabled > Next Setting.

9. Enable > Enter the shared folder you created earlier > Next Setting.

10. Enabled (to remove local cached copies of the profile).

11. Enabled to roam the local folder > That’s all I’m going to configure in this branch of the policy.

Persona Management Folder Redirection

12. Navigate to;

[box] Computer Configuration > Polices > Administrative Templates > Classic Administrative Templates > VMware View Agent Configuration > Persona Management > Folder Redirection [/box]

Here you will find the folders that can be redirected to a central location.

13. For example, here I’m redirecting the users “My Documents” folder.

14. And their “My Pictures” folder.

15. Make sure you have a pool created, and your users are have an ‘entitlement’ to them. These machines will also HAVE TO be in the OU your policy is applying to.

Creating a ‘Manual Pool’ and Connecting a View Client

Deploying Linked Clone View Desktops

16. Now when your users connect to their View Desktops.

17. Their user profile will be persistent.

18. Because their settings are stored in your profile shared folder.

Note: Persona Management will store the profile in username.domainname format. The reason there is a V2 on the end of it, denotes the profile is for Windows 7 or Vista. If users swap between these OS’s and any older Windows OS’s, then they will get a separate profile for those as well. If this is the case rely on the folder redirection rather than the profile.

Related Articles, References, Credits, or External Links

NA

Sharing Files from Ubuntu to Windows

KB ID 0000412

Problem

If you have only a few files to share, you might want to consider using Dropbox, however if you want to share your files over the network then you need to install samba and configure it.

Solution

 

Related Articles, References, Credits, or External Links

Special Thanks to Morbuis1 Over at the Ubuntu Forms for the help.

Samba Install Error

 

Windows Server – Setup Home Folders and Profile Folders

KB ID 0000739 

Problem

A while back I got an email,

Message: Hallo Pete,

Can you make a tutorial for me for sharing a Home Folder or Profile Path folder for every user?
It’s hard to get one.

Thanks in advance.

Sincerely,
Matthew Wittenberg
</br

Well it’s taken me a while (sorry!) But here you go,

Solution

Creating and Allocating Home Folders to Users

1. Create a folder that is on a drive or volume with plenty of room.

2. I’ve simply used ‘Home’ as the folder name, open the folder’s properties.

3. Sharing Tab > Advanced Sharing.

4. Tick to share > put a dollar ‘$’ symbol onto the end of the share name (this just stops the folder being visible to someone browsing the network) > Permissions.

5. Grant Everyone ‘Full Control’, Don’t worry we will lock it down with NTFS permissions (Remember permissions are cumulative, and most restrictive apply) > Apply > OK.

6. Security tab > Advanced.

7. Change Permissions.

8. Untick ‘Include inheritable permissions……’ > Add.

9. Select CREATOR OWNER > Edit > Permissions should apply to ‘Subfolders and files only’ > Full control.

10. Select SYSTEM > Edit > Permissions should apply to ‘This Folder, subfolders and files only’ > Full control.

11. Select DOMAINNAMEAdministrators > Edit > Permissions should apply to ‘This Folder, subfolders and files only’ > Full control.

12. Remove the Users (the one with Read & Execute).

13. Remove the Users (the one with Special).

14. Add.

15. Everyone > check Name (make sure it underlines Everyone) > OK

16. Sett Apply to = This folder only > Allow the following.

Traverse Folder / execute file
List Folder / read data
Read attributes
Create Folders / append data

Allocate the Home Folder to the Domain Users

1. From within Active Directory Users and Computers locate your users, (you can press Windows Key+A to select them all).

2. Open their properties.

3. Profile tab > You can connect a drive letter (I usually use H:) and connect that to the users home drive. Set the path like so;

[box]

\\Server-name\Folder-name\%username%
e.g.
\\PNL-DC\Home$\%username%

[/box]

4. This is what the users will see.

5. On the server the folders are all created straight away.

Creating and Allocating Roaming Profile Folders to Users

The process for setting up the folder is identical to the one above for the home folders.

1. Create a folder that is on a drive or volume with plenty of room.

2. I’ve simply used ‘Profile’ as the folder name, open the folder’s properties > Sharing Tab > Advanced Sharing > Tick to share > put a dollar ‘$’ symbol onto the end of the share name (this just stops the folder being visible to someone browsing the network) > Permissions.

3.  Grant Everyone ‘Full Control’, Don’t worry we will lock it down with NTFS permissions (Remember permissions are cumulative, and most restrictive apply) > Apply > OK.

4. Security tab > Advanced.

5. Change Permissions > Untick ‘Include inheritable permissions..’ > Add.

6. Remove the Users (the one with Read & Execute).

7. Remove the Users (the one with Special).

8. Add.

9. Everyone > check Name (make sure it underlines Everyone) > OK.

10. Set Apply to = This folder only > Allow the following.

Traverse Folder / execute file
List Folder / read data
Read attributes
Create Folders / append data

Allocate the Roaming Profile Folder to the Domain Users

1. From within Active Directory Users and Computers locate your users, (you can press Windows Key+A to select them all).

2. Open their properties > Profile Tab > Tick ‘Profile path’ > Set the path as follows;

[box]

\\Server-name\Folder-name\%username%
e.g.
\\PNL-DC\Profiles$\%username%

[/box]

3. Unlike home folders, profile folders are only created when the users log onto the network, here you can see this profile has a V2 on the end of it (a version 2 profile means it has come from a Windows Vista or newer machine). For this reason if your users use Windows XP (or older) clients, AND Windows Vista (or newer) clients they will get TWO DIFFERENT profiles.

Related Articles, References, Credits, or External Links

NA

XCOPY – Insufficient Memory

KB ID 0000810 

Problem

If I’m migrating client data, I use Xcopy a lot, especially if I want to preserve the permissions. One of the questions I usually ask is “Do any of your users have file names that are very long, i.e. longer than 256 characters?” Because if you are moving a lot of data and it’s been running for a few hours, then suddenly fails saying ‘Insufficient Memory‘, then that’s probably what the problem is.

Solution

1. At the point of failure, you will have successfully moved some data, so you want a solution that just moves the remaining data, Robocopy will do that for you.

Note: For Server 2008, Server 2008 R2, Server 2012, and Windows Vista/7/8, you will already have Robocopy installed, for older clients you will need to install the 2003 Resource Kit.

[box]

Syntax

robocopy "source" "destination" "options"

robocopy S: D:Shared /MIR /SECFIX /SEC

Note:Robocopy by default will retry 1000000 times, and wait 30 seconds each time (if it has a problem). You might want to add /R:3 /W:1 as switches to stop that.

[/box]

/MIR – Mirror the two locations, this will copy the difference IN BOTH DIRECTIONS! (Simply use /E if you don’t want this).

/SECFIX – Checks the Permissions on ALL FILES as it goes through (to make sure)

/SEC – Copies the data with its security ACL’s intact.

Use Robocopy to copy only newer files/folders

Thankfully this is the default behaviour, simply run the same command again.

Related Articles, References, Credits, or External Links

NA

Certificate Import Error – ‘Exception from HRESULT: 0x80070005’

KB ID 0000818 

Problem

Seen on Windows Server 2012 when trying to complete a certificate request.

There was an error while trying to perform this operation
Details:
Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))

Solution

1. Open Windows Explorer and navigate to;

[box]
C:ProgramDataMicrosoftCryptoRSAMachineKeys
[/box]

Note: ProgramData is a hidden folder.

2. Open the folder properties > Security > Advanced > Permissions.

3. Make sure the Administrators group, has the following rights to ‘This folder, subfolders, and files’ > Full control.

4. Make sure the Everyone group, has the following rights to ‘This folder only’ > Select ‘Show advanced permissions’.

List folder/read data>
Read attributes
Read extended attributes
Create folders/append data
Write attributes
Write extended attributes
Read permissions</br

 

Related Articles, References, Credits, or External Links

NA

Add a URL to Clients “Trusted Sites” with Group Policy

KB ID 0000146 

Problem

You want to have a URL added to everyone’s “Trusted Sites” list, and to avoid visiting each machine you want to use Group Policy, Or users don’t have the rights to do this themselves and you want to add one for them, i.e. the URL of your corporate CRM System.

Solution

The Group Policy you need to edit is,

Computer Configuration > Policies (This level is on Server 2008 only) > Administrative Templates > Windows Components > Internet Explorer > Internet Control Panel > Security Page > Site to Zone Assignment List.

Click Enabled > Show

Click “Add” > Enter the URL in the “name of the item to be added” > Enter the number 2 in “Enter the value of the item to be added” > OK > OK > Apply > OK.

On your client reboot or run “gpupdate /force”

Related Articles, References, Credits, or External Links

NA

Internet Explorer “Only Secure Content is Displayed”

KB ID 0000502 

Problem

I was trying to do some online VMware training today, and this was really annoying me, every link I clicked up it came.

Popup:
Only secure content is displayed – What’s the risk? – Show all content

Eventually after clicking show all content (A LOT) I could take no more, and had to disable it.

Solution

Warning: There’s a sound reason for this, over https all traffic is encrypted with SSL/TLS and cannot be seen by someone analysing network traffic, if you are sending password or credit card data you might not want to do this.

1. Click Start and in the search/run box type inetcpl.cpl {enter}.

2. Select the Security tab > Internet > Custom Level.

3. Locate the “Display mixed content” section and enable it > OK.

4. Select Yes to confirm, and restart Internet Explorer.

 

Related Articles, References, Credits, or External Links

NA