Your vSphere Client Session Is No Longer Authenticated

KB ID 0001711

Problem

I updated my vCenter to 6.7.0.45100 yesterday, and since then every time I tried to log in to the HTML5 web client, it authenticated, let me in, showed me the error (below), then kicked me out again.

Solution

I assumed (wrongly) that the upgrade had overwritten the webclient.properties file that controls timeouts. This may be your problem; see the following article if my ‘fix’ does not work for you.

vSphere HTML5 Web Client – Disable the Console Timeout

In the end my fix was quick and simple: go to Add/Remove Programs, locate the vSphere Enhanced Authentication Plugin (in my case version 6.5.0), and uninstall it.

Related Articles, References, Credits, or External Links

NA

VMware Horizon Machines Stuck ‘Customizing’

KB ID 0001595

Problem

In all honesty there’s lots of reasons for this.

I’ll cover the ones that have tripped me up, if you find some new ones feel free to post them below.

Solutions

Before continuing, the image needs to have the Horizon Agent installed within it, and it has to be the SAME version that your Composer and Connection servers are running (or newer). Your Horizon servers also connect to VMware vCenter using an account (in a lot of cases that will be the domain administrator account, or an account you set up for this reason); make sure that account has global administrator properties in vSphere.

Also install the LATEST version of VMware Tools in your image. Note: That might be NEWER than the one that you have on your ESX servers; download it and install it manually. To do this, uninstall the old VMware Tools, then uninstall the Horizon Agent, then install the NEW VMware Tools, then finally reinstall the Horizon Agent. (Note: If using Horizon Composer, make sure you install the composer option!)

Horizon Inability to get a licence for your KMS Server.

Check this first;

[box]

slmgr /dli

[/box]

It goes without saying you need a network connection (to the right VLAN) before KMS will work. I’ve run through KMS setup and troubleshooting here.

Horizon Sysprep Problems

For sysprep, obviously you need to be deploying images with sysprep and NOT quick prep. If you are using sysprep, check the error log (if the error log is empty, then sysprep is not your problem).

Navigate to: C:\Windows\System32\Sysprep\Panther\setuperr.log

Sysprep Problem 1

Problem 0x0f0043 Failed DeleteInstance AntiSpywareProduct

[box]

Error      [0x0f0043] SYSPRP WinMain:The sysprep dialog box returned FALSE
Error                 SYSPRP Error 0x-2147417850: Failed to re-enable Compat-Gentel custom trigger.[gle=0x0000047e]
Error                 SYSPRP setupdigetclassdevs failed with error 0
Error                 SYSPRP MRTGeneralize:107 - ERROR: Failed DeleteInstance AntiSpywareProduct.instanceGuid="{D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}" hr=2147749904
Error                 SYSPRP MRTGeneralize:116 - ERROR: Failed DeleteInstance AntiVirusProduct.instanceGuid="{D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}" hr=2147749904
Error                 SYSPRP Error 0x-2147417850: Failed to re-enable Compat-Gentel custom trigger.[gle=0x0000047e]
Error                 SYSPRP setupdigetclassdevs failed with error 0
Error                 SYSPRP MRTGeneralize:107 - ERROR: Failed DeleteInstance AntiSpywareProduct.instanceGuid="{D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}" hr=2147749904
Error                 SYSPRP MRTGeneralize:116 - ERROR: Failed DeleteInstance AntiVirusProduct.instanceGuid="{D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}" hr=2147749904

[/box]

Seen on Windows Server 2016 and Windows 10: In your source image you need to remove Windows Defender, like so;

[box]

Uninstall-WindowsFeature Windows-Defender-Features

[/box]

Sysprep Problem 2

Problem 0x0f0073

[box]

Error      [0x0f0073] SYSPRP RunExternalDlls:Not running DLLs; either the machine is in an invalid state or we couldn't update the recorded state, dwRet = 0x1f
Error                 SYSPRP WinMain:Hit failure while processing sysprep re-specialize internal providers; hr = 0x8007001f
Error                 SYSPRP Error 0x-2147417850: Failed to re-enable Compat-Gentel custom trigger.[gle=0x0000047e]
Error                 SYSPRP setupdigetclassdevs failed with error 0

[/box]

This is happening because the machine you are using as your image has been sysprepped too many times. You need to make some changes on the reference image to reset/rearm it, so it can be sysprepped.

On your image machine run regedit and navigate to;

HKLM > SYSTEM > Setup > Status > SysprepStatus

Ensure the following;

  • CleanupState is set to 2
  • GeneralizationState is set to 7

Open an administrative command window and execute the following commands;

[box]

msdtc -uninstall
msdtc -install

[/box]

Back in registry editor navigate to

HKLM > SOFTWARE > Microsoft > Windows NT > CurrentVersion > SoftwareProtectionPlatform

Set SkipRearm to 1

Try again.
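The two sysprep checks above can be run in one pass. This is an added example, not part of the original article: it reads setuperr.log, maps the two error codes covered here to their fixes, and, when 0x0f0073 is present, reports the three registry values from Sysprep Problem 2. The function names are hypothetical, and the fallback log lines are copied from the excerpts quoted above.

```powershell
# Added example, not from the original article. Read-only: nothing is changed.
$log = 'C:\Windows\System32\Sysprep\Panther\setuperr.log'   # path given above

# Error code -> fix described in this article
$known = @{
    '0x0f0043' = 'Sysprep Problem 1: remove Windows Defender from the source image'
    '0x0f0073' = 'Sysprep Problem 2: reset the sysprep state on the reference image'
}

function Get-SysprepFinding {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # Only lines carrying a bracketed code, e.g. "Error [0x0f0043] SYSPRP ..."
        if ($line -match '\[(0x[0-9a-fA-F]+)\]\s+SYSPRP\s+(.*)$') {
            $code = $Matches[1]
            $fix  = if ($known.ContainsKey($code)) { $known[$code] } else { 'Not covered in this article' }
            [pscustomobject]@{ Code = $code; Fix = $fix; Message = $Matches[2] }
        }
    }
}

function Get-SysprepState {
    $status = 'HKLM:\SYSTEM\Setup\Status\SysprepStatus'
    $spp    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform'
    $wanted = @(
        @{ Path = $status; Name = 'CleanupState';        Value = 2 }
        @{ Path = $status; Name = 'GeneralizationState'; Value = 7 }
        @{ Path = $spp;    Name = 'SkipRearm';           Value = 1 }
    )
    foreach ($w in $wanted) {
        $actual = (Get-ItemProperty -Path $w.Path -Name $w.Name -ErrorAction SilentlyContinue).($w.Name)
        [pscustomobject]@{ Name = $w.Name; Wanted = $w.Value; Actual = $actual; Ok = ($actual -eq $w.Value) }
    }
}

# Falls back to two lines copied from the logs quoted above when no log exists.
$lines = if (Test-Path $log) { Get-Content $log } else { @(
    'Error      [0x0f0043] SYSPRP WinMain:The sysprep dialog box returned FALSE'
    'Error      [0x0f0073] SYSPRP RunExternalDlls:Not running DLLs; either the machine is in an invalid state or we couldn''t update the recorded state, dwRet = 0x1f'
) }
$findings = @(Get-SysprepFinding -Lines $lines)
$findings | Format-List
if ($findings.Code -contains '0x0f0073') { Get-SysprepState | Format-Table -AutoSize }
```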

Related Articles, References, Credits, or External Links

NA

VMware View Connection Server – Stop Session timeouts

KB ID 0000605

Problem

For security reasons, the VMware View Administrator will time out after a short period of inactivity, and you will see the following.

Server Error
Your session has timed out. Please log in again.
Click OK to be redirected to the login screen.

However if you work in the console a lot, this can get quite annoying.

Solution

From within the View Administrator console > View Configuration > Global settings > Edit > Tick “Enable automatic status updates” > OK > OK.

Note: Another advantage to doing this is, you don’t have to keep pressing refresh to update the interface.

Related Articles, References, Credits, or External Links

NA

Remote Desktop Web – Session Timeouts (Altering)

KB ID 0001215 

Problem

Timeouts for the RDWeb portal are defined by the choice you made when you logged in: selecting ‘private’ or ‘public’ on the PC options sets the timeout. The default is 240 mins for private, and 20 minutes for public connections.

Solution

To alter these values you need to make changes in the ‘Internet Information Services Management Console’ on the RDWeb server.

Navigate to {Server-name} > Sites > Default Web Site > RDWeb > Pages > Application Settings.

You need to alter;

PrivateModeSessionTimeoutIn… AND PublicModeSessionTimeoutIn…

Edit the values according to your requirements.

If you find that the changes don’t take effect immediately drop to command line and issue an ‘iisreset’ command.

Related Articles, References, Credits, or External Links

NA

Event ID 3033

KB ID 0000130 

Problem

You receive an Event ID 3033 error, with the following description,

‘The average of the most recent <?> heartbeat intervals used by clients is less than or equal to <?>. Make sure that your firewall configuration is set to work correctly with Exchange ActiveSync and direct push technology. Specifically, make sure that your firewall is configured so that requests to Exchange ActiveSync do not expire before they have the opportunity to be processed. For more information about how to configure firewall settings when using Exchange ActiveSync, see Microsoft Knowledge Base article 905013, “Enterprise Firewall Configuration for Exchange ActiveSync Direct Push Technology”’

Solution

If you have an ISA Firewall the fix is Here http://support.microsoft.com/?kbid=905013

However, that’s not much help if you have a Cisco ASA. If that’s the case, do the following,

If you have Active Sync already running through the outside Interface, skip to step 2

1. Allow the https Traffic in;

[box]

Newer than version 8.3 Commands

Petes-ASA# configure terminal
Petes-ASA(config)# object network OBJ-Exchange-Server
Petes-ASA(config-network-object)# host 192.168.1.1
Petes-ASA(config-network-object)# nat (inside,outside) static interface service tcp https https
Petes-ASA(config-network-object)# exit
Petes-ASA(config)# access-list inbound permit tcp any object OBJ-Exchange-Server eq https
Petes-ASA(config)# access-group inbound in interface outside

8.3 and Older Commands

Petes-ASA# configure terminal
Petes-ASA(config)# access-list inbound extended permit tcp any interface outside eq https
Petes-ASA(config)# access-group inbound in interface outside
Petes-ASA(config)# static (inside,outside) tcp interface https 192.168.1.1 https netmask 255.255.255.255

[/box]

Note: Above assumes 192.168.1.1 is the inside IP address of the Exchange Server.

If your mail server has a static public address you will not need to do port forwarding (like the example above). In that case you would have;

[box]

Newer than version 8.3 Commands

Petes-ASA# configure terminal
Petes-ASA(config)# access-list inbound permit tcp any host 192.168.1.1 eq https
Petes-ASA(config)# access-group inbound in interface outside
Petes-ASA(config)# object network OBJ-Exchange-Server
Petes-ASA(config-network-object)# host 192.168.1.1
Petes-ASA(config-network-object)# nat (inside,outside) static 123.123.123.123
Petes-ASA(config-network-object)# exit

8.3 and Older Commands

Petes-ASA# configure terminal
Petes-ASA(config)# access-list inbound extended permit tcp any host 123.123.123.123 eq https
Petes-ASA(config)# access-group inbound in interface outside

[/box]

Note: Above assumes the Exchange server’s public IP address is 123.123.123.123, and 192.168.1.1 is the private IP address.

2. Create a class map and bind it to an access-list.

Note: For versions older than 8.3 use the public IP address in the ACL.

[box]

Petes-ASA# configure terminal
Petes-ASA(config)# access-list ACL-HTTPS-INSPECT permit tcp any host 192.168.1.1 eq https
Petes-ASA(config)# class-map CM-HTTPS-INSPECT
Petes-ASA(config-cmap)# match access-list ACL-HTTPS-INSPECT
Petes-ASA(config-cmap)# exit

[/box]

3. Create a Policy Map and add the class map you created above and set your timeout, (here it’s set to 9 minutes).

[box]

Petes-ASA(config)# policy-map PM-HTTPS-TIMEOUT
Petes-ASA(config-pmap)# class CM-HTTPS-INSPECT
Petes-ASA(config-pmap-c)# set connection timeout tcp 0:09:00 reset
Petes-ASA(config-pmap-c)# exit
Petes-ASA(config-pmap)# exit

[/box]

4. Apply Policy map to the Interface using a Service-Policy command.

[box]

Petes-ASA(config)# service-policy PM-HTTPS-TIMEOUT interface outside

[/box]

Note: You can only have one Global Policy, but you can also have one policy applied to an interface.

Related Articles, References, Credits, or External Links

Original Article Written 10/11/09

Server 2012 R2 – Disable Lock Screen

KB ID 0000965 

Problem

Firstly, the lock screen is there for a valid security reason, so I would not advocate doing this on a production network. But on my test network when I’m jumping between multiple servers all the time, it’s annoying to have to press CTRL+ALT+DELETE and tap the password in, each time I change console sessions.

Solution

In older versions of Windows you could simply go to the following registry key;

[box]HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\7516b95f-f776-4464-8c53-06167f40cc99\8EC4B3A5-6868-48c2-BE75-4F3044BE88A7[/box]

And change the value of the ‘Attributes’ value. But that does not work on Server 2012 R2.

Disable Lock Screen on a Single 2012 R2 Server

1. Windows Key+X > Control Panel > Power Options (switch to small icons if you can’t see it) > Edit your Power Plan > Turn off the display.

2. Change the value to ‘Never’ > Save Changes.

Disable Server 2012 Lock Screen via Group Policy

1. The policy is located at;

[box]Computer Configuration > Policies > Administrative Templates > Control Panel > Personalization > Do not display the lock screen.[/box]

2. Edit and enable the policy.

3. Close the Policy editor, then either reboot the clients, wait a couple of hours, or manually run “gpupdate /force” on them.

Related Articles, References, Credits, or External Links

NA

Exchange 2019, 2016, 2013 – Allowing a Host/IP to Relay Mail

KB ID 0000891 

Problem

There are a few more hoops to jump through to allow a host to relay through Exchange 2013. For earlier versions of Exchange see the links below.

Allow Relay from an IP With Office 365 (Exchange Online)

Allow Relay from an IP with Exchange 2010

Allow Relay from an IP with Exchange 2007

Allow Relay from an IP with Exchange 2003

Allow Relay from an IP with Exchange 2000

Solution

How to create a ‘Relay’ Receive Connector

1. Connect to the Exchange admin center > Mail flow > receive connectors > Add.

2. Give the connector a name (take note of it, you will need it in a minute) > Select ‘Frontend Transport’ > Custom > Next.

3. Accept the default of TCP Port 25 (SMTP) > Next.

4. REMOVE the 0.0.0.0-255.255.255.255 range. (WARNING: If you do not do this you will become an open relay).

5. Add in the IP address of the host (from which you want to allow relaying) > Save.

6. Open the properties of the connector you just created > Security > Under Authentication select ‘Externally Secured (for example with IPSEC)’ > Under Permission groups, select ‘Exchange servers’ and ‘Anonymous users’ > Save.

7. At this point, you may find that when you test from the host you get the following error;

421 4.4.1 Connection timed out

I would suggest you change some parameters of the receive connector. Execute the following PowerShell command;

[box]

# Replace Relay-Connector-Name with the name you gave the connector in step 2
Get-ReceiveConnector -Identity "Relay-Connector-Name" | Set-ReceiveConnector -TarpitInterval 00:00:00 -ConnectionTimeout 00:30:00 -ConnectionInactivityTimeout 00:20:00 -MaxAcknowledgementDelay 00:00:00 -MaxInboundConnection 10000 -MaxInboundConnectionPercentagePerSource 100 -MaxInboundConnectionPerSource unlimited

[/box]

8. Restart the Microsoft Exchange Transport Service on the Exchange server.

[box]Restart-Service MSExchangeTransport[/box]

Exchange 2013 – Test Email Relaying from your ‘Allowed IP’

1. Go to the machine you have allowed relaying from, and attempt to ‘relay’ mail. In the example below I’m attempting to send an email to test@relay.com. In the first example we cannot relay, so something has been misconfigured.

2. However this time we CAN relay so our connector is configured properly.
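To confirm that step 4 was not missed on any connector, the receive connectors can be audited from the Exchange Management Shell. This is an added example, not part of the original article: it flags any connector that is ‘Externally Secured’ while still accepting the full 0.0.0.0-255.255.255.255 range. The function name and sample connector names are hypothetical, and the IPv6 full-range string is an assumption about how the default range is displayed.

```powershell
# Added example, not from the original article. Read-only audit.
# Full-range entries: IPv4 value is from step 4; IPv6 value is an assumption.
$fullRanges = '0.0.0.0-255.255.255.255', '::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff'

function Get-RelayExposure {
    param([object[]]$Connector)
    foreach ($c in $Connector) {
        $ranges  = @($c.RemoteIPRanges | ForEach-Object { "$_" })
        $open    = @($ranges | Where-Object { $fullRanges -contains $_ })
        # 'Externally Secured' in the admin center is ExternalAuthoritative here
        $extAuth = "$($c.AuthMechanism)" -match 'ExternalAuthoritative'
        [pscustomobject]@{
            Connector         = "$($c.Identity)"
            ExternallySecured = $extAuth
            PermissionGroups  = "$($c.PermissionGroups)"
            FullRangePresent  = ($open.Count -gt 0)
            OpenRelayRisk     = ($extAuth -and $open.Count -gt 0)
            AllowedSources    = $ranges -join ', '
        }
    }
}

if (Get-Command Get-ReceiveConnector -ErrorAction SilentlyContinue) {
    $connectors = Get-ReceiveConnector
} else {
    # Constructed sample objects so the logic can be tried outside Exchange
    $connectors = @(
        [pscustomobject]@{ Identity = 'EX01\Relay-Scoped'
            AuthMechanism    = 'Tls, ExternalAuthoritative'
            PermissionGroups = 'AnonymousUsers, ExchangeServers'
            RemoteIPRanges   = @('192.168.1.50') }
        [pscustomobject]@{ Identity = 'EX01\Relay-Step4-Missed'
            AuthMechanism    = 'Tls, ExternalAuthoritative'
            PermissionGroups = 'AnonymousUsers, ExchangeServers'
            RemoteIPRanges   = @('0.0.0.0-255.255.255.255', '192.168.1.50') }
    )
}

Get-RelayExposure -Connector $connectors | Format-Table -AutoSize
```

Any row with OpenRelayRisk set to True needs its full-range entry removed, as in step 4.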

 

Related Articles, References, Credits, or External Links

NA