I needed to change the certificate used by an ADFS server today. I’d used a temporary self-signed wildcard cert to get me up and running, and now I needed to replace it with a new publicly signed one.
I found a number of ways of doing this INCORRECTLY, so hopefully I will save you from making the same mistakes!
Solution
Firstly you need to import your certificate, here from a PFX file. (If you need a PFX file, import the certificate by double clicking it, then export it, include the private key, and set a password on it.) I’ve covered this in lots of other articles, so just use the search bar above if you get stuck.
Make sure your certificate has a small key over its icon, or says ‘You have a private key that corresponds to this certificate’. If yours does not, then import it on the server/PC you created the CSR (Certificate Signing Request) on, export it to PFX, then import it using the command above on your ADFS server.
On your certificate > All Tasks > Manage Private Keys.
Add > Object Types > Select Service Accounts > Locate and select your ADFS service account. Grant full control.
Launch the AD FS management console > Service > Certificates > Set Service Communication Certificate.
Select the correct (new) certificate > OK.
On the properties of your new certificate, locate the thumbprint (not the serial number!). Copy it to the clipboard, then execute the following command;
[box]
Set-AdfsSslCertificate -Thumbprint {Paste in the thumbprint - minus the spaces!}
[/box]
Note: BEWARE: If you press tab to complete the above command, make sure you DON’T use Set-AdfsCertificate; it’s Set-AdfsSslCertificate. (PowerShell will accept the wrong command without error, and the change simply won’t work at the end.)
Changing ADFS Certificates: Things That Might Go Wrong
Error;
The ServiceCommunications primary certificate cannot be used because the KeySpec must have a value of AT_KEYEXCHANGE (1).
This value can be changed by reimporting the certificate from a pfx file. From an elevated command prompt, use the command “certutil -importpfx filename.pfx AT_KEYEXCHANGE”. For more information, see http://go.microsoft.com/fwlink/?LinkId=798501
You will also see an Event ID 550
Solution: Import the certificate using the ‘certutil -importpfx certificate-name.pfx AT_KEYEXCHANGE‘ syntax.
Error
Solution: Disable certificate rollover with the ‘Set-ADFSProperties -AutoCertificateRollover $false‘ syntax. (Note: Don’t forget to enable it again afterwards!)
Related Articles, References, Credits, or External Links
Back in part one we setup SQL and our Composer server, now we will deploy our VMware Horizon View Connection Server(s).
Install VMware Horizon View Connection Server
On a domain joined Windows server, download and launch the Connection Server installer.
Accept the EULA > Next > Accept or change the install location > Next > Select Horizon ‘Standard’ Server > Next > Set a data recovery password > Next.
Select configure the Windows Firewall > Next > Type in a domain account (I typically use the domain administrator, you may wish to use another account) > Next > Untick the UEIP > Next > Next > Finish.
Deploying Additional Horizon Connection Servers
Repeat the install on any additional connection servers BUT this time choose Horizon Replica Server, and specify your first connection server as the ‘Source Server’.
Note: I don’t deploy Horizon Security Servers any more, it’s much easier to deploy a UAG.
To access the Horizon Administrator console you will need Flash, this is not normally enabled on Windows Server. To enable it follow this article.
You can now login to Horizon Administrator.
Configuring VMware Horizon Connection Server(s)
First you need to enter your Horizon Licence > View Configuration > Product Licensing and Usage > Edit Licence > Paste yours in > OK.
View Configuration > Servers > vCenter Servers > Add > Type in your vCenter details > Next.
If using Horizon Composer, enter the server details > Next.
Add in your domain details > OK > Next.
Accept the defaults > Next.
Finish.
Horizon Connection Server Certificates
Over on the main dashboard at this point you may see some certificate errors. You can either import certificates from your own CA, or (as I’m going to do here) use a wildcard certificate issued by a public CA.
I have my wildcard certificate in PFX format, so I can simply double click it and import it like so. (Note: Remember to import it to the Local Machine store.)
Finish the import wizard.
On the connection server settings you will need to change the URLs to match your certificate. (Note: You will disable this later, if you are also deploying UAG appliances).
Now to swap to the newly imported certificate > Start > mmc.exe > Add/Remove Snap-In > Certificates > Add.
Computer account > Local computer > OK.
Navigate to Certificates > Personal > Certificates > Locate the certificate that has the friendly name vdm and change its friendly name to vdm-backup.
Now locate your publicly signed certificate and change its friendly name to vdm.
Restart the VMware Horizon View Connection Server service to make the swap.
Configure Horizon Event Database
Back in part one we created the database for this, now we just need to enter the details.
View Configuration > Event Configuration > Edit > Enter your SQL Event Database details, as shown below; if you have a named SQL instance it will be on a different port number.
That is your infrastructure setup. Now you simply need to create an image, and deploy that image with a pool, and grant a user entitlement to that pool. Creating an Image is quite a lengthy process, and there is always a much better and up to date guide on doing that on VMWare’s website, so I’m not going to cover it here.
Just remember to make sure you put your image in Audit mode, and always install an agent that is the same version as the connection server, and get the latest version of VMWare Tools on there as well!
I deployed Horizon v7 a while ago for a client, they messaged me to say their wildcard cert was about to expire, could I replace it in the Horizon infrastructure.
On logging in, sure enough;
Connection Server Details
Status: The service has a minor issue
SSL Certificate: About to expire {Date} {Time}
This is why I like VMware, it’s picked up the problem, and pointed me in the right direction, (the connection servers).
Solution
Firstly you will notice I’ve got two connection servers, DO ONE AT A TIME, then if something breaks, you can still get into the manager! If you only have one connection server, I’d suggest taking a snapshot of it first!
Import your new certificate onto the connection server. Make sure you select local computer when you import it. Then you will notice that your ‘old’ one has a friendly name of ‘vdm‘. Rename vdm to OLD-vdm, then rename the new one to vdm.
Finally, either restart the VMware Horizon View Connection Server service, or reboot the server.
After a colleague deployed Citrix for a customer the other day, they complained that they had a mac user that was getting certificate errors. They had a publicly signed wildcard certificate, but this user was still having problems.
After I heard a few “tell him to stop using a mac” comments, I said, “I’m using a MacBook here, would you like me to test it?” The URL opened fine in Safari and the certificate looked good (all green). I was prompted to install the Citrix Receiver and was presented with a session to open; when I did so, I got this;
You have chosen not to trust {Certificate-Name} the issuer of the servers security certificate.
Solution
Head over to https://www.sslchecker.com and put your Citrix URL in and check it, I found this. So I downloaded the two certificates it said I was missing.
Note: For someone who works with certificates, this makes no sense, (as I got to the portal without an error). I had to trust the root CA, and its intermediate CA, (what’s being called a Chain Cert below). But I thought I’d play along to see what happened.
‘Double Click’ each downloaded certificate, then choose ‘Add’, (repeat for each certificate in the chain).
Close any open Citrix Receiver sessions, restart your browser, and try again.
In Part-One we covered Exchange Pre-Install Tasks, in Part-Two we installed Exchange 2016, but it still won’t be working properly, so we need to carry out a few Post-Install Tasks.
Solution
Install Exchange 2016 Product Key
Log into Exchange Admin Center > Servers > Servers > Select the Server > Enter Product Key.
Manually enter your product key > Save.
Heed the warning > OK.
Open an administrative PowerShell window, and run the following command;
[box]Restart-Service MSexchangeIS[/box]
Now if you hit the refresh button it should say the product is licensed.
Exchange 2016 Install Certificate
As you can see (below) Exchange 2016, (like its predecessors) creates and installs a locally signed certificate. These days I just recommend that clients use wildcard certificates, they are much less hassle even if they are a bit more expensive.
To create the request > Servers > Certificates > Select the server > Add.
Create a request > Next > Give the request a sensible name > Next.
Don’t forget the asterisk i.e “*.publicly-addressable-domain.com” > Next > Add in the server > Next.
You need a “share” to save the certificate request in > Finish.
The request will be stored in PEM format; this is the information you will need to send to your certificate provider to obtain your wildcard certificate. Use the link below to get the correct certificate.
Once you have received your certificate back from your certificate vendor, then locate your request and ‘Complete’ it.
Browse to the certificate you have saved > OK.
Exchange 2016 Assigning Services to a Certificate
Now we have the certificate we need to enable it, select the new cert > Edit.
Select SMTP and IIS > Save > Yes.
Note: POP and IMAP will be disabled and don’t like using wildcard certificates!
Now navigate to https://{server-FQDN}/ecp and log back into Exchange Admin Center, to check it’s using the correct certificate.
Remember you need to use the FQDN, NOT the server name, or you will get certificate errors!
Exchange 2016 Create a Send Connector
Before you can send mail externally, you need to create a send-connector. Mail flow > Send Connectors > Add.
Give it a sensible name, select ‘Internet’ > Next > Unless you have a mail filtering appliance/server then you will want to use DNS/MX records to route mail > Next.
Add > Simply add an asterisk to the FQDN field (meaning all domains) > Save > Next.
Finish.
Beware: By default this connector has a 35Mb limit on it, for most people that will be fine, but you may need to change this.
Exchange 2016 Add An Accepted Domain
Freshly installed the Exchange server will only be serving email addresses for your internal domain, most people will need to add in their public domain name. See the following article;
Freshly installed your Exchange databases will be in the program install directory, I prefer to have the databases on their own volumes. See the following article;
Most people have a different domain name publicly to their internal domain name, if yours is the same then skip this section. The easiest way to address this is to use split DNS, see the following article;
Finally: Don’t forget to add your new Exchange servers into your backups! And install some AV. (Note: Some AV providers have very specific settings that might need disabling, I’m looking at you McAfee.) At the very least exclude the folders holding your data-stores, logs, and queue databases from AV scanning.
Remember, if you use the standard ‘Web Server’ template it does not allow you to export the private key of a certificate, so clone your template and allow the private key to be exported, then use that cloned template to create your wildcard cert.
Open the certificate on a Windows machine > Install Certificate.
Select ‘Local Machine’ > Next.
Manually put the certificate in the ‘Personal’ container > OK > Next.
Now open an MMC console (Start > Run > mmc {enter}) File > Add Remove Snap-in > Certificates > Select ‘Local Computer’ > Open Personal > Certificates > Locate your cert > All Tasks > Export.
Note: Make sure there is a small key icon over the cert, if not create a new one or follow this article.
Yes ‘Export the private key’, (if you don’t see this page, then you have done something wrong).
Export as PKCS 12 (PFX) > Next.
Set a password, (you will need this in a minute, so don’t forget it) > Next.
Save the exported cert with a pfx extension > Next.
OK
Now EXPORT THE CERT AGAIN, this time you DO NOT want to export the private key. This time you want to export it as Base 64 (CER) > Follow the wizard and save it in the same location as the PFX file you exported earlier.
So now you should have two exported certificates like this;
Log into the NetScaler > Configuration > Traffic Management > SSL > Import PKCS#12.
Set the Output Name file to have a .key extension and call it something sensible > Browse to your PFX file > Enter the import password > set a PEM Passphrase, (set it the same as the export password for simplicity) > OK.
Now navigate to Configuration > Traffic Management > SSL > Certificates > Add.
Again give it a sensible name that you can identify, like the FQDN; call it ‘certificate’ and you will have problems down the line when you have loads of certificates! For ‘Certificate File Name’ browse to the .CER file you exported earlier. For ‘Key File Name’ browse the appliance and select the .KEY file you created above. Type in the PEM password > Install.
You can now assign this certificate without error.
Now you may be thinking, “If you have your own CA/PKI solution why would you need to create a Wildcard Certificate?” If you can generate as many certificates as you want, what’s the point? Well, today I need to set up ADFS, WAG (Web Application Gateway), and Remote Desktop Services Gateway Server. Making the whole thing work on my test bench would be a lot less hassle if I could just use one certificate for everything!
Certificates > Personal > Right Click > All Tasks > Advanced Operations > Create Custom Request.
Proceed without enrolment policy > Next.
In nearly every case you can accept the default of ‘(No template) CNG Key’. However some applications (particularly Active Directory Federation Services) need to use an older set of Cryptographic Service Providers (CSPs). If that is the case change the option to ‘(No Template) Legacy Key’ > Next.
Details > Properties.
General Tab: Friendly Name > *.{your domain}.
Subject Tab: Ensure the Common Name (CN) is set to *.{your domain} > Enter the rest of your details as shown.
Extensions Tab: Add in Digital Signature and Key Encipherment.
Private Key: Key Size=4098 > Make private key exportable > Apply > OK.
Save the certificate request > Finish > Leave the Certificate console open, (you will need it later).
Locate the certificate request you just saved > Open it with Notepad > Select ALL the text and copy it to the clipboard.
Open the web enrolment portal of your certificate services server (https://server.domain.com/certsrv) > Request a certificate.
Advanced Certificate Request.
Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.
Paste in the Text > Certificate Template = Web Server > Submit.
Base 64 encoded > Download certificate.
Save the certificate, and change its name from certnew > Save.
Back in the certificate console > Right Click ‘Personal’ > All Tasks > Import.
Next.
Navigate to the certificate you have just saved.
Next.
Finish.
Hopefully.
Now this may seem a little odd, but having just imported the certificate, to get it in PFX format you need to export it again. Right click the cert > All Tasks > Export.
Next
Yes, export the private key > Next.
Personal Information Exchange > Next.
Enter and re-type a password (You will need this to import the certificate so remember it) > Next.
Save it somewhere you can find it > Next.
Finish > OK.
Exchange 2010 installs with its own (self-signed) certificate. To stay free of security errors and warnings, the best bet is to purchase a “publicly signed” digital certificate and use that.
The following process uses the Exchange Management Console to create a CSR (Certificate Signing Request), and then covers what to do with the certificate when it has been sent back to you.
For the first time in about ten years I had to deal with EIGRP last week, so I thought I would run it up in a lab. Normally I would use GNS3, but for this procedure I’ll use Cisco Packet Tracer.
In fact I’ll include the files so you can download and use the lab yourself, (if you have a copy of Packet Tracer). And I’ll also include the configs for all the routers.
In the lab I’ve got three sites connected via serial connections, and one of those sites has the Internet connection.
As you can see I’ve used VLSM to split up the 192.168.0.0/24 subnet to create the six networks I need, (three on the sites, and three for the links).
Solution
1. I will start at the beginning with Router R1 in site 1. As you can see I’m going to give the FastEthernet 0/0 interface to the inside network (192.168.0.1/28). I will use Serial 3/0 to connect to Site 2 (192.168.64.2/30), and Serial 2/0 to connect to Site 1 (192.168.68.1/30). I will mirror these three settings around the network (going clockwise) and I will configure all the Serial 2/0 interfaces to set the clock speed for the serial links.
number of 1, then I am adding all the networks that I want this router to advertise (don’t forget to add the subnet that connects each router to its neighbour). When enabled, EIGRP will send routing updates onto each of these networks. As you can see from the diagram, this would mean that the router would send routing information onto the LAN. While this won’t cause any problems, it does generate traffic that does not need to be on the LAN, so I’ve disabled that by using a passive-interface* command.
*Note: If you have a lot of interfaces you want to be passive, you can ‘swap the logic’ by using ‘passive-interface default’ and then setting all the interfaces you do want to advertise networks out of with ‘no passive-interface’.
I’ve also disabled auto-summary of networks. I’ve seen other pages and blogs that incorrectly say this makes the EIGRP routing protocol classless. EIGRP is classless out of the box! At a basic level, network summarisation is the process of advertising one route for many networks. This works best for contiguous networks (i.e. 192.168.1.x, 192.168.2.x, etc). But if you let EIGRP auto-summarise for you, then this happens,
Above you can see it has added three more routes to networks that (at the moment) don’t exist, which is fine, but then you can NOT use those subnets in the future. If you did, and this router saw that traffic, it would send it to Null0 (i.e. drop the traffic). With auto-summary disabled, the router’s routing table is a lot cleaner (see below).
The last thing you will notice is that the subnet masks look a little strange: you need to use wildcard masks. These are easy to work out, just subtract each octet of the subnet mask from 255, like so;
[box]
R1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R1(config)#router eigrp 1
R1(config-router)#passive-interface FastEthernet0/0
R1(config-router)#network 192.168.0.0 0.0.0.15
R1(config-router)#network 192.168.64.0 0.0.0.3
R1(config-router)#network 192.168.68.0 0.0.0.3
R1(config-router)#no auto-summary
R1(config-router)#end
R1#
[/box]
5. Repeat the process for routers R2 and R3.
[box]
Router 2
R2#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R2(config)#router eigrp 1
R2(config-router)#passive-interface FastEthernet0/0
R2(config-router)#network 192.168.16.0 0.0.0.15
R2(config-router)#network 192.168.64.0 0.0.0.3
R2(config-router)#network 192.168.72.0 0.0.0.3
R2(config-router)#no auto-summary
R2(config-router)#end
R2#
Router 3
R3#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#router eigrp 1
R3(config-router)#passive-interface FastEthernet0/0
R3(config-router)#network 192.168.32.0 0.0.0.15
R3(config-router)#network 192.168.72.0 0.0.0.3
R3(config-router)#network 192.168.68.0 0.0.0.3
R3(config-router)#no auto-summary
R3(config-router)#end
R3#
[/box]
6. EIGRP Adding a Route to the Internet
To add in the network’s ‘route out’, I need to bring up and configure another interface on router R3 (FastEthernet4/0). Then I will configure that as the default route (GOLR, the gateway of last resort) for that router, and add that new network into the advertised routes.
To get all the other routers to use the static route I’ve just configured on this router, I use the ‘redistribute static’ command (while in config-router mode).
[box]
R3#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
R3(config)#interface FastEthernet4/0
R3(config-if)#ip address 123.123.123.1 255.255.255.252
R3(config-if)#no shutdown
R3(config-if)#ip route 0.0.0.0 0.0.0.0 123.123.123.2
R3(config)#router eigrp 1
R3(config-router)#network 123.123.123.0 0.0.0.3
R3(config-router)#redistribute static
R3(config-router)#end
R3#
[/box]
7. Then I will add the ISP (Internet Router). I will also add this to the EIGRP AS (though I could just use static routing).
Note: In the lab I don’t have a link to the Internet so I’ll simply use the Loopback interface on the Internet router and give that the 4.2.2.2 IP address.
As a final ‘belt and braces’ approach, I will add a summary route back to the LAN. If you are unsure how to calculate a summary route, simply write your subnets out in binary, and the mask length will be the number of leading bits that all the subnets have in common, like so;
Summarisation for these networks will be 192.168.0.0/17 (255.255.128.0)
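The two bits of arithmetic in this lab, turning a subnet mask into an EIGRP wildcard mask and finding the summary route for the six VLSM subnets, as an added example that is not part of the original article. It assumes nothing beyond the Python standard library; the subnet list is constructed from the lab diagram above, and the function names are mine.

```python
import ipaddress

# Constructed sample: the six VLSM subnets carved out of 192.168.0.0/24 in the lab above
LAB_NETWORKS = [
    "192.168.0.0/28",   # Site 1 LAN (R1 FastEthernet0/0)
    "192.168.16.0/28",  # Site 2 LAN (R2 FastEthernet0/0)
    "192.168.32.0/28",  # Site 3 LAN (R3 FastEthernet0/0)
    "192.168.64.0/30",  # R1 <-> R2 serial link
    "192.168.68.0/30",  # R1 <-> R3 serial link
    "192.168.72.0/30",  # R2 <-> R3 serial link
]


def wildcard_mask(subnet_mask: str) -> str:
    """EIGRP wildcard mask: each octet is 255 minus the subnet-mask octet."""
    octets = [int(o) for o in subnet_mask.split(".")]
    if len(octets) != 4 or any(o < 0 or o > 255 for o in octets):
        raise ValueError(f"not a dotted-quad mask: {subnet_mask}")
    return ".".join(str(255 - o) for o in octets)


def network_statement(cidr: str) -> str:
    """Build the 'network <address> <wildcard>' line for one CIDR subnet."""
    net = ipaddress.ip_network(cidr, strict=True)
    return f"network {net.network_address} {wildcard_mask(str(net.netmask))}"


def summary_route(cidrs: list[str]) -> str:
    """Smallest single prefix covering every subnet in the list.

    Walks the addresses bit by bit from the left (as the binary method in the text
    does) and stops at the first bit where the subnets disagree; the prefix can
    never be longer than the shortest mask in the list.
    """
    nets = [ipaddress.ip_network(c, strict=True) for c in cidrs]
    addrs = [int(n.network_address) for n in nets]
    shortest = min(n.prefixlen for n in nets)
    common = 0
    for bit in range(shortest):
        shift = 31 - bit
        if len({(a >> shift) & 1 for a in addrs}) != 1:
            break
        common += 1
    # Zero everything past the common prefix (common == 0 gives 0.0.0.0/0)
    base = addrs[0] & ((0xFFFFFFFF << (32 - common)) & 0xFFFFFFFF)
    return str(ipaddress.ip_network((base, common)))


def summary_netmask(cidrs: list[str]) -> str:
    """Dotted-quad mask of the summary, for an 'ip summary-address' line."""
    return str(ipaddress.ip_network(summary_route(cidrs)).netmask)


if __name__ == "__main__":
    for cidr in LAB_NETWORKS:
        print(network_statement(cidr))
    print("summary:", summary_route(LAB_NETWORKS), summary_netmask(LAB_NETWORKS))
```
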