Category Archives: Windows

Get Secretserver secret

Since we are using SecretServer as our credential store it is of great help to be able to get credentials directly from PowerShell. This is a small function that connects to the SecretServer web services and retrieves a secret based on its secret ID. The function connects to the web service as the signed-in user, or with a supplied credential, or lastly with a predefined stored credential. To use stored credentials I'm using functions from https://github.com/cunninghamp/PowerShell-Stored-Credentials .

Usually you would use the PSCredential object directly. If you need the password as text, call GetNetworkCredential() on the returned object and read its Password property.


$cred=get-secretid -secretID 2007
$password_As_text=$cred.GetNetworkCredential().Password

Or if you need the password in clear text, displayed on screen, you can ask for that with the -Cleartext switch.

The function is made for my usage, so there is definitely room for improvement.


function Get-SecretID
{
    [CmdletBinding()]
    param(
        [parameter(Mandatory=$true, ValueFromPipeline=$true)]
        [int] $secretID,
        [pscredential] $sscred,
        [switch] $Cleartext
    )

    begin {
        # Windows-authentication web service endpoint of the SecretServer instance.
        $where = 'https://secretserverdnsname/secretserver/winauthwebservices/sswinauthwebservice.asmx'

        # Connect, in order of preference: (1) the supplied credential, (2) the signed-in
        # user, (3) a credential stored with Get-StoredCredential for the user in $ssuser.
        if ($sscred -ne $null) {
            $ws = New-WebServiceProxy -Uri $where -Credential $sscred
        } else {
            $ws = New-WebServiceProxy -Uri $where -UseDefaultCredential -ErrorAction SilentlyContinue
            if ($ws -eq $null) {
                if (!(Test-Path Variable:\ssuser)) {
                    throw "No secretserver user specified or variable 'ssuser' defined.`nThis is to be used by 'Get-StoredCredential'"
                }
                $credacc = Get-StoredCredential -UserName $ssuser
                $ws = New-WebServiceProxy -Uri $where -Credential $credacc -ErrorAction SilentlyContinue
            }
        }
        # Fail loudly here instead of letting the GetSecret call below blow up on a null proxy.
        if ($ws -eq $null) { throw "Unable to connect to SecretServer at $where" }
    }

    # A process block is needed so every ID coming in from the pipeline is handled,
    # not only the last one.
    process {
        $wsResult = $ws.GetSecret($secretID, $false, $null)
        if ($wsResult.Errors -ne $null) {
            throw "SecretServer returned an error for secret ${secretID}: $($wsResult.Errors -join '; ')"
        }

        # Field order assumes the standard Windows account template:
        # Items[0] = Domain, Items[1] = Username, Items[2] = Password.
        $domain   = $wsResult.Secret.Items[0].Value.ToString()
        $u        = $wsResult.Secret.Items[1].Value.ToString()
        $plainPwd = $wsResult.Secret.Items[2].Value.ToString()

        if ($Cleartext) {
            # Only when explicitly requested: return the password as plain text.
            return New-Object PSObject -Property @{
                Username = $u
                Password = $plainPwd
                Domain   = $domain
            }
        }

        # Default: hand back a PSCredential so the password stays a SecureString.
        $ep = ConvertTo-SecureString $plainPwd -AsPlainText -Force
        return New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $u, $ep
    }
}

Make sure you have the correct CSP for your CA

Got some weird errors on our new Skype for Business server install. After a straightforward install, users were unable to log in from external networks and there were some issues with conferences. The Skype services seemed to start but ended up running with unknown details when running get-windowsservices. We also had one error in the event viewer on the front end server.

The most important clue was: CA_Failure: InternalError. This pointed towards a certificate error. What could be wrong with the CA server (a Windows Server 2016 Enterprise Root CA)?

This was the first time I had seen an ECDSA CSP used. Next was to verify the Skype for Business requirements: https://docs.microsoft.com/en-us/skypeforbusiness/plan-your-deployment/requirements-for-your-environment/environmental-requirement

  • Encryption key lengths of 1024, 2048, and 4096 are supported. Key lengths of 2048 and greater are recommended.
  • The default digest, or hash signing, algorithm is RSA. The ECDH_P256, ECDH_P384, and ECDH_P521 algorithms are also supported.

Once again, check the CA configuration:

This CA was installed with the ECDSA_P256 CSP. We did not have the option to reinstall or migrate the CA to a supported configuration, so our workaround was to install a new standalone CA using the RSA256 CSP and use this CA to issue the internal Edge server certificate and the front end certificate. (We published the new CA's public key to clients using GPO.)

After we assigned the new certificates and rebooted, it all seems to work OK. The new certs are now RSA256.
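Before assigning a certificate to a Skype for Business role it is worth checking which key and signature algorithm it actually carries, since an ECDSA-issued certificate looks perfectly healthy in the MMC snap-in. The following is an added example, not code from the original post: it lists every certificate in a store with its public-key and signature algorithm and flags the ones that are not RSA. It assumes the certificates live in the local machine personal store (the StorePath parameter is an assumption) and that it runs in an elevated PowerShell session on the front end or Edge server.

```powershell
# Added example (not from the original post): report key and signature algorithms
# for the certificates in a store so ECDSA-issued ones stand out.
function Get-CertificateAlgorithmReport {
    param(
        # Assumption: the S4B certificates are in the machine personal store.
        [string] $StorePath = 'Cert:\LocalMachine\My'
    )
    Get-ChildItem -Path $StorePath | ForEach-Object {
        $cert   = $_
        $keyAlg = $cert.PublicKey.Oid.FriendlyName            # "RSA" or "ECC"
        $sigAlg = $cert.SignatureAlgorithm.FriendlyName       # e.g. "sha256RSA" or "sha256ECDSA"
        # .PublicKey.Key only supports RSA/DSA and throws for ECC keys, hence the guard.
        $keySize = $(try { $cert.PublicKey.Key.KeySize } catch { $null })
        [pscustomobject]@{
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            KeyAlgorithm = $keyAlg
            KeySize      = $keySize
            SigAlgorithm = $sigAlg
            NotAfter     = $cert.NotAfter
            Thumbprint   = $cert.Thumbprint
            # RSA key and RSA signature, which is what the requirements above call for.
            RsaOnly      = ($keyAlg -eq 'RSA') -and ($sigAlg -like '*RSA')
        }
    }
}

# Show the questionable certificates first.
Get-CertificateAlgorithmReport | Sort-Object RsaOnly | Format-Table -AutoSize
```

Run it on each server before and after reissuing the certificates; every certificate used by a Skype for Business role should report RsaOnly as True. On the CA itself, certutil -getreg ca\csp shows the provider the CA was installed with.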

No connectivity with any of Web Conferencing Servers.





This event started to appear every 20 seconds or so. The Skype for Business servers had recently been patched, and the patch list included updates to the .NET Framework. Among them is a security update that resolves a security feature bypass: https://support.microsoft.com/en-us/help/4014510/description-of-the-security-and-quality-rollup-for-the-net-framework-4 . To solve this, all I had to do was add the required registry value (HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\v4.0.30319, DWORD RequireCertificateEKUs=0) and restart the "Skype for Business Server Web Conferencing" service. The fix can be applied to Lync Server 2013 as well.
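Applied by hand in regedit the value is easy to mistype (a string instead of a DWORD, or the wrong hive). The script below is an added example, not code from the original post: it sets the RequireCertificateEKUs value from the post idempotently, shows the value before and after, and restarts the service by display name so it does not depend on the internal service name. It assumes an elevated PowerShell session on the front end server. Note that this value restores the pre-rollup behaviour, so keep track of it and remove it once the certificates carry the EKUs the rollup checks for.

```powershell
# Added example (not from the original post): apply the registry value from the
# post and restart the Web Conferencing service. Run elevated on the front end.
$regPath = 'HKLM:\Software\Microsoft\.NETFramework\v4.0.30319'
$name    = 'RequireCertificateEKUs'

function Get-RequireCertificateEKUs {
    # Returns the current DWORD value, or $null when it has never been set
    # (unset means the post-rollup default, i.e. EKU checking enforced).
    $item = Get-ItemProperty -Path $regPath -Name $name -ErrorAction SilentlyContinue
    if ($item) { $item.$name } else { $null }
}

function Set-RequireCertificateEKUs {
    param([ValidateSet(0, 1)][int] $Value = 0)
    if (-not (Test-Path $regPath)) { New-Item -Path $regPath -Force | Out-Null }
    # -Force overwrites an existing value of the same name, so re-running is safe.
    New-ItemProperty -Path $regPath -Name $name -Value $Value -PropertyType DWord -Force | Out-Null
}

"Before: $(Get-RequireCertificateEKUs)"
Set-RequireCertificateEKUs -Value 0
"After:  $(Get-RequireCertificateEKUs)"

# Look the service up by display name (as given in the post) rather than its
# internal service name.
Get-Service -DisplayName 'Skype for Business Server Web Conferencing' | Restart-Service -Verbose
```

To roll the change back later, remove the value with Remove-ItemProperty -Path $regPath -Name $name and restart the service again.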

Error installing Skype for Business server 2015

I tried to install Skype for Business Server 2015 in my lab, from a computer with no internet access and without installing any prerequisites.

Error: "Prerequisite installation failed: Prerequisite installation failed: SqlInstanceRtc For more information, check your SQL Server log files. Log files are in the folder C:\Program Files\Microsoft SQL Server\MSSQL*.Rtc\MSSQL\Log, where the * represents your SQL Server version number. For example, SQL Server 2012 uses this path: C:\Program Files\Microsoft SQL Server\MSSQL11.Rtc\MSSQL\Log."



Exchange 2010 : MapiExceptionNetworkError

One of our Exchange 2010 servers had its mailbox databases dismounted sometime during the night. When we tried to mount them we got a strange error message: "MapiExceptionNetworkError: Unable to make admin interface connection to server. (hr=0x80040115, ec=-2147221227)"


As we usually do with issues like this on Exchange, we checked that all services had been started. We went into the service manager and sorted on "Startup type" to see if everything marked as Automatic was started, and it was. Next we checked all DNS records and the event viewer. No luck. Rebooted the server. Still no luck. Finally, on closer inspection, the "Microsoft Exchange Information Store" service was set to "Disabled". We enabled and started it, and it was then possible to mount the databases. How it ended up being disabled is another issue; perhaps some update did it.

Couldn’t mount the database that you specified. Specified database: MBXDATABASE; Error code: An Active Manager operation failed with a transient error. Please retry the operation. Error: Database action failed with transient error. Error: A transient error occurred during a database operation. Error: MapiExceptionNetworkError: Unable to make admin interface connection to server. (hr=0x80040115, ec=-2147221227)


Lync DHCP options and Windows 2012 R2

Recently had an issue where Lync phones (Polycom CX600) signing in with number and PIN were unable to download the CA certificate chain. Tethered phones worked fine. Some network packet inspection revealed that the DHCP server did not provide any of the option 43 information. The client (phone) asked for the correct vendor class "MS-UC-Client", but there was no response from the DHCP server. To add these options to the DHCP server we used the same script as we always use, so we were sure there was nothing wrong with the server. Asked the crew running the network equipment to check, but they did not notice anything being blocked.

Outlook contact phone number will not display in Lync client.

There have been some issues where phone numbers in Outlook do not show in the Lync 2013 client. After some time we discovered that this was because of a Lync/Office update. Yesterday Microsoft released the August update for the Lync 2013 client, which includes a fix for this issue. The updated version is 15.0.4641.1000.

It can be downloaded from: http://support.microsoft.com/kb/2881070

Lync client will not show contact photos when external.

Installed Lync 2013 on a Windows 2012 R2 server. When I log in with an external Lync client there are no photos of internal users. Validation shows that the thumbnailPhoto attribute has been populated with images of the correct size.

If the client connects directly to the front end server, photos are presented correctly.

An examination of the Lync address book shows the address book files and also the photo files. The photo files are renamed JPG files exported from Active Directory. The Lync server creates these photo files when a client requests photos of users. Since these photos are placed in the address book folder they are downloaded over HTTPS to the Lync client.

Running netstat on the Lync front end did not show any TCP connection from the reverse proxy server!

A network monitor showed that connections are reset halfway through a TLS 1.2 handshake, a strong indication that something is wrong with SSL/TLS. Revalidated all certificates and also the publishing rules on the F5 reverse proxy.

Used Bing to find any issues regarding TLS 1.2 and Windows 2012 R2, and yes, someone had had the same issue. Entered the registry keys as below, rebooted, and now it works:

To resolve this issue do the following:

– On the Lync 2013 server open the registry and browse to the following location: HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols

– Create the following Key under Protocol: TLS 1.2

– Create the following two Keys under TLS 1.2: Client and Server

– Create the following DWORDs under both the Client and Server Key: DisabledByDefault and Enabled

– Under both Client and Server set the following: DisabledByDefault=1 and Enabled =0

– Reboot the server.

Entering these keys disables TLS 1.2 on the server, forcing the client and server to communicate over TLS 1.1.

Good Luck,

Matt

http://social.technet.microsoft.com/Forums/lync/en-US/41718327-203f-445f-8657-87b0a8545ead/lync-2013-client-signin-issue-with-lync-2013-server?forum=lyncprofile
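Because the steps above turn TLS 1.2 off rather than fix whatever broke it, the resulting SChannel state is worth auditing, both to confirm the keys were entered correctly and to see that they have been removed again once the underlying problem is fixed. The script below is an added example, not code from the original post or from the quoted forum reply: it walks every protocol subkey under the SChannel Protocols key and reports the Client and Server settings Windows reads from there. It assumes an elevated PowerShell session on the Lync server.

```powershell
# Added example (not from the original post): report SChannel protocol settings
# from the registry for every protocol subkey that exists.
$protocolsRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelProtocolState {
    if (-not (Test-Path $protocolsRoot)) {
        Write-Warning "No Protocols key at $protocolsRoot; all protocols use the OS defaults."
        return
    }
    foreach ($proto in Get-ChildItem -Path $protocolsRoot) {
        foreach ($side in 'Client', 'Server') {
            $sidePath = Join-Path $proto.PSPath $side
            if (-not (Test-Path $sidePath)) { continue }
            $p = Get-ItemProperty -Path $sidePath
            # An absent value means "OS default" for that setting.
            $enabled  = if ($null -ne $p.Enabled)           { $p.Enabled }           else { 'default' }
            $disabled = if ($null -ne $p.DisabledByDefault) { $p.DisabledByDefault } else { 'default' }
            [pscustomobject]@{
                Protocol          = $proto.PSChildName   # e.g. "TLS 1.2"
                Side              = $side
                Enabled           = $enabled
                DisabledByDefault = $disabled
                # Enabled=0 switches the protocol off; DisabledByDefault=1 keeps it off
                # unless an application asks for it explicitly (the steps above set both).
                NotUsedByDefault  = ($enabled -eq 0) -or ($disabled -eq 1)
            }
        }
    }
}

Get-SchannelProtocolState | Format-Table -AutoSize
```

After following the forum steps the output shows TLS 1.2 with NotUsedByDefault True for both Client and Server; once the keys are removed and the server rebooted the TLS 1.2 rows disappear and the OS defaults apply again.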

How to test network routing from remote Lync client.

Often we have to troubleshoot routing and firewall rules as seen from a client on the internal client subnets. I use PsExec and PortQry from Microsoft. This works if it is a Windows PC and I have permissions to connect to it. Run these commands from a server in the server LAN.

First I check if the port is open from the client to the server (10.10.10.100):

PsExec.exe \\clientpc.domain.local -c portqry.exe -n 10.10.10.100 -p TCP -e 443

If this fails I run a tracert from the client to the server IP (10.10.10.100):

PsExec.exe \\clientpc.domain.local tracert -h 8 -d 10.10.10.100
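The same two checks can be done without copying PortQry to the client, using PowerShell remoting and Test-NetConnection (available on Windows 8 / Server 2012 and later). The function below is an added example, not code from the original post: it runs the TCP port test on the client PC and, only if that fails, a trace route with the same hop limit as the tracert command above. It assumes WinRM is enabled on the client and that you have administrative rights on it; the host names and address are the ones from the post.

```powershell
# Added example (not from the original post): port test and trace route as seen
# from a client PC, via PowerShell remoting instead of PsExec/PortQry.
function Test-RouteFromClient {
    param(
        [Parameter(Mandatory)][string] $ClientComputer,   # e.g. clientpc.domain.local
        [Parameter(Mandatory)][string] $TargetHost,       # e.g. 10.10.10.100
        [int] $Port    = 443,
        [int] $MaxHops = 8                                 # same limit as "tracert -h 8"
    )
    Invoke-Command -ComputerName $ClientComputer -ScriptBlock {
        param($TargetHost, $Port, $MaxHops)
        # TCP connect test from the client's point of view (the PortQry -e check).
        $tcp = Test-NetConnection -ComputerName $TargetHost -Port $Port -WarningAction SilentlyContinue
        $result = [ordered]@{
            Client     = $env:COMPUTERNAME
            Target     = $TargetHost
            Port       = $Port
            SourceIP   = $tcp.SourceAddress.IPAddress
            TcpOpen    = $tcp.TcpTestSucceeded
            TraceRoute = $null
        }
        # Only trace the route when the port test fails, as in the post.
        if (-not $tcp.TcpTestSucceeded) {
            $trace = Test-NetConnection -ComputerName $TargetHost -TraceRoute -Hops $MaxHops -WarningAction SilentlyContinue
            $result.TraceRoute = $trace.TraceRoute -join ' -> '
        }
        [pscustomobject]$result
    } -ArgumentList $TargetHost, $Port, $MaxHops
}

Test-RouteFromClient -ClientComputer 'clientpc.domain.local' -TargetHost '10.10.10.100' -Port 443
```

SourceIP tells you which client interface the test went out on, which matters when the PC has several subnets or a VPN adapter, and the TraceRoute column shows where the path stops when the port is blocked.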

Replacement for TMG reverse proxy.

Are you looking for a replacement for TMG now that its end of life is nearing? You could buy a third-party reverse proxy from Sophos or some appliance. The simplest solution is probably to install a Windows Server 2012 (R2) and add the ARR (Application Request Routing) module to IIS.

To install this module you would use the Microsoft Web Platform Installer.

All the information you need is at the IIS web site: http://www.iis.net/downloads/microsoft/application-request-Routing