Since we are using SecretServer as our credential store, it is a great help to be able to get credentials directly from PowerShell. This is a small function that connects to the SecretServer web services and retrieves a secret based on its secret ID. The function connects to the web service as the signed-in user, with a supplied credential, or, lastly, with a predefined stored credential. To use stored credentials I am using functions from https://github.com/cunninghamp/PowerShell-Stored-Credentials.
Usually you would use the PSCredential object directly. To get the password as text, you can read it from the object by calling GetNetworkCredential().
Got some weird errors on our new Skype for Business server install. After a straightforward install, users were unable to log in externally and there were some issues with conferences. The Skype services seemed to start but ended up running with unknown details when checked with get-windowsservices. We also had one error in the Event Viewer on the front-end server.
The most important clue was: CA_Failure: InternalError. This pointed towards a certificate error. What could be wrong with the CA server (a Windows Server 2016 Enterprise Root CA)?
Encryption key lengths of 1024, 2048, and 4096 are supported. Key lengths of 2048 and greater are recommended.
The default digest, or hash signing, algorithm is RSA. The ECDH_P256, ECDH_P384, and ECDH_P521 algorithms are also supported.
Once again check CA configuration:
This CA was installed with the ECDSA_P256 CSP. We did not have the option to reinstall or migrate the CA to a supported version, so our workaround was to install a new standalone CA using the RSA256 CSP and use this CA to issue the Edge server internal certificate and the front-end certificate. (We published the new CA public key to clients using GPO.)
After we assigned the new certificates and rebooted, it all seems to work OK. The new certs are now RSA256.
This event started to appear every 20 seconds or so. The Skype for Business servers had recently been patched. The patch list included updates to the .NET Framework. Included in these patches is a security update that resolves a security bypass feature: https://support.microsoft.com/en-us/help/4014510/description-of-the-security-and-quality-rollup-for-the-net-framework-4. To solve this, all I had to do was add the required registry value under HKEY_LOCAL_MACHINE\Software\Microsoft\.NETFramework\v4.0.30319 (DWORD: RequireCertificateEKUs=0) and restart the “Skype for Business Server Web Conferencing” service. The fix can be applied to Lync Server 2013 as well.
Are you planning to use SAP on your DirectAccess-enabled clients?
Please consider doing this:
Make sure your SAP GUI client version is 7.20.
Set the system environment variable SAP_IPv6_ACTIVE to the value 1 on the client PC.
Reboot the client PC.
This is what I had to do to get it to work! 🙂
Tried to install S4B Server 2015 in my lab. Tried this from a computer with no internet access; I also did not install any prerequisites.
“Error: Prerequisite installation failed: Prerequisite installation failed: SqlInstanceRtc For more information, check your SQL Server log files. Log files are in the folder C:\Program Files\Microsoft SQL Server\MSSQL*.Rtc\MSSQL\Log, where the * represents your SQL Server version number. For example, SQL Server 2012 uses this path: C:\Program Files\Microsoft SQL Server\MSSQL11.Rtc\MSSQL\Log.”
One of our Exchange 2010 servers had its mailbox databases dismounted sometime during the night. When we tried to mount them we got a strange error message: “MapiExceptionNetworkError: Unable to make admin interface connection to server. (hr=0x80040115, ec=-2147221227)”.
What we usually do with issues like this on Exchange is to check that all services have been started. Went into the service manager and sorted on “Startup type” to see if all services marked for automatic startup were started, and they were. Next was to check all DNS records and the Event Viewer. No luck. Rebooted the server. Still no luck. Finally, on closer inspection, the “Microsoft Exchange Information Store” service was set to “Disabled”. Enabled and started it. Now it was possible to mount the databases. How it ended up being disabled is another issue; perhaps some update did it.
Couldn’t mount the database that you specified. Specified database: MBXDATABASE; Error code: An Active Manager operation failed with a transient error. Please retry the operation. Error: Database action failed with transient error. Error: A transient error occurred during a database operation. Error: MapiExceptionNetworkError: Unable to make admin interface connection to server. (hr=0x80040115, ec=-2147221227)
Recently had an issue where Lync phones (Polycom CX600) using number and PIN were unable to download the CA certificate chain. Tethered phones worked fine. Some network packet inspection revealed that the DHCP server did not provide any of the option 43 information. The client (phone) asked for the correct vendor class “MS-UC-Client”, but there was no response from the DHCP server. To add these options to the DHCP server we used the same script as we always use, so we were sure there was nothing wrong with the server. Asked the crew running the network equipment to check, but they did not notice anything being blocked.
There have been some issues where phone numbers in Outlook do not show in the Lync 2013 client. After some time we discovered that this was because of a Lync/Office update. Yesterday Microsoft released the August update for the Lync 2013 client, which includes a fix for this issue. The updated version is 15.0.4641.1000.
You have installed a Lync Edge server and have issues federating with some or all of your partners. If you check the event log you might see multiple errors with event source “LS Protocol Stack” and event ID 14428.
When publishing a Windows 2012 R2 web site using F5, it all works fine as long as you publish HTTP. When you switch to HTTPS the published page is blank. The F5 reports that the server has reset the SSL session.
Installed Lync 2013 on a Windows 2012 R2 server. When I log in with an external Lync client there are no photos of internal users. A validation shows that the thumbnailPhoto attribute has been populated with images of the correct size.
If the client connects directly to the front-end server, photos are presented correctly.
An examination of the Lync address book shows the address book files and also the photo files. The photo files are renamed JPG files exported from Active Directory. The Lync server creates these PHOTO files when a client requests photos of users. Since these photos are placed in the address book folder, they are downloaded over HTTPS to the Lync client.
Running netstat on the Lync front end did not show any TCP connection from the reverse proxy server!
A network monitor shows that connections are reset after half a TLS 1.2 handshake, a strong indication that there is something wrong with SSL/TLS. Revalidated all certificates and also the publishing rules on the F5 reverse proxy.
Used Bing to find any issues regarding TLS 1.2 and Windows 2012 R2, and yes, someone has had the same issue. Entered the registry keys as below, rebooted, and now it works.
To resolve this issue, do the following:
– On the Lync 2013 server open the registry and browse to the following location: HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols
– Create the following key under Protocols: TLS 1.2
– Create the following two keys under TLS 1.2: Client and Server
– Create the following DWORDs under both the Client and Server key: DisabledByDefault and Enabled
– Under both Client and Server set the following: DisabledByDefault=1 and Enabled=0
– Reboot the server.
Entering these keys disables TLS 1.2 on the server, forcing the client and server to communicate over TLS 1.1.
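An added example, not part of the original post: a read-only PowerShell check that reports which protocol overrides exist under the SChannel Protocols key from the steps above, so a workaround such as disabling TLS 1.2 stays visible when the server is audited later. The list of protocol subkey names and the function name are assumptions; the value names are the ones used in the steps.

```powershell
# Added example (not from the original post): list SChannel protocol overrides.
$base = 'HKLM:\System\CurrentControlSet\Control\SecurityProviders\SChannel\Protocols'
# Assumption: the protocol subkeys worth checking on this server.
$protocols = 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'
$roles = 'Client', 'Server'

function Get-SchannelOverride {   # hypothetical helper name
    param([string]$Protocol, [string]$Role)

    $path = Join-Path (Join-Path $base $Protocol) $Role
    $enabled = $null
    $disabledByDefault = $null

    # A missing key or value means no override: the OS default applies.
    if (Test-Path -LiteralPath $path) {
        $props = Get-ItemProperty -LiteralPath $path
        if ($props.PSObject.Properties['Enabled']) {
            $enabled = [int64]$props.Enabled
        }
        if ($props.PSObject.Properties['DisabledByDefault']) {
            $disabledByDefault = [int64]$props.DisabledByDefault
        }
    }

    if ($null -eq $enabled -and $null -eq $disabledByDefault) {
        $state = 'OS default (no override)'
    } elseif ($null -ne $enabled -and $enabled -eq 0) {
        $state = 'Disabled'
    } elseif ($null -ne $disabledByDefault -and $disabledByDefault -ne 0) {
        $state = 'Disabled by default'
    } else {
        $state = 'Enabled'
    }

    [pscustomobject]@{
        Protocol          = $Protocol
        Role              = $Role
        Enabled           = $enabled
        DisabledByDefault = $disabledByDefault
        State             = $state
    }
}

# Build the report for every protocol/role pair and show it as a table.
$report = foreach ($p in $protocols) {
    foreach ($r in $roles) { Get-SchannelOverride -Protocol $p -Role $r }
}
$report | Format-Table -AutoSize
```

After the steps above have been applied, both the Client and Server rows for TLS 1.2 report `Disabled`.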
Often we have to troubleshoot routing and firewall rules as seen from a client on an internal client subnet. I use PSEXEC and PORTQRY from Microsoft. This will work if it is a Windows PC and I have permissions to connect to it. Run these commands from a server in the server LAN.
I try to check if the port is open from the client to the server (10.10.10.100):
Are you looking for a replacement for TMG now that its end is nearing? You could buy a third-party reverse proxy from Sophos or some appliance. The simplest solution is probably to install a Windows Server 2012 (R2) and add the ARR module to IIS.