Loading MS Certificate Server CRL to F5 BIGIP 11.3

I was asked to manually load a Certificate Revocation List (CRL) from an MS Server 2008 R2 Certificate Server to an F5 BIGIP appliance for use when authenticating client certificates.

Having the CRL loaded as a local file on the BIGIP is probably the easiest way to get it to check revocation, since you avoid the need for MS Enterprise/Datacenter servers running OCSP. I also had various issues with CRLDP and MS cert services that F5 tech support could not explain. So a locally loaded CRL is an easy fix for a lab environment. I also could not find the proper method to do this in F5’s online knowledge base.

For starters, you need to get a copy of the CRL from your MS Certificate Server.

Download CRL

1) Browse to http://SERVERNAME/CertSrv and sign in if needed.
2) Click on Download a CA certificate, certificate chain, or CRL.
3) Select DER format and click on Download Latest Base CRL.
4) Save the file to your machine.

Load the CRL to the BIGIP
1) Open up your BIGIP admin GUI.
2) Navigate to System -> File Management -> SSL Certificate List -> Import.
3) From the Import Type pull-down, select ‘Certificate Revocation List’.
4) Enter the Name you want to use when referencing this file in BIGIP. Select Create New or Overwrite as needed.
5) Use the Browse button to select the CRL file you downloaded, ‘certcrl.crl’.
6) Click Import to finish the process.
Import CRL to F5 BIGIP

Now that the CRL is imported, it can be selected in any SSL Client Profile from the Certificate Revocation List (CRL) drop-down.

This CRL is static. Any certs revoked on the MS server after the download will, of course, not be seen by the F5 until the CRL file is updated and re-imported.
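
Because the imported CRL is a static file, the check worth automating is whether the copy on the BIG-IP is still current. The PowerShell below is an added example, not part of the original post and not an F5 or Microsoft tool: it downloads the latest base CRL from the CertSrv site, decodes both files with certutil, and reports whether the CA has published a newer CRL or whether the loaded one has passed its NextUpdate time. The CertSrv URL, the local file path and the certutil output labels (ThisUpdate/NextUpdate) are assumptions to verify against your own environment.

```powershell
# Added example, not from the original post. Assumes certutil.exe (ships with Windows)
# and that http://SERVERNAME/CertSrv/certcrl.crl is the URL behind the
# "Download latest base CRL" link on the CertSrv page (adjust if yours differs).

function Get-CrlValidity {
    param([Parameter(Mandatory = $true)][string]$Path)

    # certutil -dump decodes the DER CRL and prints "ThisUpdate:" / "NextUpdate:" lines
    $dump = & certutil.exe -dump $Path 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0) { throw "certutil could not decode '$Path':`n$dump" }

    $culture = [System.Globalization.CultureInfo]::CurrentCulture   # certutil prints local-format dates
    $thisUpdate = [regex]::Match($dump, 'ThisUpdate:\s*(.+)').Groups[1].Value.Trim()
    $nextUpdate = [regex]::Match($dump, 'NextUpdate:\s*(.+)').Groups[1].Value.Trim()
    if (-not $nextUpdate) { throw "No NextUpdate found in certutil output for '$Path'" }

    New-Object PSObject -Property @{
        Path       = $Path
        ThisUpdate = [datetime]::Parse($thisUpdate, $culture)
        NextUpdate = [datetime]::Parse($nextUpdate, $culture)
        Expired    = ([datetime]::Parse($nextUpdate, $culture) -lt (Get-Date))
    }
}

function Test-CrlNeedsReimport {
    param(
        [string]$Url       = 'http://SERVERNAME/CertSrv/certcrl.crl',           # placeholder URL
        [string]$LocalCopy = (Join-Path $env:USERPROFILE 'Desktop\certcrl.crl') # the file imported on the BIG-IP
    )
    $latest = Join-Path $env:TEMP 'certcrl.latest.crl'
    $wc = New-Object System.Net.WebClient
    $wc.UseDefaultCredentials = $true      # CertSrv normally requires Windows authentication
    $wc.DownloadFile($Url, $latest)

    $loaded = Get-CrlValidity -Path $LocalCopy
    $new    = Get-CrlValidity -Path $latest

    if ($loaded.Expired) {
        Write-Warning "The CRL on the BIG-IP passed its NextUpdate ($($loaded.NextUpdate)); re-import now."
    }
    if ($new.ThisUpdate -gt $loaded.ThisUpdate) {
        Write-Host "The CA has published a newer CRL (ThisUpdate $($new.ThisUpdate)); re-import $latest."
        return $true
    }
    Write-Host "The loaded CRL is the latest one and is valid until $($loaded.NextUpdate)."
    return $false
}

Test-CrlNeedsReimport
```

Run it on a schedule from any domain-joined Windows box; when it returns $true, repeat the Import steps above with the freshly downloaded file. An expired CRL is no longer authoritative for any certificate, so treat the warning as an outage of the revocation check rather than a cosmetic notice.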

MS Windows 2008 R2 Server and OCSP (Online Certificate Status Protocol)

I’ve been using an F5 BIG IP in a test lab as a VPN concentrator, using client certs as part of the authentication of the client. We have a Windows 2008 R2 domain controller on the inside LAN running MS Certificate Services. The 2008 R2 host is running as the Certificate Authority (CA) and is used to issue the client certs that are used in the auth process.

The key here is that the BIG IP must have access to the Certificate Revocation List (CRL) from that 2008 R2 CA. So I started looking into Online Certificate Status Protocol (OCSP) and, with a little research, was able to find the bits needed to get the 2008 R2 server to operate as an OCSP Responder, so that the BIG IP could query it for revoked client certs, thus preventing those bad certs from being used by clients to establish a VPN session.

The steps here are to:
1) Set up the MS Certificate Services with an OCSP Certificate Template.
2) Allow the CA to support OCSP responder services.
3) Set up an OCSP Responder.
4) Create a Revocation Configuration.

So, I started with a working 2008 r2 host.

Set up the MS Certificate Services with an OCSP Certificate Template.
1) Open the Certificate Templates snap-in.
2) Right-click the OCSP Response Signing template, and then click Properties.
3) Click the Security tab. Under Group or user name, click Add.
4) Click Object Types, select the Computers check box, and then click OK.
5) Type the name of or browse to select the computer hosting the Online Responder or OCSP responder services, and click OK.
6) In the Group or user names dialog box, click the computer name, and in the Permissions dialog box, select the Read and Enroll check boxes. Then click OK.

Allow the CA to support OCSP responder services.
Note that the Online Responder must be running 2008 R2 Enterprise or 2008 R2 Datacenter.

1) Open the Certification Authority snap-in.
2) In the console tree, click the name of the CA.
3) On the Action menu, click Properties.
4) Click the Extensions tab.
5) In the Select extension list, click Authority Information Access (AIA), and then click Add.
6) Specify the locations from which users can obtain certificate revocation data, such as http://computername/ocsp.
7) Select the Include in the online certificate status protocol (OCSP) extension check box.
8) In the console tree of the Certification Authority snap-in, right-click Certificate Templates, and then click New Certificate Templates to Issue.
9) In Enable Certificate Templates, select the OCSP Response Signing template and any other certificate templates that you configured previously, and then click OK.
10) Double-click Certificate Templates, and verify that the modified certificate templates appear in the list.

Set up an OCSP Responder
An OCSP responder is basically a 2008 R2 Enterprise or Datacenter server running the Online Responder role service of Active Directory Certificate Services.

And finally, create a Revocation Configuration.
Microsoft has this information available here.

If you plan on using this Online Responder to answer requests from non-MS sources, you may need to set a few additional options for NONCE support and ‘allow all valid requests’.

1) Open Server Manager.
2) Navigate to Roles -> Active Directory Certificate Services -> Online Responder.
3) Highlight Revocation Configuration.
4) Right-click on the revocation entry in the center column and select ‘Edit Properties’.
5) In the Properties window, click the Signing tab.
6) Here you can enable NONCE support if needed.
7) Selecting ‘Use any valid OCSP signing certificate’ will allow non-MS hosts to use this responder for lookups.

Additional MS OCSP Options

MS OCSP Options to allow all valid OCSP requests and to enable NONCE support
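
Once the responder is configured, the check a practitioner wants is whether a client can actually reach it and get a signed answer. The PowerShell below is an added example, not from the original post: it runs certutil -verify -urlfetch against an issued client certificate, which makes Windows fetch the AIA, CDP and OCSP URLs embedded in the cert, then reports the OCSP URLs consulted and the overall revocation result. The section banner text ("Certificate OCSP") that the parser keys on is what certutil prints on 2008 R2 / Windows 7 and is an assumption for other versions; the HRESULTs for revoked (0x80092010) and responder-offline (0x80092013) are the documented CryptoAPI codes.

```powershell
# Added example, not from the original post. Needs certutil.exe and a .cer of a client
# certificate issued by the CA whose AIA now carries the http://computername/ocsp URL.

function Test-OcspRevocation {
    param([Parameter(Mandatory = $true)][string]$CertPath)

    # -urlfetch forces certutil to retrieve every AIA/CDP/OCSP URL in the chain,
    # rather than trusting whatever is already in the local CRL/OCSP cache.
    $out  = & certutil.exe -verify -urlfetch $CertPath 2>&1 | Out-String
    $exit = $LASTEXITCODE

    # Collect the URLs listed under the "Certificate OCSP" banner (assumed banner text).
    $ocspUrls = @()
    $inOcsp = $false
    foreach ($line in ($out -split "`r?`n")) {
        if ($line -match 'Certificate OCSP') { $inOcsp = $true; continue }
        if ($line -match '^\s*-{4,}')        { $inOcsp = $false; continue }   # next section banner
        if ($inOcsp -and $line -match '(https?://\S+)') { $ocspUrls += $Matches[1] }
    }

    # Interpret the result from the CryptoAPI HRESULTs certutil echoes.
    $status = if ($out -match 'CRYPT_E_REVOKED|0x80092010')                { 'Revoked' }
              elseif ($out -match 'CRYPT_E_REVOCATION_OFFLINE|0x80092013') { 'RevocationServerUnreachable' }
              elseif ($exit -eq 0)                                          { 'Good' }
              else                                                          { 'VerifyFailed' }

    New-Object PSObject -Property @{
        CertPath  = $CertPath
        OcspUrls  = $ocspUrls
        Status    = $status
        RawOutput = $out      # keep the full certutil text for troubleshooting
    }
}

# Constructed usage: point it at an exported client cert.
Test-OcspRevocation -CertPath 'C:\temp\client.cer' | Format-List CertPath, OcspUrls, Status
```

An empty OcspUrls list with a Good status means the client satisfied itself from the CRL and never asked the responder, which usually points at the AIA extension not being in the issued certs yet (certs issued before step 7 above do not carry it). From the BIG-IP itself or any OpenSSL host, `openssl ocsp -issuer ca.cer -cert client.cer -url http://computername/ocsp -nonce -text` exercises the same responder the way a non-Microsoft client does, nonce included, which is the case the NONCE and ‘Use any valid OCSP signing certificate’ options exist for.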

Removing Sharepoint 2013 Backups

Sharepoint 2013 backups leave a lot to be desired. But here’s something new I just came across. Sharepoint 2013 has no built-in way to set up a backup retention period or any method to remove old backups to free up space.

So whether you use a backup script running as a scheduled task or you take manual backups from the Central Admin GUI, MS gives you no way to remove the old data.

So here’s how I do it:

1) Go to the folder used as the backup target and locate the spbrtoc.xml file. Make a backup of that file just in case.

2) Edit spbrtoc.xml. Note that each SPHistoryObject references a backup date, folder, and whether it was Full or Differential.

3) Delete the SPHistoryObject entries in spbrtoc.xml and the respective folders that correspond to the backups you wish to remove. I tend to remove the oldest backups and keep 2 weeks’ worth.

4) Check Central Administration -> Backup and Restore -> View Backup and Restore History. The older backups should now be gone.
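
The manual edit above can be scripted. The PowerShell below is an added example, not from the original post and not a Microsoft tool: it backs up spbrtoc.xml, drops every backup entry older than the retention window together with its folder, and keeps the most recent full backup that any retained differential depends on, since a differential cannot be restored without its base full. The element names it reads (SPHistoryObject, SPFinishTime, SPBackupMethod, SPDirectoryNameFull, SPBackupDirectory, SPDirectoryName) are assumptions about the table-of-contents layout; compare them with your own file and run with -WhatIf first.

```powershell
# Added example, not from the original post. Element names are assumptions about
# spbrtoc.xml; confirm them against your file before running without -WhatIf.
param(
    [string]$BackupRoot = 'D:\SPBackup',   # placeholder: the backup target folder
    [int]$KeepDays = 14,                   # the post keeps about two weeks
    [switch]$WhatIf
)

$toc = Join-Path $BackupRoot 'spbrtoc.xml'
if (-not (Test-Path $toc)) { throw "No spbrtoc.xml found under $BackupRoot" }

# Step 1: keep a copy of the table of contents before touching it.
Copy-Item -Path $toc -Destination ("{0}.{1}.bak" -f $toc, (Get-Date -Format 'yyyyMMddHHmmss'))

[xml]$doc = Get-Content -Path $toc
$culture  = [System.Globalization.CultureInfo]::CurrentCulture
$cutoff   = (Get-Date).AddDays(-$KeepDays)

# Step 2: every SPHistoryObject with an SPBackupMethod is a backup (restores are listed too).
$backups = @($doc.SelectNodes('//SPHistoryObject') | Where-Object { $_.SPBackupMethod } |
             Sort-Object { [datetime]::Parse($_.SPFinishTime, $culture) })
$keep  = @($backups | Where-Object { [datetime]::Parse($_.SPFinishTime, $culture) -ge $cutoff })
$stale = @($backups | Where-Object { [datetime]::Parse($_.SPFinishTime, $culture) -lt $cutoff })

# A differential is only restorable together with the full backup it was taken against,
# so if the oldest entry we keep is a differential, also keep the newest full before it.
if ($keep.Count -gt 0 -and $keep[0].SPBackupMethod -eq 'Differential') {
    $baseFull = @($stale | Where-Object { $_.SPBackupMethod -eq 'Full' })[-1]
    if ($baseFull) { $stale = @($stale | Where-Object { -not $_.Equals($baseFull) }) }
}

# Step 3: remove each stale entry and its folder.
foreach ($entry in $stale) {
    $dir = $entry.SPDirectoryNameFull
    if (-not $dir) { $dir = Join-Path $entry.SPBackupDirectory $entry.SPDirectoryName }
    Write-Host ("Removing {0} backup finished {1}: {2}" -f $entry.SPBackupMethod, $entry.SPFinishTime, $dir)
    if (-not $WhatIf) {
        if (Test-Path $dir) { Remove-Item -Path $dir -Recurse -Force }
        [void]$entry.ParentNode.RemoveChild($entry)
    }
}

# Step 4: write the pruned table of contents; Central Administration reads it for the history view.
if (-not $WhatIf) { $doc.Save($toc) }
Write-Host ("{0} backup(s) removed, {1} kept." -f $stale.Count, ($backups.Count - $stale.Count))
```

Run it as the account that owns the backup share, since it deletes folders there; the .bak copy of spbrtoc.xml lets you restore the history view if the element names turn out to differ on your farm.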

Have a better way of doing this? Let me know about it. Thanks.

Exchange 2010 Error applying Service Pack “Setup previously Failed while performing action Install”

I encountered this error while performing an install of an Exchange 2010 Service Pack:

Some controls aren’t valid.
– Setup previously failed while performing the action “Install”. You can’t resume setup by performing the action “BuildToBuildUpgrade”

Exchange 2010 BuildToBuildUpgrade Error

To fix the issue, open the registry, find the offending entries and remove them.

1) Open the Registry editor: START – RUN – regedt32.
2) Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ExchangeServer\v14.
3) Look at each of the dozen or so subkeys. You will find one or more that has a value called Action with the data Install.
4) Delete every Action value whose data is Install.

Rerun the setup and you should be good to go.
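
The registry hunt above can be done from PowerShell with a backup taken first. The script below is an added example, not from the original post and not from Microsoft: it exports the v14 key, lists every direct subkey whose Action value reads Install, and removes those values only when -Remove is given, so the default run is a dry run. The key path is the one from the steps above; run it from an elevated shell.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell.
param([switch]$Remove)

$keyPath = 'HKLM:\SOFTWARE\Microsoft\ExchangeServer\v14'
$backup  = Join-Path $env:TEMP ("ExchangeServer_v14_{0}.reg" -f (Get-Date -Format 'yyyyMMddHHmmss'))

# Export the whole key first so the change can be undone with "reg import".
& reg.exe export 'HKLM\SOFTWARE\Microsoft\ExchangeServer\v14' $backup /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg export failed; not touching the registry." }
Write-Host "Registry backup written to $backup"

# Look at each subkey directly under v14 (the "dozen or so" entries in the steps above)
# and keep the ones whose Action value is Install.
$hits = @(Get-ChildItem -Path $keyPath | ForEach-Object {
    $action = (Get-ItemProperty -Path $_.PSPath -Name Action -ErrorAction SilentlyContinue).Action
    if ($action -eq 'Install') { $_.PSPath }
})

if ($hits.Count -eq 0) { Write-Host "No Action=Install values found under $keyPath"; return }

foreach ($subKey in $hits) {
    if ($Remove) {
        Remove-ItemProperty -Path $subKey -Name Action
        Write-Host "Removed Action=Install from $subKey"
    } else {
        Write-Host "Would remove Action=Install from $subKey (rerun with -Remove to apply)"
    }
}
```

Review the dry-run list before applying it; the .reg export lets you put the values back if setup still complains and you need to compare against the original state.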

Active Directory Domain Controller Error “The target principal name is incorrect” Event ID 3210 and Event ID 5722

My business closed one of their remote branches recently. The ex-employees took their time packing and sending the hardware back to our HQ. The Domain Controller was offline for more than a month. When we finally got it back, I recreated the routing and plugged the server back in so that I could run a DCPROMO and take it down gracefully. However, since the server was offline for so long, when I ran DCPROMO, the server complained that it could not sync up with the other Domain Controllers. The same thing happens with other Windows hosts that have been offline for more than 30 days. The Event Viewer showed Event ID 3210 and 5722 related to this issue.

This error is also seen when using the AD Sites and Services snap-in to force a replication between domain controllers. I would get the following error window stating “The target principal name is incorrect”.
AD Target principal name is incorrect.

How to fix it:
From any DC, open a command line (CMD) and run

netdom query fsmo

That will list the servers in your domain holding the FSMO roles. Look for the server holding the PDC role.

Next, on the server that is having the issues, we need to disable the Kerberos Key Distribution Center service.
1) Click Start -> Programs -> Administrative Tools -> Services.
2) Double-click the Kerberos Key Distribution Center service (KDC) and change the startup type to Disabled.
3) Reboot.

When the machine starts back up, get back to a command line (CMD) and reset the secure channel to the PDC with the following command:

netdom resetpwd /server:server_name /userd:domain_name\administrator /passwordd:administrator_password

Where server_name is the server holding the PDC role. administrator/administrator_password can be substituted with any account that is a Domain Admin.

Restart the troubled DC. Set the Kerberos Key Distribution Center service back to Automatic startup.

Everything should now be back to normal.
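
Here is the same procedure as a two-phase PowerShell script, added as an example rather than taken from the original post. Phase Prepare reads the PDC emulator from netdom query fsmo, stores it, and disables the KDC service; after the reboot, phase Reset runs netdom resetpwd against that PDC and sets the KDC back to Automatic. It assumes netdom.exe is available (it is on a DC) and an elevated shell; the account parameter defaults to the domain’s administrator and, as the post says, can be any Domain Admin. /passwordd:* makes netdom prompt for the password so it never appears on the command line or in the shell history, and the state file path is an arbitrary choice.

```powershell
# Added example, not from the original post. Run elevated on the troubled DC.
param(
    [Parameter(Mandatory = $true)][ValidateSet('Prepare', 'Reset')][string]$Phase,
    [string]$AdminAccount = "$env:USERDOMAIN\administrator"   # any Domain Admin works
)

$stateFile = Join-Path $env:ProgramData 'secure-channel-fix.txt'   # remembers the PDC across the reboot

function Get-PdcEmulator {
    # "netdom query fsmo" prints one role per line, e.g. "PDC    dc1.domain.com"
    $fsmo = & netdom.exe query fsmo 2>&1
    foreach ($line in $fsmo) {
        if ($line -match '^\s*PDC\s+(\S+)') { return $Matches[1] }
    }
    throw "Could not find the PDC role in netdom output:`n$($fsmo -join "`n")"
}

switch ($Phase) {
    'Prepare' {
        $pdc = Get-PdcEmulator
        Set-Content -Path $stateFile -Value $pdc
        # Step 2 of the procedure above: disable the KDC so the reset after the reboot
        # is done against the PDC. This DC issues no Kerberos tickets until it is re-enabled.
        Set-Service -Name Kdc -StartupType Disabled
        Write-Host "PDC emulator is $pdc (saved to $stateFile)."
        Write-Host "KDC startup set to Disabled. Reboot, then rerun this script with -Phase Reset."
    }
    'Reset' {
        if (-not (Test-Path $stateFile)) { throw "No saved PDC name; run -Phase Prepare first." }
        $pdc = (Get-Content -Path $stateFile).Trim()
        # Reset the machine account password and secure channel against the PDC.
        # /passwordd:* makes netdom prompt for the password interactively.
        & netdom.exe resetpwd "/server:$pdc" "/userd:$AdminAccount" /passwordd:*
        if ($LASTEXITCODE -ne 0) { throw "netdom resetpwd failed with exit code $LASTEXITCODE" }
        Set-Service -Name Kdc -StartupType Automatic
        Remove-Item -Path $stateFile
        Write-Host "Secure channel reset against $pdc; KDC set back to Automatic. Reboot to finish."
    }
}
```

After the final reboot, Test-ComputerSecureChannel (built into PowerShell 2.0 and later) gives a quick yes/no that the channel is healthy before you go back to DCPROMO.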

Lync 2013 Error “Failed while updating destination pool” migrating a user from Lync 2010 to Lync 2013

So, let’s say you’ve built up a Lync 2013 installation in parallel to your existing Lync 2010. It’s time to migrate users from the Lync 2010 registrar pool to the Lync 2013 pool.

Lync 2013 Migrate User

Select User – Action – Move Selected Users to pool

But when you do this, you get the following error: “Failed while updating destination pool”.

Lync 2013 Error

Lync Error Failed while updating destination pool

The issue seems to be caused by a problem with the inheritable permissions on the user account. To fix it, use ADSIEdit. Find the user account that you are trying to move, pull up its Properties, click the Security tab, then Advanced. Check the box that says Include inheritable permissions from the object’s parent.

ADSIEdit Include permissions

Check Include inheritable permissions

Save the changes to the user. Return to Lync and migrate the user.

How to Install Lync 2013

Today I was given an Evaluation of Lync 2013 and asked to install it in a Lab setting to have a look at it.

So to get started, I spun up a Virtual 2008 R2 SP1 server, got it patched, assigned a static IP, and joined it to the lab domain. I spun up a 2nd 2008 R2 server and assigned it to the DMZ with a static 1 to 1 NAT to an external IP (this will become the Lync Edge Server).

I’m using the TechNet evaluation DVD for Office 2013. Lync 2013 is found on the DVD in the LyncServerStandard folder, or you can grab the eval right from the MS website. However you get it, place it somewhere your server can get to it. Mine went right onto the desktop.

Some prereqs for this install:

    • Install the .NET 4.5 Framework. You need to download this from the MS website here
    • PowerShell 3.0. You need to download this from the MS website here
    • Windows Identity Foundation. You need to download this from the MS website here
    • You need the patch from KB 2646886. You need to download this from the MS website here
    • The IIS 7 server role must be enabled
    • Install the MS Visual C++ 2012 x64 Runtime. This will be done by the setup if you don’t already have it.
    • For 1st installs, you need the AD administrative tools (to extend the schema). They are installed from Server Manager -> Features -> Add Feature -> Remote Server Administration Tools
    • You will need a shared folder on a host to use during the Front End Pool setup, i.e. \\server\share should be available.
    • Several features are needed as well; these can be installed from PowerShell using the following command:

Add-WindowsFeature RSAT-ADDS, Web-Server, Web-Static-Content, Web-Default-Doc, Web-Http-Errors, Web-Asp-Net, Web-Net-Ext, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Http-Logging, Web-Log-Libraries, Web-Request-Monitor, Web-Http-Tracing, Web-Basic-Auth, Web-Windows-Auth, Web-Client-Auth, Web-Filtering, Web-Stat-Compression, Web-Dyn-Compression, NET-WCF-HTTP-Activation45, Web-Asp-Net45, Web-Mgmt-Tools, Web-Scripting-Tools, Web-Mgmt-Compat, Desktop-Experience, Telnet-Client
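
Before starting the installer it is worth confirming the prereqs are actually in place. The PowerShell below is an added example, not from the original post: it checks the PowerShell version, the .NET 4.5 Release value in the registry (378389 is the documented minimum for 4.5), the KB2646886 hotfix, the file share, and the Windows features from the Add-WindowsFeature line above. The share path is a placeholder; Windows Identity Foundation and the VC++ runtime are not checked.

```powershell
# Added example, not from the original post. Checks the prerequisites listed above on a
# 2008 R2 host; Windows Identity Foundation and the VC++ runtime are not checked here.
Import-Module ServerManager

$fileShare = '\\server\share'   # placeholder for the Front End file store share
$features = 'RSAT-ADDS','Web-Server','Web-Static-Content','Web-Default-Doc','Web-Http-Errors',
    'Web-Asp-Net','Web-Net-Ext','Web-ISAPI-Ext','Web-ISAPI-Filter','Web-Http-Logging',
    'Web-Log-Libraries','Web-Request-Monitor','Web-Http-Tracing','Web-Basic-Auth',
    'Web-Windows-Auth','Web-Client-Auth','Web-Filtering','Web-Stat-Compression',
    'Web-Dyn-Compression','NET-WCF-HTTP-Activation45','Web-Asp-Net45','Web-Mgmt-Tools',
    'Web-Scripting-Tools','Web-Mgmt-Compat','Desktop-Experience','Telnet-Client'

# Feature names from the Add-WindowsFeature line above that are not yet installed.
$missing = @(Get-WindowsFeature | Where-Object { ($features -contains $_.Name) -and -not $_.Installed } |
             Select-Object -ExpandProperty Name)

# .NET 4.5 writes Release >= 378389 under the NDP\v4\Full key.
$ndp = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full' -ErrorAction SilentlyContinue

$checks = @(
    @{ Name = 'PowerShell 3.0 or later';   Ok = ($PSVersionTable.PSVersion.Major -ge 3) },
    @{ Name = '.NET Framework 4.5';        Ok = (($ndp -ne $null) -and ($ndp.Release -ge 378389)) },
    @{ Name = 'Hotfix KB2646886';          Ok = [bool](Get-HotFix -Id 'KB2646886' -ErrorAction SilentlyContinue) },
    @{ Name = "File share $fileShare";     Ok = (Test-Path -Path $fileShare) },
    @{ Name = 'Required Windows features'; Ok = ($missing.Count -eq 0) }
)

foreach ($check in $checks) {
    $label = if ($check.Ok) { 'OK     ' } else { 'MISSING' }
    Write-Host ("[{0}] {1}" -f $label, $check.Name)
}
if ($missing.Count -gt 0) { Write-Host ("Install with: Add-WindowsFeature " + ($missing -join ', ')) }
```

Run it after the feature install and again after the .NET 4.5 and PowerShell 3.0 reboots; the two 45-suffixed features only appear in Get-WindowsFeature once .NET 4.5 is on the box.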

Now the installer begins:
Pick your location and hit Install.
Lync 2013 Installer

Agree to the EULA.
Lync 2013 EULA

Lync 2013 requires AD schema extensions, so the AD must be prepped first. Click on Prepare Active Directory to start.
Lync 2013 Installation

This will run the Deployment Wizard. There are several steps you must take to prepare the domain for the Lync 2013 install. If you have used Lync 2010, this should look very familiar.
Lync 2013 Deployment Wizard

Once the Wizard is complete, you will find a new AD group called CSAdministrator. Members of this group get administrative access to the Lync Server.

Hit BACK when complete.

On the right hand side, you will see install items for additional components.

If this is the 1st server, then click on Prepare First Standard Edition Server.
Lync 2013 Prepare Single Server

Click Next through the info screen and wait for it to complete.

Lync 2013 Prepare Single Server - 1
Lync 2013 Prepare Single Server - 2

Set up Lync Server Components

Next you will want to install the admin tools. These include the Topology Builder, which you need to use before installing the server system components. The tools install without any additional input.
Lync 2013 Install Admin Tools

Launch the Topology Builder that was installed with the admin tools.
Lync 2013 Topology Builder Menu

When you launch it, the Topology Builder will ask if you want to Import, Load, or Create a New Topology. Make the appropriate selection based on your situation. If this is your 1st Lync server, you will, of course, want to pick a New Topology.
Lync 2013 Topology Builder start

For this basic setup, we will use the single server as the Front End Server, A/V Conferencing, and Mediation pool server. In a production environment, you could install these roles onto different servers or into pools as needed.

  • Right-click on Standard Edition Front End Server -> New Front End Pool.
  • Click Next past the Welcome screen.
  • Enter the FQDN of the server you will use for the install. For 1st-timers, it will probably be the same server you are on now.
  • Select the features for this install. IM and presence are included by default, but you can select additional features as needed. With Enterprise Voice, you can integrate Lync with other 3rd-party VoIP platforms like Cisco CUCM, but I’ll cover those integrations in a future post.
  • For this lab install and most small installs you can collocate the Mediation Server on the Front End Server.
  • Select Enable an Edge Pool. Later on we will use a 2nd host in the DMZ to enable external IM and other features.
  • For this Standard Edition install, local SQL is used, so hit Next.
  • Define the file store. Here you enter the shared folder info that we created earlier in the pre-reqs.
  • Web Services – Internal and external URLs should be defined here. You can leave these at the default if you are unsure.
  • If you have an Office Web Apps Server, you can associate it with Lync here; otherwise, clear the checkbox.
  • Front End Edge Pool. The Edge Servers sit in the DMZ and accept traffic from the public internet. Here we pause the front end server config and define the edge server config. Click New and then follow the steps below to set up the edge host. We will continue with the Front End pool when the Edge is completed.

We need to sidetrack here and create the Edge Server Pool. This server will sit in the DMZ and listen for traffic from the public internet.

  • Right-click on Edge Pool -> select New Edge Pool.
  • Define the FQDN. Something like sipedge.company.com or lyncedge.company.com would be a good choice. Select whether it’s a single or multiple computer pool. For this setup, we use single.
  • Select the 1st option to use a single FQDN and IP so that one edge pool server will handle all traffic.
  • IP options – leave these at IPv4. If the edge pool is behind a NAT, check that box. You will need to provide the public IP info for that NAT later.
  • External FQDN – Here you will specify the FQDNs for the services. sip.company.com or lync.company.com are good choices. Later on, we will tie all the FQDNs together with DNS.
  • Internal IP – Enter the internal IP of the edge server.
  • External IP – Enter the external NAT IP of the edge server.
  • External A/V IP – Enter the external NAT IP of the edge server again. We are using a single server/IP for all services.
  • Select the Next Hop – This will be the Front End Pool server that we are creating.
  • Done.

… Continuing with the Front End Pool

  • Select the Edge Server we just created
  • Done.

The last thing you will want to do is take the topology you just defined and publish it to the domain.
Right-click on Lync Server -> Publish Topology.

Now that the topology is created we can begin the server installations.

The next step is to install the Lync Server. Select that option back at the Deployment window:
Lync 2013 Deploy Lync

You should see another Deployment Wizard for the Server Installation.

Lync 2013 Server Deployment

Install Local Config Store
Select the option to retrieve the information you need from the Central Management Store. Most should be able to leave this at the default for this setup. Hit Next and let it complete.
Lync 2013 Server install Step 1

Setup Lync Server Components
This step pulls in the topology from the Topology Builder and installs the needed components on this host based on how you built the topology. Just hit Next and the server components will be installed. This might take a while. Hit Finish when complete.
Lync 2013 Server Components Complete

Request, Install, Assign Certificates
Lync requires a certificate for the server and the web services. Highlight and select the certs you want to request and hit the Request button. This will send the cert request to an online CA, or create a request file you can send via email or paste into a form for an offline request.
Once you receive the cert, or if you already have one, click the Import button and browse to the location of the PFX or CER file.
After the cert is imported, use the Assign button to assign a cert to each service: Default Cert and OAuthTokenIssuer. Select the cert from the list, inspect it, then assign it.
Lync 2013 Assigning certs

Start Services
Finally, start the services to launch the Lync Server.

This should complete the Front End Pool server.
You will need to run the same Deployment Wizard on the Edge Server as well before you are finished. Copy the setup folders to the edge server or give it access to the setup files some other way. Have the Edge host run through the same Deployment Wizard that we just ran through for the Front End host.

MS SQL Server 2008 R2 installation error 0x84B20001

I was attempting to install MS SQL Server 2008 R2 SP1 and would get the following issue detecting a previous installation for RS_Server_Adv with error 0x84B20001.

sqlerror1

Following a few posts and blogs, I found out that SQL Server modifies certain registry keys during installation attempts. By resetting the key values, you can force setup to think no previous installation was attempted.

This was the method I used to solve this issue.

On the SQL server:

1. Run REGEDT32

2. Open the key Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\MSRS10_50.MSSQLSERVER\ConfigurationState

3. Change the RS_Server_Adv value from 3 to 1

After that, I reran the SP1 install and it completed without any issues.

How to List User Names and Emails from a Windows Domain to a file

This is a quick and easy way to get a tab-separated list of usernames and emails from a Windows domain while on the domain controller.

Using the dsquery and dsget commands, we can list the users and then send the output to a file.

dsquery user cn=Users,dc=domain,dc=com -name * -limit 0 | dsget user -display -email > userlist.txt

dsquery queries LDAP and pulls the records, dsget pulls the interesting attributes from those records, and we just use plain old CLI redirection to send the output to a file.
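
The same export can be done with .NET DirectoryServices from PowerShell, which works on any domain member without the ds* tools or the AD module and writes a real tab-separated file. The function below is an added example, not from the original post; the search base mirrors the cn=Users container used in the dsquery above and the output path is an arbitrary default.

```powershell
# Added example, not from the original post: the same export via .NET DirectoryServices,
# which runs on any domain member without dsquery/dsget or the AD module.
function Export-DomainUsers {
    param(
        [string]$SearchBase = 'LDAP://CN=Users,DC=domain,DC=com',   # same container as the dsquery above
        [string]$OutFile    = (Join-Path (Get-Location) 'userlist.txt')
    )
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry($SearchBase)
    $searcher.Filter     = '(&(objectCategory=person)(objectClass=user))'   # user objects only, not computers
    $searcher.PageSize   = 1000      # paged results, so the server's 1000-object cap does not truncate (cf. -limit 0)
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'displayName', 'mail'))

    $rows = @(foreach ($result in $searcher.FindAll()) {
        $props = $result.Properties    # keys are lower-cased by DirectorySearcher
        New-Object PSObject -Property @{
            UserName    = [string]($props['samaccountname'] | Select-Object -First 1)
            DisplayName = [string]($props['displayname']    | Select-Object -First 1)
            Email       = [string]($props['mail']           | Select-Object -First 1)   # empty if no mailbox
        }
    })

    # Export-Csv with a tab delimiter gives the tab-separated file (fields are quoted).
    $rows | Select-Object UserName, DisplayName, Email |
        Export-Csv -Path $OutFile -Delimiter "`t" -NoTypeInformation -Encoding UTF8
    return $rows.Count
}

# Constructed usage: writes userlist.txt in the current folder and returns the row count.
Export-DomainUsers
```

Point SearchBase at the domain root (LDAP://DC=domain,DC=com) if your users live in OUs rather than the default Users container; the filter already excludes computer accounts, which also carry objectClass=user.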

Android Phone Email Provisioning Errors with Exchange Active Sync

This problem came up for me recently. Several employees were trying to set up Android phone email clients to check mail on an Exchange 2010 mail server. They would constantly get the following message: “Remote Security Administration, The Server requires that you allow it to remotely control some security features of your phone.”

Android Email Client Active Sync Error

There was a similar issue in Android with email account setups, traced to some bug in the way Android handles ActiveSync policies. This time around, we confirmed this to be the case with all versions of Android from 2.2 through ICS using the stock client.

The Fix / Workaround:

To get around this issue, we removed the default ActiveSync policy on the accounts in question. Not a great fix, since you lose the ability to force PINs and the like, but since the policy wasn’t being applied correctly anyway, it was an easy choice.

Step 1 – In the Exchange MMC, create a blank ActiveSync policy: MMC -> Organization Config -> Client Access -> ActiveSync Policy tab. Create the new policy here and call it “Deleteme”. Highlight the policy and make it the default.

Step 2 – Since the GUI forces you to select a default policy, open up the Exchange Management Shell and run the following command:

Set-ActiveSyncMailboxPolicy "Deleteme" -IsDefaultPolicy $False

This forces the Deleteme policy to not be the default. The GUI should now show no default policy at all.

Step 3 – Assign the Deleteme policy to the user’s mailbox: Mailbox Properties -> Mailbox Features -> Exchange ActiveSync (click Properties). Browse and select the Deleteme policy.

Step 4 – Go back to MMC -> Organization Config -> Client Access -> ActiveSync Policy tab and delete the Deleteme policy.

Now check the assigned ActiveSync policy on the mailbox; it should be blank.

Have the user test the email account setup. After I did this, all the mailboxes could be provisioned correctly and no longer got that popup error.

I also found out that after any Service Pack or Rollup was applied to the Exchange server, a default ActiveSync policy was recreated. I had to run through the same procedure again after the update to SP2 and to Rollup 4.
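
The four GUI steps, plus the check for a recreated default policy after a service pack or rollup, can be run entirely from the Exchange Management Shell. The script below is an added example, not from the original post; it uses the Exchange 2010 cmdlets named above and takes the mailbox identity as a placeholder parameter. Keep in mind that a mailbox with no ActiveSync policy gets no PIN or remote-wipe enforcement, as the post notes, so apply it only to the affected mailboxes.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell
# (Exchange 2010 cmdlets). The mailbox identity is a placeholder you supply.
param(
    [Parameter(Mandatory = $true)][string]$Mailbox,   # e.g. a user's alias or SMTP address
    [string]$ScratchPolicy = 'Deleteme'
)

# A service pack or rollup can recreate a default policy, so report what is default now.
$currentDefault = Get-ActiveSyncMailboxPolicy | Where-Object { $_.IsDefaultPolicy }
if ($currentDefault) { Write-Host "Default policy before the change: $($currentDefault.Name)" }
else                 { Write-Host "No default ActiveSync policy is currently set." }

# Step 1: create the scratch policy (if needed) and make it the default, which demotes the old default.
if (-not (Get-ActiveSyncMailboxPolicy -Identity $ScratchPolicy -ErrorAction SilentlyContinue)) {
    New-ActiveSyncMailboxPolicy -Name $ScratchPolicy | Out-Null
}
Set-ActiveSyncMailboxPolicy -Identity $ScratchPolicy -IsDefaultPolicy $true

# Step 2: the shell, unlike the GUI, lets us clear the default flag without picking another policy.
Set-ActiveSyncMailboxPolicy -Identity $ScratchPolicy -IsDefaultPolicy $false

# Step 3: assign the scratch policy to the affected mailbox.
Set-CASMailbox -Identity $Mailbox -ActiveSyncMailboxPolicy $ScratchPolicy

# Step 4: delete the scratch policy; the mailbox is left with no policy at all.
Remove-ActiveSyncMailboxPolicy -Identity $ScratchPolicy -Confirm:$false

# Verify: ActiveSyncMailboxPolicy should now be blank for this mailbox.
Get-CASMailbox -Identity $Mailbox | Select-Object Name, ActiveSyncMailboxPolicy
```

Rerun the first block (the Get-ActiveSyncMailboxPolicy check) after every service pack or rollup; if it reports a default policy again, the affected mailboxes will pick it up and the whole sequence has to be repeated, exactly as happened with SP2 and Rollup 4.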