
Saturday, July 18, 2015

Trouble with ADFS Proxy Certificate update\renewal

We recently had to apply new certificates to an ADFS infrastructure. There are plenty of articles out there that detail how to do this; however, we came across an issue after the supposedly successful replacement/install.

In general we followed this procedure:

http://blogs.technet.com/b/tune_in_to_windows_intune/archive/2013/11/13/replace-certificates-on-adfs-3-0.aspx

However, what we discovered was that the ADFS proxy server would not update the certificate. The command to do it,

Set-WebApplicationProxySslCertificate

would complete successfully.

When we ran

Get-WebApplicationProxySslCertificate

we were getting back no results. It did not error, it just returned nothing.

We tried a number of things to fix this, all to no avail in the end.

Ultimately we had to remove the Web Application Proxy role from the server, re-add it, and then step through the configuration wizard.

During the troubleshooting we found an event 383 in the event log. I'm not sure if that is indicative of this problem, but I include it here for future reference and comment:

https://social.technet.microsoft.com/Forums/windowsserver/en-US/c0889fba-29ce-4215-8423-773c0c386f71/2012r2-web-application-proxy-adfs-error-event-383-corrupted-config-file?forum=winserverDS

Reference:

https://technet.microsoft.com/en-us/library/dn770156.aspx

http://blogs.msdn.com/b/javaller/archive/2014/06/18/why-isn-t-my-adfs-ssl-certificate-updating.aspx

http://www.scug.nl/infrastructure/part-2-update-active-directory-federation-services-3-0-web-application-proxy-ssl-certificates/

http://blogs.perficient.com/microsoft/2014/05/office-365-replacing-the-ssl-certificate-in-ad-fs-3-0/



Friday, July 10, 2015

WLW 2012 and Blogger–Username \ Password Incorrect

Google have changed their login mechanisms to make them more secure, so with the default settings in Google, WLW will not connect.

The only way to get WLW to connect is to enable “Allow less secure apps” in Google. It is unclear to me at this time (https://support.google.com/accounts/answer/6010255?hl=en-GB) what the real implications of turning on this setting are. However, turning it on allowed WLW to connect.

The setting can be found in Google under My Account\Sign-in & Security.


My preference at the moment is to write these articles offline, enable the setting in Google, publish the post and then disable the setting.

Related: http://mumblestiltskin.blogspot.com/2015/07/windows-live-writer-windows-10-and.html



Windows Live Writer, Windows 10 and Blogger

OK, so I heard today that Scott Hanselman tweeted in June that WLW may be released by Microsoft as open source.

I hope this is true, or that Microsoft updates it. It’s a great tool, simple to use, and does most things really, really well.

Anyway, I have been trying out Windows 10 in the fast ring, and was wondering whether it would run WLW.

I am currently using Build 10162.

WLW 2012 is part of Windows Live Essentials, which is still available from Microsoft:

http://windows.microsoft.com/en-us/windows-live/essentials

When you run this you may be prompted to install .NET 3.5; this is needed, so allow it to do so.

Once the .NET installation is complete, WLW 2012 will be installed.

That’s pretty much it; it worked straight away. Now, I haven’t used WLW for a while, and I had trouble connecting to my Blogger account: WLW kept complaining about the username and password. I could log into Blogger directly on the web using these details, so I knew they were not incorrect. In the end I tracked it down to a setting in my Google account.

Google have changed their login mechanisms to make them more secure, so with the default settings in Google, WLW will not connect.

The only way to get WLW to connect is to enable “Allow less secure apps” in Google. It is unclear to me at this time (https://support.google.com/accounts/answer/6010255?hl=en-GB) what the real implications of turning on this setting are. However, turning it on allowed WLW to connect.

The setting can be found in Google under My Account\Sign-in & Security.


My preference at the moment is to write these articles offline, enable the setting in Google, publish the post and then disable the setting.



Thursday, July 09, 2015

Logging in Powershell - transcript

I come from a strong batch file background, so creating logs whilst running batch files was just a matter of redirecting I/O to a file.

As I migrate to PowerShell I discovered this was not as easy. Maybe I am missing something, but anyway the closest I could find was the transcript command.

Running this command directs any output to a file:

Start-Transcript -path $scriptPath\psOutput_name.log


Once this command is run, any output that would normally go to the PowerShell command window will be directed to the transcript log.

You must stop the transcript at the end of the process, otherwise you will get errors the next time it runs.

Stop-Transcript


However, I found issues if the script errored or was terminated without the Stop-Transcript command having been run.

Therefore, whilst I have a Start-Transcript command in each script, the first command is always a Stop-Transcript command. This may throw an error if a transcript is not running, but for me that is better than having no output logged.

Stop-Transcript
Start-Transcript -path $scriptPath\psOutput_name.log



Saturday, March 14, 2015

Mounting a Windows share permanently in Ubuntu 14.04

I wanted to set up a machine that would allow me to play music in my garage, and I thought it would be a good exercise to use Ubuntu, as I spend most of my life in Windows.

My music is currently on a Windows machine at home and available via a Windows share.

The Ubuntu 14.04 installation was trouble free; it saw the Windows network straight away and I was able to browse around the Windows share.
However, it was not particularly easy to add these network shares to my playlist in either the Rhythmbox or Clementine media players. It must be said that I made certain assumptions: because I could see, browse and play music from the network after a vanilla install of Ubuntu, I thought everything was in place to access these folders. This is not the case.

I wanted an easier method, and this appeared to be mounting the Windows share within Ubuntu permanently. To be honest it sounded straightforward; however, I encountered a few hurdles and I want to detail here what I did to get this up and running. I have pulled together a few articles/forum posts into this posting. I include these references at the bottom of this page.

In Ubuntu you can mount drives via the mount command, and you can do that manually every time you reboot. However, if you want it to mount automatically then you need to add entries to the /etc/fstab (file system table) file, which is read by the mount command every time you reboot.

Note: I got confused here. Coming from Windows, CIFS is an older variation of SMB and as such is frowned upon, yet using cifs in Linux seemed to be recommended. Eventually I came to believe this is just a naming issue: smbfs is an older, deprecated module, and the current SMB/CIFS module for Ubuntu is called cifs, but it supports current modern variations of SMB (including 3.02). So by using vers=3.02 in the options section of the mount command I was able to force the SMB version. (I was connecting to a Windows 8.1 machine, hence why I could use 3.02.)


As I said, a number of items are not installed by default, which caused me issues when trying to mount. These were:
  • winbind - NetBIOS name resolution
  • cifs-utils - provides a helper for connecting to SMB shares

NetBIOS - name resolution
(not sure if this is needed but it's one of the hoops I jumped through)

sudo apt-get install winbind

Then we need to tell Ubuntu to use WINS lookup. We do this by editing the file that dictates how, and in what order, Ubuntu will attempt name resolution. Open the /etc/nsswitch.conf file, look for the line that starts with hosts: and add wins before dns.

sudo gedit /etc/nsswitch.conf

hosts: files wins dns

Save the file.

CIFS (smb access)
sudo apt-get install cifs-utils

Now we add the mount entries to the /etc/fstab file. We can include the username and password as free text in this file, and that may be acceptable in most home scenarios. But we can instead put the credentials in a separate file and restrict access to that file to help protect its contents. This credentials file can then be referenced in the mount entries.

gedit ~/.smbcredentials

Note: ~ here is shorthand for /home/. Whilst ~ works on the command line, you will find it does not always work within files. Therefore you will see later on that we expand ~ fully in fstab.

In .smbcredentials enter these two lines, filling in the Windows username and password:
username=  
password=

Save this file.


Let's create the folder where we want to mount the Windows share. I used the /media/ folder:

sudo mkdir /media/

OK, now we will enter the mount entry into the fstab file. When Ubuntu is booting it will pass these lines to the mount command.

sudo gedit /etc/fstab

Add the following line (note: you can omit vers=3.02 and it will default to SMB1; however, if you know the correct SMB version for your Windows machine you should be able to specify it here):
/// /media/Mount cifs credentials=/home//.smbcredentials,iocharset=utf8,sec=ntlm,vers=3.02 0 0

Save the file.

Now we can force the mount command to rerun all entries in the fstab file:

sudo mount -a

Now, everything being good, we should be able to access the Windows share under the mount point we created.

In addition the mount should be available after a reboot.
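As an added example (not from the original post), the credentials file and fstab entry from the steps above, scripted so they can be tried against a scratch directory before touching /etc/fstab; the host name winbox, the share music and the mount point /media/Mount are assumed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Builds the ~/.smbcredentials
# file and the fstab entry described above against a scratch directory.
# Assumed placeholder values: host "winbox", share "music", /media/Mount.

# Write the credentials file so only its owner can read it. The post says
# to restrict access to the file but does not show how: umask 077 makes it
# mode 0600 at creation, so the password is never world-readable.
write_smb_credentials() {
    file=$1; user=$2; pass=$3
    ( umask 077 && printf 'username=%s\npassword=%s\n' "$user" "$pass" > "$file" )
    chmod 600 "$file"   # also tightens a pre-existing file
}

# Return 0 when the credentials file is owner-only (-rw-------).
creds_are_private() {
    [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# Build the fstab line with ~ already expanded (mount does not expand it).
# sec=ntlm is what the post uses; current kernels default to sec=ntlmssp
# (NTLMv2), which is the stronger choice when the server accepts it.
fstab_line() {
    server=$1; share=$2; mnt=$3; cred=$4; vers=$5
    printf '//%s/%s %s cifs credentials=%s,iocharset=utf8,sec=ntlm,vers=%s 0 0\n' \
        "$server" "$share" "$mnt" "$cred" "$vers"
}

# Append the line only if no entry for that mount point exists yet, so
# re-running the script never duplicates fstab entries.
add_fstab_entry() {
    fstab=$1; line=$2
    mnt=$(printf '%s\n' "$line" | awk '{print $2}')
    if ! awk -v m="$mnt" '$2 == m' "$fstab" | grep -q .; then
        printf '%s\n' "$line" >> "$fstab"
    fi
}

# Demo against a scratch directory (run with: sh mount_share.sh demo).
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    write_smb_credentials "$tmp/.smbcredentials" alice 's3cret!'
    line=$(fstab_line winbox music /media/Mount "$tmp/.smbcredentials" 3.02)
    : > "$tmp/fstab"
    add_fstab_entry "$tmp/fstab" "$line"
    add_fstab_entry "$tmp/fstab" "$line"   # no-op on the second call
    cat "$tmp/fstab"
    creds_are_private "$tmp/.smbcredentials" && echo "credentials are private"
    rm -rf "$tmp"
fi
```

To apply for real, point add_fstab_entry at /etc/fstab (as root) and write the credentials file into your home directory, then run sudo mount -a as in the post.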

Troubleshooting
I kept getting the following message whenever I tried to mount. This was because I had not installed cifs-utils (again, I made the assumption that because I could browse the network everything was already installed). I believe you can get this message for a number of reasons, and the best way to figure it out is to use the command it suggests, dmesg | tail:

mount: wrong fs type, bad option, bad superblock on //windowsserver/share, missing codepage or helper program, or other error (for several filesystems (e.g. nfs, cifs) you might need a /sbin/mount. helper program) In some cases useful info is found in syslog - try dmesg | tail or so

References
https://wiki.ubuntu.com/MountWindowsSharesPermanently
https://help.ubuntu.com/community/MountWindowsSharesPermanently
https://wiki.samba.org/index.php/LinuxCIFSKernel

https://wiki.samba.org/index.php/Samba3/SMB2
https://www.thomas-krenn.com/en/wiki/Mounting_a_Windows_Share_in_Linux
http://stackoverflow.com/questions/74626/how-do-you-force-a-cifs-connection-to-unmount

Wednesday, March 11, 2015

Disappearing DNS entries: Windows 7 registered DNS entries deleted after period.

For some time I have had to support a desktop machine that someone set up with SVN on it. It's meant to be being deprecated, so I have never spent time on moving the services off.
But like all "temporary" items in the tech world, it's on the large side of temporary.. :)

Anyway, to enable the service to be movable, I set up a CNAME entry in DNS that pointed at the machine name record.

SVN.contoso.com (CNAME) --> MACHINE.contoso.com (A)

Now this worked for a while, but then suddenly developers reported the SVN DNS name was not resolving. On review this turned out to be because MACHINE.contoso.com had been deleted... Huh?

The machine is part of a Windows domain, and is set to register itself (like all the other machines). So I rebooted, and this fixed the problem.... briefly. Then the same thing happened.

I have tried numerous things to try and resolve it: a manual static DNS entry, ticking boxes on the DNS tab of the MACHINE network adapter properties. None of these seem to have worked...

However, today I found a Microsoft hotfix that seems to be aimed at my particular problem.

http://support.microsoft.com/kb/2895683

So I have now downloaded this fix and applied it to the MACHINE. Let's see how we go....

Tuesday, March 03, 2015

Windows Azure - Setting up a static ip for a windows azure VM

A quick article to note down the steps to assign a static IP. I am sure not all my terminology will be correct.

If you are reading this then you are probably aware of the fact that Windows Azure VMs are given internal IPs via DHCP, and they are dished out in order. The first four addresses are reserved, so for a range of 192.168.1.0/24, the IPs
  • 192.168.1.0 (network address),
  • 192.168.1.1,
  • 192.168.1.2,
  • 192.168.1.3
are all taken by Azure.

So the first VM you fire up will take the next IP, 192.168.1.4. All seems good..
It is; however, as these are DHCP addresses they have a lease that can expire. So say you take down a couple of machines for maintenance: depending on the order in which these machines are restarted, you can find a machine will come up with a different IP address.

Now, late in 2014 Microsoft announced that you can actually force an IP to be assigned to a particular VM. It is still given via DHCP but the VM is guaranteed the same IP.

Currently there is no way to achieve this via the GUI/portal and it must be achieved via PowerShell.

If you have not used PowerShell to configure Windows Azure, you will need to download and install the PowerShell


OK, now the first thing is to configure the computer to talk to Azure. This can be done manually or automatically. Below I show how to set it up automatically.

Open powershell and type

Get-AzurePublishSettingsFile

A browser window will appear to

Log in and a file download should begin. If you open this file you will see it's an XML file containing subscription information.

Now we need to get the PowerShell session logged into Azure. We do this by calling Get-Credential and assigning the result to a variable.

$cred = get-credential

This command will open a dialog that will allow you to type in your Azure username and password.

Now let's import the subscription info.

Substitute the path and name of the publish settings file downloaded earlier; you should see the contents of this file printed on the screen.

Import-AzurePublishSettingsFile .publishsettings

OK, let's now test that the IP we want to assign is available:

Test-AzureStaticVNetIP -VNetName -IPAddress


The output should tell you whether it is or isn't available. If it's not available it probably means the VM is still running; go to Azure, shut it down properly and then retest.

OK, now we get to the pointy end:

Get-AzureVM -ServiceName -Name | Set-AzureStaticVNetIP -IPAddress | Update-AzureVM