Category Archives: Configuration

Hyper-V Manager – Connect to VM CredSSP error

[Window Title]
Remote Desktop Connection

[Content]
An authentication error has occurred.
The function requested is not supported

Remote computer:
This could be due to CredSSP encryption oracle remediation.
For more information, see https://go.microsoft.com/fwlink/?linkid=866660

The most annoying part about this was that everything looked fine.

So I did the usual checks:

1. Make sure the Windows Remote Management (WS-Management) service is running

2. Verify that CredSSP is enabled

3. Review the current settings

4. Make sure delegation is allowed for the Hyper-V host server

Everything looked OK.

Finally I stumbled on the Microsoft article about the CredSSP remediation error when connecting over RDP.

I created the necessary registry key and value here:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters
"AllowEncryptionOracle"=dword:00000002

No reboot is required; it worked immediately.
Yes, you may now be vulnerable to the encryption oracle attack; see Microsoft’s CredSSP guidance (the link in the error message above).
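As an added example (not from the original post), the four checks above and the registry change, run from an elevated PowerShell session on the machine you connect from; the meaning of the three AllowEncryptionOracle values is taken from Microsoft’s CredSSP guidance.

```powershell
# Added example, not the post's own commands. Run elevated on the connecting client.

# 1. WinRM must be running for Hyper-V Manager's remote connection to work
Get-Service WinRM | Select-Object Name, Status, StartType

# 2.-4. CredSSP client/server state on this machine, including the hosts it is
#       allowed to delegate fresh credentials to (the Hyper-V host must be listed)
Get-WSManCredSSP

# The remediation policy. Values per Microsoft's guidance:
#   0 = Force Updated Clients, 1 = Mitigated, 2 = Vulnerable
$KeyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'

$current = Get-ItemProperty -Path $KeyPath -Name AllowEncryptionOracle -ErrorAction SilentlyContinue
if ($null -eq $current) { 'AllowEncryptionOracle is not set (patched default applies)' }
else { 'AllowEncryptionOracle = {0}' -f $current.AllowEncryptionOracle }

# The post's workaround: value 2 lets the unpatched side connect again. Because it
# reinstates the encryption oracle exposure, treat it as temporary and patch the
# other end, then revert to 1 (Mitigated) with the commented line below.
New-Item -Path $KeyPath -Force | Out-Null
Set-ItemProperty -Path $KeyPath -Name AllowEncryptionOracle -Value 2 -Type DWord

# Revert once both ends are patched:
# Set-ItemProperty -Path $KeyPath -Name AllowEncryptionOracle -Value 1 -Type DWord
```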

Windows HyperV Server inplace upgrade – broken network

Windows Server HyperV 2012 > 2012 R2 > 2019

Cannot connect HyperV Manager to HyperV server after in-place upgrade when your domain controller is a virtual machine

So you’ve decided on your upgrade path and committed to action, only to find out your HyperV virtual machines cannot be seen on your network after upgrade.

My home lab runs on the Hyper-V Server 2012 console edition, which, as you should know, means no GUI. I am very happy with that for many reasons: the attack surface is minimal, resources aren’t needlessly used up and, best of all, it’s free.

I decided to upgrade mainly because testing Microsoft Intune meant I needed to enable a virtual TPM in Hyper-V, and I was due an upgrade anyway.

Microsoft HyperV Server 2012 > HyperV 2012 R2 > HyperV 2019

So I downloaded HyperV Server 2012 R2, created a bootable usb and performed an in-place upgrade on my HyperV

Once it completed I immediately faced connectivity problems. My home lab is budget, which means my domain controller is a VM, and yes, you guessed it, it is hosted by the Hyper-V server.

So how do I fix the network when I can’t remotely connect Hyper-V Manager to the Hyper-V server? The problem is that the authentication source is unreachable: the DC, as a VM, cannot approve the connection request to the Hyper-V server because the virtual switch is no longer configured properly.

My suspicion is that with any in-place Windows upgrade, the network adapters tend to get renewed in some shape or form.

Know your setup

To really understand this problem and the solution I should probably describe my network setup

My Hyper-V box has 4 VMs and 2 virtual switches:

  • swInternal (Internal LAN switch to my home LAN)
  • swExternal (External WAN switch to my Virgin router, which is currently in “modem mode”)
  • VM 1 = Firewall gateway (has two virtual NICs swInternal and swExternal)
  • VM 2 = Domain controller (swInternal)
  • VM 3 = webserver (reading this blog from it right now) (swInternal)
  • VM 4 = test machine (constantly being destroyed and re created) (swInternal)

My setup is such that the firewall gateway VM has two network adapters, one for my internal LAN and one for the WAN. The rest of the VMs only have the internal LAN

Identify the problem

  • We cannot connect to or see any of the VMs on the LAN; we can’t ping anything
  • We can’t connect Hyper-V Manager to the Hyper-V server
  • We can, however, connect directly using a spare keyboard, mouse and display, log in and then open PowerShell

Solving the problem

There is a 99% chance that fixing the virtual switches will solve all our problems, so what’s the process?

You will need to know a local admin account for your Hyper-V server.

  1. Shut down all VMs
  2. Review the current setup. Enumerate the virtual switches and VM adapters
  3. Detach the adapters from the VMs
  4. Destroy and recreate the virtual switches
  5. Re-attach the adapters to the VMs

Sounds simple, right? OK, let’s crack on.

Log in to the Hyper-V host and execute the following PowerShell commands.

This will give you an idea of the current switch setup.

From here you can tell I have two hardware NICs and one virtual NIC on the Hyper-V machine itself.
I also have two virtual switches.
And the virtual machines have all been assigned accordingly.
In a broken environment you would likely see no IP addresses; moreover, the statuses would be different.

So now we need to destroy and recreate everything

  1. Stop all the VMs
  2. Disconnect the virtual adapters from the VMs
  3. Remove the virtual switches
  4. Recreate the virtual switches
  5. Re-attach the virtual adapters

Stop all VMs

I’ve filtered this command to only stop VMs that are running.

Disconnect the virtual adapters

I’ve filtered this command to skip adapters connected to the swExternal virtual switch.

Remove the HyperV virtual switch

I only want to remove the swInternal Switch

At this point I decided to rename my network adapters on the host; you don’t have to do this at this stage.

Re-Create HyperV Virtual Switch

I’ve shown here the commands to create both switches as if the external switch didn’t exist. The only difference between the two is that I’m not allowing the swExternal switch management OS connectivity.

The difference between a switch type of “internal” and “external” is that an internal switch is isolated from your LAN and stays internal to the VM host. So if you want connectivity to your LAN, always create a virtual switch of type External. That is in fact the default type when you bind the switch to a physical adapter, so you don’t need to specify it on creation.

If you want to tweak the settings on your newly created switches, you can use the following command.

Re-Attach the HyperV Virtual machine adapters

I’ve filtered this command to avoid adapters already connected to the swExternal switch.

Now that the Hyper-V host adapters and virtual switches have been reconfigured, you are ready to start the VMs.

At this point I’d recommend restarting your Hyper-V host; if you have a domain controller as a VM you’ll need to.
If you are still having connectivity issues you can diagnose further by dropping the firewall on the Hyper-V host with the following command.

If you are having problems with network adapters not setting the correct connection profile, you can force the profile to change
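The five steps above, written out as an added example that is not the post’s own command listing: it runs from the Hyper-V host console as a local administrator, uses the switch names from the post, and assumes the physical LAN adapter is called NIC-LAN (check Get-NetAdapter for yours).

```powershell
# Added example, not the post's commands. Run elevated on the Hyper-V host itself.
$InternalSwitch = 'swInternal'
$ExternalSwitch = 'swExternal'
$LanNic         = 'NIC-LAN'      # assumed host adapter name; see Get-NetAdapter output

# --- Review the current setup -------------------------------------------------
Get-NetAdapter | Format-Table Name, InterfaceDescription, Status, MacAddress
Get-VMSwitch   | Format-Table Name, SwitchType, NetAdapterInterfaceDescription, AllowManagementOS
Get-VM | Get-VMNetworkAdapter | Format-Table VMName, Name, SwitchName, Status, IPAddresses

# --- 1. Stop only the VMs that are actually running ------------------------------
Get-VM | Where-Object State -eq 'Running' | Stop-VM -Force

# --- 2. Disconnect every VM adapter except those on swExternal -------------------
$ToReattach = Get-VM | Get-VMNetworkAdapter | Where-Object { $_.SwitchName -ne $ExternalSwitch }
$ToReattach | Disconnect-VMNetworkAdapter

# --- 3. Remove the broken internal switch --------------------------------------
Remove-VMSwitch -Name $InternalSwitch -Force

# --- 4. Recreate it. Binding to a physical NIC gives SwitchType External (the
#        default), so it bridges to the LAN; the management OS keeps a vNIC on it
#        so the host itself stays reachable after the rebuild.
New-VMSwitch -Name $InternalSwitch -NetAdapterName $LanNic -AllowManagementOS $true
# The WAN switch as the post describes it, for reference (no management OS vNIC):
# New-VMSwitch -Name $ExternalSwitch -NetAdapterName 'NIC-WAN' -AllowManagementOS $false

# If the host had a static address on "vEthernet ($InternalSwitch)", set it again now
# with New-NetIPAddress / Set-DnsClientServerAddress before starting the DC.

# --- 5. Reattach the adapters disconnected in step 2 ----------------------------
foreach ($nic in $ToReattach) {
    Connect-VMNetworkAdapter -VMName $nic.VMName -Name $nic.Name -SwitchName $InternalSwitch
}
Get-VM | Get-VMNetworkAdapter | Format-Table VMName, SwitchName, Status

# Host vNIC landed on the wrong (Public) profile? Force it back to Private.
Get-NetConnectionProfile | Where-Object InterfaceAlias -like "*$InternalSwitch*" |
    Set-NetConnectionProfile -NetworkCategory Private

# Start the domain controller first, then the remaining VMs (Start-VM <name>).
```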

Mopping up

Finally we need to tidy up the Windows.old folder created on the root of the system drive.
Three steps:
1. Take ownership of the folder
2. Reset the security permissions
3. Delete the folder
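The three clean-up steps as an added example (not the post’s own commands), assuming Windows.old sits on the default C: drive and the shell is elevated.

```powershell
# Added example, not the post's commands. Elevated PowerShell on the upgraded host.
$Old = 'C:\Windows.old'   # assumed location: root of the system drive

# 1. Take ownership recursively (/R), assign it to the Administrators group (/A)
#    and answer Yes to any prompt (/D Y)
takeown /F $Old /R /A /D Y | Out-Null

# 2. Reset the ACLs to the inherited defaults, then make sure Administrators have
#    full control on the folder, its subfolders (CI) and files (OI); /C continues
#    past errors, /Q suppresses the per-file success lines
icacls $Old /reset /T /C /Q
icacls $Old /grant 'Administrators:(OI)(CI)F' /T /C /Q

# 3. Delete the folder
Remove-Item -LiteralPath $Old -Recurse -Force
```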

Visual Studio 2017 – SSDT – F5 to execute query

SSDT: re-map “F5” to Execute Query, not to compile the project!

I’ve been an advocate of using SQL Server Management Studio (SSMS) to manage procedures, views, functions, triggers and other SQL server objects.

Primarily because it was the right tool for the job, and secondly because we have always been able to integrate with source control using the MSSCCI provider downloadable for the version of VS in use.

However, since VS 2017 Microsoft have decided to deprecate MSSCCI and push people to use the SSDT shell instance of VS.

They have even gone as far as deprecating the “Query Designer” toolbar in VS.

So now, when you are editing a stored procedure or function and want to execute it against the database, you have to use the mouse to perform many operations before you can finally execute it.

I’ve accepted the push from SSMS to VS SSDT; however, I tweaked my install. I prefer to use the F5 key to run my T-SQL against my connection. Believe it or not, this greatly improves the experience of using VS over SSMS.

Here’s How

What we are going to do is create two re-maps, that will only apply when you are editing t-sql scripts

1. In your Visual Studio 2017 SSDT shell instance, go to Tools > Options > Environment > Keyboard

2. In “Show commands containing” type “execute”

3. Select the item “SQL.TSqlEditorExecuteQuery”

Now we create the two maps

4a. From “Use new shortcut in” select “Microsoft SQL Server Data Tools, T-SQL Editor”

In “Press shortcut keys” press F5, then click Assign

4b. From “Use new shortcut in” select “Microsoft SQL Server Data Tools, T-SQL PDW Editor”

In “Press shortcut keys” press F5, then click Assign

Note that the Debug.Start(F5 (Global)) mapping will not be affected

Lastly, I prefer that “Ctrl-N” opens a new query window ready to execute against my DB

Add another mapping for this action “Tools.TSqlEditorNewQueryConnection”

Now you can test to see if this has worked. Note that Ctrl-N will only operate from an existing open .sql file

Open a .sql file and hit F5, if you are not already connected, you should see the connection prompt

Exchange Web Service (EWS) configuration

The idea here is to create two groups in Active Directory. The first group will contain the mailbox accounts you wish to allow access to and manipulation of objects within the mailbox (sgEWSImpersonateAble). The second will contain the accounts you wish to allow access to the accounts in the first group (sgEWSImpersonate).

What we want to do is

  • AD – Create a security group (sgEWSImpersonateAble); this group will hold the accounts we want to be able to impersonate (e.g. test accounts, dev systems, etc.)
  • AD – Create a security group (sgEWSImpersonate); this group will hold the accounts we want to allow to impersonate the accounts in the group sgEWSImpersonateAble
  • EX – Create a scope (scopeEWSImpersonate); we use this scope to link the ApplicationImpersonation Exchange role to the security group created in the first step, i.e. we assign the scope to the security group sgEWSImpersonateAble
  • EX – Create a role assignment (mraEWSImpersonation); this Management Role Assignment ties the ApplicationImpersonation role to the scope, which completes the loop between AD and Exchange

Follow these steps

  1. Create the security group in AD (it can be mail-enabled or not, it makes no difference)
    Group Name: sgEWSImpersonateAble
    Group Description: Exchange Web Service impersonation. Accounts in this group can be impersonated by members of the group sgEWSImpersonate via Exchange Web Service calls
    Group Members: TestAccounts, testsqlmailuser, etc.
  2. Create the security group in AD (it can be mail-enabled or not, it makes no difference)
    Group Name: sgEWSImpersonate
    Group Description: Exchange Web Service impersonation. Accounts in this group will be able to impersonate members of the group sgEWSImpersonateAble via Exchange Web Service (EWS) calls
    Group Members: Developer1, Developer2, Sysadmin1, svcAccount, etc.
  3. Create the scope (this only needs to be run once). In the Exchange Management PowerShell console run the following; it links the scope to the group. First get the distinguished name of the security group we created for the accounts to impersonate:

    >$sgEWSImpersonateAble = $(Get-DistributionGroup sgEWSImpersonateAble).Identity.DistinguishedName

    Verify we have it by looking at the variable:
    >$sgEWSImpersonateAble
    CN=sgEWSImpersonateAble,OU=OrganisationalUnitContainingTheGroup,DC=DomainName,DC=local

    Now create the scope, linking it to the group:
    >New-ManagementScope -Name:scopeEWSImpersonate -RecipientRestrictionFilter:"MemberOfGroup -eq '$sgEWSImpersonateAble'"

  4. Create the role assignment (to link the scope to the group containing the accounts we want to allow to impersonate):
    >New-ManagementRoleAssignment -Name:mraEWSImpersonation -Role:ApplicationImpersonation -SecurityGroup "sgEWSImpersonate" -CustomRecipientWriteScope:scopeEWSImpersonate

Long story short, execute the following in the Exchange Management PowerShell console. Replace the names with those you prefer.

>$sgEWSImpersonateAble = $(Get-DistributionGroup sgEWSImpersonateAble).Identity.DistinguishedName
>$sgEWSImpersonateAble
CN=sgEWSImpersonateAble,OU=OrganisationUnitContainingTheGroup,DC=Domain,DC=local
>New-ManagementScope -Name:scopeEWSImpersonate -RecipientRestrictionFilter:"MemberOfGroup -eq '$sgEWSImpersonateAble'"
>New-ManagementRoleAssignment -Name:mraEWSImpersonation -Role:ApplicationImpersonation -SecurityGroup "sgEWSImpersonate" -CustomRecipientWriteScope:scopeEWSImpersonate

Now you can add and remove people and mailboxes to and from the two groups to control which accounts may impersonate which mailboxes.
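Because the two groups now decide who can act as whom over EWS, it is worth re-checking what they grant. This added example (not part of the original post) audits the assignment, the scope filter and the group memberships from the Exchange Management Shell; it uses only the names defined above and Get-Group so it also works when the groups are not mail-enabled.

```powershell
# Added example, not the post's commands. Run in the Exchange Management Shell.
$ImpersonateAble = 'sgEWSImpersonateAble'   # mailboxes that may be impersonated
$Impersonators   = 'sgEWSImpersonate'       # accounts allowed to impersonate
$ScopeName       = 'scopeEWSImpersonate'
$AssignmentName  = 'mraEWSImpersonation'

# 1. The assignment must bind ApplicationImpersonation to our group and our scope only
Get-ManagementRoleAssignment -Identity $AssignmentName |
    Format-List Name, Role, RoleAssigneeName, RoleAssigneeType, CustomRecipientWriteScope, Enabled

# 2. The scope's filter must still point at the impersonate-able group's DN; if the
#    group is ever recreated the DN changes and the scope silently matches nothing
$scope      = Get-ManagementScope -Identity $ScopeName
$expectedDn = (Get-Group -Identity $ImpersonateAble).DistinguishedName
if ($scope.RecipientFilter -notlike "*$expectedDn*") {
    Write-Warning "Scope '$ScopeName' does not reference $expectedDn. Filter is: $($scope.RecipientFilter)"
}

# 3. Any other ApplicationImpersonation assignment widens who can read mailboxes;
#    list them so unexpected grants stand out
Get-ManagementRoleAssignment -Role ApplicationImpersonation |
    Where-Object Name -ne $AssignmentName |
    Format-Table Name, RoleAssigneeName, CustomRecipientWriteScope, RecipientWriteScope -AutoSize

# 4. Who can impersonate whom right now
$canImpersonate = (Get-Group -Identity $Impersonators).Members   | Select-Object -ExpandProperty Name
$impersonatable = (Get-Group -Identity $ImpersonateAble).Members | Select-Object -ExpandProperty Name
'Impersonators  ({0}): {1}' -f @($canImpersonate).Count, ($canImpersonate -join ', ')
'Impersonatable ({0}): {1}' -f @($impersonatable).Count, ($impersonatable -join ', ')
```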

References

http://msdn.microsoft.com/en-us/library/exchange/bb204095(v=exchg.140).aspx

Set-ManagementRoleAssignment
http://technet.microsoft.com/en-us/library/dd335173(v=exchg.141).aspx
New-ManagementRoleAssignment
http://technet.microsoft.com/en-us/library/dd335193(v=exchg.141).aspx
New-ManagementScope
http://technet.microsoft.com/en-us/library/dd335137(v=exchg.141).aspx
Set-ManagementScope
http://technet.microsoft.com/en-us/library/dd297996.aspx

SQL 2008 SSRS Web Service access from .NET

When you try to access a report server web service from code, you get an error similar to the following (the scheme or header varies a little):

The HTTP request is unauthorized with client authentication scheme ‘Basic’. The authentication header received from the server was ‘Negotiate,NTLM’

Basically my situation is that we have an MS Server 2008 box running SSRS outside of our domain in the DMZ. However, we need to execute code on a domain machine that will connect and run over 100 reports on the SSRS server, then dump them on a share in our domain in Excel format.

To get around the negotiation problem you need to make sure the SSRS server is allowing connections configured using basic authentication

Find the file

rsreportserver.config

This is usually buried in the install folder

C:\Program Files\Microsoft SQL Server\MSRS10_50.MSSQLSERVER\Reporting Services\ReportServer

Then change the authentication section to support the authentication type you intend to connect with.

More info is available on MSDN.
Once you have done that you should be good to connect.
Here is some sample code to get you started with connecting to your web service and pulling back a list of items.
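As an added example (not the post’s own sample), a Windows PowerShell 5.1 client that talks to the SSRS SOAP endpoint with Basic authentication and lists the catalog; the server URL and the account are assumptions, and the server-side change is the one the post describes.

```powershell
# Added example, not the post's code. Windows PowerShell 5.1 (New-WebServiceProxy).
# Server side (rsreportserver.config, the post's step): <AuthenticationTypes> must
# contain <RSWindowsBasic/>. Basic only base64-encodes the password, so the report
# server URL must be HTTPS or the DMZ hop exposes the credential in clear text.
$ReportServer = 'https://ssrs.dmz.example.com/ReportServer'   # assumed URL
$Cred = Get-Credential -Message 'Account the DMZ SSRS box knows (local or its own domain)'

function Get-SsrsReports {
    param([string]$Url, [pscredential]$Credential)

    # Build a typed proxy from the WSDL; the same credential is used for the WSDL fetch
    $rs = New-WebServiceProxy -Uri "$Url/ReportService2010.asmx?wsdl" -Credential $Credential
    $rs.PreAuthenticate = $true   # send the Basic header up front, not after a 401 round trip

    try {
        # ListChildren('/', $true) walks the whole catalog; keep just the reports
        $rs.ListChildren('/', $true) | Where-Object TypeName -eq 'Report'
    }
    catch {
        # Proxy calls surface as MethodInvocationException wrapping the WebException
        $inner = $_.Exception.InnerException
        if ($inner -is [System.Net.WebException] -and $inner.Response) {
            $offered = $inner.Response.Headers['WWW-Authenticate']
            Write-Warning "HTTP $([int]$inner.Response.StatusCode). Server offered: $offered"
            Write-Warning "If Basic is missing here, RSWindowsBasic is not enabled in rsreportserver.config"
        }
        throw
    }
}

Get-SsrsReports -Url $ReportServer -Credential $Cred |
    Format-Table Path, ModifiedDate -AutoSize
```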

ASP.NET Combine & Minify CSS & JS on the fly (also tested in Umbraco) in 5 easy steps

Automatically combine, minify, compress and much more on the fly.
Here you will learn in 5 steps how to implement the Combine and Minify project, originally from CodePlex, in any .NET application. I’ve just tested this on an Umbraco installation and it works flawlessly. The project also makes use of 2 open source libraries.

The original project can be found at http://combineandminify.codeplex.com/. I have converted this project from C# to VB and made some considerable further optimisations in the code around the caching mechanism.

The two other libraries included are:

EcmaScript.NET.modified.dll
Yahoo.Yui.Compressor.dll

Along with a lot of custom code, these automatically provide cache-based minification and compression for your CSS and JS files. But it doesn’t stop there: you can also use this project to remove white space from the HTML rendered to the client (the default operation); all comments and commented-out code in included .js and .css files are stripped; you can insert version IDs in font URLs and images; and you can even preload images.

Ok so lets break it down.

What does it do and how?

Taking the .js and .css includes in particular: during the request life-cycle of the .NET engine, combineAndMinify scans the header of the page just prior to rendering it to the client, collects the .js and .css includes, minifies and compresses them, removes comments and white space, and places the new combined content into the cache. So that’s one cache record for the .js and one for the .css. It then strips all the include references out of the page header and replaces them with a single unique include reference pointing to the cached version for the browser to process. In your web.config you have told IIS that all requests for .js and .css files must be routed through the combineAndMinify handler, so when the browser then requests the include, e.g. 33212cce52b6065a.js, the handler pulls the content from the cache and sends it to the client.

This process optimises your site in two ways: it caches the includes, and it gives the client only one include per type to request from the server.

The unique names are calculated from various aspects of the request, for example whether you want caching to occur per page or for the entire website at domain level.

Out of the box, combineAndMinify is intelligent enough not to touch any include that references a different domain, and it is in fact very customisable in that respect.

Furthermore, it knows when any of the files it has cached change and will automatically update the cached version on the request where the change was detected.

See the full spec on codeplex.

Configuration settings (configuration > combineAndMinify):

  Config attribute             Default value     Possible values
  removeWhitespace             false             true/false
  insertVersionIdInFontUrls    false             true/false
  insertVersionIdInImageUrls   false             true/false
  makeImageUrlsLowercase       false             true/false
  prioritizedImages            true              true/false
  preloadAllImages             false             true/false
  cookielessDomains
  enableCookielessDomains      Always            Never/Always/ReleaseModeOnly/DebugModeOnly
  minifyJavaScript             true              true/false
  minifyCSS                    true              true/false
  combineJavaScriptFiles       PerGroup          None/PerGroup/All
  combineCSSFiles              PerGroup          None/PerGroup/All
  headCaching                  None              None/PerSite/PerFolder/PerPage/PerUrl
  exceptionOnMissingFile       Never             Never/Always/ReleaseModeOnly/DebugModeOnly
  active                       ReleaseModeOnly   Never/Always/ReleaseModeOnly/DebugModeOnly

If you’re even half technical you can guess what most of these configuration settings do. If you need a fuller understanding of all the configuration settings, please visit the CodePlex project website, because that is beyond the scope of this how-to.

Implementation

  1. Copy the binaries to your bin folder and add references to them, or include the project in your solution
  2. Copy “HeadAdapter.browser.txt” to your App_Browsers folder and rename it to HeadAdapter.browser
  3. Make the required changes to your web.config file
  4. Change the combineAndMinify config attribute “active” from “Never” to “Always”
  5. Test the solution in Firefox, IE or Chrome and verify the compression in Firebug, the F12 Developer Tools or Firebug Lite respectively

The VB.NET converted, enhanced version of the project compiled to binaries, and the other files you will need:

CombineAndMinify_Dlls

HeadAdapter.browser.txt

web.config.txt

If anyone has any problems at all, I will help where I can. If you want the vb.net version of this project then let me know and I’ll send it over.

Exchange 2010 and exchange 2003 there is currently no route to the mailbox database

As an administrator, during your Exchange 2010 install you may have migrated a single test mailbox from the old Exchange 2003 server into the nice shiny new Exchange 2010 mail server on that new MS Server 2008 64-bit box you have up and running, only to find you couldn’t send mail internally, receive mail internally, or in fact receive mail from an external source either. You’re not alone.

Reviewing the “Queue Viewer” on your Exchange 2010 box, you see there are mails in the queue trying to send with the following error:

there is currently no route to the mailbox database

And you also see mails in the inbound queue on your exchange 2003 box.

Fear not, for there is a simple fix. You must create a routing group connector between Exchange 2003 and Exchange 2010.

According to Microsoft, although Exchange 2003 and Exchange 2010 can coexist in your domain, when you installed the new Exchange 2010 server they don’t quite let you know that routing may not be properly configured; my guess is because there are too many permutations of network configuration you might have. So if, like me, you have a single Exchange 2003 server that you want to talk to your Exchange 2010 server, the solution is pretty simple.

Make sure you login to the exchange 2010 box with an account that has “GOD” privileges on your domain
1. Click start
2. in the search box type “Shell”
3. Right click and run “Exchange Management Shell”
4. Copy and paste the following line into notepad

New-RoutingGroupConnector -Name "Interop RGC" -SourceTransportServers "exchange2010FQDN" -TargetTransportServers "Exchange2003FQDN" -Cost 10 -Bidirectional $true -PublicFolderReferralsEnabled $true

Adjust the names accordingly, and be sure the quotes are real quotes and not some funky character that looks like quotes, as sometimes happens when copying from the internet.
5. Paste the line into the Exchange Management Shell (EMS) and you should see something not too different from this.

(Screenshot: response from adding the route, and verifying the route exists)

6. Now you can verify the creation by running “Get-RoutingGroupConnector”
7. On your exchange 2003 box restart “Simple Mail Transport Protocol” Service
8. On your Exchange 2010 box restart “Mail Exchange Transport” Service
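Steps 4 to 6 as an added example (not the post’s own listing) for the Exchange 2010 Management Shell: it creates the connector only if it is missing, shows both directions that -Bidirectional $true produces, and then looks at the Unreachable queue where the “no route to the mailbox database” messages were sitting. The two FQDNs are the post’s placeholders.

```powershell
# Added example, not the post's commands. Exchange 2010 Management Shell.
$Ex2010 = 'exchange2010FQDN'   # placeholder from the post
$Ex2003 = 'Exchange2003FQDN'   # placeholder from the post
$Name   = 'Interop RGC'

# Create once; running New-RoutingGroupConnector again with the same name fails
if (-not (Get-RoutingGroupConnector | Where-Object Name -eq $Name)) {
    New-RoutingGroupConnector -Name $Name -SourceTransportServers $Ex2010 `
        -TargetTransportServers $Ex2003 -Cost 10 -Bidirectional $true `
        -PublicFolderReferralsEnabled $true
}

# -Bidirectional $true creates one connector in each routing group; both should show here
Get-RoutingGroupConnector | Format-Table Name, SourceRoutingGroup, TargetRoutingGroup, `
    SourceTransportServers, TargetTransportServers, Cost -AutoSize

# Mail with no route lands in the Unreachable queue. Once the connector exists it
# should drain on the next retry; force that rather than waiting for the timer.
$unreachable = Get-Queue -Server $Ex2010 | Where-Object DeliveryType -eq 'Unreachable'
$unreachable | Format-Table Identity, MessageCount, Status, LastError -AutoSize
foreach ($q in $unreachable | Where-Object MessageCount -gt 0) {
    Retry-Queue -Identity $q.Identity
}
```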

Hope this helped you all

References I used
Message Rerouting and the Unreachable Queue
http://technet.microsoft.com/en-us/library/bb232161.aspx

Routing group connector between an Exchange 2010 organization and Exchange 2003 organization doesn’t exist
A routing group connector between the Exchange 2010 routing group and Exchange 2003 routing groups hasn’t been configured, or the last routing group connector between the Exchange 2010 routing group and Exchange 2003 routing groups has been removed. No routing group connector exists to provide a routing path to the Exchange 2003 recipients. To resolve this problem, first verify that the routing group connector is missing. If that’s the case, you can create a routing group connector. For more information, see Create Additional Routing Group Connectors from Exchange 2010 to Exchange 2003. If a routing group connector does exist, the message is in the Unreachable queue for some other reason. Check the configuration of the routing group connector

Create Additional Routing Group Connectors from Exchange 2010 to Exchange 2003
http://technet.microsoft.com/en-us/library/aa997292.aspx

New-RoutingGroupConnector -Name "Interop RGC" -SourceTransportServers "Ex2010Hub1.contoso.com" -TargetTransportServers "Ex2003BH1.contoso.com" -Cost 10 -Bidirectional $true -PublicFolderReferralsEnabled $true

Upgrade from Exchange 2003 Transport
http://technet.microsoft.com/en-us/library/dd638103.aspx
Exchange Management Shell in Exchange 2010
http://technet.microsoft.com/en-us/library/dd795097.aspx

user control is ambiguous in the namespace ‘ASP’

This one was a particular pain.

Long story short try this in your web config

Set batch="false" on the compilation element.

This will allow you to drill further into the problem; it’s not a particularly desirable attribute to set in production.