Xadean's Empirical Musing
Xadean's contribution to the consulting community: an anthology of lessons learned and technical insights.
November 26
Skype for Business (SFB) Client Drops from A/V Web Conferences Immediately after Joining

Description of Issue:

In an environment with the following on-premises components, a single user was repeatedly dropped from SFB Online Meetings immediately after joining with audio.

 

  • Windows 2012 R2 Active Directory
  • Enterprise SFB 2015 Front End Pool
  • Enterprise SFB 2015 Edge Pool
  • SFB 2015 Persistent Chat Server
  • Office Web Apps Server
  • Windows 2012 R2 Web Application Proxy
  • Windows 2016 IIS ARR

 

The user began to experience this issue following a perimeter firewall upgrade and a laptop rebuild, so there were several potential root causes.

 

Root Cause Analysis & Resolution:

Since the firewall had just been upgraded, the initial thinking was that a misconfigured inbound access policy was dropping the user. The peculiar thing was that other remote users did not experience the same issue; if the firewall were at fault, all users should have shown the same behavior. Nonetheless, we configured a packet capture on the firewall and compared traces from the affected user with traces from unaffected users. All traces showed the clients reaching the SIP Access, Web Conferencing, and A/V Conferencing Edge interfaces as expected. The affected user's trace did show the client sending TCP RST segments and ICMP messages to the A/V Conferencing Edge interface right before being disconnected, which pointed at the client tearing the session down rather than the firewall blocking it. We ruled the firewall out since it was accepting all the inbound traffic.

 

We then analyzed the affected user's PC, beginning with Windows Defender exceptions for Lync.exe and then disabling the Windows firewall and real-time protection entirely; the user still experienced the issue. We had the user join another organization's SFB Online meeting and the disconnect did not occur, so the problem was specific to this deployment. Looking at the SFB Edge Pool configuration, we noticed that an SSL certificate issued by an internal Certificate Authority (CA) was assigned. We exported that internal CA's root certificate and imported it into the Trusted Root Certification Authorities store on the user's PC. VOILA! That solved the issue. The rebuilt laptop simply no longer trusted the internal CA, so the client's TLS validation of the Edge certificate failed and the media session was torn down; the other users' machines presumably still had that root, which is why only this one user was affected. Note that hand-importing a private root makes the laptop trust everything that CA ever issues, so the durable fix is to deliver the root to managed machines through Group Policy (or to use a certificate from a publicly trusted CA on the external Edge interfaces) rather than repeating the import on each rebuilt machine.
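A quick way to see what the client's TLS validation actually sees before importing anything, added here as an example (it is not from the original post): the function below connects to an Edge interface, records the SslPolicyErrors that the .NET validator reports, rebuilds the chain and checks whether the top of that chain is present in the machine or user Trusted Root store. The host name av.contoso.com in the usage line is a placeholder for the A/V Conferencing Edge external FQDN.

```powershell
# Added example, not part of the original post. Probe an Edge interface the way the
# client's TLS stack does and report why the chain is (or is not) trusted.
function Test-EdgeCertificateTrust {
    param(
        [Parameter(Mandatory)][string]$HostName,   # Edge external FQDN (placeholder in the usage below)
        [int]$Port = 443
    )
    $capture = @{ Errors = $null; Cert = $null }
    # Diagnostic only: the callback accepts whatever is presented so we can inspect it afterwards.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $capture.Errors = $sslPolicyErrors
        $capture.Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certificate
        return $true
    }
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        $ssl.Dispose()
    } finally {
        $tcp.Close()
    }
    # Rebuild the chain locally (no revocation check; only trust matters here) to find the top certificate.
    $x509chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $x509chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $null = $x509chain.Build($capture.Cert)
    $top = $x509chain.ChainElements[$x509chain.ChainElements.Count - 1].Certificate
    $chainStatus = ($x509chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    [pscustomobject]@{
        Endpoint           = "${HostName}:$Port"
        SslPolicyErrors    = $capture.Errors.ToString()        # 'None' means this client trusts the server
        LeafSubject        = $capture.Cert.Subject
        LeafIssuer         = $capture.Cert.Issuer
        TopOfChain         = $top.Subject
        TopIsSelfSigned    = ($top.Subject -eq $top.Issuer)     # $false: the root was never found on this machine
        ChainStatus        = if ($chainStatus) { $chainStatus } else { 'OK' }
        RootInMachineStore = Test-Path "Cert:\LocalMachine\Root\$($top.Thumbprint)"
        RootInUserStore    = Test-Path "Cert:\CurrentUser\Root\$($top.Thumbprint)"
    }
}

# Usage (av.contoso.com is a placeholder for the A/V Conferencing Edge external FQDN):
Test-EdgeCertificateTrust -HostName 'av.contoso.com' -Port 443 | Format-List
```

On the rebuilt laptop in this post the output would show SslPolicyErrors of RemoteCertificateChainErrors, a ChainStatus containing UntrustedRoot (or PartialChain if the issuer is not even reachable), and both Root*Store fields false; after the import, RootInMachineStore flips to true and SslPolicyErrors reads None. Run it from a working machine as well: if the root is present there, the Edge configuration is fine and the client is the problem.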

November 05
Exchange Server 2013 Management Tools (EMS & EAC) Failing with Errors

Issue Experienced:

When attempting to launch the Exchange Management Shell (EMS) and the Exchange Admin Center (EAC), the following error messages appear, respectively.

EMS Error #1:

 

Welcome to the Exchange Management Shell!

 

Full list of cmdlets: Get-Command

Only Exchange cmdlets: Get-ExCommand

Cmdlets that match a specific string: Help *<string>*

Get general help: Help

Get help for a cmdlet: Help <cmdlet name> or <cmdlet name> -?

Exchange team blog: Get-ExBlog

Show full output for a command: <command> | Format-List

 

Show quick reference guide: QuickRef

Tip of the day #63:

 

Any cmdlet that accepts a size value lets you specify whether the integer value is in kilobytes (KB), megabytes (MB), gigabytes (GB), or terabytes (TB). For example:

 

Set-Mailbox "Kim Akers" -ProhibitSendQuota 200MB -UseDatabaseQuotaDefaults $False

 

VERBOSE: Connecting to ExchSrvr.mail.com.

New-PSSession : [ExchSrvr.mail.com] Connecting to remote server ExchSrvr.mail.com failed with the

following error message : <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"

"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">

<html xmlns="http://www.w3.org/1999/xhtml">

<head>

<title>IIS 8.0 Detailed Error - 500.0 - Internal Server Error</title>

<style type="text/css">

<!--

body{margin:0;font-size:.7em;font-family:Verdana,Arial,Helvetica,sans-serif;}

code{margin:0;color:#006600;font-size:1.1em;font-weight:bold;}

.config_source code{font-size:.8em;color:#000000;}

pre{margin:0;font-size:1.4em;word-wrap:break-word;}

ul,ol{margin:10px 0 10px 5px;}

ul.first,ol.first{margin-top:5px;}

fieldset{padding:0 15px 10px 15px;word-break:break-all;}

.summary-container fieldset{padding-bottom:5px;margin-top:4px;}

legend.no-expand-all{padding:2px 15px 4px 10px;margin:0 0 0 -12px;}

legend{color:#333333;;margin:4px 0 8px -12px;_margin-top:0px;

font-weight:bold;font-size:1em;}

a:link,a:visited{color:#007EFF;font-weight:bold;}

a:hover{text-decoration:none;}

h1{font-size:2.4em;margin:0;color:#FFF;}

h2{font-size:1.7em;margin:0;color:#CC0000;}

h3{font-size:1.4em;margin:10px 0 0 0;color:#CC0000;}

h4{font-size:1.2em;margin:10px 0 5px 0;

}#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS",Verdana,sans-serif;

color:#FFF;background-color:#5C87B2;

}#content{margin:0 0 0 2%;position:relative;}

.summary-container,.content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}

.content-container p{margin:0 0 10px 0;

}#details-left{width:35%;float:left;margin-right:2%;

}#details-right{width:63%;float:left;overflow:hidden;

}#server_version{width:96%;_height:1px;min-height:1px;margin:0 0 5px 0;padding:11px 2% 8px 2%;color:#FFFFFF;

background-color:#5A7FA5;border-bottom:1px solid #C1CFDD;border-top:1px solid #4A6C8E;font-weight:normal;

font-size:1em;color:#FFF;text-align:right;

}#server_version p{margin:5px 0;}

table{margin:4px 0 4px 0;width:100%;border:none;}

td,th{vertical-align:top;padding:3px 0;text-align:left;font-weight:normal;border:none;}

th{width:30%;text-align:right;padding-right:2%;font-weight:bold;}

thead th{background-color:#ebebeb;width:25%;

}#details-right th{width:20%;}

table tr.alt td,table tr.alt th{}

.highlight-code{color:#CC0000;font-weight:bold;font-style:italic;}

.clear{clear:both;}

.preferred{padding:0 5px 2px 5px;font-weight:normal;background:#006633;color:#FFF;font-size:.8em;}

-->

</style>

 

</head>

<body>

<div id="content">

<div class="content-container">

<h3>HTTP Error 500.0 - Internal Server Error</h3>

<h4>Module &quot;WSMan&quot; could not be found</h4>

</div>

<div class="content-container">

<fieldset><h4>Most likely causes:</h4>

<ul> <li>The module could not be found.</li> <li>IIS received the request; however, an internal error

occurred during the processing of the request. The root cause of this error depends on which module handles the

request and what was happening in the worker process when this error occurred.</li> <li>IIS was not able to access

the web.config file for the Web site or application. This can occur if the NTFS permissions are set incorrectly.</li>

<li>IIS was not able to process configuration for the Web site or application.</li> <li>The authenticated user

does not have permission to use this DLL.</li> </ul>

</fieldset>

</div>

<div class="content-container">

<fieldset><h4>Things you can try:</h4>

<ul> <li>Verify that the module name is not misspelled in the configuration/system.webServer/globalModules

config section. The error description may contain additional information to help you determine which module is causing

the error.</li> <li>Ensure that the NTFS permissions for the web.config file are correct and allow access to the

Web server's machine account.</li> <li>Check the event logs to see if any additional information was logged.</li>

<li>Verify the permissions for the DLL.</li> <li>Create a tracing rule to track failed requests for this HTTP

status code. For more information about creating a tracing rule for failed requests, click <a

href="http://go.microsoft.com/fwlink/?LinkID=66439">here</a>. </li> </ul>

</fieldset>

</div>

 

<div class="content-container">

<fieldset><h4>Detailed Error Information:</h4>

<div id="details-left">

<table border="0" cellpadding="0" cellspacing="0">

<tr class="alt"><th>Module</th><td>&nbsp;&nbsp;&nbsp;IIS Web Core</td></tr>

<tr><th>Notification</th><td>&nbsp;&nbsp;&nbsp;BeginRequest</td></tr>

<tr class="alt"><th>Handler</th><td>&nbsp;&nbsp;&nbsp;Not yet determined</td></tr>

<tr><th>Error Code</th><td>&nbsp;&nbsp;&nbsp;0x80070002</td></tr>

 

</table>

</div>

<div id="details-right">

<table border="0" cellpadding="0" cellspacing="0">

<tr class="alt"><th>Requested URL</th><td>&nbsp;&nbsp;&nbsp;https://ExchSrvr.mail.com:444/powershell?serial

izationLevel=Full;ExchClientVer=15.0.1395.4;clientApplication=ManagementShell;TargetServer=;PSVersion=3.0&amp;sessionID

=Version_15.0_(Build_1394.4)=rJqNiZqNgaqsuqe8t8/O0ZyQkYuWkYqKkpGai9GckJKBzsbLzsbGycbOyoHNz87H0s7O0s/Kq8/LxczJxc3H</td><

/tr>

<tr><th>Physical Path</th><td>&nbsp;&nbsp;&nbsp;C:\Program Files\Microsoft\Exchange

Server\V15\ClientAccess\PowerShell-Proxy</td></tr>

<tr class="alt"><th>Logon Method</th><td>&nbsp;&nbsp;&nbsp;Not yet determined</td></tr>

<tr><th>Logon User</th><td>&nbsp;&nbsp;&nbsp;Not yet determined</td></tr>

 

</table>

<div class="clear"></div>

</div>

</fieldset>

</div>

 

<div class="content-container">

<fieldset><h4>More Information:</h4>

This error means that there was a problem while processing the request. The request was received by the Web server,

but during processing a fatal error occurred, causing the 500 error.

<p><a href="http://go.microsoft.com/fwlink/?LinkID=62293&amp;IIS70Error=500,0,0x80070002,9200">View more information

&raquo;</a></p>

<p>Microsoft Knowledge Base Articles:</p>

<ul><li></li></ul>

 

</fieldset>

</div>

</div>

</body>

</html>

Error occurred during the Kerberos reponse.

[Server=ExchSrvr, TimeStamp = 114/2018 23:28:18]

For more information, see the about_Remote_Troubleshooting Help topic.

At line:1 char:1

+ New-PSSession -ConnectionURI "$connectionUri" -ConfigurationName Microsoft.Excha ...

+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ CategoryInfo : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotin

gTransportException

+ FullyQualifiedErrorId : -2144108173,PSSessionOpenFailed

 

EMS Error #2:

failed with the following error message: [ClientAccessServer=,BackEndServer=,RequestId=d89f6ed1-19

8b-4a00-9941-a08f1bb78c54,TimeStamp=11/5/2018 6:58:02 AM]

[AuthZRequestId=b2c5b4c3-edd9-410c-a7fe-af0499783858][FailureCategory=AuthZ-SetupVersionInformationCorruptException] Unable to determine the installed file version from the registry key 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine'. For more information, see the about_Remote_Troubleshooting Help topic.

At line:1 char:1

 

EAC Error #1 (occurs with EMS Error #2):

Connecting to remote server failed with the following error message : IIS 8.0 Detailed Error - 500.0 - Internal Server Error

 

Cause:

EMS Error #1 occurs because the WS-Management (WSMan) native module is not registered in IIS (there is no entry for it under system.webServer/globalModules in applicationHost.config), so the PowerShell virtual directory that EMS connects to cannot load it and IIS answers with 500.0 and error code 0x80070002 (file not found).

 

EMS Error #2 and EAC Error #1 occur because the Windows PowerShell 2.0 Engine is not installed. Exchange 2013's authorization code reads the engine version from HKLM\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine, and that key only exists when the 2.0 engine feature is present.

 

Resolution:

To resolve EMS Error #1, follow these steps in IIS Manager.

  1. Open IIS Manager and navigate to the Default Web Site.
  2. In the center (Features View) pane, double-click Modules.
  3. WSMan should not appear in the list of enabled modules.
  4. Click Configure Native Modules in the Actions pane.
  5. Verify that WSMan is listed there without a check in the box next to it.
    1. If WSMan is not listed, go to step 10.
  6. Navigate to the PowerShell virtual directory under the Default Web Site.
  7. Double-click Modules in the center pane.
  8. Verify that WSMan is not in the list of enabled modules.
  9. Click Configure Native Modules in the Actions pane and verify that WSMan is listed without a check in the box next to it.
  10. If WSMan does not appear in the list, click the server name in the left navigation pane and then double-click Modules in the center pane.
  11. Click Configure Native Modules in the Actions pane.
  12. Click the Register button.
  13. Enter WSMan in the Name field and %windir%\system32\wsmsvc.dll in the Path field (both without quotation marks). Click OK to save and register.
  14. WSMan should now appear in the list of native modules without a check in the box next to it; leave it unchecked.
  15. Open an elevated Command Prompt and run IISRESET /noforce.

EMS Error #1 should now be resolved when you relaunch the Exchange Management Shell.

 

To resolve EMS Error #2 and EAC Error #1, install the Windows PowerShell 2.0 Engine feature.

  1. Open Server Manager.
  2. Click Manage and then select Add Roles and Features.
  3. Click Next through the wizard until you reach the Select Features screen.
  4. Expand Windows PowerShell, check the box next to Windows PowerShell 2.0 Engine, and keep clicking Next until you see the Install button.
  5. Click Install and wait until the operation completes.
  6. Reboot the server.

When you launch EMS or EAC, you should now be able to get into both tools without any issue. One caveat: the 2.0 engine predates script block logging, AMSI and constrained language mode, and powershell.exe -Version 2 is a well-known way to sidestep those controls, so keep the feature to the Exchange servers that need it and restrict who can log on to them interactively.
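The same two checks and fixes in scripted form, added here as an example rather than taken from the original post. It uses the WebAdministration and ServerManager cmdlets that ship with Windows Server 2012 and the appcmd command line equivalent of the Register dialog in steps 12 and 13 (appcmd's /add:false registers the module without enabling it, which is the state step 14 asks for). Run it in an elevated Windows PowerShell on the Exchange 2013 server; without -Apply it only reports.

```powershell
# Added example, not part of the original post: scripted form of the two fixes above.
Import-Module WebAdministration
$appcmd = Join-Path $env:windir 'System32\inetsrv\appcmd.exe'

function Test-WSManNativeModule {
    # Native modules live in applicationHost.config under system.webServer/globalModules.
    $registered = Get-WebGlobalModule -Name 'WSMan' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Registered = [bool]$registered
        Image      = if ($registered) { $registered.Image } else { $null }
    }
}

function Register-WSManNativeModule {
    # What the IIS Manager "Register" dialog does; /add:false = registered but not enabled (step 14).
    & $appcmd install module /name:WSMan "/image:$env:windir\system32\wsmsvc.dll" /add:false
    if ($LASTEXITCODE -ne 0) { throw "appcmd install module failed with exit code $LASTEXITCODE" }
}

function Test-PowerShell2Engine {
    $feature = Get-WindowsFeature -Name 'PowerShell-V2'
    $key = 'HKLM:\SOFTWARE\Microsoft\PowerShell\1\PowerShellEngine'   # the key EMS Error #2 complains about
    [pscustomobject]@{
        FeatureInstalled = [bool]$feature.Installed
        EngineKeyPresent = Test-Path $key
        EngineVersion    = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).PowerShellVersion
    }
}

function Repair-ExchangeManagementPrereqs {
    param([switch]$Apply)   # without -Apply, only report
    $wsman = Test-WSManNativeModule
    $ps2   = Test-PowerShell2Engine
    $wsman | Format-List | Out-Host
    $ps2   | Format-List | Out-Host
    if (-not $wsman.Registered) {
        if ($Apply) {
            Register-WSManNativeModule
            & iisreset /noforce
        } else {
            Write-Warning 'WSMan native module is not registered (EMS Error #1). Re-run with -Apply to register it.'
        }
    }
    if (-not $ps2.FeatureInstalled) {
        if ($Apply) {
            Install-WindowsFeature -Name 'PowerShell-V2'
            Write-Warning 'Windows PowerShell 2.0 Engine installed; reboot the server before retrying EMS/EAC.'
        } else {
            Write-Warning 'PowerShell 2.0 Engine is missing (EMS Error #2 / EAC Error #1). Re-run with -Apply to install it.'
        }
    }
}

Repair-ExchangeManagementPrereqs            # report only
# Repair-ExchangeManagementPrereqs -Apply   # make the changes
```

Registered = False with EngineKeyPresent = False reproduces both error sets from this post at once; after -Apply and the reboot, both tests should report true and EMS should connect to the back end without the IIS 500 page.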

September 01
Sonus SBC - Not able to access web GUI

Problem Description:

Encountered the following error when attempting to access the web GUI of a Sonus SBC 1000/2000 using https://<IP_Addr>:

GOOGLE CHROME

This site can't provide a secure connection

10.22.203.15 uses an unsupported protocol.

ERR_SSL_VERSION_OR_CIPHER_MISMATCH

Unsupported protocol

The client and server don't support a common SSL protocol version or cipher suite.

MOZILLA FIREFOX

An error occurred during a connection to 10.22.203.15. Cannot communicate securely with peer: no common encryption algorithm(s). Error code: SSL_ERROR_NO_CYPHER_OVERLAP

INTERNET EXPLORER

Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings and try connecting to https://10.22.203.15 again. If this error persists, it is possible that this site uses an unsupported protocol or cipher suite such as RC4 (link for the details), which is not considered secure. Please contact your site administrator.

 

RESOLUTION:

  1. In Internet Explorer, go to Tools > Internet Options, select the Advanced tab, scroll down to the Security section, check the boxes next to SSL 2.0, SSL 3.0 and TLS 1.0, and uncheck TLS 1.1 and TLS 1.2. This deliberately downgrades the browser to the legacy protocols the 4.1.1 firmware still speaks; do it only on the admin workstation and only for as long as the upgrade takes.
  2. Upgrade the SBC firmware from 4.1.1 to 7.0.2. After the upgrade, the web GUI should be reachable from any browser.
  3. Revert the Internet Explorer settings from step 1 (uncheck SSL 2.0, SSL 3.0 and TLS 1.0; re-check TLS 1.1 and TLS 1.2) so the workstation is not left accepting SSLv3.
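Before touching browser settings it helps to know which protocol versions the appliance actually offers. The following is an added example (not from the original post): it attempts one handshake per protocol version from a Windows client and reports the negotiated cipher. The address 10.22.203.15 is the one quoted in the error messages above. A "not supported" row can also mean the client OS has that version or its ciphers disabled in SCHANNEL, which is exactly what an IISCrypto-hardened workstation shows for SSL 3.0 or for an RC4-only server, so read the Error column.

```powershell
# Added example, not part of the original post: which TLS/SSL versions does the target accept
# from this Windows client, and what cipher does each handshake end up with?
function Test-TlsProtocolSupport {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443,
        [string[]]$Protocols = @('Ssl3', 'Tls', 'Tls11', 'Tls12')   # System.Security.Authentication.SslProtocols names
    )
    # The SBC presents a self-signed certificate; trust is not what is being tested here.
    $acceptAnyCert = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) return $true }
    foreach ($name in $Protocols) {
        $proto = [System.Security.Authentication.SslProtocols]$name
        $tcp = $null; $ssl = $null
        try {
            $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
            $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAnyCert)
            # Offer exactly one version so the outcome is attributable to that version.
            $ssl.AuthenticateAsClient($HostName, $null, $proto, $false)
            [pscustomobject]@{
                Protocol    = $name
                Supported   = $true
                Cipher      = '{0} ({1}-bit)' -f $ssl.CipherAlgorithm, $ssl.CipherStrength
                Hash        = "$($ssl.HashAlgorithm)"
                KeyExchange = "$($ssl.KeyExchangeAlgorithm)"
                Error       = $null
            }
        } catch {
            # Either the server refused this version/cipher set, or the client's SCHANNEL has it disabled.
            [pscustomobject]@{
                Protocol = $name; Supported = $false; Cipher = $null; Hash = $null; KeyExchange = $null
                Error    = $_.Exception.GetBaseException().Message
            }
        } finally {
            if ($ssl) { $ssl.Dispose() }
            if ($tcp) { $tcp.Close() }
        }
    }
}

Test-TlsProtocolSupport -HostName '10.22.203.15' | Format-Table -AutoSize
```

Run it once before and once after the firmware upgrade: the 4.1.1 table should show only the legacy rows succeeding (if any, given the client's own policy), and the 7.0.2 table should show Tls12 with an AES cipher, at which point step 3 above can be done with confidence.
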
September 01
Azure AD Connect Health Sync Agent failed to register

Description of Issue(s) Experienced:

Encountered the following error messages after upgrading Azure AD Connect on a Windows 2012 member server running Exchange Server 2013 in a hybrid configuration. This server is responsible for the periodic directory synchronization of the on-premises Active Directory to Azure AD (Office 365). The Azure AD Connect Health Sync Agent monitors that process and sends notification alerts via email to global administrators if there are any issues. (The transcript below builds the credential from a password typed in clear text; use Get-Credential instead so the password does not end up in console history or a transcript.)

 

PS C:\>

PS C:\> $azureUserName="globaladmin@TenantID.onmicrosoft.com"

PS C:\>

PS C:\> $azurePassword="**********"

PS C:\>

PS C:\> $azureSecurePassword = ConvertTo-SecureString $azurePassword -AsPlainText -Force

PS C:\>

PS C:\> $azureCreds = New-Object System.Management.Automation.PSCredential $azureUserName, $azureSecurePassword

PS C:\>

PS C:\> Register-AzureADConnectHealthSyncAgent -Credential $azureCreds

2018-05-31 13:53:54.349 ProductName: Microsoft Azure AD Connect Health agent for sync, FileVersion: 3.0.164.0, Current

UTC Time: 2018-05-31 13:53:54Z

 

2018-05-31 13:53:54.349 enableRegiration: True

 

2018-05-31 13:53:54.349 AHealthServiceUri (ARM): https://management.azure.com/providers/Microsoft.ADHybridHealthService

/

 

2018-05-31 13:53:54.364 AdHybridHealthServiceUri: https://s1.adhybridhealth.azure.com/

 

2018-05-31 13:53:54.364 AHealthServiceUri (ARM): https://management.azure.com/providers/Microsoft.ADHybridHealthService

/

 

2018-05-31 13:53:54.364 AdHybridHealthServiceUri: https://s1.adhybridhealth.azure.com/

 

2018-05-31 13:53:54.786 AHealthServiceApiVersion: 2014-01-01

 

2018-05-31 13:53:56.112 Detecting AadSyncService roles...

 

2018-05-31 13:53:57.063 Detected the following role(s) for ContinuumInnovations.onmicrosoft.com:

 

2018-05-31 13:53:57.063     Microsoft Azure Active Directory Sync Services

 

2018-05-31 13:54:02.976 Aquiring Monitoring Service certificate using tenant.cert

 

Register-AzureADConnectHealthSyncAgent : Failed configuring Monitoring Service using command: C:\Program

Files\Microsoft Azure AD Connect Health Sync

Agent\Monitor\Microsoft.Identity.Health.AadSync.MonitoringAgent.Startup.exe sourcePath="C:\Program Files\Microsoft

Azure AD Connect Health Sync Agent\tenant.cert" version="1.1.819.0"

At line:1 char:1

+ Register-AzureADConnectHealthSyncAgent -Credential $azureCreds

+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ CategoryInfo : NotSpecified: (:) [Register-AzureADConnectHealthSyncAgent], InvalidOperationException

+ FullyQualifiedErrorId : System.InvalidOperationException,Microsoft.Identity.AadConnect.Health.AadSync.PowerShell

.ConfigurationModule.RegisterAzureAdConnectHealthSyncAgent

 

 

 

PS C:\temp> .\AADConnect-CommunicationsTest.ps1

 

Security warning

Run only scripts that you trust. While scripts from the internet can be useful, this script can potentially harm your

computer. If you trust this script, use the Unblock-File cmdlet to allow the script to run without this warning

message. Do you want to run C:\temp\AADConnect-CommunicationsTest.ps1?

[D] Do not run [R] Run once [S] Suspend [?] Help (default is "D"): R

Running all tests.

[2018-07-20 09:54:37] [SUCCESS] :: Successfully logged on to Azure Active Directory as .

[2018-07-20 09:54:37] [SUCCESS] :: User is a member of Global Administrators.

[2018-07-20 09:54:37] [SUCCESS] :: Successfully resolved _ldap._tcp.CONTINUUMNET.COM.

[2018-07-20 09:54:37] [SUCCESS] :: Successfully resolved BOSDC2.CONTINUUMNET.COM.

[2018-07-20 09:54:37] [ERROR] :: Exception: Error attempting TCP connection to BOSDC2.CONTINUUMNET.COM:53.

[2018-07-20 09:54:37] [ERROR] :: Exception: Error attempting TCP connection to BOSDC2.CONTINUUMNET.COM:135.

[2018-07-20 09:54:37] [ERROR] :: Exception: Error attempting TCP connection to BOSDC2.CONTINUUMNET.COM:389.

[2018-07-20 09:54:38] [ERROR] :: Exception: Error attempting TCP connection to BOSDC2.CONTINUUMNET.COM:445.

[2018-07-20 09:54:38] [ERROR] :: Exception: Error attempting TCP connection to BOSDC2.CONTINUUMNET.COM:3268.

[2018-07-20 09:54:38] [INFO] :: Testing CRL endpoint tests (Invoke-WebRequest).

[2018-07-20 09:54:38] [SUCCESS] :: Successfully obtained CRL from http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl.

[2018-07-20 09:54:38] [SUCCESS] :: Successfully obtained CRL from http://mscrl.microsoft.com/pki/mscorp/crl/msitwww2.crl.

[2018-07-20 09:54:38] [SUCCESS] :: Successfully obtained CRL from http://ocsp.verisign.com.

[2018-07-20 09:54:38] [SUCCESS] :: Successfully obtained CRL from http://ocsp.entrust.net.

[2018-07-20 09:54:38] [INFO] :: Testing Required Resources (TCP:443).

[2018-07-20 09:54:38] [ERROR] :: Error resolving or connecting to adminwebservice.microsoftonline.com [13.106.56.10]:443

[2018-07-20 09:54:38] [ERROR] :: Error resolving or connecting to login.microsoftonline.com [23.100.72.34]:443

[2018-07-20 09:54:38] [ERROR] :: Error resolving or connecting to login.microsoftonline.com [23.100.72.33]:443

[2018-07-20 09:54:38] [ERROR] :: Error resolving or connecting to login.microsoftonline.com [65.52.1.18]:443

[2018-07-20 09:54:38] [ERROR] :: Error resolving or connecting to login.microsoftonline.com [65.52.193.138]:443

[2018-07-20 09:54:38] [ERROR] :: Error resolving or connecting to login.microsoftonline.com [65.52.1.16]:443

[2018-07-20 09:54:38] [ERROR] :: Error resolving or connecting to login.microsoftonline.com [65.52.1.17]:443

[2018-07-20 09:54:39] [ERROR] :: Error resolving or connecting to provisioningapi.microsoftonline.com [65.52.193.139]:443

[2018-07-20 09:54:39] [ERROR] :: Error resolving or connecting to provisioningapi.microsoftonline.com [23.100.72.36]:443

[2018-07-20 09:54:39] [ERROR] :: Error resolving or connecting to provisioningapi.microsoftonline.com [65.52.1.19]:443

[2018-07-20 09:54:39] [ERROR] :: Error resolving or connecting to provisioningapi.microsoftonline.com [23.101.165.170]:443

[2018-07-20 09:54:39] [ERROR] :: Error resolving or connecting to provisioningapi.microsoftonline.com [23.100.72.35]:443

[2018-07-20 09:54:39] [ERROR] :: Error resolving or connecting to login.windows.net [23.100.72.33]:443

[2018-07-20 09:54:39] [ERROR] :: Error resolving or connecting to login.windows.net [65.52.1.18]:443

[2018-07-20 09:54:39] [ERROR] :: Error resolving or connecting to login.windows.net [65.52.1.17]:443

[2018-07-20 09:54:39] [ERROR] :: Error resolving or connecting to login.windows.net [65.52.193.137]:443

[2018-07-20 09:54:39] [ERROR] :: Error resolving or connecting to login.windows.net [65.52.1.16]:443

[2018-07-20 09:54:39] [ERROR] :: Error resolving or connecting to login.windows.net [65.52.193.138]:443

[2018-07-20 09:54:39] [ERROR] :: Error resolving or connecting to login.windows.net [23.100.72.34]:443

[2018-07-20 09:54:39] [ERROR] :: Error resolving or connecting to login.windows.net [65.52.193.136]:443

[2018-07-20 09:54:39] [ERROR] :: Error resolving or connecting to secure.aadcdn.microsoftonline-p.com [104.88.91.203]:443

[2018-07-20 09:54:39] [ERROR] :: Error resolving or connecting to management.core.windows.net [23.102.135.246]:443

[2018-07-20 09:54:39] [ERROR] :: Error resolving or connecting to bba800-anchor.microsoftonline.com [157.55.130.72]:443

[2018-07-20 09:54:40] [INFO] :: Testing Optional Resources (TCP:443).

[2018-07-20 09:54:40] [WARN] :: Error resolving or connecting to management.azure.com [52.235.62.51]:443

[2018-07-20 09:54:40] [WARN] :: Error resolving or connecting to policykeyservice.dc.ad.msft.net [23.101.165.170]:443

[2018-07-20 09:54:40] [WARN] :: Error resolving or connecting to policykeyservice.dc.ad.msft.net [65.52.193.139]:443

[2018-07-20 09:54:40] [WARN] :: Error resolving or connecting to policykeyservice.dc.ad.msft.net [23.100.72.36]:443

[2018-07-20 09:54:40] [WARN] :: Error resolving or connecting to policykeyservice.dc.ad.msft.net [23.100.72.35]:443

[2018-07-20 09:54:40] [WARN] :: Error resolving or connecting to policykeyservice.dc.ad.msft.net [65.52.1.19]:443

[2018-07-20 09:54:40] [WARN] :: Error resolving or connecting to s1.adhybridhealth.azure.com [65.52.193.139]:443

[2018-07-20 09:54:40] [WARN] :: Error resolving or connecting to s1.adhybridhealth.azure.com [23.100.72.36]:443

[2018-07-20 09:54:40] [WARN] :: Error resolving or connecting to s1.adhybridhealth.azure.com [23.100.72.35]:443

[2018-07-20 09:54:40] [WARN] :: Error resolving or connecting to s1.adhybridhealth.azure.com [65.52.1.19]:443

[2018-07-20 09:54:40] [WARN] :: Error resolving or connecting to s1.adhybridhealth.azure.com [23.101.165.170]:443

[2018-07-20 09:54:40] [INFO] :: Testing Required Resources Endpoints (Invoke-Webrequest).

[2018-07-20 09:54:41] [SUCCESS] :: Successfully connected to https://adminwebservice.microsoftonline.com/provisioningservice.svc.

[2018-07-20 09:54:41] [SUCCESS] :: Successfully connected to https://login.microsoftonline.com.

[2018-07-20 09:54:48] [SUCCESS] :: Successfully connected to https://provisioningapi.microsoftonline.com/provisioningwebservice.svc.

[2018-07-20 09:54:48] [SUCCESS] :: Successfully connected to https://login.windows.net.

[2018-07-20 09:54:48] [SUCCESS] :: Successfully connected to https://secure.aadcdn.microsoftonline-p.com/ests/2.1.5975.9/content/cdnbundles/jquery.1.11.min.js.

[2018-07-20 09:54:48] [INFO] :: Testing Optional Resources Endpoints (Invoke-Webrequest).

[2018-07-20 09:54:49] [SUCCESS] :: Successfully connected to https://policykeyservice.dc.ad.msft.net/clientregistrationmanager.svc.

[2018-07-20 09:54:49] [INFO] :: Testing Seamless SSO Endpoints (TCP:443).

[2018-07-20 09:54:49] [ERROR] :: Error resolving or connecting to autologon.microsoftazuread-sso.com [65.52.193.138]:443

[2018-07-20 09:54:49] [ERROR] :: Error resolving or connecting to autologon.microsoftazuread-sso.com [65.52.1.16]:443

[2018-07-20 09:54:49] [ERROR] :: Error resolving or connecting to autologon.microsoftazuread-sso.com [65.52.1.17]:443

[2018-07-20 09:54:49] [ERROR] :: Error resolving or connecting to autologon.microsoftazuread-sso.com [23.100.72.34]:443

[2018-07-20 09:54:49] [ERROR] :: Error resolving or connecting to autologon.microsoftazuread-sso.com [23.100.72.33]:443

[2018-07-20 09:54:49] [ERROR] :: Error resolving or connecting to autologon.microsoftazuread-sso.com [65.52.1.18]:443

[2018-07-20 09:54:49] [ERROR] :: Error resolving or connecting to aadg.windows.net.nsatc.net [65.52.1.16]:443

[2018-07-20 09:54:49] [ERROR] :: Error resolving or connecting to aadg.windows.net.nsatc.net [65.52.1.17]:443

[2018-07-20 09:54:49] [ERROR] :: Error resolving or connecting to aadg.windows.net.nsatc.net [23.100.72.34]:443

[2018-07-20 09:54:49] [ERROR] :: Error resolving or connecting to aadg.windows.net.nsatc.net [23.100.72.33]:443

[2018-07-20 09:54:49] [ERROR] :: Error resolving or connecting to aadg.windows.net.nsatc.net [65.52.1.18]:443

[2018-07-20 09:54:50] [ERROR] :: Error resolving or connecting to aadg.windows.net.nsatc.net [65.52.193.138]:443

[2018-07-20 09:54:50] [ERROR] :: Error resolving or connecting to 0.register.msappproxy.net [52.173.21.84]:443

[2018-07-20 09:54:50] [ERROR] :: Error resolving or connecting to 0.registration.msappproxy.net [52.173.21.84]:443

[2018-07-20 09:54:50] [INFO] :: Testing Additional Resources Endpoints (Invoke-Webrequest).

[2018-07-20 09:54:50] [WARN] :: Error resolving or connecting to watchdog.servicebus.windows.net [70.37.104.240]:5671

[2018-07-20 09:54:51] [INFO] :: Checking TLS settings for Windows Server 2012.

[2018-07-20 09:54:51] [INFO] :: Done! Logfile is 2018-07-20_AADConnectConnectivity.txt.

 

Recent changes that could have possibly contributed to creating this issue were as follows:

  1. Ran IISCrypto.exe to disable weak protocols (i.e. SSLv2 and SSLv3) and ciphers (i.e. RC2, RC4, DES, and 3DES) and enable strong protocols and ciphers (i.e. TLSv1.2, AES128, and AES256).
  2. Enabled and then disabled FIPS compliant security using the steps summarized as follows:
    1. Using an account that has administrative credentials, log on to the computer.
    2. Click Start, click Run, type gpedit.msc, and then press ENTER.
    3. In the Local Group Policy Editor, under the Computer Configuration node, double-click Windows Settings, and then double-click Security Settings.
    4. Under the Security Settings node, double-click Local Policies, and then click Security Options.
    5. In the details pane, double-click System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing.
    6. In the System cryptography: Use FIPS-compliant algorithms for encryption, hashing, and signing dialog box, click Enabled, and then click OK to close the dialog box.
    7. Close the Local Group Policy Editor.
    8. If you wish to do this manually, you can also simply change the registry key HKLM\System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\Enabled to 1
  3. Added these two (2) registry keys:

 

Eventually we were also unable to RDP to the Windows 2012 server, a related symptom: the Remote Desktop service could not create its self-signed certificate (Event ID 1057; see the reference link below), which points at the same MachineKeys folder the resolution below repairs.

 

Resolution:

We resolved the issue by doing the following:

  1. Navigating to the "C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys" folder and modifying its security permissions: right-click the MachineKeys folder, click Properties, click the Security tab, click Advanced, click Permissions, add Full Control for the server's local Administrators group, and check the box to replace permissions on child objects. Note that you may need to take ownership of this folder in order to modify the permissions.
  2. Creating a subfolder named "Archive".
  3. Moving all the system files in this directory into the Archive subfolder (these files have long alphanumeric names such as "f686aace6942fb7f7ceb231212eef4a4_ac81b1e3-5312-44a2-b264-124a1cc52d0f"). Each of these files is a machine private-key container, so moving all of them also orphans the keys of every other certificate stored there (Exchange certificates on this server, for instance). Keep the Archive folder so individual files can be moved back, and if the ACL fix in step 1 alone lets the registration succeed, skip this step.
  4. Launching an elevated Windows PowerShell and executing the following command to manually register the health sync agent: Register-AzureADConnectHealthSyncAgent -AttributeFiltering $false -StagingMode $false

After executing the preceding steps, the AAD Connect Health Sync Agent was successfully registered and we could once again RDP into the Windows 2012 server.
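Because three different changes (the IISCrypto protocol and cipher hardening, the FIPS policy toggle and the MachineKeys permissions) are all in play, it pays to record the state of each before and after the fix. The read-only audit below is an added example, not from the original post. The post does not name the two registry keys it added; the .NET SchUseStrongCrypto and SystemDefaultTlsVersions values are included on the assumption that they are the usual companions of an SCHANNEL hardening, not because the post says so.

```powershell
# Added example, not part of the original post: a read-only audit of the settings this post
# changed, to run before deciding whether MachineKeys or the TLS hardening is the culprit.
function Get-SchannelProtocolState {
    # IISCrypto writes these Enabled / DisabledByDefault values.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
    foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($side in 'Client', 'Server') {
            $key = "$base\$proto\$side"
            $p = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
            [pscustomobject]@{
                Protocol          = $proto
                Side              = $side
                Enabled           = if ($p -and $null -ne $p.Enabled) { $p.Enabled } else { '(OS default)' }
                DisabledByDefault = if ($p -and $null -ne $p.DisabledByDefault) { $p.DisabledByDefault } else { '(OS default)' }
            }
        }
    }
}

function Get-FipsPolicyState {
    # The value step 2 of the change list toggled; with it set, .NET refuses non-FIPS-validated algorithms.
    $v = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy' -ErrorAction SilentlyContinue).Enabled
    [pscustomobject]@{ FipsAlgorithmPolicyEnabled = ($v -eq 1) }
}

function Get-DotNetTlsDefaults {
    # Assumption: the post does not name the two keys it added; these .NET values are the usual
    # companions of an SCHANNEL hardening, so they are reported here.
    foreach ($key in 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
                     'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319') {
        $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Key                      = $key
            SchUseStrongCrypto       = $p.SchUseStrongCrypto
            SystemDefaultTlsVersions = $p.SystemDefaultTlsVersions
        }
    }
}

function Get-MachineKeysState {
    # The folder the resolution re-ACLs. Out of the box only Administrators hold Full Control and
    # Everyone has a restricted special entry; anything else is worth a second look.
    $path = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
    $acl = Get-Acl -Path $path
    [pscustomobject]@{
        Path     = $path
        Owner    = $acl.Owner
        Access   = @($acl.Access | ForEach-Object { '{0}: {1} ({2})' -f $_.IdentityReference, $_.FileSystemRights, $_.AccessControlType })
        KeyFiles = @(Get-ChildItem -Path $path -File -Force -ErrorAction SilentlyContinue).Count
    }
}

Get-SchannelProtocolState | Format-Table -AutoSize
Get-FipsPolicyState
Get-DotNetTlsDefaults | Format-List
Get-MachineKeysState | Format-List
```

Run it elevated (the MachineKeys ACL and key count are not fully readable otherwise) and keep the output with the change record; if a later registration or RDP failure appears, the diff between two runs usually names the culprit faster than the agent log does.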

 

Tools / Resources Used:

PowerShell Commands

# The following command manually registers the Azure AD Connect Health Sync Agent.

Register-AzureADConnectHealthSyncAgent -AttributeFiltering $false -StagingMode $false

 

# The following command tests/validates the Azure AD Connect Health Sync Agent connectivity.

Test-AzureADConnectHealthConnectivity -Role Sync -ShowResult

PowerShell Scripts

AADConnect-CommunicationsTest.ps1

 

Reference Links:

What actually happens when you enforce FIPS140-2 compliant encryption within Windows. Details are at http://technet.microsoft.com/en-us/library/cc750357.aspx.

The official instructions to enable FIPS 140-2 compliance are at http://support.microsoft.com/kb/811833.

Article relating to resolving issues with connecting to Terminal Services via RDP: https://blogs.technet.microsoft.com/the_9z_by_chris_davis/2014/02/20/event-id-1057-the-terminal-server-has-failed-to-create-a-new-self-signed-certificate/.

May 28
Enable TLS 1.1 & 1.2 as Default Secure Protocols in WinHTTP

Reference Links:

https://www.admin-enclave.com/en/articles/windows/402-enable-tls-1-1-and-tls-1-2-as-a-default-secure-protocols-in-winhttp.html

https://support.microsoft.com/en-us/help/3140245/update-to-enable-tls-1-1-and-tls-1-2-as-a-default-secure-protocols-in

 

The setting in the graphic is INCORRECT (it enables TLS 1.0, 1.1, and 1.2). The CORRECT setting for TLS 1.1 and 1.2 only is 0x00000a00 (decimal 2560), which is 0x0200 (TLS 1.1) combined with 0x0800 (TLS 1.2).

 

The registry value is a DWORD bitmap. The value to use is determined by OR-ing together (or, since every protocol has its own bit, simply adding) the values corresponding to the protocols desired.

DefaultSecureProtocols value   Protocol enabled
----------------------------   -------------------------
0x00000008                     Enable SSL 2.0 by default
0x00000020                     Enable SSL 3.0 by default
0x00000080                     Enable TLS 1.0 by default
0x00000200                     Enable TLS 1.1 by default
0x00000800                     Enable TLS 1.2 by default

For example:

The administrator wants to override the default values for WINHTTP_OPTION_SECURE_PROTOCOLS to specify TLS 1.1 and TLS 1.2.

Take the value for TLS 1.1 (0x00000200) and the value for TLS 1.2 (0x00000800) and combine them (Calculator in Programmer mode will do it); the resulting registry value is 0x00000A00. As the KB describes, create it as a DWORD named DefaultSecureProtocols under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp and, on 64-bit Windows, under the Wow6432Node equivalent as well. The value is honored on Windows 7 / 2008 R2 / 2012 only once update 3140245 is installed, and the protocols must also be enabled in SCHANNEL.
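To keep the bitmap arithmetic out of human hands, the following added example (not from the post or the linked KB) computes the value from protocol names, writes it to both WinHTTP keys and decodes whatever is currently set. It uses only the bit values from the table above.

```powershell
# Added example, not part of the original post or the linked KB: compute, write and read back
# DefaultSecureProtocols so the bitmap is never assembled by hand.
$ProtocolBits = [ordered]@{
    'SSL 2.0' = 0x00000008
    'SSL 3.0' = 0x00000020
    'TLS 1.0' = 0x00000080
    'TLS 1.1' = 0x00000200
    'TLS 1.2' = 0x00000800
}
# KB 3140245 names both locations; the Wow6432Node one covers 32-bit processes on 64-bit Windows.
$WinHttpKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp')
if ([Environment]::Is64BitOperatingSystem) {
    $WinHttpKeys += 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp'
}

function Get-DefaultSecureProtocolsValue {
    param([Parameter(Mandatory)][string[]]$Protocols)
    $value = 0
    foreach ($p in $Protocols) {
        if (-not $ProtocolBits.Contains($p)) { throw "Unknown protocol '$p'. Valid: $($ProtocolBits.Keys -join ', ')" }
        $value = $value -bor $ProtocolBits[$p]    # OR, not add: naming a protocol twice must not double its bit
    }
    $value
}

function ConvertFrom-DefaultSecureProtocolsValue {
    param([Parameter(Mandatory)][int]$Value)
    @($ProtocolBits.GetEnumerator() | Where-Object { ($Value -band $_.Value) -ne 0 } | ForEach-Object { $_.Key })
}

function Set-WinHttpDefaultSecureProtocols {
    param([Parameter(Mandatory)][string[]]$Protocols)
    $value = Get-DefaultSecureProtocolsValue -Protocols $Protocols
    foreach ($key in $WinHttpKeys) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name DefaultSecureProtocols -PropertyType DWord -Value $value -Force | Out-Null
    }
    '0x{0:X8} ({1}) = {2}' -f $value, $value, ($Protocols -join ' + ')
}

function Get-WinHttpDefaultSecureProtocols {
    foreach ($key in $WinHttpKeys) {
        $v = (Get-ItemProperty -Path $key -Name DefaultSecureProtocols -ErrorAction SilentlyContinue).DefaultSecureProtocols
        [pscustomobject]@{
            Key       = $key
            Value     = if ($null -ne $v) { '0x{0:X8}' -f $v } else { '(not set: WinHTTP built-in default)' }
            Protocols = if ($null -ne $v) { (ConvertFrom-DefaultSecureProtocolsValue -Value $v) -join ', ' } else { '' }
        }
    }
}

Set-WinHttpDefaultSecureProtocols -Protocols 'TLS 1.1', 'TLS 1.2'   # 0x00000A00 (2560), the value this post recommends
Get-WinHttpDefaultSecureProtocols | Format-List
```

Decoding the value the post calls out as wrong, 0x00000A80, with ConvertFrom-DefaultSecureProtocolsValue returns TLS 1.0, TLS 1.1 and TLS 1.2, which is a quick way to audit a server someone else configured.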

May 17
Two-Factor Authentication with Skype for Business
May 07
OneNote Desktop Client Unable to Open Notebooks Stored on O365 SharePoint/OneDrive for Business

Issue: On a Mac where notebooks had previously been opened simultaneously from multiple sources (OneDrive (Personal), OneDrive for Business, and SharePoint in multiple tenants), Office was reset to defaults and the desktop client could no longer open notebooks stored in other O365 tenant subscriptions.

Root Cause: Stale ADAL credentials cached in the macOS keychain need to be removed.

Resolution: Perform the following steps:

  1. Close all Office applications.
  2. Go to Applications > Utilities > Keychain Access, search for the Office identity/cache entries and the ADAL entries, and delete them.
  3. Once those are deleted, launch OneNote and check the behavior again.

   

If the notebook still fails to open after the preceding steps, reinstall the Office package:

https://support.office.com/en-us/article/uninstall-office-2016-for-mac-eefa1199-5b58-43af-8a3d-b73dc1a8cae3

May 02
Microsoft Announces Support for TLS 1.0 & 1.1 will be disabled in Office 365

Reference Links:

April 25
Enable DirectAccess on Windows 2012 R2
April 04
Accessing Website on the Actual Hosting Windows IIS (Web) Server Does Not Work

As a safeguard against reflection attacks, Windows performs a loopback check: a request to a site that uses Integrated Windows Authentication fails with a 401.1 when it is made from the hosting server itself using a name that is not the computer's own name (for example the site's DNS FQDN or a custom host header that resolves to the local loopback address). The same site works when accessed from another computer. To be able to access the site from the server, do the following:

  1. Configure the registry settings prescribed in the following reference links. Prefer the BackConnectionHostNames method (method 1 in the first article), which exempts only the names you list, over DisableLoopbackCheck, which turns the protection off for every name.

    Reference Links:

    https://support.microsoft.com/en-us/help/896861/you-receive-error-401-1-when-you-browse-a-web-site-that-uses-integrate

    https://support.microsoft.com/en-us/help/281308

  2. Ensure that the Internet Options settings of Internet Explorer enable the same protocols that are enabled on the server. For instance, if the server has TLS 1.0, SSL 2.0, and SSL 3.0 disabled, uncheck TLS 1.0, SSL 2.0, and SSL 3.0 in Internet Explorer's Internet Options, close and re-open the browser, and try again.
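The two registry methods from KB 896861 in scripted form, added here as an example that is not part of the original post. Add-BackConnectionHostName merges new names into the existing REG_MULTI_SZ instead of overwriting it; Disable-LoopbackCheck is included only so the difference is visible. The host name www.contoso.com is a placeholder for the site's FQDN.

```powershell
# Added example, not part of the original post: the two registry methods KB 896861 describes.
# Method 1 (per-name exemption) is the one to use; method 2 switches the protection off entirely.
$Lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Msv10 = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

function Get-LoopbackCheckState {
    $lsa = Get-ItemProperty -Path $Lsa -ErrorAction SilentlyContinue
    $msv = Get-ItemProperty -Path $Msv10 -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DisableLoopbackCheck    = [int]$lsa.DisableLoopbackCheck      # 1 = check globally off (method 2, not recommended)
        BackConnectionHostNames = @($msv.BackConnectionHostNames)      # names exempted from the check (method 1)
    }
}

function Add-BackConnectionHostName {
    # Method 1: list only the names this server legitimately answers for, e.g. the site FQDN.
    param([Parameter(Mandatory)][string[]]$HostName)
    $existing = @((Get-ItemProperty -Path $Msv10 -Name BackConnectionHostNames -ErrorAction SilentlyContinue).BackConnectionHostNames)
    $merged = @(($existing + $HostName) | Where-Object { $_ } | Sort-Object -Unique)
    New-ItemProperty -Path $Msv10 -Name BackConnectionHostNames -PropertyType MultiString -Value $merged -Force | Out-Null
    $merged
}

function Disable-LoopbackCheck {
    # Method 2: last resort on a lab box only; it removes the reflection-attack protection for every name.
    New-ItemProperty -Path $Lsa -Name DisableLoopbackCheck -PropertyType DWord -Value 1 -Force | Out-Null
}

Add-BackConnectionHostName -HostName 'www.contoso.com'   # placeholder for the site FQDN
Get-LoopbackCheckState
# KB 896861: restart the IIS Admin service for method 1 to take effect. The service only exists when
# IIS 6 management compatibility is installed; otherwise a reboot is the sure way.
Restart-Service -Name IISADMIN -Force -ErrorAction SilentlyContinue
```

Get-LoopbackCheckState is also the thing to run when auditing a server: DisableLoopbackCheck = 1 means someone took the shortcut, and the fix is to move the relevant names into BackConnectionHostNames and delete the DisableLoopbackCheck value.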