Fun with certificates

Good morning. I have had a few requests for an article on how to work with certificates, specifically the SSL variety. In this article we are going to walk through the whole process, from the CSR (Certificate Signing Request) to exporting a certificate. The process need not be a mystery any longer. So let’s get started.

The first step is to create the CSR. There are a couple of ways to do this. In this article we will use IIS (Internet Information Services) to create the request. If you do not want to use IIS or do not have it installed, there is a very good article on using certreq.exe here.

  1. Launch IIS. Right-click the Windows icon in the bottom left corner, choose Run, type inetmgr and press Enter.
  2. Click the name of the server on the left and then double-click Server Certificates in the middle section.
  3. Choose the “Create Certificate Request” option from the Actions pane on the right. This launches the CSR wizard.
  4. Fill out the certificate information. The common name is the domain name the certificate will be used for. Change it and the other fields to match your needs. Once completed, click Next.
  5. By default the bit length is set to 1024 bytes. Change this to 2048 and click Next.
  6. Give it a filename and click Finish.
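The same request done from PowerShell with certreq.exe instead of the IIS wizard, as an added example that is not part of the original post: it writes the request INF with a 2048-bit key, generates the CSR, and after the CA's certificate has been accepted checks that the installed certificate has its private key and the expected key size. The subject values and file paths are placeholders.

```powershell
# Added example: create a 2048-bit CSR with certreq.exe, then verify the issued certificate.
# Subject values are placeholders; change them to match the site the certificate is for.
$Subject = 'CN=www.example.com, O=Example Org, L=City, S=State, C=US'
$Inf     = "$env:TEMP\request.inf"
$Csr     = "$env:TEMP\request.csr"

@"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "$Subject"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
Exportable = TRUE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
HashAlgorithm = sha256

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
"@ | Set-Content -Path $Inf -Encoding ASCII

# Generate the CSR; the private key is created in the machine store and stays there.
certreq.exe -new $Inf $Csr
Get-Content $Csr    # this is the text you submit to the 3rd party CA

# Once the CA returns the certificate, bind it to the pending key (placeholder path):
#   certreq.exe -accept C:\path\to\issued-cert.cer
# Then confirm the result before binding it in IIS.
function Test-IssuedCertificate {
    param([string]$CommonName, [int]$MinKeyLength = 2048)
    $cert = Get-ChildItem Cert:\LocalMachine\My |
            Where-Object { $_.Subject -like "CN=$CommonName*" } |
            Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert)               { return 'not found' }
    if (-not $cert.HasPrivateKey) { return 'no private key: the accept step was not run on this machine' }
    $keySize = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert).KeySize
    if ($keySize -lt $MinKeyLength) { return "key too short: $keySize bits" }
    return "ok: $($cert.Thumbprint), $keySize-bit key, valid until $($cert.NotAfter)"
}
Test-IssuedCertificate -CommonName 'www.example.com'
```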

Now that the CSR is created it will need to be submitted to the 3rd party CA (Certificate Authority) of choice. Once that process is completed and a certificate file provided, the last step can be completed.

The last step is to complete the certificate request. Launch IIS and go to Server Certificates as explained above, then proceed with the detailed steps below.

  1. Choose the option to “Complete Certificate Request” from the actions pane on the right. This will launch the Complete Certificate Request dialog.

  2. Provide the path to the certificate file received from the 3rd party CA, give it a friendly name and click OK.

At this point the certificate is installed and ready to use. If you want to know more about how certificates work be on the lookout for an upcoming post that goes into more detail. I will update this post with a direct link when that article is created.

I hope you have found this post useful. If you have anything you want to add or think I missed something, please use the comments section below. If you made it this far, thanks for reading.

The machine attempted to join the domain but failed. The error code was 2700.

Good morning. I ran into an interesting issue a couple of weeks ago. I had a customer that was not able to join any of their client systems to a newly created Windows Essentials domain. When running the domain join wizard they were receiving a generic error. When digging into the event log we were able to find an error code in the following event.

Event ID: 4097
Source: NetJoin
Type: Error
Description:
The machine <server name> attempted to join the domain <domain name> but failed. The error code was 2700.

So what does error code 2700 mean anyway? I did some checking and could not find a good answer. I dug into the clientsetup.log and found the following lines, which gave me the answer I was looking for.

[3156] 170119.143840.1334: ClientSetup: nativeNetJoinDomain returned ErrCode=2700
[3156] 170119.143840.1334: ClientSetup: Join domain fails on the first time, exception: System.ComponentModel.Win32Exception (0x80004005): This device is joined to Azure AD. To join an Active Directory domain, you must first go to settings and choose to disconnect your device from your work or school

This makes sense, as a client cannot be joined to two domains at the same time.

Now that we know what the issue is, here is the fix.

  1. Open the Settings menu in Windows by clicking the Start icon and choosing Settings. Choose the Accounts option.
  2. Pick the Access work or school option.
  3. Click on the Azure AD connection to bring up the option to disconnect.
  4. Click Disconnect. When you get a prompt, click Yes.
  5. You will get another prompt. Choose Disconnect again.
  6. Enter alternate account information and click OK.
  7. Finally, choose the option to Restart now.

After restarting you should no longer have any issues joining the Windows domain.

I hope you found this article informative. If you have anything to add or want to comment, please do so below.
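A pre-flight check for the state described above, as an added PowerShell example that is not part of the original post: it reads the Azure AD join state from dsregcmd /status and, if the device is still joined, lists any NetJoin 4097 events carrying error code 2700. It assumes the 4097 event is written to the System log under the NetJoin provider; adjust LogName if your events land elsewhere.

```powershell
# Added example (not from the post): detect the Azure AD joined state behind error 2700
# before running the domain join wizard, and pull the matching NetJoin events for the record.
function Get-AzureAdJoinState {
    # dsregcmd /status prints 'AzureAdJoined : YES' or 'AzureAdJoined : NO' in its Device State section.
    $status = & dsregcmd.exe /status
    $line = $status | Where-Object { $_ -match '^\s*AzureAdJoined\s*:' } | Select-Object -First 1
    if ($line -and $line -match ':\s*(\w+)') { return $Matches[1] }
    return 'UNKNOWN'
}

function Get-NetJoinError2700 {
    # Assumption: NetJoin event 4097 is logged to the System log with provider name 'NetJoin'.
    $filter = @{ LogName = 'System'; ProviderName = 'NetJoin'; Id = 4097 }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'error code was 2700' } |
        Select-Object TimeCreated, Message
}

$state = Get-AzureAdJoinState
if ($state -eq 'YES') {
    Write-Warning 'Device is Azure AD joined; disconnect it under Settings > Accounts > Access work or school, restart, then join the domain.'
    Get-NetJoinError2700 | Format-List
} else {
    Write-Output "AzureAdJoined = $state; the domain join should not hit error 2700."
}
```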


How to activate a license server and install CALs

This is the 3rd article in a series of articles on RDS (Remote Desktop Services). In this installment I will cover how to activate a license server and install RDS CALs (Client Access Licenses).

To activate the license server:

  1. Open the RD Licensing Manager. (Right-click the Start button, choose Run, and enter licmgr.exe.)
  2. Expand All servers.
  3. Right-click the server name and choose Activate Server.
  4. Click Next on the Welcome screen.
  5. Click Next on the Connection Method screen.
  6. Enter the company information. This should match the information given when the RDS CALs were purchased. Click Next when complete.
  7. This screen is optional. You can enter the information if you choose. Click Next when complete.
  8. The Completing the Activate Server Wizard screen should come up and indicate the server was activated successfully. If the CALs are available to install, click Next. Otherwise uncheck the “Start Install Licenses Wizard now” option and click Finish.


To Install RDS CALs:

  1. Open the RD Licensing Manager. (Right-click the Start button, choose Run, and enter licmgr.exe.)
  2. Expand All servers.
  3. Right-click the server name and choose Install Licenses. See the picture above.
  4. Click Next on the Welcome screen.
  5. Choose the licensing program that is applicable. The two most common programs are retail, using a product key, and Open License. With the Open License program you should receive an email from the reseller with the authorization and license number. Click Next.
  6. Enter the license information and click Next.
  7. If prompted, enter the type and quantity of CALs.
  8. Click Finish to complete the install.


To verify that the above process worked correctly:

  1. Launch Server Manager.
  2. From the top right, choose Tools, Terminal Services, RD Licensing Diagnoser.

If all worked, there should be no errors, and the licensing mode and number of CALs should match what was installed.
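A scriptable counterpart to the RD Licensing Diagnoser check, as an added PowerShell example that is not part of the original post: it reads the activation status and the installed CAL key packs through the Win32_TSLicenseServer and Win32_TSLicenseKeyPack WMI classes on the license server. It assumes those classes are present (they ship with the RD Licensing role) and that an ActivationStatus of 0 means the server is activated.

```powershell
# Added example (not from the post): summarize license server activation and installed CALs via WMI.
# Assumptions: Win32_TSLicenseServer/Win32_TSLicenseKeyPack exist on the licensing server and
# GetActivationStatus() returns ActivationStatus 0 for an activated server.
function Get-RdsLicenseSummary {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $server = Get-WmiObject -Namespace root\cimv2 -Class Win32_TSLicenseServer -ComputerName $ComputerName
    $status = $server.GetActivationStatus().ActivationStatus
    # Each key pack is one block of CALs; TypeAndModel tells built-in packs apart from the ones you installed.
    $packs  = Get-WmiObject -Namespace root\cimv2 -Class Win32_TSLicenseKeyPack -ComputerName $ComputerName |
              Select-Object ProductVersion, TypeAndModel, TotalLicenses, IssuedLicenses, AvailableLicenses
    [pscustomobject]@{
        Server    = $ComputerName
        Activated = ($status -eq 0)
        KeyPacks  = $packs
    }
}

$summary = Get-RdsLicenseSummary
if (-not $summary.Activated) { Write-Warning "$($summary.Server) is not activated; rerun the Activate Server wizard." }
# Compare TotalLicenses for the CAL type you bought against the quantity entered in the Install Licenses wizard.
$summary.KeyPacks | Format-Table -AutoSize
```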

OWA, Something went wrong :( and the case of the missing sharedwebconfig.config

Good morning. I wanted to take the time this morning to go over an issue I saw the other day. This issue was pretty difficult to track down, so I figured I would go over as many of the symptoms as possible, in the hope that someone suffering from this issue will have an easier time of it.

I was working with a deployment consultant who had an issue where OWA (Outlook Web Access) was not working on a new deployment of three Exchange 2016 servers. The first thing I checked was the version of .NET, as my group has seen a few cases of .NET 4.6.1 on Exchange. It turned out that WSUS had pushed it, so I figured we had found the issue. We reverted .NET to 4.5.2 on one server and tested; OWA was now working, so I thought we had the issue resolved. Unfortunately, after reverting all three servers there were still problems: one of them was working, but two were not. Here are the symptoms I found.

  • In the IIS logs for the Exchange frontend are the following lines:
    timestamp::1 POST /owa/auth.owa &CorrelationID=<empty>;&ClientId=123&cafeReqId=123;&encoding=; 443 user.name ::1 Mozilla/5.0+(Windows+NT+6.3;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko https://localhost/owa/auth/logon.aspx?replaceCurrent=1&url=https%3a%2f%2flocalhost%2fowa%2f%23authRedirect%3dtrue 302 0 0 0
    timestamp::1 POST /owa/sessiondata.ashx appcacheclient=1&acver=15.1.225.42&crr=1&CorrelationID=123;&ClientId=123&ClientRequestId=123&encoding=;&cafeReqId=123; 443 user.name ::1 Mozilla/5.0+(Windows+NT+6.3;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko - 302 0 0 15
    timestamp::1 GET /owa/auth/errorFE.aspx httpCode=500&CorrelationID=123;&ClientId=123&cafeReqId=123;&encoding=; 443 - ::1 Mozilla/5.0+(Windows+NT+6.3;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko - 200 0 0 703
    timestamp::1 POST /owa/plt1.ashx cId=123&msg=USRCompositeServerErr&tg=&MDB=789&nId=0000000000000000&MBX=123&sdCoId=123_123&sds=200&fe=FrontEndSERVERNAME&be=null&cbe=null&cver=15.1.225.42&sdver=null&...+like+Gecko - 302 0 64 15
    timestamp::1 GET /owa/auth/errorFE.aspx httpCode=500&CorrelationID=<empty>;&ClientId=123&cafeReqId=123;&encoding=; 443 - ::1 Mozilla/5.0+(Windows+NT+6.3;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko - 200 0 0 0
    timestamp::1 GET /owa/ bO=1&CorrelationID=<empty>;&ClientId=123&ClientRequestId=123&encoding=;&cafeReqId=123; 443 user.name ::1 Mozilla/5.0+(Windows+NT+6.3;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko - 302 0 0 0
    timestamp::1 GET /owa/auth/errorFE.aspx httpCode=500&CorrelationID=<empty>;&ClientId=123&cafeReqId=123;&encoding=; 443 - ::1 Mozilla/5.0+(Windows+NT+6.3;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko - 200 0 0 15
  • In the IIS logs for the Exchange backend, the following is found:
    timestamp ::1 GET /owa/auth/15.1.225/themes/resources/segoeui-regular.eot &CorrelationID=<empty>;&ClientId=123&cafeReqId=123;&encoding=; 443 - ::1 Mozilla/5.0+(Windows+NT+6.3;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko https://localhost/owa/auth/errorFE.aspx?httpCode=500 200 0 0 0
    timestamp ::1 GET /owa/auth/15.1.225/themes/resources/segoeui-semilight.eot &CorrelationID=<empty>;&ClientId=123&cafeReqId=123;&encoding=; 443 - ::1 Mozilla/5.0+(Windows+NT+6.3;+WOW64;+Trident/7.0;+rv:11.0)+like+Gecko https://localhost/owa/auth/errorFE.aspx?httpCode=500 200 0 0 0
  • Checking the event log shows an event ID 1309 every time OWA is accessed. Below are the details.
    Log Name:      Application
    Source:        ASP.NET 4.0.30319.0
    Date:          3/19/2016 5:49:48 AM
    Event ID:      1309
    Task Category: Web Event
    Level:         Warning
    Keywords:      Classic
    User:          N/A
    Computer:      Exchange2016.MyExchange.com
    Description:
    Event code: 3005 
    Event message: An unhandled exception has occurred. 
    Event time: date/time 
    Event time (UTC): date/time 
    Event ID: ...
    ...
    
    ...
    ...
    
    <Data>Exception has been thrown by the target of an invocation.
       ...
    ...
    ...
    ...
       at System.Web.Hosting.PipelineRuntime.InitializeApplication(IntPtr appContext)
    
    Could not load file or assembly 'Microsoft.Exchange.Diagnostics, Version=15.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35' or one of its dependencies. The system cannot find the file specified.
       at Microsoft.Exchange.Clients.Owa2.Server.Core.OwaApplication..ctor()
       at Microsoft.Exchange.Clients.Owa2.Server.Core.BaseApplication.CreateInstance()
       at ASP.global_asax..ctor()
    
    </Data>
    ...
    ...


After some extensive checking of the modules in IIS (Internet Information Services), there did not appear to be a configuration issue. I then tripped upon the following blog article, which led me to a Microsoft KB on the topic. It turns out that sometimes when you install Exchange, the SharedWebConfig.config file does not get created. The fix is to copy one from a working server. But what if you don’t have a working server? In this case we did, but what if you only have one server? You are in luck. Here is a copy of the SharedWebConfig.config file. Just rename the extension from .doc to .config. I took this from an RTM Exchange 2016 server, so I am not sure it will work in 2013.

I hope this helps you out.
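A check for the symptoms described above, as an added PowerShell example that is not part of the original post: it verifies that SharedWebConfig.config is present on an Exchange server and pulls the recent ASP.NET 1309 events whose stack cites Microsoft.Exchange.Diagnostics. It assumes the file is expected under the ExchangeInstallPath in the FrontEnd\HttpProxy and ClientAccess folders; those locations are my assumption, not stated in the post.

```powershell
# Added example (not from the post): look for the missing SharedWebConfig.config and the
# matching ASP.NET 1309 events on an Exchange 2016 server.
# Assumption: the file belongs in FrontEnd\HttpProxy and ClientAccess under $env:ExchangeInstallPath.
function Test-SharedWebConfig {
    param([string]$InstallPath = $env:ExchangeInstallPath)
    if (-not $InstallPath) { throw 'ExchangeInstallPath is not set; is this an Exchange server?' }
    foreach ($rel in 'FrontEnd\HttpProxy\SharedWebConfig.config', 'ClientAccess\SharedWebConfig.config') {
        $path = Join-Path $InstallPath $rel
        [pscustomobject]@{ Path = $path; Present = (Test-Path $path) }
    }
}

function Get-OwaLoadFailures {
    param([int]$Hours = 24)
    # Source 'ASP.NET 4.0.30319.0' and event ID 1309 are taken from the event shown above.
    $filter = @{ LogName = 'Application'; ProviderName = 'ASP.NET 4.0.30319.0'; Id = 1309
                 StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'Microsoft\.Exchange\.Diagnostics' } |
        Select-Object TimeCreated,
            @{ n = 'Assembly'; e = { ($_.Message -split "`n" | Where-Object { $_ -match 'Could not load file or assembly' }) -join ' ' } }
}

$missing = Test-SharedWebConfig | Where-Object { -not $_.Present }
if ($missing) {
    Write-Warning "SharedWebConfig.config missing: $($missing.Path -join ', '). Copy it from a working server of the same Exchange version."
}
Get-OwaLoadFailures | Format-List
```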