Categories
blog network server windows

FreeRadius.net service doesn’t work

The FreeRadius.net package built for windows uses the XYZservice.exe wrapper tool to start a normal application as a service. However on Windows 2008 and higher the service starts but RADIUS is not listening on the configured ports. You can check if it is listening with netstat.
netstat -an | findstr 1812

The Debug mode of FreeRadius.net (using the provided batch file) however works fine. It seems the built radiusd.exe will not start with the default options on Windows 2008 and higher. You can check this by manually starting from a command prompt:
C:\FreeRADIUS.net\bin\radiusd.exe -f -d C:/FreeRADIUS.net/etc/raddb
So that is the reason why the service doesn’t start.

Solution: COnfigure the XYZservice to start the application with the debug parameters.
Edit C:\FreeRADIUS.net\bin\XYZservice.ini
change:
CommandLine = C:\FreeRADIUS.net\bin\radiusd.exe -d C:/FreeRADIUS.net/etc/raddb -AX

Now if you start the FreeRadius.net service and check with netstat you will see the RADIUSD.exe listening

Categories
blog network server windows

RAS or NPS forward RADIUS request to same server different port

The address of the remote RADIUS server x.x.x.x in remote RADIUS server group yyyyy Resolves to local address x.x.x.x.
The address will be ignored.

Use case scenario: You want to forward RADIUS requests incoming on the server to some software, possibly for setting up OTP authentication.

My scenario: Extra security for PPTP vpn tunnel to Windows server with RAS (Routing and Remote Access) by using VASCO Identikey OTP (One-Time-Passkey) software (the same applies for other software such as RSAid). Normally the recommended setup is using two servers, one for the RAS connection and one with the VASCO Identikey middleware software on it. When you deploy like this you will not face the problem I’m about to describe. However if you have only 1 Windows server at your disposal and you install the VASCO Identikey software on the same server as the RAS and NPS (Network Policy Server) role you will run in to this problem.

Problem description: You have configured RAS correctly for PPTP MSCHAP v2 connections. In NPS you have configured a connection policy to forward the RADIUS requests (authentication and accounting) to a remote RADIUS server group. The authentication fails, VASCO audit viewer does not show any attempt to authenticate to the VASCO Identikey Radius server. In the eventviewer application log there is an event ID 25 with the following error:
The address of the remote RADIUS server x.x.x.x in remote RADIUS server group yyyyy Resolves to local address x.x.x.x.

The problem is that NPS cannot forward RADIUS requests to the same IP address as itself. Even if the software is listening on another port, or you configure 2 IP addresses on the same network card. NPS insists that the IP address of the remote RADIUS server is the same as it’s own IP address and ignores your configuration to forward the RADIUS requests.

The solution is to use the loopback IP address range. For example 127.0.0.2. Unfortunately VASCO Identikey is licensed on IP address and as such you can’t change it to listen to the loopback IP address without also requesting a new license. I have not tried this, so even with the new license I’m not sure VASCO Identikey will listen on loopback IP address. Maybe other OTP software can do this, check with your vendor or manual.

What can you do? Use a RADIUS proxy to sit between the NPS and VASCO Identikey. If you have a linux server around you can use opensource FreeRadius software on that linux box to proxy the RADIUS requests between RAS/NPS and VASCO Identikey.
If like me you had nothing but this 1 windows server, you can use the FreeRadius.net software, this is a prebuilt binary of the opensource FreeRadius software made for windows versions. The software is quite old and not updated but it still seems to work for our simple setup.

I have installed the FreeRadius.net software in C:\FreeRadius.net
I have configured it to accept RADIUS requests on interface 127.0.0.2 port 11812 and forward them to a RADIUS server on IP x.x.x.x on port 18120 (I changed the default RADIUS ports for VASCO and FreeRadius to avoid conflicts with NPS/RAS).

configuration file c:\FreeRadius.net\etc\raddb\clients.conf
I have put all the default things in comment (#) and add
client 127.0.0.2 {
secret = testing123
shortname = localhost2
}

configuration file c:\FreeRadius.net\etc\raddb\radiusd.conf
I have put the default listen directive in comment (#) but you must leave the bind = * line and add
listen {
ipaddr = 127.0.0.2
port = 11812
type = auth
}
listen {
ipaddr = 127.0.0.2
port = 11813
type = acct
}

configuration file c:\FreeRadius.net\etc\raddb\proxy.conf
In this file I configured both the NULL realm for plain usernames and the DEFAULT realm for all others to forward to VASCO Identikey wich I have listening on the port 18120 & 18130 (auth & acct).
# This realm is for requests which don't have an explicit realm
# prefix or suffix. User names like "bob" will match this one.
#
realm NULL {
type = radius
authhost = 10.x.y.z:18120
accthost = 10.x.y.z:18130
secret = testing123
}

#
# This realm is for ALL OTHER requests.
#
realm DEFAULT {
type = radius
authhost = 10.x.y.z:18120
accthost = 10.x.y.z:18130
secret = testing123
}

You can now start the FreeRadius.net in debug mode, using the supplied batch file you can test your configuration.

Below I will attach screenshots of my configuration for NPS, RAS and VASCO.
RAS settings (EAP can be enabled if you like)
NPS RADIUS client
NPS configure remote RADIUS server group
NPS connection policy screenshot
NPS Network Policy
VASCO port settings

With thanks to:
http://bent-blog.de/vasco-identikey-server-auf-microsoft-forefront-tmg-2010/

Categories
exchange network server windows

Uninstall Exchange 2010 on crippled 2008 R2 DC (SBS2011)

FASTTRACK ARTICLE

Exchange 2010 was installed on a domain controller, it actually was a Small Business Server 2011. Something happened to the AD database, backup not good. Server would only boot in AD restore mode.

In AD restore mode, we could login using domain credentials because the other DC (backup) was providing logon and authentication. We could even start a whole bunch of services and also the Exchange services. We seized the Roles on our other DC so that users would be able to logon without issues.In the next days we prepared to move the mailboxes away, in our case to Office365 in the cloud.
After that happened we followed the steps to remove the last Exchange server including disconnecting all mailboxes from AD users, removing public folders and such. On the final step, to uninstall Exchange it would not continue stating that the server was pending a reboot.
“A reboot from a previous installation is pending. Please restart the system and then rerun Setup.”
Restarting did not help of course, because we could only boot in to directory services restore mode.
So I had to find a way to fix the AD.

1) Checking the AD database (ntds.dit) from restore mode:
Open a CMD command prompt (As Administrator);
execute command ntdsutil
at the prompt type: activate instance ntds
at the prompt type: files

A] If you get an error about corruption ->
Move all the .log files in C:\windows\ntds\ to another directory (desktop perhaps);
Open a new CMD command prompt (As Administrator);
execute command: ESENTUTL.EXE /p C:\windows\ntds\ntds.dit
execute command: ESENTUTL.EXE /g C:\windows\ntds\ntds.dit
Try the files command again in the open ntdsutil command prompt.

B] If you get an error about being in the recovered state ->
Open a new CMD command prompt (As Administrator);
execute command: ESENTUTL.EXE /g C:\windows\ntds\ntds.dit
The integrity check will show all is normal, otherwise see step A.
Reboot the computer and set the date in the BIOS a couple of months or from before the backup-date if you tried a AD restore. Or set it a year back or so if you are unsure. Try to boot in normal mode. Normally it should boot up, but could take a while, change the date/time back to the correct values when it’s booted up.

2) Replication and authentication to other domain controllers
If you have other domain controllers to replicate to, then you might probably need to change BURFLAGGS for non-authorative restore (to fix NTFRS corruption on SYSVOL) and first reset the machine account password for the secure channel to the other domain controllers. See this post: http://ares.gobien.be:8080/2013/07/sync-issues-krb_ap_err_modified-0x80090322-target-principal-name-incorrect/

3) Now you can either try to fix everything further or go ahead and uninstall Exchange. Try the uninstall the normal way.
If you get errors about the sate of the Active Directory, try it like this:
Open a new CMD command prompt (As Administrator);
execute command: cd %programfiles%\Microsoft\Exchange Server\v14\bin
execute command: setup.com /m=uninstall /dc:otherdc.domain.local

Make sure the server is still in the “Exchange Servers” security group.
Make sure there are no entries in the hosts file for your DC’s. Because it can also trigger the following error:
Setup encountered a problem while validating the state of Active Directory: ‘server.domain.local’ isn’t a fully qualified domain name (FQDN). Please provide a valid FQDN. For example: ‘SERVER’.

Happy uninstalling!

Log excerpt:

[12/31/2014 08:27:56.0273] [1] Active Directory session settings for 'Get-ExchangeServer' are: View Entire Forest: 'True', Configuration Domain Controller: 'SRV-APP1.contoso.com', Preferred Global Catalog: 'SRV-APP1.contoso.com', Preferred Domain Controllers: '{ SRV-APP1.contoso.com }'
[12/31/2014 08:27:56.0273] [1] Beginning processing Get-ExchangeServer -Identity:'SBS2011'
[12/31/2014 08:27:56.0273] [1] Searching objects "SBS2011" of type "Server" under the root "$null".
[12/31/2014 08:27:56.0273] [1] Previous operation run on domain controller 'SRV-APP1.contoso.com'.
[12/31/2014 08:27:56.0273] [1] Previous operation run on domain controller 'SRV-APP1.contoso.com'.
[12/31/2014 08:27:56.0273] [1] Preparing to output objects. The maximum size of the result set is "unlimited".
[12/31/2014 08:27:56.0273] [1] Ending processing Get-ExchangeServer
[12/31/2014 08:27:56.0491] [1] [REQUIRED] There is a pending reboot from a previous installation of a Windows Server 2008 role or feature. Please restart the system and rerun Setup.
[12/31/2014 08:27:56.0523] [1] Ending processing test-setuphealth
[12/31/2014 08:27:56.0538] [0] **************

[12/31/2014 08:28:01.0312] [1] Ending processing Get-ExchangeServer
[12/31/2014 08:28:01.0702] [1] [REQUIRED] There is a pending reboot from a previous installation of a Windows Server 2008 role or feature. Please restart the system and rerun Setup.
[12/31/2014 08:28:01.0702] [1] Ending processing test-setuphealth
[12/31/2014 08:34:16.0514] [0] End of Setup

[12/31/2014 10:17:29.0782] [1] Ending processing Get-ExchangeServer
[12/31/2014 10:17:30.0047] [1] [REQUIRED] Unable to read data from the Metabase. Ensure that Microsoft Internet Information Services is installed.
[12/31/2014 10:17:30.0047] [1] [REQUIRED] Setup encountered a problem while validating the state of Active Directory: Active Directory operation failed on SBS2011.contoso.com. The supplied credential for 'CONTOSO\Administrator' is invalid.

[REQUIRED] Setup encountered a problem while validating the state of Active Directory: Active Directory operation failed on SBS2011.contoso.com. The supplied credential for 'CONTOSO\Administrator' is invalid.

[12/31/2014 10:53:05.0881] [1] Searching objects "SBS2011" of type "Server" under the root "$null".
[12/31/2014 10:53:05.0897] [1] Previous operation run on domain controller 'SRV-APP1.contoso.com'.
[12/31/2014 10:53:05.0897] [1] Previous operation run on domain controller 'SRV-APP1.contoso.com'.
[12/31/2014 10:53:05.0897] [1] Preparing to output objects. The maximum size of the result set is "unlimited".
[12/31/2014 10:53:05.0912] [1] Ending processing Get-ExchangeServer
[12/31/2014 10:53:06.0287] [1] [REQUIRED] Setup encountered a problem while validating the state of Active Directory: 'SBS2011.contoso.com' isn't a fully qualified domain name (FQDN). Please provide a valid FQDN. For example: 'SBS2011'.
[12/31/2014 10:53:06.0318] [1] Ending processing test-setuphealth

[12/31/2014 10:54:32.0491] [1] Previous operation run on domain controller 'SRV-APP1.contoso.com'.
[12/31/2014 10:54:32.0491] [1] Previous operation run on domain controller 'SRV-APP1.contoso.com'.
[12/31/2014 10:54:32.0491] [1] Preparing to output objects. The maximum size of the result set is "unlimited".
[12/31/2014 10:54:32.0491] [1] Ending processing Get-ExchangeServer
[12/31/2014 10:54:33.0043] [1] [REQUIRED] Active Directory does not exist or cannot be contacted.
[12/31/2014 10:54:33.0043] [1] [REQUIRED] Setup encountered a problem while validating the state of Active Directory: 'SBS2011.contoso.com' isn't a fully qualified domain name (FQDN). Please provide a valid FQDN. For example: 'SBS2011'.
[12/31/2014 10:54:33.0043] [1] Ending processing test-setuphealth

[12/31/2014 10:56:00.0320] [1] Previous operation run on domain controller 'SRV-APP1.contoso.com'.
[12/31/2014 10:56:00.0320] [1] Preparing to output objects. The maximum size of the result set is "unlimited".
[12/31/2014 10:56:00.0320] [1] Ending processing get-EdgeSubscription
[12/31/2014 10:56:00.0574] [1] [REQUIRED] Setup encountered a problem while validating the state of Active Directory: 'SBS2011.contoso.com' isn't a fully qualified domain name (FQDN). Please provide a valid FQDN. For example: 'SBS2011'.
[12/31/2014 10:56:00.0670] [1] Ending processing test-se

[12/31/2014 12:31:07.0542] [1] Previous operation run on domain controller 'SVR-DC1.contoso.com'.
[12/31/2014 12:31:07.0542] [1] Previous operation run on domain controller 'SVR-DC1.contoso.com'.
[12/31/2014 12:31:07.0542] [1] Preparing to output objects. The maximum size of the result set is "unlimited".
[12/31/2014 12:31:07.0542] [1] Ending processing Get-ExchangeServer
[12/31/2014 12:31:07.0791] [1] [REQUIRED] Setup encountered a problem while validating the state of Active Directory: The user-specified domain controller SRV-APP1 does not exist.

Categories
blog howto linux network server virtualization

Virtual Private Server on SSD storage

 Update: After reviewing the offerings, I’m no longer running my VPS at digitalocean. Instead I’m using Linode at the moment.
www.linode.com

Easily deploy an SSD cloud server on @DigitalOcean in 55 seconds.

Recently I read about the virtual private servers you can create on www.DigitalOcean.com. They call them Droplets, and they get created in less then a minute if you don’t enable back-ups, or just a couple of minutes with back-up service enabled. You can choose between different geographically located data centers. You can choose between New York, San Francisco, London, Amsterdam and Singapore. You get one public ip address (or ipv6 if you prefer, but who does anyway).

You can choose out of some pre selected minimal OS installations such as Ubuntu, CentOS, Debian, Fedora and CoreOS. Or you could even deploy your VPS complete with a LAMP (Linux, Apache, MySQL and PHP) or even with WordPress of Drupal setup. If I looked at the price (10$/month or 12$ with back-up) for a VPS, with 1 CPU, 1GB RAM, 30GB DISK and 2TB data transfer, and compared that to what I was currently paying for 2 shared hosting plans, the math was clear. For a bit less than what I was paying I get my very own Virtual Private Server where I can configure everything I want and have full rights on everything.

For me, as an enthusiastic system engineer, with experience on multiple Linux flavors, this was a very nice project. Starting from a minimal CentOS 7 installed Droplet, I quickly installed and configured Apache, Nginx, MySQL and PHP and started serving web pages. My first tests were a success. I configured different management tools and secured the system with a software firewall. Because your VPS has a public ip address you must think good about security. It took some time getting used to the new firewall software system in CentOS 7 called firewalld. After some cursing I had it set up as I wanted.

The next step was to migrate the first of my existing websites over to the new VPS. I chose to configure virtual hosts in an organized manner so that I could always expand to more websites if needed. After transferring the databases and website data, I set course for a new goal. Making my sites more secure by using HTTPS encryption on the login pages. By using the free 1 year class 1 certificates from www.startssl.com I did not have to make any extra costs. Update: Using Let’s Ecrypt now and HTTPS on all pages! After some hours of configuring and testing I had everything running smoothly. I migrated all the DNS records to my new VPS and shortly after my 1st website was running live on the new VPS.

My next goal was to set up mailboxes for every virtual host and using IMAP to connect to them. I choose POSTFIX as the SMTP server and DOVECOT as the IMAP server. POSTFIX was configured for using virtual mailboxes that don’t require a Linux user. DOVECOT was configured for SSL/TLS encrypted connections so password are never sent in clear text. To finish it off I installed ROUNDCUBE as a web mail solution.

After my successful first website migration the second one followed quickly and went smoothly as well. This time I also needed a FTP setup and I chose VSFTPD and again made it possible to use SSL encryption.

The VPS is now running all of my websites, except this blog.

PS: If you are wondering why I don’t migrate this blog, running on my home server, that’s because it’s a challenge to keep a website running on a homeserver with minimal hardware costs and dynamic internet ip address. It also has some other uses for me besides serving this blog.

Categories
blog howto network server windows

Backup domain controller sync issues KRB_AP_ERR_MODIFIED 0x80090322 target principal name incorrect

My case:
1x Windows 2008 Small Business Server (named: SBS2008)
1x Windows 2008 R2 standard on off-site location (named: TS2008) BACKUP DOMAIN CONTROLLER & GC
Connection between the 2 servers was lost for nearly 3 months.
Replication would only work from SBS2008 to TS2008 but not from TS2008 to SBS2008.
I couldn’t view the shares on \\SBS2008 from the console on TS2008, i received the error “The target principal name is incorrect”. On SBS2008 I could view the shares on TS2008.
In the eventlog there were errors:

The Knowledge Consistency Checker (KCC) was unable to form a complete spanning tree network topology. As a result, the following list of sites cannot be reached from the local site.

Sites:
CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domein,DC=local

The Knowledge Consistency Checker (KCC) has detected problems with the following directory partition.

Directory partition:
DC=domain,DC=local

There is insufficient site connectivity information for the KCC to create a spanning tree replication topology. Or, one or more directory servers with this directory partition are unable to replicate the directory partition information. This is probably due to inaccessible directory servers.

All directory servers in the following site that can replicate the directory partition over this transport are currently unavailable.

Site:
CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=local
Directory partition:
DC=domain,DC=local
Transport:

CN=IP,CN=Inter-Site Transports,CN=Sites,CN=Configuration,DC=domain,DC=local

The File Replication Service is having trouble enabling replication from SBS2008 to TS2008 for c:\windows\sysvol\domain using the DNS name SBS2008.domein.local. FRS will keep retrying.
Following are some of the reasons you would see this warning.

The session setup from the computer SBS2008 failed to authenticate. The name(s) of the account(s) referenced in the security database is SBS2008$. The following error occurred:
Access is denied.

The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server sbs2008$. The target name used was E3514xx-xxxxxxxxxxxxxxx/yyyyyyyyyyyyyyy/domain.local@domain.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please …

The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server sbs2008$. The target name used was DNS/sbs2008.domain.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Please …

Demote and the promote for TS2008 would not work without forcing and doing a lot of NTDS cleanup on the PDC. So this was my last resort.

1st reboot -> did not work.
Doing a lot of searching and looking up the SPN for SBS2008 on both DC’s did not show any differences.

Luckily I found an older KB from microsoft on how to reset the kerberos secure channel between two DC’s.
http://support.microsoft.com/kb/288167

I had to disable the KDC (Kerberos Key Distribution Center) service on TS2008 and then reboot.
Immediately after reboot I noticed I could browse the shares on the SBS2008 without error.
This is because TS2008 was no longer supplied Kerberos tickets itself but requesting them from SBS2008.
Now I opened an elevated command prompt and forced a sync of all replica partitions and triggered the KCC checker.
repadmin /syncall /ade
repadmin /kcc

To check the replication backlog queue use:
repadmin /queue

After replication was succesful I put the KDC service back to automatic and started it. Problem solved.

If you can’t get replication working yet, you’ll need these extra steps.
klist /purge
netdom resetpwd /server:sbs2008 /userd:domain\Administrator /passwordd:* (the * will make it prompt for password).

Also you might need to check your DNS settings and put the IP adres of SBS2008 as primary DNS IP on the NIC of TS2008.

Other helpful information:
http://support.microsoft.com/kb/2090913

Categories
blog howto network server windows

RDWeb shows no icons with Internet Explorer 10 TSWeb (server side fix)

RDWeb or TSWeb is the Microsoft Remote Desktop service web access page from Windows 2008 or Windows 2008 R2.

When using Internet Explorer 10 to browse to an RDWeb (>=2008 R2) or TSWeb (=2008) the icons for the published apps are missing or blank and WKSPRT.EXE (provides SSO) does not load. You have to click the compatibility icon in the browser and then it does work.

If you want to make sure that users don’t have to click compatibility mode, you can send the header to emulate IE9 from server side, so Internet Explorer automatically uses the right mode.

You can choose between 2 options (I prefer option2, easier and less work):

1) Edit all the *.aspx pages (except logoff.aspx) under the %windir%\Web\RDWeb\Pages\en-US\ folder.
Add <META HTTP-EQUIV="X-UA-COMPATIBLE" CONTENT="IE=9"> right below the lines <html><head id=”Head1″ runat=”server”>
screenshot source code

2) Add the header in IIS for the RDweb so that it is automatically added to all pages served from RDweb.
Open IIS Management under Administrative tools in the start menu.
Expand the Default Web Site using the plus sign next to it. Click on RDWeb and then in the middle pane double click on HTTP Response Headers (under the IIS category). In the list with headers right click on the empty space and click Add. Under name fill in: X-UA-Compatible and under value fill in: IE=9
IIS-add-header-compatibility-IE9

Categories
blog howto network server windows

Exchange 2010: moved mailbox to new database Blackberry Enterprise won’t sync

When you create a new Database in Exchange 2010 you also need to add special rights to this database for the Blackberry Enterprise service account (standard: BESAdmin) to this database.

Source: http://btsc.webapps.blackberry.com/btsc/viewdocument.do?externalId=KB02276&sliceId=2&cmd=displayKC&docType=kc&noCount=true&ViewedDocsListHelper=com.kanisa.apps.common.BaseViewedDocsListHelperImpl

Click Start > Programs > Microsoft Exchange Server 2010 > Exchange Management Shell
Execute the following command:
Get-MailboxDatabase | Add-ADPermission -User "BESAdmin" -AccessRights ExtendedRight -ExtendedRights Receive-As, ms-Exch-Store-Admin, ms-Exch-Store-Visible

Categories
blog howto network virtualization windows

Delete or show hidden no longer active or present network adapters Device Manager

Open a command prompt. Start: RUN -> CMD (OK)
At the prompt type:
set devmgr_show_nonpresent_devices=1
At the prompt type:
start devmgmt.msc
In the menu view, click on “Show hidden devices”.
Now go to network adapters and uninstall the ones that you were looking to uninstall, it will be greyed out.

Categories
blog howto network

VPN tunnel between Netscreen and Cisco

Recently I had some troubles setting up a VPN between a Netscreen and a Cisco device from the remote party.

We had agreed upon a Preshared Key and 3DES/SHA1 encryption/hash algorithms using main mode and DH group 2. The Cisco side had added group 2 to their isamkp setting but they could not add the same group command to the transform command so my Phase2 had NOPFS set while my Phase1 was DH group 2.

The tunnel still did not come up, debugging was not useful as it was the Netscreen that initiated the tunnel every time and the log just showed an answer from the Cisco with “no proposal chosen”. After looking into their config and a hint on the internet, I configured the proxyID on the tunnel with local address = my WAN IP and remote address = their WAN IP. And that did the trick, tunnel was up.

Categories
blog network

FORTIGATE : Static routes must have lower distance then default GW

Had this problem on a Fortigate 60B & 60C. Static routes did not work as expected.
The static route did not work until the distance was set to 1 which is lower than the 0.0.0.0 default route who has distance 10. Maybe this is not a bug, but intended behaviour. On Netscreen the 0.0.0.0 default route is always the last to be applied and all other static routes go first.