UAG 2010, an unknown error occurred while processing the certificate

While fixing some other errors on our UAG 2010 server (enabling Windows 8.1 and Internet Explorer 11 support), I came across a strange error about the backend server certificate. The error I got was:

“An unknown error occurred while processing the certificate. Contact the site administrator”

I connected to the backend server (a SharePoint 2010 server) and checked the certificate. It was a certificate issued by my domain CA and nothing was wrong with it. There was no error if I opened the site from within my network, but the UAG server was still giving me the error.

The solution was to disable the certificate validation and CRL validation on the UAG server. These are the steps you need to follow on your UAG server:

  1. On the UAG Server, open the Registry Editor (Start –> Run –> Type “regedit” and click OK).
  2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\WhaleCom\e-Gap\Von\URLFilter\Comm\SSL.
  3. To cancel the validation check, right-click ValidateRwsCert, select Modify, and change the Value data to 0.
  4. To cancel the CRL check, right-click ValidateRwsCertCRL, select Modify, and change the Value data to 0.
  5. Close the Registry Editor.
  6. Activate the UAG configuration to make the change permanent (otherwise, a reboot will revert it).
  7. If this is applied to a UAG array, the registry needs to be edited only on the array manager. The activation will push it to the other servers.
  8. Restart the IIS service on the Forefront UAG server. If this is an array, this needs to be done on all members.

After the restart, the webpage was again accessible from all devices (mobile, outside the network, domain computers…).
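To see which check the backend certificate fails from the UAG server's point of view (an issuing CA that is not trusted there, or a CRL that cannot be reached), the chain can be evaluated directly. This is an added example, not part of the original post; the host name is a placeholder and the script only reads the certificate.

```powershell
# Added example, not part of the original post. Run on the UAG server.
$BackendHost = 'sharepoint.example.local'   # placeholder: your backend server name
$Port        = 443

function Get-RemoteCertificate([string]$HostName, [int]$Port) {
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept whatever is presented so it can be inspected; record the TLS verdict.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
            param($s, $c, $ch, $policyErrors)
            $script:SslPolicyErrors = $policyErrors
            $true
        }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally { $tcp.Close() }
}

$cert = Get-RemoteCertificate $BackendHost $Port

# Evaluate the trust chain with online revocation checking for every element.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
$chain.ChainPolicy.RevocationFlag = 'EntireChain'
$valid = $chain.Build($cert)

"Subject           : $($cert.Subject)"
"Issuer            : $($cert.Issuer)"
"Valid until       : $($cert.NotAfter)"
"TLS policy errors : $script:SslPolicyErrors"   # e.g. RemoteCertificateNameMismatch
"Chain valid       : $valid"

# Per-element status. Typical findings:
#   UntrustedRoot                               -> CA root missing from this server's Trusted Root store
#   RevocationStatusUnknown / OfflineRevocation -> CRL distribution point not reachable from this server
foreach ($element in $chain.ChainElements) {
    "  $($element.Certificate.Subject)"
    foreach ($status in $element.ChainElementStatus) {
        "      {0}: {1}" -f $status.Status, $status.StatusInformation.Trim()
    }
}
```

An element with no status lines passed every check; the flagged elements show whether the missing piece is the CA certificate or the CRL.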

 

Posted in Forefront UAG 2010, SharePoint 2010, SharePoint 2013, Windows Server 2008 R2

Hyper-V virtual machine not starting, “General access denied error” (0x80070005)

Last night I got a strange error after restoring a VHD from our Data Protection Manager 2012 R2 server. The virtual machine didn’t start and the only error was a General access denied error, as if the system could not read the VHD file.

I started digging and found a KB article from Microsoft with the same description: http://support.microsoft.com/kb/2249906

The actual error you get if you click the job is something like this:

‘VMName’ failed to start.
Microsoft Emulated IDE Controller (Instance ID
{83F8638B-8DCA-4152-9EDA-2CA8B33039B4}): Failed to Power on with Error ‘General
access denied error’

IDE/ATAPI Account does not have sufficient privilege to open attachment
‘E:\VMs\VMName\Disk0.vhd. Error: ‘General access denied error’

Account does not have sufficient privilege to open attachment
‘E:\VMs\VMName\Disk0.vhd. Error: ‘General access denied error’

If you click “See details” you will see some additional information:

‘VMName’ failed to start. (Virtual machine ID
5FC5C385-BD98-451F-B3F3-1E50E06EE663)

‘VMName’ Microsoft Emulated IDE Controller (Instance ID
{83F8638B-8DCA-4152-9EDA-2CA8B33039B4}): Failed to Power on with Error ‘General
access denied error’ (0x80070005). (Virtual machine ID
5FC5C385-BD98-451F-B3F3-1E50E06EE663)

‘VMName’: IDE/ATAPI Account does not have sufficient privilege to open attachment
‘E:\VMs\VMName\Disk0.vhd. Error: ‘General access denied error’ (0x80070005). (Virtual
Machine ID 5FC5C385-BD98-451F-B3F3-1E50E06EE663)

‘VMName’: Account does not have sufficient privilege to open attachment
‘E:\VMs\VMName\Disk0.vhd. Error: ‘General access denied error’ (0x80070005). (Virtual
Machine ID 5FC5C385-BD98-451F-B3F3-1E50E06EE663)

To fix the error, follow these steps:

  1. Note the Virtual Machine ID that is listed in the “‘General access denied error’ (0x80070005)” error message.

    For example, consider the following error message:

    ‘VMName’: IDE/ATAPI Account does not have sufficient privilege to open attachment
    ‘E:\VMs\VMName\Disk0.vhd. Error: ‘General access denied error’ (0x80070005). (Virtual
    Machine ID 5FC5C385-BD98-451F-B3F3-1E50E06EE663)

    In this example, the Virtual Machine ID is 5FC5C385-BD98-451F-B3F3-1E50E06EE663.

  2. Open an elevated command prompt.
  3. To give the Virtual Machine ID (SID) access to the .vhd or .avhd file, type the following command, and then press Enter:
    icacls <Path of .vhd or .avhd file> /grant "NT VIRTUAL MACHINE\<Virtual Machine ID from step 1>":(F)

    For example, to use the Virtual Machine ID that you noted in step 1, type the following command, and then press Enter:

    icacls "E:\VMs\VMName\Disk0.vhd" /grant "NT VIRTUAL MACHINE\5FC5C385-BD98-451F-B3F3-1E50E06EE663":(F)
  4. Start the virtual machine.

After this the Virtual Machine starts normally.
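The same repair from PowerShell instead of the command prompt, as an added example (not from the original post or the KB article): it extracts the disk path and Virtual Machine ID from the error text, checks whether the disk already has an entry for that VM, and only then runs the icacls command from step 3. The $ErrorText sample is constructed from the message format shown above.

```powershell
# Added example, not part of the original post. Run elevated on the Hyper-V host.
# Constructed sample in the format shown above; paste your own error message instead.
$ErrorText = @'
'VMName': IDE/ATAPI Account does not have sufficient privilege to open attachment
'E:\VMs\VMName\Disk0.vhd. Error: 'General access denied error' (0x80070005). (Virtual
Machine ID 5FC5C385-BD98-451F-B3F3-1E50E06EE663)
'@

# The message wraps across lines, so collapse all whitespace runs first.
$flat = $ErrorText -replace '\s+', ' '

if ($flat -notmatch 'Virtual Machine ID (?<id>[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12})') {
    throw 'No Virtual Machine ID found in the error text.'
}
$vmId = $Matches['id']

# "." before the drive letter matches either a straight or a typographic quote.
if ($flat -notmatch 'open attachment .(?<path>[A-Z]:\\.+?\.a?vhdx?)\. Error') {
    throw 'No .vhd/.avhd path found in the error text.'
}
$diskPath = $Matches['path']

if (-not (Test-Path $diskPath)) { throw "Disk file not found: $diskPath" }

# Is there already an access entry for this VM on the disk file?
$account  = "NT VIRTUAL MACHINE\$vmId"
$existing = (Get-Acl -Path $diskPath).Access |
    Where-Object { $_.IdentityReference.Value -eq $account }

if ($existing) {
    "Entry for $account already present:"
    $existing | Select-Object IdentityReference, AccessControlType, FileSystemRights
}
else {
    "No entry for $account on $diskPath, granting access as in step 3."
    # ${vmId} stops PowerShell from parsing "$vmId:" as a scoped variable name.
    icacls $diskPath /grant "NT VIRTUAL MACHINE\${vmId}:(F)"
}

# Show the resulting ACL so the change can be verified before starting the VM.
icacls $diskPath
```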

Posted in Hyper-V, SC DPM, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2

Installing Forefront Unified Access Gateway 2010 service packs

Recently some of our users started complaining that they get a strange error every time they try to access a SharePoint page published through our UAG 2010 SP1 server. They all have Windows 8.1 and Internet Explorer 11, so they started getting the mobile access page instead of the usual UAG access page.

I’ve tried to trick the browser using the developer mode in Internet Explorer and set it to emulate an older version of Internet Explorer but couldn’t make it work.

The only thing left to do was to update our UAG server to the latest service pack (SP4) which supports Windows 8.1 and Internet Explorer 11.

Microsoft claims that if you are doing an in-place update or installation of a service pack for UAG 2010, the setup process takes care of the export, update and import of the configuration. As I found out 2 hours after my initial SP installation, that is not true. The first strange thing is that the UAG service packs are not cumulative. If you have Forefront UAG 2010 SP1 update rollup 1 installed, you will have to install first SP2, then SP3, then update rollup 1 for SP3 and in the end SP4. And every time you upgrade you will have to do a configuration update using the Config Update utility.

Before you begin the procedure I advise you to take either a snapshot, if your server is a virtual machine, or a DPM backup of the virtual machine. We are using Data Protection Manager 2012 R2, so I’m going to do a virtual machine backup before I start the procedure.

After you create a backup or a snapshot you need to do an export of your configuration. Open the UAG console and select export from the menu. Save the file and please don’t forget the password 🙂

The installation of all the service packs is pretty straightforward. If your server has UAC enabled you will have to start a CMD in administrator mode and start the update from there.

You should always restart the server after every update. After the restart, check if your configuration got imported properly. Mine wasn’t, so I had to start the Configuration Update utility (you can find it in the Common\Bin directory).

The whole process lasted a little over 2 hours on our UAG server. After that the users with Windows 8.1 had no trouble accessing the SharePoint webpage.

 

Posted in Forefront UAG 2010, Windows Server 2008 R2

Asterisk trace your calls

How to trace calls in Asterisk (do a SIP trace of your call)

Log in to the shell.

Type asterisk -r to enter the CLI, then run the following commands:

core set verbose 3

core set debug 3

sip set debug ip X.X.X.X

X.X.X.X is the source or the destination IP address that you want to capture.

Place your calls and after you are finished you can disable debugging using:

sip set debug off

Posted in Asterisk

How to install Linux Integration Services on CentOS 6.5 on Microsoft Hyper-V Server

With the new version of CentOS (6.5) and the new version of Microsoft’s Linux Integration Services (LIS) 3.5, we don’t need to add a legacy network adapter first and then replace it with a standard network adapter. This is a step-by-step guide for installing LIS on a Microsoft Hyper-V Server virtual machine running CentOS 6.5.

  1. Create a new VM with a standard Network Adapter.
  2. Download CentOS 6.5 minimal if you want to install a server without a GUI, or CentOS 6.5 if you need the server with the GUI. You can download it from www.centos.org
  3. Download LinuxICv3.5.iso (http://www.microsoft.com/en-us/download/details.aspx?id=41554)
  4. After the installation of CentOS is finished, mount the LinuxICv3.5.iso.
  5. To copy and install the Integration Services package, type the following commands:

mkdir -p /mnt/cdrom

mount /dev/cdrom /mnt/cdrom

cp -rp /mnt/cdrom /opt/linuxIC

umount /mnt/cdrom

cd /opt/linuxIC/RHEL63

./install.sh

After the installation of the Integration Services is finished, you can update your network settings using vi:

vi /etc/sysconfig/network-scripts/ifcfg-eth0

The settings should look something like this. To start typing, press i (insert mode):

DEVICE="eth0"

BOOTPROTO=static

ONBOOT="yes"

TYPE=Ethernet

HWADDR=(this is where your MAC address will be. You can check if it is the same as the MAC address assigned to the machine in Hyper-V)

IPADDR=(You will enter your static IP address here)

NETMASK=(Type your network mask here)

GATEWAY=(Your default gateway IP)

DNS1=(Primary DNS Server IP)

DNS2=(Secondary DNS Server IP)

networking=yes

You can save your file by pressing Esc and then entering :wq.

After you set up your IP address you have to bring the interface up:

ifup eth0

or

ifconfig eth0 (IP) netmask (MASK) up

The last thing you have to do is restart networking:

service network restart

You can enter your DNS servers in the file /etc/resolv.conf. You don’t need to specify them in the ifcfg-eth0 file for your interface.

nameserver (Primary DNS server IP)

nameserver (Secondary DNS server IP)

If you need to add a special route for your network, you can add it in a file named /etc/sysconfig/network-scripts/route-eth0.

You can add your hostname and gateway in a file named /etc/sysconfig/network like this:

NETWORKING=yes

HOSTNAME=(Your hostname)

GATEWAY=(Your Gateway IP)

If you don’t need the firewall on your server, you can disable it by using these commands:

service iptables save

service iptables stop

chkconfig iptables off

 

Posted in CentOS, Linux, Windows Server 2012 R2

IIS error 401 Unauthorized access is denied due to invalid credentials

This weekend, while I was creating a publishing rule for an IIS webpage on our TMG server, I noticed a strange behaviour on the IIS server. When you try to open the page through a web browser you get an HTTP authentication window, and after you enter your credentials the same HTTP authentication window pops up again. After the third iteration the server reports 401 Unauthorized: Access is denied due to invalid credentials.

The problem was solved by changing the order for the authentication mechanisms. We had Negotiate above NTLM and the server had trouble authenticating the users.

To change the order you have to do the following:

  • Open IIS and select the website (or directory) that is causing the 401.
  • Open the “Authentication” property under the IIS header.
  • Click the “Windows Authentication” item and click Providers.
  • Change the order and put NTLM on top.

After the change, open Command Prompt and run iisreset /noforce.

The error should be gone and credentials should be working again.

 

Posted in IIS, Windows Server 2008 R2

SharePoint 404 error while creating a new web application

SharePoint 2010 and SharePoint 2013 both have the same problem when you try to create a new Web Application. There is a timeout limit that occurs during the creation of the Web Application and the web application is provisioned only on the local server. The wwwroot folder for this web application is empty and all you can do is delete the application. You cannot create a site collection using this web application.

Microsoft says that this error occurs because more and more web applications are created on the same server (I have seen this error even when creating the fourth or fifth web application). During the creation process IIS is reset, and by default the application pool allows 90 seconds for the connections to close off before forcibly shutting down. When you have more than one web application, apparently 90 seconds is not enough for the provisioning to finish. As a result the w3wp process is killed and the provisioning process is stopped prior to the timer jobs being created.

The solution is to open IIS Manager on the server hosting the Central Administration:

1. In the tree view, expand the server name and click on Application Pools.

2. Locate the SharePoint Central Administration v4 application pool. Right click on it and choose Advanced Settings.

3. In the Process model section, set the Shutdown Time Limit to a greater value.


4. You can also set the idle shutdown to False.

5. Restart IIS.

 

 

Posted in SharePoint 2010, SharePoint 2013

SharePoint 2010 incoming e-mail size limit

SharePoint 2010 and SharePoint 2013 use the same IIS 6.0 SMTP server for incoming e-mail configuration. Because of the default configuration the incoming e-mail size limit is set to 2048 KB.

The error that you receive when you try to send an e-mail larger than 2 MB, or one that has attachments larger than 2 MB, is something like this:

This message is larger than the current system limit or the recipient’s mailbox is full.  Create a shorter message body or remove attachments and try sending it again.

You will have to go to the IIS 6.0 administration console, right-click the domain and then go to the Messages tab. In the message size limit you can enter the desired size for the incoming e-mail messages.

After you change the message size you will have to do an IIS reset to apply the changes.

Posted in Exchange Server 2007, Exchange Server 2010, Exchange Server 2013, SharePoint 2010, SharePoint 2013

System Center Data Protection Manager problem with protected Workgroup Server

If you have a protected workgroup computer in your System Center Data Protection Manager environment and you forget, or you don’t want, to check the box Password never expires for the synchronization account for DPM, then you will probably get this error about 42 days after you configured your workgroup server for backup with SC DPM.

Description: Unable to contact DPM protection agent.
The protection agent operation failed because it could not access the protection agent on YOURPROTECTEDDPMSERVER. YOURPROTECTEDDPMSERVER may be running DPM, or the DPM protection agent may have been installed by another DPM server

In the Event Viewer on the protected server running the DPM agent I noticed a bunch of Event ID 85 entries.

Event Type: Error
Event Source: DPMRA
Event Category: None
Event ID: 85
Date:  2011-01-15
Time:  13:30:38
User:  NT AUTHORITY\SYSTEM
Computer: YOURPROTECTEDDPMSERVER
Description:
A DPM agent failed to communicate with the DPM service on YOURDPMSERVER because of a communication error. Make sure that YOURDPMSERVER is remotely accessible from the computer running the DPM agent. If a firewall is enabled on YOURDPMSERVER, make sure that it is not blocking requests from the computer running the DPM agent (Error code: 0x800706ba, full name: YOURDPMSERVER).

The problem is that the password for the local account on the protected server has expired and the account has the box next to User must change password at next logon checked. You will have to execute the following commands on the protected server and on the DPM server:

– on the protected server:

SetDpmServer.exe -dpmServerName YOURDPMSERVER -isNonDomainServer -updatePassword

Be careful to use either the FQDN or the name of your DPM server (it has to be the same name that you used when you configured this the first time), otherwise you will get an error stating that this computer is not protected as a workgroup computer.

– on the DPM server:

Update-NonDomainServerInfo -PSName YOURPROTECTEDDPMSERVER -dpmServerName YOURDPMSERVER

 

 

Posted in SC DPM, Windows Server 2008 R2, Windows Server 2012

Lenovo T430 problem with Wi-Fi adapter when using Hyper-V

This one has been making me crazy ever since I got my Lenovo T430 laptop. This laptop has an Intel Centrino Advanced-N 6205 WiFi card. The minute I got Windows 8 up I installed Lenovo System Update and made sure that every single driver had been updated. The problem started when I enabled the Hyper-V role and created the WiFi Hyper-V switch. The internet connection lasted for about 5 minutes and then it would just show the yellow exclamation mark and the internet would go dead. I had to disable and enable the WiFi adapter or disconnect and reconnect to the network. It would work for 5 or 10 minutes and then it would go down again. I reverted to using a cable connection and didn’t use the WiFi connection for virtual machine traffic for a while, and yesterday I wanted to give it another go.

It was a disaster until I realised that Intel has a newer driver for this card than Lenovo.

https://downloadcenter.intel.com/Detail_Desc.aspx?agr=Y&DwnldID=22741&lang=eng

I’ve installed the Wireless_15.8.0_De64.exe file and the problems disappeared. I had 4 virtual machines running and downloading updates from the internet and the card just kept on working without a problem.

Lenovo should really integrate these Intel drivers for the WiFi card as soon as they can, because I’ve seen a lot of people having trouble with the WiFi connection on certain routers.

 

Posted in Hyper-V, Intel Centrino Advanced-N 6205, Lenovo T430, Windows 8