Author Archives: TheSchwenkster

2012R2 RADIUS Authentication for Dell PowerConnect 8024f

I am not going to re-invent the wheel here. See these two blogs for info on initial setup on the PowerConnect and Radius server.

Daryl Hunter – Network Cowboy “Dell PowerConnect + RADIUS + Windows Server 2008 NPS”

vNetWise Virtual Blatherings and “2008R2 RADIUS Authentication for Dell PowerConnect 6248”

Both of these links do a great job explaining what you need to do on the PowerConnect and the Server. Make sure you at least do the following:

Set up a local admin
Set up the RADIUS list
Set up the RADIUS servers – two servers seemed to work, although vNetWise mentioned issues in their implementation
Configure Telnet, SSH, HTTP(s)
Configure RADIUS clients on the Windows Server
Create the NPS Network Policy

There are two things that are not mentioned or only mentioned by visitors in the comments.

First, there is a 48-character limit for the RADIUS key. If the standard 64 characters generated by the server are used, you will get Event 6273, Error 16 “Authentication failed due to a user credentials mismatch. Either the user name provided does not map to an existing user account or the password was incorrect.”

Second, you have to set up a connection request policy or the Network Policy Server will refuse the connections with Event 6273, Error 49 “The RADIUS request did not match any configured connection request policy (CRP).”

These are the settings I used to create our connection request policy:

Connection_Request_Policies

After both of these changes were implemented, we were able to successfully authenticate with RADIUS.
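To make those two pitfalls easier to catch, here is an added PowerShell example (mine, not from the original post or from either of the linked blogs). It generates a shared secret that stays inside the switch's 48-character limit and summarizes NPS Event 6273 rejections by reason code, so Reason 16 (credential mismatch, which a truncated secret produces) and Reason 49 (no matching connection request policy) stand out. The event data field names it reads (ReasonCode, Reason, ClientName, ClientIPAddress, SubjectUserName) are assumed from the 6273 event XML on a 2012 R2 NPS.

```powershell
# Added example (not from the original post). Two helpers for the pitfalls above:
# a shared secret that fits the PowerConnect's 48-character limit, and a summary
# of NPS Event 6273 rejections by reason code. Event data field names are assumed
# from the 6273 event XML on 2012 R2 NPS.

function New-RadiusSecret {
    param([int]$Length = 48)   # the switch stores at most 48 characters, so use all of them
    if ($Length -lt 1 -or $Length -gt 48) { throw 'Length must be between 1 and 48 characters' }
    # Alphanumeric only so the value pastes cleanly into the switch CLI and the NPS client dialog.
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'
    $rng  = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $byte = New-Object byte[] 1
    $sb   = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($byte)
        # Rejection sampling: 248 = 4 * 62, so bytes 0..247 map evenly onto the 62 symbols.
        if ($byte[0] -lt 248) { [void]$sb.Append($alphabet[$byte[0] % 62]) }
    }
    $sb.ToString()
}

function Get-NpsRejections {
    param([int]$Hours = 24)
    # Event 6273 ("Network Policy Server denied access to a user") lives in the Security log.
    $filter = @{ LogName = 'Security'; Id = 6273; StartTime = (Get-Date).AddHours(-$Hours) }
    foreach ($e in (Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time       = $e.TimeCreated
            User       = $data['SubjectUserName']
            Client     = $data['ClientName']        # the RADIUS client (switch) as named in NPS
            ClientIP   = $data['ClientIPAddress']
            ReasonCode = [int]$data['ReasonCode']   # 16 = credential mismatch, 49 = no matching CRP
            Reason     = $data['Reason']
        }
    }
}

function Get-NpsRejectionSummary {
    param([int]$Hours = 24)
    Get-NpsRejections -Hours $Hours |
        Group-Object ReasonCode |
        Sort-Object Count -Descending |
        Select-Object Count,
                      @{ n = 'ReasonCode'; e = { [int]$_.Name } },
                      @{ n = 'Reason';     e = { $_.Group[0].Reason } },
                      @{ n = 'Clients';    e = { ($_.Group.Client | Sort-Object -Unique) -join ', ' } }
}

# Usage on the NPS server:
New-RadiusSecret                      # paste the same value into the switch and the NPS RADIUS client entry
Get-NpsRejectionSummary | Format-Table -AutoSize
```

If the summary shows a pile of Reason 16 from one switch right after you rotated the secret, check the key length before you check the user accounts; a pile of Reason 49 means the request never reached a network policy at all, so the connection request policy is what to fix.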

Hopefully these steps help you in your quest to use RADIUS authentication on your Dell PowerConnect switch!

Remember, tips are always appreciated – BTC 17QJoiG7uWvumPjpvECXZgi5GqSPUbYf21


Disabling Deprecated SSL and TLS versions with Group Policy

While working on a client’s system today, I noticed that some newer sites were pointing to an error that went something like this:

This page can’t be displayed
Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings and try connecting to again. If this error persists, it is possible that this site uses an unsupported protocol. Please contact the site administrator.

Sample_Error

This was on a site that should not have caused any issues, Southwest Airlines. A quick check showed that SSL3 and TLS 1.0 were both enabled but nothing else. SSLv3 and TLS 1.0 are insecure, and SSLv3 is fully deprecated. A change was needed; however, their requirements meant keeping the existing settings in place while adding TLS 1.1 and TLS 1.2, without causing issues for end users.

Initial_settings

Enter Group Policy

There are two ways to go about this. One is through Group Policy User Preferences and the other is through hardened Computer Policies. While both accomplish the same goal, they do so in different ways. If you need users to be able to disable or re-enable other versions and you simply want to set defaults, User Preferences is the recommendation. If you are looking for something more secure and unchangeable, go with Computer Policies.

User Preferences

If your requirements put your solution as User Preferences, open Group Policy management and either create a new policy or edit an existing policy. Make sure your policy is linked appropriately. Next navigate to User Configuration -> Preferences -> Control Panel Settings -> Internet Settings and Create or Edit an Internet Explorer 10 setting.

User_Preferences

Once opened, go to Advanced tab and select the versions you wish to add or subtract.

UserPreferencesSettings

Apply and perform a group policy update on an endpoint and user covered by this group policy, then verify the settings have been updated. You will notice that the settings have been updated, but remember, these are preferences and not enforced settings. An end user can still make adjustments that cannot be controlled after the setting is applied.

UserPreferencesInAction

Computer Policies

If your requirements put your solution as Computer Policy, open Group Policy Management and either create a new policy or edit an existing policy. Make sure your policy is linked appropriately. Navigate to Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Internet Explorer -> Internet Control Panel -> Advanced Page and find “Turn off encryption support.” While this name sounds scary, never fear: you are only turning off encryption support as you see fit and ensuring that only the protocols you deem needed are enabled!

ComputerPolicyDisableEncryptionSupport

Enable the setting if it is not already enabled and then select the combination of security protocols you wish to use, in this case SSL 3.0, TLS 1.0, TLS 1.1, and TLS 1.2.

ComputerPolicySettingsEnforced

Apply and perform a group policy update on an end point covered by this group policy and verify the settings have been updated.

ComputerPolicyInAction

You will notice that the settings have been updated and cannot be changed. This will prevent users from selecting insecure or unneeded protocols.
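Both routes above end up as a SecureProtocols REG_DWORD bitmask, which is handy for verifying what actually landed on an endpoint after gpupdate. The following is an added PowerShell example (mine, not from the original post) that decodes that value from the computer policy location and the per-user preference location, flags deprecated protocols that are still on, and computes the value for a chosen combination. It assumes the documented SecureProtocols bit values (SSL 2.0 = 0x08, SSL 3.0 = 0x20, TLS 1.0 = 0x80, TLS 1.1 = 0x200, TLS 1.2 = 0x800) and the two registry paths named in the code.

```powershell
# Added example (not from the original post). "Turn off encryption support" writes
# SecureProtocols under HKLM\...\Policies; the Internet Settings preference / IE
# Advanced tab writes it under HKCU. Bit values are Microsoft's documented ones.
$ProtocolBits = [ordered]@{
    'SSL 2.0' = 0x08
    'SSL 3.0' = 0x20
    'TLS 1.0' = 0x80
    'TLS 1.1' = 0x200
    'TLS 1.2' = 0x800
}
$Deprecated = 'SSL 2.0', 'SSL 3.0', 'TLS 1.0'

$Locations = [ordered]@{
    # Enforced computer policy (greyed out in the IE UI when present).
    ComputerPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
    # Per-user preference; the user can change this one.
    UserPreference = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings'
}

function ConvertFrom-SecureProtocols {
    # Decode a SecureProtocols value into one row per protocol.
    param([Parameter(Mandatory)][int]$Value)
    foreach ($name in $ProtocolBits.Keys) {
        [pscustomobject]@{
            Protocol   = $name
            Enabled    = [bool]($Value -band $ProtocolBits[$name])
            Deprecated = ($Deprecated -contains $name)
        }
    }
}

function ConvertTo-SecureProtocols {
    # Build the value for a chosen set, e.g. the post's SSL 3.0 + TLS 1.0/1.1/1.2 = 0xAA0 (2720).
    param([Parameter(Mandatory)][string[]]$Protocols)
    $value = 0
    foreach ($p in $Protocols) {
        if (-not $ProtocolBits.Contains($p)) { throw "Unknown protocol '$p'" }
        $value = $value -bor $ProtocolBits[$p]
    }
    $value
}

function Get-SecureProtocolsReport {
    # Show what is configured in each location and warn about deprecated protocols still enabled.
    foreach ($loc in $Locations.Keys) {
        $path  = $Locations[$loc]
        $value = (Get-ItemProperty -Path $path -Name SecureProtocols -ErrorAction SilentlyContinue).SecureProtocols
        if ($null -eq $value) {
            Write-Output ("{0}: SecureProtocols not set at {1}" -f $loc, $path)
            continue
        }
        Write-Output ("{0}: SecureProtocols = 0x{1:X} ({1}) at {2}" -f $loc, $value, $path)
        $rows = ConvertFrom-SecureProtocols -Value $value
        $rows | Format-Table -AutoSize | Out-String | Write-Output
        $weak = $rows | Where-Object { $_.Enabled -and $_.Deprecated } | ForEach-Object Protocol
        if ($weak) { Write-Warning ("{0}: deprecated protocols still enabled: {1}" -f $loc, ($weak -join ', ')) }
    }
}

Get-SecureProtocolsReport
# Value for the combination chosen in the post (SSL 3.0, TLS 1.0, TLS 1.1, TLS 1.2):
ConvertTo-SecureProtocols -Protocols 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2'   # 2720 (0xAA0)
# Value once the client is ready to drop the deprecated ones (TLS 1.1 + TLS 1.2 only):
ConvertTo-SecureProtocols -Protocols 'TLS 1.1', 'TLS 1.2'                         # 2560 (0xA00)
```

The warning line is the useful part for a client like the one in this post: the policy keeps SSL 3.0 and TLS 1.0 on because they asked for it, and the report keeps that decision visible so it can be revisited rather than forgotten.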

Hopefully you are able to use these settings to help enforce security across your organization.

Remember, tips are always appreciated – BTC 17QJoiG7uWvumPjpvECXZgi5GqSPUbYf21


Java Silent Update Part 4 – The Deployment with Script

Last week, I described how to deploy Java via Group Policy. When this isn’t an option, you will be turning to a deployment program / service or scripting. In this post, I will go into the details of how to script this deployment from a location that is accessible on your network. Please take this advice, make it your own, and fit it to your design needs.

After deciding what works best for your environment, you will be able to put everything together. We created a file called INSTALL.CMD and used it for the task. We then combined the commands from the previous posts into this file in the following configuration:

@echo off

REM Stop anything that may be holding Java files open
taskkill /F /IM iexplorer.exe
taskkill /F /IM iexplore.exe
taskkill /F /IM firefox.exe
taskkill /F /IM chrome.exe
taskkill /F /IM javaw.exe
taskkill /F /IM jqs.exe
taskkill /F /IM jusched.exe

REM Uninstall Java (%% is a literal % inside a batch file; % is the WQL wildcard)
wmic product where "name like 'java%% 6%%'" call uninstall /nointeractive
wmic product where "name like 'java%% 7%%'" call uninstall /nointeractive
wmic product where "name like 'java%% 8%%'" call uninstall /nointeractive

REM Install JRE x86
msiexec.exe /QN /i "\\server\share\Java\jre1_8_0_65\x86\jre1.8.0_65.msi" TRANSFORMS="\\server\share\Java\jre1_8_0_65\x86\KD_Custom.mst" REBOOT=ReallySuppress
REM Capture the msiexec exit code immediately; "if not errorlevel 0" is never true, so test the value itself.
REM 0 = success, 3010 = success but a reboot is pending; anything else is a failure.
set EXIT_CODE=%ERRORLEVEL%
if %EXIT_CODE% NEQ 0 if %EXIT_CODE% NEQ 3010 goto failed

REM Install JRE x64
msiexec.exe /QN /i "\\server\share\Java\jre1_8_0_65\x64\jre1.8.0_65.msi" TRANSFORMS="\\server\share\Java\jre1_8_0_65\x64\KD_Custom.mst" REBOOT=ReallySuppress
set EXIT_CODE=%ERRORLEVEL%
if %EXIT_CODE% NEQ 0 if %EXIT_CODE% NEQ 3010 goto failed

REM Return the exit code to Deployment Software
exit /B %EXIT_CODE%

:failed
REM Redirection goes first so a trailing digit in %time% is not mistaken for a file handle
>>"\\server\Share\Java\failedinstalls.txt" echo %computername% errored with exit code %EXIT_CODE% on %date% at %time%
exit /B %EXIT_CODE%

Stepping through the script:

Kill tasks that use Java
Uninstall previous version
Install current versions
Send codes back to deployment software

For all of this, you need to make sure that your method of deployment has access to the shared location. You will also want to make sure that the correct files are all living next to each other just as mentioned in previous posts.

Once tested in your environment, you should be able to use your favorite method of deployment to successfully upgrade to the newest version of Java. Please share and comment if you were able to use this information in a successful deployment!

Tips are also appreciated – BTC 1zALFY18ky39ne63Q9SMNFhzJZS6CARFH


DNS EnableLogFileRollover Update via Regedit instead of Powershell

Today we had a remote site report that two computers had limited to no connectivity. The issue led to the site’s DHCP / DNS server. DHCP was no longer authorized and the DNS server would not come up. After DHCP was re-authorized, DNS still had issues. The server happened to be a Server Core install, which added a further wrinkle to troubleshooting.

Once firewall rules were in order, we were able to gather two errors:

Event 2204, DNS-Server_Service - The registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters\EnableLogFileRollover contains an invalid value or could not be read. The DNS server cannot start. You must change this value to valid data or delete it and then attempt to restart the DNS service.

and

Event 3152, DNS-Server_Service - The DNS server was unable to open file c:\windows\system32\logfiles\dns\dns.log for write.  Most likely the file is a zone file that is already open.  Close the zone file and re-initiate zone write.

Research into the issue pointed to making a change with PowerShell.  This site describes fixing the same issue with PowerShell.

https://www.stigviewer.com/stig/microsoft_windows_2012_server_domain_name_system/2015-03-30/finding/V-58549

However, the PowerShell cmdlets did not work. A quick check with Microsoft showed the command should have been working.

https://technet.microsoft.com/en-us/library/dn593669.aspx

https://technet.microsoft.com/en-us/library/cc735712%28v=ws.10%29.aspx

To enable the Rollover function and allow the service to start up successfully, use the following setting:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DNS\Parameters
DWORD32 - EnableLogFileRollover
Value - 1

EnableLogFileRollover

In our case, the entry did not exist. Adding the entry allowed DNS to load successfully and resolved all of our issues.
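Event 2204 covers three different states of that value (missing, wrong type, or out of range), and Server Core has no regedit to poke around in. Here is an added PowerShell example (mine, not from the original post) that tells the three apart, keeps a .reg export of anything invalid before touching it, sets the REG_DWORD to 1 as the post describes, and then starts DNS and checks for the two events from above. The only assumption is the registry path and value name already given in the post.

```powershell
# Added example (not from the original post): check the value Event 2204 complains
# about, keep a copy of anything invalid, set REG_DWORD EnableLogFileRollover = 1,
# and confirm the service comes up without Event 2204 / 3152.
$Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$Name = 'EnableLogFileRollover'

function Test-LogFileRollover {
    # Returns 'Missing', 'Invalid ...' or 'OK (<value>)'. The DNS service expects a
    # REG_DWORD holding 0 or 1; anything else is the "invalid value" case of Event 2204.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'Missing' }
    $kind = (Get-Item -Path $Path).GetValueKind($Name)
    if ($kind -ne 'DWord') { return "Invalid type: $kind" }
    if ($item.$Name -notin 0, 1) { return "Invalid value: $($item.$Name)" }
    return "OK ($($item.$Name))"
}

function Repair-LogFileRollover {
    $before = Test-LogFileRollover
    Write-Output "Before: $before"
    if ($before -like 'Invalid*') {
        # Export the key first so the bad value is on record, then drop it.
        $backup = Join-Path $env:TEMP ('DNS-Parameters-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
        & reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters' $backup /y | Out-Null
        Remove-ItemProperty -Path $Path -Name $Name
        Write-Output "Backed up old value to $backup"
    }
    if ($before -ne 'OK (1)') {
        # -Force overwrites an existing DWORD of 0 and creates the value when it is missing.
        New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value 1 -Force | Out-Null
    }
    Write-Output "After:  $(Test-LogFileRollover)"
}

Repair-LogFileRollover
# The value is read at service start, so (re)start DNS and look for the two events from the post.
Restart-Service -Name DNS
Get-WinEvent -FilterHashtable @{ LogName = 'DNS Server'; Id = 2204, 3152; StartTime = (Get-Date).AddMinutes(-5) } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message
```

Run it in an elevated PowerShell session on the DNS server itself; if the final Get-WinEvent returns nothing, the service started cleanly and the dns.log write error in Event 3152 should be gone along with it.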

Hopefully this information is helpful for those that are looking to resolve a similar issue.

Tips are appreciated – BTC 16hAUEAYn5reugvNcWBXLbp7za89hTx9jA


Java Silent Update Part 3 – The Deployment with GPO

Last week, I described how to prepare for deployment of Java to an organization. With those pieces, we were able to deploy the software silently in several different ways. In this post, I will go into the details on how we deployed software with Group Policy.

First stop would be to upload the files to a location. We deployed to a smaller organization and simply used the location \\TheDomain\NETLOGON and created a folder for Java with a folder under that for versions and an additional folder for both x86 and x64. This may be overkill for your needs but helps with separation and troubleshooting in the future.  This also gives you the ability to add another version prior to removing a previous version, which is discussed at the end of this post.

Example Folder Layout

Once the folders are created, upload the .MSI, .MST, and .CFG files for each installation to the appropriate locations.

Example File Layout

Once uploaded, Navigate to Control Panel –> System and Security –> Administrative Tools –> Group Policy Management and navigate to a test Organizational Unit. Right click on the OU and select “Create a GPO in this domain, and Link it here…”

Create GPO

Name the new GPO and leave Source Starter GPO as none.

Name GPO

Once created, right click on the GPO and select “Edit”

Java GPO Edit

Next, navigate to Computer Configuration –> Policies –> Software Settings –> Software installation. Once there, right click in the right pane and select New –> Package…

Package Creation

A window will appear and you will be able to select the MSI package for Java.

Select Java MSI

At Deploy Software, select Advanced and push OK.

Deploy Software

There will be a short pause while the MSI info is read into the system. A properties box will appear with much of the needed info already filled in. The settings to edit are on the Deployment and Modifications tabs. First, on the Deployment tab, check “Uninstall this application when it falls out of the scope of management.”

Deployment Tab Options

Next, go to the Modifications tab and click Add. Navigate to the MST file and click OK to open.

Select MST

Select OK one more time and you have selected this version of Java.

Now that you have done this for one architecture, do the same for the other (x86 or x64).

Once completed for both architectures, wait or force replication between all sites.  Once replicated, a forced test can be accomplished by running the following from a computer within the test OU:

gpupdate /force

Once run, a reboot will be required. If everything was successful, the software should install before users are allowed to log in. Once successfully tested, apply this GPO to other OUs by right-clicking the OU within Group Policy Management and selecting “Link an Existing GPO…”

Link Existing GPO

A popup gives you an option to select the newly created Java GPO.

Select GPO to Link

Now that you have deployed the software, what happens next week when either Java releases a new version or you are ready to move to the next supported version?

To start, leave the original GPO in place until you are ready to replace that version in production.  This will prevent the software from being “Upgraded” which can cause issues.  It also ensures that you don’t push the next versions directly to production when it should be tested first.

Assuming you have tested and deployed a new version, we can now turn to the old version. We did not upgrade any elements, so there should be no dependencies to cause issues. You are also protected if the computer moves to a different OU that has a different version, as the old one will uninstall since we selected “Uninstall this application when it falls out of the scope of management.” To uninstall, right-click and edit the desired version’s GPO. Navigate to the software to be uninstalled by going to Computer Configuration –> Policies –> Software Settings –> Software installation. From there, right-click and choose All Tasks –> Remove.

Software to uninstall

A pop-up is displayed; select “Immediately uninstall the software from users and computers”

Immediately Uninstall

Once the policy has replicated to all sites, again force a Group Policy to update on the endpoint and restart.  The software should uninstall prior to login.

A few words of advice and caution.

First, this will work if you are using a Direct Access VPN, computer authenticated wireless LAN or wired LAN.  Direct Access VPN works best with Windows 8.1 or better.

Second, deploying through GPO can cause slowness upon startup for users.  This is hardly noticed upon a modern LAN but can be significant on older WLANs or on slower Direct Access VPN connections.

Third, try to avoid upgrading from version to version within the same GPO.  I discovered that the version that was upgraded from did not uninstall.

Fourth, this deployment style works well but does not provide easily accessible reporting nor a way to remove all previous versions. You can use WMIC commands to remove software, BUT you are not able to easily remove and deploy all in one place.

Lastly, I can’t stress how important testing is before large scale deployments.  Testing will help prevent end user complaints as well as extra time for IT staff.

Thanks for viewing, and stay tuned for a scripted version that removes ALL previous versions prior to installation of the new version. Please comment if you have questions, comments, or requests!

Tips are appreciated – BTC 1NTuVYMcGUMSYZ6tkhg7qMEr7XP2fcQJjL


Java Silent Update Part 2 – The Preparation

Previously, I described how to uninstall Java. Now that you have uninstalled Java, you need to install the most recent release. While the uninstall was discovered largely in house, we had to search Google to complete the task properly.

Firstly, we were able to run the following

jre-8u65-windows-i586.exe /s

which was silent. This may suit your needs, but we found that it did not meet the needs of the organization. The install is silent, but it does not prevent auto-updating or any of the other pesky pieces of Java. Because of this, we decided to prepare a proper solution and at this point sought further assistance.

Java’s site isn’t forthcoming with information on what route we needed to take, but there were plenty of other sites that were more than helpful. Two of the most helpful are the following:

http://www.klaus-hartnegg.de/gpo/msi_java8.html

https://maddog2050.wordpress.com/2015/09/09/gpo-deploying-java-8-update-60/

The highlights as to what you need to look for and configure are:

You will need software for editing the MSI database. We used Orca.

Change the CustomAction installexe to Value=3090. I have confirmed that this works on JRE8u65 x86 & x64.

These settings were successful within the java.settings.cfg file that you MUST create:

INSTALL_SILENT=Enable
AUTO_UPDATE=Disable
WEB_ANALYTICS=Disable
REBOOT=Disable
SPONSORS=Disable

I would also recommend generating a transform and applying it to the MSI and not just editing the MSI directly. While editing the MSI directly means you don’t have to apply a transform, it increases the risk of issues with the MSI and needing to keep or retrieve the version at a later date.

Following the guidance provided in the above sites, we were able to prepare a silent install package. We were also able to confirm that the procedures work for JRE8u65 x86 & x64.

In the next article, I will discuss deployment options to ensure success within your environment.

Tips are appreciated – BTC 19HwWXXuihiWPVCXLtimfngtJGz7ntZPke


Java Silent Update Part 1 – The Uninstall

Recently I was tasked with updating the organization’s Java. With the help of some colleagues and Google, we were able to put together a fully functional and silent uninstall of all previous versions prior to installation of the newest version. In this edition, we will discuss the uninstall.

First, let me preface this with a caution: some of these commands can cause issues with running or installed programs if proper testing is not performed prior to deployment.

The first step to uninstalling Java is stopping any programs that might currently be using the software. This is a starting point to which you can expand depending on the applications used in your environment.

taskkill /F /IM iexplorer.exe
taskkill /F /IM iexplore.exe
taskkill /F /IM firefox.exe
taskkill /F /IM chrome.exe
taskkill /F /IM javaw.exe
taskkill /F /IM jqs.exe
taskkill /F /IM jusched.exe

These commands will stop all of the above processes instantly and without the option to save. This can be used to force an install or to prevent users from starting a program while installation is performed upon login.

Once all programs have been closed, you can proceed with uninstall of Java. There are two ways to proceed with the uninstall, targeted or complete. For a complete uninstall, run the following

wmic product where "name like 'java%%'" call uninstall /nointeractive

which will uninstall ALL versions of Java, both x86 and x64.

For a more focused and targeted uninstall, run the following

wmic product where "name like 'java%% 8%%'" call uninstall /nointeractive

which will uninstall ALL Java 8 versions, both x86 and x64.
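One caveat on the wmic route: "wmic product" queries the Win32_Product class, and enumerating that class makes Windows Installer run a consistency check (and possible repair) of every MSI package on the machine, which is slow and touches software that has nothing to do with Java. The following is an added PowerShell example (mine, not from the original post) that reads the Uninstall registry keys instead, so nothing else gets reconfigured, and removes each matching package with msiexec /x by ProductCode while recording the exit code per package. It assumes the Oracle JRE MSI registers itself with the ProductCode GUID as the key name and a DisplayName starting with "Java" (which is what the post's "name like 'java%'" relies on too); other Java builds may register differently.

```powershell
# Added example (not from the original post). Win32_Product / "wmic product" triggers a
# consistency check of every installed MSI package; reading the Uninstall keys does not.
# Assumes the JRE MSI registers under its ProductCode GUID with a DisplayName like
# "Java 8 Update 65"; other Java packages may differ.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'   # x86 packages on x64 Windows
)

function Get-InstalledJava {
    # 'Java*' mirrors the post's complete uninstall; 'Java 8*' mirrors the targeted one.
    param([string]$Pattern = 'Java*')
    Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like $Pattern -and $_.PSChildName -match '^\{[0-9A-Fa-f-]{36}\}$' } |
        ForEach-Object {
            $arch = if ($_.PSPath -like '*WOW6432Node*') { 'x86' } else { 'x64' }
            [pscustomobject]@{
                DisplayName  = $_.DisplayName
                Version      = $_.DisplayVersion
                ProductCode  = $_.PSChildName     # the GUID msiexec /x needs
                Architecture = $arch
            }
        }
}

function Uninstall-Java {
    param([string]$Pattern = 'Java*', [string]$LogDir = "$env:windir\Temp")
    # Same process list as the post, so nothing holds the JRE files open during removal.
    Stop-Process -Name iexplore, firefox, chrome, javaw, jqs, jusched -Force -ErrorAction SilentlyContinue
    foreach ($pkg in Get-InstalledJava -Pattern $Pattern) {
        $log = Join-Path $LogDir ('uninstall-{0}.log' -f ($pkg.ProductCode -replace '[{}]'))
        $p = Start-Process -FilePath msiexec.exe -Wait -PassThru -ArgumentList @(
            '/x', $pkg.ProductCode, '/qn', '/norestart', '/l*v', "`"$log`""
        )
        # Windows Installer: 0 = removed, 3010 = removed but a reboot is pending; anything else failed.
        $status = switch ($p.ExitCode) {
            0       { 'Removed' }
            3010    { 'Removed, reboot pending' }
            default { 'Failed, see log' }
        }
        [pscustomobject]@{
            Package  = $pkg.DisplayName
            Arch     = $pkg.Architecture
            ExitCode = $p.ExitCode
            Status   = $status
            Log      = $log
        }
    }
}

# Usage (run elevated). Review the inventory first, then remove; the table that comes back
# is what you would hand to deployment software for reporting.
Get-InstalledJava | Format-Table -AutoSize
Uninstall-Java -Pattern 'Java 8*' | Format-Table -AutoSize
```

The per-package exit code matters for the scripted deployment later in this series: 3010 means the removal worked and only a reboot is outstanding, so it should not be logged as a failed install.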

Please check back soon for part 2 in which we silently install the most recent version of Java, JRE8u65.

Tips are appreciated – BTC 1EiKhcZYRkapENTXmEXoYxdYheM1otuW7b


Introduction

Welcome to the Schwenk Solutions Technology blog. Here we will discuss information that we find interesting, along with how-to articles on everything from general web safety to more complex enterprise setups. Hopefully you will find the information here helpful.