Using Internet Information Services (IIS) to Redirect HTTP to HTTPS on a Web Application Proxy (WAP) Server

For those of you who do not know, Microsoft’s Web Application Proxy (WAP) is a reverse HTTPS proxy that accepts HTTPS requests for multiple incoming domains (or subdomains) and forwards them to internal servers. It does not, however, handle HTTP at any point, which is a failure in itself: it would not be hard to add an option that, when enabled, redirects HTTP to HTTPS itself rather than forcing a workaround. Come on Microsoft, stay on the ball here, but I digress.

As I stated, the main issue is that the WAP itself does not redirect an HTTP request to the equivalent HTTPS address. I have played with several possible solutions for this, including a Linux server running Apache 2 with PHP reading the requested URL and redirecting to the HTTPS equivalent. None of these, however, has the simple elegance of this solution, which puts the HTTP to HTTPS redirect on the same box as the WAP system itself.

First of all, log into the WAP server and install the Internet Information Services (IIS) role. IIS only needs to answer on port 80 here; leave it with its default HTTP binding and do not add an HTTPS binding, because WAP already listens on port 443 through HTTP.sys. Once the role is installed, open IIS Manager and you should see a window similar to the one below.

01-OpenIISManager

Now navigate to the required server by clicking on it, and on the right hand side click “Get New Web Platform Components”.

02-GetNewWebPlatformComponents

This opens a new web browser window as shown below; when it does, simply select “Free Download”. If you cannot download the file because of a security warning, see the separate post on this blog about Internet Explorer refusing file downloads on Server 2012 R2 for how to enable downloads. Download and install the software via your chosen method.

03-FreeDownload

Once it is installed a new page will appear; this is the main splash page of the Web Platform Installer.

04-WebPlatformInstaller5.0HomeScreen

Using the search box (which at the time of writing, in Web Platform Installer 5.0, is in the top right hand corner) search for the word “Rewrite”. This will display a “URL Rewrite” result with the version number appended (2.0 at the time of writing this article). Click the “Add” button to the right of the highlighted “URL Rewrite” line.

05-URLRewriteAdd

This will change the text on the button to “Remove” and activate the “Install” button in the lower right of the screen. Click the install button.

06-URLRewriteInstall

Clicking this install button brings up a licensing page; click the “I Accept” button (assuming of course you do accept the T’s & C’s).

07-LicenceAcceptance

You will then get an install progress page,

08-RewriteInstallProcess

which will change to a completed page after it is done, so click the “Finish” button in the lower right hand corner.

09-RewriteInstallFinish

This will drop you back to the original splash screen of the Web Platform Installer; click “Exit”.

10-WPI-Finish

You will now need to close and re-open IIS Manager and reselect the server you were working on. You should now see two new options: the first, “Web Platform Installer”, we need not concern ourselves with any further; the second is “URL Rewrite”.

11-IISManager-NewModule

Double click on “URL Rewrite” to open the URL Rewrite management console. On the right hand side of this console, in the “Actions” pane, click “Add Rule”.

12-AddRewriteRule

This opens a list of possible rule templates. What we want to create is an “Inbound Rule”, as our requests are coming into the server from an external source. Select “Blank Rule” and click the “OK” button.

13-NewRule-BlankRule(Inbound)

On the page that opens, in the “Name” field type the name you want to give the rule. I use and suggest HTTP to HTTPS Redirect, as this tells you exactly what it does at a glance.

14-NewRule-NameRule

In the next section, “Match URL”, set “Requested URL” to “Matches the Pattern” (default), “Using” to “Regular Expressions” (default) and, most importantly, “Pattern” to (.*) (without the quotes). The parentheses make the whole request path a capture group, which the action below refers to as {R:1}. I suggest you take this opportunity to test the pattern matching.

15-NewRule-Regex Match

In the “Conditions” section, ensure that “Logical grouping” is set to “Match All” (default) and click the “Add” button.

16.01-NewRule-AddCondition

In the box that appears, set “Condition input” to “{HTTPS}” (again without the quotes, and yes, those are curly braces, not brackets). {HTTPS} is an IIS server variable that reads ON for a request that arrived over TLS and OFF otherwise, so this condition restricts the rule to plain HTTP requests. Change the “Check if input string” dropdown to “Matches the Pattern”, in the “Pattern” box below type “^OFF$” (again, no quotes), and leave “Ignore case” checked. With this one I do not suggest testing the pattern, as even though this system works fine for me, this test ALWAYS fails. Click the “OK” button (mine is not highlighted here as I had already clicked it and had to re-open the box).

16.02-NewRule-ConditionSettings

This will take you back to the new rule screen; check the conditions match as shown and then we can move on.

16.03NewRule-ConditionComplete

This is where we tell it what to do when the previous conditions match. In the “Action” pane set “Action type” to “Redirect” and “Redirect URL” to “https://{HTTP_HOST}/{R:1}” (again curly braces, and of course no quotes). {HTTP_HOST} is the host name the client asked for and {R:1} is the path captured by the (.*) pattern, so the client lands on the HTTPS version of exactly the URL it requested. You can choose whether “Append query string” is checked, but I highly recommend leaving it checked: if someone has emailed out a URL with a query string but without the protocol prefix (http:// or https:// being the ones we care about), we want the query string appended to the redirected URL so they end up where they intended. Finally, set the “Redirect type” dropdown to “Permanent (301)” (default).

17-NewRule-ActionConfiguration

Restart IIS for good measure (iisreset) and there you have it: HTTP is now redirected to HTTPS on the same server that runs WAP. Ensure that ports 80 (HTTP) and 443 (HTTPS) are forwarded from your router to the server and that the firewalls (and any other intermediaries) on both the router and server allow the traffic. Keep in mind that IIS must only hold the port 80 binding; WAP itself answers on 443, and a clashing IIS HTTPS binding will break one or the other.
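As an added example (not code from the original post), here is the web.config that the URL Rewrite UI generates for the rule built above, written to the Default Web Site root from PowerShell, followed by a check from the WAP box that a plain-HTTP request really comes back as a 301 to the https:// equivalent. It assumes IIS and URL Rewrite are installed, that the site root is C:\inetpub\wwwroot with no web.config of your own already in it, and it uses apps.example.com as a placeholder for a name that resolves to this server.

```powershell
# Added example, not from the original post. Writes the "HTTP to HTTPS Redirect"
# rule as the XML the URL Rewrite UI would produce, then verifies the redirect
# without following it. Assumptions: IIS + URL Rewrite installed, site root is
# C:\inetpub\wwwroot, 'apps.example.com' is a placeholder host name.

$siteRoot  = 'C:\inetpub\wwwroot'
$webConfig = Join-Path $siteRoot 'web.config'

$ruleXml = @'
<?xml version="1.0" encoding="utf-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="HTTP to HTTPS Redirect" stopProcessing="true">
          <!-- Match URL: (.*) captures the whole request path as {R:1} -->
          <match url="(.*)" />
          <!-- Condition: only act on requests that did not arrive over TLS -->
          <conditions logicalGrouping="MatchAll">
            <add input="{HTTPS}" pattern="^OFF$" ignoreCase="true" />
          </conditions>
          <!-- Action: permanent redirect to the same host and path, query string kept -->
          <action type="Redirect" url="https://{HTTP_HOST}/{R:1}"
                  appendQueryString="true" redirectType="Permanent" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
'@

# Refuse to clobber an existing web.config; merge the <rewrite> section by hand instead.
if (Test-Path $webConfig) {
    throw "$webConfig already exists; merge the <rewrite> section into it rather than overwriting."
}
Set-Content -Path $webConfig -Value $ruleXml -Encoding UTF8

# Check the redirect without following it: with AllowAutoRedirect off, a 3xx
# response is returned normally instead of being chased to the HTTPS site.
function Test-HttpsRedirect {
    param([string]$Url)
    $req = [System.Net.WebRequest]::Create($Url)
    $req.AllowAutoRedirect = $false
    $resp = $req.GetResponse()
    try {
        [pscustomobject]@{
            Status   = [int]$resp.StatusCode
            Location = $resp.Headers['Location']
        }
    } finally {
        $resp.Close()
    }
}

Test-HttpsRedirect -Url 'http://apps.example.com/some/path?x=1'
```

With the rule working, the call at the end reports a Status of 301 and a Location of https://apps.example.com/some/path?x=1, i.e. the same host, path and query string the client asked for. If the Status is 200 the rule is not being applied (check that the URL Rewrite module shows up in IIS Manager for that site); if the request times out, something else is already holding port 80 or the firewall is not letting it through.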

Enjoy and as always have fun

Justin

Fixing a Corrupt Active Directory Database

Recently I was contacted by a colleague who was having issues with an Active Directory database. Whilst there is nothing unusual in this colleague contacting me for help or vice-versa, this issue was beyond the norm.

What he reported to me was that the primary domain controller (PDC) and secondary domain controller (SDC) on this site had out-of-sync databases. This came to the fore as he was adding new devices (through WDSUtil) to be imaged: they appeared on the SDC but not on the PDC. The main effect was that they would image the machine and get the correct name from the SDC, which was also acting as the Windows Deployment Services (WDS) server, but it would not bind to the domain, as there was no account for it on the PDC.

Upon further investigation (over the phone at this point) we discovered that the two domain controllers were out of sync and the tombstone had expired. Fixing this problem allowed for a partial sync, as outlined below:

On PDC
PDC==>SDC – Success
SDC==>PDC – Fail

On SDC
PDC ==>SDC – Success
SDC==>PDC – Success

These tests were run from the “Active Directory Sites and Services” tool on the domain controllers as shown above.

Looking at the event logs showed Active Directory Domain Services error 1988 with the following text:

Active Directory Domain Services Replication encountered the existence of objects in the following partition that have been deleted from the local domain controllers (DCs) Active Directory Domain Services database. Not all direct or transitive replication partners replicated in the deletion before the tombstone lifetime number of days passed. Objects that have been deleted and garbage collected from an Active Directory Domain Services partition but still exist in the writable partitions of other DCs in the same domain, or read-only partitions of global catalog servers in other domains in the forest are known as “lingering objects”.

It also gave a whole bunch of sensitive information (hence I will not publish it) identifying the object that was causing it. Looking for the cause of the error I came across repadmin (the AD replication admin command line tool):
repadmin /removelingeringobjects ServerWithLingeringObjects CleanServerGUID NamespaceContainingLingeringObject
which I ran, then I ran the replication tests again and got the same results.

So, figuring I had nothing to lose, I deleted the object referenced in the error, which in my case was a user, and tried the replication again. This time I got an error stating that “An internal error occurred”. Great, what next? Looking at the event logs again (on the PDC, as by this time I was pretty sure it was the PDC causing the issues) I found an error 467, meaning a corrupt database… Oh SHIT… OK, not that bad really, but still.

I decided that I would try to repair the database directly rather than using ADRM on the server (as I only had remote access). I stopped the Active Directory Domain Services service in Services Manager (services.msc) and, knowing that the AD database is a JET database stored in C:\Windows\NTDS (NTDS stands for NT Directory Services), I copied the file ntds.dit (the AD database itself) to the desktop twice (under two different file names, one to work on and one as a backup).

Once I had the two files I ran a verify on the database with
esentutl /g C:\Users\<USER>\Desktop\ntds.dit
The result came back that the database was in fact corrupt, so I ran the fix:
esentutl /p C:\Users\<USER>\Desktop\ntds.dit
I then moved the fixed file back to C:\Windows\NTDS, restarted the Active Directory Domain Services service in Services Manager (services.msc), ran the replication tests again, and they all passed.
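As an added example (not the post’s own commands), the same offline check-and-repair sequence as a PowerShell script: it takes the backup before anything touches the database, only reaches esentutl /p when /g reports corruption, re-verifies the repaired copy before swapping it in, and finishes with the replication checks. The work folder path is an assumption; the rest is the default domain controller layout.

```powershell
# Added example, not from the original post: scripted version of the offline
# ntds.dit check and repair described above, with the safety rails a
# practitioner wants. Assumptions: run elevated on the affected DC, ntds.dit is
# at the default path, $work is a placeholder folder with space for two copies.

$ntds    = 'C:\Windows\NTDS\ntds.dit'
$work    = 'C:\ntds-repair'
$stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$backup  = Join-Path $work "ntds.dit.backup-$stamp"
$scratch = Join-Path $work "ntds.dit.work-$stamp"

New-Item -ItemType Directory -Path $work -Force | Out-Null

# 1. Take AD DS offline; ntds.dit cannot be copied or checked while NTDS holds it open.
#    -Force also stops the dependent services (KDC, DFSR/FRS, ...).
Stop-Service -Name NTDS -Force

# 2. One untouched backup, one working copy. Nothing below ever edits $ntds in place.
Copy-Item $ntds $backup
Copy-Item $ntds $scratch

# 3. Integrity check on the working copy. esentutl exits 0 when the database is clean.
& esentutl.exe /g $scratch
if ($LASTEXITCODE -eq 0) {
    Write-Host "esentutl /g reports the database is consistent; not repairing."
    Start-Service -Name NTDS
    return
}

# 4. Repair the working copy only. /p is a lossy, last-resort repair: pages it
#    cannot salvage are discarded, so it must never be run on the live file.
& esentutl.exe /p $scratch /o
if ($LASTEXITCODE -ne 0) {
    Start-Service -Name NTDS
    throw "esentutl /p failed (exit $LASTEXITCODE); original ntds.dit left in place."
}

# 5. Re-verify the repaired copy before it goes anywhere near the NTDS folder.
& esentutl.exe /g $scratch
if ($LASTEXITCODE -ne 0) {
    Start-Service -Name NTDS
    throw "Repaired copy still fails /g; restore from backup or rebuild from another DC."
}

# 6. Swap in the repaired file. The transaction logs belong to the old copy and are
#    moved aside so NTDS does not try to replay them against the repaired database.
Copy-Item $scratch $ntds -Force
Get-ChildItem 'C:\Windows\NTDS' -Filter '*.log' | Move-Item -Destination $work
Start-Service -Name NTDS

# 7. Confirm replication in both directions. /replsummary gives per-DC failure
#    counts; /showrepl lists each inbound partner and its last result.
& repadmin.exe /replsummary
& repadmin.exe /showrepl
```

Two things worth adding to the procedure as written: repadmin /removelingeringobjects accepts an /advisory_mode switch that only logs what it would delete, which is the sensible first run before you let it remove anything; and Microsoft’s supported path after an esentutl /p repair is to follow it with ntdsutil’s semantic database analysis (with fixup) so that any objects left inconsistent by the discarded pages are cleaned up, or simply to demote and re-promote the DC if a healthy replication partner exists.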

Crisis averted, and I am now owed a good bottle of Scotch Whisky

This was all done over a remote session, so it is possible.

Justin

Internet Explorer Cannot Download a File on Server 2012 R2

So you have just set up a new Server 2012 (R2) server and gone to download that file you need for the next step, only to be shown a nasty message stating that you cannot do that, as file downloads have been disabled.

NoFileDownload

Well, the good thing to know is that it’s an easy fix. Downloads are blocked because Internet Explorer Enhanced Security Configuration (IE ESC) is on by default on Server 2012 R2; the cleaner options are to turn IE ESC off for Administrators in Server Manager (Local Server, IE Enhanced Security Configuration), or better still to download the file on a workstation and copy it across rather than browse from the server at all. To change just this one setting, open “Internet Options”, go to the “Security” tab, select the “Internet” zone and click the “Custom level…” button.

InternetOptions-SecurityTab-CustomLevel

This opens the “Security Settings – Internet Zone” window. In the main section of the window scroll down to “Downloads” and its subsection “File download” (as of this writing the setting is just above halfway down the options list) and simply change it from “Disable” to “Enable”. Click OK, drop back to the main screen and retry the download.

EnableDownloads

If you get a warning, as shown below, simply OK it and continue.

Warning

Have fun

Justin

EMCO Remote Shutdown

Remote Shutdown from EMCO Software is a great piece of software for managing fleets of Windows-based PCs in large environments. It uses Wake on LAN to start PCs up at a set time, nothing fancy in that, but it can also force log-offs and shutdowns on a schedule. It does this through clever use of facilities already built into Windows but little used. I would certainly rate this software highly and recommend it to anyone with large fleets to manage.

I have used it at several clients to manage their fleets: to start up the PCs before workers get there, and to shut them down after they leave. This stops people leaving them on from sheer forgetfulness (if one needs to be left on we can exclude the PC from shutdown for the required time, but people do need to tell us) and we use it as part of our environmental program to minimise power wastage. People who are logged in and using the PC when the shutdown or log-off instruction arrives can cancel it themselves (we do not want to stop people working, now do we).

This has helped with several things. As we have a specified lunch period at each site, I shut down the PCs 10 minutes after it has started, to allow updates to install, and restart the PCs 5 minutes before people are due back at work. We have a much greater patch ratio now than before. The schedules at the sites are simple: start at 0800, shutdown at 1345, restart at 1455, shutdown of some PCs at 1610, shutdown of all PCs at 2000.

In addition, when one of the clients had an environmental audit (they were chasing a 6 star environmental rating) the auditor was impressed with the technology and it helped them gain their 6 star rating.

All in all I am very impressed with the EMCO solution and highly recommend it

Internet Explorer & Other Multi-Tab Group Policy Settings

So, visiting a client today, I noticed that the group policy settings for Internet Explorer were not applying correctly: some settings were applying, some not. After looking at the settings and the RSoP, I decided to take a look at the XML generated for the GPO, and that’s when I saw it… disabled=1, hello. Now the question was where it came from. I knew the GPO was working in other respects, and checking the XML confirmed this, so I re-generated the settings, 5 minutes’ work, but still no resolution; it was still stating that it was disabled.

What is an IT professional to do, woe is me… Looking further into the situation I came across something I had long forgotten and filed under “I will never need that”. What was happening, or rather not happening, was that I was not enabling the fields: specifically, in a multi-tabbed setting you will see a red dashed line or a red “No” symbol (the same red border and line that you see wherever something is prohibited, a no smoking sign for example), as shown below.

stopped symbol    Dashed Line

These markers belong to Group Policy Preferences items such as the Internet Settings ones: a field underlined in red is not written to the client at all, whatever value is showing in it, which is why the generated XML carries disabled=1. To enable the settings you press one or more of the following keys, depending on how you want to do it:

F5 – Enable all items on the Page/Tab
F6 – Enable Currently Selected item on Page/Tab
F7 – Disable Currently Selected item on Page/Tab
F8 – Disable all items on the Page/Tab

Once you have enabled the items you will get either a solid green line or a green OK symbol as shown below

green line   go symbol

Once this was done, I simply forced an update of group policy and, voilà, everything worked as it should once more.

Moral of this story: it’s the things you think you don’t need that ultimately you will need.

Hyper-V Fix Time Sync issues

I know this has been done to death, but as this is my Blog, and the original idea for it was for me to put all the odds and sods of knowledge in one location so  I did not have to remember every little command, I am doing it again.

Hyper-V on Server 2008 and 2008 R2 has a known issue with time slipping, slipping, slipping into the future (sorry, Steve Miller Band moment there) when the primary domain controller (PDC) is a Hyper-V guest: the host pushes its own clock into the guest, while the PDC emulator is supposed to be the authoritative time source for the whole domain. The first part of the fix is an easy step: on the Hyper-V host turn OFF “Time Synchronisation” for the PDC, or whichever server takes care of time syncing on your network (although I do it for all servers). Select the virtual machine in Hyper-V Manager, open its settings, select Integration Services and untick “Time Synchronisation”, as shown in the image below.

Virtual Machine Settings - Integration Services - Turn off Time Sync

Second, on the PDC you should set a known reliable external time source; I normally pick one from http://pool.ntp.org.

To add this server and make the PDC sync from it, open an administrative command prompt and enter the following commands:

net stop w32time
w32tm /config /manualpeerlist:PEERS /syncfromflags:manual /reliable:yes /update
net start w32time

Where PEERS is the selected time server or time server pool.

This should bring the clock into line straight away and keep it there.
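As an added example (not from the original post), the same w32tm configuration done from PowerShell together with the checks that show it has actually taken effect, which is the part people usually skip. The Disable-VMIntegrationService step assumes a Server 2012 or later Hyper-V host (the 2008 R2 host in the post has to use the GUI shown above); the VM name DC01 and the pool.ntp.org host names are placeholders.

```powershell
# Added example, not from the original post. Two halves: the host side removes the
# guest's dependence on the host clock, the guest side points the PDC emulator at
# external NTP and then proves the change took. Assumptions: Server 2012+ Hyper-V
# host for the VM cmdlets, 'DC01' and the pool names are placeholders.

# --- On the Hyper-V host: stop the host clock overriding the guest's ---
Disable-VMIntegrationService -VMName 'DC01' -Name 'Time Synchronization'
Get-VMIntegrationService -VMName 'DC01' -Name 'Time Synchronization' |
    Select-Object Name, Enabled

# --- On the PDC emulator guest: external NTP, marked as a reliable source ---
# ',0x8' asks for client-mode NTP requests; several peers go in one quoted,
# space-separated list (the same PEERS value as the three commands above).
$peers = '0.pool.ntp.org,0x8 1.pool.ntp.org,0x8 2.pool.ntp.org,0x8'

Stop-Service w32time
& w32tm.exe /config /manualpeerlist:"$peers" /syncfromflags:manual /reliable:yes /update
Start-Service w32time

# Force a sync now instead of waiting for the next poll interval.
& w32tm.exe /resync /rediscover

# The source must now be one of the NTP peers. If it still reads
# 'VM IC Time Synchronization Provider' the host-side integration service is still
# on; 'Local CMOS Clock' means the peers were unreachable (firewall, UDP 123).
& w32tm.exe /query /source
& w32tm.exe /query /status
& w32tm.exe /query /configuration | Select-String -Pattern 'NtpServer|^Type|AnnounceFlags'

# Sanity check that this really is the PDC emulator; only that DC should be
# configured this way, the other DCs should keep following it via the domain hierarchy.
Get-ADDomain | Select-Object PDCEmulator
```

The last line needs the ActiveDirectory module (part of RSAT, present on any DC). Giving a second DC the same /reliable:yes /syncfromflags:manual treatment is a common mistake: the rest of the domain follows the PDC emulator through the domain hierarchy, and two independently configured time sources just move the skew around.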

Global DNS Blocklist

After rebuilding an AD domain controller I was wondering why I could no longer get a response for WPAD, when it hit me like a ton of bricks: the Global Query Block List. This is a “feature” in some Microsoft products, and in this case specifically Server 2008 R2, that makes the DNS server refuse to answer queries for specific names (isatap and wpad by default, although you can change the list). The reason is security: in a zone that accepts dynamic updates, any machine could otherwise register the wpad name and have every browser on the network fetch its proxy settings from that machine. All well and good, and I am all for added security, but a number of browsers rely on the wpad name for automatic proxy detection, hence we have to lift the block, at least for that name.

Thankfully that is easy enough through an ADMINISTRATIVE command prompt using the following commands.

If you want to check whether the block list is enabled, type
dnscmd /info /enableglobalqueryblocklist
If it displays 1 it is enabled, if 0 it is disabled; nice and simple. To see the contents of the block list (let us assume from here on that all command prompts are administrative), type
dnscmd /info /globalqueryblocklist
which prints the blocked names to your screen.

Now how to disable it, easy simply input the following commands

  1. dnscmd /config /globalqueryblocklist (optional: with no names given this clears the list, so that if it is ever re-activated it is empty)
  2. dnscmd /config /enableglobalqueryblocklist 0

The second command is the one that does the actual disabling; conversely, to enable it again type dnscmd /config /enableglobalqueryblocklist 1. As an aside, dnscmd /config /globalqueryblocklist name1 name2 ... replaces the whole list with the names given rather than adding to it, so to block an extra name include the existing names as well. The same behaviour gives you a less drastic fix than switching the list off: dnscmd /config /globalqueryblocklist isatap leaves isatap blocked and unblocks only wpad. Whichever way you do it, create the wpad host record yourself before lifting the block, so that nothing else can register that name.


Also don’t forget that on the web server hosting the wpad.dat file the MIME type for it must be defined as “application/x-ns-proxy-autoconfig”.
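As an added example (not from the original post), here is the narrower version of the fix: leave the Global Query Block List enabled, take only wpad out of it, and register the wpad name as a static record first so that no client can claim it through dynamic update once the block is lifted. It uses the DnsServer PowerShell module, which exists on Server 2012 and later (on 2008 R2 the dnscmd commands above are the equivalent), and the zone name and proxy address are placeholders.

```powershell
# Added example, not from the original post. Unblocks only 'wpad' in the Global
# Query Block List, after making sure an admin-owned wpad record already exists.
# Assumptions: DnsServer module (Server 2012+), run on or against the DNS server,
# zone and IP below are placeholders, the zone allows secure dynamic updates only.

$zone    = 'corp.example.com'
$proxyIP = '10.0.0.50'     # host serving wpad.dat over HTTP
$unblock = 'wpad'

# Current state: Enable is a boolean, List is the array of blocked names.
$gqbl = Get-DnsServerGlobalQueryBlockList
"Block list enabled: $($gqbl.Enable); names: $($gqbl.List -join ', ')"

# Register wpad statically before unblocking it. The block list exists precisely
# because an unowned 'wpad' name could be claimed by any machine via dynamic update;
# a record created here by an administrator cannot be overwritten by a client.
$existing = Get-DnsServerResourceRecord -ZoneName $zone -Name $unblock -RRType A `
            -ErrorAction SilentlyContinue
if (-not $existing) {
    Add-DnsServerResourceRecordA -ZoneName $zone -Name $unblock -IPv4Address $proxyIP
} else {
    $ips = @($existing | ForEach-Object { $_.RecordData.IPv4Address.IPAddressToString })
    if ($ips -notcontains $proxyIP) {
        throw "A '$unblock' record already exists pointing at $($ips -join ', '); investigate before unblocking."
    }
}

# The list is replaced, not appended to, so pass everything except wpad back in
# and keep the list switched on for whatever remains (isatap by default).
$remaining = @($gqbl.List | Where-Object { $_ -ne $unblock })
Set-DnsServerGlobalQueryBlockList -List $remaining -Enable $true

# Verify: the list no longer contains wpad, and the server now answers for it.
Get-DnsServerGlobalQueryBlockList
Resolve-DnsName -Name "$unblock.$zone" -Type A -Server localhost
```

The last Resolve-DnsName call is the real test: while the name is on the block list the server returns a negative answer even though the record exists in the zone, which is exactly the symptom described at the top of this post.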

[SOLVED] WSUS Update Error, Not reporting and error 800B0001

After a WSUS rebuild I started noticing that machines, although associating with WSUS, were showing up as not yet having reported to the server. On investigation it was discovered that the clients were erroring with code 800B0001. The machine hosting WSUS is a 64-bit Server 2008 R2 machine; with these details in hand I went off looking for a solution.

Looking for solutions to this I came across several sources indicating that this is a known problem, and thankfully that there is a solution available from Microsoft ( http://www.microsoft.com/en-us/download/details.aspx?id=29999 )

I simply installed the update and restarted at the end as asked by the installer. Once the server was back up I went back to the same clients and re-ran Windows Update, and off it went, working again.

Nice Simple fix, if only everything was that easy


Windows Server Update Service Not installing due to WSUSService and Performance Counters

Today, whilst installing a new WSUS server on a 2008 R2 Standard server for a client, I came across a new error I had not seen before: the WSUS install got part of the way through and then threw up the error “Windows Server Update Service 3.0 SP2 could not install WSUSService and the Performance Counters”.

To be honest this was a quick fix; in my case it came down entirely to the performance counters, which is about a 5 minute check and a 30 second fix.

First open Regedit and compare the “Last Counter” and “Last Help” values under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib with the last index numbers in the “Counter” and “Help” multi-string values under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\009 (the entries alternate index and text, so the last index is the second-to-last line). They should match. Here 009 is the language ID for English, so it will differ for other locales.

In my case this was all OK. If it is not, you may also need to make sure the performance counters have not been disabled: under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib look for a “Disable Performance Counters” value. If it is missing, do not worry, it simply means they are enabled and never have been disabled (the value is only created the first time the counters are disabled). If it is present and non-zero, turn the counters back on by setting it to 0.

Once this is done you need to rebuild the counters, this is thankfully easy to do from the command line, simply open an administrative command prompt and type the following

cd %SystemRoot%\system32
lodctr /R

The first command uses the SystemRoot environment variable to drop you into the System32 directory (normally C:\Windows\system32, but it changes with the install location and the variable always points at the right place; there is no %systemdir% variable). The second command rebuilds the counter entries from scratch. Alternatively, if you have a backup of the perf counters (generated with lodctr /s:<filename>) you can load it with lodctr /R:<filename>. On a 64-bit system run lodctr /R from %SystemRoot%\SysWOW64 as well, so that the 32-bit counters are rebuilt too.
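As an added example (not from the original post), the registry check described above as a PowerShell function, so the Last Counter / Last Help comparison and the “Disable Performance Counters” test can be run in one go instead of eyeballed in Regedit, followed by a repair function that saves a restorable copy before rebuilding with lodctr on both the 64-bit and 32-bit sides. It assumes an elevated prompt and defaults to the 009 (English) language ID as in the post.

```powershell
# Added example, not from the original post: automated form of the Perflib check
# and the lodctr rebuild described above. Assumptions: run elevated; the language
# subkey defaults to 009 (English); backups go to %TEMP%.

function Test-PerflibCounters {
    param([string]$LangId = '009')

    $perflib = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib'
    $root = Get-ItemProperty -Path $perflib
    $lang = Get-ItemProperty -Path (Join-Path $perflib $LangId)

    # Counter and Help are REG_MULTI_SZ of alternating index/text pairs, so the
    # highest index in use is the second-to-last non-empty element.
    $counterIdx = [int](@($lang.Counter | Where-Object { $_ -ne '' })[-2])
    $helpIdx    = [int](@($lang.Help    | Where-Object { $_ -ne '' })[-2])

    # 'Disable Performance Counters' only exists once the counters have been
    # disabled at least once; any non-zero value means they are currently off.
    $disabledProp  = $root.PSObject.Properties['Disable Performance Counters']
    $disabledValue = if ($disabledProp) { [int]$disabledProp.Value } else { 0 }

    [pscustomobject]@{
        LastCounter      = [int]$root.'Last Counter'
        LangLastCounter  = $counterIdx
        LastHelp         = [int]$root.'Last Help'
        LangLastHelp     = $helpIdx
        CountersDisabled = ($disabledValue -ne 0)
        Consistent       = ([int]$root.'Last Counter' -eq $counterIdx) -and
                           ([int]$root.'Last Help'    -eq $helpIdx)
    }
}

function Repair-PerflibCounters {
    $perflib = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib'

    # Re-enable the counters if something switched them off.
    if (Get-ItemProperty -Path $perflib -Name 'Disable Performance Counters' -ErrorAction SilentlyContinue) {
        Set-ItemProperty -Path $perflib -Name 'Disable Performance Counters' -Value 0 -Type DWord
    }

    # Keep a restorable copy of the current counter strings before rebuilding.
    $backup = Join-Path $env:TEMP ('perf-backup-{0:yyyyMMdd-HHmmss}.ini' -f (Get-Date))
    & "$env:SystemRoot\System32\lodctr.exe" "/s:$backup"

    # Rebuild from the per-service .ini files; the 64-bit lodctr handles the native
    # counter registry, the SysWOW64 copy handles the 32-bit view on x64.
    Push-Location "$env:SystemRoot\System32"
    & "$env:SystemRoot\System32\lodctr.exe" /R
    Pop-Location
    if ([Environment]::Is64BitOperatingSystem) {
        Push-Location "$env:SystemRoot\SysWOW64"
        & "$env:SystemRoot\SysWOW64\lodctr.exe" /R
        Pop-Location
    }
    "Counter strings backed up to $backup; restore with lodctr /R:<file> if the rebuild makes things worse."
}

$before = Test-PerflibCounters
$before
if (-not $before.Consistent -or $before.CountersDisabled) {
    Repair-PerflibCounters
    Test-PerflibCounters   # should now report Consistent = True, CountersDisabled = False
}
```

Test-PerflibCounters alone is harmless and can be run on any box to confirm the diagnosis before touching anything; Repair-PerflibCounters is the part that needs the WSUS installer to be re-run afterwards.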

As I said, takes longer to do the checks than it does to apply the fix (isn’t that always the case)

References:
http://support.microsoft.com/kb/300956

OSX Lion, Printers not working due to Authentication CUPS Fix

  1. Delete the problematic printers using your preferred method
  2. Open CUPS on the local machine ( http://localhost:631 )
  3. Click on the “Administration” tab on the top of the page
  4. Click the “Add Printer” button
  5. Select, “Windows printer via spoolss”, click continue
  6. In the connection box enter the device URI
    smb://DOMAIN;USERNAME:PASSWORD@PRINTER_HOST/PRINTER_QUEUE
    (use a dedicated low-privilege print account here rather than a user’s own domain password, as CUPS keeps the whole URI, password included, in its printers.conf on the Mac)
  7. Click Continue
  8. On the next screen enter details for the printer (Name, Location etc), click Continue
  9. Select Brand and Model of Printer, Click Add Printer
  10. Print Test Page