
How to replace expired certificates on ADFS 3.0 the right way

1:44 pm in 2012R2, ADFS, ADFS 3.0, BYOD, certificates, Cloud, Enterprise Mobility Suite, Global Managed Service Account, IIS, Known Issue, Lab, Power Management, WAP, Web Application Proxy by Kenny Buntinx [MVP]


As with all IT equipment that uses certificates for enhanced security, there comes a time when those certificates expire and need to be replaced. Below you will find the procedure for ADFS 3.0 and the Web Application Proxy:

The first step is to create a new CSR on one of your servers and request a renewal of the existing certificate (in our case a *.demolabs.be wildcard). After the request has been processed, download your certificate and import it on the server where you created the CSR earlier. For ADFS / WAP it is very important that you export the certificate together with its private key. You can only export the certificate with the private key on the server where you previously created the CSR. Export it with the private key to a *.pfx file and import that on both the WAP and the ADFS server.

If you do not do it as described above, with an export of the private key, you will face issues even if you follow the steps below exactly, as shown in the screenshot below:

image


Follow the procedure below, starting with the ADFS server:

  1. Log onto the ADFS server.
  2. Import the new certificate (exported with its private key) to the server. Make sure it is added to the personal certificate store of the computer account.
  3. Find the thumbprint of the new certificate. Either use the certificates MMC snap-in to view the certificate details, or use PowerShell and run Get-AdfsSslCertificate. Take a copy of the thumbprint and make sure the spaces are removed.
  4. Make sure that the service account running the ‘Active Directory Federation Services’ service is granted read access to the private key.
  5. Launch AD FS Management, expand ‘Service’ in the left pane and click ‘Certificates’, then click ‘Set Service Communications Certificate’.

image


  6. Restart the ADFS service. However, this is not enough: changes made in the GUI do not change the HTTP.sys binding. To complete the configuration change, run the following PowerShell command: Set-AdfsSslCertificate -Thumbprint <Thumbprintofyourcertificate>
  7. Make sure to restart the server.

Now you need to log onto the WAP server.

  1. Import the new certificate (exported with its private key) to the server, as you did on the ADFS server.
  2. Run the PowerShell command to change the certificate: Set-WebApplicationProxySslCertificate -Thumbprint <Thumbprintofyourcertificate>
  3. All of the publishing rules defined in the WAP need to be updated with the thumbprint of the new certificate. Use PowerShell to update them. Run: Get-WebApplicationProxyApplication -Name "WebAppPublishingRuleName" | Set-WebApplicationProxyApplication -ExternalCertificateThumbprint "<Thumbprintofyourcertificate>"
  4. Restart the Web Application Proxy service to complete the configuration.
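The whole renewal as one script, added here as an example and not part of the original post. It assumes a PFX exported with its private key, the real ADFS, WebApplicationProxy and PKI cmdlets of Windows Server 2012 R2, and treats the PFX path and the role switch as placeholders; it checks up front for the missing-private-key case described above and verifies afterwards that no binding or publishing rule is still on the old certificate.

```powershell
# Added example (not from the original post): renew the ADFS / WAP SSL certificate from a PFX.
# Assumptions: $PfxPath and $Role are placeholders supplied by the caller; run elevated.
param(
    [Parameter(Mandatory)][string]$PfxPath,             # e.g. C:\certs\wildcard.pfx (placeholder)
    [ValidateSet('ADFS','WAP')][string]$Role = 'ADFS'
)
$pfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'
$cert = Import-PfxCertificate -FilePath $PfxPath -CertStoreLocation Cert:\LocalMachine\My `
            -Password $pfxPassword -Exportable

# The failure case from the post: a certificate imported without its private key cannot be bound.
if (-not $cert.HasPrivateKey) {
    throw "Certificate $($cert.Thumbprint) has no private key; re-export the PFX with the key."
}
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate already expired on $($cert.NotAfter)." }

# Thumbprint taken from the object has no spaces, which is the form the cmdlets expect.
$thumb = $cert.Thumbprint -replace '\s', ''

switch ($Role) {
    'ADFS' {
        # Granting the ADFS service account read access to the private key (step 4) stays a
        # manual MMC step. Set-AdfsCertificate is the cmdlet equivalent of the GUI's
        # "Set Service Communications Certificate".
        Set-AdfsCertificate -CertificateType Service-Communications -Thumbprint $thumb
        # The GUI alone does not touch HTTP.sys; this call does.
        Set-AdfsSslCertificate -Thumbprint $thumb
        Restart-Service adfssrv
        # Verify every HTTP.sys binding now carries the new hash.
        $stale = Get-AdfsSslCertificate | Where-Object { $_.CertificateHash -ne $thumb }
        if ($stale) { Write-Warning "Bindings still on the old certificate:`n$($stale | Out-String)" }
    }
    'WAP' {
        Set-WebApplicationProxySslCertificate -Thumbprint $thumb
        # Every publishing rule keeps its own external thumbprint and must be updated as well.
        Get-WebApplicationProxyApplication |
            Set-WebApplicationProxyApplication -ExternalCertificateThumbprint $thumb
        Restart-Service appproxysvc
        $stale = Get-WebApplicationProxyApplication |
                     Where-Object { $_.ExternalCertificateThumbprint -ne $thumb }
        if ($stale) { Write-Warning "Rules still on the old certificate: $($stale.Name -join ', ')" }
    }
}
```

Run it once on the ADFS server with -Role ADFS and once on the WAP with -Role WAP; a warning at the end means a binding or rule was left on the old thumbprint and needs attention before the old certificate expires.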

Now you are done and you are a happy admin once more. Took me some time to figure it out.

Hope it helps,

Kenny Buntinx

MVP Enterprise Client Management

CM12 : Issue with ASP.Net when installing the Application Catalog Website Point Role

7:24 am in CM12, ConfigMgr 2012, ConfigMgr V.next, dotnet, IIS, SCCM 2012, SCCM v.Next, System Center by Kenny Buntinx [MVP]

Yesterday I faced an issue at one of my customers when installing CM12 in a lab environment. I wanted to install the Application Catalog Website Point Role.

Scenario:

  • My CM12 site is installed and running.
  • I am adding the necessary roles such as the Fallback Status Point, the Application Catalog Website Point and the Application Catalog Web Service Point.

To do that I added the ASP.NET component in IIS, as stated in the prerequisites here:

http://technet.microsoft.com/en-us/library/gg682077.aspx

SCCMprim018

Then I added the necessary roles and, after looking in the appropriate log file, I discovered an error: “Error: IIS Asp.net is NOT registered. Setup failed – Error 126.”

SCCMprim020

To solve this, you will need to navigate to “%systemroot%\Microsoft.NET\Framework\v.4.0\” and run “aspnet_regiis.exe -i”.

Make sure that you register the latest version of the .NET Framework. In this case that is version 4 of the .NET Framework.

SCCMprim021

After restarting the CM12 services, the role reinstalled correctly without any issues.

Hope it helps,

Kenny Buntinx

SCCM OSD Deployment : The IIS Admin service is not starting anymore on a deployed sysprepped Windows Embedded 2009 with IIS 6.0 installed

12:44 pm in ConfigMgr, ConfigMgr 2007, ConfigMgr 2007 R2, ConfigMgr SP2, configmgr2007, IIS, Installation, Known Issue, OSD, sccm, SCCM 2007, SCCM 2007 R2, SCCM 2007 SP2, sccm2007, script, WES, WES 2009, WES2009, XPe by Kenny Buntinx [MVP]

Lately I have been busy with testing and deploying some Windows Embedded 2009 devices for a big project, the Advantech ARK-1388. One requirement from the customer was to have IIS 6.0 installed. We decided to include the IIS 6.0 component in the WES 2009 image with Target Designer (which is the tool for building the WES image), but every time we deployed an image after it had been sysprepped with SCCM, the IIS Admin service would fail to start.

Because this needed to be deployed onto three thousand (3000) WES devices, we contacted Microsoft PSS support for some help. Below you will find our findings and the workaround for the issue.

Our problem:

We installed a Windows Embedded 2009 image with IIS 6.0 on an Advantech ARK-1388 and it is running fine. The OS is prepared for system cloning using the sysprep.exe tool (supported since WES 2009).

When we reapplied the master image with SCCM R2 SP2 and mini-setup was completed, the OS seemed to run fine, however the "IIS Admin" service does not start and returns the following error:
"Windows could not start the IIS Admin on Local Computer. For more information, review the System Event Log. If this is a non-Microsoft service, contact the service vendor, and refer to service-specific error code -2146893818."

There are no related errors in the Event Logs. IIS cannot be repair-installed using the Add/Remove Programs component of the Control Panel (this was done to see if we could automate a self-repair).

We would like to deploy the WES image using the OSD feature of SCCM 2007 R2, but the problem also occurs when the customer calls sysprep.exe manually without using SCCM. (That's what we thought, SCCM always works great!! :-) )


Our environment:

We have a Windows Embedded 2009 image with IIS 6.0.
We have an SCCM 2007 R2 SP2 environment.


The summary of our troubleshooting:

1. Microsoft CSS discussed with the WES and SCCM teams whether WES 2009 is supported on SCCM 2007 R2. After a discussion they modified their statement on the web, see http://blogs.technet.com/configmgrteam/archive/2010/01/25/things-you-need-to-know-when-using-windows-embedded-standard-2009.aspx

2. The proposed workarounds from Microsoft (re-installing MSDTC and IIS) from the "WES Resource Kit" didn't solve the problem.

3. We checked the FBWF status on the sysprepped image. It was still disabled, as it should be.

4. Microsoft spoke with the IIS team about the issue. Discussion results:
  a) It's a known problem that IIS doesn't work after sysprepping the image because of the changes made by sysprep.
  b) Using sysprep on XP Pro is not supported, see KB326779 "Supported IIS configurations for use with Sysprep".
  c) The only supported solution is to install IIS after the sysprep phase. On XP Pro PCs you can run an unattended IIS installation
     using the Sysocmgr command (which can add or remove Windows Components), e.g. as described in
     KB309506 "How To Perform an Unattended Installation of IIS 6.0".
     Here is the catch!!: Unfortunately Sysocmgr.exe is not shipped with the XPe database ===> meaning that it is impossible to install IIS 6.0 after we have deployed our WES 2009 client!

5. As discussed with Microsoft and the IIS team, I tried to "repair" the IIS Admin service after the final sysprep boot by using SysOCmgr. We copied the missing sysocmgr.exe from an XP Pro SP3 PC and I had to insert an XP Pro SP3 CD into the CD drive for the missing files. We don't believe this workaround can be used by my customer (legal and technical issues).

6. For a test we used fbreseal instead of sysprep. The IIS Admin service was running after fbreseal. But as far as I know, deployment via SCCM 2007 OSD requires the use of sysprep, and fbreseal cannot be used in this scenario.


Our solution:

Together with the WES product team and Microsoft PSS support we found an easy workaround to get the "IIS Admin" service running again on the sysprepped WES 2009 image.
The workaround switches off the IIS components in the registry and calls the FBAOC.exe tool to re-install IIS. It solved the problem on our test devices.

Here’re the details about this workaround:

1. It doesn’t need the XP Pro SP3 CD.
2. It doesn’t need any file from an XP Pro SP3 PC (like sysocmgr.exe).
3. It doesn’t need to collect any IIS files into a special installation location.

The workaround:

1. Uses your original SLX file and WES 2009 image, which uses the FBOCMgr phase 5550 for the IIS components.
   This means you can run the workaround on your original sysprepped images.
2. Changes some IIS registry settings used by the OS to install IIS.
3. Uses a WES-specific command (FBAOC.exe) which is part of your original SLX file and image.
4. Steps 2-3 can be executed by the attached files:

  a) MyIIS-Off.reg      for changing the registry

*********************************CODE BEGIN**********************************

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OC Manager\Subcomponents]
"iis_common"=dword:00000000
"iis_inetmgr"=dword:00000000
"iis_www"=dword:00000000
"iis_www_vdir_scripts"=dword:00000000
"iis_www_vdir_printers"=dword:00000000
"iis_doc"=dword:00000000
"iis_ftp"=dword:00000000

*********************************CODE ENDS**********************************


  b) MyIISinstall.bat   runs the workaround (by using MyIIS-Off.reg)

*********************************CODE BEGIN**********************************

@echo off

rem Import the registry file that marks the IIS OC Manager subcomponents as not installed,
rem so the First Boot Agent sees IIS as still to be installed.
echo Changing registry settings…
regedt32 /s \MyIIS-Off.reg

rem Re-run the WES optional component installer (FBAOC.exe), which re-installs IIS.
echo Enabling IIS features…
\windows\FBA\FBAoc.exe

echo Done.

*********************************CODE ENDS**********************************

Please put the files in the C:\ root folder of your sysprepped WES 2009 image and call the MyIISinstall.bat file from a command line.

When running properly the batch file will run for 1-2 minutes and it will display 3 output lines:
        Changing registry settings…
        Enabling IIS features…
        Done.

Afterwards the "IIS Admin" service should be running.

So this scenario is not supported on XP Pro, but this workaround is supported.
This is a known problem/limitation on XP Pro. The same problem occurs on WES installations because WES uses exactly the same XP Pro binaries.


Hope it helps,

Kenny Buntinx

SCCM : Upgrading secondary sites to SP2 via Software Distribution on Windows 2008 could generate some issues

2:39 pm in ConfigMgr, ConfigMgr 2007, ConfigMgr 2007 R2, ConfigMgr SP2, configmgr2007, IIS, sccm, SCCM 2007, SCCM 2007 SP2 by Kenny Buntinx [MVP]

Scenario: Your primary site server has been upgraded from SCCM 2007 SP1 R2 to SCCM 2007 SP2. You want to upgrade all your secondary site servers, which are running on Windows Server 2008, to Service Pack 2 in an automated way with software distribution. The secondary site servers have the Proxy MP, State Migration Point and PXE Service Point roles installed.

You will create a package with the source files and create a program that runs unattended with the following parameters: setup.exe /upgrade <path to SP2 prereqs>

Issue:

After the client receives the advertisement, the secondary site will search for a distribution point. It will find it locally (same server) and will start the BITS transfer.

At that point in time, it will give an HTTP 404.8 error. You will also get the same error when browsing manually in IE to the URL where the source files are stored. When looking up this error 404.8, you will see that it says: “hidden namespace or hidden segment error”. In the request filtering module of IIS 7, there are some directories excluded by default from which no files can be transferred. One of those excluded folders is the “bin” folder.

Within the source of SCCM Service Pack 2 there are folders with the name “bin”, which means that the transfer of the source files will be blocked.

Solution:

Only after removing the exclusion of the “bin” folder in the IIS 7 request filtering module are the files and folders with the name “bin” available for download.

The configuration file where the exclusions are written down: %windir%\system32\inetsrv\config\applicationhost.config (it can also be modified with appcmd).
The log files to check: DataTransferServices.log of the SCCM client, and the u_ex<date>.log in the c:\inetpub\logs\logfiles\w3svc1 folder.
An example of a URL that was blocked: http://server/sms_dp_smspkgd$/<packageID>/smssetup/adminui/bin/
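An added example, not from the original post, that does both halves of the above in PowerShell: it confirms the 404.8 symptom by parsing the IIS W3C log for hidden-segment blocks (the two log lines are constructed; the package ID and the site name 'Default Web Site' are placeholders), and then removes the "bin" hidden segment for the distribution point site only rather than server-wide, using the WebAdministration module.

```powershell
# Added example (not from the original post). Assumptions: site name and package ID are
# placeholders; the log sample is constructed in the IIS 7 W3C format.
Import-Module WebAdministration

$sampleLog = @'
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2010-03-01 10:12:01 10.0.0.5 GET /SMS_DP_SMSPKGD$/ABC00001/smssetup/adminui/bin/setup.dll - 80 - 10.0.0.9 Microsoft+BITS/7.5 404 8 0 15
2010-03-01 10:12:02 10.0.0.5 GET /SMS_DP_SMSPKGD$/ABC00001/smssetup/setup.exe - 80 - 10.0.0.9 Microsoft+BITS/7.5 200 0 0 31
'@

function Get-HiddenSegmentHits {
    # Returns the cs-uri-stem of every request that IIS answered with 404.8
    # (404.8 = blocked by a hiddenSegments rule in requestFiltering).
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') { $fields = ($line -replace '^#Fields:\s*') -split ' '; continue }
        if ($line -like '#*' -or -not $fields) { continue }
        $values = $line -split ' '
        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        if ($row['sc-status'] -eq '404' -and $row['sc-substatus'] -eq '8') { $row['cs-uri-stem'] }
    }
}

Get-HiddenSegmentHits ($sampleLog -split "`r?`n") |
    ForEach-Object { "blocked by hidden segment: $_" }

# Fix scoped to the DP site: a <remove segment="bin"/> at site level leaves every other site
# on the server with the default protection, which is what the Microsoft note below warns about.
$site   = 'IIS:\Sites\Default Web Site'   # placeholder: the site hosting the SMS_DP share
$filter = 'system.webServer/security/requestFiltering/hiddenSegments'
$config = "$env:windir\system32\inetsrv\config\applicationHost.config"
Copy-Item $config "$config.bak-$(Get-Date -Format yyyyMMddHHmm)"   # keep a rollback copy

$hidden = Get-WebConfiguration -PSPath $site -Filter "$filter/add" |
              Select-Object -ExpandProperty segment
if ($hidden -contains 'bin') {
    Remove-WebConfigurationProperty -PSPath $site -Filter $filter -Name '.' -AtElement @{segment='bin'}
    "removed hidden segment 'bin' from $site"
}
```

After the change, re-run the BITS transfer and confirm that the same URI no longer appears with status 404 and substatus 8 in the current u_ex log.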

************* Update **************

Microsoft has foreseen a nice section to specifically address our concern, as they document how to configure Windows Server 2008 (and above) for site systems here:

http://technet.microsoft.com/en-us/library/cc431377.aspx

While they don’t explicitly call out this specific scenario (They can’t possibly anticipate everything), this general “problem” is covered by the following text…

To modify the requestFiltering section on BITS-enabled distribution point computers

If package source files distributed to BITS-enabled distribution points contain file extensions that are blocked by default in IIS 7.0, the requestFiltering section of the applicationHost.config file must be modified to allow required extensions.

Important

Enabling WebDAV and modifying the requestFiltering section of the applicationHost.config file for the Web site increases the attack surface of the computer. Enable WebDAV only when required for management points and BITS-enabled distribution points. If you enable WebDAV on the default Web site, it is enabled for all applications using the default Web site. If you modify the requestFiltering section, it is modified for all Web sites on that server. The security best practice is to run Configuration Manager 2007 on a dedicated Web server. If you must run other applications on the Web server, use a custom Web site for Configuration Manager 2007. For more information, see Best Practices for Securing Site Systems.

************* Update **************


Thanks to my colleague Merlijn for helping me figure this out.


Hope it helps,

Kenny Buntinx