Creating, requesting, approving, installing Certificates on IIS Core

One way:

  1. Open Certificates Snap-in from Remote Management computer.
  2. Connect to remote computers Machine store (Core-IIS).
  3. Right click the Personal Store object (folder) -> All tasks -> Advanced Operations -> Create Custom Request…
  4. Pick Enrollment Policy (Custom Request for 3rd Party CAs) I have internal CA, So I picked AD Enrollment Policy.
  5. Template – Web Server | PKCS #10
  6. Click Details to expand the AD EP – Web Server template properties (Make sure you enter a common name of the host name of the server, and SAN names for any sites you plan to use this certificate for)
  7. Save the Request file.
  8. Navigate to your CA sign the certificate. (In my case I have web enrollment, so I simply navigated to my CA web page and picked custom request, then opened the request file in notepad and copied the request contents into the text box of the web request, after issued, saved a copy in Base64 format) OR Open the CA snap-in, Right click the CA -> All tasks -> Submit a new Request, Save the issued cert file.
  9. Right click the Personal store on the remote Certificates Snap-in again, select All Tasks -> Import.
  10. Your Certificate is ready for use on the Website binding section of IIS.

Second way:

  1. Creating an INF file to set the certificate properties[Version]
    Signature=”$Windows NT$”
    [NewRequest]
    Subject = “CN=SERVER.CONTOSO.COM” 

    Exportable = FALSE                  ; Private key is not exportable
    KeyLength = 2048                    ; Common key sizes: 512, 1024, 2048, 4096, 8192, 16384
    KeySpec = 1                         ; AT_KEYEXCHANGE
    KeyUsage = 0xA0                     ; Digital Signature, Key Encipherment
    MachineKeySet = True                ; The key belongs to the local computer account
    ProviderName = “Microsoft RSA SChannel Cryptographic Provider”
    ProviderType = 12
    SMIME = FALSE
    RequestType = CMC
    ; At least certreq.exe shipping with Windows Vista/Server 2008 is required to interpret the [Strings] and [Extensions] sections below[Strings]
    szOID_SUBJECT_ALT_NAME2 = “2.5.29.17”
    szOID_ENHANCED_KEY_USAGE = “2.5.29.37”
    szOID_PKIX_KP_SERVER_AUTH = “1.3.6.1.5.5.7.3.1”
    szOID_PKIX_KP_CLIENT_AUTH = “1.3.6.1.5.5.7.3.2”
    [Extensions]
    %szOID_SUBJECT_ALT_NAME2% = “{text}dns=computer1.contoso.com&dns=computer2.contoso.com
    %szOID_ENHANCED_KEY_USAGE% = “{text}%szOID_PKIX_KP_SERVER_AUTH%,%szOID_PKIX_KP_CLIENT_AUTH%”

    [RequestAttributes]
    CertificateTemplate= WebServer

  2. Compiling the INF file into a REQ fileThe following command-line command will generate key material and turn the INF file into a certificate request.
    certreq –new ssl.inf ssl.req

    Once the certificate request was created you can verify the request with the following command:

    certutil ssl.req
  3.  Submitting the REQ file to the CA: if the CA is reachable via RPC over the network, use the following command to submit the certificate request to the CA:
    certreq –submit ssl.req

    You will get a selection dialog to select the CA from. If the CA is configured to issue certificates based on the template settings, the CA may issue the certificate immediately.If RPC traffic is not allowed between the computer where the certificate request was created and the CA, transfer the certificate request to the CA and perform the above command locally at the CA.

    If the certificate template name was not specified in the certificate request above, you can specify it as part of the submission command:

    certreq -attrib "CertificateTemplate:webserver" –submit ssl.req
  4. Installing the certificate at the IIS or ISA computer: Once the certificate was issued and is available as a file on the target computer, use the following command to install it.
    certreq –accept ssl.cer

    The installation actually puts the certificate into the computer’s personal store, links it with the key material created in step #1 and builds the certificate property. The certificate property stores information such as the friendly name which is not part of a certificate.After performing steps 1 to 4 the certificate will show up in the IIS or ISA management interface and can be bound to a web site or a SSL listener.

Manage IIS on Server Core remotely

I’ve started to mange server core installations more and more. I recently required to manage on that was utilize IIS. While I’m fairly used to IIS manager, I wasn’t exactly quite sure how remote management worked.

At first I thought it was a part of RSAT, nope, but fret not it is a feature of Windows, just not enabled by default.

As I expected there to be a bunch of configuration  BS required figured I’d google how to do it instead of googling errors. 😀  I found this really nice right tot the point YouTube video. Luckily this made my life easy.

So on the Core server:

#Install the required service
Install-WindowsFeature -Name Web-Mgmt-Service

#enable IIS remote management
reg add HKLM\SOFTWARE\Microsoft\WebManagement\Server /v EnableRemoteManagement /t REG_DWORD /d 1

#Enable service at boot
Set-Service WMSVC -StartupType Automatic

#Enable Service
Start-Service WMSVC

On the Client Machine (Windows 7-10)

#Enable IIS management tools
Programs and Features -> Turn Windows Features on or off -> IIS -> (check off all items under Web Management Tools, you may not need them all but to be safe doesn’t hurt to add them)

#Open IIS Manager
Either through Server Manager -> manage -> IIS
Or Under the Star menu -> Admin Tools -> IIS Manager

*NOTE* Don’t bother adding the IIS manager Snap-in to an existing MMC session, I found it’s missing the top menu bar.

*NOTE 2* You also need to install IIS Manager for Remote Administration 1.2 (Cause you know this isn’t bundled with RSAT, cause… reasons)
Else you’ll be missing the connect to server option under the file menu.

*NOTE 3* You have to prepend the admin user name with the domain name, else the connection will failed stating unauthorized.

Thanks SSmith!

RSAT MMC CA “Install CA Certificate” Bug

I plan on releasing a 3 part series blog post on configuring a new CA infrastructure, in an existing one where an Enterprise root CA has already been configured. In my series I decided to utilize core servers, these provide an additional layer of issues as managing them is a little more difficult as it usual requires more cmd based knowledge or better yet PowerShell whenever there are such options available. Turns outs in this case even more so then ever.

I won’t go over too much details here, as I’ll save that for my series. Basically one step requires me to import the signed certificate into the Sub Enterprise CA, being core I have to use the RSAT MMC CA snap-in (funny enough even if you have desktop experience it’s the same tool and snap-in used).

What I discovered is when I’d use the RSAT tool on and remote client system loading my actual CA server when loading the nap-in, it would never actually load the input wizard.

I’d right click my CA, select the option to install a CA certificate:

Then it simply act as if it’s reloading the snap-in…

Then nothing… So I asked about it on Technet. Lucky for me Mark Cooper the Master PKI guy came to my rescue.

The solution: On the Sub CA

certutil -installcert <your certificate file name here>

Get your Free ESXi here!

Get ’em while they’re hot. Fresh from the bunnums of the internet!

Now I love my ESXi, and I recently converted my old gaming rig into a hypervisor with non other than my favorite beast ESXi! I first played with 6.5, and don’t get me wrong the fact it was a direct login to the host right from a fresh install is such a thing of beauty. With a plugin available for a smoother console experience from the web driven one.  While the HTML5 based web interface is very slick, the console isn’t exactly 100% real time. With the plugins it’s a nice way around that, however the host management tasks are all locked down to the hosts HTML 5 web interface. So long goes any chance of using the old phat (.Net based) client. I have to say thats sad cause I LOVE the phat client, it is by far the smoothest of all management interfaces, in my experience.

Anyway, logging into my personal host… I see this

This of course doesn’t surprise me. However believe it or not you can continue to run ESXi completely free. It’s generally enough for most peoples needs, there however some limitations.

  • No support
  • Free ESXi cannot be added to a vCenter Server
  • 2 physical CPUs
  • Unlimited cores per CPU
  • Unlimited physical Memory
  • max. 8 vCPU per VM

I won’t go over the details too much but the basics steps are as follows:

  1. Sign up to VMware.com
  2. Goto the vSphere Download Center 6.5 or 5.5.
  3. Register, Download your ISO and grab your Key.

Free ESXi 6.5 – How to Download and get License Keys

 

USB 3.0 Support on Windows 7 Guest VM

In Short, it’s not supported. If you’re running Workstation 9 or above, there’s this trick.

Now this guy goes into the real nitty gritty, and I love that! I however was working with ESXi 5.5 u3b. Now VMware did the same thing with the ESXi hypervisor and introduced USB 3.0 support via the xHCI controller. However the exact same limitation apply.

1) Drivers of USB 3.0 Host Controller are not provided by VMware Tools.

2) VMware USB 3.0 Host Controller will work only if your Virtual Machine OS has Native USB 3.o Support. Examples of such OS are – Windows 8, Windows Server 2012 and Linux Kernel 2.6.31 and above.

He goes on to say he’s screwed, but I’ve found the older EHCI +UHCI controller works for USB 1.1 and 2 devices I haven’t fully tested all case scenarios however. .For a Windows Server 2016 VM, on a HP Gen9  server with ESXi 5.5. My findings were as follows:

  1. Installed xHCI usb controller, via VM settings.
  2. Guest OS picked up hardware change and installed driver without issue.
  3. Plugged in USB 2.0 device, showed up in Host, as USB device became available to add to VM via VM settings, so added device.
  4. Guest OS didn’t see the USB device connected.
  5. Removed device via VM settings, then disconnected from host.
  6. Connected USB 3.0 Stick into host, added to VM via VM settings.
  7. Device was seen on Guest VM, and performance was equal to that of the sticks specs. (18~20  MB/s write, 100+MB/s Read)

I wasn’t sure why the USB 2.0 Device didn’t show up, so I simply removed the xHCI USB controller, and instead installed the EHCI +UHCI. Re-Connected the USB 2.0 devices and added it to the VM, this time the device did show up. I can’t remember the exact performance counters. I’ll update this post when I do some better analysis. My plan is to script some I/O tests using diskspd and PowerShell. Stay tuned. 😀

I’m also going to see if I can connect the same USB device via hardware pass-through instead of utilizing the USB controllers and Devices VM settings options.  I’ve manly done this with RDM’s and storage controllers with storage type VM’s (FreeNas mostly).

As for the main point of this post… I figured the main link I posted and this one here as well form the VMware forms that I’d be able to get a way to make the xCHI controller work on the Windows 7 VM guest.  The answer is basically grab the Intel xCHI drivers for Windows 7/2008R2 from Intel and install it manually, not via the setup.exe.

To my dismay I couldn’t get it to work, the wizard simply couldn’t locate the device (since the hardware IDs didn’t match) and installing the otherwise the device wouldn’t start.

I even decided to try and use double driver (extracts drivers) against a newer guest OS. This also failed. I simply couldn’t get it to work.

Lame mans V2V

This one will be short n sweet.
V2V a VMDK to a VHDX

Get this.

DO this:

Import-Module ‘C:\Program Files\Microsoft Virtual Machine Converter\MvmcCmdlet.psd1’

ConvertTo-MvmcVirtualHardDisk -SourceLiteralPath (Drive):\VM-disk1.vmdk -VhdType DynamicHardDisk -VhdFormat vhdx -destination (Drive):\vm-disk1

Don’t Squat on my Name

I found this interesting, I was checking out my DNS server to make some new static host records for my newly networked Test environment/sandbox. To my surprise I found these weird new records DHCID (Dynamic Host Configuration Identifier) I wasn’t sure what was up with these but I did notice them paired along with an A host record (same name, different value). A quick google search revealed this nice old MS gem.

While it states “Name squatting occurs when a non-Windows-based computer registers in Domain Name System (DNS) with a name that is already registered to a Windows-based computer.” and even Susie Long pretty much states the same thing from this TechNet Post.

What I found in my case was it was created for only a couple users and it was from their iPhones after I had renewed them with new iPhones and updated their phones by using iTunes to make a backup and copy their contents to their new phones. I’m assuming cause the same name already existed in DNS from the old phones DHCP request, and the new phone had the same device name after the restore. In my case I knew they weren’t important records since noone would ever need to access their phones via DNS name, lol. So I simply deleted them. We’ll see if they come back.

I already knew all about DHCP and DNS scavenging but this was a new one for me. 😀

Clearing the DNS cache

This one will be nice and short. I was working on a DNZ zone migration, from one domain to another. Since the zone wasn’t the parent zone of the AD domain it was in I had two options.
One make the new domain authorative for the zone, once trust is established they would take over for the zone.
Or in this case since there were only a few records and the new AD domain was already created with the same domain anem as the zone I was attempting to migrate, I figured I’d simply recreate the records manually.
Basically setup your conditional forwarders to the new domain DC’s which will be authorative for the new zone. Generally allow UDP (TCP as well if you want to be extra safe) on port 53 through the firewall, and records should resolve just fine.
In this case you’ll clearly notice that resolving the record for the transferred zone from the orginal domain now replies with non-authorative answer.
This is to be expected as the domain’s DC that you are associated with (and generally your DNS settings configured to via DHCP of course) are no longer controlling the zone (adding/removing/editing records).
Again as to be expecting these are now managed via the new domain which teh zone was transferred to.

So low and behold I messed u one of the records IP addresses. So sure it’s super fast to adjust and force replication, however replication would be domain/forest wide. Which even though I did on both domains i found my previous DC’s would update the non-authorative answer.
I tripple checked all systems in teh new domain could get the proper reply from the DC/DNS servers. So what gives why were the old DC’s DNS servers replying with the old IP address, when the conditional forwarders were setup to query the proper DNS servers and they were 100% holding the correct IP address?
The answer? Cache? yup the lovely blessing and nightmare that is cache. so what does any regular workstation admin try… yeah you guessed it “ipconfig /flushdns” (cmon were talking AD here which is Microsoft specific AFAIK). Do a query from your old domain DC’s and yet the record is still the old IP adress?!?!
What gives? Well… in this case ipconfig /flushdns is only used for clients. You maybe wondering isn’t the old DC a client in this case? Yes/No It’s still a DNS server, and it still needs to answer queries it recieves, the command provided would help if simply doing a query (yes we are doing a query but for a record it needs to hold a record for to reply with).
Just to stop beating around the bush, as a DNS server it needs to clear its own cache, the records to retains to provide to requesting clients. this is a different command. in this case it’s dnscmd /clearcache.
That’s it, do another lookup and find your old DC DNS servers showing a non-authorative answer of the new IP address. Of course you could have also simply waited for cache to clear and replication to occur naturally… but ain’t no body got time for that!

 1) To Clear Dns from a client system (Windows): ipconfig /flushdns
 2) To clear non-authoritative DNS servers cache:	 dnscmd /clearcache

Arrays Gone Astray

I love powershell, and as one figures you’ll have to deal with arrays. and when you learn them, they become a handy tool for any dev/scripters toolkit.
This guy covers it well. in short do this

PS C:\Scripts> $Fruit = @("Apple","Banna","Orange")
PS C:\Scripts> $Fruit.Add("Kiwi")
Exception calling "Add" with "1" argument(s): "Collection was of a fixed size."
At line:1 char:1
+ $Fruit.Add("Kiwi")
+ ~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [], MethodInvocationException
    + FullyQualifiedErrorId : NotSupportedException

PS C:\Scripts> $Fruit = $Fruit + "Kiwi"
PS C:\Scripts> $Fruit
Apple
Banna
Orange
Kiwi
PS C:\Scripts> $Fruit.GetType()

IsPublic IsSerial Name                                     BaseType
-------- -------- ----                                     --------
True     True     Object[]                                 System.Array


PS C:\Scripts> $Fruit = $Fruit - "Kiwi"
Method invocation failed because [System.Object[]] does not contain a method named 'op_Subtraction'.
At line:1 char:1
+ $Fruit = $Fruit - "Kiwi"
+ ~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (op_Subtraction:String) [], RuntimeException
    + FullyQualifiedErrorId : MethodNotFound
PS C:\Scripts> $Fruit = $Fruit -ne "Kiwi"
PS C:\Scripts> $Fruit
Apple
Banna
Orange
PS C:\Scripts> $FruitIsFixedSize
PS C:\Scripts> $Fruit.IsFixedSize
True

Center Write-Host Output

Write-Host

It’s great and it’s main purposes is to well write to the host. Nothing more. So often people abuse it and leaving people to rant about it.
E.G. This guy and the “Gurus”
I agree with both of them in terms of displaying data, hands down. However, when it comes to simple informing the admin/user of the script the “it displays and gets rid of that info” is efficient, and interactive (colors).

With that out of the way. I am working on a script to clear web parts from a sharepoint page via powershell.
I always like clean code an usually my scripts are interactive, for other non-interactive scripts I’d stick with Write-Output as described by the scripting guys.
However since I like to display things colorfully and neatly Write-Host is perfect!

The Problem

Turns out there’s no easy way to get-write host to center it’s output, no mater how hard I googled. This reply from James Bernie however kicked off the idea it was possible.
There were actually a decent amount of issues with his propsed idea, when implemented. First we’ll want a static variable of the window size at start of script.
Then it turns out Bernies fancy full integer trick may return whole numbers, but does so as a dang string type. Instead of wasting time dicking around with another method, i simply did this trick of dividing by 1 on the variable.
The final problem with his concept which was driving me nuts for a good while was due to the fact of how padding method actually works.
PadLeft adds spaces to the left of a string.
This is handy for numeric out-put because padding keeps the numbers properlly aligned on the right.
This was exactly the problem I was facing, testing my existing function with a series of dots of different lengths, I found them all to be right aligned, and not centered.
Another issue I found was that the pipe into measure method under an expression based section of code and calling its sub routine of count ($var | measure).count wasn’t returning the correct value.
That line was pretty stupid anyway when you can simply call any variable thats of a string type length method.
And the final nail in the logical coffin, the padding was again aligning more right of center than actual center due to the fact that’s what it was comparing to first in the convert.
So it made more sense to take ((Wdith of screen) – String.Length)/2 + String.Length, this associated with a left and right padding, creates a centered master piece!!
Finally!!Here’s the final thing I had to overcome. My function I wanted to support Write-Host outputs color param.
As it turns out, overloading functions isn’t supported in powershell, but that didn’t stop someone from comming up with a work around!
This guy and his buzz works… Woo Ad-hoc Polymorphism!!! OK OK… here’s my final piece of code for you guys. NOTE I didn’t do fully ad hoc polythingy I cheated and only supprted foreground color via an if else.
If you *burp* want to make it support background and foreground… Uhhhhh.. do it yourself… getting to wasted right now…

#Function to Centralize Write-Host Output, Just take string variable parameter and pads it
#Nerd Level over 9000!!! Ad-hoc Polymorphic power time!!
$pswwidth = (get-host).UI.RawUI.MaxWindowSize.Width
function Centralize()
{
  param(
  [Parameter(Position=0,Mandatory=$true)]
  [string]$S,
  [Parameter(Position=1,Mandatory=$false,ParameterSetName="color")]
  [string]$C
  )
    $sLength = $S.Length
    $padamt =  "{0:N0}" -f (($pswwidth-$sLength)/2)
    $PadNum = $padamt/1 + $sLength #the divide by one is a quick dirty trick to covert string to int
    $CS = $S.PadLeft($PadNum," ").PadRight($PadNum," ") #Pad that shit
    if ($C) #if variable for color exists run below
    {    
        Write-Host $CS -ForegroundColor $C #write that shit to host with color
    }
    else #need this to prevent output twice if color is provided
    {
        $CS #write that shit without color
    }
}

*Update* This code is being managed on GitHub, please download or fork the latest version from there, maybe one day I’ll implement background color.. :S