The Network Policy Server Service (NPS or IAS) Fails to Start on Windows SBS Server 2008 with an unspecified error (0x80004005)

vss registry keySo I was recently helping out a client clean up their Small Business Server environment, one thing they weren’t using was SharePoint, so we decided to remove it from their SBS 2008 server. The removal went smoothly, simply uninstalling SharePoint Services via Add/Remove control panel did the trick. But after a restart we found that clients were no longer connecting to their Wireless network, so I went did some troubleshooting and found that the NPS service hadn’t started since boot-up.

I then tried starting it up but got an error after trying to start the service with an unspecified error 0x80004005 which was very helpful. After some more digging around and Google-Fu I found that this had to do with permissions on a registry entry for VSS. The following key needed to be updated from the value 1 to 0.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\VssAccessControl

Make sure that the setting for NT AUTHORITY\NETWORK SERVICE is set to 1. If this is not and set to 0, change it to 1.  Once you have changed the value you can restart or terminate any IAShost.exe that are running via task manager and then start up the NPS service.

This issue has been documented by Microsoft to occur if you remove SharePoint from SBS Server 2008, so just a heads up if you do and rely on NPS for authentication for things like Remote Access or Wireless.

How to log into ASDM for a Cisco ASA when you get the Unable to launch device manager error

I like to keep my client’s devices up to date to prevent any issues from arising and have access to the devices latest features. Unfortunately not everyone is happy to pay that little extra to have an on-going support / maintenance agreement.  I was recently out at a customer who had an ASA 5505 which had been running for years but needed some new NAT translations added in.  So I fired up my laptop and loaded up ASDM Launcher, after typing in the credentials I got Unable to launch device manager on ASA-5505 error.  One thing I like to do when this happens is to check why, click on the Java icon in the login window and you will be prompted with the Java console, I saw the following;

javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: Java couldn't trust Server
    at sun.security.ssl.Alerts.getSSLException(Unknown Source)
    at sun.security.ssl.SSLSocketImpl.fatal(Unknown Source)
    at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
    at sun.security.ssl.Handshaker.fatalSE(Unknown Source)
    at sun.security.ssl.ClientHandshaker.serverCertificate(Unknown Source)
    at sun.security.ssl.ClientHandshaker.processMessage(Unknown Source)

java_securityThe main thing sticking out to me was Java couldn’t trust Server to fix this I needed to load up the Java control panel once open navigate to the Security tab > Edit Site List… > Add > Enter the URL of ASDM.  In my case that was https://192.168.1.254/ once I added that, click Ok and Apply and close out of your browser / ASDM Launcher.  Now if you try to log in again it should let you through into ASDM and allow you to make the changes you need.

Another method to resolve this error is to export the certificate of the device to your computer (use firefox and navigate to the appliance web page and export the SSL certificate) then import it into Java using the control panel method above but hit Manage Certificates…

If you’re running a new version of ASDM, this doesn’t happen, also some say downgrading Java to 1.6 will remove the issue also.  Hope that helps someone out.

Backing up your EVA SAN (4400 or P63x0) Configuration with HP StorageWorks Storage System Scripting Utility (SSSU)

SSSUJust a short one today.  I was assisting in the change from a stand-alone Hyper-V environment to a clustered environment, the customer had an HP EVA P6300 SAN which was going to be used for the Clustered Shared Volumes.  As a precaution before beginning work on the EVA, I loaded up SSSU which was installed on one of their servers and took a backup of their current configuration of the EVA.  The backup file would come in handy if something were to happen and can assist HP Support in restoring your array if something were to happen.

When you load up SSSU it will firstly ask you to login with a user and password with rights to the Storage Array, once in, we need to select a Storage System and then finally issue a configuration backup to the local workstation.

select system
capture configuration filename

Replace filename with something like c:\SAN_backup.txt the backup is a plaintext file telling the Storage Array how it has been configured with LUNs and Hosts.

Random password prompts with users running Windows Phone / Mobile Active Sync for Exchange through ISA 2006 or TMG Reverse Proxy

form options

So I recently came across an issue where some end users were getting prompted for their password when running a Windows Phone device (Android and Apple devices seem immune).  The client had recently had an Office 365 hybrid configuration completed and where using ISA / TMG as a reverse proxy to authenticate to their local infrastructure for external users. Their move to a hybrid deployment required some changes to the way they had TMG setup (adding another web listener and re-configuring some rules).

Judging from the password prompt, I quickly gathered that the issue was around a web listener, so opening up their one for Exchange, the listener used forms based authentication, so I went to the Forms tab and hit Advanced to see what options had been enabled or disabled.  I could see that Apply session timeout to non-browser clients was enabled. After disabling this option and applying the changes, ActiveSync clients stopped prompting users for their passwords and the sessions remained active even after the timeout value expired.

Hyper-V Virtual Machine stops responding to network traffic if VMQ (Virtual Machine Queues) are enabled on a 1GB physical NIC

vmqI recently took on a new customer who’s IT infrastructure was a mess.  They have good hardware but the setup they had was just awful (it was an internal guy who had great ideas but little skill).  They had Hyper-V running on a nice new Gen9 HP Server on Windows Server 2012 R2, which is a nice combination.  Once they were on boarded they let us know that the server kept on crashing (they had no idea their setup was virtualised or that they had more than one server…).    Virtual Machine Queuing or VMQ allows the “virtualization” of the network allowing for the NIC to create paths to each virtual NIC to offload the traffic.

After about a week, I got the call I was waiting for to tell me their server had stop responding, the virtual machine was still up but wasn’t responding to pings or allowing access to network resources (it was their SBS server).   So as a quick fix, I disabled and re-enabled the NIC on the server (as a best practice you should have a dedicated Management NIC to allow access to the host), this brought things back online.  After having a quick look at the Broadcom NIC it had VMQ enabled, I then set it to disabled and restarted the server out of hours.  Since then there hasn’t been any issues with the servers dropping off the network.

The issue hasn’t resurfaced since and is documented in the following Microsoft KB article https://support.microsoft.com/en-us/kb/2986895

It is interesting to note that the server had the latest drivers and firmware installed but was still having the issue, so I’d recommend leaving VMQ Disabled completely as the benefits aren’t that great (unless your high-traffic 10 Gbps).

Specify ClickView Server IP settings via the Registry using Group Policy with an ADMX Template

So I was recently going through our Group Policy and found that we were applying a reg file to specify the Server IP for our ClickView Players.  I don’t really like this approach anymore and tend to try and have everything nice and neat so I set about creating a ADM file to store the setting, I also wanted the ability to disable the School Bag feature for our Labs.

Whilst creating the file I relied on the Language Reference for Administrative Templates on MSDN.  I find it much quicker to build it in Notepad with old Syntax then to go around making an XML based ADMX file.

Once I was done, I then got my hands on Microsoft’s free ADMX Migrator (download here) and used it to convert my ADM file.  After a quick clean up, imported them into one of our Domain Controllers and I was then able to manage our ClickView Player a little easier and without having to rely on a reg file.

Download the ADM/ADMX files here 2.7 kB.

Hope that makes life easier for someone.

Use Microsoft Excel to split words into cells for easier data manipulation

excel_formulaA client was recently part of an expo and used the opportunity to collect subscribers for their mailing list. Unfortunately the data input method wasn’t designed with their back end database in mind which has a potential customer’s first name and last name separated into different fields.  Luckily the data was clean enough that we could use Excel to perform some manipulation and using formula’s pull words apart.

To do this, there are two formula’s that we need to use, one being LEFT and the other is MID.  In the example above, we have John Smith as the name, we use LEFT to get John and MID to get Smith into separate cells.  The two formulas you need are;

=LEFT(B2,(FIND(" ",B2,1)-1))
=MID(B2,FIND(" ",B2)+1,200)

Using these, simply change the cell location to where your data is (in our case B2). Once everything is split up, the spreadsheet can be exported out and imported into a database table located for example in MySQL.