Luke Puplett's questions

I'm running Ubuntu 18.04 on Windows Subsystem for Linux 2. I am making a curl request to a web service running on the Windows side using a self-signed certificate. I receive this error:

curl: (60) SSL certificate problem: unable to get local issuer certificate

I'd like to add the cert to the local store. I have a .pfx file available. I know I can use -k but I want to use other command line tools against this server.

How do I do this?

My own trials

openssl s_client -showcerts -servername server -connect server:443 > foo.pem
openssl x509 -in foo.pem -inform PEM -out foo.crt
sudo cp foo.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates

This looks plausible but didn't work, curl still has the same complaint.

I also tried to use a DER version.

sudo rm /usr/local/share/ca-certificates/windows_cert.crt
openssl x509 -in windows_cert.pem -inform PEM -out windows_cert_der.crt -outform DER
sudo cp windows_cert_der.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates

Give up

Don't worry, I started following some of the replies here.

https://askubuntu.com/questions/73287/how-do-i-install-a-root-certificate

But got nowhere, its obviously a very hard problem in the world of computing.

I've found that a few months back they added a switch to the command line tool I need to use that ignores certificate problems.

I am running a console app in Windows 10 which has a self-hosted HTTPS server listening on port 44340. It's an ASP.NET Core website (Kestrel) and its perfectly browsable on the Windows side.

I cannot reach this port from within a Windows Subsystem for Linux 2 (WSL2) console running Ubuntu 18.04, testing with curl.

I've tried adding a Windows Firewall rule for that port but it doesn't seem to work.

I've tried via localhost, as well as the two IPs I can see for my machine. One is the real NIC using DHCP and the other is a vEthernet adapter for WSL with a 172.31 address.

I'm authoring some PowerShell on a laptop in a coffee shop and I don't have a server to hand, and I need to know the Windows Feature names for use with DSC and Install-WindowsFeature.

Does anyone have a list?

Taking a new Windows Server 2012 installation, I need to get it fit for hosting and automation.

That means getting it ready for remote PowerShell and DSC, which means installing the latest version of the Windows Management Framework, and then configuring WinRM for HTTPS and Basic Authentication.

I've not really 'engineered' Windows since 2008, but it seems that solving this egg-chicken problem requires a mouse and a browser.

And yet a couple of non-GUI footprints of Windows Server exist today, so what's the quick solution to getting these basics setup (at a command line) so that I can move on to automating the more advanced configuration of the host?

It kinda strikes me that there should be a single CmdLet in-the-box to get this fundamental stuff up and going.

Is there?

On Windows 10, using PowerShell 5.0.10586.494 the New-ModuleManifest cmdlet just returns after prompting for the file path. This goes against the documentation.

How to Write a Module Manifest

https://msdn.microsoft.com/en-us/library/dd878297(v=vs.85).aspx

UAC can be set to never notify, but that's not the same as not having UAC at all.

What I mean is, does the OS still create a dual token for admin users but just auto-elevate everything?

The difference is important since various file-system ops will still behave differently to say, Windows NT 4.0.

For example, when Explorer sees a folder with only Administrators:Full-Control it often prompts that you don't have access and elevates, then auto-adds your user into the ACL.

That's what I seem to observe, and I really don't like it. By setting UAC to not prompt, I assume this elevate-and-modify-ACL will just happen, but its still screwing with my ACLs.

In general, since UAC, I seem to spend so much time not having rights to things and messing around with ACLs whereas in the NT 4.0 days, life was simple, the ACL was the truth.

I "get" UAC for my mother-in-law, but on a server, where experts roam?!

We have a Forefront TMG proxy at work. When I configure some command line tools with the proxy address, I often include my credentials using username:password@proxy-address but it never works.

I suspect that this only works for Basic Authentication but the TMG proxy doesn't have this setup, I have seen the headers in the challenge response.

Does TMG support Basic Auth and will it use AD credentials or will it use some kind of internal list of users?

Is it possible to run a Windows-based enterprise and have people authenticate with the proxy server using AD credentials without ever having to type credentials in?

This also includes using PowerShell or command-line tools. i.e. all internet traffic is authenticated automatically, or at least can be traced back to a person.

If so, how? What are the high-level systems and steps?

I'm a programmer and in any sizable company, proxy auth has been a nightmare for the team, expensive friction, sometimes a complete barrier to "cooler" start-up technologies.

As of 2015, are there any simple CmdLets, either in an MS module or a community project, for managing roles and permissions and ACLs, as easy to use as the old DOS commands, e.g. net localgroup?

I don't mean to ask the same thing over and over, answered in myriad ways all across the web, but I'm a programmer and former IT pro for large enterprise estates, I have written many CmdLets in C# for all kinds of stuff.

I've always thought that the 'UX' for many of the simplest automation tasks has been overly arduous, needing every IT shop to churn out the same helper scripts, and wondered if it had been solved yet.

An example is this:

http://blogs.technet.com/b/heyscriptingguy/archive/2014/10/02/use-powershell-to-create-local-groups.aspx

# CreateLocalGroup.ps1

$cn = [ADSI]"WinNT://edlt"
$group = $cn.Create("Group","mygroup")
$group.setinfo()
$group.description = "Test group"
$group.SetInfo()

Which isn't hard, per se, but considering that this has got to be a top 10 use-case for PS, I'm amazed there isn't a simple CmdLet for it - only one of my programmer colleagues at this gig knew what ADSI is, sort of.

I can get and set proxy settings for a WebClient object and make outbound calls.

I can also supply -Proxy and -ProxyCredential to individual CmdLets, but how can I just set a global default so CmdLets don't need the extra arguments?

Thanks

Luke

I have an Azure VM with a data disk attached and mounted in a folder in c:\ - the VM is bricked after uninstalling .NET 4.5 (don't do that on 2012 R2).

I have created a new VM. Now how do I detach my data disk and reattach it to the new VM?

The detach disk option for the VM only lists its primary C: system disk.

I copied a small database from one SQL Server 2008 R2 Express (physical) server to another of the same version, but I cannot re-attach. It attaches but the DB is greyed and read-only. It was writable in its former location.

Imagine a website that shows the value of a remote registry key, live, such as the version of the anti-virus definitions on a remote PC. To be clear, there are 3 computers involved, the web server acting as a go-between.

The website uses Windows Authentication, so from a browser on Windows, your AD credentials are passed through and IIS authenticates the user (in ASP.NET, the user token is attached and can programmatically checked).

We're running on IIS 7.5 with kernel-mode authentication, does an SPN need setting-up in AD to allow the Kerberos part of the Windows Authentication to happen??

The site runs under an Application Pool under AD account DOMAIN\AV1, this account is a member of a group that has rights to the computers on the LAN.

The code in the site does not perform impersonation, for it doesn't want to assume the ID of the site user (who doesn't have remote reg rights), so it simply makes a remote registry call.

Does the web server machine account or the DOMAIN\AV1 account need an SPN to negotiate and perform Kerberos auth to the remote computers??

Simple question: Can I avoid using NETSH in Windows Server 2008 R2 and instead use PowerShell CmdLets to manipulate things like HTTP?

If so, what are some CmdLets to get me started and are they part of some extra module?

I'm so confused.

Consider the following:

• Active Directory environment with a domain called DOM
• An IIS 7 box with a NetBIOS name VS1
• A DNS record providing an alias for VS1 as pineapple.london.uk.corp
• An Application Pool running as DOM\PineappleService
• Windows Authentication enabled.
• Clients use HttpWebRequest to call the XML/JSON ASP.NET services on the box.

The service calls out to workstations on the network to gather information. This works in development where I use IIS Express which runs as me, since IISX is just an .exe

In production, services work fine, authentication works, but invoking functions that cause the service (running as PineappleService) to access stuff on the network, fails.

I suspect an SPN registration issue but I don't know what SPNs to setup.

Most recently, I've stumbled across this article which seems to say fly in the face of some other articles:

http://blogs.msdn.com/b/webtopics/archive/2009/01/19/service-principal-name-spn-checklist-for-kerberos-authentication-with-iis-7-0.aspx

Note that it says

The SPN requirements remain the same as above. You don't have to add SPNs like http/ for the Domain1\Username1 unlike in IIS 6.0 (where we had to add an SPN of the form http/ for the Application Pool identity).

So I don't know what's right anymore. I don't know if I need to register HTTP SPNs or HOST SPNs or use the DNS alias or the NetBIOS name, and set them on the PineappleService account or on the VS1 computer account.

I can't tell if when I try things that there's a slow AD replication issue that means I must wait an hour between trial and error.

It's all so complicated now. I've worked as a sysop and dev for 15 years and I sense the end of domains and workstations and rights and policies. It's all gotten too much.

Thanks for your help.

Luke

There doesn't seem to be a single reference document where I can look up what attributes are each object class, such as group, user, person etc.

Does anyone know of one??

(would like to avoid ADSIEDIT)

I'm trying to very simply run an executable and pass a file path in as the first argument. In DOS, this would be the command:

import.exe "C:\Some Path\With\Spaces.txt"

By placing the path in quotes, the path is correctly parsed as the first token into the executable.

In PowerShell I'm using this:

$feeds = dir 'T:\Documents\Company\Product Development\Data
foreach ($feed in $feeds) { start -FilePath import.exe -ArgumentList $feed.FullName }

The problem with the Start-Process cmdlet in PowerShell is that it uses a string array for arguments, so the path is broken up and sent to the executable as separate tokens, or effectively as a string without those important quotes.

Adding quotes to my PowerShell command line force "$feed.FullName" to be treated literally.

And double quotes "" make PowerShell not see anything in the argument list. "The argument is null or empty." it tells me.

I expect that this is a known headache and has had a known workaround from day one.

Thanks

Luke

UPDATES AND RESPONSES

foreach ($feed in $feeds) { Invoke-Expression "start import.exe `"$feed.FullName`"" }

Note: I'm using Start since despite setting my location to the folder in which import.exe resides, PowerShell seems to have been written to look for executables in the file-system current location.

The variable gets interpreted with the .FullName as a literal string!:

filename.txt.FullName

This one:

foreach ($feed in $feeds) { Invoke-Expression "C:\Users\Public\Documents\~Main\Data.Importer\Data.Importer\bin\Release\import.exe ($feed.FullName)" }

Results in:

Invoke-Expression : Unexpected token '_data.txt.FullName' in expression or statement.

Interestingly, on its own, this works:

C:\Users\Public\Documents\~Main\Data.Importer\Data.Importer\bin\Release\import.exe $feed.FullName

But this:

foreach ($feed in $feeds) { Invoke-Expression C:\Users\Public\Documents\~Main\Vuplan\Evoq.Vuplan.Data.Epg.Importer\Evoq.Vuplan.Data.Epg.Importer\bin\Release\import.exe $feed.FullName }

Results in this:

Invoke-Expression : A positional parameter cannot be found that accepts argument 'T:\Documents\Company\Product Development\Data\3112_data.txt'.

I have an odd thing occuring here. From a Windows 7 netbook, I cannot ping an HP printer on the network, while all other machines (Win7/Vista) can. And the netbook can also ping everything else on the LAN.

Example showing that the netbook can ping 192.168.3.4 but not 3.6.

C:\Users\backdoor>ping w7ue1m

Pinging w7ue1m.corp.biz.co.uk [192.168.3.4] with 32 bytes of data:
Reply from 192.168.3.4: bytes=32 time=7ms TTL=128
Reply from 192.168.3.4: bytes=32 time=4ms TTL=128
Reply from 192.168.3.4: bytes=32 time=2ms TTL=128
Reply from 192.168.3.4: bytes=32 time=2ms TTL=128

Ping statistics for 192.168.3.4:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 2ms, Maximum = 7ms, Average = 3ms

C:\Users\backdoor>ping uktnprint1

Pinging uktnprint1.corp.biz.co.uk [192.168.3.6] with 32 bytes of data:
Reply from 192.168.3.0: Destination host unreachable.
Reply from 192.168.3.0: Destination host unreachable.
Reply from 192.168.3.0: Destination host unreachable.
Reply from 192.168.3.0: Destination host unreachable.

Ping statistics for 192.168.3.6:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),`enter code here`

The IPCONFIG result for the netbook is fine.

   IPv4 Address. . . . . . . . . . . : 192.168.3.0
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : 192.168.1.1

Most unusual network thing I've seen in years. I must reiterate that only this netbook is having trouble pinging/printing.

Thanks, Luke

** UPDATE **

Am now on a Vista box, and here's the IPCONFIG:

   IPv4 Address. . . . . . . . . . . : 192.168.3.3
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : 192.168.1.1


Pinging uktnprint1.corp.biz.co.uk [192.168.3.6] with 32 bytes of data:
Reply from 192.168.3.6: bytes=32 time=2ms TTL=60

Firewall is off. I'll look into the chance of an IP conflict because it's the only thing I can think of - compare arp caches of each machine.

Cheers!

since configuring a Windows Web Server 2008 R2 x64 to be hardened for an internet-facing deployment I receive this:

"Device Manager is running in read-only mode because you are running it on a remote computer."

when entering Device Manager.

I have tried reversing the changes I have made, such as:

• Re-adding Client for Microsoft Networks
• Re-enabling NetBIOS over TCP-IP
• Re-adding File and Printer Sharing
• Disabling the Windows Firewall in all profiles (public, domain, private)

I get no joy. It looks like a Microsoft ballsup. I'll try and use Process Monitor to have a look. Google returns only 1 page for this error.

Luke

I am trying to install Windows Web Server 2008 x64 (have tried 32-bit, too) onto an IBM eServer 326m and am getting the following error message some time after the unpacking files section:

Windows could not update the computer's boot configuration. Installation cannot proceed.

I can repair the boot information using the Repair option in the WinPE bit of the setup, and it reboots into the Windows installation, so it has good boot data on the drive.

Just to complicate things, the server does not have a DVD-ROM so I'm installing from HDD to HDD, both SATA, one an SSD. I've tried each drive in isolation, e.g. removing the SSD and installing from spindle onto itself, same error every time.

Flashed IBM BIOS, too.

Thanks for your help.

Luke

*UPDATE 1

Windows setup, when run right from booting the WinPE bit gives:

Required cd/dvd drive device driver is missing.

And will not continue. I thought this was a quirk of running setup from the disk so I've previously exited and gone into the command shell and ran setup from the \Sources folder on the media (copied to the HDD) and not the \Sources in the RAM disk.

This works, but gives the original problem above. I'm thinking that the two issues are related. Two different articles on Technet point to the UpperFilter registry entry but for both errors.

There's clearly a driver missing. Even though setup can see and use my drives, it doesn't like something. Being an IBM server, the software for it is typical IBM garbage.

I can't understand how putting a PC in a long thin case makes them suddenly need 100 BIOS updates and 50 bespoke drivers. No wonder Google use desktop PCs as servers.

*UPDATE 2

Windows 2003 Server (64) has gone on fine with just the single SSD online. When I connect the other SATA drive (stock IBM part), the POST boot just halts at the point where it should hand off to the boot sectors; just a flashing cursor, top left.

My current focus is now on SATA drivers for the the machine - says its a ServerWorks, Broadcom controller but cannot find a driver anywhere.

*UPDATE 3

I finally figured out the right Update Xpress CD to run (4.05 CD1) in Windows and boot from DOS (I chose to upgrade the ISMP (whatever that is), which defaulted to 'don't update' for some reason), and now I can attach the other HDD. Hope this good behaviour sticks.

Even though the LSI Logic SCSI adapter was disabled the last time I looked, it does show in Windows and now with the right driver, I think. No more yellow ! bad devices.

Painful work but I Will try upgrading to 2008 Server soon.