Duo Two Factor Authentication -Microsoft Routing and Remote Access (RRAS) Server.

Setting up Duo Two Factor Authentication with Microsoft Routing and Remote Access (RRAS) Server:

We installed the Duo Proxy on a separate server than the Microsoft RRAS server. We couldn’t get it to work on the same server. When we ran it on the same server, we were getting errors like the following:

“The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile. Please contact the Administrator of the RAS server and notify them of this error.”

RRAS Server is Windows Server 2012 R2.  In our case RRAS happened to be a Domain Controller (doesn’t have to be – but made things easier).

RRAS was already configured and working for VPN client.  People were VPN/PPTP to it but we wanted to implement Duo two factor authentication to add another layer of security to VPN.

Clients were remoting into the RRAS server using Microsoft PPTP client that is built into Windows machine (could be working using SSTP or L2TP).

By the way we didn’t have to do anything with Windows Network Policy Server NPS. NPS had no role in this kind of setup.

On the Duo portal we chose to protect Microsoft RRAS server. You could find it in the list of Application to protect.

The Duo proxy final config file authproxy.cfg looked like the following:

——————-

[ad_client]
host=10.10.10.10   (This is the IP address of the Domain Controller not the RRAS server – But happened to be the RRAS server in our case)
service_account_username=DuoUser  (Created this user in the domain for Duo to use)
service_account_password=Password123  (Password for the DuoUser)
search_dn=DC=LocalDomain,DC=com  (Our local Windows domain was called LocalDomain.com)
security_group_dn=CN=DuoVPNUsers,OU=Company,DC= LocalDomain,DC=com (Created a Windows Security Group in AD called DuoVPNUsers and stored it inside an OU called Company – We created the OU and called it that name “Company”. VPN’d users Windows accounts need to be added to this security group. We placed DuoVPNUsers group and DuoUser inside the Company OU – We intend to be placing VPN users inside that OU).

[radius_client]
host=10.10.10.10  (This is the RRAS server IP)
secret=PickASecretPasswordHere  (This is kind of a password that will be used between the RRAS and the Duo Proxy. Make something up.  Use complex passwords for security)

[radius_server_auto]
ikey=xxxxxxxxxxxxxx (This is obtained from the Duo Portal)
skey=yyyyyyyyyyyyyyy (This is obtained from the Duo Portal)
api_host=zzzzzzz.duosecurity.com (This is also obtained from the Duo portal)
radius_ip_1=10.10.10.10 (This is the IP address of RRAS Server)
radius_secret_1= PickASecretPasswordHere  (matches the one above)
client=ad_client
port=1812
pass_through_all=true
allow_concat=true

——————

Open Routing and Remote Access on the RRAS server. Right-click on the Server and choose Properties. Go to the 2nd tab that is called Security, and under Authentication Provider choose Radius Authentication (change it from Windows Authentication). Click Configure. Click Add
Server name would be the IP address of the server where the duo proxy software is installed. In our case it was 10.10.10.40.
Time out change to 60 secs so you would have enough time to respond to the Duo pushed messages.
Shared Secret is the secret/password that you used in the authproxy.cfg file.  Must match.
Port 1812 – this is the default and should match the one in authproxy.cfg under [radius_server_auto] section. Click OK to add it.

Also under the Security tab click on Authentication Method. Make sure “Unencrypted password (PAP)” is checked off.  This should match the one you have in the property of the VPN connection on the client Windows machine (the machines that you and your clients use to VPN in), under Security, PAP is also checked off for authentication under “Allow these protocols” Make sure Microsoft CHAP Version 2 (MS-CHAP v2) is Unchecked off. Checking off Challenge Handshake Authentication Protocol CHAP (not v2) seemed to work too.

If you find this article helpful, please click to like our Facebook page below so we can keep on adding quality hands-on articles.

 

Scan to network share SMB not working – Windows Updates

After applying one of Jan 2018 Windows updates to windows servers 2012 and could be 2008, scanning to network shares SMB fails from Network printers/copiers, the scan user gets locked out at times.

We’ve had issues with different kind of copiers like Canon iR3035, imageRUNNER 6275 and image RUNNER advance iR-ADV4235.

One full week of troubleshooting the culprit was Windows update KB4056896 that came  out in Jan 2018 and added mores security to SMB.

Solution:

Uninstall Update.

Exchange server Mailboxes size report 2010 2013 2016

Exchange Server Mailboxes size report 2010 2013 2016

 

Create a C:\Temp1 directory.

Obtain Mailbox Database name from the Microsoft Exchange Console that would look like “Mailbox Database XXXXXXXXXXX”

Using Exchange PowerShell (Run as Admin) , type the following:

Get-MailboxStatistics -Database   “Mailbox Database XXXXXXXXXXX”  | Select DisplayName, ItemCount, TotalItemSize | Sort-Object TotalItemSize -Descending | Export-CSV C:\temp1\mailBox-Size.csv

 

That will generate a csv report saved in C:\Temp1.

If you find this article helpful, please click to like our facebook page below so we can keep on adding quality hands-on articles.

Exchange 2013 Cumulative Update CU 18 Fails – Certificate

When trying to install Exchange 2013 Cumulative Update 18 or others, update terminates with the following error:

—————
The following error was generated when “$error.Clear();
Install-ExchangeCertificate -services IIS -DomainController $RoleDomainController
if ($RoleIsDatacenter -ne $true -And $RoleIsPartnerHosted -ne $true)
{
Install-AuthCertificate -DomainController $RoleDomainController
}
” was run: “System.Security.Cryptography.CryptographicException: The certificate is expired.
at Microsoft.Exchange.Configuration.Tasks.Task.ThrowError(Exception exception, ErrorCategory errorCategory, Object target, String helpUrl)
at Microsoft.Exchange.Management.SystemConfigurationTasks.InstallExchangeCertificate.InternalProcessRecord()
at Microsoft.Exchange.Configuration.Tasks.Task.<ProcessRecord>b__b()
at Microsoft.Exchange.Configuration.Tasks.Task.InvokeRetryableFunc(String funcName, Action func, Boolean terminatePipelineIfFailed)”.

———————

This occurs when you have an expired SSL Certificate.

Open Manage Computer Certificates (you can search for it), under Personal and under Trusted Root Certification Authorities, look for any certificate that you might have installed in the past and that has expired.  You can sort by expiration date to easily find it.  Delete that certificate.

Go back and try to install the Cumulative Update again and I will restart from the stage at which it terminated.

After done and when you open the exchange Admin Center, it might open a blank page, go to IIS and make sure the frontend and backend sites are bound to an SSL certificate

 

How to Allow Windows Remote Desktop remotely through command line

How to modify firewall rules remotely command line Windows 7
How to allow Remote Desktop remotely through command line

Download psexec
https://docs.microsoft.com/en-us/sysinternals/downloads/psexec

Extract to al temp place.

Make sure you are able to access remote computer NetBIOS name i.e \\RemoteComputerName without getting an error message

On your local computer, from command line and from the the temp directory that has psexec, type

psexec \\RemoteComputerName netsh advfirewall firewall set rule group=”remote desktop” new enable=Yes

For Windows 10

psexec \\RemoteComputerName netsh firewall set service type = remotedesktop mode = enable

 

Windows update will not download – stuck at 0% downloading

Windows Server 2008/2012 R2 Virtual Machine VM – Hyper-v

Windows update will not download – stuck at 0% downloading.  Every time I start windows update it won’t download the updates.  Download bar keeps on running and moving but nothing downloads and the percentage stays at 0%.

Ran into this issue several times.

Go to the Ethernet Properties inside the VM having the issues, Click on Configure (You can get to that from Device Manager as well), Under Advanced, disable:

Large Send Offload V2 (IPv4).

Run Windows updates again.

If that doesn’t work restart the Windows VM.

No need to make any changes to the Hyper-v Host.

 

Boot/Start Windows to Safe Mode from Command Line – Windows Server 2012 R2

 

How to force Windows server 2012 R2 to boot/restart/start into Safe Mode after restart:

Go to Command Line, and type:

bcdedit /set {default} safeboot minimal

Reboot Windows and it will start in Safe Mode

 

To change Windows to boot normal from command line while in safe mode.

Go to Command Line, and type:

bcdedit /deletevalue safeboot

Reboot Windows and it will come up in Normal mode

Cisco WAP 551 561 SSID disappearing – Stop Broadcasting

Cisco Wireless Access Points WAP551 and 561 stop broadcasting SSID intermittently, sometimes every day or two.
WAP551 is a Cisco Wireless-N Single Radio Selectable-Band Access Point

Had to troubleshoot this issue for a customer.

We noticed this happening more when WAP radio is configured in 5GHz mode
Issue was caused by a new wireless feature called MFP
Login to the Access Point, go to Wireless section –> Networks. Choose the SSID that is disappearing and Edit. Show Details.
Under MFP make sure “Not Required” is checked.

Make sure you have the latest firmware.

MFP might be available if you have “WAP versions” WPA-TKIP check.  Only Check WPA2-AES.

 

Error Connecting to the MKS: Error Connecting to the /bin/vmx process – Veeam, VMware

We had a VM on VMware ESX that kept locking up mysteriously once or twice a week.  The server would become inaccessible, we would have to shut it down to get it back and running.

Upon investigation, and while looking on the vCenter we noticed that error message.

“Error Connecting to the MKS: Error Connecting to the /bin/vmx process”

We were unable to login to the Windows VM to see what is happening inside.  The server was un-ping-able either.  We thought of corruption in the beginning.  But Veeam turned out to be the culprit.

We use Veeam backup and replication 8.0 in the environment.  We discovered a snapshot for that VM sitting on VMware.  Every time Veeam finished up the backup or replication  for that VM, it go through “snapshot consolidation” that would lock the server for about 15 minutes.  We removed that snapshot and the VM now is no longer locking up.

We didn’t check with Veeam on that.  We didn’t need that old snapshot either.  Removing the snapshot was all we needed to rectify the issue.

OneDrive issues users 90 day notice

Microsoft has given its users of there cloud storage service OneDrive, their 90-day notice. Microsoft is shrinking its free storage size from 15GB to 5GB in late July. That is a 67% reduction in storage size. The reduction will take effect on July 27,2016.

As part of the storage space cuts, Microsoft eliminated two paid plans that had offered 100GB for $2 per month and 200GB for $4 a month. Instead, it now offers only a 50GB Plan for only $2 a month.

If you are effected by the shrinking we recommend backing up all OneDrive data.