Archive for category: Knowledge base

 

If you have to comply to recent PCI standards, a PCI scan on your Exchange server might reveal that it’s no longer compliant because TLS 1.0 is still enabled on it and you need to disable TLS 1.0 to pass test.  This applies to Exchange 2010, 2013 and 2016.  Not sure about 2007…

Tried the following on two implementations and had no issues.  Has been running fine for a while.

To pass PCI 3.1 test you need to disable TLS 1.0 on Windows server.  If you disable it, Outlook on Windows 7/8 machines will not work, it will show disconnected.  You might not be able to delete items, Auto-discover won’t work….This applies to Outlook on Windows server 2008, 2008 r2 and 2012.

In short this is what this article will have you do, you will have to disable TLS on the Windows server running exchange (done through registry setting – the tool below will do it for you), make sure your Windows 7/8 has a certain update installed, that came out in 2016 (obtained through Windows Updates) and it also applies to servers 2008 and 2012.  The update adds support for TLS 1.1 and 1.2 but doesn’t enable them automatically, and lastly make changes to the registry on those client machines to enable TLS 1.1 and 1.2.  Very straight forward as will explain below.

Windows 10 clients don’t need any updates or changes since TLS 1.1 and 1.2 is supported and enabled out of the box.

Here are the details:

Before you start:

1- Apply latest Windows updates to Windows server including Updates for Exchange server.  As of this article, Cumulative Update 20 (CU 20) for Exchange 2013 is available.  You don’t need to be at CU 20, but I usually cover all bases in case I overlook updates.

2- You should update Windows 7/8 machines and Server 2008, 2008 R2 and Server 2012 – Windows Updates.  There is an update that came out in 2016 that added support for TLS 1.1 and TLS 1.2 – chances are you do already have it unless you never updated Windows or never checked.

http://catalog.update.microsoft.com/v7/site/search.aspx?q=kb3140245

3- As always have a good back up of your server..

Action:

Disable TLS 1.0 on the Windows server running Exchange.  There is a tool called IISCrypt, download it.

https://www.nartac.com/Products/IISCrypto

Run it on the Exchange server.  Under Templates choose PCI 3.1.  Apply and reboot your Exchange.  Now Exchange has TLS 1.0 disabled and if you run the PCI 3.1 scan you should pass on TLS 1.0

BUT with disabling TLS 1.0 on that server, you won’t be able to remote/RDP into it from Windows 7/8 machines (You will however be able to do that from Windows 10 machines) Outlook on Windows 7/8 machine won’t connect.  To make it work do the following:

Copy the following text (marked in bold) into a notepad and save it as something like “EnableTLS1.1-1.2.reg“.

 

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
“DisabledByDefault”=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
“DisabledByDefault”=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
“DisabledByDefault”=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp]
“DefaultSecureProtocols”=dword:00000A00  

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp]
“DefaultSecureProtocols”=dword:00000A00  

 

Double click on this file on the Windows 7/8 machines and it should add all necessary registry keys to enable TLS 1.1 and 1.2.

Reboot Windows 7/8.  Outlook should work normally now.

You don’t need to do anything for Windows 10 machines.

You might have issues with older smart phones and Email.

Make sure you don’t have any third party applications that communicate with Exchange with TLS 1.0.  Look for applications updates.  Consult third party support.

 

After applying one of Jan 2018 Windows updates to windows servers 2012 and could be 2008, scanning to network shares SMB fails from Network printers/copiers, the scan user gets locked out at times.

We’ve had issues with different kind of copiers like Canon iR3035, imageRUNNER 6275 and image RUNNER advance iR-ADV4235.

One full week of troubleshooting the culprit was Windows update KB4056896 that came  out in Jan 2018 and added mores security to SMB.

Solution:

Uninstall Update.

When trying to install Exchange 2013 Cumulative Update 18 or others, update terminates with the following error:

—————
The following error was generated when “$error.Clear();
Install-ExchangeCertificate -services IIS -DomainController $RoleDomainController
if ($RoleIsDatacenter -ne $true -And $RoleIsPartnerHosted -ne $true)
{
Install-AuthCertificate -DomainController $RoleDomainController
}
” was run: “System.Security.Cryptography.CryptographicException: The certificate is expired.
at Microsoft.Exchange.Configuration.Tasks.Task.ThrowError(Exception exception, ErrorCategory errorCategory, Object target, String helpUrl)
at Microsoft.Exchange.Management.SystemConfigurationTasks.InstallExchangeCertificate.InternalProcessRecord()
at Microsoft.Exchange.Configuration.Tasks.Task.<ProcessRecord>b__b()
at Microsoft.Exchange.Configuration.Tasks.Task.InvokeRetryableFunc(String funcName, Action func, Boolean terminatePipelineIfFailed)”.

———————

This occurs when you have an expired SSL Certificate.

Open Manage Computer Certificates (you can search for it), under Personal and under Trusted Root Certification Authorities, look for any certificate that you might have installed in the past and that has expired.  You can sort by expiration date to easily find it.  Delete that certificate.

Go back and try to install the Cumulative Update again and I will restart from the stage at which it terminated.

After done and when you open the exchange Admin Center, it might open a blank page, go to IIS and make sure the frontend and backend sites are bound to an SSL certificate

 

Windows Server 2008/2012 R2 Virtual Machine VM – Hyper-v

Windows update will not download – stuck at 0% downloading.  Every time I start windows update it won’t download the updates.  Download bar keeps on running and moving but nothing downloads and the percentage stays at 0%.

Ran into this issue several times.

Go to the Ethernet Properties inside the VM having the issues, Click on Configure (You can get to that from Device Manager as well), Under Advanced, disable:

Large Send Offload V2 (IPv4).

Run Windows updates again.

If that doesn’t work restart the Windows VM.

No need to make any changes to the Hyper-v Host.

 

Cisco Wireless Access Points WAP551 and 561 stop broadcasting SSID intermittently, sometimes every day or two.
WAP551 is a Cisco Wireless-N Single Radio Selectable-Band Access Point

Had to troubleshoot this issue for a customer.

We noticed this happening more when WAP radio is configured in 5GHz mode
Issue was caused by a new wireless feature called MFP
Login to the Access Point, go to Wireless section –> Networks. Choose the SSID that is disappearing and Edit. Show Details.
Under MFP make sure “Not Required” is checked.

Make sure you have the latest firmware.

MFP might be available if you have “WAP versions” WPA-TKIP check.  Only Check WPA2-AES.