
Wednesday, October 18, 2017

Remove Expired Client Operations - SCCM Admin Console

POWERSHELL - Remove Expired Client Operations in SCCM Admin Console

1) Launch the Configuration Manager Admin Console
2) File -> Connect via Windows PowerShell

3) Copy and paste below code:

# Walk every client operation in the site and remove the ones flagged as expired.
Foreach($CMOperation in Get-CMClientOperation)
{
    If ($CMOperation.IsExpired -eq 1)
    {
        # -Force suppresses the per-operation confirmation prompt
        Remove-CMClientOperation -Id $CMOperation.ID -Force
    }
}


4) After script finishes running, verify Client Operations count = 0:

Get-CMClientOperation | measure

5) Confirm in Configuration Manager Console the Client Operations items = 0





**For a progress display (each operation ID is written to the console as it is removed), use this code instead:

Foreach($CMOperation in Get-CMClientOperation)
{
    If ($CMOperation.IsExpired -eq 1)
    {
        $CMOperation.ID
        Remove-CMClientOperation -Id $CMOperation.ID -Force
    }
}
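The same cleanup as the loops above, as an added example that is not part of the original post: it can be dry-run with -WhatIf before anything is deleted and returns a before/after count. It assumes the console's "Connect via Windows PowerShell" session, so the ConfigurationManager module is loaded and the current location is the site drive.

```powershell
# Added example, not from the original post. Run from the session opened by
# File -> Connect via Windows PowerShell (module loaded, location = site drive).
function Remove-ExpiredCMClientOperation {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    if (-not (Get-Module -Name ConfigurationManager)) {
        throw 'ConfigurationManager module not loaded; start from the console (File -> Connect via Windows PowerShell).'
    }

    $all     = @(Get-CMClientOperation)
    $expired = @($all | Where-Object { $_.IsExpired })
    $removed = 0

    foreach ($op in $expired) {
        # ShouldProcess honours -WhatIf / -Confirm; -Force skips the cmdlet's own prompt.
        if ($PSCmdlet.ShouldProcess("Client operation $($op.ID)", 'Remove-CMClientOperation')) {
            Remove-CMClientOperation -Id $op.ID -Force
            $removed++
        }
    }

    # Summary for step 4: Remaining should be 0 once the expired operations are gone.
    [pscustomobject]@{
        TotalBefore = $all.Count
        Expired     = $expired.Count
        Removed     = $removed
        Remaining   = @(Get-CMClientOperation).Count
    }
}

Remove-ExpiredCMClientOperation -WhatIf   # preview only; drop -WhatIf to remove
```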






Thursday, October 12, 2017

Cisco WLC Continually Prompts for Network Login Credentials

So the issue was that several network admins were no longer able to log in to our Cisco WLC with their network credentials.  One user was able to log in with their network credentials successfully.

Upon logging into the WLC using a local account, and after some research online, I verified we had the correct RADIUS server entered into the WLC's RADIUS configuration tab, and that it had the setting enabled for management.

I did notice entries in the logs that looked like this, right after an attempted and failed login by network account "austec" via network creds:

*emWeb: Oct 12 15:02:58.126: %EMWEB-3-LOGIN_FAILED: ews_auth.c:2175 Login failed for the user:austec. Service-Type is not present or it doesn't allow READ/WRITE permission..
*emWeb: Oct 12 15:02:58.126: %AAA-5-AAA_AUTH_NETWORK_USER: aaa.c:2752 Authentication failed for network user 'austec'


I also confirmed the Network Policy Server security events in Event Viewer on the RADIUS server actually showed the user login as successful.  However when trying to log into the WLC it still would continually prompt for username and password for most folks.

I researched the "Service Type is Not Present" error and the debugging/terminal monitor equivalent on the WLC in an SSH session, and came across a Cisco article called "Cisco Radius Server Authentication of Management Users on WLC Configuration Example" (see bottom of post for link) that described the issue and explained debugging in relation to it:

Troubleshoot

There are certain circumstances when a controller authenticates management users via the ACS, the authentication finishes successfully (access-accept), and you do not see any authorization error on the controller. But, the user is prompted again for authentication.
In such cases, you cannot interpret what is wrong and why the user cannot log into the WLC by just using the debug aaa events enable command. Instead, the controller displays another prompt for authentication.
One possible reason for this is that the ACS is not configured to transmit the Service-Type attribute for that particular user or group even though the username and password are correctly configured on the ACS.
The output of the debug aaa events enable command does not indicate that a user does not have the required attributes (for this example, the Service-Type attribute) even though an access-accept is sent back from the AAA server. This example debug aaa events enable command output shows an example.
 (Cisco Controller) >debug aaa events enable

During troubleshooting, I discovered I could still log into the new virtual Cisco WLC at one of our new remote sites.  I compared the RADIUS settings, and saw they were using different servers as the default/top server.

RDP'd into the two different RADIUS servers and followed these instructions to help me compare the settings:

  1. On the NPS server, in Server Manager, click Tools, and then click Network Policy Server. The NPS console opens.
  2. Double-click Policies, click Network Policies, and then in the details pane double-click the policy that you want to configure.
  3. In the policy Properties dialog box, click the Settings tab.
  4. In policy Properties, in Settings, in RADIUS Attributes, ensure that Standard is selected.
  5. In the details pane, in Attributes, the Service-Type attribute is configured with a default value of Framed.

I noticed that our Service-Type was set to "Administrative" on both boxes.  But what I did notice was that the conditions for the relevant Network Policy were different.  On the server to which the virtual WLC was authenticating successfully, the Policy conditions specified two different Active Directory user groups, using an "OR" condition.




On the server where authentications were breaking, one group was listed below the other as a separate condition, which I inferred meant the user had to be a member of both groups.

To test my theory, I added myself and another user who was unable to log into the WLC to the Telecomadmin security group in AD and waited a minute.  We then tried logging into the WLC and were both able to get in.  To confirm, I removed us from the group, and the logins broke again.

So to resolve the issue, I logged onto the RADIUS server with the implied "AND" network policy conditions.  In the NPS window, I went into the appropriate policy's properties, clicked the "Conditions" tab, edited the first entry (Domain\Network Admins Group) and added the Domain\Telecomadmin group.  It defaulted to an OR statement after Applying & OK.  Last, I removed the standalone Telecomadmin group entry.

We then tested logging into the WLC, and it worked.  So if you are having issues with this, make sure your RADIUS network policy conditions or groups didn't change.
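The symptom and the root cause above, as an added example that is not part of the original post: the first function flags WLC log lines carrying the "Service-Type is not present" failure, and the second reports, for each failing user, whether they would pass an OR condition (either group) or an AND condition (both groups). Group names are the ones mentioned in the post; the log lines and membership table are constructed samples, and the default lookup assumes the ActiveDirectory module.

```powershell
# Added example, not from the original post.
function Get-WlcServiceTypeFailure {
    param([Parameter(Mandatory)][string[]]$LogLine)
    # Matches the EMWEB login-failure line quoted in the post and captures the username.
    $pattern = '%EMWEB-3-LOGIN_FAILED:.*Login failed for the user:(?<user>[^\s.]+).*Service-Type is not present'
    foreach ($line in $LogLine) {
        if ($line -match $pattern) {
            [pscustomobject]@{ User = $Matches.user; Line = $line }
        }
    }
}

function Test-WlcAdminGroupMembership {
    param(
        [Parameter(Mandatory)][string[]]$User,
        [string[]]$RequiredGroup = @('Network Admins', 'Telecomadmin'),   # groups named in the post
        # Membership lookup; the default assumes the ActiveDirectory module is available.
        [scriptblock]$GetGroups = { param($u) (Get-ADPrincipalGroupMembership -Identity $u).Name }
    )
    foreach ($u in $User) {
        $groups  = @(& $GetGroups $u)
        $present = @($RequiredGroup | Where-Object { $_ -in $groups })
        $missing = @($RequiredGroup | Where-Object { $_ -notin $groups })
        [pscustomobject]@{
            User          = $u
            PassesOr      = $present.Count -gt 0    # one condition listing both groups
            PassesAnd     = $missing.Count -eq 0    # two separate conditions, one per group
            MissingGroups = $missing -join ', '
        }
    }
}

# Constructed samples modelled on the two log lines quoted in the post.
$sampleLog = @(
    '*emWeb: Oct 12 15:02:58.126: %EMWEB-3-LOGIN_FAILED: ews_auth.c:2175 Login failed for the user:austec. Service-Type is not present or it doesn''t allow READ/WRITE permission..'
    '*emWeb: Oct 12 15:02:58.126: %AAA-5-AAA_AUTH_NETWORK_USER: aaa.c:2752 Authentication failed for network user ''austec'''
)
# Constructed membership table standing in for AD.
$membership = @{ austec = @('Network Admins'); jdoe = @('Network Admins', 'Telecomadmin') }

$failing = Get-WlcServiceTypeFailure -LogLine $sampleLog | Select-Object -ExpandProperty User -Unique
# A user with PassesOr = True and PassesAnd = False is exactly the case described above.
Test-WlcAdminGroupMembership -User $failing -GetGroups { param($u) $membership[$u] } | Format-Table
```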


Sources:

Cisco Forums - Watching Debug Via SSH Session to the WLC:
https://supportforums.cisco.com/t5/getting-started-with-wireless/watching-debug-via-ssh-session-to-the-wlc/td-p/2123603

Cisco WLC Debug & Show Commands:
https://www.cisco.com/c/en/us/support/docs/wireless/4400-series-wireless-lan-controllers/112064-wlc-commands.html#control

Cisco Forums - Service Type is Not Present Error When Attempting to Authenticate WLC Management Users:
https://supportforums.cisco.com/t5/aaa-identity-and-nac/service-type-is-not-present-error-when-attempting-to/td-p/1733782

Document - Generic TACACS+ for WLC Configuration:
https://supportforums.cisco.com/t5/aaa-identity-and-nac/service-type-is-not-present-error-when-attempting-to/td-p/1733782?attachment-id=15929

Cisco Cheat Sheet Common Wireless Issues:
https://www.cisco.com/c/en/us/support/docs/wireless/5508-wireless-controller/200072-Cheat-Sheet-Common-Wireless-issues.html#anc6

**Cisco Radius Server Authentication of Management Users on WLC Configuration Example:
https://www.cisco.com/c/en/us/support/docs/wireless-mobility/wlan-security/71989-manage-wlc-users-radius.html

**Microsoft Configure Network Policies:
https://docs.microsoft.com/en-us/windows-server/networking/technologies/nps/nps-np-configure#configure-nps-for-vlans

Microsoft Connection Request Policies:
https://msdn.microsoft.com/en-us/library/cc753603(v=ws.11).aspx

RADIUS Attribute - Service-Type:
https://www.dialogic.com/webhelp/BorderNet2020/2.2.0/WebHelp/radatt_service_type.htm

WLC Authentication by ISE Server:
https://rscciew.wordpress.com/2014/06/19/wlc-authentication-by-ise-server/

Friday, July 21, 2017

Windows 10 Updates Won't Download

I was having an issue where my Windows 10 machine wouldn't download updates.  It was stuck at 0%.  Other previous updates I noticed failed to install altogether as well.

I tried installing them via PowerShell (see resources links at bottom for method) to no avail, it would just get stuck downloading in the PS session.

I came across an article that had a solution.  Here's the rundown of what worked for me from it (supposedly it should work for Windows stuck downloading at any point; see the link to the original article at the bottom).

1.  Open an elevated command prompt (right click cmd.exe and run as admin)

2.  Enter the following two commands one at a time:

    net stop wuauserv
    net stop bits

3.  Browse to the C:\Windows\SoftwareDistribution folder; delete all folders and files inside, or move them to a desktop folder if you are cautious about deleting...

4.  Type in the elevated command prompt the following two commands, one at a time:

    net start wuauserv
    net start bits

5.  Run Windows Update again - the updates should download and install successfully.

6.  Restart to complete the update process.

Update 3/3/2023: I believe this process also works in the context of Windows Server 2012 or other versions with the correct update package and path.
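Steps 2 to 4 above as one function, an added example that is not part of the original article: it renames SoftwareDistribution instead of deleting it (so the old cache can be inspected or put back), supports -WhatIf, and must be run from an elevated Windows PowerShell prompt.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post.
function Reset-WindowsUpdateCache {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$CachePath = "$env:SystemRoot\SoftwareDistribution",
        [string[]]$Service  = @('wuauserv', 'bits')
    )

    # Step 2: stop Windows Update and BITS so the cache folder is not in use.
    foreach ($name in $Service) {
        if ((Get-Service -Name $name).Status -ne 'Stopped' -and
            $PSCmdlet.ShouldProcess($name, 'Stop service')) {
            Stop-Service -Name $name -Force -ErrorAction Stop
        }
    }

    # Step 3: move the cache aside rather than deleting it.
    $backupName = "SoftwareDistribution.old-$(Get-Date -Format 'yyyyMMdd-HHmmss')"
    if ((Test-Path -LiteralPath $CachePath) -and
        $PSCmdlet.ShouldProcess($CachePath, "Rename to $backupName")) {
        Rename-Item -LiteralPath $CachePath -NewName $backupName -ErrorAction Stop
    }

    # Step 4: start the services again; Windows Update recreates the folder on first use.
    foreach ($name in $Service) {
        if ($PSCmdlet.ShouldProcess($name, 'Start service')) {
            Start-Service -Name $name -ErrorAction Stop
        }
    }

    [pscustomobject]@{
        CacheExistsNow = Test-Path -LiteralPath $CachePath
        Backup         = Join-Path (Split-Path -Path $CachePath -Parent) $backupName
        Services       = (Get-Service -Name $Service | ForEach-Object { "$($_.Name)=$($_.Status)" }) -join ', '
    }
}

Reset-WindowsUpdateCache -WhatIf   # preview; run without -WhatIf, then do steps 5 and 6
```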



SOURCES:

"Windows Update stuck downloading updates in Windows 10" - http://www.thewindowsclub.com/windows-update-stuck-downloading-updates

"Update and Upgrade Windows 10 using powershell" - 

Thursday, July 13, 2017

Ending Calls When iPhone Screen Locks During Call

Here's a simple problem, and a simple solution.

So I was having the problem where my work iPhone screen would lock during a call.  Trying to end the call was a nuisance, thinking I had to type in my company's required 10-digit pin to unlock the phone to access the red "End Call" button.

I no longer use the thumbprint to unlock, because I once forgot my new passcode after a required PIN update, and subsequently lost all my work phone contacts and data: I was unable to unlock the phone after a random restart, it wasn't syncing to the cloud, and I couldn't get it to open on a computer because of security prompts within the phone that needed to be accepted, but of course the phone was still locked.

Anywho, I've also noticed that for whatever reason pressing the power button never ends a call for me either, but after some brief research I found a helpful solution.

SOLUTION:  During the call, if the screen has locked, first click the home button.  The locked screen shows the caller's name or number in big font above the call time duration, also displayed on the locked screen.  Just simply TAP the name or number of the call, and the iPhone call controls will appear, including the red "End call" button, allowing you to then end the call or take whatever other action you like using the controls.



For example:

On a locked screen, I would just tap the name or number of the caller on the other end (the words Work Cell in this picture) and it brings back the Call Menu so the call can be ended.

SOURCES:

"Prevent Screen Lock During Calls" -
https://discussions.apple.com/message/30673156

Friday, June 23, 2017

Recover Deleted Active Directory Object

Today I needed to restore an object accidentally deleted from Active Directory Users & Computers.  There is likely another or more direct way to do this but this is what I did.

Here was my process after I was given the name of the computer needing recovery and approximate time it was deleted:

1.  Connected to the Event Viewer of the domain controller the object was just deleted from

  • Open Event Viewer
  • Go to menu "Action" and select "Connect to Another Computer..."
  • Check option to connect to "Another computer" and type the name of the domain controller & click OK

2.  Explore and filter Security event logs for account deletion events for computer SID

  • Click "Security" under "Windows Logs" in left pane
  • In right pane under "Actions" choose "Filter Current Log..."
  • Enter the event ID 4743 in <All Event IDs> box to filter by category "Computer Account Management"
  • Checked events near the date and time reported by the tech (I believe you can sort further with other criteria, but I didn't have a lot of security events so it was just as easy to click on a few entries)
  • Located event with Target Computer Account Name matching the object's name followed by $
  • Copied the Security ID (SID) of the deleted computer given in the event (just above the Account Name)


3) Launch ldp.exe from an elevated (aka run as administrator) command prompt

  • Locate cmd.exe
  • Right click and "Run as administrator"
  • Type and then press enter: ldp.exe

4) Display the Deleted Objects container in Ldp.exe admin tool (taken from MS Technet, source listed at end of post)

  • On the "Options" menu, click "Controls"
  • In the "Controls" box, choose "Return deleted objects" from the "Load Predefined" drop-down menu
  • Connect and bind to the domain controller
    • Click "Connections" menu, click "Connect" and type the domain controller name
    • Click OK
    • Under "Connections" menu again, click "Bind" and choose "Bind as currently logged in user" (you'll need the proper rights to do this of course)
    • Click "View" menu, select "Tree" and for BaseDN type DC=<mydomain>,DC=<com> where <mydomain> and <com> are the appropriate names of your domain/AD DS environment
    • Double-click the root of the tree and find CN=Deleted Objects, DC=<mydomain>,DC=<com>, again where  <mydomain> and <com> are the appropriate names for your environment


5) Search in Ldp.exe for the SID

  • Click "Utilities" from the menu bar, and select "Sid lookup"
  • Enter or paste the SID from the Security event log found earlier in Step 2
  • Ldp.exe will return the current distinguished name of the object followed by the SID, for example:

    CN=JenLaptop\0ADEL:91efb6d4-ecec-4e9a-a245-d7d9080e34a8,CN=Deleted Objects,DC=austec,DC=com [S-1-5-21-1883794253-430958161-68370779-32434]

6) Restore the deleted computer to Active Directory Users & Computers (FYI you have to run Ldp.exe from an elevated command prompt to do this part, and must be a member of Domain Admins or equivalent to complete the procedure)

  • Right click in the results pane and select "Modify" in the popup menu
  • In DN, make sure the distinguished name for the object returned in the results list from the SID search is present (without the SID in brackets), for example (using the name in the example object above):

    CN=JenLaptop\0ADEL:91efb6d4-ecec-4e9a-a245-d7d9080e34a8,CN=Deleted Objects,DC=austec,DC=com

  • In "Edit Entry Attribute" type isDeleted
  • Leave the "Values" box empty
  • Under "Operation" click Delete, and then click Enter button, just to the right
  • Now in "Edit Entry Attribute" replace isDeleted and type distinguishedName
  • In "Values" type the original distinguished name (aka DN) of the Active Directory object
  • Under "Operation" choose Replace
  • Check the box for Extended
  • Click Enter button again
  • Finally, click Run


7)  Check the results window for entry to ***Call Modify... to make sure it was successfully modified


8)  Last, go into Active Directory Users and Computers and look for the restored object.
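Steps 5 and 6 above as PowerShell, an added example that is not part of the original post: it looks the SID up among deleted objects, then sends the same LDAP modify that the Ldp.exe steps perform (delete isDeleted, replace distinguishedName, with the "Return deleted objects" control attached, which is what the Extended box does). It assumes the ActiveDirectory module and Domain Admin-level rights; the SID and target OU in the usage line are placeholders. On a domain with the AD Recycle Bin enabled this tombstone reanimation is refused and Restore-ADObject is the tool to use instead.

```powershell
# Added example, not from the original post.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Restore-TombstonedADObject {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Sid,
        [string]$TargetParentDN,                                 # defaults to lastKnownParent
        [string]$Server = (Get-ADDomainController).HostName
    )
    # Step 5: the "Sid lookup" - search deleted objects for this SID.
    $obj = Get-ADObject -Server $Server -LDAPFilter "(objectSid=$Sid)" `
                        -IncludeDeletedObjects -Properties lastKnownParent
    if (-not $obj)            { throw "No object with SID $Sid was found, deleted or otherwise." }
    if (-not $obj.Deleted)    { throw "$($obj.DistinguishedName) is not deleted; nothing to restore." }
    if (-not $TargetParentDN) { $TargetParentDN = $obj.lastKnownParent }
    # A tombstone's name is "<name>\0ADEL:<guid>"; the original name precedes the 0x0A byte.
    $newDN = "CN=$(($obj.Name -split "`n")[0]),$TargetParentDN"

    # Step 6: one Modify with both operations, plus the show-deleted control (Extended box).
    $P = 'System.DirectoryServices.Protocols'
    $delIsDeleted = New-Object "$P.DirectoryAttributeModification"
    $delIsDeleted.Name = 'isDeleted'; $delIsDeleted.Operation = 'Delete'
    $setDN = New-Object "$P.DirectoryAttributeModification"
    $setDN.Name = 'distinguishedName'; $setDN.Operation = 'Replace'; [void]$setDN.Add($newDN)
    $req = New-Object "$P.ModifyRequest"
    $req.DistinguishedName = $obj.DistinguishedName
    [void]$req.Modifications.Add($delIsDeleted)
    [void]$req.Modifications.Add($setDN)
    [void]$req.Controls.Add((New-Object "$P.ShowDeletedControl"))

    if ($PSCmdlet.ShouldProcess($obj.DistinguishedName, "Reanimate as $newDN")) {
        $conn = New-Object "$P.LdapConnection" $Server
        $conn.SessionOptions.Signing = $true; $conn.SessionOptions.Sealing = $true
        $conn.Bind()                                   # as the logged-in user, like Ldp.exe
        $resp = $conn.SendRequest($req)
        if ($resp.ResultCode -ne 'Success') {
            throw "Modify failed: $($resp.ResultCode) $($resp.ErrorMessage)"
        }
        # Step 8: confirm the object is back where ADUC will show it.
        Get-ADObject -Server $Server -Identity $newDN -Properties objectSid
    }
}

# Placeholders: replace the SID and OU with the values from the 4743 event and your domain.
Restore-TombstonedADObject -Sid 'S-1-5-21-REPLACE-ME' -TargetParentDN 'OU=Workstations,DC=example,DC=com' -WhatIf
```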



Sources:

Work with Event Logs on a Remote Computer - https://technet.microsoft.com/en-us/library/cc766438(v=ws.11).aspx
4743 - A Computer Account was Deleted -
https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4743
Viewing Deleted Objects in Active Directory - https://support.microsoft.com/en-us/help/258310/viewing-deleted-objects-in-active-directory
Restore a Deleted Active Directory Object - https://technet.microsoft.com/en-us/library/dd379509(v=ws.10).aspx
How to Recover Deleted Object from Active Directory Using LDP.exe - http://techguyvijay.blogspot.com/2012/01/how-to-recover-deleted-object-from.html

Friday, March 24, 2017

Edit HKCU in Remote Registry

There have been many instances when I've needed to edit in the HKEY_CURRENT_USER of a remote machine.  Here's the general process I tend to use:

1) If not already running, start the Remote Registry service on the remote machine using PSTools.  In an elevated command prompt, navigate to your PSTools directory and execute:

> psservice.exe \\computername start "Remote Registry" -accepteula

2) Next in the elevated command prompt, open the Registry Editor:

> regedit

3)  Click File -> Connect Network Registry...


4) Type in the remote computer's computer name (also used in step 1) and click OK


5) Expand the newly added computer from the left pane to view the registry keys
6) Expand HKEY_USERS - the currently logged in user will be the longest key without "_Classes" at the end of the name

7)  To confirm the username of the currently logged in user, navigate to HKLM\SYSTEM\CurrentControlSet\Control\hivelist and look for the string value whose name contains the matching SID.  The user's username can be found in the data of that string (the path to their NTUSER.DAT).

8) Disconnect the remote registry under File -> Disconnect Network Registry when finished
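Steps 1, 6 and 7 above in Windows PowerShell, an added example that is not part of the original post: it starts Remote Registry if needed, then reads the remote hivelist to map each loaded HKEY_USERS SID to the account whose NTUSER.DAT it is, so the right subtree can be opened as that user's HKCU. It assumes admin rights on the target, that the Remote Registry service is not set to Disabled, and Windows PowerShell 5.1 (Get-Service -ComputerName); the computer name in the usage lines is a placeholder.

```powershell
# Added example, not from the original post.
function Get-RemoteUserHive {
    param([Parameter(Mandatory)][string]$ComputerName)

    # Step 1 equivalent of: psservice \\computer start "Remote Registry"
    $svc = Get-Service -ComputerName $ComputerName -Name RemoteRegistry
    if ($svc.Status -ne 'Running') {
        $svc.Start()
        $svc.WaitForStatus('Running', [TimeSpan]::FromSeconds(30))
    }

    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
        [Microsoft.Win32.RegistryHive]::LocalMachine, $ComputerName)
    try {
        # Step 7: hivelist names each loaded user hive by SID; its data is the path to NTUSER.DAT.
        $hivelist = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Control\hivelist')
        foreach ($name in $hivelist.GetValueNames()) {
            # Step 6: only full user SIDs; the *_Classes entries (UsrClass.dat) do not match.
            if ($name -match '^\\REGISTRY\\USER\\(?<sid>S-1-5-21-[\d-]+)$') {
                $sid  = $Matches.sid
                $path = [string]$hivelist.GetValue($name)
                $user = if ($path -match '\\Users\\(?<u>[^\\]+)\\NTUSER\.DAT$') { $Matches.u } else { $null }
                [pscustomobject]@{ ComputerName = $ComputerName; Sid = $sid; UserName = $user; HivePath = $path }
            }
        }
    } finally { $hklm.Close() }
}

# Read one value from a logged-on user's HKCU, i.e. HKEY_USERS\<SID>, on the remote machine.
function Get-RemoteHKCUValue {
    param([Parameter(Mandatory)][string]$ComputerName, [Parameter(Mandatory)][string]$Sid,
          [Parameter(Mandatory)][string]$SubKey,       [Parameter(Mandatory)][string]$ValueName)
    $hku = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
        [Microsoft.Win32.RegistryHive]::Users, $ComputerName)
    try { $hku.OpenSubKey("$Sid\$SubKey").GetValue($ValueName) } finally { $hku.Close() }
}

# Usage (computer name is a placeholder):
# $hive = Get-RemoteUserHive -ComputerName 'WORKSTATION01'
# Get-RemoteHKCUValue -ComputerName 'WORKSTATION01' -Sid $hive[0].Sid -SubKey 'Environment' -ValueName 'TEMP'
```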



SOURCES:

"Accessing 'HKEY_CURRENT_USER' on a remote machine" -
https://community.spiceworks.com/topic/138653-accessing-hkey_current_user-on-a-remote-machine

"Run commands remotely with psexec" -
http://heresjaken.com/run-commands-remotely-psexec/

"PSTools" (Suite Download) -
https://technet.microsoft.com/en-us/sysinternals/pstools.aspx

"PSService v.2.25" -
https://technet.microsoft.com/en-us/sysinternals/psservice

"Connect to the Registry" -
https://technet.microsoft.com/en-us/library/cc732388(v=ws.11).aspx


Tuesday, January 24, 2017

Cisco Jabber 11.5 Certificate Error

Cisco Jabber was presenting a certificate error, without an option to accept the certificate.


Certificate in question was self-signed.

I compared this to a working machine’s certificates.

In a command prompt on the affected machine, while logged in as the troubled user, I typed mmc, then went to File -> Add/Remove Snap-ins, selected Certificates to add to the snap-in list, and opted to view "My User Account".
No certificates for the servers Jabber requires were found under Enterprise Trust or Trusted Root Certification Authorities.

Based on various threads and Cisco documentation, the attempted solutions were:

1) Exported the registry key from a working machine at:
HKCU\Software\Microsoft\SystemCertificates\trust\Certificates
and imported it into the problem machine's registry.  This added the certificates to the Enterprise Trust certs, but did not resolve the issue.

2) Disabled FIPS in the registry by setting the "Enabled" value to 0 at:
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy
Confirmed in the local policy editor (gpedit.msc from a command prompt) under Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options that "System cryptography: Use FIPS compliant algorithms for encryption, hashing and signing" was set to DISABLED.
This still did not resolve it.

3) Supposedly, if you use Cisco AnyConnect for VPN and its .xml file has FIPS set to TRUE, it will override the Windows setting, so that must be set to false.  On Windows 7, I went to C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\AnyConnectLocalPolicy.xml, edited "FipsMode" to false and saved the document.  Still did not resolve it.

RESOLUTION:

This can be done by downloading the certs from the appropriate Cisco administration console, but I just exported the certs from a working machine.
In the Certificate Store on a working machine, I right clicked the cert, went to All Tasks, and selected "Export...".
I exported as DER, gave it a file name and save location, and finished the wizard.  Then I copied the exported cert to the problem machine under C:\temp.  On the problem machine, in a command prompt, I cd'd to C:\temp, then typed the following command for each certificate required, tabbing out the various cert names in place of CERTNAME for ease (plain ASCII hyphens and quotes; the curly variants break certutil's argument parsing):

certutil -addstore -user -f Root ".\CERTNAME.cer"


This command must be run as the logged-in end user so that the certificate is stored in the "current user" trusted root certificates.  There might be a way around needing to be logged in as the end user but I didn't bother looking any further.
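The resolution above in PowerShell, as an added example that is not part of the original post: one function exports the needed certs from the working machine's store by subject (DER, as in the post), the other imports each .cer into the current user's Trusted Root store (the certutil -addstore -user Root step, skipping ones already present) and checks that the chain now builds for this user. It assumes Windows 8/Server 2012 or later for the PKI cmdlets (on Windows 7 keep certutil) and that the import runs in the affected user's session; the subject pattern and paths are placeholders.

```powershell
# Added example, not from the original post.
function Export-CertFromStore {
    param([Parameter(Mandatory)][string]$SubjectPattern,
          [string]$StorePath = 'Cert:\CurrentUser\Root',
          [string]$OutDir    = 'C:\temp\jabber-certs')
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    foreach ($cert in Get-ChildItem -Path $StorePath | Where-Object Subject -like $SubjectPattern) {
        $file = Join-Path $OutDir "$($cert.Thumbprint).cer"
        Export-Certificate -Cert $cert -FilePath $file -Type CERT | Out-Null   # DER encoded
        $file
    }
}

function Import-UserRootCert {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string[]]$Path)
    foreach ($file in $Path) {
        $cert    = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $file
        $already = Test-Path -Path "Cert:\CurrentUser\Root\$($cert.Thumbprint)"
        if (-not $already -and $PSCmdlet.ShouldProcess($cert.Subject, 'Import to CurrentUser\Root')) {
            Import-Certificate -FilePath $file -CertStoreLocation Cert:\CurrentUser\Root | Out-Null
        }
        # A self-signed cert chains only once its own copy sits in Root for this user.
        # Revocation is skipped because a self-signed cert has no CRL to fetch.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $trusted = $chain.Build($cert)
        [pscustomobject]@{
            Subject        = $cert.Subject
            Thumbprint     = $cert.Thumbprint
            Expires        = $cert.NotAfter
            AlreadyPresent = $already
            ChainTrusted   = $trusted
            ChainStatus    = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        }
    }
}

# On the working machine (subject pattern is a placeholder):
#   Export-CertFromStore -SubjectPattern '*cucm*'
# On the problem machine, logged in as the affected user, after copying the .cer files over:
#   Import-UserRootCert -Path (Get-ChildItem -Path C:\temp\jabber-certs\*.cer).FullName
```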


SOURCES:

"Jabber Invalid Certificate" - 

"How To: View Certificates with the MMC Snap-In" -
https://msdn.microsoft.com/en-us/library/ms788967(v=vs.110).aspx

"Certificate Error - No accept button" - 

"Jabber Complete How-To Guide for Certificate Validation" -
http://www.cisco.com/c/en/us/support/docs/unified-communications/unified-presence/116917-technote-certificate-00.html

"Issue with Cisco Jabber certs in Enterprise Trust store and GPO" -