Friday, October 16, 2015

Generate a Certificate Signing Request (CSR) without IIS

Generate a Certificate Signing Request (CSR)

  1. Log in as an administrator
  2. From a command prompt or the run menu:
    1. To create the certificate in the local machine store (recommended):
      1. Type mmc
      2. On the File menu, click Add/Remove Snap-in.  Click Certificates in the left pane, then click Add.  
      3. Select Computer Account, then click Next.
      4. Select Local Computer, then click Finish.  
      5. Click OK.  
  3. In the left pane expand Certificates (Local Computer), expand  Personal, then click Certificates.  
  4. On the Action menu, click All Tasks, then click Advanced Operations, then click Create Custom Request.
  5. Click Next.
  6. Select Proceed without enrollment policy.  Click Next.
  7. In the Template menu, select (No template) CNG key, and verify that Suppress default extensions is not selected.  (Note: some software may not be compatible with CNG keys.)
  8. Under Request Format, select PKCS #10.  Click Next.  
  9. Click the arrow next to Details to expand the selection.  Click Properties.  
  10. On the General tab, provide a Friendly name and Description for the certificate.  These can be anything you want.  
  11. On the Subject tab, in the Subject name box:
    1. In the Type menu, select Common name.
    2. In the Type menu, select Organization.
    3. In the Type menu, select Organizational Unit.
    4. In the Type menu, select Street Address.
    5. In the Type menu, select City.
    6. In the Type menu, select State.
    7. In the Type menu, select Country.
  12. (Optional) If you want to restrict how this certificate can be used, you can select the appropriate options under Key usage and Extended Key Usage on the Extensions tab.  
  13. On the Private Key tab, expand Cryptographic Service Provider.  Select RSA, Microsoft Software Key Storage Provider.  Make sure no other options are selected. 
  14. On the Private Key tab, expand Key Options.  
  15. In the Key size menu, select a value of at least 2048.  
  16. Select Make private key exportable.
  17. Click OK.
  18. Click Next.
  19. Choose a file name and location for the CSR.  Select Base 64.  Click Finish.

For more detailed information and how to add a SAN, check out the Microsoft Technet page below.

How to Request a Certificate With a Custom Subject Alternative Name

https://technet.microsoft.com/en-us/library/ff625722%28v=ws.10%29.aspx
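The same request can be produced from an elevated PowerShell prompt without the MMC wizard by handing certreq.exe an INF file. This is an added example, not from the original post; the subject values, SAN names and file paths are placeholders to replace with your own.

```powershell
# Added example: build a Base64 PKCS #10 CSR with certreq.exe (no IIS, no MMC wizard).
# Subject, SAN names and paths below are placeholders.
$Subject = 'CN=www.example.com, O=Example Corp, OU=IT, STREET=1 Main St, L=Springfield, S=IL, C=US'
$SanDns  = @('www.example.com', 'example.com')   # DNS names for the SAN extension
$InfPath = "$env:TEMP\request.inf"
$CsrPath = "$env:TEMP\request.csr"

# Each SAN entry becomes a continuation line of the 2.5.29.17 (subjectAltName) extension.
$SanLines = $SanDns | ForEach-Object { "_continue_ = `"dns=$_&`"" }

# MachineKeySet=TRUE puts the key in the local machine store (the recommended choice above).
# ProviderName selects the CNG "Microsoft Software Key Storage Provider"; for software that
# cannot use CNG keys, use "Microsoft RSA SChannel Cryptographic Provider" with
# ProviderType = 12 and KeySpec = 1 instead of KeyAlgorithm.
# Set Exportable = FALSE unless the private key genuinely has to be moved off this host.
$Inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "$Subject"
KeyAlgorithm = RSA
KeyLength = 2048
HashAlgorithm = sha256
Exportable = TRUE
MachineKeySet = TRUE
ProviderName = "Microsoft Software Key Storage Provider"
RequestType = PKCS10
KeyUsage = 0xA0
FriendlyName = "www.example.com TLS request"

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
$($SanLines -join "`n")
"@

Set-Content -Path $InfPath -Value $Inf -Encoding ASCII

# certreq -new generates the key pair in the machine store and writes the CSR.
certreq.exe -new $InfPath $CsrPath
if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }

# Read the request back and check subject, SAN and key size before sending it to the CA.
certutil.exe -dump $CsrPath
```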

Tuesday, April 21, 2015

RDS On Windows Server 2012 R2

RDS in Server 2012 R2

RDS in Server 2012 R2 is a cake walk, but I didn't need all the fancy features. I just needed a simple RDS server with Per User licensing for running a Windows-specific application from Debian Linux.

Licensing

To solve the Licensing issue, I found a TechNet blog with the fix.

http://blogs.technet.com/b/askperf/archive/2013/09/20/rd-licensing-configuration-on-windows-server-2012.aspx

Configuring License server manually

There might be a situation where you want to configure the License server on the RD Session Host or on the RD Virtualization Host manually, since you do not have any RD Connection Broker in your environment. You have already configured the RD Session Host server or Virtualization Host server as required, and now you want to configure the License server, which is already installed and configured with licenses. All you are left to do is configure the License Server and the Licensing mode on the corresponding RD Session Host or Virtualization Host servers.

Note: The following commands must be run from an Administrative PowerShell prompt.

To configure the license server on RDSH/RDVH:
$obj = gwmi -namespace "Root/CIMV2/TerminalServices" Win32_TerminalServiceSetting
$obj.SetSpecifiedLicenseServerList("License.contoso.com")
Note: "License" is the name of the License Server in the environment.

To verify the license server configuration on RDSH/RDVH:
$obj = gwmi -namespace "Root/CIMV2/TerminalServices" Win32_TerminalServiceSetting
$obj.GetSpecifiedLicenseServerList()

To change the licensing mode on RDSH/RDVH:
$obj = gwmi -namespace "Root/CIMV2/TerminalServices" Win32_TerminalServiceSetting
$obj.ChangeMode(4)   # value: 2 = Per Device, 4 = Per User

To validate the licensing mode:
$obj = gwmi -namespace "Root/CIMV2/TerminalServices" Win32_TerminalServiceSetting
$obj.LicensingType
$obj.LicensingName
* To add the license server to the 'Terminal Server License Servers' group in AD, you need to be a domain admin or have the domain admin add the computer account to the group ahead of time. I ended up doing it after and it worked, but kept reporting an error in the licensing diagnostic.
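The TechNet commands above do not check whether the WMI calls actually succeeded. The following function is an added example (not from the TechNet post or the original article) that applies the license server and mode with the same Win32_TerminalServiceSetting class, checks each call's ReturnValue, and reads the settings back; the license server name is a placeholder.

```powershell
# Added example: configure RD licensing on an RDSH/RDVH and verify the result.
# Run from an elevated PowerShell prompt. 'license.contoso.com' is a placeholder.
function Set-RdsLicensing {
    param(
        [Parameter(Mandatory)][string]$LicenseServer,
        [ValidateSet('PerDevice', 'PerUser')][string]$Mode = 'PerUser'
    )
    # Win32_TerminalServiceSetting.ChangeMode: 2 = Per Device, 4 = Per User
    $modeValue = @{ PerDevice = 2; PerUser = 4 }[$Mode]
    $ns = 'Root/CIMV2/TerminalServices'
    $ts = Get-WmiObject -Namespace $ns -Class Win32_TerminalServiceSetting

    # Each method returns an object whose ReturnValue is 0 on success (non-zero is a Win32 error code).
    $r = $ts.SetSpecifiedLicenseServerList($LicenseServer)
    if ($r.ReturnValue -ne 0) { throw "SetSpecifiedLicenseServerList failed with code $($r.ReturnValue)" }

    $r = $ts.ChangeMode($modeValue)
    if ($r.ReturnValue -ne 0) { throw "ChangeMode failed with code $($r.ReturnValue)" }

    # Re-read the configuration rather than trusting the calls, then compare with what was requested.
    $ts = Get-WmiObject -Namespace $ns -Class Win32_TerminalServiceSetting
    $servers = @($ts.GetSpecifiedLicenseServerList().SpecifiedLSList)
    [pscustomobject]@{
        LicenseServers = $servers
        LicensingType  = $ts.LicensingType
        LicensingName  = $ts.LicensingName
        Verified       = ($servers -contains $LicenseServer) -and ($ts.LicensingType -eq $modeValue)
    }
}

# Per User licensing, as used in this post.
Set-RdsLicensing -LicenseServer 'license.contoso.com' -Mode PerUser
```

If Verified comes back $false, the RD Licensing Diagnoser on the host will usually name the cause (for example the license server not being in the 'Terminal Server License Servers' AD group).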

rdesktop

rdesktop stable version 1.8.3 appears to correct the issues I was seeing with graphics and the drive redirection, but it is having issues with spanning dual monitors if they are not the same resolution.

I downloaded and compiled the latest version, and with the following connection parameters things are looking better:
>rdesktop -u <username> -d <domain> -r disk:home=$HOME [-g <% or WxH> | -f <fullscreen>] rdshost.fqdn

I am not using CredSSP, but you need to choose it at compile time to have the option.

Wednesday, April 1, 2015

Broken domain trust when reverting VM to old checkpoint

I keep setting up test virtual machines for various projects, getting them perfect, then setting a checkpoint. Weeks go by and I finally get around to testing. Then, when everything is done, I revert to the last checkpoint. The VM boots but will not log on due to broken domain trust: the machine password has changed.

This is probably better documented elsewhere, but this is documentation for myself with a preamble rant.

To prevent this issue, disable the machine password change in the registry. Here is a rough PowerShell script to run on your test lab VMs. This will be added to a configure-VM master script that will do multiple functions, but I'm starting here because you have to start somewhere.

<#
.Synopsis
    Disables machine password changes for virtual machines
   
.Description
    This script disables machine password changes for Windows 7 Guest VMs
    allowing the restoration of older snapshots without losing domain trust.
   
    Note : Elevated permissions are required to execute this script.
           Cross-domain scenarios are supported by this script.

.Notes
    Name     : Set-DisablePasswordChange.ps1
.Created
    04/01/2015
#>


$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$result = Get-ItemProperty $regPath -Name DisablePasswordChange -ErrorAction SilentlyContinue

# A missing value behaves like 0 (password changes enabled), so treat both the same way.
if ($null -eq $result -or $result.DisablePasswordChange -eq 0)
{
    # Set-ItemProperty creates the DWORD if it does not exist yet.
    Set-ItemProperty $regPath -Name DisablePasswordChange -Value 1 -Type DWord
    Write-Host "Successfully Disabled Machine Password Change"
}
elseif ($result.DisablePasswordChange -eq 1)
{
    Write-Host "Machine Password Change is already Disabled"
}