Windows NPS Stops Authenticating Wireless Users

Had a funny issue raised from the helpdesk today. All of a sudden all of our wireless users were no longer able to connect to the internal Wi-Fi network that was protected by 802.1X PEAP via Meraki -> RADIUS -> NPS (Network Policy Server) -> Active Directory.

We had errors like this:

“Network Policy Server discarded the request for a user.”

“An internal error occurred. Check the system event log for additional information.”

And of course the logs at c:\windows\system32\logfiles had nothing of value in them.

Another thing was that Event Logging from NPS stopped although the service was still running.

CAUSE:

It turns out it was just because the certificate NPS uses was renewed automatically thanks to GPO / AD. NPS doesn’t handle the transition well.

FIX:

All you have to do is change the certificate to another certificate and back to the one that was auto-renewed. If you only have one, then create another, change it to that, then swap back to the correct auto-renewed one.

If you don’t know where to select it, it is under Policies -> Network Policies -> <your policy that grants users access> -> Constraints tab -> Authentication Mode -> Microsoft: Protected EAP (PEAP) [EDIT]
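A quick way to confirm this cause on the NPS server, as an added example (not from the original post): it lists the Server Authentication certificates in the computer store, marks subjects that have been renewed, and warns when the last NPS audit event predates the renewal. It assumes an elevated session and that NPS auditing writes events 6272, 6273 and 6274 to the Security log.

```powershell
# Added example, not from the original post. Run elevated on the NPS server.
# Assumption: NPS auditing is enabled, so events 6272 (granted), 6273 (denied)
# and 6274 (discarded) are written to the Security log.

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$now = Get-Date

# Certificates in the computer store that NPS could present for PEAP.
# Certificates without an EKU extension are not matched by this filter.
$candidates = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $serverAuthOid })
}

# More than one certificate under the same subject means it has been renewed.
$report = foreach ($group in ($candidates | Group-Object -Property Subject)) {
    $ordered = @($group.Group | Sort-Object -Property NotBefore -Descending)
    foreach ($cert in $ordered) {
        $isNewest = $cert.Thumbprint -eq $ordered[0].Thumbprint
        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotBefore  = $cert.NotBefore
            NotAfter   = $cert.NotAfter
            Expired    = $cert.NotAfter -lt $now
            Renewal    = $isNewest -and ($ordered.Count -gt 1)
        }
    }
}
$report | Sort-Object -Property Subject, NotBefore | Format-Table -AutoSize

# Most recent NPS audit event of any of the three kinds.
$filter  = @{ LogName = 'Security'; Id = 6272, 6273, 6274 }
$lastNps = Get-WinEvent -FilterHashtable $filter -MaxEvents 1 -ErrorAction SilentlyContinue

if (-not $lastNps) {
    Write-Warning 'No NPS audit events in the Security log; check auditing and the service.'
}
else {
    # A renewal newer than the last NPS event matches the symptom in the post:
    # the service is running but has stopped logging.
    $suspect = $report | Where-Object { $_.Renewal -and $_.NotBefore -gt $lastNps.TimeCreated }
    foreach ($r in $suspect) {
        $msg = "Last NPS event {0:s} predates renewal {1:s} of '{2}' ({3})." -f $lastNps.TimeCreated, $r.NotBefore, $r.Subject, $r.Thumbprint
        Write-Warning "$msg Re-select the certificate in the PEAP properties."
    }
}
```

A quiet period with no wireless logons also trips the warning, so treat it as a prompt to check the PEAP certificate selection rather than as proof.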


Dell XPS 13 Ultrabook vs Apple Macbook Air | Day 1


Hey everyone, you may have seen the marketing hype in the last few days for the Dell XPS 13″ Ultrabook. Professionally, I have been using a first generation MacBook Air with Boot Camp running Windows 7 on it for a while now. Yes, I know many Mac users might be upset by this. Too bad, Windows 7 is fantastic and far greater than OSX (let the comments begin).

History

Windows 7 on the MacBook Air:

Windows has never had a good notebook like the MacBook Air to run on (other than the Air of course.) The experience has been fantastic other than a few things that I can’t stand.

1) The FN key is where the Control key should be. It drives me nuts although I am just about used to it now.

2) The ALT key and the Windows Key (the command key for you Mac users) are swapped and in the wrong position. Thankfully I was able to reprogram Windows to swap them back. I wish I could have done the same for the FN and CTRL keys.

3) No backlit Keyboard. I could have used it many times. Apple has put this in newer MacBook Airs.

4) No grip on bottom. The Air slides all over the place, not unmanageable but not perfect either.

The fact is I LOVE the experience I got from the MacBook Air. However I have wanted to get a non-Apple notebook for some time now. I work as a Windows IT Manager and I hate the elitist feel I get from owning the Air. Additionally, I don’t like the looks I get when I go to Microsoft Conferences. I also want to support the Windows OEMs. I want to believe that freedom of choice yields better options.

Did Dell come through?  Read on………..

Unboxing

Packing


First, I’ve got to say, hats off to Dell. They finally got the packaging right. The outer box leads to an inner box that is high quality and even opens at a hinge.


First Impressions

Well, it’s pretty nice. I was worried it would have a plastic, not so solid feel to the unit but thankfully it feels like a rock (that weighs almost nothing). The aluminum edging gives it a very solid feel to the touch.

The keys are slightly rounded in the corners; I haven’t decided if that’s a good thing or not. But what is really nice is the plastic / rubber area around the keys. It has a very nice feel to it.


The touch pad seems perfect to the touch.

The carbon fiber bottom is really nice and in my opinion perfect. It’s a very nice touch and it has rubber strips that keep a nice grip on whatever it’s sitting on.


Dell XPS 13 Ultrabook vs. MacBook Air

I will not be covering everything each notebook has. Instead I will be covering items of high contrast between the two. If I didn’t mention something it is likely because they are very similar.

Screen Resolution

The Dell has a smaller height and this smaller size means it had to lose some rather important screen real-estate vs. the MacBook Air.


Due to its reduced size, the Dell XPS 13 Ultrabook only has a 1366 x 768 screen resolution. The MacBook Air has an impressive 1440 x 900 screen resolution.

1366 x 768 puts this unit firmly in the Netbook consumer range not the pro-sumer Ultrabook range. In fact, Windows 8 minimum requirements will be 768. It is the lowest possible resolution that will be supported with the up and coming release of Windows 8.

Display Quality

One of the things that made me think Dell was focusing more on quality was the screen was covered in Gorilla Glass. That would be the same stuff on the iPhone, iPad, and other mobile devices.

Unfortunately though, the display behind that glass is awful. To an uneducated consumer I would think it would be fine, however anyone that truly enjoys or works in computing will notice the display is low quality. Image reproduction is terrible.

The Dell XPS 13 Ultrabook at any angle other than dead center is hard and almost impossible to see. Even then the colors are just okay.

The MacBook Air has a simply beautiful screen. The colors and contrasts are perfect at any viewing angle.

Additionally the Dell XPS 13 Ultrabook has a much higher glare than the MacBook Air. Many people noticed it while sitting in my office, which has dimmed lighting and tinted windows. I can only wonder what outside in the light will look like.

Look and Feel

As I have said the Dell is smaller. I guess that could be a good thing. The only reason I can think why they did this was to make it less expensive (smaller screen) and to make it easier to use on an airplane (although I never had a problem with the MacBook Air).


Here is a little side by side. Notice the additional length at the top and bottom of the units.

image

image

Perhaps the Dell feels a little fatter on its underside.


Accessories

The power adapter is kind of junky too. Maybe I am just spoiled by the MagLock adapter from Apple but given Dell had to create a new adapter for this form factor I was hoping they would come up with something a little more useful. At least provide a way to wrap the cord around it. However all we got was this:

image

Battery Meter

I should point out there is a button on the side of the unit you can press to get the power level of the battery. This was a nice touch, good job Dell!

Speed

Not going to spend too much time on this but the Dell XPS 13 Ultrabook with i5 and 256GB SSD is blazing fast. It is a pleasure tinkering on it. Things load just as fast as my i7 desktop with 8GB of RAM and an SSD.

Conclusion


It kills me that Dell has taken so much effort to make this a quality notebook then turns around and dumps an inferior display in it. I am not just talking about screen resolution, the quality of image reproduction is just awful. Maybe if you are used to Dell displays it’s not that bad but if you are coming from a MacBook Air (or any MacBook really) then you are in for a real shock.

It’s also sad that Dell didn’t do more with the power adapter. It could have been much more functional.

It’s not all bad though. The rest of the unit really looks promising. I will mention that I am running into a lot of issues with finding drivers for Windows 8 (blog post about that to follow) but that shouldn’t be used when trying to decide to make the move.

The Dell XPS 13 Ultrabook has a good solid feel to it. I am going to use it over the next week and see if I can live with the few things I thought were not up to par. If not, however, it’s going back. Check back to see if I switch back to the MacBook Air or not.

Net Net…

If you can deal with the less than eye-popping image reproduction, then this might be the right notebook for you. The price is great for what you are getting and it’s very fast.

Fix: Lync Client for Mac OSX disconnects within 1 minute of connecting.

This comes second hand from a work colleague but I figured I should post it since there is nothing on the web about this issue.

Basically as it is described to me, Lync client for Mac OSX (10.6 and 10.7) will connect, show presence, but within one minute it blanks out and disconnects with an error.

Here is a sample error log from the TechNet Forums post where I got the solution:

2011/12/22 10:46:04.328 [o365] process server certificate from input token failed

http://social.technet.microsoft.com/Forums/en-US/ocsclients/thread/af8935f3-e1a0-47bc-9792-536c07e0ecf2 

So there isn’t a fix just yet; however, there is a workaround. This seemed to resolve the issue, thanks to "Jonathanpisarczyk" on the forums:

Open Lync Control Panel -> security
in the right pane we can find the authentication methods
Double click on the global setting so that we can edit that.
Uncheck the Enable Certificate Authentication.
Commit the changes.
User will need to signoff and back on.

If you have any other details on resolutions please leave them below in the comments.

 

UPDATE: OK, here is some new info. This fixed us only for a few days then we had the problem again. We then fixed it by re-enabling the certificate based authentication. Some posts claim post CU4 you should keep it enabled. Perhaps turning it off and back on fixes it? My colleague likes to say "jiggle the toilet handle".

-Eric

DNS Error | The server forwarders cannot be updated.

If you ever get the following message:

The server forwarders cannot be updated.
A zone configuration problem occurred.


when setting up conditional forwarders in Windows 2003 R2 DNS Server, then more than likely it’s because the zone already exists as a stub zone.

In my case I tried to add xyz.local and got this error message each time. My first move was to check if there was an xyz.local stub zone and sure enough there was NOT. After some more checking I noticed there was a “local” stub zone.

Make sure to check for the root level as a stub zone, I bet you will find that is your issue.

Hope it helps!

-Eric

Fix: Access 2010 SP1 Wizard Error | “The database cannot be opened because the VBA project contained in it cannot be read. The database can be opened only if the VBA project is first deleted”

 

Real quick one today, one of my users today told me she had been holding off upgrading to Office 2010 SP1 due to an error using one of the Wizards in Access 2010.

She happened to be on x64 but I believe this was a bug in both.

Error Details:

"The database cannot be opened because the VBA project contained in it cannot be read. The database can be opened only if the VBA project is first deleted. Deleting the VBA project removes all code from modules, forms and reports. You should back up your database before attempting to open the database and delete the VBA project."

Once you click OK on this message, you may receive any of the errors below:

Cannot update. Database or object is read-only.

OR

The Visual Basic for Applications project in the database is corrupt.

OR

Microsoft Access can’t find the wizard. This wizard has not been installed, or there is an incorrect setting in the Windows Registry, or this wizard has been disabled.

Well all you need to do to fix it is get the hotfix from Microsoft:

http://support.microsoft.com/default.aspx?scid=kb;en-US;2581301

Just simply scroll down to the large consumer focused icon that says "Microsoft Fix It" and click it. You download a quick package which patches Access.

Note: Make sure you close down all of Office first!

Enjoy,

Eric

Can not connect to Lync Mobile Client | Access is Denied

So I am so happy Microsoft finally released mobile clients for WP7, Android, and yes even iOS!!!

I was a good admin and installed CU4 and the Mobile Connectivity add-on however it wasn’t working.

First thing to know about troubleshooting is to enable logging on the CLIENT. It’s in Help –> About or near it depending on platform. Microsoft did a great job with the logging. One easy button emails everything you need to an email address of your selection.

Second thing is to do a basic test. Using a desktop browser, can you get to https://lyncdiscover.domainname.net (replace domainname.net with your SIP domain) and be offered a download OR does it give you access is denied message?

If you get access denied then you had the same problem I did. Turns out if you don’t use the bootstrap install method for the mobile connectivity pack, IIS doesn’t get configured correctly.

While I am not totally sure I “think” what’s missing is in the web.config file this section:

<rule name="autodiscover rule 1" enabled="true" stopProcessing="true">
  <match url="(.*)" />
  <conditions logicalGrouping="MatchAll">
    <add input="{HTTP_HOST}" pattern=".*lyncdiscover.*" />
    <add input="{REQUEST_URI}" pattern="Autodiscover/AutodiscoverService.svc/root" negate="true" />
  </conditions>
  <action type="Rewrite" url="Autodiscover/AutodiscoverService.svc/root" />
</rule>

See, access denied isn’t for Lync, it’s for you trying to browse the root directory of IIS. Without the above rule it delivers you to the root.

So anyways thanks to Matthew C. Evans from the comments on this excellent post on how to install Mobile Service: http://blog.schertz.name/2011/12/deploying-the-lync-2010-mobility-service/

If that is your problem then just uninstall the mobile component from add / remove programs (it’s headless, don’t be scared when it just vanishes) then follow that post above for using the bootstrap to install the client. Like magic everything started working for me.

I had followed “most” of Microsoft’s directions but I think I hit page down one too many times and skipped the bootstrap method of installing the mobility service. Just IMO the installer should be fixed OR blocked from installing without being done via the bootstrap.

Hope it helps others, I couldn’t find any good posts about this one issue.

Please leave comments if you know anything additional about it.

Get all SMTP Address from Public Folders or Groups or anything in Exchange!

Here is a quick one, just change your mail domain where it says “MyDomain.com”

Public Folders Only:

Get-Recipient -RecipientTypeDetails PublicFolder | select Name -ExpandProperty EmailAddresses | ? {$_.SMTPAddress -like "*MyDomain.com*"} | select Name, SMTPAddress

To pump to CSV:

Add this to the end: | Export-CSV C:\Filename.csv

Other RecipientTypeDetails types? Just change the RecipientTypeDetails to one or more of the following (comma delimited):

  • MailUniversalDistributionGroup
  • MailUniversalSecurityGroup
  • DynamicDistributionGroup
  • MailNonUniversalGroup
  • MailUser
  • UserMailbox
  • PublicFolder
  • MailContact
  • DiscoveryMailbox
  • SharedMailbox
  • RoomMailbox

Set Processor Affinity with Powershell

Hey all, I know it’s been far too long since my last post. I have been doing a lot of great things with PowerShell and I am going to start sharing them as they come up. Here was a helpful one this morning…

So the Backup Server is going nuts with these storageservice.exe processes consuming 100% of the CPU. It makes it very hard to troubleshoot when the server doesn’t have enough CPU to let the OS run.


Below is a script I just created that takes all of them and sets them to only use cores 1 – 4 (basically only allowing it 50% of the total CPU power).


# Set processor affinity by adding the numbers together. For cores 1 - 4 it's 15, for example.
#   1 (CPU 1)
#   2 (CPU 2)
#   4 (CPU 3)
#   8 (CPU 4)
#  16 (CPU 5)
#  32 (CPU 6)
#  64 (CPU 7)
# 128 (CPU 8)

$instances = Get-Process storageservice
foreach ($i in $instances) {
    $i.ProcessorAffinity=15
}


Ah, much better, now time to figure out why it’s going nuts….


Fix: None of your e-mail accounts could send to this recipient.

So I am a huge fan of these odd ball issues. When one of my users called me telling me they couldn’t send a “few” messages to people I told the helpdesk I was going to look into it myself.

They got this NDR back:

“None of your e-mail accounts could send to this recipient.”


Now I have never seen that error before, and what really got my interest was there was no x.x.x error code. This led me to think it was a local issue with the client.

Some Google searching led me to think it had to do with missing message connectors (like fax, etc.) but this user didn’t have any of that.

Sometimes it really helps to just talk to the end user. After speaking to her we discovered this only happened when clicking a mailto: hyperlink from a forwarded email down in the thread.


When I went back to my desk I noticed that my FROM: tags were not hyperlinked like the ones from my user.

After comparing the differences I finally noticed that she had the SalesForce.com plug-in installed. What it is doing is actually sending Outlook an email type of “MAILTO” instead of SMTP.

After pressing ALT+K you can double click the resolved address and see what the email type is. If it’s set to MAILTO it will not work. You can however press the internet type button and it will change it to SMTP (which will allow it to send).


So there is no real solution right now. I am going to check with SF.com enterprise support but I have a feeling they won’t do anything about it. After showing the end user what not to do and showing how to correct it she was happy enough with the solution.

If you find the same problem or any other add-on causing this please let me know so I can add it to the list.

UPDATE: Thanks to Andrew down there in the comments Outlook 2007 has been patched by MS: http://support.microsoft.com/kb/2475888/en-us

UPDATE 2: Thanks to Tom, we now know MS is hopefully rolling out a patch for Outlook 2010 sometime this month (fingers crossed).

UPDATE 3: I just saw there might be a fix for 2010; you can test out this hotfix from MS. If it works let me know in the comments: http://support.microsoft.com/kb/2475888/en-us or possibly http://support.microsoft.com/kb/2597052.

Microsoft Office Communication Server 2007 Client for BlackBerry 6.0 / BlackBerry Torch

UPDATE: RIM released a new version that works with 6.0, simply go to their download section to get it.

Hey I just got the torch and I am loving it! Sure it’s a little laggy now and then and sometimes it doesn’t play nice with my WiFi but all in all, BEST BLACKBERRY EVER! The two things I mentioned I believe will be fixed with soon upcoming future releases of the OS.

However there is one problem, BES isn’t pushing my OCS / Communicator Client to the phone. I did a little Google searching and didn’t find anything. Here is how I fixed it.

Special Note: If RIM releases a new version please don’t follow these directions anymore, this is just a work around for now and I am not responsible if you toast your torch 😉

 

1) Download the desktop version from RIM’s site: https://www.blackberry.com/Downloads/entry.do?code=24E01830D213D75DEB99C22B9CD91DDD

2) Extract the following files to your desktop
– \oc2007\For_5.0.0\net_rim_bb_qm_oc2007.cod
– \oc2007\For_5.0.0\net_rim_bb_qm_oc2007_resource_en.cod

3) Download BBSAK 1.7 (if you don’t already have it) from here: http://rimgeeks.com/viewtopic.php?f=62&t=56

4) Open BBSAK (if there is no start menu shortcut, it’s here: C:\Program Files\BBSAK\BBSAK.exe)

5) Put in your device password (if you have one) then go to the Modify COD’s tab

6) Click on “JAD Maker”

7) Add the two files on your desktop, name the App “Enterprise Manager”, give it a description, Version “2.5.20”, and Vendor “Research in Motion”.

8) Finally click Create JAD

9) Once it’s created click the INSTALL JAD button and select the newly created JAD file. NOTE: This may reboot the device; it scared me a lot but it came up just fine after the boot and the application works.

Thanks and let me know if you have any problems!