Installing a certificate into Citrix Netscaler VPX - Part 1

In my future articles I am going to write about Skype for Business (SFB) Front End Pool load balancing via Citrix Netscaler VPX. To do that, we need to import the SFB SAN certificate into Netscaler. Windows certificates cannot be imported into NetScaler in PFX format, so we must first convert the certificate to PEM format.

Open the MMC console, add the Certificates snap-in (choose the local computer store), then go to Personal > Certificates and find your SAN certificate. (I am using a SAN certificate from GoDaddy.) Right-click the certificate and choose All Tasks > Export.

Choose Yes, export the private key:

Store it on your local drive:

Hit Finish.

Now log in to Netscaler and make sure SSL Offloading is enabled (under Configure Basic Features).

Then go to SSL\Tools\Import PKCS#12.

Type an Output name (in my case SFB_FE_certificate.cer); in PKCS12 file, browse to the PFX on your local drive; type the PFX password; choose DES3 as the encoding format and type the passphrase that will protect the converted private key on the Netscaler. Hit OK.

Under Manage Certificates / Keys / CSRs you will be able to see the newly imported certificate, but we are not done yet.

Now go to SSL\Certificates and hit Install.

Choose the imported CER file:

The certificate is now imported:

In the second part, I will show you how to import the server certificate for the Intermediate Certificate Authority and bind it to the SAN certificate.

Creating a HTTP Certificate Revocation List Distribution Point for Your Internal Certification Authority – Part 2

Previous part:

Creating a HTTP Certificate Revocation List Distribution Point for Your Internal Certification Authority – Part 1

 

Now we need to create a DNS record for our new HTTP CDP.

Log in to your Domain Controller, go to Server Manager, Tools and DNS Management:

Right click on your Forward Lookup Zones and choose New Host (A or AAAA).

Use crl as the name and the Certificate Authority IP address, so all requests to http://crl.yourdomain.com go to your CA.

Now you can close DNS management and go back to your CA server.

Log in to your CA, go to Server Manager, Tools and Internet Information Services (IIS) Manager.

Right-click Default Web Site and pick Add Virtual Directory.

Type CRLD as the Alias, then click …, go to the C:\ drive and create a folder named CRLDist. Confirm Add Virtual Directory by clicking OK.

Click on the newly created virtual directory CRLD and choose Directory Browsing.

Enable the feature on the right side via Actions.

Go back and open Configuration Editor (at the bottom).

Go to system.webServer/security/requestFiltering, change allowDoubleEscaping from False to True and hit Apply. This is required because delta CRL file names contain a plus sign (+), which IIS request filtering rejects by default; without it clients get a 404 when they fetch the delta CRL.

You can now close IIS manager.

Go to This PC, the C:\ drive and open the properties of the CRLDist folder. Click Advanced Sharing, check Share this folder, use CRLDist$ as the share name and click Permissions.

In the Permissions tab, click Add (in Object Types, check Computers), add your CA computer account and grant it Full Control.

Go back to the Security tab and grant the CA server computer account Full Control there as well. Confirm with OK.

Now go back to the Certification Authority console, right-click Revoked Certificates, All Tasks, Publish.

Choose New CRL and hit OK.

Now go to your CRLDist folder and you should see the following:

To test the HTTP CDP, open Internet Explorer and type the following URL:

http://crl.<yourdomainname>.com/crld/<filename>.crl

If everything is configured properly, you should be able to download your CRL:
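The browser test above only covers the base CRL. The following script is an added example (not from the original post) that checks the CDP from a client the way a relying party would: it downloads both the base CRL (<CaName>.crl) and the delta CRL (<CaName>+.crl, the file name with the plus sign that needs allowDoubleEscaping) and reads NextUpdate with certutil to confirm the published CRL is still current. $CdpBase and $CaName are assumed placeholders; replace them with your own values.

```powershell
# Added example: validate the HTTP CDP built in Part 1 and Part 2 from a client.
# Assumed placeholders: $CdpBase (the crld virtual directory URL) and $CaName (the CA name
# that the <CaName> variable expands to in the CDP extension).
param(
    [string]$CdpBase = "http://crl.yourdomainname.com/crld",
    [string]$CaName  = "YourCAName"
)

$work = Join-Path $env:TEMP "cdpcheck"
New-Item -ItemType Directory -Path $work -Force | Out-Null

# "" is the base CRL, "+" is the delta CRL (what <DeltaCRLAllowed> expands to)
foreach ($suffix in @("", "+")) {
    $kind = if ($suffix -eq "+") { "delta CRL" } else { "base CRL" }
    $url  = "{0}/{1}{2}.crl" -f $CdpBase, $CaName, $suffix
    $file = Join-Path $work ("{0}{1}.crl" -f $CaName, $suffix)

    try {
        Invoke-WebRequest -Uri $url -OutFile $file -UseBasicParsing -ErrorAction Stop
    } catch {
        # A 404 on the delta CRL only usually means allowDoubleEscaping is still False in IIS
        Write-Warning ("{0}: download of {1} failed: {2}" -f $kind, $url, $_.Exception.Message)
        continue
    }

    # certutil -dump decodes the CRL; pull the NextUpdate timestamp and issuer out of the text
    $dump = certutil -dump $file 2>&1 | Out-String
    if ($dump -notmatch 'NextUpdate:\s*(.+)') {
        Write-Warning "$kind at $url is not a CRL certutil can decode (check the file in CRLDist)"
        continue
    }
    $nextUpdate = [datetime]::Parse($Matches[1].Trim())
    $issuer     = if ($dump -match 'CN=([^,\r\n]+)') { $Matches[1].Trim() } else { "unknown" }

    if ($nextUpdate -lt (Get-Date)) {
        # An expired CRL on the CDP makes revocation checking fail for every issued certificate
        Write-Warning ("{0} from {1} EXPIRED at {2}; republish it from the CA console" -f $kind, $issuer, $nextUpdate)
    } else {
        Write-Host ("{0} from {1} OK, valid until {2}" -f $kind, $issuer, $nextUpdate)
    }
}
```

Run it from a domain member that resolves crl.<yourdomainname>; a warning on the delta CRL alone points at the request filtering setting, a warning on both at DNS, IIS or the publish job.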

Creating a HTTP Certificate Revocation List Distribution Point for Your Internal Certification Authority – Part 1

In this article I will walk you through the process of setting up a certification authority (CA) to publish a certificate revocation list (CRL) distribution point via HTTP.

Prerequisites:

An installed and configured Windows Server with Active Directory Certificate Services.

Configure the CDP settings on the CA

  • In Server Manager, go to Tools, open Certification Authority, right-click the CA and click Properties. On the Extensions tab, click Add.
  • In Location, type http://crl.<the domainname>/crld/ (for example, http://crl.yourdomainname.com/crld/).
  • In Variable name, click <CaName>, click Insert; click <CRLNameSuffix>, click Insert; click <DeltaCRLAllowed>, click Insert.
  • In Location, type .crl at the end of the Location string and then click OK.
  • Select "Include in CRLs. Clients use this to find Delta CRL locations." and "Include in the CDP extension of issued certificates", then click Apply.
  • Click No in the dialog box asking you to restart the ADCS.

Configure the file share:

Click Add.

In Location, define the file server and share name. I am using a shared folder on the local server, so: C:\crldist

In Variable, click <CAName>, click Insert; click <CRLNameSuffix>, click Insert; click <DeltaCRLAllowed>, click Insert.

In Location, type .crl at the end of the Location string and then click OK.

Select Publish CRLs to this location and Publish Delta CRLs to this Location, then click Apply. Click Yes in the dialog box asking you to restart the CA.

 

I have also deleted all other CDP locations, as my infrastructure will use HTTP access as its only CDP.

Now you can close the CA console.

Next part:

Creating a HTTP Certificate Revocation List Distribution Point for Your Internal Certification Authority – Part 2

 

Email stuck in Exchange Message queue: SMTPSEND.SuspiciousRemoteServerError; remote server disconnected abruptly – returned 451 4.4.0

After migrating to a new Exchange environment, I noticed that a couple of emails were stuck in the message queue with the following error:

SMTPSEND.SuspiciousRemoteServerError; remote server disconnected abruptly – returned 451 4.4.0

After some troubleshooting, we found out that our firewall had the IPS feature enabled on SMTP traffic. Once it was disabled, the emails went through successfully. A more targeted fix is to identify the IPS signature that resets the SMTP sessions and create an exception for that signature only, so the rest of the SMTP traffic stays inspected.

The HTTP service located at https://sfbfrontendserver01/liverserver/userpinmanagement/fabricmanagement is unavailable

After a fresh Skype for Business 2015 Front End pool installation, I was not able to start the RTCSRV service. I tried different things and ended up resetting the pool with the command Reset-CsPoolRegistrarState. The command failed with the following error:

After some troubleshooting I noticed that I had forgotten to install the latest Cumulative Update.

I downloaded the Skype Server Update Installer from:

https://www.microsoft.com/en-us/download/details.aspx?id=47690

followed this guideline:

https://support.microsoft.com/en-us/kb/3061064

and installed the CU on all Front End servers.

After a reboot, all CS services started successfully.

Cannot remove VM in Stopping state from VMM2012R2

I came across a problem deleting a Virtual Machine and Service instance from the VMM console: my VM was already deleted on the Hyper-V host, but was still showing in the Stopping state in VMM.

The VMM Delete VM job failed with the following error:

Then I tried the PowerShell command:

Get-SCVirtualMachine | Where-Object { $_.Name -eq "VM NAME HERE" } | Remove-SCVirtualMachine -Force

Again, no success.

What helped was stopping my VMM cluster and restarting the VMM service. After the VMM restart, I logged back in and found my VM in the Missing state.

The next "Delete VM" job was successful.

 

NVGRE Gateway deployment stuck at 70%

I came across the following error where my NVGRE Gateway deployment got stuck at 70%. The VM was deployed, but when I connected to the console, I saw the screen below, showing a boot failure:

After some troubleshooting I noticed that I had used a Generation 2 VM for my Service Template by mistake. Lesson learned: NVGRE GW VMs must always use Generation 1 VM templates.

HA NVGRE Gateway: No available connection to selected vm network can be found

I came across these errors when I was creating Service Template for HA NVGRE Gateway:

The virtual machine or tier load balancer configuration requires an ip pool and there are no appropriate IP pools accessible from the host.

and

No available connection to selected vm network can be found.

 

After some troubleshooting I noticed that some of my port profiles did not match.

Make sure you have two Logical Switches deployed on your Gateway Hosts. Here is my configuration:

LS-Management with Logical Networks and Virtual Adapters configured for Management, Cluster, Live Migration networks.
LS-Gateway (Front-End Network is enabled but no Virtual Adapters are created on GW Hosts)

In case you are using custom port profiles and port classifications, make sure they are configured consistently on both switches.

Once I reviewed the switch settings on the GW hosts, my host ratings went back to normal.

Azure pack VM provisioning not working & ID 26726 “Either the specified user role or the specified user (Domain\SPF-SVC) is not valid. User is not a member of the role. Add (Domain\SPF-SVC) as a member of the user role and try again or provide a different user role or a different user.”

When using the Azure Pack Tenant Portal, all users (except Administrator) were unable to create VMs. In my case, when a user tried to create a new VM, it failed with a non-specific error.

After some digging, I found the following error on my Azure Pack Tenant Hub server:

Potential version mismatch between WAP and SPF, please verify both component's versions and if they're compatible, Exception: 'System.Data.Services.Client.DataServiceQueryException: An error occurred while processing this request. ---> System.Data.Services.Client.DataServiceClientException: <Error xmlns:i="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.microsoft.com/windowsazure"><Code>InternalError</Code><Message>The server encountered an internal error, please retry. If the problem persists, contact support.

I checked all my Azure Pack, VMM and SPF servers; all were up to date with the latest updates.

So I suspected something was wrong with SPF. I followed the instructions in this link:

http://blogs.technet.com/b/privatecloud/archive/2013/11/08/troubleshooting-windows-azure-pack-spf-amp-vmm.aspx

In my case there were no issues with SPF.

I also found the following error in the VMM Jobs history:

ID 26726: “Either the specified user role or the specified user (Domain\SPF-SVC) is not valid. User is not a member of the role. Add (Domain\SPF-SVC) as a member of the user role and try again or provide a different user role or a different user.”

My SPF account was a member of the Administrator role in VMM, so I tried to log on to the SPF server with the SPF service account and open the VMM console.

I got the following error:

SCVMM console error "could not update managed code add-in pipeline due to the following error"

Quick fix:

I fixed it by granting "Authenticated Users" Read & Execute rights on the folder "C:\Program Files\Microsoft System Center 2012\Virtual Machine Manager\bin\AddInPipeline" and all its subfolders and files.

Then I reopened the VMM console and tried to create a new VM, but it again failed with the following error:

spf-svc access error

I reviewed my SPF service account permissions to make sure nothing was missing:

Group name: <DOMAIN>\SPF-Admins
Purpose: Service Provider Administrators domain group used to provide domain accounts administrative rights to all Service Provider Foundation components and web services.
Members: <DOMAIN>\SPF-SVC

Group name: <DOMAIN>\SPF-Provider
Purpose: Service Provider domain group used to provide domain accounts access to the Service Provider Foundation Provider web service.
Members: Appropriate domain accounts to be delegated permissions to services

Group name: <DOMAIN>\SPF-VMM
Purpose: Service Provider domain group used to provide domain accounts access to the Service Provider Foundation VMM web service.
Members: Appropriate domain accounts to be delegated permissions to services

Group name: <DOMAIN>\SPF-Usage
Purpose: Service Provider domain group used to provide domain accounts access to the Service Provider Foundation Usage web service.
Members: Appropriate domain accounts to be delegated permissions to services

Group name: <Service Provider Foundation Server>\SPF_Admin
Purpose: Local group created by the Service Provider Foundation setup process to provide access to the Admin web service. Domain groups and accounts must be added after setup finishes.
Members: <Service Provider Foundation Server>\Local-SPF-SVC, <DOMAIN>\SPF-Admins

Group name: <Service Provider Foundation Server>\SPF_Provider
Purpose: Local group created by the Service Provider Foundation setup process to provide access to the Admin web service. Domain groups and accounts must be added after setup finishes.
Members: <Service Provider Foundation Server>\Local-SPF-SVC, <DOMAIN>\SPF-Admins, <DOMAIN>\SPF-Provider

Group name: <Service Provider Foundation Server>\SPF_VMM
Purpose: Local group created by the Service Provider Foundation setup process to provide access to the Admin web service. Domain groups and accounts must be added after setup finishes.
Members: <Service Provider Foundation Server>\Local-SPF-SVC, <DOMAIN>\SPF-Admins, <DOMAIN>\SPF-VMM

Group name: <Service Provider Foundation Server>\SPF_Usage
Purpose: Local group created by the Service Provider Foundation setup process to provide access to the Admin web service. Domain groups and accounts must be added after setup finishes.
Members: <Service Provider Foundation Server>\Local-SPF-SVC, <DOMAIN>\SPF-Admins, <DOMAIN>\SPF-Usage

Solution:

What finally got VM provisioning with the SPF service account working was adding the VMM service account to the Windows Authorization Access Group in Active Directory. Once I did that, I was able to provision VMs while logged in as the SPF service account. It also worked in the Azure Pack Tenant Portal.

Query on Active Directory Account for identity Domain\Useraccount returned empty attribute values.

I have deployed and integrated ADFS with Azure Pack and I am using the ExtendASP control panel for Hosted Exchange and multi-tenant Active Directory. All my tenant accounts are created via ExtendASP and reside in the Hosting OU. My goal is to use ExtendASP as the central management for my cloud identities, so tenant administrators will be able to manage the Azure Pack IaaS service and the ExtendASP SaaS services with a single AD account.

When I created the first customer in ExtendASP and tried to log in to the Azure Pack Tenant Portal through ADFS as the Company Administrator, I got the following error:

adfs_error

Also, the following errors were generated in the ADFS log:

Error1:

Microsoft.IdentityServer.Service.SecurityTokenService.ADAccountValidationException: MSIS8006: Query on Active Directory Account for identity 'Domain\Useraccount' returned empty attribute values.

Error2:

An error occurred during processing of a token request. The data in this event may have the identity of the caller (application) that made this request. The data includes an Activity ID that you can cross-reference to error or warning events to help diagnose the problem that caused this error.

Additional Data

Caller: Domain\Useraccount

 

Error3:

The Federation Service encountered an error while processing the WS-Trust request.
Request type: http://schemas.microsoft.com/idfx/requesttype/issue

Additional Data
Exception details:
Microsoft.IdentityServer.Service.SecurityTokenService.ADAccountValidationException: MSIS8006: Query on Active Directory Account for identity 'Domain\Useraccount' returned empty attribute values.

Solution:

Grant Read rights to the ADFS service account on the Hosting OU in AD. Do not forget to apply it to: This object and all descendant objects. The MSIS8006 error is exactly what ADFS reports when it can bind to the user but cannot read the attributes it needs to build the claims, which is what happens when the tenant users live in an OU the service account is not allowed to read.
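The same delegation done with the Active Directory PowerShell module, as an added example (not from the original post): it adds a Read ACE for the ADFS service account on the Hosting OU with inheritance set to "This object and all descendant objects", then lists the ACE so the change can be verified. $hostingOu and $adfsAccount are assumed placeholders for your OU and ADFS service account.

```powershell
# Added example: grant the ADFS service account Read on the Hosting OU (inherited by all
# descendant objects) and verify the resulting ACE. Run as a user who can modify the OU's ACL.
Import-Module ActiveDirectory

$hostingOu   = "OU=Hosting,DC=yourdomain,DC=com"   # assumed placeholder: DN of the Hosting OU
$adfsAccount = "YOURDOMAIN\adfs-svc"                # assumed placeholder: ADFS service account (gMSA names end in $)

# Resolve the account to a SID so the ACE survives a rename of the account
$sid = (New-Object -TypeName System.Security.Principal.NTAccount -ArgumentList $adfsAccount).Translate(
           [System.Security.Principal.SecurityIdentifier])

# GenericRead is what the ACL editor calls "Read": list contents, read all properties, read permissions.
# ActiveDirectorySecurityInheritance::All is "This object and all descendant objects".
$ruleArgs = @(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
)
$rule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $ruleArgs

# The AD: PSDrive exposes directory objects to Get-Acl / Set-Acl
$acl = Get-Acl -Path "AD:\$hostingOu"
$acl.AddAccessRule($rule)
Set-Acl -Path "AD:\$hostingOu" -AclObject $acl

# Verify: show only the ACEs on the OU that belong to the ADFS account; expect GenericRead, Allow, All
(Get-Acl -Path "AD:\$hostingOu").Access |
    Where-Object { $_.IdentityReference.Value -eq $adfsAccount } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType, InheritanceType
```

Read is all the token service needs here; avoid granting the ADFS account write rights on tenant OUs, since a compromised federation service account would then be able to modify every tenant identity.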