Saturday, April 14, 2018

Using Azure AD credentials to sign into Atlassian site with SAML integration configured fails with: "Sorry, but we’re having trouble signing you in. AADSTS70001: Application with identifier ‘https://auth.atlassian.com/saml/D4327……’ was not found in the directory…”

Problem

You’ve completed configuring Azure Active Directory integration with Atlassian Cloud using SAML as per the following Microsoft document:

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-saas-atlassian-cloud-tutorial

However, you notice the sign on process fails with the following error when you are redirected to the https://login.microsoftonline.com authentication portal:

Sorry, but we’re having trouble signing you in.

AADSTS70001: Application with identifier ‘https://auth.atlassian.com/saml/D4327……’ was not found in the directory 90f21aaa-b870….

This page then quickly redirects you to the following https://id.atlassian.com/login/callback?continue... page:

Oops, there was an error logging you in.

Hmm... we're having trouble logging you in. You'll need to talk to your Organization admin - tell them we sent you, and that there appears to be an issue with the identity provider entity ID used for your SAML single sign-on configuration.

Solution

This error is usually caused by an incorrectly entered Identity provider Entity ID URL in the SAML configuration on the Atlassian portal. Azure AD looks the identifier up as an exact string, so even a single missing character is enough for the lookup to fail. In this example, the URL was missing the trailing / and adding it fixed the issue:

Friday, April 6, 2018

Problems after upgrading VMware Horizon View to 7.4.0

Referring to the following blog post I wrote a couple of months back:

VMware Horizon View 7.4.0 virtual desktops does not automatically power on after upgrade
http://terenceluk.blogspot.com/2018/02/vmware-horizon-view-740-virtual.html

… the environment I had upgraded to VMware Horizon View 7.4.0 continued to have problems with the desktop power-on policies, which required chronic weekly reboots to resolve, so I ended up opening a ticket with VMware to have them review the issue. The case was eventually escalated to the engineering team and the following was the response I received:

We would like to inform you that our Product Development Team reviewed the logs and figured out that it is an issue with VcCache.

The escalated engineer told me that our options were to try a patched build that hasn’t been fully tested for production environments or to wait for the next version. Since there wasn’t an official release date for the next version, we opted to try the patched build. I’ve scheduled the upgrade for this weekend and will update this post in a week with the results.

In addition to the desktop power-on issue, the VMware engineer also mentioned that other customers have experienced refresh task and provisioning issues with 7.4.0, which this patch fixes. For reference, the following are the details of the patched build file:

VMware-viewconnectionserver-x86_64-7.4.0-14570406.exe

The following is the native 7.4.0 build:

VMware-viewconnectionserver-x86_64-7.4.0-7400497.exe

Monday, March 26, 2018

Attempting to generate a new CSR with OpenSSL fails with: “13536:error:0E06D06A:configuration file routines:NCONF_get_string:no conf or environment variable:crypto\conf\conf_lib.c:272:”

Problem

You’ve downloaded OpenSSL and have begun the process of generating a new CSR to submit to a Certificate Authority, but notice that executing the following command:

req -new -newkey rsa:2048 -nodes -keyout mykey.pem -out myreq.pem

… generates the following error:

C:\OpenSSL-Win64\bin>openssl.exe
OpenSSL> req -new -newkey rsa:2048 -nodes -keyout mykey.pem -out myreq.pem
Can't open C:\Program Files\Common Files\SSL/openssl.cnf for reading, No such file or directory
13536:error:02001003:system library:fopen:No such process:crypto\bio\bss_file.c:74:fopen('C:\Program Files\Common Files\SSL/openssl.cnf','r')
13536:error:2006D080:BIO routines:BIO_new_file:no such file:crypto\bio\bss_file.c:81:
Generating a 2048 bit RSA private key
........+++
............................................+++
writing new private key to 'mykey.pem'
-----
unable to find 'distinguished_name' in config
problems making Certificate Request
13536:error:0E06D06A:configuration file routines:NCONF_get_string:no conf or environment variable:crypto\conf\conf_lib.c:272:
error in req
OpenSSL>

Solution

One of the reasons this error is thrown is that the OPENSSL_CONF environment variable does not point to the openssl.cfg file, so OpenSSL falls back to the compiled-in path shown in the first error line, where no configuration file exists. Note that the private key is still generated and written to mykey.pem before the request fails. To set the variable, execute the following command (change the path as required):

set openssl_conf=c:\OpenSSL-Win64\bin\openssl.cfg

The CSR generation will proceed as expected once the configuration file is specified (environment variable names are case-insensitive on Windows, so openssl_conf and OPENSSL_CONF are equivalent):

C:\OpenSSL-Win64\bin>openssl.exe
OpenSSL> req -new -newkey rsa:2048 -nodes -keyout mykey.pem -out myreq.pem
Generating a 2048 bit RSA private key
...................................................+++
.....................+++
writing new private key to 'mykey.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:

Please refer to one of my older posts if you’re using OpenSSL to generate a certificate for a Cisco Wireless Controller:

Generating SSL certificate with OpenSSL for Cisco Wireless Controller
http://terenceluk.blogspot.com/2015/03/generating-ssl-certificate-with-openssl.html
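As an added example that is not part of the original post, the following PowerShell wrapper resolves a usable OpenSSL configuration before calling openssl req, so a missing config fails up front rather than after a key file has already been written, and passes the config explicitly with -config instead of relying on the environment variable. It assumes the Win64 layout from the post (openssl.exe and openssl.cfg under C:\OpenSSL-Win64\bin); the function names are my own.

```powershell
# Added example (not from the original post). Assumes the Win64 OpenSSL layout shown above.
function Resolve-OpenSslConfig {
    param([string]$OpenSslBin = 'C:\OpenSSL-Win64\bin')
    $exe = Join-Path $OpenSslBin 'openssl.exe'
    $candidates = @()
    if ($env:OPENSSL_CONF) { $candidates += $env:OPENSSL_CONF }
    $candidates += Join-Path $OpenSslBin 'openssl.cfg'
    $candidates += Join-Path $OpenSslBin 'openssl.cnf'
    # OPENSSLDIR is the compiled-in default, e.g. "C:\Program Files\Common Files\SSL" in the error above.
    try { $versionDir = [string](& $exe version -d 2>$null) } catch { $versionDir = '' }
    if ($versionDir -match '^OPENSSLDIR:\s*"(.+)"') { $candidates += Join-Path $Matches[1] 'openssl.cnf' }
    foreach ($c in $candidates) {
        if (-not (Test-Path -LiteralPath $c)) { continue }
        # req needs a distinguished_name section; without it the run fails exactly as in the post.
        if (Select-String -LiteralPath $c -Pattern '^\s*distinguished_name\s*=' -Quiet) { return $c }
    }
    throw "No usable OpenSSL config found; checked: $($candidates -join ', ')"
}

function New-CertificateRequest {
    param(
        # Subject in OpenSSL form, e.g. '/C=CA/ST=Ontario/L=Toronto/O=Contoso/CN=mail.contoso.com'
        [Parameter(Mandatory)][string]$Subject,
        [string]$KeyOut = 'mykey.pem',
        [string]$ReqOut = 'myreq.pem',
        [string]$OpenSslBin = 'C:\OpenSSL-Win64\bin'
    )
    $exe = Join-Path $OpenSslBin 'openssl.exe'
    $cfg = Resolve-OpenSslConfig -OpenSslBin $OpenSslBin
    # -config makes the choice explicit for this command; -subj avoids the interactive DN prompts.
    & $exe req -new -newkey rsa:2048 -nodes -config $cfg -subj $Subject -keyout $KeyOut -out $ReqOut
    if ($LASTEXITCODE -ne 0) { throw "openssl req failed with exit code $LASTEXITCODE" }
    # Print the subject back so the DN can be checked before the request is sent to the CA.
    & $exe req -in $ReqOut -noout -subject
}

New-CertificateRequest -Subject '/C=CA/ST=Ontario/L=Toronto/O=Contoso/CN=mail.contoso.com'
```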

Friday, March 16, 2018

Configuring Azure Active Directory integration with Atlassian Cloud using SAML

I recently had to configure Azure Active Directory integration with Atlassian Cloud using SAML and was a bit lost as I went through the instructions from the Microsoft Azure documentation:

Tutorial: Azure Active Directory integration with Atlassian Cloud

https://docs.microsoft.com/en-us/azure/active-directory/active-directory-saas-atlassian-cloud-tutorial

Microsoft typically writes great documentation, but judging by the slightly different screenshots between what I see on the Atlassian portal and the documentation, the instructions are most likely a bit out of date.

Not really sure how to proceed, I reached out to Atlassian support and quickly received the following reply indicating what I really should be doing:

  1. Start at step #11 to setup the organization in the Atlassian site
  2. Stop at step #19
  3. Log into the Azure portal to setup the Atlassian cloud application via step #1 under Add Atlassian Cloud from the gallery
  4. Navigate into the Single sign-on section of the Atlassian Cloud application
  5. Navigate down the window to the Configure Atlassian Cloud section and click on it as shown in step #9 under Configure Azure AD single sign-on
  6. Obtain the Azure AD SAML Entity ID
  7. Obtain the Azure AD Single Sign-On Service URL
  8. Download the Metadata Certificate (Base64 encoded)
  9. Then navigate to the SAML single sign-on in the Atlassian administration portal and click on Add SAML configuration
  10. Fill in the fields as directed in step #19 then save the configuration
  11. Copy the SP Entity ID and SP Assertion Consumer Service URL from portal
  12. Then navigate back to the Azure Active Directory admin center console and continue step #20 then to step #1 through #7 under Configure Azure AD single sign-on
  13. Once the configuration has been saved, use the Test SAML Settings button to test launching the dashboard and ensure authentication works

The above can get confusing quite fast so here are the steps along with the screenshots:

1. Start at step #11 to setup the organization in the Atlassian site
2. Stop at step #19 which will bring you to this screen allowing you to launch the Add SAML configuration:

3. Log into the Azure portal to setup the Atlassian Cloud application via step #1 under Add Atlassian Cloud from the gallery

4. Navigate into the Single sign-on section of the Atlassian Cloud application

5. Navigate down the window to the Configure Atlassian Cloud section and click on it as shown in step #9 under Configure Azure AD single sign-on

6. Obtain the Azure AD SAML Entity ID
7. Obtain the Azure AD Single Sign-On Service URL
8. Download the Metadata Certificate (Base64 encoded)

9. Then navigate to the SAML single sign-on in the Atlassian administration portal and click on Add SAML configuration:

10. Fill in the fields as directed in step #19 then save the configuration:

11. Copy the SP Entity ID and SP Assertion Consumer Service URL from portal:

12. Then navigate back to the Azure Active Directory admin center console and continue step #20 then to step #1 through #7 under Configure Azure AD single sign-on:

13. Once the configuration has been saved, use the Test SAML Settings button to test launching the dashboard and ensure authentication works:

Hope this helps anyone who may be a bit confused with the instructions provided by Microsoft.
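Both the AADSTS70001 post above and the configuration steps here come down to the values typed into the Atlassian SAML configuration matching the Azure AD federation metadata exactly. As an added example that is not part of the original posts, the PowerShell below reads the entity ID, SSO URL and signing certificate fingerprint out of a federation metadata document and compares them with the values entered on the Atlassian side, calling out the trailing-slash case specifically. The metadata is a constructed, trimmed sample with a placeholder tenant ID and placeholder certificate bytes; the function names are my own.

```powershell
# Added example (not from the original posts). Constructed sample metadata with a placeholder
# tenant id (all zeros) and placeholder certificate bytes; not a real tenant.
$metadataXml = @'
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
        <X509Data><X509Certificate>UExBQ0VIT0xERVItQ0VSVC1CWVRFUw==</X509Certificate></X509Data>
      </KeyInfo>
    </KeyDescriptor>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>
'@

function Get-SamlIdpFromMetadata {
    param([Parameter(Mandatory)][string]$Xml)
    $doc = [xml]$Xml
    $idp = $doc.EntityDescriptor.IDPSSODescriptor
    $sso = @($idp.SingleSignOnService) | Where-Object { $_.Binding -like '*HTTP-Redirect' } | Select-Object -First 1
    $signing = @($idp.KeyDescriptor) | Where-Object { $_.use -eq 'signing' } | Select-Object -First 1
    $certB64 = [string]$signing.KeyInfo.X509Data.X509Certificate
    # SHA-1 over the DER bytes is the thumbprint the Azure portal shows for a real certificate.
    $der = [Convert]::FromBase64String(($certB64 -replace '\s', ''))
    $sha1 = [System.BitConverter]::ToString([System.Security.Cryptography.SHA1]::Create().ComputeHash($der)) -replace '-', ''
    [pscustomobject]@{
        EntityId = [string]$doc.EntityDescriptor.entityID
        SsoUrl   = [string]$sso.Location
        CertSha1 = $sha1
    }
}

function Test-SamlIdpConfig {
    param([Parameter(Mandatory)][hashtable]$SpConfig, [Parameter(Mandatory)]$Idp)
    $findings = @()
    foreach ($pair in @(@('IdpEntityId', $Idp.EntityId), @('IdpSsoUrl', $Idp.SsoUrl))) {
        $field, $expected = $pair
        $actual = [string]$SpConfig[$field]
        if ($actual -ceq $expected) { continue }
        if ($actual.TrimEnd('/') -ceq $expected.TrimEnd('/')) {
            # Azure AD matches the identifier as an exact string, so this alone produces AADSTS70001.
            $findings += "${field}: trailing-slash mismatch (configured '$actual', metadata '$expected')"
        } elseif ($actual.Trim() -eq $expected) {
            $findings += "${field}: differs from metadata only in case or surrounding whitespace"
        } else {
            $findings += "${field}: does not match metadata (configured '$actual', metadata '$expected')"
        }
    }
    if (([string]$SpConfig['IdpCertSha1']) -ne $Idp.CertSha1) {
        $findings += 'IdpCertSha1: signing certificate fingerprint does not match metadata'
    }
    return ,$findings
}

$idp = Get-SamlIdpFromMetadata -Xml $metadataXml
# Values as typed on the Atlassian side; the entity ID is missing its trailing slash,
# which is the misconfiguration behind the AADSTS70001 error.
$spConfig = @{
    IdpEntityId = 'https://sts.windows.net/00000000-0000-0000-0000-000000000000'
    IdpSsoUrl   = 'https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2'
    IdpCertSha1 = $idp.CertSha1
}
# An empty result means all three values agree with the metadata.
Test-SamlIdpConfig -SpConfig $spConfig -Idp $idp
```

With a real tenant, replace $metadataXml with the content of the federation metadata document downloaded from the Azure portal and the three hashtable values with what was saved in the Atlassian SAML configuration.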

Wednesday, March 14, 2018

Monitoring Exchange 2013 and 2016 message queues with PowerShell

I’ve been asked several times in the past by colleagues how they would go about monitoring Exchange message queues so that they are notified when a threshold is exceeded. While I usually recommend looking for this feature in their existing monitoring solution, an alternative and free method is to use a PowerShell script in conjunction with the Task Scheduler.

What I’ve used in the past is to modify a script found here at the Microsoft Office TechCenter:

Powershell - Check Exchange 2010 Queue and mail alert on queue threshold
https://gallery.technet.microsoft.com/office/e0bb250e-e699-4c6c-a5be-f1af245a2219

As this script was written for Exchange 2010, the line:

Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010 

… needs to be changed to:

Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn;

The script would look as such for Exchange 2013 or 2016 (the variables you’ll need or may want to change are the Exchange server URI, the output file path, the SMTP server, and the sender and recipient addresses):

# Replace yourExchangeServer with the FQDN of an Exchange server
$s = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://yourExchangeServer/PowerShell/ -Authentication Kerberos
Import-PSSession $s
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn;
. "$env:ExchangeInstallPath\bin\RemoteExchange.ps1"
Connect-ExchangeServer -auto
# Queue report written here and attached to the alert email
$filename = "c:\Scripts\ExchangeQueues.txt"
Start-Sleep -s 10
# Alert if any queue on a transport server holds more than 30 messages
if (Get-ExchangeServer | Where { $_.isHubTransportServer -eq $true } | get-queue | Where-Object { $_.MessageCount -gt 30 })
{
Get-ExchangeServer | Where { $_.isHubTransportServer -eq $true } | get-queue | Where-Object { $_.MessageCount -gt 30 } | Format-Table -Wrap -AutoSize | out-file -filepath $filename
Start-Sleep -s 10
# SMTP server used to send the alert
$smtpServer = "yourSMTPserver"
$msg = new-object Net.Mail.MailMessage
$att = new-object Net.Mail.Attachment($filename)
$smtp = new-object Net.Mail.SmtpClient($smtpServer)
$msg.From = "Monitor@contoso.com"
$msg.To.Add("admin1@mycompany.com")
#$msg.To.Add("admin2@mycompany.com")
#$msg.To.Add("admin3@mycompany.com")
#$msg.To.Add("admin4@mycompany.com")
$msg.Subject = "Exchange queue threshold of 30 reached."
$msg.Body = "Please see attached queue log file for queue information"
$msg.Attachments.Add($att)
$smtp.Send($msg)
}

Note that the cmdlet used to check the queues can be modified to omit queues such as Shadow Redundancy by adjusting:

if (Get-ExchangeServer | Where { $_.isHubTransportServer -eq $true } | get-queue | Where-Object { $_.MessageCount -gt 30 })

… into this:

if (Get-ExchangeServer | Where { $_.isHubTransportServer -eq $true } | get-queue | Where-Object { $_.MessageCount -gt 30 -and $_.DeliveryType -notlike "ShadowRedundancy"})

Adding the -notlike condition excludes the Shadow Redundancy queues when evaluating whether the threshold has been exceeded (with no wildcard in the pattern, -notlike behaves like a case-insensitive -ne).

Once the script has been tested and verified to be in working order, you can then schedule it as a task to run every, say, 15 minutes as such:

Program/script: powershell.exe

Add arguments (optional): -command "& 'C:\Scripts\CheckExchangeQueues.ps1'"

Sunday, March 11, 2018

Monitoring Microsoft Exchange Server 2010, 2013 and 2016 services with PowerShell script and task scheduler

Most enterprise environments have monitoring solutions that ensure Microsoft Exchange Server services are running and, if they are not, restart the service and send an email notification to administrators. However, I have constantly come across smaller businesses that may not be able to afford such applications and have therefore implemented scripts run as Task Scheduler tasks to provide some form of service monitoring. The Exchange Health Check Report by Paul Cunningham (https://practical365.com/exchange-server/powershell-script-exchange-server-health-check-report/) is great for daily reports but is not practical for constant monitoring, so what I’ve typically used is the service_check.ps1 script written by Kevin Olson:

Check for hung or stopped services
https://gallery.technet.microsoft.com/scriptcenter/Check-for-hung-or-stopped-67bc718d

The small adjustment I’ve made to the script is to move the Send-MailMessage cmdlet so that it executes after Start-Service, because if you do not have another SMTP relay set up and need to rely on the Exchange server this script is monitoring, the email will not be sent if the hung or stopped service is the transport service. The following are the scripts, with the Exchange services for each version added to the script:

Microsoft Exchange 2010

#NAME: service_check.ps1
#AUTHOR: Kevin Olson
#DATE: 4/29/2011

#Machine to be monitored
$Computer = "brcl-exchange"

#Create an array of all services running
$GetService = get-service -ComputerName $Computer

#Create a subset of the previous array for services you want to monitor
$ServiceArray = "MSExchangeADTopology","MSExchangeAB","MSExchangeAntispamUpdate","MSExchangeEdgeSync","MSExchangeFDS","MSExchangeIS","MSExchangeMailSubmission","MSExchangeMailboxAssistants","MSExchangeMailboxReplication","MSExchangeProtectedServiceHost","MSExchangeRepl","MSExchangeRPC","MSExchangeSearch","MSExchangeServiceHost","MSExchangeSA","MSExchangeThrottling","MSExchangeTransport","MSExchangeTransportLogSearch","MSExchangeFBA","W3SVC";

#Find any monitored service that is hung or stopped
foreach ($Service in $GetService)
{
    foreach ($srv in $ServiceArray)
    {
        if ($Service.name -eq $srv)
        {
            #check if a service is hung
            if ($Service.status -eq "StopPending")
            {
            #gwmi and Stop-Process act on the local machine, so run this script on the monitored server itself
            $servicePID = (gwmi win32_Service | where { $_.Name -eq $srv}).ProcessID
            Stop-Process $ServicePID
            Start-Service -InputObject (get-Service -ComputerName $Computer -Name $srv)
            #email to notify if a service is down
            Send-Mailmessage -to administrator@someDomain.com -Subject "$srv is hung on $Computer" -from exchange@contoso.com -Body "The $srv service was found hung." -SmtpServer localhost
            }
            # check if a service is stopped
            elseif ($Service.status -eq "Stopped")
            {
            #automatically restart the service.
            Start-Service -InputObject (get-Service -ComputerName $Computer -Name $srv)
            #email to notify if a service is down
            Send-Mailmessage -to administrator@someDomain.com -Subject "$srv is stopped on $Computer" -from exchange@contoso.com -Body "The $srv service was found stopped." -SmtpServer localhost
            }
        }
    }
}

The services I included in the script are all of the ones listed as Automatic as well as Automatic (Delayed Start):

Microsoft Exchange 2013

#NAME: service_check.ps1 
#AUTHOR: Kevin Olson
#DATE: 4/29/2011
 
#Machine to be monitored
$Computer = "bm1-azim-40-001"
 
#Create an array of all services running
$GetService = get-service -ComputerName $Computer
 
#Create a subset of the previous array for services you want to monitor
$ServiceArray = "HostControllerService","MSExchangeADTopology","MSExchangeAntispamUpdate","MSExchangeDagMgmt","MSExchangeDelivery","MSExchangeDiagnostics","MSExchangeEdgeSync","MSExchangeFastSearch","MSExchangeFrontEndTransport","MSExchangeHM","MSExchangeIS","MSExchangeMailboxAssistants","MSExchangeMailboxReplication","MSExchangeRepl","MSExchangeRPC","MSExchangeServiceHost","MSExchangeSubmission","MSExchangeThrottling","MSExchangeTransport","MSExchangeTransportLogSearch","MSExchangeUM","MSExchangeUMCR","W3SVC";
 
#Find any monitored service that is hung or stopped
foreach ($Service in $GetService)
{
     foreach ($srv in $ServiceArray)
     {
         if ($Service.name -eq $srv)
         {
             #check if a service is hung
             if ($Service.status -eq "StopPending")
             {
             $servicePID = (gwmi win32_Service | where { $_.Name -eq $srv}).ProcessID
             Stop-Process $ServicePID
             Start-Service -InputObject (get-Service -ComputerName $Computer -Name $srv)
             #email to notify if a service is down
             Send-Mailmessage -to administrator@someDomain.com -Subject "$srv is hung on $Computer" -from exchange@contoso.com -Body "The $srv service was found hung." -SmtpServer localhost
             }
             # check if a service is stopped
             elseif ($Service.status -eq "Stopped")
             {
             #automatically restart the service.
             Start-Service -InputObject (get-Service -ComputerName $Computer -Name $srv)
             #email to notify if a service is down
             Send-Mailmessage -to administrator@someDomain.com -Subject "$srv is stopped on $Computer" -from exchange@contoso.com -Body "The $srv service was found stopped." -SmtpServer localhost
             }
         }
     }
}

The services I included in the script are all of the ones listed as Automatic as well as Automatic (Delayed Start):

The World Wide Web Publishing Service (W3SVC) is also included.

Microsoft Exchange 2016

#NAME: service_check.ps1 
#AUTHOR: Kevin Olson
#DATE: 4/29/2011
 
#Machine to be monitored
$Computer = "prpmbx16-02"
 
#Create an array of all services running
$GetService = get-service -ComputerName $Computer
 
#Create a subset of the previous array for services you want to monitor
$ServiceArray = "HostControllerService","MSComplianceAudit","MSExchangeADTopology","MSExchangeAntispamUpdate","MSExchangeCompliance","MSExchangeDagMgmt","MSExchangeDelivery","MSExchangeDiagnostics","MSExchangeEdgeSync","MSExchangeFastSearch","MSExchangeFrontEndTransport","MSExchangeHM","MSExchangeHMRecovery","MSExchangeIS","MSExchangeMailboxAssistants","MSExchangeMailboxReplication","MSExchangeRepl","MSExchangeRPC","MSExchangeServiceHost","MSExchangeSubmission","MSExchangeThrottling","MSExchangeTransport","MSExchangeTransportLogSearch","MSExchangeUM","MSExchangeUMCR","W3SVC";
 
#Find any monitored service that is hung or stopped
foreach ($Service in $GetService)
{
     foreach ($srv in $ServiceArray)
     {
         if ($Service.name -eq $srv)
         {
             #check if a service is hung
             if ($Service.status -eq "StopPending")
             {
             $servicePID = (gwmi win32_Service | where { $_.Name -eq $srv}).ProcessID
             Stop-Process $ServicePID
             Start-Service -InputObject (get-Service -ComputerName $Computer -Name $srv)
             #email to notify if a service is down
             Send-Mailmessage -to administrator@someDomain.com -Subject "$srv is hung on $Computer" -from exchange@contoso.com -Body "The $srv service was found hung." -SmtpServer localhost
             }
             # check if a service is stopped
             elseif ($Service.status -eq "Stopped")
             {
             #automatically restart the service.
             Start-Service -InputObject (get-Service -ComputerName $Computer -Name $srv)
             #email to notify if a service is down
             Send-Mailmessage -to administrator@someDomain.com -Subject "$srv is stopped on $Computer" -from exchange@contoso.com -Body "The $srv service was found stopped." -SmtpServer localhost
             }
         }
     }
}

The services I included in the script are all of the ones listed as Automatic (Microsoft Exchange Notifications Broker is excluded) as well as Automatic (Delayed Start):

The World Wide Web Publishing Service (W3SVC) is also included.

Task Scheduler Configuration

One of the methods to execute the script repeatedly on the server is to create a task in the Task Scheduler as such:

Create a trigger and set Repeat task every to however frequently you like:

Then create an action with powershell.exe as the Program/script and the following as the Add arguments (optional) field:

-command "& 'C:\Scripts\service_check.ps1'"

Extra Setup Information

This script can be used for other services as well, and an easy way of obtaining the service names to monitor is to use a cmdlet such as the one below to list all the services whose display name contains, say, Microsoft Exchange:

Get-Service | Where {$_.DisplayName -like "Microsoft Exchange*"} | format-table -autosize

Status  Name                          DisplayName
------  ----                          -----------
Running HostControllerService         Microsoft Exchange Search Host Controller
Running MSComplianceAudit             Microsoft Exchange Compliance Audit
Running MSExchangeADTopology          Microsoft Exchange Active Directory Topology
Running MSExchangeAntispamUpdate      Microsoft Exchange Anti-spam Update
Running MSExchangeCompliance          Microsoft Exchange Compliance Service
Running MSExchangeDagMgmt             Microsoft Exchange DAG Management
Running MSExchangeDelivery            Microsoft Exchange Mailbox Transport Delivery
Running MSExchangeDiagnostics         Microsoft Exchange Diagnostics
Running MSExchangeEdgeSync            Microsoft Exchange EdgeSync
Running MSExchangeFastSearch          Microsoft Exchange Search
Running MSExchangeFrontEndTransport   Microsoft Exchange Frontend Transport
Running MSExchangeHM                  Microsoft Exchange Health Manager
Running MSExchangeHMRecovery          Microsoft Exchange Health Manager Recovery
Stopped MSExchangeImap4               Microsoft Exchange IMAP4
Stopped MSExchangeIMAP4BE             Microsoft Exchange IMAP4 Backend
Running MSExchangeIS                  Microsoft Exchange Information Store
Running MSExchangeMailboxAssistants   Microsoft Exchange Mailbox Assistants
Running MSExchangeMailboxReplication  Microsoft Exchange Mailbox Replication
Stopped MSExchangeNotificationsBroker Microsoft Exchange Notifications Broker
Stopped MSExchangePop3                Microsoft Exchange POP3
Stopped MSExchangePOP3BE              Microsoft Exchange POP3 Backend
Running MSExchangeRepl                Microsoft Exchange Replication
Running MSExchangeRPC                 Microsoft Exchange RPC Client Access
Running MSExchangeServiceHost         Microsoft Exchange Service Host
Running MSExchangeSubmission          Microsoft Exchange Mailbox Transport Submission
Running MSExchangeThrottling          Microsoft Exchange Throttling
Running MSExchangeTransport           Microsoft Exchange Transport
Running MSExchangeTransportLogSearch  Microsoft Exchange Transport Log Search
Running MSExchangeUM                  Microsoft Exchange Unified Messaging
Running MSExchangeUMCR                Microsoft Exchange Unified Messaging Call Router
Stopped wsbexchange                   Microsoft Exchange Server Extension for Windows Server Backup

Copy the output to a text file and extract the service names as such:

HostControllerService
MSComplianceAudit
MSExchangeADTopology
MSExchangeAntispamUpdate
MSExchangeCompliance
MSExchangeDagMgmt
MSExchangeDelivery
MSExchangeDiagnostics
MSExchangeEdgeSync
MSExchangeFastSearch
MSExchangeFrontEndTransport
MSExchangeHM
MSExchangeHMRecovery
MSExchangeIS
MSExchangeMailboxAssistants
MSExchangeMailboxReplication
MSExchangeRepl
MSExchangeRPC
MSExchangeServiceHost
MSExchangeSubmission
MSExchangeThrottling
MSExchangeTransport
MSExchangeTransportLogSearch
MSExchangeUM
MSExchangeUMCR

Saturday, March 10, 2018

Logging into Windows displays the system tray message: “You’ve been signed in with a temporary profile.”

One of my biggest pet peeves when asking fellow colleagues to delete a user’s profile on a desktop or server is when they do so by launching Windows Explorer, navigating to the C:\Users folder and deleting the folder, because that almost always causes the following message to be displayed for the deleted user:

You've been signed in with a temporary profile.

You can’t access your files, and files created in this profile will be deleted when you sign out. To fix this, sign out and try signing in later. Please see the event log for details or contact your system administrator.

This also happens to be one of the causes of profiles not working with VMware Horizon View virtual desktop profile disks, because the deleted profile isn’t cleanly removed from the Windows OS and thus a new profile cannot be created properly.

To delete a user’s profile correctly, navigate to the User Profiles menu by clicking on Advanced system settings within the System window:

Then click the Settings… button under the User Profiles section of System Properties:

Remove the profile by selecting it from the list and clicking on the Delete button:

To correct the issue when a profile was deleted incorrectly, causing the message shown above to be displayed every time the user logs in, launch the Registry Editor on the server and navigate to:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

Then locate the key that represents the deleted user by finding the one whose ProfileImagePath value points at the deleted profile directory:

… and delete it.
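As an added example that is not part of the original post, the PowerShell below automates the registry check described above: it walks the ProfileList key, reports every entry whose ProfileImagePath folder no longer exists on disk (what an Explorer-deleted C:\Users\<name> leaves behind), and removes the selected entries with -WhatIf and -Confirm support. It goes one step beyond the post by also flagging keys Windows has renamed to <SID>.bak, which is what it does when it falls back to a temporary profile. The function names are my own.

```powershell
# Added example (not from the original post). Function names are my own.
function Get-OrphanedProfileEntry {
    [CmdletBinding()]
    param([string]$ProfileListPath = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList')
    foreach ($key in Get-ChildItem -Path $ProfileListPath) {
        $sid = $key.PSChildName
        # S-1-5-18/19/20 are the built-in SYSTEM, LOCAL SERVICE and NETWORK SERVICE entries; leave them alone.
        if ($sid -match '^S-1-5-(18|19|20)$') { continue }
        $props = Get-ItemProperty -LiteralPath $key.PSPath -Name ProfileImagePath -ErrorAction SilentlyContinue
        $imagePath = [System.Environment]::ExpandEnvironmentVariables([string]$props.ProfileImagePath)
        $entry = [pscustomobject]@{
            Sid          = $sid
            ProfilePath  = $imagePath
            FolderExists = ($imagePath -ne '' -and (Test-Path -LiteralPath $imagePath -PathType Container))
            IsBakKey     = $sid -like '*.bak'
            KeyPath      = $key.PSPath
        }
        # Only entries that need attention are returned: folder gone, or key already renamed to .bak
        if (-not $entry.FolderExists -or $entry.IsBakKey) { $entry }
    }
}

function Remove-OrphanedProfileEntry {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param([Parameter(Mandatory, ValueFromPipeline)]$Entry)
    process {
        if ($PSCmdlet.ShouldProcess($Entry.KeyPath, "Remove profile registry key for $($Entry.Sid)")) {
            Remove-Item -LiteralPath $Entry.KeyPath -Recurse
        }
    }
}

# Review the list first; drop -WhatIf to act, at which point ConfirmImpact = 'High' prompts per key.
Get-OrphanedProfileEntry | Format-Table Sid, ProfilePath, FolderExists, IsBakKey -AutoSize
Get-OrphanedProfileEntry | Remove-OrphanedProfileEntry -WhatIf
```

Run it from an elevated PowerShell session on the affected machine; the user should be signed out before the key for their SID is removed, and Windows will build a fresh profile at the next logon.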