Posts

Showing posts from 2015

Citrix Access Gateway Certificate Format

I got a call a few days ago to renew the certificate on a Citrix Access Gateway appliance.

The appliance was very - and I mean very - old so I had my hands full...

After I found out that the proper software for management was installed on the Web Interface servers, I requested the certificate in PFX format in order to get the private key too and scheduled the change for after hours since it requires a restart of the devices.

When I tried to install the certificate, the appliances refused to accept it. Then I recalled an article I had read a long time ago, in which the author mentioned that the certificate has to be in PEM format, not PFX.

After a Google search, I found an article on the Citrix Knowledge Center that describes how to convert a PFX file to PEM for that purpose.

All you have to do is download the OpenSSL binaries and run the following command to convert the file:
openssl pkcs12 -in c:\certs\yourcert.pfx -out c:\certs\cag.pem -nodes
Note that the option is -nodes with an ordinary hyphen (a dash pasted from a web page will make OpenSSL reject it), and that -nodes writes the private key into the PEM unencrypted, which is what the appliance expects; treat the resulting file as a secret.

You shou…
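The conversion as a PowerShell wrapper around openssl.exe, added here as an example and not part of the original post or of Citrix's documentation. It performs the same pkcs12 -nodes conversion, then does two checks the command alone does not: that the PEM really contains both a certificate and a private key, and that the key belongs to the certificate (by comparing the public key extracted from each). Because -nodes leaves the key unencrypted, it finishes by restricting the file's ACL. It assumes openssl.exe is on the PATH; the file paths are placeholders.

```powershell
# Added example (not from the original post): PFX -> PEM with key/cert match
# check and ACL lock-down. Assumes openssl.exe is on the PATH; paths are placeholders.
param(
    [string]$PfxPath = 'C:\certs\yourcert.pfx',
    [string]$PemPath = 'C:\certs\cag.pem'
)

$pfxPassword = Read-Host -Prompt 'PFX import password' -AsSecureString
$bstr  = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($pfxPassword)
$plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# -nodes writes the private key unencrypted; that is what the appliance wants,
# but from here on the PEM must be handled like a secret.
& openssl pkcs12 -in $PfxPath -out $PemPath -nodes -passin "pass:$plain"
if ($LASTEXITCODE -ne 0) { throw "openssl pkcs12 failed with exit code $LASTEXITCODE" }

# The PEM must contain both a certificate and a private key block.
$pem = Get-Content -Path $PemPath -Raw
if ($pem -notmatch '-----BEGIN CERTIFICATE-----')            { throw 'No certificate in PEM output' }
if ($pem -notmatch '-----BEGIN (RSA |EC )?PRIVATE KEY-----') { throw 'No private key in PEM output' }

# Check that the key belongs to the certificate: extract the public key from
# each (openssl skips PEM blocks it is not asked for) and compare them.
$certPub = (& openssl x509 -in $PemPath -noout -pubkey) -join "`n"
$keyPub  = (& openssl pkey -in $PemPath -pubout) -join "`n"
if ($certPub -ne $keyPub) { throw 'Private key in the PEM does not match the certificate' }

# Restrict the unencrypted key file to Administrators and SYSTEM only.
$acl = Get-Acl -Path $PemPath
$acl.SetAccessRuleProtection($true, $false)   # stop inheriting ACEs from the folder
foreach ($id in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $PemPath -AclObject $acl
"Wrote $PemPath (certificate + unencrypted private key, ACL restricted)"
```

Once the PEM has been uploaded to the appliance, delete it (and the PFX) from the management server rather than leaving an unencrypted private key lying around.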

Citrix Command Center Cipher Suites

I recently installed and configured Citrix Command Center at a client's site to monitor and configure their NetScaler appliances.

When I opened the management page with Chrome, I got a message that the server was using a weak DH public key.

Since the guys didn't seem to be very helpful with issuing a certificate from their CA, I decided to disable the Diffie-Hellman cipher suites used by Command Center as a workaround.

To do that, you have to edit some of the Apache Tomcat configuration files.

The first step is to stop the Command Center service. Then make a backup copy of the following files:
1. CommandCenterInstallDirectory\apache\tomcat\conf\backup\server.xml
2. CommandCenterInstallDirectory\conf\transportProvider.conf

Search the server.xml file for "ciphers" to get to the part where the cipher suites are defined and then remove all the DH ciphers.
Set the same ciphers on the <CipherSuites></CipherSuites> part of the transportProvider.conf file.
Start the Command Center servi…
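The filtering step as a PowerShell function, added here as an example and not Citrix's own tooling. It backs up server.xml, removes only the finite-field Diffie-Hellman suites (Java names them TLS_DH_* / TLS_DHE_* and SSL_DH_* / SSL_DHE_*) from every Connector's ciphers attribute, and keeps the ECDHE suites, so forward secrecy is not lost along with the warning. The sample server.xml it runs over is constructed; the real Command Center file may lay the attribute out differently, and the same resulting list still has to be pasted into the CipherSuites element of transportProvider.conf by hand. Two caveats: Chrome's message is about the server's DH parameters being too small, so dropping DHE is a workaround, and where the JVM allows it the better fix is to raise the DH key size (jdk.tls.ephemeralDHKeySize on Java 8); and a filter that leaves a connector with no suites at all takes the service down, which the function refuses to do.

```powershell
# Added example (not Citrix's code): strip finite-field DH suites from a Tomcat
# <Connector ciphers="..."> attribute while keeping ECDHE. Sample XML is constructed.
function Remove-DhCipherSuites {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$Backup = "$Path.bak"
    )
    Copy-Item -Path $Path -Destination $Backup -Force

    [xml]$xml = Get-Content -Path $Path -Raw
    $connectors = $xml.SelectNodes('//Connector[@ciphers]')
    if ($connectors.Count -eq 0) { throw "No Connector with a ciphers attribute in $Path" }

    $removed = @()
    foreach ($c in $connectors) {
        $suites = @($c.GetAttribute('ciphers') -split '\s*,\s*' | Where-Object { $_ })
        # TLS_DH_*, TLS_DHE_*, SSL_DH_*, SSL_DHE_* are finite-field DH;
        # TLS_ECDHE_* does not match the pattern and is kept.
        $keep = @($suites | Where-Object { $_ -notmatch '^(TLS|SSL)_DHE?_' })
        $removed += @($suites | Where-Object { $_ -match '^(TLS|SSL)_DHE?_' })
        if ($keep.Count -eq 0) { throw "Filter would leave a connector in $Path with no cipher suites" }
        $c.SetAttribute('ciphers', ($keep -join ','))
    }
    $xml.Save($Path)
    return $removed
}

# Constructed sample server.xml written to a temp file for the demonstration
$sample = @'
<Server>
  <Service name="Catalina">
    <Connector port="8443" scheme="https" secure="true" SSLEnabled="true"
      ciphers="TLS_DHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_DH_anon_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA" />
  </Service>
</Server>
'@
$tmp = Join-Path $env:TEMP 'server.xml'
Set-Content -Path $tmp -Value $sample

$gone = Remove-DhCipherSuites -Path $tmp
"Removed: $($gone -join ', ')"
"Remaining: " + ([xml](Get-Content -Path $tmp -Raw)).SelectSingleNode('//Connector').ciphers
```

Run it against the real file only with the Command Center service stopped, as the post says, and keep the .bak it writes until the service has been confirmed to start and negotiate TLS again.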

Creating a SelfSigned Certificate using Powershell

Most of the time I get my certificates from an Active Directory CA but there are times when I want a temporary certificate to test something, like in a lab for example.

With the following commands you can create and export a self-signed certificate:

To create the certificate at the Personal store of Local Machine use:
New-SelfSignedCertificate -DnsName server.lab.local -CertStoreLocation Cert:\localmachine\my
In most cases, like IIS, you should be ready to assign the certificate to your application server by now. In case you want to export the certificate in PFX format (which includes the private key), use the following cmdlets:

First, you'll need the thumbprint of the certificate from the above command, so save the output to a variable: $Certificate = New-SelfSignedCertificate -DnsName server.lab.local -CertStoreLocation Cert:\localmachine\my
Please note that if you have already created the certificate using the first cmdlet, the second one will create a new certificate. If this is…
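The whole procedure as one script, added here as an example and not part of the original post. It calls New-SelfSignedCertificate exactly once and keeps the returned object (so no second certificate is minted), exports a password-protected PFX with the private key, exports a public-only .cer for test clients, and then re-opens the PFX to confirm it still carries the private key with the expected thumbprint. The host name and output folder are placeholders.

```powershell
# Added example (not from the original post): create, export and verify a lab
# self-signed certificate. DnsName and OutDir are placeholders.
param(
    [string]$DnsName = 'server.lab.local',
    [string]$OutDir  = 'C:\certs'
)
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# One call only: every New-SelfSignedCertificate run mints a new certificate,
# so capture the returned object instead of calling the cmdlet again later.
$cert = New-SelfSignedCertificate -DnsName $DnsName -CertStoreLocation 'Cert:\LocalMachine\My'
"Created $($cert.Subject), thumbprint $($cert.Thumbprint), expires $($cert.NotAfter)"

# The PFX contains the private key; protect it with a password that is
# prompted for, not hard-coded in the script.
$pfxPassword = Read-Host -Prompt 'PFX export password' -AsSecureString
$pfxPath = Join-Path $OutDir "$DnsName.pfx"
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null

# The .cer holds only the public certificate and is safe to hand out, for
# example to import into a test client's Trusted Root store.
$cerPath = Join-Path $OutDir "$DnsName.cer"
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null

# Verify the PFX round-trips: same thumbprint, private key present.
$check = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($pfxPath, $pfxPassword)
if ($check.Thumbprint -ne $cert.Thumbprint) { throw 'Exported PFX does not match the created certificate' }
if (-not $check.HasPrivateKey) { throw 'Exported PFX does not contain the private key' }
"Exported $pfxPath (with key) and $cerPath (public only)"

# Lab clean-up when the test is over: remove the certificate from the store
# so the unprotected key does not stay on the machine.
# Remove-Item -Path "Cert:\LocalMachine\My\$($cert.Thumbprint)"
```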

Powershell Trapping Get-WMIObject

There are many times when I have to connect to remote servers and get information using WMI but not all of the servers in my list are available all the time...

Even though the error from the Get-WMIObject cmdlet is non-terminating, I want to handle it.

So I use the following code to do it:

# Declare the variable to hold the result ($server must already hold the target name)
$servicename = $null

# Call the Get-WMIObject cmdlet. -ErrorAction Stop turns its non-terminating
# error into a terminating one, otherwise the catch block never runs.
try
{
    $servicename = Get-WmiObject -Class Win32_Service -ComputerName $server -ErrorAction Stop
}
catch
{
    # If an exception is thrown, set the variable to null
    $servicename = $null
}

# Check the value of the variable ($null on the left avoids the array comparison pitfall)
if ($null -ne $servicename)
{
    # Continue processing
}
else
{
    # Exception was thrown
}

I've added the "-ErrorAction Stop" in order to handle the non terminating error.
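The same pattern applied to a whole server list, added here as an example and not the original snippet. Instead of a single variable it returns one record per server, so unreachable hosts show up in the output with their error text ("The RPC server is unavailable" and "Access is denied" need different follow-up) rather than being silently skipped. The server and service names are placeholders.

```powershell
# Added example (not from the original post): try/catch with -ErrorAction Stop
# over a list of servers, one result object per server. Names are placeholders.
function Get-RemoteServiceState {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [string]$ServiceName = 'W32Time'
    )
    foreach ($server in $ComputerName) {
        try {
            # Without -ErrorAction Stop an RPC or access failure is a
            # non-terminating error and the catch block never runs.
            $svc = Get-WmiObject -Class Win32_Service -ComputerName $server `
                -Filter "Name='$ServiceName'" -ErrorAction Stop
            $state = if ($svc) { $svc.State } else { 'NotInstalled' }
            [pscustomobject]@{ Server = $server; Reached = $true;  State = $state; Error = $null }
        }
        catch {
            # Keep the exception text so the failure reason is visible later.
            [pscustomobject]@{ Server = $server; Reached = $false; State = $null;  Error = $_.Exception.Message }
        }
    }
}

$results = Get-RemoteServiceState -ComputerName 'dc01', 'app01', 'does-not-exist'
$results | Format-Table -AutoSize
$results | Where-Object { -not $_.Reached } |
    ForEach-Object { Write-Warning "$($_.Server): $($_.Error)" }
```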

Delegating Administration of NetScaler InSight Center to Active Directory group

In my previous article on Delegating NetScaler Administration to Active Directory Group, I described how you could allow members of Active Directory groups to log in to NetScalers with their AD credentials.

Now we are going to do the same thing with NetScaler InSight Center.

First of all, we have to set up the external authentication. Log in to the InSight Center and navigate to System - Authentication - LDAP and click "Add". Fill in the details of the server, like the IP and port, and the details of the domain.

Now that we have configured the authentication, we have to create the groups on the InSight Center. Go to System - User Administration - Groups and add a group with the same name as the group configured on Active Directory. Assign the permissions you want and hit "Create".

The only thing left is to enable the authentication. Navigate to System - Authentication and click on "Authentication Configuration". Select "LDAP" as the type and then t…

Delegating NetScaler Administration to Active Directory Group

I often get the request to delegate the administration of NetScalers to an active directory group, particularly in very large organizations.

This is a very simple procedure, but you should be very careful when granting permissions on such devices, since a small mistake may lead to serious problems.

Let's get started then...

The first thing you have to do is create an LDAP server. This is the server that the authentication requests are going to be directed to. As a best practice you should add more than one server. I always create an LDAP (and sometimes an LDAPS) vServer with all the AD Domain Controllers and use that one.

So, to create the LDAP server, navigate to System - Authentication - LDAP, click "Servers" and then "Add". Fill in the friendly name, IP address and port of the server (AD server or LDAP vServer) and the details about the domain, and then create the server.

Next, you have to create the Authentication policy, click on the "Policy" tab and the…

Active Directory Trust Relationship

I fired up a virtual machine on my lab server today to do some tests around Citrix and I got the well-known message "The trust relationship between this workstation and the primary domain failed."

I got this because my server had been offline for a long time and thus hadn't connected to any domain controller.

To fix this issue you can use the PowerShell cmdlet Reset-ComputerMachinePassword, which is available on Windows Server 2012 R2. In my opinion this is the fastest way to fix the issue, compared to leaving the domain and joining again or the NETDOM method.

So, you have to do the following:

1. Log in to the server using a local user with administrator privileges
2. Start PowerShell with administrator privileges (Run As Administrator)
3. Run the above command (Reset-ComputerMachinePassword)
4. Restart the server (Restart-Computer)

That's it!

NetScaler Management Login Log

I recently visited a client and started doing some health checks on the NetScaler pair they're using.

Among other messages I got a message that a user was trying to log in to the appliances using SSH.

The message on the Command Center did not provide any information about the source of the attempts, only the username used. Since there were about five attempts a day, at fixed times, I realized it was probably some kind of monitoring tool. But I had to get the IP of the source in order to investigate further...

The first few searches did not yield any results, since they were all related to the AAA servers that can be set up on the NetScaler. I then decided to search within the BSD system logs and put the NetScaler logs aside.

You can find the login attempts, for the NetScaler system, by reviewing the log file located at /var/log/auth.log

I found the IP of the source there and it was a monitoring tool!
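A small parser for the sshd lines in that file, added here as an example and not part of the original post. It extracts the result, user and source IP from each attempt and summarises them per (source, user) with counts and first/last timestamps, which is what separates a monitoring probe that fails at the same time every day from a brute-force run. The log lines it is fed are constructed in OpenSSH's standard syslog format, not copied from a real appliance; on a real NetScaler you would copy /var/log/auth.log off the box and pass it through Get-Content.

```powershell
# Added example (not from the original post): summarise sshd login attempts
# from auth.log lines. The sample lines below are constructed.
function Get-SshLoginSummary {
    param([Parameter(Mandatory)][string[]]$LogLine)

    $pattern = '^(?<ts>\w{3}\s+\d+ [\d:]+) \S+ sshd\[\d+\]: (?<result>Accepted|Failed) \w+ for (?:invalid user )?(?<user>\S+) from (?<ip>[\d.]+) port \d+'
    $events = foreach ($line in $LogLine) {
        if ($line -match $pattern) {
            [pscustomobject]@{
                Time   = $Matches.ts
                Result = $Matches.result
                User   = $Matches.user
                Source = $Matches.ip
            }
        }
    }
    # One row per (source, user): failed/accepted counts plus first and last
    # seen, so a scheduled probe is easy to tell from a brute-force attempt.
    $events | Group-Object Source, User | ForEach-Object {
        [pscustomobject]@{
            Source    = $_.Group[0].Source
            User      = $_.Group[0].User
            Failed    = @($_.Group | Where-Object Result -eq 'Failed').Count
            Accepted  = @($_.Group | Where-Object Result -eq 'Accepted').Count
            FirstSeen = $_.Group[0].Time
            LastSeen  = $_.Group[-1].Time
        }
    } | Sort-Object Failed -Descending
}

# Constructed sample: a probe hitting nsroot twice a day, a scan from another
# host trying usernames that do not exist, and one legitimate login.
$sample = @(
    'Mar  2 08:00:01 ns01 sshd[4012]: Failed password for nsroot from 10.10.5.20 port 51022 ssh2',
    'Mar  2 12:00:01 ns01 sshd[4188]: Failed password for nsroot from 10.10.5.20 port 51310 ssh2',
    'Mar  3 08:00:02 ns01 sshd[4401]: Failed password for nsroot from 10.10.5.20 port 51877 ssh2',
    'Mar  3 12:15:44 ns01 sshd[4190]: Failed password for invalid user admin from 10.10.9.77 port 44120 ssh2',
    'Mar  3 12:15:45 ns01 sshd[4190]: Failed password for invalid user root from 10.10.9.77 port 44121 ssh2',
    'Mar  3 13:02:10 ns01 sshd[4203]: Accepted password for nsroot from 10.10.1.5 port 50199 ssh2'
)
Get-SshLoginSummary -LogLine $sample | Format-Table -AutoSize
# Real file copied off the appliance:
# Get-SshLoginSummary -LogLine (Get-Content C:\temp\auth.log) | Format-Table -AutoSize
```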

Adobe Reader Disable Tools and Fill & Sign Menus

Being an engineer taking part in a VDI project, I was asked today if the menus "Tools" and "Fill & Sign" could be disabled from the master image's adobe reader.



After a few searches I found out that the quickest way to do this is to rename two files in the "C:\Program Files\Adobe\Reader 11.0\Reader\Services" folder, "DEXEchoSign.spi" and "DEXShare.spi".

After renaming the files, open Adobe Reader, close it and open it again. The menus should have disappeared just like in the following picture.


Hyper-V Disk Resize

One of the cool features of Hyper-V 3 and Windows Server 2012 R2 is the ability to resize virtual hard disks without the need to shut down the virtual machine, use diskpart and WinPE, etc...

You just have to open up Hyper-V Manager and use the edit wizard on the hard disk that needs more space.

The more "cool" way to do this is to use powershell of course! You can use the following command on the parent partition (this is the Hyper-V host) to extend the hard disk:

Get-VM "WindowsServer2012" | Get-VMHardDiskDrive -ControllerType SCSI | Resize-VHD -SizeBytes 100GB

There are some limitations though... You won't be able to use the edit hard disk wizard when the virtual machine has snapshots. This is also supported only on VHDX virtual disks connected to SCSI adapters.

I can't say I haven't resized the virtual hard disk of a snapshot with the above command, but you should not do this because you will break the chain. You shouldn't have snapshots anyway!

Grea…
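The online resize with the wizard's checks done up front, added here as an example and not part of the original post. Before touching the disk it confirms the disk is a VHDX on a SCSI controller, that the VM has no checkpoints and that the file is not a differencing disk (growing one breaks the parent/child chain the post warns about), then resizes it and extends the partition inside the guest over WinRM so the new space is actually usable. The VM name, guest host name, drive letter and credentials are placeholders; run it on the Hyper-V host.

```powershell
# Added example (not from the original post): guarded online VHDX grow plus
# in-guest partition extension. VMName, GuestHost and GuestDrive are placeholders.
param(
    [string]$VMName     = 'WindowsServer2012',
    [string]$GuestHost  = 'WindowsServer2012',   # name the guest answers to over WinRM
    [string]$GuestDrive = 'D',
    [uint64]$NewSize    = 100GB
)

$disk = Get-VM -Name $VMName | Get-VMHardDiskDrive -ControllerType SCSI | Select-Object -First 1
if (-not $disk) { throw "$VMName has no disk on a SCSI controller; online resize needs VHDX on SCSI" }

$vhd = Get-VHD -Path $disk.Path
if ($vhd.VhdFormat -ne 'VHDX')       { throw "$($disk.Path) is $($vhd.VhdFormat); online resize needs VHDX" }
if ($vhd.VhdType -eq 'Differencing') { throw "$($disk.Path) is a differencing disk; do not grow it" }
if ($vhd.Size -ge $NewSize)          { throw "Disk is already $($vhd.Size / 1GB) GB" }

# A checkpoint turns the attached file into a differencing disk; growing it
# breaks the chain, so refuse rather than corrupt the VM.
if (Get-VMSnapshot -VMName $VMName) { throw "$VMName has checkpoints; remove them before resizing" }

Resize-VHD -Path $disk.Path -SizeBytes $NewSize
"Resized $($disk.Path) to $((Get-VHD -Path $disk.Path).Size / 1GB) GB"

# Inside the guest the partition is still the old size; grow it to the maximum.
$cred = Get-Credential -Message "Administrator credentials for $GuestHost"
Invoke-Command -ComputerName $GuestHost -Credential $cred -ArgumentList $GuestDrive -ScriptBlock {
    param($Letter)
    Update-HostStorageCache                     # make the guest notice the larger disk
    $max = (Get-PartitionSupportedSize -DriveLetter $Letter).SizeMax
    Resize-Partition -DriveLetter $Letter -Size $max
    Get-Volume -DriveLetter $Letter | Select-Object DriveLetter, Size, SizeRemaining
}
```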

Windows Server DHCP Migration

With Microsoft Windows Server 2003 End of Life coming up in a few months, a growing number of companies are starting to examine their migration plans. In most cases DHCP is installed on the 2003 server and has to be migrated.

If you do not have a complicated DHCP configuration with many reservations or options, it may be easier to just install the DHCP role on the new server and configure it from scratch. You should be very careful, though, when both servers are active, because this can result in IP conflicts.

To avoid conflicts I use exclusion ranges: I exclude, say, half of the IPs on one server and the other half on the other. Even then there may still be conflicts, because some clients may already hold an IP from the range you excluded on the old server. So you should wait for a period longer than the lease time before removing the exclusions.

If you want to migrate the entire DHCP configuration, there is a great article on Technet that describes the process go…
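The exclusion-range split as a script, added here as an example and not part of the original post or the Technet article. It creates the same scope on the new 2012 R2 server but excludes the lower half there, excludes the upper half on the 2003 server with netsh (that side has no DHCP cmdlets), and finally reads the lease duration so you know how long to wait before lifting the exclusion. Server names, subnet and the split point are placeholders, and the old server's own lease time should be checked as well since clients may still hold addresses from it.

```powershell
# Added example (not from the original post): split one scope across two DHCP
# servers with exclusion ranges during a migration. All addresses and names are placeholders.
param(
    [string]$NewServer  = 'dhcp02.lab.local',   # Windows Server 2012 R2
    [string]$OldServer  = 'dhcp01',             # Windows Server 2003
    [string]$ScopeId    = '192.168.10.0',
    [string]$Mask       = '255.255.255.0',
    [string]$RangeStart = '192.168.10.10',
    [string]$SplitAt    = '192.168.10.127',     # last address the OLD server keeps handing out
    [string]$RangeEnd   = '192.168.10.250'
)

# Next IPv4 address after $Ip (first address of the new server's half)
function Get-NextIp([string]$Ip) {
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($bytes)
    $n = [BitConverter]::ToUInt32($bytes, 0) + 1
    $out = [BitConverter]::GetBytes($n)
    [Array]::Reverse($out)
    ([System.Net.IPAddress]$out).ToString()
}
$newStart = Get-NextIp $SplitAt

# New server: same scope, but hand out only the upper half.
Add-DhcpServerv4Scope -ComputerName $NewServer -Name "LAN $ScopeId" `
    -StartRange $RangeStart -EndRange $RangeEnd -SubnetMask $Mask -State Active
Add-DhcpServerv4ExclusionRange -ComputerName $NewServer -ScopeId $ScopeId `
    -StartRange $RangeStart -EndRange $SplitAt

# Old server (Windows 2003, no PowerShell module): exclude the upper half.
& netsh dhcp server \\$OldServer scope $ScopeId add excluderange $newStart $RangeEnd

# Clients may hold an address from the other half for up to one lease.
$lease = (Get-DhcpServerv4Scope -ComputerName $NewServer -ScopeId $ScopeId).LeaseDuration
"Old server keeps $RangeStart-$SplitAt, new server hands out $newStart-$RangeEnd."
"Wait at least $lease (one full lease, or the old server's lease time if longer) before removing the exclusion on $NewServer."
```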