Configuring RDS 2012 TLS Certificate

I was working on a deployment of Windows 2012 R2 RDS, where I have a couple of servers participating in a session host pool (Collection), one server acting as a broker, and a TS Licensing server.

I have two Session Host servers (SRV1 and SRV2), so I have created two DNS records, both with the same host name (Apps.contoso.com) and each one pointing to one of the Session Host servers (DNS load balancing).

The problem is that when users connect to Apps.contoso.com, they get a certificate warning about a certificate name mismatch.

 


This is because each Session Host server generates a self-signed certificate bearing the name of that session host server itself, not Apps.contoso.com.

So I created a digital certificate with the subject name Apps.contoso.com and installed it on SRV1 and SRV2, but I could not find any place to instruct the session host servers to use my certificate instead of the self-signed one.

Then I found the solution:

  • Install the Apps.contoso.com certificate on SRV1 and SRV2 (the session host servers), and take note of the thumbprint of the certificate.
  • On each session host server, open PowerShell with admin credentials and type:

$path = (Get-WmiObject -Class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'").__PATH

Set-WmiInstance -Path $path -Arguments @{SSLCertificateSHA1Hash="<THUMBPRINT>"}

Note: replace <THUMBPRINT> with the thumbprint (SHA-1 hash) of your custom certificate.

  • Restart both servers.
  • Use this command to read back the certificate hash currently in use:

wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Get SSLCertificateSHA1Hash

  • Or you can use this command to set it in one step:

wmic /namespace:\\root\cimv2\TerminalServices PATH Win32_TSGeneralSetting Set SSLCertificateSHA1Hash="<THUMBPRINT>"
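As an added example (not code from the original post), the same binding done end to end in PowerShell: the certificate is selected by the DNS name users connect to rather than by a hand-pasted thumbprint, the thumbprint is cleaned of the invisible left-to-right mark (U+200E) and spaces that the certificate MMC copies along with it, and the listener is read back afterwards to confirm the change. It assumes the certificate is in Cert:\LocalMachine\My with its private key and that its subject or SAN covers Apps.contoso.com; the $DnsName parameter is this example's own.

```powershell
# Added example, not the original post's code: bind a CA-issued certificate to the
# RDP-Tcp listener on a session host and verify the binding. Run in an elevated PowerShell.
param(
    [string]$DnsName = 'Apps.contoso.com'   # the name users type; taken from the post
)

# 1. Pick the newest non-expired certificate in the machine Personal store whose subject
#    or SAN matches the DNS name and which actually has a private key on this host.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        ($_.Subject -match [regex]::Escape("CN=$DnsName") -or
         (($_.DnsNameList | ForEach-Object { $_.Unicode }) -contains $DnsName))
    } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) { throw "No usable certificate for $DnsName in Cert:\LocalMachine\My" }

# 2. Normalise the thumbprint: strip anything that is not a hex digit (U+200E marks and
#    spaces from a copy-paste included) and insist on the 40 characters of a SHA-1 hash.
$thumbprint = ($cert.Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()
if ($thumbprint.Length -ne 40) { throw "Thumbprint '$thumbprint' is not a SHA-1 hash" }

# 3. Bind it to the RDP-Tcp listener (same WMI class and property the post uses).
$setting = Get-WmiObject -Class Win32_TSGeneralSetting `
    -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'"
Set-WmiInstance -Path $setting.__PATH -Arguments @{ SSLCertificateSHA1Hash = $thumbprint } | Out-Null

# 4. Read the binding back and confirm it is the certificate we chose.
$bound = (Get-WmiObject -Class Win32_TSGeneralSetting `
    -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'").SSLCertificateSHA1Hash
if ($bound -ne $thumbprint) { throw "Listener is still bound to $bound" }
Write-Host "RDP-Tcp now uses $($cert.Subject) ($thumbprint), valid until $($cert.NotAfter)"
```

Run it on each session host; as in the post, restart afterwards so the listener picks up the new certificate. Requiring HasPrivateKey and a non-expired NotAfter catches the two cases that otherwise fail silently at the client side with the same kind of warning the post describes.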

2013 blogging in review

The WordPress.com stats helper monkeys prepared a 2013 annual report for this blog.

Here’s an excerpt:

The concert hall at the Sydney Opera House holds 2,700 people. This blog was viewed about 12,000 times in 2013. If it were a concert at Sydney Opera House, it would take about 4 sold-out performances for that many people to see it.


Tips when buying a new home laptop

If you are thinking of buying a new laptop for your home or personal use, then here are some tips that may help you. I am assuming you are a Windows user and not considering one of those Mac laptops.


1. RAM (Physical Memory)

When buying a new laptop, 4 GB of RAM is ideal. Less RAM is not efficient, and more RAM for home usage is a waste of money.

2. Disk

Generally speaking, make sure your disk is fast. 7200 RPM is the minimum; it is fast and will make your laptop run faster.

If you want a super-fast disk, you can spend more money and get your future laptop with the new SSD hard disk. SSD stands for Solid State Drive; it is super fast but comes in smaller sizes and costs a little more.

Usually for home-use laptops, hard disk size is not important unless you want to download many videos and pictures. A 500 GB hard disk is generally more than enough.

3. Processor

For home usage, make sure your laptop comes with a dual-core processor or even a quad-core one.
Processors nowadays come as Intel Core i3, Core i5, Core i7, ...
Core i5 is better than Core i3, and Core i7 is better than both. Usually Core i5 is a good choice for home users at the time of writing this blog post.

4. Ports

If you want to attach your laptop to your HD home screen, check whether your future laptop comes with an HDMI port.
At the time of writing this blog, USB 3.0 is the latest USB standard. It is good to have a laptop that supports USB 3.0 because it is really faster.

5. Screen Size

It depends on your preference. Laptops usually come with different screen sizes; a 14-inch laptop screen is the medium size.

6. Touch Screen

As Windows 8 is a touch-enabled operating system, you can see many new laptops with touch screens. I have one of those and the experience is really nice. Nevertheless, you will not use the touch screen most of the time.


7. Brand

Make sure you are buying a laptop from a well-known brand: HP, DELL, LG, Samsung, TOSHIBA, ...

8. Do you really need a laptop at home?

If you want to browse the internet, connect to social media channels (Facebook, YouTube, and Twitter) and that's it, then buying a tablet can nowadays be a good alternative.
On the other hand, if you want to use Microsoft Office (Word, Excel, PowerPoint, ...) or install custom video and media players, then a tablet will not be a good choice.

Note: As technology changes so fast, these tips apply for about one year from now.

Cisco Aironet 1200 Series

I got a wireless access point (Cisco Aironet 1200) with software version 12.2(13)JA4. I'm currently using WEP encryption with a static key. Now I'm planning to implement enterprise wireless security using WPA2.

First of all, I managed to learn the following:

  • In order to support AES/WPA2, I need a hardware upgrade (a firmware upgrade is not enough). For example, the Cisco Aironet (AIR-AP1231G-X-K9) supports WPA2.
  • So, to live without a hardware upgrade, I can perform a firmware upgrade on my access point so that I can implement at least WPA1 (TKIP).

Second: What version should I upgrade to?

  • I first upgraded the AP to firmware version 12.3(11). After that I discovered that the AP was now running in something named LWAPP mode and kept restarting every 10 seconds. At the end of the post I describe how I fixed this.
  • I then realized that I have to upgrade to a firmware version below 12.3(7), or else the AP will run in LWAPP mode and keep rebooting.
  • I found firmware version 12.3(4)JA. This version supports WPA (TKIP) and works beautifully.

Third: To upgrade to 12.3(4)JA:

  • Connect to the AP console.
  • Install a TFTP server on your machine. Give your AP and your machine IPs from the same subnet.
  • Download the firmware from the Cisco site into the TFTP server folder.
  • Do the following:
    • From the AP console, go to enable mode.
    • Type archive download-sw /overwrite /reload tftp:[[//location]/directory]/image-name

 

Fourth: Troubleshooting the issue when upgrading the AP to firmware 12.3(7) or later and having the AP reboot itself repeatedly:

After you upgrade your wireless access point to firmware 12.3(7) or later, the AP restarts every 10 seconds with the following errors:

Mar 1 00:00:23.563: %LWAPP-5-CHANGED: LWAPP changed state to DISCOVERY
*Mar 1 00:00:23.579: LWAPP_CLIENT_ERROR_DEBUG: lwapp_crypto_init_ssc_keys_and_certs no certs in the SSC Private File
*Mar 1 00:00:23.579: LWAPP_CLIENT_ERROR_DEBUG:
*Mar 1 00:00:23.579: lwapp_crypto_init: PKI_StartSession failed
*Mar 1 00:00:23.640: %SYS-5-RELOAD: Reload requested by LWAPP CLIENT. Reload Reason: FAILED CRYPTO INIT.
*Mar 1 00:00:23.640: %LWAPP-5-CHANGED: LWAPP changed state to DOWN
*Mar 1 00:00:23.640: %LWAPP-5-CHANGED: LWAPP changed state to DOWNXmodem file s

The reason is that firmware 12.3(7) or later operates in LWAPP (lightweight) mode instead of the earlier autonomous mode, so your AP keeps trying to locate a controller, fails, and restarts.

To solve this issue, you need to revert to an earlier version of IOS (firmware), lower than 12.3(7). For example, to revert to version 12.3(4), do the following:

Step 1 The PC on which your TFTP server software runs must be configured with a static IP address in the range of 10.0.0.2 to 10.0.0.30.

Step 2 Make sure that the firmware (.tar) file is located in the TFTP server folder. Usually this file is named c1200-k9w7-tar.123-4.JA2.tar. You have to rename it to c1200-k9w7-tar.default, because the AP is configured to look for a file with exactly this name on all TFTP servers with IPs between 10.0.0.2 and 10.0.0.30.

Step 3 Disconnect power from the access point.

Step 4 Press and hold the MODE button while you reconnect power to the access point.

Step 5 Hold the MODE button until the status LED turns red (approximately 20 to 30 seconds), and release the MODE button.

Step 6 Wait until the access point reboots as indicated by all LEDs turning green followed by the Status LED blinking green.
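As an added example (not code from the original post), a PowerShell pre-check to run on the Windows PC hosting the TFTP server before Steps 3 to 6: it confirms from a saved console capture that the reboot loop really is the LWAPP "FAILED CRYPTO INIT" reload shown above (so you do not downgrade an AP that is rebooting for some other reason), checks that the PC has a static IPv4 address in the 10.0.0.2 to 10.0.0.30 range the AP probes, and makes sure the image is present under the name c1200-k9w7-tar.default. The TFTP root folder C:\TFTP-Root, the function names and the sample console lines are this example's own assumptions; the image file names and the address range come from the post.

```powershell
# Added example, not the original post's code: pre-flight checks for the MODE-button
# TFTP recovery of an Aironet 1200 stuck in the LWAPP reboot loop.

function Test-LwappRebootLoop {
    # Returns $true when the capture shows the signature from the post:
    # LWAPP entering DISCOVERY followed by a reload whose reason is FAILED CRYPTO INIT.
    param([string[]]$ConsoleLines)
    $discovery = ($ConsoleLines -match 'LWAPP changed state to DISCOVERY').Count -gt 0
    $cryptoInit = ($ConsoleLines -join ' ') -match 'Reload Reason:\s*FAILED CRYPTO INIT'
    return ($discovery -and $cryptoInit)
}

function Get-RecoveryAddress {
    # The AP asks TFTP servers at 10.0.0.2 through 10.0.0.30 for the image, so the PC
    # needs a manually assigned (static) IPv4 address in that range.
    $candidates = Get-NetIPAddress -AddressFamily IPv4 |
        Where-Object { $_.PrefixOrigin -eq 'Manual' } |
        Select-Object -ExpandProperty IPAddress
    foreach ($ip in $candidates) {
        $o = $ip.Split('.')
        if ($o[0] -eq '10' -and $o[1] -eq '0' -and $o[2] -eq '0' -and
            [int]$o[3] -ge 2 -and [int]$o[3] -le 30) { return $ip }
    }
    return $null
}

function Confirm-RecoveryImage {
    # Ensures c1200-k9w7-tar.default exists in the TFTP root. If only the versioned
    # 12.3(4) image (c1200-k9w7-tar.123-4.JA2.tar in the post) is there, copy it under
    # the default name rather than renaming, so the original download is kept.
    param([string]$TftpRoot)
    $target = Join-Path $TftpRoot 'c1200-k9w7-tar.default'
    if (Test-Path $target) { return $target }
    $source = Get-ChildItem -Path $TftpRoot -Filter 'c1200-k9w7-tar.123-4*.tar' |
        Select-Object -First 1
    if (-not $source) { throw "No c1200-k9w7-tar.123-4*.tar image found in $TftpRoot" }
    Copy-Item -Path $source.FullName -Destination $target
    return $target
}

# --- usage ---
# Constructed sample capture, taken from the error lines quoted in the post.
$sampleConsole = @(
    '*Mar 1 00:00:23.563: %LWAPP-5-CHANGED: LWAPP changed state to DISCOVERY',
    '*Mar 1 00:00:23.579: lwapp_crypto_init: PKI_StartSession failed',
    '*Mar 1 00:00:23.640: %SYS-5-RELOAD: Reload requested by LWAPP CLIENT. Reload Reason: FAILED CRYPTO INIT.'
)
if (-not (Test-LwappRebootLoop -ConsoleLines $sampleConsole)) {
    throw 'Console capture does not show the LWAPP crypto-init reload loop; investigate before downgrading.'
}
$serverIp = Get-RecoveryAddress
if (-not $serverIp) { throw 'Give this PC a static IPv4 address between 10.0.0.2 and 10.0.0.30 first.' }
$image = Confirm-RecoveryImage -TftpRoot 'C:\TFTP-Root'   # assumed TFTP server folder
Write-Host "Serving $image from $serverIp. Now follow Steps 3 to 6 (power-cycle holding MODE until the status LED turns red)."
```

Get-NetIPAddress is available on Windows 8 / Server 2012 and later. Replace the constructed $sampleConsole with the contents of your own terminal capture (for example Get-Content of a saved PuTTY log) to check a real AP.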

Welcome Message

Hi everyone, my name is Ammar Hasayen and I created this blog to share technical content and ideas about Information Technology, especially Microsoft services and infrastructure.
 
Please feel free to drop your comments on any subject you find interesting, and I hope we will have exciting discussions and results.