Tag Archives: Windows

But I _am_ on the Internet!

For some time I have had some strange symptoms on Windows 10 systems when they were accessing the Internet over a VPN connection. In my case the VPN provider was TigerVPN. This issue is unrelated to the provider, but is instead caused by the Windows networking stack when used with the OpenVPN software (which many VPN providers use). More on that later, first let’s explore the symptoms.

In my case the problem manifested itself in many different ways, but they all seem to stem from the inability to sign in to Microsoft Accounts (MSA) while the VPN connection was active. For example, the Microsoft Store app did not work and I was constantly informed that I needed the Internet to do what I wanted to do (hence the title of this article). This was the error the Store gave me:

You’ll need the internet for this.

It doesn’t look like you’re connected to the internet. Please check your connection and try again.

0x800704cf

The network location cannot be reached. For information about network troubleshooting, see Windows Help.

Hitting the “Send Feedback” button would open the Feedback Hub app, which would be stuck at an endlessly looping “Let’s get you signed in” screen. Very helpful…

Other problems include, but are probably not limited to, not being able to change your Windows Insider settings and issues with the Xbox app. All other network operations that I tried worked fine, but there could also, of course, be other issues.

So why did this happen?

It turns out that OpenVPN has supported IPv6 connections inside the tunnel by default since version 2.3.0. This is good, we all like IPv6, but not all VPN providers support it on their servers, which is also fine, though not forever, and not without telling you. Windows 10 (and every version since Vista) also supports IPv6 by default and has a dual IPv4/IPv6 stack that will try to use both protocols simultaneously. In addition, Windows has a number of IPv6 transition technologies built in. This is also good. If everything supported IPv6 through the entire stack and connection these problems would not present themselves. But this time that was not the case.

My VPN provider did not support IPv6 and had it turned off. (I am unsure of exactly how they disabled IPv6, but I see the message did_ifconfig_ipv6_setup=0 every time I connect and take that to mean that IPv6 has been disabled, either as a setting pushed by the server or in the client config file (.ovpn).) But Windows did not know that IPv6 was disabled in the OpenVPN software, so the tunnel adapter that OpenVPN creates still had IPv6 enabled. Windows therefore thought that the connection supported IPv6, when it did not. This is usually not a problem. When I looked in Network Connections this is what I saw:

The TAP adapter (Ethernet 2) is the OpenVPN software tunnel adapter. As you can see the Connectivity status is listed as “No network access”, but network access was working fine except for the issues mentioned. The properties of the adapter looked like this:

Notice that the IPv6 protocol is enabled. When I disabled IPv6 on the adapter, thus making the connection pure IPv4, the Connectivity status immediately changed to “Internet access”, and all problems were resolved. And there was much rejoicing…

I can’t say exactly what caused this issue to arise. After all, having IPv6 enabled on adapters that are connected to IPv4-only networks works fine. I suspect this has something to do with one of IPv6’s transition technologies, Teredo, 6to4, ISATAP or PortProxy, but I did not investigate this further. This is a case where I am happy to accept the empirical fact that turning off IPv6 resolves the problem.

I have not seen any negative effects of this “fix”. My VPN provider does not support IPv6 yet, so I am not losing anything by disabling it on my adapter. When TigerVPN finally implements IPv6 support I expect that I can leave IPv6 enabled and not experience any issues. Time will tell.

NOTE: While we are on the subject of VPNs and IPv6, I would be remiss if I did not mention what is known as “IPv6 leak”. Very briefly, an “IPv6 leak” can happen if your VPN provider only supports IPv4 and not IPv6 and, worse, just ignores any IPv6 traffic. If your ISP supports IPv6 and you get a public IPv6 address over which you can route traffic, that traffic will not be captured by your VPN provider (since they ignore it) and could thus “leak” and expose your identity, location and activities. Some VPN providers offer what they call “IPv6 leak protection”: they still do not support IPv6, but when the VPN connection is established they insert black hole routes to all IPv6 destinations. I strongly recommend you find out exactly how your VPN provider handles IPv6 if you rely on VPNs to maintain your privacy (as you should).
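The fix above (disable the IPv6 binding on the OpenVPN TAP adapter) and the leak check, as an added PowerShell example that is not part of the original post. It assumes the NetAdapter/NetTCPIP cmdlets (Windows 8/Server 2012 or later), an elevated prompt, and that the adapter's interface description starts with "TAP-Windows" (an assumption about the driver, adjust the pattern if yours differs).

```powershell
# Added example (not from the original post): locate the OpenVPN TAP adapter,
# show its connectivity category, disable the IPv6 binding on it (the fix
# described in the post) and then list any global IPv6 addresses that remain
# on other adapters, which is what an "IPv6 leak" needs.
# Assumptions: NetAdapter/NetTCPIP cmdlets, elevated prompt, interface
# description matching 'TAP-Windows*'.

function Get-OpenVpnTapAdapter {
    Get-NetAdapter | Where-Object { $_.InterfaceDescription -like 'TAP-Windows*' }
}

function Disable-Ipv6OnAdapter {
    param([Parameter(Mandatory)] [string] $AdapterName)
    # ms_tcpip6 is the component id of the IPv6 binding shown in adapter properties.
    Disable-NetAdapterBinding -Name $AdapterName -ComponentID ms_tcpip6 -Confirm:$false
    Get-NetAdapterBinding -Name $AdapterName -ComponentID ms_tcpip6
}

function Get-GlobalIpv6Addresses {
    # Unicast IPv6 addresses other than link-local (fe80::/10) and loopback.
    # Any of these can carry traffic that an IPv4-only VPN never sees.
    Get-NetIPAddress -AddressFamily IPv6 |
        Where-Object { $_.IPAddress -notlike 'fe80*' -and $_.IPAddress -ne '::1' } |
        Select-Object InterfaceAlias, IPAddress, PrefixOrigin
}

$tap = Get-OpenVpnTapAdapter
if (-not $tap) { throw 'No TAP-Windows adapter found; is OpenVPN installed?' }
"TAP adapter: $($tap.Name) ($($tap.Status))"
# Connectivity as Windows sees it; this is the "No network access" status from the post.
Get-NetConnectionProfile -InterfaceAlias $tap.Name -ErrorAction SilentlyContinue |
    Select-Object Name, IPv4Connectivity, IPv6Connectivity

Disable-Ipv6OnAdapter -AdapterName $tap.Name

$leak = Get-GlobalIpv6Addresses
if ($leak) {
    'Global IPv6 addresses still present (traffic to IPv6 destinations may bypass the tunnel):'
    $leak
} else {
    'No global IPv6 addresses present.'
}
```

Re-run Get-NetConnectionProfile after reconnecting the VPN to confirm the category has changed to Internet access.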

M


What’s special about the builtin Administrator account?

Every installation of Windows based on the Windows NT code base has a builtin admin account called Administrator. Every installation of Active Directory Domain Services also has a builtin admin account called Administrator. (If you are running a version of Windows in a language other than English, your accounts may be named something else.) This account provides complete access to files, directories, services, and other facilities. But are there other things that make these accounts special?

  • The Relative Identifier (RID) is always 500
    In Windows each Security Principal is identified with a Security Identifier or SID. The SID has two parts: the machine or domain component and the Relative Identifier (RID). The RID is simply a whole number incremented by one (1) each time a new Security Principal, typically a group or user, is created. The builtin Administrator accounts, whether they are in a local SAM database or in Active Directory, always have the RID 500. This means that if you know the domain or machine component of the SID, you also know the full SID of the builtin Administrator. From there it is easy to do a “reverse lookup” and find the actual username of the builtin Administrator, and then to start trying to break into it. (Some older code even lets you authenticate with the SID directly, as opposed to a username.) See next bullet.
  • The account cannot be locked out
    The builtin Administrator account cannot be locked out of the system no matter how many failed logon attempts it accumulates. This makes it a prime target for brute force attacks. Auditing can help you find out if someone is trying to do a brute force attack using the builtin Administrator account. Other, manually created, administrator accounts can be locked out, and therefore do not present a similar threat. Renaming your builtin Administrator account will afford you some protection, but be aware of the limitations of this; see previous bullet.
  • The account cannot be deleted
    At least not using the default Windows tools.
  • The account is disabled on client OSs as of Windows XP
    In Windows XP and onwards, the builtin Administrator account does not have a password and is disabled. During setup you are required to create at least one new account, and this account becomes an administrator.
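Because the builtin Administrator cannot be locked out, the auditing the second bullet recommends is the only way to notice password guessing against it, and it has to work even after the account is renamed. The following is an added PowerShell example, not part of the original post: it finds the account by its RID rather than its name and counts failed logons against it from the Security log. It assumes Windows PowerShell 5.1 (Get-LocalUser), rights to read the Security log, and the standard field order of event 4625.

```powershell
# Added example (not from the original post): locate the builtin Administrator
# by RID 500 regardless of its current name, report whether it is enabled,
# and summarise recent failed logons (Security event 4625) against it.
# Assumptions: Get-LocalUser (Windows PowerShell 5.1+), read access to the
# Security log, audit of logon failures enabled.

function Get-BuiltinAdministrator {
    # The machine part of the SID varies; the RID is always 500.
    Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }
}

function Get-FailedLogonsForAccount {
    param(
        [Parameter(Mandatory)] [string] $AccountName,
        [int] $Hours = 24
    )
    $since = (Get-Date).AddHours(-$Hours)
    # 4625 = "An account failed to log on". In its event data, index 5 is
    # TargetUserName and index 19 is IpAddress (standard 4625 layout).
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                 -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[5].Value -eq $AccountName }
}

$admin = Get-BuiltinAdministrator
"Builtin Administrator is named '$($admin.Name)' (SID $($admin.SID.Value)); Enabled: $($admin.Enabled)"

$failed = @(Get-FailedLogonsForAccount -AccountName $admin.Name -Hours 24)
"Failed logons against '$($admin.Name)' in the last 24 hours: $($failed.Count)"
if ($failed.Count -gt 0) {
    # Group by source address so a single guessing host stands out.
    $failed | Group-Object { $_.Properties[19].Value } |
        Sort-Object Count -Descending |
        Select-Object Count, @{ Name = 'SourceIp'; Expression = { $_.Name } }
}
```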

Error when trying to reset a password when Fine Grained Password Policies (FGPP) are in effect

I had created a Fine Grained Password Policy (FGPP) which, among other things, turned off the requirement for complex passwords. I had applied this policy to users through a group. When I tried to reset the password of one of the users for which this FGPP applied, Active Directory Users and Computers would give me this error:

—————————
Active Directory Domain Services
—————————
Windows cannot complete the password change for <user> because:

The password does not meet the password policy requirements. Check the minimum password length, password complexity and password history requirements.

—————————
OK
—————————

Originally I thought that my password did in fact violate my FGPP, but after testing this further I concluded that it was something else. After a bit of looking I discovered that this domain was in Windows Server 2003 Functional Mode. A requirement for FGPP is at least Windows Server 2008 Functional Mode. After changing it to Windows Server 2008, the FGPP took effect and I could reset my passwords.

Perhaps the *-ADFineGrainedPasswordPolicy cmdlets should check the domain functional level. At least New-ADFineGrainedPasswordPolicy should display a warning if the domain is not at the required level. The requirement is listed in the Step-by-Step guide (thank you PTS), but I didn’t catch that this time.
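The check the cmdlet does not do, as an added PowerShell example that is not part of the original post: it refuses to create the PSO unless the domain functional level is Windows Server 2008 or higher, and afterwards shows which policy actually applies to a user. It assumes the ActiveDirectory module and rights to create PSOs; the policy name, group name, user name and the minimum length are constructed placeholders.

```powershell
# Added example (not from the original post): guard New-ADFineGrainedPasswordPolicy
# with a domain functional level check, then confirm the resultant policy.
# Assumptions: ActiveDirectory module, rights to create PSOs. Names below are
# constructed placeholders.

Import-Module ActiveDirectory

function Test-FgppSupported {
    # Domain modes below Windows Server 2008 silently ignore PSOs.
    $mode = (Get-ADDomain).DomainMode.ToString()
    $tooLow = @('Windows2000Domain', 'Windows2003InterimDomain', 'Windows2003Domain')
    return ($tooLow -notcontains $mode)
}

function New-CheckedFgpp {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [int]    $Precedence,
        [Parameter(Mandatory)] [string] $AppliesToGroup
    )
    if (-not (Test-FgppSupported)) {
        $mode = (Get-ADDomain).DomainMode
        throw "Domain functional level is $mode; FGPP requires Windows Server 2008 or higher."
    }
    # Same intent as the post: complexity off. The length and lockout values
    # are placeholders chosen for this example.
    New-ADFineGrainedPasswordPolicy -Name $Name -Precedence $Precedence `
        -ComplexityEnabled $false -MinPasswordLength 12 `
        -LockoutThreshold 10 -LockoutDuration '00:30:00' -LockoutObservationWindow '00:30:00'
    Add-ADFineGrainedPasswordPolicySubject -Identity $Name -Subjects $AppliesToGroup
}

New-CheckedFgpp -Name 'NoComplexity-PSO' -Precedence 10 -AppliesToGroup 'FGPP-NoComplexity-Users'

# Which policy wins for a member of the group? If this returns nothing, the
# default domain policy still applies and a reset will fail exactly as in the post.
Get-ADUserResultantPasswordPolicy -Identity 'someuser'
```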


Office 2010 Professional Plus fails with unexpected restart on Windows XP

The Situation

Office 2010 Professional Plus (32-bit) deployed to Windows XP Professional Service Pack 3 (32-bit) clients with System Center Configuration Manager (SCCM) 2007 R2 (64-bit). Office 2010 configured with Office Customization Tool (OCT) according to Microsoft guidelines.

The Problem

Upon completion the installation would initiate a forced reboot without prompting the user or giving any warning. After the reboot the Office 2010 installation would continue, but since it already completed before the reboot, this would be interpreted as a modification, prompting the user to select Add/Remove components, change product key etc. This, however, was not visible to the user since the program was configured to run without user interaction in SCCM. The result was that the Configuration Client (CcmExec) would wait for setup.exe for the maximum allowed run time and then terminate setup.exe, logging the installation as a failure. The whole process looked like this in the SCCM Advertisement Status report:

Time              Message State Name   Message Name                          Message ID   Record ID
10.11.2011 12:37  Accepted             Program received                      10002        1164453
10.11.2011 12:37  Waiting              Waiting for content                   10035        1164454
10.11.2011 12:54  Running              Program started                       10005        1164461
11.11.2011 08:24  Failed               Program failed (unexpected restart)   10021        1165171
11.11.2011 08:29  Running              Program started                       10005        1165174
11.11.2011 13:28  Failed               Program failed (run time exceeded)    10070        1165445

Screenshot from SCCM

At 11.11.2011 08:29 Office 2010 restarts the installation after the reboot, even though it actually succeeded before the reboot, and the reboot is just to complete the installation. This is interpreted as a modification to the existing install and setup.exe prompts the user for what modifications to make. The user cannot see this, however, because he cannot interact with the program. CcmExec lets setup.exe run until the max run time is reached and then terminates setup.exe (11.11.2011 13:28) logging the install as a failure.

The Office 2010 setup log, located in %systemroot%\System32\Temp, indicates that the install is successful, but that a restart is needed.

The Solution

To work around this problem it is necessary to suppress the reboot. This is done by adding the following to the MSP file in OCT (or the equivalent to config.xml):

image

With this setting in the MSP file the installation of Office 2010 will not be “fooled” by its own restart and complete successfully. You will first receive a status of Program completed successfully (reboot pending), until you initiate a restart on your own. After this restart the status will change to Program completed with success. Office 2010 seems to be fully functional even without performing this restart immediately, but the advertisement status in SCCM will not change until you restart.

Notes

Reports from others who have experienced similar issues indicate that the forced restart only happens on Windows XP computers, not Windows 7. I have not tested this myself.


Poor sound quality in Spotify

I love Spotify, but recently I have been plagued by poor sound quality. Specifically I experienced clipping, popping and variations in volume level during playback. As far as I could tell this affected all the songs I played in Spotify. At first I thought the problem was specific to Spotify, but after doing some tests with Grooveshark and Windows Media Player I discovered that the problem affected all apps playing sound. After a little digging I discovered a workaround for the problem.

Open the Sound properties:

image

Select Properties for the Default Device, then select the Enhancements tab:

image

Select Disable all enhancements. If you are playing music it will momentarily pause and then continue, hopefully (as it did for me) with crystal clear quality.

Happy listening!

Last.FM profile: www.last.fm/user/morgands

Morgan

Computer naming schemes

I often get asked what I recommend for server/client naming schemes. Although there is no definitive answer (it always depends on your organization and what your specific requirements are), here are some pointers:

Things you would often want to include in the name of a machine:

  • Your organization name or an abbreviation of it: <org>
  • The machine type; laptop, desktop, workstation, server etc.: <type>
  • The computer's MAC address: <MAC>
  • Asset tag: <asset tag>
  • Make/Model: <model>
  • The name of the user who owns/uses the machine: <username>
  • The department it belongs to: <dep>
  • A running number: <n>
  • The OS the machine is running: <OS>

You can combine these any way you want; using hyphens or other separators, or not. Here are a few I often use:

  • <org>-01234 (eg. BigFirm-56798)
  • <org>-<type>-01234 (eg. BigFirm-l-87980)
    V=Virtual
    W=Workstation
    L=Laptop
    K=Kiosk
    etc.
  • <org>-<asset tag> (eg. BigFirm-A5B98)
  • <org>-<MAC address> (eg. BigFirm-AABBCCDDEEFF)
  • <org>-<model>-01234 (eg. BigFirm-HP8100-89476)
  • <org>-<username>(-<type>) (eg. BigFirm-BobH-V)

If you have any suggestions of either complete schemes or things you like to include in your machine names, please leave a comment and I will update the article.

Also, remember that Windows computers use both DNS hostnames and NetBIOS names. NetBIOS names are limited to 15 characters, but DNS hostnames are not. Windows will not stop you from using names that are longer than 15 characters, but the NetBIOS name of the machine will be limited to the first 15 characters of the name you choose. If the part of your name that makes it unique is beyond the 15th character you will have more than one machine on your network with the same NetBIOS name. Furthermore, although Windows itself will work with a name longer than 15 characters, many tools will not. An example of this is MDT 2010.
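The NetBIOS truncation problem is easy to catch before a name is assigned. The following is an added PowerShell example, not part of the original post: it validates proposed names as DNS host labels and reports any that collide once cut to 15 characters. The sample names are constructed from the schemes above.

```powershell
# Added example (not from the original post): check proposed computer names
# for DNS label validity and for NetBIOS collisions (first 15 characters).
# Sample names are constructed.

function Test-ComputerName {
    param([Parameter(Mandatory)] [string[]] $Names)
    foreach ($name in $Names) {
        [pscustomobject]@{
            Name       = $name
            # What Windows will actually register as the NetBIOS name.
            NetBIOS    = $name.Substring(0, [Math]::Min(15, $name.Length)).ToUpperInvariant()
            Truncated  = $name.Length -gt 15
            # DNS host label: letters, digits and hyphens, no leading/trailing
            # hyphen, at most 63 characters. Underscores are allowed in NetBIOS
            # but not in DNS, which is the kind of name "many tools" reject.
            ValidLabel = $name -match '^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$'
        }
    }
}

function Find-NetBiosCollision {
    param([Parameter(Mandatory)] [string[]] $Names)
    # Any group with more than one member shares a NetBIOS name on the network.
    Test-ComputerName -Names $Names |
        Group-Object NetBIOS |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{ NetBIOS = $_.Name; Collides = ($_.Group.Name -join ', ') }
        }
}

$proposed = @(
    'BigFirm-HP8100-89476',   # 20 chars: NetBIOS name is BIGFIRM-HP8100-
    'BigFirm-HP8100-89477',   # same first 15 chars: collision
    'BigFirm-l-87980',        # exactly 15 chars: fits
    'BigFirm-BobH-V',
    'Big_Firm-01'             # valid NetBIOS name, invalid DNS label
)
Test-ComputerName -Names $proposed | Format-Table -AutoSize
Find-NetBiosCollision -Names $proposed
```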

Happy naming!

Remote Desktop on Linux?

With the momentum behind desktop virtualization, both with VDI and Remote Desktop Sessions (formerly Terminal Services), more and more people are looking for ways to access the Windows Desktop from platforms other than Windows. Citrix offers the Citrix Receiver which supports virtually all platforms, but if you want to use the Remote Desktop Protocol (RDP) your choices are limited. This is a list of the RDP clients I have found for Linux:

Unfortunately none of these support more than RDP v5.1, which does not offer any of the newest features such as multi-monitor support.

SHA1 Thumbprints for trusted .rdp publishers

Remote Desktop Connection (RDC) has a Group Policy setting that determines which publishers are to be considered trusted when launching connections (typically .rdp files served in various ways).

The publisher is identified by the SHA1 thumbprint of the certificate of the publisher (the certificate used to sign the .rdp file). You get the thumbprint from the certificate:

image

The setting is located under:
Computer Configuration\Policies\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Connection Client

Setting:
Specify SHA1 thumbprints of certificates representing trusted .rdp publishers

Description:
This policy setting allows you to specify a list of Secure Hash Algorithm 1 (SHA1) certificate thumbprints that represent trusted Remote Desktop Protocol (.rdp) file publishers.

If you enable this policy setting, any certificate with an SHA1 thumbprint that matches a thumbprint on the list is trusted. If a user tries to start an .rdp file that is signed by a trusted certificate, the user does not receive any warning messages when they start the file. To obtain the thumbprint, view the certificate details, and then click the Thumbprint field.

If you disable or do not configure this policy setting, no publisher is treated as a trusted .rdp publisher.

Notes:

You can define this policy setting in the Computer Configuration node or in the User Configuration node. If you configure this policy setting for the computer, the list of certificate thumbprints trusted for a user is a combination of the list defined for the computer and the list defined for the user.

This policy setting overrides the behavior of the “Allow .rdp files from valid publishers and user’s default .rdp settings” policy setting.

If the list contains a string that is not a certificate thumbprint, it is ignored.

As you can see; no mention of how the thumbprint is to be entered!

I found out the hard way that you have to remove all spaces and convert all letters to uppercase for the thumbprint to be valid. You are not informed if the format you enter is incorrect, it is just silently ignored if not recognized as a valid thumbprint.

This quick PowerShell command will do these two operations:

("<your thumbprint here>").ToUpper().Replace(" ","")

If this Group Policy setting is not in effect, either because you have not set it or the thumbprint is incorrect/invalid, your users will get a warning when connecting, even if the certificate used to sign the .rdp file is trusted:

image

Error: A website wants to run a RemoteApp program. Make sure that you trust the publisher before you connect to run the program.

It is interesting to note that the rdpsign.exe command line utility that is used to sign .rdp files manually, requires that the thumbprint of the certificate must be provided in just this way: http://technet.microsoft.com/en-us/library/cc753982(WS.10).aspx


A note on copying the thumbprint

If you look at the highlighted/selected thumbprint in the image above you will see what looks like a leading whitespace. If you select the whole string (not as above), you will get a strange leading character in your thumbprint. Have a look at this zoomed image:

image

I do not know what character this is, but it invalidates the thumbprint string if you paste it into the SHA1 thumbprint field in your GPO. Even stranger is that it does not show up in the pasted text in the GPO object; it just “looks” right. As I said, I have no explanation, but remember to skip the leading whitespace when you copy your thumbprint.

This is how it should look:

image
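A more robust version of the one-liner above that also covers the copy-and-paste problem just described, as an added PowerShell example that is not part of the original post: it keeps only the 40 hex digits (which removes spaces and any invisible leading character), uppercases them, and can confirm the result matches a certificate in a local store. The sample thumbprint is constructed; the assumption that the invisible character is a Unicode left-to-right mark (U+200E) is mine, the post does not identify it.

```powershell
# Added example (not from the original post): normalise a thumbprint copied
# from the certificate dialog into the form the GPO and rdpsign.exe accept
# (uppercase, no spaces, exactly 40 hex digits) and optionally verify it
# against a certificate store. The sample thumbprint is constructed.

function ConvertTo-GpoThumbprint {
    param([Parameter(Mandatory)] [string] $Thumbprint)
    # Drop every character that is not a hex digit. This removes spaces as
    # well as invisible characters such as the leading one described in the
    # post (assumed here to be the left-to-right mark, U+200E).
    $clean = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($clean.Length -ne 40) {
        throw "Expected 40 hex digits after cleaning, got $($clean.Length): '$clean'"
    }
    return $clean
}

function Test-ThumbprintInStore {
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,
        [string] $StorePath = 'Cert:\LocalMachine\My'
    )
    $clean = ConvertTo-GpoThumbprint $Thumbprint
    # The Cert: drive exposes Thumbprint already uppercased and without spaces,
    # so a direct string comparison is enough.
    $cert = Get-ChildItem $StorePath | Where-Object { $_.Thumbprint -eq $clean }
    return [bool]$cert
}

# Constructed sample: lowercase hex with spaces and an invisible U+200E in front,
# which is what a full selection in the dialog tends to give you.
$pasted = "$([char]0x200E)a1 b2 c3 d4 e5 f6 07 18 29 3a 4b 5c 6d 7e 8f 90 a1 b2 c3 d4"
ConvertTo-GpoThumbprint $pasted
Test-ThumbprintInStore -Thumbprint $pasted -StorePath 'Cert:\CurrentUser\My'
```

Paste the value returned by ConvertTo-GpoThumbprint into the GPO; if Test-ThumbprintInStore returns False for the store holding your signing certificate, the thumbprint itself is wrong rather than the formatting.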

GPS Fun with the Windows 7 Sensor and Location Platform

Introduction

Windows 7 has a new framework; the Windows Sensor and Location Platform. In short it is a system that enables the OS to utilize different sensors; e.g. a GPS device to track your location, a light sensor to dynamically adjust your screen brightness based on the ambient lighting, an accelerometer to use for games etc. I want to focus on GPS in this post.

Architecture

Up until now; the usual way to connect a GPS device to your computer was for it to emulate a COM port and then send standard NMEA GPS data to the port at a specified baud rate. This worked OK in my opinion, but with the new framework the GPS device, or sensor, is exposed directly to the OS. No more intermediary COM ports. This works the same for any sensor, by the way.

GPS in action

As of this writing, there are very few devices compatible with the new framework out there. I only know of the USB GPS Devices from ublox. To work around this you can use Michael Chourdakis’ excellent GPSDirect driver that acts as a layer between a legacy GPS device that sends NMEA data through a COM port, and the Sensor and Location Platform.

To set this up do the following:

  1. Configure your GPS to work with Windows. This can be through Bluetooth, USB or special software for use with built in devices. When done you should have at least one new COM port that sends the GPS NMEA data, and you should also know the baud rate of this port. This screenshot is from the COM port associated with my HOLUX GPSlim236 device:
    image
  2. Download and run the GPSDirect software and input the data from your COM port:
    image
    Then hit Install.
  3. You should immediately be prompted by Windows if you want to enable the new sensor:
    image
  4. Select Enable.
  5. You can now close the GPSDirect software. The driver will remain loaded until you remove it.
    Note: There is an issue with the current version of GPSDirect, v 0.0.0.16, in that it does not reconnect to the COM port if the GPS is disconnected or turned off.
  6. Open the Location and Other Sensors applet in Control Panel and configure your sensor:
    image
    Pay special mind to who can use the sensor, as you may not want your location information used by all the selected users:
    image

Testing

Unfortunately there are very few applications that are able to use the location information a GPS device can provide. In fact I know of only one; the Windows Weather Desktop Gadget!

If you add this gadget to your desktop, and have a your GPS working, it will automatically detect that your computer is “location aware” and try to automatically find the weather forecast for your location.

image

image

Notice the little “signal” icon in the gadget. This indicates that the location was determined by using the computer’s location framework.
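Applications do not have to be gadgets to read the platform. The following is an added PowerShell example, not part of the original post: it reads the current position through the .NET wrapper for the Location API (System.Device.Location.GeoCoordinateWatcher), which works with any sensor the platform exposes, and reports when the sensor is not enabled for the current user. It assumes .NET Framework 4.0 or later.

```powershell
# Added example (not from the original post): read a position from the
# Windows 7 Sensor and Location Platform via System.Device.Location, the .NET 4
# wrapper around the Location API. Works with GPSDirect, GeoSense or a native
# sensor. Assumes .NET Framework 4.0+.

function Get-PlatformLocation {
    param([int] $TimeoutSeconds = 30)
    Add-Type -AssemblyName System.Device
    $watcher = New-Object System.Device.Location.GeoCoordinateWatcher
    try {
        # TryStart blocks until the first position arrives or the timeout elapses.
        $started = $watcher.TryStart($false, [TimeSpan]::FromSeconds($TimeoutSeconds))
        if ($watcher.Permission -eq 'Denied') {
            # This is what you get when the sensor is not enabled for this user
            # in the Location and Other Sensors applet.
            throw 'Location access denied for this user (check Location and Other Sensors).'
        }
        if (-not $started -or $watcher.Position.Location.IsUnknown) {
            throw "No fix within $TimeoutSeconds s (sensor status: $($watcher.Status))."
        }
        $loc = $watcher.Position.Location
        [pscustomobject]@{
            Latitude           = $loc.Latitude
            Longitude          = $loc.Longitude
            HorizontalAccuracy = $loc.HorizontalAccuracy   # metres
            Timestamp          = $watcher.Position.Timestamp
        }
    } finally {
        $watcher.Stop()
    }
}

Get-PlatformLocation -TimeoutSeconds 30
```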

Don’t have a GPS?

If you do not own a GPS device but still want to play around with the location functionality, you can try the GeoSense application. What GeoSense does is use a hybrid mix of geolocation service providers and geolocation methods to pinpoint your location as accurately as possible. It currently supports Google Location Services (WiFi) and Google Location Services (IP), with several more under consideration. GeoSense is written natively for the Sensor and Location Platform, so you just have to install it to use it.

After installation you will have a new sensor in your Location and Other Sensors applet, which can be configured in the same way as GPSDirect (or any other location sensor).

image

Other uses

GPS is just one of many applications of the new framework. Especially for games I think we will see a whole new group of controllers that utilize the new API. One example of this is a driver written by Rajasekharan Vengalil, that lets you use the Nintendo Wiimote with Windows 7! Check it out here.


Printing nuggets

Someone once told me “Users and printers take the fun out of the whole network.” The printing part I am inclined to agree with…

I met up with an old friend today that works for a large printer manufacturer and he imparted the following printing tips to me:

  • Disable bidirectional support on your printer
    This is done under the Sharing tab on the server:
    image
    This will save traffic from the clients to the printer every time a user views the properties of the printer, thus speeding up the printer properties dialogue. If you install new equipment on the printer; temporarily enable bidirectional support to update the printer on the server.
  • Never use the driver drop down box
    This setting is found on the Advanced tab of the printer:
    image
    Instead, use the New Driver button right next to it. If you use the drop down box there is a good chance that the printer will not load all the DLLs and other files that it needs. This is a common cause of printers not displaying the correct features etc.
  • Printer drivers use SNMP to query print devices for their supported features
    If you are having problems detecting the features of the printer, try to enable SNMP through any firewall that is between the server and the print device. Also, the SNMP functionality is usually implemented in the driver itself, and as such is not dependent on the SNMP functionality in Windows.
  • Universal printer drivers are usually slower than dedicated drivers
    This might be so, but the benefits of using only one driver per printer manufacturer far outweigh this problem, in my mind.

Happy printing!