    • RE: Installing XiVO on Scale

      Wow, that does look really straight forward.

      posted in IT Discussion
      bbigford
    • "My Mac beats your everything."

      Have a user that insists she needs a Mac for Photoshop. Someone noticed when this user would generate a print from Windows and send it down to the local print shop (who use a Mac), that the formatting is way off when the shop goes to view/print.

      I haven't seen the issue personally so I can only speculate.

      User has since switched to a Mac, just curious what the deal is. What are some realistic thoughts here aside from user error?

      posted in IT Discussion
      bbigford
    • Hyper-V with Smart Card not working

      First, a disclosure. This is a school lab, but it is not homework. I'm helping the instructor re-write part of the lab to help get a certain part working for future classes. Also, we've already reached out to Microsoft, as the class has a bunch of hookups with Microsoft since they are teaching a lot of their technology. Also checked on TechNet/MSDN. I will also attach the lab. If you needed a Smart Card walkthrough anyway, this one has a ton of hours sunk into the writing and is quite literally a cookbook that can be done in about 20 minutes. But the attachment is more so you can see the screenshot of the error (at the very bottom). There is also a resolution just above it, regarding re-issuing the cert. You can also see in another screenshot further up that the cert is issued to the client, as well as present on the Smart Card.

      Here are a couple of things that work in VMware (flawlessly), but not in Hyper-V...

      • Being able to discover the smart card from within devmgmt

        • In Hyper-V, I just went ahead and did this manually, with a generic driver.
      • Log into a VM remotely, with a Smart Card.

        • This I could not get to work with Hyper-V at all. If you aren't in an enhanced session, it won't see the card at all (but that should be obvious). If you are in an enhanced session, there are certificate issues. However, the cert has been reissued to the DC (which then gets issued to the client manually within Personal/Certificates > Request new certificate). All tabs within the certificate have been configured correctly, as this works fine on a physical workstation. To verify, you can log into the workstation without the Smart Card, open the management utility, and see the certificate on the card.

      The first point is just a janky work around, so it'd be nice to figure that out if possible. But the second point has gone unresolved, so that's more of the focus here.

      Edit: Here is my attempt at making this copy-paste look okay. All in all, it's not going to look as good as written on a document. But there's nothing I can do about that, since this is not a file hosting site, and providing a link to any file hosting site could be malicious. This is going to take me some time to format for easier reading, so please be patient.

      Smart Card Implementation Server 2012

      User Logon only - No Exchange

      This lab requires a Domain Controller with Active Directory and Certificate Services installed and an Online Responder configured. In addition, two Windows 10 Generation 2 domain workstations are required. They cannot be differencing disks. Also, they need to be added to the domain. If you have more servers it is not a problem.

      Lab overview: We are going to configure one of the Win10 workstations as an enrollment station and a user named Emily as the enrollment agent. Users must see Emily to get a smart card and certificate. After that, users will be able to log in to their own workstations using their smart card.

      Smart card overview - First we install the reader and the driver associated with the reader. Next, we have to install the middleware provided by the smart card manufacturer. In class, we are using the ACS ACOS5 cards. The middleware includes the CSP (Cryptography Service Provider) ACS, which is needed to create a certificate that can be written to this specific smart card. Next, we need to force the default driver for the smart card (the manufacturer does not provide one). And finally, Emily will request a smart card logon certificate on behalf of our users.

      1. Create the enrollment user and the Enrollment Agent Template.
        a. Create a user named Emily.
        b. Create a global group named Enrollment Agents. Make Emily a member of the global group.
        c. On DC01, duplicate the certificate template Enrollment Agent. This certificate is not going to be written to Emily's smart card. It is just going to be installed on the enrollment workstation.
          i. General Tab:
            1. Name it INTCXX Enrollment Agent.
            2. Place a check mark next to Publish in AD.
          ii. Request Handling Tab:
            1. Purpose - Signature
            2. Check mark on "Allow private key to be exported"
            3. Verify "Enroll subject without requiring any user input"
          iii. Subject Name Tab: (verify)
            1. Verify Build from AD
            2. Subject name format: Fully Distinguished Name
            3. Include this information: UPN
          iv. Issuance Requirements tab - do not select anything. In the workplace you most likely want a manager's or admin's approval for any enrollment agents. We are not going to do this today.
          v. Security tab - Add Enrollment Agents and allow them Read and Enroll
          vi. Extensions tab - Click Application Policies and verify that Certificate Request Agent is listed in the bottom pane
          vii. Superseded Templates tab - Add Enrollment Agent
          viii. OK
        d. Issue the certificate template in your CA.
      2. App deploy
        a. Create a share on DC01 named appdeploy - assign Users the NTFS Read and Execute permission.
        b. Copy the ACOS5 SDK folder from studentfiles to appdeploy on your DC.
      3. Configure the enrollment workstation - do this as the domain admin
        a. Install the ACOS5 middleware and the ACR38 reader driver on both of the Windows 10 workstations.
          i. On both WIN10 workstations, access \\DC01\appdeploy\ACOS5 SDK and execute the autorun file.
          ii. Click on Install ACR38 Reader Driver and select the defaults in the install.
          iii. Click on Install SDK Components
            1. Next in the welcome window
            2. Next in the destination folder
            3. In the product features - you do not need to install the sample code or the reference material, but you need everything else. It will not hurt anything if you just install everything; it just takes longer.
            4. Reboot when asked to
          iv. Plug in the reader and verify that Windows detected it. Check Device Manager and verify that the reader is listed as CCID USB Smart Reader (should be under "Smart card readers"). If you cannot get your virtual to connect to the USB device (in VMware), check VM on the menu bar and Removable Devices. Verify that the Advanced Card Reader has a check mark next to it. In Hyper-V, I could not get it to show up automatically.
        b. Insert a smart card into the reader. Windows does not find the driver for the smart card automatically. We have to force the default generic driver.
          i. Open Device Manager in your VM.
          ii. Right click WIN10 and select Add legacy hardware, Next in the welcome window
          iii. Select "Install the hardware that I manually select from a list"
          iv. From the list select Smart cards
          v. Select the Identity Device (Microsoft Generic Profile), Next, Next, Finish
          vi. You should now have both a smart card and a reader listed in Device Manager
        c. Add Emily to the local groups: Administrators and Cryptographic Operators. Note: I am not sure that Emily needs to be in the Administrators group. I did not test this lab without her being a member of Administrators. This is something you would want to test in a real implementation.
        d. Repeat steps a and b above to configure the second Windows 10 workstation. When finished, attach the reader to the Win10 enrollment station so you can complete the following steps.
      4. As Emily, request an enrollment agent certificate:
        a. Log in to the workstation as Emily. Make sure you use an enhanced session.
        b. Remove the smart card from the reader - we do not want the enrollment agent's certificate to be written to the card. We want it installed on the workstation.
        c. Use the certificates snap-in (user account) to request the enrollment agent certificate
          i. Run an MMC console and add the Certificates snap-in. Verify "My user account" is selected.
          ii. Expand Certificates, right click Personal and select All Tasks, Request New Certificate
          iii. Before You Begin window - Next
          iv. Certificate Enrollment Policy - verify Active Directory Enrollment Policy - Next
          v. Place a check mark next to INTCXX Enrollment Agent - Enroll
          vi. Finish
          vii. Verify there is a certificate for Emily listed under Personal/Certificates.
      5. On your CA, configure the smart card logon certificate:
        a. Duplicate the template Smartcard Logon - be sure to accept the default of Windows Server 2003.
          i. General Tab:
            1. Name it INTCXX Smartcard Logon
            2. Place a check mark next to Publish in AD
          ii. Request Handling Tab:
            1. Purpose - Signature and smartcard logon
            2. Check mark on "Allow private key to be exported"
            3. Verify "Prompt the user during enrollment"
          iii. Cryptography tab: Verify that "Requests can use any provider available on the subject's computer" is selected. This is important: during the certificate enrollment we have to choose the ACS CSP or the certificate cannot be written to the card. In an ideal situation we would be able to add the ACS CSP to the window in the template, but Certificate Services does not allow us to add CSPs.
          iv. Subject Name Tab:
            1. Verify Build from AD
            2. Subject name format: Fully Distinguished Name
            3. Include this information: UPN
          v. Issuance Requirements tab
            1. Place a check mark next to "This number of authorized signatures" - type 1 in the box
            2. In the Application Policy drop down select "Certificate Request Agent"
            3. Change "Require the following for reenrollment" to "Valid existing certificate" (this allows users to reenroll without having to go to the enrollment agent - this would be an organizational decision)
          vi. Security tab -
            1. Add Enrollment Agents and allow them Read and Enroll
            2. Add the Students and Instructors groups and allow them Read and Enroll
          vii. Superseded Templates tab - Add Smartcard Logon and Smartcard User
          viii. OK
        b. Issue the certificate template in your CA
      6. As Emily, initialize the card and request a certificate for your users:
        a. On the Win10 workstation, log in as Emily
        b. Open the ACOS5 Initialization Tool from Programs
          i. Insert the smart card for your first user
          ii. Important - Do NOT clear the "enable clear card after initialization" option. This makes the card only usable for this user. Each card costs $12 and I do not want to have to purchase more. Click Start in the Initialization Tool window, click Yes and OK
          iii. Notice that the SO PIN and User PIN were set to '12345678'. This is the default for this card manufacturer
          iv. Repeat this process for your other cards
        c. Open an MMC console with the Certificates snap-in (user account)
          i. Insert the smart card you are going to write to
          ii. Right click Personal, All Tasks, Advanced Operations, Enroll On Behalf Of
            1. Before You Begin window - Next
            2. Certificate Enrollment Policy - verify Active Directory Enrollment Policy - Next
            3. Signing certificate - Browse and select Emily's certificate - Next
            4. Select INTCXX Smartcard Logon and click Details
            5. Click Properties
            6. Click the down arrow next to Cryptographic Service Provider
            7. Clear the check mark next to Microsoft
            8. Place a check mark next to Advanced Card Systems CSP (you will not see ACS listed if there is not a smart card in the reader)
            9. OK, Next
            10. User name - Browse to find the Active Directory object for the user you are enrolling for. You will need to change the location to your domain. Verify that INTCXX\username is listed in the field before you click Enroll
            11. Enroll
            12. Insert one of your smart cards
            13. Enter the user PIN - 12345678 - it takes a few minutes to write the certificate to the card.
            14. Click Next User and repeat the process for 2 more users.
            15. When you are finished, close the MMC console and log out
      7. Log on as a user using their smart card and change your PIN. I could not get this to work for the second user.
        a. Press Ctrl+Alt+Ins to log in to the Windows workstation
        b. Click Switch User and insert the smart card of one of your users
        c. The login window should reflect the correct user and prompt you to enter the PIN associated with the card. Enter the PIN 12345678 and click the
        d. After you log in, open the ACS Admin Tool from Programs
          i. The admin tool will find the reader and the card.
          ii. Click Log-in and provide the default PIN.
          iii. The certificate should be listed on the left hand side. Take a screenshot.
             [attached screenshot: Smart card information for Brandon.png]
          iv. Click Change PIN and enter a unique PIN - write it on the smart card
      8. Group Policy and Smart Cards - It is possible to configure Group Policy so that a smart card is required for logon for a specific group of users or for a specific group of computers.
      9. Bottom line: Smart card logon works the way we expected it to work. However, you have to install the CSP (Cryptography Service Provider) on every workstation you want the cards to work with. Also, you have to select the CSP when requesting the certificates that you want stored on the cards. The reading I did in preparation for this lab indicates that this process is going to get better. It is expected that smart card manufacturers will make the drivers more readily available and not require their own CSP. That will make it much smoother for us administrators.
      10. Lab Challenge - Change the Exchange User Certificate that you created in Lab 13 and add the cryptography requirements. Request an Exchange Certificate and store it on your smart card. Use the certificate to digitally sign messages.
      11. When you are finished with today's lab:
        a. Log in to the enrollment station as Emily and use the ACOS5 Clear Card tool to put the cards back to the factory state.
          i. Click Connect to Card
          ii. Click Clear Card
        b. Give the reader and the cards back to the instructor
      12. If you get the following message, complete the steps to solve the problem:

      "The system could not log you on. You cannot use a smart card to log on because smart card logon is not supported for your user account. Contact your system administrator to ensure that smart card logon is configured for your organization."

      Re-issue the Domain Controller Authentication cert by following these steps:
        a. On DC01, open an MMC.
        b. Add the Certificates snap-in directed at the computer account
        c. Expand Certificates, right-click Personal, click All Tasks, and then click Request New Certificate.
        d. Certificate Enrollment Policy - verify Active Directory Enrollment Policy - Next
        e. On the Request Certificates page select Domain Controller Authentication
        f. Next, Finish

      Take a screenshot of the Windows 10 login window using a smart card as the login method.

      [attached screenshot: Smart card information for Brandon.png]

      Take a screenshot of the CA showing both templates:

      [attached screenshot: CA templates.png]

      posted in IT Discussion
      bbigford
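      As an added check (my own script, not part of the lab or this post), the PowerShell below reads the two lab templates' issuance settings from Active Directory and confirms that the DC holds a certificate with the EKUs the Domain Controller Authentication template issues, which is the cert the lab re-issues to clear the "smart card logon is not supported for your user account" error. The template names INTCXX Smartcard Logon / INTCXX Enrollment Agent come from the lab; the function names are assumptions, and the script assumes the RSAT ActiveDirectory module on a domain-joined host, with the DC portion run on DC01.

```powershell
# Added verification script; not from the lab or the forum post.
# Assumes the RSAT ActiveDirectory module; run Test-DcSmartCardCert on the DC.
Import-Module ActiveDirectory

# Well-known OIDs (PKIX / Microsoft)
$OidClientAuth     = '1.3.6.1.5.5.7.3.2'
$OidServerAuth     = '1.3.6.1.5.5.7.3.1'
$OidSmartCardLogon = '1.3.6.1.4.1.311.20.2.2'
$OidRequestAgent   = '1.3.6.1.4.1.311.20.2.1'   # Certificate Request Agent

# Certificate templates live in the configuration partition.
$cfg     = (Get-ADRootDSE).configurationNamingContext
$tplBase = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$cfg"

# Read the issuance settings the lab's template tabs map to:
#   pKIExtendedKeyUsage           -> Extensions tab (EKUs)
#   msPKI-RA-Signature            -> "This number of authorized signatures"
#   msPKI-RA-Application-Policies -> Application Policy the signer must hold
function Get-TemplateSummary {
    param([string]$DisplayName)
    $t = Get-ADObject -SearchBase $tplBase -LDAPFilter "(displayName=$DisplayName)" `
        -Properties pKIExtendedKeyUsage, 'msPKI-RA-Signature', 'msPKI-RA-Application-Policies'
    if (-not $t) { Write-Warning "Template '$DisplayName' not found"; return $null }
    [pscustomobject]@{
        Template           = $DisplayName
        EKUs               = @($t.pKIExtendedKeyUsage)
        RequiredSignatures = [int]$t.'msPKI-RA-Signature'
        AgentPolicy        = (@($t.'msPKI-RA-Application-Policies') -join ' ')
    }
}

# Lab step 5.a.v: the logon template must demand one signature from a holder of
# the Certificate Request Agent policy. Without it, anyone with Enroll on the
# template could request a logon certificate for themselves.
$logon = Get-TemplateSummary 'INTCXX Smartcard Logon'
if ($logon) {
    if ($logon.RequiredSignatures -lt 1 -or $logon.AgentPolicy -notlike "*$OidRequestAgent*") {
        Write-Warning "INTCXX Smartcard Logon does not require an enrollment agent signature"
    }
    if ($logon.EKUs -notcontains $OidSmartCardLogon) {
        Write-Warning "INTCXX Smartcard Logon lacks the Smart Card Logon EKU"
    }
}

# Lab step 1.c.vi: the agent template must carry the Certificate Request Agent EKU.
$agent = Get-TemplateSummary 'INTCXX Enrollment Agent'
if ($agent -and $agent.EKUs -notcontains $OidRequestAgent) {
    Write-Warning "INTCXX Enrollment Agent lacks the Certificate Request Agent EKU"
}

# Lab step 12: the DC needs a current certificate with Client Authentication,
# Server Authentication and Smart Card Logon EKUs (what Domain Controller
# Authentication issues) or smart card logons fail with the quoted message.
function Test-DcSmartCardCert {
    $required = @($OidClientAuth, $OidServerAuth, $OidSmartCardLogon)
    $ok = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $ekus = @($_.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
        $_.NotAfter -gt (Get-Date) -and
        (@($required | Where-Object { $ekus -notcontains $_ })).Count -eq 0
    }
    if ($ok) {
        $ok | Select-Object Subject, NotAfter, Thumbprint
    } else {
        Write-Warning "No valid DC cert with Client/Server Auth + Smart Card Logon EKUs; re-request Domain Controller Authentication"
    }
}

$logon
$agent
Test-DcSmartCardCert
```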
    • Office MSI & Click-To-Run coexistence

      Without converting a CTR (because it'll break after about a week; even guides that show the conversion state it'll break), does anyone have any way to make a CTR & MSI coexist on the same computer, which would otherwise throw an error?

      I understand this is not officially supported by Microsoft, as stated on MSDN. Just curious if anyone has found a workaround that is stable.

      posted in IT Discussion
      bbigford
    • Symantec PGP vs...

      Anyone compared anything to Symantec PGP? If so, what have you looked at?

      posted in IT Discussion security encryption gpg pgp
      bbigford
    • Rackspace email

      Anyone supported Rackspace email? I've heard about a few SMBs using it but haven't heard much. My sister's realty company uses it currently.

      As an example of comparison, I've supported GoDaddy email and it is terrible. I've always advised SMBs to use the products they specialize in... Speaking to GoDaddy, they can host a domain, but stay away from their email. I've recommended things like O365, on-premises Exchange, and Google Domains/Gmail accordingly.

      Is Rackspace the same?

      posted in IT Discussion
      bbigford
    • RE: Networking clear up question

      @StrongBad said in Networking clear up question:

      What did they have to say when you explained the difference between a protocol and a physical connector?

      Acted like they didn't hear what I said. lol

      posted in IT Discussion
      bbigford
    • Restoring SBS after cryptoware infection

      Getting to the point where I'll have to run a full restore on an SBS server (infected with Fantom. From Russia with love). Granular restore in BackupExec just freezes. I just know something is going to break since it's SBS. Usually it is Exchange, sometimes it is workstation trusts with AD. They have other servers set up to get away from SBS, but they're in their last ~2 months of reliance on it.

      Share your SBS restore horror stories here.

      posted in IT Discussion
      bbigford
    • RE: AD - multi user password reset

      @MattSpeller So I did a little testing with some users. Lol, I honestly have never tried to deselect an attribute in bulk before. So the left box has to be checked to select the right box.

      If you check only the left box, you are removing a checked box on the user's profile (like cannot change password). If you check both boxes you are checking off an attribute (like user must change password at next login).

      Just thought I'd pop in and clarify...

      posted in IT Discussion
      bbigford
    • RE: Linux Mint login screen modification

      Now I see some clarification after a little testing. If I use the graphical tool Users and Groups, I cannot save the user by only entering the username (blank comment), I have to enter a full name which then creates a comment. But if I use adduser and just hit enter on the full name section, it doesn't create a comment automatically. Command line wins again.

      posted in IT Discussion
      bbigford
    • RE: eh? you want to what? something about my DNS and Domain?

      Option 1: Stop doing any kind of business with us.

      Option 2: Only do business with us.

      I'd go with option 1 if they are trying to force me into doing something I don't want to do.

      posted in IT Discussion
      bbigford
    • RE: Alternatives to MS SQL Server

      @tim_g said in IIS on prem to hosted migration:

      @scottalanmiller said in IIS on prem to hosted migration:

      Add to this the tendency to disastrously choose MS SQL Server as a datastore and the problems just skyrocket.

      What do you typically recommend as a MS SQL replacement (given the software using it would support other solutions)?

      Really depends on what you're trying to accomplish. MariaDB or Postgre seem to be very popular. MySQL works fine, but it's very close to MariaDB. MariaDB is a fork of MySQL, but has some added benefits with bug fixes, added storage engines, performance gains, etc. Here's a breakdown of MySQL vs. Postgre.

      posted in IT Discussion
      bbigford
    • Outlook vs. Gmail - mail & calendar exporting

      A client is consolidating a ton of Gmail and Hotmail accounts from a bunch of their businesses, into O365. I've been doing exports/imports, setting up forwarding, etc.

      One thing I've noticed, during a Gmail and Outlook migration to O365... Gmail has many little things that have made this pretty easy to get off Google. You can pretty much export whatever you want down to a granular level of services; you can also make it even easier and use Google Takeout. Outlook/Hotmail, so far, blows. You can't export a calendar, or your mailbox. You can do contacts though.

      I ended up having to use the local Outlook client, add the user's hotmail account, export to PST, then import the PST into the other account. Anyone know of any easier way to export mail pst and calendar ics directly from the Outlook/Hotmail web login?

      Edit: Migration issues were in another thread. I wasn't getting any contacts or calendars, and thought the migration was only intended to migrate email. https://mangolassi.it/topic/16297/o365-gmail-migration-issues/2

      posted in IT Discussion
      bbigford
    • RE: server barebones: asrock, gigabyte, tyan, intel, chenbro. Opinions?

      ASRock and Gigabyte are good choices. Avoid Intel boards. I haven't seen the others on this side of the Atlantic.

      posted in IT Discussion
      bbigford
    • RE: server barebones: asrock, gigabyte, tyan, intel, chenbro. Opinions?

      @emad-r said in server barebones: asrock, gigabyte, tyan, intel, chenbro. Opinions?:

      @bbigford said in server barebones: asrock, gigabyte, tyan, intel, chenbro. Opinions?:

      For production, absolutely not. I would never build a white box for production.

      For a lab, I have built quite a few higher end PCs for that. Where I can just do nested virtualization to install and test hosts (some platforms do not support nested), and then everything is virtualized just as it should be. But again, this is strictly for lab purposes and would never be put into production.

      It is good to get as close to production when testing. That is why lots of people will fork out a fortune to buy the exact same gear (systems, networking, storage, etc). But I just refuse to spend that kind of money and I know work isn't going to for a test lab (past employers did, if it was for a customer and they were getting some kind of return... They were mimic environments). Since I won't buy servers, I'll just virtualize them. The hardware I'd be missing, and pretty important to understand, is working with different RAID controllers and iDRAC/iLO. But once you understand how those work, I'm not spending thousands just to have them in my lab.

      For my networking stuff, I'll just use GNS3/etc.

      You just have to read the manual of every part, and be knowledgeable and be able to predict how it will all fit together.

      Lol, reading manuals and knowing how things fit together has absolutely zero to do with my decision not to use a whitebox build for a production system. It makes sense that you might build if you're outside of the USA. I get black boxes at a low price, so some regions overseas might have to build because of some increased costs. There's no reality where building a whitebox in the USA makes any financial sense, from both an initial cost and an operating cost should anything go wrong. There are just too many solid vendors that offer affordable black box systems.

      Also, our servers don't use SATA drives, they are all SAS. Also not dropping in A4 CPUs, they are all x2 8-12 core CPUs for hosts. I just can't build that out for the same price, and it honestly isn't worth my time or the client's money to have so much hands on with one system (let alone multiple if they are in a cluster or multi-cluster environment). For operating costs if something goes wrong, it's more cost effective to have "one throat to choke" instead of me spending lots of time troubleshooting and replacing parts. I can just open a service request with the vendor, and move on to the next client.

      posted in IT Discussion
      bbigford
    • RE: Office 365 Account Deleted While Using

      @jaredbusch said in Office 365 Account Deleted While Using:

      @minion-queen said in Office 365 Account Deleted While Using:

      @jaredbusch said in Office 365 Account Deleted While Using:

      @minion-queen said in Office 365 Account Deleted While Using:

      @dbeato said in Office 365 Account Deleted While Using:

      @minion-queen said in Office 365 Account Deleted While Using:

      Mine went down too. So an old MS Concierge person that connected O365 to AD 2 years ago that was "disconnected" ... wasn't.

      We are both back up now. WHAT A FREAKING PAIN!

      So were any of the accounts using AD Synchronization by any chance?

      Yeah and we deleted some workloads on Azure today I will let you guess what one of them was...

      So user caused issue.

      Did no one check that AD sync was still active?

      Well, the Concierge person did something funky back then (remember Scott's issues from way way back?), and we thought that the disconnection was done. But they had to repair things on their side still for both our accounts (I didn't have issues last time but I did today), but no one else on the team did. So weird.

      Well, I didn't say you caused the issue.

      Failure to verify, but something that should not have needed to be verified.

      Same issue I had with a Dell tech that replaced a drive and rebuilt an array for me 5 years ago. I found out 2 years ago that he rebuilt it as a RAID0 .......

      Lmao!

      ...I don't have anything constructive to say. That's just funny as shit.

      posted in IT Discussion
      bbigford
    • RE: Backing up a Synology

      @bbigford said in Backing up a Synology:

      After looking at pricing, past 2TB it makes sense to go with CrashPlan. It looks like their pricing is a flat $10/device/month for unlimited storage. But under 2TB BackBlaze can save quite a bit of money in the long run.

      The setup is very unsupported though. https://miketabor.com/install-crashplan-synology/

      Pretty ugly setup overall.

      posted in IT Discussion
      bbigford
    • RE: SodiumSuite sign up temporarily frozen?

      @coliver said in SodiumSuite sign up temporarily frozen?:

      @romo said in SodiumSuite sign up temporarily frozen?:

      The register now button in the hero image is redirecting properly to https://sodium.waxquixotic.com/companyCreation, so new accounts can indeed register.

      It took me way too long to find that button when I looked this morning.

      @coliver I like the look of the new changes in the last couple days. Register is super clear and works on Firefox as well now it looks like. After you've already registered though, where are you supposed to login? The previous had both registration and login; I can only find registration now. Searched for SodiumSuite login via search engine, dug through the site, tried on different browsers (thinking a web part wasn't loading again).

      posted in IT Discussion
      bbigford
    • RE: Zimbra help..multi-domain each with own external relay

      @vhinzsanchez said in Zimbra help..multi-domain each with own external relay:

      @dbeato
      Wow! You are one of the gems who has set it up correctly.

      How? How? How?

      [attached image: websearch.png]

      posted in IT Discussion
      bbigford
    • RE: Goto Linux Server OS

      RHEL if support is required, CentOS if I'm being lazy on updates (joke); beginning to just use Fedora Server for everything not requiring support. I will probably start phasing out CentOS.

      posted in IT Discussion
      bbigford