Category Archives: IT

Yubikeys and Citrix Web Interface

I’ve had a look at using YubiKeys with the XenApp 5 Web Interface recently to enhance the security of external access to our systems. I’ve installed a YubiRADIUS server on our ESX infrastructure and have it validating users correctly. The only issue is the odd way that the server handles passcodes. Sending the passcode on its own won’t work: YubiRADIUS will be unable to parse the key, as it attempts to split the string into a “password” part and a “yubikey” part. Now, as far as I can tell nothing happens to the actual password field. I’ve been logging on with my user name and password, and in the passcode box I can enter any rubbish followed by the YubiKey OTP. The server then parses this correctly and everything seems to be OK. So, so that users don’t have to type some rubbish before the OTP, I’ve written a short bit of JavaScript that prepends the password to the passcode box and then submits the form.

You’ll need to find “login.js” on the server and add the following somewhere. The document.getElementById assignment is wrapped here for readability.
// Prepend the typed password to the YubiKey OTP so that YubiRADIUS
// can split the passcode into a "password" part and a "yubikey" part.
function mangle()
{
    document.getElementById("passcode").value =
        document.getElementById("password").value +
        document.getElementById("passcode").value;
}

Find the function “function setup_login_submit_keys()” and edit it so that the Enter-key branch looks like this:
if (keynum == 13) { // enter key
    mangle();        // rewrite the passcode field before the form goes
    submitForm();
    return false;
}

This should work. As the YubiKey sends an “enter” at the end of the OTP, this runs the mangle script when the form is submitted with Enter. It doesn’t do anything clever. It just adds the entered password before the YubiKey OTP is sent. Seems to work fine for me.

Enjoy!

2003 P to V 100% CPU

I’ve been having issues with a P to V recently where the CPU is pegged at 100% shortly after boot, making it impossible to log in or do anything. I gave it more RAM and somehow managed to log in and fire up Task Manager before the madness started. I killed the offending tasks and had a look through the services to see which one was no longer running. It turns out that “HP Insight Foundation Agent” was the culprit. I’ve disabled this along with all the other HP agents and things seem fine. It was a pretty old version we were running, and it might be fixed in a newer one. However, they serve no purpose now that it’s a VM, so disabling them is probably a good thing either way.

SCCM, OSD and Bitlocker PIN

I’ve been having some fun this week sorting out a task sequence with SCCM that will deploy everything and enable BitLocker with a PIN. I want users to be prompted for a PIN when they boot their PC. I have the tasks correct; I used HP’s BIOS configuration tool to turn on the TPM. I then take ownership of it with the following command (the argument to -o is the TPM owner password)

%systemroot%\System32\manage-bde.exe -tpm -o information

It’s then rebooted just to be sure. The problem I had was when I was running the command to enable the PIN. I received a Group Policy error: “The task sequence execution engine failed executing the action xxx in the group yyy with the error code 2150695008” (that is 0x80310060 in hex) and “Group Policy settings do not permit the use of a PIN at startup. Please choose a different BitLocker startup option.” I double checked and all my Group Policy options were correct. What gives?

Well, it turns out that OSD doesn’t pick up any Group Policies that I could find. Running a gpupdate after using the F8 debug just hung and eventually errored. My solution was to export the registry settings from a working PC on the domain and then run an import as part of the task sequence. The settings are located under HKLM\SOFTWARE\Policies\Microsoft\FVE. These are exported to a package with a program that just calls “regedit /s bitlocker.reg”. After the import, I run the command

%SYSTEMROOT%\system32\manage-bde.exe -protectors -add %SystemDrive% -tp 1234567890

This sets the PIN and everything is now working well. Obviously, swap 1234567890 for something a bit less obvious 😉
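The whole procedure above as a single task-sequence script is an added example, not code from the original post: it writes the BitLocker startup-authentication policy that the OSD engine never receives from Group Policy, then adds the TPM+PIN protector and fails the step if manage-bde refuses. The registry value names and their 0 = do not allow / 1 = require / 2 = allow encoding are assumed to be the ones written by the “Require additional authentication at startup” policy (compare them with a .reg export from a working domain PC, as the post describes), and the PIN is assumed to arrive in a task-sequence variable named OSDBitLockerPIN rather than being typed into the package.

```powershell
# Added example (not from the original post). Assumptions not on the page:
# the FVE value names/encoding below match the "Require additional
# authentication at startup" GPO, and the PIN is in the task-sequence
# variable OSDBitLockerPIN.
$ErrorActionPreference = 'Stop'
$fveKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# Policy values: 0 = do not allow, 1 = require, 2 = allow (assumed encoding).
$policy = @{
    UseAdvancedStartup = 1   # turn the startup-authentication policy on
    EnableBDEWithNoTPM = 0   # the TPM is already turned on and owned
    UseTPM             = 0   # TPM alone: do not allow
    UseTPMPIN          = 1   # TPM + PIN: require
    UseTPMKey          = 0   # TPM + startup key: do not allow
    UseTPMKeyPIN       = 0   # TPM + key + PIN: do not allow
}

# Write the values the policy engine would have written on a domain PC.
if (-not (Test-Path $fveKey)) { New-Item -Path $fveKey -Force | Out-Null }
foreach ($name in $policy.Keys) {
    New-ItemProperty -Path $fveKey -Name $name -Value $policy[$name] `
        -PropertyType DWord -Force | Out-Null
}

# Read the PIN from the task sequence environment instead of the package.
$tsEnv = New-Object -ComObject Microsoft.SMS.TSEnvironment
$pin = $tsEnv.Value('OSDBitLockerPIN')
if ([string]::IsNullOrEmpty($pin) -or $pin.Length -lt 4) {
    throw 'OSDBitLockerPIN is missing or shorter than the 4-digit default minimum'
}

# A TPM+PIN protector only makes sense on a TPM that has been owned.
$tpm = Get-WmiObject -Namespace 'root\CIMV2\Security\MicrosoftTpm' -Class Win32_Tpm
if (-not $tpm -or -not $tpm.IsOwned().IsOwned) {
    throw 'TPM is absent or not owned; run manage-bde -tpm -o <ownerpassword> first'
}

# -TPMAndPIN is the long form of the -tp switch used in the post.
& "$env:SystemRoot\System32\manage-bde.exe" -protectors -add $env:SystemDrive -TPMAndPIN $pin
if ($LASTEXITCODE -ne 0) {
    # Non-zero means manage-bde refused; its console output carries the
    # error text (the one quoted in the post is 2150695008 = 0x80310060).
    throw ('manage-bde -protectors -add failed, exit code 0x{0:X8}' -f $LASTEXITCODE)
}
```

Run it from a Run Command Line step as powershell.exe -ExecutionPolicy Bypass -File <script> after the reboot that follows taking TPM ownership. The caveat the “swap 1234567890” hint glosses over: a PIN fixed in a package, or in a collection variable, is the same on every machine and readable by anyone who can read the package share, so treat it as a build-time placeholder and have the user replace it with manage-bde -changepin at first logon.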

SCCM OSD 80004005

I’ve been having a lot of trouble recently with this error. Running an OSD from PXE results in the error 80004005. Nothing specific in the logs other than that error message. I noticed that if I disabled the install drivers part of the TS, then it worked OK. So clearly one of the drivers was a mess. After a lot of searching I found an article that basically said it was due to the network drivers. Now, WinPE includes its own network drivers, and if this driver is different from the one used by Windows itself, then when the driver is updated it will cause a disconnection from the DP. This causes the error. The way around it that I have found is to make the advertisement download all the content locally before the task sequence starts. This means that it won’t disconnect from the DP, as it’s running locally. Why this is a problem I don’t know. Surely it should just try to connect again, but I guess not.

There is an article here on Windows Noob (a very good site) that explains it a bit more: http://www.windows-noob.com/forums/index.php?/topic/1688-nic-devices-that-require-a-special-driver-for-winpe-may-cause-a-configmgr-task-sequence-to-fail/

2008 R2 svchost fun / crashing

Our Citrix farm has been displaying interesting performance recently. We’ve deployed XenApp onto new servers that sit on an ESX farm. We’ve been having huge issues with random services crashing for no reason, affecting most of the servers. The relevant error messages are below.

The Windows Management Instrumentation service terminated unexpectedly.

The Shell Hardware Detection service terminated unexpectedly.

The User Profile Service service terminated unexpectedly.

The Application Information service terminated unexpectedly.

The Application Experience service terminated unexpectedly.

Faulting application name: svchost.exe, version: 6.1.7600.16385, time stamp: 0x4a5bc3c1
Faulting module name: ntdll.dll, version: 6.1.7600.16559, time stamp: 0x4ba9b802
Exception code: 0xc000071f
Fault offset: 0x000000000006e51c
Faulting process id: 0x1f3c
Faulting application start time: 0x01cb612b72787ca8
Faulting application path: C:\Windows\system32\svchost.exe
Faulting module path: C:\Windows\SYSTEM32\ntdll.dll
Report Id: 3d10f918-cd20-11df-a871-005056b14de0


Anyway, this appears to be caused by a bug in the WMI service, for which MS have provided a (scalding) hot-fix, located here: http://support.microsoft.com/kb/982293
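To find out which servers in a farm are hitting this and which already have the hotfix, here is an added example (not code from the original post): it matches the crash signature quoted above in Application-log event 1000 messages and looks for KB982293 in the installed hotfix list. It assumes the servers are reachable for remote event-log and WMI queries and that the hotfix registers itself as KB982293 in Win32_QuickFixEngineering; the server names at the bottom are placeholders.

```powershell
# Added example (not from the original post). Assumes remote event-log and
# WMI access to the servers and that the hotfix shows up as KB982293.

# $true when an Application-log event 1000 message carries the signature
# shown in the post: svchost.exe faulting in ntdll.dll with 0xc000071f.
function Test-SvchostNtdllCrash {
    param([Parameter(Mandatory)][string]$Message)
    return ($Message -match 'Faulting application name:\s*svchost\.exe') -and
           ($Message -match 'Faulting module name:\s*ntdll\.dll') -and
           ($Message -match 'Exception code:\s*0xc000071f')
}

# Sanity check against the event text quoted in the post (constructed here,
# no live query involved).
$sample = @'
Faulting application name: svchost.exe, version: 6.1.7600.16385, time stamp: 0x4a5bc3c1
Faulting module name: ntdll.dll, version: 6.1.7600.16559, time stamp: 0x4ba9b802
Exception code: 0xc000071f
Fault offset: 0x000000000006e51c
'@
if (-not (Test-SvchostNtdllCrash $sample)) { throw 'signature test failed on the sample event' }

# One row per server: how many matching crashes in the window, when the
# last one was, and whether KB982293 is installed.
function Get-FarmCrashReport {
    param([Parameter(Mandatory)][string[]]$ComputerName, [int]$Days = 7)
    $filter = @{ LogName = 'Application'; Id = 1000; StartTime = (Get-Date).AddDays(-$Days) }
    foreach ($server in $ComputerName) {
        $hits = @(Get-WinEvent -ComputerName $server -FilterHashtable $filter -ErrorAction SilentlyContinue |
                  Where-Object { Test-SvchostNtdllCrash $_.Message })
        $last = $null
        if ($hits.Count -gt 0) {
            $last = ($hits | Sort-Object TimeCreated -Descending | Select-Object -First 1).TimeCreated
        }
        $fixed = Get-WmiObject -ComputerName $server -Class Win32_QuickFixEngineering -ErrorAction SilentlyContinue |
                 Where-Object { $_.HotFixID -eq 'KB982293' }
        [pscustomobject]@{
            Server    = $server
            Crashes   = $hits.Count
            LastCrash = $last
            KB982293  = [bool]$fixed
        }
    }
}

# Usage: replace the placeholder names with the farm's servers.
Get-FarmCrashReport -ComputerName @('XENAPP01', 'XENAPP02') -Days 7 | Format-Table -AutoSize
```

A server showing crashes with KB982293 = False is the one to patch next; one still crashing with KB982293 = True is worth a closer look, since the hotfix only addresses the WMI bug the post describes.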

Hopefully this will be of use to someone! Took a long time for me to find!