Category Archives: windows

Yubikeys and Citrix Web Interface

I’ve had a look at using yubikeys with the xenapp 5 web interface recently to enhance the security of external access to our systems. I’ve installed a yubiradius server on our ESX infrastructure and have it validating users correctly. The only issue is the odd way that the server handles passcodes. Sending simply the passcode on it’s own won’t work. Yubiradius will be unable to parse the key, as it attempts to split the string int “password” and “yubikey”. Now, as far as I can tell nothing happens to the actual password field. I’ve been logging on with my user name, password and in the passcode box I can enter any rubbish followed by the yubikey OTP. The server then parses this correctly and everything seems to be ok. So, in order that users don’t ahve to enter some rubbish before the OTP, I’ve written a short bit of java to prepend some rubbish to the passcode box and then sending the form.

You’ll need to find “login.js” on the server and add the following somewhere. The document.get element should be on a single line. Wrapped for readbility
function mangle()

Find the function “function setup_login_submit_keys()” and edit it so that it looks like this:
if (keynum == 13) { // enter key
return false;

This should work. As the yubikey has an “enter” at the end of it, then this will run the manglescript when the form is submitted with enter. It doesn’t do anything clever. It jsut adds the entered password before the yubikey OTP is sent. Seems to work fine for me.


My own Symantec Stupidity

Having not looked at the SEPM console for a while, I failed to ntice that there were hardly any clients listed. Approximately 1000 were missing. Ooops. The upshot of this is that I discovered fixing this is a total pain. The problem began when I decided to load balance clients between our two management servers. However, I managed to do the following.
Make a typo in both of the server names
Enable SSL without an actual SSL cert

This took a long time to fix, mostly because I tried things suggested on forums before using my own brain. A lot of them suggested pushing out a new sylink.xml file to the clients to get them to update the server they conenct to. This had no effect. The file is never read from what I can tell. The registry entries didn’t change. I tried both of Symantec’s tools but after a few days of messing around with SCCM advertisements I gave in.

The simple solution for me, was to add a CNAME in DNS for the wrong server name, and point it to the correct one. Once they connected, they will pick up the new policy with the corrected server names. I also added the correct certificate in IIS on the SEPM server. I assumed it used its own server rather than IIS, but there we go.

2008 R2 SQL Reporting Services 2005

Well I’ve been having a lot of fun trying to get this installed. For anyone else wondering why the option to install it is greyed out. I’ve discovered that you need the folling installed on the 2008 R2 box:

The most trouble is caused by IIS, and the fact that you need the following bits and pieces in order to make it work.

Component Folder
Static Content Common HTTP Features
Default Document Common HTTP Features
HTTP Redirection Common HTTP Features
Directory Browsing Common HTTP Features
ASP.Net Application Development
ISAPI Extension Application Development
ISAPI Filters Application Development
Windows Authentication Security
IIS Metabase Management Tools
IIS 6 WMI Management Tools

Hopefully, when you have those installed everything should work ok and it will no longer be greyed out. Don’t forget to put SQL SP3 on afterwards!

SCCM OSD 80004005

I’ve been having a lot of trouble recently with this error. Running an OSD from PXE results in the error 80004005. Nothing specific in the logs other than that error message. I noticed tat if I disabled the install drivers part of the TS, then it worked ok. So clearly one of the drivers was a mess. After a lot of searching I found an article that basically said it was due to the entwork drivers. Now, WinPE includes network drivers, and if this drive is different to the one used by Windows itself, when the driver is updated it will cause a disconnection from the DP. This causes the error. The way around that I have found is to make the advertisement download the content lcoally. This means that it won’t disconnect from the DP, as it’s running locally. Why this is a problem I don’t know. Surely it should jsut try to connect again, but I guess not.

There is an article here on Windows Noob (very good site) that explains it a bit more