Category Archives: windows

Yubikeys and Citrix Web Interface

I’ve had a look at using YubiKeys with the XenApp 5 web interface recently to enhance the security of external access to our systems. I’ve installed a YubiRADIUS server on our ESX infrastructure and have it validating users correctly. The only issue is the odd way that the server handles passcodes. Sending the passcode on its own won’t work: YubiRADIUS is unable to parse it, because it attempts to split the string into a “password” part and a “yubikey” part. As far as I can tell, nothing happens to the actual password field. I’ve been logging on with my user name and password, and in the passcode box I can enter any rubbish followed by the YubiKey OTP; the server then parses this correctly and everything seems to be ok. So, in order that users don’t have to type some rubbish before the OTP, I’ve written a short bit of JavaScript that prepends the contents of the password box to the passcode box and then submits the form.
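To make the splitting behaviour described above concrete, here is an added example (not the author’s code and not YubiRADIUS’s own implementation) that models how a RADIUS front end pulls a combined “password + OTP” string apart. It assumes the OTP is the trailing 44 ModHex characters (a 12-character public ID followed by the 32-character encrypted token), which is the standard YubiKey OTP length; the password and OTP values fed in are constructed for the demonstration.

```powershell
# Added example, not from the original post: a model of how a RADIUS front end
# splits a combined "password + OTP" string, which is what the post describes
# YubiRADIUS doing. Assumption: the OTP is the trailing 44 ModHex characters
# (12-character public ID + 32-character encrypted token), the standard YubiKey
# OTP length; a server configured for a different public ID length splits elsewhere.
function Split-YubiPasscode {
    param([Parameter(Mandatory=$true)][string]$Combined)

    $otpLength = 44
    if ($Combined.Length -lt $otpLength) {
        throw "Input is $($Combined.Length) chars; a YubiKey OTP alone is $otpLength, so there is nothing to split."
    }
    $otp      = $Combined.Substring($Combined.Length - $otpLength)
    $password = $Combined.Substring(0, $Combined.Length - $otpLength)

    # ModHex alphabet (cbdefghijklnrtuv): the key types these characters so the
    # OTP survives non-US keyboard layouts. Anything else at the tail is not an OTP.
    if ($otp -notmatch '^[cbdefghijklnrtuv]{44}$') {
        throw 'Trailing 44 characters are not ModHex; no OTP found.'
    }
    New-Object PSObject -Property @{
        Password = $password
        PublicId = $otp.Substring(0, 12)   # identifies the key; constant for a given YubiKey
        Otp      = $otp
    }
}

# Constructed inputs: a made-up password and a made-up 44-character ModHex string.
$fakeOtp = 'cccccccbejhb' + 'dhtlrbutblhgifekbgfihrcnkjhthgbl'

Split-YubiPasscode -Combined ('rubbish' + $fakeOtp)      # Password = 'rubbish', the "any rubbish" case
Split-YubiPasscode -Combined ('Pa55word!' + $fakeOtp)    # what prepending the password box produces
(Split-YubiPasscode -Combined $fakeOtp).Password.Length  # 0: a bare OTP leaves the password part empty
```

The last call shows why a bare OTP is the awkward case: under this model the password part comes out empty, so whatever goes in front of the OTP is what the server sees as the password half of the pair.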

You’ll need to find “login.js” on the server and add the following function somewhere in it. The assignment to the passcode field is wrapped over three lines here for readability; it can equally sit on one line.
// Prepend whatever is in the password box to the passcode box, so the
// RADIUS server receives "password + OTP" in the passcode field.
function mangle()
{
    document.getElementById("passcode").value =
        document.getElementById("password").value +
        document.getElementById("passcode").value;
}

Find the function “function setup_login_submit_keys()” and edit it so that it looks like this:
if (keynum == 13) { // enter key
    mangle();
    submitForm();
    return false;
}

This should work. As the YubiKey types an “enter” at the end of the OTP, this runs the mangle script when the form is submitted with Enter. It doesn’t do anything clever. It just adds the entered password before the YubiKey OTP is sent. Seems to work fine for me. Two things to be aware of: mangle() is only wired to the Enter key, so a user who clicks the log-on button instead submits the passcode box unmodified; and the password is now sent twice, once in its own field and again as the prefix of the passcode, so it reaches the RADIUS server as part of the passcode as well.

Enjoy!

My own Symantec Stupidity

Having not looked at the SEPM console for a while, I failed to notice that there were hardly any clients listed. Approximately 1000 were missing. Oops. The upshot of this is that I discovered fixing it is a total pain. The problem began when I decided to load balance clients between our two management servers. However, I managed to do the following:
Make a typo in both of the server names
Enable SSL without an actual SSL cert

This took a long time to fix, mostly because I tried things suggested on forums before using my own brain. A lot of them suggested pushing out a new sylink.xml file to the clients to get them to update the server they connect to. This had no effect. The file is never read, from what I can tell. The registry entries didn’t change. I tried both of Symantec’s tools, but after a few days of messing around with SCCM advertisements I gave in.

The simple solution for me was to add a CNAME in DNS for the wrong server name and point it at the correct one. Once the clients connected, they picked up the new policy with the corrected server names. I also added the correct certificate in IIS on the SEPM server. I had assumed it used its own web server rather than IIS, but there we go.
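Both mistakes above (a typo in the server names, and SSL turned on without a usable certificate) are things a client would hit before it ever talked to the management server, so they can be checked from any Windows box before the policy is pushed. The following is an added example, not part of the original post or a Symantec tool: for each management server name it confirms that DNS resolves, that a TLS handshake completes, and whether the certificate presented validates and matches the name. It assumes SEPM is published over HTTPS on port 443 (change -Port if yours differs); the server names in the usage line are constructed.

```powershell
# Added example, not from the original post: a pre-flight check to run before
# putting new management server names into a SEP policy. For each name it
# confirms DNS resolves, that a TLS handshake on the HTTPS port succeeds, and
# whether the certificate presented validates and matches the name.
# Assumption: SEPM is published over HTTPS on port 443; change -Port if not.
function Test-SepmServer {
    param(
        [Parameter(Mandatory=$true)][string[]]$ServerName,
        [int]$Port = 443
    )
    foreach ($name in $ServerName) {
        $r = New-Object PSObject -Property @{
            Server = $name; Address = $null; TlsOk = $false; CertSubject = $null; Problem = $null
        }
        # 1. Does the name resolve at all? A typo here means no client ever connects.
        try {
            $r.Address = [string]([System.Net.Dns]::GetHostAddresses($name) | Select-Object -First 1)
        } catch {
            $r.Problem = "DNS lookup failed: $($_.Exception.Message)"
            $r
            continue
        }
        # 2. Can we complete a TLS handshake, and what certificate comes back?
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $client.Connect($name, $Port)
            # Accept any certificate during the handshake so it can be inspected below.
            $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
            $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
            $ssl.AuthenticateAsClient($name)
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
            $r.TlsOk       = $true
            $r.CertSubject = $cert.Subject
            $certName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
            if (-not $cert.Verify()) {
                $r.Problem = 'certificate chain does not validate (self-signed or untrusted issuer)'
            } elseif ($certName -ne $name) {
                # Wildcard certificates also land here; read CertSubject to decide.
                $r.Problem = "certificate is issued to '$certName', not '$name'"
            }
            $ssl.Close()
        } catch {
            # Covers the case in the post: SSL enabled with no usable certificate bound.
            $r.Problem = "TLS handshake failed: $($_.Exception.Message)"
        } finally {
            $client.Close()
        }
        $r
    }
}

# Constructed names for illustration; substitute your real management servers.
Test-SepmServer -ServerName 'sepm-mgmt01.corp.example', 'sepm-mgtm01.corp.example' |
    Format-Table Server, Address, TlsOk, CertSubject, Problem -AutoSize
```

A row with TlsOk false and a “DNS lookup failed” problem is the typo case; a row that resolves but fails the handshake is the “SSL without a certificate” case. Run it against the names exactly as they will appear in the policy, since that is the string the clients will use.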

2008 R2 SQL Reporting Services 2005

Well, I’ve been having a lot of fun trying to get this installed. For anyone else wondering why the option to install it is greyed out: I’ve discovered that it depends on a number of things being installed on the 2008 R2 box first.

The most trouble is caused by IIS, and the fact that you need the following role services in order to make it work.

Component                        Folder (in the Add Role Services tree)
Static Content                   Common HTTP Features
Default Document                 Common HTTP Features
HTTP Redirection                 Common HTTP Features
Directory Browsing               Common HTTP Features
ASP.NET                          Application Development
ISAPI Extensions                 Application Development
ISAPI Filters                    Application Development
Windows Authentication           Security
IIS 6 Metabase Compatibility     Management Tools
IIS 6 WMI Compatibility          Management Tools

Hopefully, once those are installed, everything should work and the option will no longer be greyed out. Don’t forget to apply SQL Server 2005 SP3 afterwards!

SCCM OSD 80004005

I’ve been having a lot of trouble recently with this error. Running an OSD from PXE results in the error 80004005. Nothing specific in the logs other than that error message. I noticed that if I disabled the install drivers part of the TS, then it worked ok. So clearly one of the drivers was a mess. After a lot of searching I found an article that basically said it was due to the network drivers. Now, WinPE includes network drivers, and if this driver is different from the one used by Windows itself, then when the driver is updated it will cause a disconnection from the DP. This causes the error. The way around it that I have found is to make the advertisement download the content locally. This means that it won’t disconnect from the DP, as it’s running locally. Why this is a problem I don’t know. Surely it should just try to connect again, but I guess not.
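The reason “nothing specific in the logs” is frustrating is that smsts.log records the generic 80004005 against the task sequence step rather than against the driver, so the useful information is which step it was and which component logged errors just before it. The following is an added example, not from the original post or from ConfigMgr: a small parser for the smsts.log (CMTrace) line format that pulls out the failed step, its error code, and the error lines leading up to it. The log lines embedded in it are constructed samples in that format, not copied from a live system; the package ID, DP name and source file names in them are made up.

```powershell
# Added example, not from the original post: pull the failed step and the
# errors leading up to it out of an smsts.log so you can see which action the
# task sequence died in. The lines below are constructed samples in the real
# smsts.log (CMTrace) format, not taken from a live system.
$sampleLog = @'
<![LOG[Start executing an instruction. Instruction name: Apply Driver Package. Pointer: 12.]LOG]!><time="10:11:02.101+000" date="05-12-2011" component="TSManager" context="" type="1" thread="1328" file="instruction.cxx:742">
<![LOG[Installing driver package from \\DP01\SMSPKGD$\ABC00012\]LOG]!><time="10:11:05.440+000" date="05-12-2011" component="OSDDriverClient" context="" type="1" thread="1420" file="driverinstaller.cpp:88">
<![LOG[Failed to open driver source \\DP01\SMSPKGD$\ABC00012\ (0x80004005)]LOG]!><time="10:11:41.903+000" date="05-12-2011" component="OSDDriverClient" context="" type="3" thread="1420" file="driverinstaller.cpp:201">
<![LOG[Failed to run the action: Apply Driver Package. Unspecified error (Error: 80004005; Source: Windows)]LOG]!><time="10:11:42.010+000" date="05-12-2011" component="TSManager" context="" type="3" thread="1328" file="instruction.cxx:3011">
<![LOG[Sending status message . . .]LOG]!><time="10:11:42.015+000" date="05-12-2011" component="TSManager" context="" type="1" thread="1328" file="utils.cpp:4785">
'@

function ConvertFrom-SmstsLog {
    param([Parameter(Mandatory=$true)][string]$Text)
    # One entry per <![LOG[...]LOG]!> record; type 3 = error, 2 = warning, 1 = info
    $pattern = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]*)"\s+date="(?<date>[^"]*)"\s+component="(?<comp>[^"]*)"\s+context="[^"]*"\s+type="(?<type>\d)"'
    foreach ($m in [regex]::Matches($Text, $pattern)) {
        $sev = switch ($m.Groups['type'].Value) { '3' { 'Error' } '2' { 'Warning' } default { 'Info' } }
        New-Object PSObject -Property @{
            Date      = $m.Groups['date'].Value
            Time      = $m.Groups['time'].Value
            Component = $m.Groups['comp'].Value
            Severity  = $sev
            Message   = $m.Groups['msg'].Value
        }
    }
}

function Find-TaskSequenceFailure {
    param([Parameter(Mandatory=$true)][object[]]$Entries)
    $priorErrors = @()
    foreach ($e in $Entries) {
        # TSManager names the step in "Failed to run the action: <step>. ... (Error: <code>; ...)"
        if ($e.Message -match '^Failed to run the action: (?<step>.+?)\..*\(Error: (?<code>[0-9A-Fa-f]{8});') {
            $hint = if ($Matches['step'] -match 'Driver') {
                'Driver step failed: if the NIC driver being installed differs from the one WinPE booted with, the DP connection drops. Set the advertisement to download content locally before running the TS.'
            } else {
                'Check the preceding error lines from the component that logged them.'
            }
            return New-Object PSObject -Property @{
                Step        = $Matches['step']
                ErrorCode   = $Matches['code']
                When        = "$($e.Date) $($e.Time)"
                PriorErrors = $priorErrors
                Hint        = $hint
            }
        }
        if ($e.Severity -eq 'Error') { $priorErrors += "[$($e.Component)] $($e.Message)" }
    }
    return $null
}

$entries = @(ConvertFrom-SmstsLog -Text $sampleLog)
Find-TaskSequenceFailure -Entries $entries | Format-List Step, ErrorCode, When, PriorErrors, Hint

# Against a real WinPE boot, smsts.log lives at X:\Windows\Temp\SMSTSLog\smsts.log:
#   ConvertFrom-SmstsLog -Text (Get-Content X:\Windows\Temp\SMSTSLog\smsts.log | Out-String)
```

The point of keeping the prior error lines is that the component name (here OSDDriverClient) and the path it failed on tell you the failure was the DP share going away under a driver step, which is exactly the symptom the download-locally setting works around.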

There is an article here on Windows Noob (very good site) http://www.windows-noob.com/forums/index.php?/topic/1688-nic-devices-that-require-a-special-driver-for-winpe-may-cause-a-configmgr-task-sequence-to-fail/ that explains it in a bit more detail.