How to set time server on PDC

  1. Log in to your PDC Server and open the command prompt as administrator.
  2. Configure the external time sources, type: w32tm /config /syncfromflags:manual /manualpeerlist:0.pool.ntp.org
  3. Make your PDC a reliable time source for the clients. Type: w32tm /config /reliable:yes
  4. Restart the w32time service: net stop w32time && net start w32time
  5. The windows time service should begin synchronizing the time.
  6. You can check the external NTP servers in the time configuration by typing: w32tm /query /configuration
Advertisements

Windows Server Remote Desktop Services grace period expoired

Remove the RDS licensing time-bomb registry entry with the help of Sysinternals PSExec (Regedit alone couldn’t do it because it had to be run under highest privileges):

psexec -s -i regedit.exe:

Locate the registry key: HKLM\system\CurrentControlSet\Control\Terminal Server\RCM\GracePeriod

 

Remove the registry key GracePeriod and reboot the computer.

Bind multiple sites on same IP address and Port in SSL

Until IIS 7.5, the major limitation of IIS is that IIS will allow you to bind only one site for one IP: Port combination using an SSL certificate.  If you try to bind a second site on the IP address to the same certificate, IIS will give you an error when starting the site up stating that there is a conflict. In order to assign a certificate to be used by multiple IIS sites on the same IP address and port, we need to use a special mechanism. Before we go there let’s understand why it is not possible for IIS to allow the binding of multiple sites on same IP: Port combination using an SSL certificate.

Classic Chicken and Egg Problem

We know that IIS identifies a site using three piece of data:

1. IP-Address

2. Port

3. Host Header

You can have multiple HTTP site configured with different combination of above. The binding, for example 192.168.1.0:80 can be configured to site “MyServer1.com”. That means if I browse to IP-address 192.168.1.0 over port 80 then I will hit the site “MyServer1.com”. I can have the binding as 192.168.1.0:80:myserver2.com configured for site “MyServer2.com”. That means when I browse the site over IP-address 192.168.1.0 over port 80 with a host header as “myserver2.com” then I will hit the site MyServer2.com. This allows multiple DNS hostnames on a single server at the same IP address.

However this doesn’t work in HTTPS. To know why it doesn’t work in HTTPS lets understand the SSL handshake briefly.

1. Client – > (SSL Handshake) – > “ Hello, I support XYZ algorithm for encryption”

2. Server -> (SSL Handshake) -> “Hi there, Okay so here is my public certificate. Let’s use algorithm X”

3. Client -> (SSL Handshake)-> “Great we can use that”

4. Client -> (In Encrypted format)-> “HTTP Request”

5. Server -> (In Encrypted format)-> “HTTP Response”

<And now cycle continues>

Now let’s say hypothetically, you have set two sites on same IP-address and port and different host headers and you set two different certificates on both of them.

Look at the steps in SSL Handshake, Client sends the HTTP Request only in Step 4. That means Server doesn’t know what host header HTTP request is referring to until step 4. So at Step 2, Server has only IP-Address and Port information with it, so how can server figure out which certificate it needs to send to the Client as you have bind two certificates to same IP-Address and port.

When a request comes to HTTP.SYS layer, the HTTP.SYS reads the site configuration, including the certificate used to encrypt/decrypt the data. The host name is encrypted in SSL Blob that the client sends. However, IIS needs to know the host name in order to get the right certificate. Without the host name IIS cannot get to the correct site. As IIS is not able to get to the correct site so it cannot get the right certificate to decrypt the SSL blob to get the host name. This is the classic Chicken and Egg problem. We are turning into circles with no way out.

This is the precise reason; HTTP server can only allow one site per IP-Address: Port combination for HTTPS browsing. If you need to bind another site over HTTPS then you need to get either a different IP-Address or bind the site to a different port.

Sometimes getting a new IP-Address or port for each website becomes costly affair. So how we can attach two website to HTTPS over same IP: Port. There are two ways to do it in IIS7.

Wild Card Certificate.

A wildcard certificate can secure an unlimited number of first level sub domains on a single domain name. For example, you can get a certificate which is issued to *.mydomain.com. This certificate will secure www.mydomain.com, secure.mydomain.com, welcome.mydomain.com etc. Basically it will work on any subdomain that replaces the wildcard character (*).

Setting up the Wild Card Certificate

Step 1: Install the wildcard certificate.

Verify if the certificate is properly installed.

1. Select Start –> Run

2. Type in “MMC” and hit enter

3. From the console, select File –> Add / Remove Snap-in

4. Select Certificates from the Add / Remove dialog

5. Select Computer Account when prompt for which certificates the snap-in will manager.

6. Select Local Computer when prompted

7. Click OK to add the Snap-in to the MMC

8. Locate your SSL certificate

9. Right click on the certificate and select properties

10. You should see the * in the friendly name.

clip_image002

Once you have installed the certificate then the issued to should be the *.mydomain.com

clip_image004

Step 2: Setup the wildcard certificate in IIS

Let’s say you need following configuration

So let’s say you have the following configuration:

Website                   Host Header Value                  IP Address      Port             SSL Port
==================================================================
Test1                         http://www.myserver.com              10.0.1.1              80                  443
Test2                        test2.myserver.com               10.0.1.1              80                  443

Test3                        test3.myserver.com                10.0.1.1             80                  443

IIS6

You need to select the certificate for all the three sites which are configured for same IP-Address and port.

To know how to bind the certificates in IIS6 please follow the following link

http://blogs.iis.net/robert_mcmurray/archive/2011/02/17/iis-6-setting-up-ssl-part-3-installing-the-certificate.aspx

After you installed the Certificate on all the websites with same IP address and port and you try to browse the sites. You will see that all of the HTTPS responses come from one specific site.

That means if you try to access https://test1.myserver.com, https://test2.myserver.com or https://test3.myserver.com you will get the response from one site only.

You won’t get the corresponding pages from different Websites depending upon the site in URL. Why? Because of the chicken and Egg problem remember. When the request comes to HTTP.SYS layer then Schannel will be able to decrypt the request but after decrypting the request it doesn’t know which site it needs to send the request as all the sites listening to same IP-Address and port.

You will also see that only one of the Websites will be running. Other Websites will be in stopped state because we cannot have multiple Websites running with same IP and same SSL port binding. If you try to start the other Websites you may see something like this below:

clip_image005

How to resolve above issue

To resolve this issue we need to add host headers to the sites.

Go to Start Menu, click Run, type “cmd”, and then click OK.

Type the following command at the command prompt:

C:\Inetpub\AdminScripts>cscript.exe adsutil.vbs set /w3svc/<site identifier>/SecureBindings “*:443 :< host header>”

For example

C:\Inetpub\AdminScripts>cscript.exe adsutil.vbs set /w3svc/1/SecureBindings “10.0.0.1:443:test1.myserver.com”

Do this for all the three sites

C:\Inetpub\AdminScripts>cscript.exe adsutil.vbs set /w3svc/2/SecureBindings “10.0.0.1:443:test2.myserver.com”

C:\Inetpub\AdminScripts>cscript.exe adsutil.vbs set /w3svc/3/SecureBindings “10.0.0.1:443:test3.myserver.com”

clip_image007

You can also change this by changing the metabase.xml for that particular site.

For Example your site id is 1 then you would see following in the Metabase.xml

<IIsWebServer Location =”/LM/W3SVC/1″

AuthFlags=”0″

SSLCertHash=”ee6c56aaacd9e52137ccd4563131c35bdb020712″

SSLStoreName=”MY”

SecureBindings=”:443:”

ServerAutoStart=”TRUE”

ServerBindings=”:80:”

ServerComment=”ssltest”>

Add the hostname in the SecureBindings explicitly for each site.

<IIsWebServer Location =”/LM/W3SVC/1″

AuthFlags=”0″

SSLCertHash=”ee6c56aaacd9e52137ccd4563131c35bdb020712″

SSLStoreName=”MY”

SecureBindings=”:443:www.test.com”

ServerAutoStart=”TRUE”

ServerBindings=”:80:”

ServerComment=”ssltest”>

IIS7

In IIS7, attaching a wild card certificate is much easier. You can attach the certificate to the website you need to attach to. The moment you select the wildcard certificate the hostname field in the UI will be enabled. You can type the host header in it. You can do the same procedure for multiple sites.

clip_image009

How Wild Card Certificate resolve the Chicken and Egg problem

We have multiple sites on same IP: Port with the same certificate (wildcard certificate) attached to them. When the request reach to HTTP.SYS layer, the Schannel gets the IP: Port information from the request. Since there is only one certificate attached to that IP: Port Schannel use that wildcard certificate and decrypt the request using the private key. After decrypting the request, HTTP.SYS is able to get the host header information. Using the host header, HTTP.SYS can put the request into the proper request queue.

Limitation of Wild Card Certificate.

There are certain limitations of wild card certificate.

1) It can only be applicable to single level of subdomain. For example you got a wild cart certificate for *.mydomain.com then you can bind this certificate to sites such as site1.mydomain.com or site2.mydomain.com. However, you cannot bind the wildcard certificate to Site1.myexample.mydomain.com or Site1.example2.mydomain.com or xyz.abc.mydomain.com etc.

That means the wild cart certificate will work only till first level of subdomain.

2) The wild card certificate will work only if the site has same domain name. That means if you have certificate for *.mydomain.com then you cannot bind this certificate to sites such as www.example.com or www.mydomain2.com etc. Wild card certificate will work only for sites which have same domain name.

3) You can set the wildcard certificate only for one top level domain. For example you can bind a wild card certificate forwww.test1.myserver.com or www.test2.myserver.com, but you cannot bind the same certificate for hostheader www.test2.myserver.org orwww.test2.myserver.net etc.

SAN Certificate (Subject Alternative Name Certificate)

You can setup the wildcard certificate if the domain name for all the sites are same and first level subdomain changes. What if you want to set up the sites which should work on two different domain names, for example, a site with host header as www.testserver1.com and another site with hostheader as www.testserver2.com. In this case Wildcard certificate won’t help you. To resolve this issue we have SAN Certificate.

A SAN cert allows for multiple domain names to be protected with a single certificate. For example, you could get a certificate for myserver.com, and then add more SAN values to have the same certificate protect myserver.org, myserver.net and even myserver2.com orwww.example.com.

You can see the domain names in the Subject Alternative Name option in the Certificate

clip_image011

clip_image012

Setup the SAN certificate in IIS

Let’s say you need following configuration

So let’s say you have the following configuration:

Website                   Host Header Value                  IP Address      Port             SSL Port
==================================================================
Test1                         http://www.test.edu               10.0.1.1              80                  443
Test2                        http://www.test.com               10.0.1.1              80                  443

Test3                    www.test.testing.com 10.0.1.1             80                  443

IIS 6

You need to select the SAN certificate for all the three sites which are configured for same IP-Address and port.

Note: The hostheaders which are defined in the Subject Alternative Name, only to those hostheaders you can bind the site. That means if you set the Subject Alternative Name to www.test.edu, http://www.test.com, http://www.test.testing.com then you cannot bind this certificate to a site with hostheader say http://www.example.com.

To know how to bind the certificates please follow the following link

http://blogs.iis.net/robert_mcmurray/archive/2011/02/17/iis-6-setting-up-ssl-part-3-installing-the-certificate.aspx

After you installed the Certificate on all the websites with same IP address and port and you try to browse the sites. You will see that all of the HTTPS responses come from one specific site.

That means if you try to access https:// http://www.test.edu, https://www.test.com or https://www.test.testing.com you will get the response from one site only.

You won’t get the corresponding pages from different Websites depending upon the site in URL. Why? Because of the chicken and Egg problem remember. When the request comes to HTTP.SYS layer then Schannel will be able to decrypt the request but after decrypting the request it doesn’t know which site it needs to send the request as all the sites listening to same IP-Address and port.

You will also see that only one of the Websites will be running. Other Websites will be in stopped state because we cannot have multiple Websites running with same IP and same SSL port binding. If you try to start the other Websites you may see something like this below:

clip_image005[1]

How to resolve above issue

To resolve this issue we need to add host headers to the sites.

Go to Start Menu, click Run, type “cmd”, and then click OK.

Type the following command at the command prompt:

C:\Inetpub\AdminScripts>cscript.exe adsutil.vbs set /w3svc/<site identifier>/SecureBindings “*:443 :< host header>”

For example

C:\Inetpub\AdminScripts>cscript.exe adsutil.vbs set /w3svc/1/SecureBindings “10.0.0.1:443:www.test.edu”

Do this for all the three sites

C:\Inetpub\AdminScripts>cscript.exe adsutil.vbs set /w3svc/2/SecureBindings “10.0.0.1:443:www.test.com”

C:\Inetpub\AdminScripts>cscript.exe adsutil.vbs set /w3svc/3/SecureBindings “10.0.0.1:443:www.test.testing.com”

clip_image013

You can also change this by changing the metabase.xml for that particular site

<IIsWebServer Location =”/LM/W3SVC/1″

AuthFlags=”0″

SSLCertHash=”ee6c56aaacd9e52137ccd4563131c35bdb020712″

SSLStoreName=”MY”

SecureBindings=”:443:”

ServerAutoStart=”TRUE”

ServerBindings=”:80:”

ServerComment=”ssltest”>

Add the hostname in the SecureBindings explicitly for each site.

<IIsWebServer Location =”/LM/W3SVC/1″

AuthFlags=”0″

SSLCertHash=”ee6c56aaacd9e52137ccd4563131c35bdb020712″

SSLStoreName=”MY”

SecureBindings=”:443:www.test.com”

ServerAutoStart=”TRUE”

ServerBindings=”:80:”

ServerComment=”ssltest”>

clip_image015

IIS7

You need to select the certificate for all the three sites which are configured for same IP-Address and port.

Note: The hostheaders which are defined in the Subject Alternative Name, only to those hostheaders you can bind the site. That means if you set the Subject Alternative Name to www.test.edu, http://www.test.com, http://www.test.testing.com then you cannot bind this certificate to a site with hostheader say http://www.example.com.

To know how to bind the certificates in IIS7 please follow the following link

http://www.iis.net/learn/manage/configuring-security/how-to-set-up-ssl-on-iis

To configure the SAN certificate you need to run the below command after changing the website name, ip-address and port and the host header value.

Go to Start Menu, click Run, type “cmd”, and then click OK.

Go to the location “C:\Windows\System32\inetsrv”

Type the following command at the command prompt:

appcmd set site /site.name:”<WEBSiteName>” /+bindings.[protocol=’https’,bindingInformation=’*:443:<hostHeaderValue>‘]

For example

appcmd set site /site.name:”Test1” /+bindings.[protocol=’https’,bindingInformation=’*:443:http://www.test.edu’]

appcmd set site /site.name:”Test2” /+bindings.[protocol=’https’,bindingInformation=’*:443:http://www.test.com’]

appcmd set site /site.name:”Test3” /+bindings.[protocol=’https’,bindingInformation=’*:443:http://www.test.testing.com’]

clip_image017

Alternatively you can go to the applicationhost.config and modify the binding part of the website to add the host header. Do this for all the three sites. For example

<site name=”TestSite” id=”2″ >

<application path=”/” applicationPool=”TestSite”>

<virtualDirectory path=”/” physicalPath=”C:\Publish” />

</application>

<bindings>

<binding protocol=”http” bindingInformation=”*:8089:TestSite” />

<binding protocol=”https” bindingInformation=”*:443:TestSite” />

</bindings>

</site>

clip_image019

How SAN Certificate resolve the Chicken and Egg problem

We have multiple sites on same IP: Port with the same certificate (SAN certificate) attached to them. When the request reach to HTTP.SYS layer, the Schannel gets the IP: Port information from the request. Since there is only one certificate attached to that IP: Port Schannel use that SAN certificate and decrypt the request using the private key. After decrypting the request, HTTP.SYS is able to get the host header information. Using the host header, HTTP.SYS can put the request into the proper request queue.

Limitation of SAN Certificate.

There are certain limitations of SAN certificate.

1) One major limitation of SAN certificate is if you have issued the SAN certificate for say two host-headers http://www.test1.com andwww.test2.edu but you need to setup a site for www.test3.net using the same certificate then you can’t use it. You need to get another SAN certificate from the CA with all the three host-headers. In short, for every addition of a host-header you need to get another SAN certificate.

2) There are certain limitations which are defined by the CA on the number of host-header you can add to the Certificate. That means, after a certain number of host-header you cannot add further host-header into it.

 

Taken from: https://blogs.msdn.microsoft.com/varunm/2013/06/18/bind-multiple-sites-on-same-ip-address-and-port-in-ssl/

How to change the Port of ADFS 3.0 (Windows server 2012 R2) to 444

Thanx to: http://inogic.com/blog/2014/07/how-to-change-the-port-of-adfs-3-0-windows-server-2012-r2-to-444/

This worked also on Windows Server 2008 R2 with AD FS 2.0  installed for me.

 

 

There have been times when we need to configure IFD and both, ADFS and CRM are installed on same server.

In case of Windows server 2008, we need to install ADFS 2.0 and in Windows server 2012 standard, ADFS 2.1 comes by default as a part of windows features, we just need to install and configure ADFS. But in both cases, ADFS gets installed on Default website in IIS. Hence we used to change the port of ADFS to 444 directly from the IIS default website and CRM (https) remains on 443. So that we could easily browse CRM IFD URL as https://orgname.domainame.com without appending port to the URL.

But this is not the same with Windows server 2012 R2, as ADFS 3.0 on Windows server 2012 R2 does not depend on IIS. So in that case, as ADFS port cannot be changed we used to change CRM (https) port to 444. As a result of which the users need to browse CRM IFD URL ashttps://orgname.domainame.com:444.

But sometimes the requirement is that they should not be required to append the port in IFD URL. To achieve this we should have ADFS to use port 444 instead which can be done by some PowerShell commands.

We have outlined below our experience and learning during IFD configuration on such Windows server 2012 R2 having both ADFS 3.0 and CRM installed on same server.

1)      Firstly install ADFS 3.0 on Windows Server 2012 R2,

2)      Now after that configure ADFS 3.0. You can get the detailed steps of configuring ADFS 3.0 and IFD from here.

3)      During the configuration of ADFS 3.0, you will come across following screen where you can clearly see that, you can only configure the Federation Service Name and *not* the port which could be done with earlier ADFS versions and earlier windows server versions.

img1

1)      Hence after configuring ADFS 3.0 and IFD. You need to run some commands in PowerShell, but before that first you need to check how many URLs are reserved by ADFS already, so that for them you can run some PowerShell commands,

netsh http show urlacl

The above command will display the list of reserved URLs. As you can see below form the list, the highlighted 2 URLs are reserved by ADFS 3.0 on port 443 i.e. https://+:443/adfs/ andhttps://+:443/FederationMetadata/2007-06/

img2

5)      Now we need to first delete them using following PowerShell commands.

netsh http del urlacl https://+:443/adfs/

netsh http del urlacl https://+:443/FederationMetadata/2007-06/

img3

6)      After deleting them you need to execute following commands to add them on port 444.

netsh http add urlacl https://+:444/adfs/ user=”NT SERVICE\adfssrv” delegate=yes

netsh http add urlacl https://+:444/FederationMetadata/2007-06/ user=”NT SERVICE\adfssrv” delegate=yes

img4

7)      Finally run following command

Set-ADFSProperties -HttpsPort 444

Note: If you change the Port of ADFS to 444 from default port then it will give following warning. It means, if you set ADFS on 444, then you will not be able to register mobile device in ADFS, hence you will not be able to develop Mobile device app for CRM.

img5

8)      After performing above step, you need to restart the “Active Directory Federation Services”.

img6

9)      Now if your FederationMetadata URL is shifted to port 444, then it will look likehttps://sts1.adventure25.com:444/federationmetadata/2007-06/federationmetadata.xmland if you browse this URL then it will not work, as shown in the below screen. So there seems to be some issue with ADFS 3.0 configuration

img7

10)      Microsoft says ADFS 3.0 does not depend on IIS i.e. not installed under default website of IIS, and this is true, because you will not find any ADFS related files under default website of IIS

11)      But still if you go to IIS and set the binding of Default Website to port 444, then it starts working as shown in below screen:

img8

12)      After completing above steps, first you need to change the CRM website port to 443, then you need to configure Web Address Properties, Claim Based, IFD from Deployment Manager to this new Federation Metadata URL, and then update the relying party in ADFS. Then IFD will start working and you just need to browse it like https://orgname.domainame.com