Wednesday 3 May 2017

Configure HTTPS authentication to CA Server

In the previous post, I demonstrated the steps to install a Certificate Authority server and enable Web Enrollment. All good so far. However, when we tried to proceed with web enrollment, the message box below appeared:

In order to complete certificate enrollment, the Web site for the CA must be configured to use HTTPS authentication.

To make it worse (not really), if we tried to access the web page over HTTPS, no page could be displayed at all.

Luckily, Microsoft has compiled all the steps needed to resolve it, as posted here.
Implementing SSL on a Web site in the domain with an Enterprise CA
The following example will assume that you have an Enterprise CA from which to issue certificates. Further, the assumption is that you have the Certification Authority Web Enrollment pages installed, either on that CA or on another computer in the domain. This example will walk through the steps necessary to do the following:
  1. Configure an appropriate certificate template for SSL certificates.
  2. Obtain a certificate for IIS using the certificate template
  3. Configure the HTTPS on the Default Web Site
  4. Connect to the HTTPS location for certificate enrollment

So, let's start with those steps.

1) Configure an appropriate certificate template for SSL certificates.
  1.  Launch the Certificate Authority Console.

  2.  Right click Certificate Templates | Manage.

  3.  The Certificate Templates Console will launch. Look for the Web Server template, right click it, and choose Duplicate Template.

  4.  On the Compatibility tab, keep or change the settings depending on the environment.

  5.  Go to the General tab and change the template name to reflect its intended use. Change the certificate validity and renewal period if needed.

  6.  Go to the Security tab and add two entries:
    • the user/group accounts that will be used for enrollment
    • the computer accounts that need the ability to enroll

  7.  Go to the Cryptography tab and make changes if needed. Once done, click Apply, then OK.

  8.  The new template is created. Close the Certificate Templates Console.

  9.  Back in the Certificate Authority Console, right click Certificate Templates | New | Certificate Template to Issue. Find the newly created template, select it, then click OK.

2) Obtain a certificate for IIS using the certificate template

  1.  Launch the MMC console.

  2.  Go to File | Add/Remove Snap-in...

  3.  Click Certificates | Add >

  4.  Choose Computer account, and click Next >

  5.  Choose Local computer, then click Finish.

  6.  Click OK.

  7.  Expand Certificates (Local Computer) | right click Personal | All Tasks | Request New Certificate.

  8.  Click Next.

  9.  Select Active Directory Enrollment Policy, then click Next.

  10. Click ' More information is required to enroll for this certificate. Click here to configure settings. ' (shown in blue).

  11. We need to specify who will receive the certificate; in this case, the root CA server. On the Subject tab, in the Subject name box, change the type to Common name, enter the value, and click Add >. Once done, click Apply, then OK.

  12. Click Enroll.

  13. Enrolling...

  14. Click Finish.

3) Configure the HTTPS on the Default Web Site

  1.  Launch IIS Manager

  2.  Navigate to Default Web Site (or if you have more, choose appropriately).

  3.  In the Actions column, click Bindings...

  4.  Select https, and click Edit...

  5.  Change the SSL certificate to the correct certificate (you can press View... to check to whom the certificate was issued).

  6.  Click OK.

  7.  Click Close.

4) Connect to the HTTPS location for certificate enrollment

  1.  Launch web enrollment over HTTPS. A user ID is required; access the site using the ID configured earlier.

  2.  This page appears if you try to access the site with an unauthorized user ID.

  3.  Website launched successfully with HTTPS.
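The same four steps can be scripted once the template exists. This is an added example, not part of the original post or of Microsoft's article, and it assumes the duplicated template was named WebServerSSL, that Web Enrollment runs on the CA itself (so ADCSAdministration and WebAdministration are both available there), that the site is the Default Web Site, and that ca01.corp.example is a placeholder for your CA's FQDN.

```powershell
# Added example (not from the original post). Assumed names: template 'WebServerSSL',
# site 'Default Web Site', CA host 'ca01.corp.example' (placeholder).
Import-Module ADCSAdministration     # Get-CATemplate / Add-CATemplate (on the CA)
Import-Module WebAdministration      # Get-WebBinding / New-WebBinding / IIS: drive

$template = 'WebServerSSL'
$fqdn     = 'ca01.corp.example'      # placeholder for the CA / web enrollment host
$site     = 'Default Web Site'

# Step 1.9: publish the duplicated template so the CA is willing to issue from it.
if (-not (Get-CATemplate | Where-Object Name -eq $template)) {
    Add-CATemplate -Name $template -Force
}

# Step 2: request a machine certificate through the Active Directory enrollment
# policy, the scripted equivalent of MMC "Request New Certificate". CN and SAN are
# both supplied because the Web Server template expects the subject in the request.
$result = Get-Certificate -Template $template `
    -SubjectName "CN=$fqdn" -DnsName $fqdn `
    -CertStoreLocation Cert:\LocalMachine\My
if ($result.Status -ne 'Issued') { throw "Enrollment status: $($result.Status)" }
$cert = $result.Certificate

# Step 3: make sure an https binding exists, then attach the new certificate to it.
if (-not (Get-WebBinding -Name $site -Protocol https)) {
    New-WebBinding -Name $site -Protocol https -Port 443
}
(Get-WebBinding -Name $site -Protocol https).AddSslCertificate($cert.Thumbprint, 'My')

# Step 4 check: the thumbprint IIS serves on 443 must be the one just enrolled;
# if it is not, web enrollment keeps showing the "must be configured to use HTTPS" box.
$bound = (Get-ChildItem IIS:\SslBindings | Where-Object Port -eq 443).Thumbprint
if ($bound -ne $cert.Thumbprint) { throw 'HTTPS binding does not use the new certificate' }
Invoke-WebRequest -Uri "https://$fqdn/certsrv/" -UseDefaultCredentials -UseBasicParsing |
    Select-Object StatusCode
```

Run it in an elevated PowerShell session; the final request uses your current domain credentials, so it should return 200 only for an account listed on the template's Security tab.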

Thursday 27 October 2016

Citrix Studio - Change Hypervisor Connection

In Citrix Studio, it is possible to create a new hypervisor connection and move the VMs to that new connection. The reasons for creating a new connection and moving VMs to it vary, from commissioning a new vCenter server to changing to a new hypervisor platform (for example, from Microsoft Hyper-V to VMware vSphere).

This post explains how to change the connection from the current one to a new one. The new connection must already be established before these steps are carried out.

  1.  RDP to the Citrix Studio server and launch PowerShell. Add the Citrix snap-ins with the command below (asnp is the alias of Add-PSSnapin).

    Command : asnp citrix*

  2.  Identify the current and the to-be-used Hypervisor Connection UIDs with the command below. In this example, I want to change from Hypervisor Connection UID 1 to Hypervisor Connection UID 3.

    Command : Get-BrokerHypervisorConnection

Monday 24 October 2016

PowerShell - To Perform DNS Resolution Check-Up

So this is my second PowerShell script. The first one was very simple and I use it in my XenDesktop environment. This script, on the other hand, is part of my initiative to clean up Active Directory in my environment.

The task of the script is simple: look up the IP address of a machine name, then look up the hostname of that IP address.

- If the machine name (A host record) and the hostname (PTR record) are the same, we are good.
- If the machine name (A host record) and the hostname (PTR record) differ, an error is reported.
- If the machine name (A host record) resolves but there is no hostname (no PTR record), an error is reported.
- If the machine name does not resolve (no A host record), an error is reported.

I use $PSScriptRoot so the script's location is dynamic; it does not need to be placed in a specific folder.

This is only part 1. I wish to add more features so it can be better next time.

#       This script is created by Heiry Zulkifli, in order to check DNS resolutions for hostnames.

# Forward lookup: resolve the machine name (A record) to its first IPv4 address.
# Returns an error code (0 = OK, 1 = no A record) followed by the address.
Function FunctChkIPAdd ($Machine) {
    Try {
        # Read the address objects directly instead of parsing formatted output with findstr.
        $arr = @([System.Net.Dns]::GetHostAddresses($Machine) |
            Where-Object { $_.AddressFamily -eq 'InterNetwork' })
        If ($arr.Count -eq 0) { Throw "No A record for $Machine" }
        $IPAdd = $arr[0].IPAddressToString
        $ErrorCode = 0
        RETURN $ErrorCode, $IPAdd
    } Catch {
        $ErrorCode = 1
        RETURN $ErrorCode, $null
    }
}

# Reverse lookup: resolve the address (PTR record) back to a hostname.
# Returns an error code (0 = OK, 2 = no PTR record) followed by the short hostname.
Function FunctChkHostname ($IPAdd) {
    Try {
        $FQDN = [System.Net.Dns]::GetHostByAddress($IPAdd).HostName
        $Hostname = $FQDN.Split('.')[0]
        $ErrorCode = 0
        RETURN $ErrorCode, $Hostname
    } Catch {
        $ErrorCode = 2
        RETURN $ErrorCode, $null
    }
}

# Result file lives next to the script; start from a clean file on every run.
$strFileName = "$PSScriptRoot\result.txt"
If (Test-Path $strFileName) { Remove-Item $strFileName }
Write-Host "Script starts..."
Write-Host "Performing Flush DNS..."
ipconfig /flushdns
Write-Host "Flush DNS completed"
Write-Host "."
Write-Host "."
Write-Host "."

# machines.txt holds one machine name per line.
ForEach ($Machine in Get-Content "$PSScriptRoot\machines.txt") {
    Write-Host "Checking $Machine"
    $ResultIPAdd = FunctChkIPAdd $Machine
    If ($ResultIPAdd[0] -eq 0) {
        $ResultHostName = FunctChkHostname $ResultIPAdd[1]
        If ($ResultHostName[0] -eq 0) {
            $IPAdd = $ResultIPAdd[1]
            $HostName = $ResultHostName[1]
            # -eq is case-insensitive for strings, so NetBIOS-style case differences are ignored.
            If ($Machine -eq $HostName) {
                $info = "$Machine $IPAdd $HostName | OK"
            } Else {
                $info = "$Machine $IPAdd $HostName---------------| ERROR - Machine Different With Hostname"
            }
        } Else {
            $info = "$Machine $IPAdd -------------------------------------------| ERROR-HostName Not Found"
        }
    } Else {
        $info = "$Machine ----------------------------------------------| ERROR-Machine Name Not Found"
    }
    $info >> $strFileName
}
Write-Host ".................................Completed"
Write-Host "."
Write-Host "."
Write-Host "."
Write-Host "Script completed. Please check result.txt"

When launched...

Example of result.txt


Thursday 20 October 2016

Certificate Authority – Requesting, Downloading, Installing, and Binding Certificates

Certificate Authority is a server role from Microsoft that issues digital certificates to recipients. These certificates enable the systems in the environment to communicate securely with each other.

This post illustrates how to:
  1. Request a certificate from an internal root CA
  2. Download the certificate from the internal root CA
  3. Install the certificate on the server
  4. Bind the certificate to the HTTPS protocol

However, this post won't explain how to install an internal CA server; you may refer here for that. So let's get started.

Request Certificate From an Internal Root CA

  1.  Launch IIS Manager

  2.  Click the server name. In the workspace area, locate the Server Certificates feature and double-click it (or right click | Open Feature).

  3. Click at Create Certificate Request...

  4. Put in all needed info, and click Next

  5.  Select the cryptographic service provider and bit length, then click Next.

  6.  Specify the location of the certificate request file. It can be a TXT file. Click Finish.

  7.  The CR file can be found at the location specified earlier.

Download the Certificate From Internal Root CA
  1.  Browse to the CA web enrollment address.

  2.  Click at Request a certificate

  3.  Click at advanced certificate request.

  4.  Click at Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.

  5.  Open the previously created CR file and copy its content.

  6.  Paste it into the Saved Request box. Change the Certificate Template to the SSL template, and click Submit.

  7.  Click Yes.

  8.  Click at Download certificate

  9.  Certificate downloaded.

Install the Certificate To Server
  1.  Launch IIS Manager, click at the server name, and open Server Certificates feature

  2.  In the Actions column, click Complete Certificate Request...

  3.  Locate the cert (*.cer) downloaded previously, provide a friendly name (usually I put the server name), and ensure the store is set to Personal. Click OK.

  4.  Installing...

  5.  Certificate Installed.
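The request, submit and complete steps above can also be done without the IIS wizard or the /certsrv pages, using certreq against the same CA and template. This is an added example, not code from the original post; it assumes placeholder names (server web01.corp.example, CA config string ca01.corp.example\Corp-Root-CA, template WebServerSSL) and runs in an elevated PowerShell session on the server that needs the certificate.

```powershell
# Added example (not from the original post). All names below are placeholders.
# Requires an elevated session on the requesting server; certreq ships with Windows.
$server   = 'web01.corp.example'                  # placeholder: this server's FQDN
$caConfig = 'ca01.corp.example\Corp-Root-CA'      # placeholder: "CAhost\CA name"
$template = 'WebServerSSL'                        # the duplicated Web Server template
$work     = "$env:TEMP\certreq"
New-Item -ItemType Directory -Path $work -Force | Out-Null

# Step 1 equivalent: a certreq INF replaces the "Create Certificate Request" wizard.
# The SAN extension (2.5.29.17) is added because modern clients ignore the CN alone.
@"
[NewRequest]
Subject = "CN=$server"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$server"
[RequestAttributes]
CertificateTemplate = $template
"@ | Set-Content "$work\request.inf" -Encoding ASCII

certreq -new "$work\request.inf" "$work\request.req"
# Step 2 equivalent: submit the PKCS #10 straight to the CA instead of pasting it into /certsrv.
certreq -submit -config $caConfig "$work\request.req" "$work\cert.cer"
# Step 3 equivalent: "Complete Certificate Request" joins the issued cert to its private key.
certreq -accept "$work\cert.cer"

# Verify the result: the cert must sit in LocalMachine\My with its private key,
# and chain to the root CA with a SAN that matches this server.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$server" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw 'Certificate not installed with a private key' }
if (-not (Test-Certificate -Cert $cert -Policy SSL -DNSName $server)) { throw 'Chain or SAN check failed' }
$cert | Format-List Subject, Thumbprint, NotAfter, Issuer
```

The thumbprint printed at the end is the one to pick in the Bindings... dialog in the next section.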

Bind the certificate to HTTPS protocol

  1.  Launch IIS Manager, navigate to <serverName> | Sites | Default Web Site (or any different name if applicable).

  2.  In the Actions column, click Bindings...

  3.  Select https, and click Edit...

  4.  Change the SSL certificate to previously installed certificate, then click OK.

  5.  Click Close.

  6.  The server is now ready to use the HTTPS protocol.
