Blog

We had an issue come up with a group of Citrix Presentation Servers that were recently introduced as a pilot for one of our customers. All the Citrix servers are newly built using mostly application defaults. Our first application silo contained routine applications like Office, IE, and file share resources. Setup and testing went very smooth. However, the second silo we built published a core application that was launched using a batch file. Testing of the application by our network engineers and by the customer’s head of IT raised no concerns. Everything worked as expected. The application was published to a small set of regular users chosen as a pilot group and we were quickly alerted that none of the users could launch the application. Here is the error that was displayed: [more]

“The desktop you are trying to open is currently available only to administrators”

We were aware of some ongoing Terminal Server licensing issues that this customer was experiencing so we automatically assumed that was the problem. We scrambled to put another Windows 2003 server on the network to run TS licensing thinking it was only a matter of time before the other Citrix servers started having issues. By the end of the day, we had the new TS licensing server online and all the settings deployed via group policy to the problematic servers. A reboot of the servers would fix it…not so much. After the reboot, the issue persisted. Back to square one. After digging through all the settings a few times, I finally found the following setting:

On the surface this setting doesn’t look like it would cause any issues. After all, we were using a published application and it looks like this setting would only prevent users from opening a published desktop on the server. However, after doing some testing, we found that the ICA protocol doesn’t consider launching a batch file to be a published application. Only files with .exe extensions count. Our testing failed to uncover this issue because we had unintentionally done all of our testing with administrator accounts and all the applications published on the first silo were standard .exe apps. Unchecking this box fixed the problem.

While working with a client, I recently promoted a new Windows 2008 R2 virtual server to a domain controller.  Prior to running dcpromo.exe everything looked and performed great, but I noticed a large amount of system resource issues following the promotion.  I also ran into several cases of not being able to open various management console snap-ins or other applications.  After troubleshooting various issues I finally decided that they all must have had a singular root cause. 

After digging around in the event viewer and scratching my head a bit, I asked another network engineer what I was missing. He looked around for a few minutes and asked me if disk quotas had been enabled via group policy.  I opened up the Group Policy Management console on another server and discovered a disk quota group policy object for terminal servers that had been applied to the Domain Controllers OU.  After excluding the new domain controller from receiving the policy, and then manually removing the existing disk quota entries the server was running at full speed with full functionality.

After installing Windows updates a customer’s HP 6000 Desktop, running Windows 7, would not POST (Power On Self Test). After powering on it would display a HP logo and go no further. I had access to another identical system so I switched the memory, then hard drive and got the same problem both times. I decided to just put the other system in place of that original one. I connected all the cable and got the same problem on the second desktop. At that point I unplugged all but the display and power, since I have seen keyboards cause this type of problem, this time it booted without hanging. I reconnected the mouse and keyboard and it booted fine. I then reconnected the USB printer and it would not POST. I put the original system back in place, without the USB printer connected and it worked fine.

The HP 3005 printer that was connected was bought refurbished and apparently had started affecting the boot process. The decision was made to replace the defective printer so it was retired.

I experienced some odd behavior in Word last week while working on an audit report (I was docked in my office).  Periodically, the blinking cursor in Word would disappear and my document would appear to freeze up.  Neither Word nor my laptop was not locked up because I was able to scroll in the document but when doing so, the document would turn black and my text would either disappear or become garbled, with lines appearing to repeat over and over.  This would last for 20-30 seconds or more.  I tried rebooting to no avail.
 
At one point, I noticed the proofing cursor was animated, as it does when it is writing to disk. [more]

This made me think the problem might be network latency.
 
I mentioned my problem to another information security auditor. He suggested it might be related to offline files.  I thought I had reversed the “Always available offline” option for this folder.  However, upon further investigation I found out that I had not.  Once I did so, the problem did not recur.

Cisco's IOS documentation says that pre-shared keys used for VPNs can be 128 characters long.  If you try to specify a 128 character key this message appears "Pre-shared key length exceeds 127 characters.   Key not added."  So, I have been using 127 character pre-shared keys for a long time.  Then IOS 15 came out and we are still doing VPNs just fine with that version, but not using 127 character pre-shared keys.  It still allows them but the VPN will not come up and "%CRYPTO-4-IKMP_BAD_MESSAGE" is logged, which means the keys do not match.  It now looks like the pre-shared keys cannot be longer than 125 characters.

Microsoft has introduced a technology that competes with the QR codes. One of the main differences in the Microsoft Tag is that there is a tracking mechanism that will tell the tag owner how many people have accessed the tag… and also allows the tag owner to change the contents of the tag over time.  QR tags are static.

All the tagging technology (readers, creators and the web site to control the content) are free at this time from Microsoft. [more]

Here are a couple articles of interest:

http://tag.microsoft.com/overview.aspx

http://www.signsoveramerica.com/sign-blog/index.php/2010/11/15/qr-codes-vs-microsoft-tag-reader-predicting-the-winner/

I was having some problems with my laptop's Bluetooth radio turning itself off when I reboot without powering off. I found an online posting indicating resetting the BIOS to defaults would fix the problem. I went into the BIOS setup and reset it then rebooted. However, that changed the system enough to make Bitlocker to ask for the recovery key. I put in the recovery key then suspended Bitlocker on the C drive after Windows came up (as the Bitlocker message instructed). I then resumed Bitlocker and it seemed to work after another reboot. [more]

However, when I rebooted the laptop at home later that day, Bitlocker asked for the recovery key again. I found another Microsoft support entry that indicated the problem might be that the boot order was changed. That made sense because my configuration at home involved an external USB device that wasn't connected at the office.

I suspended Bitlocker then rebooted and went into the BIOS setup and made sure the first (and only in this case) boot device listed was my C drive.

After rebooting, I resumed Bitlocker protection and haven't had a problem since.

I was recently assisting a client who was receiving TSCAL (licensing) errors when logging into 2008 terminal server via a Wyse thin client.  After researching found that it was caused by the default User not having write access to the registry that is needed to be able to re-write the hardware ID under MS licensing.  Here is how I was able to fix the problem: [more]

1. Login as Administrator locally in to the device and disable the write filter
2. Launch the registry editor and navigate in to Hkey_local_machine\Software\Microsoft\
3. Select MSLicensing > right click select Permission  > Click on Advance tab
4. Set the User  and the Power User  to have full control

When out of town on an audit there are times when I need to shutdown my laptop (rather than just letting it go to sleep) but I don't want to take the time or chance any problems when installing Windows updates. For example, I needed to get to a bank for a meeting and installing updates first thing in the morning wasn't what I need to happen (especially when one was Windows 7 Service Pack 1 which would take a long time to install).

The problem is when I use the Start button to select shutdown, the only option I have is install updates first then shutdown. A co-worker showed me there is a plain shutdown option available if you use Alt-F4 - easiest if all windows are minimized. That's a good one to know! [more]