2017-06-08

The target principal name is incorrect. Cannot generate SSPI context.

You might encounter this error when trying to connect remotely to MS SQL via Management Studio. Basically it means that Kerberos is not working; you can verify this by running the following query while connected to MS SQL locally:

select auth_scheme from sys.dm_exec_connections where session_id=@@spid

You should see NTLM in the result if Kerberos is not working.

The error says that the SPN is incorrect; however, you can verify that the SPN is actually fine with:
SETSPN -L <service account>

Additionally, on the domain controller you might see a similar event logged:

While processing an AS request for target service krbtgt, the account did not have a suitable key for generating a Kerberos ticket (the missing key has an ID of 1). The requested etypes : 18 17 3. The accounts available etypes : 23 -133 -128. Changing or resetting the password of will generate a proper key.

In my case I solved this by changing the SQL Server service account to a newly created one, since I was not able to reset the password for the existing one because it might have been used elsewhere. Generally, resetting the password of that account as suggested in the event log should fix this as well.
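As an added example (not code from the original post), the three checks above as PowerShell functions: the auth_scheme query run over a connection from the client side, the SPN listing for the service account, and a search of the domain controller's System log for the KDC event quoted above. The names sql01.corp.example.com (SQL Server), svc_sql (its service account) and dc01 (a domain controller) are assumed placeholders.

```powershell
# Added example, not code from the original post. Assumed placeholder names:
# sql01.corp.example.com (SQL Server), svc_sql (service account), dc01 (a DC).

function Get-SqlAuthScheme {
    param([Parameter(Mandatory)] [string] $ServerInstance)
    # Integrated Security lets SSPI negotiate Kerberos or NTLM; the DMV reports
    # which one this session actually ended up with.
    $conn = New-Object System.Data.SqlClient.SqlConnection
    $conn.ConnectionString = "Server=$ServerInstance;Integrated Security=SSPI"
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = 'select auth_scheme from sys.dm_exec_connections where session_id=@@spid'
        return [string]$cmd.ExecuteScalar()    # 'KERBEROS' or 'NTLM'
    } finally {
        $conn.Dispose()
    }
}

function Get-ServiceAccountSpns {
    param([Parameter(Mandatory)] [string] $Account)   # sAMAccountName or DOMAIN\name
    # setspn -L prints a header line followed by one indented SPN per line;
    # a SQL service account should show MSSQLSvc/<fqdn>:<port> entries here.
    setspn -L $Account | Where-Object { $_ -match '^\s+\S' } | ForEach-Object { $_.Trim() }
}

function Find-KdcMissingKeyEvents {
    param([Parameter(Mandatory)] [string] $DomainController, [int] $Days = 7)
    # The event quoted above is logged by the KDC in the System log of the DC.
    # Matching on the message text avoids depending on a particular event ID.
    Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Kerberos-Key-Distribution-Center'
        StartTime    = (Get-Date).AddDays(-$Days)
    } -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -like '*did not have a suitable key*' } |
        Select-Object TimeCreated, Id, Message
}

# Usage with the assumed names:
$scheme = Get-SqlAuthScheme -ServerInstance 'sql01.corp.example.com'
"auth_scheme = $scheme"
if ($scheme -ne 'KERBEROS') {
    'SPNs registered on the service account:'
    Get-ServiceAccountSpns -Account 'svc_sql'
    'KDC events on the domain controller about a missing key:'
    Find-KdcMissingKeyEvents -DomainController 'dc01'
}
```

Reading the quoted event: the requested etypes 18 and 17 are AES256 and AES128, while the account only has 23 (RC4) and the two legacy RC4 variants, i.e. it has no AES keys at all. Keys are derived from the password when it is set, so a password reset (or a fresh account, as done above) is what generates the missing AES key.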

Links:
https://blogs.msdn.microsoft.com/meer_alam/2015/05/10/the-target-principal-name-is-incorrect-cannot-generate-sspi-context/ 

2017-03-29

Enabling AntiSpam agents on Exchange 2016 Mailbox server, including Connection Filtering Agent

If you have no Edge server and want to use Exchange's anti-spam features, you probably already know how to install the anti-spam agents on a Mailbox server:

& $env:ExchangeInstallPath\Scripts\Install-AntiSpamAgents.ps1

However, this does not enable the Connection Filtering agent, which is by far the most useful of all the agents since it lets you use online blacklists (RBLs). To enable it, run the following in the Exchange Management Shell (one line):

Install-TransportAgent -Name "Connection Filtering Agent" -TransportService FrontEnd -TransportAgentFactory "Microsoft.Exchange.Transport.Agent.ConnectionFiltering.ConnectionFilteringAgentFactory" -AssemblyPath "C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\agents\Hygiene\Microsoft.Exchange.Transport.Agent.Hygiene.dll"

You also need to configure it with your preferred RBLs, for example:

Add-IPBlockListProvider -Name zen.spamhaus.org -LookupDomain zen.spamhaus.org -AnyMatch $true -Enabled $true
Add-IPBlockListProvider -Name bl.spamcop.net -LookupDomain bl.spamcop.net -AnyMatch $true -Enabled $true
Add-IPBlockListProvider -Name b.barracudacentral.org -LookupDomain b.barracudacentral.org -AnyMatch $true -Enabled $true
Enable-TransportAgent -TransportService FrontEnd -Identity "Connection Filtering Agent"
Restart-Service MSExchangeTransport

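An added example (not part of the original post) that shows what a block-list lookup actually does and then verifies the agent and providers configured above from the Exchange Management Shell. The Test-DnsblListing function is plain PowerShell and runs on any Windows host; the Exchange cmdlets at the end need the shell. Provider names are the ones used in the post.

```powershell
# Added example, not code from the original post.

function Test-DnsblListing {
    param(
        [Parameter(Mandatory)] [ipaddress] $IPAddress,
        [Parameter(Mandatory)] [string]    $LookupDomain   # e.g. zen.spamhaus.org
    )
    if ($IPAddress.AddressFamily -ne 'InterNetwork') { throw 'IPv4 addresses only' }
    # A DNSBL is queried by reversing the IPv4 octets and appending the zone:
    # 192.0.2.10 against zen.spamhaus.org becomes 10.2.0.192.zen.spamhaus.org.
    $reversed = ($IPAddress.GetAddressBytes()[3..0] -join '.')
    $name     = "$reversed.$LookupDomain"
    $answer   = Resolve-DnsName -Name $name -Type A -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Query  = $name
        Listed = [bool]$answer
        # Answers are 127.0.0.x codes; each list documents what its x values mean.
        Codes  = @($answer | ForEach-Object { $_.IPAddress })
    }
}

# 127.0.0.2 is the conventional "always listed" test address for DNSBLs, so a
# positive answer proves the lookup path works; 127.0.0.1 should come back clean.
Test-DnsblListing -IPAddress '127.0.0.2' -LookupDomain 'zen.spamhaus.org'
Test-DnsblListing -IPAddress '127.0.0.1' -LookupDomain 'zen.spamhaus.org'

# Exchange side: the agent must exist on the FrontEnd service and be enabled,
# otherwise the providers are never consulted.
Get-TransportAgent -TransportService FrontEnd |
    Where-Object { $_.Identity -eq 'Connection Filtering Agent' } |
    Format-Table Identity, Enabled, Priority

# Each configured provider, queried by Exchange itself with the test address.
foreach ($p in Get-IPBlockListProvider) {
    Test-IPBlockListProvider -Identity $p.Identity -IPAddress 127.0.0.2
}
```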

2015-01-27

Publishing FTPS on TMG 2010.

For instructions on creating an FTP site on IIS read this post - Creating FTP or FTPS on IIS 8.5 (with Active Directory User isolation).
 
I. Configure FTP for Firewall Support (IIS 8.5)
1. Open IIS Manager, in the Connections pane select your FTPS server and in Features View double click FTP Firewall Support

2. Enter the port range for the Data Channel; in this example we will be using 50100-50200. Also enter the external IP of your firewall, in this example yyy.yyy.yyy.yyy, and in the Actions pane click Apply.
Note: do not forget to allow this port range in the Windows Firewall of your FTPS server if it is not added automatically.

3. Repeat the same step at the FTP site level. Select your FTP site and in Features View double click FTP Firewall Support.

4. Data Channel Port Range should be greyed out with the value you specified earlier. For External IP Address of Firewall enter your firewall's external IP: yyy.yyy.yyy.yyy and in the Actions pane click Apply.
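Section I as a script, added here as an example (not from the original post). The reason these settings exist is worth spelling out: with FTPS the control channel is encrypted, so TMG cannot read the PASV reply and rewrite the address and port in it; the IIS server itself has to advertise the firewall's external address and a fixed port range that the publishing rule then opens. The site name myFTP and the address yyy.yyy.yyy.yyy are placeholders; the configuration section and attribute names are those of applicationHost.config.

```powershell
# Added example, not code from the original post. Run on the IIS FTP server.
Import-Module WebAdministration

$SiteName   = 'myFTP'               # placeholder, your FTP site name
$LowPort    = 50100
$HighPort   = 50200
$ExternalIp = 'yyy.yyy.yyy.yyy'     # placeholder, external address of the TMG/firewall

# Server level: the passive data-channel port range (step 2).
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
    -Filter 'system.ftpServer/firewallSupport' -Name lowDataChannelPort  -Value $LowPort
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
    -Filter 'system.ftpServer/firewallSupport' -Name highDataChannelPort -Value $HighPort

# Site level: the address the server puts into PASV replies (step 4).
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
    -Filter "system.applicationHost/sites/site[@name='$SiteName']/ftpServer/firewallSupport" `
    -Name externalIp4Address -Value $ExternalIp

# Windows Firewall on the FTPS server: control port plus the data range
# (the note in step 2; not always added automatically).
New-NetFirewallRule -DisplayName 'FTPS control channel' -Direction Inbound `
    -Protocol TCP -LocalPort 21 -Action Allow | Out-Null
New-NetFirewallRule -DisplayName 'FTPS data channel' -Direction Inbound `
    -Protocol TCP -LocalPort "$LowPort-$HighPort" -Action Allow | Out-Null

# The FTP service reads the range at start-up.
Restart-Service ftpsvc

# Show what was written, so it can be compared with the GUI values.
Get-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' -Filter 'system.ftpServer/firewallSupport' |
    Select-Object lowDataChannelPort, highDataChannelPort
Get-WebConfiguration -PSPath 'MACHINE/WEBROOT/APPHOST' `
    -Filter "system.applicationHost/sites/site[@name='$SiteName']/ftpServer/firewallSupport" |
    Select-Object externalIp4Address

# From an external client, once the TMG rule from section II is in place, the
# control port should answer; the data range is only exercised by a transfer.
Test-NetConnection -ComputerName $ExternalIp -Port 21 -WarningAction SilentlyContinue |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded
```

A data-channel port is only listening while a passive transfer is in progress, so a port probe of 50100 from outside proves nothing on its own; the real check of section II is a directory listing or file transfer from an external FileZilla client in passive mode.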
 
 
II. Create Publishing rule on TMG
1. Open the Forefront TMG console, right click Firewall Policy and choose New->Create new Non-Web Server Protocol Publishing Rule...

2. Enter the name of your FTPS rule, for example "FTPS", and click Next

3. Enter the IP address of your FTPS server

4. Click New... to create a new protocol definition

5. Specify a name for your protocol definition, for example "FTPS Custom", and click Next

6. Click New to add a port range for your protocol definition

7. Specify the following
Protocol type: TCP
Direction: Inbound
Port Range: From: 21 To: 21
and click OK

8. In the New Protocol Definition Wizard click New one more time to add the port range for the data channel we specified in step I.2.
Specify the following
Protocol type: TCP
Direction: Inbound
Port Range: From: 50100 To: 50200
and click OK

9. Check that the protocol configuration is fine and click Next

10. On the following step leave the default No selected and click Next

11. Double check the settings and click Finish

12. After the protocol definition has been created we can proceed with the rule. Click Next

13. Select the checkbox next to External network and click Address... to specify the external IP on which the FTPS service rule will be listening

14. Select Specified IP addresses on the Forefront TMG computer in the selected network and add the IP you specified in step I.2 (in this example yyy.yyy.yyy.yyy). After that click OK

15. Click Next to proceed

16. Click Finish to end the Publishing Rule Wizard

17. Click Apply in the TMG console and then click OK. Wait a few minutes and you are ready to test your FTPS server from an external client.


2015-01-26

Creating FTP or FTPS on IIS 8.5 (with Active Directory User isolation).

The goal of this article is to describe how to create an FTP(S) site on IIS so that Active Directory accounts can be used to authenticate to FTP, and how to configure AD user isolation so that users get individual home folders.
 
1. Install IIS Role and required features
 
In Server Manager click on Add roles and features
Click Next
Installation Type - choose Role-based or feature-based installation and click Next
Server Selection - choose your server and click Next
Server Roles - select Web Server (IIS) and confirm required features by clicking Add Features in the popup window, click Next
In the Features and Web Server Role (IIS) sections click Next
Role Services - deselect the role services you don't need; if it is going to be a dedicated FTP server, leave only FTP Server/FTP Service and Management Tools/IIS Management Console selected and click Next
Confirmation - click Install
 
2. Create FTP users and Groups
In active directory create your FTP users for example:
FTPuser1
FTPuser2
FTPuser3
 
And create FTP users security group:
FTP Users
 
Add all ftp users to the membership of "FTP Users" group.
 
3. Create folders and assign permissions
Prepare the folder structure in your preferred location. In this example we will be using a file server (Fileserver) as the FTP root, so users can also access the FTP folders directly via the file share while they are connected to the company network.
 
Share a folder on Fileserver
Set sharing permissions for group "FTP Users" to Full Control.
Set NTFS permissions (security tab) for "FTP Users" group to List folder contents.
 
Next we will create a home folder for every group of users that needs to be isolated.
For example, users FTPuser1 and FTPuser2 will share the same home folder because they are colleagues working with the same data, while FTPuser3 is from another department and gets a separate home folder.
 
Add security permissions for users FTPuser1 and FTPuser2 and set them to Modify
 
Add security permissions for user FTPuser3 and set them to Modify
 
4. Configure IIS
Open IIS Manager in Control Panel->Administrative Tools->Internet Information Services (IIS) Manager
 
In IIS Manager expand your server, right click Sites and choose Add FTP Site...
Enter site name: myFTP
Physical path: \\Fileserver\FTProot
 
If you want to run FTPS select Require SSL and select your SSL Certificate, otherwise select No SSL.
 
 
Authentication:
Basic
Authorization:
Select Specified roles or user groups from the drop-down menu.
Type FTP Users.
Select the Read and Write checkboxes.
Click Finish.
 
Next configure FTP User Isolation.
Under the myFTP site open FTP User Isolation.
Select Isolate users. Restrict users to the following directory:
FTP home directory configured in Active Directory
and enter the credentials of a user that has permission to read AD properties.
 
5. Configure user AD properties
Open Active Directory Users and Computers (ADUC) and modify properties for your FTPusers.
To be able to modify attributes, first in ADUC select View and turn on Advanced Features.
Now you should see Attribute Editor tab in user properties.
Configure AD properties as follows:
 
FTPuser1
msIIS-FTPDir: \Home1
msIIS-FTPRoot: \\Fileserver\FTProot\
 
FTPuser2
msIIS-FTPDir: \Home1
msIIS-FTPRoot: \\Fileserver\FTProot\
 
FTPuser3
msIIS-FTPDir: \Home2
msIIS-FTPRoot: \\Fileserver\FTProot\
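Steps 2, 3 and 5 as one script, added here as an example (not from the original article). It uses the article's names (FTPuser1..3, group "FTP Users", \\Fileserver\FTProot with Home1 and Home2), assumes the FTProot share from step 3 already exists with Full Control for the group, and needs the ActiveDirectory module (RSAT) plus rights on the file server. The point it makes explicit: isolation comes from two layers, the msIIS-FTP* attributes that tell IIS where to land each user, and NTFS permissions on the home folders that hold even if a user somehow escapes the FTP view.

```powershell
# Added example, not code from the original article. Names as in the article.
Import-Module ActiveDirectory

$Domain = (Get-ADDomain).NetBIOSName
$Root   = '\\Fileserver\FTProot'          # shared folder from step 3
$Group  = 'FTP Users'
# user -> home folder: two colleagues share Home1, the third department gets Home2
$Homes  = @{ FTPuser1 = 'Home1'; FTPuser2 = 'Home1'; FTPuser3 = 'Home2' }

function New-AccessRule($Identity, $Rights, $Inherit) {
    New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList `
        $Identity, $Rights, $Inherit, 'None', 'Allow'
}

# Step 2: group and users (initial passwords are prompted for, never hard-coded).
if (-not (Get-ADGroup -Filter "Name -eq '$Group'")) {
    New-ADGroup -Name $Group -GroupScope Global -GroupCategory Security
}
foreach ($user in $Homes.Keys) {
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$user'")) {
        New-ADUser -Name $user -SamAccountName $user -Enabled $true `
            -AccountPassword (Read-Host -AsSecureString "Initial password for $user")
    }
    Add-ADGroupMember -Identity $Group -Members $user
}

# Step 3: the root gives the group "List folder contents" (ReadAndExecute on
# folders only); each home folder grants Modify only to the users that belong
# there, which is what keeps FTPuser3 out of Home1 and the others out of Home2.
$rootAcl = Get-Acl $Root
$rootAcl.AddAccessRule((New-AccessRule "$Domain\$Group" 'ReadAndExecute' 'ContainerInherit'))
Set-Acl -Path $Root -AclObject $rootAcl

foreach ($home in ($Homes.Values | Sort-Object -Unique)) {
    $path = Join-Path $Root $home
    if (-not (Test-Path $path)) { New-Item -ItemType Directory -Path $path | Out-Null }
    $acl = Get-Acl $path
    foreach ($user in ($Homes.GetEnumerator() | Where-Object Value -eq $home).Key) {
        $acl.AddAccessRule((New-AccessRule "$Domain\$user" 'Modify' 'ContainerInherit,ObjectInherit'))
    }
    Set-Acl -Path $path -AclObject $acl
}

# Step 5: the attributes IIS reads when user isolation is set to
# "FTP home directory configured in Active Directory".
foreach ($entry in $Homes.GetEnumerator()) {
    Set-ADUser -Identity $entry.Key -Replace @{
        'msIIS-FTPRoot' = "$Root\"
        'msIIS-FTPDir'  = "\$($entry.Value)"
    }
}

# Check: root + dir of every user must point at an existing folder, otherwise
# the login is refused by IIS.
foreach ($user in $Homes.Keys) {
    $u = Get-ADUser $user -Properties 'msIIS-FTPRoot', 'msIIS-FTPDir'
    $effective = $u.'msIIS-FTPRoot'.TrimEnd('\') + $u.'msIIS-FTPDir'
    "{0,-10} -> {1} exists={2}" -f $user, $effective, (Test-Path $effective)
}
```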
 
6. Login
For testing login we will use FileZilla FTP client.
Configure connection as follows.
Host: address of your FTP server
Protocol: FTP File Transfer Protocol
Port: 21
Encryption: if your FTP requires SSL select Require explicit FTP over TLS, otherwise select Only use plain FTP (insecure)
Logon type: Ask for password
User: FTPuser1
 
Click Connect, enter your password and click OK.
 
 
7. Conclusion
If everything went to plan users FTPuser1 and FTPuser2 should login to \\Fileserver\FTProot\Home1 folder and user FTPuser3 should login to \\Fileserver\FTProot\Home2.
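The login test from step 6 and the check in the conclusion, done from a client with PowerShell instead of FileZilla; this is an added example, not part of the original article. It connects as each user over explicit FTPS (AUTH TLS on port 21, the same mode as "Require explicit FTP over TLS"), lists the directory the server lands the user in, and compares that listing with the expected home folder on the file share. ftp.example.com is a placeholder for your FTP server, passwords are prompted for, and the server certificate has to be trusted by the client just as FileZilla would require; nothing is switched off here.

```powershell
# Added example, not code from the original article. ftp.example.com is a placeholder.

function Get-FtpsListing {
    param(
        [Parameter(Mandatory)] [string]       $Server,
        [Parameter(Mandatory)] [pscredential] $Credential,
        [switch] $PlainFtp    # only for the "No SSL" variant of the site
    )
    $req = [System.Net.FtpWebRequest]::Create("ftp://$Server/")
    $req.Method      = [System.Net.WebRequestMethods+Ftp]::ListDirectory
    $req.EnableSsl   = -not $PlainFtp        # explicit FTPS: AUTH TLS on the control channel
    $req.Credentials = $Credential.GetNetworkCredential()
    $req.UsePassive  = $true
    $resp = $req.GetResponse()
    try {
        $reader = New-Object System.IO.StreamReader -ArgumentList $resp.GetResponseStream()
        $names = @()
        while (-not $reader.EndOfStream) { $names += $reader.ReadLine() }
        return $names
    } finally {
        $resp.Close()
    }
}

# Where each user is expected to land, as stated in the conclusion.
$Expected = @{
    FTPuser1 = '\\Fileserver\FTProot\Home1'
    FTPuser2 = '\\Fileserver\FTProot\Home1'
    FTPuser3 = '\\Fileserver\FTProot\Home2'
}

foreach ($user in $Expected.Keys) {
    $cred = Get-Credential -UserName $user -Message "Password for $user"
    $seen = @(Get-FtpsListing -Server 'ftp.example.com' -Credential $cred | Sort-Object)
    $want = @(Get-ChildItem $Expected[$user] | Select-Object -ExpandProperty Name | Sort-Object)
    # Same names in the FTP listing as on the share = the user is in the right home.
    $ok = (($seen -join '|') -eq ($want -join '|'))
    "{0,-10} isolated to {1}: {2}" -f $user, $Expected[$user], $ok
}
```

If a user can list the other department's folder, or the listings are identical for FTPuser1 and FTPuser3, user isolation is not in effect and the msIIS-FTPDir attributes from step 5 are the first thing to re-check.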
 

2014-12-30

Check Microsoft Office 2010/2013 activation type and status. Change from MAK to KMS (or from KMS to MAK). Troubleshoot KMS activation.

To check whether your Office is activated with a MAK or KMS key:
 
1. Launch CMD as administrator
 
2. In the command prompt navigate to the Office installation folder:
Office 2010 (32-bit Office on 64-bit Windows): C:\Program Files (x86)\Microsoft Office\Office14
Office 2013 (32-bit Office on 64-bit Windows): C:\Program Files (x86)\Microsoft Office\Office15
Office 2010 (32-bit Windows, or 64-bit Office): C:\Program Files\Microsoft Office\Office14
Office 2013 (32-bit Windows, or 64-bit Office): C:\Program Files\Microsoft Office\Office15
 
3. In the command prompt type "cscript ospp.vbs /dstatus" (without quotes) and press enter
 
4. You can identify the license type from "LICENSE NAME" and the activation status from "LICENSE STATUS"
(screenshot: example of MAK activated Office 2013)
(screenshot: example of KMS activated Office 2010)
 
To change from MAK activation to KMS (or vice versa), change to the appropriate key:
 
1. Launch CMD as administrator
 
2. In the command prompt navigate to the Office installation folder:
Office 2010 (32-bit Office on 64-bit Windows): C:\Program Files (x86)\Microsoft Office\Office14
Office 2013 (32-bit Office on 64-bit Windows): C:\Program Files (x86)\Microsoft Office\Office15
Office 2010 (32-bit Windows, or 64-bit Office): C:\Program Files\Microsoft Office\Office14
Office 2013 (32-bit Windows, or 64-bit Office): C:\Program Files\Microsoft Office\Office15
 
3. Change to a KMS key by entering the following command with the corresponding KMS client key:
Office 2010 ProPlus: cscript ospp.vbs /inpkey:VYBBJ-TRJPB-QFQRF-QFT4D-H3GVB
Office 2013 ProPlus: cscript ospp.vbs /inpkey:YC7DK-G2NP3-2QQC3-J6H88-GVGXT

Note: these are the publicly available KMS client keys; if you need to change from KMS to MAK, enter your MAK key instead.

4. After changing the key you can go ahead and activate Office against the KMS host by entering the following command in the cmd: "cscript ospp.vbs /act" (without quotes).
 
If KMS activation fails you can check the following:
 
1. See if the right KMS host resolves from DNS:
In the command prompt run "nslookup -type=srv _vlmcs._tcp" (without quotes);
you should see something like this:
_vlmcs._tcp.pzu.lt      SRV service location:
          priority       = 0
          weight         = 0
          port           = 1688
          svr hostname   = kms-host.company.com
kms-host.company.com      internet address = 192.168.1.17
 
2. If you see the correct host, check whether you can reach it on port 1688:
in the command prompt type "telnet kms-host.company.com 1688" (without quotes).
If the connection is successful you will see a blank window; if not, you will receive the message:
Connecting To kms-host.company.com...Could not open connection to the host, on port 1688:
Connect failed
 
3. If you see an incorrect host, you should resolve the problems in your infrastructure (deactivate wrong KMS hosts and delete their entries from your DNS server). Meanwhile you can specify the KMS host to activate against manually by running "cscript ospp.vbs /sethst:kms-host.company.com" (without quotes)
and activate afterwards with "cscript ospp.vbs /act" (without quotes).
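The whole post as PowerShell functions, added here as an example (not from the original post) so the checks can be run on many machines or from a script: finding ospp.vbs in the folders listed in step 2, parsing the /dstatus output into objects, the SRV lookup and port 1688 reachability test from the troubleshooting section, and the optional /sethst override before /act. kms-host.company.com is the same placeholder the post uses.

```powershell
# Added example, not code from the original post. Requires an elevated prompt
# for the activation commands, as the post says.

function Get-OsppPath {
    # First ospp.vbs found among the Office 2010/2013 folders from step 2.
    $candidates = 'C:\Program Files (x86)\Microsoft Office\Office15',
                  'C:\Program Files (x86)\Microsoft Office\Office14',
                  'C:\Program Files\Microsoft Office\Office15',
                  'C:\Program Files\Microsoft Office\Office14'
    foreach ($dir in $candidates) {
        $p = Join-Path $dir 'ospp.vbs'
        if (Test-Path $p) { return $p }
    }
    throw 'ospp.vbs not found in any known Office 2010/2013 folder'
}

function Get-OfficeLicenseStatus {
    # Parses the LICENSE NAME / LICENSE STATUS lines of "cscript ospp.vbs /dstatus".
    # Every licensed product prints its own block, so several objects may be returned.
    $output  = & cscript.exe //Nologo (Get-OsppPath) /dstatus
    $current = $null
    foreach ($line in $output) {
        if ($line -match '^LICENSE NAME:\s*(.+)$') {
            $current = [ordered]@{ LicenseName = $matches[1].Trim(); Channel = $null; Status = $null }
        } elseif ($current -and $line -match '^LICENSE STATUS:\s*(.+)$') {
            $current.Status  = $matches[1].Trim()
            # Volume editions carry KMS_Client or MAK in the license name.
            $current.Channel = if ($current.LicenseName -match 'KMS') { 'KMS' }
                               elseif ($current.LicenseName -match 'MAK') { 'MAK' }
                               else { 'Other' }
            [pscustomobject]$current
            $current = $null
        }
    }
}

function Test-KmsHost {
    param([string] $KmsHost, [int] $Port = 1688)
    # 1. The SRV record that KMS clients use for auto-discovery (step 1 above).
    $srv = Resolve-DnsName -Name "_vlmcs._tcp.$env:USERDNSDOMAIN" -Type SRV -ErrorAction SilentlyContinue
    # 2. TCP reachability of each candidate host (the telnet test from step 2).
    $hosts = if ($KmsHost) { @($KmsHost) } else { @($srv | ForEach-Object { $_.NameTarget }) }
    foreach ($h in $hosts) {
        $t = Test-NetConnection -ComputerName $h -Port $Port -WarningAction SilentlyContinue
        [pscustomobject]@{ KmsHost = $h; Port = $Port; Reachable = $t.TcpTestSucceeded; FoundInDns = [bool]$srv }
    }
}

function Invoke-OfficeKmsActivation {
    param([string] $KmsHost)   # optional override, as in step 3 of the troubleshooting section
    $ospp = Get-OsppPath
    if ($KmsHost) { & cscript.exe //Nologo $ospp "/sethst:$KmsHost" }
    & cscript.exe //Nologo $ospp /act
}

# Usage:
Get-OfficeLicenseStatus | Format-Table LicenseName, Channel, Status
Test-KmsHost                                   # hosts advertised in DNS
Test-KmsHost -KmsHost 'kms-host.company.com'   # the host you intend to set with /sethst
```

A host that shows up in the SRV answer but is not reachable on 1688 points at a firewall or a decommissioned KMS server whose record was never removed, which is exactly the case step 3 above tells you to clean up in DNS rather than paper over with /sethst permanently.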
 