Windows: Schannel error 40 and Internet Explorer

When I needed to access a secure page (HTTPS) from Internet Explorer 11 on a Windows 2008 R2 server, I always got a “Page cannot be displayed” error. I could, though, access that page from another machine or another browser on the same server.

Looking in the Event Viewer I saw:

Log Name: System
Source: Schannel
Date: 05.01.2015 12:11:58
Event ID: 36887
Task Category: None
Level: Error
Keywords:
User: SYSTEM

Description:
The following fatal alert was received: 40.

Schannel error 40 means: SSL3_ALERT_HANDSHAKE_FAILURE

So I checked with SSL Labs which Ciphers my browser offers:

https://www.ssllabs.com/ssltest/viewMyClient.html

It looks like it was offering very old ciphers first:

TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA

I checked the following Registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002

It contained exactly the same old ciphers first!

So I looked at a Windows 7 client that was working and saw that there were the newer and more secure ciphers listed first:

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P521
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P521

I copied the Registry entry of the working machine to the server, rebooted the server and – Bingo – I could now access the web page.
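The comparison described above can be scripted. The following is an added example, not part of the original post: it reads the suite order from the registry key named above and flags suites that are preferred ahead of the first ECDHE/DHE suite. It assumes the order is stored in the `Functions` multi-string value of that key. The helper names `Get-SuiteClass` and `Test-SuiteOrder` are hypothetical, and the fallback list is a constructed sample.

```powershell
# Added example (not from the original post): audit the Schannel cipher suite order.
# Assumption: the order is the REG_MULTI_SZ value "Functions" under the key from the post.
# Written to run on PowerShell 2.0, the default on Windows 2008 R2.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002'

function Get-SuiteClass([string]$Suite) {
    if ($Suite -match 'RC4|3DES|_DES_|NULL|MD5') { return 'weak' }
    if ($Suite -match '^TLS_(ECDHE|DHE)_')       { return 'forward-secret' }
    return 'static-RSA-or-other'   # e.g. TLS_RSA_WITH_AES_128_CBC_SHA
}

function Test-SuiteOrder([string[]]$Suites) {
    $rows = @(for ($i = 0; $i -lt $Suites.Count; $i++) {
        New-Object PSObject -Property @{
            Position = $i + 1; Suite = $Suites[$i]; Class = Get-SuiteClass $Suites[$i] }
    })
    # Position of the first suite that offers forward secrecy ($null if there is none)
    $firstFs = ($rows | Where-Object { $_.Class -eq 'forward-secret' } |
                Select-Object -First 1).Position
    # Everything preferred ahead of it (all suites when no ECDHE/DHE suite is listed)
    $ahead = @($rows | Where-Object {
        $_.Class -ne 'forward-secret' -and (-not $firstFs -or $_.Position -lt $firstFs) })
    New-Object PSObject -Property @{
        Rows = $rows; FirstForwardSecret = $firstFs; PreferredAhead = $ahead }
}

# Constructed sample: the four suites the failing server listed first,
# followed by one suite from the working Windows 7 list.
$sample = @(
    'TLS_RSA_WITH_AES_128_CBC_SHA',
    'TLS_RSA_WITH_AES_256_CBC_SHA',
    'TLS_RSA_WITH_RC4_128_SHA',
    'TLS_RSA_WITH_3DES_EDE_CBC_SHA',
    'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256'
)

# Use the live value when the key is readable, otherwise the constructed sample.
$live = (Get-ItemProperty -Path $key -Name Functions -ErrorAction SilentlyContinue).Functions
if (-not $live) { $live = $sample }

$result = Test-SuiteOrder $live
$result.Rows | Sort-Object Position | Format-Table Position, Class, Suite -AutoSize
if ($result.PreferredAhead.Count -gt 0) {
    Write-Warning ("{0} suite(s) are preferred ahead of the first ECDHE/DHE suite." -f $result.PreferredAhead.Count)
}
```

Before importing a key from another machine, save the current one with `reg export` so the change can be rolled back.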

ESXi 5.5: How to install an update via SSH

Download the current update (e.g. ESXi 5.5 Update 2) from MyVMWare. For HP servers, download the special HP version. Download the .zip file, not the .iso file.

Copy the .zip file to the datastore via vSphere client.

Log in to ESX via SSH

Run the command

esxcli software vib update -d "/vmfs/volumes/datastore1/Install/VMWare-ESXi-5.5-U2-HP/VMware-ESXi-5.5.0-Update2-2068190-HP-5.77.3-Nov2014-depot.zip"

Reboot VMWare ESXi

Apple iOS8: How to download iOS updates manually

If you need to download an Apple iOS update manually, do the following. Go to:

http://www.ipswdownloader.com

Choose the hardware model (e.g. iPad4 (GSM)).

Then download the .ipsw file (this can be 2GB in size or more).

Place this file in the following directory (that’s for Windows 7):

C:\Users\UserName\AppData\Roaming\Apple Computer\iTunes\iPad Software Updates

When you connect your iOS device to your computer and start iTunes, you can directly load the update.

Apple iOS 8: How to factory reset a locked iPad or iPhone

If you forget your device passcode or PIN, there is no way to get into it again. You have to do a factory reset of the device. For that, you need iTunes and a USB cable to connect your device to your PC.

Find below the steps to recover your handheld:

Important: These steps will wipe (delete) all your data and settings from your device.

  1. Remove all cables from your device.
  2. Switch your device off by holding the Standby button and swiping to the right.
  3. Hold the home button and connect your handheld to a running iTunes. Keep holding the home button until the “Connect to iTunes” logo appears on the device.
  4. In iTunes, click “Restore”.
  5. In iTunes, click “Restore and Update”.
  6. If you are shown an iOS Update screen, click “Next”.
  7. On the License Agreement, click “Agree”.
  8. iTunes now downloads the latest iOS software and puts your device in “Recovery Mode”.
  9. The update and factory reset can take up to an hour.

Windows Active Directory: How to move the FSMO Roles via the GUI

All 5 FSMO roles of Active Directory can be moved via script, but let's see how it works via the GUI (MMC):

RID Master, Infrastructure Master, and PDC Emulator

  1. Log in to the target DC via RDP
  2. Open “AD Users and Computers”
  3. Right-click the Domain and choose “Operations Masters…”
  4. Choose the appropriate tab
  5. Click “Change…”
  6. Click “Yes” to confirm

Schema Master

Make sure you are a member of the “Schema Admins” group. Being in the “Enterprise Admins” group is not enough!

  1. Log in to the source DC via RDP
  2. Open “AD Schema”
  3. Right-click “Active Directory Schema” and choose “Change Active Directory Domain Controller”
  4. Choose the target DC
  5. Right-click “Active Directory Schema” and choose “Operations Masters…”
  6. Click “Change…”
  7. Click “Yes” to confirm

Domain Naming Master

  1. Log in to the target DC via RDP
  2. Open “AD Domains and Trusts”
  3. Right-click “Active Directory Domains and Trusts” and choose “Change Active Directory Domain Controller”
  4. Choose the target DC
  5. Right-click “Active Directory Schema” and choose “Operations Masters…”
  6. Click “Change…”
  7. Click “Yes” to confirm

Windows Active Directory: Who holds the FSMO Roles?

The easiest way to find out which Active Directory Domain Controller holds the FSMO roles is the following:

  • Open a CMD box
  • Type netdom query fsmo
  • The output is something like

    C:\Windows\system32>netdom query fsmo

    Schema master               DC1.ad-domain.local
    Domain naming master        DC1.ad-domain.local
    PDC                         DC1.ad-domain.local
    RID pool manager            DC1.ad-domain.local
    Infrastructure master       DC1.ad-domain.local

    The command completed successfully.

Windows: How to elevate the Command Prompt to System Rights

Have you ever tried to configure something on a Windows system as Administrator and still got a “permission denied” error?

While the Administrator is powerful, he still can’t do everything. There is an account that is even more powerful: it is called SYSTEM. So how can you run something as SYSTEM? Here is how:

  • Start a command prompt as Administrator
  • From Sysinternals, download psexec.exe and put it on the C: drive
  • In the command prompt, navigate to the directory with psexec.exe
  • Run “psexec.exe -i -s cmd.exe” (without the quotes)
  • Now a second command prompt opens with SYSTEM privileges
  • Type “whoami” to confirm that you are SYSTEM

Be careful: with these rights, you can easily destroy a system.

HP ILO: Configure it via ESX

When you can’t access HP ILO via the Web Console anymore (e.g. because you have configured the IP address wrongly or enabled DHCP by accident), you can configure the ILO IP settings via ESX.

Log in to the ESX vSphere Client.

Make sure that SSH is running on ESX (ESX host > Configuration > Security Profile > Services > Properties; start SSH if it is not started).

Download PuTTY on the Windows machine where the vSphere Client runs. Start Putty.exe and use the IP address of the ESX host to log in.

After you have entered the user name (root), it takes a while for the password prompt to be shown. Wait and then enter the password.

cd /opt/hp/tools

Export the current config: ./hponcfg -w /tmp/ilo_config.txt

Now, copy this file to the Windows machine (for example with WinSCP).

Open it with WordPad and change the following lines:

<IP_ADDRESS VALUE = "10.10.10.20"/>
<SUBNET_MASK VALUE = "255.255.255.0"/>
<GATEWAY_IP_ADDRESS VALUE = "10.10.10.1"/>
<DHCP_ENABLE VALUE = "N"/>

Copy it back to the ESX host (overwrite existing file)

./hponcfg -f /tmp/ilo_config.txt

Let the ILO restart.

You should now be able to log in to ILO via the Web Console.

BES 5.0.4: How to add an administrative user

On BES 5.0.4, it is a bit tricky to add an administrative user. Normal BlackBerry users are added under User > Create user, but admin users have to be added from a different menu.

First, log in with BESAdmin. Then, you have to go to

Administrator user > Create an administrator user

Then, fill in the fields, which are not self-explanatory:

Display name: Use the display name from Active Directory
User name: Use the AD login name
Domain: Use the AD domain name
Administrator password: Use the password from BESAdmin, not from the user you are creating