LDAPS Identity Source for VMware vCenter Single Sign On 5.1

May 21, 2013


Once you are done with the installation of VMware vCenter 5.1, you will notice that the vSphere 5.1 client won't let you log in to your vCenter Server. You will either need to configure a local admin ID on your vCenter Server or, if you have Active Directory (AD) running in your environment, link it to your vCenter Server by configuring an identity source.

During installation of vCenter Single Sign On 5.1, it tries to add the identity source, but in my case this resulted in an error (Error 29155.Identity source discovery error). I then found out that this is the case with other users as well, and that it was also pointed out by VMware in their KB articles. The workaround given for the issue was to add the identity source manually. Doing so, I got the following errors.

[LDAP: error code 8 – 00002028: LdapErr: DSID-0C0901FC, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v1db1]

and

simple bind failed:yourdomain:636

These errors occur because your AD is configured to communicate over an LDAPS (SSL) connection. Hence, to register your identity source, you will need the X.509 certificate of your AD domain controller (DC). Export the certificate of your AD, but make sure it is the Base-64 X.509 certificate.
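Before importing, the exported file can be checked to confirm it really is the Base-64 form and was not cut short. The following is an added example, not part of the original post: it does a structural check only (encoding and declared length, no signature or trust validation), and the sample bytes are a constructed stand-in for a real export.

```python
import base64
import re

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.+?)\s*-----END CERTIFICATE-----", re.S)

def der_is_complete(der: bytes) -> bool:
    """True if `der` is one ASN.1 SEQUENCE whose declared length matches."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    if der[1] < 0x80:                      # short form: length in one byte
        header, length = 2, der[1]
    else:                                  # long form: next n bytes hold length
        n = der[1] & 0x7F
        if n == 0 or len(der) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(der[2:2 + n], "big")
    return header + length == len(der)

def classify_export(data: bytes) -> str:
    """Return 'base64', 'der', 'truncated' or 'not-a-certificate'."""
    m = PEM_RE.search(data)
    if m:
        try:
            der = base64.b64decode(b"".join(m.group(1).split()), validate=True)
        except ValueError:                 # damaged Base-64 body
            return "truncated"
        return "base64" if der_is_complete(der) else "truncated"
    if data[:1] == b"\x30":                # raw binary (DER) export
        return "der" if der_is_complete(data) else "truncated"
    return "not-a-certificate"

def to_base64(data: bytes) -> str:
    """Re-encode a binary (DER) export as the Base-64 form."""
    b64 = base64.b64encode(data).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["-----BEGIN CERTIFICATE-----", *lines,
                      "-----END CERTIFICATE-----"]) + "\n"

# Constructed stand-in for a DER export: SEQUENCE header + 256 filler bytes.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(256)
```

A result of 'der' means the certificate was exported in the binary format and should be re-exported or converted; 'not-a-certificate' covers other export types such as a PKCS #7 bundle.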


Once imported, add the identity source again.

Once you choose the certificate from the Choose Certificate tab, make sure you get the confirmation. If not, there must be something wrong with your certificate.

You can click on Test Connection to verify your AD connectivity.


If you are still facing problems in adding the identity source, make sure of the following things:

  • Your vCenter, vSphere, vSphere Web Client, vCenter SSO etc. must all be installed in the same default directories.
  • Do add the port 3269 with your FQDN.
  • There must be a proper forward and reverse pointer entry on your DNS for your vCenter Server.
  • Enter the complete user name for authentication e.g. user@domain.com
  • If your domain controller is behind a firewall; make sure you have configured a policy to allow vCenter traffic.

SQL Database Creation for vCenter 5.1 and vCenter Single Sign On 5.1

May 17, 2013


I am not a database guy and have always avoided anything related to it. When installing VMware vCenter 5.1 or earlier, you are prompted to create a DB instance. You can carry on by creating a default instance of SQL Express (zero effort required; YES, I have always done that). But doing so is not recommended in a production environment, as the DB gets populated and there are limited options to purge/protect your logs. Hence installation of a separate SQL server is recommended. For a dumb person like me, VMware is kind enough to include scripts for the DB creation and permission rights in the setup package, but I found that customization was required. Hence, for all the like-minded fellows out there, this post might be of some help.

There are basically two DBs that need to be created: one for vCenter and the other for vCenter Single Sign On (SSO). VMware has made a major change in vCenter 5.1, for which it is mandatory to install the SSO module.

I used Microsoft SQL Server 2008 (Enterprise Edition) to carry on my installation. For the basic requirement; select the following features:

  • Database Engine Services.
  • Client Tools Connectivity.
  • Integration Services.
  • Management Tools Basic/Complete

Once installed, open the SQL Database Enterprise Manager and create a New Query. Execute the following three scripts one by one. (WordPress won't let me upload .sql or .txt files, hence bear with the .doc extension 🙂 )

  1. VCENTER_DB_CREATION_SCRIPT
  2. SSO_RSA_DB_CREATION_SCRIPT_1
  3. SSO_RSA_DB_CREATION_SCRIPT_2

Once done with this, make sure to create the ODBC SYSTEM DSN for the vCenter DB (VCDB). Following are the steps to create the SYSTEM DSN.

  1. Go to ODBC DATA SOURCE ADMINISTRATOR from the Control Panel. Click the SYSTEM DSN tab at the top. Click ADD.
  2. Double-click SQL NATIVE CLIENT.
  3. Enter the NAME for the data source and the IP of the DB Server. Click NEXT.
  4. Select the SQL SERVER AUTHENTICATION OPTION and give the user (default: vpxuser) credentials (the ones you provided in VCENTER_DB_CREATION_SCRIPT). Click NEXT.
  5. Make sure that the VCDB database is selected in the CHANGE THE DEFAULT DATABASE TO tab. Click NEXT.
  6. Leave the default settings and click FINISH.
  7. You can verify your DB connectivity by clicking TEST DATA SOURCE.

After doing this; you can now proceed with your vCenter installation. Start the installation by clicking the vCenter Server Simple Install from the vCenter Setup Wizard.

During the SSO installation you will be asked to provide the DB details. Provide the credentials you created in script SSO_RSA_DB_CREATION_SCRIPT_2.

When the SSO and vCenter inventory setups are completed, the installation of the vCenter Server will begin. During the setup you will again be asked to provide the DB details. Select the radio button for USE AN EXISTING SUPPORTED DATABASE and select the already created SYSTEM DSN (VCDB). Make sure to enter the credentials you entered while creating the SYSTEM DSN.

That's all you need to configure the DBs for your vCenter installation. I am personally done with my installation but am now stuck on a couple of up-gradation issues from 5.0 to 5.1. Hence in my next blog I will be writing on those issues.

CentOS + Tumy

January 6, 2013

# yum install salad.bar

😀


HTTPS sites not loading in Windows 8

December 17, 2012

While I am still in the process of tweaking my Windows 8 workstation; apparently Microsoft has decided to block websites that have SSL certificates with keys that are less than 1024 bits.

Evidently this is not only an issue with Windows 8 (which I presumed) but rather a development with IE 8 and beyond. For Windows 7, Microsoft did release a patch. In Windows 8 (thanks to the forums) I did the following workaround to get the sites to load in the default IE10 provided with Windows 8.

  • Run command prompt with administrator privileges.
  • Execute the following commands

certutil -setreg chain\minRSAPubKeyBitLength 512

This will set the minimum allowed key length to 512 bits rather than 1024 bits.

certutil -setreg chain\EnableWeakSignatureFlags 8

With this flag, blocking of keys with a length of less than 1024 bits will not be enforced.

certutil -setreg chain\WeakSignatureLogDir "c:\Under1024KeyLog"

This is required when you set the flag described in the previous command to 8. All the keys with a length of less than 1024 bits will be written to this folder. (Though I have to admit I haven't found this folder physically :\)

  • After giving my Windows a restart; things started working for me!

Microsoft Knowledge Bases: 2661254, 813444.
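Because certutil -setreg writes these values machine-wide, it is worth being able to spot a host that still carries the workaround. The following is an added example, not part of the original post: it evaluates `reg query` output for the chain configuration key (key path as given in KB 2661254; the sample text is constructed to match the three commands above).

```python
import re

# Constructed `reg query` output for a host where the three commands above
# were applied; key path as given in Microsoft KB 2661254.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\OID\EncodingType 0\CertDllCreateCertificateChainEngine\Config
    minRSAPubKeyBitLength    REG_DWORD    0x200
    EnableWeakSignatureFlags    REG_DWORD    0x8
    WeakSignatureLogDir    REG_SZ    c:\Under1024KeyLog
"""

VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*)$")
ONLY_LOG = 0x8            # value 8: weak keys are logged instead of blocked
DEFAULT_MIN_BITS = 1024   # the block described in the post

def parse_reg_query(text):
    """Map value name (lower-cased) -> int for REG_DWORD, str otherwise."""
    values = {}
    for line in text.splitlines():
        m = VALUE_RE.match(line)
        if m:
            name, kind, data = m.groups()
            values[name.lower()] = (
                int(data, 16) if kind == "REG_DWORD" else data.strip())
    return values

def audit_chain_config(text):
    """Return a list of findings; empty means the 1024-bit block is intact."""
    v = parse_reg_query(text)
    findings = []
    bits = v.get("minrsapubkeybitlength", DEFAULT_MIN_BITS)
    if bits < DEFAULT_MIN_BITS:
        findings.append(f"minimum RSA key length lowered to {bits} bits")
    if v.get("enableweaksignatureflags", 0) & ONLY_LOG:
        findings.append("weak keys are only logged, not blocked")
        if "weaksignaturelogdir" not in v:
            findings.append("log-only flag set but WeakSignatureLogDir missing")
    return findings
```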

Remote Server Administration Tools for Windows 8

December 16, 2012


I remember that installing the Remote Server Administration Tools (RSAT) on Windows 7 was installing a simple patch. But doing the same for my Windows 8; nothing happened! There were no tools available; no DSA.MSC, no DHCPMGMT.MSC. And I was getting fed up of taking RDP’s of the servers.

After googling around I did find the solution. The problem was with my language pack. I don't know why Windows 8 media are only released with the English-Great Britain pack while the generic tools are dependent on the English-United States language pack. So here is how I came around those problems.

1. Download the language pack for Windows 8. You can download it from MSDN but that's not free. So get yourself a subscription or find any other way 😉

2. Once downloaded, open the RUN prompt and type lpksetup.exe

3. Click Install display languages.

4. Browse to your language pack media and select the EN-US LP (language pack) and click OK. Then click Install.

5. Once done; download the RSAT for Windows 8 from their download center;  yes this is free :p

6. Extract the .MSU using WinRar or any other tool you prefer. You will need the .CAB file which will appear after you extract the .MSU contents.

7. Open the Windows Power Shell with administrator privileges.

8. Execute the following command.

Add-WindowsPackage -PackagePath 'C:\Windows6.2-KB2693643-x86.cab' -Online -LogPath RSAT.log

I placed the .CAB file on my C Root for easy access. Just use the TAB key and find your way to it. In my case I had a 32-Bit OS. Once done you will have a nice set of icons like these in your start menu.

Hopefully this time you will get your RSA tools 😉 No more RDP’s for me!

Thanks to IT Pro Powershell for a reference blog on this issue 🙂

Dot Net Framework 3.5 on Windows 8

December 16, 2012

After migrating to Windows 8, some of my old applications were not able to execute due to the non-availability of Dot Net Framework 3.5. Dot Net Framework 4.0 is provided with Windows 8, but downloading the standalone installer version of 3.5 was not possible (even the standalone version tries to connect to the Internet, and in many cases that failed too, which I came to know from some blogs online).

But did you know that Framework 3.5 can be directly installed on Windows 8, provided you have the DVD\ISO of Windows 8? If you have that, then it's just a command from PowerShell and you are done. Here is how it can be done.

 

1. Mount the Windows 8 DVD\ISO.

2. Open the Windows Power Shell with Administrator privileges.

3. Execute the following command (with your DVD drive letter as X):

Enable-WindowsOptionalFeature -Online -FeatureName 'NetFx3' -Source 'X:\sources\sxs'

And voila; you are done.

Recovering a stolen USB Drive

October 4, 2012

Am feeling all CSI at the moment! Yesterday; I got involved in an investigation of a USB mass storage device theft. The clue I had at start was the Windows 7 machine from which the device was stolen and a CCTV camera. The video from the CCTV wasn’t much helpful without any supporting evidence from the machine hence my only resort was to dig deep into the machine’s OS and get to some conclusion.

I did what anyone would have done: checking out the event viewer. Unfortunately no such logs about USB devices are recorded there. So I resorted to some Googling. Once again I owe one to the immense help available out there online on forums and blogs; you can just find any solution these days! What I did find was that a USB device, when plugged into a machine, leaves all kinds of traces. These traces include time stamps, vendor & product IDs, serial numbers, product make\model etc. Of all these, what is more integral to forensics is the time stamps, and getting them accurate is the key to getting some productivity out of the homework.

I found two really great utilities that helped me in ending the case. USBDeview by Nirsoft and Windows USB Storage Parser by TZWorks LLC. Of these two USBDeview is simple and more efficient and I will tell you here why.

So getting to homework! First get to know your machines and devices well.

Get to know which USB devices are used on a machine

You can find out by going into the Registry Editor and checking out HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR. This is what you will get.

As you can see from the snapshot, there are a total of three devices used on this machine, with the serial numbers mentioned under the product names. Serial numbers are unique and will give you a head start.
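The same information can be pulled out of an exported key listing and compared between two machines, which is the comparison the investigation below ends with. The following is an added example, not part of the original post: it parses key paths as `reg query` lists them, and every vendor, product and serial value in the sample is constructed.

```python
import re

# Constructed key paths, as `reg query HKLM\SYSTEM\ControlSet001\Enum\USBSTOR /s`
# would list them on two machines (all vendor/serial values are made up).
VICTIM = r"""
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.26\4C530001234567890123&0
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.26\4C530001234567890123&0\Device Parameters
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\6&2f1b3c4d&0
"""
SUSPECT = r"""
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_2.0&Rev_PMAP\001CC0EC34A1BB31&0
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.26\4C530001234567890123&0
"""

KEY_RE = re.compile(
    r"\\Enum\\USBSTOR\\(?P<type>[^&\\]+)&Ven_(?P<vendor>[^&\\]*)"
    r"&Prod_(?P<product>[^&\\]*)&Rev_(?P<rev>[^\\]*)\\(?P<instance>[^\\]+)$",
    re.IGNORECASE)

def parse_usbstor(text):
    """Return one dict per device instance key found in `text`."""
    devices = []
    for line in text.splitlines():
        m = KEY_RE.search(line.strip())
        if not m:
            continue  # blank lines, values and deeper subkeys
        inst = m["instance"]
        # '&' as the second character: Windows generated the ID because the
        # device reported no serial of its own, so it is not unique.
        has_serial = not (len(inst) > 1 and inst[1] == "&")
        devices.append({
            "vendor": m["vendor"], "product": m["product"], "rev": m["rev"],
            "serial": inst.rsplit("&", 1)[0] if has_serial else None,
        })
    return devices

def shared_serials(a, b):
    """Device serials seen on both machines (generated IDs are ignored)."""
    pick = lambda t: {d["serial"] for d in parse_usbstor(t) if d["serial"]}
    return sorted(pick(a) & pick(b))
```

Devices whose serial comes back as None cannot be tied to one physical stick by this key alone, so they are left out of the cross-machine match.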

USBDeview

So now I know the device, and have mapped the serial number as well. I then used a simple utility, USBDeview, to get the information I required. The great thing about this utility is that it also shows you the details\time stamps etc. from the previous dates.

This very efficiently shows the complete details in nicely sorted columns. The important entry that helped me a lot here is the Last Plug\Unplug time stamp.

Windows USB Storage Parser

This is another great command line tool. This tool will tell you about the different USB devices used on a machine, their vendor\product ID’s along with serial numbers and time stamps. But most important of all this will also tell you the “account name” that mounted the USB device which can really help in forensics.

As you can see in the snapshot above, it's pretty well self-explanatory. What's missing from there is the unmount event time stamp. That's why I mentioned earlier in this blog that USBDeview holds its ground pretty well and gives us a combined plug\unplug time stamp. This is what helped me in nailing the case.

So to complete the investigation, and to further cement my findings, I used these tools on the suspect’s machine as well and bingo!!! It was all filled up with familiar traces! I rested my case 🙂 !!!

System Center Configuration Manager 2012 Prerequisite Check – Verification Failure

October 1, 2012

Continuing with my SCCM 2012 troubleshooting, there are a few other things I came across. During the installation, at one point it carries out a prerequisite check. The following two checks involved required some googling.

  • One was the BITS error. To continue with this, make sure that the IIS role is installed on your SCCM 2012 server. If it's installed and you are still getting the error, make sure you have checked the IIS 6 Compatibility check boxes by going inside the Add Services to Role.

  • The other error was related to RDC. You can simply overcome this by installing the Remote Differential Compression feature from the Install Feature tab in Server Manager.

Downloading Configuration Manager 2012 Prerequisites

September 29, 2012

Recently I faced a problem while configuring my SCCM 2012 server. During the initial steps of the installation, the setup needs to download some prerequisites in order to continue with the installation. In my case the server was offline and not connected to the Internet, hence I needed to download them on a separate machine. I searched a lot of forums and blogs but the solutions presented were not clear. I then tried to download the required files separately on my own but to no avail, as the SCCM installer first verifies the prerequisites and then continues with the installation. Hence, if you are downloading the prerequisites on a separate machine, make sure of the following points.

  • Make sure the Internet-connected machine on which you are downloading the prerequisites is a 64-bit machine.
  • Many forums suggested copying %\SMSSETUP\BIN\X64\setupdl.exe to the Internet machine. Only copying this file won't work. Hence make sure to copy the complete folder %\SMSSETUP\BIN\X64\ to the Internet machine.
  • Once the folder is copied to the Internet machine, simply double-click setupdl.exe.
  • When prompted, specify the path for the downloads.
  • Now just sit back and relax! It will take a good 30 mins or so depending upon your Internet link. It will specify a total number of 41 files to be downloaded.
  • There would be a total of 406 files on a granular level and a total of 394 MB. BTW am loving my Windows 8! 😉 It's light, it's fast! And it's very customizable! Just note the date in the above snap 😛 Ok, jokes apart!
  • Just copy the folder to your SCCM server and continue with your installation.

Now my SCCM server is all ready but still not mature yet! As I learn the basics and prop up my server, I will make sure to share along! Till then, Adios!

Installation of VMware vSphere 5.0

September 29, 2012

So folks here is another of the VMware series blog I promised. The first one was about the setup of the VMware ESXi 5.0. This time am going to tell you about how to install the VMware vSphere 5.0 which you will use to log into your ESXi server. And here’s how you would be able to do that.

1.   To install VMware vSphere take any network PC with Windows XP/2003Srv/2008Srv/Vista/7 (32 bit or 64 bit), minimum 600 MB free space and minimum of 2 GB ram. Locate the setup file having the name “VMware-viclient-all-5.0.0-455964.exe” and double click it.

2.   Click Run to bypass the security warning.

3.   Setup will start extracting the files.

4.   Select the installation language and click OK.

5.   Click next to begin installation procedure.

6.   Click Next to agree to end-user patent agreement.

7.   Click “I agree to terms…” to agree to VMware end-user license agreement and click Next.

8.   Enter the required information and click Next.

9.   Browse to the destination installation folder and click Next.

10.   Click Install to begin the installation.

11.   Click finish to complete the installation.

12.   An icon for vSphere client will appear on your desktop. Double-click on it to launch the vSphere client.

13.   Enter the credentials for the virtual host machines and click login.

That's all folks! Enjoy!