Receiving Certificate Errors When Connecting to Clients/Servers with TS Gateway or Remote Web Workplace on SBS 2008

Remote Desktop Disconnected

You may receive the following errors when attempting to access a client machine through the Remote Web Workplace (RWW) or the TS Gateway:

[Screenshot: Remote Desktop Disconnected error in RWW]

[To connect to Remote Web Workplace, you must install the proper certificate. Contact the person who provides technical support for your network.]

Likewise, connections to TS Gateway will fail as well. You will receive the following error:

[Screenshot: TS Gateway certificate error]

[This computer can’t connect to the remote computer because the certificate authority that generated the Terminal Services Gateway server’s certificate is not valid.  Contact your network administrator for assistance.]

To determine whether you trust the certificate or not, browse to RWW from Internet Explorer. If it’s not trusted, you will receive the following error in IE:

[Screenshot: IE certificate error page]

Also, check for the certificate status to the right of the URL field:

[Screenshot: certificate status indicator in the IE address bar]

Certificate Creation

When you complete the Internet Address Management Wizard for the first time, a certificate installation package is created for distribution to non domain-joined client machines and mobile devices. Details regarding this package can be found here:

http://blogs.technet.com/sbs/archive/2008/09/30/how-do-i-distribute-the-sbs-2008-self-signed-ssl-certificate-to-my-users.aspx

NOTE: This package is not for installation on the SBS 2008 server

Connections to TS Gateway or Terminal Services through RWW will fail if either the certificate is not trusted, or the name on the certificate does not match the name of the server that you are connecting to.

Certificate Not Trusted

If you are receiving these errors, you need to install the root CA certificate from the SBS server by using the certificate installation package as described in:

http://blogs.technet.com/sbs/archive/2008/09/30/how-do-i-distribute-the-sbs-2008-self-signed-ssl-certificate-to-my-users.aspx

Once the certificate is installed, you can view it in IE by going to Tools > Internet Options > Content > Certificates. You will also stop receiving certificate errors once you connect to RWW.

[Screenshot: IE Certificates dialog showing the installed root certificate]

Certificate Name Does Not Match

Connections will also fail if you connect to TS Gateway or RWW using a different address than that on the certificate. In this case, you will receive the following error when you connect.

For RWW, you will receive these errors in IE:

[Screenshot: IE certificate name mismatch error]

If you check the certificate status to the right of the URL field, you’ll see this:

[Screenshot: certificate status indicator in the IE address bar]

For TS Gateway, you will receive the following:

[Screenshot: TS Gateway certificate name mismatch error]

In either case, click on View certificates to show the Issued to name on the certificate. This is the name that you need to put into IE or the RDP client:

[Screenshot: certificate details showing the Issued to name]

In the case of the above certificate, I would type https://remote.contoso.com/remote to connect to RWW. For TS Gateway, I would connect in the following manner:

[Screenshot: RDP client connecting through TS Gateway]

Certificate Has Expired

This issue can also occur if the SSL certificate has expired. SBS 2008 self-signed leaf certificates are valid for 2 years and the root certificate is valid for 5. If your self-signed certificate has expired, run the “Fix My Network” wizard from the Connectivity tab; this wizard will automatically issue a new matching certificate. If you are using a trusted (purchased) certificate, you will need to contact the certificate issuer for a new certificate and import it using the “Add a trusted certificate” wizard.

[Screenshot]

Wrong Version of Remote Desktop Connection

RWW and TS Gateway require that the connecting client have Remote Desktop Connection 6.1 or greater installed. RDP 6.1 is included with XP SP3, Windows Server 2008, and Vista SP1. RDP 6.1 is available as a separate download for XP SP2 (requires a reboot).

You can tell the version of the RDP client by looking at the file version of C:\Windows\System32\mstsc.exe:

  • 6.0.6001.18000 is RDP 6.1
  • 6.0.6000.16386 is RDP 6.0

NOTE: After installing SP3 for XP you may see the following error: “Remote Desktop Web Connection ActiveX control is not installed. A connection cannot be made without a working installed version of the control.” If you receive this error, please review KB951607 for information on enabling the IE add-on to support RWW.

In Summary:

  1. For TS Gateway or RWW to function properly, you cannot receive any certificate errors when you connect.
  2. Your client machine must trust the Root CA certificate. Install the certificate installation package on the client to accomplish this. (This package is created by running the Internet Address Management Wizard.)
  3. You must connect to TS Gateway or RWW using the address listed on the Issued to field on the certificate.
  4. The certificate must NOT be expired.
  5. You must be running Remote Desktop Connection 6.1 on the client making the connection.  (http://support.microsoft.com/kb/951616)
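The five conditions above can be checked from the client in one go. The following PowerShell script is an added example, not part of the original post: it opens a TLS connection to the name you type into IE or the RDP client, records why Windows rejected the certificate (untrusted root, name mismatch), reads the Issued to name and expiry from the certificate, and reads the mstsc.exe file version. The host name remote.contoso.com is the post's example; substitute the name on your certificate. The handshake is accepted only so the certificate can be inspected; the script never connects to anything beyond the TLS handshake.

```powershell
# Added example, not from the original post: client-side check of the five
# summary conditions. Pass the name you actually type into IE or the RDP client.
param(
    [string]$ConnectName = 'remote.contoso.com',   # assumed, the post's sample name
    [int]$Port = 443
)

$result = @{ Errors = $null; Cert = $null }

# Validation callback: record what Windows objected to, then accept the handshake
# so the certificate can be inspected. This is a diagnostic, not a way to connect.
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $sslPolicyErrors)
    $result.Errors = $sslPolicyErrors
    $result.Cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certificate)
    return $true
}

$client = New-Object System.Net.Sockets.TcpClient($ConnectName, $Port)
try {
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
    $ssl.AuthenticateAsClient($ConnectName)   # $ConnectName is what the cert name is compared against
    $ssl.Close()
} finally {
    $client.Close()
}

$cert      = $result.Cert
$errors    = [int]$result.Errors
$chainFlag = [int][System.Net.Security.SslPolicyErrors]::RemoteCertificateChainErrors
$nameFlag  = [int][System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch
$issuedTo  = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)

# Item 5: Remote Desktop Connection 6.1 or later. mstsc.exe 6.0.6001.18000 is RDP 6.1.
$v = (Get-Item (Join-Path $env:windir 'System32\mstsc.exe')).VersionInfo
$mstscVersion = New-Object System.Version -ArgumentList $v.FileMajorPart, $v.FileMinorPart, $v.FileBuildPart, $v.FilePrivatePart

$checks = @(
    @{ Test = 'Root CA trusted by this client (item 2)';            Pass = (($errors -band $chainFlag) -eq 0) }
    @{ Test = "Name you connected to matches '$issuedTo' (item 3)"; Pass = (($errors -band $nameFlag) -eq 0) }
    @{ Test = "Certificate not expired, valid until $($cert.NotAfter.ToShortDateString()) (item 4)"; Pass = ($cert.NotAfter -gt (Get-Date)) }
    @{ Test = "RDP client $mstscVersion is 6.1 or later (item 5)";  Pass = ($mstscVersion -ge [System.Version]'6.0.6001.18000') }
)

"Certificate issued to: $issuedTo"
"Certificate issued by: $($cert.Issuer)"
foreach ($c in $checks) {
    $status = if ($c.Pass) { 'PASS' } else { 'FAIL' }
    "$status  $($c.Test)"
}
if ($checks | Where-Object { -not $_.Pass }) {
    'At least one condition fails (item 1): RWW and TS Gateway will refuse the connection until it is fixed.'
}
```

A FAIL on the first line means the root CA from the certificate installation package is not in this machine's Trusted Root store; a FAIL on the second means you are connecting with a name other than the Issued to name, which is the name mismatch case described above.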

SBS 2008: Introduction to Remote Web Workplace

Just as it was in SBS 2003, Remote Web Workplace (RWW) is an integral component in the SBS feature set for 2008. Its purpose is to provide a secure centralized web portal for employees and administrators to access network resources. Users can perform the following actions when logged in:

  1. Check their E-mail.
  2. Access the Internal Web Site (CompanyWeb).
  3. Connect to a computer through RDP (only network admins can connect to the SBS server)
  4. Change their domain password
  5. Access help and configuration information for RWW
  6. Access customized corporate links (more information available at: http://technet.microsoft.com/en-us/library/cc527586.aspx)

RWW is installed on the server during SBS Setup, but is not fully configured for Internet access until you complete the “Internet Address Management Wizard” (IAMW). Note: if you are using a third-party SSL certificate, you must also complete the “Add A Trusted Certificate Wizard”. RWW is installed as the remote virtual directory under the SBS Web Applications site, which accepts SSL connections on port 443. By default, the IAMW adds the prefix “remote” to your chosen domain name to distinguish the SBS 2008 server in your web presence as the remote user portal. So if you chose contoso.com as your domain name, you would access RWW using “https://remote.contoso.com”.

For full access to the RWW feature set from the Internet, you must ensure the following:

  1. TCP 443 and TCP 987 (For SharePoint) are open on your Internet firewall.
  2. Clients are running Internet Explorer 6.0 SP2 or higher
  3. The RDP 6.1 client or higher is installed on the client machine
  4. The client must trust the SSL certificate that is installed on the SBS Web Applications site
  5. The client must connect using the URL that matches the common name on the certificate.

Features

From a centralized location, users can launch OWA, connect to an authorized computer, launch CompanyWeb, change their password, and access the built-in corporate links (help for RWW and Outlook Anywhere) or customized links (these links are shared with the Vista Desktop Gadget).

[Screenshot: RWW home page]

Administrators and users are presented with the same features upon login to the homepage, with the following exceptions:

  1. Users are not offered the “Connect to Server” option. Only network administrators can connect to the SBS server.
  2. Users are not presented with the “Administration” links

SBS Console Integration

From the SBS 2008 console, you can perform a variety of management tasks for the website itself. You can access this under “Shared Folders and Web Sites”. The various tasks you can perform include:

  1. Enabling or disabling the website
  2. Browse the website (opens in IE using https)
  3. Add or remove users’ permissions to log in to RWW
  4. Enable or disable RWW homepage links (OWA, Connect to Computer, Internal Website, Change Password, Connect to Server, Help, and Remote Web Workplace Link List)
  5. Manage Organizational and Administrative links that are displayed upon user login. Here you can enable/disable them, change permissions (who can see them), remove them or add new ones, or change their titles

[Screenshot: SBS Console, Shared Folders and Web Sites tasks]

Login Requirements

As it did in SBS 2003, RWW uses forms-based authentication, which stores the encrypted credentials from the user’s initial login as a cookie in the web browser. This cookie is used to authenticate further connections to restricted resources inside RWW, such as OWA and CompanyWeb. Only members of the Windows SBS Remote Web Workplace Users security group are allowed to log in to RWW. To modify membership of this group, use the SBS 2008 Console:

[Screenshot: Windows SBS Remote Web Workplace Users group in the SBS Console]

User Account Properties for RWW Login Rights

[Screenshot]

Launching OWA and CompanyWeb

When OWA and CompanyWeb are launched in RWW, your browser is connected to https://remote.domain.com/owa or https://remote.domain.com:987 respectively, where remote.domain.com is the domain name that you have configured in the IAMW. By default, they open in their own restricted window with no address or navigation bar, preventing you from navigating to a different site in the same window. You can override this (only in IE 7) on the client machine by opening Tools > Internet Options > General > Tabs > Settings and allowing pop-ups to be opened in a new tab:

[Screenshot: IE Tabbed Browsing Settings]

Connect to a computer

When a user clicks “Connect to a computer”, they are presented with a list of the computers they are authorized to connect to, and can set one as their default. Once they choose a default computer, they will no longer be presented with a list and will connect automatically to their chosen machine. Note: if the user is authorized for only a single machine, a list is not shown and they are connected directly to that machine. This is meant to give the administrator greater control over which machines their users can connect to. This information is defined both on the user account and on the computer account properties in the SBS 2008 console:

[Screenshot: user account properties]

Computer account properties:

[Screenshot: computer account properties]

Once “Can log on remotely to this computer” is checked, the next group policy refresh will add the user account to the “Remote Desktop Users” local group on the machine. Note: Administrators automatically have the right to remotely connect to any machine in the domain.

If you have installed Terminal servers in your domain, you can run into a problem where they will not show up in the list of computers to connect to for standard users. To override this behavior to display all computers in the domain, perform the following:

  1. To open the Registry Editor, click Start, click Run, type regedit in the text box, and then press ENTER.
  2. Browse to HKEY_LOCAL_MACHINE\Software\Microsoft\SmallBusinessServer.
  3. Right-click SmallBusinessServer, click New, and then click Key.
  4. Name the key BusinessProductivity.
  5. Right-click BusinessProductivity, click New, and then click DWORD (32-bit) Value.
  6. Name the new value ShowAllComputers.
  7. Right-click ShowAllComputers, type 1 in the Value data text box, and then click OK.

[Screenshot: ShowAllComputers registry value]
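The seven registry steps above as a script, added here as an example and not taken from the original post. It creates the BusinessProductivity key and the ShowAllComputers DWORD under the SmallBusinessServer key named in the steps, then reads the value back so you can confirm it before the next RWW login. Run it in an elevated PowerShell prompt on the SBS 2008 server.

```powershell
# Added example, not from the original post: steps 1-7 above as a script.
# Key and value names are the ones given in the post.
$key = 'HKLM:\SOFTWARE\Microsoft\SmallBusinessServer\BusinessProductivity'

# Steps 3-4: create the BusinessProductivity key under SmallBusinessServer if it is missing.
if (-not (Test-Path $key)) {
    New-Item -Path $key -Force | Out-Null
    "Created $key"
}

# Steps 5-7: create the ShowAllComputers DWORD with value 1 (-Force overwrites an existing value).
New-ItemProperty -Path $key -Name 'ShowAllComputers' -PropertyType DWord -Value 1 -Force | Out-Null

# Read it back: 1 means RWW lists every computer in the domain, terminal servers included.
$value = (Get-ItemProperty -Path $key -Name 'ShowAllComputers').ShowAllComputers
if ($value -eq 1) {
    'ShowAllComputers = 1: RWW will now list all domain computers for standard users.'
} else {
    "Unexpected ShowAllComputers value: $value"
}

# To go back to the default (only authorized computers listed), delete the value:
# Remove-ItemProperty -Path $key -Name 'ShowAllComputers'
```

Bear in mind that with this value set, standard users see every computer in the domain in the RWW list; the “Can log on remotely to this computer” setting on the computer account still decides whether they are allowed to connect.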

TSGateway Integration

RWW in SBS 2008 leverages the TSGateway service that is running on the SBS server to perform the remote desktop connection to the chosen machine. Like RWW, TSGateway is fully enabled when the IAMW is completed (“Add a Trusted Certificate” must also be completed if you are using a 3rd party SSL certificate). This allows remote desktop connections to your domain-joined machines through port 443. This is different from RWW in SBS 2003, where you had to open port 4125 through your firewall.

The following screenshot shows what an RDP connection to TSGateway looks like. We can see that the “Gateway server” field is populated with the URL of the server, which is resolvable both externally and internally in DNS. The “Remote computer” field is populated with the internal machine name of the computer that we are connecting to:

[Screenshot: RDP connection through TSGateway]

You can, in fact, configure the RDP 6.1 client or higher to connect directly through TSGateway without having to first login to RWW. The only difference between this and connecting through RWW is that RWW does this for you automatically. Click on “Options” > select the “Advanced” tab > and click on “Settings” under “Connect from Anywhere” to display the TSGateway configuration settings:

[Screenshot: RDP client Advanced tab, Connect from Anywhere]

Enter in the URL for the SBS 2008 server (which you configured during the IAMW)

[Screenshot: TS Gateway server settings]

Finally, on the “General” tab, enter the internal machine name of the computer you wish to connect to:

[Screenshot: RDP client General tab]
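The three dialog settings above (gateway server, gateway usage, internal computer name) are the same values the RDP client saves in an .rdp file, so they can be scripted. The following PowerShell is an added example, not from the original post: it writes an .rdp file that connects through TSGateway without first logging in to RWW, and launches mstsc with it. The names remote.contoso.com (the IAMW name, which must match the certificate) and WORKSTATION01 (the internal machine name) are assumptions; the setting names are standard .rdp file keys.

```powershell
# Added example, not from the original post: an .rdp file with the
# "Connect from Anywhere" settings from the screenshots above.
param(
    [string]$Gateway  = 'remote.contoso.com',   # assumed: the name configured in the IAMW
    [string]$Computer = 'WORKSTATION01',        # assumed: internal machine name from the General tab
    [string]$Path     = (Join-Path $env:TEMP "$Computer-via-gateway.rdp")
)

$settings = @(
    "full address:s:$Computer",         # General tab: the internal computer name
    "gatewayhostname:s:$Gateway",       # Connect from Anywhere: server name, must match the certificate
    'gatewayusagemethod:i:1',           # 1 = always use the TS Gateway
    'gatewayprofileusagemethod:i:1',    # 1 = use these explicit settings rather than the default profile
    'gatewaycredentialssource:i:4',     # 4 = ask for gateway credentials when connecting
    'promptcredentialonce:i:1',         # reuse the gateway credentials for the remote computer
    'authentication level:i:2'          # warn if the remote computer's identity cannot be verified
)

# mstsc expects .rdp files as UTF-16; one setting per line.
Set-Content -Path $Path -Value $settings -Encoding Unicode
"Wrote $Path"
Get-Content $Path

# Launch the RDP client with the saved connection; it will prompt for credentials.
Start-Process -FilePath (Join-Path $env:windir 'System32\mstsc.exe') -ArgumentList "`"$Path`""
```

Because gatewayhostname is compared against the certificate exactly as described in the certificate errors post above, using an IP address or a different alias here produces the same name mismatch failure as typing the wrong URL into IE.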


How to Install a GoDaddy Standard SSL Certificate on SBS 2008

Many providers offer inexpensive SSL certificates for domain-only validation.  GoDaddy seems to be a popular choice given just how inexpensive the certificates are.  GoDaddy’s inexpensive cert is called Standard SSL certificate.

Before we dive in, let’s recap the certificate story in Windows Small Business Server 2008. There are two “types” of certificates and four “states” your certificate can be in.  Those are defined on TechNet in the Managing Certificates section of the SBS documentation.  The two types are “Self-Issued” or “Trusted”, and by default, SBS 2008 ships using a self-issued certificate infrastructure, which is used to authenticate the server to the client, and encrypt the traffic between the remote client and the server. The obvious downside here is there is extra work with the certificate installer package on your remote/non-domain joined clients, and Windows Mobile devices.  At some point there are enough of these to warrant the low cost to upgrade to a 3rd party Trusted certificate.  With a 3rd party trusted certificate, the client computers and mobile devices already trust the root of the 3rd party certificate, as these are maintained by Microsoft Update (and various other solutions for non-Microsoft based clients/devices).

As you probably read when you learned about the Internet Address Management Wizard, we have a number of domain name providers, eNomCentral, GoDaddy, and Register.com.  All three of these providers are very well equipped to sell you and facilitate installing a trusted certificate for your small business network, so feel free to shop around! 

I’ll be going through the steps for GoDaddy today as they are the only provider that requires intermediate certificates, which is a bit more challenging.  The process is the same for all the providers, except for eNomCentral and Register.com, you can skip the intermediate certificate steps, and naturally the UI would be different.  On a final note, I have not had luck with the GoDaddy certificate and Windows Mobile 5 (Update Below), if you have Windows Mobile 5 devices, you may want to consider one of the other partners, but the best thing to do here is open the certificate store on your WM5 device and validate the root cert for the provider you’re going with is available in the certificate store.

Detailed steps, specific to SBS 2008:

  1. In your Windows SBS Console on the server, navigate to the Network tab and the Connectivity sub-tab and launch the Add a Trusted Certificate connectivity task
  2. Click Next on the welcome screen and choose I want to buy a certificate from a certificate provider and click Next.
  3. Verify this information is correct.  This information will be encoded in the request to the certificate provider, and cannot be changed without buying a new certificate.  Additionally for some certificate requests this information could be used to contact you to validate the ownership of the domain name.  Then click Next.
  4. Once you get to the screen below, you are now going to deal only with the certificate provider, with the encoded certificate request shown in the gray box. Since most providers have you paste this into a web browser, click the Copy button to place it in your clipboard.
    1. IMPORTANT: Do not click Back (or Next and then Back) on this page, as it will generate a new encoded string which will not match the request you make to your cert provider.
  5. Once the encoded string is copied safely (I paste it into Notepad so I don’t lose it during the process), close the Trusted Certificate wizard for now to get it out of the way and prevent errors, now that we have the encoded text in the clipboard (and hopefully in Notepad). Click Next, select My certificate provider needs more time to process the request, and click Next again; the wizard will show a warning that it could not import the certificate into Remote Web Workplace.
    1. You will also notice after you click Finish that the console now shows Request Submitted and you have an option to Remove this Certificate, which we don’t want to do unless we want to go back to the beginning.
  6. At this point, go to your provider’s website and follow the instructions for purchasing a certificate. The provider will most likely ask you to purchase the certificate before they collect the certificate information (the encoded text above) from you. Notes:
    1. The provider may try to sell you other services; feel free to browse, but the server doesn’t require additional services.
    2. The server does not require a wildcard certificate; port numbers (such as 987) are used to save you the cost of purchasing a wildcard certificate.
    3. You should get a confirmation email with instructions on how to install the certificate. My particular email has a section in it stating to log into the website to obtain my cert.
  7. Once I log into my account, it’s abundantly clear that I have a certificate set up waiting for me.
  8. I log in to my account using the ID and choose to use my certificate credit.
  9. Next you will want to go to the Manage Certificate Control Panel.
  10. In the control panel, select your certificate credit and click Request Certificate.
  11. Now you are prompted to insert the CSR, or Certificate Signing Request, which is all of the information you copied out of the trusted certificate wizard (and put into Notepad right?)
    1. IMPORTANT: Make sure you select the server software to be Microsoft IIS.
    2. Note: the actual domain name you are requesting for is encoded in the string from within the Trusted Certificate wizard
  12. Validate the information in the cert is correct, once you confirm it, it’ll cost more money to do this over again, and then click Confirm.
  13. Once you confirm, an email gets sent to the email account on file for that domain name, once you get that email, there is a verification link inside that email that needs to be clicked.  Click it and approve the request, some more email will come into that account you just checked.  One to tell you that it was approved, and one to give you the link to go and get the encoded text.
    1. One thing to note here is there are two things to download, the signed certificate itself, and the intermediate certificates which must also be installed on the website.
  14. Validate the install type is IIS and click Continue, then proceed to the Download Signed Certificate link and save the certificate to the desktop of the server.
  15. Then click the IIS Installation Instructions link to open up the installation instructions.  It’s important to use these instructions for installing the Intermediate Certificate Bundle.  You can follow the Installing the SSL certificate steps as well, but it will change the flow through the Trusted Certificate wizard shown later in this instruction set.
    1. So follow the steps from GoDaddy.com, but I’m going to paste and modify them for SBS 2008 here for you as well… These are of course subject to change without notification!!!
      1. Select Run from the start menu; then type mmc to start the Microsoft Management Console (MMC). Agree to the UAC prompt
      2. In the Management Console, select File; then “Add/Remove Snap In.”
      3. In the Add Standalone Snap-in dialog, choose Certificates; then click the Add button.
      4. Choose Computer Account; then click Next and Finish.
      5. Close the Add Standalone Snap-in dialog and click OK on the Add/Remove Snap-in dialog to return to the main MMC window.
      6. If necessary, click the + icon to expand the Certificates folder so that the Intermediate Certification Authorities folder is visible.
      7. Right-click on Intermediate Certification Authorities and choose All Tasks; then click Import.
      8. Follow the wizard prompts to complete the installation procedure.
      9. Click Browse to locate the certificate file (gd_iis_intermediates.p7b). You’ll have to change the file filter at the bottom right to PKCS #7 Certificates.
      10. Choose Place all certificates in the following store; then use the Browse function to locate Intermediate Certification Authorities. Click Next.
      11. Click Finish.
  16. Once this is imported, we can go back to the Trusted Certificate wizard in the product
    1. Click Add a Trusted Certificate in the console to re-launch the wizard if you closed it (as recommended above), and click Next on the welcome page.
    2. Click I have a certificate from my certificate provider and click Next.
    3. Since GoDaddy provided me with a file, I’m going to browse to the file that matches my domain name, in this case remote.seandaniel.net (alternatively, if the provider gave back encoded text, that could be pasted into the wizard too), and click Next.
    4. We’re finally done, click Finished!  Now remote clients will get the benefit of a trusted certificate, and the console reports Trusted as the certificate type.

It’s important to use the Trusted Certificate wizard for the last step, to ensure that the certificate is bound to the correct IIS website, as well as TSGateway for remote desktop access.  If you followed all the steps from GoDaddy to install the certificate, simply run the Trusted Certificate wizard and choose I want to replace the existing certificate with a new one, and you’ll get shown the trusted certificate and the self-issued certificate for your domain name, just choose the appropriate one based on the type and the expiration date:
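The intermediate import in step 15 can be done from the command line, and it is worth confirming afterwards that the chain actually builds on the server, because a missing intermediate is exactly what produces the “certificate authority … is not valid” TS Gateway error for remote clients. The following PowerShell is an added example, not the post's or GoDaddy's own instructions: it imports the bundle into Intermediate Certification Authorities with certutil (run this before step 16), then, after the Trusted Certificate wizard has imported the leaf, builds the chain and lists every certificate in it. It assumes the bundle was saved to the server desktop as gd_iis_intermediates.p7b (the file name from the post) and that the site name is remote.contoso.com; substitute your own.

```powershell
# Added example, not from the post or GoDaddy: step 15 via certutil, then a chain check.
$bundle   = Join-Path ([Environment]::GetFolderPath('Desktop')) 'gd_iis_intermediates.p7b'  # file name from the post
$siteName = 'remote.contoso.com'                                                               # assumed site name

# Step 15: import every certificate in the PKCS #7 bundle into the computer's
# Intermediate Certification Authorities store ("CA" in certutil's naming). -f overwrites.
if (-not (Test-Path $bundle)) { throw "Bundle not found: $bundle" }
& certutil.exe -addstore -f CA $bundle | Out-Null
if ($LASTEXITCODE -ne 0) { throw "certutil -addstore failed with exit code $LASTEXITCODE" }
"Imported intermediates from $bundle"

# After step 16: find the leaf the Trusted Certificate wizard placed in the Personal store.
$leaf = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*CN=$siteName*" } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $leaf) { throw "No certificate for $siteName in Cert:\LocalMachine\My yet; run the wizard first" }

# Build the chain the way a connecting client would. A missing intermediate shows up
# as a PartialChain status; an untrusted root as UntrustedRoot.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$built = $chain.Build($leaf)

"Chain for $($leaf.Subject):"
foreach ($element in $chain.ChainElements) {
    $c = $element.Certificate
    "  {0,-45} expires {1}" -f $c.GetNameInfo('SimpleName', $false), $c.NotAfter.ToShortDateString()
}
if ($built) {
    "OK: chain builds through $($chain.ChainElements.Count) certificates to a trusted root"
} else {
    'Chain problems (the intermediate store is incomplete or the root is not trusted):'
    foreach ($status in $chain.ChainStatus) { "  $($status.Status): $($status.StatusInformation)" }
}
```

For a GoDaddy Standard certificate you should see three or four entries: the site certificate, the GoDaddy intermediate(s), and the root. If only the site certificate is listed and the status is PartialChain, the intermediates were not imported into the computer store (a common slip is importing them into the user's store instead).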

[Screenshot: Trusted Certificate wizard, choosing between the trusted and self-issued certificate]

On a final note, to renew your certificate after the year, just click that Add a Trusted Certificate link in the console, but this time choose I want to renew my current trusted certificate with the same provider, and follow the instructions!


How to Restore Active Directory on windows servers

On Windows Server 2003 or Windows 2000 domain controllers the Active Directory can be backed up while the domain controller is online. You can restore these backups only when the domain controller is booted into Directory Services Restore mode by using the F8 key when the server is starting.


Can I backup the system state while the Active Directory is online?

Yes – On Windows Server 2003 or Windows 2000 domain controllers the Active Directory can be backed up while the domain controller is online.

You can restore these backups only when the domain controller is booted into Directory Services Restore mode by using the F8 key when the server is starting.
