Tag Archives: fixed

Fixed: NPS using Azure AD not prompting for 2 factor on phone

Screenshot of Yubico numbers for 2FA verification

We recently came across an issue when configuring NPS (Network Policy Server) to use Azure AD Multi-Factor Authentication to validate VPN access for one of our clients. The initial configuration was fairly straightforward following the instructions at https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension, but after connecting to the VPN server we were not getting the push notification on our phone for the final verification step.

Going through the Network Policy Server logs in Event Viewer we saw the following error:

  NPS Extension for Azure MFA: CID: 341b704d-03f1-4ba6-ae92-eb19ae2f2bf3 :Exception in Authentication Ext for User myusername :: ErrorCode:: CID :341b704d-03f1-4ba6-ae92-eb19ae2f2bf3 ESTS_TOKEN_ERROR Msg:: Verify the client certificate is properly enrolled in Azure against your tenant and the server can access URL in Registry STS_URL. Error authenticating to eSTS: ErrorCode:: ESTS_TOKEN_ERROR Msg:: Error in retreiving token details from request handle: -895352831 AADSTS7000112: Application '981f26a1-7f43-403b-a875-f8b09b8cd720'(Azure Multi-Factor Auth Client) is disabled.

The key was the last line: AADSTS7000112, the Azure Multi-Factor Auth Client is disabled. Even though MFA was already in use for the Office 365 portal and desktop apps, the service principal for the Azure Multi-Factor Auth Client (the application the NPS extension authenticates through) was disabled in the tenant.

This was fixed by running the following in a PowerShell session connected to Azure AD with the MSOnline module (Connect-MsolService):

  # 981f26a1-... is the Azure Multi-Factor Auth Client named in the error; 1f5530b3-... is the Azure Multi-Factor Auth Connector
  Set-MsolServicePrincipal -AppPrincipalId "981f26a1-7f43-403b-a875-f8b09b8cd720" -AccountEnabled $True
  Set-MsolServicePrincipal -AppPrincipalId "1f5530b3-261a-47a9-b357-ded261e17918" -AccountEnabled $True

This then allowed MFA to work with NPS. I submitted a PR to the official documentation to have this added as a troubleshooting step, but the PR was closed. Hopefully this post and the PR will help others with their configuration, as it seems to be a fairly common problem.
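The following is an added example, not code from the original post or from Microsoft's documentation. It checks the state of both MFA service principals before touching them, so the change is only made where it is needed and a missing principal is reported (and created) rather than silently skipped. It uses the MSOnline module as the post does and assumes Connect-MsolService has already been run with a Global Administrator account. The second app ID is the Azure Multi-Factor Auth Connector, which Microsoft's NPS extension guidance lists alongside the Auth Client.

```powershell
# Added example (not from the original post or Microsoft's docs): report and, on
# request, enable the two MFA service principals the NPS extension depends on.
# Assumes: MSOnline module loaded and Connect-MsolService already run as a Global Admin.
$ErrorActionPreference = 'Stop'

# App IDs: the first is quoted in the AADSTS7000112 error above; the second is the
# Azure Multi-Factor Auth Connector that goes with it.
$mfaPrincipals = @{
    '981f26a1-7f43-403b-a875-f8b09b8cd720' = 'Azure Multi-Factor Auth Client'
    '1f5530b3-261a-47a9-b357-ded261e17918' = 'Azure Multi-Factor Auth Connector'
}

function Get-MfaPrincipalState {
    foreach ($appId in $mfaPrincipals.Keys) {
        $sp = Get-MsolServicePrincipal -AppPrincipalId $appId -ErrorAction SilentlyContinue
        [pscustomobject]@{
            AppPrincipalId = $appId
            ExpectedName   = $mfaPrincipals[$appId]
            Present        = [bool]$sp
            AccountEnabled = $(if ($sp) { $sp.AccountEnabled } else { $null })
        }
    }
}

function Enable-MfaPrincipals {
    foreach ($state in Get-MfaPrincipalState) {
        if (-not $state.Present) {
            # Create the principal if it is missing so that it can then be enabled
            New-MsolServicePrincipal -AppPrincipalId $state.AppPrincipalId -DisplayName $state.ExpectedName | Out-Null
            Write-Output "Created $($state.ExpectedName)"
        }
        if ($state.AccountEnabled -ne $true) {
            Set-MsolServicePrincipal -AppPrincipalId $state.AppPrincipalId -AccountEnabled $true
            Write-Output "Enabled $($state.ExpectedName)"
        } else {
            Write-Output "$($state.ExpectedName) already enabled"
        }
    }
}

Get-MfaPrincipalState | Format-Table -AutoSize
# Enable-MfaPrincipals
# Get-MfaPrincipalState | Format-Table -AutoSize   # re-check after the change
```

Run the read-only check first, then uncomment Enable-MfaPrincipals; a principal that shows Present but AccountEnabled False is exactly the state that produces the AADSTS7000112 error in the NPS log.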

Fixed – Screenconnect blocked by Windows Smartscreen

Due to an expired code-signing certificate, the version of ScreenConnect that is launched from ConnectWise Automate (aka LabTech) fails to run on two of my Windows 10 machines but works fine on the rest. The error message is "Your administrator has blocked this application because it potentially poses a security risk to your computer", which is the ClickOnce trust manager refusing to run an application it cannot trust while prompting for that zone is disabled. The machines that fail are running Windows 10 1809 and 1903, so I suspect newer builds enable SmartScreen or trust-prompt settings that older builds do not.


Checking the file used for ScreenConnect, I saw that the certificate used to sign the exe expired on February 1st this year, but I'm not sure why my machines suddenly started refusing to run it in the last few days of March.

ScreenConnect.WindowsClient.exe is downloaded to a random subdirectory of %LOCALAPPDATA%\Apps\2.0, so I recommend navigating to that directory, searching for *.exe and checking the signing certificate on the ScreenConnect file (Properties, Digital Signatures), as in the screenshot below, which shows the certificate expiring on 1st February.

ScreenConnect certificate expiry dates

After searching around and contacting ConnectWise Support, they advised me this would be fixed in an upcoming version. In the meantime, setting the string value Internet under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Security\TrustManager\PromptingLevel to Enabled (it was previously Disabled) makes the ClickOnce trust prompt appear and gives the user the choice of whether or not to run the file. The user can then choose to install and run it, overriding the expired code-signing certificate.

Obviously this is not a great idea, since with prompting enabled any Internet-zone ClickOnce application with an untrusted signature can be run with a single click, so revert the value to Disabled once the properly signed build ships. It does allow you to run ScreenConnect from within the Automate window in the meantime. (The other alternative is to use the ScreenConnect website itself to connect.)
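The following is an added example, not code from the original post or from ConnectWise. It does the two checks described above from a PowerShell prompt: it finds the ClickOnce copy of ScreenConnect.WindowsClient.exe under %LOCALAPPDATA%\Apps\2.0 and reports its signing certificate's validity, and it reads the ClickOnce prompting level with a function to set it and, more importantly, to put it back. The function names are my own.

```powershell
# Added example (not from the original post or ConnectWise): inspect the cached
# ScreenConnect client's signature and the ClickOnce trust-prompt setting.
$ErrorActionPreference = 'Stop'

function Get-ScreenConnectSignature {
    # ClickOnce caches deployed files under %LOCALAPPDATA%\Apps\2.0\<random>\<random>\...
    $root = Join-Path $env:LOCALAPPDATA 'Apps\2.0'
    Get-ChildItem -Path $root -Filter 'ScreenConnect.WindowsClient.exe' -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
            $cert = $sig.SignerCertificate
            [pscustomobject]@{
                Path     = $_.FullName
                Status   = $sig.Status   # can still be 'Valid' for an expired cert if the signature was timestamped
                Signer   = $(if ($cert) { $cert.Subject })
                NotAfter = $(if ($cert) { $cert.NotAfter })
                Expired  = $(if ($cert) { $cert.NotAfter -lt (Get-Date) })
            }
        }
}

# Per-zone ClickOnce prompting level; valid data: Enabled, Disabled, AuthenticodeRequired.
$promptKey = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\Security\TrustManager\PromptingLevel'

function Get-ClickOncePromptingLevel {
    if (Test-Path $promptKey) {
        Get-ItemProperty -Path $promptKey | Select-Object Internet, LocalIntranet, MyComputer, TrustedSites, UntrustedSites
    }
}

function Set-ClickOncePromptingLevel {
    param(
        [ValidateSet('Enabled', 'Disabled', 'AuthenticodeRequired')][string]$Level,
        [string]$Zone = 'Internet'
    )
    # Run elevated. 'Enabled' is the workaround from the post; set it back to 'Disabled' afterwards.
    if (-not (Test-Path $promptKey)) { New-Item -Path $promptKey -Force | Out-Null }
    Set-ItemProperty -Path $promptKey -Name $Zone -Value $Level -Type String
}

Get-ScreenConnectSignature | Format-List
Get-ClickOncePromptingLevel
# Set-ClickOncePromptingLevel -Level Enabled    # temporary workaround
# Set-ClickOncePromptingLevel -Level Disabled   # revert once a signed build is deployed
```

Note that Get-AuthenticodeSignature validates the Authenticode signature on the exe, which is not the same thing ClickOnce evaluates (the deployment manifest's signature); the Expired column is the quick answer to "is the signing certificate past its NotAfter date", which is what the screenshot above shows.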

Fixed: pihole -up gives “Could not update local repository”

I received a notification on my Pi-hole web console that it needed an update. The process is usually simple: log into the server and run pihole -up.

However, this time I received the error "Could not update local repository. Contact support", which is not very helpful.

Reading several articles, it seems that any change to the Pi-hole files means the local git repository can get out of sync with the upstream repository and therefore cannot be updated. I had installed the bandwidth test plugin, so I suspect that was the issue. As this plugin didn't work, it was not a huge problem resetting back to a vanilla install.
There were several articles on the Pi-hole site, and piecing a few of them together I came up with the following solution.

  cd /var/www/html/admin
  sudo git fetch --tags
  sudo git reset --hard
This gave me the following error:

fatal: Unable to create ‘/var/www/html/admin/.git/index.lock’: File exists.

Another git process seems to be running in this repository, e.g.
an editor opened by ‘git commit’. Please make sure all processes
are terminated then try again. If it still fails, a git process
may have crashed in this repository earlier:
remove the file manually to continue.

The stale lock was removed with the following (safe only once you have confirmed that no git process is still running, as the message says):

  cd .git
  sudo rm index.lock
Final update command, which this time completed successfully:

  pihole -up

The update completes with:

Update Complete!

Current Pi-hole version is v4.2.2
Current AdminLTE version is v4.2
Current FTL version is v4.2.2
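The following is an added example, not part of the original post or of the Pi-hole project. It wraps the three git commands above into a function and adds the two things a practitioner wants when resetting a checkout: it refuses to delete .git/index.lock while a git process is still alive (the lock is only stale once that process is gone, which is what the git error message is warning about), and it removes untracked files such as a manually copied plugin, which git reset --hard alone leaves behind. The function names are my own.

```sh
#!/bin/sh
# Added example (not part of the original post or the Pi-hole project): reset a
# Pi-hole git checkout to its upstream state, handling the stale-lock case safely.
set -eu

# Remove a stale .git/index.lock; fail instead if a git process is still running.
clear_stale_lock() {
    lock="$1/.git/index.lock"
    [ -e "$lock" ] || return 0
    if pgrep -x git >/dev/null 2>&1; then
        echo "a git process is still running; not removing $lock" >&2
        return 1
    fi
    rm -f "$lock"
}

# Discard local edits and untracked files, then realign with upstream.
# Destructive: anything not committed upstream (local tweaks, plugins) is lost.
reset_pihole_repo() {
    repo="$1"
    clear_stale_lock "$repo"
    git -C "$repo" fetch --tags --quiet
    git -C "$repo" reset --hard --quiet
    git -C "$repo" clean -fdq
}

# The post's case, the web admin checkout, run as root since the files are root-owned:
#   sudo sh -c '. ./reset-pihole-repo.sh; reset_pihole_repo /var/www/html/admin'
# then run: pihole -up
```

After the reset, pihole -up should proceed normally; if the core repository was also modified, the same function applies to that checkout.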

Fixed: Unmountable Boot Volume error with Windows Server 2016 and Storagecraft’s SPX

We've been tracking down issues with Windows Server 2016 on a number of servers this week where the servers reboot and come back with Unmountable Boot Volume, which is a pretty nasty experience for on-call. So far we've mainly seen it on Domain Controllers but also on a Hyper-V server. The fix is typically to boot with Last Known Good Configuration and then work out what has changed on the server and needs redoing. So far we've had issues with duplicate servers in Webroot and Automate along with a couple of server functions not working correctly.

Initially we thought it was a problem with Windows Updates, but it seems that the culprit is Storagecraft's SPX version 6.7.4.
The solution is either to downgrade to version 6.5 or to get a patch for 6.7.4 that fixes this issue.

Download location for SPX 6.5.2:

For 6.7.4, you will need to get the patched stcvsm.sys from Storagecraft and then apply these instructions.

The patch is a very manual process. The new version of the stcvsm.sys driver is 2.2.73.0.36.
1. Install SPX 6.7.2:
2. Do NOT reboot
3. Rename %windir%\system32\drivers\stcvsm.sys to %windir%\system32\drivers\stcvsm-rtm.sys (this keeps the original driver as a fallback)
4. Copy the 2.2.73 driver to %windir%\system32\drivers. Be sure to select the correct 'bitness' (x86 or x64) for the server.
5. Reboot
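The following is an added example, not code from the original post or from Storagecraft. It performs steps 3 and 4 above from an elevated PowerShell prompt and adds the checks worth doing before swapping a boot-start filter driver: that the patched file exists for the server's bitness, that no previous half-finished attempt left a backup behind, and that the new driver carries a valid signature (an unsigned kernel driver will not load on Server 2016, which would turn a bad boot into a worse one). $PatchDir and its x86/x64 folder layout are my assumptions; put the driver Storagecraft supplied there.

```powershell
# Added example (not from the original post or Storagecraft): stage the patched
# stcvsm.sys as steps 3 and 4 describe, with sanity checks. Run elevated after
# step 2, before rebooting. $PatchDir and its x86/x64 layout are assumptions.
param(
    [string]$PatchDir = 'C:\Temp\stcvsm-patch'   # assumed layout: .\x64\stcvsm.sys and .\x86\stcvsm.sys
)
$ErrorActionPreference = 'Stop'

$drivers = Join-Path $env:windir 'System32\drivers'
$current = Join-Path $drivers 'stcvsm.sys'
$backup  = Join-Path $drivers 'stcvsm-rtm.sys'
$arch    = if ([Environment]::Is64BitOperatingSystem) { 'x64' } else { 'x86' }
$patched = Join-Path $PatchDir "$arch\stcvsm.sys"

function Get-DriverVersion([string]$Path) { (Get-Item -Path $Path).VersionInfo.FileVersion }

if (-not (Test-Path $patched)) { throw "Patched driver not found at $patched" }
if (Test-Path $backup) { throw "$backup already exists; a previous patch attempt may be half done" }

# Refuse to install a driver whose Authenticode signature does not verify.
$sig = Get-AuthenticodeSignature -FilePath $patched
if ($sig.Status -ne 'Valid') { throw "Refusing to install: signature status of $patched is $($sig.Status)" }

$oldVer = Get-DriverVersion $current
$newVer = Get-DriverVersion $patched
Write-Output "Installed stcvsm.sys $oldVer -> patched $newVer (signed by $($sig.SignerCertificate.Subject))"

Rename-Item -Path $current -NewName 'stcvsm-rtm.sys'   # step 3: keep the original as a fallback
Copy-Item   -Path $patched -Destination $current        # step 4: drop in the patched driver
Write-Output "Driver staged; reboot to load it (step 5). Keep $backup until the server has booted cleanly."
```

If the server does not come back after the reboot, the stcvsm-rtm.sys copy is what you rename back from the recovery environment.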

It's been very frustrating to have gone through this issue without any notification of this pretty serious bug from #Storagecraft.

Edit: Today I discovered that Storagecraft now has a more detailed knowledge base article about resolving Inaccessible Boot Device after upgrading to 6.7.x. Judging from the comments I've had here, I'm not the only one who has had this issue, and it still keeps happening for some users.

Fixed: Office 2010 installation with MAK key gives Error: Can’t decode PIDKey – Invalid digits! ErrorCode: 0(0x0)

After doing an administrative installation of Office Professional Plus 2010 for a client, I was trying to test the installation of Office on a desktop machine but kept getting "Error: Can't decode PIDKey – Invalid digits! ErrorCode: 0(0x0)." as the error message. I confirmed that the key was correct by doing a manual installation of the software with the same product key, which succeeded. I was unable to find any useful pages on the internet with this error message, so ended up logging a call with Microsoft Product Support to troubleshoot the installation.

Our troubleshooting steps were to remove the Updates folder completely and try an installation; this worked, so we knew the problem was in the Updates directory. Copying back the files from the extracted Service Pack 1 DVD worked successfully, so the problem was either Service Pack 2 or the setup.msp file. I copied back the SP2 files and again the software installed successfully (note that having a virtual test PC makes these tests very easy; no uninstalling of Office required!). I then copied the setup.msp file back into the Updates directory and the installation failed again. As the configurations made in setup.msp can also be set in config.xml or Group Policy, it was fine to proceed without using the setup.msp.

Full details of the log files and more information can also be found at the Microsoft forums where I posted the initial request for help.

Fixed: Facebook update constantly downloading and google play not working afterwards.

Last week my mobile phone started constantly downloading a Facebook update, which was draining the battery with the repeated download attempts. Trying to stop the download, I somehow managed to disable the Download Manager. This did fix the problem but for some reason also stops the Google Play Store from working: every time I opened Google Play the application would just disappear from the screen, with no force-close error message. This was a bit of a problem as I had removed the Facebook app from my phone trying to stop the download and was then unable to reinstall it as the store would not open.

To fix this, open Settings, Application Manager, scroll to All applications and then scroll down to the bottom of the list. It is necessary to scroll all the way down as disabled applications are at the bottom of the alphabetical list. Tap Downloads and then enable the application.

The Play Store will then start working, and hopefully you won't get the Facebook update pushed down to your phone again (I didn't, at least).

Fixed: bootshieldsvc and offline files disabled after a reboot for Lenovo machines

For the short answer, skip to the summary at the end.
For those of you that follow me on Facebook, you may have seen my frustration with Microsoft support. I had to log a support call with them as every time my computer rebooted, Offline Files was disabled. Unfortunately the technician attempting to support me obviously had no idea what Offline Files was, or even how to create a new user account in Windows 7 (to troubleshoot whether it was my account that was causing the problem). At no point did any of the three techs look at the event log, despite me trying to tell them there were issues reported there.
To cut a very long and frustrating story short, I initially followed the diagnostic steps at Jonathan's blog and the follow-up post, but the setting was still disabled after a reboot. I did find that changing the Offline Files service from Disabled (or Manual) and then starting the service enabled Offline Files temporarily.
Given that, something was obviously resetting the services on startup, so off to the event logs. The Offline Files event log had nothing out of the ordinary in it, but my Application log was full of BootShieldSvc errors. One "offline files bootshieldsvc" search later shows this is a known problem with Lenovo's RapidBoot software. The RapidShield patch from Lenovo was downloaded, extracted and installed, the PC rebooted, and sure enough Offline Files was STILL not enabled. Urgh.
Clicking Start and entering RapidBoot confirms the version is 1.23, and the GUI has an option to disable the feature. This requires a reboot, so I used the opportunity to re-enable Offline Files again and rebooted: STILL disabled. After another reboot, just to be sure, Offline Files was still disabled. Checking the RapidShield GUI, the software claims it is not running, but checking the Application log after a reboot still shows the various errors, for example Event 256 from BootShieldSvc: "An error has occured (--query FLAG_AUTO_SVC_CHANGED key success failed with 1,The Code is:0x24.)".
Apart from the fact that there is a "success failed", it's really not encouraging that the software is still running and making changes despite being disabled. Next stop was an uninstall (and enabling Offline Files again) followed by yet another reboot. It's a good thing this machine is fast at rebooting.
So after uninstalling, the problem still occurs. Arghhhhhhhh.
Checking the status of the Offline Files service I noticed it was still set to Manual. Comparing against another machine where Offline Files works, the service should be set to Automatic. I changed the service to Automatic and started it, and Offline Files now showed as enabled. Another reboot and the service was back to Manual and Offline Files disabled. More arghhhhhhhhhhh.
Next stop was to try and hack out Lenovo's Fast Boot Service. Unfortunately I get Access Denied when trying to stop the service. msconfig stops the service, but it still somehow manages to make changes, as evidenced by the events in the event log after a reboot.
sc delete "BootShieldSvc" from an elevated command prompt also removes the service, but it comes back after a reboot. After booting into Safe Mode I was able to disable Lenovo's Fast Boot Service, set Offline Files to Automatic, and now Offline Files works.

In Summary –
Uninstall the Lenovo Rapidshield software (or upgrade).
If that fails – boot into safe mode, disable Fast Boot Service of Lenovo, Set Offline Files to automatic.
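The following is an added example, not code from the original post or from Lenovo. It turns the summary into something you can run before and after each reboot: it reports the state and start mode of the two services involved, pulls the recent BootShieldSvc events from the Application log, and applies the fix (disable the Lenovo service, set Offline Files to Automatic). It is written to run under the PowerShell 2.0 that shipped with Windows 7. The Offline Files service name is CscService; the service name BootShieldSvc is taken from the sc delete command above, and using it as the event provider name is my assumption.

```powershell
# Added example (not from the original post or Lenovo): inspect and repair the
# Offline Files / BootShieldSvc startup state. Assumes BootShieldSvc is also the
# Application-log provider name for Event 256. PowerShell 2.0 compatible.
$ErrorActionPreference = 'Stop'

function Get-OfflineFilesState {
    foreach ($name in 'CscService', 'BootShieldSvc') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        # Start mode is not exposed by Get-Service in PS 2.0, so read it from WMI
        $cfg = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
        New-Object PSObject -Property @{
            Name      = $name
            Status    = $(if ($svc) { $svc.Status } else { 'Not installed' })
            StartMode = $(if ($cfg) { $cfg.StartMode } else { $null })
        } | Select-Object Name, Status, StartMode
    }
}

function Get-BootShieldEvents {
    # Event 256 from BootShieldSvc was the giveaway in the post
    Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'BootShieldSvc' } -MaxEvents 20 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

function Repair-OfflineFilesStartup {
    # Run elevated; from Safe Mode if BootShieldSvc refuses to stop (Access Denied)
    if (Get-Service -Name BootShieldSvc -ErrorAction SilentlyContinue) {
        Set-Service -Name BootShieldSvc -StartupType Disabled
        Stop-Service -Name BootShieldSvc -Force -ErrorAction SilentlyContinue
    }
    Set-Service -Name CscService -StartupType Automatic
    Start-Service -Name CscService
}

Get-OfflineFilesState | Format-Table -AutoSize
Get-BootShieldEvents
# Repair-OfflineFilesStartup   # then reboot and run Get-OfflineFilesState again
```

If CscService is back on Manual after the reboot while BootShieldSvc still shows Running, the Lenovo service is still winning and the Safe Mode route in the summary is the one to take.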

Fixed: Firefox Autocomplete address bar is empty – disable the Delicious plugin

During the past week my Firefox (v16.0) autocomplete drop-down has had missing text when I start typing in the address bar, as seen in the screenshot below.
Firefox autocomplete address has missing text in the drop down.
Initially I thought it was Firefox using up too much memory, but the problem occurred on all of my machines even after a recent reboot, so some troubleshooting was required.
After restarting Firefox in safe mode (click the Firefox button, choose Help, Restart with Add-ons Disabled) I confirmed it was a problem with one of my extensions. It took several minutes of disabling half the add-ons, checking whether the problem continued, and repeating the process to work out the offending add-on.
It turns out it was the Delicious add-on (v3.2.1). Disabling this, I have a drop-down box with URLs that I can see. The proper behaviour is shown below; the A's are greyed out as that is the character I typed to start the autocomplete.
All Autocomplete details shown with Delicious addon disabled
With only this extension enabled I still get the problem, so it's not a combination of extensions. I have reported this extension as incompatible.

Fixed: Installing Powershell 3 fails on Windows7 with “The update is not applicable to your computer”

PowerShell 3 was released this week and is now available to download for Windows 7 (SP1). I tried to install it on my home machine this weekend and got
"The update is not applicable to your computer". It turns out that this is actually because .NET Framework 4 (or higher) has not been installed.
The full .NET 4 Framework package is available at http://www.microsoft.com/en-us/download/details.aspx?id=17718, or you could install the newer 4.5 Framework at http://www.microsoft.com/en-us/download/details.aspx?id=30653. Make sure that you close the failed PowerShell installer before attempting the .NET installation, or the .NET setup will try to install for about 5 minutes and then complain that another installation is already in progress, without giving you the option to retry. You can only abort and then run the whole installation again. All in all a pretty bad user experience for trying to install the software.

Thanks to the troubleshooting guide for the beta version of PowerShell 3 that tipped me off about the prerequisites, which are not mentioned on the download page for PowerShell 3, and unfortunately there is no place on that page to provide feedback.
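The following is an added example, not code from the original post or from Microsoft. It is a pre-flight check to run in the existing PowerShell 2.0 console before launching the WMF 3.0 installer: it reads the .NET 4 full-profile registry key (the thing the installer silently requires) and lists any installer processes still running, which is the second trap described above. The function names are my own.

```powershell
# Added example (not from the original post): pre-flight check before installing
# WMF 3.0 on Windows 7 SP1. Runs under PowerShell 2.0.
$ndpFull = 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full'

function Test-DotNet4Present {
    # .NET 4.0 registers Version under ...\NDP\v4\Full; 4.5 and later also write a Release DWORD there
    if (-not (Test-Path $ndpFull)) { return $false }
    $props = Get-ItemProperty -Path $ndpFull
    [version]$props.Version -ge [version]'4.0'
}

function Get-InstallerProcesses {
    # A stalled WMF installer (wusa) or a live msiexec session will block the .NET setup
    Get-Process -Name wusa, msiexec, setup -ErrorAction SilentlyContinue | Select-Object Name, Id
}

$psVersion = if ($PSVersionTable) { $PSVersionTable.PSVersion } else { [version]'1.0' }
Write-Output "PowerShell $psVersion on Windows $([Environment]::OSVersion.Version)"

if (Test-DotNet4Present) {
    Write-Output ".NET 4.x full profile present: version $((Get-ItemProperty -Path $ndpFull).Version)"
} else {
    Write-Output "No .NET 4 full profile; WMF 3.0 setup will report 'The update is not applicable to your computer'. Install .NET 4 (or 4.5) first."
}

$busy = Get-InstallerProcesses
if ($busy) {
    Write-Warning "Close these installers before starting the .NET setup:"
    $busy | Format-Table -AutoSize
}
```

Once Test-DotNet4Present returns True and no installer is listed, the WMF 3.0 package applies normally.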

Fixed – Sharepoint returns “Could not access the Search administration database. A generic error occurred while trying to access the database to obtain the schema version info. “

I've been fighting with SharePoint for about a week trying to get the Search Service started on my SharePoint Server. The only thing that seemed consistent in all the troubleshooting was that the SharePoint error messages were only slightly more helpful than "An error has occurred". I ended up logging a PSS support call with Microsoft and didn't get very far for a while. My SharePoint farm consisted of the SharePoint Server and a separate SQL Server to host the data, and attempting to start the service I would get 'Could not access the Search administration database. A generic error occurred while trying to access the database to obtain the schema version info.'
There are several other posts out there on updating SharePoint to the latest Service Pack, installing the latest cumulative update (2598321) and ensuring that the protocols are enabled on the SQL instance. All things I corrected and applied, and none of them fixed the issue. (Note that installing the latest cumulative update DOES require a reboot and may stop SharePoint working until you do reboot, so make sure you install it out of hours.)
The database upgrade is run with 'psconfig -cmd upgrade -inplace b2b -force -cmd applicationcontent -install -cmd installfeatures'. After running this command I noticed that checking the status of the server with (Get-SPServer servername).NeedsUpgrade would report fine on the SQL server, but run from the SharePoint Server against the SQL server it would tell me the database needed upgrading.
On one of my servers, Add/Remove Programs said that the hotfix was not required yet the admin console on the website said it was. This was fixed with "psconfig -cmd installcheck -noinstallcheck" (thanks to http://tinyurl.com/7pkrbem).
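The following is an added example, not code from the original post or from Microsoft. Rather than checking one server at a time with (Get-SPServer servername).NeedsUpgrade, it reports the upgrade state of every server and every database in the farm in one pass, which is the quickest way to see which machine is the one still disagreeing with the others after psconfig. Run it from the SharePoint Management Shell (or any PowerShell with the snap-in loaded as shown) as a farm administrator. The function name is my own.

```powershell
# Added example (not from the original post): farm-wide upgrade-state report to
# run before and after psconfig. Requires the SharePoint snap-in and farm admin rights.
if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

function Get-FarmUpgradeState {
    $farm = Get-SPFarm
    Write-Output "Farm build $($farm.BuildVersion)"

    # Role 'Invalid' marks a server object with no SharePoint binaries, typically the SQL host
    Get-SPServer | Select-Object Address, Role, NeedsUpgrade

    # Config, content and service databases; NeedsUpgrade here is what the error above was tripping over
    Get-SPDatabase | Select-Object Name, Type, NeedsUpgrade, Status
}

Get-FarmUpgradeState | Format-Table -AutoSize
# On any server still reporting NeedsUpgrade = True, run locally:
#   psconfig -cmd upgrade -inplace b2b -force -cmd applicationcontent -install -cmd installfeatures
```

A SharePoint server reporting NeedsUpgrade True for a database the SQL host reports as fine is the mismatch described above, and points at the client side (here, the SQL Native Client) rather than the database itself.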

After starting the service on the SQL Server instance, we wanted to get the SharePoint Server working as originally intended. After a long time troubleshooting, our next step was to uninstall the SQL Native Client and reinstall it. As I went to uninstall the Native Client, Add/Remove Programs told me the package was not installed, and a repair or modify would not work either. Opening regedit, searching for Native Client under HKEY_CLASSES_ROOT\Installer and deleting that key (export it first so it can be restored) meant I was then able to reinstall the Native Client.
We then tried starting the service and this time it worked. The strange thing is that some communication between the SharePoint server and the SQL server was obviously working fine: the database on SQL was created with no problems and SharePoint could see the data. It's just weird that initialising/upgrading the database required the SQL Native Client but gave no useful information pointing to this fact.