2016 Essentials – Anywhere Access setup fails

When setting up a new 2016 Essentials server (or really any version of Essentials) and you try to create/add a domain name to append to the remotewebaccess.com domain, the UI wizard fails with this error window:

An error occurred while setting up your domain name: The domain name was not setup for your server. Wait a few minutes and run the wizard again. An unknown error occurred.

No matter how long you wait, the same error pops up each time. The problem isn’t DNS or the server itself, but rather the cert revocation checks for .NET Framework!!

To fix this you have to create a .reg file (call it what you want) that includes the following settings:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001
"SchUseStrongCrypto"=dword:00000001

After making the reg file, merge it and REBOOT the server, or the Anywhere Access wizard may still show the above error message. After the reboot, open the Essentials Console and re-run the Anywhere Access wizard, using a Hotmail account to create the domain <customer>.remotewebaccess.com. Then click through the wizard to install VPN and Remote Desktop. Make sure the router and ISP are forwarding port 443 to the Essentials server.

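The same four keys applied from PowerShell, as an added example that is not part of the original post: it shows what each value is set to before and after, so you can confirm the change actually took on the server. It assumes the key paths and value names are exactly those in the .reg file above and that the prompt is elevated.

```powershell
# Added example (not from the original post): check and apply the same four
# .NET TLS keys with PowerShell, so you can see what was set before and confirm
# the change took. Run from an elevated PowerShell prompt; reboot afterwards.
# Assumption: key paths and value names are exactly those in the .reg file above.

$Keys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v2.0.50727',
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
)
$Values = @('SystemDefaultTlsVersions', 'SchUseStrongCrypto')

function Get-DotNetTlsState {
    # One row per key/value: the current DWORD (or <not set>) and whether it is already 1.
    foreach ($key in $Keys) {
        foreach ($name in $Values) {
            $current = $null
            if (Test-Path -Path $key) {
                $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
            }
            $shown = if ($null -eq $current) { '<not set>' } else { $current }
            [pscustomobject]@{ Key = $key; Name = $name; Current = $shown; Ok = ($current -eq 1) }
        }
    }
}

function Set-DotNetTlsState {
    param([switch]$WhatIf)
    foreach ($key in $Keys) {
        # Missing keys (for instance v2.0.50727 when .NET 2.0/3.5 is absent) are created,
        # exactly as merging the .reg file would do.
        if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force -WhatIf:$WhatIf | Out-Null }
        foreach ($name in $Values) {
            New-ItemProperty -Path $key -Name $name -Value 1 -PropertyType DWord -Force -WhatIf:$WhatIf | Out-Null
        }
    }
}

'Before:'; Get-DotNetTlsState | Format-Table -AutoSize
Set-DotNetTlsState          # add -WhatIf to preview without writing
'After:';  Get-DotNetTlsState | Format-Table -AutoSize
if (Get-DotNetTlsState | Where-Object { -not $_.Ok }) {
    Write-Warning 'Some values are still not 1; check that the prompt is elevated.'
} else {
    'All four keys set. Reboot, then re-run the Anywhere Access wizard.'
}
```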
UPDATE: December 5, 2022.

Tonight I had a similar issue with a 2016 Essentials server: all Devices turned gray (Offline state) after installing Anywhere Access on the server. (I had to manually install RRAS for DirectAccess and VPN before the Anywhere Access wizard would install successfully – but that’s another blog I need to write.) Installing the DirectAccess role disconnected all the clients from the dashboard, and no matter what we tried to “fix” the client, nothing worked. argh!!

Options we tried on the Client:

1. Uninstalled the Connector;

2. Delete Data & Logs folders from \ProgramData\Microsoft\Windows Server;

3. Open Task Scheduler, delete all tasks under: Microsoft >Windows >Windows Server Essentials. Then delete this folder.

4. Delete the VPN SSTP connector.

5. Reboot client

6. Reinstall the Client connector. For most other occasions this should fix the clients.

In tonight’s case though, messing with the client did not fix it. What did finally work is found in this Blog by ShoemakerBrian.

Not sure how he found this solution, but it instantly fixed the clients’ Online status:

Open an Admin PowerShell and run the command below, changing the IP to the IP address of the Essentials server:

Set-NetNatTransitionConfiguration -IPv4AddressPortPool @("192.168.1.10, 6001-6601", "192.168.1.10, 6603-47000")

Brilliant! – All clients now showed up in the Dashboard.

Hope this helps everyone that runs into this issue. It’s a frustrating one and not many solutions out there.

Categories: Active Directory

Remotewebaccess VPN disconnects (Error 829)

The client told me he couldn’t access the remotewebaccess.com VPN to the office. It would connect and disconnect, or any connection would only last a few seconds before disconnecting. Event log errors included Error 829.

At first I thought it could be the server needed a reboot. Nope, wasn’t it.

Looked at the RWA certificates on the server and noticed that the one being used expired today. Hmmm. So I checked IIS and looked at the Bindings for the Default Website – but the server had already bound the new RWA certificate to it. Still clients couldn’t connect.

Looking further at the client event logs, this is an example of one of the error messages:

CoId={3AE1BD1D-CF91-4B7B-A93F-7A59705A1EF5}: The user WIN10TEST\username dialed a connection named customerDomain.remotewebaccess.com which has terminated. The reason code returned on termination is 829. All this means is a disconnected session. Great, no help there.

Searched the web and found this bit of information:

The RWA certificate set in IIS is also used by the Routing and Remote Access Server configuration – not for authentication but for maintaining a secure TLS connection. So even though the IIS cert was updated, the RRAS console doesn’t update it automatically :(.

Solution: Go to the Routing and Remote Access snap-in, right-click your router (MACHINE-NAME (local) in the tree view on the left) and open Properties, then select the Security tab. You will be warned that there’s no TLS certificate selected (the previous one had expired in my case); select the certificate that has next year’s expiration date – you can select and then view each one prior to saving. This will force an RRAS service restart. Thereafter clients can connect and remain connected :).

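A check for the drift described above, as an added example that is not part of the original post: it reads the certificate bound to the Default Web Site in IIS and the one RRAS/SSTP is configured with, and warns when they differ or the shared one is about to expire. It assumes the WebAdministration module is present and that RRAS stores the SSTP certificate hash as a REG_BINARY value (SHA256CertificateHash or SHA1CertificateHash) under the SstpSvc\Parameters key; the hypothetical function names are mine.

```powershell
# Added example (not from the original post): compare the certificate bound to the
# Default Web Site in IIS with the one RRAS/SSTP is configured to use, to catch the
# drift described above before clients start failing with Error 829.
# Assumptions: IIS with the WebAdministration module is present, and RRAS keeps the
# SSTP certificate hash as a REG_BINARY value (SHA256CertificateHash or
# SHA1CertificateHash) under the SstpSvc\Parameters key. Run elevated on the server.
Import-Module WebAdministration

function Get-IisHttpsThumbprint {
    param([string]$Site = 'Default Web Site')
    $b = Get-WebBinding -Name $Site -Protocol https | Select-Object -First 1
    if ($b) { return $b.certificateHash.ToUpperInvariant() }
}

function Get-SstpCertHash {
    # Raw bytes in the registry; render as upper-case hex so it compares with thumbprints.
    $p = 'HKLM:\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters'
    $props = Get-ItemProperty -Path $p -ErrorAction SilentlyContinue
    foreach ($name in 'SHA256CertificateHash', 'SHA1CertificateHash') {
        if ($props -and $props.$name) {
            return ($props.$name | ForEach-Object { $_.ToString('X2') }) -join ''
        }
    }
}

function Resolve-LocalCert {
    # Match either the SHA-1 thumbprint (IIS) or the SHA-256 hash of the DER bytes (SSTP).
    param([string]$Hash)
    if (-not $Hash) { return $null }
    foreach ($c in Get-ChildItem -Path Cert:\LocalMachine\My) {
        $stream = [System.IO.MemoryStream]::new($c.RawData)
        $sha256 = (Get-FileHash -InputStream $stream -Algorithm SHA256).Hash
        if ($c.Thumbprint -eq $Hash -or $sha256 -eq $Hash) { return $c }
    }
}

$iisCert  = Resolve-LocalCert (Get-IisHttpsThumbprint)
$sstpCert = Resolve-LocalCert (Get-SstpCertHash)
foreach ($pair in @(@('IIS ', $iisCert), @('SSTP', $sstpCert))) {
    $c = $pair[1]
    if ($c) { "{0}: {1} expires {2:yyyy-MM-dd} thumbprint {3}" -f $pair[0], $c.Subject, $c.NotAfter, $c.Thumbprint }
    else    { "{0}: no matching certificate found in LocalMachine\My" -f $pair[0] }
}
if (-not $sstpCert -or -not $iisCert -or $sstpCert.Thumbprint -ne $iisCert.Thumbprint) {
    Write-Warning 'IIS and RRAS/SSTP do not agree; pick the renewed cert on the RRAS Security tab (restarts RRAS).'
} elseif ($sstpCert.NotAfter -lt (Get-Date).AddDays(14)) {
    Write-Warning "Shared certificate expires $($sstpCert.NotAfter); renew and update both IIS and RRAS."
}
```

Scheduling this to run daily gives you a warning before the next expiry instead of a client complaint.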
Procedures for joining workgroup PCs to remote Server Essentials domain

First step with a new computer setup: create a local user on the workstation – skip the OOBE, do not use a Hotmail account to create the user; instead select limited or no internet and then create a local user account – say pcadmin. Set a password and continue on till you get to the desktop.

Connecting PC to the Essentials Server:

  1. Go to https://foo.remotewebaccess.com/connect to download the connector tool to the workstation PC1
  2. Run the connector software – what this does is install the certificate and the VPN connection to the foo.remotewebaccess.com site, which connects to the foo.local domain.
  3. The connector then joins the domain, or at least once you’re connected you can open sysdm.cpl and join the domain manually.
  4. After joining the domain manually, DO NOT REBOOT. The reason is that you want to cache the new user1 credentials on the workstation before rebooting and “losing” the remote connection. So you do two things: 1) add user1 to the local Administrators group and 2) log on with user1 to the workstation before you reboot – yes, it will work.
    1. Open an elevated cmd prompt.
    2. Type: net localgroup administrators foo\user1 /add – this adds user1 to the Administrators group on PC1
    3. Type: runas /user:foo\user1 cmd.exe <Enter> – then type in the password for user1
    4. This opens a CMD prompt under user1’s credentials, which thereby creates the user1 profile.
  5. Now you’re still connected to the VPN network, so you can switch user and log on to PC1 with user1 creds
  6. Click Start, then go to the admin account and choose Switch user.
  7. At the logon prompt type foo\user1 with the password – this will finish the user profile creation and cache the password. Also, it is best once at the desktop to lock the workstation and unlock it again with the password.
  8. Then reboot the computer
  9. Try logging on with user1 to the foo domain.
  10. If it fails, then go back to the local Admin account on PC1 and reconnect the remotewebaccess VPN
  11. Then switch user again and proceed to set up the rest of the items – like Outlook, files etc.

Error code 80090016 TPM has malfunctioned

Every once in a while you will encounter this error message when trying to activate a user’s Office 365 license. The window that pops up doesn’t always point you in the right direction.

Typical error message when entering creds to activate the O365 license.

I researched many sites and each had many different solutions. However, it seems one hit the nail on the head. First though, here are the other options I tried:

1. Rename this folder to something else – you have to first log on (after a reboot) with an admin account to the machine. Rename C:\users\$dir\AppData\Local\Packages\Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy to the same folder name with .old at the end. Note – doing this didn’t work for me but it did for others. https://www.experts-exchange.com/questions/29156991/How-do-I-fix-Outlook-error-code-80090016-TPM-malfunctioned.html
2. Get access to this folder and clear the NGC folder under C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\; link for this: https://www.sysinfotools.com/solve-error/outlook-365-module-error-code-80090016.html. However in my case there wasn’t anything in the NGC folder – so yeah, not a solution.
3. Reset and/or clear the TPM from Windows. Did this and while it didn’t fix the issue, for a time I couldn’t reboot the computer into Windows. Removed UEFI boot/set to legacy boot – no joy. Multiple tries, shutdowns, unplugging the device, draining all power from the system and then booting back up and setting UEFI boot back, and boom goes the dynamite!! – it booted back into Windows. Some days… Link for this procedure: https://answers.microsoft.com/en-us/msoffice/forum/all/error-code-80090016-trusted-platform-module-has/87e44378-b7cd-4493-970e-cceab7a8ee68
4. Last and final attempt, which happened to solve this riddle. Tried this one after performing #3. This link https://social.technet.microsoft.com/Forums/en-US/f4742bab-4e27-4963-a151-2349a234132b/outlook-365-2016-trusted-platform-module-error-code-80090016?forum=outlook – under the 3rd post by Binod Shrestha, he shows to just open Device Manager, open Security Devices and uninstall the “Trusted Platform Module 2.0” (or 1.1.2) from the PC.

After that, reboot, log back in as the user with the O365 issues, try opening any Office app and now it just works: Office is activated, the user config for OneDrive is all correct and there are no further problems. That’s just crazy!!

Hope this helps you the next time you run into such an error. Frustrating!!! Again, thank you Microsoft!! <Rant>Seriously, they have to disconnect Office licensing from the TPM and from Hotmail/Live accounts.</Rant>

Ubiquiti EdgeRouter: enable offloading to increase throughput

I was just reading about throughput on the EdgeRouter 4 and Lite, and Ubiquiti came back with this article on how to increase speeds/throughput on the EdgeRouters:

https://help.ui.com/hc/en-us/articles/115006567467-EdgeRouter-Hardware-Offloading#:~:text=One%20of%20the%20most%20basic%20examples%20is%20IPv4,offloading%20enabled%2C%20the%20throughput%20will%20be%20about%20950Mbps.

For these EdgeRouter models: ER-X, ER10X, ER-X-SFP, EP-R6

Open a terminal (ssh/putty) to the router:

Then run these commands:

configure
set system offload hwnat enable
set system offload ipsec enable
commit ; save

For these EdgeRouter models: ER-LITE, ERP0E5, ER-8, EP-R8, ER-6P, ER-12, ER-12P, ER-8-XG

Open a terminal

Then run these commands:

configure
set system offload ipv4 forwarding enable
set system offload ipv4 gre enable
set system offload ipv4 pppoe enable
set system offload ipv4 vlan enable
set system offload ipv4 bonding enable
set system offload ipv6 forwarding enable
set system offload ipv6 pppoe enable
set system offload ipv6 vlan enable
set system offload ipsec enable
commit ; save

After doing so on either type of router, reboot it to make the changes effective.

For the ER-Lite, it’s supposed to increase from 300Mbps to 900Mbps throughput. I call that a winner winner chicken dinner!

Categories: Active Directory

Datto (Autotask) RMM Agents showing previous AV endpoint after removing it from the agent endpoint.

Recently I switched from using two separate endpoint AV solutions (ESET and Webroot) to using Windows 10 Defender and the Huntress Labs scanning agent. The cost difference was significant enough, and I have found that Huntress has found infections that the previous AV software missed/didn’t report on.

In order to make this all happen successfully, one needs to uninstall the AV endpoints (ESET/Webroot/SentinelOne, others) first. My Datto RMM had several uninstallers built in, and I even added some that went through and purged the endpoint from the registry after doing a manual uninstall of the endpoint using the MSI file on the systems. The problem arose when looking at the devices in my RMM console: the display still showed either endpoint as the primary AV product. Subsequent calls to ESET, Webroot and others proved that re-installing and re-uninstalling had no effect.

I even tried deleting the RMM agent from the system and re-installing, figuring it was something in the RMM agent software – NOPE!

I connected via chat to the Datto community and the engineer there suggested I run this PowerShell command: Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct

The results showed this:

__GENUS : 2
__CLASS : AntiVirusProduct
__SUPERCLASS :
__DYNASTY : AntiVirusProduct
__RELPATH : AntiVirusProduct.instanceGuid="{D68DDC3A-831F-4fae-9E44-DA132C1ACF46}"
__PROPERTY_COUNT : 6
__DERIVATION : {}
__SERVER : XXXXX
__NAMESPACE : ROOT\SecurityCenter2
__PATH : \ODIN\ROOT\SecurityCenter2:AntiVirusProduct.instanceGuid="{D68DDC3A-831F-4fae-9E44-DA132C1ACF46}"
displayName : Windows Defender
instanceGuid : {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}
pathToSignedProductExe : windowsdefender://
pathToSignedReportingExe : %ProgramFiles%\Windows Defender\MsMpeng.exe
productState : 397568
timestamp : Thu, 17 Mar 2022 18:24:07 GMT
PSComputerName : XXXXX

__GENUS : 2
__CLASS : AntiVirusProduct
__SUPERCLASS :
__DYNASTY : AntiVirusProduct
__RELPATH : AntiVirusProduct.instanceGuid="{885D845F-AF19-0124-FECE-FFF49D00F440}"
__PROPERTY_COUNT : 6
__DERIVATION : {}
__SERVER : ODIN
__NAMESPACE : ROOT\SecurityCenter2
__PATH : \ODIN\ROOT\SecurityCenter2:AntiVirusProduct.instanceGuid="{885D845F-AF19-0124-FECE-FFF49D00F440}"
displayName : ESET Security   <= this is what showed in the RMM Console.
instanceGuid : {885D845F-AF19-0124-FECE-FFF49D00F440}
pathToSignedProductExe : C:\Program Files\ESET\ESET Security\ecmds.exe
pathToSignedReportingExe : C:\Program Files\ESET\ESET Security\ekrn.exe
productState : 266240
timestamp : Tue, 14 Sep 2021 19:43:46 GMT
PSComputerName : XXXXXX

The Datto support tech then said to run the same PowerShell command but with the delete option, to delete all WMI objects for the Security Center:

Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct | ForEach-Object{$_.Delete()}

The result cleared all objects for Security Center, and in the RMM console the computers showed Windows Defender – the required result. No reboots necessary.

Hope this proves helpful for those with similar types of RMM console trouble when switching AV products.

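A more selective version of the cleanup above, as an added example that is not part of the original post or of Datto’s advice: it lists every AntiVirusProduct entry in root\SecurityCenter2 and deletes only those whose reporting executable is no longer on disk, which is exactly the state the ESET record above would be in after the uninstall. It assumes Windows PowerShell 5.1 with the WMI cmdlets and an elevated prompt; the function names are mine.

```powershell
# Added example (not from the original post): before wiping every SecurityCenter2
# entry as suggested above, list what is registered and remove only the entries
# whose reporting executable is no longer on disk (a leftover of an uninstalled AV).
# Assumption: Windows PowerShell 5.1 with the WMI cmdlets, run elevated, same as
# the Get-WmiObject command the Datto tech gave.

function Get-AvProduct {
    Get-WmiObject -Namespace 'root\SecurityCenter2' -Class AntiVirusProduct
}

function Test-AvProductStale {
    param($Product)
    # pathToSignedProductExe may be a URI (windowsdefender://), so judge by the
    # reporting exe, which is a real file path for every product shown above.
    $exe = [Environment]::ExpandEnvironmentVariables("$($Product.pathToSignedReportingExe)")
    return ($exe -ne '' -and -not (Test-Path -LiteralPath $exe))
}

function Remove-StaleAvProduct {
    param([switch]$WhatIf)
    foreach ($p in Get-AvProduct) {
        $stale = Test-AvProductStale $p
        $tag = if ($stale) { 'STALE' } else { 'ok' }
        '{0,-24} {1,-6} productState=0x{2:X6} {3}' -f $p.displayName, $tag, $p.productState, $p.pathToSignedReportingExe
        if (-not $stale) { continue }
        if ($WhatIf) { "  would delete '$($p.displayName)'" }
        else { $p.Delete(); "  deleted '$($p.displayName)'" }
    }
}

Remove-StaleAvProduct -WhatIf   # preview first; drop -WhatIf to delete the stale entries
```

Running it with -WhatIf first shows which records would go, so a product that is merely mis-registered but still installed is not removed by mistake.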
Categories: Remote Monitoring

Outlook client can’t find O365 to authenticate license

I have had several colleagues with a problem authenticating and authorizing their O365 Office software to the O365 license servers.

Red bar: Invalid license/not licensed

Yellow bar: others said Activate now – nothing worked to activate the user to O365.

To fix this problem, I had to import this registry info via an O365fix.reg file.

Note: copy and paste the text below, starting with the Windows Registry… line through to the 001 value on the last line.

Save the file as o365fix.reg to the c:\temp folder, then right-click and merge the key on the client machine. From there it should authenticate to the license servers and be usable.

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\AutoDiscover]
"ExcludeHttpsRootDomain"=dword:00000001
"PreferLocalXML"=dword:00000000
"ExcludeHttpRedirect"=dword:00000000
"ExcludeHttpsAutodiscoverDomain"=dword:00000001
"ExcludeScpLookup"=dword:00000001
"ExcludeSrvRecord"=dword:00000001
"ExcludeExplicitO365Endpoint"=dword:00000001

Hope this helps all out there.

Categories: Active Directory

UniFi Cloud Key web UI password doesn’t work: “Invalid username and/or password”

Attempts to log on to the UniFi Cloud Key website, for example http://10.1.10.10, fail no matter whether the username/password you enter is correct. The error message you get is: “Invalid Username and/or password”.

Well that stinks. Hmmm, how to fix. Let’s try to connect using SSH (I like to use putty.exe).

PuTTY to 10.1.10.10 – using the username and password combination that failed above worked just fine; I’m in, I can see all the commands etc. Okay, that works, but then the UI should work – Nope!

After hours… I mean hours of searching different communities and solutions, this was the solution that fixed it. It happened to come from a UniFi tech – 5 years ago – which means they still haven’t fixed it in their Cloud Key products :(.

FROM UNIFI techs: The issue appears to be arising from incorrect SUID account privileges on the UCK system.

This can be confirmed by sshing into the CloudKey and running the following command:

ls -l /usr/bin/sudo

This should return output similar or identical to the following if the same root cause:

-rwxr-xr-x 1 root root 106820 Jan 10 2016 /usr/bin/sudo

To resolve this and ensure that any suid issues are not causing the issue, run the following command (Recommend copy & paste):

chmod u+s /usr/bin/sudo

Re-test logging in to the WebUI and confirm the issue is resolved. YEP that worked! (Running ls -l /usr/bin/sudo again should now show -rwsr-xr-x, the normal setuid-root mode for sudo.)

I’m posting this again so people searching for this can find it faster than searching through 13 pages of the above solution from this link: https://community.ui.com/questions/Cannot-log-in-to-Cloud-Key-WebUI/e31a1fc1-7e19-40a7-a266-4d36c35825e4

or better: https://community.ui.com/questions/Cannot-log-in-to-Cloud-Key-WebUI/e31a1fc1-7e19-40a7-a266-4d36c35825e4?page=13

Categories: Active Directory

Outlook Crashes/hangs since July 2020

Ever since July 2020, Msft has pushed out a few bad versions of Office 365 which have caused client Outlooks to crash and burn :(… The first time this happened, a large portion of my clients had this problem, so I created a script to fix them and used my RMM to push out the fix to all Windows 10 machines with O365. By doing this they were able to get back to a working Outlook until MSFT fixed their bad update. It happened again later in 2020 and I had to perform similar steps:

1. "C:\Program Files\Common Files\microsoft shared\ClickToRun\officec2rclient.exe" /update user updatetoversion=16.0.6366.2062 – all as one line.

2. If that fails, run this:

"C:\Program Files\Common Files\microsoft shared\ClickToRun\officec2rclient.exe" /update user updatetoversion=16.0.12827.20470

Best of luck!

Windows 10 1903 ESENT Event 455

The powers that be… err, rather the developers that be at Microsoft missed a step for the 1903 upgrade. Every Windows 10 device gets this event message in the Application Log because a folder is missing under the systemprofile AppData folder… Doh.

Here’s the error message:

Log Name: Application
Source: ESENT
Date: 11/8/2019 10:22:06 AM
Event ID: 455
Task Category: Logging/Recovery
Level: Error
Keywords: Classic
User: N/A
Computer: Computername…
Description:
svchost (1332,R,98) TILEREPOSITORYS-1-5-18: Error -1023 (0xfffffc01) occurred while opening logfile C:\WINDOWS\system32\config\systemprofile\AppData\Local\TileDataLayer\Database\EDB.log.

So how to fix and remove the error message… open an Admin cmd prompt, go to the C:\WINDOWS\system32\config\systemprofile\AppData\Local folder and type:

md TileDataLayer

followed by

md TileDataLayer\Database

Thereafter you can close the cmd.exe prompt and the error should go away.

Categories: Active Directory