Thanks to Jonas Lenntun from Approved Consulting AB http://www.approved.se/ in Sweden, you can now watch the recorded version of my presentation at the SCOM Days in Göteborg.

It's a 45 minute presentation about the best practices in tuning your Operations Manager Environment and your management packs.

Enjoy!

http://youtu.be/GgLkscRz6oo

And there's more coming soon - Watch this blog closely in the next months.

/Danny

What is Lateral Movement?

Lateral movement is an activity used when an attacker is scavenging a network for credentials, typically used in a Pass-The-Hash scenario.

From Mitigating Pass-the-Hash (PtH) Attacks and Other Credential Theft Techniques.pdf

"In this activity, the attacker uses the credentials obtained from a compromised computer to gain access to another computer of the same value to the organization. For example, the attacker could use stolen credentials for the built-in local Administrator account from the compromised computer to gain access to another computer that has the same user name and password."

 The local accounts issue

- What's the problem with local accounts, they're local to the machine right?

Well, there is a functionality like the  "Windows for Workgroups" behaviour, inherited from previous versions of Windows, that makes local accounts a security issue. In this behaviour a client trust a local account from another machine if the password is exactly the same. This means that if you know the password of the local administrator account on one machine you could use that account to connect to other machines where the local administrator password is identically.

Normally you do not need local accounts when your machine is domain joined. You should use domain accounts instead.

How do you solve it?

One really good mitigation is to make the local administrators accounts passwords unique. Then you cannot use this account to connect to other machines.

But , how about other local accounts? Can you be sure there's no other local accounts created anywhere?

The best way is to prevent all local accounts to access other machines over the network via a group policy.

This can be done with the two new Well-known groups:

Local account S-1-5-113

All accounts in the local SAM .

Local account and member of Administrators group S-1-5-114

All accounts in the local SAM and member of the administrators Group.

How do you get these two new groups?

If you already have  Windows 8.1/Windows Server 2012 R2  they're there waiting to be used.

If you have Windows 7, Windows Server 2008 R2, Windows 8 or Windows Server 2012 machines you have to install the security update KB2871997.

This update adds the new groups among other new great security features.

Before installing KB2871997 the group list for the local administrator account will look like this:

With KB2871997 installed:

Create the Group Policy 

By adding the new group "Local Account" to the user right assignment "Deny access to this computer from the network", you deny access to the computer for local accounts over the network. Set this setting in a group policy and apply it to your machines you would like to protect. I suggest you to make sure you do not have an application relying on this old legacy behaviour before applying it to the masses.

The Result 

Local accounts will be limited to the machine where they are stored.

Perfect! They are kept right where they belongs.

Conclusion

This setting in combination with unique password and preventing local accounts from logging on using remote desktop you have relatively easy made a big impact on security!

From: Mitigating-Pass-the-Hash-Attacks-and-Other-Credential-Theft-Version-2.pdf

Overview

One of my customer was in the process of migrating away from Windows XP. As a part of this work, the customer was verifying application compatibility. During the testing of applications, they discovered that 2 applications that are business critical for the customer were having issues with file creations. These issues are counted as showstoppers for the roll out of Windows 7. The purpose of this blog is to describe the technical reasons of this issue and its resolution.

The customer´s technical issue with creating files via a web based tool with an ActiveX Component that will save information locally and Scanning Application on the client machine, focusing two specific error messages:

Error message “unable to create file” in the Scanning application

Error message “Internet explorer has had a fatal error” in the ActiveX component application

Both these application are working in Windows XP without any issues. The customer is doing a 1:1 migration of the application when they move the applications to Windows 7.

Security settings

The will give the users the same NTFS permissions as they had on Windows XP.

Based on the documentation on the applications there is a need to save temporary files in C:\. Based on this configuration shown in the Picture above, the application user will have all the necessary NTFS permission to write the application files to %systemroot%, in this case C:\.

Even though when the user is having Full Control in C:\, the user will get the access denied message.

Something strange magic is at Work here. There are more things going on than meets the eye.

The customer has high security requirements and has enabled User Account Control. One of the setting that are set is the following:

This UAC setting must be enabled for Virtual Store to be functional.

More information about this setting is available here:

http://technet.microsoft.com/en-us/library/dd851895.aspx

This means that they have enabled Virtual Stores, which means that information from the application should be written to Virtual Store directory (%LOCALAPPDATA%\VirtualStore, C:\Users\user\AppData\Local\VirtualStore).

After verifying the application we are seeing that Virtual Store is not being used.

Based on this information, we realized that we are not getting access denied when we are trying to write to C:\

As mention above in the UAC policy we should have a write failure to start the virtualization of file and registry. Without having a write failure on C:\ the Virtual Store functionality will not work.

So we have given Full Control to the user on C:\ and we have verified that the Virtual store will not be used as the user has write access to C:\.

This would mean that the user can write the temp files to C:\, but still we get Access Denied from the application.

There is another security feature at work here:

As we are trying to write to %systemroot%, the operating system will protect itself, by implementing Windows Integrity Mechanism.

Windows Integrity Mechanism is a functionality to ensure that a lower privileged process can´t alter system configuration that are critical for the operating systems.

Integrity level assignment

Based on this information we came to the conclusion that we had two processes, the ActiveX Component running in a Low Mandatory Level and the scanning application running at a Medium Mandatory Level. These applications are trying to write their temporary files to C:\, which is %systemroot%. %Systemroot% is containing several system critical files that is needed for the operating system. This means that you will need High Mandatory Level Integrity Level permission to be able to write to C:\

More information about Integrity level can be found here:

http://msdn.microsoft.com/en-us/library/bb625957.aspx

http://msdn.microsoft.com/en-us/library/bb625963.aspx

So the actual issue is that the operating system is protecting itself from having critical operating system files being altered.

Based on this information we realized that the NTFS file and folder permission are evaluated first in the perspective if the UAC configuration about Virtual Store should be used and then the Windows Integrity Level will verify if it should allow a write to %systemroot%.

This is the actual issue on why we get Access Denied even though we have given the user Full Control on C:\. The operating system is trying to protect itself from being compromised by a low privileged process!

Conclusion
 

So how did we get the application to Work?

By giving the user Read Only to C:\ we get the expected Access Denied on the write attempt on the expected C:\ folder that the application wants to do. Hence the Virtual Store will be used and the temp files are written to C:\Users\user\AppData\Local\VirtualStore, where the user has write access.

So the correct NTFS Permission for these application would be

So by giving less permission on %Systemroot% the user will get the permission to write the temporary files to the Virtual Store and the application will work again.

Sometime you probably like to re-install your system or replace a disk where you have installed Hyper-V.

In that situation you better keep track of your VMs files.

Here's a one-liner to list the location of the VM files:

get-vm * |sort-object| ft -auto Name,path,configurationlocation,snapshotfilelocation,@{L="Disks";E={$_.harddrives.path}}

I guess I'm not the only one that have been sitting and wondering .. Hmm.. What permissions does these users got in Active Directory actually? I can see a lot of groups in the access control list but how do I relate that to a certain user.

Ok, we got the Effective Rights tab under Advanced Security. But it does not show everything I expect it to do.

http://support.microsoft.com/kb/933071/en-us

I have used it from time to time and it has been a nice complement to investigating the actual permissions.

But it's hard to get a good overview of permissions, since you can't export the result or do more than one object at a time.

 To address this problem I have added more functionality to the AD ACL Scanner tool.

https://adaclscan.codeplex.com/

How to scan effective rights for a user with AD ACL Scanner:

1. Download and launch the script in Powershell.
2. Click Connect or List Domains if you would like to select and connect to another domain then you default.
3. Browse to the object you would like to scan for effective rights and select it.
4. Click on the Effective Rights tab and check "Enable Effective Rights".
5. Type the samAccountName of the user/Group or computer in the textbox. You could choose an object from a trusted domain if you first click Locations... And select the domain name.
6. Click Get Account and the Selected Security Principal field should be filled in. If you like you can take a look at all contributing memberships this account got by clicking View Account.
7. Press Run Scan to generate the report.

The result will show all permissions this account is granted through its memberships.

Why will not all Well-known SIDs be evaluated?

There are several Well-known security identifiers (SIDs) you should not expect the report to match against.

Well-known SIDs

http://msdn.microsoft.com/en-us/library/windows/desktop/aa379649(v=vs.85).aspx

2.4.2.4 Well-Known SID Structures

http://msdn.microsoft.com/en-us/library/cc980032.aspx

Why is this not in the tool?

Because first of all the account to be evaluated has to logon or be impersonated through all these scenarios to get these SIDs.

The second reason is that they are relative self explanatory. If I have granted users permissions to create group objects as a member of INTERACTIVE, they need to logon interactively
on a DC and make sure they point the tool or LDAP operation to the local machine to be able to create a group.

Well-known security identifiers (SIDs) generated at logon that is evaluated

• Everyone
• Authenticated Users
• This Organization (All accounts in all trusted forests)
• Other Organization (Accounts from an incoming domain or forest trust with Selective Authentication ) 

 If you really would like to know if a user with the Well-knonw SID  INTERACTIVE have permissions in AD you could use the filter function in AD ACL Scanner and filter for "NT AUTHORITY\INTERACTIVE" as Trustee

How to quickly determine the degree of permissions in the report?

To do that I have added a function that will mark the permissions with color codes based on the criticality of the permissions according to this table:

All you have to do is check the box "Show color coded criticality" and run a scan.

Works only for Effective Rights reports.

This is not optimal but I hope it will give you a hint on accounts with high privileges.

You have probably another view on what is critical or not depending on the situation you have.

For example I think it is more critical to create user objects than shared folder objects, since user objects are security principals.

For example I think Write Properties permissions to the Personal-Information property set would not be considered as Medium while Write Properties to pwdLastSet on user objects could be considered as critical.

I suggest all of you to create an administrtive model using Roles-Based Approach with the principle of least privilege in assigning rights and permissions.

Hopefully this tool simplify the work of building an administrative model.

 Download tool from here:

AD ACL Scanner

https://adaclscan.codeplex.com/

Suggested reading  Best Practices for Securing Active Directory

What is the state of your delegation?

Have you a documented and recent report over the permissions in your Active Directory?

Have you granted permissions on the relevant OU's in the past and left it like this ever since??

Maybe it’s time to take a look again to see what’s actually delegated in Active Directory?

Things you probably find when re-visiting the permissions: 

• Permissions given to users or groups that does not exist anymore.
• Permissions set to high up in the OU structure so users have the possibility to create/delete/modify Active Directory objects in the wrong places.
•  The permissions grant the user more than needed e.g.  Helpdesk is supposed to reset passwords on user’s accounts in the defined OU but can create\delete any type of objects.
• Same set of permissions delegated to two groups. Usually only one group is needed for one set of permissions.
• Permissions granted to users or groups that is not needed anymore. This can happen when enabling a project to create objects for a limited period of time or if there were a transition between out-sourcing partners.

What to do?

Every Active Directory should have a documented delegation model that includes the permissions set for the data in Active Directory.
I'm not saying you should type down every single permission on every object, but the permissions that is needed for you organization to be able to perform their given tasks. 

Here's a simple example of how you could document Helpdesk's permissions in AD: 

To verify that the permissions in Active Directory is reflecting the need of you organization you have to go through every OU in your Active Directory where permissions is modified.

It's usually a quite daunting task to click your way through the directory tree to get control over the permissions. For every OU or any object for that matter there are at least 4 clicks to reach the Advanced Security Settings tab, which is often the required view, and if you got a large OU structure that could take a while.

 AD ACL Scanner

To simplify the work of creating and documenting the delegation model in Active Directory I have written a tool in PowerShell with a GUI.

This tool creates reports of the access control list for all of your Active Directory objects. With these reports you can see what/where and when permissions have been set.

To run the script you need at least PowerShell 2.0 and Windows 7/Windows Server 2008, (Windows Server 2003 with Limited functionality).

Enabled unsigned scripting:

Set-ExecutionPolicy Unrestricted

If you are not local admin and cannot set it on your machine you can set it for your profile:

Set-ExecutionPolicy Unrestricted -Scope CurrentUser

You do not need Powershell Module for Active Directory.

To create a report for an OU.

1. Click Connect and the tool will connect to your domain.
2. The Domain Node will be populated in the large tree view box below and you can click your way to the OU.
3. When the OU is selected click Run Scan and you will get a HTML report of the permissions.

This is an example of a report:

By default you will only get the selected OU, but if you like to list all sub OU's you can clear the One Level check box. Be aware that it can take a long time to though a large OU structure.

To get the date when the permissions where modified check the Replication Metadata check box. This will add a column to the report with the latest change of the permissions on each object in the report.

This is an example of a report with the date when the access control list was modified.

To browse all objects, click All Objects in the Browse Options box. This is necessary when you would like to get the permissions on another object like a user for example. Then you also have to select All Objects in the Report Objects box too.

If you like to create a report of the whole domain I strongly suggest you select CSV file in the Output Options since it will take a long time to go through all OUs and create a HTML table for it. If you select CSV file it will be much faster and you can convert it to a HTML report afterwards in the Additional Options. You can even use it for comparison.

The Power of AD ACL Scanner

- Comparing

The cool thing with AD ACL Scanner is that you can compare the current state with a previous result. If you select to create a CSV file of the report you can use that to compare the current state with this file and you will get a report of what is missing or what is added.

 This is an example of a comparison report:

 - Filtering

Another nice feature is the filtering feature.

• You can filter on Allow or Deny permissions.
• You can filter on object types, like user or computer.
• You can filter on Trustee, this is a free text field where you can type any kind of name you are looking for. For example: QLIP\JaneGonzalez.

Here's an example of a report with filtering:

Go ahead and download AD ACL Scanner script from Codeplex:

https://adaclscan.codeplex.com/

Go ahead and explore permissions in AD!

I encourage you to get to know your permissions in AD and starts to document it.

During the evening yesterday my daughter wanted to read some E-books on her new Windows RT slate. She wanted to borrow an E-Book from our local library in Sweden. I was expecting this to be an easy task and gladley tried to find a download link for Windows RT at the library hompage. I found every type of possiblity to read it on different types of Operating System, exept the Windows RT.

The main issue is that the main E-library system is using books protected with EPUB with DRM protection from Adobe. As the official statement from Adobe is that Windows RT is not a supported platform (http://blogs.adobe.com/digitalpublishing/supported-devices), this means that there is no offical Adobe way to borrow these books.

The workaround in this case is to use the Overdrive app (http://www.overdrive.com/news/new-overdrive-app-taps-power-of-windows-8-2/) This can directly downloaded from here (http://apps.microsoft.com/webpdp/app/overdrive-media-console/0c1b24d6-bf93-44da-90fb-601c6a99e379)

With this app you are now able to download the .acsm file from the library. To be able to read this DRM protected E-Book you will have to register an Adobe ID (http://www.adobe.com/account/sign-in.adobedotcom.html) and provide the required info to get your Adobe ID

You will also need to enter your Adobe ID into Overdrive which can be done through the 'Accounts' option in the Settings menu. Swipe in from the right of the screen to open the menu and select 'Settings'. Select 'Accounts' and then 'Authorize'. Enter your
Adobe ID and password.

Now you are ready to get the .acsm file from the library and open the E-book and start Reading the book.

Do you or did you back in the days use your own code or a third party tool to create user accounts that did not update the userAccountControl attribute after the account was created?

Well then there's a change you might have accounts in your domain that are allowed blank passwords or even worse have accounts with blank passwords! 

Why?

Because user objects are allowed using blank passwords by default when created, something that must be handled afterwards. Unless that's in line with your security policy ;)

This is the default setting of userAccountControl on user objects at creation:

userAccountControl: 0x222 = (ACCOUNTDISABLE | PASSWD_NOTREQD | NORMAL_ACCOUNT); 

How does this setting affect my environment? 

Q: We have a password policy in our domain that does not allow blank passwords, are we protected from blank passwords?

A: No, this setting overrides the password policy in the domain or your fine grained password policy when you do reset password operations.  

So when is the "blank password" setting on user accounts effective: 

When users are delegated the permissions to do password resets on user accounts with ADS_UF_PASSWD_NOTREQD, they can set a blank password. 

A normal change password procedure by a user do not follow the ADS_UF_PASSWD_NOTREQD, it will follow the password policy in your domain or fine grained password policy if you got defined for the user.

So let say that an user with the delegate right to do password reset accidentally press OK in the password reset dialog box without the "User must change password at next logon" or someone in your organization with permissions to create user objects accidentally runs a script that sets blank password.  Then you will have accounts in you domain with no password.

How do I find accounts with ADS_UF_PASSWD_NOTREQD?

How will I know if any of the accounts in my domain have "password not required" set?

The easiest way to do it is to do a search with ADUC (Active Directory Users and Computers) mmc snap-in:

1. Right click the domain root.

2. Select Find....

3. In the Find: drop down box select Custom Search.

4. Click the Advanced tab.

5. In the Enter LDAP Query: field type: (&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=32)).

6. Click Find Now.

This will give you all accounts in the select domain that does not requires a password.

What are NETBIOSNAME$ accounts?

Some accounts should have this value so you might expect to find user accounts called  "Trust Short Domain Name"$ . ie. CORP$ or CHILDDOMAIN$.

These are trust accounts, located in the Users (CN=Users, + Domain DN) container, named after the NETBIOS domain name of the domain you share a trust with plus a dollar sign ($).

Leave these accounts alone, if you try to change the userAccountControl value alone for these accounts you will get Access Denied!

Here can you read about the trust account (TDO Passwords):

How Domain and Forest Trusts Work

http://technet.microsoft.com/en-us/library/cc773178(v=ws.10).aspx

How to create users?

To create users without allowing blank passwords you must deal with the userAccountContol values: 

Here you can read on how to create user accounts:

Creating a user (Windows) 

PASSWD_NOTREQD flag:

This Vbscript code example will create a user with ADS_UF_PASSWD_NOTREQD. The user will be allowed using blank passwords. 

This Vbscript code example manage the userAccountControl attribute. It removes both the disabled state and "password not required" setting: 

How do I know if I got blank passwords and how do I deal with it?

Well, you can run a script to test every account against a blank password or why not find users with passwords that don't comply with the password policy and remove the user setting for other users at the same time? :) 

There's a code-sample (RemoveUserPASSWD_NOTREQD.ps1) attached below that remove the ADS_UF_PASSWD_NOTREQD flag and If a user has a blank password the script will fail and report an error stating it does not follow the password policy for the domain, as long as you have a password policy in the domain that requires minimum length above zero characters.

If the script succeeds to remove the ADS_UF_PASSWD_NOTREQD flag  it will also report the status of the account, since if the account is also disabled it still could have a blank password. Something you will get aware of when you try to enable it.

If you try to enable an account that has no password you will get this:

You could test your environment with this code-sample and review the output.

Here is an example of output: 

This PowerShell script requires Active Directory Module for Windows PowerShell. 

What happens when I remove the ADS_UF_PASSWD_NOTREQD flag?

The afftect account can not get blank password at the next password reset, unless the password policy in the domain or fine grained password policy allow it!

Hopefully you do not have accounts with ADS_UF_PASSWD_NOTREQD.

You could still have accounts with blank passwords in case you had a domain password policy with no minimum password length.

To fix this you have to :

• make sure your password policies are in line with your security policy
• verify that users are required to change their passwords
• verify that users don´t have "Password never expires" ticked in.

Go and verify!

In Windows Server 2012 there is a new service called DS Role Service.
This is used for the promotion and demotion of the AD DS. This service is
created due to a change in how the Domain Controllers are setup. The Domain Controller
is now a Role in the same way as DHCP or DNS. This creates a need for a
separate service handling the Promotion and Demotion of domain controllers.

This DS Role Service has it startup set to manual, as it will only be
used for the Promotion.

If you set this service startup to Disable (either due to lack of knowledge or
for hardening reasons), you will prevent the domain controller from being
demoted or promoted.

When running the Active Directory Services Configuration Wizard will
present the following error message.

“The operation failed with the following error:

The service cannot be started either because it is disable or because it
has not enabled devices associated with it.”

 And followed by the error: “An error occurred when demoting the Active Directory domain controller.”

The solution is to set the startup type to Manual.

This is due to the change on how a Domain Controller is setup. In Windows Server 2012, Domain Controllers are a role in the same way as DHCP or File and Print as described on this wiki page:

http://social.technet.microsoft.com/wiki/contents/articles/12370.step-by-step-guide-for-setting-up-windows-server-2012-domain-controller.aspx

Step-by-step walkthrough: installing an Operations Manager 2012 Gateway Server

To make this document, I installed 3 test servers; the evaluation image of Windows Server 2008 R2 can be downloaded from the Microsoft site here: http://technet.microsoft.com/en-us/evalcenter/dd459137.aspx

This installation was done on a generation 1 Core i7 portable with 1 SSD drive and 8GB of memory. The ISO image and the 3 Hyper-V VMs are on that 1 SSD drive. All at the same time installing, while opening Microsoft OneNote and Microsoft Word and creating this document – it’s not slow at all!

Windows 8 is great!!!

And so is OneNote – Windows+S gives you a really nice integrated screenshotting tool!

The setup will be as follows:

- OM12DC: Active Directory, including AD CS (Certificate Services) to generate the certificates for the gateway server. AD CS will be installed as an online enterprise root CA.

- OM12MS: management server, including Operations Manager Reporting, the Operational database and the Data Warehouse database

- OM12GW: a separate server in a workgroup. This one is the reason we need to have AD CS.

This document is meant to further clarify the TechNet article http://technet.microsoft.com/en-us/library/hh456447.aspx Deploying a gateway server which links to a further explanation http://technet.microsoft.com/en-us/library/hh212810.aspx Authentication and Data Encryption for Windows Computers

More about certificates can also be found here:

Win2008 Enterprise CA: http://technet.microsoft.com/en-us/library/dd362553.aspx

Win2008 Standalone CA: http://technet.microsoft.com/en-us/library/dd362655.aspx

After the Windows Update process is finished, you can start installing Active Directory on the DC.

When you have installed and configured AD DS, add the AD CS role + the web site to request certificates.

And the rest is NNF (Next-Next-Finish).

Remove PKI and add Client / Server Authentication to Application Policies

From the GW server, the one that is not in the domain, you don’t trust the Enterprise CA by default.

That’s why you first have to get and install the Root CA certificate from the AD CS.

Add both My user account and Computer account – you’ll need both anyway

The certificate from the Root CA needs to be added in this list.

Open a web browser on the gateway server, and go to the CA Web service: http://OM12DC1/certsrv

Add the certsrv website to the Trusted Sites by going to internet options and under security choose Trusted Sites, and click on Sites to add this site.

Since the certsrv website uses ActiveX, change the security settings of Trusted Sites so that ActiveX is allowed.

Here we need to request the CA chain

If you don’t see these 2 popups, you need to enable ActiveX first.

The certificate is in the list now, meaning our workgroup gateway server will trust certificates issued by the Enterprise Root CA.

Now we need to request a certificate for our gateway server

Advanced request

Create and submit

Select the template that was created earlier, and fill in the Name and Friendly Name fields with the FQDN of your gateway server.

Since mine is in a workgroup, the NetBIOS name is sufficient.

And now the certificate is generated and we can install it

Done

But wait a minute… Installed, where???

We need to authenticate computers, and the certificate is imported in the personal certificate store.

So we need to open the Certificates MMC and copy the certificate from the personal store to the local computer store.

The certificate is now installed and you can verify everything is installed correctly by opening the certificate and checking if the certification path is ok.

On the Management Server, we also need to install a certificate. Since we have an Enterprise Root CA, integrated with AD, the root CA certificate is already trusted by our MS who is a domain member.

We can also request certificates in another way: we can request a new certificate from our CA directly from the MMC.

Click next

Select the certificate that we’ve created earlier

The extra information needed is the Common Name in the first box (OM12MS) and the FQDN in the bottom box with DNS.

And click Enroll to finish this

NOW we’re done

Now we have to approve the gateway to be able to communicate with the management server.

Copy the Microsoft.EnterpriseManagement.GatewayApprovalTool.exe and the corresponding Microsoft.EnterpriseManagement.GatewayApprovalTool.exe.CONFIG file from the support tools directory on your installation media to the installation path of your OpsMgr installation, in my case that’s C:\Program Files\System Center 2012\Operations Manager\Setup

1. Approve the gateway server: At the command prompt, run Microsoft.EnterpriseManagement.gatewayApprovalTool.exe /ManagementServerName=<managementserverFQDN> /GatewayName=<GatewayFQDN> /Action=Create

If the approval is successful, you will see The approval of server <GatewayFQDN> completed successfully.

Now you can install the gateway software by clicking the Gateway Management Server link in the setup splash screen

We did this, so we can continue the setup

Give the management group name - this can be found in the title bar of the console on the management server - and the management server name

The port number can be changed if desired. Only this 1 port needs to be open on the firewall, that’s the big advantage of using a gateway server!

Copy the MOMCertImport.exe tool to the gateway server, into the gateway installation path.

In my case, this is C:\Program Files\System Center Operations Manager\Gateway

Export

You’ll get a message that the action succeeded, and you can check progress in the Operations Manager event log.

Do the same for the gateway server:

Troubleshooting:

If you get event 21006, make sure the firewalls on the gateway and/or on the management server are not blocking communication

Don‘t forget to enable Agent Proxy for the gateway, as this one will act as a proxy for other systems connecting through the gateway server!

To check if it’s working, go to the Operations Manager Console – you should see something similar to this!!

HTH and a big thank you to my colleague Ingo for double-checking the certificate part!

/Danny

More information can be found here: http://windowsteamblog.com/windows/b/bloggingwindows/archive/2012/07/09/upcoming-windows-milestones-shared-with-partners-at-wpc.aspx

From this post, the most important news is "Tami confirmed that Windows 8 is on track to Release to Manufacturing (RTM) the first week of August. For enterprise customers with Software Assurance benefits, they will have full access to Windows 8 bits as early as August."

:-)

The upgrade history for CLM/ILM has vastly improved with the ILM FP1 SP1 release, with this release the admin can upgrade all versions of CLM to the latest regardless of version.

Prior to this the upgrade could require an uninstallation of the existing installation, depending on which version of CLM you were running.

The current full upgrade package upgrades to ILM FP1 SP1 3.3.1139.02.

See http://support.microsoft.com/kb/977791 for details.

See also http://support.microsoft.com/kb/2346516 for updating to the latest builds of ILM post-upgrade, 3.3.1169.02.

Anyone who's ever read Douglas Adams' HGTTG knows the value of having a traveling companion you can stuff into your pocket.

Something that you can rely on being with you day and night, no matter where in the world you are or what set of clothes you're wearing :)

Something that keeps track of your schedule and answers your questions before you ask them.

For the Premier Field Engineer rangers - this something is the Windows Phone with the internal Microsoft business app suite.

As Tolkien might have put it (at least if he'd had a Windows Phone and been a PFE)...

One App to rule time
one App to find it
one App to Bing it all
...and in the darkness sync it with the internal Dynamics server
In the land of Microsoft, in the PFE life

/ingo

For those wanting to get rid of the SCCM MP error (introduced in the latest version 6.0.6000.3) "Failed to read %PROCESSOR_ARCHITECTURE environment variable from Win32_Environment WMI class", there is a hotfix available now:

http://support.microsoft.com/kb/2692929

More information, as always, can be found on Kevin Holman's blog: http://blogs.technet.com/b/kevinholman/archive/2011/09/30/mp-update-new-configmgr-2007-mp-version-6-0-6000-3-resolves-top-issues.aspx

HTH,

Danny

• Issue 1: There is a reliability issue in AD FS 2.0 in which AD FS 2.0 Federation Service stops responding to requests in certain cases, especially when there is a large load on AD FS 2.0 federation server or federation server proxy. This issue can occur in both federation passive and federation active scenarios.

• Issue 2: The whr parameter that is specified by an application for a home realm discovery scenario overwrites the previously set home realm discovery cookie. This causes a user to be redirected to a different identity provider that the user cannot use to sign in when the user uses a different application.

• Issue 3: The AD FS 2.0 service stops unexpectedly when a valid certificate is set to the archived state

• Issue 4: When you add an AD FS 2.0 federation server to a Windows Internal Database (WID) farm, you receive an error message. This issue occurs when the federation server is in a time zone that is later than the primary federation server in the WID farm.

• New capability 1: AD FS 2.0 does not fully support the RelayState parameter for Security Assertion Markup Language (SAML) protocol. The Update Rollup 2 for AD FS 2.0 update adds a new capability that enables AD FS 2.0 to consume relay state in order to redirect the user to the RP application.
  For more information, please see Supporting Identity Provider Initiated RelayState

System Center 2012 Operations Manager Update Rollup 1 is now available and can be downloaded here

http://www.microsoft.com/en-us/download/details.aspx?id=29697

Update Rollup 1 contains a number of fixes for System Center 2012 Operations Manager, including cross platform fixes, as well as support for Oracle Solaris 11.

A number of fixes may require manual steps to install. A detailed list of fixes can be found on Knowledge Base Article KB2686249 - http://support.microsoft.com/kb/2686249 .

The System Center 2012 VMM/AC Update Rollup 1 is also available, that one is to be found here

http://www.microsoft.com/en-us/download/details.aspx?id=29679

It applies to Virtual Machine Manager and App Controller only, so you'll need to install both packages.

The monitoring pack for System Center 2012 - Operations Manager monitors availability of VMM and the availability, health, and performance of all virtual machines and virtual machine hosts that VMM manages.

More information about Update Rollup 1 can be found here

http://support.microsoft.com/kb/2686249

As always, make sure to test this before deploying in a production environment!

HTH,

Danny

The purpose of this blog will be to evangelize the work the PFE organization in Sweden is doing.