In a previous post, I outlined the steps for deploying Hybrid Cloud Print. Here are some noteworthy issues and errors you may encounter when deploying or testing this solution through either of the supported pre-authentication methods, and some ways to remediate them.

Publishing permissions. This error indicates that you do not have print server management permissions or permissions to modify the Mopria database file. Address this by following steps #2 and #8 of the referenced post above.

Read and Sign-in Authorization for Native client or web apps. This error indicates that required permissions are missing on the Native client or Web apps; it further indicates that you have not delegated permissions to the app for the required APIs, as outlined in steps #10 …
Hybrid Cloud Print with Passthrough Authentication – Detailed steps
In a previous post, I gave an overview of the Windows Server Hybrid Cloud Print solution. This is a solution that enables organizations to support print functionality for MDM-managed BYOD and Azure AD joined devices. Organizations will find this solution useful if they plan to: leverage existing global printing investments to support BYOD and non-domain-joined devices; deploy Azure AD joined devices into an existing AD and global print environment; support MDM-managed BYOD; and support printing while away from the corpnet. The solution supports single sign-on user authentication and allows you to leverage your existing authorization processes. I briefly covered this in the previous post. In this article, I will go over the steps for configuring Hybrid Cloud Print using …
Overview of Hybrid Cloud Print Solution
Hybrid Cloud Print is a relatively new feature that is built on the Windows Print Server role in Windows Server 2016. It enables users to discover and securely print to on-premises printers from their Azure AD joined and MDM-managed devices, from wherever they have internet access. The solution is built on a Windows print service and discovery service endpoints, both of which run on IIS services supporting the Internet Printing Protocol and the Mopria Alliance industry printer discovery standard, respectively. For the server-side configuration, you will need to: install the Print Server Windows Server feature; install Hybrid Cloud Print through, for instance, the PowerShell modules; configure the IIS endpoints to support SSL; install and configure the SQLite package …
Reinstate Missing BitLocker recovery tab in ADUC
Quick fix for reinstating the BitLocker recovery tab for locating and viewing BitLocker Drive Encryption (BDE) recovery passwords stored in Active Directory Domain Services (AD DS). The tab is enabled by the Active Directory BitLocker Recovery Password Viewer tool, which is an optional feature that is part of the BitLocker Drive Encryption Administration Utilities component of the Remote Server Administration Toolkit (RSAT). You can enable this feature manually through Server Manager or via PowerShell:

Install-WindowsFeature RSAT-Feature-Tools-BitLocker-BdeAducExt

If you'd also like to install the manage-bde and repair-bde command line tools for BitLocker Drive Encryption, you can install the BDE Administration Utilities:

Get-WindowsFeature | where {$_.Name -eq 'RSAT-Feature-Tools-BitLocker'} | Install-WindowsFeature

Once the feature is enabled, you can view recovery passwords for computer objects and …
Migrating from Mixed Mode AD FS to a Full Windows Server 2016 AD FS Farm
I recently designed a solution to provide AD FS high availability for a client, using Azure IaaS and PaaS. This necessitated deploying Windows Server 2016 AD FS servers into a Windows Server 2012 R2 farm in order to align with the desired DR testing plan and accommodate downtime schedules. This article will review the specific steps for making the cutover from a mixed-mode AD FS environment to a full Windows Server 2016 AD FS farm. It will not go into detail about installing the AD FS roles. At the time of writing this article, adding Windows Server 2016 AD FS servers to a Windows Server 2012 R2 farm in a so-called "mixed-mode" scenario is fully supported, and you can subsequently …
SCOM 2016 Certificate Errors. Event ID 20049
In this article, I'll review SCOM Certificate Event ID 20049. This error event can be seen during an attempt to initiate mutual authentication across untrusted boundaries, such as in a gateway or workgroup boundary scenario. In SCOM, certificates need to be used for mutual authentication between the management servers and any gateway servers/agents when Kerberos-based mutual authentication is not possible. If there is an issue with the certificate, mutual authentication will fail, and one of the errors you could likely encounter is as shown below. The event detail reads: "The specified certificate could not be loaded because the key Usage specified does not meet OpsMgr requirements. The certificate must have the following usage types: Digital Signature, Key Encipherment." This …
Create a Certificate Template from a Server 2012 R2 CA
In order to export the private key for a certificate, you will need to base the certificate on a template that has that option enabled. While this task can be easily accomplished using PowerShell, I'll document a step by step using the GUI to show what this entails.

Open Server Manager on your CA, click Tools, and select Certificate Authority.
Select your CA, right-click Certificate Templates, and select Manage.
In the Certificate Templates Console, select the relevant Template Display Name (Web Server in my case), right-click and select Duplicate Template.
In the resulting Properties of New Template window, leave the default compatibility settings for backward compatibility with older clients.
Click on the General tab, and enter the Template display …
Certificate Private Key Error
While working with certificates today, I stumbled upon an error that indicated something was amiss with my CA certificate templates. Ordinarily I make only certificate templates with exportable private keys available in my CA web enrollment pages, and I'd explicitly requested and installed the certificate with the thumbprint shown in the error below. So I donned my sleuth knickers, and decided to delve a little deeper. An attempt to manually export the certificate with its private key from the certificate store indicated that there was no private key to be exported, as that option was greyed out. I identified the certificate template from which the certificate was created in the MMC | Certificates snap-in, and then reviewed …
Monitoring Azure IaaS with OpsMgr 2012 – Part 2
In the first part of this article, I introduced the concept of monitoring Azure IaaS VMs with OpsMgr, and briefly reviewed the prerequisite steps for setting up connectivity from your corpnet to the Azure network. In this part of the article, I will demonstrate the necessary configuration steps for monitoring the Azure VMs with OpsMgr. Recall that my lab is comprised of an AD domain, an OpsMgr management group, and a Microsoft PKI, and that I have configured cross-premises connectivity to my Azure virtual network, which contains my Azure VMs. We also confirmed that the test Azure VM, AppSrv2, can connect to the OpsMgr Management Server in my lab. The Azure VM is outside of the trusted environment of the …
Monitoring Azure IaaS with OpsMgr 2012 – The basics
A customer recently posed a question, and it was one that coincided with a subject I had been meaning to write about for some time. Can virtual machines (VMs) running applications in Microsoft Azure be monitored with OpsMgr, and if so, how does one configure this monitoring? Yes: a VM running in Windows Azure IaaS is essentially a VM running an OS, and as such the VM and any applications that reside on it can be monitored with OpsMgr just as you would monitor any other on-premises VM. There are, however, two important considerations for the monitoring of VMs in Azure. Cross-premises connectivity would have to be configured between your corporate network and the Azure network in order for …