UniFi Access Point.. Go Home

I have UniFi APs at home, two to be exact. It’s likely overkill; however, I am in “IT” and I have to do everything overboard at home. Plus the plaster walls inside my house are terrible for wireless connectivity. I hard-wire what I can; the rest, such as phones and tablets, have no choice.

I will be forthright: I really like the system and its potential. It has some awesome features and some software bugs I have run into from time to time. Hence the post…

A new router at home meant I was changing my IP scheme, a relatively easy task once AD/DNS was flipped over. The problem I ran into was that once the scheme changed, the APs lost connectivity with the controller and POW! Wireless down!

No worries, I thought, reboot, get DHCP, and they are back… No
No worries, I thought, reset to factory defaults, and they are back… No
No worries, … Damn these things were not coming back…

Factory resets, whether through UniFi Discover or by finding a small enough paper clip for the reset button, got me nowhere. I ended up using SSH and the UniFi default admin username/password to access the APs. Executing info gave me:

Status: Server Reject (http://1.1.1.1:8080/inform)


In troubleshooting I found that the controller was rejecting the APs. To fix, do the following in order.

  • Reset (each) AP to factory defaults
  • Remove (each) from the device section of the controller software/site
  • Run “set-inform http://1.1.1.1:8080/inform” on one at a time
  • Within the device section of the controller, select adopt on the AP you ran the command on
  • Wait…
  • Magic

I found a few other posts on the issue, ranging from the obscure to the strange. Mine was relatively simple and avoidable. Lesson learned: have PuTTY handy at all times.

AP Firmware: 3.7.39.6089

https://community.ubnt.com/t5/UniFi-Wireless/Adoption-and-Server-Reject/td-p/565829

https://community.ubnt.com/t5/UniFi-Wireless/Troubleshoot-Server-Reject-Error/td-p/888804

https://community.ubnt.com/t5/UniFi-Wireless/UAP-set-inform-Decrypt-error-or-Server-Reject/td-p/1568794

https://community.ubnt.com/t5/UniFi-Wireless/AP-s-can-t-discover-controller/td-p/588425

SharePoint 2013, InfoPath and External Data Connections

I will be brief today, busy day, however I wanted to get this one out there.

Here is the list…

Broken InfoPath Form (You do not have permission to access a database that contains data required for this form to function correctly) – Check!
External Data Connection, SQL – Check!
SharePoint 2013 – Check!
Data Connection Library Created – Check!
Secure Store Service Application Setup – Check!

I have run into this quite a few times: SharePoint 2013 web applications have Kerberos enabled and the form breaks. This usually doesn’t happen “just because” unless you have a residual form that someone found recently… Either way, it’s broken.

Find the UDCX file in the data connection library of the site the form resides in, generally under Site Contents. Make a copy of it and edit the copy; Notepad works.

Here is the change that is needed.

Before. Uncomment and set the Application ID.

</udc:UpdateCommand>
<!--udc:Authentication><udc:SSO AppId='' CredentialType='' /></udc:Authentication-->
</udc:ConnectionInfo>

After. Enter in the App ID and Cred Type.

</udc:UpdateCommand>
<udc:Authentication><udc:SSO AppId='InfoPathForms' CredentialType='NTLM' /></udc:Authentication>
</udc:ConnectionInfo>

This has fixed it most of the time.
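The same edit can be scripted so the commented-out block is activated the same way every time and the result is checked for well-formedness before it goes back into the library. This is an added example, not from the original post; the file paths are assumed, and the application ID InfoPathForms and credential type NTLM are the post’s values.

```powershell
# Added example, not the original post's own code. Rewrites a copy of the .udcx
# so the commented-out <udc:Authentication> element becomes active, carrying the
# Secure Store target application ID and credential type. Paths are assumed.
param(
    [string]$Source = 'C:\temp\SqlConnection.udcx',       # copy downloaded from the data connection library (assumed)
    [string]$Target = 'C:\temp\SqlConnection-sso.udcx',   # edited copy to upload and approve (assumed)
    [string]$AppId  = 'InfoPathForms',                     # Secure Store target application ID, from the post
    [string]$CredentialType = 'NTLM'                       # from the post
)

$xml = Get-Content -LiteralPath $Source -Raw

# As shipped, the element is an XML comment with empty attribute values:
#   <!--udc:Authentication><udc:SSO AppId='' CredentialType='' /></udc:Authentication-->
# Match that comment whichever quote style it uses and replace it with a live element.
$pattern = '<!--\s*udc:Authentication>\s*<udc:SSO\s+AppId=(?:""|'''')\s+CredentialType=(?:""|'''')\s*/>\s*</udc:Authentication\s*-->'
$replacement = "<udc:Authentication><udc:SSO AppId='$AppId' CredentialType='$CredentialType' /></udc:Authentication>"

if ($xml -notmatch $pattern) {
    throw "No commented-out udc:Authentication block found in $Source (already enabled, or a different template?)"
}
$fixed = [regex]::Replace($xml, $pattern, $replacement)

# Refuse to write anything that is no longer valid XML; InfoPath would reject it anyway.
$check = New-Object System.Xml.XmlDocument
$check.LoadXml($fixed)

Set-Content -LiteralPath $Target -Value $fixed -Encoding UTF8
Write-Host "Wrote $Target; upload it to the data connection library and approve it."
```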

SharePoint 2013: Error: ID3204: WS-Federation SignIn request must specify a ‘wtrealm’ or ‘wreply’

As you may know, I work with Microsoft products, SharePoint specifically lately. I ran into an issue with the setup of utilizing ADFS as a claim token provider for authentication on a specific URL.

The issue was…

Error: ID3204: WS-Federation SignIn request must specify a ‘wtrealm’ or ‘wreply’

There was more to this with custom errors on. I like it when I get the full spiel from .NET.

While I care very much about wreply in my situation, I didn’t initially get what was broken… the setup of a token issuer is quite simple, especially with ADFS; it’s less fuss and a Microsoft product. Plus my scripts usually don’t fail me much.

After a quick comparison with a working environment and running a few PowerShell scripts, I saw that my realm providers did not have the URN attached.

Key                                        Value
---                                        -----
https://URL1/
https://URL2/
https://URL3/
https://URL4/
https://URL5/
https://URL6/
https://URL7/

Bah Humbug…

A quick clear, of the values.

$ap = Get-SPTrustedIdentityTokenIssuer
$ap.ProviderRealms.Clear()
$ap.Update()

And re-run my script… and voila…

Key                                        Value
---                                        -----
https://URL1/                              urn:fancy1:fancy1
https://URL2/                              urn:fancy1:fancy1
https://URL3/                              urn:fancy1:fancy1
https://URL4/                              urn:fancy1:fancy1
https://URL5/                              urn:fancy1:fancy1
https://URL6/                              urn:fancy1:fancy1
https://URL7/                              urn:fancy1:fancy1

The urn:fancy1:fancy1 provider realm matches the ADFS relying party I had setup before. Now my site works…
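The clear-and-rebuild the post describes, with the realm added back for every web application URL and the result verified, in one script. This is an added example and not the post’s own setup script; it assumes the SharePoint Management Shell, a single trusted identity token issuer, and the post’s placeholders (https://URL1/ … and urn:fancy1:fancy1).

```powershell
# Added example, not the post's own script. Assumes the SharePoint 2013
# Management Shell, a single trusted identity token issuer, and the post's
# placeholder values: web application URLs https://URL1/ ... and the ADFS
# relying party identifier urn:fancy1:fancy1 (substitute your own).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$realm = 'urn:fancy1:fancy1'                                 # must equal the relying party identifier in ADFS
$urls  = 'https://URL1/', 'https://URL2/', 'https://URL3/'   # one per claims-enabled web application (placeholders)

$ap = Get-SPTrustedIdentityTokenIssuer
if (@($ap).Count -ne 1) {
    throw 'Expected exactly one trusted identity token issuer; use -Identity to pick one.'
}

Write-Host 'Provider realms before:'
$ap.ProviderRealms | Format-Table -AutoSize      # an empty Value column is the ID3204 symptom from the post

# Rebuild the URL -> realm mapping: Clear() as in the post, then one entry per web application.
$ap.ProviderRealms.Clear()
foreach ($u in $urls) {
    $ap.ProviderRealms.Add([uri]$u, $realm)       # SharePoint sends this value as wtrealm for sign-ins from $u
}
$ap.Update()

# Verify: every key must now map to the realm; name any that do not.
$bad = @($ap.ProviderRealms.GetEnumerator() | Where-Object { $_.Value -ne $realm })
if ($bad.Count -gt 0) {
    Write-Warning ('Realm missing or wrong for: ' + (($bad | ForEach-Object { $_.Key }) -join ', '))
} else {
    Write-Host "All $($urls.Count) provider realms map to $realm"
}
```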

Please Reset My Password

Yesterday I was faced with logging into a website for which I knew the username and password. While I didn’t “own” this information of my wife’s, we share almost everything (except pizza, she isn’t cool with sharing pizza), so I thought I would log in to save her time. Of course our account was locked, which resulted in a call. While I had all the info they required (username, password, account number, last four of social), the helpful person on the other end decided not to reset based off my “male” voice, because my wife’s name is female. While I understood, I was frustrated since I had what they wanted and I didn’t get what I wanted. I thought to myself, this business set their requirements and decided, hey, just because you sound like a dude, no way. Frustrated or not, we cordially hung up the phone and I gave up.

This got me thinking: passwords over the phone or e-mail are no longer a secure way to reset. I know what you are thinking, what if I can’t get in, I need to call someone. The beauty of technology means that, no, you don’t need to call anyone. While very few companies have deployed two-factor authentication, most of the world relies on remembering 2-3 passwords which people use for everything (you know who you are). Kids’ birthdays or the ever more important family pet… This puts one important factor on the table: a single password can turn your life upside down.

As you and I have seen the past few years, everything is hackable (NSA hacked?) and it’s scary to me and should be to you too. I know, there are a billion people out there, no way am I the one; unfortunately, what if you are? Just like you would never get in a car accident?

While I can talk all day about this, here are some articles in regards to services being “hacked” and how they may affect you in some way.

Dropbox 68 Million Users Passwords on the Internet
Target Credit Card’s Stolen
NSA Hacked? (Valid?)
Twitter, 33 Million Passwords
11 Data Breaches that Stung US Consumers

So reading these, is your twitter or Dropbox password the same as your banking password?

I just want to get you thinking about the what if? If someone cleans out your bank account, you ok with that? Or signs up for a new credit card? Trust me, it can happen to you and it takes time, effort and money to fix it.

While I talked long enough, let’s get to the part where I tell you how to fix this…

Let’s focus first on passwords since this is the easiest change.

  • When possible, use a tool like 1Password, KeePass, etc. (Recommendations). Change your passwords to complex passwords when possible and unique for each website or service. Even the shopping sites, since most save your credit card info.
  • Update your security questions… Mother’s maiden name? “Bob Loblaw”. A product like KeePass has a notes section where you can store a non-traditional security question answer. Just don’t forget your KeePass password.
  • Enable two-factor authentication. What the hell is that, you say? If you have a mobile phone with text / SMS capabilities, you tell the service or website the number, and they text you at login (usually only once if it’s the same computer or phone). Why is that secure, you say? Anyone else receiving text messages to your number? It’s an additional security layer that I personally like and enable when possible (even on WordPress). While not every site has this, it’s generally under the password change or security section of a website.
  • On a more extreme route, use unique usernames. Again, I know… crazy. However, with a tool, this becomes relatively easy.
  • Credit monitoring: most of these services are junk; like an extended warranty, the cost outweighs the real benefit here. Most banks provide services like this as part of their offerings, so see if you can get it for free.

Now credit cards… Most people really don’t understand how credit cards work, and with the recent ATM and credit card skimmers, it’s more evident this is going to become common place.

  • First and foremost, you aren’t secure unless you utilize chip technology in your card. That 1/4 inch little chip on the front, while real pretty, is a way to encrypt your transaction, and this is good. FAQ about chips.
  • Use your iPhone, Android or accompanying watch to pay at the terminal. Again, your credit card data is stored encrypted and uses token technology; read more about it. To add an additional layer here, you need an eye (no pirates please) or finger (if you use your toe, wear sandals) to even use the service.
  • PayPal. It’s been around for a long time. Not all sites accept this method; however, because of the technology, your banking info is never sent to the merchant. They also have iPhone apps that support some secure payment transfers. Read more here.

From a consumer perspective, these are what I believe are the best and easiest options for you. Security is becoming an important part of life, more so than ever before, so keep an eye out and change your password from “password” to “Password1”.

ML110 G6, Please Don’t Die

In a recent post I talked about my purchase of a ML110 G6. Well, purchase is a strong word; I would call it free, as it appears to be the result of a known “bug” with these machines where they just fail / die / power off without notice or event. Great, I found a winner… The replacement server I received has been rock solid, so let’s not start off on the wrong foot yet.

A few go(ogle)d searches found the following..

http://community.hpe.com/t5/ProLiant-Servers-ML-DL-SL/HP-Proliant-ML110-G6-Breaks-down-offen/td-p/4786107

http://community.hpe.com/t5/ProLiant-Servers-ML-DL-SL/HP-Proliant-ML110-G6-Breaks-down-offen/td-p/4786107/page/2

https://social.technet.microsoft.com/Forums/en-US/fc303b36-91be-4335-9d7e-2e13e43b0f3f/server-stops-answering-suddently?forum=smallbusinessserver

Summary of suggestions..

  • Patch firmware, drivers and BIOS
    • Possibly a BIOS vs. Hardware resource issue
  • Use HP memory specific to this model
    • Duh, why does HP have to be that picky
  • Use a HP array in lieu of the B110i on-board
    • HP P212 or P410 models?
  • Motherboard Rev C instead of A
    • Possibly, considering there are different revision makes you consider
  • New Motherboard
    • No warranty…
  • Power supply under powered
    • Possibly, however why drop out once in a while and not all the time
  • Disable Memory Interleaving
    • You lose half the memory as this won’t utilize both channels
  • Buy something else
    • I think this may be the answer

For me, I noticed improvement when I did the following. Meaning, failures once in a while vs. multiple times daily..

  • Patch firmware, drivers and BIOS
  • Use a HP array in lieu of the B110i on-board
    • HP P212

Performing the above alone improved the machine dramatically.

iLO responds; however, it does not respond to any of the virtual power commands, and the screen is dead, which screams hardware issue. So I am still having to hard reset once in a while, now it’s just less frequent. And when the machine is under heavy load, i.e. CPU at 100% for a long period of time or a lot of network transfer (it has a 6TB RAID on the P212), it dies more frequently.

Strangely enough, the second server I received has not died once since initially booting. Considering the unstable machine is a secondary server, I may look into this again one day; for now it’s on the list… Or just buy another one and use this one for possessed parts, which works too.

Hyper-V Replication

I recently decided my home server was a little much for my needs. While the dual Xeon and 48GB of memory was ample for me years ago, I find I spend less time at home and more time at work in regards to testing. Because of that, I of course got excited and delved into looking at new hardware.

I liked the ML150 G6 I had been using, so I opted into purchasing two ML110 G6, same design and build, however only a single Xeon and capped at 16GB of memory. With SSD so cheap, disk isn’t and shouldn’t be a concern for anyone.

Of the two I purchased, one was the “main” machine, holding the 16GB of memory I needed for a few VM’s and a single build of SP. The other held disk resources, admin and the replica partner… aw, they are getting married! The replica housed much more disk space and way less memory. In the event of a failover, it would keep the lights on, relatively speaking, albeit slow due to the RAID5 and 6TB volume the VM’s were sitting on. I wasn’t too worried as it would only take a few hours to rebuild it all anyways.

After installing Windows 2012 R2 and getting Hyper-V up and running with the exact same configuration, replication setup was relatively simple, painless and easier than I expected, since my time with VMware had shown it shouldn’t be “that easy”. Configuring a partner in the same domain involved a few simple steps: selecting a server and some easily understood configuration options. They were in the same domain, plus, I used CredSSP, plus plus, all other settings were the recommended ones and made sense to me, plus plus plus.

And now on to the not-so-fun-parts.. Some things I didn’t like…

  • Because I am picky about paths being the same between servers, I ended up completing the following list so that all the disks and configuration was in the same path. I know… why do I do this, I blame the internet or too many cartoons as a kid.
    • replicating to replica server
    • removing replication on replica server
    • re-setup replication to original primary server
    • replicate from replica to primary
    • removed replication
    • cleaned up replication on initial replica server
    • Re-setup replication

Overall, a good and quick experience. Now my VM’s are relatively safe (meh, who needs backups) from disaster.

SharePoint 2016, New Features?

With SharePoint 2016 right around the corner, I will try to post when I find relevant information and updates. I have been working with the RC1 for a while, and with RC2 out, it’s like a better party…

Some of my personal favorites so far are listed below. While I don’t see anything extreme, I like where things are going with SharePoint. It’s no surprise that Microsoft is pushing cloud, and some of these new features play into that initiative. However, those wanting and/or needing to stay on premises can appreciate the need for new features; otherwise, what is the point of upgrading?

Durable links
Encrypted Connections
Hybrid in SharePoint 2016
Information Rights Management
SharePoint business intelligence
SharePoint Search

New and improved features in SharePoint Server 2016 Release Candidate

https://technet.microsoft.com/en-us/library/mt346121(v=office.16).aspx

Feature: Description. More information.

Access Services: New Access features are available when you deploy Access Services in SharePoint Server 2016 Release Candidate. For more information, see Access Services.
Compliance features: New compliance features for SharePoint Server 2016 Release Candidate include the document deletion and in-place hold policies. For more information, see Compliance features.
Customized web parts: The compile time for customized XSLT files used for Content Query, Summary Links, and Table of Contents Web Parts is improved. More information: NA.
Document Library accessibility: SharePoint Server 2016 Release Candidate includes new document library accessibility features. For more information, see Document Library accessibility.
Durable links: Resource-based URLs now retain links when documents are renamed or moved in SharePoint. More information: NA.
Encrypted Connections: SharePoint Server 2016 Release Candidate supports TLS 1.2 connection encryption by default. For more information, see Encrypted Connections.
Fast Site Collection Creation: The Fast Site Collection Creation feature is a rapid method to create site collections and sites in SharePoint. For more information, see Fast Site Collection Creation.
Filenames – expanded support for special characters: SharePoint Server 2016 Release Candidate now supports using some special characters in file names that were previously blocked. For more information, see Filenames.
Hybrid in SharePoint 2016: Hybrid in SharePoint Server 2016 Release Candidate enables you to integrate your on-premises farm with Office 365 productivity experiences, allowing you to adopt the cloud at your own pace. For more information, see Hybrid in SharePoint 2016.
Identify and Search for sensitive content: SharePoint Server 2016 Release Candidate now provides the same data loss prevention capabilities as Office 365. For more information, see Identify and search for sensitive content in both SharePoint 2016 and OneDrive documents.
Image and Video previews: You can now preview images and videos in SharePoint Server 2016 Release Candidate document libraries. For more information, see Image and Video previews.
Information Rights Management: SharePoint Server 2016 Release Candidate provides Information Rights Management (IRM) capabilities to secure information by encrypting and securing information on SharePoint libraries with OneDrive for Business. For more information, see Information Rights Management.
Large file support: SharePoint Server 2016 Release Candidate now supports uploading and downloading files larger than 2,047 MB. For more information, see Large file support.
MinRole: MinRole is a new feature in SharePoint Server 2016 Release Candidate that allows a SharePoint farm administrator to define each server’s role in a farm topology. For more information, see MinRole farm topology.
Mobile experience: SharePoint Server 2016 Release Candidate offers an improved mobile navigation experience. For more information, see Mobile experience.
New controls for working with OneDrive for Business: SharePoint Server 2016 Release Candidate provides controls at the top of your personal document folders that make common tasks in OneDrive for Business more accessible. For more information, see New controls for working with OneDrive for Business.
New Recycle Bin in OneDrive and Team sites: SharePoint Server 2016 Release Candidate adds a link for the Recycle Bin in the left navigation area of the OneDrive and Team sites. More information: NA.
Open Document Format (ODF): SharePoint Server 2016 Release Candidate adds support for Open Document Format (ODF) files to use in document library templates. For more information, see Open Document Format (ODF) available for document libraries.
Project Server: New Project Server features are available in SharePoint Server 2016 Release Candidate. For more information, see Project Server.
ReFS file system support: SharePoint Server 2016 Release Candidate now supports drives that are formatted with the ReFS file system. For more information about the ReFS file system, see Resilient File System Overview and Resilient file system.
SharePoint business intelligence: SharePoint Server 2016 Release Candidate now supports SQL Server 2016 CTP 3.1 and the Power Pivot add-in and Power View. For more information about SharePoint business intelligence, see Power Pivot add-in and Power View are now available to use with SharePoint Server 2016 Beta 2.
SharePoint Search: SharePoint Search Server Application has significant changes to its deployment. For more information, see SharePoint Search Server Application.
Sharing improvements: SharePoint Server 2016 Release Candidate has many new sharing improvements available. For more information, see Sharing improvements.
Site Folders view: SharePoint Server 2016 Release Candidate provides a new Site Folders view that lets you access the document libraries in sites that you’re following. For more information, see Site Folders view.
Sites page pinning: This new feature helps you see and follow sites. For more information, see Sites page pinning.
SMTP Connection Encryption: SharePoint Server 2016 Release Candidate supports sending email to SMTP servers that use STARTTLS connection encryption. For more information, see SMTP Connection Encryption.
SMTP ports (non-default): SharePoint Server 2016 Release Candidate adds support for SMTP servers that use TCP ports other than the default port (25). For more information, see Use SMTP ports other than the default (25).
Web Application Open Platform Interface Protocol (WOPI): You can now rename files, create new files, and share files from within the WOPI iframe on the browser page. More information: NA.