Enable TLS 1.2 on Windows 2008 R2

Problem

How to enable TLS 1.2 on Windows Server 2008 R2?

Resolution

QuoVadis recommends enabling and using the TLS 1.2 protocol on your server. TLS 1.2 has improvements over previous versions of the TLS and SSL protocols that raise your level of security. By default, Windows Server 2008 R2 does not have this protocol enabled. This KB article describes the process to enable it.

1. Start the Registry Editor by clicking Start, then Run. Type “regedit” into the Run field (without quotation marks) and press Enter.

2. Highlight Computer at the top of the registry tree. Back up the registry first by clicking File and then Export, and choose a location to save the registry file.

   Note: You will be editing the registry. This can have detrimental effects on your computer if done incorrectly, so it is strongly advised to make a backup.

3. Browse to the following registry key:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols

4. Right-click the Protocols key and select New, then Key from the drop-down menu. This creates a new key (shown as a folder). Rename it to TLS 1.2.

5. Right-click the TLS 1.2 key and add two new keys underneath it.

6. Rename the two new keys as:
   • Client
   • Server

7. Right-click the Client key and select New, then DWORD (32-bit) Value from the drop-down list.

8. Rename the DWORD to DisabledByDefault.

9. Right-click the name DisabledByDefault and select Modify… from the drop-down menu.

10. Ensure that the Value data field is set to 0 and the Base is Hexadecimal. Click OK.

11. Create another DWORD under the Client key as you did in step 7.

12. Rename this second DWORD to Enabled.

13. Right-click the name Enabled and select Modify… from the drop-down menu.

14. Ensure that the Value data field is set to 1 and the Base is Hexadecimal. Click OK.

15. Repeat steps 7 to 14 for the Server key (creating the two DWORDs, DisabledByDefault and Enabled, with the same values underneath the Server key).

16. Reboot the server.

Your server should now support TLS 1.2.
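The same change scripted, as an added example that is not part of the QuoVadis article: it exports the SCHANNEL hive as a backup (step 2), creates the TLS 1.2 Client and Server keys with their two DWORD values (steps 3 to 15), and reads the keys back so you can confirm the result before rebooting. The backup file location under %TEMP% is an assumption; run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original KB article): scripts steps 2 to 15 above and verifies
# the result. Run from an elevated PowerShell prompt; reboot afterwards (step 16).
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Step 2: export the SCHANNEL hive before touching it. The backup location is an assumption.
$backup = Join-Path $env:TEMP ('schannel-backup-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL' $backup /y | Out-Null
if (-not (Test-Path $backup)) { throw 'Registry backup failed; aborting before any change.' }

# Steps 3 to 15: create Protocols\TLS 1.2\Client and \Server, each with
# DisabledByDefault = 0 and Enabled = 1 as REG_DWORD values.
foreach ($side in 'Client', 'Server') {
    $key = Join-Path $base "TLS 1.2\$side"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value 0 -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $key -Name 'Enabled'           -Value 1 -PropertyType DWord -Force | Out-Null
}

# Verification: read both keys back. Written for PowerShell 2.0, which is what 2008 R2 ships with.
function Test-Tls12Registry {
    foreach ($side in 'Client', 'Server') {
        $p = Get-ItemProperty -Path (Join-Path $base "TLS 1.2\$side") -ErrorAction SilentlyContinue
        New-Object PSObject -Property @{
            Side              = $side
            Enabled           = $p.Enabled
            DisabledByDefault = $p.DisabledByDefault
            Ok                = ($p.Enabled -eq 1 -and $p.DisabledByDefault -eq 0)
        }
    }
}
Test-Tls12Registry | Select-Object Side, Enabled, DisabledByDefault, Ok | Format-Table -AutoSize
Write-Host "Backup written to $backup. Reboot for the change to take effect."
```

If a later change goes wrong, the exported .reg file is the one to import from the Registry Editor (File, Import), which restores the whole SCHANNEL branch to its state before the script ran.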

                                   

Note: This article cannot be used on Windows Server 2003 (IIS 6). Windows Server 2003 does not support the TLS 1.2 protocol.

Reverting Back

If you make a mistake or something just isn’t right, you can revert to your previous registry settings by opening the Registry Editor and importing the backup you made in step x.

                                  The trust relationship between this workstation and the primary domain failed Hyper-V Server

                                  The trust relationship between this workstation and the primary domain failed

When working with some Hyper-V servers that had been inactive for some time, we received the error shown in the screenshot: “The trust relationship between this workstation and the primary domain failed”.

The cause is that Active Directory does a lot more than simple user name and password storage. We found that a Hyper-V system that stays off for some time and is then turned on again can suffer this. The reason has to do with the way some applications use Active Directory. Take Exchange Server, for example. Exchange Server stores messages in a mailbox database residing on a mailbox server. However, this is the only significant data that is stored locally on Exchange Server. All of the Exchange Server configuration data is stored within Active Directory. In fact, it is possible to completely rebuild a failed Exchange Server from scratch (aside from the mailbox database) simply by making use of the configuration data that is stored in Active Directory.

The suggestion on some other blogs is simply to reset the computer account. To do so, open the Active Directory Users and Computers console and select the Computers container. Right-click the computer that you are having trouble with and select the Reset Account command from the shortcut menu, as shown in Figure 2. You will see a prompt asking if you are sure that you want to reset the computer account. Click Yes and the computer account will be reset.

This is perfectly safe to do, but is not likely to resolve the issue.

The Fix

1. Log into the server in question using a local (non-domain) administrator account.

2. Open PowerShell and run the command:

$credential = Get-Credential

(When prompted, enter the domain administrator account name and password.)

3. Then run the command, passing the credential you just captured:

Reset-ComputerMachinePassword -Server ClosestDomainControllerNameHere -Credential $credential

(Replace “ClosestDomainControllerNameHere” with the name of the closest domain controller in your AD domain, for example a DC in domain.com.)

After running this you should be able to log in with a domain account again.
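The same repair wrapped in a check, as an added example that is not part of the original post: it tests the secure channel first, resets the machine account password only if the channel is broken, and tests again afterwards. The domain controller name dc01.domain.com is a placeholder; run it on the affected server while logged in with a local account.

```powershell
# Added example (not part of the original post): checks the machine's secure channel to the domain
# before and after resetting the machine account password. 'dc01.domain.com' is a placeholder for
# the name of your closest domain controller.
$dc = 'dc01.domain.com'

# A domain account that is allowed to reset computer accounts (a domain admin, for example).
$credential = Get-Credential

if (Test-ComputerSecureChannel -Server $dc -Credential $credential) {
    Write-Host 'Secure channel to the domain is healthy; no reset needed.'
}
else {
    Write-Host "Secure channel is broken; resetting the machine account password against $dc ..."
    Reset-ComputerMachinePassword -Server $dc -Credential $credential

    # Confirm the repair before logging off.
    if (Test-ComputerSecureChannel -Server $dc -Credential $credential) {
        Write-Host 'Secure channel re-established; domain logons should work again.'
    }
    else {
        Write-Warning "Secure channel still broken. Check that $dc is reachable (DNS, firewall) and that the computer account exists and is enabled."
    }
}
```

Testing before resetting matters because a failed domain logon can have other causes (time skew, DNS pointing at a dead DC); if the secure channel is reported healthy, resetting the machine password will not help and the search should move elsewhere.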

                                  CRM 2015 Extend Auto Logout Time in IFD

CRM 2015 and CRM 2016 IFD will automatically log the user out with the message:

Your session in Microsoft Dynamics CRM is about to expire. To continue working, you must sign in again.

By default this timeout is 60 minutes, and the message pops up around 20 minutes before logout.

Any unsaved changes will be lost when your session ends.

                                   

                                  The Fix

To extend the automatic logout time in CRM 2015, we must extend the token lifetime set in AD FS 3.0 using a PowerShell command. First we need to know the name that was used to set up the Relying Party Trust in AD FS.

1. Open Server Manager and from the Tools menu select AD FS Management.

2. In AD FS Management, open Relying Party Trusts and find the Display Name of the CRM IFD Relying Party Trust.

In this case we called the Relying Party Trust “CRM IFD Relying Party”, as we keep things simple when we create things and use the exact name for the title of the trust. But really it could be anything. One distinguishing feature is that the trust’s URL identifier will match the URL shown in the browser window while you are logging in to your IFD CRM.

3. Start PowerShell.

4. Check that you have the correct name of the Relying Party Trust by typing the following command:

Get-ADFSRelyingPartyTrust -Name "relying_party"

Replace "relying_party" with the name you identified in step 2 above. In our case the command is:

Get-ADFSRelyingPartyTrust -Name "CRM IFD Relying Party"

If the name is correct, the command returns the trust’s properties (Name, Identifier, TokenLifetime and so on); if it returns nothing, the name does not match a trust.

5. Now type the command to set the time you want for auto logout:

Set-ADFSRelyingPartyTrust -TargetName "CRM IFD Relying Party" -TokenLifetime 720

(Again, replace "CRM IFD Relying Party" with the name used on your system.)

Note: The 720 is the time in minutes, 12 hours in this case. You can change the value up or down as you like.

6. Close PowerShell and you are done.
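Steps 4 and 5 combined into one script, as an added example that is not part of the original post: it looks the trust up by name, records the current token lifetime, applies the new one and reads it back. The trust name "CRM IFD Relying Party" and the 720-minute value are the ones used in this article; replace them with yours. It assumes the AD FS 3.0 PowerShell module is available on the server where it runs.

```powershell
# Added example (not from the original post): looks up the CRM IFD relying party trust, records
# its current token lifetime, sets the new value and reads it back to confirm the change.
$rpName     = 'CRM IFD Relying Party'   # display name used in this article; replace with yours
$newMinutes = 720                       # 12 hours, as in the article

# AD FS 3.0 cmdlets live in the Adfs module (AD FS 2.0 used the Microsoft.Adfs.PowerShell snap-in).
Import-Module Adfs -ErrorAction SilentlyContinue

$rp = Get-AdfsRelyingPartyTrust -Name $rpName
if (-not $rp) {
    # Wrong name: list every trust's display name and identifier so the right one can be picked.
    Get-AdfsRelyingPartyTrust | Select-Object Name, Identifier | Format-Table -AutoSize
    throw "Relying party trust '$rpName' not found; use one of the Names listed above."
}

# A TokenLifetime of 0 means the AD FS default applies (60 minutes, the behaviour described above).
Write-Host ("Current TokenLifetime for '{0}': {1} minutes" -f $rp.Name, $rp.TokenLifetime)

Set-AdfsRelyingPartyTrust -TargetName $rpName -TokenLifetime $newMinutes

$after = Get-AdfsRelyingPartyTrust -Name $rpName
if ($after.TokenLifetime -ne $newMinutes) {
    throw "TokenLifetime is $($after.TokenLifetime), expected $newMinutes."
}
Write-Host ("New TokenLifetime for '{0}': {1} minutes" -f $after.Name, $after.TokenLifetime)
```

The lifetime is a property of the relying party trust, not of CRM, so the change applies to every organisation that authenticates through that trust and takes effect for tokens issued from then on; sessions already open keep their old expiry.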

                                  CRM 2015 IFD Adding a New Organization Additional Steps

                                  Error when attempting to login to a New Organisation in CRM 2015 IFD

When attempting to log in to a newly configured Organisation you may receive an error looking like this:

An error occurred
An error occurred. Contact your administrator for more information.

• Activity ID: 00000000-0000-0000-1400-0080010000ff
• Error time: Sat, 28 Mar 2015 07:37:45 GMT

                                   

The Cause

Because IFD (Internet Facing Deployment) uses AD FS authentication, creating a new Organisation with the CRM Deployment Manager requires an additional step: the new Organisation has to be registered with the AD FS setup before logins will work.

Basically the error is saying that you have set up the org, but have not configured the authentication login settings in AD FS.

The Fix

1. Open AD FS Management.

2. Click AD FS / Trust Relationships / Relying Party Trusts and locate your CRM IFD Relying Party Trust associated with the IFD authentication.

3. Highlight it and select Update Federation Metadata.

4. Click Update.

And you are done!

You should now be able to log in to the CRM server without getting the error message, and with no need to reset IIS or any other services.
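The Update Federation Metadata step from PowerShell, as an added example that is not part of the original post: it refreshes the relying party trust from the federation metadata URL CRM publishes and then lists the trust's identifiers so you can confirm the new organisation's URL is now among them. The trust name is the one used on this site; the Adfs module is assumed to be present.

```powershell
# Added example (not part of the original post): the same action as 'Update Federation Metadata'
# in AD FS Management, followed by a check of what the trust now contains.
$rpName = 'CRM IFD Relying Party'   # display name used on this site; replace with yours
Import-Module Adfs -ErrorAction SilentlyContinue

$rp = Get-AdfsRelyingPartyTrust -Name $rpName
if (-not $rp) { throw "Relying party trust '$rpName' not found." }
if (-not $rp.MetadataUrl) {
    throw "Trust '$rpName' has no federation metadata URL (it was created manually), so it cannot be refreshed this way."
}
Write-Host ("Metadata URL : {0}" -f $rp.MetadataUrl)
Write-Host ("Last updated : {0}" -f $rp.LastUpdateTime)

# Pull the FederationMetadata.xml that CRM currently publishes and apply it to the trust.
Update-AdfsRelyingPartyTrust -TargetName $rpName

$after = Get-AdfsRelyingPartyTrust -Name $rpName
Write-Host ("Updated at   : {0}" -f $after.LastUpdateTime)

# Each organisation's URL appears as an identifier in CRM's metadata; the new org should be listed.
Write-Host 'Identifiers now registered on the trust:'
$after.Identifier | ForEach-Object { Write-Host "  $_" }
```

If the new organisation's URL is still missing after the update, the metadata CRM is publishing is stale, which points back at the Deployment Manager (Configure Internet-Facing Deployment) rather than at AD FS.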

                                   

                                   

                                   

                                  CRM 2015 Reporting Extension Setup Error The SQL Server Reporting Services account is a local user and is not supported

Error Message installing CRM 2015 Reporting Extensions

When installing Microsoft Dynamics CRM Reporting Extensions Setup you receive the error message “The SQL Server Reporting Services account is a local user and is not supported” during the System Checks.

In our instance this was with MS CRM 2015 and SQL 2014 on the same server in a test environment.

The Solution

The fix is easy.

1. Open SQL Server 2014 Reporting Services Configuration Manager.

2. Connect to your server.

3. Select Service Account.

4. Select the Local System account and apply, with the appropriate security levels.

That’s about it. Run the setup process again and you should be good to go.

                                  Windows 2012 Turn off Password Complexity

How to disable (turn off) the default Windows 2012 administrator password complexity requirement

1. Open Administrative Tools.

2. This places you in the Administrative Tools section. Select Local Security Policy.

3. Change the “Password must meet complexity requirements” option to Disabled.

In a domain environment, for an Active Directory domain server:

• In Server Manager click Tools and from the drop-down click Group Policy Management.
• Expand Forest >> Domains >> your domain.
• Right-click the Default Domain Policy and click Edit from the context menu.
• Now expand Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Account Policies -> Password Policy.
• Double-click the “Password must meet complexity requirements” option in the right pane.
• Select Disabled under “Define this policy setting”.
• Click Apply, then OK all the way out, and close the GPO window.
• To refresh the policy, type “gpupdate /force” in a CMD window and press Enter.
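A way to confirm which password policy is actually in effect on the server after either procedure, as an added example that is not part of the original post: it exports the applied security policy with secedit.exe (which ships with Windows) and reads the Password Policy values from the [System Access] section. The scratch file location under %TEMP% is an assumption; run it from an elevated prompt, after gpupdate /force in the domain case.

```powershell
# Added example (not part of the original post): reads the effective Password Policy values so the
# change made above (locally, or via the Default Domain Policy) can be verified on the server.
function Get-LocalPasswordPolicy {
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'   # scratch location; an assumption
    # secedit writes the applied security policy as an INI-style file; the values we want
    # live in its [System Access] section as Name = Value lines.
    secedit.exe /export /cfg $cfg /quiet | Out-Null
    try {
        $policy = @{}
        foreach ($line in Get-Content $cfg) {
            if ($line -match '^\s*(PasswordComplexity|MinimumPasswordLength|PasswordHistorySize|MaximumPasswordAge)\s*=\s*(-?\d+)') {
                $policy[$Matches[1]] = [int]$Matches[2]
            }
        }
        if (-not $policy.ContainsKey('PasswordComplexity')) {
            throw 'PasswordComplexity was not found in the exported policy.'
        }
        return $policy
    }
    finally {
        Remove-Item $cfg -ErrorAction SilentlyContinue
    }
}

$p = Get-LocalPasswordPolicy
'Password must meet complexity requirements: ' + $(if ($p.PasswordComplexity -eq 1) { 'Enabled' } else { 'Disabled' })
"Minimum password length : $($p.MinimumPasswordLength)"
"Password history        : $($p.PasswordHistorySize) remembered"
"Maximum password age    : $($p.MaximumPasswordAge) days (-1 = never expires)"
```

On a domain member the exported values are the result of the Default Domain Policy, so if complexity still shows as Enabled after the GPO change, the policy has not refreshed yet or another GPO with higher precedence is setting it.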

                                  Windows 2012 R2 Remote Desktop Enabled Cannot RDP Connect

                                  Windows 2012 RDP Remote Desktop Enabled but you Cannot Connect

You find that after you enable the Windows 2012 RDP / Remote Desktop feature to allow you to remote desktop into your new server, you are still unable to connect to the server.

The Cause

By default on new installs of Windows 2012 R2 the inbound firewall rule “Remote Desktop – User Mode (TCP-In)” is not enabled, so the Windows Firewall blocks Remote Desktop traffic even though the feature is turned on.

The Fix

Enable the rule that permits access through the Windows Firewall.

1. Search for Firewall and open “Windows Firewall with Advanced Security”.

2. Under Inbound Rules, find the rule “Remote Desktop – User Mode (TCP-In)” and choose Enable Rule.
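The same fix from PowerShell, as an added example that is not part of the original post: it shows the state of the Remote Desktop rule group, enables the TCP rule named above, and then checks the two things that together make RDP reachable, the rule and the listener on port 3389. Run it in an elevated PowerShell session on Windows Server 2012 R2, where the rule display name is as shown.

```powershell
# Added example (not part of the original post): enables the inbound Remote Desktop firewall rule
# and verifies both the rule and the RDP listener.
Import-Module NetSecurity -ErrorAction SilentlyContinue

$ruleName = 'Remote Desktop - User Mode (TCP-In)'   # display name on Windows Server 2012 R2

# Inspect the whole Remote Desktop rule group before changing anything.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Select-Object DisplayName, Enabled, Direction, Profile | Format-Table -AutoSize

# Enable just the rule the article names.
Enable-NetFirewallRule -DisplayName $ruleName

# Check 1: the rule is now enabled.
$rule = Get-NetFirewallRule -DisplayName $ruleName
"Firewall rule '$ruleName' enabled: $($rule.Enabled)"

# Check 2: Remote Desktop itself is switched on (fDenyTSConnections = 0) and the service is listening.
$ts = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
"Remote Desktop connections allowed: $($ts.fDenyTSConnections -eq 0)"
$listener = Get-NetTCPConnection -State Listen -LocalPort 3389 -ErrorAction SilentlyContinue
if ($listener) { 'RDP listener on TCP 3389: present' } else { 'RDP listener on TCP 3389: not found' }
```

Enabling the rule by its display name rather than the whole group keeps the UDP and Shadow rules in whatever state they were, which is the narrower change and the one the article describes.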

                                  Enabling Replication Failed The System Cannot Find the Path Specified Hyper-V

                                  Enabling Replication Failed The System Cannot Find the Path Specified Hyper-V

While trying to replicate a Hyper-V virtual machine you receive the following error:

Enabling replication failed

Hyper-V failed to enable replication for virtual machine “Machine Name”: The system cannot find the path specified. (0x80070003). (Virtual machine ID “ID Number”)

Cause

The likely cause is that the path set in the replication (receiving) server’s replication settings has been removed.

In Hyper-V Settings on the receiving (Replica) server, click “Replication Configuration” and look under “Enable this computer as a Replica server”.

The Fix

Browse to the directory defined under “Specify the default location to store Replica files” and ensure that the path is valid.

The likely cause is that the folder defined here was removed and needs to be recreated or redefined. This can happen when you are cleaning shop.
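A check for this condition, as an added example that is not part of the original post: run on the Replica (receiving) server, it reads the default replica storage location and any per-primary-server authorization entries that override it, tests that each path exists, and recreates a missing folder. It assumes the Hyper-V PowerShell module is installed on that host.

```powershell
# Added example (not part of the original post): verifies the Replica server's storage paths,
# the ones a missing folder turns into error 0x80070003 (ERROR_PATH_NOT_FOUND) at enable time.
Import-Module Hyper-V

$cfg = Get-VMReplicationServer
if (-not $cfg.ReplicationEnabled) {
    throw 'This host is not configured as a Replica server (Hyper-V Settings > Replication Configuration).'
}

# Default location plus any per-primary-server override locations.
$paths = @($cfg.DefaultStorageLocation) +
         @(Get-VMReplicationAuthorizationEntry | ForEach-Object { $_.ReplicaStorageLocation })

foreach ($p in ($paths | Where-Object { $_ } | Sort-Object -Unique)) {
    if (Test-Path -LiteralPath $p) {
        "OK       $p"
        continue
    }
    "MISSING  $p"
    # Recreate the folder that was cleaned up. If the volume itself is gone, New-Item fails and the
    # location must instead be changed in Hyper-V Settings, as described above.
    New-Item -ItemType Directory -Path $p -Force | Out-Null
    "CREATED  $p"
}
```

Checking the authorization entries as well as the default matters because a primary server that has its own entry uses that entry's ReplicaStorageLocation, so fixing only the default path can leave that particular VM failing with the same error.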

                                   

                                   

                                  Microsoft CRM 2011 Exception message: ID4175: The issuer of the security token was not recognized by the IssuerNameRegistry

                                  Error

                                  When attempting to login to an IFD (Internet Facing Deployment of CRM) you receive this error:

                                  Event code: 3005 Event message: An unhandled exception has occurred. Event time: 10/06/2014 1:54:52 AM Event time (UTC): 9/06/2014 3:54:52 PM Event ID: 6da606a9a6794c2a8f504cc6b8b3be3e Event sequence: 2 Event occurrence: 1 Event detail code: 0  Application information:     Application domain: /LM/W3SVC/2/ROOT-1-130468028783689054     Trust level: Full     Application Virtual Path: /     Application Path: C:\Program Files\Microsoft Dynamics CRM\CRMWeb\     Machine name: VSERVER08  Process information:     Process ID: 1540     Process name: w3wp.exe     Account name: NT AUTHORITY\NETWORK SERVICE  Exception information:     Exception type: SecurityTokenException     Exception message: ID4175: The issuer of the security token was not recognized by the IssuerNameRegistry. To accept security tokens from this issuer, configure the IssuerNameRegistry to return a valid name for this issuer.   at Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.CreateClaims(SamlSecurityToken samlSecurityToken)   at Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.ValidateToken(SecurityToken token)   at Microsoft.IdentityModel.Tokens.SecurityTokenHandlerCollection.ValidateToken(SecurityToken token)   at Microsoft.IdentityModel.Web.TokenReceiver.AuthenticateToken(SecurityToken token, Boolean ensureBearerToken, String endpointUri)   at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequest request)   at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)   at Microsoft.Crm.Authentication.Claims.CrmFederatedAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)   at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
                                    Request information:     Request URL: https://auth.interactivewebs.com:444/default.aspx     Request path: /default.aspx     User host address: 101.164.212.248     User:      Is authenticated: False     Authentication Type:      Thread account name: NT AUTHORITY\NETWORK SERVICE  Thread information:     Thread ID: 8     Thread account name: NT AUTHORITY\NETWORK SERVICE     Is impersonating: True     Stack trace:    at Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.CreateClaims(SamlSecurityToken samlSecurityToken)   at Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler.ValidateToken(SecurityToken token)   at Microsoft.IdentityModel.Tokens.SecurityTokenHandlerCollection.ValidateToken(SecurityToken token)   at Microsoft.IdentityModel.Web.TokenReceiver.AuthenticateToken(SecurityToken token, Boolean ensureBearerToken, String endpointUri)   at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequest request)   at Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)   at Microsoft.Crm.Authentication.Claims.CrmFederatedAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)   at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()   at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)  Custom event details: 

The Problem

For reasons we did not identify, the AD FS authentication is failing and needs to be reset.

Solution:

Run the Deployment Manager with the same certificate

These instructions are the last part of the instructions we created for updating an out-of-date SSL certificate used in an IFD deployment. Basically we follow the same instructions but skip the step of replacing the SSL certificate with a new one: we just run the deployment again against the same certificate.

1. Run the CRM Deployment Manager.

2. Run Configure Claims-Based Authentication.

Select the default settings, which should be the defaults from your IFD setup.

But when you get to the Certificate page, you need to select the certificate to use: the new one if you imported one in the steps above, otherwise the existing one. It should be visible in the list.

3. Run the Configure Internet-Facing Deployment action and just step through it with the default settings.

4. Restart the AD FS 2.0 Windows service.

Configure AD FS

Set the Service Communications Certificate

1. Start AD FS 2.0 Management.

2. Expand Certificates and select Set Service Communications Certificate.

3. Select the certificate, which will be listed here.

Update Relying Party Trusts

1. From AD FS 2.0 Management, select your relying party trusts and update each one from its federation metadata, one by one.

Update both trusts listed. They will likely show a red cross before you do this.

Restart Services

Restart the AD FS service, and restart IIS the usual way.

And you should be done. Log in to your CRM IFD again and enjoy.
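A diagnostic for this error, as an added example that is not part of the original post. One cause of ID4175 is a mismatch between the certificate AD FS signs tokens with and the issuer thumbprints the CRM web application trusts: the WIF configuration CRM 2011 uses keeps a list of trusted issuer thumbprints, and after an AD FS certificate rollover every login fails with ID4175 until Configure Claims-Based Authentication is re-run. The script compares the two lists. The CRM path is the Application Path from the event log above and the issuerNameRegistry element layout is the standard WIF one; both are assumptions about your server, and the script expects to run where both the ADFS module and the CRM web.config are available.

```powershell
# Added example (not part of the original post): compares AD FS token-signing certificate
# thumbprints with the trusted issuer thumbprints in CRM's web.config.
Import-Module Adfs -ErrorAction SilentlyContinue

# Application Path from the event log above plus web.config; adjust if CRM is installed elsewhere.
$crmWebConfig = 'C:\Program Files\Microsoft Dynamics CRM\CRMWeb\web.config'

# Thumbprints AD FS uses now (Primary) or will switch to (Secondary) for token signing.
$adfsThumbs = @(Get-AdfsCertificate -CertificateType Token-Signing |
    ForEach-Object { $_.Thumbprint.ToUpperInvariant() })

# Thumbprints CRM trusts. Assumed WIF layout:
#   <issuerNameRegistry type="..."><trustedIssuers><add thumbprint="..." name="..."/></trustedIssuers></issuerNameRegistry>
[xml]$cfg = Get-Content -LiteralPath $crmWebConfig
$trusted = @($cfg.SelectNodes('//issuerNameRegistry/trustedIssuers/add') |
    ForEach-Object { $_.thumbprint.ToUpperInvariant() })

"AD FS token-signing : $($adfsThumbs -join ', ')"
"CRM trusted issuers : $($trusted -join ', ')"

$missing = @($adfsThumbs | Where-Object { $trusted -notcontains $_ })
if ($missing.Count -gt 0) {
    Write-Warning ("AD FS certificate(s) not trusted by CRM: {0}. Re-run Configure Claims-Based Authentication in Deployment Manager (step 2 above)." -f ($missing -join ', '))
}
else {
    'Every AD FS token-signing certificate is trusted by CRM; ID4175 has another cause here.'
}
```

Checking the Secondary certificate as well as the Primary is deliberate: AD FS auto-rollover promotes the secondary certificate on a schedule, so a trust list that only knows the current primary will break on the day of the switch.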

                                   

Adding .OTF Fonts to IIS MIME Types for DNN DotNetNuke

                                  Making .OTF Font work in DotNetNuke DNN Skin

To get a DotNetNuke (DNN) site to correctly serve .OTF fonts, it is necessary to add a MIME type to IIS.

Making this change is easy.

• In IIS Manager, click on the server name, then double-click MIME Types.

• Add a new MIME type: file name extension .otf, MIME type font/otf.

That’s it.

For good measure you could restart IIS from a command prompt with “IISRESET”.
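The same change scripted, as an added example that is not part of the original post: it adds the .otf mapping at the server level through the WebAdministration module, skips the add when the extension already exists (IIS rejects duplicate extensions with an error), and reads the mapping back. It assumes IIS 7 or later with the WebAdministration module available, and an elevated PowerShell session.

```powershell
# Added example (not part of the original post): adds the .otf MIME type in applicationHost.config
# (server level, the same scope as clicking the server name in IIS Manager) and verifies it.
Import-Module WebAdministration

$ext    = '.otf'
$mime   = 'font/otf'
$psPath = 'MACHINE/WEBROOT/APPHOST'              # server-wide configuration
$filter = 'system.webServer/staticContent'

function Get-IisMimeType([string]$Extension) {
    Get-WebConfigurationProperty -PSPath $psPath -Filter $filter -Name Collection |
        Where-Object { $_.fileExtension -eq $Extension }
}

$existing = Get-IisMimeType $ext
if ($existing) {
    "Already present: $($existing.fileExtension) -> $($existing.mimeType)"
}
else {
    Add-WebConfigurationProperty -PSPath $psPath -Filter $filter -Name '.' `
        -Value @{ fileExtension = $ext; mimeType = $mime }
    "Added: $ext -> $mime"
}

# Verify. Without a mapping, IIS answers requests for the extension with HTTP 404.3 instead of the file.
$check = Get-IisMimeType $ext
if ($check.mimeType -ne $mime) {
    throw "MIME type for $ext is '$($check.mimeType)', expected '$mime'."
}
"Verified: $ext -> $($check.mimeType)"
```

Adding the mapping at the server level covers every site on the box; if only the DNN site should serve .otf files, pass the site's path (for example IIS:\Sites\DNN) as -PSPath instead and the entry lands in that site's web.config.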