Meraki VPN Client Issues

Not sure what's up with Meraki and the native Windows 10 VPN, but there are weird issues that seem to occur.

A couple of fixes I found to work:

Not really a "fix", but reset the account password on the Meraki site > Network-wide > Configure > Users page (and don't forget the save the change).  This is a weird one, because when I originally create an account, the password is set and emailed out, but yet the password is incorrect.  Not sure if this is a browser-related issue or on their back-end, either way this has happened to me five times now of the last couple years.

This was something I found today, starting the old school app at the command line.
C:\Windows\System32\rasphone.exe -d “connection-name”
And you may need to run it a second time, as I've had it fail to find the path the first time.  And should it connect properly, the "new" Windows 10 way of connecting from the network icon should work after that.
~ And a shout out to Phil Eddies for this last one.

Resetting a Lost Windows Password

So, you need to get into an old Windows system with a forgotten password, or perhaps you're helping out a hapless friend.

Luckily all you need is a bootable Windows disk, preferably Windows 7 or newer.

Note: If this is an encrypted system, you are likely hosed.

There's only a handful of steps to get you logged back in...

1. Once booted into the Install screen, choose Repair my computer

2. Choose Open a Command Window

3. Find the drive that contains Windows, usually C: or D:

4. cd to Windows\System32, then you need two commands

5. copy Utilman.exe \  (this is to preserve the file if you to restore it later)

6. copy Cmd.exe Utilman.exe  (Overwrite confirm: Yes)

7. Exit and Reboot

8. On login screen, click the accessibility app (now Cmd.exe)

9. Reset the administrator password:  net user administrator YourCoolP@ssword

10. Enable the administrator account:  net user administrator /active: yes

11. Now go to the login prompt (may need to choose Other User), and enter .\administrator (to use the local administrator account) and your newly reset password.

12. High-fives all around!

Windows Broken Program Installs

We've all been there, not able to install, update, or remove a program because there is something else installed that is damaged or didn't properly clean up after itself.

That happened to me again recently with a Visual C++ Runtime, but this time I found this little updated gem from Microsoft.

It removes corrupted Registry entries, errant file entries in Programs and Features, plus I'm sure more they don't even mention.

Using Diskpart for a Bootable USB

Q: How many systems come with CD or DVD drives these days?

A: Close to nil.

If you need to create a bootable USB drive, Diskpart can get the job done for you. You can then dump whatever it is you need to run onto the remainder of the free space.

1. Open a Cmd window as Administrator
2. Run diskpart
3. Type list disk, this will show which one is your USB drive
4. Type select disk # where # is the USB drive from Step 3
5. Type clean, hit enter
6. Type create part pri + enter, then select part 1 + enter
7. Type format fs=ntfs quick + enter (for UEFI systems, use format fs=fat32 quick)
8. Type active + enter, then exit.
9. Optional: Copy your files onto the USB drive, i.e. the contents of an ISO

Someone is currently logged into the APC

Time was APC was the Cadillac of the power management world. But in my opinion, as with many vendors they're not keeping up with the times. Case in point our APC AP7990 PDUs. We're no longer able to use any modern browser to manage them. And when we use an older browser, we've been getting "Someone is currently logged into the APC Management Web Server." when attempting to login, because it's not resetting the session when disconnecting.

Logging into the terminal and back out to reset the web interface fixes this, but if you're doing that securely as you should with SSH, not Telnet, using PuTTY, you get an error message "Received SSH2_MSG_CHANNEL_SUCCESS for nonexistent channel 65536". To get around that try using a Linux or BSD-based system to SSH to the PDU, although that resulted in a "Broken pipe" error at times...

Unfortunately the heart of the matter is their products, like many manufactures' devices are using old, broken security protocols, ciphers and versions of Java, with no hope of ever being updated. And now with all modern browsers and JVM security settings at all-time high, they block access to these remote management web interfaces. Truly a frustrating development since there is no way to push manufacturers to update what should amount to a simple fix (if they have sensible software dev practices). I don't expect companies to support products forever the way Microsoft does, but when their products become completely unmanageable because of far-reaching, widely-known security flaws in Bash, OpenSSH, SSL and Java, they should be on the hook to spend a few cycles on helping the people who buy their products. (Okay, off my soapbox.)

And by all means, click Log Off when using the APC PDU web interface.

Ifconfig: command not found

CentOS, say it isn't so! Having just done the minimal install of CentOS 7 as a VM, I wanted to install VMware tools. I thought I installed all the prerequisites when the script halted at "Setup is unable to find the "ifconfig" program on your machine."

I ended the script and incredulously ran the ifconfig command, thinking it had to be wrong, but it's no longer included. The ip command has now taken over networking duties, but the VMware script didn't care. I ran yum provides ipconfig, but no love: "No package ifconfig available". A couple of web searches later and I found the package I needed to bring it back...

# yum install net-tools

BTW, don't be surprised if Fedora and RHEL (and it's other offspring) are missing ifconfig as well.

Developer Cannot Be Confirmed

I bought a new camera recently and decided I needed the "old" version of Photoshop I had lying around on my MacBook so I could salvage pics taken with my n00btastic photo skills. So as any reasonable person would do, I installed and then attempted to update Photoshop with the latest available patch from Adobe.

Finding the correct patch on Adobe's site wasn't exactly intuitive, which is surprising from a company that specializes in making software for the web, anyway I digress. Once the patch was downloaded, it wouldn't install. "AdobePhotoshop12-4-mul-AdobeUpdate.dmg can't be opened because the identity of the developer cannot be confirmed." Seems hard to believe, and I'm not sure who's to blame here, but after some searching it seems there are a number of rather large companies, i.e. Oracle, that have the same issue. (Either devs are signing their apps incorrectly or Apple released a patch/update breaking the previous verification mechanism.)

In any case, if you trust the developer, this can be overruled with a few clicks and your password:

System Preferences > Security & Privacy > General tab and you will see "App in question" was blocked from opening because the identity of the developer cannot be confirmed.

Click the button to allow anyway and enter your password, the app should start installing immediately.

Disabling the Yum RHN Plugin

Due to the sheer number of RHEL installs we have on our network it was time to have our own Yum repo. The setup was fairly straightforward and their are many useful articles available.

Once setup and configured, testing began; both the new test systems worked perfectly. But apparently it was too soon to start slapping myself on the back, because systems already registered with RHN would error out once I removed their subscription, rather than use the local repo.

"There was an error communicating with RHN.
RHN Satellite or RHN Classic support will be disabled.
Error communicating with server. The message was:
Error Message:
        Please run rhn_register as root on this client
Error Class Code: 9
Error Class Info: Invalid System Credentials."

I did many an Internet search only to find numerous suggestions that didn't fix the problem. It wasn't until I looked at the man page for yum.conf did I see the answer. The related files portion at the bottom listed a number of other files, the important one under /etc/yum/pluginconf.d the rhnplugin.conf file. Setting it to enabled=0 stops the plugin from being used and voilà, the local repo was working. With each of these, I also follow up with a yum clean all just to be sure it's a fresh start.

Excel Closing Slowly

Excel seemed to open fast enough for someone in our accounting department, but its closing was glacial.

I removed all Add-ins (File > Options > Add-Ins) and even started it in Safe Mode (Run... excel /s), but it still lagged on close.

Not surprising, Excel has a default template like Word's Normal.dot named ExcelXX.xlb, XX being the version number of Excel, in this case it's 2010 which is version 12.

Once Excel12.xlb was renamed in C:\Users\%username%\AppData\Roaming\Microsoft\Excel, the file was regenerated upon start starting Excel and from then on, it closed without hesitation.

For further troubleshooting steps, visit the overlords at Microsoft.

Testing an External NTP Server

First off, NTP uses port 123. That was the first thing I checked when trying to telnet to one of the pool.ntp.org servers. Seems most NTP server ignore the telnet command.

Then I thought I'd use net time, but it has been deprecated in Windows 7 in favor of the newer w32tm command.

There's a litany of switches to use with it, but the /monitor /computers:server are the ones you want.

And using the command: c:\w32tm /monitor /computers:time.nist.gov
You will get the following output, showing it works:

time.nist.gov[64.250.177.145:123]:
    ICMP: 59ms delay
    NTP: -0.1402919s offset from local clock
        RefID: 'ACTS' [0x53544341]
        Stratum: 1

You can find a huge amount of popular public NTP servers at NTP.org

Finding a Linux Application Version

During a recent Wordpress installation endeavor, I needed to confirm I had the correct versions of Apache, PHP, etc., and didn't exactly know how to accomplish that. As with many things in the computer world, there are many ways to skin a cat...

This example uses Apache, which is httpd as a service (daemon in Linux-speak).

Add -v to the binary (or -V depending on the app), and this doesn't work for everything.

[root@spidey ~]# httpd -v

Server version: Apache/2.2.15 (Unix)

Server built:   Feb  7 2012 09:50:11

Use which to locate the full path of a command

[root@spidey ~]# which httpd

/usr/sbin/httpd

Use whereis to locate the binary, source and man pages

[root@spidey ~]# whereis httpd

httpd: /usr/sbin/httpd /usr/sbin/httpd.event /usr/sbin/httpd.worker /etc/httpd /usr/lib64/httpd /usr/share/man/man8/httpd.8.gz

Querying the installed package by using rpm -q

[root@spidey ~]# rpm -q httpd

httpd-2.2.15-15.el6_2.1.x86_64

You can do a locate to see everywhere on the system httpd shows up

[root@spidey ~]# locate httpd

/etc/httpd

/etc/httpd/conf

/etc/httpd/conf.d

/etc/httpd/logs

...

Or a find with -name

[root@spidey ~]# find / -name httpd
/etc/httpd
/etc/rc.d/init.d/httpd
/etc/sysconfig/httpd
/etc/logrotate.d/httpd
...

And yes, I did have the correct version :)

FATAL: Pppd is not setuid-root

We've been rolling out shiny new MacBooks lately along with the SonicWALL SSL-VPN NetExtender client. Little did we know that some of the MacOS X connections were going to fail. Luckily the error message pointed the way: "FATAL: Pppd is not setuid-root and the invoking user is not root."

It seems the later versions of Mac OS X (10.6+) don't allow the setuid flag to be set on PPPD.

You can fix this by getting your bash on.

1. Open Terminal (Applications > Utilities > Terminal)


2. Type: sudo chmod u+s /usr/sbin/pppd and hit Enter


3. Type the user’s password and hit Enter


4. Now connect and get to work :)

Setting Google Chrome as your Default Mail Client

Want Google Chrome to handle all of your mail links or perhaps calendar requests? Or stop Chrome from taking those requests?

Go to the Settings subpage for the handlers: chrome://chrome/settings/handlers

More info can be found here.

Removing the U3 Partition from a Flash Drive

I find most extra software bundled with hardware unnecessary and usually annoying; U3 luckily is both.

After attempts to format, fdisk /mbr, diskpart clean, etc. all failed. I did some poking around and found the uninstaller is bundled with the startup app, clever...

1. Insert your U3 flash drive  and Launch the U3 application.


2. Click on the U3 Launchpad Settings


3. Click the Uninstall tab on the Settings menu (all windows and files accessed from the flash drive must be closed).


4. Finally, click Uninstall U3 Launchpad

That's it, no more pop-ups and annoying software.

Resetting a Verizon MiFi 2200

A recently returned Verizon MiFi 2200 was found to have been reset by the user, with now-forgotten settings. Luckily the reset is easy...

1. Power on the MiFi (if it isn't already).


2. Take off the back cover and depress the reset button with a paperclip or similar (look for a hole labelled RESET in one of the corners).


3. Hold the button in until the status LED turns green, then blinks once (this can take up to ten seconds).


4. Let it go and then you'll find the SSID listed on the back in your available wireless networks (typically Verizon MIFI4510L XXXX).

Dell Latitude Unknown Data Interface Driver

Installing a system from scratch can be a bear when it comes to finding device drivers, especially when the device in question doesn't have a manufacturer, model or even name associated with it. The latest install in which I had to deal with this was a Dell Latitude D430, but this device seems common to other D-Series Latitudes like the D620.

It's listed in the Device Manager simply as Data Interface with the typical unknown icon, and there were two of them. Digging further into the details of the device yielded the Hardware ID values below.

USB\VID_413C&PID_8114&MI_00\7&24B185B&0&0000
USB\VID_413C&PID_8114&MI_01\7&24B185B&0&0001

Turns out these are for the Verizon cellular modem card and drivers are readily available from Dell, under Technical Support, with your trusty Service Tag. I found the Verizon WWAN Card driver under the Communications heading (as VZW Mobile Broadband).

Removing Remote Desktop Login Wallpaper

This annoyance has popped up off and on for years. You initiate a Remote Desktop connection to a system over VPN and the login screen has a large bitmap image causing it to draw and redraw while you wait.

This is typical for Windows Storage Server 2003 on Dell hardware. Unfortunately there isn't a GUI setting for this, so it 's just better to search for the file and delete or rename it. In this case it's: C:\Windows\System32\dellwall.bmp which is 3MB, no wonder it takes time to draw over a slower connection.

Locked Out of Track-It! Admin Console

Great! The only one in with admin privileges on Track-It! is no longer with the company. If you have access to the server and the Track-It! MS SQL database you're in luck.

• Log into the Track-It! server and fire up the MS SQL Management Studio


• Drill down under "Server" > Databases > TRACKITX > Tables


• Find dbo.STAF, right-click and choose Open Table


• Choose a username you wish to give administrative access to, scroll to the right to the SECPOLICYID column and change the entry to the number 2.


• Close the table and Management Studio.


• Log out of Track-It! and back in, now you have access to the Administration Console.

Cisco ASA 5505 Initial Configuration Commands

One thing I can say about the Startup Wizard in the Cisco ASA 5505, is that it would be kicked out of Hogwarts. Lame joke sure, but so is Cisco for selling something so complex to small businesses. What my customer of eight employees needs is a firewall with the robust dependability of a Cisco PIX with the simplicity of a Linksys. Seems like a no brainer, but since the 2003 purchase, I don't think Cisco hasn't done anything even close. Enough of my rant...

Some of the Startup Wizard went okay (like changing the external IP and enable password only), but when it came to changing the inside network, it hung a number of times, once for over 30 minutes, before I turned it off. Turned out I needed to actually change the internal IP address via the command line, but not before wiping out DHCP, because that locks the internal subnet from being changed. Oh yeah, don't forget to change the subnet from which you can access the internal web server, otherwise you're locked out of that as well. And yes, I attempted to do this via the ASDM, but it hung every time I tried to change the internal IP address. Sorry, I guess my ranting wasn't done.

Below are the commands I used to complete the above tasks...

Note: All of these require you to be logged into the "enable" account, i.e. type enable at the command-line in your terminal window and enter the password

Turn DHCP off:
ciscoasa# config term
ciscoasa(config)# no dhcpd enable inside

Updating your internal IP address/subnet (assuming it's VLAN 1)
ciscoasa# config term
ciscoasa(config)# interface Vlan 1
ciscoasa(config-if)# ip address 10.0.1.1 255.255.255.0
ciscoasa(config-if)# no shut

Adding an outside route (your gateway address (and why isn't this in the wizard?!?!))
ciscoasa# config term
ciscoasa(config)# route outside 0.0.0.0 0.0.0.0 76.176.56.86 1

Update access to the ADSM (so you can reach it from your new network listed above)
ciscoasa# config term
ciscoasa(config)# http 10.0.1.0 255.255.255.0 inside
ciscoasa(config)# exit
ciscoasa# show run | include http
http 10.0.1.0 255.255.255.0 inside (this shows your new network has access)
http 192.168.1.0 255.255.255.0 inside

Turn on DHCP and configure for use
ciscoasa# config term
ciscoasa(config)# dhcpd address 10.0.1.201-10.0.1.240 inside
ciscoasa(config)# dhcpd dns 10.0.1.10 10.0.1.11
ciscoasa(config)# dhcpd wins 10.0.1.10
ciscoasa(config)# dhcpd lease 3000
ciscoasa(config)# dhcpd domain contoso.com
ciscoasa(config)# dhcpd enable inside

Write running config to flash (saving all of your changes)
ciscoasa# write memory

Restarting your Cisco ASA from command line
ciscoasa# reload noconfirm

Should you post any questions, I'll be happy to try and help, but I can't promise anything...

Adding Windows XP Media Center to a Domain

During another domain migration yesterday, I came across a Windows XP Media Center PC in the workplace. This is certainly common with small companies, especially when they're bootstrapping. You buy what you can afford and that usually means Home and Media editions of Windows. Those work great for a small network, but of course can't be added to a domain, at least Home can't. Luckily Windows XP Media Center can be hacked into joining a domain, because unlike XP Home Edition, it won't upgrade to XP Professional.

So here's the hack:

1. If you haven't already, install the Windows Recovery Console (you'll need your Windows XP disk for this)


2. Boot into the Microsoft Windows Recovery Console when prompted
   
   
   
   1. Select the proper OS (usually 1) and enter the Administrator password (if prompted)
   
   
   
   


3. Copy the SYSTEM registry hive to C:\ copy c:\windows\system32\config\SYSTEM c:\


4. Type exit and boot into your Windows XP Media Center system as an administrator


5. Open Registry Editor (Start > Run... type regedit, click OK
   
   
   
   1. Highlight HKEY_LOCAL_MACHINE
   
   
   2. Click File > Load Hive...
   
   
   3. Browse and select C:\SYSTEM
   
   
   4. Enter your PC-name or anything really
   
   
   5. Drill down to HKEY_LOCAL_MACHINE\PC-name\WPA\MedCtrUpg
   
   
   6. Change the IsLegacyMCE key in the right pane to the number 1 (default is 0)
   
   
   7. Highlight the PC-name under HKEY_LOCAL_MACHINE and click File > Unload Hive..., click Yes
   
   
   
   


6. Reboot into the Microsoft Windows Recovery Console as in step 2
   
   
   
   1. Copy the SYSTEM registry hive back copy c:\SYSTEM c:\winsows\system32\config\system enter Y to overwrite
   
   
   2. Rename the old SYSTEM hive on C:\ ren c:\SYSTEM SYSTEM_old
   
   
   3. Type exit and reboot back into your Windows XP Media Center system as an administrator
   
   
   
   


7. Now you should be able to add the system to the domain


8. Optional: delete c:\SYSTEM_old and change the boot selection time from 30 seconds to 2 or 3 (now that the Recovery Console has been added)

Thanks to Aaron Tiensivu, who's article helped me yesterday. I decided to make an abridged post here since I'm getting annoyed at having to find this hack every time.