Bypass CredSSP to regain RDP access

In my line of work RDP is an essential tool. Take it away and you might as well have cut off one of my arms.

And so it was this morning where after my Windows 10 machine (running the latest 1803 build) applied updates overnight, all my attempts at RDP-ing to systems presented me with this:


An authentication error has occurred.
The function requested is not supported
Remote computer: blah.contoso.com
This could be due to CredSSP encryption oracle remediation.
For more information, see https://go.microsoft.com/fwlink/?linkid=866660

You can read more about it here:


Auto-shutdown an unused SBA

I’m encountering a growing number of customers upgrading and centralising their Skype for Business infrastructure, and as part of that they’re decommissioning their Survivable Branch Appliances.

At some stage I’ll be asked how they can turn off the SBA, which in the case of the Sonus/Ribbon SBAs is running on a daughter-board inside the appliance (known as the Application Solutions Module or “ASM”). It’s possible to start and stop the SBA from the SBC’s admin interface, but not to turn it off “for good”. Having shut it down, the next time the appliance is power-cycled the daughter-board will spring back to life.

There’s always the option to crack open the box and fish the ASM out, but you’re heading into murky unsupported territory – and you might not want the outage or the pain of wrangling a heavy SBC2k out of its spaghetti mess in the rack and back in again.

PowerShell to the rescue!

Here’s a quick and simple chunk of PowerShell to create a Scheduled Task that automatically shuts the machine down 5 minutes after it powers up. The 5 minutes gives you a chance to log in and issue the “shutdown /a” command to cancel said shutdown and disable the Task should you actually wish to use the machine for something.


Compare-Objects.ps1

Hands up if you’ve tried to compare 2 objects of some type to see what – if any – differences there are between them?

I tried and gave up. PowerShell’s native “Compare-Object” isn’t very helpful. It will tell you IF there’s a difference, but it’s not particularly forthcoming.

Born of that experience comes “Compare-Objects.ps1”. You might see some similarities here with two of my other scripts (Compare-PkiCertificates & Update-SfbCertificate.ps1) as the comparison engine is essentially the same between them.

Feed this script the “type” of the object and the names of two of them, and it will present a tabular comparison, highlighting all those attributes that differ.

All of these formats are valid input examples:

Compare-Objects.ps1 -type csuser -object1 "greig" -object2 "jessica"
Compare-Objects.ps1 -type csuser -object1 greig -object2 jessica
Compare-Objects.ps1 get-csuser greig jessica

Armed with the above input the script performs two “get-” commands to query the objects, then feeds the results into the differencing engine. The “get-” is implied in the command-line input, and the script will cope fine if you absent-mindedly include it, like in the last example above.

For more information add the “-verbose” switch, and if you don’t want it querying my blog in search of an update, use “-SkipUpdateCheck”.

Lync 2013 / SfB 2015 Client Update – May 2018

Last month’s client update took us to 15.0.5023.1000, and now Kb4018377 increments us to 15.0.5031.1000.

What’s Fixed

Just the one update this month:

  • Kb4133098 Location is still displayed even if UseLocationForE911Only is set to true in Skype for Business

What’s New / Changed

Nothing documented.

Known Issues

Nothing documented.


The Mk-III Safety Net for SfB Gateway AD-Lookups

It’s been a long while between visits to the subject of Sonus (now Ribbon) AD-based routing in the SBC1k, 2k & SWe Lite, but my colleague Tristan recently pointed out a new feature that I wasn’t previously aware of.

In my 2012 Mk-II Safety Net I showed how you could do a second AD lookup against an incoming call so as to ensure the transformation table passed regardless of whether their LineURI contained an “ext=” suffix or not.

Now it seems that’s been superseded by the addition of wildcard handling in AD lookups! [Reference]. And so here’s the Mk-III!

The Mk-III AD Lookup

For context, here’s what the Mk-II looked like:



VX says VVX “Not Acceptable Here”

Protocols and standards. We live and die by them, and while we can’t live without them, sometimes they can be a royal PITA. And so it is apparently, with Polycom’s interpretation of RFC4568 Session Description Protocol (SDP), with which I became all too familiar this week.

I was called in to try and figure out why a customer’s Polycom VVX’s intermittently couldn’t call out to the PSTN. They could place the call seemingly OK, but as soon as the external party answered it dropped.

Incoming calls were fine, and none of their other clients had any outgoing problems: their Office 2013 and Office 2016 PC clients were fine, as were the fading old CX600’s. Making this scenario all the more interesting is that the PSTN Gateways are NET / Sonus “VX 1200” gateways still running flawlessly from their Lync 2010 days – and still supported by the vendor until the end of 2018 BTW!

Media Bypass is enabled in this environment, so the obvious conclusion to draw was that we were dealing with some kind of incompatibility between the new-ish phones and the (ahem) “mature” VX’s.


Lync 2013 / SfB 2015 Client Update – April 2018

What’s with the monthly client update cadence at the moment? No complaints here though: I personally benefit from possibly two of these fixes! The March update took us to 15.0.5015.1000, and our early April update (Kb 4018334) adds 8 builds to hit 15.0.5023.1000.

What’s Fixed

This update fixes the following issues:

  • Kb 4095404 A call to yourself is initiated when you add audio to an existing meeting in Skype for Business
  • Kb 4095405 High memory usage and crash when you receive an HTML message in Skype for Business
  • Kb 4095406 External user can’t sign in Skype for Business that uses TLS-DSK or modern authentication
  • Kb 4095407 Splitter bar in a tabbed conversation window doesn’t show when DPI setting is larger than 100% in Skype for Business
  • Kb 4095408 Repeated “You were added as delegate for” message at every logon in Skype for Business 2015 (Lync 2013)
  • Kb 4095409 Searching chat room history by date returns incorrect results when the date format is other than US format (mm/dd/yy)


Adding Direct Trunk Select to Skype for Business

At about the same time any given Skype for Business deployment gains its second PSTN gateway / Session Border Controller, the old diagnostician in me wants a means to be able to directly send calls to each one individually. By being able to directly focus my outgoing calls on just one SBC I can confirm all sorts of things: that it’s talking to SfB OK, its carrier connection is working correctly, it’s sending the expected CallerID outbound to the PSTN, it’s handing calls from “unknown” calling numbers (foreign to the services attached to the SBC)… It’s also helpful if you want to test calls *in* to a different SBC, and you don’t want your outgoing call to muddy the logging captures on the SBC under test.

If your SBCs are in different states or countries you can usually take advantage of the Least Cost Routing (LCR) you’ve built into the deployment to achieve this – but what if they’re across town from each other in the same calling zone, or butting up against each other in the same rack in a load-sharing config? Enter “Direct Trunk Select”.


Review: Polycom Pano

I recently had the opportunity to spend some quality time with “Pano”, Polycom’s meeting room collaboration interface, and I found it a really useful piece of kit.


What Is It?

Pano is an interface device that lets you share content from your PC, Mac or mobile device into a meeting or meeting room. You can do so wirelessly or via HDMI cable if you’re old-school.

Features and Capabilities


Event 18456 – Start-CsPool Error Failed to Connect to BackEnd

I hit an expected snag recently where I wasn’t able to get an existing SfB 2015 Front-End pool to start after growing it from 1 to 3 servers. Coincidentally I’d performed this same job for another customer maybe a month prior and it had gone off without a hitch. Not so this time.

Try as I might, no amount of resetting the fabric with Reset-CsPoolRegistrarState was going to work; the pool steadfastly refused to start:


Start-CsPool : Please make sure at least 2 machine<s> are in running or starting state to achieve fabric network ring quorum from the following machine list. Also makes sure Windows Fabric Host Service is running on those machines.
