Tag: windows 2008 r2

May 21, 2014

Load Specific Theme not working with Run Only Specified Windows Applications

Problem

When configuring a very restricted desktop for 3rd party access we configured the ‘Run Only specified Windows Applications’

Surprisingly very little actually stopped working.

However the Windows Aero.theme was no longer being applied:

Solution

Add the following executables to allow the theme to apply: shell32.dll, dwm.exe, rundll32.exe svchost.exe, regsvr32.exe in the group policy location

User Configuration> Policies > Administrative Templates > System > Run only specified Windows applications

April 28, 2014

Windows 2008 R2 / XenApp server hanging at 'Applying Microsoft Offline Files Policy'

Problem:

After a recent image update one of our XenApp/Windows servers was booting but hanging at the ‘Applying Microsoft Offline Files Policy’ and taking a long time to ‘finish’ and display the CTRL + ALT + DEL screen. The Windows offline files policy set to disable for all.

Solution:

This was in fact a red herring, it was a server powershell start up script that was hanging the device. Running a tasklist /s \%servername it was noted there were copies of powershell.exe and gpscript.exe still running

Upon terminating these processes the server instantly sprang into life.

March 20, 2013

IIS 7.0 Logging and List of Error Codes

IIS 7.0 logging is NOT enabled by default. You must add this as an additional role service under Health and Diagnostics > HTTP Logging.

Default path to logs is: %SystemDrive%inetpublogsLogFiles

Error Codes (taken from here http://support.microsoft.com/kb/943891)

1xx – Informational
These status codes indicate a provisional response. The client should be prepared to receive one or more 1xx responses before receiving a regular response.
100 – Continue.
101 – Switching protocols.

2xx – Success
This class of status codes indicates that the server successfully accepted the client request.
200 – OK. The client request has succeeded.
201 – Created.
202 – Accepted.
203 – Non-authoritative information.
204 – No content.
205 – Reset content.
206 – Partial content.

3xx – Redirection
The client browser must take more action to complete the request. For example, the browser may have to request a different page on the server or repeat the request by using a proxy server.
301 – Moved Permanently
302 – Object moved Temporarily
303 – See Other
304 – Not modified.
307 – Temporary redirect.

4xx – Client Error
An error occurs, and the client appears to be at fault. For example, the client may request a page that does not exist, or the client may not provide valid authentication information.
400 – Bad request.
401 – Access denied. IIS defines a number of different 401 errors that indicate a more specific cause of the error. These specific error codes are displayed in the browser but are not displayed in the IIS log:
401.1 – Logon failed.
401.2 – Logon failed due to server configuration.
401.3 – Unauthorized due to ACL on resource.
401.4 – Authorization failed by filter.
401.5 – Authorization failed by ISAPI/CGI application.
401.7 – Access denied by URL authorization policy on the Web server. This error code is specific to IIS 6.0.
403 – Forbidden. IIS defines a number of different 403 errors that indicate a more specific cause of the error:
403.1 – Execute access forbidden.
403.2 – Read access forbidden.
403.3 – Write access forbidden.
403.4 – SSL required.
403.5 – SSL 128 required.
403.6 – IP address rejected.
403.7 – Client certificate required.
403.8 – Site access denied.
403.9 – Too many users.
403.10 – Invalid configuration.
403.11 – Password change.
403.12 – Mapper denied access.
403.13 – Client certificate revoked.
403.14 – Directory listing denied.
403.15 – Client Access Licenses exceeded.
403.16 – Client certificate is untrusted or invalid.
403.17 – Client certificate has expired or is not yet valid.
403.18 – Cannot execute requested URL in the current application pool. This error code is specific to IIS 6.0.
403.19 – Cannot execute CGIs for the client in this application pool. This error code is specific to IIS 6.0.
403.20 – Passport logon failed. This error code is specific to IIS 6.0.
404 – Not found. 404.0 – (None) – File or directory not found.
404.1 – Web site not accessible on the requested port.
404.2 – Web service extension lockdown policy prevents this request.
404.3 – MIME map policy prevents this request.
404.4 – No Handler (IIS 7)
404.5 – Request Filtering: URL Sequence Denied (IIS 7)
404.6 – Request Filtering: Verb denied (IIS 7)
404.7 – Request Filtering: File extension denied (IIS 7)
404.8 – Request Filtering: Denied by hidden namespace (IIS 7)
404.9 – Denied since hidden file attribute has been set (IIS 7)
404.10 – Request Filtering: Denied because request header is too long (IIS 7)
404.11- Request Filtering: Denied because URL doubled escaping (IIS 7)
404.12 – Request Filtering: Denied because of high bit characters (IIS 7)
404.13 – Request Filtering: Denied because content length too large (IIS 7)
404.14 – Request Filtering: Denied because URL too long (IIS 7)
404.15- Request Filtering: Denied because query string too long (IIS 7)
405 – HTTP verb used to access this page is not allowed (method not allowed.)
406 – Client browser does not accept the MIME type of the requested page.
407 – Proxy authentication required.
412 – Precondition failed.
413 – Request entity too large.
414 – Request-URI too long.
415 – Unsupported media type.
416 – Requested range not satisfiable.
417 – Execution failed.
423 – Locked error.

5xx – Server Error
The server cannot complete the request because it encounters an error.
500 – Internal server error.
500.12 – Application is busy restarting on the Web server.
500.13 – Web server is too busy.
500.15 – Direct requests for Global.asa are not allowed.
500.16 – UNC authorization credentials incorrect. This error code is specific to IIS 6.0.
500.18 – URL authorization store cannot be opened. This error code is specific to IIS 6.0.
500.100 – Internal ASP error.
501 – Header values specify a configuration that is not implemented.
502 – Web server received an invalid response while acting as a gateway or proxy.
502.1 – CGI application timeout.
502.2 – Error in CGI application.
503 – Service unavailable. This error code is specific to IIS 6.0.
504 – Gateway timeout.
505 – HTTP version not supported.

August 11, 2012

Windows 2008 unable to connect or map shares to downlevel SMB Shares on Windows 2000 clients

Situation: After a server refresh from Windows 2008 SP1 to Windows 2008 R2 – we were unable to connect to ANY share on a windows 2000 client.

Other servers like windows 2003 server could connect fine

Our previous SOE desktop running windows 2008 SP2 was also ok.

Server 2008 SP2 and Server 2008 R2 server images out of the box were unable to connect to the 2000 server and browse its shares.

Error Message: The account is not authorized to login from this station.

Solution: From the connecting windows 2008 server (client) create a new GPO with the following configuration

Computer ConfigurationWindows SettingsSecurity SettingsLocal PoliciesSecurity OptionsMicrosoft network client: Digitally sign communications (if server agrees) = DISABLED

System Must REBOOT

Other Issues:

Citrix PVS Servers

This solution simply wouldnt work on a standard Citrix PVS server image

The registry key had to be ‘tattooed’ into the image before connections would work at all (its on this environment we first noticed the issue and its due to this problem that we were unable to pinpoint the problem immediately)

References:

Microsoft article http://support.microsoft.com/kb/887429

July 16, 2012

Lock and Windows Security Slow to Appear in XenApp 6.5 desktop session

Clients – Windows XP Thin Client T5740, Receiver 3.1

Servers – Windows 2008 R2, XenApp 6.5

Problem: When end users were selecting the Start> Windows Security or Start > Arrow > Lock option in the desktop menus there is a 10 – 20 second delay before the menu appears. It also affected volume control speed and even the ability to select the Speaker icon on the task bar.

Solution: Microphone redirection. Disable anything to do with microphone redirection and then the menus listed above should then appear instantly.

June 27, 2012

Disable Citrix Server to Client File Redirection (FTA)

Iexplore.exe sessions were opening and hanging with the description of the iexplore.exe typically when clicking links in outlook.

Add the HKEY_LOCAL_MACHINE SOFTWAREWow6432NodeCitrixSFTADisableServerFTA registry key with the following values:

Name: DisableServerFTA
Type: REG_DWORD
Value: 1

June 18, 2012

Remove 'Scan With Sophos Anti-virus' Context Menu

Remove right click ‘ Scan With Sophos Anti-virus’ from the Context Menu for Citrix / Terminal Servers for all users.

Solution: [HKEY_CLASSES_ROOT*shellexContextMenuHandlersSavShellExt]
@=”{A3A1D8A1-006D-4B93-BA27-6F6B4C9C4F1D}”

May 8, 2012

Windows 2008 Certificate Authority Error – 0x80094009

Problem: When adding or revoking certificates we were getting the following error

0×80094009 – The operation is denied. It can only be performed by a certificate manager that is allowed to manage certificates for the current requester.

Even though I was a domain AND enterprise admin!!!???? Panic!

Also our CA had been migrated and updated from Windows 2003 so there was some concern about the upgrade and its process and of course the testing done after.

Resolution:

After the CA was migrated we HAD tested the CA process, so we confirmed this was working previously.

Somewhere, somehow the CA now has corrupted ACL’s or something (or something like that)

1) Right click the CA Name > Properties

2) Certificate Managers tab

3) Tick ‘do not restrict certificate managers’

4) try your addition or deletion (just to check it works)

5) go back and undo step 3 – (i.e. tick to re-Restrict Certificate Managers)

6) You should now be able to add and delete certificate requests etc as expected as a Domain or enterprise admin

Good Luck!

May 2, 2012

Windows 2008 R2 change "My Computer" to be %username% on %computername%

You cannot edit this as the administrator, (only trustedinstaller is given write access) so you must take ownership of the parent registry key/s first, then assign your accounts rights to write to the key.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINESOFTWAREClassesCLSID{20D04FE0-3AEA-1069-A2D8-08002B30309D}]
@=”Computer”
“LocalizedString”=hex(2):25,00,75,00,73,00,65,00,72,00,6e,00,61,00,6d,00,65,00,
25,00,20,00,6f,00,6e,00,20,00,25,00,63,00,6f,00,6d,00,70,00,75,00,74,00,65,
00,72,00,6e,00,61,00,6d,00,65,00,25,00,00,00