IKEv2 VPN Suddenly Stops Working with Authentication Error

With a previously working IKEv2 configuration on pfSense, you may suddenly start receiving these messages:

iOS: User Authentication Failed
Windows 10: IKE authentication credentials are unacceptable

The reason in this case was related to the certificate. The first step is to log in to the pfSense webConfigurator, then verify the certificate is still valid using the Certificate Manager and its Valid Until date.

If the certificate is valid and recently renewed, it could be that the IPsec service still has the previous certificate in memory. This can be verified by running a shell command. In the webConfigurator, choose Diagnostics then Command Prompt. Execute the following command and look for the validity dates of your certificate:

ipsec listcerts

If it still lists the expired certificate, a quick fix is simply stopping and starting the IPsec service: go to VPN -> IPsec, Disable then Enable the tunnel, applying changes each time. You can also simply reboot the firewall.
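As an added example (not from the post), the following script parses the text that ipsec listcerts prints and reports any certificate whose not-after date has already passed, so a scheduled job can restart IPsec only when a stale certificate is actually loaded rather than blindly every month. The sample output is constructed to mirror strongSwan's listcerts layout; the subject name and dates are placeholders.

```python
"""Parse `ipsec listcerts` output and report certificates charon holds that are already expired."""
import re
import sys
from datetime import datetime

# Constructed sample in the layout strongSwan prints: the first entry is a stale copy still
# in charon's memory, the second is the renewed certificate.
SAMPLE_LISTCERTS = """List of X.509 End Entity Certificates

  subject:  "CN=vpn.example.com"
  issuer:   "CN=Example CA"
  validity:  not before Jan 01 00:00:00 2021, ok
             not after  Jan 01 00:00:00 2022, expired (151 days ago)

  subject:  "CN=vpn.example.com"
  issuer:   "CN=Example CA"
  validity:  not before Dec 15 00:00:00 2021, ok
             not after  Dec 15 00:00:00 2023, ok (expires in 562 days)
"""

SUBJECT_RE = re.compile(r'^\s*subject:\s+"(.*)"')
NOT_AFTER_RE = re.compile(r"^\s*not after\s+(\w{3} \d{1,2} \d{2}:\d{2}:\d{2} \d{4})")


def find_expired(listcerts_text, now_iso=None):
    """Return [(subject, 'YYYY-MM-DD')] for each certificate whose 'not after' date is before now.

    now_iso is an ISO date/time string used instead of the clock (handy for tests).
    """
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now()
    expired, subject = [], None
    for line in listcerts_text.splitlines():
        m = SUBJECT_RE.match(line)
        if m:
            subject = m.group(1)  # the validity block that follows belongs to this subject
            continue
        m = NOT_AFTER_RE.match(line)
        if m:
            not_after = datetime.strptime(m.group(1), "%b %d %H:%M:%S %Y")
            if not_after < now:
                expired.append((subject, not_after.strftime("%Y-%m-%d")))
    return expired


if __name__ == "__main__":
    # On the firewall: ipsec listcerts | python3 check_listcerts.py ; exits 1 when a stale cert is loaded
    text = SAMPLE_LISTCERTS if sys.stdin.isatty() else sys.stdin.read()
    stale = find_expired(text)
    for subject, not_after in stale:
        print(f"expired certificate still loaded: {subject} (not after {not_after})")
    sys.exit(1 if stale else 0)
```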

If you want to automate the restart of IPsec you can use cron:

In the pfSense Package Manager, install cron. Then go to Services -> cron and Add a new job. For example, a job that restarts the service on the first day of every month:

0 0 1 * * root /usr/local/sbin/strongswanrc restart 2>&1 | logger &

Notes:

Attempting to manually restart the ipsec service from the console will result in the error below. This is because strongSwan (charon) is still running, so the certificate will not get updated.
charon is already running (/var/run/charon.pid exists) -- skipping daemon start

If you have Service Watchdog enabled and watching the ipsec service, you'll see the following two lines in the System Log shortly after the service is stopped:
servicewatchdog_cron.php: Service Watchdog detected service ipsec stopped. Restarting ipsec (IPsec VPN)
servicewatchdog_cron.php: Forcefully reloading IPsec

Posted in Uncategorized | Leave a comment

Remote Desktop Connection Fails for Local Account on Domain Computer

I tried saving an RDP file with a prepopulated username to connect to a remote server using a local account on that server. The local machine was Azure AD joined to the same domain as the remote server.

Typically the username would be .\localuser or servername\localuser; however, in both cases the prefix is stripped out and the username shows up as simply localuser. If you supply the correct password you get the error: The logon attempt failed

If you click the More choices button, you discover the username now has @domain.com appended. If you choose the option Use a different account, then add back the prefix from above, the connection will be successful. However, I wanted the RDP file to do this step automatically.

The solution is to modify the RDP file using a text editor.

Find and modify the line username:s:value to be similar to the following:

username:s:servername\.\localuser

Then save and try the RDP file again. The username should now be correctly prepopulated with the prefix as .\localuser


Rename Windows 10 User Account Username and Profile Folder

This is a quick guide for changing both the login username and profile folder for a user account in Windows 10.

  1. Log in with an account that has administrator rights and is not the one you want to modify
  2. Computer Management -> Local Users and Groups ->Users
  3. Right click and rename the desired user
  4. Navigate to C:\Users
  5. Right click and rename the folder of the user account
  6. Open Registry Editor and locate the following:
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
  7. Under ProfileList there are several keys corresponding to the SIDs of the various user accounts. Inspect each one, looking at the value of ProfileImagePath. This stores the location of the profile folder, and one will have a value that matches the folder you renamed above.
  8. Once located, right click on ProfileImagePath and choose Modify.
  9. Provide the new folder path and click OK
  10. Reboot to flush out any remaining references

ERROR 1064 (42000) when installing phpMyAdmin

Attempting to install phpMyAdmin 5.1.1 on Ubuntu 18.04 (Bionic Beaver) from the PPA linked below, I received error 1064.

https://launchpad.net/~phpmyadmin/+archive/ubuntu/ppa

An error occurred while installing the database: 
mysql said: ERROR 1064 (42000) at line 1: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'IDENTIFIED BY 'PASSWORD'' at line 1 . Your options are:

These are the steps I used to complete the install.

  1. When the error is reached, copy the password shown. Then abort the install.
  2. At the console, access mysql:
    sudo mysql -u root -p
  3. Delete the user the installer tried to create (straight quotes, not typographic ones):
    DROP USER 'phpmyadmin'@'localhost';
  4. Create the user (using the same password as the installer) and the database, then set the permissions:
    CREATE USER 'phpmyadmin'@'localhost' IDENTIFIED BY 'PASSWORD';
    CREATE DATABASE phpmyadmin;
    GRANT ALL PRIVILEGES ON *.* TO 'phpmyadmin'@'localhost' WITH GRANT OPTION;
    FLUSH PRIVILEGES;
    exit
  5. Go back and try to reinstall. When the error is reached, choose ignore. This should complete the install.
  6. Access the phpMyAdmin web interface and log in with username phpmyadmin and the password from step 4.
  7. You will see the error
    The phpMyAdmin configuration storage is not completely configured, some extended features have been deactivated. Find out why.
    
    Or alternately go to 'Operations' tab of any database to set it up there.
  8. Click on Find out why
  9. At the top, choose the option for: Create missing phpMyAdmin configuration storage tables. 
  10. Once complete, phpMyAdmin should now be working and without any errors.

Note: If you later change the password for the phpmyadmin account, you will start getting the following error message:

mysqli::real_connect(): (HY000/1045): Access denied for user 'phpmyadmin'@'localhost' (using password: YES)
Connection for controluser as defined in your configuration failed.

To clear the error, you will need to update the file below with the same password:
/etc/phpmyadmin/config-db.php


Veeam 11 Error When Editing Backup Job After Upgrade to ESXi Host

After upgrading the ESXi 7.0 host (Update 3), I was receiving the following error in Veeam Backup and Replication 11 (11.0.1.1261) when trying to edit an existing Backup Job:

Host with id ‘a-b-c-d-e’ was not found

The solution was to modify the Veeam database for a guest VM to point to the correct host ID.

  1. Using Microsoft SQL Server Management Studio, navigate to the dbo.BObjects table
    Databases -> VeeamBackup -> Tables -> dbo.BObjects
  2. Right click and Edit Top 200 Rows
  3. Locate the id from the error message in the host_id column
  4. Replace it with the correct host_id (with dashes). Note: you can get a list of all host IDs by running the PowerShell command Get-VBRServer in a Veeam B&R console session. If needed you can also cross-check the guest VM by matching the object_id column in the database with the Vmid of the VM on the host.

Unable to delete Time Machine Shared Folder in OMV 5

In OpenMediaVault the button may be greyed out if the Shared Folder is still Referenced. References can include file shares but also plugins.  In this case there was a Shared Folder that had been used for Time Machine and after removing the SMB share and verifying plugins, the Delete button was still greyed out.

First, you can try to verify what is referencing the shared folder in this OMV file:
/etc/openmediavault/config.xml

Find the shared folder in question and note the UUID. Then search for that UUID in the same file.

In this case I had an afp section with data between the tags <afp> and </afp>. It had the UUID stored as <sharedfolderref>UUID</sharedfolderref>.

The afp section was used by the old netatalk plugin that was in OMV 4 but is no longer part of OMV 5 (the system had been upgraded). However, it was not possible to uninstall the plugin from the web interface since it didn't appear in the list of available packages.

Alternatively, the plugin can be uninstalled via the command line. Close the config.xml file, then run the console command:

sudo dpkg -P openmediavault-netatalk

Once uninstalled, you can go back to the config.xml file and verify that the afp section was removed automatically.

Refresh the OMV control panel -> Access Rights Management -> Shared Folders. The folder in question should no longer be Referenced and the Delete button no longer greyed out.
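As an added example (not OpenMediaVault's own code), this script automates the config.xml search described above: it looks up the shared folder's UUID by name and prints the section holding every <sharedfolderref> that still points at it. The sample config is constructed from the element names in the post plus an assumed <shares>/<sharedfolder> layout and placeholder UUIDs; check it against your own config.xml.

```python
"""List every <sharedfolderref> in OpenMediaVault's config.xml that still points at a shared folder."""
import sys
import xml.etree.ElementTree as ET

# Constructed sample modelled on config.xml: a leftover <afp> share still references the folder.
SAMPLE_CONFIG = """<config>
  <services>
    <afp>
      <shares>
        <share>
          <uuid>aaaaaaaa-0000-0000-0000-000000000001</uuid>
          <sharedfolderref>11111111-2222-3333-4444-555555555555</sharedfolderref>
          <name>TimeMachine</name>
        </share>
      </shares>
    </afp>
  </services>
  <shares>
    <sharedfolder>
      <uuid>11111111-2222-3333-4444-555555555555</uuid>
      <name>TimeMachine</name>
    </sharedfolder>
  </shares>
</config>
"""

def find_references(config_xml, folder_name):
    """Return (folder uuid, [element path of every <sharedfolderref> holding that uuid])."""
    root = ET.fromstring(config_xml)
    uuid = next((f.findtext("uuid") for f in root.iter("sharedfolder")
                 if f.findtext("name") == folder_name), None)
    if uuid is None:
        return None, []
    parent_of = {child: parent for parent in root.iter() for child in parent}
    paths = []
    for ref in root.iter("sharedfolderref"):
        if (ref.text or "").strip() == uuid:
            path, node = [], ref  # walk up to the root so the owning section (e.g. afp) is visible
            while node in parent_of:
                node = parent_of[node]
                path.append(node.tag)
            paths.append("/".join(reversed(path)))
    return uuid, paths

if __name__ == "__main__":
    # Usage on the NAS: python3 omv_refs.py /etc/openmediavault/config.xml TimeMachine
    xml_text = open(sys.argv[1]).read() if len(sys.argv) > 2 else SAMPLE_CONFIG
    name = sys.argv[2] if len(sys.argv) > 2 else "TimeMachine"
    uuid, paths = find_references(xml_text, name)
    print(f"{name} -> {uuid}: " + (", ".join(paths) if paths else "no references"))
```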


Set a Quota for Time Machine with SMB on OMV 5.6

This details an OpenMediaVault configuration where an SMB share was created and Time Machine support was enabled for it. There was a need to limit the size of the Time Machine backups so that they do not consume all available space, and to do that you use the filesystem quotas:

  1. In OpenMediaVault navigate to Storage->File Systems
  2. Select the device that has the Time Machine shared folder
  3. Click the Quota button at the top.
  4. Note: without any quotas set, Used Capacity for users will show zero even if data is already there.
  5. Set a quota value for the user associated with Time Machine.
  6. Click the grey save button
  7. Click the blue save button
  8. Apply changes
  9. If you click the Quota button again, you can verify that Used Capacity is populating for that user (if data is already in the shared folder).

pfSense IKEv2 VPN for Windows 10 and iOS Devices

This is an out-of-the-box workaround if you are having trouble connecting to a pfSense IKEv2 VPN from iOS and Windows 10 devices after following the pfSense recipe:
https://docs.netgate.com/pfsense/en/latest/recipes/ipsec-mobile-ikev2-eap-mschapv2.html

When iOS clients (version 15) tried to connect, the device error was “An unexpected error occurred.”  In the pfSense logs there were errors similar to:

[IKE] <con-mobile|112> no acceptable proposal found
[IKE] <con-mobile|112> failed to establish CHILD_SA, keeping IKE_SA
[CHD] <con-mobile|112> CHILD_SA con-mobile{71} state change: CREATED => DESTROYING

The following change may work for you:

  • Phase 2 configuration -> Encryption Algorithms -> AES: change to Auto

When Windows 10 clients tried to connect, the device error was “Policy match error”. In the pfSense logs there were errors similar to:

[CFG] <con-mobile|122> no acceptable ENCRYPTION_ALGORITHM found
[IKE] <con-mobile|127> no acceptable proposal found

The following changes may work for you:

  • Phase 1 configuration -> create a new Encryption Algorithm -> Algorithm AES -> Key length 256 bits -> Hash SHA1 -> DH Group 2 (1024 bit)
  • Phase 2 configuration -> Hash Algorithms -> add SHA1

Note: the pfSense recipe indicates a PFS key group is not supported with a manual VPN configuration in iOS, however setting it to 14 (2048 bit) per the recipe did not cause any issues in iOS15.

Try the connection again to verify if it is successful.
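The following script, added here and not part of the post, groups the strongSwan log lines quoted above by IKE_SA and uses the presence of a "failed to establish CHILD_SA, keeping IKE_SA" line to tell a Phase 2 mismatch from a Phase 1 one, which decides which pfSense tab needs adjusting. The phase heuristic and the hint text are my own.

```python
"""Triage strongSwan proposal errors per IKE_SA: Phase 1 (IKE_SA) vs Phase 2 (CHILD_SA) mismatch."""
import re
from collections import defaultdict

# Sample input: the lines quoted in the post (iOS attempt 112, Windows attempts 122 and 127).
SAMPLE_LOG = """[IKE] <con-mobile|112> no acceptable proposal found
[IKE] <con-mobile|112> failed to establish CHILD_SA, keeping IKE_SA
[CHD] <con-mobile|112> CHILD_SA con-mobile{71} state change: CREATED => DESTROYING
[CFG] <con-mobile|122> no acceptable ENCRYPTION_ALGORITHM found
[IKE] <con-mobile|127> no acceptable proposal found
"""

# search() rather than match() so a syslog prefix before '[IKE]' (timestamp, charon[pid]) is tolerated
LINE_RE = re.compile(r"\[(\w+)\]\s+<([^|>]+)\|(\d+)>\s+(.*)")

HINTS = {
    "phase2": "IKE_SA came up; check Phase 2 Encryption Algorithms (AES key length Auto) and Hash Algorithms",
    "phase1": "IKE_SA itself was rejected; check the Phase 1 encryption, hash and DH group proposal",
}


def triage(log_text):
    """Return {'conn|ike_sa_id': 'phase1' | 'phase2' | None} for every IKE_SA seen in the log.

    Heuristic: 'failed to establish CHILD_SA, keeping IKE_SA' shows Phase 1 succeeded and only
    the Phase 2 proposal was refused; a 'no acceptable ...' message with no CHILD_SA line for
    the same IKE_SA means the IKE_SA proposal itself was refused.
    """
    messages = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            _subsys, conn, ike_id, msg = m.groups()
            messages[f"{conn}|{ike_id}"].append(msg)
    verdict = {}
    for sa, msgs in messages.items():
        if any("failed to establish CHILD_SA" in msg for msg in msgs):
            verdict[sa] = "phase2"
        elif any("no acceptable" in msg for msg in msgs):
            verdict[sa] = "phase1"
        else:
            verdict[sa] = None  # errors unrelated to proposal selection
    return verdict


if __name__ == "__main__":
    for sa, phase in triage(SAMPLE_LOG).items():
        print(f"{sa}: {phase} -> {HINTS.get(phase, 'no proposal mismatch seen')}")
```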

Long term you may want to consider modifying the Windows 10 VPN configuration due to security issues:
https://docs.microsoft.com/en-us/windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections

You can modify an existing VPN configuration using the PowerShell cmdlet Set-VpnConnectionIPsecConfiguration:
https://docs.microsoft.com/en-us/powershell/module/vpnclient/set-vpnconnectionipsecconfiguration?view=windowsserver2022-ps

For example, perform these steps to force Windows 10 to use a more secure method by avoiding SHA1 and DH Group 2.  Replace EXAMPLE with the name of the VPN connection you created.

  1. Similar to iOS clients, in pfSense set Phase 2 configuration -> Encryption Algorithms -> AES: change to Auto
  2. Modifying the existing VPN connection using PowerShell:
    Set-VpnConnectionIPsecConfiguration -ConnectionName "EXAMPLE" -AuthenticationTransformConstants SHA256128 -CipherTransformConstants AES256 -EncryptionMethod AES256 -IntegrityCheckMethod SHA256 -DHGroup Group14 -PfsGroup PFS2048
  3. When asked to change the Cryptography Settings, choose Yes to continue.
  4. Try to connect to the VPN

Autologon User at Startup in Windows Server

This simple method has worked for me in Windows Server versions 2012 R2 through 2022. Create a new .reg file with the contents below, adjusting the USERNAME and PASSWORD strings as appropriate. Then run it to add the values to the registry.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DefaultUserName"="USERNAME"
"DefaultPassword"="PASSWORD"
"AutoAdminLogon"="1"

If it is a domain joined machine, then add this line and modify the DOMAIN string.

"DefaultDomainName"="DOMAIN"

Sourced from:
https://community.spiceworks.com/topic/1911274-autologin-autologon-sysinternals-with-windows-10-issue#entry-6360895

More information on this method:
https://docs.microsoft.com/en-us/troubleshoot/windows-server/user-profiles-and-logon/turn-on-automatic-logon


Change Autodesk Licensing Mode (Post Install)

We recently changed the licensing type for Autodesk 2021 Products (AutoCAD, Inventor, Plant 3D, 3ds Max, etc.) from a license server to individual users. This is the method I used, based on the Autodesk website, using the product key, product version and the Licensing Installer Helper tool:

https://knowledge.autodesk.com/support/autocad/troubleshooting/caas/sfdcarticles/sfdcarticles/Use-Installer-Helper.html

  1. Go to the directory:
    %CommonProgramFiles(x86)%\Autodesk Shared\AdskLicensing\Current\helper
  2. Run the command:
    AdskLicensingInstHelper.exe list
  3. Make note of def_prod_key and def_prod_ver for each product you want to change
  4. Run the change command (the options take two leading hyphens). In this example I was changing it from Network to User licensing, but Standalone is also available.
    AdskLicensingInstHelper.exe change --pk (place value of def_prod_key here) --pv (place value of def_prod_ver here) --lm USER
  5. Test by launching the product

Note: for Inventor, I had to modify the licensing for the feature_id INVNTOR and also INVPROSA
