Step-by-step guide to setting up LDAPS on Windows Server 2022

Secure the LDAP connection between your client application and the domain controller by encrypting the communication with LDAPS (LDAP over TLS on port 636). The steps below install a certificate authority, issue a certificate to the LDAP server, and then configure and test the client side.

1. Install Certificate Authority, Create and Export the certificate

1.1 Install “Active Directory Certificate Services” role through Server Manager roles.

  • Log On to Windows Server 2022, click on Start -> Server Manager -> Manage -> Add Roles and Features.

Click on Next

Choose Role-based or feature-based installation option and Click on Next button.

Choose Select a server from the server pool option & Select ldap server from the server pool and click on Next button.

Choose the Active Directory Certificate Services option from the list of roles, click on Add Features and then click on Next button.

Leave default settings from the list of features and click on Next button.

In Active Directory Certificate Services (AD CS), Click on Next button.

Select Certification Authority from the list of roles and Click on Next button.

Click on Install button to confirm installation.

Now, click on the Configure Active Directory Certificate Services on Destination Server option and click on Close button.

We can use the currently logged on user to configure role services since it belongs to the local Administrators group. Click on Next button.

Select Certification Authority from the list of roles and Click on Next button.

Select Enterprise CA option and Click on Next.

Select Root CA option and Click on Next.

Select Create a new private key option and Click on Next button.

  • Choose SHA512 as the hash algorithm and Click on Next.
    UPDATE : Recommended to select the most recent hashing algorithm.

Click on Next button.

Click on Next button.

Select the default database location and Click on Next.

Click on Configure button to confirm.

Once the configuration succeeded then click on Close button.

1.2 Create a certificate template

Press Windows Key+R, run the certtmpl.msc command and choose the Kerberos Authentication template.

Right-click on Kerberos Authentication and then select Duplicate Template.

  • The Properties of New Template will appear. Configure the setting according to your requirements.
  • Go to the General tab and Enable publish certificate in Active Directory option.

Go to the Request Handling Tab and Enable ‘Allow private key to be exported’ option.

Go to the Subject Name tab and Enable subject name format as DNS Name and click on Apply & OK button.

1.3 Issue certificate template

Go to Start -> Certification Authority, right-click on “Certificate Templates” and select New -> Certificate Template to Issue.

Now, select your recently created Certificate Template and click on OK button.

1.4 Request a new certificate for the created certificate template (ADCS-LDAPS)

Press Windows Key+R, run mmc and go to File -> Add/Remove Snap-in. Select Certificates, click on Add button and then click on OK button.

Now, right-click on Certificates, select All Tasks and click on Request New Certificate.

Click on Next button

Click on Next button

Select ADCS-LDAPS in Active Directory Enrollment Policy and then Click Enroll

Click on Finish

1.5 Test LDAPS Connection using LDP.EXE

Select Start >> All Programs >> Windows Support Tools >> Command Prompt. On the command line, type ldp to start the tool.

From the Ldp window, select Connection >> Connect, type the local FQDN (e.g. dc01.myousufali.labs) and port number 636, and tick the SSL checkbox.

Click on OK

2. Configure LDAPS on the client-side server

2.1 Export the created LDAPS certificate

Press Windows Key+R, run mmc and go to File -> Add/Remove Snap-in. Select Certificates and click on Add button, select Computer Account and click Next, select Local Computer and click on Finish button, and finally click on OK button.

Now, right-click on the LDAPS certificate, select All Tasks and click on Export...

Click on Next button

Select No, do not export the private key then Click Next button.

Select the Base-64 encoded X.509 (.CER) file format and click on Next.

Export the .CER to your local system path and click on Next.

Click on Finish button.

Click OK button to finish export.

2.2 Connect your Linux server with Active Directory ( LDAPS )

Convert the certificate format and install the certificate using OpenSSL.

  • Run the following command to install OpenSSL.
    • For Ubuntu:
      • sudo apt-get install openssl
    • For RHEL/CentOS:
      • sudo yum install openssl
    • Copy the certificate file you generated in the previous step to the client machine (for example the one on which PHP is running) and run the following command:
      For example:
      openssl x509 -in LDAPS.cer -out LDAPS.pem
      This creates the certificate file in a form that the OpenLDAP client library can use.
    • Place the generated .pem file in a directory of your choosing (/etc/openldap/ may be a good choice since that directory already exists).
    • Add the following line to your ldap.conf file:
      TLS_CACERT /etc/openldap/LDAPS.pem
    • This directive tells the OpenLDAP client library where the certificate is, so that it can be picked up during the initial connection.

2.3 Test Connection

For Linux:

# Plain LDAP on port 389 (no encryption)
ldapsearch -H ldap://dc01.myousufali.labs:389 -D 'CN=DC01,OU=IT,OU=Enterprise,DC=myousufali,DC=labs' -w P@ssword9a! -b "dc=myousufali,dc=labs" -s sub "(objectClass=user)" givenName

# LDAPS on port 636 (TLS from the first byte; -ZZ is StartTLS for ldap:// and must not be combined with ldaps://)
ldapsearch -H ldaps://dc01.myousufali.labs:636 -D 'CN=DC01,OU=IT,OU=Enterprise,DC=myousufali,DC=labs' -w P@ssword9a! -b "dc=myousufali,dc=labs" -s sub "(objectClass=user)" givenName

  • -ZZ: require StartTLS on an ldap:// (port 389) connection; not used with ldaps://
  • -H: LDAP URI of the Active Directory server (ldap:// or ldaps://, with host and port)
  • -D: bind DN or user principal name
  • -w: password on the command line (use -W instead to be prompted interactively, so the password does not end up in the shell history)
  • -b: base DN for the search (where in the LDAP tree to start looking)
  • -s: search scope, one of base, one, sub or children

For Windows:

  • You can obtain OpenSSL from http://gnuwin32.sourceforge.net/packages/openssl.htm if you don’t already have it.
  • Copy the certificate file you generated in the previous step to the client machine (for example the one on which PHP is running) and run the following command:
    For example:
    C:\openssl\openssl x509 -in LDAPS.cer -out LDAPS.pem
    This creates the certificate file in a form that the OpenLDAP client library can use.
  • Place the generated .pem file in a directory of your choosing (C:\openldap\sysconf may be a good choice since that directory already exists).
  • Add the following line to your ldap.conf file:
    TLS_CACERT C:\openldap\sysconf\LDAPS.pem
  • This directive tells the OpenLDAP client library where the certificate is, so that it can be picked up during the initial connection.
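The ldp.exe and ldapsearch tests above only succeed or fail; the following added example (not part of the original post, standard library only, Python 3.7+) performs the same trust check from a client and reports what it saw: it connects to port 636, verifies the server certificate against the exported LDAPS.pem and the DC's FQDN, and returns protocol, cipher, SAN and days until expiry without ever binding, so no credentials are needed. The FQDN and .pem path are the ones used in this post; pass cafile=None to use the system trust store instead.

```python
import socket
import ssl
import time

def check_ldaps(host, cafile, port=636, timeout=5.0):
    """Open a TLS session to host:port and verify the server certificate against
    the CA in `cafile` (the exported LDAPS.pem) and against `host` (the DC's FQDN).
    No LDAP bind is performed. Returns a dict whose "status" is "ok" or "error";
    on error, "stage" says which step failed (load_ca, connect or verify)."""
    try:
        # cafile=None falls back to the system trust store
        ctx = ssl.create_default_context(cafile=cafile)
    except (OSError, ssl.SSLError) as exc:        # missing or unparsable CA file
        return {"status": "error", "stage": "load_ca", "detail": str(exc)}
    ctx.check_hostname = True                      # FQDN must match the SAN/CN
    ctx.verify_mode = ssl.CERT_REQUIRED            # an untrusted chain is a failure
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse SSL 3.0 / TLS 1.0 / TLS 1.1
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()           # already verified by the handshake
                expires = ssl.cert_time_to_seconds(cert["notAfter"])
                return {
                    "status": "ok",
                    "protocol": tls.version(),
                    "cipher": tls.cipher()[0],
                    "subject": dict(rdn[0] for rdn in cert["subject"]),
                    "san": [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"],
                    "days_until_expiry": int((expires - time.time()) // 86400),
                }
    except ssl.SSLCertVerificationError as exc:    # chain not trusted or hostname mismatch
        return {"status": "error", "stage": "verify", "detail": exc.verify_message or str(exc)}
    except OSError as exc:                         # refused, timed out or handshake failed
        return {"status": "error", "stage": "connect", "detail": str(exc)}

if __name__ == "__main__":
    # Values from the post; adjust to your environment.
    print(check_ldaps("dc01.myousufali.labs", "/etc/openldap/LDAPS.pem"))
```

A "verify" failure with a hostname message means the template's Subject Name / DNS name does not match the FQDN you connect to; a chain message means the client is not using the exported CA certificate.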

Microsoft Ignite Cloud Skills Challenge – 2021

Microsoft Ignite Cloud Skills Challenge – Free Voucher

The Microsoft Ignite Cloud Skills challenge is a limited time challenge in which you can get a free certification. The challenge starts at March 2, 2021 at 4:00 PM UTC and ends on March 30, 2021 at 4:00 PM UTC. Similar to previous Ignite Cloud Skills Challenges, you need to finish a Microsoft Learn Path in order to get the exam voucher for free, however, this time Microsoft really shrunk down the list of available exams. This exam offer is exam-specific and only redeemable for select Microsoft exams. Eligible exams are:

  • AZ-104: Microsoft Azure Administrator
  • DP-100: Designing and Implementing a Data Science Solution on Azure
  • MS-700: Managing Microsoft Teams
  • MS-100: Microsoft 365 Identity and Services
  • MS-101: Microsoft 365 Mobility and Security
  • DA-100: Analyzing Data with Microsoft Power BI
  • SC-200: Microsoft Security Operations Analyst
  • SC-300: Microsoft Identity and Access Administrator
  • SC-400: Microsoft Information Protection Administrator

Links

AZ-900 : Microsoft Azure Fundamentals Exam Prep

Microsoft Azure certifications are organized into 4 levels:

1. Fundamentals

2. Associate

3. Expert

4. Specialty

Microsoft Azure Role-based Certification Roadmap

Azure Fundamentals Learning Path

If you are planning to take this exam, you have to be well prepared on the following topics:

  1. Cloud Concepts
  2. Azure Core Services
  3. Security, Privacy, Compliance and Trust
  4. Azure Pricing and Support

For self-learning about Azure Fundamentals, check out the AZ-900 Study Guide.

For the new course outline of the Azure Fundamentals exam, click here.

AZ-900 Azure Fundamentals Exam Details

Exam Name: AZ-900 Microsoft Azure Fundamentals
Requirement for: Microsoft Certified: Azure Fundamentals
Cost of the Exam: $99 [USD]
Total No. of Questions: 32-40
Duration of the Exam: 90 Minutes
Passing Score: 700/1000
Job Role: Developer

Microsoft Azure Virtual Training Day: Fundamentals

Attend the webinar or virtual training event and receive a free Microsoft exam voucher.

To register for the Microsoft Azure Fundamentals virtual training, click here.

For the list of available certifications, click here.

Schedule exam

To schedule the AZ-900 Microsoft Azure Fundamentals exam, click here.

For the AZ-900 Microsoft Azure Fundamentals cheat sheet, click here.

Exam Retake Policy

  • If a candidate fails the first attempt, he/she has to wait 24 hours before retaking the exam.
  • If he/she fails the second attempt, they have to wait 14 days to retake the exam.
  • A candidate can take a maximum of 5 retakes in a year.

Sample Certificate

How to free up disk space? Deleting files and folders from the Windows temp directory

Quick command to delete the files and folders under the Windows temp directory.

Here is the PowerShell command you can run:

Get-ChildItem -Path "C:\Windows\Temp" *.* -Recurse | Remove-Item -Force -Recurse

The wildcard *.* is used to remove all of the items.

If you run the command as a normal user you will get the error Get-ChildItem : Access to the path 'C:\Windows\Temp' is denied, so open Windows PowerShell as an administrator.

Some files will generally be in use by another process and cannot be deleted. For those you will get an error like the one below, which is normal:

Remove-Item : Cannot remove item C:\Windows\Temp\vmware-SYSTEM\vmauthd.log: The process cannot access the file
'vmauthd.log' because it is being used by another process.

How to delete or remove mobile devices connected to Exchange Activesync List

Trick to delete or remove a mobile device connected to Exchange ActiveSync.

Using Exchange OWA:

1. Log in to your account using Exchange OWA.
2. Go to Options > See All Options...
3. Select Phone. The Mobile Phones tab shows a list of all Exchange ActiveSync devices connected to your account.
4. Select the device you want to remove and click Delete.


From Exchange server cmdlets:

Get-ActiveSyncDevice -ResultSize unlimited | Get-ActiveSyncDeviceStatistics | where {$_.LastSyncAttemptTime -lt (get-date).adddays(-60)} | out-gridview

It shows the devices that have not synced for more than 60 days.

Get-ActiveSyncDevice -ResultSize unlimited | Get-ActiveSyncDeviceStatistics | where {$_.LastSyncAttemptTime -lt (get-date).adddays(-365)} | select-object -ExpandProperty guid | Out-File C:\Temp\list.txt

It exports the GUIDs of the devices that need to be deleted, one bare GUID per line (-ExpandProperty keeps the table header out of the file so every line can be fed back to Get-ActiveSyncDevice).

Get-Content .\list.txt | Get-ActiveSyncDevice | Remove-ActiveSyncDevice

Once you have the list of devices to delete, run the above command to delete / remove the devices.


How to install MS17-010 security update

To install the MS17-010 security update, download the corresponding patch from the Microsoft Update Catalog for your operating system.

Windows XP SP3

Open Microsoft Update Catalog Server’s URL then search for KB4012598.

Click on Security Update for Windows XP SP3 (KB4012598) to view update details and language selection, click Download to download the patch for Windows XP SP3.

Click the windowsxp-kb4012598-x86-custom-enu_eceb7d5023bbb23c0dc633e46b9c2f14fa6ee9dd.exe link to begin the download.

Double click the downloaded .exe file to install the patch.

Click Next, Select I Agree then Click Next.

Click Finish to restart.

After the system restarts, you can verify the patch using the command below.

C:\Users\myousufali>wmic qfe get Caption,Description,HotFixID,InstalledOn | findstr /C:"KB4012598"


How to change or reset the SA password for MSSQL in Linux

To reset the SA password, execute the following.

First you need to stop mssql-server using this command:

sudo systemctl stop mssql-server

sudo /opt/mssql/bin/mssql-conf setup

Setting up Microsoft SQL Server

Enter the new SQL Server system administrator password:

Confirm the new SQL Server system administrator password:

Starting Microsoft SQL Server…

Enabling Microsoft SQL Server to run at boot…

Setup completed successfully.

To change the MSSQL SA password

Log in to MSSQL by executing these commands.

cd /opt/mssql-tools/bin/

./sqlcmd -S srv01 -U sa

To change MSSQL sa account password, execute these commands.

EXEC sp_password NULL, 'Mssql@12345','sa'

go


How to Disable SSL 2.0 and SSL 3.0 on Exchange 2013 running on a Windows 2012

Resolution:

Open the registry and edit the values below. If the entries do not exist, create them.

To disable SSL 2.0

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000

To disable SSL 3.0

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:00000000


To disable Ciphers:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
"Enabled"=dword:00000000

Alternatively, save the above registry keys as .reg files and then execute them on the system.

You can also download them from here.

Before executing, take a complete registry backup. You need to restart the server afterwards.

Use the http://ssllabs.com/ website to run a test against your site. You should see an overall rating of A.
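The SSL Labs test only covers what is reachable from the internet; to confirm the registry side on the server itself, the following added example (not part of the original post) parses a .reg export of the SCHANNEL keys and reports every setting from the .reg files above that is missing or still at its weak value. The sample export embedded in the code is constructed for the demonstration and deliberately leaves SSL 3.0 enabled on the server side.

```python
import re

SCHANNEL = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL" + "\\"

# The values the post's .reg files set: (subkey under SCHANNEL, value name) -> required dword
EXPECTED = {
    (r"Protocols\SSL 2.0\Client", "DisabledByDefault"): 1,
    (r"Protocols\SSL 2.0\Server", "Enabled"): 0,
    (r"Protocols\SSL 3.0\Client", "DisabledByDefault"): 1,
    (r"Protocols\SSL 3.0\Server", "Enabled"): 0,
    (r"Ciphers\RC4 128/128", "Enabled"): 0,
    (r"Ciphers\RC4 40/128", "Enabled"): 0,
    (r"Ciphers\RC4 56/128", "Enabled"): 0,
}

# Constructed sample export: SSL 3.0 server still enabled, SSL 3.0 client and two RC4 keys missing.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
"Enabled"=dword:00000000
"""

def parse_reg(text):
    """Return {subkey under SCHANNEL: {value name: int}} for the dword values in a .reg export."""
    values, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        key = re.fullmatch(r"\[(.+)\]", line)
        if key:  # a [HKEY_...] section header; keys outside SCHANNEL are ignored
            name = key.group(1)
            current = name[len(SCHANNEL):] if name.upper().startswith(SCHANNEL.upper()) else None
            if current is not None:
                values.setdefault(current, {})
            continue
        val = re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{8})', line)
        if val and current is not None:
            values[current][val.group(1)] = int(val.group(2), 16)
    return values

def audit(text):
    """List (subkey, value name, value found or None) for every expected setting not at its hardened value."""
    values = parse_reg(text)
    return [(subkey, name, values.get(subkey, {}).get(name))
            for (subkey, name), want in EXPECTED.items()
            if values.get(subkey, {}).get(name) != want]
```

On the server, export the live keys with reg export HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL schannel.reg (reg.exe writes UTF-16, so open the file with encoding="utf-16") and pass the contents to audit(); an empty list means every value in the post's .reg files is in place.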