Tuesday, August 23, 2016

RDP-TCP recreation on Windows 2012/R2

Good day All,

Welcome back!!!

Recently we were unable to RDP to a Windows 2012 R2 domain controller. We tried almost everything and eventually rebooted it, but we still had the same issue: unable to RDP to the server, even though through the KVM we could see that everything was healthy.
So we decided to try deleting the RDP-Tcp connection and see if that helped.
I remember that back in the Windows 2008 days you would go into Remote Desktop Session Host Configuration (tsconfig.msc), delete it and recreate it. Simple, right? Well, that is gone in Windows 2012 / 2012 R2: as Microsoft moved to an improved version of RDSH, all of this was folded into Group Policy settings.

Windows 2008: (screenshot)

Windows 2012: (screenshot)

After searching for a while it was clear there is absolutely no way to recreate RDP-Tcp using the GUI, so I came across this excellent article which explains how to recreate it by deleting and recreating the registry key. It worked like a charm and we were able to RDP back in.

Note: If anyone would like to say thanks, follow the link and convey it there; I take no credit for this one.

Recreate the default RDP Listener

How to recreate the RDP listener.
  1. Export the following registry key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
  2. Delete the following registry key:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
  3. Copy and paste the text below into Notepad and save the file as RDP-Tcp.reg. Additionally, if the operating system is 2012 R2, a second file is required with the contents of the second box.

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
    "fInheritMaxIdleTime"=dword:00000001
    "fPromptForPassword"=dword:00000000
    "fResetBroken"=dword:00000000
    "PdClass"=dword:00000002
    "LoadableProtocol_Object"="{5828227c-20cf-4408-b73f-73ab70b8849f}"
    "UserAuthentication"=dword:00000001
    "fDisableCam"=dword:00000000
    "fInheritAutoLogon"=dword:00000001
    "InteractiveDelay"=dword:00000032
    "Domain"=""
    "fInheritReconnectSame"=dword:00000001
    "SelectTransport"=dword:00000000
    "MinEncryptionLevel"=dword:00000002
    "fInheritShadow"=dword:00000001
    "WFProfilePath"=""
    "fReconnectSame"=dword:00000000
    "PdDLL"="tdtcp"
    "PortNumber"=dword:00000d3d
    "PdFlag1"=dword:00000000
    "WdName"="Microsoft RDP 8.0"
    "fInheritMaxSessionTime"=dword:00000001
    "WdFlag"=dword:00000036
    "SelectNetworkDetect"=dword:00000000
    "fLogonDisabled"=dword:00000000
    "MaxDisconnectionTime"=dword:00000000
    "Callback"=dword:00000000
    "PdDLL1"="tssecsrv"
    "NWLogonServer"=""
    "MaxIdleTime"=dword:00000000
    "fDisableEncryption"=dword:00000001
    "fInheritCallback"=dword:00000000
    "fDisableCcm"=dword:00000000
    "ColorDepth"=dword:00000003
    "PdName"="tcp"
    "fEnableWinStation"=dword:00000001
    "OutBufLength"=dword:00000212
    "PdFlag"=dword:0000004e
    "CallbackNumber"=""
    "CdClass"=dword:00000000
    "Shadow"=dword:00000001
    "fDisableCdm"=dword:00000000
    "PdName1"="tssecsrv"
    "fInheritSecurity"=dword:00000000
    "CdDLL"=""
    "LanAdapter"=dword:00000000
    "fInheritResetBroken"=dword:00000001
    "CfgDll"="RDPCFGEX.DLL"
    "InitialProgram"=""
    "fDisableClip"=dword:00000000
    "InputBufferLength"=dword:00000800
    "fAllowSecProtocolNegotiation"=dword:00000001
    "fDisableAudioCapture"=dword:00000000
    "Password"=""
    "CdName"=""
    "fDisableLPT"=dword:00000000
    "CdFlag"=dword:00000000
    "PdClass1"=dword:0000000b
    "fAutoClientLpts"=dword:00000001
    "fAutoClientDrives"=dword:00000001
    "fInheritCallbackNumber"=dword:00000001
    "OutBufCount"=dword:00000006
    "fInheritMaxDisconnectionTime"=dword:00000001
    "MaxInstanceCount"=dword:ffffffff
    "KeyboardLayout"=dword:00000000
    "fDisableExe"=dword:00000000
    "AudioEnumeratorDll"="rdpendp.dll"
    "Username"=""
    "KeepAliveTimeout"=dword:00000000
    "fUseDefaultGina"=dword:00000000
    "fHomeDirectoryMapRoot"=dword:00000000
    "fInheritColorDepth"=dword:00000000
    "fForceClientLptDef"=dword:00000001
    "WorkDirectory"=""
    "SecurityLayer"=dword:00000001
    "DrawGdiplusSupportLevel"=dword:00000001
    "WdPrefix"="RDP"
    "fInheritAutoClient"=dword:00000001
    "fDisableCpm"=dword:00000000
    "Comment"=""
    "OutBufDelay"=dword:00000064
    "fInheritInitialProgram"=dword:00000001
    "MaxConnectionTime"=dword:00000000

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\VideoRemotingWindowNames]
    "AGFullScreenWinClass"="*"
    "MacromediaFlashPlayerActiveX"="*"
    "EVRVideoHandler"="*"
    "MicrosoftSilverlight"="*"
    "ShockwaveFlashFullScreen"="*"

    Additional 2012 R2 values (save these as a second .reg file and import it as well):

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
    "UserAuthenticationBackup"=dword:00000000
    "MaxMonitors"=dword:00000004
    "MaxXResolution"=dword:00000a00
    "MaxYResolution"=dword:00000640
  4. Double-click the RDP-Tcp.reg file (and, on 2012 R2, the second file) and click Yes at the prompt. Then restart the Remote Desktop Services service (TermService) or reboot so the rebuilt listener is loaded.

Keep in mind that this template is a default listener: "SecurityLayer"=1 is Negotiate, "UserAuthentication"=1 requires Network Level Authentication, "MinEncryptionLevel"=2 is Client Compatible and "PortNumber"=0xd3d is 3389. If the listener had been hardened locally (TLS only, High encryption, a non-default port), those settings are gone after the import and have to be set again; settings delivered by Group Policy are reapplied at the next policy refresh. Keep the export from step 1 until you have confirmed RDP works again, since it is your only way back to the previous configuration.
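The same export / delete / import procedure as a script, with a check of the listener values that matter for security afterwards. This is an added example and not code from the original post or the linked article. It assumes the .reg file from step 3 is saved as C:\Temp\RDP-Tcp.reg and, on 2012 R2, the second file as C:\Temp\RDP-Tcp-2012R2.reg (both paths are assumptions), and it should be run from an elevated PowerShell on the server console or KVM, because restarting TermService drops any RDP session it is run from.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the original post or the linked article.
# Assumed paths: template(s) from step 3 under C:\Temp, backup written next to them.

$keyPath   = 'HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$psPath    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$backup    = "C:\Temp\RDP-Tcp-backup-$(Get-Date -Format 'yyyyMMdd-HHmmss').reg"
$templates = @('C:\Temp\RDP-Tcp.reg', 'C:\Temp\RDP-Tcp-2012R2.reg') | Where-Object { Test-Path $_ }

if (-not $templates) { throw 'No .reg template found under C:\Temp; nothing was changed.' }

# Step 1: export the current key first so the change can be rolled back.
reg.exe export $keyPath $backup /y | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Export to $backup failed; not touching the listener." }

# Step 2: delete the key, subkeys included (VideoRemotingWindowNames lives under it).
Remove-Item -Path $psPath -Recurse -Force

# Steps 3-4: import the template(s). If an import fails, put the original key back.
foreach ($file in $templates) {
    reg.exe import $file | Out-Null
    if ($LASTEXITCODE -ne 0) {
        reg.exe import $backup | Out-Null
        throw "Import of $file failed; original key restored from $backup."
    }
}

# Restart Remote Desktop Services so the rebuilt listener is loaded.
Restart-Service -Name TermService -Force

# Check the values that decide how the listener authenticates and encrypts.
# The template sets the defaults; hardening that was applied locally (not via GPO)
# must be reapplied by hand after this.
$l = Get-ItemProperty -Path $psPath
[pscustomobject]@{
    PortNumber         = $l.PortNumber          # 3389 (0xd3d in the template)
    UserAuthentication = $l.UserAuthentication  # 1 = Network Level Authentication required
    SecurityLayer      = $l.SecurityLayer       # 0 = RDP security, 1 = Negotiate, 2 = TLS only
    MinEncryptionLevel = $l.MinEncryptionLevel  # 1 Low, 2 Client Compatible, 3 High, 4 FIPS
    fEnableWinStation  = $l.fEnableWinStation   # 1 = listener enabled
} | Format-List

# Confirm the listener is actually bound before trying to RDP in again.
Get-NetTCPConnection -State Listen -LocalPort $l.PortNumber |
    Select-Object LocalAddress, LocalPort, OwningProcess
```

If the last command returns nothing after the service restart, the listener is still not up and the rollback is a single reg.exe import of the backup file followed by another TermService restart.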

Later I started to poke around to see if there was any other way besides deleting and recreating the registry key; well, there is none in Windows 2012.

So I went back to a Windows 2008 server, opened tsconfig.msc and tried to connect to a Windows 2012 R2 server to see if it would connect. Sure enough, it connected and showed the RDP-Tcp settings, and deleting and recreating it there worked like a charm.

In Windows 2016 TP4 I don't see any option to delete it from the MMC either; tested from Windows 2008, I was able to connect and recreate the listener as well.

Windows 2016 TP4: (screenshot)

Let's hope this option comes back in the final release of Windows 2016, though I highly doubt it.
As long as a Windows 2008 server is around this works; if not, we have to work with the registry, not much choice :)

Hopefully this helps someone. Until the next one, have a great day ahead!!!

Monday, August 8, 2016

SSL Offloading: Where to do it? Citrix StoreFront 7.6

Good day All,

Welcome back!!!

We are setting up SSL for our new Citrix 7.6 farm and our network guy asked how the password is sent when a user types the user name and password at the Citrix URL.
Citrix support was called and they kept saying it was clear text, so to double-confirm it I set up a lab and installed Netmon on the StoreFront server.

My source IP was 192.168.1.5, my StoreFront IP was 192.168.1.72 and my Delivery Controller was 192.168.1.73.

So I opened the URL and typed the username and password; before hitting Enter I logged on to the StoreFront server, installed Netmon and started the capture.

Back on the client machine 192.168.1.5 I hit Enter at the Citrix login screen; I was logged in to Citrix and my published app showed up. I quickly jumped to the StoreFront server and stopped the Netmon capture.

Microsoft Netmon is a very simple and powerful tool: click All Traffic and it neatly segregates the traffic between the two hosts.

I highlighted it in yellow; now you know my username and password for my Citrix login.

I was curious and wanted to check how the password is sent from StoreFront to the Delivery Controller (192.168.1.73). For everyone's knowledge, that communication is set to port 80.

If you look at the screenshot, StoreFront sends an XML query to the Delivery Controller on port 80, and the good thing is that the password is not sent as clear text but in an encrypted form.
There are tools out there that can help decrypt it, but at least it is not clear text.

So the big question becomes: how far should we go to encrypt the traffic?

1. It depends on how the client connects. If external, SSL is a must for the Citrix URL.
2. If all client communication is internal, you can probably get away without SSL, but the capture above shows exactly what that means: anyone who can see traffic on the path between the client and StoreFront reads domain credentials in the clear. "Internal" only works if you genuinely trust every host and switch on that path.
3. Is SSL needed between StoreFront and the Delivery Controller? That depends from company to company on how far you need to go and how secure you want it; understand that there will always be overhead associated with it.
4. Most of the companies I have seen offload SSL on the load balancer, either an F5 or a NetScaler, to avoid the overhead on StoreFront. That means traffic from the client to the F5 / NetScaler is on 443 and from there it is port 80 to StoreFront. Offloading does not remove the clear-text hop, it moves it to the segment between the load balancer and StoreFront, so that segment needs to be one you trust; otherwise re-encrypt it to StoreFront (SSL bridging rather than pure offload).


So testing, testing and more testing: how secure you need it versus how fast you need the apps delivered to users will determine how much security you put in place.


Before I conclude: I added SSL to StoreFront, so now look at the communication from the user desktop to StoreFront; it is all encrypted on port 443 and secure.
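To make the difference between the two captures concrete, here is an added example (not code from the original post) of what an on-path observer, Netmon or anyone else on the segment, can pull out of the StoreFront logon depending on whether it travels over port 80 or port 443. The HTTP request is constructed sample data: the URL and form field names are assumptions in the shape of a Receiver for Web logon, not a real capture, and the port 443 bytes are the first bytes of a TLS handshake record.

```powershell
# Added example, not from the original post. All captured bytes below are constructed.

function ConvertFrom-CapturedHttpPost {
    # Parse a clear-text HTTP POST and return its form fields, URL-decoded.
    # Returns $null when the bytes are not a POST (for example, a TLS record).
    param([Parameter(Mandatory)][byte[]]$Bytes)
    $text  = [System.Text.Encoding]::ASCII.GetString($Bytes)
    $parts = $text -split "`r`n`r`n", 2
    if ($parts.Count -lt 2 -or $parts[0] -notmatch '^POST ') { return $null }
    $fields = [ordered]@{}
    foreach ($pair in ($parts[1] -split '&')) {
        $kv = $pair -split '=', 2
        if ($kv.Count -ne 2) { continue }
        # application/x-www-form-urlencoded: '+' is a space, then %XX escapes.
        $fields[[uri]::UnescapeDataString($kv[0])] = [uri]::UnescapeDataString(($kv[1] -replace '\+', ' '))
    }
    return $fields
}

function Test-TlsRecord {
    # True when the bytes start with a TLS record header: content type 20-23
    # (change_cipher_spec, alert, handshake, application_data) and version 3.x.
    # That header is all an observer sees on port 443; the payload is opaque.
    param([Parameter(Mandatory)][byte[]]$Bytes)
    return ($Bytes.Length -ge 5 -and $Bytes[0] -ge 0x14 -and $Bytes[0] -le 0x17 -and
            $Bytes[1] -eq 0x03 -and $Bytes[2] -le 0x04)
}

# Constructed: the logon POST as it crosses the wire when StoreFront is on plain HTTP.
# Path and field names are assumptions modelled on a Receiver for Web logon form.
$body   = 'username=CORP%5Cjdoe&password=P%40ss+word1&saveCredentials=false'
$port80 = [System.Text.Encoding]::ASCII.GetBytes(
    "POST /Citrix/StoreWeb/ExplicitAuth/LoginAttempt HTTP/1.1`r`n" +
    "Host: 192.168.1.72`r`n" +
    "Content-Type: application/x-www-form-urlencoded`r`n" +
    "Content-Length: $($body.Length)`r`n`r`n" + $body)

# Constructed: the first bytes of the same logon once StoreFront is on HTTPS
# (TLS 1.0 record header carrying a ClientHello; nothing after it is readable).
$port443 = [byte[]](0x16, 0x03, 0x01, 0x00, 0xC4, 0x01, 0x00, 0x00, 0xC0, 0x03, 0x03)

$creds = ConvertFrom-CapturedHttpPost -Bytes $port80
"Port 80 : username='{0}' password='{1}'" -f $creds['username'], $creds['password']

if ((Test-TlsRecord -Bytes $port443) -and -not (ConvertFrom-CapturedHttpPost -Bytes $port443)) {
    'Port 443: TLS record only; no form fields recoverable without the server private key'
}
```

The first line of output is the point of the whole exercise: on port 80 the domain account and password come straight out of the capture with nothing more than URL decoding. Whether the hop is client-to-StoreFront or load-balancer-to-StoreFront makes no difference to the observer; only where that hop sits on your network does.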

Let me know how securely you have implemented it in your environment. Until the next one, have a good day!!!