Wednesday, July 18, 2018

Browser video problem, media_error_unknown, ssl_error_rx_record_too_long

My wife recently brought her MacBook to me with a problem that suddenly popped up. Pretty much every website that had embedded video in it, other than YouTube, was suddenly not working. The media player plugins were showing various errors, one of which was media_error_unknown. I opened Chrome's developer tools for a better look at the errors. There were a few that indicated there might be a plugin or extension that was causing problems with some of the content. I tried disabling a few extensions like ad blockers and other security-related plugins to see if that helped, but it didn't. I found some suggestions that pointed to proxies, but no proxy was configured. Avast was doing some web filtering, but turning that off didn't help either. I checked a few other browsers besides Chrome and all had the same issue. When opening the media's link directly, it gave a browser "site is insecure" type of SSL error page. Lastly I thought DNS would be a good place to check, as our home wifi pushes out cleanbrowsing.org's DNS servers. Usually these filtering companies redirect blocked SSL sites to some other SSL site that would have an invalid cert. So after switching her DNS to static with Google's 8.8.8.8, everything was up and running again. So likely it was a mistaken classification of a content delivery network that caused this problem for news web sites and other normal content sites.

Thursday, April 5, 2018

FIM / MIM checking PCNS events for a specific user

The following script can be used along with some previous functions that I have written: the AD object metadata check and the time functions. It looks up the user's last password set time and the domain controller on which that change was recorded, takes the change time from the AD replication metadata for that last password reset, and uses it to remotely search the domain controller's Application log for PCNS (Password Change Notification Service) events that match the user's SamAccountName. It needs to be run with an account that has remote WMI permissions on the domain controller, which typically means a domain admin unless you have modified the WMI permissions on the cimv2 namespace.

param (
    [string]$samaccountname
)

# Dot-source the time functions and the AD object metadata check here
# if they are not already loaded in your profile.

# Query the domain controller's Application log over WMI for PCNSSVC events
# generated within $seconds of $time (a WMI/DMTF timestamp) whose message
# mentions $username; return the message of the most recent one.
function get-PCNSEvents-inrange([string]$server, $time, $seconds, $username) {
    $myTimeRange = wmitime-timerange $time $seconds
    $filter = "logfile='application' and timegenerated>='" + $myTimeRange[0] +
              "' and timegenerated<='" + $myTimeRange[1] + "' and sourcename='PCNSSVC'"
    $results = gwmi -computer $server win32_ntlogevent -filter $filter |
        where {$_.message -match $username} | select -last 1 -exp message
    return $results
}

try {
    # Replication metadata for unicodePwd gives the last password change time
    # and the domain controller that originated the change.
    $pwdChangeEvent = show-adobjmeta -type user -name $samaccountname | where {$_.attribute -eq "unicodePwd"}
    if ($pwdChangeEvent -eq $null) { throw "Cannot find user in active directory" }

    # Convert the change time to WMI format and pull the DC name out of the originator DN.
    $eventtime = dt-toWMITime $pwdChangeEvent.ChangeTime
    $server = $pwdChangeEvent.originator.split(",")[0].replace("CN=","")

    # Look 10 seconds either side of the change for a PCNSSVC event naming this account.
    $event = get-PCNSEvents-inrange $server $eventtime 10 $samaccountname
    if ($event -eq $null) { throw "No events found on domain controller around the time of the last password change." }
    $event
} catch { $_ }
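
As an added example that is not the author's script: the same check written without the author's helper functions, using the ActiveDirectory module's Get-ADReplicationAttributeMetadata for the unicodePwd metadata and Get-WinEvent (RPC rather than WMI) for the log search. The metadata property names and the NTDS Settings DN format are assumptions based on that cmdlet's documented output, and the account name at the end is a placeholder.

```powershell
# Added example, not the author's script: the same PCNS check without the
# author's helper functions, using the ActiveDirectory module and Get-WinEvent
# instead of WMI. Assumes the RSAT ActiveDirectory module is installed and the
# account can read the DC's Application log remotely (Event Log Readers
# membership plus the "Remote Event Log Management" firewall rules on the DC).
Import-Module ActiveDirectory -ErrorAction Stop

function Get-PcnsEventsForUser {
    param(
        [Parameter(Mandatory)] [string]$SamAccountName,
        [int]$WindowSeconds = 10   # seconds either side of the password change
    )

    $user = Get-ADUser -Filter "SamAccountName -eq '$SamAccountName'"
    if (-not $user) { throw "Cannot find user '$SamAccountName' in Active Directory" }

    # Replication metadata for unicodePwd records when the password last changed
    # and which DC originated the change (any reachable DC can answer this).
    $dc = (Get-ADDomainController -Discover).HostName | Select-Object -First 1
    $pwdMeta = Get-ADReplicationAttributeMetadata -Object $user.DistinguishedName `
                   -Server $dc -Properties unicodePwd
    if (-not $pwdMeta) { throw "No unicodePwd metadata for '$SamAccountName'" }

    # Assumption: the originating DC is reported as the DN of its NTDS Settings
    # object, e.g. "CN=NTDS Settings,CN=DC01,CN=Servers,...", so the second RDN is the DC.
    $originatingDc = ($pwdMeta.LastOriginatingChangeDirectoryServerIdentity -split ',')[1] -replace '^CN=', ''
    $changeTime    = $pwdMeta.LastOriginatingChangeTime

    # PCNS logs the notification within seconds of the change, so filter the
    # Application log to a narrow window instead of scanning all of it.
    $events = Get-WinEvent -ComputerName $originatingDc -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'PCNSSVC'
        StartTime    = $changeTime.AddSeconds(-$WindowSeconds)
        EndTime      = $changeTime.AddSeconds($WindowSeconds)
    } -ErrorAction SilentlyContinue

    # -match is a regex match: escape the name so "j.doe" cannot also match "jxdoe".
    $pattern = [regex]::Escape($SamAccountName)
    $hits = @($events | Where-Object { $_.Message -match $pattern })
    if ($hits.Count -eq 0) {
        throw "No PCNSSVC events for '$SamAccountName' on $originatingDc around $changeTime"
    }
    $hits | Select-Object TimeCreated, Id, Message
}

# Usage (placeholder account name):
Get-PcnsEventsForUser -SamAccountName 'jdoe' -WindowSeconds 10
```

If the search returns nothing, widen -WindowSeconds before assuming PCNS never fired: the metadata change time and the DC's event timestamps come from different clocks.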

Thursday, March 29, 2018

IIS certificate completion failure 0x80094004

I had this error brought to me recently by someone who was trying to install a certificate that had been issued and sent along with its CA chain. Certificate providers often include multiple formats as well as the certificate chain, which can cause some confusion for application owners who aren't familiar with all aspects of PKI. Unfortunately this is usually necessary, as different systems have different requirements for setting up certificates, some of which include manually importing the chain.

This particular error suggests that a detail on the certificate is wrong. After discussing it with the application team doing the install, it turned out they were trying to complete the pending request with one of the certificate authority certificates from the chain instead of the certificate that had been issued for their CSR. Once that was cleared up, they were able to install the correct certificate without any issue.