AWS EC2 instance Login failure - amazon-web-services

I am getting the below error when trying to log in to my AWS EC2 instance. My last login was around two weeks back and everything was working fine, so the password I am using is correct. No other information is available on the error message.
Is there a way I can see any logs through the management console?
Appreciate any help on this.
Remote Desktop Connection
An authentication error has occurred.
The function requested is not supported

It seems like you are facing this issue.
Bottom line, this is caused by a Microsoft security patch. The Microsoft security patch issued on Tuesday, May 8th 2018 triggered the problem by setting and requiring remote connections at the highest level.
Simply adjust the Remote Desktop settings on the host machine to a lower security level. From File Explorer, choose Computer, right-click and select Properties, then click Change Settings, and go to the Remote tab.
From Windows 10, uncheck the option to “Allow connections only from computers running Remote Desktop with Network Level Authentication (recommended)”
From Windows 7, it’s setting the option to the Less Secure option rather than More Secure
Once these are set, users can remote to the machine again.
If you don't have any other way into the machine except Remote Desktop, I'm afraid the machine is lost.

For anyone facing this issue. Below is response from AWS technical support team:
Looking at the error message you posted, this is due to a recent patch (KB4103727) that Microsoft has released to fix a vulnerability. It is a mandatory requirement from Microsoft that both the client machine (the computer from which you are trying to RDP into your instances) and the remote server (your EC2 instance) have the latest updates installed. If one of these machines has the latest updates installed and the other does not, the RDP connection would fail.
Note: If you see your Windows is up to date and you do not see the KB4103727 installed, it could be a different KB article which applied the KB4103727 as a cumulative update. If this is the case, please uninstall all KBs that were installed recently before the RDP connection was broken.
For more information about this hotfix, please refer to the Microsoft documentation below:
https://blogs.technet.microsoft.com/yongrhee/2018/05/09/after-may-2018-security-update-rdp-an-authentication-error-occurred-this-could-be-due-to-credssp-encryption-oracle-remediation/
https://support.microsoft.com/en-us/help/4093492/credssp-updates-for-cve-2018-0886-march-13-2018
There are multiple workarounds for this issue:
Option 1: If the update is installed on your client (workstation) and is not installed on your EC2 instance.
Uninstall KB4103727 from your client machine. After you uninstall the KB and gain RDP access to the EC2 instance, you can patch the instance with latest updates first and then update your client machine with the KB by running Windows Update again.
Alternately, you can keep your client machine updated and you can install latest Windows updates on your EC2 instance remotely using SSM Run Command. For detailed instructions on how to configure your instance to use SSM Run Command, please refer to the below documentation:
SSM Prerequisites: https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-prereqs.html
Run Command Tutorial: https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/tutorial_run_command.html#rc-tutorial-ui
After you configure your instance to use SSM Run Command, you can execute the Run Command document "AWS-InstallWindowsUpdates" remotely on your instance.
Option 2: If the KB is installed on your EC2 instance and is not installed on your client machine
Run Windows Update on your client machine and install latest software updates. Once the latest updates are installed on both your instance and the client machine, you should be able to RDP into the instance.
Alternately, if you have a backup AMI or an EBS snapshot created before the patch was installed on your EC2 instance, you may consider restoring your instance from the backup to roll back the installed software updates.
Option 3: There is a workaround suggested by third party websites to disable the check altogether on the unpatched Windows machine and RDP should work normally. On the unpatched machine, open a command prompt with Administrator privileges and run the command mentioned below:
reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters" /f /v AllowEncryptionOracle /t REG_DWORD /d 2
Please note, you may have to reboot your Windows machine for the changes to take effect after you install/uninstall the KB.
So, finally I had to uninstall the mentioned update from the client machine (the one from which I was trying to connect to the AWS instance), which allowed me to connect to the instance. Once connected, I updated the instance with Windows updates and rebooted it, which resolved the issue.
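Before uninstalling anything, it helps to know which side of the RDP session is patched and what the CredSSP policy currently is. The script below is an added example (not from the thread or from AWS support) that reports that state on whichever machine it runs, client or instance, and offers a way to remove the registry value left behind by the Option 3 workaround once both sides are patched; the function names are my own.

```powershell
# Added example: report this machine's CredSSP "Encryption Oracle Remediation" state so the
# client and the EC2 instance can be compared. Run it on both ends of the RDP session.
$CredSspKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
# Meaning of AllowEncryptionOracle per Microsoft's CVE-2018-0886 guidance (KB4093492)
$Meaning = @{ 0 = 'Force Updated Clients'; 1 = 'Mitigated'; 2 = 'Vulnerable (check disabled)' }

function Get-CredSspState {
    # KB4103727 is the update named by AWS support; a cumulative update may have brought it in
    # under another KB number, so the most recent hotfixes are listed as well.
    $kb     = Get-HotFix -Id 'KB4103727' -ErrorAction SilentlyContinue
    $policy = Get-ItemProperty -Path $CredSspKey -Name AllowEncryptionOracle -ErrorAction SilentlyContinue
    $recent = Get-HotFix |
        Where-Object { $_.InstalledOn -and $_.InstalledOn -gt (Get-Date).AddDays(-30) } |
        Sort-Object InstalledOn -Descending | Select-Object -First 5 -ExpandProperty HotFixID
    if ($policy) {
        $value   = [int]$policy.AllowEncryptionOracle
        $meaning = $Meaning[$value]
    } else {
        $value   = $null
        $meaning = 'not set (default after the May 2018 update is Mitigated)'
    }
    [pscustomobject]@{
        Computer           = $env:COMPUTERNAME
        KB4103727Installed = [bool]$kb
        PolicyValue        = $value
        PolicyMeaning      = $meaning
        RecentHotFixes     = ($recent -join ', ')
    }
}

function Reset-CredSspPolicy {
    # Once both sides are patched, drop the "Vulnerable" (2) value written by the reg add
    # workaround so the CVE-2018-0886 mitigation is back in force. Needs an elevated prompt.
    if (Test-Path $CredSspKey) {
        Remove-ItemProperty -Path $CredSspKey -Name AllowEncryptionOracle -ErrorAction SilentlyContinue
    }
}

Get-CredSspState | Format-List
```

If the report shows KB4103727Installed as True on one machine and False on the other, that matches the mismatch AWS support describes; a PolicyValue of 2 means the Option 3 workaround is still in place.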

Related

Automate an RDP connection right after Windows instance turns on in GCP

I am performing some UI Automation on GCP using a Windows Server.
The process is as follows:
=> Machine Switches on at a defined time
=> RDP Connection to Machine
=> UI Interaction Script Runs on Startup
=> Process Ends
=> Machine Switches off at a defined time
All the components have been fulfilled except for automating the RDP connection in some way or other. I referred to this link but didn't find many insights or much documentation.
Does anyone know a way to automate an RDP connection right after the instance turns on in GCP?
There is a Windows application called IAP Desktop; using that you can manage multiple Remote Desktop connections to Windows VMs. While connecting to the VM you can save the credentials, which will allow you to access the Windows VM using RDP right after boot.
Also, to automate the Windows password generation, here is the documentation related to 1; inside that document both options are available, automated or manual.
How are you deploying your startup script?
During the boot sequence, a script will either run before, after or during the boot process. By declaring Windows-specific metadata keys, you can run startup scripts after the instance turns on.
If that doesn't work, there is a paid Cloud Automation service that sounds like it will meet your requirements.
Tried using startup scripts but no luck; IAP Desktop didn't work due to scheduling as well. Finally managed to solve it by using the Windows 10 auto-login settings. This skips the login screen, and the best part was that, out of all the users, it allows you to log in as the user of your choice. After I log in to the system, I added a startup .bat file by running shell:startup and it worked great.
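The auto-login plus shell:startup approach above can be made a little more explicit with a scheduled task tied to the automation account's interactive logon. The script below is an added example, not code from the thread; the account name, script path and task name are assumptions, and it could be run once through the instance's windows-startup-script-ps1 metadata key rather than by hand.

```powershell
# Added example: register the UI-automation script as a task that runs at interactive logon of
# the auto-login account, instead of dropping a .bat file into shell:startup.
$AutomationUser = 'uiautomation'                    # assumed: the account Windows auto-login signs in as
$ScriptPath     = 'C:\automation\run-ui-flow.ps1'   # assumed: the UI interaction script
$TaskName       = 'UiAutomationAtLogon'             # assumed task name

function Register-UiAutomationTask {
    $action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                   -Argument "-NoProfile -ExecutionPolicy RemoteSigned -File `"$ScriptPath`""
    $trigger   = New-ScheduledTaskTrigger -AtLogOn -User $AutomationUser
    # Interactive logon type: the task runs inside the user's desktop session, which UI automation needs
    $principal = New-ScheduledTaskPrincipal -UserId $AutomationUser -LogonType Interactive
    Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
        -Principal $principal -Force
}

function Test-AutoLogonConfigured {
    # Windows auto-login keeps DefaultUserName/DefaultPassword in clear text under Winlogon,
    # so the automation account should be a dedicated low-privilege user, not Administrator.
    $winlogon = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    ($winlogon.AutoAdminLogon -eq '1') -and ($winlogon.DefaultUserName -eq $AutomationUser)
}

Register-UiAutomationTask
Test-AutoLogonConfigured   # $true when auto-login is set up for the automation account
```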

How to Roll Back ESXi Patch/Upgrades?

Using vSphere Update Manager I've installed some updates and patches onto my host, however I have an issue with it picking up a datastore now so I want to roll back these changes to see if that fixes the issue.
From my research I understand that you can't uninstall these patches and you have to revert back to a previous ESXi version. I'm attempting to do this following the steps here: https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1033604
However, it does not give any reference on how to access the console for the host. I can't find a way to access it in vSphere, but found a way by downloading PuTTY and running the DCUI command.
The problem I have is that it says Reboot and then:
When the Hypervisor progress bar starts loading, press Shift+R.
However, when I reboot, PuTTY loses connection to the host (presumably because it is rebooting) so I never get to see the boot-up screen and hypervisor progress bar to press Shift+R.
Am I missing something simple here? Server is Dell running ESXi 5.5. Thank you.
The Dell iLO interface will provide you the recovery (Shift+R) option while rebooting and hence the rollback option.
The default credentials for dell ilo would be,
username : root
pwd : calvin
The steps to achieve this would be as follows:
Get your iLO link; please see if the below link is useful to you in this regard.
https://www.dell.com/community/Systems-Management/How-to-get-the-DRAC-IP-address-from-the-localhost/td-p/2374426
Another way would be to ping your server FQDN and it would return the iLO IP.
Once you find the iLO URL or IP, log in to it using the above-mentioned default login credentials (root/calvin).
Now, in the iLO interface find the option to launch the console (Server -> Virtual Console Preview -> Launch).
Save the JNLP file and run it.
Further, press F12 for "Shut down/restart".
From here onward I believe you will get it.
Thanks,
Manjunath.

Is it safe to turn on windows update for AWS EC2 machine?

I have an AWS EC2 windows machine running Windows Server 2012 R2.
I am having an issue with one application and I am suspecting that the machine does not have the latest .Net patches.
I looked into Windows Update and noticed it's turned off by default. Can I turn it on and update the machine? Right now there are 20 important updates waiting...
Yes, it is safe to install Windows updates (either automatically or manually).
Actually, it is recommended that you always update your Amazon EC2 instances to maintain the latest security patches.
They're just normal Windows machines. No need to handle them any differently to how you would normally maintain a Windows server.
You can also use the patch manager https://aws.amazon.com/blogs/mt/getting-started-with-patch-manager-and-amazon-ec2-systems-manager/

Installing AD and MSExchange 2016 in AWS EC2

I am trying to install an MSExchange 2016 in an EC2 instance from scratch without success. By from scratch, I mean I start from a new EC2 instance without any AD yet installed.
I am not very familiar with Windows Server. I got a lot of problems during the installation. By digging the web, I fixed a lot of them, but I think there is something I miss to succeed in my installation. Any help would be greatly appreciated.
Here is the procedure I followed:
I created an EC2 Windows Server 2012 R2 instance
I created a simple Active Directory in AWS.
I provided the AD DNS to my Windows Server (via Network and Sharing Center, properties of Internet Protocol v4)
I joined the server into that AD (Via Control Panel > System and Security > System, change computer workgroup to the domain defined in my AWS Simple AD)
Restart computer
Log into the server as Administrator, with the AD domain
Download Exchange from here
Set-up the active directory, as in this procedure: https://judeperera.wordpress.com/2015/07/24/step-by-step-guide-for-installing-exchange-server-2016-preview/
The Step 4.1. of that procedure indicates to execute the following code
Setup.exe /PrepareSchema /IAcceptExchangeServerLicenseTerms
When I execute it, I get the following error:
I do not understand what I need to do/fix to continue the installation.
Thanks in advance for your help!
The issue you are encountering is that Simple Directory is not an Active Directory product; it is powered by Samba v4. What you need is to set up a Microsoft Active Directory (Enterprise Edition) or Microsoft AD, which is powered by Windows Server 2012 R2. The Simple AD is powered by Samba v4 and is simply Active Directory compatible, but does not support the added schema features which are needed by Exchange Server 2016.
The other option is to back away from hosting your own instance of Exchange Server and instead take a look at AWS WorkMail. It is an Exchange-like service which supports ActiveSync with Outlook 2007+ and all current mobile smart devices such as Android and iOS. I currently use this and it took a lot of the headache out of managing my own mail server, as the complexities are offloaded to the AWS environment and all you need to do is add mail accounts and group addresses.
Either option should solve your issue.

How to set up Micro CloudFoundry on Windows

tl;dr: This question was to get help setting up Micro Cloud Foundry on Windows XP behind a corporate firewall as an innovation-demonstration project for a Fortune 500 IT department. Basically, the project stalled, despite this Stack Overflow page; the magic wasn't strong enough. I am accepting #DanHigman's answer below, but if anyone sees this and can provide a simple, straightforward answer, by all means...
Can anyone provide a clear step-by-step on setting up MCF on a Windows (XP in my case) machine behind a corporate firewall, for demonstrating the feasibility of PaaS in the corporate IT world?
My VM is installed and running and I can use the menu ok. I have vmc working. I have a test Node.js server app, that works on local, ready to push. But I can't get past that stage.
The firewall gave me trouble so I lowered my goal to just work offline. I followed the instructions noted below as best I could, but often the instructions are Mac-oriented; I would like them for a Windows command line (especially SSH tunneling):
http://blog.cloudfoundry.com/2011/09/08/working-offline-with-micro-cloud-foundry/
http://support.cloudfoundry.com/entries/20332921-micro-cloud-foundry-trouble-shooting-help
This blogger may have half-way covered my problem doing the SSH tunnel settings, but all it gives is "use PuTTY"; more detail would help:
http://support.cloudfoundry.com/entries/20419943-using-micro-cloud-locally
Also, whenever the vmc obviously gets an error or other message, it only outputs the following in the command line:
vmc target http://api.vcap.me
<<<
[200, "<html><body>SNP/2.0/102/Unknown Command 'info'</body></html>\r\n\r\n", {}
]
>>>
Thanks for any help. BTW - I know I could do this on my mac, the big obstacle is the windows and firewall environment.
Update:
#Dan and #ebottard: Thanks to your help, I'm almost there. ping is working now, the hosts file seems right, but vmc target api.vcap.me still does not find the VM at that 192.168.253.128 IP, even though ping does. In the first link above, Martin wrote the following, but assuming we are doing it on a Mac:
After the update is complete, you will need to make some changes on your local system. What you will need to do is to set up an SSH tunnel to access your Micro Cloud Foundry VM (note that you will need to supply the IP address in the command below with the actual IP of your VM, which is displayed in the console).
sudo ssh -L 80:192.168.168.149:80 vcap@192.168.168.149
Password:
vcap@192.168.168.149's password:
The first password being prompted is the sudo password for your machine, as it is needed to open port 80 which requires root privileges. The second password is the vcap user password which you entered during the initial configuration of your Micro Cloud Foundry.
I need to have these instructions translated into Windows, and all I have to go on is that I might use PuTTY (which I have downloaded) to do it. Any more ideas?
Looks like you're running an application on your Windows machine called "Snarl" (a poor Windows-based clone of the OS 10 app Growl :-p). It looks like it's interfering with communication to the MCF instance; close it and have another try.
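The Windows counterpart of Martin's ssh -L tunnel is plink.exe from the PuTTY suite, which accepts the same -L local:host:port forwarding syntax. The script below is an added example, not from the thread or the Cloud Foundry docs; it assumes plink.exe is on PATH, that the VM IP is the one the MCF console shows (the asker's 192.168.253.128), and that api.vcap.me should resolve to 127.0.0.1 so requests enter the local end of the tunnel (vcap.me resolves to 127.0.0.1 on public DNS, which is what the hosts entry replaces offline).

```powershell
# Added example: plink.exe equivalent of "sudo ssh -L 80:VM:80 vcap@VM", plus a check that
# the tunnel (and not another local program such as Snarl) is answering on port 80.
$VmIp   = '192.168.253.128'   # IP reported by the Micro Cloud Foundry console
$Domain = 'api.vcap.me'

function Add-HostsEntry {
    # Offline, api.vcap.me must resolve locally; point it at the local end of the tunnel.
    # Editing the hosts file needs an elevated (Administrator) prompt.
    $hosts = "$env:SystemRoot\System32\drivers\etc\hosts"
    $present = Select-String -Path $hosts -Pattern "\s$([regex]::Escape($Domain))\s*$" -Quiet
    if (-not $present) {
        Add-Content -Path $hosts -Value "127.0.0.1`t$Domain"
    }
}

function Start-McfTunnel {
    # -N: no remote shell, just the forward. Binding local port 80 also needs an elevated prompt.
    # plink prompts for the vcap password set during the initial MCF configuration.
    Start-Process -FilePath 'plink.exe' -ArgumentList @('-ssh', '-N', '-L', "80:${VmIp}:80", "vcap@$VmIp")
}

function Test-McfTunnel {
    # "vmc target" requests /info; a 200 with JSON (not an "SNP/2.0 ... Unknown Command" page)
    # means the tunnel reached the Cloud Foundry router.
    try {
        $r = Invoke-WebRequest -Uri "http://$Domain/info" -UseBasicParsing
        ($r.StatusCode -eq 200) -and ($r.Content.TrimStart().StartsWith('{'))
    } catch { $false }
}

Add-HostsEntry
Start-McfTunnel
Start-Sleep -Seconds 5
Test-McfTunnel   # $true once the forward is up and vmc target http://api.vcap.me should work
```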