Getting Schannel 36874 Errors



To workaround this issue, we can set the event logging value to 0 under:


Basically turning off Schannel alerting.


How to renew a self signed certificate in Exchange Server 2007

How to renew a self signed certificate in Exchange Server 2007

The Exchange 2007 self signs a certificate when the server role is first added for all the Exchange services that run in unison with IIS (smtp & owa etc). The  certificate expires after one  year from the date the server was first installed or the date the certificate was assigned manually.

First, check the status of the certificate by opening the Exchange Management Shell and executing the commandGet-ExchangeCertificate |FL’ – this displays all information about the currently assigned certificates and the status of each certificate.

It is common that they may be more than one certificate listed in the display – if that is the case, find the certificate that shows an expired date in the field ‘NotAfter‘ – as this defines when each certificate becomes invalid/expired. An expired certificate may cause problems such as connectivity to web services, SMTP transport and Outlook prompting certificate security warnings.

Use the following steps to generate a new certificate and enable it to run IIS services:

1. Type ‘Get-ExchangeCertificate |FL’ – This only lists details of certificates that are assigned to Exchange Services. Then note down the Thumbprint of the expired certificate.

2. Then type ‘Get-ExchangeCertificate –Thumbprint “9E6DD4B4EA2865CA9E6C34B42329A9AC994EBF63” | New-ExchangeCertificate’ . This generates a new certificate, and you will then be prompted to confirm if you want to overwrite the expired certificate and use the new one for the SMTP service.

3. If you run the cmdlet in step 1 you will notice the new certificate is not used to secure IIS services anymore. Make a note of the new thumbprint and run the following command typing the new thumbprint between the quotation marks: ‘Enable-ExchangeCertificate – Thumbprint “7A843B04EA2865CA9E6C34B42329AEE4456F9013” –Services IIS’

4. Be sure to verify all the services are working correctly after renewing and enabling the certificate – test Outlook clients by closing and opening Outlook to esnure there are no security certificate warnings.

6. Finally, Remove the old certificate by typing the following cmdlet into the management shell: Remove-ExchangeCertificate –Thumbprint “9E6DD4B4EA2865CA9E6C34B42329A9AC994EBF63″.

[SOLVED] The Group Policy Client service failed the logon. Access denied


2 Methods to Fix “The Group Policy Client service failed the logon. Access denied.”


When you try to log on to your Windows account, you might encounter the error “The group Policy Client service failed the logon. Access is denied.


When you click OK, the system will return you back to the login screen. Searching this on the net gave a lot of answers but none of them seemed to solve it. In the end we discovered that it is a permissions problem and not a corrupt profile problem. Here’s two methods to fix this issue.

Before getting started, you need to log on to your computer with a working administrator account. Then follow the solutions below to fix the problem for your affected account.

Method 1: Regain Registry Permissions

  1. Press the Windows key + R to bring up the Run box. Type regedit and hit Enter.
  2. When the Registry Editor opens, select HKEY_USERS in the left pane. Now, pull down the File menu and choose the Load Hive option.


  3. When the Load Hive dialog appears, select All Files in the Files of type box. Navigate to your affected profile folder (for example, C:\Users\<user_name>) and select the NTUSER.DAT hive. Click Open.


    Note: if the NTUSER.DAT file doesn’t show up, you might need to configure Windows to display the hidden files.

  4. It will ask you for a name. Give it any name, it doesn’t matter what it is.


  5. You will now see the hive you just loaded with the name you gave it under the HKEY_USERS key. In my example, the entire NTUSER.DAT hive has been loaded into the Registry Editor under the registry location: HKEY_USERS\NTUSER.
  6. Right-click on HKEY_USERS\NTUSER and select Permissions.


  7. Here you should see at least three accounts: System, Administrators and the name of your affected user account who’s profile you are fixing. If ANY of these are not shown it will not work. You need to add all three and then give them full control in the Permissions section.


  8. Once you have added all three and given them the correct permissions, click the File menu and select Unload Hive. Close the Registry Editor.


  9. Log off or restart your computer. You should be able to login successfully with your account that you were having trouble with.

Method 2: Deleting the Local Profile

This method works by deleting your affected local profile, so you can then log back on. After successfully logging on, Windows will automatically create a new profile for your account. Here’s how to delete the profile for your affected Windows account in Windows 10, 8, 7 and Vista:

  1. Right-click on My Computer icon on your desktop, and then select Properties.


  2. From there, click the Advanced System Settings link on the left-hand side.


  3. When you see the System Properties dialog, click the Settings button in the User Profiles section.


  4. In the User Profiles dialog box, select the profile of your affected user account and click on Delete.


  5. Click OK to confirm. Now you’ve successfully deleted a user profile. Your problem should be fixed by now.

SCCM Not Downloading Updates

WSUS Synchronization failed.
 Message: Failed to sync some of the updates.
 Source: Microsoft.SystemsManagementServer.SoftwareUpdatesManagement.WsusSyncAction.WSyncAction.SyncUpdates.

You may experience this problem if a computer is behind a firewall or behind a proxy server.


If you are using WSUS 3.0 with a Windows Internal Database that was created by a default WSUS installation, type the following command:

%programfiles%\Update Services\Setup\ExecuteSQL.exe -S %Computername%\MICROSOFT##SSEE -d “SUSDB” -Q “update tbConfigurationC set BitsDownloadPriorityForeground=1”

If you configured WSUS 3.0 to use an existing installation of SQL Server, type the following command:

%programfiles%\Update Services\Setup\ExecuteSQL.exe -S %Computername% -d “SUSDB” -Q “update tbConfigurationC set BitsDownloadPriorityForeground=1”
Restart the Update Services service and reset wsus by : wsusutil.exe reset
Or use SQL Studio Manager to update table.

List Exchange OWA Users

Outlook Web Access (OWA) and ActiveSync reporting using IIS logs


Outlook Web Access (OWA) and ActiveSync reporting using IIS logs

I was asked to report on how many people were still accessing a legacy Exchange server via Outlook Web Access for the purposes of retiring it permanently.  Here is a step by step walk through. Pasted commands may not work.  Please type directly into the cmd window!

  1. Locate your IIS logs on your exchange server.  Mine were stored in C:\inetpub\logs\LogFiles\W3SVC1.  For more help refer to this article.
  2. For this example we will be copying the logs we need locally to the C:\log directory.  This method could easily be adapted to use UNC paths but was not needed for my purposes.  IIS should create one log per day so copy the number of days you would like to report on to c:\log on your local machine.
  3. Download Log Parser 2.2 from the Microsoft website and install it to the default directory.
  4. Next we will use log parser to combine all of these logs into a single file.  Create a subdirectory under c:\log called mergedlog.  From the command line navigate to the log parser directory “C:\Program Files (x86)\Log Parser 2.2” and run the following command “logparser.exe -i:iisw3c “select * into c:\log\mergedlog\merge.log from c:\log\*” -o:csv”  This will create a single log file named merge.log and convert the data from iisw3c to csv format.
  5. Next we will need to run a command that will pull the information we are looking for out of the log.  Here are three examples that list User Name, Date, Time, IP, page accessed, and user agent. Each will output the results into a file named output.csv in the c:\log directory.

The first command looks for OWA access

LogParser -i:csv “SELECT cs-username, date, time, c-ip, cs-uri-stem, cs(User-Agent) FROM C:\log\mergedlog\merge.log TO C:\log\Output.csv WHERE cs-method LIKE ‘%get%’ and cs-uri-stem LIKE ‘%owa%’

This next command lists ActiveSync users

LogParser -i:csv “SELECT cs-username, date, time, c-ip, cs-uri-stem, cs(User-Agent) FROM C:\log\mergedlog\merge.log TO C:\log\Output.csv WHERE cs-method LIKE ‘%post%’ and cs-uri-stem LIKE ‘%Microsoft-Server-ActiveSync%’

Finally as a Bonus This one looks for Mac Office Users

LogParser -i:csv “SELECT cs-username, date, time, c-ip, cs-uri-stem, cs(User-Agent) FROM C:\log\mergedlog\merge.log TO C:\log\Output.csv WHERE cs-method LIKE ‘%post%’ and cs(user-agent) LIKE ’%Macoutlook%’

There is a good book you can get on Amazon called Microsoft Log Parser Toolkit that has a goldmine of knowledge on how to use this tool.

[SOLVED] Server 2012 RDS ‘there are no Remote Desktop License Servers available to provide a license.’

On a Server 2012 RDS farm that has been deployed and working for some time you begin to receive errors stating ‘The remote session was disconnected because there are no Remote Desktop License Servers available to provide a license. Please contact the server administrator.”

Server 2012 RDS 'there are no Remote Desktop License Servers...' Fig1

You verify your configuration is as expected, that you have valid CALs installed on a Server 2012 terminal server licensing server and that the RD Licensing Diagnoser doesn’t report any errors.

The issue may be that there is a bug with Server 2012 RDS session hosts where they will not look to the licensing server for CALs when the grace period ends. Microsoft are reportedly aware of this but as yet there is no KBA or hotfix for it.

The solution is to open the registry editor on the affected session hosts and browse to the following:

HKLM\System\CurrentControlSet\Control\Terminal Server\RCM

If the ‘GracePeriod’ key exists you will need to delete it.

Server 2012 RDS 'there are no Remote Desktop License Servers...' Fig2

Note: You will need to give administrators read and write access to the key or you won’t be able to delete it. *(Must take ownership before changing permissions)* Also please observe the usual precautions when working with the registry and take a backup first.

Give your session hosts a reboot and all should be well.

Error Remote Desktop web portal Farm

Error Remote Desktop web portal Farm

I recently encountered the following errors the event logs of our load balanced RD GW farm:

* Source: ASP.NET 2.0.50727.0
* Event Log: Application
* Type: Warning
* Event ID: 1309
* Event User: N/A
* Event code: 3005
Event message: An unhandled exception has occurred.
Stack trace: at System.Web.Configuration.MachineKeySection.EncryptOrDecryptData(Boolean fEncrypt, Byte[] buf, Byte[] modifier, Int32 start, Int32 length, IVType ivType, Boolean useValidationSymAlgo, Boolean signData)
at System.Web.Security.FormsAuthentication.Decrypt(String encryptedTicket)
at Microsoft.TerminalServices.Publishing.Portal.FormAuthentication. TSFormsAuthentication.ExtractInfoFromCookies(HttpContext objHttpContext)
at Microsoft.TerminalServices.Publishing.Portal.FormAuthentication. TSFormsAuthentication.OnAuthenticateRequest(Object source, EventArgs e)
at System.Web.HttpApplication.SyncEventExecutionStep.System.Web. HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

On the client side we saw the following error:


This error occurs when a active and authenticated session on the web portal gets failed over or load balanced to another RD web portal server. IIS uses an encryption key to encrypt the data, and a validation key to check if the encrypted data is valid (session id, etc). Since the standard setting in IIS is to automatically generate these keys at runtime. The keys are different each time and are different on each members server of the farm. Because of this the web server which gets the session is unable to decrypt and validate the session because it has different keys.


To be able to use the authentication across all member computers in a farm, all the member servers must use the same validation and encryption keys. (Don’t change these settings on a live production environment). The first step is to generate the keys. Open IIS manager and navigate to the server or application, double click on machine key.


Clear all the check boxes “Generate a unique key for each application” and “Automatically generate at runtime” for both validation and decryption keys.


And then click Generate Keys in the Actions pane, and apply.


Copy and paste these keys to the other members of the farm. All new sessions should use these new keys enabling load balancing or fail over between the members of the farm.

Funny thing is, that after I changed this on our servers, I encountered an error on the Microsoft forefront mail site I was logged on and didn’t do anything for a while. After clicking on a link I saw the following:


Could this be the same issue? It looks an awful lot like it. smiley-tongue-out