Rv-on-web & Isabel authentication cards: “The page cannot be displayed”

Today I came across an issue where a customer could not log in to Rv-on-web (the Belgian withholding tax administration website) using an Isabel card. After checking the certificate chain countless times, I tried to log in to the Isabel web services, and that didn’t work either. But I was redirected to a troubleshooting site which led me to this article: Error: “The Isabel 6 software cannot be accessed with Internet Explorer 64 bit” when trying to access Isabel 6. After following step 2 of the instructions (setting TabProcGrowth in the registry), the magic pincode entry applet finally appeared and logging in to Rv-on-web worked.

This is the registry change in question:

Windows Registry Editor Version 5.00 
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
 "TabProcGrowth"="1"

More information on TabProcGrowth: Opening a New Tab may launch a New Process with Internet Explorer 8.0 (also applies to Internet Explorer 11). I suspect the pincode applet fails to load when it’s started in a new process after clicking the “login” button on Rv-on-web, leading to “The page cannot be displayed”, because the selected certificate cannot be decoded without the pincode. Setting TabProcGrowth to 1 changes this interaction. It’s not immediately clear to me why this trick works, though.

The mysterious black box that popped up every minute

So a customer called me up with a complaint that his screen didn’t automatically turn off anymore after 5 minutes, and that every minute or so a black box came up and disappeared immediately. I logged in via TeamViewer to take a look at what the problem could be, and yes, a black box did turn up every minute.

The hunt

At first, I tried pressing Print Screen when it came up, but the window just disappeared too fast and kept eluding me. After a few more tries I gave up and looked for another way (I’m sure gamers would persist until they got it right – I felt the urge too). I quickly found the “record session” feature in TeamViewer (“Extras” -> “Record”) and waited until the window popped up. After the recording was completed, playing it back with the built-in TeamViewer player was totally useless, as you could only navigate through the video with a precision of 10 seconds. Luckily, TeamViewer does allow you to export the recording to an AVI file, which I played back with VLC, giving me fine-grained navigation through the video. Success! The culprit was found.

The return of an old enemy

This was the window in question that kept popping up:

(Screenshot: blackberry_crap)

Hum. What’s that? Research In Motion? It looks like I’m not done yet eradicating every last piece of BlackBerry crap off of my customer base.

For Googlers:

tunmgr.exe

There was an error deleting C:\ProgramData\Research In Motion\Tunnel Manager\rimtun-2013-07-11-07-29-47.2388.bugz

Unknown arg ‘-Embedding’

The workaround

Further investigation showed this was caused by the “BlackBerry Link Communication Manager” service. I disabled the service and the window stopped popping up.

Of course, the actual cause is some developer who made a mistake programming this, calling some program with the wrong arguments. Maybe the version of “some program” is different from the one he expected. But anyway, the “fix” I applied on the client (disabling the “BlackBerry Link Communication Manager” service) sufficed: as my customer only connected his BlackBerry to put files on it, not having this service working wasn’t a problem.

PowerShell: remove home folder mapping for every user in Active Directory

# Requires the ActiveDirectory module (RSAT). Only the two attributes we touch are requested.
Get-ADUser -Filter * -Properties HomeDrive, HomeDirectory | ForEach-Object {
   Write-Host "- $($_.Name)"
   if ($null -ne $_.HomeDrive) {
    Write-Host -NoNewline "|-  Current home: $($_.HomeDrive) -> $($_.HomeDirectory): removing... "
    # Passing $null clears both attributes; add -WhatIf to preview the change without applying it.
    Set-ADUser -Identity $_.DistinguishedName -HomeDirectory $null -HomeDrive $null
    Write-Host "Done."
   }
}

Convert a Zyxel console cable to a Cisco console cable

If you have a console cable for a Zyxel device and you want to convert it to a Cisco console cable, remove the 8P8C end and rewire it as follows:

+-----+--------------+---------------+
| DB9 | Cable color  | 8P8C position |
+-----+--------------+---------------+
|   1 | Brown        | 5             |
|   2 | Green        | 3             |
|   3 | White green  | 6             |
|   4 | Orange       | 7             |
|   5 | White blue   | 4             |
|   6 | White orange | 2             |
|   7 | Blue         | 8             |
|   8 | White brown  | 1             |
|   9 | Not wired    | Not wired     |
+-----+--------------+---------------+

So left to right with retaining clip not visible:

White brown – white orange – green – white blue – brown – white green – orange – blue

Pinout for the original Zyxel cable

+-----+--------------+---------------+
| DB9 | Cable color  | 8P8C position |
+-----+--------------+---------------+
|   1 | Brown        | 8             |
|   2 | Green        | 6             |
|   3 | White green  | 3             |
|   4 | Orange       | 2             |
|   5 | White blue   | 5             |
|   6 | White orange | 1             |
|   7 | Blue         | 4             |
|   8 | White brown  | 7             |
|   9 | Not wired    | Not wired     |
+-----+--------------+---------------+

So left to right with retaining clip not visible:

White orange – orange – white green – blue – white blue – green – white brown – brown

References

  • Cisco cable pin-out: http://pinouts.ru/SerialPortsCables/CiscoConsole9_pinout.shtml

Setting up an aggregated link between a Cisco switch and a VMware ESXi server

Goal

Increase bandwidth between the network and an ESXi host by setting up an aggregated link between the two.

These aggregated links are commonly referred to as an EtherChannel, trunk, port channel or teamed NICs.

Prerequisites

  • A recent Cisco switch that supports load balancing over an EtherChannel based on source and destination IP addresses. (For example, the popular Catalyst 2950 series do not support this load-balancing method.) You can check whether your switch supports it by checking whether the configuration command
    port-channel load-balance src-dst-ip
    is available. If it’s not, you can’t use this switch for the purpose described in this post.

Caveats

  • ESXi does not support dynamic aggregated links with protocols like LACP. One must manually configure the link on both ends.
  • Available bandwidth to one single host will not increase, as this is the nature of the link aggregation technologies being used. If you have two 100 Mbit links, the maximum attainable speed between a virtual machine and a single host on the network will still be 100 Mbit. However, if two hosts connect to the virtual machine, chances are pretty good one host’s traffic will go via one physical link and the other host’s via the second physical link.
  • This example aggregates two physical links into one; you can use more. You can mix different port speeds, but the recommended configuration is all links having the same speed.
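A small illustration of the single-host caveat, added here and not taken from the original post, VMware or Cisco: with IP-hash teaming the physical link is a pure function of the source/destination address pair, so one pair never spreads over several links. The hash used below (XOR of the two addresses modulo the number of links) is an assumed simplified stand-in for the real ESXi and Cisco hashes, and the addresses are constructed.

```python
# Added illustration, not code from the original post or from VMware/Cisco:
# a simplified model of source/destination IP hashing. Assumption: XOR of the
# two addresses modulo the number of links; the real "Route based on IP hash"
# and "src-dst-ip" implementations differ in detail but share the property
# shown here, that one src/dst pair always uses the same physical link.
import ipaddress
from collections import defaultdict

def select_uplink(src: str, dst: str, uplinks: int) -> int:
    """Index of the physical link a src/dst IPv4 pair is pinned to."""
    s = int(ipaddress.IPv4Address(src))
    d = int(ipaddress.IPv4Address(dst))
    # XOR is symmetric, so both directions of a conversation pick the same link.
    return (s ^ d) % uplinks

def distribute(flows, uplinks: int) -> dict:
    """Group (src, dst) pairs by the link they would be sent over."""
    per_link = defaultdict(list)
    for src, dst in flows:
        per_link[select_uplink(src, dst, uplinks)].append((src, dst))
    return dict(per_link)

# Constructed sample: one VM (10.0.0.10) behind the two-link team of the post.
VM = "10.0.0.10"
ONE_HOST = [(VM, "10.0.0.20")] * 4             # four connections, same peer
TWO_HOSTS = [(VM, "10.0.0.20"), (VM, "10.0.0.21")]

if __name__ == "__main__":
    # All four connections to one peer share a link: no bandwidth gain.
    print(distribute(ONE_HOST, 2))
    # Two peers can (and here do) land on different links.
    print(distribute(TWO_HOSTS, 2))
```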

Configure ESXi

Edit the network settings by going to Configuration -> Networking. Edit the virtual network properties which you want to create an aggregated link for, in this example this is vSwitch0.

Next, add the second network interface to the vSwitch in the Network Adapters tab:

Now we need to configure ESXi to bond the links on these two adapters together. Go back to the Ports tab and edit the vSwitch properties:

On the vSwitch properties window, go to the last tab NIC Teaming and set Load Balancing to “Route based on IP hash”:

That’s it for VMware. Now we need to configure the switch to create the aggregated link.

Configure the switch

In this example FastEthernet 0/23 and FastEthernet 0/24 are connected to my VMware ESXi server, so I’m going to use the interface range commands to apply the necessary configuration to both switchports.

It’s important that you match the load-balancing method ESXi uses to the one the switch uses. This is done using the port-channel load-balance command.

s2(config)#interface range FastEthernet 0/23 - 24
s2(config-if-range)#
s2(config-if-range)#channel-group 1 mode on
Creating a port-channel interface Port-channel 1
00:25:49: %LINK-3-UPDOWN: Interface Port-channel1, changed state to up
00:25:50: %LINEPROTO-5-UPDOWN: Line protocol on Interface Port-channel1, changed state to up
s2(config-if-range)#exit
s2(config)#port-channel load-balance src-dst-ip

Verify port-channel operation:

s2#show interface port-channel 1
Port-channel1 is up, line protocol is up (connected)
  Hardware is EtherChannel, address is 64d9.89ee.1234 (bia 64d9.89ee.1234)
  Description: To vwmare for VMs
  MTU 1500 bytes, BW 100000 Kbit/sec, DLY 100 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 100Mb/s, link type is auto, media type is unknown
  input flow-control is off, output flow-control is unsupported
  Members in this channel: Fa0/23 Fa0/24
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input never, output 00:00:01, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 6000 bits/sec, 2 packets/sec
  5 minute output rate 3000 bits/sec, 3 packets/sec
     32312407 packets input, 33220875322 bytes, 0 no buffer
     Received 135526 broadcasts (71135 multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 71135 multicast, 0 pause input
     0 input packets with dribble condition detected
     55382934 packets output, 67979911754 bytes, 0 underruns
     0 output errors, 0 collisions, 1 interface resets
     0 unknown protocol drops
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 pause output
     0 output buffer failures, 0 output buffers swapped out
s2#

SSH with key authentication on Cisco IOS devices

Goal

Connect to a Cisco switch, router, etc… using SSH with key authentication.

Prerequisites

  • Have PuTTY and PuTTYgen.
  • You have already configured your Cisco device to be able to accept SSH logins using usernames and passwords.

Caveats

Keep your SSH keys in a safe place, treat them like the keys to your house (unless you don’t particularly care about your house). If you suspect your keys have been stolen, make sure no devices will accept your stolen SSH key! Setting a passphrase on your key is a smart idea.

Generating a RSA key with PuTTYgen

Open puttygen.exe and set the parameters: the type of key must be SSH-2 RSA. You can vary the number of bits in the generated key; a higher number is more secure. Click the Generate button to generate a new key, and move the mouse around the window to create additional randomness.

Appropriately comment your key.

You may wish to enter a passphrase; it will be asked for every time you connect to a device using that key. It’s like a password.

Save your public key by clicking Save public key.  Create a folder to store your keys and name the file publickey.pub. Next, click Save private key, save it under the same folder as privatekey.ppk. Also, copy the “Public key for pasting into OpenSSH authorized_keys file” bit and save it to file.

The end result should look something like this:

Setting up your Cisco device to accept your key

Assuming you have a user called “admin” with which you want to perform key-based authentication, we will associate this user with a key he’s allowed to log in with.

Enter the following commands:

ip ssh pubkey-chain
 username admin
  key-string

Now, you need to copy the bit from authorized_keys. You only need the base64 key data: leave out the leading “ssh-rsa” and the comment at the end. So, if you have this authorized_keys:

ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAIBztRNLSqzuIDxATAl6zAhLcsTL40XHAANd+7ljTpbgvYX5IDJjYyD4jpDW9x8Qml553k0chDNFuW2ZE0gVL+MetDatI/DrgMIVRVcU9ZJLsVGqv6SuXeQI7UpvkP7ow+HS0hTd7GDw9sJ+OjAEIIcAhlBJ+4CPIeWjs98Z5ube6Q== my-cisco-device-key

You need to paste the

AAAAB3NzaC1yc2EAAAABJQAAAIBztRNLSqzuIDxATAl6zAhLcsTL40XHAANd+7ljTpbgvYX5IDJjYyD4jpDW9x8Qml553k0chDNFuW2ZE0gVL+MetDatI/DrgMIVRVcU9ZJLsVGqv6SuXeQI7UpvkP7ow+HS0hTd7GDw9sJ+OjAEIIcAhlBJ+4CPIeWjs98Z5ube6Q==

part. (Pasting is right-click in PuTTY). Press enter.

Exit a few times to leave the device’s configuration.

That’s it for configuring the Cisco device. You can add multiple keys per user and you can have multiple users each having their own keys for logging in.
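As an added helper, not from the original post, Cisco or PuTTY: the script below does the extraction described above programmatically, checks that the pasted data really is an ssh-rsa key, splits it into short lines for key-string, and reports the modulus size and an MD5 key hash. The sample line is the one shown above; the 72-character line width and the claim that the key-hash IOS stores equals the MD5 of the decoded blob are assumptions.

```python
# Added helper, not code from the original post, Cisco or PuTTY: it takes an
# OpenSSH authorized_keys line, checks that it really holds an ssh-rsa key,
# extracts the part that goes under key-string and reports key size and hash.
import base64
import hashlib
import struct

# Constructed sample input: the authorized_keys line shown in the post.
AUTHORIZED_KEYS_LINE = (
    "ssh-rsa "
    "AAAAB3NzaC1yc2EAAAABJQAAAIBztRNLSqzuIDxATAl6zAhLcsTL40XHAANd+7ljTpbgvY"
    "X5IDJjYyD4jpDW9x8Qml553k0chDNFuW2ZE0gVL+MetDatI/DrgMIVRVcU9ZJLsVGqv6Su"
    "XeQI7UpvkP7ow+HS0hTd7GDw9sJ+OjAEIIcAhlBJ+4CPIeWjs98Z5ube6Q=="
    " my-cisco-device-key"
)

def read_ssh_string(buf: bytes, pos: int):
    """Read one SSH wire-format string: 4-byte big-endian length, then data."""
    (length,) = struct.unpack(">I", buf[pos:pos + 4])
    return buf[pos + 4:pos + 4 + length], pos + 4 + length

def prepare_ios_key(line: str, width: int = 72) -> dict:
    """Return what to paste under key-string, plus checks on the key itself."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("expected an 'ssh-rsa <base64> [comment]' line")
    key_b64 = parts[1]        # middle field only: no "ssh-rsa", no comment
    blob = base64.b64decode(key_b64)
    key_type, pos = read_ssh_string(blob, 0)   # the blob names its own type
    if key_type != b"ssh-rsa":
        raise ValueError("key data does not contain an ssh-rsa key")
    _exponent, pos = read_ssh_string(blob, pos)
    modulus, pos = read_ssh_string(blob, pos)
    if pos != len(blob):
        raise ValueError("unexpected trailing data: mangled paste?")
    return {
        "type": key_type.decode(),
        # Modulus size: the post's sample key is ~1024 bits, well below the
        # 2048 bits usually treated as the minimum today.
        "bits": int.from_bytes(modulus, "big").bit_length(),
        "key_string": key_b64,
        # IOS joins a key-string typed over several lines; short lines paste
        # reliably (the exact per-line maximum is not given in the post).
        "lines": [key_b64[i:i + width] for i in range(0, len(key_b64), width)],
        # Assumption: the "key-hash ssh-rsa <hex>" that IOS writes into the
        # running config is the MD5 of the decoded blob (what
        # "ssh-keygen -E md5 -lf" prints), so it can be compared after pasting.
        "key_hash": hashlib.md5(blob).hexdigest(),
    }
```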

Setting up a PuTTY profile

To make use of your key, you must specifically configure PuTTY to do so. Open PuTTY and go to Connection -> SSH -> Auth. On the Private key file for authentication field, browse to your privatekey.ppk file.

You may also want PuTTY to log in automatically with your username. Go to Connection -> Data and fill in the Auto-login username field.

Once you’ve completed your setup, you may wish to save your session in the Session dialogue, so you don’t have to repeat this every time you want to login to your device.

Testing

When you login using your key, the result should be like this: