SSO no longer works with VMware vSphere Client (SEC_ERROR_INADEQUATE_KEY_USAGE)

Last week I noticed that the Single Sign-On (SSO) for the vSphere Client (Flex and HTML5) no longer works in my Firefox. Normally, the VMware Enhanced Authentication Plugin toolbar disappears at the bottom and you can enable the "Using Windows Session Authentication" option, but the checkbox remains unchecked. Reinstalling the VMware Enhanced Authentication plugin, updating the vCenter Server and reinstalling the plugin did not work.

Then I opened a ticket with VMware Support. Hours and some technology later, we had no idea what was going on. But we found out that the local web server at https://vmware-plugin:8094/ (used by the SSO) displays the following error message in Firefox:

SEC_ERROR_INADEQUATE_KEY_USAGE

It looks like a problem with the Enhanced Authentication Plugin certificate. This is provided by the plugin. It creates a local web server to communicate with the web page. The VMware support team then created the certificate manually, but the error still occurred - even with IE and Edge.

Then I tried it with a fresh portable Firefox and it worked. In my installed Firefox I removed the certificate exceptions for the normal host from the vCenter and vmware-plugin. I also - and most importantly - removed the certificate from the vCenter host and the vmware plugin from the certification authorities in Firefox. Reload the page and it's working again.

How to Backup and Restore the VMware ESXi 6.x Configuration

Backup Configuration
  • Connect via SSH to your running ESXi Host
  • Back up the config from the host
    vim-cmd hostsvc/firmware/backup_config

  • The config is saved under /scratch/downloads
  • Copy the config to a safe location

Restore Configuration
  • Enter maintenance mode
    vim-cmd hostsvc/maintenance_mode_enter
  • Restore the config
    vim-cmd hostsvc/firmware/restore_config /tmp/configBundle.tgz

Restore Configuration on a blank machine
  • Install Host
    • Install the new host with the same ESXi Version and Build
    • Follow the installation assistant
    • Reboot machine
  • ISO
    • Create an ISO containing your backed-up configBundle.tgz
    • Burn ISO or Load ISO as Virtual Drive in your LOM
  • ESXi Shell
    • From the Direct Console User Interface, press F2 and Login to access the System Customization menu.
    • Click Troubleshooting Options.
    • Select Enable ESXi Shell and press Return to enable it.
    • Press Alt+F1 to open the ESXi Shell
  • Mount CD-ROM
    • Load the iso9660 module with
      vmkload_mod iso9660

    • Find the Path to the CD-ROM with
      esxcfg-mpath -l | grep -i cd-rom

    • Mount the CD-ROM with the loaded module
      vsish -e set /vmkModules/iso9660/mount <mpx.vmhba33:C0:T0:L0>
    • The CD-ROM now appears in the output of "ls /vmfs/volumes/"
  • Restore config
    • Copy the config from the mounted CD-ROM drive to /tmp
      cp /vmfs/volumes/<CDROM ISO9660 NAME>/CONFIGBU.TGZ /tmp/configBundle.tgz
    • Enter maintenance mode
      vim-cmd hostsvc/maintenance_mode_enter
    • Restore the config
      vim-cmd hostsvc/firmware/restore_config /tmp/configBundle.tgz

Via: https://graspingtech.com/backup-vmware-esxi-6-5-configuration/
Via: https://www.techcrumble.net/2017/05/how-to-mount-the-host-cd-rom-to-the-esxi-shell/
Via: https://kb.vmware.com/s/article/2004746

Windows 10 1903 – BSOD (WDF_VIOLATION)

After updating an iMac Late 2010 to Windows 10 1903 I got a blue screen "WDF_VIOLATION". After checking the minidump, I could see that the MacHALDriver.sys (Macintosh Hardware Application Layer Driver) is involved. After renaming the file (c:\windows\system32\drivers\MacHALDriver.sys) over the network (works because the system crashes after user login) or in safe mode and rebooting, I was able to log back in. Since I don't use an Apple keyboard I can do without the driver.

While researching I found out that other users also have problems with a similar keyboard driver for HP. In this case it is called HpqKbFiltr.sys. It is also responsible for the hotkeys (screen brightness and so on).

Via: https://forums.overclockers.co.uk/threads/macbook-air-win-10-1903-wdf_violation.18855372/

TIL: Very useful Linux/Unix commands

Here is a list of useful Unix commands and code snippets. Who doesn't know the situation: you have a problem and look for a solution, which you then find on Stack Overflow or similar pages. Here I collect all the commands that I have come across over time or whose switches I simply cannot (or do not want to) remember.

  • How do I find all files containing specific text?
    grep -rnw '/path/to/somewhere/' -e 'pattern'
  • How do I change the default file permissions (the mask that controls file permissions)?
    umask
  • Untar (unzip) file/folder
    tar -zxvf archive.tar.gz
  • Tar (zip) file/folders
    tar -cvzf archive.tar.gz file1 file2
  • Copy files via rsync from one host to another
    rsync -avz [USER@]HOST:SOURCE [USER@]HOST:DEST
    rsync -avz [USER@]HOST:SOURCE rsync://[USER@]HOST[:PORT]/DEST
    rsync -avz -e "ssh -p 12345" LOCAL/SOURCE [USER@]HOST:DEST
  • Using rsync with sudo on the destination machine
    1. Find out the path to rsync: which rsync
    2. Edit the /etc/sudoers file: sudo visudo
    3. Add the line <username> ALL=NOPASSWD:<path to rsync>, where <username> is the login name of the user that rsync will use to log on. That user must be able to use sudo. This rule lets that user run rsync as root without a password, so it can read and write any file on the destination.

    Then, on the source machine, specify that sudo rsync shall be used:

    rsync -avz --rsync-path="sudo rsync" SOURCE [USER@]HOST:DEST
  • Preserve SSH_AUTH_SOCK (Environment Variables) When Using sudo

    sudo --preserve-env=SSH_AUTH_SOCK -s
  • nslookup missing? Install dig

    sudo apt-get install dnsutils
  • find without "Permission denied"

    find / -name 'filename.ext' 2>&1 | grep -v "Permission denied"
  • flush dns cache

    sudo systemd-resolve --flush-caches
  • show open ports

    netstat -tulpn
  • Directory size

    du -sh /var
    du -shc /var/*
    du -h --max-depth=1 /var
    du -sh /var/lib/docker/containers/*/*.log
  • Search multiple PDF files for a "needle"

    pdfgrep -i needle haystack*.pdf
  • Show hidden files with ls

    ls -lar
  • Redirect STDOUT and STDERR to a file

    nice-command > out.txt 2>&1
  • Installs your SSH public key to a remote host

    ssh-copy-id 'user@remotehost'
  • A command-line system information tool

    neofetch
  • Show disk usage, folder size, items per folder, find big directories, ... with ncdu

    ncdu
  • Fancy resource monitor

    btop
  • Display disk activity

    iotop
  • Display network activity

    iftop or iptraf
  • Cleanup Docker

    docker system prune --help
  • Find and repair disk errors on ext (ext2, ext3 and ext4) filesystems

    sudo e2fsck -f </dev/sda2> 
  • Forward TCP/UDP ports with socat

    socat TCP-LISTEN:8080,fork,reuseaddr TCP:homeserver.local:8080
  • Traceroute and ping in one, visual console tool

    mtr <host>

Run command in background on a Synology NAS with nohup

To run a program that keeps running after you close the SSH session, use nohup (no hangup). Attention, you have to run it as root for it to work!

admin@DiskStation:~$ sudo su
Password:
ash-4.3# nohup <command> &

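For example (the pipeline is wrapped in sh -c so that nohup covers both cat and split, not just cat):
ash-4.3# nohup sh -c 'cat /dev/zero | split -b 4095m - /volumeUSB2/usbshare/zeros -d --additional-suffix=.file' &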

PowerCLI error after vCenter Server upgrade

After upgrading to vSphere 6.7, a PowerCLI script aborts with this error message:

The vCenter Server is unable to decrypt passwords stored in the customization specification.

To resolve the issue, retype the password in the VM customization specifications (under Policies and Profiles). Edit the customization specifications and retype the password under the following two settings:
- Administrator password
- Workgroup or domain

Write zeros to a hard drive – Wipe/Erase unused or free space

Windows: Format and write zeros to every sector of the drive.
format <Driveletter> /fs:NTFS /p:0

Windows: Format and write zeros to every sector of the drive. After the first pass write random numbers.
format <Driveletter> /fs:NTFS /p:2

Windows: Fill free space.
cipher /w:<Driveletter>[:\foldername]

Unix: Wipe full drive.
dd if=/dev/zero of=/dev/<block device> bs=<block size 1M, 32M, etc.> status=progress

Unix: Fill free space.
dd if=/dev/zero of=/path/to/drive/zeros.file status=progress

Unix: Fill free space on FAT32 drive (4GB limit per file).
cat /dev/zero | split -b 2000m - zero -d --additional-suffix=.file

To run the process in the background, see "Run command in background on a Synology NAS with nohup".
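
The "fill free space" commands above, wrapped as a shell function (an added example, not part of the original post): it writes zero-filled chunk files that stay below the FAT32 per-file limit until the filesystem is full, flushes them to disk and then deletes them so the space is usable again. The function name zero_fill, its parameters and the cleanup step are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original post).
# zero_fill DIR [CHUNK_MB] [MAX_CHUNKS]
#   DIR         directory on the filesystem whose free space is overwritten
#   CHUNK_MB    size of each chunk file in MiB (default 2000, below the
#               4 GB per-file limit of FAT32)
#   MAX_CHUNKS  stop after this many chunks (default 0 = until the disk is full)
# Prints the number of chunk files written; returns 2 on a usage error.
zero_fill() {
    dir=$1
    chunk_mb=${2:-2000}
    max_chunks=${3:-0}
    if [ ! -d "$dir" ]; then
        echo "zero_fill: not a directory: $dir" >&2
        return 2
    fi

    # Keep all chunks in one private subdirectory so cleanup cannot touch
    # anything else on the drive.
    work=$(mktemp -d "$dir/zerofill.XXXXXX") || return 2
    count=0
    while [ "$max_chunks" -eq 0 ] || [ "$count" -lt "$max_chunks" ]; do
        file="$work/zero.$count.file"
        # dd exits non-zero once the filesystem is full; that is the
        # expected way for an uncapped run to end.
        if ! dd if=/dev/zero of="$file" bs=1048576 count="$chunk_mb" 2>/dev/null; then
            # A partially written last chunk still holds zeros: count it.
            if [ -s "$file" ]; then
                count=$((count + 1))
            fi
            break
        fi
        count=$((count + 1))
    done

    sync             # make sure the zeros reach the device before deleting
    rm -rf "$work"   # release the space again
    echo "$count"
}
```

Called as zero_fill /path/to/drive it runs until the drive is full; the optional third argument caps the run for a trial on a small directory.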

How to configure RPC dynamic port allocation to work with firewalls

By default, Windows XP uses a dynamic port range from 1024 to 5000 for RPC/WMI/DCOM. To set a fixed port or range, use these settings:

  1. regedit: HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc
  2. Add key "Internet"
  3. Add these three values:

Ports: REG_MULTI_SZ: 5000-5100
PortsInternetAvailable: REG_SZ: Y
UseInternetPorts: REG_SZ: Y

  4. Run winmgmt -standalonehost
  5. net stop winmgmt
  6. net start winmgmt
  7. Reboot

Via: https://support.microsoft.com/en-us/help/154596/how-to-configure-rpc-dynamic-port-allocation-to-work-with-firewalls
Via: https://msdn.microsoft.com/en-us/library/bb219447%28v=vs.85%29.aspx