
KB2757011 breaks Remote Web Access in SBS / WHS11 - Fixed!



#1 protivakid


Posted 21 September 2021 - 05:25 PM

Not recommending anyone actually run a WHS2011 box online, this is simply for fun.

 

I have an old Windows Home Server 2011 box (very similar to 2008 R2), that I am running just for fun. (See this thread where I fixed server backup). It has no important files on it. I have a good time keeping this going for whatever reason but this year ran into a problem that I wanted to document here in case it helps anyone else.

The two semi-related problems that I ran into this year were that:
 

  1. On the Dashboard, the "Set up" button under Domain name simply showed an error when clicked.
  2. For existing setups the free .homeserver.com Domain name was no longer being updated with the current IP.

This week I dove in to see if this functionality could be restored.

Diving into the SharedServiceHost-DomainManagerServiceConfig log file I could see entries such as this.

 
DomainManager: Throwing FaultException with detail DomainManagerFault:[Reason:CommunicationFailure, Message:UpdateDNS failed, Detail:An error occurred while making the HTTP request to https://dyndns.domains.live.com/service/livedyndns.asmx. This could be due to the fact that the server certificate is not configured properly with HTTP.SYS in the HTTPS case. This could also be caused by a mismatch of the security binding between the client and the server. ]

Originally I thought the dyndns.domains.live.com site was now defunct with Home Server 2011 no longer officially supported. To my surprise though I was able to pull up the site via a browser so what was going on? That pointed me to the second part of the error message, security.

I first found this site which walks you through increasing the security on SBS 2011, which is very similar to WHS 2011: https://windowspoweressentials.com/2015/12/14/sbs-2011-standard-disable-tls-1-0/

Going through the steps and rebooting I still encountered the same problem but on the site he mentions a PowerShell script from Hass Alexander that takes his steps to the next levels as far as increasing web security goes. The script can be found here: https://www.hass.de/content/setup-microsoft-windows-or-iis-ssl-perfect-forward-secrecy-and-tls-12

I ran the script and rebooted when prompted. I then rebooted a second time after the script finished and to my surprise it worked! Using Nslookup I was able to verify that the .homeserver.com domain name I was using now had my current IP and the logs no longer showed error entries, awesome! The server also achieved an "A" rating on the SSL Server Test site lol.

Now to tackle the dashboard setup. Looking at the Dashboard.log file, when trying the button you will see the following entry:
 

 
DomainConfigWizard: Error occurred in Domain Manager Object Model operations: System.Net.WebException: The remote name could not be resolved: 'www.microsoft-sbs-domains.com'

On a fresh install of WHS2011 in a VM the Set-up button still works fine, so it's not some dependency that's been changed, it's something internal to the system. I then started to apply recommended updates to the fresh install a few at a time, testing the Set-up button in-between until I saw the error. I was able to narrow the issue down to KB2757011 which is a rollup update for the system. Removing the update will restore set-up button functionality.

But what specifically broke this? Using WinMerge to compare file system contents before and after the update I had a few things to dig into. After testing by replacing different "before update" files onto a VM that had the update applied I discovered that it was Wssg.Web.DomainConfigWizard.dll inside of the Program Files\Windows Server\Bin folder. The new post-update file has a date of 11/3/2012, and the pre-update version that comes on a fresh server install was dated 3/2/2011 on my system. I simply renamed the 2012 file bak_ and then copied the working 2011 version into the directory.

After a reboot this button now worked again as well! I was able to register for a free new homeserver.com domain and had the option to change to my own provider. Again this was all just for fun, I'll be shutting down the server now but wanted to share in case anyone here was ever in a similar boat.


Edited by protivakid, 21 September 2021 - 06:01 PM.



 


#2 protivakid


Posted 29 September 2021 - 11:23 AM

Hold your horses! After stepping through the above I realized that I accidentally broke Client PC Backup on the server. It seems that script from Alexander Hass did "too much" haha. No problem, I was able to figure out the issue and now you have two options.

 

A. If you only want to fix the updating of the DNS you simply need to add the following registry keys and reboot. You can copy/paste the below into a PowerShell script .ps1 file if you want.

# Add and enable TLS 1.2 for client SCHANNEL communications (only the Client key is set below)

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -name 'Enabled' -value '0xffffffff' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -name 'DisabledByDefault' -value 0 -PropertyType 'DWord' -Force | Out-Null
Write-Host 'TLS 1.2 has been enabled.'

# Exchange Server TLS guidance Part 2: Enabling TLS 1.2 and Identifying Clients Not Using It
# https://blogs.technet.microsoft.com/exchange/2018/04/02/exchange-server-tls-guidance-part-2-enabling-tls-1-2-and-identifying-clients-not-using-it/
# New IIS functionality to help identify weak TLS usage
# https://cloudblogs.microsoft.com/microsoftsecure/2017/09/07/new-iis-functionality-to-help-identify-weak-tls-usage/
Write-Host 'Enable TLS 1.2 for .NET 3.5 and .NET 4.x'

New-ItemProperty -path "HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" -name 'SystemDefaultTlsVersions' -value 1 -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path "HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319" -name 'SchUseStrongCrypto' -value 1 -PropertyType 'DWord' -Force | Out-Null



B. If you like the idea of running Alex's whole security script to fix the issue and better protect your aging server, yet still want Client PC Backup to work, then after the script runs delete the following registry keys and reboot:

HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server\Enabled 
HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server\DisabledByDefault

Either of these options will get your backup working. With option B though I can't promise that Alexander's script won't disrupt anything else, the PC Backup was just one thing I happened to notice. He does offer an un-installer script on his site too in case you find other issues after running it.

 

Hope this helps someone down the road.


Edited by protivakid, 29 September 2021 - 11:26 AM.
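
A read-only check of the registry values named in the post above, as an added example that is not part of the original posts or of Alexander Hass's script: it reports the TLS 1.0 and TLS 1.2 SCHANNEL keys and the two .NET values so the state can be compared before and after either option. The function names and the extra Wow6432Node path are assumptions of this example, not something the thread sets.

```powershell
# Added example: read-only audit of the registry values discussed in the post above.
# Sticks to PowerShell 2.0 syntax, which is what a 2008 R2-era server ships with.
$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$dotnetKeys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    # 32-bit registry view; not touched by the snippet in the post (assumption: worth checking too)
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'
)

function Get-RegValue($Path, $Name) {
    # Returns the value data, or $null when the key or the value is missing.
    if (-not (Test-Path $Path)) { return $null }
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item) { return $item.$Name }
    return $null
}

function Get-SchannelState($Protocol, $Role) {
    $key = "$schannel\$Protocol\$Role"
    $enabled = Get-RegValue $key 'Enabled'
    $disabledByDefault = Get-RegValue $key 'DisabledByDefault'
    # A DWORD of 0xffffffff reads back as -1, so treat any non-zero Enabled as "on".
    if (-not (Test-Path $key))        { $state = 'key absent (OS default applies)' }
    elseif ($enabled -eq $null)       { $state = 'key present, Enabled not set' }
    elseif ($enabled -eq 0)           { $state = 'explicitly disabled' }
    elseif ($disabledByDefault -eq 0) { $state = 'explicitly enabled' }
    else                              { $state = 'enabled, but DisabledByDefault is not 0' }
    New-Object PSObject -Property @{ Key = "$Protocol\$Role"; State = $state }
}

# SCHANNEL protocol keys touched by option A (TLS 1.2\Client) and option B (TLS 1.0\Server)
$rows = @()
foreach ($protocol in 'TLS 1.0', 'TLS 1.2') {
    foreach ($role in 'Client', 'Server') { $rows += Get-SchannelState $protocol $role }
}
$rows | Select-Object Key, State | Format-Table -AutoSize

# .NET Framework values set by option A
foreach ($key in $dotnetKeys) {
    foreach ($name in 'SystemDefaultTlsVersions', 'SchUseStrongCrypto') {
        $value = Get-RegValue $key $name
        if ($value -eq $null) { $value = 'not set' }
        Write-Host ("{0}  {1} = {2}" -f $key, $name, $value)
    }
}
```

After option A, TLS 1.2\Client should read "explicitly enabled" and both .NET values should be 1 under the first path. After the cleanup in option B, TLS 1.0\Server should read "key absent".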


#3 svott


Posted 23 October 2021 - 11:16 PM

Thank you for posting this.  I arrived here after searching for the same DomainManagerFault error message that I found in the logs on my WHS2011.   After running the Powershell script I'm back in business with remote web access, and no more alerts in the WHS dashboard.  Much appreciated.



#4 protivakid


Posted 25 October 2021 - 11:31 AM


 

Glad it helped someone. Did you run the whole script and fix client backup after or only enable what was needed?



#5 svott


Posted 26 October 2021 - 11:35 AM

 


 

 

I just ran the excerpt from your previous message.   That was sufficient to restore the domain name registration, and it didn't interfere with the client backups.



#6 Count_Magnus


Posted 17 November 2022 - 03:27 PM

protivakid, Many Thanks for the help with my WHS2011 problem. I hope this will fix it. Using option A. Will let you know once I have tried it.

#7 Count_Magnus


Posted 18 November 2022 - 08:51 AM

Sorry but did not work and solve my problem. Thanks anyway





