Public CAs do not allow internal names and reserved IP addresses any more

As of November 2015, public CAs no longer issue new certificates that use internal names or reserved IP addresses in the subjectAltName or in the commonName. Furthermore, such certificates that were already issued will be revoked on October 1st, 2016.

Internal names are hostnames that do not end in a public top-level domain (.com, .de, …), for example names ending in .local or .internal. NetBIOS names without any domain suffix are affected as well.

Reserved IP addresses are defined by the Internet Assigned Numbers Authority (IANA). You can look up the reservations for IPv4 here (RFC 1918 ranges) and for IPv6 here (RFC 4193 range).

If you are using an internal CA, you are not affected. For more information about this change by public CAs, click here. For more information about VMware products, click here.
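To find out which certificates on a server would be hit by this change, here is an added example (not from the original post) that walks the local machine store and reports every certificate whose CN or subjectAltName contains a single-label name, a name with an internal suffix, or an RFC 1918/RFC 4193 address. The suffix list is a constructed illustration, not the public suffix list, and the SAN parsing assumes the English "DNS Name=" / "IP Address=" output format.

```powershell
# Added example: audit Cert:\LocalMachine\My for names public CAs no longer sign.
# Assumption: $InternalSuffixes is an illustrative list, not a public suffix list.
$InternalSuffixes = @('local', 'internal', 'lan', 'corp', 'home', 'localdomain')

function Test-ReservedIP {
    param([string]$Text)
    $ip = $null
    if (-not [System.Net.IPAddress]::TryParse($Text, [ref]$ip)) { return $false }
    $b = $ip.GetAddressBytes()
    if ($ip.AddressFamily -eq 'InterNetwork') {
        # RFC 1918: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
        return ($b[0] -eq 10) -or
               ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
               ($b[0] -eq 192 -and $b[1] -eq 168)
    }
    return (($b[0] -band 0xfe) -eq 0xfc)   # RFC 4193: fc00::/7
}

function Test-InternalName {
    param([string]$Name)
    $n = $Name.Trim().ToLower().TrimEnd('.')
    if (Test-ReservedIP $n) { return $true }
    $labels = $n.Split('.')
    if ($labels.Count -eq 1) { return $true }          # NetBIOS-style single label
    return $InternalSuffixes -contains $labels[-1]     # .local, .internal, ...
}

function Get-NonPublicCertNames {
    param([string]$StorePath = 'Cert:\LocalMachine\My')
    foreach ($cert in Get-ChildItem $StorePath) {
        $names = @()
        if ($cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1] }
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        if ($san) {
            # Multi-line format yields "DNS Name=host.example.com" / "IP Address=10.0.0.5"
            $names += @($san.Format($true) -split "`r?`n" | ForEach-Object {
                if ($_ -match '^(DNS Name|IP Address)=(.+)$') { $Matches[2].Trim() } })
        }
        $bad = @($names | Where-Object { Test-InternalName $_ })
        if ($bad.Count -gt 0) {
            [pscustomobject]@{ Thumbprint = $cert.Thumbprint; Issuer = $cert.Issuer
                               NonPublicNames = ($bad -join ', ') }
        }
    }
}

Get-NonPublicCertNames | Format-Table -AutoSize
```

Certificates whose Issuer is your internal CA can be ignored; only the ones issued by a public CA need to be replaced before the revocation date.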


Some useful notes about KMS and VDI

Here are some useful links and commands for implementing and troubleshooting Microsoft KMS (Office and Windows).

Steps to install KMS for Windows (Link: here):

  1. Install the KMS server, then install the KMS key:
    slmgr.vbs /ipk kms-key
    You should get a success message after a few seconds. If not, the key is probably not a KMS key or it is the wrong key.
  2. Activate the KMS server online:
    slmgr.vbs /ato
  3. Check information about the service:
    slmgr.vbs /dlv (less information)
    slmgr.vbs /dli (more information)

Steps to install KMS for Office 2010 (link in German: here):

  1. Download the Office 2010 KMS Host License Pack here and install it on the KMS server. During the installation you enter the KMS key for your Office 2010 license.
  2. Check information about the service:
    slmgr.vbs /dlv all (for Windows and Office)
    slmgr.vbs /dlv bfe7a195-4f8f-4f0b-a622-cf13c7d16864 (just for Office)

Stuff for troubleshooting:

  • Install the Volume Activation Management Tool (VAMT) on the KMS server.
  • For Windows, at least 25 devices have to try to activate via KMS before KMS starts working. For Office you need at least 5.
  • slmgr.vbs /dlv shows this counter (Current count). It stops counting at double the limit (50 respectively 10). It can go down again if no new unique devices try to activate for some time.
  • These devices have to be unique! Just enrolling 5 View desktops to enable KMS will not work, because the Office ID of every device is the same!
    • Display this ID: cscript "C:\Program Files\Microsoft Office\Office14\OSPP.VBS" /dcmid
    • Reset/rearm Office 2010: C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\ospprearm.exe
  • For VDI, one way to keep KMS working (it stops working when the counter of unique devices stays beneath the limit of 20 respectively 5 for 180 days) is to enroll your desktops and rearm them afterwards.
  • Event ID 12290 gives information about what is going on; it also shows the ID. More information on this can be found here.
  • When you want to use a master for a different domain with a different KMS server, be aware that the KMS client caches its server. In the master VM run:
    • To disable caching: slmgr /ckhc
    • To remove the cached server: slmgr /ckms
    The KMS client will then use DNS to resolve the KMS server again.
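The counter and event checks above can be scripted so the threshold problem shows up before users complain. This is an added example, not from the original post: it reads "Current count" from slmgr.vbs /dlv on the KMS host, compares it with the limits named above (25 for Windows, 5 for Office, using the Office activation ID from the post), and lists the latest 12290 events. It assumes it runs on the KMS host and that "Key Management Service" is the name of the host's KMS event log.

```powershell
# Added example: compare the KMS "Current count" with the activation thresholds.
function Get-KmsCurrentCount {
    param([string]$ActivationId)
    $arguments = @('//nologo', "$env:SystemRoot\System32\slmgr.vbs", '/dlv')
    if ($ActivationId) { $arguments += $ActivationId }   # /dlv <activation id> = one product
    $text = (& cscript.exe @arguments 2>&1) -join "`n"
    if ($text -match 'Current count:\s*(\d+)') { return [int]$Matches[1] }
    return $null   # no KMS host data for this product on this machine
}

$checks = @(
    @{ Product = 'Windows';     ActivationId = ''; Required = 25; CountsUpTo = 50 }
    @{ Product = 'Office 2010'; ActivationId = 'bfe7a195-4f8f-4f0b-a622-cf13c7d16864'
       Required = 5; CountsUpTo = 10 }
)

$checks | ForEach-Object {
    $count = Get-KmsCurrentCount -ActivationId $_.ActivationId
    $state = if ($null -eq $count) { 'no KMS host data' }
             elseif ($count -ge $_.Required) { 'threshold reached, clients get activated' }
             else { "$($_.Required - $count) more unique CMIDs needed" }
    [pscustomobject]@{ Product = $_.Product; CurrentCount = $count
                       Required = $_.Required; CountsUpTo = $_.CountsUpTo; State = $state }
} | Format-Table -AutoSize

# Recent activation requests (Event ID 12290) carry the client ID, so clones of one
# master that were not rearmed show up as the same ID repeating.
Get-WinEvent -FilterHashtable @{ LogName = 'Key Management Service'; Id = 12290 } -MaxEvents 10 |
    Format-Table TimeCreated, Message -Wrap
```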


How to create certificates for VMware View (and others) using a Windows CA

This is a rather short post: a checklist, or rather a step list, of things you should know and do to create certificates for VMware products like VMware View. The steps in this post should work for Windows Server 2008 and later. Furthermore, you can use steps 1 and 2 for products other than VMware View, such as vSphere.

If you don’t have a Windows CA but want to use one to issue certificates, you have to create it. You can install it either on a domain controller or on a member server. When you install the CA on a domain controller, you have to remove the CA before you demote the domain controller. This is the only limitation I know of, or rather was told about. But it is quite easy to move the CA to another server within the domain, so the limitation is important to know but no showstopper!

  1. Install a Windows CA if one does not exist yet.
    1. Add the role Active Directory Certificate Services to a server.
      • Install and configure the CA to meet your requirements.
    2. Export the root certificate into a text file.
    3. Create a GPO to distribute the certificate as a Trusted Root Certification Authority within the domain. To do this, import the certificate into the GPO beneath Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies\Trusted Root Certification Authorities.
    4. Link the GPO at the AD level where you need it.
    5. Check that the certificate is installed under Trusted Root Certification Authorities on domain members.
  2. Create a certificate template for VMware products. This step is optional, but it is quite useful if you plan to create more than one certificate.
    1. Log into the Windows CA using mmc.exe.
    2. Open Manage Certificate Templates.
    3. Duplicate the Web Server template and configure the copy:
      • Leave compatibility at Windows Server 2003.
      • Rename the copy and set a recognizable name.
      • You can change the validity and renewal period.
      • For older versions (for example vSphere 5.0) consider setting Signature is proof of origin (nonrepudiation) and Allow encryption of user data in Extensions –> Key Usage. Furthermore, add Client Authentication in Extensions –> Application Policies.
      • To enable the creation of SAN certificates, ensure Subject Name –> Supply in the request is selected.
      • Add the groups of computer accounts in Security and allow them to Read and Enroll the template.
    4. To enable the template, you have to issue it using New –> Certificate Template to Issue.
    5. Now domain members should be able to select the template when requesting certificates.
  3. Request a certificate for the View Connection Server.
    I will describe the way to use mmc.exe to request a certificate, because this is quite a simple way.

    1. Open the local computer certificate store using mmc.exe.
    2. Open the Personal folder, choose Request New Certificate… and select the newly created template to configure the required settings:
      • In tab Subject add the FQDN as Common name and, beneath Alternative name, as type DNS. Also add the hostname as type DNS. If you plan to give your users a single hostname to connect to more than one Connection Server, add that FQDN as DNS too.
      • In tab General set “vdm” as Friendly name.
      • In tab Private Key enable Make private key exportable beneath Key options.
    3. Enroll the certificate.
    4. Check the personal certificates of the server. If there is more than one certificate using the friendly name “vdm”, delete the unwanted self-signed certificate.

That’s it!
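The same request can be made without the mmc.exe wizard, which helps when several Connection Servers need certificates. This is an added example, not from the original post: it builds a certreq.exe INF with the same settings as step 3 (CN and both DNS SANs, exportable key in the local computer store, friendly name “vdm”) and then checks for duplicate “vdm” certificates as in step 4. The FQDN, host name, template name and CA config string are placeholders; run it as administrator on the Connection Server.

```powershell
# Added example: request the View certificate with certreq.exe instead of the wizard.
$Fqdn      = 'view.example.com'      # placeholder: FQDN of the Connection Server
$ShortName = 'view'                  # placeholder: host name
$Template  = 'VMwareWebServer'       # placeholder: name of the duplicated Web Server template
$CaConfig  = 'CAHOST\Contoso-CA'     # placeholder: <CA host>\<CA name>

$inf = @"
[NewRequest]
Subject = "CN=$Fqdn"
; "Make private key exportable" and the local computer store, as in the wizard
Exportable = TRUE
MachineKeySet = TRUE
KeyLength = 2048
KeySpec = 1
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[RequestAttributes]
CertificateTemplate = "$Template"

[Extensions]
; subjectAltName with the FQDN and the host name as DNS entries
2.5.29.17 = "{text}"
_continue_ = "dns=$Fqdn&"
_continue_ = "dns=$ShortName&"
"@

$work = Join-Path $env:TEMP 'vdm'
New-Item -ItemType Directory -Path $work -Force | Out-Null
Set-Content -Path "$work\vdm.inf" -Value $inf -Encoding ASCII
certreq.exe -new "$work\vdm.inf" "$work\vdm.req"                        # build the CSR
certreq.exe -submit -config $CaConfig "$work\vdm.req" "$work\vdm.cer"   # enroll at the CA
certreq.exe -accept "$work\vdm.cer"                                     # install and bind to the key

# Step 4 of the post: set the friendly name View looks for and list every certificate
# carrying it, so a leftover self-signed one can be spotted and removed.
$new = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$Fqdn" } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
$new.FriendlyName = 'vdm'
Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.FriendlyName -eq 'vdm' } |
    Format-Table Thumbprint, Subject, Issuer, NotAfter -AutoSize
```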


(my) guideline to Microsoft licensing for VDI

This list does not claim to be comprehensive. Use this information at your own risk!

User or device CALs

  • Take user CALs when a user uses more than one device to access the desktop.
  • Take device CALs when there are more devices than users, or equally many.
  • Microsoft licenses the physical person (named user), NOT an Active Directory user!

RDS CALs and VDA licenses

  • A VDA license includes the license for the virtual desktop.
  • If you use a Windows Server OS instead of a client OS to present the desktop to a user, you need an RDS CAL instead of a VDA license to allow the user to connect to this server. The prices of server CAL and VDA are almost the same. Anyway, this is only a good idea if a Windows Datacenter license is mapped to the host.
  • Virtual desktop (no Software Assurance) accessed by Linux/Windows Embedded/Windows Home/… –> VDA license
  • Virtual desktop (with Software Assurance) accessed by any client –> already licensed
  • A Windows device with active Software Assurance that connects to a virtual desktop –> virtual desktop and connection are licensed by Software Assurance
  • To use RDS (applications or desktops) you need RDS CALs.

Additional server CALs

  • Connection Brokers also need Windows CALs for users or devices.
  • If external users cannot be counted, you can license them with an External Connector license for Windows. If you know how many there are, you need CALs for users or devices.
  • SQL Server licenses based on CPUs are based on the core count, NOT the socket count.

NFS client for Windows (Server 2012)

Installation and how to use:

  • Install the client by adding the feature “NFS client for Windows” – straightforward, no reboot required
  • use nfsadmin to configure the client, if necessary
  • use mount to map shares
  • use umount to remove mount points

Example:
mount \\nas-device\nas\share u:

Options that could be interesting:

  • -o mtype=soft|hard
    hard: in case the NFS server goes offline, the NFS client for Windows keeps trying to reconnect until the server is online again.
  • -o nolock
    better performance in case of read-only access
  • -o fileaccess=mode

Links
man page mount
man page nfsadmin
