Showing posts with label Lansweeper. Show all posts

Wednesday, January 05, 2022

Log4J MS Fix with Active Directory and Detection with Lansweeper

Log4J has been in the news for a while, so to patch the Windows systems, I updated everyone's version of Java to the latest version.  In accordance with Microsoft's environment variable fix, I set up the variable to be deployed with Active Directory (after I verified that no apps would lose functionality).  You can read more about the environment variable fix in this article: Microsoft Statement and Mitigations for Log4J.

To deploy the fix I used Active Directory.  I have a global GP for setting basic permissions, and it is enforced for everyone, so it makes the most sense to put it there.



Edit the policy and go to Computer Configuration -> Preferences -> Windows Settings -> Environment.


Right click (or under action) New -> Environment Variable

Enter in the following:

Name = LOG4J_FORMAT_MSG_NO_LOOKUPS

Value = TRUE


Along with the variable, I have also updated Java to the latest version using Lansweeper's software push functions.  I have 70 clients to update; I deployed this in the early afternoon, and over half of them were done by the time I left.

I wrote a script in Lansweeper that checks for the environment variable.  You first have to enable environment scanning.  Under Scanning, select Scanned Item Interval.



By default Environment is not checked (disabled) as shown below.


You have to enable it for this detection script to work.


With that done, this script will check to see if the environment variable has been added.

/******************************************************************************/
-- Lists active assets whose scanned environment contains
-- LOG4J_FORMAT_MSG_NO_LOOKUPS with the value 'true'.
Select Top 1000000 tblassets.AssetID,
  tblassets.AssetName,
  tsysassettypes.AssetTypename,
  tsysassettypes.AssetTypeIcon10 As icon,
  tblassets.IPAddress,
  tblassets.Lastseen,
  tblassets.Lasttried,
  tblEnvironment.Name As Name1,
  tblEnvironment.VariableValue As VariableValue1
From tblassets
  Inner Join tblassetcustom On tblassets.AssetID = tblassetcustom.AssetID
  Inner Join tsysassettypes On tsysassettypes.AssetType = tblassets.Assettype
  Inner Join lansweeperdb.dbo.tblEnvironment On tblassets.AssetID =
      tblEnvironment.AssetID
-- State = 1 restricts the report to active assets
Where tblEnvironment.Name = 'LOG4J_FORMAT_MSG_NO_LOOKUPS' And
  tblEnvironment.VariableValue = 'true' And tblassetcustom.State = 1
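
The report above lists the assets where the variable is already set; the machines that still need attention are the ones it leaves out. The following query is an added example (not part of the original post) that inverts the check, using the same tables and columns as the report above. It assumes that Windows computers carry the asset type name 'Windows' in tsysassettypes and that an asset with no tblEnvironment rows has not had its environment scanned yet.

```sql
-- Added example: active Windows assets that do NOT report
-- LOG4J_FORMAT_MSG_NO_LOOKUPS = true, with the reason for each.
Select Top 1000000 tblassets.AssetID,
  tblassets.AssetName,
  tsysassettypes.AssetTypename,
  tsysassettypes.AssetTypeIcon10 As icon,
  tblassets.IPAddress,
  tblassets.Lastseen,
  Case
    -- No environment rows at all: environment scanning has not run
    -- for this asset, so absence of the variable proves nothing yet.
    When Not Exists (Select 1
        From lansweeperdb.dbo.tblEnvironment e
        Where e.AssetID = tblassets.AssetID)
      Then 'No environment data scanned'
    -- Variable exists but holds something other than true.
    When Exists (Select 1
        From lansweeperdb.dbo.tblEnvironment e
        Where e.AssetID = tblassets.AssetID
          And e.Name = 'LOG4J_FORMAT_MSG_NO_LOOKUPS')
      Then 'Variable present, value is not true'
    Else 'Variable missing'
  End As Finding
From tblassets
  Inner Join tblassetcustom On tblassets.AssetID = tblassetcustom.AssetID
  Inner Join tsysassettypes On tsysassettypes.AssetType = tblassets.Assettype
Where tblassetcustom.State = 1
  -- Assumption: 'Windows' is the type name used for Windows computers.
  And tsysassettypes.AssetTypename = 'Windows'
  -- Lower() makes the match independent of the database collation,
  -- since the policy deploys the value as TRUE.
  And Not Exists (Select 1
      From lansweeperdb.dbo.tblEnvironment e
      Where e.AssetID = tblassets.AssetID
        And e.Name = 'LOG4J_FORMAT_MSG_NO_LOOKUPS'
        And Lower(e.VariableValue) = 'true')
Order By Finding, tblassets.AssetName
```

Assets reported as 'No environment data scanned' need a rescan with Environment enabled before they can be counted either way.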

Thursday, April 22, 2021

Updating SSL Certificate for Lansweeper

Lansweeper has some great instructions for adding an SSL certificate to their IIS server.  I added an SSL certificate to the Lansweeper server 11 months ago, and now it was time to update the certificate.  I logged into my DigiCert account and downloaded a PKCS #7 certificate to install into Lansweeper.  I installed the cert to Certificates -> Personal -> Certificates.


Following Lansweeper's instructions, I also updated the iisexpressSvc.exe.config and restarted the service.  To my surprise I got the following error.


Being unable to bypass the error, I discovered that putting the old certificate's thumbprint back into place, or setting "UseCustomSSLCertificate" to 0, made it possible to access Lansweeper again.

<add key="UseCustomSSLCertificate" value="0"/>
<add key="CertificateThumbPrint" value="$TLSThumbprint"/>

The error logs were not really helpful either, showing just a binding error.

--------------------------------------Error Logs----------------------------------

Time: 22-04-2021 12:06:50 - Result: ADD Custom URL -  Port: 443

Time: 22-04-2021 12:06:50 - Result: Error Performing Commands. System.ComponentModel.Win32Exception (0x80004005): A specified logon session does not exist. It may already have been terminated    at SslCertBinding.Net.HttpApi.ThrowWin32ExceptionIfError(UInt32 retVal)    at SslCertBinding.Net.CertificateBindingConfiguration.<>c__DisplayClass1_0.<Bind>b__0()    at SslCertBinding.Net.HttpApi.CallHttpApi(Action body)    at SslCertBinding.Net.CertificateBindingConfiguration.Bind(CertificateBinding binding)    at IISExpressSvc.ServiceStart.PerformCommands(String thumbPrint, Boolean isCustom, Boolean debug)

Time: 22-04-2021 12:07:04 - Result: === Stop ===

Time: 22-04-2021 12:07:29 - Result: === Start ===

Time: 22-04-2021 12:07:29 - Result: ADD Custom URL -  Port: 443

Time: 22-04-2021 12:07:29 - Result: Error Performing Commands. System.ComponentModel.Win32Exception (0x80004005): A specified logon session does not exist. It may already have been terminated    at SslCertBinding.Net.HttpApi.ThrowWin32ExceptionIfError(UInt32 retVal)    at SslCertBinding.Net.CertificateBindingConfiguration.<>c__DisplayClass1_0.<Bind>b__0()    at SslCertBinding.Net.HttpApi.CallHttpApi(Action body)    at SslCertBinding.Net.CertificateBindingConfiguration.Bind(CertificateBinding binding)    at IISExpressSvc.ServiceStart.PerformCommands(String thumbPrint, Boolean isCustom, Boolean debug)

Time: 22-04-2021 12:07:40 - Result: === Stop ===

Time: 22-04-2021 12:08:03 - Result: === Start ===

Time: 22-04-2021 12:08:03 - Result: ADD Custom URL -  Port: 443

Time: 22-04-2021 12:08:03 - Result: ADD Custom SSL -  Port: 443

Time: 22-04-2021 12:21:09 - Result: === Stop ===

Time: 22-04-2021 12:21:29 - Result: === Start ===

Time: 22-04-2021 12:21:29 - Result: ADD Custom URL -  Port: 443

Time: 22-04-2021 12:21:29 - Result: Error Performing Commands. System.ComponentModel.Win32Exception (0x80004005): A specified logon session does not exist. It may already have been terminated    at SslCertBinding.Net.HttpApi.ThrowWin32ExceptionIfError(UInt32 retVal)    at SslCertBinding.Net.CertificateBindingConfiguration.<>c__DisplayClass1_0.<Bind>b__0()    at SslCertBinding.Net.HttpApi.CallHttpApi(Action body)    at SslCertBinding.Net.CertificateBindingConfiguration.Bind(CertificateBinding binding)    at IISExpressSvc.ServiceStart.PerformCommands(String thumbPrint, Boolean isCustom, Boolean debug)

Time: 22-04-2021 12:21:53 - Result: === Stop ===

Doing some checks on Lansweeper's website, I came across the same error on the forums, in a thread titled "PR_CONNECT_RESET_ERROR when trying to connect via HTTPS - Followed the instructions. Why is my result bad?"

After trying the notepad instructions, which failed spectacularly, I researched the error "A specified logon session does not exist.  It may already have been terminated."

On techraptor.net I found this post https://techraptor.net/guides/how-to-fix-iis-server-error-specified-logon-session-does-not-exist stating that the certificate had to be reimported, following this procedure:

Run MMC

Here’s how to fix:

Open up certificates in MMC

Step 1: Open up a Run window and type “mmc”

Step 2: Click File > Add/Remove Snap In

Step 3: Add > Certificates, Click OK

Step 4: Choose “Computer Account”, then “Local Computer” and proceed.

Step 5: Hit OK

Export Certificate in MMC

Step 1: Open “Certificates”

Step 2: Open the folder where your certificate is stored.

Step 3: Right Click on Certificate, All Tasks, Export

Step 4: Export to the server Desktop

Now you should be able to re-import your certificate into IIS (or just into MMC) without issue. Restart IIS. Note: You may have to reimport as “Complete certificate renewal” depending on your certificate.

This did not fix the certificate issue.

What did fix the SSL issue in Lansweeper was following this article on Microsoft.com to repair the certificate and add the private key: https://docs.microsoft.com/en-us/troubleshoot/iis/assign-certificate-private-key

Below is the output from PowerShell showing the successful repair of the certificate. After running the command, Lansweeper was able to run under the new certificate.

Windows PowerShell
Copyright (C) 2014 Microsoft Corporation. All rights reserved.

PS C:\Users\Administrator> certutil -repairstore my "Certificate Serial Number"
my "Personal"
================ Certificate 9 ================
Serial Number: 0933dade655d53658470d076c90446ff
Issuer: CN=GeoTrust TLS DV RSA Mixed SHA256 2020 CA-1, O=DigiCert Inc, C=US
 NotBefore: 2021-03-22 6:00 PM
 NotAfter: 2022-04-23 5:59 PM
Subject: CN=*.sapl.ca
Non-root Certificate
Cert Hash(sha1): 01 e5 53 e4 cc cf f9 73 15 11 35 2e 0b fd c4 d1 91 74 b5 05
  Key Container = {63B4CC61-46F3-4C4B-9F8E-CB38E333DD79}
  Unique container name: 3f90b86fe9b728070aead75c51dfc869_ebcb9c16-cc6e-4b9c-b957-49c2f2cdfce1
  Provider = Microsoft Enhanced Cryptographic Provider v1.0
Encryption test passed
CertUtil: -repairstore command completed successfully.
PS C:\Users\Administrator> 01 e5 53 e4 cc cf f9 73 15 11 35 2e 0b fd c4 d1 91 74 b5 05


After running the repair command in PowerShell as an administrator, Lansweeper started working with the new certificate after updating the thumbprint and restarting IIS.

Friday, April 24, 2020

Upgrading From SQL Compact DB to SQL Express (LocalDB)

Version 7.2.107.4 (Jan 2020) of Lansweeper was the last to support SQL Compact (express); support was removed in version 7.2.108.6.  A simple double-click upgrade is not possible, but the process for doing the migration is pretty straightforward.

I have a video here of the whole migration.

If you're running a version lower than 7.2.108.6, you need to upgrade to 7.2.108.6.  You can see your version of Lansweeper after you log in by going to Configuration -> Your Lansweeper License.



Before you start, make a backup of your Lansweeper data.  To do that, I created two folders in my Documents folder, labelled 721086 and 8013014.  The 721086 folder holds the backup of the previous version of Lansweeper (in my case 721054), just in case you have to recover; repeat the process for your upgrade to version 8013014.

After stopping the Lansweeper Server and IIS Express services, go to your Lansweeper program directory (typically C:\Program Files (x86)\Lansweeper) and back up two folders, SQLData and Key, into that folder.  Key has your encryption key (if enabled) and SQLData has your SQL Compact and SQL Express databases (SQL Express only after you have upgraded to version 7.2.108.6).




You can read about the entire process from this Lansweeper KB
https://www.lansweeper.com/knowledgebase/backing-up-your-installation/

Lansweeper has done a great job automating this: after you upgrade to version 7.2.108.6 your database will be converted, which takes about 5 minutes.  Once the installer has finished you will see a new service called Lansweeper LocalDB Service.



To upgrade to version 8, download the latest version of Lansweeper from https://www.lansweeper.com/update-lansweeper/ and repeat the steps from the beginning of the blog, but save the SQLData and Key folders to the 8013014 directory.  Once done you will be on the latest version of Lansweeper (at the time of this post).  The version of SQL Express Lansweeper is using is version 2014.



If you want to upgrade the database you can follow this KB from Lansweeper, https://www.lansweeper.com/knowledgebase/moving-your-database-from-sql-compact-to-sql-server/

***UPDATE***

After this update I had an issue with email tickets being 10 tickets lower than the last Lansweeper ticket. To fix the issue I reset the ticket ID counter as described in https://www.lansweeper.com/knowledgebase/resetting-the-ticket-id-counter/
The section we want to follow is "Resetting the ticket ID counter if you are using SQL LocalDB or SQL Server". Before you go ahead and do that, be sure to take a backup of your Lansweeper LocalDB: https://www.lansweeper.com/knowledgebase/backing-up-your-installation/#heading2




I will be doing a post about doing this later.


Reference

https://www.lansweeper.com/knowledgebase/sql-compact-deprecated/
https://www.lansweeper.com/knowledgebase/sql-compact-deprecated/#heading2
https://www.lansweeper.com/news/installing-lansweeper-end-of-support-for-sql-compact/
https://www.lansweeper.com/knowledgebase/moving-your-database-from-sql-compact-to-sql-server/
https://www.lansweeper.com/knowledgebase/resetting-the-ticket-id-counter/

Wednesday, December 12, 2018

Fixing Lansweeper Active Directory USER LDAP Syncing Error

In our organization we use Lansweeper for ticketing and system inventory and management.  Recently we had an issue where our AD users would not sync with Lansweeper.  The error shown was that the LDAP server was unavailable.

LDAP ERROR
The issue was caused by using a preferred domain controller that had died.  These settings are under "Scanning Targets".




We removed the Preferred domain controller


And setup a new scan


Setup a new scan after the preferred ad controller has been removed

Lansweeper Syncing with AD

After the scan, the users started to sync with the AD controller again.  However, having had this issue once before, you may need to reboot the Lansweeper server if the users continue to have the LDAP error after the rescan.  After the reboot the LDAP error should be gone.

