sync: auto-sync from DESKTOP-0O8A1RL at 2026-05-06 08:02:12

Author: Mike Swanson
Machine: DESKTOP-0O8A1RL
Timestamp: 2026-05-06 08:02:12
2026-05-06 08:02:13 -07:00
parent 95ad40bdbe
commit eaae28c201

@@ -0,0 +1,133 @@
# Session Log — Dataforth Corporation
**Date:** 2026-05-06
**Duration:** Multi-hour session
**Type:** Client work — RDS/RemoteApp troubleshooting, SSL cert replacement, RDS licensing fix
## User
- **User:** Mike Swanson (mike)
- **Machine:** DESKTOP-0O8A1RL
- **Role:** admin
---
## Session Summary
Investigated RDP permission prompts for Dataforth users launching RemoteApps, identifying that the TSAppAllowList registry key on SAGE-SQL lacked CustomRDPSettings, leading to interactive prompts. The registry was updated with appropriate settings for authentication, clipboard, and printer redirection. A separate issue with an "Unknown publisher" warning was noted; a new self-signed SSL cert was created and configured for RemoteApp signing but GPO distribution to domain machines was not completed this session.
SSH key authentication was configured for SAGE-SQL by adding Mike's public key to the administrators_authorized_keys file. A new self-signed SSL certificate was created and bound to RDWeb to replace an expired certificate. The old certificate binding was removed from IIS — initial attempts failed due to a stale binding — and the new cert was exported and manually installed on Mike's local machine. The TSGateway service was disabled on SAGE-SQL as it is no longer required since the server is not externally exposed at the firewall.
Error 0x104 ("remote computer could not be found") was resolved by disabling TSGateway and replacing the SSL certificate. After that fix, Error 0x3 ("connection dropped") occurred and was traced to an expired RDS licensing grace period — the L$RTMTIMEBOMB registry value showed -739741 days remaining. The GracePeriod registry key was deleted to reset the 120-day grace period. A full reboot of SAGE-SQL was required because TermService was slow to stop due to active sessions.
GPO-based certificate distribution was partially started — GPMC installed on SAGE-SQL, cert exported — but creation of the GPO on AD2 via WinRM was not completed due to Windows command line length limits when base64-encoding the certificate in a PowerShell remote command. The session ended with SAGE-SQL rebooting and RemoteApp connection verification pending.
## Key Decisions
- Set `redirectdrives:i:0` in CustomRDPSettings to exclude drive redirection — user confirmed drives not needed, reduces security exposure and eliminates drive prompt entirely
- Disabled TSGateway service on SAGE-SQL — server no longer externally exposed at firewall, gateway adds no value and was the source of 0x104 errors
- Used self-signed cert instead of Let's Encrypt — LE requires firewall exposure for HTTP-01 or acme-dns setup for DNS-01; self-signed with GPO distribution is simpler for an internal-only server
- Deleted GracePeriod registry key to reset 120-day RDS grace period rather than purchasing CALs immediately — buys time to evaluate CAL count needed; grace period expires again without CALs
- Full reboot instead of TermService restart — active user sessions caused TermService to hang; reboot was faster than waiting
## Problems Encountered
- **SSH password prompting on SAGE-SQL**: Fixed by configuring SSH key auth — added public key to `C:\ProgramData\ssh\administrators_authorized_keys`
- **WinRM double-hop to SAGE-SQL unreachable**: Workstation not domain-joined; switched to SSH for direct access
- **Bitdefender (GravityZone managed AV) blocking PowerShell execution**: User disabled Bitdefender on SAGE-SQL; GPMC then installed successfully
- **`netsh http add sslcert` Error 183**: Old expired cert still bound to 0.0.0.0:443; deleted old binding first then added new cert binding
- **SYSVOL write access denied**: Non-domain workstation can't write SYSVOL; switched to using SAGE-SQL → AD2 via WinRM hop for GPO work
- **Command line too long**: Base64-encoded cert in PowerShell remote command exceeded Windows command line limit; GPO creation on AD2 not completed — pending next session
- **TermService restart slow**: Active sessions caused slow stop; user rebooted machine entirely
- **Error 0x104**: Fixed by disabling TSGateway + replacing expired SSL cert
- **Error 0x3**: Root cause — expired RDS licensing grace period (L$RTMTIMEBOMB = -739741 days). GracePeriod key deleted to reset 120-day period. Machine rebooted. Verification pending.
---
## Configuration Changes
| File / Key | Location | Change |
|---|---|---|
| `HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\TSAppAllowList` | SAGE-SQL | Added `CustomRDPSettings`: authentication level:i:2, redirectclipboard:i:1, redirectdrives:i:0, redirectprinters:i:1, drivestoredirect:s: |
| `C:\Windows\Web\RDWeb\Pages\web.config` | SAGE-SQL | DefaultTSGateway set to empty string |
| IIS SSL cert binding (0.0.0.0:443) | SAGE-SQL | Old expired cert binding removed; new self-signed cert bound via netsh |
| TSGateway service | SAGE-SQL | Disabled (Stop-Service + Set-Service -StartupType Disabled) |
| `HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\RCM\GracePeriod` | SAGE-SQL | Deleted entire key to reset 120-day RDS licensing grace period |
| `C:\ProgramData\ssh\administrators_authorized_keys` | SAGE-SQL | Added Mike's SSH public key; permissions set to Administrators + SYSTEM only |
| `TSAppAllowList``fHasCertificate` / `CertificateHash` | SAGE-SQL | Set to new self-signed cert for RemoteApp signing |
| Local machine Trusted Root CAs | DESKTOP-0O8A1RL | Imported sage-sql-rdweb.cer |
| Local machine Trusted Publishers | DESKTOP-0O8A1RL | Imported sage-sql-rdweb.cer |
---
## Infrastructure & Servers
| System | Detail |
|---|---|
| SAGE-SQL | 192.168.0.153 — Windows Server, RDS Session Host + Connection Broker + Gateway + Web Access (all roles) |
| AD2 | 192.168.0.6 — Domain controller (intranet.dataforth.com) |
| RDWeb URL | https://sage-sql.intranet.dataforth.com/RDWeb |
| New self-signed cert | Subject: CN=sage-sql.intranet.dataforth.com; exported to C:\Temp\sage-sql-rdweb.cer (874 bytes) on SAGE-SQL; D:\sage-sql-rdweb.cer locally |
| TSGateway | Disabled — SAGE-SQL not externally accessible |
---
## Commands & Outputs
```powershell
# CustomRDPSettings fix — suppress permission prompts
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\TSAppAllowList' `
-Name 'CustomRDPSettings' `
-Value "authentication level:i:2`nredirectclipboard:i:1`nredirectdrives:i:0`nredirectprinters:i:1`ndrivestoredirect:s:"
# SSH key auth setup on SAGE-SQL
# (Add public key to C:\ProgramData\ssh\administrators_authorized_keys)
# (icacls to restrict permissions)
# Remove stale SSL cert binding
netsh http delete sslcert ipport=0.0.0.0:443
# Bind new self-signed cert
netsh http add sslcert ipport=0.0.0.0:443 certhash=<thumbprint> appid='{...}' certstorename=MY
# Disable TSGateway
Stop-Service TSGateway -Force
Set-Service TSGateway -StartupType Disabled
# Delete RDS grace period key to reset 120-day window
Remove-Item -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\RCM\GracePeriod' -Recurse -Force
# Local cert install (on DESKTOP-0O8A1RL)
certutil -addstore Root D:\sage-sql-rdweb.cer
certutil -addstore TrustedPublisher D:\sage-sql-rdweb.cer
```
---
## Credentials & Secrets
No new credentials created this session. SSH key auth uses existing key pair.
---
## Pending / Incomplete Tasks
- [ ] **[VERIFY FIRST]** Confirm SAGE-SQL came back online after reboot — ping 192.168.0.153, check TermService running
- [ ] **[VERIFY]** Confirm RDS grace period reset — `Test-Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\RCM\GracePeriod'` should return False, or new key with 120-day value
- [ ] **[TEST]** Launch a RemoteApp from RDWeb — verify 0x3 error is gone and connection completes
- [ ] **[COMPLETE]** GPO cert distribution on AD2 — create "SAGE-SQL RDS Certificate Trust" GPO, import sage-sql-rdweb.cer to Trusted Root CAs + Trusted Publishers, link to domain
- [ ] Non-domain joined users (Mike, Sage admin): manually run `certutil -addstore Root sage-sql-rdweb.cer` and `certutil -addstore TrustedPublisher sage-sql-rdweb.cer` — Mike's machine done; Sage admin pending
- [ ] Re-enable Bitdefender GravityZone on SAGE-SQL (was disabled to allow GPMC install / PowerShell work)
- [ ] **[LONG-TERM]** Purchase proper RDS CALs for SAGE-SQL — 120-day grace period will expire again; determine CAL count needed (Per User mode, LicensingType=4)
- [ ] Consider acme-dns (DNS-01 ACME challenge) for Let's Encrypt automation if proper cert needed in future — avoids firewall exposure
---
## Reference Information
- SAGE-SQL RDWeb: `https://sage-sql.intranet.dataforth.com/RDWeb`
- Cert file on SAGE-SQL: `C:\Temp\sage-sql-rdweb.cer`
- Cert file local: `D:\sage-sql-rdweb.cer`
- TSGateway registry: `HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\TSAppAllowList`
- RDS grace period key: `HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\RCM\GracePeriod`
- L$RTMTIMEBOMB pre-fix value: -739741 days (well past expiry)
- SSH authorized_keys on SAGE-SQL: `C:\ProgramData\ssh\administrators_authorized_keys`
- RDS licensing mode: Per User (LicensingType=4)
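Review bot: the Reference Information entry labelled "TSGateway registry" points at `HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\TSAppAllowList`, which is the RemoteApp allow-list key this session edited for CustomRDPSettings and the signing cert (fHasCertificate / CertificateHash), not a TSGateway setting; relabel it (for example "TSAppAllowList / RemoteApp registry") so the next session does not chase the wrong key. Two further points worth a line in the log: the Configuration Changes row written as `TSAppAllowList``fHasCertificate` / `CertificateHash` has a broken backtick pair and should read `TSAppAllowList\fHasCertificate` / `CertificateHash`; and importing sage-sql-rdweb.cer into Trusted Root CAs and Trusted Publishers (locally now, domain-wide once the pending GPO is created) makes the self-signed key in the MY store on SAGE-SQL a trust anchor for every receiving machine, so record the cert's validity period and who can read that private key, and move the "Re-enable Bitdefender GravityZone" item up next to the VERIFY FIRST entries since the host is currently running without it.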