Wednesday, September 5, 2018

Match VMware virtual machine hard disks to computer hard disks

One of the common problems vCenter admins face is mapping the hard disks seen in VMware to the hard disks seen in Disk Management on the computer.

This PowerShell script matches the disks seen in vCenter to those seen on the computer.
Install VMware PowerCLI before running it. A recent PowerCLI release is linked here:
https://code.vmware.com/web/dp/tool/vmware-powercli/6.5.4

A newer PowerCLI version should also work, unless the cmdlets have changed.

You also need at least read permissions in vCenter and administrator rights on the server.

If the disk serial number is missing in the OS, this script will not work.

Check whether the disk serial number is present by running this in PowerShell:

Get-WmiObject -Class Win32_DiskDrive | select serialnumber

If there is no serial number, add or modify the following parameter in the VM's advanced configuration:

disk.EnableUUID = "TRUE"

KB link is here
https://kb.vmware.com/s/article/52815


 ## Show corresponding disks in vmware and computer ##

param(
    [Parameter(Mandatory=$true)]
    [string] $Computername
)

Function OutData($data) { Write-Host $data -ForegroundColor Green }

# Query the guest's physical disks over WMI. With disk.EnableUUID set, SerialNumber carries the VMDK UUID.
Function Get-LocalDisk($Computer, [System.Management.Automation.CredentialAttribute()]$Credentials)
{
    $PDiskDrives = Get-WmiObject -Class Win32_DiskDrive -ComputerName $Computer -Credential $Credentials
    return $PDiskDrives
}

## Load Vmware assemblies ##
Import-Module VMWare.VimAutomation.sdk
Import-Module VMWare.VimAutomation.Core

## Connect Vmware
$Credentials = Get-Credential -Message "Enter your Vcenter credentials"
$LocalDriveObjects = @()
Connect-VIServer Vcenter -Credential $Credentials   # "Vcenter" is a placeholder; use your vCenter host name
$LocalDisks = Get-LocalDisk $Computername -Credentials $Credentials
$vmHardDisks = Get-VM -Name $ComputerName | Get-HardDisk
$vmDatacenterView = Get-VM -Name $ComputerName | Get-Datacenter | Get-View
$virtualDiskManager = Get-View -Id VirtualDiskManager-virtualDiskManager
Write-Host "Number of disks : $($LocalDisks.count)"

foreach ($DObject in $LocalDisks)
{
    # Write-host "Working on $DObject"
    foreach ($vmHardDisk in $vmHardDisks)
    {
        # The VMDK UUID comes back as spaced hex with a dash in the middle; the guest serial number has neither
        $vmHardDiskUuid = $virtualDiskManager.QueryVirtualDiskUuid($vmHardDisk.Filename, $vmDatacenterView.MoRef) | ForEach-Object { $_.Replace(' ', '').Replace('-', '') }

        # -eq is case-insensitive, so the differing hex case between vCenter and Windows does not matter
        if ($DObject.SerialNumber -eq $vmHardDiskUuid)
        {
            $Vdisk = "Vcenter: $($vmHardDisk.Name) $($vmHardDisk.CapacityGB)" + "GB "
            $ComputerDisk = "Computer: " + $("Disk " + $DObject.Index) + " " + $([math]::Round($DObject.Size/1GB, 2)) + "GB"
            Write-Host $Vdisk -ForegroundColor Yellow -NoNewline
            Write-Host $ComputerDisk -ForegroundColor White
        }
    }
}

 ## Author: Parag Waghmare
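The matching step of the script above, pulled out as a function and run over constructed sample data so it can be tried without vCenter or WMI access (an added example, not part of the original script). Match-VmDiskToGuestDisk, ConvertTo-DiskUuid and the sample disk objects are this example's own names; it also reports the case the post warns about, a guest disk whose serial number is empty because disk.EnableUUID is not set.

```powershell
# ConvertTo-DiskUuid / Match-VmDiskToGuestDisk: hypothetical helper names, not from the original script.

function ConvertTo-DiskUuid([string]$Uuid) {
    # QueryVirtualDiskUuid returns "60 00 C2 9a ... -... " text; Win32_DiskDrive.SerialNumber has no spaces or dashes
    return ($Uuid -replace '[\s-]', '').ToLowerInvariant()
}

function Match-VmDiskToGuestDisk {
    param(
        [Parameter(Mandatory)] [object[]] $VmDisks,     # objects with Name, Uuid, CapacityGB
        [Parameter(Mandatory)] [object[]] $GuestDisks   # objects with Index, SerialNumber, Size (bytes)
    )
    foreach ($guest in $GuestDisks) {
        $label = "Disk $($guest.Index) $([math]::Round($guest.Size / 1GB, 2))GB"
        # An empty serial number means disk.EnableUUID is not set on the VM; nothing can match it
        if ([string]::IsNullOrWhiteSpace($guest.SerialNumber)) {
            [pscustomobject]@{ GuestDisk = $label; VmDisk = ''; Status = 'NoSerial: set disk.EnableUUID=TRUE' }
            continue
        }
        $serial = ConvertTo-DiskUuid $guest.SerialNumber
        $match = $VmDisks | Where-Object { (ConvertTo-DiskUuid $_.Uuid) -eq $serial } | Select-Object -First 1
        if ($match) {
            [pscustomobject]@{ GuestDisk = $label; VmDisk = "$($match.Name) $($match.CapacityGB)GB"; Status = 'Matched' }
        } else {
            [pscustomobject]@{ GuestDisk = $label; VmDisk = ''; Status = 'NoMatch: serial not among this VM''s VMDKs' }
        }
    }
}

# Constructed sample data (not real disks): two matching pairs plus one guest disk with no serial number
$vmDisks = @(
    [pscustomobject]@{ Name = 'Hard disk 1'; Uuid = '60 00 C2 9a 1b 2c 3d 4e-5f 60 71 82 93 a4 b5 c6'; CapacityGB = 60 }
    [pscustomobject]@{ Name = 'Hard disk 2'; Uuid = '60 00 C2 9f ff ee dd cc-bb aa 99 88 77 66 55 44'; CapacityGB = 200 }
)
$guestDisks = @(
    [pscustomobject]@{ Index = 0; SerialNumber = '6000c29a1b2c3d4e5f60718293a4b5c6'; Size = 60GB }
    [pscustomobject]@{ Index = 1; SerialNumber = '6000c29fffeeddccbbaa998877665544'; Size = 200GB }
    [pscustomobject]@{ Index = 2; SerialNumber = '';                                 Size = 10GB }
)

Match-VmDiskToGuestDisk -VmDisks $vmDisks -GuestDisks $guestDisks | Format-Table -AutoSize
```

To use it against a live VM, feed it the `Get-HardDisk` objects (with the UUID looked up as in the script) and the `Win32_DiskDrive` objects in place of the sample arrays.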


Wednesday, August 1, 2018

Service Now: Invoke-WebRequest : The remote server returned an error: (403) Forbidden.

If you get a 403 for an API call in ServiceNow, one of the reasons could be that the user does not have permissions on the table, which in my case was "sc_request".
Here is the error:
Invoke-WebRequest : The remote server returned an error: (403) Forbidden.
Open the ServiceNow portal and elevate your role if not already done.

Click System Definition -- Tables and search for your table.

Then click Access Controls.
Either create a new ACL or find one that has already been created with the name sc_request.*. If you open this ACL you may see that it has the catalog and itil roles added to it.
Click on catalog and edit the Users tab to add the user account that is being provided in your web request.

You can also search directly for the catalog user role in User Administration - User Roles and add permissions from there.




Service Now: Script to access the ServiceNow API using PowerShell.


Script to access the ServiceNow table API using PowerShell:

# Eg. User name="admin", Password="admin" for this code sample.
$user = "admin"
$pass = "admin"

# Build auth header
$base64AuthInfo = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(("{0}:{1}" -f $user, $pass)))

# Set proper headers
$headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"
$headers.Add('Authorization',('Basic {0}' -f $base64AuthInfo))
$headers.Add('Accept','application/json')

# Specify endpoint uri
$uri = "https://myservicenow.service-now.com/api/now/table/sc_request?sysparm_limit=10"

# Specify HTTP method
$method = "get"

# Send HTTP request
try{$response1 = Invoke-WebRequest -Headers $headers -Method $method -Uri $uri}
catch{$_.Exception.Response.StatusCode.Value__}

# Print response
$response1.RawContent
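The same table call as the script above, wrapped in a function that takes a PSCredential instead of a clear-text password and that tells a 401 (credentials rejected) apart from the 403 discussed in the previous post (authenticated, but no ACL on the table). This is an added example, not the author's script; Invoke-SnowTableQuery is a hypothetical name, and the JSON error-body shape it parses is an assumption.

```powershell
function Invoke-SnowTableQuery {
    param(
        [Parameter(Mandatory)] [string] $Instance,            # host prefix, e.g. myservicenow
        [Parameter(Mandatory)] [string] $Table,               # e.g. sc_request
        [Parameter(Mandatory)] [pscredential] $Credential,
        [int] $Limit = 10
    )
    # Same Basic auth header as the script above, built from a PSCredential so the password is not in the script
    $plain = $Credential.GetNetworkCredential().Password
    $token = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes("$($Credential.UserName):$plain"))
    $headers = @{ Authorization = "Basic $token"; Accept = 'application/json' }
    $uri = "https://$Instance.service-now.com/api/now/table/$Table?sysparm_limit=$Limit"
    try {
        $resp = Invoke-RestMethod -Uri $uri -Headers $headers -Method Get
        return [pscustomobject]@{ Status = 200; Records = @($resp.result); Message = "$(@($resp.result).Count) record(s)" }
    }
    catch {
        $code = [int]$_.Exception.Response.StatusCode        # 0 when no HTTP response came back at all
        $body = if ($_.ErrorDetails) { $_.ErrorDetails.Message } else { '' }
        # Assumed error body shape: {"error":{"message":"...","detail":"..."},"status":"failure"}
        $detail = $body
        try { $detail = ($body | ConvertFrom-Json).error.message } catch { }
        $hint = switch ($code) {
            401 { 'credentials rejected (wrong user or password)' }
            403 { "authenticated, but no ACL grants this user read on table '$Table' (check Access Controls / roles)" }
            default { "HTTP $code" }
        }
        return [pscustomobject]@{ Status = $code; Records = @(); Message = "$hint. $detail" }
    }
}

# Prompts for the API user instead of embedding a password; replace the instance and table with your own
$cred = Get-Credential -Message 'ServiceNow API user'
$result = Invoke-SnowTableQuery -Instance 'myservicenow' -Table 'sc_request' -Credential $cred
$result.Message
$result.Records | Select-Object number, short_description
```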

Thursday, May 10, 2018

How to force servers to communicate only on TLS 1.2

TLS 1.2 is a cryptographic protocol for communication between computers.

The RFC is linked below; more details on the protocol can be found there.

https://tools.ietf.org/html/rfc5246#section-5

First of all, you have to determine the tools you will use to confirm TLS communication in your environment.

I first used Netmon and Wireshark to look at the communication. Both of them showed TLS 1.2 in the packet captures.

But Microsoft Message Analyzer did not show TLS communication. It showed this:

If I look at a packet for RDP, however, I can see it using TLS 1.2.

Screenshot below is for an RDP session.

And that is how the communication between my IIS and SQL should have looked.

After a lot of searching and testing, these are the things that were done to have the servers communicate only on TLS 1.2.

1. Installing the right patches.
https://support.microsoft.com/en-us/help/3154520/support-for-tls-system-default-versions-included-in-the-net-framework
You can also upgrade the .NET Framework to 4.6 or above, which is what I did.

2. Adding registry entries to disable protocols other than TLS 1.2.


Windows Registry Editor Version 5.00
 
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"Enabled"=dword:00000000
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"Enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"Enabled"=dword:ffffffff
"DisabledByDefault"=dword:00000000



3. Adding the SQL certificate (pfx) in SQL Server Configuration Manager to enable encrypted connections.
https://docs.microsoft.com/en-us/sql/database-engine/configure-windows/enable-encrypted-connections-to-the-database-engine?view=sql-server-2017
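A check to run after the .reg file above has been imported and the server restarted: it reads each SCHANNEL protocol key and flags anything below TLS 1.2 that is still negotiable, or a TLS 1.2 key that is not explicitly enabled. This is an added example, not from the original post; Get-SchannelProtocolState and Test-SchannelProtocols are its own names. A missing key or value is reported as "OS default", since Schannel then falls back to the Windows default for that protocol rather than to disabled.

```powershell
$Base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelProtocolState {
    param([string]$Protocol, [string]$Side)   # Side is 'Client' or 'Server'
    $key = Join-Path $Base "$Protocol\$Side"
    if (-not (Test-Path $key)) {
        # No key at all: Schannel uses the OS default for that protocol, not "disabled"
        return [pscustomobject]@{ Protocol = $Protocol; Side = $Side; Enabled = 'OS default'; DisabledByDefault = 'OS default' }
    }
    $p = Get-ItemProperty -Path $key
    # dword:ffffffff reads back as -1, so test "-ne 0" rather than "-eq 1"
    return [pscustomobject]@{
        Protocol          = $Protocol
        Side              = $Side
        Enabled           = if ($null -eq $p.Enabled) { 'OS default' } elseif ($p.Enabled -ne 0) { 'yes' } else { 'no' }
        DisabledByDefault = if ($null -eq $p.DisabledByDefault) { 'OS default' } elseif ($p.DisabledByDefault -ne 0) { 'yes' } else { 'no' }
    }
}

function Test-SchannelProtocols {
    # One row per protocol and side, plus a Finding column: legacy protocols must be explicitly Enabled=0,
    # TLS 1.2 must be explicitly enabled and not disabled by default (what the .reg file above writes)
    $rows = foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($side in 'Client', 'Server') {
            $s = Get-SchannelProtocolState -Protocol $proto -Side $side
            $finding = if ($proto -eq 'TLS 1.2') {
                if ($s.Enabled -eq 'yes' -and $s.DisabledByDefault -eq 'no') { 'OK' } else { 'TLS 1.2 not explicitly enabled' }
            } else {
                if ($s.Enabled -eq 'no') { 'OK' } else { "$proto still negotiable ($side)" }
            }
            $s | Add-Member -NotePropertyName Finding -NotePropertyValue $finding -PassThru
        }
    }
    return $rows
}

Test-SchannelProtocols | Format-Table -AutoSize
```

The registry only tells you what Schannel will offer; a capture of the IIS-to-SQL traffic, as described above, remains the confirmation that the applications actually negotiate TLS 1.2.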



After making the changes given above and restarting the servers, I was able to see the same behavior in Message Analyzer for the communication between our IIS and SQL.

Additional reading
https://blogs.perficient.com/2016/04/28/tsl-1-2-and-net-support/
Implications of turning off the FIPS compliance policy:
https://blogs.technet.microsoft.com/secguide/2014/04/07/why-were-not-recommending-fips-mode-anymore/

Environment:
SQL 2016, Windows 2012 R2.