OneDrive for Business 'Authentication Protocol Not Supported'

by Ed Sparks

OneDrive for Business (ODB) has become a major selling point of the Office 365 cloud platform for small and medium business, particularly as the service moved to virtually unlimited storage, and many of the limitations that remained from its SharePoint based architecture have been removed or improved upon.

Unfortunately, an ongoing low point of the experience has been the sync client.  Based on outdated technology Microsoft acquired from the disaster that was Ray Ozzie and his Groove product, it has gone through a myriad of name changes and tweaks, none of which ever seemed to solve the problems.  It would often throw errors and, most egregiously in this era of Ultrabooks and small SSD drives, had no selective sync capability.

Thankfully, Microsoft is finally turning a corner with the overall reliability and functionality of ODB, and is at last merging and improving the client experience with the Next Generation Sync Client. However, this client is still only in 'First Release' stage, remains unavailable for Windows 8.1, and only supports ODB itself, not other SharePoint libraries.  They've indicated all of these will be solved in the 'first quarter 2016' so here's hoping.  If you're using only ODB and on Windows 7 or 10, we highly recommend using the Next Gen client.

However, for those on 8.1 or with more complex needs the (previous gen?) OneDrive for Business client remains the only choice, complete with bugs.  One of the most frequent glitches we see - and there appears to be no consistency as to why it shows up or when - is the dreaded Unsupported Server message:

The server you are trying to access is using an authentication protocol which is not supported by this version of Office

This often happens for users when they first log on and the OneDrive for Business client launches, but can also occur when setting up a sync for the first time.  It's our hunch that this is related to TLS changes Microsoft made on the server side as part of discontinuing old ciphers and encryption, but there's never been any good communication or clarity from them on what changed.  More frustratingly, there have also been no useful instructions from them on how to fix this.

We've therefore put together the following steps, gleaned from numerous forum posts and our own tests, which consistently fix the problem, albeit with a bit of work.

  1. Shut down the OneDrive for Business Desktop Client (dark blue cloud icon), by right clicking and choosing Exit.  This sometimes causes the client to crash, and then restart itself and perform recovery steps (which won't work).  If so, simply repeat the Exit step and it should close correctly.

  2. Close all Office 2013 or 2016 desktop applications - Word, Excel, etc.

  3. Remove the following folders from the user's profile:

    c:\users\<username>\appdata\local\microsoft\office\sp
    c:\users\<username>\appdata\local\microsoft\office\16.0\OfficeFileCache (if it exists)
    c:\users\<username>\appdata\local\microsoft\office\15.0\OfficeFileCache (if it exists)

    These folders will be automatically recreated by a repair, and the applications.

  4. Open Control Panel, and search for and open Credential Manager.  Under the Windows Credentials section, find and remove any Generic Credentials related to the Office 365 account in question.  These will be in the format:
    MicrosoftOffice16_Data:SSPI
    or similar
  5. In Control Panel / Programs and Features, find the Microsoft Office 365 Business or ProPlus install, then Right Click and choose Change.
  6. Select an Online Repair and click Repair.  
  7. When the Online Repair is complete, click Start and search for OneDrive for Business desktop client, and open it.
  8. OneDrive for Business should ask for the Office 365 account logon and password information, and then proceed to sync correctly.
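Steps 1 to 4 above are the tedious, per-user part of the fix, so here is a PowerShell script that performs them.  This is an added example, not part of the original post: it assumes an Office 2013/2016 Click-to-Run install on Windows 7/8.1/10, that the OneDrive for Business client runs as groove.exe, and that cmdkey /list prints the Office credentials with a target of the form MicrosoftOffice1x_Data:SSPI:<account>.  It must run in the affected user's own session, because the cache folders and Credential Manager entries are per-user.  Steps 5 to 8 (the Online Repair and relaunch) are still done by hand as described.

```powershell
# Added example, not from the original post. Automates steps 1-4 of the fix above.
# Assumptions: Office Click-to-Run 2013/2016, ODB client process name groove.exe,
# cmdkey /list output containing "target=MicrosoftOffice1x_Data:SSPI:...".
# Run as the affected user (not as a different admin account).

$ErrorActionPreference = 'Stop'

# Step 1: exit the OneDrive for Business client. It sometimes relaunches itself to
# attempt recovery, so try a few times until no groove.exe process remains.
function Stop-OdbClient {
    for ($i = 0; $i -lt 3; $i++) {
        $procs = Get-Process -Name 'groove' -ErrorAction SilentlyContinue
        if (-not $procs) { return }
        $procs | Stop-Process -Force
        Start-Sleep -Seconds 3
    }
}

# Step 2: close the Office desktop applications so their locks on the caches are released.
function Stop-OfficeApps {
    Get-Process -Name 'winword','excel','powerpnt','onenote','outlook','msosync' -ErrorAction SilentlyContinue |
        Stop-Process -Force
}

# Step 3: remove the SharePoint sync store and the Office file caches (recreated by the repair).
function Remove-OfficeSyncCache {
    $paths = @(
        "$env:LOCALAPPDATA\Microsoft\Office\SP"
        "$env:LOCALAPPDATA\Microsoft\Office\16.0\OfficeFileCache"
        "$env:LOCALAPPDATA\Microsoft\Office\15.0\OfficeFileCache"
    )
    foreach ($p in $paths) {
        if (Test-Path -LiteralPath $p) {
            Write-Host "Removing $p"
            Remove-Item -LiteralPath $p -Recurse -Force
        }
    }
}

# Step 4: delete the cached Office generic credentials from Credential Manager.
# cmdkey /list prints "Target: LegacyGeneric:target=<name>"; delete by <name>.
function Remove-OfficeCredentials {
    $targets = cmdkey /list | ForEach-Object {
        if ($_ -match 'target=(MicrosoftOffice1[56]_Data:SSPI\S*)') { $Matches[1] }
    }
    foreach ($t in $targets) {
        Write-Host "Deleting credential $t"
        cmdkey /delete:$t | Out-Null
    }
}

Stop-OdbClient
Stop-OfficeApps
Remove-OfficeSyncCache
Remove-OfficeCredentials
Write-Host 'Done. Now run the Office Online Repair (steps 5-6) and relaunch OneDrive for Business.'
```

The credential pattern is deliberately narrow (only the Office SSPI entries) so that unrelated saved credentials for the same account, such as mapped drives, are left alone.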

Offline Files Service Crashing/Unavailable

by Ed Sparks

A common scenario that bites many a company that extensively uses Windows imaging for deployments is that Offline Files completely melts down after a newly imaged system is set up.

This will show up in the event logs as the Offline Files service being unable to start, Folder Redirection breaking, etc.  The first sign is usually a system event log error like:

Windows could not start the Offline Files service.
Error 3: The system cannot find the path specified.

The best resolution is to make sure the reference system (where you took the image from) always has Offline Files disabled before the image is taken, in addition to Sysprep being run.

However, if you've already taken and applied an image and have a broken system, then thankfully the fix is simple.  Just set a registry key to reset ("Format") the Offline Files ("Client Side Cache") database.  On Windows 7 and 8, this can be easily done by running the following from an Administrative command line:

REG ADD "HKLM\System\CurrentControlSet\Services\CSC\Parameters" /v FormatDatabase /t REG_DWORD /d 1 /f

Reboot the computer, and the Offline Files database will be reset and recreated.  Offline Files should start normally, and things like Folder Redirection and the like will follow.
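Because the FormatDatabase key wipes the local cache (including any offline changes that have not synced), it is worth confirming the service really is in the broken state before setting it.  The following PowerShell script is an added example, not from the original post: it checks the state of the Offline Files service (service name CSC, which is an assumption stated here, not something the post names), prints any recent Service Control Manager errors mentioning Offline Files from the System log, and only then sets the same registry value as the REG ADD command above.  It leaves the reboot to the operator.

```powershell
# Added example, not from the original post. Verifies the Offline Files (CSC) service is
# failing before applying the FormatDatabase reset described above. Run elevated on
# Windows 7/8 in PowerShell 3 or later (Get-WinEvent -FilterHashtable).

$cscParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\CSC\Parameters'

function Test-OfflineFilesBroken {
    $svc = Get-Service -Name 'CSC' -ErrorAction SilentlyContinue
    if (-not $svc) {
        Write-Warning 'Offline Files service (CSC) is not present on this system.'
        return $false
    }
    if ($svc.Status -eq 'Running') { return $false }

    # Show the evidence: recent SCM errors in the System log that mention Offline Files.
    $events = Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = 'Service Control Manager'
        Level        = 2                      # 2 = Error
        StartTime    = (Get-Date).AddDays(-7)
    } -ErrorAction SilentlyContinue | Where-Object { $_.Message -like '*Offline Files*' }

    foreach ($e in ($events | Select-Object -First 3)) {
        Write-Host ('{0}  EventID {1}: {2}' -f $e.TimeCreated, $e.Id, ($e.Message -split "`n")[0])
    }
    return $true
}

function Reset-OfflineFilesDatabase {
    # Same effect as:
    # REG ADD "HKLM\System\CurrentControlSet\Services\CSC\Parameters" /v FormatDatabase /t REG_DWORD /d 1 /f
    if (-not (Test-Path $cscParams)) { New-Item -Path $cscParams -Force | Out-Null }
    New-ItemProperty -Path $cscParams -Name 'FormatDatabase' -PropertyType DWord -Value 1 -Force | Out-Null
    Write-Host 'FormatDatabase=1 set. Reboot to rebuild the Offline Files database.'
}

if (Test-OfflineFilesBroken) {
    Reset-OfflineFilesDatabase
} else {
    Write-Host 'Offline Files service is running; no reset applied.'
}
```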


Offline Files, Folder Redirection and DFS are some of the most complex Microsoft technologies to configure, with an enormous number of gotchas and hotfixes.  It's one of our most frequently requested support items from customers.   We've developed a great deal of expertise and best practices around these and will be posting an article soon detailing our findings.

In the meantime, why not contact us to help today!

EAP! Event logs are full of DLL path validation errors

by Ed Sparks

Once again, Tier 1 PC vendors are failing to send out products with proper drivers and clean, smoothly operating OS builds.  

It's shocking that in this era of Ultrabooks and tablets - all aimed at a premium market and with premium prices to match - vendors still send out systems littered with terrible bloatware, outdated drivers, and long lists of outstanding OS updates waiting.  Often even the OS is a full version or more behind current.

We're particularly looking at you Dell!

The latest cases we're seeing are from current Dell and Lenovo systems with Haswell ("4th Generation Intel Core") chipsets and Intel WiFi onboard.  On these systems, the System Event Logs are littered with entries similar to this:

The description for Event ID 2002 from source Microsoft-Windows-EapHost cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.
The following information was included with the event: 
Eap method DLL path
25
9
0
0
The handle is invalid

As is often the case, the corporate tech support sites were of no use, and the available driver updates from the vendor did nothing to clear the events or resolve the root cause.

Our own investigation found that the issue appears to be some Cisco-specific EAP registry keys having been added without the proper driver or backing software.

The solution? Fire up our old friend RegEdit and look under the following registry path:

HKLM\System\CurrentControlSet\Services\Eaphost\Methods\311

There will be several entries referencing paths for Cisco drivers or DLLs that don't exist. Remove any of these types of keys.

No reboot is necessary, and the errors go away immediately.

We've also found this resolves some Cisco and other third-party IPSec VPN issues as well.
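Rather than eyeballing RegEdit, the dangling registrations can be found mechanically: each method subkey under the path above holds string values naming its DLLs, and any such path that does not exist on disk is exactly the kind of entry the post says to remove.  The script below is an added example, not from the original post.  It reports by default and only deletes when run with -Remove, exporting each key with reg.exe first so the change can be undone.  The value name PeerFriendlyName and the assumption that every DLL-bearing value ends in ".dll" are mine, not the post's.

```powershell
# Added example, not from the original post. Audits the EapHost method registrations
# under Methods\311 for DLL paths that do not exist, as described above. Report-only
# unless -Remove is given; removed keys are exported to $BackupDir first. Run elevated.

param(
    [switch]$Remove,
    [string]$BackupDir = "$env:TEMP\EapHostBackup"
)

$methodsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\EapHost\Methods\311'

function Get-BrokenEapMethods {
    $broken = @()
    foreach ($key in (Get-ChildItem -Path $methodsKey -ErrorAction SilentlyContinue)) {
        $props   = Get-ItemProperty -Path $key.PSPath
        $missing = @()
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Value -is [string] -and $p.Value -match '\.dll\s*$') {
                # Values may use %SystemRoot%-style variables or quotes; normalise before testing.
                $path = [Environment]::ExpandEnvironmentVariables($p.Value).Trim('"', ' ')
                if (-not (Test-Path -LiteralPath $path)) {
                    $missing += ('{0} = {1}' -f $p.Name, $p.Value)
                }
            }
        }
        if ($missing.Count -gt 0) {
            $broken += [pscustomobject]@{
                Key          = $key.PSChildName
                FriendlyName = $props.PeerFriendlyName   # assumed value name, may be empty
                MissingDlls  = $missing
            }
        }
    }
    return $broken
}

$broken = Get-BrokenEapMethods
if (-not $broken) {
    Write-Host "No EapHost methods under $methodsKey reference missing DLLs."
    return
}

foreach ($b in $broken) {
    Write-Host ('Method {0} ({1}) references missing DLLs:' -f $b.Key, $b.FriendlyName)
    $b.MissingDlls | ForEach-Object { Write-Host "    $_" }
    if ($Remove) {
        New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
        $nativePath = "HKLM\SYSTEM\CurrentControlSet\Services\EapHost\Methods\311\$($b.Key)"
        reg.exe export $nativePath (Join-Path $BackupDir "EapMethod-$($b.Key).reg") /y | Out-Null
        Remove-Item -Path (Join-Path $methodsKey $b.Key) -Recurse -Force
        Write-Host "    removed (backup written to $BackupDir)"
    }
}
```

Run it once without -Remove to see what would go; a method whose DLL is merely unreadable rather than absent would also be flagged, which is why the backup export is unconditional.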

The shockingly easy way to hack or reset a forgotten Windows password

by Ed Sparks

This trick has been around for years, and long assumed fixed.  Surprisingly, while recently investigating a related issue we discovered this one is still going strong in Windows 7 and 8 (along with Vista, where it originated).

Image Courtesy Icone-gif

In what has become known as the "Utilman Trick," if you are able to physically access a system and boot from a Windows install or recovery disk, you can quickly change a file, reboot into the original Windows install and with a few clicks change the password of any account.  You can also create new accounts, and perform all manner of administrative management.

While BitLocker, or physically denying access to the system, will obviously solve this, it's shocking that this continues to exist.

The details, and simple process are well documented here at Technibble, among hundreds of other places.

Here it is in a nutshell:

1. Recovery Boot

cd windows\system32
ren utilman.exe utilman.exe.bak
copy cmd.exe utilman.exe

2. Normal boot

net user administrator newpassword


Yes, really!
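The swap described above leaves obvious traces on the system, so it can be checked for after the fact.  The following PowerShell script is an added example, not from the original post or from Technibble: it looks at the utilman.exe in System32 and reports whether the version resource still names it utilman, whether it is byte-for-byte identical to cmd.exe, and whether the utilman.exe.bak left behind by the rename is present.  It assumes PowerShell 4 or later for Get-FileHash and should be run elevated.  The signal list is mine; nothing here changes any file.

```powershell
# Added example, not from the original post. Detects the utilman.exe-for-cmd.exe swap
# described above using three independent signals. Needs PowerShell 4+ (Get-FileHash).

$sys32   = Join-Path $env:SystemRoot 'System32'
$utilman = Join-Path $sys32 'utilman.exe'
$cmd     = Join-Path $sys32 'cmd.exe'

function Test-UtilmanTampered {
    $findings = @()

    # 1. The version resource of a genuine utilman.exe names itself; a renamed cmd.exe
    #    still carries Cmd.Exe as its OriginalFilename.
    $orig = (Get-Item -LiteralPath $utilman).VersionInfo.OriginalFilename
    if ($orig -and $orig -notlike 'utilman*') {
        $findings += "OriginalFilename is '$orig'"
    }

    # 2. The trick copies cmd.exe over utilman.exe, so the two hashes collide.
    $hUtil = (Get-FileHash -LiteralPath $utilman -Algorithm SHA256).Hash
    $hCmd  = (Get-FileHash -LiteralPath $cmd     -Algorithm SHA256).Hash
    if ($hUtil -eq $hCmd) {
        $findings += 'utilman.exe is byte-identical to cmd.exe'
    }

    # 3. The documented procedure renames the original to utilman.exe.bak first.
    if (Test-Path -LiteralPath (Join-Path $sys32 'utilman.exe.bak')) {
        $findings += 'utilman.exe.bak is present in System32'
    }

    return $findings
}

$result = Test-UtilmanTampered
if ($result.Count -eq 0) {
    Write-Host 'utilman.exe looks genuine.'
} else {
    Write-Warning 'utilman.exe appears to have been replaced:'
    $result | ForEach-Object { Write-Warning "  $_" }
}
```

A clean result here does not prove nothing happened, since any attacker with offline disk access can also tidy up; the durable fix remains what the post says, BitLocker (or otherwise keeping the disk out of reach), which stops the offline edit in the first place.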

806 - Actiontec Killed the VPN Star

by Ed Sparks

This was one of those "pull your hair out" cases, with a completely non-obvious cause and, thankfully, a surprise happy ending.

While troubleshooting a VPN connection problem for a client, we noted the inability to connect to some PPTP VPN servers while behind any TELUS (Canadian ISP) provided Actiontec V1000H DSL modem/router.

Of course, we didn't initially connect the dots, and tried all manner of troubleshooting steps related to the client OS (Windows 8, 8.1, 7 and 2008 were all unsuccessful, as was iOS). Strangely some Hyper-V hosted test VMs were able to connect, which indicates that they somehow must encapsulate the packets differently.

After much head-scratching and hyper-specific web searches, a few articles were found discussing Actiontec devices arbitrarily blocking GRE - the mysterious and troublesome protocol that allows PPTP to work.  

Sure enough, if we then tried all of the same devices connecting to PPTP over a cellular connection - bingo - they worked like a charm!  This ruled out the OS at least.

Sadly, these combo router/wifi/modems provided by telcos are wonderfully non-user-serviceable and tend to be patched and upgraded at the whim of the provider.  We needed a resolution though, as these are widely deployed with our customers and their employees, so this could be a big support nightmare.

In a rare win, however, TELUS came through and provided a heavily upgraded firmware for the device which not only resolved this issue, but improved the overall DSL connection speed and dramatically improved wireless range, stability and performance. As a bonus they've added IPv6 support internally, and for a future external deployment.

Solve your headaches: call TELUS (or your local equivalent) if you have an Actiontec V1000H or V2000H and ask for early access to the latest firmware.  It makes a dramatic difference.  Your VPNs and WiFi devices will thank you!

The magic firmware versions:
V1000H:   31.121L.11
V2000H:   31.122L.11

On the flip-side - the broken buggy firmware version appears to be 31.30l.57.


For another common and annoying issue with Windows L2TP VPNs  see our older article here.

Yes, we know PPTP is ancient and proven somewhat insecure, but it's still generally the easiest to get going for basic needs without all the bother of IPSEC or certificates.

Generate custom, self-signed, long-expiry certificates on Windows

by Ed Sparks

We recently were introduced to a great utility that a Microsoft IIS Team employee maintains called SelfSSL7.   This is an upgraded version of the old SelfSSL tool that used to ship as part of the IIS Resource Kit.

Self-signed certificates have a myriad of useful purposes for internal use in testing and staging environments, but are an awful pain to deal with using the (almost completely lacking) built-in tools.

SelfSSL7 to the rescue! 

Thomas has all the details at his blog below, but in a nutshell you simply download the tool, unzip and run from a command line.

For example, to create a self-signed certificate for a web server with a 5 year expiry and automatically export the whole thing to a PFX file for safe keeping, all while adding it to the local computer store and binding it to an IIS site automatically - simply execute the following at an elevated command prompt:

selfssl7 /k 2048 /v 1825 /x /f c:\SelfSSL7\my-5-year-cert.pfx /i

There is no step 2!

Such a time saver! 


Source: http://blogs.iis.net/thomad/archive/2010/0...

Goodbye imageX, hello DISM for Windows 8 Imaging and Deployment

by Ed Sparks
This article seems to be getting a tremendous amount of traffic!
Leave a comment with any suggestions or questions you might have about Windows 8 deployment.  Contact us for help with your project too!

A quick note for those starting to work with Windows 8 deployment, or just playing around with images.

ImageX has been flagged by Microsoft as a deprecated utility, and has been replaced with DISM - Deployment Image Servicing and Management.  Catchy.  There's no Metro/Windows-8/Store-style/Technologywithoutaname version, though.

The good news is that DISM is an excellent replacement and has matured quite a bit since ImageX, while still keeping most of the same command structure.

In our testing it has proven much quicker and more reliable, and is built into Windows 8, Server 2012 and PE 4.

There are even PowerShell cmdlets to do all sorts of useful things.

Find out more by running from an Administrative command prompt:

dism /?

Our one-liner quick and dirty capture/deploy commands for a standard Windows install is as follows:

1. Plug in a large USB drive 

2. Boot into Windows PE 4 (here's how)

3. At the command prompt find out the drive letter of your USB drive (e: in the example below) then execute:

dism /Capture-Image /ImageFile:d:\my-windows-partition.wim /CaptureDir:e:\ /Name:"My Windows Partition"

To then place this image on a new drive or rebuild, do the opposite, again while booted into PE 4:

dism /Apply-Image /ImageFile:d:\my-windows-partition.wim /index:1 /ApplyDir:C:\
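The PowerShell cmdlets mentioned earlier cover the same capture and apply operations.  The script below is an added example, not from the original post: it wraps New-WindowsImage and Expand-WindowsImage from the Dism module (shipped with Windows 8 / Server 2012 and the ADK for PE 4) in the same two-step workflow, with the drive letters as parameters because they differ from one PE session to the next.  The parameter names, the default letters, and the pre-apply index check are mine.  $WindowsDrive is the partition being captured or written to, and $ImageFile is the .wim on the USB drive.

```powershell
# Added example, not from the original post. Same capture/apply workflow as the dism
# commands above, using the Dism PowerShell module. Run from an elevated prompt in
# Windows PE 4 or full Windows 8 with the Dism module available.

param(
    [ValidateSet('Capture', 'Apply')]
    [string]$Mode         = 'Capture',
    [string]$WindowsDrive = 'C:\',                            # partition to capture / apply to
    [string]$ImageFile    = 'E:\my-windows-partition.wim',    # .wim on the USB drive
    [string]$ImageName    = 'My Windows Partition',
    [int]$Index           = 1
)

Import-Module Dism

function Invoke-Capture {
    # Equivalent of dism /Capture-Image. -Verify checks data as it is written and
    # -CheckIntegrity stores a hash in the WIM so corruption is caught at apply time.
    New-WindowsImage -ImagePath $ImageFile -CapturePath $WindowsDrive -Name $ImageName `
        -CompressionType max -Verify -CheckIntegrity | Out-Null
    # Show what ended up in the file so the index to apply later is known.
    Get-WindowsImage -ImagePath $ImageFile | Select-Object ImageIndex, ImageName, ImageSize
}

function Invoke-Apply {
    # Equivalent of dism /Apply-Image, but refuse an index that is not in the WIM
    # instead of letting the apply fail part-way through.
    $images = Get-WindowsImage -ImagePath $ImageFile
    if (-not ($images | Where-Object { $_.ImageIndex -eq $Index })) {
        throw "Index $Index not found in $ImageFile; available: $($images.ImageIndex -join ', ')"
    }
    Expand-WindowsImage -ImagePath $ImageFile -ApplyPath $WindowsDrive -Index $Index -CheckIntegrity | Out-Null
    Write-Host "Applied index $Index of $ImageFile to $WindowsDrive"
}

switch ($Mode) {
    'Capture' { Invoke-Capture }
    'Apply'   { Invoke-Apply }
}
```

Usage is `.\image.ps1 -Mode Capture -WindowsDrive D:\ -ImageFile E:\my-windows-partition.wim` from PE (where the Windows partition is often not C:), then `.\image.ps1 -Mode Apply` on the rebuilt machine with the same letters.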


Further reading:

http://technet.microsoft.com/en-us/library/hh825251.aspx
http://blogs.technet.com/b/heyscriptingguy/archive/2012/09/27/use-the-powershell-dism-cmdlets-to-manage-windows-8.aspx