Category: Microsoft

The user must enroll their device with an approved MDM provider like Intune

October 4, 2024 by Roger·Comments Off

Product:

Microsoft Power BI portal

Issue:

When refresh a powerbi report ( e.g. Semantic model ) we got a error – this report worked before in the Power BI portal workspace. Error is like:

Data source error{“error”:{“code”:”DMTS_OAuthTokenRefreshFailedError”,”pbi.error”:{“code”:”DMTS_OAuthTokenRefreshFailedError”,”details”:[{“code”:”DM_ErrorDetailNameCode_UnderlyingErrorMessage”,”detail”:{“type”:1,”value”:” Device is not in required device state: compliant. Conditional Access policy requires a compliant device, and the device is not compliant. The user must enroll their device with an approved MDM provider like Intune…

Solution:

You must be in Microsoft Edge web browser to do this change, if you do the change in Chrome, it will not work.

On your reports Semantic model – click on the 3 dots and select “settings”.

Go to data source credentials and click on edit credntials that is marked as not working.

And enter your windows account credentials again.

Now it should be green, and this login is affecting all your reports – if the access point is the same.

Now click the “refresh” icon to update you PowerBi report semantic model in the portal.

If above does not work, try below.

Download the Semantic model to you computer.

Restart your computer.

Open the PowerBI pbix file, and refresh the report.

You will be prompted to login to the datasource.

Enter your credintials for windows account.

When the report is refreshed and working in PowerBI on your computer.

Save the report.

Publish the report to the powerbi portal – overwrite the previus report.

More Information:

https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-conditions

Blood, Sweat, and built-in compliance policy

There is a known issue with the Chrome browser that can cause this error to occur. If there is no device information sent in the sign-in logs, this might be the problem. Device information is sent when there is a PRT and the user is logged onto the browser. If the user is using Chrome, the Windows 10 accounts extension is needed.

If this is the case, you can test by asking the user to logon to the Edge browser or install the Windows 10 accounts extension to see if the issue is resolved.

https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/concept-conditional-access-conditions

If they are signing in using Edge, they cannot use an incognito window because it will not pass the device state.

Is Microsoft Authenticator App is installed on the device? As Microsoft Authenticator is an broker app for iOS and would be needed to pass MFA and Device claims to Azure AD.

Sign-ins from legacy authentication clients also do not pass device state information to Azure AD.

Some years ago Microsoft stated that the in-app browser must be using a supported browser such as Edge, however, the Windows store uses Edge, and it also does not pass the device ID, so the conditional access policy can’t be compliant.

Many 3rd party applications use in-app browsers that are “not supported,” and it appears that Microsoft doesn’t offer the appropriate developer documentation that would allow 3rd parties to include this conditional access device information in their in-app browsers, even if they used Edge.

These are the links that were provided as dev resources:

https://www.graber.cloud/en/aadsts50131-device-not-required-state/

https://cloudbrothers.info/entra-id-azure-ad-signin-errors/

You may need to do below in chrome to get it to work…

this is the exact requirements (Chome-side, your Azure AD setup has its own stuff) you needed:

Latest “Chrome Enterprise Policy List”: https://support.google.com/chrome/a/answer/187202?hl=en

GPO Settings
User Configuration\Policies\Administrative Templates\Google\Google Chrome\HTTP Authentication
-Kerberos delegation server whitelist
autologon.microsoftazuread-sso.com,aadg.windows.net.nsatc.net
-Authentication server Whitelist
autologon.microsoftazuread-sso.com,aadg.windows.net.nsatc.net
# Needed if you’re blocking extensions from being installed to whitelist this one
User Configuration\Policies\Administrative Templates\Google\Google Chrome\Extensions
-Configure the list of force-installed apps and extensions (Enabled)
ppnbnpeolgkicgegkbkbjmhlideopiji
-Configure extension installation allow list (Enabled)
ppnbnpeolgkicgegkbkbjmhlideopiji

Note: That extension ID I pulled from https://chrome.google.com/webstore/detail/windows-accounts/ppnbnpeolgkicgegkbkbjmhlideopiji (Windows Accounts)

How do i check what server we sync time with?

September 6, 2024 by Roger·Comments Off

Product:
Microsoft Windows 2019 server

Issue:

We need to check what server our server contact to syncronice the time with?

Solution:

Start a command prompt (CMD)

Enter command:

w32tm /query /status

gives you information such as:

stratum
leap indicator
precision
last sync
NTP server
poll interval

More Information:

https://learn.microsoft.com/en-us/windows-server/networking/windows-time-service/windows-time-service-tools-and-settings?tabs=config

https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/ff799054(v=ws.11)

https://www.meinbergglobal.com/english/info/ntp-w32time.htm

Windows explorer (process id: 4860) error when install 7-zip

August 20, 2024 by Roger·Comments Off

Product:
Microsoft Windows 2019 server

7 zip program

Problem:

During upgrade of 7zip you run the MSI installer, it gives a error “some files that need to be updated are currently in use”. To close all windows explorer windows does not help.

if you get above error, it can be needed with a restart of the windows server to complete the installation.

Solution:

Uninstall previous version of 7-zip program before you install the new version.

Download the zip program from https://7-zip.org/download.html

Download 7-Zip 24.08 (2024-08-11) for Windows:

Link	Type	System	Description
Download	.exe	64-bit Windows x64	7-Zip installer for Windows
Download	.exe	32-bit Windows x86
Download	.exe	64-bit Windows arm64
Download	.msi	64-bit Windows x64	(alternative MSI installer) 7-Zip for 64-bit Windows x64
Download	.msi	32-bit Windows x86	(alternative MSI installer) 7-Zip for 32-bit Windows
Download	.7z	Windows x86 / x64	7-Zip Extra: standalone console version, 7z DLL, Plugin for Far Manager

Go to control panel – program and features – right click on old 7zip version and select uninstall.

Make the new 7zip msi file accessible from inside the windows server, and run it to install it.

Click Next in all dialogs, ensure that the path is C:\Program Files\7-Zip.

When installation is done, check in control panel that you have correct version installed.

If you want to use a command file, there in the 7-zip extra exist a 7za.exe file you can use in a folder. Download the 7z2408-extra.7z file and unzip it. Place the needed files on the server where it should be run.

And create batch files that interact with it, with parameter like this;

Usage: 7za <command> [<switches>...] <archive_name> [<file_names>...] [@listfile]

<Commands>
a : Add files to archive
b : Benchmark
d : Delete files from archive
e : Extract files from archive (without using directory names)
h : Calculate hash values for files
i : Show information about supported formats
l : List contents of archive
rn : Rename files in archive
t : Test integrity of archive
u : Update files to archive
x : eXtract files with full paths

<Switches>
-- : Stop switches and @listfile parsing
-ai[r[-|0]][m[-|2]][w[-]]{@listfile|!wildcard} : Include archives
-ax[r[-|0]][m[-|2]][w[-]]{@listfile|!wildcard} : eXclude archives
-ao{a|s|t|u} : set Overwrite mode
-an : disable archive_name field
-bb[0-3] : set output log level
-bd : disable progress indicator
-bs{o|e|p}{0|1|2} : set output stream for output/error/progress line
-bt : show execution time statistics
-i[r[-|0]][m[-|2]][w[-]]{@listfile|!wildcard} : Include filenames
-m{Parameters} : set compression Method
-mmt[N] : set number of CPU threads
-mx[N] : set compression level: -mx1 (fastest) ... -mx9 (ultra)
-o{Directory} : set Output directory
-p{Password} : set Password
-r[-|0] : Recurse subdirectories for name search
-sa{a|e|s} : set Archive name mode
-scc{UTF-8|WIN|DOS} : set charset for console input/output
-scs{UTF-8|UTF-16LE|UTF-16BE|WIN|DOS|{id}} : set charset for list files
-scrc[CRC32|CRC64|SHA256|SHA1|XXH64|*] : set hash function for x, e, h commands
-sdel : delete files after compression
-seml[.] : send archive by email
-sfx[{name}] : Create SFX archive
-si[{name}] : read data from stdin
-slp : set Large Pages mode
-slt : show technical information for l (List) command
-snh : store hard links as links
-snl : store symbolic links as links
-sni : store NT security information
-sns[-] : store NTFS alternate streams
-so : write data to stdout
-spd : disable wildcard matching for file names
-spe : eliminate duplication of root folder for extract command
-spf[2] : use fully qualified file paths
-ssc[-] : set sensitive case mode
-sse : stop archive creating, if it can't open some input file
-ssp : do not change Last Access Time of source files while archiving
-ssw : compress shared files
-stl : set archive timestamp from the most recently modified file
-stm{HexMask} : set CPU thread affinity mask (hexadecimal number)
-stx{Type} : exclude archive type
-t{Type} : Set type of archive
-u[-][p#][q#][r#][x#][y#][z#][!newArchiveName] : Update options
-v{Size}[b|k|m|g] : Create volumes
-w[{path}] : assign Work directory. Empty path means a temporary directory
-x[r[-|0]][m[-|2]][w[-]]{@listfile|!wildcard} : eXclude filenames
-y : assume Yes on all queries

More Information:

https://7-zip.org/faq.html

https://a32.me/2010/08/_7zip-differential-backup-linux-windows/

https://nagimov.me/post/simple-differential-and-incremental-backups-using-7-zip/

https://sourceforge.net/projects/blat/

https://help.goodsync.com/hc/en-us/articles/360007773451-Automated-Backup-with-Compression-and-Encryption

The Managed Identity is not ready.

July 4, 2024 by Roger·Comments Off

Product:
Microsoft Azure Blob storage

Issue:

The Azure Data Factory (ADF) does not run the job.

Operation on target LookupFileNames failed: ErrorCode=MICredentialUnderSyncing,’Type=Microsoft.DataTransfer.Common.Shared.HybridDeliveryException,Message=The Managed Identity is not ready. This could happen if it is newly assigned or inactive for more than 90 days. The system is updating it now. Please try again after 10 minutes.,Source=Microsoft.DataTransfer.MsiStoreServiceClient,”Type=Microsoft.Rest.Azure.CloudException,Message=Acquire MI token from AAD failed with credential under syncing issue. ErrorCode: invalid_client…

Solution:

Wait ten minutes. If the ADF have been not running for 90 days, the system is “turned off” and will take some time for Microsoft to get up and run again.

More Information:

https://learn.microsoft.com/en-us/azure/automation/troubleshoot/managed-identity

https://docs.uipath.com/automation-cloud/automation-cloud/latest/admin-guide/azure-ad-integration

https://azure.status.microsoft/en-us/status/history/

https://learn.microsoft.com/en-us/azure/data-factory/connector-azure-blob-storage?tabs=data-factory

https://learn.microsoft.com/en-us/fabric/data-factory/connector-azure-blob-storage

https://k21academy.com/microsoft-azure/data-engineer/connect-azure-data-lake-to-azure-data-factory-and-load-data/

How list only rows of newer dates?

July 3, 2024 by Roger·Comments Off

Product:
Microsoft SQL server

Issue:
How to in a view only list the data rows for the last 3 years?

Solution:

You need to have a column with the date in your fact table. If the date column in your fact table is a int, you have to join it with a date conversion table or use cast/convert.

We have used a date table (DM.dimdate).

The key_dimdate is a integer, and the date column is in the date format in SQL. The date format make it easy to compare it to a date question in SQL.

Create a SQL similar to this:

SELECT a.[Customer]
,a.[Account]
,a.[Order]
,a.[key_dimDate]
,a.[key_dimVersion]
,a.[Amount]
,a.[startDate] as [startDate]
,a.[endDate] as [endDate]
,a.[IsActive] as [IsActive]
FROM [DM].[facttable] a
inner JOIN [DM].[dimDate] f on a.[key_dimDate] = f.[key_dimDate]
where 1=1
and a.[IsActive] = 'Y'
-- and DATEADD(year, -3, GETDATE() ) < f.[Date] -- will list 3 years
and DATEADD(Quarter, -13, GETDATE() ) < f.[Date]  -- will list 39 months

If you get error like Column ‘id’ in field list is ambiguous, then you have missed to set the alias letter in front of all the columns references in the SQL query.

If you are getting an error: “Arithmetic overflow error converting expression to data type datetime.” Is that the F.Date in above SQL is a int, you have to convert it to a date somehow.

Only using CONVERT(DATETIME,[key_dimDate],103) can give overflow error.

Change the SQL to reflect your columns and tables.

More Information:

https://www.w3schools.com/sql/func_sqlserver_convert.asp

https://www.sqlshack.com/sql-server-functions-for-converting-string-to-date/

https://www.w3schools.com/sql/func_sqlserver_dateadd.asp

Let’s say you need to add five months to current date, use this:

SELECT * FROM YourTable
WHERE YourDate < DATEADD(month, 5, GETDATE())

I used function GETDATE() for getting current DateTime.

If you need to subtract some time, just add minus to second parameter:

SELECT * FROM YourTable
WHERE YourDate < DATEADD(month, -5, GETDATE())

https://koz.tv/sql-query-for-todays-date-minus-year-month-day-or-minute/

https://www.mssqltips.com/sqlservertip/2509/add-and-subtract-dates-using-dateadd-in-sql-server/

https://www.sqlshack.com/how-to-add-or-subtract-dates-in-sql-server/

To see the SQL job log for a time period, try this in SQL server (will not work in Azure SQL)

SELECT
@@SERVERNAME as ‘Server’, j.name as ‘Job Name’,
jh.run_date as ‘Run Date’, jh.run_status as ‘Job Status’
FROM msdb.dbo.sysjobs j
LEFT OUTER JOIN (
SELECT ROW_NUMBER() OVER(PARTITION BY jh.job_id ORDER BY jh.run_date DESC) AS row_num, jh.*
FROM msdb.dbo.sysjobhistory jh
WHERE
jh.step_id = 0 AND
jh.run_date >= CONVERT(varchar(8), DATEADD(DAY, -7, GETDATE()), 112) AND
jh.run_date <= CONVERT(varchar(8), GETDATE() + 1, 112)
–ORDER BY jh.run_date DESC
) AS jh ON jh.job_id = j.job_id
WHERE j.enabled = 1 AND jh.run_status = 0
ORDER BY j.name, jh.run_date;

https://www.w3schools.com/sql/sql_join.asp

Here are the different types of the JOINs in SQL:

(INNER) JOIN: Returns records that have matching values in both tables
LEFT (OUTER) JOIN: Returns all records from the left table, and the matched records from the right table
RIGHT (OUTER) JOIN: Returns all records from the right table, and the matched records from the left table
FULL (OUTER) JOIN: Returns all records when there is a match in either left or right table

How create a bootable USB

June 14, 2024 by Roger·Comments Off

Product:

Linux Mint
Microsoft Windows 10

Problem:

How make a bootable usb to install a OS to old computer? Old computer only have CDROM drive, and modern OS does not fit on that. They need GB of space.

Solution:

Download the ISO you need – for example Linux Mint from here:

https://www.linuxmint.com/download.php

Download software to create USB drive, like

https://etcher.balena.io/#download-etcher

https://rufus.ie/en/

How to do it:

https://youtu.be/764JLB13GjE?si=Gby6iZeC79FGZLll

Start the program balenaEtcher.

Select the iso file to use.

Select the USB stick to use.

Click on Flash to create the usb media.

If you get error, reboot your laptop, and try again.

Ensure that the computer you are going to install Linux to, have in BOOT setup, that it will start from USB stick, before hard drive.

https://www.zdnet.com/article/how-to-install-linux-on-an-old-laptop/

https://itsfoss.com/install-linux-mint/

For old computers with 32 bit processor , you need to install the 32 version of linux.

https://www.linuxmint.com/edition.php?id=308

https://www.debugpoint.com/32-bit-linux-distributions/

What does the name on Windows OS ISO file mean?

This post is not made to list every possible filename there is, only summarize what other have written about the subject. They iso code may vary slightly between products and editions.

We believe that J_CPRA_X64FRE is Windows 10 Pro 64 bit.

The coding does not seem to be formally or comprehensively documented, but you can assemble hints from various scattered observations around the web.

J_CPRA_X64F looks like a short form version designed to fit in the legacy 11 character disk label from the old FAT volume label limits. J is the Windows 10 release. CPRA is the Pro edition, where the “C” is for “client” (as opposed to “server”) “PR” is for “Professional” and “A” is the variant of the professional edition (most times there is only one). X64 is the CPU architecture. F is short for FRE is a final-released (checked) build as opposed to a CHK (checked) build, used for debugging. (source: https://forums.whirlpool.net.au/archive/2468594).

The typical full version of an ISO file name is longer, including the language and region, and sometimes the target medium. For example, JM1_CCSA_X64FRE_EN-US_DV9 was the Windows 10 Technical Preview install DVD (dual layer, 8.5GB aka DVD9) and JM1_CCSA_X64FRE_EN-US_DV5 is a Windows 10 install DVD (single layer, 4.7GB, aka DVD5). EN-US is US English. X64 is for the x86 64-bit version. JM1 is a pre-release of “Redstone” (Windows 10); CCSA is the “Windows Technical Preview Edition.”

Other Windows 10 edition examples include:

CENA (Client, ENterprise, “A”)
CEDA (Client, EDucational, “A”)

You can seem some historic product to volume label mapping at https://support.microsoft.com/en-us/help/889713/how-to-determine-the-channel-that-your-copy-of-windows-server-2003-was

and also

Original CD/DVD Volume Labels for Windows

Some of the Windows 7 media labels can be found at Get Windows 7 SP1-U Media Refresh MSDN/TechNet ISO (Download or Convert) « My Digital Life. and Official Windows 7 SP1 ISO from Digital River « My Digital Life.

Windows 7 releases started with the letter “G”.

Windows 8 releases started with the letter “H”. (Windows 8 Enterprise x86 Volume Licensing ISO Leaked « My Digital Life)

Windows 10 uses the letter “J”. I would presume that “I” was skipped to avoid confusion with “1”.

https://www.quora.com/How-do-I-determine-what-version-of-Windows-installation-is-on-my-USB-drive-like-J_CPRA_X64F

The two Windows 7 ISO file names, can be explained like this:
——–

Language of the OS. Always two letters (with one exception). Example: en, en-gb, cs, da, no, sv.
Minor version build of the OS.
Compile date of the OS (not of the ISO). Indicates YYMMDD-HHMM.
Platform architechture and target. x86 = 32bit 8086-based, x64 = 32bit 8086-based with 64bit AMD-64 extensions. fre = Free, for end user. chk = Checked, debug version. Examples: x86fre, x64chk.
SKU version. Examples: enterprise, enterprisen, professional, starter.
Full language tag of the OS. Must match (1). Examples: en-us, en-gb, sv-se.
Volume license identifier. Optional.
Upgrade identifier. Optional.
Original equipment manufacturer identifier. Optional.
Matches (5).
Volume label of the mounted ISO volume. Contains various codes to identify language, SKU, volume/OEM and media.

——–

Language of the OS. Always two letters (with one exception). Example: en, en-gb, cs, da, no, sv.
Product name. Examples: windows_7, windows_8, windows_server_2012.
SKU version. Examples: enterprise, enterprisen, professional, starter.
Integrated service pack level. Optional.
Platform architechture and target. x86 = 32bit 8086-based, x64 = 32bit 8086-based with 64bit AMD-64 extensions. chk = Checked, debug version. Examples: x86, x64chk.
Storage media
Update flag. The ISO was updated with some critical patch.
Unique MSDN/Technet image number ID.

——–

Language of the OS. Always two letters. Example: en, cs, da, no, sv.
?
Single or double layer DVD. DVD5 = 4.7GB
Product name. Win = Windows.
SKU version. Examples: Pro, Pro KN, Ent.
7 With. Means it’s an integrated installation with a service pack. Combined with (7) for full service pack level information. Optional.
Integrated service pack level. Optional.
Platform target. 32BIT = x86, 64BIT = x64.
Language of the OS.
Updated ISO. Base ISO with added KB update.
Microsoft Licensing Fulfillment
Microsoft Part Number as it appears on the physical installation media.

https://www.betaarchive.com/forum/viewtopic.php?t=26026

More information:

https://itsfoss.com/watch-tv-channels-on-ubuntu-or-linux-mint/

Downloads

https://kodi.tv/

https://www.tecmint.com/linux-media-center-distros/

https://www.computerhope.com/history/processor.htm

Have fun!

How link in PowerBI service dataflow to sharepoint

June 14, 2024 by Roger·Comments Off

Product:
PowerBI Portal service

Problem:
How to import a csv file to dataflow from sharepoint area.

If you use sharepoint connection, you may get error like this;

an exception occurred: DataSource.Error: Microsoft.Mashup.Engine1.Library.Resources.HttpResource: Request failed:
OData Version: 3 and 4, Error: The remote server returned an error: (404) Not Found. (Not Found)
OData Version: 4, Error: The remote server returned an error: (404) Not Found. (Not Found)

Solution:

There exist different solutions to this issue, they way that work for you can depend on how your company have set up the security.

Go to your power bi portal https://app.powerbi.com/home?experience=power-bi

Open up your workspace area where you have administrator rights.

Click NEW DATAFLOW

Click Add new tables

Select csv file, not SharePoint file.

From you SharePoint folder, where you have stored your file, copy the link.

Then edit the link in notepad, so you remove /:x:/r/ between .sharepoint.com/ and /teams, also remove all garbage after ?.

Then you get a “clean” url path that will work. Like this (replace with your company info):

https://company.sharepoint.com/teams/powerbiworkspacename/foldername/General/enkel.csv

Paste the adjusted url to link to file field.

You may need to select data gateway to be “none”.

Enter “Organizational account” at authentication kind, if your SharePoint are part of you company, you will be prompted with your company azure login. If you are not already logged in to azure in your web browser.

If all works, you get a preview of the file. Change the file origin to ensure that the special characters are handled correctly in the file. UNICODE-7 (utf-7) will support Swedish characters.

Click on transform data.

You will now have a similar look to power-bi desktop transform, where you can change the data before it is loaded into the cache.

The code is similar to below:

Csv.Document(Web.Contents(“https://company.sharepoint.com/teams/powerbiworkspacename/foldername/General/enkel.csv”), [Delimiter = “,”, Columns = 2, Encoding = 65001, QuoteStyle = QuoteStyle.None])

More Information:

https://www.linkedin.com/pulse/analytics-tips-connecting-data-from-sharepoint-folder-diane-zhu

https://learn.microsoft.com/en-us/power-query/connectors/sharepoint-folder

https://learn.microsoft.com/en-us/power-bi/transform-model/dataflows/dataflows-create

https://www.phdata.io/blog/how-and-when-to-use-dataflows-in-power-bi/

Dataflow Gen2 (fabric) is indeed an enhancement over the original Dataflow. One of the key improvements is the ability to separate your Extract, Transform, Load (ETL) logic from the destination storage, providing more flexibility. Gen2 also comes with a more streamlined authoring experience and improved performance.

For a more detailed comparison, you can refer to this link:

Differences between Dataflow Gen1 and Dataflow Gen2 – Microsoft Fabric | Microsoft Learn

Datamart primarily utilizes data streaming technology to import data into Azure SQL Server. Datamart then automatically generates and links datasets. You can then actually create data streams that connect to the Datamart, which can be used for DirectQuery or import if the Advanced Compute Engine is enabled.

For a more detailed comparison, you can refer to this link:

Introduction to datamarts – Power BI | Microsoft Learn

Your role in the dev subscription will expire in 1 day

June 7, 2024 by Roger·Comments Off

Product:
Microsoft Azure

Issue:
You get a mail about that some of your subscriptions parts are expire in a few days like “Your Storage File Data Privileged Contributor role in the prod subscription will expire in 1 day(s)”

Solution:

Depending how your Azure accounts are setup and handled by your organisation, but it should be similar to this:

(you need to be owner of the subscription, to be able to extend the role for your self)

Go to azure Home – Microsoft Azure

Search for PIM. Click on Privileged Identity Management

Expand tasks and click on my roles.

Go to Azure Resources, and for the subscriptions you need to extend, go to owner line and activate you as owner.

click on activate. After someone have approved, go to next step.

Click on Privileged Identity Management, to get back to the start page of PIM.

Click now on Azure resources under Manage, and from the new page drop down select the subscription you want to handled.

Click on Manage button, after you have selected a subscription.

Click on Assignments under Manage. Then browse the lines to the right, to find what roles you can extend. Click on extend link.

Set a date, at least a year in the future. Press save. Repeat for all roles you need to extend.

If you do not find your role, check under the Expired assignments tab – to see if it is there, and you can extend it there.

Repeat for all subscriptions you have in Azure.

More Information:

Renew Azure resource role assignments in PIM – Microsoft Entra ID Governance | Microsoft Learn

Extend or renew PIM for groups assignments – Microsoft Entra ID Governance | Microsoft Learn

What is Privileged Identity Management? – Microsoft Entra ID Governance | Microsoft Learn

TLS_RSA_WITH_3DES_EDE_CBC_SHA

May 8, 2024 by Roger·Comments Off

Product:
Microsoft Windows 2019 server

Issue:

Your security scan software report that you have a issue on the Windows server with ciphers.

TLS/SSL Birthday attacks on 64-bit block ciphers (SWEET32)
Negotiated with the following insecure cipher suites:
* TLS 1.2 ciphers:
* TLS_RSA_WITH_3DES_EDE_CBC_SHA

Configure the server to disable support for 3DES suite.

Solution:

Check that the application software you use on the server does not need this cipher.

Then run this powershell command to remove the support for the cipher:

Disable-TlsCipherSuite -Name 'TLS_RSA_WITH_3DES_EDE_CBC_SHA'

Reboot the windows server for the change to take affect.

Get list of cipher that is 3DES:

Get-TlsCipherSuite -name “3DES”

Get list of all cipher on server:

Get-TlsCipherSuite | Format-Table Name

Get list of curves:

certutil.exe –displayEccCurve

More Information:

A cipher suite is a set of cryptographic algorithms. The schannel SSP implementation of the TLS/SSL protocols use algorithms from a cipher suite to create keys and encrypt information. A cipher suite specifies one algorithm for each of the following tasks:

Key exchange
Bulk encryption
Message authentication

Key exchange algorithms protect information required to create shared keys. These algorithms are asymmetric (public key algorithms) and perform well for relatively small amounts of data.

Bulk encryption algorithms encrypt messages exchanged between clients and servers. These algorithms are symmetric and perform well for large amounts of data.

Message authentication algorithms generate message hashes and signatures that ensure the integrity of a message.

Developers specify these elements by using ALG_ID data types. For more information, see Specifying Schannel Ciphers and Cipher Strengths.

In earlier versions of Windows, TLS cipher suites and elliptical curves were configured by using a single string:

Diagram that shows a single string for a Cipher Suite.