Problems with IIS (when combined with FIPS GPO and VMware vCM)

I ran into an issue this week when testing VMware vCenter Configuration Manager (vCM).  It turns out it does not play nicely when installed on 2008 R2 IIS Server that ALSO has the following GPO setup:

"System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing"

vCM runs on IIS, and when the server is forced to run FIPS-compliant, some of the internal vCM code must clash with IIS.

The fix is easy, of course.  If it is defined in GPO, fix the GPO.  If all you need is a quick fix, then you can change the following registry value from 1 to 0, then restart IIS.

HKLM\CurrentControlSet\Control\LSA\FipsAlgorithmPolicy: Enabled (change from 1 to 0)

 

 

3 Useful links for SCCM and App-V

My customer has invested a large amount of money in their existing SCCM/App-V infrastructure.  When working on new VDI deployments, I emphasize re-using existing infrastructure when possible, to save costs and shorten deployment timelines.

Having the SCCM Agent and the App-V agent installed on a VDI master image is not always desirable, but it can be done successfully.  Here are some links that I found useful:

Problems with Sysprep not reading the App-V Q:\ drive (Includes a simple .bat file solution):
http://tech.zsoldier.com/2010/03/view-composer-agent-initialization.html

Manually Uninstalling / Installing SCCM Client (it's not hard, but it is all command line,  no GUI):
http://technet.microsoft.com/en-us/library/bb693546

Preparing a Master Image with a pre-installed SCCM Client:
http://systemscenter.ru/smsv4.en/html/d34f1195-ffad-4e7b-b302-5df64d373710.htm

McAfee HIPS always causes extra work...

Using the default settings, the client-side interface does not provide much in the way of alerts.  I have been dealing with this product for several years, and it has plenty of ways to silently break all sorts of functionality.  For security reasons, HIPS is a necessary evil in many environments.  Most recently we found HIPS on our VDI master image and had to remove it, which was not as simple as uninstalling a regular application.

Here is a useful  KB for uninstalling HIPS in a McAfee-supported way:

https://kc.mcafee.com/corporate/index?page=content&id=KB58629

Verbose logging for VMware View Components

It's a pain to make a change to the master VM, but it may yield some useful data for dealing with View Composer timeouts:

http://kb.vmware.com/selfservice/microsites/search.do?cmd=displayKC&docType=kc&docTypeID=DT_KB_1_1&externalId=1010388

VMWare View Time Zone issue

I am starting to see an issue where thin clients are failing to synchronize time with Vista VM's in VMware View 4.6.  This article explains how to turn off time synchronization via a VMware GPO file, not sure if I am going to use this or not: going to use this immediately!  I have a set a of thin clients that use UTC and it is throwing the time off in the VDI environment.

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1006773

Packet loss with "Flexible" VMnic type

Ran into a packet loss issue today.  Normally I usually only use E1000's in production.  We had some Server 2003 VM's running with Flexible NICs.  Caused intermittent packet loss, once we changed them to VMXNet2 adapters, the connections were perfect.

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1001805

VMware View Domain Filtering...

I found a KB article discussing domain filtering using the VDMadmin command for View.  I hope this works!

**Update, this worked, FTW!!!!

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1014103

Another one, this one is for View 5.0:
http://pubs.vmware.com/view-50/index.jsp?topic=/com.vmware.view.administration.doc/GUID-3E9924EC-1554-43E5-A812-84F9711909A5.html