Unifi Access Point SSH upgrade

I was in the process of upgrading the firmware on a few Unifi Access Points and ran into a problem where the APs would not (re)connect to the Unifi Controller when I initiated the firmware update. They were stuck in the update state without actually updating the firmware. The controller showed them as offline/updating.
I was still able to ping them and they were reachable over SSH.

I needed a way to update the firmware using SSH. I looked up the exact firmware download URL on https://www.ui.com/download/. I connected to the specific AP using SSH (PuTTY) and was able to perform the update manually by running the following command:

((`which nohup` /usr/bin/syswrapper.sh upgrade http://dl.ui.com/unifi/firmware/U7PG2/4.0.42.10433/BZ.qca956x.v4.0.42.10433.190518.0923.bin >/dev/null 2>/dev/null)&) ; sleep 1

This command took a few minutes to start running and successfully completed the firmware update. I was able to manage the APs again in the controller with their new firmware.

If the AP is on a low firmware level, it may come back with an error that it could not download the firmware because of a certificate error. In that case you can simply change https:// to http://, at the cost of the download no longer being verified by TLS.

Citrix Director: ‘Cannot retrieve the data’ after CU2 update

After installing the Citrix Director CU2 release (7.6.2000), I received the error ‘Cannot retrieve the data’ when viewing information like connected sessions, logon duration and Virtual Desktop details. I have seen this error after updating to CU2 at two customer sites; both sites are enterprise hospital environments. I have not seen this error in test environments or in our own company environment.
Viewing the licensing status in Director is working perfectly fine. Viewing logged-in users is fine too, but viewing virtual desktop details wasn’t working.

Besides updating Citrix Director to the CU2 release, I have also updated the Delivery Controllers, License Server and StoreFront to CU2.

There was a small number of users who had no issues with Director and did not receive any error message. Most of them had an admin account and a user account. The user account was working fine. I made a clone of my own user account, deleted some AD groups and the errors were gone in Director. The users who had the error message were all IT users with a lot of (nested) groups, mostly more than 300.

Citrix Director looked like this after the update:

The event viewer on the server where Director is installed showed the following error:

After contacting Citrix Support and reviewing the Citrix Director trace files, we saw that Director fails with ‘HTTP Error 400. The size of the request header is too long.’ This is because the Director machine is not able to retrieve any information due to a bloated Kerberos ticket.

We were able to fix the ‘Cannot retrieve the data’ error by setting the following registry keys (DWORD) on both the Citrix Delivery Controller(s) and the StoreFront server(s). The servers required a reboot after setting these keys.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters
DWORD: MaxTokenSize = 48000 (decimal)
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters
DWORD: MaxFieldLength = 48000
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters
DWORD: MaxRequestBytes = 12288000
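
As an added example (not from the original post or from Citrix), this PowerShell script estimates a user's Kerberos token size with Microsoft's published formula TokenSize = 1200 + 40d + 8s and checks whether the token, and its base64 form in the HTTP Negotiate header, fit the three limits above on the server it runs on. The group counts are constructed sample values, and the fallback of 12000 for an unset MaxTokenSize is an assumption that depends on the Windows version.

```powershell
# Added example (not from the original post): will a user's Kerberos token fit
# the limits on this server? Run on a Delivery Controller or StoreFront server.
param(
    [int]$D = 300,  # constructed sample: domain local groups, universal groups
                    # from other domains and SID-history entries (40 bytes each)
    [int]$S = 0,    # constructed sample: global and in-domain universal groups (8 bytes each)
    [int]$DefaultMaxTokenSize = 12000  # assumption: OS older than Server 2012 (newer: 48000)
)

function Get-Limit {
    param([string]$Path, [string]$Name, [int]$Default)
    # Configured DWORD if present, otherwise the default that applies when unset.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { [int]$item.$Name } else { $Default }
}

$kerb = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters'
$http = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'

# Microsoft's estimate: 1200 bytes overhead + 40 per "d" group + 8 per "s" group.
$tokenBytes = 1200 + (40 * $D) + (8 * $S)
# The ticket travels base64-encoded in "Authorization: Negotiate <blob>",
# which costs 4 characters for every 3 bytes.
$headerChars = 'Negotiate '.Length + 4 * [int][math]::Ceiling($tokenBytes / 3)

$checks = @(
    @{ Name = 'MaxTokenSize';    Path = $kerb; Default = $DefaultMaxTokenSize; Needed = $tokenBytes }
    @{ Name = 'MaxFieldLength';  Path = $http; Default = 16384; Needed = $headerChars }
    @{ Name = 'MaxRequestBytes'; Path = $http; Default = 16384; Needed = $headerChars }
)

foreach ($c in $checks) {
    $limit = Get-Limit -Path $c.Path -Name $c.Name -Default $c.Default
    [pscustomobject]@{
        Setting = $c.Name
        Needed  = $c.Needed
        Limit   = $limit
        Fits    = ($c.Needed -le $limit)
    }
}
```

With the sample of 300 groups at 40 bytes each, the estimate is 13200 bytes for the token and 17610 characters for the header value, which exceeds limits of 12000 and 16384 and fits the values set in this post.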

 

Allow change password via RDP

I’ve experienced a few times that I’m not allowed to log in using RDP because my password is expired or because ‘user must change password at next login’ is enabled in Active Directory.

Today was one of those moments. I could not log in to a customer environment I hadn’t logged in to for a while, because my password was expired. So ehm.. I had to log in to change my password, but I could not log in to change my password because my password was expired.. right..
Now what? The customer wasn’t available at that time and I had to get to work.

I have found the following workaround for that.

Local

  1. Start mstsc.exe
  2. Enter the remote desktop connection
  3. Click ‘Save as..’
  4. Save the RDP file as something like: ChangePassword.RDP
  5. Open notepad.exe and open the RDP file you just created.
  6. Add enablecredsspsupport:i:0 at the bottom of the file.

Save the file, start the RDP connection using this file. Now you will have the possibility to change your password!

What if CredSSP is required?

If CredSSP (Credential Security Support Provider) is required to log in to the remote desktop, you will get the following error message:
Try to make an RDP connection using the full FQDN (servername.domain.local) instead of just the servername. Otherwise, the above solution is not possible, except when you disable CredSSP.

CredSSP can be disabled by changing the RDP settings on the remote desktop to disable ‘Allow connections only from computers running Remote Desktop with Network Level Authentication (recommended).’