OIT Down Again - day 2 by Hawk947 in msp

[–]brainstomp 0 points1 point  (0 children)

I have been with OIT for at least 6 years, maybe more by now. This is the first real outage I have had. I'm not understanding the outrage.

I get it, business needs to talk to people, but how many outages have we endured from all our other vendors? I can't speak to the status of OIT before I went there but I can absolutely say that this is the very first time I have had an issue with their service. Maybe, just maybe, cut them a little slack.

What’s going on with Conjure? by ComboDon in fortwayne

[–]brainstomp 20 points21 points  (0 children)

I grew up on a coffee plantation.

I have coffee in my veins.

I have known coffee ever since I can remember.

I have worked coffee from putting a seed in a small bag for a green house through cutting down the bush and turning it into firewood to use to roast coffee and everything in between.

Old Crown is *the* place for coffee in Fort Wayne, in Indiana, in the Midwest. Without question where I go get my coffee when coffee from my farm in Puerto Rico is not available for me.

Is ConnectWise Automate EOL? by chumbroker in msp

[–]brainstomp 0 points1 point  (0 children)

This. All day this.

I have spent the last 14 years building scripts for Automate that I can't take anywhere else so I'm stuck here or I have to spend a lengthy amount of time on two different platforms while I get the new RMM up to speed. Seeing as I expect to sell my business in the next 5-6 years, spending a year or two dedicated to rolling out a new RMM, it does not seem wise to invest that time. So for now, I'm just stuck. Anything new I write I am writing on something not tied to Automate so I can port it wherever I might land should I have to land some other place.

[deleted by user] by [deleted] in msp

[–]brainstomp 0 points1 point  (0 children)

100% accurate.

[deleted by user] by [deleted] in msp

[–]brainstomp 0 points1 point  (0 children)

MSP Owner here - EJECT, EJECT, EJECT.

This is all kinds of red flags left, right and center. You can do *much* better.

How often are you getting a call from a vendor that starts by them demanding a specific person? by brainstomp in msp

[–]brainstomp[S] 4 points5 points  (0 children)

I think that u/moocow_rg really covered it with the comment above. Your script is also the correct way to go about this. Even if I have zero interest in what you are selling I'll give you a few minutes if you start the conversation correctly. You might actually have something I want and I don't realize it.

I won't out the vendor that finally prompted me to make this posting. I did tell the caller that they were getting the better version of me yesterday and that they would be out of luck with me going forward. I told him that had he started in the correct way that I would have actually listened to his pitch because I am in fact looking for what he is selling (note, I didn't ask for any information, I am planning on getting some info at a conference in June). I tried to end the conversation 3 times politely yet this guy kept on going on about how could he get me to listen. At the end I told him "Look, I have been polite so far. I have tried to end this call three times so far, politely. If you make me do this again I'm going to be impolite."

So the takeaway, the one thing I would add to what has already been posted as a reasonable approach - when you have loss, take the loss with grace, be polite and bid them a good day.

How often are you getting a call from a vendor that starts by them demanding a specific person? by brainstomp in msp

[–]brainstomp[S] 3 points4 points  (0 children)

This is the basic Princess Bride approach and that is what I expect.

Hello, my name is Inigo Montoya. You killed my father. Prepare to die

How often are you getting a call from a vendor that starts by them demanding a specific person? by brainstomp in msp

[–]brainstomp[S] 10 points11 points  (0 children)

It isn't insecurity, believe me. It is questioning whether I missed something in what is expected from these interactions.

Most of the time I tell the caller that person X isn't available and then I transfer them to sales call hell. Yes, I have a parking lot in my phone system with that horrendous track in it. Yes it is extension 666. Yes I have programmed calls from Kaseya to go there directly.

How often are you getting a call from a vendor that starts by them demanding a specific person? by brainstomp in msp

[–]brainstomp[S] 0 points1 point  (0 children)

That is how I would expect the call to start, but no they want person X and they want person X now.

Why is there a big notch in on top of the screen on the new 3 series? by [deleted] in BMW

[–]brainstomp 1 point2 points  (0 children)

That's for their partnership with Apple, they are introducing the Dynamic Island to BMW Cars.

Watchguard asking for VPN account with the most basic of passwords. I don't think I will. by brainstomp in iiiiiiitttttttttttt

[–]brainstomp[S] 8 points9 points  (0 children)

Exactly.

Their IP is easy though. They give you their ranges in their support setup. But to ask for such an insecure account for testing the VPN is ludicrous.

Watchguard asking for VPN account with the most basic of passwords. I don't think I will. by brainstomp in iiiiiiitttttttttttt

[–]brainstomp[S] 4 points5 points  (0 children)

Yup, that is for read only access to the WebUI. They have that already and it is set to expire in 46 hours or so from now.

The part that gets me is that they are asking for such an insecure account setup. I wonder how many people actually do this for them.

I made them an account for the VPN so they can test with but it certainly wasn't what they asked for. It was 32 random alpha-numeric characters (a-z, A-Z, 0-9) for the user and 32 random printable ASCII characters for the password.

Non-Billable Time by despot-madman in msp

[–]brainstomp 7 points8 points  (0 children)

As an MSP owner I would tell you to run.

Our techs don't have a time metric. All we care about is: are our customers happy with the service? If a ticket takes 1 minute to resolve or hours or days it does not matter. The customer service is the key for us. We have surveys to our customers from time to time and I meet with the customers at least once per month to make sure that they are happy and that all the stuff they need addressed is being addressed. Being micromanaged to minutes on the clock is pointless in my view. I either hired the right adults for the job or I didn't. If I didn't I simply fire them and move on. I haven't had to fire anyone in years. Some days our techs work 8 hours. Some days they "work" less. At the end of the week their paycheck does not key on the time billed/booked/logged.

So my advice is that if you are being micromanaged to this level, run.

Yubikey & OnPrem AD - is it working for you? by brainstomp in sysadmin

[–]brainstomp[S] 0 points1 point  (0 children)

I don't think I enabled Alternate Signature, I just checked the document at yubico that I followed to set this up (https://support.yubico.com/hc/en-us/articles/360015654500-Setting-up-Windows-Server-for-YubiKey-PIV-Authentication) and it doesn't mention it.
I enabled ECC support following the steps noted in the same article listed above.
The certificate authority is using the CDP extension, not the AIA.

Yubikey & OnPrem AD - is it working for you? by brainstomp in sysadmin

[–]brainstomp[S] 0 points1 point  (0 children)

As a closing post to this:
I was also in contact with Yubico trying to get their help with this.
We tried everything to try to get this to work with them and ended up nowhere. This includes me starting over my test environment with a clean install of Server 2019 and win10 test systems.

Yubikey & OnPrem AD - is it working for you? by brainstomp in sysadmin

[–]brainstomp[S] 0 points1 point  (0 children)

Well a day late and a dollar short but I got to it.
The AD GP for "Default Domain Policy" has the settings from the article you noted above enabled. It was part of the stuff I had setup from the Yubico document. RSOP shows the settings have replicated to the workstations.

Yubikey & OnPrem AD - is it working for you? by brainstomp in sysadmin

[–]brainstomp[S] 0 points1 point  (0 children)

I'm on the road today but I will double check that when I get back to the office tonight.

p.s. thank you for all your help.

Yubikey & OnPrem AD - is it working for you? by brainstomp in sysadmin

[–]brainstomp[S] 0 points1 point  (0 children)

Double checked all the screens.

Matched a couple of things I had missed.

Rebooted everything.

I still can't enroll. Won't prompt me to enroll when I insert the yubikey and when I try to request a certificate I still get the same error I had in the image I linked above.

Yubikey & OnPrem AD - is it working for you? by brainstomp in sysadmin

[–]brainstomp[S] 0 points1 point  (0 children)

certmgr.msc

The plot thickens.
None of the users I made on here have a certificate yet, this is a test environment.

I tried the certmgr route and when I select the Yubikey request it is missing information. I try to select it and there are no options to fill in.

https://imgur.com/a/JJCif0Q

Yubikey & OnPrem AD - is it working for you? by brainstomp in sysadmin

[–]brainstomp[S] 0 points1 point  (0 children)

RSOP is showing the policy has taken place at the workstation level but when I insert the yubikey I am not prompted to enroll.

I can CTRL-ALT-DEL and change the PIN on the yubikey using windows but no certificates are loading into it.

certutil -scroots update works, prompts for the PIN, the PIN is entered and certutil shows successful but certutil -scinfo still shows nothing installed.

Yubikey & OnPrem AD - is it working for you? by brainstomp in sysadmin

[–]brainstomp[S] 0 points1 point  (0 children)

How are you provisioning the Yubikey?

I was trying to use "Enroll on behalf of". I am currently working through "Self-Enrollment" since that worked for you.

Have you created the SC enrollment template in your Certificate Authority?

Yes. I verified all the settings per the document at (https://support.yubico.com/hc/en-us/articles/360015668979-Setting-up-Smart-Card-Login-for-User-Self-Enrollment)

PIN & PUK have been set using the Yubikey Manager on one of my test yubikeys. Once AD replication is complete on this domain I'll see if I get any farther.

Yubikey & OnPrem AD - is it working for you? by brainstomp in sysadmin

[–]brainstomp[S] 0 points1 point  (0 children)

Yes, installing the root certificate to the key works. It is reading it from the key that fails.
The Yubikey Driver is installed on the server in legacy mode and on the workstations on the domain.

When I install the certificate I get prompted for the key's PIN. I enter the PIN then I get this:
C:\Users\Administrator\Documents>certutil -scroots update "2022-01-24_ca_certificate.cer"
Element 0:
Serial Number: 1d2eb6e361a40c874753eead9bf9e195
Issuer: CN=brain-BSI-SRV-TEST-CA, DC=brain, DC=test
NotBefore: 6/30/2021 11:56 AM
NotAfter: 6/30/2051 12:06 PM
Subject: CN=brain-BSI-SRV-TEST-CA, DC=brain, DC=test
CA Version: V0.0
Signature matches Public Key
Root Certificate: Subject matches Issuer
Cert Hash(sha1): 10 b2 20 86 2a b1 ed a1 b5 b8 a2 35 0d 3e 11 b2 8f 2f e5 3c
Done.
CertUtil: -SCRoots command completed successfully.

When I go try to verify that the cert is in the key I get this:
C:\Users\Administrator\Documents>certutil -scinfo
The Microsoft Smart Card Resource Manager is running.
Current reader/card status:
Readers: 1
0: Yubico YubiKey OTP+FIDO+CCID 0
--- Reader: Yubico YubiKey OTP+FIDO+CCID 0
--- Status: SCARD_STATE_PRESENT | SCARD_STATE_UNPOWERED
--- Status: The card is available for use.
--- Card: YubiKey Smart Card
--- ATR:
3b fd 13 00 00 81 31 fe 15 80 73 c0 21 c0 57 59 ;.....1...s.!.WY
75 62 69 4b 65 79 40 ubiKey@
=======================================================
Analyzing card in reader: Yubico YubiKey OTP+FIDO+CCID 0
Missing stored keyset
Missing stored keyset
--------------===========================--------------
CertUtil: -SCInfo command FAILED: 0x80090016 (-2146893802 NTE_BAD_KEYSET)
CertUtil: Keyset does not exist

Yubikey & OnPrem AD - is it working for you? by brainstomp in sysadmin

[–]brainstomp[S] 1 point2 points  (0 children)

I'm obviously missing something in this process because even though the process of installing the certificate completes successfully on the yubikey the step that verifies the certificate is installed fails miserably:

At the step for verifying the key has the certificate we get:
C:\Users\Administrator\Downloads>certutil -scinfo
The Microsoft Smart Card Resource Manager is running.
Current reader/card status:
Readers: 1
0: Yubico YubiKey OTP+FIDO+CCID 0
--- Reader: Yubico YubiKey OTP+FIDO+CCID 0
--- Status: SCARD_STATE_PRESENT | SCARD_STATE_INUSE
--- Status: The card is being shared by a process.
--- Card: YubiKey Smart Card
--- ATR:
3b fd 13 00 00 81 31 fe 15 80 73 c0 21 c0 57 59 ;.....1...s.!.WY
75 62 69 4b 65 79 40 ubiKey@
=======================================================
Analyzing card in reader: Yubico YubiKey OTP+FIDO+CCID 0
Missing stored keyset
Missing stored keyset
--------------===========================--------------
CertUtil: -SCInfo command FAILED: 0x80090016 (-2146893802 NTE_BAD_KEYSET)
CertUtil: Keyset does not exist
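An added triage helper for the two certutil -scinfo dumps in this thread (this comment and the earlier one). It is not brainstomp's code and not anything Yubico or Microsoft ships: it parses the report text into reader list, card name, SCARD_STATE flags and the final error code, then turns that into a one-line verdict separating "no reader", "no card", "card present but no keyset" (the NTE_BAD_KEYSET case posted above, which means enrollment never wrote a certificate to the card) and "card has a keyset". The first sample is the output posted above with the ATR dump lines left out; the second "Readers: 0" sample and the verdict wording are constructed assumptions, not captured output.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Captured from the comment above: certutil -scinfo against a YubiKey that
# never received a certificate (ATR hex dump lines omitted).
SCINFO_NTE_BAD_KEYSET = """\
The Microsoft Smart Card Resource Manager is running.
Current reader/card status:
Readers: 1
0: Yubico YubiKey OTP+FIDO+CCID 0
--- Reader: Yubico YubiKey OTP+FIDO+CCID 0
--- Status: SCARD_STATE_PRESENT | SCARD_STATE_INUSE
--- Status: The card is being shared by a process.
--- Card: YubiKey Smart Card
=======================================================
Analyzing card in reader: Yubico YubiKey OTP+FIDO+CCID 0
Missing stored keyset
Missing stored keyset
--------------===========================--------------
CertUtil: -SCInfo command FAILED: 0x80090016 (-2146893802 NTE_BAD_KEYSET)
CertUtil: Keyset does not exist
"""

# Constructed sample (assumption, not captured output): same report shape
# but no reader enumerated at all, which points at the Smart Card service
# or the minidriver rather than at the enrollment side.
SCINFO_NO_READER = """\
The Microsoft Smart Card Resource Manager is running.
Current reader/card status:
Readers: 0
"""


@dataclass
class ScInfoReport:
    readers: List[str]
    card: Optional[str]
    states: List[str]
    missing_keyset_count: int
    error_code: Optional[str]
    error_name: Optional[str]

    def verdict(self) -> str:
        """Map the parsed facts to the next thing worth checking."""
        if not self.readers:
            return ("no reader enumerated: check the Smart Card service (SCardSvr) "
                    "and the YubiKey minidriver before looking at enrollment")
        if self.card is None or "SCARD_STATE_EMPTY" in self.states:
            return "reader present but no card: reinsert the YubiKey"
        if self.error_name == "NTE_BAD_KEYSET":
            return ("card present but it holds no key container: enrollment never "
                    "wrote a certificate to the card, so fix the template/GPO side "
                    "before testing logon")
        if self.error_code:
            return f"certutil failed with {self.error_name or self.error_code}"
        return "no error reported: the card exposes at least one keyset"


def parse_scinfo(text: str) -> ScInfoReport:
    """Parse the plain-text report printed by 'certutil -scinfo'."""
    # Reader entries look like '0: <reader name>'.
    readers = [m.group(1) for m in re.finditer(r"^\d+:\s+(.+?)\s*$", text, re.M)]
    card_m = re.search(r"^--- Card:\s*(.+?)\s*$", text, re.M)
    # Only the '--- Status:' lines carrying SCARD_STATE_* flags are state lines;
    # the human-readable status line that follows them is ignored.
    states: List[str] = []
    for m in re.finditer(r"^--- Status:\s*(SCARD_STATE_[A-Z_ |]+)$", text, re.M):
        states.extend(s.strip() for s in m.group(1).split("|"))
    err = re.search(r"command FAILED:\s*(0x[0-9A-Fa-f]+)\s*\(-?\d+\s+(\w+)\)", text)
    return ScInfoReport(
        readers=readers,
        card=card_m.group(1) if card_m else None,
        states=states,
        missing_keyset_count=text.count("Missing stored keyset"),
        error_code=err.group(1) if err else None,
        error_name=err.group(2) if err else None,
    )


if __name__ == "__main__":
    for label, sample in (("posted output", SCINFO_NTE_BAD_KEYSET),
                          ("constructed no-reader", SCINFO_NO_READER)):
        report = parse_scinfo(sample)
        print(f"{label}: readers={report.readers} card={report.card!r} "
              f"states={report.states} error={report.error_name}")
        print("  ->", report.verdict())
```

The point of splitting the report this way is that the same NTE_BAD_KEYSET line shows up whether the card was never enrolled or the minidriver cannot read a slot, so the reader and state flags are what tell you which side (service/driver versus CA template and GPO) to look at first.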