Windows Admin Center v2 with Certificate Cannot Load Site

Microsoft released a substantially upgraded Windows Admin Center with build 2410. Microsoft distinguishes it as “v2”. You can read the release announcement on the Windows Admin Center blog. You can download Windows Admin Center from aka.ms/windowsadmincenter. This article explains how to fix a condition where you use a true PKI certificate and cannot access the Windows Admin Center v2 site.

Problem Description

You install Windows Admin Center (WAC) v2, build 2410 or later, in gateway mode, either fresh or as an upgrade to an existing installation. During installation, you select an installed PKI certificate for the Windows Admin Center site. After installing, you cannot load the Windows Admin Center page from any computer, including the computer that runs Windows Admin Center. Chrome and Edge report “ERR_CONNECTION_CLOSED”.

This excludes general problems, such as the “Windows Admin Center” service failing to start. WAC should write to the Windows Event Log. For this problem, it does not.

Quick Solution

Grant “Read” permissions on the certificate’s private key to the “Network Service” account.

Longer Solution

On the host that runs Windows Admin Center, run certlm.msc as administrator. When you open the Start menu, you can type “Certificates” and it should suggest “Manage computer certificates”, which will open the snap-in. If that server runs Windows Server Core or you would like to connect remotely, you can start the MMC on any Windows machine, add the Certificates snap-in, and connect remotely. Once you have the MMC open, follow these directions:

  1. Expand Personal and Certificates. Locate the certificate to use for Windows Admin Center. Right-click it, hover over All Tasks, and choose Manage Private Keys.
  2. In the security dialog, click the Add button.
  3. You need to add the “Network Service” account. If the computer belongs to a domain, it will default to searching for a domain user account. Override by clicking Locations.
  4. In the locations dialog, click the local machine at the top.
  5. Back in the select dialog, type “Network Service” into the text box (case does not matter). Click Check Names to ensure that you have entered the name properly. As an alternative to going through the Locations selection, you can type the computer name directly into the text box, followed by a backslash, then the service account name, e.g. “svmanage1\network service”. Click OK once the dialog has identified the account.
  6. Back in the security dialog, an item titled NETWORK SERVICE will appear. Windows will have given it Full control permissions. Reduce it to “Read”. Click OK.

The Windows Admin Center site will now open normally. You do not need to restart anything. Note that if you later remove this permission, Windows Admin Center will continue to operate temporarily. Without the permission, it will absolutely stop working at the next reset of the “Windows Admin Center” service.
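The same grant can be scripted, which helps on Server Core where the snap-in is not available locally. The following is an added example, not part of the original article or of Windows Admin Center: it assumes an RSA certificate in the local machine's Personal store with a software-stored key, an elevated session on the WAC host, and a placeholder thumbprint that you replace with your own.

```powershell
# Added example: grant NETWORK SERVICE "Read" (not Full control) on a
# machine certificate's private key, then show the resulting ACL.
$Thumbprint = '<CERTIFICATE-THUMBPRINT>'   # placeholder, replace with your certificate's thumbprint

$cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
if (-not $cert.HasPrivateKey) {
    throw "Certificate $Thumbprint has no private key on this host."
}

# Assumption: RSA key. ECDSA certificates are not handled by this example.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($null -eq $rsa) { throw 'No RSA private key could be opened for this certificate.' }

# The key's on-disk file name depends on whether a CNG or legacy CSP provider holds it.
$keyName = if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $rsa.Key.UniqueName
} else {
    $rsa.CspKeyContainerInfo.UniqueKeyContainerName
}

# Machine key locations: CNG key storage first, then legacy CryptoAPI.
$keyDirs = @(
    "$env:ProgramData\Microsoft\Crypto\Keys"
    "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys"
)
$keyFile = $keyDirs |
    ForEach-Object { Join-Path -Path $_ -ChildPath $keyName } |
    Where-Object { Test-Path -LiteralPath $_ } |
    Select-Object -First 1
if (-not $keyFile) {
    throw "Key file '$keyName' not found; the key may live in hardware (TPM, HSM, smart card)."
}

# Use the well-known SID so the script does not depend on the localized account name.
$sid = [System.Security.Principal.SecurityIdentifier]::new(
    [System.Security.Principal.WellKnownSidType]::NetworkServiceSid, $null)
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $sid,
    [System.Security.AccessControl.FileSystemRights]::Read,
    [System.Security.AccessControl.AccessControlType]::Allow)

$acl = Get-Acl -LiteralPath $keyFile
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $keyFile -AclObject $acl

# Review every principal that can now touch the private key.
(Get-Acl -LiteralPath $keyFile).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

The final table doubles as an audit check: NETWORK SERVICE should appear with Read only, and any unexpected principal with access to the key file deserves a closer look.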

Additional Information

As of this writing, Microsoft has not said whether you can safely change the account that runs the Windows Admin Center service. If you do, then you will need to grant the same permission on the certificate to that account. v1 ran as “Local System” (SYSTEM), which has “Full Control” by default. “Local System” cannot access network-based resources without overrides, which is probably why v2 runs under “Network Service”.

The installer does not warn when the service account lacks the correct permissions. As seen in the following screenshot, it lists some prerequisites, but not the need for anything other than default permissions:

When you choose a certificate, the installer may mark it as “invalid” and include a line that says “PreConfigurationRequired”. However, it includes the same lines even if you have set the correct permission. I do not know what criteria it uses to mark the certificate as invalid. Mine works just fine.

So that it has been said, this problem absolutely does not make it better to use a self-signed certificate. I did not even test to find out if the problem also occurs with self-signed certificates. They are less than useless and not worth the time to investigate.

Kernels, Shells, and Operating Systems (Re)Visited

While recording a podcast episode in the wake of the 2024 CrowdStrike Incident, I spoke briefly about the reactions I had seen from the technical community. At that moment, I realized that, even though many of us treat the terms “kernel”, “shell”, and “operating system” as 101 level, basic, simple concepts, we should not. You can become a grizzled IT veteran while knowing surprisingly little about them. I witnessed a spread of misinformation from individuals that I thought would know better. Let’s have a serious talk about this.


Commonly Misused IT Term: Deprecate

When a company “deprecates” something, it means that they won’t put any more resources into developing it. They will usually continue to support it. Sometimes that support has a clear end date, sometimes it does not. As a fairly famous example, Microsoft deprecated the SNMP feature quite some time ago, but you can continue to install and use it in their current operating systems.

Importantly, “deprecated” DOES NOT mean “removed”. You can continue to use deprecated features, but the company or developer has effectively put you on notice to start looking for alternatives.

Do not confuse “deprecate” with “depreciate”. “Depreciate” is an accounting term that deals with the reduction in value of an object.

PowerShell Parameters: Combine Effects of Mandatory and Default Value

I had one simple goal: I wanted to provide a default value for a PowerShell parameter, but I wanted to make sure that an operator did not override it with a null or empty value. PowerShell provides a very simple way to accomplish this, and you can find examples all over the Internet. However, if you have conceptualized the PowerShell components in the way that I did, or you haven’t encountered them yet, then you might not recognize that those answers apply to your problem.


Supercharge Powershell with Github Copilot

Hey sysadmins! Do you want to automate more, but get bogged down in the time and complexity of bulletproof PowerShell scripting? After a period of skepticism and reading a lot of negative opinions on Copilot, I finally decided to try it out for myself. I discovered that you can’t simply allow it to go off on its own. However, the positives greatly outweigh the negatives. Even though my title seems “click-baity”, I genuinely believe that you can supercharge Powershell with Github Copilot. I will demonstrate my experience in this article.


Understanding the Two Virtual Machine Licenses with Windows Server Standard

Software licensing is a special form of awful that nearly rises to the frustration level of dealing with printers. Windows Server licensing pushes it even further. Virtual machine licensing in Windows Server takes it to an extreme. This topic has a lot to unpack, but I want to scope specifically down to the subtopic of the two virtual machine licenses with Windows Server Standard. That confuses more people than any other part.


It’s OK to Like Light Mode

Gatekeeping is one of the worst ills of the technology world. Someone with no authority finds an arbitrary reason to tell you that you’re not a “real” something, or they use it to try to shame you. For reasons that I certainly can’t explain, many people in tech love jumping on the bandwagon and gatekeeping whenever possible. The latest “big thing” is dark mode. Not only is it the foundation for enormous amounts of shaming and gatekeeping, it’s also been a great excuse for software houses to avoid real problems. Software buggy? Divert resources to building dark mode! Customers unhappy with software behavior? Divert resources to building dark mode! And so on. Well, if you don’t like dark mode, that’s OK. If they don’t like that you don’t like dark mode, that’s OK too. If you think that developers should spend time on actual problems instead of focusing on dark mode, that’s definitely OK.


No, Hyper-V Is Not Dead

(Somewhat) jokingly, I have long said that a certain company famous for virtualization has set a goal of bankrupting all its customers as its victory condition. That company was recently purchased (again), and the new owners promptly set about trying to prove me correct with massive price increases. As part of their campaign to do anything except set reasonable pricing, they have begun telling customers that Hyper-V is dead. At best, they’re wrong. At worst, they’re lying. Hyper-V is not dead. Hyper-V is not dying. Hyper-V is an integral part of Microsoft’s product lineup.


How to Configure Ubuntu for Public Key WinSCP Access


As with many of my articles, this one serves as a public “note to self” for a problem that I run into often enough to need to skip a lot of searching but not often enough to remember how to fix. I have set up a new Ubuntu server system and I want to manipulate files from my desktop using WinSCP. This works almost automatically if you enter your password each time or you don’t work with files that require sudo permissions. Of course, I want both. I guess you came here for the same reason. Follow the steps in this article to configure Ubuntu for public key WinSCP access. Because WinSCP uses PuTTY-formatted key files, I added a section on configuring PuTTY for public key access as well.


Fiber Channel or iSCSI Disk Appears Two or More Times in Disk Management

Scenario: You connect your Windows or Hyper-V system to a Fiber Channel or iSCSI target device that supports multi-path I/O (MPIO). When you view Disk Management, the disk shows up twice (or more). You can bring one online, but any others show “Offline (The disk is offline because it has a redundant path with another device)”.

The basic issue is that multipath I/O needs to be configured at the Windows level. If you have specialized software from your hardware vendor, use that first. They will often enable and configure the necessary Windows components for you.
