Power BI Gateway SSL Issues with managed AWS RDS SQL Server instances

I had a customer call up and explain that their Power BI reports had stopped working. They're not managed, so after working a few things out we got to work and jumped into their data warehouse environment in AWS. After a quick look we could see that their RDS SQL Server instance had TLS turned on and that no one had managed or bothered to rotate the certificate, which had now expired. This is a very quick and painless process (since it's a managed instance) and simply requires a reboot. Once loaded, refreshing a report would result in an error of "Something went wrong", and looking in the details we could see "The certificate chain was issued by an authority that is not trusted".

You also need to load the AWS RDS root certificates onto their Power BI Gateway and Reporting server: download them from AWS here and then load them into the trusted root certificate authorities in the Windows certificate store. Once done, we could see reports refreshing and pulling data as expected.
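One way to script the import on the gateway and reporting server, as an added example rather than the commands used in the original post. It assumes the PKCS#7 bundle from AWS has already been saved to the placeholder path C:\Temp\rds-ca-bundle.p7b, and it goes slightly beyond the text by sending self-signed roots to the Root store and any intermediates to the intermediate CA store.

```powershell
#Requires -RunAsAdministrator
using namespace System.Security.Cryptography.X509Certificates

# Assumption: the bundle was already downloaded from AWS to this placeholder path.
$BundlePath = 'C:\Temp\rds-ca-bundle.p7b'

# Parse the bundle so every certificate can be inspected before it is trusted.
$bundle = [X509Certificate2Collection]::new()
$bundle.Import($BundlePath)

$results = foreach ($cert in $bundle) {
    # Never add an already expired CA to a trust store.
    if ($cert.NotAfter -lt (Get-Date)) {
        Write-Warning "Skipping expired certificate: $($cert.Subject)"
        continue
    }

    # Self-signed certificates are roots; anything else is an intermediate.
    $storeName = if ($cert.Subject -eq $cert.Issuer) { 'Root' } else { 'CA' }

    $store = [X509Store]::new($storeName, [StoreLocation]::LocalMachine)
    $store.Open([OpenFlags]::ReadWrite)
    try     { $store.Add($cert) }   # re-adding an existing certificate does not duplicate it
    finally { $store.Close() }

    [pscustomobject]@{
        Store      = "LocalMachine\$storeName"
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
        Subject    = $cert.Subject
    }
}

# Record what is now trusted and when each CA expires, so the next rotation is not a surprise.
$results | Sort-Object NotAfter | Format-Table -AutoSize

# Confirm each certificate is visible through the certificate provider.
foreach ($r in $results) {
    if (-not (Test-Path "Cert:\$($r.Store)\$($r.Thumbprint)")) {
        Write-Warning "Not found after import: $($r.Thumbprint)"
    }
}
```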

Moral of the story? Just because it’s managed doesn’t mean it’s set and forget…

AWS and Windows Activation

Quick one today where I was on a client server hosted in AWS that wasn't activated, and trying to activate it via the Settings app threw an error. Like most large-scale cloud vendors (except Azure), AWS use KMS to activate their Windows machines, however sometimes the servers need some help to reach the internal KMS servers at Amazon – especially so when using your own DNS servers.

Open an administrative PowerShell console and enter the following commands:

Import-Module "C:\ProgramData\Amazon\EC2-Windows\Launch\Module\Ec2Launch.psd1"
Add-Routes
Set-ActivationSettings

Then perform an activate online command as per a normal KMS activation (or you can wait…)

slmgr /ato

And that should get it activated and the watermark removed.
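A quick way to confirm the fix took effect, as an added example that is not part of the original post. It assumes the AWS KMS endpoints are 169.254.169.250 and 169.254.169.251 on TCP 1688 (taken from AWS documentation, not from this page).

```powershell
# Assumption: AWS KMS endpoints and port, per AWS documentation (not stated in the post).
$KmsHosts = '169.254.169.250', '169.254.169.251'
$KmsPort  = 1688

$report = foreach ($kms in $KmsHosts) {
    # Is there a host-specific route for this KMS address?
    $route = Get-NetRoute -AddressFamily IPv4 |
        Where-Object DestinationPrefix -like "$kms/*" |
        Select-Object -First 1

    # Can the KMS port actually be reached over that route?
    $probe = Test-NetConnection -ComputerName $kms -Port $KmsPort -WarningAction SilentlyContinue

    [pscustomobject]@{
        KmsHost   = $kms
        HostRoute = [bool]$route
        NextHop   = $route.NextHop
        PortOpen  = $probe.TcpTestSucceeded
    }
}
$report | Format-Table -AutoSize

# License state of the installed Windows edition (LicenseStatus 1 = licensed).
$windowsAppId = '55c92734-d682-4d71-983e-d6ec3f16059f'
Get-CimInstance -ClassName SoftwareLicensingProduct `
    -Filter "ApplicationID='$windowsAppId' AND PartialProductKey IS NOT NULL" |
    Select-Object Name, LicenseStatus
```

If HostRoute is False or PortOpen is False after running Add-Routes, check the instance's security groups, network ACLs and any host firewall before retrying slmgr /ato.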

Bad Image Error when installing CrowdStrike sensor on Amazon WorkSpaces

Long time since I’ve posted – I promise I’ve been very busy with life.

I was recently assisting a customer with a CrowdStrike Falcon Sensor deployment and we were in the process of updating the gold images in their VDI platform, Amazon WorkSpaces.  CrowdStrike have a nice installation document on their website that you can follow to get the sensor deployed.  After going through the process (starting from about page 10 since we already have WorkSpaces and using the yearly billing option), we deployed the sensor with the following parameters, with the NO_START being important so that the sensor doesn’t imprint IDs (similar to most other cloud managed tooling).

WindowsSensor.exe /install /norestart CID=<falcon id here> NoFA=1 NoDC=1 NO_START=1

After executing and the progress bar getting about halfway, we ended up encountering an error: "CSFalconServiceUninstallTool_x64.exe – Bad Image", relating to spacedeskHookUmode.dll. Reading up in the CrowdStrike support portal, the error usually relates to Citrix or some sort of DLP protection triggering, however we had neither operating in the VDI environment.

After some further digging, we found a PDF on the Amazon site and found that the culprit is actually part of Amazon WorkSpaces, as the dll file provides the ability to use Web Access.  In our use case, we don’t use this so simply set the following registry keys to disable web access in the image.

HKEY_LOCAL_MACHINE\SOFTWARE\Amazon\WorkSpacesConfig\update-webaccess.ps1

Set the RebootCount DWORD to 1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\spacedeskHookKmode

Set the Start DWORD to 4

Once done, we rebooted and then had a successful sensor install.
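The two registry changes above as a script for the image build, added here as an example and not taken from the original post. The registry paths and values are the ones given in the post; the backup file path is a placeholder assumption, used to keep the previous values for rollback.

```powershell
#Requires -RunAsAdministrator

# Registry paths, value names and data exactly as given in the post.
$changes = @(
    @{ Path = 'HKLM:\SOFTWARE\Amazon\WorkSpacesConfig\update-webaccess.ps1'
       Name = 'RebootCount'; Value = 1 }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\spacedeskHookKmode'
       Name = 'Start';       Value = 4 }   # Start = 4 marks the service as disabled
)

# Assumption: placeholder location for the rollback record.
$BackupFile = 'C:\Temp\webaccess-registry-backup.csv'

$log = foreach ($c in $changes) {
    # Do not create keys that are missing: that means this image differs from the one in the post.
    if (-not (Test-Path -Path $c.Path)) {
        Write-Warning "Key not present on this image, skipping: $($c.Path)"
        continue
    }

    # Capture the current value first so the change can be reverted.
    $before = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)

    Set-ItemProperty -Path $c.Path -Name $c.Name -Value $c.Value -Type DWord

    # Read the value back to confirm the write succeeded.
    $after = (Get-ItemProperty -Path $c.Path -Name $c.Name).($c.Name)

    [pscustomobject]@{
        Path   = $c.Path
        Name   = $c.Name
        Before = $before
        After  = $after
    }
}

$log | Export-Csv -Path $BackupFile -NoTypeInformation
$log | Format-Table -AutoSize
Write-Host 'Reboot the WorkSpace before re-running the sensor installer.'
```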

Hope that helps.

Add AWS CLI to Windows Terminal

I am a fan of Windows Terminal and some of the recent things Microsoft seem to be doing for SysAdmins. I like having all the tools I need in a single spot. Adding the AWS CLI is fairly straightforward but makes life a heap easier. Start by installing Python from python.org if you don't already have it on your machine. Once installed (take note of the version, which as of publishing is 3.11), open up Windows Terminal.

Now let's install AWS Shell using Python. Enter the following command:

pip install aws-shell

Once that completes, we will need to locate the aws-shell executable. For quick reference, it resides under the user profile as follows. Note that Python311 will change depending on the version you have installed.

C:\Users\John\AppData\Local\Programs\Python\Python311\Scripts\aws-shell.exe

We can also use PowerShell to quickly search for it using the following command:

(Get-command aws-shell).Path

Now that we have the location, we can begin to configure Windows Terminal. Go into Settings from the drop-down menu and, under the Profiles section, select Add a new Profile. From the drop-down, pick a console that you like and let's duplicate it (we'll use PowerShell).

Under Name, enter a better name, such as AWS Shell. For Command Line, enter the path of the aws-shell executable we found earlier. Starting Directory is fine as-is (it isn't really used). For an icon, you can grab it from this file, aws_icon.zip, paste it into the same location as aws-shell and browse to it. You can also customise the appearance and add a background image or change colours as you see fit. You can see an example JSON profile here.

        {
            "name": "AWS Shell",
            "commandline": "C:\\Users\\John\\AppData\\Local\\Programs\\Python\\Python311\\Scripts\\aws-shell.exe",
            "icon" : "C:\\Users\\John\\AppData\\Local\\Programs\\Python\\Python311\\Scripts\\aws-logo.ico",
            "acrylicOpacity" : 0.90,
            "fontFace": "Consolas"
        }

If you decide that you need to edit the JSON file directly, keep in mind that you need to escape special JSON characters, which include the backslash. Each single backslash in a path must be written as a double backslash.