
Questions tagged with Windows Provisioning


Cannot run GUI/OpenGL on headless macOS EC2 Instance

Hello, I am currently trying to use EC2 mac instances to run a CI/CD pipeline which involves running tests with electron/selenium. In order to run these tests OpenGL needs to be available. I'm currently getting the error on line 49 of https://chromium.googlesource.com/chromium/src/+/8f066ff5113bd9d348f0aaf7ac6adc1ca1d1cd31/ui/gl/init/gl_initializer_mac.cc. With the output on the instance giving:

```
2022-06-09 19:38:25.937 Electron[52243:188559] +[NSXPCSharedListener endpointForReply:withListenerName:]: an error occurred while attempting to obtain endpoint for listener 'ClientCallsAuxiliary': Connection interrupted
[52245:0609/193826.555969:ERROR:gl_initializer_mac.cc(65)] Error choosing pixel format.
[52245:0609/193826.556035:ERROR:gl_initializer_mac.cc(193)] GLSurfaceCGL::InitializeOneOff failed.
[52245:0609/193826.664827:ERROR:viz_main_impl.cc(188)] Exiting GPU process due to errors during initialization
```

The root cause of this is there is no display connected to the mac1 bare metal dedicated host. It seems the workaround here is either using a plug to fake that a display is connected, or connecting to the instance via VNC with the following commands:

**On ec2 instance**

```
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart \
-activate -configure -access -on \
-configure -allowAccessFor -specifiedUsers \
-configure -users ec2-user \
-configure -restart -agent -privs -all

sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart \
-configure -access -on -privs -all -users ec2-user
```

**On local macbook**

```
ssh -L 5900:localhost:5900 -C -N -i <your private key.pem> ec2-user@<your public ip address>
open vnc://localhost
```

After establishing the connection over screen share, I no longer get the OpenGL issues and the run succeeds. Unfortunately this is not a solution/workaround for my use case as I will need to restart/reboot these instances after each run. I have tested this multiple times and after rebooting the instance the display is no longer present. (I have verified the displays being recognized / not being recognized with `displayplacer list`.)

Some more background: this is an issue on the latest AWS Monterey and BigSur AMIs. Is there any way to make the mac1 mini dedicated host think that there is a display plugged into it, or trick it into thinking there is a display via software? I need a solution here that can be implemented via a script, so setting something up like https://github.com/waydabber/BetterDummy does not work for me. GitHub seems to have a solution for this with their self-hosted GitHub action runners, so I am curious why AWS doesn't seem to support this / should this not be a common use case for an EC2 Mac Instance?
1 answer, 0 votes, 36 views, asked a month ago

AWS Managed AD ADFS user sign-on URL is not accessible outside of ADFS server.

We have set up a test ADFS on a Windows Server 2019 EC2 in our AWS Managed Active Directory. We have enabled the ADFS sign-on page (example URL: https://sts.contoso.com/adfs/ls/idpinitiatedsignon.aspx). ADFS is successful for signing in with our AD credentials, and for accessing our AWS Console when tested from our ADFS server.

The issue is that this URL is only opening when directly logged into the ADFS Windows Server. This sign-on URL is not available from another Windows 2019 EC2 test server that is within the same VPC and subnet. All Security Group ports and Windows Firewalls are temporarily off on both EC2s. The servers can ping each other, and using Nmap it displays all the open ports on the ADFS server. Route 53 has a hosted zone for this AWS Managed domain name, and both the ADFS server and test Windows 2019 server have DNS entries for them.

We need to test accessing the ADFS sign-on from outside of the ADFS server. Is there another ADFS URL that is for this purpose or another ADFS configuration that is missing?

Both links below were used for setting up ADFS on AWS Managed AD:

https://aws.amazon.com/blogs/security/aws-federated-authentication-with-active-directory-federation-services-ad-fs/

https://aws.amazon.com/blogs/security/enabling-federation-to-aws-using-windows-active-directory-adfs-and-saml-2-0/

Thank you.
1 answer, 0 votes, 9 views, asked 2 months ago

AWS IoT Thing provisioning fails on Windows during certificate loading

Hello, I have a problem during the provisioning of the IoT thing using claim certificates. We are using the fleet provisioning by claim mechanism. We are following the steps described in this PDF: https://d1.awsstatic.com/whitepapers/device-manufacturing-provisioning.pdf

When we start the provisioning process, we are providing the `AwsIotMqttConnectionBuilder` with the claim certificate and claim private key (which are generated in the previous step). The problem comes when we are building the `MqttClientConnection` with which to make the request to the AWS IoT core for the provisioning. Here is a detailed exception:

```
Exception occurred during fleet provisioning by claim
    at com.iav.de.ota.provisioning.flow.FleetProvisioningByClaimFlowExecutor.execute(FleetProvisioningByClaimFlowExecutor.java:50)
    at com.iav.de.ota.provisioning.ProvisioningFacade.provision(ProvisioningFacade.java:60)
    at com.iav.de.ota.provisioning.ProvisioningFacade.provisionToDeviceManagementCloud(ProvisioningFacade.java:54)
    at com.iav.de.ota.provisioning.ProvisioningFacade.provision(ProvisioningFacade.java:39)
    at com.iav.de.ota.Main.main(Main.java:42)
Caused by: software.amazon.awssdk.crt.CrtRuntimeException: TlsContext.tls_ctx_new: Failed to create new aws_tls_ctx (aws_last_error: AWS_IO_FILE_VALIDATION_FAILURE(1038), A file was read and the input did not match the expected value) AWS_IO_FILE_VALIDATION_FAILURE(1038)
    at software.amazon.awssdk.crt.io.TlsContext.tlsContextNew(Native Method)
    at software.amazon.awssdk.crt.io.TlsContext.<init>(TlsContext.java:24)
    at software.amazon.awssdk.crt.io.ClientTlsContext.<init>(ClientTlsContext.java:26)
    at software.amazon.awssdk.iot.AwsIotMqttConnectionBuilder.build(AwsIotMqttConnectionBuilder.java:502)
    at com.iav.de.ota.mqtt.MqttConnectionFactory.create(MqttConnectionFactory.java:44)
    at com.iav.de.ota.provisioning.flow.FleetProvisioningByClaimFlowExecutor.execute(FleetProvisioningByClaimFlowExecutor.java:42)
```

Going through the error, I have found that this error `AWS_IO_FILE_VALIDATION_FAILURE(1038)` indicates that the expected claim private key/certificate is not matching the ones which we are giving to it. So, I started going further into the issue and found that the library which we are using for reading the private key (BouncyCastle) is reading a key which is different from the input one. In other words, when I inspect the claim private key with Notepad and compare it with the one which BouncyCastle has read, they are different.

The problem is more interesting because this does not happen on Linux machines, only on Windows machines. I have even tried to read the claim private key as a plain string from the file and pass it to the MqttConnection, and this works. Unfortunately, this is not a solution because later on (after the provisioning) we are storing the real certificate and private key, for later communication with the AWS IoT Core, in a KeyStore which we are reading with BouncyCastle, again. So, we need the library (BouncyCastle or other) in order to read the private key/certificate at any moment of the execution of the program (either during the provisioning or later on during the other AWS IoT Core calls with the real certificates).

Forgot to mention, the claim private key and claim certificate are stored in PEM format.

Could you tell me what can be done here? Is there any AWS supported library for reading the claim private key/certificate without using BouncyCastle? Any suggestions here are welcome because we are stuck and the requirements are that each AWS IoT Thing will be running on Windows OS.

Thanks a lot, Encho
1 answer, 0 votes, 41 views, asked 6 months ago

FSx for NetApp ONTAP - Windows permission issues

Hi there, I managed to add FSx for NetApp ONTAP to our domain with FSxServiceAccount as described on the product page. However, I am running into issues when I am trying to attach it to my Windows instance. (It works fine on Linux.) I see the following issues:

- When I am running this command `New-SmbGlobalMapping -Persistent $true -RemotePath \\<IO of my smb>\share -Credential $creds -LocalPath G:` I get the following error: `New-SmbGlobalMapping : Access is denied.`
  - I am using domain admin credentials
- When I am running this command `net use Z: \\<dns address of the smb>\share` I got the following error: `System error 5 has occurred. Access is denied.`
  - Also with domain admin creds
- I can successfully attach via File Explorer > This PC > Computer > Map network drive, however I can not read/write to it. If I check the File permission mode in Properties I can see that only the owner (FSxServiceAccount?) is allowed to write, however Read should work, but I can not change the permissions as domain Admin.

I am using Directory Service Standard Edition. Did you guys experience issues with this? What am I doing wrong?

**Update:** I managed to attach the disk, but I can not write or read any file on the disk. It is in OU=Computers, and allowed Everyone Full Access, also allowed Everyone Read/Write the NFS filesystems attached to the AD, but still not working. I am suspecting this is something NetApp specific, but we will see.

**Update #2** Based on CloudWreck's comment I found the following: I am using mixed style. I use the following code:

```
net use P: \\WINDOWS\vol1
$CurTgt = "P:"
$CurUsr = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$acl = Get-Acl $CurTgt
$AccessRule = New-Object System.Security.AccessControl.FileSystemAccessRule($CurUsr,"FullControl","ContainerInherit,ObjectInherit","None","Allow")
$acl.SetAccessRule($AccessRule)
$acl | Set-Acl $CurTgt
```

Get-Acl returns

```
Path Owner    Access
---- -----    ------
P:\  Everyone Everyone Allow -1
```

Also using this one:

```
$CurTgt = "P:"
$CurUsr = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$acl = Get-Acl $CurTgt
$usersid = New-Object System.Security.Principal.Ntaccount ($CurUsr)
$acl.PurgeAccessRules($usersid)
$acl | Set-Acl $CurTgt
```

Also tried this:

```
takeown /F * /R
takeown : ERROR: File ownership cannot be applied on insecure file systems;
```

But I am still unable to write/read files or create folders.

**Update#3** I ran the following commands and changed the permission from the ONTAP side

```
vserver security file-directory show -vserver windows -path /vol1
vserver security file-directory ntfs create -ntfs-sd sd1 -owner DomainName\Administrator
vserver security file-directory ntfs sacl add -ntfs-sd sd1 -access-type success -account DomainName.COM\EVERYONE -rights full-control -apply-to this-folder,sub-folders,files
vserver security file-directory ntfs dacl add -ntfs-sd sd1 -access-type allow -account DomainName.COM\EVERYONE -rights full-control -apply-to this-folder,sub-folders,files
vserver security file-directory policy create -policy-name policy1
vserver security file-directory policy task add -policy-name policy1 -path /vol1 -ntfs-sd sd1
vserver security file-directory apply -policy-name policy1
vserver security file-directory show -path /vol1 -expand-mask true
```

It changed the file permissions (mode), however I am still unable to read/write files. These are the current settings:

```
File Path: /vol1
File Inode Number: 64
Security Style: mixed
Effective Style: ntfs
DOS Attributes: 10
DOS Attributes in Text: ----D---
Expanded Dos Attributes: 0x10
    ...0 .... .... .... = Offline
    .... ..0. .... .... = Sparse
    .... .... 0... .... = Normal
    .... .... ..0. .... = Archive
    .... .... ...1 .... = Directory
    .... .... .... .0.. = System
    .... .... .... ..0. = Hidden
    .... .... .... ...0 = Read Only
UNIX User Id: 0
UNIX Group Id: 0
UNIX Mode Bits: 777
UNIX Mode Bits in Text: rwxrwxrwx
ACLs: NTFS Security Descriptor
```

```
ALLOW-Everyone-0x1f01ff-OI|CI
    0... .... .... .... .... .... .... .... = Generic Read
    .0.. .... .... .... .... .... .... .... = Generic Write
    ..0. .... .... .... .... .... .... .... = Generic Execute
    ...0 .... .... .... .... .... .... .... = Generic All
    .... ...0 .... .... .... .... .... .... = System Security
    .... .... ...1 .... .... .... .... .... = Synchronize
    .... .... .... 1... .... .... .... .... = Write Owner
    .... .... .... .1.. .... .... .... .... = Write DAC
    .... .... .... ..1. .... .... .... .... = Read Control
    .... .... .... ...1 .... .... .... .... = Delete
    .... .... .... .... .... ...1 .... .... = Write Attributes
    .... .... .... .... .... .... 1... .... = Read Attributes
    .... .... .... .... .... .... .1.. .... = Delete Child
    .... .... .... .... .... .... ..1. .... = Execute
    .... .... .... .... .... .... ...1 .... = Write EA
    .... .... .... .... .... .... .... 1... = Read EA
    .... .... .... .... .... .... .... .1.. = Append
    .... .... .... .... .... .... .... ..1. = Write
    .... .... .... .... .... .... .... ...1 = Read
```
1 answer, 0 votes, 101 views, asked 6 months ago

SMS Patching Fails for ALL Windows Server 2019 EC2 Instances

I just started using SMS to manage Windows 2019 Server EC2 instance patching (security updates). I noticed that by default, AWS prevents Windows OS from automatically running Windows Update. I followed the instructions for SMS Quick Setup and the patching of my servers is failing with the error message below. (I have been searching ALL day for a resolution to this. Modifying registry settings, running DISM commands, etc. Nothing helps. Seems like some type of certificate issue but I can't resolve it.) Has anyone else had issues with getting SMS to patch AWS Windows Server 2019 EC2 instances?

**Invoke-PatchBaselineOperation : Exception Details: An error occurred when attempting to search Windows Update. Exception Level 1: Error Message: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. (Exception from HRESULT: 0x800B0109)**

```
Stack Trace:
   at WUApiLib.IUpdateSearcher.Search(String criteria)
   at Amazon.Patch.Baseline.Operations.PatchNow.Implementations.WindowsUpdateAgent.SearchForUpdates(String searchCriteria)
At C:\ProgramData\Amazon\SSM\InstanceData\i-03638bdca902ef8fd\document\orchestration\86ed2eda-065a-49d3-b084-69bfc89c143d\PatchWindows\_script.ps1:233 char:13
+ $response = Invoke-PatchBaselineOperation -Operation Scan -SnapshotId ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : OperationStopped: (Amazon.Patch.Ba...UpdateOperation:FindWindowsUpdateOperation) [Invoke-PatchBaselineOperation], Exception
    + FullyQualifiedErrorId : Exception Level 1:
 Error Message: Exception Details: An error occurred when attempting to search Windows Update.
Exception Level 1:
 Error Message: A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. (Exception from HRESULT: 0x800B0109)
 Stack Trace:
   at WUApiLib.IUpdateSearcher.Search(String criteria)
   at Amazon.Patch.Baseline.Operations.PatchNow.Implementations.WindowsUpdateAgent.SearchForUpdates(String searchCriteria)
 Stack Trace:
   at Amazon.Patch.Baseline.Operations.PatchNow.Implementations.WindowsUpdateAgent.SearchForUpdates(String searchCriteria)
   at Amazon.Patch.Baseline.Operations.PatchNow.Implementations.WindowsUpdateOperation.SearchAndProcessResult(List`1 kbGuids)
   at Amazon.Patch.Baseline.Operations.PatchNow.Implementations.WindowsUpdateOperation.SearchByGuidsPaginated(List`1 kbGuids, Int32 maxPageSize)
   at Amazon.Patch.Baseline.Operations.PatchNow.Implementations.WindowsUpdateOperation.FilterWindowsUpdateSearch(List`1 filteringMethods)
   at Amazon.Patch.Baseline.Operations.PatchNow.Implementations.FindWindowsUpdateOperation.DoWindowsUpdateOperation()
   at Amazon.Patch.Baseline.Operations.PatchNow.Implementations.WindowsUpdateOperation.DoBeginProcessing()
,Amazon.Patch.Baseline.Operations.PowerShellCmdlets.InvokePatchBaselineOperation
failed to run commands: exit status 4294967295
```
3 answers, 0 votes, 218 views, asked 7 months ago

NVIDIA Driver installation on g5.xlarge instance not working

I have been trying to set up a g5.xlarge (Windows Server 2019) instance to run some tests on, but I'm having difficulty with the NVIDIA driver installation. I followed this page: https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/install-nvidia-driver.html (Option 2), on how to install the driver correctly, and from checking the Device Manager I can see the NVIDIA A10G card under display adapters. All the program files seem to be there as well. The Device Manager says the device is working correctly and the Events log shows it installed the driver.

I noticed I can't open the NVIDIA Control Panel, use NDI 5 Studio Monitor (gives an error about OpenGL Shaders not supported), or find the GPU from my GC app, which detects the GPUs on the system to use for rendering if you prefer that. To me this would indicate that the driver isn't actually installed correctly, because no applications seem to be able to find or use it. However, I was able to run GPU optimization commands in PowerShell (https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/optimize_gpu.html) and it worked just fine, which I was not expecting since I thought it wasn't actually installed correctly.

We have set up multiple other EC2 instances using g4dn, and following the same installation process everything is working just fine. I need to specifically test the new g5 stuff with our products, but like I said, I can't seem to get the GPU to work at all. Would anyone have an idea as to why I can't use the GPU for anything, and how to get it to start working?
2 answers, 0 votes, 87 views, asked 8 months ago

Lightsail: Oh boy, this is very frustrating

Hi everyone, I am new here but having a terrible time with Lightsail that I hope you can guide me with. I set up a Windows 2019 Instance for $8/mth. I followed the online video instructions as I just need a simple web server to serve web pages. Since WordPress is not available under Windows I installed IIS and copied a single index.html file to it. I can remotely browse to the page, albeit very slowly, or sometimes not at all.

The system itself on AWS though is completely unusable. The browser-based RDP connection is very hit and miss and always takes many minutes to connect (if it does at all). I stop the server or reboot but nothing helps with RDP and I am locked out for hours. When I **can** RDP connect, each and every mouse-click takes minutes to respond. Most of the time open windows (when they finally do open) display a "Not Responding" message as they slowly paint and repaint on the screen, and application use on the server is impossible (they never start and even the Start menu can take minutes to open). I have also used my local Remote Desktop client to connect, with the same performance issues. I am on a gigabit connection.

Can anyone tell me what I am doing wrong, or is Lightsail a realistic solution for a website? I am running IIS locally and have never had a problem, but could that be incompatible with Lightsail in some way? Is there an option I should be using that I am not aware of (all I did to start was select N. Virginia and Windows 2019)? Any guidance you can give me would be a great help, as I think I need to delete what I have and start again. Thank you for any help you can provide.
3 answers, 0 votes, 1 view, asked 2 years ago

1st time configuring SES and I am missing something to make it work

I am moving a client from an AWS installation controlled by a 3rd party. I don't have access to the installation to get all the configuration data. Most things are working, but one thing I am having issues with is getting SES and email from 2 applications working. This isn't mass email distribution, it is occasional email from 2 systems that customers use. The email comes from the following 2 systems:

- SQL Server Reporting Services aka SSRS (a few reports sent out daily)
- Custom ASP.NET application that uses legacy .NET SMTP API.

I have gotten to the point where I have created a domain in SES, added and verified a few email addresses for testing and have created SMTP credentials. --Have sent a test email to my email account from SES through the test tool, but the emails haven't arrived--. EDIT: Test emails from the SES test tool have come through.

I also went into SSRS and configured the email server. This is simply the email server, the userid, and password supplied when I created credentials. I set up a schedule for a report to run and be delivered to one of the test email addresses I verified. It doesn't arrive, and when I look at the SSRS logs it seems like SSRS is having an issue connecting to the SES email server. Do I have to create any special Security Group to allow the Windows Server to connect to the SES email server?

For the legacy ASP.NET application I believe I need to set up the SMTP Service on Windows Server. I have done that using the same information I used with SSRS according to the following article: https://docs.aws.amazon.com/ses/latest/DeveloperGuide/send-email-windows-server.html

When I try to send a test message it never comes through. What am I missing?

Edited by: KeithF1138 on Mar 24, 2020 11:45 AM
1 answer, 0 votes, 16 views, asked 2 years ago

Invalid environment type: Codebuild curated windows container

Hello, Creating/Updating an AWS CodeBuild project using WINDOWS_CONTAINER worked well until yesterday via CLI, but it's not working anymore from today, with this exception.

```
An error occurred (InvalidInputException) when calling the UpdateProject operation: Invalid environment type
```

Original command was (nothing has changed from yesterday)

```
aws codebuild update-project --cli-input-json {"name": "build_test_naoko", "description": "build test naoko", "source": {"type": "GITHUB", "location": "...", "gitCloneDepth": 0, "buildspec": "buildspec.yml", "auth": {"type": "OAUTH", "resource": "..."}, "insecureSsl": true, "sourceIdentifier": "master"}, "artifacts": {"encryptionDisabled": true, "location": "hbsmith-codebuild-artifacts-us-east-1-20190423", "overrideArtifactName": true, "packaging": "ZIP", "path": "naoko", "type": "S3"}, "cache": {"type": "NO_CACHE"}, "environment": {"type": "WINDOWS_CONTAINER", "image": "aws/codebuild/windows-base:1.0", "computeType": "BUILD_GENERAL1_LARGE", "environmentVariables": []}, "serviceRole": "arn:aws:iam::...:role/aws-codebuild-build-test-naoko-role", "timeoutInMinutes": 90, "badgeEnabled": true, "secondaryArtifacts": [{"artifactIdentifier": "lastest", "encryptionDisabled": true, "location": "hbsmith-codebuild-artifacts-us-east-1-20190423", "overrideArtifactName": true, "packaging": "ZIP", "path": "naoko", "type": "S3"}]}
```

I updated the CLI to the latest version but the problem still occurs. The CodeBuild document still cites that it supports **aws/codebuild/windows-base:1.0**. What causes the problem? Is it my fault or CodeBuild's fault?
4 answers, 0 votes, 4 views, asked 3 years ago