Filtering “Assigned To” field in TFS 2010

When you select the Assigned To drop down in a TFS work item, you’ll often see a lot of system accounts that you don’t want. Nikos’ post on TFS 2008 still works for TFS 2010 with the Power Tools. Previously, I was exporting the XML, editing it, and then re-importing it based on Edward Smit’s post and several other forums, but once I found Nikos’ post I started just updating it directly with the Power Tools. I wanted to filter by the Project Administrators and Contributors groups.

I also wanted the ability to “unassign” a task after it had been assigned to a user. If there’s an easy way to set a work item back to “nothing” for the assigned user after it’s been assigned, I don’t know it. But this is an easy workaround. Create a user called Unassigned and then we just set it to that when we want to let the team know it’s currently unassigned. Here are the steps…

  1. In VS 2010, click Tools, Process Editor, Work Item Types, and Open WIT from Server. (assumes you’ve installed the TFS Power Tools)
  2. Select the Work Item Type you want to edit for your Team Project.
  3. Double click the row for Assigned To.
  4. Click the Rules tab.
  5. Select VALIDUSER and click Delete (if you don’t do this you won’t see users that aren’t valid, like our Unassigned user)
  6. Click New and select ALLOWEDVALUES and click OK
  7. On ALLOWEDVALUES, leave For and Not blank.  Click New and enter each of these:
    • [Project]\Contributors
    • [Project]\Project Administrators
    • Unassigned
  8. Click OK
  9. Click OK again.

That should do it. Refresh your Team Project and now open the work item of the type you edited and the Assigned To should be filtered now and should include the option to set it to Unassigned.

Cisco UC560 factory reset

If you’re setting up a UC560, there are times when you just want to start over (especially if you’ve made changes with the CLI). There’s a great post by John Platts with the steps, so all credit to John, but I thought I’d also put them here as well.

  1. Using your blue console cable, connect the RJ-45 to the console port on the UC-500. I use Putty to connect and now I use my KeySpan console-to-USB adapter as I can’t find a laptop with a serial cable any more. So for me, I fire up the Keyspan utility, set Putty to serial and put in the COM port Keyspan is using and I’m good to go. (Note: I always unplug all ethernet connections to the UC. I’ve tried it with something plugged in and at times it seems the reset just doesn’t take and I have to do it all again).
  2. Once connected, type en and then Show Flash and you’re looking for something like <UC500model>-factory-<software pack>.cfg.  So you might see something like UC560-FXO-K9-factory-  For me it’s usually the last entry after doing Show Flash.
  3. Copy that file to startup-config.  So the command for my config name example above would be copy UC560-FXO-K9-factory-8.0.0.cfg startup-config and enter to confirm.
  4. Type service-m i0/0 se to access the CUE.
  5. Enter your username/password and hit enter (sometimes it needs Enter twice)
  6. In John’s post he says you’ll get UC500-CUE# if you’re in the CUE but I’ve been getting se-10-1-10-1# . In fact, sometimes it takes me to se-10-1-10-1(config)# and I have to do en to get back for the next command. But for others, it’s giving them UC560# when they are in CUE. Not sure what’s up with that. (Note: If you have an issue connecting and it times out saying “Connection refused by remote host”, first issue the command service-m i0/0 se clear and then do service-m i0/0 se.)
  7. From the CUE prompt, enter offline and y to confirm.
  8. Now your prompt should be se-10-1-10-1(offline)#. Type restore factory default and again y to confirm.
  9. At Press any key to reload: hit enter.
  10. At the System Online message, press Enter key.  Type Exit and press Enter.
  11. Once out of CUE, type reload and y to confirm to proceed with reload.

Once the UC500 is rebooted, it’s back to default and you can connect via IP as usual to the default IP for your unit.

Outlook 2010 Email Reading Tips

Personally, I like Outlook 2010 a lot but it does take some getting used to first. On a new setup, here are a couple of things I change right away to suit my needs.

Tip #1 Change Reading Pane to bottom

This one is pretty easy and I know some people use it on the side. But I like to see the columns with date and size so putting the reading pane on the bottom works much better for me. For this just click the View tab at the top and you’ll see in the Layout section Reading Pane with a down arrow. Just click the down arrow and select Bottom.

Tip #2 Mark email as read if viewed for 3 seconds

Since we read most emails in the preview Reading Pane, I also like to change it so the email is marked as read if I look at that email for 3 seconds.  To make that change:

  1. Click File and Options
  2. Select Mail on the left
  3. Click Reading Pane in the middle and check Mark items as read when viewed in Reading Pane and I usually change the seconds to 3.


Tip #3: After moving or deleting an email, move up

The other big one for me is after I delete an email, I want my selection to move Up, not Down. I generally read emails from the bottom starting with the oldest so if I delete or move an email I want to then move on to the one above. Here’s how:

  1. Click File and Options (just like before)
  2. Select Mail on the left
  3. Scroll all the way to the bottom and look in the section called Other.
  4. Where it shows After moving or deleting an open item, select Open the Previous Item.

So not the most glamorous or amazing tips but key tips for me and at least one is not in an obvious place to look…at least not to me. :)

Windows Platform FIPS error

Not sure what started it, but my Visual Studio projects stopped building with this error:

This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.

Others could build the code fine so that made it “my problem”. While banging my head on the wall, another application we use that’s really a web based app wrapped in a desktop app quit working. It would just give an unhandled exception error and say “System.InvalidOperationException” error. On a whim, I decided to let it debug and that fired up Visual Studio 2010. To my surprise, there was the same FIPS error. Now I had a root cause for both my issues, which led me to Raj Rao’s post. It was an old post (2007) but it got me going. Other MS KB’s were related to .Net 2.0 and apps so I was at a loss, so I gave it a shot. Following Raj’s post, here’s what I did…

  1. I went to Administrative Tools, opened Local Security Policy
  2. Expand Local Policies
  3. Clicked Security Options
  4. There I found System cryptography: Use FIPS 140 compliant cryptographic algorithms, including encryption, hashing and signing algorithms was indeed set to Enabled.

I changed that setting to Disabled and everything started to work…didn’t even require a restart. The default for that setting is Disabled so what enabled it I have no idea. I didn’t need it so my research ended there.
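
To see what the policy is doing before changing it, the following PowerShell is an added example (not from the original post or from Raj Rao’s): it reads the registry value behind that Local Security Policy setting and reports which .NET hash classes the runtime refuses to construct. The list of classes tested is an assumption chosen for illustration.

```powershell
# Added example, not from the original post.
# Registry value behind "System cryptography: Use FIPS 140 compliant ..."
# on Windows Vista / Server 2008 and later.
$FipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'

function Get-FipsPolicyEnabled {
    $p = Get-ItemProperty -Path $FipsKey -Name Enabled -ErrorAction SilentlyContinue
    return ($null -ne $p -and $p.Enabled -eq 1)
}

function Test-HashClass([string]$TypeName) {
    # With the policy enabled, .NET Framework refuses to construct
    # implementations that are not FIPS validated and throws the
    # InvalidOperationException quoted in the post.
    $result = New-Object PSObject -Property @{ Type = $TypeName; Allowed = $true; Error = '' }
    try {
        $h = New-Object -TypeName $TypeName -ErrorAction Stop
        $h.Clear()                       # release the underlying provider
    } catch {
        # Unwrap PowerShell's wrapper to reach the original exception.
        $inner = $_.Exception
        while ($inner.InnerException) { $inner = $inner.InnerException }
        $result.Allowed = $false
        $result.Error   = $inner.Message
    }
    return $result
}

Add-Type -AssemblyName System.Core       # SHA256CryptoServiceProvider lives here

# Classes chosen for illustration (an assumption, not a complete list).
$classes = @(
    'System.Security.Cryptography.MD5CryptoServiceProvider',
    'System.Security.Cryptography.SHA1Managed',
    'System.Security.Cryptography.SHA256Managed',
    'System.Security.Cryptography.SHA1CryptoServiceProvider',
    'System.Security.Cryptography.SHA256CryptoServiceProvider'
)

"FIPS policy enabled: $(Get-FipsPolicyEnabled)"
$classes | ForEach-Object { Test-HashClass $_ } |
    Format-Table Type, Allowed, Error -AutoSize
```

Classes reported as not allowed are the ones to look for in the failing code if the policy has to stay enabled.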

TMG 2010 SP1 introduces issue with HTTP custom port listener

We replaced a single TMG 2010 server with a pair of TMG 2010 servers using NLB for internal and external NICs. That process in itself was somewhat of a challenge. Along the way we found a bug that was introduced in TMG 2010 SP1. On the single server (non SP1), we had an HTTP listener using a custom port of 8080 (this was for TFS just so you know). On the new servers, we added SP1 for TMG 2010 before adding any rules and then tried to add the HTTP listener on port 8080. However, in the listener properties, as soon as we changed the HTTP port and tried to apply we received this error: “This Web Listener is configured to use SSL.  You must specify a certificate for use in this Web Listener.”

You can duplicate this by simply creating a new listener, click on the Connections tab, change HTTP port to anything other than 80 and try to apply as shown below.

After seeing the error you may notice that without SP1, the Certificates tab will have all its options disabled if you don’t check Enable SSL on the Connections tab. However, after applying SP1 those options on the Certificates tab are not getting disabled and I guess there’s code that keys off that, resulting in the erroneous error message we received.

We opened a case with Microsoft and it was confirmed that this is an issue introduced with TMG 2010 SP1 and they are working on a fix. Currently, I see two workarounds:

  1. Add your listeners with custom HTTP ports prior to applying TMG 2010 SP1. I haven’t tested this but I’m fairly confident this will work.
  2. Select an SSL Certificate on the Certificates tab for this non-SSL enabled listener. This is the real workaround (and the only workaround if you've already applied SP1) and will allow you to save the listener and everything will work just fine. I already had a “real” SSL certificate on this TMG pair so this was easy. A self-signed cert would probably also work as you’re not really using the cert but just selecting any cert to work around the GUI issue.

So there you have it.  Just select any SSL cert to get you going even though you may be adding a non-SSL rule/listener.  I hope this saves you some time and headache.

Windows Update Error 80072EE2 on TMG 2010

After you install TMG 2010 on a server, you’ll probably notice that Windows Update no longer works giving error 80072EE2.

The fix is to set your Internet Explorer proxy setting to point to TMG on port 8080. You probably know the steps but just in case, here’s what you need to do:

  1. Open Internet Explorer and go to Tools, Internet Options.
  2. Click the Connections tab and then LAN Settings
  3. Check the box to “Use a proxy server for your LAN” and then enter localhost for the address and 8080 for the port (assuming you haven’t changed TMG)
  4. Click OK and OK.

You should be able to run Windows Updates now without any problem. Not sure I totally understand why that’s required for Windows Update since if you allow Localhost to External, you can browse the Internet just fine without adding TMG as your proxy server. If anyone knows why it affects Windows Update, let me know.

Windows 2008 R2 Firewall with SQL Server

By default, installing SQL Server 2008 R2 on a brand new Windows Server 2008 R2 server does not open the required Windows Firewall port. I always wonder why they don't give you the option at install to have MS make the changes for you. At any rate, MS has a tool to "Fix It" but on my Windows Server 2008 R2 it ran but said it didn't apply to my setup. ????

You can of course follow Microsoft's KB articles and manually add the Windows Advanced Firewall rules.  For me, a script to do this was the way to go.  Rolly Perreaux had a great post on setting up SQL and he had the script I've been using to open all SQL ports for my Domain profile on SQL servers.  Here's that script.   

SQL Firewall Ports Script

netsh advfirewall firewall add rule name="SQL Server (TCP 1433)" dir=in action=allow protocol=TCP localport=1433 profile=domain
netsh advfirewall firewall add rule name="SQL Admin Connection (TCP 1434)" dir=in action=allow protocol=TCP localport=1434 profile=domain
netsh advfirewall firewall add rule name="SQL Service Broker (TCP 4022)" dir=in action=allow protocol=TCP localport=4022 profile=domain
netsh advfirewall firewall add rule name="SQL Debugger/RPC (TCP 135)" dir=in action=allow protocol=TCP localport=135 profile=domain
netsh advfirewall firewall add rule name="SQL Browser (UDP 1434)" dir=in action=allow protocol=UDP localport=1434 profile=domain

netsh advfirewall firewall add rule name="Analysis Services (TCP 2383)" dir=in action=allow protocol=TCP localport=2383 profile=domain
netsh advfirewall firewall add rule name="SQL Browser (TCP 2382)" dir=in action=allow protocol=TCP localport=2382 profile=domain

netsh advfirewall firewall add rule name="Web Server HTTP (TCP 80)" dir=in action=allow protocol=TCP localport=80 profile=domain
netsh advfirewall firewall add rule name="Web Server SSL (TCP 443)" dir=in action=allow protocol=TCP localport=443 profile=domain
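
A variant of the script above, as an added example (not Rolly Perreaux's script and not from the original post): it creates a rule only when the matching service is installed, skips rules that already exist so a second run does not create duplicates, and limits the remote addresses that may connect. The default-instance service names and the localsubnet scope are assumptions to adjust.

```powershell
# Added example, not from the original post.
param(
    # Assumption: clients are on the server's own subnet. Any value netsh
    # accepts for remoteip works here, e.g. a subnet or a list of addresses.
    [string]$RemoteIp = 'localsubnet'
)

# Service names are those of default instances (assumption); named
# instances use MSSQL$<name> / MSOLAP$<name> and dynamic ports.
# Ports 135, 4022, 80 and 443 from the script above are left out; add them
# only if debugging, Service Broker endpoints or a web server are in use.
$rules = @(
    @{ Service = 'MSSQLSERVER';            Name = 'SQL Server (TCP 1433)';           Proto = 'TCP'; Port = 1433 },
    @{ Service = 'MSSQLSERVER';            Name = 'SQL Admin Connection (TCP 1434)'; Proto = 'TCP'; Port = 1434 },
    @{ Service = 'SQLBrowser';             Name = 'SQL Browser (UDP 1434)';          Proto = 'UDP'; Port = 1434 },
    @{ Service = 'SQLBrowser';             Name = 'SQL Browser (TCP 2382)';          Proto = 'TCP'; Port = 2382 },
    @{ Service = 'MSSQLServerOLAPService'; Name = 'Analysis Services (TCP 2383)';    Proto = 'TCP'; Port = 2383 }
)

function Test-RuleExists([string]$Name) {
    # "show rule" exits non-zero when no rule has this name.
    netsh advfirewall firewall show rule "name=$Name" | Out-Null
    return ($LASTEXITCODE -eq 0)
}

foreach ($r in $rules) {
    if (-not (Get-Service -Name $r.Service -ErrorAction SilentlyContinue)) {
        "skip  $($r.Name): service $($r.Service) not installed"
        continue
    }
    if (Test-RuleExists $r.Name) {
        "keep  $($r.Name): rule already present"
        continue
    }
    netsh advfirewall firewall add rule "name=$($r.Name)" dir=in action=allow `
        "protocol=$($r.Proto)" "localport=$($r.Port)" profile=domain `
        "remoteip=$RemoteIp" | Out-Null
    "add   $($r.Name): netsh exit code $LASTEXITCODE"
}
```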



SBS 2008 - Cannot connect to the configuration database

After installing the seemingly harmless Security Update for Windows SharePoint Services 3.0 x64(KB9834444) update on a SBS 2008 server, users complained the next day that they couldn't open CompanyWeb.  They would receive the error "Cannot connect to the configuration database."  In short, the fix was to re-run the Configuring Sharepoint Products and Technologies Wizard.  As soon as we kicked that off we received the message that there were new files that needed to be updated so obviously something needed to get upgraded that the Windows Update process didn't handle.  Seems like the kind of thing that should have received a pop-up of some sort during the Windows Update install.

At any rate, re-running the Configuring Sharepoint Products and Technologies Wizard in Administrative Tools fixed the issue. 

TMG 2010 - URL Redirect

One of the issues with the "cloud" world is most apps are hosted using SSL for security. This means your URL is their URL. For instance, Microsoft Online (BPOS) will use for OWA for North America. If you just add a CNAME entry in DNS, that will redirect traffic but you'll get an SSL error since the names don't match. For instance, redirecting https://owa.<yourdomain>.com to will sort of work but with the SSL error so it's ugly.

In the past I'd set up IIS pages that would just redirect http traffic to the https URL I wanted but that's a pain to set up each time. With TMG 2010 (and really ISA 2006 also I believe), you can just deny that traffic and then redirect it to any URL you'd like. Here are the steps to redirect in TMG 2010.

  1. Create a new non-SSL web publishing rule. 
  2. Give it any name for the internal site.  You have to give it something to get through the wizard but you won't actually publish anything internal.
  3. Create a listener for the IP that your DNS entry points to for that A Record.
  4. Once the rule is created, go to its properties and select the Action tab
  5. Check the Deny option, the Redirect box, and enter your destination URL.



Here’s a screen shot of how I redirect OWA to BPOS.


Now when you browse to http://<initialURL> that traffic will be redirected to https://<targetURL>. That'll at least give your users an easy initial URL to remember. It won't hide that target URL, which can be a shame in certain scenarios. If the site just uses HTTP, then CNAME records work great for that but as I mentioned before that'll give ugly verification errors for HTTPS.

Unable to RDP with one-way trust

We recently set up a one-way trust between two domains. Some admins however were unable to make RDP connections to the servers in the trusting domain even though they were in a group that was part of the administrators group on the local servers. After providing login credentials to domain A, they'd get authenticated and begin to log in to computers in domain B only to get this error:

Logon Failure: The machine you are logging onto is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine

This error is occurring because we set up "selective authentication" when we created our one-way trust. We did that deliberately as we wanted to do just that and selectively allow access to resources in domain B. Here's the fix...

  1. Open Active Directory for Users and Computers.
  2. Click View and enable Advanced Features
  3. Right click on the computer you need to allow access to and select Properties.
  4. Select Security tab.
  5. Add the desired user or group and check Allow for Allowed to authenticate.

That should get you going!
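
To review who already holds that permission on a server, the following PowerShell is an added example (not from the original post): it reads the computer object's ACL and lists every entry that grants or denies "Allowed to authenticate". The distinguished name is a hypothetical placeholder.

```powershell
# Added example, not from the original post.
param(
    # Hypothetical distinguished name of a server in the trusting domain.
    [string]$ComputerDn = 'CN=SERVER01,OU=Servers,DC=domainb,DC=example'
)

# rightsGuid of the Allowed-To-Authenticate control access right.
$AllowedToAuth = [Guid]'68b1d179-0d15-4d4f-ab71-46152e79a7bc'
$ExtendedRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

function Get-AllowedToAuthenticate([string]$Dn) {
    $entry = [ADSI]"LDAP://$Dn"
    # Explicit and inherited ACEs, with SIDs translated to account names.
    $aces = $entry.psbase.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])
    foreach ($ace in $aces) {
        $hasExtended = ($ace.ActiveDirectoryRights -band $ExtendedRight) -ne 0
        if (-not $hasExtended) { continue }
        # An empty ObjectType covers every extended right, so Full Control
        # style entries count as well as the specific right.
        if ($ace.ObjectType -eq $AllowedToAuth) {
            $scope = 'Allowed to authenticate'
        } elseif ($ace.ObjectType -eq [Guid]::Empty) {
            $scope = 'All extended rights'
        } else {
            continue
        }
        New-Object PSObject -Property @{
            Identity  = $ace.IdentityReference.Value
            Access    = $ace.AccessControlType      # Allow or Deny
            Scope     = $scope
            Inherited = $ace.IsInherited
        }
    }
}

Get-AllowedToAuthenticate $ComputerDn |
    Select-Object Identity, Access, Scope, Inherited |
    Sort-Object Identity |
    Format-Table -AutoSize
```

Inherited entries in the output come from the OU or domain above the computer object, so a group granted the right there can authenticate to every server beneath it.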