Friday, February 28, 2014

Remote WMI security via GPO

I recently wanted to create a limited access user account for accessing WMI remotely on servers. 
I came across this blog post http://blogs.msdn.com/b/spatdsg/archive/2007/11/21/set-wmi-namespace-security-via-gpo-script.aspx for deploying the WMI security via GPO and a script.

Unfortunately this wasn't the entire picture for me with either Server 2008 R2 or 2012. (In addition, I found that it's important to ensure that propagation is set properly before deploying.)

To get it to work for me I had to do the following extra steps:
  1. When setting the security, in order to get propagation, I had to add the permissions via the following steps
    1. Do this before you retrieve the security descriptor
    2. Click the Security tab
    3. Select the level (i.e. root)
    4. Click Security
    5. Click Advanced
    6. Click Add
    7. Ensure that "Apply to:" is set to "This namespace and subnamespaces"
  2. I also had to put the user in the "Performance Log Users" security group.  This can be done in GPO or at the local level.  For GPO:
    1. Open GPO and select the policy that you want this in
    2. Under Computer Configuration - Policies - Windows Settings - Security Settings - Restricted Groups
    3. Right click and add
    4. "Performance Log Users"
    5. In members of this group add your WMI user
    6. gpupdate /target:computer on a server that it's linked to.

Performance Log Users
http://technet.microsoft.com/en-us/library/cc749154.aspx

Note: Performance Log Users have more permissions than Performance Monitor Users.  I tried using just the Performance Monitor Users group without success.
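The same end result, as an added PowerShell example rather than anything from the post or the linked MSDN script: the `__SystemSecurity` methods of the target namespace are used to append an allow ACE for the account with the CONTAINER_INHERIT flag (the "This namespace and subnamespaces" setting from step 1), and the account is then added to the local Performance Log Users group (step 2 without GPO). The access mask is limited to Enable Account, Execute Methods and Remote Enable, which is all a read-only monitor needs. Account name, server name and the `root` namespace are assumptions; run it as a local administrator of the target server.

```powershell
# Added example (not from the original post): grant a low-privilege account remote
# read/execute on a WMI namespace with inheritance, then add it to Performance Log Users.
$Account   = 'CORP\svc-wmimon'    # assumption: the limited monitoring account
$Computer  = 'SERVER01'           # assumption: the server being configured
$Namespace = 'root'               # assumption: grant at root so sub-namespaces inherit

# WBEM access-mask bits (wbemcli.h) and the ACE flag that makes the ACE propagate
$WBEM_ENABLE         = 0x1
$WBEM_METHOD_EXECUTE = 0x2
$WBEM_REMOTE_ACCESS  = 0x20
$CONTAINER_INHERIT   = 0x2        # "This namespace and subnamespaces"

$domain, $user = $Account -split '\\', 2
$acct = Get-WmiObject -ComputerName $Computer -Class Win32_Account -Filter "Domain='$domain' AND Name='$user'"
if (-not $acct) { throw "Account $Account not found from $Computer" }

# Pull the current security descriptor of the namespace
$sec = @{ ComputerName = $Computer; Namespace = $Namespace; Path = '__systemsecurity=@' }
$get = Invoke-WmiMethod @sec -Name GetSecurityDescriptor
if ($get.ReturnValue -ne 0) { throw "GetSecurityDescriptor failed: $($get.ReturnValue)" }
$descriptor = $get.Descriptor

# Build an ACCESS_ALLOWED ACE for the account with inheritance to sub-namespaces
$trustee = ([wmiclass]"\\$Computer\root\cimv2:Win32_Trustee").CreateInstance()
$trustee.SIDString = $acct.SID
$ace = ([wmiclass]"\\$Computer\root\cimv2:Win32_Ace").CreateInstance()
$ace.AccessMask = $WBEM_ENABLE -bor $WBEM_METHOD_EXECUTE -bor $WBEM_REMOTE_ACCESS
$ace.AceFlags   = $CONTAINER_INHERIT
$ace.AceType    = 0               # ACCESS_ALLOWED_ACE_TYPE
$ace.Trustee    = $trustee

# Append the ACE to the DACL and write the descriptor back
$descriptor.DACL += $ace.PSObject.ImmediateBaseObject
$set = Invoke-WmiMethod @sec -Name SetSecurityDescriptor -ArgumentList $descriptor.PSObject.ImmediateBaseObject
if ($set.ReturnValue -ne 0) { throw "SetSecurityDescriptor failed: $($set.ReturnValue)" }

# Local group membership (what the Restricted Groups GPO does); WinNT provider, no WinRM needed
$group = [ADSI]"WinNT://$Computer/Performance Log Users,group"
$group.Add("WinNT://$domain/$user,user")

# Check from a workstation as the limited account. "Access denied" at this point usually means
# the DCOM side still needs granting (Remote Launch/Activation, e.g. via Distributed COM Users).
Get-WmiObject -ComputerName $Computer -Credential (Get-Credential $Account) -Class Win32_ComputerSystem
```

Re-run `GetSecurityDescriptor` afterwards and inspect `Descriptor.DACL` if you want to confirm the ACE landed with `AceFlags` equal to 2; an ACE written without that flag is exactly the "no propagation" symptom described above.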

Wednesday, February 26, 2014

Opsview Core Agentless WMI Setup

Recently I set about building an Opsview Core setup to monitor my network.  I had found this really nifty setup here: http://community.spiceworks.com/how_to/show/2832-create-an-lcd-network-monitor-using-opsview-nagios-and-nagvis written by awesome spicer Jamin289.

Unfortunately along the way I found that for a non-Linux person like me it left some of the installation steps for me to stumble through.  I don't know Linux at all, so some of the below may be obvious, but it wasn't to me so I included everything I could.  This includes adding in WMI for agentless checks :)

It's very important to follow the steps to the T, as a lot of this has prerequisites.  Remember: CaSE SensiTiVE (if you don't use the right case in some of the setup, an error can occur that requires digging in config files to fix).

NOTE: For logging out of opsview I found that I couldn't with IE v9, the screen was flaky.  But, I could with Firefox.  On the flip side of that I found that editing the Nagvis maps SUCKED in Firefox, but worked great in IE v9.  HAHA, have fun.

I did this with the Opsview Core Appliance v4.4
  1. Import the appliance
  2. Log into the appliance with conf / conf
  3. 'sudo su' to get to root access
  4. Change the IP address with netconf
  5. use 'passwd' to change the password of conf
  6. Download the gadgets you want and install (download from the link in the spiceworks guide)
    1. extract the contents
    2. Use winscp.exe and login with the conf user
    3. copy all the gadget files to the conf users directory
    4. go to the opsview appliance console and ensure you're at root still
    5. run the following:
      1. cp /home/conf/scale_thermometer.php /usr/local/nagios/nagvis/nagvis/gadgets/
      2. cp /home/conf/rawWords.php /usr/local/nagios/nagvis/nagvis/gadgets/
      3. cp -r /home/conf/rawWords /usr/local/nagios/nagvis/nagvis/gadgets/
  7. Skip the section about installing the Opsview agent, remember we're going agentless with WMI!
  8. Now we need to install WMI options
    1. First we need autoconf, Type 'apt-get install autoconf'
    2. Next we need C Compiler, Type 'apt-get install gcc'
    3. Now we need WMI (http://www.edcint.co.nz/checkwmiplus/InstallationTerminalSession)
      1. type 'cd /tmp/'
      2. 'wget www.edcint.co.nz/checkwmiplus/wmi-1.3.14.tar.gz'
      3. 'tar xzvf wmi-1.3.14.tar.gz'
      4. cd wmi-1.3.14
      5. make
    4. Now we test WMI
      1. wmic -U computername/administrator%adminpassword //computername "select * from Win32_ComputerSystem"
      2. You should get WMI info back on that system.  (The local administrator is the quickest test; for the checks themselves use a limited WMI-only account such as the one from the GPO post above, and keep in mind that a password typed on the command line like this ends up in the shell history and is visible to other users of the box via ps.)
    5. Now we'll install check_wmi_plus.pl to the nagvis location (so that it shows in the dropdown list)
      1. cd /usr/local/nagios/libexec
      2. wget http://edcint.co.nz/checkwmiplus/sites/default/files/check_wmi_plus.v1.54.tar.gz
      3. tar xzvf check_wmi_plus.v1.54.tar.gz
      4. Reset permissions: (remember, I'm not that great at Linux, so probably a better way to do this)
        1. chmod -R 555 check_wmi_plus*
        2. chown -R nagios check_wmi_plus*
        3. chgrp -R nagios check_wmi_plus*
        4. ls -la check_wmi_plus.* (shows the permissions)
      5. Now we need some extra CPAN modules (Perl) otherwise we'll see "Can't locate Number/Format.pm" with the nagios plugins and other like errors. This may not all be required, idk. 
        1. cpan Statistics::Basic
        2. cpan Config::IniFiles
        3. yes anytime it prompts
        4. cpan Module::Build
        5. yes anytime it prompts
        6. cpan (to get to cpan shell)
        7. force install DateTime
        8. yes anytime it prompts
        9. q (to quit cpan shell)
        10. cpan Getopt::Long
        11. cpan Data::Dumper
        12. cpan Scalar::Util
        13. cpan Number::Format
        14. cpan ExtUtils::Config
        15. cpan ExtUtils::Helpers
        16. cpan ExtUtils::InstallPaths
        17. cpan TAP::Harness::Env
        18. cpan Module::Build::Tiny
        19. cpan Package::Stash
        20. yes anytime it prompts
        21. cpan Class::Load
        22. cpan Storable
      6. Now we can test :)
        1. /opt/nagios/bin/plugins/check_wmi_plus.pl -m checkcpu -H computername -U computername/administrator -P password
        2. Run it again.  Should get cpu average on second run.
      7. Cleanup!
        1. rm check_wmi_plus.v1.54.tar.gz
        2. cd /
        3. cd /tmp/
        4. rm cwpss_checkcpu_SMonitor___.state
  9. Open opsview
  10. login to opsview with admin / initial
  11. In the top right corner click admin
  12. Change the Admin password  (note: I found that Firefox works best for opsview)
  13. Go to Settings - Service Checks
    1. Click + to add
    2. We'll do a test for Average CPU Utilization
    3. Name: Average CPU Utilization
    4. Server Group = enter a new one called "OS - Windows Agentless WMI" or whatever you want to group your WMI checks by.
    5. Check Period: 24x7
    6. Plugin: check_wmi_plus.pl
    7. Arguments: -H $HOSTNAME$ -m checkcpu -u %WINCRED:1% -p %WINCRED:2%
    8. Submit
  14. Go to Settings - Attributes
    1. Click + to add
    2. Name: WINCRED
    3. Default Value: leave blank
    4. Default Arg1: USERNAME
    5. Default Arg2: PASSWORD
    6. Submit
  15. Go to Settings - Host Templates
    1. CLick + to add
    2. Name: Windows Agentless
    3. Monitors tab
    4. Drill into "OS - Windows Agentless WMI"
    5. Select the Average CPU Utilization (green +)
    6. Submit
  16. Go to Settings - Hosts
    1. Add Host
    2. Enter hostname, title
    3. Change Icon
    4. Host Templates: Windows Agentless and click the arrow to add it.
    5. Go to Attributes tab
    6. Click the grey +
    7. Select WINCRED
    8. Click the Eye icon
    9. Value: none
    10. Check arg1: Enter domain/username (example computername/administrator or domainname/username)
    11. Check arg2: Enter the password (remember: no special metacharacters unless you escape them, e.g. !)
    12. Submit
  17. Settings - Apply Changes
  18. Reload Configuration
  19. Monitoring - Hosts
    1. Click your new host
    2. Click the Mass Re-Checks icon in top left
    3. Toggle all checkboxes - Submit
    4. Do the mass re-checks again.
    5. Should show your cpucheck (or error if you missed a step / got your username or password wrong)
  20. Now you can add the rest of your WMI checks!
    1. http://mastermonsvr.smartmon.com.au/mp-bin/public/public.cgi?mode=public&mode2=showplugindetails&plugin=check_wmi_plus.pl
    2. http://www.edcint.co.nz/checkwmiplus/?q=MakePerfRawDataClassCheck
    3. https://wmie.codeplex.com/
  21. Now you can do your other steps with ease since you know a little Linux :)
  22. Copy your nagvis map as described in Spiceworks post (and icons)
    1. Back to Winscp.exe
    2. Once again copy your jpg to the conf home
    3. While you're at it, unzip the icons that Jamin289 posted and drop them into the conf home
      1. I unzipped to a folder named blocks and thin_blocks and copied those folders to the conf home
    4. Back to PuTTY to copy them to the proper location (copying them to these locations allows them to populate the Opsview dropdown lists)
      1. cp /home/conf/NagvisLayout.jpg /usr/local/nagios/nagvis/nagvis/images/maps/
      2. cp -r /home/conf/blocks/* /usr/local/nagios/nagvis/nagvis/images/iconsets/
      3. cp -r /home/conf/thin_blocks/* /usr/local/nagios/nagvis/nagvis/images/iconsets/
    5. Apply Changes
    6. Reload Configuration
  23. Load the Nagvis map
    1. Modules - Nagvis
    2. Edit Current Map
    3. Right click in the text area and select Manage - Maps
    4. Under the "Create Map" area
      1. Name Map
      2. User with read Permissions: EVERYONE
      3. User with write Permissions: EVERYONE
      4. Map Iconset: Select Blocks or Thin_Blocks
      5. BackGround: Select NagvisLayout.jpg
    5. Click on your new map and begin loading the iconsets
      1. Edit Current Map
      2. Right click - Add Object - Icon - Service
      3. Select Host_name and service_description
      4. Place it where you want it.
      5. Save
    6. Continue as you desire with the guide from Jamin289
Good Luck!!

Don't forget to donate if you like what they've done to get you WMI.   http://www.edcint.co.nz/checkwmiplus/?q=donations_and_sponsorship

Tuesday, January 14, 2014

Citrix Receiver Progress Bar / Application open in background

In the newer versions of Citrix Receiver the connection progress bar / status bar launch in the background by default.  In addition once the application opens it is launched in the background.

Application opens in background:
There is a seamless flag that can be set that allows the application to open again in the foreground.  This is set at the XenApp server level.
HKLM\SYSTEM\CurrentControlSet\Control\Citrix\wfshell\TWI
dword=SeamlessFlags
value = 0x4


You can also set this at the Receiver client level.
http://support.citrix.com/article/CTX131977
HKLM\Software\Citrix\ICA Client\Engine\Configuration\Advanced\Modules\WFClient
HKLM\Software\Wow6432Node\Citrix\ICA Client\Engine\Configuration\Advanced\Modules\WFClient
Reg_SZ = TWISeamlessFlag
Value = 1


Progress Bar launches in background:
With Citrix Receiver 4.1 there is now a registry key that can be added to force the progress bar to the foreground.  This is set on the client.
http://support.citrix.com/article/CTX138197
HKLM\Software\Citrix\ICA Client
HKLM\Software\Wow6432Node\Citrix\ICA Client
dword = ForegroundProgressBar
Value = 1

Tuesday, January 7, 2014

CAS Array Object / RpcClientAccessServer

About a year and a half ago (somehow I forgot to post this) I needed to decommission an old Exchange 2010 server and move all the mailboxes to a new one due to a Hypervisor switch.  I learned a very good lesson then that I wish I'd known when I originally set up my first CAS server...

I quickly found that even though all the mailboxes were moved and all clients had connected to the new box, turning off the old Exchange server caused Outlook to lose connection.  After looking for a few brief moments I found that they were still connecting through the old CAS box. ACK

http://blogs.technet.com/b/exchange/archive/2012/03/23/demystifying-the-cas-array-object-part-1.aspx

I always thought of the CAS Array by what it's name sort of indicates, more than one CAS, but I was wrong and I paid for it.

You want to set up the CAS array object so that Outlook is populated with an FQDN that isn't server specific, for instance outlook.domain.com.  DNS then decides which server (or load balancer) outlook.domain.com points at, so if you migrate to a new server you just update DNS.  The array FQDN is what gets stamped into each mailbox database's RpcClientAccessServer property, and that is the value Outlook caches in its profile.

Failure to do this results in having to touch each and every Outlook install or using a PRF to update them (or some other method).

Do yourself a favor, set up a CAS array from the beginning, or if you already missed this step go ahead and set up the CAS array and then begin slowly changing all your Outlook installs to point to the array.
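The setup described above as an added Exchange Management Shell example (not from the post or the linked TechNet articles): create the site-scoped array object if it does not exist, then re-point every mailbox database whose RpcClientAccessServer still names a specific CAS. The FQDN reuses the post's outlook.domain.com; the AD site name is an assumption.

```powershell
# Added example (not from the original post): create the CAS array object and move every
# mailbox database's RpcClientAccessServer onto it, so Outlook profiles stop caching a server name.
$ArrayFqdn = 'outlook.domain.com'        # from the post; DNS must resolve this to the CAS or load balancer
$Site      = 'Default-First-Site-Name'   # assumption: the AD site the CAS servers live in

# One array object per site; reuse it if someone already created one
$array = Get-ClientAccessArray -Site $Site -ErrorAction SilentlyContinue
if (-not $array) {
    $array = New-ClientAccessArray -Name $ArrayFqdn -Fqdn $ArrayFqdn -Site $Site
    Write-Host "Created CAS array $($array.Fqdn) in site $Site"
}

# Databases still pointing at an individual CAS are the ones that break when that server is turned off
$stale = Get-MailboxDatabase | Where-Object { $_.RpcClientAccessServer -ne $ArrayFqdn }
foreach ($db in $stale) {
    Write-Host "Re-pointing $($db.Name): $($db.RpcClientAccessServer) -> $ArrayFqdn"
    Set-MailboxDatabase -Identity $db.Identity -RpcClientAccessServer $ArrayFqdn
}

# Verify; every row should now show the array FQDN
Get-MailboxDatabase | Sort-Object Name | Format-Table Name, Server, RpcClientAccessServer -AutoSize
```

Changing RpcClientAccessServer only affects profiles created or repaired after the change; existing Outlook profiles keep the old server name until they are repaired, which is the slow part the post warns about.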


also read
http://blogs.technet.com/b/exchange/archive/2012/03/28/demystifying-the-cas-array-object-part-2.aspx

Monday, January 6, 2014

NETLogon not replicating - Replication service stopped replication on volume C

After a dirty shutdown of a Windows Server 2012 DC I found that my NETLogon was no longer replicating

Event log had event ID 2213 listed under DFS Replication:

The DFS Replication service stopped replication on volume C:. This occurs when a DFSR JET database is not shut down cleanly and Auto Recovery is disabled. To resolve this issue, back up the files in the affected replicated folders, and then use the ResumeReplication WMI method to resume replication.

Additional Information:
Volume: C:
GUID: guidofvolume

Recovery Steps
1. Back up the files in all replicated folders on the volume. Failure to do so may result in data loss due to unexpected conflict resolution during the recovery of the replicated folders.
2. To resume the replication for this volume, use the WMI method ResumeReplication of the DfsrVolumeConfig class. For example, from an elevated command prompt, type the following command:
wmic /namespace:\\root\microsoftdfs path dfsrVolumeConfig where volumeGuid="GUIDofvolume" call ResumeReplication


In Server 2012 the default behavior has changed to a manual recovery from dirty shutdown.

http://blogs.technet.com/b/filecab/archive/2012/07/23/understanding-dfsr-dirty-unexpected-shutdown-recovery.aspx


In my case just executing the wmic command resolved it.
wmic /namespace:\\root\microsoftdfs path dfsrVolumeConfig where volumeGuid="GUIDofvolume" call ResumeReplication


At that point you can either start monitoring your eventvwr on your DC :)  or set this back to autorecovery
wmic /namespace:\\root\microsoftdfs path dfsrmachineconfig set StopReplicationOnAutoRecovery=FALSE
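The same recovery as an added PowerShell example (not from the post or the linked TechNet article): read the volume GUIDs out of the 2213 events instead of copying them by hand, call ResumeReplication on each matching DfsrVolumeConfig instance, and optionally switch the machine back to automatic recovery. Run it elevated on the affected DC; the backup reminder in the event text still applies before the resume.

```powershell
# Added example (not from the original post): resume DFSR on every volume that logged event 2213.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'DFS Replication'; Id = 2213 } -ErrorAction SilentlyContinue
if (-not $events) { Write-Host 'No event 2213 found; nothing to resume'; return }

# The event body contains "GUID: <volume guid>"; collect each distinct one
$guids = $events | ForEach-Object {
    if ($_.Message -match 'GUID:\s*([0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12})') { $Matches[1] }
} | Sort-Object -Unique

foreach ($guid in $guids) {
    $vol = Get-WmiObject -Namespace 'root\MicrosoftDFS' -Class DfsrVolumeConfig -Filter "VolumeGuid='$guid'"
    if (-not $vol) { Write-Warning "No DfsrVolumeConfig instance for $guid (volume gone?)"; continue }

    # Back up the replicated folders on this volume before this point; unexpected conflict
    # resolution during recovery can discard local changes.
    $r = $vol.ResumeReplication()
    Write-Host ("Volume {0} ({1}): ResumeReplication returned {2}" -f $vol.VolumePath, $guid, $r.ReturnValue)
}

# Optional: restore the pre-2012 behaviour of recovering automatically after a dirty shutdown
$mc = Get-WmiObject -Namespace 'root\MicrosoftDFS' -Class DfsrMachineConfig
$mc.StopReplicationOnAutoRecovery = $false
[void]$mc.Put()
Write-Host "StopReplicationOnAutoRecovery is now $($mc.StopReplicationOnAutoRecovery)"
```

A return value of 0 from ResumeReplication means the request was accepted; keep watching the DFS Replication log afterwards, since the JET recovery itself runs asynchronously.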

Thursday, January 2, 2014

DHCP options for SIP server and SIP port

In a recent deployment of a VoIP system (NEC SV8100) I wanted to set up DHCP to hand out the SIP options.

This is pretty simple although some of the references I looked at made it look confusing.
For the system I was working on only two options are necessary, SIP Server IP address and SIP server port (if different than the default).

  1. Open up DHCP, right click IPv4 and choose "Set Predefined Options"
  2. Note that "option name" for 120 doesn't exist (unless added previously).  Click "Add"
  3. Put in a name of SIP Server IP Address, Data type should be binary, code equals 120, and a description as you see fit.
  4. Click OK
  5. Go to your server options (or scope options depending on what you want). 
  6. Click "Configure options"
  7. Check mark option 043 Vendor Specific Info
    1. This option carries the SIP port.  Option 43 is a list of vendor sub-options, each encoded as code, length, value.
    2. Enter the HEX value under the binary section with A8 02 prepended. For instance for port 5080 it would look like A8 02 13 D8
      1. A8 = 168, the sub-option code the phone system reads for the SIP port
      2. 02 = length of the value that follows (two bytes)
      3. 13 D8 = 5080 in HEX
      4. if you wanted port 5060 it would be A8 02 13 C4
  8. Check mark option 120 SIP Server IP Address
    1. Here you enter the SIP server IP address in HEX format with a 01 prepended.
    2. Then the IP, so 192.168.1.2 would be C0 A8 01 02.
    3. Put the 01 in front and get 01 C0 A8 01 02
    4. 01 = the RFC 3361 encoding byte: 1 means the list that follows is IPv4 addresses (0 would mean DNS names).  A second server is just another four bytes after the first.
    5. C0 = 192
    6. A8 = 168
    7. 01 = 1
    8. 02 = 2
    9. Put the hex value in the binary section.  (note, the ASCII will look like nonsense)
You're all set.  Bounce your phone so it gets DHCP from your server and ensure it finds the SIP server.  If you get an error "SIP Server not found" then you either have the IP address incorrect or the SIP server port incorrect.
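An added PowerShell example (not from the post) that builds both option values from an IP address and a port number instead of hand-converting hex, then defines and sets them with the DhcpServer cmdlets. The option 120 encoder handles more than one server, which the text only hints at; the sub-option code 168 is taken from the post, the scope ID is an assumption, and the DhcpServer module (Windows Server 2012 or later) and its acceptance of a hex string for binary option values are assumptions as well.

```powershell
# Added example (not from the original post): encode DHCP option 120 (RFC 3361) and a
# vendor sub-option in option 43 (RFC 2132 8.4), then push them to a scope.

function ConvertTo-Option120Hex {
    # enc byte 1 = list of IPv4 addresses, followed by 4 bytes per server
    param([Parameter(Mandatory)][string[]]$SipServer)
    [byte[]]$bytes = @(1)
    foreach ($ip in $SipServer) {
        $addr = [System.Net.IPAddress]::Parse($ip)
        if ($addr.AddressFamily -ne 'InterNetwork') { throw "$ip is not an IPv4 address" }
        $bytes += $addr.GetAddressBytes()
    }
    ($bytes | ForEach-Object { '{0:X2}' -f $_ }) -join ''
}

function ConvertTo-Option43PortHex {
    # one sub-option: code, length, value; the port is two bytes in network byte order
    param([Parameter(Mandatory)][ValidateRange(1, 65535)][int]$Port,
          [byte]$SubOption = 168)              # 168 is what the post's NEC system reads
    [byte[]]$value = @((($Port -shr 8) -band 0xFF), ($Port -band 0xFF))
    [byte[]]$bytes = @($SubOption, [byte]$value.Count) + $value
    ($bytes | ForEach-Object { '{0:X2}' -f $_ }) -join ''
}

# Worked values matching the post: 01C0A80102 and A80213D8
ConvertTo-Option120Hex -SipServer '192.168.1.2'
ConvertTo-Option43PortHex -Port 5080

# Define option 120 once (it is not predefined on Windows DHCP), then set both on the scope
$ScopeId = '192.168.1.0'                     # assumption
if (-not (Get-DhcpServerv4OptionDefinition -OptionId 120 -ErrorAction SilentlyContinue)) {
    Add-DhcpServerv4OptionDefinition -OptionId 120 -Name 'SIP Server IP Address' `
        -Type BinaryData -Description 'RFC 3361 SIP servers'
}
# assumption: binary option values are passed to -Value as a hex string
Set-DhcpServerv4OptionValue -ScopeId $ScopeId -OptionId 120 -Value (ConvertTo-Option120Hex '192.168.1.2')
Set-DhcpServerv4OptionValue -ScopeId $ScopeId -OptionId 43  -Value (ConvertTo-Option43PortHex 5080)
Get-DhcpServerv4OptionValue -ScopeId $ScopeId | Where-Object { $_.OptionId -in 43, 120 }
```

Anything else that consumes option 43 on the same scope (PXE clients, some access points) will see the same bytes, so check that nothing else on that scope already relies on a different vendor encoding before setting it.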

Note: troubleshooting DHCP is very easy with Wireshark, just filter for bootp (newer Wireshark versions also accept dhcp).  This way you can see what options it's handing out.  There is also a handy tool out there called DHCPtest
http://blog.thecybershadow.net/2013/01/10/dhcp-test-client/

Wednesday, December 18, 2013

Exchange SSL renewal - "pending certificate signing request"

After getting a renewal for the Exchange server and doing "complete pending request", the certificate still shows in the EMC with "This is a pending certificate signing request (CSR)."  This is after the request completed successfully with the .crt downloaded from the certificate authority.

Opening the certificates MMC and looking at the cert shows that it is missing its private key, and in my case the friendly name also didn't carry over.

http://www.petri.co.il/forums/showthread.php?t=52766
Open the certificate from the CA and on the Details tab find the Thumbprint field and copy it to your clipboard.
Now run the following command from a command prompt:
certutil -repairstore My ""

In addition, in the MMC you can right click your cert and go to properties to assign the friendly name.
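The same repair as an added PowerShell example (not from the post or the Petri thread): find the certificate in the machine store that has no private key, hand its thumbprint to certutil, set the friendly name through the store object, and confirm the key came back. The subject name and friendly name are assumptions. It only works on the server that generated the CSR, because `-repairstore` re-links the certificate to a key pair that already exists in that machine's key store.

```powershell
# Added example (not from the original post): re-attach the private key to a renewed
# certificate that was completed without it, then give it a friendly name.
$Subject = 'CN=mail.mydomain.com'    # assumption: subject of the renewed certificate

$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $Subject -and -not $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate without a private key for $Subject in LocalMachine\My" }
Write-Host "Repairing $($cert.Thumbprint) (expires $($cert.NotAfter))"

# certutil looks up the key container that the original CSR created on this machine
certutil -repairstore My $cert.Thumbprint
if ($LASTEXITCODE -ne 0) { throw "certutil -repairstore failed with exit code $LASTEXITCODE" }

# Re-read the store entry; properties set on a store-backed X509Certificate2 are persisted
$cert = Get-Item "Cert:\LocalMachine\My\$($cert.Thumbprint)"
if (-not $cert.HasPrivateKey) { throw 'Still no private key: the CSR was generated on a different server' }
$cert.FriendlyName = 'mail.mydomain.com renewal'   # assumption: the name you want in EMC

# From the Exchange Management Shell: the pending-request status should be gone and services assignable
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint | Format-List Subject, Services, NotAfter
```

If `HasPrivateKey` is still false after the repair, the private key was never on this box; generate a new CSR on the Exchange server and re-issue rather than importing the .crt elsewhere.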

Tuesday, December 10, 2013

Fiberlink Maas360 MDM - Warning! Stay away

I don't usually post things like this, but this has been one of the worst experiences I've had with a company.

I'll keep it short and sweet.  If you're looking into an MDM and you're looking at Fiberlink Maas360 (now IBM), move along, nothing (good) to see here.

The product itself worked okay, that's not entirely the issue (although I did have some issues with the product).

More importantly!  Sales / Billing at Fiberlink and their business policies are terrible.  They are not very consumer friendly.   Read that contract very carefully!!  They have an "auto-renew" section in there and they WILL NOT warn you in advance.  They were completely unwilling to work with us.



HINT: take a look at XenMobile...
https://www.citrix.com/products/xenmobile/overview.html?ntref=hp_hero_xenmobileMDM

Tuesday, November 12, 2013

Citrix XenMobile - Bulk assign corporate device

After moving away from Fiberlink Maas360 (soooo glad we did) I found that I needed to mark over 100 devices in XenMobile as corporate owned.  This would allow us to mark the devices as either corporate or employee owned so that we could push deployments based on ownership.

This can be done manually one at a time... or

Citrix put together this how to which works great!


Looks like the URL changed: http://support.citrix.com/proddocs/topic/xmob-dm-85/xmob-dm-manage-devices-tagging-auto-tsk.html

Monday, November 4, 2013

Convert XenServer to Hyper V 2012

Built a new Windows Server 2012 Hyper-V environment for my test and non-critical machines.  Below are the steps that I used to move some of my machines out of XenServer and into Hyper-V.

This was using XenServer 6.0

  1. Export VM as OVF
    1. Shutdown the machine
    2. Right click and Export
    3. Choose the OVF format, location, and name
    4. Next through the rest of the screens
  2. This leaves you with a VHD (alongside the OVF descriptor) that we can attach to and use.
  3. In Hyper-V create a new diskless VM in your cluster share
  4. Copy the VHD to the subfolder for the VM
  5. In the settings of the VM under the IDE Controller 0 add a new hard drive
    1. Browse to the VHD and OK
  6. Convert the VHD to VHDX
    1. In Hyper-V Manager select the VM and click "edit disk".
    2. Select the VHD, Next
    3. Click Convert, Next
    4. Select VHDX, Next
    5. Leave at Dynamically Expanding, Next
    6. Browse to the VM folder (where it will create the VHDX), typically the same location as where the VHD is currently.
    7. Name it (can be the same name since extension will be different)
    8. Finish and wait for it to create.
  7. Change the VM to point to the VHDX.
    1. Edit the VM and change the virtual hard disk path to point to the vhdx instead of the vhd.
  8. Ensure it boots properly
  9. Login and remove the XenServer tools (note it will be very slow at this point), Reboot
  10. Ensure integrated services is the latest version by inserting the disk and running the update.
  11. Remove integrated services disk
  12. Change IP address as needed
  13. After saving the IP, go back in and make sure the default gateway is listed properly.
  14. Remove the old VHD file.
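Steps 3 through 8 and 14 as an added PowerShell example using the Windows Server 2012 Hyper-V module (not from the post): create the diskless VM, convert the exported VHD to a dynamically expanding VHDX, attach it on IDE 0:0 so the guest boots from it, and print the disk details so you can confirm the conversion before the old VHD is deleted. VM name, cluster path and memory size are assumptions; the in-guest steps 9 through 13 still happen by hand.

```powershell
# Added example (not from the original post): import a XenServer-exported VHD into Hyper-V as a VHDX.
$VMName = 'lab-web01'                                # assumption
$VMPath = 'C:\ClusterStorage\Volume1\lab-web01'      # assumption: the VM's folder on the cluster share
$Vhd    = Join-Path $VMPath 'lab-web01.vhd'          # the disk produced by the OVF export, copied here
$Vhdx   = [System.IO.Path]::ChangeExtension($Vhd, '.vhdx')

if (-not (Test-Path $Vhd)) { throw "Copy the exported VHD to $Vhd first" }

# 3. diskless VM in the cluster share (Server 2012 only creates Generation 1 VMs)
New-VM -Name $VMName -Path $VMPath -MemoryStartupBytes 2GB -NoVHD | Out-Null

# 6. VHD -> dynamically expanding VHDX next to the source, then show what was created
Convert-VHD -Path $Vhd -DestinationPath $Vhdx -VHDType Dynamic
Get-VHD -Path $Vhdx | Format-List Path, VhdFormat, VhdType, Size, FileSize

# 5/7. attach the VHDX as IDE controller 0, location 0 so the guest boots from it
Add-VMHardDiskDrive -VMName $VMName -ControllerType IDE -ControllerNumber 0 -ControllerLocation 0 -Path $Vhdx

# 8. boot test; 9-13 (remove XenServer tools, update Integration Services, fix IP) are done inside the guest
Start-VM -Name $VMName
Get-VM -Name $VMName | Format-Table Name, State, Status -AutoSize

# 14. only after the guest boots cleanly and the in-guest steps are done:
# Remove-Item $Vhd
```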

Wednesday, August 14, 2013

Create preconfigured AppCenter / Delivery Services Console

In the past I've always just had the other IT staff configure the Delivery Services Console on first run themselves.  With AppCenter I found that each time they launched it through their Citrix Profile it wouldn't save the server discovery.

Found the following that worked perfectly.  This allowed me to configure their server discovery and add in the idle times and reorder the columns as desired for everyone.

http://support.citrix.com/article/CTX126752

Tuesday, July 30, 2013

Windows 2008 R2 Password Notification causes more issues than helps

With Windows 7 / 2008 R2 Microsoft changed the way password notifications look. 

After upgrading from PS 4.5 to XenApp 6.5 we fairly quickly found that the default password expiration notification changes from 14 days down to only 5 days.  This doesn't work well in an environment where part time workers may be off a week at a time.  No problem, set the GPO and mark it for 14 days right...  One would think.

Unfortunately, MS changed the popup.


This presents 2 issues in my environment:
  • The popup doesn't display for long enough  (this can be corrected via GPO)
    • Users tend to miss it
    • Or ignore it
  • CTRL+ALT+END doesn't work for our Citrix sessions.
    • When connected through the Web Interface it just doesn't do anything
    • When connected from a thin client (Wyse and HP clients) it disconnects the session.  ACK!

In our case when connecting from:
  • Thin Client - CTRL+ALT+DEL works fine...
  • Web Interface - CTRL+F1 works


After messing around with several options I ended up opting for the following:
http://serverfault.com/questions/140816/with-no-password-expire-notification-at-logon-in-windows-7-how-are-you-configur

With a slight amount of modification to the message you can make it fit your scenario.
I then added it to GPO as a user configuration logon script.  With this I set the GPO loopback processing mode to "Merge" and applied the policy to the machines that needed it (Citrix, RDS / Terminal Services, others).
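An added example of such a logon script (this is not the serverfault script the post links to, nor the post's own): it reads the AD-computed password expiry for the logged-on user, which honours fine-grained password policies, skips accounts whose password never expires, and pops a message box with the key combinations that work in this environment. The warning threshold and message wording are assumptions.

```powershell
# Added example (not from the original post): user logon script that warns about
# password expiry, independent of the Windows 7 / 2008 R2 balloon notification.
$WarnDays = 14                                   # assumption: warn for the last two weeks

# Look up the current user in AD; constructed attributes must be requested explicitly
$searcher = [adsisearcher]"(&(objectCategory=user)(sAMAccountName=$env:USERNAME))"
[void]$searcher.PropertiesToLoad.Add('msDS-UserPasswordExpiryTimeComputed')
[void]$searcher.PropertiesToLoad.Add('userAccountControl')
$result = $searcher.FindOne()
if (-not $result) { return }                     # local account or not found in AD

$uac = [int]$result.Properties['useraccountcontrol'][0]
if ($uac -band 0x10000) { return }               # DONT_EXPIRE_PASSWORD

$raw = [int64]$result.Properties['msds-userpasswordexpirytimecomputed'][0]
if ($raw -le 0 -or $raw -eq [int64]::MaxValue) { return }   # never expires / not set
$expires  = [datetime]::FromFileTime($raw)
$daysLeft = [math]::Floor(($expires - (Get-Date)).TotalDays)

if ($daysLeft -le $WarnDays) {
    Add-Type -AssemblyName System.Windows.Forms
    $msg = if ($daysLeft -lt 0) { "Your password expired on $($expires.ToShortDateString())." }
           else { "Your password expires in $daysLeft day(s), on $($expires.ToShortDateString())." }
    $msg += "`n`nTo change it now: on a thin client press CTRL+ALT+DEL, through the Web Interface press CTRL+F1, then choose Change a password."
    [void][System.Windows.Forms.MessageBox]::Show($msg, 'Password expiration notice',
        [System.Windows.Forms.MessageBoxButtons]::OK, [System.Windows.Forms.MessageBoxIcon]::Warning)
}
```

Because the script runs as the user, it only needs the default read access to the user's own object; no credentials or service account are involved, which is what makes it safe to ship as a logon script.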

Who would have thought that something as simple as "changing your password" would be such a
nuisance and so poorly implemented by Microsoft.

Thursday, July 25, 2013

Fixing the Outlook Address Cache / Autofill after recreating email address in Exchange

Recently I had a scenario where we wanted to convert a distribution group to a user mailbox. This was an email address that everyone uses. Of course this can't be done without deleting the distribution group and creating it as a user mailbox. Unfortunately when you delete the distribution group and recreate it as a user, the Outlook autocomplete / autofill will break, because the value Outlook cached (the legacyExchangeDN) is different for the new object.

This will result in an NDR like the following: (for dist group test@mydomain.org)

Delivery has failed to these recipients or groups:
'Test' <mailto:IMCEAEX-_O%3DHERE_OU%3DEXCHANGE%2B20ADMINISTRATIVE%2B20GROUP%2B20%2B28FYDIBOHF23SPDLT%2B29_CN%3DRECIPIENTS_CN%3DTesta56@mydomain.com>
The e-mail address you entered couldn't be found. Please check the recipient's e-mail address and try to resend the message. If the problem continues, please contact your helpdesk.

Diagnostic information for administrators:
Generating server: Server.mydomain.com
IMCEAEX-_O=HERE_OU=EXCHANGE+20ADMINISTRATIVE+20GROUP+20+28FYDIBOHF23SPDLT+29_CN=RECIPIENTS_CN=Testa56@mydomain.com
#550 5.1.1 RESOLVER.ADR.ExRecipNotFound; not found ##

As Ben points out this can easily be fixed: https://www.simple-talk.com/sysadmin/exchange/exchange-e-mail-addresses-and-the-outlook-address-cache/

This helps keep our 200+ users from having to fix on their own or more likely calling the help desk to have us fix it


And to help convert the IMCEAEX string from the NDR into the X500 address to add to the new object:
http://support.microsoft.com/kb/2807779
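The conversion the KB article describes, as an added PowerShell example (not from the post or either linked article): it decodes the IMCEAEX address from an NDR into the X500 proxy address, applying the KB's substitutions in an order that does not corrupt underscores, and then adds it to the recreated mailbox so the cached autocomplete entries resolve again. The sample input is the NDR line from the post; the mailbox identity is the address the post gives.

```powershell
# Added example (not from the original post): IMCEAEX -> X500 conversion and the Set-Mailbox call.
function ConvertFrom-ImceaexToX500 {
    param([Parameter(Mandatory)][string]$Imceaex)
    # The first NDR line is URL-encoded (%3D for '=', %2B for '+'); the diagnostic line is not
    $s = [System.Uri]::UnescapeDataString($Imceaex)
    if ($s -notmatch 'IMCEAEX-(?<dn>[^\s<>@]+)') { throw "Not an IMCEAEX address: $Imceaex" }
    $dn = $Matches['dn']
    $dn = $dn -replace '_',   '/'     # path separators first, so the +5F underscores below survive
    $dn = $dn -replace '\+20', ' '
    $dn = $dn -replace '\+28', '('
    $dn = $dn -replace '\+29', ')'
    $dn = $dn -replace '\+2E', '.'
    $dn = $dn -replace '\+2C', ','
    $dn = $dn -replace '\+5F', '_'
    "X500:$dn"
}

# Both forms from the post's NDR decode to the same address
$fromDiag = ConvertFrom-ImceaexToX500 'IMCEAEX-_O=HERE_OU=EXCHANGE+20ADMINISTRATIVE+20GROUP+20+28FYDIBOHF23SPDLT+29_CN=RECIPIENTS_CN=Testa56@mydomain.com'
$fromBody = ConvertFrom-ImceaexToX500 "'Test' <mailto:IMCEAEX-_O%3DHERE_OU%3DEXCHANGE%2B20ADMINISTRATIVE%2B20GROUP%2B20%2B28FYDIBOHF23SPDLT%2B29_CN%3DRECIPIENTS_CN%3DTesta56@mydomain.com>"
if ($fromDiag -ne $fromBody) { throw 'Decoding mismatch' }
$fromDiag   # X500:/O=HERE/OU=EXCHANGE ADMINISTRATIVE GROUP (FYDIBOHF23SPDLT)/CN=RECIPIENTS/CN=Testa56

# Exchange Management Shell: stamp the old legacyExchangeDN on the new mailbox as an X500 proxy address
Set-Mailbox -Identity 'test@mydomain.org' -EmailAddresses @{ Add = $fromDiag }
Get-Mailbox -Identity 'test@mydomain.org' | Select-Object -ExpandProperty EmailAddresses
```

Check the decoded string against the old object's legacyExchangeDN if you still have it in a backup or the deleted-objects container; a single wrong character means the NDR keeps coming.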

Monday, July 8, 2013

\Windows\System32\config\system Status: 0xc000014c missing, or corrupt

On a Lenovo E520 running Windows 7 x64 the user ran out of power and the system crashed.  When it came back up the user was presented with:
File: \Windows\system32\config\system
Status: 0xc000014c
Info: Windows failed to load because the system registry file is missing, or corrupt.

I tried using the Lenovo recovery media without success.

I then plugged in a Dell recovery disc and just went into the Windows recovery cmd prompt.  At that point I found that the hard disk was mapped to the D drive.

sfc /scannow /offbootdir=d:\ /offwindir=d:\windows


After it finished running I rebooted the computer and gave back to the user (after tucking away my handy Dell disc)

IIS7 - Cannot find the certificate request that is associated with this certificate file

Seems like once a year (or longer) when I renew our SSL cert this causes me some headache.  The worst part about the error is that it's false and the cert was created just fine!

In this case I create the CSR and get the new cert, which is delivered in PKCS #7 (.p7b).  When you "Complete Certificate Request" and point it to the .p7b file (note you have to change the file filter to *.*) you then get the error "Cannot find the certificate request that is associated with this certificate file".

At that point I usually troubleshoot if I created the p7b incorrectly (which I did nothing wrong).


Instead you just need to click OK and then hit refresh (F5) on the IIS7 Server Certificates screen.  Your new cert appears :)

At this point you can export it as PFX and convert to PEM if needed.