SmartScreen, ClickOnce and Intranet Applications

I work in a company where we develop several Intanet Applications. Some of them are distributed into a shared folder while a lot of them use ClickOnce.

Code Signing Certificates has changed over the past year, so that you need a USB key in the computer that needs to sign the application, which effectivly has pulled the certificate from 4-5 developers so that only our public production application gets signed correctly with our company cert.

I've been poking around with enrolling a Code Signing Cert from a Windows Server 2025 with the Certificate Authority installed

I've also installed both the Root Cert in the domain as well as adding the CSC into the Trusted Authors..

But SmartScreen ignores it all...

I then tried adding the ClickOnce website into the Trusted Intranet Zone, which also didn't help in regards to warnings and untrusted file alerts....

So, can it really be true that the ONLY way to fix SmartScreen is by disabling it using GPO ?

Why isnt a CSC from the CA on the Domain enough to trust an Intranet Application ?

reddit.com
u/Turbulent_County_469 — 4 days ago

Finally received an age verification

I guess it was triggered by the surgeon app that contained a nude woman or by the other medical app that i downloaded.

Having beard long enough to make a Taliban proud aint enough, they needed either yet-another 7 euro or a picture of my driver's license.

I hate this new world of mass surveillance.

u/Turbulent_County_469 — 4 days ago
▲ 8 r/TpLink

DECO: Main vs Guest vs IOT

I had the wrong idea of how these 3 Wifi Networks are supposed to work and wanted to share my findings

My Initial wrong idea:

  • Main : 2.4 + 5 GHZ , has access to each other as well as internet
  • Guest: has access to Internet but not LAN
  • IOT: has access to internet but not LAN

To my surprise, IOT DOES have access to LAN so here is how they do work and why:

  • Main: High performance roaming clients as well as static (apple tv, printer, streaming)
  • Guest: High performance roaming clients which MAY have access to LAN (on/off setting)
  • IOT: 2.4 ghz limited meant for devices that need range and good quality wifi rather than speed. IOT DO have access to LAN in order for hub's to communicate with wifi bulbs and sensors.

So what devices should be placed where ? (according to google)

  • Main: Phones, Computers, NAS, Printer (even though printer is arguable),
  • Guest: Phones and Computers that only need internet
  • IOT: 2.4ghz smart devices

HOWEVER (in terms of security)

Since "smart" devices should be isolated in order to prevent them from being hacked and attack your LAN ... it's actually better to put them on the GUEST network and disable LAN access.

And since i use TAPO, HUE, TUYA and Siemens SMART devices which all communicate via online servers, it's perfectly fine to place them on GUEST network.

The IOT network could then be used for devices that dont need 5ghz wifi but still need LAN, like the home office printer.

So what i've done is:

  • Main: limit to trusted clients
  • Guest: use as iot for smart devices and guests and disabled 5ghz
  • IOT: use it for static devices like Printer on 2.4ghz
reddit.com
u/Turbulent_County_469 — 10 days ago

Update SSL cert using Powershell and Certify Manager (solution)

NOTE: This script require that you are able to generate SSL Certificate using Certify Manager (or another ACME client) , eg for Wildcard or specific domain.

  1. Setup Certify Certificate Manager to Export the 4x PEM files (Deploy Generic Server multi purpose)
    • name the files: certificate.pem, key.pem, ca-chain.pem (intermediate) and fullchain.pem
  2. Place them in a folder that you can access from the powershell script.
  3. Create a new Administrator account :
    • Name = Whatever you want
    • Password = Something strong like a GUID or whatever
    • Dont enable 2 factor for this account.
    • Administrators group
    • NO permissions for shares
    • DSM allow, the rest deny

The script:

#Requires -Version 5.1


Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'


# ── Configuration ────────────────────────────────────────────────────────────
$NetworkPath  = "C:\SSLCert" #<-- Path to Certificates 
$DsmHostname  = "192.168.1.50" # <-- Synology hostname or IP
$DsmPort      = 5001
$DsmUser      = "CertificateAdmin"  # <-- DSM username (cert-update account, no 2FA)
$DsmPassword  = "STRONG_PASSWORD"  # <-- DSM password
$LogFile      = "$PSScriptRoot\synology-cert-update.log"


$DsmBaseUrl = "https://${DsmHostname}:${DsmPort}"


# Fixed PEM filenames in the network share
$CertFile         = Join-Path $NetworkPath "certificate.pem"
$KeyFile          = Join-Path $NetworkPath "key.pem"
$IntermediateFile = Join-Path $NetworkPath "ca-chain.pem"


# ── Logging ──────────────────────────────────────────────────────────────────
function Write-Log {
    param([string]$Message, [string]$Level = "INFO")
    $line = "[$(Get-Date -Format 'yyyy-MM-dd HH:mm:ss')][$Level] $Message"
    Write-Host $line
    Add-Content -Path $LogFile -Value $line -Encoding UTF8
}


# ── DSM API helper (curl.exe -- bypasses .NET TLS stack entirely) ─────────────
function Invoke-DsmCurl {
    param([hashtable]$Params, [string]$Sid = "")
    if ($Sid) { $Params["_sid"] = $Sid }
    $query = ($Params.GetEnumerator() | ForEach-Object {
        "$([Uri]::EscapeDataString($_.Key))=$([Uri]::EscapeDataString($_.Value))"
    }) -join "&"
    $rawLines = & curl.exe -sk "$DsmBaseUrl/webapi/entry.cgi?$query"
    $json = ($rawLines -join '') -replace '^\s+|\s+$', ''
    if (-not $json) { throw "curl.exe returned no response for query: $query" }
    try {
        return $json | ConvertFrom-Json
    } catch {
        throw "curl.exe returned invalid JSON. Raw response: $json"
    }
}


# ── Write a PEM file as UTF-8 without BOM with LF line endings to a temp path ─
function Copy-PemAsUtf8 {
    param([string]$SourcePath)
    $content = Get-Content $SourcePath -Raw
    $clean   = $content -replace '\r\n', "`n" -replace '\r', "`n"
    $tmp     = [System.IO.Path]::GetTempFileName() + ".pem"
    [System.IO.File]::WriteAllText($tmp, $clean, [System.Text.UTF8Encoding]::new($false))
    return $tmp
}


# ── Load an X509 certificate from a PEM file (compatible with .NET Framework) ─
function Get-CertFromPem {
    param([string]$PemPath)
    $pemContent = Get-Content $PemPath -Raw
    $base64 = ($pemContent -split '\r?\n' | Where-Object { $_ -notmatch '^-' }) -join ''
    $certBytes = [Convert]::FromBase64String($base64)
    return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,$certBytes)
}


# ── 1. Verify PEM files exist ─────────────────────────────────────────────────
Write-Log "Checking PEM files in $NetworkPath"
foreach ($f in @($CertFile, $KeyFile, $IntermediateFile)) {
    if (-not (Test-Path $f)) {
        Write-Log "Required file not found: $f" "ERROR"
        exit 1
    }
}
Write-Log "All PEM files found."


# ── 2. Load certificate.pem to read cert info ─────────────────────────────────
try {
    $newCert = Get-CertFromPem $CertFile
} catch {
    Write-Log "Could not load certificate.pem: $_" "ERROR"
    exit 1
}


$newCN = if ($newCert.Subject -match 'CN=([^,]+)') { $Matches[1].Trim() } else { $newCert.Subject }
$newFingerprintNorm = $newCert.Thumbprint.ToUpper()


Write-Log "New certificate:"
Write-Log "  CN         : $newCN"
Write-Log "  Expires    : $($newCert.NotAfter)"
Write-Log "  SHA1       : $newFingerprintNorm"


# ── 3. Log in to DSM ─────────────────────────────────────────────────────────
Write-Log "Logging in to DSM ($DsmBaseUrl)..."


$loginParams = @{
    api     = 'SYNO.API.Auth'
    version = '7'
    method  = 'login'
    account = $DsmUser
    passwd  = $DsmPassword
    session = 'CertUpdate'
    format  = 'sid'
}
$loginResp = Invoke-DsmCurl $loginParams
if (-not $loginResp.success) {
    Write-Log "Login failed (code $($loginResp.error.code)). Check username/password." "ERROR"
    exit 1
}
$sid = $loginResp.data.sid
$synoToken = if ($loginResp.data.PSObject.Properties['synotoken']) { $loginResp.data.synotoken } else { '' }
Write-Log "Login OK$(if ($synoToken) { ' (SynoToken received)' })."


try {
    # ── 4. Fetch list of installed certificates ───────────────────────────────
    $listResp = Invoke-DsmCurl @{
        api     = 'SYNO.Core.Certificate.CRT'
        version = '1'
        method  = 'list'
    } -Sid $sid


    if (-not $listResp.success) {
        Write-Log "Could not retrieve certificate list from DSM (code $($listResp.error.code))" "ERROR"
        exit 1
    }


    $installNeeded = $true
    $replaceId     = $null


    foreach ($cert in $listResp.data.certificates) {
        if ($cert.subject.common_name -ne $newCN) { continue }


        # Normalize DSM fingerprint (remove colons/spaces) for comparison
        if ($cert.PSObject.Properties['fingerprint'] -and $cert.fingerprint) {
            $dsmFingerprintNorm = $cert.fingerprint.ToUpper() -replace '[^0-9A-F]', ''
            if ($dsmFingerprintNorm -eq $newFingerprintNorm) {
                Write-Log "Certificate already installed on DSM (same fingerprint). No action needed."
                $installNeeded = $false
                break
            }
        }


        # Compare expiry dates -- DSM returns e.g. "Jan  1 00:00:00 2026 GMT"
        try {
            $cleanDate = $cert.valid_till -replace '\s+', ' ' -replace ' GMT$', ''
            $dsmExpiry = [datetime]::ParseExact($cleanDate,
                [string[]]@('MMM d HH:mm:ss yyyy', 'MMM dd HH:mm:ss yyyy'),
                [System.Globalization.CultureInfo]::InvariantCulture,
                [System.Globalization.DateTimeStyles]::AssumeUniversal -bor [System.Globalization.DateTimeStyles]::AdjustToUniversal)
            Write-Log "DSM cert found: CN=$($cert.subject.common_name)  id=$($cert.id)  expires=$dsmExpiry UTC"
            if ($newCert.NotAfter.ToUniversalTime() -gt $dsmExpiry) {
                Write-Log "New certificate is newer -- will replace existing cert (id=$($cert.id))."
                $replaceId = $cert.id
            } else {
                Write-Log "DSM certificate is same age or newer. No action needed."
                $installNeeded = $false
            }
        } catch {
            Write-Log "Could not parse DSM date '$($cert.valid_till)' -- importing anyway." "WARN"
            $replaceId = $cert.id
        }
        break
    }


    if (-not $installNeeded) { exit 0 }


    # ── 5. Upload PEM files to DSM via curl.exe ───────────────────────────────
    Write-Log "Uploading certificate to DSM..."


    $tmpCert  = Copy-PemAsUtf8 $CertFile
    $tmpKey   = Copy-PemAsUtf8 $KeyFile
    $tmpChain = Copy-PemAsUtf8 $IntermediateFile
    try {
        $curlArgs = [System.Collections.Generic.List[string]]::new()
        $uploadQuery = "_sid=$([Uri]::EscapeDataString($sid))"
        if ($synoToken) { $uploadQuery += "&SynoToken=$([Uri]::EscapeDataString($synoToken))" }


        $uploadQuery += "&api=SYNO.Core.Certificate&method=import&version=1"


        $curlArgs.AddRange([string[]]@(
            '-sk', '-X', 'POST',
            '-F', "as_default=true",
            '-F', "desc=$newCN",
            '-F', "id=$(if ($replaceId) { $replaceId } else { '' })",
            '-F', "cert=@`"$tmpCert`"",
            '-F', "key=@`"$tmpKey`"",
            '-F', "inter_cert=@`"$tmpChain`""
        ))
        $curlArgs.Add("$DsmBaseUrl/webapi/entry.cgi?$uploadQuery")


        $uploadJson = & curl.exe u/curlArgs
        if (-not $uploadJson) {
            Write-Log "curl.exe returned no response -- verify curl.exe is available." "ERROR"
            exit 1
        }


        $uploadRaw  = ($uploadJson -join '') -replace '^\s+|\s+$', ''
        $uploadResp = $uploadRaw | ConvertFrom-Json
        if (-not $uploadResp.success) {
            Write-Log "Certificate upload failed (code $($uploadResp.error.code))" "ERROR"
            Write-Log "Full DSM response: $uploadRaw" "ERROR"
            exit 1
        }


        $newId = if ($uploadResp.data.id) { $uploadResp.data.id } else { $replaceId }
        Write-Log "Certificate installed on Synology DSM. Cert ID: $newId"
    } finally {
        Remove-Item $tmpCert, $tmpKey, $tmpChain -ErrorAction SilentlyContinue
    }


} finally {
    # ── 6. Log out ────────────────────────────────────────────────────────────
    try {
        Invoke-DsmCurl @{
            api     = 'SYNO.API.Auth'
            version = '7'
            method  = 'logout'
            session = 'CertUpdate'
        } -Sid $sid | Out-Null
        Write-Log "Logged out of DSM."
    } catch {
        Write-Log "Logout failed (non-critical): $_" "WARN"
    }
}


Write-Log "Done."
reddit.com
u/Turbulent_County_469 — 13 days ago

Code 5511 when uploading Certificate using API ?

Using Claude i've made a Powershell script that connects to my DSM (DS124) and want to upload a Certify (Wildcard) Certificate

Certify generates 4x PEM files that i used to install the certificate through the DSM Interface - so i know its good and correct format.

The script then logs into the API , gets a token, checks the fingerprint and date to see if it needs to update..

I've checked the file for encoding and made sure its UTF8 ..

when uploading the new certificate im gettin a Code 5511 and fail.

The user account is Administrator without access to anything but DSM.

Anyone experienced this and found a solution ?

EDIT:

I made it work -> https://www.reddit.com/r/synology/comments/1ucqrba/update_ssl_cert_using_powershell_and_certify/

reddit.com
u/Turbulent_County_469 — 14 days ago

Install SSL Certificate using API ?

I have a Windows Server which has Certify Manager installed,

Certify Manager uses DNS API to generate a Wildcard certificate and saves the PFX + PEM files to a network share (which is then installed on multiple other servers)

My DSM uses 2factor authentication for the currently single priviledged user

From what i can read about the API, i need to authenticate to generate a token and in that authentication i need to use the OTP to authorize ... this wont work for automation.

So im wondering

- should i make a service account without 2factor which only job is to install certificates ? (which roles does it need?)

- Is there another way ?

- Mayb SSH ?

PS: the DSM is not able to generate the CertifyTheWeb Cert so i need to push the Cert to the DSM.

Thanks

EDIT:

I made it work -> https://www.reddit.com/r/synology/comments/1ucqrba/update_ssl_cert_using_powershell_and_certify/

reddit.com
u/Turbulent_County_469 — 14 days ago

Can't join my 3 Bedrock servers after recent updates.

I've had 3 Bedrock servers running on my Windows 10 "server" for about 1-2 years.

I've made an update script which updates all other files than the AllowList, Permissions and Server.Properties files. It has worked fine until lately.

Currently i cant join the servers - AT ALL.

I've tried disabling firewall on Server and Client computer and the Bedrock console doesn't even register the attempt to join.

Has something dramatically changed lately ?

EDIT:

After i unzipped the newest version and did a brief compare of the server.properties i can see a ton of changes in the new version. i guess i have to migrate .

reddit.com
u/Turbulent_County_469 — 14 days ago

OSConfig could be better and preferably visual

I discovered OSConfig and its ability to set a baseline of Microsoft's advise for security settings...

So i had to try it out 😃

The first thing to do was to get a "report" in powershell that told me that all 340 settings was off - the report is really hard to read because it doesnt explain what i should do about it...

well.. I decided to try letting it do its thing by running the Set command on 2 servers:

DomainController -> DomainController settings

IIS/RRAS -> MemberServer

After first reboot i was kind of dissapointed. Now, before i can login i'm met with a very serious message: "NOTICE TO USERS: AUTHORIZED ACCESS ONLY"

mkay - im sure that hackers and malicious users will DEFINITLY respect that...

I also noticed that my RDCMAN no longer saves the login so i have to punch it in every time.

Waiting for 900 seconds now auto log me out... i guess i can live with that.

Everything else is more or less invisible.

I was told that SMB, TLS and other important stuff has been increased in security, but i'd have to dig deep to confirm it.. everything works almost the same as before.

Here's the thing: I REALLY would like for OSConfig to be visual,

I would LOVE to see a tree of all settings and decide which to take and which to leave out.

I would love to be able to tweak GPO's to deploy all these nice settings across domain computers.

maybe i can ? - I didn't see the option anywhere.

because i didn't get a usefull report over what changed and why, i'm left unsure whether everything is just OK now ? how battle-ready is the server now ?

sorry for my ramblings, i just wanted to give my perspective on this tool.

reddit.com
u/Turbulent_County_469 — 19 days ago

Server 2016 , Administrator vs Administrator

I know that Server 2016 is old but its what we got 😓

I've been working on a testbench , to setup DNS + IIS/RRAS

When installing Server 2016 i'm asked to create a password for the local Administrator account.

Then later i'll join the domain which coincidentally is done with domain\Administrator

Now the funky things start to happen :

at Windows logon screen i'm presented with Administrator and Administrator to choose from, picking either one and logging in, results in logging in as Local Administrator , NOT the domain Admin.

So i was suggested by ChatGPT to rename the computer admin account to LocalAdmin

doing so completely messed up the Domain\Administrator login

so if i login as Domain\Administrator , nothing works , eg Powershell is dead and cant be opened, WhoAmI also doesnt work....

Logging in as .\LocalAdmin now results in logging in as Domain\Administrator - at least to WhoAmI

Luckily i had another account with Domain Admin rights which was able to reverse the renaming and saving the Domain\Administrator account on the machine 😅

The annoying part is when logging in on the Logon screen, that i need to punch in D-O-M-A-I-N\A-D-M-I-N-I-S-T-R-A-T-O-R , every time ... Unless i RDP to the machine using a stored login...

is this just a quirk in Server2016 or am i completely wrong ?

I have worked with 2008r2 for years without such issues.

reddit.com
u/Turbulent_County_469 — 27 days ago

Debugging / Solving stuff with ChatGPT is frustrating.

Over the weekend i used first Claude then later ChatGPT to fix errors and setup Windows Server ...

Claude was the best experience , even though it guessed a bit wrong a few times regarding issues and sent me onto the wrong paths, it was nice that we only tried 1 thing at a time... until i ran out of free tokens.

Then i shifted to ChatGPT and holy smokes its a different experience. Fixing the syncronization of two domains and demoting the old server ran a bit smoother.

BUT DAMN, i had to wack it on the head to stop asking 5 different questions and asking 5 new when i answer the first .... 🤯 ... like "STOP ASKING 5 QUESTIONS"

I also very much dislike that it creates "answer categories" in chunks of 5-8 categories with short answers in each category - its VERY annoying and seems to be the default.

ChatGPT also have a tendency of "knowing better" : "you dont need that..." , well i asked how to get desktop icons onto the desktop, i didnt ask for your opinion !

Claude gives me 1 concise answer without shooting in all directions.

reddit.com
u/Turbulent_County_469 — 28 days ago

Horizon+ game gone from my headset ?

I've had Horizon+ for 3 months and have now paid my first monthly subscription.

Within the first 2 weeks of owning the Quest3 i signed up for Horizon+ and got the 3 month free period.

I downloaded a bunch of Horizon+ games : one of them was Assassins Creed Nexus

I never tried the game because there was a bunch of other games i've been busy with.

Now where i had time i wanted to try it out and its gone !?

My understanding of Horizon+ is that games i redeem is downloaded and work as long as i pay for Horizon+ ?

Or am i mistaken ?

What's the point of shelling out 10€ a month or 60€ pr year if i'm not sure i have access to the games i redeem ?

reddit.com
u/Turbulent_County_469 — 1 month ago
▲ 1 r/TpLink

EdgeRouter ER605 VPN server issues

I purchased an ER605 router a couple of days ago and is currently experimenting with the VPN Server features.

Firmware Version: 2.3.3 Build 20251029 Rel.18054

Hardware Version: ER605 v2.30

I've setup a L2TP (encrypted) server and can connect my PC and/or my iPhone.

however, if i do a Speedtest.net and reach 100mbit upload, the vpn connection is dropped.

I've consulted the GPT oracles and they state that the issue is the fault is with small CPU in the router... but in my mind it makes no sense... unless noone ever tested this device at TP-link...

So - is there any tweaks i should do to make it more stable ?

Regarding the Connection-Drops when VPN connection is established: so far i havent experienced that issue (fingers crossed) https://community.tp-link.com/en/smart-home/forum/topic/532900?sortDir=ASC&page=2

Im also a bit puzzled why i get around 150 Mbit throughput with L2TP (encrypted) when the specs on the website state that it should only handle 45mbit ....???

https://preview.redd.it/1bn0rys7hb4h1.png?width=732&format=png&auto=webp&s=eef2a334d0b80b623c2d990c062511d9153ff756

EDIT:

I've noticed that the connection is disconnected / crashes every time i try to upload data..

eg: with Speedtest.net i get 100-150 mbit download which works fine..

When the upload test is running, the connection drops.

I've seen this happen 5 times in a row now.

EDIT 2:

I just consulted the GPT oracle again , who sugged the MTU is the problem..

so i tried pinging 8.8,8.8 with different messages sizes until i found that 1344 was the biggest that came through.

on Windows i can easily set MTU to 1360 and fix the problem, but not on iPhone 😞

reddit.com
u/Turbulent_County_469 — 1 month ago

Ask the bot about its persona profile it has about you

I see a lot of 'hey look what chatgpt just said'

Im curious if it has a profile description that says 'the user like to hear crazy shit'

It would explain why some people get the 'gone wild' answers while people like me, who use it for useful answers do not.

reddit.com
u/Turbulent_County_469 — 1 month ago
▲ 3 r/MixtapeAI+1 crossposts

Surreal and Strange AI Video | Not Made For The Cage | Kelly Boesch

Very interesting AI Music Video made by Kelly Boesch.

Unsure which tools were used.

youtube.com
u/Turbulent_County_469 — 1 month ago