office 365

Office 365/Outlook 2016 with MFA and the dreaded Password prompt of doom

Posted by robd on October 12, 2018
Exchange Online / No Comments

We recently started implementing Multi-Factor Authentication with Office 365, and today I ran into a weird issue while working from home.

Laptop – Windows 10 1703

Outlook 2016 – 16.0.7726.1049

While opening Outlook 2016 I was prompted for my 365 credentials (over and over again) without any MFA prompt.

It would not go away and would not connect.

So I checked:

OWA – https://outlook.office365.com/owa – worked no problem and was prompted with MFA.

Teams – local install, worked no bother with MFA.

So I went to Azure Active Directory and could see loads of failed attempts:

Specifically: User did not pass MFA challenge (non Interactive)

So my guess was that Outlook wasn't prompting me for MFA for whatever reason. I tried a new Outlook profile, which wouldn't connect, and the following registry entries to try and force basic connections from Outlook:

HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Identity\EnableADAL – DWORD value 0

HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Identity\DisableADALatopWAMOverride – DWORD value 1
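An added PowerShell example (not from the original post) that inspects, sets and removes those two values, so the troubleshooting change can be undone cleanly. The key and value names are the ones the post gives; nothing else is assumed. Worth keeping in mind before trying this: EnableADAL=0 switches Office 2016 away from modern authentication and back to basic authentication, which cannot complete an MFA challenge at all, and DisableADALatopWAMOverride=1 stops Office going through the Windows Web Account Manager broker. Neither value belongs on a machine once troubleshooting is over.

```powershell
# Added example: manage the two registry values the post tried. Run as the
# affected user (the key is under HKCU) with Outlook and Word closed.
$identityKey   = 'HKCU:\SOFTWARE\Microsoft\Office\16.0\Common\Identity'
$overrideNames = 'EnableADAL', 'DisableADALatopWAMOverride'

function Get-OfficeAuthOverride {
    # One row per value. Value is $null when the value is absent, i.e. the
    # Office default (modern auth on, WAM broker allowed) applies.
    foreach ($name in $overrideNames) {
        $item  = Get-ItemProperty -Path $identityKey -Name $name -ErrorAction SilentlyContinue
        $value = $null
        if ($item) { $value = $item.$name }
        [pscustomobject]@{ Name = $name; Value = $value }
    }
}

function Set-OfficeAuthOverride {
    # Writes the values exactly as the post tried them. EnableADAL=0 drops
    # Outlook 2016 back to basic authentication, a path MFA cannot protect.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($identityKey, 'set EnableADAL=0 and DisableADALatopWAMOverride=1')) {
        New-Item -Path $identityKey -Force | Out-Null
        New-ItemProperty -Path $identityKey -Name 'EnableADAL' -PropertyType DWord -Value 0 -Force | Out-Null
        New-ItemProperty -Path $identityKey -Name 'DisableADALatopWAMOverride' -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

function Remove-OfficeAuthOverride {
    # Deletes both values so modern authentication (and with it the MFA prompt) is back on.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($name in $overrideNames) {
        if ($PSCmdlet.ShouldProcess("$identityKey\$name", 'remove value')) {
            Remove-ItemProperty -Path $identityKey -Name $name -ErrorAction SilentlyContinue
        }
    }
}

Get-OfficeAuthOverride        # see what is currently set
Remove-OfficeAuthOverride     # undo the troubleshooting change once you are done
Get-OfficeAuthOverride        # both values should now show an empty Value
```

Use Set-OfficeAuthOverride -WhatIf first if you do want to reproduce the post's experiment; Remove-OfficeAuthOverride puts the machine back to the default whether or not the values were ever written.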

None of this worked so I went all out and did the following which fixed the issue:

  1. Sign out of Office 365
    1. Open Word
    2. In the upper-right corner of the Office 2016 app, click your name, and then click Switch Account.
    3. On the Accounts screen, click Sign out.
    4. Locate the account that you want to remove, and then click Sign out.
  2. Remove the cached credentials in Credentials Manager.
    1. To do this, follow these steps: Open Control Panel, and then click Credentials Manager.
    2. Under Windows Credentials, remove all the accounts under Generic Credentials
  3. Clear cached credentials on the computer from the registry.
    1. Click Start, click Run, type regedit, and then click OK.
    2. In Registry Editor, locate and backup then delete the following registry subkey:

  4. Launch Word and sign in to Office 365 (it logged in without issue).
  5. Launch Outlook. I was prompted for MFA, which I approved on my phone, and I was in.
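The credential and registry clean-up in steps 2 and 3 can be scripted, which makes it repeatable for the next user who hits this. The following is an added example, not the post's own procedure: it lists and deletes the Office 2016 generic credentials with cmdkey (Credential Manager has no built-in cmdlet) and exports a registry subkey to a .reg file before deleting it. The post does not name the subkey it removed, so the function takes the key path as a parameter; the assumption is that it sits under HKCU\Software\Microsoft\Office\16.0\Common\Identity, the key the post was already working in. Step 1 (signing out inside Word) has no command-line equivalent and stays manual.

```powershell
# Added example: scripted versions of steps 2 and 3. Run as the affected user,
# with every Office application closed.

function Get-OfficeGenericCredential {
    # Parse 'cmdkey /list' and return the Office 2016 generic-credential targets.
    # Newer Windows builds print them as 'LegacyGeneric:target=<name>', older ones
    # as the bare name; both are normalised to the bare name here.
    cmdkey /list | ForEach-Object {
        if ($_ -match '^\s*Target:\s*(.+?)\s*$') {
            $Matches[1] -replace '^LegacyGeneric:target=', ''
        }
    } | Where-Object { $_ -like 'MicrosoftOffice16_*' }
}

function Remove-OfficeGenericCredential {
    # Step 2: delete the cached Office credentials. Supports -WhatIf.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($target in Get-OfficeGenericCredential) {
        if ($PSCmdlet.ShouldProcess($target, 'cmdkey /delete')) {
            cmdkey /delete:$target | Out-Null
        }
    }
}

function Backup-ThenRemoveRegistryKey {
    # Step 3: export the key with reg.exe first so the change can be reversed
    # with 'reg import', then delete it. $KeyPath is in reg.exe form
    # (HKCU\Software\...), converted to the provider form for Remove-Item.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $KeyPath,
        [string] $BackupFile = (Join-Path $env:TEMP ('office-identity-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date)))
    )
    reg export $KeyPath $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg export of $KeyPath failed; not deleting it" }
    $providerPath = $KeyPath -replace '^HKCU\\', 'HKCU:\' -replace '^HKLM\\', 'HKLM:\'
    if ($PSCmdlet.ShouldProcess($KeyPath, "delete (backup in $BackupFile)")) {
        Remove-Item -Path $providerPath -Recurse -Force
    }
    $BackupFile
}

Get-OfficeGenericCredential              # review what would be removed
Remove-OfficeGenericCredential -WhatIf   # dry run; drop -WhatIf to delete
# Assumption: the subkey the post deleted lives under the Identity key. Supply it
# yourself, e.g. Backup-ThenRemoveRegistryKey -KeyPath 'HKCU\Software\Microsoft\Office\16.0\Common\Identity\<subkey>' -WhatIf
```

Both destructive functions honour -WhatIf, and the registry function refuses to delete anything if the export failed, so the worst case is a machine that still needs the manual steps rather than one with lost state.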

 


Office 365 to Exchange 2010 on prem calendar free/busy information

Posted by robd on August 22, 2018
exchange 2010 / No Comments

Hello,

Preface this post by saying a man from Exchange support said “This is the most complicated Exchange environment I’ve ever seen”.

That said this issue is pretty common and hopefully this post will help someone else.

We have an Exchange 2010 to 365 hybrid environment that looks a bit like this:

We had an issue where users on our 365 tenancy couldn't see free/busy information for the Exchange 2010 on-premises users in Group2.contoso.com.

Now I know what you're thinking: just compare the settings on Group1 to Group2. Well, due to company rules and politics I can't; I can only troubleshoot Group2 and the servers there.

So first things first: check users' permissions, set up a test user and find the error in Outlook:

Thanks to Babunski and his post I found this really good troubleshooting guide and everything looked ok:

https://support.microsoft.com/en-us/help/10092/troubleshooting-free-busy-issues-in-exchange-hybrid-environment

  • Firewall is fine
  • Network is ok
  • DNS, surprisingly, is working
  • Checked the Exchange Online connectivity tool:

https://www.testexchangeconnectivity.com

  • 365 to on-prem relationship is ok:

  • IIS logs look ok: %SystemDrive%\inetpub\logs\LogFiles

  • EWS logs look ok: %SystemDrive%\inetpub\logs\LogFiles

  • Checked the external URL – seems ok.

  • Checked the IIS permissions with – this looked ok

  • Checked IIS EWS and Autodiscover:

  • Checked more relationship stuff – all ok

Next – contact support!  🙁

 

Before contacting support I did find one more article, which suggests checking the certificates and importing the certificate used to set up the federation onto the CAS server. Unfortunately that didn't work for us:

https://support.microsoft.com/en-gb/help/3057905/exchange-online-users-cannot-access-free-busy-information-of-users-in

 

Soooo here I am, time to contact support.

 

The first thing they checked was the local url on the client access server:

https://ClientAccessGroup2Server1.group.contoso.com/ews/exchange.asmx

So there's an issue: basically we hadn't added the server to our wildcard certificate. So we added the server names as subject alternative names, imported the certificate onto both Client Access servers using PowerShell and then rebooted:

Fixed:

Checked the URLS set in Exchange:

Our internal URL was actually set to the Client Access array for contoso.com rather than group2.contoso.com, so we changed this:

And rebooted again.
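Both findings so far (a CAS host name missing from the certificate, and an InternalUrl pointing at the wrong site's CAS array) can be caught with one check in the Exchange Management Shell. The following is an added example, not something from the post or from Microsoft support: on a Group2 CAS it gathers every host name used by the EWS and Autodiscover virtual directories on that server and reports whether the certificate assigned to IIS actually covers it. It assumes only that it runs in the Exchange 2010 Management Shell on the CAS being checked. Note that a wildcard matches a single label, so a *.contoso.com certificate does not cover ClientAccessGroup2Server1.group.contoso.com; that is why the server names had to be added as SANs.

```powershell
# Added example: does the IIS certificate on this CAS cover every host name in
# the EWS/Autodiscover URLs? Run in the Exchange 2010 Management Shell.

function Get-EwsUrlHost {
    # One row per InternalUrl/ExternalUrl on the local EWS and Autodiscover vdirs.
    $vdirs = @(Get-WebServicesVirtualDirectory -Server $env:COMPUTERNAME) +
             @(Get-AutodiscoverVirtualDirectory -Server $env:COMPUTERNAME)
    foreach ($vdir in $vdirs) {
        foreach ($url in @($vdir.InternalUrl, $vdir.ExternalUrl)) {
            if ($url) {
                [pscustomobject]@{ VDir = $vdir.Name; Url = $url.AbsoluteUri; Host = $url.Host }
            }
        }
    }
}

function Test-EwsCertificateCoverage {
    # Compare each URL host with the subject/SAN domains on the certificate that
    # has the IIS service enabled. A host is covered by an exact SAN entry or by
    # a wildcard one label above it, nothing else.
    $cert = Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' } | Select-Object -First 1
    if (-not $cert) { throw 'No certificate is assigned to the IIS service on this server' }
    $domains = @($cert.CertificateDomains | ForEach-Object { "$_".ToLower() })

    foreach ($entry in Get-EwsUrlHost) {
        $hostName = $entry.Host.ToLower()
        $wildcard = '*.' + ($hostName -replace '^[^.]+\.', '')
        $covered  = ($domains -contains $hostName) -or ($domains -contains $wildcard)
        [pscustomobject]@{
            VDir       = $entry.VDir
            Url        = $entry.Url
            Host       = $hostName
            OnCert     = $covered
            Thumbprint = $cert.Thumbprint
        }
    }
}

Test-EwsCertificateCoverage | Format-Table -AutoSize
```

Any row with OnCert = False is either a host name that needs adding to the certificate or, as in the post, a URL that should be pointing at a different host in the first place; the Url column makes it obvious which.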

 

Next we disabled and re-enabled IIS security (this broke OOF for a while; we had to run this twice):

So here we are, stuck…

 

MS ran some traces using ExTRA:

 

And went away for a while and came back with:

Internet-facing site Contoso.com is able to look up the user and send a request to the Group2 servers.

The request failed with an empty response.

On the Group2 server we notice the error below:

 

So the long and short of it is they think IIS is broken. The traffic is being passed to the Group2 services but these services are not passing the information back up the stream.

 

MS decided they wanted to swap out the EWS web.config with a new one from:

 

The reason being that in the config file it was referencing:

And it should be referencing (or wherever your Exchange install is):

And another reboot.

 

Next we checked the logging from Outlook:

which dumps files to: %Temp%\outlook logging

And they found this error:

 

This prompted MS to check the IIS bindings which were wrong

So we added some missing bindings using these commands:

No change and still the same error: Response Code ErrorProxyRequestProcessingFailed

 

So we checked Windows services and, would you believe it, these .NET services were not installed:

Net.Tcp Listener Adapter

Net.Pipe Listener Adapter

 

So we installed the missing features:

Rebooted both.
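The two missing services are the WCF non-HTTP activation listener adapters, which the EWS proxying path depends on; when they are absent the request reaches the Group2 server and dies there with the empty response support saw. As an added example (not the post's commands), the PowerShell below reports the state of those services and installs the feature behind them if it is missing. It assumes Windows Server 2008 R2, where Exchange 2010 normally lives and where the feature is NET-Non-HTTP-Activ; the 2012-era names are included so the same script works on a newer OS. Run it elevated on each CAS and reboot afterwards, as the post did.

```powershell
# Added example: check and install the WCF net.tcp/net.pipe listener adapters.
Import-Module ServerManager   # Get-WindowsFeature / Add-WindowsFeature

$listenerServices = 'NetTcpPortSharing', 'NetTcpActivator', 'NetPipeActivator'

$activationFeatures = @(
    'NET-Non-HTTP-Activ'          # Windows Server 2008 R2 (.NET 3.5.1 WCF Activation)
    'NET-WCF-TCP-Activation45'    # Windows Server 2012 and later
    'NET-WCF-Pipe-Activation45'
)

function Get-WcfListenerState {
    # One row per listener adapter service. 'Missing' means the feature behind
    # it has never been installed, which is what the post found on the Group2 servers.
    foreach ($name in $listenerServices) {
        $svc   = Get-Service -Name $name -ErrorAction SilentlyContinue
        $state = 'Missing'
        if ($svc) { $state = $svc.Status.ToString() }
        [pscustomobject]@{ Service = $name; State = $state }
    }
}

function Install-WcfNonHttpActivation {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    # Enumerate and filter rather than query by name: asking for a feature name
    # the OS does not know is an error, and only one family of names exists per OS.
    $missing = Get-WindowsFeature |
        Where-Object { $activationFeatures -contains $_.Name -and -not $_.Installed }
    foreach ($feature in $missing) {
        if ($PSCmdlet.ShouldProcess($feature.Name, 'Add-WindowsFeature')) {
            Add-WindowsFeature -Name $feature.Name | Out-Null
        }
    }
    # The adapters hand net.tcp / net.pipe work to IIS, so they must be running
    # and must come back after the reboot.
    foreach ($name in $listenerServices) {
        if (Get-Service -Name $name -ErrorAction SilentlyContinue) {
            Set-Service   -Name $name -StartupType Automatic
            Start-Service -Name $name
        }
    }
}

Get-WcfListenerState            # before
Install-WcfNonHttpActivation    # add -WhatIf to preview the feature install
Get-WcfListenerState            # after: all three should be Running
```

If Get-WcfListenerState still shows Missing after the install, the feature name for that OS is not in the list above; Get-WindowsFeature | Where-Object { $_.Name -like '*Activ*' } shows what the server actually offers.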

And Boom we are working!!!!!!!!!!!!!!!!!!!!!


365 – Shared Mailbox on a mobile device

Posted by robd on February 06, 2018
Server / 1 Comment

Some users need shared mailboxes on their mobile devices; this can be done via IMAP. Bear in mind that IMAP uses basic authentication (username and password only), so it cannot complete an MFA challenge: it works only where basic authentication is still allowed for that user, and it is worth leaving disabled on mailboxes that don't need it.

Add an IMAP account:

Add the shared mailbox email address:

Choose IMAP

This is the most important section; add the user's username and the name of the shared mailbox, for example: Rob@DOMAIN.LOCAL/SHARED.MAILBOX
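Two things have to be true server-side before those client settings will work: IMAP must be enabled on the shared mailbox, and the user must hold Full Access to it. The following is an added example, not part of the original post, that checks both from Exchange Online PowerShell so the helpdesk can tell a permissions problem from a client-configuration one. It assumes an existing admin session to Exchange Online; the mailbox addresses are placeholders.

```powershell
# Added example: verify the prerequisites for IMAP access to a shared mailbox.

function Test-SharedMailboxImapAccess {
    param(
        [Parameter(Mandatory)] [string] $SharedMailbox,   # placeholder, e.g. shared.mailbox@domain.local
        [Parameter(Mandatory)] [string] $User             # placeholder, e.g. rob@domain.local
    )
    # IMAP is a per-mailbox protocol switch on the shared mailbox itself.
    $cas = Get-CASMailbox -Identity $SharedMailbox

    # Full Access must be an explicit, non-deny grant to this user; inherited
    # entries (NT AUTHORITY\SELF and the like) are not what the client logs in with.
    $grant = Get-MailboxPermission -Identity $SharedMailbox | Where-Object {
        ($_.AccessRights -like '*FullAccess*') -and
        -not $_.IsInherited -and -not $_.Deny -and
        ($_.User.ToString() -ieq $User)
    }

    [pscustomobject]@{
        SharedMailbox = $SharedMailbox
        User          = $User
        ImapEnabled   = [bool]$cas.ImapEnabled
        HasFullAccess = [bool]$grant
        Ready         = ([bool]$cas.ImapEnabled) -and ([bool]$grant)
    }
}

Test-SharedMailboxImapAccess -SharedMailbox 'shared.mailbox@domain.local' -User 'rob@domain.local'
```

If ImapEnabled is False, Set-CASMailbox -Identity <shared mailbox> -ImapEnabled $true turns it on for that one mailbox only; if HasFullAccess is False, Add-MailboxPermission -Identity <shared mailbox> -User <user> -AccessRights FullAccess grants the access the IMAP login relies on.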


Office 365 Group Functions

Posted by robd on April 16, 2016
Office 365, powershell / No Comments

Before I get started: this is not referring to standard distribution groups. This post refers to the groups that can be created in the newer version of Office 365 that allow a "Lync-esque" conversation feature with added functionality, such as reviewing previous messages when added at a later date.

 

In most environments, workplaces and the like, this would be a great feature; however, in environments like schools it can lead to some administrative trouble, as there is currently no way to administer the groups once created: they are hidden from the admin unless viewed within the mailbox/OWA of the user who created them.

 

In this particular case these groups needed to be (a) removed manually and (b) blocked from future creation.

 

First you have to connect to Exchange Online via PowerShell, so have your admin credentials ready. Once you are in and ready to make changes, this is the command to run:

 


 

You can create a new policy and apply the above change to it, then set that policy as the default for your users/groups.
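The post's own command did not survive on the page and is not reproduced here. As an added example (not the post's code), the PowerShell below does what the text describes with Exchange Online cmdlets: turn off group creation in an OWA mailbox policy, assign that policy to the mailboxes that need it, and remove the groups that already exist. It assumes an existing admin session to Exchange Online; the policy name and mailbox address are placeholders.

```powershell
# Added example: block Office 365 Group creation via an OWA mailbox policy and
# remove the groups that already exist.

function Disable-GroupCreationForOwa {
    # Create (or reuse) an OWA mailbox policy with group creation switched off
    # and assign it to the given mailboxes. Mailboxes you do not assign keep
    # whichever policy they already had.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]   $PolicyName = 'NoGroupCreation',    # placeholder name
        [string[]] $Mailbox    = @()
    )
    if (-not (Get-OwaMailboxPolicy -Identity $PolicyName -ErrorAction SilentlyContinue)) {
        New-OwaMailboxPolicy -Name $PolicyName | Out-Null
    }
    Set-OwaMailboxPolicy -Identity $PolicyName -GroupCreationEnabled $false
    foreach ($m in $Mailbox) {
        if ($PSCmdlet.ShouldProcess($m, "assign OWA mailbox policy $PolicyName")) {
            Set-CASMailbox -Identity $m -OwaMailboxPolicy $PolicyName
        }
    }
}

function Remove-AllUnifiedGroups {
    # Removes every Office 365 Group in the tenant. Run with -WhatIf first: the
    # list it prints is the only review step before the group mailboxes go.
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($g in Get-UnifiedGroup -ResultSize Unlimited) {
        if ($PSCmdlet.ShouldProcess($g.PrimarySmtpAddress, 'Remove-UnifiedGroup')) {
            Remove-UnifiedGroup -Identity $g.Identity -Confirm:$false
        }
    }
}

# Simplest tenant-wide option: change the built-in default policy in place.
Set-OwaMailboxPolicy -Identity 'OwaMailboxPolicy-Default' -GroupCreationEnabled $false

# Or keep the default untouched and apply a dedicated policy to specific users.
Disable-GroupCreationForOwa -PolicyName 'NoGroupCreation' -Mailbox 'student1@domain.local'

# Review what exists, then remove it.
Get-UnifiedGroup -ResultSize Unlimited | Select-Object DisplayName, PrimarySmtpAddress, WhenCreated
Remove-AllUnifiedGroups -WhatIf
```

Get-UnifiedGroup also answers the administrative worry in the post: the groups are not visible in the admin UI of the day, but they are visible, and removable, from PowerShell.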

 

Please see this article for a much more in-depth overview of the feature and how to disable or utilize it.

 

If you have any questions please email me.

