office 365

Exchange 2010 On-Premises accessing Office 365 Mailboxes

Posted by robd on December 04, 2019
Office 2010, Office 365, Outlook 2010 / No Comments

Had a very weird issue where on-prem users couldn't access mailboxes for online users even though the permissions were correct.

The error was:

Cannot expand the folder. The set of folders cannot be opened.

Had a good Google and the recommendations were to do the following, which didn't work for me:

Connect to 365 and run:

#remove permissions
Remove-MailboxPermission -Identity Manager@bohemiangrove.co.uk -User User1@bohemiangrove.co.uk -AccessRights FullAccess

#Add permissions
Add-MailboxPermission -Identity Manager@bohemiangrove.co.uk -User User1@bohemiangrove.co.uk -AccessRights FullAccess -InheritanceType All -AutoMapping:$false

So what I did to fix this was to add this for

  1. Exit Outlook.
  2. Start Registry Editor (regedit.exe).
  3. In Registry Editor, locate and then click the following registry subkey:
    HKEY_CURRENT_USER\Software\Microsoft\Exchange
  4. On the Edit menu, point to New, and then click DWORD Value.
  5. Type AlwaysUseMSOAuthForAutoDiscover, and then press Enter.
  6. Right-click AlwaysUseMSOAuthForAutoDiscover, and then click Modify.
  7. In the Value data box, type 1, and then click OK.
  8. Exit Registry Editor.
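The same registry change scripted in PowerShell, as an added example that is not part of the original post, so it can be previewed, applied and read back. The key and value are the ones listed above; the function names are this example's own. AlwaysUseMSOAuthForAutoDiscover tells Outlook to use Modern Authentication (OAuth) for Autodiscover against Office 365 rather than falling back to legacy authentication, which is what helps an on-prem user being redirected to an online mailbox. It lives under HKCU, so it is per user; for more than one user deploy it with Group Policy Preferences rather than by hand.

```powershell
# Added example, not from the original post. Assumptions: the affected user's own
# session, Outlook closed (step 1 above), PowerShell 3+. Function names are ours.

$exchangeKey = 'HKCU:\Software\Microsoft\Exchange'
$valueName   = 'AlwaysUseMSOAuthForAutoDiscover'

function Get-OutlookAutodiscoverAuthSetting {
    # $null means the value is absent and Outlook's default behaviour applies.
    $props = Get-ItemProperty -Path $exchangeKey -Name $valueName -ErrorAction SilentlyContinue
    if ($props) { $props.$valueName } else { $null }
}

function Set-OutlookAutodiscoverAuthSetting {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([ValidateSet(0, 1)][int]$Value = 1)

    if (Get-Process -Name outlook -ErrorAction SilentlyContinue) {
        throw 'Exit Outlook first, as step 1 above does.'
    }
    $before = Get-OutlookAutodiscoverAuthSetting
    if ($PSCmdlet.ShouldProcess("$exchangeKey\$valueName", "set DWORD to $Value")) {
        if (-not (Test-Path $exchangeKey)) { New-Item -Path $exchangeKey -Force | Out-Null }
        # -PropertyType DWord creates a REG_DWORD; -Force overwrites an existing value.
        New-ItemProperty -Path $exchangeKey -Name $valueName -Value $Value -PropertyType DWord -Force | Out-Null
    }
    [pscustomobject]@{
        Key    = "$exchangeKey\$valueName"
        Before = $before
        After  = Get-OutlookAutodiscoverAuthSetting
    }
}

# Preview, then apply; After should read back as 1.
Set-OutlookAutodiscoverAuthSetting -WhatIf
Set-OutlookAutodiscoverAuthSetting -Value 1
```

Running it with -WhatIf first shows the exact key it would touch without writing anything, which is worth doing on a machine where a GPO may already manage this value.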


Office 365/Outlook 2016 with MFA and the dreaded Password prompt of doom

Posted by robd on October 12, 2018
Exchange Online / No Comments

We recently started implementing Multi-Factor Authentication with Office 365 and today I ran into a weird issue while working from home.

Laptop – Windows 10 1703

Outlook 2016 – 16.0.7726.1049

While opening Outlook 2016 I was prompted for my 365 credentials (over and over again) without any MFA prompt.

It would not go away and would not connect.

So I checked

OWA – https://outlook.office365.com/owa – worked no problem and was prompted with MFA.

Teams – local install, worked no bother with MFA.

So I went to Azure Active Directory and could see loads of failed attempts:

Specifically: User did not pass MFA challenge (non Interactive)

So my guess was Outlook wasn't prompting me for MFA for whatever reason. I tried a new Outlook profile, which wouldn't connect, and the following registry entries to try and force basic connections from Outlook:

HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Identity\EnableADAL (DWORD) = 0

HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Identity\DisableADALatopWAMOverride (DWORD) = 1

None of this worked so I went all out and did the following which fixed the issue:

  1. Sign out of Office 365:
    1. Open Word.
    2. In the upper-right corner of the Office 2016 app, click your name, and then click Switch Account.
    3. On the Accounts screen, click Sign out.
    4. Locate the account that you want to remove, and then click Sign out.
  2. Remove the cached credentials in Credential Manager:
    1. Open Control Panel, and then click Credential Manager.
    2. Under Windows Credentials, remove the accounts under Generic Credentials (the MicrosoftOffice16_ and ADAL entries are the relevant ones; deleting everything there also drops unrelated saved credentials).
  3. Clear cached credentials on the computer from the registry:
    1. Click Start, click Run, type regedit, and then click OK.
    2. In Registry Editor, locate, back up and then delete the following registry subkey:
    HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\Identity\Identities
  4. Launch Word and sign in to Office 365 (it logged in without issue).
  5. Launch Outlook; I was prompted for MFA, which I approved on my phone, and I was in.

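Steps 2 and 3 above scripted, together with a check of the two registry overrides tried earlier, as an added example that is not part of the original post. The caveat a practitioner wants here: EnableADAL = 0 turns Modern Authentication off in Office 2016, so Outlook falls back to legacy authentication, which can never complete an MFA challenge and guarantees the password loop continues; DisableADALatopWAMOverride = 1 only forces the older ADAL flow instead of Windows 10's Web Account Manager. Neither should be left behind once the cache is rebuilt. The function names, the credential-name filter and the handling of cmdkey's LegacyGeneric:target= prefix are this example's own assumptions.

```powershell
# Added example, not from the original post. Assumptions: Office 2016 (16.0 hive),
# run in the affected user's own session with Word and Outlook closed, PowerShell 3+.

$identityKey = 'HKCU:\Software\Microsoft\Office\16.0\Common\Identity'

function Get-OfficeModernAuthOverrides {
    # EnableADAL = 0 disables Modern Authentication (legacy auth cannot satisfy MFA).
    # DisableADALatopWAMOverride = 1 forces ADAL instead of Windows 10's Web Account Manager.
    $p = Get-ItemProperty -Path $identityKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        EnableADAL                 = $p.EnableADAL
        DisableADALatopWAMOverride = $p.DisableADALatopWAMOverride
        ModernAuthDisabled         = ($p.EnableADAL -eq 0)
    }
}

function Reset-OfficeIdentityCache {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    $open = Get-Process -Name outlook, winword, excel, powerpnt -ErrorAction SilentlyContinue
    if ($open) { throw "Close Office first: $(($open.Name | Sort-Object -Unique) -join ', ')" }

    # 1. Drop the two overrides so Outlook can use Modern Authentication again.
    foreach ($name in 'EnableADAL', 'DisableADALatopWAMOverride') {
        if ($PSCmdlet.ShouldProcess("$identityKey\$name", 'remove value')) {
            Remove-ItemProperty -Path $identityKey -Name $name -ErrorAction SilentlyContinue
        }
    }

    # 2. Office/ADAL entries under Generic Credentials (step 2 above). cmdkey /list prints
    #    "Target: LegacyGeneric:target=<name>"; /delete takes <name> without the prefix
    #    (assumption based on cmdkey's output format).
    $targets = cmdkey /list | ForEach-Object {
        if ($_ -match 'Target:\s*(\S.*)$') { $Matches[1].Trim() }
    } | Where-Object { $_ -match 'MicrosoftOffice16|ADAL' }
    foreach ($t in @($targets)) {
        $name = $t -replace '^LegacyGeneric:target=', ''
        if ($PSCmdlet.ShouldProcess($name, 'cmdkey /delete')) { cmdkey /delete:$name | Out-Null }
    }

    # 3. Back up, then delete, the cached identities (step 3 above).
    $identities = Join-Path $identityKey 'Identities'
    $backup = $null
    if (Test-Path $identities) {
        $backup = Join-Path $env:TEMP ('Identities-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
        if ($PSCmdlet.ShouldProcess($identities, "export to $backup and delete")) {
            reg export ($identities -replace '^HKCU:', 'HKCU') $backup /y | Out-Null
            Remove-Item -Path $identities -Recurse -Force
        }
    }
    [pscustomobject]@{
        CredentialsRemoved = @($targets).Count
        IdentitiesBackup   = $backup
        Overrides          = Get-OfficeModernAuthOverrides
    }
}

# Inspect, preview, then run; afterwards sign in to Word and start Outlook (steps 4 and 5).
Get-OfficeModernAuthOverrides
Reset-OfficeIdentityCache -WhatIf
Reset-OfficeIdentityCache
```

The .reg export lands in %TEMP%, so the Identities key can be put back with reg import if the rebuild goes wrong.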

Office 365 to Exchange 2010 on prem calendar free/busy information

Posted by robd on August 22, 2018
exchange 2010 / No Comments

Hello,

I'll preface this post by saying that a man from Exchange support said "This is the most complicated Exchange environment I've ever seen".

That said, this issue is pretty common and hopefully this post will help someone else.

We have an Exchange 2010 to 365 hybrid environment that looks a bit like this:

We had an issue where users on our 365 tenancy couldn't see on-premises Exchange 2010 free/busy information for users in Group2.contoso.com.

Now I know what you're thinking: just compare the settings on Group1 to Group2. Well, due to company rules and politics I can't. I can only troubleshoot Group2 and the servers there.

So first things first: check user permissions, set up a test user and find the error in Outlook:

"No Information. No free/busy information could be retrieved. The recipient's server could not be contacted. Contact your administrator."

Thanks to Babunski and his post, I found this really good troubleshooting guide, and everything looked OK:

https://support.microsoft.com/en-us/help/10092/troubleshooting-free-busy-issues-in-exchange-hybrid-environment

  • Firewall is fine.
  • Network is OK.
  • DNS, surprisingly, is working.
  • Checked with the Exchange Online connectivity tool:
    https://www.testexchangeconnectivity.com
  • 365-to-prem relationship is OK (run in Exchange Online):
    Get-OrganizationRelationship -Identity "Exchange Online to On Premises Organization Relationship" | FL
  • IIS logs look OK: %SystemDrive%\inetpub\logs\LogFiles
  • EWS logs look OK: %SystemDrive%\inetpub\logs\LogFiles
  • Checked the external URL – seems OK:
    Get-WebServicesVirtualDirectory | FL Name,Server,ExternalUrl
  • Checked the EWS authentication methods – this looked OK:
    Get-WebServicesVirtualDirectory | FL Name,Server,ExternalUrl,ExternalAuthenticationMethods
  • Checked IIS EWS and Autodiscover:
  • Checked more relationship stuff (run on-premises) – all OK:
    Get-OrganizationRelationship -Identity "On Premises to Exchange Online Organization Relationship"

Next – contact support!  🙁

Before I contacted support I did find one more URL that suggests checking the certs and importing the cert you used to set up the federation onto the CAS server, which unfortunately didn't work for us:

https://support.microsoft.com/en-gb/help/3057905/exchange-online-users-cannot-access-free-busy-information-of-users-in

Soooo here I am, time to contact support.

The first thing they checked was the local URL on the Client Access server:

https://ClientAccessGroup2Server1.group.contoso.com/ews/exchange.asmx

So there's an issue: basically we hadn't added the server to our wildcard cert. So we added the server names as Subject Alternative Names, imported the new cert onto both Client Access servers, enabled it for services using PowerShell and then rebooted:

Enable-ExchangeCertificate -Thumbprint 011111111111111111111111111111111111 -Services SMTP,IIS

Fixed:

Checked the URLS set in Exchange:

Get-WebServicesVirtualDirectory | FL

Our internal URL was actually set to the Client Access array for Contoso rather than Group2.contoso.com, so we changed this (the identity is the EWS virtual directory, not just the server name):

Set-WebServicesVirtualDirectory -Identity 'ClientAccessGroup2Server1\EWS (Default Web Site)' -InternalUrl https://CASARRAY.Group2.contoso.com/EWS/exchange.asmx

And rebooted again.
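The two fixes above (certificate coverage and the EWS URL) come down to one check: does the certificate Exchange has bound to IIS cover every host name a client or a proxying CAS will connect to? As an added example that is not part of the original post, the script below pulls the EWS and Autodiscover internal/external URLs plus the server's own FQDN (the proxied cross-site request in the trace further down goes to the server FQDN, not the array name) and tests each against the certificate's domains. The wildcard rule in Test-CertificateCoversHost is the usual one (a wildcard covers exactly one label), which is how a server FQDN ends up outside a wildcard that covers the CAS array name. The Exchange cmdlets are real and need the Exchange Management Shell on the CAS; the function names are this example's own, and the two calls at the bottom use constructed names from the scenario above and run anywhere.

```powershell
# Added example, not from the original post. PowerShell 3+.

function Test-CertificateCoversHost {
    param([string[]]$CertificateDomains, [string]$HostName)
    foreach ($d in $CertificateDomains) {
        if ($d -ieq $HostName) { return $true }
        # A wildcard covers exactly one label: *.group2.contoso.com matches
        # casarray.group2.contoso.com but not server1.group.contoso.com or a.b.group2.contoso.com.
        if ($d.StartsWith('*.')) {
            $suffix = $d.Substring(1)   # ".group2.contoso.com"
            if ($HostName.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) {
                $label = $HostName.Substring(0, $HostName.Length - $suffix.Length)
                if ($label -and $label -notmatch '\.') { return $true }
            }
        }
    }
    return $false
}

function Get-EwsCertificateCoverage {
    # The certificate enabled for IIS is the one clients and proxied requests are shown.
    $cert = Get-ExchangeCertificate | Where-Object { "$($_.Services)" -match 'IIS' } | Select-Object -First 1
    if (-not $cert) { throw 'No certificate is enabled for the IIS service on this server.' }

    $vdirs = @(Get-WebServicesVirtualDirectory -Server $env:COMPUTERNAME) +
             @(Get-AutodiscoverVirtualDirectory -Server $env:COMPUTERNAME)
    $urlHosts = $vdirs | ForEach-Object { $_.InternalUrl, $_.ExternalUrl } |
                Where-Object { $_ } | ForEach-Object { $_.Host }

    # Cross-site free/busy proxying targets the server FQDN, so check that too.
    $fqdn  = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    $hosts = @($urlHosts) + $fqdn | Sort-Object -Unique

    $domains = @($cert.CertificateDomains | ForEach-Object { "$_" })
    foreach ($h in $hosts) {
        [pscustomobject]@{
            Host       = $h
            Covered    = Test-CertificateCoversHost -CertificateDomains $domains -HostName $h
            Thumbprint = $cert.Thumbprint
            Expires    = $cert.NotAfter
        }
    }
}

# On a CAS: any row with Covered = False is a host name the certificate will fail for.
# Get-EwsCertificateCoverage | Format-Table -AutoSize

# The matching rule alone, with constructed names from the scenario above:
Test-CertificateCoversHost -CertificateDomains '*.group2.contoso.com' -HostName 'casarray.group2.contoso.com'
Test-CertificateCoversHost -CertificateDomains '*.group2.contoso.com' -HostName 'clientaccessgroup2server1.group.contoso.com'
```

Run it on each CAS after Enable-ExchangeCertificate and again after any Set-WebServicesVirtualDirectory change, since either can introduce a host name the certificate does not cover.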

Next we disabled and re-enabled the authentication methods on the EWS virtual directory in IIS (this broke OOF for a while; we had to run it twice):

Set-WebServicesVirtualDirectory -Identity 'ClientAccessGroup2Server1\ews (Default Web Site)' -BasicAuthentication $false -WindowsAuthentication $false -WSSecurityAuthentication $false

Set-WebServicesVirtualDirectory -Identity 'ClientAccessGroup2Server1\ews (Default Web Site)' -BasicAuthentication $true -WindowsAuthentication $true -WSSecurityAuthentication $true

So here we are, stuck…

MS ran some traces using ExTRA (the Exchange Troubleshooting Assistant):

And went away for a while and came back with:

Internet-facing site Contoso.com is able to look up the user and send a request to the Group2 servers.

Testy1@contoso.mail.onmicrosoft.com: Request for Testy2@group2.contoso.com is being proxied to https://CASARRAY.Group2.contoso.com/ews/exchange.asmx

Testy1@contoso.mail.onmicrosoft.com: Setting exception to all queries: Microsoft.Exchange.InfoWorker.Common.Availability.ProxyWebRequestProcessingException: System.InvalidOperationException: Client found response content type of '', but expected 'text/xml'.

The request failed with an empty response.

at Microsoft.Exchange.InfoWorker.Common.Availability.AsyncWebRequest.EndInvokeWithErrorHandling(). The request information is ProxyWebRequest type = CrossSite, url = https://ClientAccessGroup2Server1.group2.contoso.com:443/ews/exchange.asmxMailbox list = <Bert Test>SMTP: Testy2@group2.contoso.com, Parameters: windowStart = 30/07/2018 00:00:00, windowEnd = 10/09/2018 00:00:00, MergedFBInterval = 30, RequestedView = MergedOnly. ---> System.InvalidOperationException: Client found response content type of '', but expected 'text/xml'.

On the Group2 server we noticed the error below:

<TraceRecord xmlns="http://schemas.microsoft.com/2004/10/E2ETraceEvent/TraceRecord" Severity="Error"><TraceIdentifier>http://msdn.microsoft.com/en-GB/library/System.ServiceModel.Diagnostics.EventLog.aspx</TraceIdentifier><Description>Wrote to the EventLog.</Description><AppDomain>/LM/W3SVC/1/ROOT/EWS-1-131788827699531225</AppDomain><ExtendedData xmlns="http://schemas.microsoft.com/2006/08/ServiceModel/DictionaryTraceRecord"><CategoryID.Name>WebHost</CategoryID.Name><CategoryID.Value>5</CategoryID.Value><InstanceID.Name>WebHostFailedToProcessRequest</InstanceID.Name><InstanceID.Value>3221356547</InstanceID.Value><Value0>System.ServiceModel.ServiceHostingEnvironment+HostingManager/39086322</Value0><Value1>System.ServiceModel.ServiceActivationException: The service '/EWS/Exchange.asmx' cannot be activated due to an exception during compilation.  The exception message is: This collection already contains an address with scheme http.  There can be at most one address per scheme in this collection.

So the long and short of it is they think IIS is broken. The traffic is being passed to the Group2 services but these services are not passing the information back up the stream.

MS decided they wanted to swap out the EWS web.config with a new one from:

c:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\exchweb\EWS

The reason being that the config file was referencing:

<assemblyIdentity name="Microsoft.Exchange.Common.IL" publicKeyToken="31bf3856ad364e35" culture="neutral" />

<codeBase version="0.0.0.0" href="file:///%ExchangeInstallDir%bin\Microsoft.Exchange.Common.IL.dll"/>

And it should be referencing the real path (or wherever your Exchange install is):

<assemblyIdentity name="Microsoft.Exchange.Common.IL" publicKeyToken="31bf3856ad364e35" culture="neutral" />

 <codeBase version="0.0.0.0" href="file:///C:\Program Files\Microsoft\Exchange Server\V14\bin\Microsoft.Exchange.Common.IL.dll"/>
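A check for exactly this web.config problem, as an added example that is not part of the original post: it lists every codeBase entry in an EWS web.config, flags hrefs that still contain an unexpanded %...% variable (a codeBase href is a URI and is not expanded, so such an entry can never load its DLL), tests whether the referenced DLL exists, and prints the href it should be. The sample web.config is constructed here to mirror the snippet above; on a real server point $Path at the EWS web.config. $env:ExchangeInstallPath is set by Exchange setup; the fallback is the default V14 path from the post. Function name and output fields are this example's own.

```powershell
# Added example, not from the original post. PowerShell 3+.

function Get-CodeBaseReferences {
    param([xml]$Config, [string]$ExchangeInstallPath)

    # <assemblyBinding> is in its own namespace, so XPath needs a prefix for it.
    $ns = New-Object System.Xml.XmlNamespaceManager($Config.NameTable)
    $ns.AddNamespace('asm', 'urn:schemas-microsoft-com:asm.v1')
    $install = $ExchangeInstallPath.TrimEnd('\') + '\'   # %ExchangeInstallDir% includes the trailing backslash

    foreach ($dep in $Config.SelectNodes('//asm:dependentAssembly', $ns)) {
        $id   = $dep.SelectSingleNode('asm:assemblyIdentity', $ns)
        $code = $dep.SelectSingleNode('asm:codeBase', $ns)
        if (-not $id -or -not $code) { continue }

        $href = $code.GetAttribute('href')
        $raw  = $href -replace '^file:///', ''
        # An unexpanded environment-style variable is taken literally by the loader.
        $unexpanded = $raw -match '%[A-Za-z_][A-Za-z0-9_]*%'
        $path = if ($unexpanded) { $raw } else { [Uri]::UnescapeDataString($raw) }
        $suggested = if ($unexpanded) { 'file:///' + ($raw -replace '%ExchangeInstallDir%', $install) } else { $href }

        [pscustomobject]@{
            Assembly      = $id.GetAttribute('name')
            Href          = $href
            Unexpanded    = $unexpanded
            DllExists     = (-not $unexpanded) -and (Test-Path -LiteralPath $path)
            SuggestedHref = $suggested
        }
    }
}

# Constructed sample mirroring the bad entry quoted above (not a real server's file).
$sampleConfig = [xml]@'
<configuration><runtime>
  <assemblyBinding xmlns="urn:schemas-microsoft-com:asm.v1">
    <dependentAssembly>
      <assemblyIdentity name="Microsoft.Exchange.Common.IL" publicKeyToken="31bf3856ad364e35" culture="neutral" />
      <codeBase version="0.0.0.0" href="file:///%ExchangeInstallDir%bin\Microsoft.Exchange.Common.IL.dll" />
    </dependentAssembly>
  </assemblyBinding>
</runtime></configuration>
'@

$install = if ($env:ExchangeInstallPath) { $env:ExchangeInstallPath } else { 'C:\Program Files\Microsoft\Exchange Server\V14\' }
Get-CodeBaseReferences -Config $sampleConfig -ExchangeInstallPath $install | Format-List

# Real file on a CAS (back it up first; MS fixed it by swapping in a fresh copy):
# $Path = Join-Path $install 'ClientAccess\exchweb\EWS\web.config'
# Get-CodeBaseReferences -Config ([xml](Get-Content -LiteralPath $Path)) -ExchangeInstallPath $install
```

For the sample the output shows Unexpanded = True, DllExists = False and a SuggestedHref pointing at the bin directory under the install path, which is the corrected line shown above.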

And another reboot.

Next we checked the logging from Outlook:

This dumps files to: %Temp%\outlook logging

And they found this error:

Exception Type Microsoft.Exchange.InfoWorker.Common.Availability.ProxyWebRequestProcessingException

Response Code ErrorProxyRequestProcessingFailed

This prompted MS to check the IIS bindings, which were wrong.

So we added the missing bindings using these commands (appcmd echoes SITE object "Default Web Site" changed after each one):

C:\Windows\system32>cd inetsrv

appcmd set site /site.name:"Default Web Site" /+bindings.[protocol='net.tcp',bindingInformation='808:*']

appcmd set site /site.name:"Default Web Site" /+bindings.[protocol='net.pipe',bindingInformation='*']

appcmd set site /site.name:"Default Web Site" /+bindings.[protocol='net.msmq',bindingInformation='localhost']

appcmd set site /site.name:"Default Web Site" /+bindings.[protocol='msmq.formatname',bindingInformation='localhost']

No change and still the same error: Response Code ErrorProxyRequestProcessingFailed

So we checked Windows services and, would you believe it, these .NET (WCF) services were not installed:

Net.Tcp Listener Adapter

Net.Pipe Listener Adapter

So we installed the missing features:

Rebooted both.

And boom, we are working!

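The last two findings (the non-HTTP bindings on Default Web Site and the missing WAS listener adapter services) belong together, since the bindings are useless without the adapters that service them. As an added example that is not the post's own commands, Test-EwsActivationPrereqs reports what is missing and Repair-EwsActivationPrereqs adds bindings with appcmd (the same form as above) and installs the WCF non-HTTP activation feature. Assumptions: the feature name NET-Non-HTTP-Activ is the Windows Server 2008 R2 name, the usual Exchange 2010 host; Server 2012 and later use NET-WCF-TCP-Activation45 and NET-WCF-Pipe-Activation45, passed via -FeatureName. NetTcpActivator and NetPipeActivator are the short service names behind the display names listed above. The net.msmq bindings are left out because they only matter if MSMQ is in use. Run elevated on the CAS, with the IIS Management Scripts and Tools feature present for the WebAdministration module, and reboot after adding the feature, as the post did.

```powershell
# Added example, not from the original post. Run elevated on the CAS; PowerShell 3+.

Import-Module WebAdministration   # Get-WebBinding
Import-Module ServerManager       # Get-/Add-WindowsFeature

$site = 'Default Web Site'
$requiredBindings = @{ 'net.tcp' = '808:*'; 'net.pipe' = '*' }
# Short names behind "Net.Tcp Listener Adapter" and "Net.Pipe Listener Adapter".
$requiredServices = 'NetTcpActivator', 'NetPipeActivator'

function Test-EwsActivationPrereqs {
    $present = @(Get-WebBinding -Name $site | ForEach-Object { $_.protocol })
    $missingBindings = @($requiredBindings.Keys | Where-Object { $present -notcontains $_ })

    $serviceProblems = @(foreach ($name in $requiredServices) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc) { "$name (not installed)" }
        elseif ($svc.Status -ne 'Running') { "$name ($($svc.Status))" }
    })

    [pscustomobject]@{
        MissingBindings = $missingBindings
        ServiceProblems = $serviceProblems
        Healthy         = ($missingBindings.Count -eq 0) -and ($serviceProblems.Count -eq 0)
    }
}

function Repair-EwsActivationPrereqs {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string[]]$FeatureName = @('NET-Non-HTTP-Activ'))   # OS-specific, see lead-in

    $state = Test-EwsActivationPrereqs
    foreach ($proto in $state.MissingBindings) {
        $info = $requiredBindings[$proto]
        if ($PSCmdlet.ShouldProcess($site, "add binding $proto $info")) {
            # WAS routes net.tcp / net.pipe activation to the site only if these bindings exist.
            & "$env:windir\system32\inetsrv\appcmd.exe" set site "/site.name:$site" "/+bindings.[protocol='$proto',bindingInformation='$info']"
        }
    }

    if ($state.ServiceProblems.Count -gt 0) {
        $missing = @(Get-WindowsFeature -Name $FeatureName | Where-Object { -not $_.Installed })
        if ($missing -and $PSCmdlet.ShouldProcess(($missing.Name -join ', '), 'Add-WindowsFeature')) {
            Add-WindowsFeature -Name $missing.Name | Out-Null   # reboot afterwards, as the post did
        }
        foreach ($name in $requiredServices) {
            Set-Service -Name $name -StartupType Automatic -ErrorAction SilentlyContinue
            Start-Service -Name $name -ErrorAction SilentlyContinue
        }
    }
    Test-EwsActivationPrereqs
}

Test-EwsActivationPrereqs
Repair-EwsActivationPrereqs -WhatIf
```

Healthy = True from the final Test-EwsActivationPrereqs is the state the post reached after its last reboot; anything still listed under ServiceProblems after the feature install usually just needs that reboot.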

365 – Shared Mailbox on a mobile device

Posted by robd on February 06, 2018
Server / 1 Comment

Some users need shared mailboxes on their mobile devices; this can be done via IMAP. The user authenticates with their own credentials (IMAP is basic authentication, so MFA cannot prompt; an account under MFA needs an app password) and needs IMAP enabled on their own mailbox plus Full Access to the shared mailbox.

  1. Add an IMAP account.
  2. Add the shared mailbox email address.
  3. Choose IMAP.
  4. This is the most important section: for the username, enter the user's username followed by the name of the shared mailbox, for example: Rob@DOMAIN.LOCAL/SHARED.MAILBOX

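The server side of the procedure above with the least access needed, as an added example that is not part of the original post: grant the user Full Access to the shared mailbox, enable IMAP on the user's mailbox (the one that actually authenticates), keep IMAP and POP off on the shared mailbox itself, and report the resulting IMAP username in the user@domain/sharedmailbox form used above. Requires Exchange Online PowerShell; the function names and the placeholder addresses are this example's own.

```powershell
# Added example, not from the original post. Requires an Exchange Online PowerShell session.

function Grant-SharedMailboxImapAccess {
    param(
        [Parameter(Mandatory = $true)][string]$User,           # the person with the phone, e.g. rob@domain.local
        [Parameter(Mandatory = $true)][string]$SharedMailbox   # e.g. shared.mailbox@domain.local
    )
    # Full Access is the permission the user@domain/sharedmailbox IMAP login is checked against.
    Add-MailboxPermission -Identity $SharedMailbox -User $User -AccessRights FullAccess `
        -InheritanceType All -AutoMapping:$false | Out-Null

    # IMAP must be on for the mailbox that authenticates: the user's, not the shared one.
    Set-CASMailbox -Identity $User -ImapEnabled $true
    # The shared mailbox never logs in itself, so keep its own legacy protocols off.
    Set-CASMailbox -Identity $SharedMailbox -ImapEnabled $false -PopEnabled $false

    $alias = (Get-Mailbox -Identity $SharedMailbox).Alias
    [pscustomobject]@{
        User              = $User
        ImapUsername      = "$User/$alias"   # the format shown in the step above
        UserImapEnabled   = (Get-CASMailbox -Identity $User).ImapEnabled
        SharedImapEnabled = (Get-CASMailbox -Identity $SharedMailbox).ImapEnabled
    }
}

function Get-ImapEnabledMailboxes {
    # Review periodically: IMAP and POP are basic authentication, so every mailbox
    # listed here is reachable without an MFA prompt.
    Get-CASMailbox -ResultSize Unlimited | Where-Object { $_.ImapEnabled -or $_.PopEnabled } |
        Select-Object Identity, ImapEnabled, PopEnabled
}

Grant-SharedMailboxImapAccess -User 'rob@domain.local' -SharedMailbox 'shared.mailbox@domain.local'
Get-ImapEnabledMailboxes | Format-Table -AutoSize
```

Get-ImapEnabledMailboxes is the list to keep short: only the users who genuinely need a shared mailbox on a phone should appear in it.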

Office 365 Group Functions

Posted by robd on April 16, 2016
Office 365, powershell / No Comments

Before I get started, this is not referring to standard Distribution Groups; this post refers to the groups that can be created in the newer version of Office 365 (Office 365 Groups) that allow a "Lync-esque" conversation feature with added functionality, such as reviewing previous messages when added at a later date.

In most environments this would be a great feature, workplaces and the like; however, in environments like schools it can lead to administrative trouble, as there is currently no way to administer the groups once created: they are hidden from the admin unless viewed within the mailbox/OWA of the user who created them.

In this particular case these groups needed to be (A) removed manually and (B) blocked from future creation.

First you have to connect to Exchange Online via PowerShell, so have your admin credentials ready. Once you are in and ready to make changes, this is the command to run:

Set-OwaMailboxPolicy -Identity DOMAIN.LOCAL\OwaMailboxPolicy-Default -GroupCreationEnabled $false

You can also create a new policy, apply the above change to it, and then assign that policy to the relevant users with Set-CASMailbox -OwaMailboxPolicy.

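Both halves of the task above, removal and blocking, scripted as an added example that is not part of the original post. Two things worth knowing: Get-UnifiedGroup enumerates the groups tenant-wide from an admin session, owners included, so they do not have to be hunted for in the creator's mailbox; and the OWA mailbox policy governs creation from Outlook and OWA only, while creation from other workloads is controlled by the Azure AD Group.Unified directory setting. Requires an Exchange Online remote PowerShell session; the function names, the default policy name and the group name in the usage line are this example's assumptions.

```powershell
# Added example, not from the original post. Requires Exchange Online PowerShell; PowerShell 3+.

function Get-UnifiedGroupInventory {
    # Tenant-wide list with owners, so groups can be found without opening the creator's mailbox.
    Get-UnifiedGroup -ResultSize Unlimited | ForEach-Object {
        [pscustomobject]@{
            DisplayName = $_.DisplayName
            Address     = $_.PrimarySmtpAddress
            Owners      = (@($_.ManagedBy) -join '; ')
            Created     = $_.WhenCreated
        }
    }
}

function Disable-OwaGroupCreation {
    param([string]$Policy = 'OwaMailboxPolicy-Default')   # assumed default policy name
    Set-OwaMailboxPolicy -Identity $Policy -GroupCreationEnabled $false
    Get-OwaMailboxPolicy -Identity $Policy | Select-Object Name, GroupCreationEnabled, IsDefault

    # Mailboxes explicitly assigned a different OWA policy are not covered by this change;
    # either change that policy too or move them with Set-CASMailbox -OwaMailboxPolicy.
    Get-CASMailbox -ResultSize Unlimited |
        Where-Object { $_.OwaMailboxPolicy -and "$($_.OwaMailboxPolicy)" -ne $Policy } |
        Select-Object Identity, OwaMailboxPolicy
}

function Remove-UnifiedGroupByName {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param([Parameter(Mandatory = $true)][string]$DisplayName)
    # Double any single quote so the name cannot break out of the OPATH filter string.
    $safe   = $DisplayName -replace "'", "''"
    $groups = @(Get-UnifiedGroup -Filter "DisplayName -eq '$safe'")
    if ($groups.Count -ne 1) { throw "Expected exactly one group named '$DisplayName', found $($groups.Count)." }
    if ($PSCmdlet.ShouldProcess($groups[0].PrimarySmtpAddress, 'Remove-UnifiedGroup')) {
        Remove-UnifiedGroup -Identity $groups[0].Identity -Confirm:$false
    }
}

# Usage: inventory, lock down the default policy, then remove unwanted groups one at a time.
Get-UnifiedGroupInventory | Format-Table -AutoSize
Disable-OwaGroupCreation
Remove-UnifiedGroupByName -DisplayName 'Year 9 Banter' -WhatIf   # placeholder group name
```

Remove-UnifiedGroupByName insists on exactly one match and supports -WhatIf, so a display name shared by two groups stops the script instead of deleting the wrong one.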
Please see this article for a much more in-depth overview of the feature and how to disable or utilize it.

If you have any questions please email me.