Exchange 2013 EAS / EWS Multi Instance Follow-up

The premise: a single Exchange CAS can accept different authentication methods at the same time (Password, Kerberos, Certificate). What I found is that Exchange EWS then has two instances responding at once (Password Auth / Certificate Auth), so when the Outlook client uses the Web Service for notifications, IIS throws Error 500 0 64.

“POST /EWS/Exchange.asmx – 443 – 10.0.1.35 Microsoft+Office/16.0+(Windows+NT+10.0;+Microsoft+Outlook+16.0.7927;+Pro) – 500 0 64 15”

But why?

Since nobody talks about the EWS multi-instance scenario, four days of searching got nowhere. Changed direction and thought about how to make Outlook find only the default EWS, while the mobile device mail profile, being controlled by MDM (MobileIron), has EWS pinned to Cert Auth. Following that thought leads to doing the restriction at AutoDiscover. Also found that testing with 'https://testconnectivity.microsoft.com' comes back as a Failure. The reason is the EWS vDir using CBA..... Test Failed....

Finally, by luck, found a hint: the URL of the AutoDiscover website. Originally it was a CNAME pointing at the CAS's internal name. That is the root cause.

What was found: when DNS resolves AutoDiscover through a CNAME pointing at the CAS internal name, and the CAS internal name is then used for EWS, both sites get used.

Presumably however many EWS instances there are, they will all be used, because every Exchange virtual directory really does sit on the same machine.

So under this kind of setup, change the AutoDiscover DNS record to a Host (A) record pinned to the IP of the Default Web Site EWS...

But the original problem is still not solved......

To be continued....

Reference site:

https://forums.iis.net/t/1230097.aspx?http+500+0+64+IIS+with+Client+Certificate+Required

Quote:

500 = Internal Server Error

64 = The specified network name is no longer available.

https://support.microsoft.com/en-us/help/940726/outlook-2007-security-warning-the-name-of-the-security-certificate-is-invalid-or-does-not-match-the-name-of-the-site

Quote:

Important These steps assume that a host record exists in the DNS to map the FQDN that you specify to the IP address of the CAS server. For example, consider the following scenario:

  • The original internal URLs for the Exchange components point to the internal FQDN of the server. For example, one of these URLs points to the following:
    https://ServerName.contoso.com/ews/exchange.asmx
  • The FQDN that is specified on the certificate points to the externally accessed host name of the server. For example, the certificate specifies an FQDN, such as “mail.contoso.com.”

In this scenario, you must add a host record for the mail host name that is mapped to the internally accessed IP address of the CAS server to let internal clients access the server.

Exchange 2013 – Web Service(EWS) Virtual Directory Creation

Microsoft's EWS virtual directory is even stranger than creating an ActiveSync virtual directory, and even less discussed.

You would absolutely expect every creation step to be doable in the Exchange Management Shell, but the "great" M$ surprised us yet again...

The result I eventually worked out was....

EWS Virtual Directory Creation – use a plain PowerShell console, then "Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010"
Reading this far, you read that right.. it is the 2010 module
How do I know? Because I mistakenly created an extra PowerShell virtual directory in the Default Web Site and then could not remove it.......
Finally found someone on Experts Exchange describing the same problem......

Create PowerShell vDir – Exchange Management PowerShell

Remove PowerShell vDir – Normal PowerShell + PSSnapin (E2010)

Create Web Services vDir – Normal PowerShell + PSSnapin (E2010)

Remove Web Services vDir – Exchange Management PowerShell
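The matrix above, scripted as one switchable tool. This is an added example and not code from the original post; the server name EX01, the extra IIS site name EWS_CBA and the host name mailcba.domain.com are assumed placeholders. The comments say which console each mode is meant for, matching the combinations the post found to work.

```powershell
# Added example, not from the original post: scripts the Create/Remove matrix above.
# Assumed names: Exchange server EX01, extra IIS site "EWS_CBA", host mailcba.domain.com.
# Run -Mode CreateEws or -Mode RemovePsVdir from a PLAIN Windows PowerShell console
# (the snap-in route the post describes); run -Mode CreatePsVdir or -Mode RemoveEws
# from the Exchange Management Shell.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory)]
    [ValidateSet('CreateEws', 'RemoveEws', 'CreatePsVdir', 'RemovePsVdir')]
    [string]$Mode,
    [string]$Server   = 'EX01',
    [string]$Site     = 'EWS_CBA',
    [string]$HostName = 'mailcba.domain.com'
)

$ewsUrl = "https://$HostName/EWS/Exchange.asmx"

function Use-ExchangeSnapin {
    # Plain-PowerShell route: load the snap-in. Exchange 2013 still registers it
    # under the E2010 name, which is the "2010 module" surprise noted above.
    $name = 'Microsoft.Exchange.Management.PowerShell.E2010'
    if (-not (Get-PSSnapin -Name $name -ErrorAction SilentlyContinue)) {
        Add-PSSnapin $name
    }
}

switch ($Mode) {
    'CreateEws' {
        Use-ExchangeSnapin
        if ($PSCmdlet.ShouldProcess("$Server\EWS ($Site)", 'New-WebServicesVirtualDirectory')) {
            New-WebServicesVirtualDirectory -Server $Server -WebSiteName $Site `
                -InternalUrl $ewsUrl -ExternalUrl $ewsUrl
        }
    }
    'RemovePsVdir' {
        Use-ExchangeSnapin
        $id = "$Server\PowerShell ($Site)"
        if ($PSCmdlet.ShouldProcess($id, 'Remove-PowerShellVirtualDirectory')) {
            Remove-PowerShellVirtualDirectory -Identity $id -Confirm:$false
        }
    }
    'CreatePsVdir' {
        # Exchange Management Shell route.
        if ($PSCmdlet.ShouldProcess("$Server\PowerShell ($Site)", 'New-PowerShellVirtualDirectory')) {
            New-PowerShellVirtualDirectory -Server $Server -WebSiteName $Site -Name 'PowerShell'
        }
    }
    'RemoveEws' {
        # Exchange Management Shell route.
        $id = "$Server\EWS ($Site)"
        if ($PSCmdlet.ShouldProcess($id, 'Remove-WebServicesVirtualDirectory')) {
            Remove-WebServicesVirtualDirectory -Identity $id -Confirm:$false
        }
    }
}

# Readback: every EWS and PowerShell vDir on the server, so an accidental extra
# copy on the Default Web Site (the post's mishap) is visible immediately.
Get-WebServicesVirtualDirectory -Server $Server | Format-Table Identity, InternalUrl -AutoSize
Get-PowerShellVirtualDirectory  -Server $Server | Format-Table Identity -AutoSize
```

Run it once with `-WhatIf` to see which console and cmdlet a mode will use before letting it touch IIS; the readback at the end runs in either console once the snap-in or shell is loaded.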

Reference site

https://www.experts-exchange.com/questions/26813020/remove-powershellvirtudirectory-not-working.html

http://hkeylocalmachine.com/?p=180

Microsoft ActiveSync – New EAS Website with Certificate Based Authentication (CBA) on the same server

To avoid building another CAS while still being able to try CBA, just add one more NIC and one more IP. Fast, neat and proper.

But during deployment, Exchange/IIS absolutely torment you.

The steps on the referenced website (see Setup Procedure Reference below) are definitely correct (the first one is recommended).
Problems encountered:
1. Two IPs on the same NIC cause a wrong-host-IP problem during setup, so not recommended.
2. Avoid using IIS for the settings, in particular Step 11, enabling clientCertificateMappingAuthentication, and the final step, enabling "Require Client Certificate".

IIS can change it too, but the great M$ says Exchange things should be done in the Exchange Admin Center (EAC), same as with SharePoint......

Didn't believe it.... The price I paid was a variety of IIS errors..
Maybe 403.7, followed by 403.16........
Or else Error 500.. Congratulations ~ Game Over... Happened several times; had to delete the site and start over.....

3. EWS IIS Error 413; if not fixed, notifications also stop working

The following need to be changed:

C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\autodiscover\web.config
C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\ews\web.config
Replace the value of "uploadReadAheadSize" from 0 to 1048576 (bytes) in both files
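The web.config change above, done with a backup and a readback rather than by hand-editing. This is an added example and not from the original post; the two paths and the value 1048576 are the ones the post gives, and the script assumes the setting lives on the `serverRuntime` element under `system.webServer` (where IIS defines `uploadReadAheadSize`), creating that element if a file happens not to have it.

```powershell
# Added example, not from the original post: sets uploadReadAheadSize in both
# front-end web.config files listed above, keeping a timestamped backup of each.
# Assumption: the attribute sits on /configuration/system.webServer/serverRuntime.
$files = @(
    'C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\autodiscover\web.config',
    'C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\ews\web.config'
)
$newSize = 1048576   # 1 MiB, the value the post uses; 0 is what caused the 413s

function Set-UploadReadAheadSize {
    param([string]$Path, [int]$Size)

    if (-not (Test-Path $Path)) { throw "web.config not found: $Path" }
    Copy-Item -Path $Path -Destination ("{0}.bak-{1}" -f $Path, (Get-Date -Format 'yyyyMMddHHmmss'))

    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true        # keep Exchange's own layout/comments intact
    $xml.Load($Path)

    $webServer = $xml.SelectSingleNode('/configuration/system.webServer')
    if (-not $webServer) { throw "No <system.webServer> element in $Path" }

    $runtime = $webServer.SelectSingleNode('serverRuntime')
    if (-not $runtime) {
        # Assumption: create the element if this file lacks it rather than fail.
        $runtime = $xml.CreateElement('serverRuntime')
        [void]$webServer.AppendChild($runtime)
    }

    $old = $runtime.GetAttribute('uploadReadAheadSize')
    $runtime.SetAttribute('uploadReadAheadSize', [string]$Size)
    $xml.Save($Path)

    # Re-read from disk so the readback reflects what IIS will actually load.
    $check = New-Object System.Xml.XmlDocument
    $check.Load($Path)
    [pscustomobject]@{
        File     = $Path
        OldValue = $(if ($old) { $old } else { '(absent)' })
        NewValue = $check.SelectSingleNode('/configuration/system.webServer/serverRuntime').GetAttribute('uploadReadAheadSize')
    }
}

$results = foreach ($f in $files) { Set-UploadReadAheadSize -Path $f -Size $newSize }
$results | Format-Table -AutoSize

# The front-end app pools only pick the new value up after a recycle; in a
# maintenance window:  iisreset /noforce
```

The `OldValue`/`NewValue` columns make it obvious if one of the two files was already changed or if the element was missing, which is the usual reason a 413 persists after a "fix" that only touched one web.config.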

4. Last, and the strangest: it was said that the server's Local Machine Trusted Root Certification Authorities store had too many certs. In the end a filter script was used to find the intermediate certs and move them out....

The cert used by the client device can be pushed down by GPO through an AD enrollment policy; a domain member PC installs it automatically at logon....
Or the cert can come from MDM via a SCEP profile.
Most important is that the cert's Subject is the user's email address and the cert's SAN carries the user's DN/UPN; then it will be recognised.

Filter script...

Get-ChildItem cert:\LocalMachine\root -Recurse | Where-Object {$_.Issuer -ne $_.Subject} | Format-List * | Out-File "c:\computer_filtered.txt"
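The filter above only lists the offending certificates; the post then says they were "moved out". The following added example (not the post's own script) goes one step further: it writes the same report, and with `-Move` relocates each non-self-signed certificate from Trusted Root to the Intermediate Certification Authorities store, which is where a cert whose Issuer differs from its Subject belongs. Without `-Move` it is a dry run. The report path is the one the post uses.

```powershell
# Added example, not from the original post: report and optionally relocate
# certificates that sit in LocalMachine\Root but are not self-signed (Issuer != Subject).
# An oversized or polluted Root store is the condition behind the 403.7/403.16
# client-certificate failures the post hit (see the KB 2802568 link below).
[CmdletBinding()]
param(
    [switch]$Move,                                   # default is dry run
    [string]$Report = 'C:\computer_filtered.txt'     # same path as the post's filter
)

function Get-MisplacedIntermediate {
    # A genuine root is self-signed, so Issuer equals Subject. Anything else in
    # Root is a chain certificate that should live in the CA (Intermediate) store.
    @(Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Issuer -ne $_.Subject })
}

$misplaced = Get-MisplacedIntermediate
$misplaced | Select-Object Subject, Issuer, Thumbprint, NotAfter |
    Format-List | Out-File -FilePath $Report

"Root store holds $((Get-ChildItem Cert:\LocalMachine\Root).Count) certificates; " +
"$($misplaced.Count) are not self-signed. Report: $Report"

if ($Move -and $misplaced.Count -gt 0) {
    $rootStore = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
    $caStore   = New-Object System.Security.Cryptography.X509Certificates.X509Store('CA',   'LocalMachine')
    $rootStore.Open('ReadWrite')
    $caStore.Open('ReadWrite')
    try {
        foreach ($cert in $misplaced) {
            $caStore.Add($cert)        # copy into Intermediate CAs first...
            $rootStore.Remove($cert)   # ...then drop the misplaced Root entry
            "Moved $($cert.Thumbprint)  $($cert.Subject)"
        }
    }
    finally {
        $rootStore.Close()
        $caStore.Close()
    }
}
elseif (-not $Move) {
    'Dry run only; re-run with -Move to relocate the listed certificates.'
}
```

Run it as an administrator (the LocalMachine stores are not writable otherwise) and keep the report: it is the list you would need if a moved certificate later turns out to have been deliberately trusted as a root.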

https://support.microsoft.com/en-hk/help/2802568/internet-information-services-iis-8-may-reject-client-certificate-requests-with-http-403.7-or-403.16-errors

https://support.microsoft.com/en-hk/help/2795828/lync-server-2013-front-end-service-cannot-start-in-windows-server-2012

Reference

Step 11. Enabled cba on the ActiveSync website from elevated command prompt.
a. APPCMD.EXE set config "EAS_CBA/Microsoft-Server-ActiveSync" -section:system.webServer/security/authentication/clientCertificateMappingAuthentication /enabled:"True" /commit:apphost

Additional EAS vDir creation

In Exchange Mgmt shell:

Command: New-ActiveSyncVirtualDirectory -WebSiteName "EAS_CBA" -ExternalUrl https://mailcba.domain.com/Microsoft-Server-ActiveSync -Server servername -InternalURL https://mailcba.domain.com/Microsoft-Server-ActiveSync
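The post's advice is to leave the client-certificate setting to Exchange rather than to IIS (the appcmd in Step 11). The added example below (not from the post or the referenced guides) does exactly that from the Exchange Management Shell: it creates the vDir with the command quoted above and then sets client-certificate authentication on it with `Set-ActiveSyncVirtualDirectory`, which writes the matching IIS configuration itself. Server name EX01, site EAS_CBA and host mailcba.domain.com are placeholders.

```powershell
# Added example, not from the original post: EAS vDir on a dedicated IIS site,
# switched to required client-certificate auth via Exchange cmdlets (not appcmd).
# Assumed placeholders: server EX01, IIS site EAS_CBA, host mailcba.domain.com.
$server = 'EX01'
$site   = 'EAS_CBA'
$url    = 'https://mailcba.domain.com/Microsoft-Server-ActiveSync'

# 1. Create the ActiveSync vDir on the separate website (same as the quoted command).
New-ActiveSyncVirtualDirectory -Server $server -WebSiteName $site `
    -InternalUrl $url -ExternalUrl $url

# 2. Require a client certificate and disable Basic on this vDir only, so a
#    password alone can never authenticate against the CBA site. Exchange updates
#    the IIS clientCertificateMappingAuthentication / SSL flags for us.
$id = "$server\Microsoft-Server-ActiveSync ($site)"
Set-ActiveSyncVirtualDirectory -Identity $id -ClientCertAuth Required -BasicAuthEnabled $false

# 3. Readback: both EAS vDirs side by side. The Default Web Site copy must still
#    show ClientCertAuth Ignore and Basic enabled, otherwise password devices break.
Get-ActiveSyncVirtualDirectory -Server $server |
    Select-Object Identity, ClientCertAuth, BasicAuthEnabled, WindowsAuthEnabled, InternalUrl |
    Format-Table -AutoSize
```

The readback is the part worth keeping: with two EAS instances on one server the failure mode is changing the wrong one, and the table shows both in one view.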

Setup Procedure Reference

http://www.o-xchange.com/p/configuring-exchange-active-sync-for.html

https://blogs.technet.microsoft.com/exchange/2012/11/28/configure-certificate-based-authentication-for-exchange-activesync/

http://i-evgeny.blogspot.hk/2015/09/exchange-2013-413-request-entity-too.html

Microsoft OCSP configuration procedure: if you don't duplicate the template it will definitely fail

Setup isn't hard, but there's a high chance of overlooking the step of duplicating the template.

Reference

https://blogs.technet.microsoft.com/yungchou/2013/10/22/enterprise-pki-with-windows-server-2012-r2-active-directory-certificate-services-part-2-of-2/

http://www.tech-coffee.net/public-key-infrastructure-part-8-ocsp-responder/

https://jorgequestforknowledge.wordpress.com/category/active-directory-certificate-services-adcs/ocsp/

RODC + Remote Desktop Gateway + Remote Desktop Authentication Certificate

An interesting and odd build-up.
The benefits of using it are real: on my own Mac, with versus without VPN, battery life is noticeably longer.

The overall concept is very simple. RDP over SSL, which means no VPN is needed.

Microsoft has three approaches, but I feel that extending AD with an RODC will be useful regardless.

Deploying an RODC is absolutely not hard;
pre-create the RODC machine account and open enough ports, and it will definitely join.

But the member server join starts getting strange. My approach was to generate the file with a command on the RODC first, then load that file on the target server.

Provision – File Generation / File Load

djoin /provision /domain <domain_name> /machine <destination computer> /savefile <filename.txt> [/machineou <OU name>] [/dcname <name of domain controller>] [/reuse] [/downlevel] [/defpwd] [/nosearch] [/printblob] [/rootcacerts] [/certtemplate <name>] [/policynames <name(s)>] [/policypaths <Path(s)>]
djoin /requestodj /loadfile <filename.txt> /windowspath <path to the Windows directory of the offline image> /localos

Once everything is set up, all that's left is Add Role, very simple. Just allow the authorised user group and it's done.

After the setup was complete, the next step was to convert the self-signed Remote Desktop Auth certs on all machines in the trusted network to internal-CA signed ones.

Likewise, the trusted zone is easy to convert, but the member servers in the DMZ need more procedure: install Certificate Enrollment Web Services (Username/Password), a new certificate template for the DMZ, and finally a command to manually switch the Remote Desktop Listener cert.
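The "command to manually switch the Remote Desktop Listener cert" is the step KB 3042780 (linked below) covers. As an added example, not from the post, this script picks a CA-issued certificate carrying the Remote Desktop Authentication EKU from the machine store, binds the RDP-Tcp listener to it through WMI, and reads the binding back. It assumes the certificate has already been enrolled (by GPO autoenrollment in the trusted zone, or via CES/CEP in the DMZ, as described above).

```powershell
# Added example, not from the original post: bind the RDP listener to a CA-issued
# Remote Desktop Authentication certificate and verify the binding.
# Assumption: a suitable certificate is already enrolled in LocalMachine\My.
$rdpAuthEku = '1.3.6.1.4.1.311.54.1.2'   # Remote Desktop Authentication EKU

function Get-RdpCertificate {
    # Newest valid, chain-verifiable cert with a private key and the RDP Auth EKU.
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object {
            $_.HasPrivateKey -and
            $_.NotAfter -gt (Get-Date) -and
            ($_.EnhancedKeyUsageList.ObjectId -contains $rdpAuthEku) -and
            $_.Verify()                     # builds to a trusted (internal CA) root
        } |
        Sort-Object NotAfter -Descending |
        Select-Object -First 1
}

function Get-RdpListener {
    Get-WmiObject -Namespace 'root\cimv2\TerminalServices' -Class Win32_TSGeneralSetting `
        -Filter "TerminalName='RDP-Tcp'"
}

$cert = Get-RdpCertificate
if (-not $cert) { throw 'No valid Remote Desktop Authentication certificate found in LocalMachine\My' }

$listener = Get-RdpListener
"Listener currently uses : $($listener.SSLCertificateSHA1Hash)"
"Selected certificate    : $($cert.Thumbprint)  $($cert.Subject)  (expires $($cert.NotAfter))"

# SSLCertificateSHA1Hash is the thumbprint the listener presents to RDP clients.
Set-WmiInstance -Path $listener.__PATH -Arguments @{ SSLCertificateSHA1Hash = $cert.Thumbprint } | Out-Null

# Readback from WMI rather than trusting the call succeeded.
$after = Get-RdpListener
if ($after.SSLCertificateSHA1Hash -ne $cert.Thumbprint) {
    throw 'RDP-Tcp listener thumbprint did not change'
}
"RDP-Tcp now presents $($after.SSLCertificateSHA1Hash)"
```

One caveat a practitioner hits here: the listener runs as NETWORK SERVICE, which needs read access to the certificate's private key; if that ACL is missing the binding "succeeds" in WMI but clients still see the old self-signed certificate after the next connection.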

Reference:

Remote Desktop Gateway

https://blogs.technet.microsoft.com/enterprisemobility/2009/07/31/rd-gateway-deployment-in-a-perimeter-network-firewall-rules/

http://www.lemonbits.com/2014/06/20/installing-standalone-remote-desktop-gateway-on-the-windows-server-2012-r2-without-complete-remote-desktop-services-infrastructure/

RODC Setup

https://technet.microsoft.com/en-us/library/dd728035(WS.10).aspx#run_join_script

Offline Join

https://technet.microsoft.com/en-us/library/offline-domain-join-djoin-step-by-step(WS.10).aspx

Trusted Remote Desktop Auth Certificate

https://www.derekseaman.com/2013/01/creating-custom-remote-desktop-services.html

Certificate Enrollment Web Services

https://blogs.technet.microsoft.com/askds/2010/05/25/enabling-cep-and-ces-for-enrolling-non-domain-joined-computers-for-certificates/

Remote Desktop Listener Certificate

https://support.microsoft.com/en-us/kb/3042780

First try at the SAML gathering ..... 1. OKTA 2. Salesforce 3. ADFS

Definitely a new challenge !!!!!

SAML has always been something I didn't quite dare to touch. Compared with Kerberos, SAML has XML I find really hard to read (recursive XML). Scary just thinking about it. Scary.

Since there's a high chance I'll need it soon, and to prepare ahead, I decided to let go and take a look......

First, find the IdP (Identity Provider) and SP (Service Provider) to use.
Although ADFS is already available, ADFS isn't what this build-up starts with.

Salesforce is the known mainstream Service Provider.. Production costs money, no way. But the Developer Edition is free for two users; haven't found out whether it comes with support. Super stingy.....
Among the IdPs I looked at, OKTA stood out.. It compares better. Three apps and a hundred users are free forever, and there's support. Better.

OK... Preparation done.. Let's get to work

The rough concept

AD is the identity source; what confused me at first was how OKTA's UserID gets resolved.
Because before installing the OKTA Agent and linking AD, OKTA's own user accounts use the same domain suffix, and the password is likewise hard to pin down.
But after the OKTA Agent is installed and the users matched, only the AD password remains. In other words there's no need to treat the account as a local account.

Next is hooking Salesforce up to OKTA.
The integration has a pitfall on the OKTA side. Among the apps that support SAML there are three Salesforce apps, and "Salesforce.com (Federated ID)" is broken and doesn't work... So a support case was raised for it..

At the start the approach is almost identical: think about using a separate account as the full-rights admin. For that reason the account created in Salesforce uses a different password.
Adding the Salesforce app in OKTA and configuring Single Sign-On inside Salesforce can be done almost just by following along. So if it weren't for "Salesforce (Federated ID)" breaking...
it could have been done in two days...

Once set up, both SP-initiated (Salesforce shows several auth options) and IdP-initiated (the OKTA app list, SSO listed directly) open fine..

Finally, connecting Salesforce to ADFS.

Not many steps; you still need to add the Single Sign-On setting in the Salesforce portal,
but the pitfall is the Issuer on the ADFS server.
When you open the FederationMetadata to look:
"https://adfsserver.domain.com/federationMetadata/2007-06/FederationMetadata.xml"

In ADFS's metadata.xml, the identifier is called "entityID", and it looks the same as the ADFS server's web URL, but it isn't https, it's http.
Get this one thing wrong and it fails.
The SAML assertion check will catch the mismatch....
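A check for exactly this pitfall, as an added example that is not part of the original post: it reads `entityID` out of the ADFS federation metadata and compares it, character for character, with the Issuer value you typed into the SP. `adfsserver.domain.com` is the post's placeholder; the inline `$sampleMetadata` is a constructed, cut-down EntityDescriptor so the script can be exercised offline with `-Offline`, and it deliberately carries the `http://` identifier the post describes.

```powershell
# Added example, not from the original post: compare the ADFS metadata entityID
# with the Issuer configured on the SP (Salesforce here) before testing a login.
# Assumption: adfsserver.domain.com is a placeholder; $sampleMetadata is constructed.
param(
    [string]$MetadataUrl      = 'https://adfsserver.domain.com/federationMetadata/2007-06/FederationMetadata.xml',
    [string]$ConfiguredIssuer = 'https://adfsserver.domain.com/adfs/services/trust',  # the typical wrong guess
    [switch]$Offline
)

# Constructed sample: a trimmed EntityDescriptor with ADFS's default http:// identifier.
$sampleMetadata = @'
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
                  entityID="http://adfsserver.domain.com/adfs/services/trust">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                         Location="https://adfsserver.domain.com/adfs/ls/"/>
  </IDPSSODescriptor>
</EntityDescriptor>
'@

function Get-SamlEntityId {
    param([xml]$Metadata)
    # entityID is an attribute of the root EntityDescriptor. PowerShell's XML
    # adapter exposes it as a property and ignores the SAML metadata namespace.
    $Metadata.EntityDescriptor.entityID
}

function Test-IssuerMatch {
    param([string]$EntityId, [string]$Issuer)
    # SAML issuer comparison is plain string equality, so the check is exact and
    # case-sensitive: http vs https is as fatal as a different host name.
    $EntityId -ceq $Issuer
}

$xml = if ($Offline) { [xml]$sampleMetadata }
       else { [xml](Invoke-WebRequest -Uri $MetadataUrl -UseBasicParsing).Content }

$entityId = Get-SamlEntityId -Metadata $xml
"entityID in metadata : $entityId"
"Issuer configured    : $ConfiguredIssuer"

if (Test-IssuerMatch -EntityId $entityId -Issuer $ConfiguredIssuer) {
    'OK: the SP Issuer matches the IdP entityID.'
} else {
    $scheme = ([uri]$entityId).Scheme
    "MISMATCH: set the SP Issuer to exactly '$entityId' (scheme is '$scheme', not a URL to browse to)."
}
```

Against the constructed sample, `-Offline` reports the mismatch and prints the `http://` value to paste into Salesforce; run without `-Offline` against a real ADFS farm to check the live metadata, and pass `-ConfiguredIssuer` with whatever the SP currently holds.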

Done ! That’s it

Reference:

Salesforce integration with OKTA

http://saml-doc.okta.com/SAML_Docs/How-to-Configure-SAML-2.0-in-Salesforce.html

Salesforce integrate with ADFS 3.0

https://developer.salesforce.com/page/Single_Sign-On_with_Force.com_and_Microsoft_Active_Directory_Federation_Services

Troubleshooting Tools

https://www.samltool.com/base64.php

SharePoint 2013 – SAML Auth

Compared with Kerberos, SAML is definitely something I don't yet understand but followed step by step anyway. The SharePoint 2013 that's already running hardly changed; only one Web Application needed to be extended as the target. The rest was just modifying the sample syntax. The sample has minor typos but nothing fatal.

Reference

http://summit7systems.com/beginners-guide-to-claims-based-authentication-ad-fs-3-0-and-sharepoint-2013-part-iii-configuring-sharepoint-2013-for-ad-fs/

https://technet.microsoft.com/en-us/library/hh305235.aspx

Painful AD Upgrade/Phase Out, Exchange 2003/2007 Removal.

Because I had never done it before, the steps were wrong.

First mistake: at the AD site, the DC should not be dcpromo'd before Exchange 2003/2007 is decommissioned...... Because of this stupid approach, Exchange 2003 had to be forcibly deleted in ADSIEdit..., and the registry cleaned up on the server... Really too dumb for words
Second mistake: Public Folders... how replicas work with Exchange 2003/2007 present versus now with only 2010 left is different. Finally found someone who had written about it.. Damn!@#$%?&*(!   M$  !!!

Finally (not my fault).... Removing Exchange 2007... gave me yet another error to look at

“Error: Unable to create IIS (Internet Information Service) directory entry. Error Message is: Exception from HRESULT: 0x80005008. HResult = -2147463160”

In %SystemRoot%/System32/inetsrv/metabase.xml .. there are three lines with IpSecurity="" ; delete them all before Exchange 2007 can be uninstalled...

Shit !@#$%^&*()_

Reference Information:

The Resolution

I spoke to a Microsoft exchange architect named Indarraaj. He informed me that this error is by design. You can only have one exchange 2003 and one exchange 2007 server as a replica at these parent level public folders. However if you look at the sub folders, it is possible to add all your servers as replicas. As long as you add all your servers as replicas to your sub folders you will be fine.

I asked him why this was not documented on the internet anywhere, as I did research this pretty intensively and there was hardly any information! He said there is a KB article for this however it is a Microsoft internal KB which is not available externally for the public! I think this is pretty strange, if this error is by design, shouldn't Microsoft at least document this if every exchange organisation around the world experiences this issue at a given time when migrating from exchange 2003 to 2007?

Anyway all in all just check the child public folders and ensure that the replicas are set right on them.

http://clintboessen.blogspot.hk/2009/06/cannot-add-replicas-to-certain-system.html

https://social.technet.microsoft.com/Forums/exchange/en-US/18fbfc64-eae5-4660-8f7e-b57f35dc862e/iis-ip-restriction-on-cas-server-destroys-it?forum=exchangesvrgenerallegacy

MFA Server upgrade 6.3.1 > 7.0.2. Realised too late ~ got trapped ~

Nothing more to say ~ .NET 2.0 to .NET 4.0, the ADFS Adapter got renamed; you have to uninstall with the old source first, then install again with the new source, then register the adapter again...
Note to M$: you really know how to play..... ~!@#$%?&*()

Reference site:

http://c7solutions.com/2016/04/upgrading-azure-multi-factor-authentication-server

http://c7solutions.com/2016/04/upgrading-mfa-6-3-1-to-version-7