Monday, March 31, 2014

Forms based authentication and anonymous folders

Sometimes I have seen some weird issues with some forms based authentication.  On the logon form, the images do not show up and the text and other information does not line up correctly.  The images are in the .\images folder and the style sheet is in the .\styles folder.

Turns out, this is by design: forms-based authentication is enabled and the authorization section (the <authorization> tag) specifies that anonymous users are denied access.

    <authorization>
      <deny users="?" />
      <allow users="*" />
    </authorization>


I found a lot of discussion threads indicating that the <location> could be used with the path option to specify a path that could be accessed anonymously.  But, I found conflicting information.  One poster said you could only have ONE <location> tag.  However, upon testing it, I found that you can indeed have 2 different <location> tags.  See below.

    <!-- These location tags specify that the styles and images folders are accessible before logon. This allows the logon page and logo to be displayed correctly. -->
    <location path="styles">
      <system.web>
        <authorization>
          <allow users="*"/>
        </authorization>
      </system.web>
    </location>
    <location path="images">
      <system.web>
        <authorization>
          <allow users="*"/>
        </authorization>
      </system.web>
    </location>


I put these inside the <configuration> tag of the web.config file near the bottom.  This seems to clear up the issues.
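As an added example (this is not the original post's code), here is a PowerShell script that reads a web.config, checks that the application-wide rule still denies anonymous users, and lists every <location> path that anonymous users can reach. The web.config path is an assumption; the XPath expressions match the structure shown above. Keep in mind that a <location> rule covers the named folder and everything beneath it, so only static asset folders such as styles and images should appear in the output, and nothing executable should be dropped into them.

```powershell
# Added example, not from the original post. Audits the <location> overrides in a
# web.config and lists every path that is served without authentication.
param(
    # Assumed path; point this at your application's web.config.
    [string]$WebConfigPath = 'C:\inetpub\wwwroot\MyApp\web.config'
)

[xml]$config = Get-Content -Path $WebConfigPath -Raw

# The application-wide rule that forms authentication relies on: deny anonymous users ("?").
$rootDeny = $config.SelectNodes('/configuration/system.web/authorization/deny[@users="?"]')
if ($rootDeny.Count -eq 0) {
    Write-Warning 'No <deny users="?"/> under /configuration/system.web/authorization; anonymous users are not being sent to the logon form.'
}

# Each <location> that allows "*" (all users, anonymous included) without its own deny rule
# is reachable before logon. The rule applies to the named folder and everything below it.
$report = foreach ($loc in $config.SelectNodes('/configuration/location')) {
    $allowAll = $loc.SelectNodes('system.web/authorization/allow[@users="*"]')
    $denyAnon = $loc.SelectNodes('system.web/authorization/deny[@users="?"]')
    New-Object PSObject -Property @{
        Path      = $loc.GetAttribute('path')
        Anonymous = ($allowAll.Count -gt 0 -and $denyAnon.Count -eq 0)
    }
}

$report | Select-Object Path, Anonymous
```

Run it against the web.config from the post and it reports styles and images with Anonymous set to True and nothing else; if a path you did not expect shows up, that folder has been opened up. If your <configuration> element carries an xmlns attribute (older ASP.NET templates do), the XPath queries need a namespace manager before they will match.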

Saturday, February 01, 2014

Exchange 2013 Architecture Poster

Microsoft just released a PDF version of their Exchange Server 2013 Architecture Poster.  Free to download.

Tuesday, December 17, 2013

Convert OST file to PST file

I still see questions in the forums from time to time where someone is asking if it is possible to convert an OST file to a PST file.  This is usually due to a mailbox being deleted, but the OST file remains.

Microsoft does not provide any mechanism to convert an OST file to a PST file.  However, if you can open up the OST file when you open Outlook, you can create a new PST file and just export email to it or drag-and-drop items in to the PST file.

There are a few third party tools that will do this, but I have not tested any of them.

http://www.convertost.com/
http://www.brothersoft.com/convert-ost-to-pst-68529.html
http://www.windowsreference.com/ms-exchange-server/how-to-convert-ost-to-pst-format-for-outlook/
 

Sunday, December 15, 2013

.NET Framework 4 application issues on fresh Windows 2008 R2 installation

A bit of frustration with Windows Server 2008 R2 and the .NET Framework 4.0.  Just because you use the Add-WindowsFeature Application-Server option to add the .NET Framework, the 4.0 Framework may not be properly registered with IIS.  This seems to be true when you install the 4.0 Framework first and only later add the Web-Server and Application-Server options to Windows.

I installed the prerequisites, then installed my 4.0 Framework application and got this error:

HTTP Error 500.21 - Internal Server Error

Handler "PageHandlerFactory-Integrated" has a bad module "ManagedPipelineHandler" in its module list

This implies that the ASP.NET managed handler is incorrect, but in reality the 4.0 Framework is not properly registered.

Open up a command prompt as an administrator, then change to this folder:
C:\Windows\Microsoft.NET\Framework\v4.0.30319 

Run this command:
aspnet_regiis.exe -iru 

There are a couple of different installation/registration options for aspnet_regiis.exe, but the -iru option is the safest since it only registers the 4.0 Framework and does not change/update any existing applications or web sites.  That is helpful if you have web applications that are still using the 2.0 Framework.

Sunday, December 08, 2013

Ithicos Solutions Customer Survey

If you are a customer of Ithicos Solutions and use our Active Directory self service tools such as Directory Update, Directory Manager, Directory Search, and/or Directory Password products, we would like your feedback:

Ithicos Solutions survey

This survey should take no more than 5 minutes to complete and will help us determine better ways to support you in the future.  The survey is completely anonymous, but you can leave your email at the end for a chance to win an Amazon gift card.



Saturday, December 07, 2013

Convert user mailbox to linked mailbox in Exchange 2010

A few weeks ago, someone enabled the user accounts for a bunch of our Exchange 2010 linked mailboxes.  One of the workflows in our FIM system saw this as an indication that they should be user mailboxes rather than linked mailboxes and thus converted them all from linked mailboxes to user mailboxes.

I did a bit of research and was somewhat heartbroken to find this TechNet article
http://technet.microsoft.com/en-us/library/bb201694%28v=exchg.141%29.aspx

This article implied that converting user mailboxes back to linked mailboxes was not possible using the EMC. 

After a bit more research and an email from Jason Sherry, I fortunately found out this article is wrong.  (I'm hoping Microsoft updates this.)

It is pretty simple to convert a user mailbox with E2K10 SP2 or E2K10 SP3 back to a linked mailbox.

Set-User <userID> -LinkedMasterAccount  AccountDomain\UserID  -LinkedDomainController AccountDomainControllerFQDN

Here is an example:

Set-User jim -LinkedMasterAccount Contoso\Jmcbee -LinkedDomainController dc01.contoso.local



Monday, November 25, 2013

Search Exchange for credit card or social security numbers

A question came up recently at a customer site about how they could search their Exchange mailboxes for email messages that contain credit card numbers.  (This is prohibited by their company policy, but they still find credit card numbers occasionally.)   Almost immediately after that, someone on a newsgroup asked if it was possible to search all mailboxes using Exchange Server 2010 or 2013 eDiscovery tools for social security numbers.

While searching for text or numerical patterns, such as "XXXX XXXX XXXX XXXX" or XXX-XX-XXXX, is a piece of cake for some search engines using regular expressions (RegEx), this is not possible with Exchange eDiscovery tools.   I should note that you can do some pattern matching using transport rules, so it is possible to intercept messages in transit, but not at rest.  So, if you are looking for data that is already in your database, then you are somewhat out of luck.  At least "out of the box".

Sherpa Software's Discovery Attender does, however, do more complex pattern matching.
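As an added example (not the author's code), here is how that in-transit pattern matching can be set up as a transport rule from the Exchange Management Shell, followed by a small triage helper for the copies the rule sends to a compliance mailbox. The compliance address is made up, the rule is created disabled so it can be reviewed before it acts, the patterns are deliberately kept to simple regex syntax so they work both in the transport rule and in PowerShell, and the sample message body is constructed for the demonstration.

```powershell
# Added example, not from the original post.

# Part 1: transport rule. Matches the two shapes from the post (spaced/dashed 16-digit card
# numbers and dashed SSNs) in the subject or body, BCCs a compliance mailbox (hypothetical
# address) and tags the subject. Created disabled; enable it after reviewing what it would catch.
$patterns = @(
    '\d{4}[ -]?\d{4}[ -]?\d{4}[ -]?\d{4}',  # 16-digit card number, spaced, dashed or bare
    '\d{3}-\d{2}-\d{4}'                     # US SSN, dashed
)
New-TransportRule -Name 'Flag possible card or SSN data' `
    -SubjectOrBodyMatchesPatterns $patterns `
    -BlindCopyTo 'compliance@contoso.local' `
    -PrependSubject '[PII-CHECK] ' `
    -Enabled $false

# Part 2: triage helper for flagged text. A 16-digit string that fails the Luhn check is
# almost always an order number, ticket id or similar, so each match is labelled with
# whether it passes, which cuts down the false positives a reviewer has to read.
function Test-Luhn {
    param([string]$Digits)
    $sum = 0
    $double = $false
    for ($i = $Digits.Length - 1; $i -ge 0; $i--) {
        $d = [int][char]$Digits[$i] - 48       # character '0'..'9' to its numeric value
        if ($double) { $d *= 2; if ($d -gt 9) { $d -= 9 } }
        $sum += $d
        $double = -not $double
    }
    return (($sum % 10) -eq 0)
}

function Find-CardNumbers {
    param([string]$Text)
    foreach ($m in [regex]::Matches($Text, $patterns[0])) {
        $digits = $m.Value -replace '[ -]', ''
        New-Object PSObject -Property @{
            Match     = $m.Value
            LuhnValid = (Test-Luhn $digits)
        }
    }
}

# Constructed sample body: the first number is a well-known Luhn-valid test number,
# the second is a made-up sequence that fails the check.
$sample = 'Card used 4111-1111-1111-1111, order ref 1234 5678 9012 3456, SSN 123-45-6789'
Find-CardNumbers -Text $sample | Select-Object Match, LuhnValid
```

Against the sample body the helper reports 4111-1111-1111-1111 as LuhnValid True and 1234 5678 9012 3456 as False. The same Find-CardNumbers function can be pointed at text exported from a mailbox, which is the closest thing to an at-rest search you get without a third-party tool.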

Tuesday, July 30, 2013

Update to Exchange 2013 CU2

Microsoft has released an update to Exchange 2013 CU2 that fixes an issue with public folder permissions.  Check the build number if you have recently deployed.  The build number for the new release should be 712.24.  See Microsoft KB2859928 for more information.

Thursday, July 25, 2013

ResolveP2 headers in Exchange 2010 and 2013

Exchange 5.5, 2000, and 2003 had a feature called ResolveP2 headers.  Essentially, it allowed Exchange to accept an inbound message, inspect the sender's SMTP address (or other type of address back in the olden days) and if the address was associated with an object in the Global Address List / Active Directory, then replace the sender's address with the name from the GAL.

For example, if the email was sent from snuffy@volcanosurf.com, but you had a mail-enabled contact or mail-enabled user in GAL with that SMTP address, it would resolve the name and the From would instead say "Snuffy Smith" or whatever the display name was.   You can read more about this feature from the olden days in this blog by David Lemson: 
ResolveP2, RerouteViaStore, and its equivalent in Exchange 2003

This feature was turned off by default to keep spammers from sending "reputable" looking mail by trying to make a message look like it came from a valid internal sender.

Recently, we were trying to figure out how to turn this back on due to an ongoing migration.  We needed the senders in DomainX to be resolved properly to GAL objects when they sent to DomainY.

The ResolveP2 feature does not exist in Exchange 2010 (and 2013).  Exchange will only resolve the sender's address to a GAL object if the message comes from an authenticated or trusted source.

You can duplicate this functionality in Exchange 2010 / 2013 with a receive connector that is configured to allow relay and, on the Authentication properties, include the "Externally Secured" property.

Bharat Suneja has an excellent article on how to do this.
How To Allow Relaying in Exchange 2010 and Exchange 2007 

Once you have set up the relay receive connector, add the sending system's IP addresses to the authorized source IP addresses.

Take care with this feature because you can inadvertently allow people to relay through your system which will inevitably add you to block lists, get you in trouble with your ISP, and bring about plague-o-locust across the land.  Anyone that sends through this particular receive connector will have these rights.


ms-Exch-SMTP-Accept-Authoritative-Domain
ms-Exch-Bypass-Anti-Spam
ms-Exch-Bypass-Message-Size-Limit
ms-Exch-SMTP-Accept-Exch50
ms-Exch-Accept-Headers-Routing
ms-Exch-SMTP-Submit
ms-Exch-SMTP-Accept-Any-Recipient
ms-Exch-SMTP-Accept-Authentication-Flag
ms-Exch-SMTP-Accept-Any-Sender
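As an added check (not part of the original post), the PowerShell below lists every receive connector that uses the "Externally Secured" mechanism, shows its remote IP ranges, flags any entry that is a range or subnet rather than a single host, and shows which trustees hold the two relay-related rights from the list above. Run it from the Exchange Management Shell after setting up the connector; nothing in it changes configuration.

```powershell
# Added example, not from the original post. Audits Externally Secured receive connectors.
Get-ReceiveConnector |
    Where-Object { $_.AuthMechanism -match 'ExternalAuthoritative' } |
    ForEach-Object {
        $connector = $_
        $ranges = @($connector.RemoteIPRanges | ForEach-Object { $_.ToString() })

        # Single host addresses are the expected shape for a relay connector. Anything with a
        # dash or slash is a range or subnet; the default 0.0.0.0-255.255.255.255 (and its IPv6
        # equivalent) means any host that can reach port 25 gets these rights.
        $broad = @($ranges | Where-Object { $_ -match '[-/]' })

        # The extended rights from the post are AD permissions on the connector object.
        $rights = @(Get-ADPermission -Identity $connector.Identity |
            Where-Object { $_.ExtendedRights -match '^ms-Exch-SMTP-Accept-Any-(Sender|Recipient)$' } |
            ForEach-Object { "$($_.User): $($_.ExtendedRights -join ',')" })

        New-Object PSObject -Property @{
            Connector   = $connector.Identity.ToString()
            RemoteIPs   = ($ranges -join '; ')
            BroadRanges = ($broad -join '; ')
            RelayRights = ($rights -join '; ')
        }
    } |
    Select-Object Connector, RemoteIPs, BroadRanges, RelayRights |
    Format-List
```

An empty BroadRanges column is what you want to see; if it is not empty, the connector is the open relay the post warns about. Re-run the check whenever an address is added to RemoteIPRanges, since a single typo in a subnet mask turns a host entry into a range.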


Friday, July 19, 2013

Exchange 2013 CU2 - OWA Forms Based Authentication automatically enabled

I think most people automatically use OWA Forms Based Authentication (FBA) for web mail, but in some cases you may have just Basic or Integrated Windows Authentication enabled.

Some people have been reporting that even though FBA is disabled in their environment, once they update to E2K13 CU2, the logon form is displayed rather than using Basic or IWA.

If you check the OWA virtual directory properties, the FormsAuthentication form option is set to "False", yet the FBA form still appears. 
Get-OwaVirtualDirectory | FL forms*,basic*
FormsAuthentication : False
BasicAuthentication : True

This happens because when CU2 is installed, it replaces the existing web.config file with a new one that has FBA enabled.  This is easy to fix, though.

Simply "enable" and then "disable" FBA on your OWA virtual directories. 

Get-OwaVirtualDirectory | Set-OwaVirtualDirectory -FormsAuthentication $True
Get-OwaVirtualDirectory | Set-OwaVirtualDirectory -FormsAuthentication $False 

This should reset FBA back to off.

For more information, see this KB article "The FBA page is displayed when a user accesses OWA or ECP to log on to Exchange Server 2013"

Thursday, July 18, 2013

OWA for the iPad and iPhone for Office365 users

If you are on Office365, this should be some good news.  Microsoft has released Outlook Web App for the iPad and iPhone.  They are available for download from the Apple App Store.  Unfortunately, this seems to be only for Office365 users rather than on premises users.

Thursday, July 11, 2013

Exchange 2013 RTM CU2

Microsoft released Exchange 2013 RTM CU2 this week.  Cumulative Update 2 includes a number of bug fixes and product improvements.  Some important notes include that the RBAC roles have been updated (so test thoroughly) and the AD schema will need to be updated.

See Ross Smith IV's EHLO blog posting on Exchange 2010 RTM CU2.

Tuesday, May 07, 2013

File-based antivirus scanners on Exchange servers

Have I ever mentioned that I really dislike file-based antivirus scanners on Exchange Servers?  Really, really, really dislike them.....

For the past 6 weeks, at work we have been fighting weird latency issues for most of our users.  Outlook slows down to a crawl at some points during the day.  We have been blaming WAN congestion, but this past week we noticed that the Test-MapiConnectivity cmdlet was showing much higher than expected latency. (Normal should be less than 20-100ms).  We were seeing spikes on all databases as high as 1,000ms.

The plague of modern IT is LOTS of agents and we are no exception.  Inventory, monitoring, security, antivirus, etc....   The latency went away when we removed Symantec Endpoint Protection.  While the exclusions were all supposed to be in place, we were still seeing the latency until the SEP client was removed entirely.  (A side note, the local firewall component of SEP was disabled.)

So, I guess I'm now questioning whether Exchange servers really need file-based antivirus scanners any longer?  Provided clients are well protected and administrators don't logon to the server console frequently to perform day-to-day administration, do we really need those file-based scanners?


Wednesday, April 10, 2013

Moving jpegPhoto photos to the thumbnailPhoto attribute

There are a lot of clever people out there.  Unfortunately, I'm not amongst them.  But, Joe Richards and Brian Desmond are!  Thanks to Joe for developing some great tools and Brian for showing me how to use some of them to do something tricky.

Anyway, on past the credit.  There are quite a few organizations out there that used the jpegPhoto attribute to store photos of users for use with 3rd party applications, including my Directory Update Self Service Update and Directory Manager thumbnailPhoto Active Directory applications.  Microsoft is now using thumbnailPhoto as their photo-attribute-of-choice for Exchange 2010 and Outlook 2010.  That leaves a lot of us with our photos in jpegPhoto.

Using the ADFind and ADMod applications from Joe Richards, though, you can copy the jpegPhoto data in to the thumbnailPhoto attribute.  First, download and unzip these two applications. 

Here is an example of how to move user LukeHusky's photo:
adfind -f "(&(objectCategory=person)(objectClass=user)(samAccountName=LukeHusky)(jpegPhoto=*))" jpegPhoto -adcsv | admod BIN##thumbnailPhoto::{{jpegPhoto}}

If this works for one user, you can actually run this against ALL users that have data in the jpegPhoto attribute with this command.
adfind -f "(&(objectCategory=person)(objectClass=user)(jpegPhoto=*))" jpegPhoto -adcsv | admod BIN##thumbnailPhoto::{{jpegPhoto}} -unsafe

You can also run this so that it will stop after a specific number of errors, such as 5 in the case below:
adfind -f "(&(objectCategory=person)(objectClass=user)(jpegPhoto=*))" jpegPhoto -adcsv | admod BIN##thumbnailPhoto::{{jpegPhoto}} -exterr -upto 5

As always, test before doing AD-wide deployments!
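As an added example (not the author's or Joe Richards' code), here is the same copy done with the ActiveDirectory PowerShell module instead of AdFind/AdMod. It keeps the error-limit idea from the -upto option, supports -WhatIf for the "test before deploying" step, skips users that already have a thumbnailPhoto, and warns about photos larger than the 10 KB that Exchange 2010 accepts for mailbox pictures (that limit, and the RSAT module being installed, are the assumptions here).

```powershell
# Added example, not from the original post: copy jpegPhoto to thumbnailPhoto with the AD module.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [int]$MaxErrors = 5,                      # stop after this many failed writes, like admod -upto
    [int]$MaxBytes = 10KB,                    # assumed: Exchange 2010 accepts pictures up to 10 KB
    [string]$Filter = '(&(objectCategory=person)(objectClass=user)(jpegPhoto=*))'
)
Import-Module ActiveDirectory

$errorCount = 0
$users = Get-ADUser -LDAPFilter $Filter -Properties jpegPhoto, thumbnailPhoto

foreach ($u in $users) {
    # jpegPhoto is multi-valued in the schema; take the first value as a byte array.
    $raw = $u.jpegPhoto
    $bytes = if ($raw -is [byte[]]) { $raw } else { [byte[]]$raw[0] }

    if ($bytes.Length -gt $MaxBytes) {
        Write-Warning ("{0}: jpegPhoto is {1} bytes, larger than {2}; resize it first" -f $u.SamAccountName, $bytes.Length, $MaxBytes)
        continue
    }
    if ($u.thumbnailPhoto) {
        Write-Verbose "$($u.SamAccountName): thumbnailPhoto already set, skipping"
        continue
    }
    if ($PSCmdlet.ShouldProcess($u.DistinguishedName, "copy jpegPhoto ($($bytes.Length) bytes) to thumbnailPhoto")) {
        try {
            Set-ADUser -Identity $u -Replace @{ thumbnailPhoto = $bytes } -ErrorAction Stop
        } catch {
            $errorCount++
            Write-Warning "$($u.SamAccountName): $($_.Exception.Message)"
            if ($errorCount -ge $MaxErrors) { throw "Stopped after $errorCount errors" }
        }
    }
}
```

To test on one account first, narrow the filter the same way the post does, for example -Filter '(&(objectCategory=person)(objectClass=user)(samAccountName=LukeHusky)(jpegPhoto=*))', and add -WhatIf to see what would be written without touching the directory.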


Thursday, February 21, 2013

Exchange maximum send and receive message size not working

I see a lot of posts in the newsgroups about the maximum message size limits not working correctly.  People are continually trying to change global message size limits, send connectors, etc... I keep meaning to write about this.

Out of the box, Exchange's maximum send and receive message size limit is 10MB.  But, that is the "internal" message size limit.  When a message is sent from one Exchange server to another within your organization, the format remains in MAPI format.  This means that attachments remain in their original binary format.

However, if you send a message OUTSIDE of your Exchange organization the message must be converted in to an Internet standard. This standard is almost always MIME (Multipurpose Internet Mail Extensions).  Binary attachments (ZIPs, DOCs, PPTs, XLSs, etc...) must be converted from their standard binary format to Base64.  When an attachment is converted to Base64, the resulting attachment size is about 37% LARGER than the original file.

So, an internal e-mail message that is around 7.5MB (including attachments) will expand to just over 10MB.   Exchange will issue an NDR that the message size is too large.

When explaining to your users the maximum send and receive (outbound and inbound) message sizes, it is best to explain that the "internal" limit is 10MB, but the external limit is around 7MB.
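As an added illustration (not from the original post), the PowerShell below shows where the "about 37%" comes from and what it means for a 10 MB limit: Base64 emits 4 characters for every 3 bytes (33%), and MIME wraps the output at 76 characters with a CRLF after each line, which adds the remaining few percent. The 10 MB limit is the figure from the post; the sample data is random bytes generated locally.

```powershell
# Added example, not from the original post. Nothing here talks to Exchange.

function Get-Base64Size {
    # Size in bytes of a MIME Base64 body for a binary part of $Bytes bytes:
    # 4 characters per 3 input bytes (rounded up for padding), wrapped at 76 characters
    # with a CRLF after each line.
    param([long]$Bytes)
    $chars = [math]::Ceiling($Bytes / 3) * 4
    $lines = [math]::Ceiling($chars / 76)
    return [long]($chars + 2 * $lines)
}

function Get-MaxInternalSize {
    # Largest binary size that still fits under $LimitBytes once Base64-encoded.
    # The size function only ever grows, so a binary search finds the boundary.
    param([long]$LimitBytes)
    $lo = [long]0
    $hi = [long]$LimitBytes
    while ($lo -lt $hi) {
        $mid = [long][math]::Floor(($lo + $hi + 1) / 2)
        if ((Get-Base64Size $mid) -le $LimitBytes) { $lo = $mid } else { $hi = $mid - 1 }
    }
    return $lo
}

# Measure the growth on real data: 1 MB of random bytes encoded with line breaks every 76 characters.
$data = New-Object byte[] (1MB)
(New-Object System.Random).NextBytes($data)
$encoded = [Convert]::ToBase64String($data, [System.Base64FormattingOptions]::InsertLineBreaks)
"Measured: {0:N0} bytes -> {1:N0} characters ({2:P1} growth)" -f $data.Length, $encoded.Length, ($encoded.Length / $data.Length - 1)

# The two numbers from the post: a 7.5 MB internal message and a 10 MB limit.
"7.5 MB of attachments becomes {0:N2} MB of Base64" -f ((Get-Base64Size 7.5MB) / 1MB)
"Largest attachment that fits under 10 MB: {0:N2} MB" -f ((Get-MaxInternalSize 10MB) / 1MB)
```

The measured growth comes out at about 36.8%, 7.5 MB of attachments becomes roughly 10.26 MB, and the largest single attachment that fits under the 10 MB limit is about 7.3 MB. The message headers, body text and MIME boundaries take up the rest, which is why "around 7MB" is the safe number to give users.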