Office 2007 Cumulative Update for February 2011 is now released

To follow up on my previous blog post “Watch out from latest outlook updates !”:

the Exchange team has announced that the Office 2007 Cumulative Update for February 2011 is now available.

The update adds Personal Archives support in Outlook 2007.
For more details about the hotfix, see KBA 2475891: Description of the Office Outlook 2007 hotfix package (Outlook-x-none.msp): February 22, 2011. It also fixes quite a lot of issues introduced by the original Outlook December hotfix: Autodiscover issues, POP3 authentication issues and a few more..

As always ! test your hotfix !

Happy Archiving 🙂

Authentication pop ups and annoyances with Exchange 2007 / 2010 and Outlook Anywhere

Hi again,

This issue has come up too many times, so I wanted to blog something short about it.

Prerequisites:

  • Update (Added June 29th 2013) – If using Exchange 2013, check out Exchange 2013 Outlook Anywhere Considerations for some additional specific Exchange 2013 issues.
  • Exchange 2007 or 2010
  • Outlook 2003 / 2007 / 2010
  • Windows XP / 7 / etc..
  • Outlook Anywhere ( RPC over HTTP ) enabled – with Basic Authentication or NTLM Authentication
  • Autodiscover – working correctly 😉

So, you’ve got it all configured: you enabled Outlook Anywhere, configured ISA 2006 / TMG / UAG to publish Outlook Anywhere (or not), you published the Autodiscover records and all is working great !

BUT ! you have these annoying user credential pop ups, users are going nuts ! and so are you !@ ( enough sarcasm ) It may work for a while, and then you are prompted again for user name and password, or even worse – it might not work at all…

Here’s what can go wrong, in bullets, because there are a few different issues that might cause trouble..

  • Outlook Anywhere is configured to use NTLM authentication:
    • Solution 1 – Configure MSSTD or the Certificate Principal Name correctly (see below)
    • Solution 2 – Configure your clients’ local security policy, specifically LmCompatibilityLevel, to 2 or 3
    • Solution 3 – If you try to pull NTLM through ISA / TMG / UAG, either configure “Kerberos Constrained Delegation” (check the links below for the white paper from Microsoft) or change the publishing rule to apply to “All Users” and in the Authentication Delegation tab choose the option “No delegation, but client may authenticate directly”
  • SSL certificate issues
    • Outlook Anywhere was enabled for mail.company.com (ExternalHostName), but you have a wildcard certificate or the certificate subject name does not match mail.company.com
    • Solution – Configure MSSTD or the Certificate Principal Name correctly (see below)
  • Outlook Anywhere continuously keeps being configured automatically !

So what’s that MSSTD or Certificate Principal Name ? Well, it’s a method for Outlook to verify that the server you are connecting to indeed holds the correct SSL certificate subject name before sending credentials to it.. well yeah, it ain’t that secure.

Microsoft Exchange Proxy Settings

This setting has actually been configured automatically since Exchange 2007 and continues to be with Exchange 2010.

So here’s what you can do with it – all examples use the Set-OutlookProvider cmdlet with the CertPrincipalName parameter:

    • You have a wildcard certificate – Run this command:

Set-OutlookProvider EXPR -CertPrincipalName msstd:*.company.com

    • You have a different subject name on your SSL certificate than the ExternalHostName you configured for Outlook Anywhere on your CAS server:

Set-OutlookProvider EXPR -CertPrincipalName msstd:correctsubject.company.com

    • You don’t want that “only connect to proxy servers that have this principal name in their certificate” check box marked at all ! 🙂

Set-OutlookProvider EXPR -CertPrincipalName none

New feature with Exchange 2010 – The Set-OutlookProvider cmdlet now allows Outlook 2010 clients to connect exclusively through RPC over HTTP (Outlook Anywhere) before trying RPC over TCP connections when connecting over the Internet !

This means you can control the check box “On fast networks, connect using HTTP first, then connect using TCP/IP”; here are the two options:

    • Always connect using HTTP (mark “on fast networks”) :

Set-OutlookProvider EXPR -OutlookProviderFlags:ServerExclusiveConnect

    • Use TCP/IP first, then HTTP (default):

Set-OutlookProvider EXPR -OutlookProviderFlags:None
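The following script is an added example, not code from the original post: it covers both the CertPrincipalName and the OutlookProviderFlags settings above, but derives the msstd value from the certificate actually enabled for IIS on each CAS instead of guessing it. It assumes an Exchange 2010 Management Shell session and the real cmdlets Get-OutlookAnywhere, Get-ExchangeCertificate, Get-OutlookProvider and Set-OutlookProvider; the function names are my own. It never falls back to `none`, because that removes the subject-name check rather than fixing it.

```powershell
# Added example (not from the original post). Run with -WhatIf first: nothing is changed until you drop it.

function Get-CertPrincipalNameForHost {
    param(
        [Parameter(Mandatory=$true)][string]$ExternalHostname,
        [Parameter(Mandatory=$true)][string[]]$CertificateDomains
    )
    # Exact match: the certificate names the Outlook Anywhere host itself.
    if ($CertificateDomains -contains $ExternalHostname) { return "msstd:$ExternalHostname" }
    # Wildcard match: *.company.com covers mail.company.com (one label only).
    $parent = $ExternalHostname.Substring($ExternalHostname.IndexOf('.') + 1)
    if ($CertificateDomains -contains "*.$parent") { return "msstd:*.$parent" }
    # No match: the client-side check would fail whatever you set, so report it
    # instead of silently disabling the check with 'none'.
    return $null
}

function Set-ExprCertPrincipalName {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param([switch]$HttpFirst)   # ServerExclusiveConnect = try RPC over HTTP before TCP

    $principals = @()
    foreach ($oa in Get-OutlookAnywhere) {
        if (-not $oa.ExternalHostname) { continue }        # not published externally on this CAS
        $hostName = $oa.ExternalHostname.ToString()
        # The certificate Outlook sees is the one enabled for the IIS service on that CAS.
        $cert = Get-ExchangeCertificate -Server "$($oa.Server)" |
                Where-Object { $_.Services -match 'IIS' } | Select-Object -First 1
        if (-not $cert) { Write-Warning "$($oa.Server): no certificate enabled for IIS"; continue }

        $domains = @($cert.CertificateDomains | ForEach-Object { $_.ToString() })
        $p = Get-CertPrincipalNameForHost -ExternalHostname $hostName -CertificateDomains $domains
        if (-not $p) {
            Write-Warning "$($oa.Server): certificate [$($cert.Subject)] does not cover $hostName; fix the certificate or ExternalHostname"
            continue
        }
        $principals += $p
    }

    # EXPR is organization-wide, so every CAS must resolve to the same value.
    $unique = @($principals | Select-Object -Unique)
    if ($unique.Count -ne 1) {
        Write-Warning "No single usable value (found: $($unique -join ', ')); EXPR left unchanged"
        return
    }
    if ($PSCmdlet.ShouldProcess('EXPR', "Set CertPrincipalName to $($unique[0])")) {
        Set-OutlookProvider EXPR -CertPrincipalName $unique[0]
    }
    $flags = if ($HttpFirst) { 'ServerExclusiveConnect' } else { 'None' }
    if ($PSCmdlet.ShouldProcess('EXPR', "Set OutlookProviderFlags to $flags")) {
        Set-OutlookProvider EXPR -OutlookProviderFlags $flags
    }
    Get-OutlookProvider EXPR | Format-List Name, CertPrincipalName, OutlookProviderFlags
}

Set-ExprCertPrincipalName -HttpFirst -WhatIf
```

If the warnings show that the CAS servers disagree, align the ExternalHostName or the certificate first; setting EXPR to whichever value wins the loop would just move the pop ups to the other half of your users.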

This should cover it, no more pop ups and hopefully Outlook Anywhere and you will be friends again !

ilantz

Credits (or links):

When, if and how do you modify Outlook Providers?

Set-OutlookProvider

Publishing Outlook Anywhere Using NTLM Authentication With Forefront TMG or Forefront UAG

Exchange 2013 Outlook Anywhere Considerations

Enable or disable POP3 and IMAP4 by group membership in Exchange 2007

Hi everyone !

My good friend podlisk has finally got his blog up and running; check out his script for this frequently requested task for Exchange 2007 / 2010 🙂

http://podlisk.wordpress.com/2011/01/13/enable-or-disable-pop3-and-imap4-by-group-membership-in-exchange-2007

Enjoy !

Configure Static “fake” server names for RPC over HTTPS

Hi !

This came up with a request to “fake” Exchange server names, which are actually old decommissioned servers. Users are using RPC over HTTP, and the Exchange profile they use had those server names as the actual mailbox server.

This issue might show up when performing a cross-forest migration or removing servers while manipulating name resolution using DNS CNAME records, etc..

With Exchange 2010 and Exchange 2007, Outlook Anywhere settings are applied automatically when you enable the Outlook Anywhere feature on a CAS server: the proxy names in the registry (HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\RpcProxy) are entered automatically, that is all back-end servers that were enabled for RPC over HTTP (2003) and all mailbox servers 2007 / 2010.

So by default RpcProxy will only answer for existing mailbox servers; we want to add our own “old”, “fake” Exchange server names.

Here’s how to manipulate the RpcProxy entry on the Exchange server and make it stick.

Use at your own risk!

Under each CAS you will enable for Outlook Anywhere follow these steps:

  1. Configure “PeriodicPollingMinutes” to 0; this stops the automatic settings overwrite that would remove the static entries you add in the next step. Locate the value PeriodicPollingMinutes under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSExchangeServiceHost\RpcHttpConfigurator
  2. Configure the “fake” names. For example, “email2.fake.com” will be the fake mailbox server we add.
     Append “;email2.fake.com:6001-6002;email2.fake.com:6004” to the value of “ValidPorts_AutoConfig_Exchange”.
     The String Value is under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\RpcProxy. For example:

     EX2010:6001-6002;EX2010:6004;EX2010.test.lab:6001-6002;
     EX2010.test.lab:6004;ex2k3:6001-6002;ex2k3:6004;ex2k3.test.lab:6001-6002;ex2k3.test.lab:6004;
     email2.fake.com:6001-6002;email2.fake.com:6004
  3. Restart the services: MSExchangeServiceHost and MSExchangeProtectedServiceHost
  4. IISReset
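Here is the same procedure scripted for one CAS, as an added example that is not part of the original post. It assumes an elevated PowerShell session on an Exchange 2007 / 2010 CAS where Outlook Anywhere is already enabled, uses the two registry paths named in the steps, and keeps the post’s placeholder name email2.fake.com. The function names are my own. It only appends entries that are not already present, so re-running it does not grow the value, and it supports -WhatIf.

```powershell
# Added example (not from the original post). Use at your own risk, exactly as the post says.

$RpcProxyKey     = 'HKLM:\SOFTWARE\Microsoft\Rpc\RpcProxy'
$ConfiguratorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeServiceHost\RpcHttpConfigurator'

function Get-RpcProxyEntries {
    param([Parameter(Mandatory=$true)][string]$FakeServer)
    # The two entries the post appends for a mailbox server name: ports 6001-6002 and 6004.
    return @("${FakeServer}:6001-6002", "${FakeServer}:6004")
}

function Add-StaticRpcProxyServer {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param([Parameter(Mandatory=$true)][string]$FakeServer)

    # Step 1: stop RpcHttpConfigurator from rewriting ValidPorts_AutoConfig_Exchange.
    # Caveat: from now on a newly added real mailbox server is not picked up automatically either,
    # so this value becomes something you maintain by hand on every CAS.
    if ($PSCmdlet.ShouldProcess($ConfiguratorKey, 'Set PeriodicPollingMinutes = 0')) {
        Set-ItemProperty -Path $ConfiguratorKey -Name PeriodicPollingMinutes -Value 0 -Type DWord
    }

    # Step 2: append the fake entries, skipping any that are already there.
    $current  = (Get-ItemProperty -Path $RpcProxyKey -Name ValidPorts_AutoConfig_Exchange).ValidPorts_AutoConfig_Exchange
    $existing = @($current -split ';' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    $missing  = @(Get-RpcProxyEntries -FakeServer $FakeServer | Where-Object { $existing -notcontains $_ })
    if ($missing.Count -gt 0) {
        $newValue = ($existing + $missing) -join ';'
        if ($PSCmdlet.ShouldProcess($RpcProxyKey, "Append $($missing -join ';') to ValidPorts_AutoConfig_Exchange")) {
            Set-ItemProperty -Path $RpcProxyKey -Name ValidPorts_AutoConfig_Exchange -Value $newValue
        }
    } else {
        Write-Host "$FakeServer is already listed in ValidPorts_AutoConfig_Exchange"
    }

    # Steps 3 and 4: restart the service hosts and IIS so the RPC proxy rereads the value.
    if ($PSCmdlet.ShouldProcess('MSExchangeServiceHost, MSExchangeProtectedServiceHost, IIS', 'Restart')) {
        Restart-Service MSExchangeServiceHost, MSExchangeProtectedServiceHost -Force
        iisreset | Out-Null
    }

    # Show the resulting list so the change can be reviewed.
    (Get-ItemProperty -Path $RpcProxyKey -Name ValidPorts_AutoConfig_Exchange).ValidPorts_AutoConfig_Exchange -split ';'
}

Add-StaticRpcProxyServer -FakeServer 'email2.fake.com' -WhatIf   # dry run; drop -WhatIf to apply
```

Every name in ValidPorts_AutoConfig_Exchange is a host the RPC proxy will happily forward client connections to, so keep the list to the decommissioned names you actually need and remove them once the profiles have been repointed.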

Done !

Now configure outlook to use the email2.fake.com server and configure Outlook Anywhere to verify it works.

FPSMC Agent Installation Error

Forefront Protection Server Management Console 2010 was recently released; see the FSS blog entry.

So a quick install revealed some issues with the Deploy Agent task on some servers, failing with this error:

Failed to deploy the Agent. Could not connect to net.tcp://ex-cas.contoso.com:8816/PushInstaller. The connection attempt lasted for a time span of 00:00:21.0157595. TCP error code 10060: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 192.168.5.20:8816.

Quick workaround: set the Firewall State for the domain profile to off on the specific failing servers 🙂 or configure inbound port 8816 from the FPSMC console server to that server..
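As an added example (not from the original post), this is the second of the two workarounds scripted: a single inbound rule for TCP 8816, limited to the console’s address and the domain profile, instead of switching the firewall off. It assumes Windows Server 2008 R2, where netsh advfirewall is the available tool (the New-NetFirewallRule cmdlet came later), and an elevated session on the server that failed agent deployment. The console IP is a placeholder; the port comes from the error message above.

```powershell
# Added example (not from the original post).

$ConsoleIP = '192.168.5.10'   # placeholder: address of the FPSMC console server
$AgentPort = 8816             # PushInstaller endpoint from the error message

function Add-FpsmcAgentRule {
    param([Parameter(Mandatory=$true)][string]$RemoteIP, [int]$LocalPort = 8816)
    # Scoped to one remote address and the domain profile only; the name has no spaces
    # so netsh receives it unchanged from PowerShell.
    netsh advfirewall firewall add rule name=FPSMC-PushInstaller dir=in action=allow `
        protocol=TCP localport=$LocalPort remoteip=$RemoteIP profile=domain
}

function Test-TcpPort {
    param([Parameter(Mandatory=$true)][string]$ComputerName, [int]$Port = 8816, [int]$TimeoutMs = 3000)
    # Plain TCP connect with a timeout; returns $true when the listener answers.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

Add-FpsmcAgentRule -RemoteIP $ConsoleIP -LocalPort $AgentPort
# Then, from the console server, confirm the agent listener answers before re-running the deploy task:
# Test-TcpPort -ComputerName 'ex-cas.contoso.com' -Port 8816
```

A `$false` from Test-TcpPort with the rule in place usually means the push installer is not listening yet rather than a firewall problem, which is a different troubleshooting path than the 10060 in the error above.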

Just a heads up for anyone who sees this.

Happy holidays !

Ilantz

Exchange Calendar Update Tool – Extract Mailboxes from Exchange 2010 fails

Every year in December, we in Israel (and at some other points of the year, elsewhere in the world..) have to rebase some calendar appointments..

This entry is not about daylight saving bashing 😉 but just a note to anyone who will use the Exchange Calendar Update Tool against Exchange 2010 mailboxes and servers.

I did not have enough time to find out why, or what the appropriate fix is, but here’s a workaround for the error and the empty result when extracting the mailboxes from the servers..

If you examine the msextmz extract log when the tool searches for mailboxes on the required servers, you will notice that the output is empty and zero mailboxes are reported.

Needless to say, this obviously also eliminates the possibility of extracting time zones from the mailboxes; I will not cover that issue, because in Israel we need to rebase the appointments just to reflect the current daylight saving durations..

Anyway, here’s the error:

[20-Dec-2010 12:51:56][3684]:HrProcessMailboxTable:Please log on to a profile with administrator privileges.
[20-Dec-2010 12:51:56][3684]:HrProcessMailboxTable:Unable open mailbox table for server /o=Contoso/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=EX-2010.  Error 0x80004005.
[20-Dec-2010 12:51:56][3684]:HrProcessMailboxTable:Returning Error 0x80004005

You can easily report the mailboxes from PowerShell using:

Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox | Select-Object ServerLegacyDN, LegacyExchangeDN | Export-Csv mailboxes.csv -NoTypeInformation

Then use Excel to reshape the data into the format the update tool expects, which should look like this:

ServerLegacyDN <TAB> LegacyExchangeDN <TAB> TimeZone

Save that as a TXT file and watch the formatting and tabs ! Remove all the CSV hyphens, commas etc..
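To skip the Excel round trip (and the stray CSV quoting it leaves behind), here is an added example, not from the original post, that writes the tab-separated list straight from the shell. It assumes an Exchange 2010 Management Shell; the function name, the output path and the TimeZone value are my placeholders, and it assumes the tool takes one `ServerLegacyDN <TAB> LegacyExchangeDN <TAB> TimeZone` row per mailbox with no header, matching the format shown above.

```powershell
# Added example (not from the original post).

function Export-MsExTmzMailboxList {
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        [Parameter(Mandatory=$true)][string]$TimeZone,   # placeholder value; use what your tool run expects
        [string]$Server                                   # optional: limit the list to one mailbox server
    )
    $mailboxes = if ($Server) {
        Get-Mailbox -Server $Server -ResultSize Unlimited -RecipientTypeDetails UserMailbox
    } else {
        Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox
    }

    $lines = @(foreach ($m in $mailboxes) {
        # One row per mailbox: ServerLegacyDN <TAB> LegacyExchangeDN <TAB> TimeZone
        "{0}`t{1}`t{2}" -f $m.ServerLegacyDN, $m.LegacyExchangeDN, $TimeZone
    })

    # Plain ASCII with no type header or quoting, which is what the tool choked on in the CSV.
    $lines | Out-File -FilePath $Path -Encoding ASCII
    return $lines.Count
}

$count = Export-MsExTmzMailboxList -Path 'C:\msextmz\mailboxes.txt' -TimeZone 'Israel Standard Time'
Write-Host "Wrote $count mailbox rows"
# Quick sanity check that every row really has three tab-separated fields:
Get-Content 'C:\msextmz\mailboxes.txt' | Where-Object { ($_ -split "`t").Count -ne 3 }
```

The final line should print nothing; any row it prints is one the tool will misread, typically because a legacy DN contained a tab or a line was wrapped by an editor.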


Hope this will be fixed soon, or a clarification will be published..

Until then, good luck !

and Happy Holidays !

ilantz


Some Links:

Using the Exchange Calendar Update Tool to address daylight saving time changes for Exchange Server

December 2010 DST Cumulative Update for Windows operating systems

Managing email addresses in Exchange 2010 and 2007

Shay Levi (MVP) has posted yet another great PowerShell tip;

this time he blogged about how to modify the EmailAddresses property (which is actually a MultiValuedProperty) with the new PowerShell 2.0 capabilities, making adding or removing an email address on a recipient a snap!

Check it out:

Managing email addresses in Exchange 2010
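As an added example that is mine and not Shay’s code, here is the hash-table syntax for the EmailAddresses MultiValuedProperty in two small functions: add a secondary SMTP address, and remove one, refusing to remove the primary. It assumes an Exchange 2010 Management Shell; the mailbox identity and the addresses are placeholders.

```powershell
# Added example (not from the original or linked post).

function Get-ProxyStrings {
    param([Parameter(Mandatory=$true)]$Mailbox)
    # EmailAddresses holds ProxyAddress objects; compare on their string form.
    return @($Mailbox.EmailAddresses | ForEach-Object { $_.ProxyAddressString })
}

function Add-SecondarySmtpAddress {
    param(
        [Parameter(Mandatory=$true)][string]$Identity,
        [Parameter(Mandatory=$true)][string]$Address
    )
    $mbx   = Get-Mailbox -Identity $Identity
    $proxy = "smtp:$Address"   # lower-case prefix = secondary; 'SMTP:' would make it the primary
    if ((Get-ProxyStrings $mbx) -contains $proxy) {      # -contains is case-insensitive
        Write-Host "$Address is already on $Identity"; return
    }
    # @{Add=...} appends in place: no read-modify-write of the whole collection.
    Set-Mailbox -Identity $Identity -EmailAddresses @{Add=$proxy}
}

function Remove-SecondarySmtpAddress {
    param(
        [Parameter(Mandatory=$true)][string]$Identity,
        [Parameter(Mandatory=$true)][string]$Address
    )
    $mbx = Get-Mailbox -Identity $Identity
    if ($mbx.PrimarySmtpAddress.ToString() -eq $Address) {
        throw "$Address is the primary address of $Identity; set another primary before removing it"
    }
    if ((Get-ProxyStrings $mbx) -notcontains "smtp:$Address") {
        Write-Host "$Address is not on $Identity"; return
    }
    Set-Mailbox -Identity $Identity -EmailAddresses @{Remove="smtp:$Address"}
}

Add-SecondarySmtpAddress    -Identity 'jdoe' -Address 'john.doe@contoso.com'
Remove-SecondarySmtpAddress -Identity 'jdoe' -Address 'jdoe.old@contoso.com'
Get-ProxyStrings (Get-Mailbox 'jdoe')   # read the collection back to confirm
```

Keeping the primary out of the remove path matters because a recipient with no primary SMTP address stops receiving mail, and if the mailbox is still under an email address policy, the policy (not this script) decides the primary anyway.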

Grant Full Access to All Mailboxes in Exchange 2010 – even for new databases

Hi again,

Since Exchange 2010 was released I keep running into this request from administrators and help desk personnel:

“I want full access to all mailboxes, and also to all future mailboxes too ! uh and new mailboxes in new mailbox databases too !”

🙂

The following commands will do the trick (copy the first row separately); Exchange 2010 only:

$user = Read-Host -Prompt:"Enter UserName to grant permissions";

$organization = Get-OrganizationConfig;
$databasesContainer = "CN=Databases,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups," + $organization.DistinguishedName;
Add-ADPermission -User:$user -AccessRights ExtendedRight -ExtendedRights Receive-As, Send-As, ms-Exch-Store-Admin -Identity:$databasesContainer;

And remember, with Active Directory permissions an explicit allow overrides an inherited deny, so this will work even if you do this for an admin user / group.
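Because that grant reaches every current and future mailbox in the organization, here is an added example (not from the original post) that wraps the same Add-ADPermission call with an audit of who holds it and a matching revoke. It assumes an Exchange 2010 Management Shell and the real Get-ADPermission / Remove-ADPermission cmdlets; the function names and the trustee are mine.

```powershell
# Added example (not from the original post).

$FullAccessRights = 'Receive-As', 'Send-As', 'ms-Exch-Store-Admin'

function Get-DatabasesContainerDN {
    # Same container the post targets: the parent of every mailbox database object.
    $org = Get-OrganizationConfig
    return "CN=Databases,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups," + $org.DistinguishedName
}

function Grant-AllMailboxAccess {
    param([Parameter(Mandatory=$true)][string]$User)
    Add-ADPermission -Identity (Get-DatabasesContainerDN) -User $User `
        -AccessRights ExtendedRight -ExtendedRights $FullAccessRights
}

function Revoke-AllMailboxAccess {
    param([Parameter(Mandatory=$true)][string]$User)
    Remove-ADPermission -Identity (Get-DatabasesContainerDN) -User $User `
        -AccessRights ExtendedRight -ExtendedRights $FullAccessRights -Confirm:$false
}

function Get-AllMailboxAccessHolders {
    # Every explicit Allow of Receive-As set directly on the Databases container.
    # Each of these trustees can open any mailbox in any database, including ones created later,
    # which is exactly why the list deserves a periodic look.
    Get-ADPermission -Identity (Get-DatabasesContainerDN) |
        Where-Object { -not $_.Deny -and -not $_.IsInherited -and
                       (($_.ExtendedRights -join ',') -match 'Receive-As') } |
        Select-Object User, ExtendedRights, Deny, IsInherited
}

Grant-AllMailboxAccess -User 'CONTOSO\helpdesk-full'   # placeholder trustee
Get-AllMailboxAccessHolders
# Revoke-AllMailboxAccess -User 'CONTOSO\helpdesk-full'
```

Granting to a group rather than an individual keeps the audit output short and makes the revoke a group-membership change instead of an ACL change.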

Hope this helps !

Hub Transport Role Install Failed with error 2147504141

I wanted to share an experience I’ve had installing Exchange 2010 SP1 on Windows Server 2008 R2 in a Hyper-V 2008 R2 environment.

When I tried to install a fresh server for testing Exchange 2010 SP1 Beta, setup failed when installing the Hub Transport Role:

Error:
The execution of: “$error.Clear(); install-ExsetdataAtom -AtomName SMTP -DomainController $RoleDomainController”, generated the following error: “An error occurred with error code ‘2147504141’ and message ‘The property cannot be found in the cache.’.”.

An error occurred with error code ‘2147504141’ and message ‘The property cannot be found in the cache.’.

This issue is not “new”: IPv6 tends to be disabled by default by many customers, and installations of Exchange 2007 and Exchange 2010 fail with the exact same error if IPv6 is disabled.

My virtual machine was clean and did not have IPv6 disabled, so I searched and found the following thread in the TechNet Social Forums: Hub Transport Role Install Fail error # 2147504141

A comment from Scott Landry gave a new solution for this, and it seems the error is now also related to Hyper-V, per the suggested KB http://support.microsoft.com/kb/980050 – Error message when the Exchange Server 2010 setup on a Hyper-V virtual machine fails: “2147504141”

Anyhow, disabling “Time synchronization” in the Integration Services settings of the virtual machine solved this !
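A pre-flight check for the two causes this post mentions (IPv6 disabled, and Hyper-V time synchronization active), as an added example that is not part of the original post. It assumes Windows Server 2008 R2; the service named vmictimesync is the Hyper-V Time Synchronization Service and exists only inside a Hyper-V guest, and the DisabledComponents value under the Tcpip6 key is the usual way customers switch IPv6 off. The function names are mine.

```powershell
# Added example (not from the original post). Run on the prospective Exchange server before setup.

function Test-Ipv6Enabled {
    # Absent or 0 means IPv6 is enabled; customers who disable it set DisabledComponents
    # to 0xFFFFFFFF, which Get-ItemProperty returns as -1.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
    $dc  = (Get-ItemProperty -Path $key -Name DisabledComponents -ErrorAction SilentlyContinue).DisabledComponents
    return (-not $dc) -or ($dc -eq 0)
}

function Test-HyperVTimeSyncActive {
    # $true when the guest time-sync integration service is running, i.e. the setting
    # the post turned off to get past error 2147504141. Not a Hyper-V guest: $false.
    $svc = Get-Service -Name vmictimesync -ErrorAction SilentlyContinue
    return ($svc -ne $null) -and ($svc.Status -eq 'Running')
}

function Test-HubTransportSetupPrereqs {
    $findings = @()
    if (-not (Test-Ipv6Enabled)) {
        $findings += 'IPv6 is disabled (DisabledComponents is set); setup fails with 2147504141 in this state'
    }
    if (Test-HyperVTimeSyncActive) {
        $findings += 'Hyper-V Time Synchronization is active; disable it in Integration Services before running setup'
    }
    if ($findings.Count -eq 0) { return 'No known blockers for the Hub Transport role found' }
    return $findings
}

Test-HubTransportSetupPrereqs
```

Run it again after setup completes if you re-enable time synchronization, so the next rebuild does not hit the same wall.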

Just a heads up for all of you that might encounter this.