Clint Boessen's Blog - Lots of Hints, Tips and Tricks for IT Professionals (Clint Boessen, http://www.blogger.com/profile/11156487394562821934; feed updated 2024-03-18)

Mass Converting Video Files changing Audio or Video Format (published 2022-11-05)

My family has a 12 volt projector that we take camping with us. It's a "<a href="https://www.kickassproducts.com.au/buy/kickass-12v-portable-outdoor-cinema-projector/KAODCPPROV4KIT1">KickAss 12V Portable Outdoor Cinema Projector</a>" and we have issues playing certain media types from USB flash drives because the projector often doesn't understand the audio codec (or sometimes even the video codec).<div><br /></div><div>This is common with MKV files as they can have numerous audio codecs such as AC3, DTS, AAC and so on.</div><div><br /></div><div>I noticed that certain MKV files would not play with audio on the projector because the audio format was not supported. 
If you open a file in VLC Media Player, you can press "CTRL + J" to view both the video and audio codecs being used, as shown in the following screenshot.<br /></div><div><br /></div><div>I was able to work out quickly that it was the A52 Audio (aka AC3) format that my projector didn't support.</div><div><br /></div><div><i>Note: Many Smart TVs also have issues with some codecs, so this blog post will also help with a TV, projector or any smart device that needs to decode video / audio files.</i></div><div><i><br /></i></div><div><div class="separator" style="clear: both; text-align: left;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiB-BrbYSpUQnvkfUE82gMZ2j27Ki9Pa9BLU5cxXZAnydmEemSBWjlFW2vCuWwHYj90viLgz6pDehRkLr646BepqIIue9zlTV3I6SzwkwtvtGu2SyX-qNuiZZU0Qcjq4E6mK2p9EsPkTg3jMDmDO5nIu_pAeZCJ2786h8y-Rd9Qadm-e9OcnzOQSDjY/s598/vlcaudiocodec.PNG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="445" data-original-width="598" height="476" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiB-BrbYSpUQnvkfUE82gMZ2j27Ki9Pa9BLU5cxXZAnydmEemSBWjlFW2vCuWwHYj90viLgz6pDehRkLr646BepqIIue9zlTV3I6SzwkwtvtGu2SyX-qNuiZZU0Qcjq4E6mK2p9EsPkTg3jMDmDO5nIu_pAeZCJ2786h8y-Rd9Qadm-e9OcnzOQSDjY/w640-h476/vlcaudiocodec.PNG" width="640" /></a></div><br /><div class="separator" style="clear: both; text-align: left;"><br /></div></div><div>Knowing it's a codec issue, we needed to convert the video files to a format the projector could understand.</div><div><br /></div><div>There are lots of tools on the Internet for converting codecs on video files; however, as I had a lot of videos, I wanted to automate this across numerous files.</div><div><br /></div><div>I came across a free command-line conversion tool called ffmpeg that you can download from the following link:</div><div><br /></div><div><a href="https://ffmpeg.org/download.html">https://ffmpeg.org/download.html</a></div><div><br /></div><div>Being open 
source and cross platform, it stood out from most of the paid software on the Internet. This program also has a large community behind it.</div><div><br /></div><div>Like anything open source it comes with an excellent manual with all the syntax for the command line tool, available <a href="https://ffmpeg.org/ffmpeg.html">here.</a></div><div><br /></div><div>To automate the conversion, move all MKV files (or another video format) to a folder by themselves.</div><div><br /></div><div>Create a batch script as follows and name it something like <b>convertffmpeg.bat</b>, placing it in the same folder as your MKV files.</div><div><br /></div><blockquote style="border: none; margin: 0px 0px 0px 40px; padding: 0px; text-align: left;"><div><div><b><span style="color: #2b00fe;">set avidemux="C:\ffmpeg-5.1.2-full_build\bin\ffmpeg.exe"</span></b></div></div><div><div><b><span style="color: #2b00fe;">set videocodec=copy</span></b></div></div><div><div><b><span style="color: #2b00fe;">set audiocodec=aac</span></b></div></div><div><div><b><span style="color: #2b00fe;"><br /></span></b></div></div><div><div><b><span style="color: #2b00fe;">for %%f in (*.mkv) do %avidemux% -i "%%f" -c:v %videocodec% -c:a %audiocodec% -channel_layout "5.1" "converted %%f"</span></b></div></div></blockquote><div><br /></div><div>This batch script does the following:</div><div><ul style="text-align: left;"><li>Sets the location of ffmpeg.exe</li><li>Tells ffmpeg.exe to keep the video codec "as is"</li><li>Sets the audio codec to AAC format.</li><li>Then, for each MKV file, runs ffmpeg.exe with the conversion.</li><li>Names the converted files "converted + original filename.mkv"<br /></li></ul><div>This script will automatically convert all files to the new format as shown in the following screenshot.</div></div><div><br /></div><div class="separator" style="clear: both; text-align: left;"><a 
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhuFFC1VqeLMrRfefmcd98GFV0NIJ8uBUO-VTCFmt6vUxSn4zpH25eYDRA7wjWE7tOnbtYXV0mARshdc-ZTVDGZnnej5jUPvfKMQaowJkRcSvayiTBaiJ7UMOrjbgsiUEZR7LoDpm8mxVKYsjrUNswC30saHjQtVI0mxM7eGfEcYK0Ar97Yvu2x4LKo/s833/videoconverting.PNG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="512" data-original-width="833" height="394" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhuFFC1VqeLMrRfefmcd98GFV0NIJ8uBUO-VTCFmt6vUxSn4zpH25eYDRA7wjWE7tOnbtYXV0mARshdc-ZTVDGZnnej5jUPvfKMQaowJkRcSvayiTBaiJ7UMOrjbgsiUEZR7LoDpm8mxVKYsjrUNswC30saHjQtVI0mxM7eGfEcYK0Ar97Yvu2x4LKo/w640-h394/videoconverting.PNG" width="640" /></a></div><br /><div><i><br /></i></div><div><i>Note: In my example I converted the audio from AC3 format to AAC. During this conversion I had an issue with the 5.1 audio and VLC showed the channels as "ERROR". The mapping of audio channels was also incorrect during the conversion (Center should map to Center, Right Front to Right Front, Left Front to Left Front, and so on).</i><i> Telling ffmpeg.exe that it was 5.1 channel audio with the channel_layout option fixed this issue. This article was also very helpful in showing what kind of audio channel manipulation you can do: <a href="https://trac.ffmpeg.org/wiki/AudioChannelManipulation">https://trac.ffmpeg.org/wiki/AudioChannelManipulation</a></i></div><div><br /></div><div>I also tried setting the audio codec to MP3 without the channel_layout set to 5.1. This fixed the audio problem, but MP3 is only stereo (to my understanding), so it would have stripped the additional channels of audio. 
You may not need to specify the channel_layout if you're converting to other formats, <b><u>I would try it without first!</u></b></div><div><br /></div><div>The following table was also useful in understanding which audio codec types can go with which video formats.</div><div><br /></div><div class="separator" style="clear: both; text-align: left;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQ-sJSu-mnXvSR-zxhZLmzvc36qnE5LSKCmxbGJurl9rzfL8o0QoEDnfU9kh3dclsvBZxBWIHsUdQox5ywKie71YoyNiaSBCNOdfv8lqvVQZa-GpqS2_0MwK3Tn3x2jqFTa22i0LBlggC3Lr76Ns3Kl5T1gH_fAscAHKER5lbLGFTM98yzf_fvH2-z/s984/audioformatsupported.PNG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="363" data-original-width="984" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQ-sJSu-mnXvSR-zxhZLmzvc36qnE5LSKCmxbGJurl9rzfL8o0QoEDnfU9kh3dclsvBZxBWIHsUdQox5ywKie71YoyNiaSBCNOdfv8lqvVQZa-GpqS2_0MwK3Tn3x2jqFTa22i0LBlggC3Lr76Ns3Kl5T1gH_fAscAHKER5lbLGFTM98yzf_fvH2-z/s16000/audioformatsupported.PNG" /></a></div><br /><div><br /></div><div>After the script has processed all MKV files in the directory, we can see the audio format has changed to MPEG AAC format.</div><div><br /></div><div class="separator" style="clear: both; text-align: left;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi_WTCDEpVSrK70E2JOjzLKX-2zVClZSpVccd2qsL493XoUyF2CvOHSwTzFxHb0bmdNK6IfH48ClS8UE4S0z0PIYLGNMGS4aJveN5QLmBgn7xPT0IDoI3aA9QX26Xoq30SGWuZa0Crg1kOv0HCvmiw4mjjmbIJgDBX3v_iVfA9zNbOH83bP-07Q-9ZJ/s588/vlcaudiocodec2.PNG" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="451" data-original-width="588" height="490" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi_WTCDEpVSrK70E2JOjzLKX-2zVClZSpVccd2qsL493XoUyF2CvOHSwTzFxHb0bmdNK6IfH48ClS8UE4S0z0PIYLGNMGS4aJveN5QLmBgn7xPT0IDoI3aA9QX26Xoq30SGWuZa0Crg1kOv0HCvmiw4mjjmbIJgDBX3v_iVfA9zNbOH83bP-07Q-9ZJ/w640-h490/vlcaudiocodec2.PNG" width="640" /></a></div><br /><div><br 
/></div><div>Hopefully this blog post was helpful: a quick way to convert your video files to a format your TV / projector can understand.</div><div class="blogger-post-footer"><p>
Feel free to email me clint@kbomb.com.au if you have any questions about this post.
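As an added example (not part of the original post, and not the author's batch script), here is a PowerShell version of the same conversion loop. It first asks ffprobe (shipped alongside ffmpeg.exe in the same bin folder) which audio codec and how many channels each file has, remuxes files whose audio is already playable instead of re-encoding them, and only adds the 5.1 channel_layout for six-channel sources so stereo files are left untouched. The ffmpeg path is the one from the post; the list of codecs the player supports ($SupportedAudio) and the output folder name are assumptions.

```powershell
# Added example, not the original batch script: probe the audio codec first, then
# convert only what the player cannot play. Assumes ffmpeg/ffprobe in the post's path.
$FfmpegBin      = 'C:\ffmpeg-5.1.2-full_build\bin'
$Ffmpeg         = Join-Path $FfmpegBin 'ffmpeg.exe'
$Ffprobe        = Join-Path $FfmpegBin 'ffprobe.exe'
$SupportedAudio = @('aac', 'mp3')                       # assumed: what this projector plays
$OutDir         = Join-Path (Get-Location) 'converted'  # separate folder, so re-runs skip outputs
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

function Get-AudioStreamInfo {
    param([string]$Path)
    # ffprobe prints "codec_name,channels" for the first audio stream, e.g. "ac3,6"
    $line = & $Ffprobe -v error -select_streams a:0 `
                -show_entries stream=codec_name,channels -of csv=p=0 $Path
    if (-not $line) { return $null }
    $codec, $channels = ($line | Select-Object -First 1).Trim().Split(',')
    [pscustomobject]@{ Codec = $codec; Channels = [int]$channels }
}

foreach ($file in Get-ChildItem -Path (Get-Location) -Filter *.mkv -File) {
    $info = Get-AudioStreamInfo -Path $file.FullName
    if (-not $info) { Write-Warning "$($file.Name): no audio stream found, skipping"; continue }

    $target = Join-Path $OutDir $file.Name
    if ($SupportedAudio -contains $info.Codec) {
        # Nothing to transcode: remux as-is (fast, lossless) so every output lands in one folder
        Write-Host "$($file.Name): audio is $($info.Codec), remuxing without re-encoding"
        & $Ffmpeg -n -v error -i $file.FullName -c copy $target
        continue
    }

    # Same recipe as the batch script: keep the video stream, re-encode audio to AAC
    $ffArgs = @('-n', '-v', 'error', '-i', $file.FullName, '-c:v', 'copy', '-c:a', 'aac')
    # The post needed an explicit layout for 5.1 AC3 to keep the channel mapping right;
    # only add it for six-channel sources so stereo files are left alone
    if ($info.Channels -eq 6) { $ffArgs += @('-channel_layout', '5.1') }
    $ffArgs += $target
    Write-Host "$($file.Name): $($info.Codec) ($($info.Channels) ch) -> aac"
    & $Ffmpeg @ffArgs
    if ($LASTEXITCODE -ne 0) { Write-Warning "$($file.Name): ffmpeg exited with code $LASTEXITCODE" }
}
```

Run it from the folder holding the MKV files; outputs land in a `converted` subfolder, which also avoids the batch script's habit of picking up its own "converted ..." outputs on a second run. `-n` tells ffmpeg never to overwrite an existing output, so an interrupted batch can simply be re-run.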
</p></div>

Resetting Broken Default Exchange RBAC (published 2021-05-03)

<p>I had a customer who needed to re-create the default Exchange groups under the "Microsoft Exchange Security Groups" organisational unit. This was necessary because someone had moved these groups to another location (not supported) and the support engineer was unable to move the groups back to their original location due to an error.</p><p>Moving the default groups results in you being unable to:</p><p></p><ul style="text-align: left;"><li>Install new Exchange Servers into the organisation</li><li>Perform Cumulative Updates</li><li>Perform Recover Server installations</li></ul><div>After recreating the groups, all AssignedRoles were stripped off the default Role Groups.</div><p></p><div class="separator" style="clear: both; text-align: left;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjQZF8KUX_IQ3o4KWF49PkzuHXI_MlRDVNsFQmApz7KJq4usf910kAXR6uEKbKfpC2HuHuuDr-L0oXmDjEledOycr-tsuAYU7MvpCz0E3kUjC7JBd3ghClZCH0L69HrrSokS8IYu-U3O3Y/s940/rbac1.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="770" data-original-width="940" height="525" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjQZF8KUX_IQ3o4KWF49PkzuHXI_MlRDVNsFQmApz7KJq4usf910kAXR6uEKbKfpC2HuHuuDr-L0oXmDjEledOycr-tsuAYU7MvpCz0E3kUjC7JBd3ghClZCH0L69HrrSokS8IYu-U3O3Y/w640-h525/rbac1.png" width="640" /></a></div><p>The server is fully functional; however, administrators are unable to administer Exchange.</p><p>The only way we were able to access Exchange with administrative access was to add the Exchange snap-in from an administrative PowerShell.</p><p><b>add-pssnapin *exch*</b></p><p>To restore the default Role Based Access Control objects to their factory-install state, use the following commands from the same 
administrative PowerShell session.</p><p><b>Add-Pssnapin *Setup*</b></p><p><b>Install-CannedRbacRoleAssignments -InvocationMode Install -Verbose</b></p><p><b>Install-CannedRbacRoles -Verbose</b></p><p><b>Install-CannedRbacRoleAssignmentsRAP -Verbose</b></p><div class="separator" style="clear: both; text-align: left;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgKr7S68CKAHZrxfI9vtSv7ck6pLbrrcxWk7VvNyhJ2au26D01e38dA_7hHWLQeLBbUXai1qewAiTnHhAOwhREebNxwkDeW67XUGGI1HE-WQd_lKvlWSQcUGrGD0BJvz7dO3PuSwZSf1eU/s871/rbac2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="700" data-original-width="871" height="514" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgKr7S68CKAHZrxfI9vtSv7ck6pLbrrcxWk7VvNyhJ2au26D01e38dA_7hHWLQeLBbUXai1qewAiTnHhAOwhREebNxwkDeW67XUGGI1HE-WQd_lKvlWSQcUGrGD0BJvz7dO3PuSwZSf1eU/w640-h514/rbac2.png" width="640" /></a></div><br /><div>This restores access so administrators can use the Exchange Admin Center and the Exchange Management Shell again.</div><p></p><div class="blogger-post-footer"><p>
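An added check (example code, not from the post) that makes the symptom above visible and confirms the repair afterwards: it lists every role group with the number of management role assignments it holds, so role groups that have been stripped of their roles stand out, and keeps a CSV copy so the restored state can be compared with the earlier one. It uses the Get-RoleGroup and Get-ManagementRoleAssignment cmdlets that the snap-in the post adds provides; the baseline CSV path is an assumption.

```powershell
# Added example, not from the post: report role groups that hold no role assignments.
# Run after "add-pssnapin *exch*" (as the post does) or in an Exchange Management Shell.
$BaselinePath = 'C:\Temp\rbac-baseline.csv'   # assumed location for the before/after comparison

function Get-RoleGroupReport {
    foreach ($group in Get-RoleGroup -ResultSize Unlimited) {
        # One assignment per role; an empty list is exactly the "stripped" state the post describes
        $assignments = @(Get-ManagementRoleAssignment -RoleAssignee $group.Identity -ErrorAction SilentlyContinue)
        [pscustomobject]@{
            RoleGroup   = $group.Name
            Assignments = $assignments.Count
            Roles       = (($assignments | ForEach-Object { [string]$_.Role }) | Sort-Object -Unique) -join '; '
        }
    }
}

$report = Get-RoleGroupReport
$report | Sort-Object Assignments, RoleGroup | Format-Table -AutoSize

$stripped = @($report | Where-Object Assignments -eq 0)
if ($stripped.Count -gt 0) {
    Write-Warning ('{0} role group(s) have no role assignments: {1}' -f $stripped.Count, ($stripped.RoleGroup -join ', '))
    Write-Warning 'Run the Install-CannedRbac* commands from the post, then run this report again.'
}

# Keep a copy so the restored state can be diffed against the earlier one: roles that
# appear after the repair but were never there before deserve a second look
if (Test-Path $BaselinePath) {
    $before = Import-Csv $BaselinePath
    Compare-Object $before $report -Property RoleGroup, Roles | Format-Table -AutoSize
} else {
    $report | Export-Csv -Path $BaselinePath -NoTypeInformation
}
```

The first run writes the baseline and warns about empty role groups; after the Install-CannedRbac* commands, a second run shows the difference as Compare-Object output, which is a quick way to confirm that only the default assignments came back.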
</p></div>

Troubleshooting Account Lockouts in Active Directory (published 2020-09-18)

<p>In this post we will look at troubleshooting Account Lockouts in Active Directory. In my experience, identifying the source of an Account Lockout can be easy or extremely difficult.</p>
<p>When an authentication attempt with an incorrect password hits a domain controller, the attempt is retried against the Primary Domain Controller (PDC) emulator. This is because of Active Directory replication intervals: if you reset a user's password, it may take a few hours for the change to propagate across the network, depending on how your Inter-Site Transport links are configured in AD Sites and Services. The Primary Domain Controller (PDC) always has the latest passwords (one of the many things the PDC emulator role is responsible for).</p>
<p>The easiest way to troubleshoot Account Lockouts is simply to log in to the Primary Domain Controller and review the Security log, as it will contain all account lockouts that have occurred across all domain controllers. The Event ID that represents an account lockout is Event ID 4740.</p><p>The screenshot below shows a typical Account Lockout event on the PDC. It displays the account name that was locked out and the computer from which the lockout originated.</p><div class="separator" style="clear: both; text-align: left;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhnviMtj9CVfoxdqZh1l3XBmacOf6tdX5wNPQKPofWi6HFkn91yQRgzTmUbTN9nFj-B4ySraey8DfbxEI0ZQm0yQUq-Ne9rbLbj1gLDKU6mF7sbq6m0G7BRMFg5PEf_p0SrnOneWC-obqI/s714/accountlockout.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="544" data-original-width="714" height="488" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhnviMtj9CVfoxdqZh1l3XBmacOf6tdX5wNPQKPofWi6HFkn91yQRgzTmUbTN9nFj-B4ySraey8DfbxEI0ZQm0yQUq-Ne9rbLbj1gLDKU6mF7sbq6m0G7BRMFg5PEf_p0SrnOneWC-obqI/w640-h488/accountlockout.png" width="640" /></a></div><br /><p>However, this is where it can get more complicated. If the lockout came from a system that is not in Active Directory, the "Caller Computer Name" value will be blank. This covers numerous scenarios, such as:</p><p></p><ul style="text-align: left;"><li>Mobile devices (Android / iOS) authenticating against an Exchange Server through ActiveSync.</li><li>Proxy servers</li><li>Java applications</li><li>UNIX/Linux systems</li><li>Other non-domain joined computers.</li></ul><div>For these events we cannot only look at the PDC Emulator; we need to look at where the "Bad Pwd Count" is incrementing and the "Last Bad Pwd" timestamp across all domain controllers in the Active Directory domain. 
Microsoft has a tool called lockoutstatus.exe that lets us easily identify the domain controller on which the lockout occurred, so we can review the Security log on the domain controller in question.</div><div><br /></div><div>Download this tool from here:</div><div><br /></div><div><a href="https://www.microsoft.com/en-au/download/details.aspx?id=15201">https://www.microsoft.com/en-au/download/details.aspx?id=15201</a></div><div><br /></div><div>If you want to see it utilised, refer to this post:</div><div><br /></div><div><a href="https://clintboessen.blogspot.com/2018/08/troubleshooting-account-lockouts.html">https://clintboessen.blogspot.com/2018/08/troubleshooting-account-lockouts.html</a></div><p></p><p>The Security log Event IDs you want to filter on are as follows:</p><p></p><ul style="text-align: left;"><li>Event ID 4625 - An account failed to log on</li><li>Event ID 4776 - The computer attempted to validate the credentials for an account.</li><li>Event ID 4771 - Kerberos pre-authentication failed</li></ul><div><i>Note: The Event IDs for Windows Server 2000/2003 are different, but I assume you're not running those anymore!</i></div><div><br /></div><div>These Event IDs reveal the source IP address from which the authentication attempt failed.</div><p></p><p>For many companies still running on-premises Exchange, mobile devices on ActiveSync are a common cause of account lockouts. If you have confirmed using the Event IDs above that the account lockout is coming from your Exchange Server, you can use the IIS logs to identify the device and external IP address that caused the lockout. Check the IIS logs on the Exchange Server for an HTTP 401 "Unauthorized" response for the user in question. IIS logs can easily be imported into Excel for formatting and review. Also check out the following blog post, which has a Logparser.exe query that lets you quickly search IIS logs for the account lockout. 
</p><p><a href="http://messagingadmins.blogspot.com/2014/08/troubleshoot-exchange-cas-server-is-lockout-source.html">http://messagingadmins.blogspot.com/2014/08/troubleshoot-exchange-cas-server-is-lockout-source.html</a></p><p>In addition to the HTTP 401 "Unauthorized" response, the Exchange IIS logs can also provide further detail in the sc-win32-status code:</p><p></p><ul style="text-align: left;"><li>1326 - The user name or password is incorrect.</li><li>1330 - The password for this account has expired.</li><li>1331 - This user can't sign in because this account is currently disabled.</li><li>1909 - The referenced account is currently locked out and may not be logged on to.</li></ul><div><i>Note: I have seen an account lockout event at a customer site where 4771 Event IDs were logged pointing at the Exchange Server, however I could not see the user account in the IIS logs with the 401. </i></div><p></p>
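Here is an added example (not from the post, and not the Logparser query it links to) of the IIS log search described above in PowerShell: it reads the W3C `#Fields:` header to find the columns, keeps only HTTP 401 responses for the user in question, and decodes the sc-win32-status values listed above. One detail the post's note about "not seeing the user in the IIS logs" hints at: when authentication fails, cs-username is usually logged as "-", but ActiveSync still carries the account in the `User=` query-string parameter, so the function matches on both. The log lines embedded below are constructed sample data, not real logs.

```powershell
# Added example, not from the post: find HTTP 401 responses for one user in IIS W3C logs
# and decode sc-win32-status. The log lines below are constructed sample data.
$Win32Status = @{
    '1326' = 'The user name or password is incorrect'
    '1330' = 'The password for this account has expired'
    '1331' = 'This account is currently disabled'
    '1909' = 'The referenced account is currently locked out'
}

function Get-FailedLogons {
    param([string[]]$Lines, [string]$User)
    $fields  = $null
    $pattern = [regex]::Escape($User)
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {               # the header defines the column order
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if (-not $fields -or $line.StartsWith('#') -or -not $line.Trim()) { continue }
        $cols = $line -split '\s+'
        $row  = @{}
        for ($i = 0; $i -lt [Math]::Min($fields.Count, $cols.Count); $i++) { $row[$fields[$i]] = $cols[$i] }
        if ($row['sc-status'] -ne '401') { continue }
        # cs-username is usually "-" when auth fails; ActiveSync still puts the user in the query string
        $query = [uri]::UnescapeDataString([string]$row['cs-uri-query'])
        if ($row['cs-username'] -notmatch $pattern -and $query -notmatch "User=[^&]*$pattern") { continue }
        $code   = [string]$row['sc-win32-status']
        $reason = if ($Win32Status.ContainsKey($code)) { $Win32Status[$code] } else { "unknown ($code)" }
        [pscustomobject]@{
            Time      = '{0} {1}' -f $row['date'], $row['time']
            ClientIP  = $row['c-ip']
            UserAgent = $row['cs(User-Agent)']
            Win32     = $code
            Reason    = $reason
        }
    }
}

# Constructed sample log: two bad passwords from one iPhone followed by the lockout,
# plus an unrelated successful OWA request that must be ignored
$SampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2020-09-18 08:01:12 10.0.0.5 POST /Microsoft-Server-ActiveSync/default.eas Cmd=Sync&User=contoso%5Cjsmith&DeviceId=ABC123&DeviceType=iPhone 443 - 203.0.113.10 Apple-iPhone11C2/1801.21 401 1 1326 15
2020-09-18 08:01:13 10.0.0.5 POST /Microsoft-Server-ActiveSync/default.eas Cmd=Sync&User=contoso%5Cjsmith&DeviceId=ABC123&DeviceType=iPhone 443 - 203.0.113.10 Apple-iPhone11C2/1801.21 401 1 1326 12
2020-09-18 08:01:20 10.0.0.5 POST /Microsoft-Server-ActiveSync/default.eas Cmd=Ping&User=contoso%5Cjsmith&DeviceId=ABC123&DeviceType=iPhone 443 - 203.0.113.10 Apple-iPhone11C2/1801.21 401 1 1909 3
2020-09-18 08:02:02 10.0.0.5 GET /owa/ - 443 contoso\abrown 198.51.100.7 Mozilla/5.0 200 0 0 40
'@

$hits = Get-FailedLogons -Lines ($SampleLog -split '\r?\n') -User 'jsmith'
$hits | Format-Table -AutoSize
# Group by source so the offending device stands out: here one iPhone at 203.0.113.10
$hits | Group-Object ClientIP, UserAgent | ForEach-Object { '{0,3} x {1}' -f $_.Count, $_.Name }
```

Against real logs, replace the sample with something like `Get-FailedLogons -Lines (Get-Content 'C:\inetpub\logs\LogFiles\W3SVC1\u_ex200918.log') -User 'jsmith'` (the default IIS log location and file naming; adjust for your site). Seeing 1326 entries from one client IP followed by 1909 is the pattern that pins the lockout on that device.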
<div>More Reading / References:</div><div><br /></div><a href="https://www.business.com/articles/powershell-active-directory-lockouts/">https://www.business.com/articles/powershell-active-directory-lockouts/</a>
<div><p class="MsoNormal"><a href="https://social.technet.microsoft.com/Forums/en-US/735602f0-3ddc-4bb4-b6ba-dffcb7605ca1/account-lockout-on-windows-2008-r2-and-windows-7?forum=winserverDS">https://social.technet.microsoft.com/Forums/en-US/735602f0-3ddc-4bb4-b6ba-dffcb7605ca1/account-lockout-on-windows-2008-r2-and-windows-7?forum=winserverDS</a></p><p class="MsoNormal"><a href="https://www.windowstricks.in/2016/06/account-lockout-caller-computer-name-blank-cisco-workstation-domain-controller.html">https://www.windowstricks.in/2016/06/account-lockout-caller-computer-name-blank-cisco-workstation-domain-controller.html</a></p>
<p class="MsoNormal"><a href="https://kb.netwrix.com/2744">https://kb.netwrix.com/2744</a></p></div><div><br /></div><div>I also recommend reading the following article, "The Low Down on Password Policies".</div><div><br /></div><div><a href="https://clintboessen.blogspot.com/2009/12/low-down-on-password-policies.html">https://clintboessen.blogspot.com/2009/12/low-down-on-password-policies.html</a></div><div><br /></div><div>Hopefully this post has been informative for you in troubleshooting Account Lockouts.</div><div><br /></div><div class="blogger-post-footer"><p>
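The two domain controller checks this post describes, as an added PowerShell example (not from the post, and not lockoutstatus.exe): it pulls the 4740 lockout events for one account from the PDC emulator's Security log, then reads badPwdCount and the last bad password time from every domain controller, which is what lockoutstatus.exe displays and is needed whenever "Caller Computer Name" is blank, because those attributes are not replicated. It assumes the ActiveDirectory RSAT module and remote Security log access to the domain controllers; the script name in the usage note is assumed.

```powershell
# Added example, not from the post: where is the lockout coming from?
# 1) read 4740 lockout events for the account from the PDC emulator's Security log
# 2) read badPwdCount / LastBadPasswordAttempt from every DC (not replicated), which is
#    what lockoutstatus.exe shows, to find the DC that is actually seeing the bad passwords
# Assumes the ActiveDirectory RSAT module and remote event log access to the DCs.
param([Parameter(Mandatory)][string]$SamAccountName, [int]$Hours = 24)
Import-Module ActiveDirectory

$pdc   = (Get-ADDomain).PDCEmulator
$since = (Get-Date).AddHours(-$Hours)

# In a 4740 event TargetUserName is the locked account and TargetDomainName holds the
# "Caller Computer Name" (blank for non-domain sources, as the post explains)
$lockouts = Get-WinEvent -ComputerName $pdc -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $since } |
    ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time           = $_.TimeCreated
            Account        = $data['TargetUserName']
            CallerComputer = $data['TargetDomainName']
        }
    } | Where-Object Account -eq $SamAccountName

"--- 4740 lockouts for $SamAccountName on PDC $pdc (last $Hours h) ---"
$lockouts | Format-Table -AutoSize

$perDc = foreach ($dc in Get-ADDomainController -Filter * | Sort-Object HostName) {
    try {
        $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                -Properties badPwdCount, LastBadPasswordAttempt, LockedOut
        [pscustomobject]@{
            DC          = $dc.HostName
            IsPDC       = ($dc.HostName -eq $pdc)
            BadPwdCount = [int]$u.badPwdCount
            LastBadPwd  = $u.LastBadPasswordAttempt
            LockedOut   = $u.LockedOut
        }
    } catch {
        Write-Warning "$($dc.HostName): $($_.Exception.Message)"
    }
}

"--- per-DC bad password state (non-replicated attributes) ---"
$perDc | Sort-Object LastBadPwd -Descending | Format-Table -AutoSize

# The DC with the most recent bad password is the one whose Security log holds the
# 4625 / 4776 / 4771 events carrying the source IP address
$source = $perDc | Where-Object BadPwdCount -gt 0 | Sort-Object LastBadPwd -Descending | Select-Object -First 1
if ($source) {
    "Next: on $($source.DC) filter the Security log for Event IDs 4625, 4776 and 4771 around $($source.LastBadPwd)"
} else {
    "No DC currently reports a bad password count for $SamAccountName"
}
```

Save it as, for example, `Find-LockoutSource.ps1` and run `.\Find-LockoutSource.ps1 -SamAccountName jsmith`. The per-DC table is the part lockoutstatus.exe gives you; the final line tells you which domain controller's Security log to open next, which is the step the post describes for non-domain-joined sources.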
</p></div>

Exchange Not Functional after installing Patches (published 2020-07-19, updated 2021-03-04)

<div dir="ltr" style="text-align: left;" trbidi="on">
We had an Exchange 2016 server running Cumulative Update 15 that was rendered non-functional by a Windows Update. The update installed was the Security Update for Exchange 2016, KB4536987.<br />
<div>
<br /></div>
<div>
After the update, the following symptoms were experienced.</div>
<div>
<br /></div>
<div>
All Outlook clients received the following message when attempting to open Outlook.</div>
<div>
<br /></div>
<div>
<span style="color: red;">Cannot start Microsoft Outlook. Cannot open the Outlook window. The set of folders cannot be opened. The attempt to log on to Microsoft Exchange has failed.</span><br />
<br /></div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjsEDhUW9ROILKKAEQfUCQxASPCsVlEw0OmjQzI8ycjX5gqQ3eDfFL-04eJ2B9PzCiQh-HQBU7eisd5KWTHmO0xFsEcaH4AezAVAqqXVFr2ol89bymhFyOogcRXrgZtc2uy4blGbqiRCdI/s1600/couldnotstartoutlook.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="137" data-original-width="359" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjsEDhUW9ROILKKAEQfUCQxASPCsVlEw0OmjQzI8ycjX5gqQ3eDfFL-04eJ2B9PzCiQh-HQBU7eisd5KWTHmO0xFsEcaH4AezAVAqqXVFr2ol89bymhFyOogcRXrgZtc2uy4blGbqiRCdI/s1600/couldnotstartoutlook.png" /></a></div>
<div>
<br /></div>
<div>
Users could log on to Outlook Web App (OWA) but could not send email. All messages sent went straight to the Drafts folder with the message:<br />
<br />
<span style="color: red;">Something went wrong and we haven't been able to send your message yet.</span><br />
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj8oQIL51470hGJiwQRRw-moYZdT36bU_F0CVW_je-vXvoOP0qt1VLOtriEx5y6-L7rJYtAg6QevJfCg9jjaIcLyracoXQqTtuLVjogckfeFrNWyzG788goQP3WcmRUepfm4XK5C-PrrsE/s1600/owadraftfolder.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="377" data-original-width="1180" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj8oQIL51470hGJiwQRRw-moYZdT36bU_F0CVW_je-vXvoOP0qt1VLOtriEx5y6-L7rJYtAg6QevJfCg9jjaIcLyracoXQqTtuLVjogckfeFrNWyzG788goQP3WcmRUepfm4XK5C-PrrsE/s1600/owadraftfolder.png" /></a></div>
<br /></div>
<div>
The Exchange Remote Connectivity Analyzer tool passed all tests under "Outlook Connectivity".<br />
<br />
Attempting to connect to the SMTP service on localhost results in the SMTP Error Code "421 4.3.2 Service not active".<br />
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhC1RKdzIPQVGJM7yc11wupPA8dg8QWgwD5Y7gJ5bGlgAs38r8bYMEZ9_G5H4KSnO8qBl3emY9ckkYrQ2s4TPPo5IODEkFZsppKAuBMRGWZaQSYZCrOx-f63wZGDC8kveRiGZZr_cJjkGU/s1600/telnetlocalhost.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="160" data-original-width="602" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhC1RKdzIPQVGJM7yc11wupPA8dg8QWgwD5Y7gJ5bGlgAs38r8bYMEZ9_G5H4KSnO8qBl3emY9ckkYrQ2s4TPPo5IODEkFZsppKAuBMRGWZaQSYZCrOx-f63wZGDC8kveRiGZZr_cJjkGU/s1600/telnetlocalhost.png" /></a></div>
<br />
This led me to a previous blog post:<br />
<br />
<div class="MsoNormal">
<a href="http://clintboessen.blogspot.com/2015/10/exchange-2013-421-432-service-not-active.html">http://clintboessen.blogspot.com/2015/10/exchange-2013-421-432-service-not-active.html</a></div>
<br />
The Server Component States were inactive on all Exchange Services after the patch.<br />
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhfoko-FpEHaTPjj4zUPg8WxnM9c4ViovYQEcL0uF5eKf-7L5PME5kVVgLRYPvRRyTB7k6B4U8_AaD0Bz_rpf6jQUNUP8YXLCOhG6VxG5x5ZffZBVCMXtYEZ2aWMGioOaSS_vdIPvbi4rY/s1600/servicecomponentstate.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="425" data-original-width="602" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhfoko-FpEHaTPjj4zUPg8WxnM9c4ViovYQEcL0uF5eKf-7L5PME5kVVgLRYPvRRyTB7k6B4U8_AaD0Bz_rpf6jQUNUP8YXLCOhG6VxG5x5ZffZBVCMXtYEZ2aWMGioOaSS_vdIPvbi4rY/s1600/servicecomponentstate.png" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
In my previous blog post, I used the following command to activate the component states.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<b>Set-ServerComponentState -State Active -Requester Maintenance -Identity SERVER -Component ServerWideOffline</b></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiVCzbs2MtGvytwarj_ybL_DVUxUh0oBN1C7UYWu8VcqCyb4KYJuaeFFzYd9xSoOiSqhoSjywbtYAoOG37zoJoecyRmArRudDE5hrvj3B4q0hg9wk47pdwHEVwKScOTvuh1pn8NOO4W9AY/s1600/setservercomponentstate.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="68" data-original-width="969" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiVCzbs2MtGvytwarj_ybL_DVUxUh0oBN1C7UYWu8VcqCyb4KYJuaeFFzYd9xSoOiSqhoSjywbtYAoOG37zoJoecyRmArRudDE5hrvj3B4q0hg9wk47pdwHEVwKScOTvuh1pn8NOO4W9AY/s1600/setservercomponentstate.png" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
This however did not work... All components remained in the state Inactive.<br />
<br />
To change the component states to Active, I needed to change the requester to Functional.<br />
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-xcDb1ZVvLgvi3F-3wQ_suL-4paUbqSvZez_e39QeBylE5Nv4aAopjeGISzHD88sTNmTHhQ1ugVTKBK8zXGu_HKC13XJj8eBd86kEZzJnYJ9eg0weCz3EQM18_MM8DBNCsgA_KmrI6tk/s1600/setservercomponentstate2.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="94" data-original-width="926" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-xcDb1ZVvLgvi3F-3wQ_suL-4paUbqSvZez_e39QeBylE5Nv4aAopjeGISzHD88sTNmTHhQ1ugVTKBK8zXGu_HKC13XJj8eBd86kEZzJnYJ9eg0weCz3EQM18_MM8DBNCsgA_KmrI6tk/s1600/setservercomponentstate2.png" /></a></div>
<br />
Boom we were back online!<br />
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjIiOgOb9Wz3H3dR1PhKwxSfmFaVdbw7jajyCXXBaJkirlf8jnWT_j27PpOm9rb55lFZhRv5Gc99Wxd2YwLXpvMtCxd6Nhnf3m0SL28eRHubSwitbkGr93gnJ5rK9D8s9OOysWc29SOlsM/s1600/servicecomponentstate2.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="348" data-original-width="602" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjIiOgOb9Wz3H3dR1PhKwxSfmFaVdbw7jajyCXXBaJkirlf8jnWT_j27PpOm9rb55lFZhRv5Gc99Wxd2YwLXpvMtCxd6Nhnf3m0SL28eRHubSwitbkGr93gnJ5rK9D8s9OOysWc29SOlsM/s1600/servicecomponentstate2.png" /></a></div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;">Note: If Requester Maintenance doesn't work, try Functional instead.</div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;"><b>Set-ServerComponentState -Identity Bentley-MAIL -Component ServerWideOffline -State Active -Requester Functional</b></div>
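Why the Maintenance requester did nothing here: Exchange records component state per requester, so a component only returns to Active once every requester that set it Inactive has set it Active again, and a Set-ServerComponentState with a different requester is simply a no-op. The added script below (example code, not from the post) lists the requester and timestamp behind each non-Active component via the LocalStates property and, with -Fix, reactivates it using that same requester rather than guessing. It runs in the Exchange Management Shell; the server name is a placeholder, and ServerWideOffline is handled first because it overrides all other components.

```powershell
# Added example, not from the post: show which requester holds each component Inactive and
# reactivate with that same requester. Component state is kept per requester, which is why
# "-Requester Maintenance" did nothing when the Inactive entry was written by Functional.
# Run in the Exchange Management Shell; the default server name is an assumed placeholder.
param([string]$Server = $env:COMPUTERNAME, [switch]$Fix)

$components = Get-ServerComponentState -Identity $Server | Where-Object State -ne 'Active' |
    Sort-Object { $_.Component -ne 'ServerWideOffline' }   # ServerWideOffline overrides the rest; do it first

if (-not $components) { "All server components on $Server are Active"; return }

foreach ($component in $components) {
    # LocalStates holds one entry per requester that has set this component on this server
    $blockers = @($component.LocalStates | Where-Object State -ne 'Active')
    if ($blockers.Count -eq 0) {
        # Inactive only because of ServerWideOffline (or a remote state); nothing local to clear
        '{0,-28} {1,-9} (no local requester; inherited)' -f $component.Component, $component.State
        continue
    }
    foreach ($b in $blockers) {
        '{0,-28} {1,-9} set by {2,-12} at {3}' -f $component.Component, $b.State, $b.Requester, $b.Timestamp
        if ($Fix) {
            Set-ServerComponentState -Identity $Server -Component $component.Component -State Active -Requester $b.Requester
        }
    }
}

if ($Fix) {
    "--- remaining non-Active components on $Server ---"
    Get-ServerComponentState -Identity $Server | Where-Object State -ne 'Active' | Format-Table Component, State -AutoSize
}
```

Run it without -Fix first: the requester and timestamp tell you whether the Inactive state was left behind by the update installer (as in this post) or by an administrator's deliberate maintenance mode, which is worth knowing before you flip a production server back to Active.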
<br /></div>
</div>
<div class="blogger-post-footer"><p>
</p></div>

SMTP Namespace Sharing - How it differs in the Cloud (published 2020-07-16)

<div dir="ltr" style="text-align: left;" trbidi="on">
When you enter Hybrid with Microsoft Office 365, you establish a concept called SMTP Namespace sharing to allow mailboxes in the cloud and on-premises to share the same address space such as @contoso.com.<br />
<div>
<br /></div>
<div>
Microsoft Exchange handles SMTP Namespace Sharing with Office 365 in a different manner to implementing SMTP Namespace Sharing with another Exchange Server or third party mail system.</div>
<div>
<br /></div>
<div>
In this blog post we are going to run through how to configure SMTP Namespace Sharing between an Exchange Server and another mail system, and then look at how SMTP Namespace Sharing works with Office 365.</div>
<div>
<br /></div>
<div>
<b><span style="font-size: large;"><u>Configuring SMTP Namespace Sharing</u></span></b></div>
<div>
<br /></div>
<div>
Before we talk about SMTP Namespace Sharing, we must first understand the concept of an Exchange Accepted Domain. There are three types of Accepted Domains:</div>
<div>
<ul style="text-align: left;">
<li>Authoritative Domains - This tells an Exchange Server that the "Exchange Organisation" has a recipient (in particular a mailbox) for that inbound email such as recipient@contoso.com and it needs to deliver it locally. All email address namespaces that your Exchange Servers receive email for need to be setup as Authoritative Accepted Domains.</li>
<li>Internal Relay Domains - Internal Relay Domains are used when you share a domain between the Exchange organization and a third-party messaging system. When an Exchange Server receives an email for an address such as user@contoso.com, it checks whether a mailbox exists and, if not, sends the message out a Send Connector.</li>
<li>External Relay Domains - No mailboxes exist in the Exchange environment; mail for the domain is sent out a Send Connector matching the address space. You would use these if your Exchange Server is set up to perform mail cleansing at the transport layer, most likely with a third-party Transport Agent, and then send the email on its way.</li>
</ul>
<div>
For more information please refer to <a href="https://docs.microsoft.com/en-us/exchange/mail-flow/accepted-domains/accepted-domains">https://docs.microsoft.com/en-us/exchange/mail-flow/accepted-domains/accepted-domains</a></div>
<div>
<br /></div>
<div>
To configure SMTP Namespace Sharing, you would change the Accepted Domain to an "Internal Relay Domain" and then create a send connector. An example config would look like this:</div>
</div>
<div>
<br /></div>
<div>
<b>Set-AcceptedDomain contoso.com -DomainType InternalRelay</b></div>
<div>
<br /></div>
<div>
<div>
<b>New-SendConnector -Name "SMTP Namespace Sharing for Contoso.com" -Custom -AddressSpaces contoso.com -SmartHosts 10.1.1.54 -SourceTransportServers ExchangeServerFQDN</b></div>
<div>
<br /></div>
</div>
<div>
This will tell all Transport Servers in the Exchange Organisation to perform the following:</div>
<div>
<ol style="text-align: left;">
<li>Look in Active Directory to see if a mailbox exists; if it does, route the email to the Mailbox Server and deliver it.</li>
<li>If a mailbox doesn't exist, route it out a Send Connector to a remote mail environment for delivery instead of sending the typical 550 5.1.10 RESOLVER.ADR.RecipientNotFound error.</li>
</ol>
</div>
<div>
<br /></div>
<div>
<b><span style="font-size: large;"><u>Configuring SMTP Namespace Sharing with Office 365</u></span></b></div>
<div>
<br /></div>
<div>
When you enable Hybrid Exchange using the Hybrid Configuration Wizard (HCW), SMTP Namespace Sharing is set up differently. After you move a mailbox to Exchange Online, it replaces the mailbox on-premises with a "Remote Mailbox" object. These mailboxes can be viewed in the Exchange Admin Center as "Office 365" mailboxes or with the following on-premises Exchange cmdlets:<br />
<ul style="text-align: left;">
<li>Get-RemoteMailbox</li>
<li>Set-RemoteMailbox</li>
</ul>
</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiqDCqoKAsey7sd5KJAxLoshInE5XLH2JaUZW_niEk2QNsRK57HH6ohECP05HakwPhy2vTpHlMoVFp9Or5tJ9gBJgO9GQX57RFDeaujcVIJl69XtMw8JoC_FvBdaTuEVdoXvtQfgDDh6YQ/s1600/o365mailbox.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="75" data-original-width="676" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiqDCqoKAsey7sd5KJAxLoshInE5XLH2JaUZW_niEk2QNsRK57HH6ohECP05HakwPhy2vTpHlMoVFp9Or5tJ9gBJgO9GQX57RFDeaujcVIJl69XtMw8JoC_FvBdaTuEVdoXvtQfgDDh6YQ/s1600/o365mailbox.png" /></a></div>
<div>
<br />
Each of these Remote Mailboxes has a "Remote Routing Address" which looks like alias@&lt;tenantname&gt;.mail.onmicrosoft.com. If we look at one of the Remote Mailboxes in the Exchange Admin Centre on-premises, we can see there is a new box to specify the Remote Routing Address.<br />
<br />
<i>Note: This can also be set using Set-RemoteMailbox "mailbox name" -RemoteRoutingAddress "avantgarde@tenant.mail.onmicrosoft.com"</i><br />
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgU7ggJ6GcrL1eiYpoA0rhqEEiFC_3G9Tn0aELQjc_5lp134qvidipsUv8tBENx4k0GObhbYvJtIBJBxjSNxXd_LkgNyxa1ITFX1e7mdLoIQD60OUkOKSsXyHbDbGfANVjjd1dvjm45_kA/s1600/avantgarderemotemailbox.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="624" data-original-width="712" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgU7ggJ6GcrL1eiYpoA0rhqEEiFC_3G9Tn0aELQjc_5lp134qvidipsUv8tBENx4k0GObhbYvJtIBJBxjSNxXd_LkgNyxa1ITFX1e7mdLoIQD60OUkOKSsXyHbDbGfANVjjd1dvjm45_kA/s1600/avantgarderemotemailbox.png" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
</div>
<br />
In addition, SMTP Namespace Sharing set up this way does not require the Accepted Domain to be changed to an "Internal Relay Domain". It should stay "Authoritative", because the Remote Mailbox objects already tell Exchange where to route mail for the migrated users.<br />
<br />
<b><span style="font-size: large;"><u>How the Remote Routing Address is Set</u></span></b><br />
<br />
By default, when you run Hybrid Configuration Wizard and move a mailbox to Office 365, the Remote Routing Address is set automatically and you never need to touch/look at this value.<br />
<br />
We had an incident, however, for a customer where the Remote Routing Address was getting automatically set to the user's primary domain name, not the Office 365 tenant.mail.onmicrosoft.com SMTP namespace.<br />
<br />
How Exchange Server sets the Remote Routing Address automatically is unclear. I can confirm it does not get set by an Email Address Policy.<br />
<br />
We have reached out to Microsoft to find an answer, as it is important this is set to the correct value automatically!</div>
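<div>
<br /></div>
<div>
As an added example (not from the original post), the following Exchange Management Shell snippet finds Remote Mailbox objects whose Remote Routing Address does not sit in the tenant's mail.onmicrosoft.com namespace, which is exactly the condition described in the incident above, and can optionally correct them with Set-RemoteMailbox. The routing domain value is a placeholder, and the expected address assumes the usual alias@tenant.mail.onmicrosoft.com convention.</div>

```powershell
# Added example (not from the original post). Run in the on-premises Exchange Management Shell.
# Finds Remote Mailbox objects whose RemoteRoutingAddress is not in the tenant routing domain
# (the symptom described above, where it was set to the user's primary domain instead).

$RoutingDomain = 'tenant.mail.onmicrosoft.com'   # placeholder: your tenant's mail.onmicrosoft.com domain

function Get-MisroutedRemoteMailbox {
    param([Parameter(Mandatory)] [string] $RoutingDomain)

    $pattern = '@' + [regex]::Escape($RoutingDomain) + '$'
    Get-RemoteMailbox -ResultSize Unlimited | ForEach-Object {
        # RemoteRoutingAddress is a proxy address such as "SMTP:alias@tenant.mail.onmicrosoft.com";
        # drop the "smtp:" prefix (the -replace operator is case-insensitive) before comparing.
        $current = ([string] $_.RemoteRoutingAddress) -replace '^smtp:', ''
        if ($current -notmatch $pattern) {
            [pscustomobject]@{
                Identity             = [string] $_.Identity
                PrimarySmtpAddress   = [string] $_.PrimarySmtpAddress
                RemoteRoutingAddress = $current
                # assumes the alias-based convention the HCW uses
                ExpectedAddress      = "$($_.Alias)@$RoutingDomain"
            }
        }
    }
}

function Repair-RemoteRoutingAddress {
    # Rewrites the Remote Routing Address of every misrouted object to alias@ plus the routing domain.
    # Supports -WhatIf / -Confirm so the change can be previewed before it is written to AD.
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)] [string] $RoutingDomain)

    foreach ($m in (Get-MisroutedRemoteMailbox -RoutingDomain $RoutingDomain)) {
        if ($PSCmdlet.ShouldProcess($m.Identity, "Set RemoteRoutingAddress to $($m.ExpectedAddress)")) {
            Set-RemoteMailbox -Identity $m.Identity -RemoteRoutingAddress $m.ExpectedAddress
        }
    }
}

# Review first, then preview the fix before running it for real:
Get-MisroutedRemoteMailbox -RoutingDomain $RoutingDomain | Format-Table -AutoSize
Repair-RemoteRoutingAddress -RoutingDomain $RoutingDomain -WhatIf
```
<div>
Run Get-MisroutedRemoteMailbox on its own first and review the list; anything flagged is mail that Exchange on-premises will route to the wrong place once the user is migrated, so it is worth catching before the mailbox move rather than after.</div>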
</div>
<div class="blogger-post-footer"><p>
Feel free to email me clint@kbomb.com.au if you have any questions about this post.
</p></div>
<div><b><span style="font-size: x-large;">Configuring Centralized Transport with Office 365 Exchange Online</span></b><br />Clint Boessen, 2020-07-02</div>
<div dir="ltr" style="text-align: left;" trbidi="on">
I was called in to assist a customer with changes to their Office 365 mail routing. The customer had a requirement to implement a Centralized Transport Model so that all email routes through on-premises, where a custom Transport Agent runs across all email and stamps the company's email signature. Before we get into the changes needed to set up Centralized Transport, let's run through what the customer currently had in place.<br />
<ul style="text-align: left;">
<li>All mail from the Internet was routed to a cloud email service known as Forcepoint.</li>
<li>Forcepoint delivers all inbound email to the on-premises server.</li>
<li>The on-premises server has a Send Connector to Forcepoint for all outbound Internet email ("*").</li>
<li>The on-premises server has a second Send Connector to Office 365 for cloud-based mailboxes.</li>
<li>There is a route from the Office 365 cloud to Forcepoint for all internal mail recipient domains (no idea why this was done; Office 365 EOP should route directly to on-premises Exchange for any internal emails. Luckily Forcepoint was able to route email back to on-premises.).</li>
<li>When Office 365 needed to email any Internet recipients, it routed directly to the Internet, bypassing the Forcepoint cloud.</li>
</ul>
<div>
I drew up in Visio a quick overview of what the mail routing looked like.</div>
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjk6uZYoZkUX5J9DXomp1aNVUmgnIeFfVi5oJ_lP9M5TPvuQXOgVKpPCMhvAVBY3_3nH7u4w4SLFKzmajxJaT6ejKb7TDW4wCXS4r00GS8u-6XoJzpQU-tykRdMmir6aIRxLGcJ2lCo3aw/s1600/Mail+Flow+Diagram+old.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="391" data-original-width="725" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjk6uZYoZkUX5J9DXomp1aNVUmgnIeFfVi5oJ_lP9M5TPvuQXOgVKpPCMhvAVBY3_3nH7u4w4SLFKzmajxJaT6ejKb7TDW4wCXS4r00GS8u-6XoJzpQU-tykRdMmir6aIRxLGcJ2lCo3aw/s1600/Mail+Flow+Diagram+old.png" /></a></div>
<br />
Now the customer needed to enable a "Centralized Transport Model" to ensure all email from Office 365 was routed through the on-premises server whether it is destined for an external recipient or not. This is because the on-premises server has a custom Exchange Transport Agent which was responsible for stamping signatures on all outbound email.<br />
<br />
<i>Note: A Centralized Transport Model is a very bad configuration and should be avoided at all costs as it means the cloud cannot send/receive email in the event the on-premises Exchange environment is down. It should only be used when there is a technical requirement such as this one.</i><br />
<br />
I drew up what the mail routing will look like in a Centralized Transport Model:<br />
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi6SL0xgjnItUGIgy5qxTYGAqmnxxyJK-_AYPkAV31ghyphenhyphen7PyhBUUpUzyh26t7goVPq7JyPfFFHMU4uIBZynyDITvHYrMNyhs2MXnCc_Urp_vCukMtqIgEGQ5LEe9fJvU77sQ83eKfNGKm0/s1600/Mail+Flow+Diagram+centralised+transport.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="391" data-original-width="725" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi6SL0xgjnItUGIgy5qxTYGAqmnxxyJK-_AYPkAV31ghyphenhyphen7PyhBUUpUzyh26t7goVPq7JyPfFFHMU4uIBZynyDITvHYrMNyhs2MXnCc_Urp_vCukMtqIgEGQ5LEe9fJvU77sQ83eKfNGKm0/s1600/Mail+Flow+Diagram+centralised+transport.png" /></a></div>
<br />
<br />
It is important to note that you can configure a Centralized Transport Model using the Hybrid Configuration Wizard. This was not an option for this customer as they were on Exchange 2013 CU13 and wanted to address patching at a later date, despite being <a href="https://www.helpnetsecurity.com/2020/02/26/cve-2020-0688-exploitation/">vulnerable to zero day cve-2020-0688</a>, but that's another story. The Hybrid Configuration Wizard is constantly updated by Microsoft and is only supported on the two latest CU updates. Make sure your Exchange environment is running one of the latest CU updates, as Microsoft does not test HCW on old releases of Exchange.<br />
<br />
<i>"Hybrid deployments require the latest Cumulative Update (CU) or Update Rollup (RU) that's available for your version of Exchange. If you can't install the latest update, the immediately previous release is also supported."</i><br />
<br />
Source: <a href="https://docs.microsoft.com/en-us/exchange/hybrid-deployment-prerequisites">https://docs.microsoft.com/en-us/exchange/hybrid-deployment-prerequisites</a><br />
<br />
<span style="color: #0b5394; font-size: x-large;"><b><u>Manually Enabling Centralized Transport</u></b></span><br />
<br />
To get this customer into a Centralized Transport Model we must do two things:<br />
<ol style="text-align: left;">
<li>Create a new "Inbound from Office 365" Receive Connector (I'll explain why this is required in a minute).</li>
<li>Modify the Outbound connector in Office 365 to route all email "*" to the on-premises Server.</li>
</ol>
<div>
<br /></div>
<div>
<span style="font-size: large;"><b><u>Create an Inbound from Office 365 Receive Connector</u></b></span></div>
<div>
<br /></div>
<div>
By default, all email from Office 365 enters through the Default Frontend Receive Connector. The only change the Hybrid Configuration Wizard makes in order to receive email from Office 365 is to set the "TlsCertificateName" attribute on the Default Frontend Receive Connector, so that SMTP TLS can be established for all email from Office 365 to the on-premises environment.</div>
<div>
<br /></div>
<div>
In a Centralized Transport Model we can no longer rely on the Default Frontend Receive Connector. That connector accepts email for all Accepted Domains, that is, the domains which have mailboxes on the on-premises server. By default it will not accept email for external Internet domain names and then route that email to a remote server on the Internet via a Smart Host or MX records, and for a good reason: that would make the mail server an open relay!</div>
<div>
<br /></div>
<div>
As a result, if you have a requirement to configure a Centralized Transport Model, you will need to create a new receive connector with a name such as "Inbound from Office 365".</div>
<div>
<br /></div>
<div>
As a side note, if you don't do this, any emails trying to route out to the Internet through your on-premises server from Office 365 will bounce with the following error:</div>
<div>
<br /></div>
<div>
<div class="MsoNormal">
<b>“550 5.7.1 Unable to relay”</b></div>
</div>
<div>
<br /></div>
<div>
To create the new "Inbound from Office 365" connector required for a Centralized Transport model we need to do the following things:</div>
<div>
<ol style="text-align: left;">
<li>Create the Frontend Receive Connector, call it "Inbound from Office 365", and bind it to TCP port 25</li>
<li>Configure the Authentication and Permission Groups</li>
<li>Lock the Receive Connector down to the Office 365 IP ranges.</li>
<li>Configure SMTP TLS on the Receive Connector required for Office 365</li>
<li>Configure the ExtendedRight MS-Exch-SMTP-Accept-Any-Recipient so that the Receive Connector can route email out a Send Connector for internet bound emails it receives from Office 365.</li>
</ol>
<div>
When you create the new Frontend Receive Connector, enable TLS (required for Office 365) and the Anonymous Users permission group, as we are accepting emails destined for external recipients on the Internet.</div>
</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhRTqSqa_NP8J10FCBR5iBtIWzxZIzks_BdwSGyKmhi07YNuRD0fzJFJeSBNg6CD9pcIjbNtppg0WXHlN-yqsIcNmJcvxXv-CwQvO5wSEjZ_mZ2CEGPGIZ5vsYxKpg42Nd4Ui-aFosMazI/s1600/authenticationandpermissiongroup.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="646" data-original-width="780" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhRTqSqa_NP8J10FCBR5iBtIWzxZIzks_BdwSGyKmhi07YNuRD0fzJFJeSBNg6CD9pcIjbNtppg0WXHlN-yqsIcNmJcvxXv-CwQvO5wSEjZ_mZ2CEGPGIZ5vsYxKpg42Nd4Ui-aFosMazI/s1600/authenticationandpermissiongroup.png" /></a></div>
<div>
<br /></div>
<div>
Lock it down to the Exchange Online Protection IP Ranges documented here:<br />
<br />
<a href="https://docs.microsoft.com/en-us/office365/enterprise/urls-and-ip-address-ranges">https://docs.microsoft.com/en-us/office365/enterprise/urls-and-ip-address-ranges</a></div>
<div>
<br /></div>
<div>
40.92.0.0/15, 40.107.0.0/16, 52.100.0.0/14, 52.238.78.88/32, 104.47.0.0/17<br />
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEinrPRLQjxwscVwRee8LqPnUCBb5OZreeI2gm4kqLhgzSEi5UlsYNt5Mq9qmOgCsO2YM4iHQ84Xwsx7pL9y6PGN8PsBdB9unsmEGrT39nWo-kwRMC6BNqf_G0h9_wApkRTpVATc6fWNp_E/s1600/office365ipranges.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="646" data-original-width="780" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEinrPRLQjxwscVwRee8LqPnUCBb5OZreeI2gm4kqLhgzSEi5UlsYNt5Mq9qmOgCsO2YM4iHQ84Xwsx7pL9y6PGN8PsBdB9unsmEGrT39nWo-kwRMC6BNqf_G0h9_wApkRTpVATc6fWNp_E/s1600/office365ipranges.png" /></a></div>
<br />
To configure the SMTP TLS on the receive connector refer to the following article by Paul Cunningham. It should look like my screenshot below.<br />
<br />
<div class="MsoNormal">
<a href="https://practical365.com/exchange-server/configuring-the-tls-certificate-name-for-exchange-server-receive-connectors/">https://practical365.com/exchange-server/configuring-the-tls-certificate-name-for-exchange-server-receive-connectors/</a></div>
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhzvD8cfN2dWwNxTv9i-vlv0DTArT7pGhXyB5oc4pu6YykiCSOayUohoDwOI2Hop-j5VQunfawoVX7cRxgItpEs5UXmZSppJV6YokvwGQ-02cYGIns4FrifWkdYZZhZu5cdwseG9tnYdgc/s1600/receiveconnectortlschanges.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="94" data-original-width="890" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhzvD8cfN2dWwNxTv9i-vlv0DTArT7pGhXyB5oc4pu6YykiCSOayUohoDwOI2Hop-j5VQunfawoVX7cRxgItpEs5UXmZSppJV6YokvwGQ-02cYGIns4FrifWkdYZZhZu5cdwseG9tnYdgc/s1600/receiveconnectortlschanges.png" /></a></div>
<br />
Lastly, you need to allow the receive connector to accept and relay email for non-authoritative domain names (domains that are not an Accepted Domain in your Exchange environment) by adding the ExtendedRight MS-Exch-SMTP-Accept-Any-Recipient. A command similar to the one below will achieve this.<br />
<br />
<b>Get-ReceiveConnector "Inbound from Office 365" | Add-ADPermission -User 'NT AUTHORITY\Anonymous Logon' -ExtendedRights MS-Exch-SMTP-Accept-Any-Recipient</b><br />
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgp7hbo07EldGhM9CpD4sbixLwjsfT5xa4odD8cFPiEptH4FH9Kmgurd2XmqD9acc9BNwVkqBG0bbw9ZUZOzgbesBIVpy0yxqbvF2qsVXzcnjw_UPkjjZTdKuG8KiDrwapry9p4paTgeyI/s1600/receiveconnectorpermissionchange.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="90" data-original-width="1199" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgp7hbo07EldGhM9CpD4sbixLwjsfT5xa4odD8cFPiEptH4FH9Kmgurd2XmqD9acc9BNwVkqBG0bbw9ZUZOzgbesBIVpy0yxqbvF2qsVXzcnjw_UPkjjZTdKuG8KiDrwapry9p4paTgeyI/s1600/receiveconnectorpermissionchange.png" /></a></div>
<br />
Cool, now we have a receive connector on-premises locked down to the Office 365 ranges that will be able to relay email for internet-bound recipients through the Send Connector marked with "*" for all internet recipients.<br />
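<br />
<div>
Putting the five steps together, here is an added example (not the post's own commands) that creates the connector from the on-premises Exchange Management Shell and then audits every Receive Connector on the server for anonymous relay rights, which is the check that tells you the Accept-Any-Recipient grant is confined to a tightly scoped connector rather than an open relay. The server name and certificate thumbprint are placeholders; the IP ranges are the five listed above and must be refreshed from Microsoft's published list before use.</div>

```powershell
# Added example (not the post's own commands). Run in the on-premises Exchange Management Shell.
# Creates the "Inbound from Office 365" Frontend Receive Connector (steps 1-5 above) and then audits
# every Receive Connector on the server for anonymous relay rights.

$Server         = 'EXCHANGE2013'                # placeholder: the on-premises Frontend Transport server
$CertThumbprint = 'PLACEHOLDER_THUMBPRINT'      # placeholder: thumbprint of the hybrid TLS certificate
$ConnectorName  = 'Inbound from Office 365'
# Exchange Online Protection source ranges as listed in the post; refresh them from Microsoft's
# published Office 365 URL and IP address list before relying on them.
$EopRanges = @('40.92.0.0/15', '40.107.0.0/16', '52.100.0.0/14', '52.238.78.88/32', '104.47.0.0/17')

# TlsCertificateName must name the certificate Exchange offers to Office 365 by issuer and subject,
# in the form "&lt;I&gt;issuer&lt;S&gt;subject" (the Practical 365 article above shows the same construction).
$cert        = Get-ExchangeCertificate -Server $Server -Thumbprint $CertThumbprint
$tlsCertName = '{0}I{1}{2}{0}S{1}{3}' -f '<', '>', $cert.Issuer, $cert.Subject

# Steps 1-4: frontend connector on TCP 25, locked to the EOP ranges, TLS required, anonymous permission group.
New-ReceiveConnector -Name $ConnectorName -Server $Server -Custom -TransportRole FrontendTransport `
    -Bindings '0.0.0.0:25' -RemoteIPRanges $EopRanges `
    -AuthMechanism Tls -RequireTLS $true -PermissionGroups AnonymousUsers `
    -TlsCertificateName $tlsCertName

# Step 5: let this connector accept recipients outside the Accepted Domains so Internet-bound mail
# from Office 365 can leave through the "*" Send Connector.
Get-ReceiveConnector "$Server\$ConnectorName" |
    Add-ADPermission -User 'NT AUTHORITY\Anonymous Logon' -ExtendedRights 'MS-Exch-SMTP-Accept-Any-Recipient'

# Audit: every connector that grants Accept-Any-Recipient to anonymous senders is a relay. That is only
# acceptable when RemoteIPRanges is a tight list; the default 0.0.0.0-255.255.255.255 makes it an open relay.
function Get-AnonymousRelayConnector {
    param([string] $Server)

    Get-ReceiveConnector -Server $Server | ForEach-Object {
        $rc = $_
        $grants = Get-ADPermission -Identity $rc.Identity | Where-Object {
            $_.User -like '*Anonymous*' -and
            $_.ExtendedRights -like '*Accept-Any-Recipient*' -and
            -not $_.Deny
        }
        if ($grants) {
            [pscustomobject]@{
                Connector      = [string] $rc.Identity
                RequireTLS     = $rc.RequireTLS
                RemoteIPRanges = ($rc.RemoteIPRanges -join ', ')
                OpenToWorld    = [bool] ($rc.RemoteIPRanges | Where-Object { "$_" -eq '0.0.0.0-255.255.255.255' })
            }
        }
    }
}

Get-AnonymousRelayConnector -Server $Server | Format-Table -AutoSize
```
<div>
The audit output should list only the "Inbound from Office 365" connector with OpenToWorld set to False. If the Default Frontend connector or any connector with the default range appears in that list, the server is relaying for the whole Internet and the grant should be removed from it.</div>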
<br />
<b style="font-size: x-large;"><u>Modify the Outbound Connector in Office 365</u></b><br />
<br />
Next we need to modify the Outbound Connector in Office 365 to route all email through the on-premises server in a "Centralized Transport Model" configuration. I blocked out information below for privacy reasons and am using the Microsoft test domain contoso.com instead of my customer's.<br />
<br />
<b>Get-OutboundConnector "Outbound to GUID" | Set-OutboundConnector -RecipientDomains "*" -RouteAllMessagesViaOnPremises:$true -SmartHosts mail.contoso.com</b><br />
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjU-URXnSeWLC-7i2tf0m8Yizjjp4DxcY7DxtIB4_pBab85nbHDGvvBqQgUIoKbpqZNULpafmkhDxHPy1qum_f_je9UDvHZtPmgXwqfFTaKQQqBsC2BVA1No02X1SVluqoGgimMP0RnnLI/s1600/enablecentralizedconfig.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="666" data-original-width="834" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjU-URXnSeWLC-7i2tf0m8Yizjjp4DxcY7DxtIB4_pBab85nbHDGvvBqQgUIoKbpqZNULpafmkhDxHPy1qum_f_je9UDvHZtPmgXwqfFTaKQQqBsC2BVA1No02X1SVluqoGgimMP0RnnLI/s1600/enablecentralizedconfig.png" /></a></div>
<br />
This will ensure every email leaving Office 365 goes to the on-premises server "mail.contoso.com".<br />
<br />
<span style="font-size: large;"><b><u>Mail Loop Issue</u></b></span><br />
<br />
Despite the configuration for Centralized Transport being correct, we experienced a Mail Loop when routing emails from the on-premises environment to Office 365. This is what we experienced.<br />
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDs7byhMrqCKxV21MbebyrM4cuux9WotD2XTm9FX_8MnAnAwRhJW5NhSx3BZ8Zi4DVqRz60QCFQ-ewRutxsIivwmeYMpXwh0w7sTAyASjWxnncZHRDkc4oaFd4UwXXnp88-Fh8xRaPnhs/s1600/mailloop.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="414" data-original-width="817" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDs7byhMrqCKxV21MbebyrM4cuux9WotD2XTm9FX_8MnAnAwRhJW5NhSx3BZ8Zi4DVqRz60QCFQ-ewRutxsIivwmeYMpXwh0w7sTAyASjWxnncZHRDkc4oaFd4UwXXnp88-Fh8xRaPnhs/s1600/mailloop.png" /></a></div>
<br />
The bounce back we received from the mail loop was as follows. The NDR shows the email bouncing back and forth between Office 365 and Exchange 2013 until Loop Detection kicks in, blocks the email and generates an NDR.<br />
<br />
<span style="color: red; font-size: x-small;">Delivery has failed to these recipients or groups:</span><br />
<span style="color: red; font-size: x-small;">Test User</span><br />
<span style="color: red; font-size: x-small;">A problem occurred during the delivery of this message. Please try to resend the message later. If the problem continues, contact your email admin.</span><br />
<span style="color: red; font-size: x-small;">The following organization rejected your message: Exchange2013.domain.local.</span><br />
<span style="color: red; font-size: x-small;"><br /></span>
<span style="color: red; font-size: x-small;"><br /></span>
<span style="color: red; font-size: x-small;">Diagnostic information for administrators:</span><br />
<span style="color: red; font-size: x-small;">Generating server: SYBPR01MB4362.ausprd01.prod.outlook.com</span><br />
<span style="color: red; font-size: x-small;">Test.User@contoso.com</span><br />
<span style="color: red; font-size: x-small;">Exchange2013.domain.local</span><br />
<span style="color: red; font-size: x-small;">Remote Server returned '554 5.4.6 &lt;Exchange2013.domain.local #5.4.6 smtp;554 5.4.6 Hop count exceeded - possible mail loop&gt;'</span><br />
<span style="color: red; font-size: x-small;">Original message headers:</span><br />
<span style="color: red; font-size: x-small;">Received: from ME2PR01CA0046.ausprd01.prod.outlook.com (2603:10c6:201:14::34)</span><br />
<span style="color: red; font-size: x-small;"> by SYBPR01MB4362.ausprd01.prod.outlook.com (2603:10c6:10:56::21) with</span><br />
<span style="color: red; font-size: x-small;"> Microsoft SMTP Server (version=TLS1_2,</span><br />
<span style="color: red; font-size: x-small;"> cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3021.27; Sun, 24 May</span><br />
<span style="color: red; font-size: x-small;"> 2020 10:03:55 +0000</span><br />
<span style="color: red; font-size: x-small;">Received: from ME1AUS01FT014.eop-AUS01.prod.protection.outlook.com</span><br />
<span style="color: red; font-size: x-small;"> (2603:10c6:201:14:cafe::d5) by ME2PR01CA0046.outlook.office365.com</span><br />
<span style="color: red; font-size: x-small;"> (2603:10c6:201:14::34) with Microsoft SMTP Server (version=TLS1_2,</span><br />
<span style="color: red; font-size: x-small;"> cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3021.23 via Frontend</span><br />
<span style="color: red; font-size: x-small;"> Transport; Sun, 24 May 2020 10:03:54 +0000</span><br />
<span style="color: red; font-size: x-small;">Authentication-Results: spf=softfail (sender IP is 203.54.134.98)</span><br />
<span style="color: red; font-size: x-small;"> smtp.mailfrom=avantgardetechnologies.com.au; contoso.mail.onmicrosoft.com;</span><br />
<span style="color: red; font-size: x-small;"> dkim=none (message not signed) header.d=none;contoso.mail.onmicrosoft.com;</span><br />
<span style="color: red; font-size: x-small;"> dmarc=none action=none</span><br />
<span style="color: red; font-size: x-small;"> header.from=avantgardetechnologies.com.au;compauth=none reason=405</span><br />
<span style="color: red; font-size: x-small;">Received-SPF: SoftFail (protection.outlook.com: domain of transitioning</span><br />
<span style="color: red; font-size: x-small;"> avantgardetechnologies.com.au discourages use of 203.54.134.98 as permitted</span><br />
<span style="color: red; font-size: x-small;"> sender)</span><br />
<span style="color: red; font-size: x-small;">Received: from Exchange2013.domain.local (203.54.134.98) by</span><br />
<span style="color: red; font-size: x-small;"> ME1AUS01FT014.mail.protection.outlook.com (10.152.232.114) with Microsoft</span><br />
<span style="color: red; font-size: x-small;"> SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id</span><br />
<span style="color: red; font-size: x-small;"> 15.20.3021.23 via Frontend Transport; Sun, 24 May 2020 10:03:53 +0000</span><br />
<span style="color: red; font-size: x-small;">Received: from Exchange2013.domain.local (192.168.0.13) by</span><br />
<span style="color: red; font-size: x-small;"> Exchange2013.domain.local (192.168.0.13) with Microsoft SMTP Server (TLS) id</span><br />
<span style="color: red; font-size: x-small;"> 15.0.1156.6; Sun, 24 May 2020 18:00:02 +0800</span><br />
<span style="color: red; font-size: x-small;">Received: from AUS01-SY3-obe.outbound.protection.outlook.com (104.47.117.51)</span><br />
<span style="color: red; font-size: x-small;"> by Exchange2013.domain.local (192.168.0.13) with Microsoft SMTP Server (TLS) id</span><br />
<span style="color: red; font-size: x-small;"> 15.0.1156.6 via Frontend Transport; Sun, 24 May 2020 18:00:02 +0800</span><br />
<span style="color: red; font-size: x-small;">Received: from SY4P282CA0010.AUSP282.PROD.OUTLOOK.COM (2603:10c6:10:a0::20) by</span><br />
<span style="color: red; font-size: x-small;"> SYCPR01MB5248.ausprd01.prod.outlook.com (2603:10c6:10:84::23) with Microsoft</span><br />
<span style="color: red; font-size: x-small;"> SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id</span><br />
<span style="color: red; font-size: x-small;"> 15.20.3021.27; Sun, 24 May 2020 09:59:56 +0000</span><br />
<span style="color: red; font-size: x-small;">Received: from SY3AUS01FT014.eop-AUS01.prod.protection.outlook.com</span><br />
<span style="color: red; font-size: x-small;"> (2603:10c6:10:a0:cafe::23) by SY4P282CA0010.outlook.office365.com</span><br />
<span style="color: red; font-size: x-small;"> (2603:10c6:10:a0::20) with Microsoft SMTP Server (version=TLS1_2,</span><br />
<span style="color: red; font-size: x-small;"> cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3021.23 via Frontend</span><br />
<span style="color: red; font-size: x-small;"> Transport; Sun, 24 May 2020 09:59:56 +0000</span><br />
<span style="color: red; font-size: x-small;">Authentication-Results-Original: spf=softfail (sender IP is 203.54.134.98)</span><br />
<span style="color: red; font-size: x-small;"> smtp.mailfrom=avantgardetechnologies.com.au; contoso.mail.onmicrosoft.com;</span><br />
<span style="color: red; font-size: x-small;"> dkim=none (message not signed) header.d=none;contoso.mail.onmicrosoft.com;</span><br />
<span style="color: red; font-size: x-small;"> dmarc=none action=none</span><br />
<span style="color: red; font-size: x-small;"> header.from=avantgardetechnologies.com.au;compauth=none reason=405</span><br />
<span style="color: red; font-size: x-small;">Received-SPF: SoftFail (protection.outlook.com: domain of transitioning</span><br />
<span style="color: red; font-size: x-small;"> avantgardetechnologies.com.au discourages use of 203.54.134.98 as permitted</span><br />
<span style="color: red; font-size: x-small;"> sender)</span><br />
<span style="color: red; font-size: x-small;">Received: from Exchange2013.domain.local (203.54.134.98) by</span><br />
<span style="color: red; font-size: x-small;"> SY3AUS01FT014.mail.protection.outlook.com (10.152.234.114) with Microsoft</span><br />
<span style="color: red; font-size: x-small;"> SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id</span><br />
<span style="color: red; font-size: x-small;"> 15.20.3021.23 via Frontend Transport; Sun, 24 May 2020 09:59:55 +0000</span><br />
<span style="color: red; font-size: x-small;">Received: from Exchange2013.domain.local (192.168.0.13) by</span><br />
<span style="color: red; font-size: x-small;"> Exchange2013.domain.local (192.168.0.13) with Microsoft SMTP Server (TLS) id</span><br />
<span style="color: red; font-size: x-small;"> 15.0.1156.6; Sun, 24 May 2020 17:59:22 +0800</span><br />
<span style="color: red; font-size: x-small;">Received: from AUS01-SY3-obe.outbound.protection.outlook.com (104.47.117.55)</span><br />
<span style="color: red; font-size: x-small;"> by Exchange2013.domain.local (192.168.0.13) with Microsoft SMTP Server (TLS) id</span><br />
<span style="color: red; font-size: x-small;"> 15.0.1156.6 via Frontend Transport; Sun, 24 May 2020 17:59:22 +0800</span><br />
<span style="color: red; font-size: x-small;">Received: from SYBPR01CA0077.ausprd01.prod.outlook.com (2603:10c6:10:3::17) by</span><br />
<span style="color: red; font-size: x-small;"> SY3PR01MB1738.ausprd01.prod.outlook.com (2603:10c6:0:1e::9) with Microsoft</span><br />
<span style="color: red; font-size: x-small;"> SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id</span><br />
<span style="color: red; font-size: x-small;"> 15.20.3021.27; Sun, 24 May 2020 09:59:16 +0000</span><br />
<span style="color: red; font-size: x-small;">Received: from SY3AUS01FT016.eop-AUS01.prod.protection.outlook.com</span><br />
<span style="color: red; font-size: x-small;"> (2603:10c6:10:3:cafe::2f) by SYBPR01CA0077.outlook.office365.com</span><br />
<span style="color: red; font-size: x-small;"> (2603:10c6:10:3::17) with Microsoft SMTP Server (version=TLS1_2,</span><br />
<span style="color: red; font-size: x-small;"> cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.3021.23 via Frontend</span><br />
<span style="color: red; font-size: x-small;"> Transport; Sun, 24 May 2020 09:59:15 +0000</span><br />
<span style="color: red; font-size: x-small;">Authentication-Results-Original: spf=softfail (sender IP is 203.54.134.98)</span><br />
<span style="color: red; font-size: x-small;"> smtp.mailfrom=avantgardetechnologies.com.au; contoso.mail.onmicrosoft.com;</span><br />
<span style="color: red; font-size: x-small;"> dkim=none (message not signed) header.d=none;contoso.mail.onmicrosoft.com;</span><br />
<span style="color: red; font-size: x-small;"> dmarc=none action=none</span><br />
<span style="color: red; font-size: x-small;"> header.from=avantgardetechnologies.com.au;compauth=none reason=405</span><br />
<span style="color: red; font-size: x-small;">Received-SPF: SoftFail (protection.outlook.com: domain of transitioning</span><br />
<span style="color: red; font-size: x-small;"> avantgardetechnologies.com.au discourages use of 203.54.134.98 as permitted</span><br />
<span style="color: red; font-size: x-small;"> sender)</span><br />
<span style="color: red; font-size: x-small;">Received: from Exchange2013.domain.local (203.54.134.98) by</span><br />
<span style="color: red; font-size: x-small;"> SY3AUS01FT016.mail.protection.outlook.com (10.152.234.71) with Microsoft SMTP</span><br />
<span style="color: red; font-size: x-small;"> Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) id</span><br />
<span style="color: red; font-size: x-small;"> 15.20.3021.23 via Frontend Transport; Sun, 24 May 2020 09:59:14 +0000</span><br />
<span style="color: red; font-size: x-small;">Received: from Exchange2013.domain.local (192.168.0.13) by</span><br />
<span style="color: red; font-size: x-small;"> Exchange2013.domain.local (192.168.0.13) with Microsoft SMTP Server (TLS) id</span><br />
<span style="color: red; font-size: x-small;"> 15.0.1156.6; Sun, 24 May 2020 17:59:06 +0800</span><br />
<span style="color: red; font-size: x-small;">Received: from cluster-m.mailcontrol.com (116.50.58.190) by</span><br />
<span style="color: red; font-size: x-small;"> Exchange2013.domain.local (192.168.0.13) with Microsoft SMTP Server id</span><br />
<span style="color: red; font-size: x-small;"> 15.0.1156.6 via Frontend Transport; Sun, 24 May 2020 17:59:06 +0800</span><br />
<span style="color: red; font-size: x-small;">Received: from mail.avantgardetechnologies.com.au (mail.avantgardetechnologies.com.au [59.167.109.99])</span><br />
<span style="color: red; font-size: x-small;"><span style="white-space: pre;"> </span>by rly15m.srv.mailcontrol.com (MailControl) with ESMTPS id 04O9x0Xr067289</span><br />
<span style="color: red; font-size: x-small;"><span style="white-space: pre;"> </span>(version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK)</span><br />
<span style="color: red; font-size: x-small;"><span style="white-space: pre;"> </span>for &lt;Test.User@contoso.com&gt;; Sun, 24 May 2020 10:59:01 +0100</span><br />
<span style="color: red; font-size: x-small;">Received: from Bentley-MAIL.at.local (10.1.30.18) by Bentley-MAIL.at.local</span><br />
<span style="color: red; font-size: x-small;"> (10.1.30.18) with Microsoft SMTP Server (version=TLS1_2,</span><br />
<span style="color: red; font-size: x-small;"> cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.2.529.5; Sun, 24 May 2020</span><br />
<span style="color: red; font-size: x-small;"> 17:58:53 +0800</span><br />
<span style="color: red; font-size: x-small;">Received: from Bentley-MAIL.at.local ([fe80::fc2d:dec2:9b22:4f2a]) by</span><br />
<span style="color: red; font-size: x-small;"> Bentley-MAIL.at.local ([fe80::fc2d:dec2:9b22:4f2a%3]) with mapi id</span><br />
<span style="color: red; font-size: x-small;"> 15.02.0529.008; Sun, 24 May 2020 17:58:47 +0800</span><br />
<span style="color: red; font-size: x-small;">From: Clint Boessen &lt;Clint.Boessen@avantgardetechnologies.com.au&gt;</span><br />
<span style="color: red; font-size: x-small;">To: Test User &lt;Test.User@contoso.com&gt;</span><br />
<span style="color: red; font-size: x-small;">Subject: RE: Test External Email through new Receive Connector</span><br />
<span style="color: red; font-size: x-small;">Thread-Topic: Test External Email through new Receive Connector</span><br />
<span style="color: red; font-size: x-small;">Thread-Index: AQHWMbHMsLmpvI1RokaklktqWBJNSKi3AGdQ</span><br />
<span style="color: red; font-size: x-small;">Date: Sun, 24 May 2020 09:58:46 +0000</span><br />
<span style="color: red; font-size: x-small;">Message-ID: &lt;db8ba13106a042f59f1b4cc7154685ff@avantgardetechnologies.com.au&gt;</span><br />
<span style="color: red; font-size: x-small;">References: &lt;meapr01mb493526b33cbbc51383eaf79edcb20@ausprd01.prod.outlook.com&gt;</span><br />
<span style="color: red; font-size: x-small;">In-Reply-To: &lt;meapr01mb493526b33cbbc51383eaf79edcb20@ausprd01.prod.outlook.com&gt;</span><br />
<span style="color: red; font-size: x-small;">Accept-Language: en-AU, en-US</span><br />
<span style="color: red; font-size: x-small;">Content-Language: en-US</span><br />
<span style="color: red; font-size: x-small;">X-MS-Has-Attach: yes</span><br />
<span style="color: red; font-size: x-small;">X-MS-TNEF-Correlator:</span><br />
<span style="color: red; font-size: x-small;">x-originating-ip: [10.2.10.104]</span><br />
<span style="color: red; font-size: x-small;">Content-Type: multipart/related;</span><br />
<span style="color: red; font-size: x-small;"><span style="white-space: pre;"> </span>boundary="_006_db8ba13106a042f59f1b4cc7154685ffavantgardetechnologiesc_";</span><br />
<span style="color: red; font-size: x-small;"><span style="white-space: pre;"> </span>type="multipart/alternative"</span><br />
<span style="color: red; font-size: x-small;">MIME-Version: 1.0</span><br />
<span style="color: red; font-size: x-small;">X-Modified-HTML: 6</span><br />
<span style="color: red; font-size: x-small;">X-Mailcontrol-Inbound: VasuXYiFy3qCtpA1zsc0iLOFFGXQvwm!nVYR6ThwFMIidec+qhp6ZSi!Mnl8Fsmw0sAYU+ZMD9zpwrW47BjDsw==</span><br />
<span style="color: red; font-size: x-small;">X-Spam-Score: -2.9</span><br />
<span style="color: red; font-size: x-small;">X-MailControl-ReportSpam: https://www.mailcontrol.com/sr/4vHmKlvfRcfGX2PQPOmvUtMaodt6qto8zwizKSQwqRUN24RXJczj00urrTqFWStbC6mdJoQP7nEhR_AbTPK7tQ==</span><br />
<span style="color: red; font-size: x-small;">X-Scanned-By: MailControl 44278.2096 (www.mailcontrol.com) on 10.77.0.125</span><br />
<span style="color: red; font-size: x-small;">Return-Path: clint.boessen@avantgardetechnologies.com.au</span><br />
<span style="color: red; font-size: x-small;">X-EXCLAIMER-MD-CONFIG: 659f567a-0ab7-4104-a8ab-4b8b5d34a680</span><br />
<span style="color: red; font-size: x-small;">X-OrganizationHeadersPreserved: Exchange2013.domain.local</span><br />
<span style="color: red; font-size: x-small;">X-EOPAttributedMessage: 2</span><br />
<span style="color: red; font-size: x-small;">X-EOPTenantAttributedMessage: 7e0e266c-0475-408b-9eb7-cb0cf8b31e59:2</span><br />
<span style="color: red; font-size: x-small;">X-CrossPremisesHeadersFiltered: SY3AUS01FT016.eop-AUS01.prod.protection.outlook.com</span><br />
<span style="color: red; font-size: x-small;">X-Forefront-Antispam-Report-Untrusted: CIP:203.54.134.98;CTRY:AU;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:Exchange2013.domain.local;PTR:abi3057722.lnk.telstra.net;CAT:NONE;SFTY:;SFS:(53546011)(2616005)(86362001)(33964004)(19627405001)(26005)(15974865002)(36756003)(356005)(83080400001)(66574014)(166002)(5660300002)(81166007)(24736004)(6916009)(1096003)(336012)(44832011)(108616005)(8676002)(36906005)(19607625011);DIR:INB;SFP:;</span><br />
<span style="color: red; font-size: x-small;">X-MS-PublicTrafficType: Email</span><br />
<span style="color: red; font-size: x-small;">X-MS-Office365-Filtering-Correlation-Id: 8134a206-5e1e-4c8c-50b8-08d7ffc9c425</span><br />
<span style="color: red; font-size: x-small;">X-MS-TrafficTypeDiagnostic: SY3PR01MB1738:|SYCPR01MB5248:|SYBPR01MB4362:</span><br />
<span style="color: red; font-size: x-small;">X-MS-Oob-TLC-OOBClassifiers: OLM:6790;OLM:6790;OLM:6790;</span><br />
<span style="color: red; font-size: x-small;">X-Microsoft-Antispam-Untrusted: BCL:0;</span><br />
<span style="color: red; font-size: x-small;">X-Microsoft-Antispam-Message-Info-Original: =?us-ascii?Q?iA2wyOTRoRwZLE3dlGXOPjuc/V5nlVGk0qx3c3cVWVq6DeIGm1BllHTCVSiP?=</span><br />
<span style="color: red; font-size: x-small;"> =?us-ascii?Q?WdgykixTEOiu5qMNLlDbyvS2B3E3qFunMZOmsip1wW+2+EYpZWRl3h3p1qMe?=</span><br />
<span style="color: red; font-size: x-small;"> =?us-ascii?Q?gyHb+gYsWcLLLO/d2oyvKNCusbLDzM+doRdC675aXRpQLJVN0nkIvoeTlN8q?=</span><br />
<span style="color: red; font-size: x-small;"> =?us-ascii?Q?uAxB3OZWclI1iz0LWyGk7q7bEL0cf1B7+L5gEvxv+6ccBVjGxDCUARbDvLnH?=</span><br />
<span style="color: red; font-size: x-small;"> =?us-ascii?Q?l0az2fYOYGteZOTgZkL/QA4P+UdTnL/ZJFD524SawSpoIipAp4/jd7q4HCdF?=</span><br />
<span style="color: red; font-size: x-small;"> =?us-ascii?Q?ii+IYIBvHSb+Ib07PQyBHWQZWcetnQvin6wKe4zFmVxal3O331OUhADCrNX2?=</span><br />
<span style="color: red; font-size: x-small;"> =?us-ascii?Q?dABvHfIW5pde9NNG+gtPKa4839nANzsibjIrC4S5/myohU3D0tfQNc21sV9c?=</span><br />
<span style="color: red; font-size: x-small;"> =?us-ascii?Q?X8ajwUqsg8oiwXaJEXeZqyS9+em0DhmjpML3/H8aLUa9krvS1hjk/T/95gaU?=</span><br />
<span style="color: red; font-size: x-small;"> =?us-ascii?Q?9JlTkvW7otLXXP3scvj9VPvP45JDQ0T4/UV+tS8NciviPlgMPcPHSck6tAE1?=</span><br />
<span style="color: red; font-size: x-small;"> =?us-ascii?Q?Bbvs5/mIP8ExRjpHLOrAP1bnFdotp7LAeP9zDvnQ4noFncY7VDCGA7aRAYvp?=</span><br />
<span style="color: red; font-size: x-small;"> =?us-ascii?Q?gzi5CYKQc6W7E7vMJaQ4poq567KhRJOgBiLy7/P6LwTaGAQDkCJtydjtCdMX?=</span><br />
<span style="color: red; font-size: x-small;"> =?us-ascii?Q?D3gaOUKUGptP07VQXA5kSOqYbXIIzkLuMAzUMpdJ9sUMCuYqZntL7oEJs5Vz?=</span><br />
<span style="color: red; font-size: x-small;"> =?us-ascii?Q?7ya/OmOTaSGyWqXURw6jyt7s3sPxXRwZYrszcZx/fTi7CpgMzhgNsVvlyplQ?=</span><br />
<span style="color: red; font-size: x-small;"> =?us-ascii?Q?DxgEO7zetqixpz+MfGCpO4oqxlnEaBAcLf7ml8A/UsavMy3MCnghUtFKfZzy?=</span><br />
<span style="color: red; font-size: x-small;"> =?us-ascii?Q?C2fXr0H5Q7dm0GS2UA4UwIwGx27nU2ah2542blE+41kzfT2yj0Pya36mePgi?=</span><br />
<span style="color: red; font-size: x-small;"> =?us-ascii?Q?Eie4ZoX7lxJ5Ob1l5b6g4Fn6cd2iOVwZw8ldz7TVZEus/r9HbKD96H7E+0gO?=</span><br />
<span style="color: red; font-size: x-small;"> =?us-ascii?Q?Jzr37suMHpaKJdTwrQUvXPff7rt3NhglfVoFFc0YaEiJqUKK8YvoyDDqriBg?=</span><br />
<span style="color: red; font-size: x-small;"> =?us-ascii?Q?7mSl3nudaNDXcsrZwMH39Ee8glstaFgu3Iht1G5bXjIjzAnu4d8DAONd/Vuw?=</span><br />
<span style="color: red; font-size: x-small;"> =?us-ascii?Q?lmIf3jkbeczjusoRukL7qLwFHx766qhLVbNT5ublsgPn8Ed2qUeJcPawb8gf?=</span><br />
<span style="color: red; font-size: x-small;"> =?us-ascii?Q?SYCLxnFICDvNWpMogjNuqJr1Vl6dJWtQRruNF0kUNm4rlJnuVXtQ0+B4eeyL?=</span><br />
<span style="color: red; font-size: x-small;"> =?us-ascii?Q?Hi2Xi4zvRHnA4EezF7lkDe4XE4/XN74zr1l2KXbTC2qFyAX1UUuKWST9INZU?=</span><br />
<span style="color: red; font-size: x-small;"> =?us-ascii?Q?bzlyIW+f4GylBSwuFknr?=</span><br />
<span style="color: red; font-size: x-small;">X-MS-Exchange-Transport-CrossTenantHeadersStamped: SY3PR01MB1738</span><br />
<span style="color: red; font-size: x-small;">X-OrganizationHeadersPreserved: SY3PR01MB1738.ausprd01.prod.outlook.com</span><br />
<span style="color: red; font-size: x-small;">X-CrossPremisesHeadersFiltered: Exchange2013.domain.local</span><br />
<span style="color: red; font-size: x-small;">X-OrganizationHeadersPreserved: Exchange2013.domain.local</span><br />
<span style="color: red; font-size: x-small;">X-CrossPremisesHeadersFiltered: SY3AUS01FT014.eop-AUS01.prod.protection.outlook.com</span><br />
<span style="color: red; font-size: x-small;">X-MS-Exchange-Transport-CrossTenantHeadersStripped: SY3AUS01FT014.eop-AUS01.prod.protection.outlook.com</span><br />
<span style="color: red; font-size: x-small;">X-Forefront-Antispam-Report-Untrusted: CIP:203.54.134.98;CTRY:AU;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:Exchange2013.domain.local;PTR:abi3057722.lnk.telstra.net;CAT:NONE;SFTY:;SFS:(36756003)(336012)(2616005)(44832011)(6916009)(15974865002)(8676002)(1096003)(36906005)(2160300002)(108616005)(86362001)(5660300002)(53546011)(166002)(26005)(33964004)(24736004)(81166007)(356005)(83080400001)(19627405001)(66574014)(19607625011);DIR:INB;SFP:;</span><br />
<span style="color: red; font-size: x-small;">X-MS-Office365-Filtering-Correlation-Id-Prvs: 88288457-f197-4473-a57d-08d7ffc91d97</span><br />
<span style="color: red; font-size: x-small;">X-Microsoft-Antispam-Untrusted: BCL:0;</span><br />
<span style="color: red; font-size: x-small;">X-Microsoft-Antispam-Message-Info-Original: =?us-ascii?Q?HDO3W+nr056uwZuOZ7TYTG2KW9HPxRSExlC/7yQL77Lh8xd5toPU9ZMXlt+/?=</span><br />
<span style="color: red; font-size: x-small;"> =?us-ascii?Q?q8S3K0REYizRMHkthA3wNJb6MU4vgHvsPbRJNHjBeJw08xJepEx7YRJklYdx?=</span><br />
<span style="color: red; font-size: x-small;"> =?us-ascii?Q?nSegk5JXfkz3FnYHpVhO1t7qoKwwcMFHifB69QFoA0V6ggrIjDJEwNq27sTb?=</span><br />
<span style="color: red; font-size: x-small;"> =?us-ascii?Q?u2vrAss33OY+1dUUp1GiiBZzT4DpL16QotqSIEfiRFWWXS/KqbwJEJ0+wp7l?=</span><br />
<span style="color: red; font-size: x-small;"> =?us-ascii?Q?ujFm3W1ndL5XWmRlztxS3+/E4mHNVqAj0hgoUu97adO/E0+oqbYn61mqNOH0?=</span><br />
<span style="color: red; font-size: x-small;"> =?us-ascii?Q?FkDij6ZoUw3XFYNu0hTpsUoGBEWCu9aX1/cz2TVmAGN5DBXfYI9+ZgLeXOF2?=</span><br />
<span style="color: red; font-size: x-small;"> =?us-ascii?Q?7/5m+E9c6zQLpPRWNj+0q821bxNzE4yhUB+C+K5PNqCpg3YAd2kws7e2+HjT?=</span><br />
<span style="color: red; font-size: x-small;"> =?us-ascii?Q?ybEvvGfrX/JVlhTA+5yK0YQwNm0caLgx/BTKx0dEFUoHGaDqg0LRQlnEXr9y?=</span><br />
<span style="color: red; font-size: x-small;"> =?us-ascii?Q?zPftt3dapzVbKQdVp15Ae1ErOleQLDRZEpQ/m50pQji37iHH/jpf84LthOQB?=</span><br />
<span style="color: red; font-size: x-small;"> =?us-ascii?Q?NX/oUDEZsyj83RowWP6sSAZ7Z9NFSoFKkubvDqMeXflQbW3vz+oL/cJfuSoZ?=</span><br />
<span style="color: red; font-size: x-small;"> =?us-ascii?Q?eC12mwEvYibjhWqUsYB5NnSQ1DmvW/WGZNioxbinDOlxrclSm/g7RwKdkkl1?=</span><br />
<span style="color: red; font-size: x-small;"> =?us-ascii?Q?NADfKmk3dN5roljcmd/MrBszuC4nigH7USGCCVMDTPSmoP9I+TAPhhKaRP26?=</span><br />
<span style="color: red; font-size: x-small;"> =?us-ascii?Q?LNQh5Fe50kxOxwdUGSDoQTr56sUkaGEIsoiP/ue4PMRRXZMjPGTbCI6eCRde?=</span><br />
<span style="color: red; font-size: x-small;"> =?us-ascii?Q?hdfTd9fMIeSBjKhNXDtc5P63e9fhp8SXVeT5T4MycPOs+VKEgL9K8cassjbr?=</span><br />
<span style="color: red; font-size: x-small;"> =?us-ascii?Q?KmbSdhp00ftDoi9Q8of6jV/Ve6CSYgFIqi9MYd5EUwGOYTK6hcAiU4B1oe5G?=</span><br />
<span style="color: red; font-size: x-small;"> =?us-ascii?Q?sVMksEY0SMKTcHn3gnQVuWRXKpjDMU5nYVh2SklhVa1sgo2SR+9i2dDw8Wsd?=</span><br />
<span style="color: red; font-size: x-small;"> =?us-ascii?Q?TVt3bMWhm33WMVi79TZla9z3DOqzS9HRZ8lpJKzHS/iO3KMDPq1GwryMRu63?=</span><br />
<span style="color: red; font-size: x-small;"> =?us-ascii?Q?PVjn+KYYvEs+l1c5/Qbgb64uwjoL+VZ76x4E4YvR6WaSScFLtuqs6pwAzoYB?=</span><br />
<span style="color: red; font-size: x-small;"> =?us-ascii?Q?hFRxmXcdjdnPGh3klPWyqBARJOlKMTR3tzcA7g6MFm7wp4lmKh7PwwPLJIkA?=</span><br />
<span style="color: red; font-size: x-small;"> =?us-ascii?Q?QVIN591rFcQ8RQIj47kf5BaJRj3GoosyZsnilb8L2wIwRiQjSsmUmk+cqQ3G?=</span><br />
<span style="color: red; font-size: x-small;"> =?us-ascii?Q?M3UtTLIA53MQk6UL1Z1Sd9iXZDdZwY8p9r7vi5lPWmtjQ9Aeo/AomnwY71N3?=</span><br />
<span style="color: red; font-size: x-small;"> =?us-ascii?Q?eZ6E2tP8thFY//uSKB7l?=</span><br />
<span style="color: red; font-size: x-small;">X-MS-Exchange-Transport-CrossTenantHeadersStamped: SYCPR01MB5248</span><br />
<span style="color: red; font-size: x-small;">X-OrganizationHeadersPreserved: SYCPR01MB5248.ausprd01.prod.outlook.com</span><br />
<span style="color: red; font-size: x-small;">X-CrossPremisesHeadersFiltered: Exchange2013.domain.local</span><br />
<span style="color: red; font-size: x-small;">X-OrganizationHeadersPreserved: Exchange2013.domain.local</span><br />
<span style="color: red; font-size: x-small;">X-CrossPremisesHeadersFiltered: ME1AUS01FT014.eop-AUS01.prod.protection.outlook.com</span><br />
<span style="color: red; font-size: x-small;">X-MS-Exchange-Transport-CrossTenantHeadersStripped: ME1AUS01FT014.eop-AUS01.prod.protection.outlook.com</span><br />
<span style="color: red; font-size: x-small;">X-Forefront-Antispam-Report: CIP:203.54.134.98;CTRY:AU;LANG:en;SCL:1;SRV:;IPV:NLI;SFV:NSPM;H:Exchange2013.domain.local;PTR:abi3057722.lnk.telstra.net;CAT:NONE;SFTY:;SFS:(24736004)(36756003)(36906005)(19627405001)(26005)(53546011)(5660300002)(33964004)(108616005)(44832011)(6916009)(15974865002)(2616005)(86362001)(1096003)(166002)(336012)(356005)(66574014)(83080400001)(8676002)(81166007)(19607625011);DIR:INB;SFP:;</span><br />
<span style="color: red; font-size: x-small;">X-MS-Office365-Filtering-Correlation-Id-Prvs: 2bb48326-def0-492c-8752-08d7ffc935e8</span><br />
<span style="color: red; font-size: x-small;">X-Microsoft-Antispam: BCL:0;</span><br />
<span style="color: red; font-size: x-small;">X-Microsoft-Antispam-Message-Info: =?us-ascii?Q?vyA9jQ5YP4tbiJQ1N2ff25VgnM+SJiFhE3Yln6tQVaileyKRkO+BuzPHYj6Q?=</span><br />
<span style="color: red; font-size: x-small;"> =?us-ascii?Q?R+XgxcBUeNcGuLQOtJZJD6XEXu0UbScHjmvFzBtKM6xT7AC9PD1aTcQ364rJ?=</span><br />
<span style="color: red; font-size: x-small;"> =?us-ascii?Q?c8SxdVfBKMuOWjAKK/SHGyuZdAvObLEbgloQS/lG3UEJkCUTEHm8n2WqXggb?=</span><br />
<span style="color: red; font-size: x-small;"> =?us-ascii?Q?IZiBNwqd4iWWStR+UyIM/h3t/TIToNx5FHbPD4fPAvZG/L+lCasiGPkaw7sf?=</span><br />
<span style="color: red; font-size: x-small;"> =?us-ascii?Q?ZQJfKrllu9oRIjrxw4NYTtDfQdr2OJ+IA606UhprZ7tmrlBIoid+NsFDXB62?=</span><br />
<span style="color: red; font-size: x-small;"> =?us-ascii?Q?G/9VH6IvGRNxA445F6764dIyXifRsuaGYs/T11WSIzAJ/5ArCemQuAf+1Ek6?=</span><br />
<span style="color: red; font-size: x-small;"> =?us-ascii?Q?KyhsNPSmh9+rGGmNuvV5RXh2E4aqDhZWS6ZGK1aMSTXO6KHeQd+FrEZHM3nf?=</span><br />
<span style="color: red; font-size: x-small;"> =?us-ascii?Q?Xl5OdF6OPKdLlMv1nEa1UVpMi52rkMvxXp7DRmWxspsi9JkIhlU/OBdMjOmC?=</span><br />
<span style="color: red; font-size: x-small;"> =?us-ascii?Q?Us+aJLNXT9O/JIc/7mPwNE3e8+Hj9zIHxNIcrYelEoopTGXSmcdTP0eOslts?=</span><br />
<span style="color: red; font-size: x-small;"> =?us-ascii?Q?Ap1JQ0sEeODnnNs4Z0r2NjzrHOOKRY8YjLhXz4vE+iWzzMhLUgW+17Lc9cHG?=</span><br />
<span style="color: red; font-size: x-small;"> =?us-ascii?Q?/z9uQm800gOM7k6By+jhkxzM8Ho49Uin65W3YMI31VqWQzTgg6kBxoYgNqls?=</span><br />
<span style="color: red; font-size: x-small;"> =?us-ascii?Q?VylLdyHSa8rjX3n31TNqzFxN7DHZRLL+0Ar/53pw9yj6YETYgoBZX8b4zQCD?=</span><br />
<span style="color: red; font-size: x-small;"> =?us-ascii?Q?KZl6GY+7WSjn1MlecYlPAlCCY3rSkwPWGaP5nb1OMPryBPa/hCna5UQJpQK0?=</span><br />
<span style="color: red; font-size: x-small;"> =?us-ascii?Q?NKCSLmg374I4/+jrylQ/fR1upcDBJwDfX0c28v3kzCxv1wlGwWK4LSn5SWrM?=</span><br />
<span style="color: red; font-size: x-small;"> =?us-ascii?Q?GZOW6Cc3K+/G/prlpPrCPsRHdNNGVaGWHqoaaFrLgnFeJQiKDu+afKXAaSem?=</span><br />
<span style="color: red; font-size: x-small;"> =?us-ascii?Q?yqCF551HYU+ItucZDwzF2L2yAu0hX3PZohye+tT4ErFrGAtYrZdAWHr23wL4?=</span><br />
<span style="color: red; font-size: x-small;"> =?us-ascii?Q?+LH54epp83Xrgl0aZm4N1XomI0G94LY+vBQiNK3W075GoK2bhNvYYmVGR03q?=</span><br />
<span style="color: red; font-size: x-small;"> =?us-ascii?Q?w0uD8TzzRXd7MSOC6nwwKCJDiovNYq3ms4AsY4B/t4UQyf/mhTr9h24yuBCa?=</span><br />
<span style="color: red; font-size: x-small;"> =?us-ascii?Q?1GUkuH/ta2m/4NfpUefV0dlBJtCS1QWEZsCClWHo0UPUb+PwtPNO7atyR4vj?=</span><br />
<span style="color: red; font-size: x-small;"> =?us-ascii?Q?hmIkERJe2CYWSVa3B8mKM+Md70ZSPNIdSCHM+FXhM28DAntZmBt3Ox8zVl5Y?=</span><br />
<span style="color: red; font-size: x-small;"> =?us-ascii?Q?2yDsCXoYhGM9UByN5JXDkMe3WwH14Mm++895YPqAMT9u5Zd8OeWAw7WztPC3?=</span><br />
<span style="color: red; font-size: x-small;"> =?us-ascii?Q?RDfJkidLJlLE5XVEABX7?=</span><br />
<span style="color: red; font-size: x-small;">X-OriginatorOrg: contoso.onmicrosoft.com</span><br />
<span style="color: red; font-size: x-small;">X-MS-Exchange-CrossTenant-OriginalArrivalTime: 24 May 2020 10:03:53.9414</span><br />
<span style="color: red; font-size: x-small;"> (UTC)</span><br />
<span style="color: red; font-size: x-small;">X-MS-Exchange-CrossTenant-Network-Message-Id: 8134a206-5e1e-4c8c-50b8-08d7ffc9c425</span><br />
<span style="color: red; font-size: x-small;">X-MS-Exchange-CrossTenant-Id: 7e0e266c-0475-408b-9eb7-cb0cf8b31e59</span><br />
<span style="color: red; font-size: x-small;">X-MS-Exchange-CrossTenant-FromEntityHeader: Internet</span><br />
<span style="color: red; font-size: x-small;">X-MS-Exchange-Transport-CrossTenantHeadersStamped: SYBPR01MB4362</span><br />
<span style="color: red; font-size: x-small;">X-OrganizationHeadersPreserved: SYBPR01MB4362.ausprd01.prod.outlook.com</span><br />
<span style="color: red; font-size: x-small;">X-CrossPremisesHeadersFilteredByDsnGenerator: SYBPR01MB4362.ausprd01.prod.outlook.com</span><br />
<br />
After reverting the change, we needed to troubleshoot. With Centralized Transport disabled on the Outbound connector, we saw that any emails passing from on-premises to Office 365 had the following in the header:<br />
<br />
<div class="MsoNormal">
<b>X-MS-Exchange-Organization-AuthAs: Anonymous</b></div>
<br />
Office 365 should be receiving any emails from the on-premises Exchange Server as "Internal" if they are in the same tenant. This means the emails were not hitting an Inbound Connector in Office 365 and were coming into Office 365 as anonymous. This can also cause the SMTP error "451 4.7.500 Server busy" for very large tenants, as Microsoft throttles emails from anonymous sources to limit spam in Office 365. For more information see:<br />
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in;">
<span lang="EN-AU"><a href="https://www.alitajran.com/error-code-451-4-7-500-server-busy-email-delivery-issues/">https://www.alitajran.com/error-code-451-4-7-500-server-busy-email-delivery-issues/</a></span></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in;">
After researching the issue and a call with Microsoft, we saw that there was a problem with the certificate configuration on the Inbound Connector. The Common Name on the certificate (let's say "mail.contoso.com") was correct on both ends; however, the Organisation Name on the certificate was different, which was enough for inbound SMTP email from on-premises not to be identified by the Inbound Connector and to be flagged as anonymous.</div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjLrlSgMXkPf-dTzMyrnApIHfqYUxCGm1co6CUEdIAfDkkYRp3872OoMcbf0ajanBtx5fRy3GbQTVci3sHj4C5iNUxx4CBW4zKNc8VvzBYweAUgmF8l9iacxQjgCFUJcIjstPSUlhN_xgQ/s1600/certissue.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="939" data-original-width="1132" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjLrlSgMXkPf-dTzMyrnApIHfqYUxCGm1co6CUEdIAfDkkYRp3872OoMcbf0ajanBtx5fRy3GbQTVci3sHj4C5iNUxx4CBW4zKNc8VvzBYweAUgmF8l9iacxQjgCFUJcIjstPSUlhN_xgQ/s1600/certissue.png" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="MsoNormal" style="margin-bottom: .0001pt; margin-bottom: 0in;">
To fix this issue, we needed to change the Inbound Connector from matching on multiple attributes of the certificate, as shown below:<br />
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh82ixaeWZRtVIOEqtIgKr1pRvkQ6ar9tzoVq6Qodcy7fM4BCp6KV8M6Qd9vbPUi2gWkp1XdL9Rc4FxvhhD2ulxKmxsEPiJnjiBxom7GIgDsYj6p0o_7tUSUVYojEp3Y2UYQrDLBGFT4ts/s1600/inboundconnector1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="690" data-original-width="892" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh82ixaeWZRtVIOEqtIgKr1pRvkQ6ar9tzoVq6Qodcy7fM4BCp6KV8M6Qd9vbPUi2gWkp1XdL9Rc4FxvhhD2ulxKmxsEPiJnjiBxom7GIgDsYj6p0o_7tUSUVYojEp3Y2UYQrDLBGFT4ts/s1600/inboundconnector1.png" /></a></div>
<br />
To matching only on the "Common Name" of the on-premises certificate, which for argument's sake let's call "mail.contoso.com".<br />
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg7jzjFVy40qlgE_11SZ7iZBry3nZ3-Pg3Cdj0nRfOdZjyCfO-xbA3J_fHPwqciVmO6A8ax-8E2BKFAJ0rFk-sS6aDjHatqT0ClDPtFHCXS47MwqfyEJFjozW5EAJQ88E2zNeGd7LD8YTk/s1600/inboundconnector2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="690" data-original-width="892" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg7jzjFVy40qlgE_11SZ7iZBry3nZ3-Pg3Cdj0nRfOdZjyCfO-xbA3J_fHPwqciVmO6A8ax-8E2BKFAJ0rFk-sS6aDjHatqT0ClDPtFHCXS47MwqfyEJFjozW5EAJQ88E2zNeGd7LD8YTk/s1600/inboundconnector2.png" /></a></div>
<br />
After fixing the certificate details on the Inbound Connector, emails from on-premises to the cloud were identified as Internal. This can be verified by looking in the message header in one of the emails.<br />
<br />
<i>Note: you need to wait an hour for any changes in Exchange Online to propagate to Exchange Online Protection, unless you speak to Microsoft Support; they have a script that forces it on the backend!</i><br />
<br />
830fecf9-8ece-4d66-2536-08d81e5f643a<br />
X-EOPAttributedMessage: 0<br />
X-MS-Exchange-Organization-MessageDirectionality: Originating<br />
<b>X-MS-Exchange-Organization-AuthAs: Internal</b><br />
X-MS-Exchange-Organization-AuthMechanism: 04<br />
X-MS-Exchange-Organization-AuthSource: Exchange2013.domain.local<br />
X-MS-Exchange-Organization-SCL: -1<br />
X-CrossPremisesHeadersPromoted:<br />
SY3AUS01FT006.eop-AUS01.prod.protection.outlook.com<br />
X-CrossPremisesHeadersFiltered:<br />
SY3AUS01FT006.eop-AUS01.prod.protection.outlook.com<br />
<br />
After this, we re-instated the Centralized Mail Transport configuration and it worked perfectly.</div>
</div>
</div>
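The checks described in this post, written up as an added PowerShell example (this is not code from the original post): the first function pulls the attribution fields (AuthAs, AuthMechanism, X-EOPAttributedMessage, FromEntityHeader) out of a raw message header and flags whether an Inbound Connector matched the sending server; the second lists the on-premises Inbound Connectors in Exchange Online and compares their TlsSenderCertificateName against the certificate Common Name you expect. The sample header is constructed for the example, the IP addresses in it are documentation addresses, and the second function assumes an existing Exchange Online PowerShell session (Connect-ExchangeOnline) and a placeholder Common Name of mail.contoso.com.<br />

```powershell
# Added example, not part of the original post.

function Get-HybridAuthInfo {
    param([Parameter(Mandatory)][string]$RawHeaders)

    # Unfold RFC 5322 continuation lines (a line starting with whitespace
    # continues the previous header) before matching field names.
    $unfolded = $RawHeaders -replace "`r?`n[ \t]+", " "
    $fields = @{}
    foreach ($line in $unfolded -split "`r?`n") {
        if ($line -match '^([A-Za-z0-9\-]+):\s*(.*)$') {
            # Keep the first (topmost) occurrence of each header name.
            if (-not $fields.ContainsKey($Matches[1])) { $fields[$Matches[1]] = $Matches[2] }
        }
    }

    $authAs = $fields['X-MS-Exchange-Organization-AuthAs']
    [pscustomobject]@{
        AuthAs           = $authAs
        AuthMechanism    = $fields['X-MS-Exchange-Organization-AuthMechanism']
        AuthSource       = $fields['X-MS-Exchange-Organization-AuthSource']
        EOPAttributed    = $fields['X-EOPAttributedMessage']
        FromEntity       = $fields['X-MS-Exchange-CrossTenant-FromEntityHeader']
        SCL              = $fields['X-MS-Exchange-Organization-SCL']
        # Mail from the hybrid on-premises server should arrive as Internal;
        # Anonymous means no Inbound Connector matched the sending server.
        MatchedConnector = ($authAs -eq 'Internal')
    }
}

# Constructed sample header (not a real message); the field names mirror
# the ones shown in the post, the addresses are documentation ranges.
$sampleHeaders = @"
Received: from Exchange2013.domain.local (203.0.113.10) by
 SY3AUS01FT006.eop-AUS01.prod.protection.outlook.com (198.51.100.20)
X-MS-Exchange-Organization-AuthAs: Anonymous
X-EOPAttributedMessage: 2
X-MS-Exchange-CrossTenant-FromEntityHeader: Internet
X-MS-Exchange-Organization-SCL: 1
"@

Get-HybridAuthInfo -RawHeaders $sampleHeaders | Format-List

function Test-InboundConnectorCertName {
    # Requires an Exchange Online PowerShell session (Connect-ExchangeOnline).
    param(
        # Assumed placeholder; use the CN of your on-premises SMTP certificate.
        [string]$ExpectedCommonName = 'mail.contoso.com'
    )
    Get-InboundConnector | Where-Object { $_.ConnectorType -eq 'OnPremises' } |
        ForEach-Object {
            $certName = "$($_.TlsSenderCertificateName)"
            [pscustomobject]@{
                Name                     = $_.Name
                TlsSenderCertificateName = $certName
                RequireTls               = $_.RequireTls
                # The fix in the post: match on the certificate CN only,
                # not on the full subject (Organisation Name etc.).
                MatchesCommonNameOnly    = ($certName -eq $ExpectedCommonName)
            }
        }
}

# Run this part only after Connect-ExchangeOnline:
# Test-InboundConnectorCertName -ExpectedCommonName 'mail.contoso.com' | Format-Table -AutoSize
```

Paste the full header of a test message (from the Outlook message properties or a saved .eml) into $sampleHeaders to run the same check against a real message; if MatchedConnector comes back False, compare the TlsSenderCertificateName reported by the second function with the CN the on-premises server actually presents.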
<div class="blogger-post-footer"><p>
Feel free to email me clint@kbomb.com.au if you have any questions about this post.
</p></div>Clint Boessenhttp://www.blogger.com/profile/11156487394562821934noreply@blogger.com0tag:blogger.com,1999:blog-3920347219421157797.post-71873235467914029612020-05-05T01:51:00.003-07:002020-05-05T01:51:59.365-07:00Direct Access not working with Windows Firewall Enabled on Client<div dir="ltr" style="text-align: left;" trbidi="on">
We had an interesting issue with Microsoft Direct Access on Windows 10 latest build 1909.<br />
<br />
<ul style="text-align: left;">
<li>When Windows Firewall is disabled, Direct Access <b>works </b>on the client.</li>
<li>Enabling Windows Firewall on the client breaks Direct Access resulting in no connection.</li>
</ul>
<div>
<b><u><span style="font-size: x-large;">Symptoms of Issue</span></u></b></div>
<div>
<br /></div>
<div>
Here are the symptoms we were seeing:</div>
<div>
<br /></div>
<div>
Get-DAConnectionStatus returned "CouldNotContactDirectAccessServer"</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjupOKhu3Ci8DbVoib-wwGfV0BqCFEGZfrC9dIR0Zn5vPtkduktl8rsrdfvg2ej3jSRT-8saJiKyiBH6Y35bJq3hha7Ty7QJuqWc7dpYGW2exCOBL6472UbDWL81_zQcjEGqsK96DBYjZk/s1600/daerror1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="172" data-original-width="624" height="88" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjupOKhu3Ci8DbVoib-wwGfV0BqCFEGZfrC9dIR0Zn5vPtkduktl8rsrdfvg2ej3jSRT-8saJiKyiBH6Y35bJq3hha7Ty7QJuqWc7dpYGW2exCOBL6472UbDWL81_zQcjEGqsK96DBYjZk/s320/daerror1.png" width="320" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div>
<br />
<b>netsh interface httpstunnel show interface</b> shows the Interface is Active<br />
<br />
IPHTTPS interface active<br />
Last Error Code 0x0<br />
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiX-bhw1csE1TXgnDvfXx1-RANUxDGImed1m4rjvv7XAEnCgqr70HCu9iYUmueWWHL4fE05r_U-qJvB4Wdp8A8mEq9-b1_c8S9dk4EUwGx-iX4NvyMr3ZbFuGXY8isA1v2PR6bz45Vlsr0/s1600/daerror2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="157" data-original-width="624" height="160" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiX-bhw1csE1TXgnDvfXx1-RANUxDGImed1m4rjvv7XAEnCgqr70HCu9iYUmueWWHL4fE05r_U-qJvB4Wdp8A8mEq9-b1_c8S9dk4EUwGx-iX4NvyMr3ZbFuGXY8isA1v2PR6bz45Vlsr0/s640/daerror2.png" width="640" /></a></div>
<br />
<br />
The issue appears to be with the Name Resolution Policy Table (NRPT). When Windows Firewall was enabled on the client, you were able to ping IPv6 addresses on the Direct Access server through the tunnel, but all name resolution failed.<br />
<br />
For example, you can ping the tunnel endpoints discoverable using the <b>Get-DAClientExperienceConfiguration</b> cmdlet on the client. You can also ping IPv6 addresses of hostnames that were resolved while Windows Firewall was disabled. For example, while Windows Firewall is disabled, ping domain.local (your AD forest name) and copy the IPv6 address; re-enable Windows Firewall and you will notice you can still reach it by IPv6 address, but not resolve it by hostname through NRPT.<br />
<br />
<span style="font-size: x-large;"><b><u>Resolution</u></b></span><br />
<br />
The issue was caused by Windows Firewall being set to a disabled state on the server.<br />
<br />
What we found was when the Windows Firewall is disabled on the server, Windows Firewall must be disabled on the client.<br />
<br />
If the DA Server Firewall is <b>disabled</b> but the DA client Firewall is <b>enabled</b> - <u>Direct Access breaks.</u><br />
If the DA Server Firewall is <b>enabled</b> but the DA client Firewall is <b>disabled</b> - <u>Direct Access breaks.</u><br />
<br />
You must have Windows Firewall disabled on both the DA Server and DA Client, or enabled on both the DA Server and DA Client.<br />
<br />
We also identified another issue on the DA server with regards to Windows Firewall being disabled. In our environment, disabling Windows Firewall on the DA Server breaks Direct Access reporting in the "Remote Access Management" console.<br />
<br />
As a result, it is strongly recommended to keep Windows Firewall enabled on both the DA Server and DA clients.</div>
</div>
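The symptoms above can be collected on the client in one pass, which makes it easier to compare the client's firewall state with what the DA server is configured with. This is an added PowerShell example and not code from the original post; it uses the DA client, NetSecurity and DnsClient cmdlets that ship with Windows 10, and the hostname domain.local is an assumed placeholder for your AD forest name.<br />

```powershell
# Added example, not part of the original post.
# Run on the Direct Access client from an elevated PowerShell prompt.

function Get-DAClientHealth {
    param(
        # Corporate namespace to resolve through NRPT. Assumed placeholder;
        # replace with your AD forest / DA namespace.
        [string]$TestHostname = 'domain.local'
    )

    # 1. Windows Firewall state per profile. The post's finding: this must be
    #    enabled on both client and server, or disabled on both.
    $profiles = Get-NetFirewallProfile | Select-Object Name, Enabled

    # 2. DA connection status as reported by the DA client components
    #    (the post saw "CouldNotContactDirectAccessServer").
    $da = Get-DAConnectionStatus

    # 3. IP-HTTPS tunnel state. The post saw an active interface with
    #    Last Error Code 0x0 even though name resolution was failing.
    $iphttps = (netsh interface httpstunnel show interface) -join "`n"
    $tunnelActive = $iphttps -match 'IPHTTPS interface active'

    # 4. NRPT rules that send the corporate namespace to the DA DNS servers.
    $nrpt = Get-DnsClientNrptPolicy | Select-Object Namespace, DirectAccessDnsServers

    # 5. Name resolution of the corporate namespace through NRPT (AAAA record,
    #    since DA traffic inside the tunnel is IPv6).
    $resolved = $null
    try {
        $resolved = (Resolve-DnsName -Name $TestHostname -Type AAAA -ErrorAction Stop).IPAddress -join ', '
    } catch {
        $resolved = "FAILED: $($_.Exception.Message)"
    }

    # 6. If resolution failed, the post's workaround for confirming the tunnel
    #    itself is fine is to ping an IPv6 address obtained while the firewall
    #    was disabled; report the DA DNS server addresses so that can be done.
    $daDnsServers = ($nrpt | ForEach-Object { $_.DirectAccessDnsServers }) | Where-Object { $_ } | Select-Object -Unique

    [pscustomobject]@{
        FirewallProfiles = ($profiles | ForEach-Object { "$($_.Name)=$($_.Enabled)" }) -join ', '
        DAStatus         = $da.Status
        DASubstatus      = $da.Substatus
        IPHttpsActive    = $tunnelActive
        NrptNamespaces   = ($nrpt | ForEach-Object { $_.Namespace }) -join ', '
        DADnsServers     = ($daDnsServers -join ', ')
        CorpNameResolves = $resolved
    }
}

Get-DAClientHealth | Format-List
```

A result where IPHttpsActive is True, NrptNamespaces lists your namespace, but CorpNameResolves is FAILED is the pattern described in this post; compare FirewallProfiles with the same output from Get-NetFirewallProfile on the DA server before changing anything else.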
Clint Boessenhttp://www.blogger.com/profile/11156487394562821934noreply@blogger.com0tag:blogger.com,1999:blog-3920347219421157797.post-3018295643905263282019-11-01T01:14:00.002-07:002019-11-01T01:14:37.949-07:00Patching old Exchange 2013 or Exchange 2016 servers<div dir="ltr" style="text-align: left;" trbidi="on">
When patching Exchange 2013 or Exchange 2016 from an old Cumulative Update version, it is common to need to hop through multiple versions of Exchange Server.<br />
<br />
For example, if you're on Exchange 2013 CU11, to remain in a supported state you will need to patch as follows:<br />
<ul style="text-align: left;">
<li>Upgrade Exchange 2013 from CU11 to CU15.</li>
<li>Upgrade the .NET Framework to 4.6.2.</li>
<li>Upgrade from Exchange 2013 CU15 to CU20.</li>
<li>Upgrade the .NET Framework to 4.7.1.</li>
<li>Upgrade from Exchange 2013 CU20 to CU22.</li>
<li>Upgrade the .NET Framework to 4.7.2.</li>
<li>Upgrade from Exchange 2013 CU22 to CU23.</li>
</ul>
See the support matrix here:<br />
<br />
<a href="https://docs.microsoft.com/en-us/exchange/plan-and-deploy/supportability-matrix?view=exchserver-2019">https://docs.microsoft.com/en-us/exchange/plan-and-deploy/supportability-matrix?view=exchserver-2019</a><br />
<br />
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj7i5jOouhQuOY0OXuc4AAruJ9UCxeFMR3Gxt9zXCx0sGlkvwnf4__hUkjRar165aDuL2E7BmCHZn6SISYYu-77Fc6tZ3lIhaiKe9BdHySEC6-PjG3kap89iOdoDr2SrMWO6Z7o66kqt8w/s1600/exchangesupportmatrix.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="660" data-original-width="1008" height="419" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj7i5jOouhQuOY0OXuc4AAruJ9UCxeFMR3Gxt9zXCx0sGlkvwnf4__hUkjRar165aDuL2E7BmCHZn6SISYYu-77Fc6tZ3lIhaiKe9BdHySEC6-PjG3kap89iOdoDr2SrMWO6Z7o66kqt8w/s640/exchangesupportmatrix.PNG" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
The problem that most people on old patch levels find is that Microsoft has removed many of the older CU downloads, which makes moving from an old patch level a difficult task.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Luckily we have a legend that has posted all the Exchange updates here:</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://www.msexchangeupdates.com/?fbclid=IwAR2VCl5BgXaAApJ9MPSxBYkbl3D_gCcC2juU-apCx63_OJsJP6bhWUHLhCg">https://www.msexchangeupdates.com/?fbclid=IwAR2VCl5BgXaAApJ9MPSxBYkbl3D_gCcC2juU-apCx63_OJsJP6bhWUHLhCg</a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Very handy link to keep in your favorites.</div>
</div>
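The hop sequence above can be turned into a checklist that a server reports against itself. The following is an added PowerShell example, not code from the original post: it reads the installed Exchange build and .NET Framework release from the registry and marks which steps of the CU11-to-CU23 plan are already satisfied. The build numbers for each CU and the minimum "Release" DWORD value for each .NET version are my own assumptions for illustration and must be verified against the supportability matrix linked above before you rely on them.<br />

```powershell
# Added example, not part of the original post. Run in an elevated PowerShell
# prompt on the Exchange 2013 server being assessed.

# Exchange 2013 CU -> build number. ASSUMED values; verify against the
# supportability matrix before use.
$cuBuilds = [ordered]@{
    'CU11' = '15.0.1156.6'
    'CU15' = '15.0.1263.5'
    'CU20' = '15.0.1367.3'
    'CU22' = '15.0.1473.3'
    'CU23' = '15.0.1497.2'
}

# Minimum value of the .NET Framework "Release" DWORD for each version in the
# hop plan. ASSUMED values; verify against Microsoft's .NET version table.
$netReleases = [ordered]@{
    '4.6.2' = 394802
    '4.7.1' = 461308
    '4.7.2' = 461808
}

# The hop plan from the post, in the order it must be applied.
$plan = @(
    @{ Type = 'Exchange'; Target = 'CU15' },
    @{ Type = 'NET';      Target = '4.6.2' },
    @{ Type = 'Exchange'; Target = 'CU20' },
    @{ Type = 'NET';      Target = '4.7.1' },
    @{ Type = 'Exchange'; Target = 'CU22' },
    @{ Type = 'NET';      Target = '4.7.2' },
    @{ Type = 'Exchange'; Target = 'CU23' }
)

function Get-InstalledExchangeBuild {
    # Exchange setup records its build in these four registry values.
    $s = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\ExchangeServer\v15\Setup'
    [version]"$($s.MsiProductMajor).$($s.MsiProductMinor).$($s.MsiBuildMajor).$($s.MsiBuildMinor)"
}

function Get-InstalledNetRelease {
    # The .NET 4.x installer records the installed version as the Release DWORD.
    (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full').Release
}

function Get-RemainingHops {
    param(
        [Parameter(Mandatory)][version]$ExchangeBuild,
        [Parameter(Mandatory)][int]$NetRelease
    )
    foreach ($step in $plan) {
        if ($step.Type -eq 'Exchange') {
            $done  = $ExchangeBuild -ge [version]($cuBuilds[$step.Target])
            $label = "Exchange 2013 $($step.Target) (build $($cuBuilds[$step.Target]))"
        } else {
            $done  = $NetRelease -ge $netReleases[$step.Target]
            $label = ".NET Framework $($step.Target) (Release >= $($netReleases[$step.Target]))"
        }
        [pscustomobject]@{ Step = $label; Done = $done }
    }
}

# Report against the local server. The first step whose Done is False is the
# next hop to apply; everything after it is still outstanding too.
Get-RemainingHops -ExchangeBuild (Get-InstalledExchangeBuild) -NetRelease (Get-InstalledNetRelease) |
    Format-Table -AutoSize
```

Because the plan is evaluated in order, a server that is already on CU20 with .NET 4.7.1 shows the first four steps as Done and the remaining three as outstanding, which is the order in which the installers then need to be run.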
Clint Boessenhttp://www.blogger.com/profile/11156487394562821934noreply@blogger.com0tag:blogger.com,1999:blog-3920347219421157797.post-49282947993207379362019-09-25T21:02:00.001-07:002019-10-01T18:28:12.648-07:00Basic Authentication being Disabled in Exchange Online<div dir="ltr" style="text-align: left;" trbidi="on">
Microsoft has announced that on the 13th of October 2020 they are turning off Basic Authentication across all protocols in Exchange Online apart from SMTP. Basic Authentication will be turned off on all web services on the 13th of October 2020, including POP and IMAP. This was published here:<br />
<br />
<a href="https://techcommunity.microsoft.com/t5/Exchange-Team-Blog/Improving-Security-Together/ba-p/805892">https://techcommunity.microsoft.com/t5/Exchange-Team-Blog/Improving-Security-Together/ba-p/805892</a><br />
<br />
Microsoft are pushing people to use Modern Authentication (OAuth2), which provides numerous advantages over Basic Authentication. Basic Authentication is secure provided it is encrypted with TLS; it has been used since Exchange 5.5 and is still heavily used now, even in Exchange Server 2019. However, there are more secure methods which support additional controls such as Multi-Factor Authentication (MFA).<br />
<br />
I have issues with this announcement: many customers have enterprise applications which connect to Exchange via Basic Authentication using POP or IMAP4 over TLS, and this is the only connectivity option these applications support.<br />
<br />
Microsoft say in the announcement that they know this will cause potential disruption, but they want to force companies to adopt the new authentication technology. I have many customers with help desk ticketing systems, ERP solutions, document management and life-cycle management systems etc. that only support Basic Authentication. Not to mention, as of 26/09/2019 Microsoft still doesn't even support Modern Authentication on POP or IMAP (commonly used for applications to connect) and say in their article "we are planning on adding OAuth Support to both POP and IMAP in next few months". Great - gives application vendors lots of time to prepare!<br />
<br />
The benefit of Exchange Server on-premises is that you control your own destiny. If you have applications you have invested 10 million+ into developing or rolling out, you won't expect your cloud vendor to suddenly flick a switch and cause your application to stop functioning correctly.<br />
<br />
If you're using Basic Authentication in O365 - and I know many of you reading this article will be to some extent (most likely mobile phones) - make sure you address this: install the Outlook for Mobile application and upgrade your enterprise applications to ensure you're ready for this significant change.</div>
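As an added example (not part of the original post), the following Exchange Online PowerShell script does the two things the last paragraph asks for: it inventories which mailboxes can still use the legacy protocols, and it switches Basic Authentication off ahead of Microsoft's deadline with an authentication policy, keeping SMTP AUTH and one named application exception open. It assumes an existing Exchange Online PowerShell session; the policy names, the svc-imap-app@avantlab.local exception mailbox and the report path are placeholders.

```powershell
# Added example, not the original post's code. Assumes an open Exchange Online
# PowerShell session (Connect-ExchangeOnline) with rights to manage auth policies.
# Placeholders: adjust the policy names, the exception mailbox and the report path.
$blockPolicy = 'Block Basic Auth'
$imapPolicy  = 'Allow IMAP Basic Auth (exception)'
$exception   = 'svc-imap-app@avantlab.local'   # application that only speaks IMAP over TLS
$report      = "$env:TEMP\legacy-protocol-mailboxes.csv"

# 1. Inventory: every mailbox that still has POP or IMAP enabled is a candidate
#    for breakage on cut-over day. Review this list with the application owners.
Get-CASMailbox -ResultSize Unlimited -Filter { PopEnabled -eq $true -or ImapEnabled -eq $true } |
    Select-Object PrimarySmtpAddress, PopEnabled, ImapEnabled, ActiveSyncEnabled |
    Export-Csv -Path $report -NoTypeInformation

# 2. A freshly created authentication policy disables Basic Authentication on
#    every protocol. Re-enable SMTP AUTH only, mirroring what Microsoft announced.
if (-not (Get-AuthenticationPolicy -Identity $blockPolicy -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name $blockPolicy | Out-Null
}
Set-AuthenticationPolicy -Identity $blockPolicy -AllowBasicAuthSmtp

# 3. Make it the tenant default so every user without an explicit policy is covered.
Set-OrganizationConfig -DefaultAuthenticationPolicy $blockPolicy

# 4. The one application account that cannot do OAuth keeps Basic for IMAP only.
if (-not (Get-AuthenticationPolicy -Identity $imapPolicy -ErrorAction SilentlyContinue)) {
    New-AuthenticationPolicy -Name $imapPolicy -AllowBasicAuthImap | Out-Null
}
Set-User -Identity $exception -AuthenticationPolicy $imapPolicy

# 5. Policy changes normally take up to 24 hours to apply; resetting the token
#    timestamp makes them take effect for that account immediately.
Set-User -Identity $exception -STSRefreshTokensValidFrom ([DateTime]::UtcNow)

# 6. Show who ended up with an explicit policy (everyone else gets the default).
Get-User -ResultSize Unlimited | Where-Object { $_.AuthenticationPolicy } |
    Select-Object UserPrincipalName, AuthenticationPolicy
```

The inventory only tells you who could use POP or IMAP, not who does; the Azure AD sign-in logs, filtered on the legacy client apps, tell you who is actually authenticating that way, and that is the list to work through before flipping the tenant default.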
<div class="blogger-post-footer"><p>
Feel free to email me clint@kbomb.com.au if you have any questions about this post.
</p></div>Clint Boessenhttp://www.blogger.com/profile/11156487394562821934noreply@blogger.com0tag:blogger.com,1999:blog-3920347219421157797.post-58244088601871526282019-08-26T21:33:00.000-07:002019-08-26T21:33:21.294-07:00Preparing Exchange Topology - PrepareAD, PrepareSchema, PrepareDomain etc<div dir="ltr" style="text-align: left;" trbidi="on">
I'm about to sit the Exchange upgrade exam (MS-202: Microsoft 365 Messaging Administrator Certification Transition) on Friday and am currently doing a last minute brush up. Having done all the certifications in Exchange Server since MCSE: Messaging 2003 all the way through to the latest Exchange 2016 exam (70-345), I know the types of questions Microsoft has asked in the past.<br />
<br />
One area tested that I recall from all previous exams was the process for preparing schema and domain...<br />
<br />
Whilst the latest Exchange 2019 exams are definitely going to be heavily focused on Exchange Online in Office 365, given this is Microsoft's primary drive, they also test on all the on-premises content. I wouldn't be surprised if topology preparation is tested once again, even though in my professional opinion it is not an item of significant importance, given that the vast majority of businesses simply rely on the Cumulative Update setup wizard to automatically extend the schema and prepare the domains.<br />
<br />
In Exchange 2003 we had the setup.exe /forestprep and setup.exe /domainprep.<br />
<br />
From Exchange 2007 all the way to Exchange 2019 we have a number of commands now including:<br />
<ul style="text-align: left;">
<li>Setup /PrepareAD</li>
<li>Setup /PrepareSchema</li>
<li>Setup /PrepareDomain</li>
<li>Setup /PrepareAllDomains</li>
</ul>
<div>
I remember there used to be a fantastic article on TechNet which gave a breakdown of exactly what each of these commands did; however, after spending a good 5 minutes on Google I came up short trying to find the article and I'm not sure if it is still published.</div>
<div>
<br /></div>
<div>
I could find no "clear" breakdown of each of these commands, and the descriptions given in the installer help are useless, as shown below:</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj7Ljot8ppPm2THPloy2Z0Zv_cz3PwG1E1eR1Q9_w7juR_OcbVkQ28uSLQRURRcdYT-CYzF1rjZhDC14cFwFv_88EC_Z1eyimKTAEI2S2odKUPdIr611KmiN_qNK6kYHnyIRwOJ0rlUQdE/s1600/SetupPrepareTopology.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="789" data-original-width="594" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj7Ljot8ppPm2THPloy2Z0Zv_cz3PwG1E1eR1Q9_w7juR_OcbVkQ28uSLQRURRcdYT-CYzF1rjZhDC14cFwFv_88EC_Z1eyimKTAEI2S2odKUPdIr611KmiN_qNK6kYHnyIRwOJ0rlUQdE/s1600/SetupPrepareTopology.PNG" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
I did, however, come across the book Exchange Server 2010 Administration: Real World Skills for MCITP Certification and Beyond (Exams 70-662 and 70-663), published by Joel Stidley and Erik Gustafson, which touched on these commands in more detail.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Given the lack of content covering these commands, I decided to do a quick blog post.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<b>Setup /PrepareSchema</b></div>
<div class="separator" style="clear: both; text-align: left;">
<b></b><br /></div>
<div class="separator" style="clear: both; text-align: left;">
This command does one thing: it prepares the schema (the additional classes and attributes required by Exchange Server). It must be run from a 64-bit computer in the same Active Directory site and domain as the Schema master.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
To run this command your account must be a member of both the Schema Admins and Enterprise Admins groups (and the group membership must be in your logon token, so log off and on again if you were just added).</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="-webkit-text-stroke-width: 0px; background-color: white; color: black; display: inline !important; float: none; font-family: Times New Roman; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 700; letter-spacing: normal; orphans: 2; text-align: left; text-decoration: none; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;">Setup /PrepareDomain</span></div>
<div class="separator" style="clear: both; text-align: left;">
<b></b><i></i><u></u><sub></sub><sup></sup><strike></strike><br /></div>
<div class="separator" style="clear: both; text-align: left;">
This command must be run in each domain within an Active Directory forest. It creates the Microsoft Exchange System Objects container, the domain-level security groups and permissions needed for hosting Exchange Servers and Exchange recipients in that domain. Think of it as creating some additional Active Directory objects in the domain partition only; there are no schema extensions involved.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
To run this command you must be an Enterprise Admin.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<b>Setup /PrepareAD</b></div>
<div class="separator" style="clear: both; text-align: left;">
<b></b><br /></div>
<div class="separator" style="clear: both; text-align: left;">
The PrepareAD command performs three things:</div>
<ul style="text-align: left;">
<li><div class="separator" style="clear: both; text-align: left;">
Prepares the Schema if not done already (same as PrepareSchema)</div>
</li>
<li><div class="separator" style="clear: both; text-align: left;">
Prepares the domain in which PrepareAD is run (in most deployments the forest root domain); other domains in a multi-domain forest are not touched</div>
</li>
<li><div class="separator" style="clear: both; text-align: left;">
Creates the Global Exchange Objects in the Configuration Partition.</div>
</li>
</ul>
<div>
It is important to note that PrepareAD runs the PrepareSchema step for the forest and the PrepareDomain step for the domain it is run in only (each only if not done already).</div>
<div>
<br /></div>
<div>
For a single forest, single domain environment - PrepareAD is the only command you need to run.</div>
<div>
<br /></div>
<div>
If you have multiple child domains or new tree domains in the same Forest, after you run /PrepareAD in the forest root domain, you will need to /PrepareDomain for each of the additional domains within the forest.</div>
<div>
<br /></div>
<div>
<span style="-webkit-text-stroke-width: 0px; background-color: white; color: black; display: inline !important; float: none; font-family: Times New Roman; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; letter-spacing: normal; orphans: 2; text-align: left; text-decoration: none; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;">To run this command you must be an Enterprise Admin and a Schema Admin.</span></div>
<div>
<br /></div>
<div>
<span style="-webkit-text-stroke-width: 0px; background-color: white; color: black; display: inline !important; float: none; font-family: Times New Roman; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 700; letter-spacing: normal; orphans: 2; text-align: left; text-decoration: none; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;">Setup /PrepareAllDomains</span><b></b><i></i><u></u><sub></sub><sup></sup><strike></strike></div>
<div class="separator" style="clear: both; text-align: left;">
<b></b><i></i><u></u><sub></sub><sup></sup><strike></strike><b></b><i></i><u></u><sub></sub><sup></sup><strike></strike><br /></div>
<div>
If you have multiple domains in an Active Directory forest and wish to run /PrepareDomain across all of them in one pass, that is what the /PrepareAllDomains command is for. It requires Enterprise Admins membership, since it writes to every domain in the forest.<br />
<br />
Hopefully this post has been useful.</div>
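To put the four switches together, here is an added example (not part of the original post): a PowerShell script that runs the pre-flight checks each switch needs, runs the preparation in the right order for a multi-domain forest, and then reads back the version attributes that prove it worked. It assumes the Exchange setup files are extracted to D:\, that the organisation name is AvantLab, and that it runs in an elevated session on a 64-bit domain-joined server with the Active Directory RSAT module installed; all of those are placeholders.

```powershell
# Added example, not the original post's commands. Placeholders: setup media at D:\,
# organisation name "AvantLab", ActiveDirectory RSAT module present, elevated session
# on a 64-bit member server. Exchange 2019 CU12+ and 2016 CU23+ replace
# /IAcceptExchangeServerLicenseTerms with the _DiagnosticDataON / _DiagnosticDataOFF variants.
Import-Module ActiveDirectory

$setup   = 'D:\Setup.exe'
$orgName = 'AvantLab'          # only honoured the first time /PrepareAD runs in a forest
$license = '/IAcceptExchangeServerLicenseTerms'

function Test-GroupMembership {
    param([string[]]$Required)
    # Token groups include nested membership; a group joined after logon is missing
    # until you log off and on again, which is the usual cause of "access denied".
    $token = [Security.Principal.WindowsIdentity]::GetCurrent().Groups | ForEach-Object {
        try { $_.Translate([Security.Principal.NTAccount]).Value } catch { $null }
    }
    foreach ($g in $Required) {
        if (-not ($token | Where-Object { $_ -like "*\$g" })) {
            throw "Current logon token is not a member of '$g' (log off and on after being added)"
        }
    }
}

function Invoke-Setup {
    param([string[]]$Switches)
    & $setup $license @Switches
    if ($LASTEXITCODE -ne 0) { throw "Setup $($Switches -join ' ') failed with exit code $LASTEXITCODE" }
}

# /PrepareSchema must run in the schema master's site and domain.
$forest       = Get-ADForest
$schemaMaster = Get-ADDomainController -Identity $forest.SchemaMaster
$localSite    = [DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name
if ($schemaMaster.Site -ne $localSite -or $schemaMaster.Domain -ne $env:USERDNSDOMAIN) {
    throw "Run this in site '$($schemaMaster.Site)' / domain '$($schemaMaster.Domain)', where schema master $($schemaMaster.HostName) lives"
}

# /PrepareSchema and /PrepareAD need Schema Admins plus Enterprise Admins;
# /PrepareAllDomains needs Enterprise Admins.
Test-GroupMembership -Required 'Schema Admins', 'Enterprise Admins'

Invoke-Setup '/PrepareSchema'                           # forest schema extension
Invoke-Setup '/PrepareAD', "/OrganizationName:$orgName"  # configuration partition objects + this domain
Invoke-Setup '/PrepareAllDomains'                        # every other domain in the forest

# Read back the attributes that show each step landed. Compare the numbers with
# the table for your CU in Microsoft's "Prepare Active Directory and domains" article.
$rootDse   = Get-ADRootDSE
$schemaVer = (Get-ADObject "CN=ms-Exch-Schema-Version-Pt,$($rootDse.schemaNamingContext)" -Properties rangeUpper).rangeUpper
$orgVer    = (Get-ADObject -SearchBase "CN=Microsoft Exchange,CN=Services,$($rootDse.configurationNamingContext)" `
                -Filter 'objectClass -eq "msExchOrganizationContainer"' -Properties objectVersion).objectVersion
"Schema rangeUpper : $schemaVer"
"Org objectVersion : $orgVer"
foreach ($domain in $forest.Domains) {
    $dn  = (Get-ADDomain -Identity $domain).DistinguishedName
    $ver = (Get-ADObject "CN=Microsoft Exchange System Objects,$dn" -Server $domain -Properties objectVersion).objectVersion
    "Domain $domain objectVersion : $ver"
}
```

Running /PrepareSchema explicitly before /PrepareAD is redundant (PrepareAD would do it), but it keeps the schema change as its own step with its own exit code, which is what a change-controlled environment usually wants.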
</div>
<div class="blogger-post-footer"><p>
Feel free to email me clint@kbomb.com.au if you have any questions about this post.
</p></div>Clint Boessenhttp://www.blogger.com/profile/11156487394562821934noreply@blogger.com0tag:blogger.com,1999:blog-3920347219421157797.post-18758019876103071052019-08-26T01:37:00.002-07:002019-08-26T04:23:00.474-07:00Exchange RBAC Example - Provide User access to manage Contacts<div dir="ltr" style="text-align: left;" trbidi="on">
In June 2010, I wrote an article explaining how Exchange Role Based Access Control (RBAC) works, a new feature released with Exchange 2010. RBAC is still heavily utilised today, with Exchange 2019 and Office 365 following the same principles.<br />
<br />
My article from 2010 can be found here:<br />
<br />
<a href="https://clintboessen.blogspot.com/2010/06/exchange-2010-role-based-access-control.html">https://clintboessen.blogspot.com/2010/06/exchange-2010-role-based-access-control.html</a><br />
<br />
After not having worked with RBAC for a while, I found myself re-reading the principles of RBAC and running back through what is involved in configuring the security model. Knowing this well is also essential as I'm doing my Exchange upgrade exam this Friday (MS-202 Microsoft 365 Messaging Administrator Certification Transition), so a refresher on these principles is always handy!<br />
<br />
I had a requirement given to me by a customer which I need to spin up in my test lab, and I thought whilst I lab the requirement it might be a good idea to write a quick blog post on the process of implementing the RBAC changes.<br />
<br />
<span style="color: #073763; font-size: x-large;"><strong><u>RBAC Requirement</u></strong></span><br />
<br />
<em>"A user in the business must be able to create mail enabled contacts for external workers. This user must only be able to create mail enabled contacts and no other objects, and the contacts must be stored under a specific organisational unit only".</em><br />
<br />
<strong><u><span style="color: #073763; font-size: x-large;">RBAC Security Model</span></u></strong><br />
<span style="color: black; font-size: small;"></span><br />
<span style="color: black; font-size: small;">With the design of RBAC, The Exchange Product Team referred to RBAC as the Triangle of Power. This is elaborated in this blog post here:</span><br />
<br />
<a href="https://techcommunity.microsoft.com/t5/Exchange-Team-Blog/RBAC-and-the-Triangle-of-Power/ba-p/597147">https://techcommunity.microsoft.com/t5/Exchange-Team-Blog/RBAC-and-the-Triangle-of-Power/ba-p/597147</a><br />
<br />
The security model has three arms:<br />
<ul>
<li><strong>Step 1: Where</strong> - Where are the objects stored that we want to change, or what attributes or identifying factors must the object have? They can be in a security group, an organisational unit, anyone with a job title set to XYZ... the possibilities are endless. My requirement for "Where" is that contacts must be contained only under a particular organisational unit.</li>
<li><strong>Step 2: What</strong> - What covers what you want to do: which Exchange PowerShell cmdlets do you want to give the administrator access to run? Think of "What" as the access rights you wish to delegate. The cmdlets we are interested in for my example are New-MailContact and Remove-MailContact.</li>
<li><strong>Step 3: Who</strong> - Who is able to perform the operation: which user or group you want to delegate control to so they can run the cmdlets from the What section.</li>
</ul>
This is all glued together by a concept known as Management Role Assignments.<br />
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-4FrCJUZKHitiyXh3kF9v74knHLxU3cB1nc-d3FBcPckbX0QAp2P6arB-fCyAC07U7voYFKvDZmzhduwpfjXHTZE_-YnErWf1CVqFlCz04nO6FBI0DjLq2qfIHoZUddcsGWMu4TFAKSk/s1600/triangleofpower.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="401" data-original-width="441" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-4FrCJUZKHitiyXh3kF9v74knHLxU3cB1nc-d3FBcPckbX0QAp2P6arB-fCyAC07U7voYFKvDZmzhduwpfjXHTZE_-YnErWf1CVqFlCz04nO6FBI0DjLq2qfIHoZUddcsGWMu4TFAKSk/s1600/triangleofpower.png" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
I will break this down using my three headers listed above.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<strong><u><span style="color: #073763; font-size: x-large;">Step 1: Where</span></u></strong></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
In my lab environment we only want contact objects to be changed under the OU "Contacts".</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<strong>avantlab.local/Contacts</strong></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
As a result we are going to create a new "Management Scope". By default, role assignments use the implicit scope of the role, which covers the entire Exchange organisation (the whole Active Directory forest), and no custom Management Scopes exist. </div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
I'm locking it down to the Organisational Unit based on a RecipientRestrictionFilter with the following query:</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<strong>New-ManagementScope "AvantLab Contacts" -RecipientRestrictionFilter {DistinguishedName -Like '*,OU=Contacts,DC=Avantlab,DC=Local'}</strong></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhxsFnhPLI62oYiznQMum28AOAyJ9RR38UtKTxBFxPadBhoZrfTAcPic0HkRJAjL-Hi8vRwxNqta1hG9EUHv6_YJHFjBEtSPFB_SV_hROISr1Lrg3v7TyJZ7HuOSe2Mnivs6I3IyC4XVmI/s1600/managementscope.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="138" data-original-width="1138" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhxsFnhPLI62oYiznQMum28AOAyJ9RR38UtKTxBFxPadBhoZrfTAcPic0HkRJAjL-Hi8vRwxNqta1hG9EUHv6_YJHFjBEtSPFB_SV_hROISr1Lrg3v7TyJZ7HuOSe2Mnivs6I3IyC4XVmI/s1600/managementscope.png" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<strong><u><span style="color: #073763; font-size: x-large;">Step 2: What</span></u></strong><br />
<br />
Now we are interested in assigning "What" cmdlets we want the admin to be able to run. The "What" refers to two cmdlets:<br />
<ul style="text-align: left;">
<li>New-MailContact</li>
<li>Remove-MailContact</li>
</ul>
Cmdlets are linked as "ManagementRoleEntries" to objects known as "ManagementRoles".<br />
<br />
There are a few rules you need to understand when creating new Management Roles for the "what section":<br />
<ul>
<li>It is not possible to simply create a new Management Role and add the cmdlets you wish to run under the role as Management Role Entries. All custom (non-default) Management Roles must be linked to a parent Management Role. Parent Management Roles are ones that come by default with Microsoft Exchange Server "out of the box". Think of it as "cloning" the parent Management Role to create your "custom" Management Role.</li>
<li>It is not possible to add cmdlets that were not in the parent; you can, however, remove cmdlets (and add back a removed one, as long as the parent still has it).</li>
</ul>
Based on these two rules, when you're creating a new Management Role you're essentially taking a Management Role similar to what you're trying to create, "with too much access", and removing the additional access from the role.<br />
<br />
So the first step I need to do is find an existing Management Role that contains the two cmdlets I'm interested in. I did this by running the following cmdlets:<br />
<br />
<strong>Get-ManagementRole -Cmdlet New-MailContact</strong><br />
<strong>Get-ManagementRole -Cmdlet </strong><strong>Remove-MailContact</strong><br />
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiAdvaVw9WX_TK-D_QayAeaaWroloqiIsdxk5Z_BGYWovnp14Sp-LECWqAps2g_TMUEpB5UcXjbnPFdfucQigH_6mmosHmMZCN-L9u6oYts0HTHB52OepLqWU9qrpAWIdWpi0yNzoLn6BI/s1600/findcmdlets.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="237" data-original-width="558" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiAdvaVw9WX_TK-D_QayAeaaWroloqiIsdxk5Z_BGYWovnp14Sp-LECWqAps2g_TMUEpB5UcXjbnPFdfucQigH_6mmosHmMZCN-L9u6oYts0HTHB52OepLqWU9qrpAWIdWpi0yNzoLn6BI/s1600/findcmdlets.png" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
A Management Role that contains both these cmdlets is "Mail Recipient Creation" - so this is the Management Role we will use as the template for creating my new Management Role.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
I'm calling my new Management Role "Contact Management" and I'm basing it on "Mail Recipient Creation". As a result, the new Management Role was created with the following cmdlet:</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<strong>New-ManagementRole -Name "Contact Management" -Parent "Mail Recipient Creation"</strong></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiXd_4kR1hTuSWyOC7nXrt8rq3CG2uEpRRjCk5y7LugjnSqmLQc3w0BfPn2w7cJfp5zqbTH5H5oyvI-X6AZP9_u2LCNphUCrrc_IDNFWvPWfI2CUXxoBl6A9T7AsmIfF3rGXScBYrA7jxk/s1600/newmanagementrole.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="96" data-original-width="731" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiXd_4kR1hTuSWyOC7nXrt8rq3CG2uEpRRjCk5y7LugjnSqmLQc3w0BfPn2w7cJfp5zqbTH5H5oyvI-X6AZP9_u2LCNphUCrrc_IDNFWvPWfI2CUXxoBl6A9T7AsmIfF3rGXScBYrA7jxk/s1600/newmanagementrole.png" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
Now the default "Mail Recipient Creation" Management Role has more cmdlets than we want the delegated users to have access to. To list all the cmdlets that this Management Role can run, execute the following command:<br />
<br />
<strong>Get-ManagementRoleEntry "Contact Management\*"</strong><br />
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj6deCW6KcDmR4T5Y_IVv2M__UxoXYHmIQCiKAXEYJRUO7_Stu8nhXJNzMrHtFJAjl3gOBYrOhC4JWdtzQ1FDDLhwTy5QfSDeYyjk2IuIeTZfSuSAH3IaDmQ2P7Pu3RYI-odA0JP4JPCMY/s1600/allmanagementroleentries.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="836" data-original-width="591" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj6deCW6KcDmR4T5Y_IVv2M__UxoXYHmIQCiKAXEYJRUO7_Stu8nhXJNzMrHtFJAjl3gOBYrOhC4JWdtzQ1FDDLhwTy5QfSDeYyjk2IuIeTZfSuSAH3IaDmQ2P7Pu3RYI-odA0JP4JPCMY/s1600/allmanagementroleentries.png" /></a></div>
<br />
We want to remove all cmdlets not related to our Contact Management. Most importantly we want to remove any cmdlet whose verb changes state (New-, Set-, Start-, Remove-, Disable-, Enable- or Write-), as these carry elevated access. With "Get-" cmdlets you can't make changes, you can only view data.<br />
<br />
To remove the unwanted cmdlets from the Contact Management Management Role the following cmdlet was used:<br />
<br />
<strong>Get-ManagementRoleEntry "Contact Management\*" | where {$_.name -eq "New-MailUser"} | Remove-ManagementRoleEntry</strong><br />
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhpvgAptrKHQ6B-U00RvpEZ4wsypZGDh7AfUGRkSqtBFEJESMXLR8gctcVRd0-FvQgjTLbeAf1OlPbrmCy8UbHXS335JfDrq7V2RLhcGUGN3jw7g9Vy4hFrbvaJv1jXJfXZg2F2cEeUFRw/s1600/removemanagementroleentry1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="305" data-original-width="1206" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhpvgAptrKHQ6B-U00RvpEZ4wsypZGDh7AfUGRkSqtBFEJESMXLR8gctcVRd0-FvQgjTLbeAf1OlPbrmCy8UbHXS335JfDrq7V2RLhcGUGN3jw7g9Vy4hFrbvaJv1jXJfXZg2F2cEeUFRw/s1600/removemanagementroleentry1.png" /></a></div>
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjX4qF0KIKQzHSmDXhib95J1x-WC8VnqJ2BgDmpgRZ7VLYsYCtB2ntzLte_TlT-jXs21Xo8QEulqJuUvzwtVpKlY5dXs0mU6BIT-PdTYAB58sddYOQUUl6X7cBwPoY3OKeMd_vAPvKFfwE/s1600/removemanagementroleentry2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="804" data-original-width="1206" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjX4qF0KIKQzHSmDXhib95J1x-WC8VnqJ2BgDmpgRZ7VLYsYCtB2ntzLte_TlT-jXs21Xo8QEulqJuUvzwtVpKlY5dXs0mU6BIT-PdTYAB58sddYOQUUl6X7cBwPoY3OKeMd_vAPvKFfwE/s1600/removemanagementroleentry2.png" /></a><br />
<br />
And a few Get- commands I wanted removed:<br />
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiIOC-FKzoWayETMUYLzrf0c_TC1BV6FkddzrtZ3QuQaGTsseehayAOpa8_24pBpFnQ01RSNBJo9TxlsLAcyUSud3sDpCZE_aC3ROd8FYzy3OTrguEZB6O983WraOXW3eNzqadjLWfYGks/s1600/removemanagementroleentry3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="86" data-original-width="1208" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiIOC-FKzoWayETMUYLzrf0c_TC1BV6FkddzrtZ3QuQaGTsseehayAOpa8_24pBpFnQ01RSNBJo9TxlsLAcyUSud3sDpCZE_aC3ROd8FYzy3OTrguEZB6O983WraOXW3eNzqadjLWfYGks/s1600/removemanagementroleentry3.png" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhrPIGavD10C5Zs15cAnVQ6NBLAoEW3JpnZbC5b9i2E-MHXk4I-lWvqrtWVvmEfCUekDNhvshCtd3y35Ulm0hG5vW9LeXWTHEd5_Rr3j40gq3RO5Z2itP9aQCTkPV7J4AWn1Uo_Steot7g/s1600/removemanagementroleentry4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="64" data-original-width="1212" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhrPIGavD10C5Zs15cAnVQ6NBLAoEW3JpnZbC5b9i2E-MHXk4I-lWvqrtWVvmEfCUekDNhvshCtd3y35Ulm0hG5vW9LeXWTHEd5_Rr3j40gq3RO5Z2itP9aQCTkPV7J4AWn1Uo_Steot7g/s1600/removemanagementroleentry4.png" /></a></div>
<br />
Listing the role entries again shows what the Contact Management role can now run:<br />
<br />
<strong>Get-ManagementRoleEntry "Contact Management\*"</strong><br />
<br />
The "Get-" cmdlets that remain cannot make any changes or expose any information that I would not want the delegated user to see, so I didn't clean these up, but you can if you want. Most importantly, the New-MailContact and Remove-MailContact cmdlets are still present.<br />
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi38OTpQm__V6pHeLNxH8RRXaFNHhtOf3-K25lrY8hpdqE_AcQfksq_YCbqXDSJadLKZtH_xRxpwc-JIMaRcmp7aY1FCNJugNE_RGukXbXF2VBnzqEr7dGIipHVQLx0H1IprqZK_m5-WzA/s1600/getmanagementroleentrycontactmanagement.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="452" data-original-width="912" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi38OTpQm__V6pHeLNxH8RRXaFNHhtOf3-K25lrY8hpdqE_AcQfksq_YCbqXDSJadLKZtH_xRxpwc-JIMaRcmp7aY1FCNJugNE_RGukXbXF2VBnzqEr7dGIipHVQLx0H1IprqZK_m5-WzA/s1600/getmanagementroleentrycontactmanagement.png" /></a></div>
<br />
<strong><u><span style="color: #073763; font-size: x-large;">Step 3: Who</span></u></strong><br />
<br />
The last step is the "delegation of control": which staff members will be able to run the cmdlets in the "Contact Management" Management Role.<br />
<br />
To determine the "Who" I created a new Role Group called "Contact Management Admins" defining the "Contact Management" Management Role and the "AvantLab Contacts" Management Scope. This was done with the following command:<br />
<br />
<strong>New-RoleGroup "Contact Management Admins" -Role "Contact Management" -CustomRecipientWriteScope "AvantLab Contacts"</strong><br />
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjiGpI98COLBR73WX6_PRHXHcsDR7SUZ_atoSF7dvxkbxYZlUD0vZoprGLxErsnmHxq6a3d2byVoiz9-nVMhr3-70fX1CM0aiJocL1M0229MX4TOvW_0kRt2eWCRtHGnNl3PE_-il4Szus/s1600/NewRoleGroupContactManagement.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="565" data-original-width="1180" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjiGpI98COLBR73WX6_PRHXHcsDR7SUZ_atoSF7dvxkbxYZlUD0vZoprGLxErsnmHxq6a3d2byVoiz9-nVMhr3-70fX1CM0aiJocL1M0229MX4TOvW_0kRt2eWCRtHGnNl3PE_-il4Szus/s1600/NewRoleGroupContactManagement.png" /></a></div>
<br />
This creates a new Group under Microsoft Exchange Security Groups in Active Directory for the new Role Group.<br />
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0EJGMb3BXdIyq09hJGKjy9uTyNgGnHIoTPfbuhHKgHZnIkjxTFdXu2I7Z4_z2qzJkRcSKX8GLWedU1mjxCtZZQgp0wGqge8IEgIEeHBH1w_HgcQF0_6Fymmh4SrvcvL3gBoGw38naS10/s1600/ContactManagementADUsersComputers.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="474" data-original-width="859" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0EJGMb3BXdIyq09hJGKjy9uTyNgGnHIoTPfbuhHKgHZnIkjxTFdXu2I7Z4_z2qzJkRcSKX8GLWedU1mjxCtZZQgp0wGqge8IEgIEeHBH1w_HgcQF0_6Fymmh4SrvcvL3gBoGw38naS10/s1600/ContactManagementADUsersComputers.PNG" /></a></div>
<br />
<br />
<strong><u><span style="color: #073763; font-size: x-large;">Testing the RBAC Security</span></u></strong><br />
<br />
I went and added a user called DelegationUser to the Contact Management Admins group.<br />
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggfNzmtyDmE7V_O-FwIeel3PU6HsiqtORQjqq2P8LPSp6OKY-Y-Vlh-ElUi7CM9uvGkkD2oZG5NStL4523OOIqSM7OQdHRjERgfcMdX-neKRhxubkjnyVpMRXtjqlxWaPkMEZVEB4AHPo/s1600/GroupMembership.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="473" data-original-width="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggfNzmtyDmE7V_O-FwIeel3PU6HsiqtORQjqq2P8LPSp6OKY-Y-Vlh-ElUi7CM9uvGkkD2oZG5NStL4523OOIqSM7OQdHRjERgfcMdX-neKRhxubkjnyVpMRXtjqlxWaPkMEZVEB4AHPo/s1600/GroupMembership.png" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Logging into the Exchange Control Panel (known as the Exchange Admin Centre (EAC) in later revisions of the product), the webpage only renders the areas of the EAC the user has access to. RBAC and being "cloud friendly" are the two primary reasons the old Exchange Management Console from Exchange 2007/2010 was retired.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh53_3IvyU8OUhA9XdQbmIILRb29RruigX3W-DjNf-gJyVE5adQwa7XM6WQx4iv-Rfud-McWa9QeZmgF-GRRSaiXXxU2uNMSgINbYUsNc6zpfTyVSubIOgj-K61LjkEAxX5lgFn1ymyunA/s1600/ecp1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="623" data-original-width="914" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh53_3IvyU8OUhA9XdQbmIILRb29RruigX3W-DjNf-gJyVE5adQwa7XM6WQx4iv-Rfud-McWa9QeZmgF-GRRSaiXXxU2uNMSgINbYUsNc6zpfTyVSubIOgj-K61LjkEAxX5lgFn1ymyunA/s1600/ecp1.png" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
The user can successfully run the New-MailContact command via the webpage and place a Contact object under the Contacts OU - the Step 1: Where? section.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhD6QQ2OJYw0zBCbS0QVnKuR_tUZJZCEQbpyzusYWQJWnWUFPaDCq_GgivQmHejrZBEV12TIuMrcWwUBVSHys8638B5LC1WDl7vQ5glPvtl5KMjD1IooSIT7zl4LsJwbH_5710ViwDex1w/s1600/ecp2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="652" data-original-width="516" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhD6QQ2OJYw0zBCbS0QVnKuR_tUZJZCEQbpyzusYWQJWnWUFPaDCq_GgivQmHejrZBEV12TIuMrcWwUBVSHys8638B5LC1WDl7vQ5glPvtl5KMjD1IooSIT7zl4LsJwbH_5710ViwDex1w/s1600/ecp2.png" /></a></div>
<br />
This is shown in the following screenshot:<br />
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj4_fxTvxuQAOQK_DmAoHcIMoK5Mm3Q8v-Mpu4Zy-KdV02i3x5ubpYjSeDHwAHv8ubKjgUSDhlY45vB6cjmZpNv7pvZVivyfZc32EtHdLJmTXon0qwn0nYLo_ZuqRCT5UaXPO89vO_be6I/s1600/ecp3.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="515" data-original-width="729" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj4_fxTvxuQAOQK_DmAoHcIMoK5Mm3Q8v-Mpu4Zy-KdV02i3x5ubpYjSeDHwAHv8ubKjgUSDhlY45vB6cjmZpNv7pvZVivyfZc32EtHdLJmTXon0qwn0nYLo_ZuqRCT5UaXPO89vO_be6I/s1600/ecp3.PNG" /></a></div>
<br />
However if I try and create a contact in the default Users container, I get the message:<br />
<br />
<strong>'avantlab.local/Users/DefaultUser Container' isn't within your current write scopes. Can't perform safe operation.</strong><br />
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgkPsH1fxon9CcpnIsEM6EMPHWsX8ZtH7pZDbnDKVZPt7TqSDp-KaqpZ8oemgwUvpGM7GbBjBeaw4caZUQ85CgoT_qIeid2umblpnYnPcyIPG3lcxBjGZNieuBQtpdmFmH0WMQagRBmy7U/s1600/ecp4.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="656" data-original-width="516" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgkPsH1fxon9CcpnIsEM6EMPHWsX8ZtH7pZDbnDKVZPt7TqSDp-KaqpZ8oemgwUvpGM7GbBjBeaw4caZUQ85CgoT_qIeid2umblpnYnPcyIPG3lcxBjGZNieuBQtpdmFmH0WMQagRBmy7U/s1600/ecp4.PNG" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
This is because of Step 1 "Where": the management scope is restricted to the Contacts OU only. Management Scopes are of course ridiculously granular, and you can go far beyond a restriction as basic as an OU.</div>
<br />
<br />
<strong><u><span style="color: #073763; font-size: x-large;">What about the Glue?</span></u></strong><br />
<br />
Stop sniffing the glue, Clint. I thought there was glue in between holding these objects together, as shown in the diagram below.<br />
<br />
When I created the Role Group I also specified the Management Role and Management Scope. This automatically created a ManagementRoleAssignment called "Contact Management-Contact Management Admins" as shown in the screenshot below.<br />
<br />
Creating ManagementRoleAssignments manually is useful, especially when you want to create associations between objects that already exist on the system.<br />
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjsRsvNuPfCpooslNX4uoXeRhY8bb7Fk10y7g3-VzGbED2naH-MCSJfYQMCgayxuuaByw_feB8q6XSJeA5unR1FSQvE-4LOv5cSX3dqw65Rur8WorItNwQcENU7A-j-TD82DTNyY8t4W5U/s1600/theglue.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="113" data-original-width="1163" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjsRsvNuPfCpooslNX4uoXeRhY8bb7Fk10y7g3-VzGbED2naH-MCSJfYQMCgayxuuaByw_feB8q6XSJeA5unR1FSQvE-4LOv5cSX3dqw65Rur8WorItNwQcENU7A-j-TD82DTNyY8t4W5U/s1600/theglue.PNG" /></a></div>
<br />
If we look more closely at the Management Role Assignment (i.e. the glue), we can see that all three components created above are "glued" together:<br />
<ul style="text-align: left;">
<li>The Management Scope... Step 1: Where (CustomRecipientWriteScope: AvantLab Contacts)</li>
<li>The Management Role... Step 2: What (Role: Contact Management)</li>
<li>The Role Group... Step 3: Who (RoleAssigneeName: Contact Management Admins)</li>
</ul>
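As an added example (these are not the commands from the post), here is the manual glue step in the Exchange Management Shell, assuming the scope, role and role group from the three steps already exist, followed by two checks I would always run afterwards: who effectively gets the permission, and whether the scope really is pinned to an OU. Object names are the ones used in this post.

```powershell
# Added example: glue an existing role, role group and scope together by hand
# and then audit the result. Names match this post; nothing here is created
# other than the assignment itself.
$RoleName  = 'Contact Management'          # Step 2: What
$GroupName = 'Contact Management Admins'   # Step 3: Who
$ScopeName = 'AvantLab Contacts'           # Step 1: Where

# This is what New-RoleGroup did for us automatically earlier. The custom write
# scope limits where the assignee may *write*; reads still follow the role's
# implicit read scope.
New-ManagementRoleAssignment -Name "$RoleName-$GroupName" `
    -Role $RoleName `
    -SecurityGroup $GroupName `
    -CustomRecipientWriteScope $ScopeName

# Check 1: every assignment for this role group should carry the custom write
# scope. Anything showing RecipientWriteScope = Organization is wider than intended.
Get-ManagementRoleAssignment -RoleAssignee $GroupName |
    Format-Table Name, Role, RecipientWriteScope, CustomRecipientWriteScope -AutoSize

# Check 2: expand group membership so you see the actual users who inherit the
# role, not just the group name.
Get-ManagementRoleAssignment -RoleAssignee $GroupName -GetEffectiveUsers |
    Select-Object EffectiveUserName, Role, CustomRecipientWriteScope

# Check 3: confirm the scope is rooted at an OU rather than an unrestricted filter.
$scope = Get-ManagementScope $ScopeName
if (-not $scope.RecipientRoot) {
    Write-Warning "Scope '$ScopeName' has no RecipientRoot; its write scope is wider than a single OU."
} else {
    "Scope '$ScopeName' is rooted at $($scope.RecipientRoot) with filter: $($scope.RecipientFilter)"
}
```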
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjVHZNFt5L_faYVnnAe5PiLhEZe4vOacNAc6cR8K-8y6007-ncSm0WQmK0nj3BJd0LZscGOPE9r__v8iIhL_M4jgsTJDkpYkB2x2nRmP8_kG6Ke8VT2GcnpRYjDfMBdUAiWVs1Vz0jx3T4/s1600/managementroleassignment.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="622" data-original-width="1098" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjVHZNFt5L_faYVnnAe5PiLhEZe4vOacNAc6cR8K-8y6007-ncSm0WQmK0nj3BJd0LZscGOPE9r__v8iIhL_M4jgsTJDkpYkB2x2nRmP8_kG6Ke8VT2GcnpRYjDfMBdUAiWVs1Vz0jx3T4/s1600/managementroleassignment.PNG" /></a></div>
<br />
Hopefully this step by step guide to using Role Based Access Control was useful and can be put to use within your environment!</div>
<div class="blogger-post-footer"><p>
Feel free to email me clint@kbomb.com.au if you have any questions about this post.
</p></div>Clint Boessenhttp://www.blogger.com/profile/11156487394562821934noreply@blogger.com0tag:blogger.com,1999:blog-3920347219421157797.post-52027490652867255412019-06-16T05:27:00.002-07:002019-06-16T05:27:38.348-07:00Unable to remove RDS Session Host<div dir="ltr" style="text-align: left;" trbidi="on">
A customer had a failed RDS Session Host which needed to be removed from a cluster. We were not able to log in to the failed host as it was blue screening, so it needed to be forcefully removed.<br />
<br />
Even using PowerShell with the -force switch, we were unable to remove the server and got the following error:<br />
<br />
<b><span style="color: red;">"Unable to cleanup the RD Session Host server"</span></b><br />
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh253qOoWzZVurLAyLpLyFUmx0731bOSIqVseq3drX0XrwxvzIPhML_GWnthfynGmh0QAvaFaLRgJ_juCTaeggRJufj4RG4_i-ro94LEAEbVZ8h-IgiojGF8qqU8ZPopbrFjy0KtdmdqZQ/s1600/rdssql0.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="153" data-original-width="860" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh253qOoWzZVurLAyLpLyFUmx0731bOSIqVseq3drX0XrwxvzIPhML_GWnthfynGmh0QAvaFaLRgJ_juCTaeggRJufj4RG4_i-ro94LEAEbVZ8h-IgiojGF8qqU8ZPopbrFjy0KtdmdqZQ/s1600/rdssql0.png" /></a></div>
<br />
To remove the server we needed to install SQL Management Studio and connect to the RD Broker Windows Internal Database (WID), which is a lightweight install of MS SQL.<br />
<br />
SQL Management Studio was downloaded and installed from the following link:<br />
<br />
<br />
<a href="https://go.microsoft.com/fwlink/?linkid=2094583">https://go.microsoft.com/fwlink/?linkid=2094583</a><br />
<br />
Make sure you run SQL Management Studio as "Administrator" and you should be able to connect to the following instance as a Domain Admin:<br />
<br />
<b>\\.\pipe\MICROSOFT##WID\tsql\query</b><br />
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjZ8pXld_u6IiXAxFErEIvsBjpXb9kTYcPY1cQ47XGKfUlKrIZWOE_q_pbTZw_26zI6BEPM8EfshzXDxee4qvfxbXypS5exzyLD-zqmupsMKSIFpL_EIEYMdtqtAdw10-sfZPnPUWjkxxE/s1600/rdssql1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="527" data-original-width="813" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjZ8pXld_u6IiXAxFErEIvsBjpXb9kTYcPY1cQ47XGKfUlKrIZWOE_q_pbTZw_26zI6BEPM8EfshzXDxee4qvfxbXypS5exzyLD-zqmupsMKSIFpL_EIEYMdtqtAdw10-sfZPnPUWjkxxE/s1600/rdssql1.png" /></a></div>
<br />
The server needs to be removed from two tables:<br />
<ul style="text-align: left;">
<li>rds.Server</li>
<li>rds.RoleRdsh</li>
</ul>
<div>
Make a note of the ID number of the server you want to remove; mine is ID 4, as shown in the screenshots below.</div>
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiDfK5yUR-KLJTU2sakr5B8LhTtKHHvsRFVCm99yBVTyaNfxPPuJIUmVY6pdcHgGw0SHp9qRxU1ThS5ldMIa5lpSh-O3R-ENurPufTcNNQDLa0bNqOWM4Sj262fGwShGAs1-7M3n225hMA/s1600/rdssql2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="723" data-original-width="801" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiDfK5yUR-KLJTU2sakr5B8LhTtKHHvsRFVCm99yBVTyaNfxPPuJIUmVY6pdcHgGw0SHp9qRxU1ThS5ldMIa5lpSh-O3R-ENurPufTcNNQDLa0bNqOWM4Sj262fGwShGAs1-7M3n225hMA/s1600/rdssql2.png" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQ4bp6-MTNX_DMRm4kRX9aRKJhdx6itruabeYf5oJsCDPfukcNpuVgbfFWbjlH30JgnPlATnZKeImJfVYZjCO4sFb428hrUddGPHSWWCidXPMvcpCKlzdcWqPCIW1eWin1t_aAWnEHueo/s1600/rdssql3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="681" data-original-width="859" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQ4bp6-MTNX_DMRm4kRX9aRKJhdx6itruabeYf5oJsCDPfukcNpuVgbfFWbjlH30JgnPlATnZKeImJfVYZjCO4sFb428hrUddGPHSWWCidXPMvcpCKlzdcWqPCIW1eWin1t_aAWnEHueo/s1600/rdssql3.png" /></a></div>
<br />
Next I used the following command to remove the failed server from the RD Broker database:<br />
<br />
<br />
<div style="line-height: normal; margin-bottom: .0001pt; margin-bottom: 0cm; mso-layout-grid-align: none; text-autospace: none;">
<span style="color: blue; font-family: "consolas"; font-size: 9.5pt;">use</span><span style="color: black; font-family: "consolas"; font-size: 9.5pt;"> RDCms</span><span style="color: grey; font-family: "consolas"; font-size: 9.5pt;">;</span><span style="color: black; font-family: "consolas"; font-size: 9.5pt;"></span></div>
<span style="color: blue; font-family: "consolas"; font-size: 9.5pt;">delete</span><span style="color: black; font-family: "consolas"; font-size: 9.5pt;"> </span><span style="color: blue; font-family: "consolas"; font-size: 9.5pt;">from</span><span style="color: black; font-family: "consolas"; font-size: 9.5pt;"> rds</span><span style="color: grey; font-family: "consolas"; font-size: 9.5pt;">.</span><span style="color: black; font-family: "consolas"; font-size: 9.5pt;">RoleRdsh </span><span style="color: blue; font-family: "consolas"; font-size: 9.5pt;">where</span><span style="color: black; font-family: "consolas"; font-size: 9.5pt;"> ServerID </span><span style="color: grey; font-family: "consolas"; font-size: 9.5pt;">=</span><span style="color: black; font-family: "consolas"; font-size: 9.5pt;"> </span><span style="color: red; font-family: "consolas"; font-size: 9.5pt;">'4'</span><span style="color: grey; font-family: "consolas"; font-size: 9.5pt;">;</span><span style="color: black; font-family: "consolas"; font-size: 9.5pt;"></span><br />
<span style="color: blue; font-family: "consolas"; font-size: 9.5pt;">use</span><span style="color: black; font-family: "consolas"; font-size: 9.5pt;"> RDCms</span><span style="color: grey; font-family: "consolas"; font-size: 9.5pt;">;</span><span style="color: black; font-family: "consolas"; font-size: 9.5pt;"></span><br />
<span style="color: blue; font-family: "consolas"; font-size: 9.5pt; line-height: 107%;">delete</span><span style="color: black; font-family: "consolas"; font-size: 9.5pt; line-height: 107%;"> </span><span style="color: blue; font-family: "consolas"; font-size: 9.5pt; line-height: 107%;">from</span><span style="color: black; font-family: "consolas"; font-size: 9.5pt; line-height: 107%;"> rds</span><span style="color: grey; font-family: "consolas"; font-size: 9.5pt; line-height: 107%;">.</span><span style="color: blue; font-family: "consolas"; font-size: 9.5pt; line-height: 107%;">Server</span><span style="color: black; font-family: "consolas"; font-size: 9.5pt; line-height: 107%;"> </span><span style="color: blue; font-family: "consolas"; font-size: 9.5pt; line-height: 107%;">where</span><span style="color: black; font-family: "consolas"; font-size: 9.5pt; line-height: 107%;"> Id </span><span style="color: grey; font-family: "consolas"; font-size: 9.5pt; line-height: 107%;">=</span><span style="color: black; font-family: "consolas"; font-size: 9.5pt; line-height: 107%;"> </span><span style="color: red; font-family: "consolas"; font-size: 9.5pt; line-height: 107%;">'4'</span><span style="color: grey; font-family: "consolas"; font-size: 9.5pt; line-height: 107%;">;</span><br />
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgSfzEmCkraFwCaDR7HkxXCyLoMJl50e1DvxNPXVDFQnFBwFQ_8IOHwPLcNOBKvNtHhe0toVSwFVfStb22PjrznNWfeoZ_9Pv7_I8KEyK-XTaCKbOZRCEMRdw4UklX88gGtEN-BtYpOyxQ/s1600/rdssql5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="525" data-original-width="743" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgSfzEmCkraFwCaDR7HkxXCyLoMJl50e1DvxNPXVDFQnFBwFQ_8IOHwPLcNOBKvNtHhe0toVSwFVfStb22PjrznNWfeoZ_9Pv7_I8KEyK-XTaCKbOZRCEMRdw4UklX88gGtEN-BtYpOyxQ/s1600/rdssql5.png" /></a></div>
<br />
I strongly recommend a full backup of the SQL database be taken before making any changes.<br />
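If you would rather not hand-type deletes in SSMS, here is an added example (not the SQL from the post) that does the same job from PowerShell on the broker: it takes the backup first, shows the row for the ID you noted, and runs both deletes in one transaction so a failure on either leaves the database untouched. The SqlClient named-pipe connection string and the backup path are assumptions.

```powershell
# Added example: remove a dead session host from the RD Broker's WID database.
# Run elevated on the RD Connection Broker as a Domain Admin.
function Remove-RdsServerFromBroker {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][int]$ServerId,
        [string]$BackupPath = 'C:\Backup\RDCms.bak'   # assumption: any local path on the broker
    )
    # Same pipe as the SSMS instance name in the post; SqlClient addresses it with "np:".
    $connString = 'Server=np:\\.\pipe\MICROSOFT##WID\tsql\query;Database=RDCms;Integrated Security=True'
    $conn = New-Object System.Data.SqlClient.SqlConnection $connString
    $conn.Open()
    try {
        # 1. Full backup before touching anything.
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = 'BACKUP DATABASE RDCms TO DISK = @p WITH INIT'
        $null = $cmd.Parameters.AddWithValue('@p', $BackupPath)
        $null = $cmd.ExecuteNonQuery()

        # 2. Show the rds.Server row so the ID can be double-checked against the screenshots.
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = 'SELECT * FROM rds.Server WHERE Id = @id'
        $null = $cmd.Parameters.AddWithValue('@id', $ServerId)
        $reader = $cmd.ExecuteReader()
        $found = $reader.HasRows
        while ($reader.Read()) {
            for ($i = 0; $i -lt $reader.FieldCount; $i++) {
                Write-Host ('{0,-20} {1}' -f $reader.GetName($i), $reader.GetValue($i))
            }
        }
        $reader.Close()
        if (-not $found) { throw "No row with Id $ServerId in rds.Server" }

        # 3. Delete from both tables atomically. RoleRdsh goes first (it references Server);
        #    parameters keep the ID from being pasted into the SQL text.
        if ($PSCmdlet.ShouldProcess("rds.RoleRdsh / rds.Server, Id $ServerId", 'DELETE')) {
            $tx = $conn.BeginTransaction()
            try {
                foreach ($sql in @('DELETE FROM rds.RoleRdsh WHERE ServerID = @id',
                                   'DELETE FROM rds.Server WHERE Id = @id')) {
                    $cmd = $conn.CreateCommand()
                    $cmd.Transaction = $tx
                    $cmd.CommandText = $sql
                    $null = $cmd.Parameters.AddWithValue('@id', $ServerId)
                    $rows = $cmd.ExecuteNonQuery()
                    Write-Verbose "$sql -> $rows row(s)"
                }
                $tx.Commit()
            } catch {
                $tx.Rollback()
                throw
            }
        }
    } finally {
        $conn.Close()
    }
}

# Usage (prompts for confirmation because ConfirmImpact is High):
# Remove-RdsServerFromBroker -ServerId 4 -Verbose
```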
<br />
Hope this post was helpful.</div>
<div class="blogger-post-footer"><p>
Feel free to email me clint@kbomb.com.au if you have any questions about this post.
</p></div>Clint Boessenhttp://www.blogger.com/profile/11156487394562821934noreply@blogger.com0tag:blogger.com,1999:blog-3920347219421157797.post-76095699160377951882019-05-21T20:34:00.002-07:002019-05-21T20:34:32.715-07:00Azure AD Seamless SSO - Prompts on Connecting to aadg.windows.net.nsatc.net<div dir="ltr" style="text-align: left;" trbidi="on">
At a customer site when attempting to access the <a href="https://myapps.microsoft.com/companydomain.com">https://myapps.microsoft.com/companydomain.com</a> portal to test Single Sign-on with Azure AD, we were constantly being prompted "Connecting to aadg.windows.net.nsatc.net".<br />
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgfo3tgCWORPdhtQcmG8n0n0Rbt_icuxTPdhBnadpt6ryB4USdZhve6QlEz-X2hrLapTiWZ5HjWP3jC1GSgsURsBYTIJxHtcY6kNLBN6NSaQZYrMYtd-mw9pkSlc4Q3Dm5ADdvQVu3ceGg/s1600/authenticationprompt.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="442" data-original-width="545" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgfo3tgCWORPdhtQcmG8n0n0Rbt_icuxTPdhBnadpt6ryB4USdZhve6QlEz-X2hrLapTiWZ5HjWP3jC1GSgsURsBYTIJxHtcY6kNLBN6NSaQZYrMYtd-mw9pkSlc4Q3Dm5ADdvQVu3ceGg/s1600/authenticationprompt.png" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
</div>
<div class="separator" style="clear: both; text-align: left;">
We had gone through significant troubleshooting of the issue but could not find a resolution online. This included, but was not limited to:</div>
<ul style="text-align: left;">
<li><div class="separator" style="clear: both; text-align: left;">
Confirmed that we have received the Kerberos ticket from the AZUREADSSOACC with “klist get AZUREADSSOACC”</div>
</li>
<li>Added https://autologon.microsoftazuread-sso.com and https://aadg.windows.net.nsatc.net to the Trusted Sites</li>
<li>Confirmed the servicePrincipalNames on the AZUREADSSOACC are correct</li>
<li>Validated the Single sign-on is enabled on the Azure AD Portal and in the Azure AD Connect tool</li>
</ul>
<div>
Troubleshooting sites we went through included:<br />
<br />
<div class="MsoNormal" style="margin: 0in 0in 0pt;">
<span lang="EN-AU" style="color: #1f497d; mso-ansi-language: EN-AU;"><a href="http://tiftomorrow.blogspot.com/2017/10/azure-ad-sso-troubleshooting.html"><span style="color: #0563c1; font-family: "calibri";">http://tiftomorrow.blogspot.com/2017/10/azure-ad-sso-troubleshooting.html</span></a><o:p></o:p></span></div>
<span lang="EN-AU" style="color: #1f497d; mso-ansi-language: EN-AU;"><a href="https://docs.microsoft.com/en-us/azure/active-directory/hybrid/tshoot-connect-sso"><span style="color: #0563c1; font-family: "calibri";">https://docs.microsoft.com/en-us/azure/active-directory/hybrid/tshoot-connect-sso</span></a><o:p></o:p></span><br />
<br />
After we spoke with Microsoft, they mentioned that "https://autologon.microsoftazuread-sso.com" must also be in the "Local Intranet" zone.</div>
<div>
</div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_d-Wt3DnxoVYN-ZgUmU6Gbt-kVMAPROJ7bGUocxznylsq7vTHOS0805xD0GSvro6KwcvfY5mgdncFfi2As4raqIwEIKgPgfmWYK_4_qpPbBPv3Il0NQrKil9ZB2qAIMj21k3KG0cY4Dg/s1600/localintranetsite.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="590" data-original-width="632" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_d-Wt3DnxoVYN-ZgUmU6Gbt-kVMAPROJ7bGUocxznylsq7vTHOS0805xD0GSvro6KwcvfY5mgdncFfi2As4raqIwEIKgPgfmWYK_4_qpPbBPv3Il0NQrKil9ZB2qAIMj21k3KG0cY4Dg/s1600/localintranetsite.png" /></a></div>
<div>
</div>
<div class="separator" style="clear: both; text-align: left;">
This is due to the default security setting "Automatic logon only in Intranet zone". If this were set to "Automatic logon with current user name and password" it would also have fixed the issue, but it is less secure, because the browser would then send the logged-on user's credentials silently to every site in that zone rather than only to Local Intranet sites.</div>
<div class="separator" style="clear: both; text-align: left;">
</div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhPSnFE0LFE2g7WIacotkE_ttu5ywth7RLOUB6EhWzklugU64tyvKcWO63if3wqDUgUl0mbXquMc0XpBTjMTXAw2T-TvAWSNSp04Yfi67cQlq80uw2cMy1mBIbk6FFT1HDpk6RU7eV-X9U/s1600/autologinsetting.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="534" data-original-width="437" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhPSnFE0LFE2g7WIacotkE_ttu5ywth7RLOUB6EhWzklugU64tyvKcWO63if3wqDUgUl0mbXquMc0XpBTjMTXAw2T-TvAWSNSp04Yfi67cQlq80uw2cMy1mBIbk6FFT1HDpk6RU7eV-X9U/s1600/autologinsetting.png" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
</div>
<div class="separator" style="clear: both; text-align: left;">
After making this change Single Sign-On works.</div>
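For the next workstation that prompts, here is an added example (not from the post) that checks the three client-side conditions covered above in one go: the AZUREADSSOACC Kerberos ticket, the zone assignment for autologon.microsoftazuread-sso.com, and the logon setting on the Local Intranet and Trusted Sites zones. The registry locations are the standard Internet Explorer zone settings; treating a missing 1A00 value as the default is an assumption.

```powershell
# Added example: verify Seamless SSO prerequisites on a domain-joined client.
function Test-SeamlessSsoClient {
    $problems = @()

    # 1. Same check as "klist get AZUREADSSOACC" above. Assumes the SPN appears in
    #    klist's output only when a ticket was actually obtained.
    $klist     = (& klist.exe get AZUREADSSOACC 2>&1) -join "`n"
    $hasTicket = $klist -match 'AZUREADSSOACC'
    if (-not $hasTicket) { $problems += 'No Kerberos ticket for AZUREADSSOACC could be obtained.' }

    # 2. https://autologon.microsoftazuread-sso.com must be in the Local Intranet zone (zone 1).
    $base       = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'
    $inIntranet = $false
    # Per-user assignment: ZoneMap\Domains\<domain>\<host>, DWORD "https" = zone number.
    $user = Get-ItemProperty "HKCU:\$base\ZoneMap\Domains\microsoftazuread-sso.com\autologon" -ErrorAction SilentlyContinue
    if ($user -and $user.https -eq 1) { $inIntranet = $true }
    # Group Policy "Site to Zone Assignment List": Policies\...\ZoneMapKey, value <url> = "1".
    foreach ($hive in 'HKLM', 'HKCU') {
        $gpo = Get-ItemProperty "${hive}:\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey" -ErrorAction SilentlyContinue
        foreach ($n in 'https://autologon.microsoftazuread-sso.com', 'autologon.microsoftazuread-sso.com') {
            if ($gpo -and "$($gpo.$n)" -eq '1') { $inIntranet = $true }
        }
    }
    if (-not $inIntranet) { $problems += 'https://autologon.microsoftazuread-sso.com is not in the Local Intranet zone.' }

    # 3. Logon setting (value 1A00) for zone 1 (Local intranet) and zone 2 (Trusted sites).
    #    0x10000 = "Automatic logon only in Intranet zone" (the default this post relies on)
    #    0       = "Automatic logon with current user name and password"
    #    Setting zone 2 to 0 would also have stopped the prompt, since the URL was in
    #    Trusted Sites, but then every trusted site gets the user's credentials silently.
    $logon = @{}
    foreach ($z in 1, 2) {
        $v = (Get-ItemProperty "HKCU:\$base\Zones\$z" -ErrorAction SilentlyContinue).'1A00'
        $logon[$z] = if ($null -ne $v) { $v } else { 0x10000 }   # assumption: absent = default
    }
    if ($logon[1] -ne 0 -and $logon[1] -ne 0x10000) {
        $problems += ('Zone 1 logon setting 0x{0:X} will prompt instead of sending the Kerberos ticket.' -f $logon[1])
    }
    if ($logon[2] -eq 0) {
        $problems += 'Trusted Sites is set to automatic logon with current credentials; move the URL to Local Intranet and restore the default instead.'
    }

    [pscustomobject]@{
        KerberosTicket    = $hasTicket
        IntranetZone      = $inIntranet
        IntranetLogon     = ('0x{0:X}' -f $logon[1])
        TrustedSitesLogon = ('0x{0:X}' -f $logon[2])
        Problems          = $problems
    }
}

Test-SeamlessSsoClient
```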
</div>
<div class="blogger-post-footer"><p>
Feel free to email me clint@kbomb.com.au if you have any questions about this post.
</p></div>Clint Boessenhttp://www.blogger.com/profile/11156487394562821934noreply@blogger.com0tag:blogger.com,1999:blog-3920347219421157797.post-71341575804318633422019-05-15T23:54:00.000-07:002019-05-15T23:54:00.975-07:00Office 365 Tab not working in Exchange Admin Center<div dir="ltr" style="text-align: left;" trbidi="on">
After running the Hybrid Configuration Wizard, the Office 365 tab doesn't work by default, which catches out many people. The tab is found at the top of the Exchange Admin Centre where it says "Enterprise" and "Office 365".<br />
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLn-hb9UC4NPAe-2O2JHIKFvsNgBC6sf7zF1_nMAQc9buI7t2b1_6QINXpPdTrm0OmX3rMXKCgUgzra8V5Tiu2VC8BDrLZpeh3Zyo7YyVWOSltKj24rpinLLV5D3aG571owEUwOmcRvqc/s1600/screenshot2-o365tab.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="227" data-original-width="736" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgLn-hb9UC4NPAe-2O2JHIKFvsNgBC6sf7zF1_nMAQc9buI7t2b1_6QINXpPdTrm0OmX3rMXKCgUgzra8V5Tiu2VC8BDrLZpeh3Zyo7YyVWOSltKj24rpinLLV5D3aG571owEUwOmcRvqc/s1600/screenshot2-o365tab.PNG" /></a></div>
<br />
When you click Office 365 it redirects to the "Get the most from Office with Office 365" web page, asking you to purchase the product.<br />
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjoPqyIRXuBS6WPHO_MmTTCDbDVd6s3Xj1FXq0J_39sTQ1JefjFe7SQ5OgyyYF_eG5N1t79ZdOU4GlOXrfp6qk-SRW9QGXVZyrfwprWIoiRMtrqEWqEbAKEznMRJWGE0T_CpPDMdlp5BU8/s1600/screenshot1-o365tab.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="499" data-original-width="1076" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjoPqyIRXuBS6WPHO_MmTTCDbDVd6s3Xj1FXq0J_39sTQ1JefjFe7SQ5OgyyYF_eG5N1t79ZdOU4GlOXrfp6qk-SRW9QGXVZyrfwprWIoiRMtrqEWqEbAKEznMRJWGE0T_CpPDMdlp5BU8/s1600/screenshot1-o365tab.PNG" /></a></div>
<br />
After running the Hybrid Configuration Wizard, you must schedule an outage and perform an iisreset on your Exchange 2016 CAS servers. After the iisreset you will find that the Office 365 tab works as expected.</div>
<div class="blogger-post-footer"><p>
Feel free to email me clint@kbomb.com.au if you have any questions about this post.
</p></div>Clint Boessenhttp://www.blogger.com/profile/11156487394562821934noreply@blogger.com0tag:blogger.com,1999:blog-3920347219421157797.post-9248980361885136672019-05-08T23:15:00.001-07:002019-05-08T23:15:11.926-07:00Exchange 2010 and Exchange 2016 co-existance Free/Busy Issues<div dir="ltr" style="text-align: left;" trbidi="on">
I have a lab environment containing Office 365, Exchange 2016 and Exchange 2010. Free/busy is not working from O365 --> 2010 or from Exchange 2016 --> 2010.<br />
<br />
The Autodiscover record points all EWS requests to Exchange 2016 Web Services Virtual Directory for the Availability Service.<br />
<br />
The Availability Service on the Exchange 2016 server is failing to look up requests for Exchange 2010 mailboxes.<br />
<br />
It is also important to note that the 2016 server is the one set up in Hybrid with O365, so it is responsible for looking up all on-premises Availability requests.<br />
<br />
After doing some research into the issue, I identified that the InternalNLBBypassUrl on the Exchange 2010 server must point, and resolve, directly to the Exchange 2010 server. It must not be set to $null or point to the Availability Service on Exchange 2016 (in my lab, mail.avantlab.com.au).<br />
<br />
Exchange 2016 Web Services Virtual Directory:<br />
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjadBnJhJbfpjyu1LXwXTGfLs8P7wCfVrw8hjuFA6J8VvTU5iVVpVEeU9WeiC3vrKh154Bn0weYincsBfsqegzC_9qxztpyfOZIPzpmjrRShvz7y6THdsW71xcWIU3j4DtaxhQu6mFIodA/s1600/webservicesvd-2016.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="547" data-original-width="917" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjadBnJhJbfpjyu1LXwXTGfLs8P7wCfVrw8hjuFA6J8VvTU5iVVpVEeU9WeiC3vrKh154Bn0weYincsBfsqegzC_9qxztpyfOZIPzpmjrRShvz7y6THdsW71xcWIU3j4DtaxhQu6mFIodA/s1600/webservicesvd-2016.png" /></a></div>
<br />
Exchange 2010 Virtual Directory:<br />
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgwXB_dsCEYn7qv51TbDrRHHXItkIblVjTGUZpSLHU7cCZGgycoBK-B9pUdGY4v4Iw2ffuRWxY0DkbXfjl41kya9HjiYGHFaTu52-m_hjoeqhPKtM3O_abHY1kiHVGzO21F7VL7FM-3vvw/s1600/webservicesvd-2010.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="489" data-original-width="925" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgwXB_dsCEYn7qv51TbDrRHHXItkIblVjTGUZpSLHU7cCZGgycoBK-B9pUdGY4v4Iw2ffuRWxY0DkbXfjl41kya9HjiYGHFaTu52-m_hjoeqhPKtM3O_abHY1kiHVGzO21F7VL7FM-3vvw/s1600/webservicesvd-2010.png" /></a></div>
<br />
As soon as I set the InternalNLBBypassUrl to point directly at the Exchange 2010 server, the issue was resolved.<br />
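Because the requirement is that the URL both points at and resolves to the 2010 box, here is an added example (not a command from the post) for the Exchange 2010 Management Shell that checks exactly that before you change anything: it reads the EWS virtual directory, resolves the host in InternalNLBBypassUrl, and compares it with the server's own addresses. The server name EX2010 and FQDN ex2010.avantlab.com.au are assumptions for this lab.

```powershell
# Added example: is the 2010 EWS bypass URL really pointing at the 2010 server?
function Test-EwsNlbBypassUrl {
    param(
        [Parameter(Mandatory)][string]$Server,       # assumption: 'EX2010'
        [Parameter(Mandatory)][string]$ServerFqdn    # assumption: 'ex2010.avantlab.com.au'
    )
    $vdir = Get-WebServicesVirtualDirectory -Server $Server
    if (-not $vdir.InternalNLBBypassUrl) {
        Write-Warning "$Server : InternalNLBBypassUrl is null, so 2016/O365 Availability lookups for 2010 mailboxes will fail."
        return $false
    }
    $bypassHost = ([uri]$vdir.InternalNLBBypassUrl).Host
    # Compare what the bypass host resolves to against the server's own addresses.
    # Dns.GetHostAddresses also works on 2008 R2, where Resolve-DnsName does not exist.
    $serverIps = [System.Net.Dns]::GetHostAddresses($ServerFqdn) | ForEach-Object { $_.IPAddressToString }
    $bypassIps = [System.Net.Dns]::GetHostAddresses($bypassHost) | ForEach-Object { $_.IPAddressToString }
    $stray = @($bypassIps | Where-Object { $serverIps -notcontains $_ })
    if ($stray.Count -gt 0) {
        Write-Warning "$Server : $bypassHost resolves to $($stray -join ', '), which is not $Server (e.g. it is the 2016 load-balanced name)."
        return $false
    }
    return $true
}

# Usage on the 2010 server: check, and if needed point the bypass URL straight at itself.
if (-not (Test-EwsNlbBypassUrl -Server 'EX2010' -ServerFqdn 'ex2010.avantlab.com.au')) {
    Get-WebServicesVirtualDirectory -Server 'EX2010' |
        Set-WebServicesVirtualDirectory -InternalNLBBypassUrl 'https://ex2010.avantlab.com.au/EWS/Exchange.asmx'
}
```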
<br />
See my lab all working:<br />
<br />
<ul>
<li>Arya is in Office 365</li>
<li>Jon is on Exchange 2010</li>
<li>Bran is on Exchange 2016</li>
</ul>
And yes, they are all Game of Thrones characters :)<br />
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6OsE1nrz5fFj7ycwX5sRDK7U5Jg4hWTPUiL6h5DICYdcJ1jJNyZ-wSkjc7MX3E32yVkVE5infPIEKpYZtBsPLs56WI6-xRRtzM68yLxEUCCIz89JHXhedwOCC1qElcYBEHCbKynuH1bI/s1600/freebusyworking.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="247" data-original-width="1060" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg6OsE1nrz5fFj7ycwX5sRDK7U5Jg4hWTPUiL6h5DICYdcJ1jJNyZ-wSkjc7MX3E32yVkVE5infPIEKpYZtBsPLs56WI6-xRRtzM68yLxEUCCIz89JHXhedwOCC1qElcYBEHCbKynuH1bI/s1600/freebusyworking.PNG" /></a></div>
<br />
I blogged this one as I could not find much information online regarding it!</div>
<div class="blogger-post-footer"><p>
Feel free to email me clint@kbomb.com.au if you have any questions about this post.
</p></div>Clint Boessenhttp://www.blogger.com/profile/11156487394562821934noreply@blogger.com0tag:blogger.com,1999:blog-3920347219421157797.post-45699827051476700742019-04-28T06:08:00.000-07:002019-04-28T06:10:59.269-07:00Cisco Router messed up SMTP TLS with Office 365<div dir="ltr" style="text-align: left;" trbidi="on">
Mail routing from Office 365 to an on-premises Exchange Server was working successfully.<br />
<br />
Mail flow from the on-premises Exchange Server to Office 365 was failing.<br />
<br />
Email in the queue was generating:<br />
<br />
LastError : 451 5.7.3 STARTTLS is required to send mail<br />
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi12RWtlmx-Hy8m0vlKkPuQCHyDPjdrUkhDOiEzRbEzfJxMJ2pXxKifei8ukdnpumdGJqPRq7xkdpTvS1SMIVYIsB3orMnKdLs5M2AVk6gfJivFBMc08klmlQ9DjajsW119VBSglJYcGAI/s1600/lasterror.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="111" data-original-width="472" height="150" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi12RWtlmx-Hy8m0vlKkPuQCHyDPjdrUkhDOiEzRbEzfJxMJ2pXxKifei8ukdnpumdGJqPRq7xkdpTvS1SMIVYIsB3orMnKdLs5M2AVk6gfJivFBMc08klmlQ9DjajsW119VBSglJYcGAI/s640/lasterror.PNG" width="640" /></a></div>
<br />
I had a valid SMTP certificate bound to the SMTP service with Enable-ExchangeCertificate, and my Send Connector to Office 365 was TLS enabled, yet we had a TLS error.<br />
<br />
This was caused by a Cisco 1941 router with SMTP inspection enabled. Legacy SMTP inspection in IOS only permits the basic SMTP command set, so extended commands such as STARTTLS are blocked on the way out, and Office 365 then refuses the session.<br />
<br />
The router has the following line in the config:<br />
<br />
"ip inspect name CBAC smtp"<br />
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjUEWwpFZEHtvlceu-xF8x_nlgwuD67XklXVPEMn2ZxsdPAvKpGDjM1beHC57vGyshxrbOYDEn8RpNLHUTPO-XV9JsmXlj7cJx9_qPwsxTPR5G9hoKxQX6Mdqpn9MOACWDf5u_pgQ4uTw0/s1600/ipinspect.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="264" data-original-width="309" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjUEWwpFZEHtvlceu-xF8x_nlgwuD67XklXVPEMn2ZxsdPAvKpGDjM1beHC57vGyshxrbOYDEn8RpNLHUTPO-XV9JsmXlj7cJx9_qPwsxTPR5G9hoKxQX6Mdqpn9MOACWDf5u_pgQ4uTw0/s1600/ipinspect.PNG" /></a></div>
<br />
After removing this line with "no ip inspect name CBAC smtp", mail flow started working successfully.</div>
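To prove where the problem sits before touching the router, here is an added example (not from the post) to run from the Exchange server itself: it opens port 25 to the Office 365 smart host, reads the EHLO reply to see whether STARTTLS is advertised, then issues STARTTLS and reports whether a 220 came back. The smart host name is a placeholder for your tenant's MX.

```powershell
# Added example: EHLO/STARTTLS probe across the same path the Send Connector uses.
function Test-SmtpStartTls {
    param(
        [Parameter(Mandatory)][string]$SmartHost,   # placeholder: e.g. 'contoso-com.mail.protection.outlook.com'
        [int]$Port = 25,
        [string]$HeloName = [System.Net.Dns]::GetHostName()
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $client.ReceiveTimeout = 10000
    $client.SendTimeout    = 10000
    $result = [ordered]@{ SmartHost = $SmartHost; Advertised = $false; Accepted = $false; Ehlo = @(); Error = $null }
    try {
        $client.Connect($SmartHost, $Port)
        $stream = $client.GetStream()
        $reader = New-Object System.IO.StreamReader($stream)
        $writer = New-Object System.IO.StreamWriter($stream)
        $writer.NewLine = "`r`n"
        $writer.AutoFlush = $true

        # An SMTP reply continues while the 4th character is '-'; the final line has a space.
        $readReply = {
            $lines = @()
            do {
                $line = $reader.ReadLine()
                if ($null -eq $line) { break }
                $lines += $line
            } while ($line.Length -ge 4 -and $line[3] -eq '-')
            ,$lines
        }

        $null = & $readReply                           # 220 banner
        $writer.WriteLine("EHLO $HeloName")
        $ehlo = & $readReply
        $result.Ehlo       = $ehlo
        $result.Advertised = [bool]($ehlo | Where-Object { $_ -match '^250[ -]STARTTLS' })

        # Ask for TLS. A 220 means the command got through to Office 365; anything else
        # (or a dropped connection) means the path or the server refused it. We close the
        # socket instead of handshaking, which is enough for a diagnostic.
        $writer.WriteLine('STARTTLS')
        $stls = & $readReply
        $result.Accepted = ($stls.Count -gt 0 -and $stls[0] -like '220*')
        if (-not $result.Accepted) { $writer.WriteLine('QUIT') }
    } catch {
        $result.Error = $_.Exception.Message
    } finally {
        $client.Close()
    }
    [pscustomobject]$result
}

# Usage: Test-SmtpStartTls -SmartHost 'contoso-com.mail.protection.outlook.com'
```

Advertised = True with Accepted = False (or an error) is the signature of something in between, such as SMTP inspection, rejecting the extended command; run the same probe from a host outside the router to compare.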
<div class="blogger-post-footer"><p>
Feel free to email me clint@kbomb.com.au if you have any questions about this post.
</p></div>Clint Boessenhttp://www.blogger.com/profile/11156487394562821934noreply@blogger.com0tag:blogger.com,1999:blog-3920347219421157797.post-79257222116566451362018-12-09T20:42:00.000-08:002018-12-09T23:28:50.889-08:00Microsoft causing issues for on-premises Exchange Customers<div dir="ltr" style="text-align: left;" trbidi="on">
Microsoft is causing issues for on-premises customers running Exchange in an effort to push customers to move to its servers in Office 365. After the release of 16.0.6741.2017, the Click-to-Run (C2R) version of the Outlook client for the PC prioritises O365 for Autodiscover queries above all other Autodiscover methods (SCP, HTTPS root domain etc).<br />
<br />
This causes problems for customers who aren't using O365 for mail service, especially if either of these conditions are true:<br />
<br />
1. The user has a mailbox in the O365 service which is not being used. This can occur if the user has inadvertently had an Exchange license assigned.<br />
<br />
2. The user has a personal Office subscription but has used their business email address to configure it.<br />
<br />
The issue users experience is that they are prompted for authentication; when they enter their details the login fails, as it is effectively requesting authentication against the O365 service.<br />
<br />
This behavior also breaks the experience for existing profiles, not just newly created ones.<br />
<br />The "workaround" we have is to add a registry change to end users' PCs to bypass the O365 endpoints, from this article:<br />
<br />
<a href="https://support.microsoft.com/en-gb/help/2212902/unexpected-autodiscover-behavior-when-you-have-registry-settings-under">https://support.microsoft.com/en-gb/help/2212902/unexpected-autodiscover-behavior-when-you-have-registry-settings-under </a><br />
<br />
This property needs to be set to a DWORD value of 1: ExcludeExplicitO365Endpoint<br />
<br />
This needs to be done on each computer running Outlook. For managed devices on a corporate network we can push this out with management tools such as SCCM or Group Policy Preferences, but for non-managed devices this is a huge overhead for IT staff dealing with end-user support and the issues experienced.<br />
<br />
This workaround is hard to manage and client specific, and it will need to be reverted if the customer ever does in fact move to O365 so that the Direct Connect method can work again.<br />
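Since the value has to be both applied and later reverted, here is an added example (not from the post) of a small function that does either, for the current user's Outlook 2016 profile, and reports the effective state so a support script can verify it. The key path is the one documented in the Microsoft article linked above; the 16.0 version number is an assumption for the C2R client discussed here.

```powershell
# Added example: apply or revert the ExcludeExplicitO365Endpoint workaround.
function Set-OutlookO365AutodiscoverBypass {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [switch]$Revert,                      # remove the value again once the mailbox moves to O365
        [string]$OfficeVersion = '16.0'       # assumption: Outlook 2016/2019/365 C2R all use the 16.0 hive
    )
    $key  = "HKCU:\Software\Microsoft\Office\$OfficeVersion\Outlook\AutoDiscover"
    $name = 'ExcludeExplicitO365Endpoint'

    if ($Revert) {
        if ($PSCmdlet.ShouldProcess("$key\$name", 'Remove')) {
            Remove-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
        }
    } else {
        if (-not (Test-Path $key)) { $null = New-Item -Path $key -Force }
        if ($PSCmdlet.ShouldProcess("$key\$name", 'Set DWORD 1')) {
            $null = New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 1 -Force
        }
    }

    # Report the effective state; Outlook must be restarted for it to take effect.
    $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    [pscustomobject]@{ Key = $key; Name = $name; Value = $current; O365EndpointExcluded = ($current -eq 1) }
}

# On a workstation whose mailbox is on-premises:
# Set-OutlookO365AutodiscoverBypass
# Before the mailbox migrates, so Outlook can find Office 365 again:
# Set-OutlookO365AutodiscoverBypass -Revert
```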
<br />
How Autodiscover is configured on Exchange Servers is documented at the following link, and now, even if we have set up Autodiscover correctly, by default Outlook clients will have issues setting up Outlook profiles.<br />
<br />
<a href="https://docs.microsoft.com/en-us/exchange/client-developer/exchange-web-services/autodiscover-for-exchange">https://docs.microsoft.com/en-us/exchange/client-developer/exchange-web-services/autodiscover-for-exchange</a><br />
<br />
Feedback asking for this behaviour to be removed for Outlook profiles configured against an on-premises Exchange Server has been provided to Microsoft by numerous frustrated IT professionals. Microsoft's response was as follows:<br />
<span style="color: red;"><br /></span><span style="color: red;"><b>We cannot fulfill this request as we will continue to optimize for the Office 365 experience. The supported implementation of Autodiscover is documented here, https://support.microsoft.com/en-us/help/3211279. Any ongoing changes and improvements will be documented in the article. We appreciate your feedback and take every request with consideration, whether we can move forward with it or not.</b></span><br />
<b><span style="color: red;">-Outlook Team</span></b><br />
<br />
Here are some facts:<br />
<ul style="text-align: left;">
<li>There are still more on-premises customers running Exchange than customers in Office 365.</li>
<li>On-premises customers pay good money via various Microsoft licensing programs to utilise these products.</li>
<li>Not all customers will migrate to the cloud - there will always be customers who want to keep intellectual property on-premises instead of moving to a shared public cloud environment.</li>
<li>Making changes such as the above which will cause issues to millions and millions of on-premises customers is <u>not acceptable</u>.</li>
</ul>
Due to the various complaints coming in from the community after the above statement was posted, Microsoft IMMEDIATELY closed comments, preventing their customers from venting further frustration. For more on this please see:<br />
<br />
<a href="https://outlook.uservoice.com/forums/322590-outlook-2016-for-windows/suggestions/36052099-stop-prioritizing-o365-for-autodiscover?tracking_code=bcd47b537c1d87aa7fa3220e75bd96a2">https://outlook.uservoice.com/forums/322590-outlook-2016-for-windows/suggestions/36052099-stop-prioritizing-o365-for-autodiscover?tracking_code=bcd47b537c1d87aa7fa3220e75bd96a2</a><br />
<br />
One would hope that these on-premises authentication requests hitting Microsoft's O365 servers are just authentication requests, and that Microsoft is not keeping these credentials. If it were, this would be a credential harvesting exercise the likes of which we have never seen before.<br />
<br />
As a consultant who has specialised in Microsoft technologies for a long time, I'm very disturbed and appalled by the company's actions. Microsoft gets paid good money either way (whether the customer is on-premises or in the cloud), and it is up to the customer to decide where they want to store their intellectual property!</div>
<div class="blogger-post-footer"><p>
Feel free to email me clint@kbomb.com.au if you have any questions about this post.
</p></div>Clint Boessenhttp://www.blogger.com/profile/11156487394562821934noreply@blogger.com0tag:blogger.com,1999:blog-3920347219421157797.post-69533980831309399362018-10-24T06:34:00.001-07:002018-10-25T01:12:05.597-07:00Pressure mounting from Microsoft on Skype for Business Usage<div dir="ltr" style="text-align: left;" trbidi="on">
Everyone in the IT community knows by 2018 that Microsoft's primary vision is no longer to make software for on-premises use but to focus on its cloud portfolio, moving the intellectual property (documents, email, data) of customers who use Microsoft applications into Microsoft-owned datacentres. Many companies have made the migration to Azure and Office 365 in recent years.<br />
<br />
It was surprising to many of us that on 1 October 2018 Microsoft announced that new Office 365 customers with fewer than 500 seats would no longer receive access to Skype for Business Online. The news was posted here:<br />
<br />
<a href="https://support.microsoft.com/en-au/help/4465277/microsoft-teams-now-the-primary-client-for-meetings-and-calling">https://support.microsoft.com/en-au/help/4465277/microsoft-teams-now-the-primary-client-for-meetings-and-calling</a><br />
<br />
The Microsoft Teams client was only officially launched on 14 March 2017, and ever since Microsoft has been mounting pressure for Skype for Business to go end of life. Little more than a year later, Microsoft Teams is now the only client available to new Office 365 businesses under 500 seats; the Skype for Business option has been removed.<br />
<br />
There are still a few things that I personally do not like about this new collaboration client, such as its interface and features.<br />
<br />
Skype for Business gives users the familiar "MSN Messenger" style layout: slick, clean and made primarily for instant messaging, presence and voice/video calls. Teams has a completely different layout, as in my screenshot below.<br />
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-HDUMBlA47k8C2BM9k1DzpXlto3KyrEp7PkiZI9Vz9MEBhR15dAyYqedHWWC3hvr7ZwZdjjH2LylSDOuwHTvgnwlhPJdvWVqxHYVTpjbrZ5sM_djJQoNoLIUWMdgFIzuNeagTeMl_-j0/s1600/teamsclient.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="760" data-original-width="1389" height="350" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-HDUMBlA47k8C2BM9k1DzpXlto3KyrEp7PkiZI9Vz9MEBhR15dAyYqedHWWC3hvr7ZwZdjjH2LylSDOuwHTvgnwlhPJdvWVqxHYVTpjbrZ5sM_djJQoNoLIUWMdgFIzuNeagTeMl_-j0/s640/teamsclient.PNG" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Microsoft Teams also has a Files section on the left-hand pane, allowing users to easily access data in OneDrive or SharePoint sites, collaborate on documents with multiple users and chat in real time about the work. This however assumes that companies store all their documents in a cloud service. Some companies still do not upload documents and data to a public cloud service provider and only want to use Office 365 for instant messaging and collaboration, without uploading sensitive information to the cloud. The Files collaboration feature may be something some clients do not want as part of an enterprise instant messaging application.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
Skype for Business is also heavily used by companies for simple desktop sharing so that users can collaborate on work. Microsoft Teams can also do this, but you need to be in a Teams meeting for the functionality to be available. This has annoyed many users and has been a long-standing feature request, raised all over the forums, which Microsoft has ignored for a while.<br />
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://techcommunity.microsoft.com/t5/Microsoft-Teams-AMA/When-will-desktop-sharing-be-available-in-Teams/td-p/120507">https://techcommunity.microsoft.com/t5/Microsoft-Teams-AMA/When-will-desktop-sharing-be-available-in-Teams/td-p/120507</a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Whilst Microsoft Teams is some cool software, one thing I have always liked in the IT world is freedom: the ability to choose the best tool for the task. I personally don't like being forced to use a product or solution just because it is the new flavour of the month. Nor do I like how some vendors force customers to adopt a cloud solution when not all businesses want to store intellectual property in a public datacentre, for various business reasons. All businesses should have the freedom to adopt technology as they see fit.</div>
</div>
<div class="blogger-post-footer"><p>
Feel free to email me clint@kbomb.com.au if you have any questions about this post.
</p></div>Clint Boessenhttp://www.blogger.com/profile/11156487394562821934noreply@blogger.com0tag:blogger.com,1999:blog-3920347219421157797.post-85136999442761775912018-09-13T05:23:00.000-07:002018-09-13T05:23:50.666-07:00Azure AD Application Proxy Overview, Deployment Process and Limitations<div dir="ltr" style="text-align: left;" trbidi="on">
<div dir="ltr" style="text-align: left;" trbidi="on">
<div>
One of my customers came to me enquiring about publishing some on-premises applications through the cloud using Azure AD Application Proxy. This feature of Azure is relatively new and there is currently limited documentation available online. I put some time aside to learn the technology and get a deep understanding of how it works.</div>
<div>
<br /></div>
<div>
In this article I will run through a high-level overview of how Azure AD Application Proxy works and then go step by step through a basic deployment of Azure AD Application Proxy to publish Outlook Web App.<br />
<br />
<b><u><span style="color: #073763; font-size: x-large;">Azure AD Application Proxy Overview</span></u></b></div>
<div>
<br /></div>
<div>
Azure AD Application Proxy is essentially a reverse proxy solution, hosted completely in the Microsoft Azure cloud, that allows companies to provide secure remote access to on-premises web-based applications. Traditionally companies needed to set up client-side VPN connections or place servers in a demilitarized zone to provide remote access to on-premises web applications, particularly applications that were never built to be published directly to the Internet. There are numerous security benefits to using Azure AD Application Proxy, such as Azure AD pre-authentication with its authorization controls (for example Conditional Access) and security analytics, multi-factor authentication, DDoS protection, no inbound connections to your internal network, and more. I'm not going to go into all of the security benefits in this article, but you can do further reading on the Microsoft website here:</div>
<div>
<br /></div>
<div>
<a href="https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy-security">https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy-security</a></div>
<div>
<br />
It is important to mention that Azure AD Application Proxy is region based. When you enable Application Proxy, the service instances for your tenant are chosen or created in the same Azure region as your Azure AD tenant (which Microsoft derives from the country you specified when signing up), or in the closest region to it.<br />
<br />
I have put together a high-level overview of how Azure AD Application Proxy works, which I will go through below (click to enlarge).<br />
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXYvdXBMx7HRJ3UWsBZzH4uKAA02bdVk96C-ZooL-Sf0CX154LXpzv0tlCoV3iilYmg2YMnLUqrgA1MxH9YX5GH5x-t9wN37cmrvqAEB-leD2IjyzglOAY40Vk2t0tWMNfenhWKzWyYaI/s1600/Azure+Proxy+Applications.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="744" data-original-width="1037" height="459" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgXYvdXBMx7HRJ3UWsBZzH4uKAA02bdVk96C-ZooL-Sf0CX154LXpzv0tlCoV3iilYmg2YMnLUqrgA1MxH9YX5GH5x-t9wN37cmrvqAEB-leD2IjyzglOAY40Vk2t0tWMNfenhWKzWyYaI/s640/Azure+Proxy+Applications.png" width="640" /></a></div>
<div>
<br /></div>
<div>
Without going too deep, there are essentially four components that make Azure AD Application Proxy work:<br />
<ul style="text-align: left;">
<li>Azure AD Application Proxy Apps</li>
<li>Connectors</li>
<li>Connector Groups</li>
<li>Backend Applications</li>
</ul>
I will cover each of these below.<br />
<br />
<br />
<span style="font-size: large;"><b><u>Azure AD Application Proxy Apps</u></b></span><br />
<br />
Azure AD Application Proxy apps sit in Microsoft Azure alongside all the Software as a Service (SaaS) applications you have published through Azure AD. The primary difference between an Application Proxy application and a standard cloud web application is that a Proxy app has an external URL hosted by the Application Proxy service (by default under msappproxy.net), and after the user has been pre-authenticated by Azure AD the request is relayed through a connector to the server on-premises rather than to a SaaS backend.<br />
<br />
In Microsoft Azure, you can see the Application Proxy applications alongside all your other Enterprise Applications. Simply log in to https://portal.azure.com and select Azure Active Directory --> Enterprise Applications.<br />
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjZIyxBxcxENCqOBiIdD2JxARf7DQOOshk7A5Hg1ai27QdNndj2iRCp7ODiMHNfAIRFU_KS2y_uDadF69lWNDG_XenPg_WZl2WpGbKiIX6t2PgFAyMWnvf93GOwqZvp3mKd124lpUu8PtY/s1600/azureadscreenshot.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="724" data-original-width="835" height="554" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjZIyxBxcxENCqOBiIdD2JxARf7DQOOshk7A5Hg1ai27QdNndj2iRCp7ODiMHNfAIRFU_KS2y_uDadF69lWNDG_XenPg_WZl2WpGbKiIX6t2PgFAyMWnvf93GOwqZvp3mKd124lpUu8PtY/s640/azureadscreenshot.png" width="640" /></a></div>
<br />
When we open the Enterprise Applications, we can see an Azure AD Application Proxy application I created which sits along with all my other SaaS applications that I have associated with this Azure AD Tenancy.<br />
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiiv6qeyfjSPlYsus9d2_q83AN44R73aNtTQcejeEbl-XAq5oXa8QItAG6U-UT7Ikr3j2T0KMj4UguHVXiJzwf7umLP4rsSgT1il9JRDWXnvrPswoVR9C57fz_AbG4fB8-jEHs2ykUPlTY/s1600/avantlabenterpriseapps.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="662" data-original-width="896" height="472" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiiv6qeyfjSPlYsus9d2_q83AN44R73aNtTQcejeEbl-XAq5oXa8QItAG6U-UT7Ikr3j2T0KMj4UguHVXiJzwf7umLP4rsSgT1il9JRDWXnvrPswoVR9C57fz_AbG4fB8-jEHs2ykUPlTY/s640/avantlabenterpriseapps.png" width="640" /></a></div>
<br />
Users can access the application either by going directly to its external URL (the application home page URL) or by logging in to the application portal where all their SaaS applications are published. This portal is at:<br />
<br />
<a href="http://myapps.microsoft.com/">http://myapps.microsoft.com</a><br />
<br />
As you can see, my test user user1@avantlab.com.au has only been presented with a few applications:<br />
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEdzakLRm3F_D1IvjrRVCMoyreeK0mC-_65_SAL2Q57BPf7q-yHDtGbopeQoNPtUjE0jta2BDAYvyGwQV-zeO5M8OJfQXbKoMATSkwFDR1yJQDJ_WtxknryuDFO7eJwb2i9CFvciGA4Wk/s1600/myapps.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="269" data-original-width="745" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEdzakLRm3F_D1IvjrRVCMoyreeK0mC-_65_SAL2Q57BPf7q-yHDtGbopeQoNPtUjE0jta2BDAYvyGwQV-zeO5M8OJfQXbKoMATSkwFDR1yJQDJ_WtxknryuDFO7eJwb2i9CFvciGA4Wk/s1600/myapps.PNG" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<span style="font-size: large;"><b><u>Connectors</u></b></span><br />
<br />
Connectors facilitate traffic flow from the Azure AD cloud to your on-premises applications. They are Windows services installed on servers on your internal network running Windows Server 2012 R2 or Windows Server 2016.<br />
<br />
Connectors are stateless and hold no configuration data on the machine apart from the settings needed to connect to the Azure AD cloud service and the certificate the connector uses to authenticate itself to the cloud. They automatically pull their configuration from the cloud every few minutes.<br />
<br />
When installed on an on-premises server, the connector simply shows up as services in the Services MMC console.<br />
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBWcyEvsJKv0ObnvRCqj3lwNfrxQPQw45VZCwiMALLi2If9u664uJqPgdM0Q-OPDohuQFAQ4lp4rvz3kJhwQt3Ft7aRY0W4YFYLEdydmAunYW5quZEF2Kq3xs2M-eCK95EOlioxvZuVbM/s1600/azureadconnectors.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="223" data-original-width="836" height="170" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBWcyEvsJKv0ObnvRCqj3lwNfrxQPQw45VZCwiMALLi2If9u664uJqPgdM0Q-OPDohuQFAQ4lp4rvz3kJhwQt3Ft7aRY0W4YFYLEdydmAunYW5quZEF2Kq3xs2M-eCK95EOlioxvZuVbM/s640/azureadconnectors.PNG" width="640" /></a></div>
<br />
Connectors do not require any inbound firewall or Network Address Translation (NAT) rules publishing them to the Internet. They only ever initiate outbound connections to Azure (over TCP 80 and 443), and those outbound connections are what the service uses to deliver inbound application requests to the connector. You can move the member servers running the connectors to different datacentres or public IP addresses and, because the connections are outbound, it will not disrupt the on-premises web applications they publish.<br />
<br />
As connectors do not require any inbound ports open from the Internet, they do not need to sit in a demilitarized zone and can go directly on servers on your internal network. It is recommended to deploy the connectors as close to the application servers as possible to minimise latency.<br />
<br />
Connectors can service multiple Azure AD Proxy Applications on your internal network and can be made fully redundant.<br />
<br />
For production environments it is always recommended to have multiple (at least two) Application Proxy connectors in an on-premises environment to provide high availability for published applications.<br />
<br />
Microsoft Azure automatically maintains the on-premises connectors, not only their configuration but also their updates. Provided the "Microsoft AAD Application Proxy Connector Updater" service is running, your connectors will be automatically updated and patched. If you have multiple connectors in a connector group, updates target only one connector in the group at a time to prevent downtime. We will talk about connector groups next.<br />
<br />
Lastly, it is important to mention that connectors can run on member servers that are not domain joined. However, if you want Single Sign-On (SSO) to work for applications that use Integrated Windows Authentication, the connector performs Kerberos Constrained Delegation on the user's behalf and therefore needs to run on a domain-joined server in the same forest as the application (or in a forest trusted by it). I will show you how to deploy Windows Integrated Authentication for an Azure AD Application Proxy connector later in this post.<br />
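The following pre-flight check pulls the connector properties described above into one script. It is an added example, not code from the original post or from Microsoft, and it is run in an elevated PowerShell session on the connector server itself. It assumes the service and process names the connector installer creates (WAPCSvc for "Microsoft AAD Application Proxy Connector", WAPCUpdaterSvc for the Updater, and ApplicationProxyConnectorService.exe); the endpoints probed are a subset of the outbound hosts Microsoft documents for the connector. The tenant-specific *.msappproxy.net and *.servicebus.windows.net hosts are wildcards, so they have to be allowed on the egress firewall rather than probed here.

```powershell
# Added example (not from the original post): health check for a server hosting
# an Azure AD Application Proxy connector. Run elevated on the connector host.
function Test-AppProxyConnectorHost {
    [CmdletBinding()]
    param(
        # Outbound hosts the connector needs; port 80 is for CRL downloads.
        # Subset of Microsoft's documented list; *.msappproxy.net and
        # *.servicebus.windows.net are tenant-specific and not probed here.
        [hashtable]$Endpoints = @{
            'login.microsoftonline.com' = 443
            'login.windows.net'         = 443
            'crl3.digicert.com'         = 80
        }
    )

    # 1. Both services must be running: WAPCSvc carries application traffic,
    #    WAPCUpdaterSvc keeps the connector patched (service names assumed
    #    from the connector installer).
    $services = foreach ($name in 'WAPCSvc', 'WAPCUpdaterSvc') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Service = $name
            Status  = if ($svc) { $svc.Status.ToString() } else { 'NotInstalled' }
        }
    }

    # 2. Outbound reachability on the ports the connector uses (80 and 443).
    $reach = foreach ($hostName in $Endpoints.Keys) {
        $port = $Endpoints[$hostName]
        $test = Test-NetConnection -ComputerName $hostName -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{ Host = $hostName; Port = $port; Reachable = $test.TcpTestSucceeded }
    }

    # 3. The connector only ever opens outbound sessions to the service; list the
    #    established ones so you can confirm no inbound listener is involved.
    $proc = Get-Process -Name 'ApplicationProxyConnectorService' -ErrorAction SilentlyContinue
    $outbound = if ($proc) {
        Get-NetTCPConnection -OwningProcess $proc.Id -State Established -ErrorAction SilentlyContinue |
            Select-Object RemoteAddress, RemotePort
    }

    # 4. Kerberos Constrained Delegation (Integrated Windows Auth SSO) only
    #    works from a domain-joined host.
    $domainJoined = (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain

    # 5. Recent connector events; registration and proxying errors land here.
    $events = Get-WinEvent -LogName 'Microsoft-AadApplicationProxy-Connector/Admin' `
                           -MaxEvents 5 -ErrorAction SilentlyContinue |
              Select-Object TimeCreated, Id, LevelDisplayName, Message

    [pscustomobject]@{
        Services            = $services
        OutboundReachable   = $reach
        EstablishedSessions = $outbound
        DomainJoined        = $domainJoined
        RecentEvents        = $events
        Healthy             = ($services.Status -notcontains 'Stopped') -and
                              ($services.Status -notcontains 'NotInstalled') -and
                              ($reach.Reachable -notcontains $false)
    }
}

Test-AppProxyConnectorHost | Format-List
```

If `Healthy` comes back false on a host that sits behind an authenticating proxy, the connector needs the proxy configured in its config file as Microsoft documents; a plain port test from the same host is the quickest way to tell a firewall problem from a registration problem, which shows up in the Admin event log instead.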
<br />
<span style="font-size: large;"><b><u>Connector Groups</u></b></span><br />
<br />
All connectors are associated with a connector group in Azure. If you do not define a connector group first, every connector you install is placed in the "Default" connector group.<br />
<br />
A few key things to take away from Connector Groups:<br />
<ul style="text-align: left;">
<li>Every Application Proxy app you create must be assigned to exactly one connector group (one-to-one relationship).</li>
<li>One connector group can contain many connectors (one-to-many relationship).</li>
<li>One connector group can service many applications (one-to-many relationship).</li>
</ul>
<div>
Connector groups ensure that requests for an on-premises application are load balanced across all connectors in the group. No configuration is needed to set up load balancing between the connectors; it happens automatically once the connectors are installed.</div>
<br />
For most companies only one connector group, with a few connectors, will be required, as it will look after all your internal applications. So why would you want multiple connector groups? There are a few reasons:<br />
<ul style="text-align: left;">
<li>Multiple Datacentres</li>
<li>Network Isolation</li>
<li>IaaS Deployments</li>
<li>Multi-Forest Deployments</li>
<li>Multiple Companies in a Single Azure AD Tenant</li>
</ul>
<br />
<b><u>Multiple Datacentres</u></b><br />
<br />
If you have multiple datacentres, you will most likely want a separate connector group for each, with connectors located in that datacentre. This keeps latency between the connector and the application to a minimum and gives users the best experience.<br />
<br />
<b><u>Network Isolation</u></b><br />
<br />
If you have network isolation between applications on your internal network, such as access control lists or network segmentation, create a separate connector group for each segment. Remember that the connectors in a group need direct internal connectivity to the applications published through that group; a group whose connectors sit in one segment cannot reach an application in another. The same property limits the reach of a compromised connector host to the segment it sits in.<br />
<br />
<b><u>Infrastructure as a Service Deployments</u></b><br />
<br />
If you have member servers in an IaaS cloud running internal web applications, you will most likely want to put connectors inside that IaaS tenancy, in their own connector group, to minimise latency.<br />
<br />
<b><u>Multi-Forest Deployments</u></b><br />
<br />
If you have multiple on-premises Active Directory forests, you want a connector group for each forest so that Kerberos Constrained Delegation works correctly: the connectors in a group must be joined to the forest (or to a forest trusted by it) that hosts the applications they publish.<br />
<br />
<b><u>Multiple Companies for a single Azure AD Tenancy</u></b><br />
<br />
Some IT departments of parent companies run the on-premises networks of many child companies that all share a single Azure AD tenancy. You will want a connector group for each child company, as each will most likely have its own Active Directory forest.<br />
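The "multiple datacentres" layout above, scripted with the AzureAD PowerShell module so the one-to-many (group to connectors) and one-to-one (app to group) rules are applied consistently rather than by clicking through the portal. This is an added example, not code from the original post or from Microsoft. It assumes the AzureAD module (2.0.2.x or later) is installed, that you hold Global Administrator or Application Administrator, that connector machine names carry a site prefix (PER-, SYD-), and that an application called "Outlook Web App" has already been published; all of those names are illustrative. The AzureAD module has since been deprecated in favour of Microsoft Graph PowerShell, where the same objects live under onPremisesPublishingProfiles.

```powershell
# Added example (not from the original post): one connector group per site,
# connectors placed by machine-name prefix, and a published app pinned to the
# site that hosts its backend. Names below are illustrative assumptions.
Import-Module AzureAD
Connect-AzureAD | Out-Null

# Site name -> machine-name prefix of the connectors that live there.
$sites = [ordered]@{
    'Perth Datacentre'  = 'PER-'
    'Sydney Datacentre' = 'SYD-'
}

# One connector group per site, created only if it does not already exist.
$groups   = @{}
$existing = Get-AzureADApplicationProxyConnectorGroup
foreach ($site in $sites.Keys) {
    $grp = $existing | Where-Object { $_.Name -eq $site }
    if (-not $grp) {
        $grp = New-AzureADApplicationProxyConnectorGroup -Name $site
        Write-Host "Created connector group '$site' ($($grp.Id))"
    }
    $groups[$site] = $grp
}

# Many connectors -> one group: place each connector by its machine name.
# Connectors matching no site are flagged rather than silently left in Default,
# because Default is a fall-back, not a site.
foreach ($conn in Get-AzureADApplicationProxyConnector) {
    $site = $sites.Keys |
            Where-Object { $conn.MachineName -like "$($sites[$_])*" } |
            Select-Object -First 1
    if ($site) {
        Set-AzureADApplicationProxyConnector -Id $conn.Id -ConnectorGroupId $groups[$site].Id
        Write-Host "$($conn.MachineName) -> $site (connector status: $($conn.Status))"
    } else {
        Write-Warning "$($conn.MachineName) matches no site prefix; left in its current group"
    }
}

# One app -> exactly one group: pin the published OWA app to the site that
# hosts the Exchange servers. -ObjectId is the application object, not the
# service principal.
$app = Get-AzureADApplication -SearchString 'Outlook Web App' | Select-Object -First 1
if ($app) {
    Set-AzureADApplicationProxyApplicationConnectorGroup -ObjectId $app.ObjectId `
        -ConnectorGroupId $groups['Perth Datacentre'].Id

    # Verify the group the app now depends on actually has healthy members.
    Get-AzureADApplicationProxyConnectorGroupMembers -Id $groups['Perth Datacentre'].Id |
        Select-Object MachineName, Status
} else {
    Write-Warning "No application named 'Outlook Web App' found; nothing pinned"
}
```

The verification step at the end matters: an app assigned to a connector group with no active connectors is unreachable, and the portal will happily let you save that state.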
<br />
<span style="font-size: large;"><b><u>Backend Applications</u></b></span><br />
<br />
Backend applications are the on-premises products you wish to publish to the cloud via Azure AD Application Proxy. My diagram shows Exchange and SharePoint, but you can also publish other applications from Microsoft or third-party vendors, as long as the entire application is web based (HTTP or HTTPS); Application Proxy does not carry other protocols.<br />
<br />
<span style="font-size: large;"><b><u>Azure AD Application Proxy Access Workflow</u></b></span><br />
<br />
Before I get stuck into the steps for configuring Azure AD Application Proxy, I want to quickly touch on the six steps that occur when a user accesses an application published through Azure AD Application Proxy. This list is taken from TechNet but is important to understand.<br />
<div>
<ol style="text-align: left;">
<li>The user accesses the application through the Application Proxy service and is directed to the Azure AD sign-in page to authenticate.</li>
<li>After a successful sign-in, a token is generated and sent to the client device.</li>
<li>The client sends the token to the Application Proxy service, which retrieves the user principal name (UPN) and security principal name (SPN) from the token, then directs the request to the Application Proxy connector.</li>
<li>If you have configured single sign-on, the connector performs any additional authentication required on behalf of the user.</li>
<li>The connector sends the request to the on-premises application. </li>
<li>The response is sent through Application Proxy service and connector to the user.</li>
</ol>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjMz67uBn9_EGe2oQuqIL_4ssFiSa3yHCpjn_UDHC9KqsMzgNFm7kTfZO5T6Di_f5Wz8KC3egivTvxTHpj8VR6OAKNemGndLDryxMhIa-BxOgTRtUqDQRh1KrvLv_I58967fvbK1M8a0wE/s1600/accessworkflow.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="229" data-original-width="629" height="230" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjMz67uBn9_EGe2oQuqIL_4ssFiSa3yHCpjn_UDHC9KqsMzgNFm7kTfZO5T6Di_f5Wz8KC3egivTvxTHpj8VR6OAKNemGndLDryxMhIa-BxOgTRtUqDQRh1KrvLv_I58967fvbK1M8a0wE/s640/accessworkflow.png" width="640" /></a></div>
</div>
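Step 1 of the workflow is the security property that makes the whole design worthwhile: an unauthenticated request must be bounced to Azure AD by the proxy service and never reach the connector or the backend. The check below confirms that from the outside. It is an added example, not code from the original post or from Microsoft; the external URL is an assumption in the default msappproxy.net format, and the check relies on the documented behaviour that a pre-authenticated app answers an anonymous request with a redirect to the Azure AD sign-in endpoint.

```powershell
# Added example (not from the original post): probe a published app from the
# Internet and confirm an anonymous GET is redirected to Azure AD, not served
# by the on-premises backend. The URL below is an assumed example.
function Test-AppProxyPreAuth {
    param([Parameter(Mandatory)][string]$ExternalUrl)

    $req = [System.Net.HttpWebRequest]::Create($ExternalUrl)
    $req.Method            = 'GET'
    $req.AllowAutoRedirect = $false            # surface the 302 instead of following it
    $req.UserAgent         = 'AppProxyPreAuthCheck/1.0'

    try   { $resp = $req.GetResponse() }                               # 3xx does not throw
    catch [System.Net.WebException] { $resp = $_.Exception.Response }  # 4xx/5xx do
    if (-not $resp) { throw "No HTTP response from $ExternalUrl" }

    $status   = [int]$resp.StatusCode
    $location = $resp.Headers['Location']
    $server   = $resp.Headers['Server']        # a backend IIS banner here means no pre-auth
    $resp.Close()

    $redirectHost = ''
    if ($location) { try { $redirectHost = ([uri]$location).Host } catch { $redirectHost = '' } }

    [pscustomobject]@{
        Url             = $ExternalUrl
        StatusCode      = $status
        Location        = $location
        ServerHeader    = $server
        # Pre-auth enforced: anonymous caller is sent to Azure AD sign-in.
        PreAuthEnforced = ($status -in 301, 302, 303, 307) -and
                          ($redirectHost -in 'login.microsoftonline.com', 'login.windows.net')
    }
}

Test-AppProxyPreAuth -ExternalUrl 'https://owa-avantlab.msappproxy.net/owa/'
```

An app published with "Passthrough" instead of Azure AD pre-authentication will return whatever the backend returns (for OWA, typically its own logon page or a redirect to /owa/auth/logon.aspx on the proxy hostname), and the check reports `PreAuthEnforced` as false. That is exactly the configuration to catch before exposing an application that was never hardened for the Internet.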
<br />
<br />
<div>
<b><u><span style="color: #073763; font-size: x-large;">Azure AD Application Proxy Deployment How-To</span></u></b></div>
<br />
I have documented the steps for publishing on-premises Exchange 2016 Outlook Web App via Azure AD Application Proxy, so you get an understanding of what is involved in setting up this technology. In this deployment I have a single connector, installed on my Exchange 2016 server, in the default connector group.<br />
<br />
For a production deployment, you will want the connectors installed on dedicated servers, and more than one connector server for redundancy.<br />
<br />
This lab deployment also uses Password Hash Synchronisation (PHS) between the on-premises environment and Azure AD. Note that PHS does not send the password or the raw NT hash to Azure AD: Azure AD Connect re-hashes the NT hash with a per-user salt and 1,000 iterations of PBKDF2 with HMAC-SHA256 before uploading it. If your company still does not want any derivative of user passwords stored in Azure AD, you can use Pass-through Authentication with the Azure AD Connect tool instead.<br />
<br />
Before we start configuring Azure AD Application Proxy, you need Azure AD Connect set up and synchronising. You will most likely already have this in place, but if you have never done it before, I have documented the steps. It's very straightforward!<br />
<br />
<span style="font-size: large;"><b><u>Setting up Azure AD Connect for Password Hash Synchronisation</u></b></span><br />
<br />
First of all, download the Azure AD Connect tool from:<br />
<br />
<a href="https://www.microsoft.com/en-us/download/details.aspx?id=47594">https://www.microsoft.com/en-us/download/details.aspx?id=47594</a><br />
<br />
Once the tool is downloaded, run it and accept Microsoft's End User License Agreement (EULA).<br />
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjRRQJoSNsVgh8s4MxBLOpObaYeSjeA4WOxXnLTZbJ7WbAhEQVMinjwduoYb2_i9p4p0Vnf_YzeKuv1vt_6SRDHc2tHsdDKWTgHWdOfJ3DGxzkeBSzrt4MdrFFpznaF06RUbpuFPoXg6cY/s1600/01.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="621" data-original-width="878" height="452" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjRRQJoSNsVgh8s4MxBLOpObaYeSjeA4WOxXnLTZbJ7WbAhEQVMinjwduoYb2_i9p4p0Vnf_YzeKuv1vt_6SRDHc2tHsdDKWTgHWdOfJ3DGxzkeBSzrt4MdrFFpznaF06RUbpuFPoXg6cY/s640/01.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjYUCErQYJSGLU0dCCm_-9doaJkkCy4DhMt9JtUhhFDZboWbWyAftw6rM3_Nh_uHSE3SErzVCl0Vx6ccZk5wkEXPCkrf7S0JokjMXI-kgJF5XYvE5NY8xls2ua2yjzgdmGZEQ8tvk38q_o/s1600/02.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="616" data-original-width="877" height="448" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjYUCErQYJSGLU0dCCm_-9doaJkkCy4DhMt9JtUhhFDZboWbWyAftw6rM3_Nh_uHSE3SErzVCl0Vx6ccZk5wkEXPCkrf7S0JokjMXI-kgJF5XYvE5NY8xls2ua2yjzgdmGZEQ8tvk38q_o/s640/02.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
When you get to this screen you will be asked whether you want to use Password Hash Synchronisation or Pass-through Authentication. If your company does not want password hashes in Azure AD, use Pass-through Authentication. For this lab I'm using Password Hash Synchronisation.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
I have also enabled Azure Active Directory Seamless Single Sign-On (Azure AD Seamless SSO), which gives domain-joined machines single sign-on to Azure AD: the client obtains a Kerberos ticket for a computer account named AZUREADSSOACC that Azure AD Connect creates in your forest, and Azure AD validates that ticket with the account's Kerberos decryption key, which it holds. Anyone who obtains that key can mint tickets for any synchronised user, so Microsoft recommends rolling the key over at least every 30 days. If you want to understand how Azure AD Seamless SSO works, refer to these articles:</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-sso">https://docs.microsoft.com/en-us/azure/active-directory/connect/active-directory-aadconnect-sso</a></div>
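Because the AZUREADSSOACC key is effectively a domain-wide credential, its age is worth auditing. The script below checks it and rolls it over when it is older than 30 days. It is an added example, not code from the original post or from Microsoft; it uses the AzureADSSO module that ships with Azure AD Connect, runs on the Azure AD Connect server in an elevated session, and assumes the default install path for that module. The 30-day limit is Microsoft's published guidance.

```powershell
# Added example (not from the original post): audit and roll over the Seamless
# SSO Kerberos decryption key (the AZUREADSSOACC computer account password).
# Run elevated on the Azure AD Connect server as a domain administrator.
$maxAgeDays = 30
$ssoModule  = 'C:\Program Files\Microsoft Azure Active Directory Connect\AzureADSSO.psd1'  # default path, adjust if needed

Import-Module ActiveDirectory
$acct    = Get-ADComputer -Identity 'AZUREADSSOACC' -Properties PasswordLastSet
$ageDays = [int]((Get-Date) - $acct.PasswordLastSet).TotalDays
Write-Host "AZUREADSSOACC key last set $($acct.PasswordLastSet) ($ageDays days ago)"

if ($ageDays -le $maxAgeDays) {
    Write-Host 'Key is within the 30-day policy; nothing to do.'
    return
}

Import-Module $ssoModule
New-AzureADSSOAuthenticationContext                 # prompts for an Azure AD Global Administrator
$onPrem = Get-Credential -Message 'Domain administrator as DOMAIN\username'
Update-AzureADSSOForest -OnPremCredentials $onPrem  # resets the key in AD and pushes it to Azure AD

# Confirm the forest is still SSO-enabled and the password timestamp has moved.
Get-AzureADSSOStatus | ConvertFrom-Json | Format-List
(Get-ADComputer -Identity 'AZUREADSSOACC' -Properties PasswordLastSet).PasswordLastSet
```

Rolling the key invalidates any ticket minted with the old one, including forged ones, which is the point of doing it on a schedule rather than only after an incident; clients simply request a fresh ticket on their next sign-in.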
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEigfsTAt4St6H0Nbz7jFvSZYHw_jbZQKhIXqPwE6EB9poFUDZdcInv2ZyNVmUwxOY3JvPa2a_dZZv06e_zjUtAod6J285pda0tEwma9-terlGPxuwewvhou88ZaGoBvE8yC6QNwU_cLbok/s1600/03.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="620" data-original-width="877" height="452" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEigfsTAt4St6H0Nbz7jFvSZYHw_jbZQKhIXqPwE6EB9poFUDZdcInv2ZyNVmUwxOY3JvPa2a_dZZv06e_zjUtAod6J285pda0tEwma9-terlGPxuwewvhou88ZaGoBvE8yC6QNwU_cLbok/s640/03.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Enter an account with Azure AD Global Administrator rights into the wizard to connect to Azure AD.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgs96iNnYiCq04ReA6kx4Ie-DDVoaD2R6mtGGKWd7PQFAvXicuNHUoQx17jdTOTvn9FCdvYpCCz-eiEXZXqQad7cf-LAWxomhe58ut9dKaUqM5BY5EJ-CwYyN7HvMo83km8q4s5-XwtFm0/s1600/04.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="620" data-original-width="879" height="450" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgs96iNnYiCq04ReA6kx4Ie-DDVoaD2R6mtGGKWd7PQFAvXicuNHUoQx17jdTOTvn9FCdvYpCCz-eiEXZXqQad7cf-LAWxomhe58ut9dKaUqM5BY5EJ-CwYyN7HvMo83km8q4s5-XwtFm0/s640/04.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Select the Active Directory forests you want to synchronise. The tool can synchronise multiple forests to Azure AD.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPawOcjTaQG0UdIytmEyckoMKZ7i5r42lFrvBSY_mtxFja5bOkG_na-x5irjM98qzKa_X_VN25GV_Rw_-nFau8mEEjLtTLYfOkCPwx3QB0j2kr7zVpJqhyQoMVXQHCcI_qLp9UBc-XfwE/s1600/07.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="620" data-original-width="880" height="450" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPawOcjTaQG0UdIytmEyckoMKZ7i5r42lFrvBSY_mtxFja5bOkG_na-x5irjM98qzKa_X_VN25GV_Rw_-nFau8mEEjLtTLYfOkCPwx3QB0j2kr7zVpJqhyQoMVXQHCcI_qLp9UBc-XfwE/s640/07.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Select the on-premises attribute you want Azure AD to use as the username. I usually make this the userPrincipalName of the on-premises accounts, and I make sure the UPN is the user's email address. This can be done by setting up a UPN Suffix in Active Directory Domains and Trusts and assigning the UPN on each user account to match the UPN Suffix.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Users in my test lab have the following UPN suffixes:</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
user1@avantlab.com.au</div>
<div class="separator" style="clear: both; text-align: left;">
user2@avantlab.com.au</div>
<div class="separator" style="clear: both; text-align: left;">
user3@avantlab.com.au etc.</div>
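<div class="separator" style="clear: both; text-align: left;">
The UPN suffix change described above can be scripted rather than clicked through per user. The following is an added PowerShell example, not code from the original post: it registers the suffix in the forest and rewrites each user's UPN to the user1@avantlab.com.au pattern. It assumes the RSAT ActiveDirectory module and a Domain Admin session; the search base and suffix values are constructed lab values to replace with your own.</div>

```powershell
# Added example (not from the original post): register a routable UPN suffix in the
# forest and set each user's UPN to <sAMAccountName>@<suffix>, matching the
# user1@avantlab.com.au pattern used in the lab. Assumes the RSAT ActiveDirectory
# module and a Domain Admin session. Suffix and search base are constructed lab values.
Import-Module ActiveDirectory

function Set-LabUpnSuffix {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)] [string] $Suffix,       # e.g. 'avantlab.com.au'
        [Parameter(Mandatory)] [string] $SearchBase,   # e.g. 'OU=Lab Users,DC=avantlab,DC=local'
        [switch] $MatchMailAttribute                    # prefer the mail attribute when it already uses the suffix
    )

    # 1. Make the suffix available in Active Directory Domains and Trusts.
    $forest = Get-ADForest
    if ($forest.UPNSuffixes -notcontains $Suffix) {
        if ($PSCmdlet.ShouldProcess($forest.Name, "Add UPN suffix $Suffix")) {
            Set-ADForest -Identity $forest.Name -UPNSuffixes @{ Add = $Suffix }
        }
    }

    # 2. Walk the enabled users and rewrite any UPN that does not already use the suffix.
    $users = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
        -Properties userPrincipalName, mail
    $changed = @()
    foreach ($u in $users) {
        $current = $u.UserPrincipalName
        if ($current -and $current.EndsWith("@$Suffix", [StringComparison]::OrdinalIgnoreCase)) {
            continue   # already correct, leave it alone
        }
        # Use the mail address when asked and when it lives in this suffix, otherwise build one.
        $newUpn = if ($MatchMailAttribute -and $u.mail -and
                      $u.mail.EndsWith("@$Suffix", [StringComparison]::OrdinalIgnoreCase)) {
            $u.mail
        } else {
            "$($u.SamAccountName)@$Suffix"
        }
        if ($PSCmdlet.ShouldProcess($u.DistinguishedName, "Set UPN $current -> $newUpn")) {
            Set-ADUser -Identity $u -UserPrincipalName $newUpn
            $changed += [pscustomobject]@{ Sam = $u.SamAccountName; OldUpn = $current; NewUpn = $newUpn }
        }
    }
    return $changed
}

# Dry run first (-WhatIf prints every change without applying it), then run it for real.
Set-LabUpnSuffix -Suffix 'avantlab.com.au' -SearchBase 'OU=Lab Users,DC=avantlab,DC=local' -WhatIf
# Set-LabUpnSuffix -Suffix 'avantlab.com.au' -SearchBase 'OU=Lab Users,DC=avantlab,DC=local'
```

<div class="separator" style="clear: both; text-align: left;">
Run the -WhatIf pass and review the list before applying: a UPN change alters the name users sign in with, so do it before the first synchronisation rather than after, when it would also change the matching in Azure AD.</div>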
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgA6ilHcHkG16poaWDM51ucrdT0_FL9z9lp6R_DvlO_mt23Evf3hRwH1CF-pgf9Xgovyig3DejnL8dfDspyhhLXlm7QcJFrEjEwREvsGjx_cOOYSIorbghT6njLukQUhMf_2llfPZ0A2Xc/s1600/08.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="620" data-original-width="879" height="450" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgA6ilHcHkG16poaWDM51ucrdT0_FL9z9lp6R_DvlO_mt23Evf3hRwH1CF-pgf9Xgovyig3DejnL8dfDspyhhLXlm7QcJFrEjEwREvsGjx_cOOYSIorbghT6njLukQUhMf_2llfPZ0A2Xc/s640/08.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
You can synchronise sub organisational units or the entire domain. In this lab I'm synchronising the entire domain structure.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2qo6saQQb0Fdafwl9GxBJgX8l5em-VG4pXLsHpQXihjMVR_APwR_QRSL3BpS-EU6IceB4BGuKb6Q5jZXzc80DChibHXxRYPkZsklpjdW8ZHUxLE3haOCqvFi37mR-GnRGR8R4MdqQI8c/s1600/09.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="619" data-original-width="880" height="450" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2qo6saQQb0Fdafwl9GxBJgX8l5em-VG4pXLsHpQXihjMVR_APwR_QRSL3BpS-EU6IceB4BGuKb6Q5jZXzc80DChibHXxRYPkZsklpjdW8ZHUxLE3haOCqvFi37mR-GnRGR8R4MdqQI8c/s640/09.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
I let Azure manage the source anchor (the unique identifier that links each on-premises user to its Azure AD object). If you have a complex network with a lot of users you will need to think about which attribute you want to use as the source anchor.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-evZC2wyWANZ949Q1GpDh_54th7WIrrBYnEAHL7F4CDlCov2p0K4_2j8DOkymFXOzfBOnTPANxkMOepNCq5oHVwoJkvmbdScKqjuZ8fEbQjH_O4L7EdGLi2D3nTjmvxpbldAMrZguCG8/s1600/10.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="618" data-original-width="881" height="448" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg-evZC2wyWANZ949Q1GpDh_54th7WIrrBYnEAHL7F4CDlCov2p0K4_2j8DOkymFXOzfBOnTPANxkMOepNCq5oHVwoJkvmbdScKqjuZ8fEbQjH_O4L7EdGLi2D3nTjmvxpbldAMrZguCG8/s640/10.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
We are not filtering any users in this lab, we are synchronising everything.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEimeWmo6qTLQBdDOmnKe7qHy82kAIgSAcf2oHpa_f9y1EvG7ZZlWAwhFmYu_Vvs0DSdficz3HDzSxIU-iK3mIYEHIdetgsrPqdYxzeyAbploUiDu8ENdhafqxFof2l5ooOgOsU_REZYl9U/s1600/11.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="619" data-original-width="880" height="450" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEimeWmo6qTLQBdDOmnKe7qHy82kAIgSAcf2oHpa_f9y1EvG7ZZlWAwhFmYu_Vvs0DSdficz3HDzSxIU-iK3mIYEHIdetgsrPqdYxzeyAbploUiDu8ENdhafqxFof2l5ooOgOsU_REZYl9U/s640/11.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
No additional features were needed in this lab environment for Azure AD Application Proxy. You may need additional features for other requirements.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhygUNmi2C2b7B1VgbBmjxC89bdg2KeJcYiZfr7cdiNYZKWmOaipSlw4oaAXd5eacqm751hrwwcob2SYD2R3xZMksJqbwcRRMC8OovHuISIm0mQqFE4s71oKJrPgVNnRA-UF6hmIorjlMM/s1600/12.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="619" data-original-width="881" height="448" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhygUNmi2C2b7B1VgbBmjxC89bdg2KeJcYiZfr7cdiNYZKWmOaipSlw4oaAXd5eacqm751hrwwcob2SYD2R3xZMksJqbwcRRMC8OovHuISIm0mQqFE4s71oKJrPgVNnRA-UF6hmIorjlMM/s640/12.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
You need to make sure your domain is verified in the Azure Portal by adding a TXT record to your public DNS.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEghLeF8ZZiDci7pbCEPqHqxaa3lU4NWtePrFKH1ilji-6kAyBUok0vlvXeR8yDh6YwoOZNUyvm5xlV7l1-OB-JU6pgz74gNC_tw9oYoJkOfTj5hC1oIz6Ra6FUlBsvj0TcoxIEmU0Uz-qQ/s1600/13.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="632" data-original-width="1078" height="374" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEghLeF8ZZiDci7pbCEPqHqxaa3lU4NWtePrFKH1ilji-6kAyBUok0vlvXeR8yDh6YwoOZNUyvm5xlV7l1-OB-JU6pgz74gNC_tw9oYoJkOfTj5hC1oIz6Ra6FUlBsvj0TcoxIEmU0Uz-qQ/s640/13.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
The wizard will show whether the domain is verified.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjuDXAThZxyqAcuFJX_qxkQ7hLuXjAeg0a9al4xl7jNjpY5s9nEDWV-ac0YD-khItUN8eMS1xY7PcL346Kx5NaiLkRFYw1CBFB-wHwOc6IXUHf8SyXxBdQ97FjSfvUYhuBx8cCd0gmhIDY/s1600/14.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="620" data-original-width="883" height="448" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjuDXAThZxyqAcuFJX_qxkQ7hLuXjAeg0a9al4xl7jNjpY5s9nEDWV-ac0YD-khItUN8eMS1xY7PcL346Kx5NaiLkRFYw1CBFB-wHwOc6IXUHf8SyXxBdQ97FjSfvUYhuBx8cCd0gmhIDY/s640/14.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Enter the credentials of an on-premises Domain Admin account, which the wizard requires to set up Azure AD Seamless SSO. You will want to use a dedicated service account with a long, complex password for this.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhnBc_oCXAa54RdVMShbwuoXXoiKXKAUFUPoFdLr1QucSYSQl-pEfmzI22bTGI6ubg-D8FPf9HljEjH1N7cVOCkA4Gk5ujQ2I1UGY38f1qvnH3a1h_hXIFbtef_EggQ1zo1xJGU83GgGgQ/s1600/15.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="619" data-original-width="880" height="450" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhnBc_oCXAa54RdVMShbwuoXXoiKXKAUFUPoFdLr1QucSYSQl-pEfmzI22bTGI6ubg-D8FPf9HljEjH1N7cVOCkA4Gk5ujQ2I1UGY38f1qvnH3a1h_hXIFbtef_EggQ1zo1xJGU83GgGgQ/s640/15.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Kick off an initial synchronisation once the wizard is finished.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjYzR8fBd0uN5TyBZrfoeuAXHSwidNW4F_5FITY7UWw68a4Iais-i43xwjQHp-MYCyMDH9VRWyNHBk-mja_uOvZ48RFSmtYH_457OHcX5PUgcp0RTQA4bCmOWSkNiz9B9pwTw_iCv1xd8M/s1600/16.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="619" data-original-width="880" height="450" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjYzR8fBd0uN5TyBZrfoeuAXHSwidNW4F_5FITY7UWw68a4Iais-i43xwjQHp-MYCyMDH9VRWyNHBk-mja_uOvZ48RFSmtYH_457OHcX5PUgcp0RTQA4bCmOWSkNiz9B9pwTw_iCv1xd8M/s640/16.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
You will see the wizard created the AZUREADSSOACC computer account used by Azure AD Seamless SSO.</div>
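<div class="separator" style="clear: both; text-align: left;">
Two things are worth checking on the Azure AD Connect server once the wizard has finished: that the initial synchronisation actually ran, and the state of the AZUREADSSOACC computer account, whose Kerberos key decrypts the tickets users present to Azure AD and which Microsoft recommends rolling at least every 30 days. The following is an added PowerShell example, not code from the original post. It assumes the ADSync module that the wizard installs and the RSAT ActiveDirectory module; the 30-day threshold is a parameter you can change.</div>

```powershell
# Added example (not from the original post): verify the state Azure AD Connect leaves
# behind after the wizard. Run on the Azure AD Connect server with the ADSync module
# (installed by the wizard) and RSAT ActiveDirectory available. The 30-day threshold
# follows Microsoft's guidance for rolling the AZUREADSSOACC Kerberos decryption key.
Import-Module ADSync
Import-Module ActiveDirectory

function Test-SeamlessSsoAccount {
    param([int] $MaxKeyAgeDays = 30)

    # The wizard creates this computer account; its Kerberos key decrypts the tickets
    # users present to Azure AD, so it is a high-value secret that should be rotated.
    $acc = Get-ADComputer -Identity 'AZUREADSSOACC' `
        -Properties PasswordLastSet, servicePrincipalName, Enabled

    $keyAge    = (Get-Date) - $acc.PasswordLastSet
    $hasSsoSpn = $acc.servicePrincipalName -contains 'HTTP/autologon.microsoftazuread-sso.com'

    [pscustomobject]@{
        Account        = $acc.SamAccountName
        Enabled        = $acc.Enabled
        KeyAgeDays     = [int] $keyAge.TotalDays
        KeyRotationDue = $keyAge.TotalDays -gt $MaxKeyAgeDays
        HasSsoSpn      = $hasSsoSpn
    }
}

function Start-LabInitialSync {
    # Equivalent of ticking "Start the synchronization process when configuration
    # completes": an initial (full) cycle, followed by the scheduler state.
    Start-ADSyncSyncCycle -PolicyType Initial | Out-Null
    Get-ADSyncScheduler | Select-Object SyncCycleEnabled, SyncCycleInProgress, NextSyncCycleStartTimeInUTC
}

$sso = Test-SeamlessSsoAccount
$sso
if ($sso.KeyRotationDue) {
    Write-Warning "AZUREADSSOACC key is $($sso.KeyAgeDays) days old; roll it with Update-AzureADSSOForest from the AzureADSSO module."
}
if (-not $sso.HasSsoSpn) {
    Write-Warning 'Expected SPN HTTP/autologon.microsoftazuread-sso.com is missing; Seamless SSO will not work.'
}
Start-LabInitialSync
```

<div class="separator" style="clear: both; text-align: left;">
Keep the key-age check in whatever scheduled health check you run against the Azure AD Connect server; a fresh lab passes it trivially, but a production AZUREADSSOACC that has never been rolled is the finding you want surfaced.</div>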
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjvbmBUjz1ZBUrgbYgd0S4NSi7PQDZjsXuSN0YthEd7eeDWPAt9mBJDaMlt4C5XESdrfGhlBLPlIkkYKZ-aXEQHjAZXjehmb_7UtmH3DyWMfcnt-iSB_RsxaIVdpA8eMR8wtXP_lUbx6c4/s1600/17.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="442" data-original-width="698" height="404" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjvbmBUjz1ZBUrgbYgd0S4NSi7PQDZjsXuSN0YthEd7eeDWPAt9mBJDaMlt4C5XESdrfGhlBLPlIkkYKZ-aXEQHjAZXjehmb_7UtmH3DyWMfcnt-iSB_RsxaIVdpA8eMR8wtXP_lUbx6c4/s640/17.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Close the wizard.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi6EqoQpEawgqFadm3GpuF2_5V6gWdy9RdmXR6fHk_7_np2PJdTKsKa7W2Kkso20p1VGks8DvaxsVv4pRwmUJAJjYTl0Dahyphenhyphenu4v2uJ3K0oObcy5CfdYN0gNoQ3UMh2Lo72XebctHPG4z40/s1600/18.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="623" data-original-width="879" height="452" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi6EqoQpEawgqFadm3GpuF2_5V6gWdy9RdmXR6fHk_7_np2PJdTKsKa7W2Kkso20p1VGks8DvaxsVv4pRwmUJAJjYTl0Dahyphenhyphenu4v2uJ3K0oObcy5CfdYN0gNoQ3UMh2Lo72XebctHPG4z40/s640/18.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<b><u><span style="font-family: "times new roman"; font-size: large;">Upgrading Azure AD</span></u></b></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
By default your Azure AD subscription will be "Azure AD Free" which can run Microsoft Office 365. In order to use Azure AD Application Proxy you must be running at least "Azure AD Basic", "Azure AD Premium P1" or "Azure AD Premium P2".</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
For a comparison between the various flavours of Azure AD, please see the following Microsoft website:</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://azure.microsoft.com/en-us/pricing/details/active-directory/">https://azure.microsoft.com/en-us/pricing/details/active-directory/</a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
If you upgrade from Azure AD Free to a higher flavour, you will need to wait 24 hours for the changes to take effect within Azure.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<b><u><span style="font-family: "times new roman"; font-size: large;">Setting up Azure AD Application Proxy</span></u></b></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
The following steps need to be taken to setup Azure AD Application Proxy.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Navigate to Azure AD --> Enterprise Applications.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhTFLsy1wRDMN8x9Cx8WJooWYjQaRcUc3DIqZaqlp9EGbvQT9l_iv5hpJ9SatbS1t4H8Xyc3v1Uk3z0wpC1Z4vyI0-pa_PJKsnx0Z9ivsJQreEAyUUUUG8-JyrOzNvD7LHMc0aBB_lpQG0/s1600/19.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="828" data-original-width="781" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhTFLsy1wRDMN8x9Cx8WJooWYjQaRcUc3DIqZaqlp9EGbvQT9l_iv5hpJ9SatbS1t4H8Xyc3v1Uk3z0wpC1Z4vyI0-pa_PJKsnx0Z9ivsJQreEAyUUUUG8-JyrOzNvD7LHMc0aBB_lpQG0/s640/19.png" width="602" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="color: #000120;">Select New Application</span></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiI6y3plYzsFrPKqxkgggSXA6oMYvhkUvM0sBHIUmakAcsbv9MDpNj7adZIwQoQzwvtx1LBCzmyenSKKcfdq4592iZxd3t1oIT1YblVdUsMnfBJhrUITUTtBTpJmVuFU1m_jnn8k5IhAzI/s1600/21.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="613" data-original-width="1155" height="338" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiI6y3plYzsFrPKqxkgggSXA6oMYvhkUvM0sBHIUmakAcsbv9MDpNj7adZIwQoQzwvtx1LBCzmyenSKKcfdq4592iZxd3t1oIT1YblVdUsMnfBJhrUITUTtBTpJmVuFU1m_jnn8k5IhAzI/s640/21.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Select On-premises application.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiwQBQGjJyzmpl8JfmeHyMz63bBEuxgOZL_gj5lnWNh4-0OdwOxUxyUhL7TBQtCHJztWXzkpS1khVFqBKcBYHFa4S4vYIccEDaedfOQ1AQv39lkYQykONvaUIFOS8vcW81xI7YM5tvHXlg/s1600/22.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="586" data-original-width="1107" height="338" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiwQBQGjJyzmpl8JfmeHyMz63bBEuxgOZL_gj5lnWNh4-0OdwOxUxyUhL7TBQtCHJztWXzkpS1khVFqBKcBYHFa4S4vYIccEDaedfOQ1AQv39lkYQykONvaUIFOS8vcW81xI7YM5tvHXlg/s640/22.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
If you haven't already upgraded from Azure AD Free you will get this warning.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhsFSqAKkXeEJCbndVDQGhX6fV8mmdbgmDawRRtAPSZLNnTxlOlXIJsyfl4DRtEAHXNEv-LC-1zkt4Avj-S83Ftp0On_WxgvgpEqlSSyyfAWbnoojC0n5iXwHE75191NJHaO-2IvktQSBE/s1600/23.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="600" data-original-width="1168" height="328" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhsFSqAKkXeEJCbndVDQGhX6fV8mmdbgmDawRRtAPSZLNnTxlOlXIJsyfl4DRtEAHXNEv-LC-1zkt4Avj-S83Ftp0On_WxgvgpEqlSSyyfAWbnoojC0n5iXwHE75191NJHaO-2IvktQSBE/s640/23.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Click the link and select Free Trial next to Azure AD Premium for lab purposes. If you're running a business, you will need to procure Azure AD Basic or higher before proceeding.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhaEoMejFb6PkyK-aj_mH2InN9hnxLKKKi1xMsZa8JZfwHtuPnpfBQqOwUZ9hMeQbxJkUjn0XvCYg7IGXsoa_75HBD6-CI3Sen_DlIo_m0QMkS-7YwKDQ_lyEZj-h47iRX1aitbxY0EN_c/s1600/24.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="767" data-original-width="1462" height="334" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhaEoMejFb6PkyK-aj_mH2InN9hnxLKKKi1xMsZa8JZfwHtuPnpfBQqOwUZ9hMeQbxJkUjn0XvCYg7IGXsoa_75HBD6-CI3Sen_DlIo_m0QMkS-7YwKDQ_lyEZj-h47iRX1aitbxY0EN_c/s640/24.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Activate the Azure AD Premium P2 trial in the lab and wait 24 hours for the activation to complete.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMGIqCmnYU3LlT6mCWpBjmQWPyQzbtvWw8Jd1q-VocqFAKbMHn5qumCdRar_0qyuxoM7leOzwrQkDZFYiHZNwICl4g-iaWRn9CeBNVe7xD9ezNFMdfb9KlqVatmrjQMVKQ2oJ0bL-3lzA/s1600/25.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="713" data-original-width="898" height="508" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMGIqCmnYU3LlT6mCWpBjmQWPyQzbtvWw8Jd1q-VocqFAKbMHn5qumCdRar_0qyuxoM7leOzwrQkDZFYiHZNwICl4g-iaWRn9CeBNVe7xD9ezNFMdfb9KlqVatmrjQMVKQ2oJ0bL-3lzA/s640/25.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Next download the Application Proxy Connector application to install on the member servers.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhGwCi83ccydl8PEZ4Ncwk2w7ur6lLdy0IZb-wWOpPI6S9O-HfiZvU7b3LlTw6e9vxZLSvvJJ0TQTYSh6reuE0atE6ZlW3tXXLZzXweqRyz6vfQAHujLb-9fdc9wGOhiWNL3_LJzRrS0ec/s1600/26.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="562" data-original-width="1169" height="306" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhGwCi83ccydl8PEZ4Ncwk2w7ur6lLdy0IZb-wWOpPI6S9O-HfiZvU7b3LlTw6e9vxZLSvvJJ0TQTYSh6reuE0atE6ZlW3tXXLZzXweqRyz6vfQAHujLb-9fdc9wGOhiWNL3_LJzRrS0ec/s640/26.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
You will need to agree to a license agreement before download can commence.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgHQ3FLGSd1ruKf8Y5Z5ZN7vywomSZ4jcM2YAZGgrzW0CA_UvyHFtuHT4AQ5TdtkgWvMxXrUaFJ5Riw9ZEXO0P0As0QBmZIEr3-uWom_q3Wi9kS1ED4i0ORalURBclQkX_QuAFAA8z3UQ0/s1600/27.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="381" data-original-width="850" height="286" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgHQ3FLGSd1ruKf8Y5Z5ZN7vywomSZ4jcM2YAZGgrzW0CA_UvyHFtuHT4AQ5TdtkgWvMxXrUaFJ5Riw9ZEXO0P0As0QBmZIEr3-uWom_q3Wi9kS1ED4i0ORalURBclQkX_QuAFAA8z3UQ0/s640/27.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Make sure you run the setup on a Server 2012 R2 or Server 2016 computer. In my lab, to minimise the number of virtual machines dedicated to this exercise, I installed the connector directly on an Exchange 2016 server. For production deployments you should deploy the connector on a dedicated server and have more than one for redundancy.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Click through the steps below.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-bBZsjhSUF4kS3Kq0gTNtQxObOAf6i0sVW5l7DSRlYUs_1HBkckex4opoacaNEF-SUJCrjWZMCMhnGFCl_9nR5k8mo9wLUe3AVigqT8dvAHxr8JPXMyPordBfwjgihq6pd7vz5C1qdp4/s1600/28.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="348" data-original-width="496" height="280" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-bBZsjhSUF4kS3Kq0gTNtQxObOAf6i0sVW5l7DSRlYUs_1HBkckex4opoacaNEF-SUJCrjWZMCMhnGFCl_9nR5k8mo9wLUe3AVigqT8dvAHxr8JPXMyPordBfwjgihq6pd7vz5C1qdp4/s400/28.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Sign in to your Azure AD tenancy with an Azure AD Global Administrator account when prompted.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEieMjt6pff6ODPoUSMMAxhDXje7-lqgHbLPgQihc_xTa6w0dArW6O98k1t79tcQ3QmuTa8XS7zMLPN4BUWmQE8Ryur9xQ14trUjBRhndIzQ4nozXQX4-WugBl8tw2rZBMjq8LKSqz30Fmw/s1600/29.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="541" data-original-width="564" height="382" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEieMjt6pff6ODPoUSMMAxhDXje7-lqgHbLPgQihc_xTa6w0dArW6O98k1t79tcQ3QmuTa8XS7zMLPN4BUWmQE8Ryur9xQ14trUjBRhndIzQ4nozXQX4-WugBl8tw2rZBMjq8LKSqz30Fmw/s400/29.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Let the tool install and connect to Azure AD.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMuD8z9FW6Dpy1cQfZoFvsR_3S6ACZMQlma3Z6wIJnfHpu0n083vdUKpVgJR3fnm-cwZII0eCCrWWEiNQwNv_tr2QetfOVWuYwN21QvsjwzoDbCVN-D7978wclJ8mG4KSAGQAG3wQmkAY/s1600/30.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="346" data-original-width="498" height="277" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMuD8z9FW6Dpy1cQfZoFvsR_3S6ACZMQlma3Z6wIJnfHpu0n083vdUKpVgJR3fnm-cwZII0eCCrWWEiNQwNv_tr2QetfOVWuYwN21QvsjwzoDbCVN-D7978wclJ8mG4KSAGQAG3wQmkAY/s400/30.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Click Close once the installation has succeeded.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjvWFKmKsSNsmGRDW1K7hxfrs2RR7H4pMtYoPMsKqM8JjaAtxZAdre-PwBgfZ4D5Hf5LTHnb_CyeV0fz_tv6Ehhn-6U1PTTjs6a1EgK6TKca6s5CqIc4D27075WjCdlq2XwZsjRoxORdko/s1600/31.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="347" data-original-width="498" height="278" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjvWFKmKsSNsmGRDW1K7hxfrs2RR7H4pMtYoPMsKqM8JjaAtxZAdre-PwBgfZ4D5Hf5LTHnb_CyeV0fz_tv6Ehhn-6U1PTTjs6a1EgK6TKca6s5CqIc4D27075WjCdlq2XwZsjRoxORdko/s400/31.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Notice on my Exchange 2016 server, it added the following two services:</div>
<ul style="text-align: left;">
<li><div class="separator" style="clear: both; text-align: left;">
Microsoft AAD Application Proxy Connector</div>
</li>
<li><div class="separator" style="clear: both; text-align: left;">
Microsoft AAD Application Proxy Connector Updater</div>
</li>
</ul>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjM7oxJDuIxYRRxv4DbZCjEK0dS9-aHT7yGpYFKYTOvIU7GQMpfguEm_1iT2LOETmo3alKGpYfjb29O5kYKTenTGiTvOgyDPMkIoj6KfzBam_zXEIsZfVz6FgRQGgCadCDgdA05lq2QC88/s1600/32.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="542" data-original-width="828" height="418" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjM7oxJDuIxYRRxv4DbZCjEK0dS9-aHT7yGpYFKYTOvIU7GQMpfguEm_1iT2LOETmo3alKGpYfjb29O5kYKTenTGiTvOgyDPMkIoj6KfzBam_zXEIsZfVz6FgRQGgCadCDgdA05lq2QC88/s640/32.png" width="640" /></a></div>
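<div class="separator" style="clear: both; text-align: left;">
A quick way to confirm the connector host is in the state shown above, as an added PowerShell example that is not part of the original post: it looks the two services up by the display names listed, so it runs as-is on the server where the connector was installed, and flags either service that is not running or not set to start automatically.</div>

```powershell
# Added example (not from the original post): confirm the two connector services the
# installer registered are running and set to start automatically. Uses the display
# names listed in the post rather than internal service names.
function Test-AppProxyConnectorServices {
    $services = Get-Service -DisplayName 'Microsoft AAD Application Proxy Connector*' -ErrorAction SilentlyContinue
    if (-not $services) {
        Write-Warning 'No Application Proxy Connector services found; is the connector installed on this host?'
        return
    }
    foreach ($svc in $services) {
        [pscustomobject]@{
            DisplayName = $svc.DisplayName
            Name        = $svc.Name
            Status      = $svc.Status
            StartType   = $svc.StartType
            # Healthy means it is up now and will come back after a reboot.
            Healthy     = ($svc.Status -eq 'Running') -and ($svc.StartType -eq 'Automatic')
        }
    }
}

$state = Test-AppProxyConnectorServices
$state | Format-Table -AutoSize
$state | Where-Object { -not $_.Healthy } | ForEach-Object {
    Write-Warning "$($_.DisplayName) is $($_.Status) / $($_.StartType); the connector will not serve traffic until it is running."
}
```

<div class="separator" style="clear: both; text-align: left;">
With more than one connector in production, run this on every host; a single stopped connector is silent from the user's side because Azure simply routes around it.</div>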
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
After the connector is installed, go back to Azure AD and add the on-premises application.</div>
<ul style="text-align: left;">
<li><div class="separator" style="clear: both; text-align: left;">
Give the application a name, this is what users will see in the myapps.microsoft.com portal.</div>
</li>
<li><div class="separator" style="clear: both; text-align: left;">
Enter the Internal URL of the application. This is the FQDN of the web based application on your internal network.</div>
</li>
<li><div class="separator" style="clear: both; text-align: left;">
Select a DNS name for the service. You can use a Microsoft domain for lab purposes, or your own domain, in which case you will need to take care of the DNS changes yourself. As this is a lab I just used the Microsoft msappproxy.net domain.</div>
</li>
<li><div class="separator" style="clear: both; text-align: left;">
Under Pre-Authentication you can select either Azure Active Directory or Passthrough. Azure Active Directory pre-authentication requires the password hashes to exist in Azure AD.</div>
</li>
<li><div class="separator" style="clear: both; text-align: left;">
As we did not create a connector group it will just use the Default group. For production deployments I recommend you create a Connector Group first and give it a descriptive name such as the datacentre/location where the connectors will exist.</div>
</li>
</ul>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhkTGuYab3-J2BUdd_S6Hp2x6RauxZYCXFXk2ygGXPI0rlCjnxNwdzsr6VQNP0NM8dLK5TUAwE4Grqxw638Ulub_1BRwbx3Hxx_X6sbnKVCHjYGeURqtr4U-_gWs8ZC2iWlfr6MSFPtu8w/s1600/33.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="778" data-original-width="1160" height="428" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhkTGuYab3-J2BUdd_S6Hp2x6RauxZYCXFXk2ygGXPI0rlCjnxNwdzsr6VQNP0NM8dLK5TUAwE4Grqxw638Ulub_1BRwbx3Hxx_X6sbnKVCHjYGeURqtr4U-_gWs8ZC2iWlfr6MSFPtu8w/s640/33.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTVirVxPdbmX0u8tlW2d1iuUf-clQJDtF3DlYA_tX-kEmk3EwS9ZBiFvRYMfWSxJDv4gmE2nH7juZZesPUue6e-WHW8DYFG7o8ZZleNzIVmzdAfN1RxO1HtTJ0KxJ0toUyxJeXJn0Dwy8/s1600/34.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="854" data-original-width="938" height="582" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTVirVxPdbmX0u8tlW2d1iuUf-clQJDtF3DlYA_tX-kEmk3EwS9ZBiFvRYMfWSxJDv4gmE2nH7juZZesPUue6e-WHW8DYFG7o8ZZleNzIVmzdAfN1RxO1HtTJ0KxJ0toUyxJeXJn0Dwy8/s640/34.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
After you create the application, you will need to go into its properties and grant a couple of users access to the application through Azure AD. This is done under Users and Groups.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2FyZOmkxMpygMzRrzA3pD9NhyphenhyphenYoioyJHmuihscllJgV-4uigLcfv2dZmRi1a8YLVMsRnlIsqwS9Od7Q9wYEVo2zBULsWJ617mVfR-8mwRCnqVC9QSPuK-AX3u6zCCKD_X5vHQ24jfptg/s1600/38.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="705" data-original-width="841" height="536" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi2FyZOmkxMpygMzRrzA3pD9NhyphenhyphenYoioyJHmuihscllJgV-4uigLcfv2dZmRi1a8YLVMsRnlIsqwS9Od7Q9wYEVo2zBULsWJ617mVfR-8mwRCnqVC9QSPuK-AX3u6zCCKD_X5vHQ24jfptg/s640/38.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Lastly we need to set up Single Sign-on. This ensures that once a user signs in to Azure AD, either through https://myapps.microsoft.com or by going directly to the external facing URL of the application, they are automatically logged into the application and do not need to sign in twice. There are many Single Sign-on methods for Azure AD Application Proxy, including:</div>
<ul style="text-align: left;">
<li><div class="separator" style="clear: both; text-align: left;">
Password-based Sign-on</div>
</li>
<li><div class="separator" style="clear: both; text-align: left;">
Linked Sign-on</div>
</li>
<li><div class="separator" style="clear: both; text-align: left;">
Integrated Windows Authentication</div>
</li>
<li><div class="separator" style="clear: both; text-align: left;">
Header-based Sign-on</div>
</li>
</ul>
<div>
If you would like an overview of each of these, refer to the following website:</div>
<div>
<br /></div>
<div>
<a href="https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy-single-sign-on">https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy-single-sign-on</a></div>
<div>
<br /></div>
<div>
For Exchange Server, we used Integrated Windows Authentication for Outlook Web App as this is best for Exchange. By default, Exchange is set up to use Forms based authentication for the web apps, so we need to change this before configuring Azure AD.<br />
<br />
As you see below, I changed my Exchange Virtual Directories and restarted IIS so that we are using Integrated Windows Authentication for both ECP and OWA. Forms based authentication is now disabled.</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<img border="0" data-original-height="522" data-original-width="565" height="368" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjnp0noYiLUErltdcvShZh2pgtN8FyDBOSByRM8zxe8PDhRsGcbLla8sjCs5CNhMCi3Pwz0j6OVkaM2V_GSaxIL3O8jeXDoL7PdSQnPMf3I5fjarc1Muz2u1a5X2n9LadevstGpkoeDJPA/s400/39.PNG" width="400" /></div>
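As an added example (not the post's own commands), the same virtual directory change made from the Exchange Management Shell instead of the EAC; the server name EXCH01 is an assumption:

```powershell
# Added example, not from the original post. Switches the OWA and ECP virtual
# directories from forms-based to Integrated Windows Authentication, which is the
# setting Azure AD Application Proxy IWA single sign-on expects behind the connector.
# Assumption: the Exchange server is named EXCH01; run in the Exchange Management Shell.
$Server = 'EXCH01'

# Exchange expects OWA and ECP to share the same authentication settings (ECP is
# reached through an OWA redirect), so both are changed together.
Set-OwaVirtualDirectory -Identity "$Server\owa (Default Web Site)" `
    -FormsAuthentication $false -WindowsAuthentication $true
Set-EcpVirtualDirectory -Identity "$Server\ecp (Default Web Site)" `
    -FormsAuthentication $false -WindowsAuthentication $true

# IIS only picks the change up after a restart (the post does the same).
iisreset /noforce

# Verify before pointing the App Proxy application at the server: both entries
# should report FormsAuthentication False and WindowsAuthentication True.
# BasicAuthentication is listed as well so any extra method left enabled is visible.
Get-OwaVirtualDirectory -Server $Server |
    Select-Object Server, FormsAuthentication, WindowsAuthentication, BasicAuthentication
Get-EcpVirtualDirectory -Server $Server |
    Select-Object Server, FormsAuthentication, WindowsAuthentication, BasicAuthentication
```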
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Next we need to configure Kerberos Constrained Delegation on the servers running the connectors. Find the member server computer objects for your Connector machines in Active Directory Users and Computers and go to the Delegation tab. You will need to enable Advanced Features in Active Directory Users and Computers to see this.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Under Delegation, add the computer objects for all the servers you want to set up delegation to. These are the servers running the applications. You can add multiple web servers here: Exchange, SharePoint and any other internal web servers you want to publish.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
The screenshot may be confusing because the Connector and the Application are both on the same server, which is why it was delegated to itself.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
For more information on Kerberos Constrained Delegation with Azure AD Application Proxy please refer to the following article:</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy-configure-single-sign-on-with-kcd">https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/application-proxy-configure-single-sign-on-with-kcd</a></div>
</div>
</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgU8x1pGVWkFNVaqEslkh4rfrHTnAtueDD31qEQt_ALRKlPKGwoWyGtfzC0Zo8EZN8B3CJ44_xI7CrEo8Rg0J10aI7l4-LTHUq42JCLjChmWMbcvI_vUZimSDG2sGOKc_1CULYqKmXCnMs/s1600/35.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="552" data-original-width="600" height="588" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgU8x1pGVWkFNVaqEslkh4rfrHTnAtueDD31qEQt_ALRKlPKGwoWyGtfzC0Zo8EZN8B3CJ44_xI7CrEo8Rg0J10aI7l4-LTHUq42JCLjChmWMbcvI_vUZimSDG2sGOKc_1CULYqKmXCnMs/s640/35.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Once Active Directory is set up, configure the Internal Application SPN for your internal server. This is generally going to be:</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<b>http/fqdn-of-internal-app</b></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Select the login identity we configured earlier in Azure AD Connect, which was User Principal Name.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEglLciPv5kFeOv9djk0ZQ-e6EljLiTjolMetPYt8gJqUaynTDzoAfU-LGoRJYg3fC7YXfSOF2_xftd1KPhcW-xDMb2rLuFqOVg_lExvPKwyfbrLArKQxU5LACnohUJA_phAzWwPFisql3o/s1600/36.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="716" data-original-width="927" height="494" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEglLciPv5kFeOv9djk0ZQ-e6EljLiTjolMetPYt8gJqUaynTDzoAfU-LGoRJYg3fC7YXfSOF2_xftd1KPhcW-xDMb2rLuFqOVg_lExvPKwyfbrLArKQxU5LACnohUJA_phAzWwPFisql3o/s640/36.png" width="640" /></a></div>
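The Delegation tab and SPN steps above, scripted with the ActiveDirectory PowerShell module as an added example rather than the post's own commands. It assumes a connector host named CONNECTOR01 and an internal application SPN of http/exchange.avantlab.local; the delegation options match those the linked Microsoft article describes:

```powershell
# Added example, not from the original post: the Delegation tab settings done with the
# ActiveDirectory module. Assumptions: connector host CONNECTOR01 and internal application
# SPN http/exchange.avantlab.local (the Internal Application SPN entered in Azure AD must
# match this value exactly).
Import-Module ActiveDirectory

$ConnectorHost = 'CONNECTOR01'
$AppSpn        = 'http/exchange.avantlab.local'

# 1. The SPN must already be registered on the application server's account, otherwise
#    the connector cannot obtain a service ticket for it. Fail early if it is missing.
$spnOwner = Get-ADObject -LDAPFilter "(servicePrincipalName=$AppSpn)" -Properties servicePrincipalName
if (-not $spnOwner) {
    throw "SPN '$AppSpn' is not registered on any account. Register it on the application server first."
}

# 2. Constrain delegation to that SPN only. This is the "Trust this computer for
#    delegation to specified services only" option; it stops the connector host from
#    being able to obtain tickets on behalf of users for arbitrary services.
Set-ADComputer -Identity $ConnectorHost -Add @{ 'msDS-AllowedToDelegateTo' = $AppSpn }

# 3. "Use any authentication protocol" (protocol transition). Required because the user
#    reaches the connector with an Azure AD token, not a Kerberos ticket.
Set-ADAccountControl -Identity ($ConnectorHost + '$') -TrustedToAuthForDelegation $true

# 4. Verify: the host should list only the intended SPNs, and TrustedForDelegation
#    (unconstrained delegation) must remain False.
$result = Get-ADComputer -Identity $ConnectorHost `
    -Properties 'msDS-AllowedToDelegateTo', TrustedForDelegation, TrustedToAuthForDelegation
$result | Select-Object Name, TrustedForDelegation, TrustedToAuthForDelegation,
    @{ Name = 'AllowedToDelegateTo'; Expression = { $_.'msDS-AllowedToDelegateTo' -join ', ' } }
if ($result.TrustedForDelegation) {
    Write-Warning "$ConnectorHost has unconstrained delegation enabled; App Proxy only needs constrained delegation."
}
```

Add one msDS-AllowedToDelegateTo entry per published application server, as the post describes for Exchange, SharePoint and other internal web servers.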
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Next navigate to the public facing URL of your published application. In my lab it's:</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
https://exchange-avantlab.msappproxy.net</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<i>FYI: If you're reading this a month later, I have probably repurposed my lab and the address no longer exists.</i></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0IoxsMxoDG6uDoZWaMtpJu9er2syF_THjle5c9Zfr6Ihv9zAuPnUqpau4rG5eskjR8-WzFUeump2NsCJM9v2sVmSPCBoFHFj_YcRDuyQPwu8gZCB4CNFpflAUTBRmwIN_A_9uaUIHrjg/s1600/37.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="344" data-original-width="443" height="310" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0IoxsMxoDG6uDoZWaMtpJu9er2syF_THjle5c9Zfr6Ihv9zAuPnUqpau4rG5eskjR8-WzFUeump2NsCJM9v2sVmSPCBoFHFj_YcRDuyQPwu8gZCB4CNFpflAUTBRmwIN_A_9uaUIHrjg/s400/37.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
After signing in to the application, we see that we are automatically passed through to Exchange OWA on-premises without being prompted for credentials again.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjkqXhb6G7_ljmiaHne09QMLZ-9UxyIfJpyuS1B21IpLwG7zYu5P8FNXAy54xfTylHtZflsQ63pFHMlAWx8ZvIMgQSuNQ8-HycSq6sWwVXvwE0fC0WU1DgJXMhuhev95i5ZMkcO25cs7SM/s1600/40.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="609" data-original-width="999" height="390" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjkqXhb6G7_ljmiaHne09QMLZ-9UxyIfJpyuS1B21IpLwG7zYu5P8FNXAy54xfTylHtZflsQ63pFHMlAWx8ZvIMgQSuNQ8-HycSq6sWwVXvwE0fC0WU1DgJXMhuhev95i5ZMkcO25cs7SM/s640/40.PNG" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="background-color: transparent; color: #073763; display: inline; float: none; font-family: "times new roman"; font-size: 32px; font-style: normal; font-variant: normal; font-weight: 700; letter-spacing: normal; text-align: left; text-decoration: underline; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;">Azure AD Application Proxy Limitations</span></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Azure AD Application Proxy is a new feature in Azure which offers customers basic reverse proxy functionality to publish on-premises applications through the cloud. Whilst reviewing the product and setting it up in my lab, I found a few limitations which I believe will act as show stoppers for some companies looking to implement it. These limitations may be addressed in the future by Microsoft, and I have submitted this feedback to the Azure AD product team - so fingers crossed.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="background-color: transparent; color: black; display: inline; float: none; font-family: "times new roman"; font-size: 24px; font-style: normal; font-variant: normal; font-weight: 700; letter-spacing: normal; text-align: left; text-decoration: underline; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;">Limitation 1: On-Premises Load Balancers are Still Required!</span></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Azure AD Application Proxy has great load balancing between the Azure service stack in the cloud and the on-premises connectors. Load is distributed evenly across all connectors associated with a connector group.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
The connectors, however, have no capability to distribute load across application servers in a web farm. You are only able to configure a single FQDN on your internal network which represents your web application address. This is shown in the following screenshot:</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZKjerRpg9Y3A2lcZTbRMGd35y5rxXnOMZS4teaUXrlMCcWdRFTY3QsXvson_2ADKjn-OKYQ0MTQR8ii70Y2VAA0SP5s2ZwtLZchijGSplI6oGmXz6h8l8ydv_Q3Z-Ue5XIyvq04DsPQg/s1600/41.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="484" data-original-width="678" height="456" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiZKjerRpg9Y3A2lcZTbRMGd35y5rxXnOMZS4teaUXrlMCcWdRFTY3QsXvson_2ADKjn-OKYQ0MTQR8ii70Y2VAA0SP5s2ZwtLZchijGSplI6oGmXz6h8l8ydv_Q3Z-Ue5XIyvq04DsPQg/s640/41.PNG" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="background-color: transparent; color: black; display: inline; float: none; font-family: "times new roman"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; letter-spacing: normal; text-align: left; text-decoration: none; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;"><br /></span></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="background-color: transparent; color: black; display: inline; float: none; font-family: "times new roman"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; letter-spacing: normal; text-align: left; text-decoration: none; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;">Many of my customers have server farms for important applications which need to be published. The only way you can do this is by deploying an on-premises load balancing solution and advertising a Virtual IP address which the Azure AD Application Proxy connectors connect to.</span></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Most leading load balancers such as F5 BIG-IP, KEMP, Barracuda Networks, Citrix NetScaler and many others also provide reverse proxy functionality and are often more powerful than what Azure AD Application Proxy offers. Of course there are free on-premises load balancing solutions such as Network Load Balancing or Application Request Routing (a Microsoft IIS feature), but these are very limited and I would not recommend them for production use.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
What would be a great feature addition is if the connectors could handle this and perform basic health monitoring of application service endpoints and distribute load across the web farm.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="background-color: transparent; color: black; display: inline; float: none; font-family: "times new roman"; font-size: 24px; font-style: normal; font-variant: normal; font-weight: 700; letter-spacing: normal; text-align: left; text-decoration: underline; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;">Limitation 2: No way to handle different authentication methods within a Web Application</span></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
Some web applications have different authentication methods for each virtual directory. A good example is Microsoft Exchange, which I published: each of the virtual directories has different authentication settings, which Azure AD Application Proxy cannot accommodate.<br />
<br />
Below is a list of virtual directories on an Exchange 2016 frontend website. I configured the ECP and OWA virtual directories to use Integrated Windows Authentication; however, if I try to establish an ActiveSync connection from a mobile phone to exchange-avantlab.msappproxy.net it will fail, as the Microsoft-Server-ActiveSync virtual directory uses basic authentication over SSL.<br />
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhXwYqR0GdbBoFJbULS2wYv81VrJUv53EojAoFBrD6ZXu0Mi9l7xfhREfuxoVqqvRlmijsrvp1U7vg4qWlAzYPOZtp8l4eVO9HjrFY6nSwIiXlDLszR-yqUByqzLY7UPMVidMbVPq_PIqk/s1600/42.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="362" data-original-width="292" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhXwYqR0GdbBoFJbULS2wYv81VrJUv53EojAoFBrD6ZXu0Mi9l7xfhREfuxoVqqvRlmijsrvp1U7vg4qWlAzYPOZtp8l4eVO9HjrFY6nSwIiXlDLszR-yqUByqzLY7UPMVidMbVPq_PIqk/s400/42.PNG" width="322" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
To get around this, it would be possible to create a separate Azure AD Application Proxy App for each virtual directory, each with its own SSO configuration, but that is a painful approach. It is also possible to configure Autodiscover to return a different public FQDN in the ExternalURL setting for each of the virtual directories shown above.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
The workaround will work but it is not ideal!</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="background-color: transparent; color: black; display: inline; float: none; font-family: "times new roman"; font-size: 24px; font-style: normal; font-variant: normal; font-weight: 700; letter-spacing: normal; text-align: left; text-decoration: underline; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;">Limitation 3: No way to limit/restrict Application Sub Directories</span></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Almost every reverse proxy solution on the market that I have worked with has a way of restricting access to some components of the application through the proxy - but not Azure AD Application Proxy!</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
For example, a company may want to allow all application paths internally, but block the EWS and PowerShell virtual directories remotely from the Internet:</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<b>[ALLOW]</b> https://exchange-avantlab.msappproxy.net/owa<br />
<b>[ALLOW]</b> https://exchange-avantlab.msappproxy.net/microsoft-active-sync<br />
<b>[ALLOW]</b> https://exchange-avantlab.msappproxy.net/oab</div>
<div class="separator" style="clear: both; text-align: left;">
<b>[ALLOW]</b> https://exchange-avantlab.msappproxy.net/ews<br />
<b>[ALLOW]</b> https://exchange-avantlab.msappproxy.net/autodiscover<br />
<b>[BLOCK]</b> https://exchange-avantlab.msappproxy.net/powershell<br />
<b>[BLOCK]</b> https://exchange-avantlab.msappproxy.net/ecp<br /></div>
<div class="separator" style="clear: both; text-align: left;">
With Azure AD Application Proxy there is no way to do this; publishing an application through Azure AD will always publish the entire application.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<span style="-webkit-text-stroke-width: 0px; background-color: transparent; color: #073763; display: inline !important; float: none; font-family: "times new roman"; font-size: 32px; font-style: normal; font-variant: normal; font-weight: 700; letter-spacing: normal; orphans: 2; text-align: left; text-decoration: underline; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;">Final Thoughts</span></div>
<div class="separator" style="-webkit-text-stroke-width: 0px; background-color: transparent; clear: both; color: black; font-family: Times New Roman; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; letter-spacing: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px; orphans: 2; text-align: left; text-decoration: none; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;">
<br /></div>
<div class="separator" style="-webkit-text-stroke-width: 0px; background-color: transparent; clear: both; color: black; font-family: Times New Roman; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; letter-spacing: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px; orphans: 2; text-align: left; text-decoration: none; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;">
I believe Azure AD Application Proxy is a fantastic low cost method for securely publishing on-premises services to the Internet. For customers already using the Azure stack to provide users access to applications via the https://myapps.microsoft.com portal, this allows the customer to add on-premises applications for users through the same familiar interface.</div>
<div class="separator" style="-webkit-text-stroke-width: 0px; background-color: transparent; clear: both; color: black; font-family: Times New Roman; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; letter-spacing: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px; orphans: 2; text-align: left; text-decoration: none; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;">
<br /></div>
<div class="separator" style="-webkit-text-stroke-width: 0px; background-color: transparent; clear: both; color: black; font-family: Times New Roman; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; letter-spacing: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px; orphans: 2; text-align: left; text-decoration: none; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;">
Azure AD Application Proxy is new technology, and fixes for some of the limitations I have described may come in the near future.</div>
<div class="separator" style="-webkit-text-stroke-width: 0px; background-color: transparent; clear: both; color: black; font-family: Times New Roman; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; letter-spacing: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px; orphans: 2; text-align: left; text-decoration: none; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;">
<br /></div>
<div class="separator" style="-webkit-text-stroke-width: 0px; background-color: transparent; clear: both; color: black; font-family: Times New Roman; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; letter-spacing: normal; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px; orphans: 2; text-align: left; text-decoration: none; text-indent: 0px; text-transform: none; white-space: normal; word-spacing: 0px;">
Thanks for reading and I hope this post was useful.</div>
</div>
<div class="blogger-post-footer"><p>
Feel free to email me clint@kbomb.com.au if you have any questions about this post.
</p></div>Clint Boessen (http://www.blogger.com/profile/11156487394562821934), 2018-09-05: Changing a Custom Domain from AD FS to Password Sync in Azure<div dir="ltr" style="text-align: left;" trbidi="on">
In my test lab tenancy avantlab.onmicrosoft.com I needed to convert the domain avantlab.com.au from using AD FS to Password Sync. The AD FS infrastructure I had set up no longer existed and I needed to re-purpose the lab.<br />
<br />
There is no way of achieving this through the Azure Portal that I could see, and I could not find any documentation online on how to do it.<br />
<br />
To achieve this change you must connect to your Azure AD Tenancy via PowerShell with:<br />
<br />
<div class="MsoNormal">
<span lang="EN-AU"><b>Connect-MsolService</b></span></div>
<br />
If we run <b>Get-MsolDomain</b> we see that avantlab.com.au is in a federated state, redirecting sign-ins to an AD FS portal which no longer exists.<br />
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgU9wWQQkmGozwrajG5J0OG6fxZRvT9lV75EwnK_mB_fEMxlRYNdaFJCAyeEoZun6MqvdJYw8u1D3Vu940L7jSS2BkkRevTnAtt4cXvz3biVthOU-5A6CKDsenCUL0xevWS21WSJuDm2Cg/s1600/getmsoldomain1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="122" data-original-width="418" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgU9wWQQkmGozwrajG5J0OG6fxZRvT9lV75EwnK_mB_fEMxlRYNdaFJCAyeEoZun6MqvdJYw8u1D3Vu940L7jSS2BkkRevTnAtt4cXvz3biVthOU-5A6CKDsenCUL0xevWS21WSJuDm2Cg/s1600/getmsoldomain1.png" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
After you have enabled Password Sync in the Azure AD Connect tool and synchronised the on-premises accounts to AzureAD, you can then set avantlab.com.au back to a Managed domain.<br />
<br />
To do this use the following command:<br />
<br />
<b>Set-MsolDomainAuthentication -DomainName avantlab.com.au -Authentication Managed</b><br />
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjmf9_Rs_Ko2O4PISple4NiGnwfMC5sOI_PQfmqUS50Qyy27i_vqOj8Pz-9sswWFntbRU4c9dZCjDGfDpTaOlil6gaURpPBRUyBgh_qMyplDf1wAHksZ_M0MrwZOdfu0Ow6gQypqwvZTfM/s1600/setmsoldomainauthentication.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="76" data-original-width="795" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjmf9_Rs_Ko2O4PISple4NiGnwfMC5sOI_PQfmqUS50Qyy27i_vqOj8Pz-9sswWFntbRU4c9dZCjDGfDpTaOlil6gaURpPBRUyBgh_qMyplDf1wAHksZ_M0MrwZOdfu0Ow6gQypqwvZTfM/s1600/setmsoldomainauthentication.png" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
We can now see that it is in a managed state:</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi3ZurDldvb51Ssb-Ty4TXWS44OJh9ME_nvGU0BcGAjSYcjDX3N_sevmyLzQvJNoBuO8nJbR1JY5YrFYNJFPzBPfJPUrLsR_X_iIZkU4TVVt9nG9Z5fnNR7gfdtgudkyhGna0l45xA6oO0/s1600/setmsoldomain2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="116" data-original-width="411" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi3ZurDldvb51Ssb-Ty4TXWS44OJh9ME_nvGU0BcGAjSYcjDX3N_sevmyLzQvJNoBuO8nJbR1JY5YrFYNJFPzBPfJPUrLsR_X_iIZkU4TVVt9nG9Z5fnNR7gfdtgudkyhGna0l45xA6oO0/s1600/setmsoldomain2.png" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
After a few minutes, sign-ins to services will authenticate directly against Azure AD and you will no longer be redirected to an AD FS portal.</div>
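The same Federated to Managed switch, written as an added example (not the post's own code) that checks the two things a safe conversion depends on before it runs the <b>Set-MsolDomainAuthentication</b> command: that password hash sync is enabled on the tenant, and that users in the domain have actually been synced. It uses the same MSOnline cmdlets as the post; the domain name is the post's lab domain.

```powershell
# Added example: gate the Federated -> Managed change on the checks a safe conversion needs.
function Convert-FederatedDomainToManaged {
    param(
        [Parameter(Mandatory)][string]$DomainName,
        [switch]$Force   # without -Force the function only reports what it would do
    )

    $domain = Get-MsolDomain -DomainName $DomainName
    if ($domain.Authentication -ne 'Federated') {
        Write-Host "$DomainName is already '$($domain.Authentication)'; nothing to do."
        return $domain
    }

    # Show where federated sign-ins are currently being sent (the AD FS endpoint).
    $fed = Get-MsolDomainFederationSettings -DomainName $DomainName
    Write-Host "Current federation endpoint: $($fed.PassiveLogOnUri)"

    # Check 1: password hash sync must be on, or nobody can sign in once the domain is Managed.
    $company = Get-MsolCompanyInformation
    if (-not $company.PasswordSynchronizationEnabled) {
        throw "Password hash synchronisation is not enabled on this tenant; enable it in Azure AD Connect first."
    }

    # Check 2: at least one user in the domain must have been synced from on-premises.
    $synced = Get-MsolUser -DomainName $DomainName -All |
              Where-Object { $null -ne $_.LastDirSyncTime }
    if (-not $synced) {
        throw "No users in $DomainName show a LastDirSyncTime; run a sync cycle before converting."
    }
    $latest = ($synced | Sort-Object LastDirSyncTime -Descending | Select-Object -First 1).LastDirSyncTime
    Write-Host ("{0} synced user(s) found; most recent sync {1}" -f @($synced).Count, $latest)

    if (-not $Force) {
        Write-Host "Dry run: would run Set-MsolDomainAuthentication -DomainName $DomainName -Authentication Managed"
        return $domain
    }

    Set-MsolDomainAuthentication -DomainName $DomainName -Authentication Managed
    # Re-read the domain so the caller sees the post-change state.
    return Get-MsolDomain -DomainName $DomainName
}

Connect-MsolService
Convert-FederatedDomainToManaged -DomainName 'avantlab.com.au'          # report only
Convert-FederatedDomainToManaged -DomainName 'avantlab.com.au' -Force   # make the change
```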
<div class="blogger-post-footer"></div>Clint Boessenhttp://www.blogger.com/profile/11156487394562821934noreply@blogger.com0tag:blogger.com,1999:blog-3920347219421157797.post-33492897427057427662018-08-14T01:17:00.002-07:002018-08-14T01:17:51.756-07:00Limiting Login Restrictions to Azure AD to Regions<div dir="ltr" style="text-align: left;" trbidi="on">
I was running a cloud enablement workshop today for a customer to lay out the options for providing SaaS applications with an Identity Provider for SAML2 or OAuth2 authentication. We went through the various options: AD FS, Azure AD, Pass-through Authentication and third party providers.<br />
<br />
One of the questions asked was "Is it possible to limit the Azure AD regions which a user's password hash is synchronised to?" when using Azure AD Connect and Password Hash Synchronisation.<br />
<br />
My immediate answer to that question was "No".<br />
<br />
The Azure AD architecture has write instances and many "read only" instances in datacentres all over the world. It is designed so that any datacentre or country can be lost and identity information will remain available; hence all Azure AD data is held in all Azure datacentres around the globe.<br />
<br />
For more information on Azure AD architecture, see the following articles which are good reads:<br />
<br />
<a href="https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-architecture">https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-architecture</a><br />
<br />
<a href="https://cloudblogs.microsoft.com/enterprisemobility/2014/09/02/azure-ad-under-the-hood-of-our-geo-redundant-highly-available-distributed-cloud-directory/">https://cloudblogs.microsoft.com/enterprisemobility/2014/09/02/azure-ad-under-the-hood-of-our-geo-redundant-highly-available-distributed-cloud-directory/</a><br />
<br />
Whilst the user password hashes will be replicated to all Azure datacentres around the globe, it is possible to restrict which countries or regions can authenticate against Azure AD.<br />
<br />
This is done through a feature called "Conditional Access" using Location conditions. For example, a company can lock down the users in its Azure tenancy so that only people connecting from an Australian IP address can make authentication attempts against Azure AD.<br />
<br />
For more information on this feature please read:<br />
<br />
<a href="https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/location-condition">https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/location-condition</a></div>
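The Australia-only lock-down described above, built as an added example (not from the post) through the Microsoft Graph API rather than the portal. It assumes the Microsoft.Graph PowerShell module is installed and the signed-in admin can consent to the Policy.ReadWrite.ConditionalAccess scope; the break-glass account id is a placeholder.

```powershell
# Added example: a country named location plus a Conditional Access policy that blocks
# every sign-in originating outside it.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess','Policy.Read.All'
$graph = 'https://graph.microsoft.com/v1.0/identity/conditionalAccess'

# 1. A named location of type "country" covering Australia. IPs whose country cannot be
#    determined are NOT part of the location, so they fall into the blocked set.
$location = Invoke-MgGraphRequest -Method POST -Uri "$graph/namedLocations" -Body @{
    '@odata.type'                     = '#microsoft.graph.countryNamedLocation'
    displayName                       = 'Australia'
    countriesAndRegions               = @('AU')
    includeUnknownCountriesAndRegions = $false
}

# 2. Block all users on all apps from every location except Australia. The policy starts in
#    report-only mode so the sign-in logs show who WOULD have been blocked; change the state
#    to 'enabled' once the report looks right. An emergency-access account is excluded so an
#    admin travelling overseas cannot lock the whole tenant out.
$breakGlassUserId = '00000000-0000-0000-0000-000000000000'   # placeholder object id
$policy = Invoke-MgGraphRequest -Method POST -Uri "$graph/policies" -Body @{
    displayName   = 'Block sign-in from outside Australia'
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users        = @{ includeUsers = @('All'); excludeUsers = @($breakGlassUserId) }
        applications = @{ includeApplications = @('All') }
        locations    = @{ includeLocations = @('All'); excludeLocations = @($location.id) }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}
"Created policy '$($policy.displayName)' ($($policy.id)) in state $($policy.state)"
```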
<div class="blogger-post-footer"></div>Clint Boessenhttp://www.blogger.com/profile/11156487394562821934noreply@blogger.com0tag:blogger.com,1999:blog-3920347219421157797.post-82348739404898169592018-08-08T22:49:00.005-07:002018-08-08T22:49:33.919-07:00PowerShell List Local Administrators on all servers<div dir="ltr" style="text-align: left;" trbidi="on">
I needed to list all Local Administrators on all servers at a company as part of a report.<br />
<br />
I could not find a good PowerShell script which first checked whether each server was online and then sent a WMI query to enumerate the local Administrators.<br />
<br />
Here is a copy of the script I put together:<br />
<br />
<br />
<pre>
# List of hostnames to query, one per line
$serverlist = Get-Content C:\Users\clint-b\serverlist.txt
# Report file; the server name and then its Administrators members are appended here
$outputFile = 'C:\Users\clint-b\localadmins.txt'

foreach ($server in $serverlist)
{
    # Ping the computer
    $pingStatus = Get-WmiObject -Class Win32_PingStatus -Filter "Address = '$server'"
    if ($pingStatus.StatusCode -eq 0)
    {
        Write-Host -ForegroundColor Green "Ping Reply received from $server."
        $server | Out-File -Append $outputFile
        # Pull every group/member association from the server and keep only the local Administrators group
        $admins = Gwmi win32_groupuser -computer $server
        $admins = $admins | ? { $_.groupcomponent -like '*"Administrators"' }
        $admins | fl *PartComponent* | Out-File -Append $outputFile
    }
    else
    {
        Write-Host -ForegroundColor Red "No Ping Reply received from $server."
    }
}
</pre>
<br /><br />
In order to use this script you will need to put together a text file which has all the servers/workstations you want to query. I used DSQUERY to make this text file but you can use numerous tools.<br />
<br />
The text file must have the hostname of each member server on a separate line like:<br />
<br />SERVER1<br />
SERVER2<br />
SERVER3<br />
<br />
Under the Out-File section, specify the location of where you want the data to be stored.</div>
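The report the script produces is a list of raw WMI <b>PartComponent</b> references, which are awkward to review. The following added example (not part of the post) parses that file into one object per member and separates local accounts from domain accounts and groups; the sample content is constructed to match the script's output layout.

```powershell
# Added example: parse the localadmins.txt report into objects.
function ConvertFrom-LocalAdminReport {
    param([Parameter(Mandatory)][string[]]$Lines)

    # A PartComponent looks like \\HOST\root\cimv2:Win32_UserAccount.Domain="CORP",Name="jsmith"
    $pattern = 'Win32_(?<Type>UserAccount|Group|SystemAccount)\.Domain="(?<Domain>[^"]+)",Name="(?<Name>[^"]+)"'
    $server = $null
    foreach ($line in $Lines) {
        $trimmed = $line.Trim()
        if (-not $trimmed) { continue }
        if ($trimmed -notmatch '^PartComponent\s*:') {
            # Any other non-blank line is a server name written by the script.
            $server = $trimmed
            continue
        }
        if ($trimmed -match $pattern) {
            [pscustomobject]@{
                Server  = $server
                Type    = $Matches.Type
                Domain  = $Matches.Domain
                Name    = $Matches.Name
                # A local account carries the computer name as its domain; anything else came from AD.
                IsLocal = ($Matches.Domain -eq $server)
            }
        }
        else {
            Write-Warning "Unparsed line under ${server}: $trimmed"
        }
    }
}

# Constructed sample of what the script appends to localadmins.txt.
$sample = @'
SERVER1
PartComponent : \\SERVER1\root\cimv2:Win32_UserAccount.Domain="SERVER1",Name="Administrator"
PartComponent : \\SERVER1\root\cimv2:Win32_Group.Domain="CORP",Name="Domain Admins"
PartComponent : \\SERVER1\root\cimv2:Win32_UserAccount.Domain="CORP",Name="jsmith"
SERVER2
PartComponent : \\SERVER2\root\cimv2:Win32_UserAccount.Domain="SERVER2",Name="Administrator"
PartComponent : \\SERVER2\root\cimv2:Win32_Group.Domain="CORP",Name="Helpdesk"
'@ -split "`r?`n"

$members = ConvertFrom-LocalAdminReport -Lines $sample
$members | Format-Table Server, Type, Domain, Name, IsLocal -AutoSize

# Domain user accounts granted local admin directly (not through a group) are the entries
# most worth reviewing, so write them out separately.
$members | Where-Object { -not $_.IsLocal -and $_.Type -eq 'UserAccount' } |
    Export-Csv -NoTypeInformation -Path C:\Users\clint-b\directdomainadmins.csv
```

To run it against a real report, replace <b>$sample</b> with <b>Get-Content C:\Users\clint-b\localadmins.txt</b>.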
<div class="blogger-post-footer"></div>Clint Boessenhttp://www.blogger.com/profile/11156487394562821934noreply@blogger.com0tag:blogger.com,1999:blog-3920347219421157797.post-30306909718941404462018-08-06T22:56:00.003-07:002018-08-06T22:56:40.325-07:00Forcefully Reseeding an Exchange Server on Exchange 2010<div dir="ltr" style="text-align: left;" trbidi="on">
One of our customers had an Exchange 2010 DAG with databases on two servers. One of the databases could not be mounted. Before calling us, the customer removed one of the servers as a database copy. So we only had one server with one copy of the Mailbox Database.<br />
<br />
We attempted to re-add the other server as a DAG Member after the customer removed it with the following command:<br />
<br />
<b>Add-MailboxDatabaseCopy -Identity "MAILBOXDATABASE" -MailboxServer "EXCHANGESERVER"</b><br />
<br />
The database copy was created, however the seed failed. This can be caused by real-time anti-virus on Exchange servers without the appropriate exclusions in place, or by a corrupt transaction log or an inconsistent transaction log checkpoint file.<br /><br />
To fix this we forced the seed using the following procedure:<br />
<br />
<br />
<ol style="text-align: left;">
<li>We dismounted the active database.</li>
<li>We suspended the passive copy (if active)</li>
<li>We deleted the <b>EDB and log files</b> from the Passive Server. (You can move these to a different location as an alternative.)</li>
<li>We checked the Active Server was in a clean shutdown state - see <a href="https://clintboessen.blogspot.com/2010/09/flush-transaction-logs-in-exchange.html">https://clintboessen.blogspot.com/2010/09/flush-transaction-logs-in-exchange.html</a></li>
<li>Once we knew the Active Server database was in a clean shutdown, we cleared all transaction logs from the production server only, by moving the logs to a temp folder.</li>
<li>We then re-mounted the Active Server database. This database needed a force mount (<b>Mount-Database DatabaseName -Force</b>)</li>
<li>Lastly we forcefully updated the passive server with the following command:</li>
</ol>
<div>
<b>Update-MailboxDatabaseCopy -Identity "MAILBOXDATABASE\EXCHANGESERVER" -DeleteExistingFiles</b></div>
<div>
<b><br /></b></div>
<div>
The PowerShell window will show a progress bar of the reseed progress.</div>
<div>
<br /></div>
<div>
Hope this post has been helpful.</div>
<br />
<br />
<br /></div>
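The procedure above as one script, written as an added example (not the post's own code), with the clean-shutdown check turned into a hard gate: the logs are only moved aside and the forced mount only happens when the active EDB header reports Clean Shutdown. It is meant to be run in the Exchange Management Shell on the server holding the active copy; the database and server names are the post's placeholders and the log archive folder is an assumed path.

```powershell
# Added example: forced reseed of a passive copy with a clean-shutdown gate.
param(
    [string]$Database      = 'MAILBOXDATABASE',
    [string]$PassiveServer = 'EXCHANGESERVER',
    [string]$LogArchive    = 'D:\LogArchive'   # assumed temp folder for the cleared logs
)

$db = Get-MailboxDatabase -Identity $Database -Status

# Steps 1-2: take the active copy offline and stop replication to the passive copy.
if ($db.Mounted) { Dismount-Database -Identity $Database -Confirm:$false }
Suspend-MailboxDatabaseCopy -Identity "$Database\$PassiveServer" -Confirm:$false

# Step 4: read the active EDB header and refuse to continue unless it is Clean Shutdown.
# A Dirty Shutdown means the logs are still needed to bring the database consistent and
# must NOT be moved away.
$header    = & eseutil.exe /mh $db.EdbFilePath.PathName
$stateLine = $header | Select-String -Pattern '^\s*State:\s*(.+)$' | Select-Object -First 1
if (-not $stateLine) { throw "Could not read the database state from eseutil output." }
$state = $stateLine.Matches[0].Groups[1].Value.Trim()
if ($state -ne 'Clean Shutdown') {
    throw "Active copy of $Database is in state '$state'; the logs cannot be cleared safely."
}

# Step 5: move (not delete) the transaction logs, checkpoint and reserve logs out of the log folder.
New-Item -ItemType Directory -Path $LogArchive -Force | Out-Null
Get-ChildItem -Path $db.LogFolderPath.PathName -Include '*.log','*.chk','*.jrs' -Recurse |
    Move-Item -Destination $LogArchive

# Step 6: force-mount the active copy.
Mount-Database -Identity $Database -Force

# Steps 3 and 7: reseed the passive copy; -DeleteExistingFiles removes the old EDB and
# logs on the passive server, which is what the post did by hand in step 3.
Update-MailboxDatabaseCopy -Identity "$Database\$PassiveServer" -DeleteExistingFiles -Confirm:$false

# Confirm the copy came back healthy before declaring victory.
Get-MailboxDatabaseCopyStatus -Identity "$Database\$PassiveServer" |
    Format-Table Name, Status, CopyQueueLength, ReplayQueueLength, ContentIndexState -AutoSize
```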
<div class="blogger-post-footer"></div>Clint Boessenhttp://www.blogger.com/profile/11156487394562821934noreply@blogger.com0tag:blogger.com,1999:blog-3920347219421157797.post-75627106905561286782018-08-06T22:17:00.003-07:002018-08-06T22:17:42.077-07:00Troubleshooting Account Lockouts<div dir="ltr" style="text-align: left;" trbidi="on">
I often get asked by customers for assistance with troubleshooting account lockout issues, where a user constantly gets locked out but IT doesn't know how they are getting locked out or what device they are being locked out from.<br />
<div>
<br /></div>
<div>
Diagnosing account lockout issues can be a difficult task, as you need to look at the audit logs on the domain controller on which the user's failed authentication request was processed. For companies without audit collection software (software which pulls audit logs from multiple servers into a central place) this can be a difficult task. There are many enterprise auditing products on the market, such as Snare, Splunk, Tripwire, ManageEngine or even Microsoft ACS, which is part of System Centre Operations Manager.</div>
<div>
<br /></div>
<div>
<div>
For companies without an enterprise auditing product, Microsoft has made a simple free tool called Account Lockout Status (LockoutStatus.exe) which just looks at invalid password attempts. This tool queries the audit logs on all domain controllers. It can be downloaded from the following location:</div>
<div>
<br /></div>
<div>
<a href="https://www.microsoft.com/en-gb/download/details.aspx?id=15201">https://www.microsoft.com/en-gb/download/details.aspx?id=15201</a></div>
</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtmQ4VxnB7pkemmZ7YCJuPOhknB6ufJQHBVLgV4xtIaV1_VS5aLbTGHbr_B4oOMEym2dz7ZqqLG0daUQA20dPn2-0npmQrGKiTXkIf2w9K6lhAo9HojqEyIVzV6m02VtNfCZhZDH56gj0/s1600/loginincorrect.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="165" data-original-width="839" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtmQ4VxnB7pkemmZ7YCJuPOhknB6ufJQHBVLgV4xtIaV1_VS5aLbTGHbr_B4oOMEym2dz7ZqqLG0daUQA20dPn2-0npmQrGKiTXkIf2w9K6lhAo9HojqEyIVzV6m02VtNfCZhZDH56gj0/s1600/loginincorrect.png" /></a></div>
<div>
<br />
If we look at the Security log on Bentley-DC we can see the unsuccessful login occurred from AT-LT-03.<br />
<br />
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhEzxCltwwrFd6chEFCMLAmr_S1BMDL0SCnh1NDAA6ucmIhF6XKyHza4_GsIUyK_sWFFZzqMn8vezAmrEr_3KVhmQZswd3We5ZncAcad0UJG7d3G1wODmQRjVgFg0KbY-ohpIXkkFU8u7Q/s1600/loginincorrect.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="446" data-original-width="641" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhEzxCltwwrFd6chEFCMLAmr_S1BMDL0SCnh1NDAA6ucmIhF6XKyHza4_GsIUyK_sWFFZzqMn8vezAmrEr_3KVhmQZswd3We5ZncAcad0UJG7d3G1wODmQRjVgFg0KbY-ohpIXkkFU8u7Q/s1600/loginincorrect.png" /></a></div>
<br />
Hope this post has been helpful.</div>
</div>
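Reading the caller computer off the Security log, as the screenshot above does, can be scripted. The following added example (not part of the post) parses event 4740 (account locked out) into the locked account and the computer the bad attempts came from, and queries the PDC emulator, which records every lockout in the domain. The parser is exercised on a constructed sample event that reuses the names from the screenshots; the live function assumes the ActiveDirectory module is available.

```powershell
# Added example: extract the "Caller Computer Name" from event 4740.
function ConvertFrom-LockoutEvent {
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        $x  = [xml]$EventXml
        $ns = New-Object System.Xml.XmlNamespaceManager($x.NameTable)
        $ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')
        $data = @{}
        foreach ($d in $x.SelectNodes('//e:EventData/e:Data', $ns)) {
            $data[$d.GetAttribute('Name')] = $d.InnerText
        }
        [pscustomobject]@{
            Time           = [datetime]$x.SelectSingleNode('//e:System/e:TimeCreated', $ns).GetAttribute('SystemTime')
            LockedAccount  = $data['TargetUserName']
            # In 4740 the caller computer is carried in TargetDomainName, not in a field of its own.
            CallerComputer = $data['TargetDomainName']
            LoggedOnDC     = $x.SelectSingleNode('//e:System/e:Computer', $ns).InnerText
        }
    }
}

function Get-LockoutSource {
    param([string]$UserName, [int]$Hours = 24)
    # Lockouts are always replicated to the PDC emulator, so one query covers the whole domain.
    $pdc = (Get-ADDomain).PDCEmulator
    $events = Get-WinEvent -ComputerName $pdc -FilterHashtable @{
        LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue
    $events | ForEach-Object { $_.ToXml() } | ConvertFrom-LockoutEvent |
        Where-Object { -not $UserName -or $_.LockedAccount -eq $UserName }
}

# Constructed sample 4740 event (not a real log entry).
$sampleXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <EventID>4740</EventID>
    <TimeCreated SystemTime="2018-08-06T09:12:44.0123456Z"/>
    <Computer>Bentley-DC.example.local</Computer>
  </System>
  <EventData>
    <Data Name="TargetUserName">jsmith</Data>
    <Data Name="TargetDomainName">AT-LT-03</Data>
    <Data Name="TargetSid">S-1-5-21-1-2-3-1105</Data>
    <Data Name="SubjectUserName">BENTLEY-DC$</Data>
  </EventData>
</Event>
'@
ConvertFrom-LockoutEvent -EventXml $sampleXml | Format-List
# Live use against the domain:
# Get-LockoutSource -UserName jsmith | Format-Table Time, LockedAccount, CallerComputer, LoggedOnDC
```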
<div class="blogger-post-footer"></div>Clint Boessenhttp://www.blogger.com/profile/11156487394562821934noreply@blogger.com0tag:blogger.com,1999:blog-3920347219421157797.post-4006162917066517852018-07-26T02:00:00.001-07:002018-07-26T02:00:10.557-07:00Excluding TEMP Directory from User Profile Disks in Remote Desktop Services<div dir="ltr" style="text-align: left;" trbidi="on">
I had a customer with a line of business application attempting to open PDF files on a Server 2016 RD Session Host with User Profile Disks configured.<br />
<ul style="text-align: left;">
<li>When a user attempts to open a PDF document within the application, they get an Access Denied Error.</li>
<li>When a user attempts to open a PDF document from a standard file share, the document opens correctly.</li>
</ul>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi3RptfHW2KPbG4xm6P7aJC6nYuVHYHzuN_Hgsbghu41AtDT_Q8mldeRMcVxv8D0f8vbpX_m2AXOzPx3yRnWB13I3g3N8rgXqB0T5rUpzZPrPoofQVn4vgr83E4HV1w2o6NQ-DvRyDsBj8/s1600/accessdenied.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="162" data-original-width="508" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi3RptfHW2KPbG4xm6P7aJC6nYuVHYHzuN_Hgsbghu41AtDT_Q8mldeRMcVxv8D0f8vbpX_m2AXOzPx3yRnWB13I3g3N8rgXqB0T5rUpzZPrPoofQVn4vgr83E4HV1w2o6NQ-DvRyDsBj8/s1600/accessdenied.png" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
I used Microsoft Sysinternals process monitor to view what was happening. The application was dumping the PDF document to the %TEMP% folder which was in the Profile Disk. This was generating an Access Denied event.</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiCIkq75d0qrGUVyZTJ4aPDGmLhOM4_x19RzW-tqIOH8XTFArETDdy8Zby6fvwfpEsq6J-4_9S0DG56cTmoDRxaM7-8PAg2cmAaTbFAYut_Umy_vp7yjakVOG4AdSYCTjfwqa1pWldKYGM/s1600/processmonitor.PNG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="334" data-original-width="1045" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiCIkq75d0qrGUVyZTJ4aPDGmLhOM4_x19RzW-tqIOH8XTFArETDdy8Zby6fvwfpEsq6J-4_9S0DG56cTmoDRxaM7-8PAg2cmAaTbFAYut_Umy_vp7yjakVOG4AdSYCTjfwqa1pWldKYGM/s1600/processmonitor.PNG" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
During troubleshooting, I mounted one of the User Profile Disks and granted "EVERYONE" Full Control to AppData\Local\Temp folder as a test, unmounted the disk and got the user to login.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
What I noticed was any changes to NTFS permissions on a UPD get reset back to default by RDS automatically upon user login. Only the User, Administrators and SYSTEM have full control to all files/folders within a User Profile Disk.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
I then looked at excluding the TEMP directory from the User Profile Disk, as there is a way of adding exclusions in the GUI. There seems to be a known issue with excluding folders from user profile disks: the feature doesn’t appear to work, and there are many threads about it.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both;">
I tried the following formats:</div>
<div class="separator" style="clear: both;">
<br /></div>
<div class="separator" style="clear: both;">
%TEMP%</div>
<div class="separator" style="clear: both;">
AppData\Local\Temp</div>
<div class="separator" style="clear: both;">
\AppData\Local\Temp</div>
<div class="separator" style="clear: both;">
%userprofile\AppData\Local\Temp</div>
<div class="separator" style="clear: both;">
<br /></div>
<div class="separator" style="clear: both;">
All had no effect.</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgGJwo28_Oq4DFekDdIg9sEKluku3QMLj7IEjLQ9bSmQQUAqx5gujoQNuj9zQ8JMlquc9gOGIbVwdTcx0qM8qwv3GoW66Un3q6639T5wSYc9aPiSE30uTvtKvzzpj0CgPKiVMfJQme2BOU/s1600/excludefoldersfromuserprofiledisk.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="593" data-original-width="735" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgGJwo28_Oq4DFekDdIg9sEKluku3QMLj7IEjLQ9bSmQQUAqx5gujoQNuj9zQ8JMlquc9gOGIbVwdTcx0qM8qwv3GoW66Un3q6639T5wSYc9aPiSE30uTvtKvzzpj0CgPKiVMfJQme2BOU/s1600/excludefoldersfromuserprofiledisk.png" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
As a workaround, instead of selecting <b>"Store all user settings and data on the user profile disk"</b>, I selected <b>"Store only the following folders on the user profile disk"</b>. I then selected all of the listed folders, which covers the entire user profile apart from the AppData and Favorites directories.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhfvhg2dEyJcf5J-j4Svec7yOHhgo-3RgAU9wQQ6Q2WCdH_8xffqbcxXUeS4aEpmAtSDSsMqs8cwege-nEhTQoUchJDfak6Ih13Uid2Na94CfZvhLsC7ryk5P9ymwRQ2PwELYUk6DXCyyY/s1600/excludefoldersfromuserprofiledisk2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="593" data-original-width="735" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhfvhg2dEyJcf5J-j4Svec7yOHhgo-3RgAU9wQQ6Q2WCdH_8xffqbcxXUeS4aEpmAtSDSsMqs8cwege-nEhTQoUchJDfak6Ih13Uid2Na94CfZvhLsC7ryk5P9ymwRQ2PwELYUk6DXCyyY/s1600/excludefoldersfromuserprofiledisk2.png" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="MsoNormal">
As you can see, AppData doesn’t have a redirect icon on it, while all the other folders in the profile do.<o:p></o:p></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0mfvaiZCv_G0OEYiM0Lrpuj7GdbgSISd7Bkm_Hs_nQ29ke3KK7FR2b03aM28XN5f_ZGJbAij1ijqeOHZx7qJyg-FouBPVEAGYehH0i2r4Ot5d0uP9z1R70btmd76RRJyLp0oZoBLSZ8Y/s1600/excludefoldersfromuserprofiledisk3.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" data-original-height="488" data-original-width="778" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0mfvaiZCv_G0OEYiM0Lrpuj7GdbgSISd7Bkm_Hs_nQ29ke3KK7FR2b03aM28XN5f_ZGJbAij1ijqeOHZx7qJyg-FouBPVEAGYehH0i2r4Ot5d0uP9z1R70btmd76RRJyLp0oZoBLSZ8Y/s1600/excludefoldersfromuserprofiledisk3.png" /></a></div>
<div class="separator" style="clear: both; text-align: left;">
After making this change, the line of business application was able to open PDF documents with Adobe Reader again.</div>
</div>
<div class="blogger-post-footer"></div>Clint Boessenhttp://www.blogger.com/profile/11156487394562821934noreply@blogger.com0