Exchange Server fix logon error

In Exchange 2013 and 2016, after an upgrade you might get an error when logging in to Outlook Web App. The URL of the error page looks like this: owa/auth/errorFE.aspx?httpCode=500

Cause

This issue occurs if the Exchange Server Open Authentication (OAuth) certificate is expired, not present, or not configured correctly.

How to solve

To check the status of your existing OAuth certificate, run the following command in the Exchange Management Shell:

(Get-AuthConfig).CurrentCertificateThumbprint | Get-ExchangeCertificate | Format-List

If the command returns an error, or the certificate has expired, use the steps below to create and deploy a new OAuth certificate on the Exchange server.

STEP 1: Create a new OAuth certificate by running the following command:

New-ExchangeCertificate -KeySize 2048 -PrivateKeyExportable $true -SubjectName "cn=Microsoft Exchange Server Auth Certificate" -FriendlyName "Microsoft Exchange Server Auth Certificate" -DomainName @()

STEP 2: Set the new certificate for server authentication by running the following commands. Make sure to replace the placeholder with the thumbprint of the certificate created in step 1.

Set-AuthConfig -NewCertificateThumbprint <ThumbprintFromStep1> -NewCertificateEffectiveDate (Get-Date)
Set-AuthConfig -PublishCertificate
Set-AuthConfig -ClearPreviousCertificate

To apply all changes you will need to restart the following services:

  • Microsoft Exchange Service Host Service
  • World Wide Web Publishing Service

After this, be patient: it can take more than 3 hours before everything works again, depending on the number of domains.
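The check and the two steps above can be combined into one script so that the thumbprint from step 1 is captured automatically instead of being copied by hand. This is an added example, not code from the original post; it assumes it runs in the Exchange Management Shell on the Exchange server, and the function names are my own.

```powershell
# Added example (not from the original post): check the current Exchange OAuth certificate
# and, only if it is missing or expired, renew it with the same steps described above.
# Assumes it runs in the Exchange Management Shell on the Exchange server.

function Test-ExchangeAuthCertificate {
    # Returns $true when a valid (not yet expired) OAuth certificate is configured.
    $thumb = (Get-AuthConfig).CurrentCertificateThumbprint
    if ([string]::IsNullOrEmpty($thumb)) {
        Write-Warning "No OAuth certificate thumbprint is configured in AuthConfig."
        return $false
    }
    $cert = Get-ExchangeCertificate -Thumbprint $thumb -ErrorAction SilentlyContinue
    if (-not $cert) {
        Write-Warning "AuthConfig points at thumbprint $thumb, but no such certificate exists."
        return $false
    }
    if ($cert.NotAfter -lt (Get-Date)) {
        Write-Warning ("OAuth certificate {0} expired on {1}." -f $thumb, $cert.NotAfter)
        return $false
    }
    Write-Host ("OAuth certificate {0} is valid until {1}." -f $thumb, $cert.NotAfter)
    return $true
}

function Update-ExchangeAuthCertificate {
    # STEP 1: create the new certificate and keep its thumbprint from the returned object.
    $newCert = New-ExchangeCertificate -KeySize 2048 -PrivateKeyExportable $true `
        -SubjectName "cn=Microsoft Exchange Server Auth Certificate" `
        -FriendlyName "Microsoft Exchange Server Auth Certificate" -DomainName @()
    $newThumb = $newCert.Thumbprint
    Write-Host "Created new OAuth certificate with thumbprint $newThumb"

    # STEP 2: make it the server authentication certificate, publish it, drop the old one.
    Set-AuthConfig -NewCertificateThumbprint $newThumb -NewCertificateEffectiveDate (Get-Date)
    Set-AuthConfig -PublishCertificate
    Set-AuthConfig -ClearPreviousCertificate

    # Restart the two services named above so the new certificate is picked up.
    Restart-Service -Name MSExchangeServiceHost   # Microsoft Exchange Service Host
    Restart-Service -Name W3SVC                   # World Wide Web Publishing Service
    return $newThumb
}

if (-not (Test-ExchangeAuthCertificate)) {
    Update-ExchangeAuthCertificate
}
```

The check function reports the three causes named above (no thumbprint configured, thumbprint pointing at a certificate that no longer exists, certificate expired) separately, so you know which one you are dealing with before anything is changed.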

Azure OMI Vulnerability

Microsoft has released multiple security updates in the last Patch Tuesday. One of them fixes a high-risk vulnerability (CVE-2021-38647), also known as OMIGOD. This vulnerability can be exploited remotely, so exploitation is expected soon.

This flaw doesn’t directly affect Windows at all, because it’s a bug in Microsoft’s open source Open Management Infrastructure (OMI) tool, which is designed for Linux in general and for Azure-hosted Linux servers in particular. However, a lot of resources in Azure do use it.

A brief overview

Simplified, OMI is Microsoft’s Linux-based answer to WMI, which sysadmins use to manage their Windows networks.

Like WMI, the OMI code runs as a privileged process on your servers so that sysadmins, and system administration software, can query and control what’s going on, such as enumerating processes, kicking off utility programs, and checking system configuration settings.

Unfortunately, cyber criminals love WMI/OMI as much as we sysadmins do.

Sadly, OMIGOD is an OMI bug that, in theory, offers criminals the same sort of distributed power over your Linux servers…


Renewed my Azure Solutions Architect Expert certification

Today I had to renew my Azure Solutions Architect Expert certification. This was the first time I had to do that. By going to your certification profile you can take an online exam with just 26 questions about the numerous things that have changed in the past year.

I have to say this is a nice way of renewing; it made me think, search, and update my Azure knowledge.

How to install and setup AD Connect (Manual)

In this manual I am going to explain how to install and set up a connection between on-premises Active Directory and Azure AD.

What are Azure AD Connect and Connect Health? | Microsoft Docs

Pre-requisites:

STEP 1: First we will need to install AD Connect. Run the setup wizard and follow the steps; this is an easy process. After installation the configuration wizard starts, and this is where it gets interesting.

STEP 2: Let’s go through the wizard. First agree with the license terms and click Continue. Feel free to actually read the license terms 🙂


Ethical hacking training at HBO Drechtsteden

Today I had the honor of giving another Ethical Hacking workshop together with Erik Loef. It is always good to share your knowledge and help other people with their work, now and in the future. I hope that these students will embrace what they have learned, and that they will apply this newly obtained knowledge at their (future) employers.


In memoriam – Nelleke den Boer

You might have noticed that it’s been quiet on 2azure.nl. On the 19th of November my wife became very ill; with unknown brain damage she was hospitalized in the Erasmus University Medical Center. Despite all efforts she passed away on the 6th of December 2019 at the age of 29.

She was my soulmate in everything. Caring for me, for our children, and always interested in other people. Such a lovely wife. You are always in my heart.

Nelleke den Boer – Brouwer | 06-01-1990 – 06-12-2019

Update Exchange Online Global Address List (GAL)

There are situations where you would like to force an update of the Exchange Global Address List (GAL) in Office 365. With a few steps this can easily be done!

Requirements:

Exchange Online PowerShell V2 module (EXO V2). Install it with: Install-Module -Name ExchangeOnlineManagement, then load it with: Import-Module -Name ExchangeOnlineManagement

STEP 1: First we will need to make sure that our admin account has the correct permissions. Go to the Exchange Online Admin center, then to Permissions – Admin roles, and click on the + sign to add a new role.

We will now create a new role group. Give it the name Address List Management, assign it the role Address Lists, and make sure to add the administrator account as a member. Click Save when ready.


Azure Data Share in Preview

Microsoft has announced a new service: Azure Data Share. It is a new data service for sharing data across organizations. It can be used to easily share big files and data with external organisations instead of using FTP or other data sharing services.

Azure Data Share, view of sent shares in the Azure portal

Read the Microsoft official announcement for more information:
https://azure.microsoft.com/en-us/blog/announcing-preview-of-azure-data-share/

Watch the video to learn more about Azure data share:
https://channel9.msdn.com/Shows/Azure-Friday/Share-data-simply-and-securely-using-Azure-Data-Share/player?format=ny

Security & Ethical Hacking hands-on labs

Today I gave a hands-on lab with Erik Loef on security and ethical hacking. We had created 5 different labs for the 21 participants to teach them more about security. This way we allowed them to think like a hacker, find weaknesses in a system, and learn how to take measures against hackers. We created the following 5 labs:

  • Wi-Fi hacking (retrieve login details from end users by using a rogue access point)
  • Create your own virus
  • Exploit a backdoor in Windows
  • Hack a webserver
  • From user to domain admin in 15 minutes

All sessions were created to teach about security. With Azure and Office 365 we do our utmost to secure your environment. I hope to give you more information in the near future on how to improve security in Azure and Office 365.

Azure AD Domain Services an option or not?

Frequently I get the question: how are we going to manage our legacy Azure IaaS servers? Should we deploy domain controllers, or should we set up a VPN connection to our on-premises environment?

Before we can start answering these questions we will need to learn more about Azure AD DS.

Azure AD Domain Services provides managed domain services such as domain join, group policy, LDAP, and Kerberos/NTLM authentication, the same as traditional domain controllers. You can consume these domain services without having to deploy, manage, and patch domain controllers in the cloud. Azure AD Domain Services integrates with your existing Azure AD tenant, making it possible for users to log in using their corporate credentials. The managed domain is made available in a VNet of your choice.

Azure AD Domain Services Overview

Azure AD DS works with cloud-only tenants or with tenants synced from on-premises AD. Important to know is that password hash synchronization is mandatory for hybrid organizations that want to use Azure AD Domain Services. This requirement exists because the users’ credentials are needed in the managed domain to authenticate using NTLM or Kerberos.


Outlook 2016 search not working

Recently I was notified by a customer that Outlook search wasn’t working as expected anymore (search not working at all, or missing results). After some searching I found out that this was caused by a Windows 10 update in which a shared DLL was updated: KB4467684

In the end there is a quick fix: run a simple command that repairs the affected MSWB7.dll file: sfc /scannow (run as administrator)


Azure AD exclude user from password expiration policy

Connect to Azure AD with PowerShell:

Connect-AzureAD

To get an overview of all users, run the following command:

Get-AzureADUser

If you have the UserPrincipalName or email address, you can shorten the list to just that single user by adding a filter:

Get-AzureADUser -ObjectId <UserPrincipalName>

The next task is to apply the password policy that disables password expiration to this user. Run the following command:

Set-AzureADUser -ObjectId <UserPrincipalName> -PasswordPolicies DisablePasswordExpiration

Once this has been completed, verify that the policy has been set correctly with the following command:

Get-AzureADUser -ObjectId <UserPrincipalName> | Format-List UserPrincipalName,PasswordPolicies
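The same steps wrapped in a function that reads the setting back instead of trusting that the change applied, plus a second function that lists every account in the tenant that carries the exemption, so these exceptions do not get lost. This is an added example, not code from the original post; it assumes the AzureAD module is loaded and Connect-AzureAD has already run, and the function names and the UPN in the usage line are made up.

```powershell
# Added example (not from the original post): exempt one user from password expiration,
# verify the result, and list every account that carries the exemption.
# Assumes the AzureAD module is loaded and Connect-AzureAD has already run.

function Set-NoPasswordExpiration {
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    # Fails early if the UPN does not resolve to an account.
    $user = Get-AzureADUser -ObjectId $UserPrincipalName
    Set-AzureADUser -ObjectId $user.ObjectId -PasswordPolicies DisablePasswordExpiration

    # Read the setting back; PasswordPolicies can hold several comma-separated values,
    # so match on the substring rather than on equality.
    $check = Get-AzureADUser -ObjectId $user.ObjectId
    if ($check.PasswordPolicies -notlike '*DisablePasswordExpiration*') {
        throw "Policy was not applied to $UserPrincipalName (current value: '$($check.PasswordPolicies)')"
    }
    return $check | Select-Object UserPrincipalName, PasswordPolicies
}

function Get-PasswordExpirationExemptions {
    # Every user whose password never expires. Review this list regularly: these accounts
    # never rotate their password, so they deserve MFA and a documented reason at minimum.
    Get-AzureADUser -All $true |
        Where-Object { $_.PasswordPolicies -like '*DisablePasswordExpiration*' } |
        Select-Object UserPrincipalName, AccountEnabled, PasswordPolicies
}

# Usage (hypothetical UPN):
Set-NoPasswordExpiration -UserPrincipalName 'jane.doe@contoso.example'
Get-PasswordExpirationExemptions | Format-Table -AutoSize
```

The audit function is the part worth keeping around: an exemption set once for a service or shared mailbox tends to be forgotten, and listing them by account is the quickest way to see which accounts no longer need it.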