Categories
2007 2010 2013 crm exchange

CRM Router and Exchange 2010

To configure the CRM Email Router with Exchange 2010 you need to do the following. Not all of these points are clearly documented on the internet.

  1. Create a mailbox (CRM_Router@domain.com)
  2. Set password never to expire
  3. Ensure that the mailbox is not hidden from the address list
  4. Login to above mailbox
  5. Enable impersonation with the following Exchange Management Shell command:
    New-ManagementRoleAssignment -Name:"ApplicationImpersonation-CRM Router" -User:"CRM_Router@domain.com" -Role:"ApplicationImpersonation"
  6. [Optional] See http://blogs.msdn.com/b/crm/archive/2009/12/21/how-to-configure-microsoft-dynamics-crm-4-0-e-mail-router-on-premise-with-microsoft-exchange-server-2010.aspx for EMS commands to limit the scope of the CRM_Router user account
  7. Configure the CRM Email Router as per http://snackbox.microsoft.com/pages/snackdetail.aspx?itemId=152&userId=&caid=&csId=%257b4c712394-1373-4d8e-b85e-369111823def%257d%2540%257b4a9965c4-db36-4193-9e83-32347ea3b0f1%257d
  8. Ensure that CRM_Router@domain.com is a CRM System Administrator level account.
Categories
2007 2010 2013 ADFS ADFS 2.0 certificates exchange exchange online https hybrid IAmMEC ISA Server 2006 mcm Office 365 SSL tmg

Changing ADFS 2.0 Endpoint URL for Office 365

If you are configuring single sign-on for Office 365 then you will need a server running Active Directory Federation Services 2.0 (ADFS 2.0). When you install this you are asked for a URL that acts as the endpoint for the ADFS service, which, if you are publishing that endpoint through a firewall such as TMG, needs to appear on a mutually trusted certificate as either the subject name or a subject alternative name.

The documentation uses sts.yourdomain.com, which means you need to have this as a valid name on the certificate. I use StartCom SSL, which provides cheap certificates (approx. $100 for as many certificates as you like), but changing a certificate to add an additional subject alternative name requires revoking the current certificate, and that comes at an additional cost.

So I have a certificate with lots of names on it for my domain, just not sts.mydomain.com, so I set about changing the endpoint in ADFS 2.0.

Firstly, open the ADFS 2.0 administrative console and select the root node.

Click Edit Federation Service Properties in the Action Pane and modify the three values on the General tab.

After clicking OK, restart the AD FS 2.0 Windows Service.

After the restart, create a new Token-Signing Certificate and Token-Decrypting Certificate. These are self-signed certificates. To allow you to add these you need to turn off automatic certificate rollover if it is enabled. This can be done from PowerShell using Set-ADFSProperties -AutoCertificateRollover $false; this cmdlet is available in Windows PowerShell Modules in the Administrative Tools menu.

To update Office 365, start the Microsoft Online Services Module for Windows PowerShell, installed as part of the Office 365 rich co-existence process. In this PowerShell window you first need to log in to Office 365 (Connect-MsolService) and point PowerShell at the ADFS server (Set-MsolADFSContext -Computer ADFS_ServerName). Then type Update-MsolFederatedDomain -DomainName yourFederatedDomain.com. Finally, type Get-MsolFederatedDomain -DomainName yourFederatedDomain.com to ensure that the returned URLs and certificates are correct.

Now it's time to update the TMG rule, or create a new one. The listener in TMG must have the same third-party certificate and be for HTTPS, with the Public Name matching the certificate subject/subject alternative name and the Path value set to /adfs/*. The To page needs to be set with the same URL and the internal IP address of the ADFS 2.0 server.

And that should be it. Once Update-MsolFederatedDomain -DomainName yourFederatedDomain.com has completed, both sides of the federation trust are aware of the certificate change and automatic login to http://outlook.com/yourFederatedDomain.com should work.

Categories
2007 2010 2013 exchange IAmMEC mcm

.DLL Errors and Blackberry Enterprise Server

During a configuration of Blackberry Enterprise Server today I found that I was getting .DLL errors when trying to create a MAPI profile on the BES Server (v5.0.2) when running IEMSTest.

Well, it was not the usual stuff. It ended up being the alias that had been assigned to the BESAdmin account. The policy at the company where I am installing Exchange 2010 is last_first@domain.com, but the BESAdmin account does not have a first or last name and so got an email address of _9c73@domain.com. So although I could log in to OWA, I could not do a MAPI login (IEMSTest or Outlook), because the alias was not BESAdmin as they default to.

Once I changed the SMTP Address to BESAdmin@domain.com then it all worked fine.

Categories
2007 2010 2013 exchange exchange online IAmMEC mcm mcsm

Random Chinese Characters in Exchange 2010 SP1 Emails

I have been sent a few emails from a client that start like this:

格tml> 格ead> 猼tyle㰾!– .hmmessage P { margin:0px; padding:0px } body.hmmessage { font-size: 10pt; font-family:Tahoma } –>⼼style> ⼼head> 㰊body class=’hmmessage’>

The HTML characters repeat throughout the message, but not on every message, though those sent from Hotmail are typically affected (but it is not always Hotmail).

The problem is due to the email having a character encoding in the charset META tag that differs from the character encoding declared in the MIME part, combined with an HTML disclaimer having been added. When Exchange 2010 SP1 adds the HTML disclaimer it re-encodes the message, and because the wrong character set information is read this results in a corrupt message.

The fix for this has been documented in KB969129, which refers to Exchange 2007, but the same fix is true for Exchange 2010 SP1.

The fix is to add the DisableDetectEncodingFromMetaTag key to EdgeTransport.exe.config. This file can be found in \Program Files\Microsoft\Exchange Server\V14\bin and can be opened in Notepad. Make a backup of the file before you change it, and then add the key to the appSettings section of the file.
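The entry that goes into the appSettings section, shown here as an added fragment rather than a copy from the original post; it assumes the key takes the value true as documented in KB969129, and the surrounding configuration element is abbreviated:

```xml
<configuration>
  <appSettings>
    <!-- Stop the transport service trusting the charset in the HTML META tag;
         the MIME part's declared encoding is used instead (KB969129). -->
    <add key="DisableDetectEncodingFromMetaTag" value="true" />
  </appSettings>
</configuration>
```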

After you save the config file you need to restart the Microsoft Exchange Transport service for the setting to take effect.

Categories
2003 2007 activesync exchange mobile phones pki

Enabling ActiveSync on a Sony P1i with a GoDaddy Certificate

GoDaddy-issued certificates are not trusted by the Sony P1i phone, so if you are using a GoDaddy-issued digital certificate for ActiveSync on one of these phones you will be prompted to accept the certificate at each sync. As this defeats the purpose of push email sync, you will want to stop the prompt.

You do this by installing the GoDaddy trusted root certificate. On any Windows computer that works when connecting to a website protected with your GoDaddy certificate run mmc.exe and add the Certificates snap-in, selecting the local user option. Browse to Trusted Root Certification Authorities and click on the Certificates node. Find and right-click the Go Daddy Class 2 Certification Authority and choose All Tasks > Export. Export the certificate as a DER encoded binary X.509 (.CER) file to a folder on that computer.

Email that file to the owner of the Sony P1i and sync the phone to download their email (confirming the prompt that we want to remove). Open the email and download the attachment. Once the attachment is downloaded (which might involve syncing again and confirming the certificate prompt) open the attachment. The phone will install the certificate into its certificate store. No more prompts!

Categories
2007 Outlook

Blogger Blogs in Outlook – Incorrect Dates

This has been obvious to me for a while – whenever I viewed this blog in Outlook 2007 via the common RSS feed store, the dates were all incorrect and so new posts appeared at random within the list.

I finally found a fix yesterday: the feed was based on Atom rather than RSS. I have therefore changed the subscribe link on the site to add ?alt=rss to the end of the link.

If you subscribe to this blog please delete it from your feed store in IE 7 and resubscribe at http://reidablog.blogspot.com/feeds/posts/default?alt=rss.

Categories
2007 exchange

Exchange Server 2007 Rollup Update 5

The latest version of the Exchange 2007 update is Update Rollup 5 for Exchange Server 2007 – this can be downloaded from here (64 bit and 32 bit versions now available).

Microsoft plan to do these releases rather than issue hotfixes as the method of engineering Exchange has changed since the previous versions, and KB937194 describes why this is. Each update rollup contains all the previous updates, so you only need to deploy this patch and not any earlier patches as well.

If you have not yet installed Exchange 2007, copy this patch to the Updates folder on your installation point and it will get slipstreamed into the installation automatically upon running Setup.

Note that unlike updates #1 and #2, a 32bit version of this update is available so this update can be applied to test and virtual computer systems and labs.

Categories
2007 2008 exchange

Exchange 2007 Clustering on Windows 2008

I have just spent an hour or three installing two Windows 2008 Enterprise Edition boxes to create an Exchange 2007 SCC cluster using Microsoft Virtual Server 2005 R2 to create the environment.

But I did not get that far, as Windows Server 2008 Failover Clustering shared storage requires SAS (Serial Attached SCSI) or iSCSI and not traditional parallel SCSI. Microsoft Virtual Server 2005 R2 only emulates IDE (not supported for clusters anyway) or parallel SCSI. So I could not create a failover cluster with shared storage tonight.

I will install the iSCSI target that I have and try again in a few weeks.

Categories
2003 2007 active directory error exchange kerberos virtual pc virtual server

ERROR_REPLICA_SYNC_FAILED_THE TARGET PRINCIPAL NAME IS INCORRECT

This rather imposing message is found if you try to force replication between two Active Directory Domain Controllers when one controller's machine account password is out of sync with the password as stored on the other domain controller.

I have seen this a number of times on Virtual PC or Virtual Server Active Directory deployments with more than one DC in the virtual environment.

So, how do you fix it:

  1. On the DC that is broken (the one that when using replmon reports the error above) set the Kerberos Key Distribution Center Service to manual and stop the service.
  2. From a command prompt on the broken DC enter the following:
    netdom resetpwd /s:name_of_working_DC /ud:domain\user /pd:*
    where domain\user is an administrator of the domain in the domain_name\user_name format. You will be prompted to enter your password.
  3. Upon pressing Enter, if the command fails then restart the broken DC and repeat the above command (this restart clears the Kerberos ticket cache and so clears the broken credential attempts that it has stored).
  4. Upon successful completion of the command in step 2 restart the broken DC. You must do this even if done already in step 3.
  5. Check that replication is working, and if so restart the Kerberos Key Distribution Center Service and set the service back to automatic.

This is a summary of Microsoft Knowledgebase Article 325850, with some more specific detail mentioned.

Categories
2007 exchange hotfix update

Update Rollup # For Exchange Server 2007

Blog updated 22nd February 2008

As Microsoft plan to release Update Rollups for Exchange Server 2007 every six to eight weeks (see KB937194), I will use this blog entry to list the current latest update:

The latest version of the Exchange 2007 update is Update Rollup 6 for Exchange Server 2007 – this can be downloaded from here (64 bit and 32 bit versions now available).

Microsoft plan to do these releases rather than issue hotfixes as the method of engineering Exchange has changed since the previous versions, and KB937194 (see earlier) describes why this is. Each update rollup contains all the previous updates, so you only need to deploy this patch and not any earlier patches as well.

If you have not yet installed Exchange 2007, copy this patch to the Updates folder on your installation point and it will get slipstreamed into the installation automatically upon running Setup.

Note that unlike updates #3, #4 and #5, a 32bit version of this update is not currently available.

Categories
2007 certificates exchange iis microsoft pkcs powershell web

Creating Subject Alternative Name Certificates with Microsoft Certificate Server

A new feature in digital certificates is the Subject Alternative Name property. This allows you to have a certificate for more than one URI (e.g. www.c7solutions.com and www.c7solutions.co.uk) in the same certificate. It also means that in web servers such as IIS you can bind this certificate to the site and use up only one IP address.

A number of commercial companies now sell certificates with the Subject Alternative Name field set, but this article describes how to use the Exchange Server 2007 command line to create certificate requests for other web sites that can be uploaded to Microsoft Certificate Server (which does not support this property in its own web pages) to create certificates for web servers such as IIS (which also do not support this property in the requests that they make).

The command that you need to run is via PowerShell, and specifically via the Microsoft Exchange Server 2007 extensions to PowerShell. So start up the Microsoft Management Shell and enter the following (replacing your domain names as indicated):

New-ExchangeCertificate -GenerateRequest:$true -Path c:\newCert.req -DomainName www.domain.com,sales.domain.com,support.domain.com -PrivateKeyExportable:$true -FriendlyName "My New Certificate" -IncludeAcceptedDomains:$false -Force:$true

The DomainName property is set to each URL that you want the certificate to be valid for, with the first value in the string being the value for the Subject field and all the values each being used in the Subject Alternative Name field.

Once you have executed the command above you will have a file with the name set in the Path property. This file can be opened in Notepad and used in Microsoft Certificate Services:

  1. Browse to your Microsoft Certificate Services URL and click Request a certificate
  2. Click advanced certificate request
  3. Click submit a certificate…
  4. Copy and paste the entire text of the certificate request from Notepad into the Saved Request field on this page and select Web Server as the Certificate Template. Click Submit.
    • With a default installation the Web Server template value will not be present, and it needs to be enabled by your Certificate Services administrator for your user account
  5. With the default installation of Certificate Services, the certificate will now be ready to download. Click Download certificate (or Download Certificate Chain if the end server does not trust your issuer) to save your certificate to the computer.
  6. Install the certificate on to the same computer that you issued the request from (this is a very important step), and then you can export the certificate and import it on your web server or firewalls.

To install the certificate, run the Import-ExchangeCertificate PowerShell command on the same computer as the request was issued from (this is very important: it must be on the same computer, because that is where the private key was generated). This is a simpler command to run than the creation of the request above.

The syntax of this command is (where the filename is the name of the file downloaded above):

Import-ExchangeCertificate c:\newCert.cer

To export the certificate to your web server or firewall you need to open the local computer certificate store in the Microsoft Management Console: run mmc, add a snap-in and choose Certificates, Computer account. You will find your certificates under the Personal store. You can right-click these certificates and export them (with the private key) to a .pfx file. This file can then be imported on the web server or firewall using an MMC with the Certificates (Computer account) snap-in loaded into it.

Categories
2007 exchange powershell upgrade

Exchange Management Shell

I need a place to store useful Powershell commands for the administration of Exchange Server 2007, so I thought I would add them here:

Upgrading Exchange Organisation
Place Replicas of Public Folders on New Exchange Server

Get-PublicFolder -Recurse | Set-PublicFolder -Replicas:"server\public folder database","server\public folder store (server)"

Enable ActiveSync Policy for Windows Mobile 2003 Smartphones and Pocket PC’s

New-ActiveSyncMailboxPolicy "Windows Mobile 2003 Users" -AttachmentsEnabled:$false -DevicePasswordEnabled:$false -AlphanumericDevicePasswordRequired:$false -PasswordRecoveryEnabled:$false -DeviceEncryptionEnabled:$false -AllowNonProvisionableDevices:$true -AllowSimpleDevicePassword:$false -DevicePasswordExpiration:unlimited -WSSAccessEnabled:$false -UNCAccessEnabled:$false

Enable ActiveSync Policy for Windows Mobile 5 Smartphones and Pocket PC’s

New-ActiveSyncMailboxPolicy "Windows Mobile 5 Users" -AttachmentsEnabled:$true -DevicePasswordEnabled:$true -AlphanumericDevicePasswordRequired:$false -PasswordRecoveryEnabled:$true -DeviceEncryptionEnabled:$false -MinDevicePasswordLength:4 -MaxInactivityTimeDeviceLock:00:15:00 -MaxDevicePasswordFailedAttempts:8 -AllowNonProvisionableDevices:$false -AllowSimpleDevicePassword:$false -DevicePasswordExpiration:unlimited -WSSAccessEnabled:$true -UNCAccessEnabled:$true

Set ActiveSync Policy Against All Users for a Given Policy

Get-Mailbox -ResultSize Unlimited | Set-CASMailbox -ActiveSyncMailboxPolicy:"Name Of Policy"

Categories
2007 2010 2013 exchange

P1 and P2 Headers in SMTP

P1 = the address on the MAIL FROM command of the SMTP connection (the message envelope), as defined in RFC 821.
P2 = the email addresses in the message headers, as defined in RFC 822. These include the From, Reply-To and Sender header fields.

For example, the following SMTP command sequence describes where P1 and P2 are used:

HELO server
MAIL FROM:<this_is@my_p1_address.com>
RCPT TO:<recipient@domain.com>
DATA
From: this_is@my_p2_address.com
To: recipient@domain.com
Subject: This is a blog on P1 and P2

This is the text of the message
.

The MAIL FROM value should be your email address, but it does not have to be (which is one of the reasons why spam is so prevalent).
The From: header should match this, but the From: header is what is displayed in the email in Outlook (and other clients). The P1 address is used for routing and not for display.

If the connection to an Exchange Server is anonymous then the P2 address will contain the display name and the email address, but if it is an authenticated connection then the P2 email address will be resolved to the value in the address book and this value will be displayed.
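To make the P1/P2 distinction concrete, here is an added example (not from the original post) that walks a captured SMTP session, pulls out the envelope sender and the From/Sender/Reply-To header addresses, and flags the case where the displayed address does not match the routing one. The session text is constructed from the transcript above with a Reply-To header added; a null reverse-path (MAIL FROM:<>, used for bounces) is treated as legitimate rather than as a mismatch.

```python
import re
from email.utils import parseaddr

# Constructed SMTP session based on the transcript in the post (Reply-To added).
SESSION = """\
HELO server
MAIL FROM:<this_is@my_p1_address.com>
RCPT TO:<recipient@domain.com>
DATA
From: Some Person <this_is@my_p2_address.com>
Reply-To: replies@my_p2_address.com
To: recipient@domain.com
Subject: This is a blog on P1 and P2

This is the text of the message
.
"""

P2_HEADERS = ("from", "sender", "reply-to")


def parse_session(text):
    """Return (p1, p2): p1 is the MAIL FROM address (None for the null sender '<>'),
    p2 maps lower-cased header name -> address for the From/Sender/Reply-To headers."""
    p1, p2 = None, {}
    in_data = in_headers = False
    for raw in text.splitlines():
        line = raw.rstrip("\r")
        if not in_data:
            m = re.match(r"MAIL FROM:\s*<([^>]*)>", line, re.IGNORECASE)
            if m:
                p1 = m.group(1) or None        # '<>' is the null reverse-path (bounces)
            elif line.strip().upper() == "DATA":
                in_data = in_headers = True     # everything after DATA is the RFC 822 message
            continue
        if in_headers:
            if line == "":
                in_headers = False              # blank line ends the header block
                continue
            name, sep, value = line.partition(":")
            if sep and name.strip().lower() in P2_HEADERS:
                # parseaddr strips any display name: 'Some Person <a@b>' -> 'a@b'
                p2[name.strip().lower()] = parseaddr(value.strip())[1]
        elif line == ".":
            break                               # lone '.' terminates DATA
    return p1, p2


def p1_p2_mismatch(p1, p2):
    """True when the displayed From address (P2) differs from the routing address (P1).
    A null P1 is a bounce, where no match is expected, so it is not flagged."""
    if p1 is None or "from" not in p2:
        return False
    return p1.lower() != p2["from"].lower()
```

Running parse_session on the constructed session shows the routing address and the displayed address disagree, which is exactly the gap a mail filter has to reason about when deciding what the recipient will see.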