
Error:
Encountered error during federation passive request.

Exception details:
Microsoft.IdentityServer.RequestFailedException: MSIS7065: There are no registered protocol handlers on path /adfs/ls/idinitatedsignon.aspx to process the incoming request.
at Microsoft.IdentityServer.Web.PassiveProtocolListener.OnGetContext(WrappedHttpListenerContext context)


1) Check the SPN on the service account (In my case it is a GMSA)


2) Check if your service account has rights on the certificate




My new post published on the MEA GBS Blog about Group Managed Service Accounts in Windows Server 2012 R2.

Temporarily disable WinRE when taking a system image backup

Note: WinRE will be disabled in the backup image. Therefore, you have to enable it after you do a system recovery from this image.

1. Right-click the Start button, and then click Command Prompt (Admin) to open an elevated Command Prompt window.
2. Disable WinRE by running the following command:
reagentc /disable
3. Run the system image backup function.
4. Enable WinRE by running the following command:
reagentc /enable

Today a customer asked me this question. After giving it a considerable amount of thought, I came up with this answer.

1) Based on my experience, we cannot prevent a user from deleting emails from their own Inbox. The SELF account must have the Full Access permission on the mailbox.

As a workaround (not actually a workaround but another scenario to achieve this through reviewer permission), you may create another mailbox account (e.g. bob) for the user (e.g. administrator), and then grant bob Reviewer permission on both the mailbox level and Inbox level. Like below:

After that, bob can open the administrator’s Inbox in Outlook via File -> Open -> Other User’s Folder, and he can only view the emails. This seems to be the only way to achieve your specific objective.

Hope this is helpful for someone.

A human is as complex a machine as one can ever imagine. Packaged in one body under one skin, this complex machine multitasks so deftly that the human mind itself cannot even conceive of it. This multitasking sometimes runs faster than what it is designed for, or, shall it be said, than the capacity it is allowed to work at.

Once these boundaries are crossed, the brain starts functioning in its own unique way, switching between different phases of functioning. It is as if two or more people were functioning inside one body. With one pack carrying several people inside, how is this one pack supposed to manage it? But the human body is built to bear the burden of whatever tests the man is capable of putting it through.

This is the time when the man develops a Multiple Personality Disorder. The person suffering from multiple personality disorder is consistently passing through hallucinations and thinks himself to be somebody else or creates another personality that is in total contrast to his own. He totally frees himself from the confines of his own and whatever wrong or crime he commits he blames it on the imaginary personality that he had created in his own head. This disorder is mostly caused by some trauma or is a result of some unpleasant situation that he has suffered through in his life. Such a patient can become violent and very unpredictable.

Not a lot of scientific elements might be discussed here but what’s more important is the psyche of the multiple personality disorder’s victim and it is under particular consideration here.

The brain is an organ that formulates and designs another world of customized choice if reality hits it too hard. It lets one be a doctor when one is a nurse, or rich when one is poverty-stricken. What one does not get is the most desired of all.

Silence, sympathy, demon, psycho: all these personality traits can exist in one person. They can make such a fitting combination that one meeting might just not be enough to judge them all together.

Great vastness of mind and thought is needed to reach the level of emotions an MPD victim faces each and every moment in most cases. When the reverie becomes a part of reality, the reverie of thoughts and the reality fight to take over each other. This fight is fought in the mind of the MPD victim and it is neither won nor lost by either. The nuisance that is created then results in the transition from one personality to the other. Here another brawl begins, where the different personalities embedded in the mono-soul fight for conquest of the mono-frame.

It is these wars raged within oneself which bring in and take away the phases of transforming personalities which bring the victim to torments and hence steering them away from what’s known as normal or sanity.

Exchange 2007 and Delivery Restriction: Exchange 2007 had a Delivery Restriction feature with which an Exchange administrator could specify that User A cannot send email to a distribution group named “All Users”. This rule only allowed for explicitly setting restrictions on distribution lists, with the options "Accept messages from", "Reject messages from" or "Require that all users are authenticated".

With Exchange 2010 and Email Moderation, you can now allow all your users to send email to the distribution list but have designated moderators monitor and approve or reject emails sent to those lists.

Thus the decision is taken by a human being rather than being automated through fixed white/black listing settings.

Note: This feature is purely a feature of Exchange 2010. Thus, in a coexistence scenario of Exchange 2010 and Exchange 2007, a message must first be sent to an Exchange 2010 Hub Transport server, because if an Exchange 2007 Hub Transport server receives the email instead, that Hub Transport server will expand the distribution list and bypass moderation.

Now, for example, suppose your managers send email to distribution lists that have moderation enabled. Then, while creating the email moderation rule, you can exclude the “Managers group” from the rule.

Today on Microsoft’s Social Forums I was asked this question a couple of times, so I planned to write a blog post on this.

Let us first start with understanding why we even need to enable proxying.

Let us assume that we have 3 Active Directory sites (Site A, B and C) and on every site I have Exchange 2010 installed. (The Client Access server is what we are focusing on.)

Only my Site A is Internet-facing; Sites B and C I don't want to be published to the Internet.

So far So good “ is my URL for CAS Published on Site A”

That means that any of my clients in Site A, B or C would use the above URL and type the user ID and password (e.g. the user is in Site B), and then the CAS would proxy the request to the CAS server in Site B, and the user would be able to access their email.

Note: The CAS in Site A would be set to forms-based authentication, while the CAS in Site B and C would be set to Windows Integrated Authentication.

How Client Access Servers Work:

The following steps describe what happens when a messaging client connects to the Client Access server:

1. If the client connects from the Internet using a non-MAPI connection, then the client connects to the Client Access server using the client protocol. Only the protocol ports for client connections must be available on the external firewall.
2. If the client connects from the internal network using Office Outlook configured as a MAPI client, then the client connects to the Client Access server using MAPI RPC connections.
3. The Client Access server connects to a Microsoft Active Directory® directory service domain controller by using Kerberos to authenticate the user. Internet Information Services (IIS) or the RPC Client Access service on the Client Access server performs the authentication. The Client Access server uses a Lightweight Directory Access Protocol (LDAP) request to a global catalog server to locate the Mailbox server that manages the user’s mailbox.
4. The Client Access server connects to the Mailbox server using a MAPI RPC to submit messages to the mailbox database, or to read messages.

Note: Proxying is supported for clients that use Outlook Web App, Exchange ActiveSync, and Exchange Web Services.

Client Access protocols for redirection and proxying


| Protocol | Client Access server to Mailbox server communication supported between Active Directory sites | Redirection supported between Client Access servers | Proxying supported between Client Access servers | Comments |
|---|---|---|---|---|
| Outlook Web App | | | | Must have a Client Access server in each Active Directory site to use Outlook Web App. |
| Exchange ActiveSync | | No (unnecessary) | | Must have a Client Access server in each Active Directory site to use Exchange ActiveSync. |
| Exchange Web Services | | | | Must have a Client Access server in each Active Directory site to use Exchange Web Services. |
| Availability service (used by Office Outlook 2007) | | No (unnecessary) | | Must have a Client Access server in each Active Directory site to use the Availability service. |
| Outlook Anywhere (RPC over HTTP) | Yes, with RPC | | Not applicable | Not applicable |
| WebDAV and Exchange 2000 Server or Exchange 2003 | Yes, over HTTP | | Not applicable | Not applicable |
| POP3 and IMAP4 | | | | POP3 and IMAP4 clients must access a Client Access server in the same Active Directory site as their mailbox. |

In Microsoft Exchange Server 2010, header firewall is a mechanism that removes specific header fields from inbound and outbound messages. Computers that are running Exchange 2010 that have the Hub Transport server role or the Edge Transport server role installed insert custom X-header fields into the message header.

Let's have a closer look at this.

Consider three servers: Server1, Server2 and Server3.

An email is sent from Server1 to Server3. Let us assume it went from Server1 to Server2 and then to Server3.

Each server that received the email would add a Received header, with a timestamp, at the beginning of the message header.

Here are headers from a message received from Dell. (Unnecessary headers removed).

(Errors By the Help of Bharat)

Received: from ( by
( with Microsoft SMTP Server id; Mon, 19 May 2008
03:12:46 -0700
Received: from ( []) by (Postfix) with ESMTP id 647C222914 for ;
Mon, 19 May 2008 06:14:46 -0400 (EDT)
Received: from [] ([] by (ecelerity r(19486)) with
ESMTP id 3B/AF-18306-11351384 for ; Mon, 19 May 2008
03:14:41 -0700
Message-ID: <>
Date: Mon, 19 May 2008 03:14:41 -0700
From: Dell Small Business
Subject: $429 desktop, plus new laptops. Hurry and shop now.

Most companies don't want these server names to be disclosed to the people who receive their emails.

Get-SendConnector "Connector Name" | Remove-ADPermission -AccessRight ExtendedRight -ExtendedRights "ms-Exch-Send-Headers-Routing" -user "NT AUTHORITY\Anonymous Logon"

More on this can be found here
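One way to check the result from the recipient side, as an added example that is not part of the original post: the script parses the Received headers of a raw message and lists every hop that still exposes an internal host name or an RFC 1918 address. The sample message, its host names and the INTERNAL_SUFFIXES list are constructed assumptions.

```python
import email
import ipaddress
import re

# Constructed sample (made-up hosts and addresses): what an external recipient
# sees when internal routing headers are NOT stripped on the way out.
SAMPLE = """\
Received: from edge01.example.com (203.0.113.10) by mx.recipient.example
 with ESMTP id 4F1A2; Mon, 19 May 2008 03:14:46 -0700
Received: from hub02.corp.example.local (10.1.2.12) by edge01.example.com
 with Microsoft SMTP Server id 8.1.240.5; Mon, 19 May 2008 03:14:44 -0700
Received: from mbx01.corp.example.local (10.1.2.20) by
 hub02.corp.example.local with ESMTP id 7C2; Mon, 19 May 2008 03:14:41 -0700
Subject: header firewall test
"""

INTERNAL_SUFFIXES = (".local", ".internal", ".lan")  # assumption: your AD DNS suffixes
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
# "from <host> (<detail>)" and "by <host> (<detail>)" clauses of a Received header
HOP = re.compile(r"\b(from|by)\s+([^\s();]+)(?:\s+\(([^)]*)\))?")


def has_rfc1918(text):
    """True if text contains an IPv4 literal inside RFC 1918 private space."""
    for literal in IPV4.findall(text):
        try:
            ip = ipaddress.ip_address(literal)
        except ValueError:          # not a valid address, e.g. 999.1.2.3
            continue
        if any(ip in net for net in RFC1918):
            return True
    return False


def leaked_hops(raw_message, internal_suffixes=INTERNAL_SUFFIXES):
    """List (hop, role, host, detail) for Received clauses that expose an
    internal host name or private address. Hop 0 is the newest header."""
    msg = email.message_from_string(raw_message)
    findings = []
    for hop, value in enumerate(msg.get_all("Received", [])):
        value = " ".join(value.split())      # unfold continuation lines
        for role, host, detail in HOP.findall(value):
            named = host.lower().rstrip(".").endswith(internal_suffixes)
            if named or has_rfc1918(host) or has_rfc1918(detail):
                findings.append((hop, role, host, detail))
    return findings
```

Run it against a test message sent to an external mailbox before and after changing the send connector; an empty list means no internal hop is visible to the recipient.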

Have a look at the Article by the Exchange Team.

  • Adding the flexibility to provision a user’s Personal Archive to a different mailbox database from their primary mailbox.
  • New server side capabilities so you can import historical e-mail data from .PST files, directly into Exchange, as well as IT pro controls to enable delegate access to a user’s Personal Archive.
  • SP1 updates the Exchange Management Console with new tools to create Retention Policy Tags
  • Made several improvements to the Multi-Mailbox Search features
  • Support access to a user’s Personal Archive with Outlook 2007.
  • Long running operations, such as attaching a very large file, will not block the rest of the OWA experience
  • Users will also be able to share their calendars to anonymous viewers via the web
  • In SP1, you’ll be able to add Web-Ready Document Viewing of IRM-protected documents as well and you’ll be able to do so in Safari on a Mac as well as in Firefox or IE on a PC.
  • Updated EAS capabilities also enable support for send-as, support for notifying the user if their device has been placed on block or quarantine by their admin, full implementation of conversation view including the ability to sync only unique parts of messages.

Last but not least

SP1 will bring several new management UI enhancements to enable a number of management tasks in the Exchange Management Console (EMC) and Exchange Control Panel (ECP). Here’s a taste:
  • Create/configure Retention Tags + Retention Policies in EMC
  • Configure Transport Rules in ECP
  • Configure Journal Rules in ECP
  • Configure MailTips in ECP
  • Provision and configure the Personal Archive in ECP
  • Configure Litigation Hold in ECP & EMC
  • Configure Allow/Block/Quarantine mobile device policies in ECP
  • RBAC role management in ECP
  • Configure Database Availability Group (DAG) IP Addresses and Alternate Witness Server in EMC
  • Recursive public folder settings management (including permissions) in EMC

We are normally asked this on the Microsoft Exchange 2010 Social Forum:

When should we use a Subscriber Access Number, and when should we use an Auto Attendant?

A caller can dial the Subscriber Access Number to access their own Exchange mailbox via Outlook Voice Access, or to leave a voice mail for other Exchange users.

The Auto Attendant, on the other hand, can be used to guide the caller to the different departments or locations of a company. For example, a company has many departments, such as finance, HR, IT and so on. You can configure the Auto Attendant to guide the caller with a customized greeting, like “To contact finance department, please press 1. To contact IT department, please press 2.” In this way, the caller does not need to remember the extension of each department, because the Auto Attendant guides the caller.

Now let us take an example: the Subscriber Access Number set on the Dial Plan is 2000 and the Pilot Identifier set on the Auto Attendant is 3000. When a caller calls 2000, the Subscriber Access Number serves and the caller will hear “Welcome to Microsoft Exchange …”. However, if a caller calls 3000, the Auto Attendant serves. The caller will hear “Welcome to Microsoft Exchange Auto Attendant …”.

Here is a Nice Diagram which gets you going on Subscriber Access part.