Archive

Posts Tagged ‘Certificates’

One Liner: Add Trusted Root Cert Authorities to Edge Servers

September 19th, 2015 5 comments

Chris Hayward (@WeakestLync) wrote a great blog post with a neat and easy way to add trusted root certificates to your Edge servers. Everything in Lync and Skype for Business uses certificates, so making sure the Edge servers trust the root CAs that other organizations' certificates chain to is crucial for federation.

Once I saw Chris's method, I of course thought that PowerShell could do this as well. Voila, a one-liner to do it. This example uses the same list from Chris's blog post, and suppresses the output so you can use it in your provisioning scripts.

'https://comodo.com', 'https://digicert.com', 'https://www.entrust.net', 'https://geotrust.com', 'https://www.globalsign.com', 'https://godaddy.com', 'https://www.symantec.com', 'https://thawte.com', 'https://wisekey.com' | ForEach-Object { $null = Invoke-WebRequest -Uri $_ -UseBasicParsing }

This method just cycles through each item in the array and makes an HTTPS request to each site. Building the certificate chain for each response is what does the work: when CryptoAPI finds a root it doesn't have, the Automatic Root Certificates Update feature in Windows downloads that root from Microsoft's Trusted Root Program list on Windows Update and installs it into Local Computer\Trusted Root Certification Authorities. Three things follow from that. A site can't push its own root at you; only roots in Microsoft's list get installed. Each site adds only the root that its own certificate chains to, not every root that CA operates, so a federation partner whose certificate chains to a different root from the same CA may still fail. And the server needs outbound access to the listed sites plus plain HTTP to ctldl.windowsupdate.com for the root download, and the feature must not be switched off by the "Turn off Automatic Root Certificates Update" policy. Usually some of these roots already exist, so don't be surprised if the total certificate count doesn't increase by the number of items in the array. On a server where Internet Explorer's first-run setup has never completed (typical for an Edge server), Invoke-WebRequest needs -UseBasicParsing or it throws once the response comes back, even though the chain was already built.
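
The script below is an added example, not the one-liner above or Chris's script. It does the same kind of TLS connection to each host, but also reports which root each site actually chains to and which roots were added to the store by the run, and it warns if the auto-update feature is disabled by policy. It assumes Windows PowerShell on the Edge server and outbound access to the listed hosts and to Windows Update; the host list is the same one the post uses.

```powershell
# Added example (not from the original post). Connects to each host, captures
# its certificate, builds the chain (which is what triggers the automatic root
# download), then shows which roots were added to LocalMachine\Root.
# Assumes outbound TCP/443 to the hosts and HTTP to ctldl.windowsupdate.com.

$Hosts = 'comodo.com', 'digicert.com', 'www.entrust.net', 'geotrust.com',
         'www.globalsign.com', 'godaddy.com', 'www.symantec.com', 'thawte.com', 'wisekey.com'

function Test-RootAutoUpdateEnabled {
    # The policy "Turn off Automatic Root Certificates Update" writes this value as 1.
    # With the feature off, the connections below add nothing to the store.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot'
    $p = Get-ItemProperty -Path $key -Name DisableRootAutoUpdate -ErrorAction SilentlyContinue
    return (-not $p -or $p.DisableRootAutoUpdate -ne 1)
}

function Get-ServerCertificate {
    param([string]$HostName, [int]$Port = 443)
    # Capture the leaf certificate without trusting it: the validation callback
    # always returns $true, so an unknown root does not abort the handshake.
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $client.Close()
    }
}

function Test-ChainRoot {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Leaf,
        [string]$HostName
    )
    # CryptoAPI chain building is what pulls a missing root from Windows Update;
    # Invoke-WebRequest in the one-liner gets there the same way.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # revocation is not the question here
    $trusted = $chain.Build($Leaf)
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    [pscustomobject]@{
        Host           = $HostName
        Trusted        = $trusted
        RootSubject    = $top.Subject
        RootThumbprint = $top.Thumbprint
        Status         = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    }
}

if (-not (Test-RootAutoUpdateEnabled)) {
    Write-Warning 'Automatic Root Certificates Update is disabled by policy; nothing will be added.'
}

$before = Get-ChildItem Cert:\LocalMachine\Root | Select-Object -ExpandProperty Thumbprint

$results = foreach ($h in $Hosts) {
    try {
        Test-ChainRoot -Leaf (Get-ServerCertificate -HostName $h) -HostName $h
    } catch {
        Write-Warning "$h`: $($_.Exception.Message)"
    }
}
$results | Format-Table Host, Trusted, RootSubject, Status -AutoSize

# Anything in the store now that was not there before came from this run.
$added = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $before -notcontains $_.Thumbprint }
"Roots added: $($added.Count)"
$added | Format-Table Subject, NotAfter, Thumbprint -AutoSize
```

If a host shows Trusted = False with Status containing UntrustedRoot after the run, the root download did not happen; check the policy warning and the firewall rule for ctldl.windowsupdate.com before assuming the CA is at fault.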

The Case of the Disappearing ‘Publish To GAL’ Button

September 24th, 2011 21 comments

While planning a rebranding effort for a client as part of a massive divestiture, we looked at how the end-user S/MIME certs would get handled once their workstations were migrated to a new forest/domain. Outlook has a nice feature built-in to publish existing certificates to the GAL. This makes it easy for users to send encrypted messages to coworkers without having to first send a digitally signed message back and forth. This is quite important to this particular client due to trade secrets and regulatory compliance.

To see the button, open Outlook, go to the Backstage, then Options>Trust Center>Trust Center Settings>E-mail Security. You can see the Publish to GAL button:

The button is visible regardless of whether the user actually has a certificate installed.

However, some users were not seeing the button, as seen below:

It turns out that in Outlook 2010, if a user has multiple MAPI accounts configured in the same Outlook profile, the button erroneously disappears. Support for multiple MAPI accounts is a key feature of Outlook 2010, and is really handy for people who want access to different accounts, say for administrative use, or for work and private email accounts. Outlook even supports a dedicated S/MIME certificate for each account.

I reported the issue to Microsoft, and a bug report has been created. Hopefully, this will be resolved with a hotfix soon. This isn’t the only issue I’ve found with multiple email accounts in Outlook 2010. The archiving feature takes messages from ALL of the accounts, and puts them in the SAME archive .pst file. Not good.
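
When the button is missing, the question that actually matters is whether the user's certificate has reached the GAL at all. The script below is an added example, not part of the original post, that answers that from the admin side. It assumes the RSAT ActiveDirectory module is available and that Outlook publishes into the userCertificate (DER X.509) and userSMIMECertificate attributes, which Exchange reads into the GAL and offline address book; the identity passed in is an illustrative value.

```powershell
# Added example (not from the original post): report the S/MIME certificates a
# user has published to the GAL and whether each is still usable for encryption.
# Assumes the ActiveDirectory module and read access to the user object.

Import-Module ActiveDirectory

function Get-PublishedSmimeCertificate {
    param([Parameter(Mandatory = $true)][string]$Identity)

    $user = Get-ADUser -Identity $Identity -Properties userCertificate, userSMIMECertificate
    $now  = Get-Date
    $kuFlags = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]

    if (-not $user.userCertificate) {
        Write-Warning "$Identity has no userCertificate value; nothing is published for encryption."
    }

    foreach ($der in @($user.userCertificate)) {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,[byte[]]$der)
        # Outlook needs Key Encipherment and the Secure Email EKU (1.3.6.1.5.5.7.3.4)
        # before it will use a GAL certificate to encrypt to this recipient.
        $ku  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.15' }
        $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        $canEncrypt  = [bool]($ku -and ($ku.KeyUsages -band $kuFlags::KeyEncipherment))
        $secureEmail = [bool]($eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.4' }))

        [pscustomobject]@{
            User            = $user.SamAccountName
            Subject         = $cert.Subject
            Issuer          = $cert.Issuer
            NotAfter        = $cert.NotAfter
            Expired         = ($cert.NotAfter -lt $now)
            KeyEncipherment = $canEncrypt
            SecureEmail     = $secureEmail
            Thumbprint      = $cert.Thumbprint
        }
    }

    # userSMIMECertificate holds Outlook's own store blob; report that it is there
    # rather than trying to parse it.
    $blobs = @($user.userSMIMECertificate)
    if ($blobs.Count -gt 0) {
        "userSMIMECertificate: $($blobs.Count) value(s), $(($blobs | ForEach-Object { $_.Length }) -join ', ') bytes"
    }
}

# Illustrative identity; replace with a real sAMAccountName or distinguished name.
Get-PublishedSmimeCertificate -Identity 'jdoe' | Format-Table User, Subject, NotAfter, Expired, KeyEncipherment, SecureEmail -AutoSize
```

A user whose certificate shows up here with Expired = False and both usage flags true is fine regardless of the missing button; the people to chase are those with no userCertificate value at all.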

Update Rollup 3 (UR3) for Exchange Server 2007 SP3 Released

March 8th, 2011 No comments

Microsoft has released the following update rollup for Exchange Server 2007:

  • Update Rollup 3 for Exchange Server 2007 SP3 (2492691)

If you’re running Exchange Server 2007 SP3, you need to apply Update Rollup 3 for Exchange 2007 to address the issues listed below.

Remember, you only need to download the latest update for the version of Exchange that you’re running.

Here is a list of the fixes included in update rollup 3:

  1. 2498066 “Insufficient system resources exist to complete the requested service” error message when you try to extend database files in an Exchange Server 2007 environment
  2. 2497679 A meeting request may not open correctly after you disable the “Display sender’s name on messages” option in the EMC of Exchange Server 2007 SP2 or SP3
  3. 2493529 Event ID 1160 is logged and the Microsoft Exchange Information Store service randomly stops responding on an Exchange Server 2007 server
  4. 2492384 A meeting response status from an external attendee may be incorrect if you send the meeting request from an Exchange Server 2007 environment
  5. 2490788 A calendar synchronization times out when you use ActiveSync to synchronize with an Exchange Server 2007 mailbox on a mobile device
  6. 2489898 An item is removed unexpectedly from a public folder in an Exchange Server 2007 environment
  7. 2480197 The “Require SSL” setting is unexpectedly unselected on the RPC virtual directory on an Exchange Server 2007 server
  8. 2479939 The “ScheduleOnlyDuringWorkHours” property of a resource mailbox may not function as expected in an Exchange Server 2007 environment
  9. 2477139 DTMF inputs are not accepted by a UM auto attendant while the greeting message is playing in an Exchange Server 2007 environment
  10. 2470759 The “Test-Replicationhealth” cmdlet fails on a stretched cluster in an Exchange Server 2007 SP3 CCR environment
  11. 2461537 The Microsoft.Exchange.Search.ExSearch.exe process consumes 100% CPU after you apply Update Rollup 1 or Update Rollup 2 for Exchange Server 2007 SP3 on the passive node of a SCC
  12. 2457838 “554 5.6.0” NDR message when you send an email message to an Exchange Server 2007 mailbox from a Macintosh computer
  13. 2450078 The sent time in an email message body is incorrect when you reply or forward the email message by using an EWS application in an Exchange Server 2007 environment
  14. 2448291 “Object has been corrupted and it is in an inconsistent state” warning message when you view a transport rule on an Exchange Server 2007 SP3 server
  15. 2445129 The W3WP.exe process may crash when a WebDAV client connects to an Exchange Server 2007 server
  16. 2418993 The Edgetransport.exe process crashes when you close a Telnet session before you receive an SMTP banner in an Exchange Server 2007 environment
  17. 2410330 The EdgeTransport.exe process crashes if the pipeline tracing feature is enabled together with a redirect transport rule in an Exchange Server 2007 environment
  18. 2408435 “Computer account for ‘SMTPSVC/’ not found in Active Directory.” error message in an Exchange Server 2007 environment
  19. 2394853 The returned URL is incorrect when you use the WebDAV “X-MS-ENUMATTS” method to enumerate an attachment in an Exchange Server 2007 environment
  20. 2294143 Duplicate read receipts are sent when using a POP3 client or an IMAP4 client in an Exchange Server 2007 environment
  21. 2267661 Some body parts of a message are displayed as attachments when an Exchange Server 2007 user sends the message by using a third-party mail client
  22. 2032592 VSS backup fails on a passive node of an Exchange Server 2007 CCR cluster and Event ID 2034 is logged
  23. 982714 The values of total items that are returned by running the “Export-ActiveSyncLog” cmdlet on an Exchange Server 2007 server are incorrect
  24. 979338 Fax communication sessions are dropped by an Exchange Server 2007 Unified Messaging server
  25. 955480 A meeting request is stamped as Busy instead of Tentative when it is sent from an external user to an Exchange Server 2007 user

Download the rollup here. Microsoft has announced that Update Rollup 4 for Exchange Server 2007 SP3 is scheduled for May 2011.

Microsoft also announced that there are no plans to release further updates for Exchange Server 2007 SP2. Customers are advised to upgrade to SP3.

Installation Notes:

If you haven’t installed Exchange Server yet, you can use the info at Quicker Exchange installs complete with service packs and rollups to save you some time.

Microsoft Update can’t detect rollups for Exchange 2010 servers that are members of a Database Availability Group (DAG). See the post Installing Exchange 2010 Rollups on DAG Servers for info, and a script, for installing update rollups.

Update Rollups should be applied to Internet facing Client Access Servers before being installed on non-Internet facing Client Access Servers.

If you’re installing the update rollup on Exchange servers that don’t have Internet access, see “Installing Exchange 2007 & 2010 rollups on servers that don’t have Internet access” for some additional steps.

Also, the installer and Add/Remove Programs text is only in English – even when being installed on non-English systems.

Note to Forefront users:

If you don't disable Forefront before installing a rollup or service pack, and re-enable it afterwards, you run the risk of Exchange related services not starting. You can disable Forefront by going to a command prompt, navigating to the Forefront directory and running FSCUtility /disable. To enable Forefront after installation of a UR or SP, run FSCUtility /enable.
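
The script below is an added example, not from the original post or from Microsoft, that carries out the installation notes above as one step: it disables Forefront if it is installed, applies the rollup .msp quietly, re-enables Forefront even if the install fails, and checks that every Exchange service that was running beforehand is running again. The rollup file name and the Forefront install folder are assumptions; adjust them to the rollup you downloaded. It applies equally to the other update rollup posts on this page.

```powershell
# Added example (not from the original post): apply an Exchange 2007 update
# rollup with Forefront disabled around the install, then verify services.
# Assumptions: the .msp has been downloaded to $RollupPath (illustrative name)
# and FSCUtility.exe is in the default Forefront Security for Exchange folder.

param(
    [string]$RollupPath = 'C:\Updates\Exchange2007-KB2492691-x64-en.msp',
    [string]$FscUtility = "${env:ProgramFiles(x86)}\Microsoft Forefront Security\Exchange Server\FSCUtility.exe"
)

function Invoke-FscUtility {
    param([ValidateSet('/disable', '/enable')][string]$Switch)
    if (-not (Test-Path $FscUtility)) {
        Write-Verbose 'Forefront not installed; skipping FSCUtility'
        return
    }
    $p = Start-Process -FilePath $FscUtility -ArgumentList $Switch -Wait -PassThru -NoNewWindow
    if ($p.ExitCode -ne 0) { throw "FSCUtility $Switch failed with exit code $($p.ExitCode)" }
}

function Install-ExchangeRollup {
    param([string]$Path)
    if (-not (Test-Path $Path)) { throw "Rollup not found: $Path" }

    # Remember which Exchange services were up so we can compare afterwards.
    $before = Get-Service 'MSExchange*' |
        Where-Object { $_.Status -eq 'Running' } |
        Select-Object -ExpandProperty Name

    Invoke-FscUtility '/disable'
    try {
        $log = Join-Path $env:TEMP ('rollup-{0:yyyyMMdd-HHmmss}.log' -f (Get-Date))
        # msiexec /update installs an .msp; exit code 3010 means success with a reboot pending.
        $args = "/update `"$Path`" /quiet /norestart /l*v `"$log`""
        $p = Start-Process -FilePath msiexec.exe -ArgumentList $args -Wait -PassThru
        switch ($p.ExitCode) {
            0       { "Rollup installed. Log: $log" }
            3010    { "Rollup installed; reboot required. Log: $log" }
            default { throw "msiexec returned $($p.ExitCode); see $log" }
        }
    } finally {
        # Always re-enable, otherwise the store stays unscanned after a failed install.
        Invoke-FscUtility '/enable'
    }

    $stopped = Get-Service $before | Where-Object { $_.Status -ne 'Running' }
    if ($stopped) {
        Write-Warning "Not running after install: $(($stopped | ForEach-Object { $_.Name }) -join ', ')"
    } else {
        'All Exchange services that were running before the install are running again.'
    }
}

Install-ExchangeRollup -Path $RollupPath
```

Run it from an elevated prompt on the server being patched; on a DAG or CCR node, follow the ordering guidance above and patch the passive node first.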

Exchange Server 2010 SP1 Is Now Available

August 31st, 2010 No comments

Microsoft has released Service Pack 1 (SP1) for Exchange Server 2010. See the Release Notes for Exchange 2010 SP1 for more information, including a list of known issues.

The 522MB download is just like RTM – a full install package. Existing installations can be upgraded, and new installs can be done with the Service Pack already integrated.

What’s New in Exchange 2010 SP1 has a comprehensive list of the changes and enhancements, including:

New Deployment Functionality

  1. During an Exchange 2010 SP1 installation, you can now select a new option to install the required Windows roles and features for each selected Exchange 2010 SP1 server role. For more information, see New Deployment Functionality in Exchange 2010 SP1.

Client Access Server Role Improvements

  1. Federation Certificates
  2. Exchange ActiveSync
  3. SMS Sync
  4. Server-Side Information Rights Management Support
  5. Outlook Web App Improvements
  6. Reset Virtual Directory
  7. Client Throttling Policies

Improvements in Transport Functionality

  1. MailTips access control over organizational relationships
  2. Enhanced monitoring and troubleshooting features for MailTips
  3. Enhanced monitoring and troubleshooting features for message tracking
  4. Message throttling enhancements
  5. Shadow redundancy promotion
  6. SMTP failover and load balancing improvements
  7. Support for extended protection on SMTP connections
  8. Send connector changes to reduce NDRs over well-defined connections

Permissions Functionality

  1. Database scope support
  2. Active Directory split permissions
  3. Improved user interface

Exchange Store and Mailbox Database Functionality

  1. With the New-MailboxRepairRequest cmdlet, you can detect and repair mailbox and database corruption issues.
  2. Store limits were increased for administrative access.
  3. The Database Log Growth Troubleshooter (Troubleshoot-DatabaseSpace.ps1) is a new script that allows you to control excessive log growth of mailbox databases.
  4. Public Folders client permissions support was added to the Exchange Management Console (EMC).

Mailbox and Recipients Functionality

  1. Calendar Repair Assistant supports more scenarios than were available in Exchange 2010 RTM.
  2. Mailbox Assistants are now all throttle-based (changed from time-based in Exchange 2010 RTM).
  3. Internet calendar publishing allows users in your Exchange organization to share their Outlook calendars with a broad Internet audience.
  4. Importing and exporting .pst files now uses the Mailbox Replication service and doesn’t require Outlook.
  5. Hierarchical address book support allows you to create and configure your address lists and offline address books in a hierarchical view.
  6. Distribution group naming policies allow you to configure string text that will be appended or prepended to a distribution group’s name when it’s created.
  7. Soft-delete of mailboxes after move completion.

High Availability and Site Resilience Functionality

  1. Continuous replication – block mode
  2. Active mailbox database redistribution
  3. Enhanced datacenter activation coordination mode support
  4. New and enhanced management and monitoring scripts
  5. Exchange Management Console user interface enhancements
  6. Improvements in failover performance

Messaging Policy and Compliance Functionality

  1. Provision personal archive on a different mailbox database
  2. Import historical mailbox data to personal archive
  3. Delegate access to personal archive
  4. New retention policy user interface
  5. Support for creating retention policy tags for Calendar and Tasks default folders
  6. Opt-in personal tags
  7. Multi-Mailbox Search preview
  8. Annotations in Multi-Mailbox Search
  9. Multi-Mailbox Search data de-duplication
  10. WebReady Document Viewing of IRM-protected messages in Outlook Web App
  11. IRM in Exchange ActiveSync for protocol-level IRM
  12. IRM logging
  13. Mailbox audit logging

Unified Messaging Server Role Improvements

  1. UM reporting
  2. UM management in the Exchange Control Panel
  3. Cross-Forest UM-enabled mailbox migration
  4. Outlook Voice Access improvements
  5. Caller Name Display support
  6. Test-ExchangeUMCallFlow cmdlet
  7. New UM Dial Plan wizard
  8. Office Communications Server “14” Support
  9. Secondary UM dial plan support
  10. UM language packs added
  11. Call answering rules improvements
  12. Unified Communications Managed API/speech platform improvements
  13. UM auto attendant update

Audit Logging Improvements

  1. Improvements in administrator audit logging
  2. New mailbox audit logging

Support for Coexistence with Exchange Online

  1. Migration of UM-enabled mailboxes
  2. IRM support for coexistence
  3. Remote Mailboxes
  4. Transport

Support for Multi-Tenancy

Upgrade from Exchange 2010 RTM to Exchange 2010 SP1 includes details you should know before upgrading, as well as how to upgrade including upgrading DAG members.

Equally important is Exchange 2010 Prerequisites, which details which hotfixes you need to install before doing a clean install of Exchange 2010 SP1, or when upgrading an RTM installation. Be prepared, as several of the 2008 R2 hotfixes require a reboot.

Download the Service Pack here.

Update Rollup 3 (UR3) for Exchange Server 2007 SP2 Released

March 18th, 2010 No comments

Microsoft has released the following update rollup for Exchange Server 2007:

  • Update Rollup 3 for Exchange Server 2007 SP2 (979784)

If you're running Exchange Server 2007 SP2, you need to apply Update Rollup 3 for Exchange 2007 SP2 to address the issues listed below.

Remember, you only need to download the latest update for the version of Exchange that you’re running.

Here is a list of the fixes included in update rollup 3:

  1. 976108 “451 4.4.0 DNS Query Failed” status message in an Exchange Server 2007 Edge Transport server
  2. 976460 Later updates do not match a calendar item that an Exchange Server 2007 user updates by using Exchange ActiveSync on a mobile device
  3. 977179 You receive an “0x800423f0” error message when you perform system state backups on the passive node of Windows Server 2008-based Exchange Server 2007 CCR clusters
  4. 977531 An external recipient misses the last occurrence of a recurring meeting request or a recurring appointment that is sent from an Exchange Server 2007 user
  5. 977923 The Edgetransport.exe process crashes when it processes meeting requests in Exchange Server 2007
  6. 978137 The subject of a confirmation message is garbled for certain languages when a remote device wipe operation is performed in Exchange Server 2007
  7. 978200 The sender address of a forwarded meeting request does not include “on behalf of” as expected in an Exchange Server 2003 organization and an Exchange Server 2007 organization mixed environment
  8. 978253 An SSL certificate validation error is generated on an Exchange Server 2007 server when you run any test commands after you run the Test-SystemHealth command
  9. 978469 A mailbox that was moved from an Exchange Server 2007 server to an Exchange Server 2010 server cannot be accessed by using Outlook
  10. 978517 The Microsoft Exchange Information Store service stops responding on an Exchange Server 2007 server
  11. 978521 The synchronization and the reconciliation between Microsoft Office Outlook and a BlackBerry mobile device fails when a mailbox is moved around between two Exchange Server 2007
  12. 978528 The Microsoft Exchange Information Store service crashes on a Microsoft Exchange Server 2007 server when a user tries to access a specific calendar item
  13. 978832 Read items are marked incorrectly as unread items in an Exchange Server 2007 public folder
  14. 979055 A delegate cannot save three settings of Resource Settings for an Exchange Server 2007 resource mailbox in OWA
  15. 979170 You receive an error message when you use ExBPA to schedule a scan on an Exchange Server 2007 SP2 server
  16. 979219 The store.exe process hangs on an Exchange Server 2007 server

Download the rollup here.

Installation Notes:

If you haven’t installed Exchange Server yet, you can use the info at Quicker Exchange installs complete with service packs and rollups to save you some time.

Microsoft Update can’t detect rollups for Exchange 2010 servers that are members of a Database Availability Group (DAG). See the post Installing Exchange 2010 Rollups on DAG Servers for info, and a script, for installing update rollups.

Update Rollups should be applied to Internet facing Client Access Servers before being installed on non-Internet facing Client Access Servers.

If you’re installing the update rollup on Exchange servers that don’t have Internet access, see “Installing Exchange 2007 & 2010 rollups on servers that don’t have Internet access” for some additional steps.


Update Rollup 4 (UR4) for Exchange 2007 SP1 Released

October 7th, 2008 No comments

Microsoft has released the following update rollup for Exchange Server 2007:

  • Update Rollup 4 for Exchange Server 2007 SP1 (952580)

If you're running Exchange Server 2007 SP1, you need to apply Update Rollup 4 for Exchange 2007 SP1 to address the issues listed below.

Remember, you only need to download the latest update for the version of Exchange that you’re running. RTM updates can’t be installed on SP1 and vice versa.

Rollup 4 for Exchange Server 2007 SP1 supersedes the following:

  1. 945684 Update Rollup 1 for Exchange Server 2007 Service Pack 1
  2. 948016 Update Rollup 2 for Exchange Server 2007 Service Pack 1
  3. 949870 Update Rollup 3 for Exchange Server 2007 Service Pack 1

Here is a list of the fixes included in rollup 4:

  1. 942649 Description of the commands that support the UseRusServer option that is introduced in Update Rollup 4 for Exchange Server 2007 Service Pack 1
  2. 944831 You cannot configure Exchange Server 2007 so that the simple display name appears in outgoing messages
  3. 945854 A meeting reminder is still active when you configure Outlook to send no reminders to an Exchange Server 2007 user
  4. 945870 TAB symbols may be converted incorrectly to spaces in Exchange Server 2007
  5. 948896 Certificates that contain wildcard characters may not work correctly on an Exchange 2007 Service Pack 1-based server
  6. 948897 An attachment incorrectly appears as the body of the e-mail message in an Exchange Server 2007 environment
  7. 948923 Users do not receive information in DSN messages in Exchange Server 2007 with Service Pack 1
  8. 949512 An embedded message is removed from the attachment list on Exchange Server 2007 if the embedded message subject ends with .com, .exe, or any other blocked extension
  9. 949782 An In-Policy request that is forwarded to delegate appears as an Out-Of-Policy request if a user submits an In-Policy meeting request against a room mailbox of Exchange Server 2007
  10. 949858 The provisioning process is unsuccessful when you use Identity Lifecycle Manager (ILM) 2007 to provision user objects to an Exchange Server 2007 resource forest
  11. 949926 Error when you use an IMAP4 client or a POP3 client to log on to a delegate mailbox of Exchange Server 2007: “800cccd1”
  12. 950076 After you move a mailbox from Exchange Server 2003 to Exchange Server 2007 Service Pack 1, you cannot edit rules in Outlook Web Access
  13. 950081 Error message when users use an SMTP client to send e-mail messages in Exchange Server 2007 Service Pack 1: “454 4.7.0 Temporary authentication failure”
  14. 950138 You are prompted for your credentials three times and you receive an error message when you use the Outlook Anywhere feature to connect to an Exchange Server 2007 Service Pack 1-based server that is running Windows Server 2008
  15. 950198 You can enable AfterConversion snapshot for all messages if pipeline tracing and Content Conversion Tracing are enabled
  16. 950235 The IMAP4 or POP3 worker process may stop responding on an Exchange 2007 CAS role when you use an IMAP4 client or a POP3 client to connect the Exchange 2007 CAS role to your mailbox
  17. 950409 The reminder is triggered earlier than expected when an Exchange Server 2007 server receives an iCalendar meeting request message over an SMTP server
  18. 950622 Messages are converted to a very small font size in Outlook Web Access and in Outlook 2003 when you use Exchange Server 2007
  19. 950976 Event ID 115 may be logged intermittently on a computer that is running Exchange Server 2007 with Service Pack 1
  20. 951067 Event ID 7034 may be logged in the Application log in Exchange Server 2007 when an MAPI application tries to access a mailbox in a certain way
  21. 951156 The message body of appointments is garbled after you use a mobile device to synchronize appointments that were created in Outlook Web Access on Exchange 2007
  22. 951251 A MAPI application does not work correctly if Exchange 2007 is installed on a Windows Server 2008 server
  23. 951594 The W3svc log reports the incorrect number of attachments on an Exchange Server 2007 server that has deployed Exchange ActiveSync Service (EAS)
  24. 951747 An error occurs when you use the Export-mailbox or Restore-mailbox command to migrate certain mailboxes on Exchange Server 2007: “error code -1056749164”
  25. 951864 Some users must enter their credentials when they access rights-protected messages even though you have deployed the Rights Management Services (RMS) prelicensing agent on an Exchange Server 2007 Service Pack 1-based server
  26. 952152 The Autodiscover service for ActiveSync in an Exchange 2007 environment does not work for users in sites that do not have the ExternalURL property set
  27. 952250 You encounter a long delay for each mailbox when you run the “Move-Mailbox” or “Set-Mailbox” command on an Exchange Server 2007 computer
  28. 952682 Log file drives on the SCR target may eventually fill up and cause replication failure in Exchange Server 2007 Service Pack 1
  29. 952924 Error message when Exchange users try to access public folders that are hosted on Exchange Server 2003 by using Outlook Web Access for Exchange Server 2007: “Outlook Web Access is unable to open public folders”
  30. 953312 The “Open Message In Conflict” button is not available in the conflict notification message for Exchange Server 2007 users
  31. 954058 You can change the method for transfer encoding after you apply Update Rollup 5 for Exchange Server 2007 Service Pack 1
  32. 954205 Event ID 1113 is logged in the Application log on a Unified Messaging (UM) server when users contact the UM server by using secured connections
  33. 954237 The IMAP service crashes intermittently on Exchange 2007, and Event ID 5000 is logged
  34. 955208 Event ID 5000 occurs when the Exchange IMAP4 worker process crashes intermittently in Exchange Server 2007
  35. 956775 CopyItem and MoveItem Operations in Exchange Web Services can return the Item ID after you install Update Rollup 4 for Exchange Server 2007 Service Pack 1
  36. 957133 Description of improvements in functionality that occur in Exchange Web Services operations after you install Update Rollup 4 for Exchange Server 2007 Service Pack 1

Download the rollup here.

Installation Notes:

If you haven’t installed Exchange Server yet, you can use the info at Quicker Exchange installs complete with service packs and rollups to save you some time.

Microsoft Update can’t detect rollups for Exchange 2010 servers that are members of a Database Availability Group (DAG). See the post Installing Exchange 2010 Rollups on DAG Servers for info, and a script, for installing update rollups.

Update Rollups should be applied to Internet facing Client Access Servers before being installed on non-Internet facing Client Access Servers.

If you’re installing the update rollup on Exchange servers that don’t have Internet access, see “Installing Exchange 2007 & 2010 rollups on servers that don’t have Internet access” for some additional steps.

PowerShell Script to Set All AutoDiscover Related Virtual Directories to Use a Single Domain Name

October 1st, 2008 No comments

I’ve updated the Set-AllVDirs.ps1 script that streamlines the process of setting the virtual directory paths for various web services including Offline Address Book, AutoDiscover, Unified Messaging, and Exchange Web Services. If you’re using a single name certificate in place of a Subject Alternative Name certificate, this script walks you through the process of changing each of the URLs.

See the script at The Exchange 2007 Wiki page here.
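
The script below is an added example of the same idea, not the author's Set-AllVDirs.ps1. It points the OAB, EWS, Unified Messaging, ActiveSync and OWA virtual directories on one Client Access Server, plus the Autodiscover URI, at a single host name, and first confirms that the name is actually on the certificate bound to IIS, which is the whole reason for doing this with a single-name certificate. It assumes the Exchange 2007 or 2010 Management Shell on the CAS itself; the server and host name values are illustrative.

```powershell
# Added example (not the author's Set-AllVDirs.ps1): set every Autodiscover-
# related URL on a CAS to one host name after checking the name is on the cert.
# Assumptions: run from the Exchange Management Shell on the CAS; $HostName is
# illustrative. Use -WhatIf to see the changes without applying them.

param(
    [string]$Server   = $env:COMPUTERNAME,
    [string]$HostName = 'mail.example.com',
    [switch]$WhatIf
)

function Test-CertificateCoversName {
    param([string]$Name)
    # CertificateDomains lists the CN and every SAN; a single-name certificate
    # has exactly one entry, and that entry must be the name we are about to use.
    $certs = Get-ExchangeCertificate | Where-Object { "$($_.Services)" -match 'IIS' }
    foreach ($c in $certs) {
        if ($c.CertificateDomains -contains $Name) { return $true }
        foreach ($d in $c.CertificateDomains) {
            # A wildcard SAN such as *.example.com also covers mail.example.com.
            if ($d.StartsWith('*.') -and ($Name -like $d)) { return $true }
        }
    }
    return $false
}

function Set-SingleNameUrls {
    param([string]$Server, [string]$Name, [switch]$WhatIf)
    $base   = "https://$Name"
    $common = @{ WhatIf = $WhatIf }

    Get-OabVirtualDirectory -Server $Server |
        Set-OabVirtualDirectory -InternalUrl "$base/OAB" -ExternalUrl "$base/OAB" @common
    Get-WebServicesVirtualDirectory -Server $Server |
        Set-WebServicesVirtualDirectory -InternalUrl "$base/EWS/Exchange.asmx" -ExternalUrl "$base/EWS/Exchange.asmx" @common
    Get-UMVirtualDirectory -Server $Server |
        Set-UMVirtualDirectory -InternalUrl "$base/UnifiedMessaging/Service.asmx" -ExternalUrl "$base/UnifiedMessaging/Service.asmx" @common
    Get-ActiveSyncVirtualDirectory -Server $Server |
        Set-ActiveSyncVirtualDirectory -InternalUrl "$base/Microsoft-Server-ActiveSync" -ExternalUrl "$base/Microsoft-Server-ActiveSync" @common
    Get-OwaVirtualDirectory -Server $Server | Where-Object { $_.Name -like 'owa*' } |
        Set-OwaVirtualDirectory -InternalUrl "$base/owa" -ExternalUrl "$base/owa" @common
    # Autodiscover is a property of the CAS object, not of a virtual directory.
    Set-ClientAccessServer -Identity $Server -AutoDiscoverServiceInternalUri "$base/Autodiscover/Autodiscover.xml" @common
}

if (-not (Test-CertificateCoversName -Name $HostName)) {
    throw "No certificate enabled for IIS on this server covers $HostName; fix the certificate first."
}

Set-SingleNameUrls -Server $Server -Name $HostName -WhatIf:$WhatIf

# Show the result so a mismatch is obvious before Outlook clients start complaining.
Get-WebServicesVirtualDirectory -Server $Server | Format-List Identity, InternalUrl, ExternalUrl
Get-OabVirtualDirectory -Server $Server | Format-List Identity, InternalUrl, ExternalUrl
Get-ClientAccessServer -Identity $Server | Format-List Name, AutoDiscoverServiceInternalUri
```

Outlook trusts the URLs only if the name in them matches the certificate, so the certificate check up front is not optional: setting the URLs to a name the certificate does not carry produces the familiar certificate warning on every Outlook start.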

ISA 2006 SP1 Released – Now Supports SAN Certificates!

July 3rd, 2008 No comments

Not really Exchange related, per se, but Microsoft has released Service Pack 1 for Internet Security and Acceleration (ISA) 2006. The one feature that was greatly anticipated by those using Exchange 2007 is support for Subject Alternative Name certificates.

Previously, ISA 2006 could only support the common name (CN), or the first alternative name in a SAN cert. Now, we can leverage all of the names in the cert.

See KB article 943462 for more information on the service pack and the download page to grab the bits.