Windows Server 2016 ADFS SSO with Chrome, Firefox and other user agents

Out of the box, Windows Server 2016 Active Directory Federation Services does not give users running Chrome the seamless sign-on experience that Internet Explorer gets. Thankfully, there are two simple changes that enable this functionality.

Open PowerShell on one of the ADFS servers as administrator and check the list of existing WIASupportedUserAgents:

PS C:\Windows\system32> Get-ADFSProperties | Select -ExpandProperty WIASupportedUserAgents
MSAuthHost/1.0/In-Domain
MSIE 6.0
MSIE 7.0
MSIE 8.0
MSIE 9.0
MSIE 10.0
Trident/7.0
MSIPC
Windows Rights Management Client
MS_WorkFoldersClient
=~Windows\s*NT.*Edge

The easiest way to add the additional agents is with the following command; I've added Chrome, Mozilla/5.0 and Edge/12.

Set-AdfsProperties -WIASupportedUserAgents ((Get-AdfsProperties | Select-Object -ExpandProperty WIASupportedUserAgents) + "Chrome" + "Mozilla/5.0" + "Edge/12")

There was a time when you did need to disable the ExtendedProtectionTokenCheck for Chrome to work; as of writing (August 2017) this is no longer the case. Restart the ADFS service and you should be in business!
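The same change as an added example (not code from the original post), written so it can be re-run without creating duplicate entries, and reading the ExtendedProtectionTokenCheck value back rather than changing it. It assumes an elevated PowerShell session on an ADFS server; the function name is my own.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell on an ADFS server.
function Add-WiaSupportedUserAgent {
    param([Parameter(Mandatory = $true)][string[]]$Agent)

    $current = @(Get-AdfsProperties | Select-Object -ExpandProperty WIASupportedUserAgents)

    # Only append entries that are not there yet, so re-running the script does not
    # accumulate duplicates in the list
    $missing = @($Agent | Where-Object { $current -notcontains $_ })
    if ($missing.Count -eq 0) {
        Write-Host "All requested user agents are already present"
        return $current
    }
    Set-AdfsProperties -WIASupportedUserAgents ($current + $missing)
    Restart-Service adfssrv        # the change takes effect after the ADFS service restarts
    Get-AdfsProperties | Select-Object -ExpandProperty WIASupportedUserAgents
}

# Note that "Mozilla/5.0" is a substring of nearly every modern browser's user agent,
# so with it in the list WIA will be attempted for all of them, not only Chrome.
Add-WiaSupportedUserAgent -Agent 'Chrome', 'Mozilla/5.0', 'Edge/12'

# The post notes ExtendedProtectionTokenCheck no longer needs disabling; read it rather than change it
(Get-AdfsProperties).ExtendedProtectionTokenCheck
```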

Exchange 2016 and CRM Online Email Server Profile Sync Errors

While attempting to set up an Exchange Server (Hybrid) email server profile for CRM Online, at the step where you test and enable mailboxes you may get the following error in the alert's detailed description:

System.Net.WebException: The request failed with HTTP status 401: Unauthorized.
at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
at System.Web.Services.Protocols.SoapHttpClientProtocol.EndInvoke(IAsyncResult asyncResult)
at Microsoft.Crm.Asynchronous.EmailConnector.ExchangeServiceBinding.EndFindFolder(IAsyncResult asyncResult)
at Microsoft.Crm.Asynchronous.EmailConnector.GetInboxFolderHierarchyStep.EndCall()
at Microsoft.Crm.Asynchronous.EmailConnector.ExchangeIncomingEmailProviderStep.EndOperation()

This error is caused by the EWS virtual directory in Exchange 2016 CU2 not having Basic Authentication enabled. Enable it and then retry the test; it will now complete without any problems.
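An added example (not from the original post) that audits every EWS virtual directory and enables Basic Authentication only where it is off, then reports the resulting state; it assumes the Exchange Management Shell and the function name is my own.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell.
function Enable-EwsBasicAuthentication {
    # Audit every EWS virtual directory in the organisation. -ADPropertiesOnly reads the
    # settings from Active Directory instead of contacting each server's IIS.
    $vdirs = Get-WebServicesVirtualDirectory -ADPropertiesOnly
    foreach ($v in $vdirs) {
        if (-not $v.BasicAuthentication) {
            Write-Host "Enabling Basic Authentication on $($v.Identity)"
            # Basic sends the credentials base64-encoded on every request, so this is only
            # acceptable because EWS is published over HTTPS
            Set-WebServicesVirtualDirectory -Identity $v.Identity -BasicAuthentication $true
        }
    }
    # Report the resulting state for all servers so the change can be verified
    Get-WebServicesVirtualDirectory -ADPropertiesOnly |
        Select-Object Server, BasicAuthentication, WindowsAuthentication, OAuthAuthentication
}

Enable-EwsBasicAuthentication
```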

SharePoint 2013 and One-Way Forest Trusts

Hello Everyone,

Simple fix for an environment where you have a one-way forest trust between the forest that hosts a SharePoint site and several other forests whose accounts you would like to use to log in to the site. After establishing the required trusts and domain settings, the only SharePoint setting that needs to be updated is the people picker, which natively only looks up accounts in the local forest. The steps to get this working are as follows:

1. Create service accounts in each other forest that will be used to
2. Execute the following command. You will need to adjust it for your environment; in this sample I'm adding 3 forests.

stsadm -o setproperty -url https://intranet.cotoso.com -pn peoplepicker-searchadforests -pv "forest:ad.acme.com,acme\sp_adtrust,password; forest:northwinds.local,northwinds\sp_adtrust,password; forest:ad.microsoft.com,microsoft\sp_adtrust,password"

Note: you always need to include ALL the forests. If you run the command with just one, it overwrites the ones already saved, so make sure to include the existing ones when you are only adding one.

Exchange EventID 9646, MAPI Session Exceeded

As users' mailboxes grow, or they add additional accounts such as shared mailboxes or former employees' mailboxes to the same Outlook instance, the number of folders the user has open in that session can exceed the number of folders Exchange allows per session. This can cause very weird behavior (missing emails, lost calendar appointments) as Outlook is not able to sync every folder that is open. Here is an example of the error from the MSExchangeIS service:

Mapi session “{GUID}: /o=First Organization/ou=Exchange Administrative Group (ORGID)/cn=Recipients/cn=James Bond” exceeded the maximum of 500 objects of type “objtFolder”.

Fixing the error is easy: increase the maximum number of objects that MAPI allows.

  1. Open Regedit and navigate to
    1. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\MSExchangeIS
  2. Create a new key (folder)
    1. MaxObjsPerMapiSession
  3. Create two new DWORDs
    1. objtFolder
    2. objtFolderView
  4. Populate the values with a number that suits your needs (750 here). Make sure to switch the DWORD base to decimal, otherwise the values will be very high.

Optional – if you need to force the values, restart the Information Store service, which will reset user connections in a non-DAG environment. Otherwise the store will pick up the changes after a period of time; sometimes the MAPI connection (Outlook) will need to be closed and reopened as well.
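The same registry change as an added example (not from the original post), done from PowerShell so the values are written in decimal and read back for checking; it assumes an elevated session on the mailbox server, and the function name is my own.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell on the mailbox server.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchangeIS\MaxObjsPerMapiSession'

function Set-MapiSessionObjectLimit {
    param(
        [int]$Limit = 750,                                        # the value used in the post
        [string[]]$ObjectType = @('objtFolder', 'objtFolderView')
    )
    # Create the MaxObjsPerMapiSession key (the "folder" in Regedit) if it does not exist
    if (-not (Test-Path $regPath)) {
        New-Item -Path $regPath -Force | Out-Null
    }
    foreach ($type in $ObjectType) {
        # -PropertyType DWord with an [int] writes the decimal value directly, avoiding the
        # "base left on hexadecimal" mistake that turns 750 into 0x750 (1872) in Regedit
        New-ItemProperty -Path $regPath -Name $type -Value $Limit -PropertyType DWord -Force | Out-Null
    }
    # Read the values back so the result can be checked before the store picks them up
    Get-ItemProperty -Path $regPath | Select-Object -Property $ObjectType
}

Set-MapiSessionObjectLimit -Limit 750
```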

Active Directory Stale Account Management

Recently I had a client that wanted to automate stale account management without investing in a full-blown identity management solution. Here is the script I came up with.

  • Gets users that have not logged in for 90 days
  • Counts the accounts that were disabled and emails the list to the administrator
  • Sets the user description with the date it was disabled and a note that it was disabled by the script
  • Finally, it disables the accounts

There are more elegant solutions and scripts; feel free to improve it as you wish.

Import-Module ActiveDirectory

function Invoke-StaleUserCleanup {

    #Set Date: anything that last logged on at or before this is stale
    $cutoff = (Get-Date).AddDays(-90)

    #Get enabled users whose last logon is before or equal to that date
    #(accounts that have never logged on have no lastLogonDate and are not matched)
    $todisable = Get-ADUser -SearchBase "OU=Users,DC=contoso,DC=com" `
        -Filter {(lastLogonDate -le $cutoff) -and (enabled -eq $True)} `
        -Properties lastLogonDate, description

    #Count the users (@() so a single result still has a .Count)
    $count = @($todisable).Count

    #Edit the description. ForEach-Object is needed so $_ refers to the current user;
    #$_ is not populated when used directly inside a parameter argument.
    $todisable | ForEach-Object {
        Set-ADUser -Identity $_ -Description "$($_.description) Disabled By Stale User Script $(Get-Date -Format d)"
    }

    #Disable the accounts
    $todisable | Disable-ADAccount

    #SMTP server name
    $smtpServer = "exch.contoso.com"

    #Basic table styling for the HTML report
    $style = "<style>table{border-collapse:collapse} th,td{border:1px solid #999;padding:4px}</style>"

    #Creating a Mail object
    $msg = New-Object Net.Mail.MailMessage

    #Creating SMTP server object
    $smtp = New-Object Net.Mail.SmtpClient($smtpServer)

    #Email structure
    $msg.From = "script@contoso.com"
    $msg.ReplyTo = "script@contoso.com"
    $msg.To.Add("brent@contoso.com")
    $msg.Subject = "Stale User Script has Disabled $count Accounts"
    $msg.IsBodyHtml = $True
    $msg.Body = $todisable | Select-Object Name, DistinguishedName, LastLogonDate | ConvertTo-Html -Head $style | Out-String

    #Sending email
    $smtp.Send($msg)
}

Invoke-StaleUserCleanup

I used some information from http://blogs.msdn.com/b/rkramesh/archive/2012/03/16/sending-email-using-powershell-script.aspx for the mail part.

How to Manage Site Permissions – SharePoint 2010

SharePoint's default site permissions are controlled by 3 groups that are created along with the site.

Site Name Owners Group – This is the "superadmin"/"sysadmin" group; these permissions should only be given to users that need to make permission or system changes.

Site Name Members Group – This is the read/write user group. Its members can edit, create, delete and view content on the site.

Site Name Visitors Group – The members of this group can only consume content (view and read). They have no access to change or modify files.

By default, permissions can only be edited by members of the Owners group. As a member of the Owners group, you can select Site Settings > Site Permissions from the ribbon.


Once you have selected this you are on the permissions screen. Click the name of the group you would like to add members to.


Now click New and add users to the group.


Enter names separated by semicolons, or click the address book to search the company directory. Select whether you would like SharePoint to send a message letting them know they have access. You're done! The users you entered will now be displayed in the group list.

Lync Server Access Edge Service Won't Start

Recently I had an out-of-the-blue failure on a Lync Edge server: the critical Lync Server Access Edge service would not start, and it logged the following error in the System log:


Event ID 7024

The Lync Server Access Edge service terminated with the following service-specific error:
%%3286774275

Looking in the Lync Server log, you get a better description of the actual error.


Event ID 12290
The evaluation period has expired.

The evaluation period for Microsoft Lync Server 2013 has expired. Please upgrade from the evaluation version to the fully licensed version of the product. Look at help for Setup.exe to learn how to upgrade from evaluation version to the licensed version.
Cause: The evaluation period for Microsoft Lync Server 2013 has expired.
Resolution:
Please upgrade from the evaluation version to the licensed version of the product. Look at help for Setup.exe to learn how to upgrade from evaluation version to the licensed version.

The simple fix is to update the license on the system. To do this, open the Lync PowerShell and browse to the installation directory \Setup\AMD64\Setup. From there execute the upgrade command:

msiexec.exe /fvomus server.msi EVALTOFULL=1 /qb

Then start the service. You can use Get-CsServerVersion to confirm the license has been updated.

Ref:
http://support.microsoft.com/kb/2468019

Update SQL 2005 32-bit to SQL 2008 R2 64-bit

I recently helped a customer with a complex transition of a SQL Server running a very old 32-bit SQL 2005 to 2008 R2 64-bit. There was a requirement to ensure that all server information was maintained during the migration (name, security, jobs etc.). This also had to take place on the same box. The following is the procedure I followed. I'm not providing full details, so if you're unsure about a step, Google it and I'm sure you will find what you need.

Do this in a lab first! Clone the SQL server and test! I cannot stress this enough.

  1. Confirm the current version of the SQL Server (mine was 9.5.00 SP4).
  2. Record the names of the SQL Server system databases as well as their data and log files.
  3. Download the relevant service packs for the system and have the install files ready (SQL 2005 64-bit install, SP4 64-bit, SQL 2008 R2, SQL 2008 R2 CUs or SPs).
  4. Make sure all users, applications and services are completely off the system.
  5. Make backups of ALL databases; ensure master, model and msdb are also completed.
  6. Uninstall SQL 2005 32-bit to make the instance name available, as the server name was the default instance.
  7. Install SQL 2005 64-bit.
  8. Install SQL 2005 64-bit SP4.
  9. Start the SQL Server in single-user mode: add -m; to the start-up parameters.
  10. Restore the master database. Enter SQLCMD and run:

      RESTORE DATABASE master FROM DISK = 'Z:\SQLServerBackups\master.bak' WITH REPLACE;
      GO

      (The server will stop; remove the -m added in step 9 and start the server.)

  11. Now the tricky part: the previous master database has references to the 32-bit Program Files (x86) path for the system databases, and we need to fix this.
  12. Launch the SQL service in recovery mode (run sqlservr.exe -f -T3608 from the instance's Binn directory).
  13. Fix the paths for the mssqlsystemresource, msdb and model databases, as the SQL service will not start while it is looking at the old locations. (NOTE: you need to adjust the path below for your system and, depending on the names you recorded in step 2, update this command for each database.)
  14. Enter SQLCMD and alter the paths:

      ALTER DATABASE msdb MODIFY FILE (NAME=data, FILENAME= 'C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\msdb.mdf');
      GO
      ALTER DATABASE msdb MODIFY FILE (NAME=LOG, FILENAME= 'C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data\msdblog.ldf');
      GO

  15. Repeat these commands for the model and mssqlsystemresource databases.
  16. You should now be able to start the SQL Server in normal mode. (Control-C the cmd window and it will ask to shut down the SQL Server; then start the SQL Server from Services. If you get errors, check the event log > Application; they will likely be databases whose path you missed updating.)
  17. Attach your user databases.
  18. Start the SQL Server 2008 R2 install and follow the upgrade process.

Congratulations, you're now running SQL Server 2008 R2. From here I applied some service packs and CUs and finished by testing.

If you need to fall back, uninstall everything and install SQL 2005 32-bit, restore the original master backup in single-user mode, then restore the others, followed by attaching the user databases.
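Steps 13 to 15 as an added example (not from the original post): a PowerShell helper that generates one ALTER DATABASE ... MODIFY FILE statement per system database file and runs the script through sqlcmd against the instance started in step 12. The logical and physical file names below are constructed defaults and must be replaced with the names recorded in step 2; the function name is my own.

```powershell
# Added example, not from the original post. Constructed sample: the default logical and
# physical file names of the system databases; replace them with the names you recorded
# in step 2 before running this.
$systemDbFiles = @(
    @{ Db = 'msdb';                Name = 'MSDBData'; File = 'MSDBData.mdf' },
    @{ Db = 'msdb';                Name = 'MSDBLog';  File = 'MSDBLog.ldf' },
    @{ Db = 'model';               Name = 'modeldev'; File = 'model.mdf' },
    @{ Db = 'model';               Name = 'modellog'; File = 'modellog.ldf' },
    @{ Db = 'mssqlsystemresource'; Name = 'data';     File = 'mssqlsystemresource.mdf' },
    @{ Db = 'mssqlsystemresource'; Name = 'log';      File = 'mssqlsystemresource.ldf' }
)

# Emits one ALTER DATABASE ... MODIFY FILE per file, all pointing at the 64-bit data folder
function New-SystemDbPathScript {
    param(
        [Parameter(Mandatory = $true)][string]$DataDir,
        [Parameter(Mandatory = $true)][hashtable[]]$Files
    )
    foreach ($f in $Files) {
        $target = Join-Path $DataDir $f.File
        "ALTER DATABASE [$($f.Db)] MODIFY FILE (NAME = N'$($f.Name)', FILENAME = N'$target');"
        "GO"
    }
}

$dataDir = 'C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Data'
New-SystemDbPathScript -DataDir $dataDir -Files $systemDbFiles |
    Set-Content -Path .\fix-system-db-paths.sql

# Run it against the instance started with -f -T3608 (step 12); -E uses Windows authentication
sqlcmd -S . -E -i .\fix-system-db-paths.sql
```

Review the generated .sql file before running it; every file that still points at the old Program Files (x86) location after this will show up as a startup error in the Application event log, as step 16 describes.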

IE11 and Sharepoint 2010 Problems

Surprise, surprise (remember IE9 and SharePoint 2003): IE11 is released and it won't work with SharePoint 2010 regardless of the version (as of December 19, 2013). The cause is the changes in IE11's compatibility mode (MSDN details).

Initial thoughts are to hard-code the version from 8 to 9, (<meta http-equiv="X-UA-Compatible" content="IE=8"/>)

in the master page. This alleviates some problems (InfoPath forms now work; the previous error was: Critical Error: Object doesn't support this property or method addeventlistener) but it creates others as well (users can't be added to sites: System.InvalidOperationException: Namespace prefix 'xsd' is not defined).

Based upon my trial and error today, I would recommend the following until MS releases a CU; the farm in question is 2010 Enterprise with all standard features and items in use.

Add this JavaScript to the master page just above the body close tag.

<script type="text/javascript">
/* IE11 Fix for SP2010: IE11 has no window.addEventListener quirk-mode shim that SP2010 expects,
   so tell SharePoint's UserAgentInfo to treat the browser as IE (strBrowser = 1). */
if (typeof(UserAgentInfo) != 'undefined' && !window.addEventListener) {
    UserAgentInfo.strBrowser = 1;
}
</script>


SharePoint 2010 & Best IE Settings

I've been experimenting with what should really be a simple setting in GPOs to eliminate the need for users to log on or experience interruptions in service when using SharePoint. These are my findings on what works best:

  1. Assign the sites to the "Intranet Zone" (my root site URL)
  2. Adjust the "Intranet Zone" security level to Low
  3. Adjust the "Intranet Zone" Logon option to "Automatic logon with current user name and password"

All these settings are configured in the GPO.

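An added example (not from the original post) that checks, on a client, whether settings 1 and 3 above actually arrived: it looks up the site in the policy's Site to Zone Assignment List and decodes the Intranet zone's Logon option (registry value 1A00) from the policy hive first and the user hive second. The function name and the sample URL are my own.

```powershell
# Added example, not from the original post. Registry locations and the 1A00 values are
# the ones Microsoft documents for Internet Explorer security zones.
function Test-IntranetZoneConfig {
    param([Parameter(Mandatory = $true)][string]$SiteUrl)   # e.g. 'https://intranet.contoso.com'

    $policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
    $userRoot   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

    # Site to Zone Assignment List: one REG_SZ per site under ZoneMapKey, "1" = Local intranet
    $zoneMap = Get-ItemProperty -Path "$policyRoot\ZoneMapKey" -ErrorAction SilentlyContinue
    $zone = if ($zoneMap) { $zoneMap.$SiteUrl } else { $null }

    # 1A00 is the zone's Logon option: 0 = automatic logon with current user name and password,
    # 0x10000 = prompt, 0x20000 = automatic logon only in Intranet zone, 0x30000 = anonymous
    $logonNames = @{
        0       = 'Automatic logon with current user name and password'
        0x10000 = 'Prompt for user name and password'
        0x20000 = 'Automatic logon only in Intranet zone'
        0x30000 = 'Anonymous logon'
    }
    $logon = $null
    foreach ($zoneKey in "$policyRoot\Zones\1", "$userRoot\Zones\1") {   # policy wins over user
        $p = Get-ItemProperty -Path $zoneKey -Name '1A00' -ErrorAction SilentlyContinue
        if ($p) { $logon = [int]$p.'1A00'; break }
    }

    [pscustomobject]@{
        Site             = $SiteUrl
        MappedToIntranet = ($zone -eq '1')
        LogonOption      = if ($null -ne $logon -and $logonNames.ContainsKey($logon)) { $logonNames[$logon] } else { 'not set' }
    }
}

Test-IntranetZoneConfig -SiteUrl 'https://intranet.contoso.com'
```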