Monday, December 19, 2011

Office 365: Rich coexistence failure because DirSync cannot write back to local AD

DirSync makes it very easy to populate all user accounts etc. from the internal AD to Office 365. Errors during exporting and syncing user data are reported via e-mail, so you can follow up on them.
For rich coexistence DirSync writes certain attributes back to AD, e.g. proxyAddresses.
Errors in this write-back are not reported; you have to find them in DirSync's "unofficial" UI.

If you see "Insufficient access rights to perform the operation." there, the user MSOL_AD_SYNC does not have permission to write those attributes.
This can happen because you assigned permissions at the user level and disabled the "Include inheritable permissions from this object's parent" option.

From there you have two options: enable inheritance again, or add the permissions manually to each account.
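To find the affected accounts before the next export fails, here is an added example (not from the original post) that reports user objects on which inheritance is blocked and the sync account holds no write ACE for proxyAddresses. It assumes the ActiveDirectory module from the Windows 2008 R2 RSAT, a sync account named MSOL_AD_SYNC in the current domain, and the OU path shown; all three are assumptions to adjust.

```powershell
# Added example, not from the original post: report user objects on which the
# DirSync service account cannot write proxyAddresses. Assumptions: the
# ActiveDirectory module is present, the sync account is MSOL_AD_SYNC and the
# OU below exists in your domain.
Import-Module ActiveDirectory

$syncAccount = "$env:USERDOMAIN\MSOL_AD_SYNC"      # assumed account name
$searchBase  = 'OU=Users,DC=crypto-live,DC=org'   # assumed OU, adjust to yours

# Look up the schemaIDGUID of proxyAddresses instead of hard-coding it;
# attribute-level ACEs carry this GUID in their ObjectType.
$schemaNC  = (Get-ADRootDSE).schemaNamingContext
$attrObj   = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=proxyAddresses)' -Properties schemaIDGUID
$proxyGuid = [guid]$attrObj.schemaIDGUID
$writeProp = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

function Test-SyncWriteAccess {
    param([string]$DistinguishedName)
    $acl = Get-Acl -Path ("AD:\" + $DistinguishedName)
    # An ACE grants the write if it is an Allow for the sync account that
    # includes WriteProperty and is scoped to proxyAddresses or to all properties.
    $grant = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -eq $syncAccount -and
        (($_.ActiveDirectoryRights -band $writeProp) -ne 0) -and
        ($_.ObjectType -eq $proxyGuid -or $_.ObjectType -eq [guid]::Empty)
    }
    New-Object PSObject -Property @{
        DistinguishedName  = $DistinguishedName
        InheritanceBlocked = $acl.AreAccessRulesProtected   # true = "include inheritable permissions" is off
        SyncCanWrite       = [bool]$grant
    }
}

# List only the accounts that will fail with "Insufficient access rights".
Get-ADUser -SearchBase $searchBase -Filter * |
    ForEach-Object { Test-SyncWriteAccess -DistinguishedName $_.DistinguishedName } |
    Where-Object { -not $_.SyncCanWrite } |
    Format-Table DistinguishedName, InheritanceBlocked, SyncCanWrite -AutoSize
```

Accounts listed with InheritanceBlocked = True are the ones from the post: either re-enable inheritance on them or grant the write on each object explicitly.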

Office 365: Off-boarding a mailbox

On-boarding a mailbox to Office 365 is quite simple to do with the Exchange Management Console. But how do you off-board a mailbox? You might ask why you should do that: well, just to be prepared, in case you have to.

First create a PowerShell session to O365:
$cred365 = Get-Credential
$CloudSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $cred365 -Authentication Basic -AllowRedirection -WarningAction SilentlyContinue
Import-PSSession $CloudSession -Prefix 365

Now run the move request (-Outbound moves the mailbox from the cloud to the on-premises database; $credOnP holds your on-premises credentials):
$credOnP = Get-Credential
New-365MoveRequest -Outbound -Identity 'user@domain.com' -RemoteHostName mail.domain.com -TargetDeliveryDomain domain.com -RemoteCredential $credOnP -RemoteTargetDatabase 'Mailbox Database 041637xxxx'


Afterwards you can find the new move request in the EMC under your Office 365 tenant in "Move Requests".
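If you would rather watch the move from the same PowerShell session than in the EMC, here is an added example (not from the original post) that polls the request until it completes or fails. It assumes the session above was imported with -Prefix 365 and uses the same user@domain.com identity; the timeout and poll interval are assumptions.

```powershell
# Added example, not from the original post: poll an outbound move request
# until it finishes and report the result. Assumes the O365 session was
# imported with -Prefix 365 (so the cmdlets are New-365MoveRequest etc.).
function Wait-365MoveRequest {
    param(
        [string]$Identity,
        [int]$TimeoutMinutes = 120,   # assumption: adjust to mailbox size
        [int]$PollSeconds = 60
    )
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $stats = Get-365MoveRequestStatistics -Identity $Identity
        Write-Host ("{0}: {1} ({2}% complete)" -f (Get-Date -Format 'HH:mm:ss'), $stats.Status, $stats.PercentComplete)
        # Status values include Queued, InProgress, Completed, CompletedWithWarning, Failed, Suspended
        if ($stats.Status -like 'Completed*' -or $stats.Status -eq 'Failed') { return $stats }
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)
    Write-Warning "Move of $Identity still running after $TimeoutMinutes minutes"
    return $stats
}

$result = Wait-365MoveRequest -Identity 'user@domain.com'
if ($result.Status -eq 'Failed') {
    # The report carries the failure reason; keep the request for inspection.
    Get-365MoveRequestStatistics -Identity 'user@domain.com' -IncludeReport |
        Select-Object -ExpandProperty Report
}
```

A completed request stays listed until it is removed, so remove it (Remove-365MoveRequest) once you have checked the mailbox on-premises.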



Saturday, November 19, 2011

Office 365 DirSync 64bit based on FIM 2010

Office 365 DirSync for 64-bit servers (2008 and 2008 R2) is here.

http://community.office365.com/en-us/w/sso/555.aspx


Best practice is still to have at least one of each of these servers for a setup with federated identities and Exchange rich coexistence:
- ADFS server (plus ADFS proxy or TMG or similar)
- DirSync server
- Exchange 2010 Hybrid server

By the way: if you try to install DirSync 64-bit on a Windows 2008 R2 DC you will see this message.


And it still has the same "scary" error about the MSOLCoExistence registry key. Run the config wizard with elevated rights.


Error: Access to the registry key 'HKEY_LOCAL_MACHINE\Software\Microsoft\MSOLCoExistence' is denied.

Monday, November 14, 2011

Do I need an OCSP responder?

OCSP - Online Certificate Status Protocol

I was thinking about the question of why and when I should add OCSP to a PKI. And I see a lot of reasons why smaller organizations might not need OCSP, and large companies not necessarily either.

- With Windows 2008 R2, OCSP uses the CRL as its data set, so you must issue fresh CRLs more often.
- If you do not revoke certificates, or have an alternative method to block access to your service (e.g. disabling the user account in AD), then OCSP is only overhead. Review your revocation policy; if you don't have one, create one!
- Not all of your clients might "speak" OCSP (e.g. Windows 2000 and Windows XP).
- Check network connectivity from all your potential clients to the OCSP server; your clients contact the OCSP responder on every certificate check. This can cause latency issues for your applications.
- For e.g. Cisco concentrators you do not need to publish the OCSP path in all certificates; you can configure the OCSP path on the concentrator.
- Most clients cache the CRL locally, so if the CRL distribution point is unavailable for a short time, let's say 4 hours when your CRL validity is 2 weeks, most of your systems will still work without any issue. If you rely only on OCSP, make it highly available.
- Think also about additional license cost, operational cost and support.

OCSP is a great improvement in environments with a high number of revocations, which means larger CRLs (in size). Unfortunately it is not easy to say when OCSP makes sense and when not; it highly depends on how applications check revocation status.

And OCSP is not a simple replacement for CRLs; it gives you more capabilities to manage certificate revocation. So it is more a logical extension of a PKI.

[Update] Google disables CRL and OCSP checks in the next Chrome version http://www.imperialviolet.org/2012/02/05/crlsets.html

---------------------------
Note 1: You can use 3rd-party OCSP responders or clients as well to overcome the Windows OCSP limitations.
Note 2: On Windows 2008 R2, the Enterprise Edition is needed for each OCSP server installation.
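Two of the points above (which endpoints a certificate actually advertises, and whether clients can fall back to a cached CRL when the responder is unreachable) can be checked from any Windows client with the .NET chain engine. The following is an added example, not from the original post: it lists the AIA and CRL distribution point URLs of a certificate and builds its chain in Online and Offline revocation mode. The choice of the first private-key certificate in the machine store and the 15-second retrieval timeout are assumptions.

```powershell
# Added example, not from the original post: list the revocation endpoints a
# certificate advertises and build its chain with different revocation modes,
# to see whether this client can still validate from cached CRL data when the
# OCSP responder or CDP is unreachable. Uses only .NET X509Chain.
Add-Type -AssemblyName System.Security

function Get-RevocationEndpoints {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # 1.3.6.1.5.5.7.1.1 = Authority Information Access (OCSP and CA issuer URLs)
    # 2.5.29.31         = CRL Distribution Points
    foreach ($ext in $Certificate.Extensions) {
        if ('1.3.6.1.5.5.7.1.1', '2.5.29.31' -contains $ext.Oid.Value) {
            $kind = if ($ext.Oid.Value -eq '2.5.29.31') { 'CRL' } else { 'AIA' }
            # Format($true) renders the extension as text containing "URL=http://..." entries.
            foreach ($m in [regex]::Matches($ext.Format($true), 'URL=(\S+)')) {
                New-Object PSObject -Property @{ Kind = $kind; Url = $m.Groups[1].Value }
            }
        }
    }
}

function Test-ChainRevocation {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]$Mode = 'Online'
    )
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = $Mode
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)   # assumption
    $valid = $chain.Build($Certificate)
    New-Object PSObject -Property @{
        Mode   = $Mode
        Valid  = $valid
        Status = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
    }
}

# Assumption: the first certificate with a private key in the machine store is
# a server certificate issued by your internal or public CA.
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey } | Select-Object -First 1
Get-RevocationEndpoints -Certificate $cert | Format-Table Kind, Url -AutoSize

# Online fetches fresh CRL/OCSP data; Offline uses only what is cached locally.
# "RevocationStatusUnknown" or "OfflineRevocation" in Offline mode means this
# client has no cached CRL to fall back on when the responder is down.
'Online', 'Offline' | ForEach-Object { Test-ChainRevocation -Certificate $cert -Mode $_ } |
    Format-Table Mode, Valid, Status -AutoSize
```

Run it once from a client that has network access and once from a client behind the firewall you are unsure about; the Status column shows directly whether the connectivity issue from the list above affects revocation checking.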

Friday, November 11, 2011

Office 365 password change for webmail-only remote users

Recently a question came to my mind about password change for remote users if they only use OWA.
They might work from home with their personal computer. A password change is then not enforced, and a password change via CTRL-ALT-DEL will not change the AD password.

In a setup with federated identities those users will still see a URL for password change in OWA, but they can't access it. And of course they do not have a password on O365 at all (maybe a very long random password, as we know it from smart-card-only users). So my idea was to search for an option to define an alternative URL, but no luck. MS Online confirmed that there is no option today to define such a URL.



Okay, so what. Let's go and grab IISADMPWD from Windows 2003 IIS and tell the users the new URL to change the password. I would like to have them change their password every 43 days (or whatever). IISADMPWD works, even though it is not supported anymore, also with IIS 7. But I found one catch: if you are using an ADFS proxy server, which is usually not a domain member and located highly protected in a DMZ, then IISADMPWD cannot be used to change the AD passwords.
So maybe I can extend IISADMPWD with a web service running on the ADFS server. Let's see if I get this done before the end of this year.

Friday, October 28, 2011

Office 365 limits - Exchange online vs Exchange on-premise

I like Office 365 and I encourage every organization to at least consider it seriously.
So none of my points are against Office 365, but I think a few things should be known. All of this is public information, but it is hard to get a comprehensive view.
I know that I am limited: in time, in money, in material, in knowledge, in allowance, etc.
So your on-premises Exchange setup has limits too: mailbox size, size of an e-mail, size of attachments, number of recipients in one e-mail and so on. Some are set by an administrator, others are predefined or are technical limitations. And your smart users have probably already figured out how to work around them. :-)

Notes:
- Cloud service features and available resources change frequently, so take this list as a starting point, not as a final and complete list.
- By the nature of cloud services you give up (for better or worse) a lot of your administrative burden and permissions.
- Some limitations are less important if you still have an on-premises Exchange, e.g. for fax gateway integration or BlackBerry BES.
- Before you start a pilot or the migration, take some time to write up a service description of your on-premises messaging environment from all the different views: end user, mobile end user, administrators, auditors, change management.
- All information is in regard to Office 365 E plans (http://www.microsoft.com/en-us/office365/buy-midsize-enterprise.aspx?WT.z_O365_ca=Buy_how-to-get_en-us#fbid=9hDlNaUhDNH)


Features:
- No public folders available, and cloud users do not have access to on-premises public folders
- No delegate access between cloud users and on-premises users
- No S/MIME support in OWA, not even if you install the S/MIME ActiveX control manually
- S/MIME certificates are not synchronized to O365 via DirSync; the Outlook GAL export works but is an unmanaged, end-user-driven task
- Access to O365 Exchange is over RPC over HTTP and web services; if you have a MAPI-only application it will not work with O365
- OWA 2003 cannot access free/busy information of cloud users
- ActiveSync does not support certificate-based authentication
- An Exchange 2003 organization must be in native mode, not in mixed mode, for the Hybrid server setup


Exchange related:
- More network bandwidth needed for Internet access
- Groups with over 15,000 members do not sync
- Dynamic groups are ignored
- 25 GB storage limit for each mailbox; with E Plan 2 users can store more data in the personal archive
- You cannot move mailbox items larger than 25 MB to O365.

- Inbox folder: 20,000 items
- Sent Items folder: 20,000 items
- Deleted Items folder: 20,000 items
- Calendar: 5,000 items
- Contacts: 5,000 items
- Message size limit 25 MB (OWA 10 MB)
- Size of a single mailbox item: ??

Lync related:
- Lync Online does not work with room-based conferencing systems
- Must have a different SIP domain (real coexistence is not available)


SharePoint related:
- 20,000 user limit (hope to see that increased soon)
- No federated search




Find more at
http://community.office365.com/en-us/f/183/p/1541/5095.aspx
http://www.microsoft.com/download/en/details.aspx?id=13602
Thursday, October 27, 2011

Office 365 magic auto logon to webmail

The standard way to log on to Office 365 Outlook (webmail) is via https://login.microsoftonline.com. Then you type the username (MS Online ID), and if you are configured with a federated identity the password field will be grayed out and you will see another "button" to proceed to the logon via your ADFS server, where you might have to type the same username again. Technically nothing is wrong with that, I just think it is too complicated for users to do this all the time.
So first I was thinking of writing a web page that uses integrated or basic authentication for user authentication, then performs a lookup in Active Directory to get the UPN etc. and creates the login URL including the MS Online ID. STOP. Way too complex thinking. In the end I analyzed a bookmark to O365 webmail and voilà, after a few modifications and shortening
I came up with

https://www.outlook.com/owa/?exsvurl=1%24&delegatedOrg=ServiceDomain&ll-cc=en-US&realm=FedDomain


ServiceDomain is e.g. cryptolive.onmicrosoft.com
FedDomain is e.g. crypto-live.org

Now you can create a desktop shortcut or a start menu entry or add it as a link on a portal or add this via GPO to all your users favorite bookmarks or ....

[Update: Even much easier to just access https://outlook.com/crypto-live.org]

Saturday, October 15, 2011

Office 365 and UPN

What if... the UPN suffix in your AD does not match the registered domain in Office 365? E.g. ad.local does not match crypto-live.org.
Maybe you want to start with a small group of users, maybe a trial. And you do not want to change the UPNs for your 1,000, 25,000 or 300,000 users? Why would I care about the number of users if it is just a pilot for now?
In this post I am speaking about federated identities in Office 365. Technically that means you have a directory synchronisation (DirSync) and a federation server (ADFS) for authentication services.

Federated identities do not have passwords on the Office 365 system itself; all authentication is provided by the company's Active Directory credentials via ADFS, also for IMAP etc. (see my other post).
It is important to know that the current DirSync setup will sync all objects with an e-mail address and all security groups to Office 365. The sync has only a basic filter. Changing the DirSync configuration is not supported by MS Online, at least not for now.
So what to do? Changing the UPN is risky in larger organizations. Maybe you can live with an unsupported DirSync and wait until the Online team provides documentation on how to deal with UPN changes.

DirSync is based on ILM 2007, and the DirSync install also includes the management console to modify the management agents. You only need to modify the attribute flow for UPN on the source AD MA. You can change it to read from mail and write to UPN in the ILM metaspace. Virtually any attribute in AD can be used, as long as it is a valid logon name in Office 365.
So by default DirSync syncs a UPN like lutz@AZ to Office 365. And Office 365 says: ooops, I do not know that identity, and creates an online ID lutz@cryptolive.onmicrosoft.com. Besides that being a really ugly ID (and way too long for users), ADFS does not know how to find the corresponding user account in AD. Okay, claim rules are your friend, but wait...

E-mail addresses have become an identity factor in the last years. Before, e-mail addresses were changed like other people change clothes (metaphor alarm!). Seriously, if you exchange data today with Dropbox or on Google Apps, the identity key is the e-mail address (I have a post about this as well). That is also true for MS Rights Management Services. So e-mail is a good attribute to use for the identity; just make sure that all your e-mail addresses (mail attribute) are unique. AD does not enforce that, and it is not too complicated to change the e-mail address.
DirSync is changed, but the user still cannot log on to Office 365. Not yet. First we need to modify the claim rule from UPN to e-mail via the ADFS 2.0 MMC.

We can log on now! With any browser or Outlook. Not rocket design, but close :-)
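Two things from this post are worth scripting before you flip the identity to mail: the uniqueness check on the mail attribute (AD does not enforce it), and the changed issuance rule on the Office 365 relying party trust. The following is an added example, not from the original post. It assumes the ActiveDirectory module and the ADFS 2.0 snap-in are installed, that the relying party is named "Microsoft Office 365 Identity Platform" as created by Convert-MsolDomainToFederated, and that the rule text below has the same shape as the rule that cmdlet generates; compare it with the rule on your own ADFS server before replacing anything.

```powershell
# Added example, not from the original post: (1) find duplicate mail values in
# AD, which break using mail as the logon identity; (2) show the Office 365
# issuance rule with the LDAP query reading mail instead of userPrincipalName.
# Assumptions: RSAT ActiveDirectory module, ADFS 2.0 snap-in, relying party
# name as created by Convert-MsolDomainToFederated.
Import-Module ActiveDirectory

function Find-DuplicateMail {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)
    Get-ADObject -SearchBase $SearchBase -LDAPFilter '(mail=*)' -Properties mail |
        Group-Object { $_.mail.ToLowerInvariant() } |     # compare case-insensitively
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            New-Object PSObject -Property @{
                Mail    = $_.Name
                Objects = ($_.Group | ForEach-Object { $_.DistinguishedName }) -join '; '
            }
        }
}

$dupes = @(Find-DuplicateMail)
if ($dupes.Count -gt 0) {
    $dupes | Format-Table Mail, Objects -AutoSize
    throw "Resolve duplicate mail values before switching the identity to mail."
}

# Issuance transform rule: same shape as the rule Convert-MsolDomainToFederated
# creates (assumption), but the LDAP query reads mail for the UPN claim.
# ImmutableID stays objectGUID so already-synced objects keep matching.
$rule = @'
@RuleName = "Issue UPN from mail"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory",
          types = ("http://schemas.xmlsoap.org/claims/UPN", "http://schemas.microsoft.com/LiveID/Federation/2008/05/ImmutableID"),
          query = "samAccountName={0};mail,objectGUID;{1}",
          param = regexreplace(c.Value, "(?<domain>[^\\]+)\\(?<user>.+)", "${user}"),
          param = c.Value);
'@

Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue
$rp = Get-ADFSRelyingPartyTrust -Name 'Microsoft Office 365 Identity Platform'   # assumed name
# Show the rules currently in place so the change can be reviewed first.
$rp.IssuanceTransformRules
# Apply only after review; this replaces the whole rule set of the trust:
# Set-ADFSRelyingPartyTrust -TargetRelyingParty $rp -IssuanceTransformRules $rule
```

The duplicate check stops with an error on purpose: once mail is the logon name, two objects with the same address mean one of them can no longer be matched by ADFS.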
Monday, October 10, 2011

Office 365 IMAP and POP3 authentication

I was wondering how authentication for IMAP and POP3 works in an Office 365 federated scenario with DirSync and ADFS, because the passwords never leave the on-premises Active Directory.
In the Google world I need to install a PCNS service to grab all passwords on the next password change and sync the passwords over to Google Apps.
I think Microsoft is doing this in a smarter way. If you log in via IMAP to O365 you need to type in your username (MS Online ID) and password. Then O365 performs a logon to the ADFS server. Easy thing, great job, Microsoft!

Thursday, August 25, 2011

RMS protection on the Mac OS with MS Office 2011

If you have a MacBook or iMac or Mac mini server (I got one for me too) then you might be interested to see that you can consume and create RMS-protected documents on your preferred OS as well. I think that is the first non-Windows platform support for RMS from Microsoft. I published a few screenshots here:

http://www.prorms-alliance.org/home/featured/rms-and-mac-office-2011

Friday, August 19, 2011

Outlook connection issues with Exchange 2010 mailboxes because of the RPC encryption requirement

With Exchange 2010 RTM Microsoft enabled RPC encryption on the server side, so users had to enable it in their Outlook profile as well, which is the case with Outlook 2007 and 2010, but not with Outlook 2003.
Maybe Microsoft got so many complaints from Outlook 2003 users (or administrators) that they decided to make RPC encryption optional on the Exchange Server side again.
How odd is this?!

source: http://support.microsoft.com/kb/2006508

Tuesday, August 9, 2011

Wildcard vs. CN certificates or how to reduce the pain of management of SSL certificates

If you use a reverse proxy, e.g. Apache or Microsoft ISA Server/TMG 2010, you might already have run into one of these:
- some certificates are publicly signed, others are from the internal CA
- certificate validity ranges from 1 year to 3 years, and nobody knows why not all are good for 3 years
- every certificate has a different validity start date and expiration date
- it is exhausting to renew certificates with Subject Alternative Names
- each web site or SSL listener has its own certificate
- no (semi-)automatic certificate renewal process

Maybe you can run it this way with 5 web sites, but what if you have 20, 40, 180 or more websites on your reverse proxy?

So what?
- Request only 2048-bit RSA certificates next time
- Secure internal-only and external-facing websites with public certificates
- Don't buy certificates on a daily basis; get as many as you can from one public CA. It makes troubleshooting much easier.
- Request one wildcard certificate, so instead of www.domain.com use *.domain.com
- Wildcard certificates do not work with all services; if so, use at least SAN entries
- Buy/request certificates for 3 years instead of 1 year
- Renew certificates in bulk, e.g. every January, and start the renewal process early
- Create a script with openssl or a certreq.inf file
e.g. an inf file to request a certificate from an internal Windows CA

[NewRequest]
Subject="CN=win4012.crypto-live.org"
Exportable=TRUE
KeyLength=2048
KeySpec=1
KeyUsage=0xf0
MachineKeySet=TRUE
SMIME = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = CMC


[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
OID=1.3.6.1.5.5.7.3.2


[RequestAttributes]
CertificateTemplate = CLWebServer ;Omit line if CA is a stand-alone CA
SAN="dns=win4012.crypto-live.org&dns=cl4000.crypto-live.org"



And here we are with the batch file, to complete this post.

echo ================  >> certreq.log
REM create the request from the inf file
certreq -f -NEW win4012.inf win4012.csr >> certreq.log
REM submit it to the CA (config = "CA host\CA name") and fetch the issued certificate
CertReq -f -Submit -config "win4011.crypto-live.org\AAA Crypto Live 4000" win4012.csr win4012.cer >> certreq.log
REM bind the issued certificate to the private key in the machine store
CertReq -accept win4012.cer >> certreq.log
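Before you can renew in bulk you need to know what is actually installed on each proxy. The following inventory script is an added example, not part of the original post: it walks the machine store of a TMG/ISA/IIS host and flags the problems listed at the top of the post (mixed issuers, short keys, scattered expiry dates, missing SAN/wildcard coverage). The 60-day warning window and the store path are assumptions.

```powershell
# Added example, not from the original post: inventory the server certificates
# in the machine store and flag expiry within N days, keys shorter than
# 2048 bits, wildcard/SAN coverage and the issuer mix.
function Get-CertificateInventory {
    param(
        [string]$StorePath = 'Cert:\LocalMachine\My',   # assumption
        [int]$WarnDays = 60                              # assumption
    )
    Get-ChildItem $StorePath | Where-Object { $_.HasPrivateKey } | ForEach-Object {
        $cert = $_
        # SAN extension (OID 2.5.29.17); Format($true) yields "DNS Name=host" lines.
        $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $sans = @()
        if ($sanExt) {
            $sans = @([regex]::Matches($sanExt.Format($true), 'DNS Name=(\S+)') | ForEach-Object { $_.Groups[1].Value })
        }
        $cn       = if ($cert.Subject -match 'CN=([^,]+)') { $Matches[1] } else { $cert.Subject }
        $issuer   = if ($cert.Issuer  -match 'CN=([^,]+)') { $Matches[1] } else { $cert.Issuer }
        $keyBits  = $cert.PublicKey.Key.KeySize
        $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays

        $flags = @()
        if ($daysLeft -le $WarnDays) { $flags += 'EXPIRING' }
        if ($keyBits -lt 2048)       { $flags += 'WEAK-KEY' }

        New-Object PSObject -Property @{
            Subject    = $cn
            Issuer     = $issuer
            KeyBits    = $keyBits
            SanCount   = $sans.Count
            Wildcard   = $cn.StartsWith('*.') -or (@($sans | Where-Object { $_.StartsWith('*.') }).Count -gt 0)
            NotAfter   = $cert.NotAfter
            DaysLeft   = $daysLeft
            Flags      = ($flags -join ',')
            Thumbprint = $cert.Thumbprint
        }
    }
}

$inv = Get-CertificateInventory
$inv | Sort-Object DaysLeft | Format-Table Subject, Issuer, KeyBits, SanCount, Wildcard, DaysLeft, Flags -AutoSize

# Issuer mix at a glance: the goal from the post is one public CA.
$inv | Group-Object Issuer | Select-Object Name, Count
```

Export the result to CSV from each proxy and merge them; the DaysLeft column is what tells you whether "renew every January" is realistic or whether a few certificates need an early renewal first.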



Thursday, August 4, 2011

Forefront Identity Manager 2010 R2 beta available

If you were ever interested in what the next version of FIM would be: it is an R2 version.
By the way, my favorite was FIM V.next ;-)
GA is planned for the first half of 2012. To highlight:
- web based password reset
- Outlook 2010 support

From the beta release notes I couldn't find too much about certificate management in FIM 2010 R2. If there is something new I will post it as soon as I have the beta running. The beta is publicly available, so go and try it yourself.

http://blogs.technet.com/b/forefront/archive/2011/08/01/key-improvements-in-forefront-identity-manager-r2.aspx


Beta test on Certificate Management:
- same schema extensions as before
- still needs IIS 6 management compatibility
- no news on CA modules
...so nothing new here at all.




Monday, July 4, 2011

Testing IPv6

The other day I configured an IPv6 address as a tunnel via Hurricane Electric http://www.tunnelbroker.net. Everything went smoothly with my Apple AirPort.


I got all IPs and a screenshot for my AirPort from HE. By the way: my current internet provider is Cox. Cox does not offer IPv6 testing for residential services yet.
Afterwards I tested IPv6 connectivity with http://test-ipv6.com/
Other sites where you can see your fresh IPv6 address are:
http://www.opendns.com/
http://www.heise.de/netze/tools/ip/

Monday, May 9, 2011

Office365 - Step by step

- Apply online for the Office365 Beta for Enterprises at http://g.microsoftonline.com/0BXPS00EN/1130?OfferId=B07A1127-DE83-4a6d-9F85-2C104BDAE8B4&dl=ENTERPRISEPACK&culture=en-us&Country=US, fill in your data and you are ready to go in a few minutes.

- Log on to https://login.microsoftonline.com/ with your new admin account

Info: If you have only one admin and you lost the password you can request a password reset at https://portal.microsoftonline.com/Support/NewSignupServiceRequest.aspx

- Add your real domain name to Office365. You must have access to the DNS settings of your domain; that is how Office365 checks your domain ownership. It can take a while until your new DNS settings are published and replicated to all Internet DNS servers. Microsoft says it can take up to 72 hours before the update is propagated properly. In our case it was 24h, others were ready in 15 minutes.

- NEXT: Configure Single Sign-On with AD Federation Services
Note: Run this from your AD FS server.
Download the Online Services PowerShell packages to this machine; it needs Internet access.

Microsoft Online Services Sign-In Assistant
http://office.microsoft.com/en-us/word-help/redir/XT102098593.aspx?CTT=5&origin=HA102065466

Microsoft Online Services Module for Windows PowerShell
http://g.microsoftonline.com/0BD00en-US/126

After you have installed both packages run "Microsoft Online Services Module for Windows PowerShell" from the Start menu.



Set-ExecutionPolicy RemoteSigned

$cred = Get-Credential

Connect-MsolService -Credential $cred

# Point the module at your AD FS server first; it defaults to the local machine when run on the AD FS server itself
Set-MsolADFSContext -Computer win4011

# Converts the domain to federated and writes the Office 365 relying party trust to AD FS
Convert-MsolDomainToFederated -DomainName crypto-live.org


 
- Install and configure Directory Sync
You cannot create users in O365 for Single Sign-On from the web interface. You need the DirSync tool to sync your AD users to O365.
 
Go to your O365 Admin Web


Admin Overview/Users/Active Directory synchronization: Set up

Activate Active Directory synchronization

DirSync requires:

1) .NET Framework 3.5 http://download.microsoft.com/download/2/0/e/20e90413-712f-438c-988e-fdaa79a8ac3d/dotnetfx35.exe
Hint: run dotnetfx35.exe /q for a silent installation

2) PowerShell (comes with 2008)
servermanagercmd -install Powershell

DO NOT install DirSync on your ADFS server. Since Nov 2011 you have the option to run DirSync on a 32-bit or a 64-bit OS. 32-bit runs on Windows 2003 and 2008, 64-bit on Windows 2008 and 2008 R2.


Now download DirSync 32bit from http://g.microsoftonline.com/0BX10en/216

Or DirSync 64bit from https://bposast.vo.msecnd.net/dirsync/prod64/dirsync.exe


Start DirSync and have an Enterprise Admin near you.

Note: If you have more than 10,000 objects, tell this to Microsoft in a ticket so they increase the limit of directory imports on their side.

Note: If you have more than 50,000 objects to sync, tell Microsoft this as well and install DirSync with a full SQL Server, e.g. SQL Server 2008 R2. DirSync comes with the Express version of SQL 2008 R2, which has a database limit of 10 GB.



How to set up DirSync for more than 50,000 users:
- dirsync /fullsql
- start PowerShell (I always use an elevated prompt)
- Add-PSSnapin Coexistence-Install
- $cred = Get-Credential ; credentials of your DirSync service account
- Install-OnlineCoexistenceTool -UseSQLServer -SqlServer sqlservername -SqlServerInstance dirsync -ServiceCredential $cred -Verbose ; make sure you have the SqlServerInstance specified

- Run the Config Wizard from the Start menu; now you need your Enterprise Admin :-)
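The cautions in this section (not on a DC, not on the ADFS server, right architecture, .NET 3.5, and the 10,000 / 50,000 object thresholds) are easy to check up front. The script below is an added example, not from the original post. It assumes the AD FS 2.0 service is named adfssrv, that DirSync's scope is "objects with an e-mail address plus security groups" as the UPN post above states, and that the .NET 3.5 registry key is the standard NDP\v3.5 key.

```powershell
# Added example, not from the original post: check a candidate DirSync host
# against the cautions in this section before running the installer.
# DomainRole 4 = backup DC, 5 = primary DC (Win32_ComputerSystem).
function Test-DirSyncHost {
    $cs = Get-WmiObject Win32_ComputerSystem
    $os = Get-WmiObject Win32_OperatingSystem

    $isDC   = $cs.DomainRole -ge 4
    $isAdfs = [bool](Get-Service -Name adfssrv -ErrorAction SilentlyContinue)   # AD FS 2.0 service (assumed name)
    $is64   = $os.OSArchitecture -like '64*'
    $net35  = Test-Path 'HKLM:\SOFTWARE\Microsoft\NET Framework Setup\NDP\v3.5'

    # Count what DirSync will pick up: every object with an e-mail address plus
    # all security groups (groupType bit 0x80000000). Paging gets past the
    # 1000-entry default of a plain LDAP search.
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter   = '(|(mail=*)(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=2147483648)))'
    $searcher.PageSize = 1000
    $searcher.PropertiesToLoad.Add('distinguishedName') | Out-Null
    $objectCount = $searcher.FindAll().Count

    $findings = @()
    if ($isDC)       { $findings += 'host is a domain controller' }
    if ($isAdfs)     { $findings += 'AD FS is installed here; use a separate server' }
    if (-not $is64)  { $findings += '32-bit OS: use the 32-bit DirSync package' }
    if (-not $net35) { $findings += '.NET Framework 3.5 missing' }
    if ($objectCount -gt 50000)     { $findings += "$objectCount objects: open a ticket and install with /fullsql" }
    elseif ($objectCount -gt 10000) { $findings += "$objectCount objects: open a ticket to raise the import limit" }

    $summary = 'OK'
    if ($findings.Count -gt 0) { $summary = $findings -join '; ' }

    New-Object PSObject -Property @{
        Computer    = $cs.Name
        Is64Bit     = $is64
        ObjectCount = $objectCount
        Findings    = $summary
    }
}

Test-DirSyncHost | Format-List
```

Run it on the server you intend to use before downloading either package; the Findings line tells you which of the two installers applies and whether a ticket with Microsoft is needed before the first full import.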
Thursday, May 5, 2011

CryptoLive in the Cloud with Microsoft Office365

Crypto Live is joining the Office365 beta

See what Microsoft Office365 can do for you:
http://www.microsoft.com/en-us/office365

Monday, May 2, 2011

ProRMS Alliance - Rights Management

I am proud to announce a new group for data security methods, the ProRMS Alliance. Rights Management overcomes a lot of restrictions and problems we had in the past and today with traditional data encryption. It adds two more layers, usage and identity. So the data owner has full control even after she has sent the document out to someone on the Internet.

http://www.prorms-alliance.org/

Friday, February 4, 2011

Generate certificate request for SCOM

SCOM uses certificates for mutual authentication between agent and server for standalone machines or machines in a different Active Directory.


1. Get your Root CA certificate as a file and import it into the Trusted Root Certification Authorities store, if not already done.


2. Create a file named scom.inf:

Hint: If your agent machine is not in AD, use the computer's full name including the domain name as the subject, e.g. server1.crypto-live.org

[NewRequest]
Subject="CN="            ; fill in the full computer name, e.g. CN=server1.crypto-live.org
Exportable=TRUE
KeyLength=1024
KeySpec=1
KeyUsage=0xf0
MachineKeySet=TRUE
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
OID=1.3.6.1.5.5.7.3.2


Both OIDs are needed, one for server and one for client authentication.

3. Create a new certificate request file hostname.csr:

CertReq.exe -New -f scom.inf hostname.csr

4. If not already done, make a copy of the Web Server certificate template and call it "SCOM Machine". Ensure the key is exportable and the extended key usage includes client authentication and server authentication. Assign access rights for your user accounts and assign the "SCOM Machine" certificate template to the Certification Authority.

5. Submit the request to your CA.

6. Download the certificate to a file (.cer).

7. Import the certificate into the certificate store:

CertReq.exe -accept NewCertificate.cer

8. Run momcertimport.exe to tell the SCOM agent about the new certificate.
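momcertimport.exe gives little feedback when the certificate it was pointed at is unusable, so it pays to validate the imported certificate first. The check below is an added example, not from the original post: it confirms the private key is present, both EKUs from scom.inf are set, the subject CN equals the machine's FQDN (the hint in step 2) and the chain builds to the root imported in step 1. Matching the CN against the DNS host entry is this example's assumption; the 2048-bit minimum is the same recommendation the wildcard-certificate post on this page makes, while the scom.inf above requests 1024, so raise KeyLength or drop that line of the check as you prefer.

```powershell
# Added example, not from the original post: verify a certificate in the
# machine store meets the SCOM agent requirements before momcertimport.exe.
$serverAuth = '1.3.6.1.5.5.7.3.1'
$clientAuth = '1.3.6.1.5.5.7.3.2'

function Test-ScomCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)

    # Read the EKU extension directly rather than relying on provider-added properties.
    $ekuExt = $Certificate.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekus = @()
    if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

    $cn   = if ($Certificate.Subject -match 'CN=([^,]+)') { $Matches[1] } else { '' }
    $fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName   # assumption: DNS name is the agent name

    # Trust check only: the agent performs revocation checking at runtime.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk = $chain.Build($Certificate)

    $problems = @()
    if (-not $Certificate.HasPrivateKey) { $problems += 'no private key' }
    if ($ekus -notcontains $serverAuth)  { $problems += 'missing Server Authentication EKU' }
    if ($ekus -notcontains $clientAuth)  { $problems += 'missing Client Authentication EKU' }
    if ($cn -ne $fqdn)                   { $problems += "CN '$cn' does not match FQDN '$fqdn'" }
    if (-not $chainOk)                   { $problems += 'chain does not build to a trusted root' }
    if ($Certificate.PublicKey.Key.KeySize -lt 2048) { $problems += 'key shorter than 2048 bits' }

    New-Object PSObject -Property @{
        Thumbprint = $Certificate.Thumbprint
        Subject    = $cn
        Usable     = ($problems.Count -eq 0)
        Problems   = ($problems -join '; ')
    }
}

Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-ScomCertificate -Certificate $_ } |
    Format-Table Subject, Usable, Problems -AutoSize
```

Exactly one certificate should come back Usable; if several do, pick by thumbprint when you run momcertimport.exe so the agent does not end up with a certificate for the wrong name.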



Not just another screenshot tool - Greenshot

Greenshot is a great screenshot tool. I like:
- easy to select a region, the current window or the whole screen
- automatic saving to a folder with numbering (tons of options)
- image formats: png, jpeg, gif or bmp
- easy to highlight text or add notes
- uses the Print Screen key, so easy-to-remember hotkeys :-)
- under GPL, can be used free of charge





http://getgreenshot.org/

Monday, January 17, 2011

WSUS Cleanup




Windows Server Update Services (WSUS) is a great tool to manage and distribute patches from Microsoft within your organization.
There is a GUI-based way to do the cleanup, but there is also a great tool available from the CodePlex website http://wsus.codeplex.com/releases/view/17612 to run it as a regular scheduled maintenance task.
It will save you disk space and can also remove orphaned computer entries.
Microsoft has a patch day once a month, on the second Tuesday. Some patches will come during the month too.
So please first sync your WSUS with Microsoft and then run the WSUS Cleanup tool, e.g. once a month.
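If you would rather not depend on a third-party download, the same cleanup is available through the WSUS administration API that ships with the WSUS console. The script below is an added example, not from the original post and not the CodePlex tool it recommends: it synchronizes with Microsoft first, as the post advises, then runs the cleanup. It assumes it runs locally on the WSUS server under an account in the WSUS Administrators group.

```powershell
# Added example, not from the original post: sync WSUS with Microsoft, then run
# the built-in cleanup (obsolete computers and updates, superseded/expired
# updates, unneeded content) through Microsoft.UpdateServices.Administration.
# Assumption: runs on the WSUS server itself with WSUS admin rights.
[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')

function Invoke-WsusCleanup {
    $wsus = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer()

    # Synchronize first so superseded and expired updates are known before
    # anything is declined or deleted.
    $sub = $wsus.GetSubscription()
    if ($sub.GetSynchronizationStatus() -eq 'NotProcessing') { $sub.StartSynchronization() }
    while ($sub.GetSynchronizationStatus() -ne 'NotProcessing') { Start-Sleep -Seconds 30 }

    $scope = New-Object Microsoft.UpdateServices.Administration.CleanupScope
    $scope.DeclineSupersededUpdates    = $true
    $scope.DeclineExpiredUpdates       = $true
    $scope.CleanupObsoleteUpdates      = $true
    $scope.CompressUpdates             = $true
    $scope.CleanupObsoleteComputers    = $true   # the orphaned computer entries from the post
    $scope.CleanupUnneededContentFiles = $true   # this is where the disk space comes back

    $result = $wsus.GetCleanupManager().PerformCleanup($scope)
    New-Object PSObject -Property @{
        SupersededDeclined = $result.SupersededUpdatesDeclined
        ExpiredDeclined    = $result.ExpiredUpdatesDeclined
        ObsoleteUpdates    = $result.ObsoleteUpdatesDeleted
        ObsoleteComputers  = $result.ObsoleteComputersDeleted
        DiskSpaceFreedMB   = [math]::Round($result.DiskSpaceFreed / 1MB, 1)
    }
}

Invoke-WsusCleanup | Format-List
```

Save it as a .ps1 and register it as a monthly scheduled task on the WSUS server, a day or two after the second Tuesday so the sync picks up the patch-day releases before the cleanup runs.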