Brightmail does not deliver email to Distribution group members

The Story

Note: This article assumes you have Brightmail Gateway

When you send email to a particular Exchange distribution group, Group@domain.com, the result is either a "user does not exist" bounce or, if you test with Microsoft's online connectivity tool, the following error.

Error:

The server returned status code 554 – Transaction failed. The server response was: 5.7.1 Delivery not authorized

Other related errors

‘554 5.7.1: You are not allowed to connect’


Cause:

The group has been cached in the Symantec gateway with its old membership, so the gateway answers with "user does not exist" or "delivery not authorized" instead of the current members.

Solution:

To fix this, open the Brightmail gateway console, go to Administration > Directory Integration, click your AD directory source, open Advanced and click Clear Cache.

This clears the cached group and reloads the current group and its members from the directory.

This should resolve the problem.


How to clear the DDS cache in Messaging Gateway

https://knowledge.broadcom.com/external/article?legacyId=tech132131

How to bypass NET::ERR_CERT_INVALID on Chrome

Locked out of accessing my firewall

After I changed my antivirus software, I could no longer reach a remote firewall that I used to access publicly over the internet. This firewall has a local self-signed certificate that no web browser trusts.

Although I added the root certificate to my root store, none of the browsers would let me access it; they all returned the error below:

Your connection is not private
Attackers might be trying to steal your information from myapp.domain.com (for example, passwords, messages, or credit cards). Learn more
NET::ERR_CERT_INVALID
myapp.domain.com normally uses encryption to protect your information. When Brave tried to connect to myapp.domain.com this time, the website sent back unusual and incorrect credentials. This may happen when an attacker is trying to pretend to be myapp.domain.com, or a Wi-Fi sign-in screen has interrupted the connection. Your information is still secure because Brave stopped the connection before any data was exchanged.

You cannot visit myapp.domain.com right now because the website sent scrambled credentials that Brave cannot process. Network errors and attacks are usually temporary, so this page will probably work later.

The same error appears in Chrome and in Firefox.

I searched the web for many workarounds, but almost none of them worked, including this one, which says you can type "thisisunsafe" or "badidea" in Chrome; it did not work for me.

https://medium.com/@dblazeski/chrome-bypass-net-err-cert-invalid-for-development-daefae43eb12

Using Fiddler

Since I use Fiddler to sniff packets and troubleshoot issues on my computer, I remembered that Fiddler can decrypt HTTPS traffic (it acts as a man-in-the-middle proxy). Fiddler installs its own root certificate and re-signs every site's certificate with it, so the browser validates Fiddler's certificate instead of the site's; that is why every site appears trusted, even one whose own certificate triggers NET::ERR_CERT_INVALID.

Solution:

So, to make this work, at least temporarily, so that you can reach the page you lost access to, all you have to do is:

  • Install Fiddler
  • Let Fiddler decrypt traffic: go to Tools > Options > HTTPS and select "Capture HTTPS Connects and Decrypt Traffic"
  • Accept and import the root certificates.
  • Click OK
  • Start capturing traffic by clicking the capture icon in the bottom-left corner


  • Now try to browse the page you couldn’t access previously and you’ll get a prompt to accept its certificate. Click Yes if you’re sure of the page and continue.


There we go, I got access back to my pfSense. Notice that you'll only be able to reach the URL while capturing is on.

The moment you turn capturing off, the page will not be accessible again.

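Before re-signing the connection with Fiddler, it is worth seeing what the firewall actually presents. Chrome reports an untrusted issuer as NET::ERR_CERT_AUTHORITY_INVALID; NET::ERR_CERT_INVALID means the certificate itself was rejected, which is why adding the root certificate to the store did not help, and Fiddler only hides that by replacing the certificate. The following script is an added example, not part of the original post: it opens a TLS connection, reads the certificate without trusting it, and reports the fields a browser checks (names, validity, signature and key algorithms, and whether a chain can be built from the local store). The host name myapp.domain.com is the post's placeholder, and the script assumes Windows PowerShell 5.1 or PowerShell 7 on Windows.

```powershell
# Added example (not from the post): report the certificate a host presents without trusting it.
function Get-RemoteCertificateReport {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443
    )
    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        # Accept whatever the server sends so it can be inspected; this callback affects only this read.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)

        # Build the chain against this machine's stores, as a local client would.
        $chain   = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        $chainOk = $chain.Build($cert)
        $status  = ($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" }) -join '; '

        # Subject Alternative Name extension (OID 2.5.29.17); browsers match the host name against it.
        $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $san    = if ($sanExt) { $sanExt.Format($false) } else { '(none)' }

        [pscustomobject]@{
            Host            = $HostName
            Subject         = $cert.Subject
            Issuer          = $cert.Issuer
            SelfSigned      = ($cert.Subject -eq $cert.Issuer)
            NotBefore       = $cert.NotBefore
            NotAfter        = $cert.NotAfter
            SignatureAlg    = $cert.SignatureAlgorithm.FriendlyName
            PublicKeyAlg    = $cert.PublicKey.Oid.FriendlyName
            SubjectAltNames = $san
            ChainBuilds     = $chainOk
            ChainStatus     = $status
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Dispose()
    }
}

# Placeholder host name taken from the post.
Get-RemoteCertificateReport -HostName 'myapp.domain.com' | Format-List
```

If SubjectAltNames comes back as "(none)" or the host name is missing from it, or the signature algorithm is an obsolete one, the fix is a new certificate on the firewall rather than a proxy in front of the browser; ChainStatus tells you separately whether the root you imported is actually being found.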

Skype for Business IM integration with Exchange 2016 OWA–Part 2

This article is the continuation of Part 1.

Configuration Steps – Part 2

7. On Exchange: Enable OWA VD Instant Messaging
8. On Exchange: Enable Messaging on OWA Policy
9. On Exchange: Create Enterprise Application for Skype Pool.
10. On Exchange: Create new SettingOverride for Skype for Business.
11. Generate a new Certificate for Exchange IM
12. Assign the newly imported certificate to IIS Exchange Back End site
13. On Exchange: Restart the WebAppPool
14. Log out and sign back in to OWA to Check
15. Troubleshooting methods

    7- On Exchange Server: Enable OWA VD Instant Messaging

Part of enabling IM integration between Exchange and SfB is enabling it on the OWA virtual directory. The cmdlet below does this on all of your Exchange servers.

On Exchange, launch the Exchange Management Shell and run the following cmdlet:

    Get-OwaVirtualDirectory | Set-OwaVirtualDirectory -InstantMessagingEnabled $true -InstantMessagingType Ocs


    8- On Exchange: Enable Messaging on OWA Policy

Run the following to enable instant messaging on the OWA mailbox policy:

    Get-OwaMailboxPolicy | Set-OwaMailboxPolicy -InstantMessagingEnabled $true -InstantMessagingType Ocs


    9- On Exchange: Create Enterprise Application for Skype Pool.

From the Exchange Management Shell, run the following cmdlets:

      Cd $exscripts

.\Configure-EnterprisePartnerApplication.ps1 -AuthMetadataUrl "https://sbg-pool01.domain.com/metadata/json/1" -ApplicationType Lync

The AuthMetadataUrl is your local Skype for Business pool URL. This URL must open from your Exchange server without any certificate error, meaning the certificate assigned to your Skype for Business pool must already be trusted by the Exchange servers.

If your previous configuration is correct, you should see the "The Configuration has Succeeded" message.

          10- On Exchange: Create new SettingOverride for Skype for Business.

          Notes:

          • To configure the same settings on all Exchange 2016 and Exchange 2019 servers in the Active Directory forest, don’t use the Server parameter.

New-SettingOverride -Name "<UniqueOverrideName>" -Component OwaServer -Section IMSettings -Parameters @("IMServerName=<Skype server/pool name>","IMCertificateThumbprint=<Certificate Thumbprint>") -Reason "<DescriptiveReason>" [-Server <ServerName>]

The thumbprint you use here decides whether IM will work or not, because this certificate secures the communication between Exchange and Skype. If you use the wrong certificate, the integration will fail and users won't be able to sign in to IM through OWA.

          11- Generate a new Certificate for Exchange IM

          IMPORTANT NOTE:

          In order for IM in OWA to work the certificate you will generate must have its common name set as mail.domain.com to match the configuration.

Using the DigiCert certificate utility on the Exchange server, I will generate the CSR for the new certificate.

Click on Create CSR.


Choose the SSL certificate type and make sure you use mail.domain.com as the CN.

In the SANs, enter all of the servers involved (Skype for Business front ends and mailbox servers, both as FQDN and as hostname) and click Generate.


          • Go to your CA Server’s CertSRV URL and copy the CSR code there to generate the new certificate.
          • Import the new certificate to the current server, then export it in PFX format and import it to all the Exchange Servers you’re planning to use.


• After importing the certificate, I verify that I can see the private key.


Click on Details and copy the thumbprint, or in MMC right-click the certificate > Properties and give it a friendly name, e.g. IM; you can then copy the thumbprint directly from the Exchange Management Shell:

Get-ExchangeCertificate | Select-Object Thumbprint, FriendlyName


Now use the previous cmdlet to create the setting override for OwaServer.

The values to change are the Name, the IMServerName value and the IMCertificateThumbprint value:

New-SettingOverride -Name "IM Override" -Component OwaServer -Section IMSettings -Parameters @("IMServerName=SBG-Pool01.domain.com","IMCertificateThumbprint=28E4B1BA0F2FCB1535AF199F02A64EFC78367F2D") -Reason "Configure IM"


If you created the override with the Server parameter for a single server, you can change the server list afterwards with the cmdlet below. Note that you must not use FQDNs here, only the servers' hostnames.

          Get-SettingOverride | Set-SettingOverride -Server sbg-mx01,sbg-mx02


          This should generate an event ID 112 on Exchange servers involved in the deployment.

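Because the wrong thumbprint is the usual reason IM fails, the script below ties steps 10 and 11 together: it selects the certificate by CN, private key and SANs (hostname and FQDN of every Exchange server), creates the OwaServer IMSettings override with that thumbprint, refreshes the override on each server and recycles the OWA application pool. This is an added example, not code from the post or from Microsoft. It runs in the Exchange Management Shell and assumes WinRM access to the other servers; mail.domain.com, SBG-Pool01.domain.com and sbg-mx01/sbg-mx02 are the post's placeholder names.

```powershell
# Added example (not from the post): pick the IM certificate by its names and create the override with it.
# Placeholder names from the post; adjust to your environment.
$ImCommonName  = 'mail.domain.com'
$SkypePoolFqdn = 'SBG-Pool01.domain.com'
$ExchangeHosts = 'sbg-mx01', 'sbg-mx02'
$DnsSuffix     = 'domain.com'
$OverrideName  = 'IM Override'

# Every name the certificate must carry: the CN plus each Exchange server's hostname and FQDN.
$RequiredNames = @($ImCommonName) + $ExchangeHosts + ($ExchangeHosts | ForEach-Object { "$_.$DnsSuffix" }) |
    ForEach-Object { $_.ToLower() }

# Candidates: right CN, private key present, not expired.
$candidates = Get-ExchangeCertificate | Where-Object {
    $_.Subject -like "CN=$ImCommonName*" -and $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date)
}

$cert = $null
foreach ($c in $candidates) {
    $domains = @($c.CertificateDomains | ForEach-Object { "$_".ToLower() })
    $missing = @($RequiredNames | Where-Object { $_ -notin $domains })
    if ($missing.Count -eq 0) { $cert = $c; break }
    Write-Warning "Skipping $($c.Thumbprint): missing SAN(s) $($missing -join ', ')"
}
if (-not $cert) {
    throw "No certificate with CN=$ImCommonName, a private key and all required SANs was found."
}
Write-Host "Using certificate $($cert.Thumbprint) ($($cert.FriendlyName)), expires $($cert.NotAfter)"

# Replace any override of the same name so two IMSettings overrides do not compete.
Get-SettingOverride -Identity $OverrideName -ErrorAction SilentlyContinue |
    Remove-SettingOverride -Confirm:$false
New-SettingOverride -Name $OverrideName -Component OwaServer -Section IMSettings `
    -Parameters @("IMServerName=$SkypePoolFqdn", "IMCertificateThumbprint=$($cert.Thumbprint)") `
    -Reason 'Configure IM'

# Make each server re-read its overrides, then recycle OWA so the new settings load.
foreach ($server in $ExchangeHosts) {
    Get-ExchangeDiagnosticInfo -Server $server -Process Microsoft.Exchange.Directory.TopologyService `
        -Component VariantConfiguration -Argument Refresh | Out-Null
    Invoke-Command -ComputerName $server -ScriptBlock {
        Import-Module WebAdministration
        Restart-WebAppPool -Name 'MSExchangeOWAAppPool'
    }
}

Get-SettingOverride -Identity $OverrideName | Format-List Name, Parameters, Reason
```

The SAN check is the same one the Back End binding in step 12 relies on, so a certificate that passes here is also the one to bind there. If the script warns that every candidate is missing a name, the certificate was requested with an incomplete SAN list and needs to be reissued.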

12- Assign the newly imported certificate to IIS Exchange Back End site

Once the certificate is in the server's store, you can easily find it in IIS and bind it to the Exchange Back End site.

This is the most crucial step to get IM working in OWA. Don't worry about breaking the Exchange web sites or PowerShell remoting: if you added the Exchange servers' hostnames and FQDNs to this certificate, you should be fine.

• Now launch IIS
• Click on Exchange Back End
• Select Bindings
• Select the port 444 binding and click Edit
• Select the newly generated certificate that has mail.domain.com as CN (this certificate must also have all Exchange servers' hostnames and FQDNs as SANs)

Make sure you change the Back End certificate to the new one on all the involved Exchange servers.

13- On Exchange: Restart the WebAppPool

            Restart-WebAppPool MSExchangeOWAAppPool


14- Log out and sign back in to OWA to Check

Log out of OWA and back in, and check whether IM signs in. It should normally sign you in automatically; if something is wrong, OWA shows an instant messaging error instead.

If it works, you should see presence information.

15- Troubleshooting Methods

If you followed the steps above correctly, especially applying the right certificate to the Exchange Back End site in IIS, it should work. If you still face an error, use the following steps to troubleshoot it.

              • Set the Eventlog for Instant Messaging on Exchange from Low to High

Set-EventLogLevel -Identity "sbg-mx01\MSExchange OWA\InstantMessage" -Level High


              • Look in the following path for errors

              C:\Program Files\Microsoft\Exchange Server\V15\Logging\OWA\InstantMessaging

              • Check the Healthset of the OWA Instant Messaging.

Get-ServerHealth -HealthSet OWA.Protocol.Dep -Server sbg-mx01 | Format-Table Name, AlertValue -Auto


              Get-MonitoringItemIdentity -Server sbg-mx01 -Identity OWA.Protocol.Dep | Format-Table Identity,ItemType,Name -Auto


                Ref

                https://docs.microsoft.com/en-us/exchange/plan-and-deploy/post-installation-tasks/configure-im-integration-with-owa?view=exchserver-2019

                https://docs.microsoft.com/en-us/exchange/high-availability/managed-availability/health-sets?view=exchserver-2019

                Skype for Business IM integration with Exchange 2016 OWA–Part 1

                The Story

Good, detailed documentation is everything we need to implement any kind of project, especially an integration between two different servers that perform different roles.

With PKI involved, the complications multiply, so a good write-up is what we need.

Previously I had tried a test lab with Skype for Business 2015/2019 IM integration with Exchange 2016/2019, and the result was a complete failure and an endless search for what was missing to get IM working from OWA.


                ERROR

Upon completing the steps in Microsoft's official documentation, and after restarting Exchange IIS or the OWA application pool, you will see this when you sign in to OWA with your user:

                There’s a problem with instant messaging. Please try again later.


                MS Official Documentation

In its official documentation, Microsoft says that the certificate in question must be trusted by all the servers involved, meaning the Skype for Business front ends and the mailbox servers.

While this is true, it alone does not get IM to sign in and work, although it might log the initialization event ID 112 in the event log.


                Here is what MS says about the certificate.

                Exchange and Skype for Business integration requires server certificates that are trusted by all of the servers involved. The procedures in this topic assume that you already have the required certificates. For more information, see Plan to integrate Skype for Business Server 2015 and Exchange. The required IM certificate thumbprint refers to the Exchange Server certificate assigned to the IIS service.

                REF URL: https://docs.microsoft.com/en-us/exchange/plan-and-deploy/post-installation-tasks/configure-im-integration-with-owa?view=exchserver-2019#what-do-you-need-to-know-before-you-begin


                Step by Step Deployment

To do things the way that should get this to work, I will detail the steps one by one, so we can be sure of the positive result we are all waiting for when dealing with Exchange and Skype for Business.

                Exchange IM URL 1: mail.domain.com

                Skype for Business Pool FQDN: SBG-Pool01.domain.com

                Autodiscover URL : Autodiscover.Domain.com

                Prerequisites

1. For the Default and Web Services Internal certificate, your Skype for Business front end server/pool must use a certificate issued by an internal CA, which you can later use to issue Exchange's IM certificate.
2. UCMA must be installed (version 4 or 5; both are supposed to work with Exchange 2016).
3. A local certification authority must already be deployed in the domain.

                Configuration Steps – Part 1

                1. On SfB: Set CsAuthConfiguration Autodiscover URL for Skype server to find Exchange Autodiscover
                2. On SfB: Get-CsSite to see what is the current site ID.
                3. On Exchange: Check AutodiscoverServiceInternalURI
                4. On SfB: Create new Partner
                5. On SfB: Create new Trusted Application Pool
                6. On SfB: Create new Trusted Application ID

                Configuration Steps – Part 2

7. On Exchange: Enable OWA VD Instant Messaging
8. On Exchange: Enable Messaging on OWA Policy
9. On Exchange: Create Enterprise Application for Skype Pool.
10. On Exchange: Create new SettingOverride for Skype for Business.
11. Generate a new Certificate for Exchange IM
12. Assign the newly imported certificate to IIS Exchange Back End site
13. On Exchange: Restart the WebAppPool
14. Log out and sign back in to OWA to Check
15. Troubleshooting methods

                Prerequisites

                1- Update or Create Server Default and Web Service Internal Certificate for SfB Pool servers

The certificate installed on the Skype for Business pool front end servers must be issued by a local certification authority that the Exchange Server services trust.

The certificate generated for the Skype for Business pool is issued from my CA and includes the following names:

                • Skype for Business Pool
                • Skype for Business Frontend FQDNs
                • Exchange Servers
                • Autodiscover FQDN
                • Lyncdiscover.domains.com
                • Lyncdiscoverinternal.domains.com
                • sip.domains.com
                • meet.domains.com
                • dialin.domain.com
                • External.domain.com


                2- UCMA must be installed

On both the Exchange and Skype for Business servers I already have UCMA 4.0 installed; if you don't have it, or have an older version, you can't continue without it.


                3- Make sure you have a Local Certification Authority deployed in your domain.

                Configuration Steps – Part 1

                1- On SfB: Set CsAuthConfiguration Autodiscover URL for Skype server to find Exchange Autodiscover

For Skype for Business Server to find the Exchange Autodiscover service endpoint and to be able to authenticate servers, we use the cmdlet below.

This lets both servers authenticate each other and share information when needed, without user interaction.

                Set-CsOauthConfiguration -ExchangeAutodiscoverUrl https://autodiscover.domain.com/autodiscover/autodiscover.svc


                Ref:

                https://docs.microsoft.com/en-us/powershell/module/skype/set-csoauthconfiguration?view=skype-ps

                2- On SfB: Get-CsSite to see what is the current site ID.

The site ID is needed later to set up the Trusted Application Pool.

In the Skype for Business Management Shell, type the following:

Get-CsSite

So the site ID is 1. I will keep this for later use.


                3- On Exchange: Check AutodiscoverServiceInternalURI

Check the AutodiscoverServiceInternalURI of the internal Autodiscover service. Make sure it points to your public URL and certificate, not the internal one; otherwise your users will get a certificate error in Outlook, and IM chat might not work.

The cmdlet would be:

Get-ClientAccessService | Set-ClientAccessService -AutoDiscoverServiceInternalUri https://autodiscover.domain.com/autodiscover/autodiscover.xml


                4- On SfB: Create new Partner Application

On the Skype for Business server, launch the Management Shell and use this cmdlet to add Exchange as a partner application to the SfB topology:

New-CsPartnerApplication -Identity Exchange -ApplicationTrustLevel Full -MetadataUrl "https://autodiscover.domain.com/autodiscover/metadata/json/1"


                5- On SfB: Create new Trusted Application Pool

                New-CsTrustedApplicationPool -Identity mail.domain.com -Registrar sbg-pool01.domain.com -Site 1 -RequiresReplication $false


                6- On SfB: Create new Trusted Application ID

From the SfB Management Shell, run the following cmdlet:

                New-CsTrustedApplication -ApplicationId OutlookWebAccess -TrustedApplicationPoolFqdn mail.domain.com -Port 5199

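Both New-CsPartnerApplication above and Configure-EnterprisePartnerApplication.ps1 in Part 2 fetch an OAuth metadata document over HTTPS, and each fails when the requesting server does not trust the certificate serving it. The script below is an added example, not from the post or from Microsoft: it fetches each metadata URL with certificate validation left on and reports whether it loaded and what it contains. Run it on the SfB server for the Exchange URL and on the Exchange server for the pool URL. The URLs are the post's placeholders, and the issuer and keys field names of the metadata document are assumed.

```powershell
# Added example (not from the post): check that each OAuth metadata endpoint is reachable with a trusted certificate.
function Test-OAuthMetadataEndpoint {
    param([Parameter(Mandatory)][string]$Url)
    try {
        # Certificate validation is deliberately left on: a failure here is exactly the problem to find.
        $response = Invoke-WebRequest -Uri $Url -UseBasicParsing -ErrorAction Stop
        $doc = $response.Content | ConvertFrom-Json
        [pscustomobject]@{
            Url       = $Url
            Reachable = $true
            Issuer    = $doc.issuer          # assumed field name in the metadata document
            KeyCount  = @($doc.keys).Count   # assumed field name: the signing certificates published
            Error     = $null
        }
    }
    catch {
        # A trust failure shows up here as the WebException text (e.g. "Could not establish trust relationship").
        [pscustomobject]@{
            Url       = $Url
            Reachable = $false
            Issuer    = $null
            KeyCount  = 0
            Error     = $_.Exception.Message
        }
    }
}

# Placeholder URLs from the post.
$endpoints = @(
    'https://autodiscover.domain.com/autodiscover/metadata/json/1'   # Exchange side, used by New-CsPartnerApplication
    'https://sbg-pool01.domain.com/metadata/json/1'                  # SfB pool, used by Configure-EnterprisePartnerApplication.ps1
)
$results = $endpoints | ForEach-Object { Test-OAuthMetadataEndpoint -Url $_ }
$results | Format-Table Url, Reachable, Issuer, KeyCount, Error -AutoSize
```

A Reachable value of false with a trust-relationship message in Error means the issuing CA is not in the requesting server's trusted root store, which is the prerequisite the first section of this article describes.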

Finally, continue with Part 2: Skype for Business IM integration with Exchange 2016 OWA–Part 2

                an Exchange mailbox was mistakenly migrated over another user’s object used by another user

                The Story

If you ever used the Prepare-MoveRequest script to migrate a user and forgot to use ADMT to rewrite the user's properties with the old attributes, you might have used ADMT again to rewrite the properties.

If you use ADMT, you need to exclude all Exchange attributes from the source, since they are already copied by the Prepare-MoveRequest script. In some cases, however, people make mistakes, and you might have run into the same mistake my colleague made during one of these extremely complicated cross-forest migrations, where you prepare CSV files through PowerShell and the names don't match the SAM accounts.

                Don’t Panic

If, however, you forgot again to exclude the Exchange attributes while using ADMT, you most likely won't see the user in the target forest, which causes panic, thinking the user is gone. But no, the user is not gone; don't panic.

When you look for the user's mailbox in the target forest after the move request completes, you'll get an error reporting that the user can't be found.


                Solution

To fix the problem you need to change two attributes on this migrated user only, in the target forest, after the mailbox move has completed.

The attributes are

msExchRecipientDisplayType    1073741824
msExchRecipientTypeDetails    128

Compare the migrated user's current (wrong) values of these two attributes with the corrected ones and fix them.

Once you apply the change, wait a minute or a few, depending on your AD replication speed, and the problem will be solved.
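A safe way to apply the fix is to take the two attribute values from a known-good mailbox user in the target forest rather than typing them by hand, and to keep a copy of the old values. The script below is an added example, not from the post: it reads both attributes from a reference user and from the migrated user, saves the migrated user's current values to a file, and writes the reference values with Set-ADUser -Replace. It assumes the RSAT ActiveDirectory module, rights to write the user, and the placeholder sAMAccountNames jdoe (migrated user) and refuser (reference user); the post lists 1073741824 and 128 as the values it used.

```powershell
# Added example (not from the post): copy the recipient attributes of a healthy mailbox user onto the migrated user.
Import-Module ActiveDirectory

$MigratedSam  = 'jdoe'      # placeholder: the mis-migrated user
$ReferenceSam = 'refuser'   # placeholder: a normal mailbox user in the target forest
$AttrNames    = 'msExchRecipientDisplayType', 'msExchRecipientTypeDetails'

$reference = Get-ADUser -Identity $ReferenceSam -Properties $AttrNames
$migrated  = Get-ADUser -Identity $MigratedSam  -Properties $AttrNames

# Keep a copy of the current values so the change can be reversed.
$before = [ordered]@{}
foreach ($name in $AttrNames) { $before[$name] = $migrated.$name }
$backup = Join-Path $env:TEMP "$MigratedSam-exch-attrs-before.json"
$before | ConvertTo-Json | Set-Content -Path $backup
Write-Host "Current values saved to $backup"

# Work out which attributes differ from the reference user.
$changes = @{}
foreach ($name in $AttrNames) {
    '{0}: migrated={1} reference={2}' -f $name, $migrated.$name, $reference.$name
    if ($null -eq $reference.$name) { throw "Reference user has no $name; pick a normal mailbox user." }
    if ($migrated.$name -ne $reference.$name) { $changes[$name] = $reference.$name }
}

if ($changes.Count -eq 0) {
    Write-Host 'Attributes already match the reference user; nothing to change.'
} else {
    # -Replace writes the new values whether or not the attributes are currently set.
    Set-ADUser -Identity $MigratedSam -Replace $changes
    $after = Get-ADUser -Identity $MigratedSam -Properties $AttrNames
    foreach ($name in $changes.Keys) { '{0}: {1} -> {2}' -f $name, $before[$name], $after.$name }
}
# Once AD replication has caught up, Get-Recipient in the Exchange shell should return the user again.
```

Using a reference user also catches the case where the migrated object needs a value other than the two the post shows, because the script compares against what a working mailbox in that forest actually has.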

                Onboarding Linux Client (DEEPIN) to Microsoft Azure Threat protection ATP using ubuntu repository

                Installing Microsoft Azure Threat Protection (ATP) on Linux Devices

While playing with ATP on some Windows devices, I was in the mood to try the new Deepin 20 desktop, a well-known Chinese Linux distribution.

                Microsoft doesn’t indicate anywhere that installation of ATP on a Linux client is possible but Linux server is mentioned in the official ATP installation documents.

                How to Install?

After I installed Deepin, I was really impressed by the new, beautiful Linux design, so I plan to use it and secure it with ATP.


                Prerequisites:

                1. Configure the Linux software repository for Ubuntu and Debian
                2. Application Installation
                3. Download the onboarding Package
                4. Client Config

                1-Configure the Linux software repository for Ubuntu and Debian

You need to install the required libraries, install gpg and apt-transport-https, and update the repository metadata, using the following commands one by one.

• sudo apt-get install curl
• sudo apt-get install libplist-utils
• sudo mv ./microsoft.list /etc/apt/sources.list.d/microsoft-ubuntu.list
• sudo apt-get install gpg


After successfully installing all the libraries, I go ahead and install the application.

2- Application Installation

From the Linux client terminal, run the following command with sudo:

sudo apt-get install mdatp

Once finished, go back to the ATP portal and download the Linux onboarding package for the Linux server/client you want to onboard.

                3- Download the onboarding Package

Since I am doing a single deployment, not a bulk one, I go to the Microsoft Defender Security Center's settings page and download the Linux package from the device management section.

The onboarding steps are already described on that page, so once you download the script you'll know exactly what to do next.

The file is a 9 KB Python script.

Copy the file to your Linux desktop.

                4- Client Config

From the terminal, type chmod a+x MicrosoftDefenderATPOnBoardingLinuxServer.py and press Enter.

Note: Python must be installed on this Linux device.

Then, from the folder you copied the script to, type python MicrosoftDefenderATPOnBoardingLinuxServer.py

This runs pretty quickly and assigns your Linux server/client to your organization ID.

To see the organization ID, type:

mdatp --health orgId

A few minutes later you'll be able to see the installation completion and the status through the following commands.

Check if WDATP is functioning as expected:

mdatp --health healthy

Check if WDATP real-time protection is enabled:

mdatp --health realTimeProtectionEnabled

Let's check the ATP portal and see if the machine shows up there.

Note: It might take 5-15 minutes for WDATP to update its definitions when onboarding.

                Running a detection Test:

                curl -o ~/Downloads/eicar.com.txt https://www.eicar.org/download/eicar.com.txt

Within a few seconds the file has disappeared.

Checking for threats:

mdatp --threat --list --pretty

Let's see this on the ATP portal.

This is just a test file, not real malware, so it won't harm your machine at all.

                Hope this helps you with your deployments

                Ref:

                https://docs.microsoft.com/en-us/windows/security/threat-protection/microsoft-defender-atp/linux-install-manually

                Deepin 20 Beta version

                https://www.deepin.org/en/2020/04/15/deepin-20-beta/

                Microsoft Exchange 2010 SP3 Link HACKED

Update: Microsoft replied to me and fixed the link.

If you have Exchange 2010 SP3 and plan to download the latest rollup, Google takes you to the following link:

                https://www.microsoft.com/en-us/download/details.aspx?id=100910

Once you open that link to download the rollup update, you might want to check the system requirements section, which lists two main links.

The Exchange 2010 Prerequisites link first redirects you to this URL, which has an expired certificate:

                http://www.microsoftpinpoint.com/

And that then redirects you to this link (it seems to be a Chinese website):

                http://123.wo80.com/

Luckily the antivirus managed to catch and block this page; however, on any server that's not running antivirus, this would certainly infect the server.

                Phishing Alert!


                Contacting Microsoft

After I got in contact with Microsoft about the issue, Microsoft replied stating they had informed their security team and fixed the issue.

                Azure RDWEB page is blank when accessing it with authorized users

                Blank page on RDWeb for users

When you have finished deploying Azure WVD machines and added them to the correct host pool, you might run into this error by chance and not easily be able to understand or even see it.

During the creation of host pools and app groups you might want to give them your own fancy names. That is normally fine, but not when you want to use Azure WVD.

                What Happens?

When you create an app group with a name other than the existing default (Desktop Application Group), you must enter that group name in the ARM template, because otherwise the template picks the default application group name while deploying the VMs.

                Error 1

                The connection to the remote PC was lost. This might be because of a network connection problem. If this keeps happening, ask your admin or tech support for help.


                Error 2

User is assigned to the wrong Application Group

add-RdsAppGroupUser : The specified UserPrincipalName is already assigned to a RemoteApp AppGroup in the specified HostPool.
ActivityId: feb39a7b-b74f-49d3-a100-1fc22ec66454
Powershell commands to diagnose the failure:
Get-RdsDiagnosticActivities -ActivityId feb39a7b-b74f-49d3-a100-1fc22ec66454
At line:4 char:1
+ add-RdsAppGroupUser -TenantName cagriandMoh10ly -HostPoolName WVD-Hos …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : FromStdErr: (Microsoft.RDInf…RdsAppGroupUser:AddRdsAppGroupUser) [Add-RdsAppGroupUser], RdsPowerShellException
    + FullyQualifiedErrorId : UpnAlreadyHasRemoteAppAssignment,Microsoft.RDInfra.RDPowershell.AppGroupUser.AddRdsAppGroupUser

                Solution:

Remove the user from the other application group and add them to the one that contains the RdsSessionHost you want your users to access.

Connect to Azure AD first and run the following command. Make sure you specify the AppGroupName you want to remove your users from and the AD group that holds those users.

# For every member of the WVDUsers Azure AD group, remove the assignment to the wrongly named app group.
foreach ($UPN in (Get-AzureADGroupMember -ObjectId ((Get-AzureADGroup | Where-Object DisplayName -Like "WVDUsers").ObjectId)).UserPrincipalName)
{
    Write-Output $UPN
    Remove-RdsAppGroupUser -TenantName cagriandMoh10ly -HostPoolName WVD-Host-Pool01 -AppGroupName "Desktop App Group" -UserPrincipalName $UPN
}

Add the users again and see what happens:

# Assign the same users to the default Desktop Application Group of the host pool.
foreach ($UPN in (Get-AzureADGroupMember -ObjectId ((Get-AzureADGroup | Where-Object DisplayName -Like "WVDUsers").ObjectId)).UserPrincipalName)
{
    Write-Output $UPN
    Add-RdsAppGroupUser -TenantName cagriandMoh10ly -HostPoolName WVD-Host-Pool01 -AppGroupName "Desktop Application Group" -UserPrincipalName $UPN
}

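The two loops above hard-code the old and new group names, and Add-RdsAppGroupUser still fails with UpnAlreadyHasRemoteAppAssignment if a user sits in any other app group of the pool. The function below is an added example, not from the post: it enumerates every app group in the host pool, removes the user from each one that is not the target, and adds the user to the target only if not already there, so it is safe to rerun. It assumes the Microsoft.RDInfra.RDPowerShell and AzureAD modules with active Add-RdsAccount and Connect-AzureAD sessions; the tenant, host pool, app group and Azure AD group names are the post's.

```powershell
# Added example (not from the post): put a user in exactly one app group of a host pool.
function Move-RdsUserToAppGroup {
    param(
        [Parameter(Mandatory)][string]$TenantName,
        [Parameter(Mandatory)][string]$HostPoolName,
        [Parameter(Mandatory)][string]$TargetAppGroupName,
        [Parameter(Mandatory)][string]$UserPrincipalName
    )
    $groups = Get-RdsAppGroup -TenantName $TenantName -HostPoolName $HostPoolName
    if ($groups.AppGroupName -notcontains $TargetAppGroupName) {
        throw "App group '$TargetAppGroupName' does not exist in host pool '$HostPoolName'."
    }

    # A UPN may hold only one assignment per host pool, so clear every other group first.
    foreach ($group in $groups) {
        if ($group.AppGroupName -eq $TargetAppGroupName) { continue }
        $assigned = Get-RdsAppGroupUser -TenantName $TenantName -HostPoolName $HostPoolName -AppGroupName $group.AppGroupName |
            Where-Object { $_.UserPrincipalName -eq $UserPrincipalName }
        if ($assigned) {
            Write-Host "Removing $UserPrincipalName from '$($group.AppGroupName)'"
            Remove-RdsAppGroupUser -TenantName $TenantName -HostPoolName $HostPoolName `
                -AppGroupName $group.AppGroupName -UserPrincipalName $UserPrincipalName
        }
    }

    # Add to the target group only when not already a member, so reruns do not error.
    $already = Get-RdsAppGroupUser -TenantName $TenantName -HostPoolName $HostPoolName -AppGroupName $TargetAppGroupName |
        Where-Object { $_.UserPrincipalName -eq $UserPrincipalName }
    if ($already) {
        Write-Host "$UserPrincipalName is already in '$TargetAppGroupName'"
    } else {
        Write-Host "Adding $UserPrincipalName to '$TargetAppGroupName'"
        Add-RdsAppGroupUser -TenantName $TenantName -HostPoolName $HostPoolName `
            -AppGroupName $TargetAppGroupName -UserPrincipalName $UserPrincipalName
    }
}

# Apply to every member of the WVDUsers Azure AD group (names from the post).
$wvdGroup = Get-AzureADGroup -Filter "DisplayName eq 'WVDUsers'"
$members  = Get-AzureADGroupMember -ObjectId $wvdGroup.ObjectId -All $true
foreach ($upn in $members.UserPrincipalName) {
    Move-RdsUserToAppGroup -TenantName 'cagriandMoh10ly' -HostPoolName 'WVD-Host-Pool01' `
        -TargetAppGroupName 'Desktop Application Group' -UserPrincipalName $upn
}
```

Because the function looks up the current assignments instead of assuming which group the user is in, it also handles users who were added to a RemoteApp group by hand rather than by the template.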

                Refresh the RDWEB Page and see if you can access your host


The same desktop came back, since we are using an FSLogix profile container.

                VM fails to join Domain during Azure Windows Virtual desktop deployment

                Azure Windows Virtual Desktop

WVD, or Azure Windows Virtual Desktop, has become popular during the COVID-19 pandemic, when everyone started working from home. Companies wanting to adapt to the situation started deploying WVD, so I started testing this feature to keep up with the technology.

                Deployment

                I tried different scenarios during the deployment of Azure WVD; I am going to list them and explain exactly where I hit my problem.

                1- Deploying using Azure Gallery VM.

                2- Deploying using a VM Image (This scenario)

                3- Deploying using uploaded VM.

                My first deployment used the Azure Gallery image, and in that deployment the machine was deployed without an issue, although the domain join error still occurred.

                In the second scenario, when you try to use the GitHub link that has the ARM template


                Error 1

                {
                  "status": "Failed",
                  "error": {
                    "code": "ResourceDeploymentFailure",
                    "message": "The resource operation completed with terminal provisioning state 'Failed'.",
                    "details": [
                      {
                        "code": "VMExtensionProvisioningError",
                        "message": "VM has reported a failure when processing extension 'joindomain'. Error message: \"Exception(s) occured while joining Domain 'moh10ly.local'\"\r\n\r\nMore information on troubleshooting is available at https://aka.ms/vmextensionwindowstroubleshoot"
                      }
                    ]
                  }
                }

                Error 2


                {
                  "code": "DeploymentFailed",
                  "message": "At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.",
                  "details": [
                    {
                      "code": "Conflict",
                      "message": "{\r\n \"status\": \"Failed\",\r\n \"error\": {\r\n \"code\": \"ResourceDeploymentFailure\",\r\n \"message\": \"The resource operation completed with terminal provisioning state 'Failed'.\",\r\n \"details\": [\r\n {\r\n \"code\": \"VMExtensionProvisioningError\",\r\n \"message\": \"VM has reported a failure when processing extension 'dscextension'. Error message: \\\"DSC Configuration 'CreateHostPoolAndRegisterSessionHost' completed with error(s). Following are the first few: PowerShell DSC resource MSFT_ScriptResource failed to execute Set-TargetResource functionality with error message: User is not authorized to query the management service.\\nActivityId: ef602cd9-7efd-474d-bc70-ccfd340ecb08\\nPowershell commands to diagnose the failure:\\nGet-RdsDiagnosticActivities -ActivityId ef602cd9-7efd-474d-bc70-ccfd340ecb08\\n PowerShell DSC resource MSFT_ScriptResource failed to execute Set-TargetResource functionality with error message: WVD-Host-Pool01 Hostpool does not exist in CagriandMoh10ly Tenant The SendConfigurationApply function did not succeed.\\\"\\r\\n\\r\\nMore information on troubleshooting is available at https://aka.ms/VMExtensionDSCWindowsTroubleshoot \"\r\n }\r\n ]\r\n }\r\n}"
                    }
                  ]
                }

                Solution:

                Change the following template parameters from their original settings:

                1. The domain to join must be your Active Directory domain name (moh10ly.local in the error above), not the AD Connect public domain.
                2. The credentials must be for a domain user that has the privileges to join any PC to the domain.


                The Tenant Admin UPN must be a user who is allowed to create a WVD tenant; this is the setting behind the "User is not authorized to query the management service" message in Error 2.


                After this, in the Tenant Admin UPN or Application ID field use one of the Tenant Creator accounts and you'll get the result below.

                Don't forget to change the virtual network's DNS settings to point to your domain's DNS server, whether it is in Azure or on-premises; an on-premises DNS server must be reachable over a VPN.
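The three settings above (real AD domain name, a domain-join account for that domain, and VNet DNS that can find a domain controller) can be verified before the template is submitted, which is cheaper than waiting for the joindomain extension to fail. The following pre-flight check is an added example, not from the original post or the ARM template; it assumes Windows PowerShell with the built-in DnsClient and NetTCPIP modules, that the VNet's DNS server list is obtained separately (for instance from (Get-AzVirtualNetwork -Name <vnet> -ResourceGroupName <rg>).DhcpOptions.DnsServers), and that the machine running it can reach those DNS servers and the domain controllers. The function name Test-WvdDomainJoinPrerequisites and the 10.0.0.4 address in the usage comment are placeholders.

```powershell
# Added example (not from the original post): pre-flight checks for the three parameters the
# solution above changes, run before submitting the ARM template.
# Assumptions: Windows PowerShell with the built-in DnsClient and NetTCPIP modules; the VNet DNS
# server list is passed in; DNS servers and domain controllers are reachable (VPN if on-premises).
function Test-WvdDomainJoinPrerequisites {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$DomainToJoin,        # AD DNS name, e.g. moh10ly.local, not the AD Connect public domain
        [Parameter(Mandatory)][string[]]$VnetDnsServers,    # DNS servers configured on the virtual network
        [Parameter(Mandatory)][pscredential]$JoinCredential # the account the 'joindomain' extension will use
    )
    $r = [ordered]@{
        DomainToJoin           = $DomainToJoin
        SrvRecordResolves      = $false   # VNet DNS can locate a DC for this domain
        DomainControllers      = @()
        LdapReachable          = $false   # TCP/389 open to at least one DC
        CredentialIsDomainUser = $false   # UPN suffix / NetBIOS prefix belongs to the AD domain
        CredentialBinds        = $false   # the credential authenticates against a DC
    }

    # 1. DC locator record: _ldap._tcp.dc._msdcs.<domain> must resolve through the VNet's DNS servers.
    foreach ($dns in $VnetDnsServers) {
        $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainToJoin" -Type SRV -Server $dns -ErrorAction SilentlyContinue
        $targets = @($srv | Where-Object { $_.Type -eq 'SRV' } | Select-Object -ExpandProperty NameTarget)
        if ($targets) { $r.SrvRecordResolves = $true; $r.DomainControllers += $targets }
    }
    $r.DomainControllers = @($r.DomainControllers | Select-Object -Unique)

    # 2. LDAP reachability to at least one DC.
    foreach ($dc in $r.DomainControllers) {
        if (Test-NetConnection -ComputerName $dc -Port 389 -InformationLevel Quiet -WarningAction SilentlyContinue) {
            $r.LdapReachable = $true; break
        }
    }

    # 3. Credential shape: user@<ad domain> or <NETBIOS>\user; a public/AD Connect UPN suffix fails this check.
    $user = $JoinCredential.UserName
    if ($user -match '^[^@]+@(.+)$')         { $r.CredentialIsDomainUser = ($Matches[1] -eq $DomainToJoin) }
    elseif ($user -match '^[^\\]+\\[^\\]+$') { $r.CredentialIsDomainUser = $true }

    # 4. Simple LDAP bind with the credential (System.DirectoryServices ships with .NET on Windows).
    if ($r.LdapReachable) {
        $baseDn = 'DC=' + (($DomainToJoin -split '\.') -join ',DC=')
        $entry = $null
        try {
            $entry = New-Object System.DirectoryServices.DirectoryEntry(
                "LDAP://$($r.DomainControllers[0])/$baseDn", $user, $JoinCredential.GetNetworkCredential().Password)
            $null = $entry.NativeObject     # touching NativeObject forces the bind; throws on bad credentials
            $r.CredentialBinds = $true
        } catch { $r.CredentialBinds = $false }
        finally { if ($entry) { $entry.Dispose() } }
    }
    [pscustomobject]$r
}

# Usage: all four booleans should be $true before you deploy (placeholder DNS address).
# Test-WvdDomainJoinPrerequisites -DomainToJoin 'moh10ly.local' -VnetDnsServers '10.0.0.4' -JoinCredential (Get-Credential)
```

A false SrvRecordResolves points at the VNet DNS setting, a false CredentialIsDomainUser at a public-domain UPN being used as the join account, and a false CredentialBinds at the account itself (wrong password, locked out, or lacking rights), which maps each check back to one of the settings changed above.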


                https://docs.microsoft.com/en-us/azure/virtual-desktop/tenant-setup-azure-active-directory

                https://docs.microsoft.com/en-us/azure/virtual-desktop/troubleshoot-set-up-issues

                ADFS and WAP trust breaks with 500 Internal Server error

                Error code

                Yesterday my colleague sent me a message informing me that ADFS was not working. When I tried to log in to the Office 365 portal page with a federated domain's user, I got a 500 Internal Server Error.

                When it occurs:

                If you are using Office 365 with ADFS integration in place, you might get this error when your users try to authenticate to Office 365 or any of its services.


                WAP Server

                In this environment I am using a WAP proxy server behind ADFS, and when installing it I configured a trust using a public certificate, but for some reason this trust was broken.


                Investigation and Solution:

                After investigating the WAP proxy, it seems it had a couple of problems:

                1- The ADFS server name could not be resolved on the WAP server.

                • In my environment, where we are using Sentinel, we have isolated the primary DC, and because of this the WAP server could not reach the DNS server. I solved this by pointing the machine to the secondary DC and adding the ADFS hostname to the hosts file.

                2- The Web Application Proxy service would not start.

                • The errors in the event viewer related to the service not starting all pointed to a certificate thumbprint which didn't even exist in the WAP's Personal store.

                Event Viewer Errors

                There were a couple of errors related to the certificate and service issue: Event ID 224, Event ID 12025, Event ID 7023 and Event ID 224.

                The one which mostly got my attention was the 224:

                The federation server proxy configuration could not be updated with the latest configuration on the federation service.

                Retrieval of proxy config data from federation server using trust certificate with thumbprint failed with status code unauthorized. The remote server returned an error code 401.


                Resolution:

                From the WAP server, fire up PowerShell as an admin, list the certificates in your Personal store and compare their thumbprints with the thumbprint in the error to check whether that certificate exists.

                Even if the certificate exists, you will still need to re-establish the trust with ADFS to make sure WAP can connect to ADFS without an issue.

                Dir Cert:\localmachine\my

                This should show the certificates you have got on your store.


                Now pick the valid public certificate which you want to use for the trust and use the command below to establish the trust (replace both placeholder values):

                Install-WebApplicationProxy -CertificateThumbprint "Enter Certificate ThumbPrint here" -FederationServiceName "ADFS Public FQDN Here"


                After a few moments you should see that the WAP services are back to normal and your users can log in to the Office 365 portal through ADFS.
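Matching the thumbprint from Event ID 224 against Cert:\LocalMachine\My by eye is error-prone, and a certificate that exists can still be unusable for the trust (no private key, expired, wrong subject name, or a chain the server does not trust). The script below is an added example, not from the original post; it reads the thumbprint out of the newest Event ID 224 message and reports, for every certificate in the Personal store, whether it is the one referenced and whether it meets the requirements for Install-WebApplicationProxy. It assumes an elevated PowerShell session on the WAP server and that the 224 event is written to the 'AD FS/Admin' log (the -LogName parameter is there in case your proxy logs it elsewhere); the function name Get-WapTrustCertificateReport is hypothetical.

```powershell
# Added example (not from the original post): inventory the WAP server's Personal store and flag
# which certificate, if any, matches the thumbprint quoted in the Event ID 224 error, and whether
# each certificate is usable for the ADFS trust.
# Assumptions: elevated PowerShell on the WAP server; Event 224 is read from the 'AD FS/Admin' log.
function Get-WapTrustCertificateReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$FederationServiceName,   # ADFS public FQDN (placeholder in usage below)
        [string]$Thumbprint,                                    # thumbprint from the event; auto-read if omitted
        [string]$LogName = 'AD FS/Admin'
    )

    # 1. If no thumbprint was supplied, extract the 40-hex-digit value from the newest Event ID 224.
    if (-not $Thumbprint) {
        $evt = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 224 } -MaxEvents 1 -ErrorAction SilentlyContinue
        if ($evt -and $evt.Message -match '\b[0-9A-Fa-f]{40}\b') { $Thumbprint = $Matches[0] }
    }
    # Normalise: strip spaces/colons that people paste in, upper-case to match the cert provider.
    $Thumbprint = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()

    # 2. Evaluate every certificate in LocalMachine\My against what a WAP trust needs.
    $now = Get-Date
    foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
        $nameMatch = $false
        foreach ($dns in @($cert.DnsNameList.Unicode)) {
            if ($FederationServiceName -like $dns) { $nameMatch = $true }   # -like also covers *.domain wildcards
        }
        $chainOk = $cert.Verify()   # builds the chain against the machine's trusted roots and checks revocation
        [pscustomobject]@{
            Thumbprint       = $cert.Thumbprint
            Subject          = $cert.Subject
            MatchesEventCert = ([bool]$Thumbprint -and $cert.Thumbprint -eq $Thumbprint)
            HasPrivateKey    = $cert.HasPrivateKey
            Expired          = ($cert.NotAfter -lt $now)
            NameMatches      = $nameMatch
            ChainValid       = $chainOk
            UsableForTrust   = ($cert.HasPrivateKey -and $cert.NotAfter -gt $now -and $nameMatch -and $chainOk)
        }
    }
}

# Usage (placeholder FQDN): list candidates, then warn if the event's certificate is simply not there.
# $report = Get-WapTrustCertificateReport -FederationServiceName 'ADFS Public FQDN Here'
# $report | Format-Table Thumbprint, Subject, MatchesEventCert, UsableForTrust
# if (-not ($report | Where-Object MatchesEventCert)) {
#     Write-Warning 'The thumbprint referenced by Event 224 is not in LocalMachine\My; re-run Install-WebApplicationProxy with a certificate marked UsableForTrust.'
# }
```

The case described in this post (the thumbprint in the event does not exist in the Personal store) shows up as no row with MatchesEventCert set; the UsableForTrust column then tells you which certificate to pass to Install-WebApplicationProxy, instead of guessing from Dir output.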
