Phishing attempt by “Microsoft”

By admin on September 27th, 2013

I have been asked by a number of people lately about the following email from verifications@email-domain-administration.com:

Attention;
In compliance with the email upgrade instructions from Microsoft Corporation and your email domain host, all unverified email accounts would be suspended for verification.
To avoid suspension of your email account, and also to retain all email contents, please perform a one time automatic verification by completing the online verification form.
Please CLICK HERE for the online verification form.
As a confirmation of complete and successful verification, you shall be automatically redirected to your email web page.
Please do this for all your email accounts.
Thank you.
Email Support Team.
© 2013 Microsoft Corporation.

NO – this is not from Microsoft!

NO – your account will not be suspended (not because of this anyway)!

YES – You will get in trouble (probably) if you do respond and fill in the form.

I have said it before and I say it again: if you have not called Microsoft, they won’t call you! And they will NEVER ask for your credentials.

Importing certificate in Exchange 2013 from Exchange 2010

By admin on June 29th, 2013

I very often hear comments like “I don’t like certificates” and realize that if you are not working with “certs” all day long it might be a hassle to get all the stuff you need in the right place. So I thought I would give you some of my experiences with certificates and then a little “how to import” them.

The best way to decide which host names should be in a cert (for Exchange) is to find out what names you are using for your different services. Below you see a table of all services in Exchange 2013 that could need a certificate.

Service                | Internal URL                  | External URL
-----------------------|-------------------------------|------------------------------
Autodiscover           | Autodiscover.mailmasterlab.se | Autodiscover.mailmasterlab.se
Exchange Web Services  | cas.mailmasterlab.se          | mail.mailmasterlab.se
Active Sync            | cas.mailmasterlab.se          | mail.mailmasterlab.se
Outlook Web App        | cas.mailmasterlab.se          | mail.mailmasterlab.se
Offline Address Book   | cas.mailmasterlab.se          | mail.mailmasterlab.se
Exchange Control Panel | cas.mailmasterlab.se          | mail.mailmasterlab.se
Outlook Anywhere       | cas.mailmasterlab.se          | mail.mailmasterlab.se

  • I filled in typical values that could be valid in a split DNS scenario but you should find your own values!
  • And to be clear, it’s not a huge thing to change a value (URL) as long as you have Autodiscover setup properly, your clients will get your new configuration and use that.
  • To have a certificate to import I will start by exporting a certificate from Exchange 2010. This could be done via Exchange Management Shell or a GUI but to make things crystal clear I will show you a GUI-based way.
  • First let’s open up an MMC on a server where you have the certificate.
  • Add the snap-in for Certificates
  • Select “Computer account”
  • Select “Local computer”
  • Navigate to Personal, Certificates
  • Then you should see something similar to the screenshot below (It’s possible you have more entries than me)
  • Select the certificate you need, right click on it, go to All tasks and select Export
  • It’s critical that you select “Yes, export the private key”
  • Choose the format you like to export your certificate to:
  • In Windows 2012 you can set permissions to a group or user but in older versions of Windows you won’t have this option so I go for Password.
  • Choose a file name and save your certificate.
  • Hit next and finish and your cert is exported. With that we can import it in Exchange 2013.
  • Open up your favorite browser on your Exchange 2013 server and enter the address https://localhost/ecp
  • That will take you to the Exchange Admin Center logon page.
  • If you experience a sad face and “something went wrong” it’s most likely because you have not moved the mailbox you just logged on to to Exchange 2013.
  • Don’t worry about that and change the URL to https://localhost/ecp?ExchClientVer=15 and you should see the EAC.
  • Navigate to Servers and then Certificate and hit the three dots… Go for import certificate
  • Enter the UNC path to where you exported the certificate and enter the password
  • Choose the servers you want to import the certificate to
  • Now your certificate is imported but it’s not yet assigned to any services so let’s do that as well!
  • Mark your certificate and click edit (the pencil icon)
  • Go to Services and select the services you like to use the cert for
  • It’s likely that you will be presented with a warning about overwriting the current certificate, click yes
  • That’s it, happy SSL!
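
The same export, import and service assignment done from the Exchange Management Shell, as an added example that is not part of the original post. The thumbprint, share path, server name and service list are placeholders or assumptions; the host names are the ones from the table above.

```powershell
# --- Part 1: on the Exchange 2010 server (Exchange Management Shell) ---
$thumb   = '<THUMBPRINT-OF-CERT-TO-MOVE>'        # placeholder
$pfxPath = '\\fileserver\certs$\exchange.pfx'    # hypothetical UNC path

# The export only carries the private key if the key exists and is exportable.
$cert = Get-ExchangeCertificate -Thumbprint $thumb
if (-not $cert.HasPrivateKey)        { throw "No private key for $thumb on this server" }
if (-not $cert.PrivateKeyExportable) { throw "Private key for $thumb is not exportable" }

# Password-protect the PFX (the "Password" option in the GUI export wizard).
$pfxPassword = Read-Host 'Password for the PFX' -AsSecureString
$export = Export-ExchangeCertificate -Thumbprint $thumb -BinaryEncoded:$true -Password $pfxPassword
Set-Content -Path $pfxPath -Value $export.FileData -Encoding Byte

# --- Part 2: on the Exchange 2013 server (Exchange Management Shell) ---
$pfxPath     = '\\fileserver\certs$\exchange.pfx'   # same hypothetical path
$target      = 'EX2013-01'                          # hypothetical server name
$pfxPassword = Read-Host 'Password for the PFX' -AsSecureString

$bytes    = [byte[]](Get-Content -Path $pfxPath -Encoding Byte -ReadCount 0)
$imported = Import-ExchangeCertificate -FileData $bytes -Password $pfxPassword -Server $target

# Before assigning services, confirm the cert covers every name in use.
# Exact-match check only: a wildcard certificate would need extra handling.
$needed  = 'autodiscover.mailmasterlab.se', 'cas.mailmasterlab.se', 'mail.mailmasterlab.se'
$covered = $imported.CertificateDomains | ForEach-Object { $_.ToString().ToLower() }
$missing = $needed | Where-Object { $covered -notcontains $_ }
if ($missing) { throw "Certificate does not cover: $($missing -join ', ')" }

# Assign services (assumed selection; pick the ones you use). As in the EAC,
# expect a prompt about overwriting the current default certificate.
Enable-ExchangeCertificate -Thumbprint $imported.Thumbprint -Services IIS, SMTP -Server $target

# The PFX contains the private key: do not leave it on the share.
Remove-Item -Path $pfxPath
```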

Error in Exchange 2013 Certificate Wizard

By admin on June 18th, 2013

Update: This issue has been fixed in CU2

As part of an Exchange 2013 deployment I used the Exchange Admin Center, EAC, to create a request for a new certificate today. The whole process of doing that is described in numerous places on the web (like here) so I won’t go into details about that but I will mention a fact that came as a bit of a surprise to me…

After all the “hard work” with getting all namespaces correct the only part left was to enter the details of the customer. In this part you type in information about Organization name, Department, where you are located and so on. Normally this doesn’t present a huge challenge for me but when I for the second time got the request file back from the certificate provider telling me to enter the organization name correctly I asked myself if I had gone totally bananas… But as I soon discovered the wizard in Exchange 2013 actually switches two fields… What you enter in “Organization name” will in the request file be presented in “Department name” and vice versa.

So in the example below (picture taken from Digicert link above), “Your Company Inc” would in the request end up in the department field and “IT” where your organization name should have been.

This error is present in Exchange 2013 RTM and CU1 but the team over in Redmond know about the issue so I expect this to be fixed in future releases.

So what is the real impact of this problem? I would say very little besides the fact that some certificate providers, like my customer’s today, may not issue a certificate if they check all the details carefully. Once you have your cert, even if it has the two fields mixed up, it will work just as expected so no huge issue but something to be aware of.

Update: I forgot to mention that this issue won’t happen if you generate your request from Exchange Management Shell! Thanks for the reminder Dave! And while I’m thanking I should say a thank you to TRUSTZONE as well who twice rejected our requests, wouldn’t have seen this otherwise.

Happy 443!
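
Generating the request from the Exchange Management Shell and checking the Organization and Department fields before it goes to the certificate provider, as an added example that is not part of the original post. The output path and country code are assumptions, the organization values are the ones from the example above, and the check relies on `certutil -dump` printing each subject component on its own line; the checking part works on any request file, including one produced by the EAC wizard.

```powershell
# Assumed values: adjust the subject, host names and path to your environment.
$expectedO  = 'Your Company Inc'
$expectedOU = 'IT'
$subject    = "c=SE, o=$expectedO, ou=$expectedOU, cn=mail.mailmasterlab.se"
$reqPath    = 'C:\Temp\exchange2013.req'   # hypothetical path

# Create the request in EMS; o= and ou= are stated explicitly in the subject.
$req = New-ExchangeCertificate -GenerateRequest -SubjectName $subject `
    -DomainName mail.mailmasterlab.se, cas.mailmasterlab.se, autodiscover.mailmasterlab.se `
    -PrivateKeyExportable $true
Set-Content -Path $reqPath -Value $req

# Decode the request and pull out the O= and OU= lines of the subject.
$dump = certutil -dump $reqPath
$oLine  = $dump | Select-String -Pattern '^\s+O=(.+)$'  | Select-Object -First 1
$ouLine = $dump | Select-String -Pattern '^\s+OU=(.+)$' | Select-Object -First 1
if (-not $oLine -or -not $ouLine) { throw 'O= or OU= not found in the request subject' }

$actualO  = $oLine.Matches[0].Groups[1].Value.Trim()
$actualOU = $ouLine.Matches[0].Groups[1].Value.Trim()

# Catch the swapped-field case before the certificate provider does.
if ($actualO -eq $expectedOU -and $actualOU -eq $expectedO) {
    throw "Organization and Department are swapped in $reqPath"
}
if ($actualO -ne $expectedO -or $actualOU -ne $expectedOU) {
    throw "Unexpected subject: O='$actualO', OU='$actualOU'"
}
"Request subject OK: O='$actualO', OU='$actualOU'"
```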

Exchange 2013 OWA users logged out within 5 minutes

By admin on May 30th, 2013

A great friend and fellow MVP, Anders Olsson, wrote a blog post about how users in Outlook Web App get logged out after 5 minutes. Since Anders writes in Swedish we thought it would be a good idea to publish it in English as well so here it is.

More and more organizations are upgrading their Exchange solutions to Exchange 2013. Many of these organizations use a Forefront Threat Management Gateway, TMG, to secure the messaging solution. In most cases this works perfectly well but some have run into issues with dropped sessions after 5 minutes. This is a known problem when TMG and Exchange 2013 are communicating but it only affects a few customers and we have not yet found the common ground for these issues. Microsoft has not yet released an official fix for this but TMG has a feature that can be used to solve the problem.

Session timeout is normally based on a user choice when logging on. In the forms-based authentication form a user can choose between public or private computer, which results in a 10 or 360 minute session timeout.

These timeout values can be set via “Advanced Form Options” from Forms on each listener in TMG.

Changing the value of these settings has proven not to work for customers with these issues.

The solution to this problem is a feature in TMG called Credential Caching. From Advanced (Authentication Options) on the listener you will find Client Credentials Caching. The feature has a self-explanatory name: it caches the credentials for a certain time and the default value is 300 seconds, which of course is our 5 minutes. By changing this value we can raise the time clients stay logged on.

You should NOT change the timeout value if you don’t experience this specific issue!

More information about how to publish Exchange 2013 with TMG can be found on the Exchange Team blog.

Update Rollup 6 for Exchange 2010 SP2

By admin on February 12th, 2013

Today Microsoft released Update Rollup 6 for Exchange Server 2010 Service Pack 2. I have installed it on two servers without any issues but I suggest you test all updates in your lab before you install.

Download: Update Rollup 6 for Exchange Server 2010 Service Pack 2 (KB2746164)

A detailed description of fixes:

Update Rollup 6 for Exchange Server 2010 SP2 addresses the vulnerabilities that are described in Microsoft Security Bulletin MS13-012

This update also resolves the following issues:

  • 2489941 The "legacyExchangeDN" value is shown in the "From" field instead of the "Simple Display Name" in an email message in an Exchange Server 2010 environment

  • 2717453 You cannot move or delete a folder by using Outlook in online mode in an Exchange Server 2010 environment

  • 2733608 Corrupted Japanese DBCS characters when you send a meeting request or post a reply to a posted item in a public folder in an Exchange Server 2010 environment

  • 2734635 Folder-associated information (FAI) items are deleted when you run the New-InboxRule cmdlet or change Inbox rules in an Exchange Server 2010 environment

  • 2737046 AutoPreview feature does not work when you use Outlook in online mode in an Exchange Server 2010 environment

  • 2741117 High CPU utilization by Microsoft Exchange Replication service on Client Access servers in an Exchange Server 2010 environment

  • 2746030 Incorrect ExternalURL value for EWS is returned by an Exchange Server 2010 Client Access server

  • 2750188 Exchange Service Host service crashes when you start the service on an Exchange 2010 server

  • 2751417 Synchronization fails if you sync an external device to a mailbox through EAS in an Exchange Server 2010 environment

  • 2751581 OAB generation fails with event IDs 9126, 9330, and either 9338 or 9339 in an Exchange Server 2010 environment

  • 2760999 "The signup domain ‘org’ derived from ‘<TenantDomainName>.org’ is not a valid domain" error message when you use the Hybrid Configuration wizard in an Exchange Server

  • 2776259 Msftefd.exe process crashes if an email attachment has an unexpected file name extension or no file name extension in an Exchange Server 2010 environment

  • 2779387 Duplicated email messages are displayed in the Sent Items folder in a EWS-based application that accesses an Exchange Server 2010 Mailbox server

  • 2783586 Name order of a contact is displayed incorrectly after you edit the contact in an Exchange Server 2010 environment

  • 2783631 User-Agent field is empty when you run the Get-ActiveSyncDeviceStatistics cmdlet in an Exchange Server 2010 SP2 environment

  • 2783633 You cannot move or delete an email message that is larger than the maximum receive or send size in an Exchange Server 2010 environment

  • 2783649 Private appointment is visible to a delegate in an Exchange Server 2010 environment

  • 2783771 Mailbox on a mobile device is not updated when EAS is configured in an Exchange Server 2010 environment

  • 2783772 Edgetransport.exe process crashes after a journal recipient receives an NDR message in an Exchange Server 2010 environment

  • 2783776 You cannot perform a cross-premises search in a mailbox in an Exchange Server 2010 hybrid environment

  • 2783782 Error message when you use Scanpst.exe on a .pst file in an Exchange Server 2010 environment

  • 2784081 Store.exe process crashes if you add certain registry keys to an Exchange Server 2010 Mailbox server

  • 2784083 Week numbers in the Outlook Web App and Outlook calendars are mismatched in an Exchange Server 2010 environment

  • 2784093 SCOM alerts and event ID 4 in an Exchange Server 2010 SP2 organization that has Update Rollup 1 or later

  • 2784566 Exchange RPC Client Access service crashes on an Exchange Server 2010 Mailbox server

  • 2787023 Exchange Mailbox Assistants service crashes when you try to change a recurring calendar item or publish free/busy data in an Exchange Server 2010 environment

  • 2793274 A new option is available that disables the PermanentlyDelete retention action in an Exchange Server 2010 organization

  • 2793278 You cannot use the search function to search for mailbox items in an Exchange Server 2010 environment

  • 2793279 Exchange Server 2010 does not restart when the Microsoft Exchange Replication service freezes

  • 2793488 Internet Explorer freezes when you connect to the OWA several times in an Exchange Server 2010 environment

  • 2810616 Email message delivery is delayed on a Blackberry mobile device after you install Update Rollup 4 for Exchange Server 2010 SP2

Update Rollup 10 for Exchange 2007 SP 3

By admin on February 12th, 2013

Today Microsoft released Update Rollup 10 for Exchange Server 2007 Service Pack 3. I have not yet installed it on any servers and I suggest you test all updates in your lab before you install.

A detailed description of fixes:

Update Rollup 10 for Exchange Server 2007 SP3 addresses the vulnerabilities that are described in Microsoft Security Bulletin MS13-012. 

This update also resolves the issue that is described in the following Microsoft Knowledge Base article:

  • 2783779 A hidden user is still displayed in the Organization information of Address Book in OWA in an Exchange Server 2007 environment

Update Rollup 10 for Exchange Server 2007 SP3 also includes new daylight saving time (DST) updates for Exchange Server 2007 SP3. For more information about DST, go to the following Microsoft website:

Download: Update Rollup 10 for Exchange Server 2007 Service Pack 3

Released: Update Rollup 4 for Exchange Server 2010 Service Pack 2

By admin on August 14th, 2012

Update Rollup 4 for Exchange Server 2010 Service Pack 2 has been released and I already downloaded and installed it on a multi role server without issues. The only issue right now is that KB2706690 that describes all changes seems to be unavailable at the moment, but I guess that will be fixed soon.

Download Update Rollup 4 for Exchange Server 2010 Service Pack 2 here