As part of an Exchange 2013 deployment I used the Exchange Admin Center, EAC, to create a request for a new certificate today. The whole process is described in numerous places on the web (like here) so I won't go into details about that, but I will mention a fact that came as a bit of a surprise to me…
After all the “hard work” of getting all namespaces correct, the only part left was to enter the details of the customer. In this part you type in information about organization name, department, where you are located and so on. Normally this doesn’t present a huge challenge for me, but when I for the second time got the request file back from the certificate provider telling me to enter the organization name correctly, I asked myself if I had gone totally bananas… But as I soon discovered, the wizard in Exchange 2013 actually switches two fields: what you enter in “Organization name” will in the request file be presented as “Department name” and vice versa.
So in the example below (picture taken from the Digicert link above), “Your Company Inc” would in the request end up in the department field and “IT” where your organization name should have been.
This error is present in Exchange 2013 RTM and CU1, but the team over in Redmond knows about the issue so I expect this to be fixed in future releases.
So what is the real impact of this problem? I would say very little, besides the fact that some certificate providers, like my customer's today, may not issue a certificate if they check all the details carefully. Once you have your cert, even if it has the two fields mixed up, it will work just as expected, so no huge issue but something to be aware of.
Update: I forgot to mention that this issue won’t happen if you generate your request from Exchange Management Shell! Thanks for the reminder Dave! And while I’m thanking people I should say thank you to TRUSTZONE as well, who twice rejected our requests; I wouldn’t have seen this otherwise.
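Since the Exchange Management Shell path is not affected, here is an added example (not from the original post) that generates the request from the shell with an explicit subject and then decodes the request file to confirm that O= and OU= landed where intended before it goes to the CA. The organisation, department, host names and output path are constructed placeholders.

```powershell
# Added example (not from the original post): generate the request from the
# Exchange Management Shell with an explicit subject, then decode the request
# file and confirm O= and OU= landed where intended before sending it to the CA.
# Organisation, department, host names and the output path are constructed
# placeholders; replace them with your own.

$org  = "Your Company Inc"       # must end up in O=  (Organization)
$dept = "IT"                     # must end up in OU= (Department)
$cn   = "mail.example.com"
$sans = "mail.example.com", "autodiscover.example.com"

# -SubjectName is an X.500 string, so O and OU are set directly here and do
# not pass through the EAC wizard fields that get swapped.
$csr = New-ExchangeCertificate -GenerateRequest `
    -SubjectName "C=SE, O=$org, OU=$dept, CN=$cn" `
    -DomainName $sans `
    -KeySize 2048 `
    -PrivateKeyExportable $true

# The cmdlet returns the Base64 PKCS#10 request as text; write it as a plain file.
$reqPath = "C:\Temp\exchange.req"
Set-Content -Path $reqPath -Value $csr -Encoding ASCII

# certutil decodes the request and prints one RDN per line under "Subject:".
$dump = certutil -dump $reqPath | Out-String

$ok = ($dump -match "(?m)^\s*O=$([regex]::Escape($org))\s*$") -and
      ($dump -match "(?m)^\s*OU=$([regex]::Escape($dept))\s*$")

if ($ok) {
    Write-Host "Subject fields verified: O=$org, OU=$dept. Safe to submit $reqPath."
} else {
    Write-Warning "O/OU not as expected in $reqPath. Subject lines follow:"
    ($dump -split "`r?`n") | Select-String -Pattern "^\s*(CN|OU|O|C)="
}
```

The same certutil check can be run against a request produced by the EAC wizard to see the swap for yourself before the CA rejects it.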
Happy 443!
A great friend and fellow MVP, Anders Olsson, wrote a blog post about how users in Outlook Web App get logged out after 5 minutes. Since Anders writes in Swedish, we thought it would be a good idea to publish it in English as well, so here it is.
More and more organizations are upgrading their Exchange solutions to Exchange 2013. Many of these organizations use a Forefront Threat Management Gateway, TMG, to secure the messaging solution. In most cases this works perfectly well, but some have run into issues with dropped sessions after 5 minutes. This is a known problem when TMG and Exchange 2013 are communicating, but it only affects a few customers and we have not yet found the common ground for these issues. Microsoft has not yet released an official fix for this, but TMG has a feature that can be used to solve the problem.
Session timeout is normally based on a user choice when logging on. In the forms-based authentication form a user can choose between public or private computer, which results in a 10 or 360 minute session timeout.
These timeout values can be set via “Advanced Form Options” from Forms on each listener in TMG.
Changing the value of these settings has proven not to work for customers with these issues.
The solution to this problem is a feature in TMG called Credential Caching. Under Advanced (Authentication Options) on the listener you will find Client Credentials Caching. The feature has a self-explanatory name: it caches the credentials for a certain time, and the default value is 300 seconds, which of course is 5 minutes. By raising this value we can extend the time clients stay logged on.
You should NOT change the timeout value if you don’t experience this specific issue!
More information about how to publish Exchange 2013 with TMG can be found on the Exchange Team blog.
Today Microsoft released Update Rollup 6 for Exchange Server 2010 Service Pack 2. I have installed it on two servers without any issues but I suggest you test all updates in your lab before you install.
Download: Update Rollup 6 for Exchange Server 2010 Service Pack 2 (KB2746164)
A detailed description of fixes:
Update Rollup 6 for Exchange Server 2010 SP2 addresses the vulnerabilities that are described in Microsoft Security Bulletin MS13-012
This update also resolves the following issues:
2489941 The "legacyExchangeDN" value is shown in the "From" field instead of the "Simple Display Name" in an email message in an Exchange Server 2010 environment
2717453 You cannot move or delete a folder by using Outlook in online mode in an Exchange Server 2010 environment
2733608 Corrupted Japanese DBCS characters when you send a meeting request or post a reply to a posted item in a public folder in an Exchange Server 2010 environment
2734635 Folder-associated information (FAI) items are deleted when you run the New-InboxRule cmdlet or change Inbox rules in an Exchange Server 2010 environment
2737046 AutoPreview feature does not work when you use Outlook in online mode in an Exchange Server 2010 environment
2741117 High CPU utilization by Microsoft Exchange Replication service on Client Access servers in an Exchange Server 2010 environment
2746030 Incorrect ExternalURL value for EWS is returned by an Exchange Server 2010 Client Access server
2750188 Exchange Service Host service crashes when you start the service on an Exchange 2010 server
2751417 Synchronization fails if you sync an external device to a mailbox through EAS in an Exchange Server 2010 environment
2751581 OAB generation fails with event IDs 9126, 9330, and either 9338 or 9339 in an Exchange Server 2010 environment
2760999 "The signup domain ‘org’ derived from ‘<TenantDomainName>.org’ is not a valid domain" error message when you use the Hybrid Configuration wizard in an Exchange Server
2776259 Msftefd.exe process crashes if an email attachment has an unexpected file name extension or no file name extension in an Exchange Server 2010 environment
2779387 Duplicated email messages are displayed in the Sent Items folder in an EWS-based application that accesses an Exchange Server 2010 Mailbox server
2783586 Name order of a contact is displayed incorrectly after you edit the contact in an Exchange Server 2010 environment
2783631 User-Agent field is empty when you run the Get-ActiveSyncDeviceStatistics cmdlet in an Exchange Server 2010 SP2 environment
2783633 You cannot move or delete an email message that is larger than the maximum receive or send size in an Exchange Server 2010 environment
2783649 Private appointment is visible to a delegate in an Exchange Server 2010 environment
2783771 Mailbox on a mobile device is not updated when EAS is configured in an Exchange Server 2010 environment
2783772 Edgetransport.exe process crashes after a journal recipient receives an NDR message in an Exchange Server 2010 environment
2783776 You cannot perform a cross-premises search in a mailbox in an Exchange Server 2010 hybrid environment
2783782 Error message when you use Scanpst.exe on a .pst file in an Exchange Server 2010 environment
2784081 Store.exe process crashes if you add certain registry keys to an Exchange Server 2010 Mailbox server
2784083 Week numbers in the Outlook Web App and Outlook calendars are mismatched in an Exchange Server 2010 environment
2784093 SCOM alerts and event ID 4 in an Exchange Server 2010 SP2 organization that has Update Rollup 1 or later
2784566 Exchange RPC Client Access service crashes on an Exchange Server 2010 Mailbox server
2787023 Exchange Mailbox Assistants service crashes when you try to change a recurring calendar item or publish free/busy data in an Exchange Server 2010 environment
2793274 A new option is available that disables the PermanentlyDelete retention action in an Exchange Server 2010 organization
2793278 You cannot use the search function to search for mailbox items in an Exchange Server 2010 environment
2793279 Exchange Server 2010 does not restart when the Microsoft Exchange Replication service freezes
2793488 Internet Explorer freezes when you connect to the OWA several times in an Exchange Server 2010 environment
2810616 Email message delivery is delayed on a Blackberry mobile device after you install Update Rollup 4 for Exchange Server 2010 SP2
Today Microsoft released Update Rollup 10 for Exchange Server 2007 Service Pack 3. I have not yet installed it on any servers and I suggest you test all updates in your lab before you install.
A detailed description of fixes:
Update Rollup 10 for Exchange Server 2007 SP3 addresses the vulnerabilities that are described in Microsoft Security Bulletin MS13-012.
This update also resolves the issue that is described in the following Microsoft Knowledge Base article:
A hidden user is still displayed in the Organization information of Address Book in OWA in an Exchange Server 2007 environment
Update Rollup 10 for Exchange Server 2007 SP3 also includes new daylight saving time (DST) updates for Exchange Server 2007 SP3. For more information about DST, go to the following Microsoft website:
Download: Update Rollup 10 for Exchange Server 2007 Service Pack 3
Update Rollup 4 for Exchange Server 2010 Service Pack 2 has been released and I already downloaded and installed it on a multi role server without issues. The only issue right now is that KB2706690 that describes all changes seems to be unavailable at the moment, but I guess that will be fixed soon.
Download Update Rollup 4 for Exchange Server 2010 Service Pack 2 here
Last week Microsoft published Microsoft Security Advisory (2737111). In short, it says that in Outlook Web App in Exchange 2007 and Exchange 2010 it is possible, under certain conditions, for the vulnerabilities to allow an attacker to take control of the server process that is parsing a specially crafted file.
The workaround for this issue is to disable Web Ready Document Viewing on the Outlook Web App virtual directory. But if you have applied an Outlook Web App Mailbox Policy and assigned it to users, the described workaround won’t be enough. As you can read in Understanding Outlook Web App Mailbox Policies, it clearly states that:
Effectively this means that if you disable Web Ready Document Viewing on the Outlook Web App virtual directory, your users who have an Outlook Web App Mailbox Policy assigned might still be affected by this issue. The default value for Web Ready Document Viewing is enabled, so if you haven’t specifically turned it off, users are affected. To check whether you have any users with an assigned OWA Mailbox Policy, run the following command in Exchange Management Shell:
Get-CASMailbox -ResultSize Unlimited | Where {$_.OWAMailboxPolicy -ne $null}
To disable Web Ready Document Viewing for all OWA Mailbox Policies run:
Get-OWAMailboxPolicy | Set-OWAMailboxPolicy -WebReadyDocumentViewingOnPublicComputersEnabled:$False -WebReadyDocumentViewingOnPrivateComputersEnabled:$False
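To verify that the workaround is actually effective, here is an added audit script (not from the original post) that reads the Web Ready Document Viewing settings on every OWA virtual directory and every OWA mailbox policy, counts how many mailboxes each policy is assigned to, and reports anything still enabled. It changes nothing; the server and policy names in its output are simply whatever exists in your organization.

```powershell
# Added example, not from the original post: report where Web Ready Document
# Viewing is still effective after the advisory workaround. Both the OWA
# virtual directories and the OWA mailbox policies are checked, because a
# policy assigned to a user overrides the virtual directory setting.
# Read-only: nothing is modified.

$report = @()

# Virtual directory level (the setting the advisory workaround disables).
foreach ($v in Get-OwaVirtualDirectory) {
    $report += New-Object PSObject -Property @{
        Scope     = "VirtualDirectory"
        Name      = $v.Identity.ToString()
        Public    = $v.WebReadyDocumentViewingOnPublicComputersEnabled
        Private   = $v.WebReadyDocumentViewingOnPrivateComputersEnabled
        Mailboxes = "n/a"
    }
}

# Count mailboxes per assigned policy in a single pass over the CAS mailboxes.
$perPolicy = @{}
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { $_.OWAMailboxPolicy -ne $null } |
    ForEach-Object { $perPolicy[$_.OWAMailboxPolicy.Name] += 1 }

# Policy level (what the virtual directory setting does not cover).
foreach ($p in Get-OwaMailboxPolicy) {
    $n = 0
    if ($perPolicy.ContainsKey($p.Name)) { $n = $perPolicy[$p.Name] }
    $report += New-Object PSObject -Property @{
        Scope     = "MailboxPolicy"
        Name      = $p.Name
        Public    = $p.WebReadyDocumentViewingOnPublicComputersEnabled
        Private   = $p.WebReadyDocumentViewingOnPrivateComputersEnabled
        Mailboxes = $n
    }
}

# Any row with either flag still true is still exposed to the advisory's issue.
$exposed = $report | Where-Object { $_.Public -or $_.Private }
if ($exposed) {
    Write-Warning "Web Ready Document Viewing is still enabled on:"
    $exposed | Format-Table Scope, Name, Public, Private, Mailboxes -AutoSize
} else {
    Write-Host "Web Ready Document Viewing is disabled on all virtual directories and policies."
}
```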
Update: This issue is solved in Update Rollup 4 for Exchange Server 2010 Service Pack 2.