Archive for the Exchange Category

PrivateKeyMissing when running Enable-ExchangeCertificate

Enable-ExchangeCertificate : The certificate with thumbprint XXXXXXXXX was found but is not valid for use with Exchange Server
(reason: PrivateKeyMissing).
At line:1 char:27
+ Enable-ExchangeCertificate <<<< -Thumbprint XXXXXXXXX -Services "IIS"

The error means the certificate is present in the Local Computer Personal store, but Windows cannot find the private key that belongs to it, so Exchange refuses to bind it to a service. On Exchange 2007 this happens sporadically after an import: either the link from the certificate to its key container in the machine key store is lost, or the store itself is damaged. While it persists, no certificate can be enabled or removed through the Exchange Management Shell (EMS). As long as the key material is still on the machine, certutil can rebuild the link; if the key was never on this server (for example, a .crt from the CA installed on a machine other than the one that generated the request), the repair will fail and the certificate must be imported from a PFX that contains the key.

Repair Damaged Certificate Store:

1) Open MMC (Microsoft Management Console) to the Certificate Manager (Certificates Snap-in) for the Local Computer account.
2) Double-Click on the recently imported certificate (It will be missing the golden key).
3) Go to the Details tab.
4) Click on the Serial Number field and copy down that number. (Leave window open)
5) Open up the command prompt (DOS Prompt — CMD.exe)
6) From an elevated prompt, type: certutil -repairstore my "SerialNumber" (SerialNumber is the value copied in step 4, inside the quotes).
7) After running the command, go back to the MMC, right-click Certificates and select "Refresh".
8) One should now see the golden key associated with the certificate.
9) Confirm in the Exchange Management Shell with Get-ExchangeCertificate; the certificate should now report HasPrivateKey as True and Enable-ExchangeCertificate should succeed.

Alternatively if the above does not work try the following:
Note: Follow these steps if running Windows Server 2008 only

1) Open MMC (Microsoft Management Console) to the Certificate Manager for the Local Computer account. (Certificates Snap In)
2) In the Personal store there will be certificate icon(s) without the little golden key (the key means the private key is bound to the certificate).
3) Delete the icons without the golden key.
4) Go back to the EMS.
5) Run Import-ExchangeCertificate and Enable-ExchangeCertificate in one line, like so:
   Import-ExchangeCertificate -Path c:\exchange.comodo.com.crt | Enable-ExchangeCertificate -Services "SMTP, IMAP, IIS, POP"
*** Modify the command according to your needs. A .crt from the CA carries no private key: this import only re-links the public certificate to the key that New-ExchangeCertificate generated on this same server. If that key no longer exists, import a .pfx that contains it instead. ***
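The repair can be scripted so the serial number does not have to be copied by hand. The following is an added example, not code from the original post: it assumes PowerShell is available on the server (it ships with Exchange 2007), that certutil.exe is on the path, and that you run it from an elevated prompt. The thumbprint is a placeholder.

```powershell
# Added example, not from the original post. Lists certificates in the Local Computer
# Personal store that have no private key, repairs the key link for one of them with
# certutil, and re-checks the store. $Thumbprint is a placeholder.
$Thumbprint = "XXXXXXXXX"

function Get-MyCert([string] $thumb) {
    # Thumbprints copied from MMC or Get-ExchangeCertificate may contain spaces.
    $thumb = ($thumb -replace '\s', '').ToUpper()
    Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumb }
}

function Get-KeylessCerts {
    # The certificates that show in MMC without the golden key
    # (the alternate method above deletes exactly these).
    Get-ChildItem Cert:\LocalMachine\My | Where-Object { -not $_.HasPrivateKey } |
        Select-Object Thumbprint, Subject, NotAfter
}

function Repair-MyCertKeyLink([string] $thumb) {
    $cert = Get-MyCert $thumb
    if (-not $cert) { throw "No certificate with thumbprint $thumb in LocalMachine\My" }
    if ($cert.HasPrivateKey) {
        Write-Host "Private key already linked; nothing to repair."
        return $true
    }
    # Step 6 of the procedure: re-link the certificate to its key container.
    # This only succeeds if the key is still in the machine key store.
    & certutil.exe -repairstore my $cert.SerialNumber | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "certutil -repairstore failed (exit $LASTEXITCODE); the key may be gone, re-import from a PFX"
    }
    # Re-read the store: the object fetched earlier does not refresh itself.
    $cert = Get-MyCert $thumb
    return [bool] $cert.HasPrivateKey
}

Get-KeylessCerts | Format-Table -AutoSize
if (Repair-MyCertKeyLink $Thumbprint) {
    # Run in the EMS: the bind that failed with PrivateKeyMissing should now succeed.
    Enable-ExchangeCertificate -Thumbprint $Thumbprint -Services "IIS"
}
```

Get-KeylessCerts is also a useful pre-check before deleting anything in the MMC: a certificate that has no private key and is not the one you just imported (an old expired one, for instance) can be removed without touching the store repair.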

EMC 2007 - Access is denied (2147024891) Error

Something I noticed today while working on some issues one of our guys had with using the EMC for Exchange 2007. He kept getting an access denied error when trying to do anything in the EMC. The messages went something like this:

——————————————————–
Microsoft Exchange Error
——————————————————–
The following error(s) were reported while loading topology information:
Get-OWAVirtualDirectory
Failed
Error:
Unable to create Internet Information Services (IIS) directory entry. Error message is: Access is denied.
HResult = -2147024891.
Access is denied.
Directory Path: IIS://mailboxserver.genericcompany.com/W3SVC/1/ROOT/Exchange
Detail:
server name: mailboxserver.genericcompany.com
local machine name: XPWORKSTATION
local machine fqdn: XPWORKSTATION.genericcompany.com
Access is denied.
Kind of an irritating message actually. There were some other ones as well referring to the CAS server, etc., but you get the point. The solution? Heh, easy as can be actually:

* From "Start" -> "Run" type in ' dcomcnfg ' and hit "Enter"
* From the Component Services Console, expand "Component Services" -> "Computers"
* Right-click on "My Computer" and select "Properties"
* On the "Default Properties" tab, find the Default Impersonation Level and change it from "Identify" to "Impersonate"

That should do it. Note that this is the machine-wide DCOM default for the workstation running the EMC (the EMC reads the IIS metabase on the Exchange servers through a DCOM/ADSI call that needs to run as the logged-on user), so it applies to every DCOM client on that workstation, not just the EMC. "Impersonate" is enough; do not go to "Delegate", which would let a server forward the user's credentials to other hosts.
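The dcomcnfg setting is a single registry value, so the check can be scripted across the admin workstations. The following is an added example, not from the original post; it assumes PowerShell on the workstation running the EMC and an account that can write to HKLM.

```powershell
# Added example, not from the original post. Reads and, if needed, raises the
# machine-wide DCOM default impersonation level that dcomcnfg edits.
$OleKey = 'HKLM:\SOFTWARE\Microsoft\Ole'
$Levels = @{ 1 = 'Anonymous'; 2 = 'Identify'; 3 = 'Impersonate'; 4 = 'Delegate' }

function Get-DcomImpersonationLevel {
    $p = Get-ItemProperty -Path $OleKey -Name LegacyImpersonationLevel -ErrorAction SilentlyContinue
    # When the value is absent Windows uses Identify (2).
    if ($p -eq $null) { return 2 }
    return [int] $p.LegacyImpersonationLevel
}

function Set-DcomImpersonationLevel([int] $level) {
    if (-not $Levels.ContainsKey($level)) { throw "Unknown impersonation level $level" }
    Set-ItemProperty -Path $OleKey -Name LegacyImpersonationLevel -Value $level -Type DWord
}

$current = Get-DcomImpersonationLevel
Write-Host ("Default Impersonation Level is {0} ({1})" -f $current, $Levels[$current])
if ($current -lt 3) {
    # The EMC needs Impersonate (3). Delegate (4) would allow credential forwarding
    # and is more than this fix requires, so never raise beyond 3 here.
    Set-DcomImpersonationLevel 3
    Write-Host "Raised to Impersonate (3); restart the EMC."
}
```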

Mirrored on: http://travis.sarbin.net/2009/04/06/emc-2007-access-is-denied-2147024891-error

Exchange 2003 ActiveSync w/ SSL and/or forms-based authentication.

One of the most common complaints when someone deploys Exchange in an organization with Windows Mobile phones is the puzzling "Why won't this just work?" that follows the moment forms-based authentication is switched on. The fix is out there, but folks often don't know why or where the problem originates, so they have a hard time finding it. Hopefully this paragraph will let some search engine somewhere lead someone to the solution faster. It also belongs in the local arsenal of "oh yeah, that's how I fixed that" articles Myke and I are compiling. So here is how to get Microsoft ActiveSync working on an Exchange 2003 installation where SSL and/or forms-based authentication has been enabled on the default /Exchange virtual directory. Why it breaks: the ActiveSync component on the server hands each request to the /Exchange virtual directory over plain HTTP with the user's credentials; with forms-based authentication or "require SSL" set on that directory, that hand-off fails. The workaround gives ActiveSync a second, locked-down copy of the directory to use instead. Keep in mind these changes go on the server that holds the mailboxes, not on a front-end server. If you have an SBS 2003 installation these options should already be set; if they are not, or you are still having problems with ActiveSync, run through the instructions and confirm they are all present. If they are, the problem is probably not authentication or reaching the server, but something a little easier to address. :)
**This method involves creating a new virtual directory from a copy of the original to handle ActiveSync's requests. If you are not comfortable with registry changes or IIS settings, you may not want to try this.

Disable forms-based authentication on the Exchange server you are about to modify.

  1. Open Exchange Manager.
  2. Expand Administrative Groups, expand the first administrative group, and then expand Servers.
  3. Expand the server container for the Exchange Server 2003 server that you will be configuring, expand Protocols, and then expand HTTP.
  4. Under the HTTP container, right-click the Exchange Virtual Server container, and then click Properties.
  5. Click the Settings tab, clear the Enable Forms Based Authentication check box, and then click OK.
  6. Close Exchange Manager.
  7. Click Start, click Run, type iisreset /noforce, and then press ENTER to restart Internet Information Services (IIS).

Create a secondary virtual directory and configure ActiveSync to communicate with it.

  1. Start Internet Information Services (IIS) Manager.
  2. Locate the Exchange virtual directory. The default location is as follows:

    Web Sites\Default Web Site\Exchange

  3. Right-click the Exchange virtual directory, click All Tasks, and then click Save Configuration to a File.
  4. In the File name box, type a name. For example, type ExchangeVDir. Click OK.
  5. Right-click the root of this Web site. Typically, this is Default Web Site. Click New, and then click Virtual Directory (from file).
  6. In the Import Configuration dialog box, click Browse, locate the file that you created in step 4, click Open, and then click Read File.
  7. Under Select a configuration to import , click Exchange, and then click OK.A dialog box will appear that states that the “virtual directory already exists.”
  8. Select the Create a new virtual directory option. In the Alias box, type a name for the new virtual directory that you want Exchange ActiveSync and Outlook Mobile Access to use. For example, type exchange-oma. Click OK.
  9. Right-click the new virtual directory. In this example, click exchange-oma. Click Properties.
  10. Click the Directory Security tab.
  11. Under Authentication and access control, click Edit.
  12. Make sure that only the following authentication methods are enabled, and then click OK:
    • Integrated Windows authentication
    • Basic authentication
  13. On the Directory Security tab, under IP address and domain name restrictions, click Edit.
  14. Click the option for Denied access (so that every computer is denied except those listed), click Add, click Single computer, type the IP address of the server that you are configuring, and then click OK twice. This is the control that matters: the new directory accepts Basic authentication without SSL, so only the server itself, where the ActiveSync component runs, may reach it.
  15. Under Secure communications, click Edit. Make sure that Require secure channel (SSL) is not enabled, and then click OK.
  16. Click OK, and then close the IIS Manager.
  17. Click Start, click Run, type regedit, and then click OK.
  18. Locate the following registry subkey:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MasSync\Parameters

  19. Right-click Parameters, click to New, and then click String Value.
  20. Type ExchangeVDir, and then press ENTER. Right-click ExchangeVDir, and then click Modify. Note: ExchangeVDir is case-sensitive. If you do not type ExchangeVDir exactly as it appears in this article, ActiveSync does not find the key when it looks for the exchange-oma folder.
  21. In the Value data box, type the name of the new virtual directory that you created in step 8. For example, type /exchange-oma. Click OK.
  22. Quit Registry Editor.
  23. Restart the IIS Admin service. To do this, follow these steps:
    1. Click Start, click Run, type services.msc, and then click OK.
    2. In the list of services, right-click IIS Admin service, and then click Restart.

To re-enable forms-based authentication, do the following:

  1. Open Exchange Manager.
  2. Expand Administrative Groups, expand the first administrative group, and then expand Servers.
  3. Expand the server container for the Exchange Server 2003 server that you will be configuring, expand Protocols, and then expand HTTP.
  4. Under the HTTP container, right-click the Exchange Virtual Server container, and then click Properties.
  5. Click the Settings tab, click to select the Enable Forms Based Authentication check box, and then click OK.
  6. Close Exchange Manager.
  7. Click Start, click Run, type iisreset /noforce, and then press ENTER to restart Internet Information Services (IIS).
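Because the new directory is only safe while the IP restriction, the authentication methods and the registry pointer all agree, it is worth verifying the result after the clicks. The following verification script is an added example, not from the original post. It assumes PowerShell 1.0 or later is installed on the Exchange 2003 mailbox server, that the IIS 6 ADSI provider is available, that the site is the Default Web Site (metabase ID 1) and that the alias chosen in step 8 was "exchange-oma"; $ServerIp is a placeholder for the address entered in step 14.

```powershell
# Added verification script, not from the original post. Checks the exchange-oma
# virtual directory against steps 12, 14, 15 and 18-21 of the procedure.
$SiteId   = 1
$Alias    = 'exchange-oma'
$ServerIp = '10.0.0.5'   # placeholder: the address entered in step 14

# IIS 6 metabase bit values
$AuthAnonymous = 1; $AuthBasic = 2; $AuthNTLM = 4
$AccessSSL = 8

function Test-OmaVdir {
    $findings = @()
    $path = "IIS://localhost/W3SVC/$SiteId/ROOT/$Alias"
    if (-not [ADSI]::Exists($path)) { return @("virtual directory $Alias not found at $path") }
    $vdir = [ADSI] $path

    # Step 12: Basic + Integrated only. Anonymous here would expose the mailbox
    # directory to unauthenticated plain-HTTP requests.
    $auth = [int] $vdir.AuthFlags
    $want = $AuthBasic -bor $AuthNTLM
    if ($auth -ne $want) { $findings += "AuthFlags is $auth, expected $want (Basic + Integrated Windows)" }
    if (($auth -band $AuthAnonymous) -ne 0) { $findings += "Anonymous access is enabled on $Alias" }

    # Step 15: SSL must not be required, or the ActiveSync hand-off fails.
    $ssl = [int] $vdir.AccessSSLFlags
    if (($ssl -band $AccessSSL) -ne 0) { $findings += "Require secure channel (SSL) is on for $Alias" }

    # Step 14: deny by default, grant only this server. Without this, any client on
    # the network could use the non-SSL Basic-auth directory directly.
    $ipsec = $vdir.psbase.Properties['IPSecurity'].Value
    if ($ipsec.GrantByDefault) { $findings += "IP restriction grants by default; it must deny by default" }
    $grants = @($ipsec.IPGrant)
    $own = $grants -match ('^' + [regex]::Escape($ServerIp) + '\b')
    if (-not $own) { $findings += "server address $ServerIp is not in the IPGrant list" }
    if ($grants.Count -gt 1) { $findings += "IPGrant lists $($grants.Count) entries; expected only $ServerIp" }

    # Steps 18-21: the pointer ActiveSync follows. The value name is case-sensitive.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\MasSync\Parameters'
    $reg = Get-ItemProperty -Path $key -Name ExchangeVDir -ErrorAction SilentlyContinue
    if ($reg -eq $null -or $reg.ExchangeVDir -cne "/$Alias") { $findings += "ExchangeVDir is not set to /$Alias under $key" }

    return $findings
}

$result = @(Test-OmaVdir)
if ($result.Count -eq 0) { Write-Host "$Alias matches the procedure" }
else { $result | ForEach-Object { Write-Host "CHECK: $_" } }
```

Run it once after the IIS Admin restart and again after any later IIS change: the most common regression is someone enabling "Require SSL" on the whole site, which drags exchange-oma along with it.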

Hopefully this will help you out. If not, send your error along to one of us and we’ll see if we have a solution. If we do, we’ll post it up. :)
Mirrored on: http://travis.sarbin.net/2009/03/29/exchange-2003-activesync-w-ssl-andor-forms-based-authentication

Multiple Exchange 2007 Servers + ISA 2006 + ActiveSync

Anyone who has tried to set that up knows what I’m talking about. I actually got this all figured out a couple months ago but failed to make a post about how I did it, so today I found myself trying to remember what I did while trying to fix one of our other sites. So this time, I’m going to post it up.

The surprisingly common response you see when you set up ISA 2006 in front of Exchange 2007 and browse to the ActiveSync virtual directory (https://host/Microsoft-Server-ActiveSync) in a web browser is the following:

501 - Header values specify a method that is not implemented.

This is actually a good sign: the ActiveSync directory only implements POST and OPTIONS, so a browser GET is answered with 501, which means the request reached the CAS and was authenticated. However, if your ISA server publishes one Exchange 2007 Client Access Server (CAS) which then proxies to the CAS servers in your other internal sites, a mailbox in another site may get this instead:

405 - HTTP verb used to access this page is not allowed.

At that point you start to question your sanity and your Google skills: after all that work of making sure the configurations matched on all your servers, why does it still not work? You can access the local CAS server directly and pick up the 501, but whenever you go through the CAS proxy it just bombs on you.

Assuming you can indeed connect directly, check a few settings. In IIS Manager, open the properties for Microsoft-Server-ActiveSync under the Default Web Site (or whichever site you use) on both the proxying CAS and the target CAS, and look at Handler Mappings and Authentication. You should have the following:

  • Handler Mappings: OptionsVerbHandler must be configured for 'All verbs', not just 'OPTIONS'.
  • Authentication: everything disabled except 'Basic Authentication' and 'Windows Authentication'. The proxying CAS authenticates to the target CAS with Integrated Windows authentication on the user's behalf, so if Windows Authentication is off on the target's ActiveSync directory the proxied request is refused; Basic is what the devices use through ISA.

If those settings are right, make sure the proxy CAS and the target CAS are both running the same Exchange service pack and update rollup (the rollup level shows in the file version of ExSetup.exe, not in the AdminDisplayVersion that Get-ExchangeServer reports), then reboot them. It should be working now.
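Checking every CAS by hand in IIS Manager is tedious, and the rollup mismatch is easy to miss. The following is an added example, not from the original post: run it in the Exchange 2007 Management Shell on a CAS. It assumes the default Exchange install path for ExSetup.exe, that the C$ admin share on each CAS is reachable from where you run it, and that the handler check at the end is run locally on an IIS 7 server.

```powershell
# Added check, not from the original post. Reports ActiveSync authentication settings
# and the ExSetup.exe build on every CAS, then flags what the article says to fix.
$ExSetupRelPath = 'C$\Program Files\Microsoft\Exchange Server\Bin\ExSetup.exe'   # assumed default path

function Get-EasProxyReport {
    $report = @()
    foreach ($cas in Get-ClientAccessServer) {
        # The rollup level is only visible in the ExSetup.exe file version.
        $exe = "\\$($cas.Name)\$ExSetupRelPath"
        $build = 'unreachable'
        if (Test-Path $exe) { $build = (Get-Item $exe).VersionInfo.FileVersion }

        foreach ($vdir in Get-ActiveSyncVirtualDirectory -Server $cas.Name) {
            $o = New-Object PSObject
            $o | Add-Member -MemberType NoteProperty -Name Server  -Value $cas.Name
            $o | Add-Member -MemberType NoteProperty -Name Vdir    -Value $vdir.Name
            $o | Add-Member -MemberType NoteProperty -Name Basic   -Value $vdir.BasicAuthEnabled
            $o | Add-Member -MemberType NoteProperty -Name Windows -Value $vdir.WindowsAuthEnabled
            $o | Add-Member -MemberType NoteProperty -Name Build   -Value $build
            $report += $o
        }
    }
    return $report
}

function Test-EasProxyReport($report) {
    $findings = @()
    foreach ($r in $report) {
        # Devices authenticate with Basic through ISA; the proxy CAS uses Integrated
        # Windows authentication against the target CAS.
        if (-not $r.Basic)   { $findings += "$($r.Server): Basic authentication disabled on $($r.Vdir)" }
        if (-not $r.Windows) { $findings += "$($r.Server): Windows authentication disabled on $($r.Vdir); CAS-to-CAS proxy will fail" }
    }
    $builds = @($report | ForEach-Object { $_.Build } | Sort-Object -Unique)
    if ($builds.Count -gt 1) { $findings += 'CAS servers run different builds: ' + [string]::Join(', ', $builds) }
    return $findings
}

$report = Get-EasProxyReport
$report | Format-Table Server, Vdir, Basic, Windows, Build -AutoSize
Test-EasProxyReport $report | ForEach-Object { Write-Host "CHECK: $_" }

# Handler mapping check, run locally on each CAS (IIS 7). Look for
# name="OptionsVerbHandler" with verb="*" in the output.
& "$env:windir\system32\inetsrv\appcmd.exe" list config 'Default Web Site/Microsoft-Server-ActiveSync' /section:handlers
```

Any CAS that reports 'unreachable' for the build simply could not be read over the admin share; run the ExSetup.exe check locally on that box instead of assuming it matches.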

Hopefully this will help some poor soul out there.

Mirrored on http://travis.sarbin.net/2009/03/25/multiple-exchange-2007-servers-isa-2006-activesync

Spam rules the Email world in 2008

Sexual performance enhancers and pharmaceuticals were the most common subjects used by spam in 2008

GLENDALE, Calif., Jan. 28, 2009. PandaLabs, Panda Security's malware analysis and detection laboratory, today revealed the results from its analysis of 430 million email messages from 2008 and discovered that only 8.4 percent of messages that reached companies were legitimate. Some 89.88 percent of messages were spam, while 1.11 percent were infected with some type of malware. This data was compiled from the analysis by TrustLayer Mail, the clean mail managed service from Panda Security.

Only January 2008 witnessed levels of spam below 80 percent. The amount of spam fluctuated throughout the year, peaking in the second quarter at 94.27 percent of all mail reaching companies.

With respect to infected messages in 2008, the Netsky.P worm was the most frequently detected malicious code. This type of malware activates automatically when users view the infected message through the Microsoft Office Outlook preview pane. It does this by exploiting a vulnerability in Internet Explorer that allows automatic execution of email attachments. The exploit of this vulnerability was detected by PandaLabs as Exploit/iFrame and was the third most frequently detected type of malware in emails by TrustLayer Mail.

“The fact that these two malicious codes often act in unison explains the high number of detections of both,” said Luis Corrons, Technical Director of PandaLabs. “Cyber crooks often launch several strains of malware with each exploit to increase the chances of infection, so even if users whose systems are up-to-date are immune to the exploit, they could still fall victim to infection by the worm if they run the attachment.”

The Rukap.G backdoor Trojan, designed to allow attackers to take control of a computer, and the Dadobra.Bl Trojan were also among the most prevalent malicious code.

Top malware in email, 2008:

  1. Netsky.P.worm
  2. Bck/Rukap.G
  3. Exploit/iFrame
  4. Trj/Dadobra.BL
  5. Generic Malware
  6. Trj/Downloader.PSJ
  7. Trj/SpamtaLoad.DO
  8. Trj/Downloader.PWR
  9. Bck/Haxdoor.PL
  10. Trj/Spamtaload.DZ

“For companies, spam is more than just a nuisance. It consumes bandwidth, wastes employees’ time and can even cause system malfunctions. In the end, it all results in a loss of productivity,” adds Luis Corrons.

Much of this spam was circulated by the extensive network of zombie computers controlled by cyber-crooks. A zombie is a computer infected by a bot, a type of malware allowing cyber criminals to control infected systems. Frequently, these computers are used as a network to drive malicious actions such as the sending of spam. Just in the last three months of the year, 301,000 zombie computers were being put into action every day.

Spam subjects in 2008

With respect to the different types of spam in circulation, 32.25 percent of spam in 2008 was related to pharmaceutical products with sexual performance enhancers accounting for 20.5 percent.

Spam relating to the economic situation also grew significantly throughout 2008. False job offers and fraudulent diplomas accounted for 2.75 percent of all junk mail in the year, while messages promoting mortgages and fake loans were responsible for 4.75 percent.

Spam promoting fake brand products, such as watches, was responsible for 16.75 percent of the total. This category nevertheless dropped from 21 percent in the first half of the year to 12.5 percent in the last six months. To view an entire breakdown of the variety of spam subjects that PandaLabs discovered, please access the data here: http://www.flickr.com/photos/panda_security/3234535186/

About PandaLabs

Since 1990, its mission has been to detect and eliminate new threats as rapidly as possible to offer our clients maximum security. To do so, PandaLabs has an innovative automated system that analyzes and classifies thousands of new samples a day and returns automatic verdicts (malware or goodware). This system is the basis of collective intelligence, Panda Security's new security model, which can even detect malware that has evaded other security solutions. Currently, 94 percent of malware detected by PandaLabs is analyzed through this system of collective intelligence. This is complemented by the work of several teams, each specialized in a specific type of malware (viruses, worms, Trojans, spyware, phishing, spam, etc.), working 24/7 to provide global coverage. This translates into more secure, simpler and more resource-friendly solutions for clients. More information is available on the PandaLabs blog: http://www.pandalabs.com and the Panda Security website: www.pandasecurity.com/usa.

Customize/Create Outlook Web Access 2007 Themes

OWA 2007 ships with only a few stock themes. If you need more, or want a corporate-branded theme, use these instructions.

A theme in OWA is a collection of media (.GIF and .WAV files) and .CSS files. These files are installed in folders under the OWA virtual directory, in '<version>\themes'.

Out of the box, we ship with three themes: blue "Seattle Sky" (folder name 'base'), black "Carbon Black" (folder name '1') and a mountain image "Olympic Sunrise" (folder name '2'). Customers can add more themes by creating new folders and adding their own customized files.

We recommend that you limit your theme to changing the logo, the top banner area and the selection highlights, so it has less potential for destabilization and bugs. Very bright, very light or very dark colors for the selection colors and the top banner are not advised; try subtle or primary colors for the banner area and medium-hued colors for the selection/highlight colors. If you do want darker or very light colors, you will also need to adjust the text for adequate contrast and legibility, testing on various monitors at different resolutions.

The base theme

The base theme lives under ‘themes\base’ and it contains all of the themeable files. Any other themes are built by overriding files in the base theme.

Say for example the base theme is made of files A, B, C and D. I can create a new theme by changing say, C and D, and leaving A and B untouched. Thus for the new theme, C and D will come from the new theme folder, while A and B will come from the base theme.

What’s in a theme folder

The two most important types of files in a theme folder are icons (GIF files) and styles (CSS files). Specifically, premium.css is the style sheet file for Premium OWA (the OWA Light client is not themeable).

Premium.css can be edited to change things like colors, gradients and font styles.

The GIF files can be edited to change any icons in the UI. Keep in mind that the sizes of the images should not be changed.

This is an improvement over Titanium (Exchange 2003), where only a handful of GIFs could be themed (the logo and a couple of others), and only the colors in the .CSS file could be changed.

How to install a theme

Create a new folder under version\themes (e.g. “themes\viayoga”).

Copy the files from the base theme that you want to alter for your new theme. If, for example, you want to change the logo, copy 'logop.gif' from 'themes\base' to 'themes\viayoga'. The viayoga folder at this point will contain only one file. If you also want to change some of the styles, copy premium.css. You can do this with any files in the base theme. As they are copied to the new theme folder, the theming engine will pull the modified files from the 'viayoga' folder while still using the unchanged files from the 'base' theme.

You can give a name to the theme in two ways:

Adding a file called themeinfo.xml and specifying the name in it (see below).

Leave it like this, and the name will come from the folder name (in this case, “viayoga”).

Restart IIS so OWA automatically picks up the new theme.

Themeinfo.xml

The syntax of this optional file is very simple:

<theme displayname="theme name"/>

If present, the value of the displayname attribute is used as the name of the theme.

The themes we ship with contain a macro like this:

<theme displayname="$$_BASE_$$"/>

…which we use internally to map to localized strings.
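The install steps and the themeinfo.xml file above can be done in one go. The following is an added example, not from the original post or from Microsoft: it creates a theme folder that overrides only the listed base files and writes the display name into themeinfo.xml. It assumes the default Exchange 2007 install path; adjust $OwaRoot if yours differs.

```powershell
# Added example, not from the original post. Creates an OWA 2007 theme folder that
# overrides only the named files from the base theme and writes themeinfo.xml.
$OwaRoot = 'C:\Program Files\Microsoft\Exchange Server\ClientAccess\Owa'   # assumed default path

function Get-OwaThemesPath {
    # OWA keeps a versioned folder (e.g. 8.1.240.5) under Owa; themes live beneath it.
    # Pick the highest version in case an older one was left behind by an upgrade.
    $ver = Get-ChildItem $OwaRoot | Where-Object { $_.PSIsContainer -and $_.Name -match '^\d+(\.\d+)+$' } |
           Sort-Object { [version] $_.Name } | Select-Object -Last 1
    if ($ver -eq $null) { throw "No versioned OWA folder under $OwaRoot" }
    return Join-Path $ver.FullName 'themes'
}

function New-OwaTheme([string] $Name, [string] $DisplayName, [string[]] $Files) {
    $themes = Get-OwaThemesPath
    $base   = Join-Path $themes 'base'
    $target = Join-Path $themes $Name
    if (Test-Path $target) { throw "Theme folder $target already exists" }
    New-Item -ItemType Directory -Path $target | Out-Null

    foreach ($f in $Files) {
        $src = Join-Path $base $f
        # Only files that exist in base are themeable; anything else is never served.
        if (-not (Test-Path $src)) { throw "$f is not part of the base theme" }
        Copy-Item $src (Join-Path $target $f)
    }

    # themeinfo.xml is optional; the display name is rendered on the Options page,
    # so escape it rather than pasting it into the XML raw.
    $escaped = [System.Security.SecurityElement]::Escape($DisplayName)
    $xml = '<theme displayname="' + $escaped + '"/>'
    Set-Content -Path (Join-Path $target 'themeinfo.xml') -Value $xml -Encoding UTF8
    return $target
}

$folder = New-OwaTheme -Name 'viayoga' -DisplayName 'Via Yoga' `
                       -Files @('premium.css', 'logopt.gif', 'logopb.gif', 'nbbkg.gif')
Write-Host "Theme created in $folder. Edit the copied files, then run: iisreset /noforce"
```

The theme folder is served to every OWA user, so keep its permissions the same as the base folder (writable by administrators only); anyone who can write premium.css there can change what every Premium OWA session renders.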

How to create themes

First, start by setting up the theme without changing any files. Create a new folder under themes (call it ‘test theme’), then copy premium.css, logopt.gif, logopb.gif and nbbkg.gif (the files for the top banner “brand bar”) to begin with, which are probably the first files that you will be editing for your theme.

Changing the top banner can be done most easily using a solid color or a vertical gradient similar to what is already in place. Your custom nbbkg.gif (repeating background image) can be any width but must remain the same height.

If you want to include a more complex or interesting image as your background, be sure to create the right and left edges as a mirror so that the strip meets when it repeats and appears as a single image so it will work on a variety of screen resolutions. Or, you can create one long image for the target width you’d like to support.

Looking at these files in an image editing tool, you can see that logopt.gif and logopb.gif are the top and bottom of the OWA logo including a background, and nbbkg.gif is a gif that repeats as the background.

We split the images up so that we can add "Connected to Microsoft Exchange" as a live text string that can be localized into different languages. You can create one image and remove this string by editing the style sheet: add "display:none" to the tdLogoB class, save your image as one piece, 238 x 49 pixels, and edit the height of the image here:

td.tdLogoT
{
    width:238;
    height:49;
    background:url("logopt.gif") no-repeat
}

td.tdLogoB
{
    vertical-align:top;
    height:16;
    padding-left:42;
    font-size:7pt;
    font-family:tahoma;
    color:#EEEEEE;
    background:url("logopb.gif") no-repeat;
    display:none;
}

Example theme

As an example, we created a theme for a Seattle yoga company that provides yoga retreats and surfing lessons in Mexico (yes, you should go!).

We removed the “Connected to…” string by editing the style sheet as shown above. You can see how it looked before and after editing the style sheet and adjusting the images slightly. The background image is simply filled with a solid, bold color. The resulting background image - nbbkg.gif - only needs to be 1 pixel wide.

Changing colors and other styles in premium.css is the tricky part:

Use an image editing tool like Photoshop or Paint Shop Pro to take screenshots and sample the colors you want to change. For instance, to change the yellow of the selected module in the secondary navigation:

First, obtain the HTML RGB value (#RRGGBB) for that yellow: it is #FFEFB2.

Then look for this in premium.css:

/* NavBar buttons selection color */
a.nbHiLt
{
    background-color:#FFEFB2;
}

Here is the tricky part. In debug builds we know this is the right color because in most cases there is a comment above the style, and as OWA developers we also have the source to verify it. Without access to, or familiarity with, the source code this is trial and error: guess from the class name whether this is the right style (hard, because the names are shortened and not easy to decipher unless you are an OWA dev), apply the change, refresh your browser and see if you were lucky.

Continue changing the colors until the theme is starting to look right to you. For some pieces of the interface, there are two values specified for each end of a gradient, when a lighter color blends into a darker color. These work best with lighter hues of colors.

When creating your theme, you may find a color and want to do a straight find and replace action on the entire style sheet file. Be careful when doing this. For the areas defined as gradients (Find = “gradient” to see all the instances of these) you might accidentally change all the light grays to your new highlight color. Try saving and refreshing your build with your new theme selected in Options > General Settings > Appearance in order to make sure you’ve changed only the intended elements.
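A safer way to recolor than a global find and replace is to restrict the substitution to the selector blocks you actually mean. The following is an added example, not from the original post: it rewrites a color only inside the named rules of premium.css and reports how many occurrences a blind replace would have touched. The file path and colors are placeholders; it writes a .bak copy before changing anything.

```powershell
# Added example, not from the original post. Replaces a color only inside the named
# selector blocks of premium.css, leaving gradient definitions elsewhere untouched.
function Set-OwaCssColor([string] $Path, [string[]] $Selectors, [string] $OldColor, [string] $NewColor) {
    $css = [System.IO.File]::ReadAllText($Path)
    Copy-Item $Path "$Path.bak" -Force

    $colorRx = '(?i)' + [regex]::Escape($OldColor)
    # How many places a blind find/replace would have hit, for comparison.
    $blindHits = [regex]::Matches($css, $colorRx).Count

    $changed = 0
    foreach ($sel in $Selectors) {
        # One rule: the selector at the start of a line (optionally followed by more
        # comma-separated selectors), then its { ... } block. premium.css has no nested
        # braces, so [^}]* is sufficient.
        $pattern = '(?m)^' + [regex]::Escape($sel) + '\s*(,[^{]*)?\{[^}]*\}'
        $ruleRx  = New-Object System.Text.RegularExpressions.Regex -ArgumentList $pattern
        $hits = $ruleRx.Matches($css)
        # Walk matches from last to first so earlier offsets stay valid after edits.
        for ($i = $hits.Count - 1; $i -ge 0; $i--) {
            $m = $hits[$i]
            $newRule = [regex]::Replace($m.Value, $colorRx, $NewColor)
            if ($newRule -ne $m.Value) {
                $css = $css.Substring(0, $m.Index) + $newRule + $css.Substring($m.Index + $m.Length)
                $changed++
            }
        }
    }
    [System.IO.File]::WriteAllText($Path, $css)
    Write-Host "Rules changed: $changed (a global find/replace would have touched $blindHits occurrences)"
    return $changed
}

# Mail-list selection (tr.sel, tr.srsel and tr.lrsel share one rule) and the navbar highlight.
Set-OwaCssColor -Path 'C:\owa\themes\viayoga\premium.css' -Selectors @('tr.sel', 'a.nbHiLt') `
                -OldColor '#FFEFB2' -NewColor '#E48310'
```

Keep the infobar rules (div#divIB ...) out of the selector list: they share the #FFEFB2 value on purpose and, as noted below, should not be recolored.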

We don't recommend changing the colors of the red and yellow informational messages that appear at the top of message forms, alerting users to potentially harmful content, phishing attacks, viruses and blocked or missing content. Users learn to recognize these colors, and a theme that blends them in weakens the warning. We call these "infobars" (non-phishing, yellow #FFEFB2) and "error infobars" (errors and phishing alerts, light red #FFAEB9). There is also an infobar for meeting conflicts on meeting invitations:

/* Non-phishing infobar messages */
div#divIB div#dvExp, div#divIB div#dvInf, div#divIB div#dvExpErr, div#divIB div#dvErr,
div#divIB div#dvJnkMl
{
    margin:2 0;
    padding:1 3;
    background-color:#FFEFB2;
    border:solid 1 #FDD981;
}

/* Phishing */
div#divIB div#dvPhsh
{
    padding:1 3;
    background-color:#FFAEB9;
    border:solid 1 #FF99CC;
}

Main Selection Colors

Selection in mail list is probably one of the most important highlight colors. This is the color over the selected message which tells users what item they are currently reading. There is a primary color to indicate focus and a secondary highlight color that is slightly lighter to show selection when the focus moves away from the item, like the currently selected folder or the current day in the Calendar. For each theme, these two colors are the same color that we use for the primary and secondary highlight colors.

Shown below, the primary color is on the left, the secondary color on the right. You can see the difference is quite subtle.

In the premium.css style sheet, this highlight in the mail list is specified as:

tr.sel, tr.srsel, tr.lrsel
{
    background-color: #FFEFB2;
    color:#000000;
}

tr.shdw, tr.srshdw, tr.lrshdw
{
    background-color:#F8F0D2;
}

Icons

In order to change icons, the process is quite similar, find out which icon it is you want to change in your theme, copy it to your theme folder and then change it there. Then verify the change in the product with your new theme name selected. We use .gif files with transparent backgrounds. Make sure to keep the image sizes unchanged.

Customize the Logon Screen

To customize the logon (and log off) screen, update the images and the background color to create a custom look. You can create your own custom look and feel by updating the image files that create the logon screen. Note that the logon screen cannot be customized per theme since the user needs to enter their credentials and be authenticated prior to accessing their own user settings (theme selection) for each session. Therefore, you’ll need to directly manipulate the files in the base folder starting with the style sheet “logon.css” and the images that create the border and the main logo for the screen.

The screen is made up of several images for the border top, bottom, sides and also includes repeating images and corners for expansion. The images that create the logon screen are:

lgnbotl.gif
lgnbotm.gif
lgnbotr.gif
lgnexlogo.gif
lgnleft.gif
lgnright.gif
lgntopl.gif
lgntopm.gif
lgntopr.gif

To create a new look and feel, using a solid color is easiest since the screen uses the same collection of images for several screens and resizes horizontally and vertically based on the contents for each screen: logon, language selection (shown on the first logon per mailbox), and the log off screen that’s shown each time the user presses the Log Off button.

Before changing the images, back up the image files so you can revert to the original configuration. Start by opening the Microsoft Outlook Web Access logo (lgntopl.gif) and replacing it with your own company logo.

The new image files fit together on the logon screen the same way the originals do: corner tiles, repeating top, bottom and side strips, and the logo in the top-left tile.

Logon Screen: background color

Editing the logon.css is necessary if you want to change font styles and other colors, including the background color that exists behind the controls in the middle of the screen. Currently the background color is specified as #7F90B1. For our custom logon for Via Yoga, we need to replace this with orange #E48310 for the area behind the controls that is not colored by the other images.

Logon Screen: active text color

The active text color on the existing OWA logon screen is yellow: #F8D328 since that stood out best on the blue background as a secondary font color. We’ll want to change this for Via Yoga, but we still want the primary white text to come into focus first so we’ll leave all that text white. We’ll change the active text to the same blue used elsewhere in this theme to indicate that something is active or “clickable.” That blue RGB value is #266CBC. Do a find and replace to make this color change in the logon.css.

Logon Screen: final details

After logging off, this is looking pretty good, but the lines used to separate text and form elements are hard to see in the existing gray #A9AAC4. Open the logon.css file and find that color value. Change it to something a little lighter than your background but darker than the text so that the text still stands out as the most important information on the screen. We replaced the gray with a light orange RGB value #FFC279.

Voila - looks good:

posted by: Myke Reinhold
Info credit: Jorge Pereira and DJ Schwend

Applying Managed Folder Mailbox Policies via LDAP Filters

In Exchange 2003 Mailbox Manager Policies could be applied to subsets of mailboxes using LDAP filters the same way Recipient Policies were applied. 

In Exchange 2007 this behavior changed. Mailbox Manager Policies are now called Managed Folder Mailbox Policies and they are assigned per user. This new methodology allows more granularity and eliminates some of the confusion about which policy is being applied.

However, in some cases the ability to apply these policies via LDAP filters is desired and the change is cumbersome.  If you prefer the filtered method for applying policies, you can write a script using the PowerShell function below:

function Apply-FilteredManagedFolderMailboxPolicies ($LDAPFilter, $ManagedFolderMailboxPolicy)
{
    # Search the current domain (default naming context) with the supplied LDAP filter.
    $root = [ADSI]""
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter = $LDAPFilter
    # Paging is needed to get past the server's 1000-result limit.
    $searcher.PageSize = 500
    $users = $searcher.FindAll()
    foreach ($user in $users)
    {
        $UserDN = [String] $user.Properties["distinguishedname"][0]
        if ($UserDN -notlike "*SystemMailbox*")
        {
            $mailbox = Get-Mailbox $UserDN -ErrorAction SilentlyContinue
            # Only mailboxes on Exchange 2007 servers can carry a Managed Folder policy.
            if ($mailbox -ne $null -and $mailbox.RecipientTypeDetails -ne "LegacyMailbox")
            {
                Write-Host "Updating: $UserDN"
                Set-Mailbox -Identity:$UserDN -ManagedFolderMailboxPolicy:$ManagedFolderMailboxPolicy -ManagedFolderMailboxPolicyAllowed:$true
            }
        }
    }
}

This function will search your current domain for user accounts that match the supplied LDAP filter.  For each user returned, the account is checked to ensure that the mailbox is hosted on an Exchange 2007 server and will set the Managed Folder Mailbox Policy as desired.

Combining with the LDAP filters you have already created for your existing Mailbox Manager Policies, you can easily write a script to apply the appropriate policies via filters.

# Usage:
# Apply-FilteredManagedFolderMailboxPolicies $LDAPFilter $PolicyName

# Default policy
Apply-FilteredManagedFolderMailboxPolicies "(&(&(& (mailnickname=*) (| (&(objectCategory=person)(objectClass=user)(|(homeMDB=*)(msExchHomeServerName=*))) ))))" $null

# Delete after 180 days policy
Apply-FilteredManagedFolderMailboxPolicies "(&(&(&(& (mailnickname=*) (| (&(objectCategory=person)(objectClass=user)(|(homeMDB=*)(msExchHomeServerName=*))) )))(objectCategory=user)(memberOf=CN=Delete After 180 Days,CN=Users,DC=domain,DC=com)))" "180 day policy"

When writing the script, remember that the precedence of your policies should be lowest to highest.  The first policy you should apply should be your default policy (or $null if you don’t want one) and the last policy should be your most restrictive filter with the highest precedence.

In this example, the default action is to assign no policy.  The “180 day policy” is applied to the members of the “Delete After 180 Days” group.

When using groups to apply policies, remember that your script must include a default policy: once a user is removed from the defined group, the policy already applied to that user is then reset to the default.
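As an added example (written for this page, not code from the original post), the precedence rule above can be made explicit by keeping the filter/policy pairs in an ordered table and applying them lowest precedence first, so the last matching entry wins for any user.  The function names, the shortened placeholder LDAP filters and the -WhatIf dry run are assumptions of this example; the policy names and group DN are the placeholders used in the post.

```powershell
# Added example: apply Managed Folder Mailbox Policies in precedence order (lowest first)
# with an optional dry run.  Not part of the original post; filters and names are placeholders.
function Get-FilteredMailboxDNs ([string]$LDAPFilter)
{
    # Search the current domain and return distinguished names, skipping system mailboxes
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"")
    $searcher.Filter   = $LDAPFilter
    $searcher.PageSize = 500
    foreach ($result in $searcher.FindAll())
    {
        $dn = [string]$result.Properties["distinguishedname"][0]
        if ($dn -notlike "*SystemMailbox*") { $dn }
    }
}

function Apply-PolicyPrecedence ($PolicyTable, [switch]$WhatIf)
{
    # $PolicyTable is an ordered array of @{Filter=...; Policy=...} entries, lowest precedence
    # first, so a later entry overrides an earlier one.  Returns one summary row per entry.
    foreach ($entry in $PolicyTable)
    {
        $policy = $entry.Policy
        $count  = 0
        foreach ($dn in Get-FilteredMailboxDNs $entry.Filter)
        {
            $mailbox = Get-Mailbox $dn
            # Only Exchange 2007 mailboxes can carry a Managed Folder Mailbox Policy
            if ($mailbox -eq $null -or $mailbox.RecipientTypeDetails -eq "LegacyMailbox") { continue }
            Set-Mailbox -Identity:$dn -ManagedFolderMailboxPolicy:$policy -ManagedFolderMailboxPolicyAllowed:$true -WhatIf:$WhatIf
            $count++
        }
        $row = New-Object PSObject
        $row | Add-Member NoteProperty Policy    $policy
        $row | Add-Member NoteProperty Mailboxes $count
        $row
    }
}

# Placeholder filters: the first entry is the default (no policy) and must match every
# mailbox user; later entries narrow the scope and override it.
$policies = @(
    @{ Filter = "(&(objectCategory=person)(objectClass=user)(mailnickname=*)(|(homeMDB=*)(msExchHomeServerName=*)))"; Policy = $null },
    @{ Filter = "(&(objectCategory=person)(objectClass=user)(mailnickname=*)(memberOf=CN=Delete After 180 Days,CN=Users,DC=domain,DC=com))"; Policy = "180 day policy" }
)

# Dry run first; drop -WhatIf once the per-policy mailbox counts look right
Apply-PolicyPrecedence $policies -WhatIf | Format-Table -AutoSize
```

Because the default entry is applied to every mailbox on each run, a user who leaves the “Delete After 180 Days” group falls back to the default on the next run without any extra clean-up step.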

About LDAP Filters

To get the LDAP filters used with existing Mailbox Manager policies, simply open the policy and copy the text in the Filter Rules: text box.   Paste this filter, enclosed in quotes, into your script and you will be good to go.

If you want to manually create your own LDAP search string you can use the information at Creating an LDAP Search String to get you started.

If you prefer the GUI method, open Active Directory Users and Computers, right-click the Saved Queries folder, select New, and then Query. Click the Define Query box and select Users, Contacts, and Groups from the drop-down box. On the Advanced tab, select the attribute you would like to use for the filter from the Field box.  At the very minimum you should add the following filters to start:

Field                         Condition      Value
User: E-Mail Address          Starts with    *
User: Exchange Home Server    Starts with    *

Scheduling the Script

To ensure user policies are updated correctly based upon the filters, you must schedule this script to run some time before the Managed Folder Assistant runs on the servers.  Since the assistant runs daily at 5am, the script should run daily at 3am.

posted by: Myke Reinhold
Info credit: Nick Smith

Exchange 2007 SP1 ActiveSync issues

ActiveSync Default Policy

Exchange 2007 RTM would allow you to assign ActiveSync policies on a per user level.  Exchange 2007 SP1 added the ability to define an ActiveSync policy as a default policy for all users.  You can read more about this and other changes to ActiveSync in SP1 on the “What’s New for Exchange ActiveSync Mailbox Policies in Exchange Server 2007 SP1?” post on the Exchange team blog.

However, if your environment does not utilize ActiveSync policies you should be aware that the default policy will be applied to all users after upgrading to SP1.  The default policy is pretty vanilla and would not really impose any configuration changes on mobile devices.  However, users will be prompted to apply required security settings before syncing.  The following Exchange Management Shell command can be used to prevent the default policy from being applied to all users, thus preventing the prompt on mobile phones.

Set-ActiveSyncMailboxPolicy Default -IsDefaultPolicy:$false

**Note: Each time a CAS server is upgraded this policy will be re-enabled as the default.

Load Balancer SSL Offloading

If you have multiple CAS servers and are using SSL offloading on your hardware load balancers, you should be aware that installing SP1 will re-enable the SSL requirement at the root level of the “Default Web Site”. This will likely prevent the ‘http listener’ from detecting that your CAS servers are available, and OWA access will be unavailable.

To resolve this, edit Secure communications on the Directory Security tab of the “Default Web Site”.  Uncheck the Require secure channel (SSL) checkbox.

**Note: The option is also re-enabled when running the Enable-ExchangeCertificate cmdlet to apply a new certificate to IIS.
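Since both settings come back after every CAS upgrade and after Enable-ExchangeCertificate, a post-upgrade check script is worth having.  The following is an added example for the Exchange 2007 Management Shell, not code from the original post; the IIS 6 WMI provider (namespace root\MicrosoftIISv2, class IIsWebVirtualDirSetting with its AccessSSL property) and the metabase path W3SVC/1/ROOT for the Default Web Site are assumptions about the server, so verify them against your own IIS installation.

```powershell
# Added example (not from the original post): report the two settings that SP1 / CAS
# upgrades and Enable-ExchangeCertificate reset, without changing anything by default.
function Get-DefaultActiveSyncPolicies
{
    # Returns every ActiveSync policy flagged as the default (ideally none if you do not use them)
    Get-ActiveSyncMailboxPolicy | Where-Object { $_.IsDefaultPolicy -eq $true }
}

function Test-DefaultWebSiteRequiresSSL
{
    # Assumption: IIS 6 WMI provider is present and the Default Web Site is site 1 (W3SVC/1/ROOT)
    $root = Get-WmiObject -Namespace "root\MicrosoftIISv2" -Class IIsWebVirtualDirSetting -Filter "Name='W3SVC/1/ROOT'"
    if ($root -eq $null) { return $null }   # could not read the metabase entry
    return [bool]$root.AccessSSL
}

$defaults = @(Get-DefaultActiveSyncPolicies)
if ($defaults.Count -gt 0)
{
    foreach ($p in $defaults) { Write-Host "ActiveSync policy '$($p.Name)' is flagged as IsDefaultPolicy" }
    # Uncomment to clear the flag (same cmdlet as in the post):
    # $defaults | ForEach-Object { Set-ActiveSyncMailboxPolicy $_.Identity -IsDefaultPolicy:$false }
}
else
{
    Write-Host "No ActiveSync policy is flagged as the default"
}

$requiresSsl = Test-DefaultWebSiteRequiresSSL
if ($requiresSsl -eq $null)
{
    Write-Host "Could not read the Default Web Site root from the IIS metabase"
}
elseif ($requiresSsl)
{
    Write-Host "Default Web Site root requires SSL again: uncheck it if the load balancer offloads SSL"
}
else
{
    Write-Host "Default Web Site root does not require SSL"
}
```

Run it on each CAS server after an upgrade or certificate change; the Set-ActiveSyncMailboxPolicy line is left commented so the script only reports until you decide to act.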

posted by: Myke Reinhold
info collected at: Nick’s Unified Communications and Scripting Blog

Secure mobile devices in Exchange 2003

The device security policies are configured within the same place as the other mobile device related settings, and that is under the Property page of the Mobile Services object in the Exchange System Manager.  When you click the Device Security button you get to the page where you configure the different Device Security Settings.

As the device security settings are global, it’s rather important you know the exact purpose of each setting. I’ve therefore listed all of them with a description in the table below.

Device Security Setting: Description

Enforce password on device
    Activates the device password policy. None of the device security settings will work before this feature has been enabled.

Minimum password length (characters)
    Enable this option to specify the required length of the user’s device password. The default setting is 4 characters. You can specify a password length of 4 to 18 characters.

Require both numbers and letters
    Enable this option if you want to require that users choose a password with both numbers and letters. This option is not selected by default.

Inactivity time (minutes)
    Enable this option to specify if you want your users to log on to their devices after a specified number of minutes of inactivity. This option is not selected by default. If selected, the default setting is 5 minutes.

Wipe device after failed (attempts)
    Enable this option to specify if you want the device memory wiped after multiple failed logon attempts. This option is not selected by default. If selected, the default setting is 8 attempts.

Refresh settings on the device (hours)
    Enable this option to specify how often you want to send a provision request to devices. This option is not selected by default. If selected, the default setting is every 24 hours.

Allow access to devices that do not fully support password settings
    Select this option if you want to allow devices that do not fully support the device security settings to synchronize with Exchange Server. This option is not selected by default. If this option is not selected, devices that do not fully support device security settings (for example, devices that do not support provisioning) will receive a 403 error message when they attempt to synchronize with Exchange Server.

In addition to the settings in the table, there’s also an Exceptions button (see Figure 3.) After clicking this button you can specify the users who you want to be exempt from the settings that you have configured in the Device Security Settings dialog box. This exceptions list can be useful if you have specific trusted users (or perhaps managers!) of whom you do not need to require device security settings.

Be sure you don’t configure a device security policy that is too strict, as this could end up with frustrated users erasing their devices all the time. Also remember a user in some situations could have problems contacting the IT department if his device has just been erased. Users are already used to four-digit numbers (among other things from their credit cards) so requiring a four-digit number would in most situations be a good idea. Actually the best solution would be to use a four-digit number in combination with a reasonably configured wipe device after failed attempts setting to make sure you don’t become unpopular.

So where are all the device security settings stored? Almost all the values configured under the device security settings page are stored in Active Directory, more specifically in an attribute called msExchOmaExtendedProperties, which can be found under CN=Outlook Mobile Access,CN=Global Settings,CN=Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=com using a tool such as ADSI Edit.

If you select the msExchOmaExtendedProperties attribute and click the Edit button you get to the screen shown in Figure 5 below.


As you can see, all the device security related values are stored in a string prefixed PolicyData. The values are encoded between the <wap-provisioningdoc> tags. Because this is nothing more than an XML blob, you have the possibility of provisioning your own custom policies by specifying the required values in an XML format similar to this one. It would have been nice to be able to set these policies per user via the GUI, but for now the only way to configure these settings on a per-user basis is to configure the msExchOmaExtendedProperties attribute on each user, and that’s not exactly a friendly method, is it? The good thing is I’ve heard Microsoft will make it possible to configure these settings per user, using GPOs or a similar approach; the bad thing is this won’t be before Exchange 12 RTMs.
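To audit what the organization-wide policy actually provisions, rather than reading it through ADSI Edit, the following added example (not code from the original post) binds to the Outlook Mobile Access object described above, pulls the PolicyData value out of msExchOmaExtendedProperties and lists every provisioning parameter in the embedded <wap-provisioningdoc> document.  It assumes the Exchange organization name is passed in, that the configuration naming context can be found through RootDSE, and that the attribute value is a string beginning with PolicyData that contains the XML document, as the post describes; the function names are mine.

```powershell
# Added example (not from the original post): read the global Exchange 2003 device security
# policy from Active Directory and list the <parm> entries of the embedded provisioning XML.
function Get-ExchangeOmaDevicePolicy ([string]$OrganizationName)
{
    # Locate the configuration naming context via RootDSE instead of hard-coding DC=domain,DC=com
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $configNC = $rootDse.configurationNamingContext
    $path = "LDAP://CN=Outlook Mobile Access,CN=Global Settings,CN=$OrganizationName,CN=Microsoft Exchange,CN=Services,$configNC"
    $oma  = [ADSI]$path

    $policyXml = $null
    # The attribute is multi-valued; only the value prefixed "PolicyData" carries the policy
    foreach ($value in $oma.msExchOmaExtendedProperties)
    {
        $text = [string]$value
        if ($text.StartsWith("PolicyData"))
        {
            # Keep only the XML document itself, from the opening tag to the closing tag
            $closeTag = "</wap-provisioningdoc>"
            $start = $text.IndexOf("<wap-provisioningdoc")
            $end   = $text.LastIndexOf($closeTag)
            if ($start -ge 0 -and $end -gt $start)
            {
                $policyXml = $text.Substring($start, $end + $closeTag.Length - $start)
            }
        }
    }
    return $policyXml
}

function Get-ProvisioningParameters ([string]$Xml)
{
    # Flatten every <parm> element to a (Characteristic, Name, Value) row.  OMA client
    # provisioning documents nest <parm> elements inside typed <characteristic> elements.
    $doc = [xml]$Xml
    foreach ($parm in $doc.SelectNodes("//parm"))
    {
        $row = New-Object PSObject
        $row | Add-Member NoteProperty Characteristic $parm.ParentNode.GetAttribute("type")
        $row | Add-Member NoteProperty Name  $parm.GetAttribute("name")
        $row | Add-Member NoteProperty Value $parm.GetAttribute("value")
        $row
    }
}

# Usage ("Organization" is a placeholder for your Exchange organization name):
$xml = Get-ExchangeOmaDevicePolicy "Organization"
if ($xml -eq $null)
{
    Write-Host "No PolicyData value found: device security has probably not been enabled yet"
}
else
{
    Get-ProvisioningParameters $xml | Format-Table -AutoSize
}
```

Reading the policy back this way is a useful check after changing the Device Security Settings dialog, since the values shown in the table above are exactly what should turn up as parameters here; the same functions can be pointed at a user object if you have set msExchOmaExtendedProperties per user.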

When you have configured and enabled the device security settings on the server, the dialog box shown below will appear on the device during the next synchronization with the server.

After clicking OK you need to specify and confirm the PIN or password you want to use. The PIN or password needs to be entered every time the device is unlocked or after you have issued a cold reset. If an incorrect password is entered, perhaps because one of your kids was playing with the device or if you forgot to lock the keypad while the device was in your pocket, you’ll get a message similar to the one below:

The password you typed is incorrect. Please try again. 1/5 attempts have been made.

This of course depends on how many allowed attempts you have specified under Wipe device after failed option in your Device Security Settings (refer back to Figure 2).

After the second failed attempt you’ll be notified that several incorrect passwords have been entered. In order to confirm the login attempt is not due to accidental button presses, you’re asked to enter A1B2C3 or something similar (depending on how the mobile provider configured this in the specific build). When you have entered these characters you’ll once again have the option of specifying your device password. Should you for some reason manage to enter it incorrectly once again, you’re faced with the incorrect password dialog box again. Before the last available attempt you’ll be informed that all information on the device will be erased after the next unsuccessful password attempt. An erase (similar to a local wipe) will clear out all memory on the device, i.e. the device will be reset back to its factory defaults. Bear in mind, though, that data on the storage card in the device will remain intact. You can argue whether this is a good design decision or not; personally I think this is a major security risk factor, especially because you can configure the device to store e-mail message attachments on the storage card!

Note:
If you know for a fact that a device has been lost or stolen, you can also initiate a remote wipe of the device; a remote wipe wipes the device immediately. We’ll talk more about this possibility in part 3 of this article series.

If you want to change your PIN or password, you do so by clicking Start > Settings > Lock.

You’ll now need to enter your current PIN or password in order to access the change password feature. When you have done so, you’ll get to the screen shown below.

It’s also interesting to note that a locked device connected to a PC with a USB cable won’t be accessible either; instead you’ll be faced with the dialog box shown below.

Posted by: Travis Sarbin
Tested by: Myke Reinhold
