Exchange online – Outlook having issues

If you have issues connecting to your Office 365 mailbox through Outlook, or some of your users are complaining about issues with their Outlook, then you are not alone.

It seems a few customers are affected by issues with Exchange Online services; Microsoft is working on it.


Update – Although the issue is not completely resolved, some customers have reported that it is working now.

Azure MFA is not working

If you have issues with Azure MFA, you are likely affected by an issue on Microsoft's side. Please check the Message Center in Office 365 to confirm, or call Microsoft.


This has been resolved completely. If you still face issues, then it's time to log them with Microsoft.


We are back with the MFA issue again. MS is working on it.

VJ

NPS Extension for MFA – All you need to know

The NPS extension for MFA lets you use Azure MFA for VPN connectivity. Although Microsoft's documentation is straightforward in explaining how it works and how to configure it, there isn't much other information online.

Let's assume that you have a RADIUS server and a VPN device:

  1. Lab-DCRadius (the NPS/RADIUS server)
  2. Cisco-ASA (the VPN device, configured as a RADIUS client)


  • I have configured Cisco-ASA to use Lab-DCRadius. On the NPS server, I have configured Cisco-ASA as a RADIUS client to accept connections.
  • Test the VPN using Cisco AnyConnect to LabVPN.Lab.com.

The following diagram illustrates the flow. (The registry keys described below play the role of handing the secondary authentication over to Azure MFA.)

[Diagram: authentication flow]

Once you confirm that the VPN is working, install the NPS extension from here. There are two versions, 1.0.1.16 and 1.0.1.20 (1.0.1.21 is available, but only on request from Microsoft).

To make sure Azure MFA accepts requests from the NPS server, once you have installed the extension you have to run the script that comes with it:

  • Run Windows PowerShell as an administrator.
  • Change directories.
  • cd "C:\Program Files\Microsoft\AzureMfa\Config"
  • Run the PowerShell script created by the installer.

.\AzureMfaNpsExtnConfigSetup.ps1

  • Sign in to Azure AD as an administrator.
  • PowerShell prompts for your tenant ID. Use the Directory ID GUID copied from the Azure portal.
  • PowerShell shows a success message when the script is finished.

 

What this script does:

  1. Sets some registry values.
  2. Creates a self-signed certificate on your server and uploads the certificate to Azure.

To verify, check the following registry keys:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AzureMfa


  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AuthSrv\


To verify the certificate,

Local Certificate

  1. Open MMC -> File -> Add/Remove Snap-in -> Certificates -> Local Computer, and click OK.
  2. Navigate to Certificates -> Personal -> Certificates.

You will find a certificate with the tenant Id.

  1. Go to the properties of the certificate; under the Details tab, look for Thumbprint and copy it somewhere.
  2. Now open the Azure module for Windows PowerShell.
  3. Run the command in the screenshot.

[Screenshot: MSOL PowerShell command and its output]

  1. Copy the value into Notepad and save it as a .cer file (if you have more than one cert, you might see more values; copy each one into a separate file and save it as .cer).
  2. Now open the saved .cer file.
  3. Under the Details tab, look for the Thumbprint property.

Compare these two thumbprints and make sure they match.
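The thumbprint comparison above can be scripted so the copy-and-paste into Notepad is not needed. This is an added example, not code from the original post or from Microsoft's extension; it assumes the MSOnline module is installed and Connect-MsolService has been run, that the local certificate's subject contains the tenant ID, and that the Azure Multi-Factor Auth Client app ID shown (taken from Microsoft's NPS extension documentation) is still current.

```powershell
# Added example: compare local NPS extension certificates with those registered
# on the Azure MFA service principal. Assumes Connect-MsolService has been run.
param(
    [Parameter(Mandatory)] [string] $TenantId,
    # App ID of the "Azure Multi-Factor Auth Client" service principal, as given in
    # Microsoft's NPS extension documentation; confirm it against the current docs.
    [string] $AppPrincipalId = '981f26a1-7f43-403b-a875-f8b09b8cd720'
)

# 1. Local certificates created by AzureMfaNpsExtnConfigSetup.ps1. Their subject
#    is the tenant ID (assumption), so filter the machine's Personal store on it.
$local = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like "*$TenantId*" })
if ($local.Count -eq 0) {
    throw "No NPS extension certificate for tenant $TenantId found in Cert:\LocalMachine\My"
}

# 2. Certificates registered in Azure AD. Each asymmetric credential's Value is the
#    base64 DER certificate, so decode it to get a comparable thumbprint.
$remote = @(Get-MsolServicePrincipalCredential -AppPrincipalId $AppPrincipalId -ReturnKeyValues $true |
    Where-Object { $_.Type -eq 'Asymmetric' -and $_.Value } |
    ForEach-Object {
        $bytes = [Convert]::FromBase64String($_.Value)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)
    })

# 3. For every local certificate, report whether Azure AD knows it and when it expires
#    (the extension certificate is valid for two years and must be renewed before that).
$local | ForEach-Object {
    [pscustomobject]@{
        Thumbprint      = $_.Thumbprint
        NotAfter        = $_.NotAfter
        DaysUntilExpiry = [int]($_.NotAfter - (Get-Date)).TotalDays
        InAzureAD       = ($remote.Thumbprint -contains $_.Thumbprint)
    }
} | Format-Table -AutoSize

# 4. Certificates Azure AD still trusts but which are not on this server: uploads
#    from other NPS servers or left over from earlier registrations. Review them.
$unknown = @($remote | Where-Object { $local.Thumbprint -notcontains $_.Thumbprint })
if ($unknown.Count -gt 0) {
    Write-Warning ("Registered in Azure AD but not present on this server: " +
        (($unknown | ForEach-Object { "$($_.Thumbprint) (expires $($_.NotAfter.ToShortDateString()))" }) -join '; '))
}
```

Run it on each NPS server with its tenant ID; a certificate that shows InAzureAD = False is the registration failure described in the gotchas below.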

Gotchas

  1. What if registration fails? This usually happens if your AD account doesn't have access to the local certificate store or to the Azure portal (Global Admin is required to upload the cert).
  2. How do I disable MFA on one of the NPS servers to test it?
  • You can disable MFA on an NPS server. This is essential when troubleshooting to narrow down which NPS server is having the issue. To disable MFA on an NPS server without de-registering it:
  • Navigate to the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AuthSrv\Parameters and empty the following values:
    • AuthorizationDLLs
    • ExtensionDLL
  • This stops NPS from looking for secondary auth.
  3. How do I renew the certificate when it expires?
  • The certificate usually has 2 years of validity. You can renew it by simply running AzureMfaNpsExtnConfigSetup.ps1 again.
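The registry verification earlier in this post and the disable-MFA gotcha above can be checked together. This is an added example, not part of the original post; it only reads the registry and assumes the value names under AuthSrv\Parameters are AuthorizationDLLs and ExtensionDLL, as described above.

```powershell
# Added example: audit the NPS extension registry state on this server. Read-only.
$mfaKey  = 'HKLM:\SOFTWARE\Microsoft\AzureMfa'
$authKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\AuthSrv\Parameters'

function Test-NpsMfaExtension {
    $report = [ordered]@{}

    # AzureMfa key: written by AzureMfaNpsExtnConfigSetup.ps1 during registration.
    # Show every value under it (names vary by extension version, so read them generically).
    if (Test-Path $mfaKey) {
        $mfa = Get-ItemProperty -Path $mfaKey
        foreach ($prop in $mfa.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }) {
            $report["AzureMfa\$($prop.Name)"] = $prop.Value
        }
    } else {
        $report['AzureMfa'] = '<key missing: extension not registered on this server?>'
    }

    # AuthSrv\Parameters: the two values that hook the extension into NPS. Emptying
    # them is the documented way to switch secondary auth off without de-registering.
    $auth   = Get-ItemProperty -Path $authKey -ErrorAction SilentlyContinue
    $active = $true
    foreach ($name in 'AuthorizationDLLs', 'ExtensionDLL') {
        $values = @($auth.$name | Where-Object { -not [string]::IsNullOrWhiteSpace($_) })
        $shown  = '<empty>'
        if ($values.Count -gt 0) { $shown = $values -join '; ' } else { $active = $false }
        $report["AuthSrv\$name"] = $shown
    }
    $report['SecondaryAuthActive'] = $active
    [pscustomobject]$report
}

$state = Test-NpsMfaExtension
$state | Format-List

# An NPS server in this state answers RADIUS requests with primary (AD) auth only,
# so it should be found and re-enabled as soon as troubleshooting is finished.
if (-not $state.SecondaryAuthActive) {
    Write-Warning "$env:COMPUTERNAME is not loading the Azure MFA NPS extension: VPN logons here are not challenged for MFA."
}
```

Running this across all NPS servers after a troubleshooting session finds any server that was left with secondary auth switched off.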

Known issue.

Recently, I have seen that ver. 1.0.1.20 causes a performance issue. There is a newer version, 1.0.1.21, which fixes the problem.

Exclaimer for Office 365 – Update

Most of my customers use Exclaimer. Ever since Office 365 started rolling out, Exclaimer has offered cloud signatures to support Office 365 customers.

If you have used the on-prem Exclaimer Signature Manager (Exchange Edition) in the past, you must have come across the Policy Tester, which was very handy for troubleshooting.


This Policy Tester was missing in Exclaimer Cloud, which made troubleshooting really difficult.

But Exclaimer seems to have taken the feedback and brought this feature to the cloud as well. It is called "Signature Rules Tester":


https://cloudsupport.exclaimer.com/hc/en-us/articles/360008007993-What-is-the-Signature-Rules-Tester-

VJ

 

Monitoring ADFS through AAD Connect Health Agent

AAD Connect comes with a Health Agent which monitors AAD Connect and logs to Azure AD.

The events can be viewed from portal.office.com: choose Azure Active Directory, then under Manage choose Azure AD Connect.

In the right pane, under Health and Analytics, click Azure Active Directory Connect Health.

Now that we know how AAD Connect is monitored by the AAD Connect Health Agent, the same agent can also be used to monitor the ADFS server and the ADFS proxy server.

To do so,

  1. Download the AAD Connect Health Agent from https://www.microsoft.com/en-us/download/details.aspx?id=48261
  2. Run the setup and make sure you are installing the ADFS agent.
  3. It will prompt you to "Configure now". Click on it.
  4. You will see the following screen.

Make sure you have enabled auditing on the ADFS server to capture those events in the Azure portal.

To do so,

  1. Open Windows PowerShell on the ADFS server.
  2. Run the following command:

auditpol.exe /set /subcategory:"Application Generated" /failure:enable /success:enable

  3. Open the AD FS management console, click "Edit Federation Service Properties", and under the Events tab check all the events.


Once you've done that, events will start showing up in Azure Active Directory Connect Health.
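To confirm both settings from the steps above before waiting for events to appear in the portal, here is an added example (not from the original post); it assumes an elevated PowerShell on the ADFS server with the ADFS module available.

```powershell
# Added example: verify that the ADFS server will emit the audit events Connect Health relies on.
function Test-AdfsAuditConfig {
    # 1. OS audit policy for the "Application Generated" subcategory, i.e. what the
    #    auditpol /set command above changes. /r gives CSV output that is easy to parse.
    $row = auditpol.exe /get /subcategory:"Application Generated" /r |
        Where-Object { $_.Trim() } | ConvertFrom-Csv
    $setting    = $row.'Inclusion Setting'      # expected: "Success and Failure"
    $auditPolOk = ($setting -eq 'Success and Failure')

    # 2. ADFS event logging level, i.e. the Events tab of "Edit Federation Service
    #    Properties". Success and failure audits must both be ticked.
    $props   = Get-AdfsProperties
    $missing = @('SuccessAudits', 'FailureAudits' | Where-Object { $props.LogLevel -notcontains $_ })

    [pscustomobject]@{
        AuditPolicy        = $setting
        AuditPolicyOk      = $auditPolOk
        AdfsLogLevel       = ($props.LogLevel -join ', ')
        MissingAuditLevels = ($missing -join ', ')
        Ok                 = ($auditPolOk -and $missing.Count -eq 0)
    }
}

$result = Test-AdfsAuditConfig
$result | Format-List
if (-not $result.Ok) {
    Write-Warning 'ADFS audit events will not reach Azure AD Connect Health until both settings are enabled.'
}
```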

Of course, you can monitor a lot of events. To know more:

https://docs.microsoft.com/en-us/azure/active-directory/connect-health/active-directory-aadconnect-health-adfs

VJ

 

.Net framework update causes AAD Connect to crash or CPU goes up to 100%

A recent .Net Framework update is causing the AAD Connect server to crash or its CPU utilization to go up to 100%.

Go to Task Manager and check the list of processes. If Microsoft.Online.Reporting.MonitoringAgent.Startup is consuming high CPU, or if you have one of the following updates installed:

  • Windows Server 2008: KB4338420
  • Windows Server 2008 R2: KB4338606
  • Windows Server 2012: KB4054542
  • Windows Server 2012 R2: KB4054566
  • General: KB4054590, KB4338814, KB4338419, KB4338605, KB4345418

Then update your Azure AD Connect Health Agent as soon as possible to avoid or stop a major issue in your infrastructure.

Use the following link to learn how to update it:

https://docs.microsoft.com/en-gb/azure/active-directory/connect-health/active-directory-aadconnect-health-agent-install#download-and-install-the-azure-ad-connect-health-agent

Reference: https://support.microsoft.com/en-gb/help/4346822/high-cpu-issue-in-azure-active-directory-connect-health-for-sync

 

Cannot add new connectors – AADConnect

AAD Connect is very flexible when the organization expands, but at the same time we should make sure AAD Connect is up to date to cope with the changes.

One of the incidents that I've encountered may help others.

Issue : Cannot add new connectors to AAD Connect

I wanted to add a new forest to sync to Azure AD. All these users are going to be in the same Office 365 tenant.

Symptoms:

When I add the connector (the Microsoft way, using the AAD Connect wizard), I get the following error:

E_MMS_SCHEMA_CLASS_NOT_FOUND

When I check the logs:

[Screenshot: log entries showing the schema error]

Troubleshooting:

  • Ports
    • Checked the ports to see if the domain is reachable
    • Made sure the domain name resolves to the right IPs
  • The schema error made me feel that the service account doesn't have rights on the forest that is being added
    • Checked the permissions: all good
    • Changed the permissions to Domain Admin
  • Adding a new connector
    • Added a new connector manually (click New Connector in the Synchronization Service console)
    • Pointed it to the forest
    • When I right-clicked and chose "Search Connector Space", I could see all the objects from the domain (it won't sync anyway, as the sync rules won't get populated if you use "Create" connector)

At this point, I understood that it is not a problem with the forest that I'm trying to add.

I ran the wizard without adding the connector and got the same error. So this proves that there is an issue with an existing connector.

Resolution:

I ran Refresh Schema on all the existing connectors. I found one of the connectors had schema changes which weren't picked up by AAD Connect (one of the forest administrators had installed Exchange Server in their infrastructure).


After refreshing the schema, I ran the wizard and it went like a charm.