Monthly Archives: November 2014

Office 365 - Renew your certificates (on-premise ADFS) alert

Symptom: After you replace your SSL certificates on your ADFS servers you continue to receive the following alert inside of the Office 365 portal.

Renew your certificates
One of your on-premises Federation Service certificates is expiring.  Failure to renew the certificate and update trust properties within XX days will result in a loss of access to all Office 365 services for all users.  Update now

Office 365 - Alert - Renew your certificates

Solution: This error can be caused if any of the three primary certificates required to federate with an external identity provider (Service Communications, Token-decrypting, and Token-signing) is nearing its expiration date.

Verify which SSL certificate is about to expire

  1. Log in to your primary ADFS server
  2. Open up Server Manager
    Server 2012 R2 - Server Manager
  3. Select Tools -> AD FS Management
    Server Manager - Tools - AD FS Management
  4. Under AD FS expand Service and select Certificates
    AD FS Management Console - AD FS - Service - Certificates
  5. Verify if any certificates are set to expire
    1. Note: In this case, you can see the Token-decrypting and Token-signing certificates are set to expire soon

Replace the expired or expiring certificates

Unfortunately, I don't currently have a tutorial on the processes behind replacing each certificate.  The process for replacing each certificate is a tad different.  Here are a few articles that might help you:

Replacing the Service Communication certificate: http://blogs.technet.com/b/tune_in_to_windows_intune/archive/2013/11/13/replace-certificates-on-adfs-3-0.aspx

Instructions for replacing the token-signing and token-decrypting certificates can be found here: http://social.technet.microsoft.com/wiki/contents/articles/2554.ad-fs-2-0-how-to-replace-the-ssl-service-communications-token-signing-and-token-decrypting-certificates.aspx#Replacing_the_Token-Signing_certificate

Update the federated trust with Office 365

  1. Once none of your certificates is nearing its expiration date, open the Windows Azure Active Directory Module for Windows PowerShell as an administrator
    1. Note: Installation instructions and the download for this can be found here: http://technet.microsoft.com/en-us/library/jj151815.aspx
      Windows Azure Active Directory Module for Windows PowerShell
  2. Execute the following command
    1.  Connect-MsolService
      Windows Azure Active Directory Module for Windows PowerShell - Connect-MsolService

      1. Note: Enter in your Office 365 administrator credentials on this step
  3. Execute the following command
    1. Update-MsolFederatedDomain -DomainName mydomain.com -SupportMultipleDomain
      Windows Azure Active Directory Module for Windows PowerShell - Connect-msolservice - update-msolfederateddomain

      1. Note: Replace mydomain.com with your federated domain.  If you have multiple domains federated with Office 365, add the optional -SupportMultipleDomain parameter as well
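The expiry check and the trust update from the two procedures above, combined into one added PowerShell script that is not part of the original post. It assumes it runs on the primary AD FS server on Server 2012 R2 (where Get-AdfsCertificate is available) with the Windows Azure AD Module (MSOnline cmdlets) installed; mydomain.com and the 30-day threshold are placeholders.

```powershell
# Added example, not from the original post: list the AD FS certificates the
# Office 365 alert refers to, flag any primary one expiring within $WarnDays,
# and only when none is, refresh the trust properties Office 365 holds.
# Assumes the primary AD FS server (Server 2012 R2, ADFS module present) and the
# MSOnline module; 'mydomain.com' is a placeholder for your federated domain.
param(
    [string]$FederatedDomain = 'mydomain.com',
    [int]$WarnDays = 30,
    [switch]$SupportMultipleDomain   # only if the domain was federated with this option
)

Import-Module ADFS -ErrorAction Stop
$now = Get-Date

# Service-Communications, Token-Decrypting and Token-Signing, primary and secondary.
$certs = Get-AdfsCertificate | ForEach-Object {
    [pscustomobject]@{
        Type       = $_.CertificateType
        Primary    = $_.IsPrimary
        Thumbprint = $_.Thumbprint
        NotAfter   = $_.Certificate.NotAfter
        DaysLeft   = [int]($_.Certificate.NotAfter - $now).TotalDays
    }
}
$certs | Sort-Object DaysLeft | Format-Table -AutoSize | Out-Host

$expiring = @($certs | Where-Object { $_.Primary -and $_.DaysLeft -le $WarnDays })
if ($expiring.Count -gt 0) {
    $types = ($expiring | ForEach-Object { $_.Type }) -join ', '
    Write-Warning "Primary certificate(s) expiring within $WarnDays days: $types"
    Write-Warning 'Replace them first; updating the trust now would publish certificates that are about to expire.'
    return
}

# All primaries are healthy: push the current certificates to Office 365 so the alert clears.
Import-Module MSOnline -ErrorAction Stop
Connect-MsolService                    # prompts for Office 365 administrator credentials
$update = @{ DomainName = $FederatedDomain }
if ($SupportMultipleDomain) { $update.SupportMultipleDomain = $true }
Update-MsolFederatedDomain @update
# Compare what AD FS and Office 365 now hold; the TokenSigningCertificate entries should match.
Get-MsolFederationProperty -DomainName $FederatedDomain
```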

[Tutorial] Deploying a reverse proxy for Lync Server 2013

In this tutorial we will go over deploying a reverse proxy for Lync Server 2013.  The original method for deploying a reverse proxy was to use Microsoft's ForeFront TMG (Threat Management Gateway) product; however, shortly after the release of Lync Server 2013, TMG was discontinued.  Since then, a few tutorials have popped up on how to achieve this using Apache and IIS, but there was no official recommendation on what to use until Server 2012 was released.

Per Microsoft's documentation, we can use IIS with an additional extension called Application Request Routing to achieve this task: http://technet.microsoft.com/en-us/library/gg398069.aspx

Details on the IIS Application and Request Routing extension can be found here: http://www.iis.net/downloads/microsoft/application-request-routing

Side note: much of this guide is based on an older TechNet article, which has some additional fine detail on how exactly IIS proxies the requests: http://blogs.technet.com/b/nexthop/archive/2013/02/19/using-iis-arr-as-a-reverse-proxy-for-lync-server-2013.aspx

This tutorial will go over installation instructions from start to finish for Server 2012 and Server 2012 R2.  I have attached the links on how to get Server 2008 and Server 2008 R2 prepped, so you can continue the tutorial once the IIS Application Request Routing extension has been installed.

Download Prerequisite Software

  1. Windows Server 2012 R2
    1. Download IIS Application Request Routing (ARR): http://www.microsoft.com/web/gallery/install.aspx?appid=ARRv3_0
  2. Windows Server 2012
    1. Download (don't install yet) Hotfix for Microsoft Application Request Routing Version 2.5 for IIS7 (KB 2732764) (x64)
    2. Download IIS Application Request Routing (ARR): http://www.microsoft.com/web/gallery/install.aspx?appid=ARRv2_5
  3. Windows Server 2008 and 2008 R2
    1. Ensure you have IIS v7.X installed; instructions on how to do this can be found here: http://www.iis.net/learn/install/installing-iis-7/installing-iis-7-and-above-on-windows-server-2008-or-windows-server-2008-r2
    2. Install Application Request Routing version 2
      1. Instructions can be found here: http://www.iis.net/learn/extensions/installing-application-request-routing-(arr)/install-application-request-routing-version-2

Install IIS for Server 2012 and Server 2012 R2

  1. Please follow my tutorial here: http://jackstromberg.com/2014/11/tutorial-how-to-install-iis-on-server-2012-and-server-2012-r2/

Installing IIS Application Request Routing (ARR) 3

  1. Run the ARRv3_0.exe application as an administrator
    ARRv3_0 - Run as administrator
  2. Click Install
    Web Platform Installer 5.0 - Application Request Routing 3.0 - Cart

    1. Note:  The cart for the v3.0 installer is shown above.  If you are running version 2.5, you will see 2 items needed for install.  Version 3 only needs one.  This is okay.
      Web Platform Installer 5.0 - Application Request Routing 2.5 - Cart
  3. Click I Accept
    Web Platform Installer 5.0 - Application Request Routing 3.0 - I Accept
  4. Click Finish
    Web Platform Installer 5.0 - Application Request Routing 3.0 - Finish
  5. Click Exit
    Web Platform Installer 5.0 - Application Request Routing 3.0 - Exit

Configuring IIS for SSL

  1. Open up Internet Information Services (IIS) Manager
    Server Manager - Tools - Internet Information Services IIS Manager
  2. Select your server and double click on Server Certificates
    LyncRP - Internet Information Services IIS Manager - Home - Server Certificates
  3. Generate or Import your SSL Certificate trusted by a public CA (VeriSign, GoDaddy, etc.)
    1. Note: Generation of this certificate is outside the scope of this tutorial.  This SSL certificate should be the UCC certificate that allows for SAN addresses such as lync, meet, dialin, lyncdiscover, etc.
      LyncRP - Internet Information Services IIS Manager - Server Certificates
  4. Expand your server, expand Sites, select Default Web Site, select Bindings...
    LyncRP - Internet Information Services IIS Manager - Sites - Default Web Site - Bindings
  5. Click on Add...
    LyncRP - Internet Information Services IIS Manager - Sites - Default Web Site - Bindings - Add
  6. Select https, and choose your SSL certificate you imported in the previous step, click OK
    LyncRP - Internet Information Services IIS Manager - Sites - Default Web Site - Bindings - Add - https
  7. Click Close
    LyncRP - Internet Information Services IIS Manager - Sites - Default Web Site - Bindings - Add - Close

Create Server Farms

  1. Select Server Farms and then click on Create Server Farm...
    LyncRP - Internet Information Services IIS Manager - Server Farms - Create Server Farm
  2. Enter in the Server farm name and click Next
    1. Note: We will end up creating a farm for each externally published URL.  These can be lync, dialin, meet, etc.; the order does not matter. For the sake of this tutorial, I am going to use lync first.
      LyncRP - Internet Information Services IIS Manager - Server Farms - Create Server Farm - Server Farm Name
  3. Enter the Server address (same as farm name before), click Advanced Settings..., expand applicationRequestRouting
    LyncRP - Internet Information Services IIS Manager - Server Farms - Create Server Farm - Add Server
  4. Change the httpPort to 8080 and httpsPort to 4443 and click Add
    LyncRP - Internet Information Services IIS Manager - Server Farms - Create Server Farm - Add Server - applicationRequestRouting Ports
  5. Click Finish
    LyncRP - Internet Information Services IIS Manager - Server Farms - Create Server Farm - Add Server - applicationRequestRouting Ports - Finish
  6. Click Yes on the Rewrite Rules dialog
    LyncRP - Internet Information Services IIS Manager - Server Farms - Create Server Farm - Add Server - applicationRequestRouting Ports - Finish - Rewrite Rules Dialog
  7. Repeat steps 1-6 for dialin, meet, and lyncdiscover
    LyncRP - Internet Information Services IIS Manager - Server Farms - meet-dialin-lyncdiscover
  8. For your Lync Web Apps server (lyncwac), repeat steps 1-6 as well, but make sure you use ports 80 and 443 instead of 8080 and 4443.  This is needed to communicate properly with the WAC server.
    LyncRP - Internet Information Services IIS Manager - Server Farms - Create Server Farm - Add Server - lyncwac
    LyncRP - Internet Information Services IIS Manager - Server Farms - meet-dialin-lyncdiscover-lyncwac

Configure IIS Caching, Proxy Timeouts, and Routing Rules

For each of the server farms we created, repeat the following steps:

  1. Select a Server Farm and double click on Caching
    LyncRP - Internet Information Services IIS Manager - Server Farms - Caching
  2. Uncheck Enable disk cache and click Apply
    LyncRP - Internet Information Services IIS Manager - Server Farms - Caching - Uncheck Enable disk cache
  3. Select the same Server Farm object and double click on Proxy
    LyncRP - Internet Information Services IIS Manager - Server Farms - Proxy
  4. Change the Time-out (seconds) from 30 seconds to 600 and click Apply
    1. Note: This is needed to prevent the Lync Web Apps server from timing out unexpectedly.  Microsoft recommends this setting be 200, but this isn't long enough for iOS clients.  Increasing this to 600 fixes the issue where iOS clients prompt with the error message "Your server configuration has changed. Please restart Lync."
      LyncRP - Internet Information Services IIS Manager - Server Farms - Proxy - Time-out 200
  5. Select the same Server Farm object and double click on Routing Rules
    LyncRP - Internet Information Services IIS Manager - Server Farms - Routing Rules
  6. Uncheck Enable SSL offloading and click Apply
    LyncRP - Internet Information Services IIS Manager - Server Farms - Routing Rules - Uncheck Enable SSL offloading

Configure IIS URL Rewrites

  1. Select your IIS Server and double click on URL Rewrite
    LyncRP - Internet Information Services IIS Manager - URL Rewrite
  2. Go through and Remove all of the Inbound Rules whose names do not end in _SSL
    LyncRP - Internet Information Services IIS Manager - URL Rewrite - Remove - Non-SSL
    The result should look like this:
    LyncRP - Internet Information Services IIS Manager - URL Rewrite - Remove - Non-SSL - Removed
  3. Select a rule and click on Add... underneath the Conditions actions pane
    LyncRP - Internet Information Services IIS Manager - URL Rewrite - Add
  4. Enter {HTTP_HOST} for the Condition input and enter role.* for your Pattern
    1. Where role is meet, dialin, lyncdiscover, etc.
      LyncRP - Internet Information Services IIS Manager - URL Rewrite - Add - HTTP_HOST
  5. Repeat steps 3-4 for each SSL rule for a result like this
    LyncRP - Internet Information Services IIS Manager - URL Rewrite - Rules

That should be it! 🙂
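An added PowerShell audit of the settings from the farm, caching, proxy and URL rewrite steps above; it is not part of the original post. It assumes ARR stores farms under webFarms/webFarm/server/applicationRequestRouting and the inbound rules under rewrite/globalRules in applicationHost.config, and it falls back to a constructed sample when that file is not present.

```powershell
# Added example, not from the original post: audit an ARR applicationHost.config
# against the settings this tutorial applies. The XML layout assumed below
# (webFarms/webFarm/server/applicationRequestRouting and rewrite/globalRules)
# is how ARR writes its farm and rule settings; check it against your own file.
param([string]$ConfigPath = "$env:windir\System32\inetsrv\config\applicationHost.config")

# Constructed sample, used when no real config exists, so the audit also runs offline.
$sample = @'
<configuration>
  <webFarms>
    <webFarm name="lync" enabled="true">
      <server address="lync" enabled="true"><applicationRequestRouting httpPort="8080" httpsPort="4443" /></server>
      <applicationRequestRouting><protocol timeout="00:10:00"><cache enabled="false" /></protocol></applicationRequestRouting>
    </webFarm>
    <webFarm name="lyncwac" enabled="true">
      <server address="lyncwac" enabled="true"><applicationRequestRouting httpPort="8080" httpsPort="4443" /></server>
      <applicationRequestRouting><protocol timeout="00:00:30"><cache enabled="true" /></protocol></applicationRequestRouting>
    </webFarm>
  </webFarms>
  <system.webServer><rewrite><globalRules>
    <rule name="ARR_lync_loadbalance_SSL" patternSyntax="Wildcard" stopProcessing="true">
      <match url="*" /><conditions><add input="{HTTPS}" pattern="on" /><add input="{HTTP_HOST}" pattern="lync.*" /></conditions>
      <action type="Rewrite" url="https://lync/{R:0}" />
    </rule>
    <rule name="ARR_lyncwac_loadbalance_SSL" patternSyntax="Wildcard" stopProcessing="true">
      <match url="*" /><conditions><add input="{HTTPS}" pattern="on" /></conditions>
      <action type="Rewrite" url="https://lyncwac/{R:0}" />
    </rule>
  </globalRules></rewrite></system.webServer>
</configuration>
'@
[xml]$cfg = if (Test-Path $ConfigPath) { Get-Content $ConfigPath -Raw } else { $sample }

$findings = @()
foreach ($farm in $cfg.configuration.webFarms.webFarm) {
    $ports = "$($farm.server.applicationRequestRouting.httpPort)/$($farm.server.applicationRequestRouting.httpsPort)"
    $want  = if ($farm.name -eq 'lyncwac') { '80/443' } else { '8080/4443' }   # the WAC server listens on 80/443
    if ($ports -ne $want) { $findings += "$($farm.name): ports $ports, expected $want" }
    $proto = $farm.applicationRequestRouting.protocol
    if ($proto.cache.enabled -ne 'false') { $findings += "$($farm.name): disk cache still enabled" }
    if ($proto.timeout -ne '00:10:00')    { $findings += "$($farm.name): proxy timeout $($proto.timeout), expected 600 s (00:10:00)" }
}
foreach ($rule in $cfg.configuration.'system.webServer'.rewrite.globalRules.rule) {
    if ($rule.name -notlike '*_SSL') { $findings += "$($rule.name): non-SSL inbound rule should be removed" }
    # Without a host condition the first rule matches every published name and all traffic lands on one farm.
    if (-not ($rule.conditions.add | Where-Object { $_.input -eq '{HTTP_HOST}' })) {
        $findings += "$($rule.name): no {HTTP_HOST} condition"
    }
}
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { Write-Output 'Reverse proxy configuration matches the tutorial.' }
```

Run against the constructed sample it reports the lyncwac farm's wrong ports, enabled cache and 30-second timeout, and the missing {HTTP_HOST} condition on the lyncwac rule.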

[Tutorial] How to install IIS on Server 2012 and Server 2012 R2

Here is a tutorial on how to install IIS on Server 2012 and Server 2012 R2.  The installation process is very straightforward and does not differ much from Server 2008 R2.  This guide will only go over the basic install; additional configuration of IIS is outside the scope of this tutorial.  Before beginning, you can choose to install IIS via PowerShell or the GUI.  Either option results in the exact same configuration.

PowerShell

  1. Open an elevated PowerShell console
    Server 2012 - PowerShell - Run as Administrator
  2. Execute the following command
    1. Install-WindowsFeature -Name Web-Server, Web-Mgmt-Tools
      PowerShell - Install-WindowsFeature -Name Web-Server Web-Mgmt-Tools

      1. Note: Web-Mgmt-Tools is optional, but in most instances added to get the Internet Information Services (IIS) Manager GUI snap-in to manage IIS

GUI

  1. Open Server Manager
    Server Manager
  2. Click on Manage - Add Roles and Features
    Server 2012 - Manage - Add Roles and Features
  3. Click Next > on the Before You Begin screen
    Add Roles and Features Wizard - Before you begin
  4. Click Next > on the Installation Type screen
    Add Roles and Features Wizard - Select installation type
  5. Click Next > on the Server Selection screen
    Add Roles and Features Wizard - Confirm installation selections - Restart the destination server automatically if required
  6. Select Web Server (IIS) from the list on Server Roles and click on the Add Features button once prompted.  Click Next >
    Add Roles and Features Wizard - Add features that are required for web server iis
    Add Roles and Features Wizard - Server Roles - Web Server IIS
  7. Click Next > on the Features screen
    Add Roles and Features Wizard - Features - Default
  8. Click Next > on the Web Server Role (IIS) screen
    Add Roles and Features Wizard - Web Server Role IIS
  9. Click Next > on the Role Services screen
    Add Roles and Features Wizard - Web Server Role IIS - Role Services
  10. Click Install on the Confirmation screen
    Add Roles and Features Wizard - Web Server Role - Confirmation

[Tutorial] How to change the asset tag on a Surface Pro 3

Scenario: When logging into the UEFI BIOS, you can see the asset tag's current value set as 0, but are unable to change it.

Solution: To change the asset tag on a Surface Pro 3, you must download a utility by Microsoft.

Note: Before beginning, please ensure you are using UEFI firmware version 3.9.150.0 or later

  1. Download a copy of the Surface Pro 3 Asset Tag CLI Utility from here (Surface Asset Tag.zip):
    https://www.microsoft.com/en-us/download/details.aspx?id=46703
  2. Extract the files from the zipped folder
  3. Open up an elevated command prompt
    Elevated Command Prompt
  4. Navigate to the folder you extracted the Surface Pro 3 Asset Tag CLI utility to
    Surface pro 3 AssetTag Directory
  5. Execute the following command
    1. AssetTag.exe -s ENTERYOURASSETTAGHERE
      AssetTag set Surface Pro 3
      1. Note: The asset tag can be up to 36 characters long. Valid characters include A-Z, a-z, 0-9, period and hyphen.
  6. Reboot the machine for the changes to take effect


About the tool

The utility comes with a readme on additional functionality.  This is copied directly from the Surface Pro 3 Asset Tag README.txt file for convenience:

This tool gets or sets the proposed Asset Tag, which will be applied on next reboot.

The current Asset Tag is an SMBIOS setting which can be queried via WMI:
(Get-WmiObject -query "Select * from Win32_SystemEnclosure").SMBiosAssetTag

Get proposed asset tag:
AssetTag -g

Clear proposed asset tag:
AssetTag -s

Set proposed asset tag:
AssetTag -s ABc-45.67

Valid values:
The asset tag can be up to 36 characters long.
Valid characters include A-Z, a-z, 0-9, period and hyphen.

PowerShell script demonstrating a way to get the proposed value and interpret errors.
Note that stdout contains the Asset Tag and stderr contains error messages.

# Run from the folder containing AssetTag.exe. Merging stderr into the pipeline
# with 2>&1 lets both streams be captured into variables; a plain "> $var" would
# redirect stdout to a file named after the variable's value instead.
$output = & .\AssetTag.exe -g 2>&1
$asset_tag_return_code = $LASTEXITCODE
# stderr lines arrive as ErrorRecord objects, stdout lines as plain strings.
$error_message = ($output | Where-Object { $_ -is [System.Management.Automation.ErrorRecord] }) -join "`n"
$asset_tag = (($output | Where-Object { $_ -isnot [System.Management.Automation.ErrorRecord] }) -join '').Trim("`r`n")

if ($asset_tag_return_code -eq 0) {
    Write-Output ("Good Tag = " + $asset_tag)
} else {
    Write-Output (
        "Failure: Code = " + $asset_tag_return_code +
        " Tag = " + $asset_tag +
        " Message = " + $error_message)
}

Update: Microsoft has posted official documentation on these steps here: https://docs.microsoft.com/en-us/surface/assettag

Cisco AnyConnect - Windows 8 - The VPN client driver encountered an error. Please restart your computer or device, then try again error

Symptom: You receive the following error when trying to establish a connection with the Cisco AnyConnect client on Windows 8 x64.

Cisco AnyConnect VPN Client - The VPN client driver encountered an error.  Please restart your computer or device then try again error

Solution:

Option 1: PowerShell Method

  1. Go to the Windows 8 Start screen, search for PowerShell, Run as an Administrator
    Windows 8 - Search - powershell - run as administrator
  2. Execute the following powershell command
    1. Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\vpnva -Name DisplayName -Value 'Cisco AnyConnect VPN Virtual Miniport Adapter for Windows x64'
      PowerShell-Set-vpnva-DisplayName-Cisco-AnyConnect-VPN
  3. Exit and reopen the Cisco AnyConnect Program

Option 2: Registry Editor GUI Method

  1. Go to the Windows 8 Start screen, search for regedit, right click Run as administrator
    Windows 8 - Search - regedit - Run as administrator
  2. Navigate to the following registry key
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vpnva
    HKEY_LOCAL_MACHINE-System-CurrentControlSet-Services-vpnva
  3. Double click on the DisplayName value and replace the value with Cisco AnyConnect VPN Virtual Miniport Adapter for Windows x64
    HKEY_LOCAL_MACHINE-System-CurrentControlSet-Services-vpnva - DisplayName - Cisco AnyConnect VPN Virtual Miniport Adapter for Windows x64
    HKEY_LOCAL_MACHINE-System-CurrentControlSet-Services-vpnva - DisplayName - Cisco AnyConnect VPN Virtual Miniport Adapter for Windows x64 - regedit
  4. Exit and reopen the Cisco AnyConnect VPN client