Office 365 [Solved] – Migration Permanent Exception: You can’t use the domain because it’s not an accepted domain for your organization

Hello folks,

Ahmad Yasin (MCSA office 365, MCSE : Messaging, Azure Certified)

In one of our migration projects from on-premises Exchange to Exchange Online (Office 365), we enabled directory synchronization using the AD Connect tool, and all on-premises users were synchronized to Azure AD successfully.

After running the Hybrid Configuration Wizard, we migrated a lot of mailboxes without any issues, but a few mailboxes failed to migrate and showed the error below (from the Office 365 portal, Migration Batch Details):

The error says:

“Migration Permanent Exception: You can’t use the domain because it’s not an accepted domain for your organization –> You can’t use the domain because it’s not an accepted domain for your organization”

Now let’s understand why this error appears:

Assume you own the domain AzureDummies.com and all email addresses have the format emailaddress@AzureDummies.com. To migrate these mailboxes to Office 365 (Exchange Online) you must prove to the Office 365 tenant that you are the real owner of AzureDummies.com. This makes sense: if there were no need to prove ownership, anyone could create mailboxes in Office 365 using any public domain name, which cannot be allowed.

In our case the domain was already verified in Office 365, but we still faced the same error for some mailboxes. When we checked the Email Addresses attribute of a failed on-premises mailbox, we saw something similar to the below:

In the snapshot, the blue arrow points to the primary email address of the mailbox, which uses the domain verified in Office 365, but notice that the same mailbox has another alias ending with a different domain (red arrow) that is not verified in Office 365. That unverified alias domain is the cause of this issue.

To solve the issue we have two options. The first is to remove the alias and resync the object using AD Connect to update the attribute in Azure AD; in that case the user will no longer be able to receive emails sent to the alias.

The second option is to verify the alias domain in Office 365 and migrate the mailbox again, and this is what we did 🙂
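As an added check (example code, not from the original post), the script below finds on-premises mailboxes that carry an SMTP alias in a domain the tenant has not verified, which is exactly the condition behind this exception. It assumes the tenant’s accepted domains were exported to a text file from an Exchange Online session first, and that the function runs in the on-premises Exchange Management Shell; the file name is a placeholder.

```powershell
# Added example: detect mailboxes whose proxy addresses use a domain that is not
# an accepted domain in the Office 365 tenant.
#
# Step 1 (Exchange Online session): export the accepted domains once
#   Get-AcceptedDomain | ForEach-Object { $_.DomainName.ToString() } | Set-Content .\accepted-domains.txt
# Step 2 (on-premises Exchange Management Shell): run the function below.

function Get-MailboxWithUnverifiedAlias {
    param(
        # Accepted domains exported from the tenant (placeholder file name above)
        [Parameter(Mandatory)] [string[]] $TenantDomains,
        # Treat child domains (e.g. sub.azuredummies.com) of an accepted domain as OK
        [switch] $AllowSubdomains
    )
    # Normalise once; domain comparison is case-insensitive
    $accepted = @($TenantDomains | ForEach-Object { $_.Trim().ToLowerInvariant() } | Where-Object { $_ })

    Get-Mailbox -ResultSize Unlimited | ForEach-Object {
        $mbx = $_
        # Only SMTP proxies matter here; X500/SIP/X400 entries are ignored
        $unverified = @($mbx.EmailAddresses |
            Where-Object { $_.PrefixString -eq 'SMTP' } |
            ForEach-Object { $_.AddressString } |
            Where-Object {
                $domain = ($_ -split '@')[-1].ToLowerInvariant()
                $ok = $accepted -contains $domain
                if (-not $ok -and $AllowSubdomains) {
                    $ok = @($accepted | Where-Object { $domain.EndsWith('.' + $_) }).Count -gt 0
                }
                -not $ok
            })
        if ($unverified.Count -gt 0) {
            [pscustomobject]@{
                Mailbox         = $mbx.Alias
                PrimarySmtp     = $mbx.PrimarySmtpAddress.ToString()
                UnverifiedAlias = ($unverified -join '; ')
            }
        }
    }
}

# Usage: list the mailboxes that will fail the migration batch
$tenantDomains = Get-Content .\accepted-domains.txt
Get-MailboxWithUnverifiedAlias -TenantDomains $tenantDomains | Format-Table -AutoSize
```

Each row names the alias to either remove (option one) or whose domain to verify in the tenant (option two) before re-running the batch.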

 

About Blogger …

Ahmad Yasin (MCSA Office 365, MCSE: Messaging, Azure Certified)

Ahmad Yasin is a Microsoft Cloud Engineer and the owner and publisher of the AzureDummies blog. He also holds many certificates in Office 365 and Windows Azure, including Developing Microsoft Azure Solutions, Implementing Microsoft Azure Infrastructure Solutions and MCSA Office 365.
Ahmad is currently working at Specialized Technical Services Company (STS).
Find Ahmad on Facebook and LinkedIn

 

 

Secure terminal Services (RDP) using Azure Multi-factor Authentication (MFA) – Part 2

Ahmad Yasin (MCSA office 365, MCSE : Messaging, Azure Certified)

Hello Everyone,

In the first article of this series we discussed the general concept of Azure Multi-Factor Authentication and how it works.

In the second part we went deeper into the technical aspects of implementing Azure MFA, taking as an example how to secure your remote desktop connection through Azure Multi-Factor Authentication, and we prepared the Azure tenant and the Azure MFA provider.

In this part we continue the demo of integrating Remote Desktop (RDP) with Azure MFA by installing the Azure MFA Server on the same server we need to secure.

In this demo we have a server called Secure-Server running Windows Server 2008 R2 and joined to the domain; we need to secure the remote desktop connection to it by installing the MFA Server on it.

In this demo I assume the MFA provider is already prepared; for more information read our previous article.

So let’s start the installation of the MFA Server.

Just as a reminder, the previous article showed how to download the MFA Server setup and generate the activation credentials.

After the download completes, double-click the setup file, choose the installation path and click Next.

Wait a few seconds for the installation to complete, and once it finishes click Finish.

A new wizard appears; click Next.

Now enter the email and password credentials obtained earlier from the MFA provider (if you forget how to obtain them, read our previous post; if the credentials have expired you can generate them again). Once you fill in the required information, click Next.

The MFA Server now tries to communicate with the Azure MFA provider.

Oops, we received the error message shown below: ” Unable to communicate with the Multi-factor Authentication POP, The Multi-factor Authentication server could not be activated … etc“. This error is normal if you use a proxy to access the internet; in that case you must verify three things:

1- Your proxy is set correctly on the server (in the IE browser).
2- Run CMD as administrator and execute the following command:
netsh winhttp import proxy source=ie
3- The MFA Server must be able to communicate outbound on port 443 to the following:

  • https://pfd.phonefactor.net
  • https://pfd2.phonefactor.net
  • https://css.phonefactor.net

If outbound firewalls are restricted on port 443, the following IP address ranges will need to be opened:

IP Subnet           Netmask            IP Range
134.170.116.0/25    255.255.255.128    134.170.116.1 – 134.170.116.126
134.170.165.0/25    255.255.255.128    134.170.165.1 – 134.170.165.126
70.37.154.128/25    255.255.255.128    70.37.154.129 – 70.37.154.254

If you are not using the Azure Multi-Factor Authentication Event Confirmation features, and users are not authenticating with the Multi-Factor Auth mobile apps from devices on the corporate network, the IP ranges can be reduced to the following:

IP Subnet           Netmask            IP Range
134.170.116.72/29   255.255.255.248    134.170.116.72 – 134.170.116.79
134.170.165.72/29   255.255.255.248    134.170.165.72 – 134.170.165.79
70.37.154.200/29    255.255.255.248    70.37.154.201 – 70.37.154.206
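To check these requirements before running the activation wizard, here is an added example (not from the original post) that resolves each endpoint, tests a direct TCP connection on port 443 and reports whether the resolved address falls inside the ranges listed above. It assumes Windows PowerShell 3.0 or later and a direct (non-proxied) egress path; behind a proxy the TCP test fails by design, and the output of netsh winhttp show proxy is what to inspect instead.

```powershell
# Added example: pre-flight check of the MFA Server egress requirements listed in the post.
$MfaEndpoints = 'pfd.phonefactor.net', 'pfd2.phonefactor.net', 'css.phonefactor.net'
$MfaRanges    = '134.170.116.0/25', '134.170.165.0/25', '70.37.154.128/25'

function Test-IpInCidr {
    param([Parameter(Mandatory)][string]$Ip, [Parameter(Mandatory)][string]$Cidr)
    $network, $prefix = $Cidr -split '/'
    $toUInt32 = {
        param($addr)
        $b = [System.Net.IPAddress]::Parse($addr).GetAddressBytes()
        [Array]::Reverse($b)                       # network byte order -> little-endian for BitConverter
        [BitConverter]::ToUInt32($b, 0)
    }
    # Build the mask without bit shifts so it also works on older PowerShell builds
    $hostBits = 32 - [int]$prefix
    $mask = [uint32]([uint32]::MaxValue - ([math]::Pow(2, $hostBits) - 1))
    ((& $toUInt32 $Ip) -band $mask) -eq ((& $toUInt32 $network) -band $mask)
}

function Test-MfaServerEgress {
    param(
        [string[]] $Hosts = $MfaEndpoints,
        [string[]] $AllowedRanges = $MfaRanges,
        [int] $Port = 443,
        [int] $TimeoutMs = 5000
    )
    foreach ($h in $Hosts) {
        $addresses = @()
        try {
            $addresses = @([System.Net.Dns]::GetHostAddresses($h) |
                Where-Object { $_.AddressFamily -eq 'InterNetwork' })
        } catch { }
        if ($addresses.Count -eq 0) {
            [pscustomobject]@{ Host = $h; Address = $null; InDocumentedRange = $false; Tcp443 = $false; Note = 'DNS resolution failed' }
            continue
        }
        foreach ($addr in $addresses) {
            $ip = $addr.IPAddressToString
            # Direct TCP connect with a timeout; a proxy-only environment will fail here
            $client = New-Object System.Net.Sockets.TcpClient
            $connected = $false
            try {
                $async = $client.BeginConnect($ip, $Port, $null, $null)
                if ($async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
                    $client.EndConnect($async)
                    $connected = $client.Connected
                }
            } catch { $connected = $false }
            finally { $client.Close() }
            $inRange = @($AllowedRanges | Where-Object { Test-IpInCidr -Ip $ip -Cidr $_ }).Count -gt 0
            $note = if ($connected) { 'ok' } else { 'blocked, proxied, or timed out' }
            [pscustomobject]@{
                Host              = $h
                Address           = $ip
                InDocumentedRange = $inRange     # $false: the firewall rules above would not cover this address
                Tcp443            = $connected
                Note              = $note
            }
        }
    }
}

# Usage: run on the MFA Server before starting the activation wizard
Test-MfaServerEgress | Format-Table -AutoSize
```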

After we set the proxy rules, I tried again to activate the MFA Server, and this time it verified successfully. The wizard now asks you to create a new MFA group or choose an existing one. Since this is the first MFA Server to be deployed, give the new group any meaningful name. Note that the group is used to manage more than one MFA Server and to enable replication between the servers if there is a need. Click Next.

Uncheck the “Enable replication between servers” option and click Next.

Now you can select which applications to integrate with Azure MFA; the last option is Remote Desktop. You could select it and click Next, but in our demo we will configure Remote Desktop from the MFA console instead, so click Cancel.

Now go to the Start menu and click the Multi-Factor Authentication Server icon. The Azure MFA Server console loads.

After a while the console appears. This is the MFA Server console from which you manage the MFA setup; the Status option shows that the server Secure-Server.demo.lab is online, which is the same server whose RDP connection we need to secure and which hosts the MFA Server at the same time.

Also, if you go to the Azure MFA provider manage page and click the Server Status option, you will see that the server is online.

Now back in the MFA Server console, go to Windows Authentication, check the “Enable Windows Authentication” option, then click the Add button.

Choose the server name and Terminal Services as the application, and check the “Enable” option. If you want every user in AD to be required to use MFA, check the “Require Multi-Factor Authentication user match” option; otherwise leave it unchecked. Click OK.

MFA is now configured to secure RDP on that server. A message says the server must be restarted for the change to take effect; click OK, but hold off on restarting so we can continue the configuration.

The server now appears in the console.

Now go to the Users icon to add the users you want MFA enforced for, and click the Import from Active Directory button. Choose the users you need and click Import. Once the users are imported successfully, click OK.

The new users appear in the console with a warning icon beside each one. The warning is there because a user must be enabled for MFA manually; importing a user does not enable MFA automatically. Double-click any user and fill in the required information:
- Country Code.
- Phone.
- The MFA method: phone call, text message, mobile app, etc. For this demo we choose the phone call option.
- Check the Enabled option.
Finally, click Apply.

Note that after we check the Enabled option the warning icon disappears. Do the same for all the users you need.

After I prepared all the users, they appear in the console without the warning icon. To test the configuration, choose any user and click the Test button, provide the password, click Test and wait a while.

The user should now receive a call. If they end the call, the authentication is refused, because it is assumed that another person is trying to use their credentials; if the user presses (#), they confirm that they are the one trying to access the server.

After I pressed (#), the test completed.

Now, after I restarted the machine for the change to take effect, I tried to access the server remotely and logged in with the administrator user. The welcome page started, and during the login, while the welcome page was still showing, I received a call from Microsoft MFA. I answered the call and ended it immediately.

Because I ended the call and didn’t press the (#) key, the login failed.

I tried to log in again with the same user. I received another call from Microsoft MFA, but this time I pressed the (#) key.

Because I pressed the (#) key I confirmed to Microsoft that I am the same person who is trying to log in now, so I successfully logged in to the server.

So in this article we demonstrated how to install the MFA Server and integrate it with the remote desktop connection (RDP).

In the next part we will show you how to customize the MFA setup: using fraud alert, changing the voice of the received call, generating reports, etc.

Stay tuned 🙂


Understanding the Importance of MRS Proxy in Hybrid deployment Model – Office 365

Hello office 365 Admins,

Ahmad Yasin

In one of the projects we worked on, we had Exchange 2013 servers and tried to set up the Hybrid Configuration Wizard (HCW) in order to migrate mailboxes to Office 365. As usual we installed AD Connect and synced users to Azure Active Directory.

All HCW prerequisites were met (verifying the domain, the public certificate, etc.). We started the Hybrid Configuration Wizard, but unfortunately the wizard completed with the warning below:

HCW8078: Migration Endpoint could not be created.
Microsoft.Exchange.Migration.MigrationServerConnectionFailedException
“The connection to the server mail.mydomain.edu.jo could not be completed.”
Microsoft.Exchange.MailboxReplicationService.RemoteTransientException:
The Call to ‘https://mail.mydomain.edu.jo/EWS/MRSProxy.svc’ failed. Error Details:
The Http Request was forbidden with client authentication schema ‘Negotiate’. –>
The remote server returned an error :(403) forbidden.

First of all, let’s start troubleshooting by opening the URL mentioned in the error details (shown in red) in a browser to see whether we can reach it. When I open the URL it asks for credentials, and once I enter any domain user I receive the response shown below:

From the response we can see that something went wrong while accessing the URL, which is what made the Hybrid Configuration Wizard show the warning.

Before we fix the error, let’s explain why HCW tries to access this URL while configuring the hybrid deployment.

MRS Proxy stands for Mailbox Replication Service Proxy. It is used for cross-forest mailbox moves and for remote move migrations between on-premises Exchange and Exchange Online (Office 365), which means this service is used whenever Exchange is asked to initiate a migration. In Exchange 2013 the service is included in the Mailbox servers, and during cross-forest and remote migrations the Client Access server acts as a proxy for incoming move requests to the Mailbox server. The ability of the Client Access server to accept move requests is disabled by default to reduce the attack surface; to let it accept incoming move requests you must enable the MRS Proxy endpoint.

So even though the wizard shows a warning, not a failure, if you decide not to fix it the migration request will fail when you try to move a mailbox to Office 365 (Exchange Online).

To enable the MRS Proxy in Exchange 2013, log in to the ECP, go to Servers -> Virtual Directories and double-click the EWS virtual directory.

Once you open the virtual directory, check the “Enable MRS Proxy endpoint” option, then click Save.

If you have more than one Client Access server, be sure to enable the MRS Proxy on all of them.

If you prefer to enable it from the Exchange Management Shell, run the command below (replace the server name with your CAS server):

Set-WebServicesVirtualDirectory -Identity "MyCASServer\EWS (Default Web Site)" -MRSProxyEnabled $true

For Exchange 2010, you can enable it with the command below (replace the server name with your CAS server):

Set-WebServicesVirtualDirectory -Identity "MyCASServer\EWS (Default Web Site)" -MRSProxyEnabled $true -MRSProxyMaxConnections 50

Once you enable it, I prefer to reset IIS by running the following command from CMD:

iisreset

Once you finish the migration it’s highly recommended to disable the MRS Proxy again to reduce the attack surface of your organization.

After that you can run the Hybrid Configuration Wizard. In my case it was a strange story: when I checked, the MRS Proxy was already enabled, so to solve my problem I disabled it and re-enabled it again. Once I did this I opened the URL again and got something similar to the result below:

Finally, I ran the Hybrid Configuration Wizard, it completed successfully and the mailbox migration went smoothly.
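An added example (not the post’s own code) for the Exchange Management Shell: it audits the MRS Proxy setting on every EWS virtual directory, enables or disables it in one go (so the “disable and re-enable” trick above and the post-migration clean-up become a single command), recycles IIS on the servers that were changed, and probes the MRSProxy.svc URL the way the browser test above does. Host and server names are placeholders.

```powershell
# Added example: audit / toggle the MRS Proxy endpoint across all CAS servers and
# probe the endpoint. Run in the on-premises Exchange Management Shell.

function Set-MrsProxyState {
    param(
        [Parameter(Mandatory)] [bool] $Enabled,   # $true before migration, $false once it is finished
        [switch] $ResetIis                        # recycle IIS on every server that was changed
    )
    $touched = @()
    foreach ($vdir in Get-WebServicesVirtualDirectory) {
        $server  = $vdir.Server.Name
        $changed = $false
        if ($vdir.MRSProxyEnabled -ne $Enabled) {
            Set-WebServicesVirtualDirectory -Identity $vdir.Identity -MRSProxyEnabled $Enabled
            $changed  = $true
            $touched += $server
        }
        [pscustomobject]@{
            Server          = $server
            Identity        = $vdir.Identity.ToString()
            MRSProxyEnabled = $Enabled
            Changed         = $changed
        }
    }
    if ($ResetIis) {
        foreach ($server in ($touched | Sort-Object -Unique)) {
            # iisreset accepts a remote computer name; /restart is the default action
            iisreset $server /restart | Out-Null
        }
    }
}

function Test-MrsProxyUrl {
    # Reproduces the browser test from the post: a healthy endpoint answers 200 to an
    # authenticated GET; the failure described above returned 403 for 'Negotiate'.
    param([Parameter(Mandatory)][string]$ExternalHost)   # hybrid host name (placeholder)
    $url = "https://$ExternalHost/EWS/MRSProxy.svc"
    try {
        $resp = Invoke-WebRequest -Uri $url -UseDefaultCredentials -UseBasicParsing
        [pscustomobject]@{ Url = $url; StatusCode = [int]$resp.StatusCode; Healthy = $true }
    } catch {
        $code = $null
        if ($_.Exception.Response) { $code = [int]$_.Exception.Response.StatusCode }
        [pscustomobject]@{ Url = $url; StatusCode = $code; Healthy = $false }
    }
}

# Usage (placeholder names): enable before migration, verify, and disable once it is done
Set-MrsProxyState -Enabled $true -ResetIis | Format-Table -AutoSize
Test-MrsProxyUrl -ExternalHost 'mail.example.com'
# The same endpoint can be verified from an Exchange Online session with:
#   Test-MigrationServerAvailability -ExchangeRemoteMove -RemoteServer mail.example.com -Credentials (Get-Credential)
# After the migration:  Set-MrsProxyState -Enabled $false -ResetIis
```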


AD Connect objects deletion threshold – office 365

Hello Office 365 Admins,

Ahmad Yasin (MCSA office 365, MCSE : Messaging, Azure Certified)

While working on a project to migrate Exchange 2013 to Office 365 (Exchange Online), we started to sync users to Azure Active Directory using the AD Connect tool. For some reason we unfortunately synced around 3000 users to Azure Active Directory by mistake, so we tried to exclude the wrong OUs with OU filtering in AD Connect and forced the sync again in order to delete these objects from Azure Active Directory. Unfortunately these users still appeared with a synced status in Azure AD even though we had excluded them in the filter.

So we decided to look at the Event Viewer logs on the AD Connect server, and after reading the logs we found the error below:

Source: Directory Synchronization, Event ID: 906

Description: unable to process this synchronization cycle in azure active directory because the object deletion threshold was met or exceed

So AD Connect has a threshold for object deletions to protect you from accidentally deleting a bulk of objects by mistake.

This threshold is 500 objects as stated in Microsoft articles, so by default you cannot delete 500 or more objects in one shot. If, like me, you need to delete more than this number at the same time, you can simply disable this feature from Azure AD PowerShell using the command below:

Disable-ADSyncExportDeletionThreshold

To learn how to connect to Office 365 PowerShell, follow this link: https://technet.microsoft.com/en-us/library/jj984289(v=exchg.160).aspx

After the deletion completes we recommend re-enabling this feature with the PowerShell command below:

Enable-ADSyncExportDeletionThreshold
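Added example, not part of the original post: it wraps the two commands above so the threshold is always restored. It runs on the AD Connect server with the ADSync module (the cmdlets prompt for Azure AD global administrator credentials), reads the current threshold instead of assuming 500, triggers a delta sync, waits for the cycle to finish and re-enables the threshold in a finally block.

```powershell
# Added example: lift the export deletion threshold for one sync cycle, then restore it.
Import-Module ADSync

function Invoke-SyncWithoutDeletionThreshold {
    param([int] $PollSeconds = 30)

    # Record the current setting so it is restored exactly as it was
    $current   = Get-ADSyncExportDeletionThreshold
    $threshold = [int]$current.DeletionThreshold
    Write-Host "Current threshold: $threshold (enabled: $($current.DeletionThresholdEnabled))"

    if ((Get-ADSyncScheduler).SyncCycleInProgress) {
        throw 'A sync cycle is already running; wait for it to finish before changing the threshold.'
    }

    Disable-ADSyncExportDeletionThreshold        # prompts for Azure AD credentials
    try {
        Start-ADSyncSyncCycle -PolicyType Delta | Out-Null
        # Wait for the cycle (including the export step, where the deletions happen) to complete
        do {
            Start-Sleep -Seconds $PollSeconds
        } while ((Get-ADSyncScheduler).SyncCycleInProgress)
    }
    finally {
        # Re-enable with the original value even if the cycle failed or was interrupted
        Enable-ADSyncExportDeletionThreshold -DeletionThreshold $threshold
    }
    Get-ADSyncExportDeletionThreshold            # returns the restored setting for verification
}

Invoke-SyncWithoutDeletionThreshold
```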

That’s all 🙂


Windows Integration with RSA Security Analytics using WinRM over HTTPS – Step by Step Guide

Hello RSA Admins,

As most of you know, integrating a Windows event source with RSA Security Analytics is not that easy or “straightforward”; it is hard to get it right the first time without any error, because the integration depends on the Windows configuration in the first place, and Windows varies from one infrastructure to another. The errors you will mainly get are WinRM errors, certificate issues and HTTPS listener creation problems.

In this article I will show a different integration method, not the one that RSA shows in their docs.

I am going to do it completely, from the certificate creation until the logs are received in RSA SA, in a few steps.

1- Run MMC, press Ctrl+M, add the Certificates snap-in, select Computer Account, and click Next.

2- Select Local Computer and click Finish.

3- Under Certificates - Personal, right-click and select Request New Certificate…

4- Click Next, Next, select Web Server, and click “More information is required…”.

5- Under the Subject tab, for Subject Name select Type: Common Name, in Value type the event source FQDN, and click Add.

6- Under the General tab, type the FQDN in the Friendly name field.

7- Under the Private Key tab, Key options, select “Make private key exportable” and “Allow private key to be archived”, then Apply -> OK -> Enroll.

8- View the certificate and copy the Thumbprint.

9- Copy winrmconfig.ps1 to the C: directory and run the following commands in PowerShell as administrator:

Command 1- Set-ExecutionPolicy Unrestricted -> Y

Command 2- Powershell -File winrmconfig.ps1 -Action enable -ListenerType https -Port 5986 -User rsa@sts.services.local -ThumbPrint ac4c1fa34a1285ffa41f6aa3b84f00cc79dd7ac6

Where: -Action enable enables the listener, -User is a domain user with normal privileges used to run the service, and -ThumbPrint is the certificate thumbprint we copied before.

 

And here is where the magic happens 😉
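Below is an added example (not RSA’s winrmconfig.ps1 and not code from the post) that does the listener part of step 9 by hand, so you can see what the script has to get right: it picks the certificate enrolled in steps 5 to 8 by its CN, checks that it has a private key and the Server Authentication usage, binds an HTTPS listener on 5986 to that thumbprint and opens the firewall port. The FQDN is a placeholder; run it as administrator.

```powershell
# Added example: create the WinRM HTTPS listener for the RSA collector manually.
# RemoteSigned is sufficient to run a local script; Unrestricted is not required.

function New-WinRmHttpsListener {
    param(
        [Parameter(Mandatory)] [string] $Fqdn,   # event source FQDN used as the certificate CN (placeholder)
        [int] $Port = 5986
    )
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'
    # Newest valid certificate for this FQDN with a private key and the Server Authentication EKU
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object {
            $c = $_
            $c.Subject -like "CN=$Fqdn*" -and $c.HasPrivateKey -and $c.NotAfter -gt (Get-Date) -and
            @($c.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $serverAuthOid }).Count -gt 0
        } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No usable Server Authentication certificate for $Fqdn in LocalMachine\My" }

    Set-Service -Name WinRM -StartupType Automatic
    Start-Service -Name WinRM

    # Replace any existing HTTPS listener so the new thumbprint is the one in use
    $selector = @{ Address = '*'; Transport = 'HTTPS' }
    $existing = Get-WSManInstance -ResourceURI winrm/config/Listener -SelectorSet $selector -ErrorAction SilentlyContinue
    if ($existing) { Remove-WSManInstance -ResourceURI winrm/config/Listener -SelectorSet $selector }
    New-WSManInstance -ResourceURI winrm/config/Listener -SelectorSet $selector -ValueSet @{
        Hostname              = $Fqdn
        CertificateThumbprint = $cert.Thumbprint
        Port                  = "$Port"
    } | Out-Null

    # Inbound firewall rule for the listener port (netsh works on 2008 R2 as well as newer builds)
    netsh advfirewall firewall add rule name="WinRM HTTPS $Port" dir=in action=allow protocol=TCP localport=$Port | Out-Null

    [pscustomobject]@{
        Fqdn       = $Fqdn
        Port       = $Port
        Thumbprint = $cert.Thumbprint
        NotAfter   = $cert.NotAfter
    }
}

# Usage (placeholder FQDN); afterwards verify from another domain host with:
#   Test-WSMan -ComputerName <fqdn> -Port 5986 -UseSSL -Authentication Negotiate -Credential (Get-Credential)
New-WinRmHttpsListener -Fqdn 'eventsource.example.local'
```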

10- Now go to RSA LogCollector, View, Config, Event Source tab. Select Windows and Kerberos Realm Configuration.

11- Add the event source name (not the FQDN) as the KDC Host Name, and save.

12- Change to Windows - Config, and make sure the Authorization Method is set to Negotiate and the user name is the one we used in the script.

13- Now add a new source and test the connection 😉

14- Check whether the logs were received.

That’s all, done 🙂

 

Amin Khalil (VMware VCP-DCV, VCPC, VTSP, RSA Security Analytics)

Amin Khalil is a Technology Expert Engineer and publisher at the AzureDummies blog. He also holds many certificates in VMware, RSA Security, EMC and Dell.
Amin is currently working at Specialized Technical Services Company (STS).

 

451 5.7.3 STARTTLS is required to send mail Error – office 365

Hello Office365 Admins,

Ahmad Yasin

While working at one of my customers’ sites to migrate mailboxes to Office 365 (Exchange Online), I faced an issue in the mail flow from the local on-premises Exchange to the mailboxes already migrated to the cloud. When I checked the queue I noticed that the emails were stuck with the error below:

450 4.4.101 Proxy session setup failed on Frontend with ‘451 4.4.0 Primary target IP address responded with “451 5.7.3 STARTTLS is required to send mail.” Attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts, or delivery failed to all alternate hosts. The last endpoint attempted was <endpoint>’.

I did some searching and found a Microsoft article that says: to solve this issue you should remove the TLSCertificateName and TLSDomainCapabilities properties from the receive connector on the hybrid server: https://support.microsoft.com/en-us/kb/2989382

I followed the steps in the article, but unfortunately the issue was not resolved in my case.

The Exchange topology at the site is:

  1. Two Exchange 2010 Client Access servers.
  2. Two Exchange 2010 Mailbox servers.
  3. One Exchange 2010 Edge server.
  4. Cisco ASA firewall.

Now, when I telnet to mydomain.mail.protection.outlook.com on port 25 from the Edge server, I receive a banner of stars (220 ***********************************************************) instead of the normal greeting.

Receiving a result like this means that SMTP inspection is enabled on the firewall, and as you know this feature usually causes a lot of issues in mail flow, so I asked the network team to disable SMTP inspection on the Cisco ASA. Once it was disabled, all mail flow worked like magic 🙂
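The telnet check above, as an added example (not from the original post) that can be repeated from a script: it connects to port 25, reads the greeting, flags the all-asterisk banner that ESMTP inspection produces, then sends EHLO and reports whether STARTTLS is advertised, which is what the 451 5.7.3 error is really about. The HELO name is a placeholder.

```powershell
# Added example: detect a masked SMTP banner and a missing STARTTLS capability.

function Test-SmtpStartTls {
    param(
        [Parameter(Mandatory)] [string] $Server,          # the host the Edge server delivers to
        [int]    $Port      = 25,
        [string] $HeloName  = 'edge.example.com',         # name we introduce ourselves with (placeholder)
        [int]    $TimeoutMs = 10000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $client.ReceiveTimeout = $TimeoutMs
    $client.SendTimeout    = $TimeoutMs
    $client.Connect($Server, $Port)
    $stream = $client.GetStream()
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.NewLine   = "`r`n"
    $writer.AutoFlush = $true

    # An SMTP reply may span several lines: "250-..." continues, "250 ..." ends it
    $readReply = {
        $lines = @()
        do {
            $line = $reader.ReadLine()
            if ($null -eq $line) { break }
            $lines += $line
        } while ($line.Length -ge 4 -and $line.Substring(3, 1) -eq '-')
        ,$lines
    }

    try {
        $banner = & $readReply
        $writer.WriteLine("EHLO $HeloName")
        $ehlo = & $readReply
        $writer.WriteLine('QUIT')
    }
    finally { $client.Close() }

    $bannerText = $banner -join ' '
    [pscustomobject]@{
        Server          = $Server
        Banner          = $bannerText
        # ASA ESMTP inspection replaces the greeting with a row of asterisks
        BannerMasked    = [bool]($bannerText -match '^220 \*{5,}')
        # Without STARTTLS in the EHLO reply, Exchange Online answers 451 5.7.3 on the send attempt
        StartTlsOffered = @($ehlo | Where-Object { $_ -match '^250[ -]STARTTLS' }).Count -gt 0
        EhloReply       = $ehlo -join ' | '
    }
}

# Usage: run from the Edge server, the same place the telnet test was done
Test-SmtpStartTls -Server 'mydomain.mail.protection.outlook.com' | Format-List
```

BannerMasked $true together with StartTlsOffered $false is the signature of the inspection problem described above; after the network team disables it, both values flip.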

 


Certificates disappear from the RSA SA GUI, but still available on the LogDecoder.

Hello RSA Admins,

While trying to upload a certificate in my lab, I noticed that the certificates suddenly disappeared from the SA GUI but were still available on the Log Decoder.

Most likely this happens if a certificate whose “Subject” field was empty when it was originally generated by the certificate authority is uploaded to the RSA Log Decoder/Collector. Uploading such a certificate messes up the SA appliance GUI: newly uploaded certificates will not appear in the GUI, and deleting these certificates from the Log Decoder/Collector appliance using the CLI will not help or solve the problem, because the certificates remain on the system in a different path that is not easy to find. The best practice is to delete the certificate from the Log Decoder/Collector using the GUI commands (this deletes it from the system completely, as discussed below), not the CLI commands.

If it has already happened and you deleted the certificate using the CLI, follow the step-by-step below to solve the issue.

By the way, RSA says it’s a bug in the system that was fixed in new releases starting from 10.5.2, but if you are on a previous version and try to upgrade hoping this will solve the problem, please don’t, as you will waste your time 😉

First of all, I will show you that once the system is affected, newly uploaded certificates do not appear in the GUI but are still available on the system.

And here is the error you will get if you tail /var/log/messages:

Caused by: com.rsa.netwitness.carlos.transport.TransportException: No such node (certs).
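As an added safeguard (example code, not from the original post), the function below inspects a certificate file before it is uploaded and refuses one whose Subject is empty, the exact case that breaks the GUI above. It runs on the admin workstation with Windows PowerShell, accepts PEM or DER files, and the folder and file paths are placeholders.

```powershell
# Added example: pre-upload certificate sanity check (empty Subject, validity window).

function Test-CertificateForUpload {
    param([Parameter(Mandatory, ValueFromPipeline)] [string] $Path)
    process {
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2
        $cert.Import((Resolve-Path $Path).Path)      # X509Certificate2.Import handles PEM and DER
        $problems = @()
        if ([string]::IsNullOrWhiteSpace($cert.Subject)) {
            $problems += 'empty Subject: uploading this breaks the SA certificate view'
        }
        $now = Get-Date
        if ($cert.NotBefore -gt $now) { $problems += "not valid before $($cert.NotBefore)" }
        if ($cert.NotAfter  -lt $now) { $problems += "expired on $($cert.NotAfter)" }
        [pscustomobject]@{
            File         = Split-Path $Path -Leaf
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            Thumbprint   = $cert.Thumbprint
            SafeToUpload = ($problems.Count -eq 0)
            Problems     = ($problems -join '; ')
        }
    }
}

# Usage (placeholder folder): check every certificate before touching the collector
Get-ChildItem .\certs-to-upload\*.cer, .\certs-to-upload\*.pem |
    Select-Object -ExpandProperty FullName |
    Test-CertificateForUpload | Format-Table -AutoSize
```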

1- Go to Administration -> Services -> Log Collector -> View -> Config to upload the new certificate.

2- Go to Settings -> Certificates.

3- Select + Add Cert.

4- Browse and select your new cert.

5- Save. As you can see it says “Certificate was added successfully”, but the certificate does not appear in the GUI ;).

6- If you noticed, the system is on the new version 10.6 and the certificate is still not there, because the system is already affected.

7- All uploaded certificates are stored in /etc/netwitness/ng/truststore/ on the Log Collector.

If you do not know which one is the wrong certificate and you delete all of these certificates using the CLI, it will not help; you must know the certificate name in order to delete it from the GUI.

Anyway, here is the path of the certificate that messed up the system:

8- /etc/netwitness/ng/logcollector/runtime/certificatemap

9- Now that we have found the certificate and its name, we delete it correctly from the GUI. Go to Administration -> Services -> Log Collector -> View -> Explore -> logcollection -> Properties for logdecoder – Log Collector, select “certmgmt”, and in the Parameters type “op=delete name=amin”, then Send. The Response Output shows that the user admin has deleted certificate ‘amin’.

10- Now check the path again; the certificate is gone 😉

11- Restart the collector service: stop nwlogcollector / start nwlogcollector

12- Stop/start jettysrv on the SA appliance.

13- Now upload a new certificate, and it will be there for you my friend.

14- Enjoy it 😉


How to reset lockbox Password in RSA Security analytics Step by Step

Amin Khalil (VMware VCP-DCV, VCPC, VTSP, RSA Security Analytics)

Hello RSA Admins,

In this topic we discuss in detail how to reset the RSA Security Analytics Lockbox password, so here we go.

Connect to the Log Collector appliance via SSH as the root user.

Change directory to /etc/netwitness/ng/vault/ with the following command: cd /etc/netwitness/ng/vault

Make a new directory to back up the existing lockbox with the following command: mkdir old

Move the existing lockbox files to that directory with the following command: mv -vi lockbox lockbox.FCD lockbox.bak lockbox.bak.FCD old

Log in to the RSA Security Analytics UI and navigate to Administration -> Services.

Select the Log Collector service and click View -> Config.

Click the Settings tab.

Leave the “Old Lockbox Password” field blank and enter a new password in the “New Lockbox Password” field.

Finally, click Apply.

Please note that all stored passwords for the event sources will need to be re-entered after the new lockbox is created, so before doing this procedure make sure you have all the needed passwords 😉

 


Exchange 2013/2010 – 421 4.4.2 Connection dropped due to SocketError

Ahmad Yasin (MCSA office 365, MCSE : Messaging, Azure Certified)

Hello Exchange Experts,

A couple of my customers with Exchange 2013 servers reported a strange issue on their Exchange servers.

Some emails sent to specific domains were stuck in the queue with the error below:

‘400 4.4.7 Message delayed’ – Remote Server at Customerdomain.com (xxx.xxx.145.250) returned ‘441 4.4.1 Error encountered while communicating with primary target IP address: “421 4.4.2 Connection dropped due to SocketError.” Attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts, or delivery failed to all alternate hosts. The last endpoint attempted was xxx.xxx.145.250:25′

Our network team checked the firewalls (Cisco ASA and Fortigate) by adding these specific domains to the whitelist, turning off SMTP inspection and stopping AV and antispam on the firewall, but none of these solved the problem from the firewall side.

So we went back to solving the issue from the Exchange side, and I found that it can be solved on the SMTP connector. As you know, SMTP connectors are used primarily to connect to other mail systems or to define additional options for an SMTP Internet gateway. SMTP connectors can also be used to connect a routing group to another routing group internally, but an SMTP connector is generally not recommended for that. Essentially, SMTP connectors allow you to designate an isolated route for messages to flow either to a specific domain or over the Internet.

So, to solve this issue we forced the send connector used to route emails to the Internet to use the HELO command by setting the -ForceHELO parameter as below:

Set-SendConnector "(connector name)" -ForceHELO $true

After executing the above command, the error in the queue changed to:

#501 "FQDN" is invalid or DNS says does not exist

To solve this error, open the Exchange 2013 ECP and follow this path:

Mail Flow -> Send Connector -> double-click the connector -> Scoping tab

You will see that the FQDN is empty. Just add your FQDN, such as mail.yourdomain.com, then click Save.

If you have Exchange 2010 you can do this by going to:

Organization Management -> Hub Transport -> Send Connector -> double-click the connector and set the value.

After setting this value, the messages leave the queue immediately after restarting the transport service. Again, don’t forget to restart the transport service.
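An added example for the Exchange Management Shell (not the post’s own code) that audits the Internet send connectors for the two settings this post changes, ForceHELO and an empty Fqdn, fixes them, and restarts the transport service on each source server so the fix actually takes effect. The FQDN is a placeholder; -WhatIf shows the changes without applying them.

```powershell
# Added example: audit and repair Internet send connectors (ForceHELO + Fqdn).

function Repair-InternetSendConnector {
    param(
        [Parameter(Mandatory)] [string] $Fqdn,   # e.g. mail.yourdomain.com (placeholder)
        [switch] $WhatIf
    )
    # "Internet" connectors are those with the '*' address space
    $connectors = @(Get-SendConnector | Where-Object {
        @($_.AddressSpaces | Where-Object { $_.Address -eq '*' }).Count -gt 0
    })
    $servers = @()
    foreach ($c in $connectors) {
        $changes = @{}
        if (-not $c.ForceHELO)                     { $changes['ForceHELO'] = $true }
        if ([string]::IsNullOrEmpty("$($c.Fqdn)")) { $changes['Fqdn']      = $Fqdn }
        if ($changes.Count -gt 0) {
            Set-SendConnector -Identity $c.Identity @changes -WhatIf:$WhatIf
            $servers += ($c.SourceTransportServers | ForEach-Object { $_.Name })
        }
        [pscustomobject]@{
            Connector = $c.Name
            ForceHELO = $c.ForceHELO
            Fqdn      = "$($c.Fqdn)"
            Changed   = ($changes.Keys -join ', ')
        }
    }
    # Transport only picks up the new connector settings after a restart
    if (-not $WhatIf) {
        foreach ($s in ($servers | Sort-Object -Unique)) {
            Get-Service -ComputerName $s -Name MSExchangeTransport | Restart-Service
        }
    }
}

# Usage (placeholder FQDN): preview first, then apply
Repair-InternetSendConnector -Fqdn 'mail.yourdomain.com' -WhatIf
Repair-InternetSendConnector -Fqdn 'mail.yourdomain.com' | Format-Table -AutoSize
```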


Customize Azure Multi-factor Authentication – Part 1

Ahmad Yasin (MCSA office 365, MCSE : Messaging, Azure Certified)

Hello All,

In First part of Azure MFA series, we discussed the general concept of Azure MFA and how you can integrate it with your systems based on your requirements.

In the second and Third part, we implemented a real MFA scenario to secure the remote desktop access to servers (RDP).

In this part we will discuss how to customize the Azure MFA voice messages.

So let's start this part by showing you how to customize the call voice. Custom voice messages allow you to use your own recordings or greetings with multi-factor authentication; they can be used in addition to, or instead of, the Microsoft recordings.

First of all, you should have created an Azure MFA provider, as we did in the previous part. Note that if you have an Office 365 subscription only, you can enable MFA for users without an Azure MFA provider, but in that case you cannot do any MFA customization; to use MFA customization you need an Azure MFA provider.

Log in to your Azure tenant and open the MFA provider by navigating to:

Active Directory -> MULTI-FACTOR AUTH PROVIDER -> click on your provider


After you open the MFA provider, click Manage:


The main page of the MFA provider will appear:


From the Configure options in the left pane, click Settings. On the Settings page, click New Voice Message to add your custom voice:


Since this is the first time, you need to upload your custom voice file first; click Manage Sound Files:


The Sound Files page will appear; click Upload Sound Files:


Click Choose File to select your custom voice file, fill in a description for the file and click Upload:


The custom voice file must not exceed 5 MB and must be in WAV or MP3 format. It is also recommended that the recording be shorter than 20 seconds.
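Before uploading, it is worth checking a recording locally against the limits just listed. The script below is an added example, not part of the original post or of the Azure MFA portal; the function names Test-MfaSoundFile and Get-WavDurationSeconds and the sample path C:\mfa\greeting.wav are assumptions. The duration is read from the WAV header only; MP3 files are checked for size and type.

```powershell
# Added example (not from the original post): check a recording against the limits the
# post lists (<= 5 MB, WAV or MP3, ideally shorter than 20 seconds) before uploading it.
function Get-WavDurationSeconds {
    param([Parameter(Mandatory)][string]$Path)
    $b = [System.IO.File]::ReadAllBytes($Path)
    $ascii = [System.Text.Encoding]::ASCII
    if ($b.Length -lt 12 -or $ascii.GetString($b, 0, 4) -ne 'RIFF' -or $ascii.GetString($b, 8, 4) -ne 'WAVE') {
        return $null   # not a RIFF/WAVE file
    }
    $pos = 12; $byteRate = 0; $dataLen = 0
    # Walk the chunk list: each chunk is a 4-byte id, a 4-byte little-endian size, then the payload.
    while ($pos + 8 -le $b.Length) {
        $id   = $ascii.GetString($b, $pos, 4)
        $size = [System.BitConverter]::ToUInt32($b, $pos + 4)
        if ($id -eq 'fmt ' -and ($pos + 20) -le $b.Length) {
            # fmt payload layout: AudioFormat(2) Channels(2) SampleRate(4) ByteRate(4) ...
            $byteRate = [System.BitConverter]::ToUInt32($b, $pos + 16)
        } elseif ($id -eq 'data') {
            $dataLen = $size
        }
        $pos += 8 + $size + ($size % 2)   # payloads are padded to an even length
    }
    if ($byteRate -gt 0 -and $dataLen -gt 0) { return [math]::Round($dataLen / $byteRate, 2) }
    return $null
}

function Test-MfaSoundFile {
    param([Parameter(Mandatory)][string]$Path)
    $maxBytes = 5MB; $maxSeconds = 20          # limits quoted in the post
    $problems = New-Object System.Collections.Generic.List[string]
    $file = Get-Item -LiteralPath $Path -ErrorAction Stop

    if ($file.Extension -notin '.wav', '.mp3') {
        $problems.Add("format '$($file.Extension)' is not WAV or MP3")
    }
    if ($file.Length -gt $maxBytes) {
        $problems.Add("size $([math]::Round($file.Length / 1MB, 2)) MB exceeds 5 MB")
    }

    $duration = $null
    if ($file.Extension -eq '.wav') {
        $duration = Get-WavDurationSeconds -Path $file.FullName
        if ($null -eq $duration) {
            $problems.Add("file has a .wav extension but no readable RIFF/WAVE header")
        } elseif ($duration -gt $maxSeconds) {
            $problems.Add("duration $duration s is longer than the recommended $maxSeconds s")
        }
    }

    [pscustomobject]@{
        File     = $file.Name
        SizeMB   = [math]::Round($file.Length / 1MB, 2)
        Seconds  = $duration        # $null for MP3: duration is not parsed for that format
        Ready    = ($problems.Count -eq 0)
        Problems = ($problems -join '; ')
    }
}

# Usage (sample path is an assumption):
Test-MfaSoundFile -Path 'C:\mfa\greeting.wav'
```

A file that reports Ready = True meets the size and format limits; the duration check is only advisory, matching the post's wording, so a long WAV is flagged rather than rejected.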

The file is uploaded successfully; now click the Back button:


Now choose the language of your custom voice, the Message Type and the sound file we just uploaded, and click Create:


Finally, below is the list of message types and their meaning:

Greeting (Standard) : Thank you for using the Microsoft’s sign-in verification system. Please press the pound key to finish your verification.

Retry (Standard): Thank you for using the Microsoft’s sign-in verification system. Please press the pound key to finish your verification.

Fraud Greeting (Standard): Thank you for using Microsoft’s sign-in verification system. Please press the pound key to finish your verification. If you did not initiate this verification, someone may be trying to access your account.  Please press zero pound to submit a fraud alert.  This will notify your company’s IT team and block further verification attempts.

Greeting (PIN) : Thank you for using Microsoft’s sign-in verification system.  Please enter your PIN followed by the pound key to finish your verification.

Retry (PIN): Thank you for using Microsoft’s sign-in verification system.  Please enter your PIN followed by the pound key to finish your verification.

Fraud Greeting (PIN): Thank you for using Microsoft’s sign-in verification system.  Please enter your PIN followed by the pound key to finish your verification. If you did not initiate this verification, someone may be trying to access your account.  Please press zero pound to submit a fraud alert.  This will notify your company’s IT team and block further verification attempts.

Authentication Successful: Your sign in was successfully verified. Goodbye.

Authentication Denied: I’m sorry, we cannot sign you in at this time. Please try again later.

Verification Denied Retry: Verification denied.

Activation Greeting (Standard): Thank you for using the Microsoft’s sign-in verification system.  Please press the pound key to finish your verification.

Activation Retry (Standard): Thank you for using the Microsoft’s sign-in verification system.  Please press the pound key to finish your verification.

Activation Greeting (PIN): Thank you for using Microsoft’s sign-in verification system.  Please enter your PIN followed by the pound key to finish your verification.

Activation Retry (PIN): Thank you for using Microsoft’s sign-in verification system.  Please enter your PIN followed by the pound key to finish your verification.

Extension Prompt: Thank you for using Microsoft’s sign-in verification system.  Please press pound key to continue.

Extension Prompt Before Digits: Thank you for using Microsoft’s sign-in verification system.  Please transfer this call to extension …

Extension Prompt After Digits: If already at this extension, press the pound key to continue.

Fraud Reported: If you did not initiate this verification, someone may be trying to access your account.  Please press 1 to submit a fraud alert.  This will notify your company’s IT team and block further verification attempts.

Fraud Confirmation: A fraud alert has been submitted.  To unblock your account, please contact your company’s IT help desk.

In the next parts, we will discuss Azure MFA reporting, caching, fraud alerts, etc. So stay tuned 🙂

Exchange 2013 Hybrid Configuration wizard – subtask checkprereqs execution failed

Ahmad Yasin (MCSA office 365, MCSE : Messaging, Azure Certified)

Hello All,

I worked with one of our customers to deploy a hybrid setup between Exchange 2013 and Office 365.

The customer has two multi-role Exchange 2013 servers, and after we synchronized the local Active Directory with Azure AD using AD Connect, we tried to enable the Hybrid Configuration Wizard.

Once we enabled the Hybrid Configuration Wizard, we faced the error below:

Subtask CheckPrereqs execution failed: Check Tenant Prerequisites

Deserialization fails due to one SerializationException: 

Microsoft.Exchange.Compliance.Serialization.Formatters.BlockedTypeException: The type to be (de)serialized is not allowed: Microsoft.Exchange.Data.Directory.DirectoryBackendType


The customer has Exchange 2013 CU5. According to the Microsoft article, this is a known error in this version of Exchange and you should upgrade your Exchange servers to the latest cumulative update (CU). As of the date of this article the latest CU is CU11, which you can download from here: https://www.microsoft.com/en-us/download/details.aspx?id=50366

After we upgraded the Exchange servers, the Hybrid Configuration Wizard worked and the error disappeared.
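A pre-check worth running before the Hybrid Configuration Wizard: list each Exchange 2013 server's build and flag the ones below the CU you intend to require. This is an added example, not from the original post; Get-ExchangeBuildReport is an assumed name, and the default minimum build 15.0.1156.6 is taken from Microsoft's Exchange 2013 build table as the CU11 build (CU5 is 15.0.913.22), which you should verify against the current table before relying on it.

```powershell
# Added example (not from the original post): report every Exchange 2013 server's build
# and flag those older than the minimum CU. Run from the Exchange Management Shell.
function Get-ExchangeBuildReport {
    param(
        # Assumption: CU11 build from Microsoft's Exchange 2013 build table; verify before use.
        [version]$MinimumBuild = [version]'15.0.1156.6'
    )
    Get-ExchangeServer |
        Where-Object { $_.AdminDisplayVersion -match '^Version 15\.0' } |   # Exchange 2013 only
        ForEach-Object {
            # AdminDisplayVersion renders as "Version 15.0 (Build 1156.6)"
            $text  = $_.AdminDisplayVersion.ToString()
            $build = $null
            if ($text -match 'Version (\d+)\.(\d+) \(Build (\d+)\.(\d+)\)') {
                $build = [version]('{0}.{1}.{2}.{3}' -f $Matches[1], $Matches[2], $Matches[3], $Matches[4])
            }
            [pscustomobject]@{
                Server      = $_.Name
                Build       = $build
                NeedsUpdate = ($null -eq $build -or $build -lt $MinimumBuild)
            }
        }
}

$report = Get-ExchangeBuildReport
$report | Format-Table -AutoSize
if ($report | Where-Object NeedsUpdate) {
    Write-Warning 'Update the servers marked NeedsUpdate before running the Hybrid Configuration Wizard.'
}

# To double-check a single server's exact CU level, the setup binary's file version is
# authoritative: run this locally on that server.
# (Get-Command ExSetup.exe).FileVersionInfo.FileVersion
```

Because the HCW talks to every server in the organization, one server left on an old CU is enough to reproduce the error, so the report is most useful when it comes back empty of NeedsUpdate rows.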

Reference for this known issue: https://support.microsoft.com/en-us/kb/2988229
