All posts by jaapwesselius

Webinar: Top 5 Exchange hybrid considerations

This Thursday (May 16th) I’ll be doing a webinar on the Top 5 Exchange Hybrid Considerations with Jeff Guillet, MVP and MCM and well known for this ExPTA blogs.

The webinar will be hosted by Nicole Silva from Enow Software and will take approx 35 minutes, there is Q&A at the end and also the possibility to ask questions using a chat window during the call.

Topics are:

  • Identities.
  • Synchronization.
  • Authentication.
  • En two more 🙂

There are still a few seats left, you can register on the Enow website: https://enow.software/2WbwIQJ

Prepopulate mobile phone for multi-factor authentication

I am working with a customer where we want to enable multi-factor authentication for their users as a measure to secure their environment. But when you enable MFA and a user logs on for the first time, the user has to enter his mobile phone number, even if the mobile phone number is populated in on-premises Active Directory and synchronized to Azure Active Directory (which is default).

additional security verification

When you check the user account in the Azure AD portal, you can see that the mobile phone number is synchronized, but the authentication phone number is empty.

authentication contact info

This is not a desired solution, if a user can set a new mobile phone during logon, a malicious user can do this as well. A typical user will logon shortly after the MFA is set, but especially when doing bulk changes this might not be the case. And when a user account that is MFA enabled, but hasn’t set the authentication phone property is compromised you’re screwed.

Out of the box there’s no easy way to prepopulate the authentication phone number. The authentication phone number is not store in on-premises Active Directory, it’s an Azure AD property. The property to control the strong authentication is called StrongAuthenticationMethods and you can set this using PowerShell. When you set this, the authentication phone number is still prepopulated, but when the mobile phone number is synchronized, this is used in the first place.

To set this StrongAuthenticationMethods property you can use the following PowerShell commands:

Connect MsolService 
$UserPrincipalName = "j.brown@exchangelabs.nl"
$SMS = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
$SMS.IsDefault = $true
$SMS.MethodType = "OneWaySMS"
$Phone = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationMethod
$Phone.IsDefault = $false
$Phone.MethodType = "TwoWayVoiceMobile"
$PrePopulate = @($SMS, $Phone)
Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationMethods $PrePopulate

Now when the user logs on for the first time with MFA enabled, he’s presented the enter code dialog box, without having to enter a mobile number first.

we texted your phone

If you do this, and the mobile phone number is not set in on-premises Active Directory, MFA will still try to use the mobile phone number, but nothing will happen as shown in the following screenshot:

we are having trouble verifying your account

Since there’s no mobile phone number to use, and no option to add this anymore directly by the user you’re stuck here (until the mobile phone number is added to on-premises Active Directory of course).

Note. If you want to enable MFA using PowerShell, you can use the following commands (and maybe combine them with the commands mentioned earlier):

$Strong = New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$Strong.RelyingParty = "*"
$Strong.State = "Enabled"
$MFA = @($Strong)
Set-MsolUser -UserPrincipalName j.smith@exchangelabs.nl -StrongAuthenticationRequirements $MFA

More information

Exchange Hybrid TLS negotiation failed with error NoCredentials

Recently I ran the Hybrid Configuration Wizard in an Exchange 2016 and Exchange 2019 environment. There were also two Edge Transport servers in this environment. One Exchange 2016 CU12 Edge Transport server is used for internet communication, one Exchange 2019 CU1 Edge Transport server (running on Windows 2019 Server Core) is used for hybrid communication. This server was selected in the Hybrid Configuration Wizard, proper certificate was selected etc. and the Hybrid Configuration Wizard finished successfully.

When the wizard finished the Receive Connector on the Edge Transport server was modified for hybrid mail flow. Validating the Send Connector from Exchange Online to Exchange on-premises revealed no issues, the test message was successfully sent and received in my mailbox.

But message flow from Exchange on-premises to Exchange Online was not working and mail was stuck in the Queue on the Edge Transport server. Looking at the Queue it seems there’s a time-out issue since it says:

LastError : [{LED=451 4.4.395 Target host responded with error. -> 421 4.4.1 Connection timed out};{MSG=};{FQDN=exchangelabsnl-mail-onmicrosoft-com.mail.protection.outlook.com}; {IP=104.47.10.36};{LRT=5/2/2019 6:32:14 AM}]

421 4.4.1 connection timed out

It is not a firewall issue, I can use Telnet to connect on port 25 and send a message to myself (which arrives in the junk mail folder, but it arrives).

Opening the Send Connector protocollog file (enable in on the outbound connector first) shows a different error. When trying to execute the TLS handshake it fails with TLS negotiation failed with error NoCredentials.

TLS Negotiation failed with error NoCredentials

This is strange since the same certificate is used by the Receive Connector (you can check this using https://checktls.com and entering the FQDN of the Exchange server holding the Receive Connector).

The “TLS negotiation failed with error NoCredentials” looks like a private key issue with the certificate (according to Microsoft kb article KB4495258) but PowerShell shows it does have a private key:

Has Private Key

When going back to the protocol logfile you can see the certificate thumbprint in the data field, and this thumbprint didn’t match the thumbprint of the certificate that Get-ExchangeCertificate returned.

Certificate Thumbprint

But, Get-ExchangeCertificate only returns certificates that have a private key, if there isn’t a private key nothing is returned.

When opening the certificate store using PowerShell using the following commands:

CD Cert:
Cd LocalMachine
Set-Location my
Get-ChildItem

All certificates in the store are shown, and when checking the certificate with the thumbprint we got from the protocol log, this one does not have a private key:

Check private key

That explains the NoCredentials error messages. Use the following command to remove the wrong certificate:

Get-ChildItem | ?{$_.Thumbprint -like “B79*”} | Remove-Item

After restarting the Transport service cross-premises mail flow works again.

The main question is of course how this happened. I’m not sure, but I do remember requesting several certificates at the same time (a few weeks ago) and there were a few errors. I didn’t pay too much attention to this since everything seemed to work fine. But in the end it turned out to be not the case, and I didn’t notice in the first place because of inbound SMTP working fine. Sigh…. 😊

 

Implement Azure AD two-factor authentication for users

Recently one of my customers had a user’s account compromised. Because the user had a weak password (name of the local soccer team followed by a sequential number) his account was compromised using a password spray attack.

One way (of many) to avoid this is to use multi-factor authentication (MFA). Besides a regular username and password, MFA uses another authentication option, like a text message, an app on your mobile device or an ‘app password’ when the other two options cannot be used for some reason.

Note. MFA is available in three versions. There’s an MFA for admin accounts (MFA for admin accounts), there’s a full version as part of the Azure AD Premium subscription and there’s a lightweight version part of all Office 365 business subscriptions called the Multi-Factor Authentication for Office 365. This version can only be used with Office 365 services and is the one I used for this blog.

MFA Requirements

Before you start with implementing MFA in your environment, make sure your Office 365 tenant and your devices meet the following criteria.

Office 2016 clients support MFA natively using Active Directory Authentication Library (ADAL), the same is true for browsers. Not all Office 365 tenants have ADAL functionality enabled by default, especially the older tenants have not. To check if your tenants support this, open the Exchange Management Shell for Exchange Online and enter the following command:

Get-OrganizationConfig | Format-Table name, *OAuth*

If it returns False as shown in the screenshot below (I have an older tenant) you can use the following command to enable it on an organization level:

Set-OrganizationConfig -OAuth2ClientProfileEnabled:$true

OAuth2ClientProfileEnabled

The same should is true for Skype for Business Online clients. To check the ADAL support in your tenant, open a Skype for Business Online PowerShell command and execute the following command:

Get-CsOAuthConfiguration | select *client*

If it’s not enabled (as shown in the following screenshot) you can use the following command to enable it:

Set-CsOAuthConfiguration -ClientAdalAuthOverride Allowed

Set-CsOAuthConfiguration

For older apps, or apps that do not support MFA through ADAL, you can use an AppPassword. This is a special password, especially for the device you work on. You can only use the AppPassword on this specific device, and not on any other device. For other devices you need to have an additional AppPassword. An AppPassword is created the first time you use MFA on a device which will be shown later in this blog.

For mobile device I strongly recommend installing the Microsoft Authenticator to help you make authentication life a bit easier. The MFA information is stored on this specific device and is only available on this specific machine. The Microsoft Authenticator is available via the App Store on your device.

Enable MFA

To enable MFA for cloud accounts, open the Microsoft Online Portal (https://portal.office.com) and logon using the tenant admin account. Select Active Users, but before you select any user click on the More drop-down box and select Multifactor Authentication Setup as shown in the following screenshot:

Enable Azure MFA

In the next window, select the user you want MFA to enable for and click enable in the right pane. In the confirmation box click enable multi-factor auth.

In the same Window you can also change the service settings as shown below:

service settings

In the service settings, you can change variables like whether or not to have users create AppPasswords, what authentication options can be used and the timeframe to remember MFA authentications:

allow users to create app passwords

Make sure the Allow users to create app passwords to sign in to non-browser apps radio button is checked. At the same time have a look at the Allow users to remember multi-factor authentication on devices they trust option. Using this option, you can set the number of days before the user has to use MFA again for authentication. In the mean time the device is trusted and MFA is not needed.

Using MFA on your clients

After enabling MFA and you logon to for example OWA an additional pop-up is presented where additional information is requested. The mobile phone number is already in Active Directory and thus prepopulated, and a text message is sent to this number.

30 days OWA

After entering the validation code you are officially logged on. The last step is that an AppPassword is presented, you can use this AppPassword on this device for application that do not support the Microsoft MFA (through ADAL).

When Outlook 2016 is started an additional pop-up is shown where the validation code has to be entered. Since the MFA is remembered for 30 days you won’t see this again the upcoming 4 weeks (and two days 😊).

The same is true for OneDrive for Business and Skype for Business clients, they need to authenticate as well. My work laptop is Azure AD joined, and the advantage here is that I only need to logon once, and need to enter the SMS authentication only once since both tokens are stored on the device.

When enabling MFA as shown below it is enforced on mobile device as well. I have an iPhone with iOS 12.2 and this supports MFA natively. The next time the device needs to authenticate (can take some time after enabling MFA) a validation code is sent to the device. This can be a bit challenging since you need to enter this code on the device itself. The Microsoft Authenticator (or any authenticator) can help you here, especially if you have multiple profiles with multiple (MFA enabled) mailboxes.

The next 30 days (or whatever timeframe you’ve entered) you won’t get the MFA validation challenge, unless you change the password, then the MFA is triggered, and you need to authenticate again. Remember that the token is stored on the local device, so if you want to check your email on another device you have a authenticate using MFA on that device as well. And this is what will frustrate the bad guys in Nigeria (screenshot below shows where out attacker was hiding) since they don’t have access to your device, so even with a weak password (still not recommended!) you should be much safer.

Nigeria-attack

Summary

You can use Multi Factor Authentication as an additional measure against hackers that want to use user credentials to access your environment. Since an additional authentication method is needed, it is much more difficult to get access to your environment for the bad guys. Since they don’t have access to the mobile device it’s hardly impossible to misuse the mailbox.

The next logical step would be to implement a password less authentication, but that’s for a future blog 😊

More information

An error occurred trying to connect the WSUS server

You might not expect a WSUS blog post on a site maintained by an Exchange consultant, but there are still customers using Exchange servers on-premises, and these need to be patched as well (and so are the clients of course).

After installing and a new WSUS server running on Windows 2016 I quickly ran into an annoying issue after configuring the WSUS server and downloading the updates. The console would no longer connect and generated a ‘Connection Error’ popup saying “An error occurred trying to connect the WSUS server. This error can happen for a number of reasons. Check connectivity with the server. Please contact your network administrator if the problem persists.”

Error Connection Error

When you click the copy error to clipboard button the following is copied:

The WSUS administration console was unable to connect to the WSUS Server via the remote API.
Verify that the Update Services service, IIS and SQL are running on the server. If the problem persists, try restarting IIS, SQL, and the Update Services Service.
The WSUS administration console has encountered an unexpected error. This may be a transient error; try restarting the administration console. If this error persists, Try removing the persisted preferences for the console by deleting the wsus file under %appdata%\Microsoft\MMC\.

If IISRESET was executed, it runs again for some time, but then the issue happens again. When looking at the IIS console when this error occurs it turns out that the WsusPool was stopped as can be seen in the following screenshot:

WSUS App Pool

Starting the WsusPool solves the problem temporarily, but after some time it stops again. And again… and again…

It turns out to be a private memory issue in the WsusPool which seems to be depleted quickly. It is possible to assign more memory, but since I have no clue how much memory to assign I changed the setting to ‘0’ (1,843,200 KB is default) so the WsusPool can use anything it needs.

WSUS App Pool advanced settings

After changing the private memory limit for the WsusPool the error no longer occurs.