
EMC 2007 - Access is denied (2147024891) Error

Something I noticed today while working on some issues one of our guys had with using the EMC for Exchange 2007. He kept getting an access denied error when trying to do anything in the EMC. The message went something like this:

——————————————————–
Microsoft Exchange Error
——————————————————–
The following error(s) were reported while loading topology information:
Get-OWAVirtualDirectory
Failed
Error:
Unable to create Internet Information Services (IIS) directory entry. Error message is: Access is denied.
HResult = -2147024891.
Access is denied.
Directory Path: IIS://mailboxserver.genericcompany.com/W3SVC/1/ROOT/Exchange
Detail:
server name: mailboxserver.genericcompany.com
local machine name: XPWORKSTATION
local machine fqdn: XPWORKSTATION.genericcompany.com
Access is denied.
Kind of an irritating message actually. There were some other ones as well referring to the CAS server, etc., but you get the point.

The solution? Heh, easy as can be actually.

  * From “Start” -> “Run” type in ‘dcomcnfg’ and hit “Enter”
  * From the Component Services Console, expand “Component Services” -> “Computers”
  * Right click on “My Computer” and select “Properties”
  * On the “Default Properties” tab, find the Default Impersonation Level and change it from “Identify” to “Impersonate”
That should do it.
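The dcomcnfg change above can be audited (and applied to several workstations consistently) from PowerShell. The script below is an added example, not part of the original post; it assumes that the Default Impersonation Level shown by dcomcnfg is stored in the LegacyImpersonationLevel value under HKLM\SOFTWARE\Microsoft\Ole (2 = Identify, 3 = Impersonate) and that a missing value means the Identify default.

```powershell
# Added example (not from the original post): audit the machine-wide DCOM
# default impersonation level that dcomcnfg exposes under
# My Computer -> Properties -> Default Properties.
# Assumption: that setting lives in HKLM\SOFTWARE\Microsoft\Ole\LegacyImpersonationLevel
# (1 = Anonymous, 2 = Identify, 3 = Impersonate, 4 = Delegate); absent = Identify.
$olePath    = 'HKLM:\SOFTWARE\Microsoft\Ole'
$levelNames = @{ 1 = 'Anonymous'; 2 = 'Identify'; 3 = 'Impersonate'; 4 = 'Delegate' }

function Get-DcomImpersonationLevel {
    $props = Get-ItemProperty -Path $olePath -ErrorAction Stop
    $value = $props.LegacyImpersonationLevel
    if ($null -eq $value) { $value = 2 }   # assumption: dcomcnfg shows Identify when the value is absent
    [pscustomobject]@{
        Value = [int]$value
        Name  = $levelNames[[int]$value]
    }
}

function Set-DcomImpersonationLevel {
    # Only the two levels the post talks about; Delegate is broader than the EMC needs.
    param([ValidateSet('Identify', 'Impersonate')][string]$Level)
    $value = if ($Level -eq 'Impersonate') { 3 } else { 2 }
    Set-ItemProperty -Path $olePath -Name LegacyImpersonationLevel -Value $value -Type DWord
}

$current = Get-DcomImpersonationLevel
Write-Host "Default impersonation level: $($current.Name) ($($current.Value))"
if ($current.Value -lt 3) {
    Write-Host 'EMC topology loading needs Impersonate; run Set-DcomImpersonationLevel -Level Impersonate from an elevated prompt.'
}
```

Run the read part as any user; the Set- function needs an elevated prompt, and the new level only applies to DCOM clients started after the change, so restart the EMC afterwards. Impersonate is enough for the EMC to act as the logged-on admin against the remote IIS metabase; there is no reason to go up to Delegate.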

Mirrored on: http://travis.sarbin.net/2009/04/06/emc-2007-access-is-denied-2147024891-error

Exchange 2003 ActiveSync w/ SSL and/or forms-based authentication.

Probably one of the most common complaints when someone is deploying Exchange and the organization has Windows Mobile phones that they would like to sync with the Exchange server is the puzzling “Why won’t this just work?” question that plagues system administrators. Usually this follows flagging the option to use forms-based authentication. While the solution is out there, sometimes folks don’t know exactly why or where the problem is originating, so they have a hard time finding it. Well, hopefully this little paragraph describing the problem will allow some search engine somewhere to let someone, somewhere locate this solution more easily. That, and it’s always good to have this one handy in the local arsenal of tools that Myke and I are compiling. So, adding to our list of ‘oh yeah, that’s how I fixed that’ articles, here’s how to resolve why Microsoft ActiveSync will not work on any Exchange installation where SSL and/or forms-based authentication has been enabled out of the box. Keep in mind these changes should be made to the server with the mailboxes on it, not a front-end server. Also worth noting: if you have an SBS2003 installation, these options should already be set. If they are not, or you are having problems with ActiveSync, run through these instructions to check that they are all present. If they are, perhaps your problem isn’t in authentication or contacting the server, but something a little easier to address. :)
**This method will involve creating a new virtual directory from a copy of the original to handle related requests. If you are not comfortable with registry changes or IIS settings, you may not want to try this.

Disable forms-based authentication on the Exchange server you are about to modify.

  1. Open Exchange Manager.
  2. Expand Administrative Groups, expand the first administrative group, and then expand Servers.
  3. Expand the server container for the Exchange Server 2003 server that you will be configuring, expand Protocols, and then expand HTTP.
  4. Under the HTTP container, right-click the Exchange Virtual Server container, and then click Properties.
  5. Click the Settings tab, clear the Enable Forms Based Authentication check box, and then click OK.
  6. Close Exchange Manager.
  7. Click Start, click Run, type IISRESET/NOFORCE, and then press ENTER to restart Internet Information Services (IIS).

Create a secondary virtual directory and configure ActiveSync to communicate with it.

  1. Start Internet Information Services (IIS) Manager.
  2. Locate the Exchange virtual directory. The default location is as follows:

    Web Sites\Default Web Site\Exchange

  3. Right-click the Exchange virtual directory, click All Tasks, and then click Save Configuration to a File.
  4. In the File name box, type a name. For example, type ExchangeVDir. Click OK.
  5. Right-click the root of this Web site. Typically, this is Default Web Site. Click New, and then click Virtual Directory (from file).
  6. In the Import Configuration dialog box, click Browse, locate the file that you created in step 4, click Open, and then click Read File.
  7. Under Select a configuration to import, click Exchange, and then click OK. A dialog box will appear stating that the “virtual directory already exists.”
  8. Select the Create a new virtual directory option. In the Alias box, type a name for the new virtual directory that you want Exchange ActiveSync and Outlook Mobile Access to use. For example, type exchange-oma. Click OK.
  9. Right-click the new virtual directory. In this example, click exchange-oma. Click Properties.
  10. Click the Directory Security tab.
  11. Under Authentication and access control, click Edit.
  12. Make sure that only the following authentication methods are enabled, and then click OK:
    • Integrated Windows authentication
    • Basic authentication
  13. On the Directory Security tab, under IP address and domain name restrictions, click Edit.
  14. Click the option for Denied access, click Add, click Single computer and type the IP address of the server that you are configuring, and then click OK twice.
  15. Under Secure communications, click Edit. Make sure that Require secure channel (SSL) is not enabled, and then click OK.
  16. Click OK, and then close the IIS Manager.
  17. Click Start, click Run, type regedit, and then click OK.
  18. Locate the following registry subkey:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MasSync\Parameters

  19. Right-click Parameters, click to New, and then click String Value.
  20. Type ExchangeVDir, and then press ENTER. Right-click ExchangeVDir, and then click Modify. Note: ExchangeVDir is case-sensitive. If you do not type ExchangeVDir exactly as it appears in this article, ActiveSync does not find the key when it locates the exchange-oma folder.
  21. In the Value data box, type the name of the new virtual directory that you created in step 8. For example, type /exchange-oma. Click OK.
  22. Quit Registry Editor.
  23. Restart the IIS Admin service. To do this, follow these steps:
    1. Click Start, click Run, type services.msc, and then click OK.
    2. In the list of services, right-click IIS Admin service, and then click Restart.

To re-enable forms-based authentication, do the following:

  1. Open Exchange Manager.
  2. Expand Administrative Groups, expand the first administrative group, and then expand Servers.
  3. Expand the server container for the Exchange Server 2003 server that you will be configuring, expand Protocols, and then expand HTTP.
  4. Under the HTTP container, right-click the Exchange Virtual Server container, and then click Properties.
  5. Click the Settings tab, click to select the Enable Forms Based Authentication check box, and then click OK.
  6. Close Exchange Manager.
  7. Click Start, click Run, type IISRESET/NOFORCE, and then press ENTER to restart Internet Information Services (IIS).
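Once the three procedures above are done, the easiest way to find a missed step is to read the result back from the IIS 6 metabase and the registry rather than clicking through the dialogs again. The script below is an added example, not part of the original post; it assumes it runs on the back-end (mailbox) server, that the Default Web Site is metabase site id 1, that the new virtual directory alias is exchange-oma as in the example, and that the IIS 6 ADSI provider (IIS://) is available. It checks the authentication methods from step 12, the SSL requirement from step 15 and the ExchangeVDir registry value from steps 18 to 21; it does not check the IP restriction from step 14.

```powershell
# Added example (not from the original post): verify the exchange-oma virtual
# directory and the MasSync registry pointer that the procedure above creates.
# Assumptions: IIS 6 metabase reachable through the ADSI IIS:// provider on the
# local back-end server; Default Web Site is site id 1; alias is exchange-oma.
$alias  = 'exchange-oma'
$regKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\MasSync\Parameters'

# IIS 6 AuthFlags bits: 1 = Anonymous, 2 = Basic, 4 = Integrated Windows (NTLM)
$AuthAnonymous = 1; $AuthBasic = 2; $AuthNTLM = 4

function Test-OmaVirtualDirectory {
    param([string]$Alias = $alias, [int]$SiteId = 1)
    $findings = New-Object System.Collections.Generic.List[string]

    $vdir = [ADSI]"IIS://localhost/W3SVC/$SiteId/ROOT/$Alias"
    try { $null = $vdir.Name } catch {
        $findings.Add("Virtual directory $Alias not found under site $SiteId")
        return $findings
    }

    $flags = [int]$vdir.AuthFlags.Value
    if ($flags -band $AuthAnonymous)    { $findings.Add('Anonymous access is enabled; step 12 wants only Basic and Integrated') }
    if (-not ($flags -band $AuthBasic)) { $findings.Add('Basic authentication is disabled; ActiveSync needs it') }
    if (-not ($flags -band $AuthNTLM))  { $findings.Add('Integrated Windows authentication is disabled') }
    if ([bool]$vdir.AccessSSL.Value)    { $findings.Add('Require secure channel (SSL) is set; step 15 wants it off on this vdir') }

    # Step 20's note applies here too: the value name is case-sensitive.
    $reg = Get-ItemProperty -Path $regKey -Name ExchangeVDir -ErrorAction SilentlyContinue
    if ($null -eq $reg) {
        $findings.Add('MasSync\Parameters\ExchangeVDir is missing (name is case-sensitive)')
    } elseif ($reg.ExchangeVDir -ne "/$Alias") {
        $findings.Add("ExchangeVDir is '$($reg.ExchangeVDir)', expected '/$Alias'")
    }
    return $findings
}

$result = Test-OmaVirtualDirectory
if ($result.Count -eq 0) { Write-Host "OK: $alias and ExchangeVDir look correct" }
else { $result | ForEach-Object { Write-Host "CHECK: $_" } }
```

The reason the checks matter: ActiveSync talks to the original /Exchange vdir over the loopback hop without SSL and without forms-based authentication, so the copy has to accept Basic or Integrated and must not demand SSL. Because the copy deliberately relaxes those two settings, the IP restriction from step 14 is what keeps it from becoming a second, weaker front door; verify it in the IIS Manager dialog even though this script does not read it.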

Hopefully this will help you out. If not, send your error along to one of us and we’ll see if we have a solution. If we do, we’ll post it up. :)
Mirrored on: http://travis.sarbin.net/2009/03/29/exchange-2003-activesync-w-ssl-andor-forms-based-authentication

Multiple Exchange 2007 Servers + ISA 2006 + ActiveSync

Anyone who has tried to set that up knows what I’m talking about. I actually got this all figured out a couple months ago but failed to make a post about how I did it, so today I found myself trying to remember what I did while trying to fix one of our other sites. So this time, I’m going to post it up.

The surprisingly common error you see when you setup ISA 2006 with Exchange 2007 and try to access ActiveSync manually is the following:

501 - Header values specify a method that is not implemented.

This is a good error actually, it means ActiveSync should be working fine, however, if your ISA server points to a EX2007 Client Access Server (CAS) which then proxies to other CAS servers in your environment, you may get a message like the following when trying to access a mailbox in another internal site:

405 - HTTP verb used to access this page is not allowed.

At that point you start to question your sanity and your Google skills, as you can’t seem to figure out for the life of you why, after all that work making sure the configurations matched up on all your servers, it now does not work. You can access the local CAS server directly and pick up the 501, but whenever you try to hit ActiveSync through the CAS proxy it seems to just bomb on you.

Assuming the above is true and you can indeed connect to it directly, try looking at a few settings. In IIS Manager, look at the properties for ‘Microsoft-Server-ActiveSync’ under your Default Web Site (or non-default site) and check your settings for Handler Mappings and Authentication. You should have the following:

  • Handler Mappings - Make sure the OptionsVerbHandler is configured for ‘All verbs’, not just ‘OPTIONS’
  • Authentication - Make sure all authentication options are disabled except ‘Basic Authentication’ and ‘Windows Authentication’

If you’ve configured those settings, make sure your Proxy CAS and Target CAS are both running the same Exchange rollup version and reboot them. It should be working now.
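When there are several CAS servers to compare, the two settings above are quicker to read with appcmd than by opening IIS Manager on each box. The script below is an added example, not part of the original post; it assumes IIS 7 on the CAS, that appcmd.exe is in %windir%\system32\inetsrv, and that the ActiveSync vdir sits under “Default Web Site”. It pulls each configuration section as text and pattern-matches the attributes it needs, so it does not depend on the exact wrapper appcmd prints around the section.

```powershell
# Added example (not from the original post): read the OptionsVerbHandler verb
# and the authentication modules for Microsoft-Server-ActiveSync through appcmd.
# Assumptions: IIS 7, appcmd in %windir%\system32\inetsrv, vdir under Default Web Site.
$appcmd = Join-Path $env:windir 'system32\inetsrv\appcmd.exe'
$vdir   = 'Default Web Site/Microsoft-Server-ActiveSync'

function Get-SectionText {
    param([string]$Section)
    # appcmd prints the requested configuration section as XML text
    (& $appcmd list config "$vdir" "/section:$Section") -join "`n"
}

function Test-EasHandlerMapping {
    $handlers = Get-SectionText 'system.webServer/handlers'
    if ($handlers -match '<add\s+name="OptionsVerbHandler"[^>]*\sverb="([^"]*)"') {
        if ($Matches[1] -eq '*') { return 'OK: OptionsVerbHandler handles all verbs' }
        return "CHECK: OptionsVerbHandler verb is '$($Matches[1])'; set it to '*' (All verbs)"
    }
    return 'CHECK: no OptionsVerbHandler mapping found on the virtual directory'
}

function Test-EasAuthentication {
    # Expected state from the post: only Basic and Windows enabled.
    $expected = @{
        'basicAuthentication'     = 'true'
        'windowsAuthentication'   = 'true'
        'anonymousAuthentication' = 'false'
        'digestAuthentication'    = 'false'
    }
    $out = @()
    foreach ($name in $expected.Keys) {
        $text  = Get-SectionText "system.webServer/security/authentication/$name"
        $state = if ($text -match 'enabled="(true|false)"') { $Matches[1] } else { 'unknown' }
        $tag   = if ($state -eq $expected[$name]) { 'OK' } else { 'CHECK' }
        $out  += "${tag}: $name enabled=$state (expected $($expected[$name]))"
    }
    $out
}

Test-EasHandlerMapping
Test-EasAuthentication
```

Run it on the proxy CAS and on the target CAS and diff the output; the 405 comes from the hop where OPTIONS is still the only verb the handler accepts, which is why the two servers have to match before the rollup-version check and the reboot are worth doing.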

Hopefully this will help some poor soul out there.

Mirrored on http://travis.sarbin.net/2009/03/25/multiple-exchange-2007-servers-isa-2006-activesync

Pesky annoyances when trying to modify DCOM Configurations got you down?

Now, when I say “pesky annoyance” I mean downright frustrating. Say your thumbnails won’t work on your Xbox 360 when viewing items shared out over media sharing, and you’ve got these wonderful errors blasting around your event log:

Log Name:      System
Source:        Microsoft-Windows-DistributedCOM
Event ID:      10016
Description:
The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID
{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
 to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20) from address LocalHost (Using LRPC). This security permission can be modified using the Component Services administrative tool.

Now, just think about how tech-savvy you really are. You know what’s up. You’re going to go find out what application this is by finding the AppID in the registry, then head over to Component Services and go fix this up, right? You start “dcomcnfg”, browse over to “Thumbnail Cache Out of Proc Server” and try to modify it… no love. Greyed-out options, and you’ve just been denied by your trusty operating system. You know you’re an administrator, but behold, you’ve been given the finger by Windows.

No worries.

Someone, somewhere decided that they would make a security consideration here and grant only “Trustedinstaller” full control permission instead of Administrators. How dare they huh? To fix this up, do the following:

    1. Open Registry Editor and browse over to ‘HKEY_LOCAL_MACHINE\SOFTWARE\CLASSES\AppID\{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}’
    2. Right click on the {AB8902B4-09CA-4BB6-B78D-A8F59079A8D5} key and choose “Permissions…”
    3. Just as you would a file, take ownership and assign it to ‘Administrators’ then go back and grant ‘Administrators’ the ‘full control’ permission.
    4. Restart dcomcnfg and modify away.

Once you’ve made your modifications and granted Local Activation permissions to NETWORK SERVICE, you should eliminate those errors.

This trick can be applied to ANY CLSID you can’t modify in Component Services DCOM Configuration. :)
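The first step in the post, finding out which AppID the CLSID in the event belongs to, is the part worth automating, because the 10016 description names the CLSID and the SID but you still have to resolve them by hand. The script below is an added example, not part of the original post; it assumes Get-WinEvent is available (Vista or later), that the event text uses the wording shown above, and that the CLSID key under HKLM\SOFTWARE\Classes\CLSID carries an AppID value pointing at the AppID key whose permissions need changing.

```powershell
# Added example (not from the original post): triage DCOM 10016 events from the
# System log, pull out the permission, SID, CLSID and AppID named in the text,
# and resolve the AppID to the registry key the post tells you to take ownership of.
# Assumptions: Get-WinEvent available; event wording as in the post; CLSID key has an AppID value.
function Get-Dcom10016Triage {
    param([int]$MaxEvents = 20)
    $filter = @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-DistributedCOM'; Id = 10016 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $msg   = $_.Message
            $clsid = if ($msg -match 'CLSID\s*(\{[0-9A-Fa-f-]{36}\})') { $Matches[1] } else { $null }
            $appid = if ($msg -match 'APPID\s*(\{[0-9A-Fa-f-]{36}\})') { $Matches[1] } else { $null }
            $sid   = if ($msg -match 'SID \((S-[0-9-]+)\)') { $Matches[1] } else { $null }
            $perm  = if ($msg -match 'grant (Local|Remote) (Activation|Launch)') { "$($Matches[1]) $($Matches[2])" } else { $null }

            # The event in the post names only a CLSID, so look its AppID up in the registry.
            if (-not $appid -and $clsid) {
                $cls = Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\CLSID\$clsid" -ErrorAction SilentlyContinue
                if ($cls) { $appid = $cls.AppID }
            }
            $appKey = if ($appid) { "HKLM:\SOFTWARE\Classes\AppID\$appid" } else { $null }
            $name   = if ($appKey) { (Get-ItemProperty -Path $appKey -ErrorAction SilentlyContinue).'(default)' } else { $null }

            [pscustomobject]@{
                Time        = $_.TimeCreated
                Permission  = $perm
                Sid         = $sid
                Clsid       = $clsid
                AppId       = $appid
                AppName     = $name
                RegistryKey = $appKey
            }
        }
}

Get-Dcom10016Triage | Format-Table -AutoSize
```

The RegistryKey column is the key from step 1 of the post; AppName is what you will look for in dcomcnfg in step 4. Since the change relaxes a permission that was set to TrustedInstaller on purpose, it is worth handing ownership back to NT SERVICE\TrustedInstaller once the DCOM ACL has been edited, so the key is not left writable by every local administrator indefinitely.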

Fake CNN news items malware campaign spreading rapidly

So, I’m not sure if any of you have run into this (if I were a betting man I’d say yes) but the latest round of malware distribution is taking the net by storm in the form of fake CNN news items. You may notice some items in your inbox that have the following subject line:

“CNN.com Daily Top 10” & “CNN Alerts: My Custom Alert”

While opening the mail doesn’t actually do anything to your system, following the links can set you up for disaster. Once clicked, the link will take you to a fake cnn.com page that will prompt you to install a viewer, typically named flashupdate.exe, get_flash_update.exe or watchmovie.mpg.exe. Once installed it leaves your system open to a variety of issues.

Be on the lookout, people. As usual, don’t install things you don’t know about, don’t install stuff you think you’ve already installed, and if you’re in any way confused, click Cancel and email or call your IT support.

Also something to be aware of. There has been a rash of similar type installations being prompted on social networking sites such as myspace.com and facebook.com. The same rules as above apply. Be smart, be safe!

Post mirrored on: travis.sarbin.net

Edit to post by Myke Reinhold:

This message comes as if it was sent from a randomly generated user email address, not the typical CNN.com address. The spam or malspam email comes from the email address Harjinder-lkpn@321facets.com. The email address alone should raise a red flag, but with a catchy title like “CNN.com Daily Top 10”, many computer users may overlook the domain that it comes from. CNN would never use an unprofessional email address such as the one listed above. Obviously they would use a CNN.com domain or a variation of CNN.com.

[Image: cnn1.gif]

The website that you may be redirected to from this malicious email looks like it attempts to load a Flash video. It stops you dead in your tracks only to display a notification that you have an incorrect version of the Flash player, through a message that says “Video ActiveX Object Error. Your browser cannot play this video file.” The error prompts you to download and install a new version of Flash if it is clicked on. This is where it gets exciting. The so-called “Flash download” is a malicious Trojan downloader called Trojan-Downloader.Agent.EL. This file first appears as a harmless get_flash_update.exe executable until it is accessed.

[Image: cnn2.gif]

Trojan-Downloader.Agent.EL Details
The Trojan-Downloader.Agent.EL infection has the ability to install other malware onto an infected machine, such as the rogue anti-spyware program Antivirus XP 2008. It may go on to create the executable file %System%\cbevtsvc.exe and register it as a new service named CbEvtSvc. The registry of the infected system is also modified, and a direct connection is made to a reporting host over TCP port 443. The MD5 of this specific sample is “dabb5a9b431c88c77281bcf1158a9879”.
A Trick to Avoid “CNN.com Daily Top 10″ Message for Outlook Users
Some email messages in Outlook and other web-based mail clients messages initially show up as a series of broken images such as in the “CNN.com Daily Top 10″ message. Many times you will choose to load the images which will enable the website link for when you click on the image. In other words, it will redirect you to the designated site automatically once an image is clicked on. If you choose to bypass or disable image loading, then it will prevent the web links from being active. In this case the “CNN.com Daily Top 10″ message would not be very effective in spreading malware because the embedded image link is not followed.

Recommended Outlook Rule
We know that Outlook cannot block every spam message or send bogus messages to your junk mail folder every time, so we suggest manually creating an Outlook rule to help catch messages like the “CNN.com Daily Top 10”. You can simply create an Outlook rule that looks for specific text in the sender’s name and moves the message containing it to your junk email folder. To create an Outlook rule, open the “Rules and Alerts” option within Outlook and add the text needed so that it sends emails that meet your criteria to the junk email folder. The image below is an example of this rule being created.

[Image: cnn3.gif]

Outlook 2007 recommended rule
Because the current “CNN.com Daily Top 10″ bogus message has been effective in creating havoc over the Internet, we look for other variations of this message to strike again. Creating an Outlook Rule may only go so far in protecting you but it is one step in the right direction to help keep you safe from malicious messages. There is no guarantee that an Outlook rule will block all future emails that are variations of “CNN.com Daily Top 10″ spam email. Also, you may end up blocking legitimate emails from CNN.com in some instances.
Please Note: CNN is not a part of or affiliated with this particular threat nor does CNN operate the website in question. The malicious messages are being sent from random email accounts from infected computers. It is advisable that you keep this infection in mind if you encounter CNN emails.
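The write-up gives enough host-side indicators (the CbEvtSvc service, the %System%\cbevtsvc.exe file and its MD5, and the downloader file names) to check a machine that someone suspects was caught by this campaign. The script below is an added example, not part of the original post; it uses only the indicators listed above, assumes PowerShell 2.0 or later, and treats the Downloads folder and %TEMP% as the places a clicked-through “Flash update” would normally land. Absence of these specific indicators says nothing about variants with other names.

```powershell
# Added example (not from the original post): check a Windows host for the
# Trojan-Downloader.Agent.EL indicators named in the write-up above.
# Assumptions: PowerShell 2.0+; indicators exactly as the post lists them.
$indicators = @{
    ServiceName   = 'CbEvtSvc'
    DropperPath   = Join-Path $env:SystemRoot 'System32\cbevtsvc.exe'
    DropperMd5    = 'dabb5a9b431c88c77281bcf1158a9879'
    DownloadNames = @('flashupdate.exe', 'get_flash_update.exe', 'watchmovie.mpg.exe')
}

function Get-FileMd5 {
    param([string]$Path)
    $md5    = [System.Security.Cryptography.MD5]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try { ([System.BitConverter]::ToString($md5.ComputeHash($stream)) -replace '-', '').ToLower() }
    finally { $stream.Close() }
}

function Test-CnnMalwareIndicators {
    # Assumption: the downloader lands in the user's Downloads folder or %TEMP%.
    param([string[]]$DownloadFolders = @((Join-Path $env:USERPROFILE 'Downloads'), $env:TEMP))
    $hits = New-Object System.Collections.Generic.List[string]

    $svc = Get-Service -Name $indicators.ServiceName -ErrorAction SilentlyContinue
    if ($svc) { $hits.Add("Service $($svc.Name) present (status $($svc.Status))") }

    if (Test-Path $indicators.DropperPath) {
        $hash  = Get-FileMd5 $indicators.DropperPath
        $match = if ($hash -eq $indicators.DropperMd5) { 'matches the known sample' } else { 'hash differs; possible variant' }
        $hits.Add("File $($indicators.DropperPath) present, MD5 $hash ($match)")
    }

    foreach ($folder in $DownloadFolders) {
        if (-not (Test-Path $folder)) { continue }
        foreach ($name in $indicators.DownloadNames) {
            Get-ChildItem -Path $folder -Filter $name -Recurse -ErrorAction SilentlyContinue |
                ForEach-Object { $hits.Add("Downloader name $($_.Name) found at $($_.FullName)") }
        }
    }
    return $hits
}

$findings = Test-CnnMalwareIndicators
if ($findings.Count -eq 0) { Write-Host 'No indicators from the CNN campaign found on this host' }
else { $findings | ForEach-Object { Write-Host "ALERT: $_" } }
```

A service hit or a file with the listed MD5 is the strong signal; a downloader file name alone only tells you the page was reached and the file saved, not that it was run. Either way, treat the machine as compromised until the other components the post mentions (the rogue anti-spyware install and the registry changes) have been checked.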

Secure mobile devices in Exchange 2003

The device security policies are configured within the same place as the other mobile device related settings, and that is under the Property page of the Mobile Services object in the Exchange System Manager.  When you click the Device Security button you get to the page where you configure the different Device Security Settings.

As the device security settings are global, it’s rather important you know the exact purpose of each setting. I’ve therefore listed all of them with a description in the table below.

Device Security Settings:

  Enforce password on device
    Activates the device password policy. None of the device security settings will work before this feature has been enabled.
  Minimum password length (characters)
    Enable this option to specify the required length of the user’s device password. The default setting is 4 characters. You can specify a password length of 4 to 18 characters.
  Require both numbers and letters
    Enable this option if you want to require that users choose a password with both numbers and letters. This option is not selected by default.
  Inactivity time (minutes)
    Enable this option to specify if you want your users to log on to their devices after a specified number of minutes of inactivity. This option is not selected by default. If selected, the default setting is 5 minutes.
  Wipe device after failed (attempts)
    Enable this option to specify if you want the device memory wiped after multiple failed logon attempts. This option is not selected by default. If selected, the default setting is 8 attempts.
  Refresh settings on the device (hours)
    Enable this option to specify how often you want to send a provision request to devices. This option is not selected by default. If selected, the default setting is every 24 hours.
  Allow access to devices that do not fully support password settings
    Select this option if you want to allow devices that do not fully support the device security settings to be able to synchronize with Exchange Server. This option is not selected by default. If this option is not selected, devices that do not fully support device security settings (for example, devices that do not support provisioning) will receive a 403 error message when they attempt to synchronize with Exchange Server.

In addition to the settings in the table, there’s also an Exceptions button (see Figure 3.) After clicking this button you can specify the users who you want to be exempt from the settings that you have configured in the Device Security Settings dialog box. This exceptions list can be useful if you have specific trusted users (or perhaps managers!) of whom you do not need to require device security settings.

Be sure you don’t configure a device security policy that is too strict, as this could end up with frustrated users erasing their devices all the time. Also remember a user in some situations could have problems contacting the IT department if his device has just been erased. Users are already used to four-digit numbers (among other things from their credit cards) so requiring a four-digit number would in most situations be a good idea. Actually the best solution would be to use a four-digit number in combination with a reasonably configured wipe device after failed attempts setting to make sure you don’t become unpopular.

So where are all the device security settings stored? Almost all the values configured under the device security settings page are stored in Active Directory, more specifically in an attribute called msExchOmaExtendedProperties, which can be found under CN=Outlook Mobile Access,CN=Global Settings,CN=Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=com using a tool such as ADSI Edit.

If you select the msExchOmaExtendedProperties attribute and click the Edit button you get to the screen shown in Figure 5 below.


As you can see, all the device security related values are stored in a string prefixed PolicyData. The values are encoded between the <wap-provisioningdoc> tags. Because this is nothing more than an XML blob, you have the possibility of provisioning your own custom policies by specifying the required values in an XML format similar to this one. It would have been nice to be able to set these policies per user via the GUI, but for now the only way to configure these settings on a per-user basis is to configure the msExchOmaExtendedProperties attribute on each user, and that’s not exactly a friendly method, is it? The good thing is I’ve heard Microsoft will make it possible to configure these settings per user, using GPOs or a similar approach; the bad thing is this won’t be before Exchange 12 RTMs.
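Before editing that attribute by hand it helps to read back what the Device Security dialog actually wrote, so the organization-wide policy can be compared with what a device reports. The script below is an added example, not part of the original post; it assumes a domain-joined machine with .NET DirectoryServices available, that the Outlook Mobile Access object sits under CN=Services in the configuration partition as the article states, and that the policy entry in the multi-valued attribute starts with the string PolicyData. It only reads and pretty-prints the XML; it does not write to the directory.

```powershell
# Added example (not from the original post): read the msExchOmaExtendedProperties
# attribute on the Outlook Mobile Access object and print the embedded
# <wap-provisioningdoc> policy XML. Read-only.
# Assumptions: domain-joined host; object under CN=Services,<configuration NC>;
# the policy value starts with "PolicyData" as the article describes.
function Format-Xml {
    param([xml]$Doc)
    $sw = New-Object System.IO.StringWriter
    $settings = New-Object System.Xml.XmlWriterSettings
    $settings.Indent = $true
    $writer = [System.Xml.XmlWriter]::Create($sw, $settings)
    $Doc.Save($writer)
    $writer.Close()
    $sw.ToString()
}

function Get-OmaDevicePolicyXml {
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNc = $rootDse.configurationNamingContext.Value
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=Services,$configNc"
    $searcher.Filter = '(cn=Outlook Mobile Access)'
    $null = $searcher.PropertiesToLoad.Add('msExchOmaExtendedProperties')
    $result = $searcher.FindOne()
    if ($null -eq $result) { throw 'Outlook Mobile Access object not found in the configuration partition' }

    $docs = @()
    # DirectorySearcher exposes property names in lower case.
    foreach ($entry in $result.Properties['msexchomaextendedproperties']) {
        if ($entry -like 'PolicyData*' -and $entry -match '(?s)(<wap-provisioningdoc>.*</wap-provisioningdoc>)') {
            $docs += Format-Xml ([xml]$Matches[1])
        }
    }
    if ($docs.Count -eq 0) { Write-Warning 'No PolicyData entry found; has Enforce password on device been enabled?' }
    $docs
}

Get-OmaDevicePolicyXml
```

The output is the exact document the server will push to devices at the next provision request, which is the thing to keep under version control if you do decide to craft custom per-user policies in the attribute rather than through the dialog.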

When you have configured and enabled the device security settings on the server, the dialog box shown below will appear on the device during the next synchronization with the server.

After clicking OK you need to specify and confirm the PIN or password you want to use. The PIN or password needs to be entered every time the device is unlocked or after you have issued a cold reset. If an incorrect password is entered, perhaps because one of your kids was playing with the device or if you forgot to lock the keypad while the device was in your pocket, you’ll get a message similar to the one below:

The password you typed is incorrect. Please try again. 1/5 attempts have been made.

This of course depends on how many allowed attempts you have specified under Wipe device after failed option in your Device Security Settings (refer back to Figure 2).

After the second failed attempt you’ll be notified that several incorrect passwords have been entered. In order to confirm the login attempt is not due to accidental button presses, you’re asked to enter A1B2C3 or something similar (depends on how the mobile provider configured this in the specific build). When you have entered these characters you’ll once again have the option of specifying your device password. Should you for some reason manage to enter it incorrectly once again, you’re faced with the incorrect password dialog box again. Before the last available attempt you’ll be informed that all information on the device will be erased after the next unsuccessful password attempt. An erase (similar to a local wipe) will clear out all memory on the device, i.e. the device will be reset back to its factory defaults. Bear in mind though that data on the storage card in the device will remain intact. You can argue whether this is a good design decision or not, personally I think this is a major security risk factor, especially because you can configure the device to store e-mail message attachments on the storage card!

Note:
If you know for a fact that a device has been lost or stolen, you can also initiate a remote wipe to the device, a remote wipe wipes the device immediately. We’ll talk more about this possibility in part 3 of this article series.

If you want to change your PIN or password, you do so by clicking Start > Settings > Lock.

You’ll now need to enter your current PIN or password in order to access the change password feature, when you have done so, you’ll get to the screen shown below.

It’s also interesting to note that a locked device that is connected to a PC using a USB cable won’t be accessible either, instead you’ll be faced with the dialog box shown below.

Posted by: Travis Sarbin
Tested by: Myke Reinhold

Tech Talk with Homerun Networks has launched

At Homerun we deal with multiple vendors and products. Within this blog we will talk about issues we encounter along with their resolutions. We will also talk about the products we use and how well they work. We will also allow vendors to discuss their products here. We hope you enjoy this site as much as we enjoy building it.
