The ACE doesn’t exist on the object

When attempting to remove permissions from Exchange server mailbox using Exchange Management Shell… Powershell

Remove-MailboxPermission -identity….

You get the following error

WARNING: Can’t remove the access control entry on the object… because the ACE doesn’t exist on the object.

There is abundance of articles on the Internet on to deal with this… mostly confusing and convoluted.

The easiest way we’ve succeeded in resolving this issue is be removing the mailbox from the user and adding it again.  That doesn’t mean you will delete anything..

In Exchange 2013 Admin Center if you go to that user under Recipient and then Mailboxes then disable the user (that will remove the mailbox from the user profile).  You can then go back to and select “connect a mailbox” and connect that mailbox back to the same user account.  This way you will have reset permissions on the mailbox to default.   Issue was resolved for us this easy way.

 

Windows Server 2016 Evaluation fails to activate 0xc004f050

If you are running a Windows Server 2016 standard 180 days evolution copy that you downloaded off Microsoft Website and try to activate the installation with a product key that you purchased for Microsoft Server 2016, you might get an error message saying that it can’t activate, or that you entered a product key that can’t be used to activate Windows with error 0xc004f050, here how you can activate it.

Go to Command Line and type:

Dism /online /Set-Edition:ServerStandard /AcceptEula /ProductKey:xxxxx-xxxxx-xxxxx-xxxx-xxxxx

Where xxxxx-xxxxx-xxxxx-xxxx-xxxxx is the product key you purchased

Press Enter.

Process might get stuck at 10% for a little while, give it time. After it is done, you will be asked to reboot. Windows will be all good and permanently activated after it comes back up.

SonicWALL – Can not access the appliance for Security. Please contact administrator

When you try to access SonicWALL SMA (Secure Mobile Appliance) using NetExtender you get

“SonicWALL – Can not access the appliance for Security. Please contact administrator”

Resolution:

Make sure you type the domain correctly in the NetExtender and with the right case.

The domain is Case Sensitive.  So if your domain on the SMA is configured as Domain1.com, then you need to enter as is; Domain1.com, NOT domain1.com or Domain1.Com

Can’t RDP to Windows 7 machine – Remote Desktop

Can’t remote desktop into a Windows 7 – RDP

Run registry editor, regedit, and make sure PortNumber under

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-TCP

is 3389 in Decimal

 

httpCookies httpOnlyCookies=”true” requireSSL=”true” – PCI vulnerability

If you have a Microsoft Exchange Server running OWA that failed a PCI vulnerability scan because of the following:

<httpCookies httpOnlyCookies=”true” requireSSL=”true”/>

Here what we can do to remediate it on the Windows server.

Schedule a brief downtime for the Exchange Server while IIS restarts below.

Launch IIS on the Exchange server, go to Default Web Site, expand and click on “owa” Virtual Directory

On the right and under Management, double click on Configuration Editor.

On the bottom make sure you click on “Features view” as opposed to “Content View“.  On the top click on the drop-down after “Section“.  Select “system.web” and expand it then select “httpCookies“.

Change both httpONLYCookies and RequireSSL to True

Restart IIS by going to command line and typing IISReset

Disabling TLS 1.0 Windows Server 2008-2012 – Exchange – PCI 3.1 Scan

 

If you have to comply to recent PCI standards, a PCI scan on your Exchange server might reveal that it’s no longer compliant because TLS 1.0 is still enabled on it and you need to disable TLS 1.0 to pass test.  This applies to Exchange 2010, 2013 and 2016.  Not sure about 2007…

Tried the following on two implementations and had no issues.  Has been running fine for a while.

To pass PCI 3.1 test you need to disable TLS 1.0 on Windows server.  If you disable it, Outlook on Windows 7/8 machines will not work, it will show disconnected.  You might not be able to delete items, Auto-discover won’t work….This applies to Outlook on Windows server 2008, 2008 r2 and 2012.

In short this is what this article will have you do, you will have to disable TLS on the Windows server running exchange (done through registry setting – the tool below will do it for you), make sure your Windows 7/8 has a certain update installed, that came out in 2016 (obtained through Windows Updates) and it also applies to servers 2008 and 2012.  The update adds support for TLS 1.1 and 1.2 but doesn’t enable them automatically, and lastly make changes to the registry on those client machines to enable TLS 1.1 and 1.2.  Very straight forward as will explain below.

Windows 10 clients don’t need any updates or changes since TLS 1.1 and 1.2 is supported and enabled out of the box.

Here are the details:

Before you start:

1- Apply latest Windows updates to Windows server including Updates for Exchange server.  As of this article, Cumulative Update 20 (CU 20) for Exchange 2013 is available.  You don’t need to be at CU 20, but I usually cover all bases in case I overlook updates.

2- You should update Windows 7/8 machines and Server 2008, 2008 R2 and Server 2012 – Windows Updates.  There is an update that came out in 2016 that added support for TLS 1.1 and TLS 1.2 – chances are you do already have it unless you never updated Windows or never checked.

http://catalog.update.microsoft.com/v7/site/search.aspx?q=kb3140245

3- As always have a good back up of your server..

Action:

Disable TLS 1.0 on the Windows server running Exchange.  There is a tool called IISCrypt, download it.

https://www.nartac.com/Products/IISCrypto

Run it on the Exchange server.  Under Templates choose PCI 3.1.  Apply and reboot your Exchange.  Now Exchange has TLS 1.0 disabled and if you run the PCI 3.1 scan you should pass on TLS 1.0

BUT with disabling TLS 1.0 on that server, you won’t be able to remote/RDP into it from Windows 7/8 machines (You will however be able to do that from Windows 10 machines) Outlook on Windows 7/8 machine won’t connect.  To make it work do the following:

Copy the following text (marked in bold) into a notepad and save it as something like “EnableTLS1.1-1.2.reg“.

 

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
“DisabledByDefault”=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
“DisabledByDefault”=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
“DisabledByDefault”=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp]
“DefaultSecureProtocols”=dword:00000A00  

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp]
“DefaultSecureProtocols”=dword:00000A00  

 

Double click on this file on the Windows 7/8 machines and it should add all necessary registry keys to enable TLS 1.1 and 1.2.

Reboot Windows 7/8.  Outlook should work normally now.

You don’t need to do anything for Windows 10 machines.

You might have issues with older smart phones and Email.

Make sure you don’t have any third party applications that communicate with Exchange with TLS 1.0.  Look for applications updates.  Consult third party support.

 

Duo Two Factor Authentication -Microsoft Routing and Remote Access (RRAS) Server.

Setting up Duo Two Factor Authentication with Microsoft Routing and Remote Access (RRAS) Server:

We installed the Duo Proxy on a separate server than the Microsoft RRAS server. We couldn’t get it to work on the same server. When we ran it on the same server, we were getting errors like the following:

“The connection was prevented because of a policy configured on your RAS/VPN server. Specifically, the authentication method used by the server to verify your username and password may not match the authentication method configured in your connection profile. Please contact the Administrator of the RAS server and notify them of this error.”

RRAS Server is Windows Server 2012 R2.  In our case RRAS happened to be a Domain Controller (doesn’t have to be – but made things easier).

RRAS was already configured and working for VPN client.  People were VPN/PPTP to it but we wanted to implement Duo two factor authentication to add another layer of security to VPN.

Clients were remoting into the RRAS server using Microsoft PPTP client that is built into Windows machine (could be working using SSTP or L2TP).

By the way we didn’t have to do anything with Windows Network Policy Server NPS. NPS had no role in this kind of setup.

On the Duo portal we chose to protect Microsoft RRAS server. You could find it in the list of Application to protect.

The Duo proxy final config file authproxy.cfg looked like the following:

——————-

[ad_client]
host=10.10.10.10   (This is the IP address of the Domain Controller not the RRAS server – But happened to be the RRAS server in our case)
service_account_username=DuoUser  (Created this user in the domain for Duo to use)
service_account_password=Password123  (Password for the DuoUser)
search_dn=DC=LocalDomain,DC=com  (Our local Windows domain was called LocalDomain.com)
security_group_dn=CN=DuoVPNUsers,OU=Company,DC= LocalDomain,DC=com (Created a Windows Security Group in AD called DuoVPNUsers and stored it inside an OU called Company – We created the OU and called it that name “Company”. VPN’d users Windows accounts need to be added to this security group. We placed DuoVPNUsers group and DuoUser inside the Company OU – We intend to be placing VPN users inside that OU).

[radius_client]
host=10.10.10.10  (This is the RRAS server IP)
secret=PickASecretPasswordHere  (This is kind of a password that will be used between the RRAS and the Duo Proxy. Make something up.  Use complex passwords for security)

[radius_server_auto]
ikey=xxxxxxxxxxxxxx (This is obtained from the Duo Portal)
skey=yyyyyyyyyyyyyyy (This is obtained from the Duo Portal)
api_host=zzzzzzz.duosecurity.com (This is also obtained from the Duo portal)
radius_ip_1=10.10.10.10 (This is the IP address of RRAS Server)
radius_secret_1= PickASecretPasswordHere  (matches the one above)
client=ad_client
port=1812
pass_through_all=true
allow_concat=true

——————

Open Routing and Remote Access on the RRAS server. Right-click on the Server and choose Properties. Go to the 2nd tab that is called Security, and under Authentication Provider choose Radius Authentication (change it from Windows Authentication). Click Configure. Click Add
Server name would be the IP address of the server where the duo proxy software is installed. In our case it was 10.10.10.40.
Time out change to 60 secs so you would have enough time to respond to the Duo pushed messages.
Shared Secret is the secret/password that you used in the authproxy.cfg file.  Must match.
Port 1812 – this is the default and should match the one in authproxy.cfg under [radius_server_auto] section. Click OK to add it.

Also under the Security tab click on Authentication Method. Make sure “Unencrypted password (PAP)” is checked off.  This should match the one you have in the property of the VPN connection on the client Windows machine (the machines that you and your clients use to VPN in), under Security, PAP is also checked off for authentication under “Allow these protocols” Make sure Microsoft CHAP Version 2 (MS-CHAP v2) is Unchecked off. Checking off Challenge Handshake Authentication Protocol CHAP (not v2) seemed to work too.

If you find this article helpful, please click to like our Facebook page below so we can keep on adding quality hands-on articles.

 

Scan to network share SMB not working – Windows Updates

After applying one of Jan 2018 Windows updates to windows servers 2012 and could be 2008, scanning to network shares SMB fails from Network printers/copiers, the scan user gets locked out at times.

We’ve had issues with different kind of copiers like Canon iR3035, imageRUNNER 6275 and image RUNNER advance iR-ADV4235.

One full week of troubleshooting the culprit was Windows update KB4056896 that came  out in Jan 2018 and added mores security to SMB.

Solution:

Uninstall Update.

Exchange server Mailboxes size report 2010 2013 2016

Exchange Server Mailboxes size report 2010 2013 2016

 

Create a C:\Temp1 directory.

Obtain Mailbox Database name from the Microsoft Exchange Console that would look like “Mailbox Database XXXXXXXXXXX”

Using Exchange PowerShell (Run as Admin) , type the following:

Get-MailboxStatistics -Database   “Mailbox Database XXXXXXXXXXX”  | Select DisplayName, ItemCount, TotalItemSize | Sort-Object TotalItemSize -Descending | Export-CSV C:\temp1\mailBox-Size.csv

 

That will generate a csv report saved in C:\Temp1.

If you find this article helpful, please click to like our facebook page below so we can keep on adding quality hands-on articles.

Exchange 2013 Cumulative Update CU 18 Fails – Certificate

When trying to install Exchange 2013 Cumulative Update 18 or others, update terminates with the following error:

—————
The following error was generated when “$error.Clear();
Install-ExchangeCertificate -services IIS -DomainController $RoleDomainController
if ($RoleIsDatacenter -ne $true -And $RoleIsPartnerHosted -ne $true)
{
Install-AuthCertificate -DomainController $RoleDomainController
}
” was run: “System.Security.Cryptography.CryptographicException: The certificate is expired.
at Microsoft.Exchange.Configuration.Tasks.Task.ThrowError(Exception exception, ErrorCategory errorCategory, Object target, String helpUrl)
at Microsoft.Exchange.Management.SystemConfigurationTasks.InstallExchangeCertificate.InternalProcessRecord()
at Microsoft.Exchange.Configuration.Tasks.Task.<ProcessRecord>b__b()
at Microsoft.Exchange.Configuration.Tasks.Task.InvokeRetryableFunc(String funcName, Action func, Boolean terminatePipelineIfFailed)”.

———————

This occurs when you have an expired SSL Certificate.

Open Manage Computer Certificates (you can search for it), under Personal and under Trusted Root Certification Authorities, look for any certificate that you might have installed in the past and that has expired.  You can sort by expiration date to easily find it.  Delete that certificate.

Go back and try to install the Cumulative Update again and I will restart from the stage at which it terminated.

After done and when you open the exchange Admin Center, it might open a blank page, go to IIS and make sure the frontend and backend sites are bound to an SSL certificate