Xadean's Empirical Musing

Xadean's contribution to the consulting community through sharing his anthology of lessons learned and technical insights.
April 11
Check-In Multiple Files/Folders Simultaneously

I see a number of folders under our team site, created by other users, that appear empty. This happens because all the content in those folders is still checked out by the user(s) who uploaded it; until it is checked in, no other users are able to see it. Here are instructions on how to check in ALL of the content in a single action.

  • Go to Site Settings by clicking on the gear icon located between the alert bell and help question mark icons in the upper left-hand corner of the page next to your name.
  • Under the Site Administration section (3rd from the top in the left column), select "Content and Structure" (5th from the bottom in that section's list).
  • On the first page there is a list of the files with a "default view" drop-down in the toolbar on the right. Drop this down and choose "Checked out to me". Navigate to the folder where the files you wish to check in are located.
  • This lists all of the files checked out to you within the site and the subsites you are in. Click on the multiple-selection icon to check the boxes next to all checked-out content, or check the boxes individually to select your items, and in the Actions drop-down choose Check In. You'll be prompted once for the check-in comment, so be sure you want to replicate that comment across all selected items in the Version History. Once you click the "OK" button, all the content will be checked in and other users will be able to view what you have uploaded.
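The same bulk check-in can be done from a script rather than the Content and Structure page. The following PnP PowerShell script is an added example, not part of the original post: it assumes the PnP.PowerShell module is installed, that the site URL, library name and user e-mail are placeholders to replace, and that the library's CheckoutUser field identifies who holds each check-out.

```powershell
# Added example (not from the original post): check in every file in one document
# library that is checked out to a given user, applying one comment to all of them,
# which mirrors the single-comment behaviour of the Content and Structure page.
# Assumptions: PnP.PowerShell module installed; the three values below are placeholders.
$siteUrl = 'https://contoso.sharepoint.com/sites/TeamSite'   # placeholder
$library = 'Documents'                                        # placeholder
$owner   = 'xadean@contoso.com'                               # placeholder: whose check-outs to release
$comment = 'Bulk check-in of pending uploads'                 # recorded in Version History for every file

Connect-PnPOnline -Url $siteUrl -Interactive

# CAML query: every item in the library, including subfolders, that has a CheckoutUser.
# Folders are never checked out, so they are excluded by the IsNotNull test.
$caml = @"
<View Scope='RecursiveAll'>
  <Query><Where><IsNotNull><FieldRef Name='CheckoutUser'/></IsNotNull></Where></Query>
  <ViewFields><FieldRef Name='FileRef'/><FieldRef Name='CheckoutUser'/></ViewFields>
</View>
"@

$count = 0
foreach ($item in Get-PnPListItem -List $library -Query $caml -PageSize 500) {
    $who = $item['CheckoutUser']                     # FieldUserValue: LookupValue, Email
    if (-not $who -or $who.Email -ne $owner) { continue }   # leave other users' check-outs alone
    $url = $item['FileRef']                          # server-relative URL of the file
    Set-PnPFileCheckedIn -Url $url -CheckinType MajorCheckIn -Comment $comment
    Write-Host "Checked in $url"
    $count++
}
Write-Host "$count file(s) checked in; they are now visible to other users."
```

The script only touches files whose CheckoutUser matches the given address; taking over somebody else's check-out is a separate action that needs Manage Lists rights and should be a deliberate choice, not a side effect of a cleanup script.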

February 10
Fail to Migrate On-Prem Exchange Mailbox to Online

Environment

  • Office 365 – Exchange Online (All users' mailboxes homed)
  • On-Prem Exchange with hybrid configuration enabled
  • On-Prem Active Directory (AD)
  • Directory Synchronization (AD Connect)
  • Active Directory Federation Services (AD FS)

Error Encountered

After running the "Migrate to Exchange Online" wizard and selecting all the default actions, the following error appears after selecting the configured Mailbox Replication Service (MRS) Proxy:

"Error: The connection to the server 'owa.biztechfusion.com' could not be completed".

Cause

The only thing that had changed in the environment prior to experiencing this issue was that the SSL certificates throughout the infrastructure had been replaced for on-prem Exchange, AD FS, and MSFT Online Federation. This catalyzing event was the root cause.

Resolution

Add a new Migration Endpoint and associate an administrator with the appropriate privileges. Note that you will be unable to delete existing migration endpoints that are associated with migration batch jobs that have previously run. Therefore, you must delete those associated migration batch jobs first in order to remove any existing migration endpoints. Once you have created the new migration endpoint, you will be able to select it in the migration batch task. After doing this, I was able to successfully migrate on-prem user mailboxes to online.
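The resolution above can be carried out from Exchange Online PowerShell instead of the wizard. This is an added example, not code from the original post: it assumes an Exchange Online session is already open (Connect-ExchangeOnline), uses the MRS proxy host named in the error above, and uses placeholder endpoint names.

```powershell
# Added example (not from the original post): replace a migration endpoint whose
# MRS Proxy connection stopped working after the on-prem certificates were changed.
# Assumptions: Exchange Online PowerShell session already connected; endpoint names
# are placeholders; the MRS proxy host is the one from the error message above.
$mrsProxy    = 'owa.biztechfusion.com'
$oldEndpoint = 'OnPrem-MRS-Old'      # placeholder: the endpoint that now fails
$newEndpoint = 'OnPrem-MRS-New'      # placeholder
$cred        = Get-Credential -Message 'On-prem account with mailbox migration rights (DOMAIN\user)'

# 1. An endpoint cannot be removed while batches still reference it, so remove those
#    batches first (stop any that are still running with Stop-MigrationBatch beforehand).
Get-MigrationBatch | Where-Object { $_.SourceEndpoint -eq $oldEndpoint } | ForEach-Object {
    Write-Host "Removing batch $($_.Identity) (status: $($_.Status))"
    Remove-MigrationBatch -Identity $_.Identity -Confirm:$false
}
Remove-MigrationEndpoint -Identity $oldEndpoint -Confirm:$false

# 2. Test the proxy before creating anything. This is the same connection the wizard
#    makes, and it fails immediately if the new certificate chain is not trusted.
$check = Test-MigrationServerAvailability -ExchangeRemoteMove -RemoteServer $mrsProxy -Credentials $cred
if ($check.Result -ne 'Success') {
    throw "MRS proxy check failed for ${mrsProxy}: $($check.Message)"
}

# 3. Create the replacement endpoint; it then appears for selection in the migration batch task.
New-MigrationEndpoint -ExchangeRemoteMove -Name $newEndpoint -RemoteServer $mrsProxy -Credentials $cred
Get-MigrationEndpoint -Identity $newEndpoint | Format-List Identity, RemoteServer, EndpointType, IsValid
```

Running the availability test first separates "the proxy does not trust or present the new certificate" from "the endpoint object is stale", which is the distinction the wizard's generic connection error hides.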

February 04
Dynamics CRM 2016 SP1 An Error Has Occurred When Trying to Log On to Organization

Environment:

  • Dynamics CRM 2016 service pack 1 deployed on Windows 2012 R2 Server (domain joined)
  • AD FS on domain joined Windows 2012 R2 Server
  • Web Application Proxy (WAP) installed on workgroup Server in DMZ 

Error Encountered: Seeing the following error in the Application event logs on the Dynamics CRM Server:

An error has occurred.

Try this action again. If the problem continues, check the Microsoft Dynamics CRM Community for solutions or contact your organization's Microsoft Dynamics CRM Administrator. Finally, you can contact Microsoft Support.

System
    Provider [Name] ASP.NET 4.0.30319.0
    EventID 1309 [Qualifiers] 32768
    Level 3
    Task 3
    Keywords 0x80000000000000
    TimeCreated [SystemTime] 2017-02-04T01:51:56.000000000Z
    EventRecordID 1796646
    Channel Application
    Computer <Dynamics CRM Server FQDN>
    Security

EventData
    3005
    An unhandled exception has occurred.
    2/3/2017 8:51:56 PM
    2/4/2017 1:51:56 AM
    d557250f37594d2792c72671e17ce5e3
    26
    4
    0
    /LM/W3SVC/1/ROOT-4-131306320864190376
    Full
    /
    C:\Program Files\Microsoft Dynamics CRM\CRMWeb\
    <Dynamics CRM Server Name>
    1488
    w3wp.exe
    DOMAIN\CRMAPPSERV
    SecurityTokenException
    ID4175: The issuer of the security token was not recognized by the IssuerNameRegistry. To accept security tokens from this issuer, configure the IssuerNameRegistry to return a valid name for this issuer.
        at System.IdentityModel.Tokens.SamlSecurityTokenHandler.ValidateToken(SecurityToken token)
        at System.IdentityModel.Services.TokenReceiver.AuthenticateToken(SecurityToken token, Boolean ensureBearerToken, String endpointUri)
        at System.IdentityModel.Services.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequestBase request)
        at System.IdentityModel.Services.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)
        at Microsoft.Crm.Authentication.Claims.CrmFederatedAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)
        at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
        at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
    https://auth.biztechfusion.com:443/default.aspx
    /default.aspx
    10.1.20.53
    False
    DOMAIN\CRMAPPSERV
    537
    BIZTECH\CRMAPPSERV
    False
        at System.IdentityModel.Tokens.SamlSecurityTokenHandler.ValidateToken(SecurityToken token)
        at System.IdentityModel.Services.TokenReceiver.AuthenticateToken(SecurityToken token, Boolean ensureBearerToken, String endpointUri)
        at System.IdentityModel.Services.WSFederationAuthenticationModule.SignInWithResponseMessage(HttpRequestBase request)
        at System.IdentityModel.Services.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)
        at Microsoft.Crm.Authentication.Claims.CrmFederatedAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)
        at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
        at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

Cause: Any changes to certificates in the AD FS farm.

Symptoms: Cannot login to CRM

Resolution: Each time there are any certificate changes in the AD FS farm, the following prescribed steps must be performed again:

On the Dynamics CRM Server:

  • Open the Deployment Manager.
  • Re-run Configure Claims-Based Authentication, accepting the currently populated data, including the appropriate SSL certificate.
  • Re-run Configure Internet-Facing Deployment, accepting the currently populated data.
  • Run iisreset.
  • Run "Restart-Service Adfssrv" from Windows PowerShell.

On the AD FS Server:

  • Open the AD FS management console.
  • Under Trust Relationships > Relying Party Trusts, right-click each of the two CRM listings and click "Update from Federation Metadata".
  • Run iisreset from an elevated command prompt.
  • Run "Restart-Service adfssrv" from Windows PowerShell.
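ID4175 is raised by the relying party's IssuerNameRegistry when the certificate that signed the incoming token (matched by thumbprint) is not in its list of trusted issuers, which is exactly the state a token-signing certificate rollover leaves CRM in until the metadata is re-imported. The following script is an added example, not from the original post: it reads the signing certificates AD FS currently advertises in its federation metadata and compares them with the thumbprints the relying party was last configured with. The federation service hostname and the trusted-thumbprint list are placeholders you supply.

```powershell
# Added example (not from the original post): detect a token-signing certificate that
# AD FS advertises but the relying party (here, Dynamics CRM) does not yet trust.
# Assumptions: $federationService is a placeholder; $rpTrustedThumbprints holds whatever
# the RP currently trusts (for CRM: what Configure Claims-Based Authentication last imported).
$federationService    = 'adfs.contoso.com'                              # placeholder
$rpTrustedThumbprints = @('0000000000000000000000000000000000000000')   # placeholder list

$metadataUrl = "https://$federationService/FederationMetadata/2007-06/FederationMetadata.xml"
[xml]$md = (Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing).Content

# Signing keys are listed as KeyDescriptor use="signing"; each X509Certificate element
# holds the base64 DER of one certificate (both primary and secondary during rollover).
$ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
$ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
$ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')
$nodes = $md.SelectNodes("//md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", $ns)

$advertised = foreach ($n in $nodes) {
    $bytes = [Convert]::FromBase64String($n.InnerText.Trim())
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)
    [pscustomobject]@{ Thumbprint = $cert.Thumbprint; Subject = $cert.Subject; NotAfter = $cert.NotAfter }
}
Write-Host "Signing certificates advertised by ${federationService}:"
$advertised | Format-Table -AutoSize | Out-String | Write-Host

# Any advertised signing thumbprint missing from the RP's list means tokens signed with it
# will be rejected with ID4175 until the RP re-imports the federation metadata.
$missing = @($advertised | Where-Object { $rpTrustedThumbprints -notcontains $_.Thumbprint })
if ($missing.Count -gt 0) {
    Write-Warning ("RP does not trust signing cert(s): " + ($missing.Thumbprint -join ', ') +
                   ". Re-run Configure Claims-Based Authentication and update the relying party trust.")
} else {
    Write-Host 'RP trusted thumbprints cover every advertised signing certificate.'
}
```

Running this right after a certificate change (or on a schedule) turns the rollover from something discovered through failed logins into a mismatch you see before users do.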
February 04
AD FS “Bad Request” Error After Updating Token-Decrypting and Token-Signing Certificates

Environment:

  • Active Directory Federation Services (AD FS) role configured on a Windows 2012 R2 Active Directory Domain Services (AD DS) Domain Controller (DC)
  • WAP 2012 R2 (not domain joined)
  • Office 365 tenant subscription with on-premises AD synchronizing a federated domain

Error: When trying to authenticate to Office 365, a "bad request" error message appears after entering credentials in the AD FS forms-based authentication (FBA) page.

Cause: Experienced the preceding error after certificate changes in the AD FS farm.

Symptoms:

  • The AD FS service (adfssrv) hangs in the "starting" state when an AD group managed service account (gMSA) is assigned as its "Log On As" identity (reference on gMSAs: https://itconnect.uw.edu/wares/msinf/ous/gmsa/).
    • The fix to get the AD FS service to start is to change the Microsoft Key Distribution Service (KdsSvc) from Manual (Trigger Start) to Automatic (Trigger Start) with the following command from an elevated command prompt:

      sc triggerinfo kdssvc start/networkon

  • Able to authenticate to the test URL (https://adfs.contoso.com/adfs/ls/idpinitiatedsignon.aspx), but not to O365.

 

Resolution: Need to update WS-Fed after any certificate changes in the AD FS farm using the following prescribed steps.

Open Windows PowerShell and execute these commands:

# Load the AD FS cmdlets (on Windows Server 2012 R2 they live in the ADFS module, which loads
# automatically or with Import-Module ADFS; the snap-in name below is the AD FS 2.0 form)
Add-PSSnapin Microsoft.Adfs.Powershell

# PS command to re-enable AutoCertificateRollover
Set-AdfsProperties -AutoCertificateRollover $true

# PS command to verify properties
Get-AdfsProperties

# PS command to immediately generate new self-signed certificates
Update-AdfsCertificate -Urgent

# CMD prompt command to query the kdssvc service triggers
sc qtriggerinfo kdssvc

# CMD prompt command to change kdssvc to automatic and trigger it on network connection
sc triggerinfo kdssvc start/networkon

# To update WS-Fed after changing AD FS certificates
When using the Windows Azure Active Directory Module for Windows PowerShell, run the following commands:

Connect-MsolService

# Replace contoso.com with your federated domain name
Update-MsolFederatedDomain -DomainName contoso.com

# Confirm that the federation settings in AD FS and in Office 365 now match
Get-MsolFederationProperty -DomainName contoso.com

February 03
WAP 2012 R2 Showing Failed Operation Status

Environment:

  • Active Directory Federation Services (AD FS) role configured on a Windows 2012 R2 Active Directory Domain Services (AD DS) Domain Controller (DC)
  • WAP 2012 R2 (not domain joined)
  • Office 365 tenant subscription with on-premises AD synchronizing a federated domain

 

Error: Under the Remote Access Management console on the WAP Server, the Operation Status node shows Web Application Proxy and Web Application Proxy Core as failed while the AD FS Proxy status is working. Also, the following error message is observed in the event logs:

Component : Web Application Proxy Core
RemoteAccessServer : <SERVERNAME>
HealthState : Error
Heuristics : {Id: 1002, ErrorDesc: Web Application Proxy: Web Application Proxy service is down., ErrorCause: An unknown error had occured, ErrorResoln: Please refer to TechNet library in http://technet.com/ServiceWAP, OperationStatus: Unknown error, Status: Error}
TimeStamp : <DATE & TIME OCCURRED>

 

Cause: Experienced the preceding error after certificate changes in the AD FS farm.

 

Symptoms:

  • AD FS authentication form does not appear when opening a published URL. Web browser displays a nondescript error.

 

Resolution: Need to refresh the Web Application Proxy / Core configuration by issuing the following PowerShell commands on the WAP Server:

# List the machine certificates so the right thumbprint can be copied
Get-ChildItem -Path Cert:\LocalMachine\My | Select-Object Subject, FriendlyName, Thumbprint | Format-List

# Re-run the proxy configuration with the current certificate; change 'adfs.contoso.com' to your specific STS URL
Install-WebApplicationProxy -CertificateThumbprint '<THUMBPRINT OBTAINED FROM PREVIOUS PS COMMAND OUTPUT>' -FederationServiceName 'adfs.contoso.com'

Restart-Service adfssrv

October 23
Outlook 2016 Continuously Prompting for Password with AD FS 2012 R2, Web Application Proxy, and Office 365

Environment:

All users hosted on Exchange Online as part of Office 365 tenant subscription. Users are synchronized from on-premises Active Directory using Azure AD Connect. AD FS is implemented with Web Application Proxy. Users are using Outlook 2016 external to the corporate network.

 

Issue Description:

After launching the Outlook 2016 desktop client, users are continuously prompted to enter username/password.

 

Resolution:

  • Exit Outlook.
  • Open Registry Editor by running "regedit" and go to the following key:
    [HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\AutoDiscover]
    You must add these registry entries:

    "ExcludeScpLookup"=dword:00000001
    "ExcludeHttpsAutodiscoverDomain"=dword:00000001
    "ExcludeHttpsRootDomain"=dword:00000001
    "ExcludeSrvLookup"=dword:00000001
    "ExcludeHttpRedirect"=dword:00000000
    "ExcludeSrvRecord"=dword:00000001

  • Open File Explorer, browse to "C:\Users\<USERNAME>\AppData\Local\Microsoft\Outlook" (change the <USERNAME> part to your specific settings) and delete the "[GUID] – Autodiscover.xml" files. Mine looked like this: "1f219c7c0fb9d245803b3872cb4da4ab – Autodiscover.xml".
  • Launch Outlook again.

The username/password prompts should cease.
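The registry and cache steps above can be applied in one go per user. The script below is an added example, not from the original post: it assumes Outlook 2016 (the 16.0 registry path given above) and writes the same six values the post lists, refusing to run while Outlook is open so the cached Autodiscover files are not recreated behind it.

```powershell
# Added example (not from the original post): apply the AutoDiscover overrides from the
# steps above for the current user and clear the cached Autodiscover.xml files.
# Assumption: Outlook 2016, hence the Office 16.0 registry path from the post.
$key = 'HKCU:\Software\Microsoft\Office\16.0\Outlook\AutoDiscover'
$values = [ordered]@{
    ExcludeScpLookup               = 1
    ExcludeHttpsAutodiscoverDomain = 1
    ExcludeHttpsRootDomain         = 1
    ExcludeSrvLookup               = 1
    ExcludeHttpRedirect            = 0   # HTTP redirect lookup stays enabled, as in the post
    ExcludeSrvRecord               = 1
}

# Step 1 of the post: Outlook must be closed, otherwise it keeps using its cached settings.
if (Get-Process -Name OUTLOOK -ErrorAction SilentlyContinue) {
    throw 'Close Outlook before changing AutoDiscover settings.'
}

# Create the key if this profile has never had AutoDiscover overrides, then write each DWORD.
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
foreach ($name in $values.Keys) {
    New-ItemProperty -Path $key -Name $name -Value $values[$name] -PropertyType DWord -Force | Out-Null
}

# Remove the cached "<GUID> - Autodiscover.xml" files so Outlook rebuilds them on next start.
$cache = Join-Path $env:LOCALAPPDATA 'Microsoft\Outlook'
Get-ChildItem -Path $cache -Filter '*Autodiscover.xml' -ErrorAction SilentlyContinue |
    ForEach-Object { Write-Host "Deleting $($_.Name)"; Remove-Item -Path $_.FullName }

# Show the resulting values so the change can be verified before relaunching Outlook.
Get-ItemProperty -Path $key | Select-Object -Property @($values.Keys)
```

Each Exclude* value switches off one Autodiscover lookup method for every Outlook profile of that user; keep the list to exactly the methods the post names, since disabling a method the tenant actually relies on reintroduces the prompting rather than curing it.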

 

October 21
IFD CRM 2016 with ADFS and WAP 2012 R2 Authentication Error

Configuration

  • Dynamics CRM 2016 service pack 1 deployed on Windows 2012 R2 Server (domain joined)
  • AD FS on domain joined Windows 2012 R2 Server
  • Web Application Proxy (WAP) installed on workgroup Server in DMZ

Issue

Unable to access the IFD URL https://OrgName.domain.com which results in the following error:

 

An error occurred has error occurred. Contact your administrator for more information.

Error details • Activity ID. 000000000000-0000-4aOO-0080000000cf —relying party trust.

CRM Claims Relying Party • Error time: Thu, 20 Oct 2016 20:09:25 GMT Cookie: enabled User agent string: Mozilla/5.O (compatible; MSIE 10.0,' Windows NT 100, WOW64; Trident/7.O; Touch; .NET4.OC; .NET4.OE: .NET CLR 2050727; .NET CLR 3.0.30729: .NET CLR 3.5.30729; InfoPath.3; AcanoClient)

 

Summary of Resolution:

Certificate renewal also requires publishing the identifiers on the WAP server.

The identifiers required on the WAP servers are:

https://adfs.domain.com

https://dev.domain.com

https://auth.domain.com

https://org.domain.com

https://org1.domain.com etc.

  • We were unable to browse the URL https://biztechfusioncrm.biztechfusion.com from outside the network.
  • We disabled IFD and claims-based authentication from the Deployment Manager and performed an IIS reset.
  • We identified that upon browsing the internal URL https://crm.biztechfusion.com/biztechfusioncrm we received 3 prompts and it failed with the error 401 Unauthorized.
  • In IIS, on the Microsoft Dynamics CRM website, we opened Configuration Editor and set UseAppPoolCredentials to TRUE.
  • Performed an IISRESET.
  • Browsed the organization URL (from the Deployment Manager) over SSL and checked whether it was successful. Once it was successful, we performed the following steps.
  • In the Deployment Manager, re-configured Claims-Based Authentication, verifying that the AD FS federation metadata URL is accessible.
  • In the AD FS management console on the AD FS server, updated the corresponding federation metadata URLs on the internal relying party trust, then restarted the AD FS services.
  • Performed an IISRESET on the CRM web server and the AD FS server. Browsed the org URL internally and checked whether it loaded successfully. Once it was successful, performed the following steps.
  • In the Deployment Manager, re-configured IFD.
  • In the AD FS management console on the AD FS server, updated the corresponding federation metadata URLs on the external relying party trust, then restarted the AD FS services.
  • Performed an IISRESET on the CRM web server and the AD FS server.
  • Tried to access CRM from outside the network; it still failed with the same error shown above ("An error occurred ... Contact your administrator for more information.", relying party trust: CRM Claims Relying Party).
  • We added the identifiers https://adfs.domain.com, https://dev.domain.com and https://auth.domain.com as Pass Through on the AD FS WAP proxy server, published these URLs and performed an IISRESET.
  • We then tried to access the CRM URL from outside the network and were successfully able to browse, at which point the case was considered resolved and good to close.
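The final step, publishing the identifiers as pass-through applications on WAP, can be scripted so that every renewal republishes the same list. This is an added example, not from the original post: it assumes it runs on the WAP server, that the external certificate thumbprint is supplied as a placeholder, and it uses the placeholder hostnames listed above.

```powershell
# Added example (not from the original post): publish each AD FS/CRM identifier on the
# WAP server as a pass-through application, skipping any that are already published.
# Assumptions: run on the WAP server; $certThumbprint is the external certificate already
# used for the published AD FS proxy; hostnames are the placeholders from the post.
$certThumbprint = '<EXTERNAL CERT THUMBPRINT>'   # placeholder
$identifiers = @(
    'https://adfs.domain.com/',
    'https://dev.domain.com/',
    'https://auth.domain.com/',
    'https://org.domain.com/',
    'https://org1.domain.com/'
)

$existing = @(Get-WebApplicationProxyApplication | Select-Object -ExpandProperty ExternalUrl)

foreach ($url in $identifiers) {
    if ($existing -contains $url) { Write-Host "Already published: $url"; continue }
    $name = ([uri]$url).Host
    # Pass-through: WAP forwards the request without pre-authenticating it, and the
    # backend (AD FS or CRM) performs the claims authentication itself. External and
    # backend URLs are identical because the same hostname resolves to WAP from the
    # internet and to the AD FS/CRM server from inside the network.
    Add-WebApplicationProxyApplication -Name $name `
        -ExternalUrl $url -BackendServerUrl $url `
        -ExternalCertificateThumbprint $certThumbprint `
        -ExternalPreauthentication PassThrough
    Write-Host "Published $url as pass-through"
}

# Verify what is now published before testing the CRM URL from outside the network.
Get-WebApplicationProxyApplication |
    Format-Table Name, ExternalUrl, BackendServerUrl, ExternalPreauthentication -AutoSize
```

Because pass-through publishing means WAP itself enforces nothing, keep the list limited to the identifiers the claims flow actually needs; every extra hostname published this way is an internal endpoint exposed with only its own authentication in front of it.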

 

September 20
Partner Application and OAuth Configuration between Skype for Business On-premises and Exchange Online
March 08
Using Wireshark to Debug a VoIP Call

Step 1. Install Wireshark on the Lync Mediation Server.

Step 2. Launch Wireshark and start a capture.

Step 3. Click on the "Telephony" drop-down menu and select the "VoIP Calls" option.

March 08
Enable Inheritance on AD User Accounts to Allow Administration of Other Domain Admins in Lync Control Panel

Issue: You need to enable permission inheritance on other Domain Admins' AD user accounts (or a specific group of accounts) in order to administer those users in the Lync (or Skype for Business) Control Panel.

Background: Enabling inheritance on AD accounts typically required one to check the "Include inheritable permissions…" checkbox on the Security tab > Advanced screen in ADUC on every user account, one at a time.

Solution using PowerShell:

1) Open a PowerShell prompt (Run as administrator) on a Domain Controller. Then run the following PowerShell commands:

Import-Module ActiveDirectory

# Every user object under the target OU (adjust the search base to your domain)
$users = Get-ADUser -LDAPFilter "(objectclass=user)" -SearchBase "ou=users,dc=company,dc=com"

ForEach ($user in $users)
{
    # Bind to the user object in the directory via ADSI using its distinguished name
    $entry = [ADSI]("LDAP://" + $user.DistinguishedName)
    $sec = $entry.psbase.ObjectSecurity

    # AreAccessRulesProtected is $true when inheritance is blocked on the object
    if ($sec.AreAccessRulesProtected)
    {
        $isProtected = $false          ## allow inheritance
        $preserveInheritance = $true   ## preserve the inherited rules
        $sec.SetAccessRuleProtection($isProtected, $preserveInheritance)
        $entry.psbase.CommitChanges()
        Write-Host "$user is now inheriting permissions"
    }
    else
    {
        Write-Host "$user already inherits permissions"
    }
}

 

REFERENCE: http://enterpriseit.co/microsoft-active-directory/enable-inheritance-ad-user-accounts/
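One caveat matters for the Domain Admins case in the title: members of AD's protected groups (Domain Admins among them) are stamped with adminCount=1, and the SDProp process periodically (every 60 minutes by default) re-applies the AdminSDHolder ACL to them and disables inheritance again, so the script above is undone on those accounts on the next pass. The read-only audit below is an added example, not from the original post; it assumes the same placeholder search base and the ActiveDirectory module, and reports which accounts have inheritance disabled and whether SDProp is the reason.

```powershell
# Added example (not from the original post): audit which user accounts have inheritance
# disabled and flag those that SDProp/AdminSDHolder will re-protect after any manual change.
# Assumptions: ActiveDirectory module available; the search base is the post's placeholder.
Import-Module ActiveDirectory

$searchBase = 'ou=users,dc=company,dc=com'   # placeholder, as in the post

Get-ADUser -LDAPFilter '(objectclass=user)' -SearchBase $searchBase `
           -Properties adminCount, nTSecurityDescriptor |
    ForEach-Object {
        # nTSecurityDescriptor is returned as an ActiveDirectorySecurity object, so the same
        # AreAccessRulesProtected flag the fix script tests is available without an ADSI bind.
        $protected  = $_.nTSecurityDescriptor.AreAccessRulesProtected
        $adminCount = [int]$_.adminCount          # 1 = account is (or was) in a protected group

        if ($protected -and $adminCount -eq 1) {
            $note = 'SDProp will re-protect; grant rights on AdminSDHolder or remove from protected group'
        } elseif ($protected) {
            $note = 'Manually protected; enabling inheritance will stick'
        } else {
            $note = ''
        }

        [pscustomobject]@{
            SamAccountName      = $_.SamAccountName
            InheritanceDisabled = $protected
            AdminCount          = $adminCount
            Note                = $note
        }
    } |
    Sort-Object InheritanceDisabled -Descending |
    Format-Table -AutoSize
```

For accounts flagged by SDProp, the durable options are to grant the Lync administration rights on the AdminSDHolder object itself (so they are propagated rather than stripped) or to stop using a protected-group member as a regular user account; re-running the enabling script only buys an hour.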

 
