Category Archives: Troubleshooting

Publishing ADFS 2.0 using Threat Management Gateway 2010

Another option for publishing ADFS 2.0 to the internet is to use TMG 2010 as a proxy. This method will replace an ADFS 2.0 Proxy server.

ADFS Proxy services let external users authenticate with their domain credentials, and they are essential for users who need access to Office 365 but cannot reach the local domain controller.

The process below guides you through setting up TMG 2010 to publish (proxy) ADFS traffic from the internet to the local ADFS 2.0 server. This assumes that you already have your internal ADFS infrastructure set up and connected to Office 365.

  1. Open TMG Management Console
  2. Expand Forefront TMG
  3. Right-click Firewall Policy
  4. Click New
  5. Click Web Site Publishing Rule…
  6. Add a descriptive name for your rule
  7. Click Next
  8. Select Allow under Action to take when rule conditions are met
  9. Click Next
  10. Select Publish a single Web site or load balancer. This option works for a single ADFS server and for a load-balanced ADFS farm.
  11. Click Next
  12. Select Use SSL to connect to the published Web server or server farm
  13. Click Next
  14. Enter your internal ADFS server farm name
  15. Click Next
  16. Enter the path for ADFS: /adfs/*
  17. Check Forward the original host header instead…
  18. Click Next
  19. Enter your publicly resolvable name for the ADFS site
  20. Click Next
  21. Select Web Listener, click New…
  22. Add a descriptive name for your web listener
  23. Click Next
  24. Select Require SSL secured connections with clients
  25. Click Next
  26. Select your External network, or select the IP address on which you want to listen for the ADFS traffic
  27. Click Next
  28. Click Select Certificate
  29. Select the public certificate. This is the same certificate that we used on the internal ADFS servers; I exported the certificate and imported it onto the TMG server.
  30. Click Select
  31. Click Next
  32. Select HTML Form Authentication
  33. Select Windows (Active Directory) to validate client credentials
  34. Click Next
  35. Uncheck Enable SSO for Web sites published with this Web listener
  36. Click Next
  37. Click Finish
  38. Now that the Web listener is set up, click Next
  39. Select NTLM authentication
  40. Click Next
  41. Remove All Authenticated Users
  42. Add All Users
  43. Click Next
  44. Click Finish

Now that the rule and Web listener are set up, we need to make some modifications.

  1. Right-click the ADFS rule and select Configure HTTP
  2. Uncheck Verify normalization
  3. Uncheck Block high bit characters
  4. Click OK
  5. One handy option that we can use with TMG is password changes and password expiry notifications. To enable this we need to edit the Web listener
  6. Right-click the ADFS rule and select Properties
  7. Click the Listener tab
  8. Click Properties
  9. Click the Forms tab
  10. Check Allow users to change their passwords
  11. Check Remind users that their passwords will expire…
  12. Click OK
  13. Click OK
  14. Apply the changes to TMG and allow some time for the configuration to update

Test the logon process

  1.
  2. Enter your credentials
  3. Click sign in at…
  4. Enter the UPN account name and password
  5. Click Log On

This is how the users will see a password change notification.

Thanks for visiting and reading my posts. I am always looking for more ideas. Please comment or email me with what you would like to see.

Kelsey Epps

Office 365 MVP

Email Me Follow me on Twitter Connect with me on LinkedIN Facebook Me

Use Windows PowerShell to Manage Office 365

Make sure that you are using the Microsoft Online Services Module for Windows PowerShell that you downloaded from the download section of the Admin Portal.

  1. Right-click the shortcut to ‘Microsoft Online Services Module for Windows PowerShell’ on the desktop and select “Run as Administrator…”
  2. Set the execution policy for the local server to RemoteSigned:
     Set-ExecutionPolicy -ExecutionPolicy RemoteSigned
  3. Set your credential variable:
     $cred = Get-Credential
  4. Enter the username and password for the global admin account on Office 365 when prompted
  5. Connect to Microsoft Online Services with the credential variable set previously:
  6. Connect-MsolService -Credential $cred


A list of all the commands can be found here:

http://onlinehelp.microsoft.com/en-us/office365-enterprises/hh125002.aspx
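The connection steps above as a single script, followed by one sample query so you can confirm the session works. This is an added example and not code from the original post; it assumes the Microsoft Online Services Module for Windows PowerShell is installed and the console was started with Run as Administrator.

```powershell
# Added example, not from the original post: the connection steps as one
# script plus a sample query. Assumes the Microsoft Online Services Module
# for Windows PowerShell (MSOnline) is installed and the console is elevated.

# A plain PowerShell console needs the module loaded explicitly; the
# desktop shortcut does this for you.
Import-Module MSOnline

# Step 2: locally written scripts run unsigned, downloaded scripts must be signed.
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Force

# Steps 3 and 4: prompt for the global admin credential instead of
# embedding a password in the script.
$cred = Get-Credential

# Steps 5 and 6: open the session to Microsoft Online Services.
Connect-MsolService -Credential $cred

# Sample query: directory-synchronized users that hold a license, the same
# population as a "Synchronized users with an active license" custom view
# in the Microsoft Online Portal.
$synced   = @(Get-MsolUser -Synchronized -All)
$licensed = @($synced | Where-Object { $_.IsLicensed })

$licensed |
    Select-Object DisplayName, UserPrincipalName, LastDirSyncTime |
    Sort-Object DisplayName |
    Format-Table -AutoSize

Write-Host ("{0} synchronized users, {1} of them licensed" -f $synced.Count, $licensed.Count)
```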

 


SharePoint Web Part Page Maintenance – SharePoint Online

I recently ran into an issue where I made some changes to a web part on my blog and was no longer able to view the page. Since I could not view the page, I could not fix or remove the web part.

I posted a question on the Microsoft Community Forum and was shown a way to fix the web part.

ERROR

There is a way to edit Web Parts on Pages that throw errors – you just add ?contents=1 to the end of the URL and SharePoint gives you the Web Part Maintenance version of the page.

 

Based on my BLOG URL, I went here: http://office365support.ca/blog/default.aspx?contents=1

 

Then you can delete whichever Web Part you last edited, and hopefully the page will run as normal again.

 


Custom Views Make for Easier User Management – Microsoft Online Portal

Managing a small number of users in the MOP (Microsoft Online Portal) can be very simple. It is when you have hundreds or thousands of accounts that things get unwieldy. Microsoft has done a great job of giving you control over this: you can create custom views or filters to weed out the users that you don’t need to see.

Just above the list of users you will see a “View:” drop-down menu. This is where you can select, create, edit and delete the views for the user accounts.

By default Microsoft has included a number of useful filters.


We can also take this one step further and create our own custom filter, giving us a view that works for us. This is done simply by selecting “New view”.

In the example below, I created a view of Synchronized users with an active license.


Selecting this view shows the results of the filters that we saved.

 


Directory Synchronization – Filtering OUs to Synchronize to Office 365

With Office 365 being adopted by larger companies, most of them only want to synchronize the accounts from a certain OU. This is now possible with the newest version of Directory Synchronization. Microsoft released a new 64-bit version of DirSync back in November of 2011. The new version is based on Forefront Identity Manager 2010, and this is the product that allows us to filter OUs. Generally when I set up companies, I create an OU in Active Directory where all the accounts used by Office 365 will reside. This way I can filter out all the other OUs and only synchronize the ones identified as cloud accounts. This feature was lacking in previous versions of Directory Synchronization and it’s a welcome addition for most of my customers.

The best case scenario is to implement filtering before the first synchronization with Office 365. When prompted at the end of the Microsoft Online Services Directory Synchronization Configuration setup, uncheck “Synchronize Directories Now” before you click Finish.

If you already have Microsoft Online Services Directory Synchronization installed, you simply uninstall the previous version and install the newest version to get this feature. You will be able to setup filtering, but you will have to manually clear all the old non active accounts from Office 365.

Open FIM 2010 – Depending on the version installed, use one of the paths below.

C:\Program Files\Microsoft Online Directory Sync\SYNCBUS\Synchronization Service\UIShell\miisclient.exe

or

C:\Program Files\Windows Azure Active Directory Sync\SYNCBUS\Synchronization Service\UIShell\miisclient.exe

  1. Click Management Agents
  2. Right-click SourceAD or Active Directory Connector
  3. Click Properties
  4. Select Configure Directory Partitions
  5. Click the Containers… button
  6. Enter the Directory Sync Service Account or another domain account with the correct permissions when prompted (clear the MSOL_AD_Sync account)
  7. Click OK
  8. Select the OUs that you want to synchronize with Office 365
  9. Click OK
  10. Wait for an automatic synchronization to run or force a manual synchronization

Now you see that only the users in the Office365SupportLab.com OU are synchronized with Office 365.


 


Office 365 Prompting for Credentials when using Single Sign-On (ADFS and Directory Sync are Installed)

This is a common issue and one overlooked by most administrators: users complain that they are still being prompted for credentials when accessing services from Office 365. This should not happen if you have ADFS and Directory Synchronization in place.

To remedy the issue, simply add the ADFS server farm address (sts.domain.com) to the sites in the Local Intranet zone in Internet Explorer. This allows IE to pass your local credentials to the web page as needed.

  1. Open Internet Explorer
  2. Click on the gear icon in the top right corner
  3. Select Internet Options
  4. Click the Security tab
  5. Click Local Intranet
  6. Click Sites
  7. Click Advanced
  8. Add your ADFS server farm name (sts.domain.com)
  9. Click Add
  10. Click Close
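The same zone assignment done from PowerShell, for the case where the fix has to reach every workstation rather than one user's browser. This is an added example, not part of the original post; it writes the per-user ZoneMap registry entries that Internet Explorer reads, and the farm name sts.domain.com is the post's own placeholder.

```powershell
# Added example, not from the original post: registers the ADFS farm name in
# the Local Intranet zone through the per-user ZoneMap registry keys that
# Internet Explorer reads, the same result as steps 1-10 above but scriptable.
# 'sts.domain.com' is the placeholder farm name used in the post.
$AdfsFarm = 'sts.domain.com'
$ZoneMapDomains = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'

function Get-ZoneMapKey {
    param([string]$HostName)
    # IE keys entries as Domains\<registrable domain>\<host label(s)>; a bare
    # two-label name (domain.com) sits directly under Domains. Assumes a
    # two-label registrable domain, which holds for the post's example.
    $labels = $HostName.ToLower().Split('.')
    if ($labels.Length -le 2) { return Join-Path $ZoneMapDomains $HostName.ToLower() }
    $domain = $labels[-2..-1] -join '.'
    $sub    = $labels[0..($labels.Length - 3)] -join '.'
    return Join-Path (Join-Path $ZoneMapDomains $domain) $sub
}

function Add-LocalIntranetSite {
    param([string]$HostName)
    $key = Get-ZoneMapKey $HostName
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # One DWORD per URL scheme: 1 = Local Intranet, 2 = Trusted Sites.
    # The farm is only published over HTTPS, so that is the scheme to register.
    New-ItemProperty -Path $key -Name 'https' -Value 1 -PropertyType DWord -Force | Out-Null
}

function Test-LocalIntranetSite {
    param([string]$HostName)
    $key = Get-ZoneMapKey $HostName
    if (-not (Test-Path $key)) { return $false }
    $entry = Get-ItemProperty -Path $key -Name 'https' -ErrorAction SilentlyContinue
    return ($entry -ne $null -and $entry.https -eq 1)
}

Add-LocalIntranetSite -HostName $AdfsFarm
if (Test-LocalIntranetSite -HostName $AdfsFarm) {
    Write-Host "$AdfsFarm is in the Local Intranet zone for the current user."
} else {
    Write-Warning "Zone assignment for $AdfsFarm was not written."
}
```

If the Site to Zone Assignment List Group Policy is in force on the workstation, it supersedes these per-user entries, so in that case deliver the farm name through that policy instead.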

 


Remote Wipe Phones Connected to Exchange Online

I had my first chance the other day to do something I had often wondered about: how well does remote wipe actually work? Well, I can now say that this feature is really cool and works really well.

A client of mine called in a panic because his phone had been stolen. He had some sensitive data on the phone and wanted to know if there was a way to track it. I offered him a better solution: wipe the device so that all the data is gone. Since he probably wasn’t getting his phone back and had all the data backed up, he was happy to use this feature. Even though I was on the road, I was able to talk him through the process.

This can be used by both the administrator and the user of the device.

By the user:

  1. Login to OWA (http://www.outlook.com/domainname.com)
  2. Click Options (top right)
  3. Click See all options…
  4. Click Phone (Left hand side)
  5. Select your Device
  6. Click Wipe Device

At this point you will get a few more prompts making sure that you want to wipe the device.

By the Administrator:

  1. Login to the MOP (http://portal.microsoftonline.com)
  2. Open the ECP (Exchange Control Panel)
  3. Find and Double Click the user, to open the Properties
  4. Expand Phone & Voice Features
  5. Double Click Exchange ActiveSync
  6. Select the Device
  7. Click Wipe Device

At this point you will get a few more prompts making sure that you want to wipe the device.
