By: Erik Enger | Posted: December 28, 2009 at 11:35 PM

This is just a quick heads-up on the Play-on-Phone feature in Exchange 2010. I was testing several of the new UM features in my lab and one that had me scratching my head was Play-on-Phone, which allows a UM user to play messages at their internal extension or at any number they choose, provided the dialing rules and policies are in place to allow that. This is a useful feature for connections that might not provide audio, such as a kiosk or a corporate desktop. It is also useful when privacy is needed. Users simply click the button, dial their internal or external extension, and have the messages played over the phone.

In Exchange 2007 OWA, for example, the Play-on-Phone button sat at the top of the preview pane and you simply clicked it to initiate dialing a number. Well, in Exchange 2010 things have changed slightly. Aside from the UnifiedMessaging virtual directory being deprecated in 2010 in favor of the EWS virtual directory, the Play-on-Phone feature only seems to be available when you open the message rather than just previewing it. I confirmed this with another professional who also saw this behavior in their lab. This seems to affect only OWA clients; the full Outlook client still displays Play-on-Phone in the preview window.

In the OWA preview pane there is no more Play-on-Phone button available.

[Screenshot: UM-Voicemail1]

Opening the message in OWA reveals the Play-on-Phone button.

[Screenshot: UM-Voicemail2]

I don’t know how many people may be used to this particular feature, but I thought it might be useful to know that administrators and support staff may need to update their instructions and notify users of this cosmetic change for OWA users. I’m not quite sure why MS decided to make this change, but perhaps it was by popular demand, as is the case with some of the feature enhancements that make their way into the final release of the product.

There are quite a few great new features in Exchange 2010 UM, such as call answering rules, rights management for voicemail messages and voicemail message preview. One note about voicemail preview: if the voice connection isn’t clear or Exchange doesn’t quite understand the words spoken in the message, the preview text can be incorrect and potentially confusing or even embarrassing. My test message in the voicemail sample above was supposed to read, “Hi Ryan, it’s Erik. Give me a call.” Not a major problem considering this was a test, but far from the message I left.

By: Erik Enger | Posted: December 17, 2009 at 10:11 AM

Federation is certainly a welcome and interesting feature in Exchange 2010. Being able to share calendar information with other organizations will greatly improve collaboration efforts, especially for shops leveraging both on-premise and Exchange Online services for their information workers. There is a modest amount of information on this feature and how to set it up in the form of TechNet articles, blogs and even a webcast. I read through the available material and the webcast and set out to demo this feature for this blog, but ran into a roadblock.

The roadblock I’m referring to has to do with certificates. In the TechNet article you’ll find a link to the list of CAs you can use for federation:

CA        | Certificate Friendly Name      | Thumbprint
Comodo    | NA                             |
Digicert  | Global Root CA                 | 083B:E056:9042:46B1:A175:6AC9:5991:C74A
Digicert  | High Assurance EV Root CA      | 91 8d a5 e4 99 c1 5f 7c 62 75 b1 24 fe de 53 35 7c 34 bd 36
Entrust   | Entrust.net CA (2048)          | 801D 62D0 7B44 9D5C 5C03 5C98 EA61 FA44 3C2A 58FE
Entrust   | Secure Server CA               | 99A6 9BE6 1AFE 886B 4D2B 8200 7CB8 54FC 317E 1539
Go Daddy  | Secure Certification Authority | 7c46 56c3 061f 7f4c 0d67 b319 a855 f60e bc11 fc44

After going through the steps in the articles to get this set up I was hit with this error in the New Federation Trust wizard.

InvalidManagementCertificate: Certificate not valid for this operation

I was baffled by this one. Everything checked out with my certificate according to the information below. What was wrong?

Certificate Requirements for Federation

To establish a federation trust, you must procure and install an X.509 certificate on the Exchange 2010 server used to create the trust. The certificate is used only to sign and encrypt delegation tokens. The certificate must meet the following requirements:

  • Trusted certification authority   The certificate must be signed by a trusted certification authority (CA). For a list of trusted CAs, see Trusted Root Certification Authorities for Federation Trusts.
  • Subject key identifier   The certificate must have a subject key identifier field. Most X.509 certificates issued by commercial certification authorities have a subject key identifier.
  • CryptoAPI cryptographic service provider (CSP)   The certificate must use a CryptoAPI CSP. Certificates that use Cryptography Next Generation (CNG) providers aren't supported for federation. If you use Exchange to create a certificate request, a CryptoAPI provider is used. For more information, see Cryptography.
  • RSA signature algorithm   The certificate must use RSA as the signature algorithm.
  • Exportable private key   The private key used to generate the certificate must be exportable. You can specify that the private key of a certificate be exportable when you create the certificate request using the New Certificate wizard in the EMC, or the New-ExchangeCertificate cmdlet in the Shell.
  • Current certificate   The certificate must be current. You can't use an expired or revoked certificate to create a federation trust.
  • Enhanced key usage   The certificate must include the enhanced key usage (EKU) type Client Authentication (1.3.6.1.5.5.7.3.2). This usage type is intended for the purpose of proving your identity to a remote computer. If you use Exchange tools to generate the certificate request, this usage type is included by default.
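A shell-side pre-check of the requirements above, added here as an example and not part of the original post: it pulls a certificate from the local machine store by thumbprint (the thumbprint in the usage line and the function name Test-FederationCertificate are placeholders) and tests each requirement that can be read off the certificate object, then builds the chain with online revocation checking. It cannot tell you whether the issuing CA is on the list Microsoft actually accepts, which is what turned out to be the problem in this post, so it prints the chain’s root for you to compare by hand.

```powershell
# Added example (not from the original post): pre-check a certificate in the local
# machine store against the federation trust requirements before running the wizard.
# ASSUMPTION: the thumbprint in the usage line below is a placeholder for your own.
function Test-FederationCertificate {
    param([Parameter(Mandatory=$true)][string]$Thumbprint)

    $thumb = $Thumbprint.Replace(' ', '')
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumb }
    if (-not $cert) { throw "No certificate with thumbprint $thumb in LocalMachine\My" }

    $checks = @{}
    $now = Get-Date

    # Current: inside the validity period (revocation is covered by the chain build below)
    $checks['Current (within validity period)'] = ($cert.NotBefore -le $now -and $cert.NotAfter -gt $now)

    # RSA signature algorithm, e.g. sha1RSA
    $checks['RSA signature algorithm'] = ($cert.SignatureAlgorithm.FriendlyName -match 'RSA')

    # Subject Key Identifier extension (OID 2.5.29.14)
    $checks['Subject Key Identifier present'] =
        [bool]($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.14' })

    # Enhanced Key Usage (OID 2.5.29.37) must include Client Authentication
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $checks['Client Authentication EKU 1.3.6.1.5.5.7.3.2'] =
        [bool]($eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.2' }))

    # CryptoAPI CSP vs CNG, and exportability. On .NET 3.5 (the PowerShell 2.0 Exchange 2010
    # runs on) $cert.PrivateKey only works for CSP keys; a CNG key throws, which is what we test.
    $isCsp = $false; $exportable = $false
    if ($cert.HasPrivateKey) {
        try {
            $info = $cert.PrivateKey.CspKeyContainerInfo
            $isCsp = $true
            $exportable = $info.Exportable
        } catch { $isCsp = $false }
    }
    $checks['Has private key'] = $cert.HasPrivateKey
    $checks['CryptoAPI CSP (not CNG)'] = $isCsp
    $checks['Private key exportable'] = $exportable

    # Build the chain with online revocation checking; the root is what you compare
    # against the CA list Microsoft publishes for federation trusts
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $checks['Chain builds, not revoked'] = $chain.Build($cert)
    if ($chain.ChainElements.Count -gt 0) {
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        Write-Host ("Root CA subject: {0}`nRoot thumbprint: {1}" -f $root.Subject, $root.Thumbprint)
        Write-Host "Compare this root against the CA list Microsoft accepts for federation trusts."
    }

    $checks.GetEnumerator() | Sort-Object Key | ForEach-Object {
        $mark = if ($_.Value) { 'PASS' } else { 'FAIL' }
        Write-Host ("{0,-42} {1}" -f $_.Key, $mark)
    }
    # True only if every check passed; @() so .Count is 0 rather than $null when nothing failed
    return (@($checks.Values | Where-Object { -not $_ }).Count -eq 0)
}

# Usage (placeholder thumbprint):
# Test-FederationCertificate -Thumbprint '0123456789ABCDEF0123456789ABCDEF01234567'
```

Once every line reads PASS and the root is from a CA Microsoft accepts, the same thumbprint is what you hand to New-FederationTrust -Name 'Microsoft Federation Gateway' -Thumbprint <thumbprint>, the Shell equivalent of the wizard.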


I tried a couple of other things, thinking it was something wrong with my Exchange setup, firewall, etc. Finally I started searching for similar issues on blogs and forums. There was nothing, so I decided to post on the Exchange 2010 forum hoping someone had seen this. I did get a rather quick response, and after a couple of exchanges I was presented with this list of CAs that can be used for federation, posted on the MSDN site.

CA                | Issued To
Entrust           | Entrust.net Secure Server Certification Authority
Go Daddy          | Go Daddy Class 2 Certification Authority
Network Solutions | Network Solutions Certification Authority
VeriSign          | Class 3 Public Primary Certification Authority
VeriSign          | VeriSign Trust Network
VeriSign          | VeriSign Class 3 Public Primary Certification Authority - G5


As you can see, quite different. I decided to take a chance and purchased a cert from one of the CAs on the MSDN list. This worked! Although I had to go to the time and expense of getting another cert, I was at least able to establish federation with the MFG (Microsoft Federation Gateway). It is frustrating to find out that this was the problem all along, due to contradictory information posted by Microsoft. My hope, however, is that more CAs will be added to the working list so customers like me don’t have to purchase new ones just to prove a point.

So now, you’ve been warned! :-)

By: Erik Enger | Posted: December 15, 2009 at 4:36 PM

One of the improved features in Exchange 2010 is multi-mailbox searching. While you could do this to a degree in Exchange 2007, it usually required too many rights to delegate it to a compliance officer, and the searches had to be run from PowerShell, so it was often problematic for the user to perform these searches on their own and too burdensome for the administrator to do it on behalf of the user. The normal Exchange search you’re used to doing is still available for other requirements, like removing an email from everyone’s mailbox (e.g. a virus or inappropriate content). This post focuses on the e-discovery aspect of Exchange 2010.

In 2010 things are much improved when it comes to e-discovery. With Microsoft’s use of RBAC in 2010 you can delegate this control rather easily: adding someone to the new Discovery Management role group is all it takes to get started. Keep in mind that membership in this group lets a person search the contents of other people’s mailboxes, so limit it to the people who need it and review it periodically.

[Screenshot: DiscoverySearch1]

You also want to think about the target mailbox for these searches. Typically you’ll want dedicated mailboxes for this type of activity, and even dedicated databases if you’re a large company. A copy of each message matching your search criteria ends up in this mailbox, even if only temporarily, so make sure you have enough resources available to store this data. For this example I’ll be using the default discovery search mailbox that’s created when installing Exchange 2010. You’ll want to delegate access to this mailbox to the compliance officer so they can open it and view the collected data.

Accessing the multi-mailbox search by the delegated individual is done by opening OWA and clicking on the Options button in the upper right corner.

[Screenshot: DiscoverySearch2]

This brings up the new Exchange Control Panel (ECP), in which you can perform a host of operations previously unavailable in 2007. For now we’ll focus on the e-discovery pieces. Once in the control panel, select “My Organization” from the “Select what to manage” drop-down box.

[Screenshot: DiscoverySearch3]

This brings up another set of tabs for managing users, groups and reporting. For now, select the Reporting tab and click New… to create a new search.

[Screenshot: DiscoverySearch4]

This pops up another window allowing you to define your search criteria. At a minimum you’ll need to define the search name, mailbox scope and target mailbox. In practice you are going to want to narrow your search considerably, both to avoid unnecessarily long searches that might not give you what you want and to avoid overburdening the system. For my test I entered some keywords to look for in the emails. I also turned on logging and the option to send an email when the search completes. Once you’re happy with the search, click Save.

[Screenshot: DiscoverySearch6]

The search immediately begins and you can see the progress in the search window.

[Screenshot: DiscoverySearch7]

When your search has completed, you’ll receive an email similar to this one. Notice that the search partially succeeded; this is because some of the source mailboxes were on an Exchange 2007 database. If you click the hyperlink in the message, it opens the target discovery mailbox in an OWA window. You could also open the target mailbox in Outlook if you prefer.

[Screenshot: DiscoverySearch9]

From here you’ll be able to view the messages collected. Expand the folders to drill down and view the messages found in your search. You’ll be able to act on these messages to further filter, categorize and narrow down your search to end up with only the ones you want.


When you’re finished with a search and want to remove it from your saved searches, note that this also removes the collected messages from the target discovery mailbox. You will receive this warning if you attempt it.

[Screenshot: DiscoverySearch13]

While the e-discovery search feature in Exchange 2010 may not be as robust as some third party products it is still a nice alternative to having nothing at all and it’s much better than it was in 2007.
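The same delegation, search and cleanup done from the Exchange Management Shell instead of ECP, added here as an example and not part of the original post: the compliance officer’s address, the search name, the keywords, the date window and the source mailbox names are placeholders for your own environment, and the cmdlets are the Exchange 2010 ones (Add-RoleGroupMember, Add-MailboxPermission, New-MailboxSearch, Get-MailboxSearch, Remove-MailboxSearch).

```powershell
# Added example (not from the original post): delegation, multi-mailbox search and
# cleanup from the Exchange Management Shell.
# ASSUMPTIONS: compliance.officer@contoso.com, the search name, keywords, date window
# and source mailbox/group names are placeholders for your own environment.

$officer = 'compliance.officer@contoso.com'

# 1. Delegate: Discovery Management is what grants the right to run multi-mailbox searches.
#    Its members can read every mailbox in scope, so keep the list short and review it.
Add-RoleGroupMember -Identity 'Discovery Management' -Member $officer
Get-RoleGroupMember -Identity 'Discovery Management'

# 2. Target: use the discovery mailbox created at setup and give the officer Full Access
#    so the collected copies can be opened in OWA or Outlook
$discoveryMbx = Get-Mailbox -RecipientTypeDetails DiscoveryMailbox | Select-Object -First 1
Add-MailboxPermission -Identity $discoveryMbx.Identity -User $officer -AccessRights FullAccess -InheritanceType All

# 3. Create the search with a narrow scope: keywords, a date window and named source
#    mailboxes or distribution groups rather than the whole organization
$searchName = 'HR-Case-0042'
New-MailboxSearch -Name $searchName `
    -SearchQuery 'contract AND termination' `
    -SourceMailboxes 'Sales Team','Finance Team' `
    -TargetMailbox $discoveryMbx.Identity `
    -StartDate ([DateTime]'2009-01-01') -EndDate ([DateTime]'2009-12-15') `
    -LogLevel Full `
    -StatusMailRecipients $officer

# 4. Start it if creation did not already do so, then poll until it leaves InProgress.
#    PartiallySucceeded is what the post saw when some source mailboxes were still on Exchange 2007.
$search = Get-MailboxSearch -Identity $searchName
if ($search.Status -ne 'InProgress') { Start-MailboxSearch -Identity $searchName }
do {
    Start-Sleep -Seconds 30
    $search = Get-MailboxSearch -Identity $searchName
    Write-Host ("{0}: {1}% complete, {2} items found" -f $search.Status, $search.PercentComplete, $search.ResultNumber)
} while ($search.Status -eq 'InProgress')

if ($search.Status -ne 'Succeeded') { $search | Format-List Status, Errors }

# 5. When the case is closed: removing the search also deletes the copied messages from
#    the discovery mailbox, so export or archive anything you need to keep first
# Remove-MailboxSearch -Identity $searchName -Confirm:$false
```

The Get-RoleGroupMember output in step 1 is worth saving each time you run this; it is the record of who could search mailboxes when.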

By: Erik Enger | Posted: November 21, 2009 at 9:26 AM

Following on from mass BPOS account activations, you can now perform mass password resets with the latest Microsoft Online Services Migration Tools. The PowerShell script below reads in a list of BPOS accounts and resets each account’s password. The two fields you need in the CSV file are the email address and the desired password. See the BPOS password requirements before choosing a new password. In the script below you can choose not to force the user to change the password you assign by changing “-ChangePasswordOnNextLogon:$true” to “-ChangePasswordOnNextLogon:$false”.

To run this you must have admin privileges in BPOS and the MSOL Migration Tools installed locally. Save this text with a PowerShell extension (e.g. massPwdChg.ps1), open a Migration Command Shell and run it by typing “.\massPwdChg.ps1”. Make sure the paths in the script exist or change them to suit your needs (i.e. “C:\Migration” and “C:\Migration\ScriptLogs”). The input file is assumed to be massPwdChg.csv. Keep in mind that this file holds every new password in plaintext, and the per-account transcripts in ScriptLogs capture whatever the cmdlet writes to the console, so restrict access to both locations and delete them once the reset is done. Give each account its own password rather than one shared value, and leave the change-on-next-logon option enabled unless you have a specific reason not to.

Here’s a sample CSV file format:

name,mail,passwd
"Test Account",Testaccount@contoso.com,P@ssw0rd


# ==============================================================================================
# Microsoft PowerShell Source File -- Created with SAPIEN Technologies PrimalScript 2009
#
# NAME: massPwdChg.ps1
#
# AUTHOR: Erik Enger , PointBridge
# DATE  : 11/03/2009
#
# COMMENT: Use this script to perform a mass password change of BPOS accounts
#
# Note: This script requires the Microsoft Exchange Transporter snap-in, which the
# Migration Command Shell loads for you. To run it from a regular PowerShell window
# instead, add the snap-in to your default profile:
#
#        c:\windows\system32\windowspowershell\v1.0\profile.ps1
#
#        add-pssnapin Microsoft.Exchange.Transporter
# ==============================================================================================
cls

# Load the snap-in if the current shell does not already have it
if (-not (Get-PSSnapin Microsoft.Exchange.Transporter -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.Exchange.Transporter
}

# Input CSV (name,mail,passwd) and per-account transcript folder; adjust to suit your environment
$inputFile = "C:\Migration\massPwdChg.csv"
$logDir    = "C:\Migration\ScriptLogs"
if (-not (Test-Path $inputFile)) { Write-Host "Input file $inputFile not found." -ForegroundColor Red; exit }
if (-not (Test-Path $logDir))    { New-Item -ItemType Directory -Path $logDir | Out-Null }

# Get the login ID for the BPOS admin account
write-host 'Enter the username for the MS Exchange Online admin (i.e. admin@contoso.com): '
$bposlogin = Read-Host

# Get the password for the BPOS admin account in a secure fashion (display * for password)
write-host 'Enter the password for the MS Exchange Online admin (i.e. admin@contoso.com): ' -foregroundcolor yellow -BackgroundColor darkmagenta
$bpospwd = read-host -assecurestring
Write-Host

# Form the BPOS credential object and store it in a variable to be passed to upcoming commands
$bposcred = new-object -typename System.Management.Automation.PSCredential -argumentlist $bposlogin, $bpospwd

write-host "`n`n`n"
"************************************************************************************************"

import-csv $inputFile | foreach {

    ## Start a Transcript, one log file per account (the account name becomes part of the file name)
    $file = Join-Path $logDir ($_.name + "-massPwdChg.log")
    "************************************************************************************************"
    Start-Transcript -Path $file -NoClobber:$false
    Write-Host "Resetting BPOS password for:" $_.name
    Date
    "************************************************************************************************"
    # Set the password and prompt for change on next logon
    # (change -ChangePasswordOnNextLogon:$true to :$false to let the assigned password stand)
    Set-MSOnlineUserPassword -Identity $_.mail -Password $_.passwd -ChangePasswordOnNextLogon:$true -Credential $bposcred -Verbose
    ## Stop the log
    Date
    Stop-Transcript
    "************************************************************************************************"
    Write-Host `n`n`n
}
By: Erik Enger | Posted: November 18, 2009 at 12:39 AM

Bulk account activations are now possible with the latest Microsoft Online Services Migration Tools. If you're like me, performing this in the past was a pain: you had to activate the accounts through the web portal, which allowed only a handful of accounts at a time, and collecting the passwords for delivery to the users was excruciating too. We now have a solution!

The PowerShell script below reads in a list of BPOS accounts and activates them in BPOS. The fields you need in the CSV file are the email address, desired password, location and mailbox size. See the BPOS password requirements before establishing a password, and keep in mind that the CSV holds those initial passwords in plaintext, so restrict access to it and delete it once the activations are done.

To run this you must have admin privileges in BPOS and the MSOL Migration Tools installed locally. Save this text with a PowerShell extension (e.g. massActivate.ps1), open a Migration Command Shell and run it by typing “.\massActivate.ps1”. Make sure the paths in the script exist or change them to suit your needs (i.e. “C:\Migration” and “C:\Migration\ScriptLogs”). The input file is assumed to be massActivate.csv. Also, replace the placeholder value passed to the SubscriptionIDs parameter with your own BPOS subscription ID, which you can find by running this cmdlet:

Get-MSOnlineSubscription


The script might take a while to complete, depending on the number of accounts you are activating so please be patient.

Here’s a sample CSV file format:

name,mail,passwd,location,mbxsize
TestAccount,Testaccount@contoso.com,P@ssw0rd,US,5368709120


# ==============================================================================================
#
# Microsoft PowerShell Source File -- Created with SAPIEN Technologies PrimalScript 2009
#
# NAME: massActivate.ps1
#
# AUTHOR: Erik Enger , PointBridge
# DATE  : 11/03/2009
#
# COMMENT: Use this script to mass activate BPOS accounts
#
# Note: This script requires the Microsoft Exchange Transporter snap-in, which the
# Migration Command Shell loads for you. To run it from a regular PowerShell window
# instead, add the snap-in to your default profile:
#
#  c:\windows\system32\windowspowershell\v1.0\profile.ps1
#
#  add-pssnapin Microsoft.Exchange.Transporter
# ==============================================================================================

# Load the snap-in if the current shell does not already have it
if (-not (Get-PSSnapin Microsoft.Exchange.Transporter -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.Exchange.Transporter
}

# Replace with your own subscription ID (see Get-MSOnlineSubscription)
$subscriptionId = "abcd1234-123a-456b-c789-d123ef0f12e3"

# Input CSV (name,mail,passwd,location,mbxsize) and per-account transcript folder
$inputFile = "C:\Migration\massActivate.csv"
$logDir    = "C:\Migration\ScriptLogs"
if (-not (Test-Path $inputFile)) { Write-Host "Input file $inputFile not found." -ForegroundColor Red; exit }
if (-not (Test-Path $logDir))    { New-Item -ItemType Directory -Path $logDir | Out-Null }

# Get the login ID for the BPOS admin account
write-host 'Enter the username for the MS Exchange Online admin (i.e. admin@contoso.com): '
$bposlogin = Read-Host

# Get the password for the BPOS admin account in a secure fashion (display * for password)
cls
write-host 'Enter the password for the MS Exchange Online admin (admin@contoso.com): ' -foregroundcolor yellow -BackgroundColor darkmagenta
$bpospwd = read-host -assecurestring
Write-Host

# Form the BPOS credential object and store it in a variable to be passed to upcoming commands
$bposcred = new-object -typename System.Management.Automation.PSCredential -argumentlist $bposlogin, $bpospwd

write-host "`n`n`n"

# Get number of available licenses. One call returns both TotalSeats and UsedSeats;
# this assumes a single BPOS subscription.
$subscription = Get-MSOnlineSubscription -Credential $bposcred
$freeseats = $subscription.TotalSeats - $subscription.UsedSeats
Write-Host "The number of available seats in your BPOS subscription is: " $freeseats

# Count number of accounts you're trying to activate in BPOS
# (@() forces an array so .Count works even when the CSV holds a single row)
$accounts = @(import-csv $inputFile)
$licenseCount = $accounts.Count
Write-Host "You are trying to activate " $licenseCount " new accounts."
Write-Host `n`n

if ($licenseCount -gt $freeseats) {
    Write-Host "You do not have enough free licenses to activate all of the objects in your input file. Please purchase additional licenses or remove objects from the activation list. This script will now exit." -foregroundcolor red -BackgroundColor darkmagenta
    exit
}

# If there are enough free BPOS licenses, prompt the user to continue with activation process
# Create choices list
$yes = new-Object System.Management.Automation.Host.ChoiceDescription "&Yes",""
$no  = new-Object System.Management.Automation.Host.ChoiceDescription "&No",""
$choices = [System.Management.Automation.Host.ChoiceDescription[]]($yes,$no)

# Now to prompt the user and get a result
$caption = "Proceed with mass activation..."
$message = "Do you wish to proceed activating these new accounts?"
$result = $host.ui.PromptForChoice($caption,$message,$choices,0)

if ($result -eq 1) {
    Write-Host "You answered NO. Exiting script now."
    exit
}

Write-Host "You answered YES. Proceeding with mass activation. You will be notified when it's complete."
"************************************************************************************************"

$accounts | foreach {

    ## Start a Transcript, one log file per account
    $file = Join-Path $logDir ($_.name + "-massActivate.log")
    "************************************************************************************************"
    Start-Transcript -Path $file -NoClobber:$false
    Write-Host "Starting activation for:" $_.name
    Date
    "************************************************************************************************"
    Enable-MSOnlineUser -Identity $_.mail -Password $_.passwd -SubscriptionIDs $subscriptionId -UserLocation $_.location -MailboxQuotaSize:$_.mbxsize -Credential $bposcred -Verbose
    ## Stop the log
    Date
    Stop-Transcript
    "************************************************************************************************"
    write-host `n`n`n
}

# Get final number of available licenses
$subscription = Get-MSOnlineSubscription -Credential $bposcred
$freeseats = $subscription.TotalSeats - $subscription.UsedSeats
Write-Host "Now the number of available seats in your BPOS subscription is: " $freeseats
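Both the activation script above and the password reset script in the earlier post take their passwords from a CSV, and the samples use the same value for every account. The following is an added example, not part of the original scripts, that builds that CSV with a unique, cryptographically random initial password per account; the function names New-RandomPassword and New-BposInputCsv, the 12-character four-class policy, and the sample addresses are placeholders, and the policy in particular must be adjusted to the current BPOS password requirements.

```powershell
# Added example (not from the original scripts): build massActivate.csv / massPwdChg.csv
# with a unique, crypto-random password per account instead of one shared value such
# as P@ssw0rd. With -ChangePasswordOnNextLogon:$true it becomes a one-time password.
# ASSUMPTION: the 12-character, four-class policy below is a placeholder; check the
# current BPOS password requirements and adjust New-RandomPassword to match.

function New-RandomPassword {
    param([int]$Length = 12)
    $lower   = 'abcdefghijkmnpqrstuvwxyz'     # l and o left out as easy to misread
    $upper   = 'ABCDEFGHJKLMNPQRSTUVWXYZ'     # I and O left out
    $digits  = '23456789'                     # 0 and 1 left out
    $symbols = '!@#$%^&*-_=+?'
    $all     = $lower + $upper + $digits + $symbols

    $rng = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    # Pick one character from $set using the CSPRNG (the small modulo bias is acceptable here)
    $pick = {
        param([string]$set)
        $buf = New-Object byte[] 4
        $rng.GetBytes($buf)
        $set[[int]([BitConverter]::ToUInt32($buf, 0) % $set.Length)]
    }
    # Guarantee one character from each class, then fill the rest from the full alphabet
    $chars = @((& $pick $lower), (& $pick $upper), (& $pick $digits), (& $pick $symbols))
    while ($chars.Count -lt $Length) { $chars += (& $pick $all) }
    # Shuffle with random sort keys so the class-guaranteed characters are not always first
    $shuffled = $chars | Sort-Object { $b = New-Object byte[] 4; $rng.GetBytes($b); [BitConverter]::ToUInt32($b, 0) }
    return (-join $shuffled)
}

function New-BposInputCsv {
    param(
        [string[]]$Addresses,
        [string]$Path,
        [string]$Location = 'US',
        [long]$MailboxQuotaBytes = 5GB      # 5368709120, as in the sample CSV
    )
    $rows = @()
    foreach ($addr in $Addresses) {
        # Reject anything that does not look like user@domain.tld before it reaches BPOS
        if ($addr -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') {
            Write-Warning "Skipping malformed address: $addr"
            continue
        }
        $rows += New-Object PSObject -Property @{
            name     = ($addr -split '@')[0]
            mail     = $addr
            passwd   = New-RandomPassword
            location = $Location
            mbxsize  = $MailboxQuotaBytes
        }
    }
    # Column order matches massActivate.csv; massPwdChg.ps1 reads only name, mail and passwd
    $rows | Select-Object name, mail, passwd, location, mbxsize |
        Export-Csv -Path $Path -NoTypeInformation
    return $rows.Count
}

# Usage: generate the file, run the activation or reset script, then delete the CSV and the
# ScriptLogs transcripts, which hold the plaintext passwords and everything written to the console
$written = New-BposInputCsv -Addresses 'testaccount@contoso.com','jdoe@contoso.com' -Path 'C:\Migration\massActivate.csv'
Write-Host "$written account rows written to C:\Migration\massActivate.csv"
# Remove-Item 'C:\Migration\massActivate.csv'
```

The generated passwords are only meant to survive until the user's first logon, which is why the reset script's -ChangePasswordOnNextLogon:$true matters: the CSV, the transcripts and whatever channel you use to hand the password to the user are all places a plaintext copy lives until then.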


About Erik Enger

Senior Consultant. Erik Enger is a motivated and dedicated professional with 15 years of experience in information technology. His major strengths include strong leadership, excellent interpersonal and communication ski...
