2021-02-09

IT/TECH: Office 365 / Microsoft 365 - Outlook is stuck in a redirect loop and everything you found isn't working... you might have shot yourself in the foot...

 Epilogue

Today I wasted about 4h to figure out why I couldn't log in to https://outlook.office.com or https://outlook.office365.com, nor was I able to connect to https://outlook.office365.com/ecp or its new version https://admin.exchange.microsoft.com/.

The latter two at least did let me in from time to time - browser and computer independent... even on Linux I was rejected or not... absolutely erratic. Same with the user experience URIs, which did work - same browsers as with my Windows device - at least under Linux.

I tried many of the things the web was willing to offer by searching it and was close to giving up. I even turned off all security measures and started the good old Wireshark, but nothing really led me to the solution - which I will not keep from you any longer :)

A Solution

When I set up O365 I was not happy with just adding some roles to my account, I just added all roles - why not, for setup I didn't want to fall short nor wanted to be the Global Administrator before establishing MFA.

I then found

We have a similar issue where user may receive redirect error when trying to sign in Outlook. The potential cause is: When there are too many roles that the user belongs to, the size of JWT token is bigger than 4K. OWA reuses JWT token data for OpenId Connect authentication. Because of the JWT size, the overall cookie length exceeds 4K, some browsers may not set the cookie.

 

For this case, please kindly confirm with your admin, try to sign in Office 365 admin center to check all roles you already own and remove the un-needed roles. If you’re Office 365 global admin, in admin center, check current roles assigned to you and unassign all the other admin roles in the M365 admin center. Wait for a while for changes to take effect and test issue again.

at Microsoft Answers: Repeating redirects detected. Scroll down; I have already cited the last answer above. However, you might want to thank Anna Ma MSFT for this solution if it helps you to overcome the issue described here - I did so, and herewith again:

Thank you Anna Ma MSFT.
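
The size effect described in the quoted answer can be reproduced offline. The following Python sketch is an added example, not code from Microsoft or from the original post: it builds a constructed JWT-shaped cookie value with one GUID per assigned role and checks it against the 4096 bytes per cookie that RFC 6265 requires browsers to accept. The cookie names, the user, and the assumption that roles travel as a GUID list under the claim name `wids` are illustrative only.

```python
import base64
import json
import uuid

# RFC 6265 only requires browsers to accept 4096 bytes per cookie,
# measured over name, value and attributes together.
COOKIE_LIMIT = 4096
ATTRIBUTES = "; Path=/; Secure; HttpOnly"


def b64url(data: bytes) -> str:
    """Base64url without padding, as used for JWT segments."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def build_token(role_count: int) -> str:
    """Constructed JWT-shaped value with one GUID per assigned role."""
    header = {"typ": "JWT", "alg": "RS256"}
    payload = {
        "upn": "admin@contoso.example",   # constructed user
        "tid": str(uuid.UUID(int=1)),     # constructed tenant id
        # Assumption: roles are carried as a list of GUIDs (claim "wids").
        "wids": [str(uuid.UUID(int=1000 + i)) for i in range(role_count)],
    }
    signature = bytes(256)  # placeholder, length of an RSA-2048 signature
    segments = [
        json.dumps(header, separators=(",", ":")).encode(),
        json.dumps(payload, separators=(",", ":")).encode(),
        signature,
    ]
    return ".".join(b64url(s) for s in segments)


def set_cookie_header(name: str, role_count: int) -> str:
    """Constructed response header line carrying the token as cookie value."""
    return f"Set-Cookie: {name}={build_token(role_count)}{ATTRIBUTES}"


def cookie_size(header_line: str) -> int:
    """Bytes of the cookie itself (everything after 'Set-Cookie:')."""
    return len(header_line.split(":", 1)[1].strip().encode("utf-8"))


def role_count_in(token: str) -> int:
    """Decode the payload segment and count the role entries in it."""
    segment = token.split(".")[1]
    segment += "=" * (-len(segment) % 4)  # restore stripped padding
    return len(json.loads(base64.urlsafe_b64decode(segment)).get("wids", []))


def oversized_cookies(header_lines):
    """Names and sizes of cookies a browser may silently refuse to store."""
    flagged = []
    for line in header_lines:
        size = cookie_size(line)
        if size > COOKIE_LIMIT:
            name = line.split(":", 1)[1].strip().split("=", 1)[0]
            flagged.append((name, size))
    return flagged


def max_roles_that_fit(name: str) -> int:
    """Largest role count whose cookie still stays within the limit."""
    count = 0
    while cookie_size(set_cookie_header(name, count + 1)) <= COOKIE_LIMIT:
        count += 1
    return count


if __name__ == "__main__":
    captured = [set_cookie_header("ExampleSession", 5),
                set_cookie_header("ExampleIdToken", 90)]
    for name, size in oversized_cookies(captured):
        print(f"{name}: {size} bytes exceeds {COOKIE_LIMIT}")
    print("roles that still fit:", max_roles_that_fit("ExampleIdToken"))
```

With a real capture, feed the `Set-Cookie` lines from the sign-in response (browser developer tools or a proxy) into `oversized_cookies` to see whether any cookie crosses the limit.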

 

Aftermath

Apart from the fact that the Microsoft Exchange Online Team might want to expand the error message to e.g. "Cookie not found" or something like that instead of the five or six different, misleading error messages, I again found a point speaking against cookies - modern browsers do deliver alternative solutions; and here I don't need to write about GDPR compliance or related stuff.

Nearly 20 years ago I showed in a quite complex Netscape & Internet Explorer supporting JavaScript Web-project - nowadays you would use one of these nice frameworks - with a quite challenging interface (the designer was allowed what he believed is cool, modern, ...) that Cookies are of no use (at that time). We stored data up to 10MB and more by using other ways (which does work differently still today). Which was ridiculous too - but that's another story.

2020-06-09

IT/TECH: OPNsense deny default rule problems

Foreword
Moving from pfSense to OPNsense does create a learning curve and a number of unexpected problems - at least this is my experience.

Therefore I'll post now from time to time the one or other 'highlight' that I found and potential solutions to them, at least the ones I found.

Situation
I recently installed OPNsense from scratch on a new machine, a number of interfaces, two WAN interfaces, some LAN and WiFi interfaces.

After doing the basic installation - which is quite fast and easy - I found that no traffic went through the added interfaces, except for the initial LAN.

More, and surely not helpful, I just found [..] deny default route [..] in the Firewall: Log Files: Live View. E.g. DNS queries that haven't yet been blocked are denied. Even on each interface I installed IPv4 and IPv6 allow everything rules and expected that they just work.

After researching a while back and forth, I found that none of the articles, both in the OPNsense forum and elsewhere on the net, helped. E.g. Firewall: Diagnostics: States Reset and clicking Reset didn't help.

Potential solution / My solution
So after trying around and thinking everything through and since this is now the 5th or 6th time I (re-)install OPNsense I tried the following:
  1. Firewall: Diagnostics: States Reset - do the full reset thing
  2. Opening an SSH connection to the Firewall
  3. Choosing "11) Reload all services"
And guess what, that did the thing.

Epilogue
With pfSense I never had issues like this, but others... With OPNsense I found now a number of situations, e.g. this one in which I found this process helps.

Yet, I haven't found out why this is (the often) needed process to get OPNsense do what it should, however, I hope that this helps other newbies to OPNsense if they come across such a problem.

2020-05-30

IT/TECH: Exchange Online (O365) & PowerShell: Access denied and other stupid failures... or how-to use Exchange Online Powershell V2 module without IE

THIS IS GOING TO BE REVIEWED and written in more detail as soon as I find some time, however, it may be of some help until then - and if it is just that I remember where to go ;)

If you, like me, are fighting some Microsoft decisions when it comes to using an on-premise domain and integrating it afterwards, and you decided to just go with Azure-AD / Office 365 without on-premise, you will sooner or later come to a point where you potentially need to access Exchange Online with PowerShell.

If you, like me, also decided to get rid of IE wherever possible, you will figure out that you get Access Denied errors and other, strange issues when accessing O365 Exchange from PowerShell.

Sooner or later you'll realize that when opening Office 365 Exchange Admin Center (https://portal.office.com -> Admin -> Exchange Admin Center), clicking on Hybrid and then on configure below the Exchange Online PowerShell Module, the next problem arises: No Internet Explorer, no success. You cannot install the module successfully without IE - at least not according to all currently existing documentation if you search the way I did.

So either you open the module via IE which might work directly on a non-core-Windows server but is not really feasible or you'll find the following page https://docs.microsoft.com/en-us/powershell/exchange/exchange-online/exchange-online-powershell-v2/exchange-online-powershell-v2?view=exchange-ps and here we go: Install and maintain the Exchange Online PowerShell V2 module.

If you are following https://docs.microsoft.com/en-us/office365/troubleshoot/active-directory/duplicate-attributes-prevent-dirsync to fix your current issues, you just need to adapt the commands to the current ones.

You also may want to consult https://docs.microsoft.com/en-us/powershell/exchange/exchange-online/connect-to-exchange-online-powershell/mfa-connect-to-exchange-online-powershell?view=exchange-ps if you are using MFA to get the session from the latter link working.

a) Connect-EXOPSSession -UserPrincipalName chris@contoso.com -DelegatedOrganization fabrikam.onmicrosoft.com
b) $SessionExO = Get-PSSession
c) Import-PSSession $SessionExO -Prefix:Cloud

and then you can go on.

2020-03-20

LifeStyle: How deadly is the coronavirus? Revised version

For all those who still think that Corona is a joke, for the mayor of Berlin who thinks that curfews are unnecessary, and for those few who simply want to inform themselves.

It should be noted that this is one of many possible sources - I recommend searching in English, e.g. current reports from Italian physicians, fresh from the "Corona front", so to speak. But quite a few Chinese scientists too, before China's propaganda reworking began but also still now, have circulated various publications in English that are understandable enough even for 'normal' people to grasp what Corona means and why everyone is called upon to act - and not to wait for the state to regulate us all.

What I fear more than Corona is the enforcement of a general quarantine - that will open the floodgates for those who are latently against democracy and education; let us hope that they, as well as those who make this possible, lack the necessary brains.

2019-10-28

IT/TECH: Windows Deployment Services (WDS) do not work and fails with "The Following Client failed TFTP" or similar

If you, like I did in the past weeks, find the following or a similar error, the solution may be far easier than you believe:
The Following Client failed TFTP
Download: Filename: boot\x64\wdsmgfw.efi
ErrorCode: 1460
This error may be easily resolved. Check whether or not your NICs use Jumbo Frames of whatever size. If so, simply turn Jumbo Frames off for this server, specifically for the NICs responsible for the WDS service.

After trying really everything, including re-installation of the whole system, I finally found that the one thing I always do (use max. Jumbo Frames) I shouldn't have done with this system.

However @microsoft, the error message is 'misleading' - actually not helping, so much is for sure.

2019-05-19

IT/TECH: SYSPRP Package [..] was installed for a user, but not provisioned for all users. This package will not function properly in the sysprep image.

It may be that I am the only one running into this stupid problem due to my own 'fooliness', the problem however fills the one or other forum.

What happened

  • Created a Windows (10, v1809) image for deployment (with all needed pre-installed software due to the lack of SCCM or similar tools and since network speed and capacity is not a problem (yet), ...)
  • For a number of reasons I decided to activate the Administrator user to do this instead of using the 'interim' one I set up in the first place.
    • I also deleted the user in "Computer Management"
  • Of course, at a certain point, a sysprep /oobe /generalize /shutdown needed to be run
  • The unexpected result:

    The error: SYSPRP Package [..] was installed for a user, but not provisioned for all users. This package will not function properly in the sysprep image was the result.

The solution is as easy as simple...

  1. Delete the user profile on the computer in Control Panel\All Control Panel Items\System\Advanced system settings\User Profiles
  2. Reboot
Done and solved, at least for my issue.

Note

All powershell [...] Remove-AppXPackage [...] haven't worked for me, nor does it seem they somehow lead to a helpful image state from my point of view. However, you may want to try them as well.
PS
Sorry for the short and not really inspired explanation and elaboration on this error and its potential solution... I hope it is understandable and solves your issue even in this short form.

2016-10-30

IT/TECH: A stupid bug in Windows Server 2016 with Roaming User Profiles or a by design trouble maker?

I am sure this is not the only bug in Windows 2016, but one you might stumble upon especially in mixed Windows version environments with roaming profiles. However I am not sure whether or not it is a bug or a "by design" decision made - but not well enough documented.

According to TechNet: Deploy Roaming User Profiles, separating profiles for each version of Windows can be done via GPO by adding HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ProfSvc\Parameters\UseProfilePathExtensionVersion with 1.

As the article states, this is working for Windows 10, 2012, 2012R2, 8.x and 7, 2008, 2008R2 and Vista... one might - as I did - expect that due to its code-share Windows 10 == Windows 2016 in its behavior and Microsoft just 'forgot' to add Windows 2016 to the recently updated document; more about this in a moment.

We installed Windows 2016 in a production ready domain with Windows 2012 R2 domain functional level and deployed a Windows 2016 functional level domain as well. Lazy admins do lazy things, I am (in an Admin role) often lazy which is why I shouldn't 'play' the Admin... but more important for this bug, I did create a GPO rule and did attach it to the root of the domain. It works like a charm for all Windows 8.x / 10 / 2012R2 clients but with Windows 2016 the result is strange. Whichever user uses a roaming profile and wants to log in locally can't do that.

There is NO helpful error message in the event log, the only message that explains why you are logged in with a temporary profile is that there wasn't enough disk space ... which in our case wasn't true at all.

After trying around a bit, I found that disabling the GPO creating the Roaming Profile Version did do the trick. This is domain functional level independent!

In our case, the work around to this is quite easy since we already organize servers, workstation and mobile devices in different organizational units, servers are even 'classified' - so much for the lazy admin. For now we placed the GPO just in the organization unit(s) for workstations and mobile devices and not on a global domain level neither on server organizational units in which Windows 2016 servers (will) appear.

However, it is unclear for me whether this is a 'by design' issue or a bug... I'll update this note as soon as I have more information.

2016-06-03

IT-Tech: Exchange (2016) 550 5.7.60 SMTP; Client does not have permissions to send as this sender

Introduction

You might come across the above issue when you setup a new system that should use your Exchange server as mail-relay. You may wonder how this (the error) could happen, invest several hours in research and funny or not, you'll find only Office 365 'solutions' - and some programming related.

All in all - you might not find a solution that is the one for you.

A potential solution...

... might be as simple and stupid - and make you maybe banging your head against the wall, as I considered afterwards - just to cross-check whether the FROM-Email is the same Email-address - or in the pool of Email addresses, which have been configured for the account you are using to send your Emails.

At least if all your attempts to solve the issue failed, it might be just the moment to double check what you - and I - should have checked first ;-)

2015-10-02

IT/Tech: Problems with Windows Update Errors: 80072ee2 and / or 80200056 before you try whatever you find

Introduction

From time to time I wonder why developers - to whom I belonged for a very long time as well - do not know how to handle errors a way users do understand. And potentially themselves do as well.

The above mentioned errors and a potential fast solution.

Coming across the above errors or others after installing Windows 8.x, Windows Server 2012(R2), Windows 10 or Windows Server 2016 (or however it is going to be named later) it could be the case that you simply forgot to activate Windows or that it doesn't activate itself. If this isn't the case this solution here won't help you, you need to go on in your search for a solution.

If you find activation is missing, the solution is simple:
  1. Login with the Administrator account - you might want to try an 'Admin' account but this way it is safe. In other words, activate the local Administrator account if you haven't done so in your Windows Clients... in Server, the account is activated by default.
  2. Make sure you have a valid IP and can access the Internet - you might want to open a web page, e.g. this one here ;o) If you don't have a valid connection, please fix this first. Then retry the update without going on with 3. - if Windows Update works, you are done; if not, go on with three.
  3. If you have a working Internet connection, open CMD (command prompt) and enter

    slmgr /ipk Y-O-U-R Windows Key
  4. Wait for the confirmation box.
  5. Now enter

    slmgr /ato
  6. After the confirmation, your Windows is activated - if not confirmed, something went wrong. Since I haven't observed this by now, likely you missed the error message when entering the Windows Key or something else went wrong - since I haven't experienced this by now, I am sorry but I am of no help. You might want to have a look in the Event Viewer...
  7. Windows Update is now - you don't need to reboot by the way - ready to go, installation should work.

If not - again me and this article are of no help and I am sorry that I wasted your time.

IT/Tech: Upgrading from Exchange 2013 to Exchange 2016... a first experience

Introduction

As an early adopter - who admittedly I am - I played around with Exchange 2016 previews over time. However, I left the production system on Exchange 2013 CU 8 since it worked pretty well, and over playing around with Exchange 2016 I kind of overlooked that Exchange 2013 meanwhile got CU 9 and CU 10.

Since I didn't find any good how-to for upgrading from 2013 to 2016, and since I didn't want to go through the entire chain in my virtual playground, I decided to upgrade the less hurting production system to Exchange 2016. Despite I obviously ignored the work of the Technet team and their Exchange 2016 article chain. Of course I should have read through several of the Exchange Team Blog articles by now as well ;x)

RTFM is really a good idea... but as I said, this is going to be a hands-on - not recommended - installation description, serious but unconventional and only good if you just harm yourself if it doesn't work out ;)

This is what I experienced the way down the road.

A blind start

I know, I know, never do something without having others experienced all the problems... but since I am seasoned in terms of Microsoft products and problems and more than this - I am not a full time admin and the worst I could kill is my own, private production system, I thought in my spare time playing around is not the worst to do - so others can see what might happen, or not...

After extracting the ISO and then extracting the EXE the first surprise was that Exchange 2016 felt like installing Exchange CU XYZ, despite the first surprise was that it told me to install CU 10 minimal for Exchange 2013 server. I can remember that I read during the beta phase something like CU 8 is minimum... well, since I can not find this article anymore, it might be fiction anyways.

First learning: Exchange 2013 CU 10 is minimal requirement for installing Exchange 2016. Which can be downloaded directly from Microsoft.

I am not going into the installation of Exchange 2013 CU 10 because I am sure most of you did install a number of CU's before. And as I guess, most of you asked themselves for the thousands of thousands of time why the heck the installation wizard developers couldn't make this "Readiness Checks" at the beginning of the installation instead ages later... the classical:
Error: A reboot from a previous installation is pending. Please restart the system and then rerun Setup. For more information, visit: http://technet.microsoft.com/library(EXCHG.150)/ms.exch.setupreadiness.RebootPending.aspx
appeared in my case... no need to mention that this already cost 10 min on my machine AND more important, it will cost 10 more minutes after reboot... and yes, this time it was my fault, I did have a real reboot pending I forgot :|

However, if you are sure you don't need it, just read the article mentioned in the error message and just delete the registry entries (at your own risk, of course). From my experience, the retry is working without any reboot necessary after registry change.
A short note to Microsoft: PLEASE change this behavior.. in all your wizards, it's annoying and not everyone is running your servers on super-high-end-high-speed machines as you may noticed already ;o)

The Exchange 2016 installation

After installing Exchange 2013 CU 10... which took ages on my machine I finally can start Exchange 2016 installation. As mentioned, I extracted the ISO and the EXE meanwhile.

Well, well, well... I should have read the error messages entirely when I started the Exchange 2016 setup first time ... you won't believe it but you can't do an In-Place upgrade :x - Am I taken wrong or was this possible so far - it's a long time ago I upgraded Exchange 2010 to Exchange 2013.
As a matter of fact, no one can say the Microsoft developers have no fun at work... the retry button (see blue circle above) in this dialog is cynical, isn't it - I wonder if they trace how often one is clicking on it in the here given situation ;)

And again: Why can't the Readiness check be done in first place - on my machine, this took again about 15 minutes... 


Exchange 2016 installation - 3rd approach :(

Admitted - one approach is on me since I missed to read the Readiness Check Errors all together.. I should have done so. However, now let's summarize the current situation so far.
  • Exchange CU 10 is the minimal version Exchange 2013 has to have to be upgraded.
  • DO NOT try to do an In-Place upgrade.
  • Microsoft should place the Readiness Check to the beginning of the Wizard, not in the middle of no-where !
More to come as soon as I proceed... now first I've to find a system I can continue on :(
Since I am either too stupid to search the right way to find information about how to upgrade to Exchange 2016 from Exchange 2013... I'll give up for the moment.
As it looks by now, the upgrade path is to install Exchange 2016 on a separate machine and then move the mailboxes... I neither found something about this nor tried it so far, however - that's going to be what I'll try to do over this weekend (CW 40). If there is no one until then telling me a better way.

I did decide to setup a Virtual machine - however, the running gag with the Readiness Checks is ongoing:
If I had read on below the Powershell part in the mailbox server prerequisites section, I might have saved again some time by recognizing the two links mentioning .NET Framework 4.5.2 and Microsoft Unified Communication API 4.0, Core Runtime 64-bit which of course! need to be installed prior to the Exchange 2016 installation...
Conclusion: Either you give yourself the time or you better don't install Exchange 2016 while you are working on important stuff... or in short: This article shows how to NOT do it in production environments...
At least, you do not need to make my mistakes - if you read before you act ;-)

After the installation of .NET 4.5.2 (first, it was the first in order and I didn't want to lose even more time so guessed) and the Unified Communication API, I finally hope for the best and start - again - my Exchange 2016 Server attempt.

The good news, installation is fast and no reboot is needed (whew). And I just found out, here, the retry button is no joke, you can install both preliminaries without stopping the Exchange 2016 installation.

A sign of light:

And since I did want to install everything with the help of the Wizard, thank you Microsoft for doing this for me (bow). I hope it is working out... Since I am running everything on Hyper-V, I see that the main AD-Controller is also under stress - and the progress bar is moving... yep, that's looking good, very good... and the installation is working. The AD is prepared and Exchange 2013 still working? Yes - again good news.

Meanwhile the setup went through, no further problems - great... I now try to login as Domain Administrator... this looks good as well... interesting side note: I updated the new Windows Server 2012 R2 installation entirely before I started the installation of Exchange 2016 - now the Windows Update Routine finds another 11 mandatory and 2 optional updates... well I'll go for them and then let's see what happens.

As of by now, Exchange 2016 calls itself Version 15.1 (Build 225.42), while my parallel Exchange 2013 installation after CU 10 calls itself Version 15.0 (Build 1130.7)... I'll check and potentially write about further findings either in this article as an update or nothing. I am sure the specialized resources in the net will soon come up with better, more detailed and way more helpful articles than this one.

I'll then try to install Exchange 2016 'the right' way and see if this also takes ages on the same Hyper-V server.

Last and least I am still seeking a solution for an in place update - I can not think about (many) arguments speaking against it. And not everyone is - as I am - ridiculous enough to run Exchange in Hyper-V even for many people, not for a few 8-)