Saturday, April 29, 2017

SfB Hybrid setups: Remember to renew your OAuth certs with Online workloads, after updating your on-prem OAuth cert

Renewed my SfB on-prem OAuth cert and started getting these errors

Log Name:      Lync Server
Source:        LS Storage Service
Event ID:      32050
Storage Service had an OAuth STS request failure.
#CTX#{ctx:{traceId:2107372237, activityId:"db71b116-b4ea-430f-958f-12662b997bd4"}}#CTX#
Recv RST response, failed, sts=https://accounts.accesscontrol.windows.net/092a1ba4-a4fe-4172-970e-7ab3035e7c94/tokens/OAuth/2, resource=00000002-0000-0ff1-ce00-000000000000/autodiscover-s.outlook.com@domain.com, ex=The remote server returned an error: (401) Unauthorized….

You will also notice that the Test-CsExStorageConnectivity command fails (Test-CsExStorageConnectivity -SipUri Test_User@domain.com)


Renew OAuth with new Cert

1.  Export the new OAuth cert from MMC>Certificates on FE using BASE-64 without private key

2. Create a session with SfB online + MSOL 
$msolcred = get-credential admin@domain.com
$session = New-CsOnlineSession -Credential $msolcred -OverrideAdminDomain "domain.onmicrosoft.com"
Import-PSSession $session -AllowClobber
Connect-MsolService -credential $msolcred

3.  Import and assign cert 
$certificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate
$certificate.Import("C:\temp\Oauth_2017.cer")
$binaryValue = $certificate.GetRawCertData()
$credentialsValue = [System.Convert]::ToBase64String($binaryValue)

4.  Get current KeyIDs for Certs (enter 0 for ReturnKeyValues)
Get-MsolServicePrincipal -AppPrincipalID 00000004-0000-0ff1-ce00-000000000000  #Lync
Get-MsolServicePrincipal -AppPrincipalID 00000002-0000-0ff1-ce00-000000000000  #Exchange
get-MsolServicePrincipalCredential -AppPrincipalId 00000004-0000-0ff1-ce00-000000000000
get-MsolServicePrincipalCredential -AppPrincipalId 00000002-0000-0ff1-ce00-000000000000

5.  Use the KeyIDs (that you got from above step) to remove current certs
Remove-MsolServicePrincipalCredential -AppPrincipalId 00000004-0000-0ff1-ce00-000000000000 -KeyIds @("00000000-0000-0000-0000-000000000000")
Remove-MsolServicePrincipalCredential -AppPrincipalId 00000002-0000-0ff1-ce00-000000000000 -KeyIds @("00000000-0000-0000-0000-000000000001")

6.  Assign new cert
New-MsolServicePrincipalCredential -AppPrincipalId 00000004-0000-0ff1-ce00-000000000000 -Type Asymmetric -Usage Verify -Value $credentialsValue
New-MsolServicePrincipalCredential -AppPrincipalId 00000002-0000-0ff1-ce00-000000000000 -Type Asymmetric -Usage Verify -Value $credentialsValue

7.  Make sure your edge servers are replicated (OAuth uses federation via them) 
Get-CsManagementStoreReplicationStatus | ft
Invoke-CsManagementStoreReplication

8.  Verify
Get-MsolServicePrincipal -AppPrincipalID 00000004-0000-0ff1-ce00-000000000000
Get-MsolServicePrincipal -AppPrincipalID 00000002-0000-0ff1-ce00-000000000000

Get-MsolServicePrincipal -AppPrincipalID 00000004-0000-0ff1-ce00-000000000000 | select serviceprincipalnames -ExpandProperty serviceprincipalnames
Get-MsolServicePrincipal -AppPrincipalID 00000002-0000-0ff1-ce00-000000000000 | select serviceprincipalnames -ExpandProperty serviceprincipalnames

Test-CsExStorageConnectivity -SipUri lync_tester1@domain.com # SfB on-prem user
Test-CsExStorageConnectivity -SipUri lync_tester2@domain.com # SfB online user

Cleared Log event (OAuth successful) 
Log Name:      Lync Server
Source:        LS Storage Service
Event ID:      32052
Task Category: (4006)
Description:
OAuth STS was properly configured for Storage Service.
#CTX#{ctx:{traceId:1596246623, activityId:"77278542-b703-4f56-9655-9f40fe99c04b"}}#CTX#
GetAppToken succeeded for request with sts=https://accounts.accesscontrol.windows.net/092a1ba4-a4fe-4172-970e-7ab3035e7c94/tokens/OAuth/2
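
To confirm which certificate each service principal actually holds after steps 5 and 6, this added example (not part of the original post) decodes the registered keys and compares their thumbprints with the exported .cer. It assumes the MSOL connection from step 2 is still open and that the credential's Value property holds the Base64 certificate uploaded in step 6.

```powershell
# Added example: compare the exported on-prem OAuth cert with the keys
# registered on the Lync and Exchange service principals.
# Assumes Connect-MsolService has already run and the .cer path from step 3.
$cerPath = 'C:\temp\Oauth_2017.cer'
$apps = @{
    '00000004-0000-0ff1-ce00-000000000000' = 'Lync'
    '00000002-0000-0ff1-ce00-000000000000' = 'Exchange'
}

$x509  = 'System.Security.Cryptography.X509Certificates.X509Certificate2'
$local = New-Object $x509 -ArgumentList $cerPath

foreach ($appId in $apps.Keys) {
    # -ReturnKeyValues $true returns the key material, not just the KeyId
    $creds = Get-MsolServicePrincipalCredential -AppPrincipalId $appId -ReturnKeyValues $true |
        Where-Object { $_.Type -eq 'Asymmetric' -and $_.Value }

    foreach ($cred in $creds) {
        # Assumption: Value is the Base64 DER certificate, as uploaded in step 6
        $bytes  = [System.Convert]::FromBase64String($cred.Value)
        $remote = New-Object $x509 -ArgumentList (,$bytes)

        [pscustomobject]@{
            App        = $apps[$appId]
            KeyId      = $cred.KeyId
            Thumbprint = $remote.Thumbprint
            NotAfter   = $remote.NotAfter
            MatchesNew = ($remote.Thumbprint -eq $local.Thumbprint)
            Expired    = ($remote.NotAfter -lt (Get-Date))
        }
    }
}
```

Each principal should show one row with MatchesNew = True; any remaining row with MatchesNew = False is a key that step 5 did not remove.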




Tuesday, April 4, 2017

Mouse without Borders - Problem Installing: Mouse without Borders requires the .NET Framework 2.0 or 4.0

I love using MwB to reduce the clutter on my desk by using just 1 keyboard and mouse to control multiple PCs. 

Every so often an update comes out and it complains about the .Net version even though you are running a later version of the framework. 

Googling does not provide a solution easily, but all you need to do is to run the installer using elevated privileges. 


Error message : Mouse without Borders requires the .NET Framework 2.0 or 4.0



It's a Microsoft Garage work (side projects by MS employees) that solves my problem really well. Check it out...

Download site - http://www.microsoft.com/en-ca/downl....aspx?id=35460
Community site - https://getsatisfaction.com/mouse_without_borders

Wednesday, March 1, 2017

Office C2R updates for Feb 2017 released

The February release of the Office 365 Deferred Channel for Office 2016 is now available - Version 1609 (Build 7369.2118).

Current Release + FRDC updates have been released too. Those are @ Version 1701 (Build 7766.2060).

Channel                     Version  Build      Release date
Current                     1701     7766.2060  February 23, 2017
First Release for Deferred  1701     7766.2060  February 22, 2017
Deferred                    1609     7369.2118  February 22, 2017
https://technet.microsoft.com/en-us/library/mt592918.aspx






Friday, February 17, 2017

Duplicate entry for dial-in conferencing information with latest FRDC release

When a user homed on an SfB on-prem pool creates a new Skype meeting, a duplicate entry is created for the dial-in conferencing number. The same version works fine for users homed on Skype Online though.


Seems to be happening in the latest release of Office 2016 C2R update - First Release for Deferred Channel (1609 Build 7369.2102) that was released on Jan 10th.







Probably a bug. Have a ticket open with support to find out.

On-prem SfB servers are not at the latest Feb 2017 level, so perhaps there is a fix for this in there. Is anybody else also seeing this?

Thursday, January 5, 2017

Dec 2016/ Jan 2017 updates for Lync 2013/SfB 2015 and SfB 2016 clients


Release Date  Version #       Type
Jan 2017      16.0.4483.1000  SfB 2016
Jan 2017      15.0.4893.1000  Lync 2013/SfB 2015
Dec 2016      16.0.4471.1000  SfB 2016
Dec 2016      15.0.4885.1000  Lync 2013/SfB 2015


Thursday, November 10, 2016

O365 Click to Run versions

Month   Current Release         First Release Deferred  Deferred
Jan-16  1511 (Build 6366.2062)  1509 (Build 6001.1054)  -
Feb-16  1601 (Build 6568.2025)  1509 (Build 6001.1061)  1509 (Build 6001.1061)
Mar-16  1602 (Build 6741.2021)  1602 (Build 6741.2021)  1509 (Build 6001.1068)
Apr-16  1603 (Build 6769.2040)  1602 (Build 6741.2026)  1509 (Build 6001.1073)
May-16  1604 (Build 6868.2067)  1602 (Build 6741.2042)  1509 (Build 6001.1078)
Jun-16  1605 (Build 6965.2063)  1605 (Build 6965.2063)  1602 (Build 6741.2048)
Jul-16  1606 (Build 7070.2033)  1605 (Build 6965.2069)  1602 (Build 6741.2056)
Aug-16  1607 (Build 7167.2047)  1605 (Build 6965.2076)  1602 (Build 6741.2063)
Sep-16  1608 (Build 7341.2035)  1605 (Build 6965.2084)  1602 (Build 6741.2071)
Oct-16  1609 (Build 7369.2038)  1609 (Build 7369.2038)  1605 (Build 6965.2092)
Nov-16  1609 (Build 7369.2055)  1609 (Build 7369.2055)  1605 (Build 6965.2105)
Dec-16  1611 (Build 7571.2075)  1609 (Build 7369.2095)  1605 (Build 6965.2115)
Jan-17                          1609 (Build xxx)        1605 (Build xxx)
Feb-17                          161x (Build xxx)        1609 (Build xxx)
Mar-17                          161x (Build xxx)        1609 (Build xxx)
Apr-17                          161x (Build xxx)        1609 (Build xxx)
May-17                          161x (Build xxx)        1609 (Build xxx)


Office 365 client update channel releases - https://technet.microsoft.com/en-us/office/mt465751

Friday, October 14, 2016

Issues with GlobalSign public certs

What a mess!!!

If you use public certs from Globalsign, be aware of the issue that started yesterday with their CRLs.

We had to go in and update ALL our external-facing servers with the new Intermediate Cert they provided.

More details here - http://downloads.globalsign.com/acton/fs/blocks/showLandingPage/a/2674/p/p-008f/t/page/fm/0


Tips:

We use public certs on our SfB FEs too, and the same cert is also used for OAuth. We ended up removing and reapplying the cert (from the SfB Wizard) so that it replicates out to the other servers and pools.

You need to remove the old Intermediate cert from the store. Search the Computer as well as the User stores and make sure you get rid of the old Intermediate one, else it will stay latched to the chain.


Can get the Intermediate cert from here -  https://support.globalsign.com/customer/portal/articles/2599710-ocsp-revocation-errors---troubleshooting-guide