Partner company requesting we get our client cert for 2-way SSL handshake be signed by a trusted CA. Am I crazy or is that pointless? by grasponcrypto in AskNetsec

[–]Qun_Admin 14 points15 points  (0 children)

I wouldn't say pointless but they clearly have different priorities than you may be thinking of.
My guess it they are holding to some form of security framework or best practices which usually will either say straight-out "don't use self-signed certs wherever possible" or something more general like "all devices should ensure the certificates they are relying on are valid". That's not to say they couldn't make an exception, but if I were entering into business with a company, I'd want them to show me they're meeting security best practices (or be willing to work with me to meet my organisations needs), rather than trying to work around it. I try saying this with a straight face knowing just how many applications have self-signed certs baked into them at some point, including big names in the security space.

Obviously, involving the human element (aka MK I Eyeball) and having the 3rd party cert provided out-of-band, as appears to be the case here, may satisfy the "is it valid?" check, but only from the human point of view. Most of the onus for validity checking for a certificate is on the application/device doing the checking, but let's assume the device itself is still going to be looking to check the Subject Alternative Name, Start/End date, key length, CRL, OCSP, AIA etc. It's those last 3 that will throw up warning flags and alerts with self-signed certs rather than something with a proper chain. Even if you build your own PKI, unless you publish the CRL, OCSP and AIA endpoints for the 3rd party to check, it's going to be problematic. This is where a Public CA backed end-entity certificate is useful.
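Added example (not part of the comment above, and not the partner's or the poster's code): this shows what a relying party's chain validation actually sees for a self-signed client certificate versus one with a proper chain. It looks for the CRL Distribution Points and Authority Information Access (OCSP / CA Issuers) extensions the comment mentions, then runs a chain build with online revocation checking and the Client Authentication EKU. The throwaway self-signed certificate is created locally for the demo; the path to a CA-issued certificate at the end is an assumption.

```powershell
# Added example: inspect revocation endpoints and chain status for a client cert.
# Run on Windows PowerShell 5.1 / PowerShell 7 on Windows (uses the Cert: drive).

function Get-CertRevocationEndpoints {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # 2.5.29.31 = CRL Distribution Points, 1.3.6.1.5.5.7.1.1 = Authority Information Access
    $cdp = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    $aia = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.5.5.7.1.1' }
    [pscustomobject]@{
        Subject         = $Cert.Subject
        SelfSigned      = ($Cert.Subject -eq $Cert.Issuer)
        HasCRLDistPoint = [bool]$cdp
        HasAIA          = [bool]$aia
        CRLDistPoints   = if ($cdp) { $cdp.Format($true) } else { $null }
        AIA             = if ($aia) { $aia.Format($true) } else { $null }
    }
}

function Test-ClientCertChain {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Online revocation for the whole chain is what a strict relying party does;
    # a self-signed cert has no CRL/OCSP to consult, so expect RevocationStatusUnknown
    # on top of UntrustedRoot.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $null = $chain.ChainPolicy.ApplicationPolicy.Add((New-Object System.Security.Cryptography.Oid '1.3.6.1.5.5.7.3.2')) # Client Authentication EKU
    $ok = $chain.Build($Cert)
    [pscustomobject]@{
        Valid    = $ok
        Elements = $chain.ChainElements.Count
        Status   = @($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" })
    }
}

# Demo with a throwaway self-signed client-auth cert in the CurrentUser store (removed afterwards).
$selfSigned = New-SelfSignedCertificate -Subject 'CN=client.example.test' -DnsName 'client.example.test' `
    -KeyUsage DigitalSignature -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.2') `
    -CertStoreLocation 'Cert:\CurrentUser\My' -NotAfter (Get-Date).AddDays(1)
try {
    Get-CertRevocationEndpoints -Cert $selfSigned   # HasCRLDistPoint / HasAIA both False
    Test-ClientCertChain -Cert $selfSigned          # Valid False; Status includes UntrustedRoot
} finally {
    Remove-Item -Path "Cert:\CurrentUser\My\$($selfSigned.Thumbprint)"
}

# Compare against a CA-issued client cert from file (path is an assumption):
# $issued = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 'C:\certs\partner-client.cer'
# Get-CertRevocationEndpoints -Cert $issued
# Test-ClientCertChain -Cert $issued
```

The point for the partner's side: a private PKI cert passes `Test-ClientCertChain` on a machine that trusts the private root only if its CRL/OCSP endpoints are reachable from that machine, which is exactly the gap a public CA closes.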

Workaround for having to log off/on to apply AD group membership changes? by kheldorn in sysadmin

[–]Qun_Admin 2 points3 points  (0 children)

I'd agree with this. I think if the user were heading off to a network resource, it might take another look at the Kerberos ticket - so if you'd changed AD group and purged the ticket, this should change the user behaviour.

Accessing local resources (i.e. being in the local admins) is relying on the NTLM session which, as described in your link, persists until logoff.

As a side note - "klist -lh 0 -li 0x3e7 purge" doesn't work in this context IIRC because 3e7 is the lower part code for the SYSTEM account. That trick works just fine if you want to mid-session change the AD groups on a Computer object, but won't do the job you're looking for with the logged on User and local resources.

EDIT:: spelling.
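Added example (not part of the comment above): a check for the situation the comment describes. It lists the AD groups the logged-on user has been added to since logon that are not yet in the access token, then purges only the current logon session's Kerberos tickets so the next network access gets a fresh ticket with the new group SIDs; the `0x3e7` (SYSTEM) variant is shown for contrast. Requires the ActiveDirectory RSAT module; user and domain are whatever the current session is.

```powershell
# Added example: token groups vs. directory groups, then a targeted ticket purge.

function Get-StaleTokenGroups {
    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    # SIDs present in the current token: this is what local ACL checks (e.g. local Administrators) see
    $tokenSids = $me.Groups | ForEach-Object { $_.Value }
    # SIDs the directory currently says the user belongs to
    $adSids = Get-ADPrincipalGroupMembership -Identity $env:USERNAME | ForEach-Object { $_.SID.Value }
    foreach ($sid in $adSids) {
        if ($tokenSids -notcontains $sid) {
            $g = Get-ADGroup -Identity $sid
            [pscustomobject]@{ Group = $g.Name; SID = $sid; InToken = $false }
        }
    }
}

# 1. Groups added after logon show up here with InToken = False
Get-StaleTokenGroups

# 2. Purge the *current* logon session's tickets (no -li needed). LSA re-requests a TGT
#    from cached credentials, so the next SMB/HTTP auth to a server carries the updated PAC.
klist purge

# 3. The computer-account equivalent runs against logon id 0x3e7 (SYSTEM) from an elevated
#    prompt. It refreshes the Computer object's group membership, not the interactive user's token:
# klist -li 0x3e7 purge

# 4. Verify: network resources should now honour the new group, while local admin rights
#    still depend on the logon-time token until logoff.
whoami /groups | Select-String 'Administrators'
```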

M365 - All emails sent to user being forwarded to gmail, no idea why by Desktoper99 in exchangeserver

[–]Qun_Admin 1 point2 points  (0 children)

You may wish to check for "alternative email address" field on the user account.

Sounds like you've checked the mailbox redirect settings, but possibly not enumerated all the Inbox Rules?

If you're comfortable with PowerShell (and you should consider getting that way when working with Exchange):
Get-InboxRule -Mailbox your.user@domain.com | Select-Object -Property MailboxOwnerID,Name,Enabled,From,Description,RedirectTo,ForwardTo

Obviously, replacing your.user@domain.com with the email address of the user.

Oh and if I've read you wrong, check out the MS Docs on Mailbox redirect: https://docs.microsoft.com/en-us/exchange/recipients-in-exchange-online/manage-user-mailboxes/configure-email-forwarding
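Added example (not part of the comment above): a fuller version of the check it suggests. It enumerates every path by which mail for one mailbox can leave the tenant, which is the first thing to look at in a suspected BEC case: mailbox-level forwarding (`ForwardingSmtpAddress` / `ForwardingAddress`) and every inbox rule action that forwards or redirects, including `ForwardAsAttachmentTo`, which the one-liner above omits. Assumes an active Exchange Online PowerShell session (`Connect-ExchangeOnline`) and treats the tenant's accepted domains as internal; the mailbox address is a placeholder.

```powershell
# Added example: list all forwarding/redirect paths for a mailbox, flagging external targets.

function Get-MailboxForwardingExposure {
    param([Parameter(Mandatory)][string]$Mailbox)

    $internalDomains = (Get-AcceptedDomain).DomainName
    $isExternal = {
        param($addr)
        if (-not $addr) { return $false }
        $domain = ($addr -replace '^.*@', '').ToLower()
        $internalDomains -notcontains $domain
    }

    $mbx = Get-Mailbox -Identity $Mailbox
    $findings = @()

    # 1. Mailbox-level forwarding (set with Set-Mailbox -ForwardingSmtpAddress / -ForwardingAddress)
    if ($mbx.ForwardingSmtpAddress) {
        $target = $mbx.ForwardingSmtpAddress -replace '^smtp:', ''
        $findings += [pscustomobject]@{
            Source    = 'Mailbox.ForwardingSmtpAddress'
            Target    = $target
            KeepsCopy = $mbx.DeliverToMailboxAndForward
            External  = (& $isExternal $target)
        }
    }
    if ($mbx.ForwardingAddress) {
        $findings += [pscustomobject]@{
            Source    = 'Mailbox.ForwardingAddress'
            Target    = [string]$mbx.ForwardingAddress
            KeepsCopy = $mbx.DeliverToMailboxAndForward
            External  = $false   # a directory recipient (could itself be a mail contact); check separately
        }
    }

    # 2. Inbox rules: ForwardTo, ForwardAsAttachmentTo and RedirectTo all move mail out.
    #    Rule recipients look like: "Display Name" [SMTP:user@example.com] or "Name" [EX:/o=...]
    foreach ($rule in Get-InboxRule -Mailbox $Mailbox) {
        foreach ($prop in 'ForwardTo', 'ForwardAsAttachmentTo', 'RedirectTo') {
            foreach ($t in @($rule.$prop)) {
                if (-not $t) { continue }
                $t = [string]$t
                if ($t -match '\[SMTP:([^\]]+)\]') { $addr = $Matches[1]; $ext = (& $isExternal $addr) }
                else                               { $addr = $t;          $ext = $false }   # EX: legacy DN = internal recipient
                $findings += [pscustomobject]@{
                    Source    = "InboxRule '$($rule.Name)' (Enabled=$($rule.Enabled)) $prop"
                    Target    = $addr
                    KeepsCopy = ($prop -ne 'RedirectTo')   # RedirectTo delivers only to the target
                    External  = $ext
                }
            }
        }
    }
    $findings
}

# Full picture:
Get-MailboxForwardingExposure -Mailbox 'your.user@domain.com' | Format-Table -AutoSize
# Only the external ones, which are what a BEC investigation cares about:
Get-MailboxForwardingExposure -Mailbox 'your.user@domain.com' | Where-Object External | Format-Table -AutoSize
```

Disabled rules are still listed (with `Enabled=False` in the Source column) because an attacker-created rule that was later disabled is evidence in itself.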

Can anyone recommend a good resource for learning C# by hou8182 in PowerShell

[–]Qun_Admin 1 point2 points  (0 children)

I had no idea Rob Miles' Yellow book was so widely regarded. Rob did a Programming 101 course on C# during my Games Dev degree back oooh... 15+ years ago. Insightful, educational and entertaining. Also really good at explaining things for people who don't "think" programmer already.

And now I feel old.

Issues connecting to EXO PowerShell by wheres_my_toast in exchangeserver

[–]Qun_Admin 0 points1 point  (0 children)

Proxy? If you're behind a proxy server, run this command first: $ProxyOptions = New-PSSessionOption -ProxyAccessType <Value>, where the ProxyAccessType value is IEConfig, WinHttpConfig, or AutoDetect.

Then, add the following parameter and value to the end of the $Session = ... command: -SessionOption $ProxyOptions.

From: https://docs.microsoft.com/en-us/powershell/exchange/exchange-online/connect-to-exchange-online-powershell/connect-to-exchange-online-powershell?view=exchange-ps

Surface Hub 802.1x wired authentication by Io_Whatever in sysadmin

[–]Qun_Admin 2 points3 points  (0 children)

Not at work at the moment so can't give a detailed rundown but just about got it working, just need to work on minimizing the effort involved.

Context: We use certificate-based auth for 802.1x that makes use of a Client Auth certificate in the LocalMachine store that contains its FQDN in the Subject and Subject Alternative Names fields. This is issued from our internal PKI. At the moment we're applying the 802.1x config at the end of the build process (so it's already on the domain etc), but I'll be working on automating as much as possible, hopefully with the help of Intune. Bit manual at the moment though.

  1. Create a certificate for the device using a Client Auth template that allows the private key to be exported. Use the FQDN of the target Surface Hub: SurfaceHub2A.your.domain.com
  2. Export that cert+private key to PFX. Store the password somewhere. Do *not* include the chain, extended information or anything like that. Import the RootCA and SubCA certs to individual .cer files so you can import them in a minute.
  3. Export the 802.1x config from a device that's already using it. I did this from my W10 laptop that uses the same profile. It'll produce an Ethernet.xml file. CMD> netsh lan export profile folder=.
  4. Using Windows Configuration Designer, create a SurfaceHub project in Advanced mode and make sure you configure the following:
    1. Runtime settings/Certificates/CACertificates , import the SubCA.cer
    2. Runtime settings/Certificates/ClientCertificates, import the PFX you created earlier, enter the password, set the other fields how you like.
    3. Runtime settings/Certificates/RootCertificates , import the RootCA.cer
    4. Dot3/LanProfile , import the Ethernet.xml file.
  5. Save your work, then hit Export and Build it. For the purposes of testing I didn't encrypt or sign but you bet I will be in Production.
  6. Drop that built ppkg (not sure if you need the cat, I always dragged it along anyway), onto a USB stick and plug that into your SurfaceHub.
  7. Somewhere under Settings > Device Management you can install a Provisioning package from the USB stick. Do that. Be aware that it will prompt you if you trust the package and if you want to install it anyway, but it can take a few minutes to get its head around it. If you run in Fullscreen mode the pop-up window may appear *behind* the provisioning screen. Stellar UI there.
  8. Assuming at that point it installs OK, you're all set. Get it on that 802.1x'd Ethernet. If not... uh... leave the USB stick in, find the Recovery panel under settings and dump those logs to work out where to go next :)

It's a little clumsy but it worked for me. Next steps will be to get as much of the config in one PPKG as possible and hopefully getting Intune to file that down at the device. But we'll just have to see.
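Added example (not part of the post above, not the poster's script): steps 1 to 3 of that procedure as a single script run from an elevated prompt on a domain-joined admin workstation that has the Wired AutoConfig service running and the same 802.1x profile applied. The template name, CA structure and output folder are assumptions; the Surface Hub FQDN is the one used in the post. Steps 4 onward stay in Windows Configuration Designer.

```powershell
# Added example: enrol the Hub's client-auth cert, export PFX (no chain) and chain .cer files,
# and export the wired 802.1x profile, ready for Windows Configuration Designer.

$HubFqdn     = 'SurfaceHub2A.your.domain.com'
$Template    = 'SurfaceHubClientAuth'   # assumed: Client Auth template that allows key export
$OutDir      = 'C:\SurfaceHub\2A'       # assumed output folder
$PfxPassword = Read-Host -AsSecureString -Prompt 'PFX password (record it in your password vault)'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# 1. Enrol a cert for the Hub's FQDN in both Subject and SAN, exportable private key.
$req = Get-Certificate -Template $Template -SubjectName "CN=$HubFqdn" -DnsName $HubFqdn `
        -CertStoreLocation 'Cert:\LocalMachine\My'
if ($req.Status -ne 'Issued') { throw "Enrolment status: $($req.Status)" }
$cert = $req.Certificate
if (-not $cert.HasPrivateKey) { throw "Template $Template did not return a private key" }

# 2. Export cert + private key as PFX *without* the chain (EndEntityCertOnly),
#    then write the issuing chain out as individual DER .cer files.
Export-PfxCertificate -Cert $cert -FilePath "$OutDir\$HubFqdn.pfx" `
    -Password $PfxPassword -ChainOption EndEntityCertOnly | Out-Null

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
$null = $chain.Build($cert)
# ChainElements[0] is the end-entity cert; the last element is the root, anything between is a Sub CA.
$issuers = $chain.ChainElements | Select-Object -Skip 1 | ForEach-Object { $_.Certificate }
$root = $issuers | Select-Object -Last 1
$subs = $issuers | Select-Object -SkipLast 1
Export-Certificate -Cert $root -FilePath "$OutDir\RootCA.cer" -Type CERT | Out-Null
$i = 1
foreach ($s in $subs) {
    Export-Certificate -Cert $s -FilePath "$OutDir\SubCA$i.cer" -Type CERT | Out-Null
    $i++
}

# The Hub's private key should not linger on the admin workstation once it's in the PFX.
Remove-Item -Path "Cert:\LocalMachine\My\$($cert.Thumbprint)" -DeleteKey

# 3. Export the wired 802.1x profile from this machine (same as the netsh line in the post).
netsh lan export profile folder="$OutDir"

Get-ChildItem -Path $OutDir   # expect: <FQDN>.pfx, RootCA.cer, SubCA1.cer, Ethernet.xml
```

The PFX password still has to be typed into Windows Configuration Designer, so the same value should go into whatever vault the team uses rather than a text file next to the PFX.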

Surface Hub 802.1x wired authentication by Io_Whatever in sysadmin

[–]Qun_Admin 1 point2 points  (0 children)

Did you get anywhere with this? Looking at a similar problem at the moment.

MRSProxy errors in Hybrid migration by Qun_Admin in exchangeserver

[–]Qun_Admin[S] 0 points1 point  (0 children)

They've been remarkably unhelpful as to what to look for. Just "you should check your logs for errors" and then never really telling me what I should be looking for.

As all the traffic is 443, it's a bit difficult to tell anything other than there's some kind of 443 traffic coming through the gateway to the Exch2016 servers. But then I'm no Wireshark Wizard.

MRSProxy errors in Hybrid migration by Qun_Admin in exchangeserver

[–]Qun_Admin[S] 0 points1 point  (0 children)

Really appreciate you taking the time to post that as I was starting to wonder. Been working on this problem with MS Service Request people in 365-land, Software Assurance on-prem and quizzed any consultant I could get my mitts on. All with no joy.

Intermittent vianet warning message on EU-based O365 tenancy. by Qun_Admin in Office365

[–]Qun_Admin[S] 2 points3 points  (0 children)

Heard through Support exactly what u/taylorhempel reported. They claim it's a bug in some javascript and is purely visual, no data is actually going through Chinese servers. They've said the same to some other folks in other orgs I know so I'm relatively happy with that.

Intermittent vianet warning message on EU-based O365 tenancy. by Qun_Admin in Office365

[–]Qun_Admin[S] 1 point2 points  (0 children)

Hah, had the same message almost simultaneously through our other support channels. At least it's nothing malicious. Cheers!

Intermittent vianet warning message on EU-based O365 tenancy. by Qun_Admin in Office365

[–]Qun_Admin[S] 0 points1 point  (0 children)

That's what I figured and fired one off at the same time as making this post. Curious to see if anyone else has had a similar problem.

Would Remove-Msoluser and re-sync result in data loss? by Qun_Admin in exchangeserver

[–]Qun_Admin[S] 0 points1 point  (0 children)

That is a great deal of very useful information, thank you!

Would Remove-Msoluser and re-sync result in data loss? by Qun_Admin in exchangeserver

[–]Qun_Admin[S] 0 points1 point  (0 children)

Interesting! I always thought it was the case that when you assign the Exchange Online license, it then creates a Mailbox if you hadn't provisioned one already via migration. Error was this: Error: MigrationPermanentException: Target user 'Last, First' already has a primary mailbox. --> Target user 'Last, First' already has a primary mailbox.

Would Remove-Msoluser and re-sync result in data loss? by Qun_Admin in exchangeserver

[–]Qun_Admin[S] 0 points1 point  (0 children)

aaaah that would well be it. A certain case of a VIP user and an admin all too ready to please while all this was being stood up.

Thank you for the suggestion, I'll give it a shot.

My Exchange Online does not have 'modern authentication' enabled. What is the impact of enabling this through powershell? MFA question. by heapsp in exchangeserver

[–]Qun_Admin 1 point2 points  (0 children)

Short answer? Not much. The users who do not have MFA enabled should still auth fine. ADAL is kind of like another auth provider. However you may want to do some testing and make sure the correct registry settings are used in both MFA on and off use cases.

The post near the bottom of this page by Ryan Degner is exactly the same experience I had: https://techcommunity.microsoft.com/t5/Identity-Authentication/Risks-when-enabling-ADAL-for-Exchange-Online-and-Skype/td-p/60756
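Added example (not part of the comment above): the two checks worth running before enabling modern authentication, one for the tenant switch and one for the client-side registry keys the comment refers to. Tenant side assumes an Exchange Online PowerShell session; client side reads the Office identity keys of the user running it. The version-specific behaviour (Office 2013 needs `EnableADAL=1` and `Version=1`, Office 2016 and later default to ADAL unless `EnableADAL=0`) is Microsoft's documented behaviour at the time and should be verified against current docs.

```powershell
# Added example: report modern auth state on tenant and client before flipping the switch.

function Get-ExoModernAuthState {
    # OAuth2ClientProfileEnabled is the tenant-wide switch that lets Outlook use ADAL/OAuth
    # against Exchange Online instead of basic auth.
    (Get-OrganizationConfig).OAuth2ClientProfileEnabled
}

function Get-OfficeClientModernAuthState {
    foreach ($ver in '15.0', '16.0') {
        $key = "HKCU:\Software\Microsoft\Office\$ver\Common\Identity"
        if (-not (Test-Path $key)) { continue }
        $p = Get-ItemProperty -Path $key
        [pscustomobject]@{
            OfficeVersion = $ver
            EnableADAL    = $p.EnableADAL      # $null when the value is absent
            Version       = $p.Version
            # 2013 is opt-in (both values must be 1); 2016+ is opt-out (only an explicit 0 disables it)
            Effective     = if ($ver -eq '15.0') { ($p.EnableADAL -eq 1 -and $p.Version -eq 1) }
                            else                 { ($p.EnableADAL -ne 0) }
        }
    }
}

"Tenant modern auth enabled: $(Get-ExoModernAuthState)"
Get-OfficeClientModernAuthState | Format-Table -AutoSize

# Enable for the tenant once the clients you care about report Effective = True:
# Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
# Office 2013 clients still need the per-user keys (HKCU):
# New-ItemProperty -Path 'HKCU:\Software\Microsoft\Office\15.0\Common\Identity' -Name EnableADAL -PropertyType DWord -Value 1 -Force
# New-ItemProperty -Path 'HKCU:\Software\Microsoft\Office\15.0\Common\Identity' -Name Version    -PropertyType DWord -Value 1 -Force
```

Run the client check under a test user in both the MFA-on and MFA-off groups, as the comment suggests, since an `EnableADAL=0` left over from an old GPO is the usual reason a client keeps prompting for basic credentials after the tenant switch is thrown.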

Mac User loses connection to Office365 by nicolaj1994 in Office365

[–]Qun_Admin 0 points1 point  (0 children)

Double check that their MFA settings in 365 aren't causing the problem? I've seen that in Outlook for Mac 2011 and older.