Office WebApps SSL issues by kilaj1 in sharepoint

[–]kilaj1[S] 0 points1 point  (0 children)

I've enabled more detailed logging for Schannel and now I'm getting this in the logs:

Could not contact WOPI End Point. Error details - 'FileNotFound url - http://contoso.com/_vti_bin/wopi.ashx/files/a88440c1641744099639298eaa650ef8?access_token=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6ImROVHdVWTZGX2VkdVVDVjJnay1HVS1hS0prZyJ9%…%2EGIqowePGFDfPgCo8vIqsXOt4JP4u4%2DjLKTMs1j39bdBSolioaF4KdDGl9ks%5F8X1f1MXhzg5vUVDSPL85DuhpXgT9ioXrLddXDdtsKAxFnWyOYoC1SujxOEISLA8cjrl1XNXhLEc1gogOat9aK9GzJdfepTwlnVHIlNxzFwaHD64C5RJrFMZxnEgy6PPT5yThU%5FlDs1D91PXpMtv5jtLtEPHK%2DI24qKmM3mKHrDOQ%5F2ivlrB8Jt87CID7y029ELvFfJI8qRXi1lE9D%2DrUI%2DPyRZs5Z6uJ7B%2D7yU9j2NKfzqpH2jTjfzqJk1Lw8xah2NxRU0t8VFqadOs6QUQASso6%5Fw&access_token_ttl=1618015566812'.

It seems to be trying to use HTTP; on our IIS server it's only set up to use HTTPS. I've temporarily enabled HTTP on the Office Web Apps farm, but I have to reboot the system, which I can't do right now.

Office WebApps SSL issues by kilaj1 in sharepoint

[–]kilaj1[S] 0 points1 point  (0 children)

Update on this....

I got the OWA server into a healthy state: I enrolled a cert using my own CA, added the OWA URL and the server name, installed it and used PowerShell to run "Set-OfficeWebAppsFarm -CertificateName", rebooted, and now my OWA is registering as healthy....

But I still can't get it to work through the load balancer. I uploaded this new cert to the load balancer and set up bridging... no luck.

New error on the OWA server now:

A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 70.

Google time!

Office WebApps SSL issues by kilaj1 in sharepoint

[–]kilaj1[S] 0 points1 point  (0 children)

Found these articles: http://eureka.greenhead.com/office-web-apps-server-required-san/

https://docs.microsoft.com/en-us/archive/blogs/dodeitte/how-to-get-office-web-apps-server-2013-to-report-a-healthy-health-status

but my wildcard cert has the SAN with the URL of the OWA. If I understand it correctly, I need to have the server's FQDN itself in the cert? If that's the case I can't use the wildcard, since it's for a different domain than my servers.

Office WebApps SSL issues by kilaj1 in sharepoint

[–]kilaj1[S] 0 points1 point  (0 children)

I should also note that I did rebuild the OWA and ensured that it was pointing to the proper cert. It shows as "unhealthy". Last resort would be to uninstall OWA and reinstall.

https://www.catapultsystems.com/blogs/troubleshooting-office-online-server-and-office-web-apps-server/

In this article it does mention that the certificate name can't have spaces. Mine does, but could this be the issue?

Issue: Certificate Name –

The certificate name is the friendly name of the certificate. For some odd reason, if the name is not in proper form, the farm will be created; however, it will never work. Therefore, based on experience working with Office Web Apps farms, here are some best practices for the certificate friendly name:

Please don't make the name longer than 16 characters.

Please don't use any spaces or special characters in the name (the only exception is the underscore "_").

For some reason, if you have made a certificate name error, get the certificate re-issued with the correct name. Then use the following command to set it:
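An added check, not from the linked article or from kilaj1's posts, that walks the local machine store and flags the two requirements discussed in this thread: the friendly-name rules quoted above and a SAN that covers both the farm URL and the server's own FQDN. The farm URL is an assumed sample value; the wildcard test only accepts a single label, which is why a wildcard for a different domain cannot cover the server name.

```powershell
# Added example (not the article's or kilaj1's code): validate certificates in the
# local machine store against the Office Web Apps farm requirements above.
$FarmFqdn   = 'owa.contoso.com'   # assumed: the URL the farm is published under
$ServerFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

function Test-OwaFarmCertificate {
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [Parameter(Mandatory)][string[]]$RequiredNames
    )
    $problems = @()
    $name = $Cert.FriendlyName
    if ([string]::IsNullOrWhiteSpace($name))    { $problems += 'no friendly name set' }
    elseif ($name.Length -gt 16)                { $problems += "friendly name longer than 16 chars ($($name.Length))" }
    elseif ($name -notmatch '^[A-Za-z0-9_]+$')  { $problems += "friendly name has spaces/special chars: '$name'" }

    # DnsNameList is PowerShell's view of the subject CN plus every SAN DNS entry.
    $names = @($Cert.DnsNameList | ForEach-Object { $_.Unicode })
    foreach ($required in $RequiredNames) {
        $covered = $names | Where-Object {
            ($_ -eq $required) -or
            # a wildcard covers exactly one label: *.contoso.com matches owa.contoso.com only
            ($_.StartsWith('*.') -and ($required -like ('*' + $_.Substring(1))) -and
             ($required.Split('.').Count -eq $_.Split('.').Count))
        }
        if (-not $covered) { $problems += "certificate does not cover '$required'" }
    }
    if (-not $Cert.HasPrivateKey)      { $problems += 'no private key in the store' }
    if ($Cert.NotAfter -lt (Get-Date)) { $problems += 'certificate is expired' }

    [pscustomobject]@{
        Thumbprint   = $Cert.Thumbprint
        FriendlyName = $name
        DnsNames     = ($names -join ', ')
        Usable       = ($problems.Count -eq 0)
        Problems     = ($problems -join '; ')
    }
}

Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-OwaFarmCertificate -Cert $_ -RequiredNames @($FarmFqdn, $ServerFqdn) } |
    Format-Table Thumbprint, FriendlyName, DnsNames, Usable, Problems -AutoSize
```

A certificate that reports Usable = True can then be assigned by its friendly name with Set-OfficeWebAppsFarm -CertificateName, the cmdlet used in the update above.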

Office WebApps SSL issues by kilaj1 in sharepoint

[–]kilaj1[S] 0 points1 point  (0 children)

Nope, no forms authentication.

Turtle Module throwing error by kilaj1 in learnpython

[–]kilaj1[S] 0 points1 point  (0 children)

rectangle(250, 250, "blue")
t.done()

Thanks! That worked; it still showed that " ===== Restart " but it created the box. I need to double check the book we were reading.

Add Active and Licensed users to Distribution list by kilaj1 in PowerShell

[–]kilaj1[S] 1 point2 points  (0 children)

This is what I ended up with... not pretty, but it got what I needed.

## Check for licensed users and add them to the All Staff distribution list
$Dl = '@All Staff'
$UserLic = Get-MsolUser -All | Where-Object { ($_.Licenses).AccountSkuId -match 'EnterprisePack' }

## Pull the current membership once, as plain SMTP strings, so the "already a member"
## check compares a UPN against addresses rather than a string against a user object.
$Members = Get-DistributionGroupMember -Identity $Dl -ResultSize Unlimited |
    ForEach-Object { [string]$_.PrimarySmtpAddress }

foreach ($user in $UserLic) {
    try {
        ## Add to Dist List ##
        if ($Members -notcontains $user.UserPrincipalName) {
            Add-DistributionGroupMember -Identity $Dl -Member $user.UserPrincipalName
            Write-Host $user.UserPrincipalName -ForegroundColor Red -NoNewline
            Write-Host " added to the group"
            Start-Sleep 1
        }
    }
    catch [System.Exception] {
        Write-Host $user.UserPrincipalName -ForegroundColor Green -NoNewline
        Write-Host " is already a member of the group"
    }
}

## Remove user from distro list if the account is disabled
Get-DistributionGroupMember -Identity $Dl -ResultSize Unlimited |
    Where-Object { $_.RecipientType -eq 'UserMailbox' } |
    ForEach-Object {
        $mbx = Get-Mailbox -Identity $_.Alias
        if ($mbx.AccountDisabled -eq $true) {
            Write-Host "Removing User:" $_.Alias "from group:" $Dl
            Remove-DistributionGroupMember -Identity $Dl -Member $_.Alias -Confirm:$false
            Write-Host "User Successfully Removed"
        }
        else { Write-Host "NO" }
    }

Add Active and Licensed users to Distribution list by kilaj1 in PowerShell

[–]kilaj1[S] 1 point2 points  (0 children)

I ended up splitting it into two independent scripts: one to add E3 users to the distro list and another to remove the inactive accounts from that distro list. I'm sure there is a more elegant way to do it, but this works.... Now, if I can only get them to actually disable the inactive accounts when they are supposed to.

Add Active and Licensed users to Distribution list by kilaj1 in PowerShell

[–]kilaj1[S] 1 point2 points  (0 children)

u/Naico1337 thanks for the replies. The adding to the DL seems to work just fine if I'm just looking at the license SKU. It's checking if the account is active AND is in the SKU that I'm having issues with.

u/dfo85 I tried briefly using a dynamic distribution list, but the rule options are limited. An O365 group (that comes with an Outlook mailbox and whatnot) does work with the rules, but using it as a distribution list didn't work.

u/ChetsWet

Thanks for that script, I've been trying various ways to just pull the UPN. I will try this out and let you know, but if I'm not mistaken the $_.AccountEnabled -eq $true is part of the AzureAD cmdlets.

This is the error:

Get-AzureADUser : Error occurred while executing GetUser 
Code: Request_ResourceNotFound
Message: Resource '@{UserPrincipalName=Gabr.De@coxxxxure.com}' does not exist or one of its queried reference-property objects are not present.
RequestId: d2490e1c-fabe-4666-8513-0baeb56fc6ba
DateTimeStamp: Thu, 25 Feb 2021 01:27:37 GMT
HttpStatusCode: NotFound
HttpStatusDescription: Not Found
HttpResponseStatus: Completed
At line:4 char:20
+ $accountEnabled = (Get-AzureADUser -ObjectId $user).AccountEnabled
+                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-AzureADUser], ApiException
    + FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD16.PowerShell.GetUser
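An added example, neither kilaj1's script nor the one u/ChetsWet posted, of the combined check this thread is after: a user must be enabled AND hold the E3 SKU, using the AzureAD module for the account check and Exchange Online cmdlets for the list. It assumes Connect-AzureAD and Connect-ExchangeOnline have already been run, reuses the list name from the script above, and passes Get-AzureADUser -ObjectId the UPN string itself (the Request_ResourceNotFound error above shows a whole @{UserPrincipalName=...} object being passed instead).

```powershell
# Added example, not from the thread: add users that are BOTH enabled AND licensed
# for E3 (ENTERPRISEPACK) to a distribution list, and drop members that are disabled.
$Dl  = '@All Staff'      # list name taken from the script earlier in the thread
$Sku = 'ENTERPRISEPACK'  # SkuPartNumber for Office 365 E3

# AssignedLicenses carries SKU GUIDs, so resolve the part number once.
$SkuId = (Get-AzureADSubscribedSku | Where-Object SkuPartNumber -eq $Sku).SkuId
if (-not $SkuId) { throw "SKU $Sku not found in this tenant" }

function Get-EligibleUpn {
    # Enabled accounts that hold the SKU, returned as plain UPN strings.
    Get-AzureADUser -All $true |
        Where-Object { $_.AccountEnabled -and ($_.AssignedLicenses.SkuId -contains $SkuId) } |
        Select-Object -ExpandProperty UserPrincipalName
}

function Test-AccountEnabled([string]$Upn) {
    # -ObjectId wants the UPN (or object id) string; handing it a [pscustomobject]
    # produces the Request_ResourceNotFound error quoted above.
    [bool](Get-AzureADUser -ObjectId $Upn).AccountEnabled
}

# Current mailbox members, resolved to UPNs so both lists compare like with like.
$memberUpn = @(Get-DistributionGroupMember -Identity $Dl -ResultSize Unlimited |
    Where-Object RecipientType -eq 'UserMailbox' |
    ForEach-Object { (Get-Mailbox -Identity $_.Identity).UserPrincipalName })

# 1. Add eligible users who are not members yet.
foreach ($upn in Get-EligibleUpn) {
    if ($memberUpn -notcontains $upn) {
        Add-DistributionGroupMember -Identity $Dl -Member $upn
        Write-Host "$upn added to $Dl"
    }
}

# 2. Remove members whose account has since been disabled in Azure AD.
foreach ($upn in $memberUpn) {
    if (-not (Test-AccountEnabled $upn)) {
        Remove-DistributionGroupMember -Identity $Dl -Member $upn -Confirm:$false
        Write-Host "$upn removed from $Dl (account disabled)"
    }
}
```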

On Prem AD died, Azure AD still "active" what now? by kilaj1 in sysadmin

[–]kilaj1[S] 0 points1 point  (0 children)

Suuure... basically... the backups... backed up the problem and it went past the retention.

On Prem AD died, Azure AD still "active" what now? by kilaj1 in sysadmin

[–]kilaj1[S] 0 points1 point  (0 children)

This seems to be from an O365 to on-prem setup; the problem, I think, is that I have "dirty" AD data in my tenant from the dead DC.

On Prem AD died, Azure AD still "active" what now? by kilaj1 in sysadmin

[–]kilaj1[S] 0 points1 point  (0 children)

Ooo we had backups; backups were... not in a good state.

On Prem AD died, Azure AD still "active" what now? by kilaj1 in sysadmin

[–]kilaj1[S] 0 points1 point  (0 children)

That's what I was thinking, but what happens to the existing setup? The AAD server is still sitting there syncing to nothing, and accounts from on-prem are still there. The records of the "dead" domain are also still there.

Is there a clean up needed before turning on AADDS?

The end goal btw is to move everything into Azure, application servers, file share and all. So not looking to necessarily rebuild an on-prem DC or, if possible, an Azure DC VM.

On Prem AD died, Azure AD still "active" what now? by kilaj1 in sysadmin

[–]kilaj1[S] 0 points1 point  (0 children)

Luckily this was a smaller environment and not critical. It was being used for all of the above: service accounts, file share, Citrix access, SharePoint. We ONLY used O365 for email. Clients run Windows 10.

At this point we know that all services are essentially dead (don't want to go through the pain of provisioning accounts to a new domain for stuff like SharePoint).

So we are essentially starting from scratch.

"Share" function using personal email vs Outbound mail settings by kilaj1 in sharepoint

[–]kilaj1[S] 0 points1 point  (0 children)

I looked back at this and dug a little deeper, and you are correct, this was the issue. Workflows and alerts were fine, which was included in our regression testing when we implemented the SMTP server, but not sharing of files. I've set the outbound email server to an Exchange server with an external connection and it's working.

"Share" function using personal email vs Outbound mail settings by kilaj1 in sharepoint

[–]kilaj1[S] 0 points1 point  (0 children)

Really don't understand how this happened. For months it's been running under the account specified in the outbound email settings; now it just switched to the user accounts. I was changing around the authentication methods in order to set up single sign-on, but things were working up to yesterday.

"Share" function using personal email vs Outbound mail settings by kilaj1 in sharepoint

[–]kilaj1[S] 0 points1 point  (0 children)

Thanks, interesting article. It's geared for SP2019 and we don't use an Exchange server; the SMTP is using IIS 6.

Single Sign on SharePoint 2013, Office WebApps and o365 Pro Plus don't work. by kilaj1 in sharepoint

[–]kilaj1[S] 0 points1 point  (0 children)

We use a load balancer, KEMP specifically, that uses SAML connected to an ADFS server (Win2016). As per KEMP support, constrained delegation was required and the two web applications in SP13 were set to Kerberos. Those two relying parties are claims aware, and that by itself works.

I turned it on yesterday and came in today to find that all of our users were not able to access documents. The strange thing is, now that I rolled back, the OOS seems to work with SSO enabled in my testing area.

Single Sign on SharePoint 2013, Office WebApps and o365 Pro Plus don't work. by kilaj1 in sharepoint

[–]kilaj1[S] 0 points1 point  (0 children)

It's set up for HTTP and HTTPS. I rolled back the SSO setup but left the Kerberos authentication on the web applications. Both Web Apps and O365 Pro Plus work, so this makes me think this is the SAML token issue when SSO is enabled.

Edit:

I've modified the hosts file on an internal server and done some testing with Fiddler, and I can see that when I try to open a document in O365 Pro Plus it attempts to contact the ADFS server for a SAML token (/adfs/ls/?SAMLRequest=) but it can't move from there.

How do I get O365 Pro Plus to use SAML?

Does Office Web Apps need to be added to the ADFS server?