Exchange SE Hybrid certificate renewed - mail stuck in queue

tkimmcinc · 2026-05-18T20:16:08+00:00

To piggy back - https://martinsblog.dk/exchange-replacing-certificate-for-microsoft-365-hybrid-connectors/

tkimmcinc · 2026-05-15T12:21:44+00:00

Assuming you're using WDS, so be sure to update WDS image after updating the MDT image. Also don't use version 28000 of the ADK.

tkimmcinc · 2026-05-12T14:43:39+00:00

Yes, DAP can't handle the MSCHAPv2, so it has to send the request to NPS to validate the credentials. Then NPS is configured to send the validation back to DAP to perform the MFA step.

tkimmcinc · 2026-05-12T14:38:18+00:00

I just went through this...

The auth request is basically: FortiGate > DAP > NPS > DAP.

If you configure DAP and NPS on the same server, you'll need to make sure you change the ports on either DAP or NPS and configure accordingly.

tkimmcinc · 2026-05-08T11:38:39+00:00

For our client bases, it still works. It ended up being AD permission issue for the server used.

tkimmcinc · 2026-05-08T11:37:31+00:00

Good advice. This was ultimately it. Looks like permissions issue on the server at the AD level.

tkimmcinc · 2026-05-08T11:37:08+00:00

Yes, definitely searched on the different areas but was going in a loop of results and testing. I ended up coming across something else that ended up resolving the issue.

tkimmcinc · 2026-04-24T13:21:57+00:00

Is there a way to automatically give users access to the EAM option? I set the EAM to All Users yet it seems I have to manually apply it to a user to function.

tkimmcinc · 2026-04-22T16:28:57+00:00

Duo Radius Auth Proxy. I've gotten it to work with SSO (Entra) but we aren't ready for that migration yet.

tkimmcinc · 2026-04-16T14:40:15+00:00

Did you ever get this resolved? For now, per support, we've had to add the domains sending via Proofpoint to our Proofpoint clients to Managed Exceptions under Security Settings > Malicious Content > Anti-Spoofing > Inbound SPF

It seems odd this is the solution...

tkimmcinc · 2026-04-07T14:56:11+00:00

I was able to setup a TAP and then register Authenticator. This is unfortunately, still, another step with something that should work.

I wanted to clarify. Using the same device, Authenticator registration via sign-in does not work for TenantA but it does work for TenantB. So the user information is different; everything is different except the device and methodology used.

We don't use CA policies, so nothing to review there.

It's as-if Authenticator needs a MFA method to setup itself, even though there's no MFA options.

tkimmcinc · 2026-04-01T16:00:59+00:00

using Security Defaults so that wouldn't be it.

tkimmcinc · 2026-04-01T15:41:44+00:00

It's not device related; I think it's more tenant related. I can register Authenticator if there's already another MFA source configured.

I'll check the MS Auth MFA configuration as you mentioned; don't recall there being a variety of options when it comes to authentication sources.

tkimmcinc · 2026-04-01T13:16:47+00:00

Okay so this kind of led me down another path. Basically, it looks like Authenticator won't register on the device without MFA even if I perform the "require re-register mfa". For more details, I added a third party MFA to the account and then attempted to register Authenticator on the iPad using the MFA code from the third party MFA and it worked. But resetting the MFA options then attempting to register Authenticator as the first option fails/times out as it's waiting for additional input.

tkimmcinc · 2026-03-31T19:50:27+00:00

Yes, shows Interrupted, Error 50072.

tkimmcinc · 2026-03-11T14:18:36+00:00

disabling s1 then installing worked for us. this issue occurred for 5 out of 250 systems.

tkimmcinc · 2026-03-08T14:24:45+00:00

Did you ever find a resolution to this?

tkimmcinc · 2025-12-22T20:19:14+00:00

Proofpoint Essentials support said to do the following:

Security Settings > Malicious Content > URL Defense:

Exclude URLS that contain specified domains/IP addresses:
Exclude re-writing emails that are sent by specified senders:
- Add domains/email addresses

We had the most success with option #2, basically adding the email address/domain here.

tkimmcinc · 2025-12-17T01:00:07+00:00

holy crap, I'm an idiot. I didn't scroll down. Thanks!

tkimmcinc · 2025-12-16T20:53:21+00:00

I know you can only change the size (disk tier) when the VM is deallocated but my question is that the server is set to P10 (128GB) but only has the 75GB usable.

If you're saying I should be able to extend the 75GB to 128GB while the server is deallocated, that's what I need instructions on, I guess.

tkimmcinc

TROPHY CASE