Thanks, Microsoft – CredSSP error when connecting to a terminal server

Halp ! My RDP connection can no longer connect.

Imagine doing your Windows updates, like a good boy, when suddenly you get this nice little error.

An authentication error has occurred.
The function requested is not supported.
Remote computer : <insert remote desktop server name>

This could be due to CredSSP encryption oracle remediation.
For more information, see https://go.microsoft.com/fwlink/?linkid=866660

What happened ?

Microsoft recently patched a security issue in CredSSP (the ‘encryption oracle’ mentioned in the error) on all recent server OSes. The error shows up when an updated client talks to a server that hasn’t received the update yet.
Every good citizen using the default Remote Desktop client now stands a big chance of being screwed.

Quick fix –>

Create a DWORD registry entry as follows :

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters] “AllowEncryptionOracle”=dword:00000002

Even more “lazy mode” –>

Download and unzip the credssp file.

Double-click the REG file after unzipping.

No matter which solution you’ve chosen, reboot the client PC.
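The same quick fix as a PowerShell snippet, added here and not part of the original post. It shows the current value before changing it, so you can put it back later: value 2 is what Microsoft calls the ‘Vulnerable’ setting, so treat this as a temporary workaround until the remote server is patched.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell on the CLIENT PC.
# The key path normally does not exist until a policy has been set, so it is created first.
$KeyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters'
$Name    = 'AllowEncryptionOracle'

function Get-CredSspOraclePolicy {
    # Returns the current value, or $null when no policy is set (= the patched default applies).
    $item = Get-ItemProperty -Path $KeyPath -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

function Set-CredSspOraclePolicy {
    # 0 = Force Updated Clients, 1 = Mitigated, 2 = Vulnerable
    param([ValidateSet(0, 1, 2)][int]$Value)
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    Set-ItemProperty -Path $KeyPath -Name $Name -Value $Value -Type DWord
}

$before = Get-CredSspOraclePolicy
Write-Host "Current AllowEncryptionOracle: $(if ($null -eq $before) { '<not set>' } else { $before })"

# 2 = 'Vulnerable': the client accepts an unpatched server. This is the post's quick fix.
Set-CredSspOraclePolicy -Value 2
Write-Host 'AllowEncryptionOracle set to 2; reboot the client PC.'

# Once the remote server has the update installed, remove the override again:
#   Remove-ItemProperty -Path $KeyPath -Name $Name
```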

Self-signed server certificate has expired (usually in SBS environment)

If you were born before 1990 (and you’re in IT), you probably grew up with self-signed certificates.
They give you a lovely fake feeling of security, but more than that, they give users and the IT department horrible stress to configure.
In the ‘days of olde’ (early 2000s), an Exchange server could happily run over plain HTTP and a certificate was absolutely not required.

Times have changed and so have security protocols. It’s ill-advised to use a self-signed certificate nowadays, just as it is ill-advised to still use a .local domain on your domain controller.

That being said, there are a couple of ways to fix an expired self-signed certificate on a Windows SBS server. (Read first, perform later; you’ll see why.)

Lazy mode

aka ‘fix my network’

Open the SBS console, go to the ‘network’ menu and select the ‘Connectivity’ tab.

Click ‘Fix my network’ and, after the wizard stops scanning, deselect everything except the certificate error.

The usual Next-Next-Next follows and, according to Microsoft, you’re good to go.

HOWEVER…

There are a couple of things that can go wrong here:

  • Your certificate contains a custom entry referring to a domain name or subdomain name that wasn’t originally added in the SBS wizard.

    You’ll need to perform the manual method for renewing a certificate. See below.

  • Your Exchange webmail (https://your_mail_server_ip/owa/) still gives a certificate error, stating your certificate is still expired.

    In this case, IIS needs to be told to use the newly created certificate.

Somewhat easy mode

  1. Start the Exchange Management Shell as Administrator
  2. Type Get-ExchangeCertificate to list the installed certificates
  3. Match the expired certificate from the Console (using the subject name and services), then copy the associated thumbprint
  4. Type Get-ExchangeCertificate -Thumbprint INSERTTHUMBPRINTHERE | New-ExchangeCertificate | Enable-ExchangeCertificate -Services POP,IMAP,SMTP,IIS
  5. Type Y to renew the certificate
  6. Restart the SBS 2008/2011 Console or restart the server.
  7. Profit.
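Steps 2 to 5 above as one Exchange Management Shell script, added here and not part of the original post. It finds the expired self-signed certificate by subject name and expiry date instead of copying the thumbprint by hand; the subject filter ‘mail.example.local’ is a placeholder.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell as Administrator.
# Placeholder: the CN of the expired certificate as shown in the SBS console.
$SubjectFilter = 'CN=mail.example.local*'

# Steps 2 and 3 of the post: list certificates and match the expired one by subject and expiry.
# Only self-signed certificates are considered: piping a CA-issued certificate into
# New-ExchangeCertificate would produce a renewal request instead of a new certificate.
$expired = Get-ExchangeCertificate |
    Where-Object { $_.IsSelfSigned -and $_.Subject -like $SubjectFilter -and $_.NotAfter -lt (Get-Date) } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if ($null -eq $expired) {
    Write-Host "No expired self-signed certificate matching $SubjectFilter found. Installed certificates:"
    Get-ExchangeCertificate | Format-Table Thumbprint, Subject, NotAfter, Services, IsSelfSigned -AutoSize
    return
}

Write-Host "Renewing certificate $($expired.Thumbprint) (expired $($expired.NotAfter)) ..."

# Step 4 of the post: clone the expired certificate into a fresh self-signed one and bind it to
# the same services. -Force answers the 'Y' prompt of step 5 for you.
$new = Get-ExchangeCertificate -Thumbprint $expired.Thumbprint | New-ExchangeCertificate -Force
$new | Enable-ExchangeCertificate -Services POP,IMAP,SMTP,IIS -Force

# Verify: the new certificate is valid and carries the services (IIS is what OWA uses).
Get-ExchangeCertificate -Thumbprint $new.Thumbprint | Format-List Subject, NotAfter, Services, IsSelfSigned
```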

Like-a-bawz-mode

Beautifully explained on http://www.petenetlive.com/KB/Article/0000535, so no need to repeat what Pete already wrote.
The main idea here is to use the IIS built-in Certification Authority (certsrv), while manually defining all entries needed in the certificate.

It’s still relatively easy, but requires a lot of steps.

Of the three methods mentioned, this last one is the most likely to succeed.

Sources :

  • http://www.petenetlive.com/KB/Article/0000535
  • https://serverfault.com/questions/526221/renewing-sbs2011-exchange-self-signed-certificate-w-o-changing-home-page-in-ie
  • My own meandering experience

Office 365 Migration (1) – food for thought before you start

Obligatory blah blah


Having to give daily support on this (I can say ‘amazing’) product, I’ve decided to write a couple of mini-guides on migrating your current mail environment to Office 365, as well as on related topics.

Some screenshots are taken from http://www.itpromentor.com/ , a website by Alex Fields, who is a great technical blogger, so I gladly link back to his site.


Seeing as teaching new techniques to human beings is always about helping people remember the ‘why’ in order to better understand the ‘how’, I’ll try to get into a bit more detail in every piece of the explanation and guides.

Before starting out, I’m going to give a tiny commercial heads-up on Office 365 products (no, I’m not sponsored by Microsoft in any way).
If you’re a business user and you use Outlook ‘like a bawz‘, but hate all the fuss and the inability to easily interact with all your colleagues and customers, this is the thing for you.
O365, as I’ll be calling the product from now on (it types faster), starts low-cost at just ‘mail in the cloud’, but can go as far as cloud authentication and co-authoring documents, following up on workflows depending on the content of a file etc. etc.

I’m not going to play the devil’s advocate and give you a full lowdown on why you shouldn’t use Google For Business, as this product has its own amazing features as well. Heck, I even use it myself, for my own domain name. Aaaaannnd just to prove my point : co-authoring a document is still easier in Google Suite (which is the other/newer name for Google For Business).


The concept

If you’ve been living under a rock or you’re not into IT fashion words, I’d love to give you a small recap on the entire concept of O365.

Financially, there are two sides to this idea :

  • as a reseller, you’re guaranteed a small recurring fee per month/year for all your customers that you deliver onto the platform. Preferably using a Microsoft CSP to help you out. Do not expect to get rich overnight. O365 as a business model requires you to sell the product as your own, adding extra value to the product, which brings us to the second financial side…
  • as an end-user or business-owner, what stops you from taking out your credit card and just paying Microsoft directly the same amount you would probably pay your IT partner, were he to just sell you the product, is the extra value and direct support you can get from him.
    I think we can all agree that in Microsoft’s eyes you are a small fry. Yes, even you, business-owner with 50 E3 accounts. This relates especially to the first-line support calls you will receive from a call-centre in Casablanca or Islamabad.
    O365 requires less but still sufficient support compared to running your own data- or Exchange-server. Keep this in mind when making the purchase.
    – Will you install your own Active Directory from scratch ?
    – Are you up to configuring your own send and receive connectors ?
    – Do you have a plan in mind to perfectly set up your file structure in the cloud ?
    If all three questions can be answered with a ‘YES’, then hesitate no more and get your credit card out, surf to https://portal.microsoftonline.com and figure it out yourself.
    Google will be your friend in this journey.
    The basic setup can be a bit overwhelming, but Microsoft has made managing your O365 environment relatively easy when you use only the web-interface.


Now that we’ve passed the money barrier, let’s talk practical specifics.

A general misconception (and I can totally understand the confusion here) is that O365 is a box you can buy in the local IT-minded supermarket.
It’s probably a misconception, BECAUSE THERE IS AN ACTUAL BOX YOU CAN BUY.

A wild bunch of Office 365 boxes in their natural state : unopened

We have to thank the lovely product managers at Microsoft for this confusing product naming here.
No, the actual products I’ll be talking about, are subscription-based products with names such as Business Premium (confused already ?), Exchange Plan 1, Office 365 E3, ProPlus etc.
The product name ‘Azure’ will be thrown around a lot too.

As a user, you’ll be paying Microsoft either directly or indirectly for a cloud-based solution that hosts your files, mail, calendar, without the hassle of maintaining your own physical server.
Other advantages include an always up-to-date version of Microsoft Office, an online collaboration platform (yes I’m talking about Sharepoint), a communication tool (Microsoft Teams, which used to be Lync/Skype for Business) and tons more.

The aforementioned Azure will also net you a true cloud server, if you’re in the running for something more than the default solution. As short-sighted as this very brief summary of Azure is, this post doesn’t really shed much light on Microsoft Azure.
Let’s say that calling it a ‘cloud server’ is an insult 🙂


DON’T PANIC

If you’re still reading this and haven’t run away in total disgust at either having to resell or having to use a Microsoft cloud product, please keep an eye open for the next post on Office 365.
Also, that other fashion word, ‘Powershell’ : you’ll be hearing it a lot in advanced trainings.
Embrace it, don’t fear it.
If what you read in the above lines gives you the same feeling as watching a TV test signal, also don’t worry too much. Powershell is just a way of typing commands, just like good old DOS.
Plus you don’t HAVE to use it. It just helps with advanced management tasks.

There’s tons of online help available. Microsoft also allows you to play around in a 30-day trial environment.

Last but not least : ‘no stress’.
Happy reading.


Creating a catch-all address on an Exchange 2013/2016/O365 mail environment

*incoming wall of text*

Seeing as Office 365 is such a hype right now, I decided to create a catch-all address for a customer of ours on his personal Exchange Server 2013.

=== Still to do, because lazy –> add pictures for more attractiveness 🙂 ===

According to t3h intarwebz, this is supposed to be easy.
Unfortunately, one only gets half the info when having to configure this.
A couple of trial-and-error moments later, the following checklist led to the result needed (also applicable in an Office 365 environment, btw).

  1. Go to https://your_server/ecp/ (or https://outlook.office365.com/ecp/) and choose ‘mail flow’ in the left column.
  2. Go to the ‘accepted domains’ menu on top and make sure the domain to which the catch-all address is to be assigned, is set as domain type ‘internal relay’.
    I will explain why.
    In the next step we will create a server-side mail rule for the catch-all mailbox. In order for an NDR not to be generated when someone sends a mail, we need to make sure the domain is set to ‘internal relay’. This causes mail rules to be executed before the server actually checks whether the mailbox exists, thus enabling a filter possibility.
  3. Next, we want to create a mailbox in which we’ll drop all the catch-all mails (unless you already have a user or shared mailbox set up to receive this, of course)
    I’m not going to go in a lot of detail on this, as this is rather basic stuff on an Exchange Server (left menu ‘recipients’, top menu ‘mailboxes’, blah blah…)
  4. Not always optional (especially not literally doable in O365) –> restart your Microsoft Exchange Transport service on your Windows server. (if you have the classic white-paper setup with a front- and backend server, restart the service on both servers)
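Steps 2 to 4 above as Exchange Management Shell (or Exchange Online PowerShell) commands, added here and not part of the original post. ‘example.com’, the catch-all mailbox and the ‘All Mailboxes’ group are placeholders; the server-side rule that step 2 refers to is included in the shape I assume it takes (redirect mail for the domain to the catch-all mailbox, except mail addressed to existing users), since the post does not spell it out.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell, or in an
# Exchange Online PowerShell session for O365 (skip the service restart there).
# Placeholders: example.com, the catch-all mailbox and the 'All Mailboxes' group.
$Domain       = 'example.com'
$CatchAllUser = 'catchall@example.com'
$AllUsersGrp  = 'All Mailboxes'          # distribution group holding every real mailbox
$RuleName     = "Catch-all for $Domain"

# Step 2: the accepted domain has to be InternalRelay, otherwise Exchange rejects unknown
# recipients before any transport rule gets a chance to redirect the message.
$accepted = Get-AcceptedDomain -Identity $Domain
if ($accepted.DomainType -ne 'InternalRelay') {
    Write-Host "Changing $Domain from $($accepted.DomainType) to InternalRelay"
    Set-AcceptedDomain -Identity $Domain -DomainType InternalRelay
}

# Step 3: the mailbox that collects the catch-all mail must already exist.
if (-not (Get-Mailbox -Identity $CatchAllUser -ErrorAction SilentlyContinue)) {
    throw "Mailbox $CatchAllUser does not exist yet; create it first (recipients > mailboxes)."
}

# The server-side mail rule step 2 refers to (assumed shape): mail for the domain is redirected
# to the catch-all mailbox, except when it is addressed to a member of the group of real
# mailboxes, so existing users keep receiving their own mail.
if (-not (Get-TransportRule -Identity $RuleName -ErrorAction SilentlyContinue)) {
    New-TransportRule -Name $RuleName `
        -RecipientDomainIs $Domain `
        -ExceptIfSentToMemberOf $AllUsersGrp `
        -RedirectMessageTo $CatchAllUser
}

# Step 4 (on-premises only): restart the transport service so the accepted-domain change is
# picked up. With a separate front-end server, restart the service there too.
Restart-Service MSExchangeTransport
```

A catch-all mailbox receives every misaddressed message for the domain, including spam and directory-harvest traffic, so keep anti-spam filtering in front of it and watch its size.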