Steve Goodman's Exchange Blog
22Apr/120

Exchange 2010 SP2 Hybrid Wizard resets OWA Redirect URL to Tenant Domain

Background

When you run the Hybrid Configuration wizard even in a tenant that uses Federated login, you might find that even if you’ve chosen only one of your federated domains, the redirect URL to Office 365 is set to your tenant domain (onmicrosoft.com) rather than the federated domain you chose in the wizard or would prefer to use:

image

If you’ve not this before, this results in the end use having to enter their User Principal Name at the Microsoft Online Services login page, before being redirected back to the ADFS services:

image

So the first thing you might do is the following to set your TargetOWAURL to the correct value:

Set-OrganizationRelationship "On Premises to Exchange Online Organization Relationship" -TargetOwaURL:https://outlook.com/owa/federateddomain

image

This results in the smoother (or even super-smooth if you check out my previous article) experience where the end use is redirect straight to AD FS login.

The Problem

If you need to update the Hybrid Configuration – for example to add or change IP addresses of External Transport Server IP addresses, update the certificate or add/remove Hub Transport or Client Access Servers, then you’ll re-run the Hybrid Configuration Wizard.

image

A seemingly innocuous change to an IP address for outbound SMTP servers that doesn’t affect the organization relationship itself will result in the Redirect URL for OWA being set back to the tenant domain resulting in the scenario outlined above.

So, just bear that in mind when you need to re-run the Hybrid Configuration wizard.. It’s simple to deal with by ensuring your reconfigure your TargetOWAURL, just make sure you don’t forget Smile

Steve

Tagged as: , , , , No Comments
21Apr/120

Updated–Getting info about ActiveSync, EWS and WebDAV clients from Exchange 2007 and 2010

imageLast year, I wrote a script for pulling out information from Exchange 2007 log files on Windows Server 2003 to detail information about EWS, ActiveSync and WebDAV clients. The purpose of this script was primarily to make it easy to find out about client you need to test before moving to Exchange 2010.

I’ve been meaning for a while to make an update to the script, as one issue with original version is that is was aimed only at Windows 2003 servers – and naturally there are a fair few Windows 2008 and 2008 R2 servers running Exchange Server 2007. The script is also useful when checking out what’s in the current environment before migrating to Office 365, so it’s applicable to Exchange 2010 as well.

So, I’m pleased to say that I’ve finally updated the script to support Windows 2008, 2008 R2, and also tested the script against Exchange 2007 and 2010 logfiles.

As with the previous version, it’s a little slow on larger log files, taking an hour or so for a 500MB log file and for log files of around 3GB each it can take around 6 hours.. So a future Log Parser Studio version might be in order.

Visit the original article for the updated script

Tagged as: , , , , No Comments
19Apr/120

DiscoverySearchMailbox in an Exchange 2007/Office 365 Hybrid environment causes DirSync errors

Whilst working on an Office 365-Exchange 2007 hybrid environment, you may experience errors similar to those shown below from the Directory Synchronization Error Report email and in Forefront Identity Manager:

Identity

Error Description

DiscoverySearchMailbox {D919BA05-46A6-415f-80AD-7E09334BB852}@exchangelabs.co.uk

Unable to update this object in Microsoft Online Services, because the attribute Username is not valid. Update the value in your local Active Directory.

image

Why does this happen?

This is because as part of building your Hybrid environment, you’ll introduce Exchange 2010 servers into your environment as your Hybrid co-existence servers, running both the Client Access, Hub Transport but not the Mailbox role. When running the pre-requisite Active Directory Preparation a Discovery Search Mailbox, used in Exchange 2010 for storing the results of multi-mailbox searches.

In an full Exchange 2010 – Office 365 hybrid environment you won’t see this issue, because DirSync filters out any Discovery Mailboxes within the organization by checking (amongst other things) the mxExchMailboxTypeDetails attribute and if it’s set to the hexadecimal value 0x20000000, it will not exclude it from synchronization:

image

However the reason why it isn’t included within an Exchange 2007 hybrid environment is because the mailbox is never enabled – Discovery Search mailboxes do not exist in Exchange 2007. So as a “standard” user object, DirSync attempts to export it.

Correcting the issue in your Exchange 2007 Hybrid environment

Unfortunately, it’s not possible to enable the Discovery Search mailbox with the correct type from either the Exchange 2007 management console (you’ll just enable it as a normal mailbox) or the Exchange 2010 Hybrid Servers (you don’t have Exchange 2010 mailbox servers).

What you can do though is simply delete the Discovery Search Mailbox from the Users container of Active Directory.

Once deleted, synchronization will complete without an error about the Discovery Search Mailbox.. And that’s all there is to it until you decide to migrate your Exchange 2007 environment to Exchange 2010…

Re-creating the Discovery Search Mailbox if you install Exchange 2010 Mailbox Servers into your Hybrid environment.

If you need to re-create the Discovery Search Mailbox at a later date, it’s fairly straightforward – all you need to do is re-run the AD preparation for Exchange 2010. Let’s just walk through that process:

Locate the Exchange 2010 Service Pack 2 media and run the following command:

setup.com /PrepareAD

image

If at this point you have Exchange 2010 mailbox servers and wish to enable this as a proper Discovery Search Mailbox, first, check you can find the Discovery Search user from an Exchange 2010 Management Shell:

Get-User DiscoverySearchMailbox*

image

Assuming a single user is returned, simply enable it using the Enable-Mailbox cmdlet with the –Discovery parameter:

Get-User DiscoverySearchMailbox* | Enable-Mailbox –Discovery

image

And at this point, because you’ve got Exchange 2010 mailbox servers and enabled the Discovery Search Mailbox correctly (which will set the msExchRecipientTypeDetails attribute in Active Directory) you won’t see any DirSync errors either.

Steve

Tagged as: , , , , , No Comments
17Apr/125

Enabling Silent OWA Redirection for Office 365 Hybrid

image

As part of a Hybrid deployment of Exchange Server 2010 and Office 365, you’ll be faced with a few challenges if you want to keep a single Outlook Web App URL for your end users.

If you’re using Windows Authenticated Login against Exchange and AD FS then you’ll already have avoided multiple login prompts; and if you’re using Forms Based Authentication for both I’ll be covering the TMG setup necessary to configure the same single sign on you’ll see in the videos here in a future article. (based in part by a post Michel De Rooij pointed me to here).

The other challenge that I really wanted to get a solution for, and get feedback from others on, is the landing page shown above where the end user needs to click-through the “Use the following link to open this mailbox with the best performance” page. What I wanted was a solution that avoided that step entirely.

Now, it’s not necessary to do this if you are happy for users to update their own bookmarks, and concerns about users seeing a non-company domain can be avoided by following the steps in this article by Timothy Heeney which shows you how to setup a separate vanity Office 365 URL like “http://cloud.company.com/owa” by using CNAME records.

However if you have a large user base that will be mixed between on-premise and Office 365, then keeping a single OWA URL will be very desirable. For example, a large University may have user documentation with the URL specified, lab computers with standard bookmarks, and the possibility that users may move between on-premises and Office 365 as they move between different courses or roles. It might only be an extra click, but if you add up that extra 5 seconds across tens of thousands of users logging into OWA per day and it starts to add up..

If you’re not familiar with the process, here’s a quick demo of the current “out of the box” experience, optimised using TMG for forms-based single sign-on:

Unable to display content. Adobe Flash is required.
OWA Standard Sign-in to Office 365

As you can see it’s good – but it’s not great. It’s not got the “wow” factor that makes a hybrid deployment feel like a single organization.

The redirect page itself does serve other purposes, so it’s not like we can just get rid of it. It’s used by Exchange itself if you have an environment with multiple internet facing sites, unless you use the SP2 feature for silent redirection between sites. So we can’t just do away with the redirection page altogether – we need to take into account where it might be used elsewhere.

Another issue that’s been highlighted to me (thanks BR!) is that the default non-SSL link generated through the Hybrid Wizard is in the form http://outlook.com/owa/federateddomain rather than it’s SSL equivalent – so using this (or the vanity URL mentioned above) could generate browser warnings regarding redirection to a insecure link. Therefore the link we redirect to must be in the form https://outlook.com/owa/federatedomain. This can be changed easily though, by editing the Organization Relationship like so:

Set-OrganizationRelationship "On Premises to Exchange Online Organization Relationship" -TargetOwaURL:https://outlook.com/owa/federateddomain

image

Once this is changed, we should be ready to enable the silent OWA redirection in Exchange itself, by editing the casredirect.aspx file within OWA.

Before we begin – it’s important to understand that this is unsupported by Microsoft, and it probably never will be. Therefore, you’ll need to test this in your own environment, and be prepared to replace the original casredirect.aspx file in the event of any issues; you’ll also need to check and if needed, re-implement this after application of update rollups or service packs. That said, so far I can’t see a reason why this would cause any issues and part of the point of this post is to gain some feedback from the community as to any other downsides.

So now you know why you shouldn’t do this – let’s look at how to do it..! You’ll find the casredirect.aspx file within the OWA directory, typically in the following path within the Exchange install directory:

C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\owa\

Edit the casredirect.aspx file directly above the <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> tag and add the following lines:

<%
if (RedirectionUrl.Contains("https://outlook.com/owa")) {
    Response.Redirect(RedirectionUrl);
    Response.End();
}
%>

This should look like this in the actual file itself:

image

What does this do? Well, it’s pretty straightforward – before any content is rendered, the Redirection URL is checked to ascertain if it contains the https://outlook.com/owa URL (note the HTTPS!), and if so, issue a redirect to Office 365. For any other Redirection URLs, the page will render normally.

Let’s take a look at how it works in practice:

Unable to display content. Adobe Flash is required.
OWA Silent Redirection to Office 365

 

As you can see it’s fairly simple to implement, and provides a clean login consistent with on-premises Outlook Web App when combined with other SSO methods. Let me know what you think in the comments…

Steve

Tagged as: , , , 5 Comments
 « Newer Entries  Older Entries »

More from StevieG.org

Order your copy of iPhone with Exchange Server 2010 - Business Integration and Deployment today!

Find Me On…



Important Notice

Posts on this site not endorsed by or the views of my employer and any advice, scripts and other info are provided as-is and without warranty. This site is not affiliated with Microsoft in any way.

Enter your email address to subscribe to this blog and receive notifications of new posts by email.

Categories

Recent Posts

Top posts

Blogroll