Configuration

SharePoint Online & Sign-In Acceleration – SSO for SPO

For those using SharePoint Online, you may have noticed that it does not provide the same home realm discovery that Exchange Online does. Home realm discovery means the service knows which domain/UPN is being used and applies the matching authentication type for that user (Managed/Online versus Federated/ADFS). SharePoint Online now supports Sign-In Acceleration, which allows SPO to recognise that a browsing user is a Federated user and send them to https://login.microsoftonline.com with a directive that instructs login.microsoftonline.com to forward the authentication request on to the tenant's ADFS endpoint (e.g. https://sts.contoso.com).

Note – To enable this for your Office 365 tenant, log a support case; support can enable it for you.

Explanation

Once auto-acceleration is enabled, the SPO authentication process works as follows:

  1. The user navigates to https://contoso.sharepoint.com in their web browser.
  2. SharePoint receives the request and detects that auto-acceleration is enabled for this tenant by leveraging the domain name in the domain.sharepoint.com URL being used to access SPO.
  3. The user is then sent to login.microsoftonline.com with extra information in the URL (a whr tag). This tag indicates to AAD that it is safe to accelerate the user directly to the ADFS endpoint, login.contoso.com.
  4. Once there, the user may enter their credentials and sign-in. In the case of domain-joined machines, the user will be signed in immediately based on browser settings for SSO.

This effectively allows SPO to provide home realm discovery and SSO for users, as Exchange Online does today, and will make your SPO users much happier by reducing authentication prompts and requests for UPNs and passwords.
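The redirect chain described in the four steps above can be observed without signing in, which is a quick way to confirm that acceleration is actually in effect for a tenant. The script below is an added example, not code from the original post; contoso.sharepoint.com and sts.contoso.com are the post's placeholder names, and it only follows HTTP Location redirects, so a hop implemented as a script or form post ends the chain early.

```powershell
# Added example (not from the original post): walk the SPO sign-in redirect chain
# hop by hop and report whether the login.microsoftonline.com hop carries the
# whr= hint and whether the chain then lands on the tenant's ADFS endpoint.
param(
    [string]$SiteUrl  = "https://contoso.sharepoint.com",   # placeholder tenant site
    [string]$AdfsHost = "sts.contoso.com",                  # placeholder ADFS endpoint
    [int]   $MaxHops  = 8
)

function Get-SpoSignInChain {
    param([string]$Url, [int]$MaxHops)
    $hops = @()
    $next = $Url
    for ($i = 0; $i -lt $MaxHops -and $next; $i++) {
        $req = [System.Net.HttpWebRequest]::Create($next)
        $req.AllowAutoRedirect = $false          # we want to see every Location header
        $req.Method = "GET"
        $req.UserAgent = "Mozilla/5.0"
        try   { $resp = $req.GetResponse() }
        catch [System.Net.WebException] { $resp = $_.Exception.Response }
        if (-not $resp) { break }
        $hops += [pscustomobject]@{ Url = $next; Status = [int]$resp.StatusCode }
        $loc = $resp.Headers["Location"]
        $resp.Close()
        # Location may be relative; resolve it against the hop that issued it
        $next = if ($loc) { (New-Object System.Uri([Uri]$next, $loc)).AbsoluteUri } else { $null }
    }
    return $hops
}

$chain = Get-SpoSignInChain -Url $SiteUrl -MaxHops $MaxHops
$chain | Format-Table -AutoSize

# The acceleration hint: the AAD hop must carry whr=<federated domain>
$aadHop = $chain | Where-Object { $_.Url -match "login\.microsoftonline\.com" } | Select-Object -First 1
if ($aadHop -and $aadHop.Url -match "[?&]whr=([^&]+)") {
    "Sign-In Acceleration hint present: whr=$($Matches[1])"
} else {
    "No whr hint on the login.microsoftonline.com hop: acceleration is not enabled, or the chain ended early"
}

# The forward to ADFS: with acceleration the last hop should be the federation server
if ($chain.Count -gt 0 -and $chain[-1].Url -match [regex]::Escape($AdfsHost)) {
    "Final hop reaches ADFS at $AdfsHost; home realm discovery was skipped as expected"
}
```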

Replacing ADFS 2.0 Secure Communications Certificate – “The Certificate Cannot Be Processed”

For all Office 365 Active Directory Federation Services (ADFS) administrators: you may find that your ADFS “Secure Communications” certificate has expired and needs to be replaced, or that you need to replace it for another reason and are having issues doing so. Many times administrators start with an internal Certificate Authority (CA) certificate and later upgrade to a public certificate in order to support users with Outlook or other rich applications.

Whatever the reason, there are a few things you need to think about when performing this task:

  1. The Active Directory Federation Services MMC (UI) can be used to set the “Secure Communications” certificate as follows:
    1. Expand ADFS –> Service –> Certificates, right-click the Certificates folder and select Set Service Communications certificate. This makes the certificate applied to your IIS default website the service communications certificate used by ADFS.
      1. Note – You will be presented with all viable certificates in the Local Machine –> Personal –> Certificates store.
    2. Select the proper certificate and click OK

Note – I attempted this in my lab environment; however, I had to rekey my certificate and the old certificate had been revoked. Because of this, I believe the above steps failed with the following error, which forced me to use PowerShell to set the proper certificate while clearing out my old certificate.

Screenshot – Attempt to Set Secure Communications Certificate

Steps to Resolve

  1. Remove the old certificate from the Local Machine –> Personal –> Certificates store
  2. Import the new certificate using IIS –> Import Certificate
    1. Place it into the Local Machine –> Personal –> Certificates store
  3. Manage Certificates –> Manage Private Keys –> grant Read access to the ADFS service account (I gave the ADFS AppPool identity Full Access)
  4. Launch PowerShell
    1. Add-PSSnapin Microsoft.ADFS.PowerShell
    2. Set-ADFSCertificate -CertificateType Service-Communications -Thumbprint "<new certificate thumbprint>"
       (The valid -CertificateType value is Service-Communications, matching the MMC option above; the type name is not quoted while the thumbprint is. Use the hex thumbprint from the certificate's Details tab.)
      1. Note: Turns out the –CertificateType string is NOT enclosed in quotations while –Thumbprint is. I had this backwards and the error states that “-CertificateType is invalid”. This is wrong; it was which string was wrapped in quotes.
        • Screenshot – error message if you enclose the wrong string in quotations
      2. Screenshot – example using PowerShell 3.0 ISE, which is an outstanding tool for working in PowerShell
  5. Restart IIS and the ADFS service
    1. iisreset
    2. Restart the AD FS 2.0 Windows Service
  6. Launch the ADFS 2.0 MMC –> Service –> Certificates and verify that the new certificate is listed
  7. Launch the Microsoft Online Services Module for Windows PowerShell and update the Microsoft Federation Gateway (MFG) with the new certificate and thumbprint
    1. Download and install the Online PowerShell module: https://portal.microsoftonline.com/IdentityFederation/IdentityFederation.aspx
    2. Launch it and connect to Microsoft Online Services: Connect-MsolService
      1. Note: Enter your online Global Admin credentials
    3. Update the MFG with the new certificate information:
      1. Update-MsolFederatedDomain -DomainName <domainName.com>
    4. Check that the new certificate information, such as the thumbprint, has been uploaded into the cloud:
      1. Get-MsolFederationProperty -DomainName <domainName.com>

AND TEST… you should be set and ready to go!
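The steps above can be driven from one script that also checks the new certificate before binding it, so a rekeyed (and therefore revoked) or expired certificate is rejected up front instead of failing inside the MMC. This is an added example, not code from the original post; the thumbprint and federated domain are placeholders you supply, it assumes the ADFS 2.0 snap-in and the MSOL module are installed, and the private-key ACL from step 3 is still granted in the MMC.

```powershell
# Added example (not from the original post): replace the ADFS 2.0 service
# communications certificate from PowerShell and verify each step. Run as an
# administrator on the ADFS server. $Thumbprint and $Domain are placeholders.
param(
    [Parameter(Mandatory=$true)][string]$Thumbprint,   # thumbprint of the NEW certificate
    [Parameter(Mandatory=$true)][string]$Domain        # federated domain, e.g. contoso.com
)
$Thumbprint = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpper()   # strip spaces copied from the UI
Add-PSSnapin Microsoft.ADFS.PowerShell -ErrorAction Stop

# 1. The certificate must be in LocalMachine\My with a usable private key and not expired
$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert)                    { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }
if (-not $cert.HasPrivateKey)      { throw "Certificate has no private key; re-import the PFX" }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)" }

# 2. Build the chain with online revocation checking: this is what catches a rekeyed
#    (and therefore revoked) certificate, the situation the MMC choked on above
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
if (-not $chain.Build($cert)) {
    $reasons = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    throw "Certificate chain is not valid: $reasons"
}

# 3. Bind it as the service communications certificate (type name is NOT quoted, thumbprint is a string)
Set-ADFSCertificate -CertificateType Service-Communications -Thumbprint $Thumbprint

# 4. Restart IIS and the AD FS 2.0 Windows Service (service name adfssrv) to pick up the binding
iisreset | Out-Null
Restart-Service adfssrv -Force

# 5. Confirm ADFS now reports the new thumbprint
$bound = Get-ADFSCertificate -CertificateType Service-Communications
if ($bound.Thumbprint -ne $Thumbprint) { throw "ADFS still reports $($bound.Thumbprint)" }
"ADFS service communications certificate is now $Thumbprint"

# 6. Push the change to the Microsoft Federation Gateway and read the federation
#    properties back: both the ADFS server and Office 365 entries should agree
Connect-MsolService                                  # prompts for Global Admin credentials
Update-MsolFederatedDomain -DomainName $Domain
Get-MsolFederationProperty -DomainName $Domain | Format-List
```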

Preparing PCs for Use in Lync Online 365

Admins who must update their client PCs with the Lync 2010 client have asked how the existing BPOS Office Communications Online (OCO) registry settings will be managed, and whether they could cause connection problems with the Lync client. Because BPOS manually configures Outlook, Communicator and other applications, Communicator is hard-coded to point to BPOS OCO for connectivity.

Managing IM Client Connection Settings

  1. Use the O365 Desktop Setup tool, which deletes these manually configured BPOS OCO registry entries and sets the client to use automatic configuration.
    1. This option assumes the Lync AutoDiscover DNS records are in place.
  2. Don’t use the O365 Desktop Setup tool, and edit these registry keys manually to point to the O365 Lync Online servers.
    1. You would point the internal and external server to sipdir.online.lync.com:443

Maintaining Email Connectivity for BES Devices Over the BPOS Transition Weekend

Many BES users have asked how they can maintain email connectivity over the BPOS Transition Weekend, which moves BPOS tenants into Office 365. At some point during the weekend each user's mailbox moves out of BPOS and into Office 365, and when that happens the BES device's mail configuration will stop working, in the same way ActiveSync devices will. This is because the BPOS mailbox is no longer available and mobile devices cannot automatically pick up this move, so ActiveSync and BES users must reconfigure their devices to point to Exchange Online messaging services.

However, BES devices will typically use RIM's Onboarding Wizard, an automated approach that backs up the device, wipes it, restores content and configures the device for use in RIM's BlackBerry Business Cloud Services (BBCS). To learn more about RIM's Onboarding Wizard and how it should be used during your phone configuration for BBCS, see:

Office 365 Help & RIM's Web Desktop Manager: http://onlinehelp.microsoft.com/en-us/office365-enterprises/ff637599.aspx

To keep your BES device up and running with email over the Transition Weekend, you can use the steps below. Note that once your Office 365 user is created and activated in RIM's BBCS environment, your RIM user will be transitioned from the BlackBerry Internet Service (BIS) to full BBCS, so there is no need to reconfigure your device manually: you will use the Onboarding Wizard to backup, wipe, restore and reconfigure the device.

Steps to Use BlackBerry Internet Service (BIS) Over the Transition Weekend

  1. Make sure you have changed your BPOS password using either the Company Portal or the Sign-In Client (SIC)
  2. Once changed, attempt to log in to the Office 365 Portal to verify you can log in with your BPOS credentials and the newly changed password
    1. Log in to: https://portal.microsoftonline.com
      1. Username: BPOS account
      2. Password: Newly changed password
    2. Note the Outlook link at the top of the Microsoft Online Portal; click it to determine whether your mailbox is accessible within Office 365 yet
      1. During the Transition Weekend your mailbox (and others) will be moved from BPOS into Office 365. There is no way to know exactly when this will occur, so check the Microsoft Online Portal from time to time, starting around Saturday afternoon of your Transition Weekend. Once your mailbox is accessible via OWA, you can proceed with configuring your BES device to connect using RIM's BlackBerry Internet Service (BIS). BIS provides connectivity between your BES device and your Office 365 mailbox.
      2. Once your online administrator configures you for the BlackBerry Business Cloud Service (BBCS), your BIS device configuration can be left in place, as you will use RIM's Onboarding Wizard, which will backup, wipe, restore and reconfigure your phone.
      3. Once you are connected and logged in to your Office 365 mailbox via Outlook Web Access (OWA), proceed with the following steps.

Integrate a Microsoft® Outlook® Web Access Email Address Using the Email Setup Application from the BlackBerry® Smartphone:

  1. Open Email Settings on the BlackBerry smartphone (for BlackBerry Device Software 6.0 and higher, open Setup and choose Email Accounts)
  2. Click Set up Internet email account (not Enterprise email account). Any existing email accounts will remain active
  3. Choose Other from the list of options
  4. Enter the O365 Email Address and Email Password, then click Continue

Integrate a Microsoft Outlook Web Access Email Address Using the Web Login for BlackBerry Internet Service:

  1. Go to the wireless service provider’s BlackBerry Internet Service website and log in to the BlackBerry Internet Service account
  2. Click Set Up Email
  3. Complete the Email address and Email Password, and select Next
  4. Select Provide additional settings
  5. Select Microsoft Exchange (using Microsoft® Outlook Web Access), complete the required fields, and select Next

Additional Information

During advanced integration of a Microsoft Exchange Server 2010 account with BlackBerry Internet Service, any mailbox name can be typed in the Mailbox Name field and the account will associate successfully.

The Exchange Web Services (EWS) protocol introduced in Microsoft Exchange Server 2007 does not use the mailbox name. The EWS protocol uses the HTTP authenticated user. The BlackBerry Internet Service user interface does not currently differentiate between different versions of Outlook Web Access (OWA), so the Mailbox Name field is still displayed even though it is not used for Microsoft Exchange Server 2007 or Microsoft Exchange Server 2010 accounts.

BlackBerry Internet Service will still function correctly with Microsoft Exchange Server 2007 or Microsoft Exchange Server 2010 accounts, even if an incorrect mailbox name is used.