Friday 16 August 2013

Microsoft Office 365 Federation Metadata Update automation with ADFS Certificate Rollover

Hi, due to circumstances at home I have been away for a while.
But I am planning to resume blogging.
First of all I want to point out that anyone who is using AD FS with auto certificate rollover should use this script. It has been around for a while, but I noticed it is not well known among administrators.
So what does the script actually do?
Well, it creates a scheduled task which automates the update of the Microsoft Office 365 federation metadata. The federation metadata contains the token-signing and token-decrypting certificates, so Office 365 has to be updated every time one of those certificates changes.
When auto certificate rollover is enabled for AD FS, the AD FS service generates a new secondary certificate 20 days before the primary certificate expires. 5 days before expiration the primary and secondary certificates are swapped and the new certificate goes live. The time in between is called the grace period.
It is critical that the federation metadata in Office 365 is updated before the end of the grace period. If it is not, federated users lose access to all Office 365 services.
Source: http://technet.microsoft.com/nl-nl/library/jj933264.aspx#BKMK_GracePeriod
The script was created to prevent this: it automates the update so no manual intervention is needed when the certificates roll over.

The script can be downloaded from the Microsoft Gallery. Make sure you check the gallery on a regular basis, because it does get updated from time to time.
http://gallery.technet.microsoft.com/scriptcenter/Office-365-Federation-27410bdc
To execute this tool successfully:
  • You must have the latest version of the Microsoft Online Services Module for Windows PowerShell installed. You can download the module from http://onlinehelp.microsoft.com/en-us/office365-enterprises/ff652560.aspx
  • You need a functioning AD FS 2.0 Federation Service
  • You need access to Global Administrator credentials for your Office 365 tenant
  • At least one verified domain in the Office 365 tenant must be of type 'Federated'
  • The tool must be executed on a writable Federation Server
  • The currently logged-on user must be a member of the local Administrators group
What I recommend is to create a dedicated service account for the update task with a non-expiring password. In my case I created the svc_update_metadata account with a non-expiring password. This account had admin permissions within AD FS and local admin permissions on the AD FS server. Because the password never expires and the account is privileged on the federation server, give it a long random password and do not reuse it for anything else.
To create the scheduled task I logged on to the machine with the service account, because the task is created under the logged-on user.
After you download the tool onto your internal AD FS server, right-click it and unblock it. Otherwise you will get errors like "the script is not digitally signed. The script will not execute on the system."
Also, if you get the error "Failed MSOL credential validation.", you are running the script in the regular Windows PowerShell or in the AD FS PowerShell module. You need to run it in the "Microsoft Online Services Module for Windows PowerShell" window, which you find as a shortcut on the desktop:
[screenshot]
Run the installation script as follows:
[screenshot]

It is also recommended to use an Office 365 account with a non-expiring password for the MSOL credentials you enter. The script stores these credentials in the Windows credential vault, and they have to be updated there every time that password changes.
[screenshot]
Once the script is run there will be a scheduled task in the task scheduler.
[screenshot]
The schedule can be adjusted to your needs, but I (and Microsoft) recommend updating the metadata at least once a week.
A cool feature is that the script discovers all federated domains within your tenant and adds them to the update script every time it runs. It also adds the -SupportMultipleDomain switch when the command initially fails.
A logfile is written to the following folder:
[screenshot]
The logfile shows the result for each domain name discovered, for both the internal AD FS and Office 365.
In the results below the certificate has already been updated, so there is no "NextTokenSigningCertificate" in the internal AD FS output. Office 365 falls back to the "old" certificate, which is shown as its "NextTokenSigningCertificate".
Internal:
[screenshot]
Office 365:
[screenshot]
At the end it shows whether the update ran with or without the -SupportMultipleDomain switch and whether it succeeded.
[screenshot]
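If you want to see for yourself what the Gallery script checks on every run, the following is an added example of my own (it is not the Microsoft Gallery script and not from the TechNet article). It reads the rollover thresholds described above, compares the token-signing thumbprints AD FS advertises with what Office 365 has on record for every federated domain, and only calls Update-MsolFederatedDomain where they differ, falling back to -SupportMultipleDomain when the plain call fails. The paths C:\FederationMetadata\msol.cred.xml and C:\FederationMetadata\update.log are assumptions, as is the use of Export-Clixml/Import-Clixml instead of the credential vault the Gallery script uses; everything else uses cmdlets from the AD FS 2.0 snap-in and the MSOnline module.

```powershell
# Added example (my own check, not the Microsoft Gallery script): verify the
# AD FS auto-rollover settings described above, compare the token-signing
# certificates AD FS advertises with what Office 365 has on record for every
# federated domain, and call Update-MsolFederatedDomain only where they differ.
# Assumptions: run in the "Microsoft Online Services Module for Windows
# PowerShell" on a writable AD FS 2.0 server; $CredentialFile and $LogPath are
# assumed paths. Create the credential file once, logged on as the service
# account:  Get-Credential | Export-Clixml C:\FederationMetadata\msol.cred.xml
# (Export-Clixml protects the password with DPAPI, so only that account on that
# server can read it back; the Gallery script uses the Windows credential vault).
param(
    [string]$CredentialFile = 'C:\FederationMetadata\msol.cred.xml',
    [string]$LogPath        = 'C:\FederationMetadata\update.log'
)

function Write-Log([string]$Message) {
    $line = "{0:yyyy-MM-dd HH:mm:ss} {1}" -f (Get-Date), $Message
    Add-Content -Path $LogPath -Value $line
    Write-Host $line
}

Add-PSSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue
Import-Module MSOnline -ErrorAction Stop
Connect-MsolService -Credential (Import-Clixml -Path $CredentialFile)

# 1. Rollover settings; the 20-day generation and 5-day promotion thresholds
#    are the defaults the grace period above is based on.
$adfs = Get-ADFSProperties
Write-Log ("AutoCertificateRollover={0} GenerationThreshold={1}d PromotionThreshold={2}d" -f
    $adfs.AutoCertificateRollover, $adfs.CertificateGenerationThreshold, $adfs.CertificatePromotionThreshold)
if (-not $adfs.AutoCertificateRollover) {
    Write-Log 'WARNING: auto certificate rollover is disabled; nothing will roll over by itself.'
}

# 2. Thumbprints AD FS uses now (primary) and will switch to (secondary).
$adfsThumbprints = @(Get-ADFSCertificate -CertificateType Token-Signing |
    ForEach-Object { $_.Thumbprint.ToUpper() })
Write-Log "AD FS token-signing thumbprints: $($adfsThumbprints -join ', ')"

# 3. For each federated domain, read what Office 365 knows and update if needed.
$federated = @(Get-MsolDomain | Where-Object { $_.Authentication -eq 'Federated' })
if ($federated.Count -eq 0) { throw 'No federated domains found in the tenant.' }

foreach ($domain in $federated) {
    # Get-MsolFederationProperty returns one record per source ("ADFS Server" and
    # "Microsoft Office 365"); TokenSigningCertificate and NextTokenSigningCertificate
    # are assumed to be X509Certificate2 objects, as the Gallery script's log shows.
    $cloud = Get-MsolFederationProperty -DomainName $domain.Name |
        Where-Object { $_.Source -like '*Office 365*' }
    $cloudThumbprints = @(@($cloud.TokenSigningCertificate, $cloud.NextTokenSigningCertificate) |
        Where-Object { $_ -ne $null } | ForEach-Object { $_.Thumbprint.ToUpper() })

    $missing = @($adfsThumbprints | Where-Object { $cloudThumbprints -notcontains $_ })
    if ($missing.Count -eq 0) {
        Write-Log "$($domain.Name): Office 365 already has every AD FS token-signing certificate"
        continue
    }

    Write-Log "$($domain.Name): Office 365 lacks thumbprint(s) $($missing -join ', '); updating"
    try {
        Update-MsolFederatedDomain -DomainName $domain.Name -ErrorAction Stop
        Write-Log "$($domain.Name): updated without -SupportMultipleDomain"
    } catch {
        # A farm that serves more than one federated domain needs the switch;
        # retry with it, as the Gallery script does when the plain call fails.
        Update-MsolFederatedDomain -DomainName $domain.Name -SupportMultipleDomain -ErrorAction Stop
        Write-Log "$($domain.Name): updated with -SupportMultipleDomain"
    }
}
```

Schedule it under the same service account as the Gallery task; because the credential file is DPAPI-protected, it only decrypts for the account that exported it, on the server where it was exported, so a copied file is useless to anyone else.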
Hope this helps you automate certificate renewals in your single sign-on solution.

Wednesday 27 March 2013

What's new in the Lync 2013 mobile client

At the beginning of this month Microsoft released the new Lync 2013 mobile client.
The client is available for the following platforms:

[image: supported platforms]

The server backend must have the February 2013 (CU1) updates installed.
These can be downloaded at http://support.microsoft.com/kb/2809243

Below you will find a feature list for Lync 2013 mobile clients on different platforms.

[images: Lync 2013 mobile feature list per platform]

Below is my hands-on with the Lync 2013 client for iPhone.
The start screen and options menu.

[screenshots]

It is now possible to start audio/video calls over Wi-Fi or 3G.
The options menu has a setting to require Wi-Fi for audio/video calls.
I recommend enabling this to reduce bandwidth usage and cellular costs. You can also disable photos to reduce bandwidth usage.

The contact list and contact card.
From the card you can initiate chat, audio call, video call or email.

[screenshots]

When clicking the call button you can initiate a call.
When initiating a Lync call the client now dials the number or sets up a peer-to-peer session itself. With the Lync 2010 mobile client the server always called you back to set up the call.

[screenshots]

The chat and video calling functionality.

[screenshots]

Also new: when you are a member of a response group, response group calls also ring on your phone and you can pick them up on your mobile.
The keypad still looks the same.

[screenshots]

Voicemail is also available in the client, and you can delete a message or call back.

[screenshot]

Thursday 17 January 2013

Invalid column name MPResourceElementId in Operations Manager 2012 SP1

We have a three-server Operations Manager environment to monitor our customers.
Last week I started upgrading the servers to System Center 2012 SP1.

First I created backups of all the databases and VMs.
(OperationsManager, OperationsManagerDW, Reporting)

After that I started upgrading the first management server.
The upgrade of the first management server went OK; it upgraded the server and the Operations Manager databases. Great, everything was still working.

When upgrading the second server, setup showed me an error while upgrading the database.
Wait, wasn't that already upgraded? I restored the VM and started over, this time successfully.
After testing I realized it did not work as expected.

When viewing task status and alerts, the console started giving me all kinds of errors:
"Invalid column name ProgressValue" and "Invalid column name MPResourceElementId".

At the time of the install there was nothing to be found on the internet about this error,
so I restored the VMs and databases as I did not have time to troubleshoot.
Fortunately, now there is!

Yesterday J.C. Hornbeck posted the solution on the TechNet blogs.

A quote :

“As all the management servers share the same database, these changes only need to be made when installing the Service Pack on the very first server you install to. When you run the Service Pack 1 installation it communicates with the database to determine if this is the first installation, and then decides if it needs to run a SQL update script or not.

This means that you need to be patient with your installation and wait for the first management server to have Service Pack 1 installed before beginning the next installation. If you don’t then the SQL script will run again and issues may occur. It is very early on in the Service Pack installation process that the management server checks to see if the DB has already been upgraded, so do not be tempted to tee up your other management servers and run through the initial wizard while you wait for the first server to install because by then it will be too late.”

So I was a little impatient.

He also provides a solution if you were impatient like me.

To get this resolved, do the following:

“1. Stop all OpsMgr services that access the DB (the System Center Data Access Service, the System Center Management Service and the System Center Configuration Service on all Management Servers).

2. Run the following SQL commands:

USE OperationsManager;
IF EXISTS (SELECT * FROM sysindexes WHERE [name] = 'idx_StateDatabaseTimeModified' AND id = OBJECT_ID(N'[dbo].[State]'))
    DROP INDEX [idx_StateDatabaseTimeModified] ON [dbo].[State];

3. Next run the build_mom_db.sql script from the Service Pack Setup directory against the OperationsManager DB.

4. Finally, restart all of the OpsMgr services.”


The above solution is provided by J.C. Hornbeck, Knowledge Engineer @ Microsoft.

Source : http://blogs.technet.com/b/momteam/archive/2013/01/16/patience-is-a-virtue-with-the-system-center-2012-operations-manager-sp1-installation.aspx
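The lesson of the post is to confirm that the first management server has finished upgrading the database before starting setup on the next one. The script below is an added example of my own (it is not from the TechNet post) that does that check and, if the schema is incomplete, carries out step 1 of Hornbeck's fix and prints the SQL from step 2 for review. The server names SQL01\OPSMGR, OM01, OM02 and OM03 are placeholders; the two column names are the ones the console errors above named, looked up in every table because the post does not say which tables hold them; the service names OMSDK, HealthService and cshost are the Windows service names behind the three display names in step 1.

```powershell
# Added example (mine, not from the TechNet post): before you start SP1 setup on
# the next management server, or after an impatient double run like the one
# above, check whether the OperationsManager database already has the SP1
# schema. If it does not, carry out step 1 of the fix (stop the OpsMgr services
# on every management server) and print the SQL from step 2 for review.
# Assumptions: $SqlServer and $ManagementServers are placeholder names; the
# account running this can read the database and control services remotely;
# the two column names are the ones the console errors above named.
param(
    [string]$SqlServer = 'SQL01\OPSMGR',
    [string]$Database = 'OperationsManager',
    [string[]]$ManagementServers = @('OM01', 'OM02', 'OM03')
)

function Invoke-OpsMgrQuery([string]$Query) {
    # Runs a read-only query with integrated security and returns the rows.
    $cs = "Server=$SqlServer;Database=$Database;Integrated Security=SSPI"
    $conn = New-Object System.Data.SqlClient.SqlConnection -ArgumentList $cs
    $table = New-Object System.Data.DataTable
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $Query
        $adapter = New-Object System.Data.SqlClient.SqlDataAdapter -ArgumentList $cmd
        [void]$adapter.Fill($table)
    } finally {
        $conn.Close()
    }
    return $table.Select()
}

# Step 1 of the fix: stop Data Access (OMSDK), Management (HealthService) and
# Configuration (cshost) on every management server before touching the DB.
function Stop-OpsMgrServices([string[]]$Servers) {
    foreach ($server in $Servers) {
        foreach ($name in 'OMSDK', 'HealthService', 'cshost') {
            $svc = Get-Service -ComputerName $server -Name $name -ErrorAction SilentlyContinue
            if ($svc -and $svc.Status -ne 'Stopped') {
                $svc.Stop()
                $svc.WaitForStatus('Stopped', [TimeSpan]::FromMinutes(2))
                Write-Host "${server}: stopped $name"
            }
        }
    }
}

# The console errors name these columns, so if the SP1 script completed they
# exist; "Invalid column name" means they do not.
$columnQuery = @"
SELECT TABLE_SCHEMA, TABLE_NAME, COLUMN_NAME
FROM INFORMATION_SCHEMA.COLUMNS
WHERE COLUMN_NAME IN ('ProgressValue', 'MPResourceElementId')
"@
$found = @(Invoke-OpsMgrQuery $columnQuery | ForEach-Object { $_.COLUMN_NAME } | Sort-Object -Unique)
$sp1SchemaPresent = ($found -contains 'ProgressValue') -and ($found -contains 'MPResourceElementId')
$foundText = if ($found.Count -gt 0) { $found -join ', ' } else { 'none' }
Write-Host "SP1 columns found: $foundText"

# The index step 2 drops before build_mom_db.sql is run again.
$indexQuery = @"
SELECT name FROM sys.indexes
WHERE name = 'idx_StateDatabaseTimeModified' AND object_id = OBJECT_ID(N'[dbo].[State]')
"@
$indexPresent = @(Invoke-OpsMgrQuery $indexQuery).Count -gt 0
Write-Host "idx_StateDatabaseTimeModified on dbo.State: $indexPresent"

if ($sp1SchemaPresent) {
    Write-Host 'Database already carries the SP1 schema; install SP1 on the next management server now.'
    return
}

Write-Host 'SP1 schema incomplete: stopping OpsMgr services on all management servers (step 1).'
Stop-OpsMgrServices $ManagementServers

if ($indexPresent) {
    Write-Host "Step 2, run against ${Database}: DROP INDEX [idx_StateDatabaseTimeModified] ON [dbo].[State];"
}
Write-Host 'Step 3: run build_mom_db.sql from the Service Pack setup directory. Step 4: restart the services.'
```

Run it as an account with read access to the OperationsManager database; it never modifies the database itself, it only stops services and tells you which of Hornbeck's steps still apply.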