Posts

Featured Post

An untrusted certification authority was detected while processing the domain controller certificate used for authentication. Additional information may be available in the system event log. Please contact your administrator.

I was trying to log in with a smart card (Yubico in my case), but the server could not log me in and returned the error:

An untrusted certification authority was detected while processing the domain controller certificate used for authentication. Additional information may be available in the system event log. Please contact your administrator.

I checked the certificate store and the required certificates were in the store; in my case, the Root CA and Intermediate CA certificates. When I ran the command

certutil -viewstore -enterprise NTAuth

in an elevated PowerShell window, I got no certificates. Therefore, I exported the intermediate certificate from the store (certmgr.msc), put it in the C:\TEMP path and ran:

certutil -enterprise -addstore ntauth "C:\TEMP\intermediate.cer"

After that I was able to sign in with the smart card. Why the certificate was not propagated through the domain is still a mystery :)

Recent posts

Microsoft Azure Backup Server SMTP settings

If you are using Microsoft's Azure Backup server to back up your Exchange, you might want to use notifications if anything goes wrong with it. In the Options window, when you enter credentials for the sending account, it keeps failing to send the test e-mail, saying wrong username and password (error 2013). The problem is that this account needs to have local admin rights on the Azure Backup machine. Yeah, don't ask why.

Free/Busy missing - Cloud to On-Premises

We had a problem where M365 users could not retrieve Free/Busy information from the on-premises Exchange server. The hybrid setup was run and everything was working fine except this. After some research I found out that TargetSharingEpr is the setting to look at. There are many sites out there pointing to the same setting, but they only use Set-OrganizationRelationship to change the value. The problem is that this value is available in two commands:

Set-IntraOrganizationConnector
Set-OrganizationRelationship

While we changed the value in Set-OrganizationRelationship, it didn't work until we changed the value in Set-IntraOrganizationConnector too. By default it should work with just TargetAutodiscoverEpr, but for us it didn't. Finally we ran this command on the Intra Organization Connector, which is used from Cloud to On-prem:

Set-IntraOrganizationConnector -TargetSharingEpr https://mail.domain.com/ews/exchange.asmx

And it worked.

Microsoft Teams not showing Calendar if user has on-prem mailbox and no Exchange Online license

If you have a problem with Microsoft Teams not showing Calendar for users that have an on-prem mailbox, then you missed some of the steps in setting up the hybrid. To be honest, sometimes it is not very easy or clear what exactly you have to do. In my setup I am running Exchange 2019 on Windows Server 2019.

1. The first step is to run the Microsoft Office Hybrid Configuration Wizard. This step is necessary even if you ran AD Connect and selected Exchange Hybrid. Go through the Wizard and, when you finish, it will tell you that you need to configure OAuth manually, as it is not part of the Wizard (in year 2020).

2. Follow all the steps on https://docs.microsoft.com/en-us/exchange/configure-oauth-authentication-between-exchange-and-exchange-online-organizations-exchange-2013-help For me step 8 was not necessary, as I am running Exchange 2019.

After successful implementation of the OAuth connection, Calendar will be immediately available to Teams users. Test connection with: ON-PREM Ex

Netscaler vs Exchange 2019 "time out during ssl handshake stage"

If you are using Citrix Netscaler as a load balancer in front of an Exchange 2019 server, you must know this: Microsoft Exchange 2019 is secured by default and allows only TLS 1.2. Therefore the default schannel settings are as follows (using the IISCrypto tool from Nartac Software):

While Citrix Netscaler offers the following cipher suites:

TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_256_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_DSS_WITH_AES_256_CBC_SHA
TLS_DHE_DSS_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_DES_CBC_SHA
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
TLS_RSA_EXPORT_WITH_RC2_CBC_40_MD5
TLS_DHE_DSS_WITH_DES_CBC_SHA
TLS_DHE_DSS_EXPORT1024_WITH_DES_CBC_SHA
TLS_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
TLS_DHE_RSA_WITH_DES_CBC_SHA
TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
TLS_RSA_EXPORT1024_WITH_RC2_CBC_56_MD5
TLS_DH_anon_WITH_DES_CBC_SHA
TLS_DH_anon_WITH_AES_128_CBC_SHA
TLS_DH_anon_WITH_AES_256_CBC_SHA
TLS_DH_anon_EXPORT_WITH_DES40_CBC_SHA

Now, you will fi

Add DNS record to enable DKIM in O365

When you try to enable DKIM in O365, you get a yellow warning line saying you need to provide two DNS records. What you need to do is copy those two names from that yellow line and create CNAME records in external DNS:

Hostname: selector1._domainkey (THIS IS ALWAYS THE SAME FOR EVERY TENANT)
Points to address or value: **selector1-**._domainkey.YourTenantName.onmicrosoft.com (you paste the first of the copied values here)
TTL: 3600

Hostname: selector2._domainkey (THIS IS ALWAYS THE SAME FOR EVERY TENANT)
Points to address or value: **selector2-**._domainkey.YourTenantName.onmicrosoft.com (you paste the second of the copied values here)
TTL: 3600

In Windows DNS you would do: Which later looks like: