CRM 2013 and ADFS 2.2: Requested Authentication Method is not supported on the STS

Issue:


Event ID: 364

Encountered error during federation passive request.

Protocol Name:
wsfed

Exception details:
Microsoft.IdentityServer.Service.Policy.PolicyServer.Engine.InvalidAuthenticationTypePolicyException: MSIS7102: Requested Authentication Method is not supported on the STS.
at Microsoft.IdentityServer.Web.Authentication.GlobalAuthenticationPolicyEvaluator.EvaluatePolicy(IList`1 mappedRequestedAuthMethods, AccessLocation location, ProtocolContext context, HashSet`1 authMethodsInToken, Boolean& validAuthMethodsInToken)

Cause/Problem:

We could not find an official Microsoft article stating this, but I believe an AD FS server is not meant to be published directly on the Internet for security reasons; all external requests should go through the AD FS proxy (Web Application Proxy).

Note that ADFS Server and Web Application Proxy cannot be installed on the same host.

Resolution:

Install and configure Web Application Proxy.

ADFS and WAP Network Diagram

Make sure that all external HTTPS requests for sts.domain.com are forwarded to the Web Application Proxy (192.168.0.3) and not to the AD FS server.

Make sure the AD FS and WAP servers locally resolve sts.domain.com to the AD FS server (192.168.0.2). To do so, configure split DNS, point-to-point DNS, or manually add a hosts entry (recommended) on both the AD FS and WAP servers.
File: %SystemRoot%\System32\Drivers\etc\hosts

192.168.0.2 sts.domain.com

Connect to the AD FS server, open AD FS Management and create the CRM IFD relying party trust. Follow the Microsoft Dynamics CRM 2011 Configuring Claims-based Authentication article.

Try to access https://crm.domain.com externally.
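The hosts-file step above, as an added PowerShell check that is not part of the original post: it adds the entry only if it is missing, verifies that the local resolver now returns the AD FS server, and fetches the federation metadata over that name. It assumes the names and addresses from the diagram (sts.domain.com, 192.168.0.2) and an elevated prompt on the AD FS and WAP hosts.

```powershell
# Added example, not from the original post. Assumes sts.domain.com and 192.168.0.2 from the
# diagram above; run in an elevated PowerShell on the AD FS and WAP hosts.
$FedName   = 'sts.domain.com'
$AdfsIp    = '192.168.0.2'
$HostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'

# 1. Add the hosts entry only if an identical mapping is not already present (other lines stay intact)
$pattern = '^\s*' + [regex]::Escape($AdfsIp) + '\s+' + [regex]::Escape($FedName) + '(\s|$)'
$present = Get-Content -Path $HostsFile -ErrorAction Stop | Where-Object { $_ -match $pattern }
if (-not $present) {
    Add-Content -Path $HostsFile -Value "`r`n$AdfsIp`t$FedName"
    "Added $FedName -> $AdfsIp to $HostsFile"
}

# 2. Verify with the Windows resolver. System.Net.Dns honours the hosts file; nslookup does not,
#    so nslookup would still show the public (WAP) address here and is the wrong tool for this check.
$resolved = [System.Net.Dns]::GetHostAddresses($FedName) | ForEach-Object { $_.IPAddressToString }
if ($resolved -notcontains $AdfsIp) {
    throw "$FedName resolves to $($resolved -join ', ') on this host; expected $AdfsIp (AD FS server)"
}

# 3. Confirm the AD FS service answers on that name by fetching its federation metadata document.
#    If the STS certificate is not trusted on this host, Invoke-WebRequest fails here: fix trust first.
$metadataUrl = "https://$FedName/FederationMetadata/2007-06/FederationMetadata.xml"
$resp = Invoke-WebRequest -Uri $metadataUrl -UseBasicParsing -TimeoutSec 15
if ($resp.StatusCode -eq 200 -and $resp.Content -match 'EntityDescriptor') {
    "Federation metadata served for $FedName via $($resolved -join ', '): local resolution is correct"
}
```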

Drupal 7: Webform doesn’t send emails out via SMTP gateway

Issue:

Drupal 7 Webform could not send emails out via SMTP Gateway

Cause/Problem:

I have these modules enabled in my Drupal 7 site:

  • Mail System
  • Mime Mail
  • Smtp Authentication

I have configured Mail system to “format” mails with MIME Mail and “mail” with SMTP Authentication. This configuration is set as site-wide default class.

It works fine for the register user email, but when sending mail with Webforms it doesn’t use that configuration (it sends emails with a local SMTP).

How can I make webform take mail system configuration?

Resolution:

The problem is that by default Webform sends emails out via mail(). To fix it we have to assign an SMTP class to Webform. To do so, follow this step-by-step guide:

First verify that the three modules work:

  1. Try to send a test email via the SMTP module.
  2. Try to send an email via the HTML module (under HTML emails, top right corner, “Send Test”).

If both work, then a new class for Webform that communicates with SMTP needs to be set up:

Go to Mail System (admin/config/system/mailsystem)

Create new settings

Select “webform module” and click “save”

Under the new class select format() = HtmlMailSystem and under mail() select the SmtpMailSystem class.

Hit “save” again.

Now you should be able to see “Webform Module Class”; click on it and select HTMLMailSystem_SmtpMailSystem.

Once again hit save and that’s it.


CRM 2013: Cannot connect to Microsoft Dynamics CRM for Tablets

Issue:

You may receive the following error:

Apple iPad:

We’re sorry, Your server is not available or does not support this application

Windows 8.1 RT:

Windows Authentication window pops up.

Windows Authentication pop-up

Cause/Problem:

Incorrect permissions on the Web Application IIS server, the OAuth provider not being configured, and the client apps not being registered.

Resolution:

Make sure your certificate is trusted by the client device. If you’re using a self-signed certificate, install the root CA certificate on the device.

Test that your Internet-Facing Deployment works in a browser without certificate warnings. To be able to connect successfully to the CRM deployment, you will need to run a Repair of the Microsoft Dynamics CRM Server 2013 installation on the Web Application Server role, where the IIS service is installed. Open Programs and Features, select Microsoft Dynamics CRM Server 2013 and click Repair. Point it to the installation media and wait for the operation to finish.

Repair Microsoft Dynamics CRM

Configure the OAuth provider on Microsoft Dynamics CRM server

Start a PowerShell window and execute the following script:

Import-Module "C:\Program Files\Microsoft Dynamics CRM\Tools\Microsoft.Crm.PowerShell.dll"
$fedurl = Get-CrmSetting -SettingType ClaimsSettings   # read the current claims-based authentication settings
$fedurl.FederationProviderType = 1                      # switch the federation provider type so the OAuth provider is enabled
Set-CrmSetting $fedurl                                  # write the settings back to the deployment

Register the client apps

The mobile client apps for the Apple iPad and Windows 8 tablets and phone must be registered with AD FS.

Log on to the AD FS server and execute the following PowerShell script:

# Registers the CRM for tablets client (client ID published by Microsoft) with its redirect URIs:
# the ms-app:// URIs are the Windows Store app package identities, urn:ietf:wg:oauth:2.0:oob is the
# out-of-band redirect used by native clients
Add-AdfsClient -ClientId ce9f9f18-dd0c-473e-b9b2-47812435e20d `
-Name "Dynamics CRM Mobile Companion" `
-RedirectUri ms-app://s-1-15-2-2572088110-3042588940-2540752943-3284303419-1153817965-2476348055-1136196650/, ms-app://s-1-15-2-1485522525-4007745683-1678507804-3543888355-3439506781-4236676907-2823480090/, urn:ietf:wg:oauth:2.0:oob

Try to connect with your tablet again.

For more information, download the Microsoft Dynamics CRM 2013 Implementation Guide.

Windows Server: The service cannot be started, either because it is disabled or it has no enabled devices associated with it

Issue:

Win32: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it.
Windows could not start the <service> on Local Computer. Error 1068: The dependency service or group failed to start.

Cause/Problem:

IP Helper and VMware Tools services cannot be started.

Resolution:

Make sure the Windows Management Instrumentation service is started and has startup type Automatic. To do so, open Services (services.msc), find the Windows Management Instrumentation service, double-click it, change the startup type to Automatic and start it.
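Error 1068 means a dependency failed, so the quickest diagnosis is to walk the dependency chain of the failing service and list whatever is stopped or disabled. The following script is an added example, not part of the original post; it uses the service names IP Helper (iphlpsvc), VMware Tools (VMTools) and WMI (Winmgmt).

```powershell
# Added example, not from the original post. Walks the dependency chain of a service that fails with
# error 1068 and lists every dependency that is not running, with its configured start mode, so a
# disabled WMI service (Winmgmt) shows up instead of having to be guessed.
function Get-BrokenDependencies {
    param(
        [Parameter(Mandatory)][string]$ServiceName,
        [hashtable]$Seen = @{}            # visited services, to avoid loops in the dependency graph
    )
    $svc = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    if (-not $svc) { return }            # e.g. VMTools on a physical machine
    foreach ($dep in $svc.ServicesDependedOn) {
        if ($Seen.ContainsKey($dep.Name)) { continue }
        $Seen[$dep.Name] = $true
        if ($dep.Status -ne 'Running') {
            # Win32_Service exposes the configured start mode (Auto / Manual / Disabled)
            $cfg = Get-CimInstance -ClassName Win32_Service -Filter "Name='$($dep.Name)'"
            [pscustomobject]@{
                RequiredBy = $svc.Name
                Service    = $dep.Name
                Status     = $dep.Status
                StartMode  = $cfg.StartMode
            }
        }
        # the dependency may itself be waiting on something further down the chain
        Get-BrokenDependencies -ServiceName $dep.Name -Seen $Seen
    }
}

# IP Helper (iphlpsvc) and VMware Tools (VMTools) are the two services from the post
$broken = 'iphlpsvc', 'VMTools' | ForEach-Object { Get-BrokenDependencies -ServiceName $_ }
$broken | Format-Table -AutoSize

# Apply the fix from the post when WMI is the culprit, then retry the original service
if ($broken | Where-Object { $_.Service -eq 'Winmgmt' }) {
    Set-Service -Name Winmgmt -StartupType Automatic
    Start-Service -Name Winmgmt
    Start-Service -Name iphlpsvc
}
```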

IIS 7+: HTTP Error 403.13 – Forbidden: Your client certificate was revoked, or the revocation status could not be determined

Issue:

HTTP Error 403.13 – Forbidden

Your client certificate was revoked, or the revocation status could not be determined.

If your web server cannot contact the certificate revocation list (CRL) server, or your certificate was revoked, you will receive error 403.13.

Cause/Problem:

N/A

Resolution:

Make sure your revocation list is accessible from the web server via LDAP or HTTP, or, as a last resort, disable revocation checks. Note that the registry change below turns off client certificate revocation checking for that SSL binding entirely, so a revoked client certificate will no longer be rejected; making the CRL reachable is the better fix.

Open Registry Editor and navigate to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\SslBindingInfo\<SSL Binding>

Add a DWORD value named DefaultSslCertCheckMode with value 1.

Restart your server.
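Before disabling revocation checking, it is worth confirming which CRL distribution points the web server actually has to reach and whether it can. The script below is an added example, not part of the original post; it assumes $Thumbprint is the thumbprint of the CA that issued the client certificates (a placeholder to replace) and finishes by reading the current DefaultSslCertCheckMode of every HTTP.sys SSL binding.

```powershell
# Added example, not from the original post. Lists the CRL Distribution Points of a CA certificate,
# tests that this web server can fetch each HTTP one, then shows the current revocation check mode
# per SSL binding. $Thumbprint is a placeholder: put the issuing CA's thumbprint here.
$Thumbprint = 'PLACEHOLDER_CA_THUMBPRINT'

$cert = Get-ChildItem -Path Cert:\LocalMachine\CA, Cert:\LocalMachine\Root, Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $Thumbprint } | Select-Object -First 1
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in the machine stores" }

# OID 2.5.29.31 is the CRL Distribution Points extension; Format($true) renders it as text
$cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if (-not $cdp) { throw "$($cert.Subject) has no CRL Distribution Points extension" }
$urls = [regex]::Matches($cdp.Format($true), '(https?|ldap)://[^\s]+') | ForEach-Object { $_.Value }

foreach ($url in $urls) {
    if ($url -notlike 'http*') {
        Write-Host "SKIP  $url  (LDAP CDP: needs domain connectivity; test with certutil -URL)"
        continue
    }
    try {
        $r = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 10
        # a reachable CDP returns a DER-encoded CRL, which always starts with a SEQUENCE tag (0x30)
        $bytes = $r.Content
        $ok = ($r.StatusCode -eq 200) -and ($bytes.Length -gt 0) -and ([int]$bytes[0] -eq 0x30)
        Write-Host ("{0}  {1}  ({2} bytes)" -f $(if ($ok) { 'OK  ' } else { 'BAD ' }), $url, $bytes.Length)
    } catch {
        Write-Host "FAIL  $url  $($_.Exception.Message)"
    }
}

# Current revocation check mode per HTTP.sys SSL binding (1 = revocation checking disabled)
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters\SslBindingInfo' |
    ForEach-Object {
        [pscustomobject]@{
            Binding                 = $_.PSChildName
            DefaultSslCertCheckMode = (Get-ItemProperty -Path $_.PSPath).DefaultSslCertCheckMode
        }
    }
```

A FAIL line for an HTTP distribution point is the reachability problem 403.13 reports; a binding that lists DefaultSslCertCheckMode 1 is one on which the workaround from the post is already in place.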

Exchange Server 2013: 404 – File or directory not found

Issue:

404 – File or directory not found.

The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.

I have two Exchange 2013 servers: one acts as a Client Access Server (CAS) and the other as a Database Availability Group (DAG). I had been configuring multiple OWA virtual directories using PowerShell, adding and removing virtual sites, when suddenly the above error occurred.

The meaning of the error is actually very clear: something is missing, something got deleted. I could see the OWA virtual directory was there, but somehow I couldn’t open the OWA interface from anywhere. What is going on!? Maybe .NET doesn’t parse the code? The application pool doesn’t have sufficient permissions? I tried resetting the virtual directory; it didn’t solve the problem, nor did reinstalling the Exchange CAS server. Hm… Let’s take a step back; maybe there are no issues on the CAS server.

There weren’t! After deep digging with Firebug I discovered that the DAG server also contains virtual directories. When I opened the IIS console I could see the OWA virtual directory was missing under the “Exchange Back End” site.

404 File or directory not found

Cause/Problem:

N/A

Resolution:

New-OwaVirtualDirectory -WebSiteName "Exchange Back End" -Server <DAG>

This PowerShell command solved the problem.

SharePoint 2013: Keeps asking for credentials

Issue:

SharePoint keeps asking for credentials when accessing the site with its public IP address. After many attempts IIS returns HTTP 401.1 – Unauthorized: Logon Failed.

Event ID: 6037
The program w3wp.exe, with the assigned process ID 8260, could not authenticate locally by using the target name HTTP/portal.celoxgroup.com.au. The target name used is not valid. A target name should refer to one of the local computer names, for example, the DNS host name.

Try a different target name.

Cause/Problem:

This problem occurs when an IIS website uses Windows Integrated authentication and has a host header mapped to the local IP address. This is by security design, to help prevent attacks on the server, and authentication fails if the FQDN does not match the local computer name.

Resolution:

Add the host headers to the BackConnectionHostNames registry value to allow the specific FQDNs:

  • Open Registry Editor and navigate to HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
  • Add a new Multi-String Value and name it BackConnectionHostNames
  • In the Value data box, type every host name hosted on the local server, one per line
  • Restart IIS

More information in Microsoft KB article 896861.
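The same change scripted, as an added example that is not part of the original post: it merges the new host headers into BackConnectionHostNames without dropping names that are already there (a common mistake when the value is overwritten by hand). It assumes $Wanted lists this server's own host headers, using portal.celoxgroup.com.au from the event above, and an elevated prompt.

```powershell
# Added example, not from the original post. Adds host headers to BackConnectionHostNames while
# keeping names already present. $Wanted is an assumption: this server's own host headers.
$Key    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$Name   = 'BackConnectionHostNames'
$Wanted = @('portal.celoxgroup.com.au')

# Read the current REG_MULTI_SZ (the value does not exist on a fresh server)
$existing = @()
$prop = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
if ($prop) { $existing = @($prop.$Name) }

# Merge, normalise and de-duplicate; REG_MULTI_SZ must stay a string array even with one entry
$merged = [string[]]@(($existing + $Wanted) |
    ForEach-Object { $_.Trim().ToLowerInvariant() } |
    Where-Object { $_ } |
    Select-Object -Unique)

if ($prop) {
    Set-ItemProperty -Path $Key -Name $Name -Value $merged -Type MultiString
} else {
    New-ItemProperty -Path $Key -Name $Name -Value $merged -PropertyType MultiString | Out-Null
}
"$Name now contains: $($merged -join ', ')"

# Restart IIS as the post says, then check whether Event ID 6037 keeps appearing in the System log
# for the names just added (it should not).
iisreset /noforce
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 6037 } -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```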

Moodle 2.X bulk suspend users userbulksuspend

Issue:

This is not best practice, so please use it as a quick fix to build your own bulk suspend operation under “Bulk user actions”.

We need to modify a few files:

  • lang/en/moodle.php
  • admin/user/user_bulk.php
  • admin/user/user_bulk_forms.php

and create a new custom file called “user_bulk_suspend.php”.

Cause/Problem:

N/A

Resolution:

  • Add a drop-down item “Suspend users”

First things first: admin/user/user_bulk.php holds the “Bulk user actions” page, where you can find the drop-down menu with functions like confirm, send a message, delete… To add a new drop-down item we need to modify the “user_bulk.php” file.

Add a new case after case 8:

case 9:
    redirect($CFG->wwwroot.'/'.$CFG->admin.'/user/user_bulk_suspend.php');

  • Rename the ugly [[suspend]] item to a friendly name such as “Suspend users”

You should now see a new drop-down item shown as “[[suspend]]”. To rename it to, let’s say, “Suspend users”, we need to modify the second file, “lang/en/moodle.php”, which holds all messages. Add these lines (the second string is the confirmation text that user_bulk_suspend.php asks for; without it the confirmation page shows [[suspendcheckfull]]):

$string['suspend'] = 'Suspend users';
$string['suspendcheckfull'] = 'Are you absolutely sure you want to suspend {$a} ?';

  • Add the logic to the drop-down menu

Place this code under “class user_bulk_action_form” in “user_bulk_forms.php”:

if (has_capability('moodle/user:update', $syscontext)) {
    $actions[9] = get_string('suspend');
}

  • And the grand finale: let’s add our custom bulk operation

Create a new file called user_bulk_suspend.php and place this code into it:
<?php
/**
 * Script for bulk user suspend operations.
 * Custom module created by Celox Group www.celoxgroup.com.au
 */

require_once('../../config.php');
require_once($CFG->libdir.'/adminlib.php');

$confirm = optional_param('confirm', 0, PARAM_BOOL);

require_login();
admin_externalpage_setup('userbulk');
// Only users allowed to update accounts may suspend them.
require_capability('moodle/user:update', get_context_instance(CONTEXT_SYSTEM));

$return = $CFG->wwwroot.'/'.$CFG->admin.'/user/user_bulk.php';

// The selected users are kept in the session by user_bulk.php.
if (empty($SESSION->bulk_users)) {
    redirect($return);
}

echo $OUTPUT->header();

if ($confirm and confirm_sesskey()) {

    list($in, $params) = $DB->get_in_or_equal($SESSION->bulk_users);
    $rs = $DB->get_recordset_select('user', "id $in", $params);
    foreach ($rs as $user) {
        // Never suspend site admins, yourself, or users who are already suspended.
        if (!is_siteadmin($user) and $USER->id != $user->id and $user->suspended != 1) {
            $user->suspended = 1;
            $user->timemodified = time();
            $DB->set_field('user', 'suspended', $user->suspended, array('id'=>$user->id));
            $DB->set_field('user', 'timemodified', $user->timemodified, array('id'=>$user->id));
            session_kill_user($user->id); // log the suspended user out of all sessions
            events_trigger('user_updated', $user);
        } else {
            // Reuses the core "Could not delete {$a}" string to report the skipped accounts.
            echo $OUTPUT->notification(get_string('deletednot', '', fullname($user, true)));
        }
    }
    $rs->close();
    session_gc(); // remove stale sessions
    redirect($return, get_string('changessaved'));

} else {
    list($in, $params) = $DB->get_in_or_equal($SESSION->bulk_users);
    $userlist = $DB->get_records_select_menu('user', "id $in", $params, 'fullname', 'id,'.$DB->sql_fullname().' AS fullname');
    $usernames = implode(', ', $userlist);
    echo $OUTPUT->heading(get_string('confirmation', 'admin'));
    $formcontinue = new single_button(new moodle_url('user_bulk_suspend.php', array('confirm' => 1)), get_string('yes'));
    $formcancel = new single_button(new moodle_url('user_bulk.php'), get_string('no'), 'get');
    echo $OUTPUT->confirm(get_string('suspendcheckfull', '', $usernames), $formcontinue, $formcancel);
}

echo $OUTPUT->footer();

Now you should be able to perform the bulk suspend action.

Exchange 2013: Error – Exception has been thrown by the target of an invocation.

Issue:

Exchange 2013 CU2 Error

Cause/Problem:

This error occurs when you try to install Microsoft Exchange Server 2013 Cumulative Update 2. In the ExchangeSetup log you can find the following:

[08.15.2013 11:51:07.0535] [0] [ERROR] Exception has been thrown by the target of an invocation.
[08.15.2013 11:51:07.0535] [0] [ERROR] The type initializer for 'Microsoft.Exchange.Data.Directory.Globals' threw an exception.
[08.15.2013 11:51:07.0535] [0] [ERROR] The service cannot be started, either because it is disabled or because it has no enabled devices associated with it. (Exception from HRESULT: 0x80070422)

Resolution:

That’s right: Exchange Setup for some reason disables all Microsoft Exchange services, which results in this error if you launch Setup again. Start the Exchange services and run Setup again.

Make sure as well that the Windows Management Instrumentation and IP Helper services are started and have startup type Automatic.