Sep 23 2016
 

There are quite a few of us who started off deploying Small Business Server (SBS 2008, SBS 2011) environments back in the day, loving the handy all-in-one package that took care of everything from Active Directory and Exchange to disaster recovery and business continuity. However, some of these old environments are starting to catch up with us. I wanted to open a discussion on a big issue I had a couple of years ago in one of my first migrations from SBS 2008 to Windows Server 2012 R2 with the Essentials Experience role installed, with Exchange Server 2013.

As most of you know, SBS comes packaged to push “.local” domains on initial domain configuration. This used to be considered best practice, and most of us even configured .local’s on non-SBS environments. This has never really posed any problems for us I.T. guys, except for a few configuration considerations when setting up Outlook clients, DNS, etc…

Now if you’re like me, another thing I always configured was user accounts whose usernames didn’t match their e-mail addresses. An example would be “John Doe”, with the username “JohnD” and the e-mail address “John@contoso.com”. Our buddy John Doe would also have an AD UPN of JohnD@internaldomain.local (this was automatically populated on user setup).

User’s Name: John Doe

SAM Account Name: INTERNALDOMAIN\JohnD

Username: JohnD

AD UPN: JohnD@internaldomain.local

E-mail Address: John@contoso.com

 

I always liked this as it provided some protection if the user’s password ever got compromised (in a phishing attack, fake e-mail logon page, etc…), as the password could not actually authenticate when the e-mail address was used as the username (the username was never actually provided in the attack, only the e-mail address).

Now let’s flash forward to this migration from SBS 2008 to Windows Server 2012 R2 with Essentials Experience, and throw Exchange 2013 into the mix. Right off the bat, everything is working fine: Outlook 2010 is working great, Outlook 2013 is working great. Then BAM, Outlook 2016 comes out!

Outlook 2016 does not allow manual or custom configuration of Exchange accounts. They do this for “reliability” and ease of configuration. This means that you HAVE to have autodiscover setup, and working fluidly. No more manual configuration. Internally inside of the LAN this is all automatic if you configured Exchange properly, but you will have to configure autodiscover externally.

Internally on the LAN, Outlook 2016 clients have absolutely no issues, and authentication is working fine (no password prompts). However, when configuring external users, while you can eventually get it configured, the user is constantly prompted for credentials on every Outlook start.

On these password prompts, you’ll notice it’s authenticating for the user’s e-mail address. In this example, it asks for “John@contoso.com”; you enter “INTERNALDOMAIN\JohnD” and the password, it works for the session, but it keeps prompting on every fresh Outlook start.

I did massive amounts of research, and seriously, I could not come across one article that actually provided all the information I needed; it almost seemed as if this problem was specific to this single environment. Of course, this made me think I had something configured incorrectly, and I literally spent forever searching for information, checking the virtual directories on my Exchange server, checking logs, wasting tons and tons of time.

Finally after checking my configurations 6-10 times each and spending weeks, I realized it had nothing to do with anything configured incorrectly.

Outlook 2016 does all the configuration automatically, and expects to find everything it needs via autodiscover. Put simply, the user’s UPN must match their e-mail address.

This means we have to change John Doe’s Active Directory UPN to match his e-mail address. The SAMAccountName still remains the same, so his login to his computer will not change, however after the change he will now be able to log in both with INTERNALDOMAIN\JohnD and John@contoso.com.

First we have to add the UPN suffix (which is the actual e-mail address domain name) to the Active Directory Domain and Trusts. Instructions are available here: https://support.microsoft.com/en-us/kb/243629

After adding your e-mail domain to the UPN suffix list, when you go into “Active Directory Users and Computers” and view a user’s properties, you’ll notice that in the UPN section you can drop it down and change it from internaldomain.local to contoso.com (using my example domains). You can also change the username portion of the UPN.

 

Essentially for Johny boy, his AD properties window now looks like:

User Logon Name:

John@contoso.com (we changed the name, and chose the external domain in the drop down to the right)

User logon name (pre-Windows 2000):

INTERNALDOMAIN\JohnD (we left this the way it was)

 

John can now log in using either “INTERNALDOMAIN\JohnD” or “John@contoso.com”. As far as John is concerned we haven’t changed anything; he still logs in using the same format he always has, totally unaware of any changes.

Surprise surprise, autodiscover is now fully functioning for this user. Not only for easy configuration on mobile devices (iPhones, Windows Phones, etc…), but he can now load up Outlook 2016 away from the LAN on the Internet, type in his e-mail address, password, and BAM he’s good to go!

I am a little bit unsettled in the fact that the e-mail address now becomes a fully accepted username on the domain (for security reasons), but I guess we’re stuck with that!

 

In short, our problem is:

  1. Username doesn’t match e-mail (JohnD username, John@contoso.com email)
  2. Running Outlook 2016 and forced to use auto-discover, repeated password prompts
  3. Running .local domain internally, while using different domain externally

In Short, to fix this:

  1. Add UPN Suffix to Active Directory
  2. Change the user’s properties so that the UPN matches the e-mail address. DO NOT CHANGE the old DOMAIN\Username (pre-Windows 2000 logon name) setting.

Other Considerations:

  1. Password prompts on Outlook clients can mean a whole bunch of different problems totally unrelated to this configuration and issue. Always fully diagnose and confirm the issue before applying fixes. Password prompts can mean authentication problems, problems with Exchange’s virtual directories, issues with autodiscover, issues with certificate configuration, etc…
  2. If this is your specific issue, you can write a script to run through and update the UPNs on all the accounts. I generally don’t like scripts touching user accounts, so I’m slowly rolling out these changes per user when upgrading them to Outlook 2016. Doing this one by one as we upgrade allows us to make sure that none of their mobile devices are affected by the UPN change.
  3. Since we are changing UPNs, this could have a major effect on any 3rd party applications that integrate with Active Directory that use UPNs. Always test, and make sure you don’t break any integration points to your 3rd party applications or line of business systems.
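As an added example (not code from the original post), the PowerShell script below covers both the two-step fix above and the scripted or per-user rollout discussed in consideration 2: it registers the e-mail domain as a UPN suffix, reports every user whose UPN differs from their primary SMTP address, and changes only the UPN, never the pre-Windows 2000 logon name (sAMAccountName). It assumes the RSAT ActiveDirectory module and rights to edit the forest UPN suffix list and user objects; the domains are the post’s example domains, and the parameter names, the domain-root search base and the script file name are assumptions.

```powershell
<#
  Align-Upn.ps1 (hypothetical name) - added example, not from the original post.
  Default mode is report-only; -Apply makes changes; -WhatIf shows what -Apply would do.
  Assumes: RSAT ActiveDirectory module; rights on the forest and on the user objects.
#>
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$EmailDomain = 'contoso.com',                 # the post's external e-mail domain
    [string]$SearchBase  = 'DC=internaldomain,DC=local',  # assumed: whole .local domain; narrow to an OU if wanted
    [string[]]$SamAccountName,                            # optional: limit to specific accounts (per-user rollout)
    [switch]$Apply                                        # without it, nothing is modified
)

Import-Module ActiveDirectory

# Step 1: the e-mail domain must exist as a UPN suffix on the forest before any user can use it.
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $EmailDomain) {
    if ($Apply -and $PSCmdlet.ShouldProcess($forest.Name, "Add UPN suffix $EmailDomain")) {
        Set-ADForest -Identity $forest -UPNSuffixes @{ Add = $EmailDomain }
    } else {
        Write-Host "[report] UPN suffix $EmailDomain is not registered on forest $($forest.Name)"
    }
}

# Step 2: collect enabled users whose UPN does not match their primary SMTP address.
# The primary SMTP address is the proxyAddresses entry with an upper-case 'SMTP:' prefix;
# the 'mail' attribute is used as a fallback when proxyAddresses is not populated.
$users = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
            -Properties proxyAddresses, mail, userPrincipalName, sAMAccountName

if ($SamAccountName) {
    $users = $users | Where-Object { $SamAccountName -contains $_.SamAccountName }
}

$changes = foreach ($u in $users) {
    $primary = $u.proxyAddresses | Where-Object { $_ -clike 'SMTP:*' } | Select-Object -First 1
    if ($primary) { $primary = $primary.Substring(5) } else { $primary = $u.mail }

    if (-not $primary)                          { continue }   # no mailbox address on the account
    if ($primary -notlike "*@$EmailDomain")     { continue }   # address belongs to another domain
    if ($u.UserPrincipalName -eq $primary)      { continue }   # already aligned

    [pscustomobject]@{
        SamAccountName = $u.SamAccountName      # reported only; deliberately never modified
        OldUPN         = $u.UserPrincipalName
        NewUPN         = $primary
        DN             = $u.DistinguishedName
    }
}

$changes | Format-Table SamAccountName, OldUPN, NewUPN -AutoSize

# Step 3: change the UPN only, one account at a time, and only when -Apply was given.
if ($Apply) {
    foreach ($c in $changes) {
        if ($PSCmdlet.ShouldProcess($c.SamAccountName, "Set UPN $($c.OldUPN) -> $($c.NewUPN)")) {
            Set-ADUser -Identity $c.DN -UserPrincipalName $c.NewUPN
        }
    }
} else {
    Write-Host "Report only. Re-run with -Apply to change $(@($changes).Count) account(s)."
}
```

Run it with no switches first to get the report that consideration 1 asks for before any fix is applied; `-SamAccountName JohnD -Apply` changes a single user as that user is moved to Outlook 2016, and `-Apply -WhatIf` previews the full batch. Only `userPrincipalName` is written, so the `INTERNALDOMAIN\JohnD` logon keeps working exactly as before; the report output is also a convenient list of accounts to check against the third-party integrations mentioned in consideration 3.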

 

Feb 27 2016
 

I was one of the lucky few who were able to pre-order a Microsoft Lumia 950XL when orders were first available. I received it late 2015, and absolutely love it. I’ve been a Microsoft Insider (on the Fast Insider Build track), and I’ve been keeping up to date with testing new firmware, software, etc…

Today, I’m writing to talk about a new platform called “Continuum”. Microsoft developed this as part of the Windows 10 landscape for mobile devices. To describe Continuum in one simple short sentence: Continuum provides a desktop like Windows experience with your phone.

No, the desktop experience does not render on the phone screen itself, but when connecting to a Microsoft Display Dock or a Miracast wireless projection device, Continuum provides you with a full screen “Windows-like” environment where you can run Windows 10 universal apps, Microsoft Outlook, Word, PowerPoint, etc…

Desktop and Start Menu on Continuum


This essentially turns your phone into a fully functional computer, allowing you to connect peripherals such as keyboards, mice, USB drives, printers, the list goes on… This is the ultimate tool for the road warrior: you can hook up to any display (or TV), keyboard and mouse (or use the phone screen as a track pad), and edit Word documents on the fly, surf the internet with a full screen browser, or Remote Desktop (RDP) into your corporate computer. Another awesome capability is to use the Microsoft Wireless Display Adapter on a projector to wirelessly stream PowerPoint presentations from your phone to the projector.

Word New Document on Continuum

 

Word on Continuum


 

Excel on Continuum


 

Now here is where things get interesting! I always hear about new technologies, and while most are gimmicks, I find that Continuum is something that can very much be used regularly in real world scenarios, benefiting those who use it.

For most corporate mobile users, they often rely on their mobile laptops to check e-mail (Outlook) and work on documents (Word, Excel), while most of their other work is actually performed through Remote Desktop, Remote Desktop Services, some other terminal services based remote access solution, or even PCoIP access to virtualized desktops. These remote solutions enable access to a company’s LoB (Line of Business) applications, which could be for sales, inventory management, CRM, ERP, SAP, you name it!

In order to access a Terminal Services Server (Remote Desktop Server), or a Virtualized Desktop, you need a basic device that can connect to these services.

Here comes Continuum to save the day. No longer is a laptop required, or the licensing that comes along with it. You now have the entire Microsoft Office suite, an LTE hotspot, VPN client, and a fully functional Remote desktop client in your pocket that you can access anytime.

Server list on Continuum


Active RDP session using Continuum


I loaded up the “Remote Desktop (Preview)” app on my phone to test it out. Right now we are using the Preview as it fully supports Windows 10 for mobile both on the phone display, and inside of Continuum. I’m able to connect to my corporate VPN remotely (using the phone’s VPN client), and initialize a Remote Desktop connection to my work computer. I am now completely using my work computer remotely, using any application, and even routing sounds back to my display on Continuum. The uses for this are endless.

I have to say I’m very impressed. With this technology just being released, it performs surprisingly well. Believe it or not, I’m actually writing this blog post using Microsoft Edge on Continuum using my Microsoft Lumia 950XL. All while the phone is still available and can be used separately, as long as the Continuum link remains open.

I think there are going to be some interesting times ahead, and I’m hoping that companies like VMware develop a VMware View client for Windows 10, as Continuum could be a perfect PCoIP client for a virtualized desktop.

I’ve attached some extra screenshots below, and a few links providing information on Microsoft Continuum and the Microsoft Lumia 950XL running Windows 10 for Mobile.

 

Screenshots of actual use:

 

Pictures of Devices:

 

Informational Links:

Continuum
https://www.microsoft.com/en-ca/windows/Continuum

Microsoft, on Continuum for phone
http://windows.microsoft.com/en-ca/windows-10/getstarted-continuum-mobile

Microsoft Lumia 950 XL
https://www.microsoft.com/en/mobile/phone/lumia950-xl-dual-sim/

Microsoft Display Dock
https://www.microsoft.com/en/mobile/accessory/hd-500/

Microsoft Wireless Display Adapter
https://www.microsoft.com/hardware/en-ca/p/wireless-display-adapter

Windows Continuum for Phones (Provided by Youtube: Windows)