
26 April 2023

Set-FederationTrust - "Unable to connect to the remote server"

Below are all the steps required to renew the "Exchange Delegation Federation" certificate.

If you follow the steps in the "Learn" document at https://learn.microsoft.com/en-us/exchange/renew-the-federation-certificate-exchange-2013-help everything should work fine. But if you still use a proxy, you could see this:

This is the part where I was trying to get the certificate activated but wasn't allowed through the proxy:

Welcome to the Exchange Management Shell!

Full list of cmdlets: Get-Command
Only Exchange cmdlets: Get-ExCommand
Cmdlets that match a specific string: Help *<string>*
Get general help: Help
Get help for a cmdlet: Help <cmdlet name> or <cmdlet name> -?
Exchange team blog: Get-ExBlog
Show full output for a command: <command> | Format-List

Show quick reference guide: QuickRef
VERBOSE: Connecting to sr-xxxxx.domain.lan.
VERBOSE: Connected to sr-xxxxx.domain.lan.
[PS] C:\windows\system32>Set-FederationTrust -Identity "Microsoft Federation Gateway" -Thumbprint CE7AB8B6603427556C825A1122E270E74F7B177A -RefreshMetaData
Unable to access the Federation Metadata document from the federation partner. Detailed information: "Unable to connect to the remote server".
    + CategoryInfo          : MetadataError: (:) [Set-FederationTrust], FederationMetadataException
    + FullyQualifiedErrorId : [Server=sr-xxxxx,RequestId=a22a6478-3923-408c-88f2-a54aa5db0f70,TimeStamp=25-4-2023 13:44:24] [FailureCategory=Cmdlet-FederationMetadataException] 67AB8D6B,Microsoft.Exchange
   .Management.SystemConfigurationTasks.SetFederationTrust
    + PSComputerName        : sr-xxxxx.domain.lan

[PS] C:\windows\system32>netsh winhttp show proxy

Current WinHTTP proxy settings:

    Direct access (no proxy server).

[PS] C:\windows\system32>
[PS] C:\windows\system32>netsh winhttp show proxy

Current WinHTTP proxy settings:

    Direct access (no proxy server).

[PS] C:\windows\system32>netsh winhttp import proxy source=ie

Current WinHTTP proxy settings:

    Proxy Server(s) :  proxy.domain.lan:8080
    Bypass List     :  10.*;*.domain.lan;<local>

[PS] C:\windows\system32>Set-FederationTrust -Identity "Microsoft Federation Gateway" -Thumbprint xxxxxxB6603427556Cxxxx1122E270E74Fxxxxxx -RefreshMetaData
Unable to access the Federation Metadata document from the federation partner. Detailed information: "Unable to connect to the remote server".
    + CategoryInfo          : MetadataError: (:) [Set-FederationTrust], FederationMetadataException
    + FullyQualifiedErrorId : [Server=sr-xxxxx,RequestId=c55ed676-399a-46ca-adca-13c851055ff4,TimeStamp=25-4-2023 15:13:47] [FailureCategory=Cmdlet-FederationMetadataException] 67AB8D6B,Microsoft.Exchange
   .Management.SystemConfigurationTasks.SetFederationTrust
    + PSComputerName        : sr-xxxxx.domain.lan

[PS] C:\windows\system32>Get-ExchangeServer -Identity sr-xxxxx | select *proxy*

InternetWebProxy InternetWebProxyBypassList
---------------- --------------------------



[PS] C:\windows\system32>Set-ExchangeServer -Identity sr-xxxxx -InternetWebProxy http://1.1.1.1:8080
[PS] C:\windows\system32>Get-ExchangeServer -Identity sr-xxxxx | select *proxy*

InternetWebProxy           InternetWebProxyBypassList
----------------           --------------------------
http://1.1.1.1:8080/


[PS] C:\windows\system32>Set-FederationTrust -Identity "Microsoft Federation Gateway" -Thumbprint xxxxxxB6603427556Cxxxx1122E270E74Fxxxxxx -RefreshMetaData
WARNING: The federation trust has changed to prepare for the usage of a new certificate for Federation. You should update all TXT proof-of-ownership records that were previously set in DNS for all the
domains configured for Federation before publishing the new certificate.
The new hash-value should be replaced with the OrgNextCertificate proof value output generated with "Get-FederatedDomainProof -DomainName example.com".
[PS] C:\windows\system32>Get-FederatedDomainProof -DomainName domain.nl


RunspaceId : 010137a2-e51c-41f7-88f6-f4e982724bb7
DomainName : domain.nl
Name       : OrgNextPrivCertificate
Thumbprint : xxxxxxB6603427556Cxxxx1122E270E74Fxxxxxx
Proof      : XXXXXXXXnUXZ5I2/1r4OtQd+Ajif1kUWjbE/ZV/CIQfijGJlvcXXXXXXxsATxs82lE5l56iO+37XXXXXXXX
DnsRecord  : domain.nl TXT IN XXXXXXXXnUXZ5I2/1r4OtQd+Ajif1kUWjbE/ZV/CIQfijGJlvcXXXXXXxsATxs82lE5l56iO+37XXXXXXXX

RunspaceId : 010137a2-e51c-41f7-88f6-f4e982724bb7
DomainName : domain.nl
Name       : OrgPrivCertificate
Thumbprint : XXXXXXXX1770CAA82C2XXXXXX385DD36XXXXXXXX
Proof      : XXXXXXXXxqi4Dw2u377XXXXXXwpQUDo6TZrCyc+XgvWERobhE4b7WRnc2/lE89Sqta6FyFmOx++toIrBXXXXXXXX
DnsRecord  : domain.nl TXT IN XXXXXXXXxqi4Dw2u377XXXXXXwpQUDo6TZrCyc+XgvWERobhE4b7WRnc2/lE89Sqta6FyFmOx++toIrBXXXXXXXX



[PS] C:\windows\system32>Set-ExchangeServer -Identity sr-xxxxx -InternetWebProxy $null
[PS] C:\windows\system32>Get-ExchangeServer -Identity sr-xxxxx | select *proxy*

InternetWebProxy InternetWebProxyBypassList
---------------- --------------------------



[PS] C:\windows\system32>netsh winhttp show proxy

Current WinHTTP proxy settings:

    Proxy Server(s) :  proxy.domain.lan:8080
    Bypass List     :  10.*;*.domain.lan;<local>

[PS] C:\windows\system32>netsh winhttp clear proxy
The following command was not found: winhttp clear proxy.
[PS] C:\windows\system32>netsh winhttp reset proxy

Current WinHTTP proxy settings:

    Direct access (no proxy server).

[PS] C:\windows\system32>netsh winhttp show proxy

Current WinHTTP proxy settings:

    Direct access (no proxy server).

[PS] C:\windows\system32>$Servers = Get-ExchangeServer; $Servers | foreach {Get-ExchangeCertificate -Server $_ | Where {$_.Services -match 'Federation'}} | Format-List Identity,Thumbprint,Services,Subject


Identity   : sr-xxxxx.domain.lan\xxxxxxB6603427556Cxxxx1122E270E74Fxxxxxx
Thumbprint : xxxxxxB6603427556Cxxxx1122E270E74Fxxxxxx
Services   : SMTP, Federation
Subject    : CN=Federation

Identity   : sr-xxxxx.domain.lan\XXXXXXXX1770CAA82C2XXXXXX385DD36XXXXXXXX
Thumbprint : XXXXXXXX1770CAA82C2XXXXXX385DD36XXXXXXXX
Services   : SMTP, Federation
Subject    : CN=Federation

Identity   : sr-xxxxx.domain.lan\xxxxxxB6603427556Cxxxx1122E270E74Fxxxxxx
Thumbprint : xxxxxxB6603427556Cxxxx1122E270E74Fxxxxxx
Services   : SMTP, Federation
Subject    : CN=Federation

Identity   : sr-xxxxx.domain.lan\XXXXXXXX1770CAA82C2XXXXXX385DD36XXXXXXXX
Thumbprint : XXXXXXXX1770CAA82C2XXXXXX385DD36XXXXXXXX
Services   : SMTP, Federation
Subject    : CN=Federation

The Exchange Certificate operation has failed with an exception on server sr-xxxx1.  The error message is: Access is denied
    + CategoryInfo          : InvalidOperation: (:) [Get-ExchangeCertificate], LocalizedException
    + FullyQualifiedErrorId : [Server=sr-xxxxx,RequestId=80e9b8ef-a09d-4128-a7c9-533951782758,TimeStamp=25-4-2023 15:41:21] [FailureCategory=Cmdlet-LocalizedException] 12503763,Microsoft.Exchange.Manageme
   nt.SystemConfigurationTasks.GetExchangeCertificate
    + PSComputerName        : sr-xxxxx.domain.lan

The Exchange Certificate operation has failed with an exception on server sr-xxxx1.  The error message is: Access is denied
    + CategoryInfo          : InvalidOperation: (:) [Get-ExchangeCertificate], LocalizedException
    + FullyQualifiedErrorId : [Server=sr-xxxxx,RequestId=a311f800-dc09-4efa-8ceb-ecd97b6f5965,TimeStamp=25-4-2023 15:41:21] [FailureCategory=Cmdlet-LocalizedException] 9671FFC8,Microsoft.Exchange.Manageme
   nt.SystemConfigurationTasks.GetExchangeCertificate
    + PSComputerName        : sr-xxxxx.domain.lan



[PS] C:\windows\system32>Set-FederationTrust -Identity "Microsoft Federation Gateway" -PublishFederationCertificate
Creating a new session for implicit remoting of "Set-FederationTrust" command...
An error occurred accessing Windows Live. Detailed information: "The remote server returned an error: (407) Proxy Authentication Required.".
    + CategoryInfo          : InvalidResult: (:) [Set-FederationTrust], LiveDomainServicesException
    + FullyQualifiedErrorId : [Server=sr-xxxxx,RequestId=4a2f2b24-cb84-4f2a-95c5-a87a4d36bc8f,TimeStamp=26-4-2023 07:34:59] [FailureCategory=Cmdlet-LiveDomainServicesException] 5A701C9F,Microsoft.Exchange
   .Management.SystemConfigurationTasks.SetFederationTrust
    + PSComputerName        : sr-xxxxx.domain.lan

[PS] C:\windows\system32>$webclient=New-Object System.Net.WebClient
[PS] C:\windows\system32>$webclient.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials
[PS] C:\windows\system32>Set-FederationTrust -Identity "Microsoft Federation Gateway" -PublishFederationCertificate
An error occurred accessing Windows Live. Detailed information: "The remote server returned an error: (407) Proxy Authentication Required.".
    + CategoryInfo          : InvalidResult: (:) [Set-FederationTrust], LiveDomainServicesException
    + FullyQualifiedErrorId : [Server=sr-xxxxx,RequestId=4a2f2b24-cb84-4f2a-95c5-a87a4d36bc8f,TimeStamp=26-4-2023 07:35:22] [FailureCategory=Cmdlet-LiveDomainServicesException] 5A701C9F,Microsoft.Exchange
   .Management.SystemConfigurationTasks.SetFederationTrust
    + PSComputerName        : sr-xxxxx.domain.lan

[PS] C:\windows\system32>netsh winhttp show proxy

Current WinHTTP proxy settings:

    Direct access (no proxy server).

[PS] C:\windows\system32>[Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;
[PS] C:\windows\system32>[Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12
[PS] C:\windows\system32>Set-FederationTrust -Identity "Microsoft Federation Gateway" -PublishFederationCertificate
An error occurred accessing Windows Live. Detailed information: "The remote server returned an error: (407) Proxy Authentication Required.".
    + CategoryInfo          : InvalidResult: (:) [Set-FederationTrust], LiveDomainServicesException
    + FullyQualifiedErrorId : [Server=sr-xxxxx,RequestId=42e63050-a895-4073-a082-6d835d11e3eb,TimeStamp=26-4-2023 07:35:57] [FailureCategory=Cmdlet-LiveDomainServicesException] 5A701C9F,Microsoft.Exchange
   .Management.SystemConfigurationTasks.SetFederationTrust
    + PSComputerName        : sr-xxxxx.domain.lan

[PS] C:\windows\system32>Set-ExchangeServer -Identity sr-xxxxx -InternetWebProxy http://1.1.1.1:8080
[PS] C:\windows\system32>Set-FederationTrust -Identity "Microsoft Federation Gateway" -PublishFederationCertificate
An error occurred accessing Windows Live. Detailed information: "The remote server returned an error: (407) Proxy Authentication Required.".
    + CategoryInfo          : InvalidResult: (:) [Set-FederationTrust], LiveDomainServicesException
    + FullyQualifiedErrorId : [Server=sr-xxxxx,RequestId=4a2f2b24-cb84-4f2a-95c5-a87a4d36bc8f,TimeStamp=26-4-2023 07:36:47] [FailureCategory=Cmdlet-LiveDomainServicesException] 5A701C9F,Microsoft.Exchange
   .Management.SystemConfigurationTasks.SetFederationTrust
    + PSComputerName        : sr-xxxxx.domain.lan

[PS] C:\windows\system32>netsh winhttp import proxy source=ie

Current WinHTTP proxy settings:

    Direct access (no proxy server).

[PS] C:\windows\system32>netsh winhttp import proxy source=ie

Current WinHTTP proxy settings:

    Proxy Server(s) :  http://proxy.domain.lan:8080
    Bypass List     :  10.*;*.domain.lan;<local>

[PS] C:\windows\system32>Set-FederationTrust -Identity "Microsoft Federation Gateway" -PublishFederationCertificate
An error occurred accessing Windows Live. Detailed information: "The remote server returned an error: (407) Proxy Authentication Required.".
    + CategoryInfo          : InvalidResult: (:) [Set-FederationTrust], LiveDomainServicesException
    + FullyQualifiedErrorId : [Server=sr-xxxxx,RequestId=4a2f2b24-cb84-4f2a-95c5-a87a4d36bc8f,TimeStamp=26-4-2023 07:40:27] [FailureCategory=Cmdlet-LiveDomainServicesException] 5A701C9F,Microsoft.Exchange
   .Management.SystemConfigurationTasks.SetFederationTrust
    + PSComputerName        : sr-xxxxx.domain.lan




[PS] C:\windows\system32>Set-FederationTrust -Identity "Microsoft Federation Gateway" -PublishFederationCertificate
An error occurred accessing Windows Live. Detailed information: "The remote server returned an error: (407) Proxy Authentication Required.".
    + CategoryInfo          : InvalidResult: (:) [Set-FederationTrust], LiveDomainServicesException
    + FullyQualifiedErrorId : [Server=sr-xxxxx,RequestId=42e63050-a895-4073-a082-6d835d11e3eb,TimeStamp=26-4-2023 07:40:53] [FailureCategory=Cmdlet-LiveDomainServicesException] 5A701C9F,Microsoft.Exchange
   .Management.SystemConfigurationTasks.SetFederationTrust
    + PSComputerName        : sr-xxxxx.domain.lan

[PS] C:\windows\system32>netsh winhttp reset proxy

Current WinHTTP proxy settings:

    Direct access (no proxy server).

[PS] C:\windows\system32>netsh winhttp set proxy proxy.domain.lan:8080

Current WinHTTP proxy settings:

    Proxy Server(s) :  proxy.domain.lan:8080
    Bypass List     :  (none)

[PS] C:\windows\system32>Set-FederationTrust -Identity "Microsoft Federation Gateway" -PublishFederationCertificate
An error occurred accessing Windows Live. Detailed information: "The remote server returned an error: (407) Proxy Authentication Required.".
    + CategoryInfo          : InvalidResult: (:) [Set-FederationTrust], LiveDomainServicesException
    + FullyQualifiedErrorId : [Server=sr-xxxxx,RequestId=4a2f2b24-cb84-4f2a-95c5-a87a4d36bc8f,TimeStamp=26-4-2023 07:43:46] [FailureCategory=Cmdlet-LiveDomainServicesException] 5A701C9F,Microsoft.Exchange
   .Management.SystemConfigurationTasks.SetFederationTrust
    + PSComputerName        : sr-xxxxx.domain.lan

[PS] C:\windows\system32>netsh winhttp set proxy proxy.domain.lan:8080 bypass-list="*.microsoftonline-p.com"

Current WinHTTP proxy settings:

    Proxy Server(s) :  proxy.domain.lan:8080
    Bypass List     :  *.microsoftonline-p.com

[PS] C:\windows\system32>Set-FederationTrust -Identity "Microsoft Federation Gateway" -PublishFederationCertificate
An error occurred accessing Windows Live. Detailed information: "The remote server returned an error: (407) Proxy Authentication Required.".
    + CategoryInfo          : InvalidResult: (:) [Set-FederationTrust], LiveDomainServicesException
    + FullyQualifiedErrorId : [Server=sr-xxxxx,RequestId=2f6f2f77-9d84-4029-b860-3274731a42b7,TimeStamp=26-4-2023 07:45:04] [FailureCategory=Cmdlet-LiveDomainServicesException] 5A701C9F,Microsoft.Exchange
   .Management.SystemConfigurationTasks.SetFederationTrust
    + PSComputerName        : sr-xxxxx.domain.lan

[PS] C:\windows\system32>Stop-Service -Name WinHttpAutoProxySvc -Force
Stop-Service : Service 'WinHTTP Web Proxy Auto-Discovery Service (WinHttpAutoProxySvc)' cannot be stopped due to the following error: Cannot open WinHttpAutoProxySvc service on computer '.'.
At line:1 char:1
+ Stop-Service -Name WinHttpAutoProxySvc -Force
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : CloseError: (System.ServiceProcess.ServiceController:ServiceController) [Stop-Service], ServiceCommandException
    + FullyQualifiedErrorId : CouldNotStopService,Microsoft.PowerShell.Commands.StopServiceCommand

Stop-Service : Collection was modified; enumeration operation may not execute.
At line:1 char:1
+ Stop-Service -Name WinHttpAutoProxySvc -Force
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Stop-Service], InvalidOperationException
    + FullyQualifiedErrorId : System.InvalidOperationException,Microsoft.PowerShell.Commands.StopServiceCommand

[PS] C:\windows\system32>Set-Service -Name WinHttpAutoProxySvc -StartupType disabled
Set-Service : Service 'WinHTTP Web Proxy Auto-Discovery Service (WinHttpAutoProxySvc)' cannot be configured due to the following error: Access is denied
At line:1 char:1
+ Set-Service -Name WinHttpAutoProxySvc -StartupType disabled
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (System.ServiceProcess.ServiceController:ServiceController) [Set-Service], ServiceCommandException
    + FullyQualifiedErrorId : CouldNotSetService,Microsoft.PowerShell.Commands.SetServiceCommand

[PS] C:\windows\system32>whoami
domain\Username
[PS] C:\windows\system32>
[PS] C:\windows\system32>
[PS] C:\windows\system32>Get-ExchangeServer -Identity sr-xxxxx | select *proxy*

InternetWebProxy           InternetWebProxyBypassList
----------------           --------------------------
http://1.1.1.1:8080/


[PS] C:\windows\system32>Set-ExchangeServer -Identity sr-xxxxx -InternetWebProxy http://1.1.1.1:8080 -InternetWebProxyBypassList "10.*;*.domain.lan"
Cannot process argument transformation on parameter 'InternetWebProxyBypassList'. Cannot convert value "10.*;*.domain.lan" to type "Microsoft.Exchange.Data.MultiValuedProperty`1[Microsoft.Exchange.Data.Fqd
n]". Error: "Failed to convert 10.*;*.domain.lan from System.String to Microsoft.Exchange.Data.Fqdn. Error: Error while converting string '10.*;*.domain.lan' to result type Microsoft.Exchange.Data.Fqdn: "1
0.*;*.domain.lan" isn't a valid SMTP domain."
    + CategoryInfo          : InvalidData: (:) [Set-ExchangeServer], ParameterBindin...mationException
    + FullyQualifiedErrorId : ParameterArgumentTransformationError,Set-ExchangeServer
    + PSComputerName        : sr-xxxxx.domain.lan

[PS] C:\windows\system32>Get-ExchangeServer -Identity sr-xxxxx | select *proxy*

InternetWebProxy           InternetWebProxyBypassList
----------------           --------------------------
http://1.1.1.1:8080/


[PS] C:\windows\system32>Set-ExchangeServer -Identity sr-xxxxx -InternetWebProxy http://1.1.1.1:8080 -InternetWebProxyBypassList @{"10.*","*.domain.lan","*.microsoftonline-p.com"}
>> ^C
[PS] C:\windows\system32>Set-ExchangeServer -Identity sr-xxxxx -InternetWebProxy http://1.1.1.1:8080 -InternetWebProxyBypassList @("10.*","*.domain.lan","*.microsoftonline-p.com")
Cannot process argument transformation on parameter 'InternetWebProxyBypassList'. Cannot convert value "10.* *.domain.lan *.microsoftonline-p.com" to type "Microsoft.Exchange.Data.MultiValuedProperty`1[Mic
rosoft.Exchange.Data.Fqdn]". Error: "Cannot convert value "10.*" to type "Microsoft.Exchange.Data.Fqdn". Error: ""10.*" isn't a valid SMTP domain.""
    + CategoryInfo          : InvalidData: (:) [Set-ExchangeServer], ParameterBindin...mationException
    + FullyQualifiedErrorId : ParameterArgumentTransformationError,Set-ExchangeServer
    + PSComputerName        : sr-xxxxx.domain.lan

[PS] C:\windows\system32>Set-ExchangeServer -Identity sr-xxxxx -InternetWebProxy http://1.1.1.1:8080 -InternetWebProxyBypassList @("domain.lan","microsoftonline-p.com")
[PS] C:\windows\system32>Get-ExchangeServer -Identity sr-xxxxx | select *proxy*

InternetWebProxy           InternetWebProxyBypassList
----------------           --------------------------
http://1.1.1.1:8080/ {domain.lan, microsoftonline-p.com}


[PS] C:\windows\system32>Set-FederationTrust -Identity "Microsoft Federation Gateway" -PublishFederationCertificate
An error occurred accessing Windows Live. Detailed information: "The remote server returned an error: (407) Proxy Authentication Required.".
    + CategoryInfo          : InvalidResult: (:) [Set-FederationTrust], LiveDomainServicesException
    + FullyQualifiedErrorId : [Server=sr-xxxxx,RequestId=c3dd4e8e-34bc-402a-9cdb-3cf6ca994637,TimeStamp=26-4-2023 07:56:54] [FailureCategory=Cmdlet-LiveDomainServicesException] 5A701C9F,Microsoft.Exchange
   .Management.SystemConfigurationTasks.SetFederationTrust
    + PSComputerName        : sr-xxxxx.domain.lan
	
And here I added the following domains "domains.live.com" & "www.msftconnecttest.com" to the bypass list on the proxy:




[PS] C:\windows\system32>Set-FederationTrust -Identity "Microsoft Federation Gateway" -PublishFederationCertificate
WARNING: The federation trust has changed to use a new certificate for Federation. You should update all TXT proof-of-ownership records that were previously set in DNS for all the domains configured for
Federation. The new hash-value should be replaced with the OrgNextCertificate proof value output of the OrgNextCertificate generated with "Get-FederatedDomainProof -DomainName example.com".
[PS] C:\windows\system32>Get-FederationTrust | Format-List *priv*


OrgPrivCertificate     : xxxxxxB6603427556Cxxxx1122E270E74Fxxxxxx
OrgNextPrivCertificate :
OrgPrevPrivCertificate : XXXXXXXX1770CAA82C2XXXXXX385DD36XXXXXXXX



[PS] C:\windows\system32>Test-FederationTrust -UserIdentity user@domain.nl


Begin process.

STEP 1 of 6: Getting ADUser information for user@domain.nl...
RESULT: Success.

STEP 2 of 6: Getting FederationTrust object for user@domain.nl...
RESULT: Success.

STEP 3 of 6: Validating that the FederationTrust has the same STS certificates as the actual certificates published by the STS in the federation metadata.
RESULT: Success.

STEP 4 of 6: Getting STS and Organization certificates from the federation trust object...
RESULT: Success.


Validating current configuration for FYDIBOHF25SPDLT.domain.nl...


Validation successful.

STEP 5 of 6: Requesting delegation token...
RESULT: Success. Token retrieved.

STEP 6 of 6: Validating delegation token...
RESULT: Success.

Closing Test-FederationTrust...


RunspaceId : 043079c7-9ca2-4188-ac0e-681276d2b6e5
Id         : FederationTrustConfiguration
Type       : Success
Message    : FederationTrust object in ActiveDirectory is valid.

RunspaceId : 043079c7-9ca2-4188-ac0e-681276d2b6e5
Id         : FederationMetadata
Type       : Error
Message    : Unable to retrieve federation metadata from the security token service.

RunspaceId : 043079c7-9ca2-4188-ac0e-681276d2b6e5
Id         : StsCertificate
Type       : Success
Message    : Valid certificate referenced by property TokenIssuerCertificate in the FederationTrust object.

RunspaceId : 043079c7-9ca2-4188-ac0e-681276d2b6e5
Id         : StsPreviousCertificate
Type       : Success
Message    : Valid certificate referenced by property TokenIssuerPrevCertificate in the FederationTrust object.

RunspaceId : 043079c7-9ca2-4188-ac0e-681276d2b6e5
Id         : OrganizationCertificate
Type       : Success
Message    : Valid certificate referenced by property OrgPrivCertificate in the FederationTrust object.

RunspaceId : 043079c7-9ca2-4188-ac0e-681276d2b6e5
Id         : OrganizationPreviousCertificate
Type       : Success
Message    : Valid certificate referenced by property OrgPrevPrivCertificate in the FederationTrust object.

RunspaceId : 043079c7-9ca2-4188-ac0e-681276d2b6e5
Id         : TokenRequest
Type       : Success
Message    : Request for delegation token succeeded.

RunspaceId : 043079c7-9ca2-4188-ac0e-681276d2b6e5
Id         : TokenValidation
Type       : Success
Message    : Requested delegation token is valid.



[PS] C:\windows\system32>
[PS] C:\windows\system32>Set-ExchangeServer -Identity sr-xxxxx -InternetWebProxy $null -InternetWebProxyBypassList $null
[PS] C:\windows\system32>Get-ExchangeServer -Identity sr-xxxxx | select *proxy*

InternetWebProxy InternetWebProxyBypassList
---------------- --------------------------
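
The transcript above shows two different failures: "Unable to connect to the remote server" and "(407) Proxy Authentication Required". The probe below is an added example, not part of the original post or of Exchange; it requests each URL through the proxy once without and once with Windows credentials so the two cases can be told apart. `Test-ProxyPath` is a hypothetical helper name and the URL schemes are assumptions; only the host names and the proxy address come from the post.

```powershell
# Added example (not from the original post). Test-ProxyPath is a hypothetical helper.
function Test-ProxyPath {
    param(
        [Parameter(Mandatory = $true)] [string]   $ProxyUri,
        [Parameter(Mandatory = $true)] [string[]] $Url,
        [int] $TimeoutMs = 10000
    )

    foreach ($u in $Url) {
        foreach ($sendCredentials in $false, $true) {
            # A fresh WebProxy per request leaves the process-wide default proxy untouched.
            $proxy = New-Object System.Net.WebProxy($ProxyUri)
            $proxy.UseDefaultCredentials = $sendCredentials

            $request = [System.Net.WebRequest]::Create($u)
            $request.Proxy   = $proxy
            $request.Method  = 'HEAD'
            $request.Timeout = $TimeoutMs

            $outcome = $null
            try {
                $response = $request.GetResponse()
                $outcome  = 'HTTP {0}' -f [int]$response.StatusCode
                $response.Close()
            }
            catch {
                # PowerShell wraps .NET exceptions; walk down to the WebException.
                $ex = $_.Exception
                while ($ex -and $ex -isnot [System.Net.WebException]) { $ex = $ex.InnerException }

                if (-not $ex) {
                    $outcome = 'Error: ' + $_.Exception.Message
                }
                elseif ($ex.Response -is [System.Net.HttpWebResponse]) {
                    # An HTTP answer came back; 407 is the proxy asking for credentials.
                    $code = [int]$ex.Response.StatusCode
                    if ($code -eq 407) { $outcome = 'Proxy demands authentication (407)' }
                    else               { $outcome = "HTTP $code" }
                    $ex.Response.Close()
                }
                else {
                    # No HTTP answer at all: ConnectFailure, NameResolutionFailure, Timeout, ...
                    $outcome = 'No response ({0})' -f $ex.Status
                }
            }

            [pscustomobject]@{
                Url              = $u
                ProxyCredentials = $sendCredentials
                Outcome          = $outcome
            }
        }
    }
}

# Proxy address and host names as they appear in the post; the schemes are assumed.
Test-ProxyPath -ProxyUri 'http://proxy.domain.lan:8080' -Url @(
    'https://domains.live.com/',
    'http://www.msftconnecttest.com/'
) | Format-Table -AutoSize
```

Run it on the Exchange server, since the cmdlets in the transcript execute in the remote session on that server (see PSComputerName in the errors). A 407 on the row without credentials and an HTTP status on the row with them means the destination is reachable only for callers that authenticate to the proxy.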

08 September 2017

Install-Module - unable to resolve package source 'https://www.powershellgallery.com/api/v2/'

Trying to install a PowerShell module behind a proxy?
Chances are you're getting this error:

unable to resolve package source 'https://www.powershellgallery.com/api/v2/'

Turns out the request isn't allowed through your proxy server. Run this in your PowerShell session and try again:

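# WebClient.Proxy returns the process-wide default proxy, so this sets its credentials for the whole session
$webclient=New-Object System.Net.WebClient
$webclient.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials
# Use TLS 1.2 for outgoing .NET connections in this session
[Net.ServicePointManager]::SecurityProtocol = "tls12"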

Now every command you run is sent and allowed through the proxy.

18 August 2017

PowerShell behind Authenticating proxy



I've seen this at my work a few too many times.
Certain commands just don't get through, or something errors out for strange, unidentifiable reasons.

Not all commands in PowerShell will go through the proxy. IE will pass this on using Windows Integrated Authentication, but the .NET WebClient used by PowerShell doesn't appear to do this.

How to get past this? Copy/paste this into your PowerShell window and all your commands go through your proxy.

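# Hand the current Windows credentials to the default proxy used by .NET in this session
$wc = New-Object System.Net.WebClient
$wc.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials
# Test request: returns the page HTML once the proxy accepts the credentials
$wc.DownloadString('http://microsoft.com')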

You could add this to your profile to load at startup:

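# Create the profile file only if it doesn't exist yet (-Force alone would overwrite an existing profile)
if (!(Test-Path $profile)) { New-Item -Type File -Force $profile }
Notepad $profile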

Paste in Notepad:

$wc = New-Object System.Net.WebClient
$wc.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials
$wc.DownloadString('http://microsoft.com')

Save the Microsoft.PowerShellISE_profile.ps1 file in Notepad.

There is a request on Connect to have this looked at by the PowerShell team.
https://connect.microsoft.com/PowerShell/feedback/details/754102/a-cmdlet-to-create-a-proxy-configuration-settings-object

28 June 2017

Connect-EXOPSSession behind proxy

With the new Exchange Online Remote PowerShell Module you can connect to Exchange Online with MFA enabled on your account.
But what if you are behind a proxy and are unable to connect?
Chances are that there is one process that goes directly to the internet:





When trying to connect you get the error below:
This PowerShell module allows you to connect to Exchange Online service.            
            
To connect, use: Connect-EXOPSSession -UserPrincipalName your UPN            
            
To get additional information, use: Get-Help Connect-EXOPSSession            
            
PS C:\Users\> Connect-EXOPSSession -UserPrincipalName username@yourtenant.onmicrosoft.com            
New-ExoPSSession : Connecting to remote server outlook.office365.com failed with the following error message : WinRM ca            
nnot complete the operation. Verify that the specified computer name is valid, that the computer is accessible over the            
 network and that a firewall exception for the WinRM service is enabled and allows access from this computer. By defau            
lt the WinRM firewall exception for public profiles limits access to remote computers within the same local subnet. Fo            
r more information, see the about_Remote_Troubleshooting Help topic.            
At C:\Users\username\AppData\Local\Apps\2.0\CCA4XODV.QGQ\BBNHW64J.DHE\micr..tion_c3bce3770c238a49_0010.0000_a5ac7e7ccec31            
8ba\CreateExoPSSession.ps1:179 char:22            
 PSSession = New-ExoPSSession -UserPrincipalName $UserPrincipalName -C ...            
                ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~            
     CategoryInfo          : ResourceUnavailable: (:) [New-ExoPSSession], PSRemotingTransportException            
     FullyQualifiedErrorId : System.Management.Automation.Remoting.PSRemotingDataStructureException,Microsoft.Exchang            
   e.Management.ExoPowershellSnapin.NewExoPSSession

We have to force all traffic through the proxy. The easiest way to do this is with netsh:

Check current settings for the PowerShell session:
netsh winhttp show proxy

Current WinHTTP proxy settings:

Direct access (no proxy server).

Set the proxy server:
netsh winhttp set proxy proxy.domain.lan:8080

Current WinHTTP proxy settings:

Proxy Server(s) :  proxy.domain.lan:8080
Bypass List     :  (none)

Reset to no proxy server settings:
netsh winhttp reset proxy

Current WinHTTP proxy settings:

Direct access (no proxy server).

14 March 2017

Skype Online authenticating proxy - 407 Proxy Authentication Required

When trying to sign in to Skype Online from the Skype for Business (2015) Control panel sitting behind an authenticating proxy you may receive the following:


You need to set up your proxy to allow the necessary sites to be accessed without authentication.
Going through your proxy log, you can see which sites are connected to.
These are the ones that were accessed at my site.

*.online.lync.com
*.microsoftonline.com
*.microsoftonline-p.net
*.microsoftonline-p.com
*.windows.net
*.office365.com
signup.microsoft.com

Yours could be different. There are quite a lot of sites and IP addresses linked with Skype Online, Office365 and Exchange Online, as you can see here:

Office-365-URLs-and-IP-address-ranges

After allowing all these sites through your proxy you should be able to log in to Skype Online with your tenant ID.
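
Finding those sites in the proxy log can be scripted. The following is an added example, not from the original post: it pulls the hosts that received a 407 out of a proxy log and checks them against the list above. The Squid-style log layout, the function names and every sample line are assumptions constructed for illustration.

```powershell
# Added example (not from the original post). The log layout is an assumption:
# Squid's native access.log format. All sample lines are constructed.
$allowList = @(
    '*.online.lync.com', '*.microsoftonline.com', '*.microsoftonline-p.net',
    '*.microsoftonline-p.com', '*.windows.net', '*.office365.com', 'signup.microsoft.com'
)

$sampleLog = @'
1489483201.101     12 10.0.0.15 TCP_DENIED/407 4021 CONNECT webdir.online.lync.com:443 - HIER_NONE/- text/html
1489483201.350     10 10.0.0.15 TCP_DENIED/407 4021 CONNECT login.microsoftonline.com:443 - HIER_NONE/- text/html
1489483202.007      9 10.0.0.15 TCP_DENIED/407 4021 CONNECT domains.live.com:443 - HIER_NONE/- text/html
1489483202.512     11 10.0.0.15 TCP_DENIED/407 4103 GET http://www.msftconnecttest.com/connecttest.txt - HIER_NONE/- text/html
1489483203.120   2310 10.0.0.15 TCP_TUNNEL/200 5120 CONNECT signup.microsoft.com:443 - HIER_DIRECT/203.0.113.10 -
1489483204.090      8 10.0.0.15 TCP_DENIED/407 4021 CONNECT domains.live.com:443 - HIER_NONE/- text/html
'@ -split "`r?`n"

function Get-Denied407Host {
    param([string[]] $Line)
    foreach ($entry in $Line) {
        # Fields: time, elapsed, client, result/status, bytes, method, target, ...
        $field = $entry.Trim() -split '\s+'
        if ($field.Count -lt 7 -or $field[3] -notmatch '/407$') { continue }

        if ($field[5] -eq 'CONNECT') {
            # CONNECT targets are logged as host:port
            $name = ($field[6] -split ':')[0]
        }
        else {
            # Other methods log an absolute URL
            $name = ([uri]$field[6]).Host
        }
        $name.ToLowerInvariant()
    }
}

function Test-AllowListed {
    param([string] $HostName, [string[]] $Pattern)
    foreach ($p in $Pattern) {
        # '*.example.com' matches subdomains only, not the bare domain
        if ($HostName -like $p) { return $true }
    }
    return $false
}

function Get-ProxyAuthReport {
    param([string[]] $Line, [string[]] $Pattern)
    Get-Denied407Host -Line $Line | Group-Object | ForEach-Object {
        [pscustomobject]@{
            HostName    = $_.Name
            Denied407   = $_.Count
            AllowListed = Test-AllowListed -HostName $_.Name -Pattern $Pattern
        }
    } | Sort-Object AllowListed, HostName
}

Get-ProxyAuthReport -Line $sampleLog -Pattern $allowList | Format-Table -AutoSize
```

Hosts reported with AllowListed = False are the candidates for the proxy's unauthenticated list; a host that is AllowListed = True but still shows 407 means the exception is not taking effect on the proxy.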