Thursday, November 29, 2007

Implementing IMAP over SSL on Exchange

Last night, I put in IMAP over SSL for the first time. It was surprisingly easy.

More or less, it went like this:
Open up port 993 on the firewall to your Exchange server.
Make sure the IMAP service is set to automatic.
Then go to the Properties of the IMAP virtual server:
ESM -> Servername -> Protocols -> IMAP4 -> Default IMAP Virtual Server
Go to the Access tab
Hit Certificate -> Assign existing certificate -> and then you choose your SSL certificate (same one you have for OWA)

Then you need to turn off regular IMAP by requiring secured connections. Go to the properties of the Default IMAP Virtual Server and click on the Access tab. Click on Communication. Check the box for Require Secure Channel.

And really that was it. Then I was able to connect to IMAP over SSL. Of course client configurations are necessary, but that's relatively easy.

Installing a Turbo SSL Certificate from Godaddy on an SBS box

This is from my own notes (combined with Godaddy's) on how to install a Godaddy Turbo SSL Certificate on a Windows SBS box.

Buy the certificate from the godaddy.com web site

Log in to the Godaddy site

Click on My Account

Under My Products, click on "Manage SSL Certificates"

Click "Set up Certificate"

Select the certificate you purchased

Click "activate account"

If you've created a cert before with this account, log in; if not, create a new SSL account with a more secure 8-character password and the same username

Click "request certificate"

Select the certificate again and click "request certificate"

Create your CSR request for IIS using these instructions:
# Go to Internet Information Services (IIS) Manager on your Exchange server
# Go to Servername -> Web sites -> Default web site . . . and Right mouse-click to select Properties.
# Click the "Directory Security" tab.
# Click the "Server Certificate." button (located in the "Secure communications" area)
# Click "Next" in the Welcome to the "Web Server Certificate Wizard" window.
# Remove the existing certificate
# Click the "Server Certificate." button (located in the "Secure communications" area)
# Click "Next" in the Welcome to the "Web Server Certificate Wizard" window.
# Select "Create a new certificate"; then click "Next."
# Select "Prepare the request now, but send it later" and click "Next."
# In the "Name and Security Settings" window, fill in the name field for the new certificate; then select the bit length (1,024 or higher). Click Next.
# For organization unit, you can put in "na" without quotes
# Verify the information in the request and click "Next."
# On the "Completing the Web Server" screen, click "Finish."
# Open the generated CSR file; then, using a plain-text editor, such as Windows Notepad, copy and paste the CSR into the online enrollment form.

Godaddy will send an email to the administrative contact for the domain and, if approved, the certificate will be sent via email.

Then, when you have the email with the link to the certificate, follow these instructions:

Installing SSL Certificate and the Intermediate Certificate Bundle (gd_iis_intermediates.p7b)

Before you install your issued SSL certificate you must download and install our intermediate certificate bundle (gd_iis_intermediates.p7b) on your Web server. You may also download the bundle from the repository.

Once you have downloaded and saved the certificate bundle, please follow the instructions below to install it.

Installing Intermediate Certificate Bundle (gd_iis_intermediates.p7b):

1. Select Run from the start menu; then type mmc to start the Microsoft Management Console (MMC).
2. In the Management Console, select File; then "Add/Remove Snap In."
3. In the Add/Remove Snap-In dialog, select Add.
4. In the Add Standalone Snap-in dialog, choose Certificates; then click the Add button.
5. Choose Computer Account; then click Next and Finish.
6. Close the Add Standalone Snap-in dialog and click OK on the Add/Remove Snap-in dialog to return to the main MMC window.
7. If necessary, click the + icon to expand the Certificates folder so that the Intermediate Certification Authorities folder is visible.
8. Right-click on Intermediate Certification Authorities and choose All Tasks; then click Import.
9. Follow the wizard prompts to complete the installation procedure.
10. Click Browse to locate the certificate file (gd_iis_intermediates.p7b).
11. Choose Place all certificates in the following store; then use the Browse function to locate Intermediate Certification Authorities. Click Next.
12. Click Finish.

Installing SSL Certificate

1. Select the Internet Information Service console within the Administrative Tools menu.
2. Select the Web site (host) for which the certificate was made.
3. Right mouse-click and select Properties.
4. Select the Directory Security tab.
5. Select the Server Certificate option.
6. The Welcome to the Web Server Certificate Wizard window opens. Click OK.
7. Select Process the pending request and install the certificate. Click Next.
8. Enter the location for the certificate file at the Process a Pending Request window. The file extension may be .txt or .crt instead of .cer (search for files of type all files).
9. When the correct certificate file is selected, click Next.
10. Verify the Certificate Summary to make sure all information is accurate. Click Next.
11. Select Finish.

NOTE: If the Go Daddy root certificate is currently installed on your machine you will need to disable it from the Trusted Root Certification Authorities folder. Please follow the instructions below to do this:

1. Select Run from the start menu; then type mmc to start the Microsoft Management Console (MMC).
2. In the Management Console, select File; then "Add/Remove Snap In."
3. In the Add/Remove Snap-In dialog, select Add.
4. In the Add Standalone Snap-in dialog, choose Certificates; then click the Add button.
5. Choose Computer Account; then click Next and Finish.
6. Close the Add Standalone Snap-in dialog and click OK on the Add/Remove Snap-in dialog to return to the main MMC window.
7. If necessary, click the + icon to expand the Certificates folder so that the Trusted Root Certification Authorities folder is visible.
8. Expand the Trusted Root Certification Authorities folder.
9. Double-click the Certificates folder to show a list of all certificates.
10. Find the Go Daddy Class 2 Certification Authority certificate.
11. Right-click on the certificate and select Properties.
12. Select the radio button next to Disable all purposes for this certificate.
13. Click OK.

NOTE: Do not disable the Go Daddy Secure Certification Authority certificate located in the Intermediate Certification Authorities folder. Doing so will break the server, causing it to stop sending the correct certificate chain to the browser.
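To check the result of both procedures above (IMAP over SSL on port 993 and the certificate plus intermediate bundle) from a client, the following PowerShell function completes a TLS handshake, records the chain the client could build and the validation result, and can read the IMAP greeting. It is an added example, not part of the original post or of Godaddy's instructions; the function name and mail.example.com are placeholders.

```powershell
# Added example. Test-TlsEndpoint and mail.example.com are placeholder names.
function Test-TlsEndpoint {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,
        [int]$Port = 993,
        [switch]$ReadGreeting   # IMAP servers speak first; HTTPS servers do not
    )
    $seen = @{ Errors = $null; Chain = @(); Expires = $null }
    # Record what was presented, then accept only a certificate that validates.
    $validate = [System.Net.Security.RemoteCertificateValidationCallback]({
        param($source, $certificate, $chain, $policyErrors)
        $seen.Errors = $policyErrors
        if ($certificate) { $seen.Expires = $certificate.GetExpirationDateString() }
        $seen.Chain = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
        $policyErrors -eq [System.Net.Security.SslPolicyErrors]::None
    }.GetNewClosure())

    $tcp = New-Object System.Net.Sockets.TcpClient
    $greeting = $null; $failure = $null; $handshake = $false
    try {
        $tcp.Connect($HostName, $Port)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $validate)
        $ssl.AuthenticateAsClient($HostName)   # throws when validation fails
        $handshake = $true
        if ($ReadGreeting) {
            $ssl.ReadTimeout = 5000
            $reader = New-Object System.IO.StreamReader($ssl)
            $greeting = $reader.ReadLine()     # first line the IMAP service sends
        }
    } catch {
        $failure = $_.Exception.Message
    } finally {
        $tcp.Close()
    }
    New-Object PSObject -Property @{
        Endpoint     = "${HostName}:$Port"
        Handshake    = $handshake
        PolicyErrors = $seen.Errors    # name mismatch and chain errors show up here
        Expires      = $seen.Expires
        Chain        = $seen.Chain     # leaf first, then intermediate, then root
        Greeting     = $greeting
        Failure      = $failure
    }
}

Test-TlsEndpoint -HostName mail.example.com -Port 993 -ReadGreeting
Test-TlsEndpoint -HostName mail.example.com -Port 443
```

Run it from a machine outside the firewall and use the host name that is on the certificate, since the IMAP service shares the OWA certificate and any other name is reported as a name mismatch.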

Monday, November 26, 2007

Control F5 to refresh and reload

Interesting tidbit I learned today about clearing the cache on a page. You can press Control F5 and it will reload a page and all its component parts:

http://blog.httpwatch.com/2007/10/19/using-ctrlf5-in-ie-7/

Wednesday, November 21, 2007

Revision data removed error in Word 2002 and Word 2003

It had been a while since I came across this error, but I just did, and I had to dig deep to remember the very simple solution.

Sometimes when a document is passed between Word 2002 and Word 2003 and track changes are used, you get this weird "revision - data removed" error. And then you can't open the document in Word 2002. But you get this weird window when opening the document in Word 2003.

I don't know what the user does necessarily to cause this (because I have lots of users exchanging documents between Word 02 and Word 03 with track changes) - but when you see it, the simple fix is to select all and paste the entire document into a new blank document. And then resave it. Whatever code is causing the problem is eliminated.

Saturday, November 17, 2007

Making the Intelligent Message Filter (IMF) download updates.

  1. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Exchange
  2. Add a key of “ContentFilterState” and give it a DWORD value of 1.

Thursday, November 15, 2007

Outlook 2007 crashing because of Acrobat add-in

I had an issue with Outlook checking its data file each time it opened, so I researched it and found it was Outlook not closing properly. Anyway, lots of opinions pointed to the PDFMOutlook add-in from Adobe Acrobat. I tried to disable the add-in from:

Tools | Trust-Center | Add-ins

but it gave me an error, so I went here and changed the LoadBehavior from 3 to 0 from the PDFMOutlook add-in:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Outlook\Addins

disable autotune on vista for better network performance

I have found network performance awful with Vista. To make matters worse, it tells you the transfer speed while it's copying data on your network. How in the hell am I getting 500 KB/s transfer speed on a 100 Mb/s wired network?

I read that you can run this command:
netsh int tcp set global autotuninglevel=disabled

and it will disable autotune, which is the culprit here. As with most things, I found a great description at Daniel Petri's site:

netsh int tcp set global autotuninglevel=disabled

update - Vista does copy files slowly, but after this I noted that it was copying over the wireless and not the wired connection. I'll never understand why, but some computers have the wireless connection prioritized above a wired connection. My next blog post will be about how to switch those settings.

Wednesday, November 7, 2007

Slow performance on a Vista computer after you establish a VPN connection

I've had complaints from some of my Vista users about speed of network connections over PPTP VPNs.

Here is a KB article from Microsoft about that issue:

http://support.microsoft.com/kb/934202

Vista Business from an OEM vendor that does not let you rename files or folders on network drives

Cause: Possibly the way the OEM vendor packaged the OS.

Resolution: Create the parameters key in the following location:

HKLM\System\CurrentControlSet\Services\CSC\Parameters

Then within the parameters key, create a DWORD Value named FormatDatabase with a value of 1 (hex) then reboot the machine.

A slightly less esoteric solution is to disable offline folder caching.
The OEM version seems to come with it enabled, but not configured.
Disable it.
Reboot.


Go to the control panel, open the "offline files" control, disable or enable as you wish and then reboot.

Here is a screen shot of the error:

Microsoft covers this issue here:
http://support.microsoft.com/kb/934160

Tuesday, November 6, 2007

Connecting a Mac to a Windows 2003 file server (update)

After I finished yesterday's post, I thought about the File Services/Server for Macintosh. That is to enable the Mac to see the UAM volume via AFP, which is not helpful. I want the user to see the actual shares that the regular PC users see.

And then I came across this:
http://allinthehead.com/retro/218/accessing-a-windows-2003-share-from-os-x

It talks about the change you need to make to the Windows server to allow SMB access, which is of course what we want. I guess the reason that I was able to make it work in Windows 2000 and not able to make it work in Windows 2003 is this requirement to digitally sign communications.

I haven't tried this out yet, but I will be able to this afternoon and not update this post if it is successful.

Monday, November 5, 2007

Connecting a Mac to a Windows 2003 file server

In the last couple of months, I've had the displeasure of trying to attempt to connect two Macs to Windows 2003 servers. No success either time. This is a record of what I've tried and what I think.

Let's start with where I started - a typical Windows 2003 server (in each case the AD controlled by an SBS 2003 box). No modifications for Macs at all.

You can try connecting via AFP (Apple Filing Protocol), but you can't connect. If you choose Go -> Connect to Server and just put in the IP address or type AFP://123.123.123.123 - it won't be able to get to the server. If you try to connect via cifs://123.123.123.123 or smb://123.123.123.123 - it will give you a login screen with username, password, and domain/workgroup - but when you put in your info, it says that your login info is not correct. Interestingly enough, the server's security event log (in my experience today at least) says that the user was authenticated successfully. And if you put in invalid credentials, the security event log will see your invalid login attempt and say so.

So that's where we start. The first thing I tried was adding File Services for Macintosh:
http://technet2.microsoft.com/windowsserver/en/library/6f3ef0f8-b358-43b0-bbd3-6fbeba43d4d61033.mspx?mfr=true

But what that gets you is the ability to connect to the Microsoft UAM volume on the server using AFP, not any worthwhile shares which is what you probably want to get to. So that is no good.

One thing I came across was a reference to authentication type. Right click on My Computer. Go to manage. Right click on Shared folders from Computer Management/System Tools/Shared Folders. Choose "Configure File Server for Macintosh." In the Security section under Enable Authentication, the drop down box has "Microsoft Only" by default. Switch it to "Apple Clear Text or Microsoft" and hit Apply. Then restart the File Server for Macintosh service.

Unfortunately, for me, this did not help in today's issue. When I input the login credentials on the Mac, I still get the error from the Mac about credentials being invalid - though the security event log still says that the login succeeded.

So my temporary solution has been to set up FTP for the Mac users - which works in the short term, but I'd love to get this solved.

One other thing I tried was this:
http://www.macdevcenter.com/pub/a/mac/2003/12/09/active_directory.html

It added the Mac to the domain. But even still, Go -> Connect to Server - it still doesn't connect.

You would think that everything you'd need would be here:
http://technet2.microsoft.com/windowsserver/en/library/04ee8e17-bd60-4a9f-bd8a-eb5d4e2cfec01033.mspx?mfr=true

It was written in January 2005, so it must take Server 2003 into account. I will play more with this tomorrow.

Increasing the size of the private information store

  1. On the computer that is running Exchange Server, open a registry editor such as Regedit.exe or RegEdt32.exe.
  2. Navigate to: HKLM\System\CurrentControlSet\Services\MSExchangeIS\ServerName\Private-
  3. Right-click MailboxStoreGUID, point to New, and then click DWORD Value.
  4. For the new DWORD value, type Database Size Limit in Gb.
  5. Double-click Database Size Limit in Gb. In Value data, type an appropriate value for maximum database size in GB (decimal value - less than 75). Click OK.

Also can be seen here:

Saturday, November 3, 2007

Adding a Vista PC to an NT 4 domain

1. Run SRVMGR.EXE on the PDC and add the computer name of the Vista PC.

2. On the Vista PC, run secpol.msc, then under Local Policies > Security Options change the following two settings:

- Domain member: Digitally encrypt or sign secure channel data (always) - change to disabled

- Network security: LAN Manager authentication level - change to "Send LM and NTLM - use NTLMv2 session security if negotiated"
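
Both changes lower settings that Vista ships with, so it helps to be able to find machines that still carry them. The following PowerShell function (an added example, not from the original post) reads the registry values behind the two policies and flags any that sit below the Vista default; the function name is a placeholder and the Vista defaults are assumed as the baseline.

```powershell
# Added example. Get-Nt4JoinDowngrade is a placeholder name; the baseline is
# assumed to be the Windows Vista default for each setting.
function Get-Nt4JoinDowngrade {
    # LmCompatibilityLevel 0..5, in the wording secpol.msc shows
    $lmLevels = @(
        'Send LM & NTLM responses',
        'Send LM & NTLM - use NTLMv2 session security if negotiated',
        'Send NTLM response only',
        'Send NTLMv2 response only',
        'Send NTLMv2 response only. Refuse LM',
        'Send NTLMv2 response only. Refuse LM & NTLM'
    )
    $checks = @(
        @{ Policy   = 'Domain member: Digitally encrypt or sign secure channel data (always)'
           Path     = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
           Name     = 'RequireSignOrSeal'
           Baseline = 1 },
        @{ Policy   = 'Network security: LAN Manager authentication level'
           Path     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
           Name     = 'LmCompatibilityLevel'
           Baseline = 3 }
    )
    foreach ($check in $checks) {
        # A missing value means the policy was never set, so the default applies.
        $item = Get-ItemProperty -Path $check.Path -Name $check.Name -ErrorAction SilentlyContinue
        $value = if ($item) { [int]$item.($check.Name) } else { $check.Baseline }
        if ($check.Name -eq 'LmCompatibilityLevel') { $meaning = $lmLevels[$value] }
        elseif ($value -eq 1) { $meaning = 'Enabled' }
        else { $meaning = 'Disabled' }
        New-Object PSObject -Property @{
            Policy   = $check.Policy
            Value    = $value
            Meaning  = $meaning
            Weakened = ($value -lt $check.Baseline)
        }
    }
}

# List only the settings that are below the baseline on this machine.
Get-Nt4JoinDowngrade | Where-Object { $_.Weakened }
```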

Thursday, November 1, 2007

Inserting sounds and media into PowerPoints

By default, all files over 100 KB are linked and not embedded. To increase the limit to greater than 100 KB:

Tools -> Options -> General Tab

You cannot embed MP3 files, only WAV, AU, and AIFF files.