Exchange Server Authentication Failure Bad GPO

Had an issue with Exchange 2016 CU14 not allowing users to login, but administrators could login just fine.

Turns out the policies on the server were corrupted, and a full reset needed to be done to fix the issue.

Move the Exchange computer account to an OU with Block Inheritance enabled

RUN: RD /S /Q "%WinDir%\System32\GroupPolicyUsers"
RUN: RD /S /Q "%WinDir%\System32\GroupPolicy"
RUN: GPupdate /force
RUN: secedit /configure /cfg %windir%\inf\defltbase.inf /db defltbase.sdb /verbose

TEST that you can connect to OWA, ECP and Outlook… it should work 🙂

Move your Exchange server back to its normal OU, then execute "gpupdate /force"

Confirm it still works, if not fix your Group Policies.

Maybe it's this problem?

1. Click on Start/Run, type secpol.msc.

2. Click OK.

3. Expand Local Policies -> Click on User Rights Assignment.

4. In the right pane double click "Access this computer from the network".

5. Click Add User or Group -> Type in Authenticated Users (by default only Administrators is entered).

6. Click OK -> Click OK.

That should do it. You may need to reboot.
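As an added example (not from the original post), the PowerShell below checks the same right the secpol.msc steps above set, and with -Reset performs the policy wipe from the first section only after confirming the computer's OU blocks inheritance. It assumes RSAT (the ActiveDirectory and GroupPolicy modules) is installed on the Exchange server and that it runs elevated.

```powershell
# Added example, not the post's own script: verify "Access this computer from the network"
# and optionally rebuild the local policy cache exactly as the post describes.
[CmdletBinding()]
param(
    [switch]$Reset,                          # actually delete the local policy cache and rebuild it
    [string]$ServerName = $env:COMPUTERNAME  # assumption: run on the Exchange server itself
)

function Test-NetworkLogonRight {
    # SeNetworkLogonRight = "Access this computer from the network"; S-1-5-11 = Authenticated Users
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -match '^SeNetworkLogonRight\s*=' }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return $false }        # right is assigned to nobody at all
    return ($line -match '\*S-1-5-11\b')     # SIDs are written as *S-1-5-11 in the exported .inf
}

if (Test-NetworkLogonRight) {
    Write-Host "OK: Authenticated Users hold 'Access this computer from the network'."
} else {
    Write-Warning "Authenticated Users are missing from SeNetworkLogonRight; normal users cannot log in to OWA/ECP."
}

if ($Reset) {
    Import-Module ActiveDirectory, GroupPolicy
    # Refuse to wipe the policy cache unless the computer sits in an OU that blocks inheritance,
    # otherwise gpupdate would simply re-apply the same broken domain policy.
    $dn = (Get-ADComputer $ServerName).DistinguishedName
    $ou = $dn -replace '^CN=[^,]+,', ''
    if (-not (Get-GPInheritance -Target $ou).GpoInheritanceBlocked) {
        throw "Move $ServerName to an OU with 'Block Inheritance' before running -Reset (current OU: $ou)"
    }
    Remove-Item "$env:WinDir\System32\GroupPolicyUsers" -Recurse -Force -ErrorAction SilentlyContinue
    Remove-Item "$env:WinDir\System32\GroupPolicy" -Recurse -Force -ErrorAction SilentlyContinue
    gpupdate /force
    secedit /configure /cfg "$env:WinDir\inf\defltbase.inf" /db defltbase.sdb /verbose
}
```

Run it once without -Reset first; if the check passes, the login failure is not this user-rights problem and the policy wipe is not needed.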

CentOS 7 Add Space LVM

First check whether you need to add a new virtual disk, or whether you can just increase the current virtual disk.

Log in to the VM and look at the output of this command:

fdisk -l

If you already have 4 separate partitions, you will need to add a new virtual disk. Otherwise you can increase the current disk's size, and we'll add a new LVM partition in the space that was added.

Make Linux Find the new space

You NEED to do this as the root user, so 'sudo su -'

If you expanded the existing disk

echo 1 > /sys/block/sda/device/rescan

If you added a new disk

ls /sys/class/scsi_host/

Depending on what your host is, adjust the next command as needed

echo "- - -" > /sys/class/scsi_host/host0/scan

Create the new Partition

Once the rescan is completed, verify you see the new disk, or the new size

fdisk -l

Now we will go into fdisk for the disk that needs the changes, either the free space on the original disk, or the new blank disk

fdisk /dev/sda

enter 'n' to create a new partition

enter 'p' for a primary partition

enter the partition number that is one higher than the current highest one

First cylinder should default to the first available one in the free space

Last cylinder should default to the last available one in the free space

Now you need to tell it what type of partition it is

enter 't'

enter the partition number you just created (eg 4)

the hex code for LVM is '8e'; you can verify that by entering 'L'

enter 'w' to write the configuration to the disk ('q' would quit without saving)

Rescan the partition table so Linux finds the changes

partprobe -s

Sometimes that doesn't work and you need to run

partx -v -a /dev/sda

Check your work

fdisk -l

You should now see an additional partition you just made (eg /dev/sda4)

Create the Physical Volume

Note, I'll be using /dev/sda4; be sure to use the correct partition you made

pvcreate /dev/sda4

You should see it was created. Now find out your Volume Group name


Now add the Physical volume to the Volume Group

vgextend cl /dev/sda4

Check your work


Now you can extend your Logical Volume (eg var) to use the space that's available on the new Physical Volume you added. Use lvdisplay to see what the name is.

lvextend /dev/cl/var /dev/sda4

Extend the File system

Assuming you're using XFS:

xfs_growfs /dev/mapper/cl-var

If you're using EXT:

resize2fs /dev/mapper/cl-var

Setup JIRA with Reverse Proxy with SSL on backend

It's really simple, but Atlassian make it sound more complicated than it needs to be.

First, you want to make the Tomcat process that Jira uses run only on a self-signed SSL cert, so all communication is encrypted.

Run this as root
/opt/atlassian/jira/jre/bin/keytool  -genkey -alias tomcat -keyalg RSA -validity 1095
When asked, set the password to “changeit” without quotes

This will make a .keystore file in root’s home directory.
Move it to where jira can get to it easily.
mv /root/.keystore /opt/atlassian/jira/

Make sure Jira is stopped.
Now it's time to edit the server.xml
nano /opt/atlassian/jira/conf/server.xml

Find the original port 8080 Connector section and comment it out by surrounding it in
<!--   -->

Create a New Connector

            <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
              maxHttpHeaderSize="8192" SSLEnabled="true"
              maxThreads="150" minSpareThreads="25"
              enableLookups="false" disableUploadTimeout="true"
              acceptCount="100" scheme="https" secure="true"
              proxyName="" proxyPort="443"
              clientAuth="false" sslProtocol="TLS" useBodyEncodingForURI="true"
              keystoreFile="/opt/atlassian/jira/.keystore" keystorePass="changeit" />
            <!-- keystoreFile is where the .keystore was moved above; keystorePass is the password given to keytool -->

Change your proxyName value to what it would be on your front end. Jira needs to know this so when it serves the page up it has correct links.

Start Jira and make sure there are no errors.

Check your server on https://ipaddress:8443 and make sure it serves the page correctly.
Then you can point your IIS or Apache proxy at https://ipaddress:8443 and serve it as needed.

Sharepoint Incoming Email

Start here:

1. Check that the document library and contact is set to allow from all senders (network scanners were not regarded as authenticated users)
2. Check the size limits on the SharePoint send connector (Exchange -> Hub Transport -> Send Connectors -> Properties -> Maximum message size (KB))
3. Check the size limits on SMTP receiver on SharePoint (IIS 6 Mgr -> Properties on SMTP Virtual Server -> Messages tab -> Limit message size, Limit session size)
4. Turn off SharePoint reading RTF documents from Exchange (Exchange -> Hub Transport -> Remote Domains -> Format of original message sent as attachment to journal report: -> Exchange rich-text format -> Never use)
5. Check for potential mail routing problems (Exchange -> Hub Transport -> Accepted Domains -> Add domain for INTERNAL RELAY) – we noticed a couple of times the scanned mail tried to go external through our mail gateway – this was the last 1% of our problems.

Tips from:

IIS 7.5 Hardening – A rating on SSL Labs

A basic .reg file is all you need.
This was tested on a Server 2008 R2 with all the latest patches.

This disables all old protocols (only TLS 1.0, 1.1 and 1.2 are enabled).
Be careful, as this will disable SSL 3.0, which is used by the previous standard SMTP:587, and you will need to migrate everyone to TLS SMTP, which can be set to any port you wish, but Exchange likes port 25 for TLS.

It's probably best to do this one step at a time, and reboot after each step to see what you may have broken (backup software, all web pages, SQL Server, SMTP, webmail, etc.).

First you need to configure all your protocols.
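As an added example (the post's own .reg file is not reproduced here), this PowerShell applies the same SCHANNEL settings the text describes, leaving only TLS 1.0, 1.1 and 1.2 enabled, and prints the resulting state so it can be compared before and after each reboot. The exact list of legacy protocols disabled is an assumption drawn from the text, and it must run elevated.

```powershell
# Added example, not the post's .reg file: write the SCHANNEL protocol keys and read them back.
$base    = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$disable = @('PCT 1.0', 'SSL 2.0', 'SSL 3.0')   # legacy protocols turned off (assumed list)
$enable  = @('TLS 1.0', 'TLS 1.1', 'TLS 1.2')   # what the post leaves enabled

function Set-SchannelProtocol {
    param([string]$Name, [bool]$Enabled)
    foreach ($side in 'Server', 'Client') {
        $key = Join-Path (Join-Path $base $Name) $side
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Enabled=0 switches the protocol off; DisabledByDefault=1 keeps it off for callers that do not ask for it explicitly
        New-ItemProperty -Path $key -Name 'Enabled' -PropertyType DWord -Value ([int]$Enabled) -Force | Out-Null
        New-ItemProperty -Path $key -Name 'DisabledByDefault' -PropertyType DWord -Value ([int](-not $Enabled)) -Force | Out-Null
    }
}

function Get-SchannelState {
    # One row per protocol and side, so the state can be diffed before and after a reboot
    Get-ChildItem $base -ErrorAction SilentlyContinue | ForEach-Object {
        $proto = $_.PSChildName
        foreach ($side in 'Server', 'Client') {
            $key = Join-Path $_.PSPath $side
            if (Test-Path $key) {
                $p = Get-ItemProperty $key
                [pscustomobject]@{ Protocol = $proto; Side = $side; Enabled = $p.Enabled; DisabledByDefault = $p.DisabledByDefault }
            }
        }
    }
}

$disable | ForEach-Object { Set-SchannelProtocol -Name $_ -Enabled $false }
$enable  | ForEach-Object { Set-SchannelProtocol -Name $_ -Enabled $true }
Get-SchannelState | Format-Table -AutoSize
```

Following the post's advice, disable one protocol per run and reboot in between, since SSL 3.0 in particular is what the legacy SMTP:587 clients mentioned above depend on.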