Error 456 for Exchange Online autodiscover

If some of your Office 365 users are receiving an error 456 when trying to connect to Exchange autodiscover, then multifactor authentication could be the culprit!

To see if your users are experiencing this issue, have them go to https://testconnectivity.microsoft.com and run the “Outlook Autodiscover” test using their own credentials. If the result is a failure, save the whole results to HTML and do a search for “456” in the saved HTML document.

Specifically, you are looking for this error: –

An HTTP 456 Unauthorized response was received from the remote Unknown server. This indicates that the user may not have logged on for the first time, or the account may be locked. To logon, go to http://portal.microsoftonline.com.

This can mean that you have multifactor authentication “enforced” at the account level (per-user MFA), rather than required for specific scenarios through Conditional Access. Autodiscover does not know how to handle multifactor authentication, so an account that has it enforced at the account level cannot use the service.

The resolution is to disable per-user multifactor authentication for the affected user, have them set it up again, and use Conditional Access rules instead to require multifactor authentication for the services that need it.

SMTP error from remote mail server after end of data: 550 Action not taken

Have you set up a new mail server and configured DKIM and SPF correctly, but still find that email forwarded to Gmail and other services is intermittently rejected with unhelpful messages like: –

SMTP error from remote mail server after end of data: 550 Action not taken

If that’s the case, you may need to set up a DNS PTR record for your mail server’s IP address. It appears that, depending on the circumstances of the forwarded email and the domain performing the forwarding, this step is crucial to ensure smooth email forwarding delivery.

Of course, you should ensure that the PTR record’s IP address and hostname match the server name and address that appear for your MTA in the SMTP headers.
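As an added check (not from the article), the following Python function performs the forward-confirmed reverse DNS test the paragraph describes: it takes the HELO name and connecting IP from a Received header, looks up the PTR record, and confirms that the PTR name resolves back to the same IP. The Received line, the 203.0.113.x addresses and the zone tables are constructed for an offline run; the default resolvers query live DNS.

```python
import re
import socket
from typing import Callable, List

# "from <HELO name> (<PTR name> [<IP>])" as Gmail and others write it; the PTR name is absent when none was found.
RECEIVED_RE = re.compile(r"from\s+(?P<helo>\S+)\s+\((?:(?P<ptr>[^\s\[]+)\s+)?\[(?P<ip>[^\]]+)\]\)")

def parse_received(line: str) -> dict:
    m = RECEIVED_RE.search(line)
    if m is None:
        raise ValueError("unrecognised Received header: " + line)
    return m.groupdict()

def check_fcrdns(ip: str, helo: str,
                 reverse: Callable[[str], str] = lambda a: socket.gethostbyaddr(a)[0],
                 forward: Callable[[str], List[str]] = lambda n: socket.gethostbyname_ex(n)[2]) -> List[str]:
    """Return the problems found; an empty list means the PTR, its forward record and the HELO name agree.
    The default resolvers query live DNS through the socket module."""
    problems: List[str] = []
    try:
        ptr_name = reverse(ip).rstrip(".").lower()
    except OSError:                     # socket.herror is an OSError
        return [f"no PTR record for {ip}"]
    if ptr_name != helo.rstrip(".").lower():
        problems.append(f"PTR {ptr_name} does not match HELO name {helo}")
    try:
        addrs = forward(ptr_name)
    except OSError:
        addrs = []
    if ip not in addrs:                 # forward-confirmed: the PTR name must point back at the IP
        problems.append(f"{ptr_name} does not resolve back to {ip}")
    return problems

def check_received_line(line: str, **resolvers) -> List[str]:
    """Check the sending host named in one Received header line."""
    r = parse_received(line)
    return check_fcrdns(r["ip"], r["helo"], **resolvers)

# Constructed zone data for an offline run (203.0.113.0/24 is reserved for documentation).
FAKE_PTR = {"203.0.113.5": "mail.yourforwardingdomain.com", "203.0.113.6": "vps-6.hosting.example"}
FAKE_A = {"mail.yourforwardingdomain.com": ["203.0.113.5"], "vps-6.hosting.example": ["203.0.113.6"]}

def fake_reverse(ip: str) -> str:
    if ip not in FAKE_PTR:
        raise OSError("NXDOMAIN")
    return FAKE_PTR[ip]

def fake_forward(name: str) -> List[str]:
    return FAKE_A.get(name, [])
```

Call check_received_line(line, reverse=fake_reverse, forward=fake_forward) on a constructed header to see each failure mode; leave the resolvers at their defaults to check a live server.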

Update 31st Oct 2018:

Since writing this article a few days ago, I encountered some further issues with reliable mail delivery, specifically through Exim on cPanel.

Normally, when configuring forwarding, you should also enable SRS (Sender Rewriting Scheme), which rewrites the envelope sender address (the smtp.mailfrom value shown below) so that the receiving MTA can tell the email has been forwarded and “signed” by the forwarding MTA (in my case, Exim on a cPanel/CentOS installation).

While this was enabled in the Exim config, I did not realise that it wasn’t actually operating correctly.

Below is what you SHOULD see when SRS is operating correctly (forwarding to a Gmail account): –

Received-SPF: pass (google.com: domain of srs0=lu0ygv=nl=senderoriginaldomain.com=senderfirstpartemail@yourforwardingdomain.com designates <your MTA IP> as permitted sender) client-ip=<your MTA IP>;
Authentication-Results: mx.google.com;
dkim=pass header.i=@yourforwardingdomain.com header.s=default header.b=HnochmZG;
dkim=pass header.i=@senderoriginaldomain.com header.s=default header.b=C8B9JAt8;
spf=pass (google.com: domain of srs0=lu0ygv=nl=senderoriginaldomain.com=senderfirstpartemail@yourforwardingdomain designates <your MTA IP> as permitted sender) smtp.mailfrom=”SRS0=Lu0yGv=NL=senderoriginaldomain=senderfirstpartemail@yourforwardingdomain.com”;

Here’s what it looks like WITHOUT SRS (again, forwarding to a Gmail account): –

Received-SPF: fail (google.com: domain of senderfirstpartemail@senderoriginaldomain.com does not designate <your MTA IP> as permitted sender) client-ip=<your MTA IP>;
Authentication-Results: mx.google.com;
spf=fail (google.com: domain of senderfirstpartemail@senderoriginaldomain.com does not designate <your MTA IP> as permitted sender) smtp.mailfrom=senderfirstpartemail@senderoriginaldomain.com;
dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=senderoriginaldomain.com

As you can see, in the SRS example, the sender information is modified to include information about the forwarding domain (i.e. your domain) so that it is clear that your MTA is not trying to forge or spoof the original sender’s domain.

In my case, SRS was turned on properly; however, it seems that the cPanel archiving functionality was somehow breaking it on the version of cPanel that I was running. As a workaround, I will be disabling email archiving to ensure that SRS is applied to my forwarded messages, and applying any cPanel updates as they are released in the hope that they resolve the issue.
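To make the rewriting concrete, here is an added Python example (not part of the article, and not Exim’s or cPanel’s code) that decodes the SRS0 layout seen in the headers above, recovers the original sender, and builds or verifies such an address. The hash (four base64 characters of an HMAC-SHA1) and the timestamp string are assumptions modelled on the original SRS proposal, so the values will not match Exim’s byte for byte; the layout is what the headers show.

```python
import base64
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional

# Layout of a rewritten envelope sender, as in the headers above:
#   SRS0=<hash>=<timestamp>=<original domain>=<original local part>@<forwarding domain>
# The hash (4 base64 chars of an HMAC-SHA1) and the timestamp string are assumptions
# modelled on the original SRS proposal; Exim's own values differ in detail.

@dataclass
class SrsAddress:
    hash: str
    timestamp: str
    orig_local: str
    orig_domain: str
    forwarder: str

    @property
    def original_sender(self) -> str:
        return f"{self.orig_local}@{self.orig_domain}"

def parse_srs0(address: str) -> Optional[SrsAddress]:
    """Decode an SRS0 address; None if the address was not rewritten."""
    local, _, forwarder = address.rpartition("@")
    parts = local.split("=", 4)   # ['SRS0', hash, ts, domain, local part (may itself contain '=')]
    if len(parts) != 5 or parts[0].upper() != "SRS0":
        return None
    _, h, ts, domain, orig_local = parts
    return SrsAddress(h, ts, orig_local, domain, forwarder)

def _srs_hash(secret: bytes, timestamp: str, domain: str, local: str) -> str:
    data = (timestamp + domain + local).lower().encode()   # lower-cased: relays may fold case
    return base64.b64encode(hmac.new(secret, data, hashlib.sha1).digest()).decode()[:4]

def rewrite_sender(sender: str, forwarder: str, secret: bytes, timestamp: str) -> str:
    """Rewrite sender so the envelope domain is forwarder and SPF at the next hop checks our MTA."""
    local, _, domain = sender.rpartition("@")
    h = _srs_hash(secret, timestamp, domain, local)
    return f"SRS0={h}={timestamp}={domain}={local}@{forwarder}"

def verify_srs0(address: str, secret: bytes) -> Optional[str]:
    """Return the original sender when the hash is ours (so a bounce can be routed back), else None."""
    srs = parse_srs0(address)
    if srs is None:
        return None
    expected = _srs_hash(secret, srs.timestamp, srs.orig_domain, srs.orig_local)
    return srs.original_sender if hmac.compare_digest(expected.lower().encode(), srs.hash.lower().encode()) else None
```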

Final Update 3rd November 2018:

Further to my last update, it seems that I had another factor contributing to this issue – Namecheap (my previous provider) had been intercepting my SMTP traffic through the use of a transparent SMTP proxy of some description (they were not forthcoming with information).

It seems that this was also causing mail delivery issues that were causing the likes of Gmail and Microsoft to return 550 back to my server after transmitting messages.

After unsuccessfully attempting to persuade Namecheap to allow me to bypass this technology, I have moved to a new VPS provider and my emails are again being delivered perfectly.

OneDrive stuck forever “processing changes”

Seems like there are plenty of reports of OneDrive getting stuck in a “processing changes” state, and just as many suggestions on how to fix it.

The usual fixes, such as checking/resetting folder permissions, running onedrive.exe /reset, unlinking and relinking my account, etc. did not fix the issue in my case.

Turns out that for some reason it was getting stuck on some old temporary/lock files, which is surprising considering they are years old and didn’t seem to be causing my problems until today (although I did apply a large number of Windows Updates recently, after unpacking this computer from a box it had been in since I moved house).

To track down these files, I looked for the “syncing” icon on the folders and drilled down the directory tree as far as I could go. The icon I mean is this: –

Once I had located the folder that was hanging up OneDrive, I changed the Windows Explorer view settings to show me hidden and system files, and there I found my responsible ~filename.tmp file, that had the “syncing” icon next to it (without hidden and system files being shown, it looked like all of the other files were syncing, which made it confusing as to why that folder had the icon rather than a green tick).

In my case, the file was years old, so I wasn’t worried about data loss – I simply deleted it and OneDrive has since changed to “up to date”.

It’s also possible that the Office co-authoring settings might have been causing or contributing to the problem (see below for screenshot of that setting), but I didn’t want to play around with it in case I ended up with issues again.

If this doesn’t work for you, or you don’t have these files, check out this article on Windowsreport which covers a number of other scenarios and potential fixes.

Example Arduino code for debouncing and long pressing buttons

I’ve recently been playing around with Arduino, and put together a code snippet that I am running on an ESP8266 WiFi module.

It’s very basic, and just registers button presses of more than 50ms, but less than 5000ms as a normal/short press, and anything over 5000ms as a long press.

This can be handy when you have a limited number of buttons (e.g. only one) and you want to provide different options for using that button (short press and long press) and also want to ensure that the button is debounced (electrical “noise” is filtered out to avoid spurious button presses being registered).

Below is the code, which can be adapted to suit your purpose.

const int buttonPin = 0; // input button pin number (GPIO0 on the ESP8266)
const unsigned long longPressThreshold = 5000; // the threshold (in milliseconds) before a long press is detected
const unsigned long debounceThreshold = 50; // the threshold (in milliseconds) for a button press to be confirmed (i.e. not "noise")

unsigned long buttonTimer = 0; // stores the time (millis() since boot) at which the button was pressed
unsigned long buttonPressDuration = 0; // stores the duration (in milliseconds) that the button has been pressed/held down for

bool buttonActive = false; // indicates if the button is active/pressed
bool longPressActive = false; // indicates if the button has been long-pressed

void setup()
{
  // set the button pin as an input; INPUT assumes the line is pulled up externally
  // (use INPUT_PULLUP instead if your board has no pull-up on this pin)
  pinMode(buttonPin, INPUT);

  // Start serial debugging
  Serial.begin(115200);
  Serial.println();
  Serial.println("Serial debugging started");
}

void loop()
{
  // if the button pin reads LOW, the button is pressed (negative/ground switch)
  if (digitalRead(buttonPin) == LOW)
  {
    // mark the button as active, and start the timer
    if (!buttonActive)
    {
      buttonActive = true;
      buttonTimer = millis();
    }

    // calculate how long the button has been held by subtracting the press time from the current time
    // (unsigned subtraction stays correct when millis() wraps after about 49 days)
    buttonPressDuration = millis() - buttonTimer;

    // mark the button as long-pressed (reported once) if the press duration exceeds the long press threshold
    if ((buttonPressDuration > longPressThreshold) && !longPressActive)
    {
      longPressActive = true;
      Serial.print("Long press detected: ");
      Serial.println(buttonPressDuration);
    }
  }

  // button either hasn't been pressed, or has been released
  else
  {
    // if the button was marked as active, it was recently pressed and has now been released
    if (buttonActive)
    {
      // a long press was already reported while the button was held, so just reset that state
      if (longPressActive)
      {
        longPressActive = false;
      }

      // otherwise we either need to debounce the press (noise) or register a normal/short press
      else
      {
        // if the button press duration exceeds our bounce threshold, then we register a short press
        if (buttonPressDuration > debounceThreshold)
        {
          Serial.print("Short press detected: ");
          Serial.println(buttonPressDuration);
        }

        // if the button press is shorter than our bounce threshold, we debounce (i.e. ignore as noise)
        else
        {
          Serial.print("Debounced: ");
          Serial.println(buttonPressDuration);
        }
      }

      // reset the button active status
      buttonActive = false;
    }
  }
}
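As an added example (not from the article), here is a host-side Python model of the sketch’s state machine: it replays a constructed (time, pressed) trace so you can see which presses are debounced, short or long without the hardware, and it keeps the unsigned wrap-around of millis() that the sketch relies on, so the behaviour across the 49-day rollover can be checked too. The thresholds default to the sketch’s 50 ms and 5000 ms.

```python
from enum import Enum
from typing import Iterable, List, Optional, Tuple

class Press(Enum):
    DEBOUNCED = "debounced"   # shorter than the debounce threshold: treated as noise
    SHORT = "short"           # between the two thresholds, reported on release
    LONG = "long"             # over the long-press threshold, reported once while still held

class Button:
    """One call to poll() is one pass of the sketch's loop(); times are millis() values."""

    def __init__(self, debounce_ms: int = 50, long_press_ms: int = 5000) -> None:
        self.debounce_ms, self.long_press_ms = debounce_ms, long_press_ms
        self.active = False        # buttonActive
        self.long_active = False   # longPressActive
        self.pressed_at = 0        # buttonTimer
        self.held_ms = 0           # buttonPressDuration

    def poll(self, pressed: bool, now_ms: int) -> Optional[Press]:
        if pressed:
            if not self.active:                         # press edge: start the timer
                self.active, self.pressed_at = True, now_ms
            self.held_ms = (now_ms - self.pressed_at) & 0xFFFFFFFF   # unsigned long: millis() wraps at 2**32
            if self.held_ms > self.long_press_ms and not self.long_active:
                self.long_active = True
                return Press.LONG
            return None
        if not self.active:                             # idle
            return None
        self.active = False                             # release edge
        if self.long_active:                            # already reported while held
            self.long_active = False
            return None
        return Press.SHORT if self.held_ms > self.debounce_ms else Press.DEBOUNCED

def replay(samples: Iterable[Tuple[int, bool]], **thresholds) -> List[Tuple[int, Press]]:
    """Feed a (time_ms, pressed) trace through the state machine and return the events it raised."""
    button = Button(**thresholds)
    events = []
    for t, pressed in samples:
        ev = button.poll(pressed, t)
        if ev is not None:
            events.append((t, ev))
    return events

# Constructed trace: a 20 ms glitch, a 200 ms press, then the button held for over six seconds.
SAMPLE_TRACE = [(0, True), (10, True), (20, False),
                (100, True), (200, True), (300, False),
                (1000, True), (3000, True), (6500, True), (7000, True), (7100, False)]
```

replay(SAMPLE_TRACE) yields one debounced, one short and one long event; pass long_press_ms= or debounce_ms= to replay() to try other thresholds against the same trace.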

Azure directory synchronisation fails with “Invalid namespace”

Issue

Azure directory synchronisation fails, and in the Application event log on the system running Azure directory synchronisation, an “Invalid namespace” message is registered.

Symptoms

In the “Directory Integration” section of Azure AD, the “Last sync” date is older than the last scheduled sync time. Additionally, an “Invalid namespace” message is registered in the Application event log on the system running Azure directory synchronisation software and the “Synchronization Service Manager” software (miisclient.exe) shows that the tasks are no longer running as per the history.

Cause

This is caused by the de-registration of the “MicrosoftIdentityIntegrationServer” WMI namespace.

Resolution

Re-register the WMI namespace by locating the mmswmi.mof file and executing the following command: –

mofcomp mmswmi.mof

How to quickly delete a folder when Windows says the path is too long

If you’ve ever had a folder that won’t delete because Windows says “the path is too long”, you’ve probably felt the frustration of trying many different methods in vain.

Luckily, if you’re running a modern version of Windows (which everyone should be), you’ll have robocopy, which can help you out in this case.

To delete that pesky folder, follow these steps: –

  • Create a new blank folder called whatever you like (for example, “DeleteMe”)
  • Open up a command prompt (depending on the folder you’re trying to delete, you may need to run as an administrator)
  • Run robocopy using the example below, assuming that the folder you are trying to delete is called “C:\PeskyFolder” and the blank folder you created is called “C:\DeleteMe”

robocopy "C:\DeleteMe" "C:\PeskyFolder" /e /mir

The above command “copies” everything out of “C:\DeleteMe” and “pastes” it into “C:\PeskyFolder”, overwriting any existing contents, which in this case deletes the entire contents of the folder (/mir mirrors the source, so anything in the destination that is not in the empty source is removed).

When it’s done, simply delete the folder itself.

OneDrive/SkyDrive not syncing

I had a recent issue where Microsoft’s OneDrive (formerly SkyDrive) was not syncing changes to their cloud. I noticed there was no Windows service that I could restart, so I just tried a PC restart to see what would happen.

In the system tray, hovering over the OneDrive icon shows that “OneDrive is starting…”, but never moved on from that state (still hours later). A manual sync didn’t seem to work, neither did cancelling and retrying the sync.

Here is the solution that worked for me to kick OneDrive into gear: –

  • As an Administrator, open a command prompt (Win + R, type cmd, and press CTRL + SHIFT + enter)
  • Run “skydrive /shutdown” (notice that internally the executable is still called “skydrive.exe”)
  • Notice that the system tray icon disappears (you may need to hover over it for it to disappear)
  • Run “skydrive”

The system tray icon should re-appear, and this time when hovering over it, it should tell you its sync progress.

Adding template information to a non-Windows CSR

If you’ve ever tried to issue a certificate from a Windows CA using a CSR that was generated on a non-Windows system, you’ve probably come across the following error: –

The request contains no certificate template information.

0x80094801 (-2146875391)

Denied by Policy Module 0x80094801, The request does not contain a certificate template extension of the CertificateTemplate request attribute.

This is because the Windows CA is expecting some additional information (the CertificateTemplate attribute) in the CSR, which non-Windows systems do not include.

Fortunately, you can add this information to an existing CSR file using the certreq.exe tool, by running the following command on your CA: –

certreq -submit -attrib "CertificateTemplate:WebServer" "mycsr.txt" "mycert.txt"

The parameter substitutions in the above command should be obvious, but to clarify: “CertificateTemplate” should name an existing certificate template that your CA is aware of (in many cases this is simply “WebServer”), and mycsr.txt and mycert.txt are your input CSR file and output certificate file, respectively.

It’s also important to note that you need the appropriate permissions to issue certificates from your chosen certificate template. This includes running the command as an administrator if you have UAC enabled.

Troubleshooting MBAM 2.0 deployment

If you’ve deployed the MBAM 2.0 agent to a workstation, but it’s not prompting the logged in user to encrypt their drive, there are a couple of things to note.

  • Check the “Reports” node in the MBAM web console – this will give you information as to the cause of the problem (under the “Compliance Status Details” column)
  • If the “Reports” node in the MBAM web console isn’t displaying the machine you’re looking for, you can lower the reporting threshold on the client and rebuild the database cache using the following steps: –
    1. Set HKLM\Software\Policies\Microsoft\FVE\MDOPBitLockerManagement\ClientWakeupFrequency and HKLM\Software\Policies\Microsoft\FVE\MDOPBitLockerManagement\StatusReportingFrequency both to “1” (this cannot be set lower than “90” via Group Policy)
    2. Set HKLM\Software\Microsoft\MBAM\NoStartupDelay to “0” (this key will probably not exist unless you’ve manually created it before – it should be a DWORD)
    3. Restart the MBAMAgent service on the client
    4. On the MBAM server, open SQL Management Studio, expand the “SQL Server Agent” node, expand “Jobs” and run the “CreateCache” job
    5. Refresh the MBAM web console and check the “Reports” node for the status of the machine
  • If the “Compliance Status Details” column contains “System Partition not available or large enough”, you will need to run the BitLocker drive preparation utility as follows: –
    • %windir%\System32\bdehdcfg.exe -target default -size 350
  • Be sure to restart the machine after running this utility and then follow the above steps again to force the client to report in and rebuild the database cache

Unable to access shares on a Windows Server 2012 machine

I wrote an article back in November last year about disabling Secure Negotiate on Windows 8 clients and Windows 2012 Servers when using third-party storage that doesn’t support this mechanism.

If you’ve implemented the RequireSecureNegotiate registry key on your servers, you may find that you are unable to access shares on these servers and get errors such as “Access is denied” or “The specified network name is no longer available.”

Chances are, you need to ensure that this key has been set on all 2008/2012 machines in your environment to ensure that they are all communicating the same way.