Error 456 for Exchange Online autodiscover

If some of your Office 365 users are receiving an error 456 when trying to connect to Exchange autodiscover, then multifactor authentication could be the culprit!

To see if your users are experiencing this issue, have them go to https://testconnectivity.microsoft.com and run the “Outlook Autodiscover” test using their own credentials. If the result is a failure, save the full results as HTML and search the saved document for “456”.

Specifically, you are looking for this error: –

An HTTP 456 Unauthorized response was received from the remote Unknown server. This indicates that the user may not have logged on for the first time, or the account may be locked. To logon, go to http://portal.microsoftonline.com.

This could mean that you have multifactor authentication “enforced” at the account level, rather than via specific scenarios such as those available for Conditional Access. As autodiscover does not know how to handle multifactor authentication, and the account itself has multifactor authentication enforced, the affected account cannot use the service.

The resolution is to disable multifactor authentication for the user at the account level, have them set it up again, and use Conditional Access rules to require multifactor authentication for the required services instead.
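One way to find the accounts in the “enforced” state before changing anything, as an added example that is not part of the original post. It assumes the MSOnline PowerShell module is installed and Connect-MsolService has already been run; the function names and the sample UPN are hypothetical.

```powershell
# Added example (not from the original post). Assumes the MSOnline module
# is installed and Connect-MsolService has already been run.

function Get-PerUserMfaState {
    # Hypothetical helper: per-user MFA state for one Get-MsolUser object.
    param([Parameter(Mandatory)] $User)
    # The collection is empty when per-user MFA is off; otherwise its State
    # is 'Enabled' or 'Enforced'.
    $state = $User.StrongAuthenticationRequirements.State
    if ($state) { @($state)[0] } else { 'Disabled' }
}

function Get-PerUserMfaReport {
    # One row per user with the account-level MFA state.
    Get-MsolUser -All | ForEach-Object {
        [pscustomobject]@{
            UserPrincipalName = $_.UserPrincipalName
            PerUserMfa        = Get-PerUserMfaState -User $_
        }
    }
}

function Disable-PerUserMfa {
    # Clears the account-level requirement for a single user. Supports
    # -WhatIf and prompts for confirmation because it changes MFA state.
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param([Parameter(Mandatory)][string] $UserPrincipalName)
    if ($PSCmdlet.ShouldProcess($UserPrincipalName, 'Clear per-user MFA requirement')) {
        Set-MsolUser -UserPrincipalName $UserPrincipalName -StrongAuthenticationRequirements @()
    }
}

# Accounts whose state is 'Enforced' are the candidates for the 456 error.
Get-PerUserMfaReport |
    Where-Object PerUserMfa -eq 'Enforced' |
    Sort-Object UserPrincipalName |
    Format-Table -AutoSize

# Review the list, then handle accounts one at a time, for example:
# Disable-PerUserMfa -UserPrincipalName 'user@example.com' -WhatIf
```

Checking that a Conditional Access policy requiring multifactor authentication already applies to the user before clearing the account-level setting avoids a window in which the account has no MFA requirement at all.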

OneDrive stuck forever “processing changes”

Seems like there are plenty of reports of OneDrive getting stuck in a “processing changes” state, and just as many suggestions on how to fix it.

The usual fixes, such as checking/resetting folder permissions, running onedrive.exe /reset, unlinking and relinking my account, etc. did not fix the issue in my case.

Turns out that for some reason it was getting stuck on some old temporary/lock files, which is surprising considering they are years old and didn’t seem to be causing my problems until today (although I did apply a large number of Windows Updates recently, after unpacking this computer from a box it had been in since I moved house).

To track down these files, I looked for the “syncing” icon on the folders and drilled down the directory tree until I was as far as I could go. The icon I mean, is this: –

Once I had located the folder that was hanging up OneDrive, I changed the Windows Explorer view settings to show me hidden and system files, and there I found my responsible ~filename.tmp file, that had the “syncing” icon next to it (without hidden and system files being shown, it looked like all of the other files were syncing, which made it confusing as to why that folder had the icon rather than a green tick).

In my case, the file was years old, so I wasn’t worried about data loss – I simply deleted it and OneDrive has since changed to “up to date”.

It’s also possible that the Office co-authoring settings might have been causing or contributing to the problem (see below for screenshot of that setting), but I didn’t want to play around with it in case I ended up with issues again.

If this doesn’t work for you, or you don’t have these files, check out this article on Windowsreport which covers a number of other scenarios and potential fixes.

Azure directory synchronisation fails with “Invalid namespace”

Issue

Azure directory synchronisation fails, and in the Application event log on the system running Azure directory synchronisation, an “Invalid namespace” message is registered.

Symptoms

In the “Directory Integration” section of Azure AD, the “Last sync” date is older than the last scheduled sync time. Additionally, an “Invalid namespace” message is registered in the Application event log on the system running Azure directory synchronisation software and the “Synchronization Service Manager” software (miisclient.exe) shows that the tasks are no longer running as per the history.

Cause

This is caused by the de-registration of the “MicrosoftIdentityIntegrationServer” WMI namespace.

Resolution

Re-register the WMI namespace by locating the mmswmi.mof file and executing the following command: –

mofcomp mmswmi.mof

How to quickly delete a folder when Windows says the path is too long

If you’ve ever had a folder that won’t delete because Windows says “the path is too long”, you’ve probably felt the frustration of trying many different methods in vain.

Luckily, if you’re running a modern version of Windows (which everyone should be), you’ll have robocopy, which can help you out in this case.

To delete that pesky folder, follow these steps: –

  • Create a new blank folder called whatever you like (for example, “DeleteMe”)
  • Open up a command prompt (depending on the folder you’re trying to delete, you may need to run as an administrator)
  • Run robocopy using the example below, assuming that the folder you are trying to delete is called “C:\PeskyFolder” and the blank folder you created is called “C:\DeleteMe”

robocopy "C:\DeleteMe" "C:\PeskyFolder" /e /mir

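The above command will “copy” everything out of “C:\DeleteMe” and “paste” it into “C:\PeskyFolder”, overwriting any existing contents. Because /mir also removes anything in the destination that does not exist in the source, mirroring an empty folder deletes the entire contents of “C:\PeskyFolder”.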

When it’s done, simply delete the folder itself.

OneDrive/SkyDrive not syncing

I had a recent issue where Microsoft’s OneDrive (formerly SkyDrive) was not syncing changes to their cloud. I noticed there was no Windows service that I could restart, so I just tried a PC restart to see what would happen.

In the system tray, hovering over the OneDrive icon shows that “OneDrive is starting…”, but never moved on from that state (still hours later). A manual sync didn’t seem to work, neither did cancelling and retrying the sync.

Here is the solution that worked for me to kick OneDrive into gear: –

  • As an Administrator, open a command prompt (Win + R, type cmd, and press CTRL + SHIFT + enter)
  • Run “skydrive /shutdown” (notice that internally the executable is still called “skydrive.exe”)
  • Notice that the system tray icon disappears (you may need to hover over it for it to disappear)
  • Run “skydrive”

The system tray icon should re-appear and this time, when hovering over it, it should tell you its sync progress.

Adding template information to a non-Windows CSR

If you’ve ever tried to issue a certificate from a Windows CA using a CSR that was generated on a non-Windows system, you’ve probably come across the following error: –

The request contains no certificate template information.

0x80094801 (-2146875391)

Denied by Policy Module 0x80094801, The request does not contain a certificate template extension or the CertificateTemplate request attribute.

This is because the Windows CA is expecting some additional information (the CertificateTemplate attribute) in the CSR, which non-Windows systems do not include.

Fortunately, you can add this information to an existing CSR file using the certreq.exe tool, by running the following command on your CA: –

certreq -submit -attrib "CertificateTemplate:WebServer" "mycsr.txt" "mycert.txt"

The parameter substitutions in the above command should be obvious, but to clarify, the “CertificateTemplate” value should name an existing certificate template that your CA is aware of (in many cases, this would just be “WebServer”), and mycsr.txt and mycert.txt are your input CSR file and output certificate file, respectively.

It’s also important to note that you need the appropriate permissions to issue certificates from your chosen certificate template. This includes running the command as an administrator if you have UAC enabled.
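A way to check whether a CSR already names a template before deciding how to submit it, as an added example that is not part of the original post. The function names and the template allowlist are hypothetical; the file names and the “WebServer” template are the sample values used above, and the check assumes the template extension OIDs appear in the text output of certutil -dump.

```powershell
# Added example (not from the original post). Run where certutil.exe and
# certreq.exe are available, for example on the CA itself.

# Extension OIDs a Windows-generated request uses to name its template.
$TemplateOids = @(
    '1.3.6.1.4.1.311.20.2',   # Certificate Template Name (version 1 templates)
    '1.3.6.1.4.1.311.21.7'    # Certificate Template Information (version 2+)
)
# Hypothetical allowlist: the only templates this script may request.
$AllowedTemplates = @('WebServer')

function Test-CsrHasTemplate {
    param([Parameter(Mandatory)][string] $CsrPath)
    # Assumption: certutil -dump prints each extension's OID in its output.
    $dump = & certutil.exe -dump $CsrPath 2>&1 | Out-String
    if ($LASTEXITCODE -ne 0) { throw "certutil could not parse '$CsrPath'" }
    foreach ($oid in $TemplateOids) {
        if ($dump.Contains($oid)) { return $true }
    }
    return $false
}

function Submit-Csr {
    param(
        [Parameter(Mandatory)][string] $CsrPath,
        [Parameter(Mandatory)][string] $CertPath,
        [string] $Template = 'WebServer'
    )
    if (Test-CsrHasTemplate -CsrPath $CsrPath) {
        # The request already names a template; submit it unchanged.
        & certreq.exe -submit $CsrPath $CertPath
    } elseif ($AllowedTemplates -contains $Template) {
        # No template in the request; supply it as a request attribute.
        & certreq.exe -submit -attrib "CertificateTemplate:$Template" $CsrPath $CertPath
    } else {
        throw "Template '$Template' is not in the allowlist"
    }
    if ($LASTEXITCODE -ne 0) { throw "certreq failed with exit code $LASTEXITCODE" }
}

Submit-Csr -CsrPath 'mycsr.txt' -CertPath 'mycert.txt' -Template 'WebServer'
```

Because the template is chosen by whoever submits the request, restricting the names a script will pass keeps an automated submission from requesting a more privileged template than intended.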

Troubleshooting MBAM 2.0 deployment

If you’ve deployed the MBAM 2.0 agent to a workstation, but it’s not prompting the logged-in user to encrypt their drive, there are a couple of things to note.

  • Check the “Reports” node in the MBAM web console – this will give you information as to the cause of the problem (under the “Compliance Status Details” column)
  • If the “Reports” node in the MBAM web console isn’t displaying the machine you’re looking for, you can lower the reporting threshold on the client and rebuild the database cache using the following steps: –
    1. Set HKLM\Software\Policies\Microsoft\FVE\MDOPBitLockerManagement\ClientWakeupFrequency and HKLM\Software\Policies\Microsoft\FVE\MDOPBitLockerManagement\StatusReportingFrequency both to “1” (this cannot be set lower than “90” via Group Policy)
    2. Set HKLM\Software\Microsoft\MBAM\NoStartupDelay to “0” (this key will probably not exist unless you’ve manually created it before – it should be a DWORD)
    3. Restart the MBAMAgent service on the client
    4. On the MBAM server, open SQL Management Studio, expand the “SQL Server Agent” node, expand “Jobs” and run the “CreateCache” job
    5. Refresh the MBAM web console and check out the “Reports” node to check the status of the machine
  • If the “Compliance Status Details” column contains “System Partition not available or large enough”, you will need to run the BitLocker drive preparation utility as follows: –
    • %windir%\System32\bdehdcfg.exe -target default -size 350
  • Be sure to restart the machine after running this utility and then follow the above steps again to force the client to report in and rebuild the database cache

Unable to access shares on a Windows Server 2012 machine

I wrote an article back in November last year about disabling Secure Negotiate on Windows 8 clients and Windows 2012 Servers when using third-party storage that doesn’t support this mechanism.

If you’ve applied the RequireSecureNegotiate registry key to your servers, you may find that you are unable to access shares on these servers and are getting errors such as “Access is denied” or “The specified network name is no longer available.”

Chances are, you need to ensure that this key has been set on all 2008/2012 machines in your environment to ensure that they are all communicating the same way.

Unable to open the Operations Manager 2012 SP1 console after restoring the database

Recently I restored the OperationsManager database for an Operations Manager 2012 SP1 environment. For background, the environment consists of two management servers and a database server, all running Windows Server 2012 and the database server also running SQL 2012.

The backup and restore was performed through the SQL Management Studio using disk-based backups to a .bak file. The restore was performed to a different location using mount points which split the user database, system database, temp database and logs onto different volumes.

Before the backup was performed, all Operations Manager related services were stopped on the management servers, and after the database was restored all services were started successfully. When trying to access the console, however, I received the following message: –

Execution of user code in the .NET Framework is disabled. Enable “clr enabled” …

Additionally, the following events were logged on the management servers: –

Event ID: 26319, Source: OpsMgr SDK Service

An exception was thrown while processing GetFoldersByCriteria for session ID uuid:bf0e0661-c7d6-4af4-9d0a-836bd398b5d0;id=5.

Exception message: The creator of this fault did not specify a Reason.

Full Exception: System.ServiceModel.FaultException`1[Microsoft.EnterpriseManagement.Common.UnknownDatabaseException]: The creator of this fault did not specify a Reason. (Fault Detail is equal to Execution of user code in the .NET Framework is disabled. Enable “clr enabled” configuration option.

Could not use view or function ‘dbo.fn_FoldersView’ because of binding errors.).

And…

Event ID: 33333, Source: DataAccessLayer

Data Access Layer rejected retry on SqlError:

Request: FoldersByCriteria — (LanguageCode1=ENU), (LanguageCode2=), (Id0=2e75d26b-7431-9af4-ee9d-456536676ba4)

Class: 16

Number: 4413

Message: Could not use view or function ‘dbo.fn_FoldersView’ because of binding errors.

Following the error message’s advice to enable “clr enabled”, I executed the following query on our Operations Manager database server: –

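-- Advanced options must be visible before 'clr enabled' can be changed

sp_configure 'Show advanced options', 1;

GO

RECONFIGURE;

GO

-- Allow user CLR code to run on this instance

sp_configure 'Clr enabled', 1;

GO

RECONFIGURE;

GO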

You should receive the following query output: –

Configuration option ‘show advanced options’ changed from 0 to 1. Run the RECONFIGURE statement to install.

Configuration option ‘clr enabled’ changed from 0 to 1. Run the RECONFIGURE statement to install.

Now you should be able to open your Operations Manager console!

The Windows Server Backup console crashes when trying to connect to another server

If you’re trying to remotely configure Windows Server Backup on another machine (maybe because it’s running Server Core), you may find that the MMC snap-in for Windows Server Backup crashes when trying to use the “Connect To Another Server…” option. In this case, an error may occur stating the MMC has detected an error in a snap-in and will unload it.

I have found that this may occur when only the Windows Server Backup console is installed, but not the Windows Server Backup feature itself (which the snap-in appears to rely on).

In order to resolve this, simply install the Windows Server Backup feature on the machine that you wish to run the Windows Server Backup console from.