The Intune Exchange Connector Workflow and Gotchas

Hello readers!

In this post I want to talk about some of the Intune on-premise Exchange Connector gotchas and how the communication flow works. 

What is the Exchange Connector?

The Intune Exchange Connector is a piece of software that you download from the Intune portal and install on your Exchange server. Specifically the CAS role if you still have seperated roles. Installation instructions can be found here.

https://docs.microsoft.com/en-us/intune/exchange-service-connector-configure

Please note that the section on the 'Service to Service' connector should be ignored. That feature is being deprecated and was honestly never needed in the first place.

I dont want to go over installation, the Microsoft document does a decent job of that and its fairly self explanatory. I do want to touch on the communication flow. It looks something like this,

For iOS, and Knox devices there are 2 routes. Either you install the company portal first, or you try to add an EAS account first. We will go over the adding an EAS account scenario.

1. End user adds thier EAS account to their mobile device
2. After some time the Intune connector will sync the EAS record up to Intune
3. If the EAS record gets synced up and there is no corresponding MDM record the Intune Connector will set the device from allowed to blocked
4. The end user will recieve an email asking them to enroll into Intune
5. The end user enrolls the device into Intune and creates an MDM record
6. The EAS record and MDM record merge to become a EAS/MDM record in the Intune console
7. The connector will do another sync and check that the record is merged. If so it will remove the device from blocked back to allow

Where this process gets tricky though is for non-Samsung Androids. For some reason, and this may change with Android Enterprise, when a regular Android device enrolls into Intune it does not report its Active-Sync ID. They way we get around this is by using the link in the email notification we receive on the device that says we've been blocked. This link contains our EAS ID and will communicate that to the Intune Service. Without this link our EAS record will never merge with the MDM record when enrolled.

This also makes it tricky to use any type of non native email client as these clients create their own EAS record but can never create an MDM record to match to. The MDM record is always owned by the device not by the email clients on it, if that makes sense. Long story short you have to use the native mail clients when doing this or you have to create an exception for certain platforms.

I will say it again, non-Samsung Android devices have to enroll via the email notification!!! Just going to the app store and getting the company portal app will not work. Enrolling using the app before you receive the email notification will not work.

Here is where the gotchas come in to play. There are two main ones that I want to cover. 

When setting up the connector it asks you to enter a notification account. You need to enable that and MAKE SURE THAT ACCOUNT HAS A MAILBOX!

Without a mailbox the end user will never receive the email asking them to enroll with the link that contains their EAS ID. 

Second gotcha is that this service relies heavily on the Autodiscover service. Very heavily. If your Autodiscover is not healthy then this process will fail. One specific example of this when working through this in my lab was that I did not have an internal DNS record for Autodiscover.rollerlabs.com. This is because internal Outlook clients do not use the DNS record to find AutoD, they use the internal URI that is set within Exchange. I never had a need for an actual internal DNS record before. 

The connector was reliant upon that to find the Exchange server, even though you specify in the connector what your server name is, it will still look at AutoD.

Once I added the internal AutoD record I was able to receive the enroll now email.

This is just an image pulled out of a search but it lets you see the format of the expected email. Please note that the activate/enroll email with link that contains your EAS ID is not the same as the email generated by the exchange server that tells you your device has been blocked. The activate link will come from the Notification account.

Hope this is helpful to someone out there. Is anyone still using Exchange on premise anymore? Hello? Bueller?

Exchange Online Certificate Based Authentication

Hey guys!


Today I want to build upon the last post surrounding Intune and certificate services. Once we get the certificates onto the devices the next step is to configure our services to accept certs as a form of authentication. 

I want to talk about configuring Exchange Online in this post and some caveats when setting that up. 

Per usual I dont want to spell out a guide for everyone. Those can be found in a multitude of places. There is a good one here.

https://blogs.technet.microsoft.com/messagingblogs/2017/02/16/certificate-based-authentication-o365/

What I do want to talk about are some of the gaps that this guide didnt cover. 

First thing is the intermediary. In a best practice PKI deployment you should have a Root and an Int certificate. I would publish both certificates and CRLs to Azure AD using the guide above. When you deploy the Int cert be sure you change the powershell from this

Get-AzureADTrustedCertificateAuthority

$Cert=Get-Content -Encoding byte "Location of Root CA CER file"

$New_CA=New-Object -TypeName Microsoft.Open.AzureAD.Model.CertificateAuthorityInformation

$New_CA.AuthorityType=0

$New_CA.TrustedCertificate=$Cert

$New_CA.crlDistributionPoint="CRL Distribution URL"

New-AzureADTrustedCertificateAuthority -CertificateAuthorityInformation $New_CA


To this "$New_CA.AuthorityType=1" this will specify the cert we upload as the Int.

I reccomend putting the Int cert on the devices we deploy as well as accepting it for authentication in AzureAD

The next little gotcha they don't mention is that ADFS certificate based auth goes over a different port. It goes over port 49443 so make sure you aren't blocking that port coming into the WAPS.

And last but not least make sure that you configure ADFS to accept cert based auth. In ADFS 2016 its a little checkbox under authentication types.

Exchange upgrades and forgotten servers

Hello Everyone! 

Got a guest post from a colleague of mine today. Erick Purkins is a Microsoft consultant out of the Houston Texas area and he did a write up of a recent issue he saw. Enjoy.

--------------------------------------------------------------------------------------

I just wanted to share an experience and issue with everyone this morning.

I am currently working with a customer to upgrade their Exchange 2010 infrastructure to Exchange 2016. During our discussions, we talked about correct service pack levels and OS’s required, etc. One thing I didn’t think to talk about was “FAILED EXCHANGE SERVERS”. Just curious if anyone brings this up?

This is important because during the installation of their first 2016 server I received a rather odd error.

It was the “Update-RmsSharedIdentity -ServerName $RoIeNetBIOSName was run: "Microsoft.ExchangeData.DataVaIidationException: Database is mandatory on UserMaiIbox.” That led me to the issue.

Apparently at one time or another they had an Exchange server go belly up. Instead of fixing the issue they turned it off and forgot about it, eventually having someone go in and remove the server through ADSI.

Now normally this wouldn’t have been much cause for alarm, but after reviewing the error message and a little google-fu I realized they had no arbitration mailboxes and this was what the error referred to.

• So How did I fix this issue?

First, I reviewed how to recreate Arbitration mailboxes. Something I have done before but not in a while.

https://social.technet.microsoft.com/wiki/contents/articles/5317.recreate-and-enable-missing-arbitration-user-accounts-and-mailboxes-in-exchange-server-2010.aspx

• OK seems easy, right? Wrong.

Since I had previously run the Exchange 2016 setup it had ran /prepareAD and updated the schema. So I could not run the Exchange 2010 SP3 with /PrepareAD to recreate the mailboxes.

• Where to next? I guess I’ll have to use the Exchange 2016 Media.

I hope you’ll never have to do this but with Setup.exe there is a /mode switch which you can use to remove a failed Exchange install. This is the only way, you cannot remove the install through add/remove programs. The command looks like this “Setup.exe /mode:uninstall /iacceptexchangeserverlicenseterms”  

Learn more at: https://technet.microsoft.com/library(EXCHG.150)/ms.exch.setupreadiness.InstallWatermark.aspx 

or use setup.exe /?

After successfully removing the Exchange installation I removed the AD objects associated with Arbitration mailboxes and re-run Setup.exe /prepareAD. All the correct mailboxes were recreated in the Default Users container as they are supposed to.

• Now it’s time to enable those mailboxes…

After recreating the mailboxes with the Exchange 2016 Media I followed what I would normally do and re-enable them through the shell. Okay new error, WTH? You mean to tell me I can only do this through the Exchange 2016 Shell, but I haven’t gotten a server even installed yet. Now we have a Chicken or the egg situation.

• Do we try and install Exchange 2016 again? You Feeling Lucky?

That was the only thing I could think of to do and the internet was no help with that question. So I ran setup again and prayed to the Microsoft gods while crossing everything and holding every lucky charm I could find.

Must have been the lucky rabbits foot, because this time around we were successful at installing Exchange 2016.

After rebooting the server all arbitration mailboxes appear on the new Exchange server.  

• Moral of the story

Talk to your customers about failed or improperly decommissioned servers. Double check your arbitration mailboxes prior to any upgrade. It may just save you a few hours of Google-fu. Also, always keep a lucky rabbits foot close at hand. 

Sites and Microsoft Exchange Active Directory Topology Service

Ran into a weird issue today. The services on my labs Exchange server stopped working. When you try to restart them they error out with the following.

Now checking the dependencies shows that most Microsoft Exchange Services rely on the Microsoft Exchange Active Directory Service. No problem I think so I go to start that service and then I get this error.

After searching for a while and not finding a solution that fixed my issue I began to retrace my steps of what I did in my environment from when Exchange was working and when it went down. One of the things I was doing was deploying an empty test site on my DC.

Now I dont know why an empty test site that was not linked to anything broke my service, but it did. Once I deleted this test site and the test link I was able to start the Microsoft Exchange Active Directoy Topology Service.

Who knew ¯\_(ツ)_/¯.