
We moved!
Hi dear reader,
The new WP website is here :
http://www.makak.ch
Here is a precise list of what is on S4B Updates.
Latest Skype for business update download :
http://www.microsoft.com/en-us/download/details.aspx?id=48865
Do not forget to run the Install-CsDatabase cmdlet!
Cumulative Update | S4B Server Version | Date Released | Associated KB | Security bulletin | Updates | Server to Apply | Resolutions
RTM | 6.0.9319.0 | RTM | NA | | | All S4B Servers |
CU 1 | 6.0.9319.55 | June 2015 | 3061059 | | | All S4B Servers |
CU 2 | 6.0.9319.72 | September 2015 | 3061064 | MS15-104 | Core Components, UCMA 5.0, Front End Server and Edge Server, Conferencing Server, Web Components Server, Web Conferencing Server, Mediation Server, Call Park Service, Backup Service, Central Management Server, Windows Fabric, Bandwidth Policy Service, Conferencing Attendant, Response Group Service | All S4B Servers | Windows 10 users who use Edge can't join a meeting from Skype for Business Web App.
Here are a few prerequisites needed for each Skype for Business server installation:
ON EACH SERVER
Windows PowerShell 3.0 Download
Microsoft .NET Framework 4.5 Download
Windows Identity Foundation
Remote Server Administration Tools
FRONTEND SERVER
Add-WindowsFeature RSAT-ADDS, Web-Server, Web-Static-Content, Web-Default-Doc, Web-Http-Errors, Web-Asp-Net, Web-Net-Ext, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Http-Logging, Web-Log-Libraries, Web-Request-Monitor, Web-Http-Tracing, Web-Basic-Auth, Web-Windows-Auth, Web-Client-Auth, Web-Filtering, Web-Stat-Compression, Web-Dyn-Compression, NET-WCF-HTTP-Activation45, Web-Asp-Net45, Web-Mgmt-Tools, Web-Scripting-Tools, Web-Mgmt-Compat, Desktop-Experience, Telnet-Client
DIRECTOR SERVER
Add-WindowsFeature RSAT-ADDS, Web-Server, Web-Static-Content, Web-Default-Doc, Web-Http-Errors, Web-Asp-Net, Web-Net-Ext, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Http-Logging, Web-Log-Libraries, Web-Request-Monitor, Web-Http-Tracing, Web-Basic-Auth, Web-Windows-Auth, Web-Client-Auth, Web-Filtering, Web-Stat-Compression, NET-WCF-HTTP-Activation45, Web-Asp-Net45, Web-Scripting-Tools, Web-Mgmt-Compat, Desktop-Experience, Telnet-Client
PERSISTENT CHAT SERVER
Add-WindowsFeature MSMQ
I will try to give the key points you must accomplish to configure your Netscaler. KCD (Kerberos Constrained Delegation) lets the Netscaler authenticate your user through a service account that obtains a TGT. This TGT is then used for SSO, to authenticate the user to the backend server (e.g. Exchange or a web server).
Prepare Netscaler and Service Account
Before you start the configuration, some prerequisites must be in place:
The service account must be correctly configured.
Create your service account like a normal user with the Active Directory tools. Once the user exists, you must configure its SPN and generate a keytab file. This keytab file is then uploaded to the Netscaler. This is the simplest way to set up KCD on the Netscaler.
A script like this (.bat) can be generated by the Netscaler in the KCD tab:
@echo off
set kcdusername=myusername
set kcdpassword=mypassword
echo %kcdusername%
ktpass -out c:\temp\my.keytab /princ HTTP/myservice.mydomain.local /pass %kcdpassword% /mapuser MYDOMAIN\%kcdusername% /ptype KRB5_NT_PRINCIPAL
Once you have this script, run it from a CMD prompt on your Domain Controller with sufficient rights to launch it and configure the service account.
You can check right after that the configuration is correct.
On the second capture, you must add both HOST and HTTP (HOST is clearly not mandatory if you only use HTTP).
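As an added example (not part of the original post), this PowerShell function audits the service account after the ktpass script has run: the SPN from /princ, the HTTP and HOST delegation entries from the "second capture", and the protocol-transition flag KCD needs. It assumes the RSAT ActiveDirectory module and uses the post's placeholder names (myusername, HTTP/myservice.mydomain.local, myserver.mydomain.com).

```powershell
# Added example, not the post's own code. Requires the ActiveDirectory module.
function Test-KcdServiceAccount {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,   # e.g. myusername
        [Parameter(Mandatory)][string]$ExpectedSpn,      # e.g. HTTP/myservice.mydomain.local
        [Parameter(Mandatory)][string]$BackendFqdn       # e.g. myserver.mydomain.com
    )
    $props = 'servicePrincipalName', 'msDS-AllowedToDelegateTo', 'TrustedToAuthForDelegation'
    $acct  = Get-ADUser -Identity $SamAccountName -Properties $props

    $spns  = @($acct.servicePrincipalName)
    $deleg = @($acct.'msDS-AllowedToDelegateTo')

    [pscustomobject]@{
        Account            = $acct.SamAccountName
        # The principal given to ktpass /princ must be an SPN of this account
        # (add it with setspn if it is missing), otherwise the keytab is useless.
        SpnRegistered      = $spns -contains $ExpectedSpn
        # The "second capture": the backend must be listed with HTTP, and HOST
        # if you rely on it, in the account's delegation list.
        DelegatesHttp      = $deleg -contains "HTTP/$BackendFqdn"
        DelegatesHost      = $deleg -contains "HOST/$BackendFqdn"
        # "Use any authentication protocol": needed because the Netscaler
        # authenticates the user with LDAP, not Kerberos (protocol transition).
        ProtocolTransition = [bool]$acct.TrustedToAuthForDelegation
        # Every extra target here is a service this account may impersonate
        # users to, so the list should contain only the published backends.
        DelegationTargets  = $deleg
    }
}

Test-KcdServiceAccount -SamAccountName 'myusername' `
    -ExpectedSpn 'HTTP/myservice.mydomain.local' -BackendFqdn 'myserver.mydomain.com'
```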
Setup KCD into the Netscaler
After you configure the KCD account in your LDAP, you must configure the AAA vserver. For this, follow these steps:
1 – Add the KCD account to the Netscaler
2 – Create a session policy (or a traffic policy bound globally)
First, set up the profile.
Second, set up the policies:
3 – Configure your AAA vServer. In my example I use the same one I used for LDAP authentication, so you just need to add your session profile.
4 – Traffic policies: you must bind them globally, but be aware of the priority and of what you apply them to; use a regular expression!
You can use the following expression to match the URL:
HTTP.REQ.HOSTNAME.CONTAINS("myserver.mydomain.com")
Third, configure your load balancing server.
Not much to know here (bind your AAA vserver to your vServer). The only thing you need to be careful about:
When you create the server, use the FQDN and not the IP address! Otherwise you can get this kind of problem and be unable to connect to your backend server after LDAP authentication:
Tue Apr 28 08:37:29 2015 nskrb.c[1239]: ns_kgetcred cache file /var/krb/tgs_test_MYDOMAIN_LOCAL_10.10.10.100_mydomain.local does not exist
Tue Apr 28 08:37:30 2015 nskrb.c[1299]: ns_kgetcred krb5_get_creds returned -1765328371, svcname HTTP/10.10.10.100@MYDOMAIN.LOCAL, impersonate str NULL, deleg /var/krb/s4u_test_MYDOMAIN.LOCAL_myserver.mydomain.com_MYDOMAIN.LOCAL outcache /var/krb/tgs_test_MYDOMAIN.LOCAL_10.10.10.100_MYDOMAIN.LOCAL
Tue Apr 28 08:37:30 2015 nskrb.c[1301]: ns_kgetcred krb5_get_creds returned -1765328371
Troubleshooting
Two things to know when troubleshooting KCD on the Netscaler.
First, LDAP is used as the primary authentication, so you can troubleshoot it with this command (in an SSH session on your active Netscaler):
shell cat /tmp/aaaa.debug
Second, if LDAP seems to work but nothing happens as expected, try the following command; it is a special file for troubleshooting Kerberos:
shell cat /tmp/nskrb.debug
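As an added example (not from the original post), this PowerShell function classifies the ns_kgetcred failures in a saved copy of /tmp/nskrb.debug and flags the IP-address-instead-of-FQDN mistake described above. The sample lines are constructed from the output quoted in the post; the error-code names are the standard MIT krb5 values.

```powershell
# Added example, not the post's own code. Parses saved nskrb.debug lines.
function Get-NskrbFailure {
    param([Parameter(Mandatory)][string[]]$Lines)

    # krb5 error codes are printed as signed decimals; copied logs often carry
    # an en dash instead of a minus sign, so both are accepted.
    $re = 'ns_kgetcred krb5_get_creds returned (?<code>[-\u2013]?\d+)(?:, svcname (?<svc>[^\s,]+))?'
    $known = @{
        '-1765328371' = 'KRB5KDC_ERR_BADOPTION: the KDC refused the delegated (S4U2Proxy) ticket request'
        '-1765328377' = 'KRB5KDC_ERR_S_PRINCIPAL_UNKNOWN: no account holds that SPN'
    }

    foreach ($line in $Lines) {
        if ($line -match $re) {
            $code = $Matches.code -replace '\u2013', '-'
            $svc  = $Matches.svc
            $svcHost = $null
            if ($svc) { $svcHost = ($svc -split '/')[1] -replace '@.*$', '' }
            # An IPv4 literal as service host means the load balancing server was
            # created by IP: the Netscaler then asks for HTTP/<ip>, an SPN that no
            # account holds and that is not in the KCD account's delegation list.
            $ipLiteral = [bool]($svcHost -match '^\d{1,3}(\.\d{1,3}){3}$')
            $hint = $null
            if ($ipLiteral) { $hint = 'recreate the server with its FQDN, not its IP address' }
            elseif ($svcHost) { $hint = 'check the SPN and the delegation list of the KCD account' }
            $meaning = 'unknown krb5 error'
            if ($known.ContainsKey($code)) { $meaning = $known[$code] }
            [pscustomobject]@{
                Code        = $code
                Meaning     = $meaning
                Service     = $svc
                ServiceHost = $svcHost
                IpLiteral   = $ipLiteral
                Hint        = $hint
            }
        }
    }
}

# Constructed sample, modelled on the output quoted in the post
$sample = @(
    'Tue Apr 28 08:37:29 2015 nskrb.c[1239]: ns_kgetcred cache file /var/krb/tgs_test_MYDOMAIN_LOCAL_10.10.10.100_mydomain.local does not exist',
    'Tue Apr 28 08:37:30 2015 nskrb.c[1299]: ns_kgetcred krb5_get_creds returned -1765328371, svcname HTTP/10.10.10.100@MYDOMAIN.LOCAL, impersonate str NULL',
    'Tue Apr 28 08:37:30 2015 nskrb.c[1301]: ns_kgetcred krb5_get_creds returned –1765328371'
)
Get-NskrbFailure -Lines $sample | Format-Table Code, IpLiteral, ServiceHost, Hint -AutoSize
```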
Implementing a Netscaler can sometimes be a bit technical. If you add strong authentication needs with a second factor, you have a nice challenge!
To deploy strong authentication by certificate via Netscaler, you first need to ask yourself the right questions, in order to avoid losing time and to get the necessary details at the right moment:
Then the implementation is simple and looks like the standard methodology of a AAA vserver setup and an application published by Netscaler.
Security - AAA - Policies > Authentication - Basic Policies - CERT
Create a new server with these values:
Two Factor = On
User Name Field = must correspond to the username field present in the certificate
Create a simple policy:
Server = the server name used before
Expression = ns_true
Your authentication type is created. Do not forget that LDAP must also be configured to set it up my way.
Then it is necessary to create a traffic policy to avoid double authentication problems on your websites. The values are quite easy:
Single Sign On = On
Enable Persistent Cookie = Check (validate that you need it).
The final thing to do is to create the AAA vserver. Nothing is complicated, but you need to be careful about three things.
1 – The bind of LDAP and CERT :
They must both be configured as primary (CERT and LDAP) but with different priorities:
CERT = 100
LDAP1 = 110
LDAP2 = 120
2 – The root certificate bound to the AAA vserver :
Your root certificate must be bound in the CA Certificate part.
3 – The process to get the certificate for authentification :
Do not forget to configure the Client Certificate field in the SSL Parameters.
Client Certificate = Mandatory
If the setup is correct, you can reach your server. After the client certificate is presented, the username field is filled in automatically and cannot be modified.
For troubleshooting, SSH and the Netscaler shell will give you the necessary details:
shell cat /tmp/aaaa.debug
Since Lync Server 2013, there is a new prerequisite on the Lync Servers for the Exchange 2013 interconnection. This will allow you to use:
Windows Identity Foundation
"It's a new extension to the Microsoft .NET Framework that makes it easy for developers to enable advanced identity capabilities in the .NET Framework applications." This feature was created to support server-to-server authentication. It is used by ASP.NET and Windows Communication Foundation applications (in our situation, by Lync Server 2013 and Exchange Server 2013). In order to configure OAuth, you must do two things:
Please note: "It should also be pointed out that you do not need to use server-to-server authentication: server-to-server authentication is not required in order to deploy Lync Server 2013. If Lync Server 2013 does not need to communicate with other servers (such as Exchange 2013) then server-to-server authentication is not needed." (Source) Also note that "your Lync Server 2013 default certificate can also be used as the OAuthTokenIssuer certificate" (Source).
There are two ways to install WIF:
Windows Server 2008 R2: install it with the Windows Identity Foundation (KB974405) installer.
Windows Server 2012: in Server Manager, go to the Add Roles and Features Wizard, select Features, select Windows Identity Foundation 3.5 from the list, click Next, then click Install. Or with PowerShell:
Add-WindowsFeature Windows-Identity-Foundation
Once WIF has been installed, you can run the Deployment Wizard and assign the Lync default certificate as the OAuth certificate.
References: Description of Windows Identity Foundation (http://support.microsoft.com/kb/974405/en-us); Microsoft TechNet – Lync Server 2013 (http://technet.microsoft.com/en-us/library/gg398616.aspx)
I needed a precise list of what is in the Lync updates, so I gathered all the useful data in one table.
I also give you a simple script that returns the CU version of the Lync Server currently deployed.
Latest update download :
http://www.microsoft.com/en-us/download/details.aspx?id=36820
Do not forget the Install-CsDatabase cmdlet if you install the Cumulative Update from October.
Cumulative Update | Lync Server Version | Date Released | Associated KB | Updates | Server to Apply
CU 1 | 5.0.8308.291 | February 2013 | 2781547 | Address Book Web Query service, ABS databases location policy |
CU 2 | 5.0.8308.420 | July 2013 | 2819565 | Update for Persistent Chat server, Update for Conferencing server, Update for Unified Communications Managed API 3.0 Workflow APIs |
CU 3 | 5.0.8308.556 | October 2013 | 2881684 | Update for Mediation server, Update for Conferencing Announcement, Update for Call Park Service |
CU 4 | 5.0.8308.577 | January 2014 | 2910244 | Update for Backup Service, Update for Central Management Server |
CU 5 | 5.0.8308.738 | August 2014 | 2937310 | Update for Windows Fabric, Update for Web Conferencing server, Update for Administrative Tools |
CU 6 | 5.0.8308.815 | September 2014 | 2987510 | Update for Conferencing Attendant, Update for Core Components, Update for Web Components server, Update for Unified Communications Managed API 4.0 Core Runtime 64-bit, Update for Standard or Enterprise Edition server (Front End Servers and Edge Servers) |
CU 7 | 5.0.8308.831 | October 2014 | 3001616 | Update for IM |
CU 8 | 5.0.8308.834 | November 2014 | 3010032 | Update for |
CU 9 | 5.0.8308.857 | December 2014 | 3018158 | Update for |
CU 10 | 5.0.8308.871 | February 2015 | 3031061 | Update for Conference Service |
CU 11 | 5.0.8308.887 | May 2015 | 3051949 | Update for URL filter policy ("http://" not filtered) |
CU 12 | 5.0.8308.920 | July 2015 | 3066655 | Update for XMPP Gateway, Update for XMPP Proxy, Update for Application Host, Update for Audio Test service, Update for Core Management Server, Update for Backup Service, Update for Unified Communications Managed API 4.0 Runtime, Update for Web Components server, Update for Core Components, Update for Call Park service, Update for Conferencing Announcement, Update for Conferencing Attendant, Update for Mediation Server, Update for Administrative Tools, Update for Web Conferencing server, Update for UCMA 3.0 Workflow APIs, Update for Conferencing Server, Update for Persistent Chat, Update for Bandwidth Policy service, Update for Response Group Service | Standard Edition server, Enterprise Edition front-end server and back-end server, Edge server, stand-alone Mediation server, Director server, Persistent Chat front-end server, Administration Tools
Security Update | 5.0.8308.927 | September 2015 | 3080353 – MS15-104 | Update for Web Components Server |
## This script will be updated soon
function Get-CsCUVersion {
    [String]$Servers = $env:COMPUTERNAME + "." + $env:USERDNSDOMAIN
    $version = (Get-CsManagementStoreReplicationStatus -ReplicaFqdn $Servers).ProductVersion
    if (-not $version) { return $null }   # replica not found or cmdlet unavailable

    # Lync Server 2010 CU list
    $cu2010 = @{
        "4.0.7577.108" = "Lync 2010 CU1 January 2011"
        "4.0.7577.137" = "Lync 2010 CU2 April 2011"
        "4.0.7577.166" = "Lync 2010 CU3 July 2011"
        "4.0.7577.183" = "Lync 2010 CU4 November 2011"
        "4.0.7577.190" = "Lync 2010 CU5 February 2011"
        "4.0.7577.199" = "Lync 2010 CU6 June 2012"
        "4.0.7577.203" = "Lync 2010 CU7 October 2012"
        "4.0.7577.216" = "Lync 2010 CU8 March 2013"
        "4.0.7577.217" = "Lync 2010 CU9 July 2013"
        "4.0.7577.223" = "Lync 2010 CU10 October 2013"
        "4.0.7577.225" = "Lync 2010 CU11 January 2014"
        "4.0.7577.230" = "Lync 2010 CU12 April 2014"
    }
    # Lync Server 2013 CU list
    $cu2013 = @{
        "5.0.8308.291" = "Lync 2013 CU1 February 2013"
        "5.0.8308.420" = "Lync 2013 CU2 July 2013"
        "5.0.8308.556" = "Lync 2013 CU3 October 2013"
        "5.0.8308.577" = "Lync 2013 CU4 January 2014"
        "5.0.8308.738" = "Lync 2013 CU5 August 2014"
        "5.0.8308.815" = "Lync 2013 CU6 September 2014"
    }

    # Return the description followed by the raw version; an assignment inside
    # "return" produces no output, which is why the lookup is done first.
    if ($cu2010.ContainsKey($version)) { return "$($cu2010[$version]) - $version" }
    if ($version -like "4.0*")        { return "Lync 2010 - $version" }
    if ($cu2013.ContainsKey($version)) { return "$($cu2013[$version]) - $version" }
    if ($version -like "5.0*")        { return "Lync 2013 - $version" }
    return $version   # unknown product line: give back the raw version
}
When you look for a simple way to get the whole Lync Server topology, you will probably run a Get-CsPool command. But there you don't see the sites, and the output is not easily readable.
The script below shows all the information at once.
Get-MCsPool shows your infrastructure in an easy way:
Communication Server version | Tested
Office Communication Server 2007 | –
Microsoft Lync Server 2010 | OK
Microsoft Lync Server 2013 | OK
function Get-MCsPool {
    foreach ($site in Get-CsSite) {
        Write-Host "Site : " $site.DisplayName "( " -NoNewline -ForegroundColor Green
        if ($site.Description -notlike "") {
            Write-Host "$($site.Description) )" -ForegroundColor Green
        } else {
            Write-Host "No description" -ForegroundColor DarkRed -NoNewline
            Write-Host " )" -ForegroundColor Green
        }
        $pools = $site | Select-Object -ExpandProperty Pools
        foreach ($pool in $pools) {
            $boolDiscovered = $false
            [array]$ServerType = ""
            Write-Host "Pool : " $pool -ForegroundColor Cyan -NoNewline
            # Get all services from the current pool
            $services = Get-CsPool $pool | Select-Object -ExpandProperty Services
            if ($site.ParentSite -ne $null) {
                # SBA
                if ($services.Count -ge 2) {
                    $ServerType += "Survivable Branch Appliance"
                    $boolDiscovered = $true
                } else {
                    $ServerType += " PSTN Gateway "
                    $boolDiscovered = $true
                }
            } else {
                # NO SBA: get the number of computers in the pool
                $PoolComputersCount = (Get-CsPool $pool | Select-Object -ExpandProperty Computers).Count
                if ($PoolComputersCount -ge 2) {
                    # POOL SERVERS (2 or more computers)
                    $findOut = $services -match '.*Registrar:([a-zA-Z]).*'
                    if ($findOut) { $ServerType += "Enterprise Edition Pool"; $boolDiscovered = $true }
                    $findOut = $services -match '.*PersistentChatService:([a-zA-Z]).*'
                    if ($findOut) { $ServerType += "Persistent Chat Pool"; $boolDiscovered = $true }
                    $findOut = $services -match '.*TrustedApplicationPool:([a-zA-Z]).*'
                    if ($findOut) { $ServerType += "Trusted Application Pool"; $boolDiscovered = $true }
                    $findOut = $services -match '.*EdgeServer:([a-zA-Z]).*'
                    if ($findOut) { $ServerType += "EDGE Pool"; $boolDiscovered = $true }
                } else {
                    # STANDALONE SERVERS (only one computer)
                    $findOut = $services -match '.*Registrar:([a-zA-Z]).*'
                    if ($findOut) { $ServerType += "Standard Edition Pool"; $boolDiscovered = $true }
                    $findOut = $services -match '.*PstnGateway:([a-zA-Z]).*'
                    if ($findOut) { $ServerType += "PSTN Gateway"; $boolDiscovered = $true }
                    $findOut = $services -match '.*EdgeServer:([a-zA-Z]).*'
                    if ($findOut) { $ServerType += "EDGE Server"; $boolDiscovered = $true }
                    $findOut = $services -match '.*MonitoringServer:([a-zA-Z]).*'
                    if ($findOut) { $ServerType += "Monitoring Server"; $boolDiscovered = $true }
                    $findOut = $services -match '.*ArchivingServer:([a-zA-Z]).*'
                    if ($findOut) { $ServerType += "Archiving Server"; $boolDiscovered = $true }
                    $findOut = $services -match '.*WacServer:([a-zA-Z]).*'   # Lync 2013
                    if ($findOut) {
                        $ServerType += "Office Web Apps Server"; $boolDiscovered = $true
                    } else {
                        $findOut = $services -match '.*WacService:([a-zA-Z]).*'   # Lync 2010
                        if ($findOut) { $ServerType += "Office Web Apps Server"; $boolDiscovered = $true }
                    }
                    $findOut = $services -match '.*TrustedApplicationPool:([a-zA-Z]).*'
                    if ($findOut) { $ServerType += "Trusted Application Server"; $boolDiscovered = $true }
                    $findOut = $services -match '.*FileStore:([a-zA-Z]).*'
                    if ($findOut) { $ServerType += "File Server"; $boolDiscovered = $true }
                    $findOut = $services -match '.*ApplicationDatabase:([a-zA-Z]).*'
                    if ($findOut) { $ServerType += "SQL Server"; $boolDiscovered = $true }
                    $findOut = $services -match '.*PersistentChatServer:([a-zA-Z]).*'
                    if ($findOut) { $ServerType += "Persistent Chat Server"; $boolDiscovered = $true }
                } # End pool or no pool
            } # End SBA or no SBA
            if (!$boolDiscovered) {
                # The service type is unknown
                Write-Host " (N/A)" -ForegroundColor Gray -NoNewline
            } else {
                # The service type was discovered
                foreach ($type in $ServerType) {
                    if ($type -notlike "") {
                        if (($type -like "*Edition*") -or ($type -like "Survivable*")) {
                            # Main pools are written in yellow
                            Write-Host " [ $type ]" -ForegroundColor Yellow -NoNewline
                        } else {
                            # Normal service types are written in dark cyan
                            Write-Host " [ $type ]" -ForegroundColor DarkCyan -NoNewline
                        }
                    }
                }
            }
            Write-Host ""   # Add a line break after each pool
        } # Close pools foreach
    } # Close sites foreach
} # Close Get-MCsPool function
This post explains the Unified Contact Store (UCS) on Microsoft Lync 2013 and Exchange 2013 deployments.
This feature shares contacts between all Microsoft Office products. In fact, it stores all contact information in Exchange 2013 and makes it available for:
This makes the contacts available globally in the organization.
You must be running Microsoft Lync Server 2013 and Exchange 2013.
I will explain the process of creating an OAuth partnership with Exchange 2013 in my next post.
Ensure all the prerequisites are met before activating it.
To test it, create a user policy that you assign to yourself before enabling everyone:
New-CsUserServicesPolicy -Identity "UserSvcPolicy-UCSEnabled" -UcsAllowed $True
Grant-CsUserServicesPolicy -Identity "JohnDoeAdmin" -PolicyName "UserSvcPolicy-UCSEnabled"
Once you see that everything works fine, you can activate UCS for all users; you only need to change the global User Services Policy using PowerShell:
Set-CsUserServicesPolicy -Identity global -UcsAllowed $True
In Outlook 2013, go to Contacts and verify that you have the Lync Contacts folder as in the picture:
In the Lync client, check the Lync Configuration Information page (press Ctrl and right-click the Lync icon, then go to Configuration Information).
There is an entry named Contact List Provider; it should have changed to UCS instead of Lync Server.
I just read that the source code of MS-DOS and Word was released today.
This is a good thing for understanding better how it all started at Microsoft!
Here are the articles: