Case of the missing Outlook SSO

If you’re in IT you certainly know this scenario: There’s something in your environment you just can’t get to work the way you want, you’ve spent countless hours reading documentation, googled community forums and fiddled endlessly with settings in order to make it work. It’s not a showstopper and there is a workaround or even just a single prompt that only shows up every once in a while so you can’t justify powering through the issue until it is done, but you return to it every so often. Then it happens, you’re on a completely unrelated thing and reading through docs or configuring settings and then you stumble upon it, a small textbox that explains your issue and how to fix it.

This just happened to me. I’ve been trying to get SSO (Single Sign On) to work for our corporate PCs but haven’t had any luck whatsoever in years of trying. No matter what I did, we always still got prompted to enter credentials for Outlook and Skype for Business. Today I learned why:

Like many organizations, we’re using Office 365. We also use AzureAD Connect to sync our on-premises Active Directory to the Microsoft Cloud and have set it to enable SSO for our users – which works really well for everything but Outlook. The issue of logging in to Skype for Business went away when we migrated to the newer Teams client but Outlook remained a thorn in my side – one I just couldn’t get myself to figure out.
Lately, we have been trying to roll out Microsoft’s Security Defaults for our AzureAD environment and activating Multi-Factor Authentication (MFA) for all our users. The issue I ran into here was that when I enabled the AzureAD Security Defaults, none of my users were able to log in to Outlook on their PCs anymore. Searching through docs for this put me on the right track: For some reason, our Outlook installs were using Legacy Authentication. Some Google-Fu put me on to registry keys I was supposed to add to Enable modern authentication in Outlook – to no avail.
Careful reading of the docs however put me on to the source of my pain:

As we’ve been using Office 365 for a long time, this was us! Mind you, all documentation available on the web is (of course…) written against the current defaults, which have modern authentication turned on.
Quickly jumping into PowerShell solves this:

# Connect to Exchange Online with remote PowerShell
$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session -DisableNameChecking

# Turn on modern authentication (OAuth2) for the whole organization
Set-OrganizationConfig -OAuth2ClientProfileEnabled $true

# Close the remote session again
Remove-PSSession $Session

That’s it. Once I set this, Single Sign On to Outlook just worked. MFA just worked. And I have one less thing on the to-do list that I’ve been visiting over and over for years.

-Jan
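
A check to go with the fix above, as an added example that is not part of the original post: it reads the tenant's current modern authentication setting, changes it only when it is off, and confirms the result. It assumes the Exchange Online session from the post is still imported (run it before Remove-PSSession); the function name Enable-ModernAuthIfDisabled is made up for this example.

```powershell
# Added example, not the author's code.
# Assumes Get-OrganizationConfig / Set-OrganizationConfig are available
# through the imported Exchange Online session shown in the post.
function Enable-ModernAuthIfDisabled {   # hypothetical helper name
    # Read the organization-wide setting before touching anything
    $before = [bool](Get-OrganizationConfig).OAuth2ClientProfileEnabled

    if (-not $before) {
        # Tenant still has modern authentication off: enable it
        Set-OrganizationConfig -OAuth2ClientProfileEnabled $true
    }

    # Read the setting again so the report reflects what the service stored
    $after = [bool](Get-OrganizationConfig).OAuth2ClientProfileEnabled

    [pscustomobject]@{
        Before  = $before
        After   = $after
        Changed = ($before -ne $after)
    }
}

$result = Enable-ModernAuthIfDisabled
$result | Format-List

if (-not $result.After) {
    Write-Warning 'OAuth2ClientProfileEnabled is still False; Outlook will keep using legacy authentication.'
}
```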

Related Post

Issues preparing for upgrade to SCVMM 1801

I just ran into a small hiccup upgrading my System Center Virtual Machine Manager 2016 to the new version 1801. I wasn’t able to find any documented cases of anyone running into this so here we go:

The upgrade to SCVMM 1801 actually requires uninstalling SCVMM 2016. This failed on my installation just at the point where I was clicking on the “Remove features” button in the setup dialog.

In C:\ProgramData\VMMLogs\SetupWizard.log I found the following entry:

11:52:28:Uncaught Exception: Threw Exception.Type: Microsoft.VirtualManager.Utils.CarmineException, Exception.Message: Unable to detect cluster configuration of the node.
Ensure that the user has permissions to detect cluster node configuration.
11:52:28:StackTrace: at Microsoft.VirtualManager.Setup.ClusterServiceHelper.get_IsAClusterNode()
 at Microsoft.VirtualManager.Setup.AddRemoveComponentsPage.EnterPage()
 at Microsoft.VirtualManager.SetupFramework.PageNavigation.WaitEnterSet(Page page)
 at Microsoft.VirtualManager.Setup.AddRemovePage.RemoveComponent_Click(Object sender, RoutedEventArgs e)
 at System.Windows.EventRoute.InvokeHandlersImpl(Object source, RoutedEventArgs args, Boolean reRaised)
 at System.Windows.UIElement.RaiseEventImpl(DependencyObject sender, RoutedEventArgs args)
 at System.Windows.Controls.Primitives.ButtonBase.OnClick()
 at System.Windows.Controls.Button.OnClick()
 at System.Windows.Controls.Primitives.ButtonBase.OnMouseLeftButtonUp(MouseButtonEventArgs e)
 at System.Windows.RoutedEventArgs.InvokeHandler(Delegate handler, Object target)
 at System.Windows.RoutedEventHandlerInfo.InvokeHandler(Object target, RoutedEventArgs routedEventArgs)
 at System.Windows.EventRoute.InvokeHandlersImpl(Object source, RoutedEventArgs args, Boolean reRaised)
 at System.Windows.UIElement.ReRaiseEventAs(DependencyObject sender, RoutedEventArgs args, RoutedEvent newEvent)
 at System.Windows.UIElement.OnMouseUpThunk(Object sender, MouseButtonEventArgs e)
 at System.Windows.RoutedEventArgs.InvokeHandler(Delegate handler, Object target)
 at System.Windows.RoutedEventHandlerInfo.InvokeHandler(Object target, RoutedEventArgs routedEventArgs)
 at System.Windows.EventRoute.InvokeHandlersImpl(Object source, RoutedEventArgs args, Boolean reRaised)
 at System.Windows.UIElement.RaiseEventImpl(DependencyObject sender, RoutedEventArgs args)
 at System.Windows.UIElement.RaiseTrustedEvent(RoutedEventArgs args)
 at System.Windows.Input.InputManager.ProcessStagingArea()
 at System.Windows.Input.InputManager.ProcessInput(InputEventArgs input)
 at System.Windows.Input.InputProviderSite.ReportInput(InputReport inputReport)
 at System.Windows.Interop.HwndMouseInputProvider.ReportInput(IntPtr hwnd, InputMode mode, Int32 timestamp, RawMouseActions actions, Int32 x, Int32 y, Int32 wheel)
 at System.Windows.Interop.HwndMouseInputProvider.FilterMessage(IntPtr hwnd, WindowMessage msg, IntPtr wParam, IntPtr lParam, Boolean& handled)
 at System.Windows.Interop.HwndSource.InputFilterMessage(IntPtr hwnd, Int32 msg, IntPtr wParam, IntPtr lParam, Boolean& handled)
 at MS.Win32.HwndWrapper.WndProc(IntPtr hwnd, Int32 msg, IntPtr wParam, IntPtr lParam, Boolean& handled)
 at MS.Win32.HwndSubclass.DispatcherCallbackOperation(Object o)
 at System.Windows.Threading.ExceptionWrapper.InternalRealCall(Delegate callback, Object args, Int32 numArgs)
 at System.Windows.Threading.ExceptionWrapper.TryCatchWhen(Object source, Delegate callback, Object args, Int32 numArgs, Delegate catchHandler)
 at System.Windows.Threading.Dispatcher.LegacyInvokeImpl(DispatcherPriority priority, TimeSpan timeout, Delegate method, Object args, Int32 numArgs)
 at MS.Win32.HwndSubclass.SubclassWndProc(IntPtr hwnd, Int32 msg, IntPtr wParam, IntPtr lParam)
 at MS.Win32.UnsafeNativeMethods.DispatchMessage(MSG& msg)
 at System.Windows.Threading.Dispatcher.PushFrameImpl(DispatcherFrame frame)
 at System.Windows.Application.RunDispatcher(Object ignore)
 at System.Windows.Application.RunInternal(Window window)
 at Microsoft.VirtualManager.Setup.Program.UiRun()
 at Microsoft.VirtualManager.Setup.Program.Main()

So what this means is that the setup is unsuccessfully trying to determine whether SCVMM is installed in a clustered setup. Which mine is not. Has never been.

The solution is to actually *install* the Windows Feature Failover Clustering. This way the check can run and setup will continue. There is no need to actually configure clustering.

ThinkPad X1 Carbon (34602SG) – First impressions

It’s been a while since I had any interesting tech that I was actually able to write about. Today, that changed with the arrival of the brand-new Lenovo ThinkPad X1 Carbon. For the international audience, I will write this and maybe a few follow-up articles in English as opposed to German.


Specs wise, it’s pretty standard with the 3rd gen Core i5 3427U processor, 8GB of RAM and 256GB SSD. The Ericsson WWAN card is included, the USB 10/100 Mbit/s Ethernet adapter is not. I’ll have to check if and when I can expect delivery of that. I did not order from Lenovo directly, so I will have to go through my dealer for that. Anyway, enough has been written about the specs and parts in other places.


Because I haven’t seen any other shots of a final system board, I included my own. As you can see, the RAM is soldered to the board. Opened up, more than half the system is taken up by its battery. Just to make clear: This was “just for fun”, there were no build issues whatsoever with my model that would have necessitated opening up the system. As far as build quality is concerned, this machine easily beats any one of the older ThinkPad models I owned or worked with. For the record: X21, T42p, T60p, T61, T400, T400s, T500, T410, T510, T420, X220, T430. Yes, I know that’s a lot but I spent quite a while in recent years supporting a fleet of ThinkPads for my last employer.

The X1 Carbon has probably the stiffest base I’ve ever experienced on a laptop. There’s less give than I have in my 11” MacBook Air (2011) which is impressive, considering the X1 has a much larger chassis that could bend. Lenovo did change the color finish on the bezel and palm rest surrounding the keyboard. It is now much closer to the soft-touch finish normally found on the display cover. Oddly enough, I prefer its texture and softness to that of the new all-glass touchpad. Now, the latter is a big improvement to the touchpads found previously on ThinkPads (even the newer ones that started to be introduced with T400s). It’s somehow not quite as smooth as you would expect from a glass touchpad – something of a problem for me as I have dry skin and I noticed it had something of a sandpaper effect on my fingertips. For those who absolutely have to use a touchpad: The ones built by Apple are still the top of the crop. This being a ThinkPad however, there’s still the good-old TrackPoint and it hasn’t changed a bit.

The LCD screen is of the TN persuasion and it’s a pretty good one. Colors are vivid and the contrasts are excellent to my eyes. Other people have noted the LCD grid. The effect indeed is noticeable if you have really good vision and you’re looking at a mostly white screen (e.g. MS Word). I mostly just noticed it because I read about it and looked for it. In regular use with what I’d call an ergonomic distance between your eyes and the screen it’s much harder to see, certainly if you don’t have perfect eyesight like me. The resolution is still spot on, 1600 by 900 on a 14” screen is the sweet spot for me. It’s enough to enable some multitasking on the road while keeping the machine portable. For serious work I still recommend a 24” or larger external screen.

I can’t say I spent too much time with the stock Windows installation. It’s not as bad as other PCs I’ve seen (HP, Sony) but it’s probably not worth keeping if you are the least bit technical and know how to install Windows and drivers. It’s a long shot from the Microsoft signature builds. Anyway, I wasn’t going to have Windows 7 on this machine anyway and progressed to installing Windows 8 Professional RTM on it:


Here’s a couple of pointers that might help you avoid some of the stumbling blocks I met:

  • If you’re going to install Windows 8 on this machine, put the setup files on a USB stick formatted with FAT32 (UEFI won’t boot the installer off NTFS).
  • Download all the drivers for the X1 Carbon from the Lenovo Beta site here except for Video and WWAN. Install these drivers first!
  • Now download the SCCM driver bundle for Windows 7 here. Also download the Intel Smart Connect drivers here. Unpack and point device manager to these folders to install drivers for all the remaining unrecognized devices.
  • Don’t install beta Intel HD graphics drivers, use the update drivers function in device manager and have Windows pull new drivers off Windows Update.
  • The Windows built-in driver for the Intel 6205 WLAN card has a wrong default setting: It doesn’t have 802.11n mode enabled. If you don’t enable that in device properties, you will likely only see 54Mbit/s connections. Newer drivers from Intel aren’t available yet but should be out along with drivers for Intel Wireless Display by October 26th. Wireless antenna performance is great though, as I have come to expect from a ThinkPad. Full signal on the 5GHz band where my Mac struggles to keep a connection.
  • I didn’t manage to get the WWAN card to work using the beta driver for Windows 8, the Windows 7 driver however worked perfectly.

Some general early impressions about system performance and such:

  • It’s very quick to boot and shut down running Windows 8. Resume from stand-by is nearly instantaneous.
  • Battery runtime for me seems to be around 5 hours right now with the power profile set to balanced, the display at around half its maximum brightness, WLAN and WWAN enabled. This includes time when the system was still syncing data from my SkyDrive and Exchange mailbox in Outlook, indexing and me installing all the little tools I like to have at the ready. Given that we’re still very early as far as driver support for Windows 8 goes (and that I believe Lenovo’s Power Manager still has some extra tricks that are not yet available), I’m pretty happy with that. Recharging the battery using rapid charge takes care of remaining worries.
  • As a touch typist and die-hard ThinkPad enthusiast, the new keyboard is easy to get used to. I still miss the 7th-row key placements and keys like “pause” but it’s something you get used to pretty quickly. Key feel and responsiveness is nice and key travel is better than any other Ultrabook (or Macbook) I’ve tried before. I especially like how the keyboard on the X1 Carbon is a part of the bezel. It’s a much cleaner and nicer visual look which I found distracting on the T430.
  • You might want to keep credit cards away from the bottom left corner of the base. That’s where you find the magnet keeping the lid closed.

That’s it for my early thoughts. The X1 Carbon for me is the perfect workhorse computer right now. I don’t need computationally intensive applications on a daily basis (that’s what servers and desktops are for!) and I appreciate the portability. I’ll probably buy a second power supply and I’m seriously considering the USB 3.0 dock.

Otherwise this computer is what I always thought the Macbook Air should have been: Black, no-nonsense, non-glare, non-shiny, all serious, with a great keyboard and a little red dot right smack-dab in the middle where it belongs.

-Jan

Fixing Windows Admin Center ‘Can’t verify whether “cluster_name” is online’

So you’re trying to add your Hyper-Converged Cluster to Windows Admin Center and it’s giving you the “Can’t verify whether “cluster_name” is online” treatment. You’ve checked DNS, upgraded WAC/Honolulu and tested installing it on multiple servers and workstations. Nothing helped. I have good news for you:

I ran into this immediately after Project Honolulu became public and have been banging my head continuously. Here’s what to do:

Check the Event Viewer\Applications and Services Logs\Microsoft-ServerManagementExperience for the following entry:

400 - CimException: The xsi:type attribute (p1:MSCluster_Property_Node_PrivateProperties) does not identify an existing class.

This indicates that WAC is connecting fine to your cluster but is running into an issue where it’s missing some cluster property.

I’ll have to give props to Robert Hochmayr here as he pointed me to the solution:

There are two private properties that are set on the cluster and its nodes which through some combination of events (like adding nodes to the cluster at a later point in time) are missing from nodes. You can find out by running the following PowerShell command on one of your S2D cluster nodes:

get-clusternode | Get-ClusterParameter

The output will look something like this:

Object Name                 Value Type
------ ----                 ----- ----
S2D-01 S2DCacheBehavior     88    UInt64
S2D-01 S2DCacheDesiredState 2     UInt32
S2D-03 S2DCacheDesiredState 2     UInt32
S2D-03 S2DCacheBehavior     88    UInt64

Note that this was a four-node cluster. Nodes S2D-02 and S2D-04 are missing!

Off to the registry to fix it:

At HKLM\Cluster\Nodes\x\Parameters there should be two entries for the above cluster parameters. On my systems, the full registry key Parameters was missing from nodes 1 and 4 (go figure…). I added them *on each host* by running the following command lines:

REG ADD HKEY_LOCAL_MACHINE\Cluster\Nodes\1\Parameters /f /v  "S2DCacheBehavior" /t REG_QWORD /d "88"
REG ADD HKEY_LOCAL_MACHINE\Cluster\Nodes\1\Parameters /f /v "S2DCacheDesiredState" /t REG_DWORD /d "2"
REG ADD HKEY_LOCAL_MACHINE\Cluster\Nodes\4\Parameters /f /v  "S2DCacheBehavior" /t REG_QWORD /d "88"
REG ADD HKEY_LOCAL_MACHINE\Cluster\Nodes\4\Parameters /f /v "S2DCacheDesiredState" /t REG_DWORD /d "2"

Checking, I now get the correct PowerShell output:

get-clusternode | Get-ClusterParameter

Object Name                 Value Type
------ ----                 ----- ----
S2D-01 S2DCacheBehavior     88    UInt64
S2D-01 S2DCacheDesiredState 2     UInt32
S2D-02 S2DCacheBehavior     88    UInt64
S2D-02 S2DCacheDesiredState 2     UInt32
S2D-03 S2DCacheBehavior     88    UInt64
S2D-03 S2DCacheDesiredState 2     UInt32
S2D-04 S2DCacheBehavior     88    UInt64
S2D-04 S2DCacheDesiredState 2     UInt32

Once this was added I was immediately able to add the cluster to Windows Admin Center. No reboots or service restarts were needed.

-Jan
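
The comparison done by eye in the post above (which nodes lack the two S2D private properties), as an added example that is not part of the original post. The function name, the Node/Name record shape and the sample data are constructed for this example; the sample mirrors the "before" output of the four-node cluster.

```powershell
# Added example, not the author's code.
function Find-MissingNodeParameter {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string[]] $NodeName,
        # Records with Node and Name properties (this example's own convention).
        # An empty list is allowed: then every node is reported as missing both.
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $ParameterRecord,
        [string[]] $Expected = @('S2DCacheBehavior', 'S2DCacheDesiredState')
    )
    foreach ($node in $NodeName) {
        # Names of the private properties actually present on this node
        $present = @($ParameterRecord |
            Where-Object { $_.Node -eq $node } |
            ForEach-Object { $_.Name })

        foreach ($param in $Expected) {
            if ($present -notcontains $param) {
                [pscustomobject]@{ Node = $node; MissingParameter = $param }
            }
        }
    }
}

# Constructed sample: only S2D-01 and S2D-03 report the properties.
$nodes = 'S2D-01', 'S2D-02', 'S2D-03', 'S2D-04'
$records = @(
    [pscustomobject]@{ Node = 'S2D-01'; Name = 'S2DCacheBehavior' }
    [pscustomobject]@{ Node = 'S2D-01'; Name = 'S2DCacheDesiredState' }
    [pscustomobject]@{ Node = 'S2D-03'; Name = 'S2DCacheDesiredState' }
    [pscustomobject]@{ Node = 'S2D-03'; Name = 'S2DCacheBehavior' }
)

# Lists S2D-02 and S2D-04, each missing both properties
Find-MissingNodeParameter -NodeName $nodes -ParameterRecord $records |
    Format-Table -AutoSize

# Against a live cluster (assumption: the objects returned by
# Get-ClusterParameter expose ClusterObject and Name properties):
# $nodes   = (Get-ClusterNode).Name
# $records = Get-ClusterNode | Get-ClusterParameter |
#     Select-Object @{ n = 'Node'; e = { "$($_.ClusterObject)" } }, Name
```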