I thought I'd start the new year by learning how Git works and publishing my first project on GitHub, for easier version control and sharing.
This project is my take on a two-tier PKI environment using Active Directory Certificate Services (ADCS).
The configuration is pretty simple. It consists of two servers; virtual or physical doesn't matter. One is the offline root Certification Authority (CA), the other is the enterprise (subordinate, issuing) CA that is joined to the domain and actually hands out certificates.
The installation procedure and scripts are available on the GitHub repository.
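For readers who want to see what a two-tier ADCS build boils down to before opening the repository, here is an added sketch of the core commands. This is illustrative example code written for this page, not the scripts from the author's GitHub repository. The CA names, the `pki.contoso.com` CDP/AIA host, the `C:\PKI` paths and the validity and CRL periods are all assumptions; adjust them to your own policy.

```powershell
# Added example, not the repository's scripts: minimum command set behind a two-tier ADCS
# deployment. Names (Contoso, pki.contoso.com, C:\PKI) and periods are placeholders.
# Run each part in an elevated PowerShell session on the server it describes.

# ---------- Part 1: offline root CA (standalone, workgroup, never domain-joined) ----------
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools

Install-AdcsCertificationAuthority -CAType StandaloneRootCA `
    -CACommonName "Contoso Root CA" `
    -KeyLength 4096 -HashAlgorithmName SHA256 `
    -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" `
    -ValidityPeriod Years -ValidityPeriodUnits 20 -Force

# Where relying parties will find the root's CRL and certificate. certutil tokens:
# %1 = server DNS name, %3 = CA name, %4 = cert renewal suffix, %8 = CRL suffix, %9 = delta suffix.
# Prefix 1 = publish CRL here, 2 = put this URL in the CDP/AIA extension of issued certificates.
# "\n" is the literal separator certutil expects between entries.
$http = "http://pki.contoso.com/pki"
certutil -setreg CA\CRLPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%3%8%9.crl\n2:$http/%3%8%9.crl"
certutil -setreg CA\CACertPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:$http/%1_%3%4.crt"

# An offline root publishes its CRL rarely (yearly here) and never issues delta CRLs.
certutil -setreg CA\CRLPeriodUnits 52
certutil -setreg CA\CRLPeriod "Weeks"
certutil -setreg CA\CRLDeltaPeriodUnits 0
# Cap the lifetime of the subordinate CA certificates the root will sign.
certutil -setreg CA\ValidityPeriodUnits 10
certutil -setreg CA\ValidityPeriod "Years"

Restart-Service certsvc
certutil -crl   # writes the first CRL into CertEnroll; carry the .crt and .crl to the HTTP host by hand

# ---------- Part 2: enterprise issuing CA (domain-joined member server) ----------
# Publish the root certificate and CRL into AD so all domain members trust it (needs Enterprise Admin).
certutil -dspublish -f "C:\PKI\ROOTCA_Contoso Root CA.crt" RootCA
certutil -dspublish -f "C:\PKI\Contoso Root CA.crl"

Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
Install-AdcsCertificationAuthority -CAType EnterpriseSubordinateCA `
    -CACommonName "Contoso Issuing CA" `
    -KeyLength 4096 -HashAlgorithmName SHA256 `
    -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" `
    -OutputCertRequestFile "C:\PKI\Contoso Issuing CA.req" -Force

# Carry the .req to the root, sign it there, bring the .cer back. On the root:
#   certreq -submit -config "ROOTCA\Contoso Root CA" "Contoso Issuing CA.req" "Contoso Issuing CA.cer"
#   certutil -resubmit <RequestId>            # a standalone root holds new requests as pending
#   certreq -retrieve <RequestId> "Contoso Issuing CA.cer"
certutil -installcert "C:\PKI\Contoso Issuing CA.cer"

# The issuing CA is online, so it can publish a weekly base CRL and daily deltas.
certutil -setreg CA\CRLPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%3%8%9.crl\n2:$http/%3%8%9.crl"
certutil -setreg CA\CACertPublicationURLs "1:%WINDIR%\system32\CertSrv\CertEnroll\%1_%3%4.crt\n2:$http/%1_%3%4.crt"
certutil -setreg CA\CRLPeriodUnits 1
certutil -setreg CA\CRLPeriod "Weeks"
certutil -setreg CA\CRLDeltaPeriodUnits 1
certutil -setreg CA\CRLDeltaPeriod "Days"

Start-Service certsvc
certutil -crl

# Verify the chain the way a client will, before pointing anything at the new CA:
certutil -verify -urlfetch "C:\PKI\Contoso Issuing CA.cer"
```

The point of the split is that the root's private key only ever exists on a machine that is powered off between CRL renewals, so compromising the online issuing CA lets you revoke and re-issue it rather than rebuild the whole trust anchor. `certutil -verify -urlfetch` is the check to run last: it fetches every CDP and AIA URL in the chain and fails loudly if the HTTP location you configured is not actually reachable.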
DISCLAIMER: This script is published on an "As Is" basis. I will not take any responsibility for any damage this script might do to your production or test server environment. Please ensure that you test it properly in a non-production environment before running or scheduling the script in a production environment.
Help section for the installation scripts below:
Today I installed two new Exchange 2016 servers at one of my customers. They are going to migrate from a classic Exchange 2010 CAS+Mailbox setup.
When I tried to log in to the ECP once the first Exchange server was up and running, I was thrown out directly, in a matter of seconds.
The first thing I did was to create a completely new Active Directory user with only the Organization Management group as permission, and no mailbox either.
That didn't solve the problem. The next step was to reset the OWA and ECP virtual directories (New-OWAVirtualDirectory), but as I expected, no success. (See: How to Reset Client Access Virtual Directories.)
So I turned to my favorite search engine and stumbled upon this TechNet thread.
In short, the problem is the cryptographic provider that holds the private key of the certificate bound to the Exchange IIS site (the Default Web Site), not the signature on the certificate itself.
If that private key was generated in the CNG key storage provider "Microsoft Software Key Storage Provider" (typically because the request was created outside Exchange, with a CNG-based template or the Certificates MMC), forms-based authentication cannot use the key to protect its logon cookie, and the OWA/ECP login loops straight back to the logon page. To make it work you need a certificate whose private key lives in the legacy CAPI provider "Microsoft RSA SChannel Cryptographic Provider".
The solution is to request a new certificate with the provider "Microsoft RSA SChannel Cryptographic Provider", enable it for the IIS service and restart IIS. A more complete deep dive into this has already been done by Jason Slaughter at Microsoft, "The One With The FBA Redirect Loop".
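Two things a practitioner wants here: a quick way to tell which provider holds the key of each certificate on the server, and a request that is guaranteed to land in the legacy CSP. The block below is an added example written for this page, not code from the original post or from Microsoft. The hostnames `mail.contoso.com` and `autodiscover.contoso.com` and the `C:\Temp` paths are placeholders; the `Get-CertKeyProvider` function is a helper defined here for the example.

```powershell
# Added example (not from the original post). Run in an elevated Windows PowerShell
# session on the Exchange 2016 server. Hostnames and paths are placeholders.

# Return the name of the provider that holds a certificate's private key, or $null
# when there is no private key. CNG keys come back as RSACng (provider name on the
# CngKey), legacy CAPI keys as RSACryptoServiceProvider (provider name on the CSP info).
function Get-CertKeyProvider {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    if (-not $Certificate.HasPrivateKey) { return $null }
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Certificate)
        if ($rsa -is [System.Security.Cryptography.RSACng]) {
            return $rsa.Key.Provider.Provider              # e.g. "Microsoft Software Key Storage Provider"
        }
        if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            return $rsa.CspKeyContainerInfo.ProviderName   # e.g. "Microsoft RSA SChannel Cryptographic Provider"
        }
        return $rsa.GetType().Name                         # non-RSA or unusual key, report what it is
    } catch {
        return "unreadable: $($_.Exception.Message)"       # ACL-restricted or HSM-backed key
    }
}

# Step 1: list every certificate with a private key and flag the ones FBA cannot use.
# (certutil -store My <thumbprint> shows the same thing on its "Provider =" line.)
Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey } | ForEach-Object {
    $provider = Get-CertKeyProvider -Certificate $_
    [pscustomobject]@{
        Thumbprint = $_.Thumbprint
        Subject    = $_.Subject
        NotAfter   = $_.NotAfter
        Provider   = $provider
        FbaUsable  = ($provider -notmatch 'Key Storage Provider')
    }
} | Format-Table -AutoSize

# Step 2 (Exchange Management Shell): confirm which certificate is actually bound to IIS,
# then compare its thumbprint with the table above.
#   Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' } | Select-Object Thumbprint, Subject, NotAfter

# Step 3: generate a replacement request whose key is created in the legacy CSP.
# ProviderType 12 = PROV_RSA_SCHANNEL, KeySpec 1 = AT_KEYEXCHANGE, KeyUsage 0xA0 =
# digitalSignature + keyEncipherment. The SAN list goes in the 2.5.29.17 extension.
$inf = @"
[NewRequest]
Subject = "CN=mail.contoso.com"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
HashAlgorithm = sha256

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=mail.contoso.com&"
_continue_ = "dns=autodiscover.contoso.com"
"@
New-Item -ItemType Directory -Path C:\Temp -Force | Out-Null
Set-Content -Path C:\Temp\mail.inf -Value $inf -Encoding ASCII
certreq.exe -new C:\Temp\mail.inf C:\Temp\mail.req

# Step 4: submit C:\Temp\mail.req to your CA, then install the issued certificate and
# bind it to IIS (Exchange Management Shell). Re-run Step 1 to confirm the provider first.
#   certreq.exe -accept C:\Temp\mail.cer
#   Enable-ExchangeCertificate -Thumbprint <thumbprint> -Services IIS
#   iisreset
```

The `FbaUsable` column is the whole diagnosis: a certificate bound to IIS whose key sits in a "Key Storage Provider" is the one causing the loop, whatever its subject or issuer. Requesting the replacement through Exchange itself (`New-ExchangeCertificate -GenerateRequest`) also yields a CAPI key; the INF above is for the case where the request has to be produced outside Exchange, for instance because your CA template or issuing process requires a certreq file.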
Another nice thing I found while searching was how to change the display language for an EAC administrator account that does not have a mailbox.
Add ?mkt=EN-us after ECP. Example: https://mail.contoso.com/ecp?mkt=EN-us