Random password prompts with users running Windows Phone / Mobile Active Sync for Exchange through ISA 2006 or TMG Reverse Proxy

form options

So I recently came across an issue where some end users were getting prompted for their password when running a Windows Phone device (Android and Apple devices seem immune).  The client had recently had an Office 365 hybrid configuration completed and where using ISA / TMG as a reverse proxy to authenticate to their local infrastructure for external users. Their move to a hybrid deployment required some changes to the way they had TMG setup (adding another web listener and re-configuring some rules).

Judging from the password prompt, I quickly gathered that the issue was around a web listener, so opening up their one for Exchange, the listener used forms based authentication, so I went to the Forms tab and hit Advanced to see what options had been enabled or disabled.  I could see that Apply session timeout to non-browser clients was enabled. After disabling this option and applying the changes, ActiveSync clients stopped prompting users for their passwords and the sessions remained active even after the timeout value expired.

How to Fix being unable to add, edit or delete domain controllers in the Domain Controllers Computer Set on Microsoft TMG or ISA 2006

TMG-EditSystemPolicyThere seems to be a bug in Microsoft’s TMG (Threat Management Gateway) / ISA 2006 (Internet Security and Acceleration Server) that once installed and configured, prevents an administrator from modifying the entries in the Domain Controllers Computer Set.  This Computer set is used in a number of System Policies and if you ever do an IP address change of a DC contained in this group (which is what I needed to do), it needs to be changed for things to continue to function correctly.  Firstly, we will need to get into the Registry to verify the GUID of the Computer Set (be default it is generally {F77C3B63-0DD8-440B-9921-A9341533A9C6}).  Navigate to HKLM\Software\Microsoft\Fpc\Storage\Array-Root\Arrays\{GUID}\RuleElements\ComputerSets and find the Domain Controllers computer set and note down the GUID.

Now we need to start-up ADSI Edit on the TMG / ISA machine.  Connect to localhost on port 2171 with the Naming Context CN=FPC2. Expand to the following CN=FPC2, CN=Array-Root, CN=Arrays, CN={3E5A92A0-0C54-4BD5-A8EB-1A0F1E77FF79}, CN=RuleElements, CN=ComputerSets.  Locate the GUID we found before and right-click and select properties.  Now under the Attribute Editor find msFPCPrefined attribute and set it from True to False.

Restart the TMG / ISA Console (no need to restart any services) and you should now be able to go into the Domain Controllers Computer Set and perform changes as required.

Setting up an SPN and fixing the cannot verify the service principal name error when installing ForeFront Endpoint Protection

We are currently in the process of trailing Forefront Endpoint Security along with our SCCM Deployment.  So after a few weeks of tweaking we have got our systems center deployment to a level where we are happy with it, it was time to begin installing and testing Forefront.

After beginning our installing and answering a few questions the setup begins to validate some per-requisites. Apart from having reporting services installed and configured on a SQL Server you also need to have the service account for SQL Server to be publishing its existence via a Service Principal Name or SPN. If the account doesn’t have a valid SPN entry then you will receive the following message during the per-requisites check of the Forefront setup.

Setup cannot verify the service principal name (SPN) for this account.
Ensure that there is a single valid SPN entry for this account in the
Active Directory Domain Services.

So how do we go about adding an SPN entry. We will use sqlservice as our user account. We can either do this via ADSIedit or the command prompt. Open up an elevated command prompt and enter the following command:

setspn -a MSSQLSvc/sqlserver.fqdn domain\sqlservice

with MSSQLSvc being the protocol, sqlserver the name of the Server hosting SQL Services along with your fully qualified domain name and finally the account you wish to add the SPN entry for. To check that you have successfully added the spn you can do the following:

setspn -l domain\sqlservice

which will list the account along with SPNs being advertised for that particular account.

The quicker way would be to run ADSIedit, find the account you wish to add the SPN for, right click and go properties and then under the attribute editor. From there navigate down the list until you find servicePrincipalName and click edit. You can then enter the SPN in the same format as above, which is:

MSSQLSvc/sqlserver.fqdn

And there you have it, you can continue to install Forefront without any issues so long as you meet the other requirements of the setup.