Configuring Azure Multifactor Authentication with Exchange 2013 SP1
Thanks to Raymond Emile from Microsoft COX, the guy responded to me instantly and hinted me around the OWA + basic Auth, Thanks a lot Ray…
In case you missed it, Azure has a very cool new feature called Azure multifactor authentication, using MFA in Azure you can perform multifactor for Azure apps and for on-premise apps as well.
In this blog, we will see how to configure Azure Cloud MFA with Exchange 2013 SP1 on premise, this will be a long blog with multiple steps done at multiple levels, so I suggest to you to pay a very close attention to the details because it will be tricky to troubleshoot the config later.
here are the highlevel steps:
- Configure Azure AD
- Configure Directory Sync.
- Configure multifactor Authentication Providers.
- Install/Configure MFA Agent on the Exchange server.
- Configure OWA to use basic authentication.
- Sync Users into MFA agent.
- Configure users from the desired login type.
- Enroll users and test the config.
so let us RNR:
Setting up Azure AD/MFA:
Setting up Azure AD/MFA is done by visiting https://manage.windowsazure.com , here you have 2 options (I will list them because I had them both and it took me a while to figure it out):
- If you have never tried azure, you can sign up for a new account and start the configuration.
- If you have Office 365 enterprise subscription, then you will get Azure AD configured, so you can sign in into Azure using the same account in Office 365 and you will find Azure AD configured for you (I had this option so I had to remove SSO from the previous account and setting it up again).
Once you login to the portal, you can setup Azure AD by clicking add:
Since I had Office 365 subscription, It was already configured, so if you click on the directory, you can find list of domains configured in this directory:
If you will add a new domain, click on add and add the desired domain, you will need to verify the domain by adding TXT or MX record to prove you domain ownership, once done you will find the domain verified and you can configure it, the following screenshots illustrates the verification process:
Once done, go to Directory Integration and choose to activate directory integration:
One enabled, download the dirsync tool on a computer joined to the domain:
Once installed, you will run through the configuration wizard which will ask you about the azure account and the domain admin account to configure the AD Sync:
Once done, you can check the users tab in Azure AD to make sure that users are sync’d to Azure successfully:
If you select a user, you can choose to Manage Multifactor Authentication
you will be prompt to add a multifactor authentication provider, the provider essentially controls the licensing terms for each directory because you have per user or per authentication payment, once selected you can click on manage to manage it:
Once you click manage, you will be taken to the phonefactor website to download the MFA agent:
click on downloads to download the MFA agent, you will install this agent on:
- A server that will act as MFA agent and provides RADIUS or windows authentication from other clients or
- Install the agent on the Exchange server that will do the authentication (frontend servers).
Since we will use Exchange, you will need to install this agent on the Exchange server, once install you will need to activate the server using the email and password you acquired from the portal:
Once the agent installed, it is time to configure the MFA Agent.
Note: the auto configuration wizard won’t work, so skip it and proceed with manual config.
Another note: FBA with OWA won’t work, also auto detection won’t work, so don’t waste your time.
Configuring the MFA Agent:
I need to stress on how important to follow the below steps and making sure you edit the configuration as mentioned or you will spend hours trying to troubleshoot the errors using useless error codes and logs, the logging still poor in my opinion and doesn’t provide much information for debugging.
the first step is to make sure the you have correct name space and ssl certificate in place, typically you will need users to access the portal using specific FQDN, since this FQDN will point to the Exchange server so you will need to publish the following:
- Extra directories for MFA portal, SDK and mobile app.
- or Add a new DNS record and DNS name to the ssl certificate and publish it.
In my case, I chose to use a single name for Exchange and MFA apps, I chose https://mfa.arabcloud.tv, MFA is just a name so it could be OWA, mail or anything.
SSL certificate plays a very important role, this is because the portal and mobile app speaks to SDK over SSL (you will see that later) so you will need to make sure that correct certificate in place as well as DNS records because the DNS record must be resolvable internally.
once the certificate/DNS issue is sorted, you can proceed with the install, first you will install the user portal, users will use this portal to enrol as well as configuring their MFA settings.
From the agent console, choose to install user portal:
It is very important to choose the virtual directory carefully, I highly recommend changing the default names because they are very long, in my case I chose using MFAPORTAL as a virtual directory.
once installed, go the user portal URL and enter the URL (carefully as there is no auto detection or validation method), and make sure to enable the required options in the portal (I highly recommend enabling phone call and mobile app only unless you are in US/EU country then you can enable text messages auth as well, it didn’t work with me because the local provider in Qatar didn’t send the reply correctly).
Once done, Proceed with SDK installation, again, I highly recommend changing the name, I chose MFASDK
Once installed, you are ready to proceed with the third step, installing the mobile app portal, to do this browse to the MFA agent installation directory, and click on the mobile app installation, also choose a short name, I chose MFAMobile
Once Installed, you will have to do some manual configuration in the web.config files for the portal and the mobile app.
You will have to specify SDK authentication account and SDK service URL, this configuration is a MUST and not optional.
to do so, first make sure to create a service account, the best way to do it is to fire you active directory users and computers management console, find PFUP_MFAEXCHANGE account and clone it.
Once cloned, open c:\intepub\wwwroot\<MFAportal Directory> and <MFA Mobile App Directory> and edit their web.config files as following:
For MFA portal:
For MFA mobile App:
Once done, you will need to configure the MFA agent to do authentication for IIS.
Configure MFA to do authentication from IIS:
To configure MFA agent to kick for OWA, you will need to configure OWA to do basic authentication, I searched on how to do FBA with MFA, but I didn’t find any clues (if you have let me know).
Once you configured OWA/ECP virtual directories to do basic authentication, go to the MFA agent , from there go to IIS Authentication , HTTP tab, and add the OWA URL:
Go to Native Module tab, and select the virtual directories where you want MFA agent to do MFA authentication (make sure to configure it on the front end virtual directories only):
Once done….you still have one final step which is importing and enrolling users…
to import users, go to users, select import and import them from the local AD, you can configure the sync to run periodically:
Once imported, you will see your users, you can configure your users with the required properties and settings to do specific MFA type, for example to enable phone call MFA, you will need to have the users with the proper phone and extension ( if necessary):
You can also configure a user to do phone app auth:
Once all set, finally, you can enrol users.
Users can enrol by visiting the user portal URL and signing with their username/password, once signed they will be taken to the enrolment process.
for phone call MFA, they will receive a call asking for their initial PIN created during their configuration in MFA, once entered correctly, they will be prompted to enter a new one, once validated the call will end.
in subsequent logins, they will receive a call asking them to enter their PIN, once validated successfully, the login will be successful and they will be taken into their mailbox.
in mobile app, which will see here, they will need to install a mobile app on their phones, once they login they can scan the QR code or enter the URL/Code in the app:
Once validated in the app, you will see a screen similar to this:
Next time when you attempt to login to OWA, the application will ask you to validate the login:
Once authentication is successful, you will see:
and you will be taken to OWA.
Final notes:
again, this is the first look, I think there are more to do, like RADIUS and Windows authentication which is very interesting, also we can configure FBA by publishing OWA via a firewall or a proxy that does RADIUS authentication + FBA which will work.
I hope that this guide was helpful for you.
Configuring Dynamic Access Controls and File Classification-Part4-#winservr 2012 #DAC #microsoft #mvpbuzz
Part1: The Windows Server 2012 new File Server–part 1- Access Condition http://goo.gl/9miY1
Part2: The Windows Server 2012 new File Server–part 2- Install AD RMS http://goo.gl/dRHro
Part3: The new file server part3 using file classification & AD RMS: http://goo.gl/A4JlC
In previous parts we have walked through the new file server features and permissions wizard, Data Classification, AD RMS installation and File Classification and AD RMS integration, in the final part of this series we will take about how to implement a new feature of Active Directory called claim based authentication and utilize it for something called Dynamic Access Control.
but wait a minute, what is the claim based authentication, from this reference: http://www.windowsecurity.com/articles/First-Look-Dynamic-Access-Control-Windows-Server-2012.html
Claims-based authentication relies on a trusted identity provider. The identity provider authenticates the user, rather than every application doing so. The identity provider issues a token to the user, which the user then presents to the application as proof of identity. Identity is based on a set of information that, taken together, identifies a particular entity (such as a user or computer). Each piece of information is referred to as a claim. These claims are contained in the token. The token as a whole has the digital signature of the identity provider to verify the authenticity of the information it contains.
Windows Server 2012 turns claims into Active Directory attributes. These claims can be assigned to users or devices, using the Active Directory Administrative Center (ADAC). The identity provider is the Security Token Service (STS). The claims are stored inside the Kerberos ticket along with the user’s security identifier (SID) and group memberships.
Once the data has been identified and tagged – either automatically, manually or by the application – and the claims tokens have been issued, the centralized policies that you’ve created come into play.
Now you can turn user’s attribute whatever they are, into security controls, now we have the power to control the access to files and set the permissions to files using attributes, we no longer controlled by group permissions only.
With that in mind, you can set the permissions on the files based on department attributes, connecting machine, location or any other attribute in Active Directory and you don’t have to create specific groups for that, also the permissions will be set on the fly, not only that, but you can set the permissions not based on the user’s properties but also based on the device the user is using, you can set the permissions to full control from corporate devices, but readonly from kiosk or non-corporate devices.
Not only that, but you can also include the attributes of the resources that is being accessed in the permissions equation, so you want “on the fly” to examine the resource classification and allow only specific users with specific attributes to access the resource (so files classified of country classification “Egypt” will be accessed by only users who are in country “Egypt” for example).
Dynamic Access Control (DAC) is a new era for permissions, I am blown by the power of DAC and how flexible it is, mixed with AD RMS you can have ultimate control on data within your corporate.
Lab Setup:
We will use the steps described here in this TechNet article: http://technet.microsoft.com/en-us/library/hh846167.aspx#BKMK_1_3 , the steps here are illustration of the steps, and prior parts of the blog series (part 1 to 3) are used as foundation to demonstrate the final environment:
Implementation steps:
the first ting to configure is the claim type, claim types represents what are the data queried in the user/device/resource attribute and then used in the permission evaluation, you want to query about the country, you create a claim type for that, you want to use department you create a claim type for that.
In our Lab we will create a claim type of Department and Country:
to create a claim type open the AD Administrative Center and go to Claim Types, and from the menu select new:
Create a new claim for Department :
and for Country :
In the Country, Supply suggested values (to specify values for the claims as Egypt and Qatar):
Note: By defaults claims are issues to users, if you want to issue it for computers you must select that on the claim
Create a new reference resource property for Claim Country:
Now got to Resource Properties and enable the department claim;
Now let us create a Central Access Rule, This rule will include the template permissions that will be applied when the claims are matched with the rules defined in the CAR:
In the rule, specify the security principle you want to use, in this demo we will grant access to Finance Admins full control and Finance Execs read only access, and this will be applied to all files “resources” that is classified in the Finance Department, we can also go with devices claims and specify the country of this device or any other property that we can to query about the device:
The Final rules will be :
Now create a Central Access Policy that will be applied using GPO to all file servers and the Administrator can select and apply them on individual folders:
In the CAP, include the finance data rule:
No you need to apply this CAP using GPO and make it available to file servers, now create a GPO and link it to the file servers OU:
In the Group Policy Management Editor window, navigate to Computer Configuration, expand Policies, expand Windows Settings, and click Security Settings.
Expand File System, right-click Central Access Policy, and then click Manage Central access policies.
In the Central Access Policies Configuration dialog box, add Finance Data, and then click OK.
You need now to allow the Domain Controllers to issue the Claims to the users, this is done by editing the domain controllers GPO and specify the claims settings:
Open Group Policy Management, click your domain, and then click Domain Controllers.
Right-click Default Domain Controllers Policy, and then click Edit.
In the Group Policy Management Editor window, double-click Computer Configuration, double-click Policies, double-clickAdministrative Templates, double-click System, and then double-click KDC.
Double-click KDC Support for claims, compound authentication and Kerberos armoring. In the KDC Support for claims, compound authentication and Kerberos armoring dialog box, click Enabled and select Supported from the Options drop-down list. (You need to enable this setting to use user claims in central access policies.)
Close Group Policy Management.
Open a command prompt and type gpupdate /force
.
Testing the Configuration:
Going to the file server, and clicking on our finance data file, we can now find the data classification that we specific in the Claims:
Now let us classify the data as Finance Department.
Note: In order to allow DAC permissions to go into play, allow everyone NTFS full control permissions and then DAC will overwrite it, if the user doesn’t have NTFS permissions he will be denied access even if DAC grants him access.
Now checking the permissions on the folder:
going to the Central Policy tab and applying the Finance Data Policy:
now let us examine the effective permissions:
for the Finance Admins:
If the user has no claims (so he is a member of the group but not in the finance department and is not located in Egypt) he will be denied access:
Now, let us specify that he is from Finance Department, no luck, Why?!
This is because he must access the data from a device that has claim type country Egypt:
Now test the Finance Execs Permissions and confirm it is working.
You can test applying this rule also when the following condition is set, and wee what happens:
Note: the above rule will grant use access when his department matches the file classification department, so you can have a giant share from mix of departments and permissions will be granted to files based on users’ departments.
Conclusion:
Mixing DAC with AD RMS and file classification is a powerful mix that helps organizations with the DLP dilemma, and with Windows Server 2012 organization has total control for the first time on the files and data within the files. please try the lab and let me know your feedback
Join me at the next event, Microsoft private cloud using Hyper-v and System Center hosted by Microsoft MEA Academic Center
Next Wednesday, I will be speaking at one of the Microsoft MEA Academic Center events, In this event I will speak about the Private Cloud concepts and patterns, then delving on the Private Cloud Architecture using Microsoft Hyper-v and System Center then moving to the Private/Cloud user case and future innovations possibility.
from the event description:
In this session we will explore the cloud concepts and principles setting the ground for the cloud knowledge, then taking extra steps on how to build the private cloud using Windows Server 2012 and System center and finalizing
by integration and extensibility options of private, public and hybrid cloud and use cases.
I have built this session on top of the amazing session by Tom Schinder “Private Cloud Concepts and Patterns”, I believe that this session is the most important session in 2012, not because it contains valuable information but because it clearly defines what is the cloud, its architecture and the principles and concepts, then delving to the actual implementation and use case.
You Can Join us using the following Link:
https://join.microsoft.com/meet/b-amshad/F9CLHSSD
I will be waiting for you.
Mahmoud
Automate patch & restart management in the #datacenter using #Microsoft Orchestrator and #wsus #sysctr #automation #mvpbuzz
Introduction:
I have been working on a very interesting task next week for our cloud which is patch management automation.
One of the challenges we face as service provider or cloud provider if you are not a service provider is the patch management within our infrastructure and the cloud.
for years there have been tools and applications that can push updates from vendors to our servers; WSUS and SCCM are great examples of those, but there has been a missing part of the puzzle.
What about the restart management for those Servers/Application, how do we manage the relationship between servers patches, restart and restart order, let us take a deeper look to that.
Suppose that you have a typical infrastructure; this could be based on the cloud or not, This infrastructure consists of the following:
- 2 Domain Controllers.
- 1 SQL cluster; 2 Nodes.
- 2 IIS Front-End Servers running a web application.
- 2 TMG 2010 servers.
suppose that you use WSUS/SCCM, specified restart schedule and approved the updates, and waiting for servers restart, you have 2 options here:
- if you had all the servers using single restart option; this means that all servers will reboot in the same time.
- configure multiple scheduling based on OU/GPO, servers will restart based on schedules for different roles which is fine.
In the first option IIS servers will usually restart faster than SQL cluster; their web application might not start because SQL is not running, IIS serves might restart before the Domain Controllers, and might find the required credentials needed to start the web applications and same for SQL clusters that might reboot before DC and the SQL cluster fails, at the end of the day; who knows?!
the second option is cool, however you will have a larger maintenance window, you don’t know when servers will finish rebooting so you will have to wait and assign 30 minutes for DC reboot for example, then another 30 minutes then SQL servers reboot…etc, but this hurts your SLA and increases your maintenance window.
The Solution:
Somehow, you know your infrastructure requirements, so you know the restart order and priority for your servers, you need to have this relationship mapping first before anything else; as this will be the foundation.
You don’t need a fancy visio diagram or relationship table, all what you need is a simple table saying for example:
Server Name | Restart Order |
Server1 | 1 |
Server2 | 2 |
and this is an example,you can go as much complex as you want.
later you can use System Center Orchestrator to automate your patching and restart based on the relationship you defined, this is a very effective way to save your life and time, Orchestrator can interpret your restart order, force servers that needs restart to restart in the order you specified in the schedule you need or you can kick the hall process manually it doesn’t make a difference.
The How:
Disclaimer: use this article at your own risk, the solution described here is not the complete one, you need to do further testing, customization and modification to be enterprise ready, the scripted, files and workflows here are provided AS-IS without any warranty.
Building the blocks: In this section we explore the high-level architecture of the solution and its components and then we proceed with its implementation.
The requirements is very simple, we are using WSUS to deploy updates to servers, we have a restart order as the above table for example we want to restart our servers according to the above restart order.
The Lab Setup: I am running 1 Domain Controller that also hosts my WSUS server, 1 Orchestrator Server running SQL 2008 and Orchestrator, 4 Servers running Windows 2008 (srv1, srv2, srv3,srv4).
The restart order for servers is as following:
Server Name | Restart Order |
srv1 | 1 |
srv2 | 3 |
srv3 | 4 |
srv4 | 2 |
I mapped this restart order in a simple SQL Database configured as the following:
The Runbooks Architecture:
The Orchestrator has 3 RBs defined to achieve what we want:
- the first RB is the launcher, it queries the the database using the following simple query: (use test select hostname from restartordertbl order by restartorder), it queries the table and retrieve the server names and order them with their restart order.
- the RB then writes the servers with their restart priority to a text file, it will be used by a later RB to query server names from that text file (you can write you own script to step that in SQL or csv file, I used text file for simplicity).
- the RB sets counters of no. of rows returned, the the incremental counter used in looping and invokes the Core RB.
- the Core RB is the core RB for this environment, it gets the counters, compare them if they are not equal it knows that it needs to loop and then proceeds with reading from the text file.
- you need to know that the link between the compare value action and append line action (the link with the purple color ) performs the actual decision it allows the RB to proceed only if the value is false which means the values are not equal and stops if the values are equal which means the loop is completed or there is no servers returned by the query.
- it executes the following powershell script to know if the server is pending reboot or not (
$baseKey = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(“LocalMachine”, “\`d.T.~Ed/{A7DF762F-4857-4114-9AD9-AD7FE15F7148}.LineText\`d.T.~Ed/”)
$key = $baseKey.OpenSubKey(“Software\Microsoft\Windows\CurrentVersion\Component Based Servicing\”)
$subkeys = $key.GetSubKeyNames()
$key.Close()
$baseKey.Close()
If ($subkeys | Where {$_ -eq “RebootPending”})
{
throw “updates”
}
Else
{
})
the scripts queries the pending reboot status of the machine, if the machine is pending reboot then it will break throwing an error, if not it will complete correctly.
- The Link between the run powershell action and the restart action (in red color) allows the RB to take the restart path only of the powershell result is failed which is caused by the break event as the server in this case will be pending restart. if not it will take the other path (the green link) which means that server is not pending restart and starts the “Counter Increaser” RB.
- the counter increaser RB is the simplest one, it simply increases the incremental counter and invokes the Core RB looping again.
Things to note:
- in order to loop in Orchestrator you can’t loop within the RB, you need to use another RB for that this is why I have the Counter Increaser RB.
- the powershell could restart the machine, but that didn’t work for me so I used the restart action.
- you can check the link behaviour by selecting a link and click properties.
- Things that needs improvement:
This is a test RBs, we use different RBs in production that meets our specific environment, you will need to modify that above RPs to do:
- Server checking if the server online or not.
- the RBs does restart directly, you will need to include sleep time and restart check to make sure that server completed its restart before proceed with the other restart.
- make the process parallel and maybe restart servers that are not related to others directly.
- send notification to administrator or customer.
- run post restart checks to make sure that server completed the reboto and services started successfully.
- maybe integrate that with SCSM and go with approvals and workflows from there.
you can go epic with this foundation, be dynamic in servers query and database names this can go endless, use this RBs as your foundation and add more and more blocks to meet your infrastructure and customers’ goals, also feel free to comment or ask question I will be glad to do so.
attached below the working RBs they include every thing, make sure to check each step and read description thoroughly, you can download them from https://skydrive.live.com/embed?cid=6B566FD2C47B21C4&resid=6B566FD2C47B21C4%21130&authkey=AB25TJ854Zc4IT0
until later time and happy Eid
Mahmoud
No More local names in the certificate starting November 2015 #MsExchange #Lync #ucoms #lync2010 #Microsoft Part1
Starting November 2015 all public domains providers will prohibit the use of invalid domain names, this is because internal servers names are common and could be falsified and end server connection can’t be assured, you can read more about it here
http://www.digicert.com/internal-names.htm
and
http://www.networking4all.com/en/ssl+certificates/faq/change+san+issue/
The reason that is given for the change is that the internal server names are not unique and therefore easy to falsify. With common names like server01 or webmail, the end user is never sure if it is actually dealing with the right party or with a malicious.
The changing legislation for SSL Certificates shall start on 1 November 2015. This means, from that date, the invalid Fully-Qualified Domain Names (hereafter called FQDN) will no longer be accepted at the standard of the CA/Browser Forum and after that date such certificates may no longer be issued. All certificates issued after 1 November 2015 and meet this qualification will be revoked upon discovery.
Users who are requesting a certificate on an invalid FQDN with an expiration date after 1 November 2015 should remember that their certificates will be revoked after 1 November 2015. After this date, no SAN SSL Certificate with a reserved IP address or internal server name will be issued either.
you can download the new certificate requirement for the cabforum here http://www.cabforum.org/Baseline_Requirements_V1.pdf
What does that means:
if you are running your domain using an invalid name (.local or .dom) you might face some issues depending on your configuration, the most commonly affected applications by this changes are Microsoft Exchange and Microsoft Lync servers.
for years we have been using the UCC certificate which allowed us to include internal server names along within the public certificate which offered a simplified configuration, I do believe that this change will require massive changes in the Exchange and Lync infrastructure to support this change.
For Microsoft Exchange:
Depending on your configuration you might need to do some changes in your infrastructure to support this change, let us divide the configuration as following:
1- Your Active Directory domain name is domain.com or other valid domain names:
if your Active Directory domain is running domain.com name or other valid domain names, then most probably your changes are minimal, the only catch here if your users are accessing OWA using https://mail or https://Exchange internally for end users simplicity, this will not be supported or working anymore and you will need to work with your end-users to fix that.
2- your Active Directory domain is domain.local (or other invalid name):
oooh baby, you will have fun, because of how internal and external URLs in Exchange are functioning you will need to do more than just a new certificate request for your servers, but again it depends on how you configured your Exchange servers:
For a single Active Directory site deployment:
If your Internal URLs for Exchange Webservices uses External names, then you are fine, but if you are running a single Website for OWA, OAB and other webservices functionality, you will have to consider 2 solutions:
- Change the internal names of the vDirectories to include public domain names (.com or .net for example) this will require creating the correct DNS zones in Active Directory (domain.<valid domain>) and configure the entries in that DNS zone to map to the correct internal and external IPs (some services will point to internal IPs like Exchange webservices and some will point to External IPs like your website for example), you might also require some changes in the certificate to include the new names or purchase a new certificate to accommodate the new names.
- Create a new website on the Exchange and split the traffic between the External website and the internal website, for the new website you will need to include the correct names (either internal and External) and configure a new IP for the CAS servers, using host headers with OWA and ECP currently breaks OWA/ECP thus you will need to assign your CAS servers new IP, and configure the websites to listen on its corresponding IPs and configure publishing rules to publish the new configuration (this also depends on your network infrastructure and firewall configuration).
- External Names and its certificate will need to be revisited to issue the correct names in the certificate, I am not sure whether old certificate will be revoked or kept as-is, but if they will be kept until they are revoked and never re-issues then you can skip this step.
- You might need to check you NLB configuration if it is there to include a new NLB IP for the internal Names.
For a Multi Active Directory site deployment:
again it depends on your configuration, and this might be a little tricky because or redirection and proxying, I have tried to simplify it but I couldn’t as there are various factors and configurations but here are some guidelines:
- Document how you are doing OWA and webservices right now, also how your are doing your proxy or redirect configuration.
- External Names and its certificate will need to be revisited to issue the correct names in the certificate, I am not sure whether old certificate will be revoked or kept as-is, but if they will be kept until they are revoked and never re-issues then you can skip this step.
- Internal Names will need to be checked and either re-mapped to names that includes valid external domains and this will require DNS and certificate changes as I stated above.
- Internal names that will be kept internal will need to use their own website, new IPs and Certificate which might be re-issued, also you might want to re-visit your NLB configuration, also you will need to check you NLB configuration.
- you will need to revisit your InternalNLBBypassUrl , the recommendation is not to change it from the internal server name and for the time being I don’t have another recommendations, and until then and if you do Proxy across the sites you might stuck with the new website option
in part 2 we will see how the change affects Lync 2010.
Invitation for Windows 8 Metro Style Development using HTML5 & java script–Arabic Speaker #Egypt #Microsoft
HTML5 is the next wave for standards aiming at transforming standard web technologies into a great application development platform. Windows 8 is the first OS to integrate HTML5 as a first class development platform.
In this session we will explore how to take advantage of new HTML5 features like Enhanced Layout, CSS3 Transitions and Animations, and Touch Support, beside introducing how to integrate with the rich WinRT API like Enhanced UI Controls, HW Device Support, and Store Integration.
Please join us at the “Windows 8 Metro Style Development using HTML5 & java script”, to learn more about these guiding principles.
Date: Tuesday July 10th, 2012
Time: 10:00 AM – 3:00 PM
Session: “Windows 8 Metro Style Development using HTML5 & java script”
Speaker: Yasser Makram
Venue: Microsoft building – Smart Village
Now, you can join the session online through the below links:
Note: please make sure that you are using good internet connection
Join online meeting
https://join.microsoft.com/meet/azzae/88CNPVBK
Join by Phone
+20235393330
July 2012 #mvpbuzz #Microsoft
below the list of MEA MVPs for July 2012:
Renewed MVPs
Influencer |
Technical Expertise |
Country/Region |
Mustafa Acungil |
SQL Server |
Turkey |
Alon Fliess |
Visual C++ |
Israel |
Pnina Zinger |
Project |
Israel |
Aviv Liberman |
Visio |
Israel |
Tarek Majdalani |
Forefront |
Kuwait |
Muhammad Imran Khawar Bodla |
SharePoint Server |
Pakistan |
Hakan Uzuner |
Directory Services |
Turkey |
Gokhan Senyuz |
Enterprise Security |
Turkey |
Shay Levy |
PowerShell |
Israel |
Ockert Johannes du Preez |
Visual Basic |
South Africa |
Muhammad Umair |
Visual Basic |
Saudi Arabia |
Gail Shaw |
SQL Server |
South Africa |
Ali Tahiri |
Visual Studio ALM |
Morocco |
Michael (Micky) Avidan |
Excel |
Israel |
Baki Onur Okutucu |
Windows Expert-IT Pro |
Turkey |
Adil Ahmed Mughal |
Visual C# |
Pakistan |
Alex Golesh |
Silverlight |
Israel |
Yaron Naveh |
Connected System Developer |
Israel |
Dylan Haskins |
Dynamics CRM |
South Africa |
Bechir Gharbi |
System Center Configuration Manager |
Tunisia |
Meir Dudai |
SQL Server |
Israel |
Ahmet Sertay Halka |
Connected System Developer |
Turkey |
Josh Reuben |
Technical Computing |
Israel |
Ronen Chenn |
SQL Server |
Israel |
Idan Plotnik |
Forefront |
Israel |
Mustafa Kara |
System Center Cloud and Datacenter Management |
Turkey |
Burak Batur |
SharePoint Server |
Turkey |
New MVPs
Influencer |
Technical Expertise |
Country/Region |
Serkan Varoglu |
Exchange Server |
Bermuda |
Yaniv Totshvili |
Exchange Server |
Israel |
Retired MVPs
Sadly, we had to say goodbye to the following MVPs this cycle, but they stay on our watch list for possible nominations in the future.
Influencer |
Technical Expertise |
Country/Region |
Ediz Ozturk |
System Center Configuration Manager |
Turkey |
Peter Willmot |
SQL Server |
South Africa |
Khalil ur Rehman Khan |
SharePoint Server |
Pakistan |
Erbug Kaya |
Expression Blend |
Turkey |
Mina Nagy |
Lync |
Egypt |
Alaa Ajweh |
App-V |
Jordan |
Fatih Karaalioglu |
System Center Cloud and Datacenter Management |
Turkey |
In addition, Turkish SQL Server MVP Turgay Sahtiyan is retired due to his recent employment at Microsoft MEA as a Senior Premier Field Engineer.