SuperTekBoy

Practical Help for Exchange & Office 365

Outlook Solutions

Office Activations fails ‘We are unable to connect right now.’

By 4 Comments

Share
Tweet
Share

When trying to activate (or sign in to) Microsoft Office with your Office 365 enterprise credentials, you may receive the following error. You may receive this error despite having internet access and being able to access other Office 365 resources.

Office Signin - We are unable to connect right now. Please check your network and try again later.
We are unable to connect right now. Please check your network and try again later.

Alternatively, you may receive this error.

Sorry, we are having some temporary server issues.

These errors are due to the Office suite (M365 Apps) believing it has no connection to the internet. The Office suite uses Windows to determine if it is connected to the internet. If Windows does not believe it is connected to the internet, you may see an exclamation symbol in your system tray over the network connection icon. Selecting the network connection icon may indicate that the connection has ‘Limited Access’ or ‘No Internet.’

Are the connection URLs blocked?

Despite this error showing in Office, this is a Windows problem. Several things could make Windows think it has “Limited Internet” or “No Internet.” Some culprits could include a misconfigured VPN, a web proxy intercepting or blocking traffic incorrectly, or restricted location awareness settings.

To determine if this is a VPN or web proxy issue, see if you can navigate to the following URL – http://www.msftconnecttest.com/connecttest.txt. Windows 10 attempts to connect to this URL, retrieve the TXT file, and confirm its content. You can plug this URL into your web browser to see if you can access that file. You should see a response stating “Microsoft Connection Test.”

Microsoft Connection Test URL accessed by Windows 10 Network Location Awareness service

If you don’t get this response, or you get an error accessing this page, make sure that any web proxies or firewalls do not block msftconnecttest.com (over port 80) in your environment.

If this test is successful, Windows 10 then attempts to resolve dns.msftncsi.com via DNS lookup. Note that this URL will not return any response in a browser. But you should confirm a firewall or web proxy does not block this URL.

For more information on what URLs Windows 10 uses to check network connectivity, plus registry keys to confirm the NCSI probe has not been disabled, check this article: An Internet Explorer or Edge window opens when your computer connects to a corporate network or a public network

[Read more…] about Office Activations fails ‘We are unable to connect right now.’

Office Activation fails ‘This feature has been disabled by your administrator.’

By Leave a Comment

Share
Tweet
Share

When trying to activate (or sign in to) Microsoft Office with your Office 365 enterprise credentials, you may receive the following error.

Office Activation - This feature has been disabled by your administrator
This feature has been disabled by your administrator.

This error is likely a result of a group policy.

To check this, open Group Policy Management Console (GPMC). From the GPMC, expand your domain name (e.g., skaro.local) and Group Policy Objects.

Select your policy that is managing the Office suite and click the Settings tab. Expand User Configuration (Enabled) > Policies > Administrative Templates > Microsoft Office 2016 > Miscellaneous. If you see a setting named Block signing into Office that is Enabled, this is the culprit.

Group Policy - Block signing into Office Group Policy Management Console

Note: If you do not see this setting, I recommend checking all group policies currently applied to the impacted user. You can get this by running GPRESULT from a command prompt on your impacted user’s computer.

[Read more…] about Office Activation fails ‘This feature has been disabled by your administrator.’

Outlook 2013: Your account is in a bad state

By Leave a Comment

Share
Tweet
Share

Starting November 1st, 2021, only Outlook 2013 SP1 (build 15.0.4971.1 and greater) will be able to connect to Microsoft 365 services. This means older Outlook 2013 builds, and Outlook 2010 and earlier will not connect to Microsoft 365. This new requirement goes hand in hand with the deprecation of basic auth, requiring Outlook 2013 SP1 (build 15.0.4753.1 and greater). Microsoft is deprecating basic auth on October 1st, 2022.

That said, if you are already blocking legacy auth for Outlook clients (or you are reading this post after October 1st, 2022), you may receive the following error when trying to sign in to your Office 365 account with Outlook 2013 or any other Office suite product. In addition, your Outlook 2013 client might not be able to connect to your Office 365 mailbox either.

When signing in to your Office 365 account via File > Office Account > Sign In from any Office suite product, you receive the following error.

Your account is in a bad state. Please sign-in to this account online to address the issue.
Your account is in a bad state. Please sign-in to this account online to address the issue

Alternatively, you may first see the error below which can then lead to the error above when you click the Fix me button.

Account Error: There are problems with your account. To fix them, please sign in again.
There are problems with your account. To fix them, please sign in again.
[Read more…] about Outlook 2013: Your account is in a bad state

Workaround: Replying to a message with an invalid S/MIME digital signature fails

By 6 Comments

Share
Tweet
Share

If you received a message with an invalid or untrusted S/MIME digital signature, you might have problems replying to that message with Outlook on the Web (OWA).

The inability to reply is not necessarily a bad thing as it might indicate an impersonation attempt. Impersonation is where a bad actor pretends to be someone you know, often for financial gain. A common example of impersonation is a bad actor pretending to be a CEO asking their company accountant to wire money to the bad actor’s bank account.

So, if you see a failed digital signature, it is a good time to pause and determine if the sender really is who they say they are through other verified mechanisms (e.g., call them on a trusted phone number). Then validate if they are aware of the digital signature issue to see if they are already working to resolve it.

If using a product like Office 365, you can also check if the message has failed any impersonation checks. For example, are safety tips in OWA warning that you don’t typically receive mail from this sender with that email address.

The screenshot below provides an example of a message received in OWA where the S/MIME digital signature is not considered valid or trusted. Clicking the click here link gives us some additional insight into the error. We can see OWA does not trust this certificate because it has a broken certificate chain, more than likely caused by a missing or expired intermediary cert.

The digital signature on this message isn't valid or trusted OWA

When attempting to reply to this message in OWA, you may receive the following error.

This message can't be sent right now. Please try again later.
This message can't be sent right now. Please try again later.
[Read more…] about Workaround: Replying to a message with an invalid S/MIME digital signature fails

Former Calendar Delegate still receives meeting notifications

By 9 Comments

Share
Tweet
Share

Calendar delegation allows a user to manage someone else’s calendar on their behalf. For example, an assistant could be granted delegator rights to their manager’s calendar. Through delegation, the assistant has the right to add, edit, or delete items from their manager’s calendar. A delegate can also be granted the ability to view items marked as private. Aside from calendar permissions, the delegate can receive meeting invites on behalf of the delegator and respond to those invites (accept, decline, tentative, propose new time).

When an assistant no longer needs to access their manager’s calendar, they can be removed as a delegate. Either the manager can do this via the Outlook client or an Exchange administrator by using PowerShell. When their delegation rights have been removed, all access to the calendar is revoked. In addition, meeting invites are no longer sent to the delegate to accept or decline.

It is possible that even when the delegate permissions have been revoked, the assistant could still unexpectantly receive items sent to their manager. In this article, we look at a couple of possible areas that could be forwarding these items to the former delegate.

Let’s get started!

Verify the user is no longer a delegate

The first item to confirm is whether the delegate rights have been properly removed. To do this, connect to Exchange PowerShell and run the following command.

 C:\> Get-MailboxFolderPermission -Identity river.song@xyz.com:\Calendar

FolderName            User                  AccessRights
----------            ----                  ------------
Calendar              Default               {AvailabilityOnly}
Calendar              Rory Williams         {Editor}

In the example above, we are checking the calendar permissions for the user River Song. We use the Get-MailboxFolderPermission command for this purpose. The Identity parameter is a combination of the delegator’s email address and the folder in question. In this case, the calendar folder. You can also use this command against any other folder in the mailbox. In our example, we want to see if River Song’s former assistant, Amy Pond, still has any rights to River’s calendar.

The example output returns two entries. The first is for a user named Rory Williams. We see Rory Williams has editor rights to River’s calendar. We also see a user named Default. Default is the default permission users receive if they have not been granted explicit permissions. In the example above, Rory Williams would receive editor rights to River’s calendar, whereas all other users will only see River’s free/busy information (availability only). Amy Pond is not identified in this output, so she should only receive free/busy information. In this example, Amy is not a delegate.

If the output had returned Amy Pond as a user, we could remove those rights using the Remove-MailboxFolderPermission. For example, to remove all of Amy’s permissions from River’s calendar folder, we would issue the following command.

 C:\> Remove-MailboxFolderPermission -Identity river.song@xyz.com:\Calendar 
-User amy.pond@xyz.com
[Read more…] about Former Calendar Delegate still receives meeting notifications

RPC/HTTP & Block Legacy Auth may prevent Outlook reconfiguration after migrating to Exchange Online

By 4 Comments

Share
Tweet
Share

I have had a few projects now where one of the security requirements for Office 365 was to implement a conditional access policy that blocked legacy authentication (also known as basic auth). What this block does is enforce modern authentication for all clients. Any clients not using modern authentication will be denied access to all Office 365 resources.

In each of these projects, these security policies were enforced prior to moving any mailboxes to Exchange Online. In each case we ran into the same two symptoms:

  • The Outlook client (which supported modern authentication) failed to reconfigure after a mailbox migration to Exchange Online
  • Any on-premises users with permissions to a migrated mailbox were now getting a continuous basic authentication prompt

How the conditional access policy was configured

In all cases, the conditional access policy was scoped to all users and all cloud apps.

Conditional Access Policy - Block Legacy Authentication (Basic)

Conditions scoped under Client Apps were set to include Mobile apps and desktop clients with a subitem of Other clients. No other conditions were set. The access control was to Block access.

Conditional Access Policy - Block Legacy Authentication (Basic) 2

Note: “Other clients” includes clients that use basic/legacy authentication, and do not support modern authentication. Reference: Conditional Access: Conditions

After we migrated a mailbox and Outlook failed to reconfigure (continuous legacy auth prompts) we could see the failure under Azure AD Sign-Ins. Oddly our Outlook client (Office ProPlus) which supported modern authentication was being blocked due to legacy authentication.

Azure AD Sign-Ins Conditional Access Failure RPC over HTTP
[Read more…] about RPC/HTTP & Block Legacy Auth may prevent Outlook reconfiguration after migrating to Exchange Online