Wednesday, 12 November 2014

Voice mail in Outlook 2013 won't Play on Phone

We have users who are trialling Office 365 for their email but use an on-premise Lync 2013 phone system. When they get a voice mail in their Outlook 2013 (with and without SP1), there is a Play on Phone option that is meant to ring their phone and play the voice mail.
However, when they click on that, the following error pops up.
The Microsoft Exchange Unified Messaging service cannot be contacted to play messages on your phone. Try again later. If this problem continues, contact your Exchange administrator or support organisation.
Since I administer our Exchange 2010, I got lumped with finding out why it wasn't working. It took a while to check certificates etc. between the Lync servers, the UM servers, the CAS boxes and the O365 end points, and they all looked fine. There were no error messages in any server logs either.

Interestingly, if I did the same "Play on Phone" action from the Office 365 Outlook Web interface it worked, meaning that at least from off site the certificates were fine and everything was talking. After another look at the client with Wireshark, I noticed that there was no network traffic at all when the button was clicked, which led me to look at the Outlook client itself. A few hotfix tests later, it seems that KB2880477 is the answer.

There is no mention of the issue in that KB, but the version of UmOutlookAddin.dll in the Outlook 2013 SP1 "Microsoft Exchange Add-in" changed from 15.0.4569.1503 to 15.0.4629.1000, and Play on Phone now works.

Wednesday, 23 July 2014

Changing the Federation Service name in ADFS 3.0

I was configuring a Windows Server 2012 R2 server with ADFS to talk to Office 365 and set it up with the wrong name ( instead of the desired Easy I thought, I'll just go and change it in the ADFS config and test it. Nope, that didn't work. Ok, I'll Google it. Nope, NOTHING about changing the Federation Service name in ADFS 3.0 (as at March 2014).

So, how I fixed it (in my mythical domain).

  • In the AD FS MMC tool, click "Edit Federation Service Properties" on the right and change the Federation Service name and identifier.
  • Add the new DNS name to point to the same IP address as the
  • Update the certificates it uses: in PowerShell, run "Update-ADFSCertificate". This generates a new token-decrypting certificate and a new token-signing certificate, which you can see in the MMC (under AD FS -> Service -> Certificates). The old certificate is still the primary.
  • In the GUI, notice that you can't swap the primary and secondary around yet. In PowerShell, run "set-ADFSProperties -AutoCertificateRollover $false".
  • In the GUI again, make the new certificate the primary and delete the old certificates in both sections.
  • In PowerShell, run "set-ADFSProperties -AutoCertificateRollover $true".
  • In ADUC, change the SPN value on the ADFS farm service account from "host/" to "host/"
  • In PowerShell again, type "get-ADFSSslCertificate"; this should show three certificates, two for the hostname and one for localhost. Copy the CertificateHash and use it here: "set-ADFSSslCertificate -thumbprint <CertificateHash>". Run "get-ADFSSslCertificate" again and there should be 5 certificates now: one for localhost, two for the old name and two for the new name. This must be done on each server in the farm.
  • In the mmc, change the Device Registration Service identifier too (AD FS -> Trust Relationships -> Relying Party Trusts).
  • Restart the ADFS service.
That should be about it. Test it by going to "" and seeing if you can log in. If not, check that the ADFS farm service account has read rights to the user account you are trying to log in with.
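The same procedure as one PowerShell script, added here as an example and not taken from the original post. The old/new names, the service account and the Identifier URL form are placeholders I assumed, setspn stands in for the ADUC edit of the SPN, and the Device Registration Service identifier is still changed in the MMC as in the list above.

```powershell
# Added example, not from the original post. Placeholders (assumed, replace them):
$OldName        = 'adfs-old.example.com'   # old Federation Service name
$NewName        = 'adfs-new.example.com'   # new Federation Service name
$ServiceAccount = 'EXAMPLE\svc-adfs'       # ADFS farm service account
# Run elevated on the primary ADFS server; the SSL-binding step repeats on each farm server.

Import-Module ADFS

# Step 1: Federation Service name and identifier (the "Edit Federation Service Properties" step).
# The identifier URL form is an assumption; check what your farm currently uses.
Set-AdfsProperties -HostName $NewName -Identifier "http://$NewName/adfs/services/trust"

# Step 2: generate new token-signing and token-decrypting certificates; old ones stay primary.
Update-AdfsCertificate

# Step 3: primary/secondary can't be swapped while auto-rollover is on, so turn it off.
Set-AdfsProperties -AutoCertificateRollover $false

# Step 4: for each type, promote the newest non-primary certificate, then remove the old primary.
foreach ($type in 'Token-Signing', 'Token-Decrypting') {
    $certs = Get-AdfsCertificate -CertificateType $type
    $old   = $certs | Where-Object { $_.IsPrimary }
    $new   = $certs | Where-Object { -not $_.IsPrimary } |
             Sort-Object { $_.Certificate.NotBefore } -Descending | Select-Object -First 1
    if (-not $new) { throw "No secondary $type certificate found; did Update-AdfsCertificate run?" }
    Set-AdfsCertificate -CertificateType $type -Thumbprint $new.Thumbprint -IsPrimary
    Remove-AdfsCertificate -CertificateType $type -Thumbprint $old.Thumbprint
}
Set-AdfsProperties -AutoCertificateRollover $true

# Step 5: move the host SPN on the service account from the old name to the new one.
setspn -D "host/$OldName" $ServiceAccount
setspn -S "host/$NewName" $ServiceAccount

# Step 6: SSL binding. Reuse the hash already bound for the old name so the new name gets
# the same certificate. Repeat this block on every server in the farm.
$binding = Get-AdfsSslCertificate | Where-Object { $_.HostName -eq $OldName } | Select-Object -First 1
if (-not $binding) { throw "No SSL binding found for $OldName" }
Set-AdfsSslCertificate -Thumbprint $binding.CertificateHash
Get-AdfsSslCertificate    # expect localhost plus two entries each for old and new name

# Step 7: the Device Registration Service relying-party identifier is changed in the MMC.
Restart-Service adfssrv
```

The certificate the new name is bound to must of course also carry the new name in its subject or SAN, otherwise browsers will reject the new URL even though the binding succeeds.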

In hindsight, deleting the farm, wiping the farm server and restarting from scratch would have been about as easy.

Edited 20150908 to change the set-ADFSProperties certificate rollover step, thanks anonymous commenter!