How to Install Universal Media Server UMS on Ubuntu in Headless mode

Updated for Ubuntu 14.04

Universal Media Server is a fork of the very useful PS3 Media Server. Although PS3MS was a great solution, it had some shortcomings, especially with certain file formats and containers. I tried UMS and loved it. It is easy to install and, at least for now, streams and transcodes every media file I have for playback on any device, including the PS3 and the Sony SMP-N200 I use on other TVs.

So, working with any Ubuntu 14.04 server, here is my step by step to get UMS installed and working.

First you must have Java 7 JRE installed on the server. OpenJava will not work.

apt-get install software-properties-common
apt-get update
apt-get install openjdk-7-jre openjdk-7-jre-headless

With Java installed, we now need to add some other pre-reqs:

apt-get install mediainfo dcraw vlc-nox mplayer mencoder

I’m going to use the /opt directory for the install. Then we download the latest UMS package from SourceForge; check the UMS webpage to find the latest version. As I write this, the latest is 5.2.3. After the download is complete, unpack the file with tar. I create a softlink at /opt/ums so that when we need to upgrade, we can just point the softlink to the new directory without touching the config files we will keep in /etc/ later on.

cd /opt
tar -xvzf UMS-5.2.3-Java7.tgz
ln -s /opt/ums-5.2.3 ums
rm UMS-5.2.3-Java7.tgz

Next we need to create the init.d script to auto start the app when the server boots, as well as have better control over the service.
We will create /etc/init.d/ums.

nano /etc/init.d/ums

Copy the following into the new file:

#!/bin/bash
### BEGIN INIT INFO
# Provides:          ums
# Required-Start:    $local_fs $remote_fs $network
# Required-Stop:     $local_fs $remote_fs $network
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Starts UMS program.
# Description:       Java Upnp Media Server dedicated to PS3
### END INIT INFO

#set -x

# Author: Papa Issa DIAKHATE <>
DESC="Universal Media Server"
NAME="ums"
SCRIPTNAME="/etc/init.d/$NAME"
# The next three values follow the layout used in this guide (/opt/ums softlink,
# config in /etc); adjust them if your install differs.
DAEMON="/opt/ums/UMS.sh"            # launcher script shipped in the UMS tarball
DAEMON_OPTS=""                      # extra arguments for UMS.sh, normally none
UMS_PROFILE="/etc/UMS.conf"         # profile (config file) UMS reads at startup
LOGFILE="/usr/share/ums/debug.log"  # UMS debug log, rotated on every stop
LOGKEEP=5                           # how many rotated copies of debug.log to keep
UMS_START=1 # Whether to start UMS at boot time or not.
DODTIME=30  # Time to wait for the server to die, in seconds.
            # If this value is set too low you might not
            # let the program die gracefully and 'restart' will not work

test -x $DAEMON || exit 1

# Load the VERBOSE setting and other rcS variables
. /lib/init/vars.sh

# Define LSB log_* functions.
# Depend on lsb-base (>= 3.0-6) to ensure that this file is present.
. /lib/lsb/init-functions

# Include ums defaults if available
if [ -f "/etc/default/$NAME" ] ; then
        . /etc/default/$NAME
fi

# May we run the init.d script ?
[ $UMS_START = 1 ] || exit 1

# Some color codes
txtred=$'\e[0;31m' # Red
txtylw=$'\e[0;33m' # Yellow
txtrst=$'\e[0m'    # Text Reset

warnout() {
    echo >&2 -e ""$txtylw"Warning:$txtrst $1"
}

# Succeeds if a UMS java process is running and leaves its PID(s) in $pid
running() {
    pid=`pgrep -f 'java .*ums.jar.*'`
    [ -n "$pid" ]
}

# Shift debug.log -> debug.log.1 -> debug.log.2 ... so the next start writes a fresh log
rotate_log() {
    local count=$LOGKEEP plus
    if [ -e "$LOGFILE" ]; then
        while [ $count -ge 1 ]; do
            plus=$((count + 1))
            if [ -e "$LOGFILE.$count" ]; then
                mv "$LOGFILE.$count" "$LOGFILE.$plus"
            fi
            count=$((count - 1))
        done
        mv "$LOGFILE" "$LOGFILE.1"
    fi
}

do_start() {
    running && { warnout "$NAME is already running !"; exit 0; }
    echo "Starting $DESC : $NAME"
    UMS_PROFILE="$UMS_PROFILE" start-stop-daemon --start --quiet --background --oknodo \
        --exec $DAEMON -- $DAEMON_OPTS
}

do_stop() {
    running || { warnout "$NAME is NOT running !"; exit 0; }
    local countdown="$DODTIME"
    echo -e "Stopping $DESC : $NAME \c "
    kill -9 $pid
    while running; do
        if (($countdown >= 0)); then
            sleep 1; echo -n .;
            countdown=$((countdown - 1))
        else
            break
        fi
    done
    echo
    # If still running, then try to send SIGINT signal
    running && { \
        echo >&2 "Using kill -s SIGINT instead"; \
        echo >&2 "If you see this message again, then you should increase the value of DODTIME in '$0'."; \
        kill -2 $pid; \
    }
    rotate_log
    return 0
}

do_force_stop() {
    running || { warnout "$NAME is NOT running !"; exit 0; }
    echo "Stopping $DESC : $NAME"
    kill -9 $pid
    rotate_log
}

do_status() {
    echo -n " * $NAME is "
    ( running || { echo "NOT running "; exit 0; } )
    ( running && { echo "running (PID -> $(echo $pid))"; exit 0; } )
}

case "$1" in
    start)
        do_start
        ;;
    stop)
        do_stop
        ;;
    force-stop)
        do_force_stop
        ;;
    restart|reload|force-reload)
        do_stop
        do_start
        ;;
    force-restart)
        do_force_stop
        do_start
        ;;
    status)
        do_status
        ;;
    *)
        echo "Usage: $SCRIPTNAME {start|stop|force-stop|restart|force-restart|reload|force-reload|status}"
        exit 1
        ;;
esac

exit 0

Now add execute permissions to the script and register it with update-rc.d:

chmod +x /etc/init.d/ums
update-rc.d ums defaults

A sample conf file that you can use is at /opt/ums/UMS.conf; copy it to /etc/UMS.conf and edit it to fit your needs. It has all the configurable options and is probably more than most will need. Also copy in the WEB.conf file to handle web streams if you use that functionality. (Thanks Wolfgang Hochweller)

cp /opt/ums/UMS.conf /etc/
cp /opt/ums/WEB.conf /etc/

Configuration is done in the /etc/UMS.conf file. At the very least you will want to add the location of the media to share.

folders=/mnt/media/tv, /mnt/media/movies, /mnt/media/music

Pay attention to the following items, especially for those hosts with multiple NICs.


Now start UMS:

service ums start

That’s it. It should be running and advertising itself via UPnP/DLNA on the local network.

Install Couchpotato on Ubuntu Server

Couchpotato is an automatic NZB downloader, very similar to SickBeard: it watches newsgroups for NZB files, downloads the NZB, and hands the file off to SABnzbd or another download utility, or saves it to a directory so that the system can download the media.

In this example, I have a Linux server running SABnzbd. If you don’t have this set up, have a look here:
The goal here is to have Couchpotato watch for and pull the NZB, hand it off to SABnzbd, and let the server download the file.

I like to keep these “all in one” apps in /opt/.

cd /opt

If you don’t already have Git installed, you will need that:

apt-get install git-core

Grab the source from git.

git clone

Once the Git clone is complete, you should have a /opt/CouchPotatoServer directory.

Since I don’t want to run Couchpotato as root, I’m going to change the user it runs under. I already had a user called ‘nzbd’ from the previous SABnzbd/SickBeard installations, so I’m going to use that, since it already has permission to write NZB files to the correct directories for SAB.

Here, let’s change the ownership of the new CouchPotato directory.

chown -R nzbd:root CouchPotatoServer/

Next, copy the init script to /etc/init.d/ and make it executable. Copy the defaults file into /etc/default:

cp /opt/CouchPotatoServer/init/ubuntu /etc/init.d/couchpotato
chmod +x /etc/init.d/couchpotato
cp /opt/CouchPotatoServer/init/ubuntu.default /etc/default/couchpotato

Edit /etc/default/couchpotato and set the path and user as needed. If you are following my tutorials, I have a common account called nzbd for all download applications that use SABnzbd.

nano /etc/default/couchpotato

# path to app
# user

And finally, add it to start automatically.

update-rc.d couchpotato defaults

With the install completed, open a browser and connect to the Linux host on port 5050 to access Couchpotato’s config page.

Since this is a new install, we don’t need to import a data.db. If you have one, Enter the location of the data.db here.

Here we add an ID/password to the Couchpotato website. I always add one to all my sites. You can also change the default port if you want. I left it at the default of 5050.

Here you can specify the nzbd download app you are using. In this example, we use SABnzbd. So I check the box next to SAB and enter the information.
1) SAB host, I’m running on localhost:8080
2) SAB api key. This is found in the SAB webpage -> config -> general. Copy and paste the API key from the API key field.
3) Add a category. I used ‘movies’.

This is where you add the information on your news provider. Whatever service you have, check the box and fill in the info required. The API keys for these services can be found on that service’s website under your account logon. Copy and paste the API key if needed.

Couchpotato will move and rename files for you after a complete download. Fill in the fields as needed. In my example, I am moving items:

FROM    /home/nzbd/Downloads/complete/
TO      /mnt/media/movies

Leave everything else as default.

Add movies to your wanted list
I love this little feature. Add the +Couchpotato link to your browser and as you browse IMDB or other sites, you can add the movie directly to your couchpotato want-list.

That’s it. Open up your browser, point it to your host on 5050, and start adding items.

If you enter a search item and nothing pops up, restart couchpotato on the server to kick it into gear.

Block the Win 10 style Data Gathering from Windows 7/8/Server2008

Microsoft Windows 10 has some pretty intrusive data gathering built into the operating system. It collects anonymous and not-so-anonymous data from users of the operating system. Today, MS released 4 optional updates to bring the Win 10 style telemetry and data gathering to previous versions of Windows.

The 4 updates are:


MS fanboys will claim there’s nothing personal that MS takes… but I say, do you really trust them?
People will claim iOS and Android already do this… but I say, why give them anything about yourself at all if you can avoid it?
Many say we already post about ourselves online in social media… For those of us who don’t, I say don’t apply these updates.

To block them, simply hide the updates in Windows Update.
Go to Control Panel -> Windows Update, or START -> Search -> Windows Update.

Select Optional Updates

Right Click each of the 4 updates and select ‘Hide Updates’

Hit OK and that’s it. Gone until MS tries to sneak it in again down the road.

Another option is to use this OpenSource Program to disable the tracking:

Lastly, if you already installed the KBs, you can uninstall them directly from “Programs and Features” in Control Panel.

StrongSwan Ipsec VPN for Remote Users with Certificate Based Authentication

This is a working strongSwan IPsec config that can be used for a roadwarrior setup, giving remote users certificate-based authentication instead of an ID/password.

This is a pure IPsec with ESP setup, not L2TP.
This is not 2-factor; it is cert only.

To get started:

sudo apt-get install strongswan

You need a CA that is capable of registering Alt Names in a cert. OpenSSL can do this easily. I used this guide to set up the basic OpenSSL CA.

Once the CA is ready and you have generated your ca cert and ca private key, you next need to create a cert for the ipsec host and a cert for the end user.

For the server:
Since I need the Alt Names in the certs, make a copy of /etc/ssl/openssl.cnf to be used for the server, and edit the copy so it carries the extension settings below (the DNS names are your host’s names).

cp /etc/ssl/openssl.cnf /etc/ssl/openssl-for-server.cnf

# Extension copying option: use with caution.
copy_extensions = copy

[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = @alt_names

[alt_names]
DNS.1 =
DNS.2 =

Now, using OpenSSL, create the request for the server, fill in the details of the request as needed, then sign the request.

openssl req -new -nodes -out ipsechost-req.pem -keyout private/ipsechost-key.pem -config /etc/ssl/openssl-for-server.cnf
openssl ca -config /etc/ssl/openssl-for-server.cnf -out ipsechost-cert.pem -in ipsechost-req.pem

Copy the certs to the correct locations for strongswan to use.

cp cacert.pem /etc/ipsec.d/cacerts
cp ipsechost-cert.pem /etc/ipsec.d/certs
cp private/ipsechost-key.pem /etc/ipsec.d/private/

strongSwan is configured using the /etc/ipsec.conf and /etc/ipsec.secrets files.
This is a very simple config that will work for providing access to remote users (fill in the blank values for your environment).
Edit /etc/ipsec.conf:

# /etc/ipsec.conf - strongSwan IPsec configuration file
config setup

conn %default

conn common
        left=IP_OF_IPSEC_HOST          # IP of the host
        leftcert=ipsechost-cert.pem    # the cert we just created and copied
        leftid=                        # the Alt Name in the cert we just created
        leftsubnet=                    # the internal subnet the remote user wants to access
        right=%any                     # connections can come from anywhere
        rightsourceip=                 # use this pool of IPs to assign to inbound connections

conn ikev2

Edit the /etc/ipsec.secrets file:

: RSA ipsechost-key.pem

Restart/reload IPsec:

ipsec restart

I like to watch logs just to be sure there are no errors:

tail -f /var/log/syslog /var/log/auth.log

Next we create a client cert. We need another copy of the OpenSSL config file for user requests, since the Alt Name changes from DNS to email.

cp /etc/ssl/openssl-for-server.cnf /etc/ssl/openssl-for-users.cnf

[ v3_req ]
# Extensions to add to a certificate request
basicConstraints = CA:FALSE
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
subjectAltName = email:copy
#[alt_names]
#DNS.1 =
#DNS.2 =

Create the request, fill in the details as needed for the user (especially the email address), and sign the request. The email address given at the request prompts is used in the cert as the Alt Name and in the config for the user’s side of the tunnel.

openssl req -new -nodes -out user1-req.pem -keyout private/user1-key.pem -config /etc/ssl/openssl.cnf
openssl ca -config /etc/ssl/openssl-for-users.cnf -out user1-cert.pem -in user1-req.pem

You need to copy user1-cert.pem, user1-key.pem, and cacert.pem to the user’s machine. We will need these files to complete the VPN.

On the user’s side:

sudo apt-get install strongswan

Copy the files into the proper directories:
user1-cert.pem to /etc/ipsec.d/certs
user1-key.pem to /etc/ipsec.d/private
cacert.pem to /etc/ipsec.d/cacerts

Edit the client side ipsec.conf. This is a working config:

conn %default

conn roadwarrior
     leftsourceip=%config                # this will take an IP from the IP pool on the server
     leftcert=user1-cert.pem             # the user cert we copied in
     leftid=                             # the email included in the Alt Name of the user cert
     leftfirewall=yes
     right=                              # the location of the host, FQDN or IP
     rightid=                            # the Alt Name used by the ipsec host
     rightsubnet=                        # the subnet on the server’s side you want to access

Edit the ipsec.secrets file

: RSA user1-key.pem

On the client, issue “ipsec restart” and it should attempt to build the tunnel. With that you are done.

Use “ipsec statusall” to get details on the tunnels. From the server, a healthy tunnel looks like this:

Security Associations (1 up, 0 connecting):
       ikev2[11]: ESTABLISHED 3 minutes ago, HOST_IP[]...REMOTE_IP[]
       ikev2[11]: IKEv2 SPIs: 49c4512b56436e5b_i 6276554588ce1803_r*, public key reauthentication in 50 minutes
       ikev2[11]: IKE proposal: AES_CBC_128/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_2048
       ikev2{9}:  INSTALLED, TUNNEL, ESP in UDP SPIs: cd1e015f_i cd3cb1c1_o
       ikev2{9}:  AES_CBC_128/HMAC_SHA1_96, 0 bytes_i, 0 bytes_o, rekeying in 12 minutes

Use “ipsec listall” for details on the host’s certs and configs. Here we want to be sure Alt Names are good, and the CA and certs are loaded correctly.

List of X.509 End Entity Certificates:
  subject:  "C=US, ST=NY, O=OpenPeak, OU=IT,,"
  issuer:   "C=US, ST=NY, L=NY, O=mydomain, OU=IT, CN=ipsecserver-ca,"
  serial:    10:03
  validity:  not before Mar 18 20:44:25 2015, ok
             not after  Nov 24 20:44:25 2028, ok 
  pubkey:    RSA 2048 bits, has private key
  keyid:     10:15:77:ae:2e:a4:e8:3f:cc:1f:6d:a9:d9:80:bd:9f:41:fb:63:e5
  subjkey:   3f:0c:bf:01:2f:c7:16:be:d4:83:5c:76:81:56:a9:f1:3a:84:b4:5f
  authkey:   b7:61:d7:32:19:65:c3:10:1a:43:23:27:bc:46:29:e5:ff:df:03:1c

List of X.509 CA Certificates:

  subject:  "C=US, ST=NY, L=NY, O=mydomain, OU=IT, CN=ipsecserver-ca,"
  issuer:   "C=US, ST=NY, L=NY, O=mydomain, OU=IT, CN=ipsecserver-ca,"
  serial:    db:e9:16:e0:44:a3:57:83
  validity:  not before Mar 18 15:49:45 2015, ok
             not after  Mar 15 15:49:45 2025, ok 
  pubkey:    RSA 2048 bits
  keyid:     18:47:07:92:b8:3d:a0:bb:88:bf:27:2b:4d:0b:a7:79:8b:c1:1b:ba
  subjkey:   b7:61:d7:32:19:65:c3:10:1a:43:23:27:bc:46:29:e5:ff:df:03:1c
  authkey:   b7:61:d7:32:19:65:c3:10:1a:43:23:27:bc:46:29:e5:ff:df:03:1c
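The listall output above is what you eyeball to confirm the Alt Names and that the CA and certs are loaded. As an added pre-flight check (example code, not part of the original post or of strongSwan), the function below does the same three checks on the PEM files before they are copied into /etc/ipsec.d; it assumes openssl is on the path and takes the DNS name (host cert) or email address (user cert) that the peer will use as its ID.

```shell
#!/bin/sh
# Pre-flight check for a strongSwan certificate before it goes into /etc/ipsec.d:
#  1. it chains to the CA we copied to /etc/ipsec.d/cacerts
#  2. the private key going to /etc/ipsec.d/private really belongs to it
#  3. its SubjectAltName carries the identity the peer will use as leftid/rightid
#     (strongSwan matches IDs against the SAN, not against the CN)
# usage: check_ipsec_cert CERT.pem KEY.pem CACERT.pem IDENTITY
#   IDENTITY is the DNS name for the ipsec host cert or the e-mail address for a user cert
check_ipsec_cert() {
    cert=$1; key=$2; cacert=$3; ident=$4
    rc=0

    # 1. chain check; match on the "file: OK" text because old openssl
    #    versions exit 0 even when verification fails
    if ! openssl verify -CAfile "$cacert" "$cert" 2>/dev/null | grep -q ': OK$'; then
        echo "FAIL: $cert does not verify against $cacert" >&2
        rc=1
    fi

    # 2. key/cert pairing: derive the public key from each side and compare,
    #    so a mixed-up key file is caught here rather than in syslog later
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl sha256)
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key is not the private key for $cert" >&2
        rc=1
    fi

    # 3. SAN check: list the SAN entries one per line and require an exact
    #    DNS: or email: entry for the identity (no substring matches)
    san=$(openssl x509 -in "$cert" -noout -text 2>/dev/null \
          | grep -A1 'Subject Alternative Name' | tail -n 1 \
          | tr ',' '\n' | sed 's/^[[:space:]]*//')
    if ! printf '%s\n' "$san" | grep -qxF -e "DNS:$ident" -e "email:$ident"; then
        echo "FAIL: SAN of $cert lacks DNS:$ident or email:$ident (found: $(printf '%s' "$san" | tr '\n' ' '))" >&2
        rc=1
    fi

    [ $rc -eq 0 ] && echo "OK: $cert chains to $cacert, matches $key and carries $ident"
    return $rc
}

# Run directly: check_ipsec_cert.sh CERT KEY CACERT IDENTITY
if [ "$#" -eq 4 ]; then
    check_ipsec_cert "$@"
fi
```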

Note that if you want to enable 2-factor with this, change the OpenSSL request for the clients to omit the -nodes option. This will prompt you for a password during key creation, and that password must be entered every time the client wants to connect.

Windows 2008 R2 Server Windows update unknown error

I’m putting this out there for anyone else. For the last 3 months I had a Windows 2008 R2 server that would not apply Windows updates. “An unknown error has occurred” is all I would get.

This was fixed today. The cause seemed to be a disk filter applied to the local system disk. I had never heard of this before today.

The command FLTMC lists the filter names on the disk. This is from a working server. I don’t know if yours will match exactly.


Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
VirtFile                                0       429999.280700    0
msnfsflt                                0       364000         0
luafv                                   1       135000         0

Now when my server was in an error condition, this listing had an additional entry with the highest ‘Altitude’ value.


Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
CpsFsJnl                                0       429999.999999    0
VirtFile                                0       429999.280700    0
msnfsflt                                0       364000         0
luafv                                   1       135000         0

This filter was the cause of my issue. This was a remnant of a Symantec CPS (continuous protection server) installation that was supposedly uninstalled years ago. It apparently left this filter installed and active on the server. It must have been dormant there for years until a windows update or something caused the error condition.

The filter is a system file called cpsfsjnl.sys, and a quick search found it buried in the Program Files directory. I deleted the file (after making a backup just in case). I also exported, then deleted, the following registry entries:


I rebooted the server, checked FLTMC to be sure the CpsFsJnl was no longer listed, and then ran the Windows updates.

So, bottom line, in my case, Symantec CPS left a Virtual Disk Filter on the server that caused the error condition. Removing it fixed Windows updates.

Exchange 2007 Outlook Web Access Error The Password does not meet the minimum security requirements

In Microsoft Exchange OWA (Outlook Web Access), a user attempts to change the account password and encounters the error “The password supplied does not meet the minimum security requirements”. This happens even though the GPO has password complexity disabled.

OWA error message

The cause of the error is the minimum password age in one or more of the applied GPOs on the OWA host.

Change the Policy for Minimum password age to 0. Then either run GPUPDATE /FORCE or just reboot the host.

GPO for Min Password Age

Using Postfix to Relay messages to an ISP Email Server

Since my ISP blocks port 25, preventing me from running my own in-house email, I relay all my in-house emails and notifications generated by various components through the ISP email servers. Internal components send messages to my in-house server on port 25, and those messages are relayed out to the ISP for delivery.

This setup works on Ubuntu 12.04 and 14.04

nano /etc/postfix/

Add the following (obviously replace the domain names and IP ranges with your own.)

myhostname = server.mydomain.local
alias_maps = hash:/etc/aliases
alias_database = hash:/etc/aliases
myorigin = /etc/mailname
mydestination =, localhost
relayhost = []:587
mynetworks = [::ffff:]/104 [::1]/128
mailbox_size_limit = 0
recipient_delimiter = +
inet_interfaces = all

#fix for some isp configs being stupid.
smtp_discard_ehlo_keyword_address_maps = hash:/etc/postfix/busted-servers
smtp_connection_cache_on_demand = no
smtp_discard_ehlo_keywords = pipelining,silent-discard

### Relay client Auth
smtp_sasl_auth_enable = yes
smtp_sasl_security_options =
smtp_sasl_password_maps = hash:/etc/postfix/sasl_passwd

Next we need to give the server the credentials it needs to perform the relay.
Create the password file:

nano /etc/postfix/sasl_passwd

Add the following line for your ISP.


Create the mailname file and change what is there:

echo >> /etc/mailname

Change permissions and run the mapping command.

chmod 600 /etc/postfix/sasl_passwd
postmap hash:/etc/postfix/sasl_passwd

That’s it. Send some test messages to your internal server and it should get delivered.
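As an added check (example code, not from the original post), the function below audits the credential file set up above: the 0600 mode, the "[host]:port user:password" line format, and whether sasl_passwd.db is at least as new as the text file. It assumes GNU stat, and only if postconf is installed does it read smtp_tls_security_level to warn when the relay connection is not required to use TLS.

```shell
#!/bin/sh
# Audit the relay-credential setup from this guide. sasl_passwd holds the ISP
# login in clear text, so it must be unreadable to everyone but root, and
# Postfix only reads the compiled sasl_passwd.db, so a .db older than the text
# file means an edit was made without re-running postmap.
# usage: audit_sasl_passwd [/etc/postfix/sasl_passwd]
audit_sasl_passwd() {
    src=${1:-/etc/postfix/sasl_passwd}
    db="$src.db"
    rc=0

    if [ ! -f "$src" ]; then
        echo "FAIL: $src does not exist" >&2
        return 1
    fi

    # Mode must be exactly 0600: no group or world read on the credentials
    mode=$(stat -c %a "$src")
    if [ "$mode" != "600" ]; then
        echo "FAIL: $src is mode $mode; run: chmod 600 $src" >&2
        rc=1
    fi

    # Every non-comment entry should read "[relay.host]:port user:password",
    # with the [host]:port part identical to relayhost in main.cf
    if grep -vE '^[[:space:]]*(#|$)' "$src" \
       | grep -qvE '^\[[^]]+\]:[0-9]+[[:space:]]+[^[:space:]:]+:[^[:space:]]+$'; then
        echo "FAIL: $src has a line that is not '[host]:port user:password'" >&2
        rc=1
    fi

    # The compiled map must exist and be at least as new as the text file
    if [ ! -f "$db" ]; then
        echo "FAIL: $db missing; run: postmap hash:$src" >&2
        rc=1
    elif [ "$src" -nt "$db" ]; then
        echo "FAIL: $src changed after $db was built; re-run: postmap hash:$src" >&2
        rc=1
    fi

    # The login leaves the box on the relay connection, so the SMTP client
    # should insist on TLS to the ISP (checked only when postconf is available)
    if command -v postconf >/dev/null 2>&1; then
        tls=$(postconf -h smtp_tls_security_level 2>/dev/null)
        case "$tls" in
            encrypt|dane-only|fingerprint|verify|secure) ;;
            *) echo "WARN: smtp_tls_security_level is '$tls'; 'encrypt' keeps the ISP login from crossing the wire in clear text" >&2 ;;
        esac
    fi

    [ $rc -eq 0 ] && echo "OK: $src is root-only, well-formed and $db is current"
    return $rc
}

# Run directly: audit_sasl_passwd.sh [/path/to/sasl_passwd]
if [ "$#" -ge 1 ]; then
    audit_sasl_passwd "$1"
fi
```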

Installing SCEP using Microsoft NDES

SCEP (Simple Certificate Enrollment Protocol) is a standard solution for admins wishing to deploy certificates to devices with little interaction and no manual uploading/downloading of cert files between systems. NDES (Network Device Enrollment Service) is Microsoft’s implementation of SCEP. NDES and SCEP are essentially two labels for the same service. This is really just my brain dump from working with SCEP over the last few months.

A lot of this page is derived from the Microsoft whitepaper Microsoft SCEP Implementation.

To begin, you will need a few things.
1) A working MS Domain with healthy AD.

2) A Microsoft Certificate Authority.
You can set up either a Standalone or Enterprise CA. Since most of my work was with MS, this example is for an Enterprise CA.

3) A 2008 or 2012 Enterprise or DataCenter Server.
This is for the install of NDES. NDES will not install on a Standard server. Also, NDES cannot be installed on the same server that holds a Certificate Authority.

With those ready to go, here’s how to get NDES installed.

Setup NDES Accounts in AD
NDES needs two accounts on the domain: an admin account for installation and interaction with the GUI, and a service account to run the service and request/enroll certificates.

1) Create NDES_Admin. Assign it to the Enterprise Admins group in the domain (this membership can be removed after installation). Assign it to the local Administrators group on the NDES host.
2) Create NDES_ServiceAccount. Assign it to the IIS_IUSRS group on the NDES host.

Duplicate the Certificate Templates
In the Certificate Authority (CA) we need to create the certificate templates that will be used by NDES.

  • Open the Certificate Authority MMC
  • On the left, expand the CA. Right click on the Templates Folder and select Manage. This will open the Template Mgmt folder.
  • Locate the Exchange Enrollment Agent (Offline Request), right click and Duplicate the template.
  • When prompted, select the server level. I used 2008 Enterprise on a 2008 host and 2012 on a 2012 host. Both worked fine; I don’t know the differences between the two.
  • In the Template Dialogue, Make the name NDES Exchange Enrollment Agent (Offline Request)
  • In the Template Security Tab, Assign Permissions for the NDES_Admin Account and grant it Read and Enroll rights.
  • Click OK to save and exit this Template.
  • We need to do the same thing for the CEP Encryption template (duplicate it, name it NDES CEP Encryption, and assign NDES_Admin the Read and Enroll rights).
  • Last, we need to do the same thing for the IPSEC (Offline Request), name it NDES IPSEC (Offline Request), assign NDES_Admin AND NDES_ServiceAccount the Read and Enroll Rights.
  • Close the Templates MMC

Publish The Certificates
Back at the CA, we need to publish the new Templates we just created into the CA for use.

  • Right click the Templates folder in the CA.
  • Pick New then Certificate Template to Issue.
  • Select the 3 NDES… certificates we just created and click OK to publish.

Once done, the 3 NDES certs should appear in the list of usable certificate templates in the CA windows.

Assign Permissions on the CA
Next we need to add Read and Request permissions for the NDES_ServiceAccount on the CA.

  • From the left side panel in Certificate Authority MMC, right click the CA name, and select Properties
  • Click on the security tab.
  • Add NDES_ServiceAccount and assign it Read and Request Certificates rights.
  • Hit ok and close it

Install NDES
Now that we are done with the CA and certificate work, we can move on to installing NDES on the NDES host.

  • Log in to the NDES box using the NDES_Admin account created earlier.
  • Open Server Manager from the Start menu.
  • In the left pane of Server Manager, right-click Roles and select Add Roles from the menu.
  • Click Next on the Before You Begin screen in the Add Roles Wizard.
  • Select Active Directory Certificate Services on the Select Server Roles screen and click Next.
  • Click Next on the Introduction screen.
  • On the Select Role Services screen, clear Certification Authority and select Network Device Enrollment Service. As I mentioned previously, NDES can’t be installed on the same machine as a CA.
  • In the Add Roles Wizard dialog box, click Add Required Role Services to install the necessary IIS and Remote Server Administration Tool components.
  • On the Specify User Account screen click Select User. In the Windows Security dialog box, enter the username and password for the NDES_ServiceAccount and click Next.
  • Click Browse in the Specify CA for Network Device Enrollment Service dialog box.
  • In the Select Certification Authority dialog box, select the issuing CA, click OK and Next to continue.
  • On the Specify Registration Authority Information screen, modify the Country/Region field as necessary and click Next.
  • On the Configure Cryptography for Registration Authority screen, accept the default settings, which you can see in Figure 3, and click Next.
  • Click Next on the Web Server (IIS) introduction screen.
  • Accept the defaults on the Select Role Services screen by clicking Next.
  • Click Install on the Confirm Installation Selections screen.
  • Click Close on the Installation Results screen.

Modify the NDES Registry
Before we can request a password from NDES to start the certificate request process, we need to set some registry keys on the NDES server to point to our NDES IPsec (Offline Request) certificate, then restart IIS.

  • Open regedit from the Search programs and files box on the Start menu.
  • In the left pane of Registry Editor, navigate to the following registry key: HKLM\Software\Microsoft\Cryptography\MSCEP.
  • You’ll find three REG_SZ values: EncryptionTemplate, GeneralPurposeTemplate and SignatureTemplate. Set all three values to NDESIPSECIntermediateOffline, then close Registry Editor.
  • Type cmd into the Search programs and files box on the Start menu and press Ctrl+Shift+Enter to start the command prompt with administrative privileges.
  • Type the following two commands to restart IIS:
    net stop w3svc
    net start w3svc

  • Close the command prompt.

Replace Outlook Mail, Contacts, and Calendar with Thunderbird

My company uses MS Exchange 2013 for mail, contacts, calendars, and tasks. However, we have a lot of users on Linux desktops that can’t run Outlook. For others, the new Outlook 2013 is a horrible monstrosity of flat icons on an all-white background that burns your eyes after a few hours in front of the monitor. So I was after a complete replacement for Outlook to access email, contacts, and calendar on Exchange. Well, email is easy. Calendar, not so much. Contacts seem to have been made complicated on purpose. But here is a working solution using Thunderbird with some available plugins. These examples were taken from a machine running Mint 17 64-bit, but the same tasks should work well on Windows.


Install Thunderbird

Thunderbird is the Mozilla mail client. It comes installed on many Linux distros. If you need to install it for any reason, you can find it in the repos or directly from the Thunderbird website.


Configure Thunderbird for Exchange Mail

  1. Add a new mail account (Edit > Account Settings > Account Actions button > Add Mail Account).
  2. Note: if you get prompted to create a new email address at some 3rd party service, select “Skip this and use my existing email”.
  3. Enter your name to be displayed, email address, and password.
  4. Thunderbird will most likely fail to autodetect the settings for Exchange. An expanded window will appear prompting for your Exchange settings. These settings can be provided by the email admin. You need the IMAP settings, SMTP settings, and note that the username usually takes the form DOMAIN\Username.
  5. Hit Done when complete.


Install Lightning for Thunderbird

Lightning is a Thunderbird add-on that provides the calendar and task list services. Installation is done from Thunderbird.

  1. Click Tools > Add-ons (or use the menu button on the right and pick Add-ons. BTW, to get the menu bar back, right-click to the right of the tabs and select Menu Bar).
  2. In the search box, enter ‘lightning’.
  3. Select the Lightning plug-in. Install it and restart.


Install Exchange connector

The real trick here is getting the calendar, contacts, and tasks to sync with Exchange.   The only plug-in that I’ve found that does this is located at

  1. Access that link and download the latest version of the plugin.
  2. Save the xpi file on your machine.
  3. From Thunderbird, Access the add-on manager (Tools > Add-ons)
  4. Click the box next to the search window and select “Install add-on From File”
  5. Select the xpi plug in you just downloaded.
  6. Restart Thunderbird


Configure Calendar

  1. Click the Calendar button to open the calendar tab.
  2. Right click on the blank space under calendar and select “New Calendar”
  3. Select “On the Network” and click next
  4. Select “Microsoft Exchange 2007/2010/2013” and click Next.
  5. Give the calendar a name like “Exchange Calendar” and pick the email associated with the Exchange account (this should match the one you just set up on IMAP above). Hit Next when done.
  6. Click Autodiscover (any good admin has this set up). Fill in the username and the domain. Leave the Folder ID field empty. Click “Perform Autodiscovery” when ready.
  7. You will probably get a prompt to enter your email account password. Enter the password and continue.
  8. You will probably get the option to pick an EWS server. You’ll probably only have one in the list; otherwise, ask your admin. Continue when ready.
  9. You will get a final window showing the calendar root. Make edits as needed, but most can just accept the default and hit Next.
  10. In the list of calendars, you should now see an entry for your calendar on Exchange.


Configure Contacts

  1. In Thunderbird’s inbox tab, select Address Book.
  2. In the Address Book window, select “Add Exchange Contact Folder”.
  3. Enter a descriptive name.
  4. Check “Add Global Address List to search results”.
  5. Check “Use Exchange’s Autodiscovery function”.
  6. Enter your email, username and domain in the correct fields and perform the autodiscovery when ready.
  7. Once again, enter the password if prompted and pick the correct EWS server if prompted.
  8. Make edits to the contact root folder as needed. Most can leave it at the default. If your company uses a Public Folder for contacts, you can change the root to Public Folders and browse to the correct folder.


That’s it. You can add as many calendars and address books as you need. I did this and now have a very good replacement for Outlook on any desktop.

Prevent Users from changing Pictures in Exchange 2013

Yes, in Exchange 2013, users were given the ability to edit the user picture that is stored in LDAP for display on their profile across Microsoft’s suite of products.

Seems like a harmless function, right? Microsoft is so desperate to be viewed as a ‘cool social media like product’ that users will take advantage of the customizable settings. Well, if left unchecked, the user photos quickly become a mixture of kittens, logos, TV characters, and borderline raunchy images. No good, especially since users have NO IDEA that these images might be viewed by outside entities. Highly unprofessional!!!

So the goal here is to allow the use of photos that the admin or a security person uploads into LDAP, let users view the photos, but keep users from changing them.

The only way I’ve found to do this is by using a mailbox policy.

Open up a PowerShell session on Exchange 2013 and run the following.
First we list the mailbox policies and set the option that enables photos to False.
Second we apply the policy to all mailboxes.

Get-OWAMailboxPolicy | set-owamailboxpolicy -setphotoenabled:$false
Get-CASMailbox -ResultSize Unlimited | Set-CASMailbox -OWAMailboxPolicy Default

To test, sign into OWA as a user and check the two spots where users can change photos, and ensure the options to edit photos are gone:
1) Under the photo in the main display.
2) Under the user’s profile options in the ‘My account’ page.

NOTE: Be aware that the last time I installed a Cumulative Update, these settings reverted to the default behavior and I had to re-apply the mailbox policy.