System Center Service Manager:Exchange Connector

From sysadminafterdark docs
[[Category:System Center Service Manager|Exchange Connector]]
== History ==
The [[System Center Service Manager:Exchange Connector]] is a first-party, Microsoft-developed connector for [[System Center Service Manager:System Center Service Manager]] that is not included in the default installation of System Center. It can be downloaded, along with Microsoft's white paper deployment procedure, from Microsoft's [https://www.microsoft.com/en-us/download/details.aspx?id=101579 System Center Service Manager Connector 4.1 for Exchange] portal. It enables systems administrators to connect Microsoft Exchange and [[Cloud: Office 365]] mailboxes to Service Manager so that incidents can be received via electronic mail.


== Deployment ==
Installing the Service Manager Exchange Connector is fairly straightforward. Follow the below steps to install the dynamic link libraries and corresponding management packs:
# Download the necessary files from Microsoft's [https://www.microsoft.com/en-us/download/details.aspx?id=101579 System Center Service Manager Connector 4.1 for Exchange] portal.
# Run the exe to extract the files to your specified location, or the default location of C:\System Center Service Manager Connector 4.1 for Exchange.
# Copy and paste all of the .dll and .mpb files to the root of your System Center Service Manager installation directory. In my case, this is located at D:\Program Files\Microsoft System Center\Service Manager.
## NOTE: This must be done on the server. Additionally, if you are utilizing the console on a workstation computer, step 3 must also be completed on that workstation. Importing the management pack on workstation computers is not necessary once it has been completed on the server.
# Once the files are copied to the correct installation directory, launch the System Center Service Manager Console as an administrator.
# Click the Administration tab, then click Management Packs. On the right sidebar, under "Management Packs", click Import.
# Change the file type selector to MPB files and navigate to your Service Manager installation directory. Find the file "ServiceManager.ExchangeConnector.mpb", select it and open it.
# A wizard will appear to import the management packs. Click Import. This takes about a minute to import.
# Once the management pack has been successfully imported, click Connectors under Administration, then click Create Connector. You will notice an option to create an Exchange Connector is now available.
The management pack is now successfully imported and available for use. Please refer to the Post-Install Configuration section for creating an Exchange Connector.


== Post-Install Configuration ==
The Post-Install Configuration and related sections enable systems administrators to set up a [[Cloud:Office365]] email service account, connect it to Service Manager, and harden it against abuse. Please note that if you are utilizing [[Cloud:Office365]] rather than an on-prem Exchange server, YOU MUST have [[Authentication: Microsoft Entra Cloud Sync]] set up and syncing the email account to Entra ID.
=== Configure an Office 365 Service Email Account ===
# Log in to Microsoft Office 365 as a global administrator.
# On the sidebar, click Users, then click Add User.
## On the Basics tab, give your helpdesk service account a name and username. I am using sysadminafterdark help desk and the email helpdesk [at] this domain . com.
## Generate a strong password and store it in your password manager. Uncheck "Require this user to change their password when they first sign in".
## Click Next.
# On the Product licenses tab, I assigned a Microsoft Business Basic license because we only require email for this account. If it asks you to buy a license, do so.
# Click Next on the Optional Settings tab. This account requires no admin permissions.
# On the Finish tab, review your changes, then click Finish adding.
An Office 365 email service account has been created so end users and bots can email notifications to the helpdesk for processing.
=== Configure Entra ID Service Account Permissions ===
# Open a browser, navigate to the Azure Active Directory admin center, and log in with a global administrator account.
# Select Azure Active Directory in the left-hand navigation, and then select App registrations under Manage.
# Select New registration. On the Register an application page, set the values as follows:
## Name: System Center Service Manager Exchange Connector
## Supported account types: Select Accounts in this organizational directory only (single tenant)
## Redirect URI: Public client (mobile & desktop), then set the URI to urn:ietf:wg:oauth:2.0:oob
# Click Register, then record the values of the tenant ID and client ID, as we will need them later during setup.
# Select API permissions in the left-hand navigation under Manage, then click APIs my organization uses.
# In the search box, type "office 365" and check EWS.AccessAsUser.All under EWS.
# Select Grant admin consent for org and accept the consent dialog.
# Under Authentication, Advanced Settings, ensure Allow Public Client Flows is set to Yes.
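The following PowerShell script is an added verification step, not part of the original article or of Microsoft's connector package. It reads the app registration created above through the Microsoft Graph PowerShell SDK and confirms each setting the steps specify (single tenant, public client flows, the urn:ietf:wg:oauth:2.0:oob redirect URI, the EWS.AccessAsUser.All delegated permission and its admin consent), then prints the Tenant ID and Client ID the connector wizard asks for later. It assumes the Graph SDK is installed and that the registration uses the display name from step 3; adjust $AppDisplayName if you chose another.

```powershell
# Added example (not from the article): verify the Entra ID app registration
# for the Exchange Connector matches the documented settings.
$AppDisplayName = 'System Center Service Manager Exchange Connector'   # name from the article

# Application.Read.All covers app registrations and service principals;
# Directory.Read.All is needed to read the admin-consent (OAuth2 permission grant) records.
Connect-MgGraph -Scopes 'Application.Read.All', 'Directory.Read.All' -NoWelcome

$app = Get-MgApplication -Filter "displayName eq '$AppDisplayName'"
if (-not $app) { throw "No app registration named '$AppDisplayName' was found." }
if (@($app).Count -gt 1) { throw "More than one registration named '$AppDisplayName'; filter by AppId instead." }

# The two values the connector wizard's Server connection page asks for
"Tenant ID : $((Get-MgContext).TenantId)"
"Client ID : $($app.AppId)"

$checks = [ordered]@{
    'Single tenant (AzureADMyOrg)'       = ($app.SignInAudience -eq 'AzureADMyOrg')
    'Allow public client flows = Yes'    = ($app.IsFallbackPublicClient -eq $true)
    'Public client redirect URI (oob)'   = ($app.PublicClient.RedirectUris -contains 'urn:ietf:wg:oauth:2.0:oob')
}

# Resolve the EWS.AccessAsUser.All scope from the Exchange Online service principal
# rather than hard-coding its GUID, then check the app requests it as a delegated scope.
$exo = Get-MgServicePrincipal -Filter "displayName eq 'Office 365 Exchange Online'"
if (-not $exo) { throw "Office 365 Exchange Online service principal not found in this tenant." }
$scope = $exo.Oauth2PermissionScopes | Where-Object Value -eq 'EWS.AccessAsUser.All'
$requested = $app.RequiredResourceAccess |
    Where-Object ResourceAppId -eq $exo.AppId |
    ForEach-Object { $_.ResourceAccess } |
    Where-Object { $_.Id -eq $scope.Id -and $_.Type -eq 'Scope' }
$checks['EWS.AccessAsUser.All requested (delegated)'] = [bool]$requested

# "Grant admin consent for org" is recorded as an AllPrincipals grant on the app's own service principal
$sp = Get-MgServicePrincipal -Filter "appId eq '$($app.AppId)'"
$grant = if ($sp) {
    Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" |
        Where-Object { $_.ConsentType -eq 'AllPrincipals' -and (($_.Scope -split ' ') -contains 'EWS.AccessAsUser.All') }
}
$checks['Admin consent granted for org'] = [bool]$grant

$checks.GetEnumerator() | ForEach-Object {
    '{0,-45} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'MISSING' })
}
```

Any line reporting MISSING points at the step above that still needs to be completed before the connector's Test Connection will succeed.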
=== Connect An Office 365 Email Account To Service Manager ===
I will be the first to admit this took a lot of trial and error to set up and troubleshoot. Please ensure your Service Manager server is on the latest release (very important, as it enables OAuth authentication) and that [[System Center Service Manager:Disable Outdated Crypto]] has been run on the server and the server rebooted.
# Open the Service Manager console and navigate to Administration, Connectors.
# Click Create Connector, and then, in the Task pane, click Exchange. Perform the following steps on each page:
## On the Welcome page, click Next.
## On the General Page
### Name: HelpDesk Exchange Connector
### Description: HelpDesk Exchange Connector
### Enter one or more Active Directory forests (not domains)... This prompt is wrong! Type in your domain, for example sysadminafterdark.com.
### Ensure all checkboxes are checked. Make sure you read them to understand what they do!
# On the Server connection page
## Make sure Exchange Online is checked. Paste in the Tenant ID and Client ID you saved earlier.
## Ensure Autodiscover is checked.
## Create a new Run As account
### Display Name: HelpDesk Email Exchange Connector
### Description: HelpDesk Email Exchange Connector
### Account: Windows Account
### Username: sysadminafterdark.com\helpdesk (Substitute your own data in. DOMAIN.TLD\ADUser. It MUST be in this format!)
### Password: Type in the password.
### Domain: Select the on-prem AD domain.
### Click OK.
### Click Test Connection and type in the password again. The connection should be successful. If it is not, be sure to check Event Viewer for errors. Logs are saved to Applications and Services Logs > Operations Manager (Yes, Yes, that's not a typo!).
# On the Parsing Keywords page, all keywords should be auto populated. Click Next.
# On the Routing and Schedule page, select the following:
## Work Item Template: Default Incident Template
## Incident Template: Default Incident Template
## Service Request Template: Default Service Request Template
## Polling interval sets how often the mailbox is checked for new messages. The default of 300 is fine. Click Next.
# On the Confirmation page, double-check your configuration, then click Create.
=== Check Functionality ===
# Send an email to the account that was setup above.
# Within the polling interval you set, the email should appear as a ticket under Work Items, Service Request Fulfillment, All Open Service Requests.
# Be sure to check for a successful sync under Administration, Connectors, then look at the connector status.
# If the sync has not run, or the status is Failed, open Event Viewer and navigate to Applications and Services Logs > Operations Manager (Yes, Yes, that's not a typo!). I am VERY serious about this - enough to break the fourth wall and address the reader directly. There may be a couple of DLLs you need to update via NuGet or some permissions issues you need to resolve. PLEASE READ THE LOGS!
== Troubleshoot ==
This section is dedicated to odd Event Viewer errors I experienced during deployment. Resolving all of these errors enabled the connector to run successfully.
=== Microsoft.Identity.Client.dll Needs to Be Updated to Version 4.38.0.0 ===
# Open a web browser and navigate to the [https://www.nuget.org/packages/Microsoft.Identity.Client/4.38.0 NuGet download page].
# On the right-hand sidebar, click Download package.
# Unzip the file with 7-Zip or similar software.
# Navigate to the Service Manager installation directory and back up the old DLL by renaming it, for example by changing the extension to .bak.
# Drag and drop the new DLL into the folder.
# Reboot the server to ensure the new DLL is loaded. Ensure the error message has gone away.
=== Service Manager Workflow Account Needs Log on as a Service Rights ===
# Launch Local Security Policy on the Service Manager server.
# Expand Local Policy and select User Rights Assignment. In the right pane, right-click Log on as a service and select Properties.
# Add your Service Manager Workflow Account to the list, apply the changes, then reboot the server.
=== Exchange Connector - One or more errors occurred ===
# Run the documented script to [https://docs.sysadminafterdark.com/System_Center_Service_Manager:Disable_Outdated_Crypto disable outdated crypto]. In the dialog box, choose the "Enable" option.
# Reboot the server.
=== The Exchange Connector could not run because the workflow account does not have privileges ===
# Open Local Security Policy from the Start menu.
# Navigate to Local Policies > User Rights Assignment and locate the Log on as a service policy.
# Double click on the policy and add the SM Workflow account.
# Reboot the server to finalize the delegation.
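The following health-check script is an added example, not part of the original article, and is meant to be run in an elevated PowerShell session on the Service Manager server. It checks the three conditions the Troubleshoot section fixes: the Microsoft.Identity.Client.dll version, whether the workflow account holds the "Log on as a service" right, and recent Exchange Connector errors in the Operations Manager log. The install path is the one from the article; the workflow account name is a placeholder you must replace.

```powershell
# Added example (not from the article): health check for the Exchange Connector's
# known failure causes. Run elevated; secedit needs administrator rights.
$SmInstallDir    = 'D:\Program Files\Microsoft System Center\Service Manager'  # path used in the article
$WorkflowAccount = 'DOMAIN\SM_Workflow'   # placeholder: your Service Manager workflow account
$MinMsalVersion  = [version]'4.38.0.0'    # version the article says the connector needs

# 1. Microsoft.Identity.Client.dll present and at least the required version
$dll = Join-Path $SmInstallDir 'Microsoft.Identity.Client.dll'
if (Test-Path $dll) {
    # strip any non-numeric suffix before casting to [version]
    $ver = [version]((Get-Item $dll).VersionInfo.FileVersion -replace '[^\d.].*$', '')
    $state = if ($ver -ge $MinMsalVersion) { 'OK' } else { 'UPDATE (see NuGet steps above)' }
    '{0,-45} {1} ({2})' -f 'Microsoft.Identity.Client.dll', $state, $ver
} else {
    '{0,-45} MISSING' -f 'Microsoft.Identity.Client.dll'
}

# 2. Workflow account holds SeServiceLogonRight ("Log on as a service").
#    secedit exports the right as a comma-separated list of SIDs prefixed with '*',
#    so resolve the account name to its SID before comparing.
$sid = (New-Object System.Security.Principal.NTAccount($WorkflowAccount)).
           Translate([System.Security.Principal.SecurityIdentifier]).Value
$cfg = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = Get-Content $cfg | Where-Object { $_ -like 'SeServiceLogonRight*' }
Remove-Item $cfg -ErrorAction SilentlyContinue
$holders  = if ($line) { ($line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } }
$hasRight = $holders -contains $sid
'{0,-45} {1}' -f "Log on as a service ($WorkflowAccount)", $(if ($hasRight) { 'OK' } else { 'MISSING' })

# 3. Recent connector errors and warnings in the (confusingly named) Operations Manager log
Get-WinEvent -LogName 'Operations Manager' -MaxEvents 500 -ErrorAction SilentlyContinue |
    Where-Object { $_.LevelDisplayName -in 'Error', 'Warning' -and $_.Message -match 'Exchange Connector' } |
    Select-Object -First 10 TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -AutoSize
```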
== Status ==
The System Center Exchange Connector has successfully been pushed to sysadminafterdark production. If you require further help, please contact me via X.com or my [https://forum.sysadminafterdark.com forum].

Latest revision as of 00:01, 25 July 2024