Certificate mismatch Outlook Anywhere
Hi,
When connecting an Outlook 2013 client to Exchange 2013 I am getting a certificate mismatch error.
SSL Certificate is for the external name (exch.domain.com) has no SAN's and Outlook is looking for servername.local.
I have configured all virtual directories for Exchange to use the above url (exch.domain.com) for internal and external access.
Have a local DNS record resolving the external name (exch.domain.com) to the internal IP of the exchange server.
Operating a single public IP using ARR and Windows Server 2012 Essentials
Have set up a SRV record in DNS for autodiscovery.
Outlook Anywhere in the ECP is configured to NTLM authentication
In Outlook, the advanced connection properties I was getting authentication prompts until I added https://exchange.domain.com as a proxy server.
Any help would be appreciated thanks.
I am having the same issue with my Outlook 2013 clients.
All virtual directories are set to the mail.company.com. The Godaddy certificate is for mail.company.com and is used for the SMTP, IIS, POP3, IMAP services.
The client gives a security alert about the certificate name for servername.company.com not matching the certificate mail.company.com. The client account settings show the server as a
[email protected] and the Exchange proxy settings as mail.company.com and connect using SSL only with msstd:mail.company.com for the principal name.
Doing a Connection status check on the Outlook, it shows the Proxy server of mail.company.com and server name as the
[email protected] for Exchange Directory and Exchange Mail.
I have tried putting the server name in the virtual directory internal url's but it still isn't working correctly.
I had used a cert form our internal CA for testing and am still using it for the UM and UMCallRouter functions, although the SMTP, IMAP, POP3 are still checked for it.
Outlook functions fine after clearing the Security Alert.
Not sure what I am missing. Thanks for any help.
Similar Messages
-
Wildcard certificate in Outlook Anywhere
I tried to fix a bit our Outlook Anywhere and set certificate for my EXPR provider to "msstd:*.domain.com" (I use *.domain.com certificate for exchange). But all Outlook clients after restart show error: "There
is a problem with the proxy server's security certicate. The name on the security certificate is invalid or does not match the name of the target site owa.domain.com. Outlook
is unable to connect to the proxy server. (Error Code 0)".
I set EXPR provider to "msstd:owa.domain.com" (my exchange server address) and all works fine now.
Why I could not switch certificate to wildcard?Hi,
If you have done the following changes:
Set-OutlookProvider -Identity EXPR -CertPrincipalName msstd:*.domain.com
Please follow Ed’s suggestion to make sure the Wildcard certificate assigned with IIS service. We can run the following command to get more information about your certificates:
Get-ExchangeCertificate | Select CertificateDomains,Services,Status
If the Wildcard certificate is not assigned with IIS service, please
use the Enable-ExchangeCertificate cmdlet and specify IIS services. Additionally, here is a related KB about this issue:
http://support.microsoft.com/kb/923575
Thanks,
Winnie Liang
TechNet Community Support -
Exchange 2013 2007 co-existence Outlook Anywhere issues
Sorted out all other issues (apart from a SSO issue- another thread) . Activesync, autodiscover etc all working- but Outlook Anywhere does not work for Exchange 2007 external mailboxes. It does work for 2013 mailboxes internally and externally-
and 2007 mailboxes internally.
Exchange 2013 SP1. Exchange 2007 Sp3 RU10. Legacy namespace is in use and on certificate. Outlook Anywhere IIS Authentication is set to Basic and NTLM on both 2007 and 2013 servers. Outlook Anywhere external client authentication is set to Basic.
Any sugestions what to look at next?Tony,
I apologize for the stupid question, but was Outlook Anywhere working on Exchange 2007 before you started the upgrade?
When you open command prompt on Exchange 2007 and ping the Exchange 2007 internal FQDN or NetBIOS name, do you get an IPv4 address or you get the IPv6 one?
Step by Step Screencasts and Video Tutorials -
Default Outlook Anywhere Connections
I'm using an Exchange 2013 SP1 environment with almost no customization. Only 2 servers exists - one holding CAS+MBX, and a second one being an MBX. No DAGs, balancers, etc. Mapi over HTTP is not enabled. The default self-signed certificates are used
(no new certificate was installed, nor any self-signed certificate manually installed on any server/client). A mailbox is provisioned on a database located on the first server. Outlook is configured for the corresponding user on a client machine and started.
Everything works just fine, with the 'Outlook Connection status' window showing 2 Exchange Directory + 2 Exchange Mail connections. Authentication is NTLM. Ports for all 4 connections are 6001 - which hint that Outlook Anywhere is indeed used.
From time to time, the familiar "Security Alert" comes up warning about the self-signed certificate, but this is usually traced in my experience to the various services Outlook is using, that are running on HTTPS (OAB, EWS, Availability...).
Here we find that in Exchange 2013 "Outlook Anywhere is enabled by default, because all Outlook connectivity takes place via Outlook Anywhere". Then
here it's stated that "Outlook Anywhere won't work with a self-signed certificate on the Client Access server". I remember the latter being true against Exchange 2010
instances, but seems not to be the case in Exchange 2013 anymore. Unless I'm missing something, from the standpoint of a default installation, the 2 articles contradict each other.
Second issue - even though Outlook is set for "Negotiate" in its Security setting, it looks like the Kerberos preferred option is never chosen. Would it have to do with the self-signed certificate and Outlook Anywhere ?First article says "[...]In Exchange 2013, Outlook Anywhere is enabled by default, because all Outlook connectivity takes place via Outlook Anywhere.[...]". A simple Exchange 2013 SP1 setup, using defaults - including the built-in self-signed certs
- can be reached with no problems with a regular Outlook client. Since RPC over TCP is now defunct, and MAPI over HTTP isn't enabled (it's a regular installation, hence this feature is disabled) it can only be Outlook Anywhere being used by the Outlook client
to connect to the vanilla Exchange 2013 SP1 installation. Hence we can conclude that Outlook Anywhere works by default.
Second article comes around and says "[...] Outlook Anywhere won't work with a self-signed certificate on the Client Access server.[...]". Yet this is contrary to what I'm experiencing - since Outlook Anywhere is working (what other method of connecting
is left, right ? plus even the connections over :6001 in the Connection Status window hint at this) and there hasn't been any CA-emitted certificate installed on that stock CAS server.
So either the sentence in the second article is flat wrong (ONLY for 2013, Exchange 2010 NEEDS trusted certs), or it's missing a clause. Am I missing something ?
Hi,
Yes, Outlook Anywhere is enabled by default. Because all Outlook connectivity from Internal and External are using Outlook Anywhere.
For your second question, "[...] Outlook Anywhere won't work with a self-signed certificate on the Client Access server.[...]". Based on my knowledge, the Self-signed certificate which is installed with Exchange 2013 installation is not issued
by any CA. It is issued by the Exchange server.
Outlook Anywhere won't work with a self-signed certificate on the Client Access server because there would be a certificate untrusted issue on every user's clients. If you don't install the untrusted certificate in your trusted root certificate store on
the client computer, the client will be always prompted for the certificate error even through you can work with Exchange services after clicking Yes when the Security Alert asking you “Do you want to proceed”.
Regards,
Winnie Liang
TechNet Community Support -
Trial SAN Certificate & Outlook Anywhere (RPC over HTTP) test fail
I am testing exchange 2013 where autodiscover pass while performing Outlook Anywhere (RPC over HTTP) connectivity test failed with invalid SSL certifiate . I am only using self certifiate .do any one idea if any CA provding SAN certificate trial basis.
Don't forget to mark helpful or answer
connect me :-
http://in.linkedin.com/in/satya11
http://facebook.com/satya.1000Hi,
Agree with the above suggestion, ExRCA test cannot pass with self-signed certificate. And to ensure Outlook Anywhere work well , we need to install the self-signed certificate on all clients machines.
If you have any question, please feel free to let me know.
Thanks,
Angela Shi
TechNet Community Support -
(I'll upload screen captures if needed once my account gets verified)
I have a basic (as in freshly installed single exchange server 2010 SP3) Exchange Server installation. I've setup Outlook Anywhere. I've also setup a SAN (SubjectAltName) certificate.
My setup:
ex01.eci.XXXX.XX = is the server name and also the CN of my SAN certificate
mail.eci.XXXX.XX = an A record I've setup to access my exchange server. It is also a subjectAltName in my SAN certificate
When setting up Outlook, I enter the server name and specify the Outlook Anywhere proxy server in the Outlook Anywhere section. This works fine and I connect to my exchange server using RPC over HTTPS.
Now, I was under the impression that specifying SANs in the certificate would allow me to enter the SAN alt name (mail.eci.XXXX.XX) in the field reserved for the Server Name, in Outlook..
But it does not work. The proxy will give me an error each time, like that:
HTTP 544 RPC_IN_DATA /rpc/rpcproxy.dll?mail.eci.XXXX.XX:6002 HTTP/1.1 , NTLMSSP_NEGOTIATE
HTTP 635 HTTP/1.1 401 Unauthorized , NTLMSSP_CHALLENGE (text/html)
HTTP 123 HTTP/1.0 503 RPC Error: 6ba
My question is: is this the behaviour I should expect? Or should I be able to specify the SAN alt name in the Server Name in Outlook?
Thanks!Hi,
Firstly, I’d like to explain, the server name tab should be filled with your mailbox server name in the process of configuring Exchange 2010 account.
And the Outlook Anywhere proxy server is configured at the server side and cannot be randomly defined at the client side. To check it, we can run: get-outlookanywhere |fl externalhostname
Thus, it’s an expected behavior that we would get error if we randomly enter name in the server name tab when we configure an account. If I misunderstand your meaning, please feel free to let me know.
Additionally, Autodiscover service can help us automatically complete the configuration of the Outlook account. And how about the result if you use the Autodiscover to automatically configure the account?
If you have any question, please feel free to let me know.
Thanks,
Angela Shi
TechNet Community Support -
Exchange 2013 - How to configure Outlook Anywhere with certificate based authentication?
Hello,
is it possible to secure Outlook Anywhere in Exchange 2013 with certficate based authentication?
I found documentation to configure CBA for OWA and ActiveSync, but not for Outlook Anywhere.
We would like to secure external access to the mailboxes via Outlook by using CBA.
Thanks a lot in advance!
Regards,
AndréHi,
Let’s begin with the answer in the following thread:
http://social.technet.microsoft.com/Forums/en-US/e4b44ff0-4416-44e6-aa78-be4c1c03f433/twofactor-authentication-outlook-anywhere-2010?forum=exchange2010
Based on my experience, Outlook client only has the following three authentication methods:Basic, NTML, Negotiate. And for more information about Security for Outlook Anywhere, you can refer to the following article:
http://technet.microsoft.com/en-us/library/bb430792(v=exchg.141).aspx
If you have any question, please feel free to let me know.
Thanks,
If you have feedback for TechNet Subscriber Support, contact
[email protected]
Angela Shi
TechNet Community Support -
Infrastructure
2x Domain Controler with local IP with domain.local name Domain has split DNS for local and external IPs
2x Exchange 2013 servers with local IP and external IP with domain.com name
2x Webservers running IIS with local IP and external IP
Both external IPs for webserver and exchange are different.
Both Exchange servers respond to name email.domain.com both internaly and externaly. Internal and external virtual directories are set to email.domain.com address. Outlook providers are set to email.domain.com
I have trusted computer outside the domain and it is using Outlook 2013. It has installed my CA certificate. This Outlook is showing Security alert about certificate. The certificate from alert comes from webserver. I need it to use only one certificate
from exchange server. How to do that? I looked for Autodiscover settings and outlook anywhere. What am I missing?Hi,
Please run the following command to check the Certificate configuration in your Exchange server:
Get-ExchangeCertificate | fl
Make sure the certificate which includes email.domain.com has been assigned with IIS service. Also conform if the issue only happens to specific users such as all external users or internal users. In the problematic client side, please run the Test E-mail
AutoConfiguration tool to check the service URLs in the Results tab and find out which service is using the mismatched namespace. To run this tool, please do:
Open Outlook - press CTRL key - right click on the Outlook icon from right bottom corner taskbar - Test Email AutoConfiguration. Put your email address - uncheck use guessmart and secure guessmart authentication - click Test to check your Autodiscover service.
Additionally, please run the following command to configure your Outlook Anywhere:
Set-OutlookAnywhere -Identity "Exch13\Rpc (Default Web Site)" -InternalHostname email.domain.com -ExternalHostname email.domain.com -InternalClientAuthenticationMethod Ntlm -ExternalClientAuthenticationMethod Basic -ExternalClientsRequireSsl
$True -InternalClientsRequireSsl $true
Here is a article about how to troubleshooting certificate issue:
https://social.technet.microsoft.com/Forums/en-US/fa78799b-5c55-4c71-973b-0e186612ff6f/checklist-for-exchange-certificate-issues?forum=exchangesvrgeneral
Regards,
Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected]
Winnie Liang
TechNet Community Support -
Outlook Anywhere, Office 2013 + Exchange 2013 freezes
Hi.
I'm pulling my hair out with this problem as it seems to make no sense.
I have a client using outlook 2013 through outlook anywhere to their new server running Exchange 2013. when outlook is opened it seems to work for about 10 mins or so then after that if you go to send an email it freezes and says it trying to contact the
server. you wait for 10 mins then it works again for a while.
I've changed the timeout settings on the server and everything, they are currently experiencing this in their Spanish office which connects back to the UK.
No if they dial up the vpn ( no settings changed at all) and run outlook, it all works perfectly..... No one in the UK office (about 10 users) have any issues its only the 2 people in Spain, and one of them uses the laptop in the UK office that they have
in Spain with no issues.
I have a CA certificate from slls so not using a self certified one. however its not a wildcard so I haven't set-up on the external domain dns and instead just manually enter the settings (which works fine)
Its almost as if after 10 mins some connection drops but then takes ages to reconnect again.
There are a lot of schannel errors appearing on the machines which suggests they are looking at the wrong ports for connection on a couple of attempts, but the questions is why? and whether this has anything to do with the OA problem.
If anyone has some fresh ideas or any thoughts i would be very grateful as this is driving me round the bend, and i have 2 other clients who have a very similar set-up but have no issues.
Router Spanish side is a Comcast router and UK side is a draytek 2820
Exchange is running on Server 2012 with both the CA and Mailbox roles on the same server.
heeeellp before I go bald :)Hi,
Please have the users in Spain open Outlook, go to FILE
-> Account Settings -> Account Settings -> Double click the account name ->
More Settings -> Connection tab -> Select
Connect to Microsoft Exchange using HTTP, and click Exchange Proxy Settings, tick
On slow networks, connect using HTTP first, then connect using TCP/IP
-> OK.
We can also have the users in Spain test the connectivity to Exchange via Remote Connectivity Analyzer to find if there's any error.
https://testconnectivity.microsoft.com/
Regards,
Melon Chen
TechNet Community Support -
Access to Outlook Anywhere does not work
Good evening,
I recently installed an Exchange Server 2013 CAS / MB.
Until now, the server presented a few errors (mainly in the
event log) that does not seem to significantly influence functionality.
This week I published the server on the Internet and verified various malfunctions
related to the access from outside.
In particular from outside:
1 - OWA does not work with Windows integrated authentication, it works with the Forms based authentication;
2 - Outlook Anywhere does not work from internet.
I've done a lot of research and testing without success.
With regard to the first issue (which is not a priority but can relate to second one)
add that in Firefox I get a first authentication request. If
I enter credentials it ask again for identical authentication (repeatly), if I cancel it shows a second one that instead allows me access (are slightly different).
I assume that the first is the integrated Windows application and the second is basic authentication.
Internet Explorer shows me only the first authentication request and if I cancel shows blank page.
The problem is
priority 2:
Outlook connects without problems on LAN network, the Internet
seems to download the correct information
(autodiscover), but then does not connect
to the server (connection to Microsoft Exchange is unavailable).
If you manually edit the settings,
auto-configuration server returns as
a [email protected]. If I change
manually the server (and proxy settings
http), the result does not change.
- Setting information -
The server is installed
in the LAN network and is exposed on the Internet through
a firewall (Pat on port 443, et al. not 80)
on a public address.
The public and private DNS have been configured with a
host record (A) and two
CNAME (webmail and autodiscover).
The internal Outlook clients connect
with autodiscover and HTTPS /
NTLM / SSL (Outlook connectivity
status).
IMAP, SMTP, POP, ActiveSync function.
Exchange remote connectivity analizer retrieves Autodiscover information but doesn't pass test for RPC/HTTP access (it discard accesson
port 443 and try port 80, SPF isn't configured).
The navigation to the url
https://proxyexternalURL/rpc/rpcproxy.dll has the same behaviour like problem 1.
Test-OutlookConnectivity returns unmanaged error ('WARNING: An unexpected error has occurred and a Watson dump is being generated: Failed to find the probe result for invoke now request id -- and probe workdefinition id --').
Errors in eventviewer: 5011 - WAS (one time), 139 - MSExchange OWA (some not ripetitive), 3028 - MSExchangeApplicationLogic (every 6 hours), 106 - MSExchange common (many during working hour), 65535 - application (some at nighttime 00.00 - 03.00 a.m.), 1006
- MSExchangeDiagnostic (every 30 min), 6002 - MSExchange Mid-Tier Storage (about every 5 minutes), 5 - MSExcahnge Workload Management (one time).
Ask for further information.
- Cmdlet and Autodiscover output -
Get-OutlookAnywhere | fl name,*auth*,*ssl*,*host*
Name : Rpc (Default Web site)
ExternalClientAuthenticationMethod : Basic
InternalClientAuthenticationMethod : Ntlm
IISAuthenticationMethods : {Basic, Ntlm, Negotiate}
SSLOffloading : True
ExternalClientsRequireSsl : True
InternalClientsRequireSsl : True
ExternalHostname : webmail.name_domain.test
InternalHostname : webmail.name_domain.test
Get-OutlookProvider | ft -autosize
Name Server CertPrincipalName TTL
EXCH msstd:webmail.name_domain.test 1
EXPR msstd:webmail.name_domain.test 1
WEB
1
Get-AutodiscoverVirtualDirectory | fl name,*auth*,*url*
Name : Autodiscover (Default Web site)
InternalAuthenticationMethods : {Basic, WSSecu.testy, OAuth}
ExternalAuthenticationMethods : {Basic, WSSecu.testy, OAuth}
LiveIdNegotiateAuthentication : False
WSSecu.testyAuthentication : True
LiveIdBasicAuthentication : False
BasicAuthentication : True
DigestAuthentication : False
WindowsAuthentication : False
OAuthAuthentication : True
AdfsAuthentication : False
InternalUrl :
ExternalUrl :
Get-MapiVirtualDirectory | fl name,*auth*,*url*
Name : mapi (Default Web site)
IISAuthenticationMethods : {Basic, Ntlm, Negotiate}
InternalAuthenticationMethods : {Basic, Ntlm, Negotiate}
ExternalAuthenticationMethods : {Basic, Ntlm, Negotiate}
InternalUrl : https://webmail.name_domain.test/mapi
ExternalUrl : https://webmail.name_domain.test/mapi
Autodiscover.xml
<?xml version="1.0" encoding="utf-8"?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
<Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
<User>
<DisplayName>user</DisplayName>
<LegacyDN>/o=organization_name/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=e4c0c18c8f214afbb5152bb08823179d-user</LegacyDN>
<AutoDiscoverSMTPAddress>user@name_domain.test</AutoDiscoverSMTPAddress>
<DeploymentId>d60c71c9-3740-404c-a38c-aa24e6105432</DeploymentId>
</User>
<Account>
<AccountType>email</AccountType>
<Action>settings</Action>
<MicrosoftOnline>False</MicrosoftOnline>
<Protocol>
<Type>EXCH</Type>
<Server>72036b30-a4d4-4b42-9c39-445bd04c23a6@name_domain.test</Server>
<ServerDN>/o=organization_name/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=72036b30-a4d4-4b42-9c39-445bd04c23a6@name_domain.test</ServerDN>
<ServerVersion>73C082C8</ServerVersion>
<MdbDN>/o=organization_name/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=72036b30-a4d4-4b42-9c39-445bd04c23a6@name_domain.test/cn=Microsoft Private MDB</MdbDN>
<PublicFolderServer>webmail.name_domain.test</PublicFolderServer>
<AD>DC2.name_domain.test</AD>
<ASUrl>https://webmail.name_domain.test/EWS/Exchange.asmx</ASUrl>
<EwsUrl>https://webmail.name_domain.test/EWS/Exchange.asmx</EwsUrl>
<EmwsUrl>https://webmail.name_domain.test/EWS/Exchange.asmx</EmwsUrl>
<EcpUrl>https://webmail.name_domain.test/ecp/</EcpUrl>
<EcpUrl-um>?rfr=olk&p=customize/voicemail.aspx&exsvurl=1&realm=name_domain.test</EcpUrl-um>
<EcpUrl-aggr>?rfr=olk&p=personalsettings/EmailSubscriptions.slab&exsvurl=1&realm=name_domain.test</EcpUrl-aggr>
<EcpUrl-mt>PersonalSettings/DeliveryReport.aspx?rfr=olk&exsvurl=1&IsOWA=<IsOWA>&MsgID=<MsgID>&Mbx=<Mbx>&realm=name_domain.test</EcpUrl-mt>
<EcpUrl-ret>?rfr=olk&p=organize/retentionpolicytags.slab&exsvurl=1&realm=name_domain.test</EcpUrl-ret>
<EcpUrl-sms>?rfr=olk&p=sms/textmessaging.slab&exsvurl=1&realm=name_domain.test</EcpUrl-sms>
<EcpUrl-publish>customize/calendarpublishing.slab?rfr=olk&exsvurl=1&FldID=<FldID>&realm=name_domain.test</EcpUrl-publish>
<EcpUrl-photo>PersonalSettings/E.testAccount.aspx?rfr=olk&chgPhoto=1&exsvurl=1&realm=name_domain.test</EcpUrl-photo>
<EcpUrl-tm>?rfr=olk&ftr=TeamMailbox&exsvurl=1&realm=name_domain.test</EcpUrl-tm>
<EcpUrl-tmCreating>?rfr=olk&ftr=TeamMailboxCreating&SPUrl=<SPUrl>&.testle=<.testle>&SPTMAppUrl=<SPTMAppUrl>&exsvurl=1&realm=name_domain.test</EcpUrl-tmCreating>
<EcpUrl-tmE.testing>?rfr=olk&ftr=TeamMailboxE.testing&Id=<Id>&exsvurl=1&realm=name_domain.test</EcpUrl-tmE.testing>
<EcpUrl-extinstall>Extension/InstalledExtensions.slab?rfr=olk&exsvurl=1&realm=name_domain.test</EcpUrl-extinstall>
<OOFUrl>https://webmail.name_domain.test/EWS/Exchange.asmx</OOFUrl>
<UMUrl>https://webmail.name_domain.test/EWS/UM2007Legacy.asmx</UMUrl>
<OABUrl>https://webmail.name_domain.test/OAB/e66d9a4a-6ed2-4512-b72f-522381524dd9/</OABUrl>
<ServerExclusiveConnect>off</ServerExclusiveConnect>
<CertPrincipalName>msstd:webmail.name_domain.test</CertPrincipalName>
</Protocol>
<Protocol>
<Type>EXPR</Type>
<Server>webmail.name_domain.test</Server>
<SSL>On</SSL>
<AuthPackage>Basic</AuthPackage>
<ASUrl>https://webmail.name_domain.test/ews/exchange.asmx</ASUrl>
<EwsUrl>https://webmail.name_domain.test/ews/exchange.asmx</EwsUrl>
<EmwsUrl>https://webmail.name_domain.test/ews/exchange.asmx</EmwsUrl>
<EcpUrl>https://webmail.name_domain.test/ecp/</EcpUrl>
<EcpUrl-um>?rfr=olk&p=customize/voicemail.aspx&exsvurl=1&realm=name_domain.test</EcpUrl-um>
<EcpUrl-aggr>?rfr=olk&p=personalsettings/EmailSubscriptions.slab&exsvurl=1&realm=name_domain.test</EcpUrl-aggr>
<EcpUrl-mt>PersonalSettings/DeliveryReport.aspx?rfr=olk&exsvurl=1&IsOWA=<IsOWA>&MsgID=<MsgID>&Mbx=<Mbx>&realm=name_domain.test</EcpUrl-mt>
<EcpUrl-ret>?rfr=olk&p=organize/retentionpolicytags.slab&exsvurl=1&realm=name_domain.test</EcpUrl-ret>
<EcpUrl-sms>?rfr=olk&p=sms/textmessaging.slab&exsvurl=1&realm=name_domain.test</EcpUrl-sms>
<EcpUrl-publish>customize/calendarpublishing.slab?rfr=olk&exsvurl=1&FldID=<FldID>&realm=name_domain.test</EcpUrl-publish>
<EcpUrl-photo>PersonalSettings/E.testAccount.aspx?rfr=olk&chgPhoto=1&exsvurl=1&realm=name_domain.test</EcpUrl-photo>
<EcpUrl-tm>?rfr=olk&ftr=TeamMailbox&exsvurl=1&realm=name_domain.test</EcpUrl-tm>
<EcpUrl-tmCreating>?rfr=olk&ftr=TeamMailboxCreating&SPUrl=<SPUrl>&.testle=<.testle>&SPTMAppUrl=<SPTMAppUrl>&exsvurl=1&realm=name_domain.test</EcpUrl-tmCreating>
<EcpUrl-tmE.testing>?rfr=olk&ftr=TeamMailboxE.testing&Id=<Id>&exsvurl=1&realm=name_domain.test</EcpUrl-tmE.testing>
<EcpUrl-extinstall>Extension/InstalledExtensions.slab?rfr=olk&exsvurl=1&realm=name_domain.test</EcpUrl-extinstall>
<OOFUrl>https://webmail.name_domain.test/ews/exchange.asmx</OOFUrl>
<UMUrl>https://webmail.name_domain.test/ews/UM2007Legacy.asmx</UMUrl>
<OABUrl>https://webmail.name_domain.test/OAB/e66d9a4a-6ed2-4512-b72f-522381524dd9/</OABUrl>
<ServerExclusiveConnect>on</ServerExclusiveConnect>
<CertPrincipalName>msstd:webmail.name_domain.test</CertPrincipalName>
<EwsPartnerUrl>https://webmail.name_domain.test/ews/exchange.asmx</EwsPartnerUrl>
<GroupingInformation>LAN</GroupingInformation>
</Protocol>
<Protocol>
<Type>WEB</Type>
<Internal>
<OWAUrl AuthenticationMethod="Basic, Fba">https://webmail.name_domain.test/</OWAUrl>
<Protocol>
<Type>EXCH</Type>
<ASUrl>https://webmail.name_domain.test/EWS/Exchange.asmx</ASUrl>
</Protocol>
</Internal>
<External>
<OWAUrl AuthenticationMethod="Basic">https://webmail.name_domain.test/</OWAUrl>
<Protocol>
<Type>EXPR</Type>
<ASUrl>https://webmail.name_domain.test/ews/exchange.asmx</ASUrl>
</Protocol>
</External>
</Protocol>
<Protocol>
<Type>EXHTTP</Type>
<Server>webmail.name_domain.test</Server>
<SSL>On</SSL>
<AuthPackage>Ntlm</AuthPackage>
<ASUrl>https://webmail.name_domain.test/EWS/Exchange.asmx</ASUrl>
<EwsUrl>https://webmail.name_domain.test/EWS/Exchange.asmx</EwsUrl>
<EmwsUrl>https://webmail.name_domain.test/EWS/Exchange.asmx</EmwsUrl>
<EcpUrl>https://webmail.name_domain.test/ecp/</EcpUrl>
<EcpUrl-um>?rfr=olk&p=customize/voicemail.aspx&exsvurl=1&realm=name_domain.test</EcpUrl-um>
<EcpUrl-aggr>?rfr=olk&p=personalsettings/EmailSubscriptions.slab&exsvurl=1&realm=name_domain.test</EcpUrl-aggr>
<EcpUrl-mt>PersonalSettings/DeliveryReport.aspx?rfr=olk&exsvurl=1&IsOWA=<IsOWA>&MsgID=<MsgID>&Mbx=<Mbx>&realm=name_domain.test</EcpUrl-mt>
<EcpUrl-ret>?rfr=olk&p=organize/retentionpolicytags.slab&exsvurl=1&realm=name_domain.test</EcpUrl-ret>
<EcpUrl-sms>?rfr=olk&p=sms/textmessaging.slab&exsvurl=1&realm=name_domain.test</EcpUrl-sms>
<EcpUrl-publish>customize/calendarpublishing.slab?rfr=olk&exsvurl=1&FldID=<FldID>&realm=name_domain.test</EcpUrl-publish>
<EcpUrl-photo>PersonalSettings/E.testAccount.aspx?rfr=olk&chgPhoto=1&exsvurl=1&realm=name_domain.test</EcpUrl-photo>
<EcpUrl-tm>?rfr=olk&ftr=TeamMailbox&exsvurl=1&realm=name_domain.test</EcpUrl-tm>
<EcpUrl-tmCreating>?rfr=olk&ftr=TeamMailboxCreating&SPUrl=<SPUrl>&.testle=<.testle>&SPTMAppUrl=<SPTMAppUrl>&exsvurl=1&realm=name_domain.test</EcpUrl-tmCreating>
<EcpUrl-tmE.testing>?rfr=olk&ftr=TeamMailboxE.testing&Id=<Id>&exsvurl=1&realm=name_domain.test</EcpUrl-tmE.testing>
<EcpUrl-extinstall>Extension/InstalledExtensions.slab?rfr=olk&exsvurl=1&realm=name_domain.test</EcpUrl-extinstall>
<OOFUrl>https://webmail.name_domain.test/EWS/Exchange.asmx</OOFUrl>
<UMUrl>https://webmail.name_domain.test/EWS/UM2007Legacy.asmx</UMUrl>
<OABUrl>https://webmail.name_domain.test/OAB/e66d9a4a-6ed2-4512-b72f-522381524dd9/</OABUrl>
<ServerExclusiveConnect>On</ServerExclusiveConnect>
<CertPrincipalName>msstd:webmail.name_domain.test</CertPrincipalName>
</Protocol>
<Protocol>
<Type>EXHTTP</Type>
<Server>webmail.name_domain.test</Server>
<SSL>On</SSL>
<AuthPackage>Basic</AuthPackage>
<ASUrl>https://webmail.name_domain.test/ews/exchange.asmx</ASUrl>
<EwsUrl>https://webmail.name_domain.test/ews/exchange.asmx</EwsUrl>
<EmwsUrl>https://webmail.name_domain.test/ews/exchange.asmx</EmwsUrl>
<EcpUrl>https://webmail.name_domain.test/ecp/</EcpUrl>
<EcpUrl-um>?rfr=olk&p=customize/voicemail.aspx&exsvurl=1&realm=name_domain.test</EcpUrl-um>
<EcpUrl-aggr>?rfr=olk&p=personalsettings/EmailSubscriptions.slab&exsvurl=1&realm=name_domain.test</EcpUrl-aggr>
<EcpUrl-mt>PersonalSettings/DeliveryReport.aspx?rfr=olk&exsvurl=1&IsOWA=<IsOWA>&MsgID=<MsgID>&Mbx=<Mbx>&realm=name_domain.test</EcpUrl-mt>
<EcpUrl-ret>?rfr=olk&p=organize/retentionpolicytags.slab&exsvurl=1&realm=name_domain.test</EcpUrl-ret>
<EcpUrl-sms>?rfr=olk&p=sms/textmessaging.slab&exsvurl=1&realm=name_domain.test</EcpUrl-sms>
<EcpUrl-publish>customize/calendarpublishing.slab?rfr=olk&exsvurl=1&FldID=<FldID>&realm=name_domain.test</EcpUrl-publish>
<EcpUrl-photo>PersonalSettings/E.testAccount.aspx?rfr=olk&chgPhoto=1&exsvurl=1&realm=name_domain.test</EcpUrl-photo>
<EcpUrl-tm>?rfr=olk&ftr=TeamMailbox&exsvurl=1&realm=name_domain.test</EcpUrl-tm>
<EcpUrl-tmCreating>?rfr=olk&ftr=TeamMailboxCreating&SPUrl=<SPUrl>&.testle=<.testle>&SPTMAppUrl=<SPTMAppUrl>&exsvurl=1&realm=name_domain.test</EcpUrl-tmCreating>
<EcpUrl-tmE.testing>?rfr=olk&ftr=TeamMailboxE.testing&Id=<Id>&exsvurl=1&realm=name_domain.test</EcpUrl-tmE.testing>
<EcpUrl-extinstall>Extension/InstalledExtensions.slab?rfr=olk&exsvurl=1&realm=name_domain.test</EcpUrl-extinstall>
<OOFUrl>https://webmail.name_domain.test/ews/exchange.asmx</OOFUrl>
<UMUrl>https://webmail.name_domain.test/ews/UM2007Legacy.asmx</UMUrl>
<OABUrl>https://webmail.name_domain.test/OAB/e66d9a4a-6ed2-4512-b72f-522381524dd9/</OABUrl>
<ServerExclusiveConnect>On</ServerExclusiveConnect>
<CertPrincipalName>msstd:webmail.name_domain.test</CertPrincipalName>
</Protocol>
</Account>
</Response>
</Autodiscover>
Get-OwaVirtualDirectory | fl name,*auth*,*url*
Name : owa (Default Web Site)
ClientAuthCleanupLevel : High
InternalAuthenticationMethods : {Basic, Fba}
BasicAuthentication : True
WindowsAuthentication : False
DigestAuthentication : False
FormsAuthentication : True
LiveIdAuthentication : False
AdfsAuthentication : False
OAuthAuthentication : False
ExternalAuthenticationMethods : {Basic}
Url : {}
SetPhotoURL :
Exchange2003Url :
FailbackUrl :
InternalUrl : https://webmail.name_domain.test/
ExternalUrl : https://webmail.name_domain.test/Follow the results of the test
Outlook Anywhere (RPC over HTTP).
Has been used an account for which
outlook anywhere works. The account
for which the outlook anywhere does not work is
an administrative account and therefore
can not be used in the test.
Autodiscovery returns the
same result for both mailbox.
I'm testing RPC/HTTP connectivity.
Testing RPC over HTTP has not been exceeded.
Test steps
Microsoft connectivity Analyzer is attempting to test the Autodiscover service for user_test@domain_name.test.
Test the Autodiscover service has not been exceeded.
Test steps
I'm trying to contact the Autodiscover service with each method available.
I was not able to contact the Autodiscover service with no method.
Test steps
I'm trying to test the possible URL for the Autodiscover service https://domain_name.test/AutoDiscover/AutoDiscover.xml
The test of this potential URL for the Autodiscover service has not been exceeded.
Test steps
I'm trying to resolve the host name domain_name. DNS test.
I was able to resolve the host name.
IP addresses are returned: xxx.yyy.zzz.www
I'm testing the TCP port 443 on the host domain_name. tests to check that is open and listening.
The door has been opened properly.
I'm testing the validity of your SSL certificate.
The SSL certificate has not exceeded one or more validation controls.
Test steps
Microsoft connectivity Analyzer is attempting to obtain the SSL certificate from the remote server domain_name. test on port 443.
Microsoft connectivity Analyzer got the remote SSL certificate.
Remote certificate subject: E = it_staff@domain_name.test, CN = * domain_name. test, OU = it staff, O = domain_name, L = city, S = state, C = test issuer: E = it_staff@domain_name.test, CN = * domain_name. test, OU = it staff, O = domain_name,
L = city, S = state, C = test.
I am validating the certificate name.
I could not validate the certificate name.
More info about this issue and how to resove it
The host name domain_name. testing does not match any name found on the certificate and server = it_staff@domain_name.test, CN = * domain_name. test, OU = it staff, O = domain_name, L = city, S = state, C = test.
I'm trying to test the possible URL for the Autodiscover service https://autodiscover.domain_name.test/AutoDiscover/AutoDiscover.xml
The test of this potential URL for the Autodiscover service has not been exceeded.
Test steps
I'm trying to resolve the host name autodiscover. domain_name. DNS test.
I was able to resolve the host name.
IP addresses are returned: xxx.yyy.zzz.kkk
I'm testing the TCP port 443 on the host autodiscover. domain_name. tests to check that is open and listening.
The door has been opened properly.
I'm testing the validity of your SSL certificate.
The SSL certificate has not exceeded one or more validation controls.
Test steps
Microsoft connectivity Analyzer is attempting to obtain the SSL certificate from the remote server autodiscover. domain_name. test on port 443.
Microsoft connectivity Analyzer got the remote SSL certificate.
Other details
Remote certificate subject: CN = webmail. domain_name. test, OU = it staff, O = domain_name, L = city, S = city, C = test issuer: CN = domain_name-DC1-CA, DC = domain_name, DC = test.
I am validating the certificate name.
I validated the certificate name.
Other details
I found the host name autodiscover. domain_name. test in the voice of the alternative name of the certificate object.
Elapsed time: 1 ms.
I am validating the reliability of certificates.
I was not able to validate the reliability of the certificate.
Test steps
Microsoft connectivity Analyzer is attempting to generate certificate chains to a certificate CN = webmail. domain_name. test, OU = it staff, O = domain_name, L = city, S = city, C = test.
I failed to build a certificate chain for the certificate.
Other details
Failed to generate the certificate chain.
May be missing the required intermediate certificates.
I'm trying to contact the Autodiscover service using the HTTP redirect method.
I was not able to contact the Autodiscover service using the HTTP redirect method.
Test steps
I'm trying to resolve the host name autodiscover. domain_name. DNS test.
I was able to resolve the host name.
IP addresses are returned: xxx.yyy.zzz.kkk
I'm testing the TCP port 80 on the host autodiscover. domain_name. tests to check that is open and listening.
The specified port is blocked, is not listening or doesn't produce the expected response.
More info about this issue and how to resove it
I encountered a network error while communicating with the remote host.
I'm trying to
find the
SRV DNS record _audiscover._tcp.domain_name.test.
I failed to find
the SRV record of the
Autodiscover service
in DNS.
Some clarifications:
1 - xxx.yyy.zzz.www and xxx.yyy.zzz.kkk
are two static public addresses
of which only the latter exposes Exchange services;
2 - The certificate
*. Domain_name.test is not related
to Exchange services;
3 -I imported the certificate
of the issuing CA on the standalone test PC to validate the certificate.
3- The port 80 is not open and are not published SRV records.
Best regards. -
Exchange 2010 Autodiscovery & Outlook Anywhere kind of but really not working
This is driving me nuts. We have a single Exchange Server 2010 running (everything is on one box). It works fine internally (all Outlook clients can see and grab the login info from the user login). OWA works from outside, mail delivers nicely. My problems
all seem to stem around some mysterious problem in autodiscover and outlook anywhere.
Our domain is internally like this: mycompany2.com and outside like this: mycompanyllc.com
So the mail server inside looks like server1.mycompany2.com and outside: mail.mycompanyllc.com - from what I can see it's all set up correctly in both.
I've run the connectivity analyzer and apart from a minor certificate warning ('Your certificate may not be trusted on Windows if the "Update Root Certificates" feature isn't enabled) it passes every test on the site for EAS and Outlook Anywhere
(and for good measure I ran everything, all green checks!). Autodiscover works in the test, everything gets found and pointed to the right place.
When I have a user that wants to configure Outlook 2010 or 2013 outside
the org. they start the wizard, type their name, their email, their password. The server or user can't be found and no matter what they do it won't find it. If you go in and manually configure the
internal server name, domain, username you can connect. It just won't set it up automatically. The odd thing is, in the analyzer the autodiscovery XML is found and downloaded fine, all the server name info and detail is displayed.
In Outlook 2013, both Exchange and EAS connection doesn't work even though phones can be set up through EAS (although they require the same kind of manual setup--autodiscover doesn't seem to work even though it keeps telling me everything
is fine).
I'm at wits end, all the tests show it's working, but in the real world the server can't be found. It's right on the DNS servers, it's right in the tests, it responds correctly manually. I'd love users to be able to set up their own mail without a 10 page
printout of all the manual settings. It's all relatively late model hardware, Outlook 2010 or 2013, and a fully patched up to date Exchange 2010 server. Anyone have an idea?
Curt Kessler - FLCWe don't use TMG we use a WatchGuard Firewall and it is configured to allow all traffic to this server (that's why manual works fine with Outlook and OWA).
When I run the get-autodiscovervirtualdirectory it returns my internal server under the Server, and nothing more, so this possibly could be it?? I'm definitely not good at IIS at all, I would need guidance to investigate that further...
This is my EXRCA results, the first fail is because it tests the root of mydomain.com rather than mail.mydomain.com which is a different server. I've replaced some names for security purposes:
The Microsoft Connectivity Analyzer is attempting to test Autodiscover for
[email protected].
Autodiscover was tested successfully.
Test Steps
Attempting each method of contacting the Autodiscover service.
The Autodiscover service was tested successfully.
Test Steps
Attempting to test potential Autodiscover URL https://mydomain.com/AutoDiscover/AutoDiscover.xml
Testing of this potential Autodiscover URL failed.
Test Steps
Attempting to resolve the host name franklinlc.com in DNS.
The host name resolved successfully.
Additional Details
IP addresses returned: 76.79.142.101
Testing TCP port 443 on host franklinlc.com to ensure it's listening and open.
The port was opened successfully.
Testing the SSL certificate to make sure it's valid.
The SSL certificate failed one or more certificate validation checks.
Test Steps
The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server franklinlc.com on port 443.
The Microsoft Connectivity Analyzer successfully obtained the remote SSL certificate.
Additional Details
Remote Certificate Subject: CN=apps.franklinlc.com, OU=Domain Control Validated, O=apps.franklinlc.com, Issuer: SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale,
S=Arizona, C=US.
Validating the certificate name.
Certificate name validation failed.
<label for="testSelectWizard_ctl12_ctl06_ctl00_ctl00_ctl02_ctl01_tmmArrow">Tell
me more about this issue and how to resolve it</label>
Additional Details
Host name franklinlc.com doesn't match any name found on the server certificate CN=apps.franklinlc.com, OU=Domain Control Validated, O=apps.franklinlc.com.
Attempting to test potential Autodiscover URL https://autodiscover.mydomain.com/AutoDiscover/AutoDiscover.xml
Testing of the Autodiscover URL was successful.
Test Steps
Attempting to resolve the host name autodiscover.mydomain.com in DNS.
The host name resolved successfully.
Additional Details
IP addresses returned: 76.xx.xx.xx this is the mail server IP address
Testing TCP port 443 on host autodiscover.franklinlc.com to ensure it's listening and open.
The port was opened successfully.
Testing the SSL certificate to make sure it's valid.
The certificate passed all validation requirements.
Test Steps
The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server autodiscover.mydomain.com on port 443.
The Microsoft Connectivity Analyzer successfully obtained the remote SSL certificate.
Additional Details
Remote Certificate Subject: CN=mail.franklinlc.com, OU=Domain Control Validated, O=mail.mydomain.com, Issuer: SERIALNUMBER=xxxxxxxxxxxxx, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale,
S=Arizona, C=US.
Validating the certificate name.
The certificate name was validated successfully.
Additional Details
Host name autodiscover.mydomain.com was found in the Certificate Subject Alternative Name entry.
Testing the certificate date to confirm the certificate is valid.
Date validation passed. The certificate hasn't expired.
Additional Details
The certificate is valid. NotBefore = 9/28/2012 10:20:20 PM, NotAfter = 9/28/2015 10:20:20 PM
Checking the IIS configuration for client certificate authentication.
Client certificate authentication wasn't detected.
Additional Details
Accept/Require Client Certificates isn't configured.
Attempting to send an Autodiscover POST request to potential Autodiscover URLs.
The Microsoft Connectivity Analyzer successfully retrieved Autodiscover settings by sending an Autodiscover POST.
Test Steps
The Microsoft Connectivity Analyzer is attempting to retrieve an XML Autodiscover response from URL https://autodiscover.mydomain.com/AutoDiscover/AutoDiscover.xml for user [email protected].
The Autodiscover XML response was successfully retrieved.
Additional Details
Autodiscover Account Settings
XML response:
<?xml version="1.0"?>
<Autodiscover xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
<Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
<User>
<DisplayName>Curt Kessler</DisplayName>
<LegacyDN>/o=mydomain/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=Curt Kessler</LegacyDN>
<DeploymentId>14a1e263-943a-4609-865c-ba22802e45aa</DeploymentId>
</User>
<Account>
<AccountType>email</AccountType>
<Action>settings</Action>
<Protocol>
<Type>EXCH</Type>
<Server>FLC5.internaldomainname.com</Server>
<ServerDN>/o=mydomain/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=FLC5</ServerDN>
<ServerVersion>7383807B</ServerVersion>
<MdbDN>/o=mydomain/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=FLC5/cn=Microsoft Private MDB</MdbDN>
<ASUrl>https://mail.mydomain.com/ews/exchange.asmx</ASUrl>
<OOFUrl>https://mail.mydomain.com/ews/exchange.asmx</OOFUrl>
<OABUrl>https://mail.mydomain.com/OAB/9c85c0c4-48f4-4aa8-99b2-f640651b130a/</OABUrl>
<UMUrl>https://mail.mydomain.com/ews/UM2007Legacy.asmx</UMUrl>
<Port>0</Port>
<DirectoryPort>0</DirectoryPort>
<ReferralPort>0</ReferralPort>
<PublicFolderServer>FLC5.internaldomainname.com</PublicFolderServer>
<AD>PRIME.internaldomainname.com</AD>
<EwsUrl>https://mail.mydomain.com/ews/exchange.asmx</EwsUrl>
<EcpUrl>https://flc5.internaldomainname.com/ecp/</EcpUrl>
<EcpUrl-um>?p=customize/voicemail.aspx&exsvurl=1</EcpUrl-um>
<EcpUrl-aggr>?p=personalsettings/EmailSubscriptions.slab&exsvurl=1</EcpUrl-aggr>
<EcpUrl-mt>PersonalSettings/DeliveryReport.aspx?exsvurl=1&IsOWA=<IsOWA>&MsgID=<MsgID>&Mbx=<Mbx></EcpUrl-mt>
<EcpUrl-ret>?p=organize/retentionpolicytags.slab&exsvurl=1</EcpUrl-ret>
<EcpUrl-sms>?p=sms/textmessaging.slab&exsvurl=1</EcpUrl-sms>
</Protocol>
<Protocol>
<Type>EXPR</Type>
<Server>mail.mydomain.com</Server>
<ASUrl>https://mail.mydomain.com/ews/exchange.asmx</ASUrl>
<OOFUrl>https://mail.mydomain.com/ews/exchange.asmx</OOFUrl>
<OABUrl>https://mail.mydomain.com/OAB/9c85c0c4-48f4-4aa8-99b2-f640651b130a/</OABUrl>
<UMUrl>https://mail.mydomain.com/ews/UM2007Legacy.asmx</UMUrl>
<Port>0</Port>
<DirectoryPort>0</DirectoryPort>
<ReferralPort>0</ReferralPort>
<SSL>On</SSL>
<AuthPackage>Ntlm</AuthPackage>
<EwsUrl>https://mail.mydomain.com/ews/exchange.asmx</EwsUrl>
<EcpUrl>https://mail.mydomain.com/ecp/</EcpUrl>
<EcpUrl-um>?p=customize/voicemail.aspx&exsvurl=1</EcpUrl-um>
<EcpUrl-aggr>?p=personalsettings/EmailSubscriptions.slab&exsvurl=1</EcpUrl-aggr>
<EcpUrl-mt>PersonalSettings/DeliveryReport.aspx?exsvurl=1&IsOWA=<IsOWA>&MsgID=<MsgID>&Mbx=<Mbx></EcpUrl-mt>
<EcpUrl-ret>?p=organize/retentionpolicytags.slab&exsvurl=1</EcpUrl-ret>
<EcpUrl-sms>?p=sms/textmessaging.slab&exsvurl=1</EcpUrl-sms>
</Protocol>
<Protocol>
<Type>WEB</Type>
<Port>0</Port>
<DirectoryPort>0</DirectoryPort>
<ReferralPort>0</ReferralPort>
<Internal>
<OWAUrl AuthenticationMethod="Basic, Ntlm, Fba, WindowsIntegrated">https://flc5.internaldomainname.com/owa/</OWAUrl>
<Protocol>
<Type>EXCH</Type>
<ASUrl>https://mail.mydomain.com/ews/exchange.asmx</ASUrl>
</Protocol>
</Internal>
<External>
<OWAUrl AuthenticationMethod="Fba">https://mail.mydomain.com/owa/</OWAUrl>
<Protocol>
<Type>EXPR</Type>
<ASUrl>https://mail.mydomain.com/ews/exchange.asmx</ASUrl>
</Protocol>
</External>
</Protocol>
</Account>
</Response>
</Autodiscover>
I've replaced my public domain with mydomain.com and my internal domain with internaldomainname.com, and hidden the IP, but everything else is the same. The tests all pass
Curt Kessler - FLC -
Outlook Anywhere Prompts for Credentials only for Outlook 2010, not Outlook 2013
I'm having a heck of a time with this one. We have Exchange 2010 on premise, with our filtering through EOP. Clients that are using Outlook 2010 Professional Plus are continuously getting prompted for credentials when off network and relying
on Outlook Anywhere.
I've read many threads about configuring credential manager appropriately for the internal domain and our external domain. I can get them to authenticate just fine, and email flows, but they continue to be prompted everytime they connect again.
Here is the kicker: When I install Outlook 2013 on the same computer, outlook anywhere functions just fine, no problems, no authentication prompt.
Like I said I have read a plethera of articles and threads about this, I have gone through all settings on Exchange, our edge server, our firewall, our certificate. The MSSTD string matches our "Issued To" string. NTLM authentication
is configured on both the client and the server. Appropriate settings are configured on the firewalls.
Anyone know why Outlook 2010 would have this problem, but not Outlook 2013 on the same computer, same user, same mailbox database?
Thanks in advance!!!I'd still Echo Ed's original question.
Do you have Outlook 2010 patched up? At this time you need to be on SP1, and SP2 by October the 14th.
Also I expect you to have a recent update ontop of that as well.
http://blogs.technet.com/b/rmilne/archive/2014/04/14/office-2010-sp2_1320_-do-you-need-to-upgrade_3f00_.aspx
Cheers,
Rhoderick
Microsoft Senior Exchange PFE
Blog:
http://blogs.technet.com/rmilne
Twitter: LinkedIn:
Facebook:
XING:
Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose. -
ISA 2006 with IPSEC and NAT - Publishing Outlook Anywhere - TCP Checksum Dropped 0xc0040031 problem
Hi
I am looking to publish Outlook Anywhere, with IPSEC configured as per (http://www.microsoft.com/en-us/download/confirmation.aspx?id=23708) to lock down Outlook Anywhere to
machines with internal certificates only.
I have the following infrastructure setup:
ISA 2006 SP1 - Server 2003 R2 / SP2
-Allows UDP 4500/500 and TCP 443
-Hosted on VMWare ESXi 5
Test laptop - Windows 7
External Firewall static NAT's from a public IP to ISA server and allows the following:
UDP 4500/500
Protocol 50/51
IPSEC policy configured on the ISA server:
-IP Filter List = DMZ IP of ISA server, source port any, destination port 443
-Filter Action = Negotiate Security, Integrity Only
-Authentication Methods = Certifciate Authority, internal enterprise CA selected
IPSEC policy configured on the Windows 7 Test Laptop:
-IP Filter List = External (public) IP of ISA server, source port any, destination port 443
-Filter Action = Negotiate Security, Integrity Only
-Authentication Methods = Certifciate Authority, internal enterprise CA selected
So far the following works:
I have a port listener running on the ISA server to mimic Exchange (just to keep things simple to begin with).
If I unassign the IPSEC policies, I can telnet from an external network on the test laptop successfully to the external IP of the ISA server.
If I assign the IPSEC policies, I cannot telnet from an external network on the test laptop to the external IP of the ISA server. I note the following:
-HTTPS is denied with no rule (an allow rule is present)
-Result Code = 0xc0040031 FWX_E_BAD_TCP_CHECKSUM_DROPPED
-The ISA log shows IKE Client and IPSEC NAT-T client traffic as successful.
-The event log shows main mode and quick mode as successful.
-The IPSEC monitor shows SA's for quick mode and main mode.
If I google the error code I gather it relates to the TCP checksum being calculated by the ISA server disagreeing with the actual checksum received. I guess this is part of AH. I have tried the following:
-Add the AssumeUDPEncapsulationContextOnSendRule = 2 on the ISA server under services\IPSEC and reboot.
-Add the AssumeUDPEncapsulationContextOnSendRule = 2 on the Windows 7 Laptop under services\PolicyAgent and reboot.
-Disable the following in the ISA server registry and reboot:
RSS
SecurityFilters
TCPA
TCPChimney
-Disable Chimney Offload via Netsh command
-Disable all Offload options on VMXNET 3 driver advanced settings and rebooting
-Switching to an E1000 NIC and disabling all offload options and rebooting
-Upgrading E1000 drivers from base version (2002 driver) to intels later version (2008), rebooting and disabling all offload options.
-Run a wireshark trace - cannot see anything useful
-Checked oackley log - cannot see anything useful
I still cannot get the 443 traffic to successfully connect without the FWX_E_BAD_TCP_CHECKSUM_DROPPED error and have run out of google articles.
I would really appreciate if anyone has any suggestions?
Many Thanks
StevenHi,
Glad to hear that. I'll mark it as answer. Thank you.
Best Regards,
Joyce
We
are trying to better understand customer views on social support experience, so your participation in this
interview project would be greatly appreciated if you have time.
Thanks for helping make community forums a great place. -
Autodiscover and Outlook Anywhere return http status 401
Hi, I'm having issues with Autodiscovery (externally) and Outlook Anywhere for some users on our Exchange 2010 (SP3, RU2) setup. Just for information, we have Exchange servers at two AD sites (same forest / domain) with each site having 2 combined client
access / hub transport servers and 3 mailbox servers (with 2 stretched DAG's across both sites). Site A is internet facing, but site B isn't.
Autodiscovery
Internally, it's working fine (using the Test E-mail AutoConfiguration option within Outlook 2010). But externally (using the Microsoft TestConnectivity site), autodiscovery fails, returning the following:
Attempting to send an Autodiscover POST request to potential Autodiscover URLs.
Autodiscover settings weren't obtained when the Autodiscover POST request was sent.
+Additional Details
Elapsed Time: 1783 ms.
+ Test Steps
The Microsoft Connectivity Analyzer is attempting to retrieve an XML Autodiscover response from URL https://autodiscover.company.com/AutoDiscover/AutoDiscover.xml
for user [email protected].
The Microsoft Connectivity Analyzer failed to obtain an Autodiscover XML response.
+Additional Details
An HTTP 401 Unauthorized response was received from the remote Unknown server. This is usually the result of an incorrect username or password. If you are attempting to log onto an Office 365 service, ensure you are using your
full User Principal Name (UPN).
Headers received:
Content-Type: text/html
Server: Microsoft-IIS/7.5
WWW-Authenticate: Negotiate,NTLM,Basic realm="autodiscover.company.com"
The odd thing is, if I browse to the autodiscover file location (externally), then I'm prompted for credentials. When I enter the same credentials that I input into the Microsoft connectivity analyser, I do actually get the correct https status 600 response.
Also, within EMS, when I run "Test-OutlookWebServices" on Client Access servers in site B, I see the following results...
RunspaceId : 5c80ec49-f6f8-4f7a-ae63-4ed61a3c966e
Id : 1104
Type : Error
Message : The certificate for the URL https://ExchServer.domain.local/autodiscover/autodiscover.xml is incorrect. For SSL to work, the certificate
needs
to have a subject of ExchServer.domain.local, but the subject that was found is webmail.Company.com. Consider correcting service discovery,
or installing a correct SSL certificate.
RunspaceId : 5c80ec49-f6f8-4f7a-ae63-4ed61a3c966e
Id : 1113
Type : Error
Message : When contacting https://ExchServer.domain.local:443/autodiscover/autodiscover.xml received the error The remote server returned
an error:
(500) Internal Server Error.
RunspaceId : 5c80ec49-f6f8-4f7a-ae63-4ed61a3c966e
Id : 1123
Type : Error
Message : The Autodiscover service couldn't be contacted.
However - I can't see where Exchange has pulled the "...domain.local" address from for Autodiscovery. Both Get-AutodiscoveryVirtualDirectory and Get-ClientAccessServer both report the correct URLs/URIs with the FQDN of Company.Com (which are on
the GoDaddy certificate we use both internally and externally).
Outlook Anywhere
Whether my issues with Outlook Anywhere are related to Autodiscover, I'm not sure. Users who's mailbox is located at Site A (internet facing) are fine, and Outlook Anywhere works great. But users who's mailbox is at Site B, can't use Outlook Anywhere (Starting
Outlook in RPCDiag mode shows that it tries to connect, and sometimes establishes a connection for a couple of seconds, then disconnects completely).
Running "Test-OutlookConnectivity -Protocol:http" on a Client Access server at Site B, passes all but the last scenario (Mailbox::Logon), which throws up the following error:
RunspaceId : 5c80ec49-f6f8-4f7a-ae63-4ed61a3c966e
ServiceEndpoint : ExchServer.domain.local
Id : MailboxLogon
ClientAccessServer : ExchServer.domain.local.ad.local
Scenario : Mailbox::Logon.
ScenarioDescription :
PerformanceCounterName : Mailbox: Logon latency
Result : Failure
Error :
UserName : ad.local\extest_a91a4b4076f24
StartTime : 14/01/2014 16:33:27
Latency : -00:00:00.0010000
EventType : Error
LatencyInMillisecondsString : -1.00
Identity :
IsValid : True
Testing Outlook Anywhere using Microsoft RCA throws up the error:
RPC Proxy can't be pinged.
An HTTP 401 error was received...
Any help is greatly appreciated. Let me know if I've missed any info!
Thanks
TonyHi Guys,
My first chance today to respond!
Firstly - thanks for all the information. I really appreciate it.
Well, the good news is that Outlook Anywhere is now working at Site B. It looks like a combination of disabling Outlook Anywhere at Site B (thanks
Jon), and then being patient and allowing replication to do its stuff (thanks Rhoderck).
However RCA is still showing ‘Failed’ with the following error. If it helps to have the full output, please let me know. Just for info, I chose
the option to test using autodiscovery (rather than manually enter it), which passed fine.
Attempting to ping RPC proxy webmail.company.com.
RPC Proxy can't be pinged.
Additional Details
An HTTP 401 Unauthorized response was received from the remote Unknown server. This is usually the result of an incorrect username or password.
If you are attempting to log onto an Office 365 service, ensure you are using your full User Principal Name (UPN). Headers received: Content-Type: text/html Server: Microsoft-IIS/7.5 WWW-Authenticate: Negotiate,NTLM X-Powered-By: ASP.NET Date: Tue, 21 Jan
2014 09:55:41 GMT Content-Length: 58
Elapsed Time: 1063 ms.
RPCProxy - ValidPorts
Thanks for the 'SoundTrackOfMyLife' link... that looks to be almost identical to my scenario (with the exception of the Kemp LoadMasters). Following
through the troubleshooting, my CAS servers at Site A (Internet Facing) are showing the registry key 'ValidPorts' as...
SiteB-ExchCasSvr01:593;SiteB-ExchCasSvr01:49152-65535
So - should this be...
SiteB-ExchMbxSvr01:6001-6002;SiteB-ExchMbxSvr01:6004;SiteB-ExchMbxSvr01.domain.local:6001-6002;SiteB-ExchMbxSvr01.domain.local:6004;
i.e. I only add ports 6001,6002 and 6004 for mailbox servers only? If so, which sites mailbox servers should I put in here?
SSL Off Loading
We've only really implemented SSL Offloading on the advice from Kemp (it's built in to their Exchange 2010 template). Apparently, the advantage
is the LoadMasters have a dedicated hardware processor for decryption/encryption of SSL traffic, thus taking the load off the Exchange servers. Exactly how much of a load this would normally be for our Exchange servers is unknown. We've followed Kemp's documentation
on unchecking 'Require SSL' for the IIS directories on Site A, and also configured Outlook Anywhere with SSL Offloading through the EMC. This was required as the Kemp's are not re-encrypting traffic to the CAS servers (which are on the same site / LAN
segment), and we're not a bank... so don't need encryption between the LoadMasters and the client access servers.
However, Site B (non internet facing) has 'Require SSL' enabled on IIS directories, since (I guess) traffic is encrypted when performing CAS-CAS
proxying?
I am, as ever, open to suggestions on this design... since our original design was to use TMG for reverse proxy. It was only the end-of-life issue
with TMG, and the fact that we opted for the Kemp LoadMasters (which offered ESP as a replacement to TMG) that swung us down this path.
ESP and SSO are implements on the LoadMaster at Site A (internet facing), which is (was!) not the problem site.
Thanks again for your time and assistance guys. We’re almost there!
Tony -
Outlook is not connecting through Workgroup Machine over internet using Outlook Anywhere
users can connect successfully using outlook anywhere over internet if machine are on domain, well problem with workgroup machine that are not connecting over the internet as outlook keep prompting password well i have configured outlook Anywhere with
default negotiate authentication as well as ssl offloading is checked and using same name for internal and external urls. also have valid 3rd party certificate configured on server.
Talha Faraz MalikHi,
Step 1 :In addition to that , please use remote connectivity analyzer to check outlook anywhere in internet .
From that we came to know the exact error .
Step 2: Most of the organisations are having an ISA or TMG firewall to create web published rules for exchange services .In case if you have you need to check the rule created for outlook anywhere is properly configured or not.
If you have such kind of firewall's ,You can test the OA rule by using the option test rule in ISA or TMG firewall .
Most probably you can able to find out the exact cause with the help of EXRCA.
Please reply me if you have any queries.
Regards
S.Nithyanandham
Maybe you are looking for
-
Belkin Router Firewall Settings - Need Help Please
Hi I'm new to Apple and love the machine, but I am having a problem with the firewall on my router. Let me explain the setup, then the problem... I have the following in my home network: 1 hp desktop running Windows XP Media Center Edition, SP3 (Prof
-
I can't import my cds onto itunes
whenever i import my cds onto itunes.... the songs are all messed up and i'm pretty sure that my cds aren't the problem... the time for the songs are all messed up.... for example... one of the song's time would be 798:4354523948595 and i no that tha
-
I just bought an I phone and was playing Scrabble when an advertisement popped up and I tried to go back to the game and now I can't use any of my apps because whenever I touch one they shake and have an X on them. What did I do?
-
Downloading and installing PE7 templates
Using Adobe's &$*#&$(&%$ downloader/installer, I get to the point where the installer seems to be trying to unpack the template files, at which point, it crashes, with a message along the lines of "you don't have the rights to this folder and/or ther
-
Cross-Company Intransit Inventory Reporting
Hello All, We have implemented the business content cube 0IC_C03 for Inventory Management. Now, we have a high priority need to include cross-company intransit inventory which was missing from the business content. There is a help document, "How to