Outlook Anywhere breaks when changing Internal Auth Method to NTLM

I have an Exchange 2013 environment that I'm migrating to from Exchange 2007, and many of our Outlook clients are still 2007, which means they can't save passwords by default.  We have OA published through TMG's for machines on 4 separate domains to
connect into the mail servers, which all reside on one domain.  We published this rule with Basic auth, and we've been happy, so we config'ed Exchange 2013 the same way.
Since all clients use OA to connect to Exchange 2013, our Outlook 2007 clients are now being prompted for creds every single time they open Outlook.  When I try to change the internalclientauthenticationmethod to NTLM, it fixes the cred challenge for
domain members, but it breaks OA even though the externalclientauthenticationmethod is still Basic.  The internal and external host names are the same.  It's just the auth methods that differ, and both auth methods are set in IISAuthenticationMethods.
 Checking an Outlook client's proxy settings shows NTLM.  If manually switched to Basic, it'll work until Autodiscover switches it back to NTLM.  The weird thing is that testconnectivity.microsoft.com tests come back no problem when using autodiscover
and basic.  Is Outlook just not smart enough to do that?
I'd attempt to use Negotiate on both, but I've read that's incompatible with Exchange 2007, and I'll have users for a while trying to connect to resource mailboxes and public folders on Exchange 2007.  Is there a way to get this to work?  If it can't
work this way, why do they even bother having separate auth methods?
Thanks!

Thanks.  That's what I was afraid of.
I've seen the article. We want to do preauth for OA, so we'd need to hack at it.
Alternatively, create a separate external host name and ensure the internal host name is not resolvable on the Internet. That will ensure external Outlook users will use the external name and the external auth.
Yes.  Thanks.  That's what I was figuring. The problem with that is that our internal host name is the same external name that provides the entry point for EAS and EWS for a large number of users, so I'd have to rearchitect everything with the
majority of our mobile devices already using that.  It's simply not going to happen.  I'll have to hack a bit to figure out a way to make it work.  I suppose I could use legacywebmail.domain.com, which is a SAN on the cert we use for Exchange
and will now be unused during the migration, as the internal name and make it unresolvable externally. It's just ugly since Outlook clients will see that in proxy settings.  I like things neat.  
Funny how with the introduction of internal/external hostnames and auth methods, that our Exchange 2007 environment is now set up the same way I'd want our 2013 setup (same hostnames internally and externally resolvable - NTLM internal/Basic external), and
it works fine. 

Similar Messages

  • Exchange 2010 - Outlook Anywhere trying to connect to internal server name first before connecting to proxy server

    Hello,
    I have an Exchange 2010 question which I will post in the Exchange 2013 section since the Ask a question button in the legacy Exchange Servers section of technet takes me back to the part of Technet where I can only ask questions regarding Exchange 2013.
    If someone can point me to a part where I can place a question in an Exchange 2010 forum please let me know.
    We have Exchange 2010 setup with a CAS array listening to outlook.internaldomain.com
    We have TMG 2010 setup with a rule for Outlook Anywhere, the rule listens to mail.externaldomain.com and traffic that meets this rule is let through to outlook.internaldomain.com.
    When I fire up my laptop, which is connected to the internet, and start Outlook and let it configure my profile through autodiscover it sets it up correct and fills the Outlook profile with a servername stating outlook.internaldomain.com and a proxyserver
    to be used stating mail.externaldomain.com. After initial setup when my Outlook starts it almost immediately prompts me for a username and a password so this is working fine.
    At the office we have an internal network segment where DHCP is servicing the connecting clients and giving them our internal DNS servers because they need connection to some other network segments which are not available to the internet. This network segment
    does not have access to our internal Exchange environment but has full access to the internet. Clients in this network segment do want to use Outlook so using Outlook Anywhere for them is the logical way to go. When I connect my laptop to this network segment
    I get handed an IP address and our internal DNS servers, when I start Outlook it takes about two minutes before the credential prompt pops up and another 2 to 6 minutes after entering credentials before it says all folders are in sync. This is quite long
    and our clients find this unacceptable.
    I started testing what might be going on here and I have found that when I manually enter external DNS servers the Outlook password prompt will popup in seconds and all is working as expected so it seems Outlook is trying to connect to the internal servername
    when using our internal DNS servers (which can resolve outlook.internalnetwork.com) instead of directly going to the proxy server which is to be used for Outlook Anywhere.
    When I start a network monitor trace my thoughts are confirmed because when I am connected to the internal network segment OUTLOOK.EXE first tries to connect to outlook.internaldomain.com, it almost immediately gets a response stating that this route is
    inaccessible but OUTLOOK.EXE keeps on trying to connect until some sort of time out is reached (somewhere around two minutes) after which it connects to mail.externaldomain.com and Outlook shows the credential prompt.
    So to round it up, when connected to DNS servers that can resolve the internal servername Outlook tries to connect to the internal servername instead of the external name, Outlook does not recognize the answer from the network that the internal route is
    not accessible (or it does but does nothing with this information).
    Has anybody experienced this behaviour in Outlook?
    Does anyone have a solution in where I can force Outlook to connect to its proxyserver and disregard the internal servername?

    Thank you for your reply.
    The client computers that are experiencing the issues are not domain joined, the only reason I can think of why this is occurring is because the DNS servers are able to resolve the internal hostname of the server, but I would expect Outlook to always use
    the proxy server that has been set in the configuration of the Outlook profile. Or at least acknowledging the answer that the initially tried route is inaccessible and immediately continue to the proxy server.
    For setting the same hostname for internal and external use, we use different namespaces internally and externally, do you mean setting the external hostname on the CAS array for internal use ? Wouldn't that push all internal communication to the internet
    and to the outside interface of the TMG where the server is published with that hostname ?

  • Exchange 2010 , ARR, Outlook Anywhere

    I am trying to use ARR v3.0 on Server 2012-R2 to publish Exchange OWA,EWS etc
    The server has 1 x NIC and sits in the company's DMZ.
    Everything is working EXCEPT Outlook Anywhere.
    Outlook Anywhere is working correctly internally
    Microsoft Remote Connectivity Analyser reports an RPC Ping failure, everything else is fine.
    "Attempting to ping RPC endpoint 6001 ( Exchange Information Store )
    " The attempt to ping the endpoint failed An RPC error was thrown by the RPC Runtime process. Error 1818
    RPCPing from the ARR box fails, RPCping from an internal server is OK ( 6001 )
    I was hoping for a little insight into this issue, any advice gladly taken.
    Remote Outlook client reports a logon error when trying to connect, auto discover is working correctly.

    Hi,
    Before we go further, I’d like to confirm if you have made the following change:
    Under the IIS root in the ARR home, open Request Filtering
    Under the Actions pane, click Edit Feature Settings...
    Increase the Maximum allowed content length to 2147483648 (2GB):
    Thanks,
    Angela Shi
    TechNet Community Support

  • ISA 2006 with IPSEC and NAT - Publishing Outlook Anywhere - TCP Checksum Dropped 0xc0040031 problem

    Hi
    I am looking to publish Outlook Anywhere, with IPSEC configured as per (http://www.microsoft.com/en-us/download/confirmation.aspx?id=23708) to lock down Outlook Anywhere to
    machines with internal certificates only.
    I have the following infrastructure setup:
    ISA 2006 SP1 - Server 2003 R2 / SP2
    -Allows UDP 4500/500 and TCP 443
    -Hosted on VMWare ESXi 5
    Test laptop - Windows 7
    External Firewall static NAT's from a public IP to ISA server and allows the following:
    UDP 4500/500
    Protocol 50/51
    IPSEC policy configured on the ISA server:
    -IP Filter List = DMZ IP of ISA server, source port any, destination port 443
    -Filter Action = Negotiate Security, Integrity Only
    -Authentication Methods = Certificate Authority, internal enterprise CA selected
    IPSEC policy configured on the Windows 7 Test Laptop:
    -IP Filter List = External (public) IP of ISA server, source port any, destination port 443
    -Filter Action = Negotiate Security, Integrity Only
    -Authentication Methods = Certificate Authority, internal enterprise CA selected
    So far the following works:
    I have a port listener running on the ISA server to mimic Exchange (just to keep things simple to begin with).
    If I unassign the IPSEC policies, I can telnet from an external network on the test laptop successfully to the external IP of the ISA server. 
    If I assign the IPSEC policies, I cannot telnet from an external network on the test laptop to the external IP of the ISA server.  I note the following:
    -HTTPS is denied with no rule (an allow rule is present)
    -Result Code = 0xc0040031 FWX_E_BAD_TCP_CHECKSUM_DROPPED
    -The ISA log shows IKE Client and IPSEC NAT-T client traffic as successful.
    -The event log shows main mode and quick mode as successful.
    -The IPSEC monitor shows SA's for quick mode and main mode.
    If I google the error code I gather it relates to the TCP checksum being calculated by the ISA server disagreeing with the actual checksum received.  I guess this is part of AH.  I have tried the following:
    -Add the AssumeUDPEncapsulationContextOnSendRule = 2 on the ISA server under services\IPSEC and reboot.
    -Add the AssumeUDPEncapsulationContextOnSendRule = 2 on the Windows 7 Laptop under services\PolicyAgent and reboot.
    -Disable the following in the ISA server registry and reboot:
    RSS
    SecurityFilters
    TCPA
    TCPChimney
    -Disable Chimney Offload via Netsh command
    -Disable all Offload options on VMXNET 3 driver advanced settings and rebooting
    -Switching to an E1000 NIC and disabling all offload options and rebooting
    -Upgrading E1000 drivers from base version (2002 driver) to Intel's later version (2008), rebooting and disabling all offload options.
    -Run a Wireshark trace - cannot see anything useful
    -Checked Oakley log  - cannot see anything useful
    I still cannot get the 443 traffic to successfully connect without the FWX_E_BAD_TCP_CHECKSUM_DROPPED error and have run out of google articles.
    I would really appreciate if anyone has any suggestions?
    Many Thanks
    Steven

    Hi,
    Glad to hear that. I'll mark it as answer. Thank you.
    Best Regards,
    Joyce

  • Exchange 2013 2007 co-existence Outlook Anywhere issues

    Sorted out all other issues (apart from a SSO issue- another thread) . Activesync, autodiscover etc all working- but Outlook Anywhere does not work for Exchange 2007 external mailboxes. It does work for 2013 mailboxes internally and externally-
    and 2007 mailboxes internally.
    Exchange 2013 SP1. Exchange 2007 Sp3 RU10. Legacy namespace is in use and on certificate. Outlook Anywhere IIS Authentication is set to Basic and NTLM on both 2007 and 2013 servers.  Outlook Anywhere external client authentication is set to Basic.
    Any suggestions what to look at next?

    Tony,
    I apologize for the stupid question, but was Outlook Anywhere working on Exchange 2007 before you started the upgrade?
    When you open command prompt on Exchange 2007 and ping the Exchange 2007 internal FQDN or NetBIOS name, do you get an IPv4 address or you get the IPv6 one?

  • Configuring Cisco ASA 5520 for Outlook Anywhere - Exchange 2007

    I have enabled and configured our Exchange 2007 for Outlook Anywhere. When I try to get Outlook from home to connect it fails. We have a Cisco ASA 5520 firewall at work, is there something I need to setup on the device? We want to allow users from
    home to connect via their Outlook clients from home. OWA is working from the outside... Help please...

    Hi,
    Make sure that the required ports are allowed over the device. The users can access through port 25/443 etc. and should be opened. Better, to go for a test at www.testconnectivity.microsoft.com

  • Changing Outlook Anywhere from NTLM to Basic Auth (remote users having issues)

    Hello All:
    We have a terrible vendor that is implementing our transition to Office 365. They told us we had to change the Client Auth method on the CAS to Basic (from NTLM) and all that might occur is for users to enter their creds and click "Remember my credentials".
    Not the case.
    We tested internally & on cell phones - everything went unnoticed. Then peeps from the outside started getting prompted for their UN/PW. Even when they put in their valid creds & check the box, no dice. Reboots, checking Outlook client for the proxy
    settings (which are now set to Basic) sometimes does, sometimes doesn't work. We are baffled as to where we force the setting (which they've received in Outlook), so the road warriors start working.
    Any feedback would be greatly appreciated.
    Thanks.

    Hi,
    Please confirm whether the issue only happens to your external Outlook Anywhere users in Exchange 2010.
    Please run the following command to check your Outlook Anywhere configuration:
    Get-OutlookAnywhere | fl
    Confirm that the ClientAuthenticationMethod parameter and IISAuthenticationMethod are both set to Basic. If there are any changes, please run:
    Set-OutlookAnywhere -Identity "E14-01\Rpc (Default Web Site)" -ClientAuthenticationMethod Basic -SSLOffloading $False -ExternalHostName mail.domain.com -IISAuthenticationMethods Basic
    Then restart IIS service by running IISReset from a command prompt window.
    Regards,
    Winnie Liang
    TechNet Community Support

  • Changing Outlook Anywhere internal URL disconnects XP clients

    Good morning,
    I am supposed to change the internal Outlook Anywhere hostname for an Exchange installation:
    recent internal hostname: webmail.contoso.com
    future internal hostname: webmail.contoso.local
    The external hostname for OA is not set, because OA should not be available from external. 
    Now I made a test changing the internal hostname as follows:
    generate a new Exchange certificate with subject name "webmail.contoso.local"
    Set-OutlookAnywhere -InternalHostname webmail.contoso.local -InternalClientsRequireSSL:$True
    Afterwards I made some tests on several clients:
    Windows 7: working fine, it takes some time but Outlook updates its profile to the new internal OA name and connects to the mailbox
    Windows XP: Outlook profile is not updated automatically, if I update it manually, Outlook hangs when starting and still tries to establish 1 connection to the old OA internal hostname
    Does anyone of you have an idea how to solve this? I appreciate your suggestions, thank you very much. :-)
    Sebastian

    Hello,
    Have you updated the host name on the certificate from “webmail.contoso.com” to “webmail.contoso.local”?
    Run “Connection Status” on both Windows 7 and Windows XP and see if they connect to different DC. If so, check the DC replication issue.
    Thanks,
    Simon Wu
    TechNet Community Support

  • Auth Package in Outlook Anywhere AutoDiscover is coming in incorrectly

    Let me describe our situation and environment:
    We have Exchange 2013 running in a 2008r2 level domain and are using Outlook Anywhere / AutoDiscovery to configure non-domain joined clients (this situation will change later, but our current priority is getting the Exchange server running and worrying and
    joining machines to the domain afterwards).  I had tried some configuration changes, which ultimately did not work, and I rolled back those changes.  On the ECP under Servers -> Servers -> My Exchange Server -> Outlook AnyWhere, there is
    a box that lets you choose between NTLM, Basic, and Negotiate authentication.  Exchange 2013 default is negotiate, which was working initially.  After rolling back my changes, however, my clients get repeated password prompts, and their passwords
    are rejected, if I have Outlook Anywhere authentication set to negotiate.  It works fine if I keep it set on NTLM.
    Under Servers -> Virtual Directories -> AutoDiscover (Default Website) -> Authentication, the boxes for Basic Authentication and Integrated Windows Authentication are checked.  These are the default values if I remember correctly.
    Even when I have my Outlook Anywhere authentication set to Negotiate, I have a section of code in the AutoDiscover XML file that Outlook pulls that looks like this:
    <Type>EXPR</Type>
    <Server>exchange.mycompany.com</Server>
    <SSL>On</SSL>
    <AuthPackage>Ntlm</AuthPackage>
    My research tells me that EXPR controls Outlook Anywhere (RPC over HTTP).  The AuthPackage seems to be incorrect here.  It's still giving me NTLM instead of Negotiate.  When I change Outlook Anywhere's authentication back to NTLM, everything
    works (after giving the server about fifteen minutes or so to update).
    What is the problem here?  Why does the autodiscover return the wrong auth package for Outlook Anywhere?  Is there a time delay between changing the authentication for Outlook Anywhere and Exchange updating my Outlook clients so that their settings
    match?  I know that if I go into an Outlook client that is getting prompted for a password after Outlook Anywhere authentication has been changed to Negotiate, I can manually adjust their Exchange Proxy Server settings and get it to work, but I really
    want the AutoDiscover to simply deliver the correct auth package to begin with.
    I don't mind using NTLM authentication; it works.  But I really need to know WHY this is happening and what to do to fix it.  Today, it may not matter, but it may matter in the future as network topology changes, and I will be expected to have
    the answer.
    To further clarify:
    When I run Get-OutlookAnywhere | fl name, *, my internal and external Client Authentication Methods are set to Negotiate, but I still get the entry I showed above in the AutoDiscover XML file that specifies NTLM.

    Outlook ignores the EXPR/EXCH values when connected to Exchange 2013 for autodiscovery, rather it dynamically builds the EXHTTP values based on the AutoD server settings and uses those instead. You should reference those ExHTTP settings when you
    look at the autodiscover results
    I also have the following bit of code in the autodiscover file
    <Type>EXHTTP</Type>
    <Server>mail.mycompany.com</Server>
    <SSL>On</SSL>
    <AuthPackage>Ntlm</AuthPackage>
    This would seem to be the EXHTTP you were referencing.  Again, this value is coming out as NTLM after I change my Outlook Anywhere Authentication method in ECP to Negotiate.  Why?  Is there a delay between changing that setting in ECP and when
    it starts showing up in AutoDiscover queries?  If so, what is that delay and how can I change it or force it to update immediately?  Or is it that the setting in ECP does not change the auto discover setting and it has to be changed elsewhere? 
    If that's the case, what do I change, and where do I change it, to alter what autodiscover puts in for AuthPackage in the above snippet of code?
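The comparison being made by hand in the thread above, as an added PowerShell example that is not part of any post: it reads a saved Autodiscover response, lists the Outlook Anywhere blocks (EXPR and the EXHTTP blocks the reply points to) and flags any whose AuthPackage differs from the method configured on the server. The function names, parameter names and sample XML are constructed for illustration; the host names and Ntlm values are the ones quoted in the posts.

```powershell
# Constructed sample: the EXPR and EXHTTP fragments quoted in the thread,
# wrapped in the Autodiscover response envelope.
$sampleResponse = @'
<?xml version="1.0"?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
  <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
    <Account>
      <AccountType>email</AccountType>
      <Action>settings</Action>
      <Protocol>
        <Type>EXPR</Type>
        <Server>exchange.mycompany.com</Server>
        <SSL>On</SSL>
        <AuthPackage>Ntlm</AuthPackage>
      </Protocol>
      <Protocol>
        <Type>EXHTTP</Type>
        <Server>mail.mycompany.com</Server>
        <SSL>On</SSL>
        <AuthPackage>Ntlm</AuthPackage>
      </Protocol>
      <Protocol>
        <Type>WEB</Type>
        <Internal>
          <Protocol>
            <Type>EXPR</Type>
            <ASUrl>https://mail.mycompany.com/ews/exchange.asmx</ASUrl>
          </Protocol>
        </Internal>
      </Protocol>
    </Account>
  </Response>
</Autodiscover>
'@

# Hypothetical helper: text of a direct child element, or $null if absent.
function Get-ChildText {
    param([System.Xml.XmlNode] $Node, [string] $Name)
    $child = $Node.SelectSingleNode("*[local-name()='$Name']")
    if ($null -ne $child) { $child.InnerText.Trim() } else { $null }
}

# Hypothetical function: one object per Outlook Anywhere block, with findings.
function Test-AutodiscoverAuthPackage {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)] [string] $ResponseXml,
        # Client authentication method configured on the server
        # (what Get-OutlookAnywhere reports).
        [Parameter(Mandatory = $true)]
        [ValidateSet('Basic', 'Ntlm', 'Negotiate')] [string] $ConfiguredAuth
    )

    $doc = New-Object System.Xml.XmlDocument
    $doc.XmlResolver = $null   # never fetch external DTDs or entities
    $doc.LoadXml($ResponseXml)

    # Only Protocol elements directly under Account: the WEB block nests
    # further Protocol elements of its own, which must not be counted.
    # local-name() keeps the query independent of the response namespaces.
    $xpath = "//*[local-name()='Account']/*[local-name()='Protocol']"
    $position = 0
    foreach ($p in $doc.SelectNodes($xpath)) {
        $position++
        $type = Get-ChildText $p 'Type'
        if (@('EXPR', 'EXHTTP') -notcontains $type) { continue }

        $auth = Get-ChildText $p 'AuthPackage'
        $ssl  = Get-ChildText $p 'SSL'
        $findings = @()
        if (-not $auth) {
            $findings += 'no AuthPackage advertised'
        } elseif ($auth -ne $ConfiguredAuth) {   # -ne ignores case: Ntlm = NTLM
            $findings += "advertises $auth, server is configured for $ConfiguredAuth"
        }
        if ($auth -eq 'Basic' -and $ssl -ne 'On') {
            $findings += 'Basic without SSL sends the password in recoverable form'
        }

        [pscustomobject]@{
            Position    = $position   # order of the block in the response
            Type        = $type
            Server      = Get-ChildText $p 'Server'
            SSL         = $ssl
            AuthPackage = $auth
            Findings    = $findings -join '; '
        }
    }
}

# The poster's situation: server set to Negotiate, Autodiscover still says Ntlm.
Test-AutodiscoverAuthPackage -ResponseXml $sampleResponse -ConfiguredAuth Negotiate |
    Format-Table -AutoSize -Wrap
```

Run against the constructed sample, both the EXPR and the EXHTTP block are reported as advertising Ntlm while the server is configured for Negotiate, and the EXPR entry nested under WEB is ignored.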

  • Some Outlook clients getting internal FQDN of newly installed Exchange 2013 CAS server as Outlook Anywhere Proxy address

    Hello Folks,
    I have this problem and it is making me crazy. If anyone has any idea, please shed some light on this:-
    1. Working Outlook 2010 and 2013 clients with webmail.xyz.com as Outlook Anywhere proxy address.
    2. Installed new Exchange 2013 server (server02)with CAS and Mailbox role, Exchange install wizard finished and server is rebooted.
    3. Server came up online started changing internal and external FQDN's of Virtual Directories and Outlook Anywhere to webmail.xyz.com
    4. As soon as FQDNs changed some Outlook clients create support request that Outlook suddenly whites out and after reopening it is giving error  cannot connect to Exchange. Upon checking Clients Exchange Proxy address is set to http://server02.xyz.com,
    even though OA/OWA/ECP/OAB/EWS/Autodiscover/ActiveSync FQDNs point to webmail.xyz.com, on all servers if I create new Outlook profile for same user it picks up correct settings through autodiscover and connects fine, this is happening to about 20% of Outlook
    clients every time I am introducing new Exchange 2013 server in Organization. We have around 2000 users and planning on installing 4 Exchange servers to distribute load and every time changing Outlook profile of close to 150-200 users is not possible.
    Any help is greatly appreciated.
    Thanks
    Cool

    Here are the EXCRA results
    Here IP (x.x.x.x) returned is my Load Balancer IP (Webmail.xyz.com).    
    Connectivity Test Successful with Warnings
    Test Details
         Testing Outlook connectivity.
         The Outlook connectivity test completed successfully.
              Additional Details
         Elapsed Time: 9881 ms.
              Test Steps
              The Microsoft Connectivity Analyzer is attempting to test Autodiscover for [email protected].
         Autodiscover was tested successfully.
              Additional Details
         Elapsed Time: 2063 ms.
              Test Steps
              Attempting each method of contacting the Autodiscover service.
         The Autodiscover service was tested successfully.
              Additional Details
         Elapsed Time: 2063 ms.
              Test Steps
              Attempting to test potential Autodiscover URL https://xyz.com:443/Autodiscover/Autodiscover.xml
         Testing of this potential Autodiscover URL failed.
              Additional Details
         Elapsed Time: 186 ms.
              Test Steps
              Attempting to resolve the host name xyz.com in DNS.
         The host name couldn't be resolved.
           Tell me more about this issue and how to resolve it
              Additional Details
         Host xyz.com couldn't be resolved in DNS InfoNoRecords.
    Elapsed Time: 186 ms.
         Attempting to test potential Autodiscover URL https://autodiscover.xyz.com:443/Autodiscover/Autodiscover.xml
         Testing of the Autodiscover URL was successful.
              Additional Details
         Elapsed Time: 1876 ms.
              Test Steps
              Attempting to resolve the host name autodiscover.xyz.com in DNS.
         The host name resolved successfully.
              Additional Details
         IP addresses returned: x.x.x.x
    Elapsed Time: 338 ms.
         Testing TCP port 443 on host autodiscover.xyz.com to ensure it's listening and open.
         The port was opened successfully.
              Additional Details
         Elapsed Time: 173 ms.
         Testing the SSL certificate to make sure it's valid.
         The certificate passed all validation requirements.
              Additional Details
         Elapsed Time: 318 ms.
              Test Steps
              The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server autodiscover.xyz.com on port 443.
         The Microsoft Connectivity Analyzer successfully obtained the remote SSL certificate.
              Additional Details
         Remote Certificate Subject: CN=webmail.xyz.com, Issuer: CN=VeriSign Class 3 Secure Server CA - G3, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US.
    Elapsed Time: 219 ms.
         Validating the certificate name.
         The certificate name was validated successfully.
              Additional Details
         Host name autodiscover.xyz.com was found in the Certificate Subject Alternative Name entry.
    Elapsed Time: 1 ms.
         Certificate trust is being validated.
         The certificate is trusted and all certificates are present in the chain.
              Test Steps
              The Microsoft Connectivity Analyzer is attempting to build certificate chains for certificate CN=webmail.xyz.com, OU=Terms of use at www.verisign.com/rpa (c)05,.
         One or more certificate chains were constructed successfully.
              Additional Details
         A total of 1 chains were built. The highest quality chain ends in root certificate CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign,
    Inc.", C=US.
    Elapsed Time: 36 ms.
         Analyzing the certificate chains for compatibility problems with versions of Windows.
         Potential compatibility problems were identified with some versions of Windows.
              Additional Details
         The Microsoft Connectivity Analyzer can only validate the certificate chain using the Root Certificate Update functionality from Windows Update. Your certificate may not be trusted on Windows if the "Update Root Certificates" feature
    isn't enabled.
    Elapsed Time: 5 ms.
         Testing the certificate date to confirm the certificate is valid.
         Date validation passed. The certificate hasn't expired.
              Additional Details
         The certificate is valid. NotBefore = 1/3/2013 12:00:00 AM, NotAfter = 11/16/2015 11:59:59 PM
    Elapsed Time: 0 ms.
         Checking the IIS configuration for client certificate authentication.
         Client certificate authentication wasn't detected.
              Additional Details
         Accept/Require Client Certificates isn't configured.
    Elapsed Time: 289 ms.
         Attempting to send an Autodiscover POST request to potential Autodiscover URLs.
         The Microsoft Connectivity Analyzer successfully retrieved Autodiscover settings by sending an Autodiscover POST.
              Additional Details
         Elapsed Time: 756 ms.
              Test Steps
              The Microsoft Connectivity Analyzer is attempting to retrieve an XML Autodiscover response from URL https://autodiscover.xyz.com:443/Autodiscover/Autodiscover.xml for user [email protected].
         The Autodiscover XML response was successfully retrieved.
              Additional Details
         Autodiscover Account Settings
    XML response:
    <?xml version="1.0"?>
    <Autodiscover xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
    <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
    <User>
    <DisplayName>Test Exch1</DisplayName>
    <LegacyDN>/o=DOMAIN/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=add423106fbb47d5bf237462f52b8dab-Test Exch1</LegacyDN>
    <DeploymentId>4ec753c9-60d9-4c05-9451-5b24e2d527a7</DeploymentId>
    </User>
    <Account>
    <AccountType>email</AccountType>
    <Action>settings</Action>
    <Protocol>
    <Type>EXCH</Type>
    <Server>[email protected]</Server>
    <ServerDN>/o=DOMAIN/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/[email protected]</ServerDN>
    <ServerVersion>73C0834F</ServerVersion>
    <MdbDN>/o=DOMAIN/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/[email protected]/cn=Microsoft Private MDB</MdbDN>
    <ASUrl>https://webmail.xyz.com/ews/exchange.asmx</ASUrl>
    <OOFUrl>https://webmail.xyz.com/ews/exchange.asmx</OOFUrl>
    <OABUrl>https://webmail.xyz.com/OAB/6a6a06ad-4717-4636-bd98-0b4fa3aaf4a5/</OABUrl>
    <UMUrl>https://webmail.xyz.com/ews/UM2007Legacy.asmx</UMUrl>
    <Port>0</Port>
    <DirectoryPort>0</DirectoryPort>
    <ReferralPort>0</ReferralPort>
    <PublicFolderServer>webmail.xyz.com</PublicFolderServer>
    <AD>DC-03.domain.xyz.com</AD>
    <EwsUrl>https://webmail.xyz.com/ews/exchange.asmx</EwsUrl>
    <EmwsUrl>https://webmail.xyz.com/ews/exchange.asmx</EmwsUrl>
    <EcpUrl>https://webmail.xyz.com/ecp/</EcpUrl>
    <EcpUrl-um>?rfr=olk&amp;p=customize/voicemail.aspx&amp;exsvurl=1&amp;realm=domain.xyz.com</EcpUrl-um>
    <EcpUrl-aggr>?rfr=olk&amp;p=personalsettings/EmailSubscriptions.slab&amp;exsvurl=1&amp;realm=domain.xyz.com</EcpUrl-aggr>
    <EcpUrl-mt>PersonalSettings/DeliveryReport.aspx?rfr=olk&amp;exsvurl=1&amp;IsOWA=&lt;IsOWA&gt;&amp;MsgID=&lt;MsgID&gt;&amp;Mbx=&lt;Mbx&gt;&amp;realm=domain.xyz.com</EcpUrl-mt>
    <EcpUrl-ret>?rfr=olk&amp;p=organize/retentionpolicytags.slab&amp;exsvurl=1&amp;realm=domain.xyz.com</EcpUrl-ret>
    <EcpUrl-sms>?rfr=olk&amp;p=sms/textmessaging.slab&amp;exsvurl=1&amp;realm=domain.xyz.com</EcpUrl-sms>
    <EcpUrl-photo>PersonalSettings/EditAccount.aspx?rfr=olk&amp;chgPhoto=1&amp;exsvurl=1&amp;realm=domain.xyz.com</EcpUrl-photo>
    <EcpUrl-tm>?rfr=olk&amp;ftr=TeamMailbox&amp;exsvurl=1&amp;realm=domain.xyz.com</EcpUrl-tm>
    <EcpUrl-tmCreating>?rfr=olk&amp;ftr=TeamMailboxCreating&amp;SPUrl=&lt;SPUrl&gt;&amp;Title=&lt;Title&gt;&amp;SPTMAppUrl=&lt;SPTMAppUrl&gt;&amp;exsvurl=1&amp;realm=domain.xyz.com</EcpUrl-tmCreating>
    <EcpUrl-tmEditing>?rfr=olk&amp;ftr=TeamMailboxEditing&amp;Id=&lt;Id&gt;&amp;exsvurl=1&amp;realm=domain.xyz.com</EcpUrl-tmEditing>
    <EcpUrl-extinstall>Extension/InstalledExtensions.slab?rfr=olk&amp;exsvurl=1&amp;realm=domain.xyz.com</EcpUrl-extinstall>
    <ServerExclusiveConnect>off</ServerExclusiveConnect>
    </Protocol>
    <Protocol>
    <Type>EXPR</Type>
    <Server>webmail.xyz.com</Server>
    <ASUrl>https://webmail.xyz.com/ews/exchange.asmx</ASUrl>
    <OOFUrl>https://webmail.xyz.com/ews/exchange.asmx</OOFUrl>
    <OABUrl>https://webmail.xyz.com/OAB/6a6a06ad-4717-4636-bd98-0b4fa3aaf4a5/</OABUrl>
    <UMUrl>https://webmail.xyz.com/ews/UM2007Legacy.asmx</UMUrl>
    <Port>0</Port>
    <DirectoryPort>0</DirectoryPort>
    <ReferralPort>0</ReferralPort>
    <SSL>On</SSL>
    <AuthPackage>Ntlm</AuthPackage>
    <EwsUrl>https://webmail.xyz.com/ews/exchange.asmx</EwsUrl>
    <EmwsUrl>https://webmail.xyz.com/ews/exchange.asmx</EmwsUrl>
    <EcpUrl>https://webmail.xyz.com/ecp/</EcpUrl>
    <EcpUrl-um>?rfr=olk&amp;p=customize/voicemail.aspx&amp;exsvurl=1&amp;realm=domain.xyz.com</EcpUrl-um>
    <EcpUrl-aggr>?rfr=olk&amp;p=personalsettings/EmailSubscriptions.slab&amp;exsvurl=1&amp;realm=domain.xyz.com</EcpUrl-aggr>
    <EcpUrl-mt>PersonalSettings/DeliveryReport.aspx?rfr=olk&amp;exsvurl=1&amp;IsOWA=&lt;IsOWA&gt;&amp;MsgID=&lt;MsgID&gt;&amp;Mbx=&lt;Mbx&gt;&amp;realm=domain.xyz.com</EcpUrl-mt>
    <EcpUrl-ret>?rfr=olk&amp;p=organize/retentionpolicytags.slab&amp;exsvurl=1&amp;realm=domain.xyz.com</EcpUrl-ret>
    <EcpUrl-sms>?rfr=olk&amp;p=sms/textmessaging.slab&amp;exsvurl=1&amp;realm=domain.xyz.com</EcpUrl-sms>
    <EcpUrl-photo>PersonalSettings/EditAccount.aspx?rfr=olk&amp;chgPhoto=1&amp;exsvurl=1&amp;realm=domain.xyz.com</EcpUrl-photo>
    <EcpUrl-tm>?rfr=olk&amp;ftr=TeamMailbox&amp;exsvurl=1&amp;realm=domain.xyz.com</EcpUrl-tm>
    <EcpUrl-tmCreating>?rfr=olk&amp;ftr=TeamMailboxCreating&amp;SPUrl=&lt;SPUrl&gt;&amp;Title=&lt;Title&gt;&amp;SPTMAppUrl=&lt;SPTMAppUrl&gt;&amp;exsvurl=1&amp;realm=domain.xyz.com</EcpUrl-tmCreating>
    <EcpUrl-tmEditing>?rfr=olk&amp;ftr=TeamMailboxEditing&amp;Id=&lt;Id&gt;&amp;exsvurl=1&amp;realm=domain.xyz.com</EcpUrl-tmEditing>
    <EcpUrl-extinstall>Extension/InstalledExtensions.slab?rfr=olk&amp;exsvurl=1&amp;realm=domain.xyz.com</EcpUrl-extinstall>
    <ServerExclusiveConnect>on</ServerExclusiveConnect>
    <EwsPartnerUrl>https://webmail.xyz.com/ews/exchange.asmx</EwsPartnerUrl>
    <GroupingInformation>Default-First-Site-Name</GroupingInformation>
    </Protocol>
    <Protocol>
    <Type>WEB</Type>
    <Port>0</Port>
    <DirectoryPort>0</DirectoryPort>
    <ReferralPort>0</ReferralPort>
    <Internal>
    <OWAUrl AuthenticationMethod="Basic, Fba">https://webmail.xyz.com/owa/</OWAUrl>
    <Protocol>
    <Type>EXCH</Type>
    <ASUrl>https://webmail.xyz.com/ews/exchange.asmx</ASUrl>
    </Protocol>
    </Internal>
    <External>
    <OWAUrl AuthenticationMethod="Fba">https://webmail.xyz.com/owa/</OWAUrl>
    <Protocol>
    <Type>EXPR</Type>
    <ASUrl>https://webmail.xyz.com/ews/exchange.asmx</ASUrl>
    </Protocol>
    </External>
    </Protocol>
    <Protocol>
    <Type>EXHTTP</Type>
    <Server>webmail.xyz.com</Server>
    <ASUrl>https://webmail.xyz.com/ews/exchange.asmx</ASUrl>
    <OOFUrl>https://webmail.xyz.com/ews/exchange.asmx</OOFUrl>
    <OABUrl>https://webmail.xyz.com/OAB/6a6a06ad-4717-4636-bd98-0b4fa3aaf4a5/</OABUrl>
    <UMUrl>https://webmail.xyz.com/ews/UM2007Legacy.asmx</UMUrl>
    <Port>0</Port>
    <DirectoryPort>0</DirectoryPort>
    <ReferralPort>0</ReferralPort>
    <SSL>On</SSL>
    <AuthPackage>Ntlm</AuthPackage>
    <EwsUrl>https://webmail.xyz.com/ews/exchange.asmx</EwsUrl>
    <EmwsUrl>https://webmail.xyz.com/ews/exchange.asmx</EmwsUrl>
    <EcpUrl>https://webmail.xyz.com/ecp/</EcpUrl>
    <EcpUrl-um>?rfr=olk&amp;p=customize/voicemail.aspx&amp;exsvurl=1&amp;realm=domain.xyz.com</EcpUrl-um>
    <EcpUrl-aggr>?rfr=olk&amp;p=personalsettings/EmailSubscriptions.slab&amp;exsvurl=1&amp;realm=domain.xyz.com</EcpUrl-aggr>
    <EcpUrl-mt>PersonalSettings/DeliveryReport.aspx?rfr=olk&amp;exsvurl=1&amp;IsOWA=&lt;IsOWA&gt;&amp;MsgID=&lt;MsgID&gt;&amp;Mbx=&lt;Mbx&gt;&amp;realm=domain.xyz.com</EcpUrl-mt>
    <EcpUrl-ret>?rfr=olk&amp;p=organize/retentionpolicytags.slab&amp;exsvurl=1&amp;realm=domain.xyz.com</EcpUrl-ret>
    <EcpUrl-sms>?rfr=olk&amp;p=sms/textmessaging.slab&amp;exsvurl=1&amp;realm=domain.xyz.com</EcpUrl-sms>
    <EcpUrl-photo>PersonalSettings/EditAccount.aspx?rfr=olk&amp;chgPhoto=1&amp;exsvurl=1&amp;realm=domain.xyz.com</EcpUrl-photo>
    <EcpUrl-tm>?rfr=olk&amp;ftr=TeamMailbox&amp;exsvurl=1&amp;realm=domain.xyz.com</EcpUrl-tm>
    <EcpUrl-tmCreating>?rfr=olk&amp;ftr=TeamMailboxCreating&amp;SPUrl=&lt;SPUrl&gt;&amp;Title=&lt;Title&gt;&amp;SPTMAppUrl=&lt;SPTMAppUrl&gt;&amp;exsvurl=1&amp;realm=domain.xyz.com</EcpUrl-tmCreating>
    <EcpUrl-tmEditing>?rfr=olk&amp;ftr=TeamMailboxEditing&amp;Id=&lt;Id&gt;&amp;exsvurl=1&amp;realm=domain.xyz.com</EcpUrl-tmEditing>
    <EcpUrl-extinstall>Extension/InstalledExtensions.slab?rfr=olk&amp;exsvurl=1&amp;realm=domain.xyz.com</EcpUrl-extinstall>
    <ServerExclusiveConnect>On</ServerExclusiveConnect>
    </Protocol>
    <Protocol>
    <Type>EXHTTP</Type>
    <Server>webmail.xyz.com</Server>
    <ASUrl>https://webmail.xyz.com/ews/exchange.asmx</ASUrl>
    <OOFUrl>https://webmail.xyz.com/ews/exchange.asmx</OOFUrl>
    <OABUrl>https://webmail.xyz.com/OAB/6a6a06ad-4717-4636-bd98-0b4fa3aaf4a5/</OABUrl>
    <UMUrl>https://webmail.xyz.com/ews/UM2007Legacy.asmx</UMUrl>
    <Port>0</Port>
    <DirectoryPort>0</DirectoryPort>
    <ReferralPort>0</ReferralPort>
    <SSL>On</SSL>
    <AuthPackage>Ntlm</AuthPackage>
    <EwsUrl>https://webmail.xyz.com/ews/exchange.asmx</EwsUrl>
    <EmwsUrl>https://webmail.xyz.com/ews/exchange.asmx</EmwsUrl>
    <EcpUrl>https://webmail.xyz.com/ecp/</EcpUrl>
    <EcpUrl-um>?rfr=olk&amp;p=customize/voicemail.aspx&amp;exsvurl=1&amp;realm=domain.xyz.com</EcpUrl-um>
    <EcpUrl-aggr>?rfr=olk&amp;p=personalsettings/EmailSubscriptions.slab&amp;exsvurl=1&amp;realm=domain.xyz.com</EcpUrl-aggr>
    <EcpUrl-mt>PersonalSettings/DeliveryReport.aspx?rfr=olk&amp;exsvurl=1&amp;IsOWA=&lt;IsOWA&gt;&amp;MsgID=&lt;MsgID&gt;&amp;Mbx=&lt;Mbx&gt;&amp;realm=domain.xyz.com</EcpUrl-mt>
    <EcpUrl-ret>?rfr=olk&amp;p=organize/retentionpolicytags.slab&amp;exsvurl=1&amp;realm=domain.xyz.com</EcpUrl-ret>
    <EcpUrl-sms>?rfr=olk&amp;p=sms/textmessaging.slab&amp;exsvurl=1&amp;realm=domain.xyz.com</EcpUrl-sms>
    <EcpUrl-photo>PersonalSettings/EditAccount.aspx?rfr=olk&amp;chgPhoto=1&amp;exsvurl=1&amp;realm=domain.xyz.com</EcpUrl-photo>
    <EcpUrl-tm>?rfr=olk&amp;ftr=TeamMailbox&amp;exsvurl=1&amp;realm=domain.xyz.com</EcpUrl-tm>
    <EcpUrl-tmCreating>?rfr=olk&amp;ftr=TeamMailboxCreating&amp;SPUrl=&lt;SPUrl&gt;&amp;Title=&lt;Title&gt;&amp;SPTMAppUrl=&lt;SPTMAppUrl&gt;&amp;exsvurl=1&amp;realm=domain.xyz.com</EcpUrl-tmCreating>
    <EcpUrl-tmEditing>?rfr=olk&amp;ftr=TeamMailboxEditing&amp;Id=&lt;Id&gt;&amp;exsvurl=1&amp;realm=domain.xyz.com</EcpUrl-tmEditing>
    <EcpUrl-extinstall>Extension/InstalledExtensions.slab?rfr=olk&amp;exsvurl=1&amp;realm=domain.xyz.com</EcpUrl-extinstall>
    <ServerExclusiveConnect>On</ServerExclusiveConnect>
    </Protocol>
    </Account>
    </Response>
    </Autodiscover>
    HTTP Response Headers:
    request-id: 9d325a80-f1fd-4496-ac48-2be6bb782c28
    X-CalculatedBETarget: Server01.domain.xyz.com
    X-DiagInfo: Server01
    X-BEServer: Server01
    Persistent-Auth: true
    X-FEServer: Server01
    Content-Length: 11756
    Cache-Control: private
    Content-Type: text/xml; charset=utf-8
    Date: Mon, 25 Aug 2014 19:12:25 GMT
    Set-Cookie: X-BackEndCookie=S-1-5-21-1293235207-2459173341-1304346827-14544=u56Lnp2ejJqBypqcnsfJx5nSy8ucnNLLnJzP0sfKz8/Sy5nHmsiamZrMyZrLgYHPxtDNy9DNz87L387Gxc7Nxc3J; expires=Thu, 25-Sep-2014 00:12:26 GMT; path=/Autodiscover; secure; HttpOnly
    Server: Microsoft-IIS/8.5
    X-AspNet-Version: 4.0.30319
    X-Powered-By: ASP.NET
    Elapsed Time: 756 ms.
         Autodiscover settings for Outlook connectivity are being validated.
         The Microsoft Connectivity Analyzer validated the Outlook Autodiscover settings.
              Additional Details
         Elapsed Time: 0 ms.
         Testing RPC over HTTP connectivity to server webmail.xyz.com
         RPC over HTTP connectivity was verified successfully.
              Additional Details
         HTTP Response Headers:
    request-id: 835acf95-78b7-40ae-b232-117318d1577e
    Server: Microsoft-IIS/8.5
    WWW-Authenticate: Basic realm="webmail.xyz.com",Negotiate,NTLM
    X-Powered-By: ASP.NET
    X-FEServer: Server01
    Date: Mon, 25 Aug 2014 19:12:26 GMT
    Content-Length: 0
    Elapsed Time: 7817 ms.
              Test Steps
              Attempting to resolve the host name webmail.xyz.com in DNS.
         The host name resolved successfully.
              Additional Details
         IP addresses returned: x.x.x.x
    Elapsed Time: 107 ms.
         Testing TCP port 443 on host webmail.xyz.com to ensure it's listening and open.
         The port was opened successfully.
              Additional Details
         Elapsed Time: 180 ms.
         Testing the SSL certificate to make sure it's valid.
         The certificate passed all validation requirements.
              Additional Details
         Elapsed Time: 303 ms.
              Test Steps
              The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server webmail.xyz.com on port 443.
         The Microsoft Connectivity Analyzer successfully obtained the remote SSL certificate.
              Additional Details
         Remote Certificate Subject: CN=webmail.xyz.com, OU=Terms of use at www.verisign.com/rpa (c)05, Issuer: CN=VeriSign Class 3 Secure Server CA - G3, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign,
    Inc.", C=US.
    Elapsed Time: 224 ms.
         Validating the certificate name.
         The certificate name was validated successfully.
              Additional Details
         Host name webmail.xyz.com was found in the Certificate Subject Common name.
    Elapsed Time: 0 ms.
         Certificate trust is being validated.
         The certificate is trusted and all certificates are present in the chain.
              Test Steps
              The Microsoft Connectivity Analyzer is attempting to build certificate chains for certificate CN=webmail.xyz.com, OU=Terms of use at www.verisign.com/rpa (c)05,
         One or more certificate chains were constructed successfully.
              Additional Details
         A total of 1 chains were built. The highest quality chain ends in root certificate CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign,
    Inc.", C=US.
    Elapsed Time: 34 ms.
         Analyzing the certificate chains for compatibility problems with versions of Windows.
         Potential compatibility problems were identified with some versions of Windows.
              Additional Details
         The Microsoft Connectivity Analyzer can only validate the certificate chain using the Root Certificate Update functionality from Windows Update. Your certificate may not be trusted on Windows if the "Update Root Certificates" feature
    isn't enabled.
    Elapsed Time: 5 ms.
         Testing the certificate date to confirm the certificate is valid.
         Date validation passed. The certificate hasn't expired.
              Additional Details
         The certificate is valid. NotBefore = 1/3/2013 12:00:00 AM, NotAfter = 11/16/2015 11:59:59 PM
    Elapsed Time: 0 ms.
         Checking the IIS configuration for client certificate authentication.
         Client certificate authentication wasn't detected.
              Additional Details
         Accept/Require Client Certificates isn't configured.
    Elapsed Time: 298 ms.
         Testing HTTP Authentication Methods for URL https://webmail.xyz.com/rpc/[email protected]:6002.
         The HTTP authentication methods are correct.
              Additional Details
         The Microsoft Connectivity Analyzer found all expected authentication methods and no disallowed methods. Methods found: Basic, Negotiate, NTLM
         HTTP Response Headers:
    request-id: 835acf95-78b7-40ae-b232-117318d1577e
    Server: Microsoft-IIS/8.5
    WWW-Authenticate: Basic realm="webmail.xyz.com",Negotiate,NTLM
    X-Powered-By: ASP.NET
    X-FEServer: Server01
    Date: Mon, 25 Aug 2014 19:12:26 GMT
    Content-Length: 0
    Elapsed Time: 296 ms.
         Attempting to ping RPC proxy webmail.xyz.com.
         RPC Proxy was pinged successfully.
              Additional Details
         Elapsed Time: 454 ms.
         Attempting to ping the MAPI Mail Store endpoint with identity: [email protected]:6001.
         The endpoint was pinged successfully.
              Additional Details
         The endpoint responded in 0 ms.
    Elapsed Time: 1007 ms.
         Testing the MAPI Address Book endpoint on the Exchange server.
         The address book endpoint was tested successfully.
              Additional Details
         Elapsed Time: 2177 ms.
              Test Steps
              Attempting to ping the MAPI Address Book endpoint with identity: [email protected]:6004.
         The endpoint was pinged successfully.
              Additional Details
         The endpoint responded in 906 ms.
    Elapsed Time: 918 ms.
         Testing the address book "Check Name" operation for user [email protected] against server [email protected].
         The test passed with some warnings encountered. Please expand the additional details.
           Tell me more about this issue and how to resolve it
              Additional Details
         The address book Bind operation returned ecNotSupported. This typically indicates that your server requires encryption. The Microsoft Connectivity Analyzer will attempt the Address Book test again with encryption.
    NSPI Status: 2147746050
    Elapsed Time: 825 ms.
         Testing the address book "Check Name" operation for user [email protected] against server [email protected].
         Check Name succeeded.
              Additional Details
         DisplayName: Test Exch1, LegDN: /o=DOMAIN/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=add423106fbb47d5bf237462f52b8dab-Test Exch1
    Elapsed Time: 433 ms.
         Testing the MAPI Referral service on the Exchange Server.
         The Referral service was tested successfully.
              Additional Details
         Elapsed Time: 1808 ms.
              Test Steps
              Attempting to ping the MAPI Referral Service endpoint with identity: [email protected]:6002.
         The endpoint was pinged successfully.
              Additional Details
         The endpoint responded in 953 ms.
    Elapsed Time: 949 ms.
         Attempting to perform referral for user /o=DOMAIN/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=add423106fbb47d5bf237462f52b8dab-Test Exch1 on server [email protected].
         We got the address book server successfully.
              Additional Details
         The server returned by the Referral service: [email protected]
    Elapsed Time: 858 ms.
         Testing the MAPI Address Book endpoint on the Exchange server.
         The address book endpoint was tested successfully.
              Additional Details
         Elapsed Time: 626 ms.
              Test Steps
              Attempting to ping the MAPI Address Book endpoint with identity: [email protected]:6004.
         The endpoint was pinged successfully.
              Additional Details
         The endpoint responded in 156 ms.
    Elapsed Time: 154 ms.
         Testing the address book "Check Name" operation for user [email protected] against server [email protected].
         Check Name succeeded.
              Additional Details
         DisplayName: Test Exch1, LegDN: /o=DOMAIN/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=add423106fbb47d5bf237462f52b8dab-Test Exch1
    Elapsed Time: 472 ms.
         Testing the MAPI Mail Store endpoint on the Exchange server.
         We successfully tested the Mail Store endpoint.
              Additional Details
         Elapsed Time: 555 ms.
              Test Steps
              Attempting to ping the MAPI Mail Store endpoint with identity: [email protected]:6001.
         The endpoint was pinged successfully.
              Additional Details
         The endpoint responded in 234 ms.
    Elapsed Time: 228 ms.
         Attempting to log on to the Mailbox.
         We were able to log on to the Mailbox.
              Additional Details
         Elapsed Time: 326 ms.
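
Added example (not part of the thread and not Microsoft's tooling): a Python check that reads a saved Autodiscover response plus the `WWW-Authenticate` value from the `/rpc` endpoint, and reports whether the `AuthPackage` handed out in each EXPR/EXHTTP block is offered by the endpoint and matches the method the administrator expected. The XML and header are constructed samples shaped like the output above; all function names and finding labels are this example's own.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample, trimmed to the elements that matter; host names follow the thread.
SAMPLE_AUTODISCOVER = """
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
 <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
  <Account>
   <Protocol><Type>EXCH</Type><Server>mailbox-guid@xyz.com</Server></Protocol>
   <Protocol><Type>EXPR</Type><Server>webmail.xyz.com</Server>
    <SSL>On</SSL><AuthPackage>Ntlm</AuthPackage></Protocol>
   <Protocol><Type>WEB</Type>
    <External><OWAUrl AuthenticationMethod="Fba">https://webmail.xyz.com/owa/</OWAUrl>
     <Protocol><Type>EXPR</Type></Protocol></External></Protocol>
   <Protocol><Type>EXHTTP</Type><Server>webmail.xyz.com</Server>
    <SSL>On</SSL><AuthPackage>Ntlm</AuthPackage></Protocol>
   <Protocol><Type>EXHTTP</Type><Server>webmail.xyz.com</Server>
    <SSL>On</SSL><AuthPackage>Ntlm</AuthPackage></Protocol>
  </Account>
 </Response>
</Autodiscover>"""

# Constructed sample: the challenge header as it appears in the analyzer output.
SAMPLE_RPC_CHALLENGE = 'Basic realm="webmail.xyz.com",Negotiate,NTLM'


def _local(tag):
    """Drop the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    """Text of the first direct child called `name`, or None."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def proxy_settings(xml_text):
    """Return the HTTP proxy provider blocks (EXPR, EXHTTP) in document order."""
    root = ET.fromstring(xml_text)
    account = next((e for e in root.iter() if _local(e.tag) == "Account"), None)
    if account is None:
        raise ValueError("no <Account> element: not an Outlook Autodiscover response")
    blocks = []
    # Direct children only: the <Protocol> stubs nested under WEB/Internal or
    # WEB/External carry no AuthPackage and are not proxy settings.
    for proto in account:
        if _local(proto.tag) != "Protocol":
            continue
        ptype = _child_text(proto, "Type")
        if ptype in ("EXPR", "EXHTTP"):
            blocks.append({
                "type": ptype,
                "server": _child_text(proto, "Server"),
                "ssl": (_child_text(proto, "SSL") or "").lower() == "on",
                "auth": _child_text(proto, "AuthPackage"),
            })
    return blocks


def offered_schemes(www_authenticate):
    """Scheme names from a WWW-Authenticate value, lower-cased."""
    # Blank out quoted strings so commas inside them are not treated as separators.
    unquoted = re.sub(r'"[^"]*"', '""', www_authenticate)
    schemes = set()
    for part in unquoted.split(","):
        words = part.split()
        # A part that starts with key=value is an auth-param, not a new scheme.
        if words and "=" not in words[0]:
            schemes.add(words[0].lower())
    return schemes


def review(xml_text, www_authenticate, expected_method):
    """List (block, finding) pairs; an empty list means nothing to report."""
    offered = offered_schemes(www_authenticate)
    findings = []
    for n, b in enumerate(proxy_settings(xml_text), start=1):
        label = f"{b['type']}#{n} {b['server']}"
        auth = (b["auth"] or "").lower()
        if not auth:
            findings.append((label, "no-authpackage"))
            continue
        if auth not in offered:
            findings.append((label, "not-offered"))          # client told to use a method IIS will refuse
        if auth != expected_method.lower():
            findings.append((label, "differs-from-expected"))  # the symptom described in the thread
        if auth == "basic" and not b["ssl"]:
            findings.append((label, "basic-without-ssl"))     # reusable credentials without TLS
    return findings


if __name__ == "__main__":
    for label, finding in review(SAMPLE_AUTODISCOVER, SAMPLE_RPC_CHALLENGE, "Basic"):
        print(f"{label}: {finding}")
```

Run it against the response captured from the same network position as the affected clients, since Autodiscover answers are what Outlook applies on each start.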

  • Outlook Anywhere: internal working, external not

    Hi,
    I posted a similar question relating to home users and authentication
    here, but this question is different.
    I am in co-existence with Ex2010 and about to start moving mailboxes onto Ex2013. I already have a few test mailboxes on Ex2013. I am running through a final check list of items to test but before I point my internal and external DNS to Ex2013 I am simulating
    this from a laptop by changing the hosts file. Everything is working fine with the exception of users outside my network who use Outlook Anywhere.
    This is what I know...
    Internally Outlook works fine for mailboxes on both Ex2010 and Ex2013, as does access to public folders, etc
    If I create a new mail profile for a mailbox user already on Ex2013, Outlook connects fine.
    If I create a new mail profile for a mailbox user on Ex2010, autodiscover works and fills in the fields, but Outlook cannot logon. I get "The action cannot be completed. The connection to Microsoft Exchange is unavailable. Outlook must be online or
    connected to complete this action."
    If I edit my hosts file and point back to Ex2010 CAS then the mail profile will be created successfully and Outlook opens. Changing the hosts file back again breaks Outlook. 
    Here are my settings:
    Ex2010
    ExternalHostname: webmail.company.co.uk
    InternalHostname: {empty}
    ExternalClientAuthenticationMethod: Ntlm
    InternalClientAuthenticationMethod: Ntlm
    IISAuthenticationMethods: {Basic, Ntlm}
    ExternalClientsRequireSSL: True
    InternalClientsRequireSSL: False
    Ex2013
    ExternalHostname: webmail.company.co.uk
    InternalHostname: webmail.company.co.uk
    ExternalClientAuthenticationMethod: Ntlm
    InternalClientAuthenticationMethod: Ntlm
    IISAuthenticationMethods: {Basic, Ntlm, Negotiate}
    ExternalClientsRequireSSL: True
    InternalClientsRequireSSL: True
    Get-OutlookProvider
    EXCH: CertPrincipalName: msstd:webmail.company.co.uk
    EXPR: CertPrincipalName: msstd:webmail.company.co.uk
    In IIS...
    Ex2010
    RPC (Default Web Site) - Authentication
    Basic Authentication = enabled
    Windows Authentication = enabled
    Authentication Providers order:
    1. NTLM
    2. Negotiate
    Ex2013
    RPC (Default Web Site) - Authentication
    Basic Authentication = enabled
    Windows Authentication = enabled
    Authentication Providers order:
    1. Negotiate
    2. NTLM
    So, Ex2013 appears to not be proxying connections to Ex2010 mailboxes when outside my network. As mentioned, internally this setup works fine. And connecting to mailboxes on Ex2013 (so no proxying) also works fine.
    Some settings, such as Ex2010 InternalHostname and the order of authentication providers in IIS are different between the two servers. Would this make a difference?
    Q. Should I have an explicit entry in 'InternalHostName' on Ex2010?
    Q. On Ex2013 I have tried putting NTLM above Negotiate, which did not make a difference, and also reverted back automatically after a few minutes.
    Many thanks for any comments and suggestions

    Hi Off2work,
    My setup is fairly simple. A single all-in-one Ex2010 server and single all-in-one Ex2013 server.
    I am using a Sonicwall NSA 3500. Setup with NAT rules for port 443 to Ex2010 server. Not using reverse proxy or TMG.
    99% of mailboxes are still on Ex2010.
    Internal DNS (for webmail.company.co.uk) points to internal IP of Ex2010
    External DNS (for webmail.company.co.uk) points to external IP on Sonicwall.
    It's worth mentioning that internal Outlook users are currently using RPC, not Outlook Anywhere (RPC over HTTP). I'm yet to turn this on. It does work however as I have tested it.
    External users (non-domain) are obviously using RPC over HTTP from Outlook Anywhere.
    What I am doing is 'simulating' pointing webmail.company.co.uk to Ex2013. I have a laptop I am testing this from. I can simulate this on the LAN by editing the hosts file. Users with mailboxes on Ex2010 can create Outlook profiles and access their mailboxes.
    Same for users on Ex2013 - it works fine. 
    To simulate this from outside the LAN I have the laptop connect from a known external IP and I setup a custom NAT rule to forward to Ex2013. From 'outside', users with mailboxes on Ex2013 can create a profile fine. Users with mailboxes on Ex2010 cannot.
    The autodiscover part works and fills in the fields, but Outlook cannot log on to the mailbox. I get the message shown in my very first post.
    From my untrained point of view, this appears to be an authentication issue when the Ex2013 server is proxying to the Ex2010 server.
    To answer your other questions, I never setup a CAS Array in 2010 as I only had 1 server. I now read this would have been advised. Still the output for your command returns (from Ex2010)
    DB1 Ex2010.company.local
    DB2 Ex2010.company.local
    etc
    etc
    As mentioned, current internal Outlook users are using RPC so connect to this address. When I enable RPC over HTTP they will connect to webmail.company.co.uk
    One question, in Ex2013, in IIS, for Windows Authentication > Providers, I have Negotiate above NTLM. How do I switch this around so it matches Ex2010? I can do it manually, but it keeps reverting back.
    Thanks very much.

  • Outlook Anywhere proxy changed from Basic to NTLM for external users

    I have an Exchange 2013 environment that is also running Exchange 2010 coexistence (migrating). What is happening is autodiscover is handing out NTLM for the proxy settings and not basic. However when it is using NTLM we seem to get the password prompt over
    and over. If I manually changed it to Basic then it works fine, but when autodiscover goes again it changes back to NTLM and prompts that the Administrator made a change and you need to restart Outlook.
    I checked Outlook Anywhere and all my servers have Basic set for external users and NTLM set for internal.
    I only have a few mailboxes on 2013 and 2010 mailboxes seem not to have a problem.
    Here is an output for Outlook Anywhere on all six servers:
    Identity                           : CAS01\Rpc (Default Web Site)
    ExchangeVersion                    : 0.10 (14.0.100.0)
    ExternalClientAuthenticationMethod : Basic
    InternalClientAuthenticationMethod : Ntlm
    IISAuthenticationMethods           : {Basic, Ntlm}
    Identity                           : CAS02\Rpc (Default Web Site)
    ExchangeVersion                    : 0.10 (14.0.100.0)
    ExternalClientAuthenticationMethod : Basic
    InternalClientAuthenticationMethod : Ntlm
    IISAuthenticationMethods           : {Basic, Ntlm}
    Identity                           : CAS03\Rpc (Default Web Site)
    ExchangeVersion                    : 0.10 (14.0.100.0)
    ExternalClientAuthenticationMethod : Basic
    InternalClientAuthenticationMethod : Ntlm
    IISAuthenticationMethods           : {Basic, Ntlm}
    Identity                           : EXCH2K13-01\Rpc (Default Web Site)
    ExchangeVersion                    : 0.20 (15.0.0.0)
    ExternalClientAuthenticationMethod : Basic
    InternalClientAuthenticationMethod : Ntlm
    IISAuthenticationMethods           : {Basic, Ntlm, Negotiate}
    Identity                           : EXCH2K13-02\Rpc (Default Web Site)
    ExchangeVersion                    : 0.20 (15.0.0.0)
    ExternalClientAuthenticationMethod : Basic
    InternalClientAuthenticationMethod : Ntlm
    IISAuthenticationMethods           : {Basic, Ntlm, Negotiate}
    Identity                           : EXCH2K13-03\Rpc (Default Web Site)
    ExchangeVersion                    : 0.20 (15.0.0.0)
    ExternalClientAuthenticationMethod : Basic
    InternalClientAuthenticationMethod : Ntlm
    IISAuthenticationMethods           : {Basic, Ntlm, Negotiate}

    Hi,
    Please refer to the following KB to set the Outlook Anywhere settings on Exchange Server 2013 Client Access servers:
    http://support.microsoft.com/en-us/kb/2834139
    If it doesn’t work with the resolution above, please do the following checking in ADSI Edit:
    1. In Adsiedit, expand Configuration -> CN=Services -> CN=Microsoft Exchange -> CN=domain -> CN=Administrative Groups -> CN=Exchange Administrative Group -> CN=Databases.
    2. Right-click the listed database > Properties.
    3. Check whether the msExchHomePublicMDB value is set to an available value. Please change the value to <not set>.
    4. Click OK.
    Then check whether the issue persists.
    Regards,
    Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected]
    Winnie Liang
    TechNet Community Support

  • Change Outlook Anywhere Authentication

    Hello experts,
    We have an Exchange 2010 environment and all clients are connecting using Outlook Anywhere. By All I mean all clients inside the network, outside the network, domain joined, so all.
    Following is the Authentication settings on Outlook Anywhere.
    ClientAuthenticationMethod      : Basic
    IISAuthenticationMethods        : {Basic}
    I want to change all users to use NTLM, so no more password prompts. I want to reduce the impact because we have more than 10k clients. Based on my understanding, I am planning below approach. Any suggestion will be appreciated.
    1. Change the IISAuthenticationMethods to have both Basic & NTLM using set-outlookanywhere command. This will allow clients to use both Basic & NTLM and we can do tests from all locations if it's working without any issue.
    2. Change the ClientAuthenticationMethod to NTLM, so Autodiscover will update all existing and new clients to use NTLM.
    3. Modify any GPO if in place to change the Outlook authentication to NTLM.
    Anything else which need to be taken care of. Many thanks for any suggestions in advance.
    -V

    Hi,
    To make Outlook client use NTLM authentication, I recommend you use the command set-outlookanywhere to change the authentication method. Because the Outlook Anywhere configuration in the Outlook client side will be updated by Autodiscover service every time
    we open Outlook.
    And we can run the following command:
    Get-OutlookAnywhere | Set-OutlookAnywhere -IISAuthenticationMethods Basic,Ntlm -ClientAuthenticationMethod Ntlm
    Best regards,
    Angela Shi
    TechNet Community Support

  • How to put a page break when a value changes

    Hi there, I am very new to BI Publisher. I realize this is a really SIMPLE question, but I can't seem to find a CLEAR answer.
    I have a set of data that I have a repeating group for in my RTF template and it works great. But I want to have a page break each time one of the values changes and I cannot figure out how.
    here is the xml
    <?xml version="1.0" encoding="UTF-8" ?>
    <!-- Generated by Oracle Reports version 6.0.8.28.0 -->
    <PIR05>
    <LIST_G_ITEM_NO>
    <G_ITEM_NO>
    <PAGE_NO>0</PAGE_NO>
    <ITEM_NO>4242301</ITEM_NO>
    <ITEM_DESC1>13MM Aries Cell Assembly</ITEM_DESC1>
    <LOT_NO>123</LOT_NO>
    <LOT_DESC>4242301</LOT_DESC>
    <SUBLOT_NO />
    <LOCATION>2IRE</LOCATION>
    <GRADE_CODE>NONE</GRADE_CODE>
    <ITEM_UM>Each</ITEM_UM>
    <ITEM_UM2 />
    <LINE_NO>614</LINE_NO>
    <COUNT_NO>614</COUNT_NO>
    <P_ITEMUM2LABEL />
    <P_ITEMUM2DASH />
    <F_ITEMUM2>1</F_ITEMUM2>
    <P_CSITEMUM2_LABEL />
    <P_CSITEMUM2_DASH />
    </G_ITEM_NO>
    <G_ITEM_NO>
    <PAGE_NO>0</PAGE_NO>
    <ITEM_NO>4242301</ITEM_NO>
    <ITEM_DESC1>13MM Aries Cell Assembly</ITEM_DESC1>
    <LOT_NO>1232</LOT_NO>
    <LOT_DESC>4242301</LOT_DESC>
    <SUBLOT_NO />
    <LOCATION>2IRE</LOCATION>
    <GRADE_CODE>NONE</GRADE_CODE>
    <ITEM_UM>Each</ITEM_UM>
    <ITEM_UM2 />
    <LINE_NO>615</LINE_NO>
    <COUNT_NO>615</COUNT_NO>
    <P_ITEMUM2LABEL />
    <P_ITEMUM2DASH />
    <F_ITEMUM2>1</F_ITEMUM2>
    <P_CSITEMUM2_LABEL />
    <P_CSITEMUM2_DASH />
    </G_ITEM_NO>
    <G_ITEM_NO>
    <PAGE_NO>0</PAGE_NO>
    <ITEM_NO>4242301</ITEM_NO>
    <ITEM_DESC1>13MM Aries Cell Assembly</ITEM_DESC1>
    <LOT_NO>562354</LOT_NO>
    <LOT_DESC>4242301</LOT_DESC>
    <SUBLOT_NO />
    <LOCATION>WOR RECV</LOCATION>
    <GRADE_CODE>NONE</GRADE_CODE>
    <ITEM_UM>Each</ITEM_UM>
    <ITEM_UM2 />
    <LINE_NO>603</LINE_NO>
    <COUNT_NO>603</COUNT_NO>
    <P_ITEMUM2LABEL />
    <P_ITEMUM2DASH />
    <F_ITEMUM2>1</F_ITEMUM2>
    <P_CSITEMUM2_LABEL />
    <P_CSITEMUM2_DASH />
    </G_ITEM_NO>
    </LIST_G_ITEM_NO>
    <WHSE_DESC>OPM INVENTORY ORG</WHSE_DESC>
    <CS_NODATA>617</CS_NODATA>
    <CYCLE_NO>000000014</CYCLE_NO>
    </PIR05>
    I want the g_item_no (repeating group) to have a page break each time LOCATION changes.

    You can declare two variables, to hold the previous and current LOCATION values and break the page when it differs.
    Or just before your end-for-each, have this code.
    <?if:position()!=1 and position()!=last() and LOCATION!=following::LOCATION[1]?><xsl:attribute name="break-before">page</xsl:attribute><?end if?>
    Ensure that it's placed in a form field.
    This will have a page break when LOCATION changes.

  • TS3999 In the last week when changing text notes in outlook appointments or all day events, the changes appear on my pc screen, iphone & ipad but when I print the changes are not there, the old text prints that has been deleted

    In the last week when changing text notes in Outlook appointments or all day events, the changes appear on my PC, iPhone & iPad, but when I print my calendar they do not print.  I get the old text or deleted text from the printer copy of my calendar.  What is going on?

    Thanks Sig. The information is here: Anything useful stand out?
    Battery Information:
      Model Information:
      Serial Number:    9G1130CJVD3MA
      Manufacturer:    DP
      Device Name:    bq20z451
      Pack Lot Code:    0000
      PCB Lot Code:    0000
      Firmware Version:    0201
      Hardware Revision:    0002
      Cell Revision:    0158
      Charge Information:
      Charge Remaining (mAh):    5663
      Fully Charged:    Yes
      Charging:    No
      Full Charge Capacity (mAh):    5663
      Health Information:
      Cycle Count:    59
      Condition:    Normal
      Battery Installed:    Yes
      Amperage (mA):    261
      Voltage (mV):    12574
    System Power Settings:
      AC Power:
      System Sleep Timer (Minutes):    10
      Disk Sleep Timer (Minutes):    10
      Display Sleep Timer (Minutes):    10
      Wake on AC Change:    No
      Wake on Clamshell Open:    Yes
      Wake on LAN:    Yes
      Current Power Source:    Yes
      Display Sleep Uses Dim:    Yes
      Battery Power:
      System Sleep Timer (Minutes):    10
      Disk Sleep Timer (Minutes):    10
      Display Sleep Timer (Minutes):    2
      Wake on AC Change:    No
      Wake on Clamshell Open:    Yes
      Display Sleep Uses Dim:    Yes
      Reduce Brightness:    Yes
    Hardware Configuration:
      UPS Installed:    No
    AC Charger Information:
      Connected:    Yes
      ID:    0x0100
      Wattage (W):    60
      Revision:    0x0000
      Family:    0x00ba
      Serial Number:    0x00262704
      Charging:    No
