Outlook anywhere now showing disconnected

I have multiple remote users that are not domain members. They connect via Outlook Anywhere on either Outlook 2007 or 2010. All of a sudden they can no longer connect to Exchange. I was able to fix the problem by recreating their Outlook profile, but after a couple hours their connections all reverted back to a disconnected state. When I close Outlook and open it again I am prompted for username and password. No matter what I enter (even a bad password) the box goes away when I press OK and Outlook says disconnected.
When I go to testconnectivity.Microsoft.com everything passes.  Also, when I hold ctrl and right click on the Outlook system tray icon and go to connection status, the box is completely empty.
Any help would be very appreciated.  Thanks.

Hi,
Have you added the cert to their trusted local store on the client?
The clients using Outlook Anywhere have to trust the certificate issued by the internal CA.
If you have external clients, it's highly recommended to use a 3rd party certificate authority to avoid issues.
If the client machine does not trust the certificate that is being presented it will fail to connect.
So if you are using self signed or self issued certificates you will need to deploy them to each client machine.
Hope this helps!
Thanks.
Niko Cheng
TechNet Community Support

Similar Messages

  • Changing Outlook Anywhere internal URL disconnects XP clients

    Good morning,
    I am supposed to change the internal Outlook Anywhere hostname for an Exchange installation:
    recent internal hostname: webmail.contoso.com
    future internal hostname: webmail.contoso.local
    The external hostname for OA is not set, because OA should not be available from external. 
    Now I made a test changing the internal hostname as follows:
    generate a new Exchange certificate with subject name "webmail.contoso.local"
    Set-OutlookAnywhere -InternalHostname webmail.contoso.local -InternalClientsRequireSSL:$True
    Afterwards I made some tests on several clients:
    Windows 7: working fine, it takes some time but Outlook updates its profile to the new internal OA name and connects to the mailbox
    Windows XP: Outlook profile is not updated automatically, if I update it manually, Outlook hangs when starting and still tries to establish 1 connection to the old OA internal hostname
    Does anyone of you have an idea how to solve this? I appreciate your suggestions, thank you very much. :-)
    Sebastian

    Hello,
    Have you updated the host name on the certificate from “webmail.contoso.com” to “webmail.contoso.local”?
    Run “Connection Status” on both Windows 7 and Windows XP and see if they connect to different DC. If so, check the DC replication issue.
    Thanks,
    Simon Wu
    TechNet Community Support

  • Outlook and OWA shows disconnected intermittently while on corporate wi-fi

    Hello All,
    We have Exchange 2013 Std on-premises with Service Pack 1. When users connect from LAN and Datacard they are able to connect to Outlook and access OWA, and when from the office Wi-Fi network Outlook shows disconnected and they are not able to access OWA as well, but internet works fine. This issue is happening intermittently with office Wi-Fi.
    Regards,
    Aayan

    Hi Aayan,
    From your description, when users connect from LAN and Datacard they are able to access Outlook and OWA, then there is nothing wrong with Exchange server side. In your case, this disconnected issue only occurs when you use wifi network, I recommend you check
    your network when using wifi.
    Hope this can be helpful to you.
    Best regards,
    Amy Wang
    TechNet Community Support

  • Outlook Anywhere does not show http in test email auto-config under protocol

    Hi,
    It seems simple to configure/enable Outlook Anywhere, but I am unable to get it to work in my environment.
    Background
    1. Add feature for RPC over http
    2. Enable Outlook Anywhere for all CAS
    3. Properties CAS -> Outlook Anywhere -> mail.abc.com (External host name) with NTLM authentication
    4. Set-OutlookProvider EXPR -CertPrincipalName msstd:mail.abc.com
    5. Configure Outlook client -> Connection tab -> Outlook Anywhere -> Select "Connect to Microsoft Exchange using HTTP"
    6. Under Exchange Proxy Settings 
    -> Connection settings https://mail.abc.com
    -> Select "Connect using SSL only" and "Only connect to proxy servers that have this principal name in their cert" with msstd:mail.abc.com
    7. Select both "On fast network" and "On slow network"
    8. Under Proxy authentication settings -> NTLM Authentication
    Is there anything I am missing? How do I test internally?
    P/S: I am having E2010 SP3 RU2 with Outlook 2010
    Please advise.  Thanks.
    Kelvin Teang

    The root cause is MAPIBlockOutlookRpcHttp = True
    It was working fine after I executed
    Get-Mailbox -Identity "username" | Set-CASMailbox -MAPIBlockOutlookRpcHttp:$False
    Kelvin Teang

  • Autodiscover and Outlook Anywhere return http status 401

    Hi, I'm having issues with Autodiscovery (externally) and Outlook Anywhere for some users on our Exchange 2010 (SP3, RU2) setup. Just for information, we have Exchange servers at two AD sites (same forest / domain) with each site having 2 combined client
    access / hub transport servers and 3 mailbox servers (with 2 stretched DAG's across both sites). Site A is internet facing, but site B isn't.
    Autodiscovery
    Internally, it's working fine (using the Test E-mail AutoConfiguration option within Outlook 2010). But externally (using the Microsoft TestConnectivity site), autodiscovery fails, returning the following:
    Attempting to send an Autodiscover POST request to potential Autodiscover URLs.
    Autodiscover settings weren't obtained when the Autodiscover POST request was sent.
    +Additional Details
       Elapsed Time: 1783 ms.
       + Test Steps
     The Microsoft Connectivity Analyzer is attempting to retrieve an XML Autodiscover response from URL   https://autodiscover.company.com/AutoDiscover/AutoDiscover.xml
    for user [email protected].
     The Microsoft Connectivity Analyzer failed to obtain an Autodiscover XML response.
      +Additional Details
      An HTTP 401 Unauthorized response was received from the remote Unknown server. This is usually the result of an incorrect username or password. If you    are attempting to log onto an Office 365 service, ensure you are using your
    full User Principal Name (UPN).
      Headers received:
      Content-Type: text/html
      Server: Microsoft-IIS/7.5
      WWW-Authenticate: Negotiate,NTLM,Basic realm="autodiscover.company.com"
    The odd thing is, if I browse to the autodiscover file location (externally), then I'm prompted for credentials. When I enter the same credentials that I input into the Microsoft connectivity analyser, I do actually get the correct https status 600 response.
    Also, within EMS, when I run "Test-OutlookWebServices" on Client Access servers in site B, I see the following results...
    RunspaceId : 5c80ec49-f6f8-4f7a-ae63-4ed61a3c966e
    Id         : 1104
    Type       : Error
    Message    : The certificate for the URL https://ExchServer.domain.local/autodiscover/autodiscover.xml is incorrect. For SSL to work, the certificate needs to have a subject of ExchServer.domain.local, but the subject that was found is webmail.Company.com. Consider correcting service discovery, or installing a correct SSL certificate.
    RunspaceId : 5c80ec49-f6f8-4f7a-ae63-4ed61a3c966e
    Id         : 1113
    Type       : Error
    Message    : When contacting https://ExchServer.domain.local:443/autodiscover/autodiscover.xml received the error The remote server returned an error: (500) Internal Server Error.
    RunspaceId : 5c80ec49-f6f8-4f7a-ae63-4ed61a3c966e
    Id         : 1123
    Type       : Error
    Message    : The Autodiscover service couldn't be contacted.
    However - I can't see where Exchange has pulled the "...domain.local" address from for Autodiscovery. Get-AutodiscoverVirtualDirectory and Get-ClientAccessServer both report the correct URLs/URIs with the FQDN of Company.Com (which are on the GoDaddy certificate we use both internally and externally).
    Outlook Anywhere
    Whether my issues with Outlook Anywhere are related to Autodiscover, I'm not sure. Users whose mailbox is located at Site A (internet facing) are fine, and Outlook Anywhere works great. But users whose mailbox is at Site B can't use Outlook Anywhere (starting Outlook in RPCDiag mode shows that it tries to connect, and sometimes establishes a connection for a couple of seconds, then disconnects completely).
    Running "Test-OutlookConnectivity -Protocol:http" on a Client Access server at Site B, passes all but the last scenario (Mailbox::Logon), which throws up the following error:
    RunspaceId                  : 5c80ec49-f6f8-4f7a-ae63-4ed61a3c966e
    ServiceEndpoint             : ExchServer.domain.local
    Id                          : MailboxLogon
    ClientAccessServer          : ExchServer.domain.local.ad.local
    Scenario                    : Mailbox::Logon.
    ScenarioDescription         :
    PerformanceCounterName      : Mailbox: Logon latency
    Result                      : Failure
    Error                       :
    UserName                    : ad.local\extest_a91a4b4076f24
    StartTime                   : 14/01/2014 16:33:27
    Latency                     : -00:00:00.0010000
    EventType                   : Error
    LatencyInMillisecondsString : -1.00
    Identity                    :
    IsValid                     : True
    Testing Outlook Anywhere using Microsoft RCA throws up the error:
    RPC Proxy can't be pinged.
    An HTTP 401 error was received...
    Any help is greatly appreciated. Let me know if I've missed any info!
    Thanks
    Tony

    Hi Guys,
    My first chance today to respond!
    Firstly - thanks for all the information. I really appreciate it.
    Well, the good news is that Outlook Anywhere is now working at Site B. It looks like a combination of disabling Outlook Anywhere at Site B (thanks
    Jon), and then being patient and allowing replication to do its stuff (thanks Rhoderck).
    However RCA is still showing ‘Failed’ with the following error. If it helps to have the full output, please let me know. Just for info, I chose
    the option to test using autodiscovery (rather than manually enter it), which passed fine.
    Attempting to ping RPC proxy webmail.company.com.
    RPC Proxy can't be pinged.
    Additional Details
    An HTTP 401 Unauthorized response was received from the remote Unknown server. This is usually the result of an incorrect username or password. If you are attempting to log onto an Office 365 service, ensure you are using your full User Principal Name (UPN).
    Headers received:
    Content-Type: text/html
    Server: Microsoft-IIS/7.5
    WWW-Authenticate: Negotiate,NTLM
    X-Powered-By: ASP.NET
    Date: Tue, 21 Jan 2014 09:55:41 GMT
    Content-Length: 58
    Elapsed Time: 1063 ms.
    RPCProxy - ValidPorts
    Thanks for the 'SoundTrackOfMyLife' link... that looks to be almost identical to my scenario (with the exception of the Kemp LoadMasters). Following
    through the troubleshooting, my CAS servers at Site A (Internet Facing) are showing the registry key 'ValidPorts' as...
    SiteB-ExchCasSvr01:593;SiteB-ExchCasSvr01:49152-65535
    So - should this be...
    SiteB-ExchMbxSvr01:6001-6002;SiteB-ExchMbxSvr01:6004;SiteB-ExchMbxSvr01.domain.local:6001-6002;SiteB-ExchMbxSvr01.domain.local:6004;
    i.e. I only add ports 6001, 6002 and 6004 for mailbox servers only? If so, which site's mailbox servers should I put in here?
    SSL Off Loading
    We've only really implemented SSL Offloading on the advice from Kemp (it's built in to their Exchange 2010 template). Apparently, the advantage
    is the LoadMasters have a dedicated hardware processor for decryption/encryption of SSL traffic, thus taking the load off the Exchange servers. Exactly how much of a load this would normally be for our Exchange servers is unknown. We've followed Kemp's documentation
    on unchecking 'Require SSL' for the IIS directories on Site A, and also configured Outlook Anywhere with SSL Offloading through the EMC. This was required as the Kemp's are not re-encrypting traffic to the CAS servers (which are on the same site / LAN
    segment), and we're not a bank... so don't need encryption between the LoadMasters and the client access servers.
    However, Site B (non internet facing) has 'Require SSL' enabled on IIS directories, since (I guess) traffic is encrypted when performing CAS-CAS
    proxying?
    I am, as ever, open to suggestions on this design... since our original design was to use TMG for reverse proxy. It was only the end-of-life issue
    with TMG, and the fact that we opted for the Kemp LoadMasters (which offered ESP as a replacement to TMG) that swung us down this path.
    ESP and SSO are implemented on the LoadMaster at Site A (internet facing), which is (was!) not the problem site.
    Thanks again for your time and assistance guys. We’re almost there!
    Tony

  • Problem using Outlook Anywhere out of the office

    Hello,
    I have a problem getting my Microsoft Outlook (2007) to connect to my Exchange Server when I'm out of the office local network.
    Outlook Anywhere is enabled on the server, and everything is set correctly on the client.
    I have run the Outlook connectivity analyzer tool and this is what I got.
    Testing RPC/HTTP connectivity.
      The RPC/HTTP test failed.
    Additional Details
      Elapsed Time: 777 ms.
    Test Steps
    Attempting to resolve the host name mail.DOMAIN in DNS.
      The host name resolved successfully.
    Additional Details
    IP addresses returned: IPP ADDRESS
    Elapsed Time: 14 ms.
    Testing TCP port 443 on host mail.DOMAIN to ensure it's listening and open.
      The port was opened successfully.
    Additional Details
      Elapsed Time: 253 ms.
    Testing the SSL certificate to make sure it's valid.
      The SSL certificate failed one or more certificate validation checks.
    Additional Details
      Elapsed Time: 508 ms.
    Test Steps
    The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server mail.DOMAIN on port 443.
      The Microsoft Connectivity Analyzer wasn't able to obtain the remote SSL certificate.
    Additional Details
    The certificate couldn't be validated because SSL negotiation wasn't successful. This could have occurred as a result of a network error or because of a problem with the certificate installation.
    Elapsed Time: 472 ms.
    I am sure we have an SSL certificate installed "one generated locally which means not one that's been bought", but it shows errors about being expired only when I'm at the office "local network". Now that I'm out of the office I don't even get the error anymore, nor the login popup window, and the connectivity status to the Exchange server is "Disconnect".
    How can I fix this? Where to obtain an SSL certificate, assuming that's why I'm unable to connect to the Exchange server?
    Could it be my Microsoft Exchange proxy settings? I'm using mail.domain and msstd:mail.domain and basic authentication "exactly like in the Exchange server settings".
    - I'm able to connect to Exchange on my iPhone/Android successfully.
    Thank you in advance
    Nouf
    *i have tried uploading an image but i get this message, though I haven't received any confirmation email.
    Body text cannot contain images or links until we are able to verify your account.

    You must have a properly installed cert issued from a trusted CA for Outlook Anywhere to work.
    The phone devices you mention historically have not done a good job of certificate validation which is why they connect but Outlook and Windows will verify that the cert is who it claims to be.
    Read this:
    http://exchangepedia.com/2007/08/outlook-anywhere-and-exchanges-self-signed-certificate.html
    And follow the link in it to obtain a  cert from a trusted CA.
    Cheers,
    Rhoderick
    Microsoft Senior Exchange PFE
    Blog:
    http://blogs.technet.com/rmilne 
    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.
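
Niko Cheng's reply at the top of the page and Rhoderick's reply above both come down to whether the client machine trusts the certificate that the Outlook Anywhere endpoint presents. The PowerShell function below is an added example, not code from either poster: it reports how the local machine judges that certificate. The function name and the host `mail.example.test` are placeholders, and .NET's name matching is used here as a stand-in for Outlook's own msstd check.

```powershell
# Added example, not from the thread. Requires Windows PowerShell 3.0 or later.
# Run it on the affected client so the result reflects that machine's trust stores.
function Test-OutlookAnywhereCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)] [string] $HostName,
        [int] $Port = 443,
        # Optional: CertPrincipalName as shown by Get-OutlookProvider,
        # e.g. 'msstd:mail.example.test' (placeholder value).
        [string] $CertPrincipalName
    )

    # Name the certificate is validated against: the msstd: value when given,
    # otherwise the host we connect to.
    $expectedName = $HostName
    if ($CertPrincipalName) { $expectedName = $CertPrincipalName -replace '^msstd:', '' }

    # The callback records the validation verdict and then returns $true so the
    # handshake completes and the certificate can be read. No mail data is sent.
    $state = @{ PolicyErrors = $null; ChainStatus = @() }
    [System.Net.Security.RemoteCertificateValidationCallback] $callback = {
        param($source, $certificate, $chain, $sslPolicyErrors)
        $state.PolicyErrors = $sslPolicyErrors
        if ($chain) {
            $state.ChainStatus = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
        }
        return $true
    }.GetNewClosure()

    $tcp = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $tcp.Connect($HostName, $Port)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($expectedName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        [pscustomobject]@{
            ConnectedTo  = "${HostName}:$Port"
            ValidatedAs  = $expectedName
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            NotAfter     = $cert.NotAfter
            # Subject equal to Issuer: self-signed or an internal root, so the
            # client needs it in its Trusted Root store.
            SelfIssued   = ($cert.Subject -eq $cert.Issuer)
            # RemoteCertificateChainErrors : issuer chain not trusted on this machine
            # RemoteCertificateNameMismatch: certificate names do not cover ValidatedAs
            PolicyErrors = "$($state.PolicyErrors)"
            ChainStatus  = ($state.ChainStatus -join ', ')
            TrustedHere  = ($state.PolicyErrors -eq [System.Net.Security.SslPolicyErrors]::None)
        }
    }
    catch {
        # TCP connect or SSL negotiation failed before a certificate could be judged.
        [pscustomobject]@{
            ConnectedTo    = "${HostName}:$Port"
            ValidatedAs    = $expectedName
            HandshakeError = $_.Exception.GetBaseException().Message
            TrustedHere    = $false
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }
}

# Usage (placeholder names):
# Test-OutlookAnywhereCertificate -HostName mail.example.test -CertPrincipalName 'msstd:mail.example.test'
```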

  • Troubleshoot connectivity issues Outlook Anywhere - Exchange 2013

    Hi there,
    As part of our Exchange 2010 -> 2013 migration we've transitioned CAS to Exchange 2013 2 weeks ago. Some 50 mailboxes have been moved to Exchange 2013. Moving mailboxes for everyone is scheduled for the 2nd week of July. Because our current version of Outlook is 2007 (migration to 2013 is due this summer) we've configured NTLM authentication for OA.
    Exchange setup: 8 multirole (CAS/MBX) virtual (VMware) servers: each 4 cores, 24 GB memory (reserved): Windows 2012 SP1, Exchange 2013 SP1 (15.0.847.4030)
    Right now we're facing client connectivity issues: Outlook Anywhere clients are continuously losing connection with Exchange, some people (Outlook 2007/exc. 2007) report every minute or worse.... Moving the mailboxes of affected people results in fewer problems: sometimes no disconnects for 10 to 30 minutes, then reconnects every minute for some time.
    We've already set the timeout for the oa-pool in our network proxy (Riverbed SteelApp) to 20 minutes and the minimum keep alive on the 2013 servers to 120 seconds, which improved Outlook 2013 clients; before I experienced reconnects every minute, after every 10 to 30 minutes (with periods of reconnects every minute)
    testconnectivity.microsoft.com gives positive results (apart from an NSPI warning about server side encryption)
    testing with rpcping according to
    http://blogs.technet.com/b/exchange/archive/2008/06/20/3405633.aspx gives some interesting results:
    I've tested all (8) CAS 2013 servers over ports 6001, 6002 and 6003; each 100 rpcpings with a for loop: every response was either about 500 ms or about 21 seconds ?!?
    How can we further troubleshoot the reason for the long reply time? Event logs (and SCOM with Exchange 2013 MP) show no relevant events or alerts.
    Part of the output of a rpcping
     RPCPing v6.0. Copyright (C) Microsoft Corporation, 2002-2006
     RPCPing set Activity ID:  {59b56c7f-af5d-4836-b701-92070f674de6}
     Completed 1 calls in 452 ms
    2 T/S or 452.000 ms/T
     RPCPing v6.0. Copyright (C) Microsoft Corporation, 2002-2006
     RPCPing set Activity ID:  {1197cd5e-c79d-4659-b598-3134c335b103}
     Completed 1 calls in 468 ms
    2 T/S or 468.000 ms/T
     RPCPing v6.0. Copyright (C) Microsoft Corporation, 2002-2006
     RPCPing set Activity ID:  {0cbaef91-ec96-402e-aa00-4913e2be1c51}
     Completed 1 calls in 483 ms
    2 T/S or 483.000 ms/T
     RPCPing v6.0. Copyright (C) Microsoft Corporation, 2002-2006
     RPCPing set Activity ID:  {525717e5-441b-4a8e-8398-dc86d38852c7}
     Completed 1 calls in 21450 ms
    0 T/S or 21450.000 ms/T
     RPCPing v6.0. Copyright (C) Microsoft Corporation, 2002-2006
     RPCPing set Activity ID:  {408d806d-ed5a-4f96-8c3c-2446a1d48ad8}
     Completed 1 calls in 21497 ms
    0 T/S or 21497.000 ms/T
     RPCPing v6.0. Copyright (C) Microsoft Corporation, 2002-2006
     RPCPing set Activity ID:  {3b441a9f-7606-4106-850f-fccb7c0f1bb1}
     Completed 1 calls in 21497 ms
    0 T/S or 21497.000 ms/T
     RPCPing v6.0. Copyright (C) Microsoft Corporation, 2002-2006
     RPCPing set Activity ID:  {bf994811-8528-433f-b532-f29d347fce5b}
     Completed 1 calls in 21590 ms
    0 T/S or 21590.000 ms/T
     RPCPing v6.0. Copyright (C) Microsoft Corporation, 2002-2006
     RPCPing set Activity ID:  {ddb5248b-82aa-4586-b2f7-9c04c9922034}
     Completed 1 calls in 577 ms
    1 T/S or 577.000 ms/T
    Summary of all servers (test this morning)
    Server   Port  # >20.0001
    Server1  6001  32/100
    Server1  6002  27/100
    Server1  6004  0/100
    Server2  6001  47/100
    Server2  6002  0/100
    Server2  6004  37/100
    Server3  6001  0/100
    Server3  6002  0/100
    Server3  6004  41/100
    Server4  6001  0/100
    Server4  6002  29/100
    Server4  6004  42/100
    Server5  6001  69/100
    Server5  6002  48/100
    Server5  6004  69/100
    Server6  6001  0/100
    Server6  6002  0/100
    Server6  6004  1/100
    Server7  6001  0/100
    Server7  6002  1/100
    Server7  6004  1/100
    Server8  6001  0/100
    Server8  6002  0/100
    Server8  6004  0/100
    I've repeated above test this afternoon: All test resulted in about 40-60 (of 100) replies >20 seconds

    We've changed a timeout setting in the SteelApp virtual server (old: 10 sec; new: disabled). The connections between Outlook and Exchange are, when established, very stable (almost no failed requests anymore).
    However there still exists a connectivity issue:
    The 8 Exchange 2013 servers are placed in 2 different Active Directory sites (4 servers in each site) and I have found that a cross-site rpcping consistently takes more than 20 seconds (with the load balancer bypassed!) where an rpcping on the same AD site takes 200-300 milliseconds...
    rpcping -t ncacn_http -o RpcProxy=Host-in-site-A -P "user,domain,password" -H 2 -F 3 -a connect -u 10 -v 3 -s RpcProxy=Host-in-site-B -I "user,domain,password" -e 6001 => 20+ seconds
    rpcping -t ncacn_http -o RpcProxy=Host-in-site-A -P "user,domain,password" -H 2 -F 3 -a connect -u 10 -v 3 -s RpcProxy=Host-in-site-A -I "user,domain,password" -e 6001 => 200 milliseconds
    rpcping -t ncacn_http -o RpcProxy=Host-in-site-B -P "user,domain,password" -H 2 -F 3 -a connect -u 10 -v 3 -s RpcProxy=Host-in-site-B -I "user,domain,password" -e 6001 => 200 milliseconds
    rpcping -t ncacn_http -o RpcProxy=Host-in-site-B -P "user,domain,password" -H 2 -F 3 -a connect -u 10 -v 3 -s RpcProxy=Host-in-site-A -I "user,domain,password" -e 6001 => 20+ seconds
    The same tests with our Exchange 2010 CAS and MBX (NO multirole) show fast responses (300 ms) with every combination. The servers are both on the same networks in each site.
    We've already started talking with the network guys: there should be no rules between both networks.
    OWA, Autodiscover, EAS all work fine.
    How or where to troubleshoot this slow response between two AD sites?

  • Access to Outlook Anywhere does not work

    Good evening,
    I recently installed an Exchange Server 2013 CAS / MB.
    Until now, the server presented a few errors (mainly in the event log) that do not seem to significantly influence functionality.
    This week I published the server on the Internet and verified various malfunctions related to the access from outside.
    In particular from outside:
    1 - OWA does not work with Windows integrated authentication, it works with the Forms based authentication;
    2 - Outlook Anywhere does not work from internet.
    I've done a lot of research and testing without success.
    With regard to the first issue (which is not a priority but can relate to the second one) I add that in Firefox I get a first authentication request. If I enter credentials it asks again for identical authentication (repeatedly), if I cancel it shows a second one that instead allows me access (they are slightly different).
    I assume that the first is the integrated Windows application and the second is basic authentication.
    Internet Explorer shows me only the first authentication request and if I cancel it shows a blank page.
    The problem is priority 2:
    Outlook connects without problems on the LAN network; on the Internet it seems to download the correct information (autodiscover), but then does not connect to the server (connection to Microsoft Exchange is unavailable).
    If you manually edit the settings, auto-configuration server returns as a [email protected]. If I change manually the server (and proxy settings http), the result does not change.
    - Setting information -
    The server is installed in the LAN network and is exposed on the Internet through a firewall (PAT on port 443, et al. not 80) on a public address.
    The public and private DNS have been configured with a host record (A) and two CNAME (webmail and autodiscover).
    The internal Outlook clients connect with autodiscover and HTTPS / NTLM / SSL (Outlook connectivity status).
    IMAP, SMTP, POP, ActiveSync function.
    Exchange remote connectivity analyzer retrieves Autodiscover information but doesn't pass the test for RPC/HTTP access (it discards access on port 443 and tries port 80, SPF isn't configured).
    The navigation to the url https://proxyexternalURL/rpc/rpcproxy.dll has the same behaviour as problem 1.
    Test-OutlookConnectivity returns unmanaged error ('WARNING: An unexpected error has occurred and a Watson dump is being generated: Failed to find the probe result for invoke now request id -- and probe workdefinition id --').
    Errors in eventviewer: 5011 - WAS (one time), 139 - MSExchange OWA (some not repetitive), 3028 - MSExchangeApplicationLogic (every 6 hours), 106 - MSExchange common (many during working hours), 65535 - application (some at nighttime 00.00 - 03.00 a.m.), 1006 - MSExchangeDiagnostic (every 30 min), 6002 - MSExchange Mid-Tier Storage (about every 5 minutes), 5 - MSExchange Workload Management (one time).
    Ask for further information.
    - Cmdlet and Autodiscover output -
    Get-OutlookAnywhere | fl name,*auth*,*ssl*,*host*
    Name                               : Rpc (Default Web site)
    ExternalClientAuthenticationMethod : Basic
    InternalClientAuthenticationMethod : Ntlm
    IISAuthenticationMethods           : {Basic, Ntlm, Negotiate}
    SSLOffloading                      : True
    ExternalClientsRequireSsl          : True
    InternalClientsRequireSsl          : True
    ExternalHostname                   : webmail.name_domain.test
    InternalHostname                   : webmail.name_domain.test
    Get-OutlookProvider | ft -autosize
    Name Server CertPrincipalName              TTL
    EXCH        msstd:webmail.name_domain.test 1
    EXPR        msstd:webmail.name_domain.test 1
    WEB                                        1
    Get-AutodiscoverVirtualDirectory | fl name,*auth*,*url*
    Name                          : Autodiscover (Default Web site)
    InternalAuthenticationMethods : {Basic, WSSecurity, OAuth}
    ExternalAuthenticationMethods : {Basic, WSSecurity, OAuth}
    LiveIdNegotiateAuthentication : False
    WSSecurityAuthentication      : True
    LiveIdBasicAuthentication     : False
    BasicAuthentication           : True
    DigestAuthentication          : False
    WindowsAuthentication         : False
    OAuthAuthentication           : True
    AdfsAuthentication            : False
    InternalUrl                   :
    ExternalUrl                   :
    Get-MapiVirtualDirectory | fl name,*auth*,*url*
    Name                          : mapi (Default Web site)
    IISAuthenticationMethods      : {Basic, Ntlm, Negotiate}
    InternalAuthenticationMethods : {Basic, Ntlm, Negotiate}
    ExternalAuthenticationMethods : {Basic, Ntlm, Negotiate}
    InternalUrl                   : https://webmail.name_domain.test/mapi
    ExternalUrl                   : https://webmail.name_domain.test/mapi
    Autodiscover.xml
    <?xml version="1.0" encoding="utf-8"?>
    <Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
      <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
        <User>
          <DisplayName>user</DisplayName>
          <LegacyDN>/o=organization_name/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=e4c0c18c8f214afbb5152bb08823179d-user</LegacyDN>
          <AutoDiscoverSMTPAddress>user@name_domain.test</AutoDiscoverSMTPAddress>
          <DeploymentId>d60c71c9-3740-404c-a38c-aa24e6105432</DeploymentId>
        </User>
        <Account>
          <AccountType>email</AccountType>
          <Action>settings</Action>
          <MicrosoftOnline>False</MicrosoftOnline>
          <Protocol>
            <Type>EXCH</Type>
            <Server>72036b30-a4d4-4b42-9c39-445bd04c23a6@name_domain.test</Server>
            <ServerDN>/o=organization_name/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=72036b30-a4d4-4b42-9c39-445bd04c23a6@name_domain.test</ServerDN>
            <ServerVersion>73C082C8</ServerVersion>
            <MdbDN>/o=organization_name/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=72036b30-a4d4-4b42-9c39-445bd04c23a6@name_domain.test/cn=Microsoft Private MDB</MdbDN>
            <PublicFolderServer>webmail.name_domain.test</PublicFolderServer>
            <AD>DC2.name_domain.test</AD>
            <ASUrl>https://webmail.name_domain.test/EWS/Exchange.asmx</ASUrl>
            <EwsUrl>https://webmail.name_domain.test/EWS/Exchange.asmx</EwsUrl>
            <EmwsUrl>https://webmail.name_domain.test/EWS/Exchange.asmx</EmwsUrl>
            <EcpUrl>https://webmail.name_domain.test/ecp/</EcpUrl>
            <EcpUrl-um>?rfr=olk&amp;p=customize/voicemail.aspx&amp;exsvurl=1&amp;realm=name_domain.test</EcpUrl-um>
            <EcpUrl-aggr>?rfr=olk&amp;p=personalsettings/EmailSubscriptions.slab&amp;exsvurl=1&amp;realm=name_domain.test</EcpUrl-aggr>
            <EcpUrl-mt>PersonalSettings/DeliveryReport.aspx?rfr=olk&amp;exsvurl=1&amp;IsOWA=&lt;IsOWA&gt;&amp;MsgID=&lt;MsgID&gt;&amp;Mbx=&lt;Mbx&gt;&amp;realm=name_domain.test</EcpUrl-mt>
            <EcpUrl-ret>?rfr=olk&amp;p=organize/retentionpolicytags.slab&amp;exsvurl=1&amp;realm=name_domain.test</EcpUrl-ret>
            <EcpUrl-sms>?rfr=olk&amp;p=sms/textmessaging.slab&amp;exsvurl=1&amp;realm=name_domain.test</EcpUrl-sms>
            <EcpUrl-publish>customize/calendarpublishing.slab?rfr=olk&amp;exsvurl=1&amp;FldID=&lt;FldID&gt;&amp;realm=name_domain.test</EcpUrl-publish>
            <EcpUrl-photo>PersonalSettings/EditAccount.aspx?rfr=olk&amp;chgPhoto=1&amp;exsvurl=1&amp;realm=name_domain.test</EcpUrl-photo>
            <EcpUrl-tm>?rfr=olk&amp;ftr=TeamMailbox&amp;exsvurl=1&amp;realm=name_domain.test</EcpUrl-tm>
            <EcpUrl-tmCreating>?rfr=olk&amp;ftr=TeamMailboxCreating&amp;SPUrl=&lt;SPUrl&gt;&amp;Title=&lt;Title&gt;&amp;SPTMAppUrl=&lt;SPTMAppUrl&gt;&amp;exsvurl=1&amp;realm=name_domain.test</EcpUrl-tmCreating>
            <EcpUrl-tmEditing>?rfr=olk&amp;ftr=TeamMailboxEditing&amp;Id=&lt;Id&gt;&amp;exsvurl=1&amp;realm=name_domain.test</EcpUrl-tmEditing>
            <EcpUrl-extinstall>Extension/InstalledExtensions.slab?rfr=olk&amp;exsvurl=1&amp;realm=name_domain.test</EcpUrl-extinstall>
            <OOFUrl>https://webmail.name_domain.test/EWS/Exchange.asmx</OOFUrl>
            <UMUrl>https://webmail.name_domain.test/EWS/UM2007Legacy.asmx</UMUrl>
            <OABUrl>https://webmail.name_domain.test/OAB/e66d9a4a-6ed2-4512-b72f-522381524dd9/</OABUrl>
            <ServerExclusiveConnect>off</ServerExclusiveConnect>
            <CertPrincipalName>msstd:webmail.name_domain.test</CertPrincipalName>
          </Protocol>
          <Protocol>
            <Type>EXPR</Type>
            <Server>webmail.name_domain.test</Server>
            <SSL>On</SSL>
            <AuthPackage>Basic</AuthPackage>
            <ASUrl>https://webmail.name_domain.test/ews/exchange.asmx</ASUrl>
            <EwsUrl>https://webmail.name_domain.test/ews/exchange.asmx</EwsUrl>
            <EmwsUrl>https://webmail.name_domain.test/ews/exchange.asmx</EmwsUrl>
            <EcpUrl>https://webmail.name_domain.test/ecp/</EcpUrl>
            <EcpUrl-um>?rfr=olk&amp;p=customize/voicemail.aspx&amp;exsvurl=1&amp;realm=name_domain.test</EcpUrl-um>
            <EcpUrl-aggr>?rfr=olk&amp;p=personalsettings/EmailSubscriptions.slab&amp;exsvurl=1&amp;realm=name_domain.test</EcpUrl-aggr>
            <EcpUrl-mt>PersonalSettings/DeliveryReport.aspx?rfr=olk&amp;exsvurl=1&amp;IsOWA=&lt;IsOWA&gt;&amp;MsgID=&lt;MsgID&gt;&amp;Mbx=&lt;Mbx&gt;&amp;realm=name_domain.test</EcpUrl-mt>
            <EcpUrl-ret>?rfr=olk&amp;p=organize/retentionpolicytags.slab&amp;exsvurl=1&amp;realm=name_domain.test</EcpUrl-ret>
            <EcpUrl-sms>?rfr=olk&amp;p=sms/textmessaging.slab&amp;exsvurl=1&amp;realm=name_domain.test</EcpUrl-sms>
            <EcpUrl-publish>customize/calendarpublishing.slab?rfr=olk&amp;exsvurl=1&amp;FldID=&lt;FldID&gt;&amp;realm=name_domain.test</EcpUrl-publish>
            <EcpUrl-photo>PersonalSettings/E.testAccount.aspx?rfr=olk&amp;chgPhoto=1&amp;exsvurl=1&amp;realm=name_domain.test</EcpUrl-photo>
            <EcpUrl-tm>?rfr=olk&amp;ftr=TeamMailbox&amp;exsvurl=1&amp;realm=name_domain.test</EcpUrl-tm>
            <EcpUrl-tmCreating>?rfr=olk&amp;ftr=TeamMailboxCreating&amp;SPUrl=&lt;SPUrl&gt;&amp;.testle=&lt;.testle&gt;&amp;SPTMAppUrl=&lt;SPTMAppUrl&gt;&amp;exsvurl=1&amp;realm=name_domain.test</EcpUrl-tmCreating>
            <EcpUrl-tmE.testing>?rfr=olk&amp;ftr=TeamMailboxE.testing&amp;Id=&lt;Id&gt;&amp;exsvurl=1&amp;realm=name_domain.test</EcpUrl-tmE.testing>
            <EcpUrl-extinstall>Extension/InstalledExtensions.slab?rfr=olk&amp;exsvurl=1&amp;realm=name_domain.test</EcpUrl-extinstall>
            <OOFUrl>https://webmail.name_domain.test/ews/exchange.asmx</OOFUrl>
            <UMUrl>https://webmail.name_domain.test/ews/UM2007Legacy.asmx</UMUrl>
            <OABUrl>https://webmail.name_domain.test/OAB/e66d9a4a-6ed2-4512-b72f-522381524dd9/</OABUrl>
            <ServerExclusiveConnect>on</ServerExclusiveConnect>
            <CertPrincipalName>msstd:webmail.name_domain.test</CertPrincipalName>
            <EwsPartnerUrl>https://webmail.name_domain.test/ews/exchange.asmx</EwsPartnerUrl>
            <GroupingInformation>LAN</GroupingInformation>
          </Protocol>
          <Protocol>
            <Type>WEB</Type>
            <Internal>
              <OWAUrl AuthenticationMethod="Basic, Fba">https://webmail.name_domain.test/</OWAUrl>
              <Protocol>
                <Type>EXCH</Type>
                <ASUrl>https://webmail.name_domain.test/EWS/Exchange.asmx</ASUrl>
              </Protocol>
            </Internal>
            <External>
              <OWAUrl AuthenticationMethod="Basic">https://webmail.name_domain.test/</OWAUrl>
              <Protocol>
                <Type>EXPR</Type>
                <ASUrl>https://webmail.name_domain.test/ews/exchange.asmx</ASUrl>
              </Protocol>
            </External>
          </Protocol>
          <Protocol>
            <Type>EXHTTP</Type>
            <Server>webmail.name_domain.test</Server>
            <SSL>On</SSL>
            <AuthPackage>Ntlm</AuthPackage>
            <ASUrl>https://webmail.name_domain.test/EWS/Exchange.asmx</ASUrl>
            <EwsUrl>https://webmail.name_domain.test/EWS/Exchange.asmx</EwsUrl>
            <EmwsUrl>https://webmail.name_domain.test/EWS/Exchange.asmx</EmwsUrl>
            <EcpUrl>https://webmail.name_domain.test/ecp/</EcpUrl>
            <EcpUrl-um>?rfr=olk&amp;p=customize/voicemail.aspx&amp;exsvurl=1&amp;realm=name_domain.test</EcpUrl-um>
            <EcpUrl-aggr>?rfr=olk&amp;p=personalsettings/EmailSubscriptions.slab&amp;exsvurl=1&amp;realm=name_domain.test</EcpUrl-aggr>
            <EcpUrl-mt>PersonalSettings/DeliveryReport.aspx?rfr=olk&amp;exsvurl=1&amp;IsOWA=&lt;IsOWA&gt;&amp;MsgID=&lt;MsgID&gt;&amp;Mbx=&lt;Mbx&gt;&amp;realm=name_domain.test</EcpUrl-mt>
            <EcpUrl-ret>?rfr=olk&amp;p=organize/retentionpolicytags.slab&amp;exsvurl=1&amp;realm=name_domain.test</EcpUrl-ret>
            <EcpUrl-sms>?rfr=olk&amp;p=sms/textmessaging.slab&amp;exsvurl=1&amp;realm=name_domain.test</EcpUrl-sms>
            <EcpUrl-publish>customize/calendarpublishing.slab?rfr=olk&amp;exsvurl=1&amp;FldID=&lt;FldID&gt;&amp;realm=name_domain.test</EcpUrl-publish>
            <EcpUrl-photo>PersonalSettings/E.testAccount.aspx?rfr=olk&amp;chgPhoto=1&amp;exsvurl=1&amp;realm=name_domain.test</EcpUrl-photo>
            <EcpUrl-tm>?rfr=olk&amp;ftr=TeamMailbox&amp;exsvurl=1&amp;realm=name_domain.test</EcpUrl-tm>
            <EcpUrl-tmCreating>?rfr=olk&amp;ftr=TeamMailboxCreating&amp;SPUrl=&lt;SPUrl&gt;&amp;.testle=&lt;.testle&gt;&amp;SPTMAppUrl=&lt;SPTMAppUrl&gt;&amp;exsvurl=1&amp;realm=name_domain.test</EcpUrl-tmCreating>
            <EcpUrl-tmE.testing>?rfr=olk&amp;ftr=TeamMailboxE.testing&amp;Id=&lt;Id&gt;&amp;exsvurl=1&amp;realm=name_domain.test</EcpUrl-tmE.testing>
            <EcpUrl-extinstall>Extension/InstalledExtensions.slab?rfr=olk&amp;exsvurl=1&amp;realm=name_domain.test</EcpUrl-extinstall>
            <OOFUrl>https://webmail.name_domain.test/EWS/Exchange.asmx</OOFUrl>
            <UMUrl>https://webmail.name_domain.test/EWS/UM2007Legacy.asmx</UMUrl>
            <OABUrl>https://webmail.name_domain.test/OAB/e66d9a4a-6ed2-4512-b72f-522381524dd9/</OABUrl>
            <ServerExclusiveConnect>On</ServerExclusiveConnect>
            <CertPrincipalName>msstd:webmail.name_domain.test</CertPrincipalName>
          </Protocol>
          <Protocol>
            <Type>EXHTTP</Type>
            <Server>webmail.name_domain.test</Server>
            <SSL>On</SSL>
            <AuthPackage>Basic</AuthPackage>
            <ASUrl>https://webmail.name_domain.test/ews/exchange.asmx</ASUrl>
            <EwsUrl>https://webmail.name_domain.test/ews/exchange.asmx</EwsUrl>
            <EmwsUrl>https://webmail.name_domain.test/ews/exchange.asmx</EmwsUrl>
            <EcpUrl>https://webmail.name_domain.test/ecp/</EcpUrl>
            <EcpUrl-um>?rfr=olk&amp;p=customize/voicemail.aspx&amp;exsvurl=1&amp;realm=name_domain.test</EcpUrl-um>
            <EcpUrl-aggr>?rfr=olk&amp;p=personalsettings/EmailSubscriptions.slab&amp;exsvurl=1&amp;realm=name_domain.test</EcpUrl-aggr>
            <EcpUrl-mt>PersonalSettings/DeliveryReport.aspx?rfr=olk&amp;exsvurl=1&amp;IsOWA=&lt;IsOWA&gt;&amp;MsgID=&lt;MsgID&gt;&amp;Mbx=&lt;Mbx&gt;&amp;realm=name_domain.test</EcpUrl-mt>
            <EcpUrl-ret>?rfr=olk&amp;p=organize/retentionpolicytags.slab&amp;exsvurl=1&amp;realm=name_domain.test</EcpUrl-ret>
            <EcpUrl-sms>?rfr=olk&amp;p=sms/textmessaging.slab&amp;exsvurl=1&amp;realm=name_domain.test</EcpUrl-sms>
            <EcpUrl-publish>customize/calendarpublishing.slab?rfr=olk&amp;exsvurl=1&amp;FldID=&lt;FldID&gt;&amp;realm=name_domain.test</EcpUrl-publish>
            <EcpUrl-photo>PersonalSettings/E.testAccount.aspx?rfr=olk&amp;chgPhoto=1&amp;exsvurl=1&amp;realm=name_domain.test</EcpUrl-photo>
            <EcpUrl-tm>?rfr=olk&amp;ftr=TeamMailbox&amp;exsvurl=1&amp;realm=name_domain.test</EcpUrl-tm>
            <EcpUrl-tmCreating>?rfr=olk&amp;ftr=TeamMailboxCreating&amp;SPUrl=&lt;SPUrl&gt;&amp;.testle=&lt;.testle&gt;&amp;SPTMAppUrl=&lt;SPTMAppUrl&gt;&amp;exsvurl=1&amp;realm=name_domain.test</EcpUrl-tmCreating>
            <EcpUrl-tmE.testing>?rfr=olk&amp;ftr=TeamMailboxE.testing&amp;Id=&lt;Id&gt;&amp;exsvurl=1&amp;realm=name_domain.test</EcpUrl-tmE.testing>
            <EcpUrl-extinstall>Extension/InstalledExtensions.slab?rfr=olk&amp;exsvurl=1&amp;realm=name_domain.test</EcpUrl-extinstall>
            <OOFUrl>https://webmail.name_domain.test/ews/exchange.asmx</OOFUrl>
            <UMUrl>https://webmail.name_domain.test/ews/UM2007Legacy.asmx</UMUrl>
            <OABUrl>https://webmail.name_domain.test/OAB/e66d9a4a-6ed2-4512-b72f-522381524dd9/</OABUrl>
            <ServerExclusiveConnect>On</ServerExclusiveConnect>
            <CertPrincipalName>msstd:webmail.name_domain.test</CertPrincipalName>
          </Protocol>
        </Account>
      </Response>
    </Autodiscover>
    Get-OwaVirtualDirectory | fl name,*auth*,*url*
    Name                          : owa (Default Web Site)
    ClientAuthCleanupLevel        : High
    InternalAuthenticationMethods : {Basic, Fba}
    BasicAuthentication           : True
    WindowsAuthentication         : False
    DigestAuthentication          : False
    FormsAuthentication           : True
    LiveIdAuthentication          : False
    AdfsAuthentication            : False
    OAuthAuthentication           : False
    ExternalAuthenticationMethods : {Basic}
    Url                           : {}
    SetPhotoURL                   :
    Exchange2003Url               :
    FailbackUrl                   :
    InternalUrl                   : https://webmail.name_domain.test/
    ExternalUrl                   : https://webmail.name_domain.test/

    The results of the Outlook Anywhere (RPC over HTTP) test follow.
    An account for which Outlook Anywhere works was used. The account for which Outlook Anywhere does not work is an administrative account and therefore cannot be used in the test.
    Autodiscover returns the same result for both mailboxes.
    I'm testing RPC/HTTP connectivity.
    Testing RPC over HTTP has not been exceeded.
    Test steps
    Microsoft connectivity Analyzer is attempting to test the Autodiscover service for user_test@domain_name.test.
    Test the Autodiscover service has not been exceeded.
    Test steps
    I'm trying to contact the Autodiscover service with each method available.
    I was not able to contact the Autodiscover service with no method.
    Test steps
    I'm trying to test the possible URL for the Autodiscover service https://domain_name.test/AutoDiscover/AutoDiscover.xml
    The test of this potential URL for the Autodiscover service has not been exceeded.
    Test steps
    I'm trying to resolve the host name domain_name. DNS test.
    I was able to resolve the host name.
    IP addresses are returned: xxx.yyy.zzz.www
    I'm testing the TCP port 443 on the host domain_name. tests to check that is open and listening.
    The door has been opened properly.
    I'm testing the validity of your SSL certificate.
    The SSL certificate has not exceeded one or more validation controls.
    Test steps
    Microsoft connectivity Analyzer is attempting to obtain the SSL certificate from the remote server domain_name. test on port 443.
    Microsoft connectivity Analyzer got the remote SSL certificate.
    Remote certificate subject: E = it_staff@domain_name.test, CN = * domain_name. test, OU = it staff, O = domain_name, L = city, S = state, C = test issuer: E = it_staff@domain_name.test, CN = * domain_name. test, OU = it staff, O = domain_name,
    L = city, S = state, C = test.
    I am validating the certificate name.
    I could not validate the certificate name.
    More info about this issue and how to resolve it
    The host name domain_name. testing does not match any name found on the certificate and server = it_staff@domain_name.test, CN = * domain_name. test, OU = it staff, O = domain_name, L = city, S = state, C = test.
    I'm trying to test the possible URL for the Autodiscover service https://autodiscover.domain_name.test/AutoDiscover/AutoDiscover.xml
    The test of this potential URL for the Autodiscover service has not been exceeded.
    Test steps
    I'm trying to resolve the host name autodiscover. domain_name. DNS test.
    I was able to resolve the host name.
    IP addresses are returned: xxx.yyy.zzz.kkk
    I'm testing the TCP port 443 on the host autodiscover. domain_name. tests to check that is open and listening.
    The door has been opened properly.
    I'm testing the validity of your SSL certificate.
    The SSL certificate has not exceeded one or more validation controls.
    Test steps
    Microsoft connectivity Analyzer is attempting to obtain the SSL certificate from the remote server autodiscover. domain_name. test on port 443.
    Microsoft connectivity Analyzer got the remote SSL certificate.
    Other details
    Remote certificate subject: CN = webmail. domain_name. test, OU = it staff, O = domain_name, L = city, S = city, C = test issuer: CN = domain_name-DC1-CA, DC = domain_name, DC = test.
    I am validating the certificate name.
    I validated the certificate name.
    Other details
    I found the host name autodiscover. domain_name. test in the voice of the alternative name of the certificate object.
    Elapsed time: 1 ms.
    I am validating the reliability of certificates.
    I was not able to validate the reliability of the certificate.
    Test steps
    Microsoft connectivity Analyzer is attempting to generate certificate chains to a certificate CN = webmail. domain_name. test, OU = it staff, O = domain_name, L = city, S = city, C = test.
    I failed to build a certificate chain for the certificate.
    Other details
    Failed to generate the certificate chain.
    May be missing the required intermediate certificates.
    I'm trying to contact the Autodiscover service using the HTTP redirect method.
    I was not able to contact the Autodiscover service using the HTTP redirect method.
    Test steps
    I'm trying to resolve the host name autodiscover. domain_name. DNS test.
    I was able to resolve the host name.
    IP addresses are returned: xxx.yyy.zzz.kkk
    I'm testing the TCP port 80 on the host autodiscover. domain_name. tests to check that is open and listening.
    The specified port is blocked, is not listening or doesn't produce the expected response.
    More info about this issue and how to resolve it
    I encountered a network error while communicating with the remote host.
    I'm trying to find the SRV DNS record _audiscover._tcp.domain_name.test.
    I failed to find the SRV record of the Autodiscover service in DNS.
    Some clarifications:
    1 - xxx.yyy.zzz.www and xxx.yyy.zzz.kkk are two static public addresses, of which only the latter exposes Exchange services;
    2 - The certificate *.domain_name.test is not related to Exchange services;
    3 - I imported the certificate of the issuing CA on the standalone test PC to validate the certificate;
    4 - Port 80 is not open and no SRV records are published.
    Best regards.
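The two certificate checks in the analyzer report above (name validation, then chain trust), as an added example that is not part of the original post and is not Microsoft's analyzer code. It works on names only (no signatures, expiry or revocation); the SAN list, the `Cert` type and the "Constructed Public Root CA" entry are assumptions built from the names quoted in the report.

```python
"""Added example: the analyzer's certificate name and trust checks, by name only."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject_cn: str
    issuer_cn: str
    sans: tuple = ()  # DNS names from subjectAltName (constructed below)


def _labels(name):
    return name.strip().rstrip(".").lower().split(".")


def name_matches(pattern, host):
    """A '*' is honoured only as the whole left-most label and covers one label."""
    p, h = _labels(pattern), _labels(host)
    if len(p) != len(h):
        return False  # so '*.domain_name.test' never matches 'domain_name.test'
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def validate_name(cert, host):
    # When SAN entries exist they decide the match; the CN is only a fallback.
    candidates = cert.sans or (cert.subject_cn,)
    return any(name_matches(c, host) for c in candidates)


def validate_trust(cert, trusted_roots, intermediates=()):
    """Follow issuer names until a trusted root is found or the chain breaks."""
    by_subject = {c.subject_cn: c for c in intermediates}
    issuer, seen = cert.issuer_cn, set()
    while issuer not in seen:
        if issuer in trusted_roots:
            return True
        seen.add(issuer)
        parent = by_subject.get(issuer)
        if parent is None:
            return False  # issuer unknown: "failed to build a certificate chain"
        issuer = parent.issuer_cn
    return False  # loop without reaching a trusted root (e.g. self-issued)


def analyze(host, cert, trusted_roots):
    return {
        "host": host,
        "name_ok": validate_name(cert, host),
        "trust_ok": validate_trust(cert, trusted_roots),
    }


# Constructed from the names in the report; SAN contents are an assumption.
WILDCARD = Cert("*.domain_name.test", "*.domain_name.test")
WEBMAIL = Cert(
    "webmail.domain_name.test",
    "domain_name-DC1-CA",
    ("webmail.domain_name.test", "autodiscover.domain_name.test"),
)
PUBLIC_ROOTS = frozenset({"Constructed Public Root CA"})  # what an external tester trusts
INTERNAL_CA = "domain_name-DC1-CA"

if __name__ == "__main__":
    # External view: what the public analyzer saw.
    print(analyze("domain_name.test", WILDCARD, PUBLIC_ROOTS))
    print(analyze("autodiscover.domain_name.test", WEBMAIL, PUBLIC_ROOTS))
    # Client view after importing the issuing CA into its trusted roots.
    print(analyze("autodiscover.domain_name.test", WEBMAIL,
                  PUBLIC_ROOTS | {INTERNAL_CA}))
```

The same certificate passes the name check in both views; only the trust result changes once the issuing CA is in the client's root store, which is why a client without that root cannot connect.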

  • Client side disabling of Outlook anywhere in Outlook 2013

    Hi
    Our admins recently had to disable external access for Outlook while keeping ActiveSync for Mobile Clients working. This was done by placing the autodiscover service (autodiscover.ourexternaldomain.com) behind a TMG with two factor authentication, and also
    putting our mail.ourexternaldomain.com behind the same TMG. So, Outlook from outside the network can't connect anymore (it will show you the login/pass prompt but what it wants is the two factor credentials, not your domain credentials.. so essentially you
    can't connect anymore), and mobile clients still work.
    In addition, they've disabled the "Outlook anywhere" options (specifically, "Connect to Microsoft Exchange using HTTP" is not only grayed out, it is forced disabled) by GPO.
    Unfortunately, that doesn't work for the handful that's already using Outlook 2013. There, even when the "Connect to Microsoft Exchange using HTTP" option is unchecked, the client will query autodiscover.ourexternaldomain.com, and eventually gets
    the response containing not only the EXCH protocol (which contains the internal urls), but also the EXPR protocol containing the public urls. That in turn re-enables "Connect to Microsoft Exchange using HTTP", so now clients, even when inside the
    organization will try to access the mail.ourexternaldomain.com which is behind the TMG, resulting in perpetual login prompts being displayed (the login actually comes from the TMG, not Exchange). 
    So, is there a way to force disable "Connect to Microsoft Exchange using HTTP" for Outlook 2013, preferably without changing anything on Exchange and the GPO. I guess I'm looking for the registry key that is set for outlook 2010. I checked up on
    the GPO for Outlook 2010 and it seems it sets HKCU/Software/Policies/Microsoft/Office/14.0/Outlook/RPC/ProxyServerFlags = 0. Doing the same for Outlook 2013 (so using the Office/15.0/Outlook/RPC key) results in outlook no longer being able to connect altogether. 
    When I manually remove the checkbox and restart Outlook, it first connects using the internal url, then after getting autodiscover it sets the checkbox "Connect to Microsoft Exchange using HTTP" again, and since the external url can be resolved
    from inside the network, I get the password prompts again even from inside the corporate network.
    Is there a registry key combination that keeps outlook connecting but never using the http proxy?

    Hi Stephan,
    How about the suggestion from Ed.
    Feel free to contact me if there is any update.
    Thanks
    Mavis
    Mavis Huang
    TechNet Community Support

  • Wildcard certificate in Outlook Anywhere

    I tried to fix a bit our Outlook Anywhere and set certificate for my EXPR provider to "msstd:*.domain.com" (I use *.domain.com certificate for exchange). But all Outlook clients after restart show error: "There
    is a problem with the proxy server's security certificate. The name on the security certificate is invalid or does not match the name of the target site owa.domain.com. Outlook
    is unable to connect to the proxy server. (Error Code 0)".
    I set EXPR provider to "msstd:owa.domain.com" (my exchange server address) and all works fine now.
    Why I could not switch certificate to wildcard?

    Hi,
    If you have done the following changes:
    Set-OutlookProvider -Identity EXPR -CertPrincipalName msstd:*.domain.com
    Please follow Ed’s suggestion to make sure the Wildcard certificate assigned with IIS service. We can run the following command to get more information about your certificates:
    Get-ExchangeCertificate | Select CertificateDomains,Services,Status
    If the Wildcard certificate is not assigned with IIS service, please
    use the Enable-ExchangeCertificate cmdlet and specify IIS services. Additionally, here is a related KB about this issue:
    http://support.microsoft.com/kb/923575
    Thanks,
    Winnie Liang
    TechNet Community Support

  • Default Outlook Anywhere Connections

    I'm using an Exchange 2013 SP1 environment with almost no customization. Only 2 servers exists - one holding CAS+MBX, and a second one being an MBX. No DAGs, balancers, etc. Mapi over HTTP is not enabled. The default self-signed certificates are used
    (no new certificate was installed, nor any self-signed certificate manually installed on any server/client). A mailbox is provisioned on a database located on the first server. Outlook is configured for the corresponding user on a client machine and started.
    Everything works just fine, with the 'Outlook Connection status' window showing 2 Exchange Directory + 2 Exchange Mail connections. Authentication is NTLM. Ports for all 4 connections are 6001 - which hint that Outlook Anywhere is indeed used.
    From time to time, the familiar "Security Alert" comes up warning about the self-signed certificate, but this is usually traced in my experience to the various services Outlook is using, that are running on HTTPS (OAB, EWS, Availability...). 
    Here we find that in Exchange 2013 "Outlook Anywhere is enabled by default, because all Outlook connectivity takes place via Outlook Anywhere". Then
    here it's stated that "Outlook Anywhere won't work with a self-signed certificate on the Client Access server". I remember the latter being true against Exchange 2010
    instances, but seems not to be the case in Exchange 2013 anymore. Unless I'm missing something, from the standpoint of a default installation, the 2 articles contradict each other. 
    Second issue - even though Outlook is set for "Negotiate" in its Security setting, it looks like the Kerberos preferred option is never chosen. Would it have to do with the self-signed certificate and Outlook Anywhere ?

    First article says "[...]In Exchange 2013, Outlook Anywhere is enabled by default, because all Outlook connectivity takes place via Outlook Anywhere.[...]". A simple Exchange 2013 SP1 setup, using defaults - including the built-in self-signed certs
    - can be reached with no problems with a regular Outlook client. Since RPC over TCP is now defunct, and MAPI over HTTP isn't enabled (it's a regular installation, hence this feature is disabled) it can only be Outlook Anywhere being used by the Outlook client
    to connect to the vanilla Exchange 2013 SP1 installation. Hence we can conclude that Outlook Anywhere works by default.
    Second article comes around and says "[...] Outlook Anywhere won't work with a self-signed certificate on the Client Access server.[...]". Yet this is contrary to what I'm experiencing - since Outlook Anywhere is working (what other method of connecting
    is left, right ? plus even the connections over :6001 in the Connection Status window hint at this) and there hasn't been any CA-emitted certificate installed on that stock CAS server.
    So either the sentence in the second article is flat wrong (ONLY for 2013, Exchange 2010 NEEDS trusted certs), or it's missing a clause. Am I missing something ?
    Hi,
    Yes, Outlook Anywhere is enabled by default. Because all Outlook connectivity from Internal and External are using Outlook Anywhere.
    For your second question, "[...] Outlook Anywhere won't work with a self-signed certificate on the Client Access server.[...]".  Based on my knowledge, the Self-signed certificate which is installed with Exchange 2013 installation is not issued
    by any CA. It is issued by the Exchange server.
    Outlook Anywhere won't work with a self-signed certificate on the Client Access server because there would be a certificate untrusted issue on every user's clients. If you don't install the untrusted certificate in your trusted root certificate store on
    the client computer, the client will be always prompted for the certificate error even though you can work with Exchange services after clicking Yes when the Security Alert asking you “Do you want to proceed”.
    Regards,
    Winnie Liang
    TechNet Community Support

  • Outlook Anywhere, NTLM, TMG, password prompt but cancels works?

    I've managed to get NTLM authentication working with TMG and Exchange 2010 (Make sure you switch your Application Pool for the RPC app over to a local system!). We also run Lync.
    So here is the thing. I log into a domain laptop with cached credentials and then connect to a Verizon access point. Now Lync connects automatically no password needed. Then I open Outlook which connects no problem no password needed!
    Awesome that is what I wanted. Then after about 30 seconds......password prompt. If I enter the password everything is good. If I click cancel the little need password icon is displayed down at the bottom of outlook. I click on that and outlook reconnects
    without me ever having to enter a password.
    I have been watching the log on the TMG server and I don't see anything odd going on other than an occasional Status 64 The specified network name is no longer available error which I understand from other posts is by design.
    It's not a show stopper by any means but I just don't understand what is going on here. Anyone have any ideas? 

    Hello,
    Firstly, please test Outlook Anywhere in an internal environment:
    On an internal Outlook client, check on “on fast networks, connect using http first, then connect using TCP/IP”.
    If the issue does not work, the issue is related to the TMG, you may need to inquire on the TMG forum for more accurate suggestions.
    Thanks,
    Simon Wu
    Exchange Forum Support

  • Outlook Anywhere Issues and Questions

    Exchange 2013 with 2 member DAG using round robin DNS. We seem to be having issues with exchange users on the local LAN. External users are working fine. We get:
    I believe this is a autodiscover/CA error because external users are working fine. The active copy server has the following for outlook anywhere settings:
    external users use hostname: oa.domain.tld
    internal users use hostname: mail.domain.tld
    Passive copy server has the following settings for outlook anywhere:
    external users is blank
    internal users has the server hostname.domain.tld
    The settings on both the active and passive should be the same correct?
    Now the CA; we have a godaddy cert and it is installed on the active server. However, on the passive server it is not installed. The godaddy cert should be installed on the passive copy server correct?

    The cert needs to be installed on the CAS role servers.
    I installed the godaddy cert and it does show in the certificates mmc. However, in ECP it still shows "pending request" and yes, I clicked on "complete" and completed the steps. Does it matter if the friendly name is exactly the same as
    the friendly name on the active copy server? How about the outlook anywhere settings? Should they be the same as the active copy server?

  • Outlook Anywhere Losing connection : Outlook Event id 26 and Exchange IIS HTTPERR Log : Connection_Dropped_List_Full at the same time

    Hi,
    I have an updated Windows 2008 R2 / Exchange 2010 SP3 Rollup 7 server (roles CAS, HUB, MBX) with external user connections only: ActiveSync, EWS, OWA, Outlook Anywhere.
    4 processors and 24 GB of memory are allocated to the Exchange server VM (VMware).
    Netscaller is used as reverse proxy in the DMZ.
    There are around 500 users connecting with Outlook Anywhere to Exchange. Users are using Outlook 2010 or 2013 with the latest updates and cached mode enabled (owner mailbox and delegations). Users are located all around the world (around 50 sites), so no user
    is domain integrated.
    Users are complaining about disconnections and Outlook freezes (Outlook is not responding). This happens at any time during the day, and for different kinds of actions (Outlook is just open, pressing the Send button, pressing the Transfer button).
    The freezes happen randomly for users. I have seen the problem myself: Outlook sometimes freezes for a few seconds, sometimes for 5 minutes, without any reason (no file copy, no action requested...).
    I noticed that the freezes match Outlook event ID 26 on the workstation (Connection to the Microsoft Exchange Server has been lost. Outlook will restore the connection when possible). Also, at the same time, I can see around 200 lines like the following in
    the IIS HTTPERR log (Exchange Server: C:\Windows\System32\LogFiles\HTTPERR):
    2014-11-20 10:39:43 NETSCALLERIP PORT EXCHANGEIP 443 HTTP/1.1 RPC_OUT_DATA /rpc/rpcproxy.dll?EXCHANGEFQDN:6004 - 1 Connection_Dropped_List_Full MSExchangeOutlookAnyWhere
    2014-11-20 10:39:43 NETSCALLERIP PORT EXCHANGEIP 443 HTTP/1.1 RPC_OUT_DATA /rpc/rpcproxy.dll?EXCHANGEFQDN:6001 - 1 Connection_Dropped_List_Full MSExchangeOutlookAnyWhere
    What has been already checked :
    Check IOPS: seems to be normal
    Check Processor consumption: seems to be normal
    Netscaller TimeOut = 8h
    Bandwidth where the server is hosted : more than enough
    Bandwidth of client internet connection : Traffic do not increase when the problem happen
    Firewall TimeOut : seems to be ok
    Firewall Protocol Filter : seem to be ok
    Workstation MTU : Ok : ping -l -f 1472 = Ok, so best MTU = 1500 (1472+28)
    Outlook Profile : Clean Up OST, sync of all folders, download address book.
    wireshark on workstation : nothing seems to be wrong but difficult to analyse, so I maybe missed something.
    Configuration change on Exchange :
    HKLM\Software\Policies\Microsoft\Windows NT\RPC\MinimumConnectionTimeout = 120
    Disable throttling Policy
    Adsiedit, change Max Memory alloc for ESE : msExchESEParamCacheSizeMax = 327680 (around 10GB) msExchESEParamCacheSizeMin = 131072 (around 4GB)
    Adsiedit, change Min Memory alloc for ESE : msExchESEParamCacheSizeMin = 131072 (around 4GB)
    Host file : add hostname and FQDN of Exchange Server
    Disable IPV6 : HKLM\System\CurrentControlSet\services\TCPIP6\Parameters\DisabledComponents = HEX 0xffffffff
    IIS : system.applicationHost : webLimits : minBytesPerSecond = 0
    Create dedicated IIS AppPool MSExchangeOutlookAnyWhere for /RPC and /RPCWithCert
    AppPool MSExchangeOutlookAnyWhere : Regular Time Interval (minutes) : 0
    AppPool MSExchangeOutlookAnyWhere : Queue Length : 20000 (Should be the solution but not working)
    netsh int tcp set global chimney=disabled
    netsh int tcp set global rss=disabled
    HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\MaxUserPort = 65534
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\KeepAliveTime : 300000
    HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\MaxConcurrentAPI = 150
    IIS machine.config : <system.web> : requestQueueLimit="65535"
    Microsoft.Exchange.RpcClientAccess.Service.exe.config <add key="LoggingTag" value="ConnectDisconnect, Logon, Failures, ApplicationData, Warnings, Throttling"/>
    Uninstall All agents (except Backup Agent)
    Uninstall Antivirus
    Will be done tonight :
    Exchange and DCs : HKLM\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\MaxConcurrentAPI = 100
    Exchange IIS : Increase AppPool MSExchangeOutlookAnyWhere Queue Length to 40000
    Exchange : decrease HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\KeepAliveTime to 60000
    You're welcome if you have any idea.
    Thanks.
    Jo.
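One way to check the correlation described in the post above (HTTPERR `Connection_Dropped_List_Full` lines appearing when Outlook logs event 26), as an added example that is not part of the original post. The log lines, addresses, host name and event times are constructed; the column order follows the two lines quoted in the post, and both clocks are assumed to be in the same time zone.

```python
"""Added example: minute-level bursts of one HTTPERR reason, matched to client events."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Column order of the HTTPERR lines quoted in the post; used when the text
# being parsed carries no "#Fields:" header of its own.
DEFAULT_FIELDS = ("date time c-ip c-port s-ip s-port cs-version cs-method "
                  "cs-uri sc-status s-siteid s-reason s-queuename").split()
RPC_PORT = re.compile(r"rpcproxy\.dll\?[^:\s]+:(\d+)")

# Constructed sample: every address, port and host name is a placeholder.
SAMPLE_LOG = """\
#Fields: date time c-ip c-port s-ip s-port cs-version cs-method cs-uri sc-status s-siteid s-reason s-queuename
2014-11-20 10:39:43 192.0.2.10 51001 192.0.2.20 443 HTTP/1.1 RPC_OUT_DATA /rpc/rpcproxy.dll?mail.example.test:6004 - 1 Connection_Dropped_List_Full MSExchangeOutlookAnyWhere
2014-11-20 10:39:43 192.0.2.10 51002 192.0.2.20 443 HTTP/1.1 RPC_OUT_DATA /rpc/rpcproxy.dll?mail.example.test:6001 - 1 Connection_Dropped_List_Full MSExchangeOutlookAnyWhere
2014-11-20 10:39:44 192.0.2.10 51003 192.0.2.20 443 HTTP/1.1 RPC_OUT_DATA /rpc/rpcproxy.dll?mail.example.test:6001 - 1 Connection_Dropped_List_Full MSExchangeOutlookAnyWhere
2014-11-20 10:39:51 192.0.2.10 51004 192.0.2.20 443 HTTP/1.1 RPC_OUT_DATA /rpc/rpcproxy.dll?mail.example.test:6004 - 1 Connection_Dropped_List_Full MSExchangeOutlookAnyWhere
2014-11-20 10:47:02 192.0.2.10 51090 192.0.2.20 443 HTTP/1.1 RPC_IN_DATA /rpc/rpcproxy.dll?mail.example.test:6001 - 1 Timer_ConnectionIdle MSExchangeOutlookAnyWhere
2014-11-20 10:58:30 192.0.2.10 51120 192.0.2.20 443 HTTP/1.1 RPC_OUT_DATA /rpc/rpcproxy.dll?mail.example.test:6001 - 1 Connection_Dropped_List_Full MSExchangeOutlookAnyWhere
2014-11-20 10:58
"""

# Constructed client-side times of Outlook event 26 ("connection lost").
SAMPLE_EVENTS = [datetime(2014, 11, 20, 10, 39, 45),
                 datetime(2014, 11, 20, 10, 58, 31)]


def parse_httperr(text):
    """Return one dict per well-formed log line; headers and truncated lines are skipped."""
    fields, records = DEFAULT_FIELDS, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        parts = line.split()
        if line.startswith("#") or len(parts) != len(fields):
            continue
        rec = dict(zip(fields, parts))
        try:
            rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"],
                                          "%Y-%m-%d %H:%M:%S")
        except (KeyError, ValueError):
            continue
        match = RPC_PORT.search(rec.get("cs-uri", ""))
        rec["rpc_port"] = int(match.group(1)) if match else None
        records.append(rec)
    return records


def find_bursts(records, reason="Connection_Dropped_List_Full", threshold=3):
    """Minutes with at least `threshold` lines of `reason`, split by RPC port."""
    per_minute = defaultdict(Counter)
    for rec in records:
        if rec.get("s-reason") == reason:
            per_minute[rec["ts"].replace(second=0)][rec["rpc_port"]] += 1
    return [(minute, sum(ports.values()), dict(ports))
            for minute, ports in sorted(per_minute.items())
            if sum(ports.values()) >= threshold]


def correlate(bursts, client_events, tolerance=timedelta(minutes=1)):
    """Map each client event time to the burst minute it falls in, or None."""
    result = {}
    for event in client_events:
        result[event] = next(
            (minute for minute, _, _ in bursts
             if minute - tolerance <= event <= minute + timedelta(minutes=1) + tolerance),
            None)
    return result


if __name__ == "__main__":
    found = find_bursts(parse_httperr(SAMPLE_LOG))
    for minute, total, ports in found:
        print(minute, total, ports)
    for event, minute in correlate(found, SAMPLE_EVENTS).items():
        print(event, "->", minute or "no burst (isolated drop or other cause)")
```

A client event that maps to no burst points away from the server-side drop list and toward the path in between (reverse proxy, firewall, client network), which narrows where to capture next.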

    Hi,
    Thanks for your answer. Here are my comments :
    1. Disable IPv6 then restart your Exchange server
    Already done since the install of Exchange.
    2. Confirm if there is any NLB device in your environment, please remove NLB firm client server
    There is only one Exchange server in the Org. So no NLB installed on the server (NLB is used on the Netscaller used as a reverse proxy). In Addition, the article apply for Windows 2008, or the server is installed with Windows 2008 R2.
    3. If there is a proxy server configured in IE, please uncheck it
    I guess you are talking on the client side. There is no proxy on the client side, Outlook Anywhere connect directly to the internet.
    4. Collect more error logs in Event Viewer in Exchange and collect the IIS logs in
    folder “c:\inetpub\logs\logfiles\W3SVC1”
    The error I reported in the description is from IIS, and always appears when end users report a problem. In the W3SVC1 file, there are also errors, but those appear even if Outlook clients are working fine. So I cannot isolate any specific error. The most common from the W3SVC1 log are:
    2014-11-25 08:02:17 EXCHANGEIP POST /autodiscover/autodiscover.xml - 443 - NETSCALLERIP Microsoft+Office/15.0+(Windows+NT+6.1;+Microsoft+Outlook+15.0.4667;+Pro) 401 1 2148074254 0
    2014-11-25 08:02:17 EXCHANGEIP POST /EWS/Exchange.asmx - 443 - NETSCALLERIP Mac_OS_X/10.9.5+(13F34)+CalendarAgent/176.2 401 1 2148074254 0
    2014-11-25 08:02:18 EXCHANGEIP POST /EWS/Exchange.asmx - 443 - NETSCALLERIP Microsoft+Office/14.0+(Windows+NT+6.1;+Microsoft+Outlook+14.0.7128;+Pro) 401 1 2148074254 0
    Regards,
    Jo.
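
One way to separate the always-present 401 entries from anything new in the W3SVC1 log, as an added example that is not part of the original posts. It assumes the 14-field layout of the lines quoted in the reply above; the `RPC_IN_DATA` and `200` sample lines, the function names and the baseline set are constructed for illustration. The value 2148074254 is 0x8009030E (SEC_E_NO_CREDENTIALS).

```python
from collections import Counter

# Field order assumed from the log lines quoted in the reply above.
FIELDS = ("date", "time", "s_ip", "method", "uri_stem", "uri_query", "s_port",
          "username", "c_ip", "user_agent", "status", "substatus",
          "win32_status", "time_taken")

# Constructed sample: placeholders as in the post, last two lines invented.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2014-11-25 08:02:17 EXCHANGEIP POST /autodiscover/autodiscover.xml - 443 - NETSCALLERIP Microsoft+Office/15.0 401 1 2148074254 0
2014-11-25 08:02:17 EXCHANGEIP POST /EWS/Exchange.asmx - 443 - NETSCALLERIP Mac_OS_X/10.9.5 401 1 2148074254 0
2014-11-25 08:02:18 EXCHANGEIP POST /EWS/Exchange.asmx - 443 - NETSCALLERIP Microsoft+Office/14.0 401 1 2148074254 0
2014-11-25 08:02:19 EXCHANGEIP RPC_IN_DATA /rpc/rpcproxy.dll - 443 - NETSCALLERIP MSRPC 500 0 64 0
2014-11-25 08:02:20 EXCHANGEIP POST /EWS/Exchange.asmx - 443 DOMAIN\\user NETSCALLERIP Microsoft+Office/14.0 200 0 0 15
"""

# Status/win32 pairs already seen while clients work (taken from the post).
BASELINE = {("401.1", "0x8009030E")}

def parse_line(line):
    """Return a dict for one W3C log line, or None for comments/bad lines."""
    if not line.strip() or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    try:
        for key in ("status", "substatus", "win32_status", "time_taken"):
            rec[key] = int(rec[key])
    except ValueError:
        return None
    return rec

def summarize(text):
    """Count error responses by (URI, status.substatus, win32 status in hex)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["status"] < 400:
            continue
        counts[(rec["uri_stem"].lower(),
                f'{rec["status"]}.{rec["substatus"]}',
                f'0x{rec["win32_status"]:08X}')] += 1
    return counts

def unexpected(counts, baseline=BASELINE):
    """Keep only error groups whose status/win32 pair is not in the baseline."""
    return {k: n for k, n in counts.items() if (k[1], k[2]) not in baseline}

if __name__ == "__main__":
    for key, n in unexpected(summarize(SAMPLE_LOG)).items():
        print(n, *key)
```

Running the same summary over a log from a working period and one from an outage, then comparing the two, shows which status groups only appear when users are disconnected.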

  • Windows 8.1 pro pptp vpn does not show disconnect option

    I just installed Windows 8.1 PRO on my PC.
    Formatted it, installed right from scratch.
    Once I created my login, I then created a connection to my office VPN server.
    Office VPN server is an ISA server which allows PPTP based VPN.
    Well, I am able to connect and do everything that I want.
    But I don't see a DISCONNECT option at all.
    The metro interface after the connection is made also does not show status as "connected". It shows "connect" instead.
    If you go to network and sharing center and then into adapter settings you can see your VPN connection, but the "status" column does not show "connected" but instead shows the same name of the vpn connection as seen in the "Name" column!!
    Right clicking that active connection does not show "disconnect", but shows "connect/disconnect".
    Then I realized that after double clicking that VPN connection you can then see the status window, where a disconnect button does exist and clicking that does disconnect the VPN.
    But this is crazy.
    Why do we now have to go so deep, just to disconnect!
    This never happens in Windows 7, Windows 7 with SP1, Windows 8
    This is new to Windows 8.1
    Anyone else seen this? Is there a solution?
    konkani

    BUMP!
    konkani
