Outlook anywhere testconnectivity error RPC 6004 (NSPI Proxy Interface)

Greetings, community!
We have next Exchange configuration:
Exchange Server 2007 (With last RU) on Windows Server 2008R2. All roles, except Edge, are on this server.
So, we have published OWA, ActiveSync successfully through ISA Server 2004. Testconnectivity tells us that all is correct and it's true)
But we have strange problem with RPC over HTTPS:
Testconnectivity tells us:
RPC 6004 (NSPI Proxy Interface) and RPC_S_SERVER_UNAVAILABLE (0x6ba) in the details.
We have already use all receipts from http://blogs.technet.com/b/exchange/archive/2008/06/20/3405633.aspx and http://www.tech-archive.net/Archive/Exchange/microsoft.public.exchange.setup/2004-07/1151.html articles.
Enabling expert auditing of NSPI Proxy on Exchange server shows warning when Testconnectivity try to connect:
NSPI Proxy listener thread (ID: 0xfec) could not connect to the server on transport . The winsock subsystem returned error code:[0xRpc/HTTP].
RPCPING utility tells us:
Exception 1722 (0x000006BA)
Number of records is: 2
ProcessID is 6696
System Time is: 2/8/2014 13:27:0:552
Generating component is 14
Status is 0x6BA, 1722
Detection location is 1398
Flags is 0
NumberOfParameters is 2
Long val: 0x4
Long val: 0x6ba
ProcessID is 6696
System Time is: 2/8/2014 13:27:0:552
Generating component is 13
Status is 0x6BA, 1722
Detection location is 1418
Flags is 0
NumberOfParameters is 0
Out DC controllers are listening 6004 port. And Exchange server successfully connect with DC with information message:
NSPI Proxy successfully connected to the NSPI Service on server DC.FQDN.NAME at endpoint 6004 on RPC protocol sequence ncacn_http.
Additional information:
Outlook 2003/2007/2010 can't connect to our Exchange through RPC/HTTPS. But Outlook 2013 do it without any problems!
I don't know where I can continue to dig)

Hi, Sathish!
Thank you for reply.
Service is started and IPv6 is disabled. Do you mean SRV-record for autodiscover? We don't use it for external users. We publish Autodiscover same way as Owa and it works correct (interconnectivity).
I enable Expert level audit for NSPI Proxy and there is error:
Source: MSExchangeSA
EventID: 9040
NSPI Proxy encountered an error while receiving a packet. The target Domain Controller or the network or a client might be down. The winsock subsystem returned the error:[0x2746]. The circuit that received this error is being closed.
But DC is online and available. I'll reboot server tonight because I think there is a little trouble after disabling additional NIC.

Similar Messages

Migrating to 2013 from 2007 with Outlook Anywhere disabled

Hello
I'm in the middle of a migration from 2007 With Outlook anywhere disabled.
After I installed 2013 I added the external url to both inside and outside url's on CliantAccess, o-anywhere url and Virtual catalogs.
When I configured the External Access domain on the 2013 it also added this on the external url's on the 2007 server. On the 2007 server i manuelly changed the external url's to the Legacy name which is mail.domain.com. The New server is webmail.domain.com
both internally and externally. The servers real name is xxmail.domain.internal
After this, when I configure an Outlook Client With a user on the old server With autodiscover it configures it With Outlook anywhere, not mapi, but With the external name of the New server, webmail.domain.com under http Proxy settings. When I then
moved this user to the New server it stopped working in Outlook.
Is the best approch to enable Outlook anywhere on the 2007 server before migrating the users or can I og from mapi/rpc to rpc over http in 2013 without Outlook problems?
Regards

Hi,
Firstly, I’d like to explain, all users in Exchange 2013 use Outlook Anywhere. The information of Exchange proxy settings tab is automatically updated by Autodiscover.
I recommend you the following troubleshooting:
1. Check the Autodiscover configuration on both Exchange 2007 and Exchange 2013 servers:
Get-clientaccessserver |fl autodiscoverserviceinternaluri
2. Check if there is any DNS entry about the legacy name points to Exchange 2007 IP address.
3. Check if you can logon OWA with both Exchange 2007 and Exchange 2013 server.
Best regards,
Angela Shi
TechNet Community Support

Outlook anywhere settings, in Autodiscover?

So in Outlook, I got all my Outlook Anywhere settings configured, great! But where do I go to edit them on the server?
I don't have a GPO for any of this and I gather Outlook Anywhere is configured in Autodiscover? Is it EMS?

First, run set-outlookprovider -identity EXPR -Server servername and get-outlookanywhere |fl command in EMS. This command will let you know about the configuration of Outlook. You can edit the Outlook Anywhere configuration by using the custom installation
wizard. Autodiscover is simply the best way for managing Outlook configurations.
Set-OutlookProvider EXPR -OutlookProviderFlags:ServerExclusiveConnect
You can run this powershell command to make connection with the Outlook Anywhere using TCP/IP.
You can easily change the OutlookProviderFlags to change/edit the Outlok anywhere seetings e.g. you can set the value to ServerExclusiveConnect or to None to clear the flag
Hi Blake - can you change the first line to be get-outlook provider -identity EXPR ? Its currently at "set-"
Not sure if I'd be recommending the serverExclusiveConnect option off the bat, most customers I see do not leverage that.   Do they want to do OA internally too? I don't see that mentioned above
The OutlookProviderFlags parameter specifies that Outlook 2010 clients should connect using RPC over HTTP (Outlook Anywhere) before trying RPC over TCP connections. This increases the speed at which Outlook 2010 clients will connect when clients
are primarily accessing Exchange over the Internet. The value can be set to
ServerExclusiveConnect or to None to clear the flags. For Outlook 2010 clients that access Exchange over both organization intranets and the Internet, the recommended value is
None, which is also the default setting.
Cheers,
Rhoderick
Microsoft Senior Exchange PFE
Blog:
http://blogs.technet.com/rmilne
Twitter:   LinkedIn:
  Facebook:
  XING:
Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

Troubleshooting for RPC over https (Outlook Anywhere) connection issue

RPC over https (ROH), well known as Outlook Anywhere, is more frequently used. Even in Exchange 2013, Outlook no longer connects CAS server via MAPI.
In this thread, we will discuss about the troubleshoot checklist about the RPC over https (Outlook Anywhere) connection issue. In order to make it more logical, I’d like to divide the whole troubleshooting to the following processes:
1. Client side to CAS side
2. CAS side to MBX side
[Issues between Client side to CAS side]
In Exchange 2013, Outlook Anywhere is enabled by default. Different from this, Outlook Anywhere in Exchange 2007 and 2010 need to be manually enabled. Thus, please firstly check if the RPC over HTTP component has been installed:
Click Start, and then click Control Panel.
Double-click Programs and Features.
In the left pane of Server Manager, click Features.
In the right pane, click Add Features.
Check if the RPC over HTTP component has been selected.
If the ROH connectivity issue only happens on certain users, the property MAPIBlockOutlookRpcHTTP can be checked:
Get-CASMailbox name | fl MAPIBlockOutlookRpcHttp
2. Confirm if Exchange server is blocked. Ping the Exchange server FQDN on client machine and confirm if it can return the proper IP address.
3. Check if the RPC Proxy server is responding correctly:
rpcping -t ncacn_http -s ExchServer -o RpcProxy=RPCProxyServer -P "user,domain,*" -I "user,domain,*" -H 2 -u 10 -a connect -F 3 -v 3 -E -R none
If 200 code returns, the test is successful.
4. Check if Outlook Anywhere host names are added in the certificate:
To get host names, the following command can be used: get-outlookanywhere |fl *hostname
5. To use the Shell to test Outlook Anywhere connectivity, use the
Test-OutlookConnectivity cmdlet.
[Issues between CAS side to Mailbox side][RZ1]
A. Check if it can connect to store’s port:
RpcPing –t ncacn_http –s ExchangeMBXServer -o RpcProxy=RpcProxyServer -P "user,domain,password" -I "user,domain,password" -H 1 –F 3 –a connect –u 10 –v 3 –e 6001
If it returns as following: Completed 1 calls in 60 ms 16 T/S or 60.000 ms/T, it means the RPC Ping Utility test succeeds.
B. Check if it can Connect to DsProxy Service:
RpcPing –t ncacn_http –s ExchangeMBXServer -o RpcProxy=RpcProxyServer -P "user,domain,password" -I "user,domain,password" -H 2 –F 2 –a connect –u 10 –v 3 –e 6004
If it returns as following: Completed 1 calls in 60 ms 16 T/S or 60.000 ms/T, it means the RPC Ping Utility test succeeds.
C. Check the following registries:
[Disable the auto update]
1).Open Regedit and navigate to:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeServiceHost\RpcHttpConfigurator\RpcHttpConfigurator
2).Set the PeriodicPollingMinutes value to 0.
[Check the RpcProxy ValidPorts]
1).On the RPC proxy server, start Registry Editor (Regedit).
2). In the console tree, locate the following registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\RpcProxy
3). In the details pane, right-click the ValidPorts subkey, and then click Modify.
4). In Edit String, in the Value data box, type the following information:
ExchangeServer :6001-6002; ExchangeServerFQDN :6001-6002; ExchangeServer :6004; ExchangeServerFQDN :6004
Note:
ExchangeServer is the NetBIOS name of your Exchange server. ExchangeServerFQDN is the fully qualified domain name (FQDN) of your Exchange server. If the FQDN that is used to access the server from the Internet differs from the internal FQDN, you must use
the internal FQDN.
[Check the 6004 port settings in registry]
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeSA\Parameters
Value name: HTTP Port
Value type: REG_DWORD
Value data: 0x1772 (Decimal 6002)
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeSA\Parameters
Value name: Rpc/HTTP NSPI Port
Value type: REG_DWORD
Value data: 0x1774 (Decimal 6004)
D. Check if the RPC ports are used by other applications instead of Exchange by using : netstat –o
Then it will return all active TCP connections and the process ID (PID) for each connection.
After that, please check the application based on the PID on the Processes tab in Windows Task Manager and confirm if it’s Exchange server.
Additionally, ExRCA is a perfect tool to test the whole connection between client side and Mailbox side:
https://testconnectivity.microsoft.com/
1. On the ExRCA website, under Microsoft Office Outlook Connectivity Tests, select Outlook connectivity, and then select Next at the bottom of the page.
2. Enter the required information on the next screen, including email address, domain and user name, and password.
3. Choose whether to use Autodiscover to detect server settings or to manually specify server settings.
4. Accept the disclaimer, enter the verification code, and then select Verify.
5. Select Perform Test.
<Resource for reference>
How does Outlook Anywhere work (and not work):
http://blogs.technet.com/b/exchange/archive/2008/06/20/3405633.aspx
How to use the RPC Ping utility to troubleshoot connectivity issues with the Exchange over the Internet feature in Outlook 2007 and in Outlook 2003:
http://support.microsoft.com/kb/831051
Test Outlook Anywhere Connectivity:
http://technet.microsoft.com/en-us/library/ee633453(v=exchg.150).aspx
[RZ1]It’s part, please re-layout
Please click to vote if the post helps you. This can be beneficial to other community members reading the thread.

I've just restored the M11 to Windows XP with the disks provided and Outlook Anywhere connected without issue. As strange as it sounds, this looks to be isolated to this particular model of laptop and Windows 7.
I've used the same Enterprise copy of Windows 7 and Office on a variety of laptops and pc's and none have come across this problem. The only commonality I can see is the hardware and OS.
Aftery trying to troubleshoot this unsuccessfully with Microsoft tech support for a few hours, they eluded to the fact that this +could+ be a hardware related problem. (driver, adapter properties, etc)

Some Outlook clients getting internal FQDN of newly installed Exchange 2013 CAS server as Outlook Anywhere Proxy address

Hello Folks,
I have this problem and is making me crazy if anyone have any idea please shed some light on this:-
1. Working Outlook 2010 and 2013 clients with webmail.xyz.com as Outlook Anywhere proxy address.
2. Installed new Exchange 2013 server (server02)with CAS and Mailbox role, Exchange install wizard finished and server is rebooted.
3. Server came up online started changing internal and external FQDN's of Virtual Directories and Outlook Anywhere to webmail.xyz.com
4. As soon as Fqdn's changed some outlook clients create support request that Outlook suddenly white's out and after reopening it is giving error cannot connect to exchange. upon checking Clients Exchange Proxy address is set to http://server02.xyz.com,
even though OA/OWA/ECP/OAB/EWS/Autodiscover/ActiveSync FQDN's Point to webmail.xyz.com, on all servers if i create new outlook profile for same user it picks up correct settings through autodiscover and connects fine, this is happening to about 20% of outlook
clients every time i am introducing new Exchange 2013 server in Organization. we have around 2000 users and planning on installing 4 exchange servers to distribute load and everytime changing outlook profile of close to 150-200 users is not possible.
Any help is greatly appreciated.
Thanks
Cool

Here are the EXCRA results
Here IP (x.x.x.x) returned is my Load Balancer IP (Webmail.xyz.com).
Connectivity Test Successful with Warnings
Test Details
    Testing Outlook connectivity.
    The Outlook connectivity test completed successfully.
       Additional Details
    Elapsed Time: 9881 ms.
       Test Steps
       The Microsoft Connectivity Analyzer is attempting to test Autodiscover for [email protected].
    Autodiscover was tested successfully.
       Additional Details
    Elapsed Time: 2063 ms.
       Test Steps
       Attempting each method of contacting the Autodiscover service.
    The Autodiscover service was tested successfully.
       Additional Details
    Elapsed Time: 2063 ms.
       Test Steps
       Attempting to test potential Autodiscover URL https://xyz.com:443/Autodiscover/Autodiscover.xml
    Testing of this potential Autodiscover URL failed.
       Additional Details
    Elapsed Time: 186 ms.
       Test Steps
       Attempting to resolve the host name xyz.com in DNS.
    The host name couldn't be resolved.
       Tell me more about this issue and how to resolve it
       Additional Details
    Host xyz.com couldn't be resolved in DNS InfoNoRecords.
Elapsed Time: 186 ms.
    Attempting to test potential Autodiscover URL https://autodiscover.xyz.com:443/Autodiscover/Autodiscover.xml
    Testing of the Autodiscover URL was successful.
       Additional Details
    Elapsed Time: 1876 ms.
       Test Steps
       Attempting to resolve the host name autodiscover.xyz.com in DNS.
    The host name resolved successfully.
       Additional Details
    IP addresses returned: x.x.x.x
Elapsed Time: 338 ms.
    Testing TCP port 443 on host autodiscover.xyz.com to ensure it's listening and open.
    The port was opened successfully.
       Additional Details
    Elapsed Time: 173 ms.
    Testing the SSL certificate to make sure it's valid.
    The certificate passed all validation requirements.
       Additional Details
    Elapsed Time: 318 ms.
       Test Steps
       The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server autodiscover.xyz.com on port 443.
    The Microsoft Connectivity Analyzer successfully obtained the remote SSL certificate.
       Additional Details
    Remote Certificate Subject: CN=webmail.xyz.com, Issuer: CN=VeriSign Class 3 Secure Server CA - G3, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US.
Elapsed Time: 219 ms.
    Validating the certificate name.
    The certificate name was validated successfully.
       Additional Details
    Host name autodiscover.xyz.com was found in the Certificate Subject Alternative Name entry.
Elapsed Time: 1 ms.
    Certificate trust is being validated.
    The certificate is trusted and all certificates are present in the chain.
       Test Steps
       The Microsoft Connectivity Analyzer is attempting to build certificate chains for certificate CN=webmail.xyz.com, OU=Terms of use at www.verisign.com/rpa (c)05,.
    One or more certificate chains were constructed successfully.
       Additional Details
    A total of 1 chains were built. The highest quality chain ends in root certificate CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign,
Inc.", C=US.
Elapsed Time: 36 ms.
    Analyzing the certificate chains for compatibility problems with versions of Windows.
    Potential compatibility problems were identified with some versions of Windows.
       Additional Details
    The Microsoft Connectivity Analyzer can only validate the certificate chain using the Root Certificate Update functionality from Windows Update. Your certificate may not be trusted on Windows if the "Update Root Certificates" feature
isn't enabled.
Elapsed Time: 5 ms.
    Testing the certificate date to confirm the certificate is valid.
    Date validation passed. The certificate hasn't expired.
       Additional Details
    The certificate is valid. NotBefore = 1/3/2013 12:00:00 AM, NotAfter = 11/16/2015 11:59:59 PM
Elapsed Time: 0 ms.
    Checking the IIS configuration for client certificate authentication.
    Client certificate authentication wasn't detected.
       Additional Details
    Accept/Require Client Certificates isn't configured.
Elapsed Time: 289 ms.
    Attempting to send an Autodiscover POST request to potential Autodiscover URLs.
    The Microsoft Connectivity Analyzer successfully retrieved Autodiscover settings by sending an Autodiscover POST.
       Additional Details
    Elapsed Time: 756 ms.
       Test Steps
       The Microsoft Connectivity Analyzer is attempting to retrieve an XML Autodiscover response from URL https://autodiscover.xyz.com:443/Autodiscover/Autodiscover.xml for user [email protected].
    The Autodiscover XML response was successfully retrieved.
       Additional Details
    Autodiscover Account Settings
XML response:
<?xml version="1.0"?>
<Autodiscover xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
<Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
<User>
<DisplayName>Test Exch1</DisplayName>
<LegacyDN>/o=DOMAIN/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=add423106fbb47d5bf237462f52b8dab-Test Exch1</LegacyDN>
<DeploymentId>4ec753c9-60d9-4c05-9451-5b24e2d527a7</DeploymentId>
</User>
<Account>
<AccountType>email</AccountType>
<Action>settings</Action>
<Protocol>
<Type>EXCH</Type>
<Server>[email protected]</Server>
<ServerDN>/o=DOMAIN/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/[email protected]</ServerDN>
<ServerVersion>73C0834F</ServerVersion>
<MdbDN>/o=DOMAIN/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/[email protected]/cn=Microsoft Private MDB</MdbDN>
<ASUrl>https://webmail.xyz.com/ews/exchange.asmx</ASUrl>
<OOFUrl>https://webmail.xyz.com/ews/exchange.asmx</OOFUrl>
<OABUrl>https://webmail.xyz.com/OAB/6a6a06ad-4717-4636-bd98-0b4fa3aaf4a5/</OABUrl>
<UMUrl>https://webmail.xyz.com/ews/UM2007Legacy.asmx</UMUrl>
<Port>0</Port>
<DirectoryPort>0</DirectoryPort>
<ReferralPort>0</ReferralPort>
<PublicFolderServer>webmail.xyz.com</PublicFolderServer>
<AD>DC-03.domain.xyz.com</AD>
<EwsUrl>https://webmail.xyz.com/ews/exchange.asmx</EwsUrl>
<EmwsUrl>https://webmail.xyz.com/ews/exchange.asmx</EmwsUrl>
<EcpUrl>https://webmail.xyz.com/ecp/</EcpUrl>
<EcpUrl-um>?rfr=olk&p=customize/voicemail.aspx&exsvurl=1&realm=domain.xyz.com</EcpUrl-um>
<EcpUrl-aggr>?rfr=olk&p=personalsettings/EmailSubscriptions.slab&exsvurl=1&realm=domain.xyz.com</EcpUrl-aggr>
<EcpUrl-mt>PersonalSettings/DeliveryReport.aspx?rfr=olk&exsvurl=1&IsOWA=<IsOWA>&MsgID=<MsgID>&Mbx=<Mbx>&realm=domain.xyz.com</EcpUrl-mt>
<EcpUrl-ret>?rfr=olk&p=organize/retentionpolicytags.slab&exsvurl=1&realm=domain.xyz.com</EcpUrl-ret>
<EcpUrl-sms>?rfr=olk&p=sms/textmessaging.slab&exsvurl=1&realm=domain.xyz.com</EcpUrl-sms>
<EcpUrl-photo>PersonalSettings/EditAccount.aspx?rfr=olk&chgPhoto=1&exsvurl=1&realm=domain.xyz.com</EcpUrl-photo>
<EcpUrl-tm>?rfr=olk&ftr=TeamMailbox&exsvurl=1&realm=domain.xyz.com</EcpUrl-tm>
<EcpUrl-tmCreating>?rfr=olk&ftr=TeamMailboxCreating&SPUrl=<SPUrl>&Title=<Title>&SPTMAppUrl=<SPTMAppUrl>&exsvurl=1&realm=domain.xyz.com</EcpUrl-tmCreating>
<EcpUrl-tmEditing>?rfr=olk&ftr=TeamMailboxEditing&Id=<Id>&exsvurl=1&realm=domain.xyz.com</EcpUrl-tmEditing>
<EcpUrl-extinstall>Extension/InstalledExtensions.slab?rfr=olk&exsvurl=1&realm=domain.xyz.com</EcpUrl-extinstall>
<ServerExclusiveConnect>off</ServerExclusiveConnect>
</Protocol>
<Protocol>
<Type>EXPR</Type>
<Server>webmail.xyz.com</Server>
<ASUrl>https://webmail.xyz.com/ews/exchange.asmx</ASUrl>
<OOFUrl>https://webmail.xyz.com/ews/exchange.asmx</OOFUrl>
<OABUrl>https://webmail.xyz.com/OAB/6a6a06ad-4717-4636-bd98-0b4fa3aaf4a5/</OABUrl>
<UMUrl>https://webmail.xyz.com/ews/UM2007Legacy.asmx</UMUrl>
<Port>0</Port>
<DirectoryPort>0</DirectoryPort>
<ReferralPort>0</ReferralPort>
<SSL>On</SSL>
<AuthPackage>Ntlm</AuthPackage>
<EwsUrl>https://webmail.xyz.com/ews/exchange.asmx</EwsUrl>
<EmwsUrl>https://webmail.xyz.com/ews/exchange.asmx</EmwsUrl>
<EcpUrl>https://webmail.xyz.com/ecp/</EcpUrl>
<EcpUrl-um>?rfr=olk&p=customize/voicemail.aspx&exsvurl=1&realm=domain.xyz.com</EcpUrl-um>
<EcpUrl-aggr>?rfr=olk&p=personalsettings/EmailSubscriptions.slab&exsvurl=1&realm=domain.xyz.com</EcpUrl-aggr>
<EcpUrl-mt>PersonalSettings/DeliveryReport.aspx?rfr=olk&exsvurl=1&IsOWA=<IsOWA>&MsgID=<MsgID>&Mbx=<Mbx>&realm=domain.xyz.com</EcpUrl-mt>
<EcpUrl-ret>?rfr=olk&p=organize/retentionpolicytags.slab&exsvurl=1&realm=domain.xyz.com</EcpUrl-ret>
<EcpUrl-sms>?rfr=olk&p=sms/textmessaging.slab&exsvurl=1&realm=domain.xyz.com</EcpUrl-sms>
<EcpUrl-photo>PersonalSettings/EditAccount.aspx?rfr=olk&chgPhoto=1&exsvurl=1&realm=domain.xyz.com</EcpUrl-photo>
<EcpUrl-tm>?rfr=olk&ftr=TeamMailbox&exsvurl=1&realm=domain.xyz.com</EcpUrl-tm>
<EcpUrl-tmCreating>?rfr=olk&ftr=TeamMailboxCreating&SPUrl=<SPUrl>&Title=<Title>&SPTMAppUrl=<SPTMAppUrl>&exsvurl=1&realm=domain.xyz.com</EcpUrl-tmCreating>
<EcpUrl-tmEditing>?rfr=olk&ftr=TeamMailboxEditing&Id=<Id>&exsvurl=1&realm=domain.xyz.com</EcpUrl-tmEditing>
<EcpUrl-extinstall>Extension/InstalledExtensions.slab?rfr=olk&exsvurl=1&realm=domain.xyz.com</EcpUrl-extinstall>
<ServerExclusiveConnect>on</ServerExclusiveConnect>
<EwsPartnerUrl>https://webmail.xyz.com/ews/exchange.asmx</EwsPartnerUrl>
<GroupingInformation>Default-First-Site-Name</GroupingInformation>
</Protocol>
<Protocol>
<Type>WEB</Type>
<Port>0</Port>
<DirectoryPort>0</DirectoryPort>
<ReferralPort>0</ReferralPort>
<Internal>
<OWAUrl AuthenticationMethod="Basic, Fba">https://webmail.xyz.com/owa/</OWAUrl>
<Protocol>
<Type>EXCH</Type>
<ASUrl>https://webmail.xyz.com/ews/exchange.asmx</ASUrl>
</Protocol>
</Internal>
<External>
<OWAUrl AuthenticationMethod="Fba">https://webmail.xyz.com/owa/</OWAUrl>
<Protocol>
<Type>EXPR</Type>
<ASUrl>https://webmail.xyz.com/ews/exchange.asmx</ASUrl>
</Protocol>
</External>
</Protocol>
<Protocol>
<Type>EXHTTP</Type>
<Server>webmail.xyz.com</Server>
<ASUrl>https://webmail.xyz.com/ews/exchange.asmx</ASUrl>
<OOFUrl>https://webmail.xyz.com/ews/exchange.asmx</OOFUrl>
<OABUrl>https://webmail.xyz.com/OAB/6a6a06ad-4717-4636-bd98-0b4fa3aaf4a5/</OABUrl>
<UMUrl>https://webmail.xyz.com/ews/UM2007Legacy.asmx</UMUrl>
<Port>0</Port>
<DirectoryPort>0</DirectoryPort>
<ReferralPort>0</ReferralPort>
<SSL>On</SSL>
<AuthPackage>Ntlm</AuthPackage>
<EwsUrl>https://webmail.xyz.com/ews/exchange.asmx</EwsUrl>
<EmwsUrl>https://webmail.xyz.com/ews/exchange.asmx</EmwsUrl>
<EcpUrl>https://webmail.xyz.com/ecp/</EcpUrl>
<EcpUrl-um>?rfr=olk&p=customize/voicemail.aspx&exsvurl=1&realm=domain.xyz.com</EcpUrl-um>
<EcpUrl-aggr>?rfr=olk&p=personalsettings/EmailSubscriptions.slab&exsvurl=1&realm=domain.xyz.com</EcpUrl-aggr>
<EcpUrl-mt>PersonalSettings/DeliveryReport.aspx?rfr=olk&exsvurl=1&IsOWA=<IsOWA>&MsgID=<MsgID>&Mbx=<Mbx>&realm=domain.xyz.com</EcpUrl-mt>
<EcpUrl-ret>?rfr=olk&p=organize/retentionpolicytags.slab&exsvurl=1&realm=domain.xyz.com</EcpUrl-ret>
<EcpUrl-sms>?rfr=olk&p=sms/textmessaging.slab&exsvurl=1&realm=domain.xyz.com</EcpUrl-sms>
<EcpUrl-photo>PersonalSettings/EditAccount.aspx?rfr=olk&chgPhoto=1&exsvurl=1&realm=domain.xyz.com</EcpUrl-photo>
<EcpUrl-tm>?rfr=olk&ftr=TeamMailbox&exsvurl=1&realm=domain.xyz.com</EcpUrl-tm>
<EcpUrl-tmCreating>?rfr=olk&ftr=TeamMailboxCreating&SPUrl=<SPUrl>&Title=<Title>&SPTMAppUrl=<SPTMAppUrl>&exsvurl=1&realm=domain.xyz.com</EcpUrl-tmCreating>
<EcpUrl-tmEditing>?rfr=olk&ftr=TeamMailboxEditing&Id=<Id>&exsvurl=1&realm=domain.xyz.com</EcpUrl-tmEditing>
<EcpUrl-extinstall>Extension/InstalledExtensions.slab?rfr=olk&exsvurl=1&realm=domain.xyz.com</EcpUrl-extinstall>
<ServerExclusiveConnect>On</ServerExclusiveConnect>
</Protocol>
<Protocol>
<Type>EXHTTP</Type>
<Server>webmail.xyz.com</Server>
<ASUrl>https://webmail.xyz.com/ews/exchange.asmx</ASUrl>
<OOFUrl>https://webmail.xyz.com/ews/exchange.asmx</OOFUrl>
<OABUrl>https://webmail.xyz.com/OAB/6a6a06ad-4717-4636-bd98-0b4fa3aaf4a5/</OABUrl>
<UMUrl>https://webmail.xyz.com/ews/UM2007Legacy.asmx</UMUrl>
<Port>0</Port>
<DirectoryPort>0</DirectoryPort>
<ReferralPort>0</ReferralPort>
<SSL>On</SSL>
<AuthPackage>Ntlm</AuthPackage>
<EwsUrl>https://webmail.xyz.com/ews/exchange.asmx</EwsUrl>
<EmwsUrl>https://webmail.xyz.com/ews/exchange.asmx</EmwsUrl>
<EcpUrl>https://webmail.xyz.com/ecp/</EcpUrl>
<EcpUrl-um>?rfr=olk&p=customize/voicemail.aspx&exsvurl=1&realm=domain.xyz.com</EcpUrl-um>
<EcpUrl-aggr>?rfr=olk&p=personalsettings/EmailSubscriptions.slab&exsvurl=1&realm=domain.xyz.com</EcpUrl-aggr>
<EcpUrl-mt>PersonalSettings/DeliveryReport.aspx?rfr=olk&exsvurl=1&IsOWA=<IsOWA>&MsgID=<MsgID>&Mbx=<Mbx>&realm=domain.xyz.com</EcpUrl-mt>
<EcpUrl-ret>?rfr=olk&p=organize/retentionpolicytags.slab&exsvurl=1&realm=domain.xyz.com</EcpUrl-ret>
<EcpUrl-sms>?rfr=olk&p=sms/textmessaging.slab&exsvurl=1&realm=domain.xyz.com</EcpUrl-sms>
<EcpUrl-photo>PersonalSettings/EditAccount.aspx?rfr=olk&chgPhoto=1&exsvurl=1&realm=domain.xyz.com</EcpUrl-photo>
<EcpUrl-tm>?rfr=olk&ftr=TeamMailbox&exsvurl=1&realm=domain.xyz.com</EcpUrl-tm>
<EcpUrl-tmCreating>?rfr=olk&ftr=TeamMailboxCreating&SPUrl=<SPUrl>&Title=<Title>&SPTMAppUrl=<SPTMAppUrl>&exsvurl=1&realm=domain.xyz.com</EcpUrl-tmCreating>
<EcpUrl-tmEditing>?rfr=olk&ftr=TeamMailboxEditing&Id=<Id>&exsvurl=1&realm=domain.xyz.com</EcpUrl-tmEditing>
<EcpUrl-extinstall>Extension/InstalledExtensions.slab?rfr=olk&exsvurl=1&realm=domain.xyz.com</EcpUrl-extinstall>
<ServerExclusiveConnect>On</ServerExclusiveConnect>
</Protocol>
</Account>
</Response>
</Autodiscover>HTTP Response Headers:
request-id: 9d325a80-f1fd-4496-ac48-2be6bb782c28
X-CalculatedBETarget: Server01.domain.xyz.com
X-DiagInfo: Server01
X-BEServer: Server01
Persistent-Auth: true
X-FEServer: Server01
Content-Length: 11756
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Date: Mon, 25 Aug 2014 19:12:25 GMT
Set-Cookie: X-BackEndCookie=S-1-5-21-1293235207-2459173341-1304346827-14544=u56Lnp2ejJqBypqcnsfJx5nSy8ucnNLLnJzP0sfKz8/Sy5nHmsiamZrMyZrLgYHPxtDNy9DNz87L387Gxc7Nxc3J; expires=Thu, 25-Sep-2014 00:12:26 GMT; path=/Autodiscover; secure; HttpOnly
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Elapsed Time: 756 ms.
    Autodiscover settings for Outlook connectivity are being validated.
    The Microsoft Connectivity Analyzer validated the Outlook Autodiscover settings.
       Additional Details
    Elapsed Time: 0 ms.
    Testing RPC over HTTP connectivity to server webmail.xyz.com
    RPC over HTTP connectivity was verified successfully.
       Additional Details
    HTTP Response Headers:
request-id: 835acf95-78b7-40ae-b232-117318d1577e
Server: Microsoft-IIS/8.5
WWW-Authenticate: Basic realm="webmail.xyz.com",Negotiate,NTLM
X-Powered-By: ASP.NET
X-FEServer: Server01
Date: Mon, 25 Aug 2014 19:12:26 GMT
Content-Length: 0
Elapsed Time: 7817 ms.
       Test Steps
       Attempting to resolve the host name webmail.xyz.com in DNS.
    The host name resolved successfully.
       Additional Details
    IP addresses returned: x.x.x.x
Elapsed Time: 107 ms.
    Testing TCP port 443 on host webmail.xyz.com to ensure it's listening and open.
    The port was opened successfully.
       Additional Details
    Elapsed Time: 180 ms.
    Testing the SSL certificate to make sure it's valid.
    The certificate passed all validation requirements.
       Additional Details
    Elapsed Time: 303 ms.
       Test Steps
       The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server webmail.xyz.com on port 443.
    The Microsoft Connectivity Analyzer successfully obtained the remote SSL certificate.
       Additional Details
    Remote Certificate Subject: CN=webmail.xyz.com, OU=Terms of use at www.verisign.com/rpa (c)05, Issuer: CN=VeriSign Class 3 Secure Server CA - G3, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign,
Inc.", C=US.
Elapsed Time: 224 ms.
    Validating the certificate name.
    The certificate name was validated successfully.
       Additional Details
    Host name webmail.xyz.com was found in the Certificate Subject Common name.
Elapsed Time: 0 ms.
    Certificate trust is being validated.
    The certificate is trusted and all certificates are present in the chain.
       Test Steps
       The Microsoft Connectivity Analyzer is attempting to build certificate chains for certificate CN=webmail.xyz.com, OU=Terms of use at www.verisign.com/rpa (c)05,
    One or more certificate chains were constructed successfully.
       Additional Details
    A total of 1 chains were built. The highest quality chain ends in root certificate CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign,
Inc.", C=US.
Elapsed Time: 34 ms.
    Analyzing the certificate chains for compatibility problems with versions of Windows.
    Potential compatibility problems were identified with some versions of Windows.
       Additional Details
    The Microsoft Connectivity Analyzer can only validate the certificate chain using the Root Certificate Update functionality from Windows Update. Your certificate may not be trusted on Windows if the "Update Root Certificates" feature
isn't enabled.
Elapsed Time: 5 ms.
    Testing the certificate date to confirm the certificate is valid.
    Date validation passed. The certificate hasn't expired.
       Additional Details
    The certificate is valid. NotBefore = 1/3/2013 12:00:00 AM, NotAfter = 11/16/2015 11:59:59 PM
Elapsed Time: 0 ms.
    Checking the IIS configuration for client certificate authentication.
    Client certificate authentication wasn't detected.
       Additional Details
    Accept/Require Client Certificates isn't configured.
Elapsed Time: 298 ms.
    Testing HTTP Authentication Methods for URL https://webmail.xyz.com/rpc/[email protected]:6002.
    The HTTP authentication methods are correct.
       Additional Details
    The Microsoft Connectivity Analyzer found all expected authentication methods and no disallowed methods. Methods found: Basic, Negotiate, NTLMHTTP Response Headers:
request-id: 835acf95-78b7-40ae-b232-117318d1577e
Server: Microsoft-IIS/8.5
WWW-Authenticate: Basic realm="webmail.xyz.com",Negotiate,NTLM
X-Powered-By: ASP.NET
X-FEServer: Server01
Date: Mon, 25 Aug 2014 19:12:26 GMT
Content-Length: 0
Elapsed Time: 296 ms.
    Attempting to ping RPC proxy webmail.xyz.com.
    RPC Proxy was pinged successfully.
       Additional Details
    Elapsed Time: 454 ms.
    Attempting to ping the MAPI Mail Store endpoint with identity: [email protected]:6001.
    The endpoint was pinged successfully.
       Additional Details
    The endpoint responded in 0 ms.
Elapsed Time: 1007 ms.
    Testing the MAPI Address Book endpoint on the Exchange server.
    The address book endpoint was tested successfully.
       Additional Details
    Elapsed Time: 2177 ms.
       Test Steps
       Attempting to ping the MAPI Address Book endpoint with identity: [email protected]:6004.
    The endpoint was pinged successfully.
       Additional Details
    The endpoint responded in 906 ms.
Elapsed Time: 918 ms.
    Testing the address book "Check Name" operation for user [email protected] against server [email protected].
    The test passed with some warnings encountered. Please expand the additional details.
       Tell me more about this issue and how to resolve it
       Additional Details
    The address book Bind operation returned ecNotSupported. This typically indicates that your server requires encryption. The Microsoft Connectivity Analyzer will attempt the Address Book test again with encryption.
NSPI Status: 2147746050
Elapsed Time: 825 ms.
    Testing the address book "Check Name" operation for user [email protected] against server [email protected].
    Check Name succeeded.
       Additional Details
    DisplayName: Test Exch1, LegDN: /o=DOMAIN/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=add423106fbb47d5bf237462f52b8dab-Test Exch1
Elapsed Time: 433 ms.
    Testing the MAPI Referral service on the Exchange Server.
    The Referral service was tested successfully.
       Additional Details
    Elapsed Time: 1808 ms.
       Test Steps
       Attempting to ping the MAPI Referral Service endpoint with identity: [email protected]:6002.
    The endpoint was pinged successfully.
       Additional Details
    The endpoint responded in 953 ms.
Elapsed Time: 949 ms.
    Attempting to perform referral for user /o=DOMAIN/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=add423106fbb47d5bf237462f52b8dab-Test Exch1 on server [email protected].
    We got the address book server successfully.
       Additional Details
    The server returned by the Referral service: [email protected]
Elapsed Time: 858 ms.
    Testing the MAPI Address Book endpoint on the Exchange server.
    The address book endpoint was tested successfully.
       Additional Details
    Elapsed Time: 626 ms.
       Test Steps
       Attempting to ping the MAPI Address Book endpoint with identity: [email protected]:6004.
    The endpoint was pinged successfully.
       Additional Details
    The endpoint responded in 156 ms.
Elapsed Time: 154 ms.
    Testing the address book "Check Name" operation for user [email protected] against server [email protected].
    Check Name succeeded.
       Additional Details
    DisplayName: Test Exch1, LegDN: /o=DOMAIN/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=add423106fbb47d5bf237462f52b8dab-Test Exch1
Elapsed Time: 472 ms.
    Testing the MAPI Mail Store endpoint on the Exchange server.
    We successfully tested the Mail Store endpoint.
       Additional Details
    Elapsed Time: 555 ms.
       Test Steps
       Attempting to ping the MAPI Mail Store endpoint with identity: [email protected]:6001.
    The endpoint was pinged successfully.
       Additional Details
    The endpoint responded in 234 ms.
Elapsed Time: 228 ms.
    Attempting to log on to the Mailbox.
    We were able to log on to the Mailbox.
       Additional Details
    Elapsed Time: 326 ms.

Outlook Anywhere losing proxy settings, Autodiscover issue?

I have Exchange Server 2010 in Small Business Server 2011. I have several remote clients that are not part of the SBS domain, but they use Outlook Anywhere to connect to Exchange.
We originally started with a self-signed and eventually added a GoDaddy SSL certificate. Some of the remote clients lose the settings for Outlook Anywhere randomly. The proxy checkbox is unchecked and the MSSTS settings have all disappeared.
I investigated this and it seems to point to autodiscover. Our DNS is hosted externally so I created an A-Host record at Netowork Solutions called autodiscover and resolved it to the static IP address of the server. When I did this the remote
clients started to get certificate security warnings.
Next I tried to create a CNAME called _autodiscover for mail.mydomain.com and this didn't work either, certificate security erros
Is my Outlook Anywhere issue an 'autodiscover' problem and if it is, what amI doing wrong? Here are some additional details:
Self-signed certificate is mail.mydomain.com. GoDaddy Class 2 certificate authority has identified this site as mail.mydomain.com. The connection to the server is encrypted.

Testing RPC/HTTP connectivity.
The RPC/HTTP test failed.
Additional Details
Elapsed Time: 3221 ms.
Test Steps
The Microsoft Connectivity Analyzer is attempting to test Autodiscover for
[email protected].
Autodiscover was tested successfully.
Additional Details
Elapsed Time: 3219 ms.
Test Steps
Attempting each method of contacting the Autodiscover service.
The Autodiscover service was tested successfully.
Additional Details
Elapsed Time: 3218 ms.
Test Steps
Attempting to test potential Autodiscover URL
https://pickardconstruction.com/AutoDiscover/AutoDiscover.xml
Testing of this potential Autodiscover URL failed.
Additional Details
Elapsed Time: 835 ms.
Test Steps
Attempting to resolve the host name pickardconstruction.com in DNS.
The host name resolved successfully.
Additional Details
IP addresses returned: 205.204.84.106
Elapsed Time: 464 ms.
Testing TCP port 443 on host pickardconstruction.com to ensure it's listening and open.
The port was opened successfully.
Additional Details
Elapsed Time: 164 ms.
Testing the SSL certificate to make sure it's valid.
The SSL certificate failed one or more certificate validation checks.
Additional Details
Elapsed Time: 205 ms.
Test Steps
The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server pickardconstruction.com on port 443.
The Microsoft Connectivity Analyzer wasn't able to obtain the remote SSL certificate.
Additional Details
The certificate couldn't be validated because SSL negotiation wasn't successful. This could have occurred as a result of a network error or because of a problem with the certificate installation.
Elapsed Time: 156 ms.
Attempting to test potential Autodiscover URL
https://autodiscover.pickardconstruction.com/AutoDiscover/AutoDiscover.xml
Testing of this potential Autodiscover URL failed.
Additional Details
Elapsed Time: 609 ms.
Test Steps
Attempting to resolve the host name autodiscover.pickardconstruction.com in DNS.
The host name resolved successfully.
Additional Details
IP addresses returned: 205.204.84.106
Elapsed Time: 222 ms.
Testing TCP port 443 on host autodiscover.pickardconstruction.com to ensure it's listening and open.
The port was opened successfully.
Additional Details
Elapsed Time: 185 ms.
Testing the SSL certificate to make sure it's valid.
The SSL certificate failed one or more certificate validation checks.
Additional Details
Elapsed Time: 200 ms.
Test Steps
The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server autodiscover.pickardconstruction.com on port 443.
The Microsoft Connectivity Analyzer wasn't able to obtain the remote SSL certificate.
Additional Details
The certificate couldn't be validated because SSL negotiation wasn't successful. This could have occurred as a result of a network error or because of a problem with the certificate installation.
Elapsed Time: 151 ms.
Attempting to contact the Autodiscover service using the HTTP redirect method.
The Autodiscover service was successfully contacted using the HTTP redirect method.
Additional Details
Elapsed Time: 1770 ms.
Test Steps
Attempting to resolve the host name autodiscover.pickardconstruction.com in DNS.
The host name resolved successfully.
Additional Details
IP addresses returned: 205.204.84.106
Elapsed Time: 21 ms.
Testing TCP port 80 on host autodiscover.pickardconstruction.com to ensure it's listening and open.
The port was opened successfully.
Additional Details
Elapsed Time: 100 ms.
The Microsoft Connectivity Analyzer is checking the host autodiscover.pickardconstruction.com for an HTTP redirect to the Autodiscover service.
The redirect (HTTP 301/302) response was received successfully.
Additional Details
Redirect URL:
https://cpanelemaildiscovery.cpanel.net/autodiscover/autodiscover.xml HTTP Response Headers: Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Length: 0 Content-Type: application/xml Date: Fri, 28 Feb 2014 01:49:00 GMT Location:
https://cpanelemaildiscovery.cpanel.net/autodiscover/autodiscover.xml Server: Apache/2.2.23 (Unix) mod_ssl/2.2.23 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4
FrontPage/5.0.2.2635 PHP/5.3.21
Elapsed Time: 184 ms.
Attempting to test potential Autodiscover URL
https://cpanelemaildiscovery.cpanel.net/autodiscover/autodiscover.xml
Testing of the Autodiscover URL was successful.
Additional Details
Elapsed Time: 1463 ms.
Test Steps
Attempting to resolve the host name cpanelemaildiscovery.cpanel.net in DNS.
The host name resolved successfully.
Additional Details
IP addresses returned: 208.74.124.130, 208.74.124.133, 208.74.125.50, 208.74.125.51, 208.74.123.82
Elapsed Time: 109 ms.
Testing TCP port 443 on host cpanelemaildiscovery.cpanel.net to ensure it's listening and open.
The port was opened successfully.
Additional Details
Elapsed Time: 135 ms.
Testing the SSL certificate to make sure it's valid.
The certificate passed all validation requirements.
Additional Details
Elapsed Time: 358 ms.
Test Steps
The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server cpanelemaildiscovery.cpanel.net on port 443.
The Microsoft Connectivity Analyzer successfully obtained the remote SSL certificate.
Additional Details
Remote Certificate Subject: CN=*.cpanel.net, OU=Domain Control Validated, O=*.cpanel.net, Issuer: SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona,
C=US.
Elapsed Time: 278 ms.
Validating the certificate name.
The certificate name was validated successfully.
Additional Details
The host name that was found, cpanelemaildiscovery.cpanel.net, is a wildcard certificate match for common name *.cpanel.net.
Elapsed Time: 0 ms.
Certificate trust is being validated.
The certificate is trusted and all certificates are present in the chain.
Test Steps
The Microsoft Connectivity Analyzer is attempting to build certificate chains for certificate CN=*.cpanel.net, OU=Domain Control Validated, O=*.cpanel.net.
One or more certificate chains were constructed successfully.
Additional Details
A total of 2 chains were built. The highest quality chain ends in root certificate OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US.
Elapsed Time: 30 ms.
Analyzing the certificate chains for compatibility problems with versions of Windows.
No Windows compatibility problems were identified.
Additional Details
The certificate chain has been validated up to a trusted root. Root =
[email protected], CN=http://www.valicert.com/, OU=ValiCert Class 2 Policy Validation Authority, O="ValiCert, Inc.", L=ValiCert Validation Network.
Elapsed Time: 4 ms.
Testing the certificate date to confirm the certificate is valid.
Date validation passed. The certificate hasn't expired.
Additional Details
The certificate is valid. NotBefore = 8/18/2011 6:11:10 PM, NotAfter = 10/18/2016 5:19:12 AM
Elapsed Time: 0 ms.
Checking the IIS configuration for client certificate authentication.
Client certificate authentication wasn't detected.
Additional Details
Accept/Require Client Certificates isn't configured.
Elapsed Time: 349 ms.
Attempting to send an Autodiscover POST request to potential Autodiscover URLs.
The Microsoft Connectivity Analyzer successfully retrieved Autodiscover settings by sending an Autodiscover POST.
Additional Details
Elapsed Time: 509 ms.
Test Steps
The Microsoft Connectivity Analyzer is attempting to retrieve an XML Autodiscover response from URL
https://cpanelemaildiscovery.cpanel.net/autodiscover/autodiscover.xml for user
[email protected].
The Autodiscover XML response was successfully retrieved.
Additional Details
Autodiscover Account Settings XML response: <?xml version="1.0"?> <Autodiscover xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006"> <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
<User> <DisplayName>[email protected]</DisplayName> </User> <Account> <AccountType>email</AccountType> <Action>settings</Action> <Protocol> <Type>IMAP</Type> <Server>have02b.have1.com</Server>
<Port>993</Port> <DirectoryPort>0</DirectoryPort> <ReferralPort>0</ReferralPort> <SSL>on</SSL> <DomainRequired>off</DomainRequired> <SPA>off</SPA> <AuthRequired>on</AuthRequired>
<LoginName>[email protected]</LoginName> </Protocol> <Protocol> <Type>SMTP</Type> <Server>have02b.have1.com</Server> <Port>465</Port> <DirectoryPort>0</DirectoryPort> <ReferralPort>0</ReferralPort>
<SSL>on</SSL> <DomainRequired>off</DomainRequired> <SPA>off</SPA> <AuthRequired>on</AuthRequired> <LoginName>[email protected]</LoginName> </Protocol> </Account> </Response>
</Autodiscover> HTTP Response Headers: Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Length: 1362 Content-Type: text/xml Date: Fri, 28 Feb 2014 01:49:02 GMT Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 mod_perl/2.0.5
Perl/v5.8.8
Elapsed Time: 509 ms.
Autodiscover settings for Outlook Anywhere are being validated.
The Microsoft Connectivity Analyzer wasn't able to validate Outlook Anywhere Autodiscover settings.
Tell me more about this issue and how to resolve it
Additional Details
The EXCH provider section is missing from the Autodiscover response.
Elapsed Time: 0 ms.

Server Name VS Outlook Anywhere Proxy Server and the behaviour I should expect when using SAN certificates...

(I'll upload screen captures if needed once my account gets verified)
I have a basic (as in freshly installed single exchange server 2010 SP3) Exchange Server installation. I've setup Outlook Anywhere. I've also setup a SAN (SubjectAltName) certificate.
My setup:
ex01.eci.XXXX.XX = is the server name and also the CN of my SAN certificate
mail.eci.XXXX.XX = an A record I've setup to access my exchange server. It is also a subjectAltName in my SAN certificate
When setting up Outlook, I enter the server name and specify the Outlook Anywhere proxy server in the Outlook Anywhere section. This works fine and I connect to my exchange server using RPC over HTTPS.
Now, I was under the impression that specifying SANs in the certificate would allow me to enter the SAN alt name (mail.eci.XXXX.XX) in the field reserved for the Server Name, in Outlook..
But it does not work. The proxy will give me an error each time, like that:
HTTP   544   RPC_IN_DATA /rpc/rpcproxy.dll?mail.eci.XXXX.XX:6002 HTTP/1.1 , NTLMSSP_NEGOTIATE
HTTP   635   HTTP/1.1 401 Unauthorized , NTLMSSP_CHALLENGE (text/html)
HTTP   123   HTTP/1.0 503 RPC Error: 6ba
My question is: is this the behaviour I should expect? Or should I be able to specify the SAN alt name in the Server Name in Outlook?
Thanks!

Hi,
Firstly, I’d like to explain, the server name tab should be filled with your mailbox server name in the process of configuring Exchange 2010 account.
And the Outlook Anywhere proxy server is configured at the server side and cannot be randomly defined at the client side. To check it, we can run: get-outlookanywhere |fl externalhostname
Thus, it’s an expected behavior that we would get error if we randomly enter name in the server name tab when we configure an account. If I misunderstand your meaning, please feel free to let me know.
Additionally, Autodiscover service can help us automatically complete the configuration of the Outlook account. And how about the result if you use the Autodiscover to automatically configure the account?
If you have any question, please feel free to let me know.
Thanks,
Angela Shi
TechNet Community Support

Outlook is unable to connect to the proxy server.(Error Code 10)

Hi,
I had problems with RPC proxy, I was trying to setup cutover migration.
So I read somewhere that i need to change the certprincipalname with Set-Outlookprovider.
But after this change my outlook was not working anymore
The settings before the change were:
Name Server CertPrincipalName TTL
EXCH
1
EXPR
1
WEB
1
So I set this back to the original (above) but this didn't helped...
Outlook 2013 and Exchange 2013
There is a problem with the proxy server's security certificate. The name on the security certificate is invalid or does not match the name of the target site mail.abc-company.com.
Outlook is unable to connect to the proxy server.(Error Code 10)

Hi,
Please make sure the mail.abc-company.com is included in your Exchange certificate which has been assigned with IIS service.
If possible, please run the following command for double check:
Get-ExchangeCertificate | FL
For Autodiscover service, please run
Test E-mail AutoConfiguration to check if the connection is successful in Log tab and confirm the other services URL can use proper namespace in Results tab for request access.
If the Autodiscover service fails, please create a SRV record with mail.abc-company.com for Autodiscover service to have a try:
http://support2.microsoft.com/kb/940881/en-us
Regards,
Winnie Liang
TechNet Community Support

Outlook is unable to connect to the proxy server. (Error code 0)

Hello,
I have just commenced a Exchange 2007 SP3 to Exchange 2013 SP1 migration following the following guide: http://blogs.technet.com/b/meamcs/archive/2013/07/25/part-1-step-by-step-exchange-2007-to-2013-migration.aspx
As per the above guide, my 2007 environment is now known as legacy.company.com and my 2013, webmail.company.com.
I'm using the same certificate on both boxes and it has the names autodiscover.company.com, webmail.company.com and legacy.company.com. All that seems to be working fine.
OWA is functioning perfectly, hitting https://webmail.company.com will pass the user off to https://legacy.company.com if the mailbox is on 2007. Alongside this, Outlook also has no issues connecting to 2007 mailboxes with the client proxy settings
being reconfigured to https://legacy.company.com automatically.
My problem comes when a mailbox is migrated to 2013. OWA functions fine and presents the mailbox but Outlook is unable to connect, presenting the error:
There is a problem with the proxy server's security certificate.
The name on the security certificate is invalid or does not match the name of the target site webmail.company.com.
Outlook is unable to connect to the proxy server. (Error Code 0)
If I modify the Outlook client's settings and disable "Only connect to proxy servers that have this principal name in their certificate: msstd:webmail.company.com", Outlook connects and functions fine.
I'm at a loss and have tried everything I can think and find on google. Any suggestions would be greatly appreciated.

Hi,
Please refer to the following article :
http://support.microsoft.com/kb/923575
Cause:
This issue may occur if one or more of the following conditions are true:
The connection to the server requires a certification authority (CA).
You have not trusted the certification authority at the root.
The certificate may be invalid or revoked.
The certificate does not match the name of the site.
A third-party add-in is preventing access.
Solution:
To examine the certificate, follow these steps:
In Microsoft Internet Explorer, connect to the RPC server or to the secure server. For example, type
https://www.<var>server_name</var>.com/rpc in the Address bar of the Web browser, and then press ENTER.
Note The <var>server_name</var> placeholder references the RPC server name or the secure server name.
Double-click the padlock icon that is located in the lower-right corner of the Web browser.
Click the Details tab.
Note the information in the following fields:
Valid to
The Valid to field indicates the date until which the certificate is valid.
Subject
The data in the Subject field should match the site name.
Hope this helps!
Thanks.
Niko Cheng
TechNet Community Support

Outlook is unable to connect to the proxy server.(Error Code 10) when users opened Outlook 2010

Hi All
Exchange Server - 2013 CU2 (Windows 2012 Standard)
AD Server - 2003 R2 SP2
exchange-svr01.domain.com - internal name
mail.company.net - external name
When users opened Outlook 2010, they will encountered
"There is a problem with the proxy server's security certificate. The name on the security certificate is invalid or does not match the name of the target site exchange-svr01.domain.com.
Outlook is unable to connect to the proxy server.(Error Code 10)"
I also used the Microsoft Remote Connectivity Analyzer to test RPC/HTTP connectivity.
The RPC/HTTP test completed successfully.
    Validating the certificate name.
    Certificate name validation failed.
     Host name company.net doesn't match any name found on the server certificate CN=AMAZONA-U59HG9G.
Testing SSL mutual authentication with the RPC proxy server.
    The test passed with some warnings encountered.
The certificate common name company.net doesn't match the mutual authentication string provided mail.company.net; however, a match was found in the subject alternative name extension.
please help.

Hi PS CL
[PS] C:\Windows\system32>Get-OutlookAnywhere
RunspaceId                         : c457e8aa-a0f3-4a0f-aa02-9eff24d02821
ServerName                         : exchange-svr01
SSLOffloading                      : True
ExternalHostname                   : mail.company.net
InternalHostname                   : exchange-svr01.domain.com
ExternalClientAuthenticationMethod : Negotiate
InternalClientAuthenticationMethod : Ntlm
IISAuthenticationMethods           : {Basic, Ntlm, Negotiate}
XropUrl                            :
ExternalClientsRequireSsl          : True
InternalClientsRequireSsl          : True
MetabasePath                       : IIS://exchange-svr01.domain.COM/W3SVC/1/ROOT/Rpc
Path                               : C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\rpc
ExtendedProtectionTokenChecking    : None
ExtendedProtectionFlags            : {}
ExtendedProtectionSPNList          : {}
AdminDisplayVersion                : Version 15.0 (Build 712.22)
Server                             : exchange-svr01
AdminDisplayName                   :
ExchangeVersion                    : 0.20 (15.0.0.0)
Name                               : Rpc (Default Web Site)
DistinguishedName                  : CN=Rpc (Default Web
                                     Site),CN=HTTP,CN=Protocols,CN=exchange-svr01,CN=Servers,CN=Exchange
Administrative
                                     Group (FYDIBOHF23SPDLT),CN=Administrative
Groups,CN=domain,CN=Microsoft
                                     Exchange,CN=Services,CN=Configuration,DC=domain,DC=COM
Identity                           : exchange-svr01\Rpc (Default Web Site)
Guid                               : 33c3cb74-e490-487d-844c-4072334089a1
ObjectCategory                     : domain.COM/Configuration/Schema/ms-Exch-Rpc-Http-Virtual-Directory
ObjectClass                        : {top, msExchVirtualDirectory, msExchRpcHttpVirtualDirectory}
WhenChanged                        : 8/17/2013 10:14:55 AM
WhenCreated                        : 6/25/2013 1:47:50 PM
WhenChangedUTC                     : 8/17/2013 2:14:55 AM
WhenCreatedUTC                     : 6/25/2013 5:47:50 AM
OrganizationId                     :
OriginatingServer                  : ADserver.domain.COM
IsValid                            : True
ObjectState                        : Changed

Exchange 2013 & Exchange 2007 Co-exist - Problems with Outlook anywhere proxy

Hi,
Got EX13 and EX07 in co-exist. Pointed all the external URL to EX13. ActiveSync proxies to 2007 and OWA redirects to legacy url with SSO. Working perfectly!
But with Outlook Anywhere it does not work. Mailboxes on EX13 works good, but not for EX07 user.
Error message from MRCA:
Attempting to ping RPC endpoint 6001 (Exchange Information Store) on server "internalFQDN ofbackend EX07 server"
The RPC_S_SERVER_UNAVAILABLE error (0x6ba) was thrown by the RPC Runtime process.

Hi,
We need to change the Authenticaion on the Outlook Anywhere to NTLM
Set-OutlookAnywhere -Identity "xxx\Rpc (Default Web Site)" –InternalHostName mail.domain.com
-InternalClientsRequireSsl $True -ExternalHostName mail.domain.com
-ExternalClientsRequireSsl $True -InternalClientAuthenticationMethod NTLM
-ExternalClientAuthenticationMethod NTLM -IISAuthenticationMethods
Basic, NTLM, Negotiate
Please first backup the Outlook Anywhere settings then do the above changes.
Thanks,
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact
[email protected]
Simon Wu
TechNet Community Support

Outlook Anywhere proxy changed from Basic to NTLM for external users

I have a Exchange 2013 environment that is also running Exchange 2010 coexistence (migrating). What is happening is autodiscover is handing out NTLM for the proxy settings and not basic. However when it is using NTLM we seem to get the password prompt over
and over. If I manually changed it to Basic then it works fine, but when autodiscover goes again it changes back to NTLM and prompts that the Administrator made a change and you need to restart Outlook.
I checked Outlook Anywhere and all my servers have Basic set for external users and NTLM set for internal.
I only have a few mailboxes on 2013 and 2010 mailboxes seem not to have a problem.
Here is an output for Outlook Anywhere on all six servers:
Identity : CAS01\Rpc (Default Web Site)
ExchangeVersion : 0.10 (14.0.100.0)
ExternalClientAuthenticationMethod : Basic
InternalClientAuthenticationMethod : Ntlm
IISAuthenticationMethods : {Basic, Ntlm}
Identity : CAS02\Rpc (Default Web Site)
ExchangeVersion : 0.10 (14.0.100.0)
ExternalClientAuthenticationMethod : Basic
InternalClientAuthenticationMethod : Ntlm
IISAuthenticationMethods : {Basic, Ntlm}
Identity : CAS03\Rpc (Default Web Site)
ExchangeVersion : 0.10 (14.0.100.0)
ExternalClientAuthenticationMethod : Basic
InternalClientAuthenticationMethod : Ntlm
IISAuthenticationMethods : {Basic, Ntlm}
Identity : EXCH2K13-01\Rpc (Default Web Site)
ExchangeVersion : 0.20 (15.0.0.0)
ExternalClientAuthenticationMethod : Basic
InternalClientAuthenticationMethod : Ntlm
IISAuthenticationMethods : {Basic, Ntlm, Negotiate}
Identity : EXCH2K13-02\Rpc (Default Web Site)
ExchangeVersion : 0.20 (15.0.0.0)
ExternalClientAuthenticationMethod : Basic
InternalClientAuthenticationMethod : Ntlm
IISAuthenticationMethods : {Basic, Ntlm, Negotiate}
Identity : EXCH2K13-03\Rpc (Default Web Site)
ExchangeVersion : 0.20 (15.0.0.0)
ExternalClientAuthenticationMethod : Basic
InternalClientAuthenticationMethod : Ntlm
IISAuthenticationMethods : {Basic, Ntlm, Negotiate}

Hi,
Please refer to the following KB to set the Outlook Anywhere settings on Exchange Server 2013 Client Access servers:
http://support.microsoft.com/en-us/kb/2834139
If it doesn’t work with the resolution above, please do the following checking in ADSI Edit:
1. In Adsiedit, expand Configuration-->CN=Services -> CN=Microsoft Exchange -> CN=domain -> CN=Administrative Groups -> CN=Exchange Administrative Group -> CN=Databases.
2. Right-click the listed database > Properties.
3. Check whether the msExchHomePublicMDB value is set to an available value. Please change the value to <not set>.
4. Click OK.
Then check whether the issue persists.
Regards,
Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected]
Winnie Liang
TechNet Community Support

Intermittent proxy error "There is a problem with the proxy server's security certificate. Outlook is unable to connect to the proxy server "

Hi all,
From time to time (at least once a day), the following message pops up on the user's screen:
"There is a problem with the proxy server's security certificate. Outlook is unable to connect to the proxy server . Error Code 80000000)."
If we click "OK" it goes away and everything continues to work although sometimes Outlook disconnects. It is quite annoying...
Any ideas?
Thank you in advance

Hi,
For the security alert issue, I'd like to recommend you check the name in the alert windows, and confirm if the name is in your certificate.
Additionally, to narrow down the cause, when the Outlook client cannot connect again, I recommand you firstly check the connectivity by using Test E-mail AutoConfiguration. For more information, you can refe to the following article:
http://social.technet.microsoft.com/Forums/en-US/54bc6b17-9b60-46a4-9dad-584836d15a02/troubleshooting-and-introduction-for-exchange-20072010-autodiscover-details-about-test-email?forum=exchangesvrgeneral
Thanks,
Angela Shi
TechNet Community Support

Exchange 2010 - Outlook Anywhere trying to connect to internal server name first before connecting to proxy server

Hello,
I have an Exchange 2010 question which I will post in the Exchange 2013 section since the Ask a question button in the legacy Exchange Servers section of technet takes me back to the part of Technet where I can only ask questions regarding Exchange 2013.
If someone can point me to a part where I can place a question in an Exchange 2010 forum please let me know.
We have Exchange 2010 setup with a CAS array listening to outlook.internaldomain.com
We have TMG 2010 setup with a rule for Outlook Anywhere, the rule listens to mail.externaldomain.com and traffic that meets this rule is let through to outlook.internaldomain.com.
When I fire up my laptop, which is connected to the internet, and start Outlook and let it configure my profile through autodiscover it sets it up correct and fills the Outlook profile with a servername stating outlook.internaldomain.com and a proxyserver
to be used stating mail.externaldomain.com. After initial setup when my Outlook starts it almost immediatly prompts me for a username and a password so this is working fine.
At the office we have an internal network segment where DHCP is servicing the connecting clients and giving them our internal DNS servers because they need connection to some other network segments which are not available to the internet. This network segment
does not have access to our internal Exchange environment but has full access to the internet. Clients in this network segment do want to use Outlook so using Outlook Anywhere for them is the logical way to go. When I connect my laptop to this network segment
I get handed an IP address and our internal DNS servers, when I start Outlook it takes about two minutes before a the credential prompt pops up and another 2 to 6 minutes after entering credentials before it says all folders are in sync. This is quite long
and our clients find this unacceptable.
I started testing what might be going on here and I have found that when I manually enter external DNS servers the Outlook password prompt will popup in seconds and all is working as expected so it seems Outlook is trying to connect to the internal servername
when using our internal DNS servers (which can resolve outlook.internalnetwork.com) instead of directly going to the proxy server which is to be used for Outlook Anywhere.
When I start a network monitor trace my thoughts are confirmed because when I am connected to the internal network segment OUTLOOK.EXE first tries to connect to outlook.internaldomain.com, it almost immediately gets a response stating that this route is
inaccessible but OUTLOOK.EXE keeps on trying to connect untill some sort of time out is reached (somewhere around two minutes) after which it connects to mail.externaldomain.com and Outlook shows the credential prompt.
So to round it up, when connected to DNS servers that can resolve the internal servername Outlook tries to connect to the internal servername in stead of the external name, Outlook does not reckognize the answer from the network that the internal route is
not acessible (or it does but does nothing with this information).
Has anybody experienced this behaviour in Outlook?
Does anyone have a solution in where I can force Outlook to connect to it's proxyserver and disregard the internal servername?

Thank you for your reply.
The client computers that are experiencing the issues are not domain joined, the only reason I can think of why this is occurring is because the DNS servers are able to resolve the internal hostname of the server, but I would expect Outlook to always use
the proxy server that has been set in the configuration of the Outlook profile. Or at least acknowledging the answer that the initially tried route is inaccessible and immediately continue to the proxy server.
For setting the same hostname for internal and external use, we use different namespaces internally and externally, do you mean setting the external hostname on the CAS array for internal use ? Wouldn't that push all internal communication to the internet
and to the outside interface of the TMG where the server is published with that hostname ?

Trial SAN Certificate & Outlook Anywhere (RPC over HTTP) test fail

I am testing exchange 2013 where autodiscover pass while performing Outlook Anywhere (RPC over HTTP) connectivity test failed with invalid SSL certifiate . I am only using self certifiate .do any one idea if any CA provding SAN certificate trial basis.
Don't forget to mark helpful or answer
connect me :-
http://in.linkedin.com/in/satya11
http://facebook.com/satya.1000

Hi,
Agree with the above suggestion, ExRCA test cannot pass with self-signed certificate. And to ensure Outlook Anywhere work well , we need to install the self-signed certificate on all clients machines.
If you have any question, please feel free to let me know.
Thanks,
Angela Shi
TechNet Community Support

Outlook anywhere testconnectivity error RPC 6004 (NSPI Proxy Interface)

Similar Messages

Maybe you are looking for