Publish Exchange 2013 OWA + Active Sync + Outlook Anywhere using TMG 2010
We plan to publish our new Exchange 2013 SP1 servers (3 in DAG) outside the corporate network using TMG 2010. I am looking for a guide on how to do it in the proper way. What I found is a little old and does not take into consideration Exchange 2013 SP1
http://blogs.technet.com/b/exchange/archive/2012/11/21/publishing-exchange-server-2013-using-tmg.aspx
Any advice how to publish Exchange 2013 OWA using form-based authentication and how to use Kerberos Constrained Delegation?
Hi,
The blog below describes some scenarios for publishing Exchange. You could have a look at Scenario 2.
Exchange publishing after TMG/UAG
http://dizdarevic.ba/ddamirblog/?p=168
Note: Microsoft provides third-party contact information to help you find technical support. This contact
information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information
Best Regards,
Joyce
Similar Messages
-
Hello Folks,
I have this problem and it is making me crazy; if anyone has any idea, please shed some light on this:
1. Working Outlook 2010 and 2013 clients with webmail.xyz.com as Outlook Anywhere proxy address.
2. Installed new Exchange 2013 server (server02) with CAS and Mailbox role, Exchange install wizard finished and server is rebooted.
3. Server came up online, started changing internal and external FQDNs of Virtual Directories and Outlook Anywhere to webmail.xyz.com
4. As soon as the FQDNs changed, some Outlook clients create a support request that Outlook suddenly whites out and after reopening it is giving the error cannot connect to Exchange. Upon checking, the client's Exchange Proxy address is set to http://server02.xyz.com, even though OA/OWA/ECP/OAB/EWS/Autodiscover/ActiveSync FQDNs point to webmail.xyz.com, on all servers. If I create a new Outlook profile for the same user it picks up correct settings through Autodiscover and connects fine. This is happening to about 20% of Outlook clients every time I am introducing a new Exchange 2013 server in the Organization. We have around 2000 users and are planning on installing 4 Exchange servers to distribute load, and changing the Outlook profile of close to 150-200 users every time is not possible.
Any help is greatly appreciated.
Thanks
Cool
Here are the EXCRA results
Here IP (x.x.x.x) returned is my Load Balancer IP (Webmail.xyz.com).
Connectivity Test Successful with Warnings
Test Details
Testing Outlook connectivity.
The Outlook connectivity test completed successfully.
Additional Details
Elapsed Time: 9881 ms.
Test Steps
The Microsoft Connectivity Analyzer is attempting to test Autodiscover for [email protected].
Autodiscover was tested successfully.
Additional Details
Elapsed Time: 2063 ms.
Test Steps
Attempting each method of contacting the Autodiscover service.
The Autodiscover service was tested successfully.
Additional Details
Elapsed Time: 2063 ms.
Test Steps
Attempting to test potential Autodiscover URL https://xyz.com:443/Autodiscover/Autodiscover.xml
Testing of this potential Autodiscover URL failed.
Additional Details
Elapsed Time: 186 ms.
Test Steps
Attempting to resolve the host name xyz.com in DNS.
The host name couldn't be resolved.
Tell me more about this issue and how to resolve it
Additional Details
Host xyz.com couldn't be resolved in DNS InfoNoRecords.
Elapsed Time: 186 ms.
Attempting to test potential Autodiscover URL https://autodiscover.xyz.com:443/Autodiscover/Autodiscover.xml
Testing of the Autodiscover URL was successful.
Additional Details
Elapsed Time: 1876 ms.
Test Steps
Attempting to resolve the host name autodiscover.xyz.com in DNS.
The host name resolved successfully.
Additional Details
IP addresses returned: x.x.x.x
Elapsed Time: 338 ms.
Testing TCP port 443 on host autodiscover.xyz.com to ensure it's listening and open.
The port was opened successfully.
Additional Details
Elapsed Time: 173 ms.
Testing the SSL certificate to make sure it's valid.
The certificate passed all validation requirements.
Additional Details
Elapsed Time: 318 ms.
Test Steps
The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server autodiscover.xyz.com on port 443.
The Microsoft Connectivity Analyzer successfully obtained the remote SSL certificate.
Additional Details
Remote Certificate Subject: CN=webmail.xyz.com, Issuer: CN=VeriSign Class 3 Secure Server CA - G3, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US.
Elapsed Time: 219 ms.
Validating the certificate name.
The certificate name was validated successfully.
Additional Details
Host name autodiscover.xyz.com was found in the Certificate Subject Alternative Name entry.
Elapsed Time: 1 ms.
Certificate trust is being validated.
The certificate is trusted and all certificates are present in the chain.
Test Steps
The Microsoft Connectivity Analyzer is attempting to build certificate chains for certificate CN=webmail.xyz.com, OU=Terms of use at www.verisign.com/rpa (c)05,.
One or more certificate chains were constructed successfully.
Additional Details
A total of 1 chains were built. The highest quality chain ends in root certificate CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign,
Inc.", C=US.
Elapsed Time: 36 ms.
Analyzing the certificate chains for compatibility problems with versions of Windows.
Potential compatibility problems were identified with some versions of Windows.
Additional Details
The Microsoft Connectivity Analyzer can only validate the certificate chain using the Root Certificate Update functionality from Windows Update. Your certificate may not be trusted on Windows if the "Update Root Certificates" feature
isn't enabled.
Elapsed Time: 5 ms.
Testing the certificate date to confirm the certificate is valid.
Date validation passed. The certificate hasn't expired.
Additional Details
The certificate is valid. NotBefore = 1/3/2013 12:00:00 AM, NotAfter = 11/16/2015 11:59:59 PM
Elapsed Time: 0 ms.
Checking the IIS configuration for client certificate authentication.
Client certificate authentication wasn't detected.
Additional Details
Accept/Require Client Certificates isn't configured.
Elapsed Time: 289 ms.
Attempting to send an Autodiscover POST request to potential Autodiscover URLs.
The Microsoft Connectivity Analyzer successfully retrieved Autodiscover settings by sending an Autodiscover POST.
Additional Details
Elapsed Time: 756 ms.
Test Steps
The Microsoft Connectivity Analyzer is attempting to retrieve an XML Autodiscover response from URL https://autodiscover.xyz.com:443/Autodiscover/Autodiscover.xml for user [email protected].
The Autodiscover XML response was successfully retrieved.
Additional Details
Autodiscover Account Settings
XML response:
<?xml version="1.0"?>
<Autodiscover xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
<Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
<User>
<DisplayName>Test Exch1</DisplayName>
<LegacyDN>/o=DOMAIN/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=add423106fbb47d5bf237462f52b8dab-Test Exch1</LegacyDN>
<DeploymentId>4ec753c9-60d9-4c05-9451-5b24e2d527a7</DeploymentId>
</User>
<Account>
<AccountType>email</AccountType>
<Action>settings</Action>
<Protocol>
<Type>EXCH</Type>
<Server>[email protected]</Server>
<ServerDN>/o=DOMAIN/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/[email protected]</ServerDN>
<ServerVersion>73C0834F</ServerVersion>
<MdbDN>/o=DOMAIN/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/[email protected]/cn=Microsoft Private MDB</MdbDN>
<ASUrl>https://webmail.xyz.com/ews/exchange.asmx</ASUrl>
<OOFUrl>https://webmail.xyz.com/ews/exchange.asmx</OOFUrl>
<OABUrl>https://webmail.xyz.com/OAB/6a6a06ad-4717-4636-bd98-0b4fa3aaf4a5/</OABUrl>
<UMUrl>https://webmail.xyz.com/ews/UM2007Legacy.asmx</UMUrl>
<Port>0</Port>
<DirectoryPort>0</DirectoryPort>
<ReferralPort>0</ReferralPort>
<PublicFolderServer>webmail.xyz.com</PublicFolderServer>
<AD>DC-03.domain.xyz.com</AD>
<EwsUrl>https://webmail.xyz.com/ews/exchange.asmx</EwsUrl>
<EmwsUrl>https://webmail.xyz.com/ews/exchange.asmx</EmwsUrl>
<EcpUrl>https://webmail.xyz.com/ecp/</EcpUrl>
<EcpUrl-um>?rfr=olk&p=customize/voicemail.aspx&exsvurl=1&realm=domain.xyz.com</EcpUrl-um>
<EcpUrl-aggr>?rfr=olk&p=personalsettings/EmailSubscriptions.slab&exsvurl=1&realm=domain.xyz.com</EcpUrl-aggr>
<EcpUrl-mt>PersonalSettings/DeliveryReport.aspx?rfr=olk&exsvurl=1&IsOWA=<IsOWA>&MsgID=<MsgID>&Mbx=<Mbx>&realm=domain.xyz.com</EcpUrl-mt>
<EcpUrl-ret>?rfr=olk&p=organize/retentionpolicytags.slab&exsvurl=1&realm=domain.xyz.com</EcpUrl-ret>
<EcpUrl-sms>?rfr=olk&p=sms/textmessaging.slab&exsvurl=1&realm=domain.xyz.com</EcpUrl-sms>
<EcpUrl-photo>PersonalSettings/EditAccount.aspx?rfr=olk&chgPhoto=1&exsvurl=1&realm=domain.xyz.com</EcpUrl-photo>
<EcpUrl-tm>?rfr=olk&ftr=TeamMailbox&exsvurl=1&realm=domain.xyz.com</EcpUrl-tm>
<EcpUrl-tmCreating>?rfr=olk&ftr=TeamMailboxCreating&SPUrl=<SPUrl>&Title=<Title>&SPTMAppUrl=<SPTMAppUrl>&exsvurl=1&realm=domain.xyz.com</EcpUrl-tmCreating>
<EcpUrl-tmEditing>?rfr=olk&ftr=TeamMailboxEditing&Id=<Id>&exsvurl=1&realm=domain.xyz.com</EcpUrl-tmEditing>
<EcpUrl-extinstall>Extension/InstalledExtensions.slab?rfr=olk&exsvurl=1&realm=domain.xyz.com</EcpUrl-extinstall>
<ServerExclusiveConnect>off</ServerExclusiveConnect>
</Protocol>
<Protocol>
<Type>EXPR</Type>
<Server>webmail.xyz.com</Server>
<ASUrl>https://webmail.xyz.com/ews/exchange.asmx</ASUrl>
<OOFUrl>https://webmail.xyz.com/ews/exchange.asmx</OOFUrl>
<OABUrl>https://webmail.xyz.com/OAB/6a6a06ad-4717-4636-bd98-0b4fa3aaf4a5/</OABUrl>
<UMUrl>https://webmail.xyz.com/ews/UM2007Legacy.asmx</UMUrl>
<Port>0</Port>
<DirectoryPort>0</DirectoryPort>
<ReferralPort>0</ReferralPort>
<SSL>On</SSL>
<AuthPackage>Ntlm</AuthPackage>
<EwsUrl>https://webmail.xyz.com/ews/exchange.asmx</EwsUrl>
<EmwsUrl>https://webmail.xyz.com/ews/exchange.asmx</EmwsUrl>
<EcpUrl>https://webmail.xyz.com/ecp/</EcpUrl>
<EcpUrl-um>?rfr=olk&p=customize/voicemail.aspx&exsvurl=1&realm=domain.xyz.com</EcpUrl-um>
<EcpUrl-aggr>?rfr=olk&p=personalsettings/EmailSubscriptions.slab&exsvurl=1&realm=domain.xyz.com</EcpUrl-aggr>
<EcpUrl-mt>PersonalSettings/DeliveryReport.aspx?rfr=olk&exsvurl=1&IsOWA=<IsOWA>&MsgID=<MsgID>&Mbx=<Mbx>&realm=domain.xyz.com</EcpUrl-mt>
<EcpUrl-ret>?rfr=olk&p=organize/retentionpolicytags.slab&exsvurl=1&realm=domain.xyz.com</EcpUrl-ret>
<EcpUrl-sms>?rfr=olk&p=sms/textmessaging.slab&exsvurl=1&realm=domain.xyz.com</EcpUrl-sms>
<EcpUrl-photo>PersonalSettings/EditAccount.aspx?rfr=olk&chgPhoto=1&exsvurl=1&realm=domain.xyz.com</EcpUrl-photo>
<EcpUrl-tm>?rfr=olk&ftr=TeamMailbox&exsvurl=1&realm=domain.xyz.com</EcpUrl-tm>
<EcpUrl-tmCreating>?rfr=olk&ftr=TeamMailboxCreating&SPUrl=<SPUrl>&Title=<Title>&SPTMAppUrl=<SPTMAppUrl>&exsvurl=1&realm=domain.xyz.com</EcpUrl-tmCreating>
<EcpUrl-tmEditing>?rfr=olk&ftr=TeamMailboxEditing&Id=<Id>&exsvurl=1&realm=domain.xyz.com</EcpUrl-tmEditing>
<EcpUrl-extinstall>Extension/InstalledExtensions.slab?rfr=olk&exsvurl=1&realm=domain.xyz.com</EcpUrl-extinstall>
<ServerExclusiveConnect>on</ServerExclusiveConnect>
<EwsPartnerUrl>https://webmail.xyz.com/ews/exchange.asmx</EwsPartnerUrl>
<GroupingInformation>Default-First-Site-Name</GroupingInformation>
</Protocol>
<Protocol>
<Type>WEB</Type>
<Port>0</Port>
<DirectoryPort>0</DirectoryPort>
<ReferralPort>0</ReferralPort>
<Internal>
<OWAUrl AuthenticationMethod="Basic, Fba">https://webmail.xyz.com/owa/</OWAUrl>
<Protocol>
<Type>EXCH</Type>
<ASUrl>https://webmail.xyz.com/ews/exchange.asmx</ASUrl>
</Protocol>
</Internal>
<External>
<OWAUrl AuthenticationMethod="Fba">https://webmail.xyz.com/owa/</OWAUrl>
<Protocol>
<Type>EXPR</Type>
<ASUrl>https://webmail.xyz.com/ews/exchange.asmx</ASUrl>
</Protocol>
</External>
</Protocol>
<Protocol>
<Type>EXHTTP</Type>
<Server>webmail.xyz.com</Server>
<ASUrl>https://webmail.xyz.com/ews/exchange.asmx</ASUrl>
<OOFUrl>https://webmail.xyz.com/ews/exchange.asmx</OOFUrl>
<OABUrl>https://webmail.xyz.com/OAB/6a6a06ad-4717-4636-bd98-0b4fa3aaf4a5/</OABUrl>
<UMUrl>https://webmail.xyz.com/ews/UM2007Legacy.asmx</UMUrl>
<Port>0</Port>
<DirectoryPort>0</DirectoryPort>
<ReferralPort>0</ReferralPort>
<SSL>On</SSL>
<AuthPackage>Ntlm</AuthPackage>
<EwsUrl>https://webmail.xyz.com/ews/exchange.asmx</EwsUrl>
<EmwsUrl>https://webmail.xyz.com/ews/exchange.asmx</EmwsUrl>
<EcpUrl>https://webmail.xyz.com/ecp/</EcpUrl>
<EcpUrl-um>?rfr=olk&p=customize/voicemail.aspx&exsvurl=1&realm=domain.xyz.com</EcpUrl-um>
<EcpUrl-aggr>?rfr=olk&p=personalsettings/EmailSubscriptions.slab&exsvurl=1&realm=domain.xyz.com</EcpUrl-aggr>
<EcpUrl-mt>PersonalSettings/DeliveryReport.aspx?rfr=olk&exsvurl=1&IsOWA=<IsOWA>&MsgID=<MsgID>&Mbx=<Mbx>&realm=domain.xyz.com</EcpUrl-mt>
<EcpUrl-ret>?rfr=olk&p=organize/retentionpolicytags.slab&exsvurl=1&realm=domain.xyz.com</EcpUrl-ret>
<EcpUrl-sms>?rfr=olk&p=sms/textmessaging.slab&exsvurl=1&realm=domain.xyz.com</EcpUrl-sms>
<EcpUrl-photo>PersonalSettings/EditAccount.aspx?rfr=olk&chgPhoto=1&exsvurl=1&realm=domain.xyz.com</EcpUrl-photo>
<EcpUrl-tm>?rfr=olk&ftr=TeamMailbox&exsvurl=1&realm=domain.xyz.com</EcpUrl-tm>
<EcpUrl-tmCreating>?rfr=olk&ftr=TeamMailboxCreating&SPUrl=<SPUrl>&Title=<Title>&SPTMAppUrl=<SPTMAppUrl>&exsvurl=1&realm=domain.xyz.com</EcpUrl-tmCreating>
<EcpUrl-tmEditing>?rfr=olk&ftr=TeamMailboxEditing&Id=<Id>&exsvurl=1&realm=domain.xyz.com</EcpUrl-tmEditing>
<EcpUrl-extinstall>Extension/InstalledExtensions.slab?rfr=olk&exsvurl=1&realm=domain.xyz.com</EcpUrl-extinstall>
<ServerExclusiveConnect>On</ServerExclusiveConnect>
</Protocol>
<Protocol>
<Type>EXHTTP</Type>
<Server>webmail.xyz.com</Server>
<ASUrl>https://webmail.xyz.com/ews/exchange.asmx</ASUrl>
<OOFUrl>https://webmail.xyz.com/ews/exchange.asmx</OOFUrl>
<OABUrl>https://webmail.xyz.com/OAB/6a6a06ad-4717-4636-bd98-0b4fa3aaf4a5/</OABUrl>
<UMUrl>https://webmail.xyz.com/ews/UM2007Legacy.asmx</UMUrl>
<Port>0</Port>
<DirectoryPort>0</DirectoryPort>
<ReferralPort>0</ReferralPort>
<SSL>On</SSL>
<AuthPackage>Ntlm</AuthPackage>
<EwsUrl>https://webmail.xyz.com/ews/exchange.asmx</EwsUrl>
<EmwsUrl>https://webmail.xyz.com/ews/exchange.asmx</EmwsUrl>
<EcpUrl>https://webmail.xyz.com/ecp/</EcpUrl>
<EcpUrl-um>?rfr=olk&p=customize/voicemail.aspx&exsvurl=1&realm=domain.xyz.com</EcpUrl-um>
<EcpUrl-aggr>?rfr=olk&p=personalsettings/EmailSubscriptions.slab&exsvurl=1&realm=domain.xyz.com</EcpUrl-aggr>
<EcpUrl-mt>PersonalSettings/DeliveryReport.aspx?rfr=olk&exsvurl=1&IsOWA=<IsOWA>&MsgID=<MsgID>&Mbx=<Mbx>&realm=domain.xyz.com</EcpUrl-mt>
<EcpUrl-ret>?rfr=olk&p=organize/retentionpolicytags.slab&exsvurl=1&realm=domain.xyz.com</EcpUrl-ret>
<EcpUrl-sms>?rfr=olk&p=sms/textmessaging.slab&exsvurl=1&realm=domain.xyz.com</EcpUrl-sms>
<EcpUrl-photo>PersonalSettings/EditAccount.aspx?rfr=olk&chgPhoto=1&exsvurl=1&realm=domain.xyz.com</EcpUrl-photo>
<EcpUrl-tm>?rfr=olk&ftr=TeamMailbox&exsvurl=1&realm=domain.xyz.com</EcpUrl-tm>
<EcpUrl-tmCreating>?rfr=olk&ftr=TeamMailboxCreating&SPUrl=<SPUrl>&Title=<Title>&SPTMAppUrl=<SPTMAppUrl>&exsvurl=1&realm=domain.xyz.com</EcpUrl-tmCreating>
<EcpUrl-tmEditing>?rfr=olk&ftr=TeamMailboxEditing&Id=<Id>&exsvurl=1&realm=domain.xyz.com</EcpUrl-tmEditing>
<EcpUrl-extinstall>Extension/InstalledExtensions.slab?rfr=olk&exsvurl=1&realm=domain.xyz.com</EcpUrl-extinstall>
<ServerExclusiveConnect>On</ServerExclusiveConnect>
</Protocol>
</Account>
</Response>
</Autodiscover>
HTTP Response Headers:
request-id: 9d325a80-f1fd-4496-ac48-2be6bb782c28
X-CalculatedBETarget: Server01.domain.xyz.com
X-DiagInfo: Server01
X-BEServer: Server01
Persistent-Auth: true
X-FEServer: Server01
Content-Length: 11756
Cache-Control: private
Content-Type: text/xml; charset=utf-8
Date: Mon, 25 Aug 2014 19:12:25 GMT
Set-Cookie: X-BackEndCookie=S-1-5-21-1293235207-2459173341-1304346827-14544=u56Lnp2ejJqBypqcnsfJx5nSy8ucnNLLnJzP0sfKz8/Sy5nHmsiamZrMyZrLgYHPxtDNy9DNz87L387Gxc7Nxc3J; expires=Thu, 25-Sep-2014 00:12:26 GMT; path=/Autodiscover; secure; HttpOnly
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Elapsed Time: 756 ms.
Autodiscover settings for Outlook connectivity are being validated.
The Microsoft Connectivity Analyzer validated the Outlook Autodiscover settings.
Additional Details
Elapsed Time: 0 ms.
Testing RPC over HTTP connectivity to server webmail.xyz.com
RPC over HTTP connectivity was verified successfully.
Additional Details
HTTP Response Headers:
request-id: 835acf95-78b7-40ae-b232-117318d1577e
Server: Microsoft-IIS/8.5
WWW-Authenticate: Basic realm="webmail.xyz.com",Negotiate,NTLM
X-Powered-By: ASP.NET
X-FEServer: Server01
Date: Mon, 25 Aug 2014 19:12:26 GMT
Content-Length: 0
Elapsed Time: 7817 ms.
Test Steps
Attempting to resolve the host name webmail.xyz.com in DNS.
The host name resolved successfully.
Additional Details
IP addresses returned: x.x.x.x
Elapsed Time: 107 ms.
Testing TCP port 443 on host webmail.xyz.com to ensure it's listening and open.
The port was opened successfully.
Additional Details
Elapsed Time: 180 ms.
Testing the SSL certificate to make sure it's valid.
The certificate passed all validation requirements.
Additional Details
Elapsed Time: 303 ms.
Test Steps
The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server webmail.xyz.com on port 443.
The Microsoft Connectivity Analyzer successfully obtained the remote SSL certificate.
Additional Details
Remote Certificate Subject: CN=webmail.xyz.com, OU=Terms of use at www.verisign.com/rpa (c)05, Issuer: CN=VeriSign Class 3 Secure Server CA - G3, OU=Terms of use at https://www.verisign.com/rpa (c)10, OU=VeriSign Trust Network, O="VeriSign,
Inc.", C=US.
Elapsed Time: 224 ms.
Validating the certificate name.
The certificate name was validated successfully.
Additional Details
Host name webmail.xyz.com was found in the Certificate Subject Common name.
Elapsed Time: 0 ms.
Certificate trust is being validated.
The certificate is trusted and all certificates are present in the chain.
Test Steps
The Microsoft Connectivity Analyzer is attempting to build certificate chains for certificate CN=webmail.xyz.com, OU=Terms of use at www.verisign.com/rpa (c)05,
One or more certificate chains were constructed successfully.
Additional Details
A total of 1 chains were built. The highest quality chain ends in root certificate CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign,
Inc.", C=US.
Elapsed Time: 34 ms.
Analyzing the certificate chains for compatibility problems with versions of Windows.
Potential compatibility problems were identified with some versions of Windows.
Additional Details
The Microsoft Connectivity Analyzer can only validate the certificate chain using the Root Certificate Update functionality from Windows Update. Your certificate may not be trusted on Windows if the "Update Root Certificates" feature
isn't enabled.
Elapsed Time: 5 ms.
Testing the certificate date to confirm the certificate is valid.
Date validation passed. The certificate hasn't expired.
Additional Details
The certificate is valid. NotBefore = 1/3/2013 12:00:00 AM, NotAfter = 11/16/2015 11:59:59 PM
Elapsed Time: 0 ms.
Checking the IIS configuration for client certificate authentication.
Client certificate authentication wasn't detected.
Additional Details
Accept/Require Client Certificates isn't configured.
Elapsed Time: 298 ms.
Testing HTTP Authentication Methods for URL https://webmail.xyz.com/rpc/[email protected]:6002.
The HTTP authentication methods are correct.
Additional Details
The Microsoft Connectivity Analyzer found all expected authentication methods and no disallowed methods. Methods found: Basic, Negotiate, NTLM
HTTP Response Headers:
request-id: 835acf95-78b7-40ae-b232-117318d1577e
Server: Microsoft-IIS/8.5
WWW-Authenticate: Basic realm="webmail.xyz.com",Negotiate,NTLM
X-Powered-By: ASP.NET
X-FEServer: Server01
Date: Mon, 25 Aug 2014 19:12:26 GMT
Content-Length: 0
Elapsed Time: 296 ms.
Attempting to ping RPC proxy webmail.xyz.com.
RPC Proxy was pinged successfully.
Additional Details
Elapsed Time: 454 ms.
Attempting to ping the MAPI Mail Store endpoint with identity: [email protected]:6001.
The endpoint was pinged successfully.
Additional Details
The endpoint responded in 0 ms.
Elapsed Time: 1007 ms.
Testing the MAPI Address Book endpoint on the Exchange server.
The address book endpoint was tested successfully.
Additional Details
Elapsed Time: 2177 ms.
Test Steps
Attempting to ping the MAPI Address Book endpoint with identity: [email protected]:6004.
The endpoint was pinged successfully.
Additional Details
The endpoint responded in 906 ms.
Elapsed Time: 918 ms.
Testing the address book "Check Name" operation for user [email protected] against server [email protected].
The test passed with some warnings encountered. Please expand the additional details.
Tell me more about this issue and how to resolve it
Additional Details
The address book Bind operation returned ecNotSupported. This typically indicates that your server requires encryption. The Microsoft Connectivity Analyzer will attempt the Address Book test again with encryption.
NSPI Status: 2147746050
Elapsed Time: 825 ms.
Testing the address book "Check Name" operation for user [email protected] against server [email protected].
Check Name succeeded.
Additional Details
DisplayName: Test Exch1, LegDN: /o=DOMAIN/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=add423106fbb47d5bf237462f52b8dab-Test Exch1
Elapsed Time: 433 ms.
Testing the MAPI Referral service on the Exchange Server.
The Referral service was tested successfully.
Additional Details
Elapsed Time: 1808 ms.
Test Steps
Attempting to ping the MAPI Referral Service endpoint with identity: [email protected]:6002.
The endpoint was pinged successfully.
Additional Details
The endpoint responded in 953 ms.
Elapsed Time: 949 ms.
Attempting to perform referral for user /o=DOMAIN/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=add423106fbb47d5bf237462f52b8dab-Test Exch1 on server [email protected].
We got the address book server successfully.
Additional Details
The server returned by the Referral service: [email protected]
Elapsed Time: 858 ms.
Testing the MAPI Address Book endpoint on the Exchange server.
The address book endpoint was tested successfully.
Additional Details
Elapsed Time: 626 ms.
Test Steps
Attempting to ping the MAPI Address Book endpoint with identity: [email protected]:6004.
The endpoint was pinged successfully.
Additional Details
The endpoint responded in 156 ms.
Elapsed Time: 154 ms.
Testing the address book "Check Name" operation for user [email protected] against server [email protected].
Check Name succeeded.
Additional Details
DisplayName: Test Exch1, LegDN: /o=DOMAIN/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=add423106fbb47d5bf237462f52b8dab-Test Exch1
Elapsed Time: 472 ms.
Testing the MAPI Mail Store endpoint on the Exchange server.
We successfully tested the Mail Store endpoint.
Additional Details
Elapsed Time: 555 ms.
Test Steps
Attempting to ping the MAPI Mail Store endpoint with identity: [email protected]:6001.
The endpoint was pinged successfully.
Additional Details
The endpoint responded in 234 ms.
Elapsed Time: 228 ms.
Attempting to log on to the Mailbox.
We were able to log on to the Mailbox.
Additional Details
Elapsed Time: 326 ms. -
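The symptom in the thread above (clients holding http://server02.xyz.com as proxy address while the virtual directories point to webmail.xyz.com) can be checked by saving the Autodiscover response each server returns and listing every host it hands out. This is an added example, not part of the original posts; the sample XML is constructed, and the function name `audit_autodiscover` and the finding labels are hypothetical.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Namespace of the Outlook Autodiscover response schema, as in the response quoted in the thread.
NS = {"o": "http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a"}

# Protocol types whose <Server> value is the Outlook Anywhere proxy host.
PROXY_TYPES = {"EXPR", "EXHTTP"}

# Constructed sample (not the poster's data): EXPR hands out a server name
# instead of the published namespace webmail.xyz.com.
SAMPLE = """<?xml version="1.0"?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
  <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
    <Account>
      <AccountType>email</AccountType>
      <Protocol>
        <Type>EXCH</Type>
        <Server>00000000-0000-0000-0000-000000000000@xyz.com</Server>
        <EwsUrl>https://webmail.xyz.com/ews/exchange.asmx</EwsUrl>
      </Protocol>
      <Protocol>
        <Type>EXPR</Type>
        <Server>server02.xyz.com</Server>
        <SSL>On</SSL>
        <AuthPackage>Ntlm</AuthPackage>
        <EwsUrl>https://webmail.xyz.com/ews/exchange.asmx</EwsUrl>
        <OABUrl>https://webmail.xyz.com/OAB/</OABUrl>
      </Protocol>
      <Protocol>
        <Type>EXHTTP</Type>
        <Server>webmail.xyz.com</Server>
        <SSL>On</SSL>
        <AuthPackage>Ntlm</AuthPackage>
        <EwsUrl>https://webmail.xyz.com/ews/exchange.asmx</EwsUrl>
      </Protocol>
    </Account>
  </Response>
</Autodiscover>"""


def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]


def audit_autodiscover(xml_text, expected_host):
    """Return (protocol, element, value, reason) for every setting that
    does not match the published namespace or drops transport security."""
    # Refuse DTDs: a saved response never needs one, and it avoids entity tricks.
    if "<!DOCTYPE" in xml_text.upper():
        raise ValueError("DTD not allowed in an Autodiscover response")
    expected = expected_host.lower()
    findings = []
    root = ET.fromstring(xml_text)
    # Only top-level protocols; the nested ones under WEB/Internal|External are skipped.
    for proto in root.iterfind(".//o:Account/o:Protocol", NS):
        ptype = (proto.findtext("o:Type", default="", namespaces=NS) or "").strip().upper()
        for child in proto:
            name = _local(child.tag)
            value = (child.text or "").strip()
            if name == "Server" and ptype in PROXY_TYPES:
                host = value.lower()
            elif name.endswith("Url") and value.lower().startswith(("http://", "https://")):
                host = (urlsplit(value).hostname or "").lower()
                if value.lower().startswith("http://"):
                    findings.append((ptype, name, value, "URL is not HTTPS"))
            else:
                continue  # relative EcpUrl-* fragments, ports, etc.
            if host != expected:
                findings.append((ptype, name, value, "host outside published namespace"))
        if ptype in PROXY_TYPES:
            ssl = (proto.findtext("o:SSL", default="", namespaces=NS) or "").strip().lower()
            if ssl != "on":
                findings.append((ptype, "SSL", ssl or "(missing)", "proxy endpoint without SSL"))
    return findings


if __name__ == "__main__":
    for finding in audit_autodiscover(SAMPLE, "webmail.xyz.com"):
        print(finding)
```

Running it against the response saved from each server behind the load balancer shows which one still advertises its own name.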
Exchange 2013 - How to configure Outlook Anywhere with certificate based authentication?
Hello,
is it possible to secure Outlook Anywhere in Exchange 2013 with certificate based authentication?
I found documentation to configure CBA for OWA and ActiveSync, but not for Outlook Anywhere.
We would like to secure external access to the mailboxes via Outlook by using CBA.
Thanks a lot in advance!
Regards,
André
Hi,
Let’s begin with the answer in the following thread:
http://social.technet.microsoft.com/Forums/en-US/e4b44ff0-4416-44e6-aa78-be4c1c03f433/twofactor-authentication-outlook-anywhere-2010?forum=exchange2010
Based on my experience, the Outlook client only has the following three authentication methods: Basic, NTLM, Negotiate. For more information about security for Outlook Anywhere, you can refer to the following article:
http://technet.microsoft.com/en-us/library/bb430792(v=exchg.141).aspx
If you have any question, please feel free to let me know.
Thanks,
Angela Shi
TechNet Community Support -
Exchange 2013 2007 co-existence Outlook Anywhere issues
Sorted out all other issues (apart from a SSO issue - another thread). ActiveSync, Autodiscover etc. all working - but Outlook Anywhere does not work for Exchange 2007 external mailboxes. It does work for 2013 mailboxes internally and externally - and 2007 mailboxes internally.
Exchange 2013 SP1. Exchange 2007 SP3 RU10. Legacy namespace is in use and on certificate. Outlook Anywhere IIS Authentication is set to Basic and NTLM on both 2007 and 2013 servers. Outlook Anywhere external client authentication is set to Basic.
Any suggestions what to look at next?
Tony,
I apologize for the stupid question, but was Outlook Anywhere working on Exchange 2007 before you started the upgrade?
When you open command prompt on Exchange 2007 and ping the Exchange 2007 internal FQDN or NetBIOS name, do you get an IPv4 address or you get the IPv6 one?
Step by Step Screencasts and Video Tutorials -
Exchange 2013 how to disable outlook anywhere
Hi Team,
I have migrated some mailboxes from Exchange 2010 to 2013. But I want to restrict some users from using Outlook Anywhere.
How can i do this?
Also, Some outlook 2010 clients are not able to open outlook after migrating to Exchange 2013. Please help.
Thanks.
Regards, Sunny Kewalramani.
Hi,
Firstly, I'm afraid that we cannot disable Outlook Anywhere for certain users only when they use OA externally. And if the property MAPIBLOCKOutlookRpcHttp of a user is set to true, the user cannot access Exchange server both internally and externally.
Thanks,
Angela Shi
TechNet Community Support -
Publishing Exchange 2013 Outlook Web App with Forefront TMG 2010
Hello guys,
I have published Exchange 2013 via TMG 2010 with pre-authentication. Since this is the first time I am doing it- I want to ask experts for the explanations:).
When I configure Active Sync on mobile, I just type the password and it starts syncing after 20 sec.
When I use a browser and try to log in using the TMG logon screen, after I enter credentials (if they were not wrong), I get the Exchange 2013 logon screen (because my password was checked by DCs).
I have customized the TMG template to the Exchange 2013 template, but it did not help - I have two logon screens.
Is it possible to configure TMG to show only one logon screen (without disabling pre-authentication)? Does it work this way?
Did I miss something?
Hi,
Please try to enable FBA for external and internal OWA 2010 users by the methods in the blog below.
There are several ways to accomplish this:
Have internal users pointed to the internal interface of the Forefront TMG and utilize the forms-based authentication logon page offered by Forefront TMG.
Deploy Forefront UAG instead of Forefront TMG. Forefront UAG allows you to have FBA enabled on both the Exchange 2010 Client Access Servers and on the Forefront UAG solution itself.
Publish Exchange 2010 to the Internet using Forefront TMG but do not configure pre-authentication. This way the users need to go through the Forefront TMG solution, but will authenticate directly against the Exchange 2010 Client Access servers.
Configure an additional OWA and ECP virtual directory on the Exchange 2010 Client Access Servers.
Reference: http://www.msexchange.org/articles-tutorials/exchange-server-2010/management-administration/enabling-forms-based-authentication-external-internal-owa-2010-users-exchange-2010-published-using-forefront-tmg-2010-part1.html
Then check the blog
- Creating a custom Forefront TMG 2010 OWA FBA logon page
Note:
Microsoft provides third-party contact information to help you find technical support. This contact information may change without notice. Microsoft does not guarantee the accuracy of this third-party contact information.
Best Regards,
Joyce -
Exchange 2007 SP3 + Active Sync + OWA
I am curious if this can be done:
We want OWA to say use https://webmail.xyz.com
Then we want say use: https://activesync.xyz.com to be exclusively for active sync NOT web mail.
So if someone sets up their device and it asks for exchange server: webmail.xyz.com, that only has exclusive rights to OWA, not active sync.
If someone sets up their device with activesync.xyz.com then they just go through active sync and NOT OWA.
Can this be done with Exchange 2007 SP3, and the reason we are looking into this is for security reasons.
I need help to find out if this can be done.
Right now we have webmail.xyz.com configured for both OWA & active sync.
thanks
Can you give me some details on how this has to be done? Do I have to create another URL for, say, active sync and keep the OWA URL?
Then get a certificate for the Active Sync URL?
Thanks -
Exchange server with active sync in outlook for mac
I am currently using a Windows 7 machine and have installed Outlook on it. Outlook is configured with Exchange Server 2013 with the ActiveSync protocol. Everything works fine. Now I am planning to purchase a new MacBook and want to install Office for Mac 2011 on it. I want to know whether I can configure my Exchange Server 2013 with ActiveSync on that.
Outlook is not using ActiveSync, nor does Office for Mac use it. Outlook is using MAPI (over HTTPS) to connect to Exchange Server, while ActiveSync is used only by mobile devices (such as smartphones and tablets) and by the Windows Mail client. And Office 2011 for Mac uses EWS to connect to Exchange. I can confirm that it works fine.
Please mark as helpful if you find my contribution useful or as an answer if it does answer your question. That will encourage me - and others - to take time out to help you. Thank you! Damir -
Exchange 2013 OWA IM to federated users
Hi I configured Exchange 2013 OWA IM for Lync server and everything is working fine except that I can't IM federated Lync users when the conversation is initiated from OWA. When I start an IM conversation from the federated user to my OWA, everything is
working fine. Also the replies arrive then! So it must be something with initiating the session. I don't have issues with federated users form normal Lync desktop clients or mobile clients.
In the lync logs I notice the following when starting the conversation from OWA:
1027;reason="Cannot route this type of SIP request to or from federated partners";
I also notice there's a KB2977259 (http://support.microsoft.com/kb/2977259) that discusses similar things but I'm not working with contacts like that and I guess they don't mean that you have to do this for every federated contact a Lync user has.
Does somebody else also experience this issue?
Update: following this KB I tried to add a new Outlook contact in OWA and add my SIP address as "sip:[email protected]". When doing this it actually works to IM this federated user. But this is actually a workaround you can't expect your users to implement. I can't believe nobody else has issues with this.
Hi DS_Kevin,
Please post a little more log information. It seems that IM from OWA can’t locate the federated user’s SIP address without the sip prefix.
Best Regards,
Lisa Zheng
TechNet Community Support -
Exchange 2013 OWA integration with ADFS and coexistence with Exchange 2007
Team,
I have successfully integrated adfs 3.0 and Exchange 2013 owa and ecp. However, we have a coexistence environment with exchange 2007. When you access owa, which then redirects you to adfs, sign-in, and then get redirected back to owa. If your
mailbox is still within Exchange 2007, you get a blank login page. If your mailbox is in Exchange 2013 then you successfully get the OWA page for 2013. The problem is that all Exchange 2007 mailbox users get blank pages at login. So I have determined
that the Exchange 2013 CAS is not doing the service location lookup on the mailbox to determine if a redirect to the legacy OWA address is needed. Is there a configuration setting that I might be missing? Or does the integration with ADFS and OWA not support
the much needed mailbox lookup for a coexistence environment? A side note: if we enable FBA with OWA, both login scenarios work just fine (legacy and new 2013). The legacy namespace has been created, and applied to the Exchange 2007 URLs.
Hi,
Try using AD FS claims-based authentication with Outlook Web App and EAC
http://technet.microsoft.com/en-us/library/dn635116(v=exchg.150).aspx
Thanks,
Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact
[email protected]
Simon Wu
TechNet Community Support -
Publish Exchange 2013 using UAG 2010 Sp4
Hi,
We need to publish Exchange 2013 through UAG 2010. But we are not getting any dedicated link for UAG 2010 to publish Exchange 2013. we have UAG 2010 with SP4.
Is there any Step by step UAG 2010 configuration link to publish Exchange 2013?
Thanks
jitender
Hi Jitender,
Based on my knowledge, publishing Exchange 2013 with UAG 2010 is similar to publishing Exchange 2010.
I found a related blog and guide for your reference:
1. Publishing Exchange Server 2010 with Forefront UAG and TMG
http://blogs.technet.com/b/exchange/archive/2010/07/16/publishing-exchange-server-2010-with-forefront-uag-and-tmg.aspx
2. Publishing Exchange Server 2010 with Forefront Unified Access Gateway 2010 and Forefront Threat Management Gateway 2010
http://www.microsoft.com/en-us/download/details.aspx?displaylang=en&id=8946
Please also notice the System requirement of both Exchange 2013 and UAG 2010.
System Requirement
Exchange 2013
http://technet.microsoft.com/en-us/library/aa996719(v=exchg.150).aspx
UAG 2010 SP4
Supported Operating System
Windows Server 2008 R2
Servers running Forefront UAG and SP4 require the following:
• Windows Server 2008 R2 Standard, Windows Server 2008 R2 Enterprise, or Windows Server 2008 R2 DataCenter.
• Microsoft Forefront Threat Management Gateway (TMG) 2010 Service Pack 2
Thanks
Mavis Huang
TechNet Community Support -
Exchange 2013 OWA internal only
Hi all,
Does anyone know how to restrict Exchange 2013 OWA for internal only, but can't impact Exchange ActiveSync service?
I guess IP Address and Domain Restrictions can make it, but it may impact ActiveSync.
Any good solution?
Thanks,
Ian
Hi,
Based on my research, we can install the CAS and Mailbox roles on two separate servers. Then we can create a new website with a unique IP, adding only ActiveSync to that website. That would give us a website hosted on the box that served the ActiveSync
devices but nothing else, leaving OWA open for internal access. The firewall would point to this website/IP on the CAS. We could also create a virtual directory under there for /OWA and /Exchange which would serve up the generic "this service is no longer
available, please contact the help desk" message as the default webpage.
http://blogs.technet.com/b/messaging_with_communications/archive/2011/05/02/how-to-block-owa-for-external-users.aspx
Thanks,
Angela Shi
TechNet Community Support -
How to configure Exchange 2013 OWA with Single Sign On
Hi All ,
How to configure Exchange 2013 OWA with Single Sign On ?
Thanks.
Hi,
From your description, I am not quite sure what you really want to achieve. Could you explain it further? If you need to set up Exchange 2013 OWA single sign-on with Exchange 2010, here is a helpful thread for your reference.
Exchange 2013 OWA Single Sign on with Exchange 2010
https://social.technet.microsoft.com/Forums/en-US/2899ebfc-8622-4cdc-8d77-d76b607618f7/exchange-2013-owa-single-sign-on-with-exchange-2010?forum=exchangesvrdeploy
If that is not your case, please feel free to tell me.
Best regards,
If you have feedback for TechNet Subscriber Support, contact
[email protected]
Amy Wang
TechNet Community Support -
Exchange 2013 - OWA "Something Went Wrong", Out of office in Outlook "Server unavailable"
Hi,
We have a new deployment of Exchange 2013 CU2 V2 running on a Windows 2012 server. Everything has been running without issues and then without any real clue to why, we are now getting an issue where OWA says "Something Went Wrong" after processing
your login, (it appears to process the login as if I type in incorrect details it tells me the password/username is wrong).
At the same time we have also lost the ability to run the Out Of Office in Outlook which comes back saying the server is not available and we can't seem to share calendars correctly either. (Can set Out Of Office via the Management Shell without issues).
When running a Get-Serverhealth on the OWA.Protocol it tells me the OWASelfTestMonitor is unhealthy.
I've tried re-creating the OWA and EWS Virtual Directories and also the Autodiscover one, but with no effect. I've also restarted the server.
Outlook 2013 and mobile phones are working fine on the server and the Exchange Admin Centre is also working without issues.
I am getting tempted to apply CU2 again to see if this sorts it but don't really like doing this on a server with 50 live users on it...
In the eventlog I can see lots of the 2 errors listed below which seems to line up. (System Log and Application Log seem to be clear of other errors or warnings.)
Event code: 3005
Event message: An unhandled exception has occurred.
Event time: 04/11/2013 11:25:00
Event time (UTC): 04/11/2013 11:25:00
Event ID: 2fcdb9112c794b63a9ea9577a23e4603
Event sequence: 2
Event occurrence: 1
Event detail code: 0
Application information:
Application domain: /LM/W3SVC/2/ROOT/owa-411-130280378905273269
Trust level: Full
Application Virtual Path: /owa
Application Path: C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\owa\
Machine name: SERVERNAME (I altered this for post)
Process information:
Process ID: 9648
Process name: w3wp.exe
Account name: NT AUTHORITY\SYSTEM
Exception information:
Exception type: HttpException
Exception message: '.', hexadecimal value 0x00, is an invalid character. Line 1, position 1.
Lots more code.......
AND
Event code: 3005
Event message: An unhandled exception has occurred.
Event time: 04/11/2013 11:24:24
Event time (UTC): 04/11/2013 11:24:24
Event ID: 2586a044b2d74b97a1095aec478bf4ae
Event sequence: 2
Event occurrence: 1
Event detail code: 0
Application information:
Application domain: /LM/W3SVC/2/ROOT/EWS-668-130280378564324526
Trust level: Full
Application Virtual Path: /EWS
Application Path: C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess\exchweb\EWS\
Machine name: SERVERNAME (I have changed this for post)
Process information:
Process ID: 9840
Process name: w3wp.exe
Account name: NT AUTHORITY\SYSTEM
Exception information:
Exception type: HttpException
Exception message: '.', hexadecimal value 0x00, is an invalid character. Line 1, position 1.
lots more data...
Hi Angela,
I can't see any re-directions on the website and have certainly not set any intentionally. I did try installing the Remote Web Gateway on the server and then found that it doesn't work on an exchange box and removed it but the server was working after
this.
The HTTP Redirect in Default Web Site is not showing anything set and the same for the Back End.
The bindings on the default site all look normal with;
http 80 127.0.0.1
https 443 127.0.0.1
http 80 *
http 443 *
The same is mirrored in the Exchange Back End site but with ports 81 and 444.
Running the Outlook auto configure just using Autodiscover all looks good with the URLs listed all pointing to (http)://mail.mydomain.co.uk/whatever... and the log says Autodiscover to (https)://mail.mydomain.co.uk/Autodiscover/Autodiscover.xml Succeeded (0x00000000)
But, if I type in the OOF address of (https)://mail.mydomain.co.uk/EWS/exchange.asmx I get a login prompt but once user details are entered I then get;
'.', hexadecimal value 0x00, is an invalid character. Line 1, position 1.
Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.
Exception Details: System.Xml.XmlException: '.', hexadecimal value 0x00, is an invalid character. Line 1, position 1.
Source Error:
An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.
Stack Trace:
[XmlException: '.', hexadecimal value 0x00, is an invalid character. Line 1, position 1.]
System.Xml.XmlTextReaderImpl.Throw(String res, String[] args) +163
System.Xml.XmlTextReaderImpl.ParseRootLevelWhitespace() +7572550
System.Xml.XmlTextReaderImpl.ParseDocumentContent() +62
System.Xml.XmlReader.ReadToFollowing(String name) +112
Microsoft.Exchange.Data.ApplicationLogic.Extension.KillBitHelper.ReadKillBitXmlContent(XmlReader reader, Int32& refreshRate) +185
Microsoft.Exchange.Data.ApplicationLogic.Extension.KillBitHelper.TryReadKillBitFile(Int32& refreshRate, DateTime& lastModifiedTime) +710
Microsoft.Exchange.Data.ApplicationLogic.Extension.KillBitTimer.Start() +202
Microsoft.Exchange.Services.Global.Application_Start(Object sender, EventArgs e) +975
[HttpException (0x80004005): '.', hexadecimal value 0x00, is an invalid character. Line 1, position 1.]
System.Web.HttpApplicationFactory.EnsureAppStartCalledForIntegratedMode(HttpContext context, HttpApplication app) +12864205
System.Web.HttpApplication.RegisterEventSubscriptionsWithIIS(IntPtr appContext, HttpContext context, MethodInfo[] handlers) +175
System.Web.HttpApplication.InitSpecial(HttpApplicationState state, MethodInfo[] handlers, IntPtr appContext, HttpContext context) +304
System.Web.HttpApplicationFactory.GetSpecialApplicationInstance(IntPtr appContext, HttpContext context) +404
System.Web.Hosting.PipelineRuntime.InitializeApplication(IntPtr appContext) +475
[HttpException (0x80004005): '.', hexadecimal value 0x00, is an invalid character. Line 1, position 1.]
System.Web.HttpRuntime.FirstRequestInit(HttpContext context) +12880948
System.Web.HttpRuntime.EnsureFirstRequestInit(HttpContext context) +159
System.Web.HttpRuntime.ProcessRequestNotificationPrivate(IIS7WorkerRequest wr, HttpContext context) +12722137
Really wishing I had installed Exchange 2010 at this point!! Just can't see why it's not working :( -
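The stack trace in the post above shows System.Xml failing on a 0x00 byte at line 1, position 1 while KillBitHelper reads an XML file at application start, which is the error an XML file beginning with NUL bytes produces. The following PowerShell is an added example, not part of the thread: it lists .xml files under a root whose first bytes are NUL. The thread does not say where the kill-bit file is stored, so `$Root` (defaulting to the ClientAccess path from the event log) and the function name `Get-XmlHeadState` are assumptions.

```powershell
param(
    # Assumption: root to scan; default is the ClientAccess path shown in the event log.
    [string]$Root = 'C:\Program Files\Microsoft\Exchange Server\V15\ClientAccess'
)

function Get-XmlHeadState {
    param([Parameter(Mandatory = $true)][string]$Path)

    # FileShare ReadWrite lets us read a file that w3wp.exe still holds open.
    try {
        $fs = [System.IO.File]::Open($Path, [System.IO.FileMode]::Open,
            [System.IO.FileAccess]::Read, [System.IO.FileShare]::ReadWrite)
    } catch {
        return 'Unreadable'
    }
    try {
        # Sample at most the first 4 KB of the file.
        $buf = New-Object byte[] 4096
        $n = $fs.Read($buf, 0, $buf.Length)
    } finally {
        $fs.Dispose()
    }

    if ($n -eq 0) { return 'Empty' }
    if ($buf[0] -ne 0) { return 'Ok' }

    # A leading 0x00 is legitimate only for big-endian text:
    # UTF-32BE (00 00 FE FF or 00 00 00 3C) and BOM-less UTF-16BE (00 3C ...).
    if ($n -ge 4 -and $buf[1] -eq 0 -and
        (($buf[2] -eq 0xFE -and $buf[3] -eq 0xFF) -or
         ($buf[2] -eq 0 -and $buf[3] -eq 0x3C))) {
        return 'BigEndianText'
    }
    if ($n -ge 2 -and $buf[1] -eq 0x3C) { return 'BigEndianText' }

    # Otherwise the file starts with NUL padding; is the sampled head all zero?
    for ($i = 0; $i -lt $n; $i++) {
        if ($buf[$i] -ne 0) { return 'LeadingNul' }
    }
    return 'ZeroFilled'
}

# Report every .xml file whose head is not ordinary text.
Get-ChildItem -Path $Root -Recurse -File -Filter *.xml -ErrorAction SilentlyContinue |
    ForEach-Object {
        $state = Get-XmlHeadState -Path $_.FullName
        if ($state -ne 'Ok') {
            [pscustomobject]@{ State = $state; Length = $_.Length
                               LastWriteTime = $_.LastWriteTime; Path = $_.FullName }
        }
    }
```

A `ZeroFilled` or `LeadingNul` result with a `LastWriteTime` close to when the errors began identifies a file to compare against a known-good copy before changing anything.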
I am trying to connect my Exchange email to my iPhone without using ActiveSync. I am able to connect it to the Mac Mail program on my MacBook Pro without any issues. Can this be done on the iPhone? Please instruct.
Hi,
I have a similar issue, just purchased an iPhone 4, can't get my enterprise emails because I get the typical "Unable to verify" message. My IT guys (who are totally unfamiliar with the iPhone because we are a BlackBerry organisation) tried to create an account on my iPhone with no success, afterwards they said that our email application is not compatible with the iPhone and that "we will upgrade it but don't know when".
After googling (without understanding much) I found that:
ActiveSync is needed for the iPhone to get emails, ActiveSync works only with Microsoft Exchange SP2.
We have Microsoft Exchange 2003 RTM (6.5.6944.3) so no SP1, no SP2.
Is this the issue why we can't get it to work? If yes, is there any other way to get my emails without this ActiveSync?
(We have OWA in case this is useful.)
Thanks a lot!