SSL/MSSTD settings Outlook anywhere
All,
just want to raise a question, as I noticed a strange behaviour.
I have Exchange 2013 with Outlook Anywhere configured in this way:
So external and internal hostname is the same, SSL required only from external.
Internal connection works just fine and Outlook doesn't set the flag and the MSSTD setting for SSL.
Externally, if I set up from scratch, it's working as well, and the msstd is flagged and set up.
Problems begin when I migrate mailboxes from an Exchange 2010 in coexistence, which will be decommissioned in the future. After migration, user's Outlook (connected from external AND not domain-joined) was properly reconfigured BUT for the msstd setting, which was missing.
As a result, the Outlook connection was totally flickering, up and down every now and then, plus it kept "connecting" for the directory service.
Setting up the msstd setting manually, everything is fine.
Now, we know that in EX2013 the Autodiscovery behaviour has changed:
http://support.microsoft.com/kb/2754898/en-us
Practically, it will always try the internal host name first, regardless of where you're connecting from.
I was wondering: since the hostname is the same for both internal and external, would this lead autodiscovery to misinterpret the configuration (InternalClientRequireSSL is set to $False) and leave the configuration unflagged in Outlook?
And, if so, why on migrated mailboxes only?
Any suggestion, answer and comment will be hugely appreciated!
Thanks!
In the Autodiscover.xml that is returned to the client, there are two EXHTTP sections with settings. Outlook will try the first block (internalSettings) and in your case it will be successful since you are using the same name for both internal- and externalhostname. So with that, SSL will not be required.
Example:
<Protocol>
  <Type>EXHTTP</Type>
  <Server>mail.domain.com</Server>
  <SSL>Off</SSL>
  <AuthPackage>Ntlm</AuthPackage>
</Protocol>
<Protocol>
  <Type>EXHTTP</Type>
  <Server>mail.domain.com</Server>
  <SSL>On</SSL>
  <AuthPackage>Ntlm</AuthPackage>
</Protocol>
Personally, I always configure the same name for both internal- and externalhostname, use the authentication method NTLM AND InternalClientsRequireSSL=True.
Not a good idea to disable Outlook Anywhere on Exchange 2010 when running in co-existence.
Can you also confirm that autodiscover is pointing to your Exchange 2013 Server?
Martina Miskovic
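The block ordering described in the answer above can be checked offline against a saved Autodiscover response. This is an added example, not part of the original posts: the function names Get-ExhttpBlock and Test-ExhttpSslOrder are hypothetical, and the sample XML is constructed from the answer's two EXHTTP blocks (the CertPrincipalName value in the second block is a constructed illustration).

```powershell
# Added example, not from the thread. The sample below is constructed from the
# two EXHTTP blocks in the answer; mail.domain.com is the thread's placeholder.
$sample = @'
<?xml version="1.0" encoding="utf-8"?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
  <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
    <Account>
      <AccountType>email</AccountType>
      <Action>settings</Action>
      <Protocol>
        <Type>EXHTTP</Type>
        <Server>mail.domain.com</Server>
        <SSL>Off</SSL>
        <AuthPackage>Ntlm</AuthPackage>
      </Protocol>
      <Protocol>
        <Type>EXHTTP</Type>
        <Server>mail.domain.com</Server>
        <SSL>On</SSL>
        <AuthPackage>Ntlm</AuthPackage>
        <CertPrincipalName>msstd:mail.domain.com</CertPrincipalName>
      </Protocol>
    </Account>
  </Response>
</Autodiscover>
'@

function Get-ExhttpBlock {
    # Returns the top-level EXHTTP/EXPR protocol blocks in document order,
    # which is the order the answer says Outlook tries them in.
    param([Parameter(Mandatory = $true)][xml]$Xml)

    $order = 0
    foreach ($p in $Xml.Autodiscover.Response.Account.Protocol) {
        if ($p.Type -notin 'EXHTTP', 'EXPR') { continue }
        $order++
        [pscustomobject]@{
            Order             = $order
            Type              = $p.Type
            Server            = $p.Server
            SSL               = $p.SSL
            AuthPackage       = $p.AuthPackage
            CertPrincipalName = $p.CertPrincipalName   # $null when the element is absent
        }
    }
}

function Test-ExhttpSslOrder {
    # Flags the situation from the thread: an earlier block without SSL that
    # shares its host name with a later block of the same type that has SSL On.
    param([Parameter(Mandatory = $true)][xml]$Xml)

    $blocks = @(Get-ExhttpBlock -Xml $Xml)
    foreach ($b in $blocks) {
        if ($b.SSL -eq 'On') { continue }
        $later = @($blocks | Where-Object {
            $_.Order -gt $b.Order -and $_.Type -eq $b.Type -and
            $_.Server -eq $b.Server -and $_.SSL -eq 'On'
        })
        if ($later.Count -gt 0) {
            [pscustomobject]@{
                Type    = $b.Type
                Server  = $b.Server
                Finding = "Block $($b.Order) (SSL $($b.SSL)) precedes block " +
                          "$($later[0].Order) (SSL On) for the same host name"
            }
        }
    }
}

$doc = [xml]$sample
Get-ExhttpBlock -Xml $doc | Format-Table -AutoSize
Test-ExhttpSslOrder -Xml $doc | Format-List
```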
Hi Martina,
thanks for the clear answer! I had kind-of the same idea, wondering if Exchange could possibly mess up using the same name - sort of bug.
I'll try to set for both internal and external to require SSL.
I'm not clear, however, how to set the authentication. NTLM only? NTLM + Basic + Negotiate? And same auth method for both int and ext? Ultimately, how would you set up the IISAuthenticationMethods?
Ah! What would you mean by: "confirm that autodiscover is pointing to your Exchange 2013 Server?"
Thanks in advance!
Ale.
Similar Messages
-
Exchange 2007 - Outlook Anywhere problems after installing new SSL cert
*** Original thread posted on wrong forum ***
Hi all,
Exchange 2007 environment (2x CAS, ISA2006). Not much familiar with Exchange.
Problem: 20-odd machines off the domain use Outlook Anywhere (XP with Outlook 2010). Authentication pop-up and not able to connect.
Company has recently changed its name and we had to renew the SSL cert. Previous SSL cert. was issued to: webmail.oldcompname.co.uk (several SANs on that cert., including internal server names).
Applied for a new UCC SSL cert issued to: newcompanyname.com (also includes webmail.newcompanyname.com ; autodiscover.newcompanyname.com + old SANs).
The setting on those machines point the proxy to the following:
Https://webmail.oldcompname.co.uk (which is fine since it is in the cert and can be accessed)
Only connect to proxy servers that have this principal name in their cert.:
msstd:webmail.oldcompname.co.uk (I believe this is the problem since the new UCC SSL cert. was issued to newcompanyname.com).
Browsing technet + internet it seems that I need to look into OutlookProvider EXPR.
When I run Get-OutlookProvider everything is blank (I believe I should be concerned to EXPR only for Outlook Anywhere).
I am thinking of running: Set-OutlookProvider -Identity EXPR -CertPrincipalName msstd:newcomanyname.com
My only concern is whether this might break something else in the Exchange environment, especially as we have 100+ users on smartphones connecting via SSL on webmail.oldcompname.co.uk
Is it safe to run this command? Do I need to re-start IIS? Do I need to look into any settings on ISA2006?
Comments/help are much appreciated.
Regards
Hi,
According to the description, I found that we re-new a SSL certificate.
"I am thinking of running: Set-OutlookProvider -Identity EXPR -CertPrincipalName msstd:newcomanyname.com"
Just do it. Then remove the old certificate on ISA server and install a new one.
Found a similar thread for your reference:
Renewal of SSL certificate in exchange 2007 with ISA 2006
http://social.technet.microsoft.com/Forums/exchange/en-US/25770038-8491-470a-92fa-8ae50674b7a6/renewal-of-ssl-certificate-in-exchange-2007-with-isa-2006
Hope it is helpful
Thanks
Mavis
Mavis Huang
TechNet Community Support -
Exchange msstd: setting in outlook connection for Outlook Anywhere
I currently have the Exchange Provider for EXPR set to $null, however I still seem to get msstd:mail.mydomain.com set in my Outlook connection string setting on all machines. Where is this setting coming from? We do push the Outlook Anywhere settings via GPO and have the ProxyServer string defined set to mail.mydomain.com. The flags are set to ensure SSL is defined on the connection.
We are in the process of moving from Exchange 2007 to Exchange 2013. Will it be a problem moving from a UCC cert with a friendly name of mail.mydomain.com to a wild card SSL cert on the 2013 servers with *.mydomain.com set, if the "connect to proxy servers that have this principal name in their certificate" is selected? I'm concerned that msstd:mail.mydomain.com does not match msstd:*.mydomain.com?
Thanks in advance
Hi,
We can run the following command to set with Ed’s suggestion:
Set-OutlookProvider -Identity EXPR -CertPrincipalName msstd:*.mydomain.com
Regards,
Winnie Liang
TechNet Community Support -
Outlook 2011 Outlook anywhere settings won't stick
We recently enabled Outlook Anywhere on our EX2010 Std server. When we tried testing with our Outlook 2011 for Mac clients we can get AutoDiscover to work both externally and internally. The problem is AutoDiscover always puts the EWS URL to the internal one and not the external one. Externally it works for the initial session and then all subsequent sessions try contacting the internal URL. Is there any way to stop that behavior or should I use the same External URL for the internal URL in EWS?
We have, here is a break down of all our settings:
[PS] E:\scripts>Get-AutodiscoverVirtualDirectory | fl identity,InternalURL,ExternalURL
Identity : MAIL\Autodiscover (Default Web Site)
InternalUrl : https://mail.voxmedica.net/Autodiscover/Autodiscover.xml
ExternalUrl : https://webmail.voxmedica.com/Autodiscover/Autodiscover.xml
[PS] E:\scripts>Get-WebServicesVirtualDirectory | fl identity,InternalURL,ExternalURL
Identity : MAIL\EWS (Default Web Site)
InternalUrl : https://mail.voxmedica.net/EWS/Exchange.asmx
ExternalUrl : https://webmail.voxmedica.com/ews/exchange.asmx
[PS] E:\scripts>Get-oabvirtualdirectory | fl identity,InternalURL,ExternalURL
Identity : MAIL\OAB (Default Web Site)
InternalUrl : http://mail.voxmedica.net/OAB
ExternalUrl : https://webmail.voxmedica.com/OAB
[PS] E:\scripts>Get-owavirtualdirectory | fl identity,InternalURL,ExternalURL
Identity : MAIL\owa (Default Web Site)
InternalUrl : https://mail.voxmedica.net/owa
ExternalUrl : https://webmail.voxmedica.com/owa
[PS] E:\scripts>Get-ecpvirtualdirectory | fl identity,InternalURL,ExternalURL
Identity : MAIL\ecp (Default Web Site)
InternalUrl : https://mail.voxmedica.net/ecp
ExternalUrl : https://webmail.voxmedica.com/ecp
[PS] E:\scripts>Get-activesyncvirtualdirectory | fl identity,InternalURL,ExternalURL
Identity : MAIL\Microsoft-Server-ActiveSync (Default Web Site)
InternalUrl : https://mail.voxmedica.net/Microsoft-Server-ActiveSync
ExternalUrl : https://webmail.voxmedica.com/Microsoft-Server-ActiveSync
[PS] E:\scripts>Get-clientaccessserver | fl identity,AutoDiscoverServiceInternalUri
Identity : MAIL
AutoDiscoverServiceInternalUri : https://mail.voxmedica.net/Autodiscover/Autodiscover.xml
Here is the XML log from WIN7 running Outlook 2010 (can't seem to copy the results or regular log)
<?xml version="1.0" encoding="utf-8"?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
<Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
<User>
<DisplayName>Creative Freelance01</DisplayName>
<LegacyDN>/o=Email/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=Creative Freelance01</LegacyDN>
<AutoDiscoverSMTPAddress>[email protected]</AutoDiscoverSMTPAddress>
<DeploymentId>c2ed12a3-7b97-45d5-b139-b57027ef78b5</DeploymentId>
</User>
<Account>
<AccountType>email</AccountType>
<Action>settings</Action>
<Protocol>
<Type>EXCH</Type>
<Server>MAIL.voxmedica.net</Server>
<ServerDN>/o=Email/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=MAIL</ServerDN>
<ServerVersion>738180DA</ServerVersion>
<MdbDN>/o=Email/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=MAIL/cn=Microsoft Private MDB</MdbDN>
<PublicFolderServer>MAIL.voxmedica.net</PublicFolderServer>
<AD>DC02.voxmedica.net</AD>
<ASUrl>https://mail.voxmedica.net/EWS/Exchange.asmx</ASUrl>
<EwsUrl>https://mail.voxmedica.net/EWS/Exchange.asmx</EwsUrl>
<EcpUrl>https://mail.voxmedica.net/ecp/</EcpUrl>
<EcpUrl-um>?p=customize/voicemail.aspx&exsvurl=1</EcpUrl-um>
<EcpUrl-aggr>?p=personalsettings/EmailSubscriptions.slab&exsvurl=1</EcpUrl-aggr>
<EcpUrl-mt>PersonalSettings/DeliveryReport.aspx?exsvurl=1&IsOWA=<IsOWA>&MsgID=<MsgID>&Mbx=<Mbx></EcpUrl-mt>
<EcpUrl-ret>?p=organize/retentionpolicytags.slab&exsvurl=1</EcpUrl-ret>
<EcpUrl-sms>?p=sms/textmessaging.slab&exsvurl=1</EcpUrl-sms>
<OOFUrl>https://mail.voxmedica.net/EWS/Exchange.asmx</OOFUrl>
<UMUrl>https://mail.voxmedica.net/EWS/UM2007Legacy.asmx</UMUrl>
<OABUrl>http://mail.voxmedica.net/OAB/7923cd72-96a7-4ace-b3eb-3a3ca0fa305c/</OABUrl>
</Protocol>
<Protocol>
<Type>EXPR</Type>
<Server>webmail.voxmedica.com</Server>
<SSL>On</SSL>
<AuthPackage>Ntlm</AuthPackage>
<ASUrl>https://webmail.voxmedica.com/ews/exchange.asmx</ASUrl>
<EwsUrl>https://webmail.voxmedica.com/ews/exchange.asmx</EwsUrl>
<EcpUrl>https://webmail.voxmedica.com/ecp/</EcpUrl>
<EcpUrl-um>?p=customize/voicemail.aspx&exsvurl=1</EcpUrl-um>
<EcpUrl-aggr>?p=personalsettings/EmailSubscriptions.slab&exsvurl=1</EcpUrl-aggr>
<EcpUrl-mt>PersonalSettings/DeliveryReport.aspx?exsvurl=1&IsOWA=<IsOWA>&MsgID=<MsgID>&Mbx=<Mbx></EcpUrl-mt>
<EcpUrl-ret>?p=organize/retentionpolicytags.slab&exsvurl=1</EcpUrl-ret>
<EcpUrl-sms>?p=sms/textmessaging.slab&exsvurl=1</EcpUrl-sms>
<OOFUrl>https://webmail.voxmedica.com/ews/exchange.asmx</OOFUrl>
<UMUrl>https://webmail.voxmedica.com/ews/UM2007Legacy.asmx</UMUrl>
<OABUrl>https://webmail.voxmedica.com/OAB/7923cd72-96a7-4ace-b3eb-3a3ca0fa305c/</OABUrl>
</Protocol>
<Protocol>
<Type>WEB</Type>
<Internal>
<OWAUrl AuthenticationMethod="Basic, Fba">https://mail.voxmedica.net/owa/</OWAUrl>
<Protocol>
<Type>EXCH</Type>
<ASUrl>https://mail.voxmedica.net/EWS/Exchange.asmx</ASUrl>
</Protocol>
</Internal>
<External>
<OWAUrl AuthenticationMethod="Fba">https://webmail.voxmedica.com/owa/</OWAUrl>
<Protocol>
<Type>EXPR</Type>
<ASUrl>https://webmail.voxmedica.com/ews/exchange.asmx</ASUrl>
</Protocol>
</External>
</Protocol>
</Account>
</Response>
</Autodiscover> -
Outlook Anywhere losing proxy settings, Autodiscover issue?
I have Exchange Server 2010 in Small Business Server 2011. I have several remote clients that are not part of the SBS domain, but they use Outlook Anywhere to connect to Exchange.
We originally started with a self-signed and eventually added a GoDaddy SSL certificate. Some of the remote clients lose the settings for Outlook Anywhere randomly. The proxy checkbox is unchecked and the MSSTD settings have all disappeared.
I investigated this and it seems to point to autodiscover. Our DNS is hosted externally so I created an A-Host record at Network Solutions called autodiscover and resolved it to the static IP address of the server. When I did this the remote clients started to get certificate security warnings.
Next I tried to create a CNAME called _autodiscover for mail.mydomain.com and this didn't work either, certificate security errors.
Is my Outlook Anywhere issue an 'autodiscover' problem and if it is, what am I doing wrong? Here are some additional details:
Self-signed certificate is mail.mydomain.com. GoDaddy Class 2 certificate authority has identified this site as mail.mydomain.com. The connection to the server is encrypted.
Testing RPC/HTTP connectivity.
The RPC/HTTP test failed.
Additional Details
Elapsed Time: 3221 ms.
Test Steps
The Microsoft Connectivity Analyzer is attempting to test Autodiscover for
[email protected].
Autodiscover was tested successfully.
Additional Details
Elapsed Time: 3219 ms.
Test Steps
Attempting each method of contacting the Autodiscover service.
The Autodiscover service was tested successfully.
Additional Details
Elapsed Time: 3218 ms.
Test Steps
Attempting to test potential Autodiscover URL
https://pickardconstruction.com/AutoDiscover/AutoDiscover.xml
Testing of this potential Autodiscover URL failed.
Additional Details
Elapsed Time: 835 ms.
Test Steps
Attempting to resolve the host name pickardconstruction.com in DNS.
The host name resolved successfully.
Additional Details
IP addresses returned: 205.204.84.106
Elapsed Time: 464 ms.
Testing TCP port 443 on host pickardconstruction.com to ensure it's listening and open.
The port was opened successfully.
Additional Details
Elapsed Time: 164 ms.
Testing the SSL certificate to make sure it's valid.
The SSL certificate failed one or more certificate validation checks.
Additional Details
Elapsed Time: 205 ms.
Test Steps
The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server pickardconstruction.com on port 443.
The Microsoft Connectivity Analyzer wasn't able to obtain the remote SSL certificate.
Additional Details
The certificate couldn't be validated because SSL negotiation wasn't successful. This could have occurred as a result of a network error or because of a problem with the certificate installation.
Elapsed Time: 156 ms.
Attempting to test potential Autodiscover URL
https://autodiscover.pickardconstruction.com/AutoDiscover/AutoDiscover.xml
Testing of this potential Autodiscover URL failed.
Additional Details
Elapsed Time: 609 ms.
Test Steps
Attempting to resolve the host name autodiscover.pickardconstruction.com in DNS.
The host name resolved successfully.
Additional Details
IP addresses returned: 205.204.84.106
Elapsed Time: 222 ms.
Testing TCP port 443 on host autodiscover.pickardconstruction.com to ensure it's listening and open.
The port was opened successfully.
Additional Details
Elapsed Time: 185 ms.
Testing the SSL certificate to make sure it's valid.
The SSL certificate failed one or more certificate validation checks.
Additional Details
Elapsed Time: 200 ms.
Test Steps
The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server autodiscover.pickardconstruction.com on port 443.
The Microsoft Connectivity Analyzer wasn't able to obtain the remote SSL certificate.
Additional Details
The certificate couldn't be validated because SSL negotiation wasn't successful. This could have occurred as a result of a network error or because of a problem with the certificate installation.
Elapsed Time: 151 ms.
Attempting to contact the Autodiscover service using the HTTP redirect method.
The Autodiscover service was successfully contacted using the HTTP redirect method.
Additional Details
Elapsed Time: 1770 ms.
Test Steps
Attempting to resolve the host name autodiscover.pickardconstruction.com in DNS.
The host name resolved successfully.
Additional Details
IP addresses returned: 205.204.84.106
Elapsed Time: 21 ms.
Testing TCP port 80 on host autodiscover.pickardconstruction.com to ensure it's listening and open.
The port was opened successfully.
Additional Details
Elapsed Time: 100 ms.
The Microsoft Connectivity Analyzer is checking the host autodiscover.pickardconstruction.com for an HTTP redirect to the Autodiscover service.
The redirect (HTTP 301/302) response was received successfully.
Additional Details
Redirect URL:
https://cpanelemaildiscovery.cpanel.net/autodiscover/autodiscover.xml HTTP Response Headers: Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Length: 0 Content-Type: application/xml Date: Fri, 28 Feb 2014 01:49:00 GMT Location:
https://cpanelemaildiscovery.cpanel.net/autodiscover/autodiscover.xml Server: Apache/2.2.23 (Unix) mod_ssl/2.2.23 OpenSSL/0.9.8e-fips-rhel5 mod_auth_passthrough/2.1 mod_bwlimited/1.4
FrontPage/5.0.2.2635 PHP/5.3.21
Elapsed Time: 184 ms.
Attempting to test potential Autodiscover URL
https://cpanelemaildiscovery.cpanel.net/autodiscover/autodiscover.xml
Testing of the Autodiscover URL was successful.
Additional Details
Elapsed Time: 1463 ms.
Test Steps
Attempting to resolve the host name cpanelemaildiscovery.cpanel.net in DNS.
The host name resolved successfully.
Additional Details
IP addresses returned: 208.74.124.130, 208.74.124.133, 208.74.125.50, 208.74.125.51, 208.74.123.82
Elapsed Time: 109 ms.
Testing TCP port 443 on host cpanelemaildiscovery.cpanel.net to ensure it's listening and open.
The port was opened successfully.
Additional Details
Elapsed Time: 135 ms.
Testing the SSL certificate to make sure it's valid.
The certificate passed all validation requirements.
Additional Details
Elapsed Time: 358 ms.
Test Steps
The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server cpanelemaildiscovery.cpanel.net on port 443.
The Microsoft Connectivity Analyzer successfully obtained the remote SSL certificate.
Additional Details
Remote Certificate Subject: CN=*.cpanel.net, OU=Domain Control Validated, O=*.cpanel.net, Issuer: SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona,
C=US.
Elapsed Time: 278 ms.
Validating the certificate name.
The certificate name was validated successfully.
Additional Details
The host name that was found, cpanelemaildiscovery.cpanel.net, is a wildcard certificate match for common name *.cpanel.net.
Elapsed Time: 0 ms.
Certificate trust is being validated.
The certificate is trusted and all certificates are present in the chain.
Test Steps
The Microsoft Connectivity Analyzer is attempting to build certificate chains for certificate CN=*.cpanel.net, OU=Domain Control Validated, O=*.cpanel.net.
One or more certificate chains were constructed successfully.
Additional Details
A total of 2 chains were built. The highest quality chain ends in root certificate OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US.
Elapsed Time: 30 ms.
Analyzing the certificate chains for compatibility problems with versions of Windows.
No Windows compatibility problems were identified.
Additional Details
The certificate chain has been validated up to a trusted root. Root =
[email protected], CN=http://www.valicert.com/, OU=ValiCert Class 2 Policy Validation Authority, O="ValiCert, Inc.", L=ValiCert Validation Network.
Elapsed Time: 4 ms.
Testing the certificate date to confirm the certificate is valid.
Date validation passed. The certificate hasn't expired.
Additional Details
The certificate is valid. NotBefore = 8/18/2011 6:11:10 PM, NotAfter = 10/18/2016 5:19:12 AM
Elapsed Time: 0 ms.
Checking the IIS configuration for client certificate authentication.
Client certificate authentication wasn't detected.
Additional Details
Accept/Require Client Certificates isn't configured.
Elapsed Time: 349 ms.
Attempting to send an Autodiscover POST request to potential Autodiscover URLs.
The Microsoft Connectivity Analyzer successfully retrieved Autodiscover settings by sending an Autodiscover POST.
Additional Details
Elapsed Time: 509 ms.
Test Steps
The Microsoft Connectivity Analyzer is attempting to retrieve an XML Autodiscover response from URL
https://cpanelemaildiscovery.cpanel.net/autodiscover/autodiscover.xml for user
[email protected].
The Autodiscover XML response was successfully retrieved.
Additional Details
Autodiscover Account Settings XML response: <?xml version="1.0"?> <Autodiscover xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006"> <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
<User> <DisplayName>[email protected]</DisplayName> </User> <Account> <AccountType>email</AccountType> <Action>settings</Action> <Protocol> <Type>IMAP</Type> <Server>have02b.have1.com</Server>
<Port>993</Port> <DirectoryPort>0</DirectoryPort> <ReferralPort>0</ReferralPort> <SSL>on</SSL> <DomainRequired>off</DomainRequired> <SPA>off</SPA> <AuthRequired>on</AuthRequired>
<LoginName>[email protected]</LoginName> </Protocol> <Protocol> <Type>SMTP</Type> <Server>have02b.have1.com</Server> <Port>465</Port> <DirectoryPort>0</DirectoryPort> <ReferralPort>0</ReferralPort>
<SSL>on</SSL> <DomainRequired>off</DomainRequired> <SPA>off</SPA> <AuthRequired>on</AuthRequired> <LoginName>[email protected]</LoginName> </Protocol> </Account> </Response>
</Autodiscover> HTTP Response Headers: Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Length: 1362 Content-Type: text/xml Date: Fri, 28 Feb 2014 01:49:02 GMT Server: Apache/2.2.17 (Unix) mod_ssl/2.2.17 OpenSSL/0.9.8e-fips-rhel5 mod_perl/2.0.5
Perl/v5.8.8
Elapsed Time: 509 ms.
Autodiscover settings for Outlook Anywhere are being validated.
The Microsoft Connectivity Analyzer wasn't able to validate Outlook Anywhere Autodiscover settings.
Tell me more about this issue and how to resolve it
Additional Details
The EXCH provider section is missing from the Autodiscover response.
Elapsed Time: 0 ms. -
Incorrect Outlook Anywhere Settings
Hi
We are using Exchange 2013 and everything seems to be working ok. However, if I look at any of our Outlook clients (2007 & 2010) there seems to be incorrect information in the Exchange Proxy Settings under the advanced account settings.
For some reason the Use this URL to connect to my proxy server for Exchange box is populated with the server name of our CAS server. I've checked on the Exchange 2013 admin centre and the internal and external hostnames for Outlook Anywhere are correct but the setting in Outlook is always set to the server name.
I've even tried going into Outlook and manually amending the setting but as soon as I restart Outlook the setting automatically changes back. Am I missing something or is there another place where this setting could be picked up from?
Many thanks for your help.
Hi,
As far as I know, Outlook Exchange Proxy Settings dialog box always displays the internal host name as the Proxy server in an Exchange Server 2013 environment:
http://support.microsoft.com/kb/2754898/en-US
Thus, I’d like to confirm if the server name is the internal host name.
If you have any question, please feel free to let me know.
Thanks,
Angela Shi
TechNet Community Support -
Outlook anywhere settings, in Autodiscover?
So in Outlook, I got all my Outlook Anywhere settings configured, great! But where do I go to edit them on the server?
I don't have a GPO for any of this and I gather Outlook Anywhere is configured in Autodiscover? Is it EMS?
First, run set-outlookprovider -identity EXPR -Server servername and get-outlookanywhere |fl command in EMS. This command will let you know about the configuration of Outlook. You can edit the Outlook Anywhere configuration by using the custom installation wizard. Autodiscover is simply the best way for managing Outlook configurations.
Set-OutlookProvider EXPR -OutlookProviderFlags:ServerExclusiveConnect
You can run this PowerShell command to make connection with the Outlook Anywhere using TCP/IP.
You can easily change the OutlookProviderFlags to change/edit the Outlook Anywhere settings, e.g. you can set the value to ServerExclusiveConnect or to None to clear the flag.
Hi Blake - can you change the first line to be get-outlook provider -identity EXPR ? It's currently at "set-"
Not sure if I'd be recommending the serverExclusiveConnect option off the bat, most customers I see do not leverage that. Do they want to do OA internally too? I don't see that mentioned above
The OutlookProviderFlags parameter specifies that Outlook 2010 clients should connect using RPC over HTTP (Outlook Anywhere) before trying RPC over TCP connections. This increases the speed at which Outlook 2010 clients will connect when clients are primarily accessing Exchange over the Internet. The value can be set to ServerExclusiveConnect or to None to clear the flags. For Outlook 2010 clients that access Exchange over both organization intranets and the Internet, the recommended value is None, which is also the default setting.
Cheers,
Rhoderick
Microsoft Senior Exchange PFE
Blog:
http://blogs.technet.com/rmilne
Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose. -
Outlook Anywhere settings in a Exchange 2013 coexistence scenario with Exchange 2007
I have exchange 2013 and 2007 set up in a coexist environment. At the moment, the few mailboxes I am testing on Exchange 2013 are getting multiple pop ups in outlook and cannot connect to items like Public Folders on 2007. I found an article that told me to change the authentication method from Negotiate to NTLM and that broke some of my Lync 2013 compatibility issues on users on exchange 2007 (ie conversation history and they got outlook integration errors.) I would like someone to confirm if the change I am about to make from doing research will help me in my situation.
Current Setup:
Exchange 2007 OA CAS Settings
ExternalClientAuthenticationMethod : Basic
InternalClientAuthenticationMethod: NTLM
IISAuthenticationMethods : {Basic, Ntlm}
Exchange 2013 OA CAS Settings
ExternalClientAuthenticationMethod : Negotiate
InternalClientAuthenticationMethod: Negotiate
IISAuthenticationMethods : {Basic, Ntlm, Negotiate}
New Settings I am considering based on research:
Exchange 2007 OA CAS Settings
ExternalClientAuthenticationMethod : Basic
InternalClientAuthenticationMethod: Basic
IISAuthenticationMethods : {NTLM}
Exchange 2013 OA CAS Settings
ExternalClientAuthenticationMethod : Basic
InternalClientAuthenticationMethod: Basic
IISAuthenticationMethods : {Basic}
Will this work and eliminate my popups?
Hi,
The following TechNet article indicates that:
“In order to support access for Outlook Anywhere clients whose mailboxes are on legacy versions of Exchange, you will need to make some changes to your environment which are documented in the steps within the Exchange Deployment Assistant. Specifically, you will need to enable Outlook Anywhere on your legacy Client Access servers and enable NTLM in addition to basic authentication for the IIS Authentication Method.”
Client Connectivity in an Exchange 2013 Coexistence Environment
http://blogs.technet.com/b/exchange/archive/2014/03/12/client-connectivity-in-an-exchange-2013-coexistence-environment.aspx
As for the Autodiscover service, please make sure the Autodiscover.domain.com is pointed to your Exchange 2013 in Internal and External DNS. For more detailed information about Exchange 2013 coexistence with Exchange 2007, please refer to:
http://blogs.technet.com/b/meamcs/archive/2013/07/25/part-3-step-by-step-exchange-2007-to-2013-migration.aspx
Regards,
Winnie Liang
TechNet Community Support -
Domain joined laptops have outlook anywhere settings forced through group policy.
Running gpresult command shows correct group policy are applied.
GPO: Outlook Offsite Settings
Folder Id: Software\Policies\Microsoft\Office\12.0\Outlook\RPC\ProxyServerName
Value: 119, 0, 101, 0, 98, 0, 109, 0, 97, 0, 105, 0, 108, 0, 46, 0, 105, 0, 101, 0, 99, 0, 109, 0, 97, 0, 105, 0, 108, 0, 46, 0, 99, 0, 111, 0, 109, 0, 0, 0
State: Enabled
Outlook in safe mode shows no change.
Exchange server 2010.
What can be disabling this?
Thank you for your time.
Hi,
You are using Outlook 2013, right?
However, "Folder Id: Software\Policies\Microsoft\Office\12.0\Outlook\RPC\ProxyServerName" implies it's the setting for Outlook 2007.
As for Outlook 2013, it should be 15.0 instead of 12.0.
Please confirm that and change the settings to try again.
Regards,
Melon Chen
TechNet Community Support -
Access to Outlook Anywhere does not work
Good evening,
I recently installed an Exchange Server 2013 CAS / MB.
Until now, the server presented a few errors (mainly in the event log) that do not seem to significantly influence functionality.
This week I published the server on the Internet and verified various malfunctions related to the access from outside.
In particular from outside:
1 - OWA does not work with Windows integrated authentication, it works with the Forms based authentication;
2 - Outlook Anywhere does not work from internet.
I've done a lot of research and testing without success.
With regard to the first issue (which is not a priority but can relate to second one) add that in Firefox I get a first authentication request. If I enter credentials it asks again for identical authentication (repeatedly), if I cancel it shows a second one that instead allows me access (are slightly different).
I assume that the first is the integrated Windows application and the second is basic authentication.
Internet Explorer shows me only the first authentication request and if I cancel shows blank page.
The problem is priority 2:
Outlook connects without problems on LAN network, the Internet seems to download the correct information (autodiscover), but then does not connect to the server (connection to Microsoft Exchange is unavailable).
If you manually edit the settings, auto-configuration server returns as a [email protected]. If I change manually the server (and proxy settings http), the result does not change.
- Setting information -
The server is installed in the LAN network and is exposed on the Internet through a firewall (Pat on port 443, et al. not 80) on a public address.
The public and private DNS have been configured with a host record (A) and two CNAME (webmail and autodiscover).
The internal Outlook clients connect with autodiscover and HTTPS / NTLM / SSL (Outlook connectivity status).
IMAP, SMTP, POP, ActiveSync function.
Exchange remote connectivity analyzer retrieves Autodiscover information but doesn't pass test for RPC/HTTP access (it discards access on port 443 and tries port 80, SPF isn't configured).
The navigation to the url https://proxyexternalURL/rpc/rpcproxy.dll has the same behaviour like problem 1.
Test-OutlookConnectivity returns unmanaged error ('WARNING: An unexpected error has occurred and a Watson dump is being generated: Failed to find the probe result for invoke now request id -- and probe workdefinition id --').
Errors in eventviewer: 5011 - WAS (one time), 139 - MSExchange OWA (some not repetitive), 3028 - MSExchangeApplicationLogic (every 6 hours), 106 - MSExchange common (many during working hour), 65535 - application (some at nighttime 00.00 - 03.00 a.m.), 1006 - MSExchangeDiagnostic (every 30 min), 6002 - MSExchange Mid-Tier Storage (about every 5 minutes), 5 - MSExchange Workload Management (one time).
Ask for further information.
- Cmdlet and Autodiscover output -
Get-OutlookAnywhere | fl name,*auth*,*ssl*,*host*
Name : Rpc (Default Web site)
ExternalClientAuthenticationMethod : Basic
InternalClientAuthenticationMethod : Ntlm
IISAuthenticationMethods : {Basic, Ntlm, Negotiate}
SSLOffloading : True
ExternalClientsRequireSsl : True
InternalClientsRequireSsl : True
ExternalHostname : webmail.name_domain.test
InternalHostname : webmail.name_domain.test
Get-OutlookProvider | ft -autosize
Name Server CertPrincipalName              TTL
EXCH        msstd:webmail.name_domain.test 1
EXPR        msstd:webmail.name_domain.test 1
WEB                                        1
Get-AutodiscoverVirtualDirectory | fl name,*auth*,*url*
Name : Autodiscover (Default Web site)
InternalAuthenticationMethods : {Basic, WSSecurity, OAuth}
ExternalAuthenticationMethods : {Basic, WSSecurity, OAuth}
LiveIdNegotiateAuthentication : False
WSSecurityAuthentication : True
LiveIdBasicAuthentication : False
BasicAuthentication : True
DigestAuthentication : False
WindowsAuthentication : False
OAuthAuthentication : True
AdfsAuthentication : False
InternalUrl :
ExternalUrl :
Get-MapiVirtualDirectory | fl name,*auth*,*url*
Name : mapi (Default Web site)
IISAuthenticationMethods : {Basic, Ntlm, Negotiate}
InternalAuthenticationMethods : {Basic, Ntlm, Negotiate}
ExternalAuthenticationMethods : {Basic, Ntlm, Negotiate}
InternalUrl : https://webmail.name_domain.test/mapi
ExternalUrl : https://webmail.name_domain.test/mapi
Autodiscover.xml
<?xml version="1.0" encoding="utf-8"?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
<Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
<User>
<DisplayName>user</DisplayName>
<LegacyDN>/o=organization_name/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=e4c0c18c8f214afbb5152bb08823179d-user</LegacyDN>
<AutoDiscoverSMTPAddress>user@name_domain.test</AutoDiscoverSMTPAddress>
<DeploymentId>d60c71c9-3740-404c-a38c-aa24e6105432</DeploymentId>
</User>
<Account>
<AccountType>email</AccountType>
<Action>settings</Action>
<MicrosoftOnline>False</MicrosoftOnline>
<Protocol>
<Type>EXCH</Type>
<Server>72036b30-a4d4-4b42-9c39-445bd04c23a6@name_domain.test</Server>
<ServerDN>/o=organization_name/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=72036b30-a4d4-4b42-9c39-445bd04c23a6@name_domain.test</ServerDN>
<ServerVersion>73C082C8</ServerVersion>
<MdbDN>/o=organization_name/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=72036b30-a4d4-4b42-9c39-445bd04c23a6@name_domain.test/cn=Microsoft Private MDB</MdbDN>
<PublicFolderServer>webmail.name_domain.test</PublicFolderServer>
<AD>DC2.name_domain.test</AD>
<ASUrl>https://webmail.name_domain.test/EWS/Exchange.asmx</ASUrl>
<EwsUrl>https://webmail.name_domain.test/EWS/Exchange.asmx</EwsUrl>
<EmwsUrl>https://webmail.name_domain.test/EWS/Exchange.asmx</EmwsUrl>
<EcpUrl>https://webmail.name_domain.test/ecp/</EcpUrl>
<EcpUrl-um>?rfr=olk&p=customize/voicemail.aspx&exsvurl=1&realm=name_domain.test</EcpUrl-um>
<EcpUrl-aggr>?rfr=olk&p=personalsettings/EmailSubscriptions.slab&exsvurl=1&realm=name_domain.test</EcpUrl-aggr>
<EcpUrl-mt>PersonalSettings/DeliveryReport.aspx?rfr=olk&exsvurl=1&IsOWA=<IsOWA>&MsgID=<MsgID>&Mbx=<Mbx>&realm=name_domain.test</EcpUrl-mt>
<EcpUrl-ret>?rfr=olk&p=organize/retentionpolicytags.slab&exsvurl=1&realm=name_domain.test</EcpUrl-ret>
<EcpUrl-sms>?rfr=olk&p=sms/textmessaging.slab&exsvurl=1&realm=name_domain.test</EcpUrl-sms>
<EcpUrl-publish>customize/calendarpublishing.slab?rfr=olk&exsvurl=1&FldID=<FldID>&realm=name_domain.test</EcpUrl-publish>
<EcpUrl-photo>PersonalSettings/EditAccount.aspx?rfr=olk&chgPhoto=1&exsvurl=1&realm=name_domain.test</EcpUrl-photo>
<EcpUrl-tm>?rfr=olk&ftr=TeamMailbox&exsvurl=1&realm=name_domain.test</EcpUrl-tm>
<EcpUrl-tmCreating>?rfr=olk&ftr=TeamMailboxCreating&SPUrl=<SPUrl>&Title=<Title>&SPTMAppUrl=<SPTMAppUrl>&exsvurl=1&realm=name_domain.test</EcpUrl-tmCreating>
<EcpUrl-tmEditing>?rfr=olk&ftr=TeamMailboxEditing&Id=<Id>&exsvurl=1&realm=name_domain.test</EcpUrl-tmEditing>
<EcpUrl-extinstall>Extension/InstalledExtensions.slab?rfr=olk&exsvurl=1&realm=name_domain.test</EcpUrl-extinstall>
<OOFUrl>https://webmail.name_domain.test/EWS/Exchange.asmx</OOFUrl>
<UMUrl>https://webmail.name_domain.test/EWS/UM2007Legacy.asmx</UMUrl>
<OABUrl>https://webmail.name_domain.test/OAB/e66d9a4a-6ed2-4512-b72f-522381524dd9/</OABUrl>
<ServerExclusiveConnect>off</ServerExclusiveConnect>
<CertPrincipalName>msstd:webmail.name_domain.test</CertPrincipalName>
</Protocol>
<Protocol>
<Type>EXPR</Type>
<Server>webmail.name_domain.test</Server>
<SSL>On</SSL>
<AuthPackage>Basic</AuthPackage>
<ASUrl>https://webmail.name_domain.test/ews/exchange.asmx</ASUrl>
<EwsUrl>https://webmail.name_domain.test/ews/exchange.asmx</EwsUrl>
<EmwsUrl>https://webmail.name_domain.test/ews/exchange.asmx</EmwsUrl>
<EcpUrl>https://webmail.name_domain.test/ecp/</EcpUrl>
<EcpUrl-um>?rfr=olk&p=customize/voicemail.aspx&exsvurl=1&realm=name_domain.test</EcpUrl-um>
<EcpUrl-aggr>?rfr=olk&p=personalsettings/EmailSubscriptions.slab&exsvurl=1&realm=name_domain.test</EcpUrl-aggr>
<EcpUrl-mt>PersonalSettings/DeliveryReport.aspx?rfr=olk&exsvurl=1&IsOWA=<IsOWA>&MsgID=<MsgID>&Mbx=<Mbx>&realm=name_domain.test</EcpUrl-mt>
<EcpUrl-ret>?rfr=olk&p=organize/retentionpolicytags.slab&exsvurl=1&realm=name_domain.test</EcpUrl-ret>
<EcpUrl-sms>?rfr=olk&p=sms/textmessaging.slab&exsvurl=1&realm=name_domain.test</EcpUrl-sms>
<EcpUrl-publish>customize/calendarpublishing.slab?rfr=olk&exsvurl=1&FldID=<FldID>&realm=name_domain.test</EcpUrl-publish>
<EcpUrl-photo>PersonalSettings/EditAccount.aspx?rfr=olk&chgPhoto=1&exsvurl=1&realm=name_domain.test</EcpUrl-photo>
<EcpUrl-tm>?rfr=olk&ftr=TeamMailbox&exsvurl=1&realm=name_domain.test</EcpUrl-tm>
<EcpUrl-tmCreating>?rfr=olk&ftr=TeamMailboxCreating&SPUrl=<SPUrl>&Title=<Title>&SPTMAppUrl=<SPTMAppUrl>&exsvurl=1&realm=name_domain.test</EcpUrl-tmCreating>
<EcpUrl-tmEditing>?rfr=olk&ftr=TeamMailboxEditing&Id=<Id>&exsvurl=1&realm=name_domain.test</EcpUrl-tmEditing>
<EcpUrl-extinstall>Extension/InstalledExtensions.slab?rfr=olk&exsvurl=1&realm=name_domain.test</EcpUrl-extinstall>
<OOFUrl>https://webmail.name_domain.test/ews/exchange.asmx</OOFUrl>
<UMUrl>https://webmail.name_domain.test/ews/UM2007Legacy.asmx</UMUrl>
<OABUrl>https://webmail.name_domain.test/OAB/e66d9a4a-6ed2-4512-b72f-522381524dd9/</OABUrl>
<ServerExclusiveConnect>on</ServerExclusiveConnect>
<CertPrincipalName>msstd:webmail.name_domain.test</CertPrincipalName>
<EwsPartnerUrl>https://webmail.name_domain.test/ews/exchange.asmx</EwsPartnerUrl>
<GroupingInformation>LAN</GroupingInformation>
</Protocol>
<Protocol>
<Type>WEB</Type>
<Internal>
<OWAUrl AuthenticationMethod="Basic, Fba">https://webmail.name_domain.test/</OWAUrl>
<Protocol>
<Type>EXCH</Type>
<ASUrl>https://webmail.name_domain.test/EWS/Exchange.asmx</ASUrl>
</Protocol>
</Internal>
<External>
<OWAUrl AuthenticationMethod="Basic">https://webmail.name_domain.test/</OWAUrl>
<Protocol>
<Type>EXPR</Type>
<ASUrl>https://webmail.name_domain.test/ews/exchange.asmx</ASUrl>
</Protocol>
</External>
</Protocol>
<Protocol>
<Type>EXHTTP</Type>
<Server>webmail.name_domain.test</Server>
<SSL>On</SSL>
<AuthPackage>Ntlm</AuthPackage>
<ASUrl>https://webmail.name_domain.test/EWS/Exchange.asmx</ASUrl>
<EwsUrl>https://webmail.name_domain.test/EWS/Exchange.asmx</EwsUrl>
<EmwsUrl>https://webmail.name_domain.test/EWS/Exchange.asmx</EmwsUrl>
<EcpUrl>https://webmail.name_domain.test/ecp/</EcpUrl>
<EcpUrl-um>?rfr=olk&p=customize/voicemail.aspx&exsvurl=1&realm=name_domain.test</EcpUrl-um>
<EcpUrl-aggr>?rfr=olk&p=personalsettings/EmailSubscriptions.slab&exsvurl=1&realm=name_domain.test</EcpUrl-aggr>
<EcpUrl-mt>PersonalSettings/DeliveryReport.aspx?rfr=olk&exsvurl=1&IsOWA=<IsOWA>&MsgID=<MsgID>&Mbx=<Mbx>&realm=name_domain.test</EcpUrl-mt>
<EcpUrl-ret>?rfr=olk&p=organize/retentionpolicytags.slab&exsvurl=1&realm=name_domain.test</EcpUrl-ret>
<EcpUrl-sms>?rfr=olk&p=sms/textmessaging.slab&exsvurl=1&realm=name_domain.test</EcpUrl-sms>
<EcpUrl-publish>customize/calendarpublishing.slab?rfr=olk&exsvurl=1&FldID=<FldID>&realm=name_domain.test</EcpUrl-publish>
<EcpUrl-photo>PersonalSettings/EditAccount.aspx?rfr=olk&chgPhoto=1&exsvurl=1&realm=name_domain.test</EcpUrl-photo>
<EcpUrl-tm>?rfr=olk&ftr=TeamMailbox&exsvurl=1&realm=name_domain.test</EcpUrl-tm>
<EcpUrl-tmCreating>?rfr=olk&ftr=TeamMailboxCreating&SPUrl=<SPUrl>&Title=<Title>&SPTMAppUrl=<SPTMAppUrl>&exsvurl=1&realm=name_domain.test</EcpUrl-tmCreating>
<EcpUrl-tmEditing>?rfr=olk&ftr=TeamMailboxEditing&Id=<Id>&exsvurl=1&realm=name_domain.test</EcpUrl-tmEditing>
<EcpUrl-extinstall>Extension/InstalledExtensions.slab?rfr=olk&exsvurl=1&realm=name_domain.test</EcpUrl-extinstall>
<OOFUrl>https://webmail.name_domain.test/EWS/Exchange.asmx</OOFUrl>
<UMUrl>https://webmail.name_domain.test/EWS/UM2007Legacy.asmx</UMUrl>
<OABUrl>https://webmail.name_domain.test/OAB/e66d9a4a-6ed2-4512-b72f-522381524dd9/</OABUrl>
<ServerExclusiveConnect>On</ServerExclusiveConnect>
<CertPrincipalName>msstd:webmail.name_domain.test</CertPrincipalName>
</Protocol>
<Protocol>
<Type>EXHTTP</Type>
<Server>webmail.name_domain.test</Server>
<SSL>On</SSL>
<AuthPackage>Basic</AuthPackage>
<ASUrl>https://webmail.name_domain.test/ews/exchange.asmx</ASUrl>
<EwsUrl>https://webmail.name_domain.test/ews/exchange.asmx</EwsUrl>
<EmwsUrl>https://webmail.name_domain.test/ews/exchange.asmx</EmwsUrl>
<EcpUrl>https://webmail.name_domain.test/ecp/</EcpUrl>
<EcpUrl-um>?rfr=olk&p=customize/voicemail.aspx&exsvurl=1&realm=name_domain.test</EcpUrl-um>
<EcpUrl-aggr>?rfr=olk&p=personalsettings/EmailSubscriptions.slab&exsvurl=1&realm=name_domain.test</EcpUrl-aggr>
<EcpUrl-mt>PersonalSettings/DeliveryReport.aspx?rfr=olk&exsvurl=1&IsOWA=<IsOWA>&MsgID=<MsgID>&Mbx=<Mbx>&realm=name_domain.test</EcpUrl-mt>
<EcpUrl-ret>?rfr=olk&p=organize/retentionpolicytags.slab&exsvurl=1&realm=name_domain.test</EcpUrl-ret>
<EcpUrl-sms>?rfr=olk&p=sms/textmessaging.slab&exsvurl=1&realm=name_domain.test</EcpUrl-sms>
<EcpUrl-publish>customize/calendarpublishing.slab?rfr=olk&exsvurl=1&FldID=<FldID>&realm=name_domain.test</EcpUrl-publish>
<EcpUrl-photo>PersonalSettings/EditAccount.aspx?rfr=olk&chgPhoto=1&exsvurl=1&realm=name_domain.test</EcpUrl-photo>
<EcpUrl-tm>?rfr=olk&ftr=TeamMailbox&exsvurl=1&realm=name_domain.test</EcpUrl-tm>
<EcpUrl-tmCreating>?rfr=olk&ftr=TeamMailboxCreating&SPUrl=<SPUrl>&Title=<Title>&SPTMAppUrl=<SPTMAppUrl>&exsvurl=1&realm=name_domain.test</EcpUrl-tmCreating>
<EcpUrl-tmEditing>?rfr=olk&ftr=TeamMailboxEditing&Id=<Id>&exsvurl=1&realm=name_domain.test</EcpUrl-tmEditing>
<EcpUrl-extinstall>Extension/InstalledExtensions.slab?rfr=olk&exsvurl=1&realm=name_domain.test</EcpUrl-extinstall>
<OOFUrl>https://webmail.name_domain.test/ews/exchange.asmx</OOFUrl>
<UMUrl>https://webmail.name_domain.test/ews/UM2007Legacy.asmx</UMUrl>
<OABUrl>https://webmail.name_domain.test/OAB/e66d9a4a-6ed2-4512-b72f-522381524dd9/</OABUrl>
<ServerExclusiveConnect>On</ServerExclusiveConnect>
<CertPrincipalName>msstd:webmail.name_domain.test</CertPrincipalName>
</Protocol>
</Account>
</Response>
</Autodiscover>
Get-OwaVirtualDirectory | fl name,*auth*,*url*
Name : owa (Default Web Site)
ClientAuthCleanupLevel : High
InternalAuthenticationMethods : {Basic, Fba}
BasicAuthentication : True
WindowsAuthentication : False
DigestAuthentication : False
FormsAuthentication : True
LiveIdAuthentication : False
AdfsAuthentication : False
OAuthAuthentication : False
ExternalAuthenticationMethods : {Basic}
Url : {}
SetPhotoURL :
Exchange2003Url :
FailbackUrl :
InternalUrl : https://webmail.name_domain.test/
ExternalUrl : https://webmail.name_domain.test/
Following are the results of the Outlook Anywhere (RPC over HTTP) test. An account for which Outlook Anywhere works has been used. The account for which Outlook Anywhere does not work is an administrative account and therefore cannot be used in the test. Autodiscovery returns the same result for both mailboxes.
I'm testing RPC/HTTP connectivity.
The RPC over HTTP test did not pass.
Test steps
Microsoft Connectivity Analyzer is attempting to test the Autodiscover service for user_test@domain_name.test.
The Autodiscover service test did not pass.
Test steps
I'm trying to contact the Autodiscover service with each method available.
I was not able to contact the Autodiscover service with any method.
Test steps
I'm trying to test the possible URL for the Autodiscover service https://domain_name.test/AutoDiscover/AutoDiscover.xml
The test of this potential URL for the Autodiscover service did not pass.
Test steps
I'm trying to resolve the host name domain_name.test in DNS.
I was able to resolve the host name.
IP addresses returned: xxx.yyy.zzz.www
I'm testing TCP port 443 on the host domain_name.test to check that it is open and listening.
The port was opened successfully.
I'm testing the validity of the SSL certificate.
The SSL certificate did not pass one or more validation checks.
Test steps
Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from the remote server domain_name.test on port 443.
Microsoft Connectivity Analyzer got the remote SSL certificate.
Remote certificate subject: E = it_staff@domain_name.test, CN = *.domain_name.test, OU = it staff, O = domain_name, L = city, S = state, C = test; issuer: E = it_staff@domain_name.test, CN = *.domain_name.test, OU = it staff, O = domain_name, L = city, S = state, C = test.
I am validating the certificate name.
I could not validate the certificate name.
More info about this issue and how to resolve it
The host name domain_name.test does not match any name found on the server certificate E = it_staff@domain_name.test, CN = *.domain_name.test, OU = it staff, O = domain_name, L = city, S = state, C = test.
I'm trying to test the possible URL for the Autodiscover service https://autodiscover.domain_name.test/AutoDiscover/AutoDiscover.xml
The test of this potential URL for the Autodiscover service did not pass.
Test steps
I'm trying to resolve the host name autodiscover.domain_name.test in DNS.
I was able to resolve the host name.
IP addresses returned: xxx.yyy.zzz.kkk
I'm testing TCP port 443 on the host autodiscover.domain_name.test to check that it is open and listening.
The port was opened successfully.
I'm testing the validity of the SSL certificate.
The SSL certificate did not pass one or more validation checks.
Test steps
Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from the remote server autodiscover.domain_name.test on port 443.
Microsoft Connectivity Analyzer got the remote SSL certificate.
Other details
Remote certificate subject: CN = webmail.domain_name.test, OU = it staff, O = domain_name, L = city, S = city, C = test; issuer: CN = domain_name-DC1-CA, DC = domain_name, DC = test.
I am validating the certificate name.
I validated the certificate name.
Other details
I found the host name autodiscover.domain_name.test in the Subject Alternative Name entry of the certificate.
Elapsed time: 1 ms.
I am validating the trust of the certificate.
I was not able to validate the trust of the certificate.
Test steps
Microsoft Connectivity Analyzer is attempting to build certificate chains for the certificate CN = webmail.domain_name.test, OU = it staff, O = domain_name, L = city, S = city, C = test.
I failed to build a certificate chain for the certificate.
Other details
Failed to generate the certificate chain.
The required intermediate certificates may be missing.
I'm trying to contact the Autodiscover service using the HTTP redirect method.
I was not able to contact the Autodiscover service using the HTTP redirect method.
Test steps
I'm trying to resolve the host name autodiscover.domain_name.test in DNS.
I was able to resolve the host name.
IP addresses returned: xxx.yyy.zzz.kkk
I'm testing TCP port 80 on the host autodiscover.domain_name.test to check that it is open and listening.
The specified port is blocked, is not listening or doesn't produce the expected response.
More info about this issue and how to resolve it
I encountered a network error while communicating with the remote host.
I'm trying to find the SRV DNS record _autodiscover._tcp.domain_name.test.
I failed to find the SRV record of the Autodiscover service in DNS.
Some clarifications:
1 - xxx.yyy.zzz.www and xxx.yyy.zzz.kkk are two static public addresses of which only the latter exposes Exchange services;
2 - The certificate *.domain_name.test is not related to Exchange services;
3 - I imported the certificate of the issuing CA on the standalone test PC to validate the certificate.
4 - The port 80 is not open and SRV records are not published.
Best regards. -
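An added example, not code from any poster in this thread: a PowerShell audit of the EXPR and EXHTTP blocks in an Autodiscover response like the one posted above, reporting the SSL flag, the auth package, the msstd principal name and which EXHTTP block comes first (the block an earlier reply on this page says Outlook tries first). The function name and the sample hosts are constructed; the sample is a trimmed, well-formed response, not the poster's.

```powershell
# Constructed sample: a trimmed Autodiscover response shaped like the ones posted
# on this page. Host names are placeholders, not real servers.
$sampleXml = @'
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
  <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
    <Account>
      <Protocol>
        <Type>EXPR</Type>
        <Server>webmail.example.test</Server>
        <SSL>On</SSL>
        <AuthPackage>Basic</AuthPackage>
        <CertPrincipalName>msstd:mail.example.test</CertPrincipalName>
      </Protocol>
      <Protocol>
        <Type>WEB</Type>
        <Internal><Protocol><Type>EXCH</Type></Protocol></Internal>
      </Protocol>
      <Protocol>
        <Type>EXHTTP</Type>
        <Server>webmail.example.test</Server>
        <SSL>Off</SSL>
        <AuthPackage>Basic</AuthPackage>
      </Protocol>
      <Protocol>
        <Type>EXHTTP</Type>
        <Server>webmail.example.test</Server>
        <SSL>On</SSL>
        <AuthPackage>Ntlm</AuthPackage>
        <CertPrincipalName>msstd:webmail.example.test</CertPrincipalName>
      </Protocol>
    </Account>
  </Response>
</Autodiscover>
'@

function Get-AutodiscoverProxyAudit {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Xml)

    $doc = New-Object System.Xml.XmlDocument
    $doc.LoadXml($Xml)
    $ns = New-Object System.Xml.XmlNamespaceManager -ArgumentList $doc.NameTable
    $ns.AddNamespace('o', 'http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a')

    # Text of one child element of a <Protocol> block, or $null when it is absent.
    $child = {
        param($node, $name)
        $n = $node.SelectSingleNode("o:$name", $ns)
        if ($null -ne $n) { $n.InnerText.Trim() }
    }

    $exhttpSeen = 0
    # Direct children of <Account> only, so the stubs nested under WEB are skipped.
    foreach ($p in $doc.SelectNodes('//o:Account/o:Protocol', $ns)) {
        $type = & $child $p 'Type'
        if ($type -notin 'EXPR', 'EXHTTP') { continue }   # only the HTTP proxy blocks
        $server = & $child $p 'Server'
        $ssl    = & $child $p 'SSL'
        $auth   = & $child $p 'AuthPackage'
        $cpn    = & $child $p 'CertPrincipalName'
        $notes  = New-Object System.Collections.Generic.List[string]

        if ($type -eq 'EXHTTP') {
            $exhttpSeen++
            if ($exhttpSeen -eq 1) { $notes.Add('first EXHTTP block') }
        }
        if ($ssl -ne 'On') {
            $notes.Add('SSL not required')
            if ($auth -eq 'Basic') { $notes.Add('Basic credentials would travel without TLS') }
        }
        if (-not $cpn) {
            $notes.Add('no CertPrincipalName returned')
        } elseif ($cpn -eq 'none') {
            $notes.Add('principal-name check disabled')
        } elseif ($cpn -notlike 'msstd:*') {
            $notes.Add("unexpected CertPrincipalName format: $cpn")
        } elseif ($server -notlike $cpn.Substring(6)) {
            # -like lets a wildcard value such as msstd:*.example.test cover the host
            $notes.Add('msstd name differs from Server; check the certificate subject')
        }

        [pscustomobject]@{
            Type = $type; Server = $server; SSL = $ssl; AuthPackage = $auth
            CertPrincipalName = $cpn; Notes = ($notes -join '; ')
        }
    }
}

Get-AutodiscoverProxyAudit -Xml $sampleXml | Format-List
```

On the constructed sample the EXPR block is flagged for an msstd name that differs from its Server, the first EXHTTP block for SSL Off with Basic and no principal name, and the second EXHTTP block comes back with no notes.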
Certificate mismatch Outlook Anywhere
Hi,
When connecting an Outlook 2013 client to Exchange 2013 I am getting a certificate mismatch error.
SSL Certificate is for the external name (exch.domain.com) has no SAN's and Outlook is looking for servername.local.
I have configured all virtual directories for Exchange to use the above url (exch.domain.com) for internal and external access.
Have a local DNS record resolving the external name (exch.domain.com) to the internal IP of the exchange server.
Operating a single public IP using ARR and Windows Server 2012 Essentials
Have set up a SRV record in DNS for autodiscovery.
Outlook Anywhere in the ECP is configured to NTLM authentication
In Outlook, the advanced connection properties I was getting authentication prompts until I added https://exchange.domain.com as a proxy server.
Any help would be appreciated thanks.
I am having the same issue with my Outlook 2013 clients.
All virtual directories are set to the mail.company.com. The Godaddy certificate is for mail.company.com and is used for the SMTP, IIS, POP3, IMAP services.
The client gives a security alert about the certificate name for servername.company.com not matching the certificate mail.company.com. The client account settings show the server as a [email protected] and the Exchange proxy settings as mail.company.com and connect using SSL only with msstd:mail.company.com for the principal name.
Doing a Connection status check on the Outlook, it shows the Proxy server of mail.company.com and server name as the [email protected] for Exchange Directory and Exchange Mail.
I have tried putting the server name in the virtual directory internal url's but it still isn't working correctly.
I had used a cert from our internal CA for testing and am still using it for the UM and UMCallRouter functions, although the SMTP, IMAP, POP3 are still checked for it.
Outlook functions fine after clearing the Security Alert.
Not sure what I am missing. Thanks for any help. -
Exchange 2010+Outlook Anywhere+Windows XP not working together
Hello,
We have Exchange 2010 installed on Server 2008 R2. CAS/Hub/mailbox roles on same server. Outlook Anywhere is enabled and using a Go Daddy signed certificate for OWA. Now my problem is that Windows XP (w SP3) PC's that are not located inside domain and should use Outlook Anywhere cannot connect to that service. Outlook version is 2007 SP2. On the other hand, that same user can connect from a Windows 7 pc what is also located outside domain without problems. On XP pc windows keeps asking for password repeatedly, on W7 pc it asks it and accepts and logs the user in and connects it to his mailbox. I have read numerous posts about this kind of issue, but so far none of them helped me. The certificate is issued to mail.domainname.ee and autodiscover.domainname.ee. The internal name of the server is excha.domainname.ee, external name is mail.domainname.ee. Also I used the Set-OutlookProvider cmdlet to set EXPR to msstd:mail.domainname.ee and also tried msstd:excha.domainname.ee this change did not have any effect on XP pc.
What is wrong in XP and Outlook 2007 combination not being able to connect to Exchange 2010?
I was suffering from a very similar issue. The one major difference for me is that I was using a wildcard ssl certificate for "*.contoso.com" which was not matching with the server name of owa.contoso.com.
Behaviour definitely seemed to only manifest with Windows XP on the open internet (not domain joined or internal) trying to use either Outlook 2007 or 2010 to connect to our internal Exchange 2010 server via RPC over HTTPS. Autodiscover was successful but user would be repeatedly prompted for their credentials but they would never match.
The key changes that seemed to fix this for us were to make these updates -
Set-OutlookProvider EXPR -CertPrincipalName msstd:*.contoso.com
Alternatively, if you don't care whether the proxy server name exactly matches your ssl cert you can do this (not recommended) -
Set-OutlookProvider EXPR -CertPrincipalName none
These commands manipulate the Microsoft Exchange Proxy Settings under the Outlook Anywhere options under the connection tab of your mail profile. In particular the field labeled "Only connect to proxy servers that have this principal name in their certificate"
Also, to force RPC over HTTPS and never try and timeout on TCP/IP connection (which cannot work through the firewall) -
Set-OutlookProvider EXPR -OutlookProviderFlags:ServerExclusiveConnect
This should click the checkbox for "On fast networks, connect using HTTP first, then connect using TCP/IP"
This should then allow autoconfigure to work fine when setting up your mail profile. If you want to check the settings page you should have something that looks like this -
Finally, please note that Autodiscover settings are updated periodically not instantly. I believe it is something like every 15m or so. As such, make the changes above and then wait for at least 15-30mins before making any other changes.
I ended up chasing my tail and then some complete red-herring *seemed* to fix the problem. It was actually something that I had changed 20mins before! -
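An added sketch, not the poster's code, of the two separate name checks behind the wildcard fix described above: whether the certificate covers the proxy host name at the TLS level, and whether the CertPrincipalName value matches the certificate subject. It assumes the msstd value is compared with the subject name as a literal string, which is what the msstd:*.contoso.com fix implies; the function names are hypothetical and the sample values are constructed from the posts on this page.

```powershell
# RFC 6125-style host match: "*." covers exactly one left-most label.
function Test-DnsNameMatch {
    param([string]$Pattern, [string]$HostName)
    $p = $Pattern.ToLowerInvariant()
    $h = $HostName.ToLowerInvariant()
    if ($p.StartsWith('*.')) {
        $suffix = $p.Substring(1)                      # e.g. ".contoso.com"
        if (-not $h.EndsWith($suffix, [StringComparison]::Ordinal)) { return $false }
        $label = $h.Substring(0, $h.Length - $suffix.Length)
        return ($label.Length -gt 0 -and -not $label.Contains('.'))
    }
    return ($p -eq $h)
}

function Test-OutlookAnywhereNames {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$ProxyHost,          # host Outlook connects to
        [Parameter(Mandatory)][string]$CertPrincipalName,  # value set with Set-OutlookProvider
        [Parameter(Mandatory)][string]$SubjectCN,          # certificate "Issued to" name
        [string[]]$SubjectAltNames = @()
    )

    # TLS name check: SAN entries take precedence over the CN when present.
    $names = if ($SubjectAltNames.Count -gt 0) { $SubjectAltNames } else { @($SubjectCN) }
    $hostCovered = $false
    foreach ($n in $names) {
        if (Test-DnsNameMatch -Pattern $n -HostName $ProxyHost) { $hostCovered = $true }
    }

    # Principal-name check. Assumption: the msstd value is compared with the
    # certificate subject name as a literal string, not as a wildcard pattern.
    if ($CertPrincipalName -eq 'none') {
        $principal = 'not checked'
    } elseif ($CertPrincipalName -like 'msstd:*' -and
              $CertPrincipalName.Substring(6) -eq $SubjectCN) {
        $principal = 'match'
    } else {
        $principal = 'mismatch'
    }

    [pscustomobject]@{
        ProxyHost         = $ProxyHost
        CertPrincipalName = $CertPrincipalName
        HostCoveredByCert = $hostCovered
        PrincipalCheck    = $principal
        ValueMatchingCert = "msstd:$SubjectCN"
    }
}

# Constructed cases taken from the situations described on this page.
$cases = @(
    @{ ProxyHost = 'owa.contoso.com';  CertPrincipalName = 'msstd:owa.contoso.com'; SubjectCN = '*.contoso.com' },
    @{ ProxyHost = 'owa.contoso.com';  CertPrincipalName = 'msstd:*.contoso.com';   SubjectCN = '*.contoso.com' },
    @{ ProxyHost = 'owa.contoso.com';  CertPrincipalName = 'none';                  SubjectCN = '*.contoso.com' },
    @{ ProxyHost = 'servername.local'; CertPrincipalName = 'msstd:exch.domain.com'; SubjectCN = 'exch.domain.com' }
)
foreach ($c in $cases) { Test-OutlookAnywhereNames @c }
```

The first case reproduces the failure in the answer (host covered by the wildcard, principal name mismatch), the second is the fix, the third shows that `none` skips the principal-name check entirely, and the fourth is the servername.local situation from the certificate mismatch thread.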
Outlook Anywhere does not show http in test email auto-config under protocol
Hi,
It seems simple to configure/enable Outlook Anywhere but I am unable to get it to work in my environment.
Background
1. Add feature for RPC over http
2. Enable Outlook Anywhere for all CAS
3. Properties CAS -> Outlook Anywhere -> mail.abc.com (External host name) with NTLM authentication
4. Set-OutlookProvider EXPR -CertPrincipalName msstd:mail.abc.com
5. Configure Outlook client -> Connection tab -> Outlook Anywhere -> Select "Connect to Microsoft Exchange using HTTP"
6. Under Exchange Proxy Settings
-> Connection settings https://mail.abc.com
-> Select "Connect using SSL only" and "Only connect to proxy servers that have this principal name in their cert" with msstd:mail.abc.com
7. Select both "On fast network" and "On slow network"
8. Under Proxy authentication settings -> NTLM Authentication
Anything I am missing? How to test internally?
P/S: I am having E2010 SP3 RU2 with Outlook 2010
Please advise. Thanks.
Kelvin Teang
The root cause is MAPIBlockOutlookRpcHttp = True
It was working fine after I executed
Get-Mailbox -Identity "username" | Set-CASMailbox -MAPIBlockOutlookRpcHttp:$False
Kelvin Teang -
Problem using Outlook Anywhere out of the office
Hello,
I have a problem getting my Microsoft Outlook (2007) to connect to my Exchange Server when I'm out of the office local network.
Outlook Anywhere is enabled on the server, and everything is set correctly on the client.
I have run the Outlook connectivity analyzer tool and this is what I got.
Testing RPC/HTTP connectivity.
The RPC/HTTP test failed.
Additional Details
Elapsed Time: 777 ms.
Test Steps
Attempting to resolve the host name mail.DOMAIN in DNS.
The host name resolved successfully.
Additional Details
IP addresses returned: IPP ADDRESS
Elapsed Time: 14 ms.
Testing TCP port 443 on host mail.DOMAIN to ensure it's listening and open.
The port was opened successfully.
Additional Details
Elapsed Time: 253 ms.
Testing the SSL certificate to make sure it's valid.
The SSL certificate failed one or more certificate validation checks.
Additional Details
Elapsed Time: 508 ms.
Test Steps
The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server mail.DOMAIN on port 443.
The Microsoft Connectivity Analyzer wasn't able to obtain the remote SSL certificate.
Additional Details
The certificate couldn't be validated because SSL negotiation wasn't successful. This could have occurred as a result of a network error or because of a problem with the certificate installation.
Elapsed Time: 472 ms.
I am sure we have a SSL certificate installed "one generated locally which means not one that's been bought", but it shows errors about being expired only when I'm at the office "local network", now that I'm out of the office I don't even get the error anymore nor the login popup window and connectivity status to exchange server is "Disconnect"
how can I fix this? where to obtain an SSL, assuming that's why I'm unable to connect to exchange server.
could it be my Microsoft exchange proxy settings? I'm using mail.domain and msstd:mail.domain and basic authentication "exactly like in the exchange server settings"
-I'm able to connect to exchange on my iPhone/Android successfully.
Thank you in advance
Nouf
*I have tried uploading an image but I get this message, though I haven't received any confirmation email.
Body text cannot contain images or links until we are able to verify your account.
You must have a properly installed cert issued from a trusted CA for Outlook Anywhere to work.
The phone devices you mention historically have not done a good job of certificate validation which is why they connect but Outlook and Windows will verify that the cert is who it claims to be.
Read this:
http://exchangepedia.com/2007/08/outlook-anywhere-and-exchanges-self-signed-certificate.html
And follow the link in it to obtain a cert from a trusted CA.
Cheers,
Rhoderick
Microsoft Senior Exchange PFE
Blog: http://blogs.technet.com/rmilne
Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose. -
Exchange 2007 to 2013 Migration Outlook Anywhere keeps asking password
Hi all,
I'm migrating an Exchange 2007 Server with all roles installed on a Windows Server 2008 R2 to 2 Exchange 2013 SP1 Servers (1 Cas and 1 Mailbox) installed on Windows Server 2012 R2.
I installed Exchange 2007 SP3 RU13 for coexistence and everything was ok until I switched to the new 2013 CAS.
After that the client using Outlook Anywhere started asking for password.
I configured the Outlook Anywhere with these settings:
Exchange 2007:
OA Hostname mail.domain.com
Client Authentication NTLM
IISAuthentication Basic, NTLM
SSL Required True
Exchange 2013
OA Hostname mail.domain.com
Client Authentication NTLM (Both internal and external)
IISAuthentication Basic, NTLM
SSL Required True (both internal and external)
Before switching to 2013 Cas everything works smoothly and the Outlook clients receive NTLM as HTTP Proxy authentication.
After switching to 2013 Cas, test users migrated on 2013 Mailbox Server are ok, but Outlook users on Exchange 2007 Server get Basic as HTTP Proxy authentication and continue asking for credentials.
In the Exchange 2007 server I configured the host file to resolve servername and servername.domain.local with the ipv4 address to avoid issues regarding IPv6 with OA in Exchange 2007.
Using Microsoft Connectivity Test I receive the error "RPC Proxy can't be pinged - The remote server returned an error: (500) Internal Server Error"
Any Ideas?
Thanks for your Help
Run this and post the result
https://testconnectivity.microsoft.com/
Cheers,
Gulab Prasad
Technology Consultant
Blog: http://www.exchangeranger.com
Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.