stacystyles
Outlook Anywhere failing at Mutual Authentication Principle Name Authentication

I have an Exchange 2010 Server and when I run the remote exchange tester I get the following:

Everything passes except the mutual name authentication. How do I change this in Exchange?


ExRCA is testing RPC/HTTP connectivity.
 The RPC/HTTP test failed.
 Test Steps
 Attempting to test Autodiscover for dstyles@acuotech.com
 Autodiscover was tested successfully.
 Test Steps
 ExRCA is attempting each method of contacting the Autodiscover service.
 The Autodiscover service was tested successfully.
 Test Steps
 Attempting to test potential AutoDiscover URL https://acuotech.com/AutoDiscover/AutoDiscover.xml
 Testing of this potential Autodiscover URL failed.
 Test Steps
 Attempting to resolve the host name acuotech.com in DNS.
 Host successfully resolved
 Additional Details
 IP(s) returned: 173.11.48.82

Testing TCP Port 443 on host acuotech.com to ensure it is listening and open.
 The port was opened successfully.
ExRCA is testing the SSL certificate to make sure it's valid.
 The SSL certificate failed one or more certificate validation checks.
 Test Steps
 The certificate name is being validated.
 Certificate name validation failed.
  Tell me more about this issue and how to resolve it
 Additional Details
 Host name acuotech.com does not match any name found on the server certificate CN=cab.acuotech.com, OU=AcuoXMD Quality Assurance, O=Acuo Technologies, L=Oakdale, S=Minnesota, C=US

Attempting to test potential AutoDiscover URL https://autodiscover.acuotech.com/AutoDiscover/AutoDiscover.xml
 Testing of the Autodiscover URL was successful.
 Test Steps
 Attempting to resolve the host name autodiscover.acuotech.com in DNS.
 Host successfully resolved
 Additional Details
 IP(s) returned: 173.11.47.241

Testing TCP Port 443 on host autodiscover.acuotech.com to ensure it is listening and open.
 The port was opened successfully.
ExRCA is testing the SSL certificate to make sure it's valid.
 The certificate passed all validation requirements.
 Test Steps
 The certificate name is being validated.
 Successfully validated the certificate name
 Additional Details
 Found hostname autodiscover.acuotech.com in Certificate Subject Alternative Name entry

Certificate trust is being validated.
 The certificate is trusted and all certificates are present in the chain.
 Additional Details
 The Certificate chain has be validated up to a trusted root. Root = E=info@valicert.com, CN=http://www.valicert.com/, OU=ValiCert Class 2 Policy Validation Authority, O="ValiCert, Inc.", L=ValiCert Validation Network

The certificate date is being confirmed to ensure the certificate is valid.
 Date validation passed. The certificate hasn't expired.
 Additional Details
 Certificate is valid: NotBefore = 9/10/2010 6:05:59 PM, NotAfter = 9/9/2013 2:08:54 PM"

The IIS configuration is being checked for client certificate authentication.
 Client certificate authentication wasn't detected.
 Additional Details
 Accept/Require Client Certificates not configured.

ExRCA is attempting to send an Autodiscover POST request to potential Autodiscover URLs.
 Successfully Retrieved AutoDiscover Settings by sending AutoDiscover POST.
 Test Steps
 Attempting to Retrieve XML AutoDiscover Response from url https://autodiscover.acuotech.com/AutoDiscover/AutoDiscover.xml for user dstyles@acuotech.com
 The Autodiscover XML response was successfully retrieved.
 Additional Details
 AutoDiscover Account Settings
XML Response:
<?xml version="1.0"?>
<Autodiscover xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
<Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
<User>
<DisplayName>Darren Styles</DisplayName>
<LegacyDN>/o=Acuo Technologies/ou=First Administrative Group/cn=Recipients/cn=darren</LegacyDN>
<DeploymentId>604ec500-e309-4fe1-b296-fe7e7729c149</DeploymentId>
</User>
<Account>
<AccountType>email</AccountType>
<Action>settings</Action>
<Protocol>
<Type>EXCH</Type>
<Server>Exchange.acuotech.com</Server>
<ServerDN>/o=Acuo Technologies/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=EXCHANGE</ServerDN>
<ServerVersion>7380827F</ServerVersion>
<MdbDN>/o=Acuo Technologies/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=EXCHANGE/cn=Microsoft Private MDB</MdbDN>
<ASUrl>https://exchange.acuotech.com/EWS/Exchange.asmx</ASUrl>
<OOFUrl>https://exchange.acuotech.com/EWS/Exchange.asmx</OOFUrl>
<OABUrl>Public Folder</OABUrl>
<UMUrl>https://exchange.acuotech.com/EWS/UM2007Legacy.asmx</UMUrl>
<Port>0</Port>
<DirectoryPort>0</DirectoryPort>
<ReferralPort>0</ReferralPort>
<PublicFolderServer>Exchange.acuotech.com</PublicFolderServer>
<AD>Harley.acuotech.com</AD>
<EwsUrl>https://exchange.acuotech.com/EWS/Exchange.asmx</EwsUrl>
<EcpUrl>https://exchange.acuotech.com/ecp</EcpUrl>
<EcpUrl-um>?p=customize/voicemail.aspx&amp;exsvurl=1</EcpUrl-um>
<EcpUrl-aggr>?p=personalsettings/EmailSubscriptions.slab&amp;exsvurl=1</EcpUrl-aggr>
<EcpUrl-mt>PersonalSettings/DeliveryReport.aspx?exsvurl=1&amp;IsOWA=&lt;IsOWA&gt;&amp;MsgID=&lt;MsgID&gt;&amp;Mbx=&lt;Mbx&gt;</EcpUrl-mt>
<EcpUrl-sms>?p=sms/textmessaging.slab&amp;exsvurl=1</EcpUrl-sms>
</Protocol>
<Protocol>
<Type>EXPR</Type>
<Server>mail.acuotech.com</Server>
<ASUrl>https://mail.acuotech.com/EWS/Exchange.asmx</ASUrl>
<OOFUrl>https://mail.acuotech.com/EWS/Exchange.asmx</OOFUrl>
<OABUrl>Public Folder</OABUrl>
<UMUrl>https://mail.acuotech.com/EWS/UM2007Legacy.asmx</UMUrl>
<Port>0</Port>
<DirectoryPort>0</DirectoryPort>
<ReferralPort>0</ReferralPort>
<SSL>On</SSL>
<AuthPackage>Basic</AuthPackage>
<EwsUrl>https://mail.acuotech.com/EWS/Exchange.asmx</EwsUrl>
<EcpUrl>https://mail.acuotech.com/ecp</EcpUrl>
<EcpUrl-um>?p=customize/voicemail.aspx&amp;exsvurl=1</EcpUrl-um>
<EcpUrl-aggr>?p=personalsettings/EmailSubscriptions.slab&amp;exsvurl=1</EcpUrl-aggr>
<EcpUrl-mt>PersonalSettings/DeliveryReport.aspx?exsvurl=1&amp;IsOWA=&lt;IsOWA&gt;&amp;MsgID=&lt;MsgID&gt;&amp;Mbx=&lt;Mbx&gt;</EcpUrl-mt>
<EcpUrl-sms>?p=sms/textmessaging.slab&amp;exsvurl=1</EcpUrl-sms>
</Protocol>
<Protocol>
<Type>WEB</Type>
<Port>0</Port>
<DirectoryPort>0</DirectoryPort>
<ReferralPort>0</ReferralPort>
<Internal>
<OWAUrl AuthenticationMethod="Basic, Fba">https://exchange.acuotech.com/owa/</OWAUrl>
<Protocol>
<Type>EXCH</Type>
<ASUrl>https://exchange.acuotech.com/EWS/Exchange.asmx</ASUrl>
</Protocol>
</Internal>
<External>
<OWAUrl AuthenticationMethod="Fba">https://mail.acuotech.com/owa/</OWAUrl>
<Protocol>
<Type>EXPR</Type>
<ASUrl>https://mail.acuotech.com/EWS/Exchange.asmx</ASUrl>
</Protocol>
</External>
</Protocol>
</Account>
</Response>
</Autodiscover>

Autodiscover settings for Outlook Anywhere are being validated.
 Outlook Anywhere Autodiscover Settings validated
Attempting to resolve the host name mail.acuotech.com in DNS.
 Host successfully resolved
 Additional Details
 IP(s) returned: 173.11.47.241

Testing TCP Port 443 on host mail.acuotech.com to ensure it is listening and open.
 The port was opened successfully.
ExRCA is testing the SSL certificate to make sure it's valid.
 The certificate passed all validation requirements.
 Test Steps
 The certificate name is being validated.
 Successfully validated the certificate name
 Additional Details
 Found hostname mail.acuotech.com in Certificate Subject Alternative Name entry

Certificate trust is being validated.
 The certificate is trusted and all certificates are present in the chain.
 Additional Details
 The Certificate chain has be validated up to a trusted root. Root = E=info@valicert.com, CN=http://www.valicert.com/, OU=ValiCert Class 2 Policy Validation Authority, O="ValiCert, Inc.", L=ValiCert Validation Network

The certificate date is being confirmed to ensure the certificate is valid.
 Date validation passed. The certificate hasn't expired.
 Additional Details
 Certificate is valid: NotBefore = 9/10/2010 6:05:59 PM, NotAfter = 9/9/2013 2:08:54 PM"

The IIS configuration is being checked for client certificate authentication.
 Client certificate authentication wasn't detected.
 Additional Details
 Accept/Require Client Certificates not configured.

Testing Http Authentication Methods for URL https://mail.acuotech.com/rpc/rpcproxy.dll
 The HTTP authentication methods are correct.
 Additional Details
 Found all expected authentication methods and no disallowed methods. Methods Found: Basic

SSL mutual authentication with the RPC proxy server is being tested.
 Verification of mutual authentication failed.
  Tell me more about this issue and how to resolve it
 Additional Details
 The certificate common name acuotech.com, doesn't validate against Mutual Authentication string provided msstd:mail.acuotech.com
endital1097

Check the authentication settings for the RPC vdir.
Make sure that anonymous is disabled, and that Basic and Windows Integrated are enabled.
stacystyles

ASKER

Windows Integrated was not enabled and now is. Here are the results.

Untitled.jpg
ASKER CERTIFIED SOLUTION
endital1097

Here is what I get.
Untitled2.jpg
Set-OutlookProvider EXPR -CertPrincipalName msstd:acuotech.com
I've found a solution to the mysterious automatic setting of the "mutual authentication" checkbox, also known as "Only connect to proxy servers that have this principal name in their certificate". It will get set to msstd:servername if you leave the CertPrincipalName blank. When you have multiple CAS servers, this check box will screw with your users, and you get a box asking for your credentials.

The answer is to set the CertPrincipalName to "none" (not blank or null). The commands are:

>Set-OutlookProvider EXPR -Server 'site1cas01.company.com' -CertPrincipalName none
>Set-OutlookProvider EXPR -Server $null

This sets the proxy CertPrincipalName to none, and then removes the server setting from the OutlookProvider, so multiple servers can be used. Once you set this to 'none', Outlook Autodiscover will no longer check that stupid checkbox anymore.

I'm posting this here in hopes that all of my weeks of pain and suffering can be used to help all the others I've found on the internet with this same problem.
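To make the ExRCA failure and the two fixes in this thread concrete, here is an added PowerShell example (not code from the thread, from Microsoft, or from ExRCA) that reproduces the msstd: principal check offline and can read the Subject CN a live RPC proxy presents. The function names, the assumption that Outlook compares an msstd: principal against the certificate Subject CN only, and the host name mail.example.com are mine.

```powershell
# Added example (not from the thread): reproduce the ExRCA "SSL mutual authentication"
# check offline, and optionally fetch the CN a live RPC proxy presents.
# Assumed rule (per the ExRCA message above): an msstd: principal must match the
# certificate Subject CN ("*." wildcards allowed); "none" disables the check; a blank
# CertPrincipalName defaults to msstd:<Server>, as Admin_AaenMaas describes.
function Test-MsstdMatch {
    param(
        [string]$CertPrincipalName,   # e.g. (Get-OutlookProvider EXPR).CertPrincipalName
        [string]$SubjectCN,           # CN of the certificate served on /rpc/rpcproxy.dll
        [string]$ProviderServer = ''  # (Get-OutlookProvider EXPR).Server, used when blank
    )
    $principal = $CertPrincipalName
    if ([string]::IsNullOrWhiteSpace($principal)) { $principal = "msstd:$ProviderServer" }
    if ($principal -eq 'none') { return $true }          # mutual authentication disabled
    if ($principal -notlike 'msstd:*') { return $false } # only msstd: principals are valid
    $expected = $principal.Substring(6)
    # -like is case-insensitive and honours a leading "*." wildcard principal
    return [bool]($SubjectCN -like $expected)
}

# Read the Subject CN from the certificate a CAS presents on TCP 443 (no EMS needed).
# Chain validation is skipped on purpose: this only inspects the name, it trusts nothing.
function Get-RpcProxyCertCN {
    param([string]$HostName)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, 443)
    try {
        $accept = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2] $ssl.RemoteCertificate
        return $cert.GetNameInfo('SimpleName', $false)   # Subject CN
    } finally { $tcp.Close() }
}

# Offline walk-through using the values from the ExRCA output (Subject CN acuotech.com).
Test-MsstdMatch -CertPrincipalName 'msstd:mail.acuotech.com' -SubjectCN 'acuotech.com'  # the failure reported above
Test-MsstdMatch -CertPrincipalName 'msstd:acuotech.com' -SubjectCN 'acuotech.com'       # the accepted fix
Test-MsstdMatch -CertPrincipalName '' -ProviderServer 'mail.acuotech.com' -SubjectCN 'acuotech.com'  # blank defaults to msstd:mail.acuotech.com
Test-MsstdMatch -CertPrincipalName 'none' -SubjectCN 'acuotech.com'                     # check disabled, as in the 'none' fix

# Live check from an admin workstation (host name is a placeholder):
# Test-MsstdMatch -CertPrincipalName (Get-OutlookProvider EXPR).CertPrincipalName `
#                 -SubjectCN (Get-RpcProxyCertCN 'mail.example.com')
```

Run the offline lines in any PowerShell; the live lines need the Exchange Management Shell for Get-OutlookProvider and network reach to the CAS.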
Admin_AaenMaas THANK YOU!! This was driving me insane. Your solution did the trick for my XP + Outlook 2007/2010 clients constantly getting prompted for credentials and unable to connect to E2K13 CAS with E2K7 server co-existence. Some simple migration documentation as to this effect would have been nice Microsoft...