Kris Coady


Outlook clients not working with internal Exchange 2013 server

Good morning experts,

We're having some trouble connecting Outlook clients to a new Exchange 2013 server. When setting up Outlook for the first time, the autodiscover works fine in detecting the server name (fs1.domain.local) and username. But after completing the configuration we get strange errors ranging from:
"Cannot open your default e-mail folder" to "The connection to Microsoft Exchange is unavailable. Outlook must be online or connected to complete".
This is the same when we ignore autodiscover and fill in all of the details by hand. We've tried setting up Outlook to connect to RPC via HTTP and tried all of the included verification methods (NTLM, Basic, Negotiate), all without success.

The Exchange WebApp works fine for all users in the domain. Also, when setting up the Exchange accounts in Apple Mail or the Mail App for iOS everything works fine.

Any help with this problem would be greatly appreciated.
Thanks in advance,
Kris
CaptainGiblets

What version of Exchange did the mailboxes reside on before 2013?

Have you made sure that all communication between Outlook and Exchange is encrypted (under the Security tab of More Options), and have you tested with "always prompt for credentials" ticked?
Kris Coady

ASKER

None, this is a new domain and Exchange installation.
Have you checked the secure communication tick box in Outlook I mentioned above? If I remember, it's not automatically ticked in some versions of Outlook (pre 2007 I think), but you didn't mention a version, and all Exchange servers post 2007 need this by default.
I'm sorry, I forgot to mention the clients are all Outlook 2007 (latest service packs and updates). We've tried enabling and disabling security settings. All without any success.
Do all clients have a default gateway on the same subnet as the Exchange server?
Yes, all clients look to the Exchange Server as DNS and DHCP server and all have the router's IP-address as gateway.
ASKER CERTIFIED SOLUTION
CaptainGiblets

This solution is only available to members.
We had seen the certificate requirements and currently only have self-signed certificates installed. But I find it hard to believe that Outlook cannot connect to an internal Exchange server without a trusted third-party certificate.
Has anyone else had any experience with this?
SOLUTION
This solution is only available to members.
Here's the screenshot you asked for.
User generated image
I've tried creating some self-signed certificates since the screenshot but can't seem to get it to work any better than beforehand.
And you have set up the Outlook Anywhere URLs to match the addresses used in the SAN or wildcard certificate?
Yes,
external url: mail.domain.com
internal url: servername.domain.local

The Outlook clients are set up to use internal url: servername.domain.local (which is also what they receive from the autodiscover).
Just an idea, but I wonder if the problem is not Exchange/Outlook specific, but if there is a basic communication problem between the Windows machines and the server. Can you ping the servers from the client and clients from the server (by IP address AND name) and receive the expected replies? Have you tried stopping the firewall service on the clients?
Thanks for the reply.
Communication seems to be fine between the machines. Tried leaving and rejoining the domain, which all seems to work fine. Also, pinging the server from the client returns the correct IPv4 address. This is the same pinging from the server to the clients.
Simon Butler (Sembee)
The self signed certificates generated by Exchange are not supported for use with Outlook Anywhere or ActiveSync. As Exchange 2013 ONLY uses Outlook Anywhere for connectivity then you are in an unsupported configuration. Outlook will fail to connect if there are issues with the SSL certificate.

Considering that Exchange 2013 is so heavily web based, spend the money and get the required SSL certificate. $60/year it will cost you.

Simon.
Thanks for the tip. We're going to purchase a certificate for public access to the OWA and ECP soon.

In other news: We managed to fix the problems. The trick is NOT to create a self-signed certificate from within the ECP. These are the steps we took to get the whole thing to work:

- Log in to the ECP and navigate to Servers > Certificates
- Click on + and choose "Create a request for a certificate from a certification authority"
- Choose a friendly name for the certificate, I used "internal"
- Make sure the wildcard checkbox is enabled and fill in the root domain. I chose "servername.domain.local" (which is the same domain name as is specified in the Outlook Anywhere settings for internal use).
- Choose the server where you would like to store the certificate request
- Fill in all of the information required for the certificate
- Choose the location where you want to save the certificate
- The new certificate will now be visible in the ECP and should have the status "Pending"
- Open up the Certification Authority app
- Select the server and go to Actions > All tasks > Submit new request
- Navigate to and import the new .req file
- Click on 'Pending requests' in the menu on the left
- Select the pending certificate request and go to Actions > All tasks > Issue
- Go to 'Issued requests' and select the new certificate
- Click on Actions > All tasks > Export Binary Data
(here's the point when I started to wonder why all of these functions don't just have a few dedicated buttons)
- Choose "Binary Certificate" and select the option "save binary data to a file"
- Give the certificate a unique name and add the .cer extension
- Navigate back to the certificate section of the ECP
- Select the pending certificate request and click on "complete"
- Enter the location of the .cer file and click on complete
- Open the completed certificate and assign at least the following services: IIS, SMTP

After completing these steps all of the Outlook clients worked straight away.

Don't forget to make sure the Certificate Authority is a trusted CA within your domain by adding the root certificate to the default domain policy (or a policy of choice).
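Added example, not part of the original post: a PowerShell check, run from a domain-joined Outlook client, that the certificate served on port 443 matches the Outlook Anywhere host name and chains to a root the client trusts. The function name `Test-ExchangeTlsTrust` is made up for this example, `servername.domain.local` is the placeholder host name used in the thread, and PowerShell 3.0 or later is assumed.

```powershell
# Added example, run from a domain-joined Outlook client (no Exchange tools needed).
# 'servername.domain.local' is the thread's placeholder host name.
function Test-ExchangeTlsTrust {
    param(
        [Parameter(Mandatory = $true)] [string] $HostName,
        [int] $Port = 443
    )
    $seen = @{}   # filled in by the validation callback below
    # Accept every certificate so the handshake completes and the client's own
    # verdict can be read. Diagnostic use only; never reuse this for real traffic.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]({
        param($sender, $certificate, $chain, $policyErrors)
        $seen.Errors = $policyErrors
        $seen.Cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certificate
        $seen.Chain  = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
        return $true
    }.GetNewClosure())

    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $Port)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)   # certificate name is checked against $HostName
        $ssl.Dispose()
    }
    finally { $tcp.Close() }

    $flags = [System.Net.Security.SslPolicyErrors]
    [pscustomobject]@{
        HostName     = $HostName
        Subject      = $seen.Cert.Subject
        Issuer       = $seen.Cert.Issuer
        NotAfter     = $seen.Cert.NotAfter
        # Subject equal to Issuer means a self-signed certificate is still bound to IIS
        SelfSigned   = ($seen.Cert.Subject -eq $seen.Cert.Issuer)
        # False when the host name is not covered by the certificate's names
        NameMatches  = -not $seen.Errors.HasFlag($flags::RemoteCertificateNameMismatch)
        # False when the issuing CA's root is not in this client's trusted store
        ChainTrusted = -not $seen.Errors.HasFlag($flags::RemoteCertificateChainErrors)
        ChainStatus  = $seen.Chain -join ', '
    }
}

Test-ExchangeTlsTrust -HostName 'servername.domain.local'
```

`NameMatches` being false points at the Outlook Anywhere URL not being covered by the certificate; `ChainTrusted` being false points at the CA root not having reached the client through the domain policy.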
Glad to hear that you solved your problem. Thanks for letting us know how you did it!
I am having this same issue where Outlook clients cannot access email from outside, but Mac, iOS, and Android can. I renewed my certificate recently and I wonder if this has something to do with it? I am using Exchange 2010 SP1 and clients are Outlook 2007 and 2010. My certificate seems valid. How can I get to the "ECP" to check certificate settings there?
When I go to ECP, I don't see the server Heading.  I only get the following as seen in the snippet.
Exchange-ECP.JPG
i do all that do Vergezogt_
not work yet :(
Hi,

I am facing an issue connecting Outlook with Exchange: from the domain network there is no issue, but from the public network it is unable to connect with Exchange.

Your cooperation highly appreciated
Have you set up your Outlook Anywhere settings properly?
Is port 443 forwarded from the router to your Exchange server?
Yes,
 we have some phone devices is working only MAC
I believe Mac and iOS use IMAP instead of MAPI to connect to Exchange. Is it possible to connect through IMAP by manually adding the connection in an Outlook client?
Try looking through the Exchange connectivity event logs in the Event Viewer to see for possible connection issues. Also, check the 'Application' event logs on the client computers to see if there's any connectivity issues being reported by Outlook.
To clarify please, are you saying that the Macs WILL connect to Exchange within the domain, but will not connect when outside of the domain?