traviskrings


Outlook Anywhere will not connect for some users

We are working on migrating from Exchange 2003 to Exchange 2007 and just have a small number of pilot mailboxes moved over. All of a sudden about 3 users out of the 10 or so that would use Outlook Anywhere cannot connect. They all have Outlook 2007, and they just repeatedly get prompted for credentials. I do not know of anything that has changed recently other than some Windows updates that might have gotten installed.

My troubleshooting seems to point to this being a problem per computer, not per user. Some of the users have Windows XP and some have Vista. All Windows Vista computers work, and XP is mixed. Some work and some don't. For the computers that do not work it does not seem to matter what user logs in, the problem still happens. On my computer I have no issues. I had a user that is having the issue on their computer log into my computer, which created a brand new profile, and everything worked. I went to their computer and did the same thing and I had the problem then. That sure seems to point to it being a per-computer problem. People with the problem have tried updating Outlook 2007 to the latest SP, also making sure they are fully up to date from Windows Update. None of that seems to matter.

All of our external Exchange traffic is coming through the Exchange 2007 SP1 HUB/CAS servers, and I have not heard any complaints from the users getting proxied back to their Exchange 2003 mailboxes, and we have a lot of them using Outlook Anywhere. It seems that the problem is only for people that have mailboxes on the Exchange 2007 mailbox server. The prompt from Outlook is coming from the mailbox server, but if they keep entering credentials it sometimes will prompt from an Exchange 2003 mailbox server, probably because they have some shared mailboxes or calendars configured in their Outlook profile that reside on an Exchange 2003 server.

I am having a hard time finding a common problem between the people not working.  I had 3 people identified with the problem, and this morning one of them seemed to start working without making any changes, but the 2 left are persistent, and it does not seem to matter who logs in to their computer and tries.

I was able to find some failure audits on the CAS server for a person having the issue, saying it was an unknown username or pw, but obviously it is correct because they can come over to another computer and it works just fine for them.

Any help or ideas would be greatly appreciated.
ikshf143

Hi,

Try creating a new Outlook profile for those users on their machine. Try creating a new Windows profile and then try creating a new Outlook profile.
On the CAS/HUB server check the Valid ports registry that would be
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\RpcProxy and see if you have the entry for the Mailbox server for Valid Ports. It would be like
Mailbox:6001-6002;Mailbox.domain.com:6001-6002;Mailbox:6004;Mailbox.domain.com:6004;

Imran
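
The registry check suggested in the post above, as an added example that is not part of the original thread: it parses a ValidPorts string and reports which of ports 6001, 6002 and 6004 are missing for each mailbox server name. `Test-RpcProxyValidPorts` is a hypothetical helper name, the sample string is constructed from the format shown in the post, and PowerShell 2.0 or later is assumed.

```powershell
# Added example (not from the thread). Test-RpcProxyValidPorts is a hypothetical helper.
function Test-RpcProxyValidPorts {
    param(
        [string]   $ValidPorts,                        # raw ValidPorts registry string
        [string[]] $ServerNames,                       # NetBIOS name and FQDN of the mailbox server
        [int[]]    $RequiredPorts = @(6001, 6002, 6004)
    )
    $allowed = @{}                                     # server name -> ports the proxy may reach
    foreach ($entry in ($ValidPorts -split ';')) {
        $entry = $entry.Trim()
        if ($entry -eq '') { continue }
        # Each entry is "name:port" or "name:low-high"
        if ($entry -notmatch '^(?<name>[^:]+):(?<low>\d+)(-(?<high>\d+))?$') {
            Write-Warning "Malformed ValidPorts entry: '$entry'"
            continue
        }
        $name = $Matches['name'].ToLowerInvariant()
        $low  = [int]$Matches['low']
        $high = if ($Matches.ContainsKey('high')) { [int]$Matches['high'] } else { $low }
        if (-not $allowed.ContainsKey($name)) { $allowed[$name] = @() }
        $allowed[$name] += $low..$high
    }
    foreach ($server in $ServerNames) {
        $have    = @($allowed[$server.ToLowerInvariant()])
        $missing = @($RequiredPorts | Where-Object { $have -notcontains $_ })
        New-Object PSObject -Property @{
            Server  = $server
            Ok      = ($missing.Count -eq 0)
            Missing = ($missing -join ',')
        }
    }
}

# Constructed sample: the FQDN entry for port 6004 is deliberately left out.
$sample = 'Mailbox:6001-6002;Mailbox.domain.com:6001-6002;Mailbox:6004;'
Test-RpcProxyValidPorts -ValidPorts $sample -ServerNames 'Mailbox', 'Mailbox.domain.com'

# On the CAS server itself, read the live value instead of the sample:
# $live = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Rpc\RpcProxy').ValidPorts
# Test-RpcProxyValidPorts -ValidPorts $live -ServerNames 'Mailbox', 'Mailbox.domain.com'
```

ValidPorts limits which servers and ports the RPC proxy will relay to, so entries beyond the ones required are worth reviewing as well as missing ones.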
traviskrings

ASKER

We have already tried creating new Outlook profiles and it doesn't make a difference. We have also tried creating a new Windows profile and it does not make a difference. A user that does not have any issues on their computer can log into one of the affected user's computers and then they have the same issue. These users are all on the same Mailbox server, and the majority of them don't have any issues with Outlook Anywhere. I did check the Registry and they are all present in that key.

I don't know if this is a coincidence but the issue seemed to present itself shortly after we installed some Windows security updates to the servers, and also the latest HP ProLiant support pack. I don't see how that would cause an issue like this but I thought I would mention it.

The troubleshooting so far really seems to point to something going on with these specific workstations, and not the user account or specific mailbox.
ASKER CERTIFIED SOLUTION
ikshf143

This solution is only available to members.

Everyone that has Vista is working fine, the only people not working are on Windows XP, but it is not all Windows XP users. I do not have a large sampling of users so I cannot guarantee that this problem could not be present on Vista, just not on the 3 Vista machines I have to work with. Exchange servers are running Windows 2008, but IPv6 was already disabled because of a bug with Outlook Anywhere and IPv6. I checked and I just have Windows and Basic authentication enabled on those virtual directories.

Also, the problem seems to be very consistent to the machine.  If the client works it works all of the time no matter what the user is, and if the client doesn't work it fails 100% of the time no matter what the user is.  That really makes it seem like there is something on the clients that is causing this or at least something changed on the client that is making it not correctly pass the credentials.


The kernel mode authentication is found on the Windows authentication. E.g.: select autodiscover-->Authentication-->Windows Authentication-->Advanced Settings and uncheck Kernel Mode authentication.

OK, it is enabled, but I am not going to disable it in my production environment unless there is some specific evidence that it could cause a problem. It says it is best practice to leave it. What would turning this off do, given that the majority of people seem to be working fine?

Also, I have verified that from the same computer on which nobody can connect to their Exchange 2007 mailbox with Outlook Anywhere, we can log in as a user with a mailbox still on Exchange 2003 and it works just fine. All of the traffic is coming through the Exchange 2007 SP1 CAS servers.

I had another user create a new local user and log in, and then create a new Outlook profile to their mailbox, and it worked. Logging back in to their domain profile it still doesn't work. I think I mentioned before that this didn't seem to work but I may have misunderstood the other user; I performed these steps in person.

Could there be something with the way the credentials are passed when logged into a domain windows profile vs. a local profile?

Yes, when the user is logged in the logon happens over Kerberos. I had resolved a couple of Outlook Anywhere issues with disabling the kernel mode authentication, as we have noticed most of the time it gives problems but sometimes it works, so it might be in your case. I can assure you that disabling the kernel mode will not affect any other feature or functionality.
Also try this: have another user log in to the client machine, which would create a new domain profile, and then try creating the Outlook profile.

If another user logs in with their brand new domain profile it does not work for them either. But if you create a local Windows account and then set up an Outlook profile for the user it works.

I have engaged Microsoft Support but nothing has come of it yet.  We can see in network traces comparing when it works to when it doesn't that the SSL negotiation seems to be getting reset on the scenario that does not work.  From what they showed me in the packet traces they don't even think the credentials are being passed into the Exchange server because the SSL handshakes are not completing.

Any other input would be great, and if I have any more developments from working with MS I will post them.

The problem was the kernel mode authentication. After disabling that and doing an iisreset it started working. I wanted to note another thing that we found after disabling kernel mode authentication though. If the client was Windows XP, and the "connect only if certificate has this principal name" setting was set in Outlook, it wouldn't connect. If you uncheck that it worked. I found that by default that setting in Exchange 2007 is blank, which makes it fill that setting in with the same name as your Outlook Anywhere name by default when an Outlook profile is created. I ran the "Set-OutlookProvider EXPR -CertPrincipalname:none" command to change that field to none, and now when you set up an Outlook profile it does not use that setting.
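
A read-only check of the two settings named in the post above, as an added example that is not part of the original thread: it records the kernel-mode authentication state per virtual directory and lists the certificate principal name handed to new Outlook profiles. The site name, the virtual directory list, the helper name `Get-AuthAttribute` and the availability of the WebAdministration module are assumptions; PowerShell 2.0 or later is assumed.

```powershell
# Added example (not from the thread). Run elevated on the CAS server.
# Assumes the WebAdministration module is installed.
Import-Module WebAdministration

$site   = 'Default Web Site'        # assumption: Exchange virtual directories live here
$vdirs  = 'Autodiscover', 'Rpc'     # assumption: adjust to the virtual directories in use
$filter = 'system.webServer/security/authentication'

# Hypothetical helper: one attribute of one authentication section, as stored
# for that location in applicationHost.config.
function Get-AuthAttribute($Location, $Section, $Name) {
    (Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $Location `
        -Filter "$filter/$Section" -Name $Name).Value
}

$report = foreach ($vdir in $vdirs) {
    $loc = "$site/$vdir"
    New-Object PSObject -Property @{
        Location    = $loc
        WindowsAuth = Get-AuthAttribute $loc 'windowsAuthentication' 'enabled'
        KernelMode  = Get-AuthAttribute $loc 'windowsAuthentication' 'useKernelMode'
        BasicAuth   = Get-AuthAttribute $loc 'basicAuthentication'   'enabled'
    }
}
$report | Format-Table Location, WindowsAuth, KernelMode, BasicAuth -AutoSize

# Keep a dated copy so the state can be compared after a change and an iisreset.
$report | Export-Csv ".\cas-auth-$(Get-Date -Format yyyyMMdd-HHmm).csv" -NoTypeInformation

# Only available in the Exchange Management Shell: the principal name that
# new Outlook profiles receive for each provider (EXPR is Outlook Anywhere).
if (Get-Command Get-OutlookProvider -ErrorAction SilentlyContinue) {
    Get-OutlookProvider | Format-List Name, CertPrincipalName
}
```
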

I have tried the solutions but this did not work for me. Anything else on this?

Are you using a wildcard SSL cert or just a single domain cert for your SBS server? This could be an SSL cert issue. On the SBS server, go to https://localhost/autodiscover/autodiscover.xml and check out the name on the cert.