Solved

Outlook Anywhere will not connect for some users

Posted on 2009-05-06
13
1,011 Views
Last Modified: 2012-08-14
We are working on migrating from Exchange 2003 to Exchange 2007 and just have a small number of pilot mailboxes moved over.  All of the sudden about 3 users out of the 10 or so that would use Outlook Anywhere cannot connect.  They all have Outlook 2007, and they just repeatedly get prompted for credentials.  I do not know of anything that  has changed recently other than some windows updates that might have gotten installed.  

My troubleshooting seems to point to this being a problem per computer not per user.  Some of the users have Windows XP and some have Vista.  All windows vista computers work, and XP is mixed.  Some work and some don't.  For the computers that do not work it does not seem to matter what user logs in, the problem still happens.  On my computer I have no issues.  I had a user that is having the issue on their computer log into my computer, which created a brand new profile and everything worked.  I went to their computer and did the same thing and I had the problem then.  The sure seems to point to it being a per computer problem.  People with the problem have tried updating Outlook 2007 to the latest SP, also making sure they are fully up to date from windows update.  None of that seems to matter.

All of our external Exchange traffic is coming through the Exchange 2007 SP1 HUB/CAS servers, and I have not heard any complaints from the users getting proxied back to their Exchange 2003 mailboxes, and we have a lot of them using Outlook Anywhere.  It seems that the problem is only for people that have mailboxes on Exchange 2007 mailbox server.  The prompt from Outlook is coming from the mailbox server, but if they keep entering credentials it sometimes will prompt from an Exchange 2003 mailbox server, probably because they  have some shared mailboxes or calendars configured in their outlook profile that reside on an Exchange 2003 server.

I am having a hard time finding a common problem between the people not working.  I had 3 people identified with the problem, and this morning one of them seemed to start working without making any changes, but the 2 left are persistent, and it does not seem to matter who logs in to their computer and tries.

I was able to find some failure audits on the CAS server for a person having the issue, saying it was an unknown username or pw, but obviously it is correct because they can come over to another computer and it works just fine for them.

Any help or ideas would be greatly appreciated.
0
Comment
Question by:traviskrings
13 Comments
 
LVL 6

Expert Comment

by:ikshf143
Comment Utility
Hi,

Try ceating a new Outlook Profile for those users on their Machine. Try ceating a new Windows Profile and then try creating a new Outlook Profile.
On the CAS/HUB server check the Valid ports registry that would be
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\RpcProxy and see if you have the entry for the Mailbox server for Valid Ports. It would be like
Mailbox:6001-6002;Mailbox.domain.com:6001-6002;Mailbox:6004;Mailbox.domain.com:6004;

Imran
0
 

Author Comment

by:traviskrings
Comment Utility
We have already tried creating new Outlook profiles and it doesn't make a difference.  We have also tried creating a new windows profile and it does not make a difference.  A user that  does not have any issues on their computer can log into one of the affected user's computers and then they have the same issue.  These users are all on the same Mailbox server, and the majority of them don't have any issues with Outlook Anywhere.  I did check the Registry and they are all present in that key.

I don't know if this is a coincidence but the issue seemed to present itself shortly after we installed some windows security updates to the servers, and also the latest HP Proliant support pack.  I don't see how that would cause an issue like this but I thought I would mention it.  

The troubleshooting so far really seems to point to something going on with these specific workstations, and not the the user account or specific mailbox.
0
 
LVL 6

Accepted Solution

by:
ikshf143 earned 500 total points
Comment Utility
If these worktations are windows visat then try disabling Ipv6 and also if the Exchage servers are on Windows 2008 then Disable IPv6 from there as well for Both CAS and Mailbox servers. If Windows is 2008 on Exchange Servers then Diable Kerrnal Mode Authentication on Autodiscover, EWS, and OAB VDirs.
0
 

Author Comment

by:traviskrings
Comment Utility
Everyone that has Vista is working fine, the only people not working are on Windows XP, but it is not all Windows XP users.  I do not have a large sampling of users so I cannot guarantee that this problem could not be present on Vista, just not on the 3 vista machines I have to work with.  Exchange servers are running Windows 2008, but IPv6 was already disabled because of a bug with Outlook Anywhere and IPv6.  I checked and I just have windows and basic authentication enabled on those virtual directories.

Also, the problem seems to be very consistent to the machine.  If the client works it works all of the time no matter what the user is, and if the client doesn't work it fails 100% of the time no matter what the user is.  That really makes it seem like there is something on the clients that is causing this or at least something changed on the client that is making it not correctly pass the credentials.

0
 
LVL 6

Expert Comment

by:ikshf143
Comment Utility
The kernal mode authentication is found on the Windows authentication. Eg: select autodiscover-->Authentication-->Windows Authentication-->Advanced Settings and uncheck Kernal Mode authentication.
0
 

Author Comment

by:traviskrings
Comment Utility
OK, it is enabled, but I am not going to disable it in my production environment unless there is some specific evidence that it could cause a problem.  It says it is best practice to leave it.  What would turning this off do, given that the majority of people seem to be working fine.
0
What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

 

Author Comment

by:traviskrings
Comment Utility
Also, I have verified that from the same computer that nobody can connect to their Exchange 2007 mailbox with outlook anywhere we can log in as a user with a mailbox still on Exchange 2003 and it works just fine.  All of the traffic is coming through the Exchange 2007 SP1 CAS servers.
0
 

Author Comment

by:traviskrings
Comment Utility
I had another user create a new local user and log in, and then create a new oultook profile to their mailbox, and it worked.  Logging back in to their domain profile it still doesn't work.  I think I mentioned before that this didn't seem to work but I may have misunderstood the other user, I performed these steps in person.  

Could there be something with the way the credentials are passed when logged into a domain windows profile vs. a local profile?
0
 
LVL 6

Expert Comment

by:ikshf143
Comment Utility
Yes when the user is logged in the logon happens over Kerberos. I had resolved a couple of Outlook Anywhere issues with disabling the kernel mode authentication as we have noticed most of the time it gives problems but sometimes it works so might be in your case. I can assure you that disbaling the kernel mode will not effect any other feature or functionality.
Also try this have another user login to the client machine and that would create a new domain profile and then try creating the Outlook profile.
0
 

Author Comment

by:traviskrings
Comment Utility
If another user logs in with their brand new domain profile it does not work for them either.  but if you create a local windows account and then set up an outlook profile for the user it works.

I have engaged Microsoft Support but nothing has come of it yet.  We can see in network traces comparing when it works to when it doesn't that the SSL negotiation seems to be getting reset on the scenario that does not work.  From what they showed me in the packet traces they don't even think the credentials are being passed into the Exchange server because the SSL handshakes are not completing.

Any other input would be great, and if I have any more developments from working with MS I will post them.
0
 

Author Comment

by:traviskrings
Comment Utility
The problem was the kernel mode authentication.  After disabling that and doing an iisreset it started working.  I wanted to note another thing that we found after disabling kernel mode authentication though.  If the client was windows XP, and the "connect only if certificate has this principal name" setting was set in Outlook, it wouldn't connect.  If you uncheck that it worked.  I found that by default that setting in Exchange 2007 in blank, which makes it fill that setting in with the same name as your Outlook Anywhere name by default when an outlook profile is created.  I ran the "Set-OutlookProvider EXPR -CertPrincipalname:none" command to change that field to none, and now when you set up an outlook profile it does not use that setting.  
0
 

Expert Comment

by:prudog
Comment Utility
i have tried the solutions but this did not work for me anything else on this
0
 

Expert Comment

by:puryear-it
Comment Utility
Are you using a wildcard SSL cert or just a single domain cert for your SBS server? This could be an SSL cert issue. On the SBS server, go to https://localhost/autodiscover/autodiscover.xml and check out the name on the cert.
0

Featured Post

Are your corporate email signatures appalling?

Is it scary how unprofessional your email signatures look? Do users create their own terrible designs and give themselves stupid job titles? You can make this a lot easier for yourself by choosing an email signature management solution from Exclaimer today.

Join & Write a Comment

We are happy to announce a brand new addition to our line of acclaimed email signature management products – CodeTwo Email Signatures for Office 365.
Disabling the Directory Sync Service Account in Office 365 will stop directory synchronization from working.
In this video we show how to create a User Mailbox in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Recipients >> Mailb…
In this video we show how to create a Distribution Group in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Recipients >>…

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

13 Experts available now in Live!

Get 1:1 Help Now