Solved

Outlook Anywhere will not connect for some users

Posted on 2009-05-06
Last Modified: 2012-08-14
We are working on migrating from Exchange 2003 to Exchange 2007 and just have a small number of pilot mailboxes moved over. All of a sudden about 3 users out of the 10 or so that would use Outlook Anywhere cannot connect. They all have Outlook 2007, and they just repeatedly get prompted for credentials. I do not know of anything that has changed recently other than some Windows updates that might have gotten installed.

My troubleshooting seems to point to this being a problem per computer, not per user. Some of the users have Windows XP and some have Vista. All Windows Vista computers work, and XP is mixed. Some work and some don't. For the computers that do not work it does not seem to matter what user logs in, the problem still happens. On my computer I have no issues. I had a user that is having the issue on their computer log into my computer, which created a brand new profile, and everything worked. I went to their computer and did the same thing and I had the problem then. That sure seems to point to it being a per computer problem. People with the problem have tried updating Outlook 2007 to the latest SP, also making sure they are fully up to date from Windows Update. None of that seems to matter.

All of our external Exchange traffic is coming through the Exchange 2007 SP1 HUB/CAS servers, and I have not heard any complaints from the users getting proxied back to their Exchange 2003 mailboxes, and we have a lot of them using Outlook Anywhere. It seems that the problem is only for people that have mailboxes on the Exchange 2007 mailbox server. The prompt from Outlook is coming from the mailbox server, but if they keep entering credentials it sometimes will prompt from an Exchange 2003 mailbox server, probably because they have some shared mailboxes or calendars configured in their Outlook profile that reside on an Exchange 2003 server.

I am having a hard time finding a common problem between the people not working.  I had 3 people identified with the problem, and this morning one of them seemed to start working without making any changes, but the 2 left are persistent, and it does not seem to matter who logs in to their computer and tries.

I was able to find some failure audits on the CAS server for a person having the issue, saying it was an unknown username or pw, but obviously it is correct because they can come over to another computer and it works just fine for them.

Any help or ideas would be greatly appreciated.
0
Question by:traviskrings
13 Comments
 
LVL 6

Expert Comment

by:ikshf143
ID: 24316633
Hi,

Try creating a new Outlook Profile for those users on their Machine. Try creating a new Windows Profile and then try creating a new Outlook Profile.
On the CAS/HUB server check the Valid ports registry that would be
HKEY_LOCAL_MACHINE\Software\Microsoft\Rpc\RpcProxy and see if you have the entry for the Mailbox server for Valid Ports. It would be like
Mailbox:6001-6002;Mailbox.domain.com:6001-6002;Mailbox:6004;Mailbox.domain.com:6004;

Imran
0
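A check for the Valid Ports format described in the comment above, as an added example that is not part of the original thread: it parses a value in that `host:port` / `host:low-high` form and reports which expected host names lack ports 6001, 6002 or 6004, and which allow more than those. The function names are hypothetical, `Mailbox` and `Mailbox.domain.com` are the placeholder names from the comment, and the other sample strings are constructed.

```python
import re

REQUIRED_PORTS = {6001, 6002, 6004}  # the ports listed in the comment above

# Value as written in the comment above (placeholder host names).
PAGE_VALUE = ("Mailbox:6001-6002;Mailbox.domain.com:6001-6002;"
              "Mailbox:6004;Mailbox.domain.com:6004;")
# Constructed sample: the FQDN entry for port 6004 is missing.
BROKEN_VALUE = "Mailbox:6001-6002;Mailbox.domain.com:6001-6002;Mailbox:6004;"

ENTRY = re.compile(r"([^:;\s]+):(\d+)(?:-(\d+))?")

def parse_valid_ports(value):
    """Return {lower-cased host: set of allowed ports} for a Valid Ports string."""
    hosts = {}
    for entry in (e.strip() for e in value.split(";")):
        if not entry:
            continue  # a trailing ';' leaves an empty piece
        m = ENTRY.fullmatch(entry)
        if m is None:
            raise ValueError(f"malformed entry: {entry!r}")
        low = int(m.group(2))
        high = int(m.group(3)) if m.group(3) else low
        if not 1 <= low <= high <= 65535:
            raise ValueError(f"bad port range in entry: {entry!r}")
        hosts.setdefault(m.group(1).lower(), set()).update(range(low, high + 1))
    return hosts

def missing_ports(value, expected_hosts, required=REQUIRED_PORTS):
    """Return {host: sorted missing ports} for expected hosts that lack any."""
    allowed = parse_valid_ports(value)
    gaps = {}
    for host in expected_hosts:
        missing = set(required) - allowed.get(host.lower(), set())
        if missing:
            gaps[host] = sorted(missing)
    return gaps

def extra_port_counts(value, required=REQUIRED_PORTS):
    """Return {host: number of allowed ports beyond the required set}."""
    counts = {}
    for host, ports in parse_valid_ports(value).items():
        extra = len(ports - set(required))
        if extra:
            counts[host] = extra
    return counts

if __name__ == "__main__":
    names = ["Mailbox", "Mailbox.domain.com"]
    print(missing_ports(PAGE_VALUE, names), missing_ports(BROKEN_VALUE, names))
```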
 

Author Comment

by:traviskrings
ID: 24316700
We have already tried creating new Outlook profiles and it doesn't make a difference. We have also tried creating a new Windows profile and it does not make a difference. A user that does not have any issues on their computer can log into one of the affected user's computers and then they have the same issue. These users are all on the same Mailbox server, and the majority of them don't have any issues with Outlook Anywhere. I did check the Registry and they are all present in that key.

I don't know if this is a coincidence but the issue seemed to present itself shortly after we installed some Windows security updates to the servers, and also the latest HP Proliant support pack. I don't see how that would cause an issue like this but I thought I would mention it.

The troubleshooting so far really seems to point to something going on with these specific workstations, and not the user account or specific mailbox.
0
 
LVL 6

Accepted Solution

by:
ikshf143 earned 500 total points
ID: 24316853
If these workstations are Windows Vista then try disabling IPv6, and also if the Exchange servers are on Windows 2008 then disable IPv6 from there as well for both CAS and Mailbox servers. If Windows is 2008 on Exchange Servers then disable Kernel Mode Authentication on Autodiscover, EWS, and OAB VDirs.
0

 

Author Comment

by:traviskrings
ID: 24316928
Everyone that has Vista is working fine, the only people not working are on Windows XP, but it is not all Windows XP users. I do not have a large sampling of users so I cannot guarantee that this problem could not be present on Vista, just not on the 3 Vista machines I have to work with. Exchange servers are running Windows 2008, but IPv6 was already disabled because of a bug with Outlook Anywhere and IPv6. I checked and I just have Windows and basic authentication enabled on those virtual directories.

Also, the problem seems to be very consistent to the machine.  If the client works it works all of the time no matter what the user is, and if the client doesn't work it fails 100% of the time no matter what the user is.  That really makes it seem like there is something on the clients that is causing this or at least something changed on the client that is making it not correctly pass the credentials.

0
 
LVL 6

Expert Comment

by:ikshf143
ID: 24317066
The kernel mode authentication is found on the Windows authentication. E.g.: select autodiscover-->Authentication-->Windows Authentication-->Advanced Settings and uncheck Kernel Mode authentication.
0
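A read-only way to see where that setting currently stands before changing anything, as an added example that is not part of the original thread: it reads an IIS 7 `applicationHost.config` and lists the Autodiscover, EWS and OAB locations that have Windows authentication enabled with kernel mode on. The function names and the "Default Web Site" paths are assumptions, the XML is a constructed sample, and only settings written directly on a `<location>` element are read (inherited values are not resolved).

```python
import xml.etree.ElementTree as ET

# Constructed sample in applicationHost.config layout; site name is an assumption.
SAMPLE_CONFIG = """<configuration>
  <location path="Default Web Site/Autodiscover">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="true" />
    </authentication></security></system.webServer>
  </location>
  <location path="Default Web Site/EWS">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="true" useKernelMode="false" />
    </authentication></security></system.webServer>
  </location>
  <location path="Default Web Site/OAB">
    <system.webServer><security><authentication>
      <windowsAuthentication enabled="true" useKernelMode="true" />
    </authentication></security></system.webServer>
  </location>
</configuration>"""

SECTION = ("system.webServer", "security", "authentication", "windowsAuthentication")

def _descend(node, tags):
    """Follow child elements by exact tag name; None if any level is absent."""
    for tag in tags:
        node = next((child for child in node if child.tag == tag), None)
        if node is None:
            return None
    return node

def kernel_mode_by_location(config_xml):
    """Return {location path: (windows_auth_enabled, kernel_mode_on)}."""
    states = {}
    for location in ET.fromstring(config_xml).iter("location"):
        auth = _descend(location, SECTION)
        if auth is None:
            continue
        # IIS 7 schema defaults: enabled="false", useKernelMode="true".
        enabled = auth.get("enabled", "false").lower() == "true"
        kernel = auth.get("useKernelMode", "true").lower() == "true"
        states[location.get("path", "")] = (enabled, kernel)
    return states

def vdirs_with_kernel_mode(config_xml, vdir_names=("Autodiscover", "EWS", "OAB")):
    """Return sorted location paths of the named vdirs with kernel mode in effect."""
    wanted = {name.lower() for name in vdir_names}
    return sorted(path for path, (enabled, kernel)
                  in kernel_mode_by_location(config_xml).items()
                  if enabled and kernel and path.rsplit("/", 1)[-1].lower() in wanted)

if __name__ == "__main__":
    print(vdirs_with_kernel_mode(SAMPLE_CONFIG))
```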
 

Author Comment

by:traviskrings
ID: 24317175
OK, it is enabled, but I am not going to disable it in my production environment unless there is some specific evidence that it could cause a problem. It says it is best practice to leave it. What would turning this off do, given that the majority of people seem to be working fine?
0
 

Author Comment

by:traviskrings
ID: 24318509
Also, I have verified that from the same computer that nobody can connect to their Exchange 2007 mailbox with Outlook Anywhere, we can log in as a user with a mailbox still on Exchange 2003 and it works just fine. All of the traffic is coming through the Exchange 2007 SP1 CAS servers.
0
 

Author Comment

by:traviskrings
ID: 24319701
I had another user create a new local user and log in, and then create a new Outlook profile to their mailbox, and it worked. Logging back in to their domain profile it still doesn't work. I think I mentioned before that this didn't seem to work but I may have misunderstood the other user; I performed these steps in person.

Could there be something with the way the credentials are passed when logged into a domain Windows profile vs. a local profile?
0
 
LVL 6

Expert Comment

by:ikshf143
ID: 24320428
Yes, when the user is logged in the logon happens over Kerberos. I had resolved a couple of Outlook Anywhere issues with disabling the kernel mode authentication as we have noticed most of the time it gives problems but sometimes it works so might be in your case. I can assure you that disabling the kernel mode will not affect any other feature or functionality.
Also try this: have another user log in to the client machine and that would create a new domain profile, and then try creating the Outlook profile.
0
 

Author Comment

by:traviskrings
ID: 24366535
If another user logs in with their brand new domain profile it does not work for them either. But if you create a local Windows account and then set up an Outlook profile for the user it works.

I have engaged Microsoft Support but nothing has come of it yet.  We can see in network traces comparing when it works to when it doesn't that the SSL negotiation seems to be getting reset on the scenario that does not work.  From what they showed me in the packet traces they don't even think the credentials are being passed into the Exchange server because the SSL handshakes are not completing.

Any other input would be great, and if I have any more developments from working with MS I will post them.
0
 

Author Comment

by:traviskrings
ID: 24390023
The problem was the kernel mode authentication. After disabling that and doing an iisreset it started working. I wanted to note another thing that we found after disabling kernel mode authentication though. If the client was Windows XP, and the "connect only if certificate has this principal name" setting was set in Outlook, it wouldn't connect. If you uncheck that it worked. I found that by default that setting in Exchange 2007 is blank, which makes it fill that setting in with the same name as your Outlook Anywhere name by default when an Outlook profile is created. I ran the "Set-OutlookProvider EXPR -CertPrincipalname:none" command to change that field to none, and now when you set up an Outlook profile it does not use that setting.
0
 

Expert Comment

by:prudog
ID: 33551716
I have tried the solutions but this did not work for me. Anything else on this?
0
 

Expert Comment

by:puryear-it
ID: 34606683
Are you using a wildcard SSL cert or just a single domain cert for your SBS server? This could be an SSL cert issue. On the SBS server, go to https://localhost/autodiscover/autodiscover.xml and check out the name on the cert.
0
