Exchange 2007 Out of Office and SSL errors

totalimpact
SBS2008 Exchange 2007 SP1, all latest ms updates

On local Outlook 2007 clients the Out of Office feature fails with the following error:
"Your out of office settings cannot be displayed, because the server is currently unavailable. Try again later."
Works fine in OWA.

I ran this: Test-OutlookWebServices | fl

Id      : 1013
Type    : Error
Message : When contacting https://remote.mydomain.com/Rpc received the error The server committed a protocol violation. Section=ResponseStatusLine

Id      : 1017
Type    : Error
Message : [EXPR]-Error when contacting the RPC/HTTP service at https://remote.mydomain.com/Rpc. The elapsed time was 20 milliseconds.

I am pretty sure it is due to the self-signed SSL cert that doesn't match the domain name, so I built a new cert using EMS, and listed all possible Subject Alternative Names on the cert. I enabled it on IIS, POP, IMAP. Outlook clients then started getting a security alert when opened:
"The name on the security certificate is invalid or does not match the name on the site."

So I compared the original cert to my new one and noticed the following under the SAN field:
"Other Name:
     DS Object Guid=04 10 fb 57 df bb e3 e9 47 40 be 3c 81 cd f2 8a 0d cb
DNS Name=SVR-1.mydomain.local"

The first part is not in my new cert, and I am not sure how to specify "Other Name: DS Object..." as a New-ExchangeCertificate parameter, I think this is why my new cert fails.

Anyways I tested the Availability service using https://www.testexchangeconnectivity.com and with my new cert it still comes back with a failure (although it passes all Autodiscovery tests), here is the Availability test error:

"Ensuring that the test mailbox folder is empty and accessible
  Failed to confirm the folder is accessible and empty
   Additional Details
  Request failed. The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel."  
Run TestEmailautoconfiguration from the Outlook 2007 machine and see if you are getting the correct URL for OOF.

Post the result if possible.

Make sure you have a SAN certificate.

Depending upon the result from TestEmailautoconfiguration, we can move further, so please run the test and let us know the result.
Commented:
Hi,

What is the output of Test Email Auto-Configuration? (Ctrl-right-click the Outlook icon in the system tray and select Test Email Auto-Configuration, fill in email and password, uncheck "Use Guessmart" and "Secure Guessmart Authentication", and click Test.)
Also refer to the following on Outlook AutoDiscovery:
http://www.exchange-genie.com/2007/07/exchange-2007-autodiscover-service-part-1/

Author

Commented:
I have already tried that exchangegenie guide.

Outlook test fails. It is using valid DNS names that resolve both publicly and internally to my server (I created a mydomain.com zone on my Windows server and added the CNAME for autodiscover on both the .com and .local; my internal domain is .local). Attached is a screenshot of the Outlook test.

I ran a couple of tests in powershell, tried to clean up the output, here they are, the 2nd failing terribly:

[PS] C:\Windows\System32>Test-ActiveSyncConnectivity
CasServer  MailboxServer  Scenario         Result   Latency(MS)  Error
---------  -------------  --------         ------   -----------  -----
myserver   myserver       Options          Success  127.01
myserver   myserver       FolderSync       Success  312.03
myserver   myserver       First Sync       Success  348.03
myserver   myserver       GetItemEstimate  Success  283.03
myserver   myserver       Sync Data        Success  119.01
myserver   myserver       Ping             Success  1048.4
myserver   myserver       Sync Test Item   Success  106.01

[PS] C:\Windows\System32>Test-OutlookWebServices |fl
Id      : 1007
Type    : Information
Message : Testing server myserver.mydomain.local with the published name
          https://remote.mydomain.com/EWS/Exchange.asmx & https://remote.mydomain
          .com/EWS/Exchange.asmx.
Id      : 1019
Type    : Information
Message : Found a valid AutoDiscover service connection point. The AutoDiscover
           URL on this object is https://remote.mydomain.com/Autodiscover/Autod
          iscover.xml.
Id      : 1005
Type    : Error
Message : When accessing https://remote.mydomain.com/Autodiscover/Autodiscover.
          xml the error "RemoteCertificateNameMismatch:CN=remote.mydomain.com,
          OU=Main Office, O=mydomain, L=San Diego, S=California, C=US" was repo
          rted.
Id      : 1006
Type    : Information
Message : The Autodiscover service was contacted at https://remote.mydomain.com
          /Autodiscover/Autodiscover.xml.
Id      : 1016
Type    : Success
Message : [EXCH]-Successfully contacted the AS service at https://remote.mydomain
          .com/EWS/Exchange.asmx. The elapsed time was 24 milliseconds.
Id      : 1015
Type    : Success
Message : [EXCH]-Successfully contacted the OAB service at https://remote.recep
          t.com/EWS/Exchange.asmx. The elapsed time was 0 milliseconds.
Id      : 1016
Type    : Success
Message : [EXPR]-Successfully contacted the AS service at https://remote.mydomain
          .com/EWS/Exchange.asmx. The elapsed time was 39 milliseconds.
Id      : 1015
Type    : Success
Message : [EXPR]-Successfully contacted the OAB service at https://remote.recep
          t.com/EWS/Exchange.asmx. The elapsed time was 0 milliseconds.
Id      : 1014
Type    : Success
Message : [EXPR]-Successfully contacted the UM service at https://remote.mydomain
          .com/UnifiedMessaging/Service.asmx. The elapsed time was 18 millise
          conds.
Id      : 1013
Type    : Error
Message : When contacting https://remote.mydomain.com/Rpc received the error Th
          e server committed a protocol violation. Section=ResponseStatusLine
Id      : 1017
Type    : Error
Message : [EXPR]-Error when contacting the RPC/HTTP service at https://remote.r
          ecept.com/Rpc. The elapsed time was 15 milliseconds.

TestAutoconfig.JPG

The above picture shows that autodiscover has failed, but it doesn't show the entire logs.

If in the Result tab you don't get any URL for any services, that means autodiscover has failed, and without autodiscover OOF will not work.

Please post again, showing the Result tab instead of the logs.

Author

Commented:
Results tab only shows "Autodiscover was unable to detect your settings"

When I created the new account it used auto discover and entered all the info automatically.

I am sure it is related to the ssl cert, please see the output from Powershell tests above.
See this article and create a valid certificate:
http://msexchangeteam.com/archive/2007/07/02/445698.aspx

If you have a self-signed certificate, make sure the URLs for these services are set correctly:
http://support.microsoft.com/kb/940726

Author

Commented:
ok - now we are getting somewhere, this article best describes my problem http://support.microsoft.com/kb/940726

I followed the instructions there, but my problem is still there. When opening Outlook I get the cert error that the name on the certificate is invalid or does not match the name on the site.

The article above is for Exchange in general - I am running SBS2008, which has all the IIS sites listed under a virtual directory called "SBS Web Applications" instead of "Default Website". I changed the commands from the above article to match this, they were accepted, I recycled the app pool, and even restarted IIS, but my Outlook test still fails.

Let's assume my domain is ACME, and my server's internal name is EXCH1 (that info is not true of course).

I am using self signed certificates using remote.acme.com for the site, I have also added SANs for the following DNS names:
autodiscover.acme.com
exch1.acme.local
exch1

(all names above are listed in windows DNS, and the .com names are all publicly known as well).
My users know to use the Remote Web Workplace with the URL remote.acme.com (so that's what I used for the SSL cert).

I ran the commands in the article above to change all the URIs to remote.acme.com.
For instance, one of the commands would be:
Set-WebServicesVirtualDirectory -Identity "EXCH1\EWS (SBS Web Applications)" -InternalUrl https://remote.acme.com/ews/exchange.asmx

I ran all the commands there, even the one at the bottom.
When Outlook pops up the cert error I am able to view the cert, the thumbprint matches what I have on my SBS virtual directory (where autodiscovery virtual dir can be found), and all my SANs are listed.

I feel like I am almost there, but maybe there is something specific to the way SBS assigns the IIS virtual directories or something like that.
OutlookCerterror.JPG
Ok.....SAN should be
exch1.acme.local
exch1
remote.acme.com
autodiscover.acme.com
acme.com

acme.com, autodiscover.acme.com and remote.acme.com should be resolved externally.

If the internal users are using remote.acme.com URL it should be resolved internally as well.

You need to set the autodiscover URL.

Get-ClientAccessServer |fl
And check what the AutoDiscoverServiceInternalUri is set to.

Please set it to

Set-ClientAccessServer -AutoDiscoverServiceInternalUri https://exch1.acme.local/autodiscover/autodiscover.xml

Open "https://exch1.acme.local/autodiscover/autodiscover.xml" from client machine and it should open without certificate warning and should give you error 600 invalid request.

If you get the certificate warning on the client machine, please export the certificate and import it on the client machine.

Accordingly, set the internal URL for OAB, EWS and web services, and make sure you export and install the self-signed certificate on each client machine, as it is self SSL.

That article works for SBS as well; you just need to replace Default Web Site with SBS Web Applications.
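
Added example (not part of the original thread and not any poster's code): a PowerShell check that reads the certificate actually presented on port 443 and reports whether each service URL's host name appears among its SAN DNS entries. The acme host names are the thread's placeholders and the URL list is an assumption; it inspects SAN DNS entries only and assumes English-language Windows output.

```powershell
# Added example; host names are the thread's placeholder names (acme), not real hosts.
$Server = 'exch1.acme.local'   # server whose port-443 certificate is inspected
$Urls = @(                     # assumed service URLs, following the thread's naming
    'https://exch1.acme.local/autodiscover/autodiscover.xml',
    'https://autodiscover.acme.com/autodiscover/autodiscover.xml',
    'https://remote.acme.com/ews/exchange.asmx'
)

function Get-PresentedCertificate([string]$HostName, [int]$Port = 443) {
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept whatever is presented: the aim is to read the certificate, not to trust it.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $tcp.Close() }
}

function Get-SanDnsName($Cert) {
    # 2.5.29.17 is the Subject Alternative Name extension. On English-language Windows
    # Format($true) prints one entry per line, e.g. "DNS Name=exch1.acme.local".
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { return }
    $san.Format($true) -split "`r?`n" | ForEach-Object {
        if ($_ -match '^\s*DNS Name=(.+)$') { $Matches[1].Trim().ToLower() }
    }
}

function Test-NameCovered([string]$HostName, [string[]]$Names) {
    foreach ($n in $Names) {
        if ($n -eq $HostName) { return $true }
        # A wildcard entry such as *.acme.com covers exactly one left-most label.
        $dot = $HostName.IndexOf('.')
        if ($n.StartsWith('*.') -and $dot -gt 0 -and $HostName.Substring($dot) -eq $n.Substring(1)) {
            return $true
        }
    }
    return $false
}

$cert  = Get-PresentedCertificate $Server
$names = @(Get-SanDnsName $cert)
"Thumbprint {0}, valid until {1:u}" -f $cert.Thumbprint, $cert.NotAfter
foreach ($u in $Urls) {
    $h = ([Uri]$u).Host.ToLower()
    $state = if (Test-NameCovered $h $names) { 'covered' } else { 'NOT IN SAN' }
    '{0,-12} {1}' -f $state, $u
}
```

The printed thumbprint can be compared with the one bound to the IIS site, which shows whether the site is serving the certificate you expect.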


Author

Commented:
Getting closer - I did all that as you noted, and changed the URIs to point to exch1.acme.local, and now Outlook opens without any warnings, but Send/Receive fails with error:
Task (my email) reported error (0x8004010f): 'The operation failed. An object cannot be found.'

and the Outlook connectivity test still fails autodiscovery.

I can open the site "https://exch1.acme.local/autodiscover/autodiscover.xml"  and it asks me for username/password, and replies with error 600 just like you said.

Get-ClientAccessServer |fl shows AutoDiscoverServiceInternalUri :
https://exch1.acme.local/autodiscover/autodiscover.xml 

One odd thing I noted now - somehow the SSL cert is bound to both the Default Website and SBS Web Applications - which of course causes the Default Website to shut down since 443 can't listen on both IPs.

Everything else looks straight - not sure why it's not working.

Author

Commented:
I ran Test-OutlookWebServices |Fl and everything passes except:
Id      : 1013
Type    : Error
Message : When contacting https://remote.acme.com/Rpc received the error
            The server committed a protocol violation. Section=ResponseStatusLine

Id      : 1017
Type    : Error
Message : [EXPR]-Error when contacting the RPC/HTTP service at https://remote.acme.com/Rpc.
            The elapsed time was 14 milliseconds.

Most of the other items show my internal domain name (.local)

Author

Commented:
I noticed I am still getting mail in Outlook, even though Send/Receive shows as failed - just as a note.

Author

Commented:
OK, so I found a major flaw here, and I'm not sure how to correct it - it seems Exchange thinks the Rpc directory is under the Default Web Site, but it's really in the SBS Web Applications virtual dir -
get-outlookanywhere |fl
WARNING: IIS://EXCH1.acme.local/W3SVC/1/ROOT/Rpc was not found.
Please make sure you have typed it correctly.


ServerName                 : EXCH1
SSLOffloading              : False
ExternalHostname           : remote.acme.com
ClientAuthenticationMethod : Basic
IISAuthenticationMethods   : {Basic, Ntlm}
MetabasePath               : IIS://EXCH1.acme.local/W3SVC/1/ROOT/R
                             pc
Path                       :
Server                     : EXCH1
AdminDisplayName           :
ExchangeVersion            : 0.1 (8.0.535.0)
Name                       : Rpc (Default Web Site)
DistinguishedName          : CN=Rpc (Default Web Site),CN=HTTP,CN=Protocols,CN=
                             EXCH1,CN=Servers,CN=Exchange Administrati
                             ve Group (FYDIBOHF23SPDLT),CN=Administrative Group
                             s,CN=First Organization,CN=Microsoft Exchange,CN=S
                             ervices,CN=Configuration,DC=acme,DC=local
Identity                   : EXCH1\Rpc (Default Web Site)
Guid                       : 5b2ba1c6-e936-41d3-9998-1d1c14be8e98
ObjectCategory             : acme.local/Configuration/Schema/ms-Exch-Rpc-Ht
                             tp-Virtual-Directory
ObjectClass                : {top, msExchVirtualDirectory, msExchRpcHttpVirtual
                             Directory}
WhenChanged                : 1/3/2010 3:42:08 PM
WhenCreated                : 1/3/2010 3:42:08 PM
OriginatingServer          : EXCH1.acme.local
IsValid                    : True

I tried Set-OutlookAnywhere, but I don't know the syntax to just specify the dir.
Sorry for the delayed response... I have very limited time to post nowadays.
Ok so the cert error has gone away good !!!

The error that you getting while doing send and receive is for OAB.

Follow these steps:

Make sure your Exchange 2007 Mailbox server is the OAB generating server.

Go to
C:\program file >microsoft >exchange >ExchangeOAB >guid value
and make sure you have 1 XML and daily LZX files.

On the CAS server, restart the Microsoft Exchange File Distribution service.

Go to IIS > SBS Web Applications> under OAB see if you have the folder with the same guid value.

Make sure you have following authentication set in IIS:

1) Autodiscover: Basic and Integrated authentication, SSL optional
2) OAB: Integrated authentication, no SSL

Go to C:\program file >microsoft >exchange >Client access >OAB
Check if there is the folder with the same guid.

And Authenticated Users should have at least read permission on the OAB folder.

Author

Commented:
What about the RPC issue - Exchange thinks it's under the Default Web Site when it's really under SBS Web Applications.

So I did all you said; the only thing not matching your requirements was that OAB was set to both Basic auth and Integrated, and SSL was required there. Everything else was as it should be.

My outlook tests still fail the same as the pic attached above.

Author

Commented:
I try to correct this, but get failure:
Set-OutlookAnywhere -ClientAuthenticationMethod Basic

cmdlet Set-OutlookAnywhere at command pipeline position 1
Supply values for the following parameters:
Identity: exch1\rpc <SBS Web Applications>
Set-OutlookAnywhere : The operation could not be performed because object
'exch1\rpc <SBS Web Applications>' could not be found on domain controller
'exch1.receptos.local'.
At line:1 char:20
+ Set-OutlookAnywhere  <<<< -ClientAuthenticationMethod Basic

Author

Commented:
Does anyone have any ideas on this? Or should I post a new question more specific to this error?

Author

Commented:
Can this be changed using ADSIedit??
Accept the Answer ID:26482047

I had provided the reason for why it is not working and also the solution for the same.

Author

Commented:
All I can say is that Narayan fixed my SAN, however, a problem still remains, Outlook still does not complete a Send/Receive properly, and this error response when running PS command:

 Test-OutlookWebServices |Fl
Id      : 1013
Type    : Error
Message : When contacting https://remote.acme.com/Rpc received the error
            The server committed a protocol violation. Section=ResponseStatusLine

I would be willing to provide partial points, and close the question (only to open a new question specifically for the error above).
Outlook Anywhere is a different issue altogether, as the initial issue was OOF, which was caused by non-functioning Autodiscover, which was fixed by having a valid certificate.

A good way to check Outlook Anywhere would be using testexchangeconnectivity.com
