jetli87

asked on

Exchange 2010 Outlook Anywhere not working

Need help with configuring Outlook Anywhere.

I have the certs set up and went through the typical setup, but it is not working.

I have a UCC Cert with the following domain names:
outlook.company.com ==> for outlookanywhere
email.company.com ==> owa
autodiscover.company.com

all three names are configured on ExchGateway.company.local which is the CAS/HUB Role.

set all configs via
enable-outlookanywhere
set-outlookprovider
and tested via testexchangeconnectivity.com

test results intermittently work.
ASKER CERTIFIED SOLUTION
Akhater
This solution is only available to members.
Will be online tonight if not resolved
jetli87

ASKER

ok, everything isn't working because my autodiscover is not configured properly.

I had run the test locally on the network and it works fine, but obviously remotely it doesn't, so that has been throwing me off.

Here's the result of autodiscover test:


 Attempting to test Autodiscover for exch2010@company.com 
  Testing Autodiscover failed. 
   Test Steps 
   ExRCA is attempting each method of contacting the Autodiscover service. 
  The Autodiscover service couldn't be contacted successfully by any method. 
   Test Steps 
   Attempting to test potential AutoDiscover URL https://company.com/AutoDiscover/AutoDiscover.xml 
  Testing of this potential Autodiscover URL failed. 
   Test Steps 
   Attempting to resolve the host name company.com in DNS. 
  Host successfully resolved 
   Additional Details 
  IP(s) returned: 74.s.x.149 
 
 Testing TCP Port 443 on host company.com to ensure it is listening and open. 
  The port was opened successfully. 
 ExRCA is testing the SSL certificate to make sure it's valid. 
  The SSL certificate failed one or more certificate validation checks. 
   Test Steps 
   The certificate name is being validated. 
  Certificate name validation failed. 
   Tell me more about this issue and how to resolve it 
   Additional Details 
  Host name company.com does not match any name found on the server certificate CN=mail.company.com, OU=Domain Control Validated, O=mail.company.com 
 
 
 
 
 
 Attempting to test potential AutoDiscover URL https://autodiscover.company.com/AutoDiscover/AutoDiscover.xml 
  Testing of this potential Autodiscover URL failed. 
   Test Steps 
   Attempting to resolve the host name autodiscover.company.com in DNS. 
  Host successfully resolved 
   Additional Details 
  IP(s) returned: 74.x.x.158 
 
 Testing TCP Port 443 on host autodiscover.company.com to ensure it is listening and open. 
  The port was opened successfully. 
 ExRCA is testing the SSL certificate to make sure it's valid. 
  The certificate passed all validation requirements. 
   Test Steps 
   The certificate name is being validated. 
  Successfully validated the certificate name 
   Additional Details 
  Found hostname autodiscover.company.com in Certificate Subject Alternative Name entry 
 
 Certificate trust is being validated. 
  The test passed with some warnings encountered. Please expand the additional details. 
   Additional Details 
  Only able to build certificate chain when using the Root Certificate Update functionality from Windows Update. Your server may not be properly configured to send down the required intermediate certificates to complete the chain. Consult the certificate installation instructions or FAQ's from your Certificate Authority for more information. 
 
 The certificate date is being confirmed to ensure the certificate is valid. 
  Date validation passed. The certificate hasn't expired. 
   Additional Details 
  Certificate is valid: NotBefore = 9/8/2010 2:07:56 AM, NotAfter = 9/8/2012 2:07:56 AM" 
 
 
 
 The IIS configuration is being checked for client certificate authentication. 
  Client certificate authentication wasn't detected. 
   Additional Details 
  Accept/Require Client Certificates not configured. 
 
 ExRCA is attempting to send an Autodiscover POST request to potential Autodiscover URLs. 
  Autodiscover settings weren't obtained when the Autodiscover POST request was sent. 
   Test Steps 
   Attempting to Retrieve XML AutoDiscover Response from url https://autodiscover.company.com/AutoDiscover/AutoDiscover.xml for user exch2010@starpointproperties.com 
  Failed to obtain AutoDiscover XML response. 
   Additional Details 
  A Web Exception occurred because an HTTP 401 - Unauthorized response was received from Unknown 
  
 ExRCA is attempting to contact the Autodiscover service using the HTTP redirect method. 
  The attempt to contact Autodiscover using the HTTP Redirect method failed. 
   Test Steps 
   Attempting to resolve the host name autodiscover.company.com in DNS. 
  Host successfully resolved 
   Additional Details 
  IP(s) returned: 74.x.x.158 
 
 Testing TCP Port 80 on host autodiscover.company.com to ensure it is listening and open. 
  The port was opened successfully. 
 Checking Host autodiscover.company.com for an HTTP redirect to AutoDiscover 
  ExRCA failed to get an HTTP redirect response for Autodiscover. 
   Additional Details 
  An HTTP 403 forbidden response was received. The response appears to have come from Unknown. Body is: You do not have permission to view this directory or page. 
 
 
 ExRCA is attempting to contact the Autodiscover service using the DNS SRV redirect method. 
  Failed to contact AutoDiscover using the DNS SRV redirect method. 
   Test Steps 
 
 
 
 
 


Does your cert include either
Domain.com
Autodiscover.domain.com
your error is here  

A Web Exception occurred because an HTTP 401 - Unauthorized response was received from Unknown

401 usually means user/pass incorrect

did you try to use user@domain.com or domain\user ?
jetli87

ASKER

tried both methods user@domain and domain\user.

For sure the userpass is fine...If I vpn and run the same test, all is well.

The firewall is configured with the right accesslist:  allowing incoming on ports 80 & 443 directed internally to the CAS/Hub Server.

All external DNS entries are pointed to the pub IP which is configured for NAT on the firewall.
jetli87

ASKER

yes, forgot to mention autodiscover is included on cert.
SOLUTION
This solution is only available to members.
dude @ you are still on mobile.

jetli87 - who hosts your DNS
do they support SRV records ?
autodiscover.domain.com > where does it point to ?
Cert contains autodiscover so is there an A record in DNS for it
@endital1097 @sunnyc7

guys look at the report all is working fine the SANs are fine and the IP are fine it is just failing at

ExRCA is attempting to send an Autodiscover POST request to potential Autodiscover URLs.
  Autodiscover settings weren't obtained when the Autodiscover POST request was sent.
   Test Steps
   Attempting to Retrieve XML AutoDiscover Response from url https://autodiscover.company.com/AutoDiscover/AutoDiscover.xml 
  Failed to obtain AutoDiscover XML response.
   Additional Details
  A Web Exception occurred because an HTTP 401 - Unauthorized response was received from Unknown
akhater point
I was reading from jetli's previous question.

shouldn't it be
https://mail.domain.com/AutoDiscover/AutoDiscover.xml
Not externally

Is basic authentication enabled
SOLUTION
This solution is only available to members.
jim I think we did that @jetli's last case - basic and NTLM enabled through set-outlookanywhere.

jetli87 please confirm

get-outlookanywhere | fl
IISauthentication field - is it basic or basic, ntlm
I am out guys.
Akhater your ball.
Jim - get a break.
jetli87

ASKER

Sorry, stepped out...will get back to everyone in an hour.
jetli87

ASKER

so from the outside, autodiscover.company.com/AutoDiscover/AutoDiscover.xml

will not resolve, though i know it's not dns because autodiscover.company.com goes to IIS page.

internally, the link requests a username/password and I tried the test user credentials via upn or domain/user and can't login...

IIS Authentication = NTLM

from outside autodiscover.company.com/autodiscover/autodiscover.xml does prompt for a user/pass however i don't know the pass to test it

however entering a user/pass should let you login and this is your problem
SOLUTION
This solution is only available to members.
jetli87

ASKER

Quick question, ran

get-autodiscovervirtualdirectory | fl

InternalUrl & External Url are Null - should there be a setting there?
jetli87

ASKER

and basicauthentication is already set to true
yes they should be NULL it is normal.

can you give me the password of your test user so I can do some tests ?
ok... make sure there is only basic and Windows authentication selected in Autodiscover virtual directory and there is no Anonymous authentication selected ... do it from IIS manager and see if you have options for basic and windows authentication if you do not have them then please install pre-requisite.

If above things are in place please remove autodiscover virtual directory and the re-create it.

get-autodiscovervirtualdirectory | remove-autodiscovervirtualdirectory

new-autodiscovervirtualdirectory

and again set the authentication type like I mentioned.

then try to browse
https://localhost/autodiscover/autodiscover.xml
though you get a cert error just proceed with credentials and you should get error code 600 invalid
if you get that it should work from outside as well

revert.
when you tried it from the outside you did try https://autodiscover.domain.com/autodiscover/autodiscover.xml

can you post the results for
Get-AutodiscoverVirtualDirectory | fl *Authen*
jetli87

ASKER

ok whatever happened, autodiscover test is succeeding right now...Going through other tests.
:) good to know
it was my return :)
jetli87

ASKER

ok so https-rpc is sorta working now.

I had to apply the below for the test to complete successfully on auto config

set-outlookprovider expr -certprincipalname "msstd:email.company.com"

now what's the correct config on outlook?  I can't get it work.

exchange server = outlook.company.com
on Exchange Proxy: outlook.company.com
Authentication = ntlm

when i do checkname, i get prompted for username/pass and I've tried both upn and user/domain but it errors out.
SOLUTION
This solution is only available to members.
jetli87

ASKER

nevermind, got it to work...changed exchange server to local CAS DNS name.

Since you have autodiscover there is nothing to configure in outlook it should pick up the config alone
jetli87

ASKER

last question, for login credentials on outlookanywhere, does Exchange 2010 accept either UPN or domain/user method?

or can you specify somewhere?

i used UPN and it worked ok.
Both should work
jetli87

ASKER

is there a way to specify/restrict the login method?
remove the upn logon name within ad, otherwise no
jetli87

ASKER

thanks for everyone's help.

will assign points shortly.
have a great weekend
Wow. this is resolved. Just came back home.
Stuck in a traffic jam for 1.5 hrs and crossed 2 miles :(
jetli87

ASKER

Responses didn't directly resolve the issue but helped lead me to fix it on my own.
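
The checks this thread worked through by hand (authentication on the Autodiscover virtual directory, the Outlook Anywhere settings, the names on the IIS certificate and the EXPR principal name) gathered into one read-only script for the Exchange Management Shell. This is an added example, not code from any poster; `$smtpDomain`, the single-CAS layout and the msstd comparison rule noted in the comments are assumptions.

```powershell
# Added example: read-only audit, changes no configuration.
# Assumptions: one CAS server (as in this thread); $smtpDomain is a placeholder.
$smtpDomain = 'company.com'

# Authentication switches the thread inspected with "| fl *Authen*".
Get-AutodiscoverVirtualDirectory |
    Format-List Server, BasicAuthentication, WindowsAuthentication
$oa = Get-OutlookAnywhere
$oa | Format-List Server, ExternalHostname, ClientAuthenticationMethod, IISAuthenticationMethods

# Certificate enabled for IIS: newest one wins if several are present.
$cert = Get-ExchangeCertificate |
    Where-Object { "$($_.Services)" -match 'IIS' } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw 'No certificate is enabled for IIS.' }

# Subject CN and the SAN list as plain strings.
$names = @($cert.CertificateDomains | ForEach-Object { "$_" })
$cn = ''
if ($cert.Subject -match 'CN=([^,]+)') { $cn = $Matches[1].Trim() }

# EXPR provider: strip the "msstd:" prefix to get the expected principal name.
# Assumption: Outlook compares this name with the certificate subject, and
# falls back to the Outlook Anywhere host name when the value is not set.
$expr = Get-OutlookProvider -Identity EXPR
$principal = "$($expr.CertPrincipalName)" -replace '^msstd:', ''
$oaHost = "$($oa.ExternalHostname)"
if (-not $principal) { $principal = $oaHost }

$checks = @(
    @{ Check = 'Autodiscover name is on the certificate'
       Value = "autodiscover.$smtpDomain"
       Pass  = ($names -contains "autodiscover.$smtpDomain") },
    @{ Check = 'Outlook Anywhere host is on the certificate'
       Value = $oaHost
       Pass  = ($names -contains $oaHost) },
    @{ Check = 'msstd principal matches certificate subject CN'
       Value = "$principal vs $cn"
       Pass  = ($principal -eq $cn) },
    @{ Check = 'Certificate has not expired'
       Value = $cert.NotAfter
       Pass  = ($cert.NotAfter -gt (Get-Date)) }
)
$checks | ForEach-Object { New-Object PSObject -Property $_ } |
    Format-Table Check, Value, Pass -AutoSize
```

A `False` on the msstd row corresponds to the situation the asker corrected with `set-outlookprovider`, where the Outlook Anywhere host name and the certificate subject differ.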