  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1284

Exchange 2010 Outlook Anywhere not working

Need help with configuring Outlook Anywhere.

I have the certs set up and went through the typical setup, but it is not working.

I have a UCC Cert with the following domain names:
outlook.company.com ==> for outlookanywhere
email.company.com ==> owa
autodiscover.company.com

all three names are configured on ExchGateway.company.local which is the CAS/HUB Role.

set all configs via
enable-outlookanywhere
set-outlookprovider
and tested via testexchangeconnectivity.com

test results intermittently work.
0
Asked by: jetli87

AkhaterCommented:
go to https://www.testexchangeconnectivity.com/ and run the test, then paste the results
0
 
endital1097Commented:
Will be online tonight if not resolved
0
 
jetli87Author Commented:
ok, everything isn't working because my autodiscover is not configured properly.

I had run the test locally on the network and it works fine, but obviously remotely it doesn't, so that has been throwing me off.

Here's the result of autodiscover test:


 Attempting to test Autodiscover for exch2010@company.com 
  Testing Autodiscover failed. 
   Test Steps 
   ExRCA is attempting each method of contacting the Autodiscover service. 
  The Autodiscover service couldn't be contacted successfully by any method. 
   Test Steps 
   Attempting to test potential AutoDiscover URL https://company.com/AutoDiscover/AutoDiscover.xml 
  Testing of this potential Autodiscover URL failed. 
   Test Steps 
   Attempting to resolve the host name company.com in DNS. 
  Host successfully resolved 
   Additional Details 
  IP(s) returned: 74.s.x.149 
 
 Testing TCP Port 443 on host company.com to ensure it is listening and open. 
  The port was opened successfully. 
 ExRCA is testing the SSL certificate to make sure it's valid. 
  The SSL certificate failed one or more certificate validation checks. 
   Test Steps 
   The certificate name is being validated. 
  Certificate name validation failed. 
   Tell me more about this issue and how to resolve it 
   Additional Details 
  Host name company.com does not match any name found on the server certificate CN=mail.company.com, OU=Domain Control Validated, O=mail.company.com 
 
 
 
 
 
 Attempting to test potential AutoDiscover URL https://autodiscover.company.com/AutoDiscover/AutoDiscover.xml 
  Testing of this potential Autodiscover URL failed. 
   Test Steps 
   Attempting to resolve the host name autodiscover.company.com in DNS. 
  Host successfully resolved 
   Additional Details 
  IP(s) returned: 74.x.x.158 
 
 Testing TCP Port 443 on host autodiscover.company.com to ensure it is listening and open. 
  The port was opened successfully. 
 ExRCA is testing the SSL certificate to make sure it's valid. 
  The certificate passed all validation requirements. 
   Test Steps 
   The certificate name is being validated. 
  Successfully validated the certificate name 
   Additional Details 
  Found hostname autodiscover.company.com in Certificate Subject Alternative Name entry 
 
 Certificate trust is being validated. 
  The test passed with some warnings encountered. Please expand the additional details. 
   Additional Details 
  Only able to build certificate chain when using the Root Certificate Update functionality from Windows Update. Your server may not be properly configured to send down the required intermediate certificates to complete the chain. Consult the certificate installation instructions or FAQ's from your Certificate Authority for more information. 
 
 The certificate date is being confirmed to ensure the certificate is valid. 
  Date validation passed. The certificate hasn't expired. 
   Additional Details 
  Certificate is valid: NotBefore = 9/8/2010 2:07:56 AM, NotAfter = 9/8/2012 2:07:56 AM" 
 
 
 
 The IIS configuration is being checked for client certificate authentication. 
  Client certificate authentication wasn't detected. 
   Additional Details 
  Accept/Require Client Certificates not configured. 
 
 ExRCA is attempting to send an Autodiscover POST request to potential Autodiscover URLs. 
  Autodiscover settings weren't obtained when the Autodiscover POST request was sent. 
   Test Steps 
   Attempting to Retrieve XML AutoDiscover Response from url https://autodiscover.company.com/AutoDiscover/AutoDiscover.xml for user exch2010@starpointproperties.com 
  Failed to obtain AutoDiscover XML response. 
   Additional Details 
  A Web Exception occurred because an HTTP 401 - Unauthorized response was received from Unknown 
  
 ExRCA is attempting to contact the Autodiscover service using the HTTP redirect method. 
  The attempt to contact Autodiscover using the HTTP Redirect method failed. 
   Test Steps 
   Attempting to resolve the host name autodiscover.company.com in DNS. 
  Host successfully resolved 
   Additional Details 
  IP(s) returned: 74.x.x.158 
 
 Testing TCP Port 80 on host autodiscover.company.com to ensure it is listening and open. 
  The port was opened successfully. 
 Checking Host autodiscover.company.com for an HTTP redirect to AutoDiscover 
  ExRCA failed to get an HTTP redirect response for Autodiscover. 
   Additional Details 
  An HTTP 403 forbidden response was received. The response appears to have come from Unknown. Body is: You do not have permission to view this directory or page. 
 
 
 ExRCA is attempting to contact the Autodiscover service using the DNS SRV redirect method. 
  Failed to contact AutoDiscover using the DNS SRV redirect method. 
   Test Steps 
 
 
 
 
 


0
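
Added example, not part of the thread: the certificate name check behind the two HTTPS results in the report above, sketched in Python. The served certificates are constructed from the report's placeholder names, the UCC certificate's subject CN is an assumption, and the function names are hypothetical.

```python
# Added example (not from the thread). Host names are the thread's placeholders;
# the certificate contents below are constructed from the ExRCA report.
PATH = "/AutoDiscover/AutoDiscover.xml"

def candidate_hosts(smtp_address):
    """Hosts probed over HTTPS, in the order the report shows them."""
    domain = smtp_address.rsplit("@", 1)[1].lower()
    return [domain, "autodiscover." + domain]

def name_matches(host, pattern):
    """Case-insensitive DNS match; '*' only as the entire left-most label."""
    host, pattern = host.lower().rstrip("."), pattern.lower().rstrip(".")
    if pattern.startswith("*."):
        first, _, rest = host.partition(".")
        return bool(first) and rest == pattern[2:]
    return host == pattern

def cert_covers(host, cert):
    """Use SAN dNSName entries when present; fall back to the CN otherwise."""
    names = cert.get("san") or [cert["cn"]]
    return any(name_matches(host, n) for n in names)

def check(smtp_address, served):
    """Return [(url, verdict)] for each candidate, given host -> served cert."""
    results = []
    for host in candidate_hosts(smtp_address):
        cert = served.get(host)
        if cert is None:
            verdict = "no certificate seen"
        elif cert_covers(host, cert):
            verdict = "name ok"
        else:
            verdict = "name mismatch"
        results.append(("https://" + host + PATH, verdict))
    return results

# Constructed from the report: the root domain answers with a single-name cert,
# the autodiscover host with the UCC cert (its subject CN is an assumption).
SERVED = {
    "company.com": {"cn": "mail.company.com", "san": []},
    "autodiscover.company.com": {
        "cn": "email.company.com",
        "san": ["outlook.company.com", "email.company.com", "autodiscover.company.com"],
    },
}

if __name__ == "__main__":
    for url, verdict in check("exch2010@company.com", SERVED):
        print(verdict.ljust(14), url)
```

In the report the name check passes for autodiscover.company.com, so the failure that remains on that URL is the HTTP 401 on the POST request.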
 
endital1097Commented:
Does your cert include either
Domain.com
Autodiscover.domain.com
0
 
AkhaterCommented:
your error is here  

A Web Exception occurred because an HTTP 401 - Unauthorized response was received from Unknown

401 usually means user/pass incorrect

did you try to use user@domain.com or domain\user ?
0
 
jetli87Author Commented:
tried both methods user@domain and domain\user.

For sure the userpass is fine...If I vpn and run the same test, all is well.

The firewall is configured with the right accesslist:  allowing incoming on ports 80 & 443 directed internally to the CAS/Hub Server.

All external DNS entries are pointed to the pub IP which is configured for NAT on the firewall.
0
 
jetli87Author Commented:
yes, forgot to mention autodiscover is included on cert.
0
 
AkhaterCommented:
from outside try to open https://autodiscover.company.com/AutoDiscover/AutoDiscover.xml


what is the reply after you enter user/pass ?
0
 
sunnyc7Commented:
dude @ you are still on mobile.

jetli87 - who hosts your DNS
do they support SRV records ?
autodiscover.domain.com > where does it point to ?
0
 
endital1097Commented:
Cert contains autodiscover so is there an A record in DNS for it
0
 
AkhaterCommented:
@endital1097 @sunnyc7

guys look at the report all is working fine the SANs are fine and the IP are fine it is just failing at

ExRCA is attempting to send an Autodiscover POST request to potential Autodiscover URLs.
  Autodiscover settings weren't obtained when the Autodiscover POST request was sent.
   Test Steps
   Attempting to Retrieve XML AutoDiscover Response from url https://autodiscover.company.com/AutoDiscover/AutoDiscover.xml 
  Failed to obtain AutoDiscover XML response.
   Additional Details
  A Web Exception occurred because an HTTP 401 - Unauthorized response was received from Unknown
0
 
sunnyc7Commented:
akhater point
I was reading from jetli's previous question.

shouldn't it be
https://mail.domain.com/AutoDiscover/AutoDiscover.xml
0
 
endital1097Commented:
Not externally

Is basic authentication enabled
0
 
AkhaterCommented:
if the autodiscover is not set up using SRV records it will indeed be https://autodiscover.company.com/AutoDiscover/AutoDiscover.xml

jetli87 please try to open  https://autodiscover.company.com/AutoDiscover/AutoDiscover.xml  and enter username/pass what is the result
0
 
sunnyc7Commented:
jim I think we did that @jetli's last case - basic and NTLM enabled through set-outlookanywhere.

jetli87 please confirm

get-outlookanywhere | fl
IISauthentication field - is it basic or basic, ntlm
0
 
sunnyc7Commented:
I am out guys.
Akhater your ball.
Jim - get a break.
0
 
jetli87Author Commented:
Sorry, stepped out...will get back to everyone in an hour.
0
 
jetli87Author Commented:
so from the outside, autodiscover.company.com/AutoDiscover/AutoDiscover.xml

will not resolve, though i know it's not dns because autodiscover.company.com goes to IIS page.

internally, the link requests a username/password and I tried the test user credentials via upn or domain/user and can't log in...

IIS Authentication = NTLM

0
 
AkhaterCommented:
from outside autodiscover.company.com/autodiscover/autodiscover.xml does prompt for a user/pass however i don't know the pass to test it

however entering a user/pass should let you login and this is your problem
0
 
AkhaterCommented:
open EMS and run

get-AutodiscoverVirtualDirectory | set-AutodiscoverVirtualDirectory -basicauthentication $true

and run the testexchangeconnectivity again
0
 
jetli87Author Commented:
Quick question, ran

get-autodiscovervirtualdirectory | fl

InternalUrl & External Url are Null - should there be a setting there?
0
 
jetli87Author Commented:
and basicauthentication is already set to true
0
 
AkhaterCommented:
yes they should be NULL it is normal.

can you give me the password of your test user so I can do some tests ?
0
 
Narayan_singhCommented:
ok... make sure there is only basic and Windows authentication selected in the Autodiscover virtual directory and there is no Anonymous authentication selected ... do it from IIS manager and see if you have options for basic and windows authentication; if you do not have them then please install the pre-requisite.

If above things are in place please remove the autodiscover virtual directory and then re-create it.

get-autodiscovervirtualdirectory | remove-autodiscovervirtualdirectory

new-autodiscovervirtualdirectory

and again set the authentication type like I mentioned.

then try to browse
https://localhost/autodiscover/autodiscover.xml
though you get a cert error, just proceed with credentials and you should get error code 600 invalid
if you get that it should work from outside as well

revert.
0
 
endital1097Commented:
when you tried it from the outside you did try https://autodiscover.domain.com/autodiscover/autodiscover.xml

can you post the results for
Get-AutodiscoverVirtualDirectory | fl *Authen*
0
 
jetli87Author Commented:
ok whatever happened, autodiscover test is succeeding right now...Going through other tests.
0
 
Narayan_singhCommented:
cool
0
 
AkhaterCommented:
:) good to know
0
 
endital1097Commented:
it was my return :)
0
 
jetli87Author Commented:
ok so https-rpc is sorta working now.

I had to apply the below for the test to complete successfully on auto config

set-outlookprovider expr -certprincipalname "msstd:email.company.com"

now what's the correct config on outlook?  I can't get it work.

exchange server = outlook.company.com
on Exchange Proxy: outlook.company.com
Authentication = ntlm

when i do checkname, i get prompted for username/pass and I've tried both upn and user/domain but it errors out.
0
 
endital1097Commented:
exchange server is your cas server associated with your mailbox database
get-mailboxdatabase | fl name,rpc*

the proxy is
get-outlookanywhere | fl exter*

authentication = basic
0
 
jetli87Author Commented:
nevermind, got it to work...changed exchange server to local CAS DNS name.

0
 
AkhaterCommented:
Since you have autodiscover there is nothing to configure in outlook it should pick up the config alone
0
 
jetli87Author Commented:
last question, for login credentials on outlookanywhere, does Exchange 2010 accept either UPN or domain/user method?

or can you specify somewhere?

i used UPN and it worked ok.
0
 
AkhaterCommented:
Both should work
0
 
jetli87Author Commented:
is there a way to specify/restrict the login method?
0
 
endital1097Commented:
remove the upn logon name within ad, otherwise no
0
 
jetli87Author Commented:
thanks for everyone's help.

will assign points shortly.
0
 
endital1097Commented:
have a great weekend
0
 
sunnyc7Commented:
Wow. this is resolved. Just came back home.
Stuck in a traffic jam for 1.5 hrs and crossed 2 miles :(
0
 
jetli87Author Commented:
Responses didn't directly resolve the issue but helped lead me to fix it on my own.
0
