Link to home
Create AccountLog in
Avatar of jetli87
jetli87

asked on

Exchange 2010 Outlook Anywhere not working

Need help with configuring Outlook Anywhere.

I have the certs setup and went through typical setup, but is not working.

I have a UCC Cert with the following domain names:
outlook.company.com ==> for outlookanywhere
email.company.com ==> owa
autodiscover.company.com

all three names are configured on ExchGateway.company.local which is the CAS/HUB Role.

set all configs via
enable-outlookwhere
set-outlookprovider
and tested via testexchangeconnectivity.com

test results intermittently work.
ASKER CERTIFIED SOLUTION
Avatar of Akhater
Akhater
Flag of Lebanon image

Link to home
membership
Create an account to see this answer
Signing up is free. No credit card required.
Create Account
Will be online tonite if not resolved
Avatar of jetli87
jetli87

ASKER

ok, everything isn't working because my autodiscover is not configured properly.

I had ran the test locally on the network and it works fine, but obviously remote it doesn't so that has been throwing me off.

Here's the result of autodiscover test:


 Attempting to test Autodiscover for exch2010@company.com 
  Testing Autodiscover failed. 
   Test Steps 
   ExRCA is attempting each method of contacting the Autodiscover service. 
  The Autodiscover service couldn't be contacted successfully by any method. 
   Test Steps 
   Attempting to test potential AutoDiscover URL https://company.com/AutoDiscover/AutoDiscover.xml 
  Testing of this potential Autodiscover URL failed. 
   Test Steps 
   Attempting to resolve the host name company.com in DNS. 
  Host successfully resolved 
   Additional Details 
  IP(s) returned: 74.s.x.149 
 
 Testing TCP Port 443 on host company.com to ensure it is listening and open. 
  The port was opened successfully. 
 ExRCA is testing the SSL certificate to make sure it's valid. 
  The SSL certificate failed one or more certificate validation checks. 
   Test Steps 
   The certificate name is being validated. 
  Certificate name validation failed. 
   Tell me more about this issue and how to resolve it 
   Additional Details 
  Host name company.com does not match any name found on the server certificate CN=mail.company.com, OU=Domain Control Validated, O=mail.company.com 
 
 
 
 
 
 Attempting to test potential AutoDiscover URL https://autodiscover.company.com/AutoDiscover/AutoDiscover.xml 
  Testing of this potential Autodiscover URL failed. 
   Test Steps 
   Attempting to resolve the host name autodiscover.company.com in DNS. 
  Host successfully resolved 
   Additional Details 
  IP(s) returned: 74.x.x.158 
 
 Testing TCP Port 443 on host autodiscover.company.com to ensure it is listening and open. 
  The port was opened successfully. 
 ExRCA is testing the SSL certificate to make sure it's valid. 
  The certificate passed all validation requirements. 
   Test Steps 
   The certificate name is being validated. 
  Successfully validated the certificate name 
   Additional Details 
  Found hostname autodiscover.company.com in Certificate Subject Alternative Name entry 
 
 Certificate trust is being validated. 
  The test passed with some warnings encountered. Please expand the additional details. 
   Additional Details 
  Only able to build certificate chain when using the Root Certificate Update functionality from Windows Update. Your server may not be properly configured to send down the required intermediate certificates to complete the chain. Consult the certificate installation instructions or FAQ's from your Certificate Authority for more information. 
 
 The certificate date is being confirmed to ensure the certificate is valid. 
  Date validation passed. The certificate hasn't expired. 
   Additional Details 
  Certificate is valid: NotBefore = 9/8/2010 2:07:56 AM, NotAfter = 9/8/2012 2:07:56 AM" 
 
 
 
 The IIS configuration is being checked for client certificate authentication. 
  Client certificate authentication wasn't detected. 
   Additional Details 
  Accept/Require Client Certificates not configured. 
 
 ExRCA is attempting to send an Autodiscover POST request to potential Autodiscover URLs. 
  Autodiscover settings weren't obtained when the Autodiscover POST request was sent. 
   Test Steps 
   Attempting to Retrieve XML AutoDiscover Response from url https://autodiscover.company.com/AutoDiscover/AutoDiscover.xml for user exch2010@starpointproperties.com 
  Failed to obtain AutoDiscover XML response. 
   Additional Details 
  A Web Exception occurred because an HTTP 401 - Unauthorized response was received from Unknown 
  
 ExRCA is attempting to contact the Autodiscover service using the HTTP redirect method. 
  The attempt to contact Autodiscover using the HTTP Redirect method failed. 
   Test Steps 
   Attempting to resolve the host name autodiscover.company.com in DNS. 
  Host successfully resolved 
   Additional Details 
  IP(s) returned: 74.x.x.158 
 
 Testing TCP Port 80 on host autodiscover.company.com to ensure it is listening and open. 
  The port was opened successfully. 
 Checking Host autodiscover.company.com for an HTTP redirect to AutoDiscover 
  ExRCA failed to get an HTTP redirect response for Autodiscover. 
   Additional Details 
  An HTTP 403 forbidden response was received. The response appears to have come from Unknown. Body is: You do not have permission to view this directory or page. 
 
 
 ExRCA is attempting to contact the Autodiscover service using the DNS SRV redirect method. 
  Failed to contact AutoDiscover using the DNS SRV redirect method. 
   Test Steps 
 
 
 
 
 

Open in new window

Does your cert include either
Domain.com
Autodiscover.domain.com
your error is here  

A Web Exception occurred because an HTTP 401 - Unauthorized response was received from Unknown

401 usually means user/pass incorrect

did you try to use user@domain.com or domain\user ?
Avatar of jetli87

ASKER

tried both methods user@domain and domain\user.

For sure the userpass is fine...If I vpn and run the same test, all is well.

The firewall is configured with the right accesslist:  allowing incoming on ports 80 & 443 directed internally to the CAS/Hub Server.

All external DNS entries are pointed the pub IP which is configured for NAT on the firewall.
Avatar of jetli87

ASKER

yes, forgot to mention autodiscover is included on cert.
SOLUTION
Link to home
membership
Create an account to see this answer
Signing up is free. No credit card required.
Create Account
dude @ you are still on mobile.

jetli87 - who hosts your DNS
do they support SRV records ?
autodiscover.domain.com > where does it point to ?
Cert contains autodiscover so is there anA record in DNS for it
@endital1097 @sunnyc7

guys look at the report all is working fine the SANs are fine and the IP are fine it is just failing at

ExRCA is attempting to send an Autodiscover POST request to potential Autodiscover URLs.
  Autodiscover settings weren't obtained when the Autodiscover POST request was sent.
   Test Steps
   Attempting to Retrieve XML AutoDiscover Response from url https://autodiscover.company.com/AutoDiscover/AutoDiscover.xml 
  Failed to obtain AutoDiscover XML response.
   Additional Details
  A Web Exception occurred because an HTTP 401 - Unauthorized response was received from Unknown
akhater point
I was reading from jetli's previous question.

shouldnt it be
https://mail.domain.com/AutoDiscover/AutoDiscover.xml
Not externally

Is basic authentication enabled
SOLUTION
Link to home
membership
Create an account to see this answer
Signing up is free. No credit card required.
Create Account
jim I think we did that @jetli's last case - basic and NTLM enabled through set-outlookanywhere.

jetli87 please confirm

set-outlookanywhere | fl
IISauthentication field - is it basic or basic, ntlm
I am out guys.
Akhater your ball.
Jim - get a break.
Avatar of jetli87

ASKER

Sorry, stepped out...will get back to everyone in an hour.
Avatar of jetli87

ASKER

so from the outside, autodiscover.company.com/AutoDiscover/AutoDiscover.xml

will not resolve, though i know it's not dns because autodiscover.company.com goes to IIS page.

internally, the link request for username/password and I tried the test user credentials via upn or domain/user and can't login...

IIS Authentication = NTLM

from outside autodiscover.company.com/autodiscover/autodiscover.xml does prompt for a user/pass however i don't know the pass to test it

however entering a user/pass should let you login and this is your problem
SOLUTION
Link to home
membership
Create an account to see this answer
Signing up is free. No credit card required.
Create Account
Avatar of jetli87

ASKER

Quick question, ran

get-autodiscovervirtualdirectory | fl

InternalUrl & External Url are Null - should there be a setting there?
Avatar of jetli87

ASKER

and basicauthentication is already set to true
yes they should be NULL it is normal.

can you give me the password of your test user so I can do some tests ?
ok... make sure there is only basic and Windows authentication sleceted in Autodiscover virtual directoy and there is no Annonymous authentication sleceted ... do it from IIS manager and see if you have options for basic and windows authentication if you do not have them then please install pre-requisite.

If above things are in place please remove autodiscover virtual directory and the re-create it.

get-autodiscovervirtualdirectory | remove-autodiscovervirtualdirectory

new-autodiscovervirtualdirectory

and again set the authentication tyoe like i mentioned.

then try to browse
https://localhost/autodiscover/autodiscover.xml
though u get cert erro just proceed with credentials and you should get error code 600 invalid
if you get that it should work from outside aswell

revert.
when you tried it from the outside you did try https://autodiscover.domain.com/autodiscover/autodiscover.xml

can you post the results for
Get-AutodiscoverVirtualDirectory | fl *Authen*
Avatar of jetli87

ASKER

ok whatever happened, autodiscover test is succeeding right now...Going through other tests.
:) good to know
it was my return :)
Avatar of jetli87

ASKER

ok so https-rpc is sorta working now.

I had to apply the below for the test to complete successful for on auto config

set-outlookprovider expr -certifedprincipalname "msstd:email.company.com"

now what's the correct config on outlook?  I can't get it work.

exchange server = outlook.company.com
on Exchange Proxy: outlook.company.com
Authenticatoin = ntlm

when i do checkname, i get prompted for username/pass and I've tried both upn and user/domain but it errors out.
SOLUTION
Link to home
membership
Create an account to see this answer
Signing up is free. No credit card required.
Create Account
Avatar of jetli87

ASKER

nevermind, got it to work...changed exchange server to local CAS DNS name.

Since you have autodiscover there is nothing to configure in outlook it should pick up the config alone
Avatar of jetli87

ASKER

last question, for login credentials on outlookanywhere, does Exchange 2010 accept either UPN or domain/user method?

or can you specify somewhere?

i used UPN and it worked ok.
Both should work
Avatar of jetli87

ASKER

is there a way to specify/restrict the login method?
remove the upn logon name within ad, otherwise no
Avatar of jetli87

ASKER

thanks for everyone's help.

will assign points shortly.
have a great weekend
Wow. this is resolved. Just came back home.
Stuck in a traffic jam for 1.5 hrs and crossed 2 miles :(
Avatar of jetli87

ASKER

Responses didn't directly resolved the issue but help lead me to fix it on my own.