Outlook Anywhere failing at Mutual Authentication Principal Name Authentication

I have an Exchange 2010 Server and when I run the remote exchange tester I get the following:

Everything passes except the Mutual name Authentication.  How do I change this in Exchange?


ExRCA is testing RPC/HTTP connectivity.
 The RPC/HTTP test failed.
 Test Steps
 Attempting to test Autodiscover for dstyles@acuotech.com
 Autodiscover was tested successfully.
 Test Steps
 ExRCA is attempting each method of contacting the Autodiscover service.
 The Autodiscover service was tested successfully.
 Test Steps
 Attempting to test potential AutoDiscover URL https://acuotech.com/AutoDiscover/AutoDiscover.xml
 Testing of this potential Autodiscover URL failed.
 Test Steps
 Attempting to resolve the host name acuotech.com in DNS.
 Host successfully resolved
 Additional Details
 IP(s) returned: 173.11.48.82

Testing TCP Port 443 on host acuotech.com to ensure it is listening and open.
 The port was opened successfully.
ExRCA is testing the SSL certificate to make sure it's valid.
 The SSL certificate failed one or more certificate validation checks.
 Test Steps
 The certificate name is being validated.
 Certificate name validation failed.
  Tell me more about this issue and how to resolve it
 Additional Details
 Host name acuotech.com does not match any name found on the server certificate CN=cab.acuotech.com, OU=AcuoXMD Quality Assurance, O=Acuo Technologies, L=Oakdale, S=Minnesota, C=US





Attempting to test potential AutoDiscover URL https://autodiscover.acuotech.com/AutoDiscover/AutoDiscover.xml
 Testing of the Autodiscover URL was successful.
 Test Steps
 Attempting to resolve the host name autodiscover.acuotech.com in DNS.
 Host successfully resolved
 Additional Details
 IP(s) returned: 173.11.47.241

Testing TCP Port 443 on host autodiscover.acuotech.com to ensure it is listening and open.
 The port was opened successfully.
ExRCA is testing the SSL certificate to make sure it's valid.
 The certificate passed all validation requirements.
 Test Steps
 The certificate name is being validated.
 Successfully validated the certificate name
 Additional Details
 Found hostname autodiscover.acuotech.com in Certificate Subject Alternative Name entry

Certificate trust is being validated.
 The certificate is trusted and all certificates are present in the chain.
 Additional Details
 The Certificate chain has be validated up to a trusted root. Root = E=info@valicert.com, CN=http://www.valicert.com/, OU=ValiCert Class 2 Policy Validation Authority, O="ValiCert, Inc.", L=ValiCert Validation Network

The certificate date is being confirmed to ensure the certificate is valid.
 Date validation passed. The certificate hasn't expired.
 Additional Details
 Certificate is valid: NotBefore = 9/10/2010 6:05:59 PM, NotAfter = 9/9/2013 2:08:54 PM"



The IIS configuration is being checked for client certificate authentication.
 Client certificate authentication wasn't detected.
 Additional Details
 Accept/Require Client Certificates not configured.

ExRCA is attempting to send an Autodiscover POST request to potential Autodiscover URLs.
 Successfully Retrieved AutoDiscover Settings by sending AutoDiscover POST.
 Test Steps
 Attempting to Retrieve XML AutoDiscover Response from url https://autodiscover.acuotech.com/AutoDiscover/AutoDiscover.xml for user dstyles@acuotech.com
 The Autodiscover XML response was successfully retrieved.
 Additional Details
 AutoDiscover Account Settings
XML Response:
<?xml version="1.0"?>
<Autodiscover xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
<Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
<User>
<DisplayName>Darren Styles</DisplayName>
<LegacyDN>/o=Acuo Technologies/ou=First Administrative Group/cn=Recipients/cn=darren</LegacyDN>
<DeploymentId>604ec500-e309-4fe1-b296-fe7e7729c149</DeploymentId>
</User>
<Account>
<AccountType>email</AccountType>
<Action>settings</Action>
<Protocol>
<Type>EXCH</Type>
<Server>Exchange.acuotech.com</Server>
<ServerDN>/o=Acuo Technologies/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=EXCHANGE</ServerDN>
<ServerVersion>7380827F</ServerVersion>
<MdbDN>/o=Acuo Technologies/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=EXCHANGE/cn=Microsoft Private MDB</MdbDN>
<ASUrl>https://exchange.acuotech.com/EWS/Exchange.asmx</ASUrl>
<OOFUrl>https://exchange.acuotech.com/EWS/Exchange.asmx</OOFUrl>
<OABUrl>Public Folder</OABUrl>
<UMUrl>https://exchange.acuotech.com/EWS/UM2007Legacy.asmx</UMUrl>
<Port>0</Port>
<DirectoryPort>0</DirectoryPort>
<ReferralPort>0</ReferralPort>
<PublicFolderServer>Exchange.acuotech.com</PublicFolderServer>
<AD>Harley.acuotech.com</AD>
<EwsUrl>https://exchange.acuotech.com/EWS/Exchange.asmx</EwsUrl>
<EcpUrl>https://exchange.acuotech.com/ecp</EcpUrl>
<EcpUrl-um>?p=customize/voicemail.aspx&amp;exsvurl=1</EcpUrl-um>
<EcpUrl-aggr>?p=personalsettings/EmailSubscriptions.slab&amp;exsvurl=1</EcpUrl-aggr>
<EcpUrl-mt>PersonalSettings/DeliveryReport.aspx?exsvurl=1&amp;IsOWA=&lt;IsOWA&gt;&amp;MsgID=&lt;MsgID&gt;&amp;Mbx=&lt;Mbx&gt;</EcpUrl-mt>
<EcpUrl-sms>?p=sms/textmessaging.slab&amp;exsvurl=1</EcpUrl-sms>
</Protocol>
<Protocol>
<Type>EXPR</Type>
<Server>mail.acuotech.com</Server>
<ASUrl>https://mail.acuotech.com/EWS/Exchange.asmx</ASUrl>
<OOFUrl>https://mail.acuotech.com/EWS/Exchange.asmx</OOFUrl>
<OABUrl>Public Folder</OABUrl>
<UMUrl>https://mail.acuotech.com/EWS/UM2007Legacy.asmx</UMUrl>
<Port>0</Port>
<DirectoryPort>0</DirectoryPort>
<ReferralPort>0</ReferralPort>
<SSL>On</SSL>
<AuthPackage>Basic</AuthPackage>
<EwsUrl>https://mail.acuotech.com/EWS/Exchange.asmx</EwsUrl>
<EcpUrl>https://mail.acuotech.com/ecp</EcpUrl>
<EcpUrl-um>?p=customize/voicemail.aspx&amp;exsvurl=1</EcpUrl-um>
<EcpUrl-aggr>?p=personalsettings/EmailSubscriptions.slab&amp;exsvurl=1</EcpUrl-aggr>
<EcpUrl-mt>PersonalSettings/DeliveryReport.aspx?exsvurl=1&amp;IsOWA=&lt;IsOWA&gt;&amp;MsgID=&lt;MsgID&gt;&amp;Mbx=&lt;Mbx&gt;</EcpUrl-mt>
<EcpUrl-sms>?p=sms/textmessaging.slab&amp;exsvurl=1</EcpUrl-sms>
</Protocol>
<Protocol>
<Type>WEB</Type>
<Port>0</Port>
<DirectoryPort>0</DirectoryPort>
<ReferralPort>0</ReferralPort>
<Internal>
<OWAUrl AuthenticationMethod="Basic, Fba">https://exchange.acuotech.com/owa/</OWAUrl>
<Protocol>
<Type>EXCH</Type>
<ASUrl>https://exchange.acuotech.com/EWS/Exchange.asmx</ASUrl>
</Protocol>
</Internal>
<External>
<OWAUrl AuthenticationMethod="Fba">https://mail.acuotech.com/owa/</OWAUrl>
<Protocol>
<Type>EXPR</Type>
<ASUrl>https://mail.acuotech.com/EWS/Exchange.asmx</ASUrl>
</Protocol>
</External>
</Protocol>
</Account>
</Response>
</Autodiscover>









Autodiscover settings for Outlook Anywhere are being validated.
 Outlook Anywhere Autodiscover Settings validated
Attempting to resolve the host name mail.acuotech.com in DNS.
 Host successfully resolved
 Additional Details
 IP(s) returned: 173.11.47.241

Testing TCP Port 443 on host mail.acuotech.com to ensure it is listening and open.
 The port was opened successfully.
ExRCA is testing the SSL certificate to make sure it's valid.
 The certificate passed all validation requirements.
 Test Steps
 The certificate name is being validated.
 Successfully validated the certificate name
 Additional Details
 Found hostname mail.acuotech.com in Certificate Subject Alternative Name entry

Certificate trust is being validated.
 The certificate is trusted and all certificates are present in the chain.
 Additional Details
 The Certificate chain has be validated up to a trusted root. Root = E=info@valicert.com, CN=http://www.valicert.com/, OU=ValiCert Class 2 Policy Validation Authority, O="ValiCert, Inc.", L=ValiCert Validation Network

The certificate date is being confirmed to ensure the certificate is valid.
 Date validation passed. The certificate hasn't expired.
 Additional Details
 Certificate is valid: NotBefore = 9/10/2010 6:05:59 PM, NotAfter = 9/9/2013 2:08:54 PM"



The IIS configuration is being checked for client certificate authentication.
 Client certificate authentication wasn't detected.
 Additional Details
 Accept/Require Client Certificates not configured.

Testing Http Authentication Methods for URL https://mail.acuotech.com/rpc/rpcproxy.dll
 The HTTP authentication methods are correct.
 Additional Details
 Found all expected authentication methods and no disallowed methods. Methods Found: Basic

SSL mutual authentication with the RPC proxy server is being tested.
 Verification of mutual authentication failed.
  Tell me more about this issue and how to resolve it
 Additional Details
 The certificate common name acuotech.com, doesn't validate against Mutual Authentication string provided msstd:mail.acuotech.com
stacystyles Asked:

endital1097 Commented:
Check the authentication settings for the rpc vdir.
Make sure that anonymous is disabled plus basic and windows integrated enabled.
0
endital1097 Commented:
Also run and post results:
Get-OutlookProvider EXPR | fl

Take a look at this article too:
http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_3704-Troubleshooting-Outlook-Certificate-Errors.html
0
stacystyles Author Commented:
Windows Integrated was not enabled and now is.  Here are the results.



Untitled.jpg
0

endital1097 Commented:
Check your certificate for subject names and the Get-AutodiscoverVirtualDirectory results (in article).
0

stacystyles Author Commented:
Here is what I get.
Untitled2.jpg
0
endital1097 Commented:
Set-OutlookProvider EXPR -CertPrincipalName msstd:acuotech.com
0
Admin_AaenMaas Commented:
I've found a solution to the mysterious automatic setting of the "mutual authentication" checkbox, also known as "Only connect to proxy servers that have this principal name in their certificate". It will get set to msstd:servername if you leave the CertPrincipalName blank. When you have multiple CAS servers, this check box will screw with your users, and you get a box asking for your credentials.

The answer is to set the CertPrincipalName to "none". (Not blank or Null). The commands are:

>Set-OutlookProvider EXPR -Server 'site1cas01.company.com' -CertPrincipalName none
>Set-OutlookProvider EXPR -Server $null

This sets the proxy CertPrincipalName to none, and then removes the server setting from the OutlookProvider, so multiple servers can be used. Once you set this to 'none', Outlook autodiscover will no longer check that stupid checkbox anymore.

I'm posting this here in hopes that all of my weeks of pain and suffering can be used to help all the others I've found on the internet with this same problem.
0
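Added example, not part of the thread and not Exchange's own code: a small PowerShell check that compares an EXPR provider CertPrincipalName value with the subject CN of the certificate, covering the three settings discussed in the two answers above (blank, msstd:acuotech.com, none). The function name Test-MsstdPrincipal and its result labels are hypothetical, and treating a blank value as msstd:<host name> follows the description in the comment above.

```powershell
# Added example, not from the thread. Inputs on a real server come from:
#   Get-OutlookProvider EXPR | fl CertPrincipalName
#   Get-ExchangeCertificate | fl Subject,CertificateDomains,Services
# Written without PowerShell 3.0+ syntax so it also runs in the
# Exchange 2010 Management Shell.
function Test-MsstdPrincipal {          # hypothetical helper name
    param(
        [Parameter(Mandatory=$true)][string]$Subject,   # certificate Subject DN
        [string]$CertPrincipalName = '',                # EXPR provider value
        [string]$ProxyHost = ''                         # Outlook Anywhere host name
    )
    $r = New-Object PSObject -Property @{ CommonName = $null; Effective = $null; Result = $null }

    # The check uses the subject CN only; as in the ExRCA output above, a SAN
    # entry for the host does not satisfy it.
    # (Simple parse: assumes the CN itself contains no comma.)
    if ($Subject -match '(?:^|,\s*)CN=([^,]+)') { $r.CommonName = $Matches[1].Trim() }
    else { $r.Result = 'NoCommonName'; return $r }

    # 'none' is the value the thread uses to stop Outlook enabling the check.
    if ($CertPrincipalName -eq 'none') { $r.Result = 'CheckDisabled'; return $r }

    # Assumption taken from the thread: a blank value becomes msstd:<host>.
    if ($CertPrincipalName.Trim() -eq '') { $r.Effective = "msstd:$ProxyHost" }
    else { $r.Effective = $CertPrincipalName.Trim() }

    if ($r.Effective -match '^msstd:(.+)$') {
        # -eq on strings is case-insensitive; a wildcard CN such as
        # *.example.com is compared literally here, not expanded.
        if ($Matches[1] -eq $r.CommonName) { $r.Result = 'Match' } else { $r.Result = 'Mismatch' }
    } else {
        $r.Result = 'BadFormat'
    }
    return $r
}

# Constructed input: only the CN that ExRCA reported for mail.acuotech.com.
$subject = 'CN=acuotech.com'
foreach ($value in '', 'msstd:acuotech.com', 'none') {
    Test-MsstdPrincipal -Subject $subject -CertPrincipalName $value -ProxyHost 'mail.acuotech.com' |
        Select-Object Effective, CommonName, Result
}
```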
CoSmismgr Commented:
Admin_AaenMaas THANK YOU!! This was driving me insane. Your solution did the trick for my XP + Outlook 2007/2010 clients constantly getting prompted for credentials and unable to connect to E2K13 CAS with E2K7 server co-existence. Some simple migration documentation as to this effect would have been nice Microsoft...
0

Question has a verified solution.
