Solved

Outlook Anywhere 2007 - always get prompted for credentials and cannot connect ?

Posted on 2011-02-20
Last Modified: 2012-08-13
Hi All,

I'm trying to publish my Exchange Server 2007 SP1 Outlook Anywhere feature, but how come I can only reach the stage where my Outlook client gets prompted for credentials and can never log in?

I've made sure that the URL in https is the same as my ActiveSync as well, since we are already opening port 443, and the SSL SAN certificate already has:
activesync.domain.com
autodiscover.domain.com

Any help please ?

Thanks
0
Question by:jjoz
14 Comments
 
LVL 13

Accepted Solution

by:
Mohamed ElManakhly earned 250 total points
ID: 34937042
Have you installed the client certificate on the machine connecting to the Exchange server?
Are you using Basic authentication?

If you are publishing on ISA Server, make sure you follow the article below for configuring ISA Server to publish the Outlook Anywhere service.
http://www.msexchange.org/tutorials/Outlook-Anywhere-2007-ISA-Server-2006.html
0
 
LVL 1

Author Comment

by:jjoz
ID: 34937059
have you installed the Client certificate on the machine connecting to the exchange server ?

Oh, I didn't know about that ? I assume that this is the same certificate as the one that I use with my OWA (Thawte) so I don't install it.

I'm using Forefront TMG 2010 so is that still relevant ?
0
 
LVL 1

Author Comment

by:jjoz
ID: 34937065
But then I get this error from my browser if I go to activesync.domain.com/rpc:

Technical Information (for support personnel)

Error Code: 403 Forbidden. The server denied the specified Uniform Resource Locator (URL). Contact the server administrator. (12202)
0
 
LVL 23

Expert Comment

by:Suliman Abu Kharroub
ID: 34937108
Fix it internally, then externally...

The SAN certificate should have the following names:

mail.domain.com (where the MX points to mail.domain.com)
autodiscover.domain.com
server-name (NetBIOS name, for example server2)

How did you configure Outlook Anywhere on the server side?

0
 
LVL 13

Expert Comment

by:Mohamed ElManakhly
ID: 34937111
I see. Yes, it's the same certificate; no need for an additional one.

And yes, the configuration for ISA Server in this article is still valid for TMG Server. Please verify it:
http://www.msexchange.org/tutorials/Outlook-Anywhere-2007-ISA-Server-2006.html
0
 
LVL 1

Expert Comment

by:trial1982
ID: 34937114
By posting this, I do hope that it will lead you to finding your answers. I'm trying to lead you.

1. What is the architecture of your Exchange setup?

2. What is the URL of OWA and the URL used to publish and enable Outlook Anywhere?

3. What is the common name of the public certificate?

4. Have you imported the public certificate to your TMG 2010?

5. Have you created the web listener for Outlook Anywhere correctly to match the certificate?

6. Please test using https://www.testexchangeconnectivity.com and tell us errors shown
0
 
LVL 1

Author Comment

by:jjoz
ID: 34939494
here's the result guys,

Does that mean I need to register autodiscover.domain.com with my ISP and ask them to have an SRV entry as well?
Testing RPC/HTTP connectivity.
 	The RPC/HTTP test failed.
 	
	Test Steps
 	
	ExRCA is attempting to test Autodiscover for bigboss@domain.com.
 	Testing Autodiscover failed.
 	
	Test Steps
 	
	Attempting each method of contacting the Autodiscover service.
 	The Autodiscover service couldn't be contacted successfully by any method.
 	
	Test Steps
 	
	Attempting to test potential Autodiscover URL https://domain.com/AutoDiscover/AutoDiscover.xml
 	Testing of this potential Autodiscover URL failed.
 	
	Test Steps
 	
	Attempting to resolve the host name domain.com in DNS.
 	The host name resolved successfully.
 	
	Additional Details
 	IP addresses returned: 203.5.75.110
	Testing TCP port 443 on host domain.com to ensure it's listening and open.
 	The specified port is either blocked, not listening, or not producing the expected response.
 	 Tell me more about this issue and how to resolve it
 	
	Additional Details
 	A network error occurred while communicating with the remote host.
Exception details:
Message: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 203.5.75.110:443
Type: System.Net.Sockets.SocketException
Stack trace:
at System.Net.Sockets.TcpClient.Connect(String hostname, Int32 port)
at Microsoft.Exchange.Tools.ExRca.Tests.TcpPortTest.PerformTestReally()
	Attempting to test potential Autodiscover URL https://autodiscover.domain.com/AutoDiscover/AutoDiscover.xml
 	Testing of this potential Autodiscover URL failed.
 	
	Test Steps
 	
	Attempting to resolve the host name autodiscover.domain.com in DNS.
 	The host name couldn't be resolved.
 	 Tell me more about this issue and how to resolve it
 	
	Additional Details
 	Host autodiscover.domain.com couldn't be resolved in DNS Exception details:
Message: The requested name is valid, but no data of the requested type was found
Type: System.Net.Sockets.SocketException
Stack trace:
at System.Net.Dns.GetAddrInfo(String name)
at System.Net.Dns.InternalGetHostByName(String hostName, Boolean includeIPv6)
at System.Net.Dns.GetHostAddresses(String hostNameOrAddress)
at Microsoft.Exchange.Tools.ExRca.Tests.ResolveHostTest.PerformTestReally()
.
	Attempting to contact the Autodiscover service using the HTTP redirect method.
 	The attempt to contact Autodiscover using the HTTP Redirect method failed.
 	
	Test Steps
 	
	Attempting to resolve the host name autodiscover.domain.com in DNS.
 	The host name couldn't be resolved.
 	 Tell me more about this issue and how to resolve it
 	
	Additional Details
 	Host autodiscover.domain.com couldn't be resolved in DNS Exception details:
Message: The requested name is valid, but no data of the requested type was found
Type: System.Net.Sockets.SocketException
Stack trace:
at System.Net.Dns.GetAddrInfo(String name)
at System.Net.Dns.InternalGetHostByName(String hostName, Boolean includeIPv6)
at System.Net.Dns.GetHostAddresses(String hostNameOrAddress)
at Microsoft.Exchange.Tools.ExRca.Tests.ResolveHostTest.PerformTestReally()
.
	Attempting to contact the Autodiscover service using the DNS SRV redirect method.
 	ExRCA failed to contact the Autodiscover service using the DNS SRV redirect method.
 	
	Test Steps
 	
	Attempting to locate SRV record _autodiscover._tcp.domain.com in DNS.
 	The Autodiscover SRV record wasn't found in DNS.
 	 Tell me more about this issue and how to resolve it


0

 
LVL 13

Expert Comment

by:Mohamed ElManakhly
ID: 34940451
Yes brother, you need to have:

1- (A) Record mail.company.com
2- (MX) Record that points to mail.company.com
3- (CNAME) Record for autodiscover.company.com that points to the IP address used for publishing the autodiscover (Probably the same IP of the above 'A' record mail.company.com).
4- I would also recommend creating a (PTR) Record for mail.company.com
0
 
LVL 23

Assisted Solution

by:Suliman Abu Kharroub
Suliman Abu Kharroub earned 250 total points
ID: 34940979
@M-Manakhly:
>>"3- (CNAME) Record for autodiscover.company.com that points to the IP address used for publishing the autodiscover (Probably the same IP of the above 'A' record mail.company.com)."

A CNAME cannot point to an IP address, only to a hostname, so an A record is more suitable for Autodiscover.

Autodiscover uses one of these methods to work the right way:
1. SCP (service connection point), only for domain-joined PCs. Simply, the client machine asks Active Directory about the Autodiscover service.
2. A record (autodiscover.domain.com).
3. SRV record.

http://technet.microsoft.com/en-us/library/bb332063(EXCHG.80).aspx

I recommend creating the A record, which is the easiest way.

And as "M-Manakhly" said: creating a PTR record is very important for a mail server (to prevent listing on spam lists).
0
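Added example, not part of the original answers: a small Python check that applies the two points above (a CNAME must target a hostname, and Autodiscover needs a resolvable autodiscover A record or an `_autodiscover._tcp` SRV record) to a planned record set before it is sent to the DNS host. The zones, `example.com` names, the 203.0.113.10 address and the function names are constructed for illustration; it inspects record data only and does not test port 443 or the certificate.

```python
import ipaddress

# Constructed sample zones: (type, owner, data). Names and addresses are placeholders.
PROPOSED = [
    ("A", "mail.example.com", "203.0.113.10"),
    ("MX", "example.com", "10 mail.example.com"),
    ("CNAME", "autodiscover.example.com", "203.0.113.10"),  # CNAME to an IP
]
CORRECTED = [
    ("A", "mail.example.com", "203.0.113.10"),
    ("MX", "example.com", "10 mail.example.com"),
    ("A", "autodiscover.example.com", "203.0.113.10"),
    ("SRV", "_autodiscover._tcp.example.com", "0 0 443 mail.example.com"),
]

def is_ip(value):  # True for an IPv4/IPv6 literal, False for a hostname
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def resolve(zone, name, depth=0):
    """Follow CNAMEs inside the given record list until an A record is found."""
    name = name.lower().rstrip(".")
    for rtype, owner, data in zone:
        if owner.lower() != name:
            continue
        if rtype == "A":
            return data
        if rtype == "CNAME":
            # A CNAME must name another host; an IP literal leads nowhere.
            if is_ip(data) or depth >= 8:
                return None
            return resolve(zone, data, depth + 1)
    return None

def lint_autodiscover(zone, smtp_domain):
    """Report record problems and what the A-record and SRV lookups would return."""
    findings = []
    srv = None
    for rtype, owner, data in zone:
        if rtype == "CNAME" and is_ip(data):
            findings.append(f"{owner}: CNAME points to IP {data}; use an A record")
        if rtype == "MX" and resolve(zone, data.split()[1]) is None:
            findings.append(f"{owner}: MX host {data.split()[1]} has no A record")
        if rtype == "SRV" and owner.lower() == f"_autodiscover._tcp.{smtp_domain}":
            _prio, _weight, port, host = data.split()
            srv = (host, int(port), resolve(zone, host))
            if srv[2] is None:
                findings.append(f"{owner}: SRV host {host} does not resolve")
    auto_ip = resolve(zone, f"autodiscover.{smtp_domain}")
    if auto_ip is None and srv is None:
        findings.append("no working autodiscover A record or SRV record")
    return {"findings": findings, "autodiscover_ip": auto_ip, "srv": srv}

if __name__ == "__main__":
    for label, zone in (("proposed", PROPOSED), ("corrected", CORRECTED)):
        print(label, lint_autodiscover(zone, "example.com"))
```
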
 
LVL 13

Expert Comment

by:Mohamed ElManakhly
ID: 34941047
@Sulimanw thanks for the correction, mate
0
 
LVL 1

Author Comment

by:jjoz
ID: 34975465
OK, here's the update after running Test-OutlookWebServices on my CAS server. I don't know why it gets an HTTP 500 error, even in my browser using https as well?

Is it supposed to be happening?
Id        Type Message                                                       
  --        ---- -------                                                       
1003 Information About to test AutoDiscover with the e-mail address Administrator@domain.com.                                                    
1007 Information Testing server Excas02-VM.domainad.com with the published name https://Excas02-vm.domainad.com/EWS/Exchange.asmx & .      
1019 Information Found a valid AutoDiscover service connection point. The AutoDiscover URL on this object is https://Excas02-VM.domainad.com/Autodiscover/Autodiscover.xml.                               
1006 Information The Autodiscover service was contacted at https://Excas02-VM.domainad.com/Autodiscover/Autodiscover.xml.                   
1016     Success [EXCH]-Successfully contacted the AS service at https://Excas02-vm.domainad.com/EWS/Exchange.asmx. The elapsed time was 46 milliseconds.                                                 
1015     Success [EXCH]-Successfully contacted the OAB service at https://Excas02-vm.domainad.com/EWS/Exchange.asmx. The elapsed time was 0 milliseconds.                                                 
1014     Success [EXCH]-Successfully contacted the UM service at https://Excas02-vm.domainad.com/UnifiedMessaging/Service.asmx. The elapsed time was 0 milliseconds.                                      
1016 Information [EXPR]-The AS is not configured for this user.                
1015 Information [EXPR]-The OAB is not configured for this user.               
1014 Information [EXPR]-The UM is not configured for this user.                
1013       Error When contacting https://mailsync.domain.com/Rpc received the error The remote server returned an error: (500) Internal Server Error.                                                   
1017       Error [EXPR]-Error when contacting the RPC/HTTP service at https://mailsync.domain.com/Rpc. The elapsed time was 31 milliseconds.                                                            
1006     Success The Autodiscover service was tested successfully.             
1021 Information The following web services generated errors.                  
                     Contacting server in EXPR                                 
                 Please use the prior output to diagnose and correct the errors


0
 
LVL 1

Author Comment

by:jjoz
ID: 35090594
Yes, I have now added Autodiscover as a CNAME to my ExCAS02 server in both the external and internal DNS servers; however, this is now the final boss to defeat:

Checking the IIS configuration for client certificate authentication.
 	Client certificate authentication was detected.
 	
	Additional Details
 	Accept/Require client certificates were found. Set the IIS configuration to Ignore Client Certificates if you aren't using this type of authentication.



Any idea of what might be the cause of this problem?

Should I make all authentication Basic in Exchange CAS, IIS 7.0 and TMG 2010?
0
 
LVL 1

Author Comment

by:jjoz
ID: 35091819
Here are the settings of the Virtual directories that I have set at the moment:

OWA works internally
Activesync works both ways
OutlookAnywhere totally broken ?
"OutlookAnywhere"
Server      Identity                           SSLOffloading ClientAuthenticationMethod IISAuthenticationMethods
------      --------                           ------------- -------------------------- ------------------------
ExCAS02 ExCAS02\Rpc (Default Web Site)          True                      Basic {Basic}                 
ExCAS03 ExCAS03\Rpc (Default Web Site)          True                      Basic {Basic}                 

"AutodiscoverVirtualDirectory"
Server      Identity                                    InternalUrl ExternalUrl InternalAuthenticationMethods    ExternalAuthenticationMethods    BasicAuthentication DigestAuthentication WindowsAuthentication
------      --------                                    ----------- ----------- -----------------------------    -----------------------------    ------------------- -------------------- ---------------------
ExCAS02 ExCAS02\Autodiscover (Default Web Site)                                 {Basic, Ntlm, WindowsIntegrated} {Basic, Ntlm, WindowsIntegrated}                True                False                  True
ExCAS03 ExCAS03\Autodiscover (Default Web Site)                                 {Basic, Ntlm, WindowsIntegrated} {Basic, Ntlm, WindowsIntegrated}                True                False                  True
ExCAS02-DR ExCAS02-DR\Autodiscover (Default Web Site)                           {Basic, Ntlm, WindowsIntegrated} {Basic, Ntlm, WindowsIntegrated}                True                False                  True

"WebServicesVirtualDirectory"
Server      Identity                           InternalNLBBypassUrl                               InternalUrl                                        ExternalUrl InternalAuthenticationMethods ExternalAuthenticationMethods BasicAuthentication DigestAuthentication WindowsAuthentication
------      --------                           --------------------                               -----------                                        ----------- ----------------------------- ----------------------------- ------------------- -------------------- ---------------------
ExCAS02 ExCAS02\EWS (Default Web Site)         https://ExCAS02.domainad.com/ews/exchange.asmx https://ExCAS02.domainad.com/EWS/Exchange.asmx                     {Ntlm, WindowsIntegrated}     {Ntlm, WindowsIntegrated}                   False                False                  True
ExCAS03 ExCAS03\EWS (Default Web Site)         https://ExCAS03.domainad.com/ews/exchange.asmx https://ExCAS03.domainad.com/EWS/Exchange.asmx                     {Ntlm, WindowsIntegrated}     {Ntlm, WindowsIntegrated}                   False                False                  True
ExCAS02-DR ExCAS02-DR\EWS (Default Web Site)   https://ExCAS02-DR.domainad.com/ews/exchange.asmx https://ExCAS02-DR.domainad.com/EWS/Exchange.asmx               {Ntlm, WindowsIntegrated}     {Ntlm, WindowsIntegrated}                   False                False                  True

"OabVirtualDirectory"
Server      Identity                           InternalUrl                         ExternalUrl InternalAuthenticationMethods ExternalAuthenticationMethods
------      --------                           -----------                         ----------- ----------------------------- -----------------------------
ExCAS02 ExCAS02\OAB (Default Web Site)         http://ExCAS02.domainad.com/OAB                 {WindowsIntegrated}           {WindowsIntegrated}          
ExCAS03 ExCAS03\OAB (Default Web Site)         http://ExCAS03.domainad.com/OAB                 {WindowsIntegrated}           {WindowsIntegrated}          
ExCAS02-DR ExCAS02-DR\OAB (Default Web Site)   http://ExCAS02-DR.domainad.com/OAB              {WindowsIntegrated}           {WindowsIntegrated}          

"ActiveSyncVirtualDirectory"
Server      Identity                                                   InternalUrl                                                  ExternalUrl                                                MobileClientCertificateAuthorityURL BasicAuthEnabled WindowsAuthEnabled ClientCertAuth InternalAuthenticationMethods ExternalAuthenticationMethods
------      --------                                                   -----------                                                  -----------                                                ----------------------------------- ---------------- ------------------ -------------- ----------------------------- -----------------------------
ExCAS02 ExCAS02\Microsoft-Server-ActiveSync (Default Web Site)         https://ExCAS02.domainad.com/Microsoft-Server-ActiveSync     https://Activesync.domain.com/Microsoft-Server-ActiveSync                                                False               True         Ignore {}                            {}                           
ExCAS03 ExCAS03\Microsoft-Server-ActiveSync (Default Web Site)         https://ExCAS03.domainad.com/Microsoft-Server-ActiveSync     https://Activesync.domain.com/Microsoft-Server-ActiveSync                                                 True              False       Required {}                            {}                           
ExCAS02-DR ExCAS02-DR\Microsoft-Server-ActiveSync (Default Web Site)   https://ExCAS02-DR.domainad.com/Microsoft-Server-ActiveSync  https://Activesync.domain.com/Microsoft-Server-ActiveSync                                                 True              False       Required {}                            {}


0
 
LVL 1

Author Comment

by:jjoz
ID: 35091927
and here's the IIS 7 on Windows Server 2008 settings:
Autodiscover
	Authentication Enabled: Basic, Windows
	SSL Settings: Require SSL, Require 128-bit SSL
		Client Certificates: Ignore

Microsoft-Server-ActiveSync
	Authentication Enabled: Windows
	SSL Settings: Require SSL, Require 128-bit SSL
		Client Certificates: Ignore

Rpc
	Authentication Enabled: Basic
	SSL Settings: (None checked)
		Client Certificates: Ignore

RpcWithCert
	Authentication Enabled: (None Enabled)
	SSL Settings: Require SSL, Require 128-bit SSL
		Client Certificates: Ignore


0
