jjoz asked:

Outlook Anywhere 2007 - always get prompted for credentials and cannot connect ?

Hi All,

I'm trying to publish my Exchange Server 2007 SP1 Outlook Anywhere feature, but how come I can only reach the stage where my Outlook client gets prompted for credentials and can never log in?

I've made sure that the url in https is the same as my Activesync as well since we are already opening port 443 and SSL - SAN certificate already got:
activesync.domain.com
autodiscover.domain.com

Any help please ?

Thanks
ASKER CERTIFIED SOLUTION
Mohamed ElManakhly

This solution is only available to members.
jjoz (ASKER)

have you installed the Client certificate on the machine connecting to the exchange server ?

Oh, I didn't know about that ? I assume that this is the same certificate as the one that I use with my OWA (Thawte) so I don't install it.

I'm using Forefront TMG 2010 so is that still relevant ?
jjoz (ASKER)

but then I get this error from my browser if I go to the activesync.domain.com/rpc:

Technical Information (for support personnel)

Error Code: 403 Forbidden. The server denied the specified Uniform Resource Locator (URL). Contact the server administrator. (12202)
Suliman Abu Kharroub
Fix it internally then externally...

The SAN certificate should have the following names:

mail.domain.com ( where mx points to mail.domain.com)
autodiscover.domain.com
server-name ( net-bios name, for example server2)

How did you configure outlook anywhere on the server side ?

I see, yes it's the same certificate, no need for an additional one.

And yes, the configuration for the ISA Server in this article is still valid for the TMG Server. Please verify it:
http://www.msexchange.org/tutorials/Outlook-Anywhere-2007-ISA-Server-2006.html
trial1982

By posting this, I do hope that it will lead you in finding your answers. I'm trying to lead you.

1. What is the architecture of your exchange setup?

2. What is the url of owa and url used to publish and enable outlook anywhere?

3. What is the common name of the public certificate?

4. Have you imported the public certificate to your TMG2010?

5. Have you created the web listener for outlookanywhere correctly to match the certificate?

6. Please test using https://www.testexchangeconnectivity.com and tell us errors shown
jjoz (ASKER)

here's the result guys,

does that mean I need to register the autodiscover.domain.com in my ISP and ask them to have SRV entry as well ?
Testing RPC/HTTP connectivity.
 	The RPC/HTTP test failed.
 	
	Test Steps
 	
	ExRCA is attempting to test Autodiscover for bigboss@domain.com.
 	Testing Autodiscover failed.
 	
	Test Steps
 	
	Attempting each method of contacting the Autodiscover service.
 	The Autodiscover service couldn't be contacted successfully by any method.
 	
	Test Steps
 	
	Attempting to test potential Autodiscover URL https://domain.com/AutoDiscover/AutoDiscover.xml
 	Testing of this potential Autodiscover URL failed.
 	
	Test Steps
 	
	Attempting to resolve the host name domain.com in DNS.
 	The host name resolved successfully.
 	
	Additional Details
 	IP addresses returned: 203.5.75.110
	Testing TCP port 443 on host domain.com to ensure it's listening and open.
 	The specified port is either blocked, not listening, or not producing the expected response.
 	 Tell me more about this issue and how to resolve it
 	
	Additional Details
 	A network error occurred while communicating with the remote host.
Exception details:
Message: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 203.5.75.110:443
Type: System.Net.Sockets.SocketException
Stack trace:
at System.Net.Sockets.TcpClient.Connect(String hostname, Int32 port)
at Microsoft.Exchange.Tools.ExRca.Tests.TcpPortTest.PerformTestReally()
	Attempting to test potential Autodiscover URL https://autodiscover.domain.com/AutoDiscover/AutoDiscover.xml
 	Testing of this potential Autodiscover URL failed.
 	
	Test Steps
 	
	Attempting to resolve the host name autodiscover.domain.com in DNS.
 	The host name couldn't be resolved.
 	 Tell me more about this issue and how to resolve it
 	
	Additional Details
 	Host autodiscover.domain.com couldn't be resolved in DNS Exception details:
Message: The requested name is valid, but no data of the requested type was found
Type: System.Net.Sockets.SocketException
Stack trace:
at System.Net.Dns.GetAddrInfo(String name)
at System.Net.Dns.InternalGetHostByName(String hostName, Boolean includeIPv6)
at System.Net.Dns.GetHostAddresses(String hostNameOrAddress)
at Microsoft.Exchange.Tools.ExRca.Tests.ResolveHostTest.PerformTestReally()
.
	Attempting to contact the Autodiscover service using the HTTP redirect method.
 	The attempt to contact Autodiscover using the HTTP Redirect method failed.
 	
	Test Steps
 	
	Attempting to resolve the host name autodiscover.domain.com in DNS.
 	The host name couldn't be resolved.
 	 Tell me more about this issue and how to resolve it
 	
	Additional Details
 	Host autodiscover.domain.com couldn't be resolved in DNS Exception details:
Message: The requested name is valid, but no data of the requested type was found
Type: System.Net.Sockets.SocketException
Stack trace:
at System.Net.Dns.GetAddrInfo(String name)
at System.Net.Dns.InternalGetHostByName(String hostName, Boolean includeIPv6)
at System.Net.Dns.GetHostAddresses(String hostNameOrAddress)
at Microsoft.Exchange.Tools.ExRca.Tests.ResolveHostTest.PerformTestReally()
.
	Attempting to contact the Autodiscover service using the DNS SRV redirect method.
 	ExRCA failed to contact the Autodiscover service using the DNS SRV redirect method.
 	
	Test Steps
 	
	Attempting to locate SRV record _autodiscover._tcp.domain.com in DNS.
 	The Autodiscover SRV record wasn't found in DNS.
 	 Tell me more about this issue and how to resolve it


Yes brother, you need to have:

1- (A) Record mail.company.com
2- (MX) Record that points to mail.company.com
3- (CNAME) Record for autodiscover.company.com that points to the IP address used for publishing the autodiscover (Probably the same IP of the above 'A' record mail.company.com).
4- I would also recommend creating a (PTR) Record for mail.company.com
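
The name and port checks from the ExRCA report, together with the records listed in this answer, can be repeated from an external workstation. The PowerShell below is an added example, not part of the thread; `example.com` is a placeholder domain, and `Resolve-DnsName` assumes Windows 8 / Server 2012 or later.

```powershell
# Added example: repeats the name and port checks from the ExRCA report.
$Domain = 'example.com'   # placeholder, replace with the external SMTP domain

function Test-Tcp443 {
    param([string]$HostName, [int]$TimeoutMs = 5000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($HostName, 443, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($pending)      # throws if the port refused the connection
        return $true
    } catch { return $false } finally { $client.Close() }
}

function Test-AutodiscoverHost {
    param([string]$HostName)
    $row = [ordered]@{ Host = $HostName; Resolves = $false; Addresses = ''; Port443 = $false }
    try {
        $ips = [System.Net.Dns]::GetHostAddresses($HostName)
        $row.Resolves  = $true
        $row.Addresses = ($ips | ForEach-Object { $_.IPAddressToString }) -join ', '
        $row.Port443   = Test-Tcp443 -HostName $HostName
    } catch {
        # Unresolvable name (the SocketException seen in the report): keep the defaults
    }
    [pscustomobject]$row
}

# Same order as the report: root domain first, then the autodiscover host
$Domain, "autodiscover.$Domain" | ForEach-Object { Test-AutodiscoverHost $_ } |
    Format-Table -AutoSize

# MX and SRV lookups; the SRV name is the one the report queried
$srvName = "_autodiscover._tcp.$Domain"
$mx  = Resolve-DnsName -Name $Domain -Type MX -ErrorAction SilentlyContinue |
       Where-Object { $_.Type -eq 'MX' }
$srv = Resolve-DnsName -Name $srvName -Type SRV -ErrorAction SilentlyContinue |
       Where-Object { $_.Type -eq 'SRV' }

if ($mx) { $mx | Select-Object NameExchange, Preference | Format-Table -AutoSize } else { "No MX record for $Domain" }
if ($srv) { $srv | Select-Object NameTarget, Port, Priority | Format-Table -AutoSize } else { "No SRV record at $srvName" }
```

Run it from outside the firewall, since internal DNS may answer differently from the public zone.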
SOLUTION
This solution is only available to members.
@ Sulimanw thanks for the correction mate
jjoz (ASKER)

ok, here's the update after running the test-outlookwebservices on my CAS server, I don't know why it gets error HTTP 500 even on my browser using https as well ?

is it supposed to be happening ?
Id        Type Message                                                       
  --        ---- -------                                                       
1003 Information About to test AutoDiscover with the e-mail address Administrator@domain.com.                                                    
1007 Information Testing server Excas02-VM.domainad.com with the published name https://Excas02-vm.domainad.com/EWS/Exchange.asmx & .      
1019 Information Found a valid AutoDiscover service connection point. The AutoDiscover URL on this object is https://Excas02-VM.domainad.com/Autodiscover/Autodiscover.xml.                               
1006 Information The Autodiscover service was contacted at https://Excas02-VM.domainad.com/Autodiscover/Autodiscover.xml.                   
1016     Success [EXCH]-Successfully contacted the AS service at https://Excas02-vm.domainad.com/EWS/Exchange.asmx. The elapsed time was 46 milliseconds.                                                 
1015     Success [EXCH]-Successfully contacted the OAB service at https://Excas02-vm.domainad.com/EWS/Exchange.asmx. The elapsed time was 0 milliseconds.                                                 
1014     Success [EXCH]-Successfully contacted the UM service at https://Excas02-vm.domainad.com/UnifiedMessaging/Service.asmx. The elapsed time was 0 milliseconds.                                      
1016 Information [EXPR]-The AS is not configured for this user.                
1015 Information [EXPR]-The OAB is not configured for this user.               
1014 Information [EXPR]-The UM is not configured for this user.                
1013       Error When contacting https://mailsync.domain.com/Rpc received the error The remote server returned an error: (500) Internal Server Error.                                                   
1017       Error [EXPR]-Error when contacting the RPC/HTTP service at https://mailsync.domain.com/Rpc. The elapsed time was 31 milliseconds.                                                            
1006     Success The Autodiscover service was tested successfully.             
1021 Information The following web services generated errors.                  
                     Contacting server in EXPR                                 
                 Please use the prior output to diagnose and correct the errors


jjoz (ASKER)

yes, I have now added Autodiscover as CNAME to my ExCAS02 server in both external and internal DNS server, however this is now the final boss to defeat:

Checking the IIS configuration for client certificate authentication.
 	Client certificate authentication was detected.
 	
	Additional Details
 	Accept/Require client certificates were found. Set the IIS configuration to Ignore Client Certificates if you aren't using this type of authentication.



Any idea of what might be the case of this problem ?

Should I make all authentication basic in both Exchange CAS, IIS 7.0 and TMG 2010 ?
jjoz (ASKER)

Here are the settings of the Virtual directories that I have set at the moment:

OWA works internally
Activesync works both ways
OutlookAnywhere totally broken ?
"OutlookAnywhere"
Server      Identity                           SSLOffloading ClientAuthenticationMethod IISAuthenticationMethods
------      --------                           ------------- -------------------------- ------------------------
ExCAS02 ExCAS02\Rpc (Default Web Site)          True                      Basic {Basic}                 
ExCAS03 ExCAS03\Rpc (Default Web Site)          True                      Basic {Basic}                 

"AutodiscoverVirtualDirectory"
Server      Identity                                    InternalUrl ExternalUrl InternalAuthenticationMethods    ExternalAuthenticationMethods    BasicAuthentication DigestAuthentication WindowsAuthentication
------      --------                                    ----------- ----------- -----------------------------    -----------------------------    ------------------- -------------------- ---------------------
ExCAS02 ExCAS02\Autodiscover (Default Web Site)                                 {Basic, Ntlm, WindowsIntegrated} {Basic, Ntlm, WindowsIntegrated}                True                False                  True
ExCAS03 ExCAS03\Autodiscover (Default Web Site)                                 {Basic, Ntlm, WindowsIntegrated} {Basic, Ntlm, WindowsIntegrated}                True                False                  True
ExCAS02-DR ExCAS02-DR\Autodiscover (Default Web Site)                           {Basic, Ntlm, WindowsIntegrated} {Basic, Ntlm, WindowsIntegrated}                True                False                  True

"WebServicesVirtualDirectory"
Server      Identity                           InternalNLBBypassUrl                               InternalUrl                                        ExternalUrl InternalAuthenticationMethods ExternalAuthenticationMethods BasicAuthentication DigestAuthentication WindowsAuthentication
------      --------                           --------------------                               -----------                                        ----------- ----------------------------- ----------------------------- ------------------- -------------------- ---------------------
ExCAS02 ExCAS02\EWS (Default Web Site)         https://ExCAS02.domainad.com/ews/exchange.asmx https://ExCAS02.domainad.com/EWS/Exchange.asmx                     {Ntlm, WindowsIntegrated}     {Ntlm, WindowsIntegrated}                   False                False                  True
ExCAS03 ExCAS03\EWS (Default Web Site)         https://ExCAS03.domainad.com/ews/exchange.asmx https://ExCAS03.domainad.com/EWS/Exchange.asmx                     {Ntlm, WindowsIntegrated}     {Ntlm, WindowsIntegrated}                   False                False                  True
ExCAS02-DR ExCAS02-DR\EWS (Default Web Site)   https://ExCAS02-DR.domainad.com/ews/exchange.asmx https://ExCAS02-DR.domainad.com/EWS/Exchange.asmx               {Ntlm, WindowsIntegrated}     {Ntlm, WindowsIntegrated}                   False                False                  True

"OabVirtualDirectory"
Server      Identity                           InternalUrl                         ExternalUrl InternalAuthenticationMethods ExternalAuthenticationMethods
------      --------                           -----------                         ----------- ----------------------------- -----------------------------
ExCAS02 ExCAS02\OAB (Default Web Site)         http://ExCAS02.domainad.com/OAB                 {WindowsIntegrated}           {WindowsIntegrated}          
ExCAS03 ExCAS03\OAB (Default Web Site)         http://ExCAS03.domainad.com/OAB                 {WindowsIntegrated}           {WindowsIntegrated}          
ExCAS02-DR ExCAS02-DR\OAB (Default Web Site)   http://ExCAS02-DR.domainad.com/OAB              {WindowsIntegrated}           {WindowsIntegrated}          

"ActiveSyncVirtualDirectory"
Server      Identity                                                   InternalUrl                                                  ExternalUrl                                                MobileClientCertificateAuthorityURL BasicAuthEnabled WindowsAuthEnabled ClientCertAuth InternalAuthenticationMethods ExternalAuthenticationMethods
------      --------                                                   -----------                                                  -----------                                                ----------------------------------- ---------------- ------------------ -------------- ----------------------------- -----------------------------
ExCAS02 ExCAS02\Microsoft-Server-ActiveSync (Default Web Site)         https://ExCAS02.domainad.com/Microsoft-Server-ActiveSync     https://Activesync.domain.com/Microsoft-Server-ActiveSync                                                False               True         Ignore {}                            {}                           
ExCAS03 ExCAS03\Microsoft-Server-ActiveSync (Default Web Site)         https://ExCAS03.domainad.com/Microsoft-Server-ActiveSync     https://Activesync.domain.com/Microsoft-Server-ActiveSync                                                 True              False       Required {}                            {}                           
ExCAS02-DR ExCAS02-DR\Microsoft-Server-ActiveSync (Default Web Site)   https://ExCAS02-DR.domainad.com/Microsoft-Server-ActiveSync  https://Activesync.domain.com/Microsoft-Server-ActiveSync                                                 True              False       Required {}                            {}


jjoz (ASKER)

and here's the IIS 7 on Windows Server 2008 settings:
Autodiscover
	Authentication Enabled: Basic, Windows
	SSL Settings: Require SSL, Require 128-bit SSL
		Client Certificates: Ignore

Microsoft-Server-ActiveSync
	Authentication Enabled: Windows
	SSL Settings: Require SSL, Require 128-bit SSL
		Client Certificates: Ignore

Rpc
	Authentication Enabled: Basic
	SSL Settings: (None checked)
		Client Certificates: Ignore

RpcWithCert
	Authentication Enabled: (None Enabled)
	SSL Settings: Require SSL, Require 128-bit SSL
		Client Certificates: Ignore
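
The "Client Certificates" choice listed above is stored in IIS 7 as the `sslFlags` attribute of each virtual directory, so it can be read on every CAS server instead of being checked by hand. The PowerShell below is an added example, not part of the thread; it assumes PowerShell 2.0 or later, the default `appcmd.exe` location, and the site and virtual directory names shown in the posts above.

```powershell
# Added example: report the client-certificate mode of the Exchange virtual directories.
$appcmd = Join-Path $env:windir 'System32\inetsrv\appcmd.exe'
$site   = 'Default Web Site'
$vdirs  = 'Rpc', 'RpcWithCert', 'Autodiscover', 'Microsoft-Server-ActiveSync'

function ConvertTo-ClientCertMode {
    # Maps an IIS sslFlags string to the Ignore / Accept / Require choice in IIS Manager
    param([string]$SslFlags)
    $flags = @($SslFlags -split '\s*,\s*' | Where-Object { $_ })
    if ($flags -contains 'SslRequireCert')   { return 'Require' }
    if ($flags -contains 'SslNegotiateCert') { return 'Accept' }
    return 'Ignore'
}

function Get-VdirSslFlags {
    # appcmd prints the effective <access> section for the path as XML
    param([string]$Path)
    $out  = & $appcmd list config $Path /section:system.webServer/security/access
    $node = ([xml]($out -join "`n")).SelectSingleNode('//access')
    if ($node) { $node.GetAttribute('sslFlags') } else { '' }
}

# Constructed sample values, so the mapping can be checked without a server
foreach ($s in 'Ssl, Ssl128', 'Ssl, SslNegotiateCert', 'Ssl, SslNegotiateCert, SslRequireCert', '') {
    '{0,-42} -> {1}' -f "'$s'", (ConvertTo-ClientCertMode $s)
}

# Live check, run on each CAS server from an elevated prompt
if (Test-Path $appcmd) {
    $rows = foreach ($v in $vdirs) {
        $raw = Get-VdirSslFlags "$site/$v"
        New-Object PSObject -Property @{
            VirtualDirectory   = $v
            SslFlags           = $raw
            ClientCertificates = ConvertTo-ClientCertMode $raw
        }
    }
    $rows | Select-Object VirtualDirectory, SslFlags, ClientCertificates | Format-Table -AutoSize
}

# Exchange side (Exchange Management Shell only): the ClientCertAuth column shown above
if (Get-Command Get-ActiveSyncVirtualDirectory -ErrorAction SilentlyContinue) {
    Get-ActiveSyncVirtualDirectory | Select-Object Server, ClientCertAuth
}
```

Comparing the output across all CAS servers shows any virtual directory where the mode is Accept or Require rather than Ignore.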