Solved

Failed Client Certificate in outlook Anywhere 2007 with Exchange 2007 SP1 through TMG 2010

Posted on 2011-03-08
1,615 Views
Last Modified: 2012-05-11
Hi,

I have successfully published Exchange ActiveSync using TMG 2010, and OWA internally only, but somehow when I tried to publish Outlook Anywhere it failed (as can be seen from https://www.testexchangeconnectivity.com).

Settings:
IIS 7 settings, I have unchecked the require SSL and "Ignore" the client certificate

Exchange CAS settings:
ServerName                 : ExCAS02-VM
SSLOffloading              : True
ExternalHostname           : activesync.domain.com
ClientAuthenticationMethod : Basic
IISAuthenticationMethods   : {Basic}
MetabasePath               : IIS://ExCAS02-VM.domainad.com/W3SVC/1/ROOT/Rpc
Path                       : C:\Windows\System32\RpcProxy
Server                     : ExCAS02-VM
AdminDisplayName           :
ExchangeVersion            : 0.1 (8.0.535.0)
Name                       : Rpc (Default Web Site)
DistinguishedName          : CN=Rpc (Default Web Site),CN=HTTP,CN=Protocols,CN=ExCAS02-VM,CN=Servers,CN=Exchange Administrative.......
Identity                   : ExCAS02-VM\Rpc (Default Web Site)
Guid                       : 59873fe5-3e09-456e-9540-f67abc893f5e
ObjectCategory             : domainad.com/Configuration/Schema/ms-Exch-Rpc-Http-Virtual-Directory
ObjectClass                : {top, msExchVirtualDirectory, msExchRpcHttpVirtualDirectory}
WhenChanged                : 18/02/2011 4:31:54 PM
WhenCreated                : 18/02/2011 4:30:27 PM
OriginatingServer          : ADDC01.domainad.com
IsValid                    : True

Test-OutlookWebServices settings:
1013 Error When contacting https://activesync.domain.com/Rpc received the error The remote server returned an error: (500) Internal Server Error.
1017 Error [EXPR]-Error when contacting the RPC/HTTP service at https://activesync.domain.com/Rpc. The elapsed time was 0 milliseconds.

environment:
Windows Server 2008 (HT-CAS)
Exchange Server 2007 SP1
TMG 2010 Standard
Outlook 2007 client SP2.

Any kind of help would be greatly appreciated.

Thanks.
Checking the IIS configuration for client certificate authentication.
 	Client certificate authentication was detected.
 	
	Additional Details
 	Accept/Require client certificates were found. Set the IIS configuration to Ignore Client Certificates if you aren't using this type of authentication.

Question by:jjoz
10 Comments
 
LVL 16

Accepted Solution

by:
Bruno PACI earned 1800 total points
ID: 35076268
Hi,

Error 500 obtained when trying to access a published OWA / ActiveSync / OutlookAnywhere page is usually due to a misconfigured SSL certificate on the internal Exchange server.

To verify this point, you should make a test from your TMG server:

1) First, on the TMG server, add a temporary access rule to allow the HTTPS protocol from "localhost" (the TMG server) to the internal network. This will permit you to make the test from the TMG server.
2) In TMG, take a look at your Outlook Anywhere publishing rule and, in the "To" tab, note the name of the internal Exchange server you mentioned.
3) Open IE on the TMG server. Make sure IE is not configured to use a proxy.
4) In IE type the URL "HTTPS://exchangeserver.domain.local/rpc" (where "exchangeserver.domain.local" is the name of your internal Exchange server as you mentioned it in the publishing rule).
5) If certificates are well configured between TMG and the internal Exchange server you should not have a certificate security alert. The page will not open and you'll have an error message saying the page cannot be reached, but before that you must not see any certificate security alert.

If there is a certificate security alert then ensure that all the following are ok:

1) The SSL certificate used on the Exchange server by the IIS default web site must contain a name that perfectly matches the server name you used in the publishing rule (exchangeserver.domain.local).
2) The root certificate of the certification authority that issued the SSL certificate used by IIS on the Exchange server must be installed on the TMG server as a "Trusted Root Certification Authority".
3) If the SSL certificate used by IIS on the Exchange server is the self-signed certificate that Exchange generates during installation, then you should export the certificate to a .CER file, copy this file to TMG and import it into the "Trusted Root Certification Authority" container so that TMG will trust the self-signed certificate.

Have a good day.
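The "browse from TMG" test in the accepted answer can be scripted so that the reason IE would throw a certificate alert is reported explicitly (name mismatch, untrusted chain, expiry) together with the HTTP status the /rpc path returns. The script below is an added example and is not part of the original thread or of any Microsoft tooling; it assumes the internal name from the publishing rule's "To" tab is the placeholder exchangeserver.domain.local, that it is run on the TMG server after the temporary localhost-to-Internal HTTPS rule exists, and that PowerShell 2.0 (Server 2008 R2) is available. Pointed at the published external name instead, the TCP step reproduces the ExRCA "Testing TCP port" check.

```powershell
# Added example (not from the thread): reproduce the "browse https://<internal CAS>/rpc
# from TMG" test and report why Windows would reject the certificate.
# Assumptions: placeholder host name below; run on the TMG server as an
# administrator; PowerShell 2.0 or later.
param(
    [string]$HostName  = 'exchangeserver.domain.local',   # name from the rule's "To" tab (placeholder)
    [int]   $Port      = 443,
    [string]$Path      = '/rpc',
    [int]   $TimeoutMs = 5000
)

$script:PolicyErrors = 'None'
$script:ServerCert   = $null

# Record what Windows would complain about, but let the handshake finish so the
# HTTP layer can be checked in the same run.
$callback = [System.Net.Security.RemoteCertificateValidationCallback] {
    param($sender, $cert, $chain, $errors)
    $script:PolicyErrors = $errors.ToString()
    $script:ServerCert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cert)
    return $true
}

# 1. TCP connect with a timeout (the same thing ExRCA's "Testing TCP port" step does).
$tcp   = New-Object System.Net.Sockets.TcpClient
$async = $tcp.BeginConnect($HostName, $Port, $null, $null)
if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
    $tcp.Close()
    throw "No response from ${HostName}:${Port} within $TimeoutMs ms (access rule missing, or wrong 'To' name?)"
}
$tcp.EndConnect($async)

# 2. TLS handshake; $HostName is the name the certificate must carry.
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
$ssl.AuthenticateAsClient($HostName)
$cert = $script:ServerCert

# 3. Collect CN and Subject Alternative Names and compare with the rule's name.
$names = @($cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false))
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($san) {
    # Format($true) yields one line per entry, e.g. "DNS Name=excas02.domainad.com"
    $names += ($san.Format($true) -split "`r?`n") | ForEach-Object {
        if ($_ -match '^DNS Name=(.+)$') { $Matches[1].Trim() }
    }
}
$nameOk = $false
foreach ($n in $names) {
    if ($n -eq $HostName) { $nameOk = $true }
    elseif ($n.StartsWith('*.') -and ($HostName -like $n)) { $nameOk = $true }
}

# 4. Chain validity as seen by THIS machine's Trusted Root store (point 2/3 of the answer).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chainOk     = $chain.Build($cert)
$chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

# 5. A bare GET: any HTTP status line, even an error, means TLS itself is fine.
$writer = New-Object System.IO.StreamWriter($ssl)
$writer.NewLine = "`r`n"
$writer.WriteLine("GET $Path HTTP/1.1")
$writer.WriteLine("Host: $HostName")
$writer.WriteLine("Connection: close")
$writer.WriteLine()
$writer.Flush()
$reader     = New-Object System.IO.StreamReader($ssl)
$statusLine = $reader.ReadLine()
$tcp.Close()

New-Object PSObject -Property @{
    Target       = "https://$HostName$Path"
    Subject      = $cert.Subject
    Issuer       = $cert.Issuer
    NotAfter     = $cert.NotAfter
    NamesOnCert  = ($names -join ', ')
    NameMatches  = $nameOk
    ChainTrusted = $chainOk
    ChainStatus  = $chainStatus
    PolicyErrors = $script:PolicyErrors
    HttpStatus   = $statusLine
} | Format-List
```

NameMatches $false corresponds to point 1 of the answer (fix the name in the rule or reissue the certificate); ChainTrusted $false with a status of UntrustedRoot corresponds to points 2 and 3 (export the issuing or self-signed certificate to a .CER file and import it on TMG, for example with `certutil -addstore Root exchange.cer`). PolicyErrors shows the combined verdict exactly as the TMG web proxy would see it, which is what produces the 500 towards the client.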
 
LVL 1

Author Comment

by:jjoz
ID: 35076815
Hm... when I type "HTTPS://exchangeserver.domain.local/rpc" it asks for credentials, and after I type them successfully I get into OWA?
 
LVL 8

Assisted Solution

by:praveenkumare_sp
praveenkumare_sp earned 200 total points
ID: 35077567
So your "HTTPS://exchangeserver.domain.local/rpc" is actually pointed to OWA.

Just try to set up Outlook Anywhere on a machine connected to the domain and test whether it's working fine.
 
LVL 1

Author Comment

by:jjoz
ID: 35077727
that is from internal, we don't publish OWA externally.
 
LVL 8

Expert Comment

by:praveenkumare_sp
ID: 35084021
What is the URL you use for setting up the Outlook Anywhere account?
 
LVL 1

Author Comment

by:jjoz
ID: 35088596
It is ExCAS02.domain.com, the Exchange CAS server address, i.e. the same server address that is used by ActiveSync (which works both internally and externally); somehow it doesn't work for OA, internally or externally.
 
LVL 1

Author Comment

by:jjoz
ID: 35089201
Still got the error after adding autodiscover.domain.com as an A record pointing to the TMG 2010 external interface with the public IP address.
A network error occurred while communicating with the remote host.
		Exception details:
		Message: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 1.2.3.4:443
		Type: System.Net.Sockets.SocketException
		Stack trace:
		at System.Net.Sockets.TcpClient.Connect(String hostname, Int32 port)
		at Microsoft.Exchange.Tools.ExRca.Tests.TcpPortTest.PerformTestReally()

Attempting to send an Autodiscover POST request to potential Autodiscover URLs.
 	Autodiscover settings weren't obtained when the Autodiscover POST request was sent.
 	
	Test Steps
 	
	ExRCA is attempting to retrieve an XML Autodiscover response from URL https://autodiscover.domain.com/AutoDiscover/AutoDiscover.xml for user Myusername@domain.com
 	ExRCA failed to obtain an Autodiscover XML response.
 	 Tell me more about this issue and how to resolve it
 	
	Additional Details
 	An HTTP 403 error was received because ISA Server denied the specified URL.
	
Testing TCP port 80 on host autodiscover.domain.com to ensure it's listening and open.
 	The specified port is either blocked, not listening, or not producing the expected response.
 	 Tell me more about this issue and how to resolve it
 	
	Additional Details
		A network error occurred while communicating with the remote host.
		Exception details:
		Message: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 1.2.3.4:80
		Type: System.Net.Sockets.SocketException
		Stack trace:
		at System.Net.Sockets.TcpClient.Connect(String hostname, Int32 port)
		at Microsoft.Exchange.Tools.ExRca.Tests.TcpPortTest.PerformTestReally()

 
LVL 1

Author Comment

by:jjoz
ID: 35089361
OK, the TMG 2010 has been reconfigured according to this blog post: http://clintboessen.blogspot.com/2010/10/autodiscover-issue-with-isa2006-or.html

However, now the only remaining problem is still regarding the client certificate:
Checking the IIS configuration for client certificate authentication.
 	Client certificate authentication was detected.
 	
	Additional Details
 	Accept/Require client certificates were found. Set the IIS configuration to Ignore Client Certificates if you aren't using this type of authentication.

 
LVL 1

Author Comment

by:jjoz
ID: 35091832
FYI:
I managed to grab the virtual directory settings from PowerShell, which work for the following scenarios:

Exchange Activesync - work both ways (expected)
Outlook Web Access - only internal (expected)
Outlook Anywhere - totally broken ?
"OutlookAnywhere"
Server      Identity                           SSLOffloading ClientAuthenticationMethod IISAuthenticationMethods
------      --------                           ------------- -------------------------- ------------------------
ExCAS02 ExCAS02\Rpc (Default Web Site)          True                      Basic {Basic}                 
ExCAS03 ExCAS03\Rpc (Default Web Site)          True                      Basic {Basic}                 

"AutodiscoverVirtualDirectory"
Server      Identity                                    InternalUrl ExternalUrl InternalAuthenticationMethods    ExternalAuthenticationMethods    BasicAuthentication DigestAuthentication WindowsAuthentication
------      --------                                    ----------- ----------- -----------------------------    -----------------------------    ------------------- -------------------- ---------------------
ExCAS02 ExCAS02\Autodiscover (Default Web Site)                                 {Basic, Ntlm, WindowsIntegrated} {Basic, Ntlm, WindowsIntegrated}                True                False                  True
ExCAS03 ExCAS03\Autodiscover (Default Web Site)                                 {Basic, Ntlm, WindowsIntegrated} {Basic, Ntlm, WindowsIntegrated}                True                False                  True
ExCAS02-DR ExCAS02-DR\Autodiscover (Default Web Site)                           {Basic, Ntlm, WindowsIntegrated} {Basic, Ntlm, WindowsIntegrated}                True                False                  True

"WebServicesVirtualDirectory"
Server      Identity                           InternalNLBBypassUrl                               InternalUrl                                        ExternalUrl InternalAuthenticationMethods ExternalAuthenticationMethods BasicAuthentication DigestAuthentication WindowsAuthentication
------      --------                           --------------------                               -----------                                        ----------- ----------------------------- ----------------------------- ------------------- -------------------- ---------------------
ExCAS02 ExCAS02\EWS (Default Web Site)         https://ExCAS02.domainad.com/ews/exchange.asmx https://ExCAS02.domainad.com/EWS/Exchange.asmx                     {Ntlm, WindowsIntegrated}     {Ntlm, WindowsIntegrated}                   False                False                  True
ExCAS03 ExCAS03\EWS (Default Web Site)         https://ExCAS03.domainad.com/ews/exchange.asmx https://ExCAS03.domainad.com/EWS/Exchange.asmx                     {Ntlm, WindowsIntegrated}     {Ntlm, WindowsIntegrated}                   False                False                  True
ExCAS02-DR ExCAS02-DR\EWS (Default Web Site)   https://ExCAS02-DR.domainad.com/ews/exchange.asmx https://ExCAS02-DR.domainad.com/EWS/Exchange.asmx               {Ntlm, WindowsIntegrated}     {Ntlm, WindowsIntegrated}                   False                False                  True

"OabVirtualDirectory"
Server      Identity                           InternalUrl                         ExternalUrl InternalAuthenticationMethods ExternalAuthenticationMethods
------      --------                           -----------                         ----------- ----------------------------- -----------------------------
ExCAS02 ExCAS02\OAB (Default Web Site)         http://ExCAS02.domainad.com/OAB                 {WindowsIntegrated}           {WindowsIntegrated}          
ExCAS03 ExCAS03\OAB (Default Web Site)         http://ExCAS03.domainad.com/OAB                 {WindowsIntegrated}           {WindowsIntegrated}          
ExCAS02-DR ExCAS02-DR\OAB (Default Web Site)   http://ExCAS02-DR.domainad.com/OAB              {WindowsIntegrated}           {WindowsIntegrated}          

"ActiveSyncVirtualDirectory"
Server      Identity                                                   InternalUrl                                                  ExternalUrl                                                MobileClientCertificateAuthorityURL BasicAuthEnabled WindowsAuthEnabled ClientCertAuth InternalAuthenticationMethods ExternalAuthenticationMethods
------      --------                                                   -----------                                                  -----------                                                ----------------------------------- ---------------- ------------------ -------------- ----------------------------- -----------------------------
ExCAS02 ExCAS02\Microsoft-Server-ActiveSync (Default Web Site)         https://ExCAS02.domainad.com/Microsoft-Server-ActiveSync     https://Activesync.domain.com/Microsoft-Server-ActiveSync                                                False               True         Ignore {}                            {}                           
ExCAS03 ExCAS03\Microsoft-Server-ActiveSync (Default Web Site)         https://ExCAS03.domainad.com/Microsoft-Server-ActiveSync     https://Activesync.domain.com/Microsoft-Server-ActiveSync                                                 True              False       Required {}                            {}                           
ExCAS02-DR ExCAS02-DR\Microsoft-Server-ActiveSync (Default Web Site)   https://ExCAS02-DR.domainad.com/Microsoft-Server-ActiveSync  https://Activesync.domain.com/Microsoft-Server-ActiveSync                                                 True              False       Required {}                            {}

 
LVL 1

Author Comment

by:jjoz
ID: 35091930
And the following is the IIS 7.0 setting:
Autodiscover
	Authentication Enabled: Basic, Windows
	SSL Settings: Require SSL, Require 128-bit SSL
		Client Certificates: Ignore

Microsoft-Server-ActiveSync
	Authentication Enabled: Windows
	SSL Settings: Require SSL, Require 128-bit SSL
		Client Certificates: Ignore

Rpc
	Authentication Enabled: Basic
	SSL Settings: (None checked)
		Client Certificates: Ignore

RpcWithCert
	Authentication Enabled: (None Enabled)
	SSL Settings: Require SSL, Require 128-bit SSL
		Client Certificates: Ignore

