Solved

Failed Client Certificate in outlook Anywhere 2007 with Exchange 2007 SP1 through TMG 2010

Posted on 2011-03-08
Last Modified: 2012-05-11
Hi,

I have successfully published Exchange ActiveSync using TMG 2010, and OWA internally only, but somehow when I tried to publish Outlook Anywhere it failed (as can be seen from https://www.testexchangeconnectivity.com).

Settings:
IIS 7 settings: I have unchecked "Require SSL" and set the client certificate to "Ignore".

Exchange CAS settings:
ServerName                 : ExCAS02-VM
SSLOffloading              : True
ExternalHostname           : activesync.domain.com
ClientAuthenticationMethod : Basic
IISAuthenticationMethods   : {Basic}
MetabasePath               : IIS://ExCAS02-VM.domainad.com/W3SVC/1/ROOT/Rpc
Path                       : C:\Windows\System32\RpcProxy
Server                     : ExCAS02-VM
AdminDisplayName           :
ExchangeVersion            : 0.1 (8.0.535.0)
Name                       : Rpc (Default Web Site)
DistinguishedName          : CN=Rpc (Default Web Site),CN=HTTP,CN=Protocols,CN=ExCAS02-VM,CN=Servers,CN=Exchange Administrative.......
Identity                   : ExCAS02-VM\Rpc (Default Web Site)
Guid                       : 59873fe5-3e09-456e-9540-f67abc893f5e
ObjectCategory             : domainad.com/Configuration/Schema/ms-Exch-Rpc-Http-Virtual-Directory
ObjectClass                : {top, msExchVirtualDirectory, msExchRpcHttpVirtualDirectory}
WhenChanged                : 18/02/2011 4:31:54 PM
WhenCreated                : 18/02/2011 4:30:27 PM
OriginatingServer          : ADDC01.domainad.com
IsValid                    : True

Test-OutlookWebServices settings:
1013 Error When contacting https://activesync.domain.com/Rpc received the error The remote server returned an error: (500) Internal Server Error.
1017 Error [EXPR]-Error when contacting the RPC/HTTP service at https://activesync.domain.com/Rpc. The elapsed time was 0 milliseconds.

Environment:
Windows Server 2008 (HT-CAS)
Exchange Server 2007 SP1
TMG 2010 Standard
Outlook 2007 client SP2.

Any kind of help would be greatly appreciated.

Thanks.
Checking the IIS configuration for client certificate authentication.
	Client certificate authentication was detected.

	Additional Details
	Accept/Require client certificates were found. Set the IIS configuration to Ignore Client Certificates if you aren't using this type of authentication.


Question by: jjoz
10 Comments
 
Accepted Solution by: PaciB (earned 450 total points)

Hi,

Error 500 obtained when trying to access a published OWA / ActiveSync / Outlook Anywhere page is usually due to a misconfigured SSL certificate on the internal Exchange server.

To verify this point, you should make a test from your TMG server:

1) At first, on the TMG server, add a temporary access rule to allow the HTTPS protocol from "localhost" (TMG server) to the internal network. This will permit making the test from the TMG server.
2) In TMG, take a look at your Outlook Anywhere publishing rule and in the "To" tab note the name of the internal Exchange server you mentioned.
3) Open IE on the TMG server. Make sure IE is not configured to use a proxy.
4) In IE type the URL "HTTPS://exchangeserver.domain.local/rpc" (where "exchangeserver.domain.local" is the name of your internal Exchange server as you mentioned it in the publishing rule).
5) If certificates are well configured between TMG and the internal Exchange server you should not have a certificate security alert. The page will not open and you'll have an error message saying the page cannot be reached, but before that you must not see any certificate security alert.

If there is a certificate security alert then ensure that all the following are OK:

1) The SSL certificate used on the Exchange server by the IIS default web site must contain a name that perfectly matches the server name you used in the publishing rule (exchangeserver.domain.local).
2) The root certificate of the certification authority that issued the SSL certificate used by IIS on the Exchange server must be installed on the TMG server as a "Trusted Root Certification Authority".
3) If the SSL certificate used by IIS on the Exchange server is the self-signed certificate that Exchange generates during installation, then you should export the certificate to a .CER file, copy this file to TMG and import it into the "Trusted Root Certification Authority" container so that TMG will trust the self-signed certificate.

Have a good day.
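A scripted version of the two checks this thread turns on, added here as an example and not code from the thread or from any of the posters. Part 1 reports the IIS client-certificate setting (sslFlags) of the site root and the Exchange virtual directories on the CAS, which is what the ExRCA message "Accept/Require client certificates were found" is looking at; Part 2 performs the TLS handshake from the TMG server to the internal name from the publishing rule's "To" tab and reports name and chain errors, the same thing the IE test in the accepted solution shows as a certificate security alert. Assumptions: PowerShell 2.0, the IIS WebAdministration snap-in (IIS 7.0) or module (IIS 7.5) on the CAS, the temporary localhost-to-internal HTTPS access rule on TMG, placeholder host names, and function names of my own choosing.

```powershell
# Added example (not from the thread); host names are placeholders. Part 1 runs on the
# CAS (IIS WebAdministration snap-in or module), Part 2 on TMG with the temporary rule.
param(
    [string]$InternalExchangeName = 'exchangeserver.domain.local',  # name in the rule's "To" tab
    [string]$SiteName = 'Default Web Site'
)
# Part 1: ExRCA warns when sslFlags contain SslNegotiateCert (Accept) or SslRequireCert
# (Require). /Rpc must be Ignore; the site root is listed because children inherit it.
function Get-ClientCertSetting {
    param([string]$Site, [string[]]$VDirs = @('', 'Rpc', 'RpcWithCert', 'Autodiscover', 'EWS'))
    if (-not (Get-Command Get-WebConfiguration -ErrorAction SilentlyContinue)) {
        try { Import-Module WebAdministration } catch { Add-PSSnapin WebAdministration }
    }
    foreach ($vd in $VDirs) {
        $path  = if ($vd) { "IIS:\Sites\$Site\$vd" } else { "IIS:\Sites\$Site" }
        $flags = (Get-WebConfiguration -Filter 'system.webServer/security/access' -PSPath $path).sslFlags
        $state = 'Ignore'
        if ($flags -match 'SslNegotiateCert') { $state = 'Accept' }
        if ($flags -match 'SslRequireCert')   { $state = 'Require' }
        New-Object PSObject -Property @{ Path = $path; SslFlags = $flags; ClientCerts = $state }
    }
}
# Part 2: the IE test from the accepted answer without a browser. The validation callback
# records the policy errors instead of aborting, so the certificate can still be reported.
function Test-PublishingTargetTls {
    param([string]$HostName, [int]$Port = 443)
    $script:policyErrors = [System.Net.Security.SslPolicyErrors]::None
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $cert, $chain, $errors)
        $script:policyErrors = $errors
        return $true
    }
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    try {
        $ssl.AuthenticateAsClient($HostName)   # name match is checked against this value
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        New-Object PSObject -Property @{
            Target = "${HostName}:$Port"; Subject = $cert.Subject; Issuer = $cert.Issuer
            NotAfter = $cert.NotAfter; PolicyErrors = $script:policyErrors
            Trusted = ($script:policyErrors -eq [System.Net.Security.SslPolicyErrors]::None)
        }
    } finally { $ssl.Dispose(); $tcp.Close() }
}
Get-ClientCertSetting -Site $SiteName | Format-Table Path, ClientCerts, SslFlags -AutoSize
Test-PublishingTargetTls -HostName $InternalExchangeName | Format-List
```

A PolicyErrors value of RemoteCertificateNameMismatch corresponds to check 1) in the accepted solution, RemoteCertificateChainErrors to checks 2) and 3).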
 
Author Comment by: jjoz

Hm... when I type "HTTPS://exchangeserver.domain.local/rpc" it asks for credentials, and after successfully typing them I got into OWA?
 
Assisted Solution by: praveenkumare_sp (earned 50 total points)

So your "HTTPS://exchangeserver.domain.local/rpc" actually points to OWA.

Just try to set up Outlook Anywhere on a machine connected to a domain and test whether it's working fine.
 
Author Comment by: jjoz

That is from internal; we don't publish OWA externally.
 
Expert Comment by: praveenkumare_sp

What is the URL you use for setting up the Outlook Anywhere account?
 
Author Comment by: jjoz

It is ExCAS02.domain.com, the Exchange CAS server address, or the same server address that is used by the ActiveSync (which works both internally and externally); somehow it doesn't work for this OA internally and externally.
 
Author Comment by: jjoz

Still got the error after adding autodiscover.domain.com as the A record to point to the TMG 2010 external interface with the public IP address.
A network error occurred while communicating with the remote host.
	Exception details:
	Message: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 1.2.3.4:443
	Type: System.Net.Sockets.SocketException
	Stack trace:
	at System.Net.Sockets.TcpClient.Connect(String hostname, Int32 port)
	at Microsoft.Exchange.Tools.ExRca.Tests.TcpPortTest.PerformTestReally()

Attempting to send an Autodiscover POST request to potential Autodiscover URLs.
	Autodiscover settings weren't obtained when the Autodiscover POST request was sent.

	Test Steps
	ExRCA is attempting to retrieve an XML Autodiscover response from URL https://autodiscover.domain.com/AutoDiscover/AutoDiscover.xml for user Myusername@domain.com
	ExRCA failed to obtain an Autodiscover XML response.

	Additional Details
	An HTTP 403 error was received because ISA Server denied the specified URL.

Testing TCP port 80 on host autodiscover.domain.com to ensure it's listening and open.
	The specified port is either blocked, not listening, or not producing the expected response.

	Additional Details
	A network error occurred while communicating with the remote host.
	Exception details:
	Message: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 1.2.3.4:80
	Type: System.Net.Sockets.SocketException
	Stack trace:
	at System.Net.Sockets.TcpClient.Connect(String hostname, Int32 port)
	at Microsoft.Exchange.Tools.ExRca.Tests.TcpPortTest.PerformTestReally()


 
Author Comment by: jjoz

OK, the TMG 2010 has been reconfigured according to this blog post: http://clintboessen.blogspot.com/2010/10/autodiscover-issue-with-isa2006-or.html

However, now the only remaining problem is still regarding the client certificate?
Checking the IIS configuration for client certificate authentication.
	Client certificate authentication was detected.

	Additional Details
	Accept/Require client certificates were found. Set the IIS configuration to Ignore Client Certificates if you aren't using this type of authentication.


 
Author Comment by: jjoz

FYI:
I managed to grab the virtual directory settings from PowerShell, which work for the following scenario:

Exchange ActiveSync - works both ways (expected)
Outlook Web Access - only internal (expected)
Outlook Anywhere - totally broken?
"OutlookAnywhere"
Server      Identity                           SSLOffloading ClientAuthenticationMethod IISAuthenticationMethods
------      --------                           ------------- -------------------------- ------------------------
ExCAS02 ExCAS02\Rpc (Default Web Site)          True                      Basic {Basic}                 
ExCAS03 ExCAS03\Rpc (Default Web Site)          True                      Basic {Basic}                 

"AutodiscoverVirtualDirectory"
Server      Identity                                    InternalUrl ExternalUrl InternalAuthenticationMethods    ExternalAuthenticationMethods    BasicAuthentication DigestAuthentication WindowsAuthentication
------      --------                                    ----------- ----------- -----------------------------    -----------------------------    ------------------- -------------------- ---------------------
ExCAS02 ExCAS02\Autodiscover (Default Web Site)                                 {Basic, Ntlm, WindowsIntegrated} {Basic, Ntlm, WindowsIntegrated}                True                False                  True
ExCAS03 ExCAS03\Autodiscover (Default Web Site)                                 {Basic, Ntlm, WindowsIntegrated} {Basic, Ntlm, WindowsIntegrated}                True                False                  True
ExCAS02-DR ExCAS02-DR\Autodiscover (Default Web Site)                           {Basic, Ntlm, WindowsIntegrated} {Basic, Ntlm, WindowsIntegrated}                True                False                  True

"WebServicesVirtualDirectory"
Server      Identity                           InternalNLBBypassUrl                               InternalUrl                                        ExternalUrl InternalAuthenticationMethods ExternalAuthenticationMethods BasicAuthentication DigestAuthentication WindowsAuthentication
------      --------                           --------------------                               -----------                                        ----------- ----------------------------- ----------------------------- ------------------- -------------------- ---------------------
ExCAS02 ExCAS02\EWS (Default Web Site)         https://ExCAS02.domainad.com/ews/exchange.asmx https://ExCAS02.domainad.com/EWS/Exchange.asmx                     {Ntlm, WindowsIntegrated}     {Ntlm, WindowsIntegrated}                   False                False                  True
ExCAS03 ExCAS03\EWS (Default Web Site)         https://ExCAS03.domainad.com/ews/exchange.asmx https://ExCAS03.domainad.com/EWS/Exchange.asmx                     {Ntlm, WindowsIntegrated}     {Ntlm, WindowsIntegrated}                   False                False                  True
ExCAS02-DR ExCAS02-DR\EWS (Default Web Site)   https://ExCAS02-DR.domainad.com/ews/exchange.asmx https://ExCAS02-DR.domainad.com/EWS/Exchange.asmx               {Ntlm, WindowsIntegrated}     {Ntlm, WindowsIntegrated}                   False                False                  True

"OabVirtualDirectory"
Server      Identity                           InternalUrl                         ExternalUrl InternalAuthenticationMethods ExternalAuthenticationMethods
------      --------                           -----------                         ----------- ----------------------------- -----------------------------
ExCAS02 ExCAS02\OAB (Default Web Site)         http://ExCAS02.domainad.com/OAB                 {WindowsIntegrated}           {WindowsIntegrated}          
ExCAS03 ExCAS03\OAB (Default Web Site)         http://ExCAS03.domainad.com/OAB                 {WindowsIntegrated}           {WindowsIntegrated}          
ExCAS02-DR ExCAS02-DR\OAB (Default Web Site)   http://ExCAS02-DR.domainad.com/OAB              {WindowsIntegrated}           {WindowsIntegrated}          

"ActiveSyncVirtualDirectory"
Server      Identity                                                   InternalUrl                                                  ExternalUrl                                                MobileClientCertificateAuthorityURL BasicAuthEnabled WindowsAuthEnabled ClientCertAuth InternalAuthenticationMethods ExternalAuthenticationMethods
------      --------                                                   -----------                                                  -----------                                                ----------------------------------- ---------------- ------------------ -------------- ----------------------------- -----------------------------
ExCAS02 ExCAS02\Microsoft-Server-ActiveSync (Default Web Site)         https://ExCAS02.domainad.com/Microsoft-Server-ActiveSync     https://Activesync.domain.com/Microsoft-Server-ActiveSync                                                False               True         Ignore {}                            {}                           
ExCAS03 ExCAS03\Microsoft-Server-ActiveSync (Default Web Site)         https://ExCAS03.domainad.com/Microsoft-Server-ActiveSync     https://Activesync.domain.com/Microsoft-Server-ActiveSync                                                 True              False       Required {}                            {}                           
ExCAS02-DR ExCAS02-DR\Microsoft-Server-ActiveSync (Default Web Site)   https://ExCAS02-DR.domainad.com/Microsoft-Server-ActiveSync  https://Activesync.domain.com/Microsoft-Server-ActiveSync                                                 True              False       Required {}                            {}


 
Author Comment by: jjoz

And the following is the IIS 7.0 setting:
Autodiscover
	Authentication Enabled: Basic, Windows
	SSL Settings: Require SSL, Require 128-bit SSL
		Client Certificates: Ignore

Microsoft-Server-ActiveSync
	Authentication Enabled: Windows
	SSL Settings: Require SSL, Require 128-bit SSL
		Client Certificates: Ignore

Rpc
	Authentication Enabled: Basic
	SSL Settings: (None checked)
		Client Certificates: Ignore

RpcWithCert
	Authentication Enabled: (None Enabled)
	SSL Settings: Require SSL, Require 128-bit SSL
		Client Certificates: Ignore
