Solved

Failed Client Certificate in outlook Anywhere 2007 with Exchange 2007 SP1 through TMG 2010

Posted on 2011-03-08
Last Modified: 2012-05-11
Hi,

I have successfully published Exchange ActiveSync using TMG 2010 (and OWA internally only), but somehow when I tried to publish Outlook Anywhere it failed (as can be seen from https://www.testexchangeconnectivity.com).

Settings:
IIS 7 settings: I have unchecked "Require SSL" and set the client certificate setting to "Ignore".

Exchange CAS settings:
ServerName                 : ExCAS02-VM
SSLOffloading              : True
ExternalHostname           : activesync.domain.com
ClientAuthenticationMethod : Basic
IISAuthenticationMethods   : {Basic}
MetabasePath               : IIS://ExCAS02-VM.domainad.com/W3SVC/1/ROOT/Rpc
Path                       : C:\Windows\System32\RpcProxy
Server                     : ExCAS02-VM
AdminDisplayName           :
ExchangeVersion            : 0.1 (8.0.535.0)
Name                       : Rpc (Default Web Site)
DistinguishedName          : CN=Rpc (Default Web Site),CN=HTTP,CN=Protocols,CN=ExCAS02-VM,CN=Servers,CN=Exchange Administrative.......
Identity                   : ExCAS02-VM\Rpc (Default Web Site)
Guid                       : 59873fe5-3e09-456e-9540-f67abc893f5e
ObjectCategory             : domainad.com/Configuration/Schema/ms-Exch-Rpc-Http-Virtual-Directory
ObjectClass                : {top, msExchVirtualDirectory, msExchRpcHttpVirtualDirectory}
WhenChanged                : 18/02/2011 4:31:54 PM
WhenCreated                : 18/02/2011 4:30:27 PM
OriginatingServer          : ADDC01.domainad.com
IsValid                    : True

Test-OutlookWebServices settings:
1013 Error When contacting https://activesync.domain.com/Rpc received the error The remote server returned an error: (500) Internal Server Error.
1017 Error [EXPR]-Error when contacting the RPC/HTTP service at https://activesync.domain.com/Rpc. The elapsed time was 0 milliseconds.

Environment:
Windows Server 2008 (HT-CAS)
Exchange Server 2007 SP1
TMG 2010 Standard
Outlook 2007 client SP2.

Any kind of help would be greatly appreciated.

Thanks.
Checking the IIS configuration for client certificate authentication.
  Client certificate authentication was detected.

  Additional Details
  Accept/Require client certificates were found. Set the IIS configuration to Ignore Client Certificates if you aren't using this type of authentication.

Question by: jjoz

Accepted Solution by Bruno PACI (LVL 16, earned 450 total points), ID: 35076268
Hi,

Error 500 obtained when trying to access a published OWA / ActiveSync / OutlookAnywhere page is usually due to a misconfigured SSL certificate on the internal Exchange server.

To verify this point, you should make a test from your TMG server:

1) First, on the TMG server, add a temporary access rule allowing the HTTPS protocol from "localhost" (the TMG server) to the internal network. This will allow you to run the test from the TMG server.
2) In TMG, look at your Outlook Anywhere publishing rule and, in the "To" tab, note the name of the internal Exchange server you entered there.
3) Open IE on the TMG server. Make sure IE is not configured to use a proxy.
4) In IE, type the URL "HTTPS://exchangeserver.domain.local/rpc" (where "exchangeserver.domain.local" is the name of your internal Exchange server as you entered it in the publishing rule).
5) If certificates are correctly configured between TMG and the internal Exchange server, you should not get a certificate security alert. The page will not open and you will get an error message saying the page cannot be reached, but before that you must not see any certificate security alert.

If there is a certificate security alert then ensure that all the following are ok:

1) The SSL certificate used by the IIS default web site on the Exchange server must contain a name that exactly matches the server name you used in the publishing rule (exchangeserver.domain.local).
2) The root certificate of the certification authority that issued the SSL certificate used by IIS on the Exchange server must be installed on the TMG server as a "Trusted Root Certification Authority".
3) If the SSL certificate used by IIS on the Exchange server is the self-signed certificate that Exchange generates during installation, then you should export the certificate to a .CER file, copy this file to TMG and import it into the "Trusted Root Certification Authorities" container so that TMG will trust the self-signed certificate.

Have a good day.
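The same check the answer performs with IE (steps 2 to 5 and the three certificate conditions), as an added PowerShell example that is not part of the original answer. It runs on the TMG server, needs the temporary localhost-to-internal HTTPS rule from step 1, and assumes that the internal host name below (a placeholder) is the one entered in the publishing rule's "To" tab.

```powershell
# Added example: probe the internal CAS over TLS from the TMG box and report why IE
# would show a certificate security alert (name mismatch vs. untrusted chain).
# Assumption: $ExchangeHost is the internal name used in the publishing rule (placeholder).
param([string]$ExchangeHost = "exchangeserver.domain.local", [int]$Port = 443)

$tcp = New-Object System.Net.Sockets.TcpClient
$tcp.Connect($ExchangeHost, $Port)
# Accept any certificate during the handshake; it is validated explicitly below so the
# script can explain the failure instead of just throwing.
$accept = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
try {
    $ssl.AuthenticateAsClient($ExchangeHost)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally {
    $ssl.Dispose(); $tcp.Close()
}
"Subject : $($cert.Subject)"
"Issuer  : $($cert.Issuer)"

# Condition 1 from the answer: a name on the certificate must match the published host name.
$names = @()
$cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
if ($cn) { $names += $cn }
foreach ($ext in $cert.Extensions) {
    if ($ext.Oid.Value -eq '2.5.29.17') {   # subjectAltName: "DNS Name=a, DNS Name=b"
        $names += [regex]::Matches($ext.Format($false), 'DNS Name=([^,\s]+)') |
                  ForEach-Object { $_.Groups[1].Value }
    }
}
$nameOk = $names | Where-Object { $ExchangeHost -like $_ }   # -like also handles *.domain.local
if ($nameOk) { "Name check : OK ($($nameOk -join ', '))" }
else         { "Name check : FAIL - certificate names [$($names -join ', ')] do not include $ExchangeHost" }

# Conditions 2 and 3: TMG's machine store must trust the issuing root (or the self-signed cert).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if ($chain.Build($cert)) {
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    "Chain check: OK (root: $($root.Subject))"
} else {
    "Chain check: FAIL - import the issuing root (or the self-signed certificate itself) into Trusted Root Certification Authorities on TMG"
    foreach ($st in $chain.ChainStatus) { "  $($st.Status): $($st.StatusInformation.Trim())" }
}
```

Both checks must report OK before the TMG-to-CAS leg of the publishing rule can work without a certificate alert; a FAIL maps directly to the numbered condition in the answer.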
Author Comment by jjoz (LVL 1), ID: 35076815
Hm... when I type "HTTPS://exchangeserver.domain.local/rpc" it asks for credentials, and after I successfully type them I get into OWA?
Assisted Solution by praveenkumare_sp (LVL 8, earned 50 total points), ID: 35077567
So your "HTTPS://exchangeserver.domain.local/rpc" is actually pointed to OWA.

Just try to set up Outlook Anywhere on a machine connected to the domain and test whether it's working fine.
Author Comment by jjoz (LVL 1), ID: 35077727
That is from internal; we don't publish OWA externally.
Expert Comment by praveenkumare_sp (LVL 8), ID: 35084021
What is the URL you use for setting up the Outlook Anywhere account?
Author Comment by jjoz (LVL 1), ID: 35088596
It is ExCAS02.domain.com, the Exchange CAS server address, i.e. the same server address that is used by ActiveSync (which works both internally and externally); somehow it doesn't work for OA, either internally or externally.
Author Comment by jjoz (LVL 1), ID: 35089201
Still got the error after adding autodiscover.domain.com as an A record pointing to the TMG 2010 external interface with the public IP address.
A network error occurred while communicating with the remote host.
  Exception details:
  Message: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 1.2.3.4:443
  Type: System.Net.Sockets.SocketException
  Stack trace:
  at System.Net.Sockets.TcpClient.Connect(String hostname, Int32 port)
  at Microsoft.Exchange.Tools.ExRca.Tests.TcpPortTest.PerformTestReally()

Attempting to send an Autodiscover POST request to potential Autodiscover URLs.
  Autodiscover settings weren't obtained when the Autodiscover POST request was sent.

  Test Steps
  ExRCA is attempting to retrieve an XML Autodiscover response from URL https://autodiscover.domain.com/AutoDiscover/AutoDiscover.xml for user Myusername@domain.com
  ExRCA failed to obtain an Autodiscover XML response.

  Additional Details
  An HTTP 403 error was received because ISA Server denied the specified URL.

Testing TCP port 80 on host autodiscover.domain.com to ensure it's listening and open.
  The specified port is either blocked, not listening, or not producing the expected response.

  Additional Details
  A network error occurred while communicating with the remote host.
  Exception details:
  Message: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 1.2.3.4:80
  Type: System.Net.Sockets.SocketException
  Stack trace:
  at System.Net.Sockets.TcpClient.Connect(String hostname, Int32 port)
  at Microsoft.Exchange.Tools.ExRca.Tests.TcpPortTest.PerformTestReally()

Author Comment by jjoz (LVL 1), ID: 35089361
OK, the TMG 2010 has been reconfigured according to this blog post: http://clintboessen.blogspot.com/2010/10/autodiscover-issue-with-isa2006-or.html

However, now the only remaining problem is still the client certificate?
Checking the IIS configuration for client certificate authentication.
  Client certificate authentication was detected.

  Additional Details
  Accept/Require client certificates were found. Set the IIS configuration to Ignore Client Certificates if you aren't using this type of authentication.

Author Comment by jjoz (LVL 1), ID: 35091832
FYI:
I managed to grab the virtual directory settings from PowerShell, which work for the following scenarios:

Exchange Activesync - work both ways (expected)
Outlook Web Access - only internal (expected)
Outlook Anywhere - totally broken?
"OutlookAnywhere"
Server      Identity                           SSLOffloading ClientAuthenticationMethod IISAuthenticationMethods
------      --------                           ------------- -------------------------- ------------------------
ExCAS02 ExCAS02\Rpc (Default Web Site)          True                      Basic {Basic}                 
ExCAS03 ExCAS03\Rpc (Default Web Site)          True                      Basic {Basic}                 

"AutodiscoverVirtualDirectory"
Server      Identity                                    InternalUrl ExternalUrl InternalAuthenticationMethods    ExternalAuthenticationMethods    BasicAuthentication DigestAuthentication WindowsAuthentication
------      --------                                    ----------- ----------- -----------------------------    -----------------------------    ------------------- -------------------- ---------------------
ExCAS02 ExCAS02\Autodiscover (Default Web Site)                                 {Basic, Ntlm, WindowsIntegrated} {Basic, Ntlm, WindowsIntegrated}                True                False                  True
ExCAS03 ExCAS03\Autodiscover (Default Web Site)                                 {Basic, Ntlm, WindowsIntegrated} {Basic, Ntlm, WindowsIntegrated}                True                False                  True
ExCAS02-DR ExCAS02-DR\Autodiscover (Default Web Site)                           {Basic, Ntlm, WindowsIntegrated} {Basic, Ntlm, WindowsIntegrated}                True                False                  True

"WebServicesVirtualDirectory"
Server      Identity                           InternalNLBBypassUrl                               InternalUrl                                        ExternalUrl InternalAuthenticationMethods ExternalAuthenticationMethods BasicAuthentication DigestAuthentication WindowsAuthentication
------      --------                           --------------------                               -----------                                        ----------- ----------------------------- ----------------------------- ------------------- -------------------- ---------------------
ExCAS02 ExCAS02\EWS (Default Web Site)         https://ExCAS02.domainad.com/ews/exchange.asmx https://ExCAS02.domainad.com/EWS/Exchange.asmx                     {Ntlm, WindowsIntegrated}     {Ntlm, WindowsIntegrated}                   False                False                  True
ExCAS03 ExCAS03\EWS (Default Web Site)         https://ExCAS03.domainad.com/ews/exchange.asmx https://ExCAS03.domainad.com/EWS/Exchange.asmx                     {Ntlm, WindowsIntegrated}     {Ntlm, WindowsIntegrated}                   False                False                  True
ExCAS02-DR ExCAS02-DR\EWS (Default Web Site)   https://ExCAS02-DR.domainad.com/ews/exchange.asmx https://ExCAS02-DR.domainad.com/EWS/Exchange.asmx               {Ntlm, WindowsIntegrated}     {Ntlm, WindowsIntegrated}                   False                False                  True

"OabVirtualDirectory"
Server      Identity                           InternalUrl                         ExternalUrl InternalAuthenticationMethods ExternalAuthenticationMethods
------      --------                           -----------                         ----------- ----------------------------- -----------------------------
ExCAS02 ExCAS02\OAB (Default Web Site)         http://ExCAS02.domainad.com/OAB                 {WindowsIntegrated}           {WindowsIntegrated}          
ExCAS03 ExCAS03\OAB (Default Web Site)         http://ExCAS03.domainad.com/OAB                 {WindowsIntegrated}           {WindowsIntegrated}          
ExCAS02-DR ExCAS02-DR\OAB (Default Web Site)   http://ExCAS02-DR.domainad.com/OAB              {WindowsIntegrated}           {WindowsIntegrated}          

"ActiveSyncVirtualDirectory"
Server      Identity                                                   InternalUrl                                                  ExternalUrl                                                MobileClientCertificateAuthorityURL BasicAuthEnabled WindowsAuthEnabled ClientCertAuth InternalAuthenticationMethods ExternalAuthenticationMethods
------      --------                                                   -----------                                                  -----------                                                ----------------------------------- ---------------- ------------------ -------------- ----------------------------- -----------------------------
ExCAS02 ExCAS02\Microsoft-Server-ActiveSync (Default Web Site)         https://ExCAS02.domainad.com/Microsoft-Server-ActiveSync     https://Activesync.domain.com/Microsoft-Server-ActiveSync                                                False               True         Ignore {}                            {}                           
ExCAS03 ExCAS03\Microsoft-Server-ActiveSync (Default Web Site)         https://ExCAS03.domainad.com/Microsoft-Server-ActiveSync     https://Activesync.domain.com/Microsoft-Server-ActiveSync                                                 True              False       Required {}                            {}                           
ExCAS02-DR ExCAS02-DR\Microsoft-Server-ActiveSync (Default Web Site)   https://ExCAS02-DR.domainad.com/Microsoft-Server-ActiveSync  https://Activesync.domain.com/Microsoft-Server-ActiveSync                                                 True              False       Required {}                            {}

Author Comment by jjoz (LVL 1), ID: 35091930
And the following are the IIS 7.0 settings:
Autodiscover
	Authentication Enabled: Basic, Windows
	SSL Settings: Require SSL, Require 128-bit SSL
		Client Certificates: Ignore

Microsoft-Server-ActiveSync
	Authentication Enabled: Windows
	SSL Settings: Require SSL, Require 128-bit SSL
		Client Certificates: Ignore

Rpc
	Authentication Enabled: Basic
	SSL Settings: (None checked)
		Client Certificates: Ignore

RpcWithCert
	Authentication Enabled: (None Enabled)
	SSL Settings: Require SSL, Require 128-bit SSL
		Client Certificates: Ignore

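The IIS listing above and the ExRCA "Accept/Require client certificates were found" result are compared by the GUI; the following added PowerShell example (not from the thread) reads the effective sslFlags of each virtual directory directly, which is what a scanner sees, so the directory that still negotiates client certificates can be identified. It assumes the WebAdministration PowerShell provider for IIS 7.x is available on each CAS and that the directories live under "Default Web Site".

```powershell
# Added example: report the effective client-certificate setting of each Exchange
# virtual directory, including values inherited from the site or applicationHost.config.
# Assumption: WebAdministration module present; run on every CAS (ExCAS02, ExCAS03, ExCAS02-DR).
Import-Module WebAdministration

$site  = "Default Web Site"
# Directories from the thread's IIS listing; extend with EWS, OAB, etc. as needed.
$vdirs = "Autodiscover", "Microsoft-Server-ActiveSync", "Rpc", "RpcWithCert"

$report = foreach ($vd in $vdirs) {
    # -Location returns the effective (inherited) value rather than only what is set locally.
    $raw = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
               -Location "$site/$vd" -Filter 'system.webServer/security/access' -Name 'sslFlags'
    # The provider may hand back a plain string or an attribute object; normalise to a string.
    $flags = if ($raw.PSObject.Properties['Value']) { "$($raw.Value)" } else { "$raw" }

    # IIS stores the GUI's client-certificate choice as flags:
    #   Ignore  -> neither flag
    #   Accept  -> SslNegotiateCert
    #   Require -> SslNegotiateCert, SslRequireCert
    $clientCert = if     ($flags -match 'SslRequireCert')   { 'Require' }
                  elseif ($flags -match 'SslNegotiateCert') { 'Accept'  }
                  else                                      { 'Ignore'  }
    New-Object PSObject -Property @{
        VirtualDirectory   = $vd
        RequireSsl         = [bool]($flags -match '\bSsl\b')   # "Ssl" alone, not Ssl128/SslNegotiateCert
        ClientCertificates = $clientCert
        RawSslFlags        = $flags
    }
}

# Any row other than Ignore is what ExRCA reports as "Accept/Require client certificates".
$report | Format-Table VirtualDirectory, RequireSsl, ClientCertificates, RawSslFlags -AutoSize
```

Compare the output on every CAS behind the publishing rule, not only the one whose GUI was inspected, since a load-balanced or DR node with a different setting produces the same scanner result.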
