Solved

Outlook Anywhere for Exchange 2007

Posted on 2011-04-19
Last Modified: 2012-05-11
We just replaced our SBS 2003 server with an SBS 2008 server. I seem to be having issues getting Outlook Anywhere working. The Exchange server appears to have a valid, self-signed cert issued to it. When I try to connect an Outlook 2007 client to Outlook Anywhere, it will prompt for a username and password but it will never accept the credentials I enter - not even the admin credentials. Finally it tells me that the connection to Microsoft Exchange is unavailable. I can log in to OWA from the workstation fine and I've also installed the cert from OWA. Any help would be appreciated.
Question by:StarfishTech
23 Comments
 
LVL 13

Accepted Solution

by:
connectex earned 400 total points
ID: 35429092
Since you're using the self-issued certificate, you must install it on the client. If you use a 3rd party SSL certificate you won't have this issue. If you choose to go the 3rd party certificate way, it's recommended you choose a UCC 5 domain certificate.

-Matt-
0
 

Author Comment

by:StarfishTech
ID: 35429107
We did install the cert on the client. We went to the OWA site from the client and installed the cert off the OWA site.
0
 
LVL 15

Assisted Solution

by:JBond2010
JBond2010 earned 400 total points
ID: 35429118
You may also need to check the permissions on the Exchange Virtual Directories in IIS.
0
 
LVL 13

Expert Comment

by:connectex
ID: 35429125
Can you post a snapshot of the HTTP over RPC settings?
0
 
LVL 60

Assisted Solution

by:Cliff Galiher
Cliff Galiher earned 400 total points
ID: 35429133
You cannot install the cert from the OWA site. A significant change from SBS 2003 to SBS 2008 is that SBS now uses its own CA so the certificate is technically not "self signed" ...it is signed by an internal CA.

When you "install" the certificate from the OWA site, you are *not* installing the signing root authority, so the certificate remains untrusted because the chain is untrusted. You must install the root cert into the trusted authorities store for everything to work as expected.

Fortunately with SBS 2008, Microsoft has included an installer to make this a one-click affair.

http://blogs.technet.com/b/sbs/archive/2008/09/30/how-do-i-distribute-the-sbs-2008-self-signed-ssl-certificate-to-my-users.aspx

-Cliff
0
 
LVL 12

Assisted Solution

by:serchlop
serchlop earned 400 total points
ID: 35429146
You have to install the certificate on the client computer by opening an MMC console.

Start - Run - MMC - Add or Remove Snap-in - Certificates - You have to select computer account - Then in the list select trusted authorities - Left click Install Certificate - Select the cert file

After that, when you open Iexplore for the OWA page, it should not show an alert.

Then you can configure Outlook Anywhere.

What you do when you add a certificate in IExplore is install it for the user, not for the computer account.
0
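Added example, not code from any poster in this thread: a PowerShell check for the two points made in the answers above, namely that the certificate only becomes trusted once its signing root is installed, and that a root installed for the user is not visible to the computer account. The function name `Test-CertChainTrust` and the path in `$CertPath` are hypothetical; it assumes the server certificate has been exported to a .cer file.

```powershell
# Added example: build the certificate chain twice, once in the current-user
# context and once in the local-machine context, and report the result of each.
function Test-CertChainTrust {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    foreach ($useMachine in $false, $true) {
        # X509Chain($true) consults only the machine certificate stores.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain($useMachine)
        # Revocation is skipped so the result reflects chain trust only.
        $chain.ChainPolicy.RevocationMode =
            [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $trusted = $chain.Build($Certificate)

        # Last element is the highest certificate the chain engine could reach.
        $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        $context = 'CurrentUser'
        if ($useMachine) { $context = 'LocalMachine' }

        [pscustomobject]@{
            Context     = $context
            Trusted     = $trusted
            ChainLength = $chain.ChainElements.Count
            TopOfChain  = $top.Subject
            SelfSigned  = ($top.Subject -eq $top.Issuer)
            Status      = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        }
        $chain.Reset()
    }
}

# Hypothetical path to the exported server certificate; adjust before running.
$CertPath = 'C:\Temp\server.cer'
if (Test-Path $CertPath) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)
    Test-CertChainTrust -Certificate $cert | Format-Table -AutoSize
}
```

A `PartialChain` status with a chain length of 1 means the issuing CA certificate was not found at all; `UntrustedRoot` means the root was found but is not in that context's trusted root store. A row that is trusted for `CurrentUser` but not for `LocalMachine` matches the user-versus-computer-account situation described above.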
 
LVL 12

Expert Comment

by:serchlop
ID: 35429157
Therefore you have to enter the username in domain\username form to get this to work.

And I suggest that you add the autodiscover.yourdomain.local or autodiscover.yourdomain.com to your DNS to avoid Outlook prompting for username/password.
0
 
LVL 8

Assisted Solution

by:databoks
databoks earned 400 total points
ID: 35429233
You have to buy a UCC with the following included.

your remote workplace, servername, servername.domainname.local, sites, autodiscover.domain.com

Don't mess with the Exchange Management Shell. You have to generate the cert request from Exchange and import it using Exchange Management Shell.

You also have to create an A record in your external DNS named autodiscover.domain.com pointing to your Exchange server's external IP address.

However, when you added this, you might still get a login box but only once they open Outlook. Go to IIS -> SBS Web Applications -> select Authentication -> enable kernel authentication.
0
 
LVL 60

Expert Comment

by:Cliff Galiher
ID: 35429261
...some of the advice here is optional/can be easier, but start by properly installing the internal cert package, get your system working as expected, then if you want to go with a more robust deployment (configuring autodiscover, UCC certs, etc) you can do so. None of those are by any means required though, and what you have going on right now is a *basic* configuration flaw that none of those will fix.

-Cliff
0
 

Author Comment

by:StarfishTech
ID: 35429268
OK, well I seem to be in better shape. I installed the correct certificate and I can tell it is correct because when I browse the OWA site from the client, I no longer get the warning. However, when I go to configure the Outlook profile, I get as far as checking the name where it asks me to log in with credentials and I can't get any further. It just keeps prompting me for credentials.
0
 
LVL 8

Expert Comment

by:databoks
ID: 35429306
You have to create an autodiscover.domain.com to solve this. You cannot get around it as far as I know.

0
 
LVL 60

Expert Comment

by:Cliff Galiher
ID: 35429318
Alright, let's see where things are hanging up (no use guessing.)

Head to www.testexchangeconnectivity.com and use its tests. They have a test for Outlook Anywhere which *can* use autodiscover or can use manual configuration. Try both and see where the tests hang up. Ideally I'd like to see the manual configuration pass, and if not, *get* it to pass, then you can move on to working out any remaining autodiscover issues (does not necessarily require an autodiscover.domain.com record)

-Cliff
0
 

Author Comment

by:StarfishTech
ID: 35429319
OK, can I get the specifics on creating the autodiscover.domain.com?
0
 
LVL 8

Expert Comment

by:databoks
ID: 35429331
You have to go to your external DNS and make an A record called autodiscover.domain.com pointing to your external Exchange Server.

Go to myip.dk to get your external IP.
0
 
LVL 12

Expert Comment

by:serchlop
ID: 35429334
0
 
LVL 12

Expert Comment

by:serchlop
ID: 35429342
Here is an MS doc
http://support.microsoft.com/kb/940881

And another
http://www.rackspace.com/apps/support/portal/1218

You can verify your configuration for many settings in https://www.testexchangeconnectivity.com/

You can check autodiscover, outlook anywhere, etc.
0
 

Author Comment

by:StarfishTech
ID: 35429531
Ok, I've gone to our external DNS hosting and created an SRV record that looks like so:

_autodiscover._tcp.domain.com

I will wait for it to propagate and try again.
0
 

Author Comment

by:StarfishTech
ID: 35430173
Just tried again. Set up a new profile on the client PC. When I went to "check name" it prompted me for a password. It didn't accept the client's credentials but it DID accept the admin credentials and then resolved the server name and mailbox. However, once I attempted to launch Outlook and access the mailbox, it wouldn't accept any credentials - it just kept prompting me.
0
 
LVL 60

Expert Comment

by:Cliff Galiher
ID: 35430584
Like I said earlier, auto discover, while nice, is a secondary concern. Use the site already mentioned to get details of the failure. I also recommend creating a test account for these tests.

-Cliff
0
 
LVL 8

Expert Comment

by:databoks
ID: 35430895
Try going to www.exchangeconnectivity.com and choose the Autodiscover test. Fill in the information and run it. Then tell us the exact error you are getting.

0
 

Author Comment

by:StarfishTech
ID: 35432467
OK, here is the entire log from the RPC/Outlook anywhere test on the test site.

Testing RPC/HTTP connectivity.
  The RPC/HTTP test failed.
   Test Steps
   ExRCA is attempting to test Autodiscover for user@domain.com.
  Testing Autodiscover failed.
   Test Steps
   Attempting each method of contacting the Autodiscover service.
  The Autodiscover service couldn't be contacted successfully by any method.
   Test Steps
   Attempting to test potential Autodiscover URL https://domain.com/AutoDiscover/AutoDiscover.xml 
  Testing of this potential Autodiscover URL failed.
   Test Steps
   Attempting to resolve the host name domain.com in DNS.
  The host name resolved successfully.
   Additional Details
  IP addresses returned: x.x.x.x
 Testing TCP port 443 on host domain.com to ensure it's listening and open.
  The port was opened successfully.
 Testing the SSL certificate to make sure it's valid.
  The SSL certificate failed one or more certificate validation checks.
   Tell me more about this issue and how to resolve it
   Additional Details
  A network error occurred while communicating with the remote host.
Exception details:
Message: Authentication failed because the remote party has closed the transport stream.
Type: System.IO.IOException
Stack trace:
at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
at System.Net.Security.SslStream.AuthenticateAsClient(String targetHost)
at Microsoft.Exchange.Tools.ExRca.Tests.SSLCertificateTest.PerformTestReally()
 
 
 
 
 Attempting to test potential Autodiscover URL https://autodiscover.domain/AutoDiscover/AutoDiscover.xml 
  Testing of this potential Autodiscover URL failed.
   Test Steps
   Attempting to resolve the host name autodiscover.domain.com in DNS.
  The host name resolved successfully.
   Additional Details
  IP addresses returned: x.x.x.x
 Testing TCP port 443 on host autodiscover.domain.com to ensure it's listening and open.
  The port was opened successfully.
 Testing the SSL certificate to make sure it's valid.
  The SSL certificate failed one or more certificate validation checks.
   Tell me more about this issue and how to resolve it
   Additional Details
  A network error occurred while communicating with the remote host.
Exception details:
Message: Authentication failed because the remote party has closed the transport stream.
Type: System.IO.IOException
Stack trace:
at System.Net.Security.SslState.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
at System.Net.Security.SslState.ProcessAuthentication(LazyAsyncResult lazyResult)
at System.Net.Security.SslStream.AuthenticateAsClient(String targetHost)
at Microsoft.Exchange.Tools.ExRca.Tests.SSLCertificateTest.PerformTestReally()
 
 
 
 
 Attempting to contact the Autodiscover service using the HTTP redirect method.
  The attempt to contact Autodiscover using the HTTP Redirect method failed.
   Test Steps
   Attempting to resolve the host name autodiscover.domain.com in DNS.
  The host name resolved successfully.
   Additional Details
  IP addresses returned: x.x.x.x
 Testing TCP port 80 on host autodiscover.domain.com to ensure it's listening and open.
  The port was opened successfully.
 ExRCA is checking the host autodiscover.domain.com for an HTTP redirect to the Autodiscover service.
  ExRCA failed to get an HTTP redirect response for Autodiscover.
   Additional Details
  A Web exception occurred because an HTTP 400 - BadRequest response was received from Unknown.
 
 
 
 Attempting to contact the Autodiscover service using the DNS SRV redirect method.
  ExRCA failed to contact the Autodiscover service using the DNS SRV redirect method.
   Test Steps
   Attempting to locate SRV record _autodiscover._tcp.domain.com in DNS.
  The Autodiscover SRV record was successfully retrieved from DNS.
   Additional Details
  The Service Location (SRV) record lookup returned host mail.domain.com.
 
 Attempting to test potential Autodiscover URL https://mail.domain.com/Autodiscover/Autodiscover.xml 
  Testing of this potential Autodiscover URL failed.
   Test Steps
   Attempting to resolve the host name mail.domain.com in DNS.
  The host name resolved successfully.
   Additional Details
  IP addresses returned: 70.62.x.x
 
 Testing TCP port 443 on host mail.domain.com to ensure it's listening and open.
  The port was opened successfully.
 Testing the SSL certificate to make sure it's valid.
  The SSL certificate failed one or more certificate validation checks.
   Test Steps
   Validating the certificate name.
  The certificate name was validated successfully.
   Additional Details
  Host name mail.domain.com was found in the Certificate Subject Common name.
 
 Certificate trust is being validated.
  Certificate trust validation failed.
   Additional Details
  The certificate chain couldn't be built. You may be missing required intermediate certificates.
 
 
 
 
 
 
 
 
 
 
 
 
 
0
 

Author Comment

by:StarfishTech
ID: 35434422
We ended up having to do a repair on the network and also there were some SSL settings issues on one of the RPC virtual directories in IIS. Thanks for everyone's help. A lot of helpful information in this thread!
0
 
LVL 8

Expert Comment

by:databoks
ID: 35436434
I am glad that your problem is fixed.


Please make sure to include the IIS as a backup source also in your backup plan.

0
