cannot connect iphones or rpc over http

I have just migrated from Exchange 2003 to 2010, applied rollup 5 for SP1, but cannot connect my iPhones or Outlook clients using RPC over HTTP.

Here are my results from testexchange .com :

Please let me know if anyone can assist.

Attempting the Autodiscover and Exchange ActiveSync test (if requested).  Testing of Autodiscover for Exchange ActiveSync failed.  
       Test Steps
              Attempting each method of contacting the Autodiscover service.
       The Autodiscover service couldn't be contacted successfully by any method.
              Test Steps
              Attempting to test potential Autodiscover URL https://mail.com/AutoDiscover/AutoDiscover.xml
       Testing of this potential Autodiscover URL failed.
              Test Steps
              Attempting to resolve the host name mail.com in DNS.
       The host name resolved successfully.
              Additional Details
       IP addresses returned: x.x.x.x

       Testing TCP port 443 on host mail.com to ensure it's listening and open.
       The port was opened successfully.
       Testing the SSL certificate to make sure it's valid.
       The SSL certificate failed one or more certificate validation checks.
              Test Steps
              ExRCA is attempting to obtain the SSL certificate from remote server mail.com on port 443.
       ExRCA wasn't able to obtain the remote SSL certificate.
              Additional Details
       The certificate couldn't be validated because SSL negotiation wasn't successful. This could have occurred as a result of a network error or because of a problem with the certificate installation.





       Attempting to test potential Autodiscover URL https://autodiscover.mail.com/AutoDiscover/AutoDiscover.xml
       Testing of this potential Autodiscover URL failed.
              Test Steps
              Attempting to resolve the host name autodiscover.mail.com in DNS.
       The host name resolved successfully.
              Additional Details
       IP addresses returned: x.x.x.x

       Testing TCP port 443 on host autodiscover.mail.com to ensure it's listening and open.
       The port was opened successfully.
       Testing the SSL certificate to make sure it's valid.
       The certificate passed all validation requirements.
              Test Steps
              ExRCA is attempting to obtain the SSL certificate from remote server autodiscover.mail.com on port 443.
       ExRCA successfully obtained the remote SSL certificate.
              
removed      

       Validating the certificate name.
       The certificate name was validated successfully.







             Additional Details
       Host name autodiscover.mail.com was found in the Certificate Subject Alternative Name entry.

       Certificate trust is being validated.
       The certificate is trusted and all certificates are present in the chain.
              Test Steps
              ExRCA is attempting to build certificate chains for certificate CN=exchange.mail.com, OU=Domain Control Validated, O=exchange.mail.com.
       One or more certificate chains were constructed successfully.
              Additional Details
       A total of 1 chains were built. The highest quality chain ends in root certificate OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US.

       Analyzing the certificate chains for compatibility problems with versions of Windows.
       Potential compatibility problems were identified with some versions of Windows.
              Additional Details
       ExRCA can only validate the certificate chain using the Root Certificate Update functionality from Windows Update. Your certificate may not be trusted on Windows if the "Update Root Certificates" feature isn't enabled.



       Testing the certificate date to confirm the certificate is valid.
       Date validation passed. The certificate hasn't expired.
              Additional Details
       The certificate is valid. NotBefore = 12/26/2011 8:21:57 PM, NotAfter = 12/26/2014 8:21:57 PM



       Checking the IIS configuration for client certificate authentication.
       Client certificate authentication wasn't detected.
              Additional Details
       Accept/Require Client Certificates isn't configured.

       Attempting to send an Autodiscover POST request to potential Autodiscover URLs.
       Autodiscover settings weren't obtained when the Autodiscover POST request was sent.
              Test Steps
              ExRCA is attempting to retrieve an XML Autodiscover response from URL https://autodiscover.mail.com/AutoDiscover/AutoDiscover.xml for user user@mail.com.
       ExRCA failed to obtain an Autodiscover XML response.
              Additional Details
       An HTTP 500 response was returned from Unknown.





       Attempting to contact the Autodiscover service using the HTTP redirect method.
       The attempt to contact Autodiscover using the HTTP Redirect method failed.
              Test Steps
              Attempting to resolve the host name autodiscover.mail.com in DNS.
       The host name resolved successfully.
              Additional Details
       IP addresses returned: x.x.x.x

       Testing TCP port 80 on host autodiscover.mail.com to ensure it's listening and open.
       The port was opened successfully.
       ExRCA is checking the host autodiscover.mail.com for an HTTP redirect to the Autodiscover service.
       ExRCA failed to get an HTTP redirect response for Autodiscover.
              Additional Details
       An HTTP 403 forbidden response was received. The response appears to have come from Unknown. Body of the response: You do not have permission to view this directory or page.



Attempting to contact the Autodiscover service using the DNS SRV redirect method.  ExRCA failed to contact the Autodiscover service using the DNS SRV redirect method.  
       Test Steps
              Attempting to locate SRV record _autodiscover._tcp.mail.com in DNS.
       The Autodiscover SRV record wasn't found in DNS.



Thanks,
Glenn
asibizAsked:
 
asibizAuthor Commented:
I am wanting to lock this relay connector down so that it can only send authenticated email, not open without authentication.


Thanks,
Glenn.
0
 
Maen Abu-TabanjehNetwork Administrator, Network ConsultantCommented:
First of all, you have to solve the SSL certificate problem: you must have an SSL certificate that has these names:
mail.domain.com
exchangeServer.localdomain.local
autodiscover.domain.com
domain.com

then please run the following commands and post the results here :

get-autodiscovervirtualdirectory |fl
get-clientaccessserver |fl
get-outlookanywhere |fl

Note: if you need quick and further help, I can do it for you remotely; just go to my profile and post me an email. I have too many cases like this and have solved them.


anyway wish to you good luck .. regards

Maen Abu-Tabanjeh
0
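An added example, not part of any post in this thread: one way to check, in the Exchange Management Shell, whether the certificate enabled for IIS covers the names listed in the answer above. The host names are the thread's own placeholders, and the single-label wildcard handling is an assumption about how the certificate may have been issued.

```powershell
# Added example: run in the Exchange Management Shell on the Client Access server.
# Placeholder names taken from the answer above; substitute your real host names.
$required = @(
    'mail.domain.com',
    'exchangeServer.localdomain.local',
    'autodiscover.domain.com',
    'domain.com'
)

# Certificates enabled for IIS, the service that Autodiscover, ActiveSync
# and RPC over HTTP are published through.
$iisCerts = Get-ExchangeCertificate |
    Where-Object { "$($_.Services)" -match 'IIS' }

foreach ($cert in $iisCerts) {
    # CertificateDomains lists the host names the certificate is valid for.
    $names = @($cert.CertificateDomains | ForEach-Object { "$_".ToLower() })

    $report = foreach ($name in $required) {
        $n = $name.ToLower()
        # Assumption: a wildcard entry such as *.domain.com covers one extra label.
        $parent  = $n.Substring($n.IndexOf('.') + 1)
        $covered = ($names -contains $n) -or ($names -contains "*.$parent")
        New-Object PSObject -Property @{ HostName = $name; Covered = $covered }
    }

    "Thumbprint : $($cert.Thumbprint)"
    "Expires    : $($cert.NotAfter)"
    $report | Format-Table HostName, Covered -AutoSize
}
```

Any row with Covered = False is a name that clients reaching the server under that host name will see as a certificate name mismatch.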
 
Maen Abu-TabanjehNetwork Administrator, Network ConsultantCommented:
Also, the SRV record is missing from domain management. You need to add it in Domain management -> DNS -> new Record -> SRV record with these details:
type : _tcp
name : autodiscover.domain.com
ip address : your remote IP address.
0

 
asibizAuthor Commented:
I have set up and installed a 6-domain cert that covers all of the mentioned domains.

Below are the results from the 3 EMC commands, minus the identifying parts obviously.




from:
C:\Windows\system32>get-autodiscovervirtualdirectory |fl

RunspaceId                    : 278f7a7d-03d9-4888-ab5e-e821a76a18a2
Name                          : Autodiscover (Default Web Site)
InternalAuthenticationMethods : {Basic}
ExternalAuthenticationMethods : {Basic}
LiveIdSpNegoAuthentication    : False
WSSecurityAuthentication      : False
LiveIdBasicAuthentication     : False
BasicAuthentication           : True
DigestAuthentication          : False
WindowsAuthentication         : False
MetabasePath                  : IIS://My-Exchange_server.mymail.local/W3SVC/1/ROOT/Autodiscover
Path                          : C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\Autodiscover
Server                        : My-Exchange_server
InternalUrl                   :
ExternalUrl                   :
AdminDisplayName              :
ExchangeVersion               : 0.10 (14.0.100.0)
DistinguishedName             : CN=Autodiscover (Default Web Site),CN=HTTP,CN=Protocols,CN=My-Exchange_server,CN=Servers,CN=Exc
                                hange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=ASI Business,C
                                N=Microsoft Exchange,CN=Services,CN=Configuration,DC=mymail,DC=local
Identity                      : My-Exchange_server\Autodiscover (Default Web Site)
Guid                          : a9e863c4-200a-464d-817a-cd7837152793
ObjectCategory                : mymail.local/Configuration/Schema/ms-Exch-Auto-Discover-Virtual-Directory
ObjectClass                   : {top, msExchVirtualDirectory, msExchAutoDiscoverVirtualDirectory}
WhenChanged                   : 11/23/2011 4:09:29 PM
WhenCreated                   : 11/23/2011 4:09:16 PM
WhenChangedUTC                : 11/23/2011 10:09:29 PM
WhenCreatedUTC                : 11/23/2011 10:09:16 PM
OrganizationId                :
OriginatingServer             : mydomain.mymail.local
IsValid                       : True

from:
get-clientaccessserver |fl


RunspaceId                           : 278f7a7d-03d9-4888-ab5e-e821a76a18a2
Name                                 : My-Exchange_server
Fqdn                                 : My-Exchange_server.mymail.local
OutlookAnywhereEnabled               : True
AutoDiscoverServiceCN                : My-Exchange_server
AutoDiscoverServiceClassName         : ms-Exchange-AutoDiscover-Service
AutoDiscoverServiceInternalUri       : https://My-Exchange_server.mymail.local/Autodiscover/Autodiscover.xml
AutoDiscoverServiceGuid              : 77378f46-2c66-4aa9-a6a6-3e7a48b19596
AutoDiscoverSiteScope                : {Default-First-Site}
AlternateServiceAccountConfiguration :
IsValid                              : True
ExchangeVersion                      : 0.1 (8.0.535.0)
DistinguishedName                    : CN=My-Exchange_server,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=A
                                       dministrative Groups,CN=ASI Business,CN=Microsoft Exchange,CN=Services,CN=Config
                                       uration,DC=mymail,DC=local
Identity                             : My-Exchange_server
Guid                                 : 4393ee1c-f8c6-4b95-8049-ed7a6c8e2de9
ObjectCategory                       : mymail.local/Configuration/Schema/ms-Exch-Exchange-Server
ObjectClass                          : {top, server, msExchExchangeServer}
WhenChanged                          : 12/26/2011 2:33:27 PM
WhenCreated                          : 11/23/2011 4:04:22 PM
WhenChangedUTC                       : 12/26/2011 8:33:27 PM
WhenCreatedUTC                       : 11/23/2011 10:04:22 PM
OrganizationId                       :
OriginatingServer                    : mydomain.mymail.local

From:get-outlookanywhere |fl


WARNING: Warning: "Rpc (Default Web Site)" was not found. Please ensure that the RPC over HTTP Proxy feature has been
added to server "My-Exchange_server".


RunspaceId                 : 278f7a7d-03d9-4888-ab5e-e821a76a18a2
ServerName                 : My-Exchange_server
SSLOffloading              : False
ExternalHostname           : exchange.mymail.com
ClientAuthenticationMethod : Ntlm
IISAuthenticationMethods   : {Ntlm}
MetabasePath               : IIS://My-Exchange_server.mymail.local/W3SVC/1/ROOT/Rpc
Path                       :
Server                     : My-Exchange_server
AdminDisplayName           :
ExchangeVersion            : 0.10 (14.0.100.0)
Name                       : Rpc (Default Web Site)
DistinguishedName          : CN=Rpc (Default Web Site),CN=HTTP,CN=Protocols,CN=My-Exchange_server,CN=Servers,CN=Exchange Admini
                             strative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=ASI Business,CN=Microsoft Exc
                             hange,CN=Services,CN=Configuration,DC=mymail,DC=local
Identity                   : My-Exchange_server\Rpc (Default Web Site)
Guid                       : 2c826839-1e56-4c5e-8e9d-648ef65d6484
ObjectCategory             : mymail.local/Configuration/Schema/ms-Exch-Rpc-Http-Virtual-Directory
ObjectClass                : {top, msExchVirtualDirectory, msExchRpcHttpVirtualDirectory}
WhenChanged                : 12/25/2011 7:54:39 PM
WhenCreated                : 12/25/2011 7:54:39 PM
WhenChangedUTC             : 12/26/2011 1:54:39 AM
WhenCreatedUTC             : 12/26/2011 1:54:39 AM
OrganizationId             :
OriginatingServer          : mydomain.mymail.local
IsValid                    : True


The RPC over HTTP proxy feature was not installed but now has been installed

Now the results are:

RunspaceId                 : 910415d8-31f4-4ca7-a460-8ff7a5180545
ServerName                 : My-Exchange_server
SSLOffloading              : False
ExternalHostname           : exchange.mymail.com
ClientAuthenticationMethod : Ntlm
IISAuthenticationMethods   : {Ntlm}
MetabasePath               : IIS://My-Exchange_server.mymail.local/W3SVC/1/ROOT/Rpc
Path                       : C:\Windows\System32\RpcProxy
Server                     : My-Exchange_server
AdminDisplayName           :
ExchangeVersion            : 0.10 (14.0.100.0)
Name                       : Rpc (Default Web Site)
DistinguishedName          : CN=Rpc (Default Web Site),CN=HTTP,CN=Protocols,CN=My-Exchange_server,CN=Servers,CN=Exchange Admini
                             strative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=ASI Business,CN=Microsoft Exc
                             hange,CN=Services,CN=Configuration,DC=mymail,DC=local
Identity                   : My-Exchange_server\Rpc (Default Web Site)
Guid                       : 2c826839-1e56-4c5e-8e9d-648ef65d6484
ObjectCategory             : mymail.local/Configuration/Schema/ms-Exch-Rpc-Http-Virtual-Directory
ObjectClass                : {top, msExchVirtualDirectory, msExchRpcHttpVirtualDirectory}
WhenChanged                : 12/25/2011 7:54:39 PM
WhenCreated                : 12/25/2011 7:54:39 PM
WhenChangedUTC             : 12/26/2011 1:54:39 AM
WhenCreatedUTC             : 12/26/2011 1:54:39 AM
OrganizationId             :
OriginatingServer          : mydomain.mymail.local
IsValid                    : True


when you mention the srv record are you saying add this to my local dns or to the dns management for our domain with our hosting company??



Thanks,
Glenn

0
 
Maen Abu-TabanjehNetwork Administrator, Network ConsultantCommented:
Autodiscover was not configured successfully; run the following command:


set-autodiscovervirtualdirectory -identity "Autodiscover (default web site)" -internalURl https://exchangeServerName.localdomain.local/autodiscover/autodiscover.xml -externalURL https://autodiscover.domain.com/autodiscover/autodiscover.xml


Then check in your domain management whether an SRV record exists: go to the domain control panel, then domain management, and add the SRV record as mentioned before. Also, please run the following command and post the results here:

get-exchangecertificate

0
 
Maen Abu-TabanjehNetwork Administrator, Network ConsultantCommented:
also run :

set-outlookanywhere -ServerName "My-Exchange_server" -ClientAuthenticationMethod $basic,$Ntlm
-IISAuthenticationMethods   $basic,$Ntlm
0
 
asibizAuthor Commented:
1st ran with no errors

2nd ran with result:

Thumbprint                                Services   Subject
----------                                --------   -------
08861CA38FAA674109E6531F51B1C896B90F4604  ...WS.     CN=myexchangeserver.mydomain.com, OU=Domain Control Validated, O=exchange...

Third command ran with the following error:
set-outlookanywhere -ServerName asi-exch01 -ClientAuthenticationMethod $basic,$Ntlm
-IISAuthenticationMethods   $basic,$Ntlm

"Cannot process argument transformation on parameter 'ClientAuthenticationMethod'. Cannot convert null to type "Microsof
t.Exchange.Data.Directory.SystemConfiguration.AuthenticationMethod" due to invalid enumeration values. Specify one of t
he following enumeration values and try again. The possible enumeration values are "Basic, Digest, Ntlm, Fba, WindowsIn
tegrated, LiveIdFba, LiveIdBasic, WSSecurity, Certificate, NegoEx, MaxValidValue, Misconfigured".
    + CategoryInfo          : InvalidData: (:) [Set-OutlookAnywhere], ParameterBindin...mationException
    + FullyQualifiedErrorId : ParameterArgumentTransformationError,Set-OutlookAnywhere"

I am not getting this part :"then check on your domain mangement if there is SRV record exist , go to domain control panel then domain management and add SRV record and mention before .. also please run the following command and post the results here :"

Setup the srv record on internal dns or external with domain host ?

Thanks,
Glenn



0
 
Maen Abu-TabanjehNetwork Administrator, Network ConsultantCommented:
ok , for SRV record setup on external domain host.
now run on powershell :

set-exchangecertificate -thumbprint "08861CA38FAA674109E6531F51B1C896B90F4604" -services IIS , POP,SMTP,IMAP

then run exchange test connectivity
0
 
Maen Abu-TabanjehNetwork Administrator, Network ConsultantCommented:
Also check that in IIS -> default website the windows-active-sync-server virtual directory exists.
0
 
asibizAuthor Commented:
I should be clear, all of my non-iphone devices are working with activesync.  All android devices are fine.

and also: error with set -exchangecertificate string..

The term 'set-exchangecertificate' is not recognized as the name of a cmdlet, function, script file, or operable progra
m. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:24
+ set-exchangecertificate <<<<  -thumbprint "08861CA38FAA674109E6531F51B1C896B90F4604" -services IIS , POP,SMTP,IMAP
    + CategoryInfo          : ObjectNotFound: (set-exchangecertificate:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

Thanks,
Glenn

0
 
Maen Abu-TabanjehNetwork Administrator, Network ConsultantCommented:
this command for previous outlookanywhere :

Set-OutlookAnywhere -Identity "Rpc (Default Web Site)" -ClientAuthenticationMethod:NTLM

and for exchange certificate its :
enable-exchangecertificate -thumbprint "08861CA38FAA674109E6531F51B1C896B90F4604" -services IIS , POP,SMTP,IMAP

now add srv record and retest the server with exchange connectivity test and post results

note you need to restart IIS by running command

iisreset
0
 
Maen Abu-TabanjehNetwork Administrator, Network ConsultantCommented:
Again, you need to set basic authentication for Outlook Anywhere. You can do it from EMC -> Client access -> right click on the server -> outlookanywhere, and set the authentication to basic.
In IIS, check that the RPC and Autodiscover virtual directories have no redirect.
0
 
Maen Abu-TabanjehNetwork Administrator, Network ConsultantCommented:
then follow my question here :

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_27466046.html

and try testexchangeconnectivity
0
 
asibizAuthor Commented:
1st command result: The command completed successfully but no settings of 'My Exchange Server\Rpc (Default Web Site)' have been modified.

2nd command result: [PS] C:\Windows\system32>enable-exchangecertificate -thumbprint "08861CA38FAA674109E6531F51B1C896B90F4604" -services IIS
 , POP,SMTP,IMAP  with no errors

In EMC for outlookanywhere : set auth to basic.

RPC and Autodiscover virtual directories have no redirect .
iisreset command executed.

I cannot add an srv record at this time. I do understand the questions that the domain host portal is asking:

Service
Protocol = _tcp
Name
Priority
Weight
Port = _443
Target
TTL = 1 hour

Some of this I know the answer to, other parts I just don't get, and the domain host was no help when I called them for support.




0
 
Maen Abu-TabanjehNetwork Administrator, Network ConsultantCommented:
ok about srv record just focus on
Name =autodiscover.domain.com
Target= your exchange real ip address.
Reboot exchange,wait 15 mins and try testexchangeconnectivity post results here, i will check in the morning its 2:30 am in amman i feel sleepy catch u later and wish to you good luck.

Regards
Maen abu-tabanjeh
0
 
asibizAuthor Commented:
thanks for your help, I will begin working on this more tomorrow, as it is 6:44 CST USA..



0
 
Maen Abu-TabanjehNetwork Administrator, Network ConsultantCommented:
so is there any update?
0
 
asibizAuthor Commented:
Most tasks are working now except: internal applications that use SMTP do not work when SMTP Authentication is enabled, but will send email without the settings.

Any ideas??

Thanks,
Glenn
0
 
Maen Abu-TabanjehNetwork Administrator, Network ConsultantCommented:
what is internal application Glenn, i can not understand
0
 
asibizAuthor Commented:
i am using a third party program called eautomate, it sends notifications internally and externally via smtp.

I can send messages as long as I do not use SMTP authentication, which requires user/pass.

Thanks,
Glenn
0
 
Maen Abu-TabanjehNetwork Administrator, Network ConsultantCommented:
You need to create a new SMTP connector: go to organization Configuration -> hub transport -> right click then new smtp connector -> type name and select custom -> next -> on address space -> click add then on addresses enter * -> next -> on network settings select route mail through this smart host -> add -> add IP address of the application Server (the server that has the application) -> set authentication to None -> next -> new

and restart Exchange services and try to send
0
 
asibizAuthor Commented:
Thanks,

I will be trying this once i finish a web meeting with another third party..


Glenn.
0
 
Maen Abu-TabanjehNetwork Administrator, Network ConsultantCommented:
well glenn , wish to you good luck
0
 
asibizAuthor Commented:
I want a connector that requires authentication; this way nothing within my network can send without authenticating first.

To set it up with NO auth would be a security risk.


Glenn
0
 
Maen Abu-TabanjehNetwork Administrator, Network ConsultantCommented:
It depends on the settings of your 3rd party tool, if there is an option to add more settings to the SMTP settings.
0
 
asibizAuthor Commented:
Just for clarity:

The application (eautomate) sends email via SMTP through the Exchange server.

Current outbound settings in the application's SMTP settings are sending with no authentication through the Exchange server.

When I try to set the application settings to authenticate within the app, email will not send.


Thanks,
Glenn
0
 
Maen Abu-TabanjehNetwork Administrator, Network ConsultantCommented:
ok , go to EMC -> server configuration -> Hub Transport -> double click on Default  ( on receive connector) then tab permission group , tick :
anonymous users.
exchange users.
exchange servers.
legacy exchange servers.

then restart exchange services and try
0
 
Maen Abu-TabanjehNetwork Administrator, Network ConsultantCommented:
yes lock relay and set anonymous users so you will be able to send mail through your application ..
0
 
Maen Abu-TabanjehNetwork Administrator, Network ConsultantCommented:
Done ... so what difference between offering remote assistant or Hire me??
some of cases required to work on it remotely to understand it , and resolve , for me too many problems i have resolved them remotely and posted the solution step-by-step
0
 
asibizAuthor Commented:
the solution was to run an emc shell script to enable anonymous smtp auth from within our ip range only
0
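An added example, not the script the author ran (the thread does not show it): one common way on Exchange 2010 to accept anonymous SMTP only from an internal IP range, followed by an audit of which receive connectors accept anonymous sessions and from where. The connector name and the 10.0.0.0/24 range are constructed placeholders; the server name is the redacted one used in the thread.

```powershell
# Added example: run in the Exchange Management Shell on the Hub Transport server.
$server    = 'My-Exchange_server'   # redacted server name as shown in this thread
$connector = 'Internal App Relay'   # hypothetical connector name
$ranges    = '10.0.0.0/24'          # constructed value: only the hosts that must relay

# 1. Dedicated receive connector. Exchange picks the connector whose
#    RemoteIPRanges most specifically matches the client, so only hosts inside
#    $ranges land here; everyone else still hits the Default connector.
New-ReceiveConnector -Name $connector -Server $server -Usage Custom `
    -Bindings '0.0.0.0:25' -RemoteIPRanges $ranges `
    -PermissionGroups AnonymousUsers

# 2. Only needed if the application must send to external recipients:
#    let anonymous sessions on this one connector submit to any recipient.
Get-ReceiveConnector "$server\$connector" |
    Add-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' `
        -ExtendedRights 'ms-Exch-SMTP-Accept-Any-Recipient'

# 3. Audit: for every receive connector, show whether anonymous sessions are
#    accepted, whether they may relay, and whether the source range is wide open.
Get-ReceiveConnector -Server $server | ForEach-Object {
    $rc = $_
    $relayAces = @($rc | Get-ADPermission | Where-Object {
        "$($_.User)" -like '*ANONYMOUS LOGON' -and
        "$($_.ExtendedRights)" -match 'ms-Exch-SMTP-Accept-Any-Recipient' -and
        -not $_.Deny
    })
    $remote = "$($rc.RemoteIPRanges)"
    New-Object PSObject -Property @{
        Connector      = "$($rc.Identity)"
        RemoteIPRanges = $remote
        Anonymous      = ("$($rc.PermissionGroups)" -match 'AnonymousUsers')
        AnonymousRelay = ($relayAces.Count -gt 0)
        OpenToAnyIP    = ($remote -match '0\.0\.0\.0-255\.255\.255\.255')
    }
} | Format-Table Connector, Anonymous, AnonymousRelay, OpenToAnyIP, RemoteIPRanges -AutoSize
```

A connector that shows AnonymousRelay and OpenToAnyIP both True is an open relay; the scoped connector above should show AnonymousRelay True with only the internal range listed.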
Question has a verified solution.
