Solved

Outlook clients not working with internal Exchange 2013 server

Posted on 2013-01-15
Last Modified: 2016-09-21
Good morning experts,

We're having some trouble connecting Outlook clients to a new Exchange 2013 server. When setting up Outlook for the first time, autodiscover works fine in detecting the server name (fs1.domain.local) and username. But after completing the configuration we get strange errors ranging from:
"Cannot open your default e-mail folder" to "The connection to Microsoft Exchange is unavailable. Outlook must be online or connected to complete".
This is the same when we ignore autodiscover and fill in all of the details by hand. We've tried setting up Outlook to connect to RPC via HTTP and tried all of the included verification methods (NTLM, Basic, Negotiate), all without success.

The Exchange WebApp works fine for all users in the domain. Also, when setting up the Exchange accounts in Apple Mail or the Mail App for iOS everything works fine.

Any help with this problem would be greatly appreciated.
Thanks in advance,
Kris
Question by:Vergezogt_
25 Comments
 
LVL 6

Expert Comment

by:CaptainGiblets
ID: 38777705
What version of Exchange did the mailboxes reside on before 2013?

Have you made sure that all communication between Outlook and Exchange is encrypted (under the security tab of more options)? And have you tested with "always prompt for credentials" ticked?
0
 

Author Comment

by:Vergezogt_
ID: 38777708
None, this is a new domain and Exchange installation.
0
 
LVL 6

Expert Comment

by:CaptainGiblets
ID: 38777715
Have you checked the secure communication tick box in Outlook I mentioned above? If I remember, it's not automatically ticked in some versions of Outlook (pre-2007, I think), but you didn't mention a version. All Exchange servers post-2007 need this by default.
0
 

Author Comment

by:Vergezogt_
ID: 38777728
I'm sorry, I forgot to mention the clients are all Outlook 2007 (latest service packs and updates). We've tried enabling and disabling security settings. All without any success.
0
 
LVL 6

Expert Comment

by:CaptainGiblets
ID: 38777737
Do all clients have a default gateway on the same subnet as the Exchange server?
0
 

Author Comment

by:Vergezogt_
ID: 38777743
Yes, all clients look to the Exchange Server as DNS and DHCP server and all have the router's IP-address as gateway.
0
 
LVL 6

Accepted Solution

by:
CaptainGiblets earned 500 total points
ID: 38777756
Have you followed step 4 in this guide?

http://technet.microsoft.com/library/jj218640(EXCHG.150)

Exchange 2013 no longer uses RPC over TCP to connect clients; it uses HTTPS now, so you need a trusted certificate to be able to set up Outlook clients.
0
 

Author Comment

by:Vergezogt_
ID: 38777774
We had seen the certificate requirements and currently only have self-signed certificates installed. But I find it hard to believe that Outlook cannot connect to an internal Exchange server without a trusted third-party certificate.
Has anyone else had any experience with this?
0
 
LVL 6

Assisted Solution

by:CaptainGiblets
CaptainGiblets earned 500 total points
ID: 38777793
It doesn't have to be a 3rd-party certificate; however, as it is a self-signed one, you may need to manually add the certificate to the trusted list on your clients.

Open the Exchange Administration Center in your web browser and navigate to Servers -> Certificates. Can you post a screenshot of your certificates?
0
 

Author Comment

by:Vergezogt_
ID: 38778113
Here's the screenshot you asked for.
[Screenshot: Exchange 2013 certificates]
I've tried creating some self-signed certificates since the screenshot but can't seem to get it to work any better than beforehand.
0
 
LVL 6

Expert Comment

by:CaptainGiblets
ID: 38778139
And you have set up the Outlook Anywhere URLs to match the addresses used in the SAN or wildcard certificate?
0
 

Author Comment

by:Vergezogt_
ID: 38778306
Yes,
external url: mail.domain.com
internal url: servername.domain.local

The Outlook clients are set up to use the internal url: servername.domain.local (which is also what they receive from autodiscover)
0

 
LVL 3

Expert Comment

by:YorkshireLeo
ID: 38778938
Just an idea, but I wonder if the problem is not Exchange/Outlook specific, but if there is a basic communication problem between the Windows machines and the server. Can you ping the servers from the client and clients from the server (by IP address AND name) and receive the expected replies? Have you tried stopping the firewall service on the clients?
0
 

Author Comment

by:Vergezogt_
ID: 38781832
Thanks for the reply.
Communication seems to be fine between the machines. Tried leaving and rejoining the domain, which all seems to work fine. Also, pinging the server from the client returns the correct IPv4 address. This is the same pinging from the server to the clients.
0
 
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 38783074
The self signed certificates generated by Exchange are not supported for use with Outlook Anywhere or ActiveSync. As Exchange 2013 ONLY uses Outlook Anywhere for connectivity then you are in an unsupported configuration. Outlook will fail to connect if there are issues with the SSL certificate.

Considering that Exchange 2013 is so heavily web based, spend the money and get the required SSL certificate. $60/year it will cost you.

Simon.
0
 

Author Comment

by:Vergezogt_
ID: 38783217
Thanks for the tip. We're going to purchase a certificate for public access to the OWA and ECP soon.

In other news: We managed to fix the problems. The trick is NOT to create a self-signed certificate from within the ECP. These are the steps we took to get the whole thing to work:

- Log in to the ECP and navigate to Servers > Certificates
- Click on + and choose "Create a request for a certificate from a certification authority"
- Choose a friendly name for the certificate, I used "internal"
- Make sure the wildcard checkbox is enabled and fill in the root domain. I chose "servername.domain.local" (which is the same domain name as is specified in the Outlook Anywhere settings for internal use).
- Choose the server where you would like to store the certificate request
- Fill in all of the information required for the certificate
- Choose the location where you want to save the certificate
- The new certificate will now be visible in the ECP and should have the status "Pending"
- Open up the Certification Authority app
- Select the server and go to Actions > All tasks > Submit new request
- Navigate to and import the new .req file
- Click on 'Pending requests' in the menu on the left
- Select the pending certificate request and go to Actions > All tasks > Issue
- Go to 'Issued requests' and select the new certificate
- Click on Actions > All tasks > Export Binary Data
(here's the point when I started to wonder why all of these functions don't just have a few dedicated buttons)
- Choose "Binary Certificate" and select the option "save binary data to a file"
- Give the certificate a unique name and add the .cer extension
- Navigate back to the certificate section of the ECP
- Select the pending certificate request and click on "complete"
- Enter the location of the .cer file and click on complete
- Open the completed certificate and assign at least the following services: IIS, SMTP

After completing these steps all of the Outlook clients worked straight away.

Don't forget to make sure the Certificate Authority is a trusted CA within your domain by adding the root certificate to the default domain policy (or a policy of choice).
0
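
A client-side check for the two certificate conditions this thread turns on (the name must match the Outlook Anywhere host, and the issuing CA must be trusted by the client), added here as an example and not part of the original post. `Test-ExchangeCertificate` is a hypothetical helper name and `servername.domain.local` is the placeholder host from the thread; the check needs network access to the server on port 443.

```powershell
# Added example: report how a Windows client judges the certificate served on 443.
function Test-ExchangeCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,
        [int]$Port = 443
    )
    $result = @{ Errors = $null; Cert = $null; Chain = @() }

    # Record the OS validation verdict, then let the handshake finish so the
    # certificate can be inspected even when it is not trusted.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]({
        param($s, $certificate, $chain, $policyErrors)
        $result.Errors = $policyErrors
        $result.Cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certificate
        $result.Chain  = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })
        return $true
    }.GetNewClosure())

    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $Port)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        # The name passed here is the one the certificate is matched against.
        $ssl.AuthenticateAsClient($HostName)
    } finally {
        if ($ssl) { $ssl.Close() }
        $tcp.Close()
    }
    if (-not $result.Cert) { throw "No certificate received from ${HostName}:$Port" }

    $cert   = $result.Cert
    $errors = [System.Net.Security.SslPolicyErrors]$result.Errors
    $san    = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }  # subjectAltName
    New-Object PSObject -Property @{
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        SelfSigned   = ($cert.Subject -eq $cert.Issuer)
        NotAfter     = $cert.NotAfter
        AltNames     = if ($san) { $san.Format($false) } else { '(none)' }
        NameMismatch = [bool]($errors -band [System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch)
        ChainErrors  = [bool]($errors -band [System.Net.Security.SslPolicyErrors]::RemoteCertificateChainErrors)
        ChainStatus  = ($result.Chain -join ', ')   # e.g. UntrustedRoot when the CA root is not deployed
    }
}

# Placeholder host name from the thread; use your Outlook Anywhere internal host.
Test-ExchangeCertificate -HostName 'servername.domain.local' | Format-List
```

`NameMismatch` and `ChainErrors` should both be `False` on a domain client once the CA-issued certificate is assigned to IIS and the root certificate has been distributed by policy.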
 
LVL 3

Expert Comment

by:YorkshireLeo
ID: 38783244
Glad to hear that you solved your problem. Thanks for letting us know how you did it!
0
 

Expert Comment

by:ADSBIT
ID: 39135683
I am having this same issue where Outlook clients cannot access email from outside, but Mac, iOS, and Android can.  I renewed my certificate recently and I wonder if this has something to do with it?  I am using Exchange 2010 SP1 and clients are Outlook 2007 and 2010.  My certificate seems valid.  How can I get to the "ECP" to check certificate settings there?
0
 

Expert Comment

by:ADSBIT
ID: 39135707
When I go to ECP, I don't see the server heading.  I only get the following as seen in the snippet.
[Screenshot: Exchange-ECP.JPG]
0
 

Expert Comment

by:xleon77
ID: 41432616
I did all that Vergezogt_ did;
it does not work yet :(
0
 

Expert Comment

by:Anthony Raja
ID: 41808162
Hi,

I am facing an issue connecting Outlook with Exchange: from the domain network there is no issue, but from the public network it is unable to connect with Exchange.

Your cooperation is highly appreciated.
0
 

Author Comment

by:Vergezogt_
ID: 41808168
Have you set up your Outlook Anywhere settings properly?
Is port 443 forwarded from the router to your Exchange server?
0
 

Expert Comment

by:Anthony Raja
ID: 41808176
Yes,
we have some phone devices is working only MAC
0
 

Author Comment

by:Vergezogt_
ID: 41808182
I believe Mac and iOS use IMAP instead of MAPI to connect to Exchange. Is it possible to connect through IMAP by manually adding the connection in an Outlook client?
Try looking through the Exchange connectivity event logs in the Event Viewer to check for possible connection issues. Also, check the 'Application' event logs on the client computers to see if there are any connectivity issues being reported by Outlook.
0
 
LVL 3

Expert Comment

by:YorkshireLeo
ID: 41808455
To clarify, please: are you saying that the Macs WILL connect to Exchange within the domain, but will not connect when outside of the domain?
0
