Solved

Exchange 2010 Hybrid Deployment with Office 365 - Outlook Authentication

Posted on 2013-11-06
Last Modified: 2013-11-06
We have a hybrid deployment with ADFS and DirSync working as it should.

Internally everything works to go to the portal and use Outlook.

Problem is, when I migrate a user to the cloud, Outlook (2010 Professional Plus SP2) will not connect to the Office 365 box.  It keeps saying the username or password is incorrect.

If I go to the portal, the authentication works perfectly internally.  So I am wondering where I may be going wrong here.  Why won't Outlook connect to the mailbox with the credentials supplied?

I have run the desktop setup also from the portal and that doesn't help anything.

Microsoft Sign-on assistant is installed on the computer.
Question by: considerscs

12 Comments

Expert Comment by Vasil Michev (MVP), LVL 38
Most likely an autodiscover issue. Run the Autodiscover test from https://aka.ms/rca and compare it with the local test from Outlook (to run it hold the CTRL key while right-clicking on Outlook's icon in the tray, select Test E-Mail Autoconnectivity). If needed, modify the registry settings, as explained here:

http://support.microsoft.com/kb/2212902

You should also make sure you have all the latest Outlook updates on the machine:

http://community.office365.com/en-us/wikis/manage/562.aspx

App Data folder redirection can also cause problems with this on 2010 client, but 2013 should be fine.

Author Comment by considerscs, LVL 1
Outlook is still pointing to the on-premise exchange server after migration.  It will not update itself to the new location.

I have all the latest updates as stated in my previous post.

I have tried all these registry keys before and it does not work.

I have googled everything under the sun and nothing helps at all.  I cannot seem to really find where this is going wrong at.

For my autodiscover record, since it is a hybrid deployment, my understanding is that my external record still points to the on-premise exchange server and it will do the pointing to the cloud.  Is that correct?

Expert Comment by Vasil Michev (MVP), LVL 38
What is the targetaddress of the mailbox? Should be user@domain.mail.onmicrosoft.com, the so-called routing domain.

Author Comment by considerscs, LVL 1
Yes, that is the target address for the user, but even when putting that into the username field it will not authenticate.

Authenticates fine with user@domain.com in the web portal.  Just not on Outlook 2010.

I cannot find my server address in Office365 to try and manually plug in the settings to see if it will work then.

Author Comment by considerscs, LVL 1
This is where Autodiscover gets to in the Outlook Test AutoConfiguration wizard: it starts prompting for a username and password, and at that point it will not go any further.

"Autodiscover to https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml starting"

At that point it states https status = 401

Expert Comment by Vasil Michev (MVP), LVL 38
You authenticate with the UPN, not the targetaddress.

Get the full transcript from https://aka.ms/rca, kinda hard to guess like this.

Test on a non-domain joined machine if possible, also with Outlook 2013. Also delete any stored credentials in the credentials manager.

If anything else fails, you can change the UPN of the user to be domain.onmicrosoft.com, but that's a last resort.

Author Comment by considerscs, LVL 1
I have tested externally from a non-domain joined PC and it doesn't work either.  Will not connect no matter what UPN I use.

The https://aka.ms/rca doesn't work.

I ran autodiscovery test with Microsoft analyzer.

This test was run with autodiscover.domain.com pointing to autodiscover.outlook.com

This is the main error I get.

    Attempting to send an Autodiscover POST request to potential Autodiscover URLs.
      Autodiscover settings weren't obtained when the Autodiscover POST request was sent.

      Additional Details
      Elapsed Time: 554 ms.

      Test Steps
      The Microsoft Connectivity Analyzer is attempting to retrieve an XML Autodiscover response from URL https://autodiscover-s.outlook.com/Autodiscover/Autodiscover.xml for user office365@domain.com.
        The Microsoft Connectivity Analyzer failed to obtain an Autodiscover XML response.

        Additional Details
        An HTTP 401 Unauthorized response was received from the remote Unknown server. This is usually the result of an incorrect username or password. If you are attempting to log onto an Office 365 service, ensure you are using your full User Principal Name (UPN).
        Headers received:
        RequestId: 944d66f9-d08c-487b-b054-66066b1c0b5b
        X-DiagInfo: BY2PRD0611CA003
        Content-Length: 58
        Content-Type: text/html
        Date: Wed, 06 Nov 2013 17:22:59 GMT
        Server: Microsoft-IIS/7.5
        WWW-Authenticate: Basic Realm=""
        X-Powered-By: ASP.NET
        Elapsed Time: 554 ms.

Expert Comment by Vasil Michev (MVP), LVL 38
Oh sorry, always forget it's without the s, http://aka.ms/rca :)

Do the test again, from the Office 365 tab and using the user@domain.onmicrosoft.com credentials. Just to make sure the actual mailbox is fine.

From the above output it seems that it is redirecting you correctly, although the actual redirect is not shown. Let's assume everything is okay there, which means that Autodiscover is actually OK.

So the next suspect is AD FS. Anything fancy you have done with the AD FS, like restricting IPs? Do you have the endpoint added to local sites in IE security settings? See this article for more details:

http://support.microsoft.com/kb/2466333

Author Comment by considerscs, LVL 1
Yes I do have the ADFS sites in local sites in IE.

I only have one static outside IP address for where both the ADFS and on-premise Exchange are located.  Port 443 goes to the on-premise Exchange box.  How can I get around this so ADFS will work?  I would prefer not to use a proxy if possible.

Here are the results from user@domain.onmicrosoft.com - same result

    Test Steps
      The Microsoft Connectivity Analyzer is attempting to retrieve an XML Autodiscover response from URL https://autodiscover-s.outlook.com/Autodiscover/Autodiscover.xml for user user@domain.onmicrosoft.com.
        The Microsoft Connectivity Analyzer failed to obtain an Autodiscover XML response.

        Additional Details
        An HTTP 401 Unauthorized response was received from the remote Unknown server. This is usually the result of an incorrect username or password. If you are attempting to log onto an Office 365 service, ensure you are using your full User Principal Name (UPN).
        Headers received:
        RequestId: 2592ec73-7961-47fa-8f99-8946870acda0
        X-DiagInfo: BY2PRD0712CA004
        Content-Length: 0
        Cache-Control: private
        Date: Wed, 06 Nov 2013 17:46:08 GMT
        Server: Microsoft-IIS/7.5
        WWW-Authenticate: Basic Realm=""
        X-AspNet-Version: 2.0.50727
        X-Powered-By: ASP.NET
        Elapsed Time: 865 ms.

Expert Comment by Vasil Michev (MVP), LVL 38
They are both listening on 443, how do you publish it? Let me put it this way: are users able to login to the AD FS from outside of the corporate network? Because this is exactly what is happening here, Exchange Online 'proxies' the credential request from Outlook to the AD FS server.

Run the SSO test from the RCA. Also, what about the certificate?

You can also retest Autodiscover with a non-federated user, to make sure we are matching the symptoms in that article.
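The mechanism described in this comment (Exchange Online answers Autodiscover itself but hands the password check for a federated user to AD FS) can be worked through offline with a small script. What follows is an added example, not code from this thread, from Experts Exchange or from Microsoft: it builds the POX Autodiscover body that Outlook POSTs, parses the two kinds of reply a hybrid client sees (a redirectAddr from the on-premises server, or settings from the cloud), and maps a 401 carrying a Basic challenge for a federated user to the AD FS publishing check. The two sample replies, the header set (copied in shape from the analyzer output above) and every server name in them are constructed placeholders, not values from the asker's environment.

```python
"""Added example: Autodiscover request builder and reply interpreter for a
hybrid Exchange Online tenant. Sample replies and server names are constructed."""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Namespaces Outlook uses for the POX (plain XML) Autodiscover exchange.
REQUEST_NS = "http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006"
RESPONSE_NS = "http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a"
AUTODISCOVER_NS = "http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006"


def build_autodiscover_request(email: str) -> str:
    """Body that Outlook POSTs to https://<host>/Autodiscover/Autodiscover.xml."""
    return (
        f'<Autodiscover xmlns="{REQUEST_NS}"><Request>'
        f"<EMailAddress>{escape(email)}</EMailAddress>"
        f"<AcceptableResponseSchema>{RESPONSE_NS}</AcceptableResponseSchema>"
        "</Request></Autodiscover>"
    )


def parse_autodiscover_response(xml_text: str) -> dict:
    """Extract what Outlook acts on: a redirect to another address (the hybrid
    on-premises answer for a moved mailbox) or the per-protocol server names."""
    ns = {"r": RESPONSE_NS}  # Response and everything under it live in RESPONSE_NS
    root = ET.fromstring(xml_text.strip())
    account = root.find("r:Response/r:Account", ns)
    if account is None:
        return {"action": "error"}  # an <Error> block instead of an <Account>
    action = account.findtext("r:Action", default="", namespaces=ns)
    if action == "redirectAddr":
        # "Ask again using this address" -> the routing-domain targetAddress
        return {"action": action,
                "redirect_addr": account.findtext("r:RedirectAddr", default="", namespaces=ns)}
    protocols = {}
    for proto in account.findall("r:Protocol", ns):
        ptype = proto.findtext("r:Type", default="", namespaces=ns)
        protocols[ptype] = proto.findtext("r:Server", default="", namespaces=ns)
    return {"action": action, "protocols": protocols}


def classify_response(status: int, headers: dict, body: str, federated: bool) -> str:
    """Turn status + headers into the next thing an admin should check."""
    h = {k.lower(): v for k, v in headers.items()}
    if status in (301, 302, 307) and "location" in h:
        return f"redirect: repeat the POST against {h['location']}"
    if status == 401:
        challenge = h.get("www-authenticate", "").lower()
        if federated and challenge.startswith("basic"):
            # Managed accounts pass but federated ones fail: the cloud could not
            # reach AD FS to validate the password, so check AD FS publishing on 443.
            return ("auth-failed-federated: Exchange Online could not validate the password "
                    "through AD FS; confirm the AD FS endpoint answers on 443 from the internet")
        return "auth-failed: check the UPN and password for a managed (non-federated) account"
    if status == 200:
        parsed = parse_autodiscover_response(body)
        if parsed["action"] == "redirectAddr":
            return f"redirect-addr: repeat Autodiscover for {parsed['redirect_addr']}"
        if parsed["action"] == "settings":
            return "settings: " + ", ".join(f"{t}={s}" for t, s in sorted(parsed["protocols"].items()))
        return "error: Autodiscover returned an <Error> block"
    return f"unexpected: HTTP {status}"


# Constructed header set, same shape as the 401 in the analyzer output above.
PAGE_401_HEADERS = {
    "Content-Type": "text/html",
    "Server": "Microsoft-IIS/7.5",
    "WWW-Authenticate": 'Basic Realm=""',
    "X-Powered-By": "ASP.NET",
}

# Constructed: what an on-premises hybrid server answers for a mailbox already moved.
HYBRID_REDIRECT_SAMPLE = f"""
<Autodiscover xmlns="{AUTODISCOVER_NS}">
  <Response xmlns="{RESPONSE_NS}">
    <Account>
      <AccountType>email</AccountType>
      <Action>redirectAddr</Action>
      <RedirectAddr>user@domain.mail.onmicrosoft.com</RedirectAddr>
    </Account>
  </Response>
</Autodiscover>
"""

# Constructed: a successful cloud answer (server names are placeholders).
CLOUD_SETTINGS_SAMPLE = f"""
<Autodiscover xmlns="{AUTODISCOVER_NS}">
  <Response xmlns="{RESPONSE_NS}">
    <Account>
      <AccountType>email</AccountType>
      <Action>settings</Action>
      <Protocol><Type>EXCH</Type><Server>EXAMPLE-GUID@domain.mail.onmicrosoft.com</Server></Protocol>
      <Protocol><Type>EXPR</Type><Server>outlook.office365.com</Server></Protocol>
    </Account>
  </Response>
</Autodiscover>
"""

if __name__ == "__main__":
    print(build_autodiscover_request("user@domain.com"))
    print(classify_response(401, PAGE_401_HEADERS, "", federated=True))
    print(classify_response(200, {}, HYBRID_REDIRECT_SAMPLE, federated=True))
    print(classify_response(200, {}, CLOUD_SETTINGS_SAMPLE, federated=True))
```

The `federated` flag is what makes the 401 readable: the same Basic challenge from autodiscover-s.outlook.com means "bad password" for a managed account but "AD FS unreachable" when a managed test account succeeds and only federated users fail, which is exactly the split the non-federated test in this thread produced.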

Author Comment by considerscs, LVL 1
They are not able to log in from the outside, no.  Inside, going to the portal, ADFS works as expected.

How can I get around both servers listening on 443?  I have a static firewall rule to forward 443 to the exchange on-premise so that outside devices can work.

Non-federated user tests out fine on autodiscover.

The SSO fails as I do not have ADFS published to the world due to the lack of knowing what to do on port 443 between ADFS and Exchange.

Accepted Solution by Vasil Michev (MVP), LVL 38 (earned 500 total points)
OK so that explains the issue then.

How is your AD FS set up? Single instance, farm? What is the namespace there? Do you have a valid CA certificate for it?

AD FS is really easy to set up in VMs as a farm, so I suggest you take that road. With at least one (two preferably) proxies to handle the external requests (or alternatively, some kind of reverse proxy).

If the certificate is the problem, you can always get one for free from Comodo or startssl.com. For publishing AD FS over the firewall, you can find some guides on the web, I know for sure there are a few for doing this on TMG. AD FS proxy is not really a requirement, but you will need to configure your firewall instead if you do not want to spin up new machines as AD FS proxies.

Might be a good idea to start a new question for this, to clean up all the irrelevant information above. Just describe your environment in detail so other experts can help you, I'm not much of a firewall guy.