considerscs (United States of America) asked:
Exchange 2010 Hybrid Deployment with Office 365 - Outlook Authentication

We have a hybrid deployment with ADFS and DirSync working as it should.

Internally everything works to go to the portal and use Outlook.

Problem is, when I migrate a user to the cloud, Outlook (2010 Professional Plus SP2) will not connect to the Office 365 box.  It keeps saying the username or password is incorrect.

If I go to the portal, the authentication works perfectly internally.  So I am wondering where I may be going wrong here.  Why won't outlook connect to the mailbox with the credentials supplied?

I have run the desktop setup also from the portal and that doesn't help anything.

Microsoft Sign-on assistant is installed on the computer.
Vasil Michev (MVP), Bulgaria:

Most likely an autodiscover issue. Run the Autodiscover test from https://aka.ms/rca and compare it with the local test from Outlook (to run it, hold the CTRL key while right-clicking on Outlook's icon in the tray and select Test E-Mail Autoconnectivity). If needed, modify the registry settings, as explained here:

http://support.microsoft.com/kb/2212902

You should also make sure you have all the latest Outlook updates on the machine:

http://community.office365.com/en-us/wikis/manage/562.aspx

App Data folder redirection can also cause problems with this on 2010 client, but 2013 should be fine.
considerscs (ASKER):

Outlook is still pointing to the on-premise exchange server after migration.  It will not update itself to the new location.

I have all the latest updates as stated in my previous post.

I have tried all these registry keys before and it does not work.

I have googled everything under the sun and nothing helps at all.  I cannot seem to find where this is going wrong.

For my autodiscover record, since it is a hybrid deployment, my understanding is that my external record still points to the on-premise exchange server and it will do the pointing to the cloud.  Is that correct?
Vasil Michev (MVP):

What is the targetaddress of the mailbox? Should be user@domain.mail.onmicrosoft.com, the so-called routing domain.
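As an added illustration, not part of the thread and not Microsoft's code: a PowerShell check of the attributes this question is about, run on the on-premises side for one migrated hybrid user. It verifies that targetAddress points into the routing domain, that the same routing address is present as a secondary proxy address, and that the UPN suffix Outlook signs in with is a domain registered in the tenant (and whether that domain is federated). It assumes the ActiveDirectory module, the Exchange 2010 Management Shell (for Get-RemoteMailbox) and the MSOnline module (after Connect-MsolService) are available; 'jdoe' and the domain names are placeholders.

```powershell
# Added example, not from the thread. Checks the identity attributes a migrated hybrid user
# needs for Autodiscover redirection and Outlook sign-in to Exchange Online.
# Assumes: ActiveDirectory module, Exchange Management Shell, MSOnline module (Connect-MsolService done).
param(
    [string]$SamAccountName = 'jdoe',                        # placeholder
    [string]$RoutingDomain  = 'domain.mail.onmicrosoft.com'  # routing domain named in the thread
)

Import-Module ActiveDirectory

$u = Get-ADUser -Identity $SamAccountName -Properties userPrincipalName, targetAddress, proxyAddresses
$findings = @()

# 1. targetAddress: after the mailbox move, on-prem Exchange answers Autodiscover with a redirect
#    to this address, so it must be an address in the tenant's routing domain.
if (-not $u.targetAddress) {
    $findings += "targetAddress is empty: on-prem Autodiscover cannot redirect this user to Exchange Online"
} elseif ($u.targetAddress -notmatch "^SMTP:[^@]+@$([regex]::Escape($RoutingDomain))$") {
    $findings += "targetAddress '$($u.targetAddress)' is not in the routing domain $RoutingDomain"
}

# 2. The routing address must also exist as a secondary smtp proxy address on the object.
$routing  = $u.targetAddress -replace '^SMTP:', ''
$hasProxy = $u.proxyAddresses | Where-Object { $_ -ieq "smtp:$routing" }
if ($routing -and -not $hasProxy) {
    $findings += "proxyAddresses does not contain smtp:$routing"
}

# 3. Outlook authenticates with the UPN, not with the targetAddress. The UPN suffix must be a
#    domain registered in the tenant; if it is federated, Exchange Online hands the sign-in to AD FS.
if ($u.userPrincipalName) {
    $upnSuffix = $u.userPrincipalName.Split('@')[1]
    try {
        $dom = Get-MsolDomain -DomainName $upnSuffix -ErrorAction Stop
        Write-Host ("UPN suffix {0}: {1}, authentication {2}" -f $upnSuffix, $dom.Status, $dom.Authentication)
    } catch {
        $findings += "UPN suffix $upnSuffix is not a domain in the tenant; Outlook sign-in with this UPN will fail"
    }
} else {
    $findings += "userPrincipalName is empty"
}

# 4. Cross-check with the Exchange view of the remote mailbox (only available in the Exchange Management Shell).
if (Get-Command Get-RemoteMailbox -ErrorAction SilentlyContinue) {
    Get-RemoteMailbox -Identity $SamAccountName |
        Select-Object PrimarySmtpAddress, RemoteRoutingAddress, UserPrincipalName | Format-List
}

Write-Host "Credential to use in Outlook: $($u.userPrincipalName)"
if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Host 'Identity attributes look consistent for a hybrid-migrated user.' }
```

Run it from a machine that has both the AD and MSOnline modules; the Get-RemoteMailbox section is skipped silently outside the Exchange Management Shell. The point of step 3 is the one made in the thread: the routing address is where mail is delivered, not what the user types as a username.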
considerscs (ASKER):

Yes, that is the target address for the user, but even when putting that into the username field it will not authenticate.

Authenticates fine with user@domain.com in the web portal.  Just not on Outlook 2010.

I cannot find my server address in Office365 to try and manually plug in the settings to see if it will work then.
considerscs (ASKER):

This is where Autodiscover gets to, using the Outlook test autoconfiguration wizard, when it starts prompting for a username and password; at that point it will not go any further.

"Autodiscover to https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml starting"

At that point it states HTTP status = 401
Vasil Michev (MVP):

You authenticate with the UPN, not the targetaddress.

Get the full transcript from https://aka.ms/rca, kinda hard to guess like this.

Test on a non-domain joined machine if possible, also with Outlook 2013. Also delete any stored credentials in the credentials manager.

If anything else fails, you can change the UPN of the user to be domain.onmicrosoft.com, but that's a last resort.
considerscs (ASKER):

I have tested externally from a non-domain joined PC and it doesn't work either.  Will not connect no matter what UPN I use.

The https://aka.ms/rca doesn't work.

I ran autodiscovery test with Microsoft analyzer.

This test was run with autodiscover.domain.com pointing to autodiscover.outlook.com

This is the main error I get.

Attempting to send an Autodiscover POST request to potential Autodiscover URLs.
Autodiscover settings weren't obtained when the Autodiscover POST request was sent.

Additional Details
Elapsed Time: 554 ms.

Test Steps
The Microsoft Connectivity Analyzer is attempting to retrieve an XML Autodiscover response from URL https://autodiscover-s.outlook.com/Autodiscover/Autodiscover.xml for user office365@domain.com.
The Microsoft Connectivity Analyzer failed to obtain an Autodiscover XML response.

Additional Details
An HTTP 401 Unauthorized response was received from the remote Unknown server. This is usually the result of an incorrect username or password. If you are attempting to log onto an Office 365 service, ensure you are using your full User Principal Name (UPN).
Headers received:
RequestId: 944d66f9-d08c-487b-b054-66066b1c0b5b
X-DiagInfo: BY2PRD0611CA003
Content-Length: 58
Content-Type: text/html
Date: Wed, 06 Nov 2013 17:22:59 GMT
Server: Microsoft-IIS/7.5
WWW-Authenticate: Basic Realm=""
X-Powered-By: ASP.NET
Elapsed Time: 554 ms.
Vasil Michev (MVP):

Oh sorry, always forget it's without the s, http://aka.ms/rca :)

Do the test again, from the Office 365 tab and using the user@domain.onmicrosoft.com credentials. Just to make sure the actual mailbox is fine.

From the above output it seems that it is redirecting you correctly, although the actual redirect is not shown. Let's assume everything is okay there, which means that Autodiscover is actually OK.

So the next suspect is AD FS. Anything fancy you have done with the AD FS, like restricting IPs? Do you have the endpoint added to local sites in IE security settings? See this article for more details:

http://support.microsoft.com/kb/2466333
considerscs (ASKER):

Yes, I do have the ADFS sites in local sites in IE.

I only have one static outside IP address for where both the ADFS and on-premise Exchange are located.  Port 443 goes to the on-premise Exchange box.  How can I get around this so ADFS will work?  I would prefer not to use a proxy if possible.

Here are the results from user@domain.onmicrosoft.com - same result:

Test Steps
The Microsoft Connectivity Analyzer is attempting to retrieve an XML Autodiscover response from URL https://autodiscover-s.outlook.com/Autodiscover/Autodiscover.xml for user user@domain.onmicrosoft.com.
The Microsoft Connectivity Analyzer failed to obtain an Autodiscover XML response.

Additional Details
An HTTP 401 Unauthorized response was received from the remote Unknown server. This is usually the result of an incorrect username or password. If you are attempting to log onto an Office 365 service, ensure you are using your full User Principal Name (UPN).
Headers received:
RequestId: 2592ec73-7961-47fa-8f99-8946870acda0
X-DiagInfo: BY2PRD0712CA004
Content-Length: 0
Cache-Control: private
Date: Wed, 06 Nov 2013 17:46:08 GMT
Server: Microsoft-IIS/7.5
WWW-Authenticate: Basic Realm=""
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Elapsed Time: 865 ms.
Vasil Michev (MVP):

They are both listening on 443, how do you publish it? Let me put it this way: are users able to log in to the AD FS from outside of the corporate network? Because this is exactly what is happening here, Exchange Online 'proxies' the credential request from Outlook to the AD FS server.

Run the SSO test from the RCA. Also, what about the certificate?

You can also retest autodiscover with a non-federated user, to make sure we are matching the symptoms in that article.
considerscs (ASKER):

No, they are not able to log in from the outside.  Inside, going to the portal, ADFS works as expected.

How can I get around both servers listening on 443?  I have a static firewall rule to forward 443 to the exchange on-premise so that outside devices can work.

Non-federated user tests out fine on autodiscover.

The SSO fails as I do not have ADFS published to the world due to the lack of knowing what to do on port 443 between ADFS and Exchange.
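As an added illustration of the point reached here, not part of the thread and not Microsoft's code: a PowerShell script to run from outside the corporate network that shows, for each public hostname Outlook or Exchange Online must reach on TCP 443, which IP answers, which certificate that service presents, and whether the expected endpoint responds. With one public IP and a single port-forward to Exchange, the AD FS hostname resolves to the Exchange server and the certificate handed back carries only Exchange names; that is the condition the script flags. The hostnames (autodiscover.domain.com, sts.domain.com) are placeholders, and the federation metadata path is the standard AD FS one; the script uses only the .NET classes in the framework.

```powershell
# Added example, not from the thread. Run from OUTSIDE the corporate network.
# For each hostname: resolve it, open TLS with SNI, report the presented certificate,
# then request the expected endpoint and compare the HTTP status. Hostnames are placeholders.
$Targets = @(
    @{ Host = 'autodiscover.domain.com'; Path = '/Autodiscover/Autodiscover.xml';                    Expect = 401 },
    @{ Host = 'sts.domain.com';          Path = '/FederationMetadata/2007-06/FederationMetadata.xml'; Expect = 200 }
)

function Get-TlsCertificateInfo {
    param([string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $Port)
        # Accept whatever certificate is presented: the goal is to inspect it, not to trust it.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)    # SNI = $HostName
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | ForEach-Object { $_.Format($false) }
        # The certificate must name this host, either exactly or via a wildcard for its parent domain.
        $parent = $HostName.Substring($HostName.IndexOf('.') + 1)
        $names  = "$($cert.Subject) $san"
        [pscustomobject]@{
            HostName   = $HostName
            ResolvedIP = ([System.Net.Dns]::GetHostAddresses($HostName) | Select-Object -First 1).IPAddressToString
            Subject    = $cert.Subject
            SAN        = $san
            NotAfter   = $cert.NotAfter
            NameMatch  = ($names -match [regex]::Escape($HostName)) -or ($names -match [regex]::Escape("*.$parent"))
        }
    } finally { $tcp.Close() }
}

function Get-HttpStatus {
    param([string]$Url)
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.Method = 'GET'; $req.AllowAutoRedirect = $false; $req.Timeout = 15000
    try { $resp = $req.GetResponse(); [int]$resp.StatusCode }
    catch [System.Net.WebException] {
        # A 401 (Autodiscover without credentials) arrives as an exception that carries the response.
        if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { -1 }
    }
}

foreach ($t in $Targets) {
    $info = Get-TlsCertificateInfo -HostName $t.Host
    $info | Format-List
    if (-not $info.NameMatch) {
        Write-Warning "$($t.Host): presented certificate does not name this host; another service is answering on 443"
    }
    $status = Get-HttpStatus -Url "https://$($t.Host)$($t.Path)"
    if ($status -eq $t.Expect) { Write-Host "$($t.Host)$($t.Path) -> HTTP $status (expected)" }
    else { Write-Warning "$($t.Host)$($t.Path) -> HTTP $status, expected $($t.Expect)" }
}
```

An anonymous GET of an Exchange Autodiscover URL is expected to return 401, so that row passing means Exchange is reachable; the AD FS row is the one that matters for this thread, since Exchange Online can only complete the Outlook sign-in if the federation service answers on 443 from the Internet with its own certificate. A -1 status means the TLS handshake or connection itself failed rather than the endpoint returning an error.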
ASKER CERTIFIED SOLUTION
Vasil Michev (MVP):