Solved

Outlook Anywhere not working- Testing SSL mutual authentication with the RPC proxy server.

Posted on 2014-01-21
19
949 Views
Last Modified: 2014-01-24
Hello All and thank you in advance.

I cannot make Outlook Anywhere on Exchange 2010 work.

On the connectivity test everything is passing and I'm getting the warning below:

Testing SSL mutual authentication with the RPC proxy server.
The test passed with some warnings encountered. Please expand the additional details.

Additional Details

The certificate common name ulooptics.com doesn't match the mutual authentication string provided outlook.ulooptics.com; however, a match was found in the subject alternative name extension.
Elapsed Time: 1 ms.


I followed a few different articles such as

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_26502771.html

and I ran the following command with no luck.

The answer is to set the CertPrincipalName to "none". (Not blank or Null). The commands are:

>Set-OutlookProvider EXPR -Server 'outlook.ulooptics.com' -CertPrincipalName none
>Set-OutlookProvider EXPR -Server $null


Please see below a few more details of my Exchange configuration:

CertificateDomains : {ulooptics.com, www.ulooptics.com, server.proton.local, outlook.ulooptics.com, autodiscover.proton.local, autodiscover.ulooptics.com}
CertificateRequest :



[PS] C:\Windows\system32>Get-ClientAccessServer server | fl

AutoDiscoverServiceInternalUri

AutoDiscoverServiceInternalUri : https://server.proton.local/Autodiscover/Autodiscover.xml


[PS] C:\Windows\system32>Get-WebServicesVirtualDirectory | fl *Url

InternalNLBBypassUrl : https://server.proton.local/ews/exchange.asmx
InternalUrl          : https://server.proton.local/EWS/Exchange.asmx
ExternalUrl          : https://outlook.ulooptics.com/ews/exchange.asmx



[PS] C:\Windows\system32>Get-OabVirtualDirectory | fl *Url

InternalUrl : http://server.proton.local/OAB
ExternalUrl : https://outlook.ulooptics.com/OAB


[PS] C:\Windows\system32>Get-AutodiscoverVirtualDirectory | fl *Url

InternalUrl :
ExternalUrl :


[PS] C:\Windows\system32>Get-OutlookAnywhere | fl External*

ExternalHostname : outlook.ulooptics.com
0
Question by:jamescarson69
19 Comments
 
LVL 12

Expert Comment

by:SreRaj
ID: 39799257
Hi,

Did you try setting CertPrincipalName to outlook.ulooptics.com? I feel ideally it should be pointing to the OA hostname. You could try the following command:

Set-OutlookProvider EXPR -CertPrincipalName "msstd:outlook.ulooptics.com"
0
 

Author Comment

by:jamescarson69
ID: 39799290
Hello SreRaj,

Apologies, I forgot to mention that I have tried that too, unfortunately.

I actually ran it again last night and this is how it is configured at the moment, but it didn't work.
0
 
LVL 12

Expert Comment

by:SreRaj
ID: 39799678
As per the following article, this issue should get fixed after setting CertPrincipalName.

http://technet.microsoft.com/en-us/library/dd439371(v=exchg.80).aspx

After setting CertPrincipalName, please try restarting the Client Access Servers and see if you are able to connect successfully.

Also, the following article says this problem exists in Windows XP clients and Windows Vista RTM clients. What is the client version you are receiving the error on?

http://technet.microsoft.com/en-us/library/hh849187(v=exchg.80).aspx
0
 

Author Comment

by:jamescarson69
ID: 39799691
Hello SreRaj,

Thank you for coming back to me.

Unfortunately I restarted the server last night just to make sure and nothing happened.

I have tried 3 different Windows 7 machines and Outlook 2010 / 2013.
0
 
LVL 24

Expert Comment

by:Mohammed Hamada
ID: 39802301
What's your certificate's common name?
0
 
LVL 37

Expert Comment

by:Jamie McKillop
ID: 39802908
Hello,

The mutual authentication string must match the common name on your certificate. In your case, that is ulooptics.com. That hostname must point to your Exchange server and you must run:

Set-OutlookProvider EXPR -CertPrincipalName "msstd:ulooptics.com"

-JJ
0
 

Author Comment

by:jamescarson69
ID: 39802933
Hello jjmck,

Thank you for the help but still same issue after I ran the command.
0
 
LVL 24

Accepted Solution

by:
Mohammed Hamada earned 250 total points
ID: 39802943
Your certificate's common name must match the Outlook Anywhere FQDN, so in this case you will need to generate a new certificate with CN outlook.ulooptics.com.

If the certificate will be used internally for Outlook clients, you will need to also include all your Exchange servers' internal FQDN names as SANs inside the certificate.

By the way, you should configure your Outlook Anywhere authentication to NTLM.
0
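The check and the fix the accepted answer describes, as an added Exchange Management Shell example (not from the thread, and not Microsoft's own sample code). It assumes Exchange 2010 cmdlets run on the CAS, the hostnames from the question, a placeholder organisation in the certificate subject, and the file paths shown; the `.local` names are deliberately left out of the request because a public CA will not issue them.

```powershell
# Added example (not from the thread). Run in the Exchange 2010 Management Shell on the CAS.
# 1. Compare what Outlook Anywhere advertises with what the IIS-bound certificate actually says.
$oa   = Get-OutlookAnywhere | Select-Object -First 1
$expr = Get-OutlookProvider EXPR
$cert = Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' } | Select-Object -First 1

$oaHost = $oa.ExternalHostname.ToString()
$cn     = ($cert.Subject -split ',' | Where-Object { $_.Trim() -like 'CN=*' }).Trim().Substring(3)
$sans   = $cert.CertificateDomains | ForEach-Object { $_.ToString() }

"Outlook Anywhere external host : $oaHost"
"EXPR CertPrincipalName         : $($expr.CertPrincipalName)"
"Certificate CN                 : $cn"
"Certificate SANs               : $($sans -join ', ')"

# The msstd: mutual-authentication string is compared against the CN, not the SAN list,
# which is exactly the warning the connectivity test reported.
if ($cn -ne $oaHost) {
    if ($sans -contains $oaHost) {
        Write-Warning "'$oaHost' is only a SAN; mutual auth (msstd:) is matched against the CN '$cn'."
    } else {
        Write-Warning "'$oaHost' is neither the CN nor a SAN of the IIS certificate."
    }
}

# 2. Request a replacement certificate whose CN is the Outlook Anywhere FQDN.
#    O= and C= are placeholders; the file path is an assumption.
$req = New-ExchangeCertificate -GenerateRequest `
    -SubjectName 'CN=outlook.ulooptics.com, O=PLACEHOLDER-ORG, C=GB' `
    -DomainName outlook.ulooptics.com, autodiscover.ulooptics.com, ulooptics.com `
    -PrivateKeyExportable $true
Set-Content -Path 'C:\certs\outlook.ulooptics.com.req' -Value $req
# Submit the .req to the CA and save the issued certificate as C:\certs\outlook.ulooptics.com.cer

# 3. Import the issued certificate, bind it to IIS and point EXPR at the new CN.
$imported = Import-ExchangeCertificate `
    -FileData ([Byte[]](Get-Content -Path 'C:\certs\outlook.ulooptics.com.cer' -Encoding Byte -ReadCount 0))
Enable-ExchangeCertificate -Thumbprint $imported.Thumbprint -Services IIS
Set-OutlookProvider EXPR -CertPrincipalName 'msstd:outlook.ulooptics.com'

# 4. Move Outlook Anywhere client authentication from Basic to NTLM, as the answer recommends.
Get-OutlookAnywhere | Set-OutlookAnywhere -ClientAuthenticationMethod Ntlm -IISAuthenticationMethods Basic, Ntlm
```

Running step 1 before and after the certificate swap gives a quick regression check: once the CN equals the Outlook Anywhere hostname the warning branch is never reached, and the Remote Connectivity Analyzer test should pass without the SAN-only warning.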
 
LVL 37

Expert Comment

by:Jamie McKillop
ID: 39802945
The DNS entry for ulooptics.com doesn't point to the same IP as outlook.ulooptics.com. They should be both pointing at your Exchange server.

-JJ
0
 
LVL 24

Expert Comment

by:Mohammed Hamada
ID: 39802952
jjmck, of course ulooptics.com is not pointing to the Exchange server, because it's pointing to the web server.

The certificate needs to have the CN as outlook.ulooptics.com.
0
 

Author Comment

by:jamescarson69
ID: 39802956
Thank you! I will make the changes now and will update you asap.
0
 
LVL 37

Assisted Solution

by:Jamie McKillop
Jamie McKillop earned 250 total points
ID: 39802991
You are going to have trouble generating a new certificate because you can no longer get commercial certificates with private DNS zones like .local. You are going to have to redesign your DNS infrastructure to accommodate this. You will either need to use split-DNS (the most common way to set up Exchange) or you will need to register a new domain to use internally.

-JJ
0
 

Author Comment

by:jamescarson69
ID: 39803011
Yeah, this is exactly what I was thinking now, because when I tried to generate a new SSL certificate a few days ago GoDaddy wouldn't allow me any entry with .local.

Any chance you can point me to a good how to article about split dns?
0
 
LVL 24

Expert Comment

by:Mohammed Hamada
ID: 39803026
James, for split-brain DNS all you need to do is create another forward zone with your external domain (ulooptics.com) in your DNS.

Create all your external records in it and point them to your internal DNS records.

For instance, create an A record where outlook.ulooptics.com points to exchange01.ulooptics.local,

autodiscover.ulooptics.com points to CAS01.ulooptics.local,

and so on.
0
 
LVL 37

Expert Comment

by:Jamie McKillop
ID: 39803034
Split-DNS is fairly easy to set up. You just need to create a new AD-integrated zone on your AD DNS server for ulooptics.com. You would then recreate all your records from the public zone but with the internal IPs of your servers. The caveat is that you now have two distinct zones to manage. When you add, modify or delete a record in one zone, you need to do the same in the other.

If your firewall allows you to use your external IPs internally, you may not even need split-DNS.

-JJ
0
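The split-DNS setup that the two answers above describe (an AD-integrated copy of the public zone, every public record recreated with an internal address), as an added PowerShell example that is not from the thread. It assumes the DnsServer module of Windows Server 2012 or later on a domain controller, and the internal IP addresses and the public resolver used for verification are constructed placeholders.

```powershell
# Added example (not from the thread). Run on an AD DNS server with the DnsServer module
# (Windows Server 2012 or later). All IP addresses below are constructed placeholders.
$zone = 'ulooptics.com'

# Internal addresses for every name the public zone publishes. The apex ('@') is included
# because creating the zone internally stops ulooptics.com itself resolving unless it is mirrored.
$internalRecords = @{
    '@'            = '192.168.10.30'   # public web server, reachable internally on this address
    'www'          = '192.168.10.30'
    'outlook'      = '192.168.10.20'   # Exchange CAS
    'autodiscover' = '192.168.10.20'   # same CAS
}

# 1. Create the AD-integrated forward zone only if it does not already exist.
if (-not (Get-DnsServerZone -Name $zone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $zone -ReplicationScope Domain
}

# 2. Recreate each public record with its internal IP. Anything in the public zone that is
#    NOT listed here becomes unresolvable from inside, which is the "two zones to manage" caveat.
foreach ($name in $internalRecords.Keys) {
    $existing = Get-DnsServerResourceRecord -ZoneName $zone -Name $name -RRType A -ErrorAction SilentlyContinue
    if ($existing) {
        Remove-DnsServerResourceRecord -ZoneName $zone -Name $name -RRType A -Force
    }
    Add-DnsServerResourceRecordA -ZoneName $zone -Name $name -IPv4Address $internalRecords[$name]
}

# 3. Verify: ask the local server and a public resolver (8.8.8.8 is an assumption) and show both views.
foreach ($name in $internalRecords.Keys) {
    $fqdn     = if ($name -eq '@') { $zone } else { "$name.$zone" }
    $internal = (Resolve-DnsName -Name $fqdn -Type A -Server 127.0.0.1 -ErrorAction SilentlyContinue).IPAddress
    $public   = (Resolve-DnsName -Name $fqdn -Type A -Server 8.8.8.8   -ErrorAction SilentlyContinue).IPAddress
    '{0,-28} internal={1,-16} public={2}' -f $fqdn, ($internal -join ','), ($public -join ',')
}
```

On a Windows Server 2008 R2 DNS server, which has no DnsServer module, the equivalent steps are `dnscmd /ZoneAdd ulooptics.com /DsPrimary` followed by one `dnscmd /RecordAdd ulooptics.com outlook A 192.168.10.20` per name. Re-running the verification loop after any change to the public zone is the cheapest way to catch a record that was added on one side only.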
 

Author Comment

by:jamescarson69
ID: 39803163
Thank you both for all the help!

So when I issue the new certificate, do I also have to change all the internal URLs of Exchange to match the external ones?

For example:

[PS] C:\Windows\system32>Get-WebServicesVirtualDirectory | fl *Url

InternalNLBBypassUrl : https://server.proton.local/ews/exchange.asmx
InternalUrl          : https://server.proton.local/EWS/Exchange.asmx
ExternalUrl          : https://outlook.ulooptics.com/ews/exchange.asmx
0
 
LVL 37

Expert Comment

by:Jamie McKillop
ID: 39803169
Yes. If you are using split-DNS, your internal and external URLs will be the same.

-JJ
0
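Making the internal URLs equal to the external ones, as the answer says, is an added Exchange 2010 Management Shell example (not code from the thread). It assumes the CAS is named `server` as in the question, that split-DNS already resolves outlook.ulooptics.com to the CAS from inside, and that the IIS certificate covers that name; the final check flags any URL that still carries the old `.local` name.

```powershell
# Added example (not from the thread). Exchange 2010 Management Shell on the CAS.
$cas  = 'server'                    # CAS name from the question
$fqdn = 'outlook.ulooptics.com'     # Outlook Anywhere FQDN, which is also the certificate CN

# Autodiscover SCP that domain-joined Outlook clients look up in AD
Set-ClientAccessServer -Identity $cas -AutoDiscoverServiceInternalUri "https://$fqdn/Autodiscover/Autodiscover.xml"

# Web services, OAB, ActiveSync, OWA and ECP: internal URL == external URL
Get-WebServicesVirtualDirectory -Server $cas | Set-WebServicesVirtualDirectory `
    -InternalUrl "https://$fqdn/EWS/Exchange.asmx" -ExternalUrl "https://$fqdn/EWS/Exchange.asmx" `
    -InternalNLBBypassUrl "https://$fqdn/EWS/Exchange.asmx"
Get-OabVirtualDirectory -Server $cas | Set-OabVirtualDirectory `
    -InternalUrl "https://$fqdn/OAB" -ExternalUrl "https://$fqdn/OAB"
Get-ActiveSyncVirtualDirectory -Server $cas | Set-ActiveSyncVirtualDirectory `
    -InternalUrl "https://$fqdn/Microsoft-Server-ActiveSync" -ExternalUrl "https://$fqdn/Microsoft-Server-ActiveSync"
Get-OwaVirtualDirectory -Server $cas | Set-OwaVirtualDirectory `
    -InternalUrl "https://$fqdn/owa" -ExternalUrl "https://$fqdn/owa"
Get-EcpVirtualDirectory -Server $cas | Set-EcpVirtualDirectory `
    -InternalUrl "https://$fqdn/ecp" -ExternalUrl "https://$fqdn/ecp"

# Outlook Anywhere in 2010 has only an external hostname; keep it on the same name
Get-OutlookAnywhere -Server $cas | Set-OutlookAnywhere -ExternalHostname $fqdn

# Verify: collect every URL and flag any that still references the private .local zone,
# which would no longer match the certificate once the old one is removed.
$urls = @(
    (Get-ClientAccessServer -Identity $cas).AutoDiscoverServiceInternalUri
    (Get-WebServicesVirtualDirectory -Server $cas | ForEach-Object { $_.InternalUrl, $_.ExternalUrl, $_.InternalNLBBypassUrl })
    (Get-OabVirtualDirectory        -Server $cas | ForEach-Object { $_.InternalUrl, $_.ExternalUrl })
    (Get-ActiveSyncVirtualDirectory -Server $cas | ForEach-Object { $_.InternalUrl, $_.ExternalUrl })
    (Get-OwaVirtualDirectory        -Server $cas | ForEach-Object { $_.InternalUrl, $_.ExternalUrl })
    (Get-EcpVirtualDirectory        -Server $cas | ForEach-Object { $_.InternalUrl, $_.ExternalUrl })
)
$urls | Where-Object { $_ -and $_.ToString() -like '*.local*' } |
    ForEach-Object { Write-Warning "URL still uses the private zone: $_" }

# Outlook reads these URLs from Autodiscover; restart IIS so clients pick up the new values promptly
iisreset /noforce
```

Leaving the `http://server.proton.local/OAB` internal URL from the question in place is the kind of mismatch the final loop catches: it is both plaintext and on a name the new certificate cannot carry.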
