Outlook Anywhere not working - Testing SSL mutual authentication with the RPC proxy server

Hello All and thank you in advance.

I cannot get Outlook Anywhere on Exchange 2010 to work.

On the connectivity test everything is passing and I'm getting the warning below:

	Testing SSL mutual authentication with the RPC proxy server.
 	The test passed with some warnings encountered. Please expand the additional details.
	Additional Details
The certificate common name ulooptics.com doesn't match the mutual authentication string provided outlook.ulooptics.com; however, a match was found in the subject alternative name extension.
Elapsed Time: 1 ms.

I followed a few different articles such as


and I ran the following commands with no luck.

The answer is to set the CertPrincipalName to "none". (Not blank or Null). The commands are:

>Set-OutlookProvider EXPR -Server 'outlook.ulooptics.com' -CertPrincipalName none
>Set-OutlookProvider EXPR -Server $null

Please see below a few more details of my Exchange configuration:

CertificateDomains : {ulooptics.com, www.ulooptics.com, server.proton.local, outlook.ulooptics.com, autodiscover.proton
                     .local, autodiscover.ulooptics.com}
CertificateRequest :

[PS] C:\Windows\system32>Get-ClientAccessServer server | fl


AutoDiscoverServiceInternalUri : https://server.proton.local/Autodiscover/Autodiscover.xml

[PS] C:\Windows\system32>Get-WebServicesVirtualDirectory | fl *Url

InternalNLBBypassUrl : https://server.proton.local/ews/exchange.asmx
InternalUrl          : https://server.proton.local/EWS/Exchange.asmx
ExternalUrl          : https://outlook.ulooptics.com/ews/exchange.asmx

[PS] C:\Windows\system32>Get-OabVirtualDirectory | fl *Url

InternalUrl : http://server.proton.local/OAB
ExternalUrl : https://outlook.ulooptics.com/OAB

[PS] C:\Windows\system32>Get-AutodiscoverVirtualDirectory | fl *Url

InternalUrl :
ExternalUrl :

[PS] C:\Windows\system32>Get-OutlookAnywhere | fl External*

ExternalHostname : outlook.ulooptics.com

Did you try setting CertPrincipalName to outlook.ulooptics.com? I feel ideally it should be pointing to OA hostname. You could try the following command

Set-OutlookProvider EXPR -CertPrincipalName "msstd:outlook.ulooptics.com"
jamescarson69 (Author) commented:
Hello SreRaj,

Apologies, I forgot to mention that I have tried that too, unfortunately.

I actually ran it again last night and this is how it is configured at the moment, but it didn't work.
As per the following article, this issue should get fixed after setting CertPrincipalName.


After setting CertPrincipalName, please try restarting the Client Access Servers and see if you are able to connect successfully.

Also, the following article says this problem exists in Windows XP clients and Windows Vista RTM clients. What is the client version you are receiving the error on?

jamescarson69 (Author) commented:
Hello SreRaj,

Thank you for coming back to me.

Unfortunately I restarted the server last night just to make sure and nothing happened.

I have tried 3 different Windows 7 machines and Outlook 2010 / 2013.
Mohammed Hamada (Senior IT Consultant) commented:
What's your certificate's common name?
Jamie McKillop (IT Manager) commented:

The mutual authentication string must match the common name on your certificate. In your case, that is ulooptics.com. That hostname must point to your Exchange server and you must run:

Set-OutlookProvider EXPR -CertPrincipalName "msstd:ulooptics.com"

jamescarson69 (Author) commented:
Hello jjmck,

Thank you for the help but still same issue after I ran the command.
Mohammed Hamada (Senior IT Consultant) commented:
Your certificate's common name must match the Outlook Anywhere FQDN, so in this case you will need to generate a new certificate with CN outlook.ulooptics.com.

If the certificate will be used internally for Outlook clients, you will also need to include all your Exchange servers' internal FQDNs as SANs inside the certificate.

By the way, you should configure your Outlook Anywhere authentication to NTLM.
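
As an added illustration (not part of the thread and not Exchange's own code), the following PowerShell classifies how a CertPrincipalName value lines up with a certificate's common name and subject alternative names, which is the distinction the connectivity test's warning draws. The function names `Test-HostMatch` and `Get-MsstdMatch` are hypothetical, treating `none` as "no check" is an assumption, and `mail.ulooptics.com` is a constructed name used only to show the no-match case.

```powershell
# Added example. Compares a host name with one certificate name,
# allowing a single leading "*." wildcard label.
function Test-HostMatch {
    param([string]$Pattern, [string]$HostName)
    if ($Pattern -ieq $HostName) { return $true }
    if ($Pattern.StartsWith('*.')) {
        $dot = $HostName.IndexOf('.')
        return ($dot -gt 0) -and ($HostName.Substring($dot) -ieq $Pattern.Substring(1))
    }
    return $false
}

# Returns CommonName, SubjectAltNameOnly, NoMatch or NotChecked.
function Get-MsstdMatch {
    param(
        [Parameter(Mandatory = $true)][string]$Subject,           # e.g. 'CN=ulooptics.com'
        [string[]]$DnsNames = @(),                                # SAN DNS names
        [Parameter(Mandatory = $true)][string]$CertPrincipalName  # e.g. 'msstd:outlook.ulooptics.com'
    )
    # Assumption: 'none' means no principal name is checked.
    if ($CertPrincipalName -ieq 'none') { return 'NotChecked' }
    $target = ($CertPrincipalName -replace '^msstd:', '').Trim()
    $cn = [regex]::Match($Subject, '(?i)(?:^|,\s*)CN=([^,]+)').Groups[1].Value.Trim()
    if ($cn -and (Test-HostMatch -Pattern $cn -HostName $target)) { return 'CommonName' }
    foreach ($name in $DnsNames) {
        if (Test-HostMatch -Pattern $name -HostName $target) { return 'SubjectAltNameOnly' }
    }
    return 'NoMatch'
}

# Sample input built from the thread: CN from the warning text,
# SANs from the CertificateDomains output.
$subject = 'CN=ulooptics.com'
$sans = 'ulooptics.com', 'www.ulooptics.com', 'server.proton.local',
        'outlook.ulooptics.com', 'autodiscover.proton.local', 'autodiscover.ulooptics.com'

# The last msstd value is constructed to show a name the certificate does not cover.
'msstd:outlook.ulooptics.com', 'msstd:ulooptics.com', 'msstd:mail.ulooptics.com', 'none' |
    ForEach-Object {
        '{0,-30} {1}' -f $_, (Get-MsstdMatch -Subject $subject -DnsNames $sans -CertPrincipalName $_)
    }
```

With the thread's certificate, `msstd:outlook.ulooptics.com` comes back as `SubjectAltNameOnly` (the state the warning reports) and `msstd:ulooptics.com` as `CommonName`. On a Client Access server the same inputs can be read from the `Subject` and `CertificateDomains` properties of `Get-ExchangeCertificate`.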

Jamie McKillop (IT Manager) commented:
The DNS entry for ulooptics.com doesn't point to the same IP as outlook.ulooptics.com. They should both be pointing at your Exchange server.

Mohammed Hamada (Senior IT Consultant) commented:
jjmck, of course ulooptics.com is not pointing to the Exchange server, because it's pointing to the web server.

The certificate needs to have the CN as outlook.ulooptics.com
jamescarson69 (Author) commented:
Thank you! I will make the changes now and will update you asap.
Jamie McKillop (IT Manager) commented:
You are going to have trouble generating a new certificate because you can no longer get commercial certificates with private DNS zones like .local. You are going to have to redesign your DNS infrastructure to accommodate this. You will either need to use split-DNS (the most common way to set up Exchange) or you will need to register a new domain to use internally.

jamescarson69 (Author) commented:
Yeah, this is exactly what I was thinking now, because when I tried to generate a new SSL a few days ago GoDaddy wouldn't allow me any entry with .local.

Any chance you can point me to a good how-to article about split DNS?
Mohammed Hamada (Senior IT Consultant) commented:
James, for split-brain DNS all you need to do is create another forward zone with your external domain in your DNS (ulooptics.com).

Create all your external records in it and point them to your internal DNS records.

For instance, create an A record where outlook.ulooptics.com points to exchange01.ulooptics.local

autodiscover.ulooptics.com points to CAS01.ulooptics.local

and so on.
Jamie McKillop (IT Manager) commented:
Split-DNS is fairly easy to set up. You just need to create a new AD-integrated zone on your AD DNS server for ulooptics.com. You would then recreate all your records from the public zone but with the internal IPs of your servers. The caveat is that you now have two distinct zones to manage. When you add, modify or delete a record on one zone, you need to do the same on the other.

If your firewall allows you to use your external IPs internally, you may not even need split-DNS.

jamescarson69 (Author) commented:
Thank you both for all the help!

So when I issue the new certificate, do I also have to change all the internal URLs of the Exchange to match the externals?

For example:

[PS] C:\Windows\system32>Get-WebServicesVirtualDirectory | fl *Url

InternalNLBBypassUrl : https://server.proton.local/ews/exchange.asmx
InternalUrl          : https://server.proton.local/EWS/Exchange.asmx
ExternalUrl          : https://outlook.ulooptics.com/ews/exchange.asmx
Jamie McKillop (IT Manager) commented:
Yes. If you are using split-DNS, your internal and external URLs will be the same.
