Solved

Outlook Anywhere not working- Testing SSL mutual authentication with the RPC proxy server.

Posted on 2014-01-21
Last Modified: 2014-01-24
Hello All and thank you in advance.

I cannot make Outlook Anywhere on Exchange 2010 work.

On the connectivity test everything is passing and I'm getting the warning below:

Testing SSL mutual authentication with the RPC proxy server.
The test passed with some warnings encountered. Please expand the additional details.

Additional Details

The certificate common name ulooptics.com doesn't match the mutual authentication string provided outlook.ulooptics.com; however, a match was found in the subject alternative name extension.
Elapsed Time: 1 ms.


I followed a few different articles such as

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_26502771.html

and I ran the following command with no luck.

The answer is to set the CertPrincipalName to "none". (Not blank or Null). The command are:

>Set-OutlookProvider EXPR -Server 'outlook.ulooptics.com' -CertPrincipalName none
>Set-OutlookProvider EXPR -Server $null


Please see below a few more details of my Exchange configuration:

CertificateDomains : {ulooptics.com, www.ulooptics.com, server.proton.local, outlook.ulooptics.com, autodiscover.proton.local, autodiscover.ulooptics.com}
CertificateRequest :



[PS] C:\Windows\system32>Get-ClientAccessServer server | fl AutoDiscoverServiceInternalUri

AutoDiscoverServiceInternalUri : https://server.proton.local/Autodiscover/Autodiscover.xml


[PS] C:\Windows\system32>Get-WebServicesVirtualDirectory | fl *Url

InternalNLBBypassUrl : https://server.proton.local/ews/exchange.asmx
InternalUrl          : https://server.proton.local/EWS/Exchange.asmx
ExternalUrl          : https://outlook.ulooptics.com/ews/exchange.asmx



[PS] C:\Windows\system32>Get-OabVirtualDirectory | fl *Url

InternalUrl : http://server.proton.local/OAB
ExternalUrl : https://outlook.ulooptics.com/OAB


[PS] C:\Windows\system32>Get-AutodiscoverVirtualDirectory | fl *Url

InternalUrl :
ExternalUrl :


[PS] C:\Windows\system32>Get-OutlookAnywhere | fl External*

ExternalHostname : outlook.ulooptics.com
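The CN-versus-SAN check behind the analyzer warning quoted above, as an added example that is not part of this thread: it parses the msstd: CertPrincipalName, matches it against a certificate's CN and then its SANs (single-label wildcard handling is included, which goes beyond what the thread discusses), and reports an analyzer-style result. The certificate names are the ones listed in the question; the function names and the `require_cn` switch are assumptions of this example.

```python
"""Check an Outlook Anywhere mutual-auth string (msstd:host) against a
certificate's subject CN and its subjectAltName DNS entries.
Added example; not code from the thread or from Exchange."""
import re
from typing import Optional, Sequence

# Constructed sample mirroring the certificate in the question:
# the CN is the bare domain, the Outlook Anywhere host is only a SAN.
SAMPLE_CN = "ulooptics.com"
SAMPLE_SANS = ["ulooptics.com", "www.ulooptics.com", "server.proton.local",
               "outlook.ulooptics.com", "autodiscover.proton.local",
               "autodiscover.ulooptics.com"]


def parse_principal(cert_principal_name: str) -> Optional[str]:
    """Return the host from an 'msstd:host' value, or None for 'none'."""
    value = cert_principal_name.strip()
    if value == "" or value.lower() == "none":
        return None
    m = re.fullmatch(r"msstd:([A-Za-z0-9.*-]+)", value, re.IGNORECASE)
    if not m:
        raise ValueError(f"unsupported CertPrincipalName: {value!r}")
    return m.group(1).lower()


def name_matches(pattern: str, host: str) -> bool:
    """Hostname match where '*' covers exactly one leftmost label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]                     # ".example.com"
        if not host.endswith(suffix):
            return False
        label = host[: -len(suffix)]
        return label != "" and "." not in label
    return pattern == host


def check_mutual_auth(cert_principal_name: str, cn: str,
                      sans: Sequence[str], require_cn: bool = False) -> str:
    """Classify the outcome: 'skipped', 'cn', 'san' or 'fail'.
    require_cn=True models a client that honours only the CN (assumption)."""
    host = parse_principal(cert_principal_name)
    if host is None:
        return "skipped"        # CertPrincipalName none: no mutual-auth check
    if name_matches(cn, host):
        return "cn"
    if not require_cn and any(name_matches(s, host) for s in sans):
        return "san"            # the analyzer's "passed with warnings" case
    return "fail"


if __name__ == "__main__":
    for principal in ("msstd:outlook.ulooptics.com", "msstd:ulooptics.com", "none"):
        print(principal, "->", check_mutual_auth(principal, SAMPLE_CN, SAMPLE_SANS))
```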
Question by:jamescarson69
LVL 12

Expert Comment

by:SreRaj
ID: 39799257
Hi,

Did you try setting CertPrincipalName to outlook.ulooptics.com? I feel ideally it should be pointing to the OA hostname. You could try the following command:

Set-OutlookProvider EXPR -CertPrincipalName "msstd:outlook.ulooptics.com"

Author Comment

by:jamescarson69
ID: 39799290
Hello SreRaj,

Apologies I forgot to mention that I have tried that too unfortunately.

I actually ran it again last night and this is how it is configured at the moment, but it didn't work.
LVL 12

Expert Comment

by:SreRaj
ID: 39799678
As per the following article, this issue should get fixed after setting CertPrincipalName.

http://technet.microsoft.com/en-us/library/dd439371(v=exchg.80).aspx

After setting CertPrincipalName, please try restarting the Client Access Servers and see if you are able to connect successfully.

Also, the following article says this problem exists in Windows XP clients and Windows Vista RTM clients. What is the client version you are receiving the error on?

http://technet.microsoft.com/en-us/library/hh849187(v=exchg.80).aspx

Author Comment

by:jamescarson69
ID: 39799691
Hello SreRaj,

Thank you for coming back to me.

Unfortunately I restarted the server last night just to make sure and nothing happened.

I have tried 3 different Windows 7 and Outlook 2010 / 2013 clients.
LVL 23

Expert Comment

by:Mohammed Hamada
ID: 39802301
What's your certificate's common name?
LVL 37

Expert Comment

by:Jamie McKillop
ID: 39802908
Hello,

The mutual authentication string must match the common name on your certificate. In your case, that is ulooptics.com. That hostname must point to your Exchange server and you must run:

Set-OutlookProvider EXPR -CertPrincipalName "msstd:ulooptics.com"

-JJ

Author Comment

by:jamescarson69
ID: 39802933
Hello jjmck,

Thank you for the help but still same issue after I ran the command.
LVL 23

Accepted Solution

by:
Mohammed Hamada earned 250 total points
ID: 39802943
Your certificate's common name must match the Outlook Anywhere FQDN, so in this case you will need to generate a new certificate with CN outlook.ulooptics.com.

If the certificate will be used internally for outlook clients, you will need to also include all your exchange server's internal FQDN names as SANs inside the certificate.

BTW, you should configure your Outlook Anywhere authentication to NTLM.
LVL 37

Expert Comment

by:Jamie McKillop
ID: 39802945
The DNS entry for ulooptics.com doesn't point to the same IP as outlook.ulooptics.com. They should be both pointing at your Exchange server.

-JJ
LVL 23

Expert Comment

by:Mohammed Hamada
ID: 39802952
jjmck, of course ulooptics.com is not pointing to the Exchange server, because it's pointing to the web server.

The certificate needs to have the CN as outlook.ulooptics.com.

Author Comment

by:jamescarson69
ID: 39802956
Thank you! I will make the changes now and will update you asap.
LVL 37

Assisted Solution

by:Jamie McKillop
Jamie McKillop earned 250 total points
ID: 39802991
You are going to have trouble generating a new certificate because you can no longer get commercial certificates with private DNS zones like .local. You are going to have to redesign your DNS infrastructure to accommodate this. You will either need to use split-DNS (the most common way to set up Exchange) or you will need to register a new domain to use internally.

-JJ

Author Comment

by:jamescarson69
ID: 39803011
Yeah, this is exactly what I was thinking now, because when I tried to generate a new SSL certificate a few days ago GoDaddy wouldn't allow me any entry with .local.

Any chance you can point me to a good how to article about split dns?
LVL 23

Expert Comment

by:Mohammed Hamada
ID: 39803026
James, for split-brain DNS all you need to do is create another forward zone with your external domain in your DNS (ulooptics.com).

Create all your external records in it and point them to your internal DNS records.

For instance, create an A record where outlook.ulooptics.com points to exchange01.ulooptics.local,

autodiscover.ulooptics.com points to CAS01.ulooptics.local,

and so on.
LVL 37

Expert Comment

by:Jamie McKillop
ID: 39803034
Split-DNS is fairly easy to set up. You just need to create a new AD-integrated zone on your AD DNS server for ulooptics.com. You would then recreate all your records from the public zone but with the internal IPs of your servers. The caveat is that you now have two distinct zones to manage. When you add, modify or delete a record in one zone, you need to do the same in the other.

If your firewall allows you to use your external IPs internally, you may not even need split-DNS.

-JJ

Author Comment

by:jamescarson69
ID: 39803163
Thank you both for all the help!

So when I issue the new certificate, do I also have to change all the internal URLs of the Exchange server to match the external ones?

For example:

[PS] C:\Windows\system32>Get-WebServicesVirtualDirectory | fl *Url

InternalNLBBypassUrl : https://server.proton.local/ews/exchange.asmx
InternalUrl          : https://server.proton.local/EWS/Exchange.asmx
ExternalUrl          : https://outlook.ulooptics.com/ews/exchange.asmx
LVL 37

Expert Comment

by:Jamie McKillop
ID: 39803169
Yes. If you are using split-DNS, your internal and external URLs will be the same.

-JJ