• Status: Solved

Outlook Anywhere not working- Testing SSL mutual authentication with the RPC proxy server.

Hello All and thank you in advance.

I cannot make Outlook Anywhere on Exchange 2010 work.

On the connectivity test everything is passing and I'm getting the warning below:

Testing SSL mutual authentication with the RPC proxy server.
The test passed with some warnings encountered. Please expand the additional details.

Additional Details

The certificate common name ulooptics.com doesn't match the mutual authentication string provided outlook.ulooptics.com; however, a match was found in the subject alternative name extension.
Elapsed Time: 1 ms.


I followed a few different articles such as

http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/Q_26502771.html

and I ran the following commands with no luck.

The answer is to set the CertPrincipalName to "none". (Not blank or Null). The commands are:

>Set-OutlookProvider EXPR -Server 'outlook.ulooptics.com' -CertPrincipalName none
>Set-OutlookProvider EXPR -Server $null


Please see below a few more details of my Exchange configuration:

CertificateDomains : {ulooptics.com, www.ulooptics.com, server.proton.local, outlook.ulooptics.com, autodiscover.proton.local, autodiscover.ulooptics.com}
CertificateRequest :



[PS] C:\Windows\system32>Get-ClientAccessServer server | fl

AutoDiscoverServiceInternalUri

AutoDiscoverServiceInternalUri : https://server.proton.local/Autodiscover/Autodiscover.xml


[PS] C:\Windows\system32>Get-WebServicesVirtualDirectory | fl *Url

InternalNLBBypassUrl : https://server.proton.local/ews/exchange.asmx
InternalUrl          : https://server.proton.local/EWS/Exchange.asmx
ExternalUrl          : https://outlook.ulooptics.com/ews/exchange.asmx



[PS] C:\Windows\system32>Get-OabVirtualDirectory | fl *Url

InternalUrl : http://server.proton.local/OAB
ExternalUrl : https://outlook.ulooptics.com/OAB


[PS] C:\Windows\system32>Get-AutodiscoverVirtualDirectory | fl *Url

InternalUrl :
ExternalUrl :


[PS] C:\Windows\system32>Get-OutlookAnywhere | fl External*

ExternalHostname : outlook.ulooptics.com
jamescarson69 Asked:

2 Solutions
 
SreRaj commented:
Hi,

Did you try setting CertPrincipalName to outlook.ulooptics.com? I feel ideally it should be pointing to the OA hostname. You could try the following command:

Set-OutlookProvider EXPR -CertPrincipalName "msstd:outlook.ulooptics.com"
0
 
jamescarson69 (Author) commented:
Hello SreRaj,

Apologies, I forgot to mention that I have tried that too, unfortunately.

I actually ran it again last night and this is how it is configured at the moment, but it didn't work.
0
 
SreRaj commented:
As per the following article, this issue should get fixed after setting CertPrincipalName.

http://technet.microsoft.com/en-us/library/dd439371(v=exchg.80).aspx

After setting CertPrincipalName, please try restarting the Client Access Servers and see if you are able to connect successfully.

Also, the following article says this problem exists on Windows XP clients and Windows Vista RTM clients. What is the client version you are receiving the error on?

http://technet.microsoft.com/en-us/library/hh849187(v=exchg.80).aspx
0

 
jamescarson69 (Author) commented:
Hello SreRaj,

Thank you for coming back to me.

Unfortunately I restarted the server last night just to make sure, and nothing happened.

I have tried 3 different Windows 7 machines with Outlook 2010 / 2013.
0
 
Mohammed Hamada (Senior IT Consultant) commented:
What's your certificate's common name?
0
 
Jamie McKillop commented:
Hello,

The mutual authentication string must match the common name on your certificate. In your case, that is ulooptics.com. That hostname must point to your Exchange server and you must run:

Set-OutlookProvider EXPR -CertPrincipalName "msstd:ulooptics.com"

-JJ
0
 
jamescarson69 (Author) commented:
Hello jjmck,

Thank you for the help, but still the same issue after I ran the command.
0
 
Mohammed Hamada (Senior IT Consultant) commented:
Your certificate's common name must match the Outlook Anywhere FQDN, so in this case you will need to generate a new certificate with CN outlook.ulooptics.com.

If the certificate will be used internally for Outlook clients, you will need to also include all your Exchange server's internal FQDNs as SANs inside the certificate.

BTW, you should configure your Outlook Anywhere authentication to NTLM.
0
 
Jamie McKillop commented:
The DNS entry for ulooptics.com doesn't point to the same IP as outlook.ulooptics.com. They should be both pointing at your Exchange server.

-JJ
0
 
Mohammed Hamada (Senior IT Consultant) commented:
jjmck, of course ulooptics.com is not pointing to the Exchange server, because it's pointing to the web server.

The certificate needs to have the CN as outlook.ulooptics.com.
0
 
jamescarson69 (Author) commented:
Thank you! I will make the changes now and will update you asap.
0
 
Jamie McKillop commented:
You are going to have trouble generating a new certificate because you can no longer get commercial certificates with private DNS zones like .local. You are going to have to redesign your DNS infrastructure to accommodate this. You will either need to use split-DNS (the most common way to set up Exchange) or you will need to register a new domain to use internally.

-JJ
0
 
jamescarson69 (Author) commented:
Yeah, this is exactly what I was thinking now, because when I tried to generate a new SSL certificate a few days ago GoDaddy wouldn't allow me any entry with .local.

Any chance you can point me to a good how-to article about split DNS?
0
 
Mohammed Hamada (Senior IT Consultant) commented:
James, for split-brain DNS all you need to do is create another forward zone with your external domain in your DNS (ulooptics.com).

Create all your external records in it and point them to your internal DNS records.

For instance, create an A record where outlook.ulooptics.com points to exchange01.ulooptics.local,

autodiscover.ulooptics.com points to CAS01.ulooptics.local,

and so on.
0
 
Jamie McKillop commented:
Split-DNS is fairly easy to set up. You just need to create a new AD-integrated zone on your AD DNS server for ulooptics.com. You would then recreate all your records from the public zone but with the internal IPs of your servers. The caveat is that you now have two distinct zones to manage. When you add, modify or delete a record in one zone, you need to do the same in the other.

If your firewall allows you to use your external IPs internally, you may not even need split-DNS.

-JJ
0
 
jamescarson69 (Author) commented:
Thank you both for all the help!

So when I issue the new certificate, do I also have to change all the internal URLs of Exchange to match the external ones?

For example:

[PS] C:\Windows\system32>Get-WebServicesVirtualDirectory | fl *Url

InternalNLBBypassUrl : https://server.proton.local/ews/exchange.asmx
InternalUrl          : https://server.proton.local/EWS/Exchange.asmx
ExternalUrl          : https://outlook.ulooptics.com/ews/exchange.asmx
0
 
Jamie McKillop commented:
Yes. If you are using split-DNS, your internal and external URLs will be the same.

-JJ
0
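The split-DNS zone, the certificate check and the matching internal/external URLs that the answers above describe, pulled together as one Exchange Management Shell script. This is an added example written for this page, not a command sequence posted in the thread; it assumes the CAS is named "server" (server.proton.local from the question), that the DNS role runs on Windows Server 2012 or later (for the DnsServer module), and uses 192.0.2.10 as a constructed placeholder for the CAS's internal IP.

```powershell
# Added example (not from the thread). Assumptions: Exchange 2010 CAS named "server",
# DnsServer module available (Windows Server 2012+), internal IP is a placeholder.
$Cas        = "server"                  # CAS name from the thread (server.proton.local)
$PublicFqdn = "outlook.ulooptics.com"   # Outlook Anywhere external hostname from the thread
$Zone       = "ulooptics.com"           # public zone to mirror internally
$InternalIp = "192.0.2.10"              # constructed placeholder: internal IP of the CAS

# 1. Split-DNS: an AD-integrated copy of the public zone that resolves to internal IPs.
#    Any public record not recreated here will stop resolving internally (the caveat in the thread).
Import-Module DnsServer
if (-not (Get-DnsServerZone -Name $Zone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $Zone -ReplicationScope Domain
}
foreach ($label in "outlook", "autodiscover") {
    Add-DnsServerResourceRecordA -ZoneName $Zone -Name $label -IPv4Address $InternalIp
}

# 2. Verify the certificate bound to IIS on the CAS has the public FQDN as its CN,
#    which is what Outlook's mutual-auth string (msstd:<name>) is checked against.
$cert = Get-ExchangeCertificate -Server $Cas | Where-Object { $_.Services -match "IIS" } |
        Select-Object -First 1
if (-not $cert -or $cert.Subject -notlike "CN=$PublicFqdn*") {
    throw "IIS certificate on $Cas does not have CN=$PublicFqdn; reissue it before continuing."
}
if ($cert.CertificateDomains -contains "$Cas.proton.local") {
    Write-Warning "Certificate still carries a .local name; public CAs will not issue that."
}

# 3. With split-DNS in place, internal and external URLs can be identical (no .local names).
$ews = "https://$PublicFqdn/EWS/Exchange.asmx"
$oab = "https://$PublicFqdn/OAB"
Set-ClientAccessServer -Identity $Cas `
    -AutoDiscoverServiceInternalUri "https://autodiscover.$Zone/Autodiscover/Autodiscover.xml"
Get-WebServicesVirtualDirectory -Server $Cas |
    Set-WebServicesVirtualDirectory -InternalUrl $ews -ExternalUrl $ews
Get-OabVirtualDirectory -Server $Cas |
    Set-OabVirtualDirectory -InternalUrl $oab -ExternalUrl $oab

# 4. Outlook Anywhere hostname and NTLM client auth, plus the EXPR provider's
#    certificate principal name so the client expects exactly this CN.
Get-OutlookAnywhere -Server $Cas |
    Set-OutlookAnywhere -ExternalHostname $PublicFqdn -ClientAuthenticationMethod Ntlm
Set-OutlookProvider EXPR -CertPrincipalName "msstd:$PublicFqdn"
```

Re-run the Remote Connectivity Analyzer test from the question afterwards; the SSL mutual authentication step should pass without the CN/SAN mismatch warning once the CN matches the msstd: string.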
