Solved

Exchange - autodiscover /  outlook connection

Posted on 2014-09-18
Last Modified: 2014-09-19
We recently upgraded to Exchange 2013 and are having issues with Outlook connecting. If you open up Outlook it just says "disconnected". I changed the settings to use Outlook Anywhere, and I get prompted for a username and password, but it doesn't take the credentials and continues to prompt me. OWA and ActiveSync are working with no issues. I also tried to create a new mail profile, but get "An encrypted connection to your mail server is not available" after typing in the credentials. I tried the unencrypted option as well with no luck.

We are using Outlook 2007 and 2010. We also have a few other Exchange 2010 servers in the mix.

I have tried adjusting the IIS settings on the server with regards to SSL certificates and authentication and have run multiple PS commands. I have tried to dig through IIS and event viewer logs, but can't seem to find anything. The only error that I can produce is "The autodiscover response did not return a URL for Exchanges Web Services" when running the "Test-OutlookWebServices....." command.

I am not sure if this is an issue with autodiscover, certificates, or possibly something pointing to the wrong server, etc.

Thanks.
Question by:tiptechs
33 Comments
 
LVL 8

Expert Comment

by:tshearon
ID: 40331452
On your CAS servers check the EWS virtual directory permissions are set to Anonymous, Basic, and Windows auth and Autodiscover virtual directory permissions are Anonymous and Windows Auth. Also make sure your EWS URL and URIs are correct.
0
 
LVL 8

Expert Comment

by:tshearon
ID: 40331458
0
 
LVL 32

Expert Comment

by:it_saige
ID: 40331460
Since you have 2007 and 2010 servers in the mix, I want to ask a few questions.

On which server is the mailbox housed or does this happen for all users?
Did you install your current certificate on the Exchange 2013 server and to which services did you assign it (IIS, SMTP, POP, IMAP)?
Did you modify your dns records to point to the Exchange 2013 server and in the case of the 2007 server did you create a legacy dns record?

-saige-
0
 

Author Comment

by:tiptechs
ID: 40331478
The servers are 2013 and one 2010.  Outlook is 2007 and 2010

tshearon, the authentication settings were correct for both virtual directories. How can I confirm the URLs for EWS?
0
 

Author Comment

by:tiptechs
ID: 40331491
Here is a little more info.  Actually the 2010 server is out of the mix.

mail1 & mail2 are both 2013 servers and set up in a DAG. mail1 is the primary, so to speak.
0
 
LVL 32

Expert Comment

by:it_saige
ID: 40331543
You can view each URL if you open the ECP and go to the Servers section. Select the 'virtual directories' link and click on the edit option (the pencil icon) for each one. They will have the internal (and if supported) external URLs for each.

You could also use PowerShell:

Get-WebServicesVirtualDirectory | fl

-saige-
0
 
LVL 32

Expert Comment

by:it_saige
ID: 40331546
Follow-up question. Does this issue happen on both of the Outlook clients? If so, have you attempted to use outlook /rpcdiag?

-saige-
0
 
LVL 32

Expert Comment

by:it_saige
ID: 40331568
Also, could you verify that the thumbprint for your Exchange certificate and the HTTP certificate for port 444 match?

In a command prompt, type netsh http show sslcert and find the Certificate hash for IP:port 0.0.0.0:444. Validate that it matches the thumbprint for your Exchange certificate that is bound to the IIS service.

-saige-
0
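The binding check described in the comment above, as an added example (not from the thread): a PowerShell function that parses `netsh http show sslcert` output and compares the hash bound to 0.0.0.0:444 with a certificate thumbprint. The function names, the sample netsh text and the hashes are constructed for illustration.

```powershell
# Added example; Get-SslBindingHash and Test-BindingMatchesThumbprint are hypothetical names.
function Get-SslBindingHash {
    param(
        [Parameter(Mandatory)] [string[]] $NetshOutput,   # lines from: netsh http show sslcert
        [string] $IpPort = '0.0.0.0:444'
    )
    $inBinding = $false
    foreach ($line in $NetshOutput) {
        if ($line -match '^\s*IP:port\s*:\s*(\S+)\s*$') {
            # A new binding record starts; remember whether it is the one we want.
            $inBinding = ($Matches[1] -eq $IpPort)
        }
        elseif ($inBinding -and $line -match '^\s*Certificate Hash\s*:\s*([0-9A-Fa-f]+)\s*$') {
            return $Matches[1].ToUpperInvariant()
        }
    }
    return $null   # no binding found for that IP:port
}

function Test-BindingMatchesThumbprint {
    param(
        [Parameter(Mandatory)] [string[]] $NetshOutput,
        [Parameter(Mandatory)] [string] $Thumbprint,
        [string] $IpPort = '0.0.0.0:444'
    )
    $bound = Get-SslBindingHash -NetshOutput $NetshOutput -IpPort $IpPort
    # Thumbprints copied from the certificate dialog often carry spaces or an
    # invisible leading character; keep hex digits only before comparing.
    $wanted = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    [pscustomobject]@{
        IpPort    = $IpPort
        BoundHash = $bound
        Expected  = $wanted
        Match     = ($null -ne $bound -and $bound -eq $wanted)
    }
}

# Constructed sample output (hashes are made up) so the block runs without a server.
$sample = @'
SSL Certificate bindings:
-------------------------

    IP:port                      : 0.0.0.0:443
    Certificate Hash             : 1111111111111111111111111111111111111111
    Certificate Store Name       : MY

    IP:port                      : 0.0.0.0:444
    Certificate Hash             : 2222222222222222222222222222222222222222
    Certificate Store Name       : MY
'@ -split "`r?`n"

Test-BindingMatchesThumbprint -NetshOutput $sample -Thumbprint '2222222222 2222222222 2222222222 2222222222'

# On the server, in the Exchange Management Shell (assumes exactly one certificate
# is assigned to the IIS service):
#   $iisCert = Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' }
#   Test-BindingMatchesThumbprint -NetshOutput (netsh http show sslcert) -Thumbprint $iisCert.Thumbprint
```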
 

Author Comment

by:tiptechs
ID: 40331619
Thanks Saige.

It is occurring on both clients.   Also, I attempted the outlook /rpcdiag and that didn't work.  I will get the details on the rpcdiag shortly.

I will also double check the urls in the admin page and the certificate and update you.

Thanks again.
0
 

Author Comment

by:tiptechs
ID: 40332709
The certificate hashes do match. I also confirmed the EWS URLs are there. If I put the internal URL for EWS in the browser it says a "service was created" and shows a page with code on it.

I ran the outlook /rpcdiag and it instantly shows connecting and Outlook opens up prompting me for the credentials. I put the credentials in and it pops right back up like I typed in the wrong pw.
0
 

Author Comment

by:tiptechs
ID: 40332767
I also ran this from the server and am getting the following.

[PS] C:\Windows\system32>Test-OutlookConnectivity -ProbeIdentity "OutlookRpcCTPProbe" -MailboxID user@domain.com
WARNING: An unexpected error has occurred and a Watson dump is being generated: Could not find assembly or object type
associated with monitor identity 'Outlook\OutlookRpcCtpProbe'. Please ensure that the given monitor identity exists on
the server.
Could not find assembly or object type associated with monitor identity 'Outlook\OutlookRpcCtpProbe'. Please ensure
that the given monitor identity exists on the server.
    + CategoryInfo          : NotSpecified: (:) [Test-OutlookConnectivity], InvalidOperationException
    + FullyQualifiedErrorId : System.InvalidOperationException,Microsoft.Exchange.Management.Tasks.TestOutlookConnecti
   vity
    + PSComputerName        : mail1.domain.com

[PS] C:\Windows\system32> Test-OutlookConnectivity -ProbeIdentity "OutlookSelfTestProbe"
WARNING: An unexpected error has occurred and a Watson dump is being generated: Object reference not set to an instance
 of an object.
Object reference not set to an instance of an object.
    + CategoryInfo          : NotSpecified: (:) [Test-OutlookConnectivity], NullReferenceException
    + FullyQualifiedErrorId : System.NullReferenceException,Microsoft.Exchange.Management.Tasks.TestOutlookConnectivit
   y
    + PSComputerName        : mail1.domain.com

[PS] C:\Windows\system32>
0
 
LVL 32

Expert Comment

by:it_saige
ID: 40332790
Have you checked to see if this is relevant?

http://support.microsoft.com/kb/2962915

-saige-
0
 

Author Comment

by:tiptechs
ID: 40332851
I am never making the connection to exchange within outlook.


On the Watson error, I did run the new-TestCasConnectivityUser script, but that didn't seem to change anything.

[PS] C:\Exchange 2013\Scripts>.\new-TestCasConnectivityUser.ps1
Please enter a temporary secure password for creating test users. For security purposes, the password will be changed r
egularly and automatically by the system.
Enter password: *********
Create test user on: mail1.domain.com
Click CTRL+Break to quit or click Enter to continue.:
UserPrincipalName: extest_f129cf97e73a4@domain.com
WARNING: Please update UseDatabaseQuotaDefaults to false in order for mailbox quotas to apply.
WARNING: The command completed successfully but no settings of 'domain.com/Users/extest_f129cf97e73a4' have been
modified.

You can enable the test user for Unified Messaging by running this command with the following optional parameters : [-UM
DialPlan <dialplanname> -UMExtension <numDigitsInDialplan>] . Either None or Both must be present.
0
 
LVL 32

Expert Comment

by:it_saige
ID: 40332865
What is the output of the Get-OutlookAnywhere cmdlet?

-saige-
0
 

Author Comment

by:tiptechs
ID: 40332866
Not sure if this is where my issue is.

[PS] C:\Windows\System32>Test-OutlookWebServices -ClientAccessServer mail1.domain.com
Unable to find the client accesss monitoring user. Please run C:\Exchange
2013\Scripts\New-TestCasConnectivityUser.ps1. Exception:
Microsoft.Exchange.Monitoring.CasHealthStorageErrorException: An error occurred while trying to access mailbox
mail2.domain.com, on behalf of user domain.com\extest_f129cf97e73a4
 Additional information:
 [Microsoft.Exchange.Data.Storage.WrongServerException]: The user and the mailbox are in different Active Directory
sites..
0
 
LVL 32

Expert Comment

by:it_saige
ID: 40332889
Just saw a forum post that said this person resolved the Test-OutlookWebServices issue with this by running the new-TestCasConnectivityUser.ps1 twice in a row (without deleting the mailbox).

http://social.technet.microsoft.com/Forums/lync/en-US/b4a9e8b4-b905-49e2-b8f8-cdf8b4fd8df3/scripts-not-finding-the-client-access-monitoring-user

-saige-
0
 

Author Comment

by:tiptechs
ID: 40332910
Thanks Saige.  That didn't seem to work.  Tried it a few times and it keeps saying "no settings have been modified" when running the script and same error when running the test.
0
 
LVL 32

Expert Comment

by:it_saige
ID: 40332931
How about the output for the Get-OutlookAnywhere cmdlet?

-saige-
0
 

Author Comment

by:tiptechs
ID: 40332971
Here is the Get-OutlookAnywhere


[PS] C:\Exchange 2013\Scripts>Get-OutlookAnywhere





RunspaceId                         : d4f9140f-ee61-4562-a2a2-d49a7baebe13
ServerName                         : mail2
SSLOffloading                      : True
ExternalHostname                   : mail.domain.com
InternalHostname                   : mail2.domain.com
ExternalClientAuthenticationMethod : Negotiate
InternalClientAuthenticationMethod : Ntlm
IISAuthenticationMethods           : {Basic, Ntlm, Negotiate}
XropUrl                            :
ExternalClientsRequireSsl          : True
InternalClientsRequireSsl          : True
MetabasePath                       : IIS://mail2.domain.com/W3SVC/1/ROOT/Rpc
Path                               : C:\Exchange 2013\FrontEnd\HttpProxy\rpc
ExtendedProtectionTokenChecking    : None
ExtendedProtectionFlags            : {}
ExtendedProtectionSPNList          : {}
AdminDisplayVersion                : Version 15.0 (Build 995.29)
Server                             : T-MAIL1
AdminDisplayName                   :
ExchangeVersion                    : 0.20 (15.0.0.0)
Name                               : Rpc (Default Web Site)
DistinguishedName                  : CN=Rpc (Default Web Site),CN=HTTP,CN=Protocols,CN=mail2,CN=Servers,CN=Exchange
                                     Administrative Group (FYDIBOHF23SPDLT),CN=Administrative
                                     Groups,CN=ORG,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=com
Identity                           : mail2\Rpc (Default Web Site)
Guid                               : e7575aa6-a99b-4957-a1f9-2f7b134cf4dd
ObjectCategory                     : domain.com/Configuration/Schema/ms-Exch-Rpc-Http-Virtual-Directory
ObjectClass                        : {top, msExchVirtualDirectory, msExchRpcHttpVirtualDirectory}
WhenChanged                        : 9/9/2014 1:32:57 PM
WhenCreated                        : 9/1/2014 9:51:47 PM
WhenChangedUTC                     : 9/9/2014 5:32:57 PM
WhenCreatedUTC                     : 9/2/2014 1:51:47 AM
OrganizationId                     :
OriginatingServer                  : dc.domain.com
IsValid                            : True
ObjectState                        : Changed

RunspaceId                         : d4f9140f-ee61-4562-a2a2-d49a7baebe13
ServerName                         : mail1
SSLOffloading                      : False
ExternalHostname                   : mail.domain.com
InternalHostname                   : mail.domain.com
ExternalClientAuthenticationMethod : Negotiate
InternalClientAuthenticationMethod : Negotiate
IISAuthenticationMethods           : {Negotiate}
XropUrl                            :
ExternalClientsRequireSsl          : True
InternalClientsRequireSsl          : True
MetabasePath                       : IIS://mail1.domain.com/W3SVC/1/ROOT/Rpc
Path                               : c:\Exchange 2013\FrontEnd\HttpProxy\rpc
ExtendedProtectionTokenChecking    : None
ExtendedProtectionFlags            : {}
ExtendedProtectionSPNList          : {}
AdminDisplayVersion                : Version 15.0 (Build 995.29)
Server                             : mail1
AdminDisplayName                   :
ExchangeVersion                    : 0.20 (15.0.0.0)
Name                               : Rpc (Default Web Site)
DistinguishedName                  : CN=Rpc (Default Web Site),CN=HTTP,CN=Protocols,CN=mail1,CN=Servers,CN=Exchange
                                     Administrative Group (FYDIBOHF23SPDLT),CN=Administrative
                                     Groups,CN=ORG,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=com
Identity                           : mail1\Rpc (Default Web Site)
Guid                               : 5aa92478-660a-4829-8410-0da04db25291
ObjectCategory                     : domain.com/Configuration/Schema/ms-Exch-Rpc-Http-Virtual-Directory
ObjectClass                        : {top, msExchVirtualDirectory, msExchRpcHttpVirtualDirectory}
WhenChanged                        : 9/18/2014 12:23:54 PM
WhenCreated                        : 9/13/2014 3:21:19 PM
WhenChangedUTC                     : 9/18/2014 4:23:54 PM
WhenCreatedUTC                     : 9/13/2014 7:21:19 PM
OrganizationId                     :
OriginatingServer                  : dc.domain.com
IsValid                            : True
ObjectState                        : Changed




The task wasn't able to connect to IIS on the server 'mail3.domain.com'. Make sure that the server exists and
can be reached from this computer: The RPC server is unavailable.
    + CategoryInfo          : ReadError: (mail3\Rpc (Default Web Site):ADObjectId) [Get-OutlookAnywhere], IISNot
   ReachableException
    + FullyQualifiedErrorId : [Server=mail1,RequestId=7d0804fe-5ee2-420d-aa7f-ae30d21cf78e,TimeStamp=9/19/2014 3:41:45
    PM] [FailureCategory=Cmdlet-IISNotReachableException] D5AF7AAC,Microsoft.Exchange.Management.SystemConfigurationT
  asks.GetRpcHttp
    + PSComputerName        : mail1.domain.com


The above is an old server that failed, but is still listed.
0
 
LVL 32

Expert Comment

by:it_saige
ID: 40332996
AD has orphaned entries for the failed server as it was not properly removed from the domain.

mail2 has InternalClientAuthenticationMethod : Ntlm
while mail1 has InternalClientAuthenticationMethod : Negotiate

mail2 also has IISAuthenticationMethods           : {Basic, Ntlm, Negotiate}
while mail1 has IISAuthenticationMethods           : {Negotiate}

For frame of reference because I see where you are removing the servernames.

Mail2 is ? (Exchange x)
Mail1 is ? (Exchange x)

Also, is the Common Name on the Certificate mail.domain.com or is it something else?

-saige-
0
 
LVL 32

Expert Comment

by:it_saige
ID: 40333000
Never mind on the versions, these are obviously Exchange 2013. I browsed over the lines stating the version, silly me.

-saige-
0
 

Author Comment

by:tiptechs
ID: 40333012
Np. I appreciate the help. So the next step should be to make the authentication methods on both servers the same?
0
 

Author Comment

by:tiptechs
ID: 40333028
The common name is mail.domain.com
0
 
LVL 32

Accepted Solution

by:
it_saige earned 500 total points
ID: 40333046
Change mail2's InternalClientAuthenticationMethod to Negotiate.

Change mail1's IISAuthenticationMethods to Basic, NTLM, Negotiate.

Then run through Microsoft Office Outlook Connectivity Tests in the Remote Connectivity Analyzer (https://testconnectivity.microsoft.com/).

Please provide the results of the Connectivity and Autodiscover tests.

-saige-
0
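The mismatch addressed by the answer above, as an added check (not from the thread): a PowerShell function that takes Get-OutlookAnywhere objects and reports a client authentication method that is not enabled in IIS on the same server, plus any setting that differs between servers. The function name is hypothetical and the sample objects are constructed from the values posted earlier in this thread.

```powershell
# Added example; Compare-OutlookAnywhereAuth is a hypothetical helper name.
function Compare-OutlookAnywhereAuth {
    param([Parameter(Mandatory)] [object[]] $VirtualDirectory)

    $findings = @()
    $rows = foreach ($vd in $VirtualDirectory) {
        # Normalise to strings: remote sessions return deserialized values.
        $iis = @($vd.IISAuthenticationMethods | ForEach-Object { "$_" } | Sort-Object)
        foreach ($prop in 'InternalClientAuthenticationMethod', 'ExternalClientAuthenticationMethod') {
            $method = "$($vd.$prop)"
            # The method advertised to clients should be enabled on the /rpc virtual directory.
            if ($method -and ($iis -notcontains $method)) {
                $findings += "$($vd.ServerName): $prop '$method' is not in IISAuthenticationMethods {$($iis -join ', ')}"
            }
        }
        [pscustomobject]@{
            ServerName = "$($vd.ServerName)"
            Internal   = "$($vd.InternalClientAuthenticationMethod)"
            External   = "$($vd.ExternalClientAuthenticationMethod)"
            IIS        = ($iis -join ', ')
        }
    }

    # Servers behind one namespace (mail.domain.com here) should present the same settings.
    foreach ($col in 'Internal', 'External', 'IIS') {
        $groups = @($rows | Group-Object -Property $col)
        if ($groups.Count -gt 1) {
            $detail = ($groups | ForEach-Object { "'$($_.Name)' on $($_.Group.ServerName -join '+')" }) -join '; '
            $findings += "$col differs between servers: $detail"
        }
    }
    return $findings
}

# Constructed from the Get-OutlookAnywhere output posted in this thread.
$sample = @(
    [pscustomobject]@{
        ServerName                         = 'mail2'
        InternalClientAuthenticationMethod = 'Ntlm'
        ExternalClientAuthenticationMethod = 'Negotiate'
        IISAuthenticationMethods           = @('Basic', 'Ntlm', 'Negotiate')
    }
    [pscustomobject]@{
        ServerName                         = 'mail1'
        InternalClientAuthenticationMethod = 'Negotiate'
        ExternalClientAuthenticationMethod = 'Negotiate'
        IISAuthenticationMethods           = @('Negotiate')
    }
)
Compare-OutlookAnywhereAuth -VirtualDirectory $sample

# Live use in the Exchange Management Shell; -ErrorAction keeps an unreachable
# server (such as the failed mail3 above) from cluttering the comparison:
#   Compare-OutlookAnywhereAuth -VirtualDirectory (Get-OutlookAnywhere -ErrorAction SilentlyContinue)
```

With the sample values, the function reports that the Internal and IIS settings differ between mail1 and mail2 and that External is consistent.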
 

Author Comment

by:tiptechs
ID: 40333061
Saige, should I change these authentication methods via PS or through IIS?
0
 
LVL 32

Expert Comment

by:it_saige
ID: 40333078
PowerShell, the cmdlets will handle the IIS changes.

Make sure you do an iisreset after you make your changes.

-saige-
0
 

Author Comment

by:tiptechs
ID: 40333086
I changed the methods via PS.


[PS] c:\Exchange 2013\Scripts>Set-OutlookAnywhere -Identity "mail1\rpc (Default Web Site)" -IISAuthenticationMethods Basic,NTLM,Negotiate
[PS] c:\Exchange 2013\Scripts>Set-OutlookAnywhere -Identity "mail2\rpc (Default Web Site)" -InternalClientAuthenticationMethod Negotiate


Tried outlook again, with no luck.


Ran the exchange connectivity test and got the below error:

Testing HTTP Authentication Methods for URL https://mail.domain.com/rpc/rpcproxy.dll?mail.domain.com:6002.
  The HTTP authentication test failed.
0
 
LVL 32

Expert Comment

by:it_saige
ID: 40333095
When you run the connectivity test, you can save the results to an HTML file.  Can you rerun the connectivity test, save the results and upload them?

-saige-
0
 

Author Comment

by:tiptechs
ID: 40333104
I reset IIS on both servers.  Outlook connected for about 30 seconds and then went to disconnected.   It is no longer prompting me for the password.

I ran the outlook / exchange connectivity test again and the test came back successful this time.
0
 

Author Comment

by:tiptechs
ID: 40333109
I set up a new Outlook profile and that all went through. It is now showing "preparing outlook for first use.."

Will let you know once that finishes up.
0
 
LVL 32

Expert Comment

by:it_saige
ID: 40333133
Also check your PublicFolderMigration states:

Get-OrganizationConfig | Select PublicFoldersLockedforMigration, PublicFolderMigrationComplete

-saige-
0
 

Author Comment

by:tiptechs
ID: 40333232
Saige, Outlook is now working. Thanks.

I ran the public folders command and got False for PublicFoldersLockedForMigration and PublicFolderMigrationComplete.
0
 
LVL 32

Expert Comment

by:it_saige
ID: 40333277
Glad you got it all sorted out.  You will have to get the orphaned exchange server removed from the domain.  I'm not certain how Exchange 2013 would handle this, but you might be able to get Exchange installed onto a computer that uses the same server name using the settings within AD to rebuild the Exchange configuration.  Once that is done then you can complete the public folder migration and then remove the old server.

http://ripusudan.wordpress.com/2012/10/09/how-to-customize-ms-office-2010-installation-using-oct/

Ultimately though, I do not know what the state of the Exchange 2010 server is (was) when it went down and I do not know what your current data recovery strategy encompasses (and whether or not you can simply restore a virtual machine with your Exchange 2010 server's image/vhd or backup).

-saige-
0
