Solved

External clients cannot connect to Outlook Anywhere

Posted on 2014-10-30
Last Modified: 2014-11-02
I have a feeling I have not added the correct domains to my SSL cert for Exchange 2010. External clients are unable to connect to Outlook Anywhere. In external Outlook, I get a prompt for username and password, but I continue to be prompted for username and password even after entering correct credentials. I can successfully navigate to https://domain.com/rpc/rpcproxy.dll from an external browser and log in successfully (blank page is loaded). Any help would be greatly appreciated!
Question by:raduk
20 Comments
 
LVL 19

Expert Comment

by:strivoli
ID: 40415126
Please use this site to test your connectivity: https://testconnectivity.microsoft.com/
0
 
LVL 1

Author Comment

by:raduk
ID: 40415140
Results are as follows:


The Autodiscover service couldn't be contacted successfully by any method.

Testing of this potential Autodiscover URL failed.

The host name resolved successfully.

The port was opened successfully.

The Microsoft Connectivity Analyzer wasn't able to obtain the remote SSL certificate.

The certificate couldn't be validated because SSL negotiation wasn't successful. This could have occurred as a result of a network error or because of a problem with the certificate installation.

When installing the cert I followed this: http://exchangeserverpro.com/configure-an-ssl-certificate-for-exchange-server-2010/
0
 
LVL 19

Expert Comment

by:strivoli
ID: 40415150
Can you access OWA also known as "Outlook Web App"?
0
 
LVL 1

Author Comment

by:raduk
ID: 40415152
Yes, I've never had any trouble accessing OWA.
0
 
LVL 19

Expert Comment

by:strivoli
ID: 40415153
OK. Even from outside? Do you confirm you access OWA with SSL (does the URL start with https://...)?
Furthermore... is the certificate private (you created the certificate) or public (you bought a certificate from a CA)?
0
 
LVL 1

Author Comment

by:raduk
ID: 40415160
I used to have a self-signed cert for OWA. Just today I installed a certificate that I purchased from RapidSSL, and OWA no longer uses a self-signed cert. Yes, I can access OWA fine from the outside and the cert is not self-signed.
0
 
LVL 11

Expert Comment

by:hecgomrec
ID: 40415956
Microsoft Test Connectivity and the Autodiscover overview will let you know it will try to use one of the following formats. Depending on whether you've configured the Autodiscover service, the Autodiscover service URL will be either

              https://<smtp-address-domain>/autodiscover/autodiscover.xml

              https://autodiscover.<smtp-address-domain>/autodiscover/autodiscover.xml

Where <smtp-address-domain> is the primary SMTP domain address.


What they don't say is that this will hardly work... why?

First method:

Most of the time your "SMTP domain address" is where your main website is, regardless of whether you host it in house or not. It might be on another server or site, so "mycompanyaddress.com/autodiscover/autodiscover.xml" will never be discovered because the Autodiscover virtual directory is on the Exchange server site and not on your company's main site.

Second Method:

You must include autodiscover.mycompanyaddress.com in your ISP DNS search. Also, you have to create a binding on your site to accept the name; after all, most likely you used mail, webmail, email or something else to name your server access. If you don't, it will never find the server either.

So if you don't do any of this, either you create the users' profile manually, where you will have to set the server's name, the proxy server name, username, etc., or include all of the above.

This for some is not bad at all and actually is kind of more secure because you will have to define the authentication method and know the name of the server.  The most used form is "mail.domain_name.com".

One extra consideration: OWA from outside the organization will work because you'll type mail.domain_name.com/owa, but for the proxy you need only mail.domain_name.com, so you must have a redirection in place for this name to go to the first one, ideally forcing SSL.

Good Luck
0
 
LVL 1

Author Comment

by:raduk
ID: 40416200
Even if I type in the IP address of the Exchange server in an external Outlook client, it will not authenticate with the server. Shouldn't typing in the IP address bypass the DNS issues you listed?
0
 
LVL 11

Expert Comment

by:hecgomrec
ID: 40416407
No... Exchange needs you to type the DNS you provided in the configuration... this is what you have in your SSL
0
 
LVL 1

Author Comment

by:raduk
ID: 40416528
Hecgomrec, what do you mean by 'type in the DNS you provided in the configuration'?  Sorry but I'm not following you here.
0

 
LVL 2

Expert Comment

by:Jasvindar Singh
ID: 40416534
Solution 1:
If you have an SSL certificate with multiple URLs, the OWA URL and autodiscover.domain.com, then:

Make sure, HOST A record - autodiscover.domain.com is pointing to your CAS server in public DNS.
For e.g. both your OWA and Autodiscover Host A record should point to same IP Address.

Solution 2:
If you have SSL Certificate which contains only OWA URL then,

In your external DNS zone, remove any HOST (A) or CNAME records for the Autodiscover service.
Use the following parameters to create a new SRV record:
Service: _autodiscover
Protocol: _tcp
Port Number: 443
Host: mail.contoso.com       - This should be your OWA URL

Very good article which would clear all your doubts related to Autodiscover+Outlook Anywhere
http://support.microsoft.com/kb/940881
0
 
LVL 1

Author Comment

by:raduk
ID: 40416566
OWA is accessed by going to mail.domain.com/owa.
I have a public DNS A record pointing mail.domain.com to my CAS server. OWA works fine with this A record.
I also have an A record for autodiscover.domain.com pointing to the same CAS server. Outlook Anywhere does not work in this scenario. I believe my SSL cert includes autodiscover.domain.com (is there a way to check this?)

For solution 2, where am I creating this DNS record? On my internal DNS server or public DNS server? I thought SRV records were only made on internal DNS servers.
0
 
LVL 1

Author Comment

by:raduk
ID: 40416630
In my DNS forward lookup zones on the domain controller I have msdcs.domain.local and domain.local. I tried adding an SRV record to both of these lookup zones and was still unable to get Autodiscover working =(
0
 
LVL 30

Accepted Solution

by:
Gareth Gudger earned 500 total points
ID: 40417736
Hey raduk,

I would take a look at this article.
http://supertekboy.com/2014/05/27/designing-a-simple-name-space-for-exchange-2010/

It will step you through configuring your cert, all exchange URLs and all DNS configuration both external and internal. Step by step with screenshots along the way. Good check list if you are already part way through as well.
0
 
LVL 1

Author Comment

by:raduk
ID: 40418680
OK Gareth, that helped in getting all of my URLs set properly. Now it seems that my certificate is failing verification because it's saying that autodiscover.domain.com doesn't match any name on my certificate when I'm positive I added that URL in the cert request.

Is there any GET command in PowerShell to view the URLs that are listed in my cert? Is there a way to add URLs to the cert if they aren't already there or would I need to purchase a new one?

I feel as though I'm close to getting this figured out.  The reason I'm trying to get Outlook Anywhere set up is so I can do a cutover migration to office 365 and never have to deal with the on-premises Exchange server again.
0
 
LVL 30

Expert Comment

by:Gareth Gudger
ID: 40418686
Hey Raduk,

Easiest way is to go to OWA in your Web Browser. For internet explorer click the Padlock icon in the Address Bar and View Certificate.

From there click the Details tab. Then scroll down and select Subject Alternative Name. You should see all names that are on your cert.
0
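The check raduk asks for, as an added PowerShell example that is not part of the original thread: it reads the Subject Alternative Name list from the certificate a server presents and reports which required host names it does not cover. The function names are hypothetical, `domain.com` is the thread's placeholder, and the sample name list at the end is constructed.

```powershell
# Added example; function names are hypothetical, domain.com is the thread's placeholder.
# On the Exchange server itself, the Exchange Management Shell shows the same list:
#   Get-ExchangeCertificate | Format-List Subject, CertificateDomains, Services, NotAfter

function Get-RemoteCertDnsNames {
    param([Parameter(Mandatory=$true)][string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept whatever is presented: the goal is to read the certificate, not trust it.
        $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAny)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $client.Close() }
    # 2.5.29.17 is the Subject Alternative Name extension
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { return @() }
    # English Windows formats entries as "DNS Name=host"; other platforms use "DNS:host"
    [regex]::Matches($san.Format($false), '(?:DNS Name=|DNS:)([^,\s]+)') |
        ForEach-Object { $_.Groups[1].Value }
}

function Test-NameCovered {
    param([string]$Name, [string[]]$CertNames)
    foreach ($pattern in $CertNames) {
        if ($pattern -eq $Name) { return $true }   # -eq ignores case for strings
        # A wildcard covers exactly one leftmost label: *.domain.com matches mail.domain.com
        if ($pattern.StartsWith('*.') -and $Name.Contains('.') -and
            $Name.Substring($Name.IndexOf('.')) -eq $pattern.Substring(1)) { return $true }
    }
    return $false
}

# Names external Outlook clients connect to in this thread's setup
$required = 'mail.domain.com', 'autodiscover.domain.com'

# Constructed sample: a certificate whose SAN holds only the OWA name.
# Against a live server, use instead: $sanNames = Get-RemoteCertDnsNames -HostName 'mail.domain.com'
$sanNames = @('mail.domain.com')

foreach ($name in $required) {
    '{0,-26} covered: {1}' -f $name, (Test-NameCovered $name $sanNames)
}
```

A name reported as not covered has to be added by reissuing the certificate with that name in the request; names cannot be appended to an already issued certificate.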
 
LVL 1

Author Comment

by:raduk
ID: 40418692
Gareth,

I didn't see the padlock in IE for some reason but Firefox had it. When I view the value for certificate subject alt name it says

Not Critical
DNS Name: mail.domain.com

I'm assuming that mail.domain.com is the only domain listed here even though when I set up this cert I did something very similar to this, only with my URLs: http://exchangeserverpro.com/wp-content/uploads/2010/05/certificate006.png

I will try to contact the SSL provider and see if they can reissue another cert with the correct domains unless you suggest something else.

Thanks!
0
 
LVL 1

Author Comment

by:raduk
ID: 40418761
OK I have gotten a multi-domain cert from here https://www.namecheap.com/security/ssl-certificates/multi-domain.aspx

The Remote connectivity analyzer succeeds with autodiscovery now but with 1 warning

Analyzing the certificate chains for compatibility problems with versions of Windows.
       Potential compatibility problems were identified with some versions of Windows.
       
      Additional Details
       
The Microsoft Connectivity Analyzer can only validate the certificate chain using the Root Certificate Update functionality from Windows Update. Your certificate may not be trusted on Windows if the "Update Root Certificates" feature isn't enabled.

I'm not exactly sure what this means, but what matters is that I still am unable to connect to my Exchange server from outside of the organization. I'm attempting to use Outlook 2007 and attempting to connect to mail.domain.com using NTLM auth. I keep getting prompted for username and password and have tried domain/username and just username with my password with no luck. Any additional help would be greatly appreciated.
0
 
LVL 1

Author Comment

by:raduk
ID: 40418782
OK, I got it sorted. When configuring Outlook 2007 for Outlook Anywhere, after selecting 'Exchange Server' for the email server, on the first page where it asks you to provide the 'Microsoft Exchange Server:' you need to input the INTERNAL hostname of your Exchange server (i.e. EXCHANGE.domain.local) before you go to 'More Settings' and configure the Outlook Anywhere proxy settings. Once this was done all was well and Outlook Anywhere is working fine. Thanks for all of your help!
0
 
LVL 30

Expert Comment

by:Gareth Gudger
ID: 40418880
Awesome.
0
