External clients cannot connect to Outlook Anywhere

I have a feeling I have not added the correct domains to my SSL cert for Exchange 2010. External clients are unable to connect to Outlook Anywhere. In external Outlook, I get a prompt for username and password, but I continue to be prompted for username and password even after entering correct credentials. I can successfully navigate to https://domain.com/rpc/rpcproxy.dll from an external browser and log in successfully (a blank page is loaded). Any help would be greatly appreciated!

Please use this site to test your connectivity: https://testconnectivity.microsoft.com/
radukAuthor Commented:
Results are as follows:

The Autodiscover service couldn't be contacted successfully by any method.

Testing of this potential Autodiscover URL failed.

The host name resolved successfully.

The port was opened successfully.

The Microsoft Connectivity Analyzer wasn't able to obtain the remote SSL certificate.

The certificate couldn't be validated because SSL negotiation wasn't successful. This could have occurred as a result of a network error or because of a problem with the certificate installation.

When installing the cert I followed this: http://exchangeserverpro.com/configure-an-ssl-certificate-for-exchange-server-2010/
Can you access OWA also known as "Outlook Web App"?

radukAuthor Commented:
Yes, I've never had any trouble accessing OWA.
OK. Even from outside? Do you confirm you access OWA with SSL (does the URL start with https://...)?
Furthermore... is the certificate private (you created the certificate) or public (you bought a certificate from a CA)?
radukAuthor Commented:
I used to have a self-signed cert for OWA. Just today I installed a certificate that I purchased from RapidSSL and OWA no longer uses a self-signed cert. Yes, I can access OWA fine from the outside and the cert is not self-signed.
Microsoft's Test Connectivity and Autodiscover overview will let you know it will try to use one of the following formats. Depending on whether you've configured the Autodiscover service, the Autodiscover service URL will be either



Where ://<smtp-address-domain> is the primary SMTP domain address.

What they don't say is that this will hardly ever work... why?

First method:

Most of the time your "SMTP domain address" is where your main website is, regardless of whether you host it in house or not. It might be on another server or site, so "mycompanyaddress.com/autodiscover/autodiscover.xml" will never be discovered, because the autodiscover virtual directory is on the Exchange server site and not on your company's main site.

Second Method:

You must include autodiscover.mycompanyaddress.com in your ISP's DNS. Also, you have to create a binding on your site to accept the name; after all, most likely you used mail, webmail, email or something else to name your server access. If you don't, it will never find the server either.

So if you don't do any of this, either you create the users' profiles manually, where you will have to set the server's name, the proxy server name, username, etc., or you include all of the above.

This for some is not bad at all, and actually is kind of more secure, because you will have to define the authentication method and know the name of the server. The most used form is "mail.domain_name.com".

One extra consideration: OWA from outside the organization will work because you'll type mail.domain_name.com/owa, but for the proxy you need only mail.domain_name.com, so you must have a redirection in place for this name to go to the first one, ideally forcing SSL.

Good Luck
radukAuthor Commented:
Even if I type in the IP address of the Exchange server in an external Outlook client, it will not authenticate with the server. Shouldn't typing in the IP address bypass the DNS issues you listed?
No... Exchange needs you to type the DNS name you provided in the configuration... this is what you have in your SSL cert.
radukAuthor Commented:
Hecgomrec, what do you mean by 'type in the DNS you provided in the configuration'? Sorry, but I'm not following you here.
Jasvindar SinghOffice 365 AdministratorCommented:
Solution 1:
If you have an SSL certificate with multiple URLs (the OWA URL and autodiscover.domain.com), then:

Make sure the HOST (A) record autodiscover.domain.com is pointing to your CAS server in public DNS.
For example, both your OWA and Autodiscover Host (A) records should point to the same IP address.

Solution 2:
If you have an SSL certificate which contains only the OWA URL, then:

In your external DNS zone, remove any HOST (A) or CNAME records for the Autodiscover service.
Use the following parameters to create a new SRV record:
Service: _autodiscover
Protocol: _tcp
Port Number: 443
Host: mail.contoso.com - This should be your OWA URL

A very good article which would clear all your doubts related to Autodiscover + Outlook Anywhere:
radukAuthor Commented:
OWA is accessed by going to mail.domain.com/owa.
I have a public DNS A record pointing mail.domain.com to my CAS server. OWA works fine with this A record.
I also have an A record for autodiscover.domain.com pointing to the same CAS server. Outlook Anywhere does not work in this scenario. I believe my SSL cert includes autodiscover.domain.com (is there a way to check this?).

For solution 2, where am I creating this DNS record? On my internal DNS server or public DNS server? I thought SRV records were only made on internal DNS servers.
radukAuthor Commented:
In my DNS forward lookup zones on the domain controller I have msdcs.domain.local and domain.local. I tried adding an SRV record to both of these lookup zones and was still unable to get Autodiscover working =(
Gareth GudgerSolution ArchitectCommented:
Hey raduk,

I would take a look at this article.

It will step you through configuring your cert, all Exchange URLs and all DNS configuration, both external and internal. Step by step with screenshots along the way. Good checklist if you are already part way through as well.

radukAuthor Commented:
OK Gareth, that helped in getting all of my URLs set properly. Now it seems that my certificate is failing verification, because it's saying that autodiscover.domain.com doesn't match any name on my certificate, when I'm positive I added that URL in the cert request.

Is there any Get command in PowerShell to view the URLs that are listed in my cert? Is there a way to add URLs to the cert if they aren't already there, or would I need to purchase a new one?

I feel as though I'm close to getting this figured out. The reason I'm trying to get Outlook Anywhere set up is so I can do a cutover migration to Office 365 and never have to deal with the on-premises Exchange server again.
Gareth GudgerSolution ArchitectCommented:
Hey Raduk,

Easiest way is to go to OWA in your web browser. For Internet Explorer, click the padlock icon in the address bar and choose View Certificate.

From there click the Details tab. Then scroll down and select Subject Alternative Name. You should see all names that are on your cert.
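As an added illustration of the two DNS options above and of why the Subject Alternative Name check matters, here is a small Python model (not code from any poster, from Experts Exchange or from Microsoft) of the Autodiscover name order and the certificate coverage a client needs; domain.com is the thread's placeholder, and the SAN lists and CAS names are constructed from the posts.

```python
"""Model of the Autodiscover name order and certificate coverage from this
thread. Added example, not code from any poster, Experts Exchange or
Microsoft. Outlook tries <smtp-domain>, then autodiscover.<smtp-domain>,
then the _autodiscover._tcp SRV target; a candidate works only if DNS sends
it to the CAS and the cert's Subject Alternative Name covers that name.
domain.com is the thread's placeholder; all SAN lists here are constructed.
"""


def autodiscover_candidates(smtp_domain, srv_target=None):
    """Host names an Outlook client tries, in order."""
    hosts = [smtp_domain, "autodiscover." + smtp_domain]
    if srv_target:                      # Solution 2: SRV record target
        hosts.append(srv_target)
    return hosts


def san_matches(san, host):
    """Case-insensitive; '*' may only be the whole leftmost label and matches
    exactly one label (*.domain.com covers mail.domain.com, not domain.com)."""
    san, host = san.lower().rstrip("."), host.lower().rstrip(".")
    if not san.startswith("*."):
        return san == host
    s_labels, h_labels = san.split("."), host.split(".")
    return len(s_labels) == len(h_labels) and s_labels[1:] == h_labels[1:]


def covered(san_list, host):
    """True if any SAN entry matches the host name."""
    return any(san_matches(s, host) for s in san_list)


def first_working_candidate(candidates, points_to_cas, san_list):
    """(host, None) for the first candidate that reaches the CAS and is on the
    cert; otherwise (None, reasons) listing why each candidate failed."""
    reasons = []
    for host in candidates:
        if host not in points_to_cas:
            reasons.append(f"{host}: DNS does not reach the CAS")
        elif not covered(san_list, host):
            reasons.append(f"{host}: not in certificate SAN {san_list}")
        else:
            return host, None
    return None, reasons


# Constructed scenarios taken from the thread's posts.
CAS_NAMES = {"mail.domain.com", "autodiscover.domain.com"}  # A records to CAS
RAPIDSSL_SAN = ["mail.domain.com"]                          # single-name cert
MULTI_SAN = ["mail.domain.com", "autodiscover.domain.com"]  # replacement cert
```

With the single-name cert and both A records pointing at the CAS, `first_working_candidate` returns no host and reports that autodiscover.domain.com is missing from the SAN, which is exactly the mismatch the connectivity analyzer reports; with an SRV record targeting mail.domain.com, the single-name cert is enough.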
radukAuthor Commented:

I didn't see the padlock in IE for some reason, but Firefox had it. When I view the value for Certificate Subject Alt Name it says:

Not Critical
DNS Name: mail.domain.com

I'm assuming that mail.domain.com is the only domain listed here, even though when I set up this cert I did something very similar to this, only with my URLs: http://exchangeserverpro.com/wp-content/uploads/2010/05/certificate006.png

I will try to contact the SSL provider and see if they can reissue another cert with the correct domains unless you suggest something else.

radukAuthor Commented:
OK, I have gotten a multi-domain cert from here: https://www.namecheap.com/security/ssl-certificates/multi-domain.aspx

The Remote Connectivity Analyzer succeeds with Autodiscover now, but with 1 warning:

Analyzing the certificate chains for compatibility problems with versions of Windows.
Potential compatibility problems were identified with some versions of Windows.
Additional Details
The Microsoft Connectivity Analyzer can only validate the certificate chain using the Root Certificate Update functionality from Windows Update. Your certificate may not be trusted on Windows if the "Update Root Certificates" feature isn't enabled.

I'm not exactly sure what this means, but what matters is that I still am unable to connect to my Exchange server from outside of the organization. I'm attempting to use Outlook 2007 and attempting to connect to mail.domain.com using NTLM auth. I keep getting prompted for username and password and have tried domain/username and just username with my password, with no luck. Any additional help would be greatly appreciated.
radukAuthor Commented:
OK, I got it sorted. When configuring Outlook 2007 for Outlook Anywhere, after selecting 'Exchange Server' for the email server, on the first page where it asks you to provide the 'Microsoft Exchange Server:' you need to input the INTERNAL hostname of your Exchange server (i.e. EXCHANGE.domain.local) before you go to 'More Settings' and configure the Outlook Anywhere proxy settings. Once this was done all was well and Outlook Anywhere is working fine. Thanks for all of your help!