Solved

Outlook Anywhere authentication fails against new exchange 2010 server

Posted on 2014-12-16
Last Modified: 2014-12-29
We have just moved Exchange 2010 to upgraded hardware; however, Outlook Anywhere connections are still dependent on the old server for authentication.

We have installed Exchange on the new server and moved all of the mailboxes into a database on the new server.  
I have updated the server name on the database to the new server for RPC and any other instance where the old server name was listed.  
I have updated the URLs to the new server for OWA, OAB etc.  
FW ports and DNS have been updated to the new server.
Connectors have been duplicated.
Outlook Anywhere is enabled.
Server passes Exchange connectivity tests (with both servers online).

However, when I shut the old server down, internal Outlook clients connect, OWA works, ActiveSync works, but Outlook clients from off-site are repeatedly prompted for a password and will not connect.  When checking Outlook connectivity, the server Outlook is connecting to is listed as the new server name.  It seems the new server is proxying some aspect of Outlook Anywhere authentication over to the old server.

I have read a brief post saying that a CAS array would solve this issue; however, I do not see why an array would be necessary when all I want is one server active.

Is there perhaps a setting in AD which needs to be manually configured?

Thanks,
Question by:YMartin

Expert Comment

by:Simon Butler (Sembee)
ID: 40503065
The primary reason for authentication issues with Outlook Anywhere has nothing to do with authentication, but with the SSL certificate. Do you have a trusted SSL certificate in place?
The second most common reason is trying to use NTLM authentication and it is broken by the firewall. Basic will always work, although it will generate an authentication prompt even for clients on the domain.

CAS array would have nothing to do with this, because that is for RPC traffic only. Ideally you would have had a CAS array in place from the start, because it makes it very easy to move between servers, but it isn't the issue here.

Have you run an Autodiscover test to see what is being returned to the client?

Simon.
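
A read-only way to check the points raised in this answer (which authentication methods Outlook Anywhere offers, and what Autodiscover and the virtual directories advertise to clients), as an added example that is not part of the original thread. It uses standard Exchange 2010 Management Shell cmdlets and flags any value that still names the old server; `OLD-EXCH01` and the `New-Finding` helper are hypothetical names.

```powershell
# Added example: run in the Exchange Management Shell on an Exchange 2010 server.
# 'OLD-EXCH01' is a placeholder for the retired server's host name (assumption).
$OldServer = 'OLD-EXCH01'

function New-Finding($Source, $Setting, $Value) {
    # PowerShell 2.0-compatible record; Stale is true when the value names the old server
    New-Object PSObject -Property @{
        Source  = $Source
        Setting = $Setting
        Value   = [string]$Value
        Stale   = ([string]$Value -match [regex]::Escape($OldServer))
    }
}

$findings = @()

# RPC endpoint that each mailbox database hands to Outlook
$findings += Get-MailboxDatabase | ForEach-Object {
    New-Finding "Database $($_.Name)" 'RpcClientAccessServer' $_.RpcClientAccessServer
}

# Autodiscover service connection point published in AD for domain-joined clients
$findings += Get-ClientAccessServer | ForEach-Object {
    New-Finding "CAS $($_.Name)" 'AutoDiscoverServiceInternalUri' $_.AutoDiscoverServiceInternalUri
}

# Outlook Anywhere host name and the authentication methods offered to clients and by IIS
$findings += Get-OutlookAnywhere | ForEach-Object {
    New-Finding "OA $($_.Server)" 'ExternalHostname' $_.ExternalHostname
    New-Finding "OA $($_.Server)" 'ClientAuthenticationMethod' $_.ClientAuthenticationMethod
    New-Finding "OA $($_.Server)" 'IISAuthenticationMethods' ($_.IISAuthenticationMethods -join ',')
}

# Client-facing URLs on each virtual directory (OWA, ECP, OAB, EWS, ActiveSync)
$vdirCmdlets = 'Get-OwaVirtualDirectory', 'Get-EcpVirtualDirectory', 'Get-OabVirtualDirectory',
               'Get-WebServicesVirtualDirectory', 'Get-ActiveSyncVirtualDirectory'
foreach ($cmd in $vdirCmdlets) {
    $findings += & $cmd | ForEach-Object {
        New-Finding "$($_.Server) $($_.Name)" 'InternalUrl' $_.InternalUrl
        New-Finding "$($_.Server) $($_.Name)" 'ExternalUrl' $_.ExternalUrl
    }
}

# Stale references first, then everything else for review
$findings | Sort-Object Stale -Descending | Format-Table Source, Setting, Value, Stale -AutoSize
```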

Author Comment

by:YMartin
ID: 40503361
Thanks Simon,

Had copied the same cert (wildcard) to the new server and connectivity tool approves of the cert.

I ran Outlook auto configuration test and it succeeds.

I just stopped all Exchange services on the old server and am unable to reproduce the problem with Outlook.  Also connectivity tests check out OK.  It seems as if it takes several hours of the server being offline/stopped for Outlook to have password issues.  When I last shut down the server I tested right after shutting down and there were no problems.  However, the next day it was endless password boxes.  Brought Exchange services back up and restarted Outlook and it started working just fine.  I'll keep trying and see what happens.  Perhaps I will get some clue in test results when it next fails.

Outlook seems to be doing something every 2-6 hours which fails if the other server is offline/stopped.  
I did download OAB updates without issue.

Thanks,

Expert Comment

by:Simon Butler (Sembee)
ID: 40509738
I wonder if this is DNS.
You remove the old machine and the DNS records expire or something like that and then the client starts connecting to another server for certain information, throwing authentication prompts. This isn't something I have seen myself so you need to start looking outside of Exchange.

Although I don't subscribe to the "shutdown services/server and see what breaks" method when it comes to Exchange. Exchange expects the server to be there and there are certain behaviours that kick in only when the old server has gone away completely - so has been removed from the domain correctly via add/remove programs. Those do not happen with the services stopped or server powered off because Exchange knows it should be there.

Simon.

Author Comment

by:YMartin
ID: 40513145
Thanks Simon,

The only clue I had found on this was that the connection status of Outlook was showing the old server name for some of the connections and the new one for others.  Manually changing the server name in the mail CPL seems to have worked.  Most clients updated to the new server automatically and others had to be done manually. It looks like it took several days for all of the clients to update.

Accepted Solution

by:Simon Butler (Sembee)
ID: 40514545
If you had removed the old server correctly, then it would probably not have taken as long. The clients would have been forced through a full Autodiscover process at an earlier date.

Simon.

Author Closing Comment

by:YMartin
ID: 40521852
Thanks.