Solved

Exchange 2013 and Outlook clients not connecting

Posted on 2015-02-03
4
242 Views
Last Modified: 2015-02-18
I have a new Windows 2012 server that I have installed Exchange 2013 on.  We moved email from GoDaddy to the internal server. Mail flows properly, I can login to OWA, I can connect with iPhones and Androids, I can connect to Outlook if they are in the office or if they connect to the VPN but Outlook will not connect if the users are outside the office.

I ran the Microsoft connectivity test and below is the results.  We are using a self-signed certificate (which should be fine for this small client).

Test Steps
        
The Microsoft Connectivity Analyzer is attempting to test Autodiscover for administrator@kineticor.ca.

       Testing Autodiscover failed.
        
Additional Details
       Elapsed Time: 1776 ms.

        
Test Steps
        
Attempting each method of contacting the Autodiscover service.
       The Autodiscover service couldn't be contacted successfully by any method.
        
Additional Details
       Elapsed Time: 1776 ms.

        
Test Steps
        
Attempting to test potential Autodiscover URL https://kineticor.ca:443/Autodiscover/Autodiscover.xml

       Testing of this potential Autodiscover URL failed.
        
Additional Details
       Elapsed Time: 619 ms.

        
Test Steps
        
Attempting to resolve the host name kineticor.ca in DNS.
       The host name resolved successfully.
        
Additional Details
       IP addresses returned: 50.62.236.1
Elapsed Time: 183 ms.


 
Testing TCP port 443 on host kineticor.ca to ensure it's listening and open.
       The port was opened successfully.
        
Additional Details
       Elapsed Time: 246 ms.


 
Testing the SSL certificate to make sure it's valid.
       The SSL certificate failed one or more certificate validation checks.
        
Additional Details
       Elapsed Time: 189 ms.

        
Test Steps
        
The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server kineticor.ca on port 443.
       The Microsoft Connectivity Analyzer wasn't able to obtain the remote SSL certificate.
        
Additional Details
       The certificate couldn't be validated because SSL negotiation wasn't successful. This could have occurred as a result of a network error or because of a problem with the certificate installation.
Elapsed Time: 163 ms.






 
Attempting to test potential Autodiscover URL https://autodiscover.kineticor.ca:443/Autodiscover/Autodiscover.xml

       Testing of this potential Autodiscover URL failed.
        
Additional Details
       Elapsed Time: 662 ms.

        
Test Steps
        
Attempting to resolve the host name autodiscover.kineticor.ca in DNS.
       The host name resolved successfully.
        
Additional Details
       IP addresses returned: 96.53.15.106
Elapsed Time: 266 ms.


 
Testing TCP port 443 on host autodiscover.kineticor.ca to ensure it's listening and open.
       The port was opened successfully.
        
Additional Details
       Elapsed Time: 137 ms.


 
Testing the SSL certificate to make sure it's valid.
       The SSL certificate failed one or more certificate validation checks.
        
Additional Details
       Elapsed Time: 258 ms.

        
Test Steps
        
The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server autodiscover.kineticor.ca on port 443.
       The Microsoft Connectivity Analyzer successfully obtained the remote SSL certificate.
        
Additional Details
       Remote Certificate Subject: CN=kineticor-fs1.kineticor.local, Issuer: CN=kineticor-fs1.kineticor.local.
Elapsed Time: 169 ms.


 
Validating the certificate name.
       The certificate name was validated successfully.
        
Additional Details
       Host name autodiscover.kineticor.ca was found in the Certificate Subject Alternative Name entry.
Elapsed Time: 1 ms.


 
Certificate trust is being validated.
       Certificate trust validation failed.
        
Test Steps
        
The Microsoft Connectivity Analyzer is attempting to build certificate chains for certificate CN=kineticor-fs1.kineticor.local.
       A certificate chain couldn't be constructed for the certificate.
         Tell me more about this issue and how to resolve it

        
Additional Details
       The certificate chain didn't end in a trusted root. Root = CN=kineticor-fs1.kineticor.local
Elapsed Time: 42 ms.








 
Attempting to contact the Autodiscover service using the HTTP redirect method.
       The attempt to contact Autodiscover using the HTTP Redirect method failed.
        
Additional Details
       Elapsed Time: 166 ms.

        
Test Steps
        
Attempting to resolve the host name autodiscover.kineticor.ca in DNS.
       The host name resolved successfully.
        
Additional Details
       IP addresses returned: 96.53.15.106
Elapsed Time: 17 ms.


 
Testing TCP port 80 on host autodiscover.kineticor.ca to ensure it's listening and open.
       The port was opened successfully.
        
Additional Details
       Elapsed Time: 68 ms.


 
The Microsoft Connectivity Analyzer is checking the host autodiscover.kineticor.ca for an HTTP redirect to the Autodiscover service.
       The Microsoft Connectivity Analyzer failed to get an HTTP redirect response for Autodiscover.
        
Additional Details
       An HTTP 403 forbidden response was received. The response appears to have come from Unknown. Body of the response:
HTTP Response Headers:
X-FEServer: KINETICOR-FS1
Content-Length: 0
Date: Tue, 03 Feb 2015 20:45:38 GMT
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Elapsed Time: 79 ms.




 
Attempting to contact the Autodiscover service using the DNS SRV redirect method.
       The Microsoft Connectivity Analyzer failed to contact the Autodiscover service using the DNS SRV redirect method.
        
Additional Details
       Elapsed Time: 166 ms.

        
Test Steps
        
Attempting to locate SRV record _autodiscover._tcp.kineticor.ca in DNS.
       The Autodiscover SRV record wasn't found in DNS.
         Tell me more about this issue and how to resolve it

        
Additional Details
       Elapsed Time: 166 ms.









Any help on figuring this out would be greatly appreciated as I am lost.
0
Comment
Question by:WildEagle
  • 2
  • 2
4 Comments
 
LVL 53

Expert Comment

by:Will Szymkowski
Comment Utility
First, in order to connect remotely you require a 3rd party certificate, this is why your connectivity test is failing. Also you need to create a cname record for autodiscover.mail.com pointing to mail.domain.com.

Both of these names need to be identified as DNS names within your UCC/SAN cert. Once you have your cert you will need to import the cert into all of your CAS servers in your Exchange environment.

You will then need to enable the cert (on each individual server) using the powershell command below...

Enable-ExchangeCertificate -thumbprint xxxxxxxxxxxxxxxxxxxxx -services "pop,imap,smtp,iis"

Open in new window


You then need to update all of your external and internal URL (virtual directories) for mail.domain.com. You will also need to create a DNS record internally (split dns) for mail.domain.com and point it to your CAS server or Load Balanced IP (if you are load balancing CAS)

Once all of the above have been completed you should have passed the tests on the connectivity test externally.

Will.
0
 

Author Comment

by:WildEagle
Comment Utility
Hi,

  Thanks for the response, unless this is something brand new in Microsoft Exchange 2013 (which Microsoft says you don't need a 3rd party certificate) I have never done anything but self signed certificates for any of my clients and they all work with RPC over HTTPS for Outlook to work.

Secondly I do have a cname setup to point autodiscover to the external IP address of the server with the DNS provider and also have the internal DNS split so that I have the .local and the .ca domains setup and pointed correctly to the server.

Any other ideas?
0
 
LVL 53

Accepted Solution

by:
Will Szymkowski earned 500 total points
Comment Utility
Self Signed can be done, but not sure why you would go this route as SSL certs a dirt cheap. Unless you have a Internal root CA which is issuing the certs you are going to run into certificate issues. You will also need to make sure that the self signed cert is on all machines connecting.

Attempting to locate SRV record _autodiscover._tcp.kineticor.ca in DNS.
        The Autodiscover SRV record wasn't found in DNS.

Do you have the SRV records created in your exteranal DNS?

Also what are your External URL's set to on your CAS Server? Are they set to mail.domain.com.....?

Will.
0
 

Author Closing Comment

by:WildEagle
Comment Utility
After the SRV record finally took with GoDaddy it seems things are connecting properly now.
0

Featured Post

Too many email signature changes to deal with?

Are you constantly being asked to update your organization's email signatures? Do they take up too much of your time? Wouldn't you love to be able to manage all signatures from one central location, easily design them and deploy them quickly to users. Well, you can!

Join & Write a Comment

"Migrate" an SMTP relay receive connector to a new server using info from an old server.
Exchange server is not supported in any cloud-hosted platform (other than Azure with Azure Premium Storage).
In this video we show how to create a Shared Mailbox in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Recipients >> Sha…
In this video we show how to create an Accepted Domain in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Mail Flow >> Ac…

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

12 Experts available now in Live!

Get 1:1 Help Now