WildEagle
Exchange 2013 and Outlook clients not connecting
I have a new Windows 2012 server that I have installed Exchange 2013 on. We moved email from GoDaddy to the internal server. Mail flows properly, I can log in to OWA, I can connect with iPhones and Androids, and I can connect to Outlook if they are in the office or if they connect to the VPN, but Outlook will not connect if the users are outside the office.
I ran the Microsoft connectivity test and below are the results. We are using a self-signed certificate (which should be fine for this small client).
Test Steps
The Microsoft Connectivity Analyzer is attempting to test Autodiscover for administrator@kineticor.ca.
Testing Autodiscover failed.
Additional Details
Elapsed Time: 1776 ms.
Test Steps
Attempting each method of contacting the Autodiscover service.
The Autodiscover service couldn't be contacted successfully by any method.
Additional Details
Elapsed Time: 1776 ms.
Test Steps
Attempting to test potential Autodiscover URL https://kineticor.ca:443/Autodiscover/Autodiscover.xml
Testing of this potential Autodiscover URL failed.
Additional Details
Elapsed Time: 619 ms.
Test Steps
Attempting to resolve the host name kineticor.ca in DNS.
The host name resolved successfully.
Additional Details
IP addresses returned: 50.62.236.1
Elapsed Time: 183 ms.
Testing TCP port 443 on host kineticor.ca to ensure it's listening and open.
The port was opened successfully.
Additional Details
Elapsed Time: 246 ms.
Testing the SSL certificate to make sure it's valid.
The SSL certificate failed one or more certificate validation checks.
Additional Details
Elapsed Time: 189 ms.
Test Steps
The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server kineticor.ca on port 443.
The Microsoft Connectivity Analyzer wasn't able to obtain the remote SSL certificate.
Additional Details
The certificate couldn't be validated because SSL negotiation wasn't successful. This could have occurred as a result of a network error or because of a problem with the certificate installation.
Elapsed Time: 163 ms.
Attempting to test potential Autodiscover URL https://autodiscover.kineticor.ca:443/Autodiscover/Autodiscover.xml
Testing of this potential Autodiscover URL failed.
Additional Details
Elapsed Time: 662 ms.
Test Steps
Attempting to resolve the host name autodiscover.kineticor.ca in DNS.
The host name resolved successfully.
Additional Details
IP addresses returned: 96.53.15.106
Elapsed Time: 266 ms.
Testing TCP port 443 on host autodiscover.kineticor.ca to ensure it's listening and open.
The port was opened successfully.
Additional Details
Elapsed Time: 137 ms.
Testing the SSL certificate to make sure it's valid.
The SSL certificate failed one or more certificate validation checks.
Additional Details
Elapsed Time: 258 ms.
Test Steps
The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server autodiscover.kineticor.ca on port 443.
The Microsoft Connectivity Analyzer successfully obtained the remote SSL certificate.
Additional Details
Remote Certificate Subject: CN=kineticor-fs1.kineticor.local, Issuer: CN=kineticor-fs1.kineticor.local.
Elapsed Time: 169 ms.
Validating the certificate name.
The certificate name was validated successfully.
Additional Details
Host name autodiscover.kineticor.ca was found in the Certificate Subject Alternative Name entry.
Elapsed Time: 1 ms.
Certificate trust is being validated.
Certificate trust validation failed.
Test Steps
The Microsoft Connectivity Analyzer is attempting to build certificate chains for certificate CN=kineticor-fs1.kineticor.local.
A certificate chain couldn't be constructed for the certificate.
Additional Details
The certificate chain didn't end in a trusted root. Root = CN=kineticor-fs1.kineticor.local
Elapsed Time: 42 ms.
Attempting to contact the Autodiscover service using the HTTP redirect method.
The attempt to contact Autodiscover using the HTTP Redirect method failed.
Additional Details
Elapsed Time: 166 ms.
Test Steps
Attempting to resolve the host name autodiscover.kineticor.ca in DNS.
The host name resolved successfully.
Additional Details
IP addresses returned: 96.53.15.106
Elapsed Time: 17 ms.
Testing TCP port 80 on host autodiscover.kineticor.ca to ensure it's listening and open.
The port was opened successfully.
Additional Details
Elapsed Time: 68 ms.
The Microsoft Connectivity Analyzer is checking the host autodiscover.kineticor.ca for an HTTP redirect to the Autodiscover service.
The Microsoft Connectivity Analyzer failed to get an HTTP redirect response for Autodiscover.
Additional Details
An HTTP 403 forbidden response was received. The response appears to have come from Unknown. Body of the response:
HTTP Response Headers:
X-FEServer: KINETICOR-FS1
Content-Length: 0
Date: Tue, 03 Feb 2015 20:45:38 GMT
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Elapsed Time: 79 ms.
Attempting to contact the Autodiscover service using the DNS SRV redirect method.
The Microsoft Connectivity Analyzer failed to contact the Autodiscover service using the DNS SRV redirect method.
Additional Details
Elapsed Time: 166 ms.
Test Steps
Attempting to locate SRV record _autodiscover._tcp.kineticor.ca in DNS.
The Autodiscover SRV record wasn't found in DNS.
Additional Details
Elapsed Time: 166 ms.
Any help on figuring this out would be greatly appreciated as I am lost.
ASKER
Hi,
Thanks for the response. Unless this is something brand new in Microsoft Exchange 2013 (for which Microsoft says you don't need a 3rd-party certificate), I have never done anything but self-signed certificates for any of my clients, and they all work with RPC over HTTPS for Outlook.
Secondly, I do have a CNAME set up to point autodiscover to the external IP address of the server with the DNS provider, and I also have the internal DNS split so that the .local and the .ca domains are set up and pointed correctly to the server.
Any other ideas?
ASKER
After the SRV record finally took with GoDaddy it seems things are connecting properly now.
Both of these names need to be identified as DNS names within your UCC/SAN cert. Once you have your cert you will need to import the cert into all of your CAS servers in your Exchange environment.
You will then need to enable the cert (on each individual server) using the PowerShell command below...
You then need to update all of your external and internal URLs (virtual directories) for mail.domain.com. You will also need to create a DNS record internally (split DNS) for mail.domain.com and point it to your CAS server or load-balanced IP (if you are load balancing CAS).
Once all of the above has been completed, you should pass the tests on the connectivity test externally.
Will.
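The steps in the answer above, as an added Exchange Management Shell example; it is not the command from the original post or Microsoft's own script. The thumbprint is a placeholder, `autodiscover.domain.com` is an assumed second name on the certificate, and NTLM for Outlook Anywhere is an assumed choice.

```powershell
# Added example: run in the Exchange Management Shell on each CAS.
# Placeholders/assumptions: thumbprint, autodiscover.domain.com, NTLM auth.
$Thumbprint = '<thumbprint-of-imported-certificate>'
$MailHost   = 'mail.domain.com'           # name used in the post
$AutodHost  = 'autodiscover.domain.com'   # assumed second name on the cert
$Server     = $env:COMPUTERNAME

# 1. Refuse to bind a certificate that external clients would reject.
#    Exact-name match only; a wildcard certificate needs a different test.
$cert    = Get-ExchangeCertificate -Thumbprint $Thumbprint
$sanList = @($cert.CertificateDomains | ForEach-Object { "$_" })
$missing = @($MailHost, $AutodHost | Where-Object { $sanList -notcontains $_ })
if ($missing.Count -gt 0)     { throw "Certificate lacks names: $($missing -join ', ')" }
if ($cert.IsSelfSigned)       { throw 'Certificate is self-signed.' }
if ($cert.Status -ne 'Valid') { throw "Certificate status is $($cert.Status)." }

# 2. Enable the certificate for IIS on this server.
Enable-ExchangeCertificate -Thumbprint $Thumbprint -Services IIS

# 3. Point the internal and external URLs at the name on the certificate.
$base = "https://$MailHost"
Get-OwaVirtualDirectory -Server $Server |
    Set-OwaVirtualDirectory -InternalUrl "$base/owa" -ExternalUrl "$base/owa"
Get-EcpVirtualDirectory -Server $Server |
    Set-EcpVirtualDirectory -InternalUrl "$base/ecp" -ExternalUrl "$base/ecp"
Get-WebServicesVirtualDirectory -Server $Server |
    Set-WebServicesVirtualDirectory -InternalUrl "$base/EWS/Exchange.asmx" -ExternalUrl "$base/EWS/Exchange.asmx"
Get-ActiveSyncVirtualDirectory -Server $Server |
    Set-ActiveSyncVirtualDirectory -InternalUrl "$base/Microsoft-Server-ActiveSync" -ExternalUrl "$base/Microsoft-Server-ActiveSync"
Get-OabVirtualDirectory -Server $Server |
    Set-OabVirtualDirectory -InternalUrl "$base/OAB" -ExternalUrl "$base/OAB"
Get-OutlookAnywhere -Server $Server |
    Set-OutlookAnywhere -InternalHostname $MailHost -ExternalHostname $MailHost `
        -InternalClientsRequireSsl $true -ExternalClientsRequireSsl $true `
        -DefaultAuthenticationMethod NTLM   # assumed; match your own policy
Set-ClientAccessServer -Identity $Server `
    -AutoDiscoverServiceInternalUri "https://$AutodHost/Autodiscover/Autodiscover.xml"

# 4. Split-DNS check: both names must resolve from inside the network.
foreach ($name in $MailHost, $AutodHost) {
    Resolve-DnsName -Name $name -Type A -ErrorAction Stop | Out-Null
}
```

The checks in step 1 stop the script before any binding changes, so a certificate that is self-signed or missing a name never reaches IIS.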