Solved

Exchange 2013 and Outlook clients not connecting

Posted on 2015-02-03
4
306 Views
Last Modified: 2015-02-18
I have a new Windows 2012 server that I have installed Exchange 2013 on.  We moved email from GoDaddy to the internal server. Mail flows properly, I can login to OWA, I can connect with iPhones and Androids, I can connect to Outlook if they are in the office or if they connect to the VPN but Outlook will not connect if the users are outside the office.

I ran the Microsoft connectivity test and below is the results.  We are using a self-signed certificate (which should be fine for this small client).

Test Steps
        
The Microsoft Connectivity Analyzer is attempting to test Autodiscover for administrator@kineticor.ca.

       Testing Autodiscover failed.
        
Additional Details
       Elapsed Time: 1776 ms.

        
Test Steps
        
Attempting each method of contacting the Autodiscover service.
       The Autodiscover service couldn't be contacted successfully by any method.
        
Additional Details
       Elapsed Time: 1776 ms.

        
Test Steps
        
Attempting to test potential Autodiscover URL https://kineticor.ca:443/Autodiscover/Autodiscover.xml

       Testing of this potential Autodiscover URL failed.
        
Additional Details
       Elapsed Time: 619 ms.

        
Test Steps
        
Attempting to resolve the host name kineticor.ca in DNS.
       The host name resolved successfully.
        
Additional Details
       IP addresses returned: 50.62.236.1
Elapsed Time: 183 ms.


 
Testing TCP port 443 on host kineticor.ca to ensure it's listening and open.
       The port was opened successfully.
        
Additional Details
       Elapsed Time: 246 ms.


 
Testing the SSL certificate to make sure it's valid.
       The SSL certificate failed one or more certificate validation checks.
        
Additional Details
       Elapsed Time: 189 ms.

        
Test Steps
        
The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server kineticor.ca on port 443.
       The Microsoft Connectivity Analyzer wasn't able to obtain the remote SSL certificate.
        
Additional Details
       The certificate couldn't be validated because SSL negotiation wasn't successful. This could have occurred as a result of a network error or because of a problem with the certificate installation.
Elapsed Time: 163 ms.






 
Attempting to test potential Autodiscover URL https://autodiscover.kineticor.ca:443/Autodiscover/Autodiscover.xml

       Testing of this potential Autodiscover URL failed.
        
Additional Details
       Elapsed Time: 662 ms.

        
Test Steps
        
Attempting to resolve the host name autodiscover.kineticor.ca in DNS.
       The host name resolved successfully.
        
Additional Details
       IP addresses returned: 96.53.15.106
Elapsed Time: 266 ms.


 
Testing TCP port 443 on host autodiscover.kineticor.ca to ensure it's listening and open.
       The port was opened successfully.
        
Additional Details
       Elapsed Time: 137 ms.


 
Testing the SSL certificate to make sure it's valid.
       The SSL certificate failed one or more certificate validation checks.
        
Additional Details
       Elapsed Time: 258 ms.

        
Test Steps
        
The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server autodiscover.kineticor.ca on port 443.
       The Microsoft Connectivity Analyzer successfully obtained the remote SSL certificate.
        
Additional Details
       Remote Certificate Subject: CN=kineticor-fs1.kineticor.local, Issuer: CN=kineticor-fs1.kineticor.local.
Elapsed Time: 169 ms.


 
Validating the certificate name.
       The certificate name was validated successfully.
        
Additional Details
       Host name autodiscover.kineticor.ca was found in the Certificate Subject Alternative Name entry.
Elapsed Time: 1 ms.


 
Certificate trust is being validated.
       Certificate trust validation failed.
        
Test Steps
        
The Microsoft Connectivity Analyzer is attempting to build certificate chains for certificate CN=kineticor-fs1.kineticor.local.
       A certificate chain couldn't be constructed for the certificate.
         Tell me more about this issue and how to resolve it

        
Additional Details
       The certificate chain didn't end in a trusted root. Root = CN=kineticor-fs1.kineticor.local
Elapsed Time: 42 ms.








 
Attempting to contact the Autodiscover service using the HTTP redirect method.
       The attempt to contact Autodiscover using the HTTP Redirect method failed.
        
Additional Details
       Elapsed Time: 166 ms.

        
Test Steps
        
Attempting to resolve the host name autodiscover.kineticor.ca in DNS.
       The host name resolved successfully.
        
Additional Details
       IP addresses returned: 96.53.15.106
Elapsed Time: 17 ms.


 
Testing TCP port 80 on host autodiscover.kineticor.ca to ensure it's listening and open.
       The port was opened successfully.
        
Additional Details
       Elapsed Time: 68 ms.


 
The Microsoft Connectivity Analyzer is checking the host autodiscover.kineticor.ca for an HTTP redirect to the Autodiscover service.
       The Microsoft Connectivity Analyzer failed to get an HTTP redirect response for Autodiscover.
        
Additional Details
       An HTTP 403 forbidden response was received. The response appears to have come from Unknown. Body of the response:
HTTP Response Headers:
X-FEServer: KINETICOR-FS1
Content-Length: 0
Date: Tue, 03 Feb 2015 20:45:38 GMT
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Elapsed Time: 79 ms.




 
Attempting to contact the Autodiscover service using the DNS SRV redirect method.
       The Microsoft Connectivity Analyzer failed to contact the Autodiscover service using the DNS SRV redirect method.
        
Additional Details
       Elapsed Time: 166 ms.

        
Test Steps
        
Attempting to locate SRV record _autodiscover._tcp.kineticor.ca in DNS.
       The Autodiscover SRV record wasn't found in DNS.
         Tell me more about this issue and how to resolve it

        
Additional Details
       Elapsed Time: 166 ms.









Any help on figuring this out would be greatly appreciated as I am lost.
0
Comment
Question by:WildEagle
  • 2
  • 2
4 Comments
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40587712
First, in order to connect remotely you require a 3rd party certificate, this is why your connectivity test is failing. Also you need to create a cname record for autodiscover.mail.com pointing to mail.domain.com.

Both of these names need to be identified as DNS names within your UCC/SAN cert. Once you have your cert you will need to import the cert into all of your CAS servers in your Exchange environment.

You will then need to enable the cert (on each individual server) using the powershell command below...

Enable-ExchangeCertificate -thumbprint xxxxxxxxxxxxxxxxxxxxx -services "pop,imap,smtp,iis"

Open in new window


You then need to update all of your external and internal URL (virtual directories) for mail.domain.com. You will also need to create a DNS record internally (split dns) for mail.domain.com and point it to your CAS server or Load Balanced IP (if you are load balancing CAS)

Once all of the above have been completed you should have passed the tests on the connectivity test externally.

Will.
0
 

Author Comment

by:WildEagle
ID: 40587763
Hi,

  Thanks for the response, unless this is something brand new in Microsoft Exchange 2013 (which Microsoft says you don't need a 3rd party certificate) I have never done anything but self signed certificates for any of my clients and they all work with RPC over HTTPS for Outlook to work.

Secondly I do have a cname setup to point autodiscover to the external IP address of the server with the DNS provider and also have the internal DNS split so that I have the .local and the .ca domains setup and pointed correctly to the server.

Any other ideas?
0
 
LVL 53

Accepted Solution

by:
Will Szymkowski earned 500 total points
ID: 40587819
Self Signed can be done, but not sure why you would go this route as SSL certs a dirt cheap. Unless you have a Internal root CA which is issuing the certs you are going to run into certificate issues. You will also need to make sure that the self signed cert is on all machines connecting.

Attempting to locate SRV record _autodiscover._tcp.kineticor.ca in DNS.
        The Autodiscover SRV record wasn't found in DNS.

Do you have the SRV records created in your exteranal DNS?

Also what are your External URL's set to on your CAS Server? Are they set to mail.domain.com.....?

Will.
0
 

Author Closing Comment

by:WildEagle
ID: 40617216
After the SRV record finally took with GoDaddy it seems things are connecting properly now.
0

Featured Post

Are your AD admin tools letting you down?

Managing Active Directory can get complicated.  Often, the native tools for managing AD are just not up to the task.  The largest Active Directory installations in the world have relied on one tool to manage their day-to-day administration tasks: Hyena. Start your trial today.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Marketers need statistics and metrics like everybody else needs oxygen. In this article we explain how to enable marketing campaign statistics for Microsoft Exchange mail.
MS Outlook is a world-class email client application that is mainly used for e-communication globally.  In this article, we will discuss the basic idea about MS Outlook, its advanced features, and types of MS Outlook File formats.
The basic steps you have just learned will be implemented in this video. The basic steps are shown to configure an Exchange DAG in a live working Exchange Server Environment and manage the same (Exchange Server 2010 Software is used in a Windows Ser…
This video shows how to quickly and easily add an email signature for all users on Exchange 2016. The resulting signature is applied on a server level by Exchange Online. The email signature template has been downloaded from: www.mail-signatures…

749 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question