[2 days left] What’s wrong with your cloud strategy? Learn why multicloud solutions matter with Nimble Storage.Register Now

x
?
Solved

Exchange 2013 and Outlook clients not connecting

Posted on 2015-02-03
4
Medium Priority
?
354 Views
Last Modified: 2015-02-18
I have a new Windows 2012 server that I have installed Exchange 2013 on.  We moved email from GoDaddy to the internal server. Mail flows properly, I can login to OWA, I can connect with iPhones and Androids, I can connect to Outlook if they are in the office or if they connect to the VPN but Outlook will not connect if the users are outside the office.

I ran the Microsoft connectivity test and below is the results.  We are using a self-signed certificate (which should be fine for this small client).

Test Steps
        
The Microsoft Connectivity Analyzer is attempting to test Autodiscover for administrator@kineticor.ca.

       Testing Autodiscover failed.
        
Additional Details
       Elapsed Time: 1776 ms.

        
Test Steps
        
Attempting each method of contacting the Autodiscover service.
       The Autodiscover service couldn't be contacted successfully by any method.
        
Additional Details
       Elapsed Time: 1776 ms.

        
Test Steps
        
Attempting to test potential Autodiscover URL https://kineticor.ca:443/Autodiscover/Autodiscover.xml

       Testing of this potential Autodiscover URL failed.
        
Additional Details
       Elapsed Time: 619 ms.

        
Test Steps
        
Attempting to resolve the host name kineticor.ca in DNS.
       The host name resolved successfully.
        
Additional Details
       IP addresses returned: 50.62.236.1
Elapsed Time: 183 ms.


 
Testing TCP port 443 on host kineticor.ca to ensure it's listening and open.
       The port was opened successfully.
        
Additional Details
       Elapsed Time: 246 ms.


 
Testing the SSL certificate to make sure it's valid.
       The SSL certificate failed one or more certificate validation checks.
        
Additional Details
       Elapsed Time: 189 ms.

        
Test Steps
        
The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server kineticor.ca on port 443.
       The Microsoft Connectivity Analyzer wasn't able to obtain the remote SSL certificate.
        
Additional Details
       The certificate couldn't be validated because SSL negotiation wasn't successful. This could have occurred as a result of a network error or because of a problem with the certificate installation.
Elapsed Time: 163 ms.






 
Attempting to test potential Autodiscover URL https://autodiscover.kineticor.ca:443/Autodiscover/Autodiscover.xml

       Testing of this potential Autodiscover URL failed.
        
Additional Details
       Elapsed Time: 662 ms.

        
Test Steps
        
Attempting to resolve the host name autodiscover.kineticor.ca in DNS.
       The host name resolved successfully.
        
Additional Details
       IP addresses returned: 96.53.15.106
Elapsed Time: 266 ms.


 
Testing TCP port 443 on host autodiscover.kineticor.ca to ensure it's listening and open.
       The port was opened successfully.
        
Additional Details
       Elapsed Time: 137 ms.


 
Testing the SSL certificate to make sure it's valid.
       The SSL certificate failed one or more certificate validation checks.
        
Additional Details
       Elapsed Time: 258 ms.

        
Test Steps
        
The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server autodiscover.kineticor.ca on port 443.
       The Microsoft Connectivity Analyzer successfully obtained the remote SSL certificate.
        
Additional Details
       Remote Certificate Subject: CN=kineticor-fs1.kineticor.local, Issuer: CN=kineticor-fs1.kineticor.local.
Elapsed Time: 169 ms.


 
Validating the certificate name.
       The certificate name was validated successfully.
        
Additional Details
       Host name autodiscover.kineticor.ca was found in the Certificate Subject Alternative Name entry.
Elapsed Time: 1 ms.


 
Certificate trust is being validated.
       Certificate trust validation failed.
        
Test Steps
        
The Microsoft Connectivity Analyzer is attempting to build certificate chains for certificate CN=kineticor-fs1.kineticor.local.
       A certificate chain couldn't be constructed for the certificate.
         Tell me more about this issue and how to resolve it

        
Additional Details
       The certificate chain didn't end in a trusted root. Root = CN=kineticor-fs1.kineticor.local
Elapsed Time: 42 ms.








 
Attempting to contact the Autodiscover service using the HTTP redirect method.
       The attempt to contact Autodiscover using the HTTP Redirect method failed.
        
Additional Details
       Elapsed Time: 166 ms.

        
Test Steps
        
Attempting to resolve the host name autodiscover.kineticor.ca in DNS.
       The host name resolved successfully.
        
Additional Details
       IP addresses returned: 96.53.15.106
Elapsed Time: 17 ms.


 
Testing TCP port 80 on host autodiscover.kineticor.ca to ensure it's listening and open.
       The port was opened successfully.
        
Additional Details
       Elapsed Time: 68 ms.


 
The Microsoft Connectivity Analyzer is checking the host autodiscover.kineticor.ca for an HTTP redirect to the Autodiscover service.
       The Microsoft Connectivity Analyzer failed to get an HTTP redirect response for Autodiscover.
        
Additional Details
       An HTTP 403 forbidden response was received. The response appears to have come from Unknown. Body of the response:
HTTP Response Headers:
X-FEServer: KINETICOR-FS1
Content-Length: 0
Date: Tue, 03 Feb 2015 20:45:38 GMT
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Elapsed Time: 79 ms.




 
Attempting to contact the Autodiscover service using the DNS SRV redirect method.
       The Microsoft Connectivity Analyzer failed to contact the Autodiscover service using the DNS SRV redirect method.
        
Additional Details
       Elapsed Time: 166 ms.

        
Test Steps
        
Attempting to locate SRV record _autodiscover._tcp.kineticor.ca in DNS.
       The Autodiscover SRV record wasn't found in DNS.
         Tell me more about this issue and how to resolve it

        
Additional Details
       Elapsed Time: 166 ms.









Any help on figuring this out would be greatly appreciated as I am lost.
0
Comment
Question by:WildEagle
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 53

Expert Comment

by:Will Szymkowski
ID: 40587712
First, in order to connect remotely you require a 3rd party certificate, this is why your connectivity test is failing. Also you need to create a cname record for autodiscover.mail.com pointing to mail.domain.com.

Both of these names need to be identified as DNS names within your UCC/SAN cert. Once you have your cert you will need to import the cert into all of your CAS servers in your Exchange environment.

You will then need to enable the cert (on each individual server) using the powershell command below...

Enable-ExchangeCertificate -thumbprint xxxxxxxxxxxxxxxxxxxxx -services "pop,imap,smtp,iis"

Open in new window


You then need to update all of your external and internal URL (virtual directories) for mail.domain.com. You will also need to create a DNS record internally (split dns) for mail.domain.com and point it to your CAS server or Load Balanced IP (if you are load balancing CAS)

Once all of the above have been completed you should have passed the tests on the connectivity test externally.

Will.
0
 

Author Comment

by:WildEagle
ID: 40587763
Hi,

  Thanks for the response, unless this is something brand new in Microsoft Exchange 2013 (which Microsoft says you don't need a 3rd party certificate) I have never done anything but self signed certificates for any of my clients and they all work with RPC over HTTPS for Outlook to work.

Secondly I do have a cname setup to point autodiscover to the external IP address of the server with the DNS provider and also have the internal DNS split so that I have the .local and the .ca domains setup and pointed correctly to the server.

Any other ideas?
0
 
LVL 53

Accepted Solution

by:
Will Szymkowski earned 1500 total points
ID: 40587819
Self Signed can be done, but not sure why you would go this route as SSL certs a dirt cheap. Unless you have a Internal root CA which is issuing the certs you are going to run into certificate issues. You will also need to make sure that the self signed cert is on all machines connecting.

Attempting to locate SRV record _autodiscover._tcp.kineticor.ca in DNS.
        The Autodiscover SRV record wasn't found in DNS.

Do you have the SRV records created in your exteranal DNS?

Also what are your External URL's set to on your CAS Server? Are they set to mail.domain.com.....?

Will.
0
 

Author Closing Comment

by:WildEagle
ID: 40617216
After the SRV record finally took with GoDaddy it seems things are connecting properly now.
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I don't pretend to be an expert at this, but I have found a few things that are useful. I hope that sharing them here will help others, so they will not have to face some rather hard choices. Since I felt this to be a topic of enough importance and…
This month, Experts Exchange sat down with resident SQL expert, Jim Horn, for an in-depth look into the makings of a successful career in SQL.
To add imagery to an HTML email signature, you have two options available to you. You can either add a logo/image by embedding it directly into the signature or hosting it externally and linking to it. The vast majority of email clients display l…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…
Suggested Courses

649 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question