Outlook anywhere to exchange 2010 will not connect


  • Outlook anywhere to exchange 2010 will not connect

    Hi

    Just wondering if I could get some help or advice on what to try to get outlook anywhere working. I'm connecting outlook 2010 to exchange 2010.

    Users logon to a terminal server & can get mail via their outlook account on the apps server ok. They can also logon & get mail via owa & activesync.

    I've configured a few exchange 2007 servers with outlook anywhere no problem, but this is my first 2010 server with outlook anywhere & I'm stumped.

    I have created a nat rule pointing 443 to the exchange server. Created a 3rd party cert that works. Enabled outlook anywhere. The clients connecting will not be part of the domain, so I am using basic authentication.

    I use the same config as far as I can see on my other exchange boxes, but when I go to authenticate outlook it comes up with the username & password prompt as normal, but the combination that I use with owa doesn't work in outlook. What gives?

    Exchange connectivity tester doesn't work, but then again, it doesn't work with my other exchange boxes either & their outlook anywhere clients work.

  • #2
    Re: Outlook anywhere to exchange 2010 will not connect

    Do you mean https://www.testexchangeconnectivity.com/ doesn't work?
    If it doesn't work on other systems you are using, then, being blunt, you must be doing something wrong on all servers that you manage.
    I trust that tool 100%, I have never seen it fail to tell me what was wrong and when corrected, pass all of the tests. It is one of the best tools Microsoft have developed for troubleshooting.

    My first response with Outlook Anywhere questions is always to use that site to test the server with. It will tell you what is wrong and where to correct things.
    Outlook Anywhere usually fails for one of two reasons - autodiscover isn't set up correctly (people still think autodiscover is an optional configuration, it is not), or an issue with the SSL certificate, such as with the names that are (not) on the certificate.

    Otherwise your question is very light on information that can be used to assist with troubleshooting.

    Simon.
    --
    Simon Butler
    Exchange MVP

    Blog: http://blog.sembee.co.uk/
    More Exchange Content: http://exchange.sembee.info/
    Exchange Resources List: http://exbpa.com/
    In the UK? Hire me: http://www.sembee.co.uk/

    Sembee is a registered trademark, used here with permission.



    • #3
      Re: Outlook anywhere to exchange 2010 will not connect

      Do you mean https://www.testexchangeconnectivity.com/ doesn't work?
      Yes.

      If it doesn't work on other systems you are using, then, being blunt, you must be doing something wrong on all servers that you manage.
      Ok, I assumed that since it worked on my other exch and had read various posts on the net that others also experience the same thing, that it must have been just another one of those tools, that weren't entirely accurate. After all, if it says it fails, yet my clients can connect on other exchange, then what gives?

      Outlook Anywhere usually fails for one of two reasons - autodiscover isn't set up correctly (people still think autodiscover is an optional configuration, it is not)
      I imagine, this is a contributing factor. It seems to work internally, but not externally. I've never really found good information on how to get that working.

      I have a 3rd party cert that says "mail.mydomain.com". Cert tests show it's ok & when I log on via owa, I don't get a certificate warning.

      The exchange connectivity tester has a field that says "manually specify server settings", so I assumed autodiscover was not a definite requirement.

      I'm happy to get it going but haven't had much success. Have you got a good article on it? I am not sure whether I create a public dns record that points to the same ip as my "mail.mydomain.com" record?

      Here is the exchange connectivity results.



      Testing RPC/HTTP connectivity.
      The RPC/HTTP test failed.

      Test Steps

      Attempting to resolve the host name mail.mydomain.com in DNS.
      The host name resolved successfully.

      Additional Details
      Testing TCP port 443 on host mail.mydomain.com to ensure it's listening and open.
      The port was opened successfully.
      Testing the SSL certificate to make sure it's valid.
      The certificate passed all validation requirements.

      Test Steps
      Checking the IIS configuration for client certificate authentication.
      Client certificate authentication wasn't detected.

      Additional Details
      Testing HTTP Authentication Methods for URL https://mail.mydomain.com/rpc/rpcproxy.dll.
      The HTTP authentication methods are correct.

      Additional Details
      Testing SSL mutual authentication with the RPC proxy server.
      Mutual authentication was verified successfully.

      Additional Details
      Attempting to ping RPC proxy mail.mydomain.com
      RPC Proxy was pinged successfully.

      Additional Details
      Attempting to ping RPC endpoint 6001 (Exchange Information Store) on server d85-0-ensg110.d85.com.au.
      The attempt to ping the endpoint failed.
      Tell me more about this issue and how to resolve it

      Additional Details
      The RPC_E_ACCESS_DENIED error (0x5) was thrown by the RPC Runtime process.


      I can telnet to that port from the LAN, but not the WAN. I thought I only needed 443 on the firewall to forward to the exchange?
      Last edited by mobius2011; 27th June 2012, 22:16.



      • #4
        Re: Outlook anywhere to exchange 2010 will not connect

        This is what the logs say in event viewer when I try to connect with the user.

        Log Name: Security
        Source: Microsoft-Windows-Security-Auditing
        Date: 28/06/2012 7:11:27 AM
        Event ID: 4625
        Task Category: Logon
        Level: Information
        Keywords: Audit Failure
        User: N/A
        Computer: D85-0-ENSG110.D85.COM.AU
        Description:
        An account failed to log on.

        Subject:
        Security ID: NULL SID
        Account Name: -
        Account Domain: -
        Logon ID: 0x0

        Logon Type: 3

        Account For Which Logon Failed:
        Security ID: NULL SID
        Account Name: john.smith
        Account Domain: d85

        Failure Information:
        Failure Reason: Domain sid inconsistent.
        Status: 0xc000006d
        Sub Status: 0xc000019b

        Process Information:
        Caller Process ID: 0x0
        Caller Process Name: -

        Network Information:
        Workstation Name: BY2PQORCALWB04
        Source Network Address: 65.55.150.160
        Source Port: 0

        Detailed Authentication Information:
        Logon Process: NtLmSsp
        Authentication Package: NTLM
        Transited Services: -
        Package Name (NTLM only): -
        Key Length: 0

        This event is generated when a logon request fails. It is generated on the computer where access was attempted.

        The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.

        The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).

        The Process Information fields indicate which account and process on the system requested the logon.

        The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.

        The authentication information fields provide detailed information about this specific logon request.
        - Transited services indicate which intermediate services have participated in this logon request.
        - Package name indicates which sub-protocol was used among the NTLM protocols.
        - Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
        Event Xml:
        <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
        <System>
        <Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-A5BA-3E3B0328C30D}" />
        <EventID>4625</EventID>
        <Version>0</Version>
        <Level>0</Level>
        <Task>12544</Task>
        <Opcode>0</Opcode>
        <Keywords>0x8010000000000000</Keywords>
        <TimeCreated SystemTime="2012-06-27T21:11:27.565806400Z" />
        <EventRecordID>7478</EventRecordID>
        <Correlation />
        <Execution ProcessID="584" ThreadID="1188" />
        <Channel>Security</Channel>
        <Computer>D85-0-ENSG110.D85.COM.AU</Computer>
        <Security />
        </System>
        <EventData>
        <Data Name="SubjectUserSid">S-1-0-0</Data>
        <Data Name="SubjectUserName">-</Data>
        <Data Name="SubjectDomainName">-</Data>
        <Data Name="SubjectLogonId">0x0</Data>
        <Data Name="TargetUserSid">S-1-0-0</Data>
        <Data Name="TargetUserName">mikta.jaswal</Data>
        <Data Name="TargetDomainName">d85</Data>
        <Data Name="Status">0xc000006d</Data>
        <Data Name="FailureReason">%%2314</Data>
        <Data Name="SubStatus">0xc000019b</Data>
        <Data Name="LogonType">3</Data>
        <Data Name="LogonProcessName">NtLmSsp </Data>
        <Data Name="AuthenticationPackageName">NTLM</Data>
        <Data Name="WorkstationName">BY2PQORCALWB04</Data>
        <Data Name="TransmittedServices">-</Data>
        <Data Name="LmPackageName">-</Data>
        <Data Name="KeyLength">0</Data>
        <Data Name="ProcessId">0x0</Data>
        <Data Name="ProcessName">-</Data>
        <Data Name="IpAddress">65.55.150.160</Data>
        <Data Name="IpPort">0</Data>
        </EventData>
        </Event>
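
The 4625 record posted above, read by its SubStatus code rather than by its description text. This is an added example, not part of the original post: the `triage` helper, its category labels and the second (bad-password) event are assumptions made for illustration, and the first event reuses only field values visible in the post.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Subset of NTSTATUS values seen in 4625 Status/SubStatus: (name, category).
# The category labels are this example's own, not Windows terminology.
NTSTATUS = {
    0xC000006D: ("STATUS_LOGON_FAILURE", "see-substatus"),
    0xC0000064: ("STATUS_NO_SUCH_USER", "credentials"),
    0xC000006A: ("STATUS_WRONG_PASSWORD", "credentials"),
    0xC0000072: ("STATUS_ACCOUNT_DISABLED", "account-state"),
    0xC0000234: ("STATUS_ACCOUNT_LOCKED_OUT", "account-state"),
    0xC0000071: ("STATUS_PASSWORD_EXPIRED", "account-state"),
    0xC000019B: ("STATUS_DOMAIN_TRUST_INCONSISTENT", "machine-or-trust"),
}
LOGON_TYPES = {2: "interactive", 3: "network", 8: "network cleartext",
               10: "remote interactive"}


def event_xml(fields):
    """Build a minimal 4625 document from a dict of EventData fields."""
    data = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>4625</EventID></System>'
            f"<EventData>{data}</EventData></Event>")


# Trimmed to the fields that matter; values are the ones shown in the post.
THREAD_EVENT = event_xml({
    "TargetUserName": "john.smith", "TargetDomainName": "d85",
    "Status": "0xc000006d", "SubStatus": "0xc000019b", "LogonType": "3",
    "LogonProcessName": "NtLmSsp ", "AuthenticationPackageName": "NTLM",
    "WorkstationName": "BY2PQORCALWB04", "IpAddress": "65.55.150.160",
})
# Constructed contrast case: an ordinary wrong-password failure.
CONSTRUCTED_EVENT = event_xml({
    "TargetUserName": "alice", "TargetDomainName": "EXAMPLE",
    "Status": "0xc000006d", "SubStatus": "0xc000006a", "LogonType": "3",
    "LogonProcessName": "NtLmSsp ", "AuthenticationPackageName": "NTLM",
    "WorkstationName": "WS01", "IpAddress": "192.0.2.10",
})


def triage(xml_text):
    """Summarise one 4625 event; SubStatus decides the category."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4625":
        raise ValueError("not a 4625 event")
    d = {x.get("Name"): (x.text or "").strip()
         for x in root.findall("e:EventData/e:Data", NS)}
    sub = int(d["SubStatus"], 16)
    code, category = NTSTATUS.get(sub, ("UNKNOWN", "unknown"))
    return {
        "account": d["TargetDomainName"] + "\\" + d["TargetUserName"],
        "source": d["IpAddress"],
        "logon_type": LOGON_TYPES.get(int(d["LogonType"]), "other"),
        "package": d["AuthenticationPackageName"],
        "code": code,
        "category": category,
    }


if __name__ == "__main__":
    for ev in (THREAD_EVENT, CONSTRUCTED_EVENT):
        print(triage(ev))
```

Status `0xc000006d` alone only says the logon failed. The SubStatus is what separates a wrong password or unknown user from a domain or machine identity problem such as the `0xc000019b` in this event.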



        • #5
          Re: Outlook anywhere to exchange 2010 will not connect

          Outlook uses Autodiscover constantly. It isn't just the configuration of Outlook, it is also the availability service (Out of Office and Free/Busy information).

          A single name certificate can only be used if your external DNS provider supports SRV records - otherwise you need to use a UCC certificate.

          With regards to Outlook Anywhere, it should be simply a matter of enabling the feature. Nothing else.

          Therefore I would suggest you reinstall the feature.
          Disable Outlook Anywhere in Exchange. Wait for the event log entry that reports it is disabled.
          Then remove the RPC Proxy through Windows.
          Run IIS RESET.
          Reinstall the RPC Proxy component.
          Then re-enable the Outlook Anywhere in Exchange. Wait for the event log entry to appear in the event viewer and test again.

          Ideally you should get autodiscover to work correctly.

          Simon.
          --
          Simon Butler
          Exchange MVP

          Blog: http://blog.sembee.co.uk/
          More Exchange Content: http://exchange.sembee.info/
          Exchange Resources List: http://exbpa.com/
          In the UK? Hire me: http://www.sembee.co.uk/

          Sembee is a registered trademark, used here with permission.



          • #6
            Re: Outlook anywhere to exchange 2010 will not connect

            A single name certificate can only be used if your external DNS provider supports SRV records - otherwise you need to use a UCC certificate.
            Ok, I bought just a standard SSL not a UCC. So if I bought a UCC, I could create 2 domain names on the cert

            mail.mydomain.com + autodiscover.mydomain.com, both pointing to the same address, is that how it's done?

            My external dns provider does support SRV records, so can I just create a record with the options they mention below?



            Name: autodiscover
            Do not enter a fully qualified name. Name will automatically be added to parent domain.
            ttl 3600
            Priority
            Weight
            Port 443
            Target ip address that mail.mydomain.com points to?


            Regarding the autodiscover on port 6100. Do I need 6100 forwarded on my firewall?

            I will try what you suggest below as well though.



            • #7
              Re: Outlook anywhere to exchange 2010 will not connect

              These are the instructions for using the SRV record method:
              http://support.microsoft.com/kb/940881

              You MUST ensure that you do not have a wildcard in your external DNS so that autodiscover.example.com does not resolve.

              Only port 443 needs to be open to the internet, no other ports. Port 6001 and others are used internally. The whole point of this feature is that it runs over the standard HTTPS port only.

              Simon.
              --
              Simon Butler
              Exchange MVP

              Blog: http://blog.sembee.co.uk/
              More Exchange Content: http://exchange.sembee.info/
              Exchange Resources List: http://exbpa.com/
              In the UK? Hire me: http://www.sembee.co.uk/

              Sembee is a registered trademark, used here with permission.
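
A check of the SRV method's DNS requirements against a zone, including the wildcard condition stated in the post above. This is an added example, not part of the original post: the zone data is constructed, `example.com`, the `192.0.2.x` addresses and the function names are assumptions, and the wildcard matching is simplified.

```python
import ipaddress

HOST_TYPES = {"A", "AAAA", "CNAME"}


def answers_host_query(zone, fqdn):
    """Return 'exact', 'wildcard' or None for an address lookup of fqdn.

    zone is a list of (owner, rtype, value) with lower-case owner names.
    Simplified wildcard rule: a wildcard applies only when fqdn owns no
    records itself, and the search stops at the first ancestor that does.
    """
    owners = {o for o, _, _ in zone}

    def has_host(name):
        return any(o == name and t in HOST_TYPES for o, t, _ in zone)

    if fqdn in owners:
        return "exact" if has_host(fqdn) else None
    labels = fqdn.split(".")
    for i in range(1, len(labels)):
        parent = ".".join(labels[i:])
        if "*." + parent in owners:
            return "wildcard" if has_host("*." + parent) else None
        if parent in owners:
            break
    return None


def check_srv_autodiscover(zone, domain, cert_names):
    """List problems with SRV-based Autodiscover for domain; [] means none."""
    findings = []
    srv_owner = "_autodiscover._tcp." + domain
    srvs = [v for o, t, v in zone if o == srv_owner and t == "SRV"]
    if not srvs:
        findings.append("no SRV record at " + srv_owner)
    for _priority, _weight, port, target in srvs:
        target = target.rstrip(".").lower()
        if port != 443:
            findings.append(f"SRV port is {port}, expected 443")
        try:
            ipaddress.ip_address(target)
            findings.append("SRV target is an IP address; it must be a host name")
            continue
        except ValueError:
            pass
        if target not in cert_names:
            findings.append(f"SRV target {target} is not a name on the certificate")
        if answers_host_query(zone, target) is None:
            findings.append(f"SRV target {target} does not resolve")
    # Outlook tries autodiscover.<domain> before it looks up the SRV record,
    # so that name must not resolve, not even through a wildcard.
    how = answers_host_query(zone, "autodiscover." + domain)
    if how:
        findings.append(f"autodiscover.{domain} resolves ({how} record)")
    return findings


# Constructed zones: one that meets the requirements, one that does not.
GOOD_ZONE = [
    ("mail.example.com", "A", "192.0.2.10"),
    ("_autodiscover._tcp.example.com", "SRV", (0, 0, 443, "mail.example.com")),
]
BAD_ZONE = [
    ("mail.example.com", "A", "192.0.2.10"),
    ("*.example.com", "A", "192.0.2.20"),
    ("_autodiscover._tcp.example.com", "SRV", (0, 0, 443, "192.0.2.10")),
]

if __name__ == "__main__":
    print(check_srv_autodiscover(GOOD_ZONE, "example.com", {"mail.example.com"}))
    print(check_srv_autodiscover(BAD_ZONE, "example.com", {"mail.example.com"}))
```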



              • #8
                Re: Outlook anywhere to exchange 2010 will not connect

                These are the instructions for using the SRV record method:
                ok, I followed that & auto discover seems to work now. But outlook anywhere still fails.

                I uninstalled outlook anywhere & rpc over http & reinstalled them, but the problem remains. I think the main problem may be what the logs are alluding to.

                It keeps saying that the user doesn't exist.

                Event ID: 4625
                Task Category: Logon
                Level: Information
                Keywords: Audit Failure
                User: N/A
                Computer: D85-0-ENSG110.D85.COM.AU
                Description:
                An account failed to log on.

                Subject:
                Security ID: NULL SID
                Account Name: -
                Account Domain: -
                Logon ID: 0x0

                Logon Type: 3

                Account For Which Logon Failed:
                Security ID: NULL SID
                Account Name: john.smith
                Account Domain: d85

                Failure Information:
                Failure Reason: Domain sid inconsistent.

                It's like AD is seeing a completely different account or details to what is being presented. Or it sees the name and even though the name exists & I can authenticate with it using owa & active sync, it sees it as something else when I type it in via outlook anywhere.



                • #9
                  Re: Outlook anywhere to exchange 2010 will not connect

                  In the log below it mentions

                  Detailed Authentication Information:
                  Logon Process: NtLmSsp
                  Authentication Package: NTLM
                  Transited Services: -
                  Package Name (NTLM only):

                  But I have chosen basic on Exch10. Why would it say that? Also in outlook I configured basic.



                  • #10
                    Re: Outlook anywhere to exchange 2010 will not connect

                    SID errors usually indicate a problem with the machine account, rather than the user account. Has this machine been built from a clone or anything?

                    The basic authentication is only from the client to IIS. The part from IIS to Windows itself will be in another format.

                    Simon.
                    --
                    Simon Butler
                    Exchange MVP

                    Blog: http://blog.sembee.co.uk/
                    More Exchange Content: http://exchange.sembee.info/
                    Exchange Resources List: http://exbpa.com/
                    In the UK? Hire me: http://www.sembee.co.uk/

                    Sembee is a registered trademark, used here with permission.



                    • #11
                      Re: Outlook anywhere to exchange 2010 will not connect

                      SID errors usually indicate a problem with the machine account, rather than the user account. Has this machine been built from a clone or anything?
                      Yes it has. I saw a bunch of posts elsewhere where people didn't run a sysprep, but I did actually run a sysprep.

                      Maybe somehow it didn't work, or was interrupted, or some other thing?

                      Am I best to cut my losses & start a new VM & run sysprep all over again? If I run it now, I imagine it will royally screw the server won't it?



                      • #12
                        Re: Outlook anywhere to exchange 2010 will not connect

                        Another post I saw described my problem exactly, but didn't resolve it.

                        Outlook Anywhere rejects correct login and writes Event 4625 in Security log

                        http://www.experts-exchange.com/Soft..._25813572.html



                        • #13
                          Re: Outlook anywhere to exchange 2010 will not connect

                          Originally posted by mobius2011
                          Yes it has. I saw a bunch of posts elsewhere where people didn't run a sysprep, but I did actually run a sysprep.

                          Maybe somehow it didn't work, or was interrupted, or some other thing?

                          Am I best to cut my losses & start a new VM & run sysprep all over again? If I run it now, I imagine it will royally screw the server won't it?
                          If you run it now, then you are going to break Exchange.
                          I see little point in using images these days, particularly for production machines. When I can install a fresh copy of Windows 2008 R2 from an ISO into a VM in less than 15 minutes, the time saving is minimal.

                          I would suggest that you build a new VM and migrate across, then remove the original.

                          Simon.
                          --
                          Simon Butler
                          Exchange MVP

                          Blog: http://blog.sembee.co.uk/
                          More Exchange Content: http://exchange.sembee.info/
                          Exchange Resources List: http://exbpa.com/
                          In the UK? Hire me: http://www.sembee.co.uk/

                          Sembee is a registered trademark, used here with permission.



                          • #14
                            Re: Outlook anywhere to exchange 2010 will not connect

                            Thinking back on it, I'm sure I ran sysprep, but I can't be certain I ticked the generalize button. This error seems to indicate I didn't.

                            I would suggest that you build a new VM and migrate across, then remove the original.
                            It's not in production as yet and the PDC is on another server. So I guess the only issue is the cert, otherwise I can pretty much delete & re-create from new.



                            • #15
                              Re: Outlook anywhere to exchange 2010 will not connect

                              Originally posted by mobius2011
                              Thinking back on it, I'm sure I ran sysprep, but I can't be certain I ticked the generalize button. This error seems to indicate I didn't.



                              It's not in production as yet and the PDC is on another server. So I guess the only issue is the cert, otherwise I can pretty much delete & re-create from new.
                              Errr no.
                              You cannot do that with Exchange. Exchange is heavily integrated with the AD. You need to remove Exchange correctly, otherwise you will have a huge mess on your hands. Due to the SID errors there is no guarantee that any other measure, such as a reinstall with the recoverserver switch will work.

                              Either migrate to another Exchange server and uninstall, or attempt to undo the Exchange installation. The former may well be easier.

                              Simon.
                              --
                              Simon Butler
                              Exchange MVP

                              Blog: http://blog.sembee.co.uk/
                              More Exchange Content: http://exchange.sembee.info/
                              Exchange Resources List: http://exbpa.com/
                              In the UK? Hire me: http://www.sembee.co.uk/

                              Sembee is a registered trademark, used here with permission.
