
Another Outlook Anywhere thread. Please help


  • Another Outlook Anywhere thread. Please help

    Hi Guys,

    After banging my head against a brick wall all day today, and spending hours on Google I need some expert advice please!

    SBS2008 with Exchange 2007, Self Signed cert - it's all a very simple setup.
    Outlook Anywhere works for people who have machines joined to the domain - internally on the network, as well as road warriors.
    PCs that have not joined the domain (external office) will not work.

    The self signed cert is as correct as a self signed cert can be, and the testexchangeconnectivity website's autodiscover test passes perfectly.
    The Outlook anywhere test fails with the security chain error on the cert.

    This is for a small business with only a few employees that are all trusted, so we are hoping to persevere with the self signed cert. I don't believe this is the issue anyway, however correct me if I'm wrong.

    I have also exported this certificate, and have imported this onto both the client machine, and the server, storing the cert in "Trusted People".

    I configure Outlook 2010 using autodiscover, I just punch in the name, email address and password, I get a green tick on "Establish network connection", I then get a green tick on "Search for [email protected] server settings" but then on the "Log on to server" section I get a username/password prompt, and then a failure with the all too familiar "The action cannot be completed. The connection to Microsoft Exchange is unavailable blah blah".

    Manual method I enter the Exchange proxy settings, basic authentication (as set in Exchange) and I get a login prompt. No matter how I format the username - with domain, without, full email addy etc - I get the big not connected error.

    There has to be something I'm not seeing - I feel like I'm so close to cracking this, but now losing sight of the forest through the trees.

    Hopefully someone here can assist me with this,



  • #2
    Re: Another Outlook Anywhere thread. Please help

    If the cert isn't "valid" then it will fail. Outlook doesn't give you the option to accept the failure like IE does.

    A self signed cert isn't trusted by default on any machine whereas public certificates are. This is because their root level certificates are already in the OS/applications that you use. If you want your self signed cert to work you need to put your root certificate into the trusted root certificate authorities container (depending on how you signed your cert you may find it is the same certificate as the one you are using). If you open an MMC and then certificates/local computer you can see the existing certs (like verisign, thawte etc). There is no difference between you adding yours and your cert working and using a cert from one of these publishers apart from the extra work adding yours to each machine. Obviously publishing a secure webpage and then asking external clients to trust your cert isn't a suitable way to go so this is why people buy the trusted root supplied certificates.
    You also need to make sure your self signed cert is valid externally, i.e. it is for a fqdn that has a DNS record externally. This would be something like rather than outlook or outlook.internaldomain.local.

    Bearing in mind the public certs are reasonably cheap you would be better going down that route really though. Pretty sure Sembee has indicated before a great supplier to use although I don't know them off the top of my head.

    Probably nothing to worry about as well but any cert below a 1024 bit key length is no longer valid in Microsoft OS anymore but it is highly likely yours is above this.


    Quis custodiet ipsos custodes?


    • #3
      Re: Another Outlook Anywhere thread. Please help

      The self-signed certificate isn't supported for Outlook Anywhere as I recall, however that's not to say it won't work as I have plenty of customers using it on SBS networks.

      I think your certificate is in the wrong store and that's the issue, it should be in the Trusted Root Certification Authorities store for the Local Computer account. You shouldn't need to do anything with the certificate on the server, the SBS Wizards will do that for you.
      BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
      Cruachan's Blog
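
The conditions named in posts #2 and #3 (certificate in the Local Computer Trusted Root store, name matching the external FQDN, key of at least 1024 bits) can be checked together on a non-domain client with the PowerShell below. This is an added example, not part of any post in the thread; the certificate path and host name are placeholders.

```powershell
# Added example. $CerPath and $ExternalFqdn are placeholders, not values from the thread.
param(
    [string]$CerPath      = 'C:\Temp\exchange-selfsigned.cer',
    [string]$ExternalFqdn = 'remote.example.com'
)
$x509 = 'System.Security.Cryptography.X509Certificates'
$cert = New-Object "$x509.X509Certificate2" -ArgumentList $CerPath

# 1. Is this exact certificate in Local Computer > Trusted Root Certification Authorities?
$store = New-Object "$x509.X509Store" -ArgumentList 'Root', 'LocalMachine'
$store.Open('ReadOnly')
$inRoot = @($store.Certificates | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }).Count -gt 0
$store.Close()

# 2. Does the certificate name the external FQDN (subject CN or a SAN DNS entry)?
$names = @($cert.GetNameInfo('SimpleName', $false))
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($san) {
    # Format() prints "DNS Name=host" on English Windows; other locales differ.
    $names += @([regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
                ForEach-Object { $_.Groups[1].Value })
}
$nameOk = $names -contains $ExternalFqdn   # -contains is case-insensitive

# 3. Key length, the point raised at the end of post #2.
$keyBits = $cert.PublicKey.Key.KeySize

# 4. Build the chain in the machine context, matching the store named in post #3.
$chain = New-Object "$x509.X509Chain" -ArgumentList $true
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # skip CRL lookups for this trust check
$chainOk = $chain.Build($cert)
$status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

New-Object PSObject -Property @{
    InLocalMachineRoot = $inRoot
    NameMatchesFqdn    = $nameOk
    KeyBits            = $keyBits
    KeyAtLeast1024     = $keyBits -ge 1024
    ChainBuilds        = $chainOk
    ChainStatus        = $status      # e.g. UntrustedRoot when the cert is in the wrong store
} | Format-List

# If InLocalMachineRoot is False, import from an elevated prompt:
#   certutil -addstore Root <path-to-cer>
```

An empty ChainStatus with ChainBuilds set to True means Windows trusts the certificate at machine level; any remaining Outlook Anywhere failure then lies outside certificate trust.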


      • #4
        Re: Another Outlook Anywhere thread. Please help

        Ok, I have imported the certificate into the correct store, unfortunately no dice.
        I have also disabled, then re-enabled Outlook anywhere using the certificate common name, waited for the Event log to confirm OA is up again (took 20 minutes) and re-tested without joy.
        I can browse to the OWA without any certificate warnings.
        Also I can configure my iPhone with the Exchange details which verify and work no problem.

        When I configure Outlook manually, checking each setting to ensure they match the server, I get a logon prompt when I hit "check name". I enter the details (and have tried all variations including domain\name, name, [email protected] etc) and the correct password, to then see that blasted "must be on line" message.

        I have also re-created the virtual directories to ensure they are set correctly, checking internal/external domain names etc.

        This is going to drive me mad, or to shell out for a Microsoft Professional incident. Hope someone here has some further thoughts!

        Thanks so far anyway.


        • #5
          Re: Another Outlook Anywhere thread. Please help

          Just to be clear (because my last post wasn't!) you removed the certificate on a client, and then re-imported it into Trusted Root Certification authorities?

          As a test, if the certificate is in the correct store and is trusted, then from a client if you browse to the Remote Web App page ( by default) you won't get a certificate warning. If you do get the warning, the certificate still isn't trusted and Outlook Anywhere won't work. Neither will Remote Web App (you won't be able to connect to a machine), but that's neither here nor there at the moment.
          BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
          Cruachan's Blog


          • #6
            Re: Another Outlook Anywhere thread. Please help

            Correct, I removed the cert from the client PC first, then re-imported.
            I can now browse to their OWA site without any certificate warning.
            I have also checked kernel mode authentication under EWS, which was not enabled, and have run the iisreset /noforce after everything.