Exchange 2013 Configuration Issue

    Question

  • We have deployed infrastructure as follows:

    Active Directory 2012 X 2 (Single Forest, Single Domain)
    Exchange 2013 Infrastructure is as follows:
    Exchange 2013 HubCas in Array (2 Nodes)
    Exchange 2013 Mailbox Server in DAG (2 Nodes)

    We have 5 accepted mail domains.

    Client environment:
    XP, Windows 7, Windows 8 and MAC Machines
    Mail Clients
    Outlook 2007 SP3 + Small Update
    Outlook 2010 SP1 + Small Update

    On Premise Certificate Authority server installed for Exchange Certificate

    Working scenarios are as follows:
    Internal Domain users are connected to exchange using above mail clients
    Non-domain users within the same network are also connected, but using the HUB CAS server name. For the initial user authentication we need to give the Active Directory server IP to verify the user, then change the server name in Outlook (2007 or 2010).

    Domain users are able to send and receive mail; non-domain users within the same network are also able to send and receive mail, but they receive an error for the OAB.

    External users are able to use OWA with their respective login IDs.
    The same external users, when they use Outlook to connect to Exchange using the external mail domain, are unable to log in.

    The server authentication on the HUB CAS we are using is NTLM.
    If we change this authentication to Basic or Negotiate on the HUB CAS (domain-based internal and non-domain-based), either XP or Windows 7 machines will not be able to authenticate on the domain and will prompt for the password in a loop.

    We changed settings in IIS (Default Web Site --> Autodiscover, OAB, EWS, RPC [Authentication --> Basic --> Enable]).
    After those changes, all domain and non-domain internal users are now able to log in without any issues.

    Users outside the domain and network are still unable to use Outlook (Internet).

    If anyone can help it will be highly appreciated, as we are in the final stage of the project and need to close on an immediate basis.

    Thanks & Regards,

    Santosh


    Santosh Dave Head of Infrastructure Technology & Services Elite Technologies Middle East Kingdom of Bahrain, Manama.

    Sunday, August 18, 2013 1:41 PM

All replies

  • Hi

    Do your external users install your domain's root certificate into their PCs' trusted root authorities? It would probably be easier to use a 3rd-party certificate to allow these users to connect to Outlook Anywhere.

    Steve

    Sunday, August 18, 2013 1:51 PM
  • We have used this same scenario for other installations with an internal CA server and it has been working.

    Whereas the certificate chain is installed; after that, when we open OWA we do not see a certificate error in the browser.

    Normally for the authentication on the HUB CAS we have to use Basic authentication, but if we change from NTLM to Basic, the domain and internal XP or Windows 7 machines (either of them) will not work and will prompt for the username and password to log on to the domain.

    Regards,

    Santosh


    Sunday, August 18, 2013 1:55 PM
  • Please can anyone reply to my request; it's urgent.

    Regards,

    Santosh


    Sunday, August 18, 2013 2:18 PM
  • Can anyone help us on the above issue? I am stuck with the project and it's quite urgent, or else please let me know if I need to post this in some other forum. Regards, Santosh


    Tuesday, August 20, 2013 6:02 AM
  • Hi,

    Okay, you mentioned that you're receiving errors when performing various things; can you provide details of the errors?

    For connectivity issues, are you able to try the Test Exchange Connectivity tool available here: https://www.testexchangeconnectivity.com

    Please provide any errors you're receiving using that tool. I would assume that you're using Outlook Anywhere for external users to connect to Outlook, so therefore I would suggest running the Outlook Anywhere test.


    MCITP Ent. Messaging | MCTS | MCSA | MCP
    http://www.camm.id.au (blog)

    Tuesday, August 20, 2013 6:17 AM
  • I tried all the tests within this link.

    Using this link, if I do Autodiscover it gives me the error "cannot authenticate on server"; I tried using Basic and NTLM, both, and the result is still the same. But if I do only discover, all tests pass.

    I have changed this (earlier it was only NTLM):

    Set-OutlookAnywhere -Identity 'EXhubcas01\Rpc (Default Web Site)' -IISAuthenticationMethods Basic,NTLM
    Set-OutlookAnywhere -Identity 'EXhubcas02\Rpc (Default Web Site)' -IISAuthenticationMethods Basic,NTLM

    All other desktops within the network (domain and non-domain) are working.
    All the Mac systems, iPhones, BlackBerrys and other smartphones are working.

    Only the Outlook clients using RPC over HTTP are unable to authenticate over the domain. I even tried to use an iPhone app called ASTEST; even that app shows connection OK, SSL name not valid (as it is an internal-CA-certified certificate), and lastly fails to authenticate the user.

    Regards,


    Tuesday, August 20, 2013 7:45 AM
  • This is the error we get while doing autodiscover.

    Certificate trust is being validated.
      Certificate trust validation failed.
     
    Test Steps
     
    The Microsoft Connectivity Analyzer is attempting to build certificate chains for certificate CN=mail.abc.com, OU=abc, O=IT, L=xyz, S=LC, C=SA.
      A certificate chain couldn't be constructed for the certificate.
     
    Additional Details
      The certificate chain couldn't be built. You may be missing required intermediate certificates.

     
    The Microsoft Connectivity Analyzer is attempting to build certificate chains for certificate CN=mail.abc.com, OU=abc, O=IT, L=xyz, S=location, C=AC.
      A certificate chain couldn't be constructed for the certificate.
     
    Additional Details
      The certificate chain couldn't be built. You may be missing required intermediate certificates.

    Regards,

    Tuesday, August 20, 2013 7:58 AM
  • Hi,

    Can you run the following Exchange Management Shell command, and see if the CertPrincipalName matches one of the subjects on the certificate name you're using to deliver Outlook Anywhere?

    get-outlookprovider | select Name,CertPrincipalName


    Tuesday, August 20, 2013 10:15 AM
  • When I run this command I get this output:

    [PS] C:\Windows\system32>Get-OutlookProvider

    Name                          Server                        CertPrincipalName             TTL
    ----                          ------                        -----------------             ---
    EXCH                                                                                      1
    EXPR                                                                                      1
    WEB                                                                                       1

    Regards,


    Tuesday, August 20, 2013 10:18 PM
  • Hi,

    What is the value of ExternalHostname when you perform the Get-OutlookProvider command? Is the hostname a subject in the certificate you're using?


    Wednesday, August 21, 2013 5:22 AM
  • Hi,

    Can you also verify whether or not the tickbox "Only connect to proxy servers that have this principal name" is ticked in your Outlook settings, and what the value is. If it is ticked, are you sure that the certificate that is hosting OA has this subject name?


    Wednesday, August 21, 2013 5:25 AM
  • 'get-outlookanywhere | fl externalhostname' was the command which gave the output as the ExternalHostname.

    But the subject in the certificate is different from the ExternalHostname.

    Regards,


    Wednesday, August 21, 2013 6:19 PM
  • Yes, it is ticked.

    Regards,


    Wednesday, August 21, 2013 6:31 PM
  • Hi,

    Does the subject match the certificate? If it does not, Outlook will not connect over Outlook Anywhere.


    Wednesday, August 21, 2013 10:10 PM
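    The name check the replies above are asking for can be done in one pass from the Exchange Management Shell. The script below is an added example, not something posted in this thread: it reads the certificate assigned to IIS, collects the host names Outlook Anywhere and the Outlook providers hand to clients, and reports which of them are missing from the certificate. It assumes the Exchange 2013 cmdlets Get-ExchangeCertificate, Get-OutlookAnywhere and Get-OutlookProvider; it changes nothing.

```powershell
# Added example (not from the thread): does every host name Outlook Anywhere
# clients are told to use actually appear on the certificate bound to IIS?
# Run in the Exchange Management Shell on a CAS. Read-only.

# The certificate currently enabled for the IIS service (newest if several)
$cert = Get-ExchangeCertificate |
    Where-Object { $_.Services.ToString() -match 'IIS' } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { Write-Warning 'No certificate is assigned to the IIS service.'; return }

# Subject CN plus subject alternative names, lower-cased for comparison
$certNames = @($cert.CertificateDomains | ForEach-Object { $_.ToString().ToLower() })

# Names clients are given: Outlook Anywhere host names per CAS, and the
# CertPrincipalName (msstd:<host>) that Outlook validates when the
# "Only connect to proxy servers that have this principal name" box is ticked
$expected = @()
Get-OutlookAnywhere | ForEach-Object {
    $expected += [pscustomobject]@{ Source = "$($_.Server) ExternalHostname"; Name = "$($_.ExternalHostname)" }
    $expected += [pscustomobject]@{ Source = "$($_.Server) InternalHostname"; Name = "$($_.InternalHostname)" }
}
Get-OutlookProvider | Where-Object { $_.CertPrincipalName } | ForEach-Object {
    $expected += [pscustomobject]@{ Source = "OutlookProvider $($_.Name)"
                                    Name   = ($_.CertPrincipalName -replace '^msstd:', '') }
}

"Certificate $($cert.Thumbprint) covers: $($certNames -join ', ')"
foreach ($e in $expected) {
    $name = $e.Name.ToLower()
    if (-not $name) { "{0,-40} not set" -f $e.Source; continue }
    # Exact match, or covered by a wildcard entry such as *.abc.com
    $covered = ($certNames -contains $name) -or
               (($certNames | Where-Object { $_.StartsWith('*.') -and ($name -like $_) }) -ne $null)
    "{0,-40} {1,-30} {2}" -f $e.Source, $name, $(if ($covered) { 'OK' } else { 'NOT on certificate' })
}
```

    A line reporting "NOT on certificate" for ExternalHostname or an OutlookProvider entry is exactly the mismatch that stops Outlook Anywhere clients from connecting; the fix is either a certificate that carries that name or a host name that the certificate already covers.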
  • If we create the subject to match the certificate, domain users using XP show Outlook as disconnected.

    Regards,

    Santosh


    Thursday, August 22, 2013 5:52 AM
  • Just to update with more important information: our internal domain and one of the external domains are the same. The internal domain is abc.com and the external domain is abc.com, whereas for abc.com we have not yet changed the MX record. When we change the certificate name to the active MX record, local domain XP machines do not authenticate Outlook. Could this also be an issue?

    Regards,


    Thursday, August 22, 2013 6:08 AM