Outlook prompting for password and domain\username after migration from 2010 single server to 2010 DAG server for users, but not administrators

  • Tuesday, May 15, 2012 6:48 PM
     
     

    When mailboxes are migrated from an Exchange 2010 SP2 server with all roles (CAS, Hub, Mailbox) to a DAG set of Exchange 2010 SP2 servers (one in each site, CAS server in the other site also), all Outlook users are prompted for username and password (full username domain\username) the first time, then password each time after. Administrators are seamless and not asked/prompted for anything. Outlook Web Access and ActiveSync work fine after moves.

    I'm trying to get all the users off the all roles server to the DAGs, then I will remove the mailbox role from the all roles server leaving it a CAS server...I am perplexed. None of the logs show any errors, and if I move the mailbox back to the all roles server, it resumes working perfectly?? All replication is fine, stores are good, haven't done public folders yet on the 2 DAG servers.

    All server 2008r2 packed to current, Exchange 2010 SP2...

    Site A                                                        Site B

    All roles server Cas1                                  CAS Server  Cas2

    DAG server Dag1                                       DAG server  Dag2

All Replies

  • Tuesday, May 15, 2012 7:46 PM
     
     
    What versions of Outlook are you using? How do you have Outlook users connecting? RPC over HTTP? And when the users get the pop-up for a username and password, is this the old profile in Outlook or did you create a new profile for the new DAG connection? Which CAS server are the users connecting to when moved to the new config, CAS2 or CAS1? Are you using a certificate that is different from your all-roles CAS box when connecting to the DAG? Just a little more info from you and I'm sure I will have more questions: say cert, client Outlook version, profiles for connectivity to servers, same FQDN or different, etc. Oh, and post some event logs of the client machine and Exchange for the dialog pop-up.

    MSP Provider (Network,Hardware,Software,WAN/LAN,Exchange,WiFi,Cisco Controllers/Routers/Switches/AP Autonomous/LWAPP)

  • Tuesday, May 15, 2012 7:51 PM
     
     

    Outlook 2007 and Outlook 2010

    When they launch Outlook, it asks for the password to the CAS server, then asks for username/password for the DAG server. Afterward it asks for the password every time, but Outlook functions properly.

    These are all inside clients using outlook rpc (no outlook anywhere or rpc over https)

    All users are connecting to CAS1, which is in the same site as DAG1 where I moved the mailboxes to. Admin users encounter no errors, but regular users get the 2 prompts first time, then password after. I have not installed public certs on the DAG servers, but the original has a SANB cert for autodiscover, legacy, web, etc.

  • Wednesday, May 16, 2012 5:51 PM
     

    OK how about you post some get statements for us

    Test-OutlookWebServices -ClientAccessServer "servername"

    Test-OutlookConnectivity -Protocol:Http -GetDefaultsFromAutoDiscover:$true -verbose

    Get-ClientAccessServer -IncludeAlternateServiceAccountCredentialStatus | fl name,*alter*

    I'm sure you know you have to create the AlternateServiceAccount for the array of servers in your DAG, which resolves all FQDNs to a load-balanced DAG. Now after that you have to have the certificate include all SPNs you use for all servers clients access. This cert is then installed to each Exchange box as well.

    command to see if there is already a SPN associated to the above

    Setspn -q -f exchangeMDB/outlook.corp.contoso.com

    The following command provides an example of how to set the SPNs on the shared ASA credential. The setspn command with this syntax must be run once for every target SPN that you identify.


    Setspn -S exchangeMDB/outlook.corp.contoso.com contoso\newSharedServiceAccountName$

    then verify the command worked

    Setspn -L contoso\newSharedServiceAccountName$

    Let's test connectivity

    Test-OutlookConnectivity -Identity administrator -MailboxCredential $c -Protocol tcp

    If your Outlook client that's configured to use only Kerberos authentication can't connect, configure Outlook to use NTLM authentication only, and then verify connectivity. If a connection can't be made, verify that the Client Access server array is available or that network connectivity is stable. If NTLM connectivity is successful, but Kerberos is not, verify that the SPNs aren't registered on any other account besides the alternate service account. Make sure that the Exchange SPNs are registered on the account used by the shared alternate service account by using the setSPN query command as described earlier in this topic. Make sure that the password is coordinated between all Client Access servers and Active Directory. To do this, run the script in attended mode and have it generate a new password. Make sure that the Microsoft Exchange Address Book service is running on your Client Access servers. If authentication still isn't successful, make sure that the virtual directories for the services you want to access with Kerberos have Integrated Windows authentication enabled. You can use the Get-VirtualDirectory cmdlets to verify the authentication methods.

    So get back to me when you have checked these and please post results...

    Cheers!




    MSP Provider (Network,Hardware,Software,WAN/LAN,Exchange,WiFi,Cisco Controllers/Routers/Switches/AP Autonomous/LWAPP)
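
The SPN checks described in the reply above (each required SPN registered on the shared alternate service account and on no other account), as an added example that is not part of the original post or of Exchange itself. The helper names Test-AsaSpnRegistration and New-SpnRecord are hypothetical, the registrations are constructed sample data, and the service classes other than exchangeMDB are an assumption not named in the thread.

```powershell
# Added example (not from the thread). Test-AsaSpnRegistration is a hypothetical helper.
# Live input could be gathered with the ActiveDirectory module, for instance:
#   Get-ADObject -LDAPFilter '(servicePrincipalName=exchangeMDB/*)' -Properties servicePrincipalName
function Test-AsaSpnRegistration {
    param(
        [Parameter(Mandatory = $true)] [object[]] $Registrations, # objects with Account and Spn
        [Parameter(Mandatory = $true)] [string]   $AsaAccount,
        [Parameter(Mandatory = $true)] [string[]] $RequiredSpns
    )
    foreach ($spn in $RequiredSpns) {
        # Every account currently holding this SPN (string comparison is case-insensitive).
        $holders = @($Registrations | Where-Object { $_.Spn -eq $spn } |
                ForEach-Object { $_.Account } | Sort-Object -Unique)
        if     ($holders.Count -eq 0)                                  { $status = 'Missing' }
        elseif ($holders.Count -eq 1 -and $holders[0] -eq $AsaAccount) { $status = 'OK' }
        elseif ($holders -contains $AsaAccount)                        { $status = 'Duplicate' }
        else                                                           { $status = 'WrongAccount' }
        New-Object PSObject -Property @{ Spn = $spn; Status = $status; Holders = ($holders -join ', ') }
    }
}

function New-SpnRecord([string] $Account, [string] $Spn) {
    New-Object PSObject -Property @{ Account = $Account; Spn = $Spn }
}

# Constructed sample data: account names and registrations are illustrative only.
$asa  = 'contoso\newSharedServiceAccountName$'
$fqdn = 'outlook.corp.contoso.com'
$sample = @(
    (New-SpnRecord $asa            "exchangeMDB/$fqdn"),   # held only by the ASA
    (New-SpnRecord $asa            "exchangeRFR/$fqdn"),   # also on CAS1$ below
    (New-SpnRecord 'contoso\CAS1$' "exchangeRFR/$fqdn"),
    (New-SpnRecord 'contoso\CAS1$' "exchangeAB/$fqdn")     # never moved to the ASA
)

# Service classes other than exchangeMDB are an assumption (not named in the thread).
$required = 'http', 'exchangeMDB', 'exchangeRFR', 'exchangeAB' | ForEach-Object { "$_/$fqdn" }

Test-AsaSpnRegistration -Registrations $sample -AsaAccount $asa -RequiredSpns $required |
    Format-Table Spn, Status, Holders -AutoSize
```

Any row that is not OK is a candidate cause for Kerberos failing while NTLM still works: a Duplicate or WrongAccount SPN has to be removed from the other account, and a Missing one registered on the ASA.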

  • Wednesday, May 16, 2012 6:24 PM
     
     

    When I run this command on DAG1 server: Test-OutlookWebServices -ClientAccessServer "servername"

    This is the result:

    WARNING: An unexpected error has occurred and a Watson dump is being generated: The operation couldn't be performed
    because 'CAS1.contoso.com' couldn't be found. (this happens no matter what server name I put in there, just name or fqdn)

    When I run this command on any exchange server:

    Test-OutlookConnectivity -Protocol:Http -GetDefaultsFromAutoDiscover:$true -verbose

    Here is the result:

    [PS] C:\Windows\system32>Test-OutlookConnectivity -Protocol:Http -GetDefaultsFromAutoDiscover:$true -verbose
    Parameter set cannot be resolved using the specified named parameters.
        + CategoryInfo          : InvalidArgument: (:) [Test-OutlookConnectivity], ParameterBindingException
        + FullyQualifiedErrorId : AmbiguousParameterSet,Test-OutlookConnectivity

    When I run this command on DAG1 server:  Get-ClientAccessServer -IncludeAlternateServiceAccountCredentialStatus | fl name,*alter*

    This is the result:

    Name                                 : CAS1
    AlternateServiceAccountConfiguration : Latest: <Not set>
                                           Previous: <Not set>

    Name                                 : CAS2
    AlternateServiceAccountConfiguration : Latest: <Not set>
                                           Previous: <Not set>