Outlook Anywhere - prompt for credentials
-
Friday, April 09, 2010 12:33 AM
Environment is as follows:
Exchange 2007 SP2 (RU2)
Outlook 2007 SP2
I have configured two laptops for Outlook Anywhere. One belongs to the same Windows domain as the Exchange server (and users) and the other is in a workgroup. When connecting to Outlook Anywhere remotely with the workgroup laptop I can get in to the mailbox with no issues. When trying remotely with the domain-joined laptop (logged in with cached credentials) I get prompted for credentials for connecting to the mailbox server. If I submit the credentials I just get prompted again after a few seconds. I know the credentials are fine because I am using the same account/mailbox on both machines.
Test-email Autoconfiguration looks the same on both machines.
Any idea on how to get past this or to troubleshoot further?
Alexei
Answers
-
Tuesday, June 01, 2010 8:51 PM
I think I may have found the answer to this one. The difference between the two machines was the domain laptop was running XP while the workgroup laptop was running Win7. It looks like the Win7 machine can work with any of the SAN names whereas the XP machine can only work with the name that matches the Certificate Principal Name, as described below.
- Outlook on Windows XP or earlier operating systems: The Windows RPC over HTTP component used for Outlook Anywhere requires that the SAN or common name of the certificate must match the Certificate Principal Name configured for Outlook Anywhere. Outlook 2007 and later versions use Autodiscover to obtain this Certificate Principal Name. To configure this value on your Exchange 2010 Client Access server, use the Set-OutlookProvider command with the -CertPrincipalName parameter. Set this parameter to the external host name that Outlook clients use to connect to Outlook Anywhere.
Source: http://technet.microsoft.com/en-us/library/dd351044.aspx
Alexei
- Marked As Answer by Allen Song (Microsoft Contingent Staff, Moderator), Wednesday, June 02, 2010 1:50 AM
All Replies
-
Friday, April 09, 2010 3:09 AM
Ok, it seems I have found a workaround.
The CAS server is running with a 3rd party SAN certificate with the following info:
- Issued To: mail.company.com
- Subject: CN=mail.company.com
- Subject Alternative Names: mail.company.com, webmail.company.com, autodiscover.company.com, legacy.company.com
The Outlook client setting for "Only Connect to proxy servers that have this principal name in their certificate" was set to:
- msstd:webmail.company.com (i.e. one of the SAN names and not the primary name)
When I changed the "Only Connect to proxy servers that have this principal name in their certificate" to:
- msstd:mail.company.com (i.e. the name that matches the "Issued to" on the cert)
...the problem went away.
So, all good and a learning experience for me. However, what I still fail to understand is why the settings were both the same on the two laptops, but the workgroup laptop worked perfectly (and still does) with the value set to msstd:webmail.company.com. The domain-joined laptop only works when the value is changed to msstd:mail.company.com. I'd be keen to hear an explanation if anyone has one???
Alexei
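The check behind this workaround, as an added example that is not part of the original posts: it compares an `msstd:` principal name with a certificate's "Issued To" name and its SAN list, and labels each case with the behaviour reported in this thread. The function names `Get-CertNames` and `Test-MsstdPrincipalName` are hypothetical helpers, and the sample names are the ones quoted in the post above.

```powershell
function Get-CertNames {
    # Returns the subject CN ("Issued To") and DNS SAN entries of a certificate.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $san = @()
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($ext) {
        # Format() output is localized; 'DNS Name=' is the English label (assumption).
        $san = [regex]::Matches($ext.Format($false), 'DNS Name=([^,\s]+)') |
               ForEach-Object { $_.Groups[1].Value }
    }
    [pscustomobject]@{
        SubjectCN = $Cert.GetNameInfo('SimpleName', $false)
        DnsSans   = @($san)
    }
}

function Test-MsstdPrincipalName {
    # Classifies a principal name against the certificate names.
    param([string]$PrincipalName, [string]$SubjectCN, [string[]]$DnsSans)
    $name  = $PrincipalName -replace '^msstd:', ''
    $isCN  = $name -eq $SubjectCN        # string -eq is case-insensitive
    $isSan = $DnsSans -contains $name
    $result = if ($isCN) {
        'Matches Issued To: worked on both XP and Win7 in this thread'
    } elseif ($isSan) {
        'SAN only: worked on Win7, repeated credential prompt on XP in this thread'
    } else {
        'Not on certificate'
    }
    [pscustomobject]@{ PrincipalName = $PrincipalName; MatchesSubjectCN = $isCN
                       MatchesSan = $isSan; Result = $result }
}

# Constructed sample input: the certificate names quoted in the post above.
$sans = 'mail.company.com', 'webmail.company.com',
        'autodiscover.company.com', 'legacy.company.com'
'msstd:webmail.company.com', 'msstd:mail.company.com' | ForEach-Object {
    Test-MsstdPrincipalName -PrincipalName $_ -SubjectCN 'mail.company.com' -DnsSans $sans
} | Format-List

# On the Client Access server (Exchange Management Shell), the value Autodiscover
# hands to Outlook can be inspected and set to the Issued To name:
#   Get-OutlookProvider EXPR | Format-List CertPrincipalName
#   Set-OutlookProvider EXPR -CertPrincipalName 'msstd:mail.company.com'
```

`Get-CertNames` can be fed a certificate from `Get-ChildItem Cert:\LocalMachine\My` on the CAS server so that real names replace the constructed sample.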
-
Wednesday, April 14, 2010 3:38 AM Moderator
Hi,
It's weird. Outlook will not connect if the MSSTD pushed out by AutoDiscover does not match the "Issued To" name on the certificate. Did you confirm the connection was HTTPS not TCP/IP for the workgroup laptop?
Thanks
Allen
-
Thursday, April 15, 2010 2:22 AM
Hi Allen
> Did you confirm the connection was HTTPS not TCP/IP for the workgroup laptop?
Yes, the workgroup machine is connecting over the Internet to the CAS server.
Alexei

