Use same certificate internally as externally

  • Question

  • We have an Exchange server called "Exchange" joined to the domain "example.com". We also have our public domain called "example.com".

    We have a certificate (used for SMTP, IMAP, IIS and POP) for "mail.example.com". Everything works great from the outside. However, when on the inside, when a user starts Exchange for the first time, Outlook uses "exchange.example.com", which results in a mismatch to the certificate.

    I have followed the instructions on http://support.microsoft.com/kb/940726 to change autodiscovery to match the certificate. However, when running Outlook 2007 it still attempts the internal server name, which of course does not match the server certificate and results in an error.

    Running the command Test-OutlookWebServices | FL results in: 

    Id         : 1104
    Type       : Error
    Message    : The certificate for the URL https://exchange.example.com/autodiscover/autodiscover.xml is incorrect. F
                 or SSL to work, the certificate needs to have a subject of exchange.example.com, instead the subject f
                 ound is mail.example.com. Consider correcting service discovery, or installing a correct SSL certifi
                 cate.

    Are there any additional actions needed to remove exchange.example.com from autodiscovery (internally)?

    Regards,

    Jonas

    Tuesday, July 17, 2012 2:15 PM


All replies

  • Looks like you didn't run the last part of the doc.

    Set-ClientAccessServer -AutodiscoverServiceInternalUri https://mail.contoso.com/autodiscover/autodiscover.xml

    James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com

    Tuesday, July 17, 2012 2:25 PM
  • Ah, that is correct thank you! However after running that command (with "exchange" as -Identity), Outlook tells me "The connection to the Microsoft Exchange Server is unavailable. Outlook must be online or connected to complete this action". 

    I also don't exactly understand this part of the KB: "The original internal URLs for the Exchange components point to the internal FQDN of the server. For example, one of these URLs points to the following: https://ServerName.contoso.com/ews/exchange.asmx" What should I do to confirm this?

    I have added a host record in the internal DNS for mail.example.com pointing to the IP of the server "exchange". Are there any additional DNS changes I have to make?

    Regards,

    Jonas

    Tuesday, July 17, 2012 2:44 PM
  • You have something else going on if you're getting the "The connection to the Microsoft Exchange Server is unavailable" that has nothing to do with webservices or certs. Are you sure all exchange services are running? Can you log into webmail?

    James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com

    Tuesday, July 17, 2012 3:07 PM
  • It appeared to be a temporary connection issue. However, I am not sure, but the Outlook error message might have changed, now it is "there is a problem with the proxy server's security certificate". The Outlook configuration guide goes well until all three steps have got the green check mark. Then a logon prompt appears. I enter my domain credentials, and just after that the error message appears. After I click OK, Outlook just tries to "Trying to connect to Microsoft Exchange" and nothing more happens.

    Are there any more settings that need to be correct? How can I verify those?

    Thank you. 

    Jonas

    Tuesday, July 17, 2012 4:25 PM
  • A cert mismatch won't stop you from connecting unless it's trying to connect over outlook anywhere. Can you look at the outlook anywhere config and see what URL you're using, make sure it's using the mail.company.com


    James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com

    Tuesday, July 17, 2012 6:03 PM
  • Well, Outlook Anywhere is not enabled at the moment and I would prefer to not have any certificate issue at all, neither internal nor external (OWA is working as expected).

    Every time I start Outlook the login prompt appears, after which the cert error appears. After that Outlook tries to connect without success.

    What would be the next steps to configure or verify? The service connection point in the AD seems to be correct.

    Thank you.

    Jonas

    Wednesday, July 18, 2012 6:31 AM
  • If possible can you perform an iisreset /noforce ?

    Also test OLK autoconfig and see what urls olk is using?


    Sukh

    Wednesday, July 18, 2012 7:02 AM
  • Hi Jonas,

    Please verify that you have modified the InternalURLs and *URI on the CAS server correctly.

    • Get-WebServicesVirtualDirectory | fl Identity,internalurl,externalurl
    • Get-OabVirtualDirectory | fl Identity,internalurl,externalurl
    • Get-ClientAccessServer | fl Identity,*uri*

    Post the output here if you need help with this.


    Martina Miskovic

    Wednesday, July 18, 2012 7:35 AM
  • Thank you Martina. Below is the output. From what I can see, it looks correct:

    [PS] C:\Windows\system32>Get-WebServicesVirtualDirectory | fl Identity, internalurl,externalurl
    Identity    : EXCHANGE\EWS (Default Web Site)
    InternalUrl : https://mail.example.com/ews/exchange.asmx
    ExternalUrl : https://EXCHANGE.example.com/ews/exchange.asmx

    [PS] C:\Windows\system32>Get-OabVirtualDirectory | fl identity,internalurl,externalurl
    Identity    : EXCHANGE\OAB (Default Web Site)
    InternalUrl : https://mail.example.com/oab
    ExternalUrl : https://EXCHANGE.example.com/OAB

    [PS] C:\Windows\system32>Get-ClientAccessServer | fl Identity, *uri*
    Identity                       : EXCHANGE
    AutoDiscoverServiceInternalUri : https://mail.example.com/autodiscover/autodiscover.xml

    I also ran the following command but am not sure if it is relevant: 

    [PS] C:\Windows\system32>Get-Autodiscovervirtualdirectory | Fl identity,internalurl,externalurl
    Identity    : EXCHANGE\Autodiscover (Default Web Site)
    InternalUrl :
    ExternalUrl :

    Thank you,

    Jonas Haglund

    Wednesday, July 18, 2012 7:46 AM
  • Thank you Sukh, I have run iisreset /noforce but it times out. Instead I used service manager to manually stop (takes almost a minute) and start the w3svc service. I have also restarted the server.

    What is OLK autoconfig?

    Regards,

    Jonas

    Wednesday, July 18, 2012 7:48 AM
  • With the above settings, I'm surprised that you wrote "Everything works great from the outside"

    All your ExternalURLs are wrong and you really should change them BEFORE you enable Outlook Anywhere.


    Do you have a trusted certificate from a public Issuer installed, or?

    Can you run Get-Exchangecertificate | fl and post the output?
    Please also run Test-ServiceHealth and check that all required services are running.


    Nothing wrong with the URLs for the AutodiscoverVirtualdirectory. They are not used.


    Martina Miskovic

    Wednesday, July 18, 2012 7:53 AM
  • Thank you. I will look into the ExternalURLs before Outlook Anywhere! A clarification: the OWA works without certificate issues.

    Cert info (two default self-issued and one from USERTRUST): 

    [PS] C:\Windows\system32>Get-Exchangecertificate | fl

    AccessRules        :
    CertificateDomains : {example.com, autodiscover.example.com}
    HasPrivateKey      : True
    IsSelfSigned       : True
    Issuer             : CN=example.com
    NotAfter           : 2017-07-13 10:40:43
    NotBefore          : 2012-07-13 10:40:43
    PublicKeySize      : 2048
    RootCAType         : None
    SerialNumber       : 22F0DAC54170F19D40B3E5DD06E8FB5F
    Services           : SMTP
    Status             : Valid
    Subject            : CN=example.com
    Thumbprint         : B1AE97449D72878C4F74669850F07918975F882F

    AccessRules        :
    CertificateDomains : {EXCHANGE, EXCHANGE.example.com}
    HasPrivateKey      : True
    IsSelfSigned       : True
    Issuer             : CN=EXCHANGE
    NotAfter           : 2017-07-12 12:15:35
    NotBefore          : 2012-07-12 12:15:35
    PublicKeySize      : 2048
    RootCAType         : None
    SerialNumber       : 1B7D6EC8B3DC3B9D400EFD34797A774F
    Services           : SMTP
    Status             : Valid
    Subject            : CN=EXCHANGE
    Thumbprint         : 98C4E2AA12F8170301D7ABB69C23018A85A8B1F8

    AccessRules        :
    CertificateDomains : {mail.example.com, app1.example.com, app2.example.com, app3.example.com}
    HasPrivateKey      : True
    IsSelfSigned       : False
    Issuer             : CN=USERTrust Legacy Secure Server CA, O=The USERTRUST Network, L=Salt Lake City, S=UT, C=US
    NotAfter           : 2014-09-08 01:59:59
    NotBefore          : 2012-01-12 01:00:00
    PublicKeySize      : 2048
    RootCAType         : ThirdParty
    SerialNumber       : 652E7D2F2F04B640D436B6901D8579FD
    Services           : IMAP, POP, IIS, SMTP
    Status             : Valid
    Subject            : CN=mail.example.com, OU=TRUSTZONE UC SSL, OU=Provided by TRUSTZONE, OU=Example, O=Example
                         STREET=N/A, L=City, S=CITY, PostalCode=xxxx, C=COM
    Thumbprint         : 45A9BA9BE77A6739B14F99A64ADBF9C696805888

    Thank you.

    Jonas

    Wednesday, July 18, 2012 8:02 AM
  • Hi,
    I would delete the certificate with Thumbprint: B1AE9*
    Example: Remove-ExchangeCertificate -Thumbprint B1AE97449D72878C4F74669850F07918975F882F

    Only confusing to have certificates that are not in use. At least that is what I think.


    And since you are using a certificate that seems to have been created for something else, I recommend that you create a SRV record for Autodiscover in both your internal and external DNS, if you haven't already done so.
    See: http://support.microsoft.com/kb/940881

    Without it WebServices (OOF, Availability Information and OAB Download) will not work when connecting from a non-domain-joined computer.


    Edit: btw...you have at least SP2 installed for Office 2007 right?

    Martina Miskovic


    Wednesday, July 18, 2012 8:10 AM
  • 1. Press and hold the CTRL key and then right-click the Outlook icon in the system tray.
    2. Click Test e-mail Auto Configuration.
    3. In the E-mail Address box, type the alias of the affected user.
    4. In the Password box, type the user's password.
    5. Click to select the Use Autodiscover check box, and then click Test. Untick both of the Guest...

    It should show you the URLs OLK is using. What you want to see is the mail.xxxx.x... and not the Exchange server FQDN.

    Sukh

    Wednesday, July 18, 2012 8:16 AM
  • I have added a host record in the internal DNS for mail.example.com pointing to the IP of the server "exchange". Are there any additional DNS changes I have to make?

    Regards,

    Jonas

    No, that should do it (except for the SRV record I mentioned in my previous post).

    Please make sure that you don't have a record for autodiscover.example.com in your DNS. That would only cause problems since you don't have that name in your certificate.

    Martina Miskovic

    Wednesday, July 18, 2012 8:18 AM
  • Thank you. I successfully removed the certificate with the command you suggested.

    This is a single server installation of Exchange 2010 on 2008 R2. 

    I created the SRV record in our internal DNS (on the DC) for the example.com zone (under Forward lookup zones) with the following data:

    Service: _autodiscover
    Protocol: _tcp
    Port Number: 443
    Host: mail.example.com

    Now Outlook doesn't complain at all on the certificate, not on autoconfigure nor on normal use. However, when I open up the account settings, it says "Microsoft Exchange-server: EXCHANGE.example.com". Maybe that is expected? The important thing is that the connection is secure and the users are not confronted with certificate issues (unless there actually is a problem!). 

    I would say that the issue is resolved as for the internal clients. Do you agree? 

    Wednesday, July 18, 2012 8:59 AM
  • Thank you. I successfully removed the certificate with the command you suggested.

    This is a single server installation of Exchange 2010 on 2008 R2. 

    I created the SRV record in our internal DNS (on the DC) for the example.com zone (under Forward lookup zones) with the following data:

    Service: _autodiscover
    Protocol: _tcp
    Port Number: 443
    Host: mail.example.com

    Now Outlook doesn't complain at all on the certificate, not on autoconfigure nor on normal use. However, when I open up the account settings, it says "Microsoft Exchange-server: EXCHANGE.example.com". Maybe that is expected? The important thing is that the connection is secure and the users are not confronted with certificate issues (unless there actually is a problem!). 

    I would say that the issue is resolved as for the internal clients. Do you agree? 


    Yes I agree, and I'm glad to hear that the problem is solved.

    You should see the server name in the account setting, or the name of the CAS Array if you had created one, and not the name used for webservices.

    Martina Miskovic

    Wednesday, July 18, 2012 9:10 AM
  • Thank you! Your assistance is greatly appreciated. I think the SRV record did the trick!

    Now I will go about preparing for Outlook anywhere. 

    When I visit https://mail.example.com it gets redirected to https://mail.example.com/owa (configured using IIS Manager / HTTP Redirect). No certificate issues at all.

    I understand that you suggest that I should run the following commands? Is the suggested URL appropriate?

    Set-WebServicesVirtualDirectory –Identity ‘EXCHANGE\EWS (Default Web Site)’ –ExternalUrl https://autodiscover.example.com/ews/exchange.asmx

    Set-OabVirtualDirectory –Identity ‘EXCHANGE\EWS (Default Web Site)’ –ExternalUrl https://autodiscover.example.com/oab

    Set-ClientAccessServer –Identity ‘EXCHANGE\EWS (Default Web Site)’ –ExternalUrl https://autodiscover.example.com/oab

    I should also configure an SRV record on our external DNS (outsourced). However, when adding a record to our external DNS I can only enter values for Host, Type and Destination. Type is SRV and Host is mail.example.com but how do I map Service, Protocol and Port Number?

    Service: _autodiscover
    Protocol: _tcp
    Port Number: 443
    Host: mail.example.com

    Regards,

    Jonas


    • Edited by Jonas Haglund Wednesday, July 18, 2012 9:25 AM spelling
    Wednesday, July 18, 2012 9:23 AM
  • FYI: if the namespace planning had been done beforehand then you would have been OK. As a minimum it's recommended to have the autodiscover namespace in the cert.

    Bear in mind if you plan to use EAS then SRV method is going to cause issues, if not then you're ok.


    Sukh


    • Edited by Sukh828 Wednesday, July 18, 2012 9:36 AM
    Wednesday, July 18, 2012 9:31 AM
  • No, the above URLs are not the right ones.

    Set-WebServicesVirtualDirectory -Identity "EXCHANGE\EWS (Default Web Site)" -ExternalUrl https://mail.example.com/ews/exchange.asmx
    Set-OabVirtualDirectory -Identity "EXCHANGE\OAB (Default Web Site)" -ExternalUrl https://mail.example.com/oab

    You might need to contact your DNS Provider and have them create the record for you.

    To test it when they/or you have created it use nslookup.
    Example:

    nslookup
    server 8.8.8.8
    set type=srv
    _autodiscover._tcp.example.com






    Martina Miskovic

    • Marked as answer by Jonas Haglund Thursday, July 19, 2012 8:23 AM
    Wednesday, July 18, 2012 9:31 AM
  • Unfortunately we are now experiencing problems with OWA:

    • Nothing happens when clicking on New
    • When replying or forwarding a mail, it is not possible to edit the body of the message. The subject can be changed.
    • When we try to delete a mail, the browser tells me "invalid response from the server".
    • Sometimes after switching between folders, the inbox appears empty (the objects are invisible). Then you have to log in or log out again.

    I am quite sure we didn't have these problems before I started doing things as described in this thread. Could any of these configuration changes affect the OWA as described?

    Edit: I have looked at the post "Iphone ActiveSync Issues after installing Exchange 2010 SP1" but that does not seem to be the problem:
    Name                       : aa-bb.se
    DistinguishedName  : CN=aa-bb.se,CN=Accepted Domains,CN=Transport Settings,CN=aa-bb,CN=Microsoft Exchan
                                 ge,CN=Services,CN=Configuration,DC=aa-bb,DC=se
    Identity                    : aa-bb.se
    Friday, July 20, 2012 7:11 AM
  • Hi,
    One thing that can affect OWA is if the URLs for ECP and EWS are not correct and you did change the EWS, right?

    Run the below commands and post the output:
    Get-OwaVirtualDirectory | ft Identity,internalurl,externalurl,*auth*
    Get-EcpVirtualDirectory | fl Identity,internalurl,externalurl,*auth*
    Get-WebServicesVirtualDirectory | fl Identity,internalurl,externalurl,*auth*

    Creating a SRV-Record does not affect OWA.

    How is the post Iphone ActiveSync related? (I haven't read that thread)


    Martina Miskovic

    Friday, July 20, 2012 7:35 AM
  • Hi! 

    The thread I was referring to has a problem and solutions that are actually much wider than just ActiveSync, and has similar but not equal OWA symptoms.

    Regarding EWS, I am quite sure I ran the following command: Set-WebServicesVirtualDirectory -Identity " exchange\EWS (Default Web Site)" -InternalUrl https://mail.example.com/ews/exchange.asmx

    Here is the output:

    [PS] C:\Windows\system32>Get-OwaVirtualDirectory | ft Identity,internalurl,externalurl,*auth*
    Creating a new session for implicit remoting of "Get-OwaVirtualDirectory" command...

    Identity   InternalUr ExternalUr ClientAuth InternalAu BasicAuthe WindowsAut DigestAuth FormsAuthe LiveIdAuth ExternalA
               l          l          CleanupLev thenticati  ntication henticatio entication  ntication entication uthentica
                                             el onMethods                      n                                  tionMetho
                                                                                                                  ds
    --------   ---------- ---------- ---------- ---------- ---------- ---------- ---------- ---------- ---------- ---------
    EXCHANG... https:/... https:/...       High {Basic,...       True      False      False       True      False {Fba}

    [PS] C:\Windows\system32>Get-EcpVirtualDirectory | fl Identity,internalurl,externalurl,*auth*

    Identity                      : EXCHANGE\ecp (Default Web Site)
    InternalUrl                   : https://EXCHANGE.example.com/ecp
    ExternalUrl                   : https://EXCHANGE.example.com/ecp
    InternalAuthenticationMethods : {Basic, Fba}
    BasicAuthentication           : True
    WindowsAuthentication         : False
    DigestAuthentication          : False
    FormsAuthentication           : True
    LiveIdAuthentication          : False
    ExternalAuthenticationMethods : {Fba}

    [PS] C:\Windows\system32>Get-WebServicesVirtualDirectory | fl Identity,internalurl,externalurl,*auth*

    Identity                      : EXCHANGE\EWS (Default Web Site)
    InternalUrl                   : https://mail.example.com/ews/exchange.asmx
    ExternalUrl                   : https://mail.example.com/ews/exchange.asmx
    CertificateAuthentication     :
    InternalAuthenticationMethods : {Ntlm, WindowsIntegrated, WSSecurity}
    ExternalAuthenticationMethods : {Ntlm, WindowsIntegrated, WSSecurity}
    LiveIdSpNegoAuthentication    : False
    WSSecurityAuthentication      : True
    LiveIdBasicAuthentication     : False
    BasicAuthentication           : False
    DigestAuthentication          : False
    WindowsAuthentication         : True

    Thank you.

    Jonas


    Friday, July 20, 2012 7:46 AM
  • Made a typo for the OWA*...Can you run it again, but this time with format-list so we can see the settings :)
    Get-OwaVirtualDirectory | fl Identity,internalurl,externalurl,*auth*


    Martina Miskovic


    Friday, July 20, 2012 7:49 AM
  • Ah, sorry! Now I finally know what "fl" does :-)

    [PS] C:\Windows\system32>Get-OwaVirtualDirectory | fl Identity,internalurl,externalurl,*auth*

    Identity                      : EXCHANGE\owa (Default Web Site)
    InternalUrl                   : https://exchange.example.com/owa
    ExternalUrl                   : https://exchange.example.com/owa
    ClientAuthCleanupLevel        : High
    InternalAuthenticationMethods : {Basic, Fba}
    BasicAuthentication           : True
    WindowsAuthentication         : False
    DigestAuthentication          : False
    FormsAuthentication           : True
    LiveIdAuthentication          : False
    ExternalAuthenticationMethods : {Fba}

    Friday, July 20, 2012 7:54 AM
  • What you need to do is to change the URLs for OWA and ECP.
    Right now they have *exchange.example.com/* instead of *mail.example.com* and that is incorrect and is the source of your problem.


    Martina Miskovic


    Friday, July 20, 2012 7:55 AM
  • Unfortunately the problem remains unchanged. (I don't know if it is necessary but I also did an iisreset /noforce)

    Here is the updated output:

    [PS] C:\Windows\system32>Get-OwaVirtualDirectory | fl Identity,internalurl,externalurl,*auth*

    Identity                      : exchange\owa (Default Web Site)
    InternalUrl                   : https://mail.example.com/owa
    ExternalUrl                   : https://mail.example.com/owa
    ClientAuthCleanupLevel        : High
    InternalAuthenticationMethods : {Basic, Fba}
    BasicAuthentication           : True
    WindowsAuthentication         : False
    DigestAuthentication          : False
    FormsAuthentication           : True
    LiveIdAuthentication          : False
    ExternalAuthenticationMethods : {Fba}

    [PS] C:\Windows\system32>Get-EcpVirtualDirectory | fl Identity,internalurl,externalurl,*auth*

    Identity                      : exchange\ecp (Default Web Site)
    InternalUrl                   : https://mail.example.com/ecp
    ExternalUrl                   : https://mail.example.com/ecp
    InternalAuthenticationMethods : {Basic, Fba}
    BasicAuthentication           : True
    WindowsAuthentication         : False
    DigestAuthentication          : False
    FormsAuthentication           : True
    LiveIdAuthentication          : False
    ExternalAuthenticationMethods : {Fba}

    [PS] C:\Windows\system32>Get-WebServicesVirtualDirectory | fl Identity,internalurl,externalurl,*auth*

    Identity                      : exchange\EWS (Default Web Site)
    InternalUrl                   : https://mail.example.com/ews/exchange.asmx
    ExternalUrl                   : https://mail.example.com/ews/exchange.asmx
    CertificateAuthentication     :
    InternalAuthenticationMethods : {Ntlm, WindowsIntegrated, WSSecurity}
    ExternalAuthenticationMethods : {Ntlm, WindowsIntegrated, WSSecurity}
    LiveIdSpNegoAuthentication    : False
    WSSecurityAuthentication      : True
    LiveIdBasicAuthentication     : False
    BasicAuthentication           : False
    DigestAuthentication          : False
    WindowsAuthentication         : True

    Friday, July 20, 2012 8:16 AM
  • Hmm, that should have fixed your problem.

    Have you made any changes in IIS, like trying to simplify the OWA URL?

    If so, do have a look at this Technet Article Simplify the Outlook Web App URL and especially the last part "Use IIS Manager to remove redirection from a virtual directory"


    Martina Miskovic

    • Marked as answer by Jonas Haglund Friday, July 20, 2012 9:55 AM
    Friday, July 20, 2012 8:25 AM
  • Wish I didn't have to tell you this, but yes I did and didn't think of it until now. However I did at that time follow the instructions on the link you provided but for some reason interpreted the different sections in the article as alternatives, not "steps". Now I followed all of the steps and it works as it should! 

    Worth mentioning is that the step "Modify permissions on the Offline Address Book web.config file" must be done after (not before) "Use IIS Manager to remove redirection from a virtual directory" otherwise the web.config file won't exist. More info here: http://blogs.msexchange.org/walther/2010/03/22/oab-issues-after-simplifying-the-owa-2010-url/

    Thank you. Your help has been invaluable in this matter. 

    Jonas

    Friday, July 20, 2012 9:44 AM
  • To sum things up, these were the steps necessary to solve my problem:

    • Any redirect for OWA should be configured according to this post: http://blogs.msexchange.org/walther/2010/03/22/oab-issues-after-simplifying-the-owa-2010-url/
    • Create a SRV record on both the internal and external DNS
      Service: _autodiscover
      Protocol: _tcp
      Port Number: 443
      Host: mail.example.com
    • Run the following commands in the Exchange shell to configure the CAS and the virtual directories:
      Set-ClientAccessServer -Identity exchange -AutodiscoverServiceInternalUri https://mail.example.com/autodiscover/autodiscover.xml
      Set-WebServicesVirtualDirectory -Identity "exchange\EWS (Default Web Site)" -InternalUrl https://mail.example.com/ews/exchange.asmx
      Set-WebServicesVirtualDirectory -identity "exchange\EWS (Default Web Site)" -externalUrl https://mail.example.com/ews/exchange.asmx
      Set-OABVirtualDirectory -Identity "exchange\oab (Default Web Site)" -InternalUrl https://mail.example.com/oab
      Set-OabVirtualDirectory -identity "exchange\OAB (Default Web Site)" -externalurl https://mail.example.com/oab
      Set-OwaVirtualDirectory -Identity "exchange\owa (default Web site)" -internalurl https://mail.example.com/owa
      Set-OwaVirtualDirectory -Identity "exchange\owa (default Web site)" -externalurl https://mail.example.com/owa
      Set-EcpVirtualDirectory -Identity "exchange\ecp (default Web site)" -internalurl https://mail.example.com/ecp
      Set-EcpVirtualDirectory -Identity "exchange\ecp (default Web site)" -externalurl https://mail.example.com/ecp

    Regards,

    Jonas

    Friday, July 20, 2012 10:10 AM
  • Good summary there Jonas!

    Seems to me that you are super ready to enable Outlook Anywhere now :)


    Martina Miskovic

    Friday, July 20, 2012 10:23 AM
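
A check for the end state described in the summary post above, added here as an example and not part of the original thread: it lists the Autodiscover SCP URI and every internal/external virtual directory URL, and flags any host name that the certificate enabled for IIS does not cover. It uses only the Get-* cmdlets shown in the thread; the helper name Test-NameCoveredByCert is hypothetical, and it assumes the certificate with the IIS service assigned is the one clients are actually served.

```powershell
# Added example: run in the Exchange Management Shell on the CAS server.
# Written for PowerShell 2.0 (Exchange 2010 on Windows Server 2008 R2).

# Hypothetical helper: is $HostName one of the certificate names, or matched by a wildcard name?
function Test-NameCoveredByCert {
    param([string]$HostName, [string[]]$CertNames)
    foreach ($name in $CertNames) {
        if ($name -eq $HostName) { return $true }            # -eq is case-insensitive
        if ($name.StartsWith('*.')) {
            # A wildcard name covers exactly one additional left-most label.
            $suffix = $name.Substring(1)                      # e.g. ".example.com"
            $label  = $HostName.Length - $suffix.Length
            if ($label -gt 0 -and
                $HostName.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase) -and
                $HostName.Substring(0, $label) -notmatch '\.') { return $true }
        }
    }
    return $false
}

# Names on the certificate(s) that have the IIS service assigned.
$certNames = @(Get-ExchangeCertificate |
    Where-Object { "$($_.Services)" -match '\bIIS\b' } |
    ForEach-Object { $_.CertificateDomains } |
    ForEach-Object { "$_" })

# Every URL that Autodiscover hands to clients.
$configured = @(
    Get-ClientAccessServer | ForEach-Object {
        New-Object PSObject -Property @{
            Source  = "$($_.Identity)"
            Setting = 'AutoDiscoverServiceInternalUri'
            Url     = "$($_.AutoDiscoverServiceInternalUri)" }
    }
    foreach ($cmd in 'Get-WebServicesVirtualDirectory', 'Get-OabVirtualDirectory',
                     'Get-OwaVirtualDirectory', 'Get-EcpVirtualDirectory') {
        foreach ($vdir in (& $cmd)) {
            foreach ($prop in 'InternalUrl', 'ExternalUrl') {
                New-Object PSObject -Property @{
                    Source = "$($vdir.Identity)"; Setting = $prop; Url = "$($vdir.$prop)" }
            }
        }
    }
)

# Compare each configured host with the certificate names; empty URLs are skipped.
$report = $configured | Where-Object { $_.Url } | ForEach-Object {
    $hostName = ([uri]$_.Url).Host
    New-Object PSObject -Property @{
        Covered = (Test-NameCoveredByCert $hostName $certNames)
        Host    = $hostName
        Setting = $_.Setting
        Source  = $_.Source }
}

# Rows with Covered = False are the ones that produce certificate warnings in Outlook.
$report | Sort-Object Covered, Host | Format-Table Covered, Host, Setting, Source -AutoSize
```

With the values posted earlier in the thread, the OWA and ECP rows pointing at exchange.example.com would show Covered = False until they are changed to mail.example.com.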