Exchange 2007 Outlook Anywhere - Cannot resolve name

    Question

  • We have an internal server running Windows 2008 x64 + Exchange 2007. CAS server running Windows 2003 x64 + Exchange 2007. Self-signed certificate on the CAS server. OWA works fine. Trying to set up Outlook Anywhere and having issues.

    Installed RPC over HTTP on the CAS server and checked ValidPorts under HKLM\Software\Microsoft\RPC\RpcProxy

    NETBIOSINTERNALSERVER:6001-6002;NETBIOSINTERNALSERVER:6004;FQDNINTERNALSERVER:6001-6002;FQDNINTERNALSERVER:6004

    Exchange management console:
    Server Configuration, Client Access, CAS server, Outlook Anywhere
    External host name: FQDNCASSERVER
    Basic authentication

    2007 autodiscovery is not working (don't have a CNAME for autodiscovery.email-domain.com just yet) and manual set up is not working either.
    Outlook profile is configured like this:
    Exchange server: FQDNCASSERVER
    User name: the user name ;)
    Exchange proxy settings:
    Use this URL: FQDNCASSERVER
    Only connect to proxy servers: msstd:FQDNCASSERVER
    Fast networks unchecked
    Slow networks checked
    Basic Authentication

    I tried logging in with domain\user, FQDN of the CAS server\user, NETBIOS name of the CAS server\user with no luck on any.

    This is what is in the IIS logs on the CAS
    2009-08-01 04:01:44 W3SVC1 EXTERNAL_IP RPC_IN_DATA /rpc/rpcproxy.dll FQDNCASSERVER:6004 443 domain\user MY_IP MSRPC 200 0 0
    2009-08-01 04:01:44 W3SVC1 EXTERNAL_IP RPC_OUT_DATA /rpc/rpcproxy.dll FQDNCASSERVER:6004 443 domain\user MY_IP MSRPC 200 0 0
    2009-08-01 04:02:25 W3SVC1 EXTERNAL_IP RPC_IN_DATA /rpc/rpcproxy.dll FQDNCASSERVER:6004 443 FQDNCASSERVER\user MY_IP MSRPC 401 1 1326
    2009-08-01 04:02:25 W3SVC1 EXTERNAL_IP RPC_OUT_DATA /rpc/rpcproxy.dll FQDNCASSERVER:6004 443 FQDNCASSERVER\user MY_IP MSRPC 401 1 1326
    2009-08-01 04:02:31 W3SVC1 EXTERNAL_IP RPC_OUT_DATA /rpc/rpcproxy.dll FQDNCASSERVER:6004 443 domain\user MY_IP MSRPC 200 0 0
    2009-08-01 04:02:31 W3SVC1 EXTERNAL_IP RPC_IN_DATA /rpc/rpcproxy.dll FQDNCASSERVER:6004 443 domain\user MY_IP MSRPC 200 0 0
    2009-08-01 04:03:06 W3SVC1 EXTERNAL_IP RPC_IN_DATA /rpc/rpcproxy.dll FQDNCASSERVER:6004 443 NETBIOSNAMECAS\user MY_IP MSRPC 401 1 1326
    2009-08-01 04:03:06 W3SVC1 EXTERNAL_IP RPC_OUT_DATA /rpc/rpcproxy.dll FQDNCASSERVER:6004 443 NETBIOSNAMECAS\user MY_IP MSRPC 401 1 1326

    I'm sure it's something simple. I included everything I did, so if I am missing anything.....let me know. Any help is appreciated!
    Saturday, August 1, 2009 4:19 AM
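
Added example (not part of the original post): a Python sketch that parses the IIS lines quoted above and groups the RPC proxy requests by the account name IIS logged. It assumes the field order date, time, site, server IP, method, URI stem, URI query, port, username, client IP, user agent, status, substatus, Win32 status, which matches the quoted lines; the function names are illustrative.

```python
from collections import defaultdict

# Field order assumed from the quoted lines (W3C extended log format).
FIELDS = ("date", "time", "site", "s_ip", "method", "uri_stem", "uri_query",
          "s_port", "username", "c_ip", "user_agent",
          "sc_status", "sc_substatus", "sc_win32_status")
LOGON_FAILURE = 1326  # Win32 ERROR_LOGON_FAILURE: unknown user name or bad password

# The eight log lines from the post, placeholders unchanged (raw string keeps "\u" literal).
SAMPLE = r"""
2009-08-01 04:01:44 W3SVC1 EXTERNAL_IP RPC_IN_DATA /rpc/rpcproxy.dll FQDNCASSERVER:6004 443 domain\user MY_IP MSRPC 200 0 0
2009-08-01 04:01:44 W3SVC1 EXTERNAL_IP RPC_OUT_DATA /rpc/rpcproxy.dll FQDNCASSERVER:6004 443 domain\user MY_IP MSRPC 200 0 0
2009-08-01 04:02:25 W3SVC1 EXTERNAL_IP RPC_IN_DATA /rpc/rpcproxy.dll FQDNCASSERVER:6004 443 FQDNCASSERVER\user MY_IP MSRPC 401 1 1326
2009-08-01 04:02:25 W3SVC1 EXTERNAL_IP RPC_OUT_DATA /rpc/rpcproxy.dll FQDNCASSERVER:6004 443 FQDNCASSERVER\user MY_IP MSRPC 401 1 1326
2009-08-01 04:02:31 W3SVC1 EXTERNAL_IP RPC_OUT_DATA /rpc/rpcproxy.dll FQDNCASSERVER:6004 443 domain\user MY_IP MSRPC 200 0 0
2009-08-01 04:02:31 W3SVC1 EXTERNAL_IP RPC_IN_DATA /rpc/rpcproxy.dll FQDNCASSERVER:6004 443 domain\user MY_IP MSRPC 200 0 0
2009-08-01 04:03:06 W3SVC1 EXTERNAL_IP RPC_IN_DATA /rpc/rpcproxy.dll FQDNCASSERVER:6004 443 NETBIOSNAMECAS\user MY_IP MSRPC 401 1 1326
2009-08-01 04:03:06 W3SVC1 EXTERNAL_IP RPC_OUT_DATA /rpc/rpcproxy.dll FQDNCASSERVER:6004 443 NETBIOSNAMECAS\user MY_IP MSRPC 401 1 1326
"""

def parse_line(line):
    """Return a dict for one log line, or None for comments and malformed lines."""
    parts = line.split()
    if line.startswith("#") or len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    try:
        for key in FIELDS[-3:]:
            rec[key] = int(rec[key])
    except ValueError:
        return None
    return rec

def summarize(log_text):
    """Count accepted and rejected RPC proxy requests per logged account name."""
    summary = defaultdict(lambda: {"ok": 0, "denied": 0, "logon_failures": 0})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["uri_stem"].lower().endswith("/rpcproxy.dll"):
            continue
        entry = summary[rec["username"]]
        if rec["sc_status"] == 401:
            entry["denied"] += 1
            entry["logon_failures"] += rec["sc_win32_status"] == LOGON_FAILURE
        elif 200 <= rec["sc_status"] < 300:
            entry["ok"] += 1
    return dict(summary)

def never_authenticated(summary):
    """Account names that were only ever rejected by IIS."""
    return sorted(u for u, e in summary.items() if e["ok"] == 0 and e["denied"] > 0)

if __name__ == "__main__":
    print(never_authenticated(summarize(SAMPLE)))
```

On the quoted lines, the requests logged as domain\user return 200, while the two server-name prefixes are rejected with 401.1 and Win32 status 1326.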

All replies

  • Outlook Anywhere won't work with the self-signed cert that Exchange generates during install. Once you get a valid cert, you can test here with a test account:
    https://www.testexchangeconnectivity.com/


    Saturday, August 1, 2009 11:41 AM
  • Not using the cert that Exchange generated. I generated a self-signed cert that is used for OWA and is working fine for that and ActiveSync users. I still need a legit cert for that?

    Testing RPC/HTTP connectivity
         RPC/HTTP test failed
        Test Steps
        Attempting to Resolve the host name CASFQDN in DNS.
         Host successfully Resolved
        Additional Details
         IP(s) returned: CORRECTIP
        Testing TCP Port 443 on host CASFQDN to ensure it is listening/open.
         The port was opened successfully.
        Testing SSL Certificate for validity.
         The SSL Certificate failed one or more certificate validation checks.
        Test Steps
        
        Validating certificate name
         Successfully validated the certificate name
        Additional Details
         Found hostname CASFQDN in Certificate Subject Common name
        Validating certificate trust
         Certificate trust validation failed
        Additional Details
         Certificate chain could not be built. You may be missing required intermediate certificates.
    Saturday, August 1, 2009 2:40 PM
  • And the workstation trusts that certificate?
    Regardless, I highly recommend 3rd party certificates. GoDaddy and others have relatively cheap certs and will save you time and money on trying to get external clients and devices to successfully connect.
    Saturday, August 1, 2009 2:46 PM
  • The workstations do trust the self-signed certificate....at least on the OWA side of things. I swear I have seen people who use self-signed certs for Outlook Anywhere.
    Saturday, August 1, 2009 3:40 PM
  • It should work if the cert is in the trusted root of the workstation; however, the point is that all your external clients then have to add this to their devices and workstations, and every time you renew the cert you have to go through the same thing again, hence the recommendation by many and Microsoft to use a 3rd party certificate.
    Saturday, August 1, 2009 4:01 PM
  • So something else is amiss then. The machine I am testing this from has the certificate trusted and I don't get any errors when connecting to OWA.
    Saturday, August 1, 2009 4:14 PM
  • So, the current situation is that Outlook Anywhere can't work externally after we manually configured the Outlook settings.

    Quote: “I generated a self-signed cert”

    Where exactly does this certificate come from? Is the certificate from the internal Windows CA, issued by using the Windows Server Certificate Services? And does the machine for external testing trust the root CA?

    Unlike Microsoft Office Outlook Web Access and Exchange ActiveSync, the default self-signed certificate that is available in Exchange 2007 Setup will not work with Outlook 2007 and Outlook 2003 clients that are using Outlook Anywhere. Instead, you must use a valid SSL certificate that is created by a certification authority (CA) that is trusted by the client computer's operating system.

    Refer to <How to Configure SSL for Outlook Anywhere>

    Check info:

    1. Is there any error info when attempting to log in from the external machine?

    2. Please use “Get-ExchangeCertificate | fl” to retrieve the settings of the certificate that you used and post them here for analysis. You can change the sensitive names to others, but please define them.

    3. Please verify whether the root has been imported on the CAS server (Method 2 in KB 927465).

    4. Please configure Outlook Anywhere on the internal machine, and see if the issue still persists.

    Note: Select both fast and slow networks for using HTTPS at first.

    Monday, August 3, 2009 4:42 AM
  • get-exchangecertificate | fl *

    AccessRules          : {System.Security.AccessControl.CryptoKeyAccessRule, Syst
                          em.Security.AccessControl.CryptoKeyAccessRule}
    CertificateDomains   : {FQDN-OUTSIDECASE}
    CertificateRequest   :
    IisServices          : {IIS://INSIDENETBIOSNAME/W3SVC/1}
    IsSelfSigned         : False
    KeyIdentifier        : B4B100B05CF641ED5E048C54D77E4D802C57AEA8
    RootCAType           : Registry
    Services             : IMAP, POP, IIS
    Status               : Valid
    PrivateKeyExportable : True
    Archived             : False
    Extensions           : {System.Security.Cryptography.Oid, System.Security.Crypt
                          ography.Oid, System.Security.Cryptography.Oid, System.Se
                          curity.Cryptography.Oid, System.Security.Cryptography.Oi
                          d, System.Security.Cryptography.Oid, System.Security.Cry
                          ptography.Oid, System.Security.Cryptography.Oid}
    FriendlyName         : FQDN-OUTSIDECAS
    IssuerName           : System.Security.Cryptography.X509Certificates.X500Distin
                          guishedName
    NotAfter             : 6/15/2011 3:58:54 PM
    NotBefore            : 6/15/2009 3:58:54 PM
    HasPrivateKey        : True
    PrivateKey           : System.Security.Cryptography.RSACryptoServiceProvider
    PublicKey            : System.Security.Cryptography.X509Certificates.PublicKey
    RawData              : {48, 130, 5, 248, 48, 130, 4, 224, 160, 3, 2, 1, 2, 2, 1
                          0, 97...}
    SerialNumber         : 61780AC6000000000002
    SubjectName          : System.Security.Cryptography.X509Certificates.X500Distin
                          guishedName
    SignatureAlgorithm   : System.Security.Cryptography.Oid
    Thumbprint           : ADFBF2974D7052B2AB1FD8C4D22189E8946CB6D3
    Version              : 3
    Handle               : 469803472
    Issuer               : CN=FQDN-OUTSIDECAS, DC=XXX, DC=XXXXXXXX, DC=com
    Subject              : CN=FQDN-OUTSIDECAS, OU=IT, O=XXXXXX, L=XXXXXXXXX
                          , S=XX, C=US

    AccessRules          : {System.Security.AccessControl.CryptoKeyAccessRule, Syst
                          em.Security.AccessControl.CryptoKeyAccessRule}
    CertificateDomains   : {FQDN-OUTSIDECAS}
    CertificateRequest   :
    IisServices          : {}
    IsSelfSigned         : True
    KeyIdentifier        : 97C16EB67853C849BBF580B2E9639E3C2A612027
    RootCAType           : Registry
    Services             : IMAP, POP
    Status               : Valid
    PrivateKeyExportable : True
    Archived             : False
    Extensions           : {System.Security.Cryptography.Oid, System.Security.Crypt
                          ography.Oid, System.Security.Cryptography.Oid, System.Se
                          curity.Cryptography.Oid, System.Security.Cryptography.Oi
                          d, System.Security.Cryptography.Oid}
    FriendlyName         :
    IssuerName           : System.Security.Cryptography.X509Certificates.X500Distin
                          guishedName
    NotAfter             : 6/15/2019 4:04:24 PM
    NotBefore            : 6/15/2009 3:55:18 PM
    HasPrivateKey        : True
    PrivateKey           : System.Security.Cryptography.RSACryptoServiceProvider
    PublicKey            : System.Security.Cryptography.X509Certificates.PublicKey
    RawData              : {48, 130, 4, 218, 48, 130, 3, 194, 160, 3, 2, 1, 2, 2, 1
                          6, 33...}
    SerialNumber         : 21E98F470F9778B24B6D2B30914E32CA
    SubjectName          : System.Security.Cryptography.X509Certificates.X500Distin
                          guishedName
    SignatureAlgorithm   : System.Security.Cryptography.Oid
    Thumbprint           : 7F61E7F20D5049E43108F6742CF3632530B5ADD5
    Version              : 3
    Handle               : 469804896
    Issuer               : CN=FQDN-OUTSIDECAS, DC=XXX, DC=XXXXXXXX, DC=com
    Subject              : CN=FQDN-OUTSIDECAS, DC=XXX, DC=XXXXXXXX, DC=com

    AccessRules          : {System.Security.AccessControl.CryptoKeyAccessRule, Syst
                          em.Security.AccessControl.CryptoKeyAccessRule}
    CertificateDomains   : {INSIDENETBIOSNAME, FQDN-INSIDE}
    CertificateRequest   :
    IisServices          : {}
    IsSelfSigned         : True
    KeyIdentifier        : 305B58362DB2EEADC78CD7367358B4283E38CBD3
    RootCAType           : Unknown
    Services             : None
    Status               : Valid
    PrivateKeyExportable : False
    Archived             : False
    Extensions           : {System.Security.Cryptography.Oid, System.Security.Crypt
                          ography.Oid, System.Security.Cryptography.Oid, System.Se
                          curity.Cryptography.Oid}
    FriendlyName         : Microsoft Exchange
    IssuerName           : System.Security.Cryptography.X509Certificates.X500Distin
                          guishedName
    NotAfter             : 6/15/2010 2:12:59 PM
    NotBefore            : 6/15/2009 2:12:59 PM
    HasPrivateKey        : True
    PrivateKey           : System.Security.Cryptography.RSACryptoServiceProvider
    PublicKey            : System.Security.Cryptography.X509Certificates.PublicKey
    RawData              : {48, 130, 3, 1, 48, 130, 1, 233, 160, 3, 2, 1, 2, 2, 16,
                           43...}
    SerialNumber         : 2B899262875E06944F0E7A2ABDD39CCC
    SubjectName          : System.Security.Cryptography.X509Certificates.X500Distin
                          guishedName
    SignatureAlgorithm   : System.Security.Cryptography.Oid
    Thumbprint           : 590674811BEF7CE51DA0945DC8989463B5887DDA
    Version              : 3
    Handle               : 469803616
    Issuer               : CN=INSSIDENETBIOSNAME
    Subject              : CN=INSSIDENETBIOSNAME



    Get-OutlookAnywhere -Server INSIDENETBIOSNAME | fl *

    ServerName                 : INSIDENETBIOSNAME
    SSLOffloading              : False
    ExternalHostname           : FQDN-OUSIDE
    ClientAuthenticationMethod : Basic
    IISAuthenticationMethods   : {Basic}
    MetabasePath               : IIS://FQDN-OUSIDE/W3SVC/1/ROOT/Rpc
    Path                       : C:\WINDOWS\System32\RpcProxy
    Server                     : INSIDENETBIOSNAME
    AdminDisplayName           :
    ExchangeVersion            : 0.1 (8.0.535.0)
    Name                       : Rpc (Default Web Site)
    DistinguishedName          : CN=Rpc (Default Web Site),CN=HTTP,CN=Protocols,CN=
                                INSIDENETBIOSNAME,CN=Servers,CN=Exchange Administrative Group (F
                                YDIBOHF23SPDLT),CN=Administrative Groups,CN=XXXXXXXX
                                X,CN=Microsoft Exchange,CN=Services,CN=Configurati
                                on,DC=XXX,DC=XXXXXXX,DC=com
    Identity                   : INSIDENETBIOSNAME\Rpc (Default Web Site)
    Guid                       : 5ba0ea74-f909-4197-9f11-3b1a47fe4930
    ObjectCategory             : INSIDEDOMAINNAME/Configuration/Schema/ms-Exch-Rpc-
                                Http-Virtual-Directory
    ObjectClass                : {top, msExchVirtualDirectory, msExchRpcHttpVirtual
                                Directory}
    WhenChanged                : 7/31/2009 9:23:24 PM
    WhenCreated                : 7/31/2009 8:38:30 PM
    OriginatingServer          : FQDN-INSIDE-GC
    IsValid                    : True



    Test-OutlookWebServices user@emaildomain.com | fl

    Id      : 1003
    Type    : Information
    Message : About to test AutoDiscover with the e-mail address Test@EMAILDOMAIN.com .

    Id      : 1006
    Type    : Information
    Message : The Autodiscover service was contacted at https://FQDN-INSIDE-MAILBOXSERVER/autodiscover/autodiscover.xml.

    Id      : 1016
    Type    : Success
    Message : [EXCH]-Successfully contacted the AS service at https://FQDN-INSIDE-MAILBOXSERVER/EWS/Exchange.asmx. The elapsed time was 312 milliseconds.

    Id      : 1015
    Type    : Success
    Message : [EXCH]-Successfully contacted the OAB service at https://FQDN-INSIDE-MAILBOXSERVER/EWS/Exchange.asmx. The elapsed time was 0 milliseconds.

    Id      : 1014
    Type    : Success
    Message : [EXCH]-Successfully contacted the UM service at https://FQDN-INSIDE-MAILBOXSERVER/UnifiedMessaging/Service.asmx. The elapsed time was 937 milliseconds.

    Id      : 1016
    Type    : Information
    Message : [EXPR]-The AS is not configured for this user.

    Id      : 1015
    Type    : Information
    Message : [EXPR]-The OAB is not configured for this user.

    Id      : 1014
    Type    : Information
    Message : [EXPR]-The UM is not configured for this user.

    Id      : 1017
    Type    : Success
    Message : [EXPR]-Successfully contacted the RPC/HTTP service at https://FQDN-OUSIDE-CASSERVER/Rpc. The elapsed time was 187 milliseconds.

    Id      : 1006
    Type    : Success
    Message : The Autodiscover service was tested successfully.
    Monday, August 3, 2009 8:10 PM
  • I added a CNAME for autodiscover.emaildomain.com to point to my external CAS and I also got a legit cert from GoDaddy today and it seems to be working better. I was able to get a non-domain machine outside of the network to autoconfigure.

    Now my freaking iPhone won't connect! I deleted the account, restarted the phone and created a new Exchange account. It does the autodiscover (I guess) and comes back with the INTERNAL server name. There's no way to get to that internal mailbox from the outside. I put in the external server name and the account verification fails.

    One step forward, one step back.
    • Marked as answer by Alan.Gim Monday, August 10, 2009 1:31 AM
    Monday, August 3, 2009 10:30 PM
  • I assume that the certificate below is the one from GoDaddy.

    Thumbprint           : ADFBF2974D7052B2AB1FD8C4D22189E8946CB6D3

    Services             : IMAP, POP, IIS

    Please refer to the articles below to configure Autodiscover for ActiveSync

    Understanding Exchange ActiveSync Autodiscover

    How to Configure Exchange ActiveSync Autodiscover Settings

    And about the certificate, please see the article below

    Exchange 2007 lessons learned - generating a certificate with a 3rd party CA

    More on Exchange 2007 and certificates - with real world scenario

    Tuesday, August 4, 2009 1:54 AM
  • Any update on this case? I saw that you posted another thread; is that the same ActiveSync issue as here?

    Thursday, August 6, 2009 1:07 AM