Outlook Anywhere works for Win7 & Outlook 2010 but not XP & Outlook 2007 (Exchange 2010)

  • Question

  • Environment: Exchange Standard 2010 SP1 (Proper) running all 4 roles on a W2K8R2 server

     

    Internal DNS:

    · mail.voxmedica.net (A record)
    · webmail.voxmedica.net (CNAME)
    · autodiscover.voxmedica.net (CNAME)

    External DNS (internally this points to the same IP as the *.net records):

    · mail.voxmedica.com (A record)
    · webmail.voxmedica.com (CNAME)
    · autodiscover.voxmedica.com (CNAME)

    Certificate info

    Provider: GoDaddy
    Type: Standard Multiple Domain (UCC) SSL
    CN: voxmedica.com
    Subject Alt names:
    · Voxmedica.net
    · Mail.voxmedica.net
    · Autodiscover.voxmedica.net
    · Legacy.voxmedica.net
    · Mailgate.voxmedica.com
    · Legacy.voxmedica.com
    · Webmail.voxmedica.com
    · Autodiscover.voxmedica.com
    · Mail.voxmedica.com
    · Vpn.voxmedica.com
    · Iche.edu
    · legacy.iche.edu

     

    Internal autodiscover, OWA, Active Sync, OAB, & ECP URL: https://mail.voxmedica.net/owa

    External autodiscover, OWA, Active Sync, OAB, & ECP URL: https://webmail.voxmedica.com/owa

     

    Problem Description:

    Outlook Anywhere works fine when using Win 7 and Outlook 2010, but Windows XP and Outlook 2007 hang and never connect.

    Originally our Outlook Anywhere settings were:

    External host names: webmail.voxmedica.com

    Client Authentication: NTLM

    Server: webmail.voxmedica.com

    Cert Principal Name: NULL

    In troubleshooting we changed the Cert Principal Name to msstd:voxmedica.com, thinking that XP and Outlook 2007 were erroring on the Cert Name. Unfortunately it still hung, and this had the side effect of disabling NTLM on the Win 7 & Outlook 2010 clients.

    We then set the server to $Null, and that restored NTLM but didn't fix the XP & Outlook 2007 issues.

    We then tried to set external and internal SRV records for _autodiscover._tcp but that didn’t help either.

    Currently Win 7 and Outlook 2010 still work but give us a warning stating "Your account was redirected to this website for settings", that site being the very wrong https://webmail.voxmedica.com.voxmedica.com/autodiscover/autodiscover.xml

    At this point I’m at a loss as to what to try next in order to get XP and Outlook 2007 working with Outlook Anywhere. I’m also trying to get Outlook 2011 for Mac to work as well, but since that uses EWS I think I just need to set my external and internal URL to be the same.

    Any help trouble shooting would be greatly appreciated!

    Thursday, November 10, 2011 7:52 PM

Answers

  • With XP and Outlook Anywhere, webmail.voxmedica.com has to be the subject common name. webmail.voxmedica.com has to be repeated in the SAN list. See for instance Bharat Suneja below.

    With Windows 7, this is not a requirement. As to Outlook 2011, you can use different internal and external URLs for EWS. I had this configuration with Entourage 2008 EWS, but it often works more smoothly with a split DNS. Do also see William M. Smith's answer in the second link.

    Bharat Suneja: If the SSL client supports SANs (Subject Alternative Names) and there is a SAN extension in the server's certificate, then the client will ignore the subject common name entirely and try to match the server name to one of the names in the SAN list. (This is why you will always see the subject common name repeated in the SAN list.)

    Bharat Suneja: Which name should I use as Common Name for my UC certificate?
    http://exchangepedia.com/blog/2007/08/which-name-should-i-use-as-common-name.html

    William M. Smith: Ideally, if Autodiscover is configured correctly both inside and outside your company network then anyone moving between inside and outside will be automatically directed to the correct server and mail service will continue uninterrupted.

    William M. Smith's answer here
    Outlook 2011 URL Changing when in the network and out
    http://answers.microsoft.com/en-us/mac/forum/macoffice2011-macoutlook/outlook-2011-url-changing-when-in-the-network-and/c5a27d39-362d-4943-8f25-e55cbc972e26


    MCTS: Messaging | MCSE: S+M
    • Marked as answer by Vox Medica Tuesday, November 22, 2011 8:44 PM
    Monday, November 14, 2011 12:45 AM
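    The accepted answer turns on two different client behaviours: a SAN-aware client ignores the subject CN whenever a SAN extension is present, while the legacy Outlook Anywhere path described for XP/Outlook 2007 expects the CN itself to be the server name. The script below is an added example (it is not part of the thread and not a Microsoft tool) that models both behaviours over a certificate's CN and SAN dNSName list, plus the `msstd:` principal check, so the three facts that matter here can be audited side by side: does the SAN list cover the host, does the CN cover the host, and is the CN repeated in the SAN list. It is a name-matching model only, not a TLS validation (no chain, expiry or key checks); the certificate data is constructed from the names the original poster transcribed and from the "plain-vanilla" layout in the accepted answer.

```python
"""Model how a client matches a server name against a certificate's
Subject CN and Subject Alternative Names (dNSName entries).

Two behaviours are modelled, following the thread's accepted answer:
  * san_aware_match: if the cert has a SAN extension the CN is ignored
    and only SAN entries are consulted (modern clients).
  * cn_only_match:   the CN must match the name (the legacy Outlook
    Anywhere behaviour the answer attributes to XP / Outlook 2007).

This is an added example, not code from the thread. It models name
matching only and performs no real TLS validation.
"""
from dataclasses import dataclass, field


@dataclass
class CertNames:
    """Subject CN and SAN dNSName entries of a server certificate."""
    common_name: str
    san_dns: list = field(default_factory=list)


def _norm(name):
    """Normalise a DNS name: trim, drop a trailing dot, lower-case."""
    return name.strip().rstrip(".").lower()


def dns_name_matches(pattern, hostname):
    """Case-insensitive DNS match; a leading '*.' covers exactly one label."""
    pattern, hostname = _norm(pattern), _norm(hostname)
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        suffix = pattern.split(".")[1:]
        labels = hostname.split(".")
        return len(labels) == len(suffix) + 1 and labels[1:] == suffix
    return False


def san_aware_match(cert, hostname):
    """With a SAN extension present the CN is ignored entirely."""
    if cert.san_dns:
        return any(dns_name_matches(n, hostname) for n in cert.san_dns)
    return dns_name_matches(cert.common_name, hostname)


def cn_only_match(cert, hostname):
    """Legacy behaviour: the subject CN has to be the server name."""
    return dns_name_matches(cert.common_name, hostname)


def msstd_principal_matches(cert, principal):
    """Outlook Anywhere 'msstd:<name>' principal: <name> must equal the CN."""
    if not principal.lower().startswith("msstd:"):
        return False
    return _norm(principal[len("msstd:"):]) == _norm(cert.common_name)


def audit(cert, hostname, principal=None):
    """Report every check a practitioner would want for one Outlook Anywhere host."""
    return {
        "san_aware": san_aware_match(cert, hostname),
        "cn_only": cn_only_match(cert, hostname),
        "cn_repeated_in_san": any(_norm(n) == _norm(cert.common_name)
                                  for n in cert.san_dns),
        "principal_ok": msstd_principal_matches(cert, principal) if principal else None,
    }


# Constructed from the SAN list as the original poster transcribed it:
# CN is the bare domain and does not appear among the SAN entries.
POSTED_CERT = CertNames(
    common_name="voxmedica.com",
    san_dns=["voxmedica.net", "mail.voxmedica.net", "autodiscover.voxmedica.net",
             "legacy.voxmedica.net", "mailgate.voxmedica.com", "legacy.voxmedica.com",
             "webmail.voxmedica.com", "autodiscover.voxmedica.com", "mail.voxmedica.com",
             "vpn.voxmedica.com", "iche.edu", "legacy.iche.edu"],
)

# Constructed after the "plain-vanilla" layout in the accepted answer:
# CN is the Outlook Anywhere host and is repeated in the SAN list.
RECOMMENDED_CERT = CertNames(
    common_name="webmail.voxmedica.com",
    san_dns=["webmail.voxmedica.com", "autodiscover.voxmedica.com"],
)

if __name__ == "__main__":
    host = "webmail.voxmedica.com"
    print("posted:     ", audit(POSTED_CERT, host, "msstd:voxmedica.com"))
    print("recommended:", audit(RECOMMENDED_CERT, host, "msstd:webmail.voxmedica.com"))
```

    Run against the posted layout, the audit reports `san_aware` true but `cn_only` false and `cn_repeated_in_san` false, which is exactly the split the thread observes: Windows 7/Outlook 2010 connect, XP/Outlook 2007 do not, and setting `msstd:voxmedica.com` passes the principal check without making the CN cover the host. The recommended layout passes every check.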

All replies

  • Having the common name as the root of the domain is not something I really do as a rule. The root of the domain should be pointing at the public web site.

    Therefore first instinct would be to speak to GoDaddy about getting the certificate reissued with the common name as your preferred external name. Does the root of the domain resolve to Exchange? If not then that is probably not helping.

    Run a test account through EXRCA (http://exrca.com/) and see whether that flags anything up.

    Simon.


    Simon Butler, Exchange MVP
    Blog | Exchange Resources | In the UK? Hire Me.
    Thursday, November 10, 2011 9:48 PM
  • That's what I was thinking (Security Certificates are not my strong suit). I was working off the assumption that my SAN Certificate needed to have my root domain (voxmedica.com) as the Common Name and everything else would fall under it. Should I have made my CN my external URL for Exchange and put my root as one of the other domains that fell under it? But since you can change the Common Name Outlook Anywhere looks for, should it even matter?

    When I use the ExRCA to test Outlook Anywhere it works with just a warning about Root Certificates, and the first Autodiscover step fails (voxmedica.com) but all other Autodiscover steps pass (autodiscover.voxmedica.com, etc.)

    Analyzing the certificate chains for compatibility problems with versions of Windows.  Potential compatibility problems were identified with some versions of Windows.  

    Additional Details

     

    ExRCA can only validate the certificate chain using the Root Certificate Update functionality from Windows Update. Your certificate may not be trusted on Windows if the "Update Root Certificates" feature isn't enabled.

    Friday, November 11, 2011 2:44 AM
  • Generally, a certificate error may cause a repeated credentials prompt on the Outlook side when trying to connect via Outlook Anywhere, or just a disconnect without any error. Besides, Outlook hang-related issues are generally caused by third-party add-ins. So I suspect it is not caused by the certificate.

    Note that the autodiscover-related issue does not prevent Outlook from connecting to the Exchange server.

    I would suggest you run the test below for troubleshooting (I assume all your WinXP with Outlook 2007 encounter the same issue):

    1. Select a problematic client that is encountering the issue, start Outlook in your LAN and try to connect. Does Outlook hang?
    2. Try to connect internally, bypassing the firewall. To do this, change the local hosts file and point the proxy URL to the internal IP address of your proxy server. Then start Outlook via "Outlook.exe /rpcdiag", check to see if it is shown switching from HTTP to TCP/IP, and when it hangs.
    3. Change the Cert Principal Name to msstd:voxmedica.com and then try again to see if this works.
    4. Boot the affected client into Safe Mode with networking, and then try to connect internally via Outlook Anywhere to see if the issue continues.

    Hope it is helpful.

     


    Best Regards Fiona Liao E: v-fiolia@microsoft.com
    Friday, November 11, 2011 7:04 AM
    Moderator
  • You don't need to have the root of the domain in there at all, unless you have clients using the root for access to Exchange. Personally I never have the root pointing at anything private like OWA etc, even if the domain is specific to that task. The root and www are pointed at the public web site or a black hole.

    Simon.


    Simon Butler, Exchange MVP
    Blog | Exchange Resources | In the UK? Hire Me.
    Friday, November 11, 2011 2:42 PM
  • @ Sembee
    So the CN on my SAN Cert can be any domain I own as long as one of the Alternate Names matches what my external URLs are? Or is there some sort of rule as to what the CN should be?

    @Fiona_Liao
    I did run the /rpcdiag switch and on my XP/Outlook 2007 PC's they repeatedly go through the following connections

    Server Name             Type
    mail.voxmedica.net      Directory
    mail.voxmedica.net      Referral
    mail.voxmedica.net      Mail

    We have a segregated guest network (that's how I normally test external connectivity), but for kicks I did try forcing the hosts file as well. I did not try in Safe Mode though; I assume that was to stop Outlook from pulling down the settings for Outlook Anywhere?

    Our Win7/Outlook 2010 machines cycle through the same 3 connections but connect on them.

    Currently our msstd is set to voxmedica.com. Also I noticed that our XP machines generate the following System Log events:

    ____________________________________________

    Event Type:Warning
    Event Category:SPNEGO (Negotiator)
    Event ID: 40960
    Date:11/11/2011
    Time:6:33:04 PM
    User:N/A
    Computer:HPL001
    Description:
    The Security System detected an attempted downgrade attack for server HTTP/mail.voxmedica.com.The failure code from authentication protocol Kerberos was "There are currently no logon servers available to service the logon request. (0xc000005e)".

    ____________________________________________

    Event Type:Warning
    Event Source:LSASRV
    Event Category:SPNEGO (Negotiator)
    Event ID: 40961
    Date:11/11/2011
    Time:6:33:04 PM
    User:N/A
    Computer:HPL001
    Description:
    The Security System could not establish a secured connection with the server HTTP/mail.voxmedica.com.No authentication protocol was available.

    ____________________________________________

    Saturday, November 12, 2011 12:38 AM
  • From the above, it seems that the Kerberos authentication has failed. You can refer to the following articles:

     

    http://support.microsoft.com/default.aspx?scid=kb;EN-US;931192

    http://support.microsoft.com/?id=885887

     

    Meanwhile, here are the plans for you:

     

    1. Set Outlook to use NTLM instead of Kerberos to have a try.

    2. Submit a new thread in the AD forum to see whether there is a Kerberos authentication issue.

    3. Check the settings of Outlook Anywhere to see whether the authentication is using Basic authentication.

     

    Hope it is helpful.  


    Best Regards Fiona Liao E: v-fiolia@microsoft.com
    Monday, November 14, 2011 11:00 AM
    Moderator
  • In addition, it should be the same as your external proxy address, mail.voxmedica.com. So take a try. Thanks.


    Best Regards Fiona Liao E: v-fiolia@microsoft.com
    Monday, November 14, 2011 11:03 AM
    Moderator
  • @Jon-Alfred
    Thanks for the info! As for EWS and Outlook 2011, it looks like I wasn't waiting around long enough. Autodiscover does kick in externally and pulls down the External EWS URL, but only after a few minutes (if Outlook 2011 was closed then re-opened it would switch in about a minute). Since we own the domain name we use internally (voxmedica.net), I just created the proper A records for mail, webmail, and autodiscover and had them point to the same IPs as our external domain (voxmedica.com).

    As for the SAN Cert, does this mean that XP can only work with the CN of the SAN and not any of the names in the SAN list? Also, I don't have my CN in my SAN list. So I'm assuming that in order to support Outlook Anywhere (or any other Exchange service requiring a cert) for any client I should change my CN to my external URL for all Exchange services and include it in the SAN list as well?


     

    @Fiona_Liao

    Thanks for the further suggestions; I think these errors probably stem from my malformed SAN cert. So once I get confirmation from Jon-Alfred about the correct way to configure my SAN cert I’ll know for sure!

    Monday, November 14, 2011 7:20 PM
  • Sorry for the confusion, let me explain it in detail:

     

    By default, the value of the Principal attribute represents the common name (CN) of the certificate, and it appears next to Issued to on the certificate object.

     

    If the common name of the certificate does not match the URL that Analyzer used to access the resource, the tool issues a Certificate Principal Mismatch warning message. This means that users may not be able to connect to their mailboxes by using Microsoft Office Outlook® Web Access for Microsoft Exchange Server 2003, for Outlook Anywhere for Exchange Server 2007, for Exchange Server ActiveSync, or for RPC over HTTP.

     

    In this scenario, users may repeatedly be prompted for credentials when they try to connect to Exchange.

     

    That’s why we recommend the Principal name should be the same as the external URL domain name.

     

    Refer to:

    Certificate Principal Mismatch

    http://technet.microsoft.com/en-us/library/aa998424(EXCHG.80).aspx


    Best Regards Fiona Liao E: v-fiolia@microsoft.com

    Tuesday, November 15, 2011 2:29 AM
    Moderator
  • Just in order to explain this with a plain-vanilla configuration. This cert has 4 SANs:

    webmail.voxmedica.com is the subject name, issued to

    SAN list
    webmail.voxmedica.com (subject repeated)
    autodiscover.voxmedica.com for Autodiscover
    excas-1.voxmedia.net first internal CAS server
    excas-2.voxmedia.net first internal CAS server

    All Exchange services use webmail.voxmedica.com internally and externally (split DNS). This here works with XP and Outlook 2007. This does also work better with Outlook 2011 and mobile devices.

    excas-1.voxmedia.net is used for re-encrypting payload through ISA/TMG or SSL offloading on your load balancer.


    MCTS: Messaging | MCSE: S+M
    Tuesday, November 15, 2011 8:20 AM
  • Just to point out - if the certificate is from GoDaddy then they put the common name as one of the additional names.
    I have been racking my brains throughout this thread wondering why I haven't seen this issue with the common name and the SAN, and that will be why!

    Simon.


    Simon Butler, Exchange MVP
    Blog | Exchange Resources | In the UK? Hire Me.
    Tuesday, November 15, 2011 1:40 PM
  • Any update?
    Best Regards Fiona Liao E: v-fiolia@microsoft.com
    Wednesday, November 16, 2011 6:31 AM
    Moderator
  • @ Everyone

    Thanks for all the suggestions! I feel confident that my issue is due to my improperly configured SAN cert. I plan to schedule maintenance this weekend to re-key my SAN cert so I'm not impacting webmail usage during the day. I'll report back and award points once I complete and test the re-key.

    Wednesday, November 16, 2011 3:17 PM
  • So when I went to change the Common Name (CN) on my GoDaddy SAN certificate I realized that I would need to revoke the certificate and buy a new one. So unfortunately at this time I cannot change the CN on my SAN certificate. Though I did find out that GoDaddy does put the CN at the top of the SAN list, even though it's not listed on GoDaddy's SSL Certificate web panel.

    I have seen in other forum posts that as long as the MSSTD is set to the CN, XP & Outlook 2007 will work with Outlook Anywhere. In my environment that doesn’t seem to be the case. What I’m wondering is if it is possible to get a single site SSL cert for the external domain I’m using for Outlook Anywhere and continue to use the SAN Cert for all my other domains (we have 4 separate domain names so I have a mail, autodiscover, and legacy domain for each).

    Monday, November 21, 2011 5:28 PM
  • Hi,

    Thanks for your update.

    An Exchange server can have multiple certificates installed, but only one certificate can be bound to a service. For example, certificate1 is bound to the IIS service and a second certificate is bound to the SMTP service.

    Both Outlook Anywhere and Autodiscover are web-based services belonging to the IIS service (when we install a certificate). So you cannot add a single-site SSL cert for Outlook Anywhere while using another SAN cert for the internal Autodiscover service.


    Best Regards Fiona Liao E: v-fiolia@microsoft.com
    Tuesday, November 22, 2011 1:46 AM
    Moderator
  • We finally got around to revoking our current SAN certificate and created a new one with the external address of our CAS as the CN. Once applied, Outlook Anywhere worked for our XP clients. Thanks to everyone for the help!
    Wednesday, February 8, 2012 6:42 PM