Cannot access Exchange Directory via Outlook Anywhere

  • Question

  • On Exchange 2007 SP3, clients using Outlook cannot set up mailboxes when they are outside the company network. Autodiscover works correctly, but during the first run of Outlook the mailbox cannot be found in the global catalog.

    However, when the VPN is connected, the mailbox can be set up and used later without a VPN connection.

    So far I discovered that NSPI Proxy (ports 6001-6002, 6004) is configured and I can connect to them on both the Exchange server and the domain controller.

    I've checked IIS logs and there are access denied errors on rpcproxy:

    2013-04-09 19:56:01 10.0.1.4 RPC_IN_DATA /rpc/rpcproxy.dll EXCHANGE:6004 443 - 195.93.143.155 MSRPC 401 1 2148074254 31
    2013-04-09 19:56:02 10.0.1.4 RPC_OUT_DATA /rpc/rpcproxy.dll EXCHANGE:6004 443 - 195.93.143.155 MSRPC 401 1 2148074254 109

    RPC ping also shows problems with authorization:

    rpcping.exe -t ncacn_http -o RPCProxy=mail.domain.com -P "user,domain,password" -H 2 -a connect -u 10 -v 3 -s exchange.domain.local -l "user,domain,password" -e 6004
    RPCPing v2.12. Copyright (C) Microsoft Corporation, 2002
    OS Version is: 6.2

    Exception 5 (0x00000005)
    Number of records is: 3
    ProcessID is 2072
    System Time is: 4/9/2013 20:12:45:927
    Generating component is 14
    Status is 5
    Detection location is 1392
    Flags is 0
    NumberOfParameters is 2
    Long val: 5
    Long val: 0
    ProcessID is 2072
    System Time is: 4/9/2013 20:12:45:926
    Generating component is 13
    Status is 5
    Detection location is 1427
    Flags is 0
    NumberOfParameters is 1
    Long val: 403
    ProcessID is 2072
    System Time is: 4/9/2013 20:12:45:926
    Generating component is 13
    Status is 403
    Detection location is 1417
    Flags is 0
    NumberOfParameters is 1
    Unicode string: Forbidden

    IIS site uses NTLM authentication, kernel-mode authentication is disabled.

    What else should I check to resolve that issue?

    I can't use testexchangeconnectivity.com because the certificate is signed by an internal CA.


    Kuba Siatkowski

    Tuesday, April 9, 2013 8:57 PM
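The two IIS log lines quoted in the question, run through a small triage script. This is an added example, not part of the original thread: the field order is assumed to be the IIS 7 default W3C set (the log's `#Fields` header is not shown on the page), and the `192.0.2.10` lines and the `CONTOSO\jdoe` user are constructed.

```python
from collections import namedtuple

# Assumed field order (IIS 7 default W3C set); the page omits the #Fields header.
FIELDS = ("date time s_ip method uri_stem uri_query s_port username c_ip "
          "user_agent status substatus win32_status time_taken").split()
Entry = namedtuple("Entry", FIELDS)

# Codes relevant to authentication failures (sc-win32-status is logged in decimal).
WIN32_NAMES = {
    0x00000005: "ERROR_ACCESS_DENIED",
    0x8009030C: "SEC_E_LOGON_DENIED",
    0x8009030E: "SEC_E_NO_CREDENTIALS",
}

def parse_line(line):
    """Parse one W3C log line; return None for directives or unexpected shapes."""
    parts = line.split()
    if line.startswith("#") or len(parts) != len(FIELDS):
        return None
    return Entry(*parts)

def decode_win32(value):
    code = int(value) & 0xFFFFFFFF
    return "0x%08X %s" % (code, WIN32_NAMES.get(code, "(unknown)"))

def unresolved_auth_failures(lines):
    """401s on rpcproxy.dll with no later authenticated 2xx for the same client,
    method and endpoint. An NTLM handshake also logs 401s before the
    authenticated request, so a lone 401 is not counted as a failure."""
    entries = [e for e in map(parse_line, lines) if e]
    findings = []
    for i, e in enumerate(entries):
        if e.status != "401" or not e.uri_stem.lower().endswith("rpcproxy.dll"):
            continue
        key = (e.c_ip, e.method, e.uri_query)
        resolved = any(n.status.startswith("2") and n.username != "-"
                       and (n.c_ip, n.method, n.uri_query) == key
                       for n in entries[i + 1:])
        if not resolved:
            findings.append((e.method, e.uri_query, "401." + e.substatus,
                             decode_win32(e.win32_status)))
    return findings

SAMPLE = [  # first two lines are from the question; the last two are constructed
    "2013-04-09 19:56:01 10.0.1.4 RPC_IN_DATA /rpc/rpcproxy.dll EXCHANGE:6004 443 - 195.93.143.155 MSRPC 401 1 2148074254 31",
    "2013-04-09 19:56:02 10.0.1.4 RPC_OUT_DATA /rpc/rpcproxy.dll EXCHANGE:6004 443 - 195.93.143.155 MSRPC 401 1 2148074254 109",
    "2013-04-09 19:57:10 10.0.1.4 RPC_IN_DATA /rpc/rpcproxy.dll EXCHANGE:6001 443 - 192.0.2.10 MSRPC 401 1 2148074254 15",
    "2013-04-09 19:57:10 10.0.1.4 RPC_IN_DATA /rpc/rpcproxy.dll EXCHANGE:6001 443 CONTOSO\\jdoe 192.0.2.10 MSRPC 200 0 0 46",
]
```

On this sample, `unresolved_auth_failures(SAMPLE)` reports only the two port 6004 requests from the question, each as 401.1 with `0x8009030E SEC_E_NO_CREDENTIALS`; the constructed port 6001 request is dropped because an authenticated 200 follows it.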

All replies

  • Hello,

    If you use Outlook Anywhere to access your mailboxes, you must use a valid SSL certificate from a CA that the client trusts or a third-party certificate, and the certificate must be a SAN certificate.

    You should use basic authentication for Outlook Anywhere.

    You also need to create a record for autodiscover on the public DNS server.


    Cara Chen
    TechNet Community Support

    Wednesday, April 10, 2013 7:23 AM
    Moderator
  • Hello,
    I have a SAN certificate from a CA trusted by clients. Autodiscovery is configured with public DNS and can be accessed from the Internet. All autodiscovery tests at testexchangeconnectivity.com are successful and Outlook clients can find the Exchange server (but can't connect to the directory), so I hope that autodiscovery is configured correctly.

    Why should I use basic auth for Outlook Anywhere? I've found a lot of official configuration examples where NTLM is used.


    Kuba Siatkowski

    Wednesday, April 10, 2013 8:53 AM
  • Did you find a solution to your problem? We are experiencing the exact same behavior!

    Thanks,

    Brandon

    Monday, May 6, 2013 10:26 PM
  • I know it's been ages since you asked and it's probably not valid anymore; however, it might be useful for others.

    DSproxy was misconfigured on domain controllers. After configuring it according to this article http://blogs.technet.com/b/exchange/archive/2008/06/20/3405633.aspx it started to work. However, keep in mind to test it using an Outlook client rather than https://testconnectivity.microsoft.com/. The web tool failed for me for some reason (can't remember why now).


    Kuba Siatkowski

    Wednesday, May 20, 2015 9:54 AM