Exchange 2010 problem with OAB after changing https binding

  • Question

  • Please help!

    I changed the port binding for https connections on an Exchange 2010 server; I need this to access the server from the Internet via a reverse proxy on squid. After the change I noticed that new mailbox users do not appear in the Global contact list in Outlook clients. From OWA I can see those new users in the address book, and I can also see those users from Outlook clients which access the server's address book directly.

    When I try to sync the Outlook client with the OAB manually I get an error "(0x8004010F) cann't find object", and I also notice that during the sync the client tries to establish an https connection with the Exchange server on port 443.

    Any suggestions on how to solve this situation?

    Monday, October 17, 2011 12:44 PM

All replies

  • Hi,

    My suggestion would be to revert the changes you made and then perform the following for your reverse proxy requirements:

    Add a new IP address to the Exchange server

    Create a new site that listens on the new IP address

    Add the required virtual directories to this new site

    Leif

    Monday, October 17, 2011 1:20 PM
  • Thank you for your reply Leif!

    I will be able to try what you suggested in a couple of weeks, as currently some of our top managers are on a trip, so I do not want to change the network setup of the working server.

    However, I found out why the client still tries to connect to port 443. It seems that it tries to get Autodiscovery settings, and the binding information for that is located in the serviceBindingInformation attribute in Sites and Services:

    Services>Microsoft Exchange> Organization name> Administrative group>Exchange administrative group>Servers>Servername>Protocols>Autodiscover>Servername

    I changed the value of the serviceBindingInformation attribute to include the needed port number. So now when I try to sync the OAB on the client I can see that the client connects to the needed port on Exchange; however, synchronization still fails with the same error as I wrote above, and in the logs on the Exchange server I can see the following errors:

    Event id: 36888

    Source: Schannel

    Description:

    The following fatal alert was generated: 10. The internal error state is 1203.

    I tried to reboot the server, nothing changed. Everything on Exchange works as before, just the OAB does not sync with the client. On the Exchange server itself I see logs that MSExchangeFDS.exe synchronized OABs successfully.

    Any thoughts? Maybe there are some parameters inside Autodiscovery that should tell the clients about the new https bindings?

    Tuesday, October 18, 2011 6:00 AM
  • I managed to solve my problem by reconfiguring the Autodiscover service to work via HTTP instead of an HTTPS connection (can't understand why there seemed to be a problem with SSL negotiation which prevented the service from working properly). So now the OAB is syncing fine on all clients.

    Can anyone tell me what the drawback of such a solution is?

    As I do not understand why the Autodiscover service should be SSL protected and allow only HTTPS connections.

    Tuesday, October 18, 2011 6:48 PM
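
    One way to see which scheme and port Outlook is being told to use is to inspect the URLs in an Autodiscover response. The script below is an added example, not part of the original thread; the sample response, the host name mail.example.com, the all-zero OAB GUID and port 8443 are constructed placeholders, and `audit` is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Namespace of the Outlook Autodiscover response body.
NS = {"a": "http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a"}

# Constructed sample response; host, port and OAB GUID are placeholders.
SAMPLE = """<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
  <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
    <Account>
      <Protocol>
        <Type>EXCH</Type>
        <EwsUrl>https://mail.example.com:8443/EWS/Exchange.asmx</EwsUrl>
        <OABUrl>https://mail.example.com/OAB/00000000-0000-0000-0000-000000000000/</OABUrl>
      </Protocol>
      <Protocol>
        <Type>EXPR</Type>
        <OABUrl>http://mail.example.com:8443/OAB/00000000-0000-0000-0000-000000000000/</OABUrl>
      </Protocol>
    </Account>
  </Response>
</Autodiscover>"""


def audit(xml_text, expected_port):
    """Return (protocol, element, issue) for every service URL that is not
    HTTPS or that points at a port other than the one IIS is bound to."""
    findings = []
    root = ET.fromstring(xml_text)
    for proto in root.iterfind(".//a:Protocol", NS):
        ptype = proto.findtext("a:Type", default="?", namespaces=NS)
        for el in proto:
            name = el.tag.split("}", 1)[-1]          # strip the XML namespace
            text = (el.text or "").strip()
            if not name.endswith("Url") or not text:
                continue
            url = urlsplit(text)
            # A URL with no explicit port uses the scheme default.
            port = url.port or (443 if url.scheme == "https" else 80)
            if url.scheme != "https":
                findings.append((ptype, name, "plaintext"))   # sent unencrypted
            elif port != expected_port:
                findings.append((ptype, name, "port %d" % port))
    return findings


if __name__ == "__main__":
    for ptype, name, issue in audit(SAMPLE, expected_port=8443):
        print(ptype, name, issue)
```

    A URL reported with a port other than the moved HTTPS binding is one the client will still try on the old port; a URL reported as plaintext is one the client will fetch without TLS.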
  • CAS provides services for both internal and external users. To protect the data, SSL is required. So as an overall deployment, all web-based service URLs start with https.

    We may use HTTP Referral; it allows us to redirect the client to another URL for Autodiscover. Refer to:

    http://blogs.technet.com/b/exchange/archive/2007/04/30/3402138.aspx


    Fiona
    • Proposed as answer by Fiona_Liao Wednesday, October 19, 2011 4:09 AM
    • Marked as answer by Fiona_Liao Monday, October 24, 2011 9:27 AM
    Wednesday, October 19, 2011 4:09 AM
  • Thank you Fiona! I found the link you provided quite useful. I think I understand now why I had SSL related problems connecting to the Autodiscover service which was running on a port different than 443. Probably the servername:portnumber should be included in the certificate Subject Name to match the URL. I'll give it a try.
    Wednesday, October 19, 2011 6:42 AM
  • My pleasure :)

    I assume the question is resolved. Let me know if you have any questions on this thread.


    Fiona
    Monday, October 24, 2011 9:28 AM
  • Yes, the question is resolved. Thank you! ))

    Monday, October 24, 2011 11:34 AM