Exchange 2007 and CAS from Exchange 2010 problem

  • Question

  • Hello,  we have Exchange 2007.  Now I installed CAS 2010.  When I try to use CAS 2010 to connect using OWA, it works internally.  When I try to login when I am outside of the firewall, it prompts me to login.  After I entered user name and password, it goes to https://externaldomainname/owa/auth.owa and gives me "page cannot be found" error.

    I am working with Microsoft for about a month now and nothing.

    Anyone has any ideas?  I changed DNS (obviously it is correct because I see 2010 OWA login page), changed Firewall and nothing.  I worked with Firewall support and they told me that packets are forwarded to the CAS 2010 server but nothing coming back.

    Anyone?
    Thank you.

    Tuesday, November 30, 2010 4:20 PM

All replies

  • Hi,

    If you are accessing Exchange 2007 mailbox through Exchange 2010 CAS then your OWA URL will be redirected to Exchange 2007 CAS server.

    For e.g.: If mailbox on Ex2k7MBX and accessing through Ex 2010 CAS server https://Ex2010CAS.domain.com/owa after login credential your OWA URL will be redirected to Ex 2007 CAS server https://Ex2007CAS.domain.com/owa.

    - Mitesh Gosar| Skype:Mitesh.Gosar

    Tuesday, November 30, 2010 5:36 PM
  • What kind of firewall is in place? What are your ExternalURL values for the 2007CAS servers set to? What Auth type are the OWA vDirs for CAS2007? Is it Exchange 2010 SP1 RU1, or some older version?
    Microsoft Premier Field Engineer, Exchange
    MCSA 2000/2003, CCNA
    MCITP: Enterprise Messaging Administrator 2010
    Former Microsoft MVP, Exchange Server
    My posts are provided “AS IS” with no guarantees, no warranties, and they confer no rights.
    Tuesday, November 30, 2010 5:51 PM
  • I will try to answer. 

    Yes, it redirects to Exchange 2007 CAS server.  When I login internally, I can see that URL changes to internal Exchange 2007 CAS server.

    We use SonicWall 4060 Pro Enhanced.  I worked with support and they are telling me that everything works correct.  I have an entry on the firewall for CAS server.  All I had to do is to change IP address for that entry.

    ExternalURL for 2007 CAS server is empty and it is setup to Integrated Windows Authentication.  2010 CAS server has external URL https://externalurl/owa and it is setup to use form-based authentication.

    Version for Exchange 2010 is 14.00.0702.000.

    I am working with Microsoft for about a month now.  The guy is telling me that everything is setup correctly.

    Any ideas?

    Thank you.

    Tuesday, November 30, 2010 6:20 PM
  • Are you trying to force a Proxy to happen instead of a normal single-sign-on redirection to a legacy URL?
    Microsoft Premier Field Engineer, Exchange
    MCSA 2000/2003, CCNA
    MCITP: Enterprise Messaging Administrator 2010
    Former Microsoft MVP, Exchange Server
    My posts are provided “AS IS” with no guarantees, no warranties, and they confer no rights.
    Tuesday, November 30, 2010 6:23 PM
  • No, we do not use proxy.

    Thank you.

    Tuesday, November 30, 2010 6:26 PM
  • Maybe I did not answer it right.  We do not use proxy on the firewall, if this is what you are asking about.

    Thank you.

    Tuesday, November 30, 2010 6:39 PM
  • You need to specify External URL for Exchange 2007 CAS and from firewall also need to allow Ex2007 External URL.

    CAS-CAS proxy did not work with different version of CAS.

     - Mitesh Gosar| Skype:Mitesh.Gosar

    • Proposed as answer by Mitesh Gosar Tuesday, November 30, 2010 10:23 PM
    Tuesday, November 30, 2010 6:41 PM
  • Does it mean I have to start using another public IP address and have the second CAS entry?

    Thank you.

    Tuesday, November 30, 2010 6:43 PM
  • You can use same public IP for Ex2007 OWA URL.

    - Mitesh Gosar| Skype:Mitesh.Gosar

    Tuesday, November 30, 2010 6:53 PM
  • May I suggest giving this article a read through? It describes proxying and redirection in Exchange 2010 depending on what server the user's mailbox is still located on.

    http://technet.microsoft.com/en-us/library/bb310763.aspx


    Microsoft Premier Field Engineer, Exchange
    MCSA 2000/2003, CCNA
    MCITP: Enterprise Messaging Administrator 2010
    Former Microsoft MVP, Exchange Server
    My posts are provided “AS IS” with no guarantees, no warranties, and they confer no rights.
    Tuesday, November 30, 2010 6:59 PM
  • I will try it.  Thank you.
    Tuesday, November 30, 2010 8:11 PM
  • It works.  Thank you for your help.  One more problem.

    ActiveSync does not work now.  Any ideas how to fix it.  I did not test it before.  Was busy with OWA.

    I changed External URL setting on the ActiveSync 2007.  What else should I do?

    Thank you.

    Tuesday, November 30, 2010 9:31 PM
  • What kind of devices?

    Try the ActiveSync tests on http://www.testexchangeconnectivity.com

     Make sure whatever users aren't working have security inheritance enabled in AD on their account.


    Microsoft Premier Field Engineer, Exchange
    MCSA 2000/2003, CCNA
    MCITP: Enterprise Messaging Administrator 2010
    Former Microsoft MVP, Exchange Server
    My posts are provided “AS IS” with no guarantees, no warranties, and they confer no rights.
    Tuesday, November 30, 2010 9:40 PM
  • Thank you for your reply.  I tested and it shows that everything is OK but it does not forward to Exchange 2007 server. It shows that everything is OK and shows IP for Exchange 2010.

    How to enable inheritance in AD?

    Thank you.

    Tuesday, November 30, 2010 9:54 PM
  • I rerun the test again and it seems that it works for older server.  Not sure why would not it work for my phone?

    Thank you.

    Tuesday, November 30, 2010 9:58 PM
  • What kind of device is it?

    Is your user account with the mailbox a member of anything like Domain Admins, Enterprise Admins, etc....?


    Microsoft Premier Field Engineer, Exchange
    MCSA 2000/2003, CCNA
    MCITP: Enterprise Messaging Administrator 2010
    Former Microsoft MVP, Exchange Server
    My posts are provided “AS IS” with no guarantees, no warranties, and they confer no rights.
    Tuesday, November 30, 2010 10:00 PM
  • Domain Users.
    Tuesday, November 30, 2010 10:11 PM
  • .....and the device type? This is really important, I wouldn't ask 3 times just for fun. :) :)
    Microsoft Premier Field Engineer, Exchange
    MCSA 2000/2003, CCNA
    MCITP: Enterprise Messaging Administrator 2010
    Former Microsoft MVP, Exchange Server
    My posts are provided “AS IS” with no guarantees, no warranties, and they confer no rights.
    Tuesday, November 30, 2010 10:14 PM
  • Sorry, I missed it.  I use Verizon's Droid.
    Tuesday, November 30, 2010 10:24 PM
  • You need to specify External URL on Ex2007 ActiveSync and set Integrated Windows authentication on Ex2007 ActiveSync Virtual directory.

    - Mitesh Gosar | Skype:Mitesh.Gosar

    Tuesday, November 30, 2010 10:40 PM
  • Ok thanks. :) There are known issues with Droids connecting to Exchange 2010; what version of the Android OS is it running? It seemed most prevalent in 2.1, but I've also seen issues reported with 2.2 as well.

    Do you currently have an ActiveSync policy that requires anything like complex passwords, password history? I ask because of this post;

    http://code.google.com/p/android/issues/detail?id=9426 "We only support the basic (EAS 2.5) features in Froyo.  So if your server requires, for example, password history or expiration, or complex characters, then it won't be provisionable in Froyo.  Our goal is to provide more policy support in future versions, but for now we support - password (PIN/alpha), minimum characters, max. fails to wipe, inactivity timeout, an remote wipe."

    While I cannot advocate any particular 3rd party software package, Motorola device users may want to check out this post if 2.2 isn't available for your device yet; https://supportforums.motorola.com/message/203103#203103

    First make sure your account has security inheritance enabled. In Active Directory Users and Computers turn on "Advanced Features" under the View menu. Then go to the properties of your account, go to the security tab, click the Advanced button, and make sure the Inheritance checkbox is turned on. Once you make sure this is turned on, if things still aren't working you may want to contact your device manufacturer or cell provider to find out if there are any updates for your device.

    Do you have any non-Droid devices you can test with? If the www.testexchangeconnectivity.com site works with your user account then it is probably a device related issue.


    Microsoft Premier Field Engineer, Exchange
    MCSA 2000/2003, CCNA
    MCITP: Enterprise Messaging Administrator 2010
    Former Microsoft MVP, Exchange Server
    My posts are provided “AS IS” with no guarantees, no warranties, and they confer no rights.
    • Proposed as answer by Allen Song Friday, December 3, 2010 9:26 AM
    • Marked as answer by Allen Song Monday, December 6, 2010 3:30 AM
    Tuesday, November 30, 2010 10:49 PM
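
A scripted version of the inheritance check described in the answer above, as an added example that is not part of the original thread. It assumes the ActiveDirectory PowerShell module is available; the function names are hypothetical.

```powershell
# Added example; function names are hypothetical. Needs the ActiveDirectory
# module (RSAT) and rights to read/write nTSecurityDescriptor.
Import-Module ActiveDirectory

function Get-InheritanceBlockedMailboxUser {
    # Mailbox-enabled (homeMDB set), enabled users whose ACL blocks inheritance.
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)

    Get-ADUser -LDAPFilter '(homeMDB=*)' -SearchBase $SearchBase `
               -Properties nTSecurityDescriptor, adminCount |
        Where-Object { $_.Enabled -and $_.nTSecurityDescriptor.AreAccessRulesProtected } |
        Select-Object SamAccountName, adminCount, DistinguishedName
}

function Enable-AclInheritance {
    # Equivalent of ticking the inheritance checkbox on the Advanced security dialog.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)]
          [string]$DistinguishedName)
    process {
        $path = "AD:\$DistinguishedName"
        $acl  = Get-Acl -Path $path
        if (-not $acl.AreAccessRulesProtected) { return }   # already inheriting
        if ($PSCmdlet.ShouldProcess($DistinguishedName, 'Enable ACL inheritance')) {
            $acl.SetAccessRuleProtection($false, $true)
            Set-Acl -Path $path -AclObject $acl
        }
    }
}

# Report first; adminCount = 1 marks accounts stamped by AdminSDHolder.
$blocked = Get-InheritanceBlockedMailboxUser
$blocked | Format-Table -AutoSize

# Dry run for the accounts that are not protected-group members.
$blocked | Where-Object { $_.adminCount -ne 1 } | Enable-AclInheritance -WhatIf
```

Remove `-WhatIf` to apply the change. Accounts that are still members of protected groups such as Domain Admins have inheritance switched off again by the AdminSDHolder process, so for those the lasting fix is a separate non-privileged mailbox account.
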
  • I use HTC Incredible Droid, not Motorola.  Firmware is 2.2.

    I enabled Integrated Windows Authentication on the Virtual Directory and enabled security inheritance.  Still the same problem.

    I tested another device and it works.  Does it mean that I will have problem with different devices?  What can I do about this?

    Thank you.

    Wednesday, December 1, 2010 5:00 PM
  • Sorry, forgot to say.  We do not use any additional security, like enforce passwords, etc.....
    Wednesday, December 1, 2010 5:03 PM
  • Yes, it seems the problem is with the device.

    Wednesday, December 1, 2010 5:05 PM
  • I recreated Active Sync Virtual Directory on Exchange 2007 server and all of my devices work.

    Thank you for your help.

    Thursday, December 2, 2010 2:08 PM