UAG 2010 SP1 and Exchange 2010 SP1 Outlook Anywhere Issues

  • Question

  • I've recently installed and configured UAG 2010 SP1 for a small client and am having issues getting Outlook Anywhere to work properly through UAG.  I have a dedicated Exchange trunk and have each of the Exchange web apps configured as individual applications within UAG (i.e. OWA, EAS, OA, OA - Autodiscover, & OA - EWS).  I have OA configured to use Kerberos delegation.  Currently OWA, EAS, & Autodiscover are working fine through UAG but use Basic/NTLM authentication.

    OA works great when not going through UAG (on network or VPN connected).

    With the exception of the UAG 2010 SP1 changes, I've followed this whitepaper for publishing OA:  http://www.microsoft.com/download/en/details.aspx?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3a+MicrosoftDownloadCenter+(Microsoft+Download+Center)&id=22723#tm

    When attempting to connect with Outlook, the client sits at "Trying to connect" for a few seconds and then is in a "Disconnected" state.  During the connection attempt I receive the "KCD Protocol Transition Succeeded", "Session Started", "User Added to Session", "Application Accessed" events in the UAG Web Monitor.

    In the IIS logs of the CAS server the following events are generated (replaced DNS names and IPs):

    2011-10-04 12:21:36 10.10.1.164 RPC_IN_DATA /rpc/rpcproxy.dll VSRVEXCH2.[Internal AD DNS Domain]:6002 443 - [UAG Server IP] MSRPC 401 1 2148074254 0
    2011-10-04 12:21:36 10.10.1.164 RPC_OUT_DATA /rpc/rpcproxy.dll VSRVEXCH2.[Internal AD DNS Domain]:6002 443 - [UAG Server IP] MSRPC 401 1 2148074254 0
    2011-10-04 12:21:37 10.10.1.164 RPC_IN_DATA /rpc/rpcproxy.dll VSRVEXCH2.[Internal AD DNS Domain]:6004 443 - [UAG Server IP] MSRPC 401 1 2148074254 0
    2011-10-04 12:21:37 10.10.1.164 RPC_OUT_DATA /rpc/rpcproxy.dll VSRVEXCH2.[Internal AD DNS Domain]:6004 443 - [UAG Server IP] MSRPC 401 1 2148074254 0

    The client is using a wildcard certificate from a public CA and has configured the Outlook provider accordingly:
    [PS] C:\Windows\system32>get-outlookprovider
    Name                          Server                        CertPrincipalName             TTL
    ----                          ------                        -----------------             ---
    EXCH                                                                                      1
    EXPR                                                        msstd:*.[public domain name]           1
    WEB                                                                                       1
    They also have exchange configured to use same DNS name internally and externally owa.[Public DNS Domain] with split-DNS configured.
    Here is the outlook anywhere configuration:
    [PS] C:\Windows\system32>get-outlookanywhere | format-list
    RunspaceId                      : 4f5c6e31-310b-44b9-b72a-48683582f5d3
    ServerName                      : VSRVEXCH2
    SSLOffloading                   : False
    ExternalHostname                : owa.[Public DNS Domain]
    ClientAuthenticationMethod      : Ntlm
    IISAuthenticationMethods        : {Ntlm}
    XropUrl                         :
    MetabasePath                    : IIS://VSRVEXCH2.[Internal AD DNS Domain]/W3SVC/1/ROOT/Rpc
    Path                            : C:\Windows\System32\RpcProxy
    ExtendedProtectionTokenChecking : None
    ExtendedProtectionFlags         : {}
    ExtendedProtectionSPNList       : {}
    Server                          : VSRVEXCH2
    AdminDisplayName                :
    ExchangeVersion                 : 0.10 (14.0.100.0)
    Name                            : Rpc (Default Web Site)
    DistinguishedName               : CN=Rpc (Default Web Site),CN=HTTP,CN=Protocols,CN=VSRVEXCH2,CN=Servers,CN=Exchange Ad
                                      ministrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,C
                                      N=Microsoft Exchange,CN=Services,CN=Configuration,[Internal AD DNS Domain]
    Identity                        : VSRVEXCH2\Rpc (Default Web Site)
    Guid                            : bb22b2c2-a4b8-453d-8d3d-5ec8e50d12a9
    ObjectCategory                  : [Internal AD DNS Domain]/Configuration/Schema/ms-Exch-Rpc-Http-Virtual-Directory
    ObjectClass                     : {top, msExchVirtualDirectory, msExchRpcHttpVirtualDirectory}
    WhenChanged                     : 9/13/2011 12:03:36 PM
    WhenCreated                     : 9/9/2011 5:27:01 PM
    WhenChangedUTC                  : 9/13/2011 5:03:36 PM
    WhenCreatedUTC                  : 9/9/2011 10:27:01 PM
    OrganizationId                  :
    OriginatingServer               : [DC FQDN]
    IsValid                         : True
    If I run the Outlook Anywhere test from www.testexchangeconnectivity.com I get the "anonymous authentication did not fail, but anonymous is not a configured authentication method" error, which prohibits any further troubleshooting with this tool.
    I've reached a dead end.  I've completely rebuilt the trunk several times and have done the same for the applications.  For the internal server name I've tried the owa.[Public DNS Domain] and the VSRVEXCH2.[Internal AD DNS Domain].  I've validated the Kerberos delegation on the UAG server computer account.  I can't find any errors in either the UAG Web Monitor logs or the CAS Windows Logs.
    Links I've already explored include:
    Any ideas or suggestions?
    Thank you in advance!

    Tuesday, October 4, 2011 1:00 PM

Answers

  • Doohhhh....

    It just dawned on me!  The CAS didn't have SPNs for http/owa!  I added http/owa.[Public DNS Domain] to the SPN list on the CAS computer account and voila!

    I'm still receiving an error on the ExRCA, but it is working anyway.

    Thanks for the second set of eyes!  Sometimes that's all it takes!

    • Marked as answer by Justin Burgod Monday, October 10, 2011 7:58 AM
    Wednesday, October 5, 2011 1:08 PM
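    A way to check for the condition the accepted answer fixed, as an added example that is not part of the thread: a computer account's HOST/ SPNs implicitly cover http/<computer FQDN>, but not an alias such as owa.[Public DNS Domain], so UAG's KCD to the alias needs an explicit HTTP SPN, registered on exactly one account. It assumes setspn.exe is available on a domain-joined box, that the CAS computer account is VSRVEXCH2, and uses owa.example.com as a placeholder for the published name.

    ```powershell
    # Added example (not from the thread). Verifies that the CAS computer account owns the
    # HTTP SPN for the published Outlook Anywhere hostname before relying on UAG KCD to it.
    # Assumptions: setspn.exe on the path (domain-joined host / RSAT), CAS account VSRVEXCH2,
    # 'owa.example.com' as a placeholder for owa.[Public DNS Domain].
    param(
        [string]$CasComputer   = 'VSRVEXCH2',
        [string]$PublishedHost = 'owa.example.com'
    )

    $spn = "http/$PublishedHost"

    # 1. What is actually registered on the CAS account. HOST/<fqdn> covers http/<fqdn>
    #    implicitly, but it does NOT cover an alias like owa.<public domain>.
    Write-Host "SPNs registered on ${CasComputer}:"
    setspn -L $CasComputer

    # 2. Forest-wide lookup: an SPN must belong to exactly one account, otherwise the KDC
    #    cannot issue a ticket for it and KCD from UAG fails.
    $query = (setspn -Q $spn 2>&1) -join "`n"

    if ($query -match 'No such SPN found') {
        Write-Host "$spn is not registered anywhere. Register it on the CAS account with:"
        Write-Host "  setspn -S $spn $CasComputer"   # -S refuses to create a duplicate SPN
    }
    elseif ($query -match "(?im)^CN=$CasComputer,") {
        Write-Host "$spn is already registered on $CasComputer; KCD can target it."
    }
    else {
        Write-Warning "$spn is registered on a different account (misplaced or duplicate SPN):"
        Write-Host $query
    }

    # 3. While here, report any duplicate SPNs in the domain; duplicates break Kerberos auth
    #    for every service that shares the name.
    setspn -X
    ```

    Run it as a user with read access to AD; only the `setspn -S` step it suggests requires rights to write the CAS computer object.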
  • You should only need the computer account SPNs; hence I would only expect to see a pair of entries for each CAS. 

    I've never had to create custom SPN entries to get it working...weird!

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    • Marked as answer by Justin Burgod Monday, October 10, 2011 7:58 AM
    Wednesday, October 5, 2011 1:18 PM

All replies

  • Sorry, to summarise, it only fails when using KCD?
    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Tuesday, October 4, 2011 2:11 PM
  • I did try changing it to Basic on one attempt, but it just continually prompted for credentials.  I assumed this was because of the NTLM Outlook Anywhere authentication configuration on the CAS.  The client doesn't want to change that configuration, and therefore I thought I was limited to KCD only.
    Tuesday, October 4, 2011 2:52 PM
  • It would be useful to test if it works with OA configured for Basic on the CAS and UAG basic delegation. If so, you definitely have a problem with your KCD config.
    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Tuesday, October 4, 2011 2:54 PM
  • Can you provide some screenshots of your KCD setup in AD?

    Have you looked at enabling Kerberos logging to look for problems?

    Cheers

    JJ


    Jason Jones | Forefront MVP | Silversands Ltd | My Blogs: http://blog.msedge.org.uk and http://blog.msfirewall.org.uk
    Tuesday, October 4, 2011 3:00 PM
  • Here is a screenshot of the KCD settings on the UAG server:

    I'm going to schedule some time over the weekend to test basic authentication.

    Thanks for the guidance!

    Wednesday, October 5, 2011 12:57 PM
  • The only thing I can think of is it may have been unique to the customer's Exchange CAS configuration.  They have split-DNS in place and have the CAS configured to use the public DNS name internally and externally.  I have only seen this Exchange configuration done before at one other customer and it was because they wanted their clients to connect via Outlook Anywhere (HTTPS) all the time (internal and external).

    The other thing I found weird is that after reading your final response I checked the CAS computer account again and there are no registered SPNs for http/vsrvexch2.[Internal AD DNS Domain], which is probably why when I tried recreating the trunk with the CAS name for KCD it also failed.

    I haven't had a chance to replicate the scenario in my lab, but if I get some free time I may give it a try.  Unfortunately work comes first.

    Monday, October 10, 2011 7:56 AM