Problems Co-existing with Exchange 2003 during transition

  • Question

  • I'm installing Exchange 2010.  I have an existing 2003 server.  I have the CAS and Hub Server roles implemented and am at the point where I redirect traffic to the new server and it should route to the old.  I can see it is working, but I have some problems.  I haven't tried yet directing mail to the new server.  So far just testing out the OWA interface.  When I enter the address, I get the new OWA login page.  When I enter my user name and password, it does redirect (no mailboxes on new server yet), but that's where it goes wrong.

    1. My old server does not require SSL, but the new one does.  It seems like it'd be much easier to just leave it that way for the transition period.  The redirect has httpS://...  in the link.  I'm thinking I can overcome this but wanted to mention my plan in case it looks wrong... I'm just guessing this is what does it:  One of the steps (using the Deployment Assistant) had me "configure the Exchange2003URL parameter".  I had to use the Exchange Management Shell, and I entered this:  Set-OWAVirtualDirectory -Identity "myservername\owa (Default Web Site)" -Exchange2003URL https://legacymail.mydomain.com/exchange

    So ... I'm thinking I can just do this again, but remove the "S" in HTTPS ??

    2.  The link that it redirects to, in addition to the HTTPS, is a path that is no good.  Perhaps it is supposed to be good, but it is sending me to:  https://legacymail.mydomain.com/exchweb/bin/auth/owaauth.dll.  I'm surprised by that, since as shown in the above step, I seemed to have defined the "-Exchange2003URL" to "../Exchange".  But it's taking me to this dll file.

    I see on the old server in IIS that both Exchange and ExchWeb exist under the Default Web Site.  But I just know that I've never navigated to ../ExchWeb for anything (at least not consciously).  If it's trying to get me to my 2003 OWA (I'm hoping it is, and I'm hoping it is passing the user credentials with it), that would be http://legacymail.mydomain.com/exchange.  I don't understand, and I'm pretty inexperienced with IIS, and completely inexperienced with 2010.   

    Hoping these items are easily solved. 

    Thanks for anything you can offer!


    Friday, April 29, 2011 8:31 PM

All replies

  • 1.  If your Exchange 2003 server can't support SSL, then change the Exchange2003URL to http://....

    2.  Is your Exchange 2003 server configured for forms-based authentication?  It needs to be.  If you don't want forms-based authentication on your Exchange 2003 front-end server, you could create an additional Exchange virtual directory or you could build another front-end server for the interoperability period.

    Also, on your Exchange 2003 servers, have you installed this patch: http://support.microsoft.com/?kbid=937031 and configured it to accept Integrated Authentication?  That will be required for ActiveSync to coexist.


    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
    Friday, April 29, 2011 8:55 PM
  • Thank you for the reply. This helped a lot, but introduced one new problem.

    I did not have forms based authentication configured. When I do that (http protocol, properties of Exchange Virtual Server, check box under Settings tab), it says that I then need SSL configured. So that's fine, I was only avoiding that because I thought it unnecessary... I've imported my certificate which was exported from the 2010 machine, and this seems to be working, in that I'm able to browse to the server via httpS with no problem.

    However, when I turn on Forms based authentication, while everything else works now (I'm properly redirected from 2010 web page, and httpS page on 2003 works), now my mobile device (droid in my case, but I'm assuming all) does not sync. I tried simply checking the box in the device for "requires secure ...". That didn't resolve.

    To your question: Yes, I did do the step of applying the hotfix in KB937031 and have the "Microsoft-Server-ActiveSync" property set to "Integrated Windows Authentication". But also still Basic authentication checked as well. However I did test unchecking basic authentication and that didn't resolve.

    Seems like I'm almost there. Can you tell what I'm missing by chance?

    Thanks very much!

    Friday, April 29, 2011 10:20 PM
  • If the mobile device doesn't work now it may be due to the certificate.  Try running http://testexchangeconnectivity.com to test your configuration.
    Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."

    • Marked as answer by tmiller112 Tuesday, May 3, 2011 5:34 PM
    Saturday, April 30, 2011 4:41 PM
  • Did you follow these steps after you installed the Hotfix?

    Steps to enable Integrated Windows Authentication after you install hotfix 937031 on the Exchange 2003 back-end server

    To do this, follow these steps:
    1. Start Exchange System Manager.
    2. Expand Administrative Groups, expand Administrative_Group_Name, and then expand Servers.
    3. Expand Your_Server_Name, expand Protocols, and then expand HTTP.
    4. Expand Exchange Virtual Server, right-click Microsoft-Server-ActiveSync, and then click Properties.
    5. Click the Access tab, and then click Authentication.
    6. Click to select the Integrated Windows Authentication check box.
    7. Click OK two times.

    To verify that this successfully replicated to the metabase on the Exchange server, follow these steps:
    1. Open the Internet Information Services (IIS) Manager under Administrative Tools.
    2. Expand the Computer, expand Web Sites, and then expand Default Web Site.
    3. Right-click Microsoft-Server-ActiveSync, and then click Properties.
    4. Click the Directory Security tab, and then select the Edit button under Authentication and access control.
    5. Verify that the Integrated Windows Authentication check box is selected.

    Note: If this check box is selected, you have successfully replicated the change that was made in the Exchange System Manager to the metabase on the Exchange server.
    6. Click Cancel two times, and then exit Internet Information Services (IIS) Manager.

    You can now test synching with your mobile device.

    Also check your NICs and verify the Binding Order is correct.


    Thanks,
    Jeff

     


    Saturday, April 30, 2011 9:08 PM
  • Ed, I did have a problem with my certificate.  However that appears to be resolved via tools from certificate issuer, and the problem that forms authentication makes my mobile devices unable to sync persists.  My test at the site you referred me to indicates Test Successful with Warnings.   Everything shows passed with only this one warning (could this be the problem somehow?):   

    Testing HTTP Authentication Methods for URL https://my.server.address/Microsoft-Server-Activesync/.
    The test passed with some warnings encountered. Please expand the additional details.
    Additional Details
    The following authentication methods are enabled, but they aren't allowed authentication methods for this service. Methods: Negotiate, NTLM

     

    I mentioned another observation that seems important and it speaks to Jeff's question above (Thank You Jeff):  I did run the hotfix and check the box for Integrated Windows Authentication.  I have now also confirmed it in IIS per his instructions. 

    However:  I also have "Basic Authentication" checked.  But if I uncheck that box and restart IIS, the mobile devices no longer sync (same as when I Enable Forms Based Authentication). 

    Other observation:  Given that I don't seem to be "requiring" SSL on this 2003 server (don't see a clear indicator for that requirement as I do in the 2010 server), I was surprised to find that after adding the certificate to the old server and turning on Integrated Windows Authentication, my Windows Mobile devices will not sync unless the 'server requires SSL' box is checked on the device.  That's not the case with my Android devices.  For those it works with or without 'require SSL' checked on the device, which is what I'd expect. 

    Jeff, I only have one NIC on the machine.

    Thank you for your help here.  Hoping you see something here maybe?  Feels like I'm very close in that I am able to log on to the new server OWA and it correctly routes me to the old server where my mailbox is.  When I have the forms based authentication turned on, that part works perfectly, but I need to get it working with the mobile devices also before I switch my DNS to the new server and start the fun of moving mailboxes. 

    Tim

    Tuesday, May 3, 2011 4:09 PM
  • I may not be as close as I thought. I re-tested and find that even with Forms Authentication enabled, I'm still experiencing the original problem. When I activate Forms Authentication, then I log on to my new server, it tries to re-route to the old server, but the link it sends me to fails. I'm able to log on directly to my old server with forms auth set by going directly to http(with or without S)://myserver/exchange. But when going through the new server, it re-routes me to https://legacymail.mydomain.com/exchweb/bin/auth/owaauth.dll, which fails.

    I swear I had that working on Friday. Not sure what stepped me backward here, but it seems to clearly relate to my security settings on the old server.

    Tuesday, May 3, 2011 4:38 PM
  • It appears that I've fixed my problem (I hope). While I did have Integrated Windows Authentication selected for the Microsoft-Server-ActiveSync directory, I did not for the Exchange vDir. That solved the problem.

    Thanks for your help!

    Tuesday, May 3, 2011 5:34 PM
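
The thread's fix came down to which authentication methods each Exchange 2003 virtual directory actually offered. The following is an added example, not part of the thread or of any Microsoft tooling: it sends one unauthenticated request to each legacy path quoted above and reports what the server answers. The function name `Get-AdvertisedAuth` is hypothetical, and the host name is the placeholder used in the question.

```powershell
# Added example. Host and paths are the ones quoted in the thread.
function Get-AdvertisedAuth {
    param([string]$Url)

    $req = [System.Net.WebRequest]::Create($Url)
    $req.Method = 'GET'
    $req.AllowAutoRedirect = $false   # report a forms-auth redirect instead of following it
    $req.Timeout = 10000

    $resp = $null
    $failure = $null
    try {
        $resp = $req.GetResponse()
    } catch {
        # A 401/403 arrives as a WebException (possibly wrapped) that still carries the response.
        $ex = $_.Exception
        while ($ex -and -not ($ex -is [System.Net.WebException])) { $ex = $ex.InnerException }
        if ($ex -and $ex.Response) { $resp = $ex.Response } else { $failure = $_.Exception.Message }
    }

    $result = New-Object PSObject -Property @{
        Url = $Url; Status = $null; Schemes = @(); Location = $null; Error = $failure
    }
    if ($resp) {
        $result.Status   = [int]$resp.StatusCode
        $result.Location = $resp.Headers['Location']
        # One WWW-Authenticate header per offered scheme; keep only the scheme name.
        $values = $resp.Headers.GetValues('WWW-Authenticate')
        if ($values) { $result.Schemes = @($values | ForEach-Object { ($_ -split ' ')[0] }) }
        $resp.Close()
    }
    $result
}

$legacy = 'https://legacymail.mydomain.com'
'/exchange', '/Microsoft-Server-ActiveSync', '/exchweb/bin/auth/owaauth.dll' |
    ForEach-Object { Get-AdvertisedAuth ($legacy + $_) } |
    Format-Table Url, Status, Schemes, Location, Error -AutoSize

# In the Exchange Management Shell on the 2010 server, also confirm the redirect target.
if (Get-Command Get-OwaVirtualDirectory -ErrorAction SilentlyContinue) {
    Get-OwaVirtualDirectory | Format-List Identity, Exchange2003Url
}
```

A 401 whose schemes include Negotiate and NTLM means Integrated Windows Authentication is enabled on that directory, while a 302 with a Location value means forms-based authentication is redirecting to its logon page. If Basic is the only scheme offered on an http:// URL, the password is sent base64-encoded rather than encrypted.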