Exchange 2010 + Outlook Anywhere + Windows XP not working together

  • Question

  • Hello,

    We have Exchange 2010 installed on Server 2008 R2, with the CAS/Hub/Mailbox roles on the same server. Outlook Anywhere is enabled and uses a Go Daddy signed certificate for OWA. Now my problem is that Windows XP (with SP3) PCs that are not located inside the domain and should use Outlook Anywhere cannot connect to that service. The Outlook version is 2007 SP2. On the other hand, the same user can connect without problems from a Windows 7 PC which is also located outside the domain. On the XP PC, Windows keeps asking for the password repeatedly; on the W7 PC it asks once, accepts it, logs the user in and connects him to his mailbox. I have read numerous posts about this kind of issue, but so far none of them helped me. The certificate is issued to mail.domainname.ee and autodiscover.domainname.ee. The internal name of the server is excha.domainname.ee; the external name is mail.domainname.ee. I also used the Set-OutlookProvider cmdlet to set EXPR to msstd:mail.domainname.ee and also tried msstd:excha.domainname.ee; this change did not have any effect on the XP PC. What is wrong with the XP and Outlook 2007 combination that it cannot connect to Exchange 2010?

    Wednesday, August 4, 2010 11:19 AM

Answers

  • I have solved my problem!

    The problem actually was in my SAN certificate, mainly in the Subject Alternative Names field. Go Daddy put on the first line of that field not mail.domainname.ee but domainname.ee. So Exchange was presenting itself to XP machines wrongly, and it seems that XP is not willing to look at the next lines of a SAN certificate. Windows 7, though, does, therefore that problem never happened on Windows 7. So after I used this command:

    Set-OutlookProvider EXPR -CertPrincipalName:"msstd:mydomain.ee"
    
    Everything worked!
    Friday, August 6, 2010 7:03 AM

All replies

  • What I can think of is that somehow the XP machines are not trusting the certificate. Can you install the Root CA for GoDaddy and the intermediate certificate on the Exchange server as well as the XP machine, run Windows Update and try again?
    Regards, Mahmoud Magdy Watch Arabic Level 300 Videos about Exchange 2010 here: http://vimeo.com/user3271816 Read pretty advanced Exchange stuff I post here: http://www.enowconsulting.com/ese/blog.asp, follow my blog: http://autodiscover.wordpress.com , corp blog: http://ingazat.wordpress.com and if you Liked my post please mark it as helpful and accept it as an answer
    Wednesday, August 4, 2010 11:22 AM
  • Hi,

    I think it's not related, but try this article; maybe it could help you.

    http://support.microsoft.com/kb/933612

    Regards.

    Shafaquat Ali.


    M.C.I.T.P Exchange 2007/2010, M.C.I.T.P Windows Server 2008, M.C.T.S OCS Server 2007 R2, Phone: +923008210320
    Wednesday, August 4, 2010 11:26 AM
  • I checked on the XP machine that it has the Root Certificates May update installed. Just in case, I installed the GoDaddy certificates again. No change. Outlook Web Access was/is working fine from that PC.
    Wednesday, August 4, 2010 11:50 AM
  • XP has SP3 installed and that patch won't install on it.
    Wednesday, August 4, 2010 11:51 AM
  • Hi,

    Have you tried to upgrade office to SP 3 ?

    I think your problem will be solved after this.

    Regards.

    Shafaquat Ali.


    M.C.I.T.P Exchange 2007/2010, M.C.I.T.P Windows Server 2008, M.C.T.S OCS Server 2007 R2, Phone: +923008210320
    Wednesday, August 4, 2010 11:53 AM
  • I have not seen Office 2007 Service Pack 3; I don't think it's available...
    Wednesday, August 4, 2010 11:57 AM
  • Hi,

    Sorry, I thought you had Office 2003.

    Regards.

    Shafaquat Ali.


    M.C.I.T.P Exchange 2007/2010, M.C.I.T.P Windows Server 2008, M.C.T.S OCS Server 2007 R2, Phone: +923008210320
    • Proposed as answer by jack.naxin Wednesday, April 2, 2014 2:23 AM
    Wednesday, August 4, 2010 1:06 PM
  • Can you reproduce the issue on other Windows XP machines outside the domain?

    Which firewall device is deployed between the internet and domain?

    Has IIS lockdown (URLScan) been installed on server?

    Have you compared the settings in the “Security” tab of mail account between windows XP and windows 7?


    James Luo
    TechNet Subscriber Support (http://technet.microsoft.com/en-us/subscriptions/ms788697.aspx)
    If you have any feedback on our support, please contact tngfb@microsoft.com
    Friday, August 6, 2010 7:37 AM
    Moderator
  • Yes, I was able to reproduce this problem on different XP machines that are located outside of the domain.

    We use Checkpoint FW systems.

    No

    I compared them and they looked the same, using NTLM authentication and so on.

    Friday, August 6, 2010 7:44 AM
  • Karol, you’re right.

    There's a difference in the HTTP/RPC protocol stacks between Windows XP and Windows 7/Vista, and in how they handle the RPC_HTTP_TRANSPORT_CREDENTIALS information and match certificate subjects. When the CertPrincipalName is missing from the Autodiscover information, Outlook defaults to msstd:<mail.domainname.ee>.

    On Windows XP (or at least Windows 2003), the client will reject the server certificate, while Windows 7/Vista will accept it. It looks like Windows XP doesn't handle wildcard certificates or the "Subject" field properly. Windows 7/Vista matches mail.domainname.ee to *.domainname.ee, but XP doesn't.

    Your method matches the CertPrincipalName to the subject field and so solves the password prompt. Brilliant, thanks for sharing!


    James Luo
    TechNet Subscriber Support (http://technet.microsoft.com/en-us/subscriptions/ms788697.aspx)
    If you have any feedback on our support, please contact tngfb@microsoft.com
    Friday, August 6, 2010 7:53 AM
    Moderator
  • From Technet :

    Outlook on Windows Vista RTM and XP or earlier operating systems:

    The Windows RPC over HTTP component used for Outlook Anywhere requires that the SAN or common name of the certificate must match the Certificate Principal Name configured for Outlook Anywhere. Outlook 2007 and later versions use Autodiscover to obtain this Certificate Principal Name. To configure this value on your Exchange 2010 Client Access server, use the Set-OutlookProvider command with the -CertPrincipalName parameter. Set this parameter to the external host name that Outlook clients use to connect to Outlook Anywhere.


    http://laubel.wordpress.com/
    Friday, August 6, 2010 8:11 AM
  • I have to disagree with you on that statement, as my situation was not solved by setting CertPrincipalName to my Exchange external URL. My Exchange external URL is mail.domainname.ee, but in the Go Daddy provided SAN certificate, under the Subject Alternative Names field, mail.domainname.ee was on the second line, therefore Windows XP did not accept it. On the first line was just domainname.ee, and after setting CertPrincipalName to msstd:domainname.ee it started to work. And yes, I do use Outlook Autodiscover with Outlook 2007, which now works perfectly.
    Friday, August 6, 2010 8:17 AM
  • We agree.

    The Outlook Anywhere External Hostname did not match the Cert Principal Name, right? So you need to manually set the Outlook Provider with the correct value. Of course you don't need to change your certificate.


    http://laubel.wordpress.com/
    Friday, August 6, 2010 8:36 AM
  • Yes, we can agree on that: I had to manually set the Cert Principal Name. But the Cert Principal Name I set is not my Exchange external URL; it is the URL that is the first one in that certificate, and in my certificate it is just the domain name, not the external URL on Exchange.

    Friday, August 6, 2010 9:04 AM
  • Is there any way to solve this problem on the Outlook client end only?  I am an end user with this same issue and need to work both from an XP image as well as Win 7 image - everything works fine on my Win 7 image, but it will not work on XP.  Same connectivity setups as described above.
    Sunday, August 15, 2010 5:38 PM
  • Thanks a lot, Karol

    I had the same issue, also with a GoDaddy cert. Now it works just fine.

    br

    Ralph

    Monday, May 30, 2011 1:33 PM
  • Hi Karol

    I do still have an issue. Outlook 2003 still keeps asking for username and password.

    With Outlook 2010 it works just fine.

    Any ideas?

    kr

    Ralph

    Wednesday, June 1, 2011 2:48 PM
  • Hi Ralph,

    I am sorry, but I never tried out Outlook 2003, as we do not have that version anymore.

    There's a post in this thread that suggested using at least Service Pack 3 for Outlook 2003; have you tried that?

    BR,

    Karol

    Wednesday, June 1, 2011 4:50 PM
  • Matt99hi,

    There isn't a way to do this on the client side, and I'm thinking it would be a poor strategy to pursue. The issue is a limitation of XP and its ability to process certs, yes, but the only way around it is to have the Exchange server present itself in a manner that XP can accept. A client-end fix would need to be applied to each and every client, which could quickly become a management nightmare. The above work-around addresses all clients in one fell swoop.

    Wednesday, June 8, 2011 12:37 PM
  • Thanks for the info, I was missing the "msstd:" part of the command. After that everything works fine.
    Thursday, September 15, 2011 1:15 PM
  • Hi, and thank you for your tips. I am having the exact same problem, but can't make it work.

    I have a Windows 2008 R2 with Exchange 2010 SP1 server.

    I have several Windows XP Pro SP3 client computers and few Windows 7 Pro.

    Only on Windows XP computers do the password prompts for Office 2007 persist; I've set the new MSSTD as suggested.

    The previous one was: msstd:owa.mydomain.com

    The new one has been set to: msstd:mydomain.com

    The customer has a GoDaddy Wildcard certificate.

    I did a gpupdate /force just in case and checked that the Outlook 2007 configuration points to msstd:mydomain.com, and the password is still being prompted for every time.

    Any ideas?

    Thanks a lot for your help!

    Thursday, October 20, 2011 2:19 PM
  • Hi!

    Check your certificate under Details, Subject Alternative Name. Whatever the first name after DNS Name= is should be used in MSSTD. For example, in my case the first line reads DNS Name=mydomain.ee, so I changed MSSTD:mail.mydomain.ee to MSSTD:mydomain.ee.

    I hope this helps!

    Best Regards,

    Karol

    Thursday, October 20, 2011 2:31 PM
  • Hi Karol, thanks for your answer. I've checked, and the certificate shows the following details in this order:

    DNS Name=*.DOMAIN.COM
    DNS Name=DOMAIN.COM


    Previously I had msstd:owa.domain.com configured and it didn't work. Now it's set to msstd:domain.com and it doesn't work either. Should I try msstd:*.domain.com?

    Thanks a lot!

    Thursday, October 20, 2011 3:20 PM
  • I would try to set msstd:*.domain.com then.

    My certificate is a Subject Alternative Name certificate where I have only a few exact domain names listed.


    Thursday, October 20, 2011 4:01 PM
  • I was suffering from a very similar issue.  The one major difference for me is that I was using a wildcard ssl certificate for "*.contoso.com" which was not matching with the server name of owa.contoso.com.

    Behaviour definitely seemed to only manifest with Windows XP on the open internet (not domain joined or internal) trying to use either Outlook 2007 or 2010 to connect to our internal Exchange 2010 server via RPC over HTTPS.  Autodiscover was successful but user would be repeatedly prompted for their credentials but they would never match.

    The key changes that seemed to fix this for us were to make these updates -

    Set-OutlookProvider EXPR -CertPrincipalName msstd:*.contoso.com

    Alternatively, if you don't care whether the proxy server name exactly matches your SSL cert, you can do this (not recommended) -

    Set-OutlookProvider EXPR -CertPrincipalName none

    These commands manipulate the Microsoft Exchange Proxy Settings under the Outlook Anywhere options under the connection tab of your mail profile.  In particular the field labeled "Only connect to proxy servers that have this principal name in their certificate"

    Also, to force RPC over HTTPS and never try and timeout on TCP/IP connection (which cannot work through the firewall) -

    Set-OutlookProvider EXPR -OutlookProviderFlags:ServerExclusiveConnect

    This should click the checkbox for "On fast networks, connect using HTTP first, then connect using TCP/IP"

    This should then allow autoconfigure to work fine when setting up your mail profile.  If you want to check the settings page you should have something that looks like this -

    (screenshot: OWA - Exchange Proxy settings)

    Finally, please note that Autodiscover settings are updated periodically not instantly. I believe it is something like every 15m or so.  As such, make the changes above and then wait for at least 15-30mins before making any other changes.  I ended up chasing my tail and then some complete red-herring *seemed* to fix the problem.  It was actually something that I had changed 20mins before!

    • Proposed as answer by ressbari Wednesday, July 25, 2012 4:11 PM
    Wednesday, July 25, 2012 4:11 PM
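The thread converges on one rule: what EXPR publishes in CertPrincipalName has to be exactly what the Windows XP RPC/HTTP client will accept, which (per the accepted answer, Karol's "read the first DNS Name= line" advice and the wildcard variant in the post above) is the first Subject Alternative Name entry of the certificate, while Vista/Windows 7 will accept any entry including a wildcard (James Luo's explanation). The script below is an added example that checks this on the Client Access server; it is not code from this thread or from Microsoft. It assumes the Exchange Management Shell (Get-OutlookAnywhere, Get-OutlookProvider and Set-OutlookProvider are the real cmdlets), an English Windows build for the "DNS Name=" text, a placeholder certificate thumbprint, and two helper names of my own, Get-SanDnsNames and Test-SanMatch. The one-label wildcard rule in Test-SanMatch is my reading of the Windows 7 behaviour described in the thread.

```powershell
# Added check script (not from this thread). Run in the Exchange Management Shell
# on the Client Access server. $Thumbprint is a placeholder: use the thumbprint of
# the certificate bound to IIS for Outlook Anywhere (Get-ExchangeCertificate lists it).
param(
    [string]$Thumbprint = 'PLACEHOLDER_THUMBPRINT',
    [switch]$Apply   # only change EXPR when explicitly asked
)

# Read the Subject Alternative Name extension (OID 2.5.29.17) in certificate order.
# On an English Windows build Format() emits one "DNS Name=<host>" line per entry,
# the same text the thread tells you to read in the certificate's Details tab.
function Get-SanDnsNames($Cert) {
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $ext) { return @() }
    ($ext.Format($true) -split "`r?`n") |
        Where-Object { $_ -like 'DNS Name=*' } |
        ForEach-Object { ($_ -replace '^DNS Name=', '').Trim() }
}

# Windows 7/Vista-style match as described by James Luo: an exact name, or a
# *.example.com wildcard covering exactly one label (mail.example.com, not a.b.example.com).
function Test-SanMatch([string]$HostName, [string]$San) {
    if ($San.StartsWith('*.')) {
        $suffix = $San.Substring(1)                                   # ".example.com"
        if (-not $HostName.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) { return $false }
        $prefix = $HostName.Substring(0, $HostName.Length - $suffix.Length)
        return ($prefix.Length -gt 0) -and ($prefix -notmatch '\.')
    }
    return [string]::Equals($HostName, $San, [StringComparison]::OrdinalIgnoreCase)
}

$cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
$san  = @(Get-SanDnsNames $cert)
if ($san.Count -eq 0) {
    # No SAN extension: the RPC/HTTP client falls back to the Subject common name.
    $san = @($cert.GetNameInfo('DnsName', $false))
}

$oa        = Get-OutlookAnywhere | Select-Object -First 1
$external  = if ($oa.ExternalHostname) { "$($oa.ExternalHostname)" } else { '(not set)' }
$expr      = Get-OutlookProvider EXPR
$principal = "$($expr.CertPrincipalName)"
if ($principal -eq '') {
    # James Luo's point: with no CertPrincipalName in Autodiscover, Outlook defaults
    # to msstd:<external hostname>.
    $advertised = $external
    $principal  = "(not set; Outlook defaults to msstd:$external)"
} else {
    $advertised = $principal -replace '^msstd:', ''
}

"Outlook Anywhere external hostname : $external"
"EXPR CertPrincipalName             : $principal"
"Certificate SAN order              : $($san -join ', ')"

# Vista/Windows 7 clients: any SAN entry (wildcard included) may match the principal.
$win7ok = @($san | Where-Object { Test-SanMatch $advertised $_ }).Count -gt 0
# Windows XP clients, per the thread: the principal must equal the FIRST SAN entry.
$xpok   = ($advertised -ieq $san[0])

"Vista/Win7 clients accept this principal : $win7ok"
"XP clients accept this principal         : $xpok"

if (-not $xpok) {
    $wanted = "msstd:$($san[0])"
    "XP fix (what the accepted answer did): Set-OutlookProvider EXPR -CertPrincipalName `"$wanted`""
    if ($Apply) {
        Set-OutlookProvider EXPR -CertPrincipalName $wanted
        "Applied. Clients pick it up on their next Autodiscover refresh, not instantly."
    }
}
```

Run it as `.\Check-OutlookAnywhereCert.ps1 -Thumbprint <thumbprint>` first; it only reports. With a GoDaddy wildcard certificate whose first entry is *.contoso.com and a principal of msstd:owa.contoso.com it reports Win7 OK but XP not OK and proposes msstd:*.contoso.com, which is what the post above ended up setting; with Karol's certificate (domainname.ee first, mail.domainname.ee second) it proposes msstd:domainname.ee. Add -Apply to write the value, then allow for the Autodiscover refresh interval the post above mentions before judging the result.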
  • Thank you. This really helped. Amazing how you find the post with what you are looking for after 3 hours!
    Thursday, December 13, 2012 11:40 AM
  • Hello,

    I have the same problem with Exchange 2013 CU1 on all XP with SP3 boxes (Outlook 2007 v12.0.6665.5003).

    We also have a SAN certificate, and my first entry is domain.com.

    I changed

    Set-OutlookProvider EXPR -CertPrincipalName msstd:domain.com

    Restarted IIS.

    When I try to configure Outlook, I am continuously prompted for username and password.

    Thanks in advance for your help.

    Regards, Dieter

    Thursday, June 27, 2013 7:52 PM
  • Hello Dieter,

    Unfortunately I don't know about Exchange 2013 (have not deployed it yet). And I doubt that I will ever have that same problem again, as all our PCs have been upgraded to at least Windows 7 and Outlook 2010. Hopefully someone else has the answer for your situation; also, making a new post under the Exchange 2013 forum might help you to get a faster answer.

    Best Regards,
    Karol

    Monday, July 8, 2013 11:42 AM
  • I had to set the EXPR cert principal name to msstd:*.domain.name

    This was to match the GoDaddy Wildcard cert issued to *.domain.name

    I also set the default domain name under Outlook Anywhere config so users did not have to enter domain\username in OWA, and instead can just enter their username.

    I set the auth type to negotiate on both internal and external, and used the same public URL for internal and external access.

    I created a new forward DNS zone, with associated reverse pointer, no dynamic updates allowed, with an A record pointing to internal IP of exchange server so clients can resolve external hostname while connected to LAN.

    XP clients can now auto-configure Outlook profile on Exch 2013 successfully without prompting for login :D


    Monday, October 21, 2013 9:00 PM
  • OK, sorry to bother you all with this some more.

    I have the issue too that Outlook 2010 clients on Windows XP ask for the password.

    When I do everything in this conversation, I can connect, but after restarting Outlook 2010 the setting which I put in the field

    "Only connect to proxy servers that have this principal name in their certificate" is changed automatically.

    I have put in: msstd:*.servername.com  (Outlook working)

    It auto-changes to: msstd:mailserver.servername.com   (Outlook not working)

    I can change it back every time, but after closing Outlook it is changed back.

    It's driving my users nuts.

    Is there anyone with the same?

    Monday, November 4, 2013 3:35 PM
  • If I do it like that, what will happen if the PC is out of the office? Outlook will not connect with RPC over HTTP, is that right?
    Monday, March 24, 2014 8:06 AM
  • Hi,
    The solution to the problem I found is:
    1. Disable Autodiscover for the user, in the Windows profile.

    To do this (Outlook 2007) I set these registry values:
    [HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Outlook\AutoDiscover]
    "ExcludeScpLookup"=dword:00000001
    "ExcludeHttpRedirect"=dword:00000001
    "ExcludeHttpsAutoDiscoverDomain"=dword:00000001
    "ExcludeHttpsRootDomain"=dword:00000001
    "PreferLocalXML"=dword:00000001
    "ExcludeSrvRecord"=dword:00000001

    2. Uncheck the option "Only connect to proxy servers that have this principal name in their certificate" in the connection settings
    (I am using Basic Authentication).

    That's it. Works for me (Exch2013, Outlook2007 on WinXP)
    I hope this way could help also someone...
    Regards

    Friday, March 28, 2014 10:44 AM