OutlookAnywhere Unauthorized Access Errors
I'm having an issue with OutlookAnywhere and have not found a fix for it by searching the forum. I was hoping that someone may have come across this before.
I'm testing a scenario for a future install and can get everything to work but OutlookAnywhere.
My configuration:
Server1: ISTest1.istestdomain.local is my only Active Directory server with File and Print services with Windows 2008 Server
Server2: ISTest2.istestdomain.local is a member server with Windows 2008 Server and Exchange 2007 SP1
ExternalDomain: mydomain.com
External A Record exists for mail2.mydomain.com
SSL Certificate with the following domains mail2.mydomain.com, autodiscover.mydomain.com, ISTest2, ISTest2.istestdomain.local issued by a Third Party Issuer.
I can get Outlook Web Access to work inside and outside with no certificate errors
My problem appears to be authentication. With Outlook 2007, the auto config only seems to connect to Autodiscover as an Administrator account but keeps prompting for credentials if I use the user account.
I can connect to https://istest2.istestdomain.local/EWS/Exchange.asmx from inside the network as the user with an XML page as a result. I cannot connect to https://mail2.mydomain.com/EWS/Exchange.asmx from the outside as the user but can as the administrator.
Test-OutlookWebServices provides the following:
[PS] C:\Windows\System32>test-outlookwebservices |fl
Id      : 1003
Type    : Information
Message : About to test AutoDiscover with the e-mail address Administrator@mail2.mydomain.com.

Id      : 1007
Type    : Information
Message : Testing server ISTest2.ISTestDomain.local with the published name https://istest2.istestdomain.local/EWS/Exchange.asmx & https://mail2.mydomain.com/EWS/Exchange.asmx.

Id      : 1019
Type    : Information
Message : Found a valid AutoDiscover service connection point. The AutoDiscover URL on this object is https://ISTest2.ISTestDomain.local/Autodiscover/Autodiscover.xml.

Id      : 1006
Type    : Information
Message : The Autodiscover service was contacted at https://ISTest2.ISTestDomain.local/Autodiscover/Autodiscover.xml.

Id      : 1016
Type    : Success
Message : [EXCH]-Successfully contacted the AS service at https://istest2.istestdomain.local/EWS/Exchange.asmx. The elapsed time was 499 milliseconds.

Id      : 1015
Type    : Success
Message : [EXCH]-Successfully contacted the OAB service at https://istest2.istestdomain.local/EWS/Exchange.asmx. The elapsed time was 0 milliseconds.

Id      : 1014
Type    : Success
Message : [EXCH]-Successfully contacted the UM service at https://istest2.istestdomain.local/UnifiedMessaging/Service.asmx. The elapsed time was 15 milliseconds.

Id      : 1013
Type    : Error
Message : When contacting https://mail2.mydomain.com/EWS/Exchange.asmx received the error The request failed with HTTP status 401: Unauthorized.

Id      : 1016
Type    : Error
Message : [EXPR]-Error when contacting the AS service at https://mail2.mydomain.com/EWS/Exchange.asmx. The elapsed time was 31 milliseconds.

Id      : 1015
Type    : Success
Message : [EXPR]-Successfully contacted the OAB service at https://mail2.mydomain.com/EWS/Exchange.asmx. The elapsed time was 0 milliseconds.

Id      : 1014
Type    : Information
Message : [EXPR]-The UM is not configured for this user.

Id      : 1017
Type    : Success
Message : [EXPR]-Successfully contacted the RPC/HTTP service at https://mail2.mydomain.com/Rpc. The elapsed time was 156 milliseconds.

Id      : 1006
Type    : Success
Message : The Autodiscover service was tested successfully.

Id      : 1021
Type    : Information
Message : The following web services generated errors. As in EXPR Please use the prior output to diagnose and correct the errors.

get-webservicesvirtualdirectory |fl
InternalNLBBypassUrl          : https://istest2.istestdomain.local/ews/exchange.asmx
Name                          : EWS (Default Web Site)
InternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated}
ExternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated}
BasicAuthentication           : True
DigestAuthentication          : False
WindowsAuthentication         : True
MetabasePath                  : IIS://ISTest2.ISTestDomain.local/W3SVC/1/ROOT/EWS
Path                          : C:\Program Files\Microsoft\Exchange Server\ClientAccess\exchweb\EWS
Server                        : ISTEST2
InternalUrl                   : https://istest2.istestdomain.local/EWS/Exchange.asmx
ExternalUrl                   : https://mail2.mydomain.com/EWS/Exchange.asmx
AdminDisplayName              :
ExchangeVersion               : 0.1 (8.0.535.0)
DistinguishedName             : CN=EWS (Default Web Site),CN=HTTP,CN=Protocols,CN=ISTEST2,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=ISTestDomain,DC=local
Identity                      : ISTEST2\EWS (Default Web Site)
Guid                          : 3b937826-1404-4169-82fb-689272d41f14
ObjectCategory                : ISTestDomain.local/Configuration/Schema/ms-Exch-Web-Services-Virtual-Directory
ObjectClass                   : {top, msExchVirtualDirectory, msExchWebServicesVirtualDirectory}
WhenChanged                   : 5/19/2008 11:31:43 AM
WhenCreated                   : 5/18/2008 6:19:06 PM
OriginatingServer             : ISTest1.ISTestDomain.local
IsValid                       : True

More information added on May 23, 2008:
[PS] C:\Windows\System32>get-outlookprovider|fl
CertPrincipalName :
Server            :
TTL               : 1
AdminDisplayName  :
ExchangeVersion   : 0.1 (8.0.535.0)
Name              : EXCH
DistinguishedName : CN=EXCH,CN=Outlook,CN=AutoDiscover,CN=Client Access,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=ISTestDomain,DC=local
Identity          : EXCH
Guid              : fb433518-bd85-46b5-a3dc-8ee7e5d583eb
ObjectCategory    : ISTestDomain.local/Configuration/Schema/ms-Exch-Auto-Discover-Config
ObjectClass       : {top, msExchAutoDiscoverConfig}
WhenChanged       : 5/22/2008 9:41:53 PM
WhenCreated       : 5/18/2008 6:18:58 PM
OriginatingServer : ISTest1.ISTestDomain.local
IsValid           : True

CertPrincipalName : msstd:mail2.mydomain.com
Server            :
TTL               : 1
AdminDisplayName  :
ExchangeVersion   : 0.1 (8.0.535.0)
Name              : EXPR
DistinguishedName : CN=EXPR,CN=Outlook,CN=AutoDiscover,CN=Client Access,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=ISTestDomain,DC=local
Identity          : EXPR
Guid              : 1565024f-5d00-4f39-a991-93a2f941d724
ObjectCategory    : ISTestDomain.local/Configuration/Schema/ms-Exch-Auto-Discover-Config
ObjectClass       : {top, msExchAutoDiscoverConfig}
WhenChanged       : 5/22/2008 5:08:20 PM
WhenCreated       : 5/18/2008 6:18:58 PM
OriginatingServer : ISTest1.ISTestDomain.local
IsValid           : True

CertPrincipalName : msstd:mail2.mydomain.com
Server            :
TTL               : 1
AdminDisplayName  :
ExchangeVersion   : 0.1 (8.0.535.0)
Name              : WEB
DistinguishedName : CN=WEB,CN=Outlook,CN=AutoDiscover,CN=Client Access,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=ISTestDomain,DC=local
Identity          : WEB
Guid              : 48701d93-5079-4ed3-936d-7f484064a123
ObjectCategory    : ISTestDomain.local/Configuration/Schema/ms-Exch-Auto-Discover-Config
ObjectClass       : {top, msExchAutoDiscoverConfig}
WhenChanged       : 5/22/2008 5:08:48 PM
WhenCreated       : 5/18/2008 6:18:58 PM
OriginatingServer : ISTest1.ISTestDomain.local
IsValid           : True

May 22nd, 2008 8:45am
Hi,
I would like to confirm whether we can configure RPC Over HTTP in the Internal circumstance.
If it works, the most likely cause of this issue is that the firewall blocks the NTLM authentication.
So, please open IIS, right click Autodiscover, in the Directory Security, click Edit button, please uncheck the Integrated Windows authentication.
Click OK.
Then check this issue.
Thanks
Allen
May 26th, 2008 2:54pm
Thanks for the reply.
In IIS7, I've disabled the Authentication method for Windows Authentication. The external user now seems to authenticate to the Autodiscover and pull some Exchange settings from outside of the firewall. However, I still cannot connect Outlook 2007 to Outlook Anywhere. The authentication fails. Internally, I get the following at the Exchange server:
[PS] C:\Windows\System32>test-outlookwebservices |fl
Id      : 1003
Type    : Information
Message : About to test AutoDiscover with the e-mail address Administrator@mail2.mydomain.com.

Id      : 1007
Type    : Information
Message : Testing server ISTest2.ISTestDomain.local with the published name https://istest2.istestdomain.local/EWS/Exchange.asmx & https://mail2.mydomain.com/EWS/Exchange.asmx.

Id      : 1019
Type    : Information
Message : Found a valid AutoDiscover service connection point. The AutoDiscover URL on this object is https://ISTest2.ISTestDomain.local/Autodiscover/Autodiscover.xml.

Id      : 1013
Type    : Error
Message : When contacting https://ISTest2.ISTestDomain.local/Autodiscover/Autodiscover.xml received the error The remote server returned an error: (401) Unauthorized.

Id      : 1006
Type    : Error
Message : The Autodiscover service could not be contacted.

May 26th, 2008 8:23pm
Hi,
Since we unchecked the Integrated Windows authentication in the last steps, the 401 error came up when testing outlookwebservices. Now please first go back to the original settings (check the Integrated Windows authentication).
Now please check the authentication of the Outlook Anywhere on the Client Access Server, confirm the client authentication method is Basic authentication. Also please open IIS, find the RPC, right click it and in the Directory Security, please make sure the Basic authentication is checked.
Additionally, please also make sure the Basic authentication has been checked in OAB and EWS. Then check whether we can connect Outlook 2007 to Outlook Anywhere.
Thanks
Allen
May 27th, 2008 1:38pm
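The checks requested in the reply above can be gathered in one pass from the Exchange Management Shell instead of clicking through IIS Manager. This is an added example, not part of the original thread; it is read-only, and it assumes the Autodiscover and OAB virtual directory objects expose the same BasicAuthentication and WindowsAuthentication properties that the thread's output shows for EWS.

```powershell
# Added example: run in the Exchange Management Shell on the Client Access server.
# Read-only: only Get-* cmdlets are called, nothing is changed.

# Outlook Anywhere: what clients are told to use vs. what the Rpc directory accepts.
$oa = Get-OutlookAnywhere
"Outlook Anywhere client authentication : $($oa.ClientAuthenticationMethod)"
"Rpc virtual directory accepts          : $($oa.IISAuthenticationMethods)"

# Collect the other virtual directories Outlook 2007 talks to over HTTPS.
# Assumption: Autodiscover and OAB objects carry the same two boolean
# properties that Get-WebServicesVirtualDirectory shows for EWS.
$vdirs = @(Get-AutodiscoverVirtualDirectory) +
         @(Get-WebServicesVirtualDirectory) +
         @(Get-OabVirtualDirectory)

$vdirs |
    Select-Object Name, Server, BasicAuthentication, WindowsAuthentication |
    Format-Table -AutoSize

# When Outlook Anywhere is set to Basic, list every directory where
# Basic authentication is still switched off.
if ($oa.ClientAuthenticationMethod -eq 'Basic') {
    $vdirs |
        Where-Object { -not $_.BasicAuthentication } |
        ForEach-Object { "Basic authentication is not enabled on: $($_.Name)" }
}
```

Basic authentication sends the password with every request, so these directories should only be reachable over SSL, as they are in the configuration described in this thread.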
I changed the Autodiscovery virtual directory back to Windows Authentication.
The only virtual directory that did not have Basic Authentication selected was the OAB. I have now enabled that.
Outlook Anywhere was set for Basic as shown:
[PS] C:\Windows\System32>get-outlookanywhere
ServerName                 : ISTEST2
SSLOffloading              : False
ExternalHostname           : mail2.mydomain.com
ClientAuthenticationMethod : Basic
IISAuthenticationMethods   : {Basic}
MetabasePath               : IIS://ISTest2.ISTestDomain.local/W3SVC/1/ROOT/Rpc
Path                       : C:\Windows\System32\RpcProxy
Server                     : ISTEST2
AdminDisplayName           :
ExchangeVersion            : 0.1 (8.0.535.0)
Name                       : Rpc (Default Web Site)
DistinguishedName          : CN=Rpc (Default Web Site),CN=HTTP,CN=Protocols,CN=ISTEST2,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=ISTestDomain,DC=local
Identity                   : ISTEST2\Rpc (Default Web Site)
Guid                       : c1e060a4-da47-4644-ac7c-67b6dd79b666
ObjectCategory             : ISTestDomain.local/Configuration/Schema/ms-Exch-Rpc-Http-Virtual-Directory
ObjectClass                : {top, msExchVirtualDirectory, msExchRpcHttpVirtualDirectory}
WhenChanged                : 5/22/2008 4:13:48 PM
WhenCreated                : 5/22/2008 4:13:48 PM
OriginatingServer          : ISTest1.ISTestDomain.local
IsValid                    : True

I still have no access with Outlook 2007.
Does the server with OutlookAnywhere enabled need to hold a global catalog? Since this is a member server, it does not.
May 27th, 2008 10:12pm
Hi,
I would like to confirm whether we can resolve the mail2.domain.com and autodiscover.mydomain.com to the expected IP address of the CAS server correctly from the external domain.
Please understand that the two addresses must be resolved by the external DNS so that we can configure Outlook without any connection issue.
Thanks
Allen
May 29th, 2008 2:40pm
Yes. I can use both https://mail2.mydomain.com/owa and https://autodiscover.mydomain.com/owa to access Outlook Web Access. Both come up with no certificate errors.
I can also open from external, https://autodiscover.mydomain.com/autodiscover/autodiscover.xml. It opens up an XML script. However, this ONLY opens when using the administrator account. If I use a user account, it continually prompts for a username/password.
May 29th, 2008 7:35pm
At this point, I think that this is resolved. I did a few things not aligning to recommended best practices but it works.
I had read somewhere that the server that has RPC-over-HTTP-Proxy should be running on a global catalog. However, since best practices suggest that Exchange should not be running on a domain controller, I started out with a single domain controller (ISTest1) and a member server (ISTest2), both running Windows 2008 Server, installing the Exchange roles on ISTest2. Things worked great until I got to the point of testing Outlook Anywhere from outside the LAN. My certificate worked and provided Outlook Web Access with no problems and no certificate errors.
When connecting to the autodiscover service as a user, it failed to connect and gave authentication errors. If I used the administrator account, it would work for connecting to autodiscover. OutlookAnywhere would not work for any user.
Because of the authentication errors and the article stating that the RPC-over-HTTP-Proxy should be on a Global Catalog server, I ran DCPROMO on the member server (ISTest2). Again, this is against Best Practices because you should never run DCPROMO on a machine that already has Exchange roles installed.
Promoting the server to a domain controller solved the authentication errors with the Autodiscover site. The workstation would now grab the proper configuration as the user account. However, OutlookAnywhere would still not connect. My last effort was to uninstall/reinstall the RPC-over-HTTP-Proxy feature after the Domain Controller promotion.
This worked! Outlook 2007 will now auto configure itself and connect properly using HTTP protocols.
June 2nd, 2008 9:31pm