Outlook Anywhere OutlookProvider EXPR value authentication issue -- external trusted domain
This may be a tough one -- My parent company has a large forest with their own Exchange servers. We are a smaller company with a separate forest. The parent company has a subdomain locally in our building and we have an NTLM external trust from our domain to their subdomain. We've started using their new Exchange 07 server with linked mailboxes. Everything appears fine locally.

Problem is with setting up offsite clients to use Outlook Anywhere. We couldn't use the parent company's centralized CAS server for our OWA/Outlook Anywhere due to some kind of Kerberos authentication problem down to our domain. Only solution from Microsoft PSS was for their root level domain (where central CAS was located) to trust our little forest -- not an option to the parent company since it would break their security model.

Now to the real issue. I need to set up OWA/Outlook Anywhere through our own ISA (2006) server. OWA and ActiveSync appear to be working.

Problem is with Outlook Anywhere authentication. Seems the parent company has set up their infrastructure with the OutlookProvider's EXPR object set to "im.<parentcompanyname>.com". When our clients connect to "im.<OURcompanyname>.com", there's a mismatch in our SAN cert's subject name and the EXPR object.

I can't do the workaround of setting the EXPR to $null since the parent company doesn't feel comfortable in changing it (translate to "don't know what that will break").

1st: Is there a way to force our Exchange server to use a different value for EXPR? Maybe taking the value from our linked domain's AD instead of the parent company's Exchange resource domain's AD.

2nd: Is there a way to force Outlook 07 (in Windows XP) to ignore this mismatch, or at least use another name in the SAN other than the Subject Name?
August 21st, 2009 7:47pm
I don't think setting it to $null on your CAS server will break anything on the parent company's end; it's at least a good test, as described here: http://social.technet.microsoft.com/Forums/en-US/exchangesvrgeneral/thread/ffea8c99-f206-49f9-98e9-122efcf828f0
August 22nd, 2009 7:00pm
Hi,

Configuration tips and common troubleshooting steps for multiple forest deployment of Autodiscover service: http://msexchangeteam.com/archive/2008/02/13/448127.aspx

Besides, I think you may try to untick "Only Connect to proxy servers that have this principal name in their certificate" when you configure Outlook Anywhere.

Outlook Anywhere 2007 with ISA Server 2006: http://www.msexchange.org/tutorials/Outlook-Anywhere-2007-ISA-Server-2006.html

Regards,
Xiu
August 24th, 2009 11:42am
Yep, I believe that he has to set it to null otherwise autodiscovery will recheck that option.
August 25th, 2009 3:15am
Besides, I think creating an SRV record may solve the certificate problem.

A new feature is available that enables Outlook 2007 to use DNS Service Location (SRV) records to locate the Exchange Autodiscover service
http://support.microsoft.com/kb/940881

Regards,
Xiu
August 28th, 2009 12:28pm
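
The name mismatch described in the opening question can be checked before any client setting is changed. The following is an added example, not code from the thread or from Microsoft: it compares the principal name a provider hands to Outlook with the subject and SAN entries of the certificate on the publishing listener. The function names and every host name are hypothetical, and it assumes the provider value is stored in the `msstd:host` form.

```powershell
# Added example. On the Exchange side the current provider values can be read with:
#   Get-OutlookProvider -Identity EXPR | Format-List Server, CertPrincipalName
# The thread does not say which of the two holds the parent company's name.

function Test-NameMatch {
    param([string]$Expected, [string]$CertName)
    $e = $Expected.ToLowerInvariant()
    $c = $CertName.ToLowerInvariant()
    if ($c.StartsWith('*.')) {
        # A wildcard certificate name covers exactly one left-most label.
        $dot = $e.IndexOf('.')
        return ($dot -gt 0) -and ($e.Substring($dot) -eq $c.Substring(1))
    }
    return $e -eq $c
}

function Test-CertPrincipalName {
    param(
        [string]$CertPrincipalName,        # value handed to Outlook, e.g. msstd:host
        [string]$SubjectCN,                # CN of the certificate on the listener
        [string[]]$SubjectAltNames = @()   # DNS names from the SAN extension
    )
    if ([string]::IsNullOrEmpty($CertPrincipalName)) {
        # No principal name is supplied, so there is nothing to compare.
        return New-Object PSObject -Property @{ Expected = $null; SubjectMatch = $null; SanMatch = $null }
    }
    $expected = $CertPrincipalName -replace '^msstd:', ''
    $sanHits  = @($SubjectAltNames | Where-Object { Test-NameMatch $expected $_ })
    New-Object PSObject -Property @{
        Expected     = $expected
        SubjectMatch = (Test-NameMatch $expected $SubjectCN)
        SanMatch     = ($sanHits.Count -gt 0)
    }
}

# Constructed cases modelled on the thread: provider set for the parent's name,
# listener certificate issued for the subsidiary's own name.
$cases = @(
    @{ Principal = 'msstd:im.parent.example'; CN = 'im.ours.example'; SAN = @('im.ours.example', 'autodiscover.ours.example') },
    @{ Principal = 'msstd:im.parent.example'; CN = 'im.ours.example'; SAN = @('im.ours.example', 'im.parent.example') },
    @{ Principal = 'msstd:im.ours.example';   CN = '*.ours.example';  SAN = @() }
)
foreach ($case in $cases) {
    Test-CertPrincipalName -CertPrincipalName $case.Principal -SubjectCN $case.CN -SubjectAltNames $case.SAN |
        Select-Object Expected, SubjectMatch, SanMatch
}
```

A row where `SanMatch` is true but `SubjectMatch` is false is the situation the second question asks about: the expected name is on the certificate, but not as its subject.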