outlook can't connect to exchange server
environment:
win2003 exchange2007
ad domain:bbb.com(example)
mail domain:aaa.com(example)
private ca(in windows2003) certificate with alternative name:owa.aaa.com,autodiscover.aaa.com,zqsbmail.bbb.com(mail server),zqsbmail(mail server)
Outlook can pass the second of the three phases; during the third phase an error is encountered, indicating that the Exchange server is not available. But iPad 2/iPhone can connect to it with the Exchange setting, and an HTC mobile can connect with the Exchange ActiveSync setting.
the following lines are information about test of outlook autodiscover :
<?xml version="1.0" encoding="utf-8"?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
<Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
<User>
<DisplayName>gwr</DisplayName>
<LegacyDN>/o=zqsbs/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=guanweirong</LegacyDN>
<DeploymentId>b6a3773b-84d1-430d-a48a-6649f512683c</DeploymentId>
</User>
<Account>
<AccountType>email</AccountType>
<Action>settings</Action>
<Protocol>
<Type>EXCH</Type>
<Server>zqsbmail.bbb.com</Server>
<ServerDN>/o=zqsbs/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=ZQSBMAIL</ServerDN>
<ServerVersion>720180F0</ServerVersion>
<MdbDN>/o=zqsbs/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=ZQSBMAIL/cn=Microsoft Private MDB</MdbDN>
<PublicFolderServer>zqsbmail.bbb.com</PublicFolderServer>
<AD>zqsbmail.bbb.com</AD>
<ASUrl>https://owa.aaa.com/EWS/Exchange.asmx</ASUrl>
<EwsUrl>https://owa.aaa.com/EWS/Exchange.asmx</EwsUrl>
<OOFUrl>https://owa.aaa.com/EWS/Exchange.asmx</OOFUrl>
<UMUrl>https://zqsbmail.bbb.com/UnifiedMessaging/Service.asmx</UMUrl>
<OABUrl>http://zqsbmail.bbb.com/OAB/2e4d1a4f-4f3a-485c-8875-d719362b15ff/</OABUrl>
</Protocol>
<Protocol>
<Type>EXPR</Type>
<Server>zqsbmail</Server>
<ASUrl>https://owa.aaa.com/EWS/Exchange.asmx</ASUrl>
<EwsUrl>https://owa.aaa.com/EWS/Exchange.asmx</EwsUrl>
<OOFUrl>https://owa.aaa.com/EWS/Exchange.asmx</OOFUrl>
<OABUrl>https://owa.aaa.com/OAB/2e4d1a4f-4f3a-485c-8875-d719362b15ff/</OABUrl>
</Protocol>
<Protocol>
<Type>WEB</Type>
<External>
<OWAUrl AuthenticationMethod="Fba">http://owa.aaa.com/owa</OWAUrl>
<Protocol>
<Type>EXPR</Type>
<ASUrl>https://owa.aaa.com/EWS/Exchange.asmx</ASUrl>
</Protocol>
</External>
<Internal>
<OWAUrl AuthenticationMethod="Ntlm, WindowsIntegrated">http://zqsbmail.bbb.com/owa</OWAUrl>
<Protocol>
<Type>EXCH</Type>
<ASUrl>https://owa.aaa.com/EWS/Exchange.asmx</ASUrl>
</Protocol>
</Internal>
</Protocol>
</Account>
</Response>
</Autodiscover>
any response will be appreciated. sorry for my poor english.
gwl7810
November 12th, 2011 5:11am
Hi GWL7810,
The Autodiscover result appears to be fine, all the web-based service URLs returned successfully.
I am not sure what is about "three phases", does it mean you are creating a new Outlook profile? If yes, please reboot the GC server, add a gateway on the problematic client computer and then try again to see if this works.
If the issue continues, please provide the following information:
How does the problematic client try to connect to the Exchange server? Internally via LAN or externally via Outlook Anywhere?
Where did you run the "Test Email Autoconfiguration"? From the problematic client when Outlook is connecting, or from another client that is able to connect? What is the report in the Log tab?
Thanks.
Best Regards Fiona Liao E: v-fiolia@microsoft.com
November 13th, 2011 10:01pm
thanks in advance
yes, i am creating a new outlook profile. phase one (establishing network connection) passed and phase two passed, but the third phase (logon to server) can't pass (it pops up a window with information connecting to guanweirong@aaa.com, i input username bbb\guanweirong and password, after a while the error raised.)
1. the problematic client tries to connect to Exchange server externally via Outlook Anywhere
2. run the "Test Email Autoconfiguration" from the problematic client when Outlook is connecting
how to export the results in log tab?
any response will be appreciated. sorry for my poor english.
gwl7810
November 13th, 2011 11:31pm
Hi,
Thanks for your update and clarification. Your English is fine, I can understand it.
The external Outlook clients might fail to log on to the server when we try to configure the Outlook profile automatically. This might be caused by various factors.
I would suggest you verify the certificate name first, and make sure the domain listed in the Issue To field equals your email RPC proxy external URL.
Meanwhile, run the test below to collect more information:
1. Please run the online test tool at https://www.testexchangeconnectivity.com/, select “Outlook Anywhere (RPC over HTTP)” and post the test result. It will help us verify if Outlook Anywhere is set up correctly.
2. Verify the IIS log and the application log on the RPC proxy server (your internet facing CAS server), copy and paste the errors occurring when the logon failed.
Thanks.
Best Regards Fiona Liao E: v-fiolia@microsoft.com
November 14th, 2011 2:03am
thanks in advance
I deployed it with private ca. Can i test it at https://www.testexchangeconnectivity.com/?
I can't pass the check.
I generated the certificate request and imported it with the following commands:
New-ExchangeCertificate -GenerateRequest -Path d:\cert_request.csr -SubjectName "c=CN, o=zqsbs, ou=IT, cn=owa.aaa.com" -DomainName: autodiscover.aaa.com,zqsbmail.aaa.com,zqsbmail.bbb.com,zqsbmail,owa.aaa.com -KeySize 1024 -PrivateKeyExportable: $true
:autodiscover.aaa.com for autodiscover service,zqsbmail.bbb.com\zqsbmail\zqsbmail.aaa.com for mail server;
owa.aaa.com for all external url;(bbb.com is AD domain and aaa.com is mail domain)
Import-ExchangeCertificate -Path C:\setup\certnew.p7b
Get-ExchangeCertificate
Enable-ExchangeCertificate -Thumbprint 9E6B4C8BDAE835F6283DC548B81FCC55B3DADA8E -services IIS, POP, IMAP, SMTP
I will review the iis log and application logs;
sorry for my poor english.
any response will be appreciated.
gwl7810
November 14th, 2011 2:41am
There should be an option to "ignore certificates" when doing the tests on https://www.testexchangeconnectivity.com/
Check that box and try again
Post the result in here
Jonas Andersson | Microsoft Community Contributor Award 2011 | MCITP: EMA 2007/2010 | Blog: http://www.testlabs.se/blog | Follow me on twitter: jonand82
November 14th, 2011 10:36am
thanks for your prompt response. i did the outlook connectivity tests (outlook autodiscover) at https://www.testexchangeconnectivity.com/, there is an option to "ignore ssl", the test indicates that Connectivity Test Successful. following are the complete results, i superseded some sensitive info.
ExRCA is attempting to test Autodiscover for
guanweirong@aaa.com.
Autodiscover was tested successfully.
Test Steps
Attempting each method of contacting the Autodiscover service.
The Autodiscover service was tested successfully.
Test Steps
Attempting to test potential Autodiscover URL
https://aaa.com/AutoDiscover/AutoDiscover.xml
Testing of this potential Autodiscover URL failed.
Test Steps
Attempting to test potential Autodiscover URL
https://autodiscover.aaa.com/AutoDiscover/AutoDiscover.xml
Testing of the Autodiscover URL was successful.
Test Steps
Attempting to resolve the host name autodiscover.aaa.com in DNS.
The host name resolved successfully.
Additional Details
IP addresses returned: 210.2.28.6
Testing TCP port 443 on host autodiscover.aaa.com to ensure it's listening and open.
The port was opened successfully.
Testing the SSL certificate to make sure it's valid.
The certificate passed all validation requirements.
Test Steps
ExRCA is attempting to obtain the SSL certificate from remote server autodiscover.aaa.com on port 443.
ExRCA successfully obtained the remote SSL certificate.
Additional Details
Validating the certificate name.
The certificate name was validated successfully.
Additional Details
Testing the certificate date to confirm the certificate is valid.
Date validation passed. The certificate hasn't expired.
Additional Details
Checking the IIS configuration for client certificate authentication.
Client certificate authentication wasn't detected.
Additional Details
Accept/Require Client Certificates isn't configured.
Attempting to send an Autodiscover POST request to potential Autodiscover URLs.
ExRCA successfully retrieved Autodiscover settings by sending an Autodiscover POST.
Test Steps
ExRCA is attempting to retrieve an XML Autodiscover response from URL
https://autodiscover.aaa.com/AutoDiscover/AutoDiscover.xml for user
guanweirong@aaa.com.
The Autodiscover XML response was successfully retrieved.
Additional Details
Autodiscover Account Settings
XML response:
<?xml version="1.0"?>
<Autodiscover xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
<Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
<User>
<DisplayName>guanweirong</DisplayName>
<LegacyDN>/o=zqsbs/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=guanweirong</LegacyDN>
<DeploymentId>b6a3773b-84d1-430d-a48a-6649f512683c</DeploymentId>
</User>
<Account>
<AccountType>email</AccountType>
<Action>settings</Action>
<Protocol>
<Type>EXCH</Type>
<Server>zqsbmail.bbb.com</Server>
<ServerDN>/o=zqsbs/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=ZQSBMAIL</ServerDN>
<ServerVersion>720180F0</ServerVersion>
<MdbDN>/o=zqsbs/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=ZQSBMAIL/cn=Microsoft Private MDB</MdbDN>
<ASUrl>https://owa.aaa.com/EWS/Exchange.asmx</ASUrl>
<OOFUrl>https://owa.aaa.com/EWS/Exchange.asmx</OOFUrl>
<OABUrl>http://zqsbmail.bbb.com/OAB/2e4d1a4f-4f3a-485c-8875-d719362b15ff/</OABUrl>
<UMUrl>https://zqsbmail.bbb.com/UnifiedMessaging/Service.asmx</UMUrl>
<Port>0</Port>
<DirectoryPort>0</DirectoryPort>
<ReferralPort>0</ReferralPort>
<PublicFolderServer>zqsbmail.bbb.com</PublicFolderServer>
<AD>zqsbmail.bbb.com</AD>
<EwsUrl>https://owa.aaa.com/EWS/Exchange.asmx</EwsUrl>
</Protocol>
<Protocol>
<Type>EXPR</Type>
<Server>zqsbmail</Server>
<ASUrl>https://owa.aaa.com/EWS/Exchange.asmx</ASUrl>
<OOFUrl>https://owa.aaa.com/EWS/Exchange.asmx</OOFUrl>
<OABUrl>https://owa.aaa.com/OAB/2e4d1a4f-4f3a-485c-8875-d719362b15ff/</OABUrl>
<Port>0</Port>
<DirectoryPort>0</DirectoryPort>
<ReferralPort>0</ReferralPort>
<EwsUrl>https://owa.aaa.com/EWS/Exchange.asmx</EwsUrl>
</Protocol>
<Protocol>
<Type>WEB</Type>
<Port>0</Port>
<DirectoryPort>0</DirectoryPort>
<ReferralPort>0</ReferralPort>
<External>
<OWAUrl AuthenticationMethod="Fba">http://owa.aaa.com/owa</OWAUrl>
<Protocol>
<Type>EXPR</Type>
<ASUrl>https://owa.aaa.com/EWS/Exchange.asmx</ASUrl>
</Protocol>
</External>
<Internal>
<OWAUrl AuthenticationMethod="Ntlm, WindowsIntegrated">http://zqsbmail.bbb.com/owa</OWAUrl>
<Protocol>
<Type>EXCH</Type>
<ASUrl>https://owa.aaa.com/EWS/Exchange.asmx</ASUrl>
</Protocol>
</Internal>
</Protocol>
</Account>
</Response>
</Autodiscover>
gwl7810
November 14th, 2011 8:50pm
Thanks for your update.
The certificate request appears fine, but an enterprise certificate might not work in Outlook Anywhere. Besides, the report appears to be the Autodiscover test, not the Outlook Anywhere test. Anyway, we recommend that you obtain a certificate from a Windows PKI or a trusted commercial third party if you will be using Outlook Anywhere.
If it is not convenient, make sure the existing enterprise certificate is installed and trusted by your external client computer.
Best Regards Fiona Liao E: v-fiolia@microsoft.com
November 14th, 2011 9:25pm
I have installed the ca certificate which is based on windows pki. when i explore https://autodiscover.aaa.com/autodiscover/, it indicates the certificate is ok;
thanks for your prompt response
gwl7810
November 14th, 2011 9:54pm
So the issue is resolved? Then you can mark the answer for the post which you feel helpful.
Thanks.
Best Regards Fiona Liao E: v-fiolia@microsoft.com
November 15th, 2011 1:40am
I mean that the installation of the ca certificate had been done before i asked for help.
thanks for your prompt response
gwl7810
November 15th, 2011 1:53am
It's weird, a window will pop up at phase three of the creation of a profile (logon to server), the value of microsoft exchange server text is zqsbmail.bbb.com, i change it to zqsbmail then everything is ok.
I reviewed the settings of the email account and found the setting of proxy server as following:
connecting to my proxy server using the following url:
https://zqsbmail (i think it would be owa.aaa.com),
the value of next input text is msstd:zqsbmail.
sorry for my poor english, thanks for your prompt response.
gwl7810
November 15th, 2011 2:10am
Are you using the same New-ExchangeCertificate cmdlet to request the CA certificate? I tested your cmdlet in my local lab and the “Issue to” value shows owa.aaa.com instead of zqsbmail.
So could you run the cmdlets below and get information for me?
Get-OutlookAnywhere "servername\Rpc (Default Web Site)" | FL > c:\OA.txt
Get-clientaccessserver | fl >c:\cas.txt
Get-ExchangeCertificate |fl >c:\certlog.txt
Test-OutlookWebServices | fl >c:\test.txt
Get-OutlookProvider |FL certprincipalname
Thanks.
Best Regards Fiona Liao E: v-fiolia@microsoft.com
November 15th, 2011 2:41am
Thank you very much.
Can i mail it to v-fiolia@microsoft.com?
thanks
gwl7810
November 15th, 2011 3:01am
Sure. if you don't mind I will remove the real domain name and post our discussion/analysis in this thread.
Best Regards Fiona Liao E: v-fiolia@microsoft.com
November 15th, 2011 3:08am
yes, it is the same as above. the “Issue to” value shows owa.aaa.com instead of zqsbmail
thanks
gwl7810
November 15th, 2011 3:19am
By default, the Certificate principal name is null and the value next to "connecting to my proxy server using xxx" in the Outlook profile represents the "Issue To" value of the certificate. Now it shows zqsbmail so I am suspecting the CAS server configuration might be incorrect.
Best Regards Fiona Liao E: v-fiolia@microsoft.com
November 15th, 2011 3:23am
Hi Gwl7810,
Thanks for updating the data. The Exchange related configuration appears to be fine except the Outlook provider. The server attribute is set and might cause the Autodiscover service to provide incorrect configuration information to Outlook clients.
Refer to:
http://technet.microsoft.com/en-us/library/cc411324(EXCHG.80).aspx
Based on the current situation, please run the cmdlets below, remove the existing Outlook profile and try again:
Set-OutlookProvider EXPR -Server $null
Set-OutlookProvider EXCH -Server $null
Hope it is helpful.
Best Regards Fiona Liao E: v-fiolia@microsoft.com
November 16th, 2011 2:14am
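Added example (not part of the thread and not Microsoft's code): a check of the EXPR block of a saved Autodiscover response against the certificate names, which surfaces the mismatch diagnosed above (EXPR Server `zqsbmail` while the URLs and the certificate's "Issued To" name are `owa.aaa.com`). The function name `audit_expr` and the finding codes are hypothetical; the sample XML is constructed from the response posted in this thread.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"o": "http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a"}

# Constructed sample: EXPR block trimmed from the response posted in this thread.
SAMPLE = """<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
<Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
<Account><Protocol>
<Type>EXPR</Type>
<Server>zqsbmail</Server>
<EwsUrl>https://owa.aaa.com/EWS/Exchange.asmx</EwsUrl>
<OABUrl>https://owa.aaa.com/OAB/2e4d1a4f-4f3a-485c-8875-d719362b15ff/</OABUrl>
</Protocol></Account>
</Response></Autodiscover>"""

# Names from the certificate request in this thread (subject CN and -DomainName list).
CERT_CN = "owa.aaa.com"
CERT_SANS = ["autodiscover.aaa.com", "zqsbmail.aaa.com", "zqsbmail.bbb.com",
             "zqsbmail", "owa.aaa.com"]

def audit_expr(xml_text, cert_cn, cert_sans):
    """Return (code, detail) findings for the EXPR (Outlook Anywhere) block."""
    names = {n.lower() for n in [cert_cn, *cert_sans]}
    findings = []
    # Only Protocol elements directly under Account; skips those nested in WEB.
    for proto in ET.fromstring(xml_text).iterfind(".//o:Account/o:Protocol", NS):
        if proto.findtext("o:Type", "", NS).strip() != "EXPR":
            continue
        server = proto.findtext("o:Server", "", NS).strip().lower()
        urls = [urlparse(el.text.strip()) for el in proto
                if el.tag.endswith("Url") and el.text]
        hosts = {u.hostname for u in urls if u.hostname}
        if "." not in server:
            findings.append(("single-label-server", server))
        if server != cert_cn.lower():
            # The thread shows msstd:zqsbmail next to this Server value,
            # while the certificate is issued to owa.aaa.com.
            findings.append(("server-not-cert-subject", f"{server} != {cert_cn}"))
        if hosts and server not in hosts:
            findings.append(("server-not-url-host", f"{server} vs {sorted(hosts)}"))
        for u in urls:
            if u.scheme != "https":
                findings.append(("plain-http-url", u.geturl()))
            elif u.hostname not in names:
                findings.append(("url-host-not-in-cert", u.hostname))
    return findings

if __name__ == "__main__":
    for code, detail in audit_expr(SAMPLE, CERT_CN, CERT_SANS):
        print(f"{code}: {detail}")
```

An empty result after the `Set-OutlookProvider` change and a fresh Autodiscover query means the EXPR Server, the service URLs and the certificate names agree.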
Sure. if you don't mind I will remove the real domain name and post our discussion/analysis in this thread.
Best Regards Fiona Liao E: v-fiolia@microsoft.com
I don't mind, you are welcome
gwl7810
November 16th, 2011 2:18am