Re: SBS 2008, Exchange 2007 & Outlook 2007...

 
 
Cliff Galiher - MVP
      06-23-2010
Okay, once again getting everyone up to speed. The SRV record has been
created and I got an updated Autodiscover log, info filtered and two
important "errors" posted below:
------------------------
Certificate trust is being validated.
The test passed with some warnings encountered. Please expand the
additional details.
Additional Details
Only able to build certificate chain when using the Root Certificate Update
functionality from Windows Update. Your server may not be properly
configured to send down the required intermediate certificates to complete
the chain. Consult the certificate installation instructions or FAQ's from
your Certificate Authority for more information.
--------------------------------
For issue #1, I viewed the certificate and it is issued by GoDaddy.
GoDaddy uses "intermediate" certificates that must also be installed to
resolve this warning. Here is a blog post outlining the process. Perform
this process to resolve the warning.
http://sbs.seandaniel.com/2009/02/in...ndard-ssl.html

--------------------------------
ExRCA is attempting to send an Autodiscover POST request to potential
Autodiscover URLs.
Autodiscover settings weren't obtained when the Autodiscover POST request
was sent.
Test Steps
Attempting to Retrieve XML AutoDiscover Response from url
https://xxxxxxxxxxxxxxxxxxxxxx/Autod...todiscover.xml for user

Failed to obtain AutoDiscover XML response.
Additional Details
A Web Exception occurred because an HTTP 401 - Unauthorized response was
received from Unknown
-----------------------------------
Issue #2:
The URL is not returning any autodiscover info with a 401 error. This is
usually an authentication error, so what I'd recommend doing is opening IIS
via the snap-in located in Administrative tools.
Expand the sites and find the site called "SBS Web Apps"
Locate the "autodiscover" virtual directory and select it.
Click on "authentication" in the center pane under the IIS group.
There should be TWO authentication methods enabled.
Basic authentication is used for external clients. Since they operate over
SSL, the channel is still secure so the weakness of basic authentication is
mitigated and this is safe.
Windows Authentication is used by internal clients.
All other authentication methods should be DISABLED.

That should hopefully resolve the remaining issues.

--
Cliff Galiher
Microsoft has opened the Small Business Server forum on Technet! Check it
out!
http://social.technet.microsoft.com/...server/threads
Addicted to newsgroups? Read about the NNTP Bridge for MS Forums.

 
Rich Matheisen [MVP]
      06-23-2010
On Wed, 23 Jun 2010 00:20:02 -0600, "Cliff Galiher - MVP"
<> wrote:

>Okay, once again getting everyone up to speed. The SRV record has been
>created and I got an updated Autodiscover log, info filtered and two
>important "errors" posted below:
>------------------------


Just trying to browse to his server gives me errors that the
certificate's revoked.

Maybe he has the cert installed on the CAS but not on ISA/TMG?
---
Rich Matheisen
MCSE+I, Exchange MVP
 
Rich Matheisen [MVP]
      06-24-2010
On Wed, 23 Jun 2010 17:25:11 -0400, "Rich Matheisen [MVP]"
<> wrote:

>On Wed, 23 Jun 2010 00:20:02 -0600, "Cliff Galiher - MVP"
><> wrote:
>
>>Okay, once again getting everyone up to speed. The SRV record has been
>>created and I got an updated Autodiscover log, info filtered and two
>>important "errors" posted below:
>>------------------------

>
>Just trying to browse to his server gives me errors that the
>certificate's revoked.


Which is no longer the case.

>Maybe he has the cert installed on the CAS but not on ISA/TMG?


Not sure what's changed, but it seems there's an awful lot of
confusion about what names are on the certificate!
---
Rich Matheisen
MCSE+I, Exchange MVP
 
Cliff Galiher - MVP
      06-24-2010
Could be a couple of things. So now we are back on track with the
certificate (I think, I haven't checked.)

So let's make sure Outlook Anywhere works. www.testexchangeconnectivity.com

As far as the repeated credentials, have you patched up Exchange on your SBS
server? Repeated credentials could be a symptom of a conflict between an
Outlook security update without the matching Exchange security update. Have
*at least* Exchange SP1 UR9 installed on the SBS server. SP2 is preferable.
As always, have a backup.


--
Cliff Galiher
Microsoft has opened the Small Business Server forum on Technet! Check it
out!
http://social.technet.microsoft.com/...server/threads
Addicted to newsgroups? Read about the NNTP Bridge for MS Forums.

 
Rich Matheisen [MVP]
      06-25-2010
On Thu, 24 Jun 2010 06:59:48 -0700 (PDT), Mikey <>
wrote:

[ snip ]

>SSL mutual authentication with the RPC proxy server is being tested.
> Verification of mutual authentication failed.
> Tell me more about this issue and how to resolve it
> Additional Details
> The certificate common name remote.domain.com, doesn't validate
>against Mutual Authentication string provided
>msstd:exchange.domain.com
>
>Is this basically saying that it's not finding the name
>msstd:exchange.domain.com on my certificate?


No, it's not finding "exchange.domain.com" as the certificate's CN. As
I've said before, Outlook wants you to use the CN of the certificate
in the Exchange Proxy Settings. You need to put
"msstd:remote.domain.com" into the 2nd edit box (and remote.domain.com
into the 1st edit box).

>If that's the case, do I
>need to add that name, or is this an indicator of a mismatched
>authentication setting? On the 'tell me how to fix it' link, it talks
>about a resolution that changes the name on the cert, but I'm assuming
>it changes it on the self generated one, right? So I'm thinking that
>probably won't help me. Or, do I need to do that, request a new
>certificate, rinse lather & repeat?


Just change the server name in Outlook's "Exchange Proxy Settings"
dialog box.
---
Rich Matheisen
MCSE+I, Exchange MVP
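
The name check behind this error, as an added example that is not part of the original post: it compares the "msstd:" string and the proxy host name with a certificate given in the dict layout of Python's ssl.SSLSocket.getpeercert(). The sample certificate and the function names are constructed for illustration.

```python
# Added example: check Outlook's Exchange Proxy Settings against the
# names on the server certificate.

# Constructed sample in the layout returned by ssl.SSLSocket.getpeercert();
# the host names mirror the placeholders used in the thread.
SAMPLE_CERT = {
    "subject": ((("organizationalUnitName", "Example OU"),),
                (("commonName", "remote.domain.com"),)),
    "subjectAltName": (("DNS", "remote.domain.com"),
                       ("DNS", "autodiscover.domain.com")),
}


def subject_cn(cert):
    """Return the last commonName in the subject, or None if there is none."""
    cn = None
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                cn = value
    return cn


def check_proxy_settings(cert, proxy_host, msstd):
    """Return a list of problems; an empty list means the settings fit."""
    cn = subject_cn(cert)
    if cn is None:
        return ["certificate has no subject CN to match against"]
    problems = []
    prefix, sep, principal = msstd.partition(":")
    if sep != ":" or prefix.lower() != "msstd":
        problems.append("principal name must start with 'msstd:'")
        principal = msstd
    # The principal name is compared with the CN, not with the SAN list.
    if principal.strip().lower() != cn.lower():
        problems.append("msstd name %r does not match certificate CN %r; "
                        "use 'msstd:%s'" % (principal, cn, cn))
    san = [v.lower() for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if proxy_host.lower() != cn.lower() and proxy_host.lower() not in san:
        problems.append("proxy host %r is not a name on the certificate"
                        % proxy_host)
    return problems
```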
 
Cliff Galiher - MVP
      06-25-2010
Actually, what I said is that the connectivity test will test *every*
possible way that Outlook can "autodiscover" its settings. Since half of
those options won't actually be enabled, failures are to be expected.

The second half of that was that you need to know which option you expect to
work and concentrate on those failures. Looking at error codes for methods
we expect to fail will be a waste of effort.

So, if you are stuck, post the complete log (edit out sensitive parts if
need be) so we can see and decipher what is an "expected" error and what
isn't.


--
Cliff Galiher
Microsoft has opened the Small Business Server forum on Technet! Check it
out!
http://social.technet.microsoft.com/...server/threads
Addicted to newsgroups? Read about the NNTP Bridge for MS Forums.

 
Rich Matheisen [MVP]
      06-25-2010
On Thu, 24 Jun 2010 07:15:35 -0700 (PDT), Mikey <>
wrote:

>On Jun 24, 8:59 am, Mikey <texan...@hotmail.com> wrote:
>> On Jun 24, 1:38 am, "Cliff Galiher - MVP" <cgali...@gmail.com> wrote:
>>
>> > Could be a couple of things. So now we are back on track with the
>> > certificate (I think, I haven't checked.)
>>
>> > So let's make sure Outlook Anywhere works. www.testexchangeconnectivity.com
>>
>> > As far as the repeated credentials, have you patched up Exchange on your SBS
>> > server? Repeated credentials could be a symptom of a conflict between an
>> > Outlook security update without the matching Exchange security update. Have
>> > *at least* Exchange SP1 UR9 installed on the SBS server. SP2 is preferable.
>> > As always, have a backup.
>>
>> > --
>> > Cliff Galiher
>> > Microsoft has opened the Small Business Server forum on Technet! Check it
>> > out! http://social.technet.microsoft.com/...usinessserver/...
>> > Addicted to newsgroups? Read about the NNTP Bridge for MS Forums.
>>
>> I tried the rollup 9 back in the beginning. I didn't want to apply SP2
>> until the weekend, in the event there were any problems.
>> You had said earlier that it didn't matter if some parts of the test
>> fail, find one area, pick that & work it out (or something along those
>> lines!).
>> I tried the test, manually entering the info & the message that I got
>> regarding the failure was:
>>
>> SSL mutual authentication with the RPC proxy server is being tested.
>>   Verification of mutual authentication failed.
>>    Tell me more about this issue and how to resolve it
>>    Additional Details
>>   The certificate common name remote.domain.com, doesn't validate
>> against Mutual Authentication string provided
>> msstd:exchange.domain.com
>>
>> Is this basically saying that it's not finding the name
>> msstd:exchange.domain.com on my certificate? If that's the case, do I
>> need to add that name, or is this an indicator of a mismatched
>> authentication setting? On the 'tell me how to fix it' link, it talks
>> about a resolution that changes the name on the cert, but I'm assuming
>> it changes it on the self generated one, right? So I'm thinking that
>> probably won't help me. Or, do I need to do that, request a new
>> certificate, rinse lather & repeat?

>
>I did change the name to msstd:remote.domain.com on the client & it
>worked, but it prompts you for a password every time you open Outlook.
>The 'Always prompt for log on credentials' is NOT checked - is there a
>way to 'fix' this?
>Now, if I apply SP2 this weekend, can it mess up anything we've done
>so far?


Try this:
Get-OutlookAnywhere|fl *authen*

What do you see for authentication methods?

Have a look at "Authentication and Access Controls" on the "Rpc"
virtual directory with IIS Admin.

The authentication settings in both of those should match. What you
DON'T want to do is use the GUI in the EMC to manage the
authentication settings for OA.
---
Rich Matheisen
MCSE+I, Exchange MVP
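
Both authentication checks in this thread (Basic plus Windows Authentication on the "autodiscover" virtual directory, and the "Rpc" settings matching Get-OutlookAnywhere) can be verified from the challenge headers IIS returns to an unauthenticated request. The Python below is an added example, not code from any poster; the sample responses, the host remote.example.com and the function names are constructed.

```python
# Added example: audit which authentication schemes an IIS virtual
# directory advertises in its 401 challenge.

# How each IIS method appears in WWW-Authenticate headers. Windows
# Authentication is advertised as Negotiate and/or NTLM.
KNOWN = {"basic": "Basic", "negotiate": "Windows", "ntlm": "Windows"}

# Constructed samples (hypothetical host): replies to an unauthenticated request.
SAMPLE_OK = ("HTTP/1.1 401 Unauthorized\r\n"
             "WWW-Authenticate: Negotiate\r\n"
             "WWW-Authenticate: NTLM\r\n"
             'WWW-Authenticate: Basic realm="remote.example.com"\r\n\r\n')
SAMPLE_BAD = ("HTTP/1.1 401 Unauthorized\r\n"
              'WWW-Authenticate: Digest realm="remote.example.com"\r\n'
              "WWW-Authenticate: NTLM\r\n\r\n")


def advertised_schemes(raw_response):
    """Return (status code, lower-cased schemes). Assumes one challenge per
    WWW-Authenticate header, which is how IIS sends them."""
    lines = raw_response.split("\r\n")
    status = lines[0].split()[1]
    schemes = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "www-authenticate" and value.strip():
            schemes.append(value.split()[0].lower())
    return status, schemes


def audit(raw_response, client_method=None, over_tls=True):
    """List deviations from 'Basic plus Windows Authentication, nothing else'.
    client_method is ClientAuthenticationMethod from Get-OutlookAnywhere."""
    status, schemes = advertised_schemes(raw_response)
    findings = []
    if status != "401":
        findings.append("expected 401 for an unauthenticated request, got " + status)
    enabled = {KNOWN[s] for s in schemes if s in KNOWN}
    for method in ("Basic", "Windows"):
        if method not in enabled:
            findings.append(method + " authentication is not offered")
    findings += ["unexpected scheme offered: " + s for s in schemes if s not in KNOWN]
    if client_method and client_method.lower() not in schemes:
        findings.append("client uses " + client_method + " but IIS does not offer it")
    if "basic" in schemes and not over_tls:
        findings.append("Basic offered without SSL")
    return findings
```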
 
Rich Matheisen [MVP]
      06-25-2010
On Fri, 25 Jun 2010 01:16:23 -0700 (PDT), Mikey <>
wrote:

[ snip ]


>ClientAuthenticationMethod : Basic
>IISAuthenticationMethods : {Basic, Ntlm}
>
>Authentication settings in IIS were right.
>I just changed Outlook settings to remote.mydomain.com & we are in
>business baby!!!
>You guys ROCK!
>If you're ever (or are currently) in the Houston area, shots of
>Patrone are on me!


Given the domain name I'da thunk you wuz in Oklahoma!
---
Rich Matheisen
MCSE+I, Exchange MVP
 