2003 to 2010 coexist: post CAS problems with smart phones
Ok, yesterday I posted that I was having problems with OWA, and then figured out the answer myself. OWA is working now, 100% from what I can tell. I can log on from internal and from external using https://mail.contoso.com/exchange

But my smart phone (I am sure we have lots, but I personally have an iPhone 3GS) is failing its connection. I ran the Outlook Remote Connectivity Analyzer and it's failing the autodiscover. It successfully finds the external IP address for autodiscover.contoso.com (that of the 2010), it says success on port 443 on host autodiscover.contoso.com, it is successful finding the SSL cert, but then it fails saying: "Host name autodiscover.contoso.com doesn't match any name found on the server certificate CN=mail.contoso.com, OU=IT, O=company, L=Place, S=Texas, C=US."

But, obviously, I did include the autodiscover.contoso.com in the cert. So, again, OWA works fine but smart phones and Outlook Anywhere remote connectivity tests fail... Any suggestions would be appreciated.
January 8th, 2012 5:22pm

Recheck the certificate. Perhaps you made a spelling error. Does autodiscover.contoso.com have the same IP address as mail.contoso.com? If not, be sure that it's being routed to the correct place.

Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
January 8th, 2012 10:01pm

Hi,

Please refer to the KB below and give it a try: http://support.microsoft.com/kb/927465

Hope it helps.

Rowen, TechNet Community Support
January 9th, 2012 12:24am

Ok, I have gotten a little headway but still not there yet. My company name is contoso123 but we made our internal domain name contoso.com cause it was shorter. We receive emails for both domains. In my 2003 environment we had our cert listed as mail.contoso123.com, which I know is not 100% standard since our internal domain was contoso.com, but it all worked just fine anyway. I guess 2010 just doesn't like that setup. So, today I just finished setting up my cert as: mail.contoso123.com with SANs:

mail.contoso.com
autodiscover.contoso123.com
autodiscover.contoso.com
legacy.contoso123.com
legacy.contoso.com
contoso123.com
contoso.com

And re-ran the connectivity test and it got farther than before but still an error at the end. Here are the results:

Attempting to test potential Autodiscover URL https://autodiscover.contoso123.com/AutoDiscover/AutoDiscover.xml
Testing of this potential Autodiscover URL failed.
Test Steps
Attempting to resolve the host name autodiscover.contoso123.com in DNS.
The host name resolved successfully.
Additional Details
Testing TCP port 443 on host autodiscover.contoso123.com to ensure it's listening and open.
The port was opened successfully.
Testing the SSL certificate to make sure it's valid.
The certificate passed all validation requirements.
Test Steps
ExRCA is attempting to obtain the SSL certificate from remote server autodiscover.contoso123.com on port 443.
ExRCA successfully obtained the remote SSL certificate.
Additional Details
Validating the certificate name.
The certificate name was validated successfully.
Additional Details
Host name autodiscover.contoso123.com was found in the Certificate Subject Alternative Name entry.
Certificate trust is being validated.
The certificate is trusted and all certificates are present in the chain.
Test Steps
ExRCA is attempting to build certificate chains for certificate CN=mail.contoso123.com, OU=OU, O=company, L=Place, S=Texas, C=US.
One or more certificate chains were constructed successfully.
Additional Details
Analyzing the certificate chains for compatibility problems with versions of Windows.
Potential compatibility problems were identified with some versions of Windows.
Additional Details
ExRCA can only validate the certificate chain using the Root Certificate Update functionality from Windows Update. Your certificate may not be trusted on Windows if the "Update Root Certificates" feature isn't enabled.
Testing the certificate date to confirm the certificate is valid.
Date validation passed. The certificate hasn't expired.
Additional Details
The certificate is valid. NotBefore = 1/9/2012 5:40:36 PM, NotAfter = 1/3/2013 8:10:43 AM
Checking the IIS configuration for client certificate authentication.
Client certificate authentication wasn't detected.
Additional Details
Accept/Require Client Certificates isn't configured.
Attempting to send an Autodiscover POST request to potential Autodiscover URLs.
Autodiscover settings weren't obtained when the Autodiscover POST request was sent.
Test Steps
ExRCA is attempting to retrieve an XML Autodiscover response from URL https://autodiscover.contoso123.com/AutoDiscover/AutoDiscover.xml for user user@contoso123.com.
ExRCA failed to obtain an Autodiscover XML response.
Additional Details
An error message was returned from the Autodiscover service XML response:

<?xml version="1.0"?>
<Autodiscover xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
  <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
    <Error Time="12:48:56.4114262" Id="722390025">
      <ErrorCode>503</ErrorCode>
      <Message>Client mailboxes must be on Exchange Server 2010 or later.</Message>
      <DebugData />
    </Error>
  </Response>
</Autodiscover>
January 9th, 2012 2:14pm

Autodiscover doesn't work for mailboxes on Exchange 2003.

Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
January 9th, 2012 4:05pm

But I thought that was the whole point of Outlook Anywhere, and the coexist thing was to allow users that still have their mailboxes on 2003 to be reachable using phones, Outlook Anywhere, etc., that it would find the users' mailboxes even on 2003 and redirect the user? Guess I am getting myself confused as to which service does what or something.

Either way, I know that the Outlook deployment assistant told me to install the CAS in like step 3, and then in step 4, before I have installed any other server role, said check with the ExRCA Outlook connectivity test, and it is failing. So, I am trying to figure out what I need to do to fix that. Can you help me? Like I said in the OP, OWA over the internet is working ok, but my phone is not connecting. Any help is appreciated.
January 9th, 2012 4:23pm

No, the coexist thing is that Autodiscover will continue to work since Exchange 2010 proxies ActiveSync for Exchange 2003, Outlook Anywhere proxy will continue to work, and OWA will redirect to the old Exchange 2003 screen. Since Autodiscover was never in existence for Exchange 2003, it's not being added with Exchange 2010. If you want Autodiscover to work, move their mailboxes to Exchange 2010.

Autodiscover only allows Outlook and mobile device clients to automatically connect to services. If mailboxes are on Exchange 2003, you'll have to manually supply all the information required for connectivity like you've always done.

ExRCA was developed originally for Exchange 2007. It's not terribly useful for testing Exchange 2003 mailbox connectivity.

Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
January 9th, 2012 4:57pm

Have you enabled Integrated Windows Authentication on the Microsoft-Server-ActiveSync virtual directory in Exchange 2003 using ESM? (You need to.) Download and install this hotfix first: http://support.microsoft.com/?kbid=937031

If that hasn't been enabled you will see warnings in the application log on Exchange 2010.

Btw, you should have added mail.contoso123.com as a SAN name too (first one in the list if you have XP clients).

Martina Miskovic - http://www.nic2012.com/
January 9th, 2012 5:17pm
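
The SAN advice in the reply above, worked through as an added example (not part of the original thread): it checks the SAN list posted earlier against the hostnames the clients in this thread use. It assumes a client that follows RFC 6125 and ignores the subject CN once the certificate carries SAN entries; the function names and `CLIENT_HOSTS` are hypothetical.

```python
# Added example. Inputs are constructed from the names quoted in the thread.

def name_matches(pattern: str, hostname: str) -> bool:
    """Compare one certificate name with a hostname.

    Case-insensitive. A wildcard is honoured only as the whole leftmost
    label and never spans more than one label (RFC 6125 rules).
    """
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Reject over-broad patterns such as "*.com".
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def uncovered_hosts(hostnames, subject_cn, sans):
    """Return the hostnames that no name on the certificate covers.

    Assumption: the subject CN is consulted only when the certificate
    has no SAN entries at all (RFC 6125 client behaviour).
    """
    names = list(sans) if sans else [subject_cn]
    return [h for h in hostnames
            if not any(name_matches(n, h) for n in names)]


# Hostnames the clients in the thread connect to (taken from the posts).
CLIENT_HOSTS = [
    "mail.contoso123.com",
    "autodiscover.contoso123.com",
    "autodiscover.contoso.com",
    "legacy.contoso123.com",
]

# SAN list exactly as written in the second certificate request.
THREAD_SANS = [
    "mail.contoso.com", "autodiscover.contoso123.com",
    "autodiscover.contoso.com", "legacy.contoso123.com",
    "legacy.contoso.com", "contoso123.com", "contoso.com",
]

if __name__ == "__main__":
    # SAN list as posted: the CN-only name is reported as uncovered.
    print(uncovered_hosts(CLIENT_HOSTS, "mail.contoso123.com", THREAD_SANS))
    # With the CN repeated as a SAN, every client hostname is covered.
    print(uncovered_hosts(CLIENT_HOSTS, "mail.contoso123.com",
                          THREAD_SANS + ["mail.contoso123.com"]))
```

Clients that still fall back to the CN would accept mail.contoso123.com on the certificate as posted, which is why a gap like this can pass one test tool and fail on another client.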

I hugely appreciate your patience with me on this matter. I enabled Integrated Authentication in IIS6. When I tried enabling it in ESM, I found it to be grayed out. Does that hotfix take away the gray? I was hesitant to install the hotfix since it came with so many warnings and since I didn't have any of those warnings in my 2010 logs that it was talking about. I have been bitten in the past when installing "specific" hotfixes that were similar but not exact fits for my situation.

So, I tried connecting with my phone again (my iPhone is set to connect to https://mail.contoso123.com) but again it just "fails to connect". But, again, no 1036 warnings or errors in the 2010 logs. So, again, did not install the hotfix yet. Do you still think I should install the hotfix even though I don't get any 1036 errors on the server? Does the hotfix ungray the ESM MSAS so that I can activate the Integrated Authentication in there?
January 9th, 2012 5:37pm

You have to install the hotfix Martina references to take away the gray. That is probably your problem. It's very well documented in Microsoft's upgrade procedures.

Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
January 9th, 2012 5:47pm

Ok, ran the hotfix. And yes, it ungrays it and allowed me to make the change. Thanks. So, I pick up my phone, I go to the Settings, mail settings, Exchange account settings. I basically put in my info, and it passes everything with checkmarks... so I smile. Then I close settings, open up the mailbox on my phone and click the little connect button, and it again gives me an error saying "failed to connect". My account is not locked or disabled... Any ideas why my phone would pass the verification but fail the connection?
January 9th, 2012 6:16pm

Is your account a member of any of the built-in groups, like domain admin, account operator etc.? If so, then you will need to enable inheritance on your account in ADUC before you will be able to create a partnership.

Martina Miskovic - http://www.nic2012.com/
January 9th, 2012 6:25pm

You'll have to manually enter the server name (legacy.company123.com or whatever?) and all the settings in your phone to connect.

Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
January 9th, 2012 6:27pm

I have tried the legacy.contoso123.com on my phone to the same results (verifies in settings but does not connect).

Martina, yes my account is part of the domain Admins group. Where is the inheritance that you are talking about? I have opened up my account in ADUC and can't find anywhere for my account. I also tried creating a new profile on my phone for a regular user account that is not a domain admin to the same result (verified in settings but does not connect), so not sure if that is the issue or not.
January 10th, 2012 2:29pm

"Martina, yes my account is part of the domain Admins group. Where is the inheritance that you are talking about? I have opened up my account in ADUC and can't find anywhere for my account."

You need to turn on "Advanced Features" in ADUC (View in the Toolbar) in order to see the security tab in ADUC.

Martina Miskovic - http://www.nic2012.com/
January 10th, 2012 2:33pm

Ok, so the latest update. Yesterday, I decided that I had spent enough time trying to get this part to work, so I just moved on. I got the Hub Transport and Mailbox server roles installed yesterday. I moved over a couple of test user mailbox accounts to the 2010. And now I can use smart phones to connect to those test user accounts. But I still cannot use phones to connect to the 2003-based mailboxes. So, I am just going to have to tell my people to be patient since they are all going to get moved soon anyway. Those that are on the 2003 will just have to access their stuff via OWA for a small time instead.

Obviously, I must have done something wrong when implementing the RPC over HTTP on the 2003 box. But, not worth worrying about anymore. Thank you for your time and efforts to help me on this problem. I have clicked your green up buttons for your posts that were helpful, but I guess I can't really mark this question as answered.
January 12th, 2012 11:42am

This topic is archived. No further replies will be accepted.