After migration to Exchange Server 2013, curent outlook clients works well.

But when I install on new computer new Outlook and when I successfully create profile then I cant open this new outlook.

I receve this message:

"The set of folders cannot be opened. Server Microsoft Exchange is not available."

I receive this error message only on new computers with new instalation Office 2013

What is new?

I have add to this outlook some pop3 email in order to open it in another way (trik) and perform "test E-mail autoconfiguration". The resuls was absolutely same like on working client with outlook 2010. With no problm.

******

I have received only security warning. "Certificate name is not valid...."  for autodiscover.domainname.cz  But this message I receive even when I install Outlook 2010, but it works.

I am not profesional - if problm has connection with certificate - please write me step by step how to correct it.

certificate is created on my server. After client 2010 is istalled - mesage with this certifikace popup, I give View certifikate and install. And client works.  But I do not know if it has some connection with my problem with outlook.

(I have translated it from czech language.)

• Edited by fany7 Tuesday, October 29, 2013 8:57 AM

OK for certificate warning because your SAN name in certificate is not match the exchange's URL.

For the first thing I BEG YOU READ THIS ARTICLE first. http://blogs.technet.com/b/exchange/archive/2013/05/23/ambiguous-urls-and-their-effect-on-exchange-2010-to-exchange-2013-migrations.aspx

If about things that you have to prepare.

After that please follow this step.

1. Set autodiscoverinternaluri for both exchange 2010 and exchange 2013 follow this command (now all flow point to Exchange 2013 right?)

Set-clientaccessserver -identity exservername -autodiscoverinternaluri https://autodiscover.domain.com/autodiscover/autodiscover.xml

Run this command for both Exchanges. This command will tell client "where they can get the Exchange's URL"

for more information about autodiscover read this http://technet.microsoft.com/en-us/library/bb124251(v=exchg.141).aspx

2. After that we will start to set virtual directory name to match with SAN name in certificate.
2.1 Exchange2013 and Exchange2010 , run this command

set-owavirtualdirectory -identity "exchangeservername\OWA (default web site)" -internalurl https://mail.domain.com/owa -externalurl https://mail.domain.com/owa

set-ecpvirtualdirectory -identity "exchangeservername\ECP (default web site)" -internalurl https://mail.domain.com/ecp -externalurl https://mail.domain.com/ecp

set-oabvirtualdirectory -identity "exchangeservername\oab (default web site)" -internalurl https://mail.domain.com/oab -externalurl https://mail.domain.com/oab

set-webservicevirtualdirectory -identity "exchangeservername\ews (default web site)" -internalurl https://mail.domain.com/ews/exchange.asmx -externalurl https://mail.domain.com/ews/exchange.asmx

set-activesyncvirtualdirectory -identity "exchangeservername\microsoft-active-sync (default web site)" -internalurl https://mail.domain.com/microsoft-active-sync -externalurl https://mail.domain.com/microsoft-active-sync

after that you exchange 2013 will can proxy to exchange 2010 for the users that still on exchange 2010.

3. Enable outlook anywhere for 2013

****please read article about "AMBIGIOS NETWORK" before you following these command.

4. For the last  , you just request certificate that contains at least 2 name
4.1 autodiscover.domain.com

4.2 mail.domain.com

• Edited by Supawat Rungsarityotin Tuesday, October 22, 2013 6:29 PM
• Proposed as answer by Supawat Rungsarityotin Tuesday, October 22, 2013 6:29 PM

OK for certificate warning because your SAN name in certificate is not match the exchange's URL.

For the first thing I BEG YOU READ THIS ARTICLE first. http://blogs.technet.com/b/exchange/archive/2013/05/23/ambiguous-urls-and-their-effect-on-exchange-2010-to-exchange-2013-migrations.aspx

If about things that you have to prepare.

After that please follow this step.

1. Set autodiscoverinternaluri for both exchange 2010 and exchange 2013 follow this command (now all flow point to Exchange 2013 right?)

Set-clientaccessserver -identity exservername -autodiscoverinternaluri https://autodiscover.domain.com/autodiscover/autodiscover.xml

Run this command for both Exchanges. This command will tell client "where they can get the Exchange's URL"

for more information about autodiscover read this http://technet.microsoft.com/en-us/library/bb124251(v=exchg.141).aspx

2. After that we will start to set virtual directory name to match with SAN name in certificate.
2.1 Exchange2013 and Exchange2010 , run this command

set-owavirtualdirectory -identity "exchangeservername\OWA (default web site)" -internalurl https://mail.domain.com/owa -externalurl https://mail.domain.com/owa

set-ecpvirtualdirectory -identity "exchangeservername\ECP (default web site)" -internalurl https://mail.domain.com/ecp -externalurl https://mail.domain.com/ecp

set-oabvirtualdirectory -identity "exchangeservername\oab (default web site)" -internalurl https://mail.domain.com/oab -externalurl https://mail.domain.com/oab

set-webservicevirtualdirectory -identity "exchangeservername\ews (default web site)" -internalurl https://mail.domain.com/ews/exchange.asmx -externalurl https://mail.domain.com/ews/exchange.asmx

set-activesyncvirtualdirectory -identity "exchangeservername\microsoft-active-sync (default web site)" -internalurl https://mail.domain.com/microsoft-active-sync -externalurl https://mail.domain.com/microsoft-active-sync

after that you exchange 2013 will can proxy to exchange 2010 for the users that still on exchange 2010.

3. Enable outlook anywhere for 2013

****please read article about "AMBIGIOS NETWORK" before you following these command.

4. For the last  , you just request certificate that contains at least 2 name
4.1 autodiscover.domain.com

4.2 mail.domain.com

• Edited by Supawat Rungsarityotin Tuesday, October 22, 2013 6:29 PM
• Proposed as answer by Supawat Rungsarityotin Tuesday, October 22, 2013 6:29 PM
• Marked as answer by Simon_WuMicrosoft contingent staff, Moderator 5 hours 56 minutes ago

[PS] C:\Windows\system32>set-clientaccessserver -identity server3 -autodiscoverinternaluri https://autodiscover.mydomain.cz/autodiscover/autodiscover.xml
A parameter cannot be found that matches parameter name 'autodiscoverinternaluri'.
    + CategoryInfo          : InvalidArgument: (:) [Set-ClientAccessServer], ParameterBindingException
    + FullyQualifiedErrorId : NamedParameterNotFound,Set-ClientAccessServer
    + PSComputerName        : server3.galanterie.local

[PS] C:\Windows\system32>

[PS] C:\Windows\system32>get-clientaccessserver

Name
----
SERVER3

[PS] C:\Windows\system32>

[PS] C:\Windows\system32>set-owavirtualdirectory -identity "server3\OWA (default web site)" -internalurl https://mail.mydomain.cz/owa -externalurl https://mail.mydomain.cz/owa
WARNING: You've changed the InternalURL or ExternalURL for the OWA virtual directory. Please make the same change for
the ECP virtual directory in the same website.
[PS] C:\Windows\system32>set-ecpvirtualdirectory -identity "server3\ECP (default web site)" -internalurl https://mail.mydomain.cz/ecp -externalurl https://mail.mydomain.cz/ecp
[PS] C:\Windows\system32>set-oabvirtualdirectory -identity "server3\oab (default web site)" -internalurl https://mail.mydomain.cz/oab -externalurl https://mail.mydomain.cz/oab
[PS] C:\Windows\system32>set-webservicevirtualdirectory -identity "server3\ews (default web site)" -internalurl https://mail.mydomain.cz/ews/exchange.asmx -externalurl https://mail.mydomain.cz/ews/exchange.asmx
set-webservicevirtualdirectory : The term 'set-webservicevirtualdirectory' is not recognized as the name of a cmdlet, f
unction, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the p
ath is correct and try again.
At line:1 char:1
+ set-webservicevirtualdirectory -identity "server3\ews (default web site)" -inter ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (set-webservicevirtualdirectory:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

[PS] C:\Windows\system32>set-activesyncvirtualdirectory -identity "server3\microsoft-active-sync (default web site)" -internalurl https://mail.mydomain.cz/microsoft-active-sync -externalurl https://mail.mydomain.cz/microsoft-active-sync
The operation couldn't be performed because object 'server3\microsoft-active-sync (default web site)' couldn't be found
 on 'server3.galanterie.local'.
    + CategoryInfo          : NotSpecified: (:) [Set-ActiveSyncVirtualDirectory], ManagementObjectNotFoundException
    + FullyQualifiedErrorId : [Server=SERVER3,RequestId=f995cfba-2b9d-498d-92b8-85f0191fff22,TimeStamp=23. 10. 2013 7:
   09:34] B9341C8E,Microsoft.Exchange.Management.SystemConfigurationTasks.SetMobileSyncVirtualDirectory
    + PSComputerName        : server3.galanterie.local

[PS] C:\Windows\system32>

Outlook 2013 still doesnt work

https://autodiscover.mydomain.cz/autodiscover/autodiscover.xml

<?xml version="1.0" encoding="UTF-8"?> <style xmlns="http://www.w3.org/1999/xhtml">@namespace html url(http://www.w3.org/1999/xhtml); :root { font:small Verdana; font-weight: bold; padding: 2em; padding- } * { display: block; padding- } html|style { display: none; } html|span, html|a { display: inline; padding: 0; font-weight: normal; text-decoration: none; } html|span.block { display: block; } *[html|hidden], span.block[html|hidden] { display: none; } .expand { display: block; } .expand:before { content: '+'; color: red; } .collapse { display: block; } .collapse:before { content: '-'; color: red; } </style><Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006"><response><Response><error id="2444957606" time="09:20:50.8952183"><Error Id="2444957606" Time="09:20:50.8952183"><errorcode><ErrorCode>600</ErrorCode></errorcode><message><Message>Invalid Request</Message></message><debugdata><DebugData/></debugdata></Error></error></Response></response></Autodiscover>

• Edited by fany7 Wednesday, October 23, 2013 7:30 AM

Hi,

In order to understand more about the issue, Id like to confirm the following questions:

1. Do you configure all problematic outlook 2013 profiles with POP3 account?
When you install Microsoft Exchange Server 2013, POP3 client connectivity isn't enabled. To enable POP3 client connectivity, you need to start two POP3 services:
http://technet.microsoft.com/en-us/library/bb124934(v=exchg.150).aspx
2. Whats your certificate version? Is it self-sighed certificate or internal CA certificate?
If its self-signed certificate or internal CA certificate, we should install both the root and CAS certificate on all the clients trust root CA store.
3. Were your external users work properly even though security warning appeared before migration to Exchange Server 2013?
only external users use Outlook Anywhere  in Exchange 2010 while both internal and external users use OA in Exchange 2013.
Check your Outlook Anywhere configuration by running: Get- OutlookAnywhere
Check your certificate by running: Get-Exchangecertificate

If you have any question, please feel free to let me know.
Thanks,
Angela

 

1 No.  I dont use pop3.  I have installed pop3 on clinet only one time for test purpose in order to open outlook.

2. I dont know. How can I test it?

3. Yes, before migration everythink worked well, with security warning

[PS] C:\Windows\system32>get-OutlookAnywhere

RunspaceId                         : 0e9009ef-e295-4c34-8615-85fac4ae22a8
ServerName                         : SERVER3
SSLOffloading                      : True
ExternalHostname                   :
InternalHostname                   : server3.internaldomain.local
ExternalClientAuthenticationMethod : Negotiate
InternalClientAuthenticationMethod : Ntlm
IISAuthenticationMethods           : {Basic, Ntlm, Negotiate}
XropUrl                            :
ExternalClientsRequireSsl          : False
InternalClientsRequireSsl          : False
MetabasePath                       : IIS://SERVER3.internaldomain.local/W3SVC/1/ROOT/Rpc
Path                               : C:\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\rpc
ExtendedProtectionTokenChecking    : None
ExtendedProtectionFlags            : {}
ExtendedProtectionSPNList          : {}
AdminDisplayVersion                : Version 15.0 (Build 712.22)
Server                             : SERVER3
AdminDisplayName                   :
ExchangeVersion                    : 0.20 (15.0.0.0)
Name                               : Rpc (Default Web Site)
DistinguishedName                  : CN=Rpc (Default Web Site),CN=HTTP,CN=Protocols,CN=SERVER3,CN=Servers,CN=Exchange A
                                     dministrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=mydomain,CN
                                     =Microsoft Exchange,CN=Services,CN=Configuration,DC=internaldomain,DC=local
Identity                           : SERVER3\Rpc (Default Web Site)
Guid                               : 6e4b256e-7c75-4b0f-bcfb-9da88114f332
ObjectCategory                     : internaldomain.local/Configuration/Schema/ms-Exch-Rpc-Http-Virtual-Directory
ObjectClass                        : {top, msExchVirtualDirectory, msExchRpcHttpVirtualDirectory}
WhenChanged                        : 29. 8. 2013 17:53:24
WhenCreated                        : 29. 8. 2013 17:53:24
WhenChangedUTC                     : 29. 8. 2013 15:53:24
WhenCreatedUTC                     : 29. 8. 2013 15:53:24
OrganizationId                     :
OriginatingServer                  : server3.internaldomain.local
IsValid                            : True
ObjectState                        : Changed

[PS] C:\Windows\system32>get-exchangecertificate

Thumbprint                                Services   Subject
----------                                --------   -------
96A204E066B28D0AAE8EFAD5C72BFF983933EAD9  IP..S..    CN=server3
E9A0742C9B28E79B89B40654DF39A30BE7C250DC  .......    CN=WMSvc-SERVER3
4296F3CB62FBBB9D193B9346D498AF69BBC91555  IP..S..    CN=server3
6B6AAAD86A022D16F717E22CEE0C6FF43D2FF72A  ....S..    CN=Microsoft Exchange Server Auth Certificate
1FA55203348770F878C1848F7A775A5805F53DB5  IP.WS..    CN=server3

[PS] C:\Windows\system32>

Hi,

To get the certificate version, we can run : Get-Exchangecertifictae |fl

If the parameter Isselfsigned is true, it means the certificate is self-signed certificate.

And the parameter Issuer represents the organization from whom you received the certificate.

Thanks,

Angela

Hi,

According to the result of get-OutlookAnywhere, Id like to explain the following information:

1. if  we create some HW LB, we can enabled SSLOffloading on CAS.

2. You only set the internal host name with server3.internaldomain.local. as far as I know, CA will not give you any certificate for cas.domain.local. Thus, I guess you use self-signed certificate or internal CA certificate.
However, I recommend you create a SAN certificate with your external host name(mail.domain.cz)and autodiscover.domainname.cz. And please also refer to the below article to set your virtual directory :
http://support.microsoft.com/kb/940726

3. The ExternalClientsRequireSsl parameter specifies whether clients connecting via Outlook Anywhere from outside the network must use Secure Sockets Layer (SSL). I recommend change it to the default setting:true.

If you have any question, please feel free to let me know.
Thanks,
Angela

Thank you, all certificates are self-signed certificate.

Please, tell me what can I do in order to run new clients with outlook

After migration, I have only one Exchange server. All existing clients are working. But it is impossible to run new installed client.

When I install new Outlook 2010 or 2013.

" Cannot Open your default e-mail folders. Microsoft Excahnge is not available. Either there are network problems or Exchange server is down for maintenance."

but outlook clients which were configured before, work still with no problems.

• Edited by fany7 Tuesday, October 29, 2013 10:59 AM

Hi,

As what I mentioned before, for self-signed certificate, we need to install the certificate on the new clients computer.

And we can use Microsoft Management Console(MMC) to import certificate:

http://msdn.microsoft.com/en-us/library/bb950259(v=bts.10).aspx

Thanks,

Angela

I exported certificates from ECP. I have installed them to clients.

But still isnt possible open newly installed outlook clients.

• Edited by fany7 Wednesday, October 30, 2013 8:47 AM

After migration, I have only one Exchange server. All existing clients are working - no problem. But it is impossible to run newly installed outlook clients.

When I install new client Outlook 2010 or 2013. Pressing button "Check Names" in "account settings" recognise server and user name without problems.

But when I want open outlook, following message is appeared:" Cannot Open your default e-mail folders. Microsoft Excahnge is not available. Either there are network problems or Exchange server is down for maintenance."

but outlook clients which were configured before migration, still work with no problems.

• Edited by fany7 Wednesday, October 30, 2013 9:27 AM
• Merged by Simon_WuMicrosoft contingent staff, Moderator Friday, November 01, 2013 1:40 AM duplicate

please delete old one. Because I have still no good answer. And now I have attempt to define my problem better.

• Edited by fany7 Wednesday, October 30, 2013 9:33 AM

@Moderators
Can you pls merge the two threads??

@Fany7
You need to replace the self-signed certificate with a one that your clients trusts. If that is one from your own Certificate Authority or if you buy one from a Third-Party Issuer, its totally up to you.
Using the self-signed certificate is not an option.

Ok, than plaese tell me, where I find certificate from my own Certificate Authority ?

In Exchange server in ECP, I have 5 certificates. I tried to export them all from ECP and import to clients.

And still I cant run newly installed clients.

Certificates:

Services   Subject
--------   -------
IP..S..    CN=server3
.......    CN=WMSvc-SERVER3
IP..S..    CN=server3
...WS..    CN=Microsoft Exchange Server Auth Certificate
IP.WS..    CN=server3

Can you give me any advice?  Some quick solutions?  

Probably I dont understand it well.

And why old clients work without problm?

• Edited by fany7 Wednesday, October 30, 2013 10:05 AM

Read this first: Digital Certificates and SSL 

If you don't have a Certificate Authoritiy (CA) in your environment, you can install one. http://technet.microsoft.com/en-us/library/cc731183.aspx

If you need help with that, asking in the Windows Server Security Forum is a good place and there are lots of good information on the Internet if you search for it.

...but why not spend 80$/year and for a public certificate?

And for help on how to create a certificate request, install the certificate when you get it, see step 6 at: http://technet.microsoft.com/library/jj218640(EXCHG.150)

I found solution of my problm.

look at: My post Wednesday, October 23, 2013 1:15 PM

Mistake was in this certificate:

....S..    CN=Microsoft Exchange Server Auth Certificate

correct is:

 ...WS..    CN=Microsoft Exchange Server Auth Certificate

and allso server restart is neccessary.

It is bad if no expert could help me, if I have problem. Public certificate is not neccessary. You need three cerfificates (server, autodiscovery, services) per $80 = $240/year. In czech republic it is montly wage for hand worker.

• Marked as answer by fany7 2 hours 17 minutes ago
• Edited by fany7 2 hours 16 minutes ago

It is bad if no expert could help me, if I have problem. Public certificate is not neccessary. You need three cerfificates (server, autodiscovery, services) per $80 = $240/year. In czech republic it is montly wage for hand worker.

Totally up to you if you want to run something that is not supported. Like using self-signed certificate is production for example. The certificate "Microsoft Exchange Server Auth Certificate" should not be assigned the service IIS.

...and besides, you can get one certificate with mail.domain.com + autodiscover.domain.com for 80$/Year or use a certificate from your own Certificate Authoritity for free.

I found solution of my problm.

look at: My post Wednesday, October 23, 2013 1:15 PM

Mistake was in this certificate:

....S..    CN=Microsoft Exchange Server Auth Certificate

correct is:

 ...WS..    CN=Microsoft Exchange Server Auth Certificate

and allso server restart is neccessary.

It is bad if no expert could help me, if I have problem. Public certificate is not neccessary. You need three cerfificates (server, autodiscovery, services) per $80 = $240/year. In czech republic it is montly wage for hand worker.

• Marked as answer by fany7 Saturday, November 02, 2013 8:35 AM
• Edited by fany7 Saturday, November 02, 2013 8:35 AM

No, I asked to experts from microsoft in Czech Republic, and they told me, that I should use this certificate.

I am beginer and if I hear two solution, I choose easier one.

We can buy this cerfificate, ok. But who underwriting that it will work? If there is such problem, why doesnt outlook open apropriate message or warning ? 

How can client recognise if this certificate is from certificate autority and not self signed? If client isnt on the internet? I have lot of questions. If there is such problem, why doesnt outlook open apropriate message or warning ?  No message, that I need certificate, no warning. Only message, that Exchange server doesnt exist.

I am programmer in C++, I am not Exchange expert.  Reading exchange manual is very dificult for me - I dont want spent a lot of my time whith reading whole exchange manual even if I want to do some very easy operation.

And why is in your manual written something another?

"

http://technet.microsoft.com/en-us/library/dd351044(v=exchg.150).aspx

By default, the digital certificate installed on the Mailbox server or servers is a self-signed certificate. You dont need to replace the self-signed certificate on the Mailbox servers in your organization with a trusted third-party certificate. The Client Access server automatically trusts the self-signed certificate on the Mailbox server and no other configuration is needed for certificates on the Mailbox server. " For me is dificult to read manual, because in reality this statement is not valid !!!! Therefore I was here to ask, How to solve my problem - what is writteln in manual is not matched with reality nor with your advice.

• Edited by fany7 Friday, November 08, 2013 9:09 AM

Hi,

I check it on my lab which just install self-signed certificate:

When I use the tool Test E-mail AutoConfiguration on my Outlook client, it will popup a Security Alert with the message which means there is a problem with the sites security certificate. Then I click view certificate and install certificate. After that , if you run the test again, there will be no error and warning.

If Exchange server installs a CA certificate, Outlook clients wouldnt have the notice of installing certificate.

The suggestion in manual which you mentioned means that CAS server and Mailbox server trust each other because of the self-signed certificate which automatically installed on Mailbox server. There is no problem with the communication between CAS server and Mailbox server.

However, it doesnt mean that clients can connect with Exchange server. In this case, we must install the self-signed certificate on clients machines to ensure clients trust the certificate.

Thanks,

A