Exchange 2013 OutlookAnyWhere authentication issues

Hi All,
Have just installed a secondary CAS/MBX and created a DAG, DBs copied OK.
Server 1 is "mail2.domain.com" and server 2 is "mail3.domain.com", mail2 has the active MDBs. (No, there's no mail1 in the system) They are on different subnets, no load balancer.
Now tuning the URLs to make things simpler for switchover and certs, trying to use "webmail.domain.com" for all URLs internal/external.
The cert contains the names webmail.domain.com and mail2.domain.com.
Setting all URLs to webmail.domain.com in OutlookAnywhere made internal Outlook clients go bananas after a while, asking for creds indefinitely, no use in entering and/or saving creds, it kept on asking and got no connection.
I quickly set the old settings back and after about 15 mins things worked again, with the exception of Outlook now stating that the cert on mail3.domain.com is not valid, fair enough as that name is not on the cert, but why should Outlook now try to connect to that CAS and not before?

External Outlook and other OWA clients were not affected by the changes I made, all good there.
However, I must be missing something here, I do not want to mess this up once more, it is a live site with 3000 mailboxes.
The running - and for now working - config is summarized below, any hints? Should it not work with all URLs set to webmail.domain.com?
BTW: webmail.domain.com is registered in internal DNS with only one IP for now.

Thanks.

get-outlookanywhere:

SerializationData                  : {0, 1, 0, 0, 0, 255, 255, 255, 255, 1, 0, 0, 0, 0, 0, 0...}
RunspaceId                         : a4a55d3b-e784-4a61-b929-40e57732dacd
ServerName                         : MAIL2
SSLOffloading                      : False
ExternalHostname                   : webmail.domain.com
InternalHostname                   : mail2.domain.com
ExternalClientAuthenticationMethod : Ntlm
InternalClientAuthenticationMethod : Ntlm
IISAuthenticationMethods           : {Basic, Ntlm, Negotiate}
XropUrl                            :
ExternalClientsRequireSsl          : True
InternalClientsRequireSsl          : True
MetabasePath                       : IIS://MAIL2.domain.com/W3SVC/1/ROOT/Rpc
Path                               : E:\Exchange Server\FrontEnd\HttpProxy\rpc
ExtendedProtectionTokenChecking    : None
ExtendedProtectionFlags            : {}
ExtendedProtectionSPNList          : {}
AdminDisplayVersion                : Version 15.0 (Build 1076.9)
Server                             : MAIL2
AdminDisplayName                   :
ExchangeVersion                    : 0.20 (15.0.0.0)
Name                               : Rpc (Default Web Site)
DistinguishedName                  : CN=Rpc (Default Web Site),CN=HTTP,CN=Protocols,CN=MAIL2,CN=Servers,CN=Exchange Adm
                                     inistrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=Statped,CN=Microso
                                     ft Exchange,CN=Services,CN=Configuration,DC=statped,DC=no
Identity                           : MAIL2\Rpc (Default Web Site)
Guid                               : 553829e7-13c4-4b4b-8eec-cd1dfaea63b0
ObjectCategory                     : domain.com/Configuration/Schema/ms-Exch-Rpc-Http-Virtual-Directory
ObjectClass                        : {top, msExchVirtualDirectory, msExchRpcHttpVirtualDirectory}
WhenChanged                        : 19.06.2015 08:40:49
WhenCreated                        : 21.03.2014 14:05:41
WhenChangedUTC                     : 19.06.2015 06:40:49
WhenCreatedUTC                     : 21.03.2014 13:05:41
OrganizationId                     :
Id                                 : MAIL2\Rpc (Default Web Site)
OriginatingServer                  : HUS-DC-02.domain.com
IsValid                            : True
ObjectState                        : Changed

SerializationData                  : {0, 1, 0, 0, 0, 255, 255, 255, 255, 1, 0, 0, 0, 0, 0, 0...}
RunspaceId                         : a4a55d3b-e784-4a61-b929-40e57732dacd
ServerName                         : MAIL3
SSLOffloading                      : False
ExternalHostname                   :
InternalHostname                   : mail3.domain.com
ExternalClientAuthenticationMethod : Negotiate
InternalClientAuthenticationMethod : Ntlm
IISAuthenticationMethods           : {Basic, Ntlm, Negotiate}
XropUrl                            :
ExternalClientsRequireSsl          : False
InternalClientsRequireSsl          : True
MetabasePath                       : IIS://MAIL3.domain.com/W3SVC/1/ROOT/Rpc
Path                               : E:\Exchange Server\FrontEnd\HttpProxy\rpc
ExtendedProtectionTokenChecking    : None
ExtendedProtectionFlags            : {}
ExtendedProtectionSPNList          : {}
AdminDisplayVersion                : Version 15.0 (Build 1076.9)
Server                             : MAIL3
AdminDisplayName                   :
ExchangeVersion                    : 0.20 (15.0.0.0)
Name                               : Rpc (Default Web Site)
DistinguishedName                  : CN=Rpc (Default Web Site),CN=HTTP,CN=Protocols,CN=MAIL3,CN=Servers,CN=Exchange Adm
                                     inistrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=Statped,CN=Microso
                                     ft Exchange,CN=Services,CN=Configuration,DC=statped,DC=no
Identity                           : MAIL3\Rpc (Default Web Site)
Guid                               : 9401aa7b-4a90-412b-a478-2dbcb31e863a
ObjectCategory                     : domain.com/Configuration/Schema/ms-Exch-Rpc-Http-Virtual-Directory
ObjectClass                        : {top, msExchVirtualDirectory, msExchRpcHttpVirtualDirectory}
WhenChanged                        : 19.06.2015 08:41:37
WhenCreated                        : 10.06.2015 16:54:02
WhenChangedUTC                     : 19.06.2015 06:41:37
WhenCreatedUTC                     : 10.06.2015 14:54:02
OrganizationId                     :
Id                                 : MAIL3\Rpc (Default Web Site)
OriginatingServer                  : HUS-DC-02.domain.com
IsValid                            : True
ObjectState                        : Changed

[PS] C:\Windows\system32>Get-OutlookAnywhere | select server,internalhostname,externalhostname
Server                                  InternalHostname                        ExternalHostname
------                                  ----------------                        ----------------
MAIL2                                   mail2.domain.com                        webmail.domain.com
MAIL3                                   mail3.domain.com

[PS] C:\Windows\system32>Get-OwaVirtualDirectory | select server,externalurl,internalurl | fl
Server      : MAIL2
ExternalUrl : https://webmail.domain.com/owa
InternalUrl : https://webmail.domain.com/owa
Server      : MAIL3
ExternalUrl : https://webmail.domain.com/owa
InternalUrl : https://webmail.domain.com/owa

[PS] C:\Windows\system32>Get-activesyncVirtualDirectory | select server,externalurl,internalurl | fl
Server      : MAIL2
ExternalUrl : https://webmail.domain.com/Microsoft-Server-ActiveSync
InternalUrl : https://webmail.domain.com/Microsoft-Server-ActiveSync
Server      : MAIL3
ExternalUrl : https://webmail.domain.com/Microsoft-Server-ActiveSync
InternalUrl : https://webmail.domain.com/Microsoft-Server-ActiveSync

[PS] C:\Windows\system32>Get-webservicesVirtualDirectory | select server,externalurl,internalurl | fl
Server      : MAIL2
ExternalUrl : https://webmail.domain.com/ews/exchange.asmx
InternalUrl : https://webmail.domain.com/ews/exchange.asmx
Server      : MAIL3
ExternalUrl : https://webmail.domain.com/EWS/Exchange.asmx
InternalUrl : https://webmail.domain.com/EWS/Exchange.asmx

[PS] C:\Windows\system32>Get-oabVirtualDirectory | select server,externalurl,internalurl | fl
Server      : MAIL2
ExternalUrl : https://webmail.domain.com/OAB
InternalUrl : https://webmail.domain.com/OAB
Server      : MAIL3
ExternalUrl : https://webmail.domain.com/OAB
InternalUrl : https://webmail.domain.com/OAB

[PS] C:\Windows\system32>get-clientaccessserver | select name,autodiscoverserviceinternaluri
Name                                                        AutoDiscoverServiceInternalUri
----                                                        ------------------------------
MAIL2                                                       https://autodiscover.domain.com/Autodiscover/Autodiscove...
MAIL3                                                       https://autodiscover.domain.com/Autodiscover/Autodiscove...



  • Edited by RayHell 13 hours 40 minutes ago Forgot some info
June 21st, 2015 1:44pm

Is mail3.domain.com in your certificate?

Consider using the same URL for internal and external access, or use names that you can put in the certificate instead of server

June 21st, 2015 2:01pm
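
The certificate-name question asked in the reply above, worked through as an added example (not part of the original thread). The hostnames and certificate names are the ones quoted in the thread; Test-NameOnCert and Get-OaCertCoverage are hypothetical helper names, and it is assumed that both servers present the same certificate.

```powershell
# Added example: compare Outlook Anywhere hostnames with the names on the certificate.

function Test-NameOnCert {
    param([string]$HostName, [string[]]$CertNames)
    if ([string]::IsNullOrWhiteSpace($HostName)) { return $null }   # hostname not configured
    foreach ($name in $CertNames) {
        if ($name -eq $HostName) { return $true }                    # -eq on strings ignores case
        # A wildcard name such as *.domain.com covers exactly one left-most label
        if ($name.StartsWith('*.')) {
            $parts = $HostName -split '\.', 2                        # 'mail3', 'domain.com'
            if ($parts.Count -eq 2 -and $parts[1] -eq $name.Substring(2)) { return $true }
        }
    }
    return $false
}

function Get-OaCertCoverage {
    param($Rows, [string[]]$CertNames)
    foreach ($row in $Rows) {
        foreach ($prop in 'InternalHostname', 'ExternalHostname') {
            $hostName = "$($row.$prop)"
            $covered  = Test-NameOnCert -HostName $hostName -CertNames $CertNames
            [pscustomobject]@{
                Server   = $row.Server
                Setting  = $prop
                HostName = $hostName
                OnCert   = if ($null -eq $covered) { 'not set' } else { $covered }
            }
        }
    }
}

# Names the poster says are on the certificate
$certNames = 'webmail.domain.com', 'mail2.domain.com'

# Rows copied from the Get-OutlookAnywhere output in the post.
# On a live system these would come from Get-OutlookAnywhere, and the names from the
# CertificateDomains of the certificate that Get-ExchangeCertificate shows bound to IIS.
$outlookAnywhere = @(
    [pscustomobject]@{ Server = 'MAIL2'; InternalHostname = 'mail2.domain.com'; ExternalHostname = 'webmail.domain.com' }
    [pscustomobject]@{ Server = 'MAIL3'; InternalHostname = 'mail3.domain.com'; ExternalHostname = '' }
)

Get-OaCertCoverage -Rows $outlookAnywhere -CertNames $certNames | Format-Table -AutoSize
```

With the values from the thread, the only hostname flagged as missing from the certificate is the InternalHostname of MAIL3, which matches the certificate warning the poster describes.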

That's what I'm doing, I've got webmail.domain.com on the cert all the time and want to get rid of those internal server names from the cert, but one (mail2) is still there, will be removed by next renewal if I get this working. Already have split DNS, webmail.domain.com is registered internally with the IP of mail2 and externally of the FW handling the external traffic. But setting all URLs on OutlookAnywhere to webmail.domain.com messes something up here.

Tnx.


  • Edited by RayHell 13 hours 22 minutes ago
June 21st, 2015 2:07pm

Do you have split-brain DNS?  Does webmail.domain.com resolve to the correct internal IP address?
June 21st, 2015 5:00pm
