RPC Proxy doesn't work: 2013/2010 Co-Existence with Outlook Anywhere

ISSUE: Can't RPC Proxy Outlook Anywhere requests for Exchange 2010 mailbox users via the Exchange 2013 CAS.

SYMPTOMS: Externally with TestExchangeConnectivity.com, I get 'RPC Proxy Can't Be Pinged' with 'An HTTP 401 Unauthorized response was received from the remote Unknown server'.

SETUP:

Exchange 2013 CU2
Get-OutlookAnywhere Details:
ExternalHostname: webapp.mydomain.com
InternalHostname: ex2013.mydomain.local
ExternalClientAuthenticationMethod: Basic
InternalClientAuthenticationMethod: Ntlm
IISAuthenticationMethods: Basic, Ntlm, Negotiate
SSLOffloading: False

Certificate on 2013 server contains the names: ex2013.mydomain.local, webapp.mydomain.com, AutoDiscover.mydomain.local, AutoDiscover.mydomain.com, mydomain.local, mydomain.com

Exchange 2010 SP3 update rollup 1
Get-OutlookAnywhere Details:
ExternalHostname: webapp.mydomain.com
ClientAuthenticationMethod: Basic
IISAuthenticationMethods: Basic, Ntlm
SSLOffloading: False

Certificate on 2010 server contains the names: ex2010.mydomain.local, webapp.mydomain.com, autodiscover.mydomain.local, autodiscover.mydomain.com

Outlook providers:
EXCH  CertPrincipalName: msstd:webapp.mydomain.com
EXPR  CertPrincipalName: msstd:*.mydomain.com    (as I use an external reverse proxy with a public wildcard certificate)

ADDITIONAL DETAILS:
- With the above settings, Outlook 2010 doesn't seem to be able to proxy RPC through Exchange 2013.

Testing manually with RPCPING utility:
- Requests for port 6001 directed to Exchange 2010 for people with mailbox on Exchange 2010: works correctly
- Requests for port 6001 directed to Exchange 2013 for people with mailbox on Exchange 2013: works correctly
- Requests for port 6001 directed to Exchange 2013 for people with mailbox on Exchange 2010: error 401.1 Unauthorized

OWA and Activesync through Exchange 2013 for people with mailbox on Exchange 2010 are working fine.
Only RPC over HTTP seems to have problems.

- Here are some pertinent lines from the 2010 CAS server's IIS logs for a 2013 to 2010 RPC access:
2013-10-10 13:02:16 10.62.6.56 RPC_IN_DATA /rpc/rpcproxy.dll ex2010.mydomain.local:6001 443 - 10.62.6.50 MSRPC 401 1 2148074248 624
2013-10-10 13:02:16 10.62.6.56 RPC_OUT_DATA /rpc/rpcproxy.dll ex2010.mydomain.local:6001 443 - 10.62.6.50 MSRPC 401 1 2148074248 624
2013-10-10 13:02:16 10.62.6.56 RPC_IN_DATA /rpc/rpcproxy.dll - 443 - 10.62.6.50 HttpProxy.ClientAccessServer2010Ping 401 2 5 780

- Here are some pertinent lines from the 2013 CAS server's IIS logs for the same 2013 to 2010 RPC access:
2013-10-10 13:02:14 10.62.6.50 RPC_IN_DATA /rpc/rpcproxy.dll ex2010.mydomain.local:6001&RequestId=b6464f37-a9fe-4f84-a32b-ff9af689607c&cafeReqId=b6464f37-a9fe-4f84-a32b-ff9af689607c; 443 - 10.62.7.15 MSRPC - 401 1 2148074254 4726
2013-10-10 13:02:14 10.62.6.50 RPC_OUT_DATA /rpc/rpcproxy.dll ex2010.mydomain.local:6001&RequestId=4acc0118-7fac-49db-976d-152a4a6839b2&cafeReqId=4acc0118-7fac-49db-976d-152a4a6839b2; 443 - 10.62.7.15 MSRPC - 401 1 2148074254 0
2013-10-10 13:02:16 10.62.6.50 RPC_OUT_DATA /rpc/rpcproxy.dll ex2010.mydomain.local:6001&RequestId=a591fb11-98c3-44e6-90c7-f719c7047fe4&cafeReqId=a591fb11-98c3-44e6-90c7-f719c7047fe4; 443 dom\2010user 10.62.7.15 MSRPC - 401 0 64 1544
2013-10-10 13:02:16 10.62.6.50 RPC_IN_DATA /rpc/rpcproxy.dll ex2010.mydomain.local:6001&RequestId=fbb94579-8d0b-41d7-8103-45c945141bd7&cafeReqId=fbb94579-8d0b-41d7-8103-45c945141bd7; 443 dom\2010user 10.62.7.15 MSRPC - 200 0 64 1700

Any thoughts or comments are highly appreciated. Let me know if additional details are needed.

October 10th, 2013 4:20pm

Yes, it's almost the same issue but I've already configured CertPrincipalName of EXCH and EXPR OutlookProviders (as suggested in the linked article) without success.

This kind of issue is very hard to debug!

October 10th, 2013 6:02pm

Yes, it's almost the same issue but I've already configured CertPrincipalName of EXCH and EXPR OutlookProviders (as suggested in the linked article) without success.

This kind of issue is very hard to debug!

I would open a case with Microsoft support. These things can be very difficult to diagnose.
October 12th, 2013 6:53pm

Hi,

Firstly, I'd like to explain, since in Exchange 2013 we make use of Outlook Anywhere both internally and externally, we have a new Outlook Provider called EXHTTP. The EXHTTP Outlook Provider cannot be configured manually, but gets constructed by AutoDiscover based on the information within the EXCH (internal settings) and EXPR (external settings) Outlook Providers. The EXCH setting includes port settings and the internal URLs for the Exchange services that you have enabled:
http://blogs.technet.com/b/exchange/archive/2008/09/26/3406344.aspx

And according to your description, I'd like to confirm whether both internal users and external users with mailboxes on Exchange 2013 work well.

Please also check the IIS log and find the full error code of the 401, such as 401.1 or 401.2.

Hope it can help you.
Thanks,
Angela

October 13th, 2013 7:36am
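
Added example (not part of the original thread and not any poster's code): a small Python triage of the IIS log lines quoted in the first post, decoding the full 401 status that the reply above asks for. It assumes the W3C field order visible in those lines (the thread shows no #Fields header) and reads the last four fields as sc-status, sc-substatus, sc-win32-status and time-taken, because the 2013 lines carry one extra column.

```python
from collections import Counter

# IIS 401 sub-status meanings for the values seen in the thread's logs.
SUBSTATUS_401 = {1: "logon failed", 2: "logon failed due to server configuration"}
# sc-win32-status values seen in the thread's logs (Win32 / SSPI names).
WIN32 = {
    0x00000005: "ERROR_ACCESS_DENIED",
    0x00000040: "ERROR_NETNAME_DELETED",
    0x80090308: "SEC_E_INVALID_TOKEN",
    0x8009030E: "SEC_E_NO_CREDENTIALS",
}

# Log lines taken from the thread; the RequestId query suffix is trimmed for width.
SAMPLE = """\
2013-10-10 13:02:16 10.62.6.56 RPC_IN_DATA /rpc/rpcproxy.dll ex2010.mydomain.local:6001 443 - 10.62.6.50 MSRPC 401 1 2148074248 624
2013-10-10 13:02:16 10.62.6.56 RPC_OUT_DATA /rpc/rpcproxy.dll ex2010.mydomain.local:6001 443 - 10.62.6.50 MSRPC 401 1 2148074248 624
2013-10-10 13:02:16 10.62.6.56 RPC_IN_DATA /rpc/rpcproxy.dll - 443 - 10.62.6.50 HttpProxy.ClientAccessServer2010Ping 401 2 5 780
2013-10-10 13:02:14 10.62.6.50 RPC_IN_DATA /rpc/rpcproxy.dll ex2010.mydomain.local:6001 443 - 10.62.7.15 MSRPC - 401 1 2148074254 4726
2013-10-10 13:02:16 10.62.6.50 RPC_OUT_DATA /rpc/rpcproxy.dll ex2010.mydomain.local:6001 443 dom\\2010user 10.62.7.15 MSRPC - 401 0 64 1544
2013-10-10 13:02:16 10.62.6.50 RPC_IN_DATA /rpc/rpcproxy.dll ex2010.mydomain.local:6001 443 dom\\2010user 10.62.7.15 MSRPC - 200 0 64 1700
"""

def parse(line):
    """Parse one IIS W3C line; assumed layout: first ten fields fixed, status fields last."""
    f = line.split()
    if line.startswith("#") or len(f) < 14:
        return None  # header, blank or truncated line
    try:
        status, sub, win32, _ms = (int(x) for x in f[-4:])
    except ValueError:
        return None  # trailing fields are not numeric: different log layout
    return {"server": f[2], "user": f[7], "agent": f[9],
            "status": status, "sub": sub, "win32": win32}

def triage(text):
    """Count 401 responses by (server IP, user agent, status.sub, win32 name, user)."""
    counts = Counter()
    for line in text.splitlines():
        rec = parse(line)
        if rec and rec["status"] == 401:
            name = WIN32.get(rec["win32"], hex(rec["win32"]))
            code = f"{rec['status']}.{rec['sub']}"
            counts[(rec["server"], rec["agent"], code, name, rec["user"])] += 1
    return counts

def report(text):
    """One readable line per distinct 401 signature."""
    return [f"{n}x {srv} {agent} {code} "
            f"[{SUBSTATUS_401.get(int(code.split('.')[1]), 'no sub-status text')}] {w32} user={user}"
            for (srv, agent, code, w32, user), n in triage(text).items()]

if __name__ == "__main__":
    print("\n".join(report(SAMPLE)))
```

Grouping by server IP and user agent separates the 401.1 responses on the MSRPC requests from the 401.2 on the HttpProxy.ClientAccessServer2010Ping request, which are different sub-statuses with different sc-win32-status values.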

I've configured Outlook Providers as follows:

EXCH  CertPrincipalName: msstd:webapp.mydomain.com
EXPR  CertPrincipalName: msstd:*.mydomain.com    (as I use an external reverse proxy with a public wildcard certificate)

I don't know if this is correct, but people with mailbox on Exchange 2013 server can connect without problems from inside and from outside.

Also https://testconnectivity.microsoft.com/ says that all is OK.

The only problem that I have is related to coexistence with Exchange 2010: RPC over HTTP proxy from the 2013 CAS for people on the old Exchange server doesn't work.

I've also included IIS logs from both Exchange servers:
I can see several 401.1 errors but that doesn't help me at all...

Thanks,
Alessandro

October 14th, 2013 4:43pm

1 - Did you enable Outlook Anywhere (OA) on the Exchange 2010 server?
2 - Make the 2010 server OA URL and auth settings the same as Exchange 2013
3 - OA IIS authentication methods on the Exchange 2010 must include NTLM

November 14th, 2013 7:46pm

I am having the exact same issue as the original poster. Any progress made with this?
November 19th, 2013 10:47pm

At least in my case I have things intermittently working now. It turns out one of the old 2010 CAS servers had an improper redirect on the RPC folder (in fact all of the virtual directories). Removing this and resetting IIS got things to work (at least temporarily).

November 20th, 2013 11:19pm

Hi,

Did you find a resolution to this issue?

I am having the exact same issue.

Cheers

January 20th, 2014 6:56am

Same problem here but with Exchange 2007 instead of 2010. Currently working with Microsoft, going to pick up tomorrow. Everything works except for external Outlook Anywhere when they are on 2007. Outlook Anywhere works fine when they are on 2013.
February 8th, 2014 1:32pm

Has anyone come up with a solution for this?  I've migrated from 2007 and 2010 to 2013 5 times now and never had this issue.  I'm working on a new client and they have it.  Mailboxes on 2010 do not work with external outlook anywhere with the 2013 server.  All is set for NTLM.  Everything works with mailboxes on the 2013 server.  OWA works and ActiveSync works with no problem.  Only Outlook over RPC doesn't work (just like the original post).  Please let me know if anyone has found a working solution!  Thank you!
May 3rd, 2014 12:58am

Hi

I have seen this now after quite a few installations. My test lab is set up with Exchange 2010 and Exchange 2013.

The email clients with mailboxes on Exchange 2013 work fine. The email clients with mailboxes on Exchange 2010, well, the funny thing is the Outlook profile sets up fine, however when opening Outlook it asks for the Exchange server name and to confirm the user; once done it gives an error that the OST file is not an Outlook data file.

NTLM is set as authentication, IIS authentication is set to include NTLM. Weird one.

The IIS logs for the 2010 mailbox report as httpproxy.clientaccessserver2010ping 401 2 5 0

February 12th, 2015 1:00am

This topic is archived. No further replies will be accepted.
