RPC over HTTP prompt for password repeatedly only on Windows XP machine -ExV14 SP3

Today I hit a very strange problem with a customer environment

We deployed Exchange 2010 SP3 with Outlook Anywhere using internal Certificates from internal Authority.

We use reverse proxy and CAS array for publishing the services.

We did intensive testing with Windows 7 clients and Outlook 2007/2010. There were some configuration issues that we fixed in the process of the deployment, but everything was working fine, and Outlook Anywhere and ActiveSync are working without any problems.

Recently we tried to connect with a Windows XP client, but we receive a constant prompt for authentication and Outlook does not connect to the CAS array servers.

I triple-checked the root CA, certificates, configuration, Autodiscover config and so on. I still receive the prompt again and again.

I created a very simple test environment just to test RPC over HTTP with Windows XP, without the CAS array and reverse proxy.

I keep getting the same prompt, but when I test with a Windows 7 machine everything is fine and Outlook is connected.

My test configuration is like this:

Windows Server 2008 R2 Sp1 with DC role , certification authority and Exchange Server 2010 Sp3. 

autodiscover.domain.com points to DC (exchange server)

email.domain.com points to DC(Exchange server)

InternalURL and external(autodiscover ) https://autodiscover.domain.com/autodiscover/autodiscover.xml

EWS internal and external https://email.domain.com/EWS/Exchange.asmx

CAS Server : exchange.domain.local

Outlook Anywhere - NTLM

Outlook Anywhere FQDN: email.domain.com

One certificate with two SAN : autodiscover.domain.com and email.domain.com

Certificates and Autodiscover are working fine in Windows XP. When I try to connect I get the prompt constantly. At the same time the Windows 7 machine is connected using RPC over HTTPS without error.

I tried to set the EXPR certificate principal name to msstd:email.domain.com but the problem persists.

I'm out of ideas. Based on my other Exchange 2010 SP2 implementations, there were no such problems.

To summarize: Windows 7 and Outlook 2007/2010 connect to Exchange 2010 SP3.

Windows XP and Outlook 2007/2010 can't connect to Exchange 2010 SP3.

May 8th, 2013 9:04pm

Hello,

Do you mean there is this issue when your Outlook on XP connects to the Exchange server, while other Exchange servers have no issue? If so, I suggest you use the "get-exchangecertificate | fl" cmdlet to check your certificate.

Besides, please make sure your internal domain name and external domain name.

May 9th, 2013 7:12am

That is exactly what I meant. Only Windows XP can't connect.

It seems that Windows XP SP3 can't recognize SAN attributes in the certificate. I reissued the certificate with Common Name: email.domain.com and then put SAN names.

For now it seems to work properly.

Stupid Windows XP :)

May 9th, 2013 4:05pm

Well, that actually fixed the problem in the demo environment.

Did the same certificate trick at the customer site and now I receive

"The action cannot be completed. The connection to Exchange is unavailable..."

On the other side: if I test with Windows 7, Outlook connects without problems.


Update: I tried RPC Ping from Windows 7 and Windows XP. The results are:

Windows 7 - OK on ports 6001,6002,6004

Windows XP - Exception 1722 on all ports

Update 2: If I change Outlook Anywhere authentication from NTLM to Basic, both clients work fine.

There is definitely some issue with NTLM authentication.


May 10th, 2013 10:04pm

Hello,

I think you are right.

The issue should be the certificate or authentication.


May 13th, 2013 4:31am

If there is a certificate problem, I think that Basic authentication should not work either.

If Windows XP tries to verify the CRL, maybe this is the problem, but again, why is Windows 7 connecting?

May 13th, 2013 1:19pm

Hello,

At present, there is no article to explain the issue.

I agree with you.

If you want to get the information on the issue, I suggest you contact Microsoft support. Maybe they have these ideas on the issue.


May 14th, 2013 10:06am

Took me nearly a full day to figure this out, but I think it's the same issue you are having. We are using a 3rd party wildcard cert but it's the same problem. We migrated to Exchange 2013 and all of our internal clients could connect except those running Windows XP. Outlook would repeatedly prompt for a password. I set the CPN for EXPR but it didn't help.

Turns out that Exchange 2013 only uses the CPN for EXPR for external clients. For internal clients, it needs to be set using

Set-OutlookProvider -Identity EXCH -CertPrincipalName msstd:*.domain.com

(I discovered this by analyzing the XML return files; Exchange 2013 now uses the EXHTTP protocol settings by default. There are two sets, one for internal, one for external. You can use -Identity EXHTTP, but setting the values for EXPR changes the external settings and EXCH changes the internal settings).

May 14th, 2013 7:40pm

Thanks for the suggestion, but changing the Exchange provider did not resolve the problem.

I did some investigation and reconfiguration.

Now I do not receive the constant prompt, but my Outlook can't log in to Exchange Server when I use NTLM authentication. I think that it can't connect to EWS by NTLM. If I use Outlook Anywhere with Basic configuration, Windows XP and 7 are connecting.

Windows 7 clients are working fine without any issues with NTLM.

My CAS Servers are behind Hardware NLB but the account is authenticating on CAS Servers.

WEBServicesVirtualDirectory is configured with authentication like this:

InternalAuthenticationMethods : {NTLM,WindowsIntegrated}

InternalAuthenticationMethods : {NTLM,WindowsIntegrated}

Outlook Anywhere

ClientAuthenticationMethod : NTLM

IISAuthenticationMethods : NTLM

May 15th, 2013 4:38pm

I am having a similar issue but with the Apache reverse proxy that I am using. Apache doesn't allow carrying RPC traffic over HTTP, so I am constantly getting prompted for username and password as well. Internally it works just fine since I am not going through the proxy.

Curious, what reverse proxy are you using?

May 15th, 2013 7:30pm

Which SAN is first on the cert? If autodiscover.domain.com is first, you may need to set that as the CPN for the XP clients to connect. I believe XP only is able to check the first SAN.
May 15th, 2013 8:56pm

CN: email.domain.com

SAN:

autodiscover.domain.com

san1.domain.com

san2.domain.com

sanXX.domain.com

email.domain.com

But in my test environment it is the same and it works.

@elmidwill

Actually, Apache as a reverse proxy is working pretty fine with RPC over HTTP. In that environment we are using NLB based on Linux and Apache. With Basic authentication it is fine.
May 16th, 2013 11:15am

If autodiscover.domain.com is first, you will probably need to set that as the CPN. Try

Set-OutlookProvider -Identity EXCH -CertPrincipalName msstd:autodiscover.domain.com
and/or
Set-OutlookProvider -Identity EXPR -CertPrincipalName msstd:autodiscover.domain.com

These settings are pushed out through AD and take about 15 minutes it seems. Use Test E-mail AutoConfiguration in Outlook to see if they are being pushed out and then try from XP.

May 16th, 2013 11:13pm
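
The check suggested in the post above (Test E-mail AutoConfiguration) and the XML analysis mentioned earlier in the thread, as an added example that is not code from any poster: it reads an Autodiscover response and reports, per protocol block, whether the published CertPrincipalName matches the certificate's "Issued To" name or only a SAN entry. The function names, the sample XML and the certificate values are constructed for illustration; on a real client, paste the XML tab of Test E-mail AutoConfiguration and the names from the server certificate instead.

```powershell
# Constructed sample in the shape of an Outlook Autodiscover response.
# Hostnames follow the thread; the values are illustrative, not captured output.
$sampleXml = @'
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
 <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
  <Account>
   <Protocol><Type>EXCH</Type><Server>exchange.domain.local</Server></Protocol>
   <Protocol>
    <Type>EXPR</Type><Server>email.domain.com</Server>
    <AuthPackage>Ntlm</AuthPackage>
    <CertPrincipalName>msstd:autodiscover.domain.com</CertPrincipalName>
   </Protocol>
  </Account>
 </Response>
</Autodiscover>
'@

# Hypothetical helper: text of a named child element, or $null if it is absent.
function Get-ChildText($Node, $Name) {
    $n = $Node.SelectSingleNode("*[local-name()='$Name']")
    if ($n) { $n.InnerText } else { $null }
}

# Hypothetical function: compare each published principal name with the certificate.
function Test-AutodiscoverPrincipalName {
    param([string]$AutodiscoverXml,
          [string]$SubjectCN,     # the certificate's "Issued To" name
          [string[]]$SanList)     # SAN entries in the order the certificate lists them
    $doc = [xml]$AutodiscoverXml
    # local-name() sidesteps registering the two response namespaces
    foreach ($p in $doc.SelectNodes("//*[local-name()='Protocol']")) {
        $cpn  = Get-ChildText $p 'CertPrincipalName'
        $name = if ($cpn) { $cpn -replace '^msstd:', '' } else { $null }
        $finding = if (-not $cpn)             { 'no principal name published' }
            elseif ($name -eq $SubjectCN)     { 'matches Issued To (CN)' }
            elseif ($SanList[0] -eq $name)    { 'first SAN only, not Issued To' }
            elseif ($SanList -contains $name) { 'later SAN only, not Issued To' }
            else                              { 'not in certificate' }
        New-Object PSObject -Property @{
            Type = Get-ChildText $p 'Type'; Server = Get-ChildText $p 'Server'
            AuthPackage = Get-ChildText $p 'AuthPackage'
            CertPrincipalName = $cpn; Finding = $finding
        } | Select-Object Type, Server, AuthPackage, CertPrincipalName, Finding
    }
}

Test-AutodiscoverPrincipalName -AutodiscoverXml $sampleXml -SubjectCN 'email.domain.com' `
    -SanList 'autodiscover.domain.com', 'email.domain.com' | Format-Table -AutoSize
```

Running it from both a Windows XP and a Windows 7 client shows whether the two receive the same principal name and authentication package before Outlook attempts the RPC over HTTP connection.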

That didn't work. CertPrincipalName should be the one in the "Issued To" but again that is not my case.

I tried with msstd:autodiscover.domain.com on HTTP provider (EXPR) without any luck.

May 20th, 2013 10:00am

Any news on this problem? I'm out there and I have the same situation.

Continuously prompted on XP clients.

So far I did a lot of troubleshooting. Changed the EXCH cert principal name and so on!

For now, I do not see any light!

Thanks in advance.

July 1st, 2013 4:02am

Did you try using Basic authentication? Is there any reverse proxy firewall between the client and server? Because I am using KEMP NLB, I think that this was my issue. I talked to the customer and convinced him to use Basic authentication :)

I don't have any time to figure out why it isn't working.

July 12th, 2013 4:14am

This topic is archived. No further replies will be accepted.
