I have setup hosted exchange and have several companies on it. One company has their own server/domain, and is in no way linked to our hosted domain. A few of the users there are randomly having issues when they open outlook. It keeps prompting for their
username and password. I delete their outlook profile and recreate it and everything is fine for a while. Then at some point (usually a couple of weeks later) I get a call saying they can't login again. Most of the users in that company are not having an
issue, it's just a few that are. Could this be because they have their own domain? Any suggestions on what could be causing this?
Everyone at this particular company is using Outlook 2007. No, the user must type their password each time they open outlook. And no, we do not require a password change.
Did the company have Exchange 2007 deployed internally once upon a time, or still do? I wonder if Outlook 2007 is picking up the internal Service Connection Point (SCP) for autodiscover hence the continual prompting trying to auth to the incorrect exchange
server and failing.
I would have a look with TCP View next time to see where the connections are going.
No, they have never had any email server internally.
I do believe I have found what is causing the problem, I'm just not sure how to fix it. I think it is because the "Only connect to proxy servers that have this principal name in their certificate" check box gets checked automatically. I can uncheck that
and they are able to login. I do not know why only a select few are automatically getting checked. I have read several other forums on this issue and have tried several of their suggestions, putting the fqdn in the certprincipalname field on the server,
but no luck. I have also found that the autodiscover feature continually asks for the password when trying to setup outlook. I believe the two issues are related. I do think the answer has to do with the set-outlookprovider command and setting the certprincipalname
and server, but I just dont know what to put. Any ideas or thoughts on that?
One thing I forgot to ask, if you actually set the field correctly to "msstd:outlookanywhere.domain.com" does it work correctly?
If so, you should be able to simply do a "set-outlookprovider" and correctly configure the CertPrincipalName to make things work nicer. If you set the machine up via AutoDiscover, you will know if it is setup correctly.
BTW. You need to ensure you recycle the app pools on your CAS after updating those settings, otherwise you won't get any of your updates.
I tried setting the field for the CertPrincipalName, but I did not recycle the app pools. Maybe that was all that I was missing. I will try it again tonight and see how it goes.
I finally think it is working! I tried all combinations of the certprincipalname and I am able to use autodiscover with outlook anywhere. I am hoping this also fixes the login issue, but only time will tell on that.
I noticed that on my UCC certificate the "issued to" field was just domain.com, and not mail.domain.com like I though it was. Here are the commands that I used to get it working.
set-outlookprovider -identity web -server $null -certprincipalname msstd:domain.com
At first I did not realize I needed to include the msstd: in the certprincipalname, but I added that, recycled the AppPool in IIS and Autodiscover was working.
bember
Member
1 Points
11 Posts
Outlook password issues
Aug 22, 2008 06:22 PM|LINK
I have setup hosted exchange and have several companies on it. One company has their own server/domain, and is in no way linked to our hosted domain. A few of the users there are randomly having issues when they open outlook. It keeps prompting for their username and password. I delete their outlook profile and recreate it and everything is fine for a while. Then at some point (usually a couple of weeks later) I get a call saying they can't login again. Most of the users in that company are not having an issue, it's just a few that are. Could this be because they have their own domain? Any suggestions on what could be causing this?
Hosted Exchange Exchange Hosted Exchange 2007
filippg
Member
104 Points
122 Posts
Re: Outlook password issues
Aug 25, 2008 09:34 PM|LINK
Hi,
are the passwords stored in OL? We didn't get this working in OL 2003 at all... Do the passwords expire in your HMC-Domain?
Bye
Filipp
bember
Member
1 Points
11 Posts
Re: Outlook password issues
Aug 26, 2008 02:25 AM|LINK
Everyone at this particular company is using Outlook 2007. No, the user must type their password each time they open outlook. And no, we do not require a password change.
Russell Tomkins
Member
62 Points
26 Posts
Re: Outlook password issues
Aug 26, 2008 12:16 PM|LINK
Did the company have Exchange 2007 deployed internally once upon a time, or still do? I wonder if Outlook 2007 is picking up the internal Service Connection Point (SCP) for autodiscover hence the continual prompting trying to auth to the incorrect exchange server and failing.
I would have a look with TCP View next time to see where the connections are going.
Russ
bember
Member
1 Points
11 Posts
Re: Outlook password issues
Aug 26, 2008 12:43 PM|LINK
No, they have never had any email server internally.
I do believe I have found what is causing the problem, I'm just not sure how to fix it. I think it is because the "Only connect to proxy servers that have this principal name in their certificate" check box gets checked automatically. I can uncheck that and they are able to login. I do not know why only a select few are automatically getting checked. I have read several other forums on this issue and have tried several of their suggestions, putting the fqdn in the certprincipalname field on the server, but no luck. I have also found that the autodiscover feature continually asks for the password when trying to setup outlook. I believe the two issues are related. I do think the answer has to do with the set-outlookprovider command and setting the certprincipalname and server, but I just dont know what to put. Any ideas or thoughts on that?
Russell Tomkins
Member
62 Points
26 Posts
Re: Outlook password issues
Aug 26, 2008 01:02 PM|LINK
What does a get-outlookanywhere | fl return. Strip out anything identifying of course :)
Edit: get-outlookprovider | fl will be more useful sorry :)
Russ
bember
Member
1 Points
11 Posts
Re: Outlook password issues
Aug 26, 2008 01:11 PM|LINK
Get-OutlookAnywhere | fl
ServerName : <Servername>
SSLOffloading : False
ExternalHostname : <exteranl fqdn>
ClientAuthenticationMethod : Ntlm
IISAuthenticationMethods : {Ntlm}
MetabasePath : IIS://<internal fqdn>/W3SVC/1/ROOT/Rpc
Path : C:\WINDOWS\System32\RpcProxy
Server : <Servername>
AdminDisplayName :
ExchangeVersion : 0.1 (8.0.535.0)
Name : Rpc (Default Web Site)
DistinguishedName : CN=Rpc (Default Web Site),CN=HTTP,CN=Protocols,CN=
<Servername>,CN=Servers,CN=Exchange Administrative
Group (FYDIBOHF23SPDLT),CN=Administrative Groups,
CN=HostedExg,CN=Microsoft Exchange,CN=Services,CN=
Configuration,DC=hosted,DC=local
Identity : <Servername>\Rpc (Default Web Site)
Guid : 58cf7186-36ac-43d8-8249-fcb6f6d19091
ObjectCategory : <domain name>/Configuration/Schema/ms-Exch-Rpc-Http
-Virtual-Directory
ObjectClass : {top, msExchVirtualDirectory, msExchRpcHttpVirtual
Directory}
WhenChanged : 7/29/2008 7:21:00 PM
WhenCreated : 5/29/2008 5:42:30 PM
OriginatingServer : <domain controller fqdn>
IsValid : True
Get-OutlookProvider | fl
CertPrincipalName :
Server :
TTL : 1
AdminDisplayName :
ExchangeVersion : 0.1 (8.0.535.0)
Name : EXCH
DistinguishedName : CN=EXCH,CN=Outlook,CN=AutoDiscover,CN=Client Access,CN=Host
edExg,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC
=hosted,DC=local
Identity : EXCH
Guid : f43fb1c0-79a1-4c22-a102-05abada5976e
ObjectCategory : <domain name>/Configuration/Schema/ms-Exch-Auto-Discover-Con
fig
ObjectClass : {top, msExchAutoDiscoverConfig}
WhenChanged : 8/25/2008 9:06:18 PM
WhenCreated : 5/28/2008 1:34:40 PM
OriginatingServer : <domain controller>.<domain name>
IsValid : True
CertPrincipalName :
Server :
TTL : 1
AdminDisplayName :
ExchangeVersion : 0.1 (8.0.535.0)
Name : EXPR
DistinguishedName : CN=EXPR,CN=Outlook,CN=AutoDiscover,CN=Client Access,CN=Host
edExg,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC
=hosted,DC=local
Identity : EXPR
Guid : bc66c632-3c48-4eee-ad25-48d64a48a5c7
ObjectCategory : <domain name>/Configuration/Schema/ms-Exch-Auto-Discover-Con
fig
ObjectClass : {top, msExchAutoDiscoverConfig}
WhenChanged : 8/25/2008 9:31:37 PM
WhenCreated : 5/28/2008 1:34:40 PM
OriginatingServer : <domain controller>.<domain name>
IsValid : True
CertPrincipalName :
Server :
TTL : 1
AdminDisplayName :
ExchangeVersion : 0.1 (8.0.535.0)
Name : WEB
DistinguishedName : CN=WEB,CN=Outlook,CN=AutoDiscover,CN=Client Access,CN=Hoste
dExg,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=
hosted,DC=local
Identity : WEB
Guid : f975ac45-9743-423c-9186-1c264e2137db
ObjectCategory : <domain name>/Configuration/Schema/ms-Exch-Auto-Discover-Con
fig
ObjectClass : {top, msExchAutoDiscoverConfig}
WhenChanged : 8/25/2008 9:27:18 PM
WhenCreated : 5/28/2008 1:34:40 PM
OriginatingServer : <domain controller>.<domain name>
IsValid : True
Russell Tomkins
Member
62 Points
26 Posts
Re: Outlook password issues
Aug 28, 2008 01:09 PM|LINK
One thing I forgot to ask, if you actually set the field correctly to "msstd:outlookanywhere.domain.com" does it work correctly?
If so, you should be able to simply do a "set-outlookprovider" and correctly configure the CertPrincipalName to make things work nicer. If you set the machine up via AutoDiscover, you will know if it is setup correctly.
BTW. You need to ensure you recycle the app pools on your CAS after updating those settings, otherwise you won't get any of your updates.
Russ
bember
Member
1 Points
11 Posts
Re: Outlook password issues
Aug 28, 2008 01:30 PM|LINK
I tried setting the field for the CertPrincipalName, but I did not recycle the app pools. Maybe that was all that I was missing. I will try it again tonight and see how it goes.
Thanks
bember
Member
1 Points
11 Posts
Re: Outlook password issues
Sep 03, 2008 01:14 AM|LINK
I finally think it is working! I tried all combinations of the certprincipalname and I am able to use autodiscover with outlook anywhere. I am hoping this also fixes the login issue, but only time will tell on that.
I noticed that on my UCC certificate the "issued to" field was just domain.com, and not mail.domain.com like I though it was. Here are the commands that I used to get it working.
set-outlookprovider -identity exch -server $null -certprincipalname msstd:domain.com
set-outlookprovider -identity expr -server $null -certprincipalname msstd:domain.com
set-outlookprovider -identity web -server $null -certprincipalname msstd:domain.com
At first I did not realize I needed to include the msstd: in the certprincipalname, but I added that, recycled the AppPool in IIS and Autodiscover was working.
Thanks for the help.