Legacy Windows XP clients must match the Certificate Common Name in Outlook for (RPC over HTTP) Exchange 2013

In this post I am going to discuss these two topics a bit further as this issue will impact many organisations moving to Exchange 2013 for those still running Windows XP (despite the fact it is no longer supported) seeming Exchange 2013 only supports RPC over HTTP or MAPI over HTTP (out of scope for this article). To recap what I wrote about in the previous articles 5 years ago, for RPC over HTTP(s) aka Outlook Anywhere to work on any version of the Outlook Client on the XP, the MSSTD value must match the "Common Name" on the certificate. What am I talking about? Well let me show you...
The MSSTD is specified under "Only connect to proxy servers that have this principal name in their certificate" which can be found within Outlook under Account Settings, Open the Account, More Settings, Connection Tab and finally Exchange Proxy Settings.
This value must match the "Common Name" of the certificate which in this example is mail.example.com as shown below next to "Issued to:"
From Windows Vista onwards the MSSTD can match any name in the Certificate which includes the Certificate Common Name as shown above and any Subject Alternative Names (SAN) which may exist on the certificate. 
For Windows XP the "Only connect to proxy servers that have this principal name in their certificate" value MUST MATCH the common name on the Certificate. The symptom for having this not matching is the user continuously being prompted for credentials in an infinite loop as I addressed under the article Outlook Anywhere keeps prompting for Password.

Comments

Post a Comment

Popular posts from this blog

Image
Faulting application name: hostcontrollerservice.exe, version: 16.0.775.0, time stamp: 0x5211bea8 Application Error Faulting application name: hostcontrollerservice.exe, version: 16.0.775.0, time stamp: 0x5211bea8 Faulting module name: KERNELBASE.dll, version: 6.2.9200.17637, time stamp: 0x56980227 Exception code: 0xe0434352 Fault offset: 0x000000000004b418 Faulting process id: 0x4878 Faulting application start time: 0x01d2a139409a0421 Faulting application path: D:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\HostController\hostcontrollerservice.exe Faulting module path: C:\Windows\system32\KERNELBASE.dll Report Id: 80ceb831-0d2c-11e7-950e-005056be650e Faulting package full name: Faulting package-relative application ID: Solution: Stop the Microsoft Exchange Search service and Microsoft Exchange Search Host Controller (this one probably already is). Edit the file installconfig located in C: \ Program Files \ Microsoft \ Exchange Server \ V15 \ Bin \ Search \ Ceres \ Ins
Read more

How to Configure ActiveSync Virtual Directories in coexistence between exchange 2007 and 2013, when you have different external and internal namespaces

Image
In coexistence environment (exchange 2007-2013), we could set Exchange 2013 ActiveSync External URL to mail.yourexternaldomain.com and set Internal URL to mail.yourinternaldomain.com . And set Exchange 2007 Internal URL to  mail.yourinternaldomain.com  and set External URL to Null .  We could run the following commands. Set-ActiveSyncVirtualDirectory -Identity "<CAS2013>\Microsoft-Server-ActiveSync (Default Web Site)" -ExternalUrl "https:// mail.yourexternaldomain.com /Microsoft-Server-ActiveSync"    –InternalURL “https:// mail.yourinternaldomain.com /Microsoft-Server ActiveSync” Set-ActiveSyncVirtualDirectory -Identity "<CAS2007>\Microsoft-Server-ActiveSync (Default Web Site)" -ExternalUrl $Null    –InternalURL “https:// mail.yourinternaldomain.com  /Microsoft-Server-ActiveSync”
Read more

How to prevent sending external e-mail, but allow internal e-mail in Microsoft Exchange Server.

Image
Sometime may be you have internal & external domains configured in your organization and you don't want allow internal users to send emails outside the organization or to the public domains. You can achieve this using Microsoft Exchange Transport rules. Suppose you have all internal users in OU name "InternalMail" create a distribution group in the OU and add all internal users as member. Open up Exchange admin console " https://yourexchangeserver/ecp " and navigate to "mail flow" -> "Rules" Click the + button -> " Restrict messages by sender or recipient " In this example " extblk " is a distribution group. Added two conditions first is " the recipient is located " second is " the sender is a member of " Review the Rule mode is set to "Enforce" and leave other settings default and save the rule. You are done !
Read more