Friday, August 16, 2013

Prevent Outlook Anywhere (aka RPC over HTTP) from being automatically configured in Exchange 2010 with autodiscover

Hi Folks,

Yesterday I came across very interesting thing in Exchange OutlookAnywhere, So I thought to share with you.

Issue: -

OutlookAnywhere getting configured automatically in outlook by restarting the outlook and it’s pop-up for credentials.

Error Message: -

”Please enter user name and Password”

Error Statement: -

Now when user trying to access the mailbox through the Outlook the Auto discover Service will send the XML Request to Autodiscover Outlook provider and Autodiscover Outlook provider have the SCP connection values which will refer the EXPR. So if user system/Site have any network latency issues which will not able to contact the local Client Access Array Server which will route the connection to RPC over HTTPS. Due to the connection routed to Internet outlook will through the Pop-up for entering the Credentials.

Resolution: -

While troubleshooting the Outlook Pop up issue, I have verified the outlook settings and connection status the outlook getting configured Outlook Anywhere feature by automatically using Auto discover settings.

This is common behavior in Exchange, Once enabled the Outlook AnyWhere feature on Exchange Client Access server.

Once Prepare active directory has been completed below three entries are getting created automatically in Active Directory on the below location.

        1.    EXPR
        2.    EXCH
        3.    WEB

DistinguishedName    : CN=EXPR,CN=Outlook,CN=AutoDiscover,CN=Client Access,CN=ORG,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=com

The EXCH setting references the Exchange RPC protocol that is used internally. This setting includes port settings and the internal URLs for the Exchange services that you have enabled.

The EXPR setting references the Exchange HTTP protocol that is used by Outlook Anywhere. This setting includes the external URLs for the Exchange services that you have enabled, which are used by clients that access Exchange from the Internet.

The WEB setting contains the best URL for Outlook Web Access for the user to use. This setting is not in use.

Microsoft documented Deployment Considerations for the Autodiscover Service in:

For Single User Issue: -

1.    Verify any old user account password was saved in User account Managed Password Settings, If you found something please delete it.

Start ---->Control Panel ---->User accounts --->Managed Accounts ----->Advanced ----->Manage Passwords.

Multi-User Issue: -

     1.    Verify whether you have any Certificate issue by login to Exchange server.

Exchange Management Console ---->Server Configuration ----> Certificate.

     2.    If OutlookAnywhere authentication is mismatching with TMG OutlookAnywhere Web Publishing Rule Outlook will through Password Pop-up, Please make sure if you have setup NTLM authentication in Exchange servers TMG Rule should be in NTLM authentication.

    3.    Verify Outlook Provider have been configured any Server Name and Certificate Principal name by following command.

Get-Outlookprovider |FL Server, CertPrincipalName

     4.    If you found any entry by running above command, we need to remove the Server and CertificatePrincipalName which will prevent automatic configuration of Outlook Anywhere.

Get-OutlookProvider| Remove-OutlookProvider.

What is the Impact?: -

Once you removed Outlook Provider, autodiscover service will not connect to SCP connection which will lose of OOF,Free/Busy Information and Offline Address Book download.

Further Troubleshooting on this issue, I found a way to avoid Outlook Anywhere configuring automatically.

As I said above EXPR references the Exchange HTTP protocol that is used by Outlook Anywhere. This setting includes the external URLs for the Exchange services that you have enabled, which are used by clients that access Exchange from the Internet.

So we will remove EXPR Outlook Provider entry.

Remove-OutlookProvider -Identity "EXPR"

Once you removed EXPR reset the IIS for immediate effect or wait 15 minutes for AD Replication.

How to Confirm: -

1. Re-configure Outlook 2007/2010 profile.
2. Verify Outlook Anywhere will be disabled.

3. You can re-configure Outlook Anywhere by manually to access it.


Keep Visit.