Exchange 2010 – Outlook Anywhere – Outlook is unable to connect to the proxy server. (Error Code 10)

I noticed the error message below:

---------------------------
Microsoft Outlook
---------------------------
There is a problem with the proxy server's security certificate.
The name on the security certificate is invalid or does not match the name of the target site.

Outlook is unable to connect to the proxy server. (Error Code 10)
---------------------------
OK 
---------------------------

This is definitely related to Outlook Anywhere, which wraps remote procedure calls (RPCs) from the client (Outlook 2013) in an HTTP layer. By default this feature is enabled and all Outlook connectivity takes place over it, relying on a valid SSL certificate on the CAS server(s). Mailbox servers only require the default self-signed SSL certificate. According to the screenshot above, you need either to have the value “s04.testexch.local” in the certificate on the CAS servers, to switch off requiredSSL, or to change the value to suit your needs (e.g. you have a certificate with a different value).

EAC

EMS

Set-OutlookAnywhere

  • ExternalHostname
  • InternalHostname
  • ExternalClientAuthenticationMethod (Negotiate authentication: Enabled by default in Exchange 2013. This is a combination of Windows integrated authentication and Kerberos authentication. With Negotiate authentication, Exchange will authenticate the client using the NTLM authentication type and, if unable to verify authenticity, will challenge the client to authenticate using a username and password.)
  • SSLOffloading

Note: The SSLOffloading parameter specifies whether the Client Access server requires SSL. This value should be set to $true only when an SSL hardware solution is running in front of the Client Access server.

Testing

Outlook Anywhere can be tested via Test-OutlookConnectivity or the Remote Connectivity Analyzer.

Solution

In my case I used a cert issued by an internal CA with two subject alternative names, mail.testexch.local and autodiscove.testexch.local, so I only needed to rewrite the InternalHostname attribute on each CAS server.

[PS] C:\>Get-OutlookAnywhere | Set-OutlookAnywhere -InternalHostname mail.testexch.local -InternalClientsRequireSsl $true
[PS] C:\>Get-OutlookAnywhere | fl server,name,*hostname,ssl*,*auth*

Server : s03
Name : Rpc (Default Web Site)
ExternalHostname : mail.testexch.com
InternalHostname : mail.testexch.local
SSLOffloading : True
ExternalClientsRequireSsl : True
InternalClientsRequireSsl : True
ExternalClientAuthenticationMethod : Negotiate
InternalClientAuthenticationMethod : Ntlm
IISAuthenticationMethods : {Basic, Ntlm, Negotiate}

Server : s04
Name : Rpc (Default Web Site)
ExternalHostname : mail.testexch2013.com
InternalHostname : mail1.testexch2013.local
SSLOffloading : True
ExternalClientsRequireSsl : True
InternalClientsRequireSsl : True
ExternalClientAuthenticationMethod : Negotiate
InternalClientAuthenticationMethod : Ntlm
IISAuthenticationMethods : {Basic, Ntlm, Negotiate}

Notes

Exchange 2013 – Outlook 2013 – The connection to Microsoft Exchange is unavailable.

If Outlook uses the Autodiscover service, you may see the following error (Exchange 2013 + Outlook 2013 in my case):

Outlook error: Microsoft Outlook: The connection to Microsoft Exchange is unavailable. Outlook must be online or connected to complete this action.

Outlook error: Outlook is unable to connect to the proxy server. (Error Code 10)

The error could be due to:

  1. Firewall issue
  2. DNS failure
  3. Exchange misconfiguration
  4. Client issue
  5. Certificate validation failed

Well, quite a common problem.

Investigation

<?xml version="1.0" encoding="UTF-8"?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
  <Response>
    <Error Id="3876576560" Time="21:12:30.2927520">
      <ErrorCode>600</ErrorCode>
      <Message>Invalid Request</Message>
      <DebugData/>
    </Error>
  </Response>
</Autodiscover>

Error code 600 means the Autodiscover service is accessible and working. The Autodiscover request itself is invalid at this point, but that is typical behavior when testing via IE. Very useful articles on Autodiscover are White Paper: Exchange 2007 Autodiscover Service and Troubleshooting Autodiscover (Exchange 2007/2010).

Test-OutlookWebServices | fl
Source : s04.contoso.com
ServiceEndpoint : autodiscover.contoso.com
Scenario : AutoDiscoverOutlookProvider
ScenarioDescription : Autodiscover: Outlook Provider
Result : Failure
Latency : 22
Error : System.Net.WebException: The underlying connection was closed: Could not establish trust
 relationship for the SSL/TLS secure channel. --->
 System.Security.Authentication.AuthenticationException: The remote certificate is invalid
 according to the validation procedure.
…

The validation procedure (in short):

  1. The name used to access the resource needs to match the certificate exactly.
  2. The certificate date must be valid.
  3. The Certificate Authority which issued the certificate must be trusted by the client. (It needs to exist in the Trusted Root Certificate Authorities)
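
The three checks above, applied to every hostname a client will use, as an added example that is not part of the original post. The two SAN values are the ones quoted earlier on the page; the function name Test-CasCertificateName, the in-memory sample certificate and the list of hostnames to test are assumptions made for illustration.

```powershell
# Added example (not from the original post). Assumes .NET Framework 4.7.2+ or PowerShell 7.
function Test-CasCertificateName {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate,
        [Parameter(Mandatory)] [string[]] $HostName
    )
    # DnsNameList is the property PowerShell adds to certificate objects (SAN DNS names).
    $sans = @($Certificate.DnsNameList.Unicode | Where-Object { $_ })
    # Check 2: the certificate is inside its validity period.
    $now = Get-Date
    $dateValid = ($Certificate.NotBefore -le $now) -and ($now -le $Certificate.NotAfter)
    # Check 3: the chain ends in a root this machine trusts (revocation skipped: offline).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $trusted = $chain.Build($Certificate)
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    foreach ($name in $HostName) {
        # Check 1: exact name match; a wildcard SAN covers one left-most label only.
        $match = $false
        foreach ($san in $sans) {
            $pattern = '^' + [regex]::Escape($san).Replace('\*', '[^.]+') + '$'
            if ($name -match $pattern) { $match = $true; break }
        }
        [pscustomobject]@{
            HostName     = $name
            NameMatches  = $match
            DateValid    = $dateValid
            ChainTrusted = $trusted
            ChainStatus  = $status
        }
    }
}

# Constructed sample: an in-memory self-signed certificate carrying the two SANs
# quoted in the post, so the function runs without contacting a server.
$rsa = [System.Security.Cryptography.RSA]::Create(2048)
$req = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
    'CN=mail.testexch.local', $rsa,
    [System.Security.Cryptography.HashAlgorithmName]::SHA256,
    [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
$sanBuilder = [System.Security.Cryptography.X509Certificates.SubjectAlternativeNameBuilder]::new()
'mail.testexch.local', 'autodiscove.testexch.local' | ForEach-Object { $sanBuilder.AddDnsName($_) }
$req.CertificateExtensions.Add($sanBuilder.Build($false))
$cert = $req.CreateSelfSigned([DateTimeOffset]::Now.AddDays(-1), [DateTimeOffset]::Now.AddYears(1))

Test-CasCertificateName -Certificate $cert `
    -HostName 'mail.testexch.local', 'autodiscover.testexch.local', 's04.testexch.local' |
    Format-Table -AutoSize
```

For a real server, pass the certificate assigned to IIS on the CAS together with the hostnames reported by Get-OutlookAnywhere and the Autodiscover name the clients resolve.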

Solution

I checked the CAS certificate issued by the internal CA and found a missing letter in one SAN name. A new certificate assigned to the IIS service solved the error.

Notes