I noticed the error message below:
    ---------------------------
    Microsoft Outlook
    ---------------------------
    There is a problem with the proxy server's security certificate. The name on the security certificate is invalid or does not match the name of the target site. Outlook is unable to connect to the proxy server. (Error Code 10)
    ---------------------------
    OK
    ---------------------------

It is definitely related to Outlook Anywhere, which the client (Outlook 2013) uses to wrap remote procedure calls (RPCs) in an HTTP layer. This feature is enabled by default, and all Outlook connectivity takes place over it, relying on a valid SSL certificate on the CAS server(s). Mailbox servers only require the default self-signed SSL certificate. According to the screenshot above, you need to either have the value “s04.testexch.local” in the certificate on the CAS servers, switch off requiredSSL, or change the hostname value to suit your needs (e.g. you have a certificate with a different value).
EAC
- ExternalHostname
- InternalHostname
- ExternalClientAuthenticationMethod (Negotiate authentication: enabled by default in Exchange 2013. This is a combination of Windows integrated authentication and Kerberos authentication. With Negotiate authentication, Exchange authenticates the client using the NTLM authentication type and, if it is unable to verify authenticity, challenges the client to authenticate with a username and password.)
- SSLOffloading. Note: The SSLOffloading parameter specifies whether the Client Access server requires SSL. This value should be set to $true only when an SSL hardware solution is running in front of the Client Access server.
Testing
Outlook Anywhere can be tested with Test-OutlookConnectivity or the Remote Connectivity Analyzer.
Solution
In my case I used a cert issued by an internal CA with two subject alternative names, mail.testexch.local and autodiscover.testexch.local. So it was only necessary to rewrite the InternalHostname attribute on each CAS server.

    [PS] C:\>Get-OutlookAnywhere | Set-OutlookAnywhere -InternalHostname mail.testexch.local -InternalClientsRequireSsl $true
    [PS] C:\>Get-OutlookAnywhere | fl server,name,*hostname,ssl*,*auth*

    Server                             : s03
    Name                               : Rpc (Default Web Site)
    ExternalHostname                   : mail.testexch.com
    InternalHostname                   : mail.testexch.local
    SSLOffloading                      : True
    ExternalClientsRequireSsl          : True
    InternalClientsRequireSsl          : True
    ExternalClientAuthenticationMethod : Negotiate
    InternalClientAuthenticationMethod : Ntlm
    IISAuthenticationMethods           : {Basic, Ntlm, Negotiate}

    Server                             : s04
    Name                               : Rpc (Default Web Site)
    ExternalHostname                   : mail.testexch2013.com
    InternalHostname                   : mail1.testexch2013.local
    SSLOffloading                      : True
    ExternalClientsRequireSsl          : True
    InternalClientsRequireSsl          : True
    ExternalClientAuthenticationMethod : Negotiate
    InternalClientAuthenticationMethod : Ntlm
    IISAuthenticationMethods           : {Basic, Ntlm, Negotiate}
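An added example (not part of the original post): a PowerShell check that flags any Outlook Anywhere InternalHostname the certificate's names do not cover, which is the condition behind Error Code 10. It goes slightly beyond the post by also handling wildcard names. The function name Test-CertCoversHost is hypothetical, and the sample data is constructed from the values shown above.

```powershell
# Added example, not the author's code. Test-CertCoversHost is a hypothetical helper.
function Test-CertCoversHost {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [Parameter(Mandatory)][string[]]$CertificateDomains
    )
    foreach ($domain in $CertificateDomains) {
        # Exact match, case-insensitive (DNS names are not case-sensitive).
        if ($domain -ieq $HostName) { return $true }

        # A wildcard name covers exactly one left-most label:
        # *.testexch.local matches mail.testexch.local but not a.b.testexch.local.
        if ($domain.StartsWith('*.')) {
            $suffix   = $domain.Substring(1)        # ".testexch.local"
            $firstDot = $HostName.IndexOf('.')
            if ($firstDot -gt 0 -and $HostName.Substring($firstDot) -ieq $suffix) {
                return $true
            }
        }
    }
    return $false
}

# Constructed sample data mirroring the post: the two names on the internal-CA
# certificate and the InternalHostname values from the Get-OutlookAnywhere output.
# Assumption: on a live server these would come from Get-OutlookAnywhere and from
# the CertificateDomains property of the Get-ExchangeCertificate entry bound to IIS.
$certDomains = @('mail.testexch.local', 'autodiscover.testexch.local')
$endpoints = @(
    [pscustomobject]@{ Server = 's03'; InternalHostname = 'mail.testexch.local' }
    [pscustomobject]@{ Server = 's04'; InternalHostname = 'mail1.testexch2013.local' }
)

# One result row per CAS; CoveredByCert = False means Outlook will reject the
# proxy certificate for that server's configured hostname.
foreach ($ep in $endpoints) {
    [pscustomobject]@{
        Server           = $ep.Server
        InternalHostname = $ep.InternalHostname
        CoveredByCert    = Test-CertCoversHost -HostName $ep.InternalHostname `
                                               -CertificateDomains $certDomains
    }
}
```

With this sample data, s03 is reported as covered and s04 is not, because mail1.testexch2013.local is absent from the certificate's names.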
- The CAS server in Exchange 2013 only proxies the traffic and does not render the mailbox data. Besides the advantage of needing only a Layer 4 load balancing solution (hell, you could just use Round Robin), the new architecture reduces the number of namespaces you need when deploying Exchange (source: EHLO: I am Exchange 2013–CAS Role).
- Exchange 2013: Configuring Outlook anywhere
- Exchange Team Blog – Exchange 2013 Client Access Server Role
- TechNet Articles – How to Configure SSL Offloading in Exchange 2010