Monday, October 06, 2014

Sigh - Outlook Anywhere Exchange 2007 not playing nice with Exchange 2013

OK, now it's Outlook Anywhere's turn to go wonky. Users on Ex2007 is reporting that they cannot access Outlook externally.

exRCA returned an error:

RPC Proxy can't be pinged.

Additional Details

An unexpected network-level exception was encountered. Exception details:
Message: The remote server returned an error: (401) Unauthorized.
Type: Microsoft.Exchange.Tools.ExRca.Extensions.MapiTransportException
Stack trace:
at Microsoft.Exchange.Tools.ExRca.Extensions.MapiRpcTestClient.PingProtocolProxy(String endpointIdentifier)
at Microsoft.Exchange.Tools.ExRca.Tests.MapiPingProxyTest.PerformTestReally()
Exception details:
Message: The remote server returned an error: (401) Unauthorized.
Type: System.Net.WebException
Stack trace:
at System.Net.HttpWebRequest.GetResponse()
at RpcPingLib.RpcPing.PingProxy(String internalServerFqdn, String endpoint)
at Microsoft.Exchange.Tools.ExRca.Extensions.MapiRpcTestClient.PingProtocolProxy(String endpointIdentifier)
Elapsed Time: 280 ms. 

To make the long story short, the authentication method for Outlook Anywhere has to be set to NTLM on both Ex2013 and Ex2007. Again, just like the previously mentioned ActiveSync and OWA virtual directory issues, I had to reconfigure Outlook Anywhere.

  1. Disable Outlook Anywhere (
  2. Enable Outlook Anywhere - only performing the step under "To use the Exchange Management Console to enable Outlook Anywhere" (
Re configuring Outlook Anywhere will need 15 minutes to take effect. Watch the event viewer for the following entry:

Event Type: Information
Event Source: MSExchange RPC Over HTTP Autoconfig
Event Category: General 
Event ID: 3003
Date: 6/10/2014
Time: 10:50:51 AM
User: N/A
The Outlook Anywhere authentication settings have been updated.

Old settings: Ntlm
New settings: Basic

For more information, see Help and Support Center at

This article provides an extremely friendly insight that I could not find elsewhere:

The parts that struck me was:

  1. Note the two different authentication settings that are listed.  ClientAuthenticationMethod and IISAuthenticationMethods.   For the detail oriented people out there, you saw that one was plural and the other singular.
  2. Client authentication, which is used to allow clients like Outlook 2013 to authenticate with Exchange is properly configured.  The same consistent OA client authentication scheme should be deployed on legacy CAS and CAS 2013
  3. Internet Information Services (IIS) authentication, which is used to allow Exchange servers to communicate MUST include NTLM auth.
Therefore, I have also additionally set the IISAuthenticationMethods to NTLM as well (it was Basic only for some reason)

Set-OutlookAnywhere -Identity 'ExchangeServer\Rpc (Default Web Site)' -ClientAuthenticationMethod Basic -SSLOffloading $False –ExternalHostName -IISAuthenticationMethods NTLM, Basic

1 comment:

KWalsh said...

Are you sure that -ExternalHostName is right? Mine throws and error with this, I have to use -ExternalHostName instead.