Monday, July 12, 2010

Outlook Anywhere - Message: The underlying connection was closed: The connection was closed unexpectedly.

I ran into this problem a while back and thought I’d share my troubleshooting steps with the other professionals out there.

When trying to configure Outlook Anywhere at Some Company and using https://www.testexchangeconnectivity.com/ to test, I kept getting the following error:

Testing Http Authentication Methods for URL https://mail.domain.ca/rpc/rpcproxy.dll

Http Authentication Test failed

Additional Details

Exception Details:
Message: The underlying connection was closed: The connection was closed unexpectedly.
Type: System.Net.WebException
Stack Trace:
at System.Net.HttpWebRequest.GetResponse()
at Microsoft.Exchange.Tools.ExRca.Tests.HttpAuthMethodsTest.GetSupportedHttpAuthMethods()
at Microsoft.Exchange.Tools.ExRca.Tests.HttpAuthMethodsTest.PerformTestReally()

Here’s the detailed test results:

Connectivity Test Failed

Test Details

Testing RPC/HTTP connectivity

RPC/HTTP test failed

Test Steps

Attempting to test Autodiscover for tluk@domain.ca

Successfully tested Autodiscover

Test Steps

Attempting each method of contacting the AutoDiscover Service

The AutoDiscover Service was successfully tested.

Test Steps

Attempting to test potential AutoDiscover URL https://domain.ca/AutoDiscover/AutoDiscover.xml

Failed testing this potential AutoDiscover URL

Test Steps

Attempting to resolve the host name domain.ca in DNS.

Host successfully resolved

Additional Details

IP(s) returned: 99.999.999.99

Testing TCP Port 443 on host domain.ca to ensure it is listening and open.

The port was opened successfully.

Testing SSL Certificate for validity.

The SSL Certificate failed one or more certificate validation checks.

Test Steps

Validating certificate name

Certificate name validation failed

Additional Details

Host name domain.ca does not match any name found on the server certificate CN=webmail.domain.ca, OU=Domain Control Validated, O=webmail.domain.ca

Attempting to test potential AutoDiscover URL https://autodiscover.domain.ca/AutoDiscover/AutoDiscover.xml

Testing AutoDiscover URL succeeded

Test Steps

Attempting to resolve the host name autodiscover.domain.ca in DNS.

Host successfully resolved

Additional Details

IP(s) returned: 99.999.999.99

Testing TCP Port 443 on host autodiscover.domain.ca to ensure it is listening and open.

The port was opened successfully.

Testing SSL Certificate for validity.

The certificate passed all validation requirements.

Test Steps

Validating certificate name

Successfully validated the certificate name

Additional Details

Found hostname autodiscover.domain.ca in Certificate Subject Alternative Name entry

Validating certificate trust

The test passed with some warnings encountered. Please expand additional details.

Additional Details

Only able to build certificate chain when using the Root Certificate Update functionality from Windows Update. Your server may not be properly configured to send down the required intermediate certificates to complete the chain. Consult the certificate installation instructions or FAQ's from your Certificate Authority for more information.

Testing certificate date to ensure validity

Date Validation passed. The certificate is not expired.

Additional Details

Certificate is valid: NotBefore = 5/6/2010 3:34:15 PM, NotAfter = 5/6/2013 3:34:15 PM"

Attempting to send AutoDiscover POST request to potential autodiscover URLs.

Successfully Retrieved AutoDiscover Settings by sending AutoDiscover POST.

Test Steps

Attempting to Retrieve XML AutoDiscover Response from url https://autodiscover.domain.ca/AutoDiscover/AutoDiscover.xml for user tluk@domain.ca

Successfully Retrieved AutoDiscover XML Response

Additional Details

AutoDiscover Account Settings
XML Response:
<?xml version="1.0"?>
<Autodiscover xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
<Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
<User>
<DisplayName>Terence Luk</DisplayName>
<LegacyDN>/o=domain/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=TLuk</LegacyDN>
<DeploymentId>86ca6927-bc9f-43d0-8d7a-2b694bd93d75</DeploymentId>
</User>
<Account>
<AccountType>email</AccountType>
<Action>settings</Action>
<Protocol>
<Type>EXCH</Type>
<Server>hq-exch1.domain.local</Server>
<ServerDN>/o=Domain/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=HQ-EXCH1</ServerDN>
<ServerVersion>720280B0</ServerVersion>
<MdbDN>/o=Domain/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=HQ-EXCH1/cn=Microsoft Private MDB</MdbDN>
<ASUrl>https://hq-exch1.domain.local/EWS/Exchange.asmx</ASUrl>
<OOFUrl>https://hq-exch1.domain.local/EWS/Exchange.asmx</OOFUrl>
<OABUrl>http://hq-exch1.domain.local/OAB/0fa5be65-3c78-4ad4-826d-0775ea7cbc91/</OABUrl>
<UMUrl>https://hq-exch1.domain.local/UnifiedMessaging/Service.asmx</UMUrl>
<Port>0</Port>
<DirectoryPort>0</DirectoryPort>
<ReferralPort>0</ReferralPort>
<PublicFolderServer>hq-exch1.domain.local</PublicFolderServer>
<AD>hq-dc2.domain.local</AD>
<EwsUrl>https://hq-exch1.domain.local/EWS/Exchange.asmx</EwsUrl>
</Protocol>
<Protocol>
<Type>EXPR</Type>
<Server>mail.domain.ca</Server>
<OABUrl>https://mail.domain.ca/OAB/0fa5be65-3c78-4ad4-826d-0775ea7cbc91/</OABUrl>
<Port>0</Port>
<DirectoryPort>0</DirectoryPort>
<ReferralPort>0</ReferralPort>
<SSL>On</SSL>
<AuthPackage>Basic</AuthPackage>
</Protocol>
<Protocol>
<Type>WEB</Type>
<Port>0</Port>
<DirectoryPort>0</DirectoryPort>
<ReferralPort>0</ReferralPort>
<External>
<OWAUrl AuthenticationMethod="Fba">https://webmail.domain.com/owa</OWAUrl>
<OWAUrl AuthenticationMethod="Fba">https://webmail.domain.ca/owa</OWAUrl>
</External>
<Internal>
<OWAUrl AuthenticationMethod="Basic, Fba">https://hq-exch1.domain.local/owa</OWAUrl>
<OWAUrl AuthenticationMethod="Basic, Fba">https://hq-exchange1.domain.local/owa</OWAUrl>
<Protocol>
<Type>EXCH</Type>
<ASUrl>https://hq-exch1.domain.local/EWS/Exchange.asmx</ASUrl>
</Protocol>
</Internal>
</Protocol>
</Account>
</Response>
</Autodiscover>

Validating Autodiscover Settings for Outlook Anywhere

Outlook Anywhere Autodiscover Settings validated

Attempting to resolve the host name mail.domain.ca in DNS.

Host successfully resolved

Additional Details

IP(s) returned: 99.999.999.99

Testing TCP Port 443 on host mail.domain.ca to ensure it is listening and open.

The port was opened successfully.

Testing SSL Certificate for validity.

The certificate passed all validation requirements.

Test Steps

Validating certificate name

Successfully validated the certificate name

Additional Details

Found hostname mail.domain.ca in Certificate Subject Alternative Name entry

Validating certificate trust

The test passed with some warnings encountered. Please expand additional details.

Additional Details

Only able to build certificate chain when using the Root Certificate Update functionality from Windows Update. Your server may not be properly configured to send down the required intermediate certificates to complete the chain. Consult the certificate installation instructions or FAQ's from your Certificate Authority for more information.

Testing certificate date to ensure validity

Date Validation passed. The certificate is not expired.

Additional Details

Certificate is valid: NotBefore = 5/6/2010 3:34:15 PM, NotAfter = 5/6/2013 3:34:15 PM"

Testing Http Authentication Methods for URL https://mail.domain.ca/rpc/rpcproxy.dll

Http Authentication Test failed

Additional Details

Exception Details:
Message: The underlying connection was closed: The connection was closed unexpectedly.
Type: System.Net.WebException
Stack Trace:
at System.Net.HttpWebRequest.GetResponse()
at Microsoft.Exchange.Tools.ExRca.Tests.HttpAuthMethodsTest.GetSupportedHttpAuthMethods()
at Microsoft.Exchange.Tools.ExRca.Tests.HttpAuthMethodsTest.PerformTestReally()

As it turns out, when the RPC Windows component is installed, “Enable anonymous access” is enabled. The correct setting should be “Integrated Windows authentication” and “Basic authentication”.

Once the proper settings were checked and iisreset was run, the test ran correctly with:

Testing Http Authentication Methods for URL https://mail.domain.ca/rpc/rpcproxy.dll

Http Authentication Methods are correct

Additional Details

Found all expected authentication methods and no disallowed methods. Methods Found: Basic, Negotiate, NTLM
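
The same HTTP authentication check can be repeated after the fix without the web tool. The script below is an added example, not part of the original post and not the analyzer's own code: it takes the expected set (Basic, Negotiate, NTLM) from the passing result above, assumes a plain unauthenticated GET is enough to draw the 401 challenge, and uses constructed sample headers. The analyzer's list of disallowed methods is not shown in this post, so it is not checked.

```python
import http.client
import re

# Assumption: the expected set is the one reported on the passing run above.
EXPECTED = {"basic", "negotiate", "ntlm"}

def offered_schemes(www_authenticate_values):
    """Collect auth scheme names from one or more WWW-Authenticate values."""
    schemes = set()
    for value in www_authenticate_values:
        # Blank out quoted strings so commas inside a realm do not split it.
        unquoted = re.sub(r'"(?:\\.|[^"\\])*"', '""', value)
        for piece in unquoted.split(","):
            # A leading token followed by "=" is a parameter, not a scheme.
            m = re.match(r'\s*([A-Za-z0-9_-]+)\s*(=?)', piece)
            if m and not m.group(2):
                schemes.add(m.group(1).lower())
    return schemes

def assess(status, www_authenticate_values):
    """Judge the response to an unauthenticated request."""
    if status != 401:
        return ("FAIL", f"HTTP {status} without credentials, no 401 challenge")
    found = offered_schemes(www_authenticate_values)
    missing = EXPECTED - found
    if missing:
        return ("FAIL", "missing methods: " + ", ".join(sorted(missing)))
    return ("PASS", "methods found: " + ", ".join(sorted(found)))

def probe(host, path="/rpc/rpcproxy.dll", timeout=10):
    """Live check; a dropped connection is the failure shown in this post."""
    conn = http.client.HTTPSConnection(host, timeout=timeout)
    try:
        conn.request("GET", path)  # assumption: a plain GET draws the challenge
        resp = conn.getresponse()
        return assess(resp.status, resp.headers.get_all("WWW-Authenticate") or [])
    except ConnectionError as exc:
        return ("FAIL", f"connection closed without a response: {exc}")
    finally:
        conn.close()

# Constructed sample headers, not captured from the server in this post.
SAMPLE_SEPARATE = ["Negotiate", "NTLM", 'Basic realm="mail.domain.ca"']
SAMPLE_COMBINED = ['Negotiate, NTLM, Basic realm="mail, external"']

if __name__ == "__main__":
    print(assess(401, SAMPLE_SEPARATE))
    print(assess(401, SAMPLE_COMBINED))
    print(assess(200, []))
```

Run probe("mail.domain.ca") against your own external host name after changing the authentication settings and running iisreset.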

13 comments:

Anonymous said...

Thank you very much for this information. I recently worked on an active sync issue which was resolved after installing sp2 for exchange 2003. Unfortunately this broke RPCoverHTTP. I had searched several websites prior to with no success. Your permissions on the RPC directory was spot on!

Terence Luk said...

Glad that the post helped. :)

Coolhandluq said...

Just helped me out as well. Much appreciated Terence. I had ripped out IIS and client access and reinstalled them, and set up virtual directories again. RPC over HTTP had defaulted to anonymous after reinstalling just like you said.

Thanks for posting!

phishman9 said...

Helped me too. This hadn't been a problem with access before, but running these tests trying to move to Exchange 2010 yielded this configuration error. Thanks!

Gechurch said...

Thank you for taking the time to post this.

I had already checked a bunch of IIS settings (including this one) from the excellent article at http://www.experts-exchange.com/Software/Server_Software/Email_Servers/Exchange/A_1798-Exchange-2003-Activesync-Connection-Problems-FAQ.html. The settings were right, and after a reboot the problem persisted. I wouldn't have checked the settings again except for you having the exact cause listed here. I checked again and sure enough anonymous was set! It's as though the change was made but the UI didn't update until a restart. In any event unticking it fixed the issue.

Anonymous said...

This worked for me too. Thanks. This worked on a SBS 2003 server.

Anonymous said...

Greatly appreciated! Worked for me as well. Exchange 2003 on Windows 2003 Server Standard Edition SP2.

Anonymous said...

TTTHHHHAANNNNNK you!!!!!! :-)

Anonymous said...

TTTHHAANNNNKKK YOU!!!!!
indeed...

Bryan Gibson said...

Thank you so much for leaving this topic live on your blog. It just saved my bacon. You da man!