Since its introduction in Microsoft Outlook 2003, Outlook Anywhere has been a key tool in Microsoft’s mobile email armory. The concept behind it is simple and, providing all prerequisites are met, so is the setup. But there are times when Outlook Anywhere
1. Outlook Anywhere doesn’t accept user credentials
If Outlook Anywhere will not accept a username or password, the first thing to check is whether Exchange has all the most recent service packs and rollup updates applied. For example, if you’re still on Exchange Server 2003 -- as are so many others -- you must be on Service Pack 2 or later for Outlook Anywhere to work properly. Exchange Server 2007 requires Service Pack 2 or later as well.
I’ve also seen problems involving pre-Windows 7 Service Pack 1. Here, the issue lies with credentials that are locally cached in an incorrect format. Simply put, if Outlook Anywhere isn’t accepting credentials, service packs and rollup updates are the first place to check.
Additionally, if you use a proxy server on your network, make sure to add your Exchange server’s fully qualified domain name (FQDN) to the exclusion list. If it is not on the list, authorization traffic will stop without warning and you won’t receive an error message explaining why you can’t authenticate.
2. Outlook Anywhere security certificate issues
Exchange Server 2010 requires a subject alternative name (SAN) certificate in order for Outlook Anywhere to work correctly, as it allows multiple names to be associated with the certificate. Without this feature, only your outlook.domain.com (your Outlook Anywhere URL) will be recognized as a valid domain. Therefore, all the other required domain names are excluded. These names include:
- autodiscover.domain.com (your autodiscover address)
- OUTLOOK (your Exchange Server’s NetBIOS name)
SAN certificates aren’t cheap and many admins purchase certificates with short lifespans. The downside here is that expiration dates will creep up on you. This doesn’t affect connectivity, but it’s a bad practice and users will receive annoying certificate prompts when they start Outlook.
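An added example (not from the original article): a PowerShell check that reports which required names a certificate's SAN list fails to cover and how many days remain before it expires. The function names, the 30-day warning threshold and the in-memory sample certificate are assumptions made for illustration; the host names are the article's own placeholders.

```powershell
# Added example, not from the article. Needs PowerShell 7, or Windows PowerShell 5.1
# with .NET Framework 4.7.2+ (for CertificateRequest, used only to build the sample).
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

function Get-SanDnsName {
    param([X509Certificate2]$Certificate)
    # 2.5.29.17 is the Subject Alternative Name extension.
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $ext) { return }
    # English Windows formats entries as "DNS Name=host"; .NET on Linux as "DNS:host".
    [regex]::Matches($ext.Format($false), '(?:DNS Name=|DNS:)([^,\s]+)') |
        ForEach-Object { $_.Groups[1].Value.ToLowerInvariant() }
}

function Test-SanCoverage {
    param([X509Certificate2]$Certificate, [string[]]$RequiredName, [int]$WarnDays = 30)
    $sans = @(Get-SanDnsName -Certificate $Certificate)
    $missing = foreach ($name in $RequiredName) {
        $n = $name.ToLowerInvariant()
        # A wildcard entry covers exactly one left-most label: *.domain.com -> outlook.domain.com
        $parent = $n.Substring($n.IndexOf('.') + 1)
        $covered = ($sans -contains $n) -or ($n.Contains('.') -and ($sans -contains "*.$parent"))
        if (-not $covered) { $name }
    }
    $daysLeft = [int][math]::Floor(($Certificate.NotAfter - (Get-Date)).TotalDays)
    [pscustomobject]@{
        SanNames     = $sans
        Missing      = @($missing)
        DaysLeft     = $daysLeft
        ExpiringSoon = $daysLeft -lt $WarnDays
    }
}

# Constructed sample certificate, held in memory only: it lists the Outlook Anywhere and
# autodiscover names from the article but omits the NetBIOS name, and expires in 20 days.
$rsa = [RSA]::Create(2048)
$req = [CertificateRequest]::new('CN=outlook.domain.com', $rsa,
    [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
$san = [SubjectAlternativeNameBuilder]::new()
'outlook.domain.com', 'autodiscover.domain.com' | ForEach-Object { $san.AddDnsName($_) }
$req.CertificateExtensions.Add($san.Build($false))
$cert = $req.CreateSelfSigned([DateTimeOffset]::Now.AddDays(-1), [DateTimeOffset]::Now.AddDays(20))

Test-SanCoverage -Certificate $cert -RequiredName 'outlook.domain.com', 'autodiscover.domain.com', 'OUTLOOK'
```

Run as written, the result lists OUTLOOK under Missing and flags the certificate as expiring soon. To check a real certificate, export it from the server to a .cer file and load it with `[X509Certificate2]::new('<path to exported .cer>')` in place of `$cert`.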
3. Outlook Anywhere will not connect
The “disconnected” status in the bottom right-hand corner of Outlook can have several different causes: network issues, Exchange issues or security-related problems.
- Internet issues are going to be a problem if you’re using Outlook Anywhere on a larger scale -- such as with hosted Exchange. Before considering a move to hosted Exchange -- which uses Outlook Anywhere for mail delivery to end users -- make sure that you have the necessary Internet bandwidth to handle surplus traffic. If you don’t, your Internet connection will continue to crash and you’ll have plenty of unhappy users without email.
- Loss of Exchange connectivity has multiple possible causes, such as a change to your firewall (remember, port 443 should always be directed to Exchange). Your Exchange server might be turned off, the IIS server could be offline, or your proxy server may be blocking outbound traffic on the client side. A client-side issue may also stem from an Outlook add-on, such as a third-party mail scanner that’s blocking communications. Make sure to check all of the above.
- When it comes to security, Outlook Anywhere will be disconnected if your certificate store on your local PC becomes corrupted in any way. A full reinstallation is the only real fix. To determine whether or not this is your problem, enter your Outlook Web Access (OWA) address into a Web browser. If you see a message that states “not trusted” on a user’s PC, while others seem to be working, then the certificate store is to blame.
4. Out of office will not connect
A common thread surrounding these issues is that both admins and users receive little or no notice as to why Outlook Anywhere isn’t working. Out-of-office message problems are no exception. Additionally, the problem here lies not on the client or the server side, but actually somewhere in the middle.
When using the autodiscover service, you must create an additional external DNS record -- the aforementioned autodiscover.domain.com -- so that Outlook can resolve back to the source domain as it would if it were running locally. Creating the additional DNS SRV record allows the autodiscover service to correctly resolve out-of-office messages as well as client access role services like the offline address book, unified messaging and more.
Avoid overlooking crucial details when troubleshooting Outlook Anywhere.
This may seem obvious, but remember to check all the details, however small, when troubleshooting Outlook Anywhere. For example, when employees enter their usernames and passwords, they must remember to include the local domain name suffix in the username section. Local PC credentials attempt to authorize to the domain -- whether through the full user logon name format or NetBIOS. If the suffix isn’t included, authentication will fail. Also, if you enter the suffix in the uniform naming convention (UNC) format, it will be remembered in the credentials dialog box; if you use NetBIOS, it will not.
Another example is to check whether your Exchange is using NTLM authentication or basic authentication. Don’t forget, the details must match on both the client and server sides.
ABOUT THE AUTHOR
Dave Leaver has worked in the IT industry for the last ten years as an IT support engineer. He currently works for an IT support company in Cheltenham, UK, supporting over one thousand users, spanning over forty companies. Leaver specializes in Microsoft system migrations and Exchange Server. Leaver has also been a network administrator for the NHS and several large construction companies throughout the UK.
This was first published in February 2012