But it's running 2010 behind Forefront TMG, so it's potentially not going to talk through. Depends on what they have set up in TMG. I don't run TMG, but I run a 2010/365 Hybrid Coex and for mine you have to be on VPN to hit the internal server with a client, or go through OWA. He could have something similar.
Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
Mail continuously fails with Exchange
- Thread starter profchildermass
- Start date
- Sort by reaction score
But it's running 2010 behind Forefront TMG, so it's potentially not going to talk through. Depends on what they have set up in TMG. I don't run TMG, but I run a 2010/365 Hybrid Coex and for mine you have to be on VPN to hit the internal server with a client, or go through OWA. He could have something similar.
Mac mail can no longer access Exchange 2007 in combination with TMG
Hallo Petvas, and others
My company has just changed something in TMG which has caused all Mac user's to lose accessibility to Exchange: Both Mail and Outlook 2011 applications. Until that moment we could connect without a problem.
According to the system administrators they changed the following keys on TMG:
HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\ Create a new DWORD value called AllowInsecureRenegoClients set to 0
HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\ Create a new DWORD value called DisableRenegoOnServer set to 1
This seems to be related to disabling SSLv2 and enabling SSLv3
I was wandering if you have came across this issue? and if you point me to any relevant documentation or solution?
Kind regards,
Daniel
Hallo Petvas, and others
My company has just changed something in TMG which has caused all Mac user's to lose accessibility to Exchange: Both Mail and Outlook 2011 applications. Until that moment we could connect without a problem.
According to the system administrators they changed the following keys on TMG:
HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\ Create a new DWORD value called AllowInsecureRenegoClients set to 0
HKLM\System\CurrentControlSet\Control\SecurityProviders\SChannel\ Create a new DWORD value called DisableRenegoOnServer set to 1
This seems to be related to disabling SSLv2 and enabling SSLv3
I was wandering if you have came across this issue? and if you point me to any relevant documentation or solution?
Kind regards,
Daniel
Exchange EWS CAS misconfiguration?
Hello - I joined this forum just so i could ask you this question:
I'm a field IT/Systems/Automation engineer but lack expertise with Exchange.. I also use a Mac. The Corp IT guys hired a consultant to migrate us from Exchange 2003 to 2010, and I'm thinking he might not have done things the right way..
1 - we switched from NTLM to kerberos authentication and now remote clients are prompted to enter their passwords when opening Outlook - previously their workstation credentials were passed through.
2 - users receive the 'the exchange administrator has made a change to the server... you must restart outlook" message every time they change network connectivity (wired>wireless, wifi hotspot 1>wifi hotspot2.. etc)
3 - (my issue) - if I manually configure Mac Mail to use one of our two load-balanced exchange servers, it works fine, but 'Reminders' doesn't work.. If i allow Mac mail to auto-configure itself, it properly identifies the internal CAS server and the external OWA server, but fails to 'connect' with the SSL error message described above. Nothing i do, short of changing the server, works. I have 'trusted' the SSL certificate.
For what it is worth, my email address suffix is different from the primary dns suffix, because we are a subsidiary of the main company. This doesn't really cause any problems as far as i can tell.
any suggestions why connectivity through CAS fails from Mac mail? MS outlook in windows has no problems.
your help/suggestions are greatly appreciated!
Hello - I joined this forum just so i could ask you this question:
I'm a field IT/Systems/Automation engineer but lack expertise with Exchange.. I also use a Mac. The Corp IT guys hired a consultant to migrate us from Exchange 2003 to 2010, and I'm thinking he might not have done things the right way..
1 - we switched from NTLM to kerberos authentication and now remote clients are prompted to enter their passwords when opening Outlook - previously their workstation credentials were passed through.
2 - users receive the 'the exchange administrator has made a change to the server... you must restart outlook" message every time they change network connectivity (wired>wireless, wifi hotspot 1>wifi hotspot2.. etc)
3 - (my issue) - if I manually configure Mac Mail to use one of our two load-balanced exchange servers, it works fine, but 'Reminders' doesn't work.. If i allow Mac mail to auto-configure itself, it properly identifies the internal CAS server and the external OWA server, but fails to 'connect' with the SSL error message described above. Nothing i do, short of changing the server, works. I have 'trusted' the SSL certificate.
For what it is worth, my email address suffix is different from the primary dns suffix, because we are a subsidiary of the main company. This doesn't really cause any problems as far as i can tell.
any suggestions why connectivity through CAS fails from Mac mail? MS outlook in windows has no problems.
your help/suggestions are greatly appreciated!
The Mac Mail App doesn't support Kerberos, unless your Mac is joined in the AD Domain of your company. If it works as a standalone machine, then it is normal that you get auth dialogs..
The Exchange consultant should configure NTLM as a fallback mechanism too.
This is how I would set that up:
Create an Alternate Service Account as type Computer: ASAEXC
setspn.exe A HTTP/mail.domain.com Domain\ ASAEXC$
setspn.exe A HTTP/powershell.domain.com Domain\ ASAEXC$
.\RollAlternateServiceAccountPassword.ps1 -ToEntireForest -GenerateNewPasswordFor Domain\ASAEXC$
Set the correct authentication method for all servers:
Get-OutlookAnywhere Server <Exchange_SERVER> -ADPropertiesOnly | Set-OutlookAnywhere -InternalClientAuthenticationMethod Negotiate -IISAuthenticationMethods NTLM, Negotiate
If you are using a different email suffix as the main one, then you will probably get a warning that the autodiscover certificate doesn't match your domain, or that your client needs to be forwarded to a different autodiscover server (autodiscover.smtp.yourdomain). You can probably configure your Mac client manually, or suppress the warning.
Thanks for your response..
let me clarify a few things..
I misspoke when i said Kerberos - instead, i have been told that NTLM direct connection (RPC) has been deprecated in favor of Basic authentication and RPC-over-HTTPS/SSL proxy (outlook anywhere). I guess this is what prevents automatic domain credential passthrough authentication for remote (internet based) clients. I assume password prompts in this scenario are normal now.
First, regarding my Mac Mail client -
if i manually enter one of our two exchange servers into the 'server' field.. the mail client works well.
If i let it auto discover (which it does correctly i believe.. finding our 'CAS' server for 'internal' and our 'OWA' server for 'external')... then my Mac mail client is unable to connect.
this does not appear to be related to auto discover or domain suffix..
does this mean that the exchange servers are using NTLM and the CAS is not? or maybe something else that I'm not thinking of?
can i use domain\username syntax for basic authentication or must i use username@domain.com?
let me clarify a few things..
I misspoke when i said Kerberos - instead, i have been told that NTLM direct connection (RPC) has been deprecated in favor of Basic authentication and RPC-over-HTTPS/SSL proxy (outlook anywhere). I guess this is what prevents automatic domain credential passthrough authentication for remote (internet based) clients. I assume password prompts in this scenario are normal now.
First, regarding my Mac Mail client -
if i manually enter one of our two exchange servers into the 'server' field.. the mail client works well.
If i let it auto discover (which it does correctly i believe.. finding our 'CAS' server for 'internal' and our 'OWA' server for 'external')... then my Mac mail client is unable to connect.
this does not appear to be related to auto discover or domain suffix..
does this mean that the exchange servers are using NTLM and the CAS is not? or maybe something else that I'm not thinking of?
can i use domain\username syntax for basic authentication or must i use username@domain.com?
Is your client connecting through your company's local area network or is it connecting via the Internet?
Your client should be able to resolve autodiscover.smtp.domain, otherwise it won't be able to configure itself successfully.
Connecting via LAN. Neither my mac nor a domain-joined windows machine can resolve autodiscover.smtp.domain.com obviously i am replacing 'domain' with my domain DNS suffix
For what it's worth, Windows Outlook clients auto configure correctly, whether on AD-joined or not.
my Mac is NOT on the domain, but it does 'discover' the correct internal cas.domain.com and external owa.domain.com servers. unfortunately this fails to connect. I have to manually change internal server to vmail1.domain.com (one of our exchange servers) and then connection succeeds
If your email address is test.com, then you should be able to resolve autodiscover.test.com
Windows Outlook Clients use the SCP published in AD for autodiscover, but non domain joined clients use DNS, so that means that Autodiscover seems to be working ok.