The setup is as follows

Windows Server 2012 R2 running Exchange 2013 CU5 - CAS Role
Windows Server 2012 R2 Running Exchange 2013 CU5 - Mailbox Role
Published via Web Application Proxy, using ADFS on Server 2012 R2

The problem

Browse to https://webmail.contoso.com/owa - log into OWA as myself this works fine - try and open another users mailbox that i have full access to, i get HTTP 400 bad request

If i browse to https://servername and perform the same procedure it works.   This leave me to the conclusion that the Web Application Proxy server / ADFS server is at fault

this KB article is not relevant in this instance, as I can resolve the names correctly;http://support.microsoft.com/kb/2770796/en-au

Any suggestions

Thank you.

Hi all,

I am currently trying to setup Exchange 2010 Outlook Web Access (OWA) to use ADFS for single sign-on.

I followed through the instructions on http://www.theidentityguy.com/articles/2010/10/15/access-owa-with-adfs.html and after a fair bit of poking and prodding I seemed to get it working correctly as users could log in without any problem.

However I am experiencing an issue when users try to delete emails, OWA reports "Your network connection isn't available.if the proplem continues, contact your helpdesk with this HTTP statis code:302.". 

After some Googling I can see numerous articles referencing the same issue- and they all seem to point towards authentication problems with the IIS web.config from the exchange server. This makes perfect sense since that's what I've been playing with to get ADFS working. I tested this by reverting the web.config back to its original state and voila- it works again (albeit without ADFS).

Below is the contents of web.config with ADFS working (but with the delete error)

URL has been changed to company.com

<?xml version="1.0" encoding="UTF-8"?><configuration><configSections><section name="microsoft.identityModel" type="Microsoft.IdentityModel.Configuration.MicrosoftIdentityModelSection, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /></configSections><system.webServer><httpRedirect enabled="false" /><modules runAllManagedModulesForAllRequests="true"><add name="WSFederationAuthenticationModule" type="Microsoft.IdentityModel.Web.WSFederationAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" preCondition="managedHandler" /><add name="SessionAuthenticationModule" type="Microsoft.IdentityModel.Web.SessionAuthenticationModule, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" preCondition="managedHandler" /></modules></system.webServer><appSettings><add key="FederationMetadataLocation" value="https://login.company.com/FederationMetadata/2007-06/FederationMetadata.xml" /></appSettings><location path="FederationMetadata"><system.web><authorization><allow users="*" /></authorization></system.web></location><system.web><authorization><deny users="?" /></authorization><authentication mode="None" /><compilation><assemblies><add assembly="Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" /></assemblies></compilation></system.web><microsoft.identityModel><service><audienceUris><add value="https://webmail.company.com/owa/" /></audienceUris><securityTokenHandlers><add type="Microsoft.IdentityModel.Tokens.Saml11.Saml11SecurityTokenHandler, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"><samlSecurityTokenRequirement mapToWindows="true" useWindowsTokenService="true" /></add></securityTokenHandlers><applicationService><claimTypeRequired><!--Following are the claims offered by STS 'http://login.company.com/adfs/services/trust'. Add or uncomment claims that you require by your application and then update the federation metadata of this application.--><claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name" optional="true" /><claimType type="http://schemas.microsoft.com/ws/2008/06/identity/claims/role" optional="true" /><!--<claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" optional="true" />--><!--<claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" optional="true" />--><!--<claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" optional="true" />--><!--<claimType type="http://schemas.xmlsoap.org/claims/CommonName" optional="true" />--><!--<claimType type="http://schemas.xmlsoap.org/claims/EmailAddress" optional="true" />--><!--<claimType type="http://schemas.xmlsoap.org/claims/Group" optional="true" />--><claimType type="http://schemas.xmlsoap.org/claims/UPN" optional="true" /><!--<claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" optional="true" />--><!--<claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/privatepersonalidentifier" optional="true" />--><!--<claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier" optional="true" />--><!--<claimType type="http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationinstant" optional="true" />--><!--<claimType type="http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod" optional="true" />--><!--<claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/denyonlysid" optional="true" />--><!--<claimType type="http://schemas.microsoft.com/ws/2008/06/identity/claims/denyonlyprimarysid" optional="true" />--><!--<claimType type="http://schemas.microsoft.com/ws/2008/06/identity/claims/denyonlyprimarygroupsid" optional="true" />--><!--<claimType type="http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid" optional="true" />--><!--<claimType type="http://schemas.microsoft.com/ws/2008/06/identity/claims/primarygroupsid" optional="true" />--><!--<claimType type="http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid" optional="true" />--><!--<claimType type="http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname" optional="true" />--><!--<claimType type="http://schemas.microsoft.com/2012/01/devicecontext/claims/isregistereduser" optional="true" />--><!--<claimType type="http://schemas.microsoft.com/2012/01/devicecontext/claims/identifier" optional="true" />--><!--<claimType type="http://schemas.microsoft.com/2012/01/devicecontext/claims/registrationid" optional="true" />--><!--<claimType type="http://schemas.microsoft.com/2012/01/devicecontext/claims/displayname" optional="true" />--><!--<claimType type="http://schemas.microsoft.com/2012/01/devicecontext/claims/ostype" optional="true" />--><!--<claimType type="http://schemas.microsoft.com/2012/01/devicecontext/claims/osversion" optional="true" />--><!--<claimType type="http://schemas.microsoft.com/2012/01/devicecontext/claims/ismanaged" optional="true" />--><!--<claimType type="http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-forwarded-client-ip" optional="true" />--><!--<claimType type="http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-application" optional="true" />--><!--<claimType type="http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-user-agent" optional="true" />--><!--<claimType type="http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-client-ip" optional="true" />--><!--<claimType type="http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path" optional="true" />--><!--<claimType type="http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-proxy" optional="true" />--><!--<claimType type="http://schemas.microsoft.com/2012/01/requestcontext/claims/relyingpartytrustid" optional="true" />--><!--<claimType type="http://schemas.microsoft.com/2012/12/certificatecontext/extension/applicationpolicy" optional="true" />--><!--<claimType type="http://schemas.microsoft.com/2012/12/certificatecontext/extension/authoritykeyidentifier" optional="true" />--><!--<claimType type="http://schemas.microsoft.com/2012/12/certificatecontext/extension/basicconstraints" optional="true" />--><!--<claimType type="http://schemas.microsoft.com/2012/12/certificatecontext/extension/eku" optional="true" />--><!--<claimType type="http://schemas.microsoft.com/2012/12/certificatecontext/field/issuer" optional="true" />--><!--<claimType type="http://schemas.microsoft.com/2012/12/certificatecontext/field/issuername" optional="true" />--><!--<claimType type="http://schemas.microsoft.com/2012/12/certificatecontext/extension/keyusage" optional="true" />--><!--<claimType type="http://schemas.microsoft.com/2012/12/certificatecontext/field/notafter" optional="true" />--><!--<claimType type="http://schemas.microsoft.com/2012/12/certificatecontext/field/notbefore" optional="true" />--><!--<claimType type="http://schemas.microsoft.com/2012/12/certificatecontext/extension/certificatepolicy" optional="true" />--><!--<claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/rsa" optional="true" />--><!--<claimType type="http://schemas.microsoft.com/2012/12/certificatecontext/field/rawdata" optional="true" />--><!--<claimType type="http://schemas.microsoft.com/2012/12/certificatecontext/extension/san" optional="true" />--><!--<claimType type="http://schemas.microsoft.com/ws/2008/06/identity/claims/serialnumber" optional="true" />--><!--<claimType type="http://schemas.microsoft.com/2012/12/certificatecontext/field/signaturealgorithm" optional="true" />--><!--<claimType type="http://schemas.microsoft.com/2012/12/certificatecontext/field/subject" optional="true" />--><!--<claimType type="http://schemas.microsoft.com/2012/12/certificatecontext/extension/subjectkeyidentifier" optional="true" />--><!--<claimType type="http://schemas.microsoft.com/2012/12/certificatecontext/field/subjectname" optional="true" />--><!--<claimType type="http://schemas.microsoft.com/2012/12/certificatecontext/extension/certificatetemplateinformation" optional="true" />--><!--<claimType type="http://schemas.microsoft.com/2012/12/certificatecontext/extension/certificatetemplatename" optional="true" />--><!--<claimType type="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/thumbprint" optional="true" />--><!--<claimType type="http://schemas.microsoft.com/2012/12/certificatecontext/field/x509version" optional="true" />--><!--<claimType type="http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork" optional="true" />--><!--<claimType type="http://schemas.microsoft.com/ws/2012/01/passwordexpirationtime" optional="true" />--><!--<claimType type="http://schemas.microsoft.com/ws/2012/01/passwordexpirationdays" optional="true" />--><!--<claimType type="http://schemas.microsoft.com/ws/2012/01/passwordchangeurl" optional="true" />--><!--<claimType type="http://schemas.microsoft.com/claims/authnmethodsreferences" optional="true" />--><!--<claimType type="http://schemas.microsoft.com/2012/01/requestcontext/claims/client-request-id" optional="true" />--></claimTypeRequired></applicationService><certificateValidation certificateValidationMode="None" /><federatedAuthentication><wsFederation passiveRedirectEnabled="true" issuer="https://login.company.com/adfs/ls/" realm="https://webmail.company.com/owa/" requireHttps="true" /><cookieHandler requireSsl="true" path="/" /></federatedAuthentication><issuerNameRegistry type="Microsoft.IdentityModel.Tokens.ConfigurationBasedIssuerNameRegistry, Microsoft.IdentityModel, Version=3.5.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35"><trustedIssuers><add thumbprint="5AB73BD59404270968C35A041354D8D25BFA84FC" name="http://login.company.com/adfs/services/trust" /></trustedIssuers></issuerNameRegistry></service></microsoft.identityModel></configuration>

Below is the original web.config which I have reverted to and everything works fine (without ADFS)

<?xml version="1.0" encoding="UTF-8"?><configuration><system.webServer><httpRedirect enabled="false" /></system.webServer></configuration>

We are having problems connecting users outside the network with Outlook.. Help please

Testing Outlook connectivity.
	The Outlook connectivity test failed.
	Additional Details   Elapsed Time: 23489 ms.
	Test Steps   The Microsoft Connectivity Analyzer is attempting to test Autodiscover for rricks@co.hernando.fl.us.   Testing Autodiscover failed.   Additional Details   Elapsed Time: 23488 ms.   Test Steps   Attempting each method of contacting the Autodiscover service.   The Autodiscover service couldn't be contacted successfully by any method.   Additional Details   Elapsed Time: 23488 ms.   Test Steps   Attempting to test potential Autodiscover URL https://co.hernando.fl.us:443/Autodiscover/Autodiscover.xml   Testing of this potential Autodiscover URL failed.   Additional Details   Elapsed Time: 21221 ms.   Test Steps   Attempting to resolve the host name co.hernando.fl.us in DNS.   The host name resolved successfully.   Additional Details   IP addresses returned: 24.129.129.232 Elapsed Time: 192 ms. Testing TCP port 443 on host co.hernando.fl.us to ensure it's listening and open.   The specified port is either blocked, not listening, or not producing the expected response

We are currently running Exchange 2010 sp3 and have a setup where we are providing email services to independent contractors who connect to us for email primarily using webmail.  We do not wish for the contractors to see each other in their address books.  We have long used the MSExchQueryBaseDN attribute in AD to specify an OU which has just a couple of corporate mail contacts in it and this is what all users see as the only entries in their address list when using outlook web app.

I have stood up our Exchange 2013 CU5 environment and have moved a few test users over to it.  Unfortunately the directory does not even appear when composing a new message and brining up the address book (only the user's contacts appear).  If I return the MSExchQueryBaseDN attribute to NULL value, the directory appears with ALL objects in it of course.

I initially thought maybe this type of segregation was no longer supported in Exchange 2013, but I found that in fact there is a new powershell command to set it in 2013 (Set-Mailbox -Identity Test User -QueryBaseDN "OU=Corp,DC=Domain,DC=Root").  Previously we had to do this manually in AD.

Should this type of filtering still work?  Any ideas why I'm seeing the behavior I am?

Note that I realize this likely could be handled by doing the following, of which I would only do as a last resort:

1) I could create an ABP for every contractor with an address list that contains only them (if I was talking about a handful, this would be OK but not really viable for hundreds).

2) I've seen info out there on filtering the MsExchSearchBase of the Default Global Address List.  I could set this to my OU which contains just the corporate contacts I wish users to see.  I don't know if this would cause any other impact though to my webmail-only users.  I also have a small subset which connect using RPC over HTTPS and we have Address Book Policies setup for each of those offices so that they only see their own office in their Global Address List so I don't think these users would be impacted either, but wanted to throw it out there.

We have a user who has these devices connected to our MX server;

iPhone 

iPad

Desktop Win 7 Pro, Outlook 2010

Laptop Win7 Pro, Outlook 2013

He will open an e-mail look at it, then delete. It then goes into the deleted items folder and duplicates as one read and one unread. We have not been able to figure out why this is happening. We have tried disconnecting all devices and reconnecting them, no joy. Tried recreating the .ost, no joy. Tried recreating user profile, no joy.

At one point we disconnected his laptop because he was getting a new one and it stopped doing it for the most part, still happened but not very often. Then we brought the new laptop online and it returned with a vengence. So we disconnected all devices and reconnected all devices except his desktop. He ran the weekend with no duplicates, Monday when we reconnected the desktop it came back strong.

It seems to be tied to the cached mode and Offline use. I did a complete uninstall/re-install and turned off cached mode for the re-up and had zero duplicates. A few days later I renamed the .ost and started Outlook and it immediately started popping dups on the other machine. I cancelled the build went and turned off the offline files option in outlook and restarted. No dups. I don't want to have this user operating without cached mode due to it being slower and having to wait if he loses the network briefly. Any ideas?

Franki

Environment:

Windows Server 2012 R2 running Lync 2013 - latest CU

Windows Server 2008 R2 SP1 running Exchange 2010 SP3 - latest RU

Trying to configure OWA integration with Lync, but .net framework 4.5.1 is installed, and it seems that it is incompatible with some of the hotfixes that need to be installed for this integration to work. For instance the UCAMRedist says it is for the wrong server verison, and unpacking the CWAOWASSPMAIN does not unpack the donnetfx35setup.exe fix. Is Lync integration with OWA only compatible with .net 3.5 and 4.0?

This is what I followed for the integration

http://technet.microsoft.com/en-us/library/gg420962(v=exchg.141).aspx 

http://jaworskiblog.com

Hello all,

I've been at this for a week and still cannot figure out what the cause of the issue might be.  I'm trying to setup SMIME encrypting and signature capabilities for an Exchange environment.  The UserCertificate Attribute is populating in ActiveDirectory for the users.  I have an online Root CA that does not issues anything but the Subordinate CA cert.  I then have a Subordinate CA that issues all client certificates.  The CRLs and AIA locations are functioning and downloadable.

When I try to send an encrypted message in OWA, all I receive is the message "An error occurred while encrypting this S/MIME message.  Certificates can't be found for any recipients."  Not sure what else do verify.  I believe I've configured the SMIMEConfig correctly in Exchange as well.  Based on this....http://technet.microsoft.com/en-us/library/dn626155(v=exchg.150).aspx

Thanks for any help

Program: Outlook 2010 / 2013

Feature: The automatically created calendar group "Team <Manager name>", that is generated on basis of Active Directory attribute "manager" each time Outlook starts.

When the manager has 50 or less employees, Outlook will automatically generate a "Team <manager name>" calendar group. When the manager has 100+ Outlook stops to generate the list / show the list. 

What is the precise limit, before Outlook stops to generate the list? 

Can it be raised?

I'm looking for the best way to restrict users who can access OWA externally, while keeping internal access to OWA open to everyone.  We would preferably like to control who has external access to OWA with an AD group. Users who have external access, would need both external and internal access to OWA. Internal users would only have internal access to OWA.

TMG is off the table since it is EOL. Reverse proxy might be a possibility, but I'm running into issues with the security setup and passing credentials.

Does anyone know the best way of restricting external access without disabling internal access?

Thanks

I have read a lot of articles and tried a lot of things, but I cannot get outlook to connect to my exchange server. This is a test environment, I have tried making my own certificate and signing it through my own CA to no avail. I have completely disabled windows firewall and stopped the service. I can ping between the two just fine by name or IP. I've tried not using cached mode, creating new profiles in outlook etc. I tried setting my CertPrincipalName to my FQDN in exchange powershell.

I am not an expert with exchange at all, but I feel like this should work with little to no configuration, instead I've wasted days on this. Half of the articles I've read don't seem to have solutions, and the other half have solutions that are not working for me.

I can access OWA and send emails on a client computer through OWA with no problems.

I am running a test domain on the same network as my current exchange 2003/sbs 2003 active environment, I don't know why this would be an issue, but if it is I cannot figure out why. The only thing I can see holding me back right now is not having a signed certificate from digicert etc, and an official internet domain set up, but I don't think either of those things matter in my situation. 

Any help is greatly appreciated and I'll gladly provide any other information requested to solve this issue, thank you.

Hello All,

I am looking for some advise regarding an issue I am experiencing. First, I would explain the environment:

I have 3 forest in my production environment:

1. Forest 1 having all user accounts (let's say it Source Domain i.e. ADSource.Local) with a UPN defined as "mail.com".

2. Forest 2 is hosting exchange services (let's say it Resource Domain i.e. Resource.Local). All the users ADSource.Local have linked mailboxes in the Resource.Local. ; all the users are able to connect their mailboxes through OWA & Outlook using their Email IDs in a format user"at"mail.com & that's working fine. User Logon Name in ADSource.Local and Email IDs in Resource.Local are same and used to access OWA & Outlook but the samaccountname is different that is used to logon the system.

3. Now, I have to migrate the user from ADSource to Forest 3 (let's say it Target Domain i.e. ADTarget.Local).

I created two-way trust b/w the forests used ADMT with PES (Password Export Server) & SID History to migrate Users, Computers and finally linked the mailboxes of these users using commandset-mailbox {MailboxAlias} -LinkedDomainController {targetUserForestDomainControler} -LinkedMasterAccount {NewAccountToLinkTheMailboxTo}  -LinkedCredential:(get-credential {targetCredential}).

After migration, migrated users are able to logon to the ADTarget.Local with all the system permissions and accesses as well except for OWA & Outlook. While I tried to connect OWA withDomain\UserName it allow me to access the mailbox whereas neither Outlook nor OWA not connected with the Email ID user"at"mail.com, that was working fine before the migration. I required to connect OWA & Outlook with the Email ID

Note that, in Exchange OWA authentication is set on Form-based authentication with Domain\Username format.

This issue made me crazy as I don't know what I miss.

Appreciate a solution for this.

Regards,

M. Faisal Sadiq

Hello almighty Microsoft Community!

I accidentally deleted an outlook 2010 calender item/event that included tracked mail conversations and other data, sadly I cant remember any exact data that would have been useful to search for.

Here is what I have tried to restore the item:

1. I checked the "deleted items" mail folder. The item does not show up in this folder.

2. I have looked through every other folder using the "folder" tab and the function "Recover Deleted Items." No luck here either, the calender event is gone.

Now for the tricky circumstances, I deleted the item from a shared calender that I am not the owner of. Therefore, I repeated the above two steps having logged onto the calender owner's account. No luck!

Are there any other options?

Thanks for your help,

Toby

Dear Team,

We have Exchange Server 2013 in our organization and we are facing a issue when we are trying to send a mail by using OWA.

When we click on the send button it will stuck in the draft folder.I have check every setting and found every thing is ok.

I restart the server several time but problem still exist. please help.

Regard

Saikat Das

Exchange 2013 SP1: Whenever I open my own mailbox in OWA (2013), I can see the 'Apps Bar' at the top of the email (such as Bing maps, Action Items etc) - but when I (or anyone else in the org) goes to 'Open another mailbox' that they have full access permissions to, this App bar disappears as soon as the other mailbox loads. This causes an issue for us as one of the apps is Symantec Enterprise Vault. The same thing appears to happen in the full Outlook 2013 client as well.

Is there any way to make the App Bar appear when opening another mailbox?

Thanks in advance.

Hello,

We had been through a migration from exchange 2010 to 2013 in the last year but have had an ongoing issue withsome Outlook clients getting a certificate warning after they launch the client.  Not all Outlook clients experience this.  We've just recently uninstalled exchange from our 2010 servers and shut them down.  What we have left are two 2013 servers in a DAG.  The certificate these Outlook clients are complaining about had expired in 2012.  Here is the warning they are getting:

"Certificate has expired warning or not yet valid"

I've been through numerous threads/sites regarding this error but it always ends up that there was an expired cert hanging out somewhere.  I cannot seem to find an expired cert anywhere...

I've ran the 'Get-ExchangeCertificate | fl' cmdlet and I see 7 certs listed, none of which match the thumbprint on the Cert Warning on Outlook.

When I check the registry of the Exchange servers here: HKLM>Software>Microsoft>SystemCertificates>My>Certificates

I can see 7 certificate entries listed there and the thumbprint matches those of the cmdlet ran from EMS.

OWA shows the correct cert expiring in 2015 and Outlook clients are pointed to the 2013 servers.  We do have a load balancer that AutoDiscover, OWA, SMTP are going through.  

It seems like some of these Outlook clients are still looking at the decommissioned 2010 Exchange servers' old certificate.  Any ideas on how I can get outlook to point to the new certificate/server?

Thanks.

Rory

Rory Schmitz

hi

if use outlook any where im received this message

the name of the security certificate is invalid or does not match

the name of the site. i can connected but get message , how to fix his ?

this error suddely happen before  3 weeks working fine

internaly working fine ,please advice me

I have exchange 2013 and 2010 installed and I'm in co-existence mode. Everything is working correctly except OWA. When I login with an account that has been moved to 2013 it works perfect but when I try to login with an account that is still on the 2010 server I get the ":( Sorry, something went wrong" message.

Outlook Anywhere and ActiveSync also works fine to access mailboxes on either server.

Any ideas on what I might be doing wrong?

Thanks!

My manager is having a problem.  "randomly" reoccurring meetings in outlook will after some time start showing as this:

"Exchange 2013 re-created a meeting that was missing from your calendar"

With all the "meat" of the body is missing.

We are running Exchange 2013 SP1 and Outlook 2013.  They look the same in OWA.  Meetings can be from different senders, different times etc.

Any thoughts?