After playing around for a while, I found the solution. Before I jump in to the fix, let me explain a few changes in Exchange 2010 in terms of MAPI connectivity.
- All MAPI clients connecting to Exchange 2010 server connects to the mailbox through the CAS Server.
- A new service named Exchange RPC Client Access is introduced in 2010 CAS which handles all MAPI connections.
- All MAPI clients connect to the mailbox server directly in Exchange 2007.
We can see that this service needs rpc encryption and it is set to True by default.
Same is the case with Outlook 2007 & 2010 profiles! Encryption between Outlook and Exchange is enabled by default, which explains why these clients can connect to Exchange 2010 without any issues.
Outlook 2003 profiles don’t enable encryption by default.
Once I checked the box, I could connect to my 2010 mailbox.
You can also disable the requirement of 2010 CAS servers to have encryption enabled by running Set-RpcClientAccess –server servername –EncryptionRequired $false. This is not recommended though!
If you have too many Outlook 2003 clients trying to connect to a 2010 server, you can enable encryption using Group Policy.
50 comments:
Great article.. thanks for sharing
In Exchange 2010, Outlook will be connecting to CAS which will atleast go with its name Client access server covering all types of clients
But it does introduce one more problem with placing the cas role in the environment, now we will need CAS, hub and mailbox role in each site where there is mailboxes.. Not a big deal but it does require some planing for external owa connectivity in larger environment since you do not want external connection to each CAS server in the environment. It some environment, they might need didicated CAS for OWA\activesync\RPC-http with loadbalancing as in exchange 2007.
May be it is better to have Mailbox and CAS role together (acting similar to Exch 2007 for outlook) and have HUB\CAS role additional for external connectivity.
I would be intrested to know how does outlook client determines which cas to use and how it is loadbalanced? Also by having outlook connection through CAS what are the sizing requirement to handle the load, does that means that you we need more CAS then mailbox server (since it act now more like database server)?
cheers
Hi Rajith
I was playing around with client connectivity and found that the Outlook 2007 do not automatically failover to active DAG Mailbox database server.
I found the cause of it, the MAPI client connect to the perticular CAS based upon a attribute "RPCclientAccessServer" in mailbox database property, which is set statically when the mailbox database is created.
Now you would expect that when active mailbox database fails, you will update the RPCClientaccessserver property in the database but that does not happen.
Even worst when you have one mailbox server (NO DAG) and 2 CAS server (on seperate server to mailbox), when you create a database it will set RPCclientaccessserver to one of the CAS server and if that server is unavailable for any reason, the client will disconnect and will not failover to onother cas server.
Looking around in web I found that you need to create a ClientAccessArray. using the powershell script
New-ClientAccessArray -Fqdn casarray.domain.com -name casarray.domain.com -site sitename
Even after creating this array which include both of CAS server in the environment, it does not do much.. I think there is still some bug in Exchange 2010 related to ClientAccessArray which is not working as expected.
http://technet.microsoft.com/en-us/library/ee332317(EXCHG.140).aspx
I even try to set the RPCclientAccessserver property to name of CLientaccessarray but that does not work since OUltook client will not be able to resolve the Clientaccessarray name.
I guess New-Clientaccessarray is not doing its job by creating a NLB on both the CAS Box and creating necessary DNS records. Not much documentation is provided on ClientAcessArray by MS yet.
As I mention in my earlier post, moving MAPI client to CAS server does require more planning and configuration..
I wounder how Outlook 2010 client works in this case?
Hope MS will resolve this in RTM..
That was right on the spot.
Thanks for sharing.
MM
Thanks for the comment MM.
Thanks for sharing this, exactly what I needed
Glad to know it helped you Thaner.
Very good information, it helped me very much. Thank you
Glad to know that it helped you Anonymous. Thanks for the comment.
Thank you, just the information I was looking for.
Thanks for the comment Anonymous. Would be nice to leave your name.
Rajith, we are currently implementing migration from 2003 to 2010, your article was a big help for me
Thank you
"Anonymous"
Davy Neirynck
Glad that the article helped you Davy.
This may sound stupid, but I can't configure my clients to receive the new security settings. I even followed this microsoft article: http://support.microsoft.com/kb/2006508. When I gpupdate /force my client to receive the new GPO, it changes his security settings but the checkbox in outlook - encryption isn't ticked?
Have any of you already implemented this using GPO's or used another way to do this?
My client runs win xp sp3 with outlook 2003.
Davy
Hi Davy,
Do you have SP3 on Outlook 2003? I haven't done it myself. I will test this in my lab & update you.
Hi Rajith,
I made it work, you have to be really careful when copying the text of the microsoft article because i always was getting the error when importing the administrative template there was a problem at line 16.
CLASS USER
CATEGORY "Outlook 2003 RPC Encryption"
CATEGORY "Exchange settings"
POLICY "Enable RPC Encryption"
KEYNAME Software\Policies\Microsoft\Office\11.0\Outlook\RPC
PART "Encrypt data between Microsoft Office Outlook and Microsoft Exchange" CHECKBOX
VALUENAME EnableRPCEncryption
VALUEON NUMERIC 1 DEFCHECKED
VALUEOFF NUMERIC 0
END PART
END POLICY
END CATEGORY
END CATEGORY
Also i forgot to replicate to my DC who was in another site that i used for testing. My users running outlook 2003 now have the encryption option enabled by default and are not allowed to change it. It also works fine on our terminal servers.
Much thanks,
Davy
Hi Davy,
Didn't get time to test it yesterday. Glad that you have sorted it out. And thanks for the update.
Hi Rajith,
Thank you very much, this was my exact error and solution.
You might want to indicate that Outlook 2003 can still access Exchange 2003 server mailboxes with encryption checked so a GP could be rolled out before mailboxes are moved without affecting connectivity.
McCue
Thanks McCue.
Yes, a group policy with custom adm template can be used to automatically force Outlook 2003 to use an encrypted channel between the client & the exchange server.
I will write about how to do this very soon.
you saved my life dude!
Happy to know that the article helped you Gert.
To answer Deepak's question on CASArray, you need to create a DNS record for the name that will be CASArray, you also need to either use hardware load balancer and point the name you created in step above to the hardware load balancer IP. If you choose to use Windows NLB instead, you will need to configure it on all CAS servers that will participate in array and assign it a unique IP. Using the cmdlet to create CASArray just tells CAS servers that an array exists. It does not work until you actually setup that array by using hardware or windows NLB.
You saved my life too. Thank you much.
Thanks Anonymous.
Good Good Good, thank you
Thanks Anonymous.
Big help, thanks!
Thanks Anonymous.
Thanks a lot! You saved my day for sure. :]
Greetings from Norway.
Thanks Anonymous from Norway...
helpful post - put in a new Exchange 2010 box over the weekend, all my 2007 clients were fine, but my one 2003 client was not. This past was first on google and extremely helpful
Hi Dave,
Happy to know that this post helped you solve your issue.
Thanks a lot
Thanks Anonymous.
I believe the command should be
Set-RpcClientAccess -Server "Servername" -EncryptionRequired $False
Thanks David.
I have changed it in the post.
I just migrated my exchange server to 2010. Clients are running a mix of outlook 03/07. Everyone on outlook 07 is working but only the machines that are less then 3-4 years old are getting the policy. Is there any prerequisites (such as SP3) for this to work. There are about 2500 computers in my company and around 400 are having this problem so help will be greatly appreciated.
Hi,
Doesn't the policy tell you the clients supported? You can see that normally at the bottom of the window, when the option is double clicked.
Isn't non-OutlookSP3 machines getting the policy? Or is it the OS service pack? Does it work if you manually enalbe one of the clients?
Thanks.
thanks a bunch. I wasn't aware of this and I was having just that problem at a client!
Good to know that it helped you. Thanks.
Thanks for this, it solved my problem and answered the question as to why
Thanks Anonymous.
zNot for me I still get the password box when i open outlook, if it type it in it connects but always asks for password :|
Hi Mark, Is it for Outlook 2007+ clients? If so, run "test email configuration" and see whether the urls are set properly.
Is this happening in Outlook 2003?
yes happening both in 2003 and 2007
Excellent post, thank you!
Thanks Mital.
Great Thanks a Lot !!!!
Thanks Anonymous
Many thanks for such informative post.I am very happy to knew about it...
http://godwinsblog.cdtech.in/2010/12/send-sms-directly-from-microsoft.html
Post a Comment