Thanks Michael. The connectivity test was unhappy that the SSL name had a mismatch between the External FQDN and the cert (we use a wildcard cert). So I used Set-OutlookProvider EXPR -CertPrincipalName to set the wildcard cert name and now it passes the test.
It has now worked on 4 out of 5 tries. The failed try, I rebooted and tried again and it worked (when it failed it was just re-prompting for credentials over and over). Interestingly, the prompt for domain members is still the internal name, but it does accept the credentials.

Brad

From: Michael B. Smith [mailto:mich...@smithcons.com]
Sent: Monday, February 15, 2010 9:01 AM
To: MS-Exchange Admin Issues
Subject: RE: Outlook Anywhere Authentication Behavior Domain Member vs. Non-Domain member

Sure, all the time. It's a key "use case" for OA.

Almost certainly you have the ClientAuth or RpcAuth for one of the vdir's set wrong or an external URL set wrong. I'd start with testexchangeconnectivity.com and see what it says.

Note that the detailed content of the response from autodiscover will tell you almost everything about your configuration. Using testexchangeconnectivity, you should be able to find the parameter which is set incorrectly and map it back to the parameter you need to change ('cuz the names just don't match).

Regards,
Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

From: Brad Metzler [mailto:bmetz...@cu-portland.edu]
Sent: Monday, February 15, 2010 11:34 AM
To: MS-Exchange Admin Issues
Subject: Outlook Anywhere Authentication Behavior Domain Member vs. Non-Domain member

I have observed in our implementation for Exchange 2010 that non-Domain Members can use Outlook Anywhere, but Domain Member systems are unable.

When a non-Domain Member creates a profile and auto-configures from a remote location, it appears Autodiscover works properly and they are prompted to authenticate to the server. The authentication box that is presented to them is asking them to authenticate to the external FQDN of the CAS server which works properly.
When a Domain Member creates a profile and auto-configures from a remote location, while the Autodiscover appears to work, they are then prompted to authenticate to the internal name of the CAS server, an operation which they cannot complete remotely or without VPN.

It appears that this may not even be a DNS related issue. As an experiment, I put the internal name of the server into the hosts file of the Domain Member system and tested it could ping the CAS server using the Internal name from the remote location. However when prompted to authenticate to the internal name server, the authentication still fails.

We also tried configuring a Domain Member for Outlook Anywhere while on site, then taking the system off-site and the authentication issue persists, so it is not an issue that is only present during configuration.

It seems that Domain Member systems are treated differently in how Outlook Anywhere handles their configuration. Again, non-Domain Members work as expected, it is only the Domain Members that cannot use Outlook Anywhere.

Does anyone else out there successfully use Outlook Anywhere with Domain Member clients off-site?

Brad