Cannot connect to Exchange server.

Chris Smith

Hi,

My IT department refuses to support my Mac and I cannot connect to their
Exchange Server. I have configured the account but the Folders window reads
"Not Connected" next to the account. Any thoughts?

Thanks,
Chris

P.S. This is my first Mac and (obviously) the first time I am using it in a
Windows-centric environment, so I apologize if I have left out any pertinent
information.
 
Bill Bryson

Most likely your IT people have SSL required on the Exchange server. If OWA
is enabled (most likely) then in theory, Entourage should be able to connect
to the server if the IT people have done their job right. We have
experienced some of the "not connected" problems and they went away once the
System people enabled SSL for the backend servers and applied certificates
to them as well.

You can try using a unix-command to watch the traffic from your Mac by
opening a Terminal window and typing the command:

sudo tcpdump src your_ip_address

replace your_ip_address with the actual one listed in the Network
Preferences.

Start up Entourage and watch lines appear in the Terminal window listing the
TCP/IP traffic going from your computer. If there is a SSL problem, you
will see a line periodically for each shared calendar in Entourage that
lists the host address of your backend server and "https:". Normally you
should see a ton of lines listing the backend server host address if the
connection is opened. Instead you will see only a few among the many other
lines. Entourage seems to try every minute or so to establish the
connections and will fail if the backend server it is trying to connect to
is not set up to respond to SSL and has a certificate. If you have two
shared accounts then you will see two connection attempts fairly close together
as Entourage "talks". Unfortunately, though I can now see the accounts, I
now get a "certificate warning". Clicking OK still grants access to the
data.

Another test to see if the backend server will listen to SSL properly is to
go into a browser and try:

https://backend-server.domain.com/public

I am prompted for my UserID and password and then I see the empty public
folder we have. Prior to Systems putting on SSL and the certificate, I
would receive the error dialog - "no such server".

Another thing that is critical is that the DNS must include the domain of the
Exchange server in the Search domain. If it does not, you can manually type
the domain into the Network pane in System Preferences. This was necessary
for me. Delegated access relies on this because it uses only a
partially-qualified name. Finally, you need to have "Use SSL for WebDAV"
checked in the Advanced pane of the Tools/Accounts/Edit window.

Sorry if this is both too technical and not enough :)

Bill
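
The tcpdump check described in the post above can be turned into a count, shown here as an added example that is not part of the original post. It assumes tcpdump's default one-line output; the function names, the sample capture and the `busy` cut-off are constructed for illustration.

```python
import re
from collections import Counter

# tcpdump's default one-line format: "HH:MM:SS.frac IP src.port > dst.port: ..."
LINE = re.compile(r"^(\d\d:\d\d):\d\d\.\d+ IP \S+ > (\S+)\.(\w+): ")

def https_lines_per_minute(lines, backend):
    """Count captured lines sent to the backend's https port, keyed by HH:MM."""
    counts = Counter()
    for line in lines:
        m = LINE.match(line)
        if m and m.group(2) == backend and m.group(3) in ("https", "443"):
            counts[m.group(1)] += 1
    return dict(counts)

def classify(counts, busy=10):
    """'busy' is an assumed cut-off between 'a few' lines and 'a ton'."""
    return {minute: "open" if n >= busy else "attempt-only"
            for minute, n in counts.items()}

BACKEND = "backend-server.domain.com"   # placeholder host name used in the post
ME = "10.0.1.5.49152"                   # constructed client address and port

# Constructed capture: two lone attempts a minute apart, then a busy session.
SAMPLE = [
    f"09:00:01.000100 IP {ME} > {BACKEND}.https: Flags [S], seq 1, length 0",
    f"09:00:02.000200 IP {ME} > dns.domain.com.domain: 1+ A? example. (25)",
    f"09:01:03.000300 IP {ME} > {BACKEND}.https: Flags [S], seq 2, length 0",
] + [
    f"09:02:{s:02d}.000000 IP {ME} > {BACKEND}.https: Flags [P.], length 300"
    for s in range(12)
]

if __name__ == "__main__":
    result = classify(https_lines_per_minute(SAMPLE, BACKEND))
    for minute, state in sorted(result.items()):
        print(minute, state)
```

Minutes labelled attempt-only that recur about once a minute match the failing pattern described in the post.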
 
Corentin Cras-Méneur

Chris Smith said:
I also tried using port 3269 and I received a Root Certificate error
followed by:

"An unknown error (-17766) occurred."



You might need to import the cert of the server. If IT won't give it to
you, there are still options to obtain it yourself.
You can find more information about how to do it there:
http://www.cortig.net/wordpress/?p=32
(the information is taken directly from the OmniWeb help).

Chris Smith said:
OWA is enabled and I can access it through Safari. Is there a way to use OWA
to populate the GAL in Entourage?


OWA will allow you to get e-mail and sync address book and calendar.
Unfortunately, access to the GAL is done exclusively through LDAP.

Corentin
 
Nathan Herring [MSFT]

Chris Smith said:
Here are the results of the port scan:

Port Scan has started ...

Port Scanning host: 10.0.1.14

Open Port: 389 ldap
Open Port: 636 ldaps
Open Port: 3268 msft-gc
Open Port: 3269 msft-gc-ssl
Port Scan has completed ...

These are the choices that can possibly work. 636 and 3269 are the SSL
versions of 389 and 3268. Entourage does not enforce that the SSL checkbox
and the port number are in sync, so watch out for that.

3268/3269 are the Global Catalog (GC) ports. It's just an alternative LDAP
port, and still uses LDAP for the protocol. Active Directory, however, will
serve _different content_ on the GC port. It will pick up replicated
directory information from across the forest. Furthermore, it is indexed in
a particular way that will support Virtual List View (VLV), a way to list
sections of records from a larger selection so a client (e.g., Entourage
2004 SP2, which introduced this functionality) can emulate browsing the GAL.
One caveat is that VLV was introduced in AD 2003. Another caveat is that VLV
will error out if you specify a search base at all.

389/636 are the standard LDAP ports. In Active Directory's case, this data
is particular to this particular domain. Also, Active Directory will not
permit tree searches of data from the root, and such requires a search base.
Unfortunately, tree search does not support VLV.

Chris Smith said:
In the Accounts "Directory" field, I have 10.0.1.14 in both the "LDAP
server" and "Search Base" fields. Under 'Advanced Options' I have all three
boxes checked and I have over-ridden the default LDAP port to 3268. When I
search for a name, I get the following error message:

"The server can't be found. Be sure the mail server information is entered
correctly in the Account Manager, and that your DNS settings in the Network
Control Panel are correct."

This seems surprising, based on the fact that you can connect (enough to get
an LDAP error) below, but perhaps there is some strange port blocking that
the port scan doesn't notice?

Chris Smith said:
I also tried using port 3269 and I received a Root Certificate error
followed by:

"An unknown error (-17766) occurred."

-17800 + invalidDNSyntax(34) = -17766. Your Search Base of "10.0.1.14" is
not a valid distinguishedName. A valid DN would be something like
"DC=domainname,DC=com". If you are using 3268/3269, per the commentary
above, I would suggest not using a search base.

Now, if you use SSL when connecting to a server via an IP address, the
server certificate has to include that IP address or it will not be
considered secure no matter if the root certificate is on your X509Anchors
keychain.

Chris Smith said:
OWA is enabled and I can access it through Safari. Is there a way to use OWA
to populate the GAL in Entourage?

Not as yet; it's currently entirely LDAP-based.

Chris Smith said:
I really appreciate your efforts to help me.

Thanks,
Chris

Hope this helps.

-nh
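
The checks walked through in the reply above (SSL checkbox against port, search base against port type, the -17800 error offset, and SSL to a bare IP address) are collected here as an added example; it is not Entourage's or Microsoft's code. The function names and finding labels are hypothetical, the DN test is deliberately simplified, and the result-code table is a small subset of RFC 4511.

```python
import ipaddress
import re

ENTOURAGE_LDAP_BASE = -17800        # offset quoted in the reply above
LDAP_RESULT = {32: "noSuchObject", 34: "invalidDNSyntax", 49: "invalidCredentials"}
PLAIN, SSL, GC = {389, 3268}, {636, 3269}, {3268, 3269}

# Simplified "attr=value" test per component; no escaped commas (not full RFC 4514).
RDN = re.compile(r"^\s*[A-Za-z][A-Za-z0-9-]*\s*=\s*[^,=]+$")

def decode_error(code):
    """Split an Entourage error number into the LDAP result code it wraps."""
    ldap = code - ENTOURAGE_LDAP_BASE
    return ldap, LDAP_RESULT.get(ldap, "unknown")

def looks_like_dn(value):
    return all(RDN.match(part) for part in value.split(","))

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def check(server, port, use_ssl, search_base):
    """Return the problems from the reply that apply to these settings."""
    found = []
    if (use_ssl and port in PLAIN) or (not use_ssl and port in SSL):
        found.append("ssl-port-mismatch")        # checkbox and port disagree
    if search_base and not looks_like_dn(search_base):
        found.append("search-base-not-a-dn")     # would yield invalidDNSyntax
    if port in GC and search_base:
        found.append("search-base-on-gc-port")   # VLV errors out with a base
    if port not in GC and not search_base:
        found.append("search-base-required")     # 389/636 need a base
    if use_ssl and is_ip(server):
        found.append("cert-must-name-ip")        # cert has to include the IP
    return found

if __name__ == "__main__":
    print(decode_error(-17766))
    print(check("10.0.1.14", 3269, True, "10.0.1.14"))
    print(check("dc1.example.com", 3268, False, ""))   # constructed host name
```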
 