Discussion:
Cannot connect to Exchange server.
Chris Smith
2005-08-23 14:22:27 UTC
Hi,

My IT department refuses to support my Mac and I cannot connect to their
Exchange Server. I have configured the account but the Folders window reads
"Not Connected" next to the account. Any thoughts?

Thanks,
Chris

P.S. This is my first Mac and (obviously) the first time I am using it in a
Windows-centric environment, so I apologize if I have left out any pertinent
information.
Chris Smith
2005-08-23 15:39:23 UTC
BTW, I am running OS X 10.3.9 and trying to connect to an Exchange 2003 box.
rliebsch
2005-08-23 18:21:11 UTC
What version of Entourage are you using?

If you are using EntourageX you may not be able to connect, as the IT
department likely has disabled IMAP. If you are using Entourage2004 you
should be able to connect with little problem.

If you are using 2004, and cannot connect, confirm you set up the
account as an Exchange account, and also confirm that Outlook Web
Access works; http://name.of.exchange/exchange is the default web site.
Chris Smith
2005-08-24 18:10:01 UTC
Thank you very much. I had a very heated debate with IT yesterday and they
again refused my request. This morning I port-scanned their Exchange server
and was able to connect surreptitiously using LDAP. Needless to say I
learned a lot during the past 24 hours.

I am using Entourage2004 and the only issue I currently have is that I have
no global address book or public folders. Any thoughts?

Thanks,
Chris


rliebsch
2005-08-24 20:19:14 UTC
What port did you find LDAP on?
Is Outlook Web Access enabled? Did you see any web activity (port 80)
when you did a port scan?

Basically, the default LDAP port is 3268. And the server will require
authentication. So confirm your settings in Tools: Accounts: Exchange:
then Directory Tab, Click the "Click here for Advanced options" and
confirm LDAP port number and authentication buttons.

It's likely they have OWA and LDAP (AD) enabled.

You won't have very robust access to the Public Folders or GAL. But you
can search against the GAL. For instance, you won't ever see a company
list. You can only make queries against the GAL. And public folders are
almost a joke in Entourage, nested folders are lost, public contacts
and calendars are also inaccessible.

You can however use OWA to get at these things.
Chris Smith
2005-08-25 12:08:41 UTC
Here are the results of the port scan:

Port Scan has started ...

Port Scanning host: 10.0.1.14

Open Port: 25 smtp
Open Port: 53 domain
Open Port: 80 http
Open Port: 88 kerberos
Open Port: 110 pop3
Open Port: 135 epmap
Open Port: 139 netbios-ssn
Open Port: 389 ldap
Open Port: 443 https
Open Port: 445 microsoft-ds
Open Port: 464 kpasswd
Open Port: 593 http-rpc-epmap
Open Port: 636 ldaps
Open Port: 691 msexch-routing
Open Port: 995 pop3s
Open Port: 1026 cap
Open Port: 1030 iad1
Open Port: 1059 nimreg
Open Port: 1080 socks
Open Port: 1089 ff-annunc
Open Port: 1090 ff-fms
Open Port: 1096 cnrprotocol
Open Port: 1097 sunclustermgr
Open Port: 1107 isoipsigport-2
Open Port: 1113
Open Port: 1121
Open Port: 1177
Open Port: 1279 dellwebadmin-2
Open Port: 1291 seagulllms
Open Port: 1296 dproxy
Open Port: 1311 rxmon
Open Port: 1400 cadkey-tablet
Open Port: 1470 uaiact
Open Port: 3268 msft-gc
Open Port: 3269 msft-gc-ssl
Open Port: 3372 tip2
Open Port: 3389 ms-wbt-server
Open Port: 4101
Open Port: 4107
Open Port: 5800
Open Port: 5900
Open Port: 6001
Open Port: 6002
Open Port: 6101 synchronet-rtc
Port Scan has completed ...


In the Accounts "Directory" field, I have 10.0.1.14 in both the "LDAP
server" and "Search Base" fields. Under 'Advanced Options' I have all three
boxes checked and I have over-ridden the default LDAP port to 3268. When I
search for a name, I get the following error message:

"The server can't be found. Be sure the mail server information is entered
correctly in the Account Manager, and that your DNS settings in the Network
Control Panel are correct."

I also tried using port 3269 and I received a Root Certificate error
followed by:

"An unknown error (-17766) occurred."

OWA is enabled and I can access it through Safari. Is there a way to use OWA
to populate the GAL in Entourage?

I really appreciate your efforts to help me.

Thanks,
Chris

Corentin Cras-Méneur
2005-08-25 23:51:11 UTC
Post by Chris Smith
I also tried using port 3269 and I received a Root Certificate error
"An unknown error (-17766) occurred."
You might need to import the cert of the server. If IT won't give it to
you, there are still options to obtain it yourself.
You can find more information about how to do it there:
http://www.cortig.net/wordpress/?p=32
(the information is taken directly from the OmniWeb help).
Post by Chris Smith
OWA is enabled and I can access it through Safari. Is there a way to use OWA
to populate the GAL in Entourage?
OWA will allow you to get e-mail and sync address book and calendar.
Unfortunately, access to the GAL is done exclusively through LDAP.

Corentin
--
--- Mac:MS MVP (Francophone) ---
http://www.mvps.org - http://mvp.support.microsoft.com
MVPs are not MS employees - Les MVP ne travaillent pas pour MS
Remove "NoSpam" to e-mail me - Retirez "NoSpam" pour m'écrire
Nathan Herring [MSFT]
2005-10-06 08:45:18 UTC
Post by Chris Smith
Port Scan has started ...
Port Scanning host: 10.0.1.14
Open Port: 389 ldap
Open Port: 636 ldaps
Open Port: 3268 msft-gc
Open Port: 3269 msft-gc-ssl
Port Scan has completed ...
These are the choices that can possibly work. 636 and 3269 are the SSL
versions of 389 and 3268. Entourage does not enforce that the SSL checkbox
and the port number are in sync, so watch out for that.

3268/3269 are the Global Catalog (GC) ports. It's just an alternative LDAP
port, and still uses LDAP for the protocol. Active Directory, however, will
serve _different content_ on the GC port. It will pick up replicated
directory information from across the forest. Furthermore, it has indexed in
a particular way that will support Virtual List View (VLV), a way to list
sections of records from a larger selection so a client (e.g., Entourage
2004 SP2, which introduced this functionality) can emulate browsing the GAL.
One caveat is that VLV was introduced in AD 2003. Another caveat is that VLV
will error out if you specify a search base at all.

389/636 are the standard LDAP ports. In Active Directory's case, this data
is particular to this particular domain. Also, Active Directory will not
permit tree searches of data from the root, and such requires a search base.
Unfortunately, tree search does not support VLV.
Post by Chris Smith
In the Accounts "Directory" field, I have 10.0.1.14 in both the "LDAP
server" and "Search Base" fields. Under 'Advanced Options' I have all three
boxes checked and I have over-ridden the default LDAP port to 3268. When I
"The server can't be found. Be sure the mail server information is entered
correctly in the Account Manager, and that your DNS settings in the Network
Control Panel are correct."
This seems surprising, based on the fact that you can connect (enough to get
an LDAP error) below, but perhaps there is some strange port blocking that
the port scan doesn't notice?
Post by Chris Smith
I also tried using port 3269 and I received a Root Certificate error
"An unknown error (-17766) occurred."
-17800 + invalidDNSyntax(34) = -17766. Your Search Base of "10.0.1.14" is
not a valid distinguishedName. A valid DN would be something like
"DC=domainname,DC=com". If you are using 3268/3269, per the commentary
above, I would suggest not using a search base.

Now, if you use SSL when connecting to a server via an IP address, the
server certificate has to include that IP address or it will not be
considered secure no matter if the root certificate is on your X509Anchors
keychain.
Post by Chris Smith
OWA is enabled and I can access it through Safari. Is there a way to use OWA
to populate the GAL in Entourage?
Not as yet; it's currently entirely LDAP-based.
Post by Chris Smith
I really appreciate your efforts to help me.
Thanks,
Chris
Hope this helps.

-nh
--
Nathan Herring
MacBU SDE/Development

This posting is provided "AS IS" with no warranties, and confers no rights.
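
The rules in the post above (SSL checkbox versus port, Global Catalog versus domain port, search base as a distinguishedName, SSL to a bare IP address, and the -17800 error offset) can be written as a settings check. This is an added example, not code from the thread or from Entourage; the function names, finding names and the simplified DN test are assumptions made for illustration.

```python
import ipaddress
import re

ENTOURAGE_LDAP_BASE = -17800  # offset used in the post's arithmetic
# A few standard LDAP result codes (RFC 4511); table constructed for this example.
LDAP_RESULT = {32: "noSuchObject", 34: "invalidDNSyntax", 49: "invalidCredentials"}
PLAIN_PORTS, SSL_PORTS = {389, 3268}, {636, 3269}
GC_PORTS = {3268, 3269}
RDN = re.compile(r"^\s*[A-Za-z][A-Za-z0-9-]*\s*=\s*[^=,]+$")


def decode_error(code):
    """Recover the LDAP result code from an Entourage error number."""
    ldap_code = code - ENTOURAGE_LDAP_BASE
    return ldap_code, LDAP_RESULT.get(ldap_code, "unknown")


def looks_like_dn(value):
    """Simplified DN check: comma-separated attr=value pairs (no escaped commas)."""
    return bool(value) and all(RDN.match(part) for part in value.split(","))


def is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_settings(host, port, use_ssl, search_base):
    """Return finding names for one directory configuration, in a fixed order."""
    findings = []
    if (port in SSL_PORTS and not use_ssl) or (port in PLAIN_PORTS and use_ssl):
        findings.append("ssl_checkbox_port_mismatch")
    if search_base and not looks_like_dn(search_base):
        findings.append("search_base_not_a_dn")
    if port in GC_PORTS and search_base:
        findings.append("gc_port_with_search_base")      # VLV errors out
    if port in (389, 636) and not search_base:
        findings.append("domain_port_needs_search_base")
    if use_ssl and is_ip_literal(host):
        findings.append("ssl_to_ip_certificate_must_list_ip")
    return findings


if __name__ == "__main__":
    print(decode_error(-17766))
    # Settings as described earlier in the thread (SSL box assumed checked).
    print(check_settings("10.0.1.14", 3269, True, "10.0.1.14"))
```
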
Bill Bryson
2005-08-24 22:34:03 UTC
Most likely your IT people have SSL required on the Exchange server. If OWA
is enabled (most likely) then in theory, Entourage should be able to connect
to the server if the IT people have done their job right. We have
experienced some of the "not connected" problems and they went away once the
System people enabled SSL for the backend servers and applied certificates
to them as well.

You can try using a unix-command to watch the traffic from your Mac by
opening a Terminal window and typing the command:

sudo tcpdump src your_ip_address

replace your_ip_address with the actual one listed in the Network
Preferences.

Start up Entourage and watch lines appear in the Terminal window listing the
TCP/IP traffic going from your computer. If there is a SSL problem, you
will see a line periodically for each shared calendar in Entourage that
lists the host address of your backend server and "https:". Normally you
should see a ton of lines listing the backend server host address if the
connection is opened. Instead you will see only a few among the many other
lines. Entourage seems to try every minute or so to establish the
connections and will fail if the backend server it is trying to connect to
is not set up to respond to SSL and has a certificate. If you have two
shared accounts then you will see two connection attempts fairly close together
as Entourage "talks". Unfortunately, though I can now see the accounts, I
now get a "certificate warning". Clicking OK still grants access to the
data.

Another test to see if the backend server will listen to SSL properly is to
go into a browser and try:

https://backend-server.domain.com/public

I am prompted for my UserID and password and then I see the empty public
folder we have. Prior to Systems putting on SSL and the certificate, I
would receive the error dialog - "no such server".

Another thing that is critical is that the DNS must include the domain of the
Exchange server in the Search domain. If it does not, you can manually type
the domain into the Network Pane in System Preferences. This was necessary
for me. Delegated access relies on this because it uses only a
partially-qualified name. Finally, you need to have "Use SSL for WebDAV"
checked in the Advanced pane of the Tools/Accounts/Edit window.

Sorry if this is both too technical and not enough :-)

Bill