Exchange Server Setup

kevincwoo

(Sorry for the repeat post... Entourage sent the news post, with my
Korean name/e-mail etc, so I am re-sending the post.)

Our firm uses Exchange Server 2003 (OWA included). We all connect to the
Server using Office 2003 running Windows XP. For various reasons, the
server is always connected via what Microsoft calls "RPC over HTTP"
configuration. So far we are happy with what we run...
Until now, that is.

I have a Macintosh and Entourage 2004 (running Mac OS 10.4.6), and I am
running into account setting problem.

1. Exchange Server cannot be seen unless I use
"http://mail.example.com/myname" name on Account Setup window. (replace
example.com with my Exchange Server name, and myname with my own account
name) With the above set up, I have no problem editing/entering contact
information and calendar.

2. Can't look up the company's directory. It cannot find LDAP directory.
However, at this moment, I don't know whether our server has LDAP
service, so I am checking with IT manager in our server farm about it.

3. Can't send e-mail AT ALL. I receive error "-18597". It tells me my
mail account is configured incorrectly.

4. Funny thing is... I have no problem accessing and sending e-mail from
Apple Mail, configured with Exchange Server. It still doesn't see the
company's directory, but it has no problem sending mails.

Our IT manager is a complete I***t when it comes to Macintosh, so he
cannot be reliable on this. Please help.
 
Barry Wainwright [MVP]

First thing to check is whether you can access the account using Outlook Web
Access - Entourage 2004 uses the same protocols as OWA, so if you can't get
in there, you won't get in with Entourage.
 
kevincwoo

I can access it without any problems using Outlook Web Access in
Safari. It is only available with "https" stuff, but I was able to get
the proper certificate downloaded. On the other hand, I am not using
SSL connection either in Entourage 2004 or Apple Mail 2.0.

I have also tried to connect to the same server using Entourage 2004
and IMAP (the server is also configured for IMAP). I have no problem
sending/receiving e-mails with IMAP. It is the "exchange server"
setting that gives me the problems.
 
Corentin Cras-Méneur

> I can access it without any problems using Outlook Web Access in
> Safari. It is only available with "https" stuff, but I was able to get
> the proper certificate downloaded.

Then simply copy the address from there
(https://yourserver/exchange/you) and try to use it as the address of
the server in the account settings in Entourage (with the https and
everything).

> On the other hand, I am not using
> SSL connection either in Entourage 2004 or Apple Mail 2.0.

Entourage definitively SHOULD be using SSL (which should probably be more
or less automatic if you use the https address mentioned above) but Mail
doesn't need to. Mail only accesses the server through IMAP (with a few
additional tricks) which is completely different.

Corentin
 
kevincwoo

If I use "https", I get "Unable to establish a secure connection"
window. It tells me that I need to install root certificate, but
doesn't show me how. In Outlook 2003 and XP, I was given a choice to
save the root certificate, but not with Entourage and Mac OSX.
 
kevincwoo

Mickey, thanks for the information. My mail server is
mail.mcqs-korea.com (mcqs-korea is my firm's name) and e-mail address
is at mcqs-korea.com. Therefore, my e-mail address is set to
(e-mail address removed), and domain is mail.mcqs-korea.com. Exchange
server is accessed by http://mail.mcqs-korea.com/exchange.

When I use Apple Mail 2.0 with Exchange Server, "incoming server" and
"outgoing server" can be set separately. In both cases, I use
"mail.mcqs-korea.com", and that works fine. What I don't understand is
why Apple Mail works but not Entourage 2004.
 
William Smith

> If I use "https", I get "Unable to establish a secure connection"
> window. It tells me that I need to install root certificate, but
> doesn't show me how. In Outlook 2003 and XP, I was given a choice to
> save the root certificate, but not with Entourage and Mac OSX.

Hi Kevin!

Entourage doesn't support the automatic download and installation of
Exchange server certificates. Have a look at this link for how to do it
manually
<http://www.themachelpdesk.com/modules.php?op=modload&name=News&file=index&catid=&topic=19>.

Additionally, while outside your company network, be sure to select
"This DAV service requires a secure connection (SSL)" under the Account
Settings tab for your Exchange account in Entourage. This should be
equivalent to what Corentin has posted about using "https://" instead of
just "http://". Typically, Exchange servers won't require SSL while
inside your company network.

Hope this helps! bill
 
kevincwoo

Thanks, William. I've let the IT manager on getting me the certificate.
I don't think it will solve all my problems but it is at least a start.

Actually we don't have "company network".. The server is in a server
farm, and we only connect to the server using "RPC over HTTP" protocol.
It is because my colleagues spend most time at our clients' site. Since
we tend to move around often, it is rather difficult for us to ask for
IT managers in our clients' site to open specific ports, etc., etc. I
guess it is similar to WebDAV. Good part is my colleagues running XP
have no problems in accessing Outlook and Exchange Server in every
situation so far.
 
kevincwoo

William. Thank you and thank you again. Your link
(http://www.themachelpdesk.com/modules.php?op=modload&name=News&file=index&catid=&topic=19)
gave me an idea. This is how I did it.

1. I've already tried to access OWA using SSL connection, so Safari had
already downloaded a root certificate to my machine.
2. I went to Utilities/Keychain Access and saw that I had a certificate
from mail.mcqs-korea.com (my firm's mail site).
3. I "export"ed the root certificate, and saved it to Desktop.
4. I went to Microsoft Office 2004/Office/Microsoft Cert Manager and
"import"ed the root certificate. Now the certificate shows up in an
"intermediate certificate authorities" tab.
5. I deleted ~/Library/Preferences/OfficeSync Prefs, and launched
Entourage 2004.

Voila~ I can now send/receive e-mails. I still need to see why LDAP
doesn't work (or if even LDAP is installed). Problem isn't closed but
we've made some progress. Thank you all for helping me out.
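
A check that fits the export/import procedure in the post above, as an added example that is not part of the thread: before importing an exported certificate as a trust anchor, confirm it is self-signed (a root) and that the server certificate verifies against it. The root CA and server certificate here are constructed throwaways, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed demo: build a throwaway root CA and a server certificate,
# then classify each as you would a certificate exported from a keychain.

# Succeeds only if the PEM certificate in $1 is self-signed (a root):
# subject and issuer match, and its signature verifies with its own key.
is_self_signed() {
    [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
      "$(openssl x509 -in "$1" -noout -issuer_hash)" ] &&
    openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Succeeds only if certificate $2 verifies against trust anchor $1.
chains_to() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Prints "root" or "not-root" for the PEM certificate in $1.
classify() {
    if is_self_signed "$1"; then echo root; else echo not-root; fi
}

# Writes a constructed ca.pem and server.pem into directory $1.
make_demo_certs() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Example Root CA" \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=mail.example.com" \
        -keyout "$d/server.key" -out "$d/server.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/server.csr" -days 1 \
        -CA "$d/ca.pem" -CAkey "$d/ca.key" -CAcreateserial \
        -out "$d/server.pem" 2>/dev/null
}

demo=$(mktemp -d)
make_demo_certs "$demo" || { echo "openssl failed" >&2; exit 1; }
for f in ca.pem server.pem; do
    echo "$f: $(classify "$demo/$f")"
done
chains_to "$demo/ca.pem" "$demo/server.pem" &&
    echo "server.pem verifies against ca.pem"
rm -rf "$demo"
```

To check a real export, run `classify` on the exported file; a DER-encoded `.cer` export has to be converted to PEM first with `openssl x509 -inform DER -in cert.cer -out cert.pem`.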
 
William Smith

Hi Kevin!

Glad this worked for you and thank you for the new technique to install
the certificate. That's a great idea and I've passed it along to the
author of the article. This would not only shorten the article but allow
most folks to help themselves rather than requesting the aid of an
administrator.

As for LDAP, while I use Entourage at home to connect to my company's
Exchange server, our LDAP ports aren't open. This means I can't use the
GAL either. I'm finding this is more the norm than the exception.

I hope you're able to get the rest working for you.

bill
 
Kevin Woo

Well, it turned out the problem isn't over yet. Now I have no problem
sending/receiving e-mails. However, when I start Entourage, I still get
"root certificate is not installed" warning. Very odd. In Keychain
Access, I see certificate from my firm. In Microsoft Cert Manager, I
also see the same certificate. Both have been entrusted, and they tell
me they have no problems.

Except Entourage. It still warns me that root certificate is not
installed and any further activities will not be secure. It isn't a big
deal, since I only need to click the dialog box every time I start
Entourage. However, it is still puzzling.
 
Kevin Woo

I've asked my IT manager. He told me that LDAP is NOT part of Exchange
Server 2003/Windows Server 2003. He mentions that ADSI (Active
Directory Service Interface) is required for third party software
(although hard to imagine Entourage being a third party) to access
Active Directory. If Entourage is not equipped to handle ADSI, he said,
it won't use Active Directory/LDAP.

I honestly don't understand what the problem is. Is my IT manager
correct?
 
William Smith

Kevin Woo said:
> I've asked my IT manager. He told me that LDAP is NOT part of Exchange
> Server 2003/Windows Server 2003. He mentions that ADSI (Active
> Directory Service Interface) is required for third party software
> (although hard to imagine Entourage being a third party) to access
> Active Directory. If Entourage is not equipped to handle ADSI, he said,
> it won't use Active Directory/LDAP.
>
> I honestly don't understand what the problem is. Is my IT manager
> correct?

Hi Kevin!

I'm definitely no Exchange admin but, while I agree your IT manager is
correct that LDAP is not part of Exchange, Exchange is integrated with
Active Directory and Active Directory is based on LDAP. Entourage, to my
understanding, is not trying to use Active Directory per se. It's simply
trying to do an LDAP lookup that happens to be from Active Directory.
This may seem like semantics, but there's a difference.

My understanding of ADSI is that it's a Windows only application
connector to allow third-party developers the ability to write
applications and hook into the power of Active Directory for management
purposes. It doesn't apply to Mac software. Here's what I'm basing my
statements on
<http://www.wwwcoder.com/main/parentid/35/site/907/68/default.aspx>.

Entourage is designed to work with Exchange servers but does rely on an
organization's LDAP server for address lookups. The LDAP server is
typically an Active Directory domain controller.

Hope this gives some insight.

bill
 
Kevin Woo

It turned out I didn't need LDAP after all. I thought I needed that to
allow delegates and sharing of public folders (I handle access to my
firm's public folders). It turned out I didn't need that at all. I
simply needed to look up against my own contacts. Surely Entourage
doesn't show the GAL, but I could still type the name, look up against
my own contact list, then handle delegates.

I still have a small annoyance.. When I start Entourage, the program
tells me that I don't have the correct root certificate (which is odd..
since I've done all I can). However, at least my main problems are
solved.

Thank you all MVPs. You guys are truly MVPs!
 
Bob Weiner

LDAP is still nice for name resolution. For LDAP server, you should be
able to put in the name of any AD server which supports the GAL (not all are
configured to do that).

Of course, you have to be aware of firewall issues that may block that
access. It would be best if your IT people could set up a CNAME for
ldap.companyname.com to support this.

bob
 
