Tag Archives: Outlook 2010

Outlook 2010 stays offline with Exchange Online

One of my clients is running Exchange 2010 in hybrid mode, and they have Outlook 2010 and Outlook 365 ProPlus client. For testing purposes, I have two VMs, one with Windows 7 and Office 2010 and one with Windows 10 and Office 365 ProPlus. And every Monday morning I run the Windows 7 VM for an hour or so to see if everything is working fine 😊

This morning my Outlook 2010 was working offline, and it didn’t want to go online (OWA and Outlook 365 ProPlus were working fine). Remove the Outlook profile but creating a new Outlook profile didn’t work. After a minute the dreaded an encrypted connection to your mail server is not available error message appeared:

An encrypted connection to your mail server is not available

Mostly this is caused by Autodiscover that goes wrong somewhere, the Remote Connectivity Analyzer shows that Autodiscover to the on-premises Exchange 2010 goes well, but that the redirect to Exchange Online goes wrong and it generates the following error message:

An HTTP 456 Unauthorized response was received from the remote Unknown server. This indicates that the user may not have logged on for the first time, or the account may be locked. To logon, go to http://portal.microsoftonline.com.

And further down more details are revealed:

X-AutoDiscovery-Error: LiveIdBasicAuth:AppPasswordRequired:<RequestId=8a51c25b-9213-4873-aff8-ebc1da40544f>;

An HTTP 456 Unauthorized response was received from the remote Unknown server

The AppPasswordRequired explains more. Last week I changed the MFA settings (see previous authenticator app for Office 365 blogpost). This works fine for OWA and Office 365 ProPlus, but not for Outlook 2010. Since Outlook 2010 does not work with Office 365 MFA, especially not in a hybrid environment (not even with an App Password).

The only workaround here was to temporarily disable MFA for my user account, create a new Outlook profile (which worked fine without MFA) and re-enable MFA. Again, Outlook 2010 does not recognize the MFA and still works with Exchange Online using basic authentication, but all other Office 365 services work fine with Office 365 MFA (both SMS and Authenticator authentication).

Outlook 2010 disconnected with TLS 1.2

When my normal laptop died last week I had to use an older laptop, and this laptop had Windows 7 and Outlook 2010 installed, one of my personal favorite Outlook clients.

However, Outlook 2010 did work correctly with Mailboxen in Exchange Online, but Outlook refused to work with Mailboxen on my on-premises Exchange 2016 server. The only thing I saw in the lower right corner was “Disconnected” and every now and then Outlook tried to connect, but no luck.

image

When checking the Connection Status in Outlook I could see that the directory connection was established, but the Exchange Connections disconnected. The Exchange sever and mailbox were ok since I was able to connect using OWA and my Outlook for iPhone client.

image

The Test Email AutoConfiguration option in Outlook wasn’t very helpful either, it just showed that it was unable to determine the settings and none of the Autodiscover options worked.

image

image

Using the Internet Explorer browser I tried to access my Autodiscover.exchangelabs.nl site, and after a logon prompt I got the famous ErrorCode 600. This is good, so I know my Autodiscover is at least listening properly.

image

The Exchange Remote Connectivity Analyzer (http://aka.ms/exrca) showed that there was an issue with my SSL certificate:

image

The SSL certificate however is a valid Digicert UC certificate and there’s nothing wrong with this certificate. IE does use it, and the Digicert help utility doesn’t show anything strange either.

image

Oh, and my Outlook 2016 running on another computer did work correctly, so there should be a configuration error impacting Outlook 2010 only.

Then I realized that a week before I accidentally ruined the Virtual Service on my Kemp Load Balancer and I quickly created a new Virtual Service using the correct template. As a security measure I only selected TLS 1.2 on the SSL properties of the Virtual Service.

image

After enabling TLS 1.0 on the Virtual Service, Outlook 2010 started to work correctly again and (to my surprise) so did the Remote Connectivity Analyzer.

image

image

So, obviously TLS 1.0 was the culprit here and by enabling TLS 1.0 Outlook 2010 started to work again.

When checking my laptop using the SSLLABS website (https://www.ssllabs.com/ssltest/viewMyClient.html), all looks fine and TLS 1.2 is fully supported by my Windows 7 client:

image

It must be something with Outlook 2010 and TLS1.2. I found an interesting article on Technet regarding enabling of TLS 1.1 and TLS 1.2. Create a DWORD value DefaultSecureProtocols in the registry under the following keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp


HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp

Its value should be one of the following:

For only TLS 1.1 and 1.2: A00 (hexadecimal)


For TLS 1.0, 1.1, and 1.2: A80 (hexadecimal)

clip_image002

Also, create the following DWORD values DisabledByDefault in the following locations and assign it the value of ‘0’:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client

image

When needed create the necessary subkeys under the \Protocols key.

Now your Windows 7 and Outlook 2010 will support a TLS 1.2 environment only (this is also true for Windows 8 BTW).

Summary

Outlook 2010 does not support TLS 1.2 out of the box. This can be an issue if you or your network department starts implementing a TLS 1.2 environment only. You have to enable TLS 1.2 on the workstation by setting a registry key. After this it works fine.

Next October Microsoft will stop support for TLS 1.0 and TLS 1.1. This means that if you run into an issue caused by TLS 1.0 or TLS 1.1 it won’t be fixed. Please note that Microsoft will continue to accept TLS 1.0 and TLS 1.1 connection from clients, it just won’t be supported anymore.

Microsoft is working on a plan to disable TLS 1.0 and TLS 1.1 but that won’t happen anytime soon. When this is going to happen, Microsoft will give notification 6 months in advance of disabling TLS 1.0 and TLS 1.1.

More information

https://www.ssllabs.com/ssltest/viewMyClient.html

https://blogs.technet.microsoft.com/schrimsher/2016/07/08/enabling-tls-1-1-and-1-2-in-outlook-on-windows-7/

https://support.microsoft.com/en-us/help/4057306/preparing-for-tls-1-2-in-office-365

https://technet.microsoft.com/en-us/library/dn786418(v=ws.11).aspx

Last edited on October 26, 2018.