Exchange 2016 Integration with Salesforce - EWS

Daniel Klobnak 266 Reputation points
2021-02-03T21:18:37.98+00:00

On-Prem - single server Exchange 2016 CU 18 install. Customer wants to integrate SalesForce Add-on. Decided to have the Add-on be deployed centrally. Finally have the add-in installed on EAC. The issue is that it is not working. Sorry to be so vague. SF's support can be summarized as the quoted following: "Enabling an EWS end-point is a common practice...but if you have questions open an MS support". I have to admit, within our customer base, EWS end-points are not commonly 'enabled'.

Most SF VARs don't have much to share in the implementation with on-prem. 365 seems to be the way to go. Same for SF documentation/videos.

As mentioned in SF calls, our ask is basically to throw us a bone as to what to look for, and frankly the MS articles forwarded our way are, IMO, too much of a deep dive and seem to be focused on development of apps.

Hopefully someone can fill in the missing pieces for us.

Current state: EWS is running, and has been. Its internal and external URLs are the same:
https://mail.domain.com/ews/exchange.asmx

When one enters the URL both internally/externally one is prompted for creds and one logs in and is presented with "you have created a service...to test service svcutil.exe https://InternalFQDNofHost.domain.com:444/EWS/Services.wsdl"

When I use Remote Connectivity Analyzer to test via autodiscover and/or Exchange Web Services URL they both are successful (related to impersonation).

When SF ran some internal tools against the EWS they showed green: meaning the URL was fine; the SSL cert is fine; the level of authentication is solid for their add-on. All looks good, except there is an HTTP code of 401.

SF gathered some additional data, but said, it looks good.

(On a client and OWA, the debug tools reflect blanks in client, and in OWA the debug will not load.)

So I basically asked SF, other than downloading the app, is there anything else we need to configure on Exchange. There is no genuine response.

But I keep coming back to this comment in document:
https://help.salesforce.com/articleView?id=000319996&language=en_US&type=1&mode=1
"An Exchange metadata endpoint that allows unauthenticated HTTP access must be available"
So I am assuming that an end-point needs to be configured.

SF also has a list of IPs which need to be whitelisted. I have focused on a firewall rule, which is completely open for the time being from the range, and there still are issues. So I am wondering if the whitelist is specifically for the endpoint (i.e. configured with Exchange).

So anyone have any practical guidance to clarify any of the above? If we have to make a specific endpoint for this app, is it really more involved than a few PS commands, or is it as involved as these MS documents that seem aimed at developers make it out to be?

I'd appreciate any general guidance or suggestions. It blows my mind that it is this hard to locate any practical information. Thanks.

Exchange Server Management

Accepted answer
  1. Daniel Klobnak 266 Reputation points
    2021-02-12T18:50:46.367+00:00

    Hi, first thank you again for the comments and suggestions. All solid items to review. I had hit most of them prior to my posting (which was not as exhaustive (or exhausting) of all the work that was done to date). But I have to say, after going through some 110 various URLs - MS - SF - Reddit - other 3rd party add-ons that discuss EWS - I found one article today that resolved it. As the thread is archived, and the individual who posted only had one post to his 'name', I cannot thank the individual directly.

    https://social.technet.microsoft.com/Forums/en-US/503705cc-275b-416d-8f37-2dca5e809959/configuration-of-ews-and-autodiscovermetadatajson1-for-external-calls?forum=exchangesvrgeneral
    Mica Doe
    regarding AuthConfig certificate.
    Although all the exchange certs were active and valid (checked that pretty early in the process) the Authconfig did not reflect a current thumbprint (which apparently does not matter for 'vanilla' Exchange functionality as everything else from Autodiscover etc was working fine).

    I followed the steps (repeated here for others if necessary) Per Mica (and thank you!):

    QUOTE -
    The cause was a missing / invalid Exchange Auth Certificate. I assigned our public valid OWA certificate to the Exchange Auth Configuration:

    Get-ExchangeCertificate

    Copy thumbprint of valid IIS/OWA cert

    $a=get-date
    Set-AuthConfig -NewCertificateThumbprint (your thumbprint) -NewCertificateEffectiveDate $a

    accept warning with Y

    Set-AuthConfig -PublishCertificate

    See if cert is in place:

    Get-AuthConfig

    Delete previous maybe invalid cert from Auth Config:

    Set-AuthConfig -clearpreviouscertificate

    Restart IIS

    iisreset

    JSON token gets delivered correctly now to Salesforce calls and Outlook Plugin is working.

    - END QUOTE.

    Implemented, and everything worked!

    Note: when I opened my Outlook client after the change - Outlook could not open mailbox (and I thought I screwed the pooch), but close and open and all is well.

    Again thank you for your suggestions, and thank you @micha Doe. - Dan

    1 person found this answer helpful.
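
A read-only check for the condition described in the accepted answer, as an added example that is not part of the original thread: it reports whether the thumbprint recorded in AuthConfig matches an installed, currently valid certificate, and whether the metadata endpoint answers an anonymous request. Assumptions: it is run in the Exchange Management Shell on the server, `mail.domain.com` is the placeholder host name used in the question, and the `/autodiscover/metadata/json/1` path is taken from the title of the linked TechNet thread.

```powershell
# Added example (not from the thread). Run in the Exchange Management Shell.
function Test-ExchangeAuthCertificate {
    # Compare the thumbprint recorded in AuthConfig with the certificates
    # actually installed on this server.
    $thumb  = (Get-AuthConfig).CurrentCertificateThumbprint
    $report = [ordered]@{ Thumbprint = $thumb; NotAfter = $null; Healthy = $false; Reason = '' }
    if ([string]::IsNullOrWhiteSpace($thumb)) {
        $report.Reason = 'AuthConfig has no current certificate thumbprint'
        return [pscustomobject]$report
    }
    $cert = Get-ExchangeCertificate | Where-Object { $_.Thumbprint -eq $thumb }
    if (-not $cert) {
        $report.Reason = 'Thumbprint in AuthConfig is not installed on this server'
        return [pscustomobject]$report
    }
    $report.NotAfter = $cert.NotAfter
    $now = Get-Date
    if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) {
        $report.Reason = 'Auth certificate is outside its validity period'
    } else {
        $report.Healthy = $true
        $report.Reason  = 'Auth certificate is installed and within validity'
    }
    [pscustomobject]$report
}

function Test-AuthMetadataEndpoint {
    param([Parameter(Mandatory)][string]$HostName)
    # Path is an assumption taken from the title of the linked TechNet thread.
    $uri    = "https://$HostName/autodiscover/metadata/json/1"
    $status = 0
    try {
        # No -Credential: the request is deliberately anonymous.
        $status = [int](Invoke-WebRequest -Uri $uri -UseBasicParsing -TimeoutSec 15).StatusCode
    } catch {
        # 401/403 land here; a null Response (DNS or TLS failure) leaves 0.
        if ($_.Exception.Response) { $status = [int]$_.Exception.Response.StatusCode }
    }
    [pscustomobject]@{ Uri = $uri; Status = $status; AnonymousOk = ($status -eq 200) }
}

# 'mail.domain.com' is the placeholder host name from the question.
Test-ExchangeAuthCertificate
Test-AuthMetadataEndpoint -HostName 'mail.domain.com'
```

Neither function changes configuration, so the same two calls can be run before and after the `Set-AuthConfig` steps to compare results.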
