Solved

Exchange 2007 - Autodiscover not correctly configured.

Posted on 2008-06-16
Last Modified: 2010-05-18
Hi There!

Bear with me, this could be a long and complicated post, and I am no expert with Exchange 2007.

We installed E2007 for a client, it's a single server. They originally had the domain name domain1.co.nz and both internal and external DNS pointed at the same domain. They recently changed from domain1.co.nz to domain2.co.nz as their primary DNS, however internally they still use domain1.co.nz. I created a second forward zone in the DNS for domain2.co.nz.

It would appear that we have a number of problems and I am not certain if they are all linked, or a series of misconfigurations. They got a GoDaddy SSL cert, and accessing https://smtp.domain2.co.nz/owa gives no errors.

However all of a sudden randomly it would seem, a few of the locally connected clients running Outlook 2007 are getting a username and password prompt which no combination will resolve. Email still sends/receives ok.

http://exchange-genie.blogspot.com/2007/07/autodiscover-ad-attribute.html I found this after I did a search, and it may be that I am being stupid, but I couldn't really get very far with this. I added the autodiscover.domain2.co.nz and autodiscover.domain1.co.nz A records to the forward dns, and this didn't help.

We also have a problem whereby on the terminal server which is also a DC (Yes I know it's not a recommended solution but there are good reasons for it) if we try and connect Outlook 2007 to the Exchange server, it gives us a credentials prompt which always fails no matter what combination we use.

We use form-based auth with domain1.co.nz predefined.

I have put some of the output I think might be relevant below, replacing the real names with the domain1 and domain2.

Get-ExchangeCertificate

A45F5F9D52689F530D5E5DBAF86E6790777AAB49  ...W.      CN=smtp.domain2.co.nz, OU=Domain Control Validated, O=smtp.domain2.co.nz
9A4E0BF172BC5C207A210CCF2FF10C58E59EEA1B  .....      CN=domain2CA, DC=domain1, DC=co, DC=nz
8A88A71DAAE9266C3911B8680D13745AB1056567  .....      CN=smtp.domain2.co.nz
55B941EF64651C51939841CC67BBC8987D9925FD  .....      CN=smtp.domain2.co.nz
2BCD471834DC3CC4F33CDF03294B5837FCD65991  IP..S      CN=domain1EXCH

[PS] C:\>Get-ClientAccessServer | fl name,Autodiscoverserviceinternaluri

Name                           : DOMAIN1EXCH
AutoDiscoverServiceInternalUri : https://smtp.domain2.co.nz/autodiscover/autodiscover.xml


[PS] C:\>Test-OutlookWebServices | fl


Id      : 1003
Type    : Information
Message : About to test AutoDiscover with the e-mail address Administrator@domain2.co.nz.

Id      : 1007
Type    : Information
Message : Testing server domain1EXCH.domain1.co.nz with the published name https://smtp.domain2.co.nz/ews/exchange.asmx & .

Id      : 1019
Type    : Information
Message : Found a valid AutoDiscover service connection point. The AutoDiscover URL on this object is https://smtp.domain2
          .co.nz/autodiscover/autodiscover.xml.

Id      : 1013
Type    : Error
Message : When contacting https://smtp.domain2.co.nz/autodiscover/autodiscover.xml received the error The remote server re
          turned an error: (401) Unauthorized.

Id      : 1006
Type    : Error
Message : The Autodiscover service could not be contacted.

The URLs above are correct and resolve both internally and externally.

I found a link that said to suppress the 401 error I could change a loopback setting in the registry, but I could not determine why you would do that if it's not recommended, plus in the middle of the work day, it's not really ideal to restart our Exchange server. Is the purpose of this article to allow you to disable this error as you require to go further to get to the bottom of the problem? Will an IISreset get around the restart?

http://exchange-genie.blogspot.com/2007/07/401-error-when-attempting-test.html

Would appreciate any assistance, thanks very much in advance, please let me know if you need further information. The Server has all the latest patches/SP's?



Question by:networkn

Author Comment

by:networkn
ID: 21799353
Ok I found this article:

http://technet.microsoft.com/en-us/library/bb332063.aspx

The GoDaddy cert is single name, pointing at smtp.domain2.co.nz and I am wondering if all I need to do to fix this is:

 Option 2: Using a New Single-Name Certificate

Use the Exchange Management Shell on your Client Access server to install and enable your new third-party certificate.
To use the Exchange Management Shell to install and enable a new third-party SSL certificate

    * On the Client Access server, open the Exchange Management Shell, and then run the following command:

      Import-ExchangeCertificate -Path <full path to CER file> | Enable-ExchangeCertificate -Services iis

Step 2: Modify the Service Connection Point

By default, the URL for the Autodiscover service stored in the SCP object in Active Directory will reference the internal FQDN for the Client Access server during Exchange 2007 Setup. You will use the Set-ClientAccessServer cmdlet to modify this URL so that it points to the new location (FQDN) for the Autodiscover service.
Important:
You must repeat this step for every Client Access server that is installed in your Exchange messaging infrastructure.
To use the Exchange Management Shell to change the internal URL for the Autodiscover service

    * In the Exchange Management Shell, run the following command:

      Set-ClientAccessServer -Identity <servername> -AutodiscoverServiceInternalUri https://autodiscover.contoso.com/autodiscover/autodiscover.xml

Step 3: Configure the Exchange Services URLs

Now that you have configured SSL for your Autodiscover service deployment scenario, you must configure your Exchange services for external and internal access. For more information, see How to Configure Exchange Services for the Autodiscover Service later in this white paper.

I guess I don't want to try something that could potentially break everything. Is there a way to backup this config so I can restore it if it turns to custard?
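
Added example (not part of the post above or of the TechNet article it quotes): a read-only check of which service URLs a single-name certificate actually covers, which is why the SCP URL has to use the certificate's name. The function names are hypothetical, the input is constructed from the placeholder names in this thread, and PowerShell 2.0 or later is assumed.

```powershell
# Hypothetical helper: does one certificate name cover one host name?
function Test-HostMatchesCertName {
    param([string]$HostName, [string]$CertName)
    $h = $HostName.ToLowerInvariant()
    $c = $CertName.ToLowerInvariant()
    if ($c.StartsWith('*.')) {
        # A wildcard covers exactly one left-most label:
        # *.example.com matches a.example.com, not example.com or a.b.example.com.
        $suffix = $c.Substring(1)
        if (-not $h.EndsWith($suffix)) { return $false }
        $label = $h.Substring(0, $h.Length - $suffix.Length)
        return ($label.Length -gt 0 -and -not $label.Contains('.'))
    }
    return ($h -eq $c)
}

# Hypothetical helper: report, per URL, whether any certificate name covers its host.
function Test-NameCoverage {
    param([string[]]$CertNames, [string[]]$Urls)
    foreach ($url in $Urls) {
        $hostName = ([System.Uri]$url).Host
        $covered = $false
        foreach ($name in $CertNames) {
            if (Test-HostMatchesCertName -HostName $hostName -CertName $name) {
                $covered = $true
                break
            }
        }
        New-Object PSObject -Property @{ Url = $url; Host = $hostName; Covered = $covered }
    }
}

# Constructed input: the single name on the third-party certificate, the SCP and
# EWS URLs reported earlier in the thread, plus two other names a client could be
# pointed at (the added autodiscover A record and the server's internal FQDN).
$certNames = @('smtp.domain2.co.nz')
$urls = @(
    'https://smtp.domain2.co.nz/autodiscover/autodiscover.xml',
    'https://smtp.domain2.co.nz/ews/exchange.asmx',
    'https://autodiscover.domain2.co.nz/autodiscover/autodiscover.xml',
    'https://domain1EXCH.domain1.co.nz/autodiscover/autodiscover.xml'
)

Test-NameCoverage -CertNames $certNames -Urls $urls |
    Format-Table Host, Covered, Url -AutoSize
```

The check compares names only; it makes no network connection and says nothing about authentication failures such as the 401 reported in this thread.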
 

Author Comment

by:networkn
ID: 21800913
Well after a restart after hours I am STILL getting the 401 error, which is strange, I double-checked it, and it looks correct. I did the right click on the start > test and it passed, but a send/receive gave me a prompt for a username and password I couldn't get past.
 

Accepted Solution

by:
networkn earned 0 total points
ID: 21852372
Solved by restoring IIS to an earlier configuration. The 401 didn't go away when I renamed that reg setting.