Exchange 2007 - Autodiscover not correctly configured.

Posted on 2008-06-16
Medium Priority
Last Modified: 2010-05-18
Hi There!

Bear with me, this could be a long and complicated post, and I am no expert with Exchange 2007.

We installed E2007 for a client; it's a single server. They originally had the domain name domain1.co.nz and both internal and external DNS pointed at the same domain. They recently changed from domain1.co.nz to domain2.co.nz as their primary DNS, however internally they still use domain1.co.nz. I created a second forward zone in the DNS for domain2.co.nz.

It would appear that we have a number of problems and I am not certain if they are all linked, or a series of misconfigurations. They got a GoDaddy SSL cert, and accessing https://smtp.domain2.co.nz/owa gives no errors.

However, all of a sudden, randomly it would seem, a few of the locally connected clients running Outlook 2007 are getting a username and password prompt which no combination will resolve. Email still sends/receives OK.

http://exchange-genie.blogspot.com/2007/07/autodiscover-ad-attribute.html I found this after I did a search, and it may be that I am being stupid, but I couldn't really get very far with this. I added the autodiscover.domain2.co.nz and autodiscover.domain1.co.nz A records to the forward DNS, and this didn't help.

We also have a problem whereby on the terminal server which is also a DC (yes, I know it's not a recommended solution but there are good reasons for it) if we try and connect Outlook 2007 to the Exchange server, it gives us a credentials prompt which always fails no matter what combination we use.

We use form-based auth with domain1.co.nz predefined.

I have put some of the output I think might be relevant below, replacing the real names with the domain1 and domain2.


A45F5F9D52689F530D5E5DBAF86E6790777AAB49  ...W.      CN=smtp.domain2.co.nz, OU=Domain Control Validated, O=smtp.domain2.co.nz
9A4E0BF172BC5C207A210CCF2FF10C58E59EEA1B  .....      CN=domain2CA, DC=domain1, DC=co, DC=nz
8A88A71DAAE9266C3911B8680D13745AB1056567  .....      CN=smtp.domain2.co.nz
55B941EF64651C51939841CC67BBC8987D9925FD  .....      CN=smtp.domain2.co.nz
2BCD471834DC3CC4F33CDF03294B5837FCD65991  IP..S      CN=domain1EXCH

[PS] C:\>Get-ClientAccessServer | fl name,Autodiscoverserviceinternaluri

Name                           : DOMAIN1EXCH
AutoDiscoverServiceInternalUri : https://smtp.domain2.co.nz/autodiscover/autodiscover.xml

[PS] C:\>Test-OutlookWebServices | fl

Id      : 1003
Type    : Information
Message : About to test AutoDiscover with the e-mail address Administrator@domain2.co.nz.

Id      : 1007
Type    : Information
Message : Testing server domain1EXCH.domain1.co.nz with the published name https://smtp.domain2.co.nz/ews/exchange.asmx & .

Id      : 1019
Type    : Information
Message : Found a valid AutoDiscover service connection point. The AutoDiscover URL on this object is https://smtp.domain2

Id      : 1013
Type    : Error
Message : When contacting https://smtp.domain2.co.nz/autodiscover/autodiscover.xml received the error The remote server re
          turned an error: (401) Unauthorized.

Id      : 1006
Type    : Error
Message : The Autodiscover service could not be contacted.

The URLs above are correct and resolve both internally and externally.

I found a link that said to suppress the 401 error I could change a loopback setting in the registry, but I could not determine why you would do that if it's not recommended, plus in the middle of the work day, it's not really ideal to restart our Exchange server. Is the purpose of this article to allow you to disable this error as you require to go further to get to the bottom of the problem? Will an IISreset get around the restart?


Would appreciate any assistance, thanks very much in advance, please let me know if you need further information. The server has all the latest patches/SPs?

Question by:networkn

Author Comment

ID: 21799353
Ok I found this article:


The godaddy cert is single name, pointing at smtp.domain2.co.nz and I am wondering if all I need to do to fix this is:

 Option 2: Using a New Single-Name Certificate

Use the Exchange Management Shell on your Client Access server to install and enable your new third-party certificate.
To use the Exchange Management Shell to install and enable a new third-party SSL certificate


      On the Client Access server, open the Exchange Management Shell, and then run the following command:

      Import-ExchangeCertificate -Path <full path to CER file> | Enable-ExchangeCertificate -Services iis

Step 2: Modify the Service Connection Point

By default, the URL for the Autodiscover service stored in the SCP object in Active Directory will reference the internal FQDN for the Client Access server during Exchange 2007 Setup. You will use the Set-ClientAccessServer cmdlet to modify this URL so that it points to the new location (FQDN) for the Autodiscover service.
You must repeat this step for every Client Access server that is installed in your Exchange messaging infrastructure.
To use the Exchange Management Shell to change the internal URL for the Autodiscover service


      In the Exchange Management Shell, run the following command:

      Set-ClientAccessServer -Identity <servername> -AutodiscoverServiceInternalUri https://autodiscover.contoso.com/autodiscover/autodiscover.xml

Step 3: Configure the Exchange Services URLs

Now that you have configured SSL for your Autodiscover service deployment scenario, you must configure your Exchange services for external and internal access. For more information, see How to Configure Exchange Services for the Autodiscover Service later in this white paper.

I guess I don't want to try something that could potentially break everything. Is there a way to backup this config so I can restore it if it turns to custard?
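
Added example, not part of the original post or the quoted white paper: one way to record the Exchange-side settings those steps change before running them, and to check that the host name in the Autodiscover SCP URL is actually a name on the certificate enabled for IIS. The backup folder is an assumed path, the script uses only read-only Get-* cmdlets, and it does not cover the IIS configuration itself.

```powershell
# Run in the Exchange Management Shell on the Client Access server.
# $backupDir is an assumed location (not from the thread); change as needed.
$backupDir = Join-Path 'C:\ExchangeConfigBackup' (Get-Date -Format 'yyyyMMdd-HHmmss')
New-Item -ItemType Directory -Path $backupDir | Out-Null

# 1. Snapshot the Autodiscover SCP URL and the certificate-to-service bindings.
Get-ClientAccessServer |
    Select-Object Name, AutoDiscoverServiceInternalUri |
    Export-Clixml (Join-Path $backupDir 'ClientAccessServer.xml')

Get-ExchangeCertificate |
    Select-Object Thumbprint, Subject, Services, CertificateDomains, NotAfter |
    Export-Clixml (Join-Path $backupDir 'ExchangeCertificate.xml')

# 2. Snapshot the URLs and authentication settings of the client-facing virtual directories.
foreach ($cmd in 'Get-AutodiscoverVirtualDirectory', 'Get-WebServicesVirtualDirectory',
                 'Get-OabVirtualDirectory', 'Get-OwaVirtualDirectory') {
    & $cmd |
        Select-Object Identity, InternalUrl, ExternalUrl, *Authentication |
        Export-Clixml (Join-Path $backupDir "$cmd.xml")
}

# 3. Compare each SCP host name with the names on the certificate(s) enabled for IIS.
#    A single-name certificate only matches one host; wildcard names are not expanded here.
$iisCerts  = Get-ExchangeCertificate | Where-Object { $_.Services.ToString() -match 'IIS' }
$certNames = @($iisCerts |
    ForEach-Object { $_.CertificateDomains } |
    ForEach-Object { $_.ToString() })

foreach ($cas in Get-ClientAccessServer) {
    $scpHost = ([Uri]$cas.AutoDiscoverServiceInternalUri).Host
    if ($certNames -contains $scpHost) {
        '{0}: SCP host {1} is on the IIS certificate' -f $cas.Name, $scpHost
    } else {
        '{0}: SCP host {1} is NOT on the IIS certificate ({2})' -f `
            $cas.Name, $scpHost, [string]::Join(', ', $certNames)
    }
}
```

The saved files can be read back with Import-Clixml and the recorded values passed to the matching Set-* cmdlets if a change has to be reverted.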

Author Comment

ID: 21800913
Well, after a restart after hours I am STILL getting the 401 error, which is strange. I double-checked it, and it looks correct. I did the right click on the start > test and it passed, but a send/receive gave me a prompt for a username and password I couldn't get past.

Accepted Solution

networkn earned 0 total points
ID: 21852372
Solved by restoring IIS to an earlier configuration. The 401 didn't go away when I renamed that reg setting.
