Cannot Get Autodiscover to Set Up Outlook or Pass Free/Busy Information with 3rd Party UCC cert

I have a 3rd party UCC/SAN certificate from a trusted CA.  It is installed on an Exchange 2007 CAS server (single-server setup), the certificate automatically installs in the browser, and the autodiscover service passes all Exchange shell and remote tests that I have come across.  Yet, it will not configure Outlook, and inside the firewall free/busy information is not working.

I think I have a permissions issue, but let me lay out the problem first.

The firewall has 443, 80 and 25 open to this machine, and I am trying to do Autodiscover with Outlook 2007.  The Exchange server is patched through the 10/31 version of rollup 4, and running on Server 2008 patched all the way.  The AD is 2008.  OWA works perfectly.

Testing with Outlook's "Test E-mail Autoconfiguration" function seems to work for the Administrator account, but fails abjectly with any user account, which is why I think there is an IIS permissions issue.

Using either the Administrator account or a user account, Outlook fails to set up a mail profile using the autodiscover service, saying "the server cannot be contacted."

I also don't seem to be able to set up an Outlook profile remotely in an RPC/HTTP setup using the same settings that would work on an Exchange 2003 server, but I am not certain the same settings are appropriate.

If I run the "Test E-mail Autoconfiguration" function from a remote Outlook client using the Administrator account, the "Results" tab resolves all internal and external URLs, seemingly correctly (cannot copy the output).

The "Log" tab shows the following 4 lines with only the "Use Autodiscover" test being run (no Guessmart or Guessmart Authentication):

> Autodiscover to https://externaldomain.com/autodiscover/autodiscover.xml starting
> Autodiscover to https://externaldomain.com/autodiscover/autodiscover.xml FAILED (0x800C8203)
> Autodiscover to https://autodiscover.externaldomain.com/autodiscover/autodiscover.xml starting
> Autodiscover to https://autodiscover.externaldomain.com/autodiscover/autodiscover.xml succeeded (0x00000000)

The XML tab shows the following:

<?xml version="1.0" encoding="utf-8"?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
  <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
    <User>
      <DisplayName>Administrator</DisplayName>
      <LegacyDN>/o=First Organization/ou=first administrative group/cn=Recipients/cn=Administrator</LegacyDN>
      <DeploymentId>dbb40376-adab-4d86-bcea-50c6659da487</DeploymentId>
    </User>
    <Account>
      <AccountType>email</AccountType>
      <Action>settings</Action>
      <Protocol>
        <Type>EXCH</Type>
        <Server>servername.internal.local</Server>
        <ServerDN>/o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=servername</ServerDN>
        <ServerVersion>720180F0</ServerVersion>
        <MdbDN>/o=First Organization/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=servername/cn=Microsoft Private MDB</MdbDN>
        <PublicFolderServer>servername.internal.local</PublicFolderServer>
        <AD>ADserver.internal.local</AD>
        <ASUrl>https://mail.externaldomain.com/ews/exchange.asmx</ASUrl>
        <EwsUrl>https://mail.externaldomain.com/ews/exchange.asmx</EwsUrl>
        <OOFUrl>https://mail.externaldomain.com/ews/exchange.asmx</OOFUrl>
        <UMUrl>https://mail.externaldomain.com/unifiedmessaging/service.asmx</UMUrl>
        <OABUrl>Public Folder</OABUrl>
      </Protocol>
      <Protocol>
        <Type>EXPR</Type>
        <Server>mail.externaldomain.com</Server>
        <SSL>On</SSL>
        <AuthPackage>Basic</AuthPackage>
        <ASUrl>https://mail.externaldomain.com/EWS/Exchange.asmx</ASUrl>
        <EwsUrl>https://mail.externaldomain.com/EWS/Exchange.asmx</EwsUrl>
        <OOFUrl>https://mail.externaldomain.com/EWS/Exchange.asmx</OOFUrl>
        <UMUrl>https://mail.externaldomain.com/UnifiedMessaging/Service.asmx</UMUrl>
        <OABUrl>Public Folder</OABUrl>
      </Protocol>
      <Protocol>
        <Type>WEB</Type>
        <Internal>
          <OWAUrl AuthenticationMethod="Basic, Fba">https://servername.internal.local/owa</OWAUrl>
          <Protocol>
            <Type>EXCH</Type>
            <ASUrl>https://mail.externaldomain.com/ews/exchange.asmx</ASUrl>
          </Protocol>
        </Internal>
      </Protocol>
    </Account>
  </Response>
</Autodiscover>

I would like to go over the IIS permissions, but IIS7 is kind of a pain and I cannot find any document so far that says for Exchange 2007 on IIS7 permissions should be set like so.

Thank you in advance for your attention and help!
irvcon Asked:
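Added example, not part of the original thread: a Python sketch that lists every HTTPS hostname in an Autodiscover response like the one posted above and flags those that the certificate's SAN entries do not cover. The SAN list and the function names are assumptions for illustration (the page does not show the certificate's real names), and the sample XML is trimmed from the question's placeholder output.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = "{http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a}"

# Constructed sample: trimmed from the response in the question (same placeholder hostnames).
SAMPLE = """<?xml version="1.0" encoding="utf-8"?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
  <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
    <Account>
      <Protocol><Type>EXCH</Type><Server>servername.internal.local</Server>
        <ASUrl>https://mail.externaldomain.com/ews/exchange.asmx</ASUrl></Protocol>
      <Protocol><Type>EXPR</Type><Server>mail.externaldomain.com</Server>
        <ASUrl>https://mail.externaldomain.com/EWS/Exchange.asmx</ASUrl></Protocol>
      <Protocol><Type>WEB</Type><Internal>
        <OWAUrl AuthenticationMethod="Basic, Fba">https://servername.internal.local/owa</OWAUrl>
      </Internal></Protocol>
    </Account>
  </Response>
</Autodiscover>"""

# Assumed SAN list for the UCC certificate; the page does not show the real one.
ASSUMED_SANS = ["mail.externaldomain.com", "autodiscover.externaldomain.com"]

def san_matches(host, san):
    """Exact match, or a '*.' wildcard that covers exactly one left-most label."""
    host, san = host.lower(), san.lower()
    if san.startswith("*."):
        return "." in host and host.split(".", 1)[1] == san[2:]
    return host == san

def https_endpoints(xml_text):
    """Yield (protocol type, element name, hostname) for every https URL in the response."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    for proto in root.iter(NS + "Protocol"):
        ptype = proto.findtext(NS + "Type", default="?")
        for el in proto.iter():
            text = (el.text or "").strip()
            if text.lower().startswith("https://"):
                yield ptype, el.tag.replace(NS, ""), urlparse(text).hostname

def uncovered(xml_text, sans):
    """Return the sorted endpoints whose hostname no SAN entry covers."""
    return sorted({e for e in https_endpoints(xml_text)
                   if not any(san_matches(e[2], s) for s in sans)})

if __name__ == "__main__":
    for ptype, tag, host in uncovered(SAMPLE, ASSUMED_SANS):
        print(f"{ptype}/{tag}: {host} is not on the certificate")
```

Paste the full text of the XML tab in place of `SAMPLE` and the certificate's actual SAN entries in place of `ASSUMED_SANS` to run it against a real response.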

Pret0rian Commented:
Virtual Directories:
Autodiscover: Integrated Windows Authentication and Basic Authentication
EWS: Same as above
RPC: same as above
On Default Website you should ONLY have "Enable Anonymous Access"

Check if they are the same as the ones I have put in here...

Remi

irvcon (Author) Commented:
Only RPC was out of joint with your scenario, it only had Basic, and I added Windows Integrated.

Also, I figured out why the Admin account tests fine but the user accounts did not.  I won't go into the depths of it, but now they both test fine and both fail to set up an outlook profile in the exact way specified above.

Here is output from within the EMS:

[PS] C:\>test-outlookwebservices -identity user@externaldomain.com | fl


Id      : 1003
Type    : Information
Message : About to test AutoDiscover with the e-mail address user@externaldomain.com.

Id      : 1006
Type    : Information
Message : The Autodiscover service was contacted at https://server.internaldomain.local/autodiscover/autodiscover.xml.

Id      : 1016
Type    : Success
Message : [EXCH]-Successfully contacted the AS service at https://mail.externaldomain.com/EWS/Exchange.asmx. The elapsed time was 46 milliseconds.

Id      : 1015
Type    : Information
Message : [EXCH]-The OAB is not configured for this user.

Id      : 1014
Type    : Success
Message : [EXCH]-Successfully contacted the UM service at https://mail.externaldomain.com/UnifiedMessaging/Service.asmx. The elapsed time was 15 milliseconds.

Id      : 1016
Type    : Success
Message : [EXPR]-Successfully contacted the AS service at https://mail.externaldomain.com/EWS/Exchange.asmx. The elapsed time was 62 milliseconds.

Id      : 1015
Type    : Information
Message : [EXPR]-The OAB is not configured for this user.

Id      : 1014
Type    : Success
Message : [EXPR]-Successfully contacted the UM service at https://mail.externaldomain.com/UnifiedMessaging/Service.asmx. The elapsed time was 15 milliseconds.

Id      : 1017
Type    : Success
Message : [EXPR]-Successfully contacted the RPC/HTTP service at https://mail.externaldomain.com/Rpc. The elapsed time was 15 milliseconds.

Id      : 1006
Type    : Success
Message : The Autodiscover service was tested successfully.

irvcon (Author) Commented:
I went over it all with a fine-toothed comb and found a couple of small things which cumulatively seemed to do it.  I think the host file entries on the servers are what finally did the trick.