How do I get Autodiscovery to work?

tbsjsy used Ask the Experts™
Hi Everyone,
I really am posting here as a last resort. I've looked at a number of other posts regarding this issue, have followed FAQ's and walkthroughs and all sorts, but i'm drawing a blank.

I am having continued problems getting Autodiscover to work internally and externally. Let me give you my configuration.

I have a single Exchange 2007 server
I have a trusted ssl certificate for
I have modified the internal and external urls on all of the ex2007 web services.
The cert is installed into IIS correctly, I can run 'Get-ExchangeCertificates' and I am shown my certificate as the top option, it has a status of enabled and the RootCAType is ThirdParty.
my IIS has the cert set as it's port 443 binding certificate.
I created a new internal primary zone in DNS for my internet domain and i've configured an A record to direct to my local exchange server ip.
I've modified my external dns record to pass port 443 through to the exchange server IP
I have created an internet based SRV record to point to my Exchange server.
I have set up to direct to my exchange server.

When I run Test-OutlookWebServices -identity test.user I am given a glowing report saying that everything has been a "sucess". So on the surface things look good.

However, If I browse manually to on one of my domain pc's I get a small popup advising asking me if I want to use a particular certificate, which is NOT my TrustedSSL third part cert. it's a self signed local certificate. If I select OK to use it, I am shown the XML output:

  <?xml version="1.0" encoding="utf-8" ?>
- <Autodiscover xmlns="">
- <Response>
- <Error Time="11:27:06.0812428" Id="2799226687">
  <Message>Invalid Request</Message>
  <DebugData />

If I browse to I am given a large output of XML and it seems to work fine.

IF I browse to I am given the output:
403 - Forbidden: Access is denied.
You do not have permission to view this directory or page using the credentials that you supplied.

When I ctrl+right click the outlook icon on a domain joined client and select to test the settings, I get:

Autoconfiguration has started, this may take up to a minute
Autoconfiguration was unable to determine your settings! (this is displayed INSTANTLY after clicking test)

The Log output is as follows:

Attempting URL found through SCP
Autodiscover to starting
Autodiscover to FAILED (0X80072F0C)
Autodiscover to starting
Autodiscover to FAILED (0x800C8293)
Autodiscover to starting
Autodiscover to FAILED (0x800C8203)
Local autodiscover for starting
local autodiscover for FAILED (0x8004010F)
Redirect check to starting
Redirect check to FAILED (0x80072EE7)
Srv Record lookup for starting
Srv Record lookup for FAILED (0x8004010F)

more info: - Works perfectly. certificate is shown, can do everything.

In outlook client, noone in the office has ever been able to use OOF, we get a message about the service being unavailable.

All of the WebServices have options for Basic and WindowsIntegrated authentication set to true

And don't even get me started on trying to get OA working! I'm not even slightly close. I have mstsc access to a pc not joined to domain and i'm getting nowhere with it at all.

If any of you guys can help me out i'd be a very happy bunny, i feel like i've wasted a ton of time trying to get this sorted out and I don't think i'm getting anywhere.


Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Expert of the Quarter 2009
Expert of the Year 2009
If you have purchased a single name SSL certificate, for autodiscover to work your external DNS service MUST support SRV records. Most do not.
Ideally you should have a SAN/UC certificate with the relevant names in it, one of which is

If you insist on using a single name SSL then you will need to follow my guide here:

Autodiscover is not an optional feature though.

Outlook Anywhere is simply a matter of installing the RPC Proxy component and then enabling the feature.

To test things from outside, use the Microsoft test site and a test account.

Yes Mestha is right, you have to purchase a UCC certificate from the cetificate provider having SAN(Subject Alternative Name) for web mail and Autodiscover,  you can follow my below blogs links for Assigning certificates on Exchange and for OWA publishing;

Assigning Certificates on Exchange Server:

Publishing OWA on ISA:
You are Using Autodiscover with Srv Record so need to confirm if SRV record is created properly or not can check using below steps:
From your client machine, do the following:

1. Open a command prompt and enter nslookup/

2. Type set type=all, and then press enter.
3. Type (where domainname is the name of your
external domain for OWA URL i.e SMTP domain), and then press ENTER.
You should get an output as below SRV service location:
priority = 10
weight = 5
port = 443
svr hostname =

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial