Autodiscover issue for non-domain clients on Exchange 2007

Howdy,
We are having an issue where non-domain joined clients using Outlook Anywhere are able to connect correctly but are receiving OAB sync errors and are unable to view Free/Busy when creating meetings in Outlook.  Everything works correctly for domain joined clients.

We have a 3rd party SSL certificate for outlook.mydomain.com (which can be correctly resolved externally and internally).

In Outlook 2007, using 'Test email autoconfiguration', this is what we get:
Autodiscover to https://mydomain.com/autodiscover/autodiscover.xml starting
Autodiscover to https://mydomain.com/autodiscover/autodiscover.xml FAILED (0x800C8203)
Autodiscover to https://autodiscover.mydomain.com/autodiscover/autodiscover.xml starting
Autodiscover to https://autodiscover.mydomain/autodiscover/autodiscover.xml succeeded (0x00000000)

XML from 'Test email autoconfiguration' attached below.


Test-OutlookWebServices -ClientAccessServer exchangeserver | fl

Id      : 1003
Type    : Information
Message : About to test AutoDiscover with the e-mail address administrator@mydomain.com.

Id      : 1007
Type    : Information
Message : Testing server exchangeserver.mydomain.com with the published name https://outlook.mydomain.com/ews/exchange.asmx & https://outlook.mydomain.com/EWS/Exchange.asmx.

Id      : 1019
Type    : Information
Message : Found a valid AutoDiscover service connection point. The AutoDiscover URL on this object is https://outlook.mydomain.com/autodiscover/autodiscover.xml.

Id      : 1013
Type    : Error
Message : When contacting https://outlook.mydomain.com/autodiscover/autodiscover.xml received the error The remote server returned an error: (401) Unauthorized.

Id      : 1006
Type    : Error
Message : The Autodiscover service could not be contacted.


If you need any other information please let me know.
Thanks!
<?xml version="1.0" encoding="utf-8"?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
  <Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
    <User>
      <DisplayName>Administrator</DisplayName>
      <LegacyDN>/o=DOMAIN/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=administrator</LegacyDN>
      <DeploymentId>467acf2f-51b3-44f0-b056-a5aee8ea93f9</DeploymentId>
    </User>
    <Account>
      <AccountType>email</AccountType>
      <Action>settings</Action>
      <Protocol>
        <Type>EXCH</Type>
        <Server>exchangeserver.mydomain.com</Server>
        <ServerDN>/o=DOMAIN/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=EXCHANGESERVERL</ServerDN>
        <ServerVersion>720180F0</ServerVersion>
        <MdbDN>/o=DOMAIN/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=EXCHANGESERVER/cn=Microsoft Private MDB</MdbDN>
        <PublicFolderServer>exchangeserver.mydomain.com</PublicFolderServer>
        <AD>pdc.mydomain.com</AD>
        <ASUrl>https://outlook.mydomain.com/ews/exchange.asmx</ASUrl>
        <EwsUrl>https://outlook.mydomain.com/ews/exchange.asmx</EwsUrl>
        <OOFUrl>https://outlook.mydomain.com/ews/exchange.asmx</OOFUrl>
        <UMUrl>https://outlook.mydomain.com/unifiedmessaging/service.asmx</UMUrl>
        <OABUrl>https://outlook.mydomain.com/oab/b3d168ff-ad9c-4cd2-a24e-47ce2c4d2948/</OABUrl>
      </Protocol>
      <Protocol>
        <Type>EXPR</Type>
        <Server>outlook.mydomain.com</Server>
        <SSL>On</SSL>
        <AuthPackage>Basic</AuthPackage>
        <ASUrl>https://outlook.mydomain.com/EWS/Exchange.asmx</ASUrl>
        <EwsUrl>https://outlook.mydomain.com/EWS/Exchange.asmx</EwsUrl>
        <OOFUrl>https://outlook.mydomain.com/EWS/Exchange.asmx</OOFUrl>
        <UMUrl>https://outlook.mydomain.com/UnifiedMessaging/Service.asmx</UMUrl>
        <OABUrl>https://outlook.mydomain.com/OAB/b3d168ff-ad9c-4cd2-a24e-47ce2c4d2948/</OABUrl>
      </Protocol>
      <Protocol>
        <Type>WEB</Type>
        <External>
          <OWAUrl AuthenticationMethod="Fba">http://mail.mydomain.com/owa</OWAUrl>
          <Protocol>
            <Type>EXPR</Type>
            <ASUrl>https://outlook.mydomain.com/EWS/Exchange.asmx</ASUrl>
          </Protocol>
        </External>
        <Internal>
          <OWAUrl AuthenticationMethod="Basic">http://mail.mydomain.com/owa</OWAUrl>
          <Protocol>
            <Type>EXCH</Type>
            <ASUrl>https://outlook.mydomain.com/ews/exchange.asmx</ASUrl>
          </Protocol>
        </Internal>
      </Protocol>
    </Account>
  </Response>
</Autodiscover>


aiscomAsked:

adiloadiloCommented:
Can you try https://www.testexchangeconnectivity.com/ to test Autodiscover and report back?
Is this an internal or external Autodiscover? Do you have any errors in the Event Viewer when non-domain clients connect?
0
aiscomAuthor Commented:
Each test failed at some point:
1 - Testing TCP Port 443 on host imydomain.com to ensure it is listening and open:  Failed as this host record is actually going to a web server.
2 - The SSL Certificate failed one or more certificate validation checks: This failed because the SSL certificate is for outlook.mydomain.com instead of autodiscover.mydomain.com
3 - Checking Host autodiscover.mydomain.com for an HTTP redirect to AutoDiscover. Failed to get an HTTP redirect response for AutoDiscover
4 - Failed to contact AutoDiscover using the DNS SRV redirect method: Is this searching internal or external?

This is for external autodiscover.
There are no errors in the event log when running the test above.
The only errors in the logs have to do with an internal ssl certificate which is not used (we use the 3rd party one).
0
adiloadiloCommented:
Hi there, based on the errors you listed, the availability services will not work properly. Please try fixing Autodiscover both internally and externally. You should create an autodiscover.yourdomain.com A record inside and outside your network. Though this is only used for Outlook clients, it is recommended that you set it properly for OAB to work and for other availability services. This is also required for Outlook Anywhere for clients which are not part of the domain and for clients outside your network.
Please follow this article to set the autodiscover.mydomain.com :

http://www.exchangeninjas.com/cascertificateconfig

If after setting autodiscover.mydomain.com you still have problems, then please post any errors you have.

Good Luck
0

aiscomAuthor Commented:
We were thinking about using this method: http://www.exchangeninjas.com/CasCertMethod3

I was curious, though, about how this helps external clients.  autodiscover.mydomain.com already resolves externally and internally to the same places.  If we go with the above method, wouldn't this only help internal non-domain clients?
0
aiscomAuthor Commented:
Anyone?  I am confused about the internal IP and if I have to do any additional forwarding of ports at our firewall or anything.
0
aiscomAuthor Commented:
:(
Would anyone know the details about this?
0
aiscomAuthor Commented:
I implemented this.
I still do not know if I have to update the external autodiscover.mydomain.com to a new IP address, just like I pointed it internally at the secondary address.  Anybody know for sure?
0
adiloadiloCommented:
Some non-domain users may receive a 401 error when attempting to connect to the CAS server via Autodiscover. The article below talks about why IIS on the CAS server returns this error.

http://support.microsoft.com/?id=896861

You can test whether you have the same problem by attempting to access the server in the following way:

https://netbiosname/Autodiscover/Autodiscover.xml:
It will prompt for credentials. After prompting a couple of times you get the following error: Error: Access is Denied.

Use https://localhost/Autodiscover/Autodiscover.xml on the Exchange CAS server:
If this works fine and you get an output, then you are facing this problem.

Then do this:

DisableLoopbackCheck can be disabled, but then the system is left open to an attack, and I would not recommend disabling this function unless you will enable it once testing is completed.

Disable the loopback check
Follow these steps on the server holding the CAS role:
1. Click Start, click Run, type regedit, and then click OK.
2. In Registry Editor, locate and then click the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
3. Right-click Lsa, point to New, and then click DWORD Value.
4. Type DisableLoopbackCheck, and then press ENTER.
5. Right-click DisableLoopbackCheck, and then click Modify.
6. In the Value data box, type 1, and then click OK.
7. Quit Registry Editor, and then restart the CAS server.

If it is still not working, re-create your OAB:

The only thing I might do in your situation is re-create the OAB

http://technet.microsoft.com/en-us/library/bb123692.aspx

One way to test the OAB is

Get-OabVirtualDirectory | fl Name,InternalURL,ExternalURL

This will return the address of the OAB to see if it is valid.
0
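Added example, not part of the original comment or of Microsoft's article: KB 896861, linked above, also describes a narrower fix than DisableLoopbackCheck, which is to list only the affected host names in BackConnectionHostNames under Lsa\MSV1_0. The PowerShell below reports the current state, adds the two host names used in this thread, and removes the global override; the function names are illustrative.

```powershell
# Added example, not from the thread. Function names are illustrative.
$LsaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Msv1Key = "$LsaKey\MSV1_0"

function Get-LoopbackCheckState {
    # Reports whether the check is switched off globally and which host
    # names are individually exempted from it.
    $lsa  = Get-ItemProperty -Path $LsaKey  -ErrorAction SilentlyContinue
    $msv1 = Get-ItemProperty -Path $Msv1Key -ErrorAction SilentlyContinue
    $names = @()
    if ($msv1 -and $msv1.BackConnectionHostNames) {
        $names = @($msv1.BackConnectionHostNames)
    }
    New-Object PSObject -Property @{
        LoopbackCheckDisabled   = [bool]($lsa -and $lsa.DisableLoopbackCheck -eq 1)
        BackConnectionHostNames = $names
    }
}

function Add-LoopbackExemption {
    param([Parameter(Mandatory = $true)][string[]]$HostNames)
    # Merge with existing entries so other applications' exemptions survive.
    $current = @((Get-LoopbackCheckState).BackConnectionHostNames)
    $merged  = @(($current + $HostNames) | Where-Object { $_ } | Sort-Object -Unique)
    # -Force overwrites the value if present; the type must be REG_MULTI_SZ.
    New-ItemProperty -Path $Msv1Key -Name BackConnectionHostNames `
        -PropertyType MultiString -Value $merged -Force | Out-Null
    $merged
}

function Restore-LoopbackCheck {
    # Removes the global override once testing is finished.
    Remove-ItemProperty -Path $LsaKey -Name DisableLoopbackCheck `
        -ErrorAction SilentlyContinue
}

# Run elevated on the CAS server. Host names are the ones used in this thread.
Get-LoopbackCheckState
Add-LoopbackExemption -HostNames 'outlook.mydomain.com', 'autodiscover.mydomain.com'
Restore-LoopbackCheck
Get-LoopbackCheckState
```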
aiscomAuthor Commented:
adiloadilo:
Using the netbios name link it pulled up the XML stating:

<?xml version="1.0" encoding="utf-8" ?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
  <Response>
    <Error Time="09:56:10.5478501" Id="329614387">
      <ErrorCode>600</ErrorCode>
      <Message>Invalid Request</Message>
      <DebugData />
    </Error>
  </Response>
</Autodiscover>

Attempting to pull up the localhost link Internet Explorer said that it could not display the page.

Using that OAB command it returned the internal and external URLs as: https://outlook.mydomain.com/oab

I tested with an internal non-domain client and it was able to pass the Outlook connection test for the HTTP redirect.  However, when we tested the Free/Busy for a meeting it did not work.  Any ideas why or how to further troubleshoot?
0
aiscomAuthor Commented:
Anything else?
0
aiscomAuthor Commented:
:(
0
aiscomAuthor Commented:
For what it's worth, we were able to fix this.  The problem stemmed from the fact that the *primary* email address for most everyone was something different (mydomain2.com).  After we set up SRV records for this internally and externally, everything started working correctly.
0
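Added example, not part of the original thread: the lookups seen in this thread (HTTPS on the domain, HTTPS on autodiscover.domain, the HTTP redirect, then the DNS SRV record) are all derived from the domain of the primary SMTP address, and each one ends at a TLS host whose name must be on the certificate. The PowerShell below lists them for an address and checks each host against the certificate names; the function names, the sample address, and the assumption that the redirect and the SRV record point at outlook.mydomain.com are illustrative.

```powershell
# Added example, not from the thread. Function names are illustrative.
function Get-AutodiscoverCandidates {
    param([Parameter(Mandatory = $true)][string]$EmailAddress,
          [Parameter(Mandatory = $true)][string]$PublishedHost)
    # Every lookup is built from the domain of the primary SMTP address.
    $d = $EmailAddress.Split('@')[-1].ToLower()
    $steps = @(
        @{ Step = 1; Method = 'HTTPS domain';  Lookup = "https://$d/autodiscover/autodiscover.xml";              TlsHost = $d },
        @{ Step = 2; Method = 'HTTPS prefix';  Lookup = "https://autodiscover.$d/autodiscover/autodiscover.xml"; TlsHost = "autodiscover.$d" },
        # Steps 3 and 4 hand the client over to another host name, so the
        # certificate is checked against that name instead.
        @{ Step = 3; Method = 'HTTP redirect'; Lookup = "http://autodiscover.$d/autodiscover/autodiscover.xml";  TlsHost = $PublishedHost },
        @{ Step = 4; Method = 'DNS SRV';       Lookup = "_autodiscover._tcp.$d";                                 TlsHost = $PublishedHost }
    )
    $steps | ForEach-Object { New-Object PSObject -Property $_ }
}

function Test-CertNameMatch {
    param([string]$HostName, [string[]]$CertNames)
    $h = $HostName.ToLower()
    foreach ($name in $CertNames) {
        $n = $name.ToLower()
        if ($n.StartsWith('*.')) {
            # A wildcard covers exactly one label to the left of the suffix.
            $suffix = $n.Substring(1)
            if ($h.Length -gt $suffix.Length -and $h.EndsWith($suffix) -and
                -not $h.Substring(0, $h.Length - $suffix.Length).Contains('.')) {
                return $true
            }
        } elseif ($n -eq $h) {
            return $true
        }
    }
    return $false
}

# Constructed scenario: primary SMTP domain mydomain2.com, certificate issued
# only for outlook.mydomain.com, SRV/redirect target assumed to be that host.
$certNames = @('outlook.mydomain.com')
Get-AutodiscoverCandidates -EmailAddress 'user@mydomain2.com' -PublishedHost 'outlook.mydomain.com' |
    Sort-Object Step |
    Select-Object Step, Method, Lookup, TlsHost,
        @{ Name = 'CertMatches'; Expression = { Test-CertNameMatch $_.TlsHost $certNames } } |
    Format-Table -AutoSize
```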
