Solved

Out of Office Exchange 2007 - Server Not Available

Posted on 2010-08-24
16
1,305 Views
Last Modified: 2012-05-10
Hi all,

Been battling with a problem where Out of Office Assistant does not fire up on Outlook 2007 clients on my 2008SBS domain.

During my research I found a thread on another forum where a guy had exactly the same problem as me and he eventually found the cure himself.  The frustrating thing is that his description of what he did to fix it doesn't make sense when I try to follow his steps so was wondering if someone could get a grasp of what he meant and translate it into Server 2008 SBS steps please....

He said:

Okay...this is embarasing!

It was something that I checked but "took my glasses off" - apparently.

On the Virtual Directories within IIS if you go to Properties and then
Directory Security and then go to the Secure Communications area and click
on Edit... button you need to make sure that the "Ignore Client
Certificates" radio button is selected -AND NOT- "Accept Client
Certificates".

This came from opening up
https://mail.mydomain.com/autodiscover/autodiscover.xml and getting that
prompt that I mentined about a 'select a certificate' - but there was no
certificate to choose!  I simply hit okay and then put in the credentials.
Well, when I did this with MS-PSS he knew exactly what the issue was....

 
Many thanks

Adam

0
Comment
Question by:amlydiate
  • 7
  • 7
  • 2
16 Comments
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33516264
0
 
LVL 9

Expert Comment

by:v_9mhdrf
ID: 33518590
OOF not working

Please check the following steps mentioned below:-

Autodiscover = Basic + Windows Integrated + SSL Forced == Disable - Kernel Mode Authentication.
OAB= Windows Integrated = Disable - Kernel Mode Authentication.
EWS= Windows Integrated = Disable - Kernel Mode Authentication + SSL forced.

Follow the kb-940726, and run the following command on the server.

Set-ClientAccessServer -Identity CAS_Server_Name -AutodiscoverServiceInternalUri https://mail.contoso.com/autodiscover/autodiscover.xml

Set-WebServicesVirtualDirectory -Identity "CAS_Server_Name\EWS (Default Web Site)" -InternalUrl https://mail.contoso.com/ews/exchange.asmx

Set-OABVirtualDirectory -Identity "CAS_Server_name\oab (Default Web Site)" -InternalUrl https://mail.contoso.com/oab

Please run the following command in the management shell:-

test-outlookWebserivces | fl and see the result. If you get 401 Unauthorized please follow the below link and restart the server.

DisableLoopbackcheck registry.
key as per the article <http://support.microsoft.com/kb/896861>.


Then perform "SetSPN -a http/(Exchange server FQDN) (Exchange server name)"

Check the HTTP keep alive in IIS 7 in the following place:-
HTTP response headers on Default WebSite == set common headers.

If still the issue persists, please follow this steps:-

Delete and recreate the Autodiscover/ EWS Virtual Directories.
Remove-AutodiscoverVirtualDirectory -identity "CAS server name\Autodiscover (Default Web Site)"
Remove-WebservicesVirtualDirectory -identity "CAS server name\EWS (Default Web Site)"

new-AutodiscoverVirtualDirectory
new-WebservicesVirtualDirectory
And follow the kb-940726 again to set the InternalUri.
Perform IISreset.

And also please check whether you have 3.5 .netFramework, if yes please download and install the following hotfix.
KB- 958934

And Run Test EmailAutoconfiguration  from outlook 2007 client, and please select only Autodiscover. Remove Guessmart and Secure Guess mart.

Please check out these steps and revert back if the issue persists.
0
 

Author Comment

by:amlydiate
ID: 33518941
o.k. a few things:

1) Where can I set "Kernal mode authentication" as advised above, it isn't in the list when I select Authentication in IIS for each website, I just get Anonymous, ASP.NET, Basic, Digest, forms or Windows Authentication

2) Here are the results of test-outlookWebservices |fl:  

[PS] C:\Windows\System32>test-outlookWebservices |fl


Id      : 1003
Type    : Information
Message : About to test AutoDiscover with the e-mail address Adam@domain.co.uk.

Id      : 1007
Type    : Information
Message : Testing server 2K8SERVER.domain.local with the published name https://owa.domain.co.uk/ews/exchange.asmx & https://owa.domain.co.uk/ews/exchange.asmx.

Id      : 1019
Type    : Information
Message : Found a valid AutoDiscover service connection point. The AutoDiscover URL on this object is https://owa.domain.co.uk/Autodiscover/Autodiscover.xml.

Id      : 1013
Type    : Error
Message : When contacting https://owa.domain.co.uk/Autodiscover/Autodiscover.xml received the error The remote server returned an error: (403) Forbidden.

Id      : 1006
Type    : Error
Message : The Autodiscover service could not be contacted.

3) Webservices and OAB virtual directories are correct according to kb-940726

4) Yes we do have 3.5 .net bu trying to get Hotfix 958934 sets me on a wild goose chase, 934 has now been superceded by Hotfix 976814 which gives a link to contact Microsoft to get the hotfix but ultimately sends you to a web form which gives 3 options all requiring pre-payment to get support.  Driving me mad!

Guys, I'm really grateful for your help so far, I think one of the things here is going to fix it, just need a little more help as described above.

many thanks

Adam
0
 
LVL 9

Expert Comment

by:v_9mhdrf
ID: 33519369
kernal Mode Authentication is located in IIS 7.
When you select the Authentication - Windows Integrated Authentication - on the top right hand side you will get Advanced Settings- Here you will find the Kernal Mode Authentication.

Please try to browse Autodiscover virtual directory and you should get the xml page with error 600.
https://owa.domain.co.uk/Autodiscover/Autodiscover.xml

Please try removing the Autodiscover Virtual Directory and recreate it.
And also please check whether you have set any Redirecttion.

Try creating an Forward Lookup zone with "domain.co.uk" and create the host records.
2 Host A record:- owa and Autodiscover associate with the internal IP address.
and do Ipconfig /flushdns and registerdns.

Please try doing this and revert back if the issue persists.

0
 
LVL 9

Expert Comment

by:v_9mhdrf
ID: 33519385
Sorry forgot to mention the command let to remove and recreate the Autodiscover Virtual directory as well as EWS.

Remove-AutodiscoverVirtualDirectory -Identity "CAS_Server_Name\Autodiscover (SBS Web Applications)"
Remove-WebServicesVirtualDirectory -Identity "CAS_Server_Name\EWS (SBS Web Applications)"
0
 

Author Comment

by:amlydiate
ID: 33526328
OK great comments so far, have managed to enable Kernal Mode in OAB as advised, however can't enable Kernal mode in EWS as it appears under Default Website which is not bound to 443.  Am I to assume that perhaps having EWS under default web site might be at least contributing towards the problem?  If so is there an easy way to move it (novice at IIS I'm afraid)

Up to now haven't removed and recreated any directories as I wanted to straighten out the more obvious issues first.  

I've tried browsing Autodiscovery virtual directory using 443 and that goes to the server IP address/Autodiscover and gives me a certificate error saying cert was for a different address.  When I then Click on Continue to this website I get asked for a username and password, which once entered gives me an HTTP Error 500.0 Internal Server Error


Any of this help?

Really appreciate your help so far, I'm desperate to get this fixed so would appreciate any further comments.

All the best

Adam
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33526465
Where did you get your UCC/SAN Cert from ?
You may have to re-key your certificate.
0
 
LVL 9

Accepted Solution

by:
v_9mhdrf earned 500 total points
ID: 33527848
Since you are using an SBS server the EWS virtual Directory should be under SBS Web Applications not under EWS.
And also, there is a problem with the Autodiscover Virtual Directory.
So you have to go for Removal of Virtual Directories. Now in your case, since EWS is in Default Web Site, make sure you run the following command to remove the EWS from Default website and to recreate it in SBS Web Applications.

Remove the directories.
Remove-AutodiscoverVirtualDirectory -Identity "CAS_Server_Name\Autodiscover (SBS Web Applications)"
Remove-WebServicesVirtualDirectory -Identity "CAS_Server_Name\EWS (Default Web Site)"

Recreate the Directories.
New-AutodiscoverVirtualDirectory -WebSitename "SBS Web Applications"
New-WebServicesVirtualDirectory -WebSitename "SBS Web Applications"

Please try this, and please dont enable the kernal Mode Authentication, we dont required that. Disable the Kernal Mode Authentication from Autodiscover/ EWS and OAB.

After removing and recreating it, please follow the kb- 940726 once again to set the InternalUri and also please make sure that you have the SCP url listen the internal DNS.

And also make sure that you having the following authentication in this 3 directories.
Autodiscover :- Basic + Windows Integrated + SSL Enabled.
EWS :- Windows Integrated = No SSL.
OAB:- Windows Integrated = No SSL.

Please try this settings on the server now and please revert back if you have any issues.
0
What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

 

Author Comment

by:amlydiate
ID: 33529209
Hi v_9mhdrf,

Many thanks for that last post, have deleted and recreated the virtual directories as advised, have worked through the steps in 940726, I'm not sure what I should do in response to "have the SCP url listen the internal DNS" could you please tell me how to do this, I do have a forwarder in DNS for owa.domain.co.uk pointing to the IP address of the server, is this enough?

When I tried to check the authentication for OAB to make sure it was just Windows Integrated and No SSL I noticed that Forms Based authentication is enabled as well as Windows Authentication.  Problem is I can't disable Forms based as the button is greyed out and a message states "Challenge-based and login redirect-based authentication cannot be used simultaneously. This feature has been locked and is read only.

Does this matter?

Many thanks as always for your help

Adam
0
 
LVL 9

Expert Comment

by:v_9mhdrf
ID: 33529222
Well! you have the internal DNS record for OWA.domain.co.uk and make sure that you have autodiscover.domain.co.uk in ur internal dns ip.
And well you should have only Windows Integrated Authentication not the FBA enabled.
Please check the authentication on SBS Web Application website and see whether there is same authentication selected.
If yes please remove it from there and then try to remove from OAB as well.

Hope this helps.
0
 

Author Comment

by:amlydiate
ID: 33529384
Thank you, I have now removed FBA from SBS Web Applications, and that disabled it in OAB also.  I have checked DNS and owa.domain.co.uk is in there pointing to the internal IP address of the server, I also have an entry for autodiscover.domain.co.uk pointing to the FQDN of the server.

After changing the authentication in IIS and checking DNS was o.k. I reset IIS.

I then tried to browse autodiscover in IE and entered https://owa.domain.co.uk/autodiscover/autodiscover.xml  I was immediately asked for a username and password in a box entitled connecting to owa.domain.co.uk. I entered the admin username and password and clicked o.k. then the box came back and the username suddenly contained "owa.domain.co.uk\administratorusername" and when I put the password in I get HTTP Error 401.1 - Unauthorized.


I've tried a client machine again out of curiosity after all these changes and Out of Office still doesn't work.

I think this is still a redirect or authentication issue somewhere...

Think we're close, would really appreciate any further comments if you can.

All the best

Adam
0
 
LVL 9

Expert Comment

by:v_9mhdrf
ID: 33529416
Please use domain\username and password.
And please run Test-OutlookWebServices | fl, and please check whether you are getting 401 (Unauthorized). If yes then please follow the article of DisableLoopbackCheck with value 1.
<http://support.microsoft.com/kb/896861>.
Please try this, hope this helps.
0
 

Author Comment

by:amlydiate
ID: 33529418
Just to confirm, Autodiscover authentication is set to Basic and Windows only and set to require 128bit SSL and ignore client certificates, kernal mode authentication has been unticked.



0
 

Author Comment

by:amlydiate
ID: 33529534
Ah I DID get a 401 error in Test-OutlookWebServices, I then disabled loopback check on the server and browsed autodiscover again was asked for username and password and this time I can see the XML page detailing ErrorCode600.

I then ran Test-OutlookWebServices again and the test went much further,

Valid Autodiscover CP was found and contacted.
AS Service was contacted successfully
OAB Service was contacted successfully
UM Service was contacted successfully
The AS is not configured for this user (administrator)

Get the following errors though:
1013 when contacting https://owa.domain.co.uk/rpc (error 404) Not found
1017 when contacting the RPC/HTTP service at https://owa.domain.co.uk/rpc the time elapsed was 108 milliseconds

Now I had a more positive response from Autodiscover I then went back to the client PC, fired up Outlook and clicked on Out of Office Assistant and I still get "Your out of office settings cannot be displayed, because the server is currently unavailable.  Try again later." :-(
0
 

Author Closing Comment

by:amlydiate
ID: 33529687
I've got it working! The authentication on the newly recreated EWS Virtual Directory was not forcing SSL, I've checked SSL and everything is fine.

I am so grateful to you v_9mhdrf for all your help with this, it's been a really horrible feeling to not have it working for so long and you have made me a very happy man! THANK YOU!!!!

All the best

Adam
0
 
LVL 9

Expert Comment

by:v_9mhdrf
ID: 33538645
Thanks Adam.
Its my Pleasure to assist you!
0

Featured Post

The curse of the end user strikes again      

You’ve updated all your end user’s email signatures. Hooray! But guess what? They’re playing around with the HTML, adding stupid taglines and ruining the imagery. Find out how you can save your signatures from end users today.

Join & Write a Comment

Resolve Outlook connectivity issues after moving mailbox to new Exchange 2016 server
Not sure what the best email signature size is? Are you worried about email signature image size? Follow this best practice guide.
To show how to create a transport rule in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Mail Flow >> Rules tab.:  To cr…
how to add IIS SMTP to handle application/Scanner relays into office 365.

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

20 Experts available now in Live!

Get 1:1 Help Now