?
Solved

Getting login prompt for Autodiscover on Exchange 2010

Posted on 2010-08-24
7
Medium Priority
?
2,402 Views
Last Modified: 2012-05-10
Just migrated a client to a new domain running a single Exchange 2010 server on the internal LAN.  Imported the old commercial SSL certificate used for the public FQDN of the Exchange server and assigned it to the IIS role via the Exchange Management Console.  Changed all the internal (and external) URLs for OAB etc... to use the public FQDN via the Exchange Management Console.  Changed the internal and external URL for the Auto discovery site to use the public FQDN via the Exchange Managenet Shell.  Set AutoDiscover SCP record to point to the public FQDN.

What happens is when setting up Outlook internally using AutoDiscover, the user continually gets prompted to log in.  The log-in name defaults to their public email address.  Tried all known permutations for enterting domain user credentials (i.e. domain\user, user@domain.local) but keep getting prompted.  Permissions all look correct at the file level and IIS.  Changing it all back to the local / internal URLs and using the Exchange self-signed cert restores it back to normal but then I get the security warning on the certificate as it doesn't match the detiniation name.

Am I doing something wrong here or missing some step?  Is it possible to use a SSL certificate with the external FQDN for the Exchange AutoDiscover service?
0
Comment
Question by:unisolutions
7 Comments
 
LVL 9

Accepted Solution

by:
v_9mhdrf earned 2000 total points
ID: 33518626
Autodiscover = Basic + Windows Integrated + SSL Forced == Disable - Kernel Mode Authentication.
OAB= Windows Integrated = Disable - Kernel Mode Authentication.
EWS= Windows Integrated = Disable - Kernel Mode Authentication + SSL forced.

Follow the kb-940726, and run the following command on the server.

Set-ClientAccessServer -Identity CAS_Server_Name -AutodiscoverServiceInternalUri https://mail.contoso.com/autodiscover/autodiscover.xml 

Set-WebServicesVirtualDirectory -Identity "CAS_Server_Name\EWS (Default Web Site)" -InternalUrl https://mail.contoso.com/ews/exchange.asmx

Set-OABVirtualDirectory -Identity "CAS_Server_name\oab (Default Web Site)" -InternalUrl https://mail.contoso.com/oab

Please run the following command in the management shell:-

test-outlookWebserivces | fl and see the result. If you get 401 Unauthorized please follow the below link and restart the server.

DisableLoopbackcheck registry.
key as per the article <http://support.microsoft.com/kb/896861>.

Please follow the following article
http://support.microsoft.com/kb/927612

Please set the spn to communicate with GC as per the KB..
ExchangeAB should have the GC server name and Fqdn.

Then perform "SetSPN -a http/(Exchange server FQDN) (Exchange server name)"

Check the HTTP keep alive in IIS 7 in the following place:-
HTTP response headers on Default WebSite == set common headers.

If still the issue persists, please follow this steps:-

Delete and recreate the Autodiscover/ EWS Virtual Directories.
Remove-AutodiscoverVirtualDirectory -identity "CAS server name\Autodiscover (Default Web Site)"
Remove-WebservicesVirtualDirectory -identity "CAS server name\EWS (Default Web Site)"

new-AutodiscoverVirtualDirectory
new-WebservicesVirtualDirectory
And follow the kb-940726 again to set the InternalUri.
Perform IISreset.

And also please check whether you have 3.5 .netFramework, if yes please download and install the following hotfix.
KB- 958934

And Run Test EmailAutoconfiguration  from outlook 2007 client, and please select only Autodiscover. Remove Guessmart and Secure Guess mart.

Please all this steps and revert back if the issue still persists!!!

Thanks,
Mohammed
0
 

Author Comment

by:unisolutions
ID: 33518665
Thanks very much Mohammed... very detailed and I will try this tonight and let you know how I went.

Regards,

John
0
 
LVL 3

Expert Comment

by:jabri007
ID: 33519090
Please check the Virtual Directory Authentication Settings ..see below

http://msexchangeteam.com/archive/2008/02/01/447989.aspx

Also make sure the certicate issued to and host name for autodiscover is same
0
Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

 
LVL 3

Expert Comment

by:Girish_2500
ID: 33520088
hi,

Make sure that the URL mention in SCP resolves to ipaddress of the CAS servers internally via local DNS.
Ping SCP url internally and make sure it is reachable.
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33521755
Mohammed @ you got skills man :)
That's a really *complete* post (including setSPN..)
0
 

Author Comment

by:unisolutions
ID: 33528479
Mohammed you are the man!  It all works beautifully now internally and externally.  It was the SetSPN -a http/(Exchange server FQDN) (Exchange server name) part that did the magic.
0
 

Author Closing Comment

by:unisolutions
ID: 33528608
Mohammed is a gun
0

Featured Post

Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

If there is anything erroneous with Exchange Database, it causes a significant effect on email communication till the user remounts the database. Further, database crash directly affects Outlook users due to which they are unable to access their ema…
Microsoft Exchange Server gives you the ability to roll back a corrupt database, but still preserve any data written to that database since the last successful backup. Unfortunately the documentation on how to do this when recovering using imaging b…
The basic steps you have just learned will be implemented in this video. The basic steps are shown to configure an Exchange DAG in a live working Exchange Server Environment and manage the same (Exchange Server 2010 Software is used in a Windows Ser…
To add imagery to an HTML email signature, you have two options available to you. You can either add a logo/image by embedding it directly into the signature or hosting it externally and linking to it. The vast majority of email clients display l…

585 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question