Solved

Getting login prompt for Autodiscover on Exchange 2010

Posted on 2010-08-24
Last Modified: 2012-05-10
Just migrated a client to a new domain running a single Exchange 2010 server on the internal LAN.  Imported the old commercial SSL certificate used for the public FQDN of the Exchange server and assigned it to the IIS role via the Exchange Management Console.  Changed all the internal (and external) URLs for OAB etc. to use the public FQDN via the Exchange Management Console.  Changed the internal and external URL for the Autodiscover site to use the public FQDN via the Exchange Management Shell.  Set the AutoDiscover SCP record to point to the public FQDN.

What happens is that when setting up Outlook internally using AutoDiscover, the user continually gets prompted to log in.  The log-in name defaults to their public email address.  Tried all known permutations for entering domain user credentials (i.e. domain\user, user@domain.local) but keep getting prompted.  Permissions all look correct at the file level and in IIS.  Changing it all back to the local / internal URLs and using the Exchange self-signed cert restores it back to normal, but then I get the security warning on the certificate as it doesn't match the destination name.

Am I doing something wrong here or missing some step?  Is it possible to use an SSL certificate with the external FQDN for the Exchange AutoDiscover service?
Question by:unisolutions
7 Comments
 
LVL 9

Accepted Solution

by:
v_9mhdrf earned 500 total points
ID: 33518626
Autodiscover = Basic + Windows Integrated + SSL Forced == Disable - Kernel Mode Authentication.
OAB= Windows Integrated = Disable - Kernel Mode Authentication.
EWS= Windows Integrated = Disable - Kernel Mode Authentication + SSL forced.

Follow the kb-940726, and run the following command on the server.

Set-ClientAccessServer -Identity CAS_Server_Name -AutodiscoverServiceInternalUri https://mail.contoso.com/autodiscover/autodiscover.xml 

Set-WebServicesVirtualDirectory -Identity "CAS_Server_Name\EWS (Default Web Site)" -InternalUrl https://mail.contoso.com/ews/exchange.asmx

Set-OABVirtualDirectory -Identity "CAS_Server_name\oab (Default Web Site)" -InternalUrl https://mail.contoso.com/oab

Please run the following command in the management shell:-

Test-OutlookWebServices | fl

and see the result. If you get 401 Unauthorized, please follow the link below and restart the server.

DisableLoopbackCheck registry key as per the article <http://support.microsoft.com/kb/896861>.

Please follow the following article
http://support.microsoft.com/kb/927612

Please set the SPN to communicate with the GC as per the KB.
ExchangeAB should have the GC server name and Fqdn.

Then perform "SetSPN -a http/(Exchange server FQDN) (Exchange server name)"

Check the HTTP keep alive in IIS 7 in the following place:-
HTTP response headers on Default WebSite == set common headers.

If the issue still persists, please follow these steps:

Delete and recreate the Autodiscover/ EWS Virtual Directories.
Remove-AutodiscoverVirtualDirectory -identity "CAS server name\Autodiscover (Default Web Site)"
Remove-WebservicesVirtualDirectory -identity "CAS server name\EWS (Default Web Site)"

new-AutodiscoverVirtualDirectory
new-WebservicesVirtualDirectory
And follow the kb-940726 again to set the InternalUri.
Perform IISreset.

Also, please check whether you have .NET Framework 3.5; if yes, please download and install the following hotfix.
KB 958934

And run Test E-mail AutoConfiguration from the Outlook 2007 client, and please select only Autodiscover. Remove Guessmart and Secure Guessmart.

Please follow all these steps and revert back if the issue still persists!

Thanks,
Mohammed
0
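
The certificate warning in the question and the URL changes in the accepted answer both depend on every client-facing URL host being a name on the certificate bound to IIS. The following check is an added example, not code from the thread; `exch01.corp.local` and `autodiscover.contoso.com` are constructed sample values and the function names are hypothetical.

```powershell
# Added example: flag URL hosts that no name on the IIS certificate covers.
function Test-HostCoveredByCert {
    param([string]$HostName, [string[]]$CertNames)
    foreach ($name in $CertNames) {
        if ($name -eq $HostName) { return $true }   # -eq ignores case for strings
        if ($name.StartsWith('*.')) {
            # A wildcard stands for exactly one label on the left.
            $suffix = $name.Substring(1)            # e.g. ".contoso.com"
            if ($HostName.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) {
                $left = $HostName.Substring(0, $HostName.Length - $suffix.Length)
                if ($left -and -not $left.Contains('.')) { return $true }
            }
        }
    }
    return $false
}

function Get-UrlCertMismatch {
    param([string[]]$Urls, [string[]]$CertNames)
    foreach ($u in $Urls) {
        $h = ([Uri]$u).Host
        if (-not (Test-HostCoveredByCert $h $CertNames)) {
            New-Object PSObject -Property @{ Url = $u; Host = $h }
        }
    }
}

# Constructed sample input. On a live Client Access server the values come from:
#   (Get-ClientAccessServer).AutoDiscoverServiceInternalUri
#   (Get-WebServicesVirtualDirectory).InternalUrl
#   (Get-OabVirtualDirectory).InternalUrl
#   (Get-ExchangeCertificate | Where-Object { $_.Services -match 'IIS' }).CertificateDomains
$urls = @(
    'https://mail.contoso.com/autodiscover/autodiscover.xml',
    'https://mail.contoso.com/ews/exchange.asmx',
    'https://exch01.corp.local/oab'   # constructed: one URL left on an internal name
)
$certNames = @('mail.contoso.com', 'autodiscover.contoso.com')   # constructed

# Emits one object per URL whose host the certificate does not cover.
Get-UrlCertMismatch -Urls $urls -CertNames $certNames

# Read-only lookup of the SPN the accepted answer registers (run on a domain member):
#   setspn -Q http/<Exchange server FQDN>
```
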
 

Author Comment

by:unisolutions
ID: 33518665
Thanks very much Mohammed... very detailed and I will try this tonight and let you know how I went.

Regards,

John
0
 
LVL 3

Expert Comment

by:jabri007
ID: 33519090
Please check the Virtual Directory Authentication Settings; see below:

http://msexchangeteam.com/archive/2008/02/01/447989.aspx

Also make sure the name the certificate is issued to and the host name for Autodiscover are the same.
0

 
LVL 3

Expert Comment

by:Girish_2500
ID: 33520088
hi,

Make sure that the URL mentioned in the SCP resolves to the IP address of the CAS servers internally via local DNS.
Ping SCP url internally and make sure it is reachable.
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33521755
Mohammed @ you got skills man :)
That's a really *complete* post (including setSPN..)
0
 

Author Comment

by:unisolutions
ID: 33528479
Mohammed you are the man!  It all works beautifully now internally and externally.  It was the SetSPN -a http/(Exchange server FQDN) (Exchange server name) part that did the magic.
0
 

Author Closing Comment

by:unisolutions
ID: 33528608
Mohammed is a gun
0
