Solved

Getting login prompt for Autodiscover on Exchange 2010

Posted on 2010-08-24
Last Modified: 2012-05-10
Just migrated a client to a new domain running a single Exchange 2010 server on the internal LAN. Imported the old commercial SSL certificate used for the public FQDN of the Exchange server and assigned it to the IIS role via the Exchange Management Console. Changed all the internal (and external) URLs for OAB etc. to use the public FQDN via the Exchange Management Console. Changed the internal and external URL for the Autodiscover site to use the public FQDN via the Exchange Management Shell. Set the AutoDiscover SCP record to point to the public FQDN.

What happens is that when setting up Outlook internally using AutoDiscover, the user continually gets prompted to log in. The log-in name defaults to their public email address. Tried all known permutations for entering domain user credentials (i.e. domain\user, user@domain.local) but keep getting prompted. Permissions all look correct at the file level and in IIS. Changing it all back to the local / internal URLs and using the Exchange self-signed cert restores it back to normal, but then I get the security warning on the certificate as it doesn't match the destination name.

Am I doing something wrong here or missing some step?  Is it possible to use a SSL certificate with the external FQDN for the Exchange AutoDiscover service?
Question by:unisolutions
7 Comments
 
LVL 9

Accepted Solution

by:
v_9mhdrf earned 500 total points
ID: 33518626
Autodiscover = Basic + Windows Integrated + SSL Forced == Disable - Kernel Mode Authentication.
OAB= Windows Integrated = Disable - Kernel Mode Authentication.
EWS= Windows Integrated = Disable - Kernel Mode Authentication + SSL forced.

Follow the kb-940726, and run the following command on the server.

Set-ClientAccessServer -Identity CAS_Server_Name -AutodiscoverServiceInternalUri https://mail.contoso.com/autodiscover/autodiscover.xml 

Set-WebServicesVirtualDirectory -Identity "CAS_Server_Name\EWS (Default Web Site)" -InternalUrl https://mail.contoso.com/ews/exchange.asmx

Set-OABVirtualDirectory -Identity "CAS_Server_name\oab (Default Web Site)" -InternalUrl https://mail.contoso.com/oab

Please run the following command in the management shell:-

Test-OutlookWebServices | fl

See the result. If you get 401 Unauthorized, please follow the link below and restart the server.

DisableLoopbackCheck registry key as per the article <http://support.microsoft.com/kb/896861>.

Please follow the following article
http://support.microsoft.com/kb/927612

Please set the SPN to communicate with the GC as per the KB.
ExchangeAB should have the GC server name and Fqdn.

Then perform "SetSPN -a http/(Exchange server FQDN) (Exchange server name)"

Check the HTTP keep alive in IIS 7 in the following place:-
HTTP response headers on Default WebSite == set common headers.

If the issue still persists, please follow these steps:

Delete and recreate the Autodiscover/ EWS Virtual Directories.
Remove-AutodiscoverVirtualDirectory -identity "CAS server name\Autodiscover (Default Web Site)"
Remove-WebservicesVirtualDirectory -identity "CAS server name\EWS (Default Web Site)"

new-AutodiscoverVirtualDirectory
new-WebservicesVirtualDirectory
And follow the kb-940726 again to set the InternalUri.
Perform IISreset.

Also, please check whether you have .NET Framework 3.5; if yes, please download and install the following hotfix:
KB-958934

And run Test E-mail AutoConfiguration from the Outlook 2007 client, and please select only Autodiscover. Remove Guessmart and Secure Guessmart.

Please follow all these steps and revert back if the issue still persists!

Thanks,
Mohammed
0
 

Author Comment

by:unisolutions
ID: 33518665
Thanks very much Mohammed... very detailed and I will try this tonight and let you know how I went.

Regards,

John
0
 
LVL 3

Expert Comment

by:jabri007
ID: 33519090
Please check the Virtual Directory Authentication Settings; see below:

http://msexchangeteam.com/archive/2008/02/01/447989.aspx

Also make sure the certificate "issued to" name and the host name for Autodiscover are the same.
0

 
LVL 3

Expert Comment

by:Girish_2500
ID: 33520088
hi,

Make sure that the URL mentioned in the SCP resolves to the IP address of the CAS servers internally via local DNS.
Ping the SCP URL internally and make sure it is reachable.
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33521755
Mohammed @ you got skills man :)
That's a really *complete* post (including setSPN..)
0
 

Author Comment

by:unisolutions
ID: 33528479
Mohammed you are the man!  It all works beautifully now internally and externally.  It was the SetSPN -a http/(Exchange server FQDN) (Exchange server name) part that did the magic.
0
 

Author Closing Comment

by:unisolutions
ID: 33528608
Mohammed is a gun
0
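
A read-only check of the three naming dependencies raised in this thread (internal DNS for the SCP host, the certificate name match, and the http/ SPN from the accepted answer), added here as an example and not code from any poster. Test-AutodiscoverNaming is a hypothetical helper name; the sketch assumes the Exchange Management Shell on the CAS server and that the SPN lives on the server's computer account, as in the SetSPN -a command above.

```powershell
# Added example: run in the Exchange Management Shell on the CAS server.
# Test-AutodiscoverNaming is a hypothetical helper name, not an Exchange cmdlet.
function Test-AutodiscoverNaming {
    param([string]$Server = $env:COMPUTERNAME)

    # Host name that domain-joined Outlook clients read from the SCP.
    $uri = (Get-ClientAccessServer -Identity $Server).AutoDiscoverServiceInternalUri
    if (-not $uri) { throw "No AutoDiscoverServiceInternalUri is set on $Server" }
    $hostName = $uri.Host

    # 1. Internal DNS must resolve that name.
    $addresses = @()
    try {
        $addresses = @([System.Net.Dns]::GetHostAddresses($hostName) |
            ForEach-Object { $_.IPAddressToString })
    } catch {
        Write-Warning "DNS lookup failed for $hostName"
    }

    # 2. An unexpired certificate enabled for IIS must list the name.
    #    -like gives an exact match for plain names; the label-count test keeps
    #    a wildcard such as *.contoso.com from matching more than one label.
    $certOk = $false
    Get-ExchangeCertificate -Server $Server |
        Where-Object { "$($_.Services)" -match 'IIS' -and $_.NotAfter -gt (Get-Date) } |
        ForEach-Object {
            foreach ($d in $_.CertificateDomains) {
                $name = "$d"
                if ($hostName -like $name -and
                    $hostName.Split('.').Count -eq $name.Split('.').Count) {
                    $certOk = $true
                }
            }
        }

    # 3. The http/ SPN for that host must be on the server's computer account.
    $spn = "http/$hostName"
    $spnOk = [bool](setspn -L $Server | Where-Object { $_.Trim() -eq $spn })

    New-Object PSObject -Property @{
        AutodiscoverHost       = $hostName
        ResolvesTo             = ($addresses -join ', ')
        CertificateCoversHost  = $certOk
        HttpSpnOnServerAccount = $spnOk
    }
}

Test-AutodiscoverNaming | Format-List
```

The function only reads configuration; a False in either of the last two fields points at the certificate or SetSPN steps discussed in the thread.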
