[Last Call] Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 2367
  • Last Modified:

Getting login prompt for Autodiscover on Exchange 2010

Just migrated a client to a new domain running a single Exchange 2010 server on the internal LAN.  Imported the old commercial SSL certificate used for the public FQDN of the Exchange server and assigned it to the IIS role via the Exchange Management Console.  Changed all the internal (and external) URLs for OAB etc... to use the public FQDN via the Exchange Management Console.  Changed the internal and external URL for the Auto discovery site to use the public FQDN via the Exchange Managenet Shell.  Set AutoDiscover SCP record to point to the public FQDN.

What happens is when setting up Outlook internally using AutoDiscover, the user continually gets prompted to log in.  The log-in name defaults to their public email address.  Tried all known permutations for enterting domain user credentials (i.e. domain\user, user@domain.local) but keep getting prompted.  Permissions all look correct at the file level and IIS.  Changing it all back to the local / internal URLs and using the Exchange self-signed cert restores it back to normal but then I get the security warning on the certificate as it doesn't match the detiniation name.

Am I doing something wrong here or missing some step?  Is it possible to use a SSL certificate with the external FQDN for the Exchange AutoDiscover service?
0
unisolutions
Asked:
unisolutions
1 Solution
 
v_9mhdrfCommented:
Autodiscover = Basic + Windows Integrated + SSL Forced == Disable - Kernel Mode Authentication.
OAB= Windows Integrated = Disable - Kernel Mode Authentication.
EWS= Windows Integrated = Disable - Kernel Mode Authentication + SSL forced.

Follow the kb-940726, and run the following command on the server.

Set-ClientAccessServer -Identity CAS_Server_Name -AutodiscoverServiceInternalUri https://mail.contoso.com/autodiscover/autodiscover.xml 

Set-WebServicesVirtualDirectory -Identity "CAS_Server_Name\EWS (Default Web Site)" -InternalUrl https://mail.contoso.com/ews/exchange.asmx

Set-OABVirtualDirectory -Identity "CAS_Server_name\oab (Default Web Site)" -InternalUrl https://mail.contoso.com/oab

Please run the following command in the management shell:-

test-outlookWebserivces | fl and see the result. If you get 401 Unauthorized please follow the below link and restart the server.

DisableLoopbackcheck registry.
key as per the article <http://support.microsoft.com/kb/896861>.

Please follow the following article
http://support.microsoft.com/kb/927612

Please set the spn to communicate with GC as per the KB..
ExchangeAB should have the GC server name and Fqdn.

Then perform "SetSPN -a http/(Exchange server FQDN) (Exchange server name)"

Check the HTTP keep alive in IIS 7 in the following place:-
HTTP response headers on Default WebSite == set common headers.

If still the issue persists, please follow this steps:-

Delete and recreate the Autodiscover/ EWS Virtual Directories.
Remove-AutodiscoverVirtualDirectory -identity "CAS server name\Autodiscover (Default Web Site)"
Remove-WebservicesVirtualDirectory -identity "CAS server name\EWS (Default Web Site)"

new-AutodiscoverVirtualDirectory
new-WebservicesVirtualDirectory
And follow the kb-940726 again to set the InternalUri.
Perform IISreset.

And also please check whether you have 3.5 .netFramework, if yes please download and install the following hotfix.
KB- 958934

And Run Test EmailAutoconfiguration  from outlook 2007 client, and please select only Autodiscover. Remove Guessmart and Secure Guess mart.

Please all this steps and revert back if the issue still persists!!!

Thanks,
Mohammed
0
 
unisolutionsAuthor Commented:
Thanks very much Mohammed... very detailed and I will try this tonight and let you know how I went.

Regards,

John
0
 
jabri007Commented:
Please check the Virtual Directory Authentication Settings ..see below

http://msexchangeteam.com/archive/2008/02/01/447989.aspx

Also make sure the certicate issued to and host name for autodiscover is same
0
NEW Veeam Backup for Microsoft Office 365 1.5

With Office 365, it’s your data and your responsibility to protect it. NEW Veeam Backup for Microsoft Office 365 eliminates the risk of losing access to your Office 365 data.

 
Girish_2500Commented:
hi,

Make sure that the URL mention in SCP resolves to ipaddress of the CAS servers internally via local DNS.
Ping SCP url internally and make sure it is reachable.
0
 
sunnyc7Commented:
Mohammed @ you got skills man :)
That's a really *complete* post (including setSPN..)
0
 
unisolutionsAuthor Commented:
Mohammed you are the man!  It all works beautifully now internally and externally.  It was the SetSPN -a http/(Exchange server FQDN) (Exchange server name) part that did the magic.
0
 
unisolutionsAuthor Commented:
Mohammed is a gun
0

Featured Post

Making Bulk Changes to Active Directory

Watch this video to see how easy it is to make mass changes to Active Directory from an external text file without using complicated scripts.

Tackle projects and never again get stuck behind a technical roadblock.
Join Now