Solved

Getting login prompt for Autodiscover on Exchange 2010

Posted on 2010-08-24
Last Modified: 2012-05-10
Just migrated a client to a new domain running a single Exchange 2010 server on the internal LAN.  Imported the old commercial SSL certificate used for the public FQDN of the Exchange server and assigned it to the IIS role via the Exchange Management Console.  Changed all the internal (and external) URLs for OAB etc... to use the public FQDN via the Exchange Management Console.  Changed the internal and external URL for the Auto discovery site to use the public FQDN via the Exchange Management Shell.  Set AutoDiscover SCP record to point to the public FQDN.

What happens is when setting up Outlook internally using AutoDiscover, the user continually gets prompted to log in.  The log-in name defaults to their public email address.  Tried all known permutations for entering domain user credentials (i.e. domain\user, user@domain.local) but keep getting prompted.  Permissions all look correct at the file level and IIS.  Changing it all back to the local / internal URLs and using the Exchange self-signed cert restores it back to normal but then I get the security warning on the certificate as it doesn't match the destination name.

Am I doing something wrong here or missing some step?  Is it possible to use a SSL certificate with the external FQDN for the Exchange AutoDiscover service?
Question by:unisolutions
7 Comments
 
LVL 9

Accepted Solution

by:
v_9mhdrf earned 500 total points
ID: 33518626
Autodiscover = Basic + Windows Integrated + SSL Forced == Disable - Kernel Mode Authentication.
OAB= Windows Integrated = Disable - Kernel Mode Authentication.
EWS= Windows Integrated = Disable - Kernel Mode Authentication + SSL forced.

Follow the kb-940726, and run the following command on the server.

Set-ClientAccessServer -Identity CAS_Server_Name -AutodiscoverServiceInternalUri https://mail.contoso.com/autodiscover/autodiscover.xml

Set-WebServicesVirtualDirectory -Identity "CAS_Server_Name\EWS (Default Web Site)" -InternalUrl https://mail.contoso.com/ews/exchange.asmx

Set-OABVirtualDirectory -Identity "CAS_Server_name\oab (Default Web Site)" -InternalUrl https://mail.contoso.com/oab

Please run the following command in the management shell:-

Test-OutlookWebServices | fl and see the result. If you get 401 Unauthorized, please follow the link below and restart the server.

DisableLoopbackCheck registry key as per the article <http://support.microsoft.com/kb/896861>.

Please follow the following article
http://support.microsoft.com/kb/927612

Please set the SPN to communicate with the GC as per the KB.
ExchangeAB should have the GC server name and FQDN.

Then perform "SetSPN -a http/(Exchange server FQDN) (Exchange server name)"

Check the HTTP keep alive in IIS 7 in the following place:-
HTTP response headers on Default WebSite == set common headers.

If the issue still persists, please follow these steps:-

Delete and recreate the Autodiscover/ EWS Virtual Directories.
Remove-AutodiscoverVirtualDirectory -identity "CAS server name\Autodiscover (Default Web Site)"
Remove-WebservicesVirtualDirectory -identity "CAS server name\EWS (Default Web Site)"

new-AutodiscoverVirtualDirectory
new-WebservicesVirtualDirectory
And follow the kb-940726 again to set the InternalUri.
Perform IISreset.

And also please check whether you have .NET Framework 3.5; if yes, please download and install the following hotfix.
KB-958934

And run Test E-mail AutoConfiguration from the Outlook 2007 client, and please select only Autodiscover. Remove Guessmart and Secure Guessmart.

Please try all these steps and revert back if the issue still persists!

Thanks,
Mohammed
0
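
A read-only way to check the settings the accepted answer changes, as an added example that is not part of the original post: it compares the host names in the internal Autodiscover, EWS and OAB URLs with the names on the IIS certificate, lists the http/ SPNs on the server account, and reports the loopback-check values from KB 896861. `CAS_Server_Name` is the answer's placeholder, `Test-NameOnCert` is a hypothetical helper, and the registry paths are the standard Lsa locations rather than values quoted on the page.

```powershell
# Added example: read-only checks; run in the Exchange Management Shell on the CAS itself.
$Cas = 'CAS_Server_Name'   # placeholder from the answer; substitute the real server name

# 1. Host names used by the internal Autodiscover, EWS and OAB URLs.
$urls = @(
    (Get-ClientAccessServer -Identity $Cas).AutoDiscoverServiceInternalUri
    (Get-WebServicesVirtualDirectory -Server $Cas).InternalUrl
    (Get-OabVirtualDirectory -Server $Cas).InternalUrl
) | Where-Object { $_ }
$hosts = $urls | ForEach-Object { ([uri]"$_").Host } | Sort-Object -Unique

# 2. Names on the certificate(s) enabled for IIS.
$certNames = Get-ExchangeCertificate -Server $Cas |
    Where-Object { "$($_.Services)" -match 'IIS' } |
    ForEach-Object { $_.CertificateDomains } |
    ForEach-Object { "$_" }

function Test-NameOnCert([string]$Name, [string[]]$CertNames) {
    foreach ($c in $CertNames) {
        if (-not $c) { continue }
        if ($c -eq $Name) { return $true }            # -eq is case-insensitive
        # A wildcard covers exactly one extra left-most label.
        if ($c.StartsWith('*.') -and
            $Name.ToLower().EndsWith($c.Substring(1).ToLower()) -and
            $Name.Split('.').Length -eq $c.Split('.').Length) { return $true }
    }
    return $false
}

# A host missing from the certificate produces the name-mismatch warning
# described in the question.
foreach ($h in $hosts) {
    "{0,-35} on IIS certificate: {1}" -f $h, (Test-NameOnCert $h $certNames)
}

# 3. SPNs on the CAS computer account (the answer registers http/<Exchange FQDN>).
setspn -L $Cas | Where-Object { $_ -match '^\s*http/' }

# 4. Loopback-check state. DisableLoopbackCheck = 1 turns the check off for
#    every host name; BackConnectionHostNames is the per-name alternative that
#    KB 896861 also describes.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$dlc = (Get-ItemProperty $lsa -ErrorAction SilentlyContinue).DisableLoopbackCheck
$bch = (Get-ItemProperty "$lsa\MSV1_0" -ErrorAction SilentlyContinue).BackConnectionHostNames
"DisableLoopbackCheck    : $dlc"
"BackConnectionHostNames : $($bch -join ', ')"
```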
 

Author Comment

by:unisolutions
ID: 33518665
Thanks very much Mohammed... very detailed and I will try this tonight and let you know how I went.

Regards,

John
0
 
LVL 3

Expert Comment

by:jabri007
ID: 33519090
Please check the Virtual Directory Authentication Settings ..see below

http://msexchangeteam.com/archive/2008/02/01/447989.aspx

Also make sure the certificate's "issued to" name and the host name for Autodiscover are the same.
0
 
LVL 3

Expert Comment

by:Girish_2500
ID: 33520088
Hi,

Make sure that the URL mentioned in the SCP resolves to the IP address of the CAS servers internally via local DNS.
Ping the SCP URL internally and make sure it is reachable.
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33521755
Mohammed @ you got skills man :)
That's a really *complete* post (including setSPN..)
0
 

Author Comment

by:unisolutions
ID: 33528479
Mohammed you are the man!  It all works beautifully now internally and externally.  It was the SetSPN -a http/(Exchange server FQDN) (Exchange server name) part that did the magic.
0
 

Author Closing Comment

by:unisolutions
ID: 33528608
Mohammed is a gun
0
