Solved

Autodiscover keeps bombing out. Works temporarily.

Posted on 2010-09-06
Last Modified: 2012-05-10
Hi, I have a Windows Server SBS 2008 server with Exchange 2007.

All services are working other than Outlook Anywhere to a degree. Keep getting prompted for a second password in Outlook 2007 from autodiscover.domain.com remotely and internally although mailbox connects and if you hit cancel it stays connected.

If I run the connectivity test online the error I get is 'A Web Exception occurred because an HTTP 401 - Unauthorized response was received from Unknown'. Server is running GoDaddy cert with autodiscover.domain.com also. If I browse to /autodiscover/autodiscover.xml either externally or internally I get prompted for password but it never shows XML file UNLESS....

...I run iisreset then it works periodically. The connectivity site even says successful but then I open Outlook remotely, connect, get second password prompt, can't authenticate and then connectivity test fails if I try again.

It's almost like it works until something kicks back in.
Question by:Lee Pepper
32 Comments
 
LVL 11

Expert Comment

by:Coast-IT
ID: 33610966
Recently I have had to re-set up autodiscover across several domains. This was probably down to early misconfigurations.

I always now follow this guide:

http://exchange-genie.blogspot.com/2007/07/autodiscover-ad-attribute.html

I would just run over each section and check your autodiscover information.
0
 
LVL 3

Expert Comment

by:thetime
ID: 33611018
Can also try adding "msstd:[mail.domain.com]" to the Microsoft Exchange proxy settings on a client computer. Replace the [mail.domain.com] with your external mail URL.

It needs to be inserted at "Only connect to proxy servers which have this principal name in their certificate:"
0
 

Author Comment

by:Lee Pepper
ID: 33611052
I have that ticked and setup - on that line I have - msstd:mail.domain.com.

Authentication is basic as it is for the autodiscover service. It's odd that OA connects and downloads e-mails but the 2nd prompt keeps coming back 'Connecting to autodiscover.domain.com' and it's also weird that it will work for a while especially the connectivity test at the MS website but then stops working after about 5 minutes with the error -

'A Web Exception occurred because an HTTP 401 - Unauthorized response was received from Unknown'.

If I browse *.443 in IIS Autodiscover it prompts for a password but never gets to the XML file

although it works temporarily after an IISRESET and I see the XML file.
0

 
LVL 3

Expert Comment

by:thetime
ID: 33611117
Have you tried setting the authentication to NTLM?

And just confirm that the PC you are testing on is part of the domain for me please.
0
 
LVL 11

Expert Comment

by:Coast-IT
ID: 33611122
Do all of your checks come back ok?


PowerShell > Test-OutlookWebServices ?

The problem does sound IIS related.  How about Windows firewall (clutching at straws), have you tried switching this off on Exchange box?

Also, what do your event logs say?  Any IIS errors?
0
 

Author Comment

by:Lee Pepper
ID: 33611131
I haven't tried NTLM, I have a few other customers with this working but this is the first SBS 2008. I have it working on normal SBS 2008 at two sites and a server 2003.

I get the same results on mixture of machines - one domain joined and another not but that shouldn't matter. I get prompted and authenticate with the domain\username and like I say, it connects and Outlook stays connected remotely but the 2nd prompt appears and never goes away. I don't think Out of office works remotely for example because that tries to connect to autodiscover to get the settings.
0
 

Author Comment

by:Lee Pepper
ID: 33611158
This is from test-outlookwebservices


Id      : 1003
Type    : Information
Message : About to test AutoDiscover with the e-mail address Administrator@xxx.com.

Id      : 1007
Type    : Information
Message : Testing server xxxDC1.xxx.local with the published name https://mail.xxxl.com/ews/exchange.asmx & .

Id      : 1019
Type    : Information
Message : Found a valid AutoDiscover service connection point. The AutoDiscover URL on this object is https://
          mail.xxx.com/autodiscover/autodiscover.xml.

Id      : 1013
Type    : Error
Message : When contacting https://mail.xxx.com/autodiscover/autodiscover.xml received the error The remote
          server returned an error: (401) Unauthorized.

Id      : 1006
Type    : Error
Message : The Autodiscover service could not be contacted.
0
 
LVL 3

Expert Comment

by:thetime
ID: 33611202
Just for testing, try setting it to NTLM, you can always set it back to Basic.
0
 
LVL 11

Expert Comment

by:Coast-IT
ID: 33611445
Do you get an unauthorised error from the clients too?

How about if you type localhost on the CAS server instead of the FQDN:

http://www.exchange-genie.com/2007/07/401-error-when-attempting-test-outlookwebservices/
0
 
LVL 26

Expert Comment

by:e_aravind
ID: 33611584
How about the cert. issued-to value?
Is that like: *.domain.com?
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33611626
get-autodiscovervirtualdirectory | fl
get-clientaccessserver | fl

Please post back the output of both.

thanks
0
 

Author Comment

by:Lee Pepper
ID: 33611659

Name                           : XXXXXDC1
OutlookAnywhereEnabled         : True
AutoDiscoverServiceCN          : XXXXXDC1
AutoDiscoverServiceClassName   : ms-Exchange-AutoDiscover-Service
AutoDiscoverServiceInternalUri : https://mail.xxx.com/autodiscover/autodiscover.xml
AutoDiscoverServiceGuid        : 77378f46-2c66-4aa9-a6a6-3e7a48b19596
AutoDiscoverSiteScope          : {Default-First-Site-Name}
IsValid                        : True
OriginatingServer              : XXXXXXDC1.xxxx.local
ExchangeVersion                : 0.1 (8.0.535.0)
DistinguishedName              : CN=XXXXDC1,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN
                                 =Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Service
                                 s,CN=Configuration,DC=xxxx,DC=local
Identity                       : XXXXDC1
Guid                           : c751cfd4-1112-49b6-b0dd-ccd4eafe1d52
ObjectCategory                 : xxxx.local/Configuration/Schema/ms-Exch-Exchange-Server
ObjectClass                    : {top, server, msExchExchangeServer}
WhenChanged                    : 04/09/2010 10:07:32
WhenCreated                    : 25/08/2010 11:46:48

Name                          : Autodiscover (SBS Web Applications)
InternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated}
ExternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated}
BasicAuthentication           : True
DigestAuthentication          : False
WindowsAuthentication         : True
MetabasePath                  : IIS://XXXXDC1.xxxxx.local/W3SVC/3/ROOT/Autodiscover
Path                          : C:\Program Files\Microsoft\Exchange Server\ClientAccess\Autodiscover
Server                        : ASTELLDC1
InternalUrl                   : https://sites/Autodiscover/Autodiscover.xml
ExternalUrl                   : https://mail.xxxx.com/autodiscover/autodiscover.xml
AdminDisplayName              :
ExchangeVersion               : 0.1 (8.0.535.0)
DistinguishedName             : CN=Autodiscover (SBS Web Applications),CN=HTTP,CN=Protocols,CN=XXXXDC1,CN=Se
                                rvers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Gro
                                ups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,D
                                C=astell,DC=local
Identity                      : XXXXDC1\Autodiscover (SBS Web Applications)
Guid                          : 2530fefd-31c0-4fc8-b49b-72bdc2b093c8
ObjectCategory                : xxxxx.local/Configuration/Schema/ms-Exch-Auto-Discover-Virtual-Directory
ObjectClass                   : {top, msExchVirtualDirectory, msExchAutoDiscoverVirtualDirectory}
WhenChanged                   : 06/09/2010 11:43:40
WhenCreated                   : 25/08/2010 11:50:52
OriginatingServer             : XXXXDC1.astell.local
IsValid                       : True

The cert common name is mail.xxx.com and there is a SAN of autodiscover.xxx.com. In other words a UCC cert.
0
 

Author Comment

by:Lee Pepper
ID: 33611748
COAST-IT = I get same login prompt on server if I use FQDN or localhost. And same login prompt if done remotely.

I eventually get attached image on IIS. But, like I said earlier, it will work and show me the XML code for about 5 mins after I do an IISRESET.


auth401.JPG
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33611763
AutoDiscoverServiceInternalUri : https://mail.xxx.com/autodiscover/autodiscover.xml

In this - is mail.domain.com = your external domain ?
Let me know your local FQDN and replace it here

Get-ClientAccessServer | Set-ClientAccessServer -AutoDiscoverServiceInternalUri:"https://mailservername.domain.local/Autodiscover/Autodiscover.xml"
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33611782
and this where
ASTELLDC1.astell.local

is your local mail server fqdn

Get-AutodiscoverVirtualDirectory | set-AutodiscoverVirtualDirectory -InternalUrl:"https://ASTELLDC1.astell.local/Autodiscover/Autodiscover.xml"

it should not be https://SITES/

Server                        : ASTELLDC1
InternalUrl                   : https://sites/Autodiscover/Autodiscover.xml
ExternalUrl                   : https://mail.xxxx.com/autodiscover/autodiscover.xml

===
Are you running your exchange server on a DC ??
0
 

Author Comment

by:Lee Pepper
ID: 33611795
sunnyc7, will this make any difference to clients connecting remotely?

Also I have an internal DNS record set for mail.xxx.com that points to the internal IP address of the server. Not sure how this will make any difference.
0
 

Author Comment

by:Lee Pepper
ID: 33611804
Yes it is on a DC. Guess xxxing out all those names was a waste of time :-)
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33611815
no
these are for internalURL's
we are not changing anything for externalURL

if you have internal DNS for mail.XXX.com pointing to local IP - instead of using local FQDN you can use - mail.domain.com too

--
Really bad idea = installing exchange on a DC.
But since it's all set and done - let's run with it till you get your next "issue" and you can revisit Experts-Exchange again :)

0
 
LVL 3

Expert Comment

by:thetime
ID: 33611841
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33611845
Test it using Outlook.

Go to workstation
start > run > outlook /rpcdiag

see if connection is stable in connections monitor

if UCC/SAN cert is in the name of mail.domain.net then use that - instead of mail.domain.local > if that name is not present in UCC/SAN Cert

We are changing only internal URL's
the mail.domain.com - has to be present in UCC/SAN cert name or it will bomb too.

Get-AutodiscoverVirtualDirectory | set-AutodiscoverVirtualDirectory -InternalUrl:"https://mail.domain.com/Autodiscover/Autodiscover.xml"
Get-ClientAccessServer | Set-ClientAccessServer -AutoDiscoverServiceInternalUri:"https://mail.domain.com/Autodiscover/Autodiscover.xml"

0
 

Author Comment

by:Lee Pepper
ID: 33611942
Yes, connection stays established. But whilst I watch that monitor the pop up appears for autodiscover.astell.com.

IE, connect to autodiscover.astell.com.

That SAN is in my UCC cert.
0
 

Author Comment

by:Lee Pepper
ID: 33611954
thetime- that reg entry did not work although not rebooted server yet. That will have to be done tonight.

0
 

Author Comment

by:Lee Pepper
ID: 33611964
Activesync also works but only if you put in servername (and not use autodiscover to configure phone).
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33612116
Let's see if your autodiscover bombs out after configuring the settings. If it doesn't you are good to go.

Registry changes require a reboot to take effect.
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33612169
About autodiscover popups
Change msstd value from autodiscover.domain.com to
Mail.domain.com
Same as your internal url above
0
 

Author Comment

by:Lee Pepper
ID: 33612182
Yeah it is that already.

It is an authentication thing here because like I said earlier, I can go to IIS on the server, logged on with an admin account and go to autodiscover site under SBS Web Applications, click browse *.443 and it prompts for password when it should just show the XML file straight away like it does on other servers, or like it does shortly after an IISRESET.
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33612200
What happens when you open this from browser
https://mail.domain.com/autodiscover/autodiscover.xml ?
You should get a username / pass followed by xml

I think you are getting that because you have allowed integrated windows auth in autodiscover

Thanks
0
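
To see which authentication schemes the Autodiscover virtual directory actually challenges with, and whether the certificate covers the requested name (the two things this thread keeps returning to), a probe like the following can be run from a client. This is an added example, not code from any poster in the thread; it assumes Windows PowerShell on .NET Framework with English-language certificate formatting, and the URL and output property names are placeholders.

```powershell
# Added example: URL and output property names are placeholders, not from the thread.
function Test-AutodiscoverChallenge {
    param([string]$Url = 'https://mail.domain.com/autodiscover/autodiscover.xml')

    $uri = [Uri]$Url
    $req = [System.Net.HttpWebRequest][System.Net.WebRequest]::Create($uri)
    $req.Method = 'GET'
    $req.AllowAutoRedirect = $false
    $req.UseDefaultCredentials = $false   # no credentials: capture the server's raw challenge
    $req.Timeout = 15000

    $resp = $null
    try {
        $resp = $req.GetResponse()
    } catch {
        # PowerShell may wrap the WebException; walk down to it to reach the 401 response.
        $ex = $_.Exception
        while ($ex -and -not ($ex -is [System.Net.WebException])) { $ex = $ex.InnerException }
        if (-not $ex -or -not $ex.Response) { throw }
        $resp = $ex.Response
    }

    try {
        # Each WWW-Authenticate value is one scheme IIS offers (Basic, NTLM, Negotiate).
        $schemes = $resp.Headers.GetValues('WWW-Authenticate')
        if (-not $schemes) { $schemes = @() }

        # Certificate the server presented during the TLS handshake for this request.
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $req.ServicePoint.Certificate
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $names = @()
        if ($san) {
            # English-language Windows formats SAN entries as "DNS Name=host".
            $names = [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
                ForEach-Object { $_.Groups[1].Value }
        }

        New-Object PSObject -Property @{
            Url         = $Url
            StatusCode  = [int]$resp.StatusCode
            AuthSchemes = $schemes
            CertSubject = $cert.Subject
            SanDnsNames = $names
            HostInSan   = ($names -contains $uri.Host)   # exact match only, no wildcard handling
        }
    } finally {
        $resp.Close()
    }
}

Test-AutodiscoverChallenge
```

A 401 on this unauthenticated request is expected; the useful part is comparing AuthSchemes with the BasicAuthentication and WindowsAuthentication values reported by Get-AutodiscoverVirtualDirectory, both shortly after an iisreset and once the prompts return.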
 
LVL 3

Expert Comment

by:thetime
ID: 33624711
https://www.testexchangeconnectivity.com/

Just for sanity please run this test using your server details and paste here what it returns for you. It will help pin the problem.

Let us know about the registry key if it worked or not.

Regards,

TT
0
 

Author Comment

by:Lee Pepper
ID: 33624775
Think the reboot fixed it. I had another pop up this morning but re-added Windows Authentication to Autodiscover website in IIS, retested at the exchange connectivity site which I have been using from the beginning and again both tests passed. Opened Outlook, no second pop up and out of office works, which only works if autodiscover works!

Superb!!


0
 
LVL 3

Expert Comment

by:thetime
ID: 33624873
Glad to hear, Monitor it for a while and remember to mark the thread as solved when you are satisfied that it's working.

=)
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33626872
hi peppele
Glad to hear that autodiscover works. Let me know if there is any other pending issues in this thread.

thanks
0
 

Accepted Solution

by:
Lee Pepper earned 0 total points
ID: 33662073
The problem reoccurred so I eventually found this online which mirrored my exact problem.

Funny I couldn't find anyone with the same problem on any other message board - http://www.office-outlook.com/outlook-forum/index.php/m/617984/

So I ran the roll up, 4 I think, and that resolved the problem.

:-)
0


Question has a verified solution.
