Link to home
Start Free TrialLog in
Avatar of Lee Pepper
Lee PepperFlag for United Kingdom of Great Britain and Northern Ireland

asked on

Autodiscover keeps bombing out. works temporarily.

Hi, I have a Windows Server SBS 2008 server with Exchange 2007.

All services are working other than Outlook Anwhere to a degree. Keep getting prompted for a second password in Outlook 2007 from remotely and internally although mailbox connects and if you hit cancel it stays connected.

If I run the connectivity test online the error i get is 'A Web Exception occurred because an HTTP 401 - Unauthorized response was received from Unknown'. Server is running GoDaddy cert with also. If I browse to /autodiscover/autodiscover.xml either externally or internally I get prompted for password but it never shows XML file UNLESS....

...I run iisreset then it works periodically. The connectivity site even says successful but then I open Outlook remotely, connect, get second password prompt, cant authenticate and then connectivity test fails if I try again.

It's almost like it works until somethign kicks back in.
Avatar of Coast-IT
Flag of United Kingdom of Great Britain and Northern Ireland image

recently I have had to re-set up autodiscover across several domains.  this was probably down to early misonfigurations.

I always now follow this guide ;

I would just run over each section and check your autodiscover information.
Avatar of thetime

can also try adding "msstd:[]" to the Microsoft exchange proxy settings on a client computer. Replace the [] with your external mail URL

It needs to be inserted @ "Only connect to proxy servers which have this principle name in their certificate:"
Avatar of Lee Pepper


I have that ticked and setup - on that line I have -

Authentication is basic as it is for the autodiscover service. It's odd that OA connects and downloads e-mails but the 2nd prompt keeps coming back 'Connecting to' and its also weird that it will work for a while especially the connectivity test at the MS website but then stops working after about 5 minutes with the error -

'A Web Exception occurred because an HTTP 401 - Unauthorized response was received from Unknown'.

If I browse *.443 in IIS Autodiscover it prompts for a password but never gets to the XML file

although it works temporarily after an IISRESET and I see the XML file.
Have you tried setting the authentication to NTLM?

And just confirm that the pc you are testing on is part of the domain for me please.
Do all of your checks come back ok?

Powershell > test outlookwebservices  ?

The problem does sound IIS related.  How about Windows firewall (clutching at straws), have you tried switching this off on Exchange box?

Also, what do your event logs say?  Any IIS errors?
I havent tried NTLM, I have a few other customers with this working but this is the first SBS 2008. I have it working on normal SBS 2008 at two sites and a server 2003.

I get the same results on mixture of machines - one domain joined and another not but that shouldnt matter. I get prompted and authenticate witht he domain\username and like I say, it connects and Outlook stays connected remotely but the 2nd prompt appears and never goes away. I dont think Out of office works remotely for example because that tries to connect to autodiscover to get the settings.
This is from test-outlookwebservices

Id      : 1003
Type    : Information
Message : About to test AutoDiscover with the e-mail address

Id      : 1007
Type    : Information
Message : Testing server with the published name & .

Id      : 1019
Type    : Information
Message : Found a valid AutoDiscover service connection point. The AutoDiscover URL on this object is https://

Id      : 1013
Type    : Error
Message : When contacting received the error The remote
          server returned an error: (401) Unauthorized.

Id      : 1006
Type    : Error
Message : The Autodiscover service could not be contacted.
Just for testing, try setting it to NTLM, you can always set it back to Basic.
Do you get an unauthorised  error from the clients too?

How about if you type localhost on the CAS server instead of the FQDN ;
How about the cert. issued-to value?
Is that like: *
get-autodiscovervirtualdirectory | fl
get-clientaccessserver | fl

Please post back the output of both.


Name                           : XXXXXDC1
OutlookAnywhereEnabled         : True
AutoDiscoverServiceCN          : XXXXXDC1
AutoDiscoverServiceClassName   : ms-Exchange-AutoDiscover-Service
AutoDiscoverServiceInternalUri :
AutoDiscoverServiceGuid        : 77378f46-2c66-4aa9-a6a6-3e7a48b19596
AutoDiscoverSiteScope          : {Default-First-Site-Name}
IsValid                        : True
OriginatingServer              : XXXXXXDC1.xxxx.local
ExchangeVersion                : 0.1 (8.0.535.0)
DistinguishedName              : CN=XXXXDC1,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN
                                 =Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Service
Identity                       : XXXXDC1
Guid                           : c751cfd4-1112-49b6-b0dd-ccd4eafe1d52
ObjectCategory                 : xxxx.local/Configuration/Schema/ms-Exch-Exchange-Server
ObjectClass                    : {top, server, msExchExchangeServer}
WhenChanged                    : 04/09/2010 10:07:32
WhenCreated                    : 25/08/2010 11:46:48

Name                          : Autodiscover (SBS Web Applications)
InternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated}
ExternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated}
BasicAuthentication           : True
DigestAuthentication          : False
WindowsAuthentication         : True
MetabasePath                  : IIS://XXXXDC1.xxxxx.local/W3SVC/3/ROOT/Autodiscover
Path                          : C:\Program Files\Microsoft\Exchange Server\ClientAccess\Autodiscover
Server                        : ASTELLDC1
InternalUrl                   : https://sites/Autodiscover/Autodiscover.xml
ExternalUrl                   :
AdminDisplayName              :
ExchangeVersion               : 0.1 (8.0.535.0)
DistinguishedName             : CN=Autodiscover (SBS Web Applications),CN=HTTP,CN=Protocols,CN=XXXXDC1,CN=Se
                                rvers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Gro
                                ups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,D
Identity                      : XXXXDC1\Autodiscover (SBS Web Applications)
Guid                          : 2530fefd-31c0-4fc8-b49b-72bdc2b093c8
ObjectCategory                : xxxxx.local/Configuration/Schema/ms-Exch-Auto-Discover-Virtual-Directory
ObjectClass                   : {top, msExchVirtualDirectory, msExchAutoDiscoverVirtualDirectory}
WhenChanged                   : 06/09/2010 11:43:40
WhenCreated                   : 25/08/2010 11:50:52
OriginatingServer             : XXXXDC1.astell.local
IsValid                       : True

The cert common name is and there is a SAN of In other words a UCC cert.
COAST-IT = I get same login prompt on server if I use FQDN or localhost. And same login prompt if done remotely.

I eventually get attached image on IIS. But, like I said earlier, it will work and show me the XML code for about 5 mins after I do an IISRESET.

AutoDiscoverServiceInternalUri :

In this - is = your external domain ?
Let me know your local FQDN and replace it here

Get-ClientAccessServer | Set-ClientAccessServer -AutoDiscoverServiceInternalUri:"https://mailservername.domain.local/Autodiscover/Autodiscover.xml"
and this where

is your local mail server fqdn

Get-AutodiscoverVirtualDirectory | set-AutodiscoverVirtualDirectory -InternalUrl:"https://ASTELLDC1.astell.local/Autodiscover/Autodiscover.xml"

it should not be https://SITES/

Server                        : ASTELLDC1
InternalUrl                   : https://sites/Autodiscover/Autodiscover.xml
ExternalUrl                   :

Are you running your exchange server on a DC ??
sunnyc7, will this make any difference to clients connecting remotely?

Also I have an internal DNS record set for that points to the internal IP address of the server. Not sure how this will make any difference.
Yes it is on a DC. Guess xxxing out all those names was a waste of time :-)
these are for internalURL's
we are not changing anything for externalURL

if you have internal DNS for pointing to local IP - instead of using local FQDN you can use - too

Really bad idea = installing exchange on a DC.
But since it's all set and done - lets run with it till you get your next "issue" and you can revisit Experts-Exchange again :)

Test it using Outlook.

Go to workstation
start > run > outlook /rpcdiag

see if connection is stable in connections monitor

if UCc/SAN cert is in the name of then use that - instead of mail.domain.local > if that name is not present in UCC/SAN Cert

We are changing only internal URL's
the - has to be present in UCC/SAN cert name or it will be bomb too.

Get-AutodiscoverVirtualDirectory | set-AutodiscoverVirtualDirectory -InternalUrl:""
Get-ClientAccessServer | Set-ClientAccessServer -AutoDiscoverServiceInternalUri:""

Yes, connection stays established. But whilst I watch that monitor the pop up appears for

IE, connect to

That SAN is in my UCC cert.
thetime- that reg entry did not work although not rebooted server yet. That will have to be done tonight.

Activesync also works but only if you put in servername (and not use autodiscover to configure phone).
lets see if your autodiscover bombs out after configuring the settings. If it doesnt you are good to go.

Registry changes require a reboot to take effect.
About autodiscover popups
Change msstd value from to
Same as your internal url above
Yeah it is that already.

It is an authentication thing here because like I said earlier, I can go to IIS on the server, logged on with an admin account and go to autodiscover site under SBS Web Applications, click browse *.443 and it prompts for password when it should just show the XML file straight away like iot does on other servers, or like it does shortly after an IISRESET.
What happens when you open this from browser ?
You should get a username / pass followed by xml

I think you are getting that because you have allowed integrated windows auth in autodiscover


Just for sanity please run this test using your server details and past here what it returns for you. It will help pin the problem.

Let us know about the registry key if it worked or not.


Think the reboot fixed it. I had another pop up this mornign but re-added Windows Authentication to Autodiscover website in IIS, retested at the exchange connectivity site which I have been using from the beginning and again both tests passed. Opened outlook, no second pop up and out of office works, which only works if autodiscover works!


Glad to hear, Monitor it for a while and remember to mark the thread as solved when you are satisfied that it's working.

hi peppele
Glad to hear that autodiscover works. Let me know if there is any other pending issues in this thread.

Avatar of Lee Pepper
Lee Pepper
Flag of United Kingdom of Great Britain and Northern Ireland image

Link to home
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Start Free Trial