Solved

Autodiscover keeps bombing out. Works temporarily.

Posted on 2010-09-06
32
1,008 Views
Last Modified: 2012-05-10
Hi, I have a Windows Server SBS 2008 server with Exchange 2007.

All services are working other than Outlook Anywhere to a degree. Keep getting prompted for a second password in Outlook 2007 from autodiscover.domain.com remotely and internally although mailbox connects and if you hit cancel it stays connected.

If I run the connectivity test online the error I get is 'A Web Exception occurred because an HTTP 401 - Unauthorized response was received from Unknown'. Server is running GoDaddy cert with autodiscover.domain.com also. If I browse to /autodiscover/autodiscover.xml either externally or internally I get prompted for password but it never shows XML file UNLESS....

...I run iisreset then it works periodically. The connectivity site even says successful but then I open Outlook remotely, connect, get second password prompt, can't authenticate and then connectivity test fails if I try again.

It's almost like it works until something kicks back in.
Question by:peppele
32 Comments
 
LVL 11

Expert Comment

by:Coast-IT
ID: 33610966
Recently I have had to re-set up autodiscover across several domains. This was probably down to early misconfigurations.

I always now follow this guide ;

http://exchange-genie.blogspot.com/2007/07/autodiscover-ad-attribute.html

I would just run over each section and check your autodiscover information.
0
 
LVL 3

Expert Comment

by:thetime
ID: 33611018
Can also try adding "msstd:[mail.domain.com]" to the Microsoft exchange proxy settings on a client computer. Replace the [mail.domain.com] with your external mail URL

It needs to be inserted @ "Only connect to proxy servers which have this principal name in their certificate:"
0
 

Author Comment

by:peppele
ID: 33611052
I have that ticked and setup - on that line I have - msstd:mail.domain.com.

Authentication is basic as it is for the autodiscover service. It's odd that OA connects and downloads e-mails but the 2nd prompt keeps coming back 'Connecting to autodiscover.domain.com' and its also weird that it will work for a while especially the connectivity test at the MS website but then stops working after about 5 minutes with the error -

'A Web Exception occurred because an HTTP 401 - Unauthorized response was received from Unknown'.

If I browse *.443 in IIS Autodiscover it prompts for a password but never gets to the XML file

although it works temporarily after an IISRESET and I see the XML file.
0
 
LVL 3

Expert Comment

by:thetime
ID: 33611117
Have you tried setting the authentication to NTLM?

And just confirm that the pc you are testing on is part of the domain for me please.
0
 
LVL 11

Expert Comment

by:Coast-IT
ID: 33611122
Do all of your checks come back ok?


PowerShell > Test-OutlookWebServices ?

The problem does sound IIS related.  How about Windows firewall (clutching at straws), have you tried switching this off on Exchange box?

Also, what do your event logs say?  Any IIS errors?
0
 

Author Comment

by:peppele
ID: 33611131
I haven't tried NTLM, I have a few other customers with this working but this is the first SBS 2008. I have it working on normal SBS 2008 at two sites and a server 2003.

I get the same results on mixture of machines - one domain joined and another not but that shouldn't matter. I get prompted and authenticate with the domain\username and like I say, it connects and Outlook stays connected remotely but the 2nd prompt appears and never goes away. I don't think Out of office works remotely for example because that tries to connect to autodiscover to get the settings.
0
 

Author Comment

by:peppele
ID: 33611158
This is from test-outlookwebservices


Id      : 1003
Type    : Information
Message : About to test AutoDiscover with the e-mail address Administrator@xxx.com.

Id      : 1007
Type    : Information
Message : Testing server xxxDC1.xxx.local with the published name https://mail.xxxl.com/ews/exchange.asmx & .

Id      : 1019
Type    : Information
Message : Found a valid AutoDiscover service connection point. The AutoDiscover URL on this object is https://
          mail.xxx.com/autodiscover/autodiscover.xml.

Id      : 1013
Type    : Error
Message : When contacting https://mail.xxx.com/autodiscover/autodiscover.xml received the error The remote
          server returned an error: (401) Unauthorized.

Id      : 1006
Type    : Error
Message : The Autodiscover service could not be contacted.
0
 
LVL 3

Expert Comment

by:thetime
ID: 33611202
Just for testing, try setting it to NTLM, you can always set it back to Basic.
0
 
LVL 11

Expert Comment

by:Coast-IT
ID: 33611445
Do you get an unauthorised  error from the clients too?

How about if you type localhost on the CAS server instead of the FQDN ;

http://www.exchange-genie.com/2007/07/401-error-when-attempting-test-outlookwebservices/
0
 
LVL 26

Expert Comment

by:e_aravind
ID: 33611584
How about the cert. issued-to value?
Is that like: *.domain.com?
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33611626
get-autodiscovervirtualdirectory | fl
get-clientaccessserver | fl

Please post back the output of both.

thanks
0
 

Author Comment

by:peppele
ID: 33611659

Name                           : XXXXXDC1
OutlookAnywhereEnabled         : True
AutoDiscoverServiceCN          : XXXXXDC1
AutoDiscoverServiceClassName   : ms-Exchange-AutoDiscover-Service
AutoDiscoverServiceInternalUri : https://mail.xxx.com/autodiscover/autodiscover.xml
AutoDiscoverServiceGuid        : 77378f46-2c66-4aa9-a6a6-3e7a48b19596
AutoDiscoverSiteScope          : {Default-First-Site-Name}
IsValid                        : True
OriginatingServer              : XXXXXXDC1.xxxx.local
ExchangeVersion                : 0.1 (8.0.535.0)
DistinguishedName              : CN=XXXXDC1,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN
                                 =Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Service
                                 s,CN=Configuration,DC=xxxx,DC=local
Identity                       : XXXXDC1
Guid                           : c751cfd4-1112-49b6-b0dd-ccd4eafe1d52
ObjectCategory                 : xxxx.local/Configuration/Schema/ms-Exch-Exchange-Server
ObjectClass                    : {top, server, msExchExchangeServer}
WhenChanged                    : 04/09/2010 10:07:32
WhenCreated                    : 25/08/2010 11:46:48

Name                          : Autodiscover (SBS Web Applications)
InternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated}
ExternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated}
BasicAuthentication           : True
DigestAuthentication          : False
WindowsAuthentication         : True
MetabasePath                  : IIS://XXXXDC1.xxxxx.local/W3SVC/3/ROOT/Autodiscover
Path                          : C:\Program Files\Microsoft\Exchange Server\ClientAccess\Autodiscover
Server                        : ASTELLDC1
InternalUrl                   : https://sites/Autodiscover/Autodiscover.xml
ExternalUrl                   : https://mail.xxxx.com/autodiscover/autodiscover.xml
AdminDisplayName              :
ExchangeVersion               : 0.1 (8.0.535.0)
DistinguishedName             : CN=Autodiscover (SBS Web Applications),CN=HTTP,CN=Protocols,CN=XXXXDC1,CN=Se
                                rvers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Gro
                                ups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,D
                                C=astell,DC=local
Identity                      : XXXXDC1\Autodiscover (SBS Web Applications)
Guid                          : 2530fefd-31c0-4fc8-b49b-72bdc2b093c8
ObjectCategory                : xxxxx.local/Configuration/Schema/ms-Exch-Auto-Discover-Virtual-Directory
ObjectClass                   : {top, msExchVirtualDirectory, msExchAutoDiscoverVirtualDirectory}
WhenChanged                   : 06/09/2010 11:43:40
WhenCreated                   : 25/08/2010 11:50:52
OriginatingServer             : XXXXDC1.astell.local
IsValid                       : True

The cert common name is mail.xxx.com and there is a SAN of autodiscover.xxx.com. In other words a UCC cert.
0
 

Author Comment

by:peppele
ID: 33611748
COAST-IT = I get same login prompt on server if I use FQDN or localhost. And same login prompt if done remotely.

I eventually get attached image on IIS. But, like I said earlier, it will work and show me the XML code for about 5 mins after I do an IISRESET.


auth401.JPG
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33611763
AutoDiscoverServiceInternalUri : https://mail.xxx.com/autodiscover/autodiscover.xml

In this - is mail.domain.com = your external domain ?
Let me know your local FQDN and replace it here

Get-ClientAccessServer | Set-ClientAccessServer -AutoDiscoverServiceInternalUri:"https://mailservername.domain.local/Autodiscover/Autodiscover.xml"
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33611782
and this where
ASTELLDC1.astell.local

is your local mail server fqdn

Get-AutodiscoverVirtualDirectory | set-AutodiscoverVirtualDirectory -InternalUrl:"https://ASTELLDC1.astell.local/Autodiscover/Autodiscover.xml"

it should not be https://SITES/

Server                        : ASTELLDC1
InternalUrl                   : https://sites/Autodiscover/Autodiscover.xml
ExternalUrl                   : https://mail.xxxx.com/autodiscover/autodiscover.xml

===
Are you running your exchange server on a DC ??
0
 

Author Comment

by:peppele
ID: 33611795
sunnyc7, will this make any difference to clients connecting remotely?

Also I have an internal DNS record set for mail.xxx.com that points to the internal IP address of the server. Not sure how this will make any difference.
0
 

Author Comment

by:peppele
ID: 33611804
Yes it is on a DC. Guess xxxing out all those names was a waste of time :-)
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33611815
no
these are for internalURL's
we are not changing anything for externalURL

if you have internal DNS for mail.XXX.com pointing to local IP - instead of using local FQDN you can use - mail.domain.com too

--
Really bad idea = installing exchange on a DC.
But since it's all set and done - let's run with it till you get your next "issue" and you can revisit Experts-Exchange again :)

0
 
LVL 3

Expert Comment

by:thetime
ID: 33611841
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33611845
Test it using Outlook.

Go to workstation
start > run > outlook /rpcdiag

see if connection is stable in connections monitor

if UCC/SAN cert is in the name of mail.domain.net then use that - instead of mail.domain.local > if that name is not present in UCC/SAN Cert

We are changing only internal URL's
the mail.domain.com - has to be present in UCC/SAN cert name or it will bomb too.

Get-AutodiscoverVirtualDirectory | set-AutodiscoverVirtualDirectory -InternalUrl:"https://mail.domain.com/Autodiscover/Autodiscover.xml"
Get-ClientAccessServer | Set-ClientAccessServer -AutoDiscoverServiceInternalUri:"https://mail.domain.com/Autodiscover/Autodiscover.xml"

0
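
Added example, not part of any post in this thread: a PowerShell check of the rule described in the comment above, that the host name in each configured Autodiscover URL must appear on the UCC/SAN certificate. The function names are hypothetical, and the certificate names and URLs are constructed from the placeholder output posted earlier, with the anonymised domain normalised to xxx.com.

```powershell
# Added example. Runs offline on constructed data; no Exchange cmdlets are called.

function Test-NameCoveredByCert {
    param([string]$HostName, [string[]]$CertNames)
    foreach ($name in $CertNames) {
        if ($name -ieq $HostName) { return $true }
        # A wildcard entry covers exactly one left-most label.
        if ($name.StartsWith('*.')) {
            $suffix = $name.Substring(1)                 # e.g. ".xxx.com"
            $first, $rest = $HostName.Split('.', 2)
            if ($rest -and (".$rest" -ieq $suffix)) { return $true }
        }
    }
    return $false
}

function Get-UrlCertCoverage {
    param([hashtable]$Urls, [string[]]$CertNames)
    foreach ($key in ($Urls.Keys | Sort-Object)) {
        $hostName = ([System.Uri]$Urls[$key]).Host
        New-Object PSObject -Property @{
            Setting = $key
            Host    = $hostName
            Covered = (Test-NameCoveredByCert -HostName $hostName -CertNames $CertNames)
        }
    }
}

# Constructed: certificate common name plus its one SAN, as described in the thread.
$certNames = @('mail.xxx.com', 'autodiscover.xxx.com')

# Constructed from the posted Get-ClientAccessServer and
# Get-AutodiscoverVirtualDirectory output.
$configuredUrls = @{
    'AutoDiscoverServiceInternalUri' = 'https://mail.xxx.com/autodiscover/autodiscover.xml'
    'InternalUrl'                    = 'https://sites/Autodiscover/Autodiscover.xml'
    'ExternalUrl'                    = 'https://mail.xxx.com/autodiscover/autodiscover.xml'
}

# List each setting, the host it points at, and whether the certificate covers it.
Get-UrlCertCoverage -Urls $configuredUrls -CertNames $certNames |
    Select-Object Setting, Host, Covered |
    Format-Table -AutoSize
```

On a live server the same two functions can be fed the URL properties and certificate names read from the Exchange Management Shell instead of the constructed values.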
 

Author Comment

by:peppele
ID: 33611942
Yes, connection stays established. But whilst I watch that monitor the pop up appears for autodiscover.astell.com.

IE, connect to autodiscover.astell.com.

That SAN is in my UCC cert.
0
 

Author Comment

by:peppele
ID: 33611954
thetime- that reg entry did not work although not rebooted server yet. That will have to be done tonight.

0
 

Author Comment

by:peppele
ID: 33611964
ActiveSync also works but only if you put in servername (and not use autodiscover to configure phone).
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33612116
Let's see if your autodiscover bombs out after configuring the settings. If it doesn't you are good to go.

Registry changes require a reboot to take effect.
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33612169
About autodiscover popups
Change msstd value from autodiscover.domain.com to
Mail.domain.com
Same as your internal url above
0
 

Author Comment

by:peppele
ID: 33612182
Yeah it is that already.

It is an authentication thing here because like I said earlier, I can go to IIS on the server, logged on with an admin account and go to autodiscover site under SBS Web Applications, click browse *.443 and it prompts for password when it should just show the XML file straight away like it does on other servers, or like it does shortly after an IISRESET.
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33612200
What happens when you open this from browser
https://mail.domain.com/autodiscover/autodiscover.xml ?
You should get a username / pass followed by xml

I think you are getting that because you have allowed integrated windows auth in autodiscover

Thanks
0
 
LVL 3

Expert Comment

by:thetime
ID: 33624711
https://www.testexchangeconnectivity.com/

Just for sanity please run this test using your server details and paste here what it returns for you. It will help pin the problem.

Let us know about the registry key if it worked or not.

Regards,

TT
0
 

Author Comment

by:peppele
ID: 33624775
Think the reboot fixed it. I had another pop up this morning but re-added Windows Authentication to Autodiscover website in IIS, retested at the exchange connectivity site which I have been using from the beginning and again both tests passed. Opened outlook, no second pop up and out of office works, which only works if autodiscover works!

Superb!!


0
 
LVL 3

Expert Comment

by:thetime
ID: 33624873
Glad to hear, Monitor it for a while and remember to mark the thread as solved when you are satisfied that it's working.

=)
0
 
LVL 28

Expert Comment

by:sunnyc7
ID: 33626872
hi peppele
Glad to hear that autodiscover works. Let me know if there is any other pending issues in this thread.

thanks
0
 

Accepted Solution

by:
peppele earned 0 total points
ID: 33662073
The problem reoccurred so I eventually found this online which mirrored my exact problem.

Funny I couldn't find anyone with the same problem on any other message board - http://www.office-outlook.com/outlook-forum/index.php/m/617984/

So I ran the roll up, 4 I think, and that resolved the problem.

:-)
0
