  • Status: Solved

Autodiscover keeps bombing out. Works temporarily.

Hi, I have a Windows Server SBS 2008 server with Exchange 2007.

All services are working other than Outlook Anywhere to a degree. Keep getting prompted for a second password in Outlook 2007 from autodiscover.domain.com remotely and internally although mailbox connects and if you hit cancel it stays connected.

If I run the connectivity test online the error I get is 'A Web Exception occurred because an HTTP 401 - Unauthorized response was received from Unknown'. Server is running GoDaddy cert with autodiscover.domain.com also. If I browse to /autodiscover/autodiscover.xml either externally or internally I get prompted for password but it never shows XML file UNLESS....

...I run iisreset then it works periodically. The connectivity site even says successful but then I open Outlook remotely, connect, get second password prompt, can't authenticate and then connectivity test fails if I try again.

It's almost like it works until something kicks back in.
0
Asked:
Lee Pepper
1 Solution
 
Coast-ITCommented:
Recently I have had to re-set up autodiscover across several domains. This was probably down to early misconfigurations.

I always now follow this guide:

http://exchange-genie.blogspot.com/2007/07/autodiscover-ad-attribute.html

I would just run over each section and check your autodiscover information.
0
 
thetimeCommented:
Can also try adding "msstd:[mail.domain.com]" to the Microsoft Exchange proxy settings on a client computer. Replace the [mail.domain.com] with your external mail URL.

It needs to be inserted @ "Only connect to proxy servers which have this principal name in their certificate:"
0
 
Lee PepperDirectorAuthor Commented:
I have that ticked and setup - on that line I have - msstd:mail.domain.com.

Authentication is basic as it is for the autodiscover service. It's odd that OA connects and downloads e-mails but the 2nd prompt keeps coming back 'Connecting to autodiscover.domain.com' and it's also weird that it will work for a while especially the connectivity test at the MS website but then stops working after about 5 minutes with the error -

'A Web Exception occurred because an HTTP 401 - Unauthorized response was received from Unknown'.

If I browse *.443 in IIS Autodiscover it prompts for a password but never gets to the XML file

although it works temporarily after an IISRESET and I see the XML file.
0

 
thetimeCommented:
Have you tried setting the authentication to NTLM?

And just confirm that the PC you are testing on is part of the domain for me please.
0
 
Coast-ITCommented:
Do all of your checks come back ok?


PowerShell > Test-OutlookWebServices ?

The problem does sound IIS related.  How about Windows firewall (clutching at straws), have you tried switching this off on Exchange box?

Also, what do your event logs say?  Any IIS errors?
0
 
Lee PepperDirectorAuthor Commented:
I haven't tried NTLM, I have a few other customers with this working but this is the first SBS 2008. I have it working on normal SBS 2008 at two sites and a server 2003.

I get the same results on mixture of machines - one domain joined and another not but that shouldn't matter. I get prompted and authenticate with the domain\username and like I say, it connects and Outlook stays connected remotely but the 2nd prompt appears and never goes away. I don't think Out of office works remotely for example because that tries to connect to autodiscover to get the settings.
0
 
Lee PepperDirectorAuthor Commented:
This is from test-outlookwebservices


Id      : 1003
Type    : Information
Message : About to test AutoDiscover with the e-mail address Administrator@xxx.com.

Id      : 1007
Type    : Information
Message : Testing server xxxDC1.xxx.local with the published name https://mail.xxxl.com/ews/exchange.asmx & .

Id      : 1019
Type    : Information
Message : Found a valid AutoDiscover service connection point. The AutoDiscover URL on this object is https://
          mail.xxx.com/autodiscover/autodiscover.xml.

Id      : 1013
Type    : Error
Message : When contacting https://mail.xxx.com/autodiscover/autodiscover.xml received the error The remote
          server returned an error: (401) Unauthorized.

Id      : 1006
Type    : Error
Message : The Autodiscover service could not be contacted.
0
 
thetimeCommented:
Just for testing, try setting it to NTLM, you can always set it back to Basic.
0
 
Coast-ITCommented:
Do you get an unauthorised error from the clients too?

How about if you type localhost on the CAS server instead of the FQDN:

http://www.exchange-genie.com/2007/07/401-error-when-attempting-test-outlookwebservices/
0
 
e_aravindCommented:
How about the cert. issued-to value?
Is that like: *.domain.com?
0
 
sunnyc7Commented:
get-autodiscovervirtualdirectory | fl
get-clientaccessserver | fl

Please post back the output of both.

thanks
0
 
Lee PepperDirectorAuthor Commented:

Name                           : XXXXXDC1
OutlookAnywhereEnabled         : True
AutoDiscoverServiceCN          : XXXXXDC1
AutoDiscoverServiceClassName   : ms-Exchange-AutoDiscover-Service
AutoDiscoverServiceInternalUri : https://mail.xxx.com/autodiscover/autodiscover.xml
AutoDiscoverServiceGuid        : 77378f46-2c66-4aa9-a6a6-3e7a48b19596
AutoDiscoverSiteScope          : {Default-First-Site-Name}
IsValid                        : True
OriginatingServer              : XXXXXXDC1.xxxx.local
ExchangeVersion                : 0.1 (8.0.535.0)
DistinguishedName              : CN=XXXXDC1,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN
                                 =Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Service
                                 s,CN=Configuration,DC=xxxx,DC=local
Identity                       : XXXXDC1
Guid                           : c751cfd4-1112-49b6-b0dd-ccd4eafe1d52
ObjectCategory                 : xxxx.local/Configuration/Schema/ms-Exch-Exchange-Server
ObjectClass                    : {top, server, msExchExchangeServer}
WhenChanged                    : 04/09/2010 10:07:32
WhenCreated                    : 25/08/2010 11:46:48

Name                          : Autodiscover (SBS Web Applications)
InternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated}
ExternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated}
BasicAuthentication           : True
DigestAuthentication          : False
WindowsAuthentication         : True
MetabasePath                  : IIS://XXXXDC1.xxxxx.local/W3SVC/3/ROOT/Autodiscover
Path                          : C:\Program Files\Microsoft\Exchange Server\ClientAccess\Autodiscover
Server                        : ASTELLDC1
InternalUrl                   : https://sites/Autodiscover/Autodiscover.xml
ExternalUrl                   : https://mail.xxxx.com/autodiscover/autodiscover.xml
AdminDisplayName              :
ExchangeVersion               : 0.1 (8.0.535.0)
DistinguishedName             : CN=Autodiscover (SBS Web Applications),CN=HTTP,CN=Protocols,CN=XXXXDC1,CN=Se
                                rvers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Gro
                                ups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Configuration,D
                                C=astell,DC=local
Identity                      : XXXXDC1\Autodiscover (SBS Web Applications)
Guid                          : 2530fefd-31c0-4fc8-b49b-72bdc2b093c8
ObjectCategory                : xxxxx.local/Configuration/Schema/ms-Exch-Auto-Discover-Virtual-Directory
ObjectClass                   : {top, msExchVirtualDirectory, msExchAutoDiscoverVirtualDirectory}
WhenChanged                   : 06/09/2010 11:43:40
WhenCreated                   : 25/08/2010 11:50:52
OriginatingServer             : XXXXDC1.astell.local
IsValid                       : True

The cert common name is mail.xxx.com and there is a SAN of autodiscover.xxx.com. In other words a UCC cert.
0
 
Lee PepperDirectorAuthor Commented:
COAST-IT = I get same login prompt on server if I use FQDN or localhost. And same login prompt if done remotely.

I eventually get attached image on IIS. But, like I said earlier, it will work and show me the XML code for about 5 mins after I do an IISRESET.


auth401.JPG
0
 
sunnyc7Commented:
AutoDiscoverServiceInternalUri : https://mail.xxx.com/autodiscover/autodiscover.xml

In this - is mail.domain.com = your external domain ?
Let me know your local FQDN and replace it here

Get-ClientAccessServer | Set-ClientAccessServer -AutoDiscoverServiceInternalUri:"https://mailservername.domain.local/Autodiscover/Autodiscover.xml"
0
 
sunnyc7Commented:
and this where
ASTELLDC1.astell.local

is your local mail server fqdn

Get-AutodiscoverVirtualDirectory | set-AutodiscoverVirtualDirectory -InternalUrl:"https://ASTELLDC1.astell.local/Autodiscover/Autodiscover.xml"

it should not be https://SITES/

Server                        : ASTELLDC1
InternalUrl                   : https://sites/Autodiscover/Autodiscover.xml
ExternalUrl                   : https://mail.xxxx.com/autodiscover/autodiscover.xml

===
Are you running your Exchange server on a DC ??
0
 
Lee PepperDirectorAuthor Commented:
sunnyc7, will this make any difference to clients connecting remotely?

Also I have an internal DNS record set for mail.xxx.com that points to the internal IP address of the server. Not sure how this will make any difference.
0
 
Lee PepperDirectorAuthor Commented:
Yes it is on a DC. Guess xxxing out all those names was a waste of time :-)
0
 
sunnyc7Commented:
no
these are for internalURL's
we are not changing anything for externalURL

if you have internal DNS for mail.XXX.com pointing to local IP - instead of using local FQDN you can use - mail.domain.com too

--
Really bad idea = installing exchange on a DC.
But since it's all set and done - let's run with it till you get your next "issue" and you can revisit Experts-Exchange again :)

0
 
sunnyc7Commented:
Test it using Outlook.

Go to workstation
start > run > outlook /rpcdiag

see if connection is stable in connections monitor

If UCC/SAN cert is in the name of mail.domain.net then use that - instead of mail.domain.local > if that name is not present in UCC/SAN cert

We are changing only internal URLs
the mail.domain.com - has to be present in UCC/SAN cert name or it will bomb too.

Get-AutodiscoverVirtualDirectory | set-AutodiscoverVirtualDirectory -InternalUrl:"https://mail.domain.com/Autodiscover/Autodiscover.xml"
Get-ClientAccessServer | Set-ClientAccessServer -AutoDiscoverServiceInternalUri:"https://mail.domain.com/Autodiscover/Autodiscover.xml"

0
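The check described in the post above, that every host name used in the Autodiscover URLs appears on the UCC/SAN certificate, written as an added example that is not part of the original thread. The domain `example.com`, the function name `Test-HostCoveredByCert`, and the sample lists are constructed placeholders; the `sites` host is the InternalUrl value shown earlier in the thread.

```powershell
# Added example. All names and URLs below are constructed sample data.
function Test-HostCoveredByCert {
    param(
        [Parameter(Mandatory = $true)][string]   $HostName,
        [Parameter(Mandatory = $true)][string[]] $CertNames
    )
    foreach ($name in $CertNames) {
        # Exact match, case-insensitive.
        if ($name -ieq $HostName) { return $true }
        # A wildcard such as *.example.com covers exactly one left-hand label.
        if ($name.StartsWith('*.')) {
            $suffix = $name.Substring(1)   # ".example.com"
            if ($HostName.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) {
                $label = $HostName.Substring(0, $HostName.Length - $suffix.Length)
                if ($label.Length -gt 0 -and -not $label.Contains('.')) { return $true }
            }
        }
    }
    return $false
}

# Names on the certificate: common name plus subject alternative names.
$certNames = @('mail.example.com', 'autodiscover.example.com')

# URL values as they would be copied from Get-ClientAccessServer and
# Get-AutodiscoverVirtualDirectory output.
$urls = @(
    @{ Setting = 'AutoDiscoverServiceInternalUri'; Url = 'https://mail.example.com/autodiscover/autodiscover.xml' },
    @{ Setting = 'InternalUrl';                    Url = 'https://sites/Autodiscover/Autodiscover.xml' },
    @{ Setting = 'ExternalUrl';                    Url = 'https://mail.example.com/autodiscover/autodiscover.xml' }
)

foreach ($u in $urls) {
    $hostName = ([Uri]$u.Url).Host
    New-Object PSObject -Property @{
        Setting = $u.Setting
        Host    = $hostName
        OnCert  = Test-HostCoveredByCert -HostName $hostName -CertNames $certNames
    } | Select-Object Setting, Host, OnCert
}
```

With this sample data the `sites` InternalUrl is the only row where `OnCert` is False.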
 
Lee PepperDirectorAuthor Commented:
Yes, connection stays established. But whilst I watch that monitor the pop up appears for autodiscover.astell.com.

IE, connect to autodiscover.astell.com.

That SAN is in my UCC cert.
0
 
Lee PepperDirectorAuthor Commented:
thetime- that reg entry did not work although not rebooted server yet. That will have to be done tonight.

0
 
Lee PepperDirectorAuthor Commented:
Activesync also works but only if you put in servername (and not use autodiscover to configure phone).
0
 
sunnyc7Commented:
Let's see if your autodiscover bombs out after configuring the settings. If it doesn't you are good to go.

Registry changes require a reboot to take effect.
0
 
sunnyc7Commented:
About autodiscover popups
Change msstd value from autodiscover.domain.com to
Mail.domain.com
Same as your internal url above
0
 
Lee PepperDirectorAuthor Commented:
Yeah it is that already.

It is an authentication thing here because like I said earlier, I can go to IIS on the server, logged on with an admin account and go to autodiscover site under SBS Web Applications, click browse *.443 and it prompts for password when it should just show the XML file straight away like it does on other servers, or like it does shortly after an IISRESET.
0
 
sunnyc7Commented:
What happens when you open this from browser
https://mail.domain.com/autodiscover/autodiscover.xml ?
You should get a username / pass followed by xml

I think you are getting that because you have allowed integrated windows auth in autodiscover

Thanks
0
 
thetimeCommented:
https://www.testexchangeconnectivity.com/

Just for sanity please run this test using your server details and paste here what it returns for you. It will help pin the problem.

Let us know about the registry key if it worked or not.

Regards,

TT
0
 
Lee PepperDirectorAuthor Commented:
Think the reboot fixed it. I had another pop up this morning but re-added Windows Authentication to Autodiscover website in IIS, retested at the exchange connectivity site which I have been using from the beginning and again both tests passed. Opened Outlook, no second pop up and out of office works, which only works if autodiscover works!

Superb!!


0
 
thetimeCommented:
Glad to hear. Monitor it for a while and remember to mark the thread as solved when you are satisfied that it's working.

=)
0
 
sunnyc7Commented:
hi peppele
Glad to hear that autodiscover works. Let me know if there are any other pending issues in this thread.

thanks
0
 
Lee PepperDirectorAuthor Commented:
The problem reoccurred so I eventually found this online which mirrored my exact problem.

Funny I couldn't find anyone with the same problem on any other message board - http://www.office-outlook.com/outlook-forum/index.php/m/617984/

So I ran the roll up, 4 I think, and that resolved the problem.

:-)
0
