Lee Pepper
asked on
Autodiscover keeps bombing out. works temporarily.
Hi, I have a Windows Server SBS 2008 server with Exchange 2007.
All services are working other than Outlook Anywhere to a degree. Keep getting prompted for a second password in Outlook 2007 from autodiscover.domain.com remotely and internally although mailbox connects and if you hit cancel it stays connected.
If I run the connectivity test online the error I get is 'A Web Exception occurred because an HTTP 401 - Unauthorized response was received from Unknown'. Server is running GoDaddy cert with autodiscover.domain.com also. If I browse to /autodiscover/autodiscover.xml either externally or internally I get prompted for password but it never shows XML file UNLESS....
...I run iisreset then it works periodically. The connectivity site even says successful but then I open Outlook remotely, connect, get second password prompt, can't authenticate and then connectivity test fails if I try again.
It's almost like it works until something kicks back in.
can also try adding "msstd:[mail.domain.com]" to the Microsoft exchange proxy settings on a client computer. Replace the [mail.domain.com] with your external mail URL
It needs to be inserted @ "Only connect to proxy servers which have this principal name in their certificate:"
ASKER
I have that ticked and setup - on that line I have - msstd:mail.domain.com.
Authentication is basic as it is for the autodiscover service. It's odd that OA connects and downloads e-mails but the 2nd prompt keeps coming back 'Connecting to autodiscover.domain.com' and it's also weird that it will work for a while especially the connectivity test at the MS website but then stops working after about 5 minutes with the error -
'A Web Exception occurred because an HTTP 401 - Unauthorized response was received from Unknown'.
If I browse *.443 in IIS Autodiscover it prompts for a password but never gets to the XML file
although it works temporarily after an IISRESET and I see the XML file.
Have you tried setting the authentication to NTLM?
And just confirm that the pc you are testing on is part of the domain for me please.
Do all of your checks come back ok?
PowerShell > Test-OutlookWebServices ?
The problem does sound IIS related. How about Windows firewall (clutching at straws), have you tried switching this off on Exchange box?
Also, what do your event logs say? Any IIS errors?
ASKER
I haven't tried NTLM, I have a few other customers with this working but this is the first SBS 2008. I have it working on normal SBS 2008 at two sites and a server 2003.
I get the same results on mixture of machines - one domain joined and another not but that shouldn't matter. I get prompted and authenticate with the domain\username and like I say, it connects and Outlook stays connected remotely but the 2nd prompt appears and never goes away. I don't think Out of office works remotely for example because that tries to connect to autodiscover to get the settings.
ASKER
This is from test-outlookwebservices
Id : 1003
Type : Information
Message : About to test AutoDiscover with the e-mail address Administrator@xxx.com.
Id : 1007
Type : Information
Message : Testing server xxxDC1.xxx.local with the published name https://mail.xxxl.com/ews/exchange.asmx & .
Id : 1019
Type : Information
Message : Found a valid AutoDiscover service connection point. The AutoDiscover URL on this object is https://mail.xxx.com/autodiscover/autodiscover.xml.
Id : 1013
Type : Error
Message : When contacting https://mail.xxx.com/autodiscover/autodiscover.xml received the error The remote
server returned an error: (401) Unauthorized.
Id : 1006
Type : Error
Message : The Autodiscover service could not be contacted.
Just for testing, try setting it to NTLM, you can always set it back to Basic.
Do you get an unauthorised error from the clients too?
How about if you type localhost on the CAS server instead of the FQDN ;
http://www.exchange-genie.com/2007/07/401-error-when-attempting-test-outlookwebservices/
How about the cert. issued-to value?
Is that like: *.domain.com?
Get-AutodiscoverVirtualDirectory | fl
get-clientaccessserver | fl
Please post back the output of both.
thanks
ASKER
Name : XXXXXDC1
OutlookAnywhereEnabled : True
AutoDiscoverServiceCN : XXXXXDC1
AutoDiscoverServiceClassNa
AutoDiscoverServiceInterna
AutoDiscoverServiceGuid : 77378f46-2c66-4aa9-a6a6-3e
AutoDiscoverSiteScope : {Default-First-Site-Name}
IsValid : True
OriginatingServer : XXXXXXDC1.xxxx.local
ExchangeVersion : 0.1 (8.0.535.0)
DistinguishedName : CN=XXXXDC1,CN=Servers,CN=E
=Administrative Groups,CN=First Organization,CN=Microsoft Exchange,CN=Service
s,CN=Configuration,DC=xxxx
Identity : XXXXDC1
Guid : c751cfd4-1112-49b6-b0dd-cc
ObjectCategory : xxxx.local/Configuration/S
ObjectClass : {top, server, msExchExchangeServer}
WhenChanged : 04/09/2010 10:07:32
WhenCreated : 25/08/2010 11:46:48
Name : Autodiscover (SBS Web Applications)
InternalAuthenticationMeth
ExternalAuthenticationMeth
BasicAuthentication : True
DigestAuthentication : False
WindowsAuthentication : True
MetabasePath : IIS://XXXXDC1.xxxxx.local/
Path : C:\Program Files\Microsoft\Exchange Server\ClientAccess\Autodi
Server : ASTELLDC1
InternalUrl : https://sites/Autodiscover/Autodiscover.xml
ExternalUrl : https://mail.xxxx.com/autodiscover/autodiscover.xml
AdminDisplayName :
ExchangeVersion : 0.1 (8.0.535.0)
DistinguishedName : CN=Autodiscover (SBS Web Applications),CN=HTTP,CN=P
rvers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Admin
ups,CN=First Organization,CN=Microsoft Exchange,CN=Services,CN=Co
C=astell,DC=local
Identity : XXXXDC1\Autodiscover (SBS Web Applications)
Guid : 2530fefd-31c0-4fc8-b49b-72
ObjectCategory : xxxxx.local/Configuration/
ObjectClass : {top, msExchVirtualDirectory, msExchAutoDiscoverVirtualD
WhenChanged : 06/09/2010 11:43:40
WhenCreated : 25/08/2010 11:50:52
OriginatingServer : XXXXDC1.astell.local
IsValid : True
The cert common name is mail.xxx.com and there is a SAN of autodiscover.xxx.com. In other words a UCC cert.
ASKER
COAST-IT = I get same login prompt on server if I use FQDN or localhost. And same login prompt if done remotely.
I eventually get attached image on IIS. But, like I said earlier, it will work and show me the XML code for about 5 mins after I do an IISRESET.
auth401.JPG
AutoDiscoverServiceInternalUri : https://mail.xxx.com/autodiscover/autodiscover.xml
In this - is mail.domain.com = your external domain ?
Let me know your local FQDN and replace it here
Get-ClientAccessServer | Set-ClientAccessServer -AutoDiscoverServiceInternalUri:"https://mailservername.domain.local/Autodiscover/Autodiscover.xml"
and this where
ASTELLDC1.astell.local
is your local mail server fqdn
Get-AutodiscoverVirtualDirectory | set-AutodiscoverVirtualDirectory -InternalUrl:"https://ASTELLDC1.astell.local/Autodiscover/Autodiscover.xml"
it should not be https://SITES/
Server : ASTELLDC1
InternalUrl : https://sites/Autodiscover/Autodiscover.xml
ExternalUrl : https://mail.xxxx.com/autodiscover/autodiscover.xml
===
Are you running your exchange server on a DC ??
ASKER
sunnyc7, will this make any difference to clients connecting remotely?
Also I have an internal DNS record set for mail.xxx.com that points to the internal IP address of the server. Not sure how this will make any difference.
ASKER
Yes it is on a DC. Guess xxxing out all those names was a waste of time :-)
no
these are for internalURL's
we are not changing anything for externalURL
if you have internal DNS for mail.XXX.com pointing to local IP - instead of using local FQDN you can use - mail.domain.com too
--
Really bad idea = installing exchange on a DC.
But since it's all set and done - let's run with it till you get your next "issue" and you can revisit Experts-Exchange again :)
http://www.exchange-genie.com/2007/07/401-error-when-attempting-test-outlookwebservices/
Check this link please
Test it using Outlook.
Go to workstation
start > run > outlook /rpcdiag
see if connection is stable in connections monitor
if UCC/SAN cert is in the name of mail.domain.net then use that - instead of mail.domain.local > if that name is not present in UCC/SAN Cert
We are changing only internal URL's
the mail.domain.com - has to be present in UCC/SAN cert name or it will bomb too.
Get-AutodiscoverVirtualDirectory | set-AutodiscoverVirtualDirectory -InternalUrl:"https://mail.domain.com/Autodiscover/Autodiscover.xml"
Get-ClientAccessServer | Set-ClientAccessServer -AutoDiscoverServiceInternalUri:"https://mail.domain.com/Autodiscover/Autodiscover.xml"
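Added example, not part of the thread or any poster's code: a PowerShell check that every host name used in the Autodiscover URLs is covered by a name on the certificate, which is the condition the post above describes. The function names and the sample values (built from the placeholder names quoted in the thread) are assumptions.

```powershell
# Added example. Sample values are constructed from the placeholders in the thread.
function Test-NameCoveredByCert {
    param([string]$HostName, [string[]]$CertNames)
    $h = $HostName.ToLowerInvariant()
    foreach ($name in $CertNames) {
        $n = $name.ToLowerInvariant()
        if ($n -eq $h) { return $true }
        # A wildcard covers exactly one left-most label:
        # *.xxx.com matches mail.xxx.com, not xxx.com or a.b.xxx.com.
        if ($n.StartsWith('*.')) {
            $suffix = $n.Substring(1)
            if ($h.EndsWith($suffix)) {
                $label = $h.Substring(0, $h.Length - $suffix.Length)
                if ($label.Length -gt 0 -and $label.IndexOf('.') -lt 0) { return $true }
            }
        }
    }
    return $false
}

function Get-UncoveredUrl {
    param([hashtable]$Urls, [string[]]$CertNames)
    foreach ($setting in $Urls.Keys) {
        # Only the host part of the URL is compared with the certificate names.
        $hostName = ([System.Uri]($Urls[$setting])).Host
        if (-not (Test-NameCoveredByCert -HostName $hostName -CertNames $CertNames)) {
            "{0}: host '{1}' is not on the certificate" -f $setting, $hostName
        }
    }
}

# Subject CN and SAN as described by the asker (constructed sample).
$certNames = @('mail.xxx.com', 'autodiscover.xxx.com')
# URLs as shown in the cmdlet output earlier in the thread (constructed sample).
$urls = @{
    'AutoDiscoverServiceInternalUri' = 'https://mail.xxx.com/autodiscover/autodiscover.xml'
    'Autodiscover InternalUrl'       = 'https://sites/Autodiscover/Autodiscover.xml'
    'Autodiscover ExternalUrl'       = 'https://mail.xxx.com/autodiscover/autodiscover.xml'
}
Get-UncoveredUrl -Urls $urls -CertNames $certNames
```

On a live server the URL values would come from Get-ClientAccessServer and Get-AutodiscoverVirtualDirectory, both used in the thread.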
ASKER
Yes, connection stays established. But whilst I watch that monitor the pop up appears for autodiscover.astell.com.
IE, connect to autodiscover.astell.com.
That SAN is in my UCC cert.
ASKER
thetime- that reg entry did not work although not rebooted server yet. That will have to be done tonight.
ASKER
Activesync also works but only if you put in servername (and not use autodiscover to configure phone).
Let's see if your autodiscover bombs out after configuring the settings. If it doesn't you are good to go.
Registry changes require a reboot to take effect.
About autodiscover popups
Change msstd value from autodiscover.domain.com to
Mail.domain.com
Same as your internal url above
ASKER
Yeah it is that already.
It is an authentication thing here because like I said earlier, I can go to IIS on the server, logged on with an admin account and go to autodiscover site under SBS Web Applications, click browse *.443 and it prompts for password when it should just show the XML file straight away like it does on other servers, or like it does shortly after an IISRESET.
What happens when you open this from browser
https://mail.domain.com/autodiscover/autodiscover.xml ?
You should get a username / pass followed by xml
I think you are getting that because you have allowed integrated windows auth in autodiscover
Thanks
https://www.testexchangeconnectivity.com/
Just for sanity please run this test using your server details and paste here what it returns for you. It will help pin the problem.
Let us know about the registry key if it worked or not.
Regards,
TT
ASKER
Think the reboot fixed it. I had another pop up this morning but re-added Windows Authentication to Autodiscover website in IIS, retested at the exchange connectivity site which I have been using from the beginning and again both tests passed. Opened outlook, no second pop up and out of office works, which only works if autodiscover works!
Superb!!
Glad to hear, Monitor it for a while and remember to mark the thread as solved when you are satisfied that it's working.
=)
hi peppele
Glad to hear that autodiscover works. Let me know if there is any other pending issues in this thread.
thanks
I always now follow this guide ;
http://exchange-genie.blogspot.com/2007/07/autodiscover-ad-attribute.html
I would just run over each section and check your autodiscover information.