mtheorygrp
Autodiscover Issues SBS 2008: Internal and External

The server has been up for about 1 year with no real issues, except that the Out of Office assistant has never worked, even for internal users...it works through OWA, but they hardly use it. Everyone is using Outlook 2007 or 2010 and there were never any Outlook 2003 clients. Autodiscover seems to work internally, but it takes longer than in any other Exchange/Outlook 2007 environment I manage. I'm talking 25-30 seconds instead of 3-5. The customer has an external domain of customerdomain.com and we purchased a GoDaddy cert for mail.customerdomain.com and installed it about two months ago using the IAMW. This resolved the warnings on OWA and also RWW, however it did nothing to resolve the Exchange issues. Outlook Anywhere works both internally and externally if configured manually.

I have removed the wildcard record in their external DNS and created an SRV record that points to mail.customerdomain.com. There is also an existing A record mail.customerdomain.com that points to the external IP of the SBS server. There are no autodiscover CNAME or A records in external DNS.

I used the Internet Address Management Wizard to initially set up the external DNS zone on the internal DNS server. This created a zone called mail.customerdomain.com that contains an SOA record and an A record pointing to the internal IP address of the SBS server.

Outlook Anywhere works externally if configured manually, as well as internally. It will always default to TCP/IP on fast networks, so internally it is a given that autodiscover favors a raw MAPI connection.

Here is the output of test-outlookwebservices -identity mtheory

Name                           : SBSSERVER
AutoDiscoverServiceInternalUri : https://mail.customerdomain.com/autodiscover/autodiscover.xml

and test-outlookwebservices -identity mtheory

   Id      Type Message
   --      ---- -------
 1003      Information About to test AutoDiscover with the e-mail address mtheory@customerdomain.com.
 1013      Error When contacting https://mail.customerdomain.com/autodiscover/autodiscover.xml received the error The remote server returned an error: (401) Unauthorized.
 1006      Error The Autodiscover service could not be contacted.

I have attached the output of get-exchangecertificate | fl for review as well.

Lastly, I had an issue where Outlook 2007 detected the user's email address as username@intcustomerdomain.local instead of email@customerdomain.com. I traced this to an issue with .NET 3.5 SP1 and after removing it, it is now populating correctly.

My suspicion is this is related to SSL certificates and IIS...but I need some help at this point.
getexchcert.txt
MegaNuk3

Have you done a 'Test Outlook Autoconfiguration'? With Outlook open, hold down CTRL, right-click the Outlook icon in the System Tray and select 'Test Outlook Autoconfiguration', and then post the results of the test.

Internally I would create a DNS zone for customerdomain.com, as this is what Outlook is looking for. Then add your mail (A) record and SRV record in there to point to the internal IP address of your CAS.
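The split-DNS setup suggested above, as an added example that is not part of the thread: it creates an internal copy of the customerdomain.com zone on the SBS DNS server with dnscmd, adds the A and SRV records Outlook's Autodiscover lookup expects, and verifies them with nslookup (the only resolver tool available on the XP/Windows 7 clients of that era). The internal IP 192.168.16.2 and the use of "." for the local DNS server are placeholders/assumptions.

```powershell
# Added example: internal (split-brain) zone for customerdomain.com on the SBS DNS server.
# 192.168.16.2 is a placeholder for the internal IP of the SBS / CAS server.
$zone    = "customerdomain.com"
$casIp   = "192.168.16.2"
$casFqdn = "mail.$zone"

# Create the zone as AD-integrated primary ("." = the local DNS server).
# Use "/Primary /file $zone.dns" instead of /DsPrimary for a file-backed zone.
dnscmd . /ZoneAdd $zone /DsPrimary

# A record for the name the GoDaddy certificate was issued to, pointing INSIDE.
dnscmd . /RecordAdd $zone mail A $casIp

# SRV record that Outlook queries when there is no autodiscover.<domain> host:
#   node _autodiscover._tcp  priority 0  weight 0  port 443  target mail.customerdomain.com
# The trailing dot makes the target an absolute FQDN.
dnscmd . /RecordAdd $zone _autodiscover._tcp SRV 0 0 443 "$casFqdn."

# Verify from a domain-joined client (both answers must come from the internal server).
nslookup -type=A   $casFqdn
nslookup -type=SRV "_autodiscover._tcp.$zone"
```

One caveat worth checking before doing this: once customerdomain.com exists as an internal zone, the internal server is authoritative for the whole domain, so every public host the users rely on (www, ftp, any CNAMEs for hosted services) must be re-created in the internal zone or internal users will stop resolving it.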
mtheorygrp

ASKER

I changed the DNS Zone, and added the two records you suggest. Additionally, there is an SRV record in the intcustomerdomain.local that points to mail.customerdomain.com...is that ok?

I attached the results of the test autoconfiguration...all items blacked out read "customerdomain".
AutoConfiguration-2011-01-21-07-.JPG
Also, I just enabled logging in Outlook and I have attached the autodiscover log which represents the same info as the screenshot, just a bit easier to read and it makes sense why email auto setup is taking so long.
olkdisc.log
C:\Utilities\Err>err 0x80072f0c
# as an HRESULT: Severity: FAILURE (1), Facility: 0x7, Code 0x2f0c
# for hex 0x2f0c / decimal 12044 :
  ERROR_INTERNET_CLIENT_AUTH_CERT_NEEDED                        inetmsg.h
  ERROR_INTERNET_CLIENT_AUTH_CERT_NEEDED                        wininet.h
# 2 matches found for "0x80072f0c"

Got the Exchange error code diagnostic tool and it seems to indicate a certificate issue with mail.customerdomain.com, but from everything I can tell, it's working properly...at least for OWA and RWW. The certificate is a single-site cert from GoDaddy so I know it's not a UCC/SAN issue.
Have you installed the intermediate certs from GoDaddy too?
http://help.godaddy.com/article/869
ASKER CERTIFIED SOLUTION
MegaNuk3
It works now! Thanks MegaNuk3!

It turns out that the issue was the ignore client certificates option. I had it set to accept, and it immediately breaks it. I had installed the intermediates, but that was not the issue.
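How to check and correct the setting that turned out to be the cause, as an added example that is not from the thread or from the accepted answer. In IIS 7 the "Client certificates: Ignore / Accept / Require" option on a virtual directory is stored in the sslFlags of system.webServer/security/access: Accept adds SslNegotiateCert, Require adds SslRequireCert. With Accept set on the Autodiscover directory the server asks the client for a certificate during the TLS handshake, which is exactly the ERROR_INTERNET_CLIENT_AUTH_CERT_NEEDED (0x80072f0c) the err.exe output above decoded, and Test-OutlookWebServices then fails with the 401 shown earlier. The site name "Default Web Site" is an assumption; on a given SBS 2008 box the Autodiscover directory may hang off a differently named site, so confirm it with the first command.

```powershell
# Added example: inspect and reset the client-certificate setting on the Autodiscover
# virtual directory, then re-run the same test the thread used. Site name is a placeholder.
$appcmd = Join-Path $env:windir "system32\inetsrv\appcmd.exe"
$vdir   = "Default Web Site/Autodiscover"

# Show which sites/apps exist, so the placeholder above can be corrected if needed.
& $appcmd list app

# Current value. "SslNegotiateCert" in sslFlags = Accept, "SslRequireCert" = Require.
& $appcmd list config $vdir /section:system.webServer/security/access

# Set it back to "Ignore": keep SSL required, drop the negotiate/require client-cert flags.
& $appcmd set config $vdir /section:system.webServer/security/access /sslFlags:"Ssl" /commit:apphost

# Apply the change to the running worker process and re-test from the Exchange Management Shell.
iisreset /noforce
Test-OutlookWebServices -Identity mtheory@customerdomain.com | Format-Table Id, Type, Message -AutoSize

# While here, confirm the public cert really is the one bound to IIS and that its
# chain (GoDaddy intermediate) validates; RootCAType "ThirdParty" means the chain built.
Get-ExchangeCertificate | Where-Object { $_.Services -match "IIS" } |
    Format-List Subject, CertificateDomains, NotAfter, RootCAType, Thumbprint
```

Expected healthy output from Test-OutlookWebServices is a set of Information/Success rows for Autodiscover, EWS, OAB and Unified Messaging URLs with no 1013/1006 errors; if the 401 persists after the sslFlags change, the remaining suspects are the authentication methods on the Autodiscover directory and the certificate binding itself.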
Glad to hear it is sorted.

Feel free to award me some points when you have time ;-)
Ok, I guess we're not QUITE there yet...

When I choose ignore, all functions work for existing users, however any new outlook profiles prompt the user for a password upon initial setup. Entering the password once makes everything complete and one more entry once Outlook opens and you're good to go...until you open outlook again.

The problem is, Outlook is reverting the connection protocol to HTTPS which is why the users are being asked for their passwords, even when the device is domain joined.

Any idea on how to resolve this? I attached the Outlook Autodiscover log again for a new profile with the Autodiscover set to ignore certificates.

I will definitely award you points even if you don't resolve this particular issue.
olkdisc.log
Can you confirm you are running at least SP2 for Exchange 2007, if not SP3 on there?
How to install SP3 on SBS08
http://support.microsoft.com/kb/982423

Can you also confirm if the problem exists for both Outlook 2007 and Outlook 2010 clients or just Outlook 2007?

I am running SP3 with Update Rollup 2. After I changed Outlook Anywhere to use NTLM auth instead of Basic, Outlook 2007 set up with zero user input...but it is still using HTTPS, which per se is not a problem...but I'd like to understand why...

My hunch is that the internal URL is matching the external URL for certain settings and the client thinks it's external, but I set up every customer like this and this is the first time I've had the issue.

I have one user in the office with Outlook 2010 so I'll try it out.
So Outlook 2010 configures itself to use TCP/IP instead of HTTPS.

Ideas?
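A diagnostic pass over the settings discussed in the last few posts (the Outlook Anywhere authentication change and the hunch about internal URLs matching external ones), as an added example rather than anything posted in the thread. It lists every client-facing URL and the Outlook Anywhere authentication configuration on the CAS, flags directories whose internal and external URLs are identical so they can be reviewed, and shows the Basic-to-NTLM switch the asker describes. The single-CAS assumption (SBS has exactly one) and the "Rpc (Default Web Site)" identity are assumptions.

```powershell
# Added example: inventory client-facing URLs and Outlook Anywhere auth on an SBS 2008 / Exchange 2007 CAS.
$cas = (Get-ClientAccessServer | Select-Object -First 1).Name   # assumption: one CAS (SBS)

# Autodiscover SCP URL that domain-joined Outlook reads from AD before trying DNS.
Get-ClientAccessServer -Identity $cas |
    Format-List Name, AutoDiscoverServiceInternalUri, AutoDiscoverSiteScope

# Internal vs. external URLs for the services Autodiscover hands back to Outlook.
$vdirs = @(Get-WebServicesVirtualDirectory -Server $cas) + @(Get-OabVirtualDirectory -Server $cas)
foreach ($v in $vdirs) {
    $same = ($v.InternalUrl -ne $null) -and ($v.InternalUrl -eq $v.ExternalUrl)
    "{0,-45} Internal={1}  External={2}  SameUrl={3}" -f $v.Identity, $v.InternalUrl, $v.ExternalUrl, $same
}

# Outlook Anywhere: ClientAuthenticationMethod is what Autodiscover tells Outlook to use;
# Basic causes the credential prompt on new profiles, Ntlm lets domain-joined clients pass silently.
Get-OutlookAnywhere -Server $cas |
    Format-List Identity, ExternalHostname, ClientAuthenticationMethod, IISAuthenticationMethods, SSLOffloading

# The change described in the thread: move Outlook Anywhere from Basic to NTLM.
# Keeping Basic in the IIS methods allows non-domain clients to fall back to it.
Set-OutlookAnywhere -Identity "$cas\Rpc (Default Web Site)" `
    -ClientAuthenticationMethod Ntlm `
    -IISAuthenticationMethods Basic, Ntlm
```

Run the inventory part first and keep its output; after Set-OutlookAnywhere, Outlook picks up the new authentication method only after its next Autodiscover refresh, so a fresh profile or a restart of Outlook is needed before re-checking the connection status dialog.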
Install this on Outlook 2007 and see if it changes to TCP/IP http://support.microsoft.com/kb/2458611
Installed that KB and now Outlook 2007 is setting the connection type to TCP/IP, but the initial email address populated is not the default SMTP value. It's mtheory@intcustomerdomain.local instead of mtheory@customerdomain.com. I don't think this will impact anything, but I just checked another customer's environment and theirs populates the default SMTP.
Add a new primary UPN of @customerdomain.com to the AD domain and the accounts; then Outlook should pick that up as the SMTP address to resolve...

Can you confirm the user accounts have @customerdomain.com as their Primary SMTP address?
They all have @customerdomain.com as their primary SMTP address. See the attached list I exported from EMC.
primary.csv
Hmmm, test this:
1.) Create a new test account with a mailbox
2.) log onto a machine as this new test account and see if Outlook 2007 shows the correct SMTP address during autoconfig setup

During setup Outlook should query AD for the primary SMTP address associated with the logged-in account.
Thanks for the points. Did you get Outlook autoconfig to show the correct SMTP address in the end?
It was in fact working properly on all other machines, just the server I was testing on was misbehaving. It was planned for decommission anyway, so it's a non-issue for me.

Thanks for all your assistance.
No problem, glad it is all working now