Solved

Exchange 2007 autodiscover not working inside network

Posted on 2011-03-08
Last Modified: 2012-05-11
The Problem: autodiscover not properly working on internal domain with non-domain laptop and Outlook. User keeps getting prompted for password inside Outlook and password not taking causing account to get locked out (due to lock out policies).

The Setup: 2 Windows 2003 servers. 1 server is the root domain controller and file server, the other server is Exchange 2007 with all the latest updates. Domain joined workstations in the office using Outlook are fine. Problems with NON domain laptops using autodiscover both inside and outside of the office.

I spent 10 hours on this last night and finally got autodiscover working properly outside of the office. When this user brings his non domain laptop into the office and uses Outlook, it fails again, prompts the user for the password, password does not work and locks out the user account. The corporate policy only allows 3 invalid login attempts before lockout with forced manual reset.

In Outlook sometimes there are multiple password prompts, 1 prompt for mail.domainname.com, and an additional password prompt for autodiscover.domainname.com. Sometimes even a prompt for server.domain.local. The client can connect to the first prompt with his password and use email. However shortly thereafter autodiscover.domainname.com password prompt pops up > password doesn’t work > user is locked out of account.

We have a trusted UCC SSL certificate installed for:
NetbiosServerName
server.domain.local
mail.domainname.com
autodiscover.domainname.com
autodiscover.domainname.local

Host A record for autodiscover.domainname.com is configured in external DNS to point to WAN IP and forward internally.
Host A and PTR record configured with internal DNS for autodiscover.domainname.com > LAN IP of Exchange mail server.

I am only having the lockout (password prompt) problem with 1 user specifically. I was having this problem for this user externally until I resolved the problem this morning. Now it only seemed to be a problem when the user is working in Outlook 2007 on the internal network with a NON joined domain laptop.

Commands Output:

Get-ClientAccessServer
Name
----
EXCHANGE

Get-outlookprovider
Name                Server              CertPrincipalName           TTL
----                ------              -----------------           ---
EXCH                exchange                                        1
EXPR                                    msstd:mail.domainname.com   1
WEB                                                                 1

Test-OutlookWebServices | fl   (Notice the errors)
Id      : 1003
Type    : Information
Message : About to test AutoDiscover with the e-mail address Administrator@domainname.com.
Id      : 1007
Type    : Information
Message : Testing server server.domain.local with the published name https://server.domain.local/EWS/Exchange.asmx & https://mail.domainname.com/EWS/Exchange.asmx.
Id      : 1019
Type    : Information
Message : Found a valid AutoDiscover service connection point. The AutoDiscoverURL on this object is https://server.domain.local/Autodiscover/Autodiscover.xml.
Id      : 1006
Type    : Information
Message : The Autodiscover service was contacted at https://server.domain.local/Autodiscover/Autodiscover.xml.
Id      : 1016
Type    : Success
Message : [EXCH]-Successfully contacted the AS service at https://server.domain.local/EWS/Exchange.asmx. The elapsed time was 31 milliseconds.
Id      : 1015
Type    : Success
Message : [EXCH]-Successfully contacted the OAB service at https://server.domain.local/EWS/Exchange.asmx. The elapsed time was 0 milliseconds.
Id      : 1014
Type    : Success
Message : [EXCH]-Successfully contacted the UM service at https://server.domain.local/UnifiedMessaging/Service.asmx. The elapsed time was 31 milliseconds.
Id      : 1013
Type    : Error
Message : When contacting https://mail.domainname.com/EWS/Exchange.asmx received the error The request failed with HTTP status 401: Unauthorized.
Id      : 1016
Type    : Error
Message : [EXPR]-Error when contacting the AS service at https://mail.domainname.com/EWS/Exchange.asmx. The elapsed time was 31 milliseconds.
Id      : 1015
Type    : Success
Message : [EXPR]-Successfully contacted the OAB service at https://mail.domainname.com/EWS/Exchange.asmx. The elapsed time was 0 milliseconds.
Id      : 1014
Type    : Success
Message : [EXPR]-Successfully contacted the UM service at https://mail.domainname.com/UnifiedMessaging/Service.asmx. The elapsed time was 31 milliseconds.
Id      : 1017
Type    : Success
Message : [EXPR]-Successfully contacted the RPC/HTTP service at https://mail.domainname.com/Rpc. The elapsed time was 0 milliseconds.
Id      : 1006
Type    : Success
Message : The Autodiscover service was tested successfully.
Id      : 1021
Type    : Information
Message : The following web services generated errors.
 As in EXPR
Please use the prior output to diagnose and correct the errors.

get-autodiscovervirtualdirectory |fl
Name                          : Autodiscover (Default Web Site)
InternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated}
ExternalAuthenticationMethods : {Basic, Ntlm, WindowsIntegrated}
BasicAuthentication           : True
DigestAuthentication          : False
WindowsAuthentication         : True
MetabasePath                  : IIS://server.domain.local/W3SVC/1/ROOT/Autodiscover
Path                          : D:\ProgramFiles\Exchsrvr\ClientAccess\Autodiscover
Server                        : EXCHANGE
InternalUrl                   :
ExternalUrl                   :
AdminDisplayName              :
ExchangeVersion               : 0.1 (8.0.535.0)
DistinguishedName             : CN=Autodiscover (Default Web Site),CN=HTTP,CN=Protocols,CN=EXCHANGE,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=name NE,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=local
Identity                      : EXCHANGE\Autodiscover (Default Web Site)
Guid                          : 7a7fe343-490e-453d-9883-c5b24c7a417a
ObjectCategory                : domain.local/Configuration/Schema/ms-Exch-Auto-Discover-Virtual-Directory
ObjectClass                   : {top, msExchVirtualDirectory, msExchAutoDiscoverVirtualDirectory}
WhenChanged                   : 2/29/2008 4:23:53 PM
WhenCreated                   : 2/29/2008 4:223:47 PM
OriginatingServer             : server.domain.local
IsValid                       : True

0
Question by:craignh
10 Comments
 

Author Comment

by:craignh
ID: 35075384
Test-OutlookWebServices -Identity:username@domainname.com | fl

Id      : 1003
Type    : Information
Message : About to test AutoDiscover with the e-mail address username@domainname.com.
Id      : 1006
Type    : Information
Message : The Autodiscover service was contacted at https://server.domain.local/Autodiscover/Autodiscover.xml.
Id      : 1016
Type    : Success
Message : [EXCH]-Successfully contacted the AS service at https://server.domain.local/EWS/Exchange.asmx. The elapsed time was 78 milliseconds.
Id      : 1015
Type    : Success
Message : [EXCH]-Successfully contacted the OAB service at https://server.domain.local/EWS/Exchange.asmx. The elapsed time was 0 milliseconds.
Id      : 1014
Type    : Success
Message : [EXCH]-Successfully contacted the UM service at https://server.domain.local/UnifiedMessaging/Service.asmx. The elapsed time was 62 milliseconds.
Id      : 1013
Type    : Error
Message : When contacting https://mail.domainname.com/EWS/Exchange.asmx received the error The request failed with HTTP status 401: Unauthorized.
Id      : 1016
Type    : Error
Message : [EXPR]-Error when contacting the AS service at https://mail.domainname.com/EWS/Exchange.asmx. The elapsed time was 31 milliseconds.
Id      : 1015
Type    : Success
Message : [EXPR]-Successfully contacted the OAB service at https://mail.domainname.com/EWS/Exchange.asmx. The elapsed time was 0 milliseconds.
Id      : 1014
Type    : Success
Message : [EXPR]-Successfully contacted the UM service at https://mail.domainname.com/UnifiedMessaging/Service.asmx. The elapsed time was 15 milliseconds.
Id      : 1017
Type    : Success
Message : [EXPR]-Successfully contacted the RPC/HTTP service at https://mail.domainname.com/Rpc. The elapsed time was 15 milliseconds.
Id      : 1006
Type    : Success
Message : The Autodiscover service was tested successfully.
Id      : 1021
Type    : Information
Message : The following web services generated errors.
              As in EXPR  
Please use the prior output to diagnose and correct the errors.
0
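Pasted `Test-OutlookWebServices | fl` output like the two listings above is hard to scan for the one failing endpoint. As an added example (not part of the original thread), this Python sketch parses such pasted output and reports which provider, service and URL returned errors. The sample is constructed from the output quoted in this thread, with a fused Type/Message line and a mid-word console wrap of the kind pasted output often has, and the function names are hypothetical.

```python
import re

# Constructed sample, trimmed from the output quoted in this thread. It carries two
# common paste defects: a fused Type/Message line and a mid-word console wrap.
SAMPLE = """\
Id      : 1003
Type    : Information Message : About to test AutoDiscover with the e-mail address username@domainname.com.
Id      : 1016
Type    : Success
Message : [EXCH]-Successfully contacted the AS service at https://server.domain.local/EWS/Exchange.asmx. The elapsed time was 78 milliseconds.
Id      : 1013
Type    : Error
Message : When contacting https://mail.domainname.com/EWS/Exchange.asmx r
          eceived the error The request failed with HTTP status 401: Unauthorized.
Id      : 1016
Type    : Error
Message : [EXPR]-Error when contacting the AS service at https://mail.domainname.com/EWS/Exchange.asmx. The elapsed time was 31 milliseconds.
"""

FIELD = re.compile(r"^(Id|Type|Message)\s*:\s?(.*)$")

def parse_records(text):
    """Turn pasted `| fl` output into a list of Id/Type/Message dicts."""
    records, key = [], None
    for line in text.splitlines():
        m = FIELD.match(line)
        if m and (m.group(1) == "Id" or records):
            key, value = m.group(1), m.group(2).strip()
            if key == "Id":
                records.append({"Id": int(value), "Type": "", "Message": ""})
            elif key == "Type" and " Message : " in value:  # fused line
                records[-1]["Type"], records[-1]["Message"] = value.split(" Message : ", 1)
                key = "Message"
            else:
                records[-1][key] = value
        elif records and key in ("Type", "Message") and line[:1].isspace():
            records[-1][key] += line.strip()  # undo console wrap; no space added
    return records

def failures(records):
    """Return ({provider: [(service, url)]}, [(url, http_status)]) for Error records."""
    by_provider, statuses = {}, []
    for msg in (r["Message"] for r in records if r["Type"] == "Error"):
        svc = re.match(r"\[(\w+)\]-Error when contacting the (.+?) service at (\S+)\. ", msg)
        if svc:
            by_provider.setdefault(svc.group(1), []).append(svc.group(2, 3))
        http = re.search(r"contacting (\S+) received the error .*HTTP status (\d{3})", msg)
        if http:
            statuses.append((http.group(1), int(http.group(2))))
    return by_provider, statuses
```

Calling `failures(parse_records(SAMPLE))` isolates the EXPR Availability Service URL and its HTTP 401, while the EXCH checks against the internal name do not appear because they succeeded.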
 
LVL 12

Expert Comment

by:Nenadic
ID: 35075437
Your certificate appears to have server.domain.local as the principal name, whereas it should be mail.domain.com based on the MSSTD.

What happens when you change MSSTD to server.domain.local for the struggling laptop?  Bear in mind that you may need to configure resolution since it's not in AD.
0
 

Author Comment

by:craignh
ID: 35075502
IN OUTLOOK:

If clicking ctrl and rclick Outlook on client and selecting "test email autoconfiguration" it works outside of network. (after many hours of research and tweaks trying to get it to work)

When doing this inside the network I get the following errors

Some errors may be expected? https://domainname.com points to our WWW website hosted externally in a different location. Plus it also tries to redirect to http:// instead of https:// ?

Autodiscover to https://domainname.com/autodiscover/autodiscover.xml FAILED (0x800C8203)
Autodiscover to https://autodiscover.domainname.com/autodiscover/autodiscover.xml FAILED (0x800040113)
local autodiscover for domainname.com FAILED (0x8004010F)
Redirect Check to http://autodiscover.domainname.com/autodiscover/autodiscover.xml FAILED (0x80004005)
Srv Record lookup for domainname.com FAILED (0x8004010F)
0
 

Author Comment

by:craignh
ID: 35075623
Nenadic, the user is out of the office until tomorrow morning so I will have to wait until then to try it. It works fine externally. This user works 80% out of the office and 20% in the office.

I have never had to put the local qualified domain name for the MSSTD before.
The current SSL setting is MSSTD:mail.domainname.com

In RPC over HTTP settings, if I select both check boxes for use http first on fast and slow network, it seems to stop the double prompt for the password. However if I try to test outlook autoconfiguration it still fails. While this may be a temporary fix, the problem still remains of why Autodiscover fails internally.
0
 
LVL 7

Expert Comment

by:OctInv
ID: 35075908
Is Exchange all on one box, or are the roles on different boxes? I am a little confused as to why your Outlook client is looking at your WWW website, rather than the CAS server, and suspect it may be a DNS error internally.
0
 

Author Comment

by:craignh
ID: 35076187
All roles on 1 Exchange box. Some of the users primarily work out in the field (spread across several states) and are rarely in the office. Upon originally installing and configuring this system (for a division of a small BANK), corporate would not approve any VPNs.

The user in question is rarely in the office (sales manager). He is setup to use Outlook with RPC over HTTP.

We have a www.domainname.com website setup that is hosted by a 3rd party. The host A record for the website (www.domainname.com) points to our web hosting service. We also have 2 additional DNS Host A records configured, mail.domainname.com and autodiscover.domainname.com. They both point to a public IP we own on our firewall and forward to our internal Exchange server. We also use OWA by going to https://mail.domainname.com.

It is my understanding that autodiscover automatically checks companyname.com (based on the e-mail address) and then goes to autodiscover.domainname.com afterwards? Correct me if I am wrong. Most small businesses host their website on www.domainname.com and their own mail server on mail.domainname.com internally.
0
 
LVL 7

Expert Comment

by:OctInv
ID: 35076393
If this user logs onto a laptop that is joined to the domain, what is the result (assuming the domain laptop is also using RPC/HTTPS)?
0
 
LVL 7

Expert Comment

by:OctInv
ID: 35076434
"Autodiscover to https://domainname.com/autodiscover/autodiscover.xml FAILED (0x800C8203)" looks wrong, as though the client is trying to contact the 3rd party web server.

Are you able to browse in IE to your autodiscover XML file, in the autodiscover virtual directory?
0
 

Accepted Solution

by:
craignh earned 0 total points
ID: 35111109
OctInv, it’s my understanding that the autodiscover service always checks the domainname.com portion of the user's e-mail address first (user@domainname.com) prior to checking autodiscover.domainname.com. This is normal and expected behavior.

I finally got it to work but I am not sure exactly which step solved the problem. I went through the entire autodiscover configuration from the beginning (over and over).

I think part of the fix had something to do with the internal and external autodiscover URLs.
Also I was getting an RPC error on one of the commands and ended up giving the RPC virtual directory read permissions in IIS.
0
 

Author Closing Comment

by:craignh
ID: 35145547
Figured the problem out myself.
0
