PascalLavallee
Exchange 2003/2010 coexistence: Outlook Anywhere fails when using Autodiscover to detect settings
Hi,
We are running an Exchange 2003/2010 environment with one back-end EX2003 and one CAS/HUB/MBX 2010 server. None of the 2003 mailboxes have been migrated. I created a mailbox on EX2010 and tried running the ExRCA Outlook Anywhere (RPC over HTTP) for the EX2010 mailbox user. If I choose "Use Autodiscover to detect settings", the test fails with the following error:
Testing NSPI "Check Name" for user user@domain.com against server SERVER.domain.internal.
An error occurred while attempting to resolve the name.
Additional Details
The name could not be matched to a name in the address list.
Do you have any suggestions?
PL
Can you post the error messages from ExRCA?
Have you created an autodiscover.domainname.com in your external DNS? Does the same name appear in your SAN/UCC certificate? Have you got a 3rd party SAN/UCC certificate?
If the answer to any of the above is no then autodiscover will not work.
ASKER
Please find below:
Testing RPC/HTTP connectivity.
The RPC/HTTP test failed.
Test Steps
ExRCA is attempting to test Autodiscover for user@domain.com.
Autodiscover was tested successfully.
Test Steps
Attempting each method of contacting the Autodiscover service.
The Autodiscover service was tested successfully.
Test Steps
Attempting to test potential Autodiscover URL https://domain.com/AutoDiscover/AutoDiscover.xml
Testing of this potential Autodiscover URL failed.
Test Steps
Attempting to resolve the host name domain.com in DNS.
The host name resolved successfully.
Additional Details
IP addresses returned: x.x.x.x
Testing TCP port 443 on host domain.com to ensure it's listening and open.
The port was opened successfully.
Testing the SSL certificate to make sure it's valid.
The SSL certificate failed one or more certificate validation checks.
Test Steps
Validating the certificate name.
Certificate name validation failed.
Tell me more about this issue and how to resolve it
Additional Details
Host name domain.com doesn't match any name found on the server certificate CN=mail.domain.com, OU=Domain Control Validated, O=mail.domain.com.
Attempting to test potential Autodiscover URL https://autodiscover.domain.com/AutoDiscover/AutoDiscover.xml
Testing of the Autodiscover URL was successful.
Test Steps
Attempting to resolve the host name autodiscover.domain.com in DNS.
The host name resolved successfully.
Additional Details
IP addresses returned: x.x.x.x
Testing TCP port 443 on host autodiscover.domain.com to ensure it's listening and open.
The port was opened successfully.
Testing the SSL certificate to make sure it's valid.
The certificate passed all validation requirements.
Test Steps
Validating the certificate name.
The certificate name was validated successfully.
Additional Details
Host name autodiscover.domain.com was found in the Certificate Subject Alternative Name entry.
Certificate trust is being validated.
The test passed with some warnings encountered. Please expand the additional details.
Additional Details
ExRCA can only validate the certificate chain using the Root Certificate Update functionality from Windows Update. Your certificate may not be trusted on Windows if the "Update Root Certificates" feature isn't enabled.
Testing the certificate date to confirm the certificate is valid.
Date validation passed. The certificate hasn't expired.
Additional Details
The certificate is valid. NotBefore = 3/19/2011 8:44:10 AM, NotAfter = 3/19/2012 7:33:44 AM
Checking the IIS configuration for client certificate authentication.
Client certificate authentication wasn't detected.
Additional Details
Accept/Require Client Certificates isn't configured.
Attempting to send an Autodiscover POST request to potential Autodiscover URLs.
ExRCA successfully retrieved Autodiscover settings by sending an Autodiscover POST.
Test Steps
ExRCA is attempting to retrieve an XML Autodiscover response from URL https://autodiscover.domain.com/AutoDiscover/AutoDiscover.xml for user user@domain.com.
The Autodiscover XML response was successfully retrieved.
Additional Details
Autodiscover Account Settings
XML response:
<?xml version="1.0"?>
<Autodiscover xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
<Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
<User>
<DisplayName>First LastName</DisplayName>
<LegacyDN>/o=Company/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=First LastName</LegacyDN>
<DeploymentId>b558273b-a44b-492d-b666-45d82e230220</DeploymentId>
</User>
<Account>
<AccountType>email</AccountType>
<Action>settings</Action>
<Protocol>
<Type>EXCH</Type>
<Server>SERVER.domain.internal</Server>
<ServerDN>/o=Company/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=SERVER</ServerDN>
<ServerVersion>738180DA</ServerVersion>
<MdbDN>/o=Company/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=SERVER/cn=Microsoft Private MDB</MdbDN>
<ASUrl>https://SERVER.domain.internal/EWS/Exchange.asmx</ASUrl>
<OOFUrl>https://SERVER.domain.internal/EWS/Exchange.asmx</OOFUrl>
<OABUrl>Public Folder</OABUrl>
<UMUrl>https://SERVER.domain.internal/EWS/UM2007Legacy.asmx</UMUrl>
<Port>0</Port>
<DirectoryPort>0</DirectoryPort>
<ReferralPort>0</ReferralPort>
<PublicFolderServer>SERVER.domain.internal</PublicFolderServer>
<AD>SERVER.domain.internal</AD>
<EwsUrl>https://SERVER.domain.internal/EWS/Exchange.asmx</EwsUrl>
<EcpUrl>https://SERVER.domain.internal/ecp/</EcpUrl>
<EcpUrl-um>?p=customize/voicemail.aspx&amp;exsvurl=1</EcpUrl-um>
<EcpUrl-aggr>?p=personalsettings/EmailSubscriptions.slab&amp;exsvurl=1</EcpUrl-aggr>
<EcpUrl-mt>PersonalSettings/DeliveryReport.aspx?exsvurl=1&amp;IsOWA=&lt;IsOWA&gt;&amp;MsgID=&lt;MsgID&gt;&amp;Mbx=&lt;Mbx&gt;</EcpUrl-mt>
<EcpUrl-ret>?p=organize/retentionpolicytags.slab&amp;exsvurl=1</EcpUrl-ret>
<EcpUrl-sms>?p=sms/textmessaging.slab&amp;exsvurl=1</EcpUrl-sms>
</Protocol>
<Protocol>
<Type>EXPR</Type>
<Server>mail.domain.com</Server>
<ASUrl>https://mail.domain.com/ews/exchange.asmx</ASUrl>
<OOFUrl>https://mail.domain.com/ews/exchange.asmx</OOFUrl>
<OABUrl>Public Folder</OABUrl>
<UMUrl>https://mail.domain.com/ews/UM2007Legacy.asmx</UMUrl>
<Port>0</Port>
<DirectoryPort>0</DirectoryPort>
<ReferralPort>0</ReferralPort>
<SSL>On</SSL>
<AuthPackage>Basic</AuthPackage>
<EwsUrl>https://mail.domain.com/ews/exchange.asmx</EwsUrl>
<EcpUrl>https://mail.domain.com/ECP/</EcpUrl>
<EcpUrl-um>?p=customize/voicemail.aspx&amp;exsvurl=1</EcpUrl-um>
<EcpUrl-aggr>?p=personalsettings/EmailSubscriptions.slab&amp;exsvurl=1</EcpUrl-aggr>
<EcpUrl-mt>PersonalSettings/DeliveryReport.aspx?exsvurl=1&amp;IsOWA=&lt;IsOWA&gt;&amp;MsgID=&lt;MsgID&gt;&amp;Mbx=&lt;Mbx&gt;</EcpUrl-mt>
<EcpUrl-ret>?p=organize/retentionpolicytags.slab&amp;exsvurl=1</EcpUrl-ret>
<EcpUrl-sms>?p=sms/textmessaging.slab&amp;exsvurl=1</EcpUrl-sms>
</Protocol>
<Protocol>
<Type>WEB</Type>
<Port>0</Port>
<DirectoryPort>0</DirectoryPort>
<ReferralPort>0</ReferralPort>
<Internal>
<OWAUrl AuthenticationMethod="Basic, Fba">https://SERVER.domain.internal/owa/</OWAUrl>
<Protocol>
<Type>EXCH</Type>
<ASUrl>https://SERVER.domain.internal/EWS/Exchange.asmx</ASUrl>
</Protocol>
</Internal>
<External>
<OWAUrl AuthenticationMethod="Fba">https://mail.domain.com/owa/</OWAUrl>
<Protocol>
<Type>EXPR</Type>
<ASUrl>https://mail.domain.com/ews/exchange.asmx</ASUrl>
</Protocol>
</External>
</Protocol>
</Account>
</Response>
</Autodiscover>
Autodiscover settings for Outlook Anywhere are being validated.
ExRCA validated the Outlook Anywhere Autodiscover settings.
Attempting to resolve the host name mail.domain.com in DNS.
The host name resolved successfully.
Additional Details
IP addresses returned: x.x.x.x
Testing TCP port 443 on host mail.domain.com to ensure it's listening and open.
The port was opened successfully.
Testing the SSL certificate to make sure it's valid.
The certificate passed all validation requirements.
Test Steps
Validating the certificate name.
The certificate name was validated successfully.
Additional Details
Host name mail.domain.com was found in the Certificate Subject Common name.
Certificate trust is being validated.
The test passed with some warnings encountered. Please expand the additional details.
Additional Details
ExRCA can only validate the certificate chain using the Root Certificate Update functionality from Windows Update. Your certificate may not be trusted on Windows if the "Update Root Certificates" feature isn't enabled.
Testing the certificate date to confirm the certificate is valid.
Date validation passed. The certificate hasn't expired.
Additional Details
The certificate is valid. NotBefore = 3/19/2011 8:44:10 AM, NotAfter = 3/19/2012 7:33:44 AM
Checking the IIS configuration for client certificate authentication.
Client certificate authentication wasn't detected.
Additional Details
Accept/Require Client Certificates isn't configured.
Testing HTTP Authentication Methods for URL https://mail.domain.com/rpc/rpcproxy.dll.
The HTTP authentication methods are correct.
Additional Details
ExRCA found all expected authentication methods and no disallowed methods. Methods found: Basic
Testing SSL mutual authentication with the RPC proxy server.
Mutual authentication was verified successfully.
Additional Details
Certificate common name mail.domain.com matches msstd:mail.domain.com.
Attempting to ping RPC proxy mail.domain.com.
RPC Proxy was pinged successfully.
Additional Details
Completed with HTTP status 200 - OK
Attempting to ping RPC endpoint 6001 (Exchange Information Store) on server SERVER.domain.internal.
The endpoint was pinged successfully.
Additional Details
RPC Status Ok (0) returned in 256 ms.
Testing the Name Service Provider Interface (NSPI) on the Exchange Mailbox server.
An error occurred while testing the NSPI RPC endpoint.
Test Steps
Attempting to ping RPC endpoint 6004 (NSPI Proxy Interface) on server SERVER.domain.internal.
The endpoint was pinged successfully.
Additional Details
RPC Status Ok (0) returned in 78 ms.
Testing NSPI "Check Name" for user user@domain.com against server SERVER.domain.internal.
An error occurred while attempting to resolve the name.
Tell me more about this issue and how to resolve it
Additional Details
The name could not be matched to a name in the address list.
ASKER
demazter:
autodiscover.domain.com is an A record in our external DNS
autodiscover.domain.com appears in our UCC certificate
We got the certificate from a 3rd party (GoDaddy)
According to this you don't have the correct names in your certificate:
Host name domain.com doesn't match any name found on the server certificate CN=mail.domain.com, OU=Domain Control Validated, O=mail.domain.com.
ASKER
demazter:
I understand that https://domain.com/AutoDiscover/AutoDiscover.xml is the first URL contacted but domain.com points to the website server. We don't host the server. I don't recall seeing in Microsoft documents the need to include the root domain in the certificate, only the internal and external names of the Exchange servers. Just confirming here before I contact the certificate issuer and re-issue the certificate.
The names you need are at an absolute minimum:
SERVERNAME.domain.local (the internal fully qualified domain name)
OWA.domain.com (the OWA URL)
Autodiscover.domainname.com (where domainname.com is the part after the @ in the email address)
ASKER
I have the following names attached to the certificate
legacy.domain.com
legacy.domain.local
mail.domain.com
server1.domain.internal
server2.domain.internal
autodiscover.domain.com
autodiscover.domain.internal
server1
server2
The last error of the test shows Testing NSPI "Check Name" for user user@domain.com. The name could not be matched to a name in the address list.
Any thoughts on this error?
Thank you.
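The certificate-name question discussed above, worked through as an added example (not code from the thread or from ExRCA): it checks each Autodiscover host against the names the asker lists on the certificate, then checks the Outlook Anywhere (EXPR) server returned in the Autodiscover response. The function names are hypothetical, the XML is a constructed sample trimmed from the posted response, and the wildcard handling goes beyond this certificate, which has no wildcard names.

```python
import xml.etree.ElementTree as ET

# Outlook response namespace, as declared in the Autodiscover XML posted above.
NS = {"a": "http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a"}

# Names the asker lists on the UCC certificate (copied from the thread).
CERT_NAMES = [
    "legacy.domain.com", "legacy.domain.local", "mail.domain.com",
    "server1.domain.internal", "server2.domain.internal",
    "autodiscover.domain.com", "autodiscover.domain.internal",
    "server1", "server2",
]

# Constructed sample: the posted response trimmed to the fields used here.
SAMPLE_RESPONSE = """<?xml version="1.0"?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
<Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a">
<Account>
<Protocol><Type>EXCH</Type><Server>SERVER.domain.internal</Server></Protocol>
<Protocol><Type>EXPR</Type><Server>mail.domain.com</Server>
<SSL>On</SSL><AuthPackage>Basic</AuthPackage></Protocol>
</Account>
</Response>
</Autodiscover>"""


def name_matches(host, pattern):
    """Compare a host name with one certificate name, case-insensitively.
    '*' counts only as the whole left-most label of a 3+ label name."""
    h = host.lower().rstrip(".").split(".")
    p = pattern.lower().rstrip(".").split(".")
    if len(h) != len(p):
        return False
    if p[0] == "*" and len(p) > 2:
        return h[1:] == p[1:]
    return h == p


def host_on_cert(host, cert_names):
    return any(name_matches(host, n) for n in cert_names)


def autodiscover_hosts(email):
    """Hosts probed for the SMTP domain, in the order shown in the ExRCA log."""
    domain = email.rsplit("@", 1)[1]
    return [domain, "autodiscover." + domain]


def check_candidates(email, cert_names):
    """Return (host, name_ok) per candidate; one passing host is enough."""
    return [(h, host_on_cert(h, cert_names)) for h in autodiscover_hosts(email)]


def expr_settings(xml_text):
    """Pull the Outlook Anywhere (EXPR) block out of an Autodiscover response."""
    root = ET.fromstring(xml_text)
    for proto in root.iterfind(".//a:Account/a:Protocol", NS):
        if proto.findtext("a:Type", namespaces=NS) == "EXPR":
            return {k: proto.findtext("a:" + k, namespaces=NS)
                    for k in ("Server", "SSL", "AuthPackage")}
    return None


if __name__ == "__main__":
    for host, ok in check_candidates("user@domain.com", CERT_NAMES):
        print(f"{host:28} {'name on certificate' if ok else 'NAME MISMATCH'}")
    expr = expr_settings(SAMPLE_RESPONSE)
    print(expr["Server"], "on certificate:", host_on_cert(expr["Server"], CERT_NAMES))
```

The root-domain probe fails the name check and the autodiscover host passes, which matches the ExRCA output posted above, where Autodiscover as a whole was still reported as successful.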
ASKER
I graded B because the comment was partially accurate. The user existed in Exchange but because it was hidden from the address lists, it was not visible to the connection process.