Autodiscover issue with Outlook Anywhere?

Hello experts,

I have an issue where my users have in their sync folder of Outlook the following error:

14:29:58 Microsoft Exchange offline address book
14:29:58 Not downloading Offline address book files.  A server (URL) could not be located.
14:29:58 0X8004010F

I did some research and it pointed me to the autodiscover feature and that my SSL cert did not have the SAN feature in it with autodiscover. Sooo, I bought a new SAN cert with all the domain names that are required and added an A record to my external DNS pointing to autodiscover.doman.com and hoped it would resolve the issue.
Well, it still is not syncing as it should. When I run the Test Email Configuration tool in Outlook it shows under the log tab:

autodiscover to httpsL//domanname/autodiscover/autodiscover.xml FAILED (0x800C8203)
autodiscover to httpsL//autodiscover.domanname/autodiscover/autodiscover.xml succeeded (0x000000)

When I run the Exchange Remote Connectivity Analyzer tool it shows the following errors:

Attempting to test potential Autodiscover URL https://domainname.com/AutoDiscover/AutoDiscover.xml 
Testing of this potential Autodiscover URL failed.
Certificate trust is being validated.

The test passed with some warnings encountered. Please expand the additional details.
Additional Details
  ExRCA can only validate the certificate chain using the Root Certificate Update functionality from Windows Update. Your certificate may not be trusted on Windows if the "Update Root Certificates" feature isn't enabled
 
Testing TCP port 443 on host domainname.com to ensure it's listening and open.
  The specified port is either blocked, not listening, or not producing the expected response.
   Tell me more about this issue and how to resolve it
   Additional Details
  A network error occurred while communicating with the remote host.
Exception details:
Message: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 77.59.198.72:443
Type: System.Net.Sockets.SocketException
Stack trace:
at System.Net.Sockets.TcpClient.Connect(String hostname, Int32 port)
at Microsoft.Exchange.Tools.ExRca.Tests.TcpPortTest.PerformTestReally()
 
Now in the above error the IP address that is specified is not to my remote site or mail server. It is the IP address provided by my domain host.

Can anyone give me any insight on what I may be overlooking or missing??
sbodnarAsked:
 
sbodnarAuthor Commented:
Figured it out!!!

Turns out that the issue was a security setting on the OAB file in C:\Program Files\Microsoft\Exchange Server\ClientAccess. You need to give read permission to IIS_IUSRS under the security tab on the OAB folder, which will propagate to web.config. Also, go into IIS and scroll to Web Applications and down to the OAB folder. Once there, enable directory browsing and it will work.
0
 
MegaNuk3Commented:
Can you verify that URL?
httpsL//domanname/autodiscover/autodiscover.xml ?

You seem to have a "L" after https
0
 
MegaNuk3Commented:
Does OAB download work on internal clients or not?
0
 
MegaNuk3Commented:
Also autodiscover.doman.com should be pointing at the external IP address of your CAS server, can you confirm that if you ping it externally it resolves to the Internet IP address of your CAS?
0
 
sbodnarAuthor Commented:
MegaNuk3,

I had a typo when I typed out the URL with the L. So please disregard that mistake.

How can I check if OAB download works on internal clients??

It does point to an external IP address of the CAS server but now I notice that when I ping either the autodiscover.domainname.com or remote.domainname.com neither one will respond. They are both timing out?
0
 
MegaNuk3Commented:
Are you pinging them from inside the network?

In internal outlook try tools --> download address book
0
 
sbodnarAuthor Commented:
no, I jumped on a box that has a completely different outside IP address on it.

When logged in on a domain connected computer and going to tools ---> download address book, the Outlook send/receive progress bar pops up and sticks at processing. Bottom right hand corner it says "offline address book connecting to Microsoft Exchange" and the progress bar doesn't move.
0
 
MegaNuk3Commented:
Do get-OABVirtualDirectory | fl
Look at the internalURL, externalURL and authentication values.

An easy way to resolve the OAB download issue for internal clients is to untick the 'Require SSL' box on the OAB virtual directory and then change the internal URL mentioned above to http://. This is how Exchange is by default.
0
 
sbodnarAuthor Commented:
Using the OAB command you specified shows both internal and external addresses to be the same URL authentication method.

https://remote.domainname.com/OAB
0
 
MegaNuk3Commented:
Is remote.domain.com on your cert, and if you ping it internally does it resolve to the internal IP address of your CAS server?
0
 
sbodnarAuthor Commented:
Yes it is on my cert and it resolves to my CAS server's IP address when I ping it
0
 
MegaNuk3Commented:
Does it resolve to the INTERNAL IP address of your CAS?
0
 
sbodnarAuthor Commented:
Yes, my 192.168.xxx address
0
 
MegaNuk3Commented:
As per my earlier comment, change the internalURL to http://<internally resolvable name on cert>/owa and Untick the 'Require SSL' on the OAB VD. External clients will still connect over HTTPS as per the ExternalURL

Once the above works and your internal clients can download the OAB you can change it back to HTTPs again and see if it continues to work
0
 
MegaNuk3Commented:
Owa should be OAB in the above comment
0
 
sbodnarAuthor Commented:
Where do I make the change that you specified in this statement?

"change the internalURL to http://<internally resolvable name on cert>/owa and Untick the 'Require SSL' on the OAB VD"
0
 
MegaNuk3Commented:
IIS for the OAB VD 'Require SSL' setting

EMS:
Get-OABVirtualDirectory | set-OABVirtualDirectory -internalURL "http://<internal CAS FQDN>/OAB"
0
 
MegaNuk3Commented:
Thanks for your solution.
Did you try mine out? I have found mine to work too in these situations and then when you put ssl back on it normally continues to work...
0
 
MegaNuk3Commented:
Directory browsing is disabled in the systems I am looking at for the OAB VD and subfolders... And we have no issues downloading the OAB with these settings.
0
 
sbodnarAuthor Commented:
I did attempt your solution and it still would not resolve so I dug deeper and found the issue.

The main resolution was giving IIS_IUSRS read privileges to the OAB folder.
0
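
The checks discussed in this thread (IIS_IUSRS read access on the OAB folder, the OAB virtual directory URLs and 'Require SSL', and directory browsing) can be gathered in one read-only audit; this is an added example, not code posted by either participant. The folder path (ClientAccess plus an OAB subfolder) and the IIS site name are assumptions, and it is meant to run on the CAS in the Exchange Management Shell with the WebAdministration module available.

```powershell
# Added example: read-only audit of the OAB folder ACL and OAB virtual directory.
# Assumed values (adjust to the server): folder path and IIS application path.
Import-Module WebAdministration

$OabPath = 'C:\Program Files\Microsoft\Exchange Server\ClientAccess\OAB'  # assumed
$IisPath = 'IIS:\Sites\Default Web Site\OAB'                               # assumed

function Test-ReadAce {
    # True when $Identity has an Allow ACE covering Read and no Deny ACE touching Read.
    # Only ACEs naming the group itself are evaluated, not access via other groups.
    param([string]$Path, [string]$Identity)
    $read  = [System.Security.AccessControl.FileSystemRights]::Read
    $rules = @((Get-Acl -LiteralPath $Path).Access |
        Where-Object { $_.IdentityReference.Value -like "*\$Identity" })
    $allow = @($rules | Where-Object {
        $_.AccessControlType -eq 'Allow' -and (($_.FileSystemRights -band $read) -eq $read) })
    $deny  = @($rules | Where-Object {
        $_.AccessControlType -eq 'Deny' -and ([int]($_.FileSystemRights -band $read) -ne 0) })
    return (($allow.Count -gt 0) -and ($deny.Count -eq 0))
}

# Folder and web.config are checked separately in case inheritance is broken.
$targets = @($OabPath, (Join-Path $OabPath 'web.config')) | Where-Object { Test-Path $_ }
$aclReport = foreach ($t in $targets) {
    [pscustomobject]@{ Path = $t; IisIusrsRead = Test-ReadAce -Path $t -Identity 'IIS_IUSRS' }
}

# Effective directory browsing setting for the OAB application.
$browse = (Get-WebConfigurationProperty -PSPath $IisPath `
    -Filter 'system.webServer/directoryBrowse' -Name enabled).Value

# URL scheme versus 'Require SSL' on each OAB virtual directory.
$vdirReport = Get-OabVirtualDirectory | ForEach-Object {
    [pscustomobject]@{
        Server          = $_.Server
        InternalUrl     = $_.InternalUrl
        ExternalUrl     = $_.ExternalUrl
        RequireSSL      = $_.RequireSSL
        InternalIsHttps = ($_.InternalUrl.Scheme -eq 'https')
        SchemeMismatch  = (($_.InternalUrl.Scheme -eq 'https') -ne [bool]$_.RequireSSL)
    }
}

$aclReport  | Format-Table -AutoSize
"Directory browsing enabled on OAB: $browse"
$vdirReport | Format-List
```

The script changes nothing; it only reports the current state so the permission, SSL and directory browsing settings can be compared before and after a fix.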
 
MegaNuk3Commented:
Ok, thanks.

Feel free to close this question.
0
 
sbodnarAuthor Commented:
resolved the issue
0