• Status: Solved

Autodiscover Externally 403 Forbidden Error

Hi,

Trying to get OLA working externally with Exchange 2010.
Correct autodiscover.ourdomain.com Name registered in SAN Certificate.
External DNS Name setup correctly and nslookup working externally
ExternalURL set through PowerShell.

The https://autodiscover.ourdomain.com/AutoDiscover/AutoDiscover.xml is resolving to the xml file internally without issue.

Externally, I get a "403: Forbidden. Access is denied." error when I try the URL above.

Authentication on the Autodiscover Website is Basic and Windows Enabled, all else disabled. (tried it with Anonymous enabled also.)

testexchangeconnectivity.com tests failing with the below:


 Attempting to send an Autodiscover POST request to potential Autodiscover URLs.
  Autodiscover settings weren't obtained when the Autodiscover POST request was sent.
   Test Steps
   ExRCA is attempting to retrieve an XML Autodiscover response from URL https://autodiscover.ourdomain.com/AutoDiscover/AutoDiscover.xml for user smtp@ourdomain.com.
  ExRCA failed to obtain an Autodiscover XML response.
   Additional Details
  An HTTP 403 forbidden response was received. The response appears to have come from Unknown. Body of the response: You do not have permission to view this directory or page.
 
 Any ideas would be much appreciated.

Kind regards.
 
Asked by: AshlingGarry
2 Solutions

elawad Commented:
Did you try it with the three basic, anonymous and windows authentication enabled and everything else disabled?
0
 
AshlingGarry (Author) Commented:
Yes, that was the initial default setting.
0
 
LeeDerbyshire Commented:
See if you can find the 403 response in the IIS log file. There are about 20 different types of 403 error. The most usual is caused by using http instead of https to access a resource where SSL is required. But if you are sure you're using https from the external locations, then it must be one of the other types of 403 error. The IIS log file will reveal which one it is.
0
 
AshlingGarry (Author) Commented:
Log entry below - not sure if can provide any more info?

2011-10-25 13:55:09 x.x.x.x POST /AutoDiscover/AutoDiscover.xml - 80 - x.x.x.x Microsoft+Office/12.0+(TestExchangeConnectivity.com) 403 4 5 46
2011-10-25 13:55:48 x.x.x.x POST /AutoDiscover/AutoDiscover.xml - 80 - x.x.x.x Microsoft+Office/12.0+(TestExchangeConnectivity.com) 403 4 5 31
2011-10-25 13:56:35 ::1 POST /powershell serializationLevel=Full;ExchClientVer=14.1.218.15;PSVersion=2.0 80 Domain\Username ::1 Microsoft+WinRM+Client 500 0 0 180006
0
 
LeeDerbyshire Commented:
The port number used in the request is 80, which indicates that plain http is being used. Hence the 403.4 SSL Required response. I haven't seen TestExchangeConnectivity recently, but is there a field where you type the URL in? If so, did you type https or http?
0
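The log reading described in the comment above, as an added example that is not part of the original thread: it parses IIS W3C log lines, reports the 403 sub-status, and flags requests that reached IIS on port 80. The field order is an assumption inferred from the log excerpt posted in the thread (the IIS default field set); the function names are hypothetical.

```python
# Added example: explain 403 responses in an IIS W3C log by sub-status and port.
# Assumed field order (IIS default set, inferred from the lines in the thread).
FIELDS = ("date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
          "cs-username c-ip cs(User-Agent) sc-status sc-substatus "
          "sc-win32-status time-taken").split()

# A subset of the IIS 403 sub-status codes.
SUBSTATUS_403 = {
    1: "Execute access forbidden", 2: "Read access forbidden",
    3: "Write access forbidden", 4: "SSL required",
    5: "SSL 128 required", 6: "IP address rejected",
    7: "Client certificate required", 14: "Directory listing denied",
    16: "Client certificate untrusted or invalid",
}

# Log lines as posted in the thread (addresses already redacted by the poster).
SAMPLE_LOG = r"""
2011-10-25 13:55:09 x.x.x.x POST /AutoDiscover/AutoDiscover.xml - 80 - x.x.x.x Microsoft+Office/12.0+(TestExchangeConnectivity.com) 403 4 5 46
2011-10-25 13:55:48 x.x.x.x POST /AutoDiscover/AutoDiscover.xml - 80 - x.x.x.x Microsoft+Office/12.0+(TestExchangeConnectivity.com) 403 4 5 31
2011-10-25 13:56:35 ::1 POST /powershell serializationLevel=Full;ExchClientVer=14.1.218.15;PSVersion=2.0 80 Domain\Username ::1 Microsoft+WinRM+Client 500 0 0 180006
"""

def parse_line(line):
    """Return a field dict, or None for comments, blanks and malformed lines."""
    parts = line.split()
    if line.startswith("#") or len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))

def explain_403s(log_text):
    """Collect every 403 entry with its sub-status meaning and a plain-HTTP flag."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["sc-status"] != "403":
            continue
        sub = int(rec["sc-substatus"])
        findings.append({
            "time": rec["date"] + " " + rec["time"],
            "uri": rec["cs-uri-stem"],
            "code": "403.%d" % sub,
            "reason": SUBSTATUS_403.get(sub, "unlisted sub-status"),
            # Port 80 on an https URL means TLS ended, or the port was remapped, before IIS.
            "plain_http": rec["s-port"] == "80",
        })
    return findings

if __name__ == "__main__":
    for f in explain_403s(SAMPLE_LOG):
        print(f)
```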
 
AshlingGarry (Author) Commented:
I have the option to ignore trust for SSL - I tried this ticked and unticked.

I can't resolve the https://autodiscover.ourdomain.com/AutoDiscover/AutoDiscover.xml externally.
I get 403 forbidden, internally it works fine.
0
 
LeeDerbyshire Commented:
Something strange is happening if the recorded port number is 80 - it should be 443 for https. Have a look at your router configuration - maybe incoming port 443 is mapped to port 80 internally? Or do you have an ISA server? The problem may be there.
0
 
AshlingGarry (Author) Commented:
I had to reset the AutoDiscover Virtual Directory within IIS, and ensure that the external DNS entries existed for each of the SMTP Domains. (They were registered on our SAN certificate)

Thanks for your help.
0
 
AshlingGarry (Author) Commented:
Final solution found was contributed to by the Experts above.
0
