Solved

ActiveSync Autodiscover failing

Posted on 2012-04-05
Last Modified: 2012-04-16
My ActiveSync Autodiscovery is failing (both in real life and at testexchangeconnectivity.com).

The failure at testexchangeconnectivity.com is:
 
Attempting to send an Autodiscover POST request to potential Autodiscover URLs.
       Autodiscover settings weren't obtained when the Autodiscover POST request was sent.
       
      Test Steps
       
      ExRCA is attempting to retrieve an XML Autodiscover response from URL https://autodiscover.domain.com/AutoDiscover/AutoDiscover.xml for user username.com
       ExRCA failed to obtain an Autodiscover XML response.
       
      Additional Details
       None of the expected XML elements were found in the XML response.


Test-OutlookWebServices gives no errors.
Test-ActiveSyncConnectivity does give an error.


Error                       : An incorrect HTTP response was received for user domain.internal\username@domainname.com, HTTP code = MovedPermanently.


Further info:
Windows 2008 R2, Exchange 2010 SP1 (Installed as /hosting which may be relevant). There are two CAS using MS NLB - however, I get precisely the same results when the firewall points to either of the CAS directly.

Any ideas?
0
Comment
Question by:nphsmith
31 Comments
 
LVL 18

Expert Comment

by:suriyaehnop
ID: 37809987
Are you using credential format correctly? domain.com\username NOT domain.com\username@domain.com
0
 

Author Comment

by:nphsmith
ID: 37809993
Thanks, I have tried both, with the same result (Though I believe the UPN should work fine?)
0
 

Expert Comment

by:noifen
ID: 37810275
Make sure your autodiscover.domain.com DNS entries are pointing to the correct server (the one with autodiscover in IIS)
0
 
LVL 9

Expert Comment

by:Lance_P
ID: 37810354
I had faced a similar issue and just reset the Virtual directories and everything worked fine.

http://technet.microsoft.com/en-us/library/ff629372.aspx
0
 

Author Comment

by:nphsmith
ID: 37810357
Yup, they are. I should mention that it passes the Outlook Autodiscovery test just fine, so it is unlikely to be a DNS/firewalling/certificate issue. The activesync autodiscover finds the correct server, connects to SSL, passes certificate, fails on the POST request. Full 'log' below:

Testing of this potential Autodiscover URL failed.
       
      Test Steps
       
      Attempting to resolve the host name autodiscover.domain.com in DNS.
       The host name resolved successfully.
       
      Additional Details
      Testing TCP port 443 on host autodiscover.domain.com to ensure it's listening and open.
       The port was opened successfully.
      Testing the SSL certificate to make sure it's valid.
       The certificate passed all validation requirements.
       
      Test Steps
      Checking the IIS configuration for client certificate authentication.
       Client certificate authentication wasn't detected.
       
      Additional Details
      Attempting to send an Autodiscover POST request to potential Autodiscover URLs.
       Autodiscover settings weren't obtained when the Autodiscover POST request was sent.
       
      Test Steps
       
      ExRCA is attempting to retrieve an XML Autodiscover response from URL https://autodiscover.domain.com/AutoDiscover/AutoDiscover.xml for user nick.smith@domain.com.
       ExRCA failed to obtain an Autodiscover XML response.
       
      Additional Details
       None of the expected XML elements were found in the XML response.
0
 

Author Comment

by:nphsmith
ID: 37810363
I'd prefer not to reset the Virtual Directories except as an absolute last resort. These are newly configured pre-production servers, so really shouldn't have any corruption or weirdness, and if there is, I'm likely to reintroduce the problem on recreation. Thanks though.
0
 
LVL 9

Expert Comment

by:Lance_P
ID: 37810383
If you don't want to reset them, then you will have to verify the permissions on each virtual directory.

In your case the authentication settings on the autodiscovery and OAB folder.

http://autodiscover.wordpress.com/2010/05/16/exchange-20102007-virtual-directory-default-permissions/
0
 
LVL 9

Expert Comment

by:Lance_P
ID: 37810388
And with all due respect, when dealing with a Microsoft product, no matter even if it is a 'Vanilla' installation, you will still find 'some' errors.
0
 
LVL 9

Expert Comment

by:Lance_P
ID: 37810400
Also please confirm that you have the certificate installed on TMG listener and the Exchange servers.
0
 

Author Comment

by:nphsmith
ID: 37810406
The certificate is installed on the CAS servers, we don't use TMG. Checking permissions now, thanks for the link.
0
 

Author Comment

by:nphsmith
ID: 37810417
I can confirm permissions on Autodiscover and OAB  are correct.
0
 
LVL 9

Expert Comment

by:Lance_P
ID: 37810420
How exactly are you publishing Exchange?
0
 

Author Comment

by:nphsmith
ID: 37810437
Not entirely sure what you mean by Publish in this context (I'm mainly a Terminal Services guy, so publish usually means something else to me ):).

I have a SonicWall (hardware firewall) which NATs HTTP and HTTPS requests through to the internal NLB IP number (NB, I have also tried NATting direct to the CAS servers' 'normal' IP number, to try and avoid any possible NLB complications. Results are the same).

Is that what you mean?
0
 
LVL 9

Expert Comment

by:Lance_P
ID: 37810472
That would work fine. I have used it in smaller offices, but prefer something like TMG/UAG in between to strengthen the security.

Also, it is VERY important to note that if you have WAN management enabled on your SonicWall, the default port is ALWAYS 443 if using SSL. You might want to change this, since when you publish Exchange, it needs to use 443 if you have SSL enabled for publishing.

Also if you are just forwarding, then the permissions should resolve the issue.
0
 

Author Comment

by:nphsmith
ID: 37810502
No WAN management on the SonicWall, I can see that would cause issues.

I sort of incline to thinking it is IIS-related, but maybe not permissions. The error:

HTTP code = MovedPermanently

Suggests some sort of redirection issue, but I can't find anything :(
0
 
LVL 9

Expert Comment

by:Lance_P
ID: 37810522
Where did you get the certificates for Exchange from? Did you re-verify that they are installed correctly on both CAS?
0
 

Author Comment

by:nphsmith
ID: 37810533
DigiCert, and yes, as far as the tests I have run can see, they are indeed correctly installed. The exchange-connectivity tests are happy with the certificates (in fact, they do throw a warning that older versions of Windows Phone may not understand the certs, but I don't care about that, and can't think that's germane).
0
 
LVL 4

Expert Comment

by:vishalvasu
ID: 37815346
There seem to be some issues when ExRCA is attempting to retrieve the XML Autodiscover response from the URL. Try the autodiscover URL in a browser. You should be asked for credentials. Provide the credentials for your mailbox and log in. Let us know the results.
0
 

Author Comment

by:nphsmith
ID: 37817492
Yes, I am asked for credentials:
<?xml version="1.0" encoding="UTF-8"?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
  <Response>
    <Error Id="2027028260" Time="21:25:22.2860966">
      <ErrorCode>600</ErrorCode>
      <Message>Invalid Request</Message>
      <DebugData/>
    </Error>
  </Response>
</Autodiscover>
0
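
An added example, not part of the thread or any poster's code: a small Python classifier for the two responses discussed above (the 301 MovedPermanently and the ErrorCode 600 XML), so a failed probe can be told apart from a redirect or a missing MobileSync entry. It assumes the ActiveSync (mobilesync) Autodiscover schemas; the function names, the redirect target and the success response are constructed for illustration, and the status, headers and body are expected to come from an HTTP client that does not follow redirects.

```python
import xml.etree.ElementTree as ET
NS = "http://schemas.microsoft.com/exchange/autodiscover"
NS_REQ = NS + "/mobilesync/requestschema/2006"
NS_RESP = NS + "/mobilesync/responseschema/2006"

def build_request(email):  # XML body of the ActiveSync (mobilesync) Autodiscover POST
    root = ET.Element("Autodiscover", xmlns=NS_REQ)
    req = ET.SubElement(root, "Request")
    ET.SubElement(req, "EMailAddress").text = email
    ET.SubElement(req, "AcceptableResponseSchema").text = NS_RESP
    return ET.tostring(root, encoding="unicode")

def local_name(tag):  # drop the "{namespace}" prefix ElementTree adds
    return tag.rsplit("}", 1)[-1]

def classify(status, headers, body):  # -> (verdict, detail) for one HTTP response
    hdrs = {k.lower(): v for k, v in headers.items()}
    if status in (301, 302, 307, 308):     # 301 is the thread's MovedPermanently
        return ("redirect", hdrs.get("location", "<no Location header>"))
    if status != 200:
        return ("http-error", str(status))
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:           # e.g. an HTML page instead of XML
        return ("not-xml", str(exc))
    by_name = {}
    for el in root.iter():
        by_name.setdefault(local_name(el.tag), []).append(el)
    if "ErrorCode" in by_name:             # 600: no valid Autodiscover body (browser GET)
        code = by_name["ErrorCode"][0].text or ""
        msg = by_name["Message"][0].text or "" if "Message" in by_name else ""
        return ("autodiscover-error", f"{code} {msg}".strip())
    for server in by_name.get("Server", []):
        fields = {local_name(c.tag): (c.text or "").strip() for c in server}
        if fields.get("Type") == "MobileSync" and fields.get("Url"):
            return ("ok", fields["Url"])
    return ("unexpected-xml", local_name(root.tag))

# THREAD_XML is the error body posted in the thread; OK_XML is constructed (placeholder host).
THREAD_XML = (b'<Autodiscover xmlns="' + NS.encode() + b'/responseschema/2006"><Response>'
              b'<Error Id="2027028260" Time="21:25:22.2860966"><ErrorCode>600</ErrorCode>'
              b'<Message>Invalid Request</Message><DebugData/></Error></Response></Autodiscover>')
OK_XML = (b'<Autodiscover xmlns="' + NS.encode() + b'/responseschema/2006"><Response xmlns="'
          + NS_RESP.encode() + b'"><Action><Settings><Server><Type>MobileSync</Type>'
          b'<Url>https://mail.example.test/Microsoft-Server-ActiveSync</Url>'
          b'</Server></Settings></Action></Response></Autodiscover>')

if __name__ == "__main__":
    print(classify(301, {"Location": "https://redirect.example.test/"}, b""))
    print(classify(200, {}, THREAD_XML), classify(200, {}, OK_XML))
```

A "redirect" verdict with its Location value shows where IIS is sending the POST, which is the detail the MovedPermanently error alone does not give.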
 
LVL 4

Expert Comment

by:vishalvasu
ID: 37818475
Can you try "ignore" client certificates and disable require SSL in IIS 7 settings?
0
 
LVL 9

Expert Comment

by:Lance_P
ID: 37822509
Hi nphsmith,
   Just need to reconfirm, did you verify the permissions on the Autodiscover virtual directory? and the others just to make sure?

Also did you change any default settings on ASP?
0
 

Author Comment

by:nphsmith
ID: 37822536
Yes, verified permissions on Autodiscover virtual directory.
No changes made to ASP - I actually wouldn't know how :).

@Vishal, I think this is the case already, but will confirm when I get back to civilization (still on Easter break with wibbly internet right now).
0
 

Author Comment

by:nphsmith
ID: 37826534
Vishal, I can confirm that SSL is not required, and Client certificates ignored, on Default, web sites and Autodiscover & OAB Virtual directories. Any other Virtual Directories I should check?
0
 
LVL 9

Expert Comment

by:Lance_P
ID: 37830182
Recheck the RPC and RPC proxy as well.
0
 

Author Comment

by:nphsmith
ID: 37832475
Rechecked RPC and RPCwithCert. There is no RPCProxy virtual folder - should there be?
0
 
LVL 9

Accepted Solution

by:
Lance_P earned 500 total points
ID: 37837012
RPCwithCert is the right folder. RPCproxy is the dll file within the directory.
0
 

Author Comment

by:nphsmith
ID: 37850429
Following Microsoft Patch Thursday and subsequent reboot last week, it is mysteriously working. <shrug> as to why and <worried> as to it breaking again.

Points awarded to Lance_P for continuing efforts to be helpful.
0
 
LVL 9

Expert Comment

by:Lance_P
ID: 37850774
Thanks nphsmith. Every day is a mystery with Microsoft. (Unless you browse through their endless bulletins.)

Glad it's resolved with the patch. Should be a good heads up for anyone who has the same issue.
0
 

Author Comment

by:nphsmith
ID: 37851750
Except...it broke again :(
0
 
LVL 9

Expert Comment

by:Lance_P
ID: 37851763
This time round I'd say follow the first step and reset it. (with all updates since you have already patched)
0
 

Author Comment

by:nphsmith
ID: 37851926
That's current plan :)
0
