Solved

Activesync Autodiscover failing

Posted on 2012-04-05
Last Modified: 2012-04-16
My Activesync Autodiscovery is failing (both in real life and at testexchangeconnectivity.com).

The failure at testexchangeconnectivity.com is:
 
Attempting to send an Autodiscover POST request to potential Autodiscover URLs.
       Autodiscover settings weren't obtained when the Autodiscover POST request was sent.
       
      Test Steps
       
      ExRCA is attempting to retrieve an XML Autodiscover response from URL https://autodiscover.domain.com/AutoDiscover/AutoDiscover.xml for user username.com
       ExRCA failed to obtain an Autodiscover XML response.
       
      Additional Details
       None of the expected XML elements were found in the XML response.


Test-OutlookWebServices gives no errors.
Test-ActiveSyncConnectivity does give an error.


Error                       : An incorrect HTTP response was received for user domain.internal\username@domainname.com, HTTP code = MovedPermanently.


Further info:
Windows 2008 R2, Exchange 2010 SP1 (Installed as /hosting which may be relevant). There are two CAS using MS NLB - however, I get precisely the same results when the firewall points to either of the CAS directly.

Any ideas?
0
Question by:nphsmith
31 Comments
 
LVL 19

Expert Comment

by:suriyaehnop
ID: 37809987
Are you using credential format correctly? domain.com\username NOT domain.com\username@domain.com
0
 

Author Comment

by:nphsmith
ID: 37809993
Thanks, I have tried both, with the same result (Though I believe the UPN should work fine?)
0
 

Expert Comment

by:noifen
ID: 37810275
Make sure your autodiscover.domain.com DNS entries are pointing to the correct server (the one with autodiscover in IIS)
0

 
LVL 9

Expert Comment

by:Lance_P
ID: 37810354
I had faced a similar issue and just reset the Virtual directories and everything worked fine.

http://technet.microsoft.com/en-us/library/ff629372.aspx
0
 

Author Comment

by:nphsmith
ID: 37810357
Yup, they are. I should mention that it passes the Outlook Autodiscovery test just fine, so it is unlikely to be a DNS/firewalling/certificate issue. The activesync autodiscover finds the correct server, connects to SSL, passes certificate, fails on the POST request. Full 'log' below:

Testing of this potential Autodiscover URL failed.
       
      Test Steps
       
      Attempting to resolve the host name autodiscover.domain.com in DNS.
       The host name resolved successfully.
       
      Additional Details
      Testing TCP port 443 on host autodiscover.domain.com to ensure it's listening and open.
       The port was opened successfully.
      Testing the SSL certificate to make sure it's valid.
       The certificate passed all validation requirements.
       
      Test Steps
      Checking the IIS configuration for client certificate authentication.
       Client certificate authentication wasn't detected.
       
      Additional Details
      Attempting to send an Autodiscover POST request to potential Autodiscover URLs.
       Autodiscover settings weren't obtained when the Autodiscover POST request was sent.
       
      Test Steps
       
      ExRCA is attempting to retrieve an XML Autodiscover response from URL https://autodiscover.domain.com/AutoDiscover/AutoDiscover.xml for user nick.smith@domain.com.
       ExRCA failed to obtain an Autodiscover XML response.
       
      Additional Details
       None of the expected XML elements were found in the XML response.
0
 

Author Comment

by:nphsmith
ID: 37810363
I'd prefer not to reset the Virtual Directories except as an absolute last resort. These are newly configured pre-production servers, so really shouldn't have any corruption or weirdness, and if there is, I'm likely to reintroduce the problem on recreation. Thanks though.
0
 
LVL 9

Expert Comment

by:Lance_P
ID: 37810383
If you don't want to reset them, then you will have to verify the permissions on each virtual directory.

In your case the authentication settings on the autodiscovery and OAB folder.

http://autodiscover.wordpress.com/2010/05/16/exchange-20102007-virtual-directory-default-permissions/
0
 
LVL 9

Expert Comment

by:Lance_P
ID: 37810388
And with all due respect, when dealing with a Microsoft product, no matter even if it is a 'Vanilla' installation, you will still find 'some' errors.
0
 
LVL 9

Expert Comment

by:Lance_P
ID: 37810400
Also please confirm that you have the certificate installed on TMG listener and the Exchange servers.
0
 

Author Comment

by:nphsmith
ID: 37810406
The certificate is installed on the CAS servers, we don't use TMG. Checking permissions now, thanks for the link.
0
 

Author Comment

by:nphsmith
ID: 37810417
I can confirm permissions on Autodiscover and OAB  are correct.
0
 
LVL 9

Expert Comment

by:Lance_P
ID: 37810420
How exactly are you publishing Exchange?
0
 

Author Comment

by:nphsmith
ID: 37810437
Not entirely sure what you mean by Publish in this context (I'm mainly a Terminal Services guy, so publish usually means something else to me ):).

I have a Sonicwall (hardware firewall) which NATs HTTP and HTTPS requests through to the internal NLB IP number (NB, I have also tried NATting direct to the CAS servers' 'normal' IP number, to try and avoid any possible NLB complications. Results are the same).

Is that what you mean?
0
 
LVL 9

Expert Comment

by:Lance_P
ID: 37810472
That would work fine. I have used it in smaller offices, but prefer something like TMG/UAG in between to strengthen the security.

Also, it is VERY important to note that if you have WAN management enabled on your SonicWall, the default port is ALWAYS 443 if using SSL. You might want to change this, since when you publish Exchange it needs to use 443 if you have SSL enabled for publishing.

Also if you are just forwarding, then the permissions should resolve the issue.
0
 

Author Comment

by:nphsmith
ID: 37810502
No Wan management on the Sonicwall, I can see that would cause issues.

I sort of incline to thinking it is IIS-related, but maybe not permissions. The error:

HTTP code = MovedPermanently

Suggests some sort of redirection issue, but I can't find anything :(
0
 
LVL 9

Expert Comment

by:Lance_P
ID: 37810522
Where did you get the certificates for Exchange from? Did you re-verify that they are installed correctly on both CAS?
0
 

Author Comment

by:nphsmith
ID: 37810533
DigiCert, and yes, as far as the tests I have run can see, they are indeed correctly installed. The exchange-connectivity tests are happy with the certificates (in fact, they do throw a warning that older versions of Windows Phone may not understand the certs, but I don't care about that, and can't think that's germane).
0
 
LVL 4

Expert Comment

by:vishalvasu
ID: 37815346
There seem to be some issues when ExRCA is attempting to retrieve the XML Autodiscover response from the URL. Try the autodiscover URL in a browser. You should be asked for credentials. Provide the credentials for your mailbox and log in. Let us know the results.
0
 

Author Comment

by:nphsmith
ID: 37817492
Yes, I am asked for credentials:
<?xml version="1.0" encoding="UTF-8"?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
  <Response>
    <Error Id="2027028260" Time="21:25:22.2860966">
      <ErrorCode>600</ErrorCode>
      <Message>Invalid Request</Message>
      <DebugData/>
    </Error>
  </Response>
</Autodiscover>
0
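
Added example, not part of the thread or any poster's code: a Python triage function for the two results seen above, the MovedPermanently reply to the Autodiscover POST and the ErrorCode 600 body shown in the browser. The function name, verdict labels, redirect Location and the successful response body are constructed for illustration; only the error body comes from the thread.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

NS = "{http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006}"
MOBILE = "{http://schemas.microsoft.com/exchange/autodiscover/mobilesync/responseschema/2006}"

def classify(request_url, status, headers, body):
    """Triage one Autodiscover probe result into (verdict, detail)."""
    if status in (301, 302, 307, 308):
        target = headers.get("Location", "")
        src, dst = urlsplit(request_url), urlsplit(target)
        if dst.scheme != "https":
            # Credentials must not follow a redirect onto plain HTTP.
            return "redirect-insecure", target
        if dst.hostname != src.hostname:
            return "redirect-other-host", target
        return "redirect-same-host", target
    if status != 200:
        return "http-error", str(status)
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        return "not-xml", str(exc)
    err = root.find(f"{NS}Response/{NS}Error")
    if err is not None:
        # Autodiscover answered, but with an Error element instead of settings.
        return "autodiscover-error", (
            f"{err.findtext(NS + 'ErrorCode')} {err.findtext(NS + 'Message')}")
    url = root.findtext(f".//{MOBILE}Server/{MOBILE}Url")
    if url:
        return "ok", url
    return "no-settings", "expected XML elements not found"

URL = "https://autodiscover.domain.com/AutoDiscover/AutoDiscover.xml"
# Body from the thread (what the browser showed after authenticating).
ERROR_600 = b"""<?xml version="1.0" encoding="UTF-8"?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
<Response><Error Id="2027028260" Time="21:25:22.2860966">
<ErrorCode>600</ErrorCode><Message>Invalid Request</Message><DebugData/>
</Error></Response></Autodiscover>"""
# Constructed sample of a successful mobilesync response (host name is a placeholder).
OK_BODY = b"""<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
<Response xmlns="http://schemas.microsoft.com/exchange/autodiscover/mobilesync/responseschema/2006">
<Action><Settings><Server><Type>MobileSync</Type>
<Url>https://mail.domain.com/Microsoft-Server-ActiveSync</Url>
</Server></Settings></Action></Response></Autodiscover>"""

if __name__ == "__main__":
    # Constructed Location header; the thread never shows where the 301 pointed.
    print(classify(URL, 301, {"Location": "http://autodiscover.domain.com/owa"}, b""))
    print(classify(URL, 200, {}, ERROR_600))
    print(classify(URL, 200, {}, OK_BODY))
```
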
 
LVL 4

Expert Comment

by:vishalvasu
ID: 37818475
Can you try "ignore" client certificates and disable require SSL in IIS 7 settings?
0
 
LVL 9

Expert Comment

by:Lance_P
ID: 37822509
Hi nphsmith,
   Just need to reconfirm, did you verify the permissions on the Autodiscover virtual directory? and the others just to make sure?

Also did you change any default settings on ASP?
0
 

Author Comment

by:nphsmith
ID: 37822536
Yes, verified permissions on Autodiscover virtual directory.
No changes made to ASP - I actually wouldn't know how :).

@Vishal, I think this is the case already, but will confirm when I get back to civilization (still on Easter break with wibbly internet right now).
0
 

Author Comment

by:nphsmith
ID: 37826534
Vishal, I can confirm that SSL is not required, and Client certificates ignored, on Default, web sites and Autodiscover & OAB Virtual directories. Any other Virtual Directories I should check?
0
 
LVL 9

Expert Comment

by:Lance_P
ID: 37830182
Recheck the RPC and RPC proxy as well.
0
 

Author Comment

by:nphsmith
ID: 37832475
Rechecked RPC and RPCwithCert. There is no RPCProxy virtual folder - should there be?
0
 
LVL 9

Accepted Solution

by:
Lance_P earned 1000 total points
ID: 37837012
RPCwithCert is the right folder. RPCproxy is the dll file within the directory.
0
 

Author Comment

by:nphsmith
ID: 37850429
Following Microsoft Patch Thursday and subsequent reboot last week, it is mysteriously working. <shrug> as to why and <worried> as to it breaking again.

Points awarded to Lance_P for continuing efforts to be helpful.
0
 
LVL 9

Expert Comment

by:Lance_P
ID: 37850774
Thanks nphsmith. Every day is a mystery with Microsoft. (Unless you browse through their endless bulletins.)

Glad it's resolved with the patch. Should be a good heads up for anyone who has the same issue.
0
 

Author Comment

by:nphsmith
ID: 37851750
Except...it broke again :(
0
 
LVL 9

Expert Comment

by:Lance_P
ID: 37851763
This time round I'd say follow the first step and reset it. (with all updates since you have already patched)
0
 

Author Comment

by:nphsmith
ID: 37851926
That's current plan :)
0
