PMIMIS
asked on
Exchange 2010 ActiveSync Problems
Hello Experts!
I am in the coexistence phase of a migration from Exchange 2003 to Exchange 2010 and I am having problems with autodiscover and ActiveSync that are making it impossible to get email to iPhones. In my company this is a very big deal.
Our environment consists of one server running Exchange 2003 and two servers running Exchange 2010. The 2010 servers sit behind a Kemp LoadMaster 2200 that load balances incoming web and smtp traffic.
When I run tests of Autodiscover and ActiveSync from www.testexchangeconnectivity.com I get the following relevant information:
Attempting to test potential Autodiscover URL https://autodiscover.companyname.com/AutoDiscover/AutoDiscover.xml
Testing of this potential Autodiscover URL failed.
Test Steps
Attempting to resolve the host name autodiscover.companyname.c om in DNS.
The host name resolved successfully.
Additional Details
IP addresses returned: x.x.x.x
Testing TCP port 443 on host autodiscover.companyname.c om to ensure it's listening and open.
The port was opened successfully.
Testing the SSL certificate to make sure it's valid.
The certificate passed all validation requirements.
Test Steps
ExRCA is attempting to obtain the SSL certificate from remote server autodiscover.companyname.c om on port 443.
ExRCA successfully obtained the remote SSL certificate.
Additional Details
Remote Certificate Subject: CN=webmail.companyname.com , OU=MIS, O="companyname", L=Seattle, S=Washington, C=US, Issuer: CN=DigiCert High Assurance CA-3, OU=www.digicert.com, O=DigiCert Inc, C=US.
Validating the certificate name.
The certificate name was validated successfully.
Additional Details
Host name autodiscover.companyname.c om was found in the Certificate Subject Alternative Name entry.
Certificate trust is being validated.
The certificate is trusted and all certificates are present in the chain.
Test Steps
ExRCA is attempting to build certificate chains for certificate CN=webmail.companyname.com , OU=MIS, O="companyname", L=Seattle, S=Washington, C=US.
One or more certificate chains were constructed successfully.
Additional Details
A total of 4 chains were built. The highest quality chain ends in root certificate CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US.
Analyzing the certificate chains for compatibility problems with versions of Windows.
No Windows compatibility problems were identified.
Additional Details
The certificate chain has been validated up to a trusted root. Root = CN=Entrust.net Secure Server Certification Authority, OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS incorp. by ref. (limits liab.), O=Entrust.net, C=US.
Testing the certificate date to confirm the certificate is valid.
Date validation passed. The certificate hasn't expired.
Additional Details
The certificate is valid. NotBefore = 4/26/2012 12:00:00 AM, NotAfter = 7/3/2013 12:00:00 PM
Checking the IIS configuration for client certificate authentication.
Client certificate authentication wasn't detected.
Additional Details
Accept/Require Client Certificates isn't configured.
Attempting to send an Autodiscover POST request to potential Autodiscover URLs.
Autodiscover settings weren't obtained when the Autodiscover POST request was sent.
Test Steps
ExRCA is attempting to retrieve an XML Autodiscover response from URL https://autodiscover.companyname.com/AutoDiscover/AutoDiscover.xml for user testuser@companyname.com.
ExRCA failed to obtain an Autodiscover XML response.
Additional Details
The Response element in the payload was null.
<?xml version="1.0"?>
<Autodiscover xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006" />
Please assist if you are able.
I am in the coexistence phase of a migration from Exchange 2003 to Exchange 2010 and I am having problems with autodiscover and ActiveSync that are making it impossible to get email to iPhones. In my company this is a very big deal.
Our environment consists of one server running Exchange 2003 and two servers running Exchange 2010. The 2010 servers sit behind a Kemp LoadMaster 2200 that load balances incoming web and smtp traffic.
When I run tests of Autodiscover and ActiveSync from www.testexchangeconnectivity.com I get the following relevant information:
Attempting to test potential Autodiscover URL https://autodiscover.companyname.com/AutoDiscover/AutoDiscover.xml
Testing of this potential Autodiscover URL failed.
Test Steps
Attempting to resolve the host name autodiscover.companyname.c
The host name resolved successfully.
Additional Details
IP addresses returned: x.x.x.x
Testing TCP port 443 on host autodiscover.companyname.c
The port was opened successfully.
Testing the SSL certificate to make sure it's valid.
The certificate passed all validation requirements.
Test Steps
ExRCA is attempting to obtain the SSL certificate from remote server autodiscover.companyname.c
ExRCA successfully obtained the remote SSL certificate.
Additional Details
Remote Certificate Subject: CN=webmail.companyname.com
Validating the certificate name.
The certificate name was validated successfully.
Additional Details
Host name autodiscover.companyname.c
Certificate trust is being validated.
The certificate is trusted and all certificates are present in the chain.
Test Steps
ExRCA is attempting to build certificate chains for certificate CN=webmail.companyname.com
One or more certificate chains were constructed successfully.
Additional Details
A total of 4 chains were built. The highest quality chain ends in root certificate CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US.
Analyzing the certificate chains for compatibility problems with versions of Windows.
No Windows compatibility problems were identified.
Additional Details
The certificate chain has been validated up to a trusted root. Root = CN=Entrust.net Secure Server Certification Authority, OU=(c) 1999 Entrust.net Limited, OU=www.entrust.net/CPS incorp. by ref. (limits liab.), O=Entrust.net, C=US.
Testing the certificate date to confirm the certificate is valid.
Date validation passed. The certificate hasn't expired.
Additional Details
The certificate is valid. NotBefore = 4/26/2012 12:00:00 AM, NotAfter = 7/3/2013 12:00:00 PM
Checking the IIS configuration for client certificate authentication.
Client certificate authentication wasn't detected.
Additional Details
Accept/Require Client Certificates isn't configured.
Attempting to send an Autodiscover POST request to potential Autodiscover URLs.
Autodiscover settings weren't obtained when the Autodiscover POST request was sent.
Test Steps
ExRCA is attempting to retrieve an XML Autodiscover response from URL https://autodiscover.companyname.com/AutoDiscover/AutoDiscover.xml for user testuser@companyname.com.
ExRCA failed to obtain an Autodiscover XML response.
Additional Details
The Response element in the payload was null.
<?xml version="1.0"?>
<Autodiscover xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006" />
Please assist if you are able.
ASKER
Thank you for responding to my question.
I do not have an SRV record for autodiscover pointing to my firewall. I had planned to rely on the dns A record for autodiscover.companyname.c om.
The autodiscover virtual directory has both internalUrl and ExternalUrl set to https://autodiscover.companyname.com/autodiscover/autodiscover.xml.
On both client access servers the AutoDiscoverServiceInterna lUri is set to https://autodiscover.companyname.com/AutoDiscover/Autodiscover.xml.
If I open the link internally in IE I get a forms authentication box prepopulated with my username. When I enter my password it takes me to a page that says
<?xml version="1.0" encoding="utf-8" ?>
- <Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
- <Response>
- <Error Time="22:33:51.0956606" Id="2239513966">
<ErrorCode>600</ErrorCode>
<Message>Invalid Request</Message>
<DebugData />
</Error>
</Response>
</Autodiscover>
If I go to that page externally I get almost the same thing except the authentication prompt does not have my username prepopulated. (Just the domain.) Then the following comes up.
<?xml version="1.0" encoding="utf-8" ?>
- <Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
- <Response>
- <Error Time="22:37:22.1216382" Id="2239513966">
<ErrorCode>600</ErrorCode>
<Message>Invalid Request</Message>
<DebugData />
</Error>
</Response>
</Autodiscover>
When I run get-ActiveSyncVirtualDirec tory | fl
I get the following information
RunspaceId : f8ead0c3-c54f-42e5-8e26-c1 bf5f33af37
MobileClientFlags : BadItemReportingEnabled, SendWatsonReport
MobileClientCertificatePro visioningE nabled : False
BadItemReportingEnabled : True
SendWatsonReport : True
MobileClientCertificateAut horityURL :
MobileClientCertTemplateNa me :
ActiveSyncServer : https://webmail.companyname/Microsoft-Server-ActiveSync
RemoteDocumentsActionForUn knownServe rs : Allow
RemoteDocumentsAllowedServ ers : {}
RemoteDocumentsBlockedServ ers : {}
RemoteDocumentsInternalDom ainSuffixL ist : {}
MetabasePath : IIS://EX01.companyname.cor p/W3SVC/1/ ROOT/Micro soft-Serve r-ActiveSy nc
BasicAuthEnabled : True
WindowsAuthEnabled : False
CompressionEnabled : True
ClientCertAuth : Ignore
WebsiteName : Default Web Site
WebSiteSSLEnabled : False
VirtualDirectoryName : Microsoft-Server-ActiveSyn c
Path :
ExtendedProtectionTokenChe cking : None
ExtendedProtectionFlags : {}
ExtendedProtectionSPNList : {}
Server : EX01
InternalUrl : https://webmail.companyname.com/Microsoft-Server-ActiveSync
InternalAuthenticationMeth ods : {}
ExternalUrl : https://webmail.companyname.com/Microsoft-Server-ActiveSync
ExternalAuthenticationMeth ods : {}
AdminDisplayName :
ExchangeVersion : 0.10 (14.0.100.0)
Name : Microsoft-Server-ActiveSyn c (Default Web Site)
DistinguishedName : CN=Microsoft-Server-Active Sync (Default Web Site),CN=HTTP,CN=Protocols ,CN=
EX01,CN=Servers,CN=Exchang e Administrative Group (FYDIBOHF23SPDLT),CN=
Administrative Groups,CN=companyname,CN=M icrosoft Exchang
e,CN=Services,CN=Configura tion,DC=co mpanyname, DC=corp
Identity : EX01\Microsoft-Server-Acti veSync (Default Web Site)
Guid : 96207981-fe7a-405e-b724-31 6a410ce1c6
ObjectCategory : companyname.corp/Configura tion/Schem a/ms-Exch- Mobile-Vir tual-Direc tory
ObjectClass : {top, msExchVirtualDirectory, msExchMobileVirtualDirecto ry}
WhenChanged : 7/31/2012 10:58:06 AM
WhenCreated : 7/30/2012 3:56:56 PM
WhenChangedUTC : 7/31/2012 5:58:06 PM
WhenCreatedUTC : 7/30/2012 10:56:56 PM
OrganizationId :
OriginatingServer : DC1.companyname.corp
IsValid : True
Webmail.companyname.com is the common name on the Subject Alternative Name certificate that we purchased.
I do not have an SRV record for autodiscover pointing to my firewall. I had planned to rely on the dns A record for autodiscover.companyname.c
The autodiscover virtual directory has both internalUrl and ExternalUrl set to https://autodiscover.companyname.com/autodiscover/autodiscover.xml.
On both client access servers the AutoDiscoverServiceInterna
If I open the link internally in IE I get a forms authentication box prepopulated with my username. When I enter my password it takes me to a page that says
<?xml version="1.0" encoding="utf-8" ?>
- <Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
- <Response>
- <Error Time="22:33:51.0956606" Id="2239513966">
<ErrorCode>600</ErrorCode>
<Message>Invalid Request</Message>
<DebugData />
</Error>
</Response>
</Autodiscover>
If I go to that page externally I get almost the same thing except the authentication prompt does not have my username prepopulated. (Just the domain.) Then the following comes up.
<?xml version="1.0" encoding="utf-8" ?>
- <Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
- <Response>
- <Error Time="22:37:22.1216382" Id="2239513966">
<ErrorCode>600</ErrorCode>
<Message>Invalid Request</Message>
<DebugData />
</Error>
</Response>
</Autodiscover>
When I run get-ActiveSyncVirtualDirec
I get the following information
RunspaceId : f8ead0c3-c54f-42e5-8e26-c1
MobileClientFlags : BadItemReportingEnabled, SendWatsonReport
MobileClientCertificatePro
BadItemReportingEnabled : True
SendWatsonReport : True
MobileClientCertificateAut
MobileClientCertTemplateNa
ActiveSyncServer : https://webmail.companyname/Microsoft-Server-ActiveSync
RemoteDocumentsActionForUn
RemoteDocumentsAllowedServ
RemoteDocumentsBlockedServ
RemoteDocumentsInternalDom
MetabasePath : IIS://EX01.companyname.cor
BasicAuthEnabled : True
WindowsAuthEnabled : False
CompressionEnabled : True
ClientCertAuth : Ignore
WebsiteName : Default Web Site
WebSiteSSLEnabled : False
VirtualDirectoryName : Microsoft-Server-ActiveSyn
Path :
ExtendedProtectionTokenChe
ExtendedProtectionFlags : {}
ExtendedProtectionSPNList : {}
Server : EX01
InternalUrl : https://webmail.companyname.com/Microsoft-Server-ActiveSync
InternalAuthenticationMeth
ExternalUrl : https://webmail.companyname.com/Microsoft-Server-ActiveSync
ExternalAuthenticationMeth
AdminDisplayName :
ExchangeVersion : 0.10 (14.0.100.0)
Name : Microsoft-Server-ActiveSyn
DistinguishedName : CN=Microsoft-Server-Active
EX01,CN=Servers,CN=Exchang
Administrative Groups,CN=companyname,CN=M
e,CN=Services,CN=Configura
Identity : EX01\Microsoft-Server-Acti
Guid : 96207981-fe7a-405e-b724-31
ObjectCategory : companyname.corp/Configura
ObjectClass : {top, msExchVirtualDirectory, msExchMobileVirtualDirecto
WhenChanged : 7/31/2012 10:58:06 AM
WhenCreated : 7/30/2012 3:56:56 PM
WhenChangedUTC : 7/31/2012 5:58:06 PM
WhenCreatedUTC : 7/30/2012 10:56:56 PM
OrganizationId :
OriginatingServer : DC1.companyname.corp
IsValid : True
Webmail.companyname.com is the common name on the Subject Alternative Name certificate that we purchased.
=> Does your SAN have your CAS server name hosted on them with NETBIOS and their FQDN?
=> If you run test-outlookwebservices - does it error out?
=> What happens when you create a new profile using OL2k7 / OL2k10 and rely on autodiscover and not completing the profile details manually? Any errors?
Regards,
Exchange_Geek
=> If you run test-outlookwebservices - does it error out?
=> What happens when you create a new profile using OL2k7 / OL2k10 and rely on autodiscover and not completing the profile details manually? Any errors?
Regards,
Exchange_Geek
ASKER
The SAN certificate only has three names assinged:
webmail.companyname.com for web services such as OWA, EWS, and ECP
autodiscover.companyname.c om for autodiscover services
legacy.companyname.com for redirects to OWA on the 2003 server.
test-outlookwebservices fails because I have not installed the mailbox role on the servers yet. Specifically it says Failed to find the mailbox. Mailbox = 'extest_e88af0663a854@comp anyname.co rp'.
If I use the Outlook tool, Test E-Mail AutoConfiguration, it says Autoconfiguration was unable to determine your settings. The log shows the following:
Autodiscover to https://autodiscover.companyname.com/autodiscover/autodiscover.xml starting
GetLastError=0; httpStatus=200.
Autodiscover to https://autodiscover.companyname.com/autodiscover/autodiscover.xml failed (0x800C8203)
webmail.companyname.com for web services such as OWA, EWS, and ECP
autodiscover.companyname.c
legacy.companyname.com for redirects to OWA on the 2003 server.
test-outlookwebservices fails because I have not installed the mailbox role on the servers yet. Specifically it says Failed to find the mailbox. Mailbox = 'extest_e88af0663a854@comp
If I use the Outlook tool, Test E-Mail AutoConfiguration, it says Autoconfiguration was unable to determine your settings. The log shows the following:
Autodiscover to https://autodiscover.companyname.com/autodiscover/autodiscover.xml starting
GetLastError=0; httpStatus=200.
Autodiscover to https://autodiscover.companyname.com/autodiscover/autodiscover.xml failed (0x800C8203)
My bad i should have corrected you at the first instance
You mentioned
This should be pointed to
https://webmail.companyname.com/AutoDiscover/Autodiscover.xml
Get me the output
Get-ClientAccessServer | FT -AutodiscoverServiceIntern alUri
Get-WebServicesVirtualDire ctory | FT InternalUrl,ExternalURL
Get-OABVirtualDirectory | FT InternalURL,ExternalURL
Get-ActiveSyncVirtualDirec tory | FT InternalURL,ExternalURL
Set-OutlookAnywhere -identity "CAS Server Name\RPC (Default Web Site) | FT ExternalHostname
Regards,
Exchange_Geek
You mentioned
The autodiscover virtual directory has both internalUrl and ExternalUrl set to https://autodiscover.companyname.com/autodiscover/autodiscover.xml.
On both client access servers the AutoDiscoverServiceInternalUri is set to https://autodiscover.companyname.com/AutoDiscover/Autodiscover.xml.
This should be pointed to
https://webmail.companyname.com/AutoDiscover/Autodiscover.xml
Get me the output
Get-ClientAccessServer | FT -AutodiscoverServiceIntern
Get-WebServicesVirtualDire
Get-OABVirtualDirectory | FT InternalURL,ExternalURL
Get-ActiveSyncVirtualDirec
Set-OutlookAnywhere -identity "CAS Server Name\RPC (Default Web Site) | FT ExternalHostname
Regards,
Exchange_Geek
ASKER
I am not sure I agree with you about the requirement for the autodiscover Uri so point to https://webmail.companyname.com/AutoDiscover/Autodiscover.xml.
According to "Microsoft Exchange Server 2010 Best Practices" pages 163-164, clients attempt to search well-known URLs based on the user's email address, going through the following in order:
1. https://<smtp-address-domain>/auto discover/a utodiscove r.xml
2. https://autodiscover.<smtp-address-domain>/aut odiscover/ autodiscov er.xml
3. A local XML file if one has been configured
4. SRV record.
I appear to be properly configured for method 2.
I will get you the information that you asked for above soon.
According to "Microsoft Exchange Server 2010 Best Practices" pages 163-164, clients attempt to search well-known URLs based on the user's email address, going through the following in order:
1. https://<smtp-address-domain>/auto
2. https://autodiscover.<smtp-address-domain>/aut
3. A local XML file if one has been configured
4. SRV record.
I appear to be properly configured for method 2.
I will get you the information that you asked for above soon.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
This completely resolved the issue.
==> Do you have SRV Record for _autodiscover._tcp.domain.
==> Which URL does Autodiscover URL point to?
https://autodiscover.companyname.com/AutoDiscover/AutoDiscover.xml is this what you find in EMC?
==> Open the link https://autodiscover.companyname.com/AutoDiscover/AutoDiscover.xml in IE internally and externally.
==> Which URL does Activesync URL point to?
****autodiscover.companyna
==> This is good.
Regards,
Exchange_Geek