• Status: Solved

Exchange 2010 WinRM/Kerberos Error + Autodiscover

Greetings,

After previous team members STIG'd the Exchange environment here, odd things started occurring that we can't seem to nail down the root cause of...

1. Management Tool Console (only functions on 1 server; all other attempts have this error):
"The attempt to connect to http://SERVER.DOMAIN/PowerShell using "Kerberos" authentication failed: Connecting to the remote server failed with the following error message: The WinRM Client cannot complete the operation within the time specified. Check if the machine name is valid and is reachable over the network and firewall exception for Windows Remote Management Service is enabled."
        I've created a specific Firewall rule to troubleshoot this, tied it to the service winrm and allowed all connections, both incoming and outgoing, for both the main server and the server attempting to connect to it.

2. Autodiscover will NOT stay functioning... seems like as soon as I get it to work it breaks a few days later. There was no "Require SSL" set on the Autodiscover VD and once I set that and restarted IIS I was able to test OK. Three days later it stops working for some reason, and there have been no changes with Internal URL, DNS, etc. and no event logs. It just pops up a server unavailable error and then crashes Outlook on the second attempt to launch Out of Office. The original testing of Autodiscover seemed like it wasn't able to resolve any URLs on the client side; once I put on SSL require for that Virtual Directory it would work immediately and for a few days, then it stopped working again.

I've looked at a lot of webpages out there and haven't found any that resolve my issue.  Google doesn't even pull up any I haven't seen yet.  

I will be doing the following tool but am awaiting approval and also am doubtful that it will help, since MS's whitepaper on the Exchange management connection issues doesn't apply at all to the error above.
http://blogs.technet.com/b/exchange/archive/2010/12/07/3411644.aspx

I have downloaded and used http://gallery.technet.microsoft.com/office/Exchange-2010-Architecture-9368ff56/view/Discussions and while it is a great tool it hasn't helped me.  

Any help would be greatly appreciated!

Exchange 2010 SP1 (SP2 install failed during last maintenance window, awaiting a new scheduled chance)
Windows Server 2008 R2 Ent SP1
Asked by: convergencetech
1 Solution
 
R--R Commented:
Stop the antivirus and reboot and check.
 
convergencetech (Author) Commented:
I have checked my WINRM config as well, here's a portion of what it says:
Config
    MaxEnvelopeSize = 150
    MaxTimeoutms = 60000
    MaxBatchItems = 32000
    MaxProviderRequests = 4294967295
    Client
        NetworkDelayms = 5000
        URLPrefix = wsman
        AllowUnencrypted = false
        Auth:
            Basic = TRUE
            Digest = TRUE
            KERBEROS = TRUE
            Negotiate = True
            Certificate = True
            CredSSP = False
        Default Ports:
            HTTP = 5985
            HTTPS = 5986
        TrustedHosts = *.<CHILDDOMAIN>,*<ROOTDOMAIN>
    Service
        <a few lines not applicable to this I think and since I am typing it out I'm going to skip unless needed>
        EnumerationTimeoutms = 60000
        Auth:
            Basic = False
            KERBEROS = TRUE
            Negotiate = True
            Certificate = False
            CredSSP = False
            cbtHardeningLevel = Relaxed
    winrs
        AllowRemoteShellAccess = true


I did notice that the CertificateThumbprint was blank and don't have another environment to look at to compare if they are all that way.

BTW - I only have 1 live environment. Nowhere to test things...
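
The post above mentions having nothing to compare the WinRM settings against, while the first post says the console still works from one server. As an added example (not from the thread), the Python below flattens two saved `winrm get winrm/config` dumps, one from the working server and one from a failing one, and lists only the settings that differ. The sample dumps, `*.child.example` and the function names are constructed for illustration.

```python
MISSING = "<absent>"   # marker for a setting that appears on only one host

def parse_winrm_config(text):
    """Flatten indented `winrm get winrm/config` output to {'config/client/auth/basic': 'true'}."""
    lines = [ln.rstrip() for ln in text.splitlines() if ln.strip()]
    flat, stack = {}, []                      # stack of (indent, section name)
    for i, line in enumerate(lines):
        indent = len(line) - len(line.lstrip())
        while stack and stack[-1][0] >= indent:
            stack.pop()                       # leave sections we have dedented out of
        key, sep, value = line.strip().partition("=")
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if not sep and len(nxt) - len(nxt.lstrip()) > indent:
            stack.append((indent, key.strip()))   # header: next line is indented deeper
            continue
        path = "/".join([name for _, name in stack] + [key.strip()]).lower()
        flat[path] = value.strip()   # bare key with nothing nested under it = empty value
    return flat

def diff_configs(working_text, failing_text):
    """Return (path, working value, failing value) for every setting that differs."""
    good, bad = parse_winrm_config(working_text), parse_winrm_config(failing_text)
    return [(p, good.get(p, MISSING), bad.get(p, MISSING))
            for p in sorted(set(good) | set(bad))
            if good.get(p, MISSING).lower() != bad.get(p, MISSING).lower()]

# Constructed sample dumps (not the poster's servers); values compare case-insensitively.
WORKING = """\
Config
    Client
        Auth
            Kerberos = true
        TrustedHosts
    Service
        Auth
            CbtHardeningLevel = Relaxed
        CertificateThumbprint
"""
FAILING = """\
Config
    Client
        Auth
            Kerberos = TRUE
        TrustedHosts = *.child.example
    Service
        Auth
            CbtHardeningLevel = Strict
"""
if __name__ == "__main__":
    print(*diff_configs(WORKING, FAILING), sep="\n")
```

A difference in the output is only a lead to check against the change history, not proof of the cause of the timeout.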
 
convergencetech (Author) Commented:
I have actually gone as far as uninstalling the AV on both the Exchange server and the client to test Autodiscover and it had no effect.
 
Simon Butler (Sembee), Consultant, Commented:
I would suggest that you do the following:

a. Reset the virtual directories. This is done through the management console on SP2, I think it is a new feature to SP2, so as you aren't on that you will have to do it the slow way.
http://technet.microsoft.com/en-us/library/ff629372.aspx

b. Get the SSL certificate rekeyed. So create a new request through the wizard in Exchange and install the response.

The WINRM error is very common and is often an IIS issue, which can be SSL certificate related.

Exchange 2010 SP2 might fix a lot of the issues as that effectively reinstalls the product.

Simon.