Solved

SBS 2011 Exchange ActiveSync Failure

Posted on 2013-01-12
Last Modified: 2013-01-17
I have a new installation of Microsoft Small Business Server 2011.  I am testing the functionality of Exchange ActiveSync using the Microsoft Remote Connectivity Analyzer, and am getting a failure when using user credentials:
-------------------------------------------

Attempting to send an Autodiscover POST request to potential Autodiscover URLs.
      Autodiscover settings weren't obtained when the Autodiscover POST request was sent.
             Test Steps
             ExRCA is attempting to retrieve an XML Autodiscover response from URL https://********.xml for user ***@*************co.uk.
      ExRCA failed to obtain an Autodiscover XML response.
             Additional Details
      None of the expected XML elements were found in the XML response.



My *’s !

-------------------------------------
I am getting success when I use my own admin credentials though, so this must be a permissions thing somewhere. I did a fair bit of googling yesterday and I’m ruling out certificate, DNS, or path problems (!)
My understanding is that the .xml document is produced on a per user basis ‘on the fly’ whenever a request is generated, so maybe a write permission for Authenticated Users?
Any ideas?
0
Question by:Jason Bevan
15 Comments
 
LVL 18

Expert Comment

by:irweazelwallis
ID: 38769828
Check the authentication on the Autodiscover virtual directory, as this might be causing the issues.

You can do this check easily internally as well first, to make sure it works for a non-admin user.
0
 
LVL 4

Expert Comment

by:pyranetuk
ID: 38769829
You could try these steps:

http://ic-fl.net/?p=11
0
 

Author Comment

by:Jason Bevan
ID: 38769841
Thanks for that, I don't think it's a URL issue as the admin credentials work. I think it may be permissions.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 38769843
Have you setup either an Autodiscover A record in external DNS or an SRV record pointing to a name in your SSL certificate?

Have you bought and installed a 3rd party SSL certificate including autodiscover.yourdomain.com and mail.yourdomain.com (or whatever name you chose)?

If not - please do, then it should work happily.

Use the SSL certificates wizards to request a certificate and once installed, you should be good to go.

GoDaddy are about the cheapest place to buy an SSL certificate.
0
 
LVL 18

Expert Comment

by:irweazelwallis
ID: 38769848
This blog lists the permissions on the virtual directories, so you could compare them to yours:

http://www.fixkar.com/articles/kb/1070/

No need to do any removal and re-add, just double check, as it looks like a permissions issue.
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 38769859
0
 

Author Comment

by:Jason Bevan
ID: 38769892
Thanks for the replies.

I have a commercial SSL cert and the ActiveSync test works with the admin credentials.  It is the Domain Users that have the problem.
I have an SRV record in DNS and the Microsoft Remote Connection tool is finding the server correctly.
I have checked the authentication on the Autodiscover site and it conforms to the recommendations.  Interestingly, if I click on 'view virtual directories' none are listed.  However, since I can successfully test the admin account this seems unlikely to be a cause of the problem.
I have checked as per alanhardisty and the allow inheritable permission is already ticked.
0
 
LVL 18

Expert Comment

by:irweazelwallis
ID: 38769904
Have you run the BPA on the inside to see if it's OK?

Can you run through and confirm you have internal and external URLs for the web services that resemble the links you are using from outside and inside?
0
 
LVL 18

Expert Comment

by:irweazelwallis
ID: 38769907
Test-OutlookWebServices -identity:johnc@alpineskihouse.com | ft * -AutoSize -Wrap

Try running this on the inside to test and make sure it looks OK - swapping the ID for both a non-admin and an admin user.

What have you got in the way of external to the Exchange server - firewall, TMG?
0
 

Author Comment

by:Jason Bevan
ID: 38769977
irweazelwallis - have run BPA and find I am behind with Exchange service packs!  Will patch and post again.
Thanks.
0
 

Author Comment

by:Jason Bevan
ID: 38770252
Now updated to Exchange SP2 but no different.
Every test in test-outlookwebservices for a regular user passed bar one, which was:
Error       The certificate for the URL https://********.********.local/Autodiscover/Autodiscover.xml is incorrect. For SSL to work, the certificate needs to have a subject of *************.***********.local, but the subject that was found is remote.**************.co.uk. Consider correcting service discovery, or installing a correct SSL certificate.
I think the error is probably spurious (Maybe?) as it's not failing with external SSL.  
The external SSL is fully validated in the earlier parts of the MRCA when I test both admin and user externally.
I have only a BT Business Hub which I believe to be correctly configured - again, the admin users have no problem with the tests.
Cheers.
0
 

Accepted Solution

by:
Jason Bevan earned 0 total points
ID: 38770300
I hang my head in shame.  A mismatch between the email aliases, address names and login names...
Six hours and a lot of hair tearing, and I only just noticed.
Sorted. Sorry for the bother. And thanks to all.
0
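
A way to surface the kind of mismatch described in the accepted solution, as an added example that is not part of the original thread. It assumes the Exchange Management Shell on the server and that alias, logon name and the local part of the primary SMTP address are meant to line up; the thread does not say which of these disagreed, so every difference is reported for the admin to judge.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell.
# Flags mailboxes whose alias, logon names and primary SMTP address disagree.
# Assumption: these identifiers are expected to match; an intentional
# difference is listed as well and has to be judged by the administrator.

$report = Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    $smtp      = $_.PrimarySmtpAddress.ToString()
    $smtpLocal = $smtp.Split('@')[0]
    $upn       = [string]$_.UserPrincipalName
    $upnLocal  = $upn.Split('@')[0]
    $sam       = [string]$_.SamAccountName

    # String comparison with -ne is case-insensitive, which is what we want here.
    $issues = @()
    if ($_.Alias -ne $smtpLocal) { $issues += 'alias differs from SMTP local part' }
    if ($sam -ne $smtpLocal)     { $issues += 'logon name differs from SMTP local part' }
    if ($upnLocal -ne $sam)      { $issues += 'UPN prefix differs from logon name' }

    if ($issues.Count -gt 0) {
        # New-Object is used so the script also runs on PowerShell 2.0.
        New-Object PSObject -Property @{
            Mailbox           = $_.Name
            Alias             = $_.Alias
            SamAccountName    = $sam
            UserPrincipalName = $upn
            PrimarySmtp       = $smtp
            Issues            = ($issues -join '; ')
        }
    }
}

# One block per affected mailbox; no output means no mismatch was found.
$report |
    Select-Object Mailbox, Alias, SamAccountName, UserPrincipalName, PrimarySmtp, Issues |
    Format-List
```

For any mailbox it lists, re-run the Test-OutlookWebServices command quoted earlier in the thread with that user's address as the identity.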
 
LVL 18

Expert Comment

by:irweazelwallis
ID: 38770317
So do you have the right names in your cert to work internally and externally?

It should work internally to begin with, otherwise you would have issues with Outlook.

For your firewall ports you should have http/https/443 allowed in and forwarded to your CAS server.


What happens if you browse to your Autodiscover URL - externally and internally?
0
 
LVL 76

Expert Comment

by:Alan Hardisty
ID: 38770399
Oh well - glad that you have resolved it and sorry we couldn't help you this time around.  Maybe next time.

Alan
0
 

Author Closing Comment

by:Jason Bevan
ID: 38786392
The answer was an oversight on my part.
0
