pitboy

AutoDiscover Exchange 2010 Problem

We are having a problem with Out of Office not working with internal Outlook 2010 clients. When they click on Out of Office, it returns an error about the server not being available. They are able to set Out of Office from https://mail.chbtitle.com/owa. We have an SSL cert with the name mail.chbtitle.com and SRV records in DNS point to autodiscover._tcp.chbtitle.com. I can ping mail.chbtitle.com internally and also nslookup the SRV record. I ran the Autodiscover test from https://www.testexchangeconnectivity.com; results are below. I have also run the Test E-mail AutoConfiguration tool in Outlook 2010; see the attached screenshot.

Any ideas where I should be looking?

Thanks,

Matt

Attempting to contact the Autodiscover service using the DNS SRV redirect method.
  ExRCA failed to contact the Autodiscover service using the DNS SRV redirect method.
   Test Steps
   Attempting to locate SRV record _autodiscover._tcp.chbtitle.com in DNS.
  The Autodiscover SRV record was successfully retrieved from DNS.
   Additional Details
  The Service Location (SRV) record lookup returned host mail.chbtitle.com.
 
 Attempting to test potential Autodiscover URL https://mail.chbtitle.com/Autodiscover/Autodiscover.xml 
  Testing of this potential Autodiscover URL failed.
   Test Steps
   Attempting to resolve the host name mail.chbtitle.com in DNS.
  The host name resolved successfully.
   Additional Details
  IP addresses returned: 63.87.120.90
 
 Testing TCP port 443 on host mail.chbtitle.com to ensure it's listening and open.
  The port was opened successfully.
 Testing the SSL certificate to make sure it's valid.
  The certificate passed all validation requirements.
   Test Steps
   ExRCA is attempting to obtain the SSL certificate from remote server mail.chbtitle.com on port 443.
  ExRCA successfully obtained the remote SSL certificate.
   Additional Details
  Remote Certificate Subject: CN=mail.chbtitle.com, OU=Domain Control Validated, O=mail.chbtitle.com, Issuer: SERIALNUMBER=07969287, CN=Go Daddy Secure Certification Authority, OU=http://certificates.godaddy.com/repository, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US.
 
 Validating the certificate name.
  The certificate name was validated successfully.
   Additional Details
  Host name mail.chbtitle.com was found in the Certificate Subject Common name.
 
 Certificate trust is being validated.
  The certificate is trusted and all certificates are present in the chain.
   Test Steps
   ExRCA is attempting to build certificate chains for certificate CN=mail.chbtitle.com, OU=Domain Control Validated, O=mail.chbtitle.com.
  One or more certificate chains were constructed successfully.
   Additional Details
  A total of 1 chains were built. The highest quality chain ends in root certificate OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US.
 
 Analyzing the certificate chains for compatibility problems with versions of Windows.
  Potential compatibility problems were identified with some versions of Windows.
   Additional Details
  ExRCA can only validate the certificate chain using the Root Certificate Update functionality from Windows Update. Your certificate may not be trusted on Windows if the "Update Root Certificates" feature isn't enabled.
 
 
 
 Testing the certificate date to confirm the certificate is valid.
  Date validation passed. The certificate hasn't expired.
   Additional Details
  The certificate is valid. NotBefore = 11/4/2011 8:19:50 PM, NotAfter = 11/4/2014 8:19:50 PM
 
 
 
 Checking the IIS configuration for client certificate authentication.
  Client certificate authentication wasn't detected.
   Additional Details
  Accept/Require Client Certificates isn't configured.
 
 Attempting to send an Autodiscover POST request to potential Autodiscover URLs.
  Autodiscover settings weren't obtained when the Autodiscover POST request was sent.
   Test Steps
   ExRCA is attempting to retrieve an XML Autodiscover response from URL https://mail.chbtitle.com/Autodiscover/Autodiscover.xml for user susans@chbtitle.com.
  ExRCA failed to obtain an Autodiscover XML response.
   Additional Details
  An HTTP 500 response was returned from Unknown.
outlook.jpg
suriyaehnop

Could you post the "result" tab as well when you are doing the Outlook Test E-mail?
pitboy

ASKER

Here you go.
outlook2.jpg

ASKER

No one has any ideas on this?
Simon Butler (Sembee)

Autodiscover isn't working internally at all. The errors are just cascading down.
Did you change the value on set-clientaccessserver for AutodiscoverServiceInternalURI to reflect the SSL certificate?
Anything unusual about the server? Multiple IPs, multiple web sites etc?

As a note - you cannot bump on this site, so asking "No one has any ideas on this?" isn't going to help; only people looking at older questions (like me) will see it. Most people just look at the most recent stuff.

Simon.

ASKER

Simon -

Thanks for your post. Here is the cmd I used when changing the URI.

Set-ClientAccessServer -Identity CHB02 -AutodiscoverServiceInternalUri https://mail.chbtitle.com/autodiscover/autodiscover.xml

The Outlook clients are getting this pop-up from Outlook. See attached image.

Matt
autoconfigure.png

ASKER

The server has one IP. It's a DC with Exchange installed on it. Not a good practice, but I wasn't the one who installed it. Just dealing with the mess.

ASKER

This is what I get when going to https://mail.chbtitle.com/Autodiscover/Autodiscover.xml from an internal client computer. It prompts for a user and pass first.
autodiscover.xml.png

Try creating a CNAME record in DNS for autodiscover.chbtitle.com and have it point to mail.chbtitle.com. Do an ipconfig /flushdns on the client after it has been changed. Close Outlook if it was open and reopen it. We had that issue and that resolved it internally. Once you have determined that works, set it up on your internet DNS. (Most people use a hosted DNS for their internet domain.) That should fix it for users outside of your corporate network connecting to your Exchange Server.

ASKER

Thanks for the suggestion. When I did that and ran the test email auto config, it popped up an SSL cert warning because of the name mismatch. The cert is issued to mail.chbtitle.com. I tell it yes to proceed and the test fails.

ASKER

[PS] C:\Windows\system32>get-autodiscovervirtualdirectory | FL


RunspaceId                      : b29c650e-fbe3-47cd-a000-525ae02379af
Name                            : Autodiscover (Default Web Site)
InternalAuthenticationMethods   : {Basic, Ntlm, WindowsIntegrated, WSSecurity}
ExternalAuthenticationMethods   : {Basic, Ntlm, WindowsIntegrated, WSSecurity}
LiveIdSpNegoAuthentication      : False
WSSecurityAuthentication        : True
LiveIdBasicAuthentication       : False
BasicAuthentication             : True
DigestAuthentication            : False
WindowsAuthentication           : True
MetabasePath                    : IIS://CHB02.CHBT.local/W3SVC/1/ROOT/Autodiscover
Path                            : C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\Autodiscover
ExtendedProtectionTokenChecking : None
ExtendedProtectionFlags         : {}
ExtendedProtectionSPNList       : {}
Server                          : CHB02
InternalUrl                     : https://mail.chbtitle.com/Autodiscover/Autodiscover.xml
ExternalUrl                     : https://mail.chbtitle.com/Autodiscover/Autodiscover.xml
AdminDisplayName                :
ExchangeVersion                 : 0.10 (14.0.100.0)
DistinguishedName               : CN=Autodiscover (Default Web Site),CN=HTTP,CN=Protocols,CN=CHB02,CN=Servers,CN=
                                  ge Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=CHBT,CN=M
                                  ft Exchange,CN=Services,CN=Configuration,DC=CHBT,DC=local
Identity                        : CHB02\Autodiscover (Default Web Site)
Guid                            : 75f67de5-aaf8-4376-bf83-4f90589dbdbb
ObjectCategory                  : CHBT.local/Configuration/Schema/ms-Exch-Auto-Discover-Virtual-Directory
ObjectClass                     : {top, msExchVirtualDirectory, msExchAutoDiscoverVirtualDirectory}
WhenChanged                     : 1/16/2013 5:05:27 PM
WhenCreated                     : 11/5/2010 3:07:27 PM
WhenChangedUTC                  : 1/16/2013 11:05:27 PM
WhenCreatedUTC                  : 11/5/2010 8:07:27 PM
OrganizationId                  :
OriginatingServer               : CHB02.CHBT.local
IsValid                         : True

I apologize, it should not have been a CNAME, it should have been an A record of autodiscover.chbtitle.com pointing to the IP of your Outlook Web Access server. If you have a Cisco firewall, you may have to use the internal IP. If you have a firewall that allows traffic to be sent to the firewall and then back in without really going outside, then you can use the external IP for the A record. If you have a Cisco firewall, then you will definitely need a UCC certificate.

Depending on the SSL Certificate type you have, you may need to get a UCC SSL Certificate that would allow you to have up to 5 domain names pointed at the same IP Address.  We had to get that for our server.  This would get rid of the certificate warning.

Here is a great article explaining how it should all work and good tools for testing:  http://www.petri.co.il/autodiscover-configuration-exchange-2010.htm
Browsing to autodiscover will give the error that you have posted. That is to be expected.
The popup from the Mac clients is also to be expected because you are using SRV records.

Don't create an internal autodiscover DNS record unless you have an SSL certificate with autodiscover on it. It will only cause you problems because of the name mismatch.

Simon.
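
The name-mismatch point above, as an added example that is not part of the original thread: it checks which Autodiscover hostnames mentioned in the thread are covered by the names on the certificate. The function name `Test-CertCoversHost` is hypothetical, and the certificate is assumed to carry only the CN shown in the ExRCA output with no additional SAN entries.

```powershell
# Added example (not from the thread). Pure string logic, no network access.
function Test-CertCoversHost {
    param(
        [Parameter(Mandatory = $true)][string]$HostName,
        [Parameter(Mandatory = $true)][string[]]$CertNames  # subject CN plus SAN DNS names
    )
    $hostLabels = $HostName.ToLowerInvariant().TrimEnd('.').Split('.')
    foreach ($name in $CertNames) {
        $certLabels = $name.ToLowerInvariant().TrimEnd('.').Split('.')
        # A wildcard never spans labels, so the label counts must be equal.
        if ($certLabels.Count -ne $hostLabels.Count) { continue }
        $covers = $true
        for ($i = 0; $i -lt $certLabels.Count; $i++) {
            # '*' is honoured only as the entire left-most label.
            if ($i -eq 0 -and $certLabels[0] -eq '*') { continue }
            if ($certLabels[$i] -ne $hostLabels[$i]) { $covers = $false; break }
        }
        if ($covers) { return $true }
    }
    return $false
}

# Names on the certificate: the CN is from the ExRCA output in the thread;
# having no extra SAN entries is an assumption.
$certNames = @('mail.chbtitle.com')

# Hosts named in the thread. The autodiscover.* URL is constructed from the
# hostname the asker saw Outlook resolve.
$endpoints = @(
    @{ Source = 'SCP (AutodiscoverServiceInternalUri)'; Url = 'https://mail.chbtitle.com/autodiscover/autodiscover.xml' },
    @{ Source = 'DNS SRV target';                       Url = 'https://mail.chbtitle.com/Autodiscover/Autodiscover.xml' },
    @{ Source = 'autodiscover A record';                Url = 'https://autodiscover.chbtitle.com/autodiscover/autodiscover.xml' }
)

$endpoints | ForEach-Object {
    $name = ([Uri]$_.Url).Host
    New-Object PSObject -Property @{
        Source     = $_.Source
        Host       = $name
        CertCovers = (Test-CertCoversHost -HostName $name -CertNames $certNames)
    }
} | Select-Object Source, Host, CertCovers | Format-Table -AutoSize
```

Any row where `CertCovers` is false is a hostname that will raise the certificate warning in Outlook until either the DNS record is removed or a certificate listing that name is installed.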

ASKER

When I run the test for auto config they are clearly trying to resolve autodiscover.chbtitle.com. Since my SSL cert is issued to mail.chbtitle.com, where do you tell the Outlook clients to use mail.chbtitle.com to resolve autodiscover?

You can do it on a per client setting in the registry, but I don't know how you might deploy this across your network other than through vbs scripting:  

http://support.microsoft.com/kb/2480582

This article shows how to adjust those settings.  Be careful modifying the registry.  Always make good notes of what you add so you can delete them if they don't work.  Make backup copies of the registry if you change an existing value so that it can be restored.

ASKER

I'm not looking to suppress the autoconfig pop up.

Here is a screenshot of what I am trying to fix. It finds autodiscover.xml through SCP and it starts but fails with a status of 500. Could the autodiscover.xml be corrupt?

I also removed this user's Outlook profile and opened Outlook to see if the server and user would automatically populate when adding an account. It worked as it should, but Out of Office still is not working.

ASKER

I'm also seeing this in the application event log on the Exchange server

Log Name:      Application
Source:        System.ServiceModel 3.0.0.0
Date:          1/16/2013 8:28:30 PM
Event ID:      3
Task Category: WebHost
Level:         Error
Keywords:      Classic
User:          SYSTEM
Computer:      CHB02.CHBT.local
Description:
WebHost failed to process a request.
 Sender Information: System.ServiceModel.ServiceHostingEnvironment+HostingManager/31201899
 Exception: System.ServiceModel.ServiceActivationException: The service '/Autodiscover/autodiscover.xml' cannot be activated due to an exception during compilation.  The exception message is: Method not found: 'System.String System.ServiceModel.Activation.Iis7Helper.ExtendedProtectionDotlessSpnNotEnabledThrowHelper(System.Object)'.. ---> System.MissingMethodException: Method not found: 'System.String System.ServiceModel.Activation.Iis7Helper.ExtendedProtectionDotlessSpnNotEnabledThrowHelper(System.Object)'.
   at System.ServiceModel.WasHosting.MetabaseSettingsIis7V2.WebConfigurationManagerWrapper.BuildExtendedProtectionPolicy(ExtendedProtectionTokenChecking tokenChecking, ExtendedProtectionFlags flags, List`1 spnList)
   at System.ServiceModel.WasHosting.MetabaseSettingsIis7V2.WebConfigurationManagerWrapper.GetExtendedProtectionPolicy(ConfigurationElement element)
   at System.ServiceModel.WasHosting.MetabaseSettingsIis7V2.ProcessWindowsAuthentication(String siteName, String virtualPath, HostedServiceTransportSettings& transportSettings)
   at System.ServiceModel.WasHosting.MetabaseSettingsIis7V2.CreateTransportSettings(String relativeVirtualPath)
   at System.ServiceModel.Activation.MetabaseSettingsIis.GetTransportSettings(String virtualPath)
   at System.ServiceModel.Activation.MetabaseSettingsIis.GetAuthenticationSchemes(String virtualPath)
   at System.ServiceModel.Channels.HttpChannelListener.ApplyHostedContext(VirtualPathExtension virtualPathExtension, Boolean isMetadataListener)
   at System.ServiceModel.Channels.HttpsChannelListener.ApplyHostedContext(VirtualPathExtension virtualPathExtension, Boolean isMetadataListener)
   at System.ServiceModel.Channels.HttpsTransportBindingElement.BuildChannelListener[TChannel](BindingContext context)
   at System.ServiceModel.Channels.BindingContext.BuildInnerChannelListener[TChannel]()
   at System.ServiceModel.Channels.BindingElement.BuildChannelListener[TChannel](BindingContext context)
   at Microsoft.Exchange.Autodiscover.WCF.LegacyMessageEncoderBindingElement.BuildChannelListener[TChannel](BindingContext context)
   at System.ServiceModel.Channels.BindingContext.BuildInnerChannelListener[TChannel]()
   at System.ServiceModel.Channels.Binding.BuildChannelListener[TChannel](Uri listenUriBaseAddress, String listenUriRelativeAddress, ListenUriMode listenUriMode, BindingParameterCollection parameters)
   at System.ServiceModel.Description.DispatcherBuilder.MaybeCreateListener(Boolean actuallyCreate, Type[] supportedChannels, Binding binding, BindingParameterCollection parameters, Uri listenUriBaseAddress, String listenUriRelativeAddress, ListenUriMode listenUriMode, ServiceThrottle throttle, IChannelListener& result, Boolean supportContextSession)
   at System.ServiceModel.Description.DispatcherBuilder.BuildChannelListener(StuffPerListenUriInfo stuff, ServiceHostBase serviceHost, Uri listenUri, ListenUriMode listenUriMode, Boolean supportContextSession, IChannelListener& result)
   at System.ServiceModel.Description.DispatcherBuilder.InitializeServiceHost(ServiceDescription description, ServiceHostBase serviceHost)
   at System.ServiceModel.ServiceHostBase.InitializeRuntime()
   at System.ServiceModel.ServiceHostBase.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.ServiceHostingEnvironment.HostingManager.ActivateService(String normalizedVirtualPath)
   at System.ServiceModel.ServiceHostingEnvironment.HostingManager.EnsureServiceAvailable(String normalizedVirtualPath)
   --- End of inner exception stack trace ---
   at System.ServiceModel.ServiceHostingEnvironment.HostingManager.EnsureServiceAvailable(String normalizedVirtualPath)
   at System.ServiceModel.ServiceHostingEnvironment.EnsureServiceAvailableFast(String relativeVirtualPath)
 Process Name: w3wp
 Process ID: 11056

ASKER CERTIFIED SOLUTION
pitboy

This solution is only available to members.
Good job finding the solution and thanks for posting what you found.

ASKER

Because I found the solution myself.