Exchange 2010 testexchangeconnectivity.com Autodiscover 401 unauthorized

Posted on 2013-01-30
Medium Priority
Last Modified: 2013-01-30
OK, I've been trying all the various tactics one finds for autodiscover troubleshooting for several weeks now with no luck, so I thought I'd bring it here and go back to first principles.  I'll give the output from testexchangeconnectivity.com and will provide other information as requested so as to proceed methodically.  Thanks in advance!

Here is the redacted output from testexchangeconnectivity.com:

      ExRCA is attempting to test Autodiscover for tester@domain.com.
       Testing Autodiscover failed.
      Test Steps
      Attempting each method of contacting the Autodiscover service.
       The Autodiscover service couldn't be contacted successfully by any method.
      Test Steps
      Attempting to test potential Autodiscover URL https://domain.com/AutoDiscover/AutoDiscover.xml
       Testing of this potential Autodiscover URL failed.
      Test Steps
      Attempting to resolve the host name domain.com in DNS.
       The host name resolved successfully.
      Additional Details
       IP addresses returned: XXXXXXX
      Testing TCP port 443 on host domain.com to ensure it's listening and open.
       The specified port is either blocked, not listening, or not producing the expected response.
        Tell me more about this issue and how to resolve it
      Additional Details
       A network error occurred while communicating with the remote host.
      Attempting to test potential Autodiscover URL https://autodiscover.domain.com/AutoDiscover/AutoDiscover.xml
       Testing of this potential Autodiscover URL failed.
      Test Steps
      Attempting to resolve the host name autodiscover.domain.com in DNS.
       The host name resolved successfully.
      Additional Details
       IP addresses returned: XXXXXXXXXXXX
      Testing TCP port 443 on host autodiscover.domain.com to ensure it's listening and open.
       The port was opened successfully.
      Testing the SSL certificate to make sure it's valid.
       The certificate passed all validation requirements.
      Test Steps
      ExRCA is attempting to obtain the SSL certificate from remote server autodiscover.domain.com on port 443.
       ExRCA successfully obtained the remote SSL certificate.
      Additional Details
       Remote Certificate Subject: XXXXXXXXXXXXXXXX
      Validating the certificate name.
       The certificate name was validated successfully.
      Additional Details
       Host name autodiscover.domain.com was found in the Certificate Subject Alternative Name entry.
      Certificate trust is being validated.
       The certificate is trusted and all certificates are present in the chain.
      Test Steps
      ExRCA is attempting to build certificate chains for certificate XXXXXXXXXXXXXXXX
       One or more certificate chains were constructed successfully.
      Additional Details
       A total of 1 chains were built. The highest quality chain ends in root certificate CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE.
      Analyzing the certificate chains for compatibility problems with versions of Windows.
       Potential compatibility problems were identified with some versions of Windows.
      Additional Details
       ExRCA can only validate the certificate chain using the Root Certificate Update functionality from Windows Update. Your certificate may not be trusted on Windows if the "Update Root Certificates" feature isn't enabled.
      Testing the certificate date to confirm the certificate is valid.
       Date validation passed. The certificate hasn't expired.
      Additional Details
       The certificate is valid. NotBefore = 10/14/2012 12:00:00 AM, NotAfter = 10/14/2015 11:59:59 PM
      Checking the IIS configuration for client certificate authentication.
       Client certificate authentication wasn't detected.
      Additional Details
       Accept/Require Client Certificates isn't configured.
      Attempting to send an Autodiscover POST request to potential Autodiscover URLs.
       Autodiscover settings weren't obtained when the Autodiscover POST request was sent.
      Test Steps
      ExRCA is attempting to retrieve an XML Autodiscover response from URL https://autodiscover.domain.com/AutoDiscover/AutoDiscover.xml for user tester@domain.com.
       ExRCA failed to obtain an Autodiscover XML response.
      Additional Details
       An HTTP 401 Unauthorized response was received from the remote Unknown server. This is usually the result of an incorrect username or password. If you are attempting to log onto an Office 365 service, ensure you are using your full User Principal Name (UPN).
Question by:McCombsExchange
  • 2
  • 2
LVL 10

Expert Comment

ID: 38836995
you either need to configure the UPN suffix for your user to match your email domain.com, or authenticate as domain\username.

Author Comment

ID: 38837004
Unfortunately, I am authenticating as domain\username.  Still this.
LVL 10

Accepted Solution

djcanter earned 2000 total points
ID: 38837049
The only way i can duplicate this is to have invalid domain\username/password combo.
If I have correct username/password, but invalid email address, the error is different.

Is this an on-premise exchange server? Can you confirm from AD the user logon name (pre-windows 2000).  Please also confirm the account is not locked.

Author Closing Comment

ID: 38837550
This is exactly why I needed to go back to first principles.  I was getting so bogged down in the minutiae of the auth settings and the internalautodiscoveruri and the certificate subject alternate names, I forgot that the script I used to create the test user creates room-type mailboxes, which of course are disabled.  /smh

It works now, of course.

Thank you!!!

Featured Post

Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

This article involves a discussion about issues people have when it comes to Client Access in relating to Load Balancing in an Exchange environment which we had ourselves, along with a solution I found to the problem.
The article is for all the Exchange users seeking smooth and effective EDB to PST conversion. Exchange Server is the most widely used platform for messaging with collaborative sharing, Exchange online, secure working environment, etc.
A short tutorial showing how to set up an email signature in Outlook on the Web (previously known as OWA). For free email signatures designs, visit https://www.mail-signatures.com/articles/signature-templates/?sts=6651 If you want to manage em…
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an antispam), the admini…

568 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question