Solved

Exchange 2010 testexchangeconnectivity.com Autodiscover 401 unauthorized

Posted on 2013-01-30
4
3,720 Views
Last Modified: 2013-01-30
OK, I've been trying all the various tactics one finds for autodiscover troubleshooting for several weeks now with no luck, so I thought I'd bring it here and go back to first principles.  I'll give the output from testexchangeconnectivity.com and will provide other information as requested so as to proceed methodically.  Thanks in advance!

Here is the redacted output from testexchangeconnectivity.com:

      ExRCA is attempting to test Autodiscover for tester@domain.com.
       Testing Autodiscover failed.
       
      Test Steps
       
      Attempting each method of contacting the Autodiscover service.
       The Autodiscover service couldn't be contacted successfully by any method.
       
      Test Steps
       
      Attempting to test potential Autodiscover URL https://domain.com/AutoDiscover/AutoDiscover.xml
       Testing of this potential Autodiscover URL failed.
       
      Test Steps
       
      Attempting to resolve the host name domain.com in DNS.
       The host name resolved successfully.
       
      Additional Details
       IP addresses returned: XXXXXXX
      Testing TCP port 443 on host domain.com to ensure it's listening and open.
       The specified port is either blocked, not listening, or not producing the expected response.
        Tell me more about this issue and how to resolve it
       
      Additional Details
       A network error occurred while communicating with the remote host.
      Attempting to test potential Autodiscover URL https://autodiscover.domain.com/AutoDiscover/AutoDiscover.xml
       Testing of this potential Autodiscover URL failed.
       
      Test Steps
       
      Attempting to resolve the host name autodiscover.domain.com in DNS.
       The host name resolved successfully.
       
      Additional Details
       IP addresses returned: XXXXXXXXXXXX
      Testing TCP port 443 on host autodiscover.domain.com to ensure it's listening and open.
       The port was opened successfully.
      Testing the SSL certificate to make sure it's valid.
       The certificate passed all validation requirements.
       
      Test Steps
       
      ExRCA is attempting to obtain the SSL certificate from remote server autodiscover.domain.com on port 443.
       ExRCA successfully obtained the remote SSL certificate.
       
      Additional Details
       Remote Certificate Subject: XXXXXXXXXXXXXXXX
      Validating the certificate name.
       The certificate name was validated successfully.
       
      Additional Details
       Host name autodiscover.domain.com was found in the Certificate Subject Alternative Name entry.
      Certificate trust is being validated.
       The certificate is trusted and all certificates are present in the chain.
       
      Test Steps
       
      ExRCA is attempting to build certificate chains for certificate XXXXXXXXXXXXXXXX
       One or more certificate chains were constructed successfully.
       
      Additional Details
       A total of 1 chains were built. The highest quality chain ends in root certificate CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE.
      Analyzing the certificate chains for compatibility problems with versions of Windows.
       Potential compatibility problems were identified with some versions of Windows.
       
      Additional Details
       ExRCA can only validate the certificate chain using the Root Certificate Update functionality from Windows Update. Your certificate may not be trusted on Windows if the "Update Root Certificates" feature isn't enabled.
      Testing the certificate date to confirm the certificate is valid.
       Date validation passed. The certificate hasn't expired.
       
      Additional Details
       The certificate is valid. NotBefore = 10/14/2012 12:00:00 AM, NotAfter = 10/14/2015 11:59:59 PM
      Checking the IIS configuration for client certificate authentication.
       Client certificate authentication wasn't detected.
       
      Additional Details
       Accept/Require Client Certificates isn't configured.
      Attempting to send an Autodiscover POST request to potential Autodiscover URLs.
       Autodiscover settings weren't obtained when the Autodiscover POST request was sent.
       
      Test Steps
       
      ExRCA is attempting to retrieve an XML Autodiscover response from URL https://autodiscover.domain.com/AutoDiscover/AutoDiscover.xml for user tester@domain.com.
       ExRCA failed to obtain an Autodiscover XML response.
       
      Additional Details
       An HTTP 401 Unauthorized response was received from the remote Unknown server. This is usually the result of an incorrect username or password. If you are attempting to log onto an Office 365 service, ensure you are using your full User Principal Name (UPN).
0
Comment
Question by:McCombsExchange
  • 2
  • 2
4 Comments
 
LVL 10

Expert Comment

by:djcanter
Comment Utility
you either need to configure the UPN suffix for your user to match your email domain.com, or authenticate as domain\username.
0
 
LVL 5

Author Comment

by:McCombsExchange
Comment Utility
Unfortunately, I am authenticating as domain\username.  Still this.
0
 
LVL 10

Accepted Solution

by:
djcanter earned 500 total points
Comment Utility
The only way i can duplicate this is to have invalid domain\username/password combo.
If I have correct username/password, but invalid email address, the error is different.

Is this an on-premise exchange server? Can you confirm from AD the user logon name (pre-windows 2000).  Please also confirm the account is not locked.
0
 
LVL 5

Author Closing Comment

by:McCombsExchange
Comment Utility
This is exactly why I needed to go back to first principles.  I was getting so bogged down in the minutiae of the auth settings and the internalautodiscoveruri and the certificate subject alternate names, I forgot that the script I used to create the test user creates room-type mailboxes, which of course are disabled.  /smh

It works now, of course.

Thank you!!!
0

Featured Post

Enabling OSINT in Activity Based Intelligence

Activity based intelligence (ABI) requires access to all available sources of data. Recorded Future allows analysts to observe structured data on the open, deep, and dark web.

Join & Write a Comment

We are happy to announce a brand new addition to our line of acclaimed email signature management products – CodeTwo Email Signatures for Office 365.
Easy CSR creation in Exchange 2007,2010 and 2013
To show how to generate a certificate request in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.:  First we need to log into the Exchange Admin Center. Navigate to the Servers >> Certificates…
The video tutorial explains the basics of the Exchange server Database Availability groups. The components of this video include: 1. Automatic Failover 2. Failover Clustering 3. Active Manager

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now