SBS 2008 / Exchange 2007 - Autodiscover error 500

I am trying to get auto discovery up and working to sync with iPhones. However, we are getting an error : The remote server returned an error: (500) Internal Server Error.

We have a (bought) certificate for our external facing server (remote.domain) and installed. When running >test-outlookwebservices|fl it gives:

Id      : 1003
Type    : Information
Message : About to test AutoDiscover with the e-mail address

Id      : 1007
Type    : Information
Message : Testing server ABC.domain.local with the published name &

Id      : 1019
Type    : Information
Message : Found a valid AutoDiscover service connection point. The AutoDiscover URL on this object is

Id      : 1013
Type    : Error
Message : When contacting received the error The remote server returned an error: (500) Internal Server Error.

Id      : 1006
Type    : Error
Message : The Autodiscover service could not be contacted.

Likewise when we try going to:
this also shows server error in /autodiscover' application

When using this gives:

An ActiveSync session is being attempted with the server.
       Errors were encountered while testing the Exchange ActiveSync session.
      Test Steps
      Attempting to send the OPTIONS command to the server.
       Testing of the OPTIONS command failed. For more information, see Additional Details.
      Additional Details
       An HTTP 500 response was returned from Unknown.
Headers received:
Content-Length: 4283
Cache-Control: private
Content-Type: text/html; charset=utf-8
Date: Wed, 18 Sep 2013 01:05:02 GMT
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET

Does anyone have any suggestions on what next to fix this?


Hmm, just to make sure, please run in exchange power shell:
>get-webservicesvirtualdirectory |fl  url*

Also what are the subject names in your certificate .. only ?

If the email of your users is set like, this will not work because autodiscover will look for and not

if your only name is then you will need to put an SRV record in your external DNS

The SRV record should look like this :
_autodiscover._tcp IN SRV 0 0 443
Service: _autodiscover
 Protocol: _tcp
 Port Number: 443
hopvineAuthor Commented:
Running: get-webservicesvirtualdirectory |fl  *url*
InternalNLBBypassUrl : https://MYSERVER.domain.local/ews/exchange.asmx
InternalUrl          :
ExternalUrl          :

And yes, the only names in the certificate is

I should also note we do have a certificate which covers and This is currently only installed to our external web server.

On the SBS 2008 server, there is an entry in the DNS -> MYSERVER -> Forward Lookup Zones -> MYSERVER.local

This has an entry of:
Domain: MYSERVER.local
Service: _autodiscover
Protocol: _tcp
Port: 443
Host offering service:

Is there another place we should be putting this? Our website is hosted externally which uses cpanel to control it. This does not have an ability to add a SRV record.
In your internal DNS there is no point to put an SRV record because domain joined machines are querying the AD directly and your phones are always external anyway. You should delete that record.

So how and where did you register to point to your Exchange server ?
Normally it should be an external DNS record and there you can register the SRV record as well.

If it's too much trouble, you could disable SSL on the EWS virtual directory and then instruct your clients to enter directly and uncheck "my server require SSL"

To disable SSL > open IIS console > EWS > SSL > uncheck require SSL > run iisreset in CMD

*** Note that the above will work for mobile phones but will never work for Outlook Anywhere i.e external Outlook clients.

In my opinion if you already bought a certificate you should try to fix this correctly in your external dns, so your  Outlook and mobile clients enjoy autodiscover :)

hopvineAuthor Commented:
Thanks. I have now removed the SRV records from the SBS server.

Currently on the external site's web host, there are 2 records which relate to this:      14400      IN      CNAME      DYNAMIC.DNS      14400      IN      A      <domain static IP address>

In the meantime, in IIS,  under Sites -> SBS  Web Applications -> EWS we have turned off SSL.

Certificate was purchased just for the (SBS 2008) server). It has been installed only onto this server. Is there something else missing?

Meanwhile now when we try with the MS network analyser, with manual settings of: this does succeed! [using the autodiscover settings however still does not]      14400      IN      CNAME      14400      IN      A      14400      IN      A

The Microsoft Connectivity Analyzer is testing Exchange ActiveSync.
       Exchange ActiveSync was tested successfully.
      Test Steps
      Attempting to resolve the host name in DNS.
       The host name resolved successfully.
      Additional Details
       IP addresses returned: A.B.C.D
      Testing TCP port 443 on host to ensure it's listening and open.
       The port was opened successfully.
      Testing the SSL certificate to make sure it's valid.
       The certificate passed all validation requirements.
      Test Steps
      The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server on port 443.
       The Microsoft Connectivity Analyzer successfully obtained the remote SSL certificate.
      Additional Details
       Remote Certificate Subject:, OU=Domain Control Validated - RapidSSL(R), OU=See (c)11, OU=ABC123,, C=GB, SERIALNUMBER=ABC Issuer: CN=SSL CA, O="SSL Inc.", C=US.
      Validating the certificate name.
       The certificate name was validated successfully.
      Additional Details
       Host name was found in the Certificate Subject Common name.
      Validating certificate trust for Windows Mobile devices.
       The certificate is trusted and all certificates are present in the chain.
      Test Steps
      The Microsoft Connectivity Analyzer is attempting to build certificate chains for certificate, OU=Domain Control Validated - RapidSSL(R), OU=See (c)11, OU=ABC123,, C=GB, SERIALNUMBER=ABC.
       One or more certificate chains were constructed successfully.
      Additional Details
       A total of 1 chains were built. The highest quality chain ends in root certificate CN=SSL CA, O=SSL Inc., C=US.
      Analyzing the certificate chains for compatibility problems with Windows Phone devices.
       Potential compatibility problems were identified with some versions of Windows Phone.
        Tell me more about this issue and how to resolve it
      Additional Details
       The certificate is only trusted on Windows Mobile 6.0 and later versions. Devices running Windows Mobile 5.0 and 5.0 with the Messaging and Security Feature Pack won't be able to sync. Root = CN=SSLl CA, O=SSL Inc., C=US.
      The Microsoft Connectivity Analyzer is analyzing intermediate certificates sent by the remote server.
       All intermediate certificates are present and valid.
      Additional Details
       All intermediate certificates were present and valid.
      Testing the certificate date to confirm the certificate is valid.
       Date validation passed. The certificate hasn't expired.
      Additional Details
       The certificate is valid. NotBefore = 7/7/2011 4:21:28 PM, NotAfter = 7/8/2016 7:51:34 AM
      Checking the IIS configuration for client certificate authentication.
       Client certificate authentication wasn't detected.
      Additional Details
       Accept/Require Client Certificates isn't configured.
      Testing HTTP Authentication Methods for URL
       The HTTP authentication methods are correct.
      Additional Details
       The Microsoft Connectivity Analyzer found all expected authentication methods and no disallowed methods. Methods found: Basic
      An ActiveSync session is being attempted with the server.
       Testing of an Exchange ActiveSync session completed successfully.
      Test Steps
      Attempting to send the OPTIONS command to the server.
       The OPTIONS response was successfully received and is valid.
      Additional Details
       Headers received:
MS-Server-ActiveSync: 8.3
MS-ASProtocolVersions: 1.0,2.0,2.1,2.5,12.0,12.1
MS-ASProtocolCommands: Sync,SendMail,SmartForward,SmartReply,GetAttachment,GetHierarchy,CreateCollection,DeleteCollection,MoveCollection,FolderSync,FolderCreate,FolderDelete,FolderUpdate,MoveItems,GetItemEstimate,MeetingResponse,Search,Settings,Ping,ItemOperations,Provision,ResolveRecipients,ValidateCert
Content-Length: 0
Cache-Control: private
Date: Wed, 18 Sep 2013 12:15:10 GMT
Server: Microsoft-IIS/7.0
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET

      Attempting the FolderSync command on the Exchange ActiveSync session.
       The FolderSync command completed successfully.
      Additional Details
       Number of folders: XY

<FolderSync xmlns="FolderHierarchy:">
</Add>LIst of folders
      Attempting the initial sync to the Inbox folder. This initial sync won't return any data.
       The Sync command completed successfully.
      Additional Details
       Status: 1
      Attempting to test the GetItemEstimate command for the Inbox folder.
       The Microsoft Connectivity Analyzer successfully received the GetItemEstimate response from the server.
      Additional Details
       Estimate: XYZ messages
Well, not having a fixed IP and a CNAME to point to your server might give you weird results. It should be an A record like
The autodiscover record in your DNS is also useless because you don't have in your SAN certificate the name

Like I said, you need an SRV record on the external DNS.
The way you should think is:
1) I have only 1 name in my certificate >
2) How can I tell clients to connect automatically to

Without getting into details, Outlook and phones using autodiscover are hardcoded to look for specific DNS record names in order to resolve your server.
Those names are:
For each name (record) it checks if the corresponding name is in the certificate; if it's not then it will continue with the next one.
If all fails, it checks for the existence of an SRV record
3) srv record >

Therefore you have 2 choices. Either put an SRV record or purchase another certificate with the name inside.
Here is a similar question I answered before :

Also my article about autodiscover might bring some light in the tunnel :)
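
The check implied by the advice above, as an added example that is not part of the thread: it parses a zone-file style SRV line and confirms that the record is complete, points at port 443, and names a target host that the installed certificate actually covers. The example.com names, the record lines and the function names are constructed for illustration.

```python
import re

# Zone-file style SRV line: name [TTL] IN SRV priority weight port target
SRV_RE = re.compile(
    r"^(?P<name>\S+)\s+(?:(?P<ttl>\d+)\s+)?IN\s+SRV\s+"
    r"(?P<prio>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)\s*$",
    re.IGNORECASE,
)

def parse_srv(line):
    """Parse one SRV line; return a dict, or None if a field is missing."""
    m = SRV_RE.match(line.strip())
    if not m:
        return None
    return {"name": m["name"].rstrip(".").lower(),
            "port": int(m["port"]),
            "target": m["target"].rstrip(".").lower()}

def cert_covers(host, cert_names):
    """True if host matches a certificate name (one-label wildcard allowed)."""
    host = host.rstrip(".").lower()
    for name in (n.lower() for n in cert_names):
        if name == host:
            return True
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False

def check_autodiscover_srv(line, mail_domain, cert_names):
    """Return a list of problems; an empty list means the record is usable."""
    srv = parse_srv(line)
    if srv is None:
        return ["record is incomplete or not an SRV record"]
    problems = []
    if srv["name"] != f"_autodiscover._tcp.{mail_domain}".lower():
        problems.append("owner name is not _autodiscover._tcp.<mail domain>")
    if srv["port"] != 443:
        problems.append("port is not 443")
    if not cert_covers(srv["target"], cert_names):
        problems.append(f"certificate does not cover target {srv['target']}")
    return problems

# Constructed sample data (example.com stands in for the thread's domain).
CERT_NAMES = ["remote.example.com"]
GOOD = "_autodiscover._tcp.example.com. 14400 IN SRV 0 0 443 remote.example.com."
NO_TARGET = "_autodiscover._tcp.example.com. IN SRV 0 0 443"
WRONG_HOST = "_autodiscover._tcp.example.com. 14400 IN SRV 0 0 443 autodiscover.example.com."
```

With a single-name certificate, only the first record passes: the second has no target host, and the third points at a name the certificate does not contain.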

hopvineAuthor Commented:
We are currently working with our hosting company to get a SRV record in place (we use cpanel and this does not have this as an option for us to do alas).

Else we will also be looking at plan b - getting an autodiscover cert.

Will post later on progress on this and how resolved, so can help others too.
hopvineAuthor Commented:
We have succeeded in getting our hosting company to add a SRV record. This does now appear to be filtering in - which is now able to traverse the tree using the M$ connectivity check, which I can see the SRV record is being used. This is:

We may still look to get another certificate, but getting the SRV added (which also then picks up and shows as valid's certificate) is looking good.

Thank you.