Partly working Autodiscover

Hi!

I’m migrating from Exchange 2003 to 2010 and am struggling with the Autodiscover setup.
When I connect externally with Outlook 2013 it keeps asking for username and password.
I then have to log on with localdomain\username twice to finish the wizard. I’m really keen on getting this right so that e-mail address and password are the only things that are needed.
When I try to create an Exchange account on an Android device the server settings are found when using the administrator account, but it doesn’t accept the username/password. When using a “normal” user it fails to find the server settings at all.
I have run the Microsoft Connectivity Analyzer for Outlook Anywhere (RPC over HTTP) and ActiveSync. Both tests finish successfully using the autodiscover.externaldomain.com DNS record. But I still have this problem with Outlook and Android.
Outlook and Android devices work fine after manual configuration.
Maybe this has something to do with the SAN certificate, since it doesn’t include the mailserver.localdomain.local name? Or Basic/NTLM authentication?

This is what I have done:
•      Created a GoDaddy SAN certificate with these domain names:
mail.externaldomain.com
externaldomain.com
autodiscover.externaldomain.com

•      Activated Outlook Anywhere with NTLM authentication

•      Changed the URLs for the Virtual Directories

Set-ClientAccessServer -Identity localhostname -AutodiscoverServiceInternalUri https://mail.externaldomain.com/autodiscover/autodiscover.xml

Set-WebServicesVirtualDirectory -Identity "localhostname\EWS (Default Web Site)" -InternalUrl https://mail.externaldomain.com/ews/exchange.asmx

Set-WebServicesVirtualDirectory -Identity "localhostname\EWS (Default Web Site)" -ExternalUrl https://mail.externaldomain.com/ews/exchange.asmx

Set-OABVirtualDirectory -Identity "localhostname\oab (Default Web Site)" -InternalUrl https://mail.externaldomain.com/oab

Set-ActiveSyncVirtualDirectory -Identity "localhostname\microsoft-server-activesync (Default Web Site)" -ExternalUrl https://mail.externaldomain.com/Microsoft-Server-ActiveSync
elit2007Asked:
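The question above boils down to one check: does every URL the Client Access Server publishes through Autodiscover use a hostname that is actually on the certificate bound to IIS? The script below is an added example (not code from the thread or from Microsoft) that runs in the Exchange Management Shell on the Exchange 2010 server, collects the Autodiscover SCP URI, the virtual directory URLs and the Outlook Anywhere hostname, and reports which of those hostnames the IIS certificate does not cover. It assumes only the server name; `New-Object PSObject` is used so that it also runs on the PowerShell 2.0 that ships with Server 2008 R2.

```powershell
# Added example, not from the thread. Run in the Exchange Management Shell on the
# Exchange 2010 Client Access Server. Assumption: the server name passed in.
param([string]$Server = $env:COMPUTERNAME)

# Does a certificate name (possibly a "*.domain" wildcard) cover the given hostname?
function Test-CertNameMatch {
    param([string]$CertName, [string]$HostName)
    if ($CertName.StartsWith("*.")) {
        $suffix = $CertName.Substring(1)                       # e.g. ".externaldomain.com"
        if (-not $HostName.EndsWith($suffix, [StringComparison]::OrdinalIgnoreCase)) { return $false }
        # A wildcard covers exactly one label, so the remainder must contain no dot.
        return ($HostName.Substring(0, $HostName.Length - $suffix.Length) -notmatch '\.')
    }
    return ($CertName -ieq $HostName)
}

# Collect every URL Autodiscover hands to clients and mark whether the IIS certificate covers its host.
function Get-ClientAccessUrlReport {
    param([string]$Server)
    $entries = @()
    $cas = Get-ClientAccessServer -Identity $Server
    $entries += New-Object PSObject -Property @{ Service = "Autodiscover SCP"; Url = $cas.AutoDiscoverServiceInternalUri }

    $vdirs = @()
    $vdirs += Get-WebServicesVirtualDirectory -Server $Server
    $vdirs += Get-OabVirtualDirectory -Server $Server
    $vdirs += Get-ActiveSyncVirtualDirectory -Server $Server
    $vdirs += Get-OwaVirtualDirectory -Server $Server
    $vdirs += Get-EcpVirtualDirectory -Server $Server
    foreach ($vd in $vdirs) {
        $entries += New-Object PSObject -Property @{ Service = "$($vd.Name) InternalUrl"; Url = $vd.InternalUrl }
        $entries += New-Object PSObject -Property @{ Service = "$($vd.Name) ExternalUrl"; Url = $vd.ExternalUrl }
    }
    $oa = Get-OutlookAnywhere -Server $Server
    if ($oa -and $oa.ExternalHostname) {
        $entries += New-Object PSObject -Property @{ Service = "Outlook Anywhere ExternalHostname"; Url = "https://$($oa.ExternalHostname)/rpc" }
    }

    # Names on the certificate that IIS is actually serving (Services contains "IIS").
    $iisCert   = Get-ExchangeCertificate -Server $Server | Where-Object { $_.Services -match "IIS" } | Select-Object -First 1
    $certNames = @($iisCert.CertificateDomains | ForEach-Object { $_.ToString() })

    foreach ($e in $entries) {
        $hostName = if ($e.Url) { ([uri]$e.Url.ToString()).Host } else { $null }
        $covered = $false
        if ($hostName) {
            foreach ($n in $certNames) { if (Test-CertNameMatch $n $hostName) { $covered = $true } }
        }
        New-Object PSObject -Property @{ Service = $e.Service; Host = $hostName; OnCert = $covered }
    }
}

# Anything with OnCert = False (for instance an InternalUrl still pointing at
# mailserver.localdomain.local) will produce certificate prompts or failures in clients.
Get-ClientAccessUrlReport -Server $Server | Format-Table Service, Host, OnCert -AutoSize
```

Empty `Host` values mean the URL was never set; an internal URL left at the server's AD FQDN, which a public SAN certificate cannot contain, shows up as `OnCert = False` and is the usual source of the symptom described in the question.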

SteveIT ManagerCommented:
Hi

when we did this recently I also created legacy.domain.com which handled all the 2003 users prior to mailbox move


http://exchangeserverpro.com/exchange-2003-2010-coexistence/

In the end I bit the bullet, took a backup of the 2003 exchange and moved all mailboxes one Friday night to the 2010 box rather than stay in coexistence
0
Giovanni HewardCommented:
You may want to review the guide I posted here.
0
elit2007Author Commented:
I suppose mail.externaldomain.com is my legacy name that is already included in the SAN certificate.
I have moved the administrator’s mailbox and a test user. So the accounts I'm testing against are located on the new Exchange server.
The ActiveSync and Outlook Anywhere tests finish successfully on http://testexchangeconnectivity. But these tests also use the localdomain/username. So I’m not sure if these tests will recognize my problem.
0
TMekeelCommented:
That's a setting in Exchange that needs to be changed if you want to use the email address.
Look at the OWA settings under Server Configuration > Client Access > Authentication tab > Use forms-based authentication.

You should be able to change that so you can login with your email address instead of Domain\Username.
0
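The OWA setting TMekeel refers to is the virtual directory's `LogonFormat`, which the Exchange Management Shell exposes alongside the EMC checkbox. The snippet below is an added example (not from the thread) that shows the setting before and after the change; the server name and the internal AD domain are assumptions. Note that `LogonFormat` only shapes the forms-based OWA logon page: Outlook Anywhere and ActiveSync authenticate with Basic or NTLM directly against IIS, so they are not affected by it.

```powershell
# Added example, not from the thread. Exchange Management Shell, Exchange 2010.
# Assumptions: the CAS name and the internal AD domain name below.
$Server   = "localhostname"
$OwaVdir  = "$Server\owa (Default Web Site)"
$AdDomain = "localdomain.local"

$before = Get-OwaVirtualDirectory -Identity $OwaVdir
"Before: LogonFormat={0} DefaultDomain={1} FormsAuthentication={2}" -f `
    $before.LogonFormat, $before.DefaultDomain, $before.FormsAuthentication

# LogonFormat is only consulted by the forms-based logon page.
if (-not $before.FormsAuthentication) {
    Write-Warning "Forms-based authentication is off on $OwaVdir; LogonFormat will not be used."
}

# Valid values: FullDomain (domain\user), UserName (user, with DefaultDomain supplied), PrincipalName (UPN).
Set-OwaVirtualDirectory -Identity $OwaVdir -LogonFormat UserName -DefaultDomain $AdDomain

$after = Get-OwaVirtualDirectory -Identity $OwaVdir
"After:  LogonFormat={0} DefaultDomain={1}" -f $after.LogonFormat, $after.DefaultDomain

# The new logon form appears once the OWA application pool has recycled, e.g. after:
#   iisreset /noforce
```

`PrincipalName` is the value to pick if the goal is signing in with the e-mail address itself, which additionally requires the users' UPNs to match their SMTP addresses.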
elit2007Author Commented:
Perfect, I changed to only use the username and selected the internal domain. Now Outlook connects using the email address and password. Android can't still find the server settings, but maybe this is another problem.
0
TMekeelCommented:
Do you have an autodiscover record in your registrar's DNS (or whomever is hosting your DNS for your domain?)
0
TMekeelCommented:
I also see you have set the internal uri for autodiscover, but what about external?

Lastly, in Server Configuration > Client Access > Exchange ActiveSync > Authentication,
what settings are you using?
0
elit2007Author Commented:
Sorry. Forgot about the external URLs. Used EMC for those.

Owa external URL: https://mail.externaldomain.com/owa

Activesync external URL: https://mail.externaldomain.com/Microsoft-Server-ActiveSync
Authentication: Basic
0
elit2007Author Commented:
And yes, autodiscover.externaldomain.com is registered in DNS.

https://externaldomain.com/AutoDiscover/AutoDiscover.xml can't be used because the root is redirected to the corporate website.

I have not registered the SRV record. Should I?
0
elit2007Author Commented:
Arghh, fooled by the Windows Credential Manager. It is still prompting for the localdomain/username. See screenshot attached. Can't see anything about email login.
owa.png
0
TMekeelCommented:
I think you want UPN for the auth.
Also, you should have an autodiscover CNAME pointing to https://mail.externaldomain.com in your registrar's DNS. Not your local AD DNS.
0
elit2007Author Commented:
So UPN will work although the internal domain is a .local domain?

I already got a CNAME for autodiscover.externaldomain.com -> mail.externaldomain.com
on the external registrar.

The Exchange Connectivity test finds this record and runs a successful ActiveSync test against it.
0
TMekeelCommented:
You can add the external domain as a UPN suffix to AD and it should be fine.
Go to AD > AD Domains and Trusts. Right-click Domains and Trusts and select Properties.
Add the external suffix, example.com for example.
Then change the user's profile to the external suffix.

This will not stop domain accounts logging into local machines with domain\username. They can still log in that way, or now additionally with their email address.
0
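The same change can be made from PowerShell, which is easier to preview and to apply to many users at once. The script below is an added example (not from the thread) using the ActiveDirectory module from Server 2008 R2 RSAT; the suffix, test user and OU path are assumptions. A UPN suffix is a logon-name convention only: adding externaldomain.com as a suffix creates no DNS zone and does not change how the .local forest resolves names, which answers the follow-up question about the local DNS server. For "e-mail address + password" to work, the UPN has to equal the user's primary SMTP address, so the script prefers the `mail` attribute over `samAccountName@suffix` when the two differ.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory module (RSAT).
# Assumptions: the UPN suffix, test user and OU distinguished name below.
Import-Module ActiveDirectory
$Suffix   = "externaldomain.com"
$TestUser = "testuser"
$OU       = "OU=Users,DC=localdomain,DC=local"

# 1. Register the suffix forest-wide (idempotent). No DNS zone is created by this.
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $Suffix) {
    Set-ADForest -Identity $forest -UPNSuffixes @{ Add = $Suffix }
}

# Work out the UPN a user should get: the primary SMTP address if it is in the
# external domain, otherwise samAccountName@suffix as in the GUI procedure.
function Get-PlannedUpn {
    param($User, [string]$Suffix)
    if ($User.mail -and $User.mail -like "*@$Suffix") { return $User.mail }
    return ("{0}@{1}" -f $User.SamAccountName, $Suffix)
}

# 2. Move one test user first and verify against the mailbox's SMTP address.
$u      = Get-ADUser -Identity $TestUser -Properties mail
$newUpn = Get-PlannedUpn -User $u -Suffix $Suffix
if ($u.mail -and ($u.mail -ine $newUpn)) {
    Write-Warning "Primary SMTP '$($u.mail)' differs from planned UPN '$newUpn'; signing in with the e-mail address will still fail."
}
Set-ADUser -Identity $u -UserPrincipalName $newUpn
Get-ADUser -Identity $TestUser | Select-Object SamAccountName, UserPrincipalName

# 3. Preview the bulk change for an OU; drop -WhatIf once the output looks right.
Get-ADUser -Filter * -SearchBase $OU -Properties mail |
    Where-Object { $_.UserPrincipalName -notlike "*@$Suffix" } |
    ForEach-Object {
        Set-ADUser -Identity $_ -UserPrincipalName (Get-PlannedUpn -User $_ -Suffix $Suffix) -WhatIf
    }
```

Changing a UPN does not touch the samAccountName, so `domain\username` logons keep working exactly as TMekeel says; it does affect anything else that keys on the old UPN (saved credentials, some SSO integrations), which is why step 2 runs on a single account first.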
elit2007Author Commented:
Okay. So there will not be any problem reaching the external website from the local domain?
Or in other words, these settings will not affect the local DNS server?
0
elit2007Author Commented:
Another problem is that autodiscover is discovering the wrong certificate. Instead of using autodiscover.externaldomain.com, it is using the certificate from https://externaldomain.com.
I found an article about this, but is it so bad that this problem can't be solved without removing SSL on the external web host? It seems almost impossible to get autodiscover to work properly.


http://exchangemaster.wordpress.com/2013/05/07/new-behavior-in-outlook-2013-causing-certificate-errors-in-some-environments/
0
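The certificate problem in the last post is easiest to reason about by looking at what each Autodiscover candidate actually presents. Outlook tries `https://<smtp-domain>/Autodiscover/Autodiscover.xml` before `https://autodiscover.<smtp-domain>/...`, and may finally consult the `_autodiscover._tcp` SRV record, so whatever certificate the corporate website on the root domain serves is the first one the client sees. The script below is an added example (not from the thread or from Microsoft) that walks those candidates from any Windows workstation, does a TLS handshake with each, and prints the certificate's names and whether they match the host. It assumes outbound port 443 and `Resolve-DnsName`, which needs PowerShell 3.0 (Windows 8 / Server 2012 or later); on older hosts replace the SRV lookup with `nslookup -type=SRV`.

```powershell
# Added example, not from the thread. Assumptions: outbound 443 from this machine,
# PowerShell 3.0+ for Resolve-DnsName, and the SMTP domain passed in.
param([string]$SmtpDomain = "externaldomain.com")

# Handshake with a host and report the names on the certificate it presents.
function Get-TlsCertificateInfo {
    param([string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $Port)
        # Accept any certificate here so a mismatched one is reported instead of throwing.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate

        # Names the certificate is valid for: the SAN extension (OID 2.5.29.17) plus the subject CN.
        $names  = @()
        $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
        if ($sanExt) {
            $names += ($sanExt.Format($false) -split ",\s*") | ForEach-Object { ($_ -split "=")[-1].Trim() }
        }
        $cn = ($cert.Subject -split ",\s*" | Where-Object { $_ -like "CN=*" }) -replace "^CN=", ""
        if ($cn) { $names += $cn }

        # Exact match, or a single-label wildcard match.
        $match = $false
        foreach ($n in $names) {
            if ($n -ieq $HostName) { $match = $true }
            elseif ($n.StartsWith("*.") -and ($HostName -ilike $n) -and
                    ($HostName.Split(".").Count -eq $n.Split(".").Count)) { $match = $true }
        }
        New-Object PSObject -Property @{
            Host = $HostName; NameMatches = $match; Names = ($names -join " ")
            Issuer = $cert.Issuer; Expires = $cert.NotAfter
        }
    } catch {
        New-Object PSObject -Property @{
            Host = $HostName; NameMatches = $false; Names = "no TLS: $($_.Exception.Message)"
            Issuer = ""; Expires = $null
        }
    } finally { $tcp.Close() }
}

# Autodiscover lookup order: root domain, autodiscover host, then the SRV target.
$candidates = @($SmtpDomain, "autodiscover.$SmtpDomain")
$srv = Resolve-DnsName -Name "_autodiscover._tcp.$SmtpDomain" -Type SRV -ErrorAction SilentlyContinue |
       Where-Object { $_.Type -eq "SRV" }
if ($srv) { $candidates += $srv.NameTarget } else { "No SRV record for _autodiscover._tcp.$SmtpDomain" }

$candidates | ForEach-Object { Get-TlsCertificateInfo -HostName $_ } |
    Format-Table Host, NameMatches, Names, Expires -AutoSize
```

In the situation described above the first row (the root domain) would show the web host's certificate with `NameMatches = False` while the `autodiscover.` row shows the GoDaddy SAN certificate. The SRV target is assumed to listen on 443; if the record publishes another port, pass it with `-Port`.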