elit2007
asked on
Partly working Autodiscover
Hi!
I’m migrating from Exchange 2003 to 2010 and am struggling with the Autodiscover setup.
When I connect externally with Outlook 2013 it keeps asking for username and password.
I then have to log on with localdomain\username twice to finish the wizard. I’m really keen on getting this right so that e-mail address and password are the only things needed.
When I try to create an Exchange account on an Android device the server settings are found when using the administrator account, but it doesn’t accept the username/password. When using a “normal” user it fails to find the server settings at all.
I have run Microsoft Connectivity Analyzer for Outlook Anywhere (RPC over HTTP) and ActiveSync. Both tests finish successfully using the autodiscover.externaldomain.com DNS record. But I still get this problem with Outlook and Android.
Outlook and Android devices work fine after manual configuration.
Maybe this has something to do with the SAN certificate since it doesn’t include the mailserver.localdomain.local name? Or Basic/NTLM authentication?
This is what I have done:
• Created a GoDaddy SAN certificate with these domain names:
Mail.externaldomain.com
externaldomain.com
autodiscover.externaldomain.com
• Activated Outlook Anywhere with NTLM authentication
• Changed the URLs for the Virtual Directories
Set-ClientAccessServer -Identity localhostname -AutodiscoverServiceInternalUri https://mail.externaldomain.com/autodiscover/autodiscover.xml
Set-WebServicesVirtualDirectory -Identity "localhostname\EWS (Default Web Site)" -InternalUrl https://mail.externaldomain.com/ews/exchange.asmx
Set-WebServicesVirtualDirectory -Identity "localhostname\EWS (Default Web Site)" -ExternalUrl https://mail.externaldomain.com/ews/exchange.asmx
Set-OABVirtualDirectory -Identity "localhostname\oab (Default Web Site)" -InternalUrl https://mail.externaldomain.com/oab
Set-ActiveSyncVirtualDirectory "localhostname\microsoft-server-activesync (Default Web Site)" -ExternalURL https://mail.externaldomain.com/microsoft-server
You may want to review the guide I posted here.
ASKER
I suppose mail.externaldomain.com is my legacy name that is already included in the SAN certificate.
I have moved the administrator’s mailbox and a test user. So the accounts I'm testing against are located on the new Exchange server.
The ActiveSync and Outlook Anywhere tests finish successfully on http://testexchangeconnectivity. But these tests also use the localdomain/username. So I’m not sure if these tests will recognize my problem.
That's a setting in Exchange that needs to be changed if you want to use the email address.
Look at the OWA settings under Server Configuration > Client Access > Authentication tab > Use forms-based authentication.
You should be able to change that so you can login with your email address instead of Domain\Username.
ASKER
Perfect, I changed to only use the username and selected the internal domain. Now Outlook connects using the email address and password. Android still can't find the server settings, but maybe this is another problem.
Do you have an autodiscover record in your registrar's DNS (or whomever is hosting your DNS for your domain?)
I also see you have set the internal uri for autodiscover, but what about external?
Lastly, in Server Configuration > Client Access > Exchange ActiveSync > Authentication,
what settings are you using?
ASKER
Sorry. Forgot about the external URLs. Used EMC for those.
Owa external URL: https://mail.externaldomain.com/owa
Activesync external URL: https://mail.externaldomain.com/Microsoft-Server-ActiveSync
Authentication: Basic
ASKER
And yes, autodiscover.externaldomain.com is registered in DNS.
https://externaldomain.com/AutoDiscover/AutoDiscover.xml can't be used because the root is redirected to the corporate website.
I have not registered the SRV record. Should I?
ASKER
Arghh, fooled by the Windows Credential Manager. It is still prompting for the localdomain/username. See screenshot attached. Can't see anything about email login.
owa.png
I think you want upn for the auth.
Also, you should have an autodiscover CNAME pointing to https://mail.externaldomain.com in your registrar's DNS. Not your local AD DNS.
ASKER
So upn will work although the internal domain is a .local domain?
I already have a CNAME for autodiscover.externaldomain.com -> mail.externaldomain.com
on the external registrar.
The Exchange Connectivity test finds this record and runs a successful ActiveSync test against it.
ASKER CERTIFIED SOLUTION
ASKER
Okay. So there will not be any problem reaching the external website from the local domain?
Or in other words, these settings will not affect the local DNS server?
ASKER
Another problem is that autodiscover is discovering the wrong certificate. Instead of using autodiscover.externaldomain.com, it is using the certificate from https://externaldomain.com.
I found an article about this, but is it so bad that this problem can't be solved without removing SSL on the external web hotel? It seems almost impossible to get autodiscover to work properly.
http://exchangemaster.wordpress.com/2013/05/07/new-behavior-in-outlook-2013-causing-certificate-errors-in-some-environments/
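Added example, not part of the thread: a client outside the domain tries the root-domain HTTPS URL before autodiscover.<domain>, which is how a web host's certificate can surface first. The PowerShell below walks that lookup order (general Outlook behaviour, not spelled out in the thread) and checks each HTTPS host against the names on the certificate it would present; the function names are hypothetical and the web host's certificate names are constructed sample data.

```powershell
# Added example; function names are hypothetical. Host names reuse the thread's
# placeholders; the web host's certificate names are constructed sample data.
function Get-AutodiscoverCandidates {
    param([Parameter(Mandatory)][string]$EmailAddress)
    $domain = ($EmailAddress -split '@')[-1].ToLowerInvariant()
    # Lookup order for a client that cannot reach the AD service connection point.
    [pscustomobject]@{ Step = 1; Target = "https://$domain/autodiscover/autodiscover.xml" }
    [pscustomobject]@{ Step = 2; Target = "https://autodiscover.$domain/autodiscover/autodiscover.xml" }
    [pscustomobject]@{ Step = 3; Target = "http://autodiscover.$domain/autodiscover/autodiscover.xml" }
    [pscustomobject]@{ Step = 4; Target = "SRV _autodiscover._tcp.$domain" }
}

function Test-CertNameMatch {
    param([string]$HostName, [string[]]$DnsNames)
    $h = $HostName.ToLowerInvariant()
    foreach ($name in $DnsNames) {
        $n = $name.ToLowerInvariant()
        if ($n -eq $h) { return $true }
        # A wildcard covers one left-most label only: *.a.com matches x.a.com, not a.com or x.y.a.com.
        if ($n.StartsWith('*.') -and $h.EndsWith($n.Substring(1))) {
            $label = $h.Substring(0, $h.Length - $n.Length + 1)
            if ($label -and $label -notmatch '\.') { return $true }
        }
    }
    return $false
}

function Get-AutodiscoverCertReport {
    param([string]$EmailAddress, [hashtable]$PresentedNames)
    foreach ($c in Get-AutodiscoverCandidates -EmailAddress $EmailAddress) {
        $result = 'no certificate checked at this step'
        if ($c.Target -like 'https://*') {
            $hostName = ([uri]$c.Target).Host
            $names = $PresentedNames[$hostName]
            if (-not $names) { $result = 'no HTTPS listener in sample' }
            elseif (Test-CertNameMatch -HostName $hostName -DnsNames $names) { $result = 'certificate matches' }
            else { $result = 'name mismatch: client shows a certificate warning' }
        }
        [pscustomobject]@{ Step = $c.Step; Target = $c.Target; Result = $result }
    }
}

$presented = @{
    # Constructed: root domain answered by the web host with its own certificate.
    'externaldomain.com'              = @('*.webhost.example', 'webhost.example')
    # SAN list the asker gives for the Exchange certificate.
    'autodiscover.externaldomain.com' = @('mail.externaldomain.com', 'externaldomain.com', 'autodiscover.externaldomain.com')
}
Get-AutodiscoverCertReport -EmailAddress 'user@externaldomain.com' -PresentedNames $presented | Format-Table -AutoSize
```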
When we did this recently I also created legacy.domain.com, which handled all the 2003 users prior to mailbox move
http://exchangeserverpro.com/exchange-2003-2010-coexistence/
In the end I bit the bullet, took a backup of the 2003 Exchange and moved all mailboxes one Friday night to the 2010 box rather than stay in coexistence