Exchange 2010 Autodiscover prompt for credentials

Hi,

I'm having an issue where Autodiscovery within Exchange 2010 is playing up both internally and externally. When I browse to https://autodiscover.company.com/autodiscover/autodiscover.xml, I receive a prompt for credentials. If I enter the credentials, I receive the correct 600 response. However, if I click cancel, then I receive a message saying "You do not have permissions to view this directory or web page".

Things I have checked:

 - GoDaddy certificate has autodiscover.company.com as a SAN
 - External and Internal DNS for Autodiscover.company.com is correct
 - Firewall is allowing requests through and NAT'ing correctly
 - We are using the KEMP LoadMasters with ESP for reverse proxy (Kemp support have checked and verified the configuration)

Outputs from Get-ClientAccessServer and Get-AutodiscoverVirtualDirectory below....

Get-ClientAccessServer CAS-SERVER | fl


RunspaceId                           : 047c70d2-3dc1-4d15-b06e-1ed62c25826d
Name                                 : CAS-SERVER
Fqdn                                 : CAS-SERVER.DOMAIN.LOCAL
OutlookAnywhereEnabled               : True
AutoDiscoverServiceCN                : CAS-SERVER
AutoDiscoverServiceClassName         : ms-Exchange-AutoDiscover-Service
AutoDiscoverServiceInternalUri       : https://autodiscover.COMPANY.com/autodiscover/autodiscover.xml
AutoDiscoverServiceGuid              : 77378f46-2c66-4aa9-a6a6-3e7a48b19596
AutoDiscoverSiteScope                : {DataCentre}
AlternateServiceAccountConfiguration :
IrmLogEnabled                        : True
IrmLogMaxAge                         : 30.00:00:00
IrmLogMaxDirectorySize               : 250 MB (262,144,000 bytes)
IrmLogMaxFileSize                    : 10 MB (10,485,760 bytes)
IrmLogPath                           : C:\Program Files\Microsoft\Exchange Server\V14\Logging\IRMLogs
IsOutOfService                       : False
MigrationLogLoggingLevel             : Information
MigrationLogFilePath                 :
MigrationLogMaxAge                   : 180.00:00:00
MigrationLogMaxDirectorySize         : 10 GB (10,737,418,240 bytes)
MigrationLogMaxFileSize              : 100 MB (104,857,600 bytes)
IsValid                              : True
ExchangeVersion                      : 0.1 (8.0.535.0)
DistinguishedName                    : CN=CAS-SERVER,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),C
                                       N=Administrative Groups,CN=Exchange,CN=Microsoft Exchange,CN=Services,CN=Configu
                                       ration,DC=ad,DC=local
Identity                             : CAS-SERVER
Guid                                 : b09cddba-d54f-4bf6-b206-68b7f97ec3b2
ObjectCategory                       : DOMAIN.LOCAL/Configuration/Schema/ms-Exch-Exchange-Server
ObjectClass                          : {top, server, msExchExchangeServer}
WhenChanged                          : 19/09/2013 15:48:20
WhenCreated                          : 07/02/2013 11:42:20
WhenChangedUTC                       : 19/09/2013 14:48:20
WhenCreatedUTC                       : 07/02/2013 11:42:20
OrganizationId                       :
OriginatingServer                    : UKH1-ADDC01.DOMAIN.LOCAL


Get-AutodiscoverVirtualDirectory -Server CAS-SERVER | fl


RunspaceId                      : 047c70d2-3dc1-4d15-b06e-1ed62c25826d
Name                            : Autodiscover (Default Web Site)
InternalAuthenticationMethods   : {Basic, Ntlm, WindowsIntegrated}
ExternalAuthenticationMethods   : {Basic, Ntlm, WindowsIntegrated}
LiveIdSpNegoAuthentication      : False
WSSecurityAuthentication        : False
LiveIdBasicAuthentication       : False
BasicAuthentication             : True
DigestAuthentication            : False
WindowsAuthentication           : True
MetabasePath                    : IIS://CAS-SERVER.DOMAIN.LOCAL/W3SVC/1/ROOT/Autodiscover
Path                            : C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\Autodiscover
ExtendedProtectionTokenChecking : None
ExtendedProtectionFlags         : {}
ExtendedProtectionSPNList       : {}
Server                          : CAS-SERVER
InternalUrl                     : https://autodiscover.COMPANY.com/autodiscover/autodiscover.xml
ExternalUrl                     : https://autodiscover.COMPANY.com/autodiscover/autodiscover.xml
AdminDisplayName                :
ExchangeVersion                 : 0.10 (14.0.100.0)
DistinguishedName               : CN=Autodiscover (Default Web Site),CN=HTTP,CN=Protocols,CN=CAS-SERVER,CN=Servers,C
                                  N=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=Exchang
                                  e,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=ad,DC=local
Identity                        : CAS-SERVER\Autodiscover (Default Web Site)
Guid                            : 74d0735d-a7d7-4614-854d-a8a4948795a3
ObjectCategory                  : DOMAIN.LOCAL/Configuration/Schema/ms-Exch-Auto-Discover-Virtual-Directory
ObjectClass                     : {top, msExchVirtualDirectory, msExchAutoDiscoverVirtualDirectory}
WhenChanged                     : 10/10/2013 15:24:10
WhenCreated                     : 10/10/2013 15:20:21
WhenChangedUTC                  : 10/10/2013 14:24:10
WhenCreatedUTC                  : 10/10/2013 14:20:21
OrganizationId                  :
OriginatingServer               : DOMAIN-CONTROLLER.DOMAIN.LOCAL
IsValid                         : True

MS RCA (TestConnectivity) reports two errors when testing autodiscovery:

The Microsoft Connectivity Analyser failed to obtain an autodiscover XML response.
An HTTP 500 response was returned from unknown

...and when attempting to contact autodiscover service using the HTTP redirect method...

The Microsoft Connectivity Analyser failed to obtain an autodiscover XML response.
A Web Exception occurred because an HTTP 400 - BadRequest response was received from unknown.

Incidentally - Outlook Anywhere isn't working either, but I guess this is due to Autodiscovery not working??

Any help appreciated!
Thanks
Tony
HoricePlant Asked:

Nick Rhode (IT Director) Commented:
Is NTLM authentication configured for Outlook Anywhere? Also, are all the services needed by Exchange started and running correctly?
0
HoricePlant (Author) Commented:
No - we have Basic Authentication selected, as per the recommendation from Kemp. LoadMasters don't currently support NTLM.
0
Nick Rhode (IT Director) Commented:
That's just silly. Were there any recent changes? Are you able to remove a user from the proxy and see if the issue still occurs?
0
HoricePlant (Author) Commented:
Apparently the feature is coming... but for now, it's either Basic or Forms Based. Regarding changes, this is a new implementation, so whilst autodiscovery did work under TMG, we've replaced TMG with the Kemp LoadMasters. That said - Autodiscovery did stop working externally when TMG was still in place.

The user I'm testing externally and internally isn't using a proxy.
0
Simon Butler (Sembee) (Consultant) Commented:
This:

Get-AutodiscoverVirtualDirectory -Server CAS-SERVER | fl

InternalUrl                     : https://autodiscover.COMPANY.com/autodiscover/autodiscover.xml
ExternalUrl                     : https://autodiscover.COMPANY.com/autodiscover/autodiscover.xml

Is wrong.

The values should not be populated. The default configuration should be left, which is null, so remove them.

If you bypass the load balancers, does it work then?

What do you get back if you do an Autodiscover test in Outlook?

Simon.
0
HoricePlant (Author) Commented:
Hi Simon,

I've removed both internal and external URL properties (I had only just set them today, following someone's internet blog on how to reset the virtual directory through shell rather than EMC).

It's certainly made a difference though... as although Autodiscovery is still not working, Outlook Anywhere is now working. The client I'm testing from fails the Test Email Auto Configuration with HTTP Status 500. RCA also reports the same HTTP 500 status.

Thanks
Tony
0
HoricePlant (Author) Commented:
Just out of interest, RCA test on Outlook Anywhere still fails on the last test... Attempting to ping RPC endpoint 6001 (Exchange Information Store) on server CAS-SERVER.domain.local. The RPC_E_ACCESS_DENIED error (0x5) was thrown by the RPC runtime process.
0
Simon Butler (Sembee) (Consultant) Commented:
Did you make any other changes to the Autodiscover Virtual Directory after resetting it?
Did you reset Outlook Anywhere at all?

Simon.
0
HoricePlant (Author) Commented:
I noticed that AutodiscoverServiceInternalUri was previously set to point directly at a Client Access server (i.e. https://CAS-SERVER.COMPANY.com/autodiscover/autodiscover.xml)

I then changed it to 'https://autodiscover.COMPANY.com/autodiscover/autodiscover.xml', which now points to the Kemp LoadMaster.
0
Simon Butler (Sembee) (Consultant) Commented:
Either would be fine, as long as they are in the SSL certificate.
Authentication prompts can also be a sign of SSL certificate issues.

Simon.
0
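
Added example (not part of the thread, and not code from any participant): an Exchange Management Shell check for the two points raised in the replies above, namely that InternalUrl/ExternalUrl on the Autodiscover virtual directory are left empty and that the host in AutoDiscoverServiceInternalUri is one of the names on the certificate bound to IIS. The helper Test-NameCoveredByCert is a hypothetical name, and a single CAS named CAS-SERVER is assumed, as in the question.

```powershell
# Added example for the Exchange Management Shell; written to run on PowerShell 2.0 (Exchange 2010).
$Server = 'CAS-SERVER'   # server name as used in the thread

# Hypothetical helper: is $HostName covered by any of the certificate's names?
function Test-NameCoveredByCert {
    param([string]$HostName, [string[]]$CertNames)
    foreach ($name in $CertNames) {
        if ($name -ieq $HostName) { return $true }
        # A wildcard entry (*.company.com) covers exactly one left-most label.
        if ($name.StartsWith('*.')) {
            $dot = $HostName.IndexOf('.')
            if ($dot -gt 0 -and $HostName.Substring($dot) -ieq $name.Substring(1)) {
                return $true
            }
        }
    }
    return $false
}

# Check 1: flag InternalUrl / ExternalUrl values on the Autodiscover virtual directory.
foreach ($vdir in @(Get-AutodiscoverVirtualDirectory -Server $Server)) {
    foreach ($prop in 'InternalUrl', 'ExternalUrl') {
        if ($vdir.$prop) {
            Write-Warning "$prop is populated ($($vdir.$prop)); the advice above is to leave it null."
        }
    }
}

# Check 2: the host clients are sent to must be a name on the IIS certificate.
$cas = Get-ClientAccessServer -Identity $Server
$scpHost = ([uri]"$($cas.AutoDiscoverServiceInternalUri)").Host

Get-ExchangeCertificate -Server $Server |
    Where-Object { "$($_.Services)" -match 'IIS' } |
    ForEach-Object {
        $names = @($_.CertificateDomains | ForEach-Object { "$_" })
        New-Object PSObject -Property @{
            Thumbprint = $_.Thumbprint
            NotAfter   = $_.NotAfter
            ScpHost    = $scpHost
            Covered    = (Test-NameCoveredByCert -HostName $scpHost -CertNames $names)
        }
    }
```

A row with Covered set to False, or a NotAfter date in the past, points at the certificate rather than at the authentication settings. When a load balancer terminates TLS, the certificate installed there needs the same check.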
sameert Commented:
Looks like a permission issue on the Autodiscover web site that you have created. Your Autodiscover web site should be set only for Anonymous authentication and the Autodiscover folder should be set for Basic and Windows authentication. Make sure you have the DNS entry for autodiscover.domain.com.
0
HoricePlant (Author) Commented:
Hi Sameert,

I'm a little confused... do you mean the Autodiscover IIS website should be set to Anonymous only? If so, which Autodiscover folder should have basic and windows auth enabled?

DNS for autodiscover.domain.com is pointing to the Kemp LM.

Thanks
Tony
0

HoricePlant (Author) Commented:
No resolution found
0