Exchange 2010 Autodiscover prompt for credentials

Posted on 2013-10-10
Medium Priority
Last Modified: 2013-12-24

I'm having an issue where Autodiscovery within Exchange 2010 is playing up both internally and externally. When I browse to https://autodiscover.company.com/autodiscover/autodiscover.xml, I receive a prompt for credentials. If I enter the credentials, I receive the correct 600 response. However, if I click cancel, then I receive a message saying "You do not have permissions to view this directory or web page".

Things I have checked:

 - GoDaddy certificate has autodiscover.company.com as a SAN
 - External and Internal DNS for Autodiscover.company.com is correct
 - Firewall is allowing requests through and NAT'ing correctly
 - We are using the KEMP LoadMasters with ESP for reverse proxy (Kemp support have checked and verified the configuration)

Outputs from Get-ClientAccessServer and Get-AutodiscoverVirtualDirectory below....

Get-ClientAccessServer CAS-SERVER | fl

RunspaceId                           : 047c70d2-3dc1-4d15-b06e-1ed62c25826d
Name                                 : CAS-SERVER
Fqdn                                 : CAS-SERVER.DOMAIN.LOCAL
OutlookAnywhereEnabled               : True
AutoDiscoverServiceCN                : CAS-SERVER
AutoDiscoverServiceClassName         : ms-Exchange-AutoDiscover-Service
AutoDiscoverServiceInternalUri       : https://autodiscover.COMPANY.com/autodiscover/autodiscover.xml
AutoDiscoverServiceGuid              : 77378f46-2c66-4aa9-a6a6-3e7a48b19596
AutoDiscoverSiteScope                : {DataCentre}
AlternateServiceAccountConfiguration :
IrmLogEnabled                        : True
IrmLogMaxAge                         : 30.00:00:00
IrmLogMaxDirectorySize               : 250 MB (262,144,000 bytes)
IrmLogMaxFileSize                    : 10 MB (10,485,760 bytes)
IrmLogPath                           : C:\Program Files\Microsoft\Exchange Server\V14\Logging\IRMLogs
IsOutOfService                       : False
MigrationLogLoggingLevel             : Information
MigrationLogFilePath                 :
MigrationLogMaxAge                   : 180.00:00:00
MigrationLogMaxDirectorySize         : 10 GB (10,737,418,240 bytes)
MigrationLogMaxFileSize              : 100 MB (104,857,600 bytes)
IsValid                              : True
ExchangeVersion                      : 0.1 (8.0.535.0)
DistinguishedName                    : CN=CAS-SERVER,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),C
                                       N=Administrative Groups,CN=Exchange,CN=Microsoft Exchange,CN=Services,CN=Configu
Identity                             : CAS-SERVER
Guid                                 : b09cddba-d54f-4bf6-b206-68b7f97ec3b2
ObjectCategory                       : DOMAIN.LOCAL/Configuration/Schema/ms-Exch-Exchange-Server
ObjectClass                          : {top, server, msExchExchangeServer}
WhenChanged                          : 19/09/2013 15:48:20
WhenCreated                          : 07/02/2013 11:42:20
WhenChangedUTC                       : 19/09/2013 14:48:20
WhenCreatedUTC                       : 07/02/2013 11:42:20
OrganizationId                       :
OriginatingServer                    : UKH1-ADDC01.DOMAIN.LOCAL

Get-AutodiscoverVirtualDirectory -Server CAS-SERVER | fl

RunspaceId                      : 047c70d2-3dc1-4d15-b06e-1ed62c25826d
Name                            : Autodiscover (Default Web Site)
InternalAuthenticationMethods   : {Basic, Ntlm, WindowsIntegrated}
ExternalAuthenticationMethods   : {Basic, Ntlm, WindowsIntegrated}
LiveIdSpNegoAuthentication      : False
WSSecurityAuthentication        : False
LiveIdBasicAuthentication       : False
BasicAuthentication             : True
DigestAuthentication            : False
WindowsAuthentication           : True
MetabasePath                    : IIS://CAS-SERVER.DOMAIN.LOCAL/W3SVC/1/ROOT/Autodiscover
Path                            : C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\Autodiscover
ExtendedProtectionTokenChecking : None
ExtendedProtectionFlags         : {}
ExtendedProtectionSPNList       : {}
Server                          : CAS-SERVER
InternalUrl                     : https://autodiscover.COMPANY.com/autodiscover/autodiscover.xml
ExternalUrl                     : https://autodiscover.COMPANY.com/autodiscover/autodiscover.xml
AdminDisplayName                :
ExchangeVersion                 : 0.10 (
DistinguishedName               : CN=Autodiscover (Default Web Site),CN=HTTP,CN=Protocols,CN=CAS-SERVER,CN=Servers,C
                                  N=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=Exchang
                                  e,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=ad,DC=local
Identity                        : CAS-SERVER\Autodiscover (Default Web Site)
Guid                            : 74d0735d-a7d7-4614-854d-a8a4948795a3
ObjectCategory                  : DOMAIN.LOCAL/Configuration/Schema/ms-Exch-Auto-Discover-Virtual-Directory
ObjectClass                     : {top, msExchVirtualDirectory, msExchAutoDiscoverVirtualDirectory}
WhenChanged                     : 10/10/2013 15:24:10
WhenCreated                     : 10/10/2013 15:20:21
WhenChangedUTC                  : 10/10/2013 14:24:10
WhenCreatedUTC                  : 10/10/2013 14:20:21
OrganizationId                  :
OriginatingServer               : DOMAIN-CONTROLLER.DOMAIN.LOCAL
IsValid                         : True

MS RCA (TestConnectivity) reports two errors when testing autodiscovery:

The Microsoft Connectivity Analyser failed to obtain an autodiscover XML response.
An HTTP 500 response was returned from unknown

...and when attempting to contact autodiscover service using the HTTP redirect method...

The Microsoft Connectivity Analyser failed to obtain an autodiscover XML response.
A Web Exception occurred because an HTTP 400 - BadRequest response was received from unknown.

Incidentally - Outlook Anywhere isn't working either, but I guess this is due to Autodiscovery not working??

Any help appreciated!
Question by:HoricePlant
LVL 22

Expert Comment

by:Nick Rhode
ID: 39562886
Is NTLM authentication configured for Outlook Anywhere? Also, are all the services needed by Exchange started and running correctly?

Author Comment

ID: 39562904
No - we have Basic Authentication selected, as per the recommendation from Kemp. LoadMasters don't currently support NTLM.
LVL 22

Expert Comment

by:Nick Rhode
ID: 39562917
That's just silly.  Were there any recent changes?  Are you able to remove a user from the proxy and see if the issue still occurs?

Author Comment

ID: 39563552
Apparently the feature is coming... but for now, it's either basic or Forms Based. Regarding changes, this is a new implementation, so whilst autodiscovery did work under TMG, we've replaced TMG with the Kemp LoadMasters. That said - Autodiscovery did stop working externally when TMG was still in place.

The user I'm testing externally and internally isn't using a proxy.
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39563730

Get-AutodiscoverVirtualDirectory -Server CAS-SERVER | fl

InternalUrl                     : https://autodiscover.COMPANY.com/autodiscover/autodiscover.xml
ExternalUrl                     : https://autodiscover.COMPANY.com/autodiscover/autodiscover.xml

Is wrong.

The values should not be populated. The default configuration should be left, which is null, so remove them.

If you bypass the load balancers, does it work then?

What do you get back if you do an Autodiscover test in Outlook?


Author Comment

ID: 39563898
Hi Simon,

I've removed both internal and external URL properties (I had only just set them today, following someone's internet blog on how to reset the virtual directory through shell rather than EMC).

It's certainly made a difference though... as although Autodiscovery is still not working, Outlook Anywhere is now working. The client I'm testing from fails the Test Email Auto Configuration with HTTP Status 500. RCA also reports the same HTTP 500 status.


Author Comment

ID: 39563909
Just out of interest, RCA test on Outlook Anywhere still fails on the last test... Attempting to ping RPC endpoint 6001 (Exchange Information Store) on server CAS-SERVER.domain.local. The RPC_E_ACCESS_DENIED error (0x5) was thrown by the RPC runtime process.
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39563967
Did you make any other changes to the Autodiscover Virtual Directory after resetting it?
Did you reset Outlook Anywhere at all?


Author Comment

ID: 39563987
I noticed that AutodiscoverServiceInternalUri was previously set to point directly at a Client Access server (i.e. https://CAS-SERVER.COMPANY.com/autodiscover/autodiscover.xml)

I then changed it to 'https://autodiscover.COMPANY.com/autodiscover/autodiscover.xml', which now points to the Kemp LoadMaster.
LVL 63

Expert Comment

by:Simon Butler (Sembee)
ID: 39564227
Either would be fine, as long as they are in the SSL certificate.
Authentication prompts can also be a sign of SSL certificate issues.
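
A read-only check of the two points raised in this thread (the Autodiscover virtual directory URLs should be left null, and the Autodiscover host name must be on the SSL certificate), added here as an example and not posted by anyone in the thread. It assumes the Exchange Management Shell on Exchange 2010; `Test-NameCovered` is a hypothetical helper that does simplified exact and single-label wildcard matching only.

```powershell
# Added example (read-only): reports settings, changes nothing.
function Test-NameCovered([string]$HostName, [string[]]$CertNames) {
    foreach ($n in $CertNames) {
        if ($n -eq $HostName) { return $true }   # exact match, case-insensitive
        $dot = $HostName.IndexOf('.')
        # A wildcard covers one label only: *.company.com covers autodiscover.company.com
        if ($n.StartsWith('*.') -and $dot -gt 0 -and
            $HostName.Substring($dot) -eq $n.Substring(1)) { return $true }
    }
    return $false
}

foreach ($cas in Get-ClientAccessServer) {
    # Names on the certificate(s) enabled for IIS on this server
    $certNames = @(Get-ExchangeCertificate -Server $cas.Name |
        Where-Object { "$($_.Services)" -match 'IIS' } |
        ForEach-Object { $_.CertificateDomains } |
        ForEach-Object { "$_" })

    # Host name that domain-joined Outlook clients read from the SCP
    $scp     = "$($cas.AutoDiscoverServiceInternalUri)"
    $scpHost = if ($scp) { ([uri]$scp).Host } else { '' }

    foreach ($vdir in Get-AutodiscoverVirtualDirectory -Server $cas.Name) {
        New-Object PSObject -Property @{
            Server        = $cas.Name
            ScpHost       = $scpHost
            ScpHostInCert = Test-NameCovered $scpHost $certNames
            VdirUrlsSet   = [bool]($vdir.InternalUrl -or $vdir.ExternalUrl)
            BasicAuth     = $vdir.BasicAuthentication
            WindowsAuth   = $vdir.WindowsAuthentication
        }
    }
}

# To return the virtual directory URLs to null, as advised in the thread:
# Set-AutodiscoverVirtualDirectory -Identity 'CAS-SERVER\Autodiscover (Default Web Site)' `
#     -InternalUrl $null -ExternalUrl $null
```

A row with `ScpHostInCert` False or `VdirUrlsSet` True marks the server to look at first.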


Expert Comment

ID: 39564630
Looks like a permission issue on the Autodiscover web site that you have created. Your Autodiscover web site should be set only for Anonymous authentication and the Autodiscover folder should be set for Basic and Windows authentication. Make sure you have the DNS entry for autodiscover.domain.com.

Accepted Solution

HoricePlant earned 0 total points
ID: 39564840
Hi Sameert,

I'm a little confused... do you mean the Autodiscover IIS website should be set to Anonymous only? If so, which Autodiscover folder should have basic and windows auth enabled?

DNS for autodiscover.domain.com is pointing to the Kemp LM.


Author Closing Comment

ID: 39737624
No resolution found
