Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Outlook Clients Popup AutoDiscover redirect warning

Posted on 2014-11-02
11
Medium Priority
?
2,585 Views
Last Modified: 2014-11-16
We have Exchange server 2013 and Outlook 2010/2013 clients. All client services are published via Kemp Load balancer.

Problem is all outlook clients are popup the Autodiscover direct warning. I want to stop this without editing the REG.

Please see attached file. Autodiscover warning
0
Comment
Question by:ucguy
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
  • 2
  • +3
11 Comments
 
LVL 2

Expert Comment

by:MadHatterAdmin
ID: 40418108
Is your kemp pointed to a host object backend by a NLB & CAS array? More info about the architecture would help. Of recent that's how I deployed a solution and havent had an auto discover problem.

Have you reference the kemp deployment guide? A quick google will pull it up.
0
 

Author Comment

by:ucguy
ID: 40418135
Ex2013 does not have CAS Array
0
 
LVL 8

Expert Comment

by:tshearon
ID: 40418206
Make sure you have the correct Autodiscover record. You should have your Autodiscover.domain.com pointed to the correct IP. Also make sure you check the SRV DNS records and ensure they point to the current environment and not an older one.
0
Survive A High-Traffic Event with Percona

Your application or website rely on your database to deliver information about products and services to your customers. You can’t afford to have your database lose performance, lose availability or become unresponsive – even for just a few minutes.

 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 40418221
Hey ucguy,

Just wanted to confirm. Because of the changes between 2010 and 2013, did you use Kemp's Exchange 2013 template to set all this up? Just wanted to make sure you didn't use their 2010 template.
0
 
LVL 2

Expert Comment

by:BMarden
ID: 40418314
Domain name is blotted but I suspect you are getting Autodiscover from external (hosted domain).

The autodiscover on internal DNS should point to the exchange server, if you do not have an internal autodiscover you should create one.

BM
0
 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 40418532
The autodiscover on internal DNS should point to the exchange server, if you do not have an internal autodiscover you should create one.

This is not entirely correct BMarden. The internal autodiscover record should point to the Kemp VIP.
0
 
LVL 19

Accepted Solution

by:
Adam Farage earned 1500 total points
ID: 40418748
Ah Gareth, how I missed ya :)

Alright so lets clarify a few things.. mainly on how the KEMP is setup. I am pretty well versed in the KEMP as I have set these up for the last four years.

- DNS.. on both internal and external where does autodiscover.company.com go to? In theory the CAS should have the AutoDiscoverInternalUri set (Get-ClientAccessServer | Select Name, AutoDiscoverInternalUri) to autodiscover.company.com, and then you should have an A record pointing to the VIP. For external clients the A record should point to the NAT that does TCP 443 to the KEMP itself.

- In Exchange does the SSL certificate contain autodiscover.company.com? If not I would recommend grabbing a SAN and throw this along with your OWA URL on there.

- This can also be a KEMP issue. Are you doing Layer 7 or Layer 4 load balancing? Are you doing SSL offloading or SSL Bridging? In most cases for Layer 7 to work you should be doing SSL bridging so the KEMP can decrypt the packet, figure out the route and then re-encrypt it (at least if you followed the guide, which I am not saying you didnt.. but it does go over context rules and such). If you are using the template you are most likely doing persistence using L4 which would use Source IP (Layer 7 uses Super HTTP usually - requires some type of SSL bridging/offloading). Make sure the SSL certificate is valid on the KEMP device along with the intermediate certificate

Last but not least.. what does the SSL certificate located at? If you look at the details on what the Outlook client gets you can probably figure out the location.

@BMarden, you are absolutely wrong..

Internal AutoDiscover in Exchange 2010 on is automatically enabled (you can disable it through the registry, but its unsupported and will not work for Exchange 2013). To define internal, this is for domain joined clients who are using the Outlook client. What happens is when Outlook opens up and is a domain joined machine it looks at the local Active Directory server for the AutoDiscover SCP (defined by the CAS attribute AutoDiscoverInternalUri). That URL returned should be pointed only to an Exchange server if only a single CAS exists. Since the client is using a KEMP load balancer he would have this pointed in via a DNS A record to the VIP of the KEMP device.
0
 

Author Comment

by:ucguy
ID: 40420945
hello Adam,

Please note below answers.

 - DNS.. on both internal and external where does autodiscover.company.com go to? In theory the CAS should have the AutoDiscoverInternalUri set (Get-ClientAccessServer | Select Name, AutoDiscoverInternalUri) to autodiscover.company.com, and then you should have an A record pointing to the VIP. For external clients the A record should point to the NAT that does TCP 443 to the KEMP itself.

1) Both External and Internal Autodiscover.company.com pointed to Kemp VIP. Created the A record for it as well.

2)   - In Exchange does the SSL certificate contain autodiscover.company.com? If not I would recommend grabbing a SAN and throw this along with your OWA URL on there.
In SSL certificate has Autodiscover.company.com as SAN.

3) I have certificate stored on the Kemp. when i check OWA, i cannot see any certificate errors.

4)  Internal AutoDiscover in Exchange 2010 on is automatically enabled (you can disable it through the registry, but its unsupported and will not work for Exchange 2013). To define internal, this is for domain joined clients who are using the Outlook client. What happens is when Outlook opens up and is a domain joined machine it looks at the local Active Directory server for the AutoDiscover SCP (defined by the CAS attribute AutoDiscoverInternalUri). That URL returned should be pointed only to an Exchange server if only a single CAS exists. Since the client is using a KEMP load balancer he would have this pointed in via a DNS A record to the VIP of the KEMP device.

I changed the internal autodiscoveruri to autodiscover.company.com and pointed to VIP.
0
 
LVL 19

Expert Comment

by:Adam Farage
ID: 40421290
when you changed the AutoDiscoverServiceInteralUri did the errors stop?
0
 

Author Comment

by:ucguy
ID: 40421374
I have done all the changes before post this question.
0
 
LVL 19

Expert Comment

by:Adam Farage
ID: 40421487
Run the following and post the results below:

Get-WebServicesVirtualDirectory | FL *URL*

That could also be from a misconfigured InternalURL for Exchange Web Services.
0

Featured Post

Get your Disaster Recovery as a Service basics

Disaster Recovery as a Service is one go-to solution that revolutionizes DR planning. Implementing DRaaS could be an efficient process, easily accessible to non-DR experts. Learn about monitoring, testing, executing failovers and failbacks to ensure a "healthy" DR environment.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you troubleshoot Outlook for clients, you may want to know a bit more about the OST file before doing your next job. IMAP can cause a lot of drama if removed in the accounts without backing up.
Are you an Exchange administrator employed with an organization? And, have you encountered a corrupt Exchange database due to which you are not able to open its EDB file. This article will explain all the steps to repair corrupt Exchange database.
To show how to create a transport rule in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.: First we need to log into the Exchange Admin Center. Navigate to the Mail Flow >> Rules tab.:  To cr…
To show how to generate a certificate request in Exchange 2013. We show this process by using the Exchange Admin Center. Log into Exchange Admin Center.:  First we need to log into the Exchange Admin Center. Navigate to the Servers >> Certificates…
Suggested Courses

715 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question