Solved

Outlook Clients Popup AutoDiscover redirect warning

Posted on 2014-11-02
11
2,360 Views
Last Modified: 2014-11-16
We have Exchange server 2013 and Outlook 2010/2013 clients. All client services are published via Kemp Load balancer.

Problem is all outlook clients are popup the Autodiscover direct warning. I want to stop this without editing the REG.

Please see attached file. Autodiscover warning
0
Comment
Question by:ucguy
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 3
  • 2
  • +3
11 Comments
 
LVL 2

Expert Comment

by:MadHatterAdmin
ID: 40418108
Is your kemp pointed to a host object backend by a NLB & CAS array? More info about the architecture would help. Of recent that's how I deployed a solution and havent had an auto discover problem.

Have you reference the kemp deployment guide? A quick google will pull it up.
0
 

Author Comment

by:ucguy
ID: 40418135
Ex2013 does not have CAS Array
0
 
LVL 8

Expert Comment

by:tshearon
ID: 40418206
Make sure you have the correct Autodiscover record. You should have your Autodiscover.domain.com pointed to the correct IP. Also make sure you check the SRV DNS records and ensure they point to the current environment and not an older one.
0
Resolve Critical IT Incidents Fast

If your data, services or processes become compromised, your organization can suffer damage in just minutes and how fast you communicate during a major IT incident is everything. Learn how to immediately identify incidents & best practices to resolve them quickly and effectively.

 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 40418221
Hey ucguy,

Just wanted to confirm. Because of the changes between 2010 and 2013, did you use Kemp's Exchange 2013 template to set all this up? Just wanted to make sure you didn't use their 2010 template.
0
 
LVL 2

Expert Comment

by:BMarden
ID: 40418314
Domain name is blotted but I suspect you are getting Autodiscover from external (hosted domain).

The autodiscover on internal DNS should point to the exchange server, if you do not have an internal autodiscover you should create one.

BM
0
 
LVL 31

Expert Comment

by:Gareth Gudger
ID: 40418532
The autodiscover on internal DNS should point to the exchange server, if you do not have an internal autodiscover you should create one.

This is not entirely correct BMarden. The internal autodiscover record should point to the Kemp VIP.
0
 
LVL 19

Accepted Solution

by:
Adam Farage earned 500 total points
ID: 40418748
Ah Gareth, how I missed ya :)

Alright so lets clarify a few things.. mainly on how the KEMP is setup. I am pretty well versed in the KEMP as I have set these up for the last four years.

- DNS.. on both internal and external where does autodiscover.company.com go to? In theory the CAS should have the AutoDiscoverInternalUri set (Get-ClientAccessServer | Select Name, AutoDiscoverInternalUri) to autodiscover.company.com, and then you should have an A record pointing to the VIP. For external clients the A record should point to the NAT that does TCP 443 to the KEMP itself.

- In Exchange does the SSL certificate contain autodiscover.company.com? If not I would recommend grabbing a SAN and throw this along with your OWA URL on there.

- This can also be a KEMP issue. Are you doing Layer 7 or Layer 4 load balancing? Are you doing SSL offloading or SSL Bridging? In most cases for Layer 7 to work you should be doing SSL bridging so the KEMP can decrypt the packet, figure out the route and then re-encrypt it (at least if you followed the guide, which I am not saying you didnt.. but it does go over context rules and such). If you are using the template you are most likely doing persistence using L4 which would use Source IP (Layer 7 uses Super HTTP usually - requires some type of SSL bridging/offloading). Make sure the SSL certificate is valid on the KEMP device along with the intermediate certificate

Last but not least.. what does the SSL certificate located at? If you look at the details on what the Outlook client gets you can probably figure out the location.

@BMarden, you are absolutely wrong..

Internal AutoDiscover in Exchange 2010 on is automatically enabled (you can disable it through the registry, but its unsupported and will not work for Exchange 2013). To define internal, this is for domain joined clients who are using the Outlook client. What happens is when Outlook opens up and is a domain joined machine it looks at the local Active Directory server for the AutoDiscover SCP (defined by the CAS attribute AutoDiscoverInternalUri). That URL returned should be pointed only to an Exchange server if only a single CAS exists. Since the client is using a KEMP load balancer he would have this pointed in via a DNS A record to the VIP of the KEMP device.
0
 

Author Comment

by:ucguy
ID: 40420945
hello Adam,

Please note below answers.

 - DNS.. on both internal and external where does autodiscover.company.com go to? In theory the CAS should have the AutoDiscoverInternalUri set (Get-ClientAccessServer | Select Name, AutoDiscoverInternalUri) to autodiscover.company.com, and then you should have an A record pointing to the VIP. For external clients the A record should point to the NAT that does TCP 443 to the KEMP itself.

1) Both External and Internal Autodiscover.company.com pointed to Kemp VIP. Created the A record for it as well.

2)   - In Exchange does the SSL certificate contain autodiscover.company.com? If not I would recommend grabbing a SAN and throw this along with your OWA URL on there.
In SSL certificate has Autodiscover.company.com as SAN.

3) I have certificate stored on the Kemp. when i check OWA, i cannot see any certificate errors.

4)  Internal AutoDiscover in Exchange 2010 on is automatically enabled (you can disable it through the registry, but its unsupported and will not work for Exchange 2013). To define internal, this is for domain joined clients who are using the Outlook client. What happens is when Outlook opens up and is a domain joined machine it looks at the local Active Directory server for the AutoDiscover SCP (defined by the CAS attribute AutoDiscoverInternalUri). That URL returned should be pointed only to an Exchange server if only a single CAS exists. Since the client is using a KEMP load balancer he would have this pointed in via a DNS A record to the VIP of the KEMP device.

I changed the internal autodiscoveruri to autodiscover.company.com and pointed to VIP.
0
 
LVL 19

Expert Comment

by:Adam Farage
ID: 40421290
when you changed the AutoDiscoverServiceInteralUri did the errors stop?
0
 

Author Comment

by:ucguy
ID: 40421374
I have done all the changes before post this question.
0
 
LVL 19

Expert Comment

by:Adam Farage
ID: 40421487
Run the following and post the results below:

Get-WebServicesVirtualDirectory | FL *URL*

That could also be from a misconfigured InternalURL for Exchange Web Services.
0

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this step by step procedure, you will come to know the details of creating an Outlook meeting in 2007, 2010, 2013 & 2016.
Changing a few Outlook Options can help keep you organized!
To add imagery to an HTML email signature, you have two options available to you. You can either add a logo/image by embedding it directly into the signature or hosting it externally and linking to it. The vast majority of email clients display l…
CodeTwo Sync for iCloud (http://www.codetwo.com/sync-for-icloud?sts=6554) automatically synchronizes your Outlook 2016, 2013, 2010 or 2007 folders with iCloud folders available via iCloud Control Panel. This lets you automatically sync them with…

734 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question