Exchange 2013 Aotodiscover and Outlook Anywhere authentication

Hi Team,  
    I have an Exchange 2013 deployment, Now the internal process works fine
But for external users not joined to domain i keep getting the attached message

The server instead of owa.abc.com.au only shows abc.com.au and doesn't look like a basic authentication windows either.

So in short i think i need help understanding the auto discover and outlook anywhere for 2013 and see where this are going south.
Thanks
LVL 4
Costas GeorgiouNetwork AdministratorAsked:
Who is Participating?
 
Costas GeorgiouConnect With a Mentor Network AdministratorAuthor Commented:
Hi There,
  I can confirm that the issue is resolved

Cause: The whole configuration was right as Adam recommended, however the client has a HTTPS site which was responding to the SRV records autodiscover request and not sending it to the server.
https://domain.com/autodiscover/autodiscover.xml

I have made changes to the DNS so that the correct server responds.

Issue resolved
Thanks for your time Adam
0
 
Adam FarageConnect With a Mentor Enterprise ArchCommented:
Essentially an Outlook client that cannot contact the SCP (Service Connection Point, which is within AD) will then use the following method to attempt to contact the Autodiscover service..

https://domain.com/autodiscover/autodiscover.xml
https://autodiscover.domain.com/autodiscover/autodiscover.xml
http://domain.com/autodiscover/autodiscover.xml
http://autodiscover.domain.com/autodiscover/autodiscover.xml

From there if that fails it will then attempt to lookup a SRV record for Autodiscover. If that is not found then the whole Autodiscover for a non-domain joined client fails.

Most organizations configure an additional namespace called autodiscover.domain.com, and attach a public SSL certificate with the namespace on there (as a subject alternative name). This allows the autodiscover request to be pushed over SSL (which is required in most cases). Because we are talking about SSL / TLS you would need to have a forwarder of TCP 443 from the firewall to the endpoint (which is usually either a CAS OR a Network Load Balancer).

That's a really high overview of autodiscover, but tell us the following which will help troubleshoot this..

- Picture of the error message
- The DNS records published for Exchange, including OWA / EAS and AutoDiscover
- Firewall rules for Exchange (just let us know what they are)
- SSL certificates and the names on there
- The type of Outlook client

With that information alone I can most likely figure this out.
0
 
Costas GeorgiouNetwork AdministratorAuthor Commented:
Sorry guys i forgot to attach the screenshot
Its attachedCapture.JPG now
0
Simplify Active Directory Administration

Administration of Active Directory does not have to be hard.  Too often what should be a simple task is made more difficult than it needs to be.The solution?  Hyena from SystemTools Software.  With ease-of-use as well as powerful importing and bulk updating capabilities.

 
Costas GeorgiouNetwork AdministratorAuthor Commented:
The srv records are present but i notice that a prompt which usually comes for autodiscover doesn't come either
From looking above in the picture the prompt is a little different as well.
Normally it comes up as the following picture.
Capture.JPG
0
 
Adam FarageEnterprise ArchCommented:
What prompt? You should not be seeing a prompt for AutoDiscover at all.

That also looks normal, as the AutoDiscover service has returned the EXCH Outlook provider record (in this case it would contain the ExternalURL for Outlook Anywhere) which is asking you to authenticate.

Is there any other errors you are getting, because what you posted is not an error unless you cannot get past it.
0
 
Costas GeorgiouNetwork AdministratorAuthor Commented:
i can't get past it , i have tried different formats for authentication and none of them work.
Domain\username
username@domain.local
Email and Password

I have attached the screenshot of the prompt for auto discover i was talking about?
Capture.JPG
0
 
Costas GeorgiouNetwork AdministratorAuthor Commented:
Then only thing left is the type of authentication that is supported

I have attached few results that you can see
Capture.JPG
0
 
Adam FarageEnterprise ArchCommented:
The redirection is what you were talking about, error wise. If you can get around using the SRV record in DNS that is the best bet (and just use an A record to autodiscover.company.net.au). The error just tells you that you are being redirected to Autodiscover service anyways, but that is not the authentication prompt you are receiving.

Do you have anything in front of the CAS role, such as a reverse proxy or a firewall that might be doing stateful packet inspection?

Also can you do the following:

- On an external outlook client, close Outlook and run...

Outlook.exe /RPCDIAG

- Run the Outlook Anywhere test from testexchangeconnectivity.com

Post both of them here, curious on what it comes back with.
0
 
Costas GeorgiouNetwork AdministratorAuthor Commented:
Here are the results for testexchangeconnectivity.com

I have compare the results with another client and here is what i find different
The address bar for this client shows as discoverer URL https://domain.com:443/autodicover/autodicover.xml
where as it would be https://owa.domain.com:443/autodicover/autodicover.xml

Capture1.JPG
0
 
Costas GeorgiouNetwork AdministratorAuthor Commented:
I Think i am getting somewhere

https://domain.com/autodiscover/autodiscover.xml

for this client is getting a response from the hosting company because this client does have a secure website

I will get back to you once i figure out hot to resolve this with the results
Thanks
0
 
Costas GeorgiouNetwork AdministratorAuthor Commented:
Able to find the source of issue and resolved it.
0
 
Adam FarageEnterprise ArchCommented:
No problem. Glad I could assist.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.