Solved

Exchange 2013 Autodiscover and Outlook Anywhere authentication

Posted on 2015-02-12
Last Modified: 2015-02-22
Hi Team,
I have an Exchange 2013 deployment. The internal process works fine, but for external users not joined to the domain I keep getting the attached message.

The server, instead of owa.abc.com.au, only shows abc.com.au and doesn't look like a basic authentication window either.

So in short, I think I need help understanding Autodiscover and Outlook Anywhere for 2013 and see where things are going south.
Thanks
Question by:Sabi Goraya
 
LVL 19

Assisted Solution

by:Adam Farage
Adam Farage earned 500 total points
Essentially, an Outlook client that cannot contact the SCP (Service Connection Point, which is within AD) will then use the following method to attempt to contact the Autodiscover service:

https://domain.com/autodiscover/autodiscover.xml
https://autodiscover.domain.com/autodiscover/autodiscover.xml
http://domain.com/autodiscover/autodiscover.xml
http://autodiscover.domain.com/autodiscover/autodiscover.xml

From there, if that fails, it will then attempt to look up an SRV record for Autodiscover. If that is not found, then the whole Autodiscover for a non-domain-joined client fails.

Most organizations configure an additional namespace called autodiscover.domain.com, and attach a public SSL certificate with the namespace on there (as a subject alternative name). This allows the Autodiscover request to be pushed over SSL (which is required in most cases). Because we are talking about SSL / TLS, you would need to have a forwarder of TCP 443 from the firewall to the endpoint (which is usually either a CAS or a Network Load Balancer).

That's a really high overview of Autodiscover, but tell us the following, which will help troubleshoot this:

- Picture of the error message
- The DNS records published for Exchange, including OWA / EAS and AutoDiscover
- Firewall rules for Exchange (just let us know what they are)
- SSL certificates and the names on there
- The type of Outlook client

With that information alone I can most likely figure this out.

LVL 4

Author Comment

by:Sabi Goraya
Sorry guys, I forgot to attach the screenshot.
It's attached now.
Capture.JPG

LVL 4

Author Comment

by:Sabi Goraya
The SRV records are present, but I notice that a prompt which usually comes for Autodiscover doesn't come either.
From looking above in the picture, the prompt is a little different as well.
Normally it comes up as the following picture.
Capture.JPG

LVL 19

Expert Comment

by:Adam Farage
What prompt? You should not be seeing a prompt for AutoDiscover at all.

That also looks normal, as the AutoDiscover service has returned the EXCH Outlook provider record (in this case it would contain the ExternalURL for Outlook Anywhere) which is asking you to authenticate.

Are there any other errors you are getting? Because what you posted is not an error unless you cannot get past it.

LVL 4

Author Comment

by:Sabi Goraya
I can't get past it. I have tried different formats for authentication and none of them work:
Domain\username
username@domain.local
Email and Password

I have attached the screenshot of the prompt for Autodiscover I was talking about.
Capture.JPG

LVL 4

Author Comment

by:Sabi Goraya
The only thing left is the type of authentication that is supported.

I have attached a few results that you can see.
Capture.JPG

LVL 19

Expert Comment

by:Adam Farage
The redirection is what you were talking about, error wise. If you can get around using the SRV record in DNS that is the best bet (and just use an A record to autodiscover.company.net.au). The error just tells you that you are being redirected to Autodiscover service anyways, but that is not the authentication prompt you are receiving.

Do you have anything in front of the CAS role, such as a reverse proxy or a firewall that might be doing stateful packet inspection?

Also can you do the following:

- On an external outlook client, close Outlook and run...

Outlook.exe /RPCDIAG

- Run the Outlook Anywhere test from testexchangeconnectivity.com

Post both of them here, curious on what it comes back with.

LVL 4

Author Comment

by:Sabi Goraya
Here are the results for testexchangeconnectivity.com.

I have compared the results with another client, and here is what I find different:
The address bar for this client shows as discoverer URL https://domain.com:443/autodicover/autodicover.xml
whereas it would be https://owa.domain.com:443/autodicover/autodicover.xml

Capture1.JPG

LVL 4

Author Comment

by:Sabi Goraya
I think I am getting somewhere.

https://domain.com/autodiscover/autodiscover.xml

for this client is getting a response from the hosting company, because this client does have a secure website.

I will get back to you once I figure out how to resolve this with the results.
Thanks

LVL 4

Accepted Solution

by:Sabi Goraya
Sabi Goraya earned 0 total points
Hi there,
I can confirm that the issue is resolved.

Cause: The whole configuration was right as Adam recommended; however, the client has an HTTPS site which was responding to the SRV records autodiscover request and not sending it to the server.
https://domain.com/autodiscover/autodiscover.xml

I have made changes to the DNS so that the correct server responds.

Issue resolved
Thanks for your time Adam

LVL 4

Author Closing Comment

by:Sabi Goraya
Able to find the source of issue and resolved it.

LVL 19

Expert Comment

by:Adam Farage
No problem. Glad I could assist.
0
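
Added example (not part of the original thread, and not code from any of its participants): a simplified Python model of the lookup order Adam Farage lists and of the cause found in the accepted solution, where the root domain's HTTPS site answers before Exchange does. The IP addresses, the mailbox name, the assumed corrected DNS state and the rule that a 200 or 401 ends the search are assumptions made for illustration.

```python
PATH = "/autodiscover/autodiscover.xml"
STOPS_SEARCH = {200, 401}  # assumption: a reply or an auth challenge ends the walk


def candidate_urls(email):
    """URLs tried, in the order listed in the thread, when the SCP is unreachable."""
    domain = email.rsplit("@", 1)[1].lower()
    return [f"{scheme}://{host}{PATH}"
            for scheme in ("https", "http")
            for host in (domain, f"autodiscover.{domain}")]


def triage(email, observed, exchange_ips):
    """Return (url, verdict) for the first candidate that ends the search.

    observed maps url -> (HTTP status, IP that served it); a missing url means
    nothing answered there. exchange_ips is the set of published Exchange IPs.
    """
    for url in candidate_urls(email):
        status, ip = observed.get(url, (None, None))
        if status not in STOPS_SEARCH:
            continue  # no answer or an error: the client moves to the next URL
        verdict = "exchange" if ip in exchange_ips else "foreign-responder"
        return url, verdict
    return None, "srv-lookup"  # all four URLs failed: the SRV record is tried next


# Constructed sample data (documentation IP ranges, hypothetical mailbox).
EMAIL = "user@abc.com.au"
EXCHANGE_IPS = {"192.0.2.10"}
ROOT_URL = "https://abc.com.au" + PATH
BEFORE = {ROOT_URL: (401, "198.51.100.7")}  # web host answers for the root domain
AFTER = {ROOT_URL: (401, "192.0.2.10")}     # assumed state after the DNS change

if __name__ == "__main__":
    for label, obs in (("before", BEFORE), ("after", AFTER)):
        print(label, triage(EMAIL, obs, EXCHANGE_IPS))
```

A `foreign-responder` verdict means the credential prompt the user sees is issued by a server other than Exchange, so any password typed into it is sent to that host.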
