Solved

Exchange 2013 Autodiscover and Outlook Anywhere authentication

Posted on 2015-02-12
Last Modified: 2015-02-22
Hi Team,
I have an Exchange 2013 deployment. The internal process works fine, but for external users not joined to the domain I keep getting the attached message.

The server, instead of owa.abc.com.au, only shows abc.com.au, and it doesn't look like a basic authentication window either.

So in short, I think I need help understanding Autodiscover and Outlook Anywhere for 2013 and seeing where this is going south.
Thanks
0
Question by:Sabi Goraya
12 Comments
 
LVL 19

Assisted Solution

by:Adam Farage
Adam Farage earned 2000 total points
ID: 40607273
Essentially, an Outlook client that cannot contact the SCP (Service Connection Point, which is within AD) will then use the following method to attempt to contact the Autodiscover service:

https://domain.com/autodiscover/autodiscover.xml
https://autodiscover.domain.com/autodiscover/autodiscover.xml
http://domain.com/autodiscover/autodiscover.xml
http://autodiscover.domain.com/autodiscover/autodiscover.xml

From there, if that fails, it will then attempt to look up a SRV record for Autodiscover. If that is not found, then the whole Autodiscover process for a non-domain-joined client fails.

Most organizations configure an additional namespace called autodiscover.domain.com, and attach a public SSL certificate with the namespace on there (as a subject alternative name). This allows the Autodiscover request to be pushed over SSL (which is required in most cases). Because we are talking about SSL / TLS, you would need to have a forwarder of TCP 443 from the firewall to the endpoint (which is usually either a CAS or a Network Load Balancer).

That's a really high-level overview of Autodiscover, but tell us the following, which will help troubleshoot this:

- Picture of the error message
- The DNS records published for Exchange, including OWA / EAS and AutoDiscover
- Firewall rules for Exchange (just let us know what they are)
- SSL certificates and the names on there
- The type of Outlook client

With that information alone I can most likely figure this out.
0
 
LVL 4

Author Comment

by:Sabi Goraya
ID: 40607291
Sorry guys, I forgot to attach the screenshot.
It's attached now.
Capture.JPG
0
 
LVL 4

Author Comment

by:Sabi Goraya
ID: 40607293
The SRV records are present, but I notice that a prompt which usually comes for Autodiscover doesn't come either.
From looking at the picture above, the prompt is a little different as well.
Normally it comes up as in the following picture.
Capture.JPG
0

 
LVL 19

Expert Comment

by:Adam Farage
ID: 40607297
What prompt? You should not be seeing a prompt for AutoDiscover at all.

That also looks normal, as the AutoDiscover service has returned the EXCH Outlook provider record (in this case it would contain the ExternalURL for Outlook Anywhere) which is asking you to authenticate.

Are there any other errors you are getting? Because what you posted is not an error unless you cannot get past it.
0
 
LVL 4

Author Comment

by:Sabi Goraya
ID: 40607303
I can't get past it. I have tried different formats for authentication and none of them work.
Domain\username
username@domain.local
Email and Password

I have attached the screenshot of the prompt for Autodiscover I was talking about.
Capture.JPG
0
 
LVL 4

Author Comment

by:Sabi Goraya
ID: 40607306
The only thing left is the type of authentication that is supported.

I have attached a few results that you can see.
Capture.JPG
0
 
LVL 19

Expert Comment

by:Adam Farage
ID: 40607647
The redirection is what you were talking about, error wise. If you can get around using the SRV record in DNS that is the best bet (and just use an A record to autodiscover.company.net.au). The error just tells you that you are being redirected to Autodiscover service anyways, but that is not the authentication prompt you are receiving.

Do you have anything in front of the CAS role, such as a reverse proxy or a firewall that might be doing stateful packet inspection?

Also can you do the following:

- On an external Outlook client, close Outlook and run...

Outlook.exe /RPCDIAG

- Run the Outlook Anywhere test from testexchangeconnectivity.com

Post both of them here, curious on what it comes back with.
0
 
LVL 4

Author Comment

by:Sabi Goraya
ID: 40611351
Here are the results for testexchangeconnectivity.com

I have compared the results with another client and here is what I find different:
The address bar for this client shows as discoverer URL https://domain.com:443/autodiscover/autodiscover.xml
whereas it would be https://owa.domain.com:443/autodiscover/autodiscover.xml

Capture1.JPG
0
 
LVL 4

Author Comment

by:Sabi Goraya
ID: 40611467
I think I am getting somewhere

https://domain.com/autodiscover/autodiscover.xml

for this client is getting a response from the hosting company because this client does have a secure website

I will get back to you once I figure out how to resolve this with the results
Thanks
0
 
LVL 4

Accepted Solution

by:
Sabi Goraya earned 0 total points
ID: 40611620
Hi There,
  I can confirm that the issue is resolved

Cause: The whole configuration was right as Adam recommended, however the client has an HTTPS site which was responding to the SRV records autodiscover request and not sending it to the server.
https://domain.com/autodiscover/autodiscover.xml

I have made changes to the DNS so that the correct server responds.

Issue resolved
Thanks for your time Adam
0
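The lookup order from Adam Farage's first answer combined with the cause found in the accepted solution, as an added example that is not part of the thread: it walks the candidate URLs in the listed order and flags the case where a host other than Exchange answers first. The function names, the `abc.example` domain, the documentation-range IPs and the "after" state are assumptions made for illustration.

```python
import socket
from urllib.parse import urlsplit

PATH = "/autodiscover/autodiscover.xml"

def candidate_urls(email):
    """URLs tried, in the order listed in the thread, when the SCP is unreachable."""
    domain = email.rsplit("@", 1)[1].lower()
    return [f"{scheme}://{host}{PATH}"
            for scheme in ("https", "http")
            for host in (domain, f"autodiscover.{domain}")]

def audit(email, probe, exchange_ips):
    """Return (verdict, url, ip) for the first candidate that answers.

    probe(url) returns the answering IP or None. A verdict of "intercepted"
    means a host outside exchange_ips answered before Exchange was reached.
    """
    for url in candidate_urls(email):
        ip = probe(url)
        if ip is not None:
            return ("ok" if ip in exchange_ips else "intercepted", url, ip)
    return ("srv-fallback", None, None)  # next step in the thread: SRV record

def live_probe(url, timeout=5):
    """Approximate network probe: IP accepting a TCP connection for url, else None."""
    parts = urlsplit(url)
    port = parts.port or (443 if parts.scheme == "https" else 80)
    try:
        with socket.create_connection((parts.hostname, port), timeout=timeout) as s:
            return s.getpeername()[0]
    except OSError:
        return None

# Constructed observations: the public website on the root domain answers over
# HTTPS, so it is reached before the Exchange Autodiscover namespace.
BEFORE = {
    "https://abc.example" + PATH: "198.51.100.10",              # hosting company
    "https://autodiscover.abc.example" + PATH: "203.0.113.25",  # Exchange CAS
}
# Assumed state after the fix (the thread does not say which DNS change was
# made): the root domain no longer answers on this path.
AFTER = {u: ip for u, ip in BEFORE.items() if "//autodiscover." in u}
EXCHANGE_IPS = {"203.0.113.25"}

if __name__ == "__main__":
    for label, table in (("before", BEFORE), ("after", AFTER)):
        print(label, audit("user@abc.example", table.get, EXCHANGE_IPS))
```

Passing `live_probe` in place of `table.get` runs the same check against real DNS from an external network; a TCP connect only shows which host would be reached, not whether it speaks Autodiscover.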
 
LVL 4

Author Closing Comment

by:Sabi Goraya
ID: 40620819
Able to find the source of issue and resolved it.
0
 
LVL 19

Expert Comment

by:Adam Farage
ID: 40624155
No problem. Glad I could assist.
0


Question has a verified solution.
