Autodiscover not working during migration from Exchange 2010 to 2013

I am in the middle of an Exchange 2013 migration from Exchange 2010.  I am using a wildcard SSL certificate.  The same one I used with Exchange 2010.  

Simple install. One Exchange 2010 server running all roles. One Exchange 2013 server I am moving to.

OWA, mobile clients and existing 2010 mailboxes are all working fine. I've migrated a lot of mailboxes to the 2013 server. But I have to repair the Outlook profile for them to work after the migration. This is fine. I can do it. Most users use webmail. But autodiscover is not working if the mailbox has been migrated. It will work internally if the mailbox is still on 2010, but prompts for a password.

I have my virtual directories set up on my new server. They all point to the same URL, mail.mydomain.com, except for autodiscover, which is autodiscover.mydomain.com.

I have moved my DNS records to my Exchange 2013 server.  Mail flow is working.  OWA shows as 2013 and will switch to 2010 if the user is on that server.  

I can connect to the autodiscover URL on my new server. It prompts for login and the XML page that displays looks correct.

When I try to connect a user to Outlook 2010 or 2013 and it tries to autodiscover the setup, it fails with the error: "An encrypted connection to your mail server is not available. Click Next to attempt using an unencrypted connection." Clicking Next fails. I can get it to connect by manually setting up the server settings.

I have read many online articles and tried lots of things but am not getting it to work.
mschiradAsked:

Simon Butler (Sembee)ConsultantCommented:
Have you changed the internal URL for Autodiscover?

get-clientaccessserver | select identity, autodiscoverserviceinternaluri

In this scenario they should be identical.
Internally clients do not use autodiscover.example.com - they query the domain for the above value, which MAY be autodiscover.example.com but it is just a URL.

Simon.
mschiradAuthor Commented:
Yes.  The internal URL for autodiscover on both servers is the same:

https://autodiscover.domain.com/autodiscover/autodiscover.xml

I have my local DNS for autodiscover.domain.com set to the 2013 server.
Simon Butler (Sembee)ConsultantCommented:
What about Outlook Anywhere?
Exchange 2013 only uses Outlook Anywhere to connect.
Have you removed the external URL from Outlook Anywhere on the Exchange 2010 server?

Simon.
mschiradAuthor Commented:
My external host name for Outlook Anywhere is mail.mydomain.com. I did not remove this.

I have mail.mydomain.com DNS record pointed to Exchange 2013

Should I remove this?  I guess I thought the config could still be there I just needed to move DNS.
Simon Butler (Sembee)ConsultantCommented:
If you have that in Outlook Anywhere on the older version then you do need to remove it. Exchange will proxy it across from Exchange 2013. However, by leaving it in you stop the proxy from taking place, so Exchange attempts to redirect the client to the address, which means it routes back on itself.

Simon.
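The checks Simon asks for in his two replies above (the Autodiscover SCP value on every Client Access server, the Outlook Anywhere external host name on the 2010 server, and where the namespaces resolve in DNS) can be gathered in one pass from the Exchange 2013 Management Shell. The script below is an added example, not code from the thread or from Exchange; it only reads configuration, and the host names, the server name `EX2013` and the expected values are placeholders to adjust for your environment.

```powershell
# Added example, not code from the thread: a read-only coexistence audit run
# from the Exchange 2013 Management Shell. Host names and server name are placeholders.
$expectedScp = 'https://autodiscover.domain.com/autodiscover/autodiscover.xml'
$server2013  = 'EX2013'          # placeholder: NetBIOS name of the 2013 server
$namespaces  = 'autodiscover.domain.com', 'mail.domain.com'

$results = @()

# 1. SCP: domain-joined Outlook finds Autodiscover through this AD value (not
#    through the autodiscover.* DNS name), so it must match on 2010 and 2013.
foreach ($cas in Get-ClientAccessServer) {
    $uri = [string]$cas.AutoDiscoverServiceInternalUri
    $results += [pscustomobject]@{
        Check  = 'Autodiscover SCP'
        Server = $cas.Name
        Value  = $uri
        OK     = ($uri -eq $expectedScp)
    }
}

# 2. Outlook Anywhere: per the advice in the thread, the 2010 server should not
#    advertise its own external host name, otherwise 2013 redirects instead of
#    proxying. Flag any server other than the 2013 one that still has one set.
foreach ($oa in Get-OutlookAnywhere) {
    $ext    = [string]$oa.ExternalHostname
    $is2013 = ($oa.ServerName -eq $server2013)
    $shown  = '(none)'
    if ($ext) { $shown = $ext }
    $results += [pscustomobject]@{
        Check  = 'Outlook Anywhere ExternalHostname'
        Server = $oa.ServerName
        Value  = $shown
        OK     = ($is2013 -or -not $ext)
    }
}

# 3. DNS: both namespaces should now resolve to the 2013 server's address.
$target = (Resolve-DnsName -Name $server2013 -Type A -ErrorAction Stop |
           Where-Object { $_.Type -eq 'A' } | Select-Object -First 1).IPAddress
foreach ($name in $namespaces) {
    $ips = @(Resolve-DnsName -Name $name -Type A -ErrorAction SilentlyContinue |
             Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
    $shown = '(no A record)'
    if ($ips) { $shown = $ips -join ', ' }
    $results += [pscustomobject]@{
        Check  = 'DNS A record'
        Server = $name
        Value  = $shown
        OK     = ($ips -contains $target)
    }
}

$results | Format-Table Check, Server, Value, OK -AutoSize
```

A row with `OK = False` in the first group means the SCP differs between servers, which sends internal clients to whichever server they happen to read from AD; a `False` in the second group is the condition Simon describes, where the 2010 server still publishes an external name and so gets a redirect rather than a proxy.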
mschiradAuthor Commented:
How do I remove this?  Or do I just name it something different?
mschiradAuthor Commented:
This issue has not been resolved. I am still looking for a solution.  I am getting these errors in the event log:

WebHost failed to process a request.
 Sender Information: System.ServiceModel.ServiceHostingEnvironment+HostingManager/4032828
 Exception: System.ServiceModel.ServiceActivationException: The service '/Autodiscover/autodiscover.svc' cannot be activated due to an exception during compilation.  The exception message is: The authentication schemes configured on the host ('IntegratedWindowsAuthentication') do not allow those configured on the binding 'CustomBinding' ('Anonymous').  Please ensure that the SecurityMode is set to Transport or TransportCredentialOnly.  Additionally, this may be resolved by changing the authentication schemes for this application through the IIS management tool, through the ServiceHost.Authentication.AuthenticationSchemes property, in the application configuration file at the <serviceAuthenticationManager> element, by updating the ClientCredentialType property on the binding, or by adjusting the AuthenticationScheme property on the HttpTransportBindingElement.. ---> System.NotSupportedException: The authentication schemes configured on the host ('IntegratedWindowsAuthentication') do not allow those configured on the binding 'CustomBinding' ('Anonymous').  Please ensure that the SecurityMode is set to Transport or TransportCredentialOnly.  Additionally, this may be resolved by changing the authentication schemes for this application through the IIS management tool, through the ServiceHost.Authentication.AuthenticationSchemes property, in the application configuration file at the <serviceAuthenticationManager> element, by updating the ClientCredentialType property on the binding, or by adjusting the AuthenticationScheme property on the HttpTransportBindingElement.
   at System.ServiceModel.Channels.HttpTransportBindingElement.UpdateAuthenticationSchemes(BindingContext context)
   at System.ServiceModel.Channels.HttpsTransportBindingElement.BuildChannelListener[TChannel](BindingContext context)
   at System.ServiceModel.Channels.Binding.BuildChannelListener[TChannel](Uri listenUriBaseAddress, String listenUriRelativeAddress, ListenUriMode listenUriMode, BindingParameterCollection parameters)
   at System.ServiceModel.Description.DispatcherBuilder.MaybeCreateListener(Boolean actuallyCreate, Type[] supportedChannels, Binding binding, BindingParameterCollection parameters, Uri listenUriBaseAddress, String listenUriRelativeAddress, ListenUriMode listenUriMode, ServiceThrottle throttle, IChannelListener& result, Boolean supportContextSession)
   at System.ServiceModel.Description.DispatcherBuilder.BuildChannelListener(StuffPerListenUriInfo stuff, ServiceHostBase serviceHost, Uri listenUri, ListenUriMode listenUriMode, Boolean supportContextSession, IChannelListener& result)
   at System.ServiceModel.Description.DispatcherBuilder.InitializeServiceHost(ServiceDescription description, ServiceHostBase serviceHost)
   at System.ServiceModel.ServiceHostBase.InitializeRuntime()
   at System.ServiceModel.ServiceHostBase.OnOpen(TimeSpan timeout)
   at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
   at System.ServiceModel.ServiceHostingEnvironment.HostingManager.ActivateService(ServiceActivationInfo serviceActivationInfo, EventTraceActivity eventTraceActivity)
   at System.ServiceModel.ServiceHostingEnvironment.HostingManager.EnsureServiceAvailable(String normalizedVirtualPath, EventTraceActivity eventTraceActivity)
   --- End of inner exception stack trace ---
   at System.ServiceModel.ServiceHostingEnvironment.HostingManager.EnsureServiceAvailable(String normalizedVirtualPath, EventTraceActivity eventTraceActivity)
   at System.ServiceModel.ServiceHostingEnvironment.EnsureServiceAvailableFast(String relativeVirtualPath, EventTraceActivity eventTraceActivity)
 Process Name: w3wp
 Process ID: 9992


Simon Butler (Sembee)ConsultantCommented:
That looks like modifications have been made to the Autodiscover virtual directory.
I would remove the virtual directory with the command

remove-autodiscovervirtualdirectory

then run IISRESET to ensure the change is written to the IIS metabase, then recreate it with new-autodiscovervirtualdirectory

Simon.
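Written out for an Exchange 2013 server, which carries an Autodiscover virtual directory on both the "Default Web Site" (front end) and the "Exchange Back End" site, the remove / IISRESET / recreate sequence Simon describes looks like the following. This is an added example rather than code from the thread; `EX2013` and the URL are placeholders, and the `-Role` values are the ones Exchange 2013 uses to distinguish the two directories.

```powershell
# Added example, not code from the thread: rebuild both Autodiscover virtual
# directories on an Exchange 2013 server. Server name and URL are placeholders.
$server          = 'EX2013'
$autodiscoverUrl = 'https://autodiscover.domain.com/autodiscover/autodiscover.xml'

# Keep a record of the current settings to compare against after the rebuild.
Get-AutodiscoverVirtualDirectory -Server $server |
    Format-List Identity, InternalUrl, ExternalUrl, BasicAuthentication, WindowsAuthentication, DigestAuthentication

# Remove both directories (the cmdlet prompts for confirmation), then restart IIS
# so the removal is committed before anything is recreated.
Get-AutodiscoverVirtualDirectory -Server $server | Remove-AutodiscoverVirtualDirectory
iisreset

# Recreate the client-facing directory with its URLs, and the back-end directory
# that the front end proxies requests to.
New-AutodiscoverVirtualDirectory -Server $server -WebSiteName 'Default Web Site' -Role ClientAccess `
    -InternalUrl $autodiscoverUrl -ExternalUrl $autodiscoverUrl
New-AutodiscoverVirtualDirectory -Server $server -WebSiteName 'Exchange Back End' -Role Mailbox
iisreset

# Confirm the rebuilt directories. The SCP is a server setting, not a
# virtual-directory setting, so the rebuild does not change it; check it separately.
Get-AutodiscoverVirtualDirectory -Server $server | Format-List Identity, InternalUrl, ExternalUrl
Get-ClientAccessServer -Identity $server | Format-List Name, AutoDiscoverServiceInternalUri
```

Taking the "before" listing first matters: the event-log exception quoted above is about the authentication schemes on the directory, so having the pre-rebuild values on hand lets you see what actually changed once the new directories come up.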

mschiradAuthor Commented:
I finally got this figured out.

I made sure my authentication for the autodiscover virtual directory (on both front and back end) was set like this:
·Anonymous Authentication: Enabled
·ASP.NET Impersonation: Disabled
·Basic Authentication: Enabled
·Digest Authentication: Disabled
·Forms Authentication: Disabled
·Windows Authentication: Enabled
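The list above can be verified from the IIS side rather than by clicking through the console. The exception quoted earlier in the thread says the host allowed only `IntegratedWindowsAuthentication` while the `autodiscover.svc` binding needed `Anonymous`, which is consistent with anonymous authentication having been switched off on the directory, so that setting is the first one worth confirming. The script below is an added example, not code from the thread; it reads the IIS configuration of the Autodiscover directory on both sites of the 2013 server and compares it with the expected state listed above. It assumes the `WebAdministration` module that ships with IIS, and that ASP.NET impersonation and Forms authentication are read from the `system.web` section, which is where those two ASP.NET settings live.

```powershell
# Added example, not code from the thread: compare the IIS authentication
# settings on the Autodiscover virtual directory against the expected list,
# on both the front-end and back-end sites. Read-only; run in an elevated shell.
Import-Module WebAdministration

# Expected state, taken from the list in the post above.
$expectedIis = [ordered]@{
    anonymousAuthentication = $true
    basicAuthentication     = $true
    digestAuthentication    = $false
    windowsAuthentication   = $true
}

function Get-IisValue {
    param([string]$PSPath, [string]$Filter, [string]$Name)
    # Attribute reads come back wrapped in a ConfigurationAttribute; unwrap .Value when present.
    $v = Get-WebConfigurationProperty -PSPath $PSPath -Filter $Filter -Name $Name
    if ($null -ne $v -and $v.PSObject.Properties['Value']) { return $v.Value }
    return $v
}

function Test-AutodiscoverAuth {
    param([string]$SiteName)
    $path = "IIS:\Sites\$SiteName\Autodiscover"
    $rows = @()

    # IIS authentication modules (system.webServer).
    foreach ($key in $expectedIis.Keys) {
        $actual = [bool](Get-IisValue -PSPath $path -Filter "system.webServer/security/authentication/$key" -Name enabled)
        $rows += [pscustomobject]@{
            Site = $SiteName; Setting = $key
            Expected = $expectedIis[$key]; Actual = $actual; OK = ($actual -eq $expectedIis[$key])
        }
    }

    # ASP.NET impersonation and Forms authentication are ASP.NET settings (system.web).
    $impersonate = [bool](Get-IisValue -PSPath $path -Filter 'system.web/identity' -Name impersonate)
    $rows += [pscustomobject]@{
        Site = $SiteName; Setting = 'aspNetImpersonation'
        Expected = $false; Actual = $impersonate; OK = (-not $impersonate)
    }
    $mode = [string](Get-IisValue -PSPath $path -Filter 'system.web/authentication' -Name mode)
    $rows += [pscustomobject]@{
        Site = $SiteName; Setting = 'formsAuthentication'
        Expected = $false; Actual = ($mode -eq 'Forms'); OK = ($mode -ne 'Forms')
    }
    return $rows
}

$report = foreach ($site in 'Default Web Site', 'Exchange Back End') {
    Test-AutodiscoverAuth -SiteName $site
}
$report | Format-Table Site, Setting, Expected, Actual, OK -AutoSize
if ($report | Where-Object { -not $_.OK }) {
    Write-Warning 'Autodiscover authentication differs from the expected state on at least one site.'
}
```

Running it before and after a change gives a record of exactly which setting moved, which is what the event log alone does not show; the same comparison can be re-run after every cumulative update, since those recreate the virtual directories.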
mschiradAuthor Commented:
I did not reset the virtual directories, but I did check the authentication, and perhaps if I had reset them it would have fixed it, but I didn't want to delete without doing further investigation. After I made changes I watched the event logs to see what the responses were and went from there.