Exchange AutoDiscover in Exchange 2010/2013 co-existence

Hi

Have this weird issue with 2 installations. The easy one - 2010MBX, 2010CAS and 2013CAS/MBX (the complex is 4x2010MBX, 2x2010CAS, 8x2010CAS and MBX and 7 x 2013 CAS/MBX). But let's focus on the easy one.

Everything is working in co-existence with 2013 as CAS, everything but autodiscover.
We use autodiscover.domain.com for autodiscover, and outlook.domain.com for other https services.
When we test autodiscover with 2013 CAS with a 2013 user, all is good.
When we test autodiscover with 2010 CAS and a 2010 user, all is good.
When we test autodiscover with 2013 CAS and a 2010 user, authentication prompts are displayed, but no username/password is accepted.

I've done several other migrations, but these are the only ones making trouble.

URLs are correct
Auth is the same on both servers.
Jakob Digranes, Senior Consultant, asked:
Simon Butler (Sembee), Consultant, commented:
Where does the Autodiscover URL point? To Exchange 2010 or Exchange 2013?

What version of Outlook are the clients? Are they fully up to date? What are the client OS?

Simon.
0
Jakob Digranes, Senior Consultant, author, commented:
Thanks for attending to this, Simon!

Autodiscover in production points to Exch2010 - so users can work.
For test users - I've pointed it to Exchange 2013 server.
Outlook clients are both Outlook 2010 and 2013.
Client OS is Win7 all over.
It happens to a variety of clients. I've tested with testconnectivity offline client and it claims that SSL certificate for https://autodiscover.domain.com/autodiscover/autodiscover.xml doesn't contain the hostname autodiscover.domain.com (but it does - when opening certificate in web on both 2010 and 2013 server, it is okay).
0
Simon Butler (Sembee), Consultant, commented:
Authentication prompts often do mean an SSL certificate error.
As the testing tools are complaining, that would suggest there is a problem with the certificate, or the wrong certificate is being presented to the clients.

You need to see what SSL certificate is being returned to the clients.

Simon.
0
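One way to see which certificate each server actually returns for the Autodiscover name, as suggested in the comment above (an added example, not part of the original thread). The two server names at the end are hypothetical placeholders, and the SAN parsing assumes an English-language Windows, where the extension is printed as "DNS Name=...".

```powershell
# Added example. Server names in the last lines are hypothetical placeholders.
function Get-PresentedCertificate {
    param(
        [Parameter(Mandatory = $true)] [string] $Server,   # host or IP to connect to
        [Parameter(Mandatory = $true)] [string] $HostName, # name the client asks for (sent as SNI)
        [int] $Port = 443
    )
    # Accept any certificate: the goal is to inspect what is served, not to trust it.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($Server, $Port)
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList $tcp.GetStream(), $false, $acceptAll
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
        $ssl.Dispose()
    } finally {
        $tcp.Close()
    }
    # Subject Alternative Name extension (OID 2.5.29.17). The "DNS Name=" label
    # is what English-language Windows prints; other locales differ.
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sans = @()
    if ($sanExt) {
        $sans = @([regex]::Matches($sanExt.Format($false), 'DNS Name=([^,\s]+)') |
                  ForEach-Object { $_.Groups[1].Value })
    }
    # Exact match, or a wildcard entry covering exactly one leading label.
    $dot = $HostName.IndexOf('.')
    $covered = @($sans | Where-Object {
        $_ -eq $HostName -or
        ($_.StartsWith('*.') -and $dot -gt 0 -and $_.Substring(1) -eq $HostName.Substring($dot))
    }).Count -gt 0
    [pscustomobject]@{
        Server      = $Server
        Subject     = $cert.Subject
        Thumbprint  = $cert.Thumbprint
        NotAfter    = $cert.NotAfter
        SanDnsNames = $sans -join ', '
        NameCovered = $covered
    }
}

# Ask each CAS directly for the same name and compare what comes back.
$name = 'autodiscover.domain.com'
'ex2010cas.domain.local', 'ex2013.domain.local' |
    ForEach-Object { Get-PresentedCertificate -Server $_ -HostName $name } |
    Format-List
```

Different thumbprints between the two results, or NameCovered = False on one of them, means the servers are not presenting the same certificate for that name.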
Jakob Digranes, Senior Consultant, author, commented:
I've examined the certificate back and forth. Connectivity analyzer says that the site presented has the correct name (autodiscover.domain.com) but the certificate doesn't contain that name. But this is a SAN cert, and all other ways of examining this show the same certificate, and that the correct SAN entry is present. Trying to open autodiscover.domain.com in a variety of browsers gives no errors.
0
Simon Butler (Sembee), Consultant, commented:
The only thing I can suggest is to get the certificate rekeyed.
That will ensure the correct certificate is presented.

Do you have a specific A record for Autodiscover in DNS? Rather than using a wildcard.

If this is internal machines, try changing the AutodiscoverServiceInternalURI to the common name on the certificate.

Simon.
0
Jakob Digranes, Senior Consultant, author, commented:
Hi, looks like the trick was that the OAB directory had lost its permissions,
and changing Windows auth to negotiate/ntlm on all servers. Will see tomorrow if this is fixed then.
0
Jakob Digranes, Senior Consultant, author, commented:
Nope ... this was no good.
Discovered this now.
Opening the OAB URL in a web browser gives an HTTP 500 error.
Trying to download from Outlook, it just hangs on processing.
Tried most authentication settings, but ended up with Windows Auth only and RequireSSL.
Tried with basic, basic + Windows Auth, turning on and off SSL.
Tried changing providers as well.
When browsing /oab.xml directly to EX2010 it's working, so it is the proxying between 2013 and 2010 that's not working.
Seemed a bit like this, but only one distribution point, and we're already at CU8:
https://support.microsoft.com/en-us/kb/3037417

A workaround I'll test is to create a separate OAB URL pointing directly to EX2010 - but would be nice to know why this happens ...
0

Jakob Digranes, Senior Consultant, author, commented:
Not really the solution, but the troubleshooting process should perhaps stand - as it may help others in similar problems.
This just worked after some time waiting. Might be IIS delays and an impatient consultant.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.