Exchange AutoDiscover in Exchange 2010/2013 co-existence


Have this weird issue with 2 installations. The easy one - 2010MBX, 2010CAS and 2013CAS/MBX (the complex is 4x2010MBX,2x2010CAS,8x2010CAS and MBX and 7 x 2013 CAS/MBX). But let's focus on the easy one.

Everything is working in co-existence with 2013 as CAS --- everything but autodiscover.
We use for autodiscover, and for other https services.
When we test autodiscover with 2013 CAS with a 2013 user, all is good.
When we test autodiscover with 2010 CAS and a 2010 user, all is good.
When we test autodiscover with 2013 CAS and a 2010 user, authentication prompts are displayed, but no username/password is accepted.

I've done several other migrations, but these are the only ones making trouble.

URLs are correct
auth is the same on both servers ---
Jakob Digranes, Senior Consultant, asked:

Simon Butler (Sembee), Consultant, commented:
Where does the Autodiscover URL point? To Exchange 2010 or Exchange 2013?

What version of Outlook are the clients? Are they fully up to date? What are the client OS?

Jakob Digranes, Senior Consultant, Author, commented:
Thanks for attending to this, Simon!

autodiscover in production points to Exch2010 - so users can work.
For test users - I've pointed it to Exchange 2013 server.
Outlook clients are both Outlook 2010 and 2013
Client OS is Win7 all over
It happens to a variety of clients. I've tested with testconnectivity offline client and it claims that SSL certificate for doesn't contain the hostname (but it does - when opening certificate in web on both 2010 and 2013 server, it is okay).

Simon Butler (Sembee), Consultant, commented:
Authentication prompts often do mean an SSL certificate error.
As the testing tools are complaining, that would suggest there is a problem with the certificate, or the wrong certificate is being presented to the clients.

You need to see what SSL certificate is being returned to the clients.
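
One way to see what each CAS actually presents for the Autodiscover name, as an added example that is not part of the original thread. All host names are placeholders (the thread does not show the real ones); the function connects to a given server, asks for the Autodiscover name in the TLS handshake, and reports whether that name is on the returned certificate.

```powershell
# Added example. All host names below are placeholders, not values from the thread.
function Get-PresentedCertificate {
    param(
        [Parameter(Mandatory=$true)][string]$ComputerName,  # machine to connect to
        [Parameter(Mandatory=$true)][string]$RequestedName, # name the client asks for
        [int]$Port = 443
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($ComputerName, $Port)
        # Accept whatever is presented: the goal is to inspect it, not to trust it.
        $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAny)
        $ssl.AuthenticateAsClient($RequestedName)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]$ssl.RemoteCertificate

        # Subject Alternative Name extension (OID 2.5.29.17), one "label=value" per line.
        # Windows localizes the labels, so keep only the text after '='.
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $names = @()
        if ($san) {
            $names = @($san.Format($true) -split '\r?\n' |
                Where-Object { $_ -match '=' } |
                ForEach-Object { ($_ -split '=', 2)[1].Trim() })
        }

        # Exact match, or a wildcard entry that covers exactly one leading label.
        $dot = $RequestedName.IndexOf('.')
        $wildcard = if ($dot -gt 0) { '*' + $RequestedName.Substring($dot) } else { $null }

        New-Object PSObject -Property @{
            Server     = $ComputerName
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            SanNames   = $names
            NameOnCert = ($names -contains $RequestedName) -or ($names -contains $wildcard)
        }
    }
    finally { $client.Close() }
}

$name = 'autodiscover.example.test'                  # placeholder
'cas2010.example.test', 'cas2013.example.test' |     # placeholders
    ForEach-Object { Get-PresentedCertificate -ComputerName $_ -RequestedName $name } |
    Format-List Server, NameOnCert, Subject, Thumbprint, NotAfter, SanNames
```

Differing thumbprints between the two servers, or `NameOnCert` being false on one of them, shows which endpoint is returning a certificate the client will not accept for that name.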


Jakob Digranes, Senior Consultant, Author, commented:
I've examined the certificate back and forth. Connectivity analyzer says that the site presented has the correct name ( but the certificate doesn't contain that name. But this is a SAN cert, and all other ways of examining this show the same certificate, and that the correct SAN entry is present. Opening it in a variety of browsers gives no errors.

Simon Butler (Sembee), Consultant, commented:
The only thing I can suggest is to get the certificate rekeyed.
That will ensure the correct certificate is presented.

Do you have a specific A record for Autodiscover in DNS? Rather than using a wildcard.

If this is internal machines, try changing the AutodiscoverServiceInternalURI to the common name on the certificate.

Jakob Digranes, Senior Consultant, Author, commented:
Hi --- looks like the trick was that the OAB directory had lost its permissions ---
and changing Windows auth to negotiate/ntlm on all servers --- will see tomorrow if this is fixed then.

Jakob Digranes, Senior Consultant, Author, commented:
Nope ... this was no good.
Discovered this now:
Opening the OAB URL in a web browser gives an HTTP 500 error.
Trying to download from Outlook, it just hangs on processing.
Tried most authentication settings, but ended up with Windows Auth only and RequireSSL.
Tried with basic, basic + Windows Auth, turning SSL on and off.
Tried changing providers as well.
When browsing /oab.xml directly to EX2010 it's working, so it is the proxying between 2013 and 2010 that's not working.
Seemed a bit like this, but only one distribution point, and we're already at CU8: 

A workaround I'll test is to create a separate OAB URL pointing directly to EX2010 - but it would be nice to know why this happens ...


Jakob Digranes, Senior Consultant, Author, commented:
Not really the solution, but the troubleshooting process should perhaps stand - as it may help others with similar problems.
This just worked after some time waiting --- might be IIS delays and an impatient consultant.