Exchange 2010 - ActiveSync with AutoDiscover

I am attempting to get ActiveSync by Autodiscover working correctly on a new Exchange 2010 install

DMZ  - TMG 2010
LAN Multirole Exchange 2010 SP3 Server

I am seeing the following in the TMG logs

Action Denied
Status 12309 The server requires authorization to fulfill the request. Access to the Web server is denied.
Request POST http://autodiscover.domain.co.uk/Autodiscover/Autodiscover.xml

The authorization delegation for this rule is set to Basic Authentication

ActiveSync works if you fill in the details manually.
Asked by Stuart (Technical Architect - Cloud)

Stuart (Technical Architect - Cloud, Author) commented:
RCA ActiveSync with Autodiscover Test & Results

Attempting the Autodiscover and Exchange ActiveSync test (if requested).
Testing of Autodiscover for Exchange ActiveSync failed.
Additional Details
Elapsed Time: 26771 ms.
Test Steps
Attempting each method of contacting the Autodiscover service.
The Autodiscover service couldn't be contacted successfully by any method.
Additional Details
Elapsed Time: 26771 ms.
Test Steps
Attempting to test potential Autodiscover URL https://<domainname>.co.uk:443/Autodiscover/Autodiscover.xml
Testing of this potential Autodiscover URL failed.
Additional Details
Elapsed Time: 1635 ms.
Test Steps
Attempting to resolve the host name <domainname>.co.uk in DNS.
The host name resolved successfully.
Additional Details
IP addresses returned: 77.246.167.153
Elapsed Time: 218 ms.
Testing TCP port 443 on host <domainname>.co.uk to ensure it's listening and open.
The port was opened successfully.
Additional Details
Elapsed Time: 279 ms.
Testing the SSL certificate to make sure it's valid.
The certificate passed all validation requirements.
Additional Details
Elapsed Time: 370 ms.
Test Steps
The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server <domainname>.co.uk on port 443.
The Microsoft Connectivity Analyzer successfully obtained the remote SSL certificate.
Additional Details
Remote Certificate Subject: CN=www.<domainname>.co.uk, OU=IT, O=THE My Company COMPANY LIMITED, L=Sunderland, S=Great Britain, C=GB, Issuer: CN=thawte SSL CA - G2, O="thawte, Inc.", C=US.
Elapsed Time: 331 ms.
Validating the certificate name.
The certificate name was validated successfully.
Additional Details
Host name <domainname>.co.uk was found in the Certificate Subject Alternative Name entry.
Elapsed Time: 0 ms.
Certificate trust is being validated.
The certificate is trusted and all certificates are present in the chain.
Test Steps
The Microsoft Connectivity Analyzer is attempting to build certificate chains for certificate CN=www.<domainname>.co.uk, OU=IT, O=THE My Company COMPANY LIMITED, L=Sunderland, S=Great Britain, C=GB.
One or more certificate chains were constructed successfully.
Additional Details
A total of 1 chains were built. The highest quality chain ends in root certificate CN=thawte Primary Root CA, OU="(c) 2006 thawte, Inc. - For authorized use only", OU=Certification Services Division, O="thawte, Inc.", C=US.
Elapsed Time: 15 ms.
Analyzing the certificate chains for compatibility problems with versions of Windows.
Potential compatibility problems were identified with some versions of Windows.
Additional Details
The Microsoft Connectivity Analyzer can only validate the certificate chain using the Root Certificate Update functionality from Windows Update. Your certificate may not be trusted on Windows if the "Update Root Certificates" feature isn't enabled.
Elapsed Time: 2 ms.
Testing the certificate date to confirm the certificate is valid.
Date validation passed. The certificate hasn't expired.
Additional Details
The certificate is valid. NotBefore = 4/1/2015 12:00:00 AM, NotAfter = 3/31/2017 11:59:59 PM
Elapsed Time: 0 ms.
Checking the IIS configuration for client certificate authentication.
Client certificate authentication wasn't detected.
Additional Details
Accept/Require Client Certificates isn't configured.
Elapsed Time: 438 ms.
Attempting to send an Autodiscover POST request to potential Autodiscover URLs.
Autodiscover settings weren't obtained when the Autodiscover POST request was sent.
Additional Details
Elapsed Time: 328 ms.
Test Steps
The Microsoft Connectivity Analyzer is attempting to retrieve an XML Autodiscover response from URL https://<domainname>.co.uk:443/Autodiscover/Autodiscover.xml for user johnst@<domainname>.co.uk.
The Microsoft Connectivity Analyzer failed to obtain an Autodiscover XML response.
Additional Details
A redirect response was received, but only HTTPS redirect URLs are supported in response to a POST request. The URL that was received was http://www.<domainname>.co.uk/Autodiscover/Autodiscover.xml. HTTP Response Headers: Connection: close Content-Length: 0 Location: http://www.<domainname>.co.uk/Autodiscover/Autodiscover.xml
Elapsed Time: 327 ms.
Attempting to test potential Autodiscover URL https://autodiscover.<domainname>.co.uk:443/Autodiscover/Autodiscover.xml
Testing of this potential Autodiscover URL failed.
Additional Details
Elapsed Time: 3857 ms.
Test Steps
Attempting to resolve the host name autodiscover.<domainname>.co.uk in DNS.
The host name resolved successfully.
Additional Details
IP addresses returned: 212.188.135.132
Elapsed Time: 267 ms.
Testing TCP port 443 on host autodiscover.<domainname>.co.uk to ensure it's listening and open.
The port was opened successfully.
Additional Details
Elapsed Time: 245 ms.
Testing the SSL certificate to make sure it's valid.
The certificate passed all validation requirements.
Additional Details
Elapsed Time: 362 ms.
Test Steps
The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server autodiscover.<domainname>.co.uk on port 443.
The Microsoft Connectivity Analyzer successfully obtained the remote SSL certificate.
Additional Details
Remote Certificate Subject: CN=mail.<domainname>.co.uk, OU=IT, O=THE My Company COMPANY LIMITED, L=SUNDERLAND, S=GREAT BRITAIN, C=GB, Issuer: CN=thawte SSL CA - G2, O="thawte, Inc.", C=US.
Elapsed Time: 326 ms.
Validating the certificate name.
The certificate name was validated successfully.
Additional Details
Host name autodiscover.<domainname>.co.uk was found in the Certificate Subject Alternative Name entry.
Elapsed Time: 0 ms.
Certificate trust is being validated.
The certificate is trusted and all certificates are present in the chain.
Test Steps
The Microsoft Connectivity Analyzer is attempting to build certificate chains for certificate CN=mail.<domainname>.co.uk, OU=IT, O=THE My Company COMPANY LIMITED, L=SUNDERLAND, S=GREAT BRITAIN, C=GB.
One or more certificate chains were constructed successfully.
Additional Details
A total of 1 chains were built. The highest quality chain ends in root certificate CN=thawte Primary Root CA, OU="(c) 2006 thawte, Inc. - For authorized use only", OU=Certification Services Division, O="thawte, Inc.", C=US.
Elapsed Time: 14 ms.
Analyzing the certificate chains for compatibility problems with versions of Windows.
Potential compatibility problems were identified with some versions of Windows.
Additional Details
The Microsoft Connectivity Analyzer can only validate the certificate chain using the Root Certificate Update functionality from Windows Update. Your certificate may not be trusted on Windows if the "Update Root Certificates" feature isn't enabled.
Elapsed Time: 2 ms.
Testing the certificate date to confirm the certificate is valid.
Date validation passed. The certificate hasn't expired.
Additional Details
The certificate is valid. NotBefore = 8/5/2015 12:00:00 AM, NotAfter = 8/4/2017 11:59:59 PM
Elapsed Time: 0 ms.
Checking the IIS configuration for client certificate authentication.
Client certificate authentication wasn't detected.
Additional Details
Accept/Require Client Certificates isn't configured.
Elapsed Time: 428 ms.
Attempting to send an Autodiscover POST request to potential Autodiscover URLs.
Autodiscover settings weren't obtained when the Autodiscover POST request was sent.
Additional Details
Elapsed Time: 2553 ms.
Test Steps
The Microsoft Connectivity Analyzer is attempting to retrieve an XML Autodiscover response from URL https://autodiscover.<domainname>.co.uk:443/Autodiscover/Autodiscover.xml for user <user>@<domainname>.co.uk.
The Autodiscover XML response was successfully retrieved.
Additional Details
An HTTPS redirect was received in response to the Autodiscover request. The redirect URL is https://mail.<domainname>.co.uk/OWA. HTTP Response Headers: Connection: Keep-Alive Content-Length: 162 Content-Type: text/html; charset=UTF-8 Date: Tue, 08 Sep 2015 09:46:58 GMT Location: https://mail.<domainname>.co.uk/OWA Set-Cookie: cadata8E206409B73640869FDEF2118D0C5D58="04f67a654-caad-4f58-9845-7593563e3f3d61bi0Dd6MetXW4Gb/Y92IMpJbYwnQNwqL/qqlfOmKqm1pil69SxRsYjzOP1rfeMEo0PhtFUXBITHEm86+Cfn4YJuk29l3wAjZeWfG7HVyHDMoaBS392XXPuBHhalXH9KmCaNly6OCkbvwIFGSNkWHQx3iSZH+F4LJGOj/T0VzTA="; HttpOnly; secure; path=/ Server: Microsoft-IIS/7.5 X-Powered-By: ASP.NET
Elapsed Time: 637 ms.
Attempting to test potential Autodiscover URL https://mail.<domainname>.co.uk/OWA
Testing of this potential Autodiscover URL failed.
Additional Details
Elapsed Time: 1916 ms.
Test Steps
Attempting to resolve the host name mail.<domainname>.co.uk in DNS.
The host name resolved successfully.
Additional Details
IP addresses returned: 212.188.135.132
Elapsed Time: 243 ms.
Testing TCP port 443 on host mail.<domainname>.co.uk to ensure it's listening and open.
The port was opened successfully.
Additional Details
Elapsed Time: 244 ms.
Testing the SSL certificate to make sure it's valid.
The certificate passed all validation requirements.
Additional Details
Elapsed Time: 361 ms.
Test Steps
The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server mail.<domainname>.co.uk on port 443.
The Microsoft Connectivity Analyzer successfully obtained the remote SSL certificate.
Additional Details
Remote Certificate Subject: CN=mail.<domainname>.co.uk, OU=IT, O=THE My Company COMPANY LIMITED, L=SUNDERLAND, S=GREAT BRITAIN, C=GB, Issuer: CN=thawte SSL CA - G2, O="thawte, Inc.", C=US.
Elapsed Time: 325 ms.
Validating the certificate name.
The certificate name was validated successfully.
Additional Details
Host name mail.<domainname>.co.uk was found in the Certificate Subject Common name.
Elapsed Time: 0 ms.
Certificate trust is being validated.
The certificate is trusted and all certificates are present in the chain.
Test Steps
The Microsoft Connectivity Analyzer is attempting to build certificate chains for certificate CN=mail.<domainname>.co.uk, OU=IT, O=THE My Company COMPANY LIMITED, L=SUNDERLAND, S=GREAT BRITAIN, C=GB.
One or more certificate chains were constructed successfully.
Additional Details
A total of 1 chains were built. The highest quality chain ends in root certificate CN=thawte Primary Root CA, OU="(c) 2006 thawte, Inc. - For authorized use only", OU=Certification Services Division, O="thawte, Inc.", C=US.
Elapsed Time: 15 ms.
Analyzing the certificate chains for compatibility problems with versions of Windows.
Potential compatibility problems were identified with some versions of Windows.
Additional Details
The Microsoft Connectivity Analyzer can only validate the certificate chain using the Root Certificate Update functionality from Windows Update. Your certificate may not be trusted on Windows if the "Update Root Certificates" feature isn't enabled.
Elapsed Time: 2 ms.
Testing the certificate date to confirm the certificate is valid.
Date validation passed. The certificate hasn't expired.
Additional Details
The certificate is valid. NotBefore = 8/5/2015 12:00:00 AM, NotAfter = 8/4/2017 11:59:59 PM
Elapsed Time: 0 ms.
Checking the IIS configuration for client certificate authentication.
Client certificate authentication wasn't detected.
Additional Details
Accept/Require Client Certificates isn't configured.
Elapsed Time: 431 ms.
Attempting to send an Autodiscover POST request to potential Autodiscover URLs.
Autodiscover settings weren't obtained when the Autodiscover POST request was sent.
Additional Details
Elapsed Time: 635 ms.
Test Steps
The Microsoft Connectivity Analyzer is attempting to retrieve an XML Autodiscover response from URL https://mail.<domainname>.co.uk/OWA for user johnst@<domainname>.co.uk.
The Microsoft Connectivity Analyzer failed to obtain an Autodiscover XML response.
Additional Details
The URL specified in the location HTTP header is invalid or is not an absolute URL: /OWA/ HTTP Response Headers: Connection: Keep-Alive Set-Cookie: cadata8E206409B73640869FDEF2118D0C5D58="041d54715-ae1f-434e-94bf-5c7702947fd76FP8Uc4Xt1Jp2DgIyUND+CRBO4TeI0TtQagcmVS3z+qT7oJuYOmEsEgQN0/epu2+dXh+81jddmZPAd/4T6DjtHEz3sT3mDmfPIS3lyEhDSqXVwB6sNYoB74ZeRJZj4JVl/6qdOlN2exvJJ2wRZRS/cnOA1Gmex8Sd0OV7UJBU/U="; HttpOnly; secure; path=/,ISAWPLB{570AC566-4FDF-4AB2-B140-76A94A9395CD}={46C022A9-4859-4399-A2FF-23250EFEA657}; HttpOnly; Path=/ Content-Length: 0 Date: Tue, 08 Sep 2015 09:47:00 GMT Location: /OWA/ X-Powered-By: ASP.NET X-UA-Compatible: IE=EmulateIE7
Elapsed Time: 634 ms.
Attempting to contact the Autodiscover service using the HTTP redirect method.
The attempt to contact Autodiscover using the HTTP Redirect method failed.
Additional Details
Elapsed Time: 21037 ms.
Test Steps
Attempting to resolve the host name autodiscover.<domainname>.co.uk in DNS.
The host name resolved successfully.
Additional Details
IP addresses returned: 212.188.135.132
Elapsed Time: 9 ms.
Testing TCP port 80 on host autodiscover.<domainname>.co.uk to ensure it's listening and open.
The specified port is either blocked, not listening, or not producing the expected response.
Additional Details
A network error occurred while communicating with the remote host.
Elapsed Time: 21027 ms.
Attempting to contact the Autodiscover service using the DNS SRV redirect method.
The Microsoft Connectivity Analyzer failed to contact the Autodiscover service using the DNS SRV redirect method.
Additional Details
Elapsed Time: 107 ms.
Test Steps
Attempting to locate SRV record _autodiscover._tcp.<domainname>.co.uk in DNS.
The Autodiscover SRV record wasn't found in DNS.
Additional Details
Elapsed Time: 107 ms.
Checking if there is an autodiscover CNAME record in DNS for your domain '<domainname>.co.uk' for Office 365.
Failed to validate autodiscover CNAME record in DNS. If your mailbox isn't in Office 365, you can ignore this warning.
Additional Details
There is no Autodiscover CNAME record for your domain '<domainname>.co.uk'.
Elapsed Time: 133 ms.
0
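Added example, not code from this thread or from Microsoft: a small Python model of the Autodiscover lookup order the Connectivity Analyzer walks in the transcript above (HTTPS POST to the domain, HTTPS POST to the autodiscover host, unauthenticated GET on port 80, DNS SRV), with the two redirect rules it enforced: a POST only follows an absolute URL, and only an HTTPS one. `fetch`, `srv_lookup`, the `example.co.uk` names and the responses in `transcript_fetch` are assumptions constructed from the transcript so the model runs offline; the same http://www redirect failure is the one left in the later post.

```python
from urllib.parse import urlparse

AD_PATH = "/Autodiscover/Autodiscover.xml"

def redirect_error(location):
    """Why a POST must not follow this Location, or None if it is acceptable."""
    if not location:
        return "no Location header"
    p = urlparse(location)
    if not p.scheme or not p.netloc:
        return "Location is not an absolute URL: " + location  # the '/OWA/' case
    if p.scheme.lower() != "https":
        return "only HTTPS redirect URLs are supported: " + location  # the http://www case
    return None

def probe(fetch, method, url, trace):
    """One request via the injected fetch(method, url) -> (status, headers, body).
    Returns (xml, next_url), at most one of them set, and records the outcome."""
    try:
        status, headers, body = fetch(method, url)
    except OSError as exc:  # e.g. the port-80 GET that never connected
        trace.append((url, "network error: %s" % exc))
        return None, None
    if status == 200 and body and method == "POST":
        trace.append((url, "ok"))
        return body, None
    err = redirect_error(headers.get("Location")) if status in (301, 302, 307) else "HTTP %d" % status
    trace.append((url, err or "redirect"))
    return None, (None if err else headers["Location"])

def autodiscover(domain, fetch, srv_lookup, max_requests=8):
    """Walk the candidates in analyzer order; fetch and srv_lookup are assumed injectables."""
    trace, srv = [], srv_lookup("_autodiscover._tcp." + domain)
    trace.append(("_autodiscover._tcp." + domain, srv or "SRV record not found"))
    queue = [("POST", "https://%s%s" % (domain, AD_PATH)),
             ("POST", "https://autodiscover.%s%s" % (domain, AD_PATH)),
             ("GET", "http://autodiscover.%s%s" % (domain, AD_PATH))]
    queue += [("POST", "https://%s%s" % (srv, AD_PATH))] if srv else []
    while queue and max_requests > 0:  # max_requests bounds redirect loops
        max_requests -= 1
        method, url = queue.pop(0)
        xml, nxt = probe(fetch, method, url, trace)
        if xml:
            return xml, trace
        if nxt:
            queue.insert(0, ("POST", nxt))  # a validated HTTPS target is tried next
    return None, trace

def transcript_fetch(method, url):
    """Constructed responses reproducing the analyzer output above for example.co.uk."""
    if url.startswith("http://"):
        raise OSError("port 80 blocked")
    host = urlparse(url).netloc
    if host == "example.co.uk":
        return 302, {"Location": "http://www.example.co.uk" + AD_PATH}, ""
    if host == "autodiscover.example.co.uk":
        return 302, {"Location": "https://mail.example.co.uk/OWA"}, ""
    if host == "mail.example.co.uk":
        return 302, {"Location": "/OWA/"}, ""
    return 404, {}, ""
```

Running `autodiscover("example.co.uk", transcript_fetch, lambda name: None)` returns no XML and a trace whose entries are the same failure reasons the analyzer printed; swapping in a fetch that answers the autodiscover host with 200 and an XML body returns that body on the second candidate.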
Amit Kumar commented:
Please go through this article; it seems you need to change the authentication delegation in the publishing rule.
0
Stuart (Technical Architect - Cloud, Author) commented:
Hi Amit, thanks for your advice. I attempted to change those rules as the article suggests, but as the web listener specifies that it requires auth (HTML Form Authentication) I cannot make these changes without setting that to No Authentication. Wouldn't that be a security risk? FYI - ActiveSync, OWA and Outlook Anywhere share the same listener and the config is word for word the same as this article - http://blogs.technet.com/b/exchange/archive/2010/07/16/publishing-exchange-server-2010-with-forefront-uag-and-tmg.aspx
0
Amit Kumar commented:
My article just says to use no delegation, but the client will still have to authenticate. TMG is highly integrated with AD, so it will work with authenticated users only.

On the other hand, TMG is an end-of-life product; I suggest not using it and going for a UTM firewall instead.
0
Stuart (Technical Architect - Cloud, Author) commented:
OK, so I'm a little closer now; only one part is failing (I don't think port 80 is open; is this definitely required?)

Attempting to send an Autodiscover POST request to potential Autodiscover URLs.
Autodiscover settings weren't obtained when the Autodiscover POST request was sent.
Additional Details
Elapsed Time: 332 ms.
Test Steps
The Microsoft Connectivity Analyzer is attempting to retrieve an XML Autodiscover response from URL https://<domainname>.co.uk:443/Autodiscover/Autodiscover.xml for user <username>@<domainname>.co.uk.
The Microsoft Connectivity Analyzer failed to obtain an Autodiscover XML response.
Additional Details
A redirect response was received, but only HTTPS redirect URLs are supported in response to a POST request. The URL that was received was http://www.<domainname>.co.uk/Autodiscover/Autodiscover.xml.
HTTP Response Headers:
Connection: close
Content-Length: 0
Location: http://www.<domainname>.co.uk/Autodiscover/Autodiscover.xml

Elapsed Time: 332 ms.
0
Stuart (Technical Architect - Cloud, Author) commented:
TMG logs from the RCA attempt

TMG.png
0
Amit Kumar commented:
Port 80 is not required.

Did you allow All Users in the TMG rule? I think if you allow all users it will solve your problem.
0
Stuart (Technical Architect - Cloud, Author) commented:
Still didn't work, I'm afraid. I'll take some screenshots in the morning :)
0
Stuart (Technical Architect - Cloud, Author) commented:
OK, I have allowed all users on the Outlook Anywhere rule. I tried to connect again from an Outlook 2013 client on a non-domain-joined machine and observed the logs on the TMG server.

[Screenshots: First log on TMG; Second log on TMG; Third log on TMG]
Still no luck :(

Are there any other tests I can do to pinpoint this issue?
0
Stuart (Technical Architect - Cloud, Author) commented:
Allowing all users made it so Outlook Anywhere started to work; however, Autodiscover is still an issue.
0