Outlook Autodiscover service not working for external users

The problem we are facing is when adding a new account to Outlook, the Autodiscovery service is unable to find the autodiscover.xml file as the SMTP domain for the e-mail address is different to that of the Exchange server, i.e. joe.doe@domain.com while the Exchange server is exchangeserver.local. So Outlook looks for https://domain.com:443/Autodiscover/Autodiscover.xml which does not contain the .xml file as our server is on https://exchangeserver.local:443/Autodiscover/Autodiscover.xml.

Is there a way for this to be redirected from the SMTP domain to our exchange server? The autodiscover.domain.com is pointing to autodiscover.outlook.com which is our ActiveSync service that then points to our internal Exchange server.

External users who have been able to connect after entering the settings in manually are prompted with a login credentials box every 6-8 minutes which says connecting to joe.doe@domain.com.

We are using Exchange server 2010 with an external facing Outlook Web Access server on owa.domain.com which has SANs that include the internal domain name of our exchange server as well as autodiscover.domain.com. The only SAN that is missing is the root domain for the SMTP address.
entuityadmin Asked:

Trent Smith Commented:
I would strongly advise you not to put a pointer in place and fix the autodiscover resolution instead. It can be a bit tricky and it takes a few extra steps, but the thing is you won't have to go through this headache in the future if you fix it right the first time. I have used this article on MSExchange.org many times and it has worked well for me.

http://www.msexchange.org/articles-tutorials/exchange-server-2010/management-administration/exchange-autodiscover.html
entuityadmin (Author) Commented:
Thanks, I came across this article before, which was useful. The only difference I see is within the Autodiscover under Sites and Services: we only have a serviceconnectionpoint that goes to the internal server name, not sure if we would need an entry for the address of our external facing OWA server?

The point from autodiscover.entuity.com to autodiscover.outlook.com is a requirement from Office 365 which classes it as an issue when it was originally pointing to our OWA server. Though, I'm not sure if this is making any difference.

The area I'm struggling to understand at the moment is how these settings will affect the root domain of the e-mail address, as this is a completely separate site that is used for our website using a third party proxy host with their own certificates. So I'm not sure how we are to get Outlook to find the autodiscover XML file from a website that will not store this information; the server we would probably want to look at would be a subdomain of this domain.com, i.e. owa.domain.com. Thus I'm unsure how Outlook is to find our OWA server for these settings without using some form of external DNS that points autodiscover.domain.com to this.
Trent Smith Commented:
Do you have a certificate for the site?
Trent Smith Commented:
Please be aware that this is the (Internet facing) Client Access Server. So besides the normal Outlook Web Access URL like https://webmail.exchange14.nl the same Client Access Server is also contacted using https://autodiscover.exchange14.nl. This is exactly the reason a Unified Communications (UC) or SAN certificate is needed. SAN is an abbreviation for Subject Alternative Names (and has nothing to do with your storage solution BTW). A SAN certificate contains besides the standard name other names as well. According to Microsoft knowledge base article 929395 the following UC certificate partners are officially supported:

Entrust - http://www.entrust.net/microsoft/
Comodo - http://www.comodo.com/msexchange
DigiCert - http://www.digicert.com/unified-communications-ssl-tls.htm
There are more 3rd party vendors for UC certificates and these certificates work fine as well, but the three above are officially supported by Microsoft.

You can check your certificate by browsing to the Outlook Web App site and request the properties of the certificate:
entuityadmin (Author) Commented:
The internet facing OWA server has a certificate that contains:

DNS Name=owa.entuity.com
DNS Name=www.owa.entuity.com
DNS Name=entlonex06.entuity.local
DNS Name=autodiscover.entuity.com
DNS Name=legacy.entuity.com

So, it contains the root domain e-mail which is entuity.com and also the autodiscover for this domain.

The entuity.com domain has a different certificate but does contain entlonex06.entuity.local and owa.entuity.com
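
As an added example (not part of the original thread), the sketch below checks the SAN list posted above against the two HTTPS hosts Outlook derives from an SMTP address, in the order it tries them. The mailbox joe.doe@entuity.com is constructed, and treating `.local` as the internal-only suffix is an assumption.

```python
# Added example: which Autodiscover HTTPS hosts does a certificate cover?
# SAN list copied from the thread; the mailbox address is constructed.

OWA_CERT_SANS = [
    "owa.entuity.com",
    "www.owa.entuity.com",
    "entlonex06.entuity.local",
    "autodiscover.entuity.com",
    "legacy.entuity.com",
]


def autodiscover_hosts(email):
    """HTTPS hosts Outlook derives from the SMTP domain, in lookup order."""
    domain = email.rsplit("@", 1)[1].lower().rstrip(".")
    return [domain, "autodiscover." + domain]


def san_matches(host, san):
    """Exact match, or a wildcard that stands for exactly one leftmost label."""
    host, san = host.lower().rstrip("."), san.lower().rstrip(".")
    if san.startswith("*."):
        first_label, _, rest = host.partition(".")
        return bool(first_label) and rest == san[2:]
    return host == san


def coverage(email, sans):
    """Map each Autodiscover host to the SAN that covers it, or None."""
    result = {}
    for host in autodiscover_hosts(email):
        result[host] = next((s for s in sans if san_matches(host, s)), None)
    return result


def internal_only_names(sans, suffixes=(".local",)):
    """SANs external clients cannot resolve (suffix list is an assumption)."""
    return [s for s in sans if s.lower().endswith(suffixes)]


if __name__ == "__main__":
    for host, san in coverage("joe.doe@entuity.com", OWA_CERT_SANS).items():
        url = "https://%s/autodiscover/autodiscover.xml" % host
        print(url, "->", san or "no matching SAN in this certificate")
    print("internal-only SANs:", internal_only_names(OWA_CERT_SANS))
```

A host that maps to `None` is one where this certificate, if presented, would fail the client's name check.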
Trent Smith Commented:
OK, let's step back and attack this from another angle. Has this problem just started or has it been an ongoing issue?
Are all the users able to log in to the OWA?
entuityadmin (Author) Commented:
Sure, so this problem started occurring around the time a new domain controller was promoted and another reconfigured. The one that was reconfigured was a global catalog server which is now hosted on the newer domain controller. Looking at exchange, the global catalog server is set to the new domain controller which is working normally.

On an iPhone, I am able to autodiscover the settings just using the e-mail address and password of the domain user account. Users are able to log in to the OWA. On Android clients, this does not work and in some cases will not work with the correct settings when added manually.
Trent Smith Commented:
Have you checked the Authentication of the IIS services? This could be part of the issue.
entuityadmin (Author) Commented:
Checked this earlier to see what authentication was being used and seemed to match the settings I use.

Under default website of the Exchange server:
Autodiscover: Anonymous, basic, windows authentication
EWS: Anonymous, basic, windows authentication
owa: Basic authentication
Rpc: Basic authentication

Outlook client is set to negotiate and under Outlook Access Anywhere is set to use basic authentication.
Trent Smith Commented:
Try turning off your Windows Authentication for Autodiscover and EWS.
entuityadmin (Author) Commented:
When I turned off Windows Authentication for Autodiscover and EWS, one of our users internally got the password prompt. When I deleted my profile and tried to add my account, I also got the login box. Enabling these again has stopped this.
Trent Smith Commented:
OK. Have you used domain\username format to authenticate on the Android devices?
entuityadmin (Author) Commented:
Just tested on an Android device and this works after manually changing the Exchange server settings. It defaults to entuity.com as the root domain which doesn't use the same certificate. Changing it to owa.entuity.com and then using domain\username works.
Trent Smith Commented:
That seems to be typical on Android devices. Sorry, I thought you were having this issue on a broad scale.
entuityadmin (Author) Commented:
The login prompt appears to just be affecting the Outlook client on our Windows machines, externally. I have my exchange account on my iPhone which does not prompt for logins.
younghv Commented:
I've requested that this question be deleted for the following reason:

Not enough information to confirm an answer.
Question has a verified solution.