Solved

Autodiscover not working when outside the organization

Posted on 2016-11-15
Last Modified: 2016-11-16
I have a client who has an Exchange 2013 server. When they are on their TS, Outlook works just fine. But if they try to connect when they are outside the organization, they cannot. So I ran the Connectivity check and I get several errors:



Attempting the Autodiscover and Exchange ActiveSync test (if requested).
  Testing of Autodiscover for Exchange ActiveSync failed.
Attempting each method of contacting the Autodiscover service.
  The Autodiscover service couldn't be contacted successfully by any method.
Attempting to test potential Autodiscover URL https://contoso.no:443/Autodiscover/Autodiscover.xml
  Testing of this potential Autodiscover URL failed.
Attempting to resolve the host name contoso.no in DNS.
  The host name resolved successfully.
Testing TCP port 443 on host contoso.no to ensure it's listening and open.
  The port was opened successfully.
Testing the SSL certificate to make sure it's valid.
  The SSL certificate failed one or more certificate validation checks.
  Elapsed Time: 454 ms.
The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server contoso.no on port 443.
  The Microsoft Connectivity Analyzer successfully obtained the remote SSL certificate.
Validating the certificate name.
  Certificate name validation failed.
Attempting to test potential Autodiscover URL https://autodiscover.contoso.no:443/Autodiscover/Autodiscover.xml
  Testing of this potential Autodiscover URL failed.
Attempting to resolve the host name autodiscover.contoso.no in DNS.
  The host name resolved successfully.
Testing TCP port 443 on host autodiscover.contoso.no to ensure it's listening and open.
  The port was opened successfully.
  Elapsed Time: 230 ms.
Testing the SSL certificate to make sure it's valid.
  The SSL certificate failed one or more certificate validation checks.
  Elapsed Time: 455 ms.
The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server autodiscover.contoso.no on port 443.
  The Microsoft Connectivity Analyzer successfully obtained the remote SSL certificate.
  Remote Certificate Subject: CN=*.iterumasp.no, OU=Domain Control Validated, Issuer: CN=Go Daddy Secure Certificate Authority - G2, OU=http://certs.godaddy.com/repository/, O="GoDaddy.com, Inc.", L=Scottsdale, S=Arizona, C=US.
  Elapsed Time: 431 ms.
Validating the certificate name.
  Certificate name validation failed.
  Host name autodiscover.contoso.no doesn't match any name found on the server certificate CN=*.iterumasp.no, OU=Domain Control Validated.
  Elapsed Time: 0 ms.
Attempting to contact the Autodiscover service using the HTTP redirect method.
  The attempt to contact Autodiscover using the HTTP Redirect method failed.
Attempting to resolve the host name autodiscover.contoso.no in DNS.
  The host name resolved successfully.
  IP addresses returned: 188.92.82.137
  Elapsed Time: 7 ms.
Testing TCP port 80 on host autodiscover.contoso.no to ensure it's listening and open.
  The specified port is either blocked, not listening, or not producing the expected response.
  A network error occurred while communicating with the remote host.
  Elapsed Time: 1688 ms.
Attempting to contact the Autodiscover service using the DNS SRV redirect method.
  The Microsoft Connectivity Analyzer failed to contact the Autodiscover service using the DNS SRV redirect method.
  Elapsed Time: 2 ms.
Attempting to locate SRV record _autodiscover._tcp.contoso.no in DNS.
  The Autodiscover SRV record wasn't found in DNS.
  Elapsed Time: 2 ms.


The DNS is configured like this:

Name      Type      Content      Priority      TTL
autodiscover.contoso.no      CNAME      domain.ispvendor.no             3600
mx.contoso.no      A      192.168.100.100             600
oldaepost.contoso.no      TXT      "192.168.100.200"             7200
oldmail.contoso.no      TXT      "192.168.100.300"             7200
oldmx10.contoso.no      TXT      "email.contoso.no."             7200
contoso.no      SOA      ns1.idium.net. hostmaster.idium.net. 2016101700 86400 900 1814400 3600             7200
contoso.no      NS      ns1.idium.net             7200
contoso.no      NS      ns2.idium.net             7200
contoso.no      MX      gw1.security.comendo.com      10      1200
contoso.no      MX      gw1.security.comendo.com      20      1200
contoso.no      A      192.168.100.800                   7200
www.contoso.no      CNAME      contoso.no


I'm not sure if the problem is DNS or Certificate, any tip?
Question by:Tomas Bjerved

Expert Comment

by:Akhater
The certificate you have on Exchange is *.iterumasp.no and your autodiscover is autodiscover.contoso.no; this won't work for you.

You need to change the certificate on your Exchange server to include your autodiscover.

Author Comment

by:Tomas Bjerved
Ah, I forgot to change this detail. The iterumasp.no is part of the network, the contoso is actually pointing to this address.

Accepted Solution

by:LesterClayton (earned 500 total points)
Without knowing your actual domain, it's hard for me to verify this, but autodiscover will not work using any of the first 3 methods if your ISP uses a wildcard certificate (*.iterumasp.no), and this is not your actual mail domain.  You need to create SRV records to point to your autodiscover server for it to be considered valid.  The 4th test - SRV records - will need to succeed.

In which case your SRV record should look like this:

_autodiscover._tcp.contoso.no        SRV service location:
          priority       = 0
          weight         = 0
          port           = 443
          svr hostname   = something.iterumasp.no
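
The lookup order from the analyzer output and the SRV record proposed above, modeled offline as an added example (not part of the original thread or any poster's code). The address user@contoso.no, the function names and the simplified one-label wildcard rule are assumptions; the certificate subject and the SRV target are the ones quoted in the thread.

```python
# Added example: offline model of the Autodiscover lookup order shown in the
# analyzer output, with the certificate name check applied at each step.
# All data is constructed from names quoted in the thread; nothing is resolved.

def name_matches(host, pattern):
    """Certificate name check: '*' stands for exactly one left-most label."""
    h = host.lower().rstrip(".").split(".")
    p = pattern.lower().rstrip(".").split(".")
    if len(h) != len(p):
        return False          # *.example does not cover example or a.b.example
    if p[0] == "*":
        return h[1:] == p[1:]
    return h == p

def cert_valid_for(host, cert_names):
    return any(name_matches(host, n) for n in cert_names)

def autodiscover_trace(email, cert_names, srv=None, http_redirect=None):
    """Return [(method, host, result)] in the order the analyzer tries them.

    srv: dict of SRV owner name -> (priority, weight, port, target)
    http_redirect: host the port-80 redirect points to, None if blocked
    """
    domain = email.rsplit("@", 1)[1].lower()
    record = (srv or {}).get("_autodiscover._tcp." + domain)
    steps = [
        ("root domain", domain),
        ("autodiscover host", "autodiscover." + domain),
        ("HTTP redirect", http_redirect),
        ("DNS SRV", record[3] if record else None),
    ]
    trace = []
    for method, host in steps:
        if host is None:
            trace.append((method, None, "not available"))
        elif cert_valid_for(host, cert_names):
            trace.append((method, host, "ok"))
        else:
            trace.append((method, host, "certificate name mismatch"))
    return trace

def first_usable(trace):
    return next((host for _, host, result in trace if result == "ok"), None)

CERT_NAMES = ["*.iterumasp.no"]  # subject reported by the analyzer
SRV = {"_autodiscover._tcp.contoso.no": (0, 0, 443, "something.iterumasp.no")}

if __name__ == "__main__":
    for srv in (None, SRV):      # before and after adding the SRV record
        trace = autodiscover_trace("user@contoso.no", CERT_NAMES, srv=srv)
        for row in trace:
            print(row)
        print("usable endpoint:", first_usable(trace))
```

The SRV method works because the client validates the certificate against the SRV target name, which sits under the wildcard, rather than against a name in the mail domain.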

Expert Comment

by:Akhater
autodiscover.iterumasp.no does not exist. Your mail domain is not @iterumasp.no, is it?

Lester's proposition will also work.

Author Closing Comment

by:Tomas Bjerved
After checking in the DNS settings we see that this record is needed.