How do you fix Autodiscover.xml on Exchange Server 2013?

I have just taken over a bad Exchange migration from 2010 to 2013. Autodiscover has never worked. I am a remote support tech and I have access to a local PC and to Exchange. I cannot get Autodiscover to work anywhere.
Thanks in advance

This is my final output from the Exchange Connectivity test:

The Microsoft Connectivity Analyzer is attempting to retrieve an XML Autodiscover response from URL https://autodiscover.MYDOMAN.com:443/Autodiscover/Autodiscover.xml for user USER@MYDOMAIN.com.
The Microsoft Connectivity Analyzer failed to obtain an Autodiscover XML response.

Additional Details

Exception details:
Message: The underlying connection was closed: An unexpected error occurred on a receive.
Type: System.Net.WebException
Stack trace:
at System.Net.HttpWebRequest.GetResponse()
at Microsoft.Exchange.Tools.ExRca.Extensions.RcaHttpRequest.GetResponse()
Exception details:
Message: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host.
Type: System.IO.IOException
Stack trace:
at System.Net.Sockets.NetworkStream.Read(Byte[] buffer, Int32 offset, Int32 size)
at System.Net.FixedSizeReader.ReadPacket(Byte[] buffer, Int32 offset, Int32 count)
at System.Net.Security._SslStream.StartFrameHeader(Byte[] buffer, Int32 offset, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security._SslStream.StartReading(Byte[] buffer, Int32 offset, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security._SslStream.ProcessRead(Byte[] buffer, Int32 offset, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.TlsStream.Read(Byte[] buffer, Int32 offset, Int32 size)
at System.Net.PooledStream.Read(Byte[] buffer, Int32 offset, Int32 size)
at System.Net.Connection.SyncRead(HttpWebRequest request, Boolean userRetrievedStream, Boolean probeRead)
Exception details:
Message: An existing connection was forcibly closed by the remote host
Type: System.Net.Sockets.SocketException
Stack trace:
at System.Net.Sockets.NetworkStream.Read(Byte[] buffer, Int32 offset, Int32 size)
Elapsed Time: 2496 ms.
jeremy shawWannabe GeekAsked:
timgreen7077Exchange EngineerCommented:
Do you know if there is an external autodiscover record pointing to their exchange server? If not you will need to create an autodiscover A record.

Also set up an autodiscover A record on the client's internal DNS pointing to all the Exchange 2016 servers that will handle the autodiscover requests.
0
Jose Gabriel Ortega CEE Solution Guide - CEO Faru Bonon ITCommented:
1st thing:
Are you using a local CA or a public CA?

Then check the virtual entry points (called SCP) with this script:
https://gallery.technet.microsoft.com/office/Script-to-configure-the-5a58558b with the -get option.

You should see the correct URL in all:
https://autodiscover.MYDOMAN.com:443/Autodiscover/Autodiscover.xml

If you don't see it, run the script with the options -set -urlpath "https://mail.MYDOMAN.com"
Since HTTPS goes over port 443, you don't need to specify it again in there.

Also post the result of this command in the Exchange PS console:
Get-ExchangeCertificate

And make sure to hide the thumbprints.
0
jeremy shawWannabe GeekAuthor Commented:
Hello and thanks for your help.
It is a public CA.
The results of your script do return the proper URL.

[PS] C:\Windows\system32>Get-ExchangeCertificate

   Services   Subject
   --------   -------
*  ....S..    CN=mx.MYDOMAIN.com
*  IP.WS..    CN=mx.MYDOMAIN.com, OU=Domain Control Validated
*  ....S..    CN=Microsoft Exchange Server Auth Certificate
*  .......    CN=WMSvc-LOCALHOST
0
jeremy shawWannabe GeekAuthor Commented:
Hello, I do have the A record in place.
0
timgreen7077Exchange EngineerCommented:
Is the A record internal, external or both? Also if External is it pointing to the external IP of your exchange server or load balancer that handles autodiscover requests?
0
jeremy shawWannabe GeekAuthor Commented:
Hello, and thank you.
I do have an internal A record for DNS and we have one setup externally as well. Internal points to internal and external points to external.
0
Robert PraschSenior NOC EngineerCommented:
Go to your ECP Control Panel and check how the external access is set up.

ECP - Virtual Directory [Configure External Access]
0
jeremy shawWannabe GeekAuthor Commented:
I cannot log in to the autodiscover.xml URL. When attempting to log in, it just hangs and takes me back to the login.
Thanks again.
0
timgreen7077Exchange EngineerCommented:
Are internal and external pointing to exchange 2016?
Also run the below cmdlets and let us know the output:

Get-ClientAccessService -Identity "exchangeserver" | fl AutodiscoverServiceInternalURI
Get-WebServicesVirtualDirectory -Server "exchangeserver" | ft InternalURL, ExternalURL
0
Robert PraschSenior NOC EngineerCommented:
Are you able to telnet to port 443 using the A record? Also you should be able to connect to it if you have local access to the server using http:server fqdn/ecp.

Apologies, just trying to understand more about the environment.
0
jeremy shawWannabe GeekAuthor Commented:
Capture.PNG
0
jeremy shawWannabe GeekAuthor Commented:
Capture.PNG
0
jeremy shawWannabe GeekAuthor Commented:
I am so grateful for all the assistance and I am focused only on this issue.  THANKS VERY MUCH!
0
jeremy shawWannabe GeekAuthor Commented:
Hi and thanks again.
It is Exchange 2013.  I cannot run the Get-ClientAccessService command.


[PS] C:\Windows\system32>Get-WebServicesVirtualDirectory -Server BL-EXCH2013 | ft InternalURL, ExternalURL

InternalUrl                                                 ExternalUrl
-----------                                                 -----------
https://mx.DOMINAN.com/ews/exchange.asmx                 https://mx.DOMAIN.com/ews/exchange.asmx
0
timgreen7077Exchange EngineerCommented:
Run it as get-clientaccessserver
0
timgreen7077Exchange EngineerCommented:
Also answer my questions about the internal and external A records.
0
jeremy shawWannabe GeekAuthor Commented:
Hello and thanks again:

[PS] C:\Windows\system32>Get-ClientAccessServer -Identity BL-EXCH2013 | fl AutodiscoverServiceInternalURI

AutoDiscoverServiceInternalUri : https://mx.DOMAIN.com/Autodiscover/Autodiscover.xml

Internal and external A records for Autodiscover are pointing to exchange server
0
jeremy shawWannabe GeekAuthor Commented:
Cannot telnet to port 443
0
Jose Gabriel Ortega CEE Solution Guide - CEO Faru Bonon ITCommented:
Open port 443 on the firewall :) Maybe that is the whole issue, because it should be open in the internal firewall of Windows Server.
0
jeremy shawWannabe GeekAuthor Commented:
Thank you.

The firewall is off on the internal Exchange server.
0
Robert PraschSenior NOC EngineerCommented:
Jeremy,

Do you have a firewall allowing access to the Exchange server through port 443? Also, is it just the one server acting as a mailbox/client access server or are there multiple servers involved?

The first thing we need to ensure is that port 443 is accessible through your client access server; this could either be a firewall issue or the port is not bound properly in IIS to 443.

Is there a hardware firewall involved and does your external A record have proper one-to-one NAT?
0
jeremy shawWannabe GeekAuthor Commented:
I can get to the OWA and ECP through HTTPS no problem.
They actually have configured and working clients, but they won't let me see a working client to see how it is configured.
When I try to connect using autodiscover with Outlook 365, it gives me a certificate warning for a cert we don't even have applied to our Exchange server.
Internally, when I try to connect with Outlook 2013, it gives me a pop-up that Exchange is unavailable.

Thanks
0
Robert PraschSenior NOC EngineerCommented:
Office 365 testing may show a different certificate as it will check your root domain first such as domain.com and at that point you may get a certificate for the domain website such as *.wpengine.com

Have you confirmed all Exchange services are running on the Mailbox/CAS server?
0
jeremy shawWannabe GeekAuthor Commented:
Hello, yes. IMAP and POP are disabled, otherwise all services are running.
0
Jose Gabriel Ortega CEE Solution Guide - CEO Faru Bonon ITCommented:
I guess that if all of the tries fail you can get a 5 min check or a paid service from any of us to get that done. I think you can try to connect and, when it fails, check in the Event Viewer on the server. That would give you some light. Also you can use any of these scripts:
graphical: https://gallery.technet.microsoft.com/scriptcenter/Histogram-Analysis-of-16c3ee3c
html: https://gallery.technet.microsoft.com/office/Get-event-logs-errors-and-6871f163
0
jeremy shawWannabe GeekAuthor Commented:
Here is what I get in the event logs when I try to log in to https://mx.domain.com/autodiscover/autodiscover.xml:

Removal of permissions from process "c:\windows\system32\inetsrv\w3wp.exe" (PID=13012, LABEL=MSExchangeAutodiscoverAppPool) failed with error code 0x80070005.
0
Jose Gabriel Ortega CEE Solution Guide - CEO Faru Bonon ITCommented:
Run an antivirus:
https://www.malwarebytes.com/

And reapply permissions to that folder.

Looks like you got a virus that changed your permissions on the folders.
System, full control
Trusted Exchange Subsystem, full control
0
jeremy shawWannabe GeekAuthor Commented:
I have fixed it!!!!
The backend server Autodiscover was configured with a domain user name instead of using pass-through authentication.
Changed to pass-through, IIS reset and all is working!!!!!
Thanks to everyone for your help, but this was a nutty one.
CHEERS!
1
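
The fix reported above was switching the back-end Autodiscover virtual directory from a stored domain account to pass-through authentication. As an added example (not part of the original thread), this PowerShell script lists every IIS virtual directory in applicationHost.config that carries a stored "Connect as" user name; the embedded sample XML is constructed, and its site name, paths and account are assumptions based on the standard Exchange 2013 "Exchange Back End" site.

```powershell
# Added example: find IIS virtual directories that use a stored "Connect as"
# account instead of pass-through authentication.
param(
    # Standard IIS configuration store; pass another path to audit a copy.
    [string]$ConfigPath = "$env:windir\System32\inetsrv\config\applicationHost.config"
)

# Constructed sample, used only when the file above is absent (off-server run).
# Site, pool and account names are illustrative assumptions.
$sample = @'
<configuration><system.applicationHost><sites>
  <site name="Exchange Back End" id="2">
    <application path="/Autodiscover" applicationPool="MSExchangeAutodiscoverAppPool">
      <virtualDirectory path="/" physicalPath="C:\Sample\ClientAccess\Autodiscover"
                        userName="EXAMPLE\someuser" password="[constructed-placeholder]" />
    </application>
    <application path="/EWS" applicationPool="MSExchangeServicesAppPool">
      <virtualDirectory path="/" physicalPath="C:\Sample\ClientAccess\exchweb\EWS" />
    </application>
  </site>
</sites></system.applicationHost></configuration>
'@

function Get-FixedCredentialVDir {
    param([xml]$Config)
    # A non-empty userName attribute means a specific user is configured;
    # no attribute means application user (pass-through authentication).
    $xpath = "//sites/site/application/virtualDirectory[@userName != '']"
    foreach ($vdir in $Config.SelectNodes($xpath)) {
        $app  = $vdir.ParentNode
        $site = $app.ParentNode
        [pscustomobject]@{
            Site        = $site.GetAttribute('name')
            Application = $app.GetAttribute('path')
            VDirPath    = $vdir.GetAttribute('path')
            AppPool     = $app.GetAttribute('applicationPool')
            ConnectAs   = $vdir.GetAttribute('userName')
        }
    }
}

if (Test-Path $ConfigPath) { $raw = Get-Content -Raw $ConfigPath } else { $raw = $sample }
Get-FixedCredentialVDir -Config ([xml]$raw) | Format-Table -AutoSize
```

Any row returned for an Exchange application is worth reviewing, since a stored account whose password or permissions later change will break that virtual directory while the others keep working.
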
jeremy shawWannabe GeekAuthor Commented:
To all who tried to assist: Sorry if I marked any of this wrong, but nobody ever suggested going and checking permissions in IIS... Let me know next time you are in Irvine, CA and I will buy you lunch to show my gratitude for trying to assist.
2
Autodiscover service

Question has a verified solution.