How do you fix Autodiscover.xml on Exchange Server 2013?

I have just taken over a bad Exchange migration from 2010 to 2013. Autodiscover has never worked. I am a remote support tech and I have access to a local PC and to Exchange. I cannot get Autodiscover to work anywhere.
Thanks in advance

This is my final output from the Exchange Connectivity test:

The Microsoft Connectivity Analyzer is attempting to retrieve an XML Autodiscover response from URL for user
       The Microsoft Connectivity Analyzer failed to obtain an Autodiscover XML response.
      Additional Details
Exception details:
Message: The underlying connection was closed: An unexpected error occurred on a receive.
Type: System.Net.WebException
Stack trace:
at System.Net.HttpWebRequest.GetResponse()
at Microsoft.Exchange.Tools.ExRca.Extensions.RcaHttpRequest.GetResponse()
Exception details:
Message: Unable to read data from the transport connection: An existing connection was forcibly closed by the remote host.
Type: System.IO.IOException
Stack trace:
at System.Net.Sockets.NetworkStream.Read(Byte[] buffer, Int32 offset, Int32 size)
at System.Net.FixedSizeReader.ReadPacket(Byte[] buffer, Int32 offset, Int32 count)
at System.Net.Security._SslStream.StartFrameHeader(Byte[] buffer, Int32 offset, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security._SslStream.StartReading(Byte[] buffer, Int32 offset, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.Security._SslStream.ProcessRead(Byte[] buffer, Int32 offset, Int32 count, AsyncProtocolRequest asyncRequest)
at System.Net.TlsStream.Read(Byte[] buffer, Int32 offset, Int32 size)
at System.Net.PooledStream.Read(Byte[] buffer, Int32 offset, Int32 size)
at System.Net.Connection.SyncRead(HttpWebRequest request, Boolean userRetrievedStream, Boolean probeRead)
Exception details:
Message: An existing connection was forcibly closed by the remote host
Type: System.Net.Sockets.SocketException
Stack trace:
at System.Net.Sockets.NetworkStream.Read(Byte[] buffer, Int32 offset, Int32 size)
Elapsed Time: 2496 ms.
Asked by: jeremy shaw (Wannabe Geek)
timgreen7077 (Exchange Engineer) commented:
Do you know if there is an external autodiscover record pointing to their Exchange server? If not, you will need to create an autodiscover A record.

Also set up an autodiscover A record on the client's internal DNS pointing to all the Exchange 2016 servers that will handle the autodiscover requests.
Jose Gabriel Ortega Castro (CEO Faru Bonon IT - EE Solution Expert) commented:
1st thing.
Are you using a local CA or a public CA?

Check the virtual entry points (called SCP) with this script: with the -get option.

You should see the correct URL in all.

If you don't see it, run the script with the options -set -urlpath ""
Since HTTPS goes over port 443, you don't need to specify it again in there.

Also post the result of this command in the Exchange PS console:

And make sure to hide the thumbprints.
jeremy shaw (Wannabe Geek, Author) commented:
Hello and thanks for your help.
It is a public CA.
The results of your script do return the proper URL.

[PS] C:\Windows\system32>Get-ExchangeCertificate

                                Services   Subject
                          --------   -------
*  ....S..
*  IP.WS.., OU=Domain Control Validated
*  ....S..    CN=Microsoft Exchange Server Auth Certificate
*  .......    CN=WMSvc-LOCALHOST
jeremy shaw (Wannabe Geek, Author) commented:
Hello, I do have the A record in place.
timgreen7077 (Exchange Engineer) commented:
Is the A record internal, external or both? Also, if external, is it pointing to the external IP of your Exchange server or load balancer that handles autodiscover requests?
jeremy shaw (Wannabe Geek, Author) commented:
Hello, and thank you.
I do have an internal A record for DNS and we have one set up externally as well. Internal points to internal and external points to external.
Robert Prasch (Senior NOC Engineer) commented:
Go to your ECP Control Panel and check how the external access is set up.

ECP - Virtual Directory [Configure External Access]
jeremy shaw (Wannabe Geek, Author) commented:
I cannot log in to the autodiscover.xml URL. When attempting to log in it just hangs and takes me back to login.
Thanks again.
timgreen7077 (Exchange Engineer) commented:
Are internal and external pointing to Exchange 2016?
Also run the below cmdlets and let us know the output:

Get-ClientAccessService -Identity "exchangeserver" | fl AutodiscoverServiceInternalURI
Get-WebServicesVirtualDirectory -Server "exchangeserver" | ft InternalURL, ExternalURL
Robert Prasch (Senior NOC Engineer) commented:
Are you able to telnet to port 443 on using the A record? Also you should be able to connect to it if you have local access to the server using http:server fqdn/ecp.

Apologies, just trying to understand more about the environment.
jeremy shaw (Wannabe Geek, Author) commented:
I am so grateful for all the assistance and I am focused only on this issue. THANKS VERY MUCH!
jeremy shaw (Wannabe Geek, Author) commented:
Hi and thanks again.
It is Exchange 2013.  I cannot run the Get-ClientAccessService command.

[PS] C:\Windows\system32>Get-WebServicesVirtualDirectory -Server BL-EXCH2013 | ft InternalURL, ExternalURL

InternalUrl                                                 ExternalUrl
-----------                                                 -----------       
timgreen7077 (Exchange Engineer) commented:
Run it as get-clientaccessserver
timgreen7077 (Exchange Engineer) commented:
Also answer my questions about the internal and external A records.
jeremy shaw (Wannabe Geek, Author) commented:
Hello and thanks again:

[PS] C:\Windows\system32>Get-ClientAccessServer -Identity BL-EXCH2013 | fl AutodiscoverServiceInternalURI

AutoDiscoverServiceInternalUri :

Internal and external A records for Autodiscover are pointing to the Exchange server.
jeremy shaw (Wannabe Geek, Author) commented:
Cannot telnet to port 443.
Jose Gabriel Ortega Castro (CEO Faru Bonon IT - EE Solution Expert) commented:
Open port 443 on the firewall :) Maybe that is the whole issue, because it should be open in the internal firewall of Windows Server.
jeremy shaw (Wannabe Geek, Author) commented:
Thank you.

The firewall is off on the internal Exchange server.
Robert Prasch (Senior NOC Engineer) commented:

Do you have a firewall allowing access to the Exchange server through port 443? Also, is it just the one server acting as a mailbox/client access server or are there multiple servers involved?

The first thing we need to ensure is that port 443 is accessible through your client access server; this could either be a firewall issue or the port is not bound properly in IIS to 443.

Is there a hardware firewall involved and does your external A record have proper one-to-one NAT?
jeremy shaw (Wannabe Geek, Author) commented:
I can get to the OWA and ECP through https no problem.
They actually have configured and working clients but they won't let me see a working client to see how it is configured.
When I try to connect using autodiscover with Outlook 365 it gives me a certificate warning for a cert we don't even have applied to our Exchange server.
Internally, when I try to connect with Outlook 2013 it gives me a pop-up that Exchange is unavailable.

Robert Prasch (Senior NOC Engineer) commented:
Office 365 testing may show a different certificate as it will check your root domain first such as and at that point you may get a certificate for the domain website such as *

Have you confirmed all Exchange services are running on the Mailbox/CAS server?
jeremy shaw (Wannabe Geek, Author) commented:
Hello, yes. IMAP and POP are disabled, otherwise all services are running.
Jose Gabriel Ortega Castro (CEO Faru Bonon IT - EE Solution Expert) commented:
I guess that if all of the tries fail you can get a 5 min check or a paid service of any of us to get that done. I think you can try to connect and when it fails check in the event viewer on the server. That would give you lights; also you can use any of these scripts
jeremy shaw (Wannabe Geek, Author) commented:
Here is what I get in the event logs when I try to log in to https://mx.domain.com/autodiscover/autodiscover.xml:

Removal of permissions from process "c:\windows\system32\inetsrv\w3wp.exe" (PID=13012, LABEL=MSExchangeAutodiscoverAppPool) failed with error code 0x80070005.
Jose Gabriel Ortega Castro (CEO Faru Bonon IT - EE Solution Expert) commented:
Run an antivirus:

And reapply permissions to that folder.

Looks like you got a virus that changed your permissions on the folders.
System, full control
Trusted Exchange Subsystem, full control
jeremy shaw (Wannabe Geek, Author) commented:
I have fixed it!!!!
The backend server Autodiscover was configured with a domain user name instead of using pass-through authentication.
Changed to pass-through, IIS reset and all is working!!!!!
Thanks to everyone for your help, but this was a nutty one.
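
The misconfiguration described in the fix above (a stored domain user on the backend Autodiscover virtual directory instead of pass-through authentication) can be checked for directly. The following is an added example, not part of the original thread: it assumes the IIS configuration store is at its default path and is run from an elevated PowerShell session on the Exchange server, and it only reads the file.

```powershell
# Added example: report which IIS virtual directories use a stored "connect as"
# user instead of pass-through authentication. Read-only; run elevated.

# Default location of the IIS configuration store (assumed not relocated).
$configPath = Join-Path $env:windir 'System32\inetsrv\config\applicationHost.config'
[xml]$config = Get-Content -LiteralPath $configPath -Raw

$report = foreach ($site in $config.SelectNodes('/configuration/system.applicationHost/sites/site')) {
    foreach ($app in $site.SelectNodes('application')) {
        foreach ($vdir in $app.SelectNodes('virtualDirectory')) {
            # userName is absent (returned as an empty string) when the virtual
            # directory uses pass-through authentication. The password
            # attribute is deliberately never read.
            $user = $vdir.GetAttribute('userName')
            [pscustomobject]@{
                Site         = $site.GetAttribute('name')
                Application  = $app.GetAttribute('path')
                VirtualDir   = $vdir.GetAttribute('path')
                PhysicalPath = $vdir.GetAttribute('physicalPath')
                ConnectAs    = if ($user) { $user } else { '(pass-through)' }
                StoredUser   = [bool]$user
            }
        }
    }
}

# Entries with a stored user first: those are the ones to review.
$report | Sort-Object -Property StoredUser -Descending | Format-Table -AutoSize -Wrap
```

A row with StoredUser set to True for an Autodiscover application matches what the author found; a stored account there also means the virtual directory stops working if that account's password changes or the account is disabled.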

jeremy shaw (Wannabe Geek, Author) commented:
To all who tried to assist: Sorry if I marked any of this wrong, but nobody ever suggested going and checking permissions in IIS... Let me know next time you are in Irvine, CA and I will buy you lunch to show my gratitude for trying to assist.