Hybrid AutoDiscover issue

Kundan Gupta
Does anyone have a suggestion on the below and how to fix it? This is an Office 365 hybrid server.

The Microsoft Connectivity Analyzer is attempting to test Autodiscover for email@domain.com.
       Testing Autodiscover failed.
       
      Additional Details
       
Elapsed Time: 47185 ms.
       
      Test Steps
       
      Attempting each method of contacting the Autodiscover service.
       The Autodiscover service couldn't be contacted successfully by any method.
       
      Additional Details
       
Elapsed Time: 47185 ms.
       
      Test Steps
       
      Attempting to test potential Autodiscover URL https://domain.com:443/Autodiscover/Autodiscover.xml
       Testing of this potential Autodiscover URL failed.
       
      Additional Details
       
Elapsed Time: 971 ms.
       
      Test Steps
       
      Attempting to resolve the host name domain.com in DNS.
       The host name resolved successfully.
       
      Additional Details
       
IP addresses returned: 54.252.148.134
Elapsed Time: 133 ms.
      Testing TCP port 443 on host domain.com to ensure it's listening and open.
       The port was opened successfully.
       
      Additional Details
       
Elapsed Time: 210 ms.
      Testing the SSL certificate to make sure it's valid.
       The SSL certificate failed one or more certificate validation checks.
       
      Additional Details
       
Elapsed Time: 627 ms.
       
      Test Steps
       
      The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server domain.com on port 443.
       The Microsoft Connectivity Analyzer successfully obtained the remote SSL certificate.
       
      Additional Details
       
Elapsed Time: 595 ms.
      Validating the certificate name.
       Certificate name validation failed.
       
      Additional Details
       
Host name domain.com doesn't match any name found on the server certificate CN=businesscatalyst.com, OU=Hosting Services, O=Adobe Systems Incorporated, L=San Jose, S=California, C=US.
Elapsed Time: 1 ms.
      Attempting to test potential Autodiscover URL https://autodiscover.domain.com:443/Autodiscover/Autodiscover.xml
       Testing of this potential Autodiscover URL failed.
       
      Additional Details
       
Elapsed Time: 4095 ms.
       
      Test Steps
       
      Attempting to resolve the host name autodiscover.domain.com in DNS.
       The host name resolved successfully.
       
      Additional Details
       
IP addresses returned: 13.XXX.XXX.XXX, 13.XXX.XX.XX
Elapsed Time: 83 ms.
      Testing TCP port 443 on host autodiscover.domain.com to ensure it's listening and open.
       The port was opened successfully.
       
      Additional Details
       
Elapsed Time: 213 ms.
      Testing the SSL certificate to make sure it's valid.
       The certificate passed all validation requirements.
       
      Additional Details
       
Elapsed Time: 629 ms.
       
      Test Steps
       
      The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server autodiscover.domain.com on port 443.
       The Microsoft Connectivity Analyzer successfully obtained the remote SSL certificate.
       
      Additional Details
       
Remote Certificate Subject: CN=webmailnz.domain.com, OU=IT, O=company PTY LTD, Issuer: CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US.
Elapsed Time: 606 ms.
      Validating the certificate name.
       The certificate name was validated successfully.
       
      Additional Details
       
Host name autodiscover.domain.com was found in the Certificate Subject Alternative Name entry.
Elapsed Time: 0 ms.
      Testing the certificate date to confirm the certificate is valid.
       Date validation passed. The certificate hasn't expired.
       
      Additional Details
       
The certificate is valid. NotBefore = 1/14/2019 12:00:00 AM, NotAfter = 1/15/2020 12:00:00 PM
Elapsed Time: 0 ms.
      Checking the IIS configuration for client certificate authentication.
       Client certificate authentication wasn't detected.
       
      Additional Details
       
Accept/Require Client Certificates isn't configured.
Elapsed Time: 807 ms.
      Attempting to send an Autodiscover POST request to potential Autodiscover URLs.
       Autodiscover settings weren't obtained when the Autodiscover POST request was sent.
       
      Additional Details
       
Elapsed Time: 2360 ms.
       
      Test Steps
       
      The Microsoft Connectivity Analyzer is attempting to retrieve an XML Autodiscover response from URL https://autodiscover.domain.com:443/Autodiscover/Autodiscover.xml for user kundan.gupta@domain.com.
       The Microsoft Connectivity Analyzer failed to obtain an Autodiscover XML response.
       
      Additional Details
       
A Web exception occurred because an HTTP 503 - ServiceUnavailable response was received from Unknown.
HTTP Response Headers:
request-id: b0014cad-6e57-40aa-b0d3-59dd24cd5bb6
X-CalculatedBETarget: servername.production.domain.com
Persistent-Auth: true
X-FEServer: servername2
Content-Length: 0
Cache-Control: private
Date: Wed, 13 Mar 2019 12:36:28 GMT
Set-Cookie: ClientId=OYIVUMFJKCAHBJRG; expires=Thu, 12-Mar-2020 12:36:28 GMT; path=/; HttpOnly
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
X-Powered-By: ASP.NET
Elapsed Time: 2360 ms.
      Attempting to contact the Autodiscover service using the HTTP redirect method.
       The attempt to contact Autodiscover using the HTTP Redirect method failed.
       
      Additional Details
       
Elapsed Time: 42095 ms.
       
      Test Steps
       
      Attempting to resolve the host name autodiscover.domain.com in DNS.
       The host name resolved successfully.
       
      Additional Details
       
IP addresses returned: 13.XX.XX.XX, 13.237.XX.XX
Elapsed Time: 17 ms.
      Testing TCP port 80 on host autodiscover.domain.com to ensure it's listening and open.
       The specified port is either blocked, not listening, or not producing the expected response.
       
      Additional Details
       
A network error occurred while communicating with the remote host.
Elapsed Time: 42077 ms.
      Attempting to contact the Autodiscover service using the DNS SRV redirect method.
       The Microsoft Connectivity Analyzer failed to contact the Autodiscover service using the DNS SRV redirect method.
       
      Additional Details
       
Elapsed Time: 21 ms.
       
      Test Steps
       
      Attempting to locate SRV record _autodiscover._tcp.domain.com in DNS.
       The Autodiscover SRV record wasn't found in DNS.
       
      Additional Details
       
Elapsed Time: 20 ms.

MaheshArchitect
Distinguished Expert 2018

Commented:
There is an issue with the SSL certificate hostnames: autodiscover.domain.com and mail.domain.com were not found in the certificate used for Exchange, or either the certificate is expired or it's not from a well-known public CA.

Can you check the Exchange server for the public certificate and let me know what the SAN entries are, who the publisher of the certificate is, whether it's expired, etc.?

Commented:
Hi,

What we can see with this log is that the DNS name "autodiscover.domain.com" is successfully resolved, that the HTTPS TCP 443 port is listening on autodiscover.domain.com, and that the certificate matches the name requested... and then the analyzer fails to get the autodiscover.xml file!

It looks like you have an issue on the equipment that is supposed to publish the internal autodiscover virtual directory. It may be a reverse proxy, or a firewall... anyway, you're not able to reach the internal autodiscover file from the Internet. You must take a look at how you publish autodiscover.

By the way, in Hybrid mode, you should publish your Exchange on-premises autodiscover virtual directory. Your internal Exchange autodiscover file will redirect the client to the Office 365 URLs in case the user mailbox is migrated to O365.
The O365 autodiscover file is not able to redirect the client to your internal Exchange server, so while you still have mailboxes on your on-premises server you MUST publish your internal Autodiscover.

Have a good day

Ahmed Abdelbaset, Infrastructure Architect

Commented:
To have a green output result, make sure the DNS names below are included in the Exchange certificate.

autodiscover.domain.com
domain.com

Kundan Gupta, Senior Administrator

Author

Commented:
I have a certificate installed on the Exchange server with SAN names as below

autodiscover.domain.com
domain.com

In DNS, the domain autodiscover.domain.com points to a load balancer.
MaheshArchitect
Distinguished Expert 2018

Commented:
Normally mail.domain.com should also be added to the certificate, and it should point to the Exchange server.
Anyway, did you configure SSL decryption on the load balancer?
You can pass traffic through the load balancer and let Exchange handle decryption, and check what happens.

Ahmed Abdelbaset, Infrastructure Architect

Commented:
Make sure also that EWS and the external URL are published and configured.
Top Rated Freelancer on MS Technologies
Awarded 2018
Distinguished Expert 2018
Commented:
Your SSL is a bit mistaken.

You should have 2 SANs in your cert:
autodiscover.domain.com
mail.domain.com

You need to make sure that all your internal and external URLs match "mail.domain.com".
How can you do this?
Use this: https://gallery.technet.microsoft.com/office/Script-to-configure-the-5a58558b
with the option -get to get all the internal and external URLs.

If any don't match, use the same script with the options -set -urlpath "https://mail.domain.com" to set them all.
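
The name check the analyzer reports as "Validating the certificate name", applied to a list of published URLs, as an added example that is not part of the original thread or of any poster's script. The SAN list is the one reported in the thread; the EWS and OWA URLs and the function names are assumptions made for illustration.

```python
from urllib.parse import urlsplit


def name_matches(host, pattern):
    """Return True if host is covered by one certificate DNS name.

    A wildcard is honoured only as the whole leftmost label and stands for
    exactly one label, so *.domain.com covers mail.domain.com but neither
    domain.com nor a.b.domain.com.
    """
    host = host.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    if not pattern.startswith("*."):
        return host == pattern
    head, _, parent = host.partition(".")
    return bool(head) and parent == pattern[2:]


def uncovered_urls(urls, san_names):
    """Map each URL whose host no SAN entry covers to that host."""
    missing = {}
    for url in urls:
        host = urlsplit(url).hostname
        if host is None or not any(name_matches(host, n) for n in san_names):
            missing[url] = host
    return missing


# Constructed sample data: the SAN list as reported in the thread, and URLs
# a hybrid deployment might publish (the EWS and OWA paths are assumptions).
SAN_NAMES = ["autodiscover.domain.com", "domain.com"]
PUBLISHED_URLS = [
    "https://autodiscover.domain.com/Autodiscover/Autodiscover.xml",
    "https://mail.domain.com/EWS/Exchange.asmx",
    "https://mail.domain.com/owa",
]

if __name__ == "__main__":
    # Every URL listed here would fail name validation on a connecting client.
    for url, host in uncovered_urls(PUBLISHED_URLS, SAN_NAMES).items():
        print(f"NOT COVERED: {host}  ({url})")
```

Feed it the URLs actually configured on the virtual directories and the SAN list of the certificate bound to IIS or presented by the load balancer, whichever terminates TLS.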
