Autodiscover.xml not authenticating correctly - Exchange 2010
I am using a trial version at the moment, but if I can get the Autodiscover service to work for iPhones, then this will give me more ammo to purchase.
Running on Server 2008 R2
Single Exchange 2010 server
I ran test-outlookwebservices from the shell, and everything passed.
When I try from testexchangeconnectivity.com I get this output (changed domain and user information):
ExRCA is attempting to retrieve an XML Autodiscover response from URL https://domain.com/AutoDiscover/AutoDiscover.xml for user user@domain.com
ExRCA failed to obtain an Autodiscover XML response.
An HTTP 401 Unauthorized response was received from the remote Unknown server. This is usually the result of an incorrect username or password. If you are attempting to log onto an Office 365 service, ensure you are using your full User Principal Name (UPN)
So, then I tried launching the autodiscover.xml from IIS7.
When browsing to https://localhost/autodiscover/autodiscover.xml, I get the expected HTTP 600 error response; however, when I browse to https://domain.com/autodiscover/autodiscover.xml internally, I get the username/password popup window, but it will not authenticate me.
The external and internal domain names are not the same. The user logs into corp.domain.com and the email address is domain.com. The accepted domain of domain.com is set as the default.
When prompted for the username/password, it is defaulting to corp.domain.com, which is correct.
Any help will be appreciated.
Moderators - If this is not in the correct forum, please feel free to move
Thanks,
Todd
November 18th, 2011 1:39pm
Do you have a DNS entry for autodiscover.example.com?
The error that you have posted is normal, if the root of the domain (example.com) is pointing to your public web site, which is how most domains are configured. The authentication prompt isn't coming from your server, but the external web site.
The usual method to implement autodiscover from the Internet is to create a DNS record for autodiscover.example.com along with the required SSL certificate.
Simon.
Simon Butler, Exchange MVP
November 19th, 2011 9:50am
I do have DNS entries externally (pointing to our external IP) and internally (I created a forward lookup zone for domain.com and added a dns entry there as well).
Our web page is hosted by another company, so that has a different external IP.
Autodiscover.domain.com is pointing to our external IP and https service has been routed to this exchange server's IP.
I installed a Certificate Authority and created a SSL Cert for autodiscover.domain.com (as well as internal autodiscover, etc.).
When running the test from testexchangeconnectivity.com, autodiscover does connect to the exchange server, but still gives the same error. It passes the SSL tests without issue.
Is this still doing the same thing, prompting the website for login credentials instead of the exchange server?
Do I need a pointer for all https traffic externally to point to our external IP regardless of the prefix to domain.com?
Thanks for the help!
Todd
November 21st, 2011 9:24am
however, when I browse to https://domain.com/autodiscover/autodiscover.xml internally, I get the username/password popup window, but it will not authenticate me.
Can you try browsing internally to the following replacing exchangeserver with the internal name of the exchange server CAS... https://exchangeserver/autodiscover/autodiscover.xml
Please could you let me know the result?
Thanks
November 22nd, 2011 8:40am
https://exchangeserver/autodiscover/autodiscover.xml does work correctly.
I believe that when I try https://domain.com/autodiscover/autodiscover.xml, it is trying to authenticate to the web page.
To me this means that I need to redirect the https traffic for domain.com from the web hosting company IP to my company IP.
Let me know if this sounds correct.
Thanks!
Todd
November 22nd, 2011 11:37am
Internally on a domain connected machine https://exchangeserver/autodiscover/autodiscover.xml should work and depending on authentication you should see the XML page in IE. This really should be working. When you say it does not work correctly - what happens?
November 23rd, 2011 3:35am
Yes, internally https://exchangeserver/autodiscover/autodiscover.xml does work. The XML page comes up correctly.
Internally and externally https://domain.com/autodiscover/autodiscover.xml does not work. I get a prompt for username/password, but even using known good credentials it does not accept them. It just asks for username/password again.
When I look at the event logs on the exchange server, I am getting a failed security audit saying login failed.
I reset the password for the test user to be sure I had it correct, and still getting the same error.
November 23rd, 2011 8:40am
When checking EXRCA it does check domain.com/autodiscover/autodiscover.xml but even if this does fail it will check autodiscover.domain.com/autodiscover/autodiscover.xml - does this fail?
If you put https://autodiscover.domain.com/autodiscover/autodiscover.xml into a browser externally what happens?
November 24th, 2011 3:07am
Hi,
Give it a try and test it from https://www.testexchangeconnectivity.com/ and post the result in here
Jonas Andersson | Microsoft Community Contributor Award 2011 | MCITP: EMA 2007/2010 | Blog: http://www.testlabs.se/blog | Follow me on twitter: jonand82
November 24th, 2011 4:43am
If I try https://autodiscover.domain.com/autodiscover/autodiscover.xml from a machine not joined to the domain, I get a "cannot display webpage" error.
From a computer joined to the domain, I get prompted for a username/password, but it doesn't accept it.
After three tries I get http error 401.1 - unauthorized to view the page.
Here are the test results as Jonas requested:
Attempting the Autodiscover and Exchange ActiveSync test (if requested).
Testing of Autodiscover for Exchange ActiveSync failed.
Test Steps
Attempting each method of contacting the Autodiscover service.
The Autodiscover service couldn't be contacted successfully by any method.
Test Steps
Attempting to test potential Autodiscover URL https://domain.com/AutoDiscover/AutoDiscover.xml
Testing of this potential Autodiscover URL failed.
Test Steps
Attempting to resolve the host name domain.com in DNS.
The host name resolved successfully.
Additional Details
IP addresses returned: x.x.x.x
Testing TCP port 443 on host domain.com to ensure it's listening and open.
The port was opened successfully.
Testing the SSL certificate to make sure it's valid.
The certificate passed all validation requirements.
Test Steps
ExRCA is attempting to obtain the SSL certificate from remote server domain.com on port 443.
ExRCA successfully obtained the remote SSL certificate.
Additional Details
Remote Certificate Subject: CN=domain.com, OU=Comapny, O=Comapny, L=city, S=MI, C=US, Issuer: CN=corp-CA, DC=corp, DC=domain, DC=com.
Validating the certificate name.
The certificate name was validated successfully.
Additional Details
Host name domain.com was found in the Certificate Subject Common name.
Testing the certificate date to confirm the certificate is valid.
Date validation passed. The certificate hasn't expired.
Additional Details
The certificate is valid. NotBefore = 11/8/2011 6:16:57 PM, NotAfter = 11/7/2013 6:16:57 PM
Checking the IIS configuration for client certificate authentication.
Client certificate authentication wasn't detected.
Additional Details
Accept/Require Client Certificates isn't configured.
Attempting to send an Autodiscover POST request to potential Autodiscover URLs.
Autodiscover settings weren't obtained when the Autodiscover POST request was sent.
Test Steps
ExRCA is attempting to retrieve an XML Autodiscover response from URL https://domain.com/AutoDiscover/AutoDiscover.xml for user tuser@domain.com.
ExRCA failed to obtain an Autodiscover XML response.
Additional Details
An HTTP 401 Unauthorized response was received from the remote Unknown server. This is usually the result of an incorrect username or password. If you are attempting to log onto an Office 365 service, ensure you are using your full User Principal Name (UPN).
Attempting to test potential Autodiscover URL https://autodiscover.domain.com/AutoDiscover/AutoDiscover.xml
Testing of this potential Autodiscover URL failed.
Test Steps
Attempting to resolve the host name autodiscover.domain.com in DNS.
The host name resolved successfully.
Additional Details
IP addresses returned: x.x.x.x
Testing TCP port 443 on host autodiscover.domain.com to ensure it's listening and open.
The port was opened successfully.
Testing the SSL certificate to make sure it's valid.
The certificate passed all validation requirements.
Test Steps
ExRCA is attempting to obtain the SSL certificate from remote server autodiscover.domain.com on port 443.
ExRCA successfully obtained the remote SSL certificate.
Additional Details
Remote Certificate Subject: CN=domain.com, OU=Comapny, O=Comapny, L=city, S=MI, C=US, Issuer: CN=corp-CA, DC=corp, DC=domain, DC=com.
Validating the certificate name.
The certificate name was validated successfully.
Additional Details
Host name autodiscover.domain.com was found in the Certificate Subject Alternative Name entry.
Testing the certificate date to confirm the certificate is valid.
Date validation passed. The certificate hasn't expired.
Additional Details
The certificate is valid. NotBefore = 11/8/2011 6:16:57 PM, NotAfter = 11/7/2013 6:16:57 PM
Checking the IIS configuration for client certificate authentication.
Client certificate authentication wasn't detected.
Additional Details
Accept/Require Client Certificates isn't configured.
Attempting to send an Autodiscover POST request to potential Autodiscover URLs.
Autodiscover settings weren't obtained when the Autodiscover POST request was sent.
Test Steps
ExRCA is attempting to retrieve an XML Autodiscover response from URL https://autodiscover.domain.com/AutoDiscover/AutoDiscover.xml for user tuser@domain.com.
ExRCA failed to obtain an Autodiscover XML response.
Additional Details
An HTTP 401 Unauthorized response was received from the remote Unknown server. This is usually the result of an incorrect username or password. If you are attempting to log onto an Office 365 service, ensure you are using your full User Principal Name (UPN).
Attempting to contact the Autodiscover service using the HTTP redirect method.
The attempt to contact Autodiscover using the HTTP Redirect method failed.
Test Steps
Attempting to resolve the host name autodiscover.domain.com in DNS.
The host name resolved successfully.
Additional Details
IP addresses returned: x.x.x.x
Testing TCP port 80 on host autodiscover.domain.com to ensure it's listening and open.
The port was opened successfully.
ExRCA is checking the host autodiscover.domain.com for an HTTP redirect to the Autodiscover service.
ExRCA failed to get an HTTP redirect response for Autodiscover.
Additional Details
A Web exception occurred because an HTTP 404 - NotFound response was received from IIS6.
Attempting to contact the Autodiscover service using the DNS SRV redirect method.
ExRCA failed to contact the Autodiscover service using the DNS SRV redirect method.
Test Steps
Attempting to locate SRV record _autodiscover._tcp.domain.com in DNS.
The Autodiscover SRV record wasn't found in DNS.
November 28th, 2011 11:30am
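Added example (not written by any participant in this thread): a PowerShell 2.0-compatible check that sends an unauthenticated GET to each Autodiscover location ExRCA tried above and reports which address answered, with which `Server` and `WWW-Authenticate` headers, so the endpoint issuing the 401 can be compared against the internal CAS URL that is known to work. `domain.com` and `exchangeserver` are the anonymised placeholder names used in the thread; no credentials are sent.

```powershell
# Added example, not from the thread. Uses only .NET classes, so it runs on PowerShell 2.0.
# 'domain.com' and 'exchangeserver' are the thread's anonymised placeholders.
param(
    [string]$Domain = 'domain.com',
    [string]$InternalCas = 'exchangeserver'
)

function Get-AutodiscoverResponder {
    param([string]$Url)
    $resp = $null
    $r = @{ Url = $Url; Address = ''; Status = ''; Server = ''; Auth = ''; Location = '' }
    try {
        $uri = [Uri]$Url
        # Which IP does this name resolve to from the machine running the script?
        $r.Address = ([System.Net.Dns]::GetHostAddresses($uri.Host) |
                      ForEach-Object { $_.ToString() }) -join ', '
        $req = [System.Net.WebRequest]::Create($uri)
        $req.AllowAutoRedirect = $false   # report a 302 instead of following it
        $req.Timeout = 10000
        $resp = $req.GetResponse()
    } catch {
        # A 401 or 404 surfaces as a WebException that still carries the response.
        # DNS failures and TLS trust failures carry none and are reported as text.
        $ex = $_.Exception
        while ($ex -and -not ($ex -is [System.Net.WebException])) { $ex = $ex.InnerException }
        if ($ex -and $ex.Response) { $resp = $ex.Response }
        else { $r.Status = 'no HTTP response: ' + $_.Exception.Message }
    }
    if ($resp) {
        $r.Status   = [int]$resp.StatusCode
        $r.Server   = $resp.Headers['Server']
        $r.Auth     = $resp.Headers['WWW-Authenticate']
        $r.Location = $resp.Headers['Location']
        $resp.Close()
    }
    New-Object PSObject -Property $r |
        Select-Object Url, Address, Status, Server, Auth, Location
}

$urls = @(
    "https://$InternalCas/autodiscover/autodiscover.xml",         # baseline: works internally
    "https://$Domain/autodiscover/autodiscover.xml",              # root-domain method
    "https://autodiscover.$Domain/autodiscover/autodiscover.xml", # autodiscover host method
    "http://autodiscover.$Domain/autodiscover/autodiscover.xml"   # HTTP redirect method
)
$urls | ForEach-Object { Get-AutodiscoverResponder $_ } | Format-List

# DNS SRV redirect method: list the record ExRCA looked for, if one exists.
nslookup -type=SRV "_autodiscover._tcp.$Domain"
```

A row whose `Address`, `Server` or `Auth` values differ from the baseline row is being answered by a different machine or site than the internal CAS. Running it both inside and outside the network shows whether internal and external DNS lead to the same responder.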
Is it port forwarded or are you using any kind of publishing like TMG/ISA?
The port seems to be open, port 443..https
Verify the username and password and try once again
Is the web site bound to any name?
What about the authentication, how is it configured?
Jonas Andersson | Microsoft Community Contributor Award 2011 | MCITP: EMA 2007/2010 | Blog: http://www.testlabs.se/blog | Follow me on twitter: jonand82
November 29th, 2011 10:13am
No publishing. Port 443 is directed through the firewall straight to the exchange server (Virtual server using Hyper-V, if that matters).
Website is "Default Web Site"
I reset the password just to make sure I was using the correct one.
Verified authentication settings based on this site:
http://msexchangeguru.com/2010/10/05/autodiscover/
I followed the settings for Exchange 2010, of course.
Tried it again, and same exact result.
Thanks!
November 29th, 2011 12:59pm