Autodiscover issues - Has to be something simple...
Hello all -
In general, I am getting issues with the Autodiscover service. I have read literally hundreds of pages of documentation and cannot figure out where my config is incorrect. In my lab I have CAS/HUB installed on one server and MB on another.
The CAS/HUB is configured as a CASArray (named CorpMail.gklabs.net). The CAS array only has one member at this time and the member is named NC10LABS050.
I am using a UCC cert with the primary name being OWA.GKLabs.net. The SANs are legacyOWA.gklabs.net, autodiscover.gklabs.net, www.owa.gklabs.net and corpmail.gklabs.net. OWA 2010 works fine for 2010 MBs and also 2003 MBs (redirection to legacyOWA).
I am providing my general questions from tests that I have run along with their results to hopefully get some help from you. Sorry for the length but wanted to provide as much detail as some of you may need!
1. When I run a "Get-OWAVirtualDirectory |fl" I get an SSL mismatch error. Why is the server looking for an SSL for the CAS server name https://nc10labs050.corp.gklabs.net/autodiscover/autodiscover.xml NC10LABS050? I have run the "Set-ClientAccessServer -identity "NC10S050" -AutoDiscoverServiceInternalUri https://owa.gklabs.net/autodiscover/autodiscover.xml" and I was under the impression this is the address internal users should be resolving to. How can I change this to match the Primary name on the UCC Cert?
2. Also from the "Get-OWAVirtualDirectory |fl" the internal and external URLs are blank. I have read that these are suppressed for security reasons so I assume this is correct if they are blank and the AutoDiscoverServiceInternalUri has been set.
3. When running testexchangeconnectivity.com tests with a 2010 MB user, I am getting HTTP 401 denied results.
4. When visiting https://owa.gklabs.net/autodiscover/autodiscover.xml I am prompted for credentials. Regardless of what credentials I provide (admin or regular MB user) it always errors out with 401.1 unauthorized.
I have verified that the Autodiscover directory has Anonymous, Basic and Windows authentication - SSL required, with 'ignore' selected. Authenticated Users also have Read & Execute permissions on the directory for Autodiscover.
Get-OWAVirtualDirectory |fl results:
[PS] C:\Windows\system32>Test-OutlookWebServices -identity Gary.Wall@gklabs.net

RunspaceId : 70186105-1251-4772-bc90-f31d67f557e2
Id : 1019
Type : Information
Message : A valid Autodiscover service connection point was found. The Autodiscover URL on this object is https://owa.gklabs.net/autodiscover/autodiscover.xml.

RunspaceId : 70186105-1251-4772-bc90-f31d67f557e2
Id : 1006
Type : Information
Message : Contacted the Autodiscover service at https://owa.gklabs.net/autodiscover/autodiscover.xml.

RunspaceId : 70186105-1251-4772-bc90-f31d67f557e2
Id : 1016
Type : Information
Message : [EXCH] The AS is configured for this user in the Autodiscover response received from https://owa.gklabs.net/autodiscover/autodiscover.xml.

RunspaceId : 70186105-1251-4772-bc90-f31d67f557e2
Id : 1015
Type : Information
Message : [EXCH] The OAB is configured for this user in the Autodiscover response received from https://owa.gklabs.net/autodiscover/autodiscover.xml.

RunspaceId : 70186105-1251-4772-bc90-f31d67f557e2
Id : 1014
Type : Information
Message : [EXCH] The UM is configured for this user in the Autodiscover response received from https://owa.gklabs.net/autodiscover/autodiscover.xml.

RunspaceId : 70186105-1251-4772-bc90-f31d67f557e2
Id : 1016
Type : Information
Message : [EXPR] The AS is configured for this user in the Autodiscover response received from https://owa.gklabs.net/autodiscover/autodiscover.xml.

RunspaceId : 70186105-1251-4772-bc90-f31d67f557e2
Id : 1015
Type : Information
Message : [EXPR] The OAB is configured for this user in the Autodiscover response received from https://owa.gklabs.net/autodiscover/autodiscover.xml.

RunspaceId : 70186105-1251-4772-bc90-f31d67f557e2
Id : 1014
Type : Information
Message : [EXPR] The UM is configured for this user in the Autodiscover response received from https://owa.gklabs.net/autodiscover/autodiscover.xml.

RunspaceId : 70186105-1251-4772-bc90-f31d67f557e2
Id : 1022
Type : Success
Message : Autodiscover was tested successfully.

RunspaceId : 70186105-1251-4772-bc90-f31d67f557e2
Id : 1104
Type : Error
Message : The certificate for the URL https://nc10labs050.corp.gklabs.net/autodiscover/autodiscover.xml is incorrect. For SSL to work, the certificate needs to have a subject of nc10labs050.corp.gklabs.net, instead the subject found is owa.gklabs.net. Consider correcting service discovery, or installing a correct SSL certificate.

RunspaceId : 70186105-1251-4772-bc90-f31d67f557e2
Id : 1106
Type : Information
Message : Contacted the Autodiscover service at https://NC10LABS050.corp.GKLABS.NET:443/autodiscover/autodiscover.xml.

RunspaceId : 70186105-1251-4772-bc90-f31d67f557e2
Id : 1116
Type : Information
Message : [EXCH] The AS is configured for this user in the Autodiscover response received from https://NC10LABS050.corp.GKLABS.NET:443/autodiscover/autodiscover.xml.

RunspaceId : 70186105-1251-4772-bc90-f31d67f557e2
Id : 1115
Type : Information
Message : [EXCH] The OAB is configured for this user in the Autodiscover response received from https://NC10LABS050.corp.GKLABS.NET:443/autodiscover/autodiscover.xml.

RunspaceId : 70186105-1251-4772-bc90-f31d67f557e2
Id : 1114
Type : Information
Message : [EXCH] The UM is configured for this user in the Autodiscover response received from https://NC10LABS050.corp.GKLABS.NET:443/autodiscover/autodiscover.xml.

RunspaceId : 70186105-1251-4772-bc90-f31d67f557e2
Id : 1116
Type : Information
Message : [EXPR] The AS is configured for this user in the Autodiscover response received from https://NC10LABS050.corp.GKLABS.NET:443/autodiscover/autodiscover.xml.

RunspaceId : 70186105-1251-4772-bc90-f31d67f557e2
Id : 1115
Type : Information
Message : [EXPR] The OAB is configured for this user in the Autodiscover response received from https://NC10LABS050.corp.GKLABS.NET:443/autodiscover/autodiscover.xml.

RunspaceId : 70186105-1251-4772-bc90-f31d67f557e2
Id : 1114
Type : Information
Message : [EXPR] The UM is configured for this user in the Autodiscover response received from https://NC10LABS050.corp.GKLABS.NET:443/autodiscover/autodiscover.xml.

RunspaceId : 70186105-1251-4772-bc90-f31d67f557e2
Id : 1122
Type : Success
Message : Autodiscover was tested successfully.

RunspaceId : 70186105-1251-4772-bc90-f31d67f557e2
Id : 1024
Type : Success
Message : [EXCH] Successfully contacted the AS service at https://owa.gklabs.net/ews/exchange.asmx. The elapsed time was 109 milliseconds.

RunspaceId : 70186105-1251-4772-bc90-f31d67f557e2
Id : 1026
Type : Success
Message : [EXCH] Successfully contacted the UM service at https://owa.gklabs.net/ews/exchange.asmx. The elapsed time was 15 milliseconds.

RunspaceId : 70186105-1251-4772-bc90-f31d67f557e2
Id : 1124
Type : Success
Message : [Server] Successfully contacted the AS service at https://nc10labs050.corp.gklabs.net/EWS/Exchange.asmx. The elapsed time was 46 milliseconds.

RunspaceId : 70186105-1251-4772-bc90-f31d67f557e2
Id : 1126
Type : Success
Message : [Server] Successfully contacted the UM service at https://nc10labs050.corp.gklabs.net/EWS/Exchange.asmx. The elapsed time was 15 milliseconds.

TestExchangeConnectivity Autodiscover results:
ExRCA is attempting to test Autodiscover for gary.wall@gklabs.net.
Testing Autodiscover failed.
Test Steps
Attempting each method of contacting the Autodiscover service.
The Autodiscover service couldn't be contacted successfully by any method.
Test Steps
Attempting to test potential Autodiscover URL https://gklabs.net/AutoDiscover/AutoDiscover.xml
Testing of this potential Autodiscover URL failed.
Test Steps
Attempting to resolve the host name gklabs.net in DNS.
The host name resolved successfully.
Additional Details
IP addresses returned: 206.195.148.50
Testing TCP port 443 on host gklabs.net to ensure it's listening and open.
The port was opened successfully.
Testing the SSL certificate to make sure it's valid.
The certificate passed all validation requirements.
Test Steps
Validating the certificate name.
The certificate name was validated successfully.
Additional Details
Host name gklabs.net was found in the Certificate Subject Alternative Name entry.
Certificate trust is being validated.
The certificate is trusted and all certificates are present in the chain.
Additional Details
The certificate chain has been validated up to a trusted root. Root = OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US.
Testing the certificate date to confirm the certificate is valid.
Date validation passed. The certificate hasn't expired.
Additional Details
The certificate is valid. NotBefore = 12/1/2010 4:31:12 PM, NotAfter = 11/11/2011 1:43:01 AM
Checking the IIS configuration for client certificate authentication.
Client certificate authentication wasn't detected.
Additional Details
Accept/Require Client Certificates isn't configured.
Attempting to send an Autodiscover POST request to potential Autodiscover URLs.
Autodiscover settings weren't obtained when the Autodiscover POST request was sent.
Test Steps
ExRCA is attempting to retrieve an XML Autodiscover response from URL https://gklabs.net/AutoDiscover/AutoDiscover.xml for user gary.wall@gklabs.net.
ExRCA failed to obtain an Autodiscover XML response.
Additional Details
A Web exception occurred because an HTTP 401 - Unauthorized response was received from Unknown.
Attempting to test potential Autodiscover URL https://autodiscover.gklabs.net/AutoDiscover/AutoDiscover.xml
Testing of this potential Autodiscover URL failed.
Test Steps
Attempting to resolve the host name autodiscover.gklabs.net in DNS.
The host name resolved successfully.
Additional Details
IP addresses returned: 206.195.148.50
Testing TCP port 443 on host autodiscover.gklabs.net to ensure it's listening and open.
The port was opened successfully.
Testing the SSL certificate to make sure it's valid.
The certificate passed all validation requirements.
Test Steps
Validating the certificate name.
The certificate name was validated successfully.
Additional Details
Host name autodiscover.gklabs.net was found in the Certificate Subject Alternative Name entry.
Certificate trust is being validated.
The certificate is trusted and all certificates are present in the chain.
Additional Details
The certificate chain has been validated up to a trusted root. Root = OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US.
Testing the certificate date to confirm the certificate is valid.
Date validation passed. The certificate hasn't expired.
Additional Details
The certificate is valid. NotBefore = 12/1/2010 4:31:12 PM, NotAfter = 11/11/2011 1:43:01 AM
Checking the IIS configuration for client certificate authentication.
Client certificate authentication wasn't detected.
Additional Details
Accept/Require Client Certificates isn't configured.
Attempting to send an Autodiscover POST request to potential Autodiscover URLs.
Autodiscover settings weren't obtained when the Autodiscover POST request was sent.
Test Steps
ExRCA is attempting to retrieve an XML Autodiscover response from URL https://autodiscover.gklabs.net/AutoDiscover/AutoDiscover.xml for user gary.wall@gklabs.net.
ExRCA failed to obtain an Autodiscover XML response.
Additional Details
A Web exception occurred because an HTTP 401 - Unauthorized response was received from Unknown.
Attempting to contact the Autodiscover service using the HTTP redirect method.
The attempt to contact Autodiscover using the HTTP Redirect method failed.
Test Steps
Attempting to resolve the host name autodiscover.gklabs.net in DNS.
The host name resolved successfully.
Additional Details
IP addresses returned: 206.195.148.50
Testing TCP port 80 on host autodiscover.gklabs.net to ensure it's listening and open.
The port was opened successfully.
ExRCA is checking the host autodiscover.gklabs.net for an HTTP redirect to the Autodiscover service.
ExRCA failed to get an HTTP redirect response for Autodiscover.
Additional Details
An HTTP 403 forbidden response was received. The response appears to have come from Unknown. Body of the response: You do not have permission to view this directory or page.
Attempting to contact the Autodiscover service using the DNS SRV redirect method.
ExRCA failed to contact the Autodiscover service using the DNS SRV redirect method.
Test Steps
Attempting to locate SRV record _autodiscover._tcp.gklabs.net in DNS.
The Autodiscover SRV record was successfully retrieved from DNS.
Additional Details
The Service Location (SRV) record lookup returned host gklabs.net.
Attempting to test potential Autodiscover URL https://gklabs.net/Autodiscover/Autodiscover.xml
Testing of this potential Autodiscover URL failed.
Test Steps
Attempting to resolve the host name gklabs.net in DNS.
The host name resolved successfully.
Additional Details
IP addresses returned: 206.195.148.50
Testing TCP port 443 on host gklabs.net to ensure it's listening and open.
The port was opened successfully.
Testing the SSL certificate to make sure it's valid.
The certificate passed all validation requirements.
Test Steps
Validating the certificate name.
The certificate name was validated successfully.
Additional Details
Host name gklabs.net was found in the Certificate Subject Alternative Name entry.
Certificate trust is being validated.
The certificate is trusted and all certificates are present in the chain.
Additional Details
The certificate chain has been validated up to a trusted root. Root = OU=Go Daddy Class 2 Certification Authority, O="The Go Daddy Group, Inc.", C=US.
Testing the certificate date to confirm the certificate is valid.
Date validation passed. The certificate hasn't expired.
Additional Details
The certificate is valid. NotBefore = 12/1/2010 4:31:12 PM, NotAfter = 11/11/2011 1:43:01 AM
Checking the IIS configuration for client certificate authentication.
Client certificate authentication wasn't detected.
Additional Details
Accept/Require Client Certificates isn't configured.
Attempting to send an Autodiscover POST request to potential Autodiscover URLs.
Autodiscover settings weren't obtained when the Autodiscover POST request was sent.
Test Steps
ExRCA is attempting to retrieve an XML Autodiscover response from URL https://gklabs.net/Autodiscover/Autodiscover.xml for user gary.wall@gklabs.net.
ExRCA failed to obtain an Autodiscover XML response.
Additional Details
A Web exception occurred because an HTTP 401 - Unauthorized response was received from Unknown.
Wall
December 3rd, 2010 4:15pm
1. Please post the complete text of any error message you discuss.
2. I have always configured those. Also don't forget to set them in Set-EcpVirtualDirectory.
3. What do you have set for ExternalURL and InternalURL for Get-AutodiscoverVirtualDirectory?
The failure for the https://glkabs.net/... URL is normal since you don't publish Autodiscover there. The 401 could be due to a certificate error, and may be fixed by checking all your settings.
Are you publishing behind an ISA or TMG server or the like?
Ed Crowley MVP "There are seldom good technological solutions to behavioral problems."
December 3rd, 2010 8:44pm
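An added example, not part of the original thread: one way to check the settings discussed above is to list every URL the CAS hands to clients and compare each host name with the names on the IIS certificate, which is the mismatch that error 1104 reports. It assumes the Exchange Management Shell on Exchange 2010; the server name is taken from the thread, and `Test-NameOnCert` is a helper written for this example. Rows with OnCert False are host names the certificate does not cover.

```powershell
# Added example for the Exchange Management Shell (Exchange 2010, PowerShell 2.0).
$server = 'NC10LABS050'   # CAS name from the thread; change for your environment

# Names (subject + SANs) on the certificate enabled for IIS on that server.
$cert = Get-ExchangeCertificate -Server $server |
    Where-Object { "$($_.Services)" -match 'IIS' } | Select-Object -First 1
$certNames = @($cert.CertificateDomains | ForEach-Object { "$_" })

# Hypothetical helper for this example: is $hostName covered by the cert names?
function Test-NameOnCert([string]$hostName, [string[]]$names) {
    foreach ($n in $names) {
        if ($n -eq $hostName) { return $true }          # -eq ignores case
        # A wildcard entry covers exactly one left-most label.
        $dot = $hostName.IndexOf('.')
        if ($n.StartsWith('*.') -and $dot -gt 0 -and
            $hostName.Substring($dot) -eq $n.Substring(1)) { return $true }
    }
    return $false
}

# Collect the SCP value plus the internal/external URL of each virtual directory.
$urls = @()
$cas = Get-ClientAccessServer -Identity $server
$urls += @{ Source = 'AutoDiscoverServiceInternalUri'; Url = $cas.AutoDiscoverServiceInternalUri }
$vdirCmds = 'Get-AutodiscoverVirtualDirectory', 'Get-WebServicesVirtualDirectory',
            'Get-OabVirtualDirectory', 'Get-OwaVirtualDirectory',
            'Get-EcpVirtualDirectory', 'Get-ActiveSyncVirtualDirectory'
foreach ($cmd in $vdirCmds) {
    foreach ($vdir in @(& $cmd -Server $server)) {
        foreach ($prop in 'InternalUrl', 'ExternalUrl') {
            $urls += @{ Source = "$cmd $prop"; Url = $vdir.$prop }
        }
    }
}

# Report each host name and whether the certificate covers it.
$report = foreach ($u in $urls) {
    if (-not $u.Url) { continue }                        # blank URL: nothing to check
    $hostName = ([uri]"$($u.Url)").Host
    New-Object PSObject -Property @{
        Source = $u.Source
        Host   = $hostName
        OnCert = (Test-NameOnCert $hostName $certNames)
    }
}
$report | Sort-Object OnCert | Format-Table Source, Host, OnCert -AutoSize
```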